Allow 'none' cipher being specified in --data-ciphers

Although we want to get rid of none as cipher, we still have not deprecated it. In order to use it currently you need --ncp-disable together with --cipher none to use the none cipher. In our current situation allowing none to be specified in data-ciphers is the lesser evil. This commit also fixes that we use '[null-cipher]' instead 'none' when setting remote_cipher Signed-off-by: Arne Schwabe <[email protected]>
schwabe · Sep 21, 2020 · 46ce665 · 46ce665
1 parent 13d683a
commit 46ce665
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 3 deletions.
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
@@ -2471,6 +2471,14 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
     multi->remote_ciphername =
         options_string_extract_option(options, "cipher", NULL);
 
+    /* In OCC we send '[null-cipher]' instead 'none' */
+    if (multi->remote_ciphername
+        && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
+    {
+        free(multi->remote_ciphername);
+        multi->remote_ciphername = string_alloc("none", NULL);
+    }
+
     if (tls_session_user_pass_enabled(session))
     {
         /* Perform username/password authentication */

diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
@@ -110,14 +110,28 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
          * e.g. replacing AeS-128-gCm with AES-128-GCM
          */
         const cipher_kt_t *ktc = cipher_kt_get(token);
-        if (!ktc)
+        if (strcmp(token, "none") == 0)
+        {
+            msg(M_WARN, "WARNING: cipher 'none' specified for --data-ciphers. "
+                        "This allows negotiation of NO encryption and "
+                        "tunnelled data WILL then be transmitted in clear text "
+                        "over the network! "
+                        "PLEASE DO RECONSIDER THIS SETTING!");
+        }
+        if (!ktc && strcmp(token, "none")!= 0)
         {
             msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
             error_found = true;
         }
         else
         {
             const char *ovpn_cipher_name = cipher_kt_name(ktc);
+            if (ktc == NULL)
+            {
+                /* NULL resolves to [null-cipher] but we need none for
+                 * data-ciphers */
+                ovpn_cipher_name = "none";
+            }
 
             if (buf_len(&new_list)> 0)
             {

diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c
@@ -50,7 +50,9 @@ test_check_ncp_ciphers_list(void **state)
     struct gc_arena gc = gc_new();
     bool have_chacha = cipher_kt_get("CHACHA20-POLY1305");
 
-
+    assert_string_equal(mutate_ncp_cipher_list("none", &gc), "none");
+    assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:none", &gc),
+                        "AES-256-GCM:none");
 
     assert_string_equal(mutate_ncp_cipher_list(aes_ciphers, &gc), aes_ciphers);
 
@@ -139,7 +141,7 @@ test_poor_man(void **state)
     char *best_cipher;
 
     const char *serverlist = "CHACHA20_POLY1305:AES-128-GCM";
-    const char *serverlistbfcbc = "CHACHA20_POLY1305:AES-128-GCM:BF-CBC";
+    const char *serverlistbfcbc = "CHACHA20_POLY1305:AES-128-GCM:BF-CBC:none";
 
     best_cipher = ncp_get_best_cipher(serverlist,
                                       "IV_YOLO=NO\nIV_BAR=7",
@@ -166,6 +168,10 @@ test_poor_man(void **state)
 
     assert_string_equal(best_cipher, "AES-128-GCM");
 
+    best_cipher = ncp_get_best_cipher(serverlist, NULL,
+                                      "none", &gc);
+    assert_string_equal(best_cipher, "none");
+
     best_cipher = ncp_get_best_cipher(serverlist, NULL,NULL, &gc);
     assert_ptr_equal(best_cipher, NULL);