Re: [Openvpn-devel] [PATCH] Fix problems with NCP and --inetd.

2016-08-22 Thread Steffan Karger 
On 22 August 2016 at 21:22, Gert Doering  wrote:
> NCP only works with --pull or --mode server, leading to breakage
> in --inetd mode (because that has --tls-server, but not --mode server,
> but clients can still ask for PUSH_REQUEST).
>
> Fix by turning off o->ncp_enable unless (pull or mode server), and
> double-fix by logging an appropriate message and refusing to change
> ciphers if the server has already set up its keys.
>
> Trac #715
>
> Signed-off-by: Gert Doering 
> ---
>  src/openvpn/options.c |  8 
>  src/openvpn/push.c| 21 -
>  2 files changed, 24 insertions(+), 5 deletions(-)
>
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index c100d4c..a2b22f4 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -2614,6 +2614,14 @@ options_postprocess_mutate (struct options *o)
>if (streq (o->dh_file, "none"))
> o->dh_file = NULL;
>  }
> +
> +  /* cipher negotiation (NCP) currently assumes --pull or --mode server */
> +  if ( o->ncp_enabled &&
> +! (o->pull || o->mode == MODE_SERVER) )
> +{
> +  msg( M_WARN, "disabling NCP mode (--ncp-disable) because not in P2MP 
> client or server mode" );
> +  o->ncp_enabled = false;
> +}
>  #endif
>
>  #if ENABLE_MANAGEMENT
> diff --git a/src/openvpn/push.c b/src/openvpn/push.c
> index 000c82f..4bdede9 100644
> --- a/src/openvpn/push.c
> +++ b/src/openvpn/push.c
> @@ -321,11 +321,22 @@ prepare_push_reply (struct options *o, struct tls_multi 
> *tls_multi)
>/* Push cipher if client supports Negotiable Crypto Parameters */
>if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled)
>  {
> -  /* Push the first cipher from --ncp-ciphers to the client.
> -   * TODO: actual negotiation, instead of server dictatorship. */
> -  char *push_cipher = string_alloc(o->ncp_ciphers, >gc);
> -  o->ciphername = strtok (push_cipher, ":");
> -  push_option_fmt(o, M_USAGE, "cipher %s", o->ciphername);
> +  /* if we have already created our key, we cannot change our own
> +   * cipher, so disable NCP and warn = explain why
> +   */
> +  struct tls_session *session = _multi->session[TM_ACTIVE];
> +  if ( session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized )
> +   {
> +  msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but 
> server has already generated data channel keys, ignoring client request" );
> +   }
> +  else
> +   {
> + /* Push the first cipher from --ncp-ciphers to the client.
> +  * TODO: actual negotiation, instead of server dictatorship. */
> + char *push_cipher = string_alloc(o->ncp_ciphers, >gc);
> + o->ciphername = strtok (push_cipher, ":");
> + push_option_fmt(o, M_USAGE, "cipher %s", o->ciphername);
> +   }
>  }
>return true;
>  }
> --
> 2.7.3

I'd suggest to wrap the long lines, but otherwise this looks good.  So, ACK.

-Steffan

--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH] Fix problems with NCP and --inetd.

2016-08-22 Thread Steffan Karger 
On 22 August 2016 at 21:22, Gert Doering  wrote:
> NCP only works with --pull or --mode server, leading to breakage
> in --inetd mode (because that has --tls-server, but not --mode server,
> but clients can still ask for PUSH_REQUEST).
>
> Fix by turning off o->ncp_enable unless (pull or mode server), and
> double-fix by logging an appropriate message and refusing to change
> ciphers if the server has already set up its keys.
>
> Trac #715
>
> Signed-off-by: Gert Doering 
> ---
>  src/openvpn/options.c |  8 
>  src/openvpn/push.c| 21 -
>  2 files changed, 24 insertions(+), 5 deletions(-)
>
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index c100d4c..a2b22f4 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -2614,6 +2614,14 @@ options_postprocess_mutate (struct options *o)
>if (streq (o->dh_file, "none"))
> o->dh_file = NULL;
>  }
> +
> +  /* cipher negotiation (NCP) currently assumes --pull or --mode server */
> +  if ( o->ncp_enabled &&
> +! (o->pull || o->mode == MODE_SERVER) )
> +{
> +  msg( M_WARN, "disabling NCP mode (--ncp-disable) because not in P2MP 
> client or server mode" );
> +  o->ncp_enabled = false;
> +}
>  #endif
>
>  #if ENABLE_MANAGEMENT
> diff --git a/src/openvpn/push.c b/src/openvpn/push.c
> index 000c82f..4bdede9 100644
> --- a/src/openvpn/push.c
> +++ b/src/openvpn/push.c
> @@ -321,11 +321,22 @@ prepare_push_reply (struct options *o, struct tls_multi 
> *tls_multi)
>/* Push cipher if client supports Negotiable Crypto Parameters */
>if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled)
>  {
> -  /* Push the first cipher from --ncp-ciphers to the client.
> -   * TODO: actual negotiation, instead of server dictatorship. */
> -  char *push_cipher = string_alloc(o->ncp_ciphers, >gc);
> -  o->ciphername = strtok (push_cipher, ":");
> -  push_option_fmt(o, M_USAGE, "cipher %s", o->ciphername);
> +  /* if we have already created our key, we cannot change our own
> +   * cipher, so disable NCP and warn = explain why
> +   */
> +  struct tls_session *session = _multi->session[TM_ACTIVE];
> +  if ( session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized )
> +   {
> +  msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but 
> server has already generated data channel keys, ignoring client request" );
> +   }
> +  else
> +   {
> + /* Push the first cipher from --ncp-ciphers to the client.
> +  * TODO: actual negotiation, instead of server dictatorship. */
> + char *push_cipher = string_alloc(o->ncp_ciphers, >gc);
> + o->ciphername = strtok (push_cipher, ":");
> + push_option_fmt(o, M_USAGE, "cipher %s", o->ciphername);
> +   }
>  }
>return true;
>  }
> --
> 2.7.3

I'd suggest to wrap the long lines, but otherwise this looks good.  So, ACK.

-Steffan

--
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel