authorAlberto Gonzalez Iniesta <agi@inittab.org>2013-05-17 12:06:18 +0200
committerAlberto Gonzalez Iniesta <agi@inittab.org>2013-05-17 12:07:16 +0200
commit02a50fb2174994d24e9c707f0fc0378e760d1483 (patch)
treefadaa9b88271811b7bf0f30e1568665318f01c7f
parent7da22c96dd646047e97732832331c84528bdc95e (diff)
new upstream
-rw-r--r--debian/changelog6
-rw-r--r--debian/patches/cve-2013-2061.patch81
-rw-r--r--debian/patches/kfreebsd_support.patch12
-rw-r--r--debian/patches/manpage_fixes.patch27
-rw-r--r--debian/patches/openvpn-pkcs11warn.patch6
-rw-r--r--debian/patches/route_default_nil.patch6
-rw-r--r--debian/patches/series1
7 files changed, 24 insertions, 115 deletions
diff --git a/debian/changelog b/debian/changelog
index a5972f8..c3b972a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
-openvpn (2.3.0-2) unstable; urgency=low
+openvpn (2.3.1-1) unstable; urgency=low
- * Applied patch use of non-constant-time memcmp in HMAC comparison.
- CVE-2013-2061 (Closes: #707329)
+ * New upstream version. Fixes use of non-constant-time memcmp in HMAC
+ comparison. CVE-2013-2061 (Closes: #707329)
-- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 17 May 2013 11:54:31 +0200
diff --git a/debian/patches/cve-2013-2061.patch b/debian/patches/cve-2013-2061.patch
deleted file mode 100644
index 531a27b..0000000
--- a/debian/patches/cve-2013-2061.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 11d21349a4e7e38a025849479b36ace7c2eec2ee Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan.karger@fox-it.com>
-Date: Tue, 19 Mar 2013 13:01:50 +0100
-Subject: [PATCH] Use constant time memcmp when comparing HMACs in
- openvpn_decrypt.
-
-Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
----
- src/openvpn/buffer.h | 8 ++++++++
- src/openvpn/crypto.c | 20 +++++++++++++++++++-
- 2 files changed, 27 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
-index 7cae733..93efb09 100644
---- a/src/openvpn/buffer.h
-+++ b/src/openvpn/buffer.h
-@@ -668,6 +668,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
- }
- }
-
-+/**
-+ * Compare src buffer contents with match.
-+ * *NOT* constant time. Do not use when comparing HMACs.
-+ */
- static inline bool
- buf_string_match (const struct buffer *src, const void *match, int size)
- {
-@@ -676,6 +680,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
- return memcmp (BPTR (src), match, size) == 0;
- }
-
-+/**
-+ * Compare first size bytes of src buffer contents with match.
-+ * *NOT* constant time. Do not use when comparing HMACs.
-+ */
- static inline bool
- buf_string_match_head (const struct buffer *src, const void *match, int size)
- {
-diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
-index 405c0aa..d9adf5b 100644
---- a/src/openvpn/crypto.c
-+++ b/src/openvpn/crypto.c
-@@ -65,6 +65,24 @@
- #define CRYPT_ERROR(format) \
- do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
-
-+/**
-+ * As memcmp(), but constant-time.
-+ * Returns 0 when data is equal, non-zero otherwise.
-+ */
-+static int
-+memcmp_constant_time (const void *a, const void *b, size_t size) {
-+ const uint8_t * a1 = a;
-+ const uint8_t * b1 = b;
-+ int ret = 0;
-+ size_t i;
-+
-+ for (i = 0; i < size; i++) {
-+ ret |= *a1++ ^ *b1++;
-+ }
-+
-+ return ret;
-+}
-+
- void
- openvpn_encrypt (struct buffer *buf, struct buffer work,
- const struct crypto_options *opt,
-@@ -244,7 +262,7 @@
- hmac_ctx_final (ctx->hmac, local_hmac);
-
- /* Compare locally computed HMAC with packet HMAC */
-- if (memcmp (local_hmac, BPTR (buf), hmac_len))
-+ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
- CRYPT_ERROR ("packet HMAC authentication failed");
-
- ASSERT (buf_advance (buf, hmac_len));
---
-1.8.1.6
-
diff --git a/debian/patches/kfreebsd_support.patch b/debian/patches/kfreebsd_support.patch
index e070630..bfdee76 100644
--- a/debian/patches/kfreebsd_support.patch
+++ b/debian/patches/kfreebsd_support.patch
@@ -3,9 +3,9 @@ Author: Gonéri Le Bouder <goneri@rulezlan.org>
Bug-Debian: http://bugs.debian.org/626062
Index: openvpn/src/openvpn/route.c
===================================================================
---- openvpn.orig/src/openvpn/route.c 2012-11-05 16:29:30.292804798 +0100
-+++ openvpn/src/openvpn/route.c 2012-11-05 16:48:38.766499773 +0100
-@@ -1412,7 +1412,7 @@
+--- openvpn.orig/src/openvpn/route.c 2013-05-17 12:04:05.250078543 +0200
++++ openvpn/src/openvpn/route.c 2013-05-17 12:04:05.242078504 +0200
+@@ -1415,7 +1415,7 @@
argv_msg (D_ROUTE, &argv);
status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add command failed");
@@ -16,9 +16,9 @@ Index: openvpn/src/openvpn/route.c
ROUTE_PATH);
Index: openvpn/src/openvpn/tun.c
===================================================================
---- openvpn.orig/src/openvpn/tun.c 2012-11-05 16:29:30.296804820 +0100
-+++ openvpn/src/openvpn/tun.c 2012-11-05 16:48:38.770499790 +0100
-@@ -1097,7 +1097,7 @@
+--- openvpn.orig/src/openvpn/tun.c 2013-05-17 12:04:05.250078543 +0200
++++ openvpn/src/openvpn/tun.c 2013-05-17 12:04:05.246078520 +0200
+@@ -1089,7 +1089,7 @@
add_route_connected_v6_net(tt, es);
}
diff --git a/debian/patches/manpage_fixes.patch b/debian/patches/manpage_fixes.patch
index f228f4d..0a8f677 100644
--- a/debian/patches/manpage_fixes.patch
+++ b/debian/patches/manpage_fixes.patch
@@ -2,8 +2,8 @@ Description: Man page fixes
Author: Alberto Gonzalez Iniesta <agi@inittab.org>
Index: openvpn/doc/openvpn.8
===================================================================
---- openvpn.orig/doc/openvpn.8 2012-11-05 16:46:31.765870008 +0100
-+++ openvpn/doc/openvpn.8 2012-11-05 16:51:54.803471868 +0100
+--- openvpn.orig/doc/openvpn.8 2013-05-17 12:04:17.678140187 +0200
++++ openvpn/doc/openvpn.8 2013-05-17 12:04:17.674140147 +0200
@@ -21,13 +21,13 @@
.\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
.\"
@@ -20,7 +20,7 @@ Index: openvpn/doc/openvpn.8
.\" .nf -- no formatting
.\" .fi -- resume formatting
.\" .ft 3 -- boldface
-@@ -2506,7 +2506,7 @@
+@@ -2513,7 +2513,7 @@
.B \-\-management-signal
Send SIGUSR1 signal to OpenVPN if management session disconnects.
This is useful when you wish to disconnect an OpenVPN session on
@@ -29,7 +29,7 @@ Index: openvpn/doc/openvpn.8
a disconnect will always generate a SIGTERM.
.\"*********************************************************
.TP
-@@ -3865,7 +3865,7 @@
+@@ -3889,7 +3889,7 @@
This option is only relevant in UDP mode, i.e.
when either
.B \-\-proto udp
@@ -38,16 +38,7 @@ Index: openvpn/doc/openvpn.8
.B \-\-proto
option is specified.
-@@ -4650,7 +4650,7 @@
- Field in x509 certificate subject to be used as username (default=CN).
- .B Fieldname
- will be uppercased before matching. When this option is used, the
----tls-remote option will match against the chosen fieldname instead
-+\-\-tls-remote option will match against the chosen fieldname instead
- of the CN.
- .\"*********************************************************
- .TP
-@@ -4935,7 +4935,7 @@
+@@ -5012,7 +5012,7 @@
This option have changed behaviour in OpenVPN 2.3. Earlier you had to
define
@@ -56,7 +47,7 @@ Index: openvpn/doc/openvpn.8
to use the SystemRoot environment variable, otherwise it defaulted to C:\\WINDOWS.
It is not needed to use the
.B env
-@@ -4978,7 +4978,7 @@
+@@ -5055,7 +5055,7 @@
.B \-\-dev tun
mode, OpenVPN will cause the DHCP server to masquerade as if it were
coming from the remote endpoint. The optional offset parameter is
@@ -65,7 +56,7 @@ Index: openvpn/doc/openvpn.8
If offset is positive, the DHCP server will masquerade as the IP
address at network address + offset.
If offset is negative, the DHCP server will masquerade as the IP
-@@ -5272,26 +5272,26 @@
+@@ -5349,26 +5349,26 @@
documentation of the IPv6-related options. More documentation can be
found on http://www.greenie.net/ipv6/openvpn.html.
.TP
@@ -100,7 +91,7 @@ Index: openvpn/doc/openvpn.8
Specify an IPv6 address pool for dynamic assignment to clients. The
pool starts at
.B ipv6addr
-@@ -5299,20 +5299,20 @@
+@@ -5376,20 +5376,20 @@
.B /bits
setting controls the size of the pool.
.TP
@@ -128,7 +119,7 @@ Index: openvpn/doc/openvpn.8
interact.
.\"*********************************************************
-@@ -5798,7 +5798,7 @@
+@@ -5875,7 +5875,7 @@
.TP
.B peer_cert
Temporary file name containing the client certificate upon
diff --git a/debian/patches/openvpn-pkcs11warn.patch b/debian/patches/openvpn-pkcs11warn.patch
index 04325f8..1a1b50c 100644
--- a/debian/patches/openvpn-pkcs11warn.patch
+++ b/debian/patches/openvpn-pkcs11warn.patch
@@ -3,9 +3,9 @@ Author: Florian Kulzer <florian.kulzer+debian@icfo.es>
Bug-Debian: http://bugs.debian.org/475353
Index: openvpn/src/openvpn/options.c
===================================================================
---- openvpn.orig/src/openvpn/options.c 2012-11-05 16:29:30.284804762 +0100
-+++ openvpn/src/openvpn/options.c 2012-11-05 16:44:12.873181274 +0100
-@@ -6098,6 +6098,20 @@
+--- openvpn.orig/src/openvpn/options.c 2013-05-17 12:03:56.574035519 +0200
++++ openvpn/src/openvpn/options.c 2013-05-17 12:03:56.570035501 +0200
+@@ -6119,6 +6119,20 @@
{
VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
}
diff --git a/debian/patches/route_default_nil.patch b/debian/patches/route_default_nil.patch
index 8b12c0e..bd7c4b2 100644
--- a/debian/patches/route_default_nil.patch
+++ b/debian/patches/route_default_nil.patch
@@ -2,9 +2,9 @@ Description: Fix small wording in man page.
Author: Alberto Gonzalez Iniesta <agi@inittab.org>
Index: openvpn/doc/openvpn.8
===================================================================
---- openvpn.orig/doc/openvpn.8 2012-11-05 16:29:30.256804617 +0100
-+++ openvpn/doc/openvpn.8 2012-11-05 16:46:31.765870008 +0100
-@@ -945,7 +945,7 @@
+--- openvpn.orig/doc/openvpn.8 2013-05-17 12:04:01.742061149 +0200
++++ openvpn/doc/openvpn.8 2013-05-17 12:04:01.738061129 +0200
+@@ -952,7 +952,7 @@
otherwise 0.
The default can be specified by leaving an option blank or setting
diff --git a/debian/patches/series b/debian/patches/series
index fac69c7..f37465a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,3 @@
-cve-2013-2061.patch
auth-pam_libpam_so_filename.patch
close_socket_before_scripts.patch
debian_nogroup_for_sample_files.patch