git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Wed, 1 Mar 2023 13:53:52 +0000 (14:53 +0100)
committer	Gert Doering <gert@greenie.muc.de>
	Mon, 20 Mar 2023 13:01:59 +0000 (14:01 +0100)
commit	06af538eb7bde36feb20ef63febb171c9607a5e6
tree	8e3b80a80abe4ed048d22bd879414f5b33ca0921	tree \| snapshot
parent	6c111be9b109a6dbcd39cac7821ea3dd78ff6adf	commit \| diff

Use key_state instead of multi for tls_send_payload parameter

Currently, this function and other parts of OpenVPN assume that
multi->session[TM_ACTIVE].key[KS_PRIMARY] is always the right session
to send control message.

This assumption was only achieve through complicated session moving and
shuffling in our state machine in the past. The old logic basically also
always assumed that control messages are always for fully authenticated
clients. This assumption was never really true (see AUTH_FAILED message)
but has been broken even more by auth-pending. Cleaning up the state machine
transitions in 7dcde87b7a broke this assumption even more.

This change now allows to specify the key_state/TLS session that is used to
send the control message.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230301135353.2811069-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26319.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

src/openvpn/forward.c		diff \| blob \| blame \| history
src/openvpn/ssl.c		diff \| blob \| blame \| history
src/openvpn/ssl.h		diff \| blob \| blame \| history