Fix problems with NCP and --inetd.

NCP only works with --pull or --mode server, leading to breakage
in --inetd mode (because that has --tls-server, but not --mode server,
but clients can still ask for PUSH_REQUEST).

Fix by turning off o->ncp_enable unless (pull or mode server), and
double-fix by logging an appropriate message and refusing to change
ciphers if the server has already set up its keys.

v2: wrap long msg() text lines

Trac: 715
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: 1471897487-8354-1-git-send-email-gert@greenie.muc.de
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg00060.html
Signed-off-by: David Sommerseth <davids@openvpn.net>

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index c100d4ca0f1e11d1f1cebdd4deb0a9206e61a86b..e052042f3671f971617fd298f5a42425c0cf1d40 100644 (file)
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2614,6 +2614,15 @@ options_postprocess_mutate (struct options *o)
       if (streq (o->dh_file, "none"))
        o->dh_file = NULL;
     }
+
+  /* cipher negotiation (NCP) currently assumes --pull or --mode server */
+  if ( o->ncp_enabled &&
+        ! (o->pull || o->mode == MODE_SERVER) )
+    {
+      msg( M_WARN, "disabling NCP mode (--ncp-disable) because not "
+                   "in P2MP client or server mode" );
+      o->ncp_enabled = false;
+    }
 #endif
 
 #if ENABLE_MANAGEMENT

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 000c82f93f3025b63259945c50181f3387272424..a1b999e2d97b0a799ce88090976888e136c3c35a 100644 (file)
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -321,11 +321,24 @@ prepare_push_reply (struct options *o, struct tls_multi *tls_multi)
   /* Push cipher if client supports Negotiable Crypto Parameters */
   if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled)
     {
-      /* Push the first cipher from --ncp-ciphers to the client.
-       * TODO: actual negotiation, instead of server dictatorship. */
-      char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
-      o->ciphername = strtok (push_cipher, ":");
-      push_option_fmt(o, M_USAGE, "cipher %s", o->ciphername);
+      /* if we have already created our key, we cannot change our own
+       * cipher, so disable NCP and warn = explain why
+       */
+      struct tls_session *session = &tls_multi->session[TM_ACTIVE];
+      if ( session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized )
+       {
+          msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but "
+                       "server has already generated data channel keys, "
+                       "ignoring client request" );
+       }
+      else
+       {
+         /* Push the first cipher from --ncp-ciphers to the client.
+          * TODO: actual negotiation, instead of server dictatorship. */
+         char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
+         o->ciphername = strtok (push_cipher, ":");
+         push_option_fmt(o, M_USAGE, "cipher %s", o->ciphername);
+       }
     }
   return true;
 }