Most TLS 1.3 libraries inlcude the Chacha20-Poly1305 based cipher suite
beside the AES-GCM based ones int he list of default ciphers suites.
Chacha20-Poly1305 is accepted as good alternative AEAD algorithm to the
AES-GCM algorithm by crypto community.
Follow this and include Chacha20-Poly1305 by default in data-ciphers
when available. This makes picking Chacha20-Poly1305 easier as it only
requires to change server (by changing priority) or client side (removing
AES-GCM from data-ciphers) to change to Chacha20-Poly1305.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <
20210818213354.687736-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22745.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This option mainly served a role as debug option when NCP was first
introduced. It should now no longer be necessary.
+
+User-visible Changes
+--------------------
+- CHACHA20-POLY1305 is included in the default of ``--data-ciphers`` when available.
+
Overview of changes in 2.5
==========================
OpenVPN 2.5 will only allow the ciphers specified in ``--data-ciphers``. To ensure
backwards compatibility also if a cipher is specified using the ``--cipher`` option
it is automatically added to this list. If both options are unset the default is
-:code:`AES-256-GCM:AES-128-GCM`.
+:code:`AES-256-GCM:AES-128-GCM`. In 2.6 and later the default is changed to
+:code:`AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305` when Chacha20-Poly1305 is available.
OpenVPN 2.4 clients
-------------------
--data-ciphers cipher-list
Restrict the allowed ciphers to be negotiated to the ciphers in
``cipher-list``. ``cipher-list`` is a colon-separated list of ciphers,
- and defaults to :code:`AES-256-GCM:AES-128-GCM`.
+ and defaults to :code:`AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305` when
+ Chacha20-Poly1305 is available and otherwise :code:`AES-256-GCM:AES-128-GCM`.
For servers, the first cipher from ``cipher-list`` that is also
supported by the client will be pushed to clients that support cipher
o->stale_routes_check_interval = 0;
o->ifconfig_pool_persist_refresh_freq = 600;
o->scheduled_exit_interval = 5;
- o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
o->authname = "SHA1";
o->prng_hash = "SHA1";
o->prng_nonce_secret_len = 16;
}
}
+/**
+ * Checks for availibility of Chacha20-Poly1305 and sets
+ * the ncp_cipher to either AES-256-GCM:AES-128-GCM or
+ * AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305.
+ */
+static void
+options_postprocess_setdefault_ncpciphers(struct options *o)
+{
+ if (o->ncp_ciphers)
+ {
+ /* custom --data-ciphers set, keep list */
+ return;
+ }
+ else if (cipher_kt_get("CHACHA20-POLY1305"))
+ {
+ o->ncp_ciphers = "AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305";
+ }
+ else
+ {
+ o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
+ }
+}
+
static void
options_postprocess_cipher(struct options *o)
{
helper_keepalive(o);
helper_tcp_nodelay(o);
+ options_postprocess_setdefault_ncpciphers(o);
options_postprocess_cipher(o);
options_postprocess_mutate_invariant(o);
projects / thirdparty / openvpn.git / commitdiff
