If we do not get a cipher pushed, we call tls_poor_mans_ncp to determine
whether we can use the server's cipher. Inherited from OpenVPN
2.4's code, we only did this check when the ciphers were different.
Since OpenVPN 2.5 does not assume that the cipher we report in OCC
(options->ciphername) is always a valid cipher, we always need to perform
this check.

V2: Only call tls_item_in_cipher_list if remote_cipher is non-null to
    avoid calling strcmp with NULL.

Reported-By: Rafael Gava <gava...@gmail.com>
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
 src/openvpn/ssl_ncp.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index c9ab85ce..55496395 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -269,14 +269,11 @@ static bool
 tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
 {
     if (remote_ciphername
-        && 0 != strcmp(o->ciphername, remote_ciphername))
+        && tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))
     {
-        if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))
-        {
-            o->ciphername = string_alloc(remote_ciphername, &o->gc);
-            msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername);
-            return true;
-        }
+        o->ciphername = string_alloc(remote_ciphername, &o->gc);
+        msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername);
+        return true;
     }
     return false;
 }
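Review bot: the return value of tls_poor_mans_ncp changes meaning in this hunk. Before, a remote cipher identical to o->ciphername fell through to `return false`; now, if that cipher is also in o->ncp_ciphers, the function re-allocates o->ciphername in the gc, logs "Using peer cipher '%s'" and returns true even though nothing was switched. Please confirm that callers treat true as "remote cipher is acceptable" rather than "cipher was changed", update the function's doc comment accordingly, and consider guarding the msg() with a strcmp so the debug log only reports an actual switch.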
-- 
2.26.2

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel