From 4ff746ad87ca5aa7b2058c9332622fc86551c0c8 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Thu, 4 Dec 2025 14:45:16 +0100
Subject: [PATCH] Fix dco with null cipher being enabled without auth none

This is a corner case and only the FreeBSD DCO module support the none encryption but as long as it supports it, we should only enable it when the configuration actually allows to enable it.

Change-Id: I1104044701145fa37cea857e2e0e0fcac7a2bee3
Signed-off-by: Arne Schwabe
Acked-by: Antonio Quartulli
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1369
Message-Id: <20251204134521.20025-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34847.html
Signed-off-by: Gert Doering
---
 src/openvpn/dco.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c
index 7abdad35d..6a1a5c9a9 100644
--- a/src/openvpn/dco.c
+++ b/src/openvpn/dco.c
@@ -474,6 +474,18 @@ dco_check_option(msglvl_t msglevel, const struct options *o)
 gc_free(&gc);
 return false;
 }
+ /* FreeBSD supports none as cipher type but requires auth none to be
+ * be also enabled */
+ if (strcmp(token, "none") == 0 && strcmp(o->authname, "none") != 0)
+ {
+ msg(msglevel,
+ "Note: cipher '%s' in --data-ciphers is only supported "
+ "with --auth=none by ovpn-dco, disabling data channel "
+ "offload.",
+ token);
+ gc_free(&gc);
+ return false;
+ }
 }
 gc_free(&gc);
-- 
2.47.3
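Review bot: The comment above the new check has a doubled word ("to be / be also enabled") and does not state what the check leaves allowed: when `none` appears in --data-ciphers together with `--auth none`, this test does not fire, so offload can continue with a data channel that has neither encryption nor packet authentication. I would reword it to `/* FreeBSD DCO accepts cipher "none", but only together with auth "none"; cipher none with any other auth is rejected here. */` and, if that unprotected pairing is warned about elsewhere, name the place so the next reader does not take this check for the only safeguard. The condition also hands `o->authname` directly to `strcmp`; the hunk does not show whether it can be NULL at this point, so confirm the invariant or handle NULL explicitly before the comparison. The body of dco_check_option starts and ends outside the hunk.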