When tls_deauthenticate is called (e.g. by management kicking of a client)
the key auth state is changed to KS_AUTH_FALSE while the key state is
still in S_GENERATED_KEYS. This triggers the assertion. Remove the assertions
and instead check that the auth state is KS_AUTH_TRUE
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
src/openvpn/ssl.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 05096ee0a..8cbb129d2 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3276,9 +3276,9 @@ handle_data_channel_packet(struct tls_multi *multi,
* active side is the client which initiates connections).
*/
if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id
+ && ks->authenticated == KS_AUTH_TRUE
&& (floated || link_socket_actual_match(from, &ks->remote_addr)))
{
- ASSERT(ks->authenticated == KS_AUTH_TRUE);
if (!ks->crypto_options.key_ctx_bi.initialized)
{
msg(D_MULTI_DROPPED,
@@ -3861,9 +3861,8 @@ struct key_state *tls_select_encryption_key(struct
tls_multi *multi)
for (int i = 0; i < KEY_SCAN_SIZE; ++i)
{
struct key_state *ks = get_key_scan(multi, i);
- if (ks->state >= S_GENERATED_KEYS)
+ if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE)
{
- ASSERT(ks->authenticated == KS_AUTH_TRUE);
ASSERT(ks->crypto_options.key_ctx_bi.initialized);
if (!ks_select)
--
2.33.0
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
