git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Tue, 19 Aug 2025 21:22:09 +0000 (23:22 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Sat, 23 Aug 2025 15:53:52 +0000 (17:53 +0200)
commit	518e122b42739b0dbb54e7169a8a3aadb4773125
tree	7451df67fd2f726eb0e2248e6573ab1092f8deb0	tree
parent	5c4744f28e2adb3fc8f6fb3b3c8ffe22636eb0a0	commit \| diff

Check message id/acked ids too when doing sessionid cookie checks

This fixes that control packets on a floating client can trigger
creating a new session in special circumstances:

To trigger this circumstance a connection needs to

- starts on IP A
- successfully floats to IP B by data packet
- then has a control packet from IP A before any
data packet can trigger the float back to IP A

and all of this needs to happen in the 60s time
that hmac cookie is valid in the default
configuration.

In this scenario we would trigger a new connection as the HMAC
session id would be valid.

This patch adds checking also of the message-id and acked ids to
discern packet from the initial three-way handshake where these
ids are 0 or 1 from any later packet.

This will now trigger (at verb 4 or higher) a messaged like:

Packet (P_ACK_V1) with invalid or missing SID

instead.

Also remove a few duplicated free_tls_pre_decrypt_state in test_ssl.

Reported-By: Walter Doekes <walter.openvpn@wjd.nu>
Tested-By: Walter Doekes <walter.openvpn@wjd.nu>
Change-Id: I6752dcd5aff3e5cea2b439366479e86751a1c403
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Message-Id: <20250819212214.16218-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg32626.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

src/openvpn/mudp.c		diff \| blob \| blame \| history
src/openvpn/ssl_pkt.c		diff \| blob \| blame \| history
src/openvpn/ssl_pkt.h		diff \| blob \| blame \| history
tests/unit_tests/openvpn/test_pkt.c		diff \| blob \| blame \| history