From patchwork Fri Nov 5 04:07:42 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2057
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 5 Nov 2021 16:07:42 +0100
Message-Id: <20211105150742.2909443-1-arne@rfc2549.org>
In-Reply-To: <20211006180644.3081219-1-arne@rfc2549.org>
References: <20211006180644.3081219-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2] Default to --cipher BF-CBC if not set and compat-mode < 2.4.0

When we try to make a configuration compatible with a version earlier than 2.4.0 we probably need to have a --cipher configured since NCP is not available. In configurations where --cipher is not specified we default to BF-CBC to support these old clients.
Note that with OpenSSL 3.0 you will also need to enable the legacy provider, otherwise we bail out since BF-CBC is no longer supported.

Also move the condition so BF-CBC gets included in the data-ciphers list.

Patch v2: move the comment to a better place.

Signed-off-by: Arne Schwabe
Reviewed-by: Antonio Quartulli
Acked-by: Antonio Quartulli
---
 src/openvpn/options.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 4dc70e4f3..6751084af 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3186,6 +3186,19 @@ options_set_backwards_compatible_options(struct options *o) } } + if (need_compatibility_before(o, 20400)) + { + if (!o->ciphername) + { + /* If ciphername is not set default to BF-CBC when targeting these + * old versions that do not have NCP */ + o->ciphername = "BF-CBC"; + } + /* Versions < 2.4.0 additionally might be compiled with --enable-small and + * not have OCC strings required for "poor man's NCP" */ + o->enable_ncp_fallback = true; + } + /* Versions < 2.5.0 do need --cipher in the list of accepted ciphers. * Version 2.4 might probably does not need it but NCP was not so * good with 2.4 and ncp-disable might be more common on 2.4 peers.
@@ -3198,13 +3211,6 @@ options_set_backwards_compatible_options(struct options *o) append_cipher_to_ncp_list(o, o->ciphername); } - /* Versions < 2.4.0 additionally might be compiled with --enable-small and - * not have OCC strings required for "poor man's NCP" */ - if (o->ciphername && need_compatibility_before(o, 20400)) - { - o->enable_ncp_fallback = true; - } - #ifdef USE_COMP /* Compression is deprecated and we do not want to announce support for it * by default anymore, additionally DCO breaks with compression.
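Review bot: in the first hunk the assignment `o->ciphername = "BF-CBC";` happens silently, so a config with no --cipher line ends up on a 64-bit block cipher purely because of --compat-mode, and under OpenSSL 3.0 the user then only sees the later bail-out without any hint of the cause. Consider emitting a msg(M_WARN, ...) at that point along the lines of "--compat-mode < 2.4.0 without --cipher: defaulting to BF-CBC; OpenSSL 3.0 needs the legacy provider for this" so the downgrade and the legacy-provider requirement from the commit message are visible in the log. Since ciphername now points at a string literal, please also confirm it is only ever read and never freed. Minor: the retained comment "Version 2.4 might probably does not need it" reads wrong and could be tidied to "Version 2.4 probably does not need it" while this block is being touched.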
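To see what the rule described in this message does to a concrete config, here is an added example that is not part of the patch or of OpenVPN's own code: a small Python linter that reads an OpenVPN config, applies the compat-mode defaulting (compat-mode earlier than 2.4.0 with no --cipher gives BF-CBC and turns on the NCP fallback; peers older than 2.5.0 additionally get --cipher appended to data-ciphers) and flags the OpenSSL 3.0 legacy-provider requirement. The option names compat-mode, cipher, data-ciphers and providers are OpenVPN's; the default data-ciphers list, the parse_config/effective_cipher/lint helper names and the sample config are assumptions made for this example.

```python
"""
Added example, not code from the patch or from OpenVPN: applies the
--compat-mode cipher defaulting rule to a config and reports the result.
"""
import re

NCP_VERSION = 20400           # 2.4.0: first OpenVPN release with NCP (cipher negotiation)
DATA_CIPHERS_VERSION = 20500  # 2.5.0: peers before this still need --cipher in data-ciphers
LEGACY_PROVIDER_CIPHERS = {"BF-CBC"}  # OpenSSL 3.0 serves Blowfish only from the legacy provider
DEFAULT_DATA_CIPHERS = "AES-256-GCM:AES-128-GCM"  # assumed default list for this example


def parse_version(text):
    """Encode '2.3.18' as 20318, the MAJOR*10000 + MINOR*100 + PATCH form the patch compares against."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"bad version: {text!r}")
    major, minor, patch = (int(x or 0) for x in m.groups())
    return major * 10000 + minor * 100 + patch


def parse_config(text):
    """Collect top-level options as {name: [args]}; comments and <inline> file blocks are skipped."""
    opts = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def effective_cipher(opts):
    """Apply the compat-mode defaulting rule and report what the data channel will use."""
    compat = parse_version(opts["compat-mode"][0]) if "compat-mode" in opts else None
    cipher = opts["cipher"][0].upper() if "cipher" in opts else None
    data_ciphers = (opts["data-ciphers"][0] if "data-ciphers" in opts else DEFAULT_DATA_CIPHERS).upper().split(":")
    ncp_fallback = False

    if compat is not None and compat < NCP_VERSION:
        if cipher is None:
            cipher = "BF-CBC"       # the default the patch introduces for pre-NCP peers
        ncp_fallback = True         # pre-2.4.0 peers may lack the OCC strings used for "poor man's NCP"

    if compat is not None and compat < DATA_CIPHERS_VERSION and cipher and cipher not in data_ciphers:
        data_ciphers.append(cipher)  # --cipher must also be in the accepted list for < 2.5.0 peers

    providers = [p.lower() for p in opts.get("providers", ["default"])]
    warnings = []
    if cipher in LEGACY_PROVIDER_CIPHERS:
        warnings.append(f"{cipher} is a 64-bit block cipher (SWEET32); keep it only for peers that cannot negotiate")
        if "legacy" not in providers:
            warnings.append(f"OpenSSL 3.0 will reject {cipher}: add 'providers legacy default'")
    return {"cipher": cipher, "data_ciphers": data_ciphers, "ncp_fallback": ncp_fallback, "warnings": warnings}


def lint(text):
    """Parse a config and return the effective cipher report."""
    return effective_cipher(parse_config(text))


# Constructed sample: a client config for a 2.3-era server, with no --cipher line.
OLD_PEER_CONFIG = """\
client
dev tun
remote vpn.example.test 1194
compat-mode 2.3.0
<ca>
(certificate omitted in this constructed sample)
</ca>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(lint(OLD_PEER_CONFIG), indent=2))
```

Import lint() or adapt the __main__ block to read a real file; a report whose warnings mention the legacy provider means the setup in the commit message will bail out under OpenSSL 3.0 until `providers legacy default` is added, and a report that shows BF-CBC at all is a reason to ask whether the old peer can be upgraded instead.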