From patchwork Wed Dec 7 10:02:01 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2891
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Antonio Quartulli
Date: Wed, 7 Dec 2022 11:02:01 +0100
Message-Id: <20221207100201.6467-1-a@unstable.cc>
X-Mailer: git-send-email 2.37.4
Subject: [Openvpn-devel] [PATCH] disable DCO if --secret is specified

P2P mode with pre-shared key is deprecated, insecure and should NOT be used.
This said we still carry it around for a bit and we have to make sure it
does not fight with DCO.

Disable DCO at all when --secret is specified.

Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
---
 src/openvpn/dco.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index d599dd7e..1cd698bf 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -274,6 +274,12 @@ dco_check_startup_option(int msglevel, const struct options *o) return false; } + if (o->shared_secret_file) + { + msg(msglevel, "--secret is set. Disabling data channel offload"); + return false; + } + if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN) { msg(msglevel, "Note: dev-type not tun, disabling data channel offload.");
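Review bot: The msg() text in the new block ("--secret is set. Disabling data channel offload") is phrased differently from the neighbouring dev-type check ("Note: dev-type not tun, disabling data channel offload."); consider matching that form, e.g. "Note: --secret is set, disabling data channel offload.", so that log consumers looking for DCO fallbacks see a single pattern. It would also help to state in the commit message that o->shared_secret_file is set for an inline <secret> block as well as for a file path, since the guard tests only that field while the stated intent is to disable DCO whenever --secret is in use.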