|
From: plaisthos (C. Review) <ge...@op...> - 2025-11-12 11:06:23
|
plaisthos has uploaded this change for review. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email ) Change subject: Fix dco with null cipher being enabled without auth none ...................................................................... Fix dco with null cipher being enabled without auth none This is a corner case and only the FreeBSD DCO module support the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it. Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <ar...@rf...> --- M src/openvpn/dco.c 1 file changed, 10 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/1369/1 diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..a0a990f 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -474,6 +474,16 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + } } gc_free(&gc); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Gerrit-Change-Number: 1369 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> |
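Review bot: the added `if` block ends right after the msg() call, with no `gc_free(&gc); return false;` before its closing brace. The message says "disabling data channel offload", but control falls through and the function carries on as if the cipher had been accepted. The rejection branch visible in the context lines just above frees gc and returns false; this branch needs the same two statements after `token);`.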
|
From: cron2 (C. Review) <ge...@op...> - 2025-11-19 13:45:28
|
Attention is currently required from: plaisthos.
cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email )
Change subject: Fix dco with null cipher being enabled without auth none
......................................................................
Patch Set 1: Code-Review+2
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Gerrit-Change-Number: 1369
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Wed, 19 Nov 2025 13:45:12 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-11-19 13:48:02
|
Attention is currently required from: plaisthos.
cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email )
The change is no longer submittable: Code-Review is unsatisfied now.
Change subject: Fix dco with null cipher being enabled without auth none
......................................................................
Patch Set 1: Code-Review-2
(2 comments)
Patchset:
PS1:
this is missing the required "return false" + gc cleanup
File src/openvpn/dco.c:
http://gerrit.openvpn.net/c/openvpn/+/1369/comment/bb353f92_d38bfc69?usp=email :
PS1, Line 486: }
should this have a `gc_free(&gc); return false;` here?
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Gerrit-Change-Number: 1369
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Wed, 19 Nov 2025 13:47:52 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
|
|
From: plaisthos (C. Review) <ge...@op...> - 2025-12-02 15:15:11
|
Attention is currently required from: cron2.
Hello cron2,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email
to look at the new patch set (#2).
Change subject: Fix dco with null cipher being enabled without auth none
......................................................................
Fix dco with null cipher being enabled without auth none
This is a corner case and only the FreeBSD DCO module supports the
none encryption but as long as it supports it, we should only
enable it when the configuration actually allows to enable it.
Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Signed-off-by: Arne Schwabe <ar...@rf...>
---
M src/openvpn/dco.c
1 file changed, 12 insertions(+), 0 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/1369/2
diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 7abdad3..6a1a5c9 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -474,6 +474,18 @@
gc_free(&gc);
return false;
}
+ /* FreeBSD supports none as cipher type but requires auth none to be
+ * be also enabled */
+ if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0)
+ {
+ msg(msglevel,
+ "Note: cipher '%s' in --data-ciphers is only supported "
+ "with --auth=none by ovpn-dco, disabling data channel "
+ "offload.",
+ token);
+ gc_free(&gc);
+ return false;
+ }
}
gc_free(&gc);
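Review bot: the comment on the first two added lines reads "requires auth none to be be also enabled"; the word "be" is duplicated across the line break and one should go. The log string also spells the option as "--auth=none" while writing "--data-ciphers" bare in the same sentence; "--auth none" matches how the option is given in a config file or on the command line and is what a user would search for.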
--
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Gerrit-Change-Number: 1369
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: cron2 <ge...@gr...>
|
|
From: plaisthos (C. Review) <ge...@op...> - 2025-12-02 15:15:15
|
Attention is currently required from: cron2.
plaisthos has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email )
Change subject: Fix dco with null cipher being enabled without auth none
......................................................................
Patch Set 1:
(1 comment)
File src/openvpn/dco.c:
http://gerrit.openvpn.net/c/openvpn/+/1369/comment/4cfc3549_2b460fa1?usp=email :
PS1, Line 486: }
> should this have a `gc_free(&gc); return false;` here?
Acknowledged
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Gerrit-Change-Number: 1369
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: cron2 <ge...@gr...>
Gerrit-Comment-Date: Tue, 02 Dec 2025 15:14:53 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: cron2 <ge...@gr...>
|
|
From: ordex (C. Review) <ge...@op...> - 2025-12-04 12:46:14
|
Attention is currently required from: cron2, plaisthos.
ordex has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email )
Change subject: Fix dco with null cipher being enabled without auth none
......................................................................
Patch Set 2: Code-Review+2
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Gerrit-Change-Number: 1369
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: cron2 <ge...@gr...>
Gerrit-Comment-Date: Thu, 04 Dec 2025 12:46:04 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 13:45:24
|
Attention is currently required from: plaisthos.
cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email )
Change subject: Fix dco with null cipher being enabled without auth none
......................................................................
Patch Set 2: -Code-Review
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: comment
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Gerrit-Change-Number: 1369
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: cron2 <ge...@gr...>
Gerrit-Reviewer: ordex <an...@ma...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Comment-Date: Thu, 04 Dec 2025 13:45:09 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
|
|
From: Gert D. <ge...@gr...> - 2025-12-04 13:45:34
|
From: Arne Schwabe <ar...@rf...> This is a corner case and only the FreeBSD DCO module support the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it. Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Antonio Quartulli <an...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Antonio Quartulli <an...@ma...> diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..6a1a5c9 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -474,6 +474,18 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + gc_free(&gc); + return false; + } } gc_free(&gc); |
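Review bot: the log text in the msg() call attributes the restriction to "ovpn-dco", while the code comment two lines above the `if` attributes it to FreeBSD. If the cipher-none-requires-auth-none rule is specific to the FreeBSD DCO module, the message should say so, so that someone reading the log on another platform is not sent looking for a restriction that does not apply there. Separately, the '%s' argument is always "none" in this branch, since the condition already requires `strcmp(token, "none") == 0`.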
|
From: Gert D. <ge...@gr...> - 2025-12-04 15:01:49
|
We know everything about corners inside corner cases!
But we also do them right!
I have not tested this for real - it's fairly trivial anyway, and it has
no memory leaks anymore :-) - the use case is "testing" or "I just need
a tunnel with a more dynamic endpoint than statically-configured GRE,
no crypto needed, and minimum overhead required". Whether or not this is
a good idea is not addressed by the patch, and OpenVPN itself *will* print
a big fat warning when trying to do "cipher none".
Your patch has been applied to the master branch.
commit 4ff746ad87ca5aa7b2058c9332622fc86551c0c8
Author: Arne Schwabe
Date: Thu Dec 4 14:45:16 2025 +0100
Fix dco with null cipher being enabled without auth none
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Antonio Quartulli <an...@ma...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg34847.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 15:01:57
|
cron2 has uploaded a new patch set (#3) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by ordex Change subject: Fix dco with null cipher being enabled without auth none ...................................................................... Fix dco with null cipher being enabled without auth none This is a corner case and only the FreeBSD DCO module support the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it. Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Antonio Quartulli <an...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34847.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dco.c 1 file changed, 12 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/69/1369/3 diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..6a1a5c9 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c 
@@ -474,6 +474,18 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + gc_free(&gc); + return false; + } } gc_free(&gc); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Gerrit-Change-Number: 1369 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: cron2 (C. Review) <ge...@op...> - 2025-12-04 15:01:59
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email ) Change subject: Fix dco with null cipher being enabled without auth none ...................................................................... Fix dco with null cipher being enabled without auth none This is a corner case and only the FreeBSD DCO module support the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it. Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Antonio Quartulli <an...@ma...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg34847.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dco.c 1 file changed, 12 insertions(+), 0 deletions(-) diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7abdad3..6a1a5c9 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -474,6 +474,18 @@ gc_free(&gc); return false; } + /* FreeBSD supports none as cipher type but requires auth none to be + * be also enabled */ + if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0) + { + msg(msglevel, + "Note: cipher '%s' in --data-ciphers is only supported " + "with --auth=none by ovpn-dco, disabling data channel " + "offload.", + token); + gc_free(&gc); + return false; + } } gc_free(&gc); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1369?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3 Gerrit-Change-Number: 1369 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: ordex <an...@ma...> Gerrit-CC: openvpn-devel <ope...@li...> |