From patchwork Sun Aug 30 03:03:35 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1404
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 30 Aug 2020 15:03:35 +0200
Message-Id: <20200830130335.9425-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH] Fix client NCP OCC fallback when server and client cipher are identical

If we do not get a cipher pushed, we call tls_poor_mans_ncp to determine if we can use the cipher that the server uses. Left over from OpenVPN 2.4's code, we only did this check when the ciphers were different. Since OpenVPN 2.5 does not assume that the cipher we report in OCC (options->ciphername) is always a valid cipher, we always need to do the check.

Reported-By: Rafael Gava
Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl_ncp.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index c9ab85ce..d82419fb 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -268,15 +268,11 @@ ncp_get_best_cipher(const char *server_list, const char *peer_info, static bool tls_poor_mans_ncp(struct options *o, const char *remote_ciphername) { - if (remote_ciphername - && 0 != strcmp(o->ciphername, remote_ciphername)) + if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)) { - if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)) - { - o->ciphername = string_alloc(remote_ciphername, &o->gc); - msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername); - return true; - } + o->ciphername = string_alloc(remote_ciphername, &o->gc); + msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername); + return true; } return false; }
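Review bot: the removed condition was also the NULL guard for `remote_ciphername`, so `tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers)` is now reached when the peer sent no cipher in its OCC string; unless tls_item_in_cipher_list is known to tolerate a NULL first argument (not visible in this hunk), keep the guard as `if (remote_ciphername && tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))`. A minor follow-on: when o->ciphername already equals remote_ciphername the function now string_alloc's a fresh copy into o->gc on every call, which is harmless but could be short-circuited. The function's comment block should also state that the list check is now unconditional, since that is the behavioural change the commit message describes.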