From: Arne Schwabe Date: Mon, 6 Dec 2021 15:08:52 +0000 (+0100) Subject: Fix handling an optional invalid cipher at the end of data-ciphers X-Git-Tag: v2.5.9~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b43a9b9f3324ccd7dffde3048c616aa5becc2b13;p=thirdparty%2Fopenvpn.git Fix handling an optional invalid cipher at the end of data-ciphers If an optional cipher was found at the end of --data-cipher that was not available, it would reset the error and allow non optional ciphers to be ignored. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20211206150852.3142891-1-arne@rfc2549.org> URL: https://www.mail-archive.com/search?l=mid&q=20211206150852.3142891-1-arne@rfc2549.org Signed-off-by: Gert Doering (cherry picked from commit 868433857fbf8d71515ac0ffecb98eae893515dc) --- diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index de7efa407..4ab39a539 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -133,7 +133,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) { const char* optstr = optional ? "optional ": ""; msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token); - error_found = !optional; + error_found = error_found || !optional; } else { diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c index 134a58ab6..6e1e50a47 100644 --- a/tests/unit_tests/openvpn/test_ncp.c +++ b/tests/unit_tests/openvpn/test_ncp.c @@ -85,6 +85,9 @@ test_check_ncp_ciphers_list(void **state) /* All unsupported should still yield an empty list */ assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL); + /* If the last is optional, previous invalid ciphers should be ignored */ + assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL); + /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in * a different spelling the normalised cipher output is the same */ bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");