From 02d82cd5f06c9139abc58f4bb69898bec07faf4c Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 19 Mar 2024 20:44:18 +0100 Subject: [PATCH] ovpnmain.cgi: Force NCP on clients This change requires that all clients support NCP if they are set up with a new connection. Existing clients remain supported using the fallback cipher option. This will result that connections with OpenVPN <= 2.3 cannot be set up any more which is totally fine since that version is EOL. Signed-off-by: Michael Tremer --- doc/language_issues.de | 2 +- doc/language_issues.en | 2 +- doc/language_issues.es | 2 +- doc/language_issues.fr | 2 +- doc/language_issues.it | 2 +- doc/language_issues.nl | 2 +- doc/language_issues.pl | 2 +- doc/language_issues.ru | 2 +- doc/language_issues.tr | 2 +- doc/language_missings | 16 ++++++++-------- html/cgi-bin/ovpnmain.cgi | 23 +++++++---------------- langs/en/cgi-bin/en.pl | 2 +- 12 files changed, 25 insertions(+), 34 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index 60a42175e..2f9000b07 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -1014,7 +1014,7 @@ WARNING: untranslated string: optional = Optional WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire invalid tree = Invalid repository selected 
diff --git a/doc/language_issues.en b/doc/language_issues.en index b398e25ed..eb43246d4 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1436,8 +1436,8 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn on blue = OpenVPN on BLUE: WARNING: untranslated string: ovpn on orange = OpenVPN on ORANGE: diff --git a/doc/language_issues.es b/doc/language_issues.es index 735fe3d80..e44a4568a 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -1077,7 +1077,7 @@ WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 0aa069111..6497a117c 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -1025,7 +1025,7 @@ WARNING: untranslated string: oops something went wrong = Oops, something went w WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. diff --git a/doc/language_issues.it b/doc/language_issues.it index ce9f2657f..f23439f68 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1263,7 +1263,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 1d9df3022..05bfb9f23 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1289,7 +1289,7 @@ WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: diff --git a/doc/language_issues.pl b/doc/language_issues.pl index ec63c0aa6..c3511696d 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1453,8 +1453,8 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 249df9230..ff5f8940d 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -1448,8 +1448,8 @@ WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server diff --git a/doc/language_issues.tr b/doc/language_issues.tr index eaaa90a15..d06b71a6c 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -1177,7 +1177,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: 
diff --git a/doc/language_missings b/doc/language_missings index cd29d5f9e..5c23b4bfd 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -88,7 +88,7 @@ < ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn unsupported cipher selected < quick control @@ -167,7 +167,7 @@ < ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn unsupported cipher selected < processors @@ -220,7 +220,7 @@ < ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn unsupported cipher selected < processors @@ -617,7 +617,7 @@ < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth @@ -1197,7 +1197,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn reneg sec < ovpn roadwarrior server < ovpn rw connection log @@ -2095,7 +2095,6 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha -< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -2104,6 +2103,7 @@ < ovpn mtu-disc off < ovpn mtu-disc with mssfix or fragment < ovpn mtu-disc yes +< ovpn no cipher selected < ovpn no connections < ovpn port in root range < ovpn reneg sec @@ -3127,7 +3127,6 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha -< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 
@@ -3136,6 +3135,7 @@ < ovpn mtu-disc off < ovpn mtu-disc with mssfix or fragment < ovpn mtu-disc yes +< ovpn no cipher selected < ovpn no connections < ovpn port in root range < ovpn reneg sec @@ -3659,7 +3659,7 @@ < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 3f9abf922..21d7391d4 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -715,9 +715,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); - # If NCP is disabled, we need the fallback cipher - if ($cgiparams{'DATACIPHERS'} eq '' && $cgiparams{'DCIPHER'} eq '') { - $errormessage = $Lang::tr{'ovpn if ncp is disabled we must have cipher'}; + # We must have at least one cipher selected + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage = $Lang::tr{'ovpn no cipher selected'}; goto ADV_ERROR; } @@ -2178,18 +2178,9 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - # Cryptography - - # If no data ciphers have been selected, we try to use the fallback cipher - if ($vpnsettings{'DATACIPHERS'} eq '') { - print CLIENTCONF "ncp-disable\r\n"; - - if ($vpnsettings{'DCIPHER'} ne '') { - print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; - } - } else { - # Otherwise we don't write anything because the server and client will negotiate - } + # We no longer send any cryptographic configuration since 2.6. + # That way, we will be able to push this from the server. + # Therefore we always mandate NCP for new clients. print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; 
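Review bot: The new check `if ($cgiparams{'DATACIPHERS'} eq '')` silently drops the fallback cipher (DCIPHER) from validation without saying why it is still accepted, which a later reader of this handler will not be able to reconstruct from the code. Suggest a comment above the check such as `# DCIPHER (data-ciphers-fallback) is optional now: new clients always negotiate, it only serves legacy clients that cannot` so the relation between the two settings stays documented next to the check. If the multi-select can be submitted with nothing checked and the key is then absent from %cgiparams, `($cgiparams{'DATACIPHERS'} // '') eq ''` keeps the comparison warning-free under `use warnings`. The per-cipher validation against @SUPPORTED_CIPHERS and the rest of the save-adv-options handler are outside this hunk.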
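Review bot: The new comment states that no cryptographic configuration is sent to the client any more, but the very next line still writes `auth $vpnsettings{'DAUTH'}` into the client config, so the comment overstates what was removed. Suggest narrowing it to `# Since OpenVPN 2.6 we no longer pin a data-channel cipher (or ncp-disable) in the client config; the server pushes it via NCP, so new clients must support negotiation. auth and TLS settings are still written below.` Without a `cipher`/`data-ciphers` line the client falls back to its built-in default data-ciphers list, so the server-side DATACIPHERS selection has to overlap that list or the handshake fails at negotiation; this is worth a sentence in the ciphers help text, though the server config writer is not in this hunk. The enclosing else-branch begins before the hunk.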
@@ -2648,7 +2639,7 @@ ADV_ERROR: - END foreach my $cipher (@SUPPORTED_CIPHERS) { diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index e2813a533..5e09cf296 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2036,7 +2036,6 @@ 'ovpn fallback cipher help' => 'This cipher is being used by clients that do not support cipher negotiation.', 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.', 'ovpn ha' => 'Hash algorithm', -'ovpn if ncp is disabled we must have cipher' => 'If you want to disable cipher negotiation, you will have to select a fallback cipher.', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'A port number of 1024 or higher is required.', 'ovpn mtu-disc' => 'Path MTU Discovery', @@ -2046,6 +2045,7 @@ 'ovpn mtu-disc off' => 'Disabled', 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery cannot be used with mssfix or fragment.', 'ovpn mtu-disc yes' => 'Forced', +'ovpn no cipher selected' => 'No cipher selected', 'ovpn no connections' => 'No active OpenVPN connections', 'ovpn on blue' => 'OpenVPN on BLUE:', 'ovpn on orange' => 'OpenVPN on ORANGE:', -- 2.39.5