Fix client NCP OCC fallback when server and client cipher are identical
If we do not get a cipher pushed we call tls_poor_mans_ncp to determine
whether we can use the server's cipher. Inherited from OpenVPN
2.4's code we only did this check when the ciphers were different.
Since OpenVPN 2.5 does not assume that our cipher we report in OCC
(options->ciphername) is always a valid cipher we always need to perform
this check.
V2: Only call tls_item_in_cipher_list if remote_cipher is non-null to
avoid calling strcmp with NULL.
Reported-By: Rafael Gava <gava100@gmail.com>
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200830131440.10933-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20843.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6ffe64e34004967a96514cc55abb22215fbe5640)
Arne Schwabe authored on 2020/08/30 22:14:40Showing 1 changed files
| ... | ... |
@@ -269,14 +269,11 @@ static bool |
| 269 | 269 |
tls_poor_mans_ncp(struct options *o, const char *remote_ciphername) |
| 270 | 270 |
{
|
| 271 | 271 |
if (remote_ciphername |
| 272 |
- && 0 != strcmp(o->ciphername, remote_ciphername)) |
|
| 272 |
+ && tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)) |
|
| 273 | 273 |
{
|
| 274 |
- if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)) |
|
| 275 |
- {
|
|
| 276 |
- o->ciphername = string_alloc(remote_ciphername, &o->gc); |
|
| 277 |
- msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername); |
|
| 278 |
- return true; |
|
| 279 |
- } |
|
| 274 |
+ o->ciphername = string_alloc(remote_ciphername, &o->gc); |
|
| 275 |
+ msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername); |
|
| 276 |
+ return true; |
|
| 280 | 277 |
} |
| 281 | 278 |
return false; |
| 282 | 279 |
} |