From e130610fde9752a6e92c19b969b6016d3530ae12 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Wed, 27 Jul 2016 20:59:25 +0200
Subject: [PATCH] Only support server-side NCP for --server configs
Right now, when a --tls-server (not --server), receives a PUSH_REQUEST with
IV_NCP=2, it will try to push a cipher. The initialization code however
doesn't know whether the client will send a PUSH_REQUEST, so we can't
decide on whether to postpone the data channel crypto initialization. To
avoid this, just disable server side NCP support if we're not a --server
(which is how it was meant to be).
Users who are building their own --tls-server without --server can still
add a 'push "cipher funky-crypt"' to their config if they really want to
push a cipher to their (single) client.
Signed-off-by: Steffan Karger <steffan@karger.me>
---
src/openvpn/push.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 000c82f..f9c462a 100644
a
|
b
|
prepare_push_reply (struct options *o, struct tls_multi *tls_multi) |
319 | 319 | } |
320 | 320 | |
321 | 321 | /* Push cipher if client supports Negotiable Crypto Parameters */ |
322 | | if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled) |
| 322 | if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled && |
| 323 | o->mode == MODE_SERVER) |
323 | 324 | { |
324 | 325 | /* Push the first cipher from --ncp-ciphers to the client. |
325 | 326 | * TODO: actual negotiation, instead of server dictatorship. */ |
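Review bot: the comment above the condition, "Push cipher if client supports Negotiable Crypto Parameters", no longer describes the full condition now that `o->mode == MODE_SERVER` is part of it; update it to say that NCP is only pushed in --server (MODE_SERVER) mode, and consider adding a debug-level log line in the else path so that an operator running a plain --tls-server config can see why no cipher was pushed to a client that announced IV_NCP=2, rather than having to infer it from a cipher mismatch later.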