From: Gert Doering
Date: Sun, 18 Jun 2017 09:22:44 +0000 (+0200)
Subject: Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.
X-Git-Tag: v2.4.3~21
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e82f7005256f77a63a3191ab7fef67e0cf0a9d02;p=thirdparty%2Fopenvpn.git

Fix edge case with clients failing to set up cipher on empty PUSH_REPLY.

The NCP (data channel crypto negotiation) code on the client side waits for an incoming PUSH_REPLY before setting up the data channel crypto parameters, because the PUSH_REPLY could contain a "cipher xxx" setting.

In the particular case of an empty PUSH_REPLY message, the relevant code bits were not called because "we have not received any options, do not bother to look into it in more detail" - so, ciphers were not set up, resulting in an error message like this:

Key [AF_INET]... [0] not initialized (yet), dropping packet.

Remove that check, always init the crypto layer on PUSH_REPLY.

Trac: #903
Signed-off-by: Gert Doering
Acked-by: Steffan Karger
Message-Id: <20170618092244.8801-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14856.html
Signed-off-by: Gert Doering
(cherry picked from commit bd230079d98bfe6aec70b7aedefdffcdbd0e56da)
---
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 47f4debf9..6fd959288 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1925,7 +1925,7 @@ do_up(struct context *c, bool pulled_options, unsigned int option_types_found) { reset_coarse_timers(c); - if (pulled_options && option_types_found) + if (pulled_options) { if (!do_deferred_options(c, option_types_found)) {
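Review bot: The new `if (pulled_options)` test in do_up() has no comment explaining why `option_types_found` is deliberately left out of the condition, so a later cleanup could easily restore the old `pulled_options && option_types_found` form as an apparent optimization and bring back the uninitialized data channel keys on an empty PUSH_REPLY. A one-line comment above the condition, stating that the deferred option handling must run even when no option types were pushed because it also sets up the data channel crypto, would protect the fix. Since `do_deferred_options(c, option_types_found)` is now reached with `option_types_found == 0`, it is also worth confirming in review that every per-option branch inside that function is gated on its own flag and stays inactive for a zero mask, and adding a regression test for a client receiving an empty PUSH_REPLY.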