On 12/03/2020 12:36, Arne Schwabe wrote:
> In scenarios of mbed TLS vs OpenSSL we already normalise the ciphers
> that are sent via the wire protocol via OCC to not have a mismatch
> warning between server and client. This is done by
> translate_cipher_name_from_openvpn. The same applies also to the
> ncp-ciphers list. Specifying non normalised names in ncp-ciphers will
> cause negotiation not to succeed if ciphers are not in the same form.
> Therefore we will normalise the ciphers in options_postmutate.
>
> The alternative, and a lot less user friendly one, would be to
> bail if one of the ciphers in ncp-ciphers is not in its normalised form.
>
> Also restrict the ncp-ciphers list to 127. This is somewhat arbitrary
> but should prevent too large IV_CIPHER messages and problems sending
> those. The server will also accept large IV_CIPHER values from clients.
>
> Patch V2: Correct comment about normalising ciphers
> Patch V3: Correct #ifdef statement
> Patch V5: Fix tests with OpenSSL 1.0.2 and libraries missing Chacha
> Patch V6: Fix unit tests for mbed tls, which recognises ChaCha20-Poly1305
> only when used with all uppercase, fix missing space in message
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> ---
>  doc/openvpn.8                       |  3 ++
>  src/openvpn/options.c               | 14 ++++---
>  src/openvpn/ssl_ncp.c               | 57 +++++++++++++++++++++++++----
>  src/openvpn/ssl_ncp.h               | 19 +++++++++-
>  tests/unit_tests/openvpn/test_ncp.c | 54 +++++++++++++++++++++++----
>  5 files changed, 125 insertions(+), 22 deletions(-)
>
I've only done a quick code review and built it on RHEL7, not finding any issues. Code looks reasonable, so I don't see any reason to hold this back any more.

Acked-by: David Sommerseth <dav...@openvpn.net>

--
kind regards,

David Sommerseth
OpenVPN Inc
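The mechanism the cover letter describes, normalising every entry of a colon-separated --ncp-ciphers list to one canonical spelling before the two sides compare lists, and refusing an over-long list on the sending side only, shown as an added example. This is illustrative code written for this page, not OpenVPN's options.c or ssl_ncp.c; the alias table (id-aes*-GCM, ChaCha20-Poly1305) is an assumption standing in for whatever translate_cipher_name_from_openvpn actually maps, and only the 127-byte limit and the asymmetry between client and server are taken from the text above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Limit on the normalised list, as described in the cover letter. */
#define NCP_CIPHER_LIST_MAX_LEN 127

/* Hypothetical translation table: library spellings on the left, the
 * canonical wire name on the right.  Assumed for this example; it is not
 * OpenVPN's real table. */
static const struct { const char *alias; const char *canonical; } aliases[] = {
    { "id-aes128-GCM",     "AES-128-GCM" },
    { "id-aes192-GCM",     "AES-192-GCM" },
    { "id-aes256-GCM",     "AES-256-GCM" },
    { "ChaCha20-Poly1305", "CHACHA20-POLY1305" },
};

/* Case-insensitive string equality. */
static int str_ieq(const char *a, const char *b) {
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
        a++; b++;
    }
    return *a == *b;
}

/* Map one cipher name to its canonical form.  Names not in the table are
 * upper-cased so that "aes-128-cbc" and "AES-128-CBC" still compare equal. */
static void normalize_cipher(const char *name, char *out, size_t n) {
    for (size_t i = 0; i < sizeof aliases / sizeof aliases[0]; i++) {
        if (str_ieq(name, aliases[i].alias) || str_ieq(name, aliases[i].canonical)) {
            snprintf(out, n, "%s", aliases[i].canonical);
            return;
        }
    }
    size_t i = 0;
    for (; i + 1 < n && name[i]; i++) out[i] = (char)toupper((unsigned char)name[i]);
    out[i] = '\0';
}

/* Normalise a colon-separated list into out (capacity n).  Returns the
 * resulting length, or -1 on a malformed list, on overflow of out, or, when
 * enforce_limit is set (the client side), when the result would exceed
 * NCP_CIPHER_LIST_MAX_LEN.  The server passes enforce_limit = 0 and so still
 * accepts a long list from a client. */
int ncp_normalize_list(const char *list, char *out, size_t n, int enforce_limit) {
    size_t used = 0;
    out[0] = '\0';
    for (const char *p = list; *p; ) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char name[64], canon[64];
        if (len == 0 || len >= sizeof name) return -1;   /* empty or absurd entry */
        memcpy(name, p, len);
        name[len] = '\0';
        normalize_cipher(name, canon, sizeof canon);
        size_t need = strlen(canon) + (used ? 1 : 0);
        if (used + need >= n) return -1;                  /* would not fit in out */
        if (used) out[used++] = ':';
        memcpy(out + used, canon, strlen(canon) + 1);
        used += strlen(canon);
        p = end ? end + 1 : p + len;
    }
    if (enforce_limit && used > NCP_CIPHER_LIST_MAX_LEN) return -1;
    return (int)used;
}

/* Whether client and server agree once both have normalised their lists. */
int ncp_lists_match(const char *client, const char *server) {
    char a[256], b[256];
    if (ncp_normalize_list(client, a, sizeof a, 1) < 0) return 0;
    if (ncp_normalize_list(server, b, sizeof b, 0) < 0) return 0;
    return strcmp(a, b) == 0;
}

int main(void) {
    /* Constructed inputs: the same two ciphers spelled two different ways. */
    const char *client = "id-aes256-GCM:ChaCha20-Poly1305";
    const char *server = "aes-256-gcm:CHACHA20-POLY1305";
    char out[256];
    printf("raw strcmp match:  %d\n", strcmp(client, server) == 0);
    printf("normalised match:  %d\n", ncp_lists_match(client, server));
    ncp_normalize_list(client, out, sizeof out, 1);
    printf("client sends:      %s\n", out);
    return 0;
}
```

Without normalisation the raw strings differ and the negotiation would fail on a spelling difference; after both sides normalise, the comparison succeeds. The length check sits only on the sending side, matching the cover letter's note that the server still accepts larger IV_CIPHER values from clients.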
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel