Hi,

On Wed, May 20, 2020 at 11:34:04AM -0700, Jeremy Evans wrote:
> To give some background, we hit this assertion failure, with the
> following log output:
This should not happen, asserting out in "normal server use" is bad.
(Neither should it ever reach that point without ks->authenticated being
true)
> Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Assertion failed at
> /path/to/openvpn-2.4.7/src/openvpn/ssl.c:1944 (ks->authenticated)
Is this with true 2.4.7, or is this something more recent?
> @@ -1930,7 +1930,10 @@ tls_session_generate_data_channel_keys(struct
> tls_session *session)
> &ks->session_id_remote :
> &session->session_id;
>
> - ASSERT(ks->authenticated);
> + if (!ks->authenticated) {
> + msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
> + goto cleanup;
> + }
>
> ks->crypto_options.flags = session->opt->crypto_flags;
> if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi,
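Review bot: in the new if (!ks->authenticated) branch, the goto cleanup is taken before generate_key_expansion() has been called, and nothing in the hunk sets a failure result before the jump, so these lines do not show that the caller learns no data channel keys were generated. Please confirm that the function returns failure on this path and that the code at cleanup is safe to run when no key material has been produced. A short comment stating how an unauthenticated key_state can reach this function would also help, since the message "TLS Error: key_state not authenticated" gives no hint of the cause.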
I'm not sure if that code is correct, though - it will erase key
material (in cleanup) without actually having generated a session
key. So "bad things might happen later".
But I leave that to Steffan or Arne, who understand these intricacies
better than I do.
(Just confirmed, the ASSERT() is still like this in master)
Trying to understand the somewhat twisted maze of how ks->authenticated
is set to true/false leads me to more questions...
- are plugins or auth scripts involved on your side?
- can you reproduce this, or was this a once-in-a-lifetime crash?
(reproducible is better, of course :-) - as this could be a plugin
or script authentication interfering with changes brought by NCP...)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
