upstream/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2026-05-28 04:03:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Restore pre-NCP cipher options on SIGUSR1

Browse source 
As reported by debbie10t on the openvpn-devel list (Message-ID:
<326b8ff7-39a6-1974-c0b0-82fd2abdc7b7@gmail.com>), an NCP client will
attempt to reconnect with the previously pushed cipher, instead of the
cipher from the config file, after a sigusr1 restart.  This can be a
problem when the server is reconfigured (as debbie10t explainted), or when
roaming to a differently-configured server.  Fix this by restoring the
cipher options from the config file after a sigusr1 restart.

This makes the cipher options behaviour different from other pushable
options, because those are also cached until a sighup restart.  We might
want to change this behaviour in general, but for now let's just fix the
issue at hand.

v2: also cache and restore keysize, as that parameter is relevant too.
v3: inherit cached cipher options from parent context.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1478027207-28651-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12869.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
This commit is contained in:
Steffan Karger 2016-11-01 20:06:47 +01:00 committed by David Sommerseth
parent b59fc7f421
commit 129d2924bb
2 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/openvpn/init.c
View file

@ -2242,6 +2242,7 @@ do_init_crypto_tls_c1 (struct context *c)
c->c1.ciphername = options->ciphername;
c->c1.authname = options->authname;
c->c1.keysize = options->keysize;
#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
if (options->priv_key_file_inline)
@ -2254,6 +2255,11 @@ do_init_crypto_tls_c1 (struct context *c)
else
{
msg (D_INIT_MEDIUM, "Re-using SSL/TLS context");
/* Restore pre-NCP cipher options */
c->options.ciphername = c->c1.ciphername;
c->options.authname = c->c1.authname;
c->options.keysize = c->c1.keysize;
}
}
@ -3791,6 +3797,10 @@ inherit_context_child (struct context *dest,
dest->c1.ks.ssl_ctx = src->c1.ks.ssl_ctx;
dest->c1.ks.tls_auth_key = src->c1.ks.tls_auth_key;
dest->c1.ks.tls_auth_key_type = src->c1.ks.tls_auth_key_type;
/* inherit pre-NCP ciphers */
dest->c1.ciphername = src->c1.ciphername;
dest->c1.authname = src->c1.authname;
dest->c1.keysize = src->c1.keysize;
#endif
/* options */

1
src/openvpn/openvpn.h
View file

@ -213,6 +213,7 @@ struct context_1
const char *ciphername; /**< Data channel cipher from config file */
const char *authname; /**< Data channel auth from config file */
int keysize; /**< Data channel keysize from config file */
#endif
};