Message ID | 20220621161649.2872985-3-arne@rfc2549.org |
---|---|
State | Superseded |
Headers | show |
Series | [Openvpn-devel,1/6] Remove leftover frame_set_mtu_dynamic definitions in mtu.h | expand |
Acked-By: Frank Lichtenheld <frank@lichtenheld.com> Trivial code move. On Tue, Jun 21, 2022 at 06:16:46PM +0200, Arne Schwabe wrote: > This allow the code later to check if the cipher is okay to use and > update it for the calculation for the max MTU size. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> > --- > src/openvpn/ssl.c | 11 +---------- > src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++ > src/openvpn/ssl_ncp.h | 8 ++++++++ > 3 files changed, 31 insertions(+), 10 deletions(-) > > diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c > index 61dea996d..ddd90080b 100644 > --- a/src/openvpn/ssl.c > +++ b/src/openvpn/ssl.c > @@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session, > struct frame *frame_fragment, > struct link_socket_info *lsi) > { > - > - bool cipher_allowed_as_fallback = options->enable_ncp_fallback > - && streq(options->ciphername, session->opt->config_ciphername); > - > - if (!session->opt->server && !cipher_allowed_as_fallback > - && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) > + if (!update_session_cipher(session, options)) > { > - msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", > - options->ciphername, options->ncp_ciphers); > - /* undo cipher push, abort connection setup */ > - options->ciphername = session->opt->config_ciphername; > return false; > } > > diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c > index 564942503..c800f718f 100644 > --- a/src/openvpn/ssl_ncp.c > +++ b/src/openvpn/ssl_ncp.c > @@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session) > > gc_free(&gc); > } > + > + > +bool > +update_session_cipher(struct tls_session *session, struct options *options) > +{ > + bool cipher_allowed_as_fallback = options->enable_ncp_fallback > + && streq(options->ciphername, session->opt->config_ciphername); > + > + if (!session->opt->server && !cipher_allowed_as_fallback > + && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) > + { > + msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", > + options->ciphername, options->ncp_ciphers); > + /* undo cipher push, abort connection setup */ > + options->ciphername = session->opt->config_ciphername; > + return false; > + } > + else > + { > + return true; > + } > +} > diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h > index 853017f5f..5ba2f7ae7 100644 > --- a/src/openvpn/ssl_ncp.h > +++ b/src/openvpn/ssl_ncp.h > @@ -148,4 +148,12 @@ const char * > get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, > struct gc_arena *gc); > > + > +/** > + * Checks if the cipher is allowed and updates the TLS session cipher with it, > + * otherwise returns false > + */ > +bool > +update_session_cipher(struct tls_session *session, struct options *options); > + > #endif /* ifndef OPENVPN_SSL_NCP_H */ > -- > 2.32.1 (Apple Git-133) > > > > _______________________________________________ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 61dea996d..ddd90080b 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1678,17 +1678,8 @@ tls_session_update_crypto_params(struct tls_session *session, struct frame *frame_fragment, struct link_socket_info *lsi) { - - bool cipher_allowed_as_fallback = options->enable_ncp_fallback - && streq(options->ciphername, session->opt->config_ciphername); - - if (!session->opt->server && !cipher_allowed_as_fallback - && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + if (!update_session_cipher(session, options)) { - msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", - options->ciphername, options->ncp_ciphers); - /* undo cipher push, abort connection setup */ - options->ciphername = session->opt->config_ciphername; return false; } diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 564942503..c800f718f 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -490,3 +490,25 @@ p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session) gc_free(&gc); } + + +bool +update_session_cipher(struct tls_session *session, struct options *options) +{ + bool cipher_allowed_as_fallback = options->enable_ncp_fallback + && streq(options->ciphername, session->opt->config_ciphername); + + if (!session->opt->server && !cipher_allowed_as_fallback + && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers)) + { + msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s", + options->ciphername, options->ncp_ciphers); + /* undo cipher push, abort connection setup */ + options->ciphername = session->opt->config_ciphername; + return false; + } + else + { + return true; + } +} diff --git a/src/openvpn/ssl_ncp.h b/src/openvpn/ssl_ncp.h index 853017f5f..5ba2f7ae7 100644 --- a/src/openvpn/ssl_ncp.h +++ b/src/openvpn/ssl_ncp.h @@ -148,4 +148,12 @@ const char * get_p2p_ncp_cipher(struct tls_session *session, const char *peer_info, struct gc_arena *gc); + +/** + * Checks if the cipher is allowed and updates the TLS session cipher with it, + * otherwise returns false + */ +bool +update_session_cipher(struct tls_session *session, struct options *options); + #endif /* ifndef OPENVPN_SSL_NCP_H */
This allow the code later to check if the cipher is okay to use and update it for the calculation for the max MTU size. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/ssl.c | 11 +---------- src/openvpn/ssl_ncp.c | 22 ++++++++++++++++++++++ src/openvpn/ssl_ncp.h | 8 ++++++++ 3 files changed, 31 insertions(+), 10 deletions(-)