new upstream

parent 7da22c96
openvpn (2.3.0-2) unstable; urgency=low
openvpn (2.3.1-1) unstable; urgency=low
* Applied patch use of non-constant-time memcmp in HMAC comparison.
CVE-2013-2061 (Closes: #707329)
* New upstream version. Fixes use of non-constant-time memcmp in HMAC
comparison. CVE-2013-2061 (Closes: #707329)
-- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 17 May 2013 11:54:31 +0200
From 11d21349a4e7e38a025849479b36ace7c2eec2ee Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan.karger@fox-it.com>
Date: Tue, 19 Mar 2013 13:01:50 +0100
Subject: [PATCH] Use constant time memcmp when comparing HMACs in
openvpn_decrypt.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/buffer.h | 8 ++++++++
src/openvpn/crypto.c | 20 +++++++++++++++++++-
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
index 7cae733..93efb09 100644
--- a/src/openvpn/buffer.h
+++ b/src/openvpn/buffer.h
@@ -668,6 +668,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
}
}
+/**
+ * Compare src buffer contents with match.
+ * *NOT* constant time. Do not use when comparing HMACs.
+ */
static inline bool
buf_string_match (const struct buffer *src, const void *match, int size)
{
@@ -676,6 +680,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
return memcmp (BPTR (src), match, size) == 0;
}
+/**
+ * Compare first size bytes of src buffer contents with match.
+ * *NOT* constant time. Do not use when comparing HMACs.
+ */
static inline bool
buf_string_match_head (const struct buffer *src, const void *match, int size)
{
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 405c0aa..d9adf5b 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -65,6 +65,24 @@
#define CRYPT_ERROR(format) \
do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
+/**
+ * As memcmp(), but constant-time.
+ * Returns 0 when data is equal, non-zero otherwise.
+ */
+static int
+memcmp_constant_time (const void *a, const void *b, size_t size) {
+ const uint8_t * a1 = a;
+ const uint8_t * b1 = b;
+ int ret = 0;
+ size_t i;
+
+ for (i = 0; i < size; i++) {
+ ret |= *a1++ ^ *b1++;
+ }
+
+ return ret;
+}
+
void
openvpn_encrypt (struct buffer *buf, struct buffer work,
const struct crypto_options *opt,
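Review bot: `memcmp_constant_time` is `static` in crypto.c, so the warnings this same patch adds to `buf_string_match` and `buf_string_match_head` in buffer.h ("Do not use when comparing HMACs") leave every other translation unit with no sanctioned replacement; declaring it in crypto.h (or beside those helpers in buffer.h) would let future MAC comparisons reuse it instead of reintroducing `memcmp`. The helper itself is structurally sound — XOR-then-OR accumulation does the same work regardless of where the first mismatch lies and yields 0 only when every byte matches — but that property is a convention the compiler is not obliged to preserve, so a comment on the loop such as `/* OR-accumulate, never branch on data: timing must not reveal the mismatch position */` would guard it against a well-meaning "return early on first difference" refactor. The brace placement (`{` on the signature line and on the `for`) also looks out of step with the surrounding file, which puts the return type and function name on separate lines as `openvpn_encrypt` at the bottom of the hunk shows; its brace convention is not visible here, but matching the local layout keeps the helper from standing out. The `openvpn_encrypt` signature that closes the hunk continues outside it.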
@@ -244,7 +262,7 @@
hmac_ctx_final (ctx->hmac, local_hmac);
/* Compare locally computed HMAC with packet HMAC */
- if (memcmp (local_hmac, BPTR (buf), hmac_len))
+ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
CRYPT_ERROR ("packet HMAC authentication failed");
ASSERT (buf_advance (buf, hmac_len));
--
1.8.1.6
......@@ -3,9 +3,9 @@ Author: Gonéri Le Bouder <goneri@rulezlan.org>
Bug-Debian: http://bugs.debian.org/626062
Index: openvpn/src/openvpn/route.c
===================================================================
--- openvpn.orig/src/openvpn/route.c 2012-11-05 16:29:30.292804798 +0100
+++ openvpn/src/openvpn/route.c 2012-11-05 16:48:38.766499773 +0100
@@ -1412,7 +1412,7 @@
--- openvpn.orig/src/openvpn/route.c 2013-05-17 12:04:05.250078543 +0200
+++ openvpn/src/openvpn/route.c 2013-05-17 12:04:05.242078504 +0200
@@ -1415,7 +1415,7 @@
argv_msg (D_ROUTE, &argv);
status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add command failed");
......@@ -16,9 +16,9 @@ Index: openvpn/src/openvpn/route.c
ROUTE_PATH);
Index: openvpn/src/openvpn/tun.c
===================================================================
--- openvpn.orig/src/openvpn/tun.c 2012-11-05 16:29:30.296804820 +0100
+++ openvpn/src/openvpn/tun.c 2012-11-05 16:48:38.770499790 +0100
@@ -1097,7 +1097,7 @@
--- openvpn.orig/src/openvpn/tun.c 2013-05-17 12:04:05.250078543 +0200
+++ openvpn/src/openvpn/tun.c 2013-05-17 12:04:05.246078520 +0200
@@ -1089,7 +1089,7 @@
add_route_connected_v6_net(tt, es);
}
......@@ -2,8 +2,8 @@ Description: Man page fixes
Author: Alberto Gonzalez Iniesta <agi@inittab.org>
Index: openvpn/doc/openvpn.8
===================================================================
--- openvpn.orig/doc/openvpn.8 2012-11-05 16:46:31.765870008 +0100
+++ openvpn/doc/openvpn.8 2012-11-05 16:51:54.803471868 +0100
--- openvpn.orig/doc/openvpn.8 2013-05-17 12:04:17.678140187 +0200
+++ openvpn/doc/openvpn.8 2013-05-17 12:04:17.674140147 +0200
@@ -21,13 +21,13 @@
.\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
.\"
......@@ -20,7 +20,7 @@ Index: openvpn/doc/openvpn.8
.\" .nf -- no formatting
.\" .fi -- resume formatting
.\" .ft 3 -- boldface
@@ -2506,7 +2506,7 @@
@@ -2513,7 +2513,7 @@
.B \-\-management-signal
Send SIGUSR1 signal to OpenVPN if management session disconnects.
This is useful when you wish to disconnect an OpenVPN session on
......@@ -29,7 +29,7 @@ Index: openvpn/doc/openvpn.8
a disconnect will always generate a SIGTERM.
.\"*********************************************************
.TP
@@ -3865,7 +3865,7 @@
@@ -3889,7 +3889,7 @@
This option is only relevant in UDP mode, i.e.
when either
.B \-\-proto udp
......@@ -38,16 +38,7 @@ Index: openvpn/doc/openvpn.8
.B \-\-proto
option is specified.
@@ -4650,7 +4650,7 @@
Field in x509 certificate subject to be used as username (default=CN).
.B Fieldname
will be uppercased before matching. When this option is used, the
---tls-remote option will match against the chosen fieldname instead
+\-\-tls-remote option will match against the chosen fieldname instead
of the CN.
.\"*********************************************************
.TP
@@ -4935,7 +4935,7 @@
@@ -5012,7 +5012,7 @@
This option have changed behaviour in OpenVPN 2.3. Earlier you had to
define
......@@ -56,7 +47,7 @@ Index: openvpn/doc/openvpn.8
to use the SystemRoot environment variable, otherwise it defaulted to C:\\WINDOWS.
It is not needed to use the
.B env
@@ -4978,7 +4978,7 @@
@@ -5055,7 +5055,7 @@
.B \-\-dev tun
mode, OpenVPN will cause the DHCP server to masquerade as if it were
coming from the remote endpoint. The optional offset parameter is
......@@ -65,7 +56,7 @@ Index: openvpn/doc/openvpn.8
If offset is positive, the DHCP server will masquerade as the IP
address at network address + offset.
If offset is negative, the DHCP server will masquerade as the IP
@@ -5272,26 +5272,26 @@
@@ -5349,26 +5349,26 @@
documentation of the IPv6-related options. More documentation can be
found on http://www.greenie.net/ipv6/openvpn.html.
.TP
......@@ -100,7 +91,7 @@ Index: openvpn/doc/openvpn.8
Specify an IPv6 address pool for dynamic assignment to clients. The
pool starts at
.B ipv6addr
@@ -5299,20 +5299,20 @@
@@ -5376,20 +5376,20 @@
.B /bits
setting controls the size of the pool.
.TP
......@@ -128,7 +119,7 @@ Index: openvpn/doc/openvpn.8
interact.
.\"*********************************************************
@@ -5798,7 +5798,7 @@
@@ -5875,7 +5875,7 @@
.TP
.B peer_cert
Temporary file name containing the client certificate upon
......@@ -3,9 +3,9 @@ Author: Florian Kulzer <florian.kulzer+debian@icfo.es>
Bug-Debian: http://bugs.debian.org/475353
Index: openvpn/src/openvpn/options.c
===================================================================
--- openvpn.orig/src/openvpn/options.c 2012-11-05 16:29:30.284804762 +0100
+++ openvpn/src/openvpn/options.c 2012-11-05 16:44:12.873181274 +0100
@@ -6098,6 +6098,20 @@
--- openvpn.orig/src/openvpn/options.c 2013-05-17 12:03:56.574035519 +0200
+++ openvpn/src/openvpn/options.c 2013-05-17 12:03:56.570035501 +0200
@@ -6119,6 +6119,20 @@
{
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
}
......@@ -2,9 +2,9 @@ Description: Fix small wording in man page.
Author: Alberto Gonzalez Iniesta <agi@inittab.org>
Index: openvpn/doc/openvpn.8
===================================================================
--- openvpn.orig/doc/openvpn.8 2012-11-05 16:29:30.256804617 +0100
+++ openvpn/doc/openvpn.8 2012-11-05 16:46:31.765870008 +0100
@@ -945,7 +945,7 @@
--- openvpn.orig/doc/openvpn.8 2013-05-17 12:04:01.742061149 +0200
+++ openvpn/doc/openvpn.8 2013-05-17 12:04:01.738061129 +0200
@@ -952,7 +952,7 @@
otherwise 0.
The default can be specified by leaving an option blank or setting
cve-2013-2061.patch
auth-pam_libpam_so_filename.patch
close_socket_before_scripts.patch
debian_nogroup_for_sample_files.patch