From af433564b4d75e86f9bd706986aee220eb07bcba Mon Sep 17 00:00:00 2001
From: Arne Schwabe <arne@rfc2549.org>
Date: Tue, 6 Apr 2021 00:05:21 +0200
Subject: [PATCH] Ensure key state is authenticated before sending push reply

This ensures that the key state is authenticated when sending
a push reply.

CVE-2020-15078

Change-Id: I0d45582cbc73e1633dae95e61883b8b82d11960a
---
 src/openvpn/push.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 6a30e47..cb0ae41 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -634,6 +634,7 @@ int
 process_incoming_push_request(struct context *c)
 {
     int ret = PUSH_MSG_ERROR;
+    struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
 
 #ifdef ENABLE_ASYNC_PUSH
     c->c2.push_request_received = true;
@@ -644,7 +645,12 @@ process_incoming_push_request(struct context *c)
         send_auth_failed(c, client_reason);
         ret = PUSH_MSG_AUTH_FAILURE;
     }
-    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
+    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
+             && ks->authenticated
+ #ifdef ENABLE_DEF_AUTH
+             && !ks->auth_deferred
+ #endif
+             )
     {
         time_t now;
 
-- 
2.7.4