From 06af538eb7bde36feb20ef63febb171c9607a5e6 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Wed, 1 Mar 2023 14:53:52 +0100
Subject: [PATCH] Use key_state instead of multi for tls_send_payload parameter

Currently, this function and other parts of OpenVPN assume that multi->session[TM_ACTIVE].key[KS_PRIMARY] is always the right session to send control message. This assumption was only achieve through complicated session moving and shuffling in our state machine in the past. The old logic basically also always assumed that control messages are always for fully authenticated clients. This assumption was never really true (see AUTH_FAILED message) but has been broken even more by auth-pending. Cleaning up the state machine transitions in 7dcde87b7a broke this assumption even more. This change now allows to specify the key_state/TLS session that is used to send the control message.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20230301135353.2811069-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26319.html
Signed-off-by: Gert Doering
---
 src/openvpn/forward.c | 5 ++++-
 src/openvpn/ssl.c | 7 ++-----
 src/openvpn/ssl.h | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index ddfd5a183..29490a2c4 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -372,8 +372,11 @@ send_control_channel_string_dowork(struct tls_multi *multi,
     struct gc_arena gc = gc_new();
     bool stat;
 
+    ASSERT(multi);
+    struct key_state *ks = get_key_scan(multi, 0);
+
     /* buffered cleartext write onto TLS control channel */
-    stat = tls_send_payload(multi, (uint8_t *) str, strlen(str) + 1);
+    stat = tls_send_payload(ks, (uint8_t *) str, strlen(str) + 1);
 
     msg(msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
         tls_common_name(multi, false),
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index fe6390fad..60aaee8da 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
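Review bot: `struct key_state *ks = get_key_scan(multi, 0);` re-creates inside the caller the fixed slot-0 session selection that the commit message describes as no longer reliable, so send_control_channel_string_dowork still cannot address any other TLS session even though tls_send_payload now accepts one. If limiting the change to the callee is intentional for this commit, a comment above that line would stop the next reader from assuming the wrapper was generalised as well, e.g. `/* Still targets key scan slot 0; callers that must reach a specific TLS session should call tls_send_payload() with their own ks */`. The remainder of send_control_channel_string_dowork, including its return, lies outside the hunk.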
@@ -4007,18 +4007,15 @@ tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
  */
 bool
-tls_send_payload(struct tls_multi *multi,
+tls_send_payload(struct key_state *ks,
                  const uint8_t *data,
                  int size)
 {
-    struct key_state *ks;
     bool ret = false;
 
     tls_clear_error();
 
-    ASSERT(multi);
-
-    ks = get_key_scan(multi, 0);
+    ASSERT(ks);
 
     if (ks->state >= S_ACTIVE)
     {
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index a050cd5c9..4ed4cfaa4 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -424,7 +424,7 @@ void ssl_put_auth_challenge(const char *cr_str);
 /*
  * Send a payload over the TLS control channel
  */
-bool tls_send_payload(struct tls_multi *multi,
+bool tls_send_payload(struct key_state *ks,
                       const uint8_t *data,
                       int size);
 
--
2.47.2
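Review bot: `ASSERT(ks);` is now the only guard on the caller-supplied pointer, and `if (ks->state >= S_ACTIVE)` still silently turns a session below S_ACTIVE into a `false` result (`ret` starts out false), which matters more now that any key_state can be handed in; the function should state that contract instead of leaving callers to infer it from the body. A short header comment above `tls_send_payload` would do: `ks` must be non-NULL, the payload is only written when `ks->state >= S_ACTIVE`, and a `false` return in that case appears to mean "not sent" rather than a TLS-layer error. The code after the state check, including where `ret` is returned, lies outside the hunk.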
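Review bot: The prototype now takes `struct key_state *ks`, but the comment above it, `Send a payload over the TLS control channel`, does not say which session is used or what the caller must guarantee about it. Suggest expanding it into a Doxygen block with `@param ks the TLS session (key_state) to send on; must be non-NULL` and `@return true if the payload was handed to the TLS layer, false otherwise`, so the header matches the ASSERT and the S_ACTIVE gate in ssl.c rather than leaving the precondition implicit.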