git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Tom van Leeuwen <tom.van.leeuwen@technolution.eu>
	Tue, 31 Mar 2020 07:14:37 +0000 (09:14 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Wed, 1 Apr 2020 11:50:49 +0000 (13:50 +0200)
commit	a59e0754afd37a606d96cf24cea771ace3467289
tree	afe229fc2794fcb85d957f3dcc3fdd569743c2a2	tree
parent	a2a2132c46dfcac057cb8c50df5d27005e9e40e5	commit \| diff

mbedTLS: Make sure TLS session survives move

When a client disconnects from a server compiled with mbedTLS, the server
cannot process the PUSH_REQUEST from a new connection with the same client
IP and port number. This is the case when the client binds to a static
port.

This behavior is initiated by move_session(), which copies the content of
the
tls_session to a new session and re-initializes the old session once the
new
session is authenticated.
This tls_session contains, among other things, an mbedtls_ssl_config and
bio_ctx structure. However, the mbedtls context has internal pointers to
the
mbedtls_ssl_config and bio_ctx. When the session is moved, these internal
pointers point to the reinitialized session and as a result all received
packets that are stored in the bio_ctx of the moved session can never be
read
by the mbedtls session. The PUSH_REQUEST is therefore never seen by the
server.

Since there is no public method to update these internal pointers, this
patch dynamically allocates the mbedtls_ssl_config and bio_ctx and stores
the pointers to those structures in the tls_session instead.

Trac #880

Signed-off-by: Tom van Leeuwen <tom.van.leeuwen@technolution.eu>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20200331071437.12708-1-tom.van.leeuwen@technolution.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19661.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

src/openvpn/ssl_mbedtls.c		diff \| blob \| blame \| history
src/openvpn/ssl_mbedtls.h		diff \| blob \| blame \| history