@@ -3278,9 +3278,9 @@ handle_data_channel_packet(struct tls_multi *multi,
* active side is the client which initiates connections).
*/
if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id
+ && ks->authenticated == KS_AUTH_TRUE
&& (floated || link_socket_actual_match(from, &ks->remote_addr)))
{
- ASSERT(ks->authenticated == KS_AUTH_TRUE);
if (!ks->crypto_options.key_ctx_bi.initialized)
{
msg(D_MULTI_DROPPED,
@@ -3863,9 +3863,8 @@ struct key_state *tls_select_encryption_key(struct tls_multi *multi)
for (int i = 0; i < KEY_SCAN_SIZE; ++i)
{
struct key_state *ks = get_key_scan(multi, i);
- if (ks->state >= S_GENERATED_KEYS)
+ if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE)
{
- ASSERT(ks->authenticated == KS_AUTH_TRUE);
ASSERT(ks->crypto_options.key_ctx_bi.initialized);
if (!ks_select)
When tls_deauthenticate is called (e.g. by management kicking of a client) the key auth state is changed to KS_AUTH_FALSE while the key state is still in S_GENERATED_KEYS. This triggers the assertion. Remove the assertions and instead check that the auth state is KS_AUTH_TRUE Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/ssl.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)