From: Arne Schwabe Date: Fri, 22 Apr 2022 14:29:41 +0000 (+0200) Subject: Move CRL reload to key_state_init from S_START transition X-Git-Tag: v2.6_beta1~217 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb6e6c2ae3e6ecdc6ac0b69a79741d52189c0c70;p=thirdparty%2Fopenvpn.git Move CRL reload to key_state_init from S_START transition The current place that we reload is a bit more efficient since it only triggers reload after a completed 3way handshake. On the other hand the key_state_init is a much more logical place and with the upcoming HMAC based UDP code and TCP code, the initialisation will only be done after a 3way handshake. Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli Message-Id: <20220422142953.3805364-7-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24156.html Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 2c1cad670..65703eaac 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -958,6 +958,17 @@ key_state_init(struct tls_session *session, struct key_state *ks)
 #ifdef ENABLE_MANAGEMENT
     ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
 #endif
+
+    /*
+     * Attempt CRL reload before TLS negotiation. Won't be performed if
+     * the file was not modified since the last reload
+     */
+    if (session->opt->crl_file
+        && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
+    {
+        tls_ctx_reload_crl(&session->opt->ssl_ctx,
+                           session->opt->crl_file, session->opt->crl_file_inline);
+    }
 }
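Review bot: The comment moved with the block still reads as if the reload only ran after a completed handshake, but key_state_init() is, per the description, reached earlier, so the new call site now performs the modified-since-last-reload check on a path that is presumably still unauthenticated until the HMAC-based UDP/TCP initialisation the description anticipates lands; that trade-off should be recorded next to the code. I would extend the comment to `/* Attempt CRL reload before TLS negotiation. Won't be performed if the file was not modified since the last reload. Note: this now runs on every key_state_init(), i.e. before the peer has completed the handshake. */`. Since this is now the only reload on the negotiation path, it is also worth confirming (not visible in this hunk) that tls_ctx_reload_crl() leaves the previously loaded CRL in effect when the new file cannot be read, so a transient read failure does not silently disable revocation checking. The second hunk is the matching pure removal from tls_process_state() and needs nothing; key_state_init() begins before this hunk.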
@@ -2513,20 +2524,8 @@ tls_process_state(struct tls_multi *multi,
         ks->state = S_START;
         state_change = true;
-        /*
-         * Attempt CRL reload before TLS negotiation. Won't be performed if
-         * the file was not modified since the last reload
-         */
-        if (session->opt->crl_file
-            && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
-        {
-            tls_ctx_reload_crl(&session->opt->ssl_ctx,
-                               session->opt->crl_file, session->opt->crl_file_inline);
-        }
-
         /* New connection, remove any old X509 env variables */
         tls_x509_clear_env(session->opt->es);
-
         dmsg(D_TLS_DEBUG_MED, "STATE S_START");
     }