Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.

The NCP (data channel crypto negotiation) code on the client side waits
for an incoming PUSH_REPLY before setting up the data channel crypto
parameters, because the PUSH_REPLY could contain a "cipher xxx" setting.

In the particular case of a empty PUSH_REPLY message, the relevant code
bits was not called because "we have not received any options, do not
bother to look into it in more detail" - so, ciphers were not set up,
resulting in an error message like this:

    Key [AF_INET]... [0] not initialized (yet), dropping packet.

Remove that check, always init the crypto layer on PUSH_REPLY.

Trac: #903

Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170618092244.8801-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14856.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 2532cf8508a1d75c2ed12b513caf5b15f9f5a699..91ab28e045bd62b58fe15b1bf7ee52f599b3685e 100644 (file)
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1925,7 +1925,7 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found)
     {
         reset_coarse_timers(c);
 
-        if (pulled_options && option_types_found)
+        if (pulled_options)
         {
             if (!do_deferred_options(c, option_types_found))
             {