From patchwork Fri Jul 17 03:47:38 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1284
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 17 Jul 2020 15:47:38 +0200
Message-Id: <20200717134739.21168-8-arne@rfc2549.org>
In-Reply-To: <20200717134739.21168-1-arne@rfc2549.org>
References: <20200717134739.21168-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 8/9] Rename ncp-ciphers to data-ciphers

The change in name signals that data-ciphers is the preferred way to
configure the data channel (and not --cipher). The data prefix is chosen
to avoid ambiguity and make it distinct from tls-cipher for the TLS
ciphers.

Signed-off-by: Arne Schwabe
Acked-by: Steffan Karger
---
 Changes.rst                            | 13 ++++++++++---
 doc/man-sections/protocol-options.rst  | 11 +++++++----
 doc/man-sections/server-options.rst    |  4 ++--
 sample/sample-config-files/client.conf |  2 +-
 src/openvpn/multi.c                    |  4 ++--
 src/openvpn/options.c                  |  5 +++--
 src/openvpn/ssl_ncp.c                  |  4 ++--
 7 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/Changes.rst b/Changes.rst
index 6e283270..2158c8e7 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -14,12 +14,19 @@ ChaCha20-Poly1305 cipher support channel. Improved Data channel cipher negotiation + The option ``ncp-ciphers`` has been renamed to ``data-ciphers``. + The old name is still accepted. The change in name signals that + ``data-ciphers`` is the preferred way to configure data channel + ciphers and the data prefix is chosen to avoid the ambiguity that + exists with ``--cipher`` for the data cipher and ``tls-cipher`` + for the TLS ciphers. + OpenVPN clients will now signal all supported ciphers from the - ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN - servers will select the first common cipher from the ``ncp-ciphers`` + ``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN + servers will select the first common cipher from the ``data-ciphers`` list instead of blindly pushing the first cipher of the list. This allows to use a configuration like - ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that + ``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that prefers ChaCha20-Poly1305 but uses it only if the client supports it. Asynchronous (deferred) authentication support for auth-pam plugin. diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst index 923d2da0..051f1d32 100644 --- a/doc/man-sections/protocol-options.rst +++ b/doc/man-sections/protocol-options.rst @@ -62,7 +62,7 @@ configured in a compatible way between both the local and remote side. The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher Block Chaining mode. When cipher negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server side will automatically - upgrade to :code:`AES-256-GCM`. See ``--ncp-ciphers`` and + upgrade to :code:`AES-256-GCM`. See ``--data-ciphers`` and ``--ncp-disable`` for more details on NCP. Using :code:`BF-CBC` is no longer recommended, because of its 64-bit 
@@ -169,7 +169,7 @@ configured in a compatible way between both the local and remote side. non-standard key lengths, and a larger key may offer no real guarantee of greater security, or may even reduce security. ---ncp-ciphers cipher-list +--data-ciphers cipher-list Restrict the allowed ciphers to be negotiated to the ciphers in ``cipher-list``. ``cipher-list`` is a colon-separated list of ciphers, and defaults to :code:`AES-256-GCM:AES-128-GCM`. @@ -189,9 +189,9 @@ configured in a compatible way between both the local and remote side. Additionally, to allow for more smooth transition, if NCP is enabled, OpenVPN will inherit the cipher of the peer if that cipher is different from the local ``--cipher`` setting, but the peer cipher is one of the - ciphers specified in ``--ncp-ciphers``. E.g. a non-NCP client (<=v2.3, + ciphers specified in ``--data-ciphers``. E.g. a non-NCP client (<=v2.3, or with --ncp-disabled set) connecting to a NCP server (v2.4+) with - ``--cipher BF-CBC`` and ``--ncp-ciphers AES-256-GCM:AES-256-CBC`` set can + ``--cipher BF-CBC`` and ``--data-ciphers AES-256-GCM:AES-256-CBC`` set can either specify ``--cipher BF-CBC`` or ``--cipher AES-256-CBC`` and both will work. @@ -201,6 +201,9 @@ configured in a compatible way between both the local and remote side. This list is restricted to be 127 chars long after conversion to OpenVPN ciphers. + This option was called ``ncp-ciphers`` in OpenVPN 2.4 but has been renamed + to ``data-ciphers`` in OpenVPN 2.5 to more accurately reflect its meaning. + --ncp-disable Disable "Negotiable Crypto Parameters". This completely disables cipher negotiation. diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index c24aec0b..74ad5e18 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -473,8 +473,8 @@ fast hardware. SSL/TLS authentication must be used in this mode. *AES-GCM-128* and *AES-GCM-256*. :code:`IV_CIPHERS=` - The client pushes the list of configured ciphers with the - ``--ciphers`` option to the server. + The client announces the list of supported ciphers configured with the + ``--data-ciphers`` option to the server. :code:`IV_GUI_VER= ` The UI version of a UI if one is running, for example diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf index 7f2f30a3..47ca4099 100644 --- a/sample/sample-config-files/client.conf +++ b/sample/sample-config-files/client.conf @@ -112,7 +112,7 @@ tls-auth ta.key 1 # then you must also specify it here. # Note that v2.4 client/server will automatically # negotiate AES-256-GCM in TLS mode. -# See also the ncp-cipher option in the manpage +# See also the data-ciphers option in the manpage cipher AES-256-CBC # Enable compression on the VPN link. diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 88ba9db2..d2549bca 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1827,7 +1827,7 @@ multi_client_set_protocol_options(struct context *c) else { /* - * Push the first cipher from --ncp-ciphers to the client that + * Push the first cipher from --data-ciphers to the client that * the client announces to be supporting. */ char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, o->ciphername, @@ -1847,7 +1847,7 @@ multi_client_set_protocol_options(struct context *c) { msg(M_INFO, "PUSH: No common cipher between server and " "client. Expect this connection not to work. Server " - "ncp-ciphers: '%s', client supported ciphers '%s'", + "data-ciphers: '%s', client supported ciphers '%s'", o->ncp_ciphers, peer_ciphers); } else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 31e33ae3..896abcde 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -536,7 +536,7 @@ static const char usage_message[] = "--cipher alg : Encrypt packets with cipher algorithm alg\n" " (default=%s).\n" " Set alg=none to disable encryption.\n" - "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n" + "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n" "--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n" "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n" " nonce_secret_len=nsl. Set alg=none to disable PRNG.\n" @@ -7866,7 +7866,8 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE); options->ciphername = p[1]; } - else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2]) + else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers")) + && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE); options->ncp_ciphers = p[1]; diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index e057a40b..6760884e 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -111,7 +111,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) const cipher_kt_t *ktc = cipher_kt_get(token); if (!ktc) { - msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token); + msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token); error_found = true; } else @@ -130,7 +130,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) if (!(buf_forward_capacity(&new_list) > strlen(ovpn_cipher_name) + 2)) { - msg(M_WARN, "Length of --ncp-ciphers is over the " + msg(M_WARN, "Length of --data-ciphers is over the " "limit of 127 chars"); error_found = true; }
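Review bot: the Changes.rst hunk (@@ -14) says "The old name is still accepted" but not whether ``ncp-ciphers`` is deprecated, which is what a reader deciding whether to migrate configs needs to know; ``--ncp-disable`` is explicitly marked (DEPRECATED) in the usage text of this same patch, so state here whether ``ncp-ciphers`` is scheduled for removal or kept as a permanent alias. Minor: the added paragraph writes ``--cipher`` with dashes but ``data-ciphers`` and ``tls-cipher`` without; pick one form.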
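Review bot: the unchanged context line in the protocol-options.rst @@ -189 hunk reads "or with --ncp-disabled set", but the option is ``--ncp-disable``, as both the ``--ncp-disable`` entry a few lines below and the usage text in options.c spell it; since the surrounding lines are being rewritten anyway, fix that typo in the same hunk.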
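Review bot: the paragraph added in the protocol-options.rst @@ -201 hunk ("was called ``ncp-ciphers`` in OpenVPN 2.4 but has been renamed") does not say that the old spelling is still accepted, which is what the options.c change implements and what Changes.rst states; a man page reader could conclude that a 2.4 config stops working on 2.5. Suggest: "This option was called ``ncp-ciphers`` in OpenVPN 2.4; that name is still accepted as an alias."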
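Review bot: the IV_CIPHERS text in the server-options.rst @@ -473 hunk now names the right option but still does not say what the server does with the announced list; Changes.rst in this same patch describes the server selecting the first common cipher from its ``--data-ciphers`` list, so one sentence here would tie the two together, e.g. "The server selects the first cipher of its own ``--data-ciphers`` list that also appears in this list."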
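Review bot: the sample client.conf hunk only swaps the option name in the comment, so the sample still instructs users to match the server with ``cipher AES-256-CBC`` while the commit message and Changes.rst say ``data-ciphers`` is now the preferred way to configure the data channel cipher; the comment should at least say that a 2.5 client negotiates from ``data-ciphers`` rather than ``cipher``, otherwise the sample contradicts the man page it points to. Acceptable as a follow-up if out of scope for a rename.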
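Review bot: the "No common cipher between server and client" message in the multi.c @@ -1847 hunk is logged at M_INFO although its own text says the connection is expected not to work; since the string is being edited anyway, raising it to M_WARN would keep the failure visible for deployments that log at warning level. Pre-existing, not introduced by this patch.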
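Review bot: the usage text in the options.c @@ -536 hunk replaces ``--ncp-ciphers`` with ``--data-ciphers`` and drops the old name entirely, while the parser hunk below still accepts it and the very next line labels ``--ncp-disable`` as (DEPRECATED); mention the alias in the help output so that ``--help`` agrees with what the parser accepts, e.g. a second line "(--ncp-ciphers is accepted as an alias)".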
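Review bot: in the options.c @@ -7866 hunk both spellings assign ``options->ncp_ciphers = p[1]``, so a config that contains both ``ncp-ciphers`` and ``data-ciphers`` silently keeps whichever comes last; a warning when the value was already set via the other spelling would make that conflict visible. Also consider a deprecation notice when the ``ncp-ciphers`` spelling is used, consistent with the (DEPRECATED) marking of ``--ncp-disable`` in the usage text, unless the old name is meant to stay indefinitely (Changes.rst does not say either way).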
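Review bot: both warnings changed in ssl_ncp.c (@@ -111 "Unsupported cipher in --data-ciphers" and @@ -130 "Length of --data-ciphers is over the limit of 127 chars") now name ``--data-ciphers`` even when the user wrote ``ncp-ciphers``, which the parser still accepts; a user grepping their config for the option named in the warning will not find it. Either mention both names in the messages or make sure the alias is documented in the man page entry. Minor.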