> On 24-04-2025 10:26, Arne Schwabe wrote:
> The code doesn't really do what the comment does. If you were trying to
> actually figure out if it is the same client you should rather compare
> the session ID of the tls state.

As for the session_id, I checked the following:

- m->session[TM_ACTIVE].session_id (matches)
- m->session[TM_ACTIVE].key[KS_PRIMARY].session_id_remote (matches)
- m->session[TM_ACTIVE].key[KS_LAME_DUCK].session_id_remote (is zero)

- m->session[TM_UNTRUSTED].session_id (does not match)
- m->session[TM_UNTRUSTED].key[KS_PRIMARY].session_id_remote (is zero)
- m->session[TM_UNTRUSTED].key[KS_LAME_DUCK].session_id_remote (is zero)

So, two session IDs match. I'll assume you meant the
m->session[TM_ACTIVE].session_id one then.

I can change the if-expression in my original patch to this:

  if (m1->multi_state == CAS_CONNECT_DONE
      && m2->multi_state == CAS_NOT_CONNECTED
      && m1->locked_cert_hash_set
      && !m2->locked_cert_hash_set
      && session_id_equal(&m1->session[TM_ACTIVE].session_id,
                          &m2->session[TM_ACTIVE].session_id))

Or do you suggest something else?


>> The offending commit is:
>>
>>    commit b364711486dc6371ad2659a5aa190941136f4f04
>>    Author: Arne Schwabe <a...@rfc2549.org>
>>    Date:   Mon May 2 17:43:10 2022 +0200
>>
>>      Implement stateless HMAC-based sesssion-id three-way-handshake
>>
>> Double checked and confirmed. Apparently this alters things so the
>> source-IP-switched connection shows up as a second connection.
[...]

> Well that changes the behaviour of how new sessions are established,
> that this change is the one that is triggering the issue is even more
> perplexing.

Well. If it was expected, we wouldn't be here investigating ;)

Can I assist you with some test or extra log line?

Cheers,
Walter




_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to