[Openvpn-devel,5/7] compat-mode: add --data-cipher-fallback automatically if requested

Message ID 20210904095629.6273-6-a@unstable.cc
State Accepted
Series
  • change defaults and introduce compat-mode

Commit Message

Antonio Quartulli Sept. 4, 2021, 9:56 a.m.
For compatibility with OpenVPN older than 2.4.0, the
'--data-cipher-fallback' argument is automatically added with the same
value as specified by '--cipher'.

This happens only when the user specifies compat-mode with a version
older than 2.4.0.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
---
 doc/man-sections/generic-options.rst | 2 ++
 src/openvpn/options.c                | 7 +++++++
 2 files changed, 9 insertions(+)

Comments

Arne Schwabe Sept. 6, 2021, 1:23 p.m. | #1
On 04.09.21 at 11:56, Antonio Quartulli wrote:
> For compatibility with OpenVPN older than 2.4.0, the
> '--data-cipher-fallback' argument is automatically added with the same
> value as specified by '--cipher'.
> 
> This happens only when the user specifies compat-mode with a version
> older than 2.4.0.
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> Signed-off-by: Antonio Quartulli <a@unstable.cc>
> ---
>  doc/man-sections/generic-options.rst | 2 ++
>  src/openvpn/options.c                | 7 +++++++

> 
Acked-By: Arne Schwabe <arne@rfc2549.org>

Gert Doering Sept. 20, 2021, 3:29 p.m. | #2
Code change looks reasonably simple :-) - not sure I understand all
the intricacies, but at least it does not break anything in my test 
rigs.  Which I wouldn't expect.

Your patch has been applied to the master branch.

commit cdef503b646087f9284b53e01c64988c98879c36
Author: Antonio Quartulli
Date:   Sat Sep 4 11:56:27 2021 +0200

     compat-mode: add --data-cipher-fallback auomatically if requested

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Signed-off-by: Antonio Quartulli <a@unstable.cc>
     Acked-by: Arne Schwabe <arne@rfc2549.org>
     Message-Id: <20210904095629.6273-6-a@unstable.cc>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22798.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
index 8b26cd1a..3e099e12 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -68,6 +68,8 @@  which mode OpenVPN is configured as.
     to the configuration if no other compression options are present.
   - 2.4.x or lower: The cipher in ``--cipher`` is appended to
     ``--data-ciphers``
+  - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with
+    the same cipher as ``--cipher``
 
 --config file
   Load additional config options from ``file`` where each line corresponds
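
Review bot: the new "2.3.x or lower" entry reads as unconditional, but the options.c hunk only enables the fallback when a cipher is set (`o->ciphername && need_compatibility_before(o, 20400)`), so the documentation should state that precondition. It would also help to say what the fallback means for the data channel: the ``--cipher`` value is used when the peer does not negotiate a cipher, so a legacy cipher configured there stays in use. Suggested wording: "2.3.x or lower: if ``--cipher`` is set, ``--data-cipher-fallback`` is automatically added with the same cipher".
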
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 88ac5bed..f2fb6d64 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3152,6 +3152,13 @@  options_set_backwards_compatible_options(struct options *o)
         append_cipher_to_ncp_list(o, o->ciphername);
     }
 
+    /* Versions < 2.4.0 additionally might be compiled with --enable-small and
+     * not have OCC strings required for "poor man's NCP" */
+    if (o->ciphername && need_compatibility_before(o, 20400))
+    {
+        o->enable_ncp_fallback = true;
+    }
+
     /* Compression is deprecated and we do not want to announce support for it
      * by default anymore, additionally DCO breaks with compression.
      *
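
Review bot: in the added block, the comment explains why the fallback is needed but not what the assignment does. `o->enable_ncp_fallback = true` carries no cipher value, while the commit message and the man page both promise '--data-cipher-fallback' "with the same value as specified by '--cipher'". Please extend the comment to say where the fallback cipher comes from (presumably o->ciphername, given the `o->ciphername &&` guard), so the link between the flag and the documented behaviour is visible at this point in the code. Since this enables use of a non-negotiated cipher purely as a side effect of compat-mode, consider also logging the implied option here so operators can see it in their logs.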