From patchwork Mon Mar 2 15:25:45 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4787
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 2 Mar 2026 16:25:45 +0100
Message-ID: <20260302152553.12035-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.52.0
Subject: [Openvpn-devel] [PATCH v3] tls: reject incoming reneg request if primary key is not fully valid
From: Ralf Lici

Incoming P_CONTROL_SOFT_RESET_V1 can arrive while the active key is not yet fully valid for renegotiation. This includes the window where we are still waiting for auth_deferred_expire (derived from handshake/reneg timing), as well as cases where deferred or mid-session auth later leaves the key non-authenticated even though state is S_GENERATED_KEYS.

This patch keeps read_control_auth as the first gate, then rejects the incoming renegotiation requests unless the primary key is KS_AUTH_TRUE and auth_deferred_expire has passed.

Change-Id: I704c560fa23c03237d0f8adc30908a617265a5a1
Signed-off-by: Ralf Lici
Acked-by: Arne Schwabe
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1478
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1478
This mail reflects revision 3 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 69d0e4e..98641a1 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -3747,6 +3747,20 @@ goto error; } + /* + * Do not allow incoming renegotiation unless our primary key is + * fully authenticated and past the deferred-auth/transition gate. + */ + time_t auth_deferred_left = ks->auth_deferred_expire - now; + if (ks->authenticated != KS_AUTH_TRUE || auth_deferred_left > 0) + { + msg(D_TLS_ERRORS, + "TLS Error: rejecting incoming renegotiation request for key-id %d: " + "auth=%s, auth_deferred_expire in %d seconds", + ks->key_id, ks_auth_name(ks->authenticated), auth_deferred_left > 0 ? (int)auth_deferred_left : 0); + goto error; + } + key_state_soft_reset(session); dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", i,
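Review bot: the timing reject (`auth_deferred_left > 0`) is logged at D_TLS_ERRORS, yet the commit message describes the deferred-auth window as an expected state, so a peer that sends or retransmits P_CONTROL_SOFT_RESET_V1 during that window will produce a "TLS Error" line on every attempt; consider D_TLS_DEBUG_LOW for the timing case and keep D_TLS_ERRORS for `ks->authenticated != KS_AUTH_TRUE`. The single message also prints "auth_deferred_expire in 0 seconds" whenever the only reason is the authentication state, which reads as if the timer were the cause; two separate messages for the two conditions would make the log unambiguous. Finally, the commit message talks about the primary key while the check uses the local `ks`, and the `s=%d` printed with `i` in the dmsg below suggests this code runs per key slot; worth confirming that this branch is only reached for the primary slot, or indexing session->key[KS_PRIMARY] explicitly so the gate cannot be evaluated against the lame-duck key.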