Hi,

On 05/07/2021 15:34, Arne Schwabe wrote:
> Since generating data channel keys does not happen when we have reached the
> S_ACTIVE/S_GOT_KEY state anymore like it used to be before NCP, the
> state that data channel keys deserves its own state in the TLS session
> state machine.
>
> The changes done by this commit are rather intrusive since they
> move the key generation to a completely different place and also
> rely on the state machine to decide if keys should be
> generated rather than on the complicated conditions that were
> implemented in the key_method_2_write/read methods.
>
> An (intended) side effect of this change is that sessions that
> are still in deferred state (ks->authenticated == KS_DEFERRED)
> will not have data channel keys generated. This avoids corner
> cases where a not fully authenticated session might leak data.
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
>
> Patch v2: rebased
>
> Patch v3: fix crash in non TLS mode
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>

Thanks for fixing the crash.

I added the basic --secret test to my suite and I could indeed see the
crash when using v2 of this patch.

I can confirm that v3 is indeed fixing the crash.

Classic client/server and p2p with TLS still work as expected.
Deferred auth works too.

Regards,

-- 
Antonio Quartulli