From 80285c31e83a8e233016e227a393543d508194eb Mon Sep 17 00:00:00 2001
From: Bernhard Schmidt
Date: Tue, 20 Oct 2020 19:17:00 +0200
Subject: New upstream version 2.5~rc3
---
 src/openvpn/ssl_ncp.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
(limited to 'src/openvpn/ssl_ncp.c')
diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index 5549639..45bddbe 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -110,7 +110,15 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
 * e.g. replacing AeS-128-gCm with AES-128-GCM
 */
 const cipher_kt_t *ktc = cipher_kt_get(token);
- if (!ktc)
+ if (strcmp(token, "none") == 0)
+ {
+ msg(M_WARN, "WARNING: cipher 'none' specified for --data-ciphers. "
+ "This allows negotiation of NO encryption and "
+ "tunnelled data WILL then be transmitted in clear text "
+ "over the network! "
+ "PLEASE DO RECONSIDER THIS SETTING!");
+ }
+ if (!ktc && strcmp(token, "none") != 0)
 {
 msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
 error_found = true;
@@ -118,6 +126,12 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
 else
 {
 const char *ovpn_cipher_name = cipher_kt_name(ktc);
+ if (ktc == NULL)
+ {
+ /* NULL resolves to [null-cipher] but we need none for
+ * data-ciphers */
+ ovpn_cipher_name = "none";
+ }

 if (buf_len(&new_list)> 0)
 {
@@ -325,4 +339,4 @@ check_pull_client_ncp(struct context *c, const int found)
 "to this server.");
 return false;
 }
-}
\ No newline at end of file
+}
-- cgit v1.2.3
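Review bot: The new "none" test in the first hunk is an exact, case-sensitive `strcmp`, while the context comment just above it says the lookup round trip normalises spellings such as AeS-128-gCm. A differently cased spelling of none would therefore miss the clear-text warning, and whether it is then rejected depends on cipher_kt_get(), which is not visible here. The comparison is also evaluated twice; computing it once, `const bool nonecipher = (strcmp(token, "none") == 0);`, and testing `if (!ktc && !nonecipher)` ties the warning and the exemption to a single condition. Because this exemption is what lets an unencrypted data channel into the negotiable list, a one-line comment such as `/* "none" is deliberately exempt from the unsupported-cipher check */` would help the next reader. The body of mutate_ncp_cipher_list starts and ends outside the hunk.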
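Review bot: In the second hunk `cipher_kt_name(ktc)` is still called with a NULL `ktc` before the added `if (ktc == NULL)` check. The branch treats NULL as meaning "none" only because the `if` in the previous hunk has already rejected every other NULL case. That coupling is implicit and would break silently if the earlier condition changes. Selecting the name in one step, `const char *ovpn_cipher_name = ktc ? cipher_kt_name(ktc) : "none";`, makes the intent explicit and no longer depends on how cipher_kt_name() treats NULL (the added comment says it yields [null-cipher]). The enclosing else block continues past the end of the hunk.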