From: cron2 (C. Review) <ge...@op...> - 2025-03-27 16:09:24

cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/921?usp=email )

The following approvals got outdated and were removed: Code-Review+2 by MaxF

Change subject: Do not leave half-initialised key wrap struct when dynamic tls-crypt fails
......................................................................

Do not leave half-initialised key wrap struct when dynamic tls-crypt fails

In case key_state_export_keying_material fails, we left a half-initialised tls_wrap_reneg structure in the tls_session. Later calls that try to free this structure cause freeing of invalid memory locations.

To test: make key_state_export_keying_material return false even though HAVE_EXPORT_KEYING_MATERIAL is defined and connect to a server supporting dynamic tls-crypt (2.6.0+)

Change-Id: I54073f8b63894a62699f6ecdc90a77f9f131205b
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: MaxF <ma...@ma...>
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg31267.html
Signed-off-by: Gert Doering <ge...@gr...>
---
M src/openvpn/tls_crypt.c
1 file changed, 9 insertions(+), 10 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/21/921/2

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index eb7b03d..9e9807d 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -97,6 +97,15 @@ bool tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session) { + struct key2 rengokeys; + if (!key_state_export_keying_material(session, EXPORT_DYNAMIC_TLS_CRYPT_LABEL, + strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL), + rengokeys.keys, sizeof(rengokeys.keys))) + { + return false; + } + rengokeys.n = 2; + session->tls_wrap_reneg.opt = session->tls_wrap.opt; session->tls_wrap_reneg.mode = TLS_WRAP_CRYPT; session->tls_wrap_reneg.cleanup_key_ctx = true; 
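Review bot: the reordering in the @@ -97,6 +97,15 @@ hunk is the entire fix, yet nothing in the new code records why the key_state_export_keying_material() call must stay ahead of the session->tls_wrap_reneg assignments; a one-line comment above `struct key2 rengokeys;` such as `/* Export keying material first: a failure must leave tls_wrap_reneg untouched. */` would keep a later refactor from moving the call back down. The early `return false;` is otherwise correct in this position, because the hunk context shows it is now the first statement in the function body, so no partially set field is left behind for the caller's cleanup to free.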
@@ -108,16 +117,6 @@ session->opt->replay_time, "TLS_WRAP_RENEG", session->key_id); - - struct key2 rengokeys; - if (!key_state_export_keying_material(session, EXPORT_DYNAMIC_TLS_CRYPT_LABEL, - strlen(EXPORT_DYNAMIC_TLS_CRYPT_LABEL), - rengokeys.keys, sizeof(rengokeys.keys))) - { - return false; - } - rengokeys.n = 2; - if (session->tls_wrap.mode == TLS_WRAP_CRYPT || session->tls_wrap.mode == TLS_WRAP_AUTH) { -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/921?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I54073f8b63894a62699f6ecdc90a77f9f131205b Gerrit-Change-Number: 921 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: MaxF <ma...@ma...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
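Review bot: the @@ -108,16 +117,6 @@ hunk deletes both the blank line before `struct key2 rengokeys;` and the one after `rengokeys.n = 2;`, so in the resulting code the `"TLS_WRAP_RENEG", session->key_id);` call is followed directly by `if (session->tls_wrap.mode == TLS_WRAP_CRYPT ||`; keep one of the two removed blank lines so the tls_wrap_reneg initialisation stays visually separated from the mode check, as it was before the change.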