Ticket #715: push-no-ncp-for-you.txt

File push-no-ncp-for-you.txt, 1.1 KB (added by Gert Döring, 6 years ago)

no soup for you, we have already eaten

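diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 000c82f..4bdede9 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -321,12 +321,23 @@ prepare_push_reply (struct options *o, struct tls_multi *tls_multi)
   /* Push cipher if client supports Negotiable Crypto Parameters */
   if (tls_peer_info_ncp_ver (peer_info) >= 2 && o->ncp_enabled)
     {
+      /* if we have already created our key, we cannot change our own
+       * cipher, so disable NCP and warn = explain why
+       */
+      struct tls_session *session = &tls_multi->session[TM_ACTIVE];
+      if ( session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized )
+       {
+          msg( M_INFO, "PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request" );
+       }
+      else
+       {
          /* Push the first cipher from --ncp-ciphers to the client.
           * TODO: actual negotiation, instead of server dictatorship. */
          char *push_cipher = string_alloc(o->ncp_ciphers, &o->gc);
          o->ciphername = strtok (push_cipher, ":");
          push_option_fmt(o, M_USAGE, "cipher %s", o->ciphername);
        }
+    }
   return true;
 }
 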
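Review bot: The new comment announces that the server will "warn", but the message in the `initialized` branch is logged at `M_INFO`, and in that branch the server silently keeps its existing data-channel keys while no `cipher` is pushed, so a client whose configured `--cipher` differs from the server's would presumably get a data channel that never decrypts with only an INFO line to explain it; logging at warning level matches the intent, e.g. `msg(M_WARN, "PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request");`. The comment text "disable NCP and warn = explain why" reads as a typo; something like `/* if we have already created our data channel key, we cannot change our own cipher any more: skip NCP and log why */` says the same thing clearly. The added `if ( ... )` and `msg( ... )` with spaces inside the parentheses, and the braces at a 7-space indent, differ from the surrounding GNU-style code in this file (`push_option_fmt(o, M_USAGE, ...)`, braces at 4 and 8), so the new lines should follow that. prepare_push_reply begins before this hunk, so whether `tls_multi` has already been validated non-NULL earlier in the function is not visible here.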