Hi, On 17-02-17 16:20, Steffan Karger wrote: > As described in msg <374a7eb7-f539-5231-623b-41f208ed8...@belkam.com> on > openvpn-devel@lists.sourceforge.net, clients that are compiled with > --disable-occ (included in --enable-small) won't send an options string. > Without the options string, the 2.4 server doesn't know which cipher to > use for poor man's NCP. > > This patch allows working around that issue by allowing the 'cipher' > directive to be used in --client-config-dir files. That way, a server > admin can add ccd files to specify per-client which cipher to use. > > Because the ccd files are read after where we would normally generate keys, > this patch delays key generation for non-NCP p2mp servers until after > reading the ccd file. > > Trac: #845 > > Signed-off-by: Steffan Karger <stef...@karger.me> > --- > v2: postpone p2mp non-NCP key generation, such that setting cipher in > a ccd file for a non-NCP client actually works. > > src/openvpn/multi.c | 14 ++++++++++++++ > src/openvpn/options.c | 2 +- > src/openvpn/options.h | 2 +- > src/openvpn/ssl.c | 9 ++++----- > 4 files changed, 20 insertions(+), 7 deletions(-) > > diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c > index 56009b7..4c81e9a 100644 > --- a/src/openvpn/multi.c > +++ b/src/openvpn/multi.c > @@ -2086,6 +2086,20 @@ script_failed: > mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : > CAS_FAILED; > } > > + /* Generate tunnel keys, unless IV_NCP >= 2 is negotiated. The first > key > + * generation is then postponed until after the pull/push, so we can > + * process pushed cipher directives. > + */ > + struct tls_session *session = > &mi->context.c2.tls_multi->session[TM_ACTIVE]; > + struct key_state *ks = &session->key[KS_PRIMARY]; > + if (!session->opt->ncp_enabled && ks->authenticated > + && !tls_session_update_crypto_params(session, > &mi->context.options, > + &mi->context.c2.frame)) > + { > + msg(D_TLS_ERRORS, "TLS Error: server generate_key_expansion > failed"); > + cc_succeeded = false; > + } > + > /* set flag so we don't get called again */ > mi->connection_established_flag = true; > > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index dde1f48..0e6b393 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -7536,7 +7536,7 @@ add_option(struct options *options, > } > else if (streq(p[0], "cipher") && p[1] && !p[2]) > { > - VERIFY_PERMISSION(OPT_P_NCP); > + VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE); > options->ciphername = p[1]; > } > else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2]) > diff --git a/src/openvpn/options.h b/src/openvpn/options.h > index a14f2ab..f4f0226 100644 > --- a/src/openvpn/options.h > +++ b/src/openvpn/options.h > @@ -628,7 +628,7 @@ struct options > #define OPT_P_MTU (1<<14) /* TODO */ > #define OPT_P_NICE (1<<15) > #define OPT_P_PUSH (1<<16) > -#define OPT_P_INSTANCE (1<<17) > +#define OPT_P_INSTANCE (1<<17) /**< Allow usage in ccd file */ > #define OPT_P_CONFIG (1<<18) > #define OPT_P_EXPLICIT_NOTIFY (1<<19) > #define OPT_P_ECHO (1<<20) > diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c > index 8c724cb..1479c77 100644 > --- a/src/openvpn/ssl.c > +++ b/src/openvpn/ssl.c > @@ -2401,12 +2401,11 @@ key_method_2_write(struct buffer *buf, struct > tls_session *session) > } > > /* Generate tunnel keys if we're a TLS server. > - * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key > - * generation is postponed until after the pull/push, so we can process > pushed > - * cipher directives. > + * If we're a p2mp server, the first key generation is postponed so we > can > + * switch cipher during the connection setup phase. > */ > - if (session->opt->server && !(session->opt->ncp_enabled > - && session->opt->mode == MODE_SERVER && > ks->key_id <= 0)) > + if (session->opt->server > + && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0)) > { > if (ks->authenticated) > { >
This patch seems to work for the reporter from #845: https://community.openvpn.net/openvpn/ticket/845#comment:5 -Steffan (Yes, this is a shameless bump to trick people into reviewing this patch ;-) ) ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel