Ticket #845: 0001-Allow-changing-cipher-from-a-ccd-file.patch

File 0001-Allow-changing-cipher-from-a-ccd-file.patch, 4.2 KB (added by Steffan Karger, 5 years ago)

    From d3f7fcf4822f96dff7c42379c37d501f462515dd Mon Sep 17 00:00:00 2001
    From: Steffan Karger <steffan@karger.me>
    Date: Fri, 17 Feb 2017 16:12:15 +0100
    Subject: [PATCH v2] Allow changing cipher from a ccd file
    
    As described in msg  <374a7eb7-f539-5231-623b-41f208ed856e@belkam.com> on
    openvpn-devel@lists.sourceforge.net, clients that are compiled with
    --disable-occ (included in --enable-small) won't send an options string.
    Without the options string, the 2.4 server doesn't know which cipher to
    use for poor man's NCP.
    
    This patch allows working around that issue by allowing the 'cipher'
    directive to be used in --client-config-dir files.  That way, a server
    admin can add ccd files to specify per-client which cipher to use.
    
    Because ccd files are read after the point where keys would normally be
    generated, this patch delays key generation for non-NCP p2mp servers
    until after the ccd file has been read.
    
    Signed-off-by: Steffan Karger <steffan@karger.me>
    ---
    v2: postpone p2mp non-NCP key generation, such that setting cipher in
        a ccd file for a non-NCP client actually works.
    
     src/openvpn/multi.c   | 14 ++++++++++++++
     src/openvpn/options.c |  2 +-
     src/openvpn/options.h |  2 +-
     src/openvpn/ssl.c     |  9 ++++-----
     4 files changed, 20 insertions(+), 7 deletions(-)
    
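diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 56009b7..4c81e9a 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2086,6 +2086,20 @@ script_failed:
             mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED;
         }
 
+        /* Generate tunnel keys, unless IV_NCP >= 2 is negotiated. The first key
+         * generation is then postponed until after the pull/push, so we can
+         * process pushed cipher directives.
+         */
+        struct tls_session *session = &mi->context.c2.tls_multi->session[TM_ACTIVE];
+        struct key_state *ks = &session->key[KS_PRIMARY];
+        if (!session->opt->ncp_enabled && ks->authenticated
+            && !tls_session_update_crypto_params(session, &mi->context.options,
+                                                 &mi->context.c2.frame))
+        {
+            msg(D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed");
+            cc_succeeded = false;
+        }
+
         /* set flag so we don't get called again */
         mi->connection_established_flag = true;
 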
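Review bot: A key-expansion failure at `msg(D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed");` only logs and clears the local `cc_succeeded`, while the very next statement, `mi->connection_established_flag = true;`, still marks the instance as established; whether `cc_succeeded` is consulted again after the `script_failed:` label is outside the hunk, but as written a non-NCP client whose ccd-specified cipher cannot be expanded may be left connected with no usable data-channel keys. I would treat this failure as fatal for the instance (signal it to close, as other fatal per-client errors presumably are) and, if the flag is reused downstream, make sure that check runs before the instance is marked established. The new comment also says keys are generated "unless IV_NCP >= 2 is negotiated", but the condition tests `session->opt->ncp_enabled`, which reads as the server's own NCP setting rather than what this client negotiated; the comment should say which one gates the early generation. The enclosing function starts and ends outside the hunk.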

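diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index dde1f48..0e6b393 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -7536,7 +7536,7 @@ add_option(struct options *options,
     }
     else if (streq(p[0], "cipher") && p[1] && !p[2])
     {
-        VERIFY_PERMISSION(OPT_P_NCP);
+        VERIFY_PERMISSION(OPT_P_NCP|OPT_P_INSTANCE);
         options->ciphername = p[1];
     }
     else if (streq(p[0], "ncp-ciphers") && p[1] && !p[2])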
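Review bot: `options->ciphername = p[1];` stores the ccd-supplied cipher name unvalidated, exactly as the global option already does, but a ccd file is parsed per connection, so a typo there surfaces only as a key-expansion failure for that one client rather than at startup; whether the ccd parse path runs the same post-parse cipher validation as the main config is not visible from this hunk. A parse-time lookup of the name at this point, rejecting unknown ciphers with a normal option error, would give the admin an early and unambiguous diagnostic instead of a per-client TLS error in the log. The hunks only show the ccd cipher being applied on the non-NCP path, so the option documentation should state that this is a per-client override for clients that do not negotiate NCP and say how it interacts with NCP-capable clients. add_option continues outside the hunk on both sides.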

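diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index a14f2ab..f4f0226 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -628,7 +628,7 @@ struct options
 #define OPT_P_MTU             (1<<14) /* TODO */
 #define OPT_P_NICE            (1<<15)
 #define OPT_P_PUSH            (1<<16)
-#define OPT_P_INSTANCE        (1<<17)
+#define OPT_P_INSTANCE        (1<<17) /**< Allow usage in ccd file */
 #define OPT_P_CONFIG          (1<<18)
 #define OPT_P_EXPLICIT_NOTIFY (1<<19)
 #define OPT_P_ECHO            (1<<20)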

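diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 8c724cb..1479c77 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2401,12 +2401,11 @@ key_method_2_write(struct buffer *buf, struct tls_session *session)
     }
 
     /* Generate tunnel keys if we're a TLS server.
-     * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key
-     * generation is postponed until after the pull/push, so we can process pushed
-     * cipher directives.
+     * If we're a p2mp server, the first key generation is postponed so we can
+     * switch cipher during the connection setup phase.
      */
-    if (session->opt->server && !(session->opt->ncp_enabled
-                                  && session->opt->mode == MODE_SERVER && ks->key_id <= 0))
+    if (session->opt->server
+        && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0))
     {
         if (ks->authenticated)
         {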
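Review bot: The rewritten comment says generation is postponed "so we can switch cipher during the connection setup phase" but no longer says where the postponed generation happens, and with `ncp_enabled` dropped from the condition a reader can no longer tell that non-NCP and NCP clients now get their first keys on different paths. I would write it as `/* If we're a p2mp server, the first key generation is postponed so the cipher can still change during connection setup: NCP clients get keys after the pull/push, non-NCP clients once their per-client (ccd) config has been applied on the multi-instance path. */`. Since this function now never generates a p2mp server's first key, correctness depends entirely on that other path running for every authenticated client; if it can be skipped for some client state, the session is left without data-channel keys, which is worth a sentence in the comment or an assertion where the keys are first used. key_method_2_write starts and ends outside the hunk.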