Hi,

On Wed, May 20, 2020 at 11:34:04AM -0700, Jeremy Evans wrote:
> To give some background, we hit this assertion failure, with the
> following log output:

This should not happen, asserting out in "normal server use" is bad.  

(Neither should it ever reach that point without ks->authenticated being 
true)

> Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Assertion failed at 
> /path/to/openvpn-2.4.7/src/openvpn/ssl.c:1944 (ks->authenticated)

Is this with true 2.4.7, or is this something more recent?

> @@ -1930,7 +1930,10 @@ tls_session_generate_data_channel_keys(struct 
> tls_session *session)
>                                            &ks->session_id_remote : 
> &session->session_id;
>  
> -    ASSERT(ks->authenticated);
> +    if (!ks->authenticated) {
> +        msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
> +        goto cleanup;
> +    }
>  
>      ks->crypto_options.flags = session->opt->crypto_flags;
>      if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi,
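
Review bot: in the new `if (!ks->authenticated)` branch, `goto cleanup` is taken before `generate_key_expansion()` has been called, so the cleanup path runs with no data channel keys generated. Please confirm that the function's return value is set to failure before the jump and that the code under `cleanup` is safe when nothing was generated; neither is visible in this hunk. The log message would also be easier to act on if it said that data channel key generation was refused for this key state.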

I'm not sure if that code is correct, though - it will erase key
material (in cleanup) without actually having generated a session
key.  So "bad things might happen later".

But I leave that to Steffan or Arne who understand these intricacies
better than I do.

(Just confirmed, the ASSERT() is still like this in master)


Trying to understand the somewhat twisted maze how ks->authenticated
is set to true/false leads me to more questions...

 - are plugins or auth scripts involved on your side?
 - can you reproduce this, or was this a once-in-a-lifetime crash?

(reproducible is better, of course :-) - as this could be a plugin
or script authentication interfering with changes brought by NCP...)

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
