[Openvpn-devel] Remove --no-iv

Message ID 20200717171544.21632-1-davids@openvpn.net
State Accepted
Headers show
Series [Openvpn-devel] Remove --no-iv | expand

Commit Message

David Sommerseth July 17, 2020, 7:15 a.m. UTC
This finializes the depreacation started in OpenVPN 2.4, where --no-iv
was made into a NOOP option.

Signed-off-by: David Sommerseth <davids@openvpn.net>
 Changes.rst                              | 3 +++
 doc/man-sections/server-options.rst      | 2 +-
 doc/man-sections/unsupported-options.rst | 2 +-
 src/openvpn/options.c                    | 5 -----
 4 files changed, 5 insertions(+), 7 deletions(-)


Gert Doering July 17, 2020, 11 p.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

I have taken this one out of sequence (it is intended to
go after the --no-replay patch), because *this* one is simple,
and the other one is quite a bit above my pay grade - plus
it modifies stuff that Arne is working on (the frame adjustment
stuff), so that needs much more careful scrutiny.

The patch itself is conflict-free, but the patch context in 
Changes.rst and doc/man-sections/server-options.rst is different.

Your patch has been applied to the master branch.

commit 4b4b34da9811da9e6912c89cd68be3cfe1684a97
Author: David Sommerseth
Date:   Fri Jul 17 19:15:44 2020 +0200

     Remove --no-iv

     Signed-off-by: David Sommerseth <davids@openvpn.net>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20200717171544.21632-1-davids@openvpn.net>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20460.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

kind regards,

Gert Doering


diff --git a/Changes.rst b/Changes.rst
index e279d360..7d4fdec6 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -39,6 +39,9 @@  https://community.openvpn.net/openvpn/wiki/DeprecatedOptions
     adds a security weakness.  This was also highlighted during the
     `OpenVPN 2.4 security audit <https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits#OVPN-03-3:Insecureconfigurationoptions:--no-replay>`_.
+- ``no-iv`` has been removed
+  This option was made into a NOOP option with OpenVPN 2.4.  This has now
+  been completely removed.
 Overview of changes in 2.4
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index 2381f5c8..75d174ea 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -399,7 +399,7 @@  fast hardware. SSL/TLS authentication must be used in this mode.
   ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``,
   ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``,
   ``auth``, ``keysize``, ``secret``,
-  ``no-iv``, ``tls-auth``, ``key-method``, ``tls-server``
+  ``tls-auth``, ``key-method``, ``tls-server``
   and ``tls-client``.
   This option requires that ``--disable-occ`` NOT be used.
diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst
index 8aff5dd9..05ba3ca2 100644
--- a/doc/man-sections/unsupported-options.rst
+++ b/doc/man-sections/unsupported-options.rst
@@ -19,7 +19,7 @@  longer supported
   Removed in OpenVPN 2.5.  This option should not be used as it weakens the
-  VPN tunnel security.
+  VPN tunnel security.  This has been a NOOP option since OpenVPN 2.4.
   Removed in OpenVPN 2.5.  This option should not be used as it weakens the
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e1658472..0f0b37d1 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -7985,11 +7985,6 @@  add_option(struct options *options,
         options->mute_replay_warnings = true;
-    else if (streq(p[0], "no-iv") && !p[1])
-    {
-        msg(msglevel,
-            "--no-iv is no longer supported. Remove it from client and server configs.");
-    }
     else if (streq(p[0], "replay-persist") && p[1] && !p[2])