Because of the way we re-use the options parser for both config files and
pushed options, we always update the local options state when we accept an
option. This resulted in a pushed cipher being rejected the first time it
was pushed, but being accepted the second time.
This patch is a minimal way to resolve this issue in the master and
release/2.4 branches. I'll send a more invasive patch for master, to
reset the entire options state on reconnects, later.
Trac: #906
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20170627222029.26623-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14984.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 3be9a1c1cd75627c30dca05bed28c84ad4dc1d37)
bool
tls_session_update_crypto_params(struct tls_session *session,
- const struct options *options, struct frame *frame)
+ struct options *options, struct frame *frame)
{
if (!session->opt->server
&& 0 != strcmp(options->ciphername, session->opt->config_ciphername)
msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s",
options->ciphername, session->opt->config_ciphername,
options->ncp_ciphers);
+ /* undo cipher push, abort connection setup */
+ options->ciphername = session->opt->config_ciphername;
return false;
}
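Review bot: the added reset `options->ciphername = session->opt->config_ciphername;` undoes only the cipher name; anything else the same pushed option updated in `options` (the commit message notes the parser always updates local options state on accept) is left as pushed, so a rejected push still leaves partial state behind, which the message itself acknowledges by deferring a full reset to a later patch. A short comment saying this is deliberately minimal would help the next reader. Also, since `options` is no longer `const`, callers now observe a mutated `ciphername` after a `false` return; confirm each caller treats it as the configured cipher from that point, not the pushed one.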
* @return true if updating succeeded, false otherwise.
*/
bool tls_session_update_crypto_params(struct tls_session *session,
- const struct options *options, struct frame *frame);
+ struct options *options, struct frame *frame);
/**
* "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.
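Review bot: dropping `const` from `options` in the prototype changes the function's contract, but the doc comment above it (`@return true if updating succeeded, false otherwise.`) is left unchanged; add an `@param options` line stating that on failure the function writes `options->ciphername` back to the configured cipher, so callers reading the header know the argument can be modified.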