Because of the way we re-use the options parser for both config files and
pushed options, we always update the local options state when we accept an
option.  This resulted in a pushed cipher being rejected the first time it
was pushed, but being accepted the second time.

This patch is a minimal way to resolve this issue in the master and
release/2.4 branches.  I'll send a more invasive patch for master, to
reset the entire options state on reconnects, later.

Trac: #906

Signed-off-by: Steffan Karger <stef...@karger.me>
---
v2 - send the _entire_ patch, not just 1 hunk...

 src/openvpn/ssl.c | 4 +++-
 src/openvpn/ssl.h | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index bbc1c965..f868457e 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1958,7 +1958,7 @@ cleanup:
 
 bool
 tls_session_update_crypto_params(struct tls_session *session,
-                                 const struct options *options, struct frame 
*frame)
+                                 struct options *options, struct frame *frame)
 {
     if (!session->opt->server
         && 0 != strcmp(options->ciphername, session->opt->config_ciphername)
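Review bot: dropping `const` from `options` in this hunk turns tls_session_update_crypto_params from a read-only consumer of the options into a writer for every caller, when the only write this series introduces is a single field reset on one rejection path. Consider keeping the parameter `const struct options *` and letting the caller, which already owns a mutable options struct, do the reset when it sees `false`; if the non-const signature stays, the function's header comment should name exactly which fields may be modified and under what condition.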
@@ -1967,6 +1967,8 @@ tls_session_update_crypto_params(struct tls_session 
*session,
         msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or 
%s",
             options->ciphername, session->opt->config_ciphername,
             options->ncp_ciphers);
+        /* undo cipher push, abort connection setup */
+        options->ciphername = session->opt->config_ciphername;
         return false;
     }
 
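Review bot: the reset `options->ciphername = session->opt->config_ciphername;` is a bare pointer assignment, so it is only a correct undo if `config_ciphername` outlives the options struct and the pushed string it replaces is owned (and freed) elsewhere; otherwise this is either a dangling pointer or a leak, and a one-line comment on the ownership model would settle that for the next reader. The comment `/* undo cipher push, abort connection setup */` also promises more than the line does: the function only returns false and leaves the abort to the caller, so "undo cipher push; caller aborts setup" is closer to the truth. Finally, only `ciphername` is restored here; anything else the same push wrote into `options` still carries into the next connection attempt, which the commit message defers to a later patch but is worth a TODO next to the reset so it is not forgotten.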
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index 56ea6013..0e0f68fa 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -481,7 +481,7 @@ void tls_update_remote_addr(struct tls_multi *multi,
  * @return true if updating succeeded, false otherwise.
  */
 bool tls_session_update_crypto_params(struct tls_session *session,
-                                      const struct options *options, struct 
frame *frame);
+                                      struct options *options, struct frame 
*frame);
 
 /**
  * "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.
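Review bot: the doc comment immediately above this hunk (`@return true if updating succeeded, false otherwise.`) no longer states the full contract once `options` is non-const, because on the failure path the function now rewrites `options->ciphername` back to the configured cipher. Add a `@param options` line, or a sentence after `@return`, saying that the pushed cipher name is discarded from `options` when the function returns false, so callers know not to rely on it after a rejection.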
-- 
2.11.0


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
