Restore pre-NCP cipher options on SIGUSR1

As reported by debbie10t on the openvpn-devel list (Message-ID:
<326b8ff7-39a6-1974-c0b0-82fd2abdc7b7@gmail.com>), an NCP client will
attempt to reconnect with the previously pushed cipher, instead of the
cipher from the config file, after a sigusr1 restart.  This can be a
problem when the server is reconfigured (as debbie10t explainted), or when
roaming to a differently-configured server.  Fix this by restoring the
cipher options from the config file after a sigusr1 restart.

This makes the cipher options behaviour different from other pushable
options, because those are also cached until a sighup restart.  We might
want to change this behaviour in general, but for now let's just fix the
issue at hand.

v2: also cache and restore keysize, as that parameter is relevant too.
v3: inherit cached cipher options from parent context.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1478027207-28651-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12869.html
Signed-off-by: David Sommerseth <davids@openvpn.net>

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index eaa5e7993d455b547a26a4e359b1ded920846250..a0281475bd460ee26cff5acd73c4f49d8eb5a727 100644 (file)
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2242,6 +2242,7 @@ do_init_crypto_tls_c1 (struct context *c)
 
       c->c1.ciphername = options->ciphername;
       c->c1.authname = options->authname;
+      c->c1.keysize = options->keysize;
 
 #if 0 /* was: #if ENABLE_INLINE_FILES --  Note that enabling this code will break restarts */
       if (options->priv_key_file_inline)
@@ -2254,6 +2255,11 @@ do_init_crypto_tls_c1 (struct context *c)
   else
     {
       msg (D_INIT_MEDIUM, "Re-using SSL/TLS context");
+
+      /* Restore pre-NCP cipher options */
+      c->options.ciphername = c->c1.ciphername;
+      c->options.authname = c->c1.authname;
+      c->options.keysize = c->c1.keysize;
     }
 }
 
@@ -3791,6 +3797,10 @@ inherit_context_child (struct context *dest,
   dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
   dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key;
   dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
+  /* inherit pre-NCP ciphers */
+  dest->c1.ciphername = src->c1.ciphername;
+  dest->c1.authname = src->c1.authname;
+  dest->c1.keysize = src->c1.keysize;
 #endif
 
   /* options */

diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index 5cda7b4519abee8a03fc3a403798c22b3a6c0178..4366a42240a50e8d49d6fe25abc81890d0f90074 100644 (file)
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -213,6 +213,7 @@ struct context_1
 
   const char *ciphername;      /**< Data channel cipher from config file */
   const char *authname;                /**< Data channel auth from config file */
+  int keysize;                 /**< Data channel keysize from config file */
 #endif
 };