This allows controlling the fallback cipher that is used when the
client/server do have any common cipher on a per-client basis.

The patch is similar to Steffan's
[PATCH v4] Allow changing cipher from a ccd file.

Steffan's old patch also moves the cipher negotiation to
multi_established_connection() which I independently discovered and
implemented in commit 5e78bf66fa9 (Extract process_incoming_push_reply
from process_incoming_push_msg)

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200711093655.23686-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20281.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
}
else if (streq(p[0], "cipher") && p[1] && !p[2])
{
- VERIFY_PERMISSION(OPT_P_NCP);
+ VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
options->ciphername = p[1];
}
else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2])
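Review bot: In the `cipher` branch, widening the check to `OPT_P_NCP|OPT_P_INSTANCE` means a ccd file or client-connect script can now write `options->ciphername`, and the assignment `options->ciphername = p[1];` stores the string with no validation in this branch. Since that value decides the data-channel cipher a client falls back to, please confirm that the per-instance name is checked against the ciphers the server supports before keys are generated for that client, and that an unknown or unwanted name from a ccd file is rejected for that client rather than silently accepted. It would also help to document that `cipher` is now accepted in per-client context and that there it only changes the fallback cipher.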
#define OPT_P_MTU (1<<14) /* TODO */
#define OPT_P_NICE (1<<15)
#define OPT_P_PUSH (1<<16)
-#define OPT_P_INSTANCE (1<<17)
+#define OPT_P_INSTANCE (1<<17) /**< allowed in ccd, client-connect etc*/
#define OPT_P_CONFIG (1<<18)
#define OPT_P_EXPLICIT_NOTIFY (1<<19)
#define OPT_P_ECHO (1<<20)
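Review bot: The new comment on `OPT_P_INSTANCE` is the only Doxygen-style trailing comment among the visible defines (the neighbouring `OPT_P_MTU` uses a plain `/* TODO */`), and it is missing the period after "etc" and the space before the closing `*/`. Suggest `/**< allowed in ccd, client-connect etc. */`. Since this flag now gates a cipher setting as well, consider commenting the adjacent permission bits in the same way, `OPT_P_NCP` in particular, so readers can tell which option sources each bit admits.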