Attention is currently required from: plaisthos, ralf_lici.

Hello plaisthos,

I'd like you to reexamine a change. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/1478?usp=email

to look at the new patch set (#3).

The following approvals got outdated and were removed:
Code-Review+2 by plaisthos

The change is no longer submittable: Code-Review and checks~ChecksSubmitRule 
are unsatisfied now.


Change subject: tls: reject incoming reneg request if primary key is not fully 
valid
......................................................................

tls: reject incoming reneg request if primary key is not fully valid

Incoming P_CONTROL_SOFT_RESET_V1 can arrive while the active key is not
yet fully valid for renegotiation. This includes the window where we are
still waiting for auth_deferred_expire (derived from handshake/reneg
timing), as well as cases where deferred or mid-session auth later
leaves the key non-authenticated even though state is S_GENERATED_KEYS.

This patch keeps read_control_auth as the first gate, then rejects the
incoming renegotiation requests unless the primary key is KS_AUTH_TRUE
and auth_deferred_expire has passed.

Change-Id: I704c560fa23c03237d0f8adc30908a617265a5a1
Signed-off-by: Ralf Lici <[email protected]>
---
M src/openvpn/ssl.c
1 file changed, 14 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/78/1478/3

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 69d0e4e..98641a1 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3747,6 +3747,20 @@
                 goto error;
             }

+            /*
+             * Do not allow incoming renegotiation unless our primary key is
+             * fully authenticated and past the deferred-auth/transition gate.
+             */
+            time_t auth_deferred_left = ks->auth_deferred_expire - now;
+            if (ks->authenticated != KS_AUTH_TRUE || auth_deferred_left > 0)
+            {
+                msg(D_TLS_ERRORS,
+                    "TLS Error: rejecting incoming renegotiation request for 
key-id %d: "
+                    "auth=%s, auth_deferred_expire in %d seconds",
+                    ks->key_id, ks_auth_name(ks->authenticated), 
auth_deferred_left > 0 ? (int)auth_deferred_left : 0);
+                goto error;
+            }
+
             key_state_soft_reset(session);

             dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d 
sid=%s", i,

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1478?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I704c560fa23c03237d0f8adc30908a617265a5a1
Gerrit-Change-Number: 1478
Gerrit-PatchSet: 3
Gerrit-Owner: ralf_lici <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: ralf_lici <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to