Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
The NCP (data channel crypto negotiation) code on the client side waits
for an incoming PUSH_REPLY before setting up the data channel crypto
parameters, because the PUSH_REPLY could contain a "cipher xxx" setting.
In the particular case of a empty PUSH_REPLY message, the relevant code
bits was not called because "we have not received any options, do not
bother to look into it in more detail" - so, ciphers were not set up,
resulting in an error message like this:
Key [AF_INET]... [0] not initialized (yet), dropping packet.
Remove that check, always init the crypto layer on PUSH_REPLY.
Trac: #903
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170618092244.8801-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14856.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Gert Doering authored on 2017/06/18 18:22:44Showing 1 changed files
| ... | ... |
@@ -1925,7 +1925,7 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) |
| 1925 | 1925 |
{
|
| 1926 | 1926 |
reset_coarse_timers(c); |
| 1927 | 1927 |
|
| 1928 |
- if (pulled_options && option_types_found) |
|
| 1928 |
+ if (pulled_options) |
|
| 1929 | 1929 |
{
|
| 1930 | 1930 |
if (!do_deferred_options(c, option_types_found)) |
| 1931 | 1931 |
{
|