On 15/12/16 19:52, Steffan Karger wrote:
> When the pulled options change, OpenVPN will attempt to reopen the tun
> device.  That might fail if the process has already dropped privileges,
> and is not needed unless the tun MTU is changed.  This patch therefore
> ignores the cipher value for the digest if a fixed tun-mtu is used.
> 
> Additionally, this patch changes the md_ctx_update() call to include the
> trailing zero byte of each option, to make sure that parsing "foo,bar"
> results in a different hash than "foobar".  (Sorry for not catching that
> during the review...)
> 
> Trac: #761
> 
> Signed-off-by: Steffan Karger <stef...@karger.me>
> ---
>  src/openvpn/push.c | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
> 
> diff --git a/src/openvpn/push.c b/src/openvpn/push.c
> index 34c65c4..674efeb 100644
> --- a/src/openvpn/push.c
> +++ b/src/openvpn/push.c
> @@ -677,17 +677,22 @@ process_incoming_push_request(struct context *c)
>  #endif /* if P2MP_SERVER */
>  
>  static void
> -push_update_digest(md_ctx_t *ctx, struct buffer *buf)
> +push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options 
> *opt)
>  {
>      char line[OPTION_PARM_SIZE];
>      while (buf_parse(buf, ',', line, sizeof(line)))
>      {
>          /* peer-id might change on restart and this should not trigger 
> reopening tun */
> -        if (strstr(line, "peer-id ") != line)
> +        if (strcmp(line, "peer-id ") == 0)

Are you sure about this strcmp()?  I'd expect line to contain
"peer-id 1" or something like that ... so the result would be 49 (or
anything not 0) .... strncmp(line, "peer-id ", 8) would provide a match
though.

>          {
> -            md_ctx_update(ctx, (const uint8_t *) line, strlen(line));
> +            continue;
>          }
> -    }
> +        if (strcmp(line, "cipher ") == 0 && !opt->ce.tun_mtu_defined)
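
Review bot: The `!opt->ce.tun_mtu_defined` test on the added `cipher ` line reads as the reverse of the commit message, which says the cipher value is ignored for the digest "if a fixed tun-mtu is used"; as written, the line is skipped when tun-mtu is not defined. Please confirm which of the two is intended and add a comment above this `if` stating the reason, as the peer-id check already has.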

Same as above.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
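
The two string-handling points in this thread (matching `peer-id ` as a prefix, and hashing each option's terminating NUL so that option boundaries count), as an added stand-alone C example that is not OpenVPN code. `options_digest()` and its two flags are hypothetical, FNV-1a stands in for the real message digest, and the option strings are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FNV_INIT 0xcbf29ce484222325ULL

/* FNV-1a: a non-cryptographic stand-in for the digest (assumption, see lead-in). */
static uint64_t fnv1a(uint64_t h, const char *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        h ^= (unsigned char) data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Digest a comma-separated option string (hypothetical helper).
 * with_nul:     also hash each option's terminating NUL, so boundaries count.
 * prefix_match: skip "peer-id <n>" by prefix; otherwise use the exact
 *               strcmp() form, which never matches a line carrying a value. */
static uint64_t options_digest(const char *opts, int with_nul, int prefix_match)
{
    char buf[256];
    uint64_t h = FNV_INIT;

    snprintf(buf, sizeof(buf), "%s", opts);
    for (char *line = buf; line != NULL; ) {
        char *comma = strchr(line, ',');
        if (comma)
            *comma = '\0';
        int skip = prefix_match ? strncmp(line, "peer-id ", 8) == 0
                                : strcmp(line, "peer-id ") == 0;
        if (!skip)
            h = fnv1a(h, line, strlen(line) + (with_nul ? 1 : 0));
        line = comma ? comma + 1 : NULL;
    }
    return h;
}

int main(void)
{
    /* Constructed sample option strings. */
    const char *a = "route 10.8.0.0,peer-id 1", *b = "route 10.8.0.0,peer-id 2";
    printf("no NUL, foo,bar == foobar: %d\n",
           options_digest("foo,bar", 0, 1) == options_digest("foobar", 0, 1));
    printf("strcmp, peer-id ignored:   %d\n",
           options_digest(a, 1, 0) == options_digest(b, 1, 0));
    return 0;
}
```

With the exact `strcmp()` form the peer-id value still feeds the digest, so a changed peer-id alters the hash; with the prefix form it does not.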

