From patchwork Sun Nov 17 07:12:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 924 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 6FRaDviN0V3jcgAAIUCqbw for ; Sun, 17 Nov 2019 13:14:16 -0500 Received: from proxy10.mail.iad3b.rsapps.net ([172.31.255.6]) by director11.mail.ord1d.rsapps.net with LMTP id CCHVC/iN0V3OXAAAvGGmqA ; Sun, 17 Nov 2019 13:14:16 -0500 Received: from smtp24.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy10.mail.iad3b.rsapps.net with LMTP id KEi7BviN0V1bKAAA/F5p9A ; Sun, 17 Nov 2019 13:14:16 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp24.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 101c1a9a-0966-11ea-ac7a-525400892b35-1-1 Received: from [216.105.38.7] ([216.105.38.7:34222] helo=lists.sourceforge.net) by smtp24.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 83/D3-05782-7FD81DD5; Sun, 17 Nov 2019 13:14:15 -0500 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1iWP2t-0006xM-4M; Sun, 17 Nov 2019 18:13:11 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1iWP2n-0006wW-FI for openvpn-devel@lists.sourceforge.net; Sun, 17 Nov 2019 18:13:05 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=tuEsuKiGRePh6d9UfSyKdJmGhOq4ujQDeqUClIx4bZE=; b=e7gZX+CMB4VdfEz6dAInXNGxU7 zRnyRbTgFQxtoqLziFnUNAVuMD1TnXV0SYeVrC7RUuivx6qyGVjkZ1fiGBYxG7rMxVAKgW7LXtksl 3+z0nRaCGyiw/3qtF6MXM2j4UWSFeuFU1d3bNhaNSgqXGKyYRI+LVVjEgANNllAfs8hc=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=tuEsuKiGRePh6d9UfSyKdJmGhOq4ujQDeqUClIx4bZE=; b=MOrzK9k2bjTikf4OeIyze/s++n ouLBBKEwWMRgs6isAfmqYve9Q7+4AGX4dghgE9ISzLlyt0w5LUwivFq7LjJSPhbL1msiE4QMN8meX N6VRPpdEIXmHvFhNE9zeuPmzd3/jnSIES7sxJ5Kq11m5UgPH3BSUGW5xqFbMqHadeKAk=; Received: from [192.26.174.232] (helo=mail.blinkt.de) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1iWP2j-003csw-48 for openvpn-devel@lists.sourceforge.net; Sun, 17 Nov 2019 18:13:05 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.92.3 (FreeBSD)) (envelope-from ) id 1iWP2R-000Aeq-Ud for openvpn-devel@lists.sourceforge.net; Sun, 17 Nov 2019 19:12:43 +0100 Received: (nullmailer pid 28964 invoked by uid 10006); Sun, 17 Nov 2019 18:12:43 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sun, 17 Nov 2019 19:12:40 +0100 Message-Id: <20191117181243.28919-1-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.0 RDNS_NONE Delivered to internal network by a host with no rDNS -0.2 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1iWP2j-003csw-48 Subject: [Openvpn-devel] [PATCH 1/4] Only announce IV_NCP=2 when we are willing to support these ciphers X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox We currently always announce IV_NCP=2 when we support these ciphers even when we do not accept them. This lead to a server pushing a AES-GCM-128 cipher to clients and the client then rejecting it. Signed-off-by: Arne Schwabe --- doc/openvpn.8 | 2 ++ src/openvpn/init.c | 4 ++++ src/openvpn/openvpn.h | 1 + src/openvpn/ssl.c | 4 +++- src/openvpn/ssl_common.h | 1 + 5 files changed, 11 insertions(+), 1 deletion(-) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 457c2667..ae24b6c0 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4392,6 +4392,8 @@ NCP server (v2.4+) with "\-\-cipher BF\-CBC" and "\-\-ncp\-ciphers AES\-256\-GCM:AES\-256\-CBC" set can either specify "\-\-cipher BF\-CBC" or "\-\-cipher AES\-256\-CBC" and both will work. +Note, for using NCP with a OpenVPN 2.4 server this list must include +the AES\-256\-GCM and AES\-128\-GCM ciphers. .\"********************************************************* .TP .B \-\-ncp\-disable diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 0bdb0a9c..8f142311 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -623,6 +623,7 @@ save_ncp_options(struct context *c) c->c1.ciphername = c->options.ciphername; c->c1.authname = c->options.authname; c->c1.keysize = c->options.keysize; + c->c1.ncp_ciphers = c->options.ncp_ciphers; } /* Restores NCP-negotiable options to original values */ @@ -632,6 +633,7 @@ restore_ncp_options(struct context *c) c->options.ciphername = c->c1.ciphername; c->options.authname = c->c1.authname; c->options.keysize = c->c1.keysize; + c->options.ncp_ciphers = c->c1.ncp_ciphers; } void @@ -2827,6 +2829,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.tcp_mode = link_socket_proto_connection_oriented(options->ce.proto); to.config_ciphername = c->c1.ciphername; to.config_authname = c->c1.authname; + to.config_ncp_ciphers = c->c1.ncp_ciphers; to.ncp_enabled = options->ncp_enabled; to.transition_window = options->transition_window; to.handshake_window = options->handshake_window; @@ -4532,6 +4535,7 @@ inherit_context_child(struct context *dest, dest->c1.ciphername = src->c1.ciphername; dest->c1.authname = src->c1.authname; dest->c1.keysize = src->c1.keysize; + dest->c1.ncp_ciphers = src->c1.ncp_ciphers; /* inherit auth-token */ dest->c1.ks.auth_token_key = src->c1.ks.auth_token_key; diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 900db7e1..9e46ad6c 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -209,6 +209,7 @@ struct context_1 const char *ciphername; /**< Data channel cipher from config file */ const char *authname; /**< Data channel auth from config file */ + const char *ncp_ciphers; /**< NCP Ciphers */ int keysize; /**< Data channel keysize from config file */ #endif }; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 4455ebb8..6ca5c79a 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2322,7 +2322,9 @@ push_peer_info(struct buffer *buf, struct tls_session *session) /* support for Negotiable Crypto Parameters */ if (session->opt->ncp_enabled - && (session->opt->mode == MODE_SERVER || session->opt->pull)) + && (session->opt->mode == MODE_SERVER || session->opt->pull) + && tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers) + && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers)) { buf_printf(&out, "IV_NCP=2\n"); } diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 8dd08862..fb82f610 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -290,6 +290,7 @@ struct tls_options const char *config_ciphername; const char *config_authname; + const char *config_ncp_ciphers; bool ncp_enabled; bool tls_crypt_v2;