Undo cipher push in client options state if cipher is rejected

Because of the way we re-use the options parser for both config files and pushed options, we always update the local options state when we accept an option. This resulted in a pushed cipher being rejected the first time it was pushed, but being accepted the second time. This patch is a minimal way to resolve this issue in the master and release/2.4 branches. I'll send a more invasive patch for master, to reset the entire options state on reconnects, later. Trac: #906 Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20170627222029.26623-1-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14984.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2024-11-24 02:03:56 +08:00 · 2017-06-28 00:20:29 +02:00 · 2017-06-28 00:20:29 +02:00 · 3be9a1c1cd
commit 3be9a1c1cd
parent 7ee9a94fcb
2 changed files with 4 additions and 2 deletions
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@ -1960,7 +1960,7 @@ cleanup:

 bool
 tls_session_update_crypto_params(struct tls_session *session,
-                                 const struct options *options, struct frame *frame)
+                                 struct options *options, struct frame *frame)
 {
    if (!session->opt->server
        && 0 != strcmp(options->ciphername, session->opt->config_ciphername)
@ -1969,6 +1969,8 @@ tls_session_update_crypto_params(struct tls_session *session,
        msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s",
            options->ciphername, session->opt->config_ciphername,
            options->ncp_ciphers);
+        /* undo cipher push, abort connection setup */
+        options->ciphername = session->opt->config_ciphername;
        return false;
    }

--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@ -481,7 +481,7 @@ void tls_update_remote_addr(struct tls_multi *multi,
 * @return true if updating succeeded, false otherwise.
 */
 bool tls_session_update_crypto_params(struct tls_session *session,
-                                      const struct options *options, struct frame *frame);
+                                      struct options *options, struct frame *frame);

 /**
 * "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.