git.ipfire.org Git - thirdparty/openvpn.git/commit
Add connection_established as state in tls_multi->context_auth
author Arne Schwabe <arne@rfc2549.org>
Thu, 20 May 2021 15:11:42 +0000 (17:11 +0200)
committer Gert Doering <gert@greenie.muc.de>
Thu, 24 Jun 2021 13:31:04 +0000 (15:31 +0200)
commit d01277608a248f31df3fde1883eba6dd8d16a1e4
tree b836ef89a873eeef5e438911258d57eef75c2b35
parent 716049923e3e70c3de938d6da5d05f529ec515b5

The socket_info->connection_establish is set through
link_socket_set_outgoing_addr when we reach FULL_SYNC. This patch
introduces a new state in context_auth that replaces the
connection_established state for TLS connections. This makes the state
machine easier to understand.

Also, rename "enum client_connect_status" to "multi_status", re-order
states so CAS_NOT_CONNECTED (=0) is the default state, and introduce
CAS_CONNECT_DONE as numerically highest so "are we done?" can be
easily checked.

This is part of the patchset to fix CVE-2020-15078 in "master" by
reorganizing the handling of incoming new and renegotiated TLS sessions
to make the code easier to understand and less prone to "edge case"
issues.

Patch v2: fix p2p mode server without (without ncp)

CVE: 2020-15078

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210520151148.2565578-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22419.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/forward.c
src/openvpn/forward.h
src/openvpn/multi.c
src/openvpn/occ.c
src/openvpn/openvpn.h
src/openvpn/push.c
src/openvpn/ssl.c
src/openvpn/ssl_common.h
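
The state ordering described in the commit message, as an added example that is not code from this commit or from OpenVPN: a zero-initialised session starts in CAS_NOT_CONNECTED, and a single ordered comparison against CAS_CONNECT_DONE gates the data channel so nothing passes before the handshake completes. The EX_-prefixed states, struct ex_session, the ex_* functions and the sample sequences are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Only CAS_NOT_CONNECTED and CAS_CONNECT_DONE come from the commit message. */
enum multi_status {
    CAS_NOT_CONNECTED = 0,   /* value of a zero-initialised session */
    EX_CAS_AUTH_PENDING,     /* hypothetical intermediate state */
    EX_CAS_OPTIONS_PENDING,  /* hypothetical intermediate state */
    EX_CAS_FAILED,           /* hypothetical, terminal, still below "done" */
    CAS_CONNECT_DONE         /* numerically highest */
};
struct ex_session { enum multi_status status; unsigned long forwarded; };
/* Allow only the listed transitions; FAILED and DONE are terminal. */
static bool ex_advance(struct ex_session *s, enum multi_status next)
{
    bool ok = false;
    switch (s->status) {
    case CAS_NOT_CONNECTED:      ok = (next == EX_CAS_AUTH_PENDING); break;
    case EX_CAS_AUTH_PENDING:    ok = (next == EX_CAS_OPTIONS_PENDING || next == EX_CAS_FAILED); break;
    case EX_CAS_OPTIONS_PENDING: ok = (next == CAS_CONNECT_DONE || next == EX_CAS_FAILED); break;
    default: break;
    }
    if (ok) s->status = next;
    return ok;
}
/* Data-channel gate: one ordered comparison answers "are we done?". */
static bool ex_forward_packet(struct ex_session *s)
{
    if (s->status < CAS_CONNECT_DONE) return false;   /* drop */
    s->forwarded++;
    return true;
}
/* Offer one packet before any step and after each step; return how many passed. */
static unsigned long ex_run(const enum multi_status *steps, size_t n)
{
    struct ex_session s = { 0 };                      /* zeroed => CAS_NOT_CONNECTED */
    ex_forward_packet(&s);
    for (size_t i = 0; i < n; i++) { ex_advance(&s, steps[i]); ex_forward_packet(&s); }
    return s.forwarded;
}
/* Constructed sample sequences: full handshake, jump to done, failure then done. */
static const enum multi_status EX_GOOD[] = { EX_CAS_AUTH_PENDING, EX_CAS_OPTIONS_PENDING, CAS_CONNECT_DONE };
static const enum multi_status EX_SKIP[] = { CAS_CONNECT_DONE };
static const enum multi_status EX_FAIL[] = { EX_CAS_AUTH_PENDING, EX_CAS_FAILED, CAS_CONNECT_DONE };
int main(void)
{
    printf("good=%lu skip=%lu fail=%lu\n", ex_run(EX_GOOD, 3), ex_run(EX_SKIP, 1), ex_run(EX_FAIL, 3));
    return 0;
}
```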