Rename ncp-ciphers to data-ciphers

The change in name signals that data-ciphers is the preferred way to configure data channel (and not --cipher). The data prefix is chosen to avoid ambiguity and make it distinct from tls-cipher for the TLS ciphers. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Steffan Karger <steffan.karger@foxcrypto.com> Message-Id: <20200717134739.21168-8-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20444.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
author: Arne Schwabe 2020-07-17 15:47:38 +0200
committer: Gert Doering 2020-07-27 10:02:54 +0200
commit: 30d19c6ebee05de4cc35155a6c7742ccbf021a82 (patch)
tree: 61795fcf7b67fc016c2dd5f6437233179368641d
parent: a3b21a76b87fedf045c409481f55c34486d8cd27 (diff)
download: openvpn-30d19c6ebee05de4cc35155a6c7742ccbf021a82.zip
openvpn-30d19c6ebee05de4cc35155a6c7742ccbf021a82.tar.gz
7 files changed, 27 insertions, 16 deletions
diff --git a/Changes.rst b/Changes.rst
index 17be0e1..0da01e8 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -14,12 +14,19 @@ ChaCha20-Poly1305 cipher support
     channel.
 
 Improved Data channel cipher negotiation
+    The option ``ncp-ciphers`` has been renamed to ``data-ciphers``.
+    The old name is still accepted. The change in name signals that
+    ``data-ciphers`` is the preferred way to configure data channel
+    ciphers and the data prefix is chosen to avoid the ambiguity that
+    exists with ``--cipher`` for the data cipher and ``tls-cipher``
+    for the TLS ciphers.
+
     OpenVPN clients will now signal all supported ciphers from the
-    ``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
-    servers will select the first common cipher from the ``ncp-ciphers``
+    ``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
+    servers will select the first common cipher from the ``data-ciphers``
     list instead of blindly pushing the first cipher of the list. This
     allows to use a configuration like
-    ``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
+    ``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
     prefers ChaCha20-Poly1305 but uses it only if the client supports it.
 
 Asynchronous (deferred) authentication support for auth-pam plugin.
diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
index 923d2da..051f1d3 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -62,7 +62,7 @@ configured in a compatible way between both the local and remote side.
   The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher
   Block Chaining mode. When cipher negotiation (NCP) is allowed,
   OpenVPN 2.4 and newer on both client and server side will automatically
-  upgrade to :code:`AES-256-GCM`.  See ``--ncp-ciphers`` and
+  upgrade to :code:`AES-256-GCM`.  See ``--data-ciphers`` and
   ``--ncp-disable`` for more details on NCP.
 
   Using :code:`BF-CBC` is no longer recommended, because of its 64-bit
@@ -169,7 +169,7 @@ configured in a compatible way between both the local and remote side.
   non-standard key lengths, and a larger key may offer no real guarantee
   of greater security, or may even reduce security.
 
---ncp-ciphers cipher-list
+--data-ciphers cipher-list
   Restrict the allowed ciphers to be negotiated to the ciphers in
   ``cipher-list``. ``cipher-list`` is a colon-separated list of ciphers,
   and defaults to :code:`AES-256-GCM:AES-128-GCM`.
@@ -189,9 +189,9 @@ configured in a compatible way between both the local and remote side.
   Additionally, to allow for more smooth transition, if NCP is enabled,
   OpenVPN will inherit the cipher of the peer if that cipher is different
   from the local ``--cipher`` setting, but the peer cipher is one of the
-  ciphers specified in ``--ncp-ciphers``. E.g. a non-NCP client (<=v2.3,
+  ciphers specified in ``--data-ciphers``. E.g. a non-NCP client (<=v2.3,
   or with --ncp-disabled set) connecting to a NCP server (v2.4+) with
-  ``--cipher BF-CBC`` and ``--ncp-ciphers AES-256-GCM:AES-256-CBC`` set can
+  ``--cipher BF-CBC`` and ``--data-ciphers AES-256-GCM:AES-256-CBC`` set can
   either specify ``--cipher BF-CBC`` or ``--cipher AES-256-CBC`` and both
   will work.
 
@@ -201,6 +201,9 @@ configured in a compatible way between both the local and remote side.
   This list is restricted to be 127 chars long after conversion to OpenVPN
   ciphers.
 
+  This option was called ``ncp-ciphers`` in OpenVPN 2.4 but has been renamed
+  to ``data-ciphers`` in OpenVPN 2.5 to more accurately reflect its meaning.
+
 --ncp-disable
   Disable "Negotiable Crypto Parameters". This completely disables cipher
   negotiation.
diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst
index babf33d..f1f0667 100644
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@@ -479,8 +479,8 @@ fast hardware. SSL/TLS authentication must be used in this mode.
         *AES-GCM-128* and *AES-GCM-256*.
 
   :code:`IV_CIPHERS=<ncp-ciphers>`
-        The client pushes the list of configured ciphers with the
-        ``--ciphers`` option to the server.
+        The client announces the list of supported ciphers configured with the
+        ``--data-ciphers`` option to the server.
 
   :code:`IV_GUI_VER=<gui_id> <version>`
         The UI version of a UI if one is running, for example
diff --git a/sample/sample-config-files/client.conf b/sample/sample-config-files/client.conf
index 7f2f30a..47ca409 100644
--- a/sample/sample-config-files/client.conf
+++ b/sample/sample-config-files/client.conf
@@ -112,7 +112,7 @@ tls-auth ta.key 1
 # then you must also specify it here.
 # Note that v2.4 client/server will automatically
 # negotiate AES-256-GCM in TLS mode.
-# See also the ncp-cipher option in the manpage
+# See also the data-ciphers option in the manpage
 cipher AES-256-CBC
 
 # Enable compression on the VPN link.
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index b83a0f0..9bda38b 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1824,7 +1824,7 @@ multi_client_set_protocol_options(struct context *c)
         else
         {
             /*
-             * Push the first cipher from --ncp-ciphers to the client that
+             * Push the first cipher from --data-ciphers to the client that
              * the client announces to be supporting.
              */
             char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, o->ciphername,
@@ -1844,7 +1844,7 @@ multi_client_set_protocol_options(struct context *c)
                 {
                     msg(M_INFO, "PUSH: No common cipher between server and "
                         "client. Expect this connection not to work. Server "
-                        "ncp-ciphers: '%s', client supported ciphers '%s'",
+                        "data-ciphers: '%s', client supported ciphers '%s'",
                         o->ncp_ciphers, peer_ciphers);
                 }
                 else
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index a8a9bb9..5827222 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -531,7 +531,7 @@ static const char usage_message[] =
     "--cipher alg    : Encrypt packets with cipher algorithm alg\n"
     "                  (default=%s).\n"
     "                  Set alg=none to disable encryption.\n"
-    "--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
+    "--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
     "--ncp-disable   : (DEPRECATED) Disable cipher negotiation.\n"
     "--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
     "                   nonce_secret_len=nsl.  Set alg=none to disable PRNG.\n"
@@ -7863,7 +7863,8 @@ add_option(struct options *options,
         VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
         options->ciphername = p[1];
     }
-    else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2])
+    else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
+            && p[1] && !p[2])
     {
         VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
         options->ncp_ciphers = p[1];
diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index 4d10109..8e432fb 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -111,7 +111,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
         const cipher_kt_t *ktc = cipher_kt_get(token);
         if (!ktc)
         {
-            msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token);
+            msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
             error_found = true;
         }
         else
@@ -130,7 +130,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
             if (!(buf_forward_capacity(&new_list) >
                   strlen(ovpn_cipher_name) + 2))
             {
-                msg(M_WARN, "Length of --ncp-ciphers is over the "
+                msg(M_WARN, "Length of --data-ciphers is over the "
                     "limit of 127 chars");
                 error_found = true;
             }
author	Arne Schwabe	2020-07-17 15:47:38 +0200
committer	Gert Doering	2020-07-27 10:02:54 +0200
commit	30d19c6ebee05de4cc35155a6c7742ccbf021a82 (patch)
tree	61795fcf7b67fc016c2dd5f6437233179368641d
parent	a3b21a76b87fedf045c409481f55c34486d8cd27 (diff)
download	openvpn-30d19c6ebee05de4cc35155a6c7742ccbf021a82.zip openvpn-30d19c6ebee05de4cc35155a6c7742ccbf021a82.tar.gz