Ticket #715: 0001-Only-support-server-side-NCP-for-server-configs.patch

File 0001-Only-support-server-side-NCP-for-server-configs.patch, 1.5 KB (added by Steffan Karger, 6 years ago)
  • src/openvpn/push.c

    From e130610fde9752a6e92c19b969b6016d3530ae12 Mon Sep 17 00:00:00 2001
    From: Steffan Karger <steffan@karger.me>
    Date: Wed, 27 Jul 2016 20:59:25 +0200
    Subject: [PATCH] Only support server-side NCP for --server configs
    
    Right now, when a --tls-server (not --server), receives a PUSH_REQUEST with
    IV_NCP=2, it will try to push a cipher.  The initialization code however
    doesn't know whether the client will send a PUSH_REQUEST, so we can't
    decide on whether to postpone the data channel crypto initialization.  To
    avoid this, just disable server side NCP support if we're not a --server
    (which is how it was meant to be).
    
    Users who are building their own --tls-server without --server can still
    add a 'push "cipher funky-crypt"' to their config if they really want to
    push a cipher to their (single) client.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    ---
     src/openvpn/push.c | 3 ++-
     1 file changed, 2 insertions(+), 1 deletion(-)
    
    diff --git a/src/openvpn/push.c b/src/openvpn/push.c
    index 000c82f..f9c462a 100644
    a b prepare_push_reply (struct options *o, struct tls_multi *tls_multi) 
    319319    }
    320320
    321321  /* Push cipher if client supports Negotiable Crypto Parameters */
    322   if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled)
     322  if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled &&
     323      o->mode == MODE_SERVER)
    323324    {
    324325      /* Push the first cipher from --ncp-ciphers to the client.
    325326       * TODO: actual negotiation, instead of server dictatorship. */
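Review bot: the new `o->mode == MODE_SERVER` condition silently turns `ncp_enabled` into a no-op for `--tls-server` setups that lack `--server`, but the diffstat shows only `src/openvpn/push.c` changed, so nothing tells those users why no cipher is pushed. Suggest updating the comment on the line above the condition, e.g. `/* Push cipher if we are a --server and the client supports NCP */`, and documenting in the `--ncp-ciphers`/`--ncp-disable` man page text that server-side NCP applies only to `--server` configurations, with the `push "cipher ..."` workaround from the commit message mentioned there so the behaviour change is discoverable outside the commit log.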