From patchwork Tue Jan 24 09:38:24 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 91
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Cc: openvpn-users@lists.sourceforge.net, Steffan Karger
Subject: [PATCH] Allow changing cipher from a ccd file
Date: Tue, 24 Jan 2017 21:38:24 +0100
Message-Id: <1485290304-12292-1-git-send-email-steffan@karger.me>
In-Reply-To: <20170124125537.GR940@greenie.muc.de>
References: <20170124125537.GR940@greenie.muc.de>

As described in msg <374a7eb7-f539-5231-623b-41f208ed856e@belkam.com> on openvpn-devel@lists.sourceforge.net, clients that are compiled with --disable-occ (included in --enable-small) won't send an options string. Without the options string, the 2.4 server doesn't know which cipher to use for poor man's NCP.

This patch allows working around that issue by allowing the 'cipher' directive to be used in --client-config-dir files. That way, a server admin can add ccd files to specify per-client which cipher to use.

Signed-off-by: Steffan Karger
--- src/openvpn/options.c | 2 +- src/openvpn/options.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 4b6d720..6f89616 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -7536,7 +7536,7 @@ add_option(struct options *options, } else if (streq(p[0], "cipher") && p[1] && !p[2]) { - VERIFY_PERMISSION(OPT_P_NCP); + VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE); options->ciphername = p[1]; } else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2]) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index a14f2ab..f4f0226 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -628,7 +628,7 @@ struct options #define OPT_P_MTU (1<<14) /* TODO */ #define OPT_P_NICE (1<<15) #define OPT_P_PUSH (1<<16) -#define OPT_P_INSTANCE (1<<17) +#define OPT_P_INSTANCE (1<<17) /**< Allow usage in ccd file */ #define OPT_P_CONFIG (1<<18) #define OPT_P_EXPLICIT_NOTIFY (1<<19) #define OPT_P_ECHO (1<<20)
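Review bot: In the options.c hunk, the "cipher" branch of add_option() now accepts OPT_P_INSTANCE, but p[1] is still assigned straight to options->ciphername, and nothing visible here checks that a name coming from a ccd file is a cipher the build supports or one the admin has listed in ncp-ciphers. A typo or a weak cipher in a single ccd file would then silently decide that client's data channel cipher. Please confirm where the per-instance value is validated, and consider rejecting or at least logging a ccd cipher that is not in the ncp-ciphers list. The diffstat also touches only options.c and options.h, so the manual entries for --cipher and --client-config-dir still need a line saying that cipher is now permitted in ccd files and that it is intended for clients built with --disable-occ.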
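Review bot: In the options.h hunk, the new comment on OPT_P_INSTANCE is the only Doxygen-style /**< comment among the visible OPT_P_* defines (OPT_P_MTU carries a plain /* TODO */, the others have none), and it says "ccd file" where the commit message names the option as --client-config-dir. Suggest wording it with the option name so the flag can be found by searching for it, and either documenting the neighbouring flags in the same style or moving this comment-only change into its own commit so the functional change stays a one-line diff.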