[Openvpn-devel,2/2] Fix condition to generate session keys

Message ID 20201215164221.5995-2-arne@rfc2549.org
State New
Headers show
Series
  • [Openvpn-devel,1/2] Move context_auth from context_2 to tls_multi
Related show

Commit Message

Arne Schwabe Dec. 15, 2020, 4:42 p.m.
For --nobind clients OpenVPN reuses the context and tls_multi structs
of the previous clients and does not rerun the connect scripts on
connect. But since it is a new client connection, the key_id is 0 and
we postpone the key generation but it will never happen.

This commit changes postponing the key generation to the right
condition of NCP done for this session.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

Patch

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index efbf688f..5d322598 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -2351,7 +2351,7 @@  error:
  * to the TLS control channel (cleartext).
  */
 static bool
-key_method_2_write(struct buffer *buf, struct tls_session *session)
+key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
 {
     struct key_state *ks = &session->key[KS_PRIMARY];      /* primary key */
 
@@ -2442,12 +2442,17 @@  key_method_2_write(struct buffer *buf, struct tls_session *session)
         goto error;
     }
 
-    /* Generate tunnel keys if we're a TLS server.
-     * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key
-     * generation is postponed until after the pull/push, so we can process pushed
-     * cipher directives.
+    /*
+     * Generate tunnel keys if we're a TLS server.
+     *
+     * If we're a p2mp server to allow NCP, the first key
+     * generation is postponed until after the connect script finished and the
+     * NCP options can be processed. Since that always happens at after connect
+     * script options are available the CAS_SUCCEEDED status is identical to
+     * NCP options are processed and we have no extra state for NCP finished.
      */
-    if (session->opt->server && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0))
+    if (session->opt->server && (session->opt->mode != MODE_SERVER
+            || multi->context_auth == CAS_SUCCEEDED))
     {
         if (ks->authenticated > KS_AUTH_FALSE)
         {
@@ -2936,7 +2941,7 @@  tls_process(struct tls_multi *multi,
         if (!buf->len && ((ks->state == S_START && !session->opt->server)
                           || (ks->state == S_GOT_KEY && session->opt->server)))
         {
-            if (!key_method_2_write(buf, session))
+            if (!key_method_2_write(buf, multi, session))
             {
                 goto error;
             }