From: Steffan Karger Date: Wed, 7 Dec 2016 19:20:47 +0000 (+0100) Subject: Deprecate --no-iv X-Git-Tag: v2.4_rc2~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4969f0d6bba8a82d411f0700c2e8e4efbeccb6c8;p=thirdparty%2Fopenvpn.git Deprecate --no-iv This fixes the bug of supporting --no-iv (since we're only accepting bugfixes in the current release phase ;) ). The --no-iv function decreases security if used (CBC *requires* unpredictable IVs, other modes don't allow --no-iv at all), and even marginally decreases other users' security by adding unwanted complexity to our code. Let's get rid of this. Signed-off-by: Steffan Karger Acked-by: Gert Doering Acked-by: Arne Schwabe Message-Id: <1481138447-6292-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13430.html Signed-off-by: Gert Doering --- diff --git a/Changes.rst b/Changes.rst index 9258230f1..a21c0946f 100644 --- a/Changes.rst +++ b/Changes.rst @@ -177,6 +177,8 @@ Deprecated features X.509 subject formatting must be updated to the standardized formatting. See the man page for more information. +- ``--no-iv`` is deprecated in 2.4 and will be remove in 2.5. + User-visible Changes -------------------- - For certificate DNs with duplicate fields, e.g. "OU=one,OU=two", both fields diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 290a441ad..e5619c028 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4399,6 +4399,10 @@ This option only makes sense when replay protection is enabled .\"********************************************************* .TP .B \-\-no\-iv + +.B DEPRECATED +This option will be removed in OpenVPN 2.5. + (Advanced) Disable OpenVPN's use of IV (cipher initialization vector). Don't use this option unless you are prepared to make a tradeoff of greater efficiency in exchange for less diff --git a/src/openvpn/options.c b/src/openvpn/options.c index db1cfe35e..f6e0f138a 100644 --- a/src/openvpn/options.c 
+++ b/src/openvpn/options.c @@ -2238,6 +2238,10 @@ options_postprocess_verify_ce (const struct options *options, const struct conne { msg (M_USAGE, "--no-iv not allowed when NCP is enabled."); } + if (!options->use_iv) + { + msg (M_WARN, "WARNING: --no-iv is deprecated and will be removed in 2.5"); + } /* * Check consistency of replay options
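Review bot: typo in the new Changes.rst entry under "Deprecated features": "+- ``--no-iv`` is deprecated in 2.4 and will be remove in 2.5." should read "will be removed in 2.5", matching the wording of the new man page note and the runtime warning.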
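Review bot: the new DEPRECATED paragraph in the doc/openvpn.8 entry for --no-iv only says the option goes away in 2.5, while the unchanged text right after it still frames the option as "a tradeoff of greater efficiency in exchange for less" security; since the commit message's rationale is that CBC mode requires unpredictable IVs, the note should state that, e.g. "This option will be removed in OpenVPN 2.5. Disabling the IV weakens CBC-mode security; do not use it." so readers of the man page see the security reason and not just the removal date.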
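Review bot: the new `if (!options->use_iv)` warning in src/openvpn/options.c sits in options_postprocess_verify_ce, which is called per connection entry (the function takes a `const struct connection_entry`), so a config with several <connection> blocks will log "WARNING: --no-iv is deprecated and will be removed in 2.5" once per entry; consider emitting it from the option-level postprocessing instead, or confirm that repeated warnings are the accepted convention here. Placement after the existing M_USAGE "--no-iv not allowed when NCP is enabled." check is fine, since that path is fatal and the warning is only meaningful when NCP is off.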