Hi, I'm working through this, and have some questions...
On Fri, Oct 07, 2022 at 05:38:23PM +0200, Arne Schwabe wrote: > diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c > index 6a45b9e91..eca4a4335 100644 > --- a/src/openvpn/forward.c > +++ b/src/openvpn/forward.c > @@ -195,9 +196,15 @@ check_tls(struct context *c) > > interval_schedule_wakeup(&c->c2.tmp_int, &wakeup); > > - /* Our current code has no good hooks in the TLS machinery to update > + /* > + * Our current code has no good hooks in the TLS machinery to update > * DCO keys. So we check the key status after the whole TLS machinery > * has been completed and potentially update them > + * > + * We have a hidden state transition from secondary to primary key based > + * on ks->auth_deferred_expire that DCO needs to check that the normal > + * TLS state engine does not check. So we call the doc check even if > + * tmp_status does not indicate that something has changed. > */ > check_dco_key_status(c); > This seems unrelated to auth-token, but "escaped from the P2P DCO rework". I suggest to ignore that hunk. > diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h > index f1cade2ef..db0a96cc9 100644 > --- a/src/openvpn/ssl_common.h > +++ b/src/openvpn/ssl_common.h 
> @@ -624,6 +625,10 @@ struct tls_multi > * user/pass authentications in this session. > */ > char *auth_token_initial; > + /**< Last time an auth-token was generated, this is strictly speaking > redundant > + * as the auth_token attribute already contains the information but in a > + * highly encoded way */ > + time_t auth_token_lastgenerated; > /**< The first auth-token we sent to a client. We use this to remember > * the session ID and initial timestamp when generating new auth-token. > */ This is not used at all. I suspect this was coming from an initial approach and later all was done based on event handling. I suggest to ignore that hunk as well. The rest looks reasonable (and I'm halfway through applying it, so no need for a v2, just an "yes, please ignore those hunks"). gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de
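Review bot: the new comment in check_tls() says "So we call the doc check even if tmp_status does not indicate that something has changed" where it clearly means the DCO check (the call that follows is check_dco_key_status(c)); fix the typo before this lands. The hunk also touches nothing related to auth-token handling, it only expands the comment documenting the ks->auth_deferred_expire secondary-to-primary key transition, so it reads as a leftover from the DCO work and should be dropped from this patch or moved to its own commit.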
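Review bot: the Doxygen `/**<` post-comments end up attached to the wrong members in struct tls_multi. The new "Last time an auth-token was generated" comment is inserted directly after `char *auth_token_initial;`, so Doxygen will document auth_token_initial with it, while the existing "The first auth-token we sent to a client" comment now trails `time_t auth_token_lastgenerated;`. If the field stays, move the new comment so it follows its own declaration. The field is also not read or written by any other hunk in the posted diff, so unless something uses it the whole hunk should be dropped.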
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel