diff options
author | Arne Schwabe | 2021-03-28 14:02:41 +0200 |
---|---|---|
committer | Gert Doering | 2021-04-20 11:39:10 +0200 |
commit | a005044be9ca77ee8a47cb65a603d0b1c41b99f4 (patch) | |
tree | 51e205b720921570b0413dcda31f2b0099588eb7 /src/openvpn/ssl.c | |
parent | 0767d5b447044e4cdcfd198058aef1f85f63bbe6 (diff) | |
download | openvpn-a005044be9ca77ee8a47cb65a603d0b1c41b99f4.zip openvpn-a005044be9ca77ee8a47cb65a603d0b1c41b99f4.tar.gz |
Fix condition to generate session keys
When OpenVPN sees a new (SSL) connection via HARD_RESET or SOFT_RESET with
the same port/ip as an existing session, it will give it the slot of the
renegotiation session (TM_UNTRUSTED). And when the authentication
succeeds it will replace the current session. In the case of a SOFT_RESET
this a renegotiation and we will generated data channel keys at the of
key_method_2_write function as key-id > 0.
For a HARD RESET the key-id is 0. Since we already have gone through
connect stages and set context_auth to CAS_SUCCEEDED, we don't
call all the connect stages again, and therefore also never call
multi_client_generate_tls_keys for this session.
This commit changes postponing the key generation to be done only if
the multi_connect has not yet been finished.
Patch V2: Explain better in the commit message why this change is done.
Trac: #1316
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20210328120241.27605-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21873.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r-- | src/openvpn/ssl.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index d8662d0..4574be5 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2345,12 +2345,17 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi goto error; } - /* Generate tunnel keys if we're a TLS server. - * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key - * generation is postponed until after the pull/push, so we can process pushed - * cipher directives. + /* + * Generate tunnel keys if we're a TLS server. + * + * If we're a p2mp server to allow NCP, the first key + * generation is postponed until after the connect script finished and the + * NCP options can be processed. Since that always happens at after connect + * script options are available the CAS_SUCCEEDED status is identical to + * NCP options are processed and we have no extra state for NCP finished. */ - if (session->opt->server && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0)) + if (session->opt->server && (session->opt->mode != MODE_SERVER + || multi->multi_state == CAS_SUCCEEDED)) { if (ks->authenticated > KS_AUTH_FALSE) { |