summaryrefslogtreecommitdiff
path: root/debian/patches/cve-2013-2061.patch
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2013-05-17 12:06:18 +0200
committerAlberto Gonzalez Iniesta <agi@inittab.org>2013-05-17 12:07:16 +0200
commit02a50fb2174994d24e9c707f0fc0378e760d1483 (patch)
treefadaa9b88271811b7bf0f30e1568665318f01c7f /debian/patches/cve-2013-2061.patch
parent7da22c96dd646047e97732832331c84528bdc95e (diff)
new upstream
Diffstat (limited to 'debian/patches/cve-2013-2061.patch')
-rw-r--r--debian/patches/cve-2013-2061.patch81
1 files changed, 0 insertions, 81 deletions
diff --git a/debian/patches/cve-2013-2061.patch b/debian/patches/cve-2013-2061.patch
deleted file mode 100644
index 531a27b..0000000
--- a/debian/patches/cve-2013-2061.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 11d21349a4e7e38a025849479b36ace7c2eec2ee Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan.karger@fox-it.com>
-Date: Tue, 19 Mar 2013 13:01:50 +0100
-Subject: [PATCH] Use constant time memcmp when comparing HMACs in
- openvpn_decrypt.
-
-Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
----
- src/openvpn/buffer.h | 8 ++++++++
- src/openvpn/crypto.c | 20 +++++++++++++++++++-
- 2 files changed, 27 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
-index 7cae733..93efb09 100644
---- a/src/openvpn/buffer.h
-+++ b/src/openvpn/buffer.h
-@@ -668,6 +668,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
- }
- }
-
-+/**
-+ * Compare src buffer contents with match.
-+ * *NOT* constant time. Do not use when comparing HMACs.
-+ */
- static inline bool
- buf_string_match (const struct buffer *src, const void *match, int size)
- {
-@@ -676,6 +680,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
- return memcmp (BPTR (src), match, size) == 0;
- }
-
-+/**
-+ * Compare first size bytes of src buffer contents with match.
-+ * *NOT* constant time. Do not use when comparing HMACs.
-+ */
- static inline bool
- buf_string_match_head (const struct buffer *src, const void *match, int size)
- {
-diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
-index 405c0aa..d9adf5b 100644
---- a/src/openvpn/crypto.c
-+++ b/src/openvpn/crypto.c
-@@ -65,6 +65,24 @@
- #define CRYPT_ERROR(format) \
- do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
-
-+/**
-+ * As memcmp(), but constant-time.
-+ * Returns 0 when data is equal, non-zero otherwise.
-+ */
-+static int
-+memcmp_constant_time (const void *a, const void *b, size_t size) {
-+ const uint8_t * a1 = a;
-+ const uint8_t * b1 = b;
-+ int ret = 0;
-+ size_t i;
-+
-+ for (i = 0; i < size; i++) {
-+ ret |= *a1++ ^ *b1++;
-+ }
-+
-+ return ret;
-+}
-+
- void
- openvpn_encrypt (struct buffer *buf, struct buffer work,
- const struct crypto_options *opt,
-@@ -244,7 +262,7 @@
- hmac_ctx_final (ctx->hmac, local_hmac);
-
- /* Compare locally computed HMAC with packet HMAC */
-- if (memcmp (local_hmac, BPTR (buf), hmac_len))
-+ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
- CRYPT_ERROR ("packet HMAC authentication failed");
-
- ASSERT (buf_advance (buf, hmac_len));
---
-1.8.1.6
-