| Message ID | 20251204134521.20025-1-gert@greenie.muc.de |
|---|---|
| State | New |
| Series | [Openvpn-devel,v2] Fix dco with null cipher being enabled without auth none |
We know everything about corners inside corner cases!
But we also do them right!

I have not tested this for real - it's fairly trivial anyway, and it has
no memory leaks anymore :-) - the use case is "testing" or "I just need
a tunnel with a more dynamic endpoint than statically-configured GRE,
no crypto needed, and minimum overhead required". Whether or not this is
a good idea is not addressed by the patch, and OpenVPN itself *will* print
a big fat warning when trying to do "cipher none".

Your patch has been applied to the master branch.
commit 4ff746ad87ca5aa7b2058c9332622fc86551c0c8
Author: Arne Schwabe
Date: Thu Dec 4 14:45:16 2025 +0100
Fix dco with null cipher being enabled without auth none
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369
Message-Id: <20251204134521.20025-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34847.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..6a1a5c9 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -474,6 +474,18 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + gc_free(&gc); + return false; + } } gc_free(&gc);
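Review bot: The comment above the new check in src/openvpn/dco.c attributes the restriction to FreeBSD, while the message shown to the user says the cipher "is only supported with --auth=none by ovpn-dco", and nothing in the visible hunk limits the check to one platform; the comment or the message should state which DCO implementations the restriction applies to, so that a reader of the log can tell why offload was disabled. The same comment has "be" doubled across its line break ("to be / be also enabled"), so one of the two should be dropped. The message writes the option as --auth=none, whereas the comment and the commit subject write "auth none"; using "--auth none" in the message would match the form a user puts in a config file or on the command line. The check compares o->authname with strcmp directly, so it is worth confirming that authname is always set by the time this code runs, since the hunk itself does not show a guard.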