From patchwork Fri Jul 17 07:15:44 2020
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 1298
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 17 Jul 2020 19:15:44 +0200
Message-Id: <20200717171544.21632-1-davids@openvpn.net>
X-Mailer: git-send-email 2.26.0
Subject: [Openvpn-devel] [PATCH] Remove --no-iv

This finalizes the deprecation started in OpenVPN 2.4, where --no-iv was made into a NOOP option.

Signed-off-by: David Sommerseth
Acked-by: Gert Doering
---
Changes.rst | 3 +++
doc/man-sections/server-options.rst | 2 +-
doc/man-sections/unsupported-options.rst | 2 +-
src/openvpn/options.c | 5 -----
4 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index e279d360..7d4fdec6 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -39,6 +39,9 @@ https://community.openvpn.net/openvpn/wiki/DeprecatedOptions adds a security weakness. This was also highlighted during the `OpenVPN 2.4 security audit `_. +- ``no-iv`` has been removed This option was made into a NOOP option with OpenVPN 2.4. This has now + been completely removed. Overview of changes in 2.4 ========================== diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 2381f5c8..75d174ea 100644 
--- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst @@ -399,7 +399,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. ``link-mtu``, ``tun-mtu``, ``proto``, ``ifconfig``, ``comp-lzo``, ``fragment``, ``keydir``, ``cipher``, ``auth``, ``keysize``, ``secret``, - ``no-iv``, ``tls-auth``, ``key-method``, ``tls-server`` + ``tls-auth``, ``key-method``, ``tls-server`` and ``tls-client``. This option requires that ``--disable-occ`` NOT be used. diff --git a/doc/man-sections/unsupported-options.rst b/doc/man-sections/unsupported-options.rst index 8aff5dd9..05ba3ca2 100644 --- a/doc/man-sections/unsupported-options.rst +++ b/doc/man-sections/unsupported-options.rst @@ -19,7 +19,7 @@ longer supported --no-iv Removed in OpenVPN 2.5. This option should not be used as it weakens the - VPN tunnel security. + VPN tunnel security. This has been a NOOP option since OpenVPN 2.4. --no-replay Removed in OpenVPN 2.5. This option should not be used as it weakens the diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e1658472..0f0b37d1 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -7985,11 +7985,6 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); options->mute_replay_warnings = true; } - else if (streq(p[0], "no-iv") && !p[1]) - { - msg(msglevel, - "--no-iv is no longer supported. Remove it from client and server configs."); - } else if (streq(p[0], "replay-persist") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL);
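Review bot: the new Changes.rst entry ("``no-iv`` has been removed ... This has now been completely removed.") tells readers the option is gone but not what happens to a configuration that still contains it. Since the same patch deletes the targeted "--no-iv is no longer supported. Remove it from client and server configs." message from options.c, a leftover ``no-iv`` line will now be handled as an unrecognized option, and the entry should say so, e.g. "Configurations still containing ``no-iv`` must have the line removed before upgrading."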
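Review bot: in the unsupported-options.rst hunk the appended sentence "This has been a NOOP option since OpenVPN 2.4." sits awkwardly after "This option should not be used as it weakens the VPN tunnel security.", because an option that has been a NOOP since 2.4 cannot weaken anything in 2.4 or later. Suggest reordering so the history reads in sequence, e.g. "Removed in OpenVPN 2.5. It was made a NOOP in OpenVPN 2.4 because it weakens VPN tunnel security." The neighbouring --no-replay entry keeps the older wording, so without the reorder the two entries read as if no-iv still had an effect.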
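Review bot: deleting the `else if (streq(p[0], "no-iv") && !p[1])` branch in options.c removes the only message that names the fix ("Remove it from client and server configs"), so a config still carrying the option falls through to whatever add_option does for an unrecognized option. That is reasonable for a final removal, but please confirm in the commit message that the fallback path reports the offending option name and refuses to start rather than silently accepting the line; a user who kept the option precisely because it was a NOOP in 2.4 should get a clear pointer on upgrade.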