diff options
author | Bernhard Schmidt <berni@debian.org> | 2020-04-19 15:52:33 +0200 |
---|---|---|
committer | Bernhard Schmidt <berni@debian.org> | 2020-04-19 15:52:33 +0200 |
commit | 620785fe268a1221c1ba7a9cb5a70f3140a4f1ca (patch) | |
tree | 7b876715822d9620801283022ba73f2fce7387a3 /src/openvpn/multi.c | |
parent | 8a3450ef8682b9085637d7b94afc5c7e6f92e64b (diff) |
New upstream version 2.4.9upstream/2.4.9
Diffstat (limited to 'src/openvpn/multi.c')
-rw-r--r-- | src/openvpn/multi.c | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index baffd74..c8c9a40 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -2132,8 +2132,30 @@ multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags) { if (mi) { - /* continue authentication and send push_reply */ + /* continue authentication, perform NCP negotiation and send push_reply */ multi_process_post(m, mi, mpp_flags); + + /* With NCP and deferred authentication, we perform cipher negotiation and + * data channel keys generation on incoming push request, assuming that auth + * succeeded. When auth succeeds in between push requests and async push is used, + * we send push reply immediately. Above multi_process_post() call performs + * NCP negotiation and here we do keys generation. */ + + struct context *c = &mi->context; + struct frame *frame_fragment = NULL; +#ifdef ENABLE_FRAGMENT + if (c->options.ce.fragment) + { + frame_fragment = &c->c2.frame_fragment; + } +#endif + struct tls_session *session = &c->c2.tls_multi->session[TM_ACTIVE]; + if (!tls_session_update_crypto_params(session, &c->options, + &c->c2.frame, frame_fragment)) + { + msg(D_TLS_ERRORS, "TLS Error: initializing data channel failed"); + register_signal(c, SIGUSR1, "init-data-channel-failed"); + } } else { @@ -2540,7 +2562,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst orig_buf = c->c2.buf.data; if (process_incoming_link_part1(c, lsi, floated)) { - if (floated) + /* nonzero length means that we have a valid, decrypted packed */ + if (floated && c->c2.buf.len > 0) { multi_process_float(m, m->pending); } |