authorBernhard Schmidt <berni@debian.org>2020-04-19 15:52:33 +0200
committerBernhard Schmidt <berni@debian.org>2020-04-19 15:52:33 +0200
commit620785fe268a1221c1ba7a9cb5a70f3140a4f1ca (patch)
tree7b876715822d9620801283022ba73f2fce7387a3 /src/openvpn/multi.c
parent8a3450ef8682b9085637d7b94afc5c7e6f92e64b (diff)
New upstream version 2.4.9 (tag: upstream/2.4.9)
Diffstat (limited to 'src/openvpn/multi.c')
-rw-r--r--src/openvpn/multi.c27
1 files changed, 25 insertions, 2 deletions
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index baffd74..c8c9a40 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -2132,8 +2132,30 @@ multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
{
if (mi)
{
- /* continue authentication and send push_reply */
+ /* continue authentication, perform NCP negotiation and send push_reply */
multi_process_post(m, mi, mpp_flags);
+
+ /* With NCP and deferred authentication, we perform cipher negotiation and
+ * data channel keys generation on incoming push request, assuming that auth
+ * succeeded. When auth succeeds in between push requests and async push is used,
+ * we send push reply immediately. Above multi_process_post() call performs
+ * NCP negotiation and here we do keys generation. */
+
+ struct context *c = &mi->context;
+ struct frame *frame_fragment = NULL;
+#ifdef ENABLE_FRAGMENT
+ if (c->options.ce.fragment)
+ {
+ frame_fragment = &c->c2.frame_fragment;
+ }
+#endif
+ struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE];
+ if (!tls_session_update_crypto_params(session, &c->options,
+ &c->c2.frame, frame_fragment))
+ {
+ msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed");
+ register_signal(c, SIGUSR1, "init-data-channel-failed");
+ }
}
else
{
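Review bot: The result of `multi_process_post(m, mi, mpp_flags);` is discarded, yet the added code immediately dereferences `mi->context` to run `tls_session_update_crypto_params()`; elsewhere in multi.c that call returns false when it has closed the instance on a pending signal (when MPP_CLOSE_ON_SIGNAL is among the flags, as far as I recall from code outside this hunk), so the key generation here would then run on an instance that no longer exists. Guard the new block on the call's result, `if (multi_process_post(m, mi, mpp_flags))`, and move the fragment-frame selection, the session lookup and the `tls_session_update_crypto_params()` call inside that branch; this also avoids generating data-channel keys for an instance that already carries a signal. A short comment above the guard would make the intent clear: `/* the instance may have been closed on signal; only derive keys if it survived */`. Independently, `c->c2.tls_multi` is dereferenced without a check; if server instances can exist without a TLS multi object that deserves a guard, otherwise a one-line comment stating the invariant. The enclosing multi_process_file_closed() starts before this hunk and its else-branch continues past it.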
@@ -2540,7 +2562,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
orig_buf = c->c2.buf.data;
if (process_incoming_link_part1(c, lsi, floated))
{
- if (floated)
+ /* nonzero length means that we have a valid, decrypted packed */
+ if (floated && c->c2.buf.len > 0)
{
multi_process_float(m, m->pending);
}
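Review bot: The comment on the added line has a typo, `packed` for `packet`; it should read `/* nonzero length means that we have a valid, decrypted packet */`. The guard also deserves a sentence on why it is a security check rather than a length sanity check, since it is what prevents an unauthenticated peer from moving a session's endpoint: something like `/* only re-bind the instance's address for packets that passed authentication and decryption */`. The correctness of this relies on every authentication or decryption failure path inside process_incoming_link_part1() leaving `c->c2.buf.len` at zero, which is outside this hunk and worth confirming. The enclosing multi_process_incoming_link() begins before this hunk and continues after it.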