From: Arne Schwabe Date: Tue, 7 Dec 2021 17:01:54 +0000 (+0100) Subject: Fix triggering assertion of ks->authenticated after tls_deauthenticate X-Git-Tag: v2.6_beta1~349 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce9c1990ba89ebb1335a8093e0889f2df71a6cfe;p=thirdparty%2Fopenvpn.git Fix triggering assertion of ks->authenticated after tls_deauthenticate When tls_deauthenticate is called (e.g. by management kicking of a client) the key auth state is changed to KS_AUTH_FALSE while the key state is still in S_GENERATED_KEYS. This triggers the assertion. Remove the assertions and instead check that the auth state is KS_AUTH_TRUE Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20211207170211.3275837-5-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23340.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 05096ee0a..8cbb129d2 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3276,9 +3276,9 @@ handle_data_channel_packet(struct tls_multi *multi, * active side is the client which initiates connections). */ if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id + && ks->authenticated == KS_AUTH_TRUE && (floated || link_socket_actual_match(from, &ks->remote_addr))) { - ASSERT(ks->authenticated == KS_AUTH_TRUE); if (!ks->crypto_options.key_ctx_bi.initialized) { msg(D_MULTI_DROPPED, @@ -3861,9 +3861,8 @@ struct key_state *tls_select_encryption_key(struct tls_multi *multi) for (int i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = get_key_scan(multi, i); - if (ks->state >= S_GENERATED_KEYS) + if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE) { - ASSERT(ks->authenticated == KS_AUTH_TRUE); ASSERT(ks->crypto_options.key_ctx_bi.initialized); if (!ks_select)