OpenVPN · stoops · Aug 6, 2025 · Aug 12, 2025 · Oct 26, 2025
diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
@@ -35,15 +35,15 @@ auth_token_kt(void)
 }
 
 void
-add_session_token_env(struct tls_session *session, struct tls_multi *multi,
-                      const struct user_pass *up)
+add_session_token_env(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
 {
     if (!multi->opt.auth_token_generate)
     {
         return;
     }
 
-    int auth_token_state_flags = session->key[KS_PRIMARY].auth_token_state_flags;
+    struct key_state *ks = tls_select_encryption_key_init(multi);
+    int auth_token_state_flags = ks->auth_token_state_flags;
 
     const char *state;
 
@@ -81,7 +81,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi,
         state = "Invalid";
     }
 
-    setenv_str(session->opt->es, "session_state", state);
+    setenv_str(multi->opt.es, "session_state", state);
 
     /* We had a valid session id before */
     const char *session_id_source;
@@ -111,7 +111,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi,
     memcpy(session_id, session_id_source + strlen(SESSION_ID_PREFIX),
            AUTH_TOKEN_SESSION_ID_LEN * 8 / 6);
 
-    setenv_str(session->opt->es, "session_id", session_id);
+    setenv_str(multi->opt.es, "session_id", session_id);
 }
 
 void
@@ -217,8 +217,8 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
      * a new token with the empty username since we do not want to loose
      * the information that the username cannot be trusted
      */
-    struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
-    if (ks->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER)
+    struct key_state *ks = tls_select_encryption_key_init(multi);
+    if (ks && ks->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER)
     {
         hmac_ctx_update(ctx, (const uint8_t *)"", 0);
     }
@@ -415,10 +415,15 @@ void
 check_send_auth_token(struct context *c)
 {
     struct tls_multi *multi = c->c2.tls_multi;
-    struct tls_session *session = &multi->session[TM_ACTIVE];
 
-    if (get_primary_key(multi)->state < S_GENERATED_KEYS
-        || get_primary_key(multi)->authenticated != KS_AUTH_TRUE)
+    if (!multi)
+    {
+        return;
+    }
+
+    struct key_state *ks = tls_select_encryption_key_init(multi);
+
+    if (ks->state < S_GENERATED_KEYS || ks->authenticated != KS_AUTH_TRUE)
     {
         /* the currently active session is still in renegotiation or another
          * not fully authorized state. We are either very close to a
@@ -447,11 +452,11 @@ check_send_auth_token(struct context *c)
 
     generate_auth_token(&up, multi);
 
-    resend_auth_token_renegotiation(multi, session);
+    resend_auth_token_renegotiation(multi);
 }
 
 void
-resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
+resend_auth_token_renegotiation(struct tls_multi *multi)
 {
     /*
      * Auth token already sent to client, update auth-token on client.

diff --git a/src/openvpn/auth_token.h b/src/openvpn/auth_token.h
@@ -128,7 +128,7 @@ is_auth_token(const char *password)
  * @param multi     Pointer the multi object of the TLS session
  * @param session   Pointer to the TLS session itself
  */
-void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session);
+void resend_auth_token_renegotiation(struct tls_multi *multi);
 
 
 /**