Because of the way we re-use the options parser for both config files and
pushed options, we always update the local options state when we accept an
option. This resulted in a pushed cipher being rejected the first time it
was pushed, but being accepted the second time.
This patch is a minimal way to resolve this issue in the master and
release/2.4 branches. Later, I'll send a more invasive patch for master
that resets the entire options state on reconnects.
Trac: #906
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170627222029.26623-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14984.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
@@ -1960,7 +1960,7 @@ cleanup: |
1960 | 1960 |
|
1961 | 1961 |
bool |
1962 | 1962 |
tls_session_update_crypto_params(struct tls_session *session, |
1963 |
- const struct options *options, struct frame *frame) |
|
1963 |
+ struct options *options, struct frame *frame) |
|
1964 | 1964 |
{ |
1965 | 1965 |
if (!session->opt->server |
1966 | 1966 |
&& 0 != strcmp(options->ciphername, session->opt->config_ciphername) |
@@ -1969,6 +1969,8 @@ tls_session_update_crypto_params(struct tls_session *session, |
1969 | 1969 |
msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s", |
1970 | 1970 |
options->ciphername, session->opt->config_ciphername, |
1971 | 1971 |
options->ncp_ciphers); |
1972 |
+ /* undo cipher push, abort connection setup */ |
|
1973 |
+ options->ciphername = session->opt->config_ciphername; |
|
1972 | 1974 |
return false; |
1973 | 1975 |
} |
1974 | 1976 |
|
@@ -481,7 +481,7 @@ void tls_update_remote_addr(struct tls_multi *multi, |
481 | 481 |
* @return true if updating succeeded, false otherwise. |
482 | 482 |
*/ |
483 | 483 |
bool tls_session_update_crypto_params(struct tls_session *session, |
484 |
- const struct options *options, struct frame *frame); |
|
484 |
+ struct options *options, struct frame *frame); |
|
485 | 485 |
|
486 | 486 |
/** |
487 | 487 |
* "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. |