Currently, this function and other parts of OpenVPN assume that
multi->session[TM_ACTIVE].key[KS_PRIMARY] is always the right session
to send control message.
This assumption was only achieve through complicated session moving and
shuffling in our state machine in the past. The old logic basically also
always assumed that control messages are always for fully authenticated
clients. This assumption was never really true (see AUTH_FAILED message)
but has been broken even more by auth-pending. Cleaning up the state machine
transitions in
7dcde87b7a broke this assumption even more.
This change now allows to specify the key_state/TLS session that is used to
send the control message.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <
20230301135353.
2811069-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26319.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
struct gc_arena gc = gc_new();
bool stat;
+ ASSERT(multi);
+ struct key_state *ks = get_key_scan(multi, 0);
+
/* buffered cleartext write onto TLS control channel */
- stat = tls_send_payload(multi, (uint8_t *) str, strlen(str) + 1);
+ stat = tls_send_payload(ks, (uint8_t *) str, strlen(str) + 1);
msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
tls_common_name(multi, false),
*/
bool
-tls_send_payload(struct tls_multi *multi,
+tls_send_payload(struct key_state *ks,
const uint8_t *data,
int size)
{
- struct key_state *ks;
bool ret = false;
tls_clear_error();
- ASSERT(multi);
-
- ks = get_key_scan(multi, 0);
+ ASSERT(ks);
if (ks->state >= S_ACTIVE)
{
/*
* Send a payload over the TLS control channel
*/
-bool tls_send_payload(struct tls_multi *multi,
+bool tls_send_payload(struct key_state *ks,
const uint8_t *data,
int size);
projects / thirdparty / openvpn.git / commitdiff
