Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1478?usp=email
to look at the new patch set (#2).
Change subject: tls: reject incoming reneg request if primary key is not fully valid
......................................................................
tls: reject incoming reneg request if primary key is not fully valid
An incoming P_CONTROL_SOFT_RESET_V1 can arrive while the primary key is
already in S_GENERATED_KEYS but no longer fully authorized. This can
happen when deferred auth later expires/fails, or when mid-session auth
checks deauthenticate the key without demoting its TLS state.
This patch keeps read_control_auth as the first gate, then rejects the
incoming renegotiation request unless the primary key is KS_AUTH_TRUE
and its auth_deferred_expire gate has passed.
Change-Id: I704c560fa23c03237d0f8adc30908a617265a5a1
Signed-off-by: Ralf Lici <[email protected]>
---
M src/openvpn/ssl.c
1 file changed, 11 insertions(+), 0 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/78/1478/2
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 69d0e4e..ce88478 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3747,6 +3747,17 @@
goto error;
}
+ /*
+ * Do not allow incoming renegotiation unless our primary key is
+ * fully authenticated and past the deferred-auth/transition gate.
+ */
+ if (ks->authenticated != KS_AUTH_TRUE || now <
ks->auth_deferred_expire)
+ {
+ msg(D_TLS_ERRORS,
+ "TLS Error: rejecting incoming renegotiation request: key
not fully authenticated/valid");
+ goto error;
+ }
+
key_state_soft_reset(session);
dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d
sid=%s", i,
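Review bot: The new gate dereferences `ks` without the hunk showing where `ks` is bound, while the commit message says the check is meant for the primary key; please confirm in the surrounding code that `ks` here is the primary key state (and not the lame-duck or the freshly created key state that `key_state_soft_reset(session)` will operate on), since the condition `ks->authenticated != KS_AUTH_TRUE || now < ks->auth_deferred_expire` is only meaningful against that key. Two smaller points on the same lines: the `msg(D_TLS_ERRORS, "TLS Error: rejecting incoming renegotiation request: key not fully authenticated/valid")` text does not tell an operator which of the two conditions fired, so logging the `authenticated` value and whether the deferred-auth window is still open would make the rejection diagnosable from the log; and because the rejection reuses `goto error`, it would be worth stating in the commit message whether that path drops only this P_CONTROL_SOFT_RESET_V1 packet or also affects the session, so the behaviour the message describes ("rejects the incoming renegotiation request") is unambiguous for reviewers and for a regression test.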
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1478?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I704c560fa23c03237d0f8adc30908a617265a5a1
Gerrit-Change-Number: 1478
Gerrit-PatchSet: 2
Gerrit-Owner: ralf_lici <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel