This allow the code later to check if the cipher is okay to use and update it for the calculation for the max MTU size.
Signed-off-by: Arne Schwabe <[email protected]> Patch v2: Name function check_session_cipher to better reflect its function --- src/openvpn/ssl.c | 11 +---------- src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++ src/openvpn/ssl_ncp.h | 8 ++++++++ 3 files changed, 31 insertions(+), 10 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 24d7f3f48..ee248b472 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session, struct frame *frame_fragment, struct link_socket_info *lsi) { - - bool cipher_allowed_as_fallback = options->enable_ncp_fallback - && streq(options->ciphername, session->opt->config_ciphername); - - if (!session->opt->server && !cipher_allowed_as_fallback - && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + if (!check_session_cipher(session, options)) { - msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", - options->ciphername, options->ncp_ciphers); - /* undo cipher push, abort connection setup */ - options->ciphername = session->opt->config_ciphername; return false; } diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 564942503..a58ced537 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session) gc_free(&gc); } + + +bool +check_session_cipher(struct tls_session *session, struct options *options) +{ + bool cipher_allowed_as_fallback = options->enable_ncp_fallback + && streq(options->ciphername, session->opt->config_ciphername); + + if (!session->opt->server && !cipher_allowed_as_fallback + && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + { + msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", + options->ciphername, options->ncp_ciphers); + /* undo cipher push, abort connection setup */ + options->ciphername = session->opt->config_ciphername; + return false; + } + else + { + return true; + } +} diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h index 853017f5f..97c043029 100644 --- a/src/openvpn/ssl_ncp.h +++ b/src/openvpn/ssl_ncp.h @@ -148,4 +148,12 @@ const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc); + +/** + * Checks if the cipher is allowed, otherwise returns false and reset the + * cipher to the config cipher. + */ +bool +check_session_cipher(struct tls_session *session, struct options *options); + #endif /* ifndef OPENVPN_SSL_NCP_H */ -- 2.32.1 (Apple Git-133) _______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
