Commit 82ee2fe4b4 already did this when the session id stayed the same
but forgot the other code path that could also lead to tls-crypt keys to be
setup.
This approach was a bit too fragile as it missed some other code path
that might trigger the same behaviour. This commit changes the logic
to directly infer if the key is already initialised instead of taking
a proxy (like key state as the previous commit did).
The fix in commit 7a6ab5773 (#121, #127) made sure that we do not try
to extract the tls-crypt-v2 key multiple times and made the unit test
basically not work as the extraction was skipped and then could also
not fail anymore. I could work around it in the unit test but improving
tls_wrap_free felt preferable.
(Backported from master commit e287547d85151)
CVE: 2026-13698
Reported-By: Max Fillinger <maximilian.fillinger@sentyron.com>
Github: OpenVPN/openvpn-private-issues#137
Github: OpenVPN/openvpn-private-issues#138
Github: OpenVPN/openvpn-private-issues#147 (2.6 backport)
Change-Id: I3b5e4e84762aa253d46e69103f7b1e84ebefca1d
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-By: Max Fillinger <maximilian.fillinger@sentyron.com>
Acked-By: Gert Doering <gert@greenie.muc.de>