
List:       openvpn-devel
Subject:    [Openvpn-devel] [PATCH] Ensure tls session is authenticated before sending push reply
From:       Arne Schwabe <arne () rfc2549 ! org>
Date:       2021-06-24 13:08:40
Message-ID: 20210624130840.2583433-1-arne () rfc2549 ! org

We ensure here that the TLS session is authenticated before sending
a push_reply.

This is a part of the fix for CVE-2020-15078 in the master branch.
---
 src/openvpn/push.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index b6f1252d2..b27f401e1 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -863,7 +863,8 @@ process_incoming_push_request(struct context *c)
         send_auth_failed(c, client_reason);
         ret = PUSH_MSG_AUTH_FAILURE;
     }
-    else if (c->c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
+    else if (tls_authentication_status(c->c2.tls_multi) == TLS_AUTHENTICATION_SUCCEEDED
+        && c->c2.tls_multi->multi_state >= CAS_CONNECT_DONE)
     {
         time_t now;
 
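Review bot: The new condition on the `else if` in process_incoming_push_request() has no comment explaining why `multi_state >= CAS_CONNECT_DONE` alone is not sufficient, so a later cleanup could remove the tls_authentication_status() call as apparently redundant. A short comment above the `else if` stating that a push reply may only be sent to a session whose authentication has succeeded, with the CVE-2020-15078 reference from the commit message, would guard against that. The remaining branches of this if/else chain are outside the hunk, so please also confirm what they return when the status is anything other than TLS_AUTHENTICATION_SUCCEEDED, so that a request from a not-yet-authenticated client is not answered.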
-- 
2.32.0



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel