Although we want to get rid of none as cipher, we still have not
deprecated it. In order to use it currently you need
--ncp-disable together with --cipher none to use the none cipher
otherwise OpenVPN will spit out an error about an unrecognised
cipher in --data-ciphers.
In our current situation allowing none to be specified in data-ciphers
is the lesser evil.
This commit also fixes that we use '[null-cipher]' instead 'none' when
setting remote_cipher.
Note that negotiating to cipher 'none' can the same the same problems
with frame size calculation as any other non AEAD cipher. If
--cipher none is also specified in the configuration, the workaround
of commit
e539c95dc will also apply to cipher none.
Patch V2: Also work correctly if remote_cipher is NULL.
Patch V3: fix unit tests, add note about corner case
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <
20201008115959.21151-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21181.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
multi->remote_ciphername =
options_string_extract_option(options, "cipher", NULL);
+ /* In OCC we send '[null-cipher]' instead 'none' */
+ if (multi->remote_ciphername
+ && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
+ {
+ free(multi->remote_ciphername);
+ multi->remote_ciphername = string_alloc("none", NULL);
+ }
+
if (tls_session_user_pass_enabled(session))
{
/* Perform username/password authentication */
* e.g. replacing AeS-128-gCm with AES-128-GCM
*/
const cipher_kt_t *ktc = cipher_kt_get(token);
- if (!ktc)
+ if (strcmp(token, "none") == 0)
+ {
+ msg(M_WARN, "WARNING: cipher 'none' specified for --data-ciphers. "
+ "This allows negotiation of NO encryption and "
+ "tunnelled data WILL then be transmitted in clear text "
+ "over the network! "
+ "PLEASE DO RECONSIDER THIS SETTING!");
+ }
+ if (!ktc && strcmp(token, "none") != 0)
{
msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
error_found = true;
else
{
const char *ovpn_cipher_name = cipher_kt_name(ktc);
+ if (ktc == NULL)
+ {
+ /* NULL resolves to [null-cipher] but we need none for
+ * data-ciphers */
+ ovpn_cipher_name = "none";
+ }
if (buf_len(&new_list)> 0)
{
"to this server.");
return false;
}
-}
\ No newline at end of file
+}
struct gc_arena gc = gc_new();
bool have_chacha = cipher_kt_get("CHACHA20-POLY1305");
-
+ assert_string_equal(mutate_ncp_cipher_list("none", &gc), "none");
+ assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:none", &gc),
+ "AES-256-GCM:none");
assert_string_equal(mutate_ncp_cipher_list(aes_ciphers, &gc), aes_ciphers);
char *best_cipher;
const char *serverlist = "CHACHA20_POLY1305:AES-128-GCM";
- const char *serverlistbfcbc = "CHACHA20_POLY1305:AES-128-GCM:BF-CBC";
+ const char *serverlistbfcbc = "CHACHA20_POLY1305:AES-128-GCM:BF-CBC:none";
best_cipher = ncp_get_best_cipher(serverlist,
"IV_YOLO=NO\nIV_BAR=7",
assert_string_equal(best_cipher, "AES-128-GCM");
+ best_cipher = ncp_get_best_cipher(serverlist, NULL,
+ "none", &gc);
+ assert_ptr_equal(best_cipher, NULL);
+
+ best_cipher = ncp_get_best_cipher(serverlistbfcbc, NULL,
+ "none", &gc);
+ assert_string_equal(best_cipher, "none");
+
best_cipher = ncp_get_best_cipher(serverlist, NULL,NULL, &gc);
assert_ptr_equal(best_cipher, NULL);
projects / thirdparty / openvpn.git / commitdiff
