mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
b364711486
OpenVPN currently has a bit of a weakness in its early three way handshake
A single client reset packet (first packet of the handshake) will
- trigger creating a session on the server side leading to potential
ressource exhaustion
- make the server respond with 3 answers trying to get an ACK for its
P_CONTROL_HARD_RESET_SERVER_V2 answer making it an amplification
Instead of allocating a connection for each client on the initial packet
OpenVPN will now calculate a session id based on a HMAC that serves as
verifiable cookie that can be checked for authenticity when the client
responds with it. This eliminates the amplification attack and resource
exhaustion attacks.
For tls-crypt-v2 clients the HMAC based handshake is not used yet (will
be added in one of the next patches).
Patch v2: rebase on master
patch v3: fix unit tests, improve comment/style of code
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220502154310.836947-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24262.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
||
|---|---|---|
| .. | ||
| doc_compression.h | ||
| doc_control_processor.h | ||
| doc_control_tls.h | ||
| doc_data_control.h | ||
| doc_data_crypto.h | ||
| doc_eventloop.h | ||
| doc_external_multiplexer.h | ||
| doc_fragmentation.h | ||
| doc_internal_multiplexer.h | ||
| doc_key_generation.h | ||
| doc_mainpage.h | ||
| doc_memory_management.h | ||
| doc_protocol_overview.h | ||
| doc_reliable.h | ||
| doc_tunnel_state.h | ||
| Makefile.am | ||
| openvpn.doxyfile.in | ||