From patchwork Sun Jul 12 23:32:52 2020
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Cc: Gert Doering
Date: Mon, 13 Jul 2020 11:32:52 +0200
Message-Id: <20200713093252.30916-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.26.2
Subject: [Openvpn-devel] [PATCH v2] Handle connecting clients without NCP or OCC without crashing.

ssl_ncp.c:ncp_get_best_cipher() would crash if a client connects without NCP (or with an NCP cipher list that does not contain the first NCP cipher in the server list) due to a NULL pointer strcmp(). Work around / fix by just assigning an empty string to remote_cipher here ("not NULL but will never match either").

Add new warning message in multi.c for the "we do not know what the client can do" case (no NCP and non-helpful OCC), rewrapped the existing message to keep line length limit.

Signed-off-by: Gert Doering
Acked-By: Arne Schwabe
---
 src/openvpn/multi.c   | 17 +++++++++++++----
 src/openvpn/ssl_ncp.c |  6 ++++++
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index a2af071a..c2ffcb9d 100644 --- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c @@ -1833,10 +1833,19 @@ multi_client_set_protocol_options(struct context *c) { struct gc_arena gc = gc_new(); const char *peer_ciphers = tls_peer_ncp_list(peer_info, &gc); - msg(M_INFO, "PUSH: No common cipher between server and client." - "Expect this connection not to work. " - "Server ncp-ciphers: '%s', client supported ciphers '%s'", - o->ncp_ciphers, peer_ciphers); + if (strlen(peer_ciphers) > 0) + { + msg(M_INFO, "PUSH: No common cipher between server and " + "client. Expect this connection not to work. Server " + "ncp-ciphers: '%s', client supported ciphers '%s'", + o->ncp_ciphers, peer_ciphers); + } + else + { + msg(M_INFO, "No NCP data received from peer, falling back " + "to --cipher '%s'. Peer reports in OCC --cipher '%s'", + o->ciphername, np(tls_multi->remote_ciphername)); + } gc_free(&gc); } } diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index ea1dc960..fe7f5855 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -225,6 +225,12 @@ ncp_get_best_cipher(const char *server_list, const char *server_cipher, const char *peer_ncp_list = tls_peer_ncp_list(peer_info, &gc_tmp); + /* non-NCP client without OCC? "assume nothing" */ + if (remote_cipher == NULL ) + { + remote_cipher = ""; + } + char *tmp_ciphers = string_alloc(server_list, &gc_tmp); const char *token = strsep(&tmp_ciphers, ":");
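Review bot: in the multi.c hunk the new else branch logs at M_INFO, although the commit message calls it a warning; the situation it reports (no NCP data from the peer, server falling back to --cipher with only the peer's OCC value as a hint) is exactly the one an operator needs to see in default logs, so M_WARN would fit better than reusing the level of the "No common cipher" message. The wording "falling back to --cipher '%s'" also reads as if the fallback will work, but this branch replaces a message that used to say "Expect this connection not to work"; stating that the connection only succeeds if the peer's OCC cipher equals o->ciphername, and that np() prints "[NULL]" when the peer sent no OCC at all, would make the log line actionable.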
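Review bot: in the ssl_ncp.c hunk, `if (remote_cipher == NULL )` has a stray space before the closing parenthesis; please make it `if (remote_cipher == NULL)` to match the surrounding code. Since ncp_get_best_cipher() now deliberately accepts a NULL remote_cipher (the case that used to crash in strcmp()), the function's header comment should state that remote_cipher may be NULL when the peer sent no OCC and that it is then treated as matching no server cipher; the inline "assume nothing" comment explains the intent but not the contract for callers, and the empty-string trick only works because no cipher name in server_list is ever the empty string.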