Extract check_session_cipher into standalone function
authorArne Schwabe <arne@rfc2549.org>
Fri, 29 Jul 2022 12:37:48 +0000 (14:37 +0200)
committerGert Doering <gert@greenie.muc.de>
Mon, 1 Aug 2022 08:20:07 +0000 (10:20 +0200)
This allows the code later to check whether the cipher is okay to use and
to update it for the calculation of the max MTU size.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch v2: Name function check_session_cipher to better reflect its
          function
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220729123748.3267207-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24766.html

Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/ssl.c
src/openvpn/ssl_ncp.c
src/openvpn/ssl_ncp.h

index 24d7f3f4818f4e40b0f99f8cb975f11d4e3a7781..ee248b4729b1d92f792bcbb9945e79c190cf1761 100644 (file)
@@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session,
                                  struct frame *frame_fragment,
                                  struct link_socket_info *lsi)
 {
-
-    bool cipher_allowed_as_fallback = options->enable_ncp_fallback
-                                      && streq(options->ciphername, session->opt->config_ciphername);
-
-    if (!session->opt->server && !cipher_allowed_as_fallback
-        && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
+    if (!check_session_cipher(session, options))
     {
-        msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
-            options->ciphername, options->ncp_ciphers);
-        /* undo cipher push, abort connection setup */
-        options->ciphername = session->opt->config_ciphername;
         return false;
     }
 
index 564942503dcfaad7c94d804536e0c1d605b777d7..a58ced537b23820a68083dff3db724eecc8b81e6 100644 (file)
@@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
 
     gc_free(&gc);
 }
+
+
+bool
+check_session_cipher(struct tls_session *session, struct options *options)
+{
+    bool cipher_allowed_as_fallback = options->enable_ncp_fallback
+                                      && streq(options->ciphername, session->opt->config_ciphername);
+
+    if (!session->opt->server && !cipher_allowed_as_fallback
+        && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
+    {
+        msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
+            options->ciphername, options->ncp_ciphers);
+        /* undo cipher push, abort connection setup */
+        options->ciphername = session->opt->config_ciphername;
+        return false;
+    }
+    else
+    {
+        return true;
+    }
+}
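Review bot: The `else { return true; }` closing the new check_session_cipher is redundant after the unconditional `return false;` inside the if-block; drop the else and end the function with a bare `return true;`, which is the guard-clause shape the surrounding code already uses. The name "check" does not convey that the failure path writes `options->ciphername`, and the only hint is the moved comment "undo cipher push, abort connection setup"; since the call site in ssl.c (previous file section) now sees just a boolean, a why-comment above the assignment such as `/* caller's options->ciphername is overwritten here; the caller relies on this to abort with the config cipher restored */` would keep that contract visible. The server-side bypass via `session->opt->server` is pre-existing behaviour carried over unchanged, so I only raise that it belongs in the header documentation.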
index 853017f5f69880133830709bed300f6bccbe34e7..97c04302990ed363dba8cb19fae43a260fcc62f5 100644 (file)
@@ -148,4 +148,12 @@ const char *
 get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info,
                    struct gc_arena *gc);
 
+
+/**
+ * Checks if the cipher is allowed, otherwise returns false and reset the
+ * cipher to the config cipher.
+ */
+bool
+check_session_cipher(struct tls_session *session, struct options *options);
+
 #endif /* ifndef OPENVPN_SSL_NCP_H */
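Review bot: The Doxygen comment on the new check_session_cipher declaration omits two facts a caller needs: the check is skipped entirely when `session->opt->server` is set, and on rejection the function writes `options->ciphername` back to `session->opt->config_ciphername`, so `options` is an in/out parameter rather than read-only. It also has a grammar slip (`reset` should be `resets`). A fuller version: `Checks whether the negotiated cipher in options->ciphername is allowed (client side only; skipped when session->opt->server is set). Returns false and resets options->ciphername to the config cipher when it is not. With NCP fallback enabled, a cipher equal to the config cipher is accepted without consulting ncp_ciphers.`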