[Openvpn-devel,2/2] Also announce IV_CIPHERS as client in OpenVPN 2.4

Message ID 20200830140736.16571-3-arne@rfc2549.org
State New
Headers show
Series
  • Backport/implement IV_CIPHERS support for OpenVPN 2.4
Related show

Commit Message

Arne Schwabe Aug. 30, 2020, 2:07 p.m.
This improves compatbility to a OpenVPN 2.5 server and
allows to negotiate a different cipher than AES-128/256-GCM
without abusing the poor man's NCP support with --cipher.

We keep the IV_NCP=2 flag logic as broken as it is since 2.5 server
ignore the flag if IV_CIPHERS is set and this might break existing
2.4 setups.

Server support for IV_CIPHERS is not added since it would be quite
intrusive and users should rather upgrade to 2.5 on the server
if they want the full benefits.

This commit cherry picks a few parts of
868b200c3aef6ee5acfdf679770832018ebc7b70

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/init.c       |  1 +
 src/openvpn/ssl.c        | 11 +++++++++++
 src/openvpn/ssl_common.h |  1 +
 3 files changed, 13 insertions(+)

Comments

Arne Schwabe Aug. 30, 2020, 4:29 p.m. | #1
> +++ b/src/openvpn/ssl.c
> @@ -2311,7 +2311,18 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
>          if (session->opt->ncp_enabled
>              && (session->opt->mode == MODE_SERVER || session->opt->pull))
>          {
> +            /* We keep announcing IV_NCP=2 in OpenVPN 2.4 even though it is
> +             * technically wrong to ensure not to break 2.4 setups on a
> +             * minor release */
>              buf_printf(&out, "IV_NCP=2\n");
> +            buf_printf(&out, "IV_CIPHERS=%s", session->opt->config_ncp_ciphers);
> +            if (!tls_item_in_cipher_list(session->opt->config_ciphername,
> +                                         session->opt->config_ncp_ciphers))
> +            {
> +                buf_printf(&out, ":%s", session->opt->config_ciphername);
> +            }
> +            buf_printf(&out, "\n")

This line misses a ';' at the end :(

I forgot this amending. I can resend the patch if needed.

Arne

Patch

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index e153682e..7ce6dd97 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2734,6 +2734,7 @@  do_init_crypto_tls(struct context *c, const unsigned int flags)
     to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto);
     to.config_ciphername = c->c1.ciphername;
     to.config_authname = c->c1.authname;
+    to.config_ncp_ciphers = options->ncp_ciphers;
     to.ncp_enabled = options->ncp_enabled;
     to.transition_window = options->transition_window;
     to.handshake_window = options->handshake_window;
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index dd9c52fb..d70dcb46 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2311,7 +2311,18 @@  push_peer_info(struct buffer *buf, struct tls_session *session)
         if (session->opt->ncp_enabled
             && (session->opt->mode == MODE_SERVER || session->opt->pull))
         {
+            /* We keep announcing IV_NCP=2 in OpenVPN 2.4 even though it is
+             * technically wrong to ensure not to break 2.4 setups on a
+             * minor release */
             buf_printf(&out, "IV_NCP=2\n");
+            buf_printf(&out, "IV_CIPHERS=%s", session->opt->config_ncp_ciphers);
+            if (!tls_item_in_cipher_list(session->opt->config_ciphername,
+                                         session->opt->config_ncp_ciphers))
+            {
+                buf_printf(&out, ":%s", session->opt->config_ciphername);
+            }
+            buf_printf(&out, "\n")
+
         }
 
         /* push compression status */
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index ac25ffa7..378b81fd 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -286,6 +286,7 @@  struct tls_options
 
     const char *config_ciphername;
     const char *config_authname;
+    const char *config_ncp_ciphers;
     bool ncp_enabled;
 
     /** TLS handshake wrapping state */