Hi,
On 17-07-2020 15:47, Arne Schwabe wrote:
> The change in name signals that data-ciphers is the preferred way to
> configure data channel (and not --cipher). The data prefix is chosen
> to avoid ambiguity and make it distinct from tls-cipher for the TLS
> ciphers.
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> ---
> Changes.rst | 13 ++++++++++---
> doc/man-sections/protocol-options.rst | 11 +++++++----
> doc/man-sections/server-options.rst | 4 ++--
> sample/sample-config-files/client.conf | 2 +-
> src/openvpn/multi.c | 4 ++--
> src/openvpn/options.c | 5 +++--
> src/openvpn/ssl_ncp.c | 4 ++--
> 7 files changed, 27 insertions(+), 16 deletions(-)
>
> diff --git a/Changes.rst b/Changes.rst
> index 6e283270..2158c8e7 100644
> --- a/Changes.rst
> +++ b/Changes.rst
> @@ -14,12 +14,19 @@ ChaCha20-Poly1305 cipher support
> channel.
>
> Improved Data channel cipher negotiation
> + The option ``ncp-ciphers`` has been renamed to ``data-ciphers``.
> + The old name is still accepted. The change in name signals that
> + ``data-ciphers`` is the preferred way to configure data channel
> + ciphers and the data prefix is chosen to avoid the ambiguity that
> + exists with ``--cipher`` for the data cipher and ``tls-cipher``
> + for the TLS ciphers.
> +
> OpenVPN clients will now signal all supported ciphers from the
> - ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
> - servers will select the first common cipher from the ``ncp-ciphers``
> + ``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
> + servers will select the first common cipher from the ``data-ciphers``
> list instead of blindly pushing the first cipher of the list. This
> allows to use a configuration like
> - ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
> + ``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
> prefers ChaCha20-Poly1305 but uses it only if the client supports it.
>
> Asynchronous (deferred) authentication support for auth-pam plugin.
> diff --git a/doc/man-sections/protocol-options.rst
> b/doc/man-sections/protocol-options.rst
> index 923d2da0..051f1d32 100644
> --- a/doc/man-sections/protocol-options.rst
> +++ b/doc/man-sections/protocol-options.rst
> @@ -62,7 +62,7 @@ configured in a compatible way between both the local and
> remote side.
> The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher
> Block Chaining mode. When cipher negotiation (NCP) is allowed,
> OpenVPN 2.4 and newer on both client and server side will automatically
> - upgrade to :code:`AES-256-GCM`. See ``--ncp-ciphers`` and
> + upgrade to :code:`AES-256-GCM`. See ``--data-ciphers`` and
> ``--ncp-disable`` for more details on NCP.
>
> Using :code:`BF-CBC` is no longer recommended, because of its 64-bit
> @@ -169,7 +169,7 @@ configured in a compatible way between both the local and
> remote side.
> non-standard key lengths, and a larger key may offer no real guarantee
> of greater security, or may even reduce security.
>
> ---ncp-ciphers cipher-list
> +--data-ciphers cipher-list
> Restrict the allowed ciphers to be negotiated to the ciphers in
> ``cipher-list``. ``cipher-list`` is a colon-separated list of ciphers,
> and defaults to :code:`AES-256-GCM:AES-128-GCM`.
> @@ -189,9 +189,9 @@ configured in a compatible way between both the local and
> remote side.
> Additionally, to allow for more smooth transition, if NCP is enabled,
> OpenVPN will inherit the cipher of the peer if that cipher is different
> from the local ``--cipher`` setting, but the peer cipher is one of the
> - ciphers specified in ``--ncp-ciphers``. E.g. a non-NCP client (<=v2.3,
> + ciphers specified in ``--data-ciphers``. E.g. a non-NCP client (<=v2.3,
> or with --ncp-disabled set) connecting to a NCP server (v2.4+) with
> - ``--cipher BF-CBC`` and ``--ncp-ciphers AES-256-GCM:AES-256-CBC`` set can
> + ``--cipher BF-CBC`` and ``--data-ciphers AES-256-GCM:AES-256-CBC`` set can
> either specify ``--cipher BF-CBC`` or ``--cipher AES-256-CBC`` and both
> will work.
>
> @@ -201,6 +201,9 @@ configured in a compatible way between both the local and
> remote side.
> This list is restricted to be 127 chars long after conversion to OpenVPN
> ciphers.
>
> + This option was called ``ncp-ciphers`` in OpenVPN 2.4 but has been renamed
> + to ``data-ciphers`` in OpenVPN 2.5 to more accurately reflect its meaning.
> +
> --ncp-disable
> Disable "Negotiable Crypto Parameters". This completely disables cipher
> negotiation.
> diff --git a/doc/man-sections/server-options.rst
> b/doc/man-sections/server-options.rst
> index c24aec0b..74ad5e18 100644
> --- a/doc/man-sections/server-options.rst
> +++ b/doc/man-sections/server-options.rst
> @@ -473,8 +473,8 @@ fast hardware. SSL/TLS authentication must be used in
> this mode.
> *AES-GCM-128* and *AES-GCM-256*.
>
> :code:`IV_CIPHERS=<ncp-ciphers>`
> - The client pushes the list of configured ciphers with the
> - ``--ciphers`` option to the server.
> + The client announces the list of supported ciphers configured with
> the
> + ``--data-ciphers`` option to the server.
>
> :code:`IV_GUI_VER=<gui_id> <version>`
> The UI version of a UI if one is running, for example
> diff --git a/sample/sample-config-files/client.conf
> b/sample/sample-config-files/client.conf
> index 7f2f30a3..47ca4099 100644
> --- a/sample/sample-config-files/client.conf
> +++ b/sample/sample-config-files/client.conf
> @@ -112,7 +112,7 @@ tls-auth ta.key 1
> # then you must also specify it here.
> # Note that v2.4 client/server will automatically
> # negotiate AES-256-GCM in TLS mode.
> -# See also the ncp-cipher option in the manpage
> +# See also the data-ciphers option in the manpage
> cipher AES-256-CBC
>
> # Enable compression on the VPN link.
> diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
> index 88ba9db2..d2549bca 100644
> --- a/src/openvpn/multi.c
> +++ b/src/openvpn/multi.c
> @@ -1827,7 +1827,7 @@ multi_client_set_protocol_options(struct context *c)
> else
> {
> /*
> - * Push the first cipher from --ncp-ciphers to the client that
> + * Push the first cipher from --data-ciphers to the client that
> * the client announces to be supporting.
> */
> char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers,
> o->ciphername,
> @@ -1847,7 +1847,7 @@ multi_client_set_protocol_options(struct context *c)
> {
> msg(M_INFO, "PUSH: No common cipher between server and "
> "client. Expect this connection not to work. Server "
> - "ncp-ciphers: '%s', client supported ciphers '%s'",
> + "data-ciphers: '%s', client supported ciphers '%s'",
> o->ncp_ciphers, peer_ciphers);
> }
> else
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 31e33ae3..896abcde 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -536,7 +536,7 @@ static const char usage_message[] =
> "--cipher alg : Encrypt packets with cipher algorithm alg\n"
> " (default=%s).\n"
> " Set alg=none to disable encryption.\n"
> - "--ncp-ciphers list : List of ciphers that are allowed to be
> negotiated.\n"
> + "--data-ciphers list : List of ciphers that are allowed to be
> negotiated.\n"
> "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n"
> "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
> " nonce_secret_len=nsl. Set alg=none to disable
> PRNG.\n"
> @@ -7866,7 +7866,8 @@ add_option(struct options *options,
> VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
> options->ciphername = p[1];
> }
> - else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2])
> + else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
> + && p[1] && !p[2])
> {
> VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
> options->ncp_ciphers = p[1];
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> index e057a40b..6760884e 100644
> --- a/src/openvpn/ssl_ncp.c
> +++ b/src/openvpn/ssl_ncp.c
> @@ -111,7 +111,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena
> *gc)
> const cipher_kt_t *ktc = cipher_kt_get(token);
> if (!ktc)
> {
> - msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token);
> + msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
> error_found = true;
> }
> else
> @@ -130,7 +130,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena
> *gc)
> if (!(buf_forward_capacity(&new_list) >
> strlen(ovpn_cipher_name) + 2))
> {
> - msg(M_WARN, "Length of --ncp-ciphers is over the "
> + msg(M_WARN, "Length of --data-ciphers is over the "
> "limit of 127 chars");
> error_found = true;
> }
>
Thanks. Patch looks good, and passes manual tests.
Acked-by: Steffan Karger <stef...@karger.me>
-Steffan
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
