diff options
author | Steffan Karger | 2017-05-09 21:30:09 +0200 |
---|---|---|
committer | David Sommerseth | 2017-05-11 01:17:02 +0200 |
commit | e498cb0ea8d3a451b39eaf6f9b6a7488f18250b8 (patch) | |
tree | b36f9b2e75b101c59b3a11e1d762b7b4feadce58 /tests | |
parent | 5774cf4c25e1d8bf4e544702db8f157f111c9d93 (diff) | |
download | openvpn-e498cb0ea8d3a451b39eaf6f9b6a7488f18250b8.zip openvpn-e498cb0ea8d3a451b39eaf6f9b6a7488f18250b8.tar.gz |
Drop packets instead of assert out if packet id rolls over (CVE-2017-7479)
Previously, if a mode was selected where packet ids are not allowed to roll
over, but renegotiation does not succeed for some reason (e.g. no password
entered in time, certificate expired or a malicious peer that refuses the
renegotiaion on purpose) we would continue to use the old keys. Until the
packet ID would roll over and we would ASSERT() out.
Given that this can be triggered on purpose by an authenticated peer, this
is a fix for an authenticated remote DoS vulnerability. An attack is
rather inefficient though; a peer would need to get us to send 2^32
packets (min-size packet is IP+UDP+OPCODE+PID+TAG (no payload), results in
(20+8+1+4+16)*2^32 bytes, or approx. 196 GB).
This is a fix for finding 5.2 from the OSTIF / Quarkslab audit.
CVE: 2017-7479
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <1494358209-4568-3-git-send-email-steffan.karger@fox-it.com>
URL: http://www.mail-archive.com/search?l=mid&q=1494358209-4568-3-git-send-email-steffan.karger@fox-it.com
Signed-off-by: David Sommerseth <davids@openvpn.net>
Diffstat (limited to 'tests')
-rw-r--r-- | tests/unit_tests/openvpn/test_packet_id.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/tests/unit_tests/openvpn/test_packet_id.c b/tests/unit_tests/openvpn/test_packet_id.c index 5627a5b..0a785ad 100644 --- a/tests/unit_tests/openvpn/test_packet_id.c +++ b/tests/unit_tests/openvpn/test_packet_id.c @@ -129,8 +129,7 @@ test_packet_id_write_short_wrap(void **state) struct test_packet_id_write_data *data = *state; data->pis.id = ~0; - expect_assert_failure( - packet_id_write(&data->pis, &data->test_buf, false, false)); + assert_false(packet_id_write(&data->pis, &data->test_buf, false, false)); } static void @@ -139,8 +138,16 @@ test_packet_id_write_long_wrap(void **state) struct test_packet_id_write_data *data = *state; data->pis.id = ~0; + data->pis.time = 5006; + + /* Write fails if time did not change */ + now = 5006; + assert_false(packet_id_write(&data->pis, &data->test_buf, true, false)); + + /* Write succeeds if time moved forward */ now = 5010; assert_true(packet_id_write(&data->pis, &data->test_buf, true, false)); + assert(data->pis.id == 1); assert(data->pis.time == now); assert_true(data->test_buf_data.buf_id == htonl(1)); |