Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/921?usp=email
to review the following change.
Change subject: Do not leave half-initialised key wrap struct when dynamic
tls-crypt fails
......................................................................
Do not leave half-initialised key wrap struct when dynamic tls-crypt fails
In case when key_state_export_keying_material fails we left a
half-initialised tls_wrap_reneg structure in the tls_session.
Later calls to try to free this structure causes freeing of
invalid memory locations.
To test: make key_state_export_keying_material return false even though
HAVE_EXPORT_KEYING_MATERIAL is defined and connect to a server
supporting dynamic tls-crypt (2.6.0+)
Change-Id: I54073f8b63894a62699f6ecdc90a77f9f131205b
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
M src/openvpn/tls_crypt.c
1 file changed, 9 insertions(+), 10 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/21/921/1
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index eb7b03d..9e9807d 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -97,6 +97,15 @@
bool
tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
{
+ struct key2 rengokeys;
+ if (!key_state_export_keying_material(session,
EXPORT_DYNAMIC_TLS_CRYPT_LABEL,
+
strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL),
+ rengokeys.keys,
sizeof(rengokeys.keys)))
+ {
+ return false;
+ }
+ rengokeys.n = 2;
+
session->tls_wrap_reneg.opt = session->tls_wrap.opt;
session->tls_wrap_reneg.mode = TLS_WRAP_CRYPT;
session->tls_wrap_reneg.cleanup_key_ctx = true;
@@ -108,16 +117,6 @@
session->opt->replay_time,
"TLS_WRAP_RENEG", session->key_id);
-
- struct key2 rengokeys;
- if (!key_state_export_keying_material(session,
EXPORT_DYNAMIC_TLS_CRYPT_LABEL,
-
strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL),
- rengokeys.keys,
sizeof(rengokeys.keys)))
- {
- return false;
- }
- rengokeys.n = 2;
-
if (session->tls_wrap.mode == TLS_WRAP_CRYPT
|| session->tls_wrap.mode == TLS_WRAP_AUTH)
{
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/921?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I54073f8b63894a62699f6ecdc90a77f9f131205b
Gerrit-Change-Number: 921
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-MessageType: newchange
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
