From 57f0b7b331088e489e93ae89ee0aed98381d8806 Mon Sep 17 00:00:00 2001
From: Bernhard Schmidt <berni@debian.org>
Date: Tue, 1 Sep 2020 16:53:26 +0200
Subject: New upstream version 2.5~beta3

---
 src/openvpn/ssl_ncp.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

(limited to 'src/openvpn/ssl_ncp.c')

diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index f522b8f..5549639 100644
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -269,14 +269,11 @@ static bool
 tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
 {
     if (remote_ciphername
-        && 0 != strcmp(o->ciphername, remote_ciphername))
+        && tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))
     {
-        if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))
-        {
-            o->ciphername = string_alloc(remote_ciphername, &o->gc);
-            msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername);
-            return true;
-        }
+        o->ciphername = string_alloc(remote_ciphername, &o->gc);
+        msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername);
+        return true;
     }
     return false;
 }
@@ -296,13 +293,14 @@ check_pull_client_ncp(struct context *c, const int found)
     }
     /* If the server did not push a --cipher, we will switch to the
      * remote cipher if it is in our ncp-ciphers list */
-    bool useremotecipher = tls_poor_mans_ncp(&c->options,
-                                             c->c2.tls_multi->remote_ciphername);
-
+    if(tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername))
+    {
+        return true;
+    }
 
     /* We could not figure out the peer's cipher but we have fallback
      * enabled */
-    if (!useremotecipher && c->options.enable_ncp_fallback)
+    if (!c->c2.tls_multi->remote_ciphername && c->options.enable_ncp_fallback)
     {
         return true;
     }
-- 
cgit v1.2.3