git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Fri, 9 Sep 2022 19:59:00 +0000 (21:59 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Tue, 18 Oct 2022 08:25:20 +0000 (10:25 +0200)
commit	f786e8a41cde31b437f20a17cb3fd122b489d6b3
tree	4d75c8898b1825462b89650fddf3e73f3f72c37a	tree
parent	9a5161704173e31f2510d3f5c29361f76e275d0f	commit \| diff

Allows renegotiation only to start if session is fully established

This change makes the state machine more strict in terms of transaction
that are allowed. The benefit of this change are twofold:

- only allow renegotiations after pushed option handling is done,
   to ensure that pushed options which might affect renegotiation
   have been processed on both sides
   This is a prerequisite for the upcoming secure renegotiation patch set
- avoids corner cases of a peer (or an attacker) trying to renegotiate the
   session while the original session is not fully setup. Currently there
   there are no problems known with this but it is better to avoid the
   corner case in the first time.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Heiko Hund <heiko@ist.eigentlich.net>
Message-Id: <20220909195902.2011798-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25162.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>