Attention is currently required from: plaisthos, ralf_lici.
Hello plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1478?usp=email
to look at the new patch set (#3).
The following approvals got outdated and were removed:
Code-Review+2 by plaisthos
The change is no longer submittable: Code-Review and checks~ChecksSubmitRule
are unsatisfied now.
Change subject: tls: reject incoming reneg request if primary key is not fully
valid
......................................................................
tls: reject incoming reneg request if primary key is not fully valid
Incoming P_CONTROL_SOFT_RESET_V1 can arrive while the active key is not
yet fully valid for renegotiation. This includes the window where we are
still waiting for auth_deferred_expire (derived from handshake/reneg
timing), as well as cases where deferred or mid-session auth later
leaves the key non-authenticated even though state is S_GENERATED_KEYS.
This patch keeps read_control_auth as the first gate, then rejects the
incoming renegotiation requests unless the primary key is KS_AUTH_TRUE
and auth_deferred_expire has passed.
Change-Id: I704c560fa23c03237d0f8adc30908a617265a5a1
Signed-off-by: Ralf Lici <[email protected]>
---
M src/openvpn/ssl.c
1 file changed, 14 insertions(+), 0 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/78/1478/3
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 69d0e4e..98641a1 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3747,6 +3747,20 @@
goto error;
}
+ /*
+ * Do not allow incoming renegotiation unless our primary key is
+ * fully authenticated and past the deferred-auth/transition gate.
+ */
+ time_t auth_deferred_left = ks->auth_deferred_expire - now;
+ if (ks->authenticated != KS_AUTH_TRUE || auth_deferred_left > 0)
+ {
+ msg(D_TLS_ERRORS,
+ "TLS Error: rejecting incoming renegotiation request for
key-id %d: "
+ "auth=%s, auth_deferred_expire in %d seconds",
+ ks->key_id, ks_auth_name(ks->authenticated),
auth_deferred_left > 0 ? (int)auth_deferred_left : 0);
+ goto error;
+ }
+
key_state_soft_reset(session);
dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d
sid=%s", i,
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1478?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I704c560fa23c03237d0f8adc30908a617265a5a1
Gerrit-Change-Number: 1478
Gerrit-PatchSet: 3
Gerrit-Owner: ralf_lici <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: ralf_lici <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
