From 53ed7276945dcc7ca474b2f1fb400ce3d14b7561 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Sun, 19 Oct 2014 20:26:40 +0200
Subject: fixes for session id
--HG--
extra : rebase_source : 2e61ba41bbfe03c9bb6c3d402151ec4466270fb2
---
main/openvpn/config-version.h | 2 +-
main/openvpn/src/openvpn/crypto.c | 2 +-
main/openvpn/src/openvpn/mudp.c | 6 ++++--
3 files changed, 6 insertions(+), 4 deletions(-)
(limited to 'main/openvpn')
diff --git a/main/openvpn/config-version.h b/main/openvpn/config-version.h
index 762b9dc6..ff7575de 100644
--- a/main/openvpn/config-version.h
+++ b/main/openvpn/config-version.h
@@ -1,2 +1,2 @@
-#define CONFIGURE_GIT_REVISION "icsopenvpn_618-e63b88d330782d14"
+#define CONFIGURE_GIT_REVISION "icsopenvpn_619-c77887f504ec4f11"
 #define CONFIGURE_GIT_FLAGS ""
diff --git a/main/openvpn/src/openvpn/crypto.c b/main/openvpn/src/openvpn/crypto.c
index 62c4ab28..59a6c737 100644
--- a/main/openvpn/src/openvpn/crypto.c
+++ b/main/openvpn/src/openvpn/crypto.c
@@ -430,7 +430,7 @@ crypto_test_hmac (struct buffer *buf, const struct crypto_options *opt)
 hmac_ctx_final (ctx->hmac, local_hmac);
 /* Compare locally computed HMAC with packet HMAC */
- if (memcmp (local_hmac, BPTR (buf) + offset, hmac_len))
+ if (memcmp_constant_time (local_hmac, BPTR (buf) + offset, hmac_len))
 {
 gc_free (&gc);
 return false;
diff --git a/main/openvpn/src/openvpn/mudp.c b/main/openvpn/src/openvpn/mudp.c
index 7a6911ca..f6349dbf 100644
--- a/main/openvpn/src/openvpn/mudp.c
+++ b/main/openvpn/src/openvpn/mudp.c
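Review bot: The comment above the comparison in crypto_test_hmac (crypto.c hunk) does not say why a constant-time compare is needed, so a later cleanup could quietly turn it back into `memcmp`. I would extend it to `/* Compare locally computed HMAC with packet HMAC in constant time, so the position of the first differing byte is not observable through timing */`. `memcmp_constant_time` is not defined in this patch (the diffstat shows a single changed line in crypto.c), so it presumably already exists in the tree; confirm that it returns non-zero on mismatch as `memcmp` does, because the `if` relies on that. The function body starts and ends outside the hunk.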
@@ -119,8 +119,10 @@ multi_get_create_instance_udp (struct multi_context *m)
 if (!link_socket_actual_match(&mi->context.c2.from, &m->top.c2.from))
 {
- msg(D_MULTI_MEDIUM, "floating detected from %s to %s",
- print_link_socket_actual (&mi->context.c2.from, &gc), print_link_socket_actual (&m->top.c2.from, &gc));
+ msg(D_MULTI_MEDIUM, "floating detected from %s to %s (session id: %d)",
+ print_link_socket_actual (&mi->context.c2.from, &gc),
+ print_link_socket_actual (&m->top.c2.from, &gc),
+ sess_id);
 /* session-id is not trusted, so check hmac */
 session_forged = !(crypto_test_hmac(&m->top.c2.buf, &mi->context.c2.crypto_options));
-- cgit v1.2.3
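Review bot: The `msg()` call in multi_get_create_instance_udp (mudp.c hunk) reports "floating detected" with `sess_id` before the HMAC check that follows it, and the next comment itself says the session id is not trusted. At D_MULTI_MEDIUM verbosity an unauthenticated packet therefore produces a log line that reads like a confirmed address change, which can mislead whoever triages the log. I would either move the message after `session_forged` is computed or word it as unverified, e.g. `"float requested from %s to %s (session id: %d, unverified)"`. The declaration of `sess_id` is outside the hunk; if it is an unsigned type, `%u` is the matching conversion. The enclosing block continues outside the hunk.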