dco: turn supported ciphers list into a function

Other platforms may need more complex logic to decide whether a cipher
is supported or not, therefore turn hardcoded list into a function that
can be implemented by each platform independently.

Signed-off-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220807100404.8618-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24835.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index c23ac0f7871391e813d29cd29f9573a60bbc392e..4f40255eb78827c0d0e294b0fffbe5a9c6a7de4f 100644 (file)
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -306,7 +306,7 @@ dco_check_option_conflict(int msglevel, const struct options *o)
 
     /* At this point the ciphers have already been normalised */
     if (o->enable_ncp_fallback
-        && !tls_item_in_cipher_list(o->ciphername, DCO_SUPPORTED_CIPHERS))
+        && !tls_item_in_cipher_list(o->ciphername, dco_get_supported_ciphers()))
     {
         msg(msglevel, "Note: --data-cipher-fallback with cipher '%s' "
             "disables data channel offload.", o->ciphername);
@@ -360,7 +360,7 @@ dco_check_option_conflict(int msglevel, const struct options *o)
     const char *token;
     while ((token = strsep(&tmp_ciphers, ":")))
     {
-        if (!tls_item_in_cipher_list(token, DCO_SUPPORTED_CIPHERS))
+        if (!tls_item_in_cipher_list(token, dco_get_supported_ciphers()))
         {
             msg(msglevel, "Note: cipher '%s' in --data-ciphers is not supported "
                 "by ovpn-dco, disabling data channel offload.", token);

diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h
index 725690836cf65716534f09208d08cd9d4a652493..6b5c016aad495750a2546c2ff4620392480ed9a3 100644 (file)
--- a/src/openvpn/dco.h
+++ b/src/openvpn/dco.h
@@ -213,6 +213,13 @@ void dco_install_iroute(struct multi_context *m, struct multi_instance *mi,
  */
 void dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi);
 
+/**
+ * Retrieve the list of ciphers supported by the current platform
+ *
+ * @return                   list of colon-separated ciphers
+ */
+const char *dco_get_supported_ciphers();
+
 #else /* if defined(ENABLE_DCO) */
 
 typedef void *dco_context_t;
@@ -320,5 +327,11 @@ dco_delete_iroutes(struct multi_context *m, struct multi_instance *mi)
 {
 }
 
+static inline const char *
+dco_get_supported_ciphers()
+{
+    return "";
+}
+
 #endif /* defined(ENABLE_DCO) */
 #endif /* ifndef DCO_H */

diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 5e77139a80e7caff18636cf44ce4a1bc174973c0..f86ea8192f0d1f3c39c5a9dc1ebdd9e8b58063d2 100644 (file)
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -931,4 +931,10 @@ dco_event_set(dco_context_t *dco, struct event_set *es, void *arg)
     }
 }
 
+const char *
+dco_get_supported_ciphers()
+{
+    return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305";
+}
+
 #endif /* defined(ENABLE_DCO) && defined(TARGET_LINUX) */

diff --git a/src/openvpn/dco_linux.h b/src/openvpn/dco_linux.h
index e0e59fa6f4f43014724fe58beee98750a1d32605..416ea30a06a961987e97295e29f694eb3cf890b4 100644 (file)
--- a/src/openvpn/dco_linux.h
+++ b/src/openvpn/dco_linux.h
@@ -34,7 +34,6 @@
 typedef enum ovpn_key_slot dco_key_slot_t;
 typedef enum ovpn_cipher_alg dco_cipher_t;
 
-#define DCO_SUPPORTED_CIPHERS "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305"
 
 typedef struct
 {