Remove deprecated/removed NCP toggle from OpenVPN. Fixes #14201

pfsense · Mar 29, 2023 · 8dcaa36 · 8dcaa36
1 parent 0abc80b
commit 8dcaa36
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 50 deletions.
diff --git a/src/etc/inc/openvpn.inc b/src/etc/inc/openvpn.inc
@@ -1415,12 +1415,7 @@ function openvpn_reconfigure($mode, $settings) {
 	/* Data encryption cipher support.
 	 * If it is not set, assume enabled since that is OpenVPN's default.
 	 * Note that diabling this is now deprecated and will be removed in a future version of OpenVPN */
-	if (($settings['ncp_enable'] == "disabled") ||
-	    ($settings['mode'] == "p2p_shared_key")) {
-		if ($settings['mode'] != "p2p_shared_key") {
-			/* Do not include this option for shared key as it is redundant. */
-			$conf .= "ncp-disable\n";
-		}
+	if ($settings['mode'] == "p2p_shared_key") {
 		$conf .= "cipher {$fbcipher}\n";
 	} else {
 		$conf .= "data-ciphers " . str_replace(',', ':', openvpn_build_data_cipher_list($settings['data_ciphers'], $fbcipher)) . "\n";
@@ -2448,9 +2443,9 @@ function openvpn_is_tunnel_network_in_use($net) {
 	return false;
 }
 
-function openvpn_build_data_cipher_list($data_ciphers = 'AES-256-GCM,AES-128-GCM,CHACHA20-POLY1305', $fallback_cipher = 'AES-256-GBC', $ncp_enabled = true) {
+function openvpn_build_data_cipher_list($data_ciphers = 'AES-256-GCM,AES-128-GCM,CHACHA20-POLY1305', $fallback_cipher = 'AES-256-GCM') {
 	/* If the data_ciphers list is empty, populate it with the fallback cipher. */
-	if (empty($data_ciphers) || !$ncp_enabled) {
+	if (empty($data_ciphers)) {
 		$data_ciphers = $fallback_cipher;
 	}
 	/* Add the fallback cipher to the data ciphers list if it isn't already present */

diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php
@@ -93,7 +93,6 @@
 }
 
 if ($act == "new") {
-	$pconfig['ncp_enable'] = "enabled";
 	$pconfig['data_ciphers'] = 'AES-256-GCM,AES-128-GCM,CHACHA20-POLY1305';
 	$pconfig['data_ciphers_fallback'] = 'AES-256-CBC';
 	$pconfig['autokey_enable'] = "yes";
@@ -141,11 +140,6 @@
 		} else {
 			$pconfig['data_ciphers'] = 'AES-256-GCM,AES-128-GCM,CHACHA20-POLY1305';
 		}
-		if (isset($a_client[$id]['ncp_enable'])) {
-			$pconfig['ncp_enable'] = $a_client[$id]['ncp_enable'];
-		} else {
-			$pconfig['ncp_enable'] = "enabled";
-		}
 		$pconfig['dev_mode'] = $a_client[$id]['dev_mode'];
 
 		if ($pconfig['mode'] != "p2p_shared_key") {
@@ -226,8 +220,6 @@
 		$vpnid = 0;
 	}
 
-	$pconfig['ncp_enable'] = ($pconfig['ncp_enable'] == 'yes') ? 'enabled' : 'disabled';
-
 	if ($pconfig['disable'] && openvpn_inuse($vpnid, 'client')) {
 		$input_errors[] = gettext("Cannot disable an OpenVPN instance while the interface is assigned. Remove the interface assignment first.");
 	}
@@ -620,8 +612,6 @@
 			$client['data_ciphers'] = implode(",", $pconfig['data_ciphers']);
 		}
 
-		$client['ncp_enable'] = $pconfig['ncp_enable'];
-
 		$client['ping_method'] = $pconfig['ping_method'];
 		$client['keepalive_interval'] = $pconfig['keepalive_interval'];
 		$client['keepalive_timeout'] = $pconfig['keepalive_timeout'];
@@ -945,15 +935,6 @@
 		$certlist['server']
 		));
 
-	$section->addInput(new Form_Checkbox(
-		'ncp_enable',
-		'Data Encryption Negotiation',
-		'Enable Data Encryption Negotiation',
-		($pconfig['ncp_enable'] == "enabled")
-	))->setHelp('This option allows OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' .
-			'data encryption algorithms from those selected in the Data Encryption Algorithms list below. ' .
-			'Disabling this feature is deprecated.');
-
 	foreach (explode(",", $pconfig['data_ciphers']) as $cipher) {
 		$data_ciphers_list[$cipher] = $cipher;
 	}
@@ -1347,8 +1328,7 @@
 			$print_sk_warning = true;
 		}
 		$server = "{$client['server_addr']}:{$client['server_port']}";
-		$ncp = (($client['mode'] != "p2p_shared_key") && ($client['ncp_enable'] != 'disabled'));
-		$dc = openvpn_build_data_cipher_list($client['data_ciphers'], $client['data_ciphers_fallback'], $ncp);
+		$dc = openvpn_build_data_cipher_list($client['data_ciphers'], $client['data_ciphers_fallback']);
 		$dca = explode(',', $dc);
 		if (count($dca) > 5) {
 			$dca = array_slice($dca, 0, 5);

diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
@@ -100,7 +100,6 @@
 }
 
 if ($act == "new") {
-	$pconfig['ncp_enable'] = "enabled";
 	$pconfig['data_ciphers'] = 'AES-256-GCM,AES-128-GCM,CHACHA20-POLY1305';
 	$pconfig['data_ciphers_fallback'] = 'AES-256-CBC';
 	$pconfig['autokey_enable'] = "yes";
@@ -134,11 +133,6 @@
 		} else {
 			$pconfig['data_ciphers'] = 'AES-256-GCM,AES-128-GCM,CHACHA20-POLY1305';
 		}
-		if (isset($a_server[$id]['ncp_enable'])) {
-			$pconfig['ncp_enable'] = $a_server[$id]['ncp_enable'];
-		} else {
-			$pconfig['ncp_enable'] = "enabled";
-		}
 		$pconfig['dev_mode'] = $a_server[$id]['dev_mode'];
 		$pconfig['interface'] = $a_server[$id]['interface'];
 
@@ -305,8 +299,6 @@
 		$vpnid = 0;
 	}
 
-	$pconfig['ncp_enable'] = ($pconfig['ncp_enable'] == 'yes') ? 'enabled' : 'disabled';
-
 	if ($pconfig['disable'] && openvpn_inuse($vpnid, 'server')) {
 		$input_errors[] = gettext("Cannot disable an OpenVPN instance while the interface is assigned. Remove the interface assignment first.");
 	}
@@ -846,8 +838,6 @@
 			$server['data_ciphers'] = implode(",", $pconfig['data_ciphers']);
 		}
 
-		$server['ncp_enable'] = $pconfig['ncp_enable'];
-
 		$server['ping_method'] = $pconfig['ping_method'];
 		$server['keepalive_interval'] = $pconfig['keepalive_interval'];
 		$server['keepalive_timeout'] = $pconfig['keepalive_timeout'];
@@ -1186,15 +1176,6 @@
 		$pconfig['shared_key']
 	))->setHelp('Paste the shared key here');
 
-	$section->addInput(new Form_Checkbox(
-		'ncp_enable',
-		'Data Encryption Negotiation',
-		'Enable Data Encryption Negotiation',
-		($pconfig['ncp_enable'] == "enabled")
-	))->setHelp('This option allows OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' .
-			'data encryption algorithms from those selected in the Data Encryption Algorithms list below. ' .
-			'Disabling this feature is deprecated.');
-
 	$group = new Form_Group('Data Encryption Algorithms');
 
 	$group->add(new Form_Select(
@@ -1845,8 +1826,7 @@
 		if ($server['mode'] == 'p2p_shared_key') {
 			$print_sk_warning = true;
 		}
-		$ncp = (($server['mode'] != "p2p_shared_key") && ($server['ncp_enable'] != 'disabled'));
-		$dc = openvpn_build_data_cipher_list($server['data_ciphers'], $server['data_ciphers_fallback'], $ncp);
+		$dc = openvpn_build_data_cipher_list($server['data_ciphers'], $server['data_ciphers_fallback']);
 		$dca = explode(',', $dc);
 		if (count($dca) > 5) {
 			$dca = array_slice($dca, 0, 5);