

OpenVPN CLI-option: T6571: rename ncp-ciphers with data-ciphers
srividya0208 committed Jul 17, 2024
1 parent 887de85 commit 2c1db9d
Showing 7 changed files with 45 additions and 16 deletions.
4 changes: 2 additions & 2 deletions data/templates/openvpn/server.conf.j2
Expand Up @@ -206,8 +206,8 @@ tls-server
{% if encryption.cipher is vyos_defined %}
cipher {{ encryption.cipher | openvpn_cipher }}
{% endif %}
{% if encryption.ncp_ciphers is vyos_defined %}
data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
{% if encryption.data_ciphers is vyos_defined %}
data-ciphers {{ encryption.data_ciphers | openvpn_data_ciphers }}
{% endif %}
{% endif %}
providers default
2 changes: 1 addition & 1 deletion interface-definitions/interfaces_openvpn.xml.in
Expand Up @@ -87,7 +87,7 @@
</constraint>
</properties>
</leafNode>
<leafNode name="ncp-ciphers">
<leafNode name="data-ciphers">
<properties>
<help>Cipher negotiation list for use in server or client mode</help>
<completionHelp>
4 changes: 2 additions & 2 deletions python/vyos/template.py
Expand Up @@ -556,8 +556,8 @@ def get_openvpn_cipher(cipher):
return openvpn_translate[cipher].upper()
return cipher.upper()

@register_filter('openvpn_ncp_ciphers')
def get_openvpn_ncp_ciphers(ciphers):
@register_filter('openvpn_data_ciphers')
def get_openvpn_data_ciphers(ciphers):
out = []
for cipher in ciphers:
if cipher in openvpn_translate:
6 changes: 3 additions & 3 deletions smoketest/config-tests/dialup-router-medium-vpn
Expand Up @@ -33,7 +33,7 @@ set interfaces ethernet eth1 mtu '9000'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback lo
set interfaces openvpn vtun0 encryption ncp-ciphers 'aes256'
set interfaces openvpn vtun0 encryption data-ciphers 'aes256'
set interfaces openvpn vtun0 hash 'sha512'
set interfaces openvpn vtun0 ip adjust-mss '1380'
set interfaces openvpn vtun0 ip source-validation 'strict'
Expand All @@ -52,7 +52,7 @@ set interfaces openvpn vtun0 tls ca-certificate 'openvpn_vtun0_2'
set interfaces openvpn vtun0 tls certificate 'openvpn_vtun0'
set interfaces openvpn vtun1 authentication password 'vyos1'
set interfaces openvpn vtun1 authentication username 'vyos1'
set interfaces openvpn vtun1 encryption ncp-ciphers 'aes256'
set interfaces openvpn vtun1 encryption data-ciphers 'aes256'
set interfaces openvpn vtun1 hash 'sha1'
set interfaces openvpn vtun1 ip adjust-mss '1380'
set interfaces openvpn vtun1 keep-alive failure-count '3'
Expand All @@ -77,7 +77,7 @@ set interfaces openvpn vtun1 tls ca-certificate 'openvpn_vtun1_2'
set interfaces openvpn vtun2 authentication password 'vyos2'
set interfaces openvpn vtun2 authentication username 'vyos2'
set interfaces openvpn vtun2 disable
set interfaces openvpn vtun2 encryption ncp-ciphers 'aes256'
set interfaces openvpn vtun2 encryption data-ciphers 'aes256'
set interfaces openvpn vtun2 hash 'sha512'
set interfaces openvpn vtun2 ip adjust-mss '1380'
set interfaces openvpn vtun2 keep-alive failure-count '3'
10 changes: 5 additions & 5 deletions smoketest/scripts/cli/test_interfaces_openvpn.py
Expand Up @@ -123,7 +123,7 @@ def test_openvpn_client_verify(self):
interface = 'vtun2000'
path = base_path + [interface]
self.cli_set(path + ['mode', 'client'])
self.cli_set(path + ['encryption', 'ncp-ciphers', 'aes192gcm'])
self.cli_set(path + ['encryption', 'data-ciphers', 'aes192gcm'])

# check validate() - cannot specify local-port in client mode
self.cli_set(path + ['local-port', '5000'])
Expand Down Expand Up @@ -197,7 +197,7 @@ def test_openvpn_client_interfaces(self):
auth_hash = 'sha1'

self.cli_set(path + ['device-type', 'tun'])
self.cli_set(path + ['encryption', 'ncp-ciphers', 'aes256'])
self.cli_set(path + ['encryption', 'data-ciphers', 'aes256'])
self.cli_set(path + ['hash', auth_hash])
self.cli_set(path + ['mode', 'client'])
self.cli_set(path + ['persistent-tunnel'])
Expand Down Expand Up @@ -371,7 +371,7 @@ def test_openvpn_server_subnet_topology(self):
port = str(2000 + ii)

self.cli_set(path + ['device-type', 'tun'])
self.cli_set(path + ['encryption', 'ncp-ciphers', 'aes192'])
self.cli_set(path + ['encryption', 'data-ciphers', 'aes192'])
self.cli_set(path + ['hash', auth_hash])
self.cli_set(path + ['mode', 'server'])
self.cli_set(path + ['local-port', port])
Expand Down Expand Up @@ -462,8 +462,8 @@ def test_openvpn_site2site_verify(self):

self.cli_set(path + ['mode', 'site-to-site'])

# check validate() - encryption ncp-ciphers cannot be specified in site-to-site mode
self.cli_set(path + ['encryption', 'ncp-ciphers', 'aes192gcm'])
# check validate() - cipher negotiation cannot be enabled in site-to-site mode
self.cli_set(path + ['encryption', 'data-ciphers', 'aes192gcm'])
with self.assertRaises(ConfigSessionError):
self.cli_commit()
self.cli_delete(path + ['encryption'])
6 changes: 3 additions & 3 deletions src/conf_mode/interfaces_openvpn.py
Expand Up @@ -326,8 +326,8 @@ def verify(openvpn):
if v4addr in openvpn['local_address'] and 'subnet_mask' not in openvpn['local_address'][v4addr]:
raise ConfigError('Must specify IPv4 "subnet-mask" for local-address')

if dict_search('encryption.ncp_ciphers', openvpn):
raise ConfigError('NCP ciphers can only be used in client or server mode')
if dict_search('encryption.data_ciphers', openvpn):
raise ConfigError('Cipher negotiation can only be used in client or server mode')

else:
# checks for client-server or site-to-site bridged
Expand Down Expand Up @@ -517,7 +517,7 @@ def verify(openvpn):

if dict_search('encryption.cipher', openvpn):
raise ConfigError('"encryption cipher" option is deprecated for TLS mode. '
'Use "encryption ncp-ciphers" instead')
'Use "encryption data-ciphers" instead')

if dict_search('encryption.cipher', openvpn) == 'none':
print('Warning: "encryption none" was specified!')
29 changes: 29 additions & 0 deletions src/migration-scripts/openvpn/2-to-3
@@ -0,0 +1,29 @@
#!/usr/bin/env python3
# Copyright 2024 VyOS maintainers and contributors <[email protected]>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this library. If not, see <http://www.gnu.org/licenses/>.
# Renames ncp-ciphers option to data-ciphers

from vyos.configtree import ConfigTree

def migrate(config: ConfigTree) -> None:
ovpn_intfs = config.list_nodes(['interfaces', 'openvpn'])
for i in ovpn_intfs:
ncp_cipher_path = ['interfaces', 'openvpn', i, 'encryption', 'ncp-ciphers']
if not config.exists(ncp_cipher_path):
# Nothing to do
return

if config.exists(ncp_cipher_path):
config.rename([ncp_cipher_path, 'data-ciphers')
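Review bot: The migration script cannot run as written: `config.rename([ncp_cipher_path, 'data-ciphers')` on the last line has an unbalanced `[` and is a SyntaxError, so the whole 2-to-3 step would fail when an upgraded configuration is loaded; it should read `config.rename(ncp_cipher_path, 'data-ciphers')`. The `return` under `if not config.exists(ncp_cipher_path):` also leaves the loop at the first interface that has no `ncp-ciphers` node, so any later interface keeps the old node, which the new interface definition no longer accepts; it should be `continue`, which in turn makes the second `if config.exists(ncp_cipher_path):` redundant. It is worth confirming that `config.list_nodes(['interfaces', 'openvpn'])` tolerates an absent `interfaces openvpn` branch, or guarding it with `config.exists` as other migration scripts do, and that the openvpn component version is raised to 3 outside this commit so the script is actually selected.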
