Browse code
Refactor/Reformat tls_pre_decrypt
- Extract data packet handling to its own function
- Replace two instances of
if (x) { code }
with
if (!x) return; code
- Remove extra curly braces that were used for pre C99 code style
to be able to declare variables in the middle of a block
This patch is easier to review with "ignore white space" as the
diff is then a lot smaller in that case and the changes more obvious.
Patch V2: Fix function name spelling, cleanup goto code in the new
handle_data_channel_packet function
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200811105541.2543-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20707.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Arne Schwabe authored on 2020/08/11 19:55:41Showing 1 changed files
| ... | ... |
@@ -3142,6 +3142,95 @@ nohard: |
| 3142 | 3142 |
* to implement a multiplexed TLS channel over the TCP/UDP port. |
| 3143 | 3143 |
*/ |
| 3144 | 3144 |
|
| 3145 |
+static inline void |
|
| 3146 |
+handle_data_channel_packet(struct tls_multi *multi, |
|
| 3147 |
+ const struct link_socket_actual *from, |
|
| 3148 |
+ struct buffer *buf, |
|
| 3149 |
+ struct crypto_options **opt, |
|
| 3150 |
+ bool floated, |
|
| 3151 |
+ const uint8_t **ad_start) |
|
| 3152 |
+{
|
|
| 3153 |
+ struct gc_arena gc = gc_new(); |
|
| 3154 |
+ |
|
| 3155 |
+ uint8_t c = *BPTR(buf); |
|
| 3156 |
+ int op = c >> P_OPCODE_SHIFT; |
|
| 3157 |
+ int key_id = c & P_KEY_ID_MASK; |
|
| 3158 |
+ |
|
| 3159 |
+ /* data channel packet */ |
|
| 3160 |
+ for (int i = 0; i < KEY_SCAN_SIZE; ++i) |
|
| 3161 |
+ {
|
|
| 3162 |
+ struct key_state *ks = multi->key_scan[i]; |
|
| 3163 |
+ |
|
| 3164 |
+ /* |
|
| 3165 |
+ * This is the basic test of TLS state compatibility between a local OpenVPN |
|
| 3166 |
+ * instance and its remote peer. |
|
| 3167 |
+ * |
|
| 3168 |
+ * If the test fails, it tells us that we are getting a packet from a source |
|
| 3169 |
+ * which claims reference to a prior negotiated TLS session, but the local |
|
| 3170 |
+ * OpenVPN instance has no memory of such a negotiation. |
|
| 3171 |
+ * |
|
| 3172 |
+ * It almost always occurs on UDP sessions when the passive side of the |
|
| 3173 |
+ * connection is restarted without the active side restarting as well (the |
|
| 3174 |
+ * passive side is the server which only listens for the connections, the |
|
| 3175 |
+ * active side is the client which initiates connections). |
|
| 3176 |
+ */ |
|
| 3177 |
+ if (DECRYPT_KEY_ENABLED(multi, ks) |
|
| 3178 |
+ && key_id == ks->key_id |
|
| 3179 |
+ && (ks->authenticated == KS_AUTH_TRUE) |
|
| 3180 |
+ && (floated || link_socket_actual_match(from, &ks->remote_addr))) |
|
| 3181 |
+ {
|
|
| 3182 |
+ if (!ks->crypto_options.key_ctx_bi.initialized) |
|
| 3183 |
+ {
|
|
| 3184 |
+ msg(D_MULTI_DROPPED, |
|
| 3185 |
+ "Key %s [%d] not initialized (yet), dropping packet.", |
|
| 3186 |
+ print_link_socket_actual(from, &gc), key_id); |
|
| 3187 |
+ goto done; |
|
| 3188 |
+ } |
|
| 3189 |
+ |
|
| 3190 |
+ /* return appropriate data channel decrypt key in opt */ |
|
| 3191 |
+ *opt = &ks->crypto_options; |
|
| 3192 |
+ if (op == P_DATA_V2) |
|
| 3193 |
+ {
|
|
| 3194 |
+ *ad_start = BPTR(buf); |
|
| 3195 |
+ } |
|
| 3196 |
+ ASSERT(buf_advance(buf, 1)); |
|
| 3197 |
+ if (op == P_DATA_V1) |
|
| 3198 |
+ {
|
|
| 3199 |
+ *ad_start = BPTR(buf); |
|
| 3200 |
+ } |
|
| 3201 |
+ else if (op == P_DATA_V2) |
|
| 3202 |
+ {
|
|
| 3203 |
+ if (buf->len < 4) |
|
| 3204 |
+ {
|
|
| 3205 |
+ msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4", |
|
| 3206 |
+ print_link_socket_actual(from, &gc)); |
|
| 3207 |
+ ++multi->n_soft_errors; |
|
| 3208 |
+ goto done; |
|
| 3209 |
+ } |
|
| 3210 |
+ ASSERT(buf_advance(buf, 3)); |
|
| 3211 |
+ } |
|
| 3212 |
+ |
|
| 3213 |
+ ++ks->n_packets; |
|
| 3214 |
+ ks->n_bytes += buf->len; |
|
| 3215 |
+ dmsg(D_TLS_KEYSELECT, |
|
| 3216 |
+ "TLS: tls_pre_decrypt, key_id=%d, IP=%s", |
|
| 3217 |
+ key_id, print_link_socket_actual(from, &gc)); |
|
| 3218 |
+ gc_free(&gc); |
|
| 3219 |
+ return; |
|
| 3220 |
+ } |
|
| 3221 |
+ } |
|
| 3222 |
+ |
|
| 3223 |
+ msg(D_TLS_ERRORS, |
|
| 3224 |
+ "TLS Error: local/remote TLS keys are out of sync: %s [%d]", |
|
| 3225 |
+ print_link_socket_actual(from, &gc), key_id); |
|
| 3226 |
+ |
|
| 3227 |
+done: |
|
| 3228 |
+ tls_clear_error(); |
|
| 3229 |
+ buf->len = 0; |
|
| 3230 |
+ *opt = NULL; |
|
| 3231 |
+ gc_free(&gc); |
|
| 3232 |
+} |
|
| 3233 |
+ |
|
| 3145 | 3234 |
/* |
| 3146 | 3235 |
* |
| 3147 | 3236 |
* When we are in TLS mode, this is the first routine which sees |
| ... | ... |
@@ -3175,440 +3264,374 @@ tls_pre_decrypt(struct tls_multi *multi, |
| 3175 | 3175 |
bool floated, |
| 3176 | 3176 |
const uint8_t **ad_start) |
| 3177 | 3177 |
{
|
| 3178 |
+ |
|
| 3179 |
+ if (buf->len <= 0) |
|
| 3180 |
+ {
|
|
| 3181 |
+ buf->len = 0; |
|
| 3182 |
+ *opt = NULL; |
|
| 3183 |
+ return false; |
|
| 3184 |
+ } |
|
| 3185 |
+ |
|
| 3178 | 3186 |
struct gc_arena gc = gc_new(); |
| 3179 | 3187 |
bool ret = false; |
| 3180 | 3188 |
|
| 3181 |
- if (buf->len > 0) |
|
| 3189 |
+ /* get opcode */ |
|
| 3190 |
+ uint8_t pkt_firstbyte = *BPTR(buf); |
|
| 3191 |
+ int op = pkt_firstbyte >> P_OPCODE_SHIFT; |
|
| 3192 |
+ |
|
| 3193 |
+ if ((op == P_DATA_V1) || (op == P_DATA_V2)) |
|
| 3182 | 3194 |
{
|
| 3183 |
- int i; |
|
| 3184 |
- int op; |
|
| 3185 |
- int key_id; |
|
| 3195 |
+ handle_data_channel_packet(multi, from, buf, opt, floated, ad_start); |
|
| 3196 |
+ return false; |
|
| 3197 |
+ } |
|
| 3186 | 3198 |
|
| 3187 |
- /* get opcode and key ID */ |
|
| 3199 |
+ /* get key_id */ |
|
| 3200 |
+ int key_id = pkt_firstbyte & P_KEY_ID_MASK; |
|
| 3201 |
+ |
|
| 3202 |
+ /* control channel packet */ |
|
| 3203 |
+ bool do_burst = false; |
|
| 3204 |
+ bool new_link = false; |
|
| 3205 |
+ struct session_id sid; /* remote session ID */ |
|
| 3206 |
+ |
|
| 3207 |
+ /* verify legal opcode */ |
|
| 3208 |
+ if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE) |
|
| 3209 |
+ {
|
|
| 3210 |
+ if (op == P_CONTROL_HARD_RESET_CLIENT_V1 |
|
| 3211 |
+ || op == P_CONTROL_HARD_RESET_SERVER_V1) |
|
| 3188 | 3212 |
{
|
| 3189 |
- uint8_t c = *BPTR(buf); |
|
| 3190 |
- op = c >> P_OPCODE_SHIFT; |
|
| 3191 |
- key_id = c & P_KEY_ID_MASK; |
|
| 3213 |
+ msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1"); |
|
| 3192 | 3214 |
} |
| 3215 |
+ msg(D_TLS_ERRORS, |
|
| 3216 |
+ "TLS Error: unknown opcode received from %s op=%d", |
|
| 3217 |
+ print_link_socket_actual(from, &gc), op); |
|
| 3218 |
+ goto error; |
|
| 3219 |
+ } |
|
| 3193 | 3220 |
|
| 3194 |
- if ((op == P_DATA_V1) || (op == P_DATA_V2)) |
|
| 3221 |
+ /* hard reset ? */ |
|
| 3222 |
+ if (is_hard_reset_method2(op)) |
|
| 3223 |
+ {
|
|
| 3224 |
+ /* verify client -> server or server -> client connection */ |
|
| 3225 |
+ if (((op == P_CONTROL_HARD_RESET_CLIENT_V2 |
|
| 3226 |
+ || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server) |
|
| 3227 |
+ || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server)) |
|
| 3195 | 3228 |
{
|
| 3196 |
- /* data channel packet */ |
|
| 3197 |
- for (i = 0; i < KEY_SCAN_SIZE; ++i) |
|
| 3198 |
- {
|
|
| 3199 |
- struct key_state *ks = multi->key_scan[i]; |
|
| 3200 |
- |
|
| 3201 |
- /* |
|
| 3202 |
- * This is the basic test of TLS state compatibility between a local OpenVPN |
|
| 3203 |
- * instance and its remote peer. |
|
| 3204 |
- * |
|
| 3205 |
- * If the test fails, it tells us that we are getting a packet from a source |
|
| 3206 |
- * which claims reference to a prior negotiated TLS session, but the local |
|
| 3207 |
- * OpenVPN instance has no memory of such a negotiation. |
|
| 3208 |
- * |
|
| 3209 |
- * It almost always occurs on UDP sessions when the passive side of the |
|
| 3210 |
- * connection is restarted without the active side restarting as well (the |
|
| 3211 |
- * passive side is the server which only listens for the connections, the |
|
| 3212 |
- * active side is the client which initiates connections). |
|
| 3213 |
- */ |
|
| 3214 |
- if (DECRYPT_KEY_ENABLED(multi, ks) |
|
| 3215 |
- && key_id == ks->key_id |
|
| 3216 |
- && (ks->authenticated == KS_AUTH_TRUE) |
|
| 3217 |
- && (floated || link_socket_actual_match(from, &ks->remote_addr))) |
|
| 3218 |
- {
|
|
| 3219 |
- if (!ks->crypto_options.key_ctx_bi.initialized) |
|
| 3220 |
- {
|
|
| 3221 |
- msg(D_MULTI_DROPPED, |
|
| 3222 |
- "Key %s [%d] not initialized (yet), dropping packet.", |
|
| 3223 |
- print_link_socket_actual(from, &gc), key_id); |
|
| 3224 |
- goto error_lite; |
|
| 3225 |
- } |
|
| 3226 |
- |
|
| 3227 |
- /* return appropriate data channel decrypt key in opt */ |
|
| 3228 |
- *opt = &ks->crypto_options; |
|
| 3229 |
- if (op == P_DATA_V2) |
|
| 3230 |
- {
|
|
| 3231 |
- *ad_start = BPTR(buf); |
|
| 3232 |
- } |
|
| 3233 |
- ASSERT(buf_advance(buf, 1)); |
|
| 3234 |
- if (op == P_DATA_V1) |
|
| 3235 |
- {
|
|
| 3236 |
- *ad_start = BPTR(buf); |
|
| 3237 |
- } |
|
| 3238 |
- else if (op == P_DATA_V2) |
|
| 3239 |
- {
|
|
| 3240 |
- if (buf->len < 4) |
|
| 3241 |
- {
|
|
| 3242 |
- msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4", |
|
| 3243 |
- print_link_socket_actual(from, &gc)); |
|
| 3244 |
- goto error; |
|
| 3245 |
- } |
|
| 3246 |
- ASSERT(buf_advance(buf, 3)); |
|
| 3247 |
- } |
|
| 3229 |
+ msg(D_TLS_ERRORS, |
|
| 3230 |
+ "TLS Error: client->client or server->server connection attempted from %s", |
|
| 3231 |
+ print_link_socket_actual(from, &gc)); |
|
| 3232 |
+ goto error; |
|
| 3233 |
+ } |
|
| 3234 |
+ } |
|
| 3248 | 3235 |
|
| 3249 |
- ++ks->n_packets; |
|
| 3250 |
- ks->n_bytes += buf->len; |
|
| 3251 |
- dmsg(D_TLS_KEYSELECT, |
|
| 3252 |
- "TLS: tls_pre_decrypt, key_id=%d, IP=%s", |
|
| 3253 |
- key_id, print_link_socket_actual(from, &gc)); |
|
| 3254 |
- gc_free(&gc); |
|
| 3255 |
- return ret; |
|
| 3256 |
- } |
|
| 3257 |
- } |
|
| 3236 |
+ /* |
|
| 3237 |
+ * Authenticate Packet |
|
| 3238 |
+ */ |
|
| 3239 |
+ dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", |
|
| 3240 |
+ packet_opcode_name(op), print_link_socket_actual(from, &gc)); |
|
| 3258 | 3241 |
|
| 3242 |
+ /* get remote session-id */ |
|
| 3243 |
+ {
|
|
| 3244 |
+ struct buffer tmp = *buf; |
|
| 3245 |
+ buf_advance(&tmp, 1); |
|
| 3246 |
+ if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid)) |
|
| 3247 |
+ {
|
|
| 3259 | 3248 |
msg(D_TLS_ERRORS, |
| 3260 |
- "TLS Error: local/remote TLS keys are out of sync: %s [%d]", |
|
| 3261 |
- print_link_socket_actual(from, &gc), key_id); |
|
| 3262 |
- goto error_lite; |
|
| 3249 |
+ "TLS Error: session-id not found in packet from %s", |
|
| 3250 |
+ print_link_socket_actual(from, &gc)); |
|
| 3251 |
+ goto error; |
|
| 3263 | 3252 |
} |
| 3264 |
- else /* control channel packet */ |
|
| 3265 |
- {
|
|
| 3266 |
- bool do_burst = false; |
|
| 3267 |
- bool new_link = false; |
|
| 3268 |
- struct session_id sid; /* remote session ID */ |
|
| 3253 |
+ } |
|
| 3254 |
+ |
|
| 3255 |
+ int i; |
|
| 3256 |
+ /* use session ID to match up packet with appropriate tls_session object */ |
|
| 3257 |
+ for (i = 0; i < TM_SIZE; ++i) |
|
| 3258 |
+ {
|
|
| 3259 |
+ struct tls_session *session = &multi->session[i]; |
|
| 3260 |
+ struct key_state *ks = &session->key[KS_PRIMARY]; |
|
| 3269 | 3261 |
|
| 3270 |
- /* verify legal opcode */ |
|
| 3271 |
- if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE) |
|
| 3262 |
+ dmsg(D_TLS_DEBUG, |
|
| 3263 |
+ "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s", |
|
| 3264 |
+ i, |
|
| 3265 |
+ state_name(ks->state), |
|
| 3266 |
+ session_id_print(&session->session_id, &gc), |
|
| 3267 |
+ session_id_print(&sid, &gc), |
|
| 3268 |
+ print_link_socket_actual(from, &gc), |
|
| 3269 |
+ session_id_print(&ks->session_id_remote, &gc), |
|
| 3270 |
+ print_link_socket_actual(&ks->remote_addr, &gc)); |
|
| 3271 |
+ |
|
| 3272 |
+ if (session_id_equal(&ks->session_id_remote, &sid)) |
|
| 3273 |
+ /* found a match */ |
|
| 3274 |
+ {
|
|
| 3275 |
+ if (i == TM_LAME_DUCK) |
|
| 3272 | 3276 |
{
|
| 3273 |
- if (op == P_CONTROL_HARD_RESET_CLIENT_V1 |
|
| 3274 |
- || op == P_CONTROL_HARD_RESET_SERVER_V1) |
|
| 3275 |
- {
|
|
| 3276 |
- msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1"); |
|
| 3277 |
- } |
|
| 3278 | 3277 |
msg(D_TLS_ERRORS, |
| 3279 |
- "TLS Error: unknown opcode received from %s op=%d", |
|
| 3280 |
- print_link_socket_actual(from, &gc), op); |
|
| 3278 |
+ "TLS ERROR: received control packet with stale session-id=%s", |
|
| 3279 |
+ session_id_print(&sid, &gc)); |
|
| 3281 | 3280 |
goto error; |
| 3282 | 3281 |
} |
| 3282 |
+ dmsg(D_TLS_DEBUG, |
|
| 3283 |
+ "TLS: found match, session[%d], sid=%s", |
|
| 3284 |
+ i, session_id_print(&sid, &gc)); |
|
| 3285 |
+ break; |
|
| 3286 |
+ } |
|
| 3287 |
+ } |
|
| 3283 | 3288 |
|
| 3284 |
- /* hard reset ? */ |
|
| 3285 |
- if (is_hard_reset_method2(op)) |
|
| 3286 |
- {
|
|
| 3287 |
- /* verify client -> server or server -> client connection */ |
|
| 3288 |
- if (((op == P_CONTROL_HARD_RESET_CLIENT_V2 |
|
| 3289 |
- || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server) |
|
| 3290 |
- || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server)) |
|
| 3291 |
- {
|
|
| 3292 |
- msg(D_TLS_ERRORS, |
|
| 3293 |
- "TLS Error: client->client or server->server connection attempted from %s", |
|
| 3294 |
- print_link_socket_actual(from, &gc)); |
|
| 3295 |
- goto error; |
|
| 3296 |
- } |
|
| 3297 |
- } |
|
| 3298 |
- |
|
| 3299 |
- /* |
|
| 3300 |
- * Authenticate Packet |
|
| 3301 |
- */ |
|
| 3302 |
- dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", |
|
| 3303 |
- packet_opcode_name(op), print_link_socket_actual(from, &gc)); |
|
| 3289 |
+ /* |
|
| 3290 |
+ * Hard reset and session id does not match any session in |
|
| 3291 |
+ * multi->session: Possible initial packet |
|
| 3292 |
+ */ |
|
| 3293 |
+ if (i == TM_SIZE && is_hard_reset_method2(op)) |
|
| 3294 |
+ {
|
|
| 3295 |
+ struct tls_session *session = &multi->session[TM_ACTIVE]; |
|
| 3296 |
+ struct key_state *ks = &session->key[KS_PRIMARY]; |
|
| 3304 | 3297 |
|
| 3305 |
- /* get remote session-id */ |
|
| 3298 |
+ /* |
|
| 3299 |
+ * If we have no session currently in progress, the initial packet will |
|
| 3300 |
+ * open a new session in TM_ACTIVE rather than TM_UNTRUSTED. |
|
| 3301 |
+ */ |
|
| 3302 |
+ if (!session_id_defined(&ks->session_id_remote)) |
|
| 3303 |
+ {
|
|
| 3304 |
+ if (multi->opt.single_session && multi->n_sessions) |
|
| 3306 | 3305 |
{
|
| 3307 |
- struct buffer tmp = *buf; |
|
| 3308 |
- buf_advance(&tmp, 1); |
|
| 3309 |
- if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid)) |
|
| 3310 |
- {
|
|
| 3311 |
- msg(D_TLS_ERRORS, |
|
| 3312 |
- "TLS Error: session-id not found in packet from %s", |
|
| 3313 |
- print_link_socket_actual(from, &gc)); |
|
| 3314 |
- goto error; |
|
| 3315 |
- } |
|
| 3306 |
+ msg(D_TLS_ERRORS, |
|
| 3307 |
+ "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]", |
|
| 3308 |
+ print_link_socket_actual(from, &gc)); |
|
| 3309 |
+ goto error; |
|
| 3316 | 3310 |
} |
| 3317 | 3311 |
|
| 3318 |
- /* use session ID to match up packet with appropriate tls_session object */ |
|
| 3319 |
- for (i = 0; i < TM_SIZE; ++i) |
|
| 3312 |
+#ifdef ENABLE_MANAGEMENT |
|
| 3313 |
+ if (management) |
|
| 3320 | 3314 |
{
|
| 3321 |
- struct tls_session *session = &multi->session[i]; |
|
| 3322 |
- struct key_state *ks = &session->key[KS_PRIMARY]; |
|
| 3323 |
- |
|
| 3324 |
- dmsg(D_TLS_DEBUG, |
|
| 3325 |
- "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s", |
|
| 3326 |
- i, |
|
| 3327 |
- state_name(ks->state), |
|
| 3328 |
- session_id_print(&session->session_id, &gc), |
|
| 3329 |
- session_id_print(&sid, &gc), |
|
| 3330 |
- print_link_socket_actual(from, &gc), |
|
| 3331 |
- session_id_print(&ks->session_id_remote, &gc), |
|
| 3332 |
- print_link_socket_actual(&ks->remote_addr, &gc)); |
|
| 3333 |
- |
|
| 3334 |
- if (session_id_equal(&ks->session_id_remote, &sid)) |
|
| 3335 |
- /* found a match */ |
|
| 3336 |
- {
|
|
| 3337 |
- if (i == TM_LAME_DUCK) |
|
| 3338 |
- {
|
|
| 3339 |
- msg(D_TLS_ERRORS, |
|
| 3340 |
- "TLS ERROR: received control packet with stale session-id=%s", |
|
| 3341 |
- session_id_print(&sid, &gc)); |
|
| 3342 |
- goto error; |
|
| 3343 |
- } |
|
| 3344 |
- dmsg(D_TLS_DEBUG, |
|
| 3345 |
- "TLS: found match, session[%d], sid=%s", |
|
| 3346 |
- i, session_id_print(&sid, &gc)); |
|
| 3347 |
- break; |
|
| 3348 |
- } |
|
| 3315 |
+ management_set_state(management, |
|
| 3316 |
+ OPENVPN_STATE_AUTH, |
|
| 3317 |
+ NULL, |
|
| 3318 |
+ NULL, |
|
| 3319 |
+ NULL, |
|
| 3320 |
+ NULL, |
|
| 3321 |
+ NULL); |
|
| 3349 | 3322 |
} |
| 3323 |
+#endif |
|
| 3350 | 3324 |
|
| 3351 |
- /* |
|
| 3352 |
- * Hard reset and session id does not match any session in |
|
| 3353 |
- * multi->session: Possible initial packet |
|
| 3354 |
- */ |
|
| 3355 |
- if (i == TM_SIZE && is_hard_reset_method2(op)) |
|
| 3356 |
- {
|
|
| 3357 |
- struct tls_session *session = &multi->session[TM_ACTIVE]; |
|
| 3358 |
- struct key_state *ks = &session->key[KS_PRIMARY]; |
|
| 3359 |
- |
|
| 3360 |
- /* |
|
| 3361 |
- * If we have no session currently in progress, the initial packet will |
|
| 3362 |
- * open a new session in TM_ACTIVE rather than TM_UNTRUSTED. |
|
| 3363 |
- */ |
|
| 3364 |
- if (!session_id_defined(&ks->session_id_remote)) |
|
| 3365 |
- {
|
|
| 3366 |
- if (multi->opt.single_session && multi->n_sessions) |
|
| 3367 |
- {
|
|
| 3368 |
- msg(D_TLS_ERRORS, |
|
| 3369 |
- "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]", |
|
| 3370 |
- print_link_socket_actual(from, &gc)); |
|
| 3371 |
- goto error; |
|
| 3372 |
- } |
|
| 3325 |
+ msg(D_TLS_DEBUG_LOW, |
|
| 3326 |
+ "TLS: Initial packet from %s, sid=%s", |
|
| 3327 |
+ print_link_socket_actual(from, &gc), |
|
| 3328 |
+ session_id_print(&sid, &gc)); |
|
| 3373 | 3329 |
|
| 3374 |
-#ifdef ENABLE_MANAGEMENT |
|
| 3375 |
- if (management) |
|
| 3376 |
- {
|
|
| 3377 |
- management_set_state(management, |
|
| 3378 |
- OPENVPN_STATE_AUTH, |
|
| 3379 |
- NULL, |
|
| 3380 |
- NULL, |
|
| 3381 |
- NULL, |
|
| 3382 |
- NULL, |
|
| 3383 |
- NULL); |
|
| 3384 |
- } |
|
| 3385 |
-#endif |
|
| 3330 |
+ do_burst = true; |
|
| 3331 |
+ new_link = true; |
|
| 3332 |
+ i = TM_ACTIVE; |
|
| 3333 |
+ session->untrusted_addr = *from; |
|
| 3334 |
+ } |
|
| 3335 |
+ } |
|
| 3386 | 3336 |
|
| 3387 |
- msg(D_TLS_DEBUG_LOW, |
|
| 3388 |
- "TLS: Initial packet from %s, sid=%s", |
|
| 3389 |
- print_link_socket_actual(from, &gc), |
|
| 3390 |
- session_id_print(&sid, &gc)); |
|
| 3337 |
+ /* |
|
| 3338 |
+ * If we detected new session in the last if block, i has |
|
| 3339 |
+ * changed to TM_ACTIVE, so check the condition again. |
|
| 3340 |
+ */ |
|
| 3341 |
+ if (i == TM_SIZE && is_hard_reset_method2(op)) |
|
| 3342 |
+ {
|
|
| 3343 |
+ /* |
|
| 3344 |
+ * No match with existing sessions, |
|
| 3345 |
+ * probably a new session. |
|
| 3346 |
+ */ |
|
| 3347 |
+ struct tls_session *session = &multi->session[TM_UNTRUSTED]; |
|
| 3391 | 3348 |
|
| 3392 |
- do_burst = true; |
|
| 3393 |
- new_link = true; |
|
| 3394 |
- i = TM_ACTIVE; |
|
| 3395 |
- session->untrusted_addr = *from; |
|
| 3396 |
- } |
|
| 3397 |
- } |
|
| 3349 |
+ /* |
|
| 3350 |
+ * If --single-session, don't allow any hard-reset connection request |
|
| 3351 |
+ * unless it the the first packet of the session. |
|
| 3352 |
+ */ |
|
| 3353 |
+ if (multi->opt.single_session) |
|
| 3354 |
+ {
|
|
| 3355 |
+ msg(D_TLS_ERRORS, |
|
| 3356 |
+ "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]", |
|
| 3357 |
+ print_link_socket_actual(from, &gc)); |
|
| 3358 |
+ goto error; |
|
| 3359 |
+ } |
|
| 3398 | 3360 |
|
| 3399 |
- /* |
|
| 3400 |
- * If we detected new session in the last if block, i has |
|
| 3401 |
- * changed to TM_ACTIVE, so check the condition again. |
|
| 3402 |
- */ |
|
| 3403 |
- if (i == TM_SIZE && is_hard_reset_method2(op)) |
|
| 3404 |
- {
|
|
| 3405 |
- /* |
|
| 3406 |
- * No match with existing sessions, |
|
| 3407 |
- * probably a new session. |
|
| 3408 |
- */ |
|
| 3409 |
- struct tls_session *session = &multi->session[TM_UNTRUSTED]; |
|
| 3410 |
- |
|
| 3411 |
- /* |
|
| 3412 |
- * If --single-session, don't allow any hard-reset connection request |
|
| 3413 |
- * unless it the the first packet of the session. |
|
| 3414 |
- */ |
|
| 3415 |
- if (multi->opt.single_session) |
|
| 3416 |
- {
|
|
| 3417 |
- msg(D_TLS_ERRORS, |
|
| 3418 |
- "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]", |
|
| 3419 |
- print_link_socket_actual(from, &gc)); |
|
| 3420 |
- goto error; |
|
| 3421 |
- } |
|
| 3361 |
+ if (!read_control_auth(buf, &session->tls_wrap, from, |
|
| 3362 |
+ session->opt)) |
|
| 3363 |
+ {
|
|
| 3364 |
+ goto error; |
|
| 3365 |
+ } |
|
| 3422 | 3366 |
|
| 3423 |
- if (!read_control_auth(buf, &session->tls_wrap, from, |
|
| 3424 |
- session->opt)) |
|
| 3425 |
- {
|
|
| 3426 |
- goto error; |
|
| 3427 |
- } |
|
| 3367 |
+ /* |
|
| 3368 |
+ * New session-initiating control packet is authenticated at this point, |
|
| 3369 |
+ * assuming that the --tls-auth command line option was used. |
|
| 3370 |
+ * |
|
| 3371 |
+ * Without --tls-auth, we leave authentication entirely up to TLS. |
|
| 3372 |
+ */ |
|
| 3373 |
+ msg(D_TLS_DEBUG_LOW, |
|
| 3374 |
+ "TLS: new session incoming connection from %s", |
|
| 3375 |
+ print_link_socket_actual(from, &gc)); |
|
| 3428 | 3376 |
|
| 3429 |
- /* |
|
| 3430 |
- * New session-initiating control packet is authenticated at this point, |
|
| 3431 |
- * assuming that the --tls-auth command line option was used. |
|
| 3432 |
- * |
|
| 3433 |
- * Without --tls-auth, we leave authentication entirely up to TLS. |
|
| 3434 |
- */ |
|
| 3435 |
- msg(D_TLS_DEBUG_LOW, |
|
| 3436 |
- "TLS: new session incoming connection from %s", |
|
| 3437 |
- print_link_socket_actual(from, &gc)); |
|
| 3377 |
+ new_link = true; |
|
| 3378 |
+ i = TM_UNTRUSTED; |
|
| 3379 |
+ session->untrusted_addr = *from; |
|
| 3380 |
+ } |
|
| 3381 |
+ else |
|
| 3382 |
+ {
|
|
| 3383 |
+ struct tls_session *session = &multi->session[i]; |
|
| 3384 |
+ struct key_state *ks = &session->key[KS_PRIMARY]; |
|
| 3438 | 3385 |
|
| 3439 |
- new_link = true; |
|
| 3440 |
- i = TM_UNTRUSTED; |
|
| 3441 |
- session->untrusted_addr = *from; |
|
| 3442 |
- } |
|
| 3443 |
- else |
|
| 3386 |
+ /* |
|
| 3387 |
+ * Packet must belong to an existing session. |
|
| 3388 |
+ */ |
|
| 3389 |
+ if (i != TM_ACTIVE && i != TM_UNTRUSTED) |
|
| 3390 |
+ {
|
|
| 3391 |
+ msg(D_TLS_ERRORS, |
|
| 3392 |
+ "TLS Error: Unroutable control packet received from %s (si=%d op=%s)", |
|
| 3393 |
+ print_link_socket_actual(from, &gc), |
|
| 3394 |
+ i, |
|
| 3395 |
+ packet_opcode_name(op)); |
|
| 3396 |
+ goto error; |
|
| 3397 |
+ } |
|
| 3398 |
+ |
|
| 3399 |
+ /* |
|
| 3400 |
+ * Verify remote IP address |
|
| 3401 |
+ */ |
|
| 3402 |
+ if (!new_link && !link_socket_actual_match(&ks->remote_addr, from)) |
|
| 3403 |
+ {
|
|
| 3404 |
+ msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s", |
|
| 3405 |
+ print_link_socket_actual(from, &gc)); |
|
| 3406 |
+ goto error; |
|
| 3407 |
+ } |
|
| 3408 |
+ |
|
| 3409 |
+ /* |
|
| 3410 |
+ * Remote is requesting a key renegotiation |
|
| 3411 |
+ */ |
|
| 3412 |
+ if (op == P_CONTROL_SOFT_RESET_V1 |
|
| 3413 |
+ && DECRYPT_KEY_ENABLED(multi, ks)) |
|
| 3414 |
+ {
|
|
| 3415 |
+ if (!read_control_auth(buf, &session->tls_wrap, from, |
|
| 3416 |
+ session->opt)) |
|
| 3444 | 3417 |
{
|
| 3445 |
- struct tls_session *session = &multi->session[i]; |
|
| 3446 |
- struct key_state *ks = &session->key[KS_PRIMARY]; |
|
| 3418 |
+ goto error; |
|
| 3419 |
+ } |
|
| 3447 | 3420 |
|
| 3448 |
- /* |
|
| 3449 |
- * Packet must belong to an existing session. |
|
| 3450 |
- */ |
|
| 3451 |
- if (i != TM_ACTIVE && i != TM_UNTRUSTED) |
|
| 3452 |
- {
|
|
| 3453 |
- msg(D_TLS_ERRORS, |
|
| 3454 |
- "TLS Error: Unroutable control packet received from %s (si=%d op=%s)", |
|
| 3455 |
- print_link_socket_actual(from, &gc), |
|
| 3456 |
- i, |
|
| 3457 |
- packet_opcode_name(op)); |
|
| 3458 |
- goto error; |
|
| 3459 |
- } |
|
| 3421 |
+ key_state_soft_reset(session); |
|
| 3460 | 3422 |
|
| 3461 |
- /* |
|
| 3462 |
- * Verify remote IP address |
|
| 3463 |
- */ |
|
| 3464 |
- if (!new_link && !link_socket_actual_match(&ks->remote_addr, from)) |
|
| 3465 |
- {
|
|
| 3466 |
- msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s", |
|
| 3467 |
- print_link_socket_actual(from, &gc)); |
|
| 3468 |
- goto error; |
|
| 3469 |
- } |
|
| 3423 |
+ dmsg(D_TLS_DEBUG, |
|
| 3424 |
+ "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", |
|
| 3425 |
+ i, session_id_print(&sid, &gc)); |
|
| 3426 |
+ } |
|
| 3427 |
+ else |
|
| 3428 |
+ {
|
|
| 3429 |
+ /* |
|
| 3430 |
+ * Remote responding to our key renegotiation request? |
|
| 3431 |
+ */ |
|
| 3432 |
+ if (op == P_CONTROL_SOFT_RESET_V1) |
|
| 3433 |
+ {
|
|
| 3434 |
+ do_burst = true; |
|
| 3435 |
+ } |
|
| 3470 | 3436 |
|
| 3471 |
- /* |
|
| 3472 |
- * Remote is requesting a key renegotiation |
|
| 3473 |
- */ |
|
| 3474 |
- if (op == P_CONTROL_SOFT_RESET_V1 |
|
| 3475 |
- && DECRYPT_KEY_ENABLED(multi, ks)) |
|
| 3476 |
- {
|
|
| 3477 |
- if (!read_control_auth(buf, &session->tls_wrap, from, |
|
| 3478 |
- session->opt)) |
|
| 3479 |
- {
|
|
| 3480 |
- goto error; |
|
| 3481 |
- } |
|
| 3437 |
+ if (!read_control_auth(buf, &session->tls_wrap, from, |
|
| 3438 |
+ session->opt)) |
|
| 3439 |
+ {
|
|
| 3440 |
+ goto error; |
|
| 3441 |
+ } |
|
| 3482 | 3442 |
|
| 3483 |
- key_state_soft_reset(session); |
|
| 3443 |
+ dmsg(D_TLS_DEBUG, |
|
| 3444 |
+ "TLS: received control channel packet s#=%d sid=%s", |
|
| 3445 |
+ i, session_id_print(&sid, &gc)); |
|
| 3446 |
+ } |
|
| 3447 |
+ } |
|
| 3484 | 3448 |
|
| 3485 |
- dmsg(D_TLS_DEBUG, |
|
| 3486 |
- "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", |
|
| 3487 |
- i, session_id_print(&sid, &gc)); |
|
| 3488 |
- } |
|
| 3489 |
- else |
|
| 3490 |
- {
|
|
| 3491 |
- /* |
|
| 3492 |
- * Remote responding to our key renegotiation request? |
|
| 3493 |
- */ |
|
| 3494 |
- if (op == P_CONTROL_SOFT_RESET_V1) |
|
| 3495 |
- {
|
|
| 3496 |
- do_burst = true; |
|
| 3497 |
- } |
|
| 3449 |
+ /* |
|
| 3450 |
+ * We have an authenticated control channel packet (if --tls-auth was set). |
|
| 3451 |
+ * Now pass to our reliability layer which deals with |
|
| 3452 |
+ * packet acknowledgements, retransmits, sequencing, etc. |
|
| 3453 |
+ */ |
|
| 3454 |
+ struct tls_session *session = &multi->session[i]; |
|
| 3455 |
+ struct key_state *ks = &session->key[KS_PRIMARY]; |
|
| 3498 | 3456 |
|
| 3499 |
- if (!read_control_auth(buf, &session->tls_wrap, from, |
|
| 3500 |
- session->opt)) |
|
| 3501 |
- {
|
|
| 3502 |
- goto error; |
|
| 3503 |
- } |
|
| 3457 |
+ /* Make sure we were initialized and that we're not in an error state */ |
|
| 3458 |
+ ASSERT(ks->state != S_UNDEF); |
|
| 3459 |
+ ASSERT(ks->state != S_ERROR); |
|
| 3460 |
+ ASSERT(session_id_defined(&session->session_id)); |
|
| 3504 | 3461 |
|
| 3505 |
- dmsg(D_TLS_DEBUG, |
|
| 3506 |
- "TLS: received control channel packet s#=%d sid=%s", |
|
| 3507 |
- i, session_id_print(&sid, &gc)); |
|
| 3508 |
- } |
|
| 3509 |
- } |
|
| 3462 |
+ /* Let our caller know we processed a control channel packet */ |
|
| 3463 |
+ ret = true; |
|
| 3510 | 3464 |
|
| 3511 |
- /* |
|
| 3512 |
- * We have an authenticated control channel packet (if --tls-auth was set). |
|
| 3513 |
- * Now pass to our reliability layer which deals with |
|
| 3514 |
- * packet acknowledgements, retransmits, sequencing, etc. |
|
| 3515 |
- */ |
|
| 3516 |
- {
|
|
| 3517 |
- struct tls_session *session = &multi->session[i]; |
|
| 3518 |
- struct key_state *ks = &session->key[KS_PRIMARY]; |
|
| 3465 |
+ /* |
|
| 3466 |
+ * Set our remote address and remote session_id |
|
| 3467 |
+ */ |
|
| 3468 |
+ if (new_link) |
|
| 3469 |
+ {
|
|
| 3470 |
+ ks->session_id_remote = sid; |
|
| 3471 |
+ ks->remote_addr = *from; |
|
| 3472 |
+ ++multi->n_sessions; |
|
| 3473 |
+ } |
|
| 3474 |
+ else if (!link_socket_actual_match(&ks->remote_addr, from)) |
|
| 3475 |
+ {
|
|
| 3476 |
+ msg(D_TLS_ERRORS, |
|
| 3477 |
+ "TLS Error: Existing session control channel packet from unknown IP address: %s", |
|
| 3478 |
+ print_link_socket_actual(from, &gc)); |
|
| 3479 |
+ goto error; |
|
| 3480 |
+ } |
|
| 3519 | 3481 |
|
| 3520 |
- /* Make sure we were initialized and that we're not in an error state */ |
|
| 3521 |
- ASSERT(ks->state != S_UNDEF); |
|
| 3522 |
- ASSERT(ks->state != S_ERROR); |
|
| 3523 |
- ASSERT(session_id_defined(&session->session_id)); |
|
| 3482 |
+ /* |
|
| 3483 |
+ * Should we do a retransmit of all unacknowledged packets in |
|
| 3484 |
+ * the send buffer? This improves the start-up efficiency of the |
|
| 3485 |
+ * initial key negotiation after the 2nd peer comes online. |
|
| 3486 |
+ */ |
|
| 3487 |
+ if (do_burst && !session->burst) |
|
| 3488 |
+ {
|
|
| 3489 |
+ reliable_schedule_now(ks->send_reliable); |
|
| 3490 |
+ session->burst = true; |
|
| 3491 |
+ } |
|
| 3524 | 3492 |
|
| 3525 |
- /* Let our caller know we processed a control channel packet */ |
|
| 3526 |
- ret = true; |
|
| 3493 |
+ /* Check key_id */ |
|
| 3494 |
+ if (ks->key_id != key_id) |
|
| 3495 |
+ {
|
|
| 3496 |
+ msg(D_TLS_ERRORS, |
|
| 3497 |
+ "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", |
|
| 3498 |
+ ks->key_id, key_id, print_key_id(multi, &gc)); |
|
| 3499 |
+ goto error; |
|
| 3500 |
+ } |
|
| 3527 | 3501 |
|
| 3528 |
- /* |
|
| 3529 |
- * Set our remote address and remote session_id |
|
| 3530 |
- */ |
|
| 3531 |
- if (new_link) |
|
| 3532 |
- {
|
|
| 3533 |
- ks->session_id_remote = sid; |
|
| 3534 |
- ks->remote_addr = *from; |
|
| 3535 |
- ++multi->n_sessions; |
|
| 3536 |
- } |
|
| 3537 |
- else if (!link_socket_actual_match(&ks->remote_addr, from)) |
|
| 3538 |
- {
|
|
| 3539 |
- msg(D_TLS_ERRORS, |
|
| 3540 |
- "TLS Error: Existing session control channel packet from unknown IP address: %s", |
|
| 3541 |
- print_link_socket_actual(from, &gc)); |
|
| 3542 |
- goto error; |
|
| 3543 |
- } |
|
| 3502 |
+ /* |
|
| 3503 |
+ * Process incoming ACKs for packets we can now |
|
| 3504 |
+ * delete from reliable send buffer |
|
| 3505 |
+ */ |
|
| 3506 |
+ {
|
|
| 3507 |
+ /* buffers all packet IDs to delete from send_reliable */ |
|
| 3508 |
+ struct reliable_ack send_ack; |
|
| 3544 | 3509 |
|
| 3545 |
- /* |
|
| 3546 |
- * Should we do a retransmit of all unacknowledged packets in |
|
| 3547 |
- * the send buffer? This improves the start-up efficiency of the |
|
| 3548 |
- * initial key negotiation after the 2nd peer comes online. |
|
| 3549 |
- */ |
|
| 3550 |
- if (do_burst && !session->burst) |
|
| 3551 |
- {
|
|
| 3552 |
- reliable_schedule_now(ks->send_reliable); |
|
| 3553 |
- session->burst = true; |
|
| 3554 |
- } |
|
| 3510 |
+ send_ack.len = 0; |
|
| 3511 |
+ if (!reliable_ack_read(&send_ack, buf, &session->session_id)) |
|
| 3512 |
+ {
|
|
| 3513 |
+ msg(D_TLS_ERRORS, |
|
| 3514 |
+ "TLS Error: reading acknowledgement record from packet"); |
|
| 3515 |
+ goto error; |
|
| 3516 |
+ } |
|
| 3517 |
+ reliable_send_purge(ks->send_reliable, &send_ack); |
|
| 3518 |
+ } |
|
| 3555 | 3519 |
|
| 3556 |
- /* Check key_id */ |
|
| 3557 |
- if (ks->key_id != key_id) |
|
| 3558 |
- {
|
|
| 3559 |
- msg(D_TLS_ERRORS, |
|
| 3560 |
- "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", |
|
| 3561 |
- ks->key_id, key_id, print_key_id(multi, &gc)); |
|
| 3562 |
- goto error; |
|
| 3563 |
- } |
|
| 3520 |
+ if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable)) |
|
| 3521 |
+ {
|
|
| 3522 |
+ packet_id_type id; |
|
| 3564 | 3523 |
|
| 3565 |
- /* |
|
| 3566 |
- * Process incoming ACKs for packets we can now |
|
| 3567 |
- * delete from reliable send buffer |
|
| 3568 |
- */ |
|
| 3524 |
+ /* Extract the packet ID from the packet */ |
|
| 3525 |
+ if (reliable_ack_read_packet_id(buf, &id)) |
|
| 3526 |
+ {
|
|
| 3527 |
+ /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */ |
|
| 3528 |
+ if (reliable_wont_break_sequentiality(ks->rec_reliable, id)) |
|
| 3529 |
+ {
|
|
| 3530 |
+ if (reliable_not_replay(ks->rec_reliable, id)) |
|
| 3569 | 3531 |
{
|
| 3570 |
- /* buffers all packet IDs to delete from send_reliable */ |
|
| 3571 |
- struct reliable_ack send_ack; |
|
| 3572 |
- |
|
| 3573 |
- send_ack.len = 0; |
|
| 3574 |
- if (!reliable_ack_read(&send_ack, buf, &session->session_id)) |
|
| 3532 |
+ /* Save incoming ciphertext packet to reliable buffer */ |
|
| 3533 |
+ struct buffer *in = reliable_get_buf(ks->rec_reliable); |
|
| 3534 |
+ ASSERT(in); |
|
| 3535 |
+ if (!buf_copy(in, buf)) |
|
| 3575 | 3536 |
{
|
| 3576 |
- msg(D_TLS_ERRORS, |
|
| 3577 |
- "TLS Error: reading acknowledgement record from packet"); |
|
| 3537 |
+ msg(D_MULTI_DROPPED, |
|
| 3538 |
+ "Incoming control channel packet too big, dropping."); |
|
| 3578 | 3539 |
goto error; |
| 3579 | 3540 |
} |
| 3580 |
- reliable_send_purge(ks->send_reliable, &send_ack); |
|
| 3541 |
+ reliable_mark_active_incoming(ks->rec_reliable, in, id, op); |
|
| 3581 | 3542 |
} |
| 3582 | 3543 |
|
| 3583 |
- if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable)) |
|
| 3584 |
- {
|
|
| 3585 |
- packet_id_type id; |
|
| 3586 |
- |
|
| 3587 |
- /* Extract the packet ID from the packet */ |
|
| 3588 |
- if (reliable_ack_read_packet_id(buf, &id)) |
|
| 3589 |
- {
|
|
| 3590 |
- /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */ |
|
| 3591 |
- if (reliable_wont_break_sequentiality(ks->rec_reliable, id)) |
|
| 3592 |
- {
|
|
| 3593 |
- if (reliable_not_replay(ks->rec_reliable, id)) |
|
| 3594 |
- {
|
|
| 3595 |
- /* Save incoming ciphertext packet to reliable buffer */ |
|
| 3596 |
- struct buffer *in = reliable_get_buf(ks->rec_reliable); |
|
| 3597 |
- ASSERT(in); |
|
| 3598 |
- if (!buf_copy(in, buf)) |
|
| 3599 |
- {
|
|
| 3600 |
- msg(D_MULTI_DROPPED, |
|
| 3601 |
- "Incoming control channel packet too big, dropping."); |
|
| 3602 |
- goto error; |
|
| 3603 |
- } |
|
| 3604 |
- reliable_mark_active_incoming(ks->rec_reliable, in, id, op); |
|
| 3605 |
- } |
|
| 3606 |
- |
|
| 3607 |
- /* Process outgoing acknowledgment for packet just received, even if it's a replay */ |
|
| 3608 |
- reliable_ack_acknowledge_packet_id(ks->rec_ack, id); |
|
| 3609 |
- } |
|
| 3610 |
- } |
|
| 3611 |
- } |
|
| 3544 |
+ /* Process outgoing acknowledgment for packet just received, even if it's a replay */ |
|
| 3545 |
+ reliable_ack_acknowledge_packet_id(ks->rec_ack, id); |
|
| 3612 | 3546 |
} |
| 3613 | 3547 |
} |
| 3614 | 3548 |
} |
| ... | ... |
@@ -3621,7 +3644,6 @@ done: |
| 3621 | 3621 |
|
| 3622 | 3622 |
error: |
| 3623 | 3623 |
++multi->n_soft_errors; |
| 3624 |
-error_lite: |
|
| 3625 | 3624 |
tls_clear_error(); |
| 3626 | 3625 |
goto done; |
| 3627 | 3626 |
} |