authorArne Schwabe2020-08-10 16:37:03 +0200
committerGert Doering2020-08-11 10:44:45 +0200
commitc13d20fae3961ba67de3c4c85c75ebd1ac802b26 (patch)
tree21c00b37acfde2fd57f5d7c6cf3d6d0799d87edd
parent4b4f5fe22f8ac0ffaf32185ac995da08d524dcbd (diff)
Remove S_OP_NORMAL key state.
The key state is virtually identical to S_ACTIVE, and we only did the state transition from S_ACTIVE to S_OP_NORMAL at the point where we normally would have timed out the TLS negotiation. This is not very useful information to have, and indeed we never use it anywhere. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20200810143707.5834-14-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20674.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r--src/openvpn/ssl.c24
-rw-r--r--src/openvpn/ssl_common.h9
2 files changed, 11 insertions, 22 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 70e397c..eefa242 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -755,9 +755,6 @@ state_name(int state)
case S_ACTIVE:
return "S_ACTIVE";
- case S_NORMAL_OP:
- return "S_NORMAL_OP";
-
case S_ERROR:
return "S_ERROR";
@@ -2705,21 +2702,12 @@ tls_process(struct tls_multi *multi,
}
/* Are we timed out on receive? */
- if (now >= ks->must_negotiate)
+ if (now >= ks->must_negotiate && ks->state < S_ACTIVE)
{
- if (ks->state < S_ACTIVE)
- {
- msg(D_TLS_ERRORS,
- "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
- session->opt->handshake_window);
- goto error;
- }
- else /* assume that ks->state == S_ACTIVE */
- {
- dmsg(D_TLS_DEBUG_MED, "STATE S_NORMAL_OP");
- ks->state = S_NORMAL_OP;
- ks->must_negotiate = 0;
- }
+ msg(D_TLS_ERRORS,
+ "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
+ session->opt->handshake_window);
+ goto error;
}
/* Wait for Initial Handshake ACK */
@@ -2759,6 +2747,8 @@ tls_process(struct tls_multi *multi,
}
state_change = true;
ks->state = S_ACTIVE;
+ /* Cancel negotiation timeout */
+ ks->must_negotiate = 0;
INCR_SUCCESS;
/* Set outgoing address for data channel packets */
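Review bot: The new guard `ks->state < S_ACTIVE` on the receive-timeout check is the only thing that keeps `now >= ks->must_negotiate` from firing once the last hunk zeroes `must_negotiate` at the S_ACTIVE transition (with a deadline of 0 the comparison is always true), and that coupling between the two hunks is not stated anywhere in the code. I would extend the comment above the check to `/* Are we timed out on receive? Only meaningful before S_ACTIVE: must_negotiate is cleared to 0 once the key is active, and 0 compares as already expired. */`. Writing the condition as `if (ks->state < S_ACTIVE && now >= ks->must_negotiate)` would also read as "still negotiating and overdue" instead of leaving the invariant implicit. If a key can reach S_ACTIVE on a path other than the one in the last hunk, `must_negotiate` would stay set there, which is harmless under the new guard but worth confirming. tls_process begins before the first hunk in this section and continues past the last one.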
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 9f77775..96897e4 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -64,8 +64,7 @@
* material.
* -# \c S_GOT_KEY, have received remote part of \c key_source2 random
* material.
- * -# \c S_ACTIVE, normal operation during remaining handshake window.
- * -# \c S_NORMAL_OP, normal operation.
+ * -# \c S_ACTIVE, normal operation
*
* Servers follow the same order, except for \c S_SENT_KEY and \c
* S_GOT_KEY being reversed, because the server first receives the
@@ -94,9 +93,9 @@
* immediately after negotiation has
* completed while still within the
* handshake window. */
-/* ready to exchange data channel packets */
-#define S_NORMAL_OP 7 /**< Normal operational \c key_state
- * state. */
+/* Note that earlier versions also had a S_OP_NORMAL state that was
+ * virtually identical with S_ACTIVE and the code still assumes everything
+ * >= S_ACTIVE to be fully operational */
/** @} name Control channel negotiation states */
/** @} addtogroup control_processor */
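Review bot: The replacement comment names the removed state `S_OP_NORMAL`, but the define deleted two lines above it was `S_NORMAL_OP`, so anyone searching history for the old identifier will not find this note. Suggest `/* Note that earlier versions also had an S_NORMAL_OP state that was virtually identical to S_ACTIVE; the code still assumes everything >= S_ACTIVE to be fully operational. */`. The rewritten list item in the first hunk, `-# \c S_ACTIVE, normal operation`, also dropped the trailing period that the neighbouring items keep. Both hunks in this file lie in comments outside any definition.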