[Openvpn-devel,v3,1/9] Implement optional cipher in --data-ciphers prefixed with ?

Message ID 20211206145652.3141891-1-arne@rfc2549.org
State Not Applicable
Headers show
Series [Openvpn-devel,v3,1/9] Implement optional cipher in --data-ciphers prefixed with ? | expand

Commit Message

Arne Schwabe Dec. 6, 2021, 3:56 a.m. UTC
This allows to use the same configuration multiple platforms/ssl libraries
and include optional algorithms that are not available on all platforms

For example "AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305" can be used to
emulate the default behaviour of OpenVPN 2.6.

Patch v2: fix error_found reset by optional cipher, fix typo in Changes.rst
Patch v3: remove part of other patch accidently included

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_ncp.c               | 4 ++--
 tests/unit_tests/openvpn/test_ncp.c | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

Comments

Arne Schwabe Dec. 6, 2021, 4:06 a.m. UTC | #1
Am 06.12.21 um 15:56 schrieb Arne Schwabe:
> This allows to use the same configuration multiple platforms/ssl libraries
> and include optional algorithms that are not available on all platforms
> 
> For example "AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305" can be used to
> emulate the default behaviour of OpenVPN 2.6.
> 
> Patch v2: fix error_found reset by optional cipher, fix typo in Changes.rst
> Patch v3: remove part of other patch accidently included
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> ---
>   src/openvpn/ssl_ncp.c               | 4 ++--
>   tests/unit_tests/openvpn/test_ncp.c | 3 +++
>   2 files changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> index 7ad825038..7f5e6fe8b 100644
> --- a/src/openvpn/ssl_ncp.c
> +++ b/src/openvpn/ssl_ncp.c
> @@ -134,7 +134,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
>           {
>               const char* optstr = optional ? "optional ": "";
>               msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token);
> -            error_found = !optional;
> +            error_found = error_found || !optional;
>           }
>           else
>           {
> @@ -489,4 +489,4 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
>           multi->use_peer_id, multi->peer_id, common_cipher);
>   
>       gc_free(&gc);
> -}
> \ No newline at end of file
> +}
> diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c
> index faf09a36c..6702133ad 100644
> --- a/tests/unit_tests/openvpn/test_ncp.c
> +++ b/tests/unit_tests/openvpn/test_ncp.c
> @@ -95,6 +95,9 @@ test_check_ncp_ciphers_list(void **state)
>       /* All unsupported should still yield an empty list */
>       assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL);
>   
> +    /* If the last is optional, previous invalid ciphers should be ignored */
> +    assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL);
> +
>       /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
>        * a different spelling the normalised cipher output is the same */
>       bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");
> 

Disregard this. I did not realise the original version of the patch had 
been already pushed to master. I will amend the commmit to make this is 
a follow up patch.

Arne

Patch

diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index 7ad825038..7f5e6fe8b 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -134,7 +134,7 @@  mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
         {
             const char* optstr = optional ? "optional ": "";
             msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token);
-            error_found = !optional;
+            error_found = error_found || !optional;
         }
         else
         {
@@ -489,4 +489,4 @@  p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
         multi->use_peer_id, multi->peer_id, common_cipher);
 
     gc_free(&gc);
-}
\ No newline at end of file
+}
diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c
index faf09a36c..6702133ad 100644
--- a/tests/unit_tests/openvpn/test_ncp.c
+++ b/tests/unit_tests/openvpn/test_ncp.c
@@ -95,6 +95,9 @@  test_check_ncp_ciphers_list(void **state)
     /* All unsupported should still yield an empty list */
     assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL);
 
+    /* If the last is optional, previous invalid ciphers should be ignored */
+    assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL);
+
     /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
      * a different spelling the normalised cipher output is the same */
     bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");