the SWEET32 attack vector. For more information see the ``--cipher``
option.
+ When data channel offload (DCO) is enabled, this option is ignored. DCO
+ does not support configurable renegotiation thresholds; automatic key
+ renegotiation mechanisms are sufficient for modern ciphers.
+
--reneg-pkts n
Renegotiate data channel key after **n** packets sent and received
(disabled by default).
+ When data channel offload (DCO) is enabled, this option is ignored. DCO
+ does not support configurable renegotiation thresholds; automatic key
+ renegotiation mechanisms are sufficient for modern ciphers.
+
--reneg-sec args
Renegotiate data channel key after at most ``max`` seconds
(default :code:`3600`) and at least ``min`` seconds (default is 90% of
dns_options_verify(M_FATAL, &o->dns_options);
- if (dco_enabled(o) && o->enable_c2c)
+ if (dco_enabled(o))
{
- msg(M_WARN, "Note: --client-to-client has no effect when using data "
- "channel offload: packets are always sent to the VPN "
- "interface and then routed based on the system routing table");
+ if (o->enable_c2c)
+ {
+ msg(M_WARN, "Note: --client-to-client has no effect when using data "
+ "channel offload: packets are always sent to the VPN "
+ "interface and then routed based on the system routing table");
+ }
+
+ if (o->renegotiate_bytes > 0 || o->renegotiate_packets)
+ {
+ msg(M_WARN, "Note: '--reneg-bytes' and '--reneg-pkts' are not supported "
+ "by data channel offload; automatic key renegotiation "
+ "mechanisms are sufficient for modern ciphers. "
+ "Ignoring these options.");
+ }
}
}
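Review bot: The message ends with "Ignoring these options." but nothing in this hunk clears o->renegotiate_bytes or o->renegotiate_packets, so unless the DCO path demonstrably never reads them the log line overstates what happens; either reset both fields to their disabled values right after the msg() call so no later code can act on them, or reword to "These options have no effect." The condition also mixes `o->renegotiate_bytes > 0` with a bare truthiness test on `o->renegotiate_packets`; if renegotiate_bytes uses a negative sentinel for "not set" (which would explain the `> 0`), a short comment saying so would keep the next reader from "fixing" it into `!= 0`, and if it does not, the two tests should be written the same way. Finally, check where this runs relative to the point at which the SWEET32 default for --reneg-bytes is applied (the option text above says it is enabled by default for 64-bit block ciphers): if that default is filled in after this check, the warning fires only for values the user typed and a default-derived byte limit goes unreported.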