1. openvpn
  2. Commit 3be9a1c1cd75627c30dca05bed28c84ad4dc1d37
Browse code

Undo cipher push in client options state if cipher is rejected

Because of the way we re-use the options parser for both config files and
pushed options, we always update the local options state when we accept an
option. This resulted in a pushed cipher being rejected the first time it
was pushed, but being accepted the second time.

This patch is a minimal way to resolve this issue in the master and
release/2.4 branches. I'll send a more invasive patch for master, to
reset the entire options state on reconnects, later.

Trac: #906

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170627222029.26623-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14984.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Steffan Karger authored on 2017/06/28 07:20:29
Showing 2 changed files
src/openvpn/ssl.c
History View file @ 3be9a1c
... ... 
@@ -1960,7 +1960,7 @@ cleanup:
1960 1960
1961 1961 
 bool
1962 1962 
 tls_session_update_crypto_params(struct tls_session *session,
1963 
-                                 const struct options *options, struct frame *frame)
1963 
+                                 struct options *options, struct frame *frame)
1964 1964 
 {
1965 1965 
     if (!session->opt->server
1966 1966 
         && 0 != strcmp(options->ciphername, session->opt->config_ciphername)
... ... 
@@ -1969,6 +1969,8 @@ tls_session_update_crypto_params(struct tls_session *session,
1969 1969 
         msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s",
1970 1970 
             options->ciphername, session->opt->config_ciphername,
1971 1971 
             options->ncp_ciphers);
1972 
+        /* undo cipher push, abort connection setup */
1973 
+        options->ciphername = session->opt->config_ciphername;
1972 1974 
         return false;
1973 1975 
     }
1974 1976
src/openvpn/ssl.h
History View file @ 3be9a1c
... ... 
@@ -481,7 +481,7 @@ void tls_update_remote_addr(struct tls_multi *multi,
481 481 
  * @return true if updating succeeded, false otherwise.
482 482 
  */
483 483 
 bool tls_session_update_crypto_params(struct tls_session *session,
484 
-                                      const struct options *options, struct frame *frame);
484 
+                                      struct options *options, struct frame *frame);
485 485
486 486 
 /**
487 487 
  * "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.