From patchwork Fri Sep 22 12:39:23 2023
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3362
Delivered-To: patchwork@openvpn.net
From: "flichtenheld (Code Review)"
X-Google-Original-From: "flichtenheld (Code Review)"
X-Gerrit-PatchSet: 4
Date: Fri, 22 Sep 2023 12:39:23 +0000
Auto-Submitted: auto-generated
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: I58706019add6d348483ba222dd74e1466ff6c709
X-Gerrit-Change-Number: 281
X-Gerrit-Project: openvpn
X-Gerrit-ChangeURL:
X-Gerrit-Commit: 6d76218dd68dfa930d98f1cc7dcdc59c3bfbf5ce
References:
Message-ID: <1a838914a60b857bf491d7c77e4b4fa0cd90c71d-HTML@gerrit.openvpn.net>
MIME-Version: 1.0
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [M] Change in openvpn[master]: Remove --no-replay option
Reply-To: frank@lichtenheld.com, arne-openvpn@rfc2549.org, heiko@openvpn.net, openvpn-devel@lists.sourceforge.net, gert@greenie.muc.de, lstipakov@gmail.com, a@unstable.cc
Cc: plaisthos, cron2, openvpn-devel, d12fk

flichtenheld has uploaded this change for review. ( http://gerrit.openvpn.net/c/openvpn/+/281?usp=email )

Change subject: Remove --no-replay option
......................................................................

Remove --no-replay option

Officially deprecated since v2.4. We have warned about using this
forever. It is time to pull the plug.

Change-Id: I58706019add6d348483ba222dd74e1466ff6c709
Signed-off-by: Frank Lichtenheld
Acked-by: Heiko Hund
Message-Id: <20230922103830.37151-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27059.html
Signed-off-by: Gert Doering
---
M doc/man-sections/link-options.rst
M doc/man-sections/server-options.rst
M doc/man-sections/unsupported-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/init.c
M src/openvpn/mtu.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl.c
M src/openvpn/ssl_common.h
M tests/unit_tests/openvpn/test_crypto.c
12 files changed, 22 insertions(+), 90 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/281/4
diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 14e76b4..675fee4 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -366,8 +366,7 @@ order they were received to the TCP/IP protocol stack, provided they satisfy several constraints. - (a) The packet cannot be a replay (unless ``--no-replay`` is - specified, which disables replay protection altogether). + (a) The packet cannot be a replay. (b) If a packet arrives out of order, it will only be accepted if the difference between its sequence number and the highest sequence diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 6b9ad21..80dc77d 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -406,7 +406,7 @@ Options that will be compared for compatibility include ``dev-type``, ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, - ``auth``, ``keysize``, ``secret``, ``no-replay``, + ``auth``, ``keysize``, ``secret``, ``tls-auth``, ``key-method``, ``tls-server`` and ``tls-client``. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 5c4e3a0..a0c1232 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -30,8 +30,9 @@ VPN tunnel security. This has been a NOOP option since OpenVPN 2.4. --no-replay - Removed in OpenVPN 2.5. This option should not be used as it weakens the - VPN tunnel security. + Removed in OpenVPN 2.7. This option should not be used as it weakens the + VPN tunnel security. Previously we claimed to have removed this in + OpenVPN 2.5, but this wasn't actually the case. --ns-cert-type Removed in OpenVPN 2.5. The ``nsCertType`` field is no longer supported diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index a77b5a1..e4452d7 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c 
@@ -328,7 +328,7 @@ if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS)) { msg(D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- " - "see the man page entry for --no-replay and --replay-window for " + "see the man page entry for --replay-window for " "more info or silence this warning with --mute-replay-warnings", error_prefix, packet_id_net_print(pin, true, gc)); } @@ -942,18 +942,6 @@ return true; } -void -check_replay_consistency(const struct key_type *kt, bool packet_id) -{ - ASSERT(kt); - - if (!packet_id && (cipher_kt_mode_ofb_cfb(kt->cipher) - || cipher_kt_mode_aead(kt->cipher))) - { - msg(M_FATAL, "--no-replay cannot be used with a CFB, OFB or AEAD mode cipher"); - } -} - /* * Generate a random key. */ diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 88f8f44..c5fd253 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -40,7 +40,7 @@ * HMAC at all. * - \b Ciphertext \b IV. The IV size depends on the \c \-\-cipher option. * - \b Packet \b ID, a 32-bit incrementing packet counter that provides replay - * protection (if not disabled by \c \-\-no-replay). + * protection. * - \b Timestamp, a 32-bit timestamp of the current time. * - \b Payload, the plain text network packet to be encrypted (unless * encryption is disabled by using \c \-\-cipher \c none). The payload might @@ -304,8 +304,6 @@ */ int write_key_file(const int nkeys, const char *filename); -void check_replay_consistency(const struct key_type *kt, bool packet_id); - bool check_key(struct key *key, const struct key_type *kt); bool write_key(const struct key *key, const struct key_type *kt, 
@@ -445,7 +443,7 @@ * this and add it themselves. * * @param kt Struct with the crypto algorithm to use - * @param packet_id_size Size of the packet id, can be 0 if no-replay is used + * @param packet_id_size Size of the packet id * @param occ if true calculates the overhead for crypto in the same * incorrect way as all previous OpenVPN versions did, to * end up with identical numbers for OCC compatibility diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 80c1b2e..019f5a4 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3019,17 +3019,14 @@ } /* Initialize packet ID tracking */ - if (options->replay) - { - packet_id_init(&c->c2.crypto_options.packet_id, - options->replay_window, - options->replay_time, - "STATIC", 0); - c->c2.crypto_options.pid_persist = &c->c1.pid_persist; - c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; - packet_id_persist_load_obj(&c->c1.pid_persist, - &c->c2.crypto_options.packet_id); - } + packet_id_init(&c->c2.crypto_options.packet_id, + options->replay_window, + options->replay_time, + "STATIC", 0); + c->c2.crypto_options.pid_persist = &c->c1.pid_persist; + c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM; + packet_id_persist_load_obj(&c->c1.pid_persist, + &c->c2.crypto_options.packet_id); if (!key_ctx_bi_defined(&c->c1.ks.static_key)) { @@ -3051,9 +3048,6 @@ /* Get key schedule */ c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; - - /* Sanity check on sequence number, and cipher mode options */ - check_replay_consistency(&c->c1.ks.key_type, options->replay); } /* @@ -3256,9 +3250,6 @@ return; } - /* Sanity check on sequence number, and cipher mode options */ - check_replay_consistency(&c->c1.ks.key_type, options->replay); - /* In short form, unique datagram identifier is 32 bits, in long form 64 bits */ packet_id_long_form = cipher_kt_mode_ofb_cfb(c->c1.ks.key_type.cipher); 
@@ -3279,7 +3270,6 @@ to.ssl_ctx = c->c1.ks.ssl_ctx; to.key_type = c->c1.ks.key_type; to.server = options->tls_server; - to.replay = options->replay; to.replay_window = options->replay_window; to.replay_time = options->replay_time; to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto); @@ -3645,11 +3635,6 @@ } } - if (!o->replay) - { - msg(M_WARN, "WARNING: You have disabled Replay Protection (--no-replay) which may make " PACKAGE_NAME " less secure"); - } - if (o->tls_server) { warn_on_use_of_common_subnets(&c->net_ctx); diff --git a/src/openvpn/mtu.c b/src/openvpn/mtu.c index 132f93c..56db118 100644 --- a/src/openvpn/mtu.c +++ b/src/openvpn/mtu.c @@ -52,13 +52,6 @@ unsigned int calc_packet_id_size_dc(const struct options *options, const struct key_type *kt) { - /* Unless no-replay is enabled, we have a packet id, no matter if - * encryption is used or not */ - if (!options->replay) - { - return 0; - } - bool tlsmode = options->tls_server || options->tls_client; bool packet_id_long_form = !tlsmode || cipher_kt_mode_ofb_cfb(kt->cipher); diff --git a/src/openvpn/options.c b/src/openvpn/options.c index d168163..ab59a41 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -549,7 +549,6 @@ #ifndef ENABLE_CRYPTO_MBEDTLS "--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" #endif - "--no-replay : (DEPRECATED) Disable replay protection.\n" "--mute-replay-warnings : Silence the output of replay warnings to log file.\n" "--replay-window n [t] : Use a replay protection sliding window of size n\n" " and a time window of t seconds.\n" @@ -868,7 +867,6 @@ o->ifconfig_pool_persist_refresh_freq = 600; o->scheduled_exit_interval = 5; o->authname = "SHA1"; - o->replay = true; o->replay_window = DEFAULT_SEQ_BACKTRACK; o->replay_time = DEFAULT_TIME_BACKTRACK; o->key_direction = KEY_DIRECTION_BIDIRECTIONAL; 
@@ -1954,7 +1952,6 @@ #ifndef ENABLE_CRYPTO_MBEDTLS SHOW_BOOL(engine); #endif /* ENABLE_CRYPTO_MBEDTLS */ - SHOW_BOOL(replay); SHOW_BOOL(mute_replay_warnings); SHOW_INT(replay_window); SHOW_INT(replay_time); @@ -2817,16 +2814,6 @@ } /* - * Check consistency of replay options - */ - if (!options->replay - && (options->replay_window != defaults.replay_window - || options->replay_time != defaults.replay_time)) - { - msg(M_USAGE, "--replay-window doesn't make sense when replay protection is disabled with --no-replay"); - } - - /* * SSL/TLS mode sanity checks. */ if (options->tls_server + options->tls_client @@ -4198,7 +4185,6 @@ * --cipher * --auth * --secret - * --no-replay * * SSL Options: * @@ -4364,10 +4350,6 @@ { buf_printf(&out, ",secret"); } - if (!o->replay) - { - buf_printf(&out, ",no-replay"); - } #ifdef ENABLE_PREDICTION_RESISTANCE if (o->use_prediction_resistance) @@ -8670,7 +8652,9 @@ else if (streq(p[0], "no-replay") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); - options->replay = false; + /* always error out, this breaks the connection */ + msg(M_FATAL, "--no-replay was removed in OpenVPN 2.7. " + "Update your configuration."); } else if (streq(p[0], "replay-window") && !p[3]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f5890b9..5810fd1 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -560,7 +560,6 @@ const char *authname; const char *engine; struct provider_list providers; - bool replay; bool mute_replay_warnings; int replay_window; int replay_time; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index c975dbc..5e6205c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -1007,12 +1007,9 @@ reliable_set_timeout(ks->send_reliable, session->opt->packet_timeout); /* init packet ID tracker */ - if (session->opt->replay) - { - packet_id_init(&ks->crypto_options.packet_id, - session->opt->replay_window, session->opt->replay_time, "SSL", - ks->key_id); - } + packet_id_init(&ks->crypto_options.packet_id, + session->opt->replay_window, session->opt->replay_time, "SSL", + ks->key_id); ks->crypto_options.pid_persist = NULL; diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 27b0294..d3edc5f 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -310,7 +310,6 @@ const char *remote_options; /* from command line */ - bool replay; bool single_session; bool disable_occ; int mode; diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 58eebc0..5564524 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -247,7 +247,6 @@ /* common defaults */ o.ce.tun_mtu = 1400; - o.replay = true; o.ce.proto = PROTO_UDP; /* No crypto at all */ @@ -334,15 +333,6 @@ linkmtu = calc_options_string_link_mtu(&o, &f); assert_int_equal(linkmtu, 1405); - /* tls client, auth none, cipher none, no-replay */ - o.replay = false; - - linkmtu = calc_options_string_link_mtu(&o, &f); - assert_int_equal(linkmtu, 1401); - - - o.replay = true; - /* tls client, auth SHA1, cipher AES-256-GCM */ o.authname = "SHA1"; o.ciphername = "AES-256-GCM"; @@ -378,7 +368,6 @@ /* common defaults */ o.ce.tun_mtu = 1400; o.ce.mssfix = 1000; - o.replay = true; o.ce.proto = PROTO_UDP; /* No crypto at all */
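Review bot: In the unsupported-options.rst hunk (@@ -30,8 +30,9 @@), the added sentence "Previously we claimed to have removed this in OpenVPN 2.5, but this wasn't actually the case." is changelog voice in a man page; a reader of the manual does not know who "we" are. Suggest neutral wording, for example "Removed in OpenVPN 2.7. This option should not be used as it weakens the VPN tunnel security. (Earlier versions of this manual incorrectly listed it as removed in 2.5.)" The 2.7 stated here must stay in sync with the version named in the M_FATAL message in options.c.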
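Review bot: In the options.c hunk at @@ -8670,7 +8652,9 @@, the comment "/* always error out, this breaks the connection */" does not say what breaks or why a hard failure is better than the usual deprecation warning. The mtu.c hunk shows that --no-replay removed the packet-id from every data-channel packet, so a peer still configured with it expects a different wire format and would never exchange traffic with this side; say that in the comment. The message could also tell the user what to do, e.g. "--no-replay was removed in OpenVPN 2.7; replay protection is now always enabled, remove the option from your configuration." The VERIFY_PERMISSION(OPT_P_GENERAL) kept ahead of the unconditional M_FATAL is harmless, but a one-line comment on whether that ordering is intentional (permission error first, fatal otherwise) would help the next reader.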
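Review bot: Dropping ",no-replay" from the options string at @@ -4364,10 +4350,6 @@ in options.c (together with removing ``no-replay`` from the compared-options list in server-options.rst) is an interoperability change that the commit message does not mention: a 2.6 or older peer still running with --no-replay will keep sending the flag while this side never will, so the two options strings no longer match. That is the intended outcome, but a user who upgrades only one end of a --no-replay tunnel will hit it, and the 12-file list carries no Changes.rst entry; add one that records the removal, the hard failure at startup, and the mismatch with older peers, and reference it in the commit message.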