git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Steffan Karger <steffan.karger@fox-it.com>
	Thu, 11 May 2017 21:13:41 +0000 (23:13 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Tue, 13 Jun 2017 07:02:02 +0000 (09:02 +0200)
commit	66576f9903cc166072901673ff1e673fa2e29611
tree	42ea1fd8c60f5de046fc330c6e251d510f407f54	tree
parent	aded94168651ffc4346e73604b62cfcee4ef7297	commit \| diff

Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)

Previously, if a mode was selected where packet ids are not allowed to roll
over, but renegotiation does not succeed for some reason (e.g. no password
entered in time, certificate expired or a malicious peer that refuses the
renegotiaion on purpose) we would continue to use the old keys. Until the
packet ID would roll over and we would ASSERT() out.

Given that this can be triggered on purpose by an authenticated peer, this
is a fix for an authenticated remote DoS vulnerability. An attack is
rather inefficient though; a peer would need to get us to send 2^32
packets (min-size packet is IP+UDP+OPCODE+PID+TAG (no payload), results in
(20+8+1+4+16)*2^32 bytes, or approx. 196 GB).

This is a fix for finding 5.2 from the OSTIF / Quarkslab audit.

This patch was cherry-picked from b727643c (release/2.3).

CVE: 2017-7479
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1494537221-12050-3-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14645.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

crypto.c		diff \| blob \| blame \| history
packet_id.c		diff \| blob \| blame \| history
packet_id.h		diff \| blob \| blame \| history