From patchwork Fri Sep 3 23:56:27 2021
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 1938
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Sat, 4 Sep 2021 11:56:27 +0200
Message-Id: <20210904095629.6273-6-a@unstable.cc>
In-Reply-To: <20210904095629.6273-1-a@unstable.cc>
References: <20210904095629.6273-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH 5/7] compat-mode: add --data-cipher-fallback automatically if requested

For compatibility with OpenVPN older than 2.4.0, the '--data-cipher-fallback' argument is automatically added with the same value as specified by '--cipher'. This happens only when the user specifies compat-mode with a version older than 2.4.0.

Signed-off-by: Arne Schwabe
Signed-off-by: Antonio Quartulli
Acked-By: Arne Schwabe
---
 doc/man-sections/generic-options.rst | 2 ++
 src/openvpn/options.c                | 7 +++++++
 2 files changed, 9 insertions(+)
diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 8b26cd1a..3e099e12 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -68,6 +68,8 @@ which mode OpenVPN is configured as. to the configuration if no other compression options are present. - 2.4.x or lower: The cipher in ``--cipher`` is appended to ``--data-ciphers`` + - 2.3.x or lower: ``--data-cipher-fallback`` is automatically added with + the same cipher as ``--cipher`` --config file Load additional config options from ``file`` where each line corresponds diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 88ac5bed..f2fb6d64 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3152,6 +3152,13 @@ options_set_backwards_compatible_options(struct options *o) append_cipher_to_ncp_list(o, o->ciphername); } + /* Versions < 2.4.0 additionally might be compiled with --enable-small and + * not have OCC strings required for "poor man's NCP" */ + if (o->ciphername && need_compatibility_before(o, 20400)) + { + o->enable_ncp_fallback = true; + } + /* Compression is deprecated and we do not want to announce support for it * by default anymore, additionally DCO breaks with compression. *
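Review bot: in the doc/man-sections/generic-options.rst hunk, the new "2.3.x or lower" item does not say that it applies on top of the "2.4.x or lower" item directly above it, and it gives no reason for the extra step. Suggest wording it as happening in addition to appending ``--cipher`` to ``--data-ciphers``, and carrying over the rationale from the options.c comment (pre-2.4.0 peers built with --enable-small lack the OCC strings), so an operator reading the man page sees that a compat-mode below 2.4.0 lets the data channel fall back to the ``--cipher`` value when the peer's cipher cannot be determined.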
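Review bot: in the src/openvpn/options.c hunk, the new block in options_set_backwards_compatible_options() only sets `o->enable_ncp_fallback = true`, while the commit message and the man page describe adding --data-cipher-fallback "with the same value as --cipher"; the comment should say where the fallback cipher value comes from (presumably o->ciphername, which the condition already tests) so the code matches the documented behaviour at a glance. The flag is also switched on without any log output: since it changes which cipher may be used with a peer that does not negotiate, a log message naming the cipher when compat-mode enables the fallback would let operators audit the effective configuration.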