The key state is virtually identical to S_ACTIVE, and we only did the
state transition from S_ACTIVE to S_NORMAL_OP at the point where we
normally would have timed out the TLS negotiation. This is not very
useful information to have, and indeed we never use it anywhere.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20200810143707.5834-14-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20674.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
| ... | ... |
@@ -755,9 +755,6 @@ state_name(int state) |
| 755 | 755 |
case S_ACTIVE: |
| 756 | 756 |
return "S_ACTIVE"; |
| 757 | 757 |
|
| 758 |
- case S_NORMAL_OP: |
|
| 759 |
- return "S_NORMAL_OP"; |
|
| 760 |
- |
|
| 761 | 758 |
case S_ERROR: |
| 762 | 759 |
return "S_ERROR"; |
| 763 | 760 |
|
| ... | ... |
@@ -2705,21 +2702,12 @@ tls_process(struct tls_multi *multi, |
| 2705 | 2705 |
} |
| 2706 | 2706 |
|
| 2707 | 2707 |
/* Are we timed out on receive? */ |
| 2708 |
- if (now >= ks->must_negotiate) |
|
| 2708 |
+ if (now >= ks->must_negotiate && ks->state < S_ACTIVE) |
|
| 2709 | 2709 |
{
|
| 2710 |
- if (ks->state < S_ACTIVE) |
|
| 2711 |
- {
|
|
| 2712 |
- msg(D_TLS_ERRORS, |
|
| 2713 |
- "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)", |
|
| 2714 |
- session->opt->handshake_window); |
|
| 2715 |
- goto error; |
|
| 2716 |
- } |
|
| 2717 |
- else /* assume that ks->state == S_ACTIVE */ |
|
| 2718 |
- {
|
|
| 2719 |
- dmsg(D_TLS_DEBUG_MED, "STATE S_NORMAL_OP"); |
|
| 2720 |
- ks->state = S_NORMAL_OP; |
|
| 2721 |
- ks->must_negotiate = 0; |
|
| 2722 |
- } |
|
| 2710 |
+ msg(D_TLS_ERRORS, |
|
| 2711 |
+ "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)", |
|
| 2712 |
+ session->opt->handshake_window); |
|
| 2713 |
+ goto error; |
|
| 2723 | 2714 |
} |
| 2724 | 2715 |
|
| 2725 | 2716 |
/* Wait for Initial Handshake ACK */ |
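Review bot: The merged condition `if (now >= ks->must_negotiate && ks->state < S_ACTIVE)` reads the deadline first and the state second, which hides that the deadline only has meaning while negotiating; with `must_negotiate` reset to 0 once the key becomes active, `now >= 0` is trivially true and only the state test keeps this branch from firing. Reordering to `if (ks->state < S_ACTIVE && now >= ks->must_negotiate)` makes the intent explicit and avoids comparing against a cleared deadline at all; a short comment such as `/* the handshake deadline only applies while negotiating */` above it would help too. Behaviour is unchanged either way since `&&` is commutative here and both operands are side-effect free. tls_process begins and ends outside this hunk.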
| ... | ... |
@@ -2759,6 +2747,8 @@ tls_process(struct tls_multi *multi, |
| 2759 | 2759 |
} |
| 2760 | 2760 |
state_change = true; |
| 2761 | 2761 |
ks->state = S_ACTIVE; |
| 2762 |
+ /* Cancel negotiation timeout */ |
|
| 2763 |
+ ks->must_negotiate = 0; |
|
| 2762 | 2764 |
INCR_SUCCESS; |
| 2763 | 2765 |
|
| 2764 | 2766 |
/* Set outgoing address for data channel packets */ |
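Review bot: The new comment `/* Cancel negotiation timeout */` says what the line does but not why 0 is a safe value to leave in `ks->must_negotiate`: the timeout check earlier in tls_process (outside this hunk) is now guarded by `ks->state < S_ACTIVE`, so the cleared deadline is never compared against `now` for an active key. Suggest `/* Negotiation complete: clear the deadline (0 = none); the timeout check above ignores states >= S_ACTIVE */`. If any code outside tls_process still reads `must_negotiate`, for example to compute the next wakeup, confirm it treats 0 as "no deadline" rather than "already expired" — that cannot be seen from this hunk. The enclosing function continues beyond the hunk on both sides.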
| ... | ... |
@@ -64,8 +64,7 @@ |
| 64 | 64 |
* material. |
| 65 | 65 |
* -# \c S_GOT_KEY, have received remote part of \c key_source2 random |
| 66 | 66 |
* material. |
| 67 |
- * -# \c S_ACTIVE, normal operation during remaining handshake window. |
|
| 68 |
- * -# \c S_NORMAL_OP, normal operation. |
|
| 67 |
+ * -# \c S_ACTIVE, normal operation |
|
| 69 | 68 |
* |
| 70 | 69 |
* Servers follow the same order, except for \c S_SENT_KEY and \c |
| 71 | 70 |
* S_GOT_KEY being reversed, because the server first receives the |
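Review bot: The rewritten Doxygen list item `* -# \c S_ACTIVE, normal operation` drops the trailing period that the preceding items in the same list carry (`... random material.`), so the list now ends inconsistently. Suggest `* -# \c S_ACTIVE, normal operation.`, or, since this commit makes it the last state a successful negotiation reaches, `* -# \c S_ACTIVE, normal operation (final state of a successful handshake).` The surrounding comment block starts before this hunk.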
| ... | ... |
@@ -94,9 +93,9 @@ |
| 94 | 94 |
* immediately after negotiation has |
| 95 | 95 |
* completed while still within the |
| 96 | 96 |
* handshake window. */ |
| 97 |
-/* ready to exchange data channel packets */ |
|
| 98 |
-#define S_NORMAL_OP 7 /**< Normal operational \c key_state |
|
| 99 |
- * state. */ |
|
| 97 |
+/* Note that earlier versions also had a S_OP_NORMAL state that was |
|
| 98 |
+ * virtually identical with S_ACTIVE and the code still assumes everything |
|
| 99 |
+ * >= S_ACTIVE to be fully operational */ |
|
| 100 | 100 |
/** @} name Control channel negotiation states */ |
| 101 | 101 |
/** @} addtogroup control_processor */ |
| 102 | 102 |
|
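Review bot: The new note refers to a `S_OP_NORMAL` state, but the identifier this commit removes (see the deleted `#define S_NORMAL_OP 7` in the same hunk) is `S_NORMAL_OP`; the first line should read `/* Note that earlier versions also had a S_NORMAL_OP state that was`. The context lines just above also show the `S_ACTIVE` description still ending in `completed while still within the handshake window. */`, wording that described the now-removed S_ACTIVE/S_NORMAL_OP split; with only S_ACTIVE left, "while still within the handshake window" is stale and should be dropped so the description reads as plain normal operation after a completed negotiation. Both are comment-only changes.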