Rename ncp-ciphers to data-ciphers
The change in name signals that data-ciphers is the preferred way to
configure data channel (and not --cipher). The data prefix is chosen
to avoid ambiguity and make it distinct from tls-cipher for the TLS
ciphers.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200717134739.21168-8-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20444.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
schwabe authored and cron2 committed Jul 27, 2020
1 parent a3b21a7 commit 30d19c6
Showing 7 changed files with 27 additions and 16 deletions.
13 changes: 10 additions & 3 deletions Changes.rst
@@ -14,12 +14,19 @@ ChaCha20-Poly1305 cipher support
channel.

Improved Data channel cipher negotiation
The option ``ncp-ciphers`` has been renamed to ``data-ciphers``.
The old name is still accepted. The change in name signals that
``data-ciphers`` is the preferred way to configure data channel
ciphers and the data prefix is chosen to avoid the ambiguity that
exists with ``--cipher`` for the data cipher and ``tls-cipher``
for the TLS ciphers.

OpenVPN clients will now signal all supported ciphers from the
``ncp-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
servers will select the first common cipher from the ``ncp-ciphers``
``data-ciphers`` option to the server via ``IV_CIPHERS``. OpenVPN
servers will select the first common cipher from the ``data-ciphers``
list instead of blindly pushing the first cipher of the list. This
allows to use a configuration like
``ncp-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
``data-ciphers ChaCha20-Poly1305:AES-256-GCM`` on the server that
prefers ChaCha20-Poly1305 but uses it only if the client supports it.

Asynchronous (deferred) authentication support for auth-pam plugin.
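Review bot: the new paragraph says "The old name is still accepted" but does not say whether ``ncp-ciphers`` is now deprecated or a permanent alias; the options.c hunk in this commit accepts both names silently, so the changelog is the only place users learn the status of the old spelling. State it explicitly, e.g. "``ncp-ciphers`` remains accepted as an alias for backwards compatibility." Also consider giving the rename its own entry rather than folding it into "Improved Data channel cipher negotiation", since it is a user-visible config change rather than a negotiation improvement. Minor, pre-existing: "This allows to use a configuration like" reads better as "This allows using a configuration like".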
11 changes: 7 additions & 4 deletions doc/man-sections/protocol-options.rst
@@ -62,7 +62,7 @@ configured in a compatible way between both the local and remote side.
The default is :code:`BF-CBC`, an abbreviation for Blowfish in Cipher
Block Chaining mode. When cipher negotiation (NCP) is allowed,
OpenVPN 2.4 and newer on both client and server side will automatically
upgrade to :code:`AES-256-GCM`. See ``--ncp-ciphers`` and
upgrade to :code:`AES-256-GCM`. See ``--data-ciphers`` and
``--ncp-disable`` for more details on NCP.

Using :code:`BF-CBC` is no longer recommended, because of its 64-bit
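Review bot: the cross-reference now points at ``--data-ciphers`` while the sentence that follows still says "See ... ``--ncp-disable`` for more details on NCP"; since this paragraph is the first place a reader meets the term NCP, consider expanding "cipher negotiation (NCP)" to spell out "Negotiable Crypto Parameters" here, as the ``--ncp-disable`` entry later in this file does, so the ncp-prefixed option and the data-prefixed option are visibly the same mechanism.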
@@ -169,7 +169,7 @@ configured in a compatible way between both the local and remote side.
non-standard key lengths, and a larger key may offer no real guarantee
of greater security, or may even reduce security.

--ncp-ciphers cipher-list
--data-ciphers cipher-list
Restrict the allowed ciphers to be negotiated to the ciphers in
``cipher-list``. ``cipher-list`` is a colon-separated list of ciphers,
and defaults to :code:`AES-256-GCM:AES-128-GCM`.
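Review bot: renaming the option heading to ``--data-ciphers`` means a reader searching the man page for ``ncp-ciphers`` (the only name that exists in 2.4 configs) no longer finds an entry under that name. Since the old spelling is still parsed, add an alias line or a one-line stub entry for ``--ncp-ciphers`` that points at ``--data-ciphers``, in addition to the paragraph added further down in this file.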
@@ -189,9 +189,9 @@ configured in a compatible way between both the local and remote side.
Additionally, to allow for more smooth transition, if NCP is enabled,
OpenVPN will inherit the cipher of the peer if that cipher is different
from the local ``--cipher`` setting, but the peer cipher is one of the
ciphers specified in ``--ncp-ciphers``. E.g. a non-NCP client (<=v2.3,
ciphers specified in ``--data-ciphers``. E.g. a non-NCP client (<=v2.3,
or with --ncp-disabled set) connecting to a NCP server (v2.4+) with
``--cipher BF-CBC`` and ``--ncp-ciphers AES-256-GCM:AES-256-CBC`` set can
``--cipher BF-CBC`` and ``--data-ciphers AES-256-GCM:AES-256-CBC`` set can
either specify ``--cipher BF-CBC`` or ``--cipher AES-256-CBC`` and both
will work.
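Review bot: the unchanged context line "or with --ncp-disabled set" names an option that does not exist; the option is ``--ncp-disable`` (as documented later in this file and in the options.c usage text). Since this hunk already touches the adjacent line, fix the typo here: "or with ``--ncp-disable`` set". The same sentence also mixes bare `--ncp-disabled` with the double-backtick style used for every other option in this paragraph.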

@@ -201,6 +201,9 @@ configured in a compatible way between both the local and remote side.
This list is restricted to be 127 chars long after conversion to OpenVPN
ciphers.

This option was called ``ncp-ciphers`` in OpenVPN 2.4 but has been renamed
to ``data-ciphers`` in OpenVPN 2.5 to more accurately reflect its meaning.

--ncp-disable
Disable "Negotiable Crypto Parameters". This completely disables cipher
negotiation.
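Review bot: the added paragraph explains why the option was renamed but not that the old name still works; the commit message and Changes.rst both say ``ncp-ciphers`` is still accepted, and the options.c hunk implements that. Add a sentence to this effect so that the man page does not suggest 2.4 configs must be rewritten, e.g. "The old name ``ncp-ciphers`` is still accepted as an alias."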
4 changes: 2 additions & 2 deletions doc/man-sections/server-options.rst
@@ -479,8 +479,8 @@ fast hardware. SSL/TLS authentication must be used in this mode.
*AES-GCM-128* and *AES-GCM-256*.

:code:`IV_CIPHERS=<ncp-ciphers>`
The client pushes the list of configured ciphers with the
``--ciphers`` option to the server.
The client announces the list of supported ciphers configured with the
``--data-ciphers`` option to the server.

:code:`IV_GUI_VER=<gui_id> <version>`
The UI version of a UI if one is running, for example
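Review bot: the entry heading ``:code:`IV_CIPHERS=<ncp-ciphers>``` is left untouched while the description below it now says ``--data-ciphers``; the placeholder should be renamed in the same hunk (``IV_CIPHERS=<data-ciphers>``) so the heading and body use the same name. The wording change from "pushes" to "announces" is correct, since the client sends this as a peer-info value rather than a push.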
2 changes: 1 addition & 1 deletion sample/sample-config-files/client.conf
@@ -112,7 +112,7 @@ tls-auth ta.key 1
# then you must also specify it here.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
# See also the data-ciphers option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link.
4 changes: 2 additions & 2 deletions src/openvpn/multi.c
@@ -1824,7 +1824,7 @@ multi_client_set_protocol_options(struct context *c)
else
{
/*
* Push the first cipher from --ncp-ciphers to the client that
* Push the first cipher from --data-ciphers to the client that
* the client announces to be supporting.
*/
char *push_cipher = ncp_get_best_cipher(o->ncp_ciphers, o->ciphername,
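Review bot: the comment now refers to ``--data-ciphers`` while the code beneath it still reads ``o->ncp_ciphers`` and calls ``ncp_get_best_cipher()``; keeping the internal names is fine for a user-facing rename, but a short remark that the ``ncp_ciphers`` field backs the ``--data-ciphers`` option would stop the next reader from hunting for a missing field. Also, "to the client that the client announces to be supporting" is awkward; "the first cipher from --data-ciphers that the client announces support for" says the same thing.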
@@ -1844,7 +1844,7 @@ multi_client_set_protocol_options(struct context *c)
{
msg(M_INFO, "PUSH: No common cipher between server and "
"client. Expect this connection not to work. Server "
"ncp-ciphers: '%s', client supported ciphers '%s'",
"data-ciphers: '%s', client supported ciphers '%s'",
o->ncp_ciphers, peer_ciphers);
}
else
5 changes: 3 additions & 2 deletions src/openvpn/options.c
@@ -531,7 +531,7 @@ static const char usage_message[] =
"--cipher alg : Encrypt packets with cipher algorithm alg\n"
" (default=%s).\n"
" Set alg=none to disable encryption.\n"
"--ncp-ciphers list : List of ciphers that are allowed to be negotiated.\n"
"--data-ciphers list : List of ciphers that are allowed to be negotiated.\n"
"--ncp-disable : (DEPRECATED) Disable cipher negotiation.\n"
"--prng alg [nsl] : For PRNG, use digest algorithm alg, and\n"
" nonce_secret_len=nsl. Set alg=none to disable PRNG.\n"
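Review bot: the usage text drops ``--ncp-ciphers`` entirely even though the parser still accepts it; for symmetry with the ``--ncp-disable : (DEPRECATED) ...`` line right below, either mention the alias here ("--data-ciphers list : ... (also accepted as --ncp-ciphers)") or leave a separate line for the old name. The new option name is also one character longer than the old one, so check that the description column still lines up with the neighbouring entries in this table.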
@@ -7863,7 +7863,8 @@ add_option(struct options *options,
VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
options->ciphername = p[1];
}
else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2])
else if ((streq(p[0], "data-ciphers") || streq(p[0], "ncp-ciphers"))
&& p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INSTANCE);
options->ncp_ciphers = p[1];
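Review bot: both spellings are accepted with identical behaviour and no message, so a config that still says ``ncp-ciphers`` gives the operator no hint that the name has changed. If the intent is to phase the old name out, emit a one-time notice when ``p[0]`` equals "ncp-ciphers", in the same spirit as the DEPRECATED marker on ``--ncp-disable``; if it is meant to be a permanent alias, say so in the man page. The permission mask (``OPT_P_GENERAL|OPT_P_INSTANCE``) is unchanged, which is correct for a pure rename.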
4 changes: 2 additions & 2 deletions src/openvpn/ssl_ncp.c
@@ -111,7 +111,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
const cipher_kt_t *ktc = cipher_kt_get(token);
if (!ktc)
{
msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token);
msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
error_found = true;
}
else
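Review bot: this warning (and the length warning in the next hunk) now names ``--data-ciphers`` even when the user wrote ``--ncp-ciphers``, which is still accepted; an operator with an unchanged 2.4 config will see a complaint about an option they never set. Either word the message to cover both names ("Unsupported cipher in --data-ciphers (--ncp-ciphers)") or have the caller pass the option name actually used.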
@@ -130,7 +130,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
if (!(buf_forward_capacity(&new_list) >
strlen(ovpn_cipher_name) + 2))
{
msg(M_WARN, "Length of --ncp-ciphers is over the "
msg(M_WARN, "Length of --data-ciphers is over the "
"limit of 127 chars");
error_found = true;
}

0 comments on commit 30d19c6