author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2013-05-17 12:06:18 +0200 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2013-05-17 12:07:16 +0200 |
commit | 02a50fb2174994d24e9c707f0fc0378e760d1483 (patch) | |
tree | fadaa9b88271811b7bf0f30e1568665318f01c7f /debian | |
parent | 7da22c96dd646047e97732832331c84528bdc95e (diff) |
new upstream
Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | debian/patches/cve-2013-2061.patch | 81 | ||||
-rw-r--r-- | debian/patches/kfreebsd_support.patch | 12 | ||||
-rw-r--r-- | debian/patches/manpage_fixes.patch | 27 | ||||
-rw-r--r-- | debian/patches/openvpn-pkcs11warn.patch | 6 | ||||
-rw-r--r-- | debian/patches/route_default_nil.patch | 6 | ||||
-rw-r--r-- | debian/patches/series | 1 |
7 files changed, 24 insertions, 115 deletions
diff --git a/debian/changelog b/debian/changelog
index a5972f8..c3b972a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
-openvpn (2.3.0-2) unstable; urgency=low
+openvpn (2.3.1-1) unstable; urgency=low
- * Applied patch use of non-constant-time memcmp in HMAC comparison.
- CVE-2013-2061 (Closes: #707329)
+ * New upstream version. Fixes use of non-constant-time memcmp in HMAC
+ comparison. CVE-2013-2061 (Closes: #707329)
 -- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 17 May 2013 11:54:31 +0200
diff --git a/debian/patches/cve-2013-2061.patch b/debian/patches/cve-2013-2061.patch
deleted file mode 100644
index 531a27b..0000000
--- a/debian/patches/cve-2013-2061.patch
+++ /dev/null
@@ -1,81 +0,0 @@ -From 11d21349a4e7e38a025849479b36ace7c2eec2ee Mon Sep 17 00:00:00 2001 -From: Steffan Karger <steffan.karger@fox-it.com> -Date: Tue, 19 Mar 2013 13:01:50 +0100 -Subject: [PATCH] Use constant time memcmp when comparing HMACs in - openvpn_decrypt. - -Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> -Acked-by: Gert Doering <gert@greenie.muc.de> -Signed-off-by: Gert Doering <gert@greenie.muc.de> ---- - src/openvpn/buffer.h | 8 ++++++++ - src/openvpn/crypto.c | 20 +++++++++++++++++++- - 2 files changed, 27 insertions(+), 1 deletion(-) - -diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h -index 7cae733..93efb09 100644 ---- a/src/openvpn/buffer.h -+++ b/src/openvpn/buffer.h -@@ -668,6 +668,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...) - } - } - -+/** -+ * Compare src buffer contents with match. -+ * *NOT* constant time. Do not use when comparing HMACs. -+ */ - static inline bool - buf_string_match (const struct buffer *src, const void *match, int size) - { -@@ -676,6 +680,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...) - return memcmp (BPTR (src), match, size) == 0; - } - -+/** -+ * Compare first size bytes of src buffer contents with match. -+ * *NOT* constant time. Do not use when comparing HMACs. -+ */ - static inline bool - buf_string_match_head (const struct buffer *src, const void *match, int size) - { -diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c -index 405c0aa..d9adf5b 100644 ---- a/src/openvpn/crypto.c -+++ b/src/openvpn/crypto.c -@@ -65,6 +65,24 @@ - #define CRYPT_ERROR(format) \ - do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) - -+/** -+ * As memcmp(), but constant-time. -+ * Returns 0 when data is equal, non-zero otherwise. 
-+ */ -+static int -+memcmp_constant_time (const void *a, const void *b, size_t size) { -+ const uint8_t * a1 = a; -+ const uint8_t * b1 = b; -+ int ret = 0; -+ size_t i; -+ -+ for (i = 0; i < size; i++) { -+ ret |= *a1++ ^ *b1++; -+ } -+ -+ return ret; -+} -+ - void - openvpn_encrypt (struct buffer *buf, struct buffer work, - const struct crypto_options *opt, -@@ -244,7 +262,7 @@ - hmac_ctx_final (ctx->hmac, local_hmac); - - /* Compare locally computed HMAC with packet HMAC */ -- if (memcmp (local_hmac, BPTR (buf), hmac_len)) -+ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len)) - CRYPT_ERROR ("packet HMAC authentication failed"); - - ASSERT (buf_advance (buf, hmac_len)); --- -1.8.1.6 - diff --git a/debian/patches/kfreebsd_support.patch b/debian/patches/kfreebsd_support.patch index e070630..bfdee76 100644 --- a/debian/patches/kfreebsd_support.patch +++ b/debian/patches/kfreebsd_support.patch @@ -3,9 +3,9 @@ Author: Gonéri Le Bouder <goneri@rulezlan.org> Bug-Debian: http://bugs.debian.org/626062 Index: openvpn/src/openvpn/route.c =================================================================== ---- openvpn.orig/src/openvpn/route.c 2012-11-05 16:29:30.292804798 +0100 -+++ openvpn/src/openvpn/route.c 2012-11-05 16:48:38.766499773 +0100 -@@ -1412,7 +1412,7 @@ +--- openvpn.orig/src/openvpn/route.c 2013-05-17 12:04:05.250078543 +0200 ++++ openvpn/src/openvpn/route.c 2013-05-17 12:04:05.242078504 +0200 +@@ -1415,7 +1415,7 @@ argv_msg (D_ROUTE, &argv); status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add command failed"); 
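Review bot: Absolute timestamps in the refreshed `--- openvpn.orig/src/openvpn/route.c 2013-05-17 ...` / `+++ openvpn/src/openvpn/route.c 2013-05-17 ...` header lines of kfreebsd_support.patch are rewritten on every refresh against a new upstream, so this hunk (and the matching hunks in manpage_fixes.patch, openvpn-pkcs11warn.patch and route_default_nil.patch) changes four lines of which only the `@@ -1412` → `@@ -1415` offset carries information. That churn makes a real content change hard to spot in review: the manpage_fixes.patch hunk in the same commit also drops the whole `@@ -4650,7 +4650,7 @@` block that fixed the `--tls-remote` spelling under the x509 username-field text, presumably because upstream 2.3.1 now carries it, and that is easy to miss among the timestamp lines. Refreshing with `quilt refresh --no-timestamps` (or setting `QUILT_REFRESH_ARGS="-p ab --no-timestamps --no-index"` in ~/.quiltrc) keeps the patch headers stable so future diffs show only meaningful changes. The second hunk of kfreebsd_support.patch (tun.c) continues after this one.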
@@ -16,9 +16,9 @@ Index: openvpn/src/openvpn/route.c ROUTE_PATH); Index: openvpn/src/openvpn/tun.c =================================================================== ---- openvpn.orig/src/openvpn/tun.c 2012-11-05 16:29:30.296804820 +0100 -+++ openvpn/src/openvpn/tun.c 2012-11-05 16:48:38.770499790 +0100 -@@ -1097,7 +1097,7 @@ +--- openvpn.orig/src/openvpn/tun.c 2013-05-17 12:04:05.250078543 +0200 ++++ openvpn/src/openvpn/tun.c 2013-05-17 12:04:05.246078520 +0200 +@@ -1089,7 +1089,7 @@ add_route_connected_v6_net(tt, es); } diff --git a/debian/patches/manpage_fixes.patch b/debian/patches/manpage_fixes.patch index f228f4d..0a8f677 100644 --- a/debian/patches/manpage_fixes.patch +++ b/debian/patches/manpage_fixes.patch @@ -2,8 +2,8 @@ Description: Man page fixes Author: Alberto Gonzalez Iniesta <agi@inittab.org> Index: openvpn/doc/openvpn.8 =================================================================== ---- openvpn.orig/doc/openvpn.8 2012-11-05 16:46:31.765870008 +0100 -+++ openvpn/doc/openvpn.8 2012-11-05 16:51:54.803471868 +0100 +--- openvpn.orig/doc/openvpn.8 2013-05-17 12:04:17.678140187 +0200 ++++ openvpn/doc/openvpn.8 2013-05-17 12:04:17.674140147 +0200 @@ -21,13 +21,13 @@ .\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA .\" @@ -20,7 +20,7 @@ Index: openvpn/doc/openvpn.8 .\" .nf -- no formatting .\" .fi -- resume formatting .\" .ft 3 -- boldface -@@ -2506,7 +2506,7 @@ +@@ -2513,7 +2513,7 @@ .B \-\-management-signal Send SIGUSR1 signal to OpenVPN if management session disconnects. This is useful when you wish to disconnect an OpenVPN session on @@ -29,7 +29,7 @@ Index: openvpn/doc/openvpn.8 a disconnect will always generate a SIGTERM. .\"********************************************************* .TP -@@ -3865,7 +3865,7 @@ +@@ -3889,7 +3889,7 @@ This option is only relevant in UDP mode, i.e. when either .B \-\-proto udp 
@@ -38,16 +38,7 @@ Index: openvpn/doc/openvpn.8 .B \-\-proto option is specified. -@@ -4650,7 +4650,7 @@ - Field in x509 certificate subject to be used as username (default=CN). - .B Fieldname - will be uppercased before matching. When this option is used, the ----tls-remote option will match against the chosen fieldname instead -+\-\-tls-remote option will match against the chosen fieldname instead - of the CN. - .\"********************************************************* - .TP -@@ -4935,7 +4935,7 @@ +@@ -5012,7 +5012,7 @@ This option have changed behaviour in OpenVPN 2.3. Earlier you had to define @@ -56,7 +47,7 @@ Index: openvpn/doc/openvpn.8 to use the SystemRoot environment variable, otherwise it defaulted to C:\\WINDOWS. It is not needed to use the .B env -@@ -4978,7 +4978,7 @@ +@@ -5055,7 +5055,7 @@ .B \-\-dev tun mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is @@ -65,7 +56,7 @@ Index: openvpn/doc/openvpn.8 If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP -@@ -5272,26 +5272,26 @@ +@@ -5349,26 +5349,26 @@ documentation of the IPv6-related options. More documentation can be found on http://www.greenie.net/ipv6/openvpn.html. .TP @@ -100,7 +91,7 @@ Index: openvpn/doc/openvpn.8 Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at .B ipv6addr -@@ -5299,20 +5299,20 @@ +@@ -5376,20 +5376,20 @@ .B /bits setting controls the size of the pool. .TP @@ -128,7 +119,7 @@ Index: openvpn/doc/openvpn.8 interact. .\"********************************************************* -@@ -5798,7 +5798,7 @@ +@@ -5875,7 +5875,7 @@ .TP .B peer_cert Temporary file name containing the client certificate upon diff --git a/debian/patches/openvpn-pkcs11warn.patch b/debian/patches/openvpn-pkcs11warn.patch index 04325f8..1a1b50c 100644 
--- a/debian/patches/openvpn-pkcs11warn.patch +++ b/debian/patches/openvpn-pkcs11warn.patch @@ -3,9 +3,9 @@ Author: Florian Kulzer <florian.kulzer+debian@icfo.es> Bug-Debian: http://bugs.debian.org/475353 Index: openvpn/src/openvpn/options.c =================================================================== ---- openvpn.orig/src/openvpn/options.c 2012-11-05 16:29:30.284804762 +0100 -+++ openvpn/src/openvpn/options.c 2012-11-05 16:44:12.873181274 +0100 -@@ -6098,6 +6098,20 @@ +--- openvpn.orig/src/openvpn/options.c 2013-05-17 12:03:56.574035519 +0200 ++++ openvpn/src/openvpn/options.c 2013-05-17 12:03:56.570035501 +0200 +@@ -6119,6 +6119,20 @@ { VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS); } diff --git a/debian/patches/route_default_nil.patch b/debian/patches/route_default_nil.patch index 8b12c0e..bd7c4b2 100644 --- a/debian/patches/route_default_nil.patch +++ b/debian/patches/route_default_nil.patch @@ -2,9 +2,9 @@ Description: Fix small wording in man page. Author: Alberto Gonzalez Iniesta <agi@inittab.org> Index: openvpn/doc/openvpn.8 =================================================================== ---- openvpn.orig/doc/openvpn.8 2012-11-05 16:29:30.256804617 +0100 -+++ openvpn/doc/openvpn.8 2012-11-05 16:46:31.765870008 +0100 -@@ -945,7 +945,7 @@ +--- openvpn.orig/doc/openvpn.8 2013-05-17 12:04:01.742061149 +0200 ++++ openvpn/doc/openvpn.8 2013-05-17 12:04:01.738061129 +0200 +@@ -952,7 +952,7 @@ otherwise 0. The default can be specified by leaving an option blank or setting diff --git a/debian/patches/series b/debian/patches/series index fac69c7..f37465a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,4 +1,3 @@ -cve-2013-2061.patch auth-pam_libpam_so_filename.patch close_socket_before_scripts.patch debian_nogroup_for_sample_files.patch |