From: Arne Schwabe
Date: Fri, 23 Oct 2020 12:02:58 +0000 (+0200)
Subject: Send AUTH_FAILED message to clients on renegotiation failures
X-Git-Tag: v2.6_beta1~652
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55d5eaa3e021a21b9537a474c46636d4c2dcdac5;p=thirdparty%2Fopenvpn.git

Send AUTH_FAILED message to clients on renegotiation failures

This changes the exit in server mode on renegotiation to an exit that also sends an AUTH_FAILED to the client. Any previously set failed auth reason is passed to the client.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20201023120259.29783-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21222.html
Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index 958246c41..67615a6bf 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -155,7 +155,14 @@ check_tls(struct context *c) } else if (tmp_status == TLSMP_KILL) { - register_signal(c, SIGTERM, "auth-control-exit"); + if (c->options.mode == MODE_SERVER) + { + send_auth_failed(c, c->c2.tls_multi->client_reason); + } + else + { + register_signal(c, SIGTERM, "auth-control-exit"); + } } interval_future_trigger(&c->c2.tmp_int, wakeup);
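
Review bot: In the new MODE_SERVER branch of the TLSMP_KILL case in check_tls(), `c->c2.tls_multi->client_reason` is handed to send_auth_failed() without a check, while the commit message says only a "previously set" reason is forwarded, so the pointer may be unset at this point. Please confirm that send_auth_failed() accepts a NULL reason, or guard it at the call site. A short comment would also help here, stating that the server path now relies on send_auth_failed() to end the client instance, since `register_signal(c, SIGTERM, "auth-control-exit")` is only reached in the else branch. Because the reason string is now delivered to the peer on a renegotiation failure, the comment should also note that whatever sets client_reason is expected to keep it free of internal detail.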