Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1478?usp=email
to review the following change.
Change subject: tls_multi_process: promote lame duck key to primary after reneg
......................................................................
tls_multi_process: promote lame duck key to primary after reneg
When a key is negotiated, the transition window logic imposes a delay
before fully adopting the new key. The auth_deferred_expire field
indicates the interval we must wait before considering the key fully
usable (see tls_select_encryption_key). However, in an unfortunate
scenario where the remote peer uses a reneg-sec interval lower than our
handshake window or lower than half of our reneg-sec interval, we end up
initializing every key with an auth_deferred_expire value that never
expires. This leads to selecting the wrong key when invoking
tls_select_encryption_key.
To ensure we always have a fully valid key, whenever a renegotiation
happens, promote the old key even if its auth_deferred_expire has not
yet expired.
Change-Id: I704c560fa23c03237d0f8adc30908a617265a5a1
---
M src/openvpn/ssl.c
1 file changed, 5 insertions(+), 0 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/78/1478/1
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 69d0e4e..6a28b64 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -3310,6 +3310,11 @@
ks->state = S_ERROR_PRE;
}
+ /* make the lame duck key the primary one while we transition to
+ * the new one */
+ struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
+ ks_lame->auth_deferred_expire = now;
+
/* Update auth token on the client if needed on renegotiation
* (key id !=0) */
if (session->key[KS_PRIMARY].key_id != 0)
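Review bot: the comment on the inserted block says the lame duck key is made "the primary one", but the code only sets `ks_lame->auth_deferred_expire = now`, i.e. it ends the deferral window so tls_select_encryption_key treats that key as fully usable; the key slot itself is not changed. Reword the comment to say that, and consider guarding the write on the lame duck slot actually holding an established key rather than assigning to `session->key[KS_LAME_DUCK]` unconditionally (when the slot is unused or already past its window the write is at best a no-op, and the guard documents the intent). Given the root cause stated in the commit message (every key is initialised with an auth_deferred_expire that never expires when the peer's reneg-sec is shorter than our handshake window or half of our reneg-sec), the message should also say why the fix lives here rather than where auth_deferred_expire is computed, since the new primary key still carries the non-expiring value until the next renegotiation moves it into the lame duck slot.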
--
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I704c560fa23c03237d0f8adc30908a617265a5a1
Gerrit-Change-Number: 1478
Gerrit-PatchSet: 1
Gerrit-Owner: ralf_lici <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel