tls_session_update_crypto_params() did not properly set crypto_flags_or,
but instead set crypto_flags_and twice if a OFB/CFB mode was selected.
Also, the crypto flags in ks->crypto_options.flags were set before
tls_session_update_crypto_params() was called, causing those to not be
adjusted. To fix this, set the crypto flags in
tls_session_generate_data_channel_keys() instead of key_state_init().
While touching that code, remove the to _or and _and variables, which are
not needed at all.
Finally, refuse to accept --no-iv if NCP is enabled (we might otherwise
negotiate invalid combinations and ASSERT out later, and using --no-iv is
a bad idea anyway).
Trac: #784
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <
1481133684-5325-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13428.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
/etc/openvpn/client (depending on unit file). This also avoids these new
unit files and how they work to collide with older pre-existing unit files.
+- using ``--no-iv`` (which is generally not a recommended setup) will
+ require explicitly disabling NCP with ``--disable-ncp``. This is
+ intentional because NCP will by default use AES-GCM, which requires
+ an IV - so we want users of that option to consciously reconsider.
+
Maintainer-visible changes
--------------------------
if (options->mute_replay_warnings)
to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
- to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM);
+ to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
if (packet_id_long_form)
- to.crypto_flags_or = CO_PACKET_ID_LONG_FORM;
+ to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
to.ssl_ctx = c->c1.ks.ssl_ctx;
to.key_type = c->c1.ks.key_type;
{
msg (M_USAGE, "NCP cipher list contains unsupported ciphers.");
}
+ if (options->ncp_enabled && !options->use_iv)
+ {
+ msg (M_USAGE, "--no-iv not allowed when NCP is enabled.");
+ }
/*
* Check consistency of replay options
}
ks->crypto_options.pid_persist = NULL;
- ks->crypto_options.flags = session->opt->crypto_flags;
- ks->crypto_options.flags &= session->opt->crypto_flags_and;
- ks->crypto_options.flags |= session->opt->crypto_flags_or;
#ifdef MANAGEMENT_DEF_AUTH
ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
ASSERT (ks->authenticated);
+ ks->crypto_options.flags = session->opt->crypto_flags;
if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi,
&session->opt->key_type, ks->key_src, client_sid, server_sid,
session->opt->server))
options->authname, options->keysize, true, true);
bool packet_id_long_form = cipher_kt_mode_ofb_cfb (session->opt->key_type.cipher);
- session->opt->crypto_flags_and &= ~(CO_PACKET_ID_LONG_FORM);
+ session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
if (packet_id_long_form)
- session->opt->crypto_flags_and = CO_PACKET_ID_LONG_FORM;
+ session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM;
/* Update frame parameters: undo worst-case overhead, add actual overhead */
frame_add_to_extra_frame (frame, -(crypto_max_overhead()));
/* struct crypto_option flags */
unsigned int crypto_flags;
- unsigned int crypto_flags_and;
- unsigned int crypto_flags_or;
int replay_window; /* --replay-window parm */
int replay_time; /* --replay-window parm */
projects / thirdparty / openvpn.git / commitdiff
