As reported by debbie10t on the openvpn-devel list (Message-ID:
<326b8ff7-39a6-1974-c0b0-82fd2abdc...@gmail.com>), an NCP client will
attempt to reconnect with the previously pushed cipher, instead of the
cipher from the config file, after a sigusr1 restart.  This can be a
problem when the server is reconfigured (as debbie10t explained), or when
roaming to a differently-configured server.  Fix this by restoring the
cipher options from the config file after a sigusr1 restart.

This makes the cipher options behaviour different from other pushable
options, because those are also cached until a sighup restart.  We might
want to change this behaviour in general, but for now let's just fix the
issue at hand.

v2: also cache and restore keysize, as that parameter is relevant too.

Signed-off-by: Steffan Karger <stef...@karger.me>
---
 src/openvpn/init.c    | 6 ++++++
 src/openvpn/openvpn.h | 1 +
 2 files changed, 7 insertions(+)

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 4d106c7..876141f 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2277,6 +2277,7 @@ do_init_crypto_tls_c1 (struct context *c)
 
       c->c1.ciphername = options->ciphername;
       c->c1.authname = options->authname;
+      c->c1.keysize = options->keysize;
 
 #if 0 /* was: #if ENABLE_INLINE_FILES --  Note that enabling this code will 
break restarts */
       if (options->priv_key_file_inline)
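Review bot: the cached values here are the `options->ciphername` / `options->authname` pointers plus the new `keysize` int, and the restore in the "Re-using SSL/TLS context" branch later hands those pointers back to `c->options`. It is worth confirming in the commit message (or a comment next to `c->c1.keysize = options->keysize;`) that the config-file strings these pointers reference live in a gc arena that survives a SIGUSR1 restart, since an NCP push that replaces `c->options.ciphername` with a freshly allocated string would otherwise leave `c->c1.ciphername` as the only reference to the original, and a reviewer cannot verify the lifetime from this hunk alone.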
@@ -2289,6 +2290,11 @@ do_init_crypto_tls_c1 (struct context *c)
   else
     {
       msg (D_INIT_MEDIUM, "Re-using SSL/TLS context");
+
+      /* Restore pre-NCP cipher options */
+      c->options.ciphername = c->c1.ciphername;
+      c->options.authname = c->c1.authname;
+      c->options.keysize = c->c1.keysize;
     }
 }
 
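Review bot: the three restore assignments run silently on every context re-use, so an operator whose client negotiated a pushed cipher and then reconnected after SIGUSR1 sees no indication that the data-channel cipher reverted to the config-file value. Consider emitting a message at the same level as the adjacent `msg (D_INIT_MEDIUM, "Re-using SSL/TLS context");`, e.g. only when `c->options.ciphername` differs from `c->c1.ciphername` before the restore, so the cipher change is visible in the log; the commit message also notes this behaviour now differs from other pushable options, which would be useful to state in the `/* Restore pre-NCP cipher options */` comment.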
diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index 1a458f1..a39ff56 100644
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -213,6 +213,7 @@ struct context_1
 
   const char *ciphername;      /**< Data channel cipher from config file */
   const char *authname;                /**< Data channel auth from config file 
*/
+  int keysize;                 /**< Data channel keysize from config file */
 #endif
 };
 
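Review bot: the new `int keysize;` member sits inside the same conditional block as `ciphername` and `authname` (the `#endif` directly below it), so both init.c uses of `c->c1.keysize` must be compiled under the same guard; the init.c hunks do not show their enclosing `#if`, so please confirm a build with that option disabled still compiles. The Doxygen comment alignment also drifts from the two lines above (`/**< Data channel cipher from config file */` is aligned with spaces, while the `authname` comment wraps); aligning the three comments consistently would keep the struct tidy.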
-- 
2.7.4

