Hi, I totally want to have this, and overall the changes all make sense (so ACK for the refactoring part, needs a few windows held side by side in addition to tkdiff... :-) ), but something puzzles me...
On Tue, Nov 22, 2016 at 08:57:11PM +0100, Steffan Karger wrote:
[..]
> @@ -2320,6 +2318,26 @@ key_method_2_read (struct buffer *buf, struct context
> *c, struct tls_session *se
> /* Peer does not support NCP */
> session->opt->ncp_enabled = false;
> }
> +
> + /* "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.
> + * Allows non-NCP client to upgrade their cipher individually. */
> + char *remote_cipher = options_string_extract_option (options, "cipher",
> &gc);
> + if (c->options.ncp_enabled && !session->opt->ncp_enabled && remote_cipher
> &&
> + 0 != strcmp(c->options.ciphername, remote_cipher))
> + {
This looks totally logical and all, until I try to compile it - and
then the compiler ruins the day for me...
../../../openvpn/src/openvpn/ssl.c: In function 'key_method_2_read':
../../../openvpn/src/openvpn/ssl.c:2313:7: error: 'c' undeclared (first use in
this function)
if (c->options.ncp_enabled && !session->opt->ncp_enabled && remote_cipher &&
^
... and I can not seriously argue with it here... - there is no "c".
(David pointed out that *his* patch brings in the "c" here, but that one
didn't receive enough love yet, so is not in *my* tree...)
So - this needs to be sorted out.
There is another catch here - options_string_extract_option() is wrapped
in an #ifdef ENABLE_OCC, which is turned off if you configure --enable-small
(so linking breaks). That second catch can be easily fixed by wrapping
this whole code new code block in #ifdef ENABLE_OCC as well (if the data
is just not enable in this case) or by moving the "extract" function
after the corresponding #endif...
Finally, moving over tls_limit_reneg_bytes() broke the whitespace in
weird ways - it got mangled to
tls_limit_reneg_bytes (session->opt->key_type.cipher,
&session->opt->renegotiate_bytes);
while it was
tls_limit_reneg_bytes (session->opt->key_type.cipher,
&session->opt->renegotiate_bytes);
(I could fix that on the fly, and also the #ifdef ENABLE_OCC, but not
the "c" one)
"Can I have a v5, please...?"
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
signature.asc
Description: PGP signature
------------------------------------------------------------------------------
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
