git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Wed, 1 Mar 2023 13:53:52 +0000 (14:53 +0100)
committer	Gert Doering <gert@greenie.muc.de>
	Mon, 20 Mar 2023 13:08:00 +0000 (14:08 +0100)
commit	31279f71ab4124516fd0c2143f67a0c3f008ad20
tree	7a9cbd672c764fdc8dad646e9d31ac81fbe74fdf	tree \| snapshot
parent	a05ec70edd5178aac7b7432c57878c32aa838013	commit \| diff

Use key_state instead of multi for tls_send_payload parameter

Currently, this function and other parts of OpenVPN assume that
multi->session[TM_ACTIVE].key[KS_PRIMARY] is always the right session
to send control message.

This assumption was only achieve through complicated session moving and
shuffling in our state machine in the past. The old logic basically also
always assumed that control messages are always for fully authenticated
clients. This assumption was never really true (see AUTH_FAILED message)
but has been broken even more by auth-pending. Cleaning up the state machine
transitions in 7dcde87b7a broke this assumption even more.

This change now allows to specify the key_state/TLS session that is used to
send the control message.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230301135353.2811069-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26319.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 06af538eb7bde36feb20ef63febb171c9607a5e6)

src/openvpn/forward.c		diff \| blob \| blame \| history
src/openvpn/ssl.c		diff \| blob \| blame \| history
src/openvpn/ssl.h		diff \| blob \| blame \| history