| author | Lev Stipakov | 2020-03-13 18:59:13 +0200 |
|---|---|---|
| committer | Gert Doering | 2020-04-16 09:01:07 +0200 |
| commit | 3b06b57d9f1d972ec16f0893d06697439c1bb1fe (patch) | |
| tree | ab05f3116ece20ffa0d899e274e68a994fc83337 /src/openvpn/push.c | |
| parent | d8ac887c6b1b57a1953ab62058b4aed5d8c11f65 (diff) | |
| download | openvpn-3b06b57d9f1d972ec16f0893d06697439c1bb1fe.zip openvpn-3b06b57d9f1d972ec16f0893d06697439c1bb1fe.tar.gz | |
Fix broken async push when NCP is used
With NCP and deferred auth, we perform cipher negotiation and generate
data channel keys on incoming push request, assuming that auth succeeded.
With async push, when auth succeeds in between push requests, we send
push reply immediately.
The code which generates data channel keys is only called on handling
incoming push requests (incoming_push_message). It might not be called
with NCP, deferred auth and async push, because on incoming push request,
auth might not be complete yet. When auth is complete in between push
requests, push reply is sent and it is assumed that connection is
established. However, since data channel keys are not generated on the
server side, connection doesn't work.
Fix by adding a call to generate data channel keys when async push is
triggered.
Also, all the "session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized"
checks have been moved into tls_session_update_crypto_params(), which
is just reducing duplicate code, no actual code change (*all* callers
had this pre-check).
Trac: #1259
Reported-by: smaxfield@duosecurity.com
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200313165913.12682-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19553.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/push.c')
-rw-r--r-- | src/openvpn/push.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 71f22e9..aef00d3 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -298,10 +298,8 @@ incoming_push_message(struct context *c, const struct buffer *buffer) } #endif struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; - /* Do not regenerate keys if client send a second push request */ - if (!session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized - && !tls_session_update_crypto_params(session, &c->options, - &c->c2.frame, frame_fragment)) + if (!tls_session_update_crypto_params(session, &c->options, + &c->c2.frame, frame_fragment)) { msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); goto error; |
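Review bot: the hunk removes the explanatory comment `/* Do not regenerate keys if client send a second push request */` together with the `key_ctx_bi.initialized` guard, leaving an unconditional-looking call to tls_session_update_crypto_params() in incoming_push_message(); since the commit message says the guard now lives inside that function, keep a one-line comment at the call site stating that the call is a no-op once data channel keys exist, so a reader of push.c does not assume keys are regenerated on every push request. Also, this view is limited to src/openvpn/push.c, so the relocated check is not visible here; please confirm that tls_session_update_crypto_params() returns true (not false) when the keys are already initialized, because with this hunk a false return on a repeated push request would now hit `msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); goto error;`, which the old pre-check used to skip entirely.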