author | vindenesen <vindenesen@gmail.com> | 2019-10-01 21:49:35 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2019-11-11 16:29:02 +0100 |
commit | d13ed0f466f1e150159067c1b335fdc0317b6c20 (patch) | |
tree | b322805a551e53240cb88a28e987d218f75947fb | |
parent | 3782cfacaa9f6582a3d649bbdb38e0553c67b8c4 (diff) | |
download | vyos-1x-d13ed0f466f1e150159067c1b335fdc0317b6c20.tar.gz vyos-1x-d13ed0f466f1e150159067c1b335fdc0317b6c20.zip |
[OpenVPN]: T1704: Added function for ncp-ciphers, and ability to disable it.
[OpenVPN]: T1704: Changed config structure for OpenVPN encryption to support ncp-ciphers.
[OpenVPN]: T1704: Added migration scripts for interface 2-to-3
-rw-r--r-- | interface-definitions/interfaces-openvpn.xml | 155 | ||||
-rwxr-xr-x | src/conf_mode/interfaces-openvpn.py | 48 | ||||
-rwxr-xr-x | src/migration-scripts/interfaces/2-to-3 | 43 |
3 files changed, 193 insertions, 53 deletions
diff --git a/interface-definitions/interfaces-openvpn.xml b/interface-definitions/interfaces-openvpn.xml
index 42c953fdc..10f8198f2 100644
--- a/interface-definitions/interfaces-openvpn.xml
+++ b/interface-definitions/interfaces-openvpn.xml
@@ -102,57 +102,114 @@ <valueless/> </properties> </leafNode> - <leafNode name="encryption"> + <node name="encryption"> <properties> - <help>Data Encryption Algorithm</help> - <completionHelp> - <list>des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list> - </completionHelp> - <valueHelp> - <format>des</format> - <description>DES algorithm</description> - </valueHelp> - <valueHelp> - <format>3des</format> - <description>DES algorithm with triple encryption</description> - </valueHelp> - <valueHelp> - <format>bf128</format> - <description>Blowfish algorithm with 128-bit key</description> - </valueHelp> - <valueHelp> - <format>bf256</format> - <description>Blowfish algorithm with 256-bit key</description> - </valueHelp> - <valueHelp> - <format>aes128</format> - <description>AES algorithm with 128-bit key CBC</description> - </valueHelp> - <valueHelp> - <format>aes128gcm</format> - <description>AES algorithm with 128-bit key GCM</description> - </valueHelp> - <valueHelp> - <format>aes192</format> - <description>AES algorithm with 192-bit key CBC</description> - </valueHelp> - <valueHelp> - <format>aes192gcm</format> - <description>AES algorithm with 192-bit key GCM</description> - </valueHelp> - <valueHelp> - <format>aes256</format> - <description>AES algorithm with 256-bit key CBC</description> - </valueHelp> - <valueHelp> - <format>aes256gcm</format> - <description>AES algorithm with 256-bit key GCM</description> - </valueHelp> - <constraint> - <regex>(des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex> - </constraint> + <help>Data Encryption settings</help> </properties> - </leafNode> + <children> + <leafNode name="cipher"> + <properties> + <help>Standard Data Encryption Algorithm</help> + <completionHelp> + <list>des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list> + </completionHelp> + <valueHelp> + <format>des</format> + <description>DES algorithm</description> + </valueHelp> + 
<valueHelp> + <format>3des</format> + <description>DES algorithm with triple encryption</description> + </valueHelp> + <valueHelp> + <format>bf128</format> + <description>Blowfish algorithm with 128-bit key</description> + </valueHelp> + <valueHelp> + <format>bf256</format> + <description>Blowfish algorithm with 256-bit key</description> + </valueHelp> + <valueHelp> + <format>aes128</format> + <description>AES algorithm with 128-bit key CBC</description> + </valueHelp> + <valueHelp> + <format>aes128gcm</format> + <description>AES algorithm with 128-bit key GCM</description> + </valueHelp> + <valueHelp> + <format>aes192</format> + <description>AES algorithm with 192-bit key CBC</description> + </valueHelp> + <valueHelp> + <format>aes192gcm</format> + <description>AES algorithm with 192-bit key GCM</description> + </valueHelp> + <valueHelp> + <format>aes256</format> + <description>AES algorithm with 256-bit key CBC</description> + </valueHelp> + <valueHelp> + <format>aes256gcm</format> + <description>AES algorithm with 256-bit key GCM</description> + </valueHelp> + <constraint> + <regex>(des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex> + </constraint> + </properties> + </leafNode> + <leafNode name="ncp-ciphers"> + <properties> + <help>Data Encryption Algorithm list for use in server or client mode</help> + <completionHelp> + <list>des 3des aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list> + </completionHelp> + <valueHelp> + <format>des</format> + <description>DES algorithm</description> + </valueHelp> + <valueHelp> + <format>3des</format> + <description>DES algorithm with triple encryption</description> + </valueHelp> + <valueHelp> + <format>aes128</format> + <description>AES algorithm with 128-bit key CBC</description> + </valueHelp> + <valueHelp> + <format>aes128gcm</format> + <description>AES algorithm with 128-bit key GCM</description> + </valueHelp> + <valueHelp> + <format>aes192</format> + <description>AES algorithm with 
192-bit key CBC</description> + </valueHelp> + <valueHelp> + <format>aes192gcm</format> + <description>AES algorithm with 192-bit key GCM</description> + </valueHelp> + <valueHelp> + <format>aes256</format> + <description>AES algorithm with 256-bit key CBC</description> + </valueHelp> + <valueHelp> + <format>aes256gcm</format> + <description>AES algorithm with 256-bit key GCM</description> + </valueHelp> + <constraint> + <regex>(des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex> + </constraint> + <multi/> + </properties> + </leafNode> + <leafNode name="disable-ncp"> + <properties> + <help>Disable support for ncp-ciphers</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> <leafNode name="hash"> <properties> <help>Hashing Algorithm</help> diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index cdd133904..5140cc468 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -220,6 +220,12 @@ cipher aes-256-gcm {%- elif 'aes256' in encryption %} cipher aes-256-cbc {% endif %} +{%- if ncp_ciphers %} +ncp-ciphers {{ncp_ciphers}} +{% endif %} +{% endif %} +{%- if disable_ncp %} +ncp-disable {% endif %} {%- if auth %} @@ -277,6 +283,7 @@ default_config_data = { 'deleted': False, 'description': '', 'disable': False, + 'disable_ncp': False, 'encryption': '', 'hash': '', 'intf': '', @@ -287,6 +294,7 @@ default_config_data = { 'local_host': '', 'local_port': '', 'mode': '', + 'ncp_ciphers': '', 'options': [], 'persistent_tunnel': False, 'protocol': '', 
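Review bot: The new `ncp-ciphers` leaf's completion list and its constraint `(des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)` admit DES and 3DES in the negotiable cipher set, so depending on the peer's own list and ordering the negotiated data channel can end up on a 64-bit-block cipher (Sweet32 class) even when `cipher` is set to AES. Cipher negotiation exists to move traffic to modern AEAD ciphers, so the negotiable set should arguably be AES only, e.g. `<regex>(aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex>` with the `<list>` and the des/3des `<valueHelp>` entries trimmed to match, leaving `cipher` untouched for legacy peers. The `disable-ncp` help could also state the consequence, e.g. `<help>Disable cipher negotiation (NCP); the static "cipher" value is used for all peers</help>`.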
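Review bot: The added `ncp-ciphers {{ncp_ciphers}}` lines sit before the newly added `{% endif %}` that closes an enclosing conditional whose opening line is outside this hunk; if that enclosing block is `{%- if encryption %}` — and the Python side of this commit only fills `encryption` from `encryption cipher` — then a configuration that sets `encryption ncp-ciphers` without `encryption cipher` renders no `ncp-ciphers` line at all and OpenVPN silently falls back to its built-in negotiation list. A configured cipher allowlist being dropped without any error is hard to notice in operation, so the three `{%- if ncp_ciphers %}` / `ncp-ciphers {{ncp_ciphers}}` / `{% endif %}` lines should be moved after that `{% endif %}`, next to the `disable_ncp` block, so they do not depend on `cipher` being set. The Jinja block this hunk edits starts outside the hunk, so this is an inference from the added `{% endif %}` and should be confirmed against the full template.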
@@ -410,10 +418,36 @@ def get_config(): if conf.exists('disable'): openvpn['disable'] = True - # data encryption algorithm - if conf.exists('encryption'): - openvpn['encryption'] = conf.return_value('encryption') - + # data encryption algorithm cipher + if conf.exists('encryption cipher'): + openvpn['encryption'] = conf.return_value('encryption cipher') + + # disable ncp-ciphers support + if conf.exists('encryption disable-ncp'): + openvpn['disable_ncp'] = True + + # data encryption algorithm ncp-list + if conf.exists('encryption ncp-ciphers'): + _ncp_ciphers = [] + for enc in conf.return_values('encryption ncp-ciphers'): + if enc == 'des': + _ncp_ciphers.append('des-cbc') + elif enc == '3des': + _ncp_ciphers.append('des-ede3-cbc') + elif enc == 'aes128': + _ncp_ciphers.append('aes-128-cbc') + elif enc == 'aes128gcm': + _ncp_ciphers.append('aes-128-gcm') + elif enc == 'aes192': + _ncp_ciphers.append('aes-192-cbc') + elif enc == 'aes192gcm': + _ncp_ciphers.append('aes-192-gcm') + elif enc == 'aes256': + _ncp_ciphers.append('aes-256-cbc') + elif enc == 'aes256gcm': + _ncp_ciphers.append('aes-256-gcm') + openvpn['ncp_ciphers'] = ':'.join(_ncp_ciphers) + # hash algorithm if conf.exists('hash'): openvpn['hash'] = conf.return_value('hash') @@ -621,6 +655,9 @@ def verify(openvpn): if openvpn['bridge_member']: raise ConfigError('Can not delete {} as it is a member interface of bridge {}!'.format(openvpn['intf'], bridge)) + # Check if we have disabled ncp and at the same time specified ncp-ciphers + if openvpn['disable_ncp'] and openvpn['ncp_ciphers']: + raise ConfigError('Cannot specify both "encryption disable-ncp" and "encryption ncp-ciphers"') # # OpenVPN client mode - VERIFY # 
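Review bot: The eight-branch `if`/`elif` chain that maps `ncp-ciphers` values to OpenVPN names silently drops any value that matches no branch, shortening the list relative to what was configured; today the XML regex prevents that, but a dict lookup both reads better and fails loudly if the two lists ever drift apart. The configured order is preserved into the colon-joined string, which matters if OpenVPN treats the list as a preference order (worth a one-line comment). `get_config` starts and ends outside the hunk.
```python
# Map CLI cipher names to OpenVPN cipher names; order of the configured
# list is preserved, and an unmapped value raises rather than being dropped.
_NCP_CIPHER_MAP = {
    'des': 'des-cbc', '3des': 'des-ede3-cbc',
    'aes128': 'aes-128-cbc', 'aes128gcm': 'aes-128-gcm',
    'aes192': 'aes-192-cbc', 'aes192gcm': 'aes-192-gcm',
    'aes256': 'aes-256-cbc', 'aes256gcm': 'aes-256-gcm',
}
# … unchanged: cipher / disable-ncp handling …
if conf.exists('encryption ncp-ciphers'):
    try:
        openvpn['ncp_ciphers'] = ':'.join(
            _NCP_CIPHER_MAP[enc] for enc in conf.return_values('encryption ncp-ciphers'))
    except KeyError as e:
        raise ConfigError('Unsupported ncp-ciphers value {}'.format(e))
```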
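Review bot: The new mutual-exclusion check rejects `disable-ncp` together with `ncp-ciphers`, but nothing covers the opposite gap: `disable-ncp` set with no `encryption cipher`, which leaves OpenVPN on its compiled-in default cipher (BF-CBC in OpenVPN 2.4, a 64-bit-block cipher) with negotiation switched off. A second check next to the new one would close that, e.g. `if openvpn['disable_ncp'] and not openvpn['encryption']:` / `raise ConfigError('"encryption cipher" must be set when "encryption disable-ncp" is used')`, or at least a warning if a hard error is considered too strict for existing configs. `verify` starts and ends outside the hunk.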
@@ -661,6 +698,9 @@ def verify(openvpn): if openvpn['local_address'] == openvpn['local_host']: raise ConfigError('"local-address" cannot be the same as "local-host"') + if openvpn['ncp_ciphers']: + raise ConfigError('encryption ncp-ciphers cannot be specified in site-to-site mode, only server or client') + else: if openvpn['local_address'] or openvpn['remote_address']: raise ConfigError('Cannot specify "local-address" or "remote-address" in client-server mode') diff --git a/src/migration-scripts/interfaces/2-to-3 b/src/migration-scripts/interfaces/2-to-3 new file mode 100755 index 000000000..a63a54cdf --- /dev/null +++ b/src/migration-scripts/interfaces/2-to-3 @@ -0,0 +1,43 @@ +#!/usr/bin/env python3 + +# Change syntax of openvpn encryption settings +# - move cipher from encryption to encryption cipher +# https://phabricator.vyos.net/T1704 + +import sys +from vyos.configtree import ConfigTree + +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['interfaces', 'openvpn'] + +if not config.exists(base): + # Nothing to do + sys.exit(0) +else: + # + # move cipher from "encryption" to "encryption cipher" + # + for intf in config.list_nodes(['interfaces', 'openvpn']): + # Check if encryption is set + if config.exists(['interfaces', 'openvpn', intf, 'encryption']): + # Get cipher used + cipher = config.return_value(['interfaces', 'openvpn', intf, 'encryption']) + # Delete old syntax + config.delete(['interfaces', 'openvpn', intf, 'encryption']) + # Add new syntax to config + config.set(['interfaces', 'openvpn', intf, 'encryption', 'cipher'], value=cipher) + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) |
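Review bot: The new site-to-site error message is worded differently from its neighbours, which quote the offending option (`'"local-address" cannot be the same as "local-host"'`); for consistency it should read `raise ConfigError('"encryption ncp-ciphers" cannot be specified in site-to-site mode, only in server or client mode')`. `verify` starts and ends outside the hunk.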
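Review bot: The argument check `if (len(sys.argv) < 1):` can never be true, because `sys.argv` always holds at least the script name, so running the script without a file name skips the intended message and dies with an `IndexError` on `sys.argv[1]`; it should be `if len(sys.argv) < 2:`. The redundant parentheses can go at the same time, and the write-back `try` only guards `OSError`, which matches the other migration scripts' style so is fine as is.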