From: Steffan Karger
Date: Tue, 27 Jun 2017 22:20:29 +0000 (+0200)
Subject: Undo cipher push in client options state if cipher is rejected
X-Git-Tag: v2.5_beta1~643
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3be9a1c1cd75627c30dca05bed28c84ad4dc1d37;p=thirdparty%2Fopenvpn.git

Undo cipher push in client options state if cipher is rejected

Because of the way we re-use the options parser for both config files and pushed options, we always update the local options state when we accept an option. This resulted in a pushed cipher being rejected the first time it was pushed, but being accepted the second time.

This patch is a minimal way to resolve this issue in the master and release/2.4 branches. I'll send a more invasive patch for master, to reset the entire options state on reconnects, later.

Trac: #906
Signed-off-by: Steffan Karger
Acked-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20170627222029.26623-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14984.html
Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9ca300c0c..df232894e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1960,7 +1960,7 @@ cleanup: bool tls_session_update_crypto_params(struct tls_session *session, - const struct options *options, struct frame *frame) + struct options *options, struct frame *frame) { if (!session->opt->server && 0 != strcmp(options->ciphername, session->opt->config_ciphername) @@ -1969,6 +1969,8 @@ tls_session_update_crypto_params(struct tls_session *session, msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s", options->ciphername, session->opt->config_ciphername, options->ncp_ciphers); + /* undo cipher push, abort connection setup */ + options->ciphername = session->opt->config_ciphername; return false; } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 56ea60137..0e0f68fa3 100644 --- a/src/openvpn/ssl.h 
+++ b/src/openvpn/ssl.h @@ -481,7 +481,7 @@ void tls_update_remote_addr(struct tls_multi *multi, * @return true if updating succeeded, false otherwise. */ bool tls_session_update_crypto_params(struct tls_session *session, - const struct options *options, struct frame *frame); + struct options *options, struct frame *frame); /** * "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.
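Review bot: in the ssl.c hunk the undo line `options->ciphername = session->opt->config_ciphername;` restores the configured cipher rather than whatever `options->ciphername` pointed at immediately before this push was applied. Since the check right above accepts a pushed cipher that is either equal to `config_ciphername` or listed in `options->ncp_ciphers`, a client that had earlier accepted an NCP cipher and then receives a disallowed one on reconnect ends up with `config_ciphername` rather than the previously accepted value; if the configured cipher is the intended baseline after a rejected push, say so in the comment, otherwise save the prior pointer before the push is applied and restore that instead. The comment `/* undo cipher push, abort connection setup */` also claims more than the hunk does: the function only returns false and leaves the abort to the caller.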
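Review bot: the ssl.h hunk drops the `const` from `struct options *options` but leaves the doc comment directly above, ending in `@return true if updating succeeded, false otherwise.`, unchanged. Now that the function writes to `options->ciphername` on the failure path, the comment should state that a false return also reverts the pushed cipher to the configured one, so callers know the options state is modified as a side effect rather than treated as read-only.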