From 6ecb7b3c684fc6bacc4e31dcabd33602e816b7e9 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 19 Mar 2024 20:44:18 +0100 Subject: [PATCH] ovpnmain.cgi: Force NCP on clients This change requires that all clients support NCP if they are set up with a new connection. Existing clients remain supported using the fallback cipher option. This will result that connections with OpenVPN <= 2.3 cannot be set up any more which is totally fine since that version is EOL. Signed-off-by: Michael Tremer --- doc/language_issues.de | 2 +- doc/language_issues.en | 2 +- doc/language_issues.es | 2 +- doc/language_issues.fr | 2 +- doc/language_issues.it | 2 +- doc/language_issues.nl | 2 +- doc/language_issues.pl | 2 +- doc/language_issues.ru | 2 +- doc/language_issues.tr | 2 +- doc/language_missings | 16 ++++++++-------- html/cgi-bin/ovpnmain.cgi | 23 +++++++---------------- langs/en/cgi-bin/en.pl | 2 +- 12 files changed, 25 insertions(+), 34 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index d3d12a50c..a66701abf 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -990,7 +990,7 @@ WARNING: untranslated string: optional = Optional WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire invalid tree = Invalid repository selected 
diff --git a/doc/language_issues.en b/doc/language_issues.en index a54b2f5f7..21ecd7dfe 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1451,8 +1451,8 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn on blue = OpenVPN on BLUE: WARNING: untranslated string: ovpn on orange = OpenVPN on ORANGE: diff --git a/doc/language_issues.es b/doc/language_issues.es index 4babd80e7..0637de7a4 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -1051,7 +1051,7 @@ WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 31f5a293f..ec60074b4 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -997,7 +997,7 @@ WARNING: untranslated string: oops something went wrong = Oops, something went w WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. diff --git a/doc/language_issues.it b/doc/language_issues.it index 456260cdd..96202c409 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1239,7 +1239,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: diff --git a/doc/language_issues.nl b/doc/language_issues.nl index cef2d9b4d..7152e38cf 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1265,7 +1265,7 @@ WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 0c3a17634..4f352e4bb 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1429,8 +1429,8 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server diff --git a/doc/language_issues.ru b/doc/language_issues.ru index be1b8d3e9..287507ea0 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -1424,8 +1424,8 @@ WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 61fd02a1a..450d5a276 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -1153,7 +1153,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. -WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn no cipher selected = No cipher selected WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: 
diff --git a/doc/language_missings b/doc/language_missings index 1a4a5fc3f..23aed8777 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -88,7 +88,7 @@ < ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn unsupported cipher selected < quick control @@ -162,7 +162,7 @@ < ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn unsupported cipher selected < processors @@ -207,7 +207,7 @@ < ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn unsupported cipher selected < processors @@ -596,7 +596,7 @@ < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth @@ -1168,7 +1168,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn reneg sec < ovpn roadwarrior server < ovpn rw connection log @@ -2058,7 +2058,6 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha -< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -2067,6 +2066,7 @@ < ovpn mtu-disc off < ovpn mtu-disc with mssfix or fragment < ovpn mtu-disc yes +< ovpn no cipher selected < ovpn no connections < ovpn port in root range < ovpn reneg sec @@ -3082,7 +3082,6 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha -< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 
@@ -3091,6 +3090,7 @@ < ovpn mtu-disc off < ovpn mtu-disc with mssfix or fragment < ovpn mtu-disc yes +< ovpn no cipher selected < ovpn no connections < ovpn port in root range < ovpn reneg sec @@ -3606,7 +3606,7 @@ < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help -< ovpn if ncp is disabled we must have cipher +< ovpn no cipher selected < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 818153b2f..3b9ffcad9 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -715,9 +715,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); - # If NCP is disabled, we need the fallback cipher - if ($cgiparams{'DATACIPHERS'} eq '' && $cgiparams{'DCIPHER'} eq '') { - $errormessage = $Lang::tr{'ovpn if ncp is disabled we must have cipher'}; + # We must have at least one cipher selected + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage = $Lang::tr{'ovpn no cipher selected'}; goto ADV_ERROR; } @@ -2178,18 +2178,9 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - # Cryptography - - # If no data ciphers have been selected, we try to use the fallback cipher - if ($vpnsettings{'DATACIPHERS'} eq '') { - print CLIENTCONF "ncp-disable\r\n"; - - if ($vpnsettings{'DCIPHER'} ne '') { - print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; - } - } else { - # Otherwise we don't write anything because the server and client will negotiate - } + # We no longer send any cryptographic configuration since 2.6. + # That way, we will be able to push this from the server. + # Therefore we always mandate NCP for new clients. print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; 
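Review bot: With the old combined check gone, nothing in this hunk stops an admin from saving an empty fallback cipher (`DCIPHER`) while clients provisioned before this change still carry `ncp-disable`/`cipher` in their profiles, and the commit message's claim that existing clients remain supported then quietly stops holding for that configuration. The new `DATACIPHERS` check is right, but I would keep the dependency visible next to it, e.g. `# DCIPHER is now optional; profiles generated before NCP was mandatory only connect while it stays set`, and ideally warn rather than accept it silently. If `$cgiparams{'DATACIPHERS'}` can be absent rather than empty, `eq ''` also warns on an undefined value under `use warnings`; `($cgiparams{'DATACIPHERS'} // '') eq ''` avoids that, though I cannot see from here how the hash is populated, so this may already be handled. The enclosing `if ($cgiparams{'ACTION'} eq ...)` block starts and ends outside the hunk.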
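Review bot: The generated profile now carries no data-cipher information at all, so a new client advertises only its own built-in default cipher list, and if the server's `DATACIPHERS` selection has no overlap with that default (for instance only CBC modes) negotiation fails and the client never connects; nothing in this hunk guards against that, and as far as I recall a 2.5+ client also accepts a pushed cipher only if it is in its own data-ciphers list, which limits the "push this from the server" expectation stated in the comment. Since the comment already targets 2.6, I would emit the server's list explicitly, e.g. `print CLIENTCONF "data-ciphers " . join(':', split(/\|/, $vpnsettings{'DATACIPHERS'})) . "\r\n";` — adjust the split to however `DATACIPHERS` is stored, which is not visible here. Either way the comment should state the consequence rather than the intent: `# No cipher/ncp-disable in the profile: the client must support NCP and must share at least one cipher with the server's DATACIPHERS list`. The enclosing `else` branch starts and ends outside the hunk.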
@@ -2648,7 +2639,7 @@ ADV_ERROR: - END foreach my $cipher (@SUPPORTED_CIPHERS) { diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index e2a7393c4..1d67f5a9f 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2039,7 +2039,6 @@ 'ovpn fallback cipher help' => 'This cipher is being used by clients that do not support cipher negotiation.', 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.', 'ovpn ha' => 'Hash algorithm', -'ovpn if ncp is disabled we must have cipher' => 'If you want to disable cipher negotiation, you will have to select a fallback cipher.', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'A port number of 1024 or higher is required.', 'ovpn mtu-disc' => 'Path MTU Discovery', @@ -2049,6 +2048,7 @@ 'ovpn mtu-disc off' => 'Disabled', 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery cannot be used with mssfix or fragment.', 'ovpn mtu-disc yes' => 'Forced', +'ovpn no cipher selected' => 'No cipher selected', 'ovpn no connections' => 'No active OpenVPN connections', 'ovpn on blue' => 'OpenVPN on BLUE:', 'ovpn on orange' => 'OpenVPN on ORANGE:', -- 2.39.5