On 31.03.20 at 09:14, Tom van Leeuwen wrote:
> From: Tom van Leeuwen <tom.van.leeu...@technolution.eu>
> 
> When a client disconnects from a server compiled with mbedTLS, the server
> cannot process the PUSH_REQUEST from a new connection with the same client
> IP and port number. This is the case when the client binds to a static port.
> 
> This behavior is initiated by move_session(), which copies the content of the
> tls_session to a new session and re-initializes the old session once the new
> session is authenticated.
> This tls_session contains, among other things, an mbedtls_ssl_config and 
> bio_ctx structure. However, the mbedtls context has internal pointers to the
> mbedtls_ssl_config and bio_ctx. When the session is moved, these internal
> pointers point to the reinitialized session and as a result all received
> packets that are stored in the bio_ctx of the moved session can never be read
> by the mbedtls session. The PUSH_REQUEST is therefore never seen by the 
> server.
> 
> Since there is no public method to update these internal pointers, this
> patch dynamically allocates the mbedtls_ssl_config and bio_ctx and stores
> the pointers to those structures in the tls_session instead.

I have not verified that this fix actually fixes the bug, but the
explanation is solid. I did, however, check the code, and the handling of
ctx is correct after the patch. Also, the problem of moving ctx and having
pointers to the wrong object is present before this patch, and the patch
fixes that bug.

Acked-By: Arne Schwabe <a...@rfc2549.org>



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

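The pointer-aliasing problem the commit message describes, as an added C model that is not OpenVPN or mbedTLS code: the struct names `ssl_config`, `ssl_context` and `bio_ctx` and their fields are simplified stand-ins (assumptions), kept only to show why copying a `tls_session` by value leaves the context's internal pointers aimed at the reinitialised session, and why heap-allocating the config and bio_ctx and storing pointers in the session fixes it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the bio_ctx that buffers received packets (assumption). */
struct bio_ctx { char buf[64]; size_t len; };

/* Stand-in for mbedtls_ssl_config (assumption). */
struct ssl_config { int flags; };

/* Stand-in for mbedtls_ssl_context: like the real one it keeps pointers to
 * the config and bio it was set up with, and reads only through them. */
struct ssl_context { const struct ssl_config *conf; struct bio_ctx *p_bio; };

/* Layout before the patch: config and bio embedded by value in the session. */
struct tls_session_embedded {
    struct ssl_config  config;
    struct bio_ctx     bio;
    struct ssl_context ctx;
};

/* Layout after the patch: config and bio heap-allocated, session holds pointers. */
struct tls_session_fixed {
    struct ssl_config  *config;
    struct bio_ctx     *bio;
    struct ssl_context  ctx;
};

/* Store a received packet in a session's bio (constructed stand-in for the real buffering). */
static void bio_write(struct bio_ctx *b, const char *pkt)
{
    size_t n = strlen(pkt);
    if (n > sizeof(b->buf) - b->len) n = sizeof(b->buf) - b->len;
    memcpy(b->buf + b->len, pkt, n);
    b->len += n;
}

/* What the TLS engine can see: it goes through ctx->p_bio, not the session. */
static size_t ctx_pending(const struct ssl_context *c) { return c->p_bio->len; }

static void embedded_init(struct tls_session_embedded *s)
{
    memset(s, 0, sizeof(*s));
    s->ctx.conf  = &s->config;   /* internal pointers into this very struct */
    s->ctx.p_bio = &s->bio;
}

/* Mirrors move_session(): copy old into new, then reinitialise old. */
static void embedded_move(struct tls_session_embedded *dst, struct tls_session_embedded *src)
{
    *dst = *src;          /* dst->ctx.p_bio still points at src->bio ... */
    embedded_init(src);   /* ... which is now the reinitialised session */
}

/* Bytes the engine sees after a PUSH_REQUEST lands in the moved session: 0. */
size_t embedded_visible_after_move(void)
{
    struct tls_session_embedded a, b;
    embedded_init(&a);
    embedded_move(&b, &a);
    bio_write(&b.bio, "PUSH_REQUEST");  /* stored in b, but ctx reads a.bio */
    return ctx_pending(&b.ctx);
}

static void fixed_init(struct tls_session_fixed *s)
{
    memset(s, 0, sizeof(*s));
    s->config = calloc(1, sizeof(*s->config));
    s->bio    = calloc(1, sizeof(*s->bio));
    if (!s->config || !s->bio) abort();
    s->ctx.conf  = s->config;    /* internal pointers to heap objects, not to *s */
    s->ctx.p_bio = s->bio;
}

static void fixed_free(struct tls_session_fixed *s)
{
    free(s->config); free(s->bio);
    s->config = NULL; s->bio = NULL;
}

static void fixed_move(struct tls_session_fixed *dst, struct tls_session_fixed *src)
{
    *dst = *src;       /* dst now owns the heap objects ctx already points at */
    fixed_init(src);   /* the reinitialised session gets fresh allocations */
}

/* Bytes the engine sees after the same sequence with the patched layout: 12. */
size_t fixed_visible_after_move(void)
{
    struct tls_session_fixed a, b;
    fixed_init(&a);
    fixed_move(&b, &a);
    bio_write(b.bio, "PUSH_REQUEST");
    size_t n = ctx_pending(&b.ctx);    /* b.ctx.p_bio == b.bio */
    fixed_free(&a); fixed_free(&b);
    return n;
}

int main(void)
{
    printf("embedded layout: engine sees %zu bytes\n", embedded_visible_after_move());
    printf("heap-allocated layout: engine sees %zu bytes\n", fixed_visible_after_move());
    return 0;
}
```

The point the model makes explicit is that the by-value copy in the old layout is not merely wasteful but silently wrong: nothing in the copied `ssl_context` is invalid C, so no tool flags it, yet every read the engine performs goes to the reinitialised session. The check worth keeping in a regression test is the one in `fixed_visible_after_move()`: after the move, `ctx.p_bio` must compare equal to the new session's own `bio` pointer.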