blob: b3b9613a6021c60d66de2bc44c646402b1be206f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From 0e5516a9d656ce86f7fb370c824344ea1760c255 Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Tue, 6 Apr 2021 00:05:21 +0200
Subject: [PATCH] Ensure key state is authenticated before sending push reply
This ensures that the key state is authenticated when sending
a push reply.
---
src/openvpn/push.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 002be2332..52c6e8200 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -652,6 +652,7 @@ int
process_incoming_push_request(struct context *c)
{
int ret = PUSH_MSG_ERROR;
+ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
#ifdef ENABLE_ASYNC_PUSH
c->c2.push_request_received = true;
@@ -662,7 +663,12 @@ process_incoming_push_request(struct context *c)
send_auth_failed(c, client_reason);
ret = PUSH_MSG_AUTH_FAILURE;
}
- else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
+ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
+ && ks->authenticated
+ #ifdef ENABLE_DEF_AUTH
+ && !ks->auth_deferred
+ #endif
+ )
{
time_t now;
|