From: Antonio Quartulli Date: Wed, 7 Dec 2022 10:02:01 +0000 (+0100) Subject: disable DCO if --secret is specified X-Git-Tag: v2.7_alpha1~660 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f5febf7f8998e425afb051cd6f965f4dd40b1659;p=thirdparty%2Fopenvpn.git disable DCO if --secret is specified P2P mode with pre-shared key is deprecated, unsecure and should NOT be used. This said we still carry it around for a bit and we have to make sure it does not fight with DCO. Disable DCO at all when --secret is specified. Github: OpenVPN/openvpn#188 Signed-off-by: Antonio Quartulli Acked-by: Gert Doering Message-Id: <20221207100201.6467-1-a@unstable.cc> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25629.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index d599dd7e1..1cd698bfe 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -274,6 +274,12 @@ dco_check_startup_option(int msglevel, const struct options *o) return false; } + if (o->shared_secret_file) + { + msg(msglevel, "--secret is set. Disabling data channel offload"); + return false; + } + if (dev_type_enum(o->dev, o->dev_type) != DEV_TYPE_TUN) { msg(msglevel, "Note: dev-type not tun, disabling data channel offload.");
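Review bot: The msg() text in the added `if (o->shared_secret_file)` block is worded differently from the neighbouring check in the trailing context, which logs "Note: dev-type not tun, disabling data channel offload." with a "Note:" prefix and a closing period. Consider "Note: --secret is set, disabling data channel offload." so that the startup messages stay uniform and match a single log search pattern. The commit message calls pre-shared key mode deprecated and not secure, but the logged text only reports that offload is turned off. If this message is meant to be the user-visible hint, it could also say that --secret is deprecated. The diff touches only src/openvpn/dco.c, so the new interaction between --secret and DCO is not documented anywhere in this patch. A short mention in the option documentation would help operators who see DCO silently unavailable in a static-key setup.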