git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Arne Schwabe <arne@rfc2549.org>
	Tue, 1 Apr 2025 17:30:37 +0000 (19:30 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Wed, 2 Apr 2025 06:24:00 +0000 (08:24 +0200)
commit	82ee2fe4b42d9988c59ae3f83bd56a54d54e8c76
tree	ed1ffc6b041b919bcf98f1babe9bc6cec18eafa1	tree
parent	f60a49362515a87ccf8db406ef422499adf34eb7	commit \| diff

Allow tls-crypt-v2 to be setup only on initial packet of a session

This fixes an internal server error condition that can be triggered by a
malicous authenticated client, a very unlucky corruption of packets in
transit or by an attacker that is able to inject a specially created
packet at the right time and is able to observe the traffic to construct
the packet.

The error condition results in an ASSERT statement being triggered,

NOTE: due to the security sensitive nature, this patch was prepared
under embargo on the security@openvpn.net mailing list, and thus has
no publically available "mailing list discussion before merge" URL.

CVE: 2025-2704
Change-Id: I07c1352204d308e5bde5f0b85e561a5dd0bc63c8
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <385d88f0-d7c9-4330-82ff-9f5931183afd@rfc2549.org>
Signed-off-by: Gert Doering <gert@greenie.muc.de>

src/openvpn/ssl.c		diff \| blob \| blame \| history
src/openvpn/ssl_common.h		diff \| blob \| blame \| history
src/openvpn/ssl_pkt.c		diff \| blob \| blame \| history
src/openvpn/ssl_pkt.h		diff \| blob \| blame \| history
src/openvpn/tls_crypt.c		diff \| blob \| blame \| history
src/openvpn/tls_crypt.h		diff \| blob \| blame \| history
tests/unit_tests/openvpn/test_tls_crypt.c		diff \| blob \| blame \| history