[Openvpn-devel] Ensure tls session is authenticated before sending push reply

Message ID 20210624130840.2583433-1-arne@rfc2549.org
State Accepted
Series [Openvpn-devel] Ensure tls session is authenticated before sending push reply

Commit Message

Arne Schwabe June 24, 2021, 3:08 a.m. UTC
We ensure here that the tls session is authenticated before sending
a push_reply.

This is a part of the fix for CVE-2020-15078 in the master branch.
---
 src/openvpn/push.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Gert Doering June 24, 2021, 5:25 a.m. UTC | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

For whatever reason, this particular code path escaped previous patches,
so now it's fixed as well.  And verified - even with the previous 3 
patches (and I was sure I had seen it fixed!) sometimes I hit the
"PUSH_REPLY sent too fast" thing.  Now, gone.

Not tested on the client side (this is server-only code).

Server side test rig succeeded.  Since this is a fairly isolated
change, verifying that PUSH_REQUEST/PUSH_REPLY still works was easy
(but tested all of it, for good measure).

Your patch has been applied to the master branch.

commit 87c8c081d5a1ede46b3cb01e0c25a876441f074b
Author: Arne Schwabe
Date:   Thu Jun 24 15:08:40 2021 +0200

     Ensure tls session is authenticated before sending push reply

     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20210624130840.2583433-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22587.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index b6f1252d2..b27f401e1 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -863,7 +863,8 @@  process_incoming_push_request(struct context *c)
         send_auth_failed(c, client_reason);
         ret = PUSH_MSG_AUTH_FAILURE;
     }
-    else if (c->c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
+    else if (tls_authentication_status(c->c2.tls_multi) == TLS_AUTHENTICATION_SUCCEEDED
+        && c->c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
     {
         time_t now;
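Review bot: the continuation line of the new condition (`&& c->c2.tls_multi->multi_state >= CAS_CONNECT_DONE`) is indented by a fixed eight spaces rather than aligned under the opening parenthesis of the `else if`, which is how the surrounding code in push.c lines up multi-line conditions; please align it with the first operand. On the logic, the ordering is right: `tls_authentication_status()` is evaluated first, so `multi_state` is only consulted once the session has actually authenticated, and the preceding branch already covers the explicit failure case via `send_auth_failed()`. What the hunk does not show is where a session that is neither failed nor yet succeeded (authentication still pending) now ends up, since it no longer matches this branch; the commit message should state that such a request falls through to the remaining branch and no PUSH_REPLY is sent until the status becomes TLS_AUTHENTICATION_SUCCEEDED, so the behaviour is documented alongside the CVE reference.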