authorArne Schwabe2022-11-30 17:57:05 +0100
committerGert Doering2022-11-30 20:21:25 +0100
commitcde3edb132abd5091b2fbee83c0af43ee4e6e009 (patch)
treec33889e3611987fa882a4826e6ee595262055c01 /src/openvpn/forward.c
parent816eae83a57df4fa3ffd49b1794779ae9054a6ee (diff)
Introduce connection state for reconnecting peer in p2p
We introduce this state to make the reconnecting of a client more obvious and to make explicit what is called again, instead of leaving it implicit. The new state CAS_RECONNECT_PENDING is between CAS_WAITING_OPTIONS_IMPORT and CAS_CONNECT_DONE as we need to redo some of the steps of the connection setup, so this new state is going a "half step" back in the state machine. We also no longer generate data channel keys for an untrusted session. This is done for clarity but also to allow them to be generated after the session has actually become active. These changes allow a reconnect in p2p mode with DCO to work in the same way as the initial connect does. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20221130165705.159610-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25595.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/forward.c')
-rw-r--r--src/openvpn/forward.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 3b5b040..37340ae 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -174,7 +174,14 @@ check_tls(struct context *c)
const int tmp_status = tls_multi_process
(c->c2.tls_multi, &c->c2.to_link, &c->c2.to_link_addr,
get_link_socket_info(c), &wakeup);
- if (tmp_status == TLSMP_ACTIVE)
+
+ if (tmp_status == TLSMP_RECONNECT)
+ {
+ event_timeout_init(&c->c2.wait_for_connect, 1, now);
+ reset_coarse_timers(c);
+ }
+
+ if (tmp_status == TLSMP_ACTIVE || tmp_status == TLSMP_RECONNECT)
{
update_time();
interval_action(&c->c2.tmp_int);
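Review bot: The new TLSMP_RECONNECT branch stamps `c->c2.wait_for_connect` with `now` (`event_timeout_init(&c->c2.wait_for_connect, 1, now);`) before the block that follows calls `update_time()`, so the re-armed connect timer starts from the value of `now` as it was before the refresh. If `update_time()` refreshes the global `now` as its name suggests, moving the reconnect block below the `update_time()` call, or calling `update_time()` at the top of the reconnect branch, keeps the timer stamp and the subsequent `interval_action()` on the same timestamp; it is not visible here whether `reset_coarse_timers()` depends on the refreshed value as well. The branch also carries no comment on why the connect timer is re-armed on an already established session; `/* peer renegotiated into a new session: re-arm wait_for_connect so that the post-connect setup is run again */` would make the intent visible at the point of use. check_tls() starts and ends outside this hunk.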
@@ -196,9 +203,15 @@ check_tls(struct context *c)
interval_schedule_wakeup(&c->c2.tmp_int, &wakeup);
- /* Our current code has no good hooks in the TLS machinery to update
+ /*
+ * Our current code has no good hooks in the TLS machinery to update
* DCO keys. So we check the key status after the whole TLS machinery
* has been completed and potentially update them
+ *
+ * We have a hidden state transition from secondary to primary key based
+ * on ks->auth_deferred_expire that DCO needs to check that the normal
+ * TLS state engine does not check. So we call the \c check_dco_key_status
+ * function even if tmp_status does not indicate that something has changed.
*/
check_dco_key_status(c);
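Review bot: The rewritten comment uses the Doxygen command `\c check_dco_key_status` inside a plain `/* */` block, where no Doxygen processing happens and the backslash reads as a stray character; writing `check_dco_key_status()` keeps the reference plain and greppable. The same sentence could also state the consequence for the reader directly, e.g. `so check_dco_key_status() must run on every call, not only when tmp_status reports a change`, since the call on the last line of the hunk is unconditional and a future reader may otherwise be tempted to guard it. check_tls() starts and ends outside this hunk.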
@@ -302,7 +315,6 @@ check_push_request(struct context *c)
static void
check_connection_established(struct context *c)
{
-
if (connection_established(c))
{
/* if --pull was specified, send a push request to server */
@@ -337,7 +349,6 @@ check_connection_established(struct context *c)
event_timeout_clear(&c->c2.wait_for_connect);
}
-
}
bool