disable DCO if --secret is specified
authorAntonio Quartulli <a@unstable.cc>
Wed, 7 Dec 2022 10:02:01 +0000 (11:02 +0100)
committerGert Doering <gert@greenie.muc.de>
Wed, 7 Dec 2022 12:00:29 +0000 (13:00 +0100)
P2P mode with pre-shared key is deprecated, insecure and should NOT be
used. That said, we still carry it around for a bit and we have to make
sure it does not fight with DCO.

Disable DCO entirely when --secret is specified.

Github: OpenVPN/openvpn#188

Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221207100201.6467-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25629.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f5febf7f8998e425afb051cd6f965f4dd40b1659)

src/openvpn/dco.c

index d599dd7e11c31a87643a06327661a354003e3b61..1cd698bfed4e63eae61de3f19d96e19b34ae3249 100644 (file)
@@ -274,6 +274,12 @@ dco_check_startup_option(int msglevel, const struct options *o)
         return false;
     }
 
+    if (o->shared_secret_file)
+    {
+        msg(msglevel, "--secret is set. Disabling data channel offload");
+        return false;
+    }
+
     if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN)
     {
         msg(msglevel, "Note: dev-type not tun, disabling data channel offload.");
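Review bot: The new `o->shared_secret_file` branch carries no comment, and its log text `"--secret is set. Disabling data channel offload"` does not match the neighbouring dev-type message, which has a `Note:` prefix, lower-case "disabling" and a final period. The commit message says static-key mode is deprecated and insecure, but none of that reaches the code or the log, so an operator reading the output learns only that offload was turned off. I would add `/* --secret (static key P2P mode) is deprecated and must not be combined with DCO */` above the `if` and reword the message to `"Note: --secret is set (deprecated static key mode), disabling data channel offload."`. The body of dco_check_startup_option starts and ends outside this hunk, so whether a deprecation warning for `--secret` is already logged elsewhere cannot be confirmed from here.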