From: Lev Stipakov <l...@openvpn.net> NCP negotiation can alter options. On reconnect client sends possibly altered options while server expects original values. This leads to warnings in log and, if server uses --opt-verify, breaks reconnect.
Fix by decouple setting/unsetting NCP options from the state of TLS context. At startup (and once per sighup) we load original values to c->c1, which persists over sigusr1 (restart). When tearing tunnel down we restore (possibly altered) options back to original values. Trac: #1105 Signed-off-by: Lev Stipakov <l...@openvpn.net> --- v2: refined commit message src/openvpn/init.c | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f432106..9353527 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -612,6 +612,33 @@ uninit_proxy(struct context *c) uninit_proxy_dowork(c); } +/* + * Assign NCP-negotiable options to context->c1 + * from context->options (initially config values). + * They persist over sigusr1 restart. + */ +static void +do_set_ncp_options(struct context *c) +{ + c->c1.ciphername = c->options.ciphername; + c->c1.authname = c->options.authname; + c->c1.keysize = c->options.keysize; +} + +/* + * Restore NCP-negotiable options from c->c1 to + * c->options. The latter ones can be altered by + * pushed options and therefore need to be restored + * to original values on sigusr1 restart. + */ +static void +do_unset_ncp_options(struct context *c) +{ + c->options.ciphername = c->c1.ciphername; + c->options.authname = c->c1.authname; + c->options.keysize = c->c1.keysize; +} + void context_init_1(struct context *c) { @@ -621,6 +648,8 @@ context_init_1(struct context *c) init_connection_list(c); + do_set_ncp_options(c); + #if defined(ENABLE_PKCS11) if (c->first_time) { @@ -2593,10 +2622,6 @@ do_init_crypto_tls_c1(struct context *c) /* initialize tls-auth/crypt key */ do_init_tls_wrap_key(c); - c->c1.ciphername = options->ciphername; - c->c1.authname = options->authname; - c->c1.keysize = options->keysize; - #if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */ if (options->priv_key_file_inline) { @@ -2609,11 +2634,6 @@ do_init_crypto_tls_c1(struct context *c) { msg(D_INIT_MEDIUM, "Re-using SSL/TLS context"); - /* Restore pre-NCP cipher options */ - c->options.ciphername = c->c1.ciphername; - c->options.authname = c->c1.authname; - c->options.keysize = c->c1.keysize; - /* * tls-auth/crypt key can be configured per connection block, therefore * we must reload it as it may have changed @@ -4293,6 +4313,8 @@ close_instance(struct context *c) /* free key schedules */ do_close_free_key_schedule(c, (c->mode == CM_P2P || c->mode == CM_TOP)); + do_unset_ncp_options(c); + /* close TCP/UDP connection */ do_close_link_socket(c); -- 2.7.4 _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel