git.feebdaed.xyz Git - 0xmirror/openvpn.git/commit
Fix memcmp check for the hmac verification in the 3way handshake being inverted
author Arne Schwabe <arne@rfc2549.org>
Mon, 27 Oct 2025 09:05:55 +0000 (10:05 +0100)
committer Gert Doering <gert@greenie.muc.de>
Mon, 17 Nov 2025 09:08:36 +0000 (10:08 +0100)
commit 18c483dd6031d86eb393527855734e8cd62fea19
tree f4f3dccacea2b81a0b1735941c940659815a9795
parent f1b851dae60eb1e277315dfe6265e3a58660b16a
Fix memcmp check for the hmac verification in the 3way handshake being inverted

This is a stupid mistake but causes all hmac cookies to be accepted,
thus breaking source IP address validation. As a consequence, TLS
sessions can be opened and state can be consumed in the server from
IP addresses that did not initiate an initial connection.

While at it, fix check to only allow [t-2;t] timeslots, disallowing
HMACs coming in from a future timeslot.

Github: OpenVPN/openvpn-private-issues#56

CVE: 2025-13086

Reported-By: Joshua Rogers <contact@joshua.hu>
Found-by: ZeroPath (https://zeropath.com/)
Reported-By: stefan@srlabs.de
Change-Id: I9cbe2bf535575b47ddd7f34e985c5c1c6953a6fc
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <max@max-fillinger.net>
src/openvpn/ssl_pkt.c
tests/unit_tests/openvpn/test_pkt.c
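The bug class named in the commit message, as an added illustration in C (not OpenVPN's code and not part of this commit): a memcmp-style compare returns 0 on equality, so testing it the wrong way round accepts every cookie, while the correct test accepts only cookies bound to the source address and a slot in [t-2;t]. All names (`toy_mac`, `ct_memcmp`, `cookie_ok`), the key, the addresses and the slot numbers are hypothetical, and a keyed FNV-1a hash stands in for the real HMAC.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_SIZE 8 /* cookie length in this sketch (assumption) */

/* Stand-in for the real HMAC: keyed FNV-1a over (source IP, timeslot).
 * NOT a secure MAC; it only keeps the example free of library dependencies. */
static void toy_mac(uint64_t key, uint32_t src_ip, int64_t slot, uint8_t out[SID_SIZE])
{
    uint64_t in[2] = { src_ip, (uint64_t)slot };
    const uint8_t *p = (const uint8_t *)in;
    uint64_t h = 0xcbf29ce484222325ULL ^ key;
    for (size_t i = 0; i < sizeof(in); i++)
        h = (h ^ p[i]) * 0x100000001b3ULL;
    memcpy(out, &h, SID_SIZE);
}

/* memcmp-style constant-time compare: returns 0 when equal, nonzero otherwise. */
static int ct_memcmp(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff;
}

/* Checks a cookie against slots [t-2;t]. With inverted=true the result of the
 * compare is tested the wrong way round, which is the bug class described. */
static bool cookie_ok(uint64_t key, uint32_t src_ip, int64_t t,
                      const uint8_t cookie[SID_SIZE], bool inverted)
{
    for (int off = -2; off <= 0; off++) {
        uint8_t expected[SID_SIZE];
        toy_mac(key, src_ip, t + off, expected);
        int cmp = ct_memcmp(expected, cookie, SID_SIZE);
        if (inverted ? cmp != 0 : cmp == 0)
            return true;
    }
    return false;
}

int main(void)
{
    uint8_t forged[SID_SIZE] = { 0 }; /* constructed: bytes not derived from the key */
    printf("inverted accepts forged: %d\n", cookie_ok(0x1234, 0xC0A80001, 1000, forged, true));
    printf("correct accepts forged:  %d\n", cookie_ok(0x1234, 0xC0A80001, 1000, forged, false));
    return 0;
}
```

A regression test for this kind of check should include at least one negative case (wrong cookie, stale slot, future slot), since a test suite that only feeds valid cookies passes with the inverted comparison too.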