[Openvpn-devel] Ensure tls session is authenticated before sending push reply

Message ID 20210624130840.2583433-1-arne@rfc2549.org
State Accepted
Headers show
  • [Openvpn-devel] Ensure tls session is authenticated before sending push reply
Related show

Commit Message

Arne Schwabe June 24, 2021, 1:08 p.m.
We ensure here that the tls session is authenticated before sending
a push_reply

This a part of to fix CVE-2020-15078 in the master branch.
 src/openvpn/push.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


Gert Doering June 24, 2021, 3:25 p.m. | #1
Acked-by: Gert Doering <gert@greenie.muc.de>

For whatever reason, this particular code path escaped previous patches,
so now it's fixed as well.  And verified - even with the previous 3 
patches (and I was sure I had seen it fixed!) sometimes I hit the
"PUSH_REPLY sent too fast" thing.  Now, gone.

Not tested on the client side (this is server-only code).

Server side test rig succeeded.  Since this is a fairly isolated
change, verifying that PUSH_REQUEST/PUSH_REPLY still works was easy
(but tested all of it, for good measure).

Your patch has been applied to the master branch.

commit 87c8c081d5a1ede46b3cb01e0c25a876441f074b
Author: Arne Schwabe
Date:   Thu Jun 24 15:08:40 2021 +0200

     Ensure tls session is authenticated before sending push reply

     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20210624130840.2583433-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22587.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>

kind regards,

Gert Doering


diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index b6f1252d2..b27f401e1 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -863,7 +863,8 @@  process_incoming_push_request(struct context *c)
         send_auth_failed(c, client_reason);
         ret = PUSH_MSG_AUTH_FAILURE;
-    else if (c->c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
+    else if (tls_authentication_status(c->c2.tls_multi) == TLS_AUTHENTICATION_SUCCEEDED
+        && c->c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
         time_t now;