[Openvpn-devel,v3,1/9] Implement optional cipher in --data-ciphers prefixed with ?
Commit Message
This allows to use the same configuration multiple platforms/ssl libraries
and include optional algorithms that are not available on all platforms
For example "AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305" can be used to
emulate the default behaviour of OpenVPN 2.6.
Patch v2: fix error_found reset by optional cipher, fix typo in Changes.rst
Patch v3: remove part of other patch accidently included
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
src/openvpn/ssl_ncp.c | 4 ++--
tests/unit_tests/openvpn/test_ncp.c | 3 +++
2 files changed, 5 insertions(+), 2 deletions(-)
Comments
Am 06.12.21 um 15:56 schrieb Arne Schwabe:
> This allows to use the same configuration multiple platforms/ssl libraries
> and include optional algorithms that are not available on all platforms
>
> For example "AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305" can be used to
> emulate the default behaviour of OpenVPN 2.6.
>
> Patch v2: fix error_found reset by optional cipher, fix typo in Changes.rst
> Patch v3: remove part of other patch accidently included
>
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> ---
> src/openvpn/ssl_ncp.c | 4 ++--
> tests/unit_tests/openvpn/test_ncp.c | 3 +++
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> index 7ad825038..7f5e6fe8b 100644
> --- a/src/openvpn/ssl_ncp.c
> +++ b/src/openvpn/ssl_ncp.c
> @@ -134,7 +134,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
> {
> const char* optstr = optional ? "optional ": "";
> msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token);
> - error_found = !optional;
> + error_found = error_found || !optional;
> }
> else
> {
> @@ -489,4 +489,4 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
> multi->use_peer_id, multi->peer_id, common_cipher);
>
> gc_free(&gc);
> -}
> \ No newline at end of file
> +}
> diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c
> index faf09a36c..6702133ad 100644
> --- a/tests/unit_tests/openvpn/test_ncp.c
> +++ b/tests/unit_tests/openvpn/test_ncp.c
> @@ -95,6 +95,9 @@ test_check_ncp_ciphers_list(void **state)
> /* All unsupported should still yield an empty list */
> assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL);
>
> + /* If the last is optional, previous invalid ciphers should be ignored */
> + assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL);
> +
> /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
> * a different spelling the normalised cipher output is the same */
> bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");
>
Disregard this. I did not realise the original version of the patch had
been already pushed to master. I will amend the commmit to make this is
a follow up patch.
Arne
@@ -134,7 +134,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
{
const char* optstr = optional ? "optional ": "";
msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token);
- error_found = !optional;
+ error_found = error_found || !optional;
}
else
{
@@ -489,4 +489,4 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
multi->use_peer_id, multi->peer_id, common_cipher);
gc_free(&gc);
-}
\ No newline at end of file
+}
@@ -95,6 +95,9 @@ test_check_ncp_ciphers_list(void **state)
/* All unsupported should still yield an empty list */
assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL);
+ /* If the last is optional, previous invalid ciphers should be ignored */
+ assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL);
+
/* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
* a different spelling the normalised cipher output is the same */
bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");