Check message id/acked ids too when doing sessionid cookie checks

author Arne Schwabe <arne@rfc2549.org>

Tue, 19 Aug 2025 21:22:09 +0000 (23:22 +0200)

committer Gert Doering <gert@greenie.muc.de>

Sat, 23 Aug 2025 15:53:52 +0000 (17:53 +0200)
author Arne Schwabe <arne@rfc2549.org>
Tue, 19 Aug 2025 21:22:09 +0000 (23:22 +0200)
committer Gert Doering <gert@greenie.muc.de>
Sat, 23 Aug 2025 15:53:52 +0000 (17:53 +0200)
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c

index 7259a4bb6894a9bd6491f9b849903caace82b471..31134bea88e0eeda86e69b00ac9bbe35d126b813 100644 (file)
--- a/src/openvpn/mudp.c
+++ b/src/openvpn/mudp.c
@@ -151,7 +151,8 @@ do_pre_decrypt_check(struct multi_context *m, struct tls_pre_decrypt_state *stat
           * need to contain the peer id */
          struct gc_arena gc = gc_new();
  
           * need to contain the peer id */
          struct gc_arena gc = gc_new();
  
-        bool ret = check_session_id_hmac(state, from, hmac, handwindow);
+        bool pkt_is_ack = (verdict == VERDICT_VALID_ACK_V1);
+        bool ret = check_session_hmac_and_pkt_id(state, from, hmac, handwindow, pkt_is_ack);
  
          const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
          uint8_t pkt_firstbyte = *BPTR(&m->top.c2.buf);
  
          const char *peer = print_link_socket_actual(&m->top.c2.from, &gc);
          uint8_t pkt_firstbyte = *BPTR(&m->top.c2.buf);
@@ -159,7 +160,8 @@ do_pre_decrypt_check(struct multi_context *m, struct tls_pre_decrypt_state *stat
  
          if (!ret)
          {
  
          if (!ret)
          {
-            msg(D_MULTI_MEDIUM, "Packet (%s) with invalid or missing SID from %s",
+            msg(D_MULTI_MEDIUM, "Packet (%s) with invalid or missing SID from"
+                                " %s or wrong packet id",
                  packet_opcode_name(op), peer);
          }
          else
                  packet_opcode_name(op), peer);
          }
          else
diff --git a/src/openvpn/ssl_pkt.c b/src/openvpn/ssl_pkt.c

index b901f87a286f75f0f9fe02abfd55e27914481857..6ec05a7eeb9896baf7f9c56d891354f9366af152 100644 (file)
--- a/src/openvpn/ssl_pkt.c
+++ b/src/openvpn/ssl_pkt.c
@@ -496,8 +496,11 @@ calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_soc
  }
  
  bool
  }
  
  bool
-check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from,
-                      hmac_ctx_t *hmac, int handwindow)
+check_session_hmac_and_pkt_id(struct tls_pre_decrypt_state *state,
+                              const struct openvpn_sockaddr *from,
+                              hmac_ctx_t *hmac,
+                              int handwindow,
+                              bool pkt_is_ack)
  {
      if (!from)
      {
  {
      if (!from)
      {
@@ -512,6 +515,36 @@ check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_
          return false;
      }
  
          return false;
      }
  
+    /* Check if the packet ID of the packet or ACKED packet  is <= 1 */
+    for (int i = 0; i < ack.len; i++)
+    {
+        /* This packet ACKs a packet that has a higher packet id than the
+         * ones expected in the three-way handshake, consider it as invalid
+         * for the session */
+        if (ack.packet_id[i] > 1)
+        {
+            return false;
+        }
+    }
+
+    if (!pkt_is_ack)
+    {
+        packet_id_type message_id;
+        /* Extract the packet ID from the packet */
+        if (!reliable_ack_read_packet_id(&buf, &message_id))
+        {
+            return false;
+        }
+
+        /* similar check. Anything larger than 1 is not considered part of the
+         * three-way handshake */
+        if (message_id > 1)
+        {
+            return false;
+        }
+    }
+
+
      /* check adjacent timestamps too */
      for (int offset = -2; offset <= 1; offset++)
      {
      /* check adjacent timestamps too */
      for (int offset = -2; offset <= 1; offset++)
      {
diff --git a/src/openvpn/ssl_pkt.h b/src/openvpn/ssl_pkt.h

index 8fe48804333555678b8918ce8637400500a191d0..96cdd68366cee7c908c9c1e9e9176eaa039498d2 100644 (file)
--- a/src/openvpn/ssl_pkt.h
+++ b/src/openvpn/ssl_pkt.h
@@ -178,14 +178,20 @@ struct session_id calculate_session_id_hmac(struct session_id client_sid,
  /**
   * Checks if a control packet has a correct HMAC server session id
   *
  /**
   * Checks if a control packet has a correct HMAC server session id
   *
+ * This will also consider packets that have a packet id higher
+ * than 1 or ack packets higher than 1 to be invalid as they are
+ * not part of the initial three way handshake of OpenVPN and should
+ * not create a new connection.
+ *
   * @param state         session information
   * @param from          link_socket from the client
   * @param hmac          the hmac context to use for the calculation
   * @param handwindow    the quantisation of the current time
   * @param state         session information
   * @param from          link_socket from the client
   * @param hmac          the hmac context to use for the calculation
   * @param handwindow    the quantisation of the current time
+ * @param pkt_is_ack    the packet being checked is a P_ACK_V1
   * @return              the expected server session id
   */
   * @return              the expected server session id
   */
-bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from,
-                           hmac_ctx_t *hmac, int handwindow);
+bool check_session_hmac_and_pkt_id(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from,
+                                   hmac_ctx_t *hmac, int handwindow, bool pkt_is_ack);
  
  /*
   * Write a control channel authentication record.
  
  /*
   * Write a control channel authentication record.
diff --git a/tests/unit_tests/openvpn/test_pkt.c b/tests/unit_tests/openvpn/test_pkt.c

index 65b31e7808aa393b0d05a9cfb571324f2b67bea2..51227662400f7f644aa8fe6255bbbb8fa5c2dae3 100644 (file)
--- a/tests/unit_tests/openvpn/test_pkt.c
+++ b/tests/unit_tests/openvpn/test_pkt.c
@@ -139,6 +139,27 @@ const uint8_t client_ack_none_random_id[] = { 0x28, 0xae, 0xb9, 0xaf, 0xe1, 0xf0
                                                0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0xdd, 0x85,
                                                0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e };
  
                                                0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0xdd, 0x85,
                                                0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e };
  
+/* no tls-auth, P_ACK_V1, acks 0,1, and 2 */
+const uint8_t client_ack_123_none_random_id[] = {
+    0x28,
+    0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8,
+    0x03,
+    0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x01,
+    0x00, 0x00, 0x00, 0x02,
+    0xdd, 0x85, 0xdb, 0x53, 0x56, 0x23, 0xb0, 0x2e
+};
+
+/* no tls-auth, P_CONTROL_V1, acks 0, msg-id 2 */
+const uint8_t client_control_none_random_id[] = {
+    0x20,
+    0xae, 0xb9, 0xaf, 0xe1, 0xf0, 0x1d, 0x79, 0xc8,
+    0x01,
+    0x00, 0x00, 0x00, 0x00,
+    0x02
+};
+
+
  struct tls_auth_standalone
  init_tas_auth(int key_direction)
  {
  struct tls_auth_standalone
  init_tas_auth(int key_direction)
  {
@@ -256,12 +277,10 @@ test_tls_decrypt_lite_auth(void **ut_state)
      assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
      free_tls_pre_decrypt_state(&state);
  
      assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
      free_tls_pre_decrypt_state(&state);
  
-    free_tls_pre_decrypt_state(&state);
      /* The pre decrypt function should not modify the buffer, so calling it
       * again should have the same result */
      verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
      assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
      /* The pre decrypt function should not modify the buffer, so calling it
       * again should have the same result */
      verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
      assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
-    free_tls_pre_decrypt_state(&state);
  
      /* and buf memory should be equal */
      assert_memory_equal(BPTR(&buf), client_reset_v2_tls_auth, sizeof(client_reset_v2_tls_auth));
  
      /* and buf memory should be equal */
      assert_memory_equal(BPTR(&buf), client_reset_v2_tls_auth, sizeof(client_reset_v2_tls_auth));
@@ -279,7 +298,6 @@ test_tls_decrypt_lite_auth(void **ut_state)
      assert_int_equal(verdict, VERDICT_INVALID);
      free_tls_pre_decrypt_state(&state);
  
      assert_int_equal(verdict, VERDICT_INVALID);
      free_tls_pre_decrypt_state(&state);
  
-    free_tls_pre_decrypt_state(&state);
      /* Wrong key direction gives a wrong hmac key and should not validate */
      free_key_ctx_bi(&tas.tls_wrap.opt.key_ctx_bi);
      free_tas(&tas);
      /* Wrong key direction gives a wrong hmac key and should not validate */
      free_key_ctx_bi(&tas.tls_wrap.opt.key_ctx_bi);
      free_tas(&tas);
@@ -319,15 +337,12 @@ test_tls_decrypt_lite_none(void **ut_state)
      assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
      free_tls_pre_decrypt_state(&state);
  
      assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
      free_tls_pre_decrypt_state(&state);
  
-    free_tls_pre_decrypt_state(&state);
      buf_reset_len(&buf);
      buf_write(&buf, client_reset_v2_tls_crypt, sizeof(client_reset_v2_none));
      verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
      assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
      free_tls_pre_decrypt_state(&state);
  
      buf_reset_len(&buf);
      buf_write(&buf, client_reset_v2_tls_crypt, sizeof(client_reset_v2_none));
      verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
      assert_int_equal(verdict, VERDICT_VALID_RESET_V2);
      free_tls_pre_decrypt_state(&state);
  
-    free_tls_pre_decrypt_state(&state);
-
      /* This is not a reset packet and should trigger the other response */
      buf_reset_len(&buf);
      buf_write(&buf, client_ack_tls_auth_randomid, sizeof(client_ack_tls_auth_randomid));
      /* This is not a reset packet and should trigger the other response */
      buf_reset_len(&buf);
      buf_write(&buf, client_ack_tls_auth_randomid, sizeof(client_ack_tls_auth_randomid));
@@ -405,7 +420,7 @@ test_verify_hmac_tls_auth(void **ut_state)
      assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1);
  
      /* This is a valid packet but containing a random id instead of an HMAC id*/
      assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1);
  
      /* This is a valid packet but containing a random id instead of an HMAC id*/
-    bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30);
+    bool valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, false);
      assert_false(valid);
  
      free_tls_pre_decrypt_state(&state);
      assert_false(valid);
  
      free_tls_pre_decrypt_state(&state);
@@ -436,7 +451,7 @@ test_verify_hmac_none(void **ut_state)
      verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
      assert_int_equal(verdict, VERDICT_VALID_ACK_V1);
  
      verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
      assert_int_equal(verdict, VERDICT_VALID_ACK_V1);
  
-    bool valid = check_session_id_hmac(&state, &from.dest, hmac, 30);
+    bool valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true);
      assert_true(valid);
  
      free_tls_pre_decrypt_state(&state);
      assert_true(valid);
  
      free_tls_pre_decrypt_state(&state);
@@ -445,6 +460,51 @@ test_verify_hmac_none(void **ut_state)
      hmac_ctx_free(hmac);
  }
  
      hmac_ctx_free(hmac);
  }
  
+static void
+test_verify_hmac_none_out_of_range_ack(void **ut_state)
+{
+    hmac_ctx_t *hmac = session_id_hmac_init();
+
+    struct link_socket_actual from = { 0 };
+    from.dest.addr.sa.sa_family = AF_INET;
+
+    struct tls_auth_standalone tas = { 0 };
+    struct tls_pre_decrypt_state state = { 0 };
+
+    struct buffer buf = alloc_buf(1024);
+    enum first_packet_verdict verdict;
+
+    tas.tls_wrap.mode = TLS_WRAP_NONE;
+
+    buf_reset_len(&buf);
+    buf_write(&buf, client_ack_123_none_random_id, sizeof(client_ack_123_none_random_id));
+
+
+    verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
+    assert_int_equal(verdict, VERDICT_VALID_ACK_V1);
+
+    /* should fail because it acks 2 */
+    bool valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true);
+    assert_false(valid);
+    free_tls_pre_decrypt_state(&state);
+
+    /* Try test with the control with a too high message id now */
+    buf_reset_len(&buf);
+    buf_write(&buf, client_control_none_random_id, sizeof(client_control_none_random_id));
+
+    verdict = tls_pre_decrypt_lite(&tas, &state, &from, &buf);
+    assert_int_equal(verdict, VERDICT_VALID_CONTROL_V1);
+
+    /* should fail because it has message id 2 */
+    valid = check_session_hmac_and_pkt_id(&state, &from.dest, hmac, 30, true);
+    assert_false(valid);
+
+    free_tls_pre_decrypt_state(&state);
+    free_buf(&buf);
+    hmac_ctx_cleanup(hmac);
+    hmac_ctx_free(hmac);
+}
+
  static hmac_ctx_t *
  init_static_hmac(void)
  {
  static hmac_ctx_t *
  init_static_hmac(void)
  {
@@ -634,16 +694,20 @@ int
  main(void)
  {
      openvpn_unit_test_setup();
  main(void)
  {
      openvpn_unit_test_setup();
-    const struct CMUnitTest tests[] = { cmocka_unit_test(test_tls_decrypt_lite_none),
-                                        cmocka_unit_test(test_tls_decrypt_lite_auth),
-                                        cmocka_unit_test(test_tls_decrypt_lite_crypt),
-                                        cmocka_unit_test(test_parse_ack),
-                                        cmocka_unit_test(test_calc_session_id_hmac_static),
-                                        cmocka_unit_test(test_verify_hmac_none),
-                                        cmocka_unit_test(test_verify_hmac_tls_auth),
-                                        cmocka_unit_test(test_generate_reset_packet_plain),
-                                        cmocka_unit_test(test_generate_reset_packet_tls_auth),
-                                        cmocka_unit_test(test_extract_control_message) };
+
+    const struct CMUnitTest tests[] = {
+        cmocka_unit_test(test_tls_decrypt_lite_none),
+        cmocka_unit_test(test_tls_decrypt_lite_auth),
+        cmocka_unit_test(test_tls_decrypt_lite_crypt),
+        cmocka_unit_test(test_parse_ack),
+        cmocka_unit_test(test_calc_session_id_hmac_static),
+        cmocka_unit_test(test_verify_hmac_none),
+        cmocka_unit_test(test_verify_hmac_tls_auth),
+        cmocka_unit_test(test_verify_hmac_none_out_of_range_ack),
+        cmocka_unit_test(test_generate_reset_packet_plain),
+        cmocka_unit_test(test_generate_reset_packet_tls_auth),
+        cmocka_unit_test(test_extract_control_message)
+    };
  
  #if defined(ENABLE_CRYPTO_OPENSSL)
      OpenSSL_add_all_algorithms();
  
  #if defined(ENABLE_CRYPTO_OPENSSL)
      OpenSSL_add_all_algorithms();
author	Arne Schwabe <arne@rfc2549.org>
	Tue, 19 Aug 2025 21:22:09 +0000 (23:22 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Sat, 23 Aug 2025 15:53:52 +0000 (17:53 +0200)
src/openvpn/mudp.c		patch \| blob \| blame \| history
src/openvpn/ssl_pkt.c		patch \| blob \| blame \| history
src/openvpn/ssl_pkt.h		patch \| blob \| blame \| history
tests/unit_tests/openvpn/test_pkt.c		patch \| blob \| blame \| history