[Openvpn-devel,v4,1/5] Only announce IV_NCP=2 when we are willing to support these ciphers

Message ID 20200217144339.3273-2-arne@rfc2549.org
State Accepted
Headers show
Series
  • NCP v2 patch set
Related show

Commit Message

Arne Schwabe Feb. 17, 2020, 2:43 p.m.
We currently always announce IV_NCP=2 when we support these ciphers even
when we do not accept them. This lead to a server pushing a AES-GCM-128
cipher to clients and the client then rejecting it.

Patch V2:  Remove unecessary restoring of ncp_ciphers
Patch V3:  Do not add ncp_ciphers in context

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 doc/openvpn.8            | 2 ++
 src/openvpn/init.c       | 1 +
 src/openvpn/ssl.c        | 4 +++-
 src/openvpn/ssl_common.h | 1 +
 4 files changed, 7 insertions(+), 1 deletion(-)

Comments

Lev Stipakov Feb. 17, 2020, 2:50 p.m. | #1
Previous version has been acked, I checked that there are no changes, so

Acked-by: Lev Stipakov <lstipakov@gmail.com>
Gert Doering Feb. 17, 2020, 6:33 p.m. | #2
Your patch has been applied to the master branch.

(Have stared at the patch a bit and gave it a t_client test run, did
not explicitly test the case without the required ciphers)

commit 868b200c3aef6ee5acfdf679770832018ebc7b70
Author: Arne Schwabe
Date:   Mon Feb 17 15:43:35 2020 +0100

     Only announce IV_NCP=2 when we are willing to support these ciphers

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Lev Stipakov <lstipakov@gmail.com>
     Message-Id: <20200217144339.3273-2-arne@rfc2549.org>
     URL: https://www.mail-archive.com/search?l=mid&q=20200217144339.3273-2-arne@rfc2549.org
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 8feb3b9c..b8f2f042 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4398,6 +4398,8 @@  NCP server (v2.4+) with "\-\-cipher BF\-CBC" and "\-\-ncp\-ciphers
 AES\-256\-GCM:AES\-256\-CBC" set can either specify "\-\-cipher BF\-CBC" or
 "\-\-cipher AES\-256\-CBC" and both will work.
 
+Note, for using NCP with a OpenVPN 2.4 server this list must include
+the AES\-256\-GCM and AES\-128\-GCM ciphers.
 .\"*********************************************************
 .TP
 .B \-\-ncp\-disable
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 04207b61..5c2f801a 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2827,6 +2827,7 @@  do_init_crypto_tls(struct context *c, const unsigned int flags)
     to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
     to.config_ciphername = c->c1.ciphername;
     to.config_authname = c->c1.authname;
+    to.config_ncp_ciphers = options->ncp_ciphers;
     to.ncp_enabled = options->ncp_enabled;
     to.transition_window = options->transition_window;
     to.handshake_window = options->handshake_window;
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index e708fc93..b8351737 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2322,7 +2322,9 @@  push_peer_info(struct buffer *buf, struct tls_session *session)
 
         /* support for Negotiable Crypto Parameters */
         if (session->opt->ncp_enabled
-            && (session->opt->mode == MODE_SERVER || session->opt->pull))
+            && (session->opt->mode == MODE_SERVER || session->opt->pull)
+            && tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
+            && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
         {
             buf_printf(&out, "IV_NCP=2\n");
         }
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 8dd08862..fb82f610 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -290,6 +290,7 @@  struct tls_options
 
     const char *config_ciphername;
     const char *config_authname;
+    const char *config_ncp_ciphers;
     bool ncp_enabled;
 
     bool tls_crypt_v2;