author | Steffan Karger | 2016-11-22 21:41:26 +0100 |
---|---|---|
committer | Gert Doering | 2016-11-22 22:20:50 +0100 |
commit | 418d2d98489dfe7afafcaf21828541d034afb7f4 (patch) | |
tree | 99ff4eb5af349b800079df01c2ebf1274f6668d4 /src/openvpn/ssl.c | |
parent | 39b7d4da02c40e76640c4da96ef7da7a6354cc00 (diff) | |
--tls-crypt fixes
* Check return value of buf_init() (found by coverity)
* Use the TLS frame to determine the buffer size, as is done for the
reliability buffers used for tls-auth. (We previously incorrectly used
the TLS *plaintext* buffer size, which is bigger for typical setups
with tun-mtu <= 1500. Using the frame to calculate the size saves some
bytes for typical setups, and doesn't break setups with big tun-mtu.)
* More carefully handle errors in tls_crypt_wrap() - just drop the packet
instead of ASSERT()ing out (should not happen in the first place, but
this is a bit more friendly if it happens somehow anyway).
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1479847286-17518-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13204.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r-- | src/openvpn/ssl.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index dc06350..97e9aab 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -973,7 +973,7 @@ tls_session_init (struct tls_multi *multi, struct tls_session *session)
 /* Initialize control channel authentication parameters */
 session->tls_wrap = session->opt->tls_wrap;
- session->tls_wrap.work = alloc_buf (TLS_CHANNEL_BUF_SIZE);
+ session->tls_wrap.work = alloc_buf (BUF_SIZE (&session->opt->frame));
 /* initialize packet ID replay window for --tls-auth */
 packet_id_init (&session->tls_wrap.opt.packet_id,
@@ -1320,13 +1320,20 @@ write_control_auth (struct tls_session *session,
 }
 else if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
 {
- buf_init (&session->tls_wrap.work, buf->offset);
+ ASSERT (buf_init (&session->tls_wrap.work, buf->offset));
 ASSERT (buf_write (&session->tls_wrap.work, &header, sizeof(header)));
 ASSERT (session_id_write (&session->session_id, &session->tls_wrap.work));
- ASSERT (tls_crypt_wrap (buf, &session->tls_wrap.work, &session->tls_wrap.opt));
- /* Don't change the original data in buf, it's used by the reliability
- * layer to resend on failure. */
- *buf = session->tls_wrap.work;
+ if (tls_crypt_wrap (buf, &session->tls_wrap.work, &session->tls_wrap.opt))
+ {
+ /* Don't change the original data in buf, it's used by the reliability
+ * layer to resend on failure. */
+ *buf = session->tls_wrap.work;
+ }
+ else
+ {
+ buf->len = 0;
+ return;
+ }
 }
 *to_link_addr = &ks->remote_addr;
 } |
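Review bot: The new size `BUF_SIZE (&session->opt->frame)` in tls_session_init relies on an unstated invariant: the frame must already leave room for everything write_control_auth later puts into `tls_wrap.work` (the header, the session id and whatever tls_crypt_wrap adds), and the commit message says this is smaller than the old constant for typical setups. A packet that does not fit would either trip one of the ASSERTs or be dropped in write_control_auth, so the assumption deserves a comment at the allocation, e.g. `/* sized from the TLS frame like the reliability buffers; frame must include the tls-crypt overhead */`. It is also worth confirming the frame is final when tls_session_init runs, since nothing visible here resizes the buffer afterwards. The function body extends beyond the hunk on both sides.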
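Review bot: The new else branch in write_control_auth returns before `*to_link_addr = &ks->remote_addr;` and logs nothing, so a failed tls_crypt_wrap() leaves the caller's to_link_addr unassigned and the drop invisible to operators. Callers have to treat `buf->len == 0` as "nothing to send" before touching the address; a comment such as `/* wrap failed: drop the packet, *to_link_addr is intentionally left unset */` would make that contract explicit, and `msg (D_TLS_ERRORS, "tls_crypt_wrap failed, dropping control packet");` would give a detection signal unless tls_crypt_wrap already reports the failure itself. The three ASSERTs above the branch, including the newly added one on buf_init, still abort the process, so it should be confirmed that none of them can be reached through peer-influenced sizes. The function starts outside the hunk.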