Diffstat (limited to 'app/openvpn/src/openvpn/ssl.c')
-rw-r--r-- | app/openvpn/src/openvpn/ssl.c | 46 |
1 files changed, 27 insertions, 19 deletions
diff --git a/app/openvpn/src/openvpn/ssl.c b/app/openvpn/src/openvpn/ssl.c
index f79f42d9..cdc8eb19 100644
--- a/app/openvpn/src/openvpn/ssl.c
+++ b/app/openvpn/src/openvpn/ssl.c
@@ -454,7 +454,7 @@ ssl_put_auth_challenge (const char *cr_str)
  * return tls_version_max().
  */
 int
-tls_version_min_parse(const char *vstr, const char *extra)
+tls_version_parse(const char *vstr, const char *extra)
 {
   const int max_version = tls_version_max();
   if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
@@ -2036,7 +2036,11 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi
   ASSERT (session->opt->key_method == 2);
 
   /* discard leading uint32 */
-  ASSERT (buf_advance (buf, 4));
+  if (!buf_advance (buf, 4)) {
+    msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
+         buf->len);
+    goto error;
+  }
 
   /* get key method */
   key_method_flags = buf_read_u8 (buf);
@@ -2773,7 +2777,8 @@ bool
 tls_pre_decrypt (struct tls_multi *multi,
                  const struct link_socket_actual *from,
                  struct buffer *buf,
-                 struct crypto_options *opt)
+                 struct crypto_options *opt,
+                 bool floated)
 {
   struct gc_arena gc = gc_new ();
   bool ret = false;
@@ -2817,7 +2822,7 @@ tls_pre_decrypt (struct tls_multi *multi,
 #ifdef ENABLE_DEF_AUTH
           && !ks->auth_deferred
 #endif
-          && link_socket_actual_match (from, &ks->remote_addr))
+          && (floated || link_socket_actual_match (from, &ks->remote_addr)))
             {
               /* return appropriate data channel decrypt key in opt */
               opt->key_ctx_bi = &ks->key;
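Review bot: The new length check before `buf_advance (buf, 4)` is right, but the reads that follow it in the same hunk, starting with `key_method_flags = buf_read_u8 (buf);`, are still unchecked here; if buf_read_u8 reports a short buffer through a sentinel return rather than by aborting, that result deserves the same `goto error` treatment, since this buffer appears to hold peer-supplied control-channel plaintext. The `error:` label and the remainder of key_method_2_read lie outside the hunk, so whether later reads are validated cannot be confirmed from this view. A one-line comment above the check, such as `/* peer-supplied plaintext: a short buffer is a protocol error, not an assertion failure */`, would record why the ASSERT was replaced.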
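Review bot: The new `floated` parameter of tls_pre_decrypt is undocumented, and when it is true the key state is chosen without the `link_socket_actual_match (from, &ks->remote_addr)` check in the hunk at line 2817, so the packet's source address no longer constrains which key is handed back in `opt`. Given the function name this selection appears to happen before the packet is decrypted, so the parameter description should say that a floated packet must still pass data-channel authentication before the new `from` address is acted upon, and which caller is allowed to pass `floated = true`. A comment on the parameter such as `/* floated: skip the remote_addr match and select the key by key_id alone; the caller relies on data-channel authentication before trusting from */` would make that contract visible. The body of tls_pre_decrypt runs well beyond both hunks.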
@@ -3492,27 +3497,30 @@ tls_rec_payload (struct tls_multi *multi,
   return ret;
 }
 
-/* Update the remote_addr, needed if a client floats. */
 void
-tls_update_remote_addr (struct tls_multi *multi,
-                        const struct link_socket_actual *from)
+tls_update_remote_addr (struct tls_multi *multi, const struct link_socket_actual *addr)
 {
   struct gc_arena gc = gc_new ();
-  int i;
+  int i, j;
 
-  for (i = 0; i < KEY_SCAN_SIZE; ++i)
+  for (i = 0; i < TM_SIZE; ++i)
     {
-      struct key_state *ks = multi->key_scan[i];
-      if (DECRYPT_KEY_ENABLED (multi, ks) && ks->authenticated && link_socket_actual_defined(&ks->remote_addr))
-        {
-          if (link_socket_actual_match (from, &ks->remote_addr))
-            continue;
-          dmsg (D_TLS_KEYSELECT,
-                "TLS: tls_update_remote_addr from IP=%s to IP=%s",
+      struct tls_session *session = &multi->session[i];
+
+      for (j = 0; j < KS_SIZE; ++j)
+        {
+          struct key_state *ks = &session->key[j];
+
+          if (!link_socket_actual_defined(&ks->remote_addr) ||
+              link_socket_actual_match (addr, &ks->remote_addr))
+            continue;
+
+          dmsg (D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
                 print_link_socket_actual (&ks->remote_addr, &gc),
-                print_link_socket_actual (from, &gc));
-          memcpy(&ks->remote_addr, from, sizeof(*from));
-        }
+                print_link_socket_actual (addr, &gc));
+
+          ks->remote_addr = *addr;
+        }
     }
   gc_free (&gc);
 }
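Review bot: The header comment `/* Update the remote_addr, needed if a client floats. */` is removed without a replacement, while the rewritten loop also drops the old `DECRYPT_KEY_ENABLED (multi, ks) && ks->authenticated` gate, so every key state in every session with a defined remote_addr is now rewritten to `addr`. That widening is plausibly intended (all keys of the peer follow the float), but it moves the authentication precondition onto the caller, and nothing in the hunk says so. Assuming that is the intended contract, a comment above the function such as `/* After a peer floats to addr, point every key state that still carries its old address at addr.  Callers must only pass an addr that an authenticated packet for this multi instance arrived from. */` would make it explicit. The logging and the struct assignment that replaces memcpy are otherwise equivalent to the old code.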