[Openvpn-devel] Fix triggering assertion of ks->authticated after tls_deauthenticate

Message ID 20211129135247.2221585-1-arne@rfc2549.org
State Superseded
Headers show
Series
  • [Openvpn-devel] Fix triggering assertion of ks->authticated after tls_deauthenticate
Related show

Commit Message

Arne Schwabe Nov. 29, 2021, 1:52 p.m.
When tls_deauthenticate is called (e.g. by management kicking of a client)
the key auth state is changed to KS_AUTH_FALSE while the key state is
still in S_GENERATED_KEYS. This triggers the assertion. Remove the assertions
and instead check that the auth state is KS_AUTH_TRUE

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

Patch

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index ad3e08274..5e53ad57e 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3278,9 +3278,9 @@  handle_data_channel_packet(struct tls_multi *multi,
          * active side is the client which initiates connections).
          */
         if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id
+            && ks->authenticated == KS_AUTH_TRUE
             && (floated || link_socket_actual_match(from, &ks->remote_addr)))
         {
-            ASSERT(ks->authenticated == KS_AUTH_TRUE);
             if (!ks->crypto_options.key_ctx_bi.initialized)
             {
                 msg(D_MULTI_DROPPED,
@@ -3863,9 +3863,8 @@  struct key_state *tls_select_encryption_key(struct tls_multi *multi)
     for (int i = 0; i < KEY_SCAN_SIZE; ++i)
     {
         struct key_state *ks = get_key_scan(multi, i);
-        if (ks->state >= S_GENERATED_KEYS)
+        if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE)
         {
-            ASSERT(ks->authenticated == KS_AUTH_TRUE);
             ASSERT(ks->crypto_options.key_ctx_bi.initialized);
 
             if (!ks_select)