Stared at the code a bit, discussed on IRC about "what state does what?"
- so this new state is "TLS is ok, waiting for (deferred) authentication"
and CAS_PENDING* is "waiting for (deferred) *client-connect* things" -
which MUST NOT run before authentication is finished (= CVE...).
With that explanation, the changes looks straightforward enough, with the
new state added and the explanation given.
Arne also stated that a patch will come that better documents all
CAS_ values.
Tested on the client side (no surprises) and on the server side test
rig, with all the nasties - deferred plugin auth, deferred client connect,
deferred script auth, succeeding and failing, config from ccd/ and from
--client-connect scripts - and it behaved nicely.
[Note: I still have no test rig with management auth, so we need to trust
the AS QA team to test all these cases...]
This still does not fix the "PUSH_REPLY is sent too quickly" CVE in
all cases, it seems. But with the *next* one, it is finally fixed.
As discussed on IRC, added a note about the CVE to the commit message.
Your patch has been applied to the master branch.
commit 489c45fb373adfb22c2f1dd0a524bde17c686876
Author: Arne Schwabe
Date: Fri Jun 4 16:39:38 2021 +0200
Make waiting on auth an explicit state in the context state machine
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
Acked-by: Antonio Quartulli <anto...@openvpn.net>
Message-Id: <20210604143938.779193-1-a...@rfc2549.org>
URL:
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22491.html
Signed-off-by: Gert Doering <g...@greenie.muc.de>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
