@@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session,
struct frame *frame_fragment,
struct link_socket_info *lsi)
{
-
- bool cipher_allowed_as_fallback = options->enable_ncp_fallback
- && streq(options->ciphername, session->opt->config_ciphername);
-
- if (!session->opt->server && !cipher_allowed_as_fallback
- && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
+ if (!check_session_cipher(session, options))
{
- msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
- options->ciphername, options->ncp_ciphers);
- /* undo cipher push, abort connection setup */
- options->ciphername = session->opt->config_ciphername;
return false;
}
@@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
gc_free(&gc);
}
+
+
+bool
+check_session_cipher(struct tls_session *session, struct options *options)
+{
+ bool cipher_allowed_as_fallback = options->enable_ncp_fallback
+ && streq(options->ciphername, session->opt->config_ciphername);
+
+ if (!session->opt->server && !cipher_allowed_as_fallback
+ && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
+ {
+ msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
+ options->ciphername, options->ncp_ciphers);
+ /* undo cipher push, abort connection setup */
+ options->ciphername = session->opt->config_ciphername;
+ return false;
+ }
+ else
+ {
+ return true;
+ }
+}
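Review bot: The trailing `else { return true; }` in check_session_cipher is redundant once the `if` body ends in `return false;`; the function can simply fall through to `return true;`, which also removes one level of braces. The `session` parameter is only read (`session->opt->server` and `session->opt->config_ciphername`), so it could be declared `const struct tls_session *session`, making explicit that `options` is the only argument this function writes to. That write — `options->ciphername = session->opt->config_ciphername;` on failure — is the same assignment the removed ssl.c code performed, so the string's ownership is presumably unchanged, but since the check is now a public helper callable from other sites it would be worth confirming that every caller expects `options->ciphername` to be replaced on a false return.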
@@ -148,4 +148,12 @@ const char *
get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info,
struct gc_arena *gc);
+
+/**
+ * Checks if the cipher is allowed, otherwise returns false and reset the
+ * cipher to the config cipher.
+ */
+bool
+check_session_cipher(struct tls_session *session, struct options *options);
+
#endif /* ifndef OPENVPN_SSL_NCP_H */
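Review bot: The Doxygen comment added for check_session_cipher leaves out the conditions a caller needs: from the implementation in ssl_ncp.c the check is skipped entirely when `session->opt->server` is set, passes on the client when the cipher is the NCP fallback or appears in `options->ncp_ciphers`, and on failure logs at D_TLS_ERRORS and overwrites `options->ciphername` with `session->opt->config_ciphername` before returning false. Suggest rewording the comment to state the client-only scope, the two accepted cases, the log message and the exact field that is reset, and fix the grammar (`otherwise returns false and resets`). A `@param`/`@return` block in the style of the surrounding header would make the side effect on `options` visible at the declaration.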
This allows the code later to check whether the cipher is okay to use and to update it for the maximum MTU size calculation. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Patch v2: Name function check_session_cipher to better reflect its function --- src/openvpn/ssl.c | 11 +---------- src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++ src/openvpn/ssl_ncp.h | 8 ++++++++ 3 files changed, 31 insertions(+), 10 deletions(-)