From: Arne Schwabe Date: Sun, 30 Aug 2020 13:14:40 +0000 (+0200) Subject: Fix client NCP OCC fallback when server and client cipher are identical X-Git-Tag: v2.6_beta1~713 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6ffe64e34004967a96514cc55abb22215fbe5640;p=thirdparty%2Fopenvpn.git Fix client NCP OCC fallback when server and client cipher are identical If we do not get a cipher pushed we call tls_poor_mans_ncp to determine whether we can use the server's cipher. Inherited from OpenVPN 2.4's code we only did this check when the ciphers were different. Since OpenVPN 2.5 does not assume that our cipher we report in OCC (options->ciphername) is always a valid cipher we always need to perform this check. V2: Only call tls_item_in_cipher_list if remote_cipher is non-null to avoid calling strcmp with NULL. Reported-By: Rafael Gava Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20200830131440.10933-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20843.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index c9ab85ce2..55496395d 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -269,14 +269,11 @@ static bool tls_poor_mans_ncp(struct options *o, const char *remote_ciphername) { if (remote_ciphername - && 0 != strcmp(o->ciphername, remote_ciphername)) + && tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)) { - if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)) - { - o->ciphername = string_alloc(remote_ciphername, &o->gc); - msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername); - return true; - } + o->ciphername = string_alloc(remote_ciphername, &o->gc); + msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername); + return true; } return false; }
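Review bot: In tls_poor_mans_ncp(), the new condition guards remote_ciphername against NULL but passes o->ncp_ciphers to tls_item_in_cipher_list() unchecked; the hunk does not show whether that option can be unset on this path, so either add the same guard or a comment saying why it cannot be NULL here. With the strcmp() test removed, a peer cipher identical to o->ciphername that is in the list is now also copied with string_alloc() and logged as "Using peer cipher", and an identical cipher that is not in the list makes the function return false. The function's doc comment should say that the return value now means "remote cipher is allowed by ncp_ciphers" rather than "cipher was changed", and a unit test for the identical-cipher case named in the subject line would keep this from regressing.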