git.ipfire.org Git - thirdparty/openvpn.git/commit
Ensure auth-token is only sent on a fully authenticated session
author: Arne Schwabe <arne@rfc2549.org>
Sat, 27 Mar 2021 18:35:44 +0000 (19:35 +0100)
committer: Gert Doering <gert@greenie.muc.de>
Tue, 20 Apr 2021 12:50:41 +0000 (14:50 +0200)
commit: 3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a
tree: 98bc06e2eb8b7e32e1fdfe273259eaf62b80617b
parent: 3aca477a1b58714754fea3a26d0892fffc51db6b
Ensure auth-token is only sent on a fully authenticated session

This fixes the problem that if client authentication is deferred, we
send an updated token before the authentication has fully finished.

Calling the new ssl_session_fully_authenticated from the two places
that do the state transition to KS_AUTH_TRUE is a bit suboptimal but
a cleaner solution requires more refactoring of the involved methods
and state machines.

This bug makes it possible - under very specific circumstances - to trick a
server using delayed authentication (plugin or management) *and*
"--auth-gen-token" into returning a PUSH_REPLY before the AUTH_FAILED
message, which can possibly be used to gather information about a
VPN setup or even get access to a VPN with an otherwise-invalid account.

CVE-2020-15078 has been assigned to acknowledge this risk.

CVE: 2020-15078
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <d25ec73f-2ab0-31df-8cb6-7778000f4822@openvpn.net>
URL: non-public, embargoed
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/ssl_verify.c
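The state-machine gap the commit message describes, as an added C model that is not OpenVPN's code: the KS_AUTH_* names follow OpenVPN's key-state enum, while `session`, `session_fully_authenticated` and the two `push_token_*` variants are hypothetical stand-ins for the pre- and post-fix gating of the auth-token in PUSH_REPLY.

```c
#include <stdbool.h>
#include <string.h>

/* Key-state authentication states, modelled after OpenVPN's ks_auth_state;
 * everything else here is a simplified stand-in, not the project's code. */
enum ks_auth { KS_AUTH_FALSE, KS_AUTH_DEFERRED, KS_AUTH_TRUE };

struct session {
    enum ks_auth auth;   /* verdict of the (possibly deferred) authentication */
    char token[32];      /* auth-token placed in PUSH_REPLY, "" if none */
};

/* Hypothetical gate with the same intent as the commit's
 * ssl_session_fully_authenticated: only KS_AUTH_TRUE counts as done. */
static bool session_fully_authenticated(const struct session *s)
{
    return s->auth == KS_AUTH_TRUE;
}

/* Pre-fix logic: a still-deferred verdict was not treated as "not yet
 * authenticated", so a token was generated while plugin/management
 * authentication was outstanding. */
static bool push_token_before_fix(struct session *s)
{
    if (s->auth == KS_AUTH_FALSE) {
        return false;
    }
    strcpy(s->token, "CONSTRUCTED-TOKEN");  /* constructed sample value */
    return true;
}

/* Post-fix logic: the token is generated only on a fully authenticated session. */
static bool push_token_after_fix(struct session *s)
{
    if (!session_fully_authenticated(s)) {
        return false;
    }
    strcpy(s->token, "CONSTRUCTED-TOKEN");
    return true;
}

/* Walk one deferred-auth session up to its final verdict and report whether
 * a token was pushed before that verdict (accept or AUTH_FAILED) arrived. */
static bool token_sent_before_verdict(bool (*push)(struct session *), bool accept)
{
    struct session s = { KS_AUTH_DEFERRED, "" };
    bool sent_while_deferred = push(&s);            /* PUSH_REPLY handled here */
    s.auth = accept ? KS_AUTH_TRUE : KS_AUTH_FALSE; /* plugin/management answers */
    return sent_while_deferred;
}

/* Once the deferred verdict is an accept, both variants push the token. */
static bool token_sent_after_accept(bool (*push)(struct session *))
{
    struct session s = { KS_AUTH_TRUE, "" };
    return push(&s) && strcmp(s.token, "CONSTRUCTED-TOKEN") == 0;
}
```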