diff options
Diffstat (limited to 'debian/patches/CVE-2017-7479-prereq.patch')
-rw-r--r-- | debian/patches/CVE-2017-7479-prereq.patch | 443 |
1 files changed, 0 insertions, 443 deletions
diff --git a/debian/patches/CVE-2017-7479-prereq.patch b/debian/patches/CVE-2017-7479-prereq.patch deleted file mode 100644 index e3c94d7..0000000 --- a/debian/patches/CVE-2017-7479-prereq.patch +++ /dev/null @@ -1,443 +0,0 @@ -From a87e1431baccd49a9344cfc63ab7446c4317fa2f Mon Sep 17 00:00:00 2001 -From: Steffan Karger <steffan.karger@fox-it.com> -Date: Fri, 5 May 2017 19:44:51 +0200 -Subject: [PATCH] cleanup: merge packet_id_alloc_outgoing() into - packet_id_write() - -The functions packet_id_alloc_outgoing() and packet_id_write() were -always called in tandem. Instead of forcing the caller to allocate a -packet_id_net to do so, merge the two functions. This simplifies the API -and reduces the chance on mistakes in the future. - -This patch adds unit tests to verify the behaviour of packet_id_write(). -Verifying that we assert out correctly required the change to mock_msg.c. - -Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> -Acked-by: Gert Doering <gert@greenie.muc.de> -Acked-by: David Sommerseth <davids@openvpn.net> -Message-Id: <1494006291-3522-1-git-send-email-steffan.karger@fox-it.com> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14541.html -Signed-off-by: Gert Doering <gert@greenie.muc.de> - -[prerequisite for CVE-2017-7479. Adjusted to apply to 2.4.0 release -- sbeattie] - ---- - src/openvpn/crypto.c | 20 ++-- - src/openvpn/packet_id.c | 24 ++++- - src/openvpn/packet_id.h | 35 +++---- - src/openvpn/tls_crypt.c | 6 +- - tests/unit_tests/openvpn/Makefile.am | 13 ++- - tests/unit_tests/openvpn/mock_msg.c | 15 ++- - tests/unit_tests/openvpn/test_packet_id.c | 168 ++++++++++++++++++++++++++++++ - 7 files changed, 228 insertions(+), 53 deletions(-) - create mode 100644 tests/unit_tests/openvpn/test_packet_id.c - -Index: openvpn-2.4.0/src/openvpn/crypto.c -=================================================================== ---- openvpn-2.4.0.orig/src/openvpn/crypto.c -+++ openvpn-2.4.0/src/openvpn/crypto.c -@@ -85,7 +85,6 @@ openvpn_encrypt_aead(struct buffer *buf, - /* Prepare IV */ - { - struct buffer iv_buffer; -- struct packet_id_net pin; - uint8_t iv[OPENVPN_MAX_IV_LENGTH] = {0}; - const int iv_len = cipher_ctx_iv_length(ctx->cipher); - -@@ -94,8 +93,7 @@ openvpn_encrypt_aead(struct buffer *buf, - buf_set_write(&iv_buffer, iv, iv_len); - - /* IV starts with packet id to make the IV unique for packet */ -- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, false); -- ASSERT(packet_id_write(&pin, &iv_buffer, false, false)); -+ ASSERT(packet_id_write(&opt->packet_id.send, &iv_buffer, false, false)); - - /* Remainder of IV consists of implicit part (unique per session) */ - ASSERT(buf_write(&iv_buffer, ctx->implicit_iv, ctx->implicit_iv_len)); -@@ -198,23 +196,21 @@ openvpn_encrypt_v1(struct buffer *buf, s - /* Put packet ID in plaintext buffer */ - if (packet_id_initialized(&opt->packet_id)) - { -- struct packet_id_net pin; -- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM)); -- ASSERT(packet_id_write(&pin, buf, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM), true)); -+ ASSERT(packet_id_write(&opt->packet_id.send, buf, -+ opt->flags & CO_PACKET_ID_LONG_FORM, -+ true)); - } - } - else if (cipher_kt_mode_ofb_cfb(cipher_kt)) - { -- struct packet_id_net pin; - struct buffer b; - - /* IV and packet-ID required for this mode. */ - ASSERT(opt->flags & CO_USE_IV); - ASSERT(packet_id_initialized(&opt->packet_id)); - -- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, true); - buf_set_write(&b, iv_buf, iv_size); -- ASSERT(packet_id_write(&pin, &b, true, false)); -+ ASSERT(packet_id_write(&opt->packet_id.send, &b, true, false)); - } - else /* We only support CBC, CFB, or OFB modes right now */ - { -@@ -264,9 +260,9 @@ openvpn_encrypt_v1(struct buffer *buf, s - { - if (packet_id_initialized(&opt->packet_id)) - { -- struct packet_id_net pin; -- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM)); -- ASSERT(packet_id_write(&pin, buf, BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM), true)); -+ ASSERT(packet_id_write(&opt->packet_id.send, buf, -+ BOOL_CAST(opt->flags & CO_PACKET_ID_LONG_FORM), -+ true)); - } - if (ctx->hmac) - { -Index: openvpn-2.4.0/src/openvpn/packet_id.c -=================================================================== ---- openvpn-2.4.0.orig/src/openvpn/packet_id.c -+++ openvpn-2.4.0/src/openvpn/packet_id.c -@@ -325,12 +325,30 @@ packet_id_read(struct packet_id_net *pin - return true; - } - -+static void -+packet_id_send_update(struct packet_id_send *p, bool long_form) -+{ -+ if (!p->time) -+ { -+ p->time = now; -+ } -+ p->id++; -+ if (!p->id) -+ { -+ ASSERT(long_form); -+ p->time = now; -+ p->id = 1; -+ } -+} -+ - bool --packet_id_write(const struct packet_id_net *pin, struct buffer *buf, bool long_form, bool prepend) -+packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, -+ bool prepend) - { -- packet_id_type net_id = htonpid(pin->id); -- net_time_t net_time = htontime(pin->time); -+ packet_id_send_update(p, long_form); - -+ const packet_id_type net_id = htonpid(p->id); -+ const net_time_t net_time = htontime(p->time); - if (prepend) - { - if (long_form) -Index: openvpn-2.4.0/src/openvpn/packet_id.h -=================================================================== ---- openvpn-2.4.0.orig/src/openvpn/packet_id.h -+++ openvpn-2.4.0/src/openvpn/packet_id.h -@@ -254,7 +254,18 @@ const char *packet_id_persist_print(cons - - bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form); - --bool packet_id_write(const struct packet_id_net *pin, struct buffer *buf, bool long_form, bool prepend); -+/** -+ * Write a packet ID to buf, and update the packet ID state. -+ * -+ * @param p Packet ID state. -+ * @param buf Buffer to write the packet ID too -+ * @param long_form If true, also update and write time_t to buf -+ * @param prepend If true, prepend to buffer, otherwise apppend. -+ * -+ * @return true if successful, false otherwise. -+ */ -+bool packet_id_write(struct packet_id_send *p, struct buffer *buf, -+ bool long_form, bool prepend); - - /* - * Inline functions. -@@ -304,28 +315,6 @@ packet_id_close_to_wrapping(const struct - return p->id >= PACKET_ID_WRAP_TRIGGER; - } - --/* -- * Allocate an outgoing packet id. -- * Sequence number ranges from 1 to 2^32-1. -- * In long_form, a time_t is added as well. -- */ --static inline void --packet_id_alloc_outgoing(struct packet_id_send *p, struct packet_id_net *pin, bool long_form) --{ -- if (!p->time) -- { -- p->time = now; -- } -- pin->id = ++p->id; -- if (!pin->id) -- { -- ASSERT(long_form); -- p->time = now; -- pin->id = p->id = 1; -- } -- pin->time = p->time; --} -- - static inline bool - check_timestamp_delta(time_t remote, unsigned int max_delta) - { -Index: openvpn-2.4.0/src/openvpn/tls_crypt.c -=================================================================== ---- openvpn-2.4.0.orig/src/openvpn/tls_crypt.c -+++ openvpn-2.4.0/src/openvpn/tls_crypt.c -@@ -95,11 +95,7 @@ tls_crypt_wrap(const struct buffer *src, - format_hex(BPTR(src), BLEN(src), 80, &gc)); - - /* Get packet ID */ -- { -- struct packet_id_net pin; -- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, true); -- packet_id_write(&pin, dst, true, false); -- } -+ ASSERT(packet_id_write(&opt->packet_id.send, dst, true, false)); - - dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s", - format_hex(BPTR(dst), BLEN(dst), 0, &gc)); -Index: openvpn-2.4.0/tests/unit_tests/openvpn/Makefile.am -=================================================================== ---- openvpn-2.4.0.orig/tests/unit_tests/openvpn/Makefile.am -+++ openvpn-2.4.0/tests/unit_tests/openvpn/Makefile.am -@@ -1,6 +1,6 @@ - AUTOMAKE_OPTIONS = foreign - --check_PROGRAMS = argv_testdriver buffer_testdriver -+check_PROGRAMS = argv_testdriver buffer_testdriver packet_id_testdriver - - if ENABLE_CRYPTO - check_PROGRAMS += tls_crypt_testdriver -@@ -27,6 +27,17 @@ buffer_testdriver_SOURCES = test_buffer. - $(openvpn_srcdir)/buffer.c \ - $(openvpn_srcdir)/platform.c - -+packet_id_testdriver_CFLAGS = @TEST_CFLAGS@ \ -+ -I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) \ -+ $(OPTIONAL_CRYPTO_CFLAGS) -+packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ -+ $(OPTIONAL_CRYPTO_LIBS) -+packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c \ -+ $(openvpn_srcdir)/buffer.c \ -+ $(openvpn_srcdir)/otime.c \ -+ $(openvpn_srcdir)/packet_id.c \ -+ $(openvpn_srcdir)/platform.c -+ - tls_crypt_testdriver_CFLAGS = @TEST_CFLAGS@ \ - -I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) \ - $(OPTIONAL_CRYPTO_CFLAGS) -Index: openvpn-2.4.0/tests/unit_tests/openvpn/mock_msg.c -=================================================================== ---- openvpn-2.4.0.orig/tests/unit_tests/openvpn/mock_msg.c -+++ openvpn-2.4.0/tests/unit_tests/openvpn/mock_msg.c -@@ -29,9 +29,12 @@ - #endif - - #include <stdarg.h> --#include <stdbool.h> -+#include <stddef.h> - #include <stdio.h> - #include <stdlib.h> -+#include <setjmp.h> -+#include <cmocka.h> -+ - - #include "errlevel.h" - #include "error.h" -@@ -70,14 +73,8 @@ x_msg(const unsigned int flags, const ch - void - assert_failed(const char *filename, int line, const char *condition) - { -- if (condition) -- { -- printf("Assertion failed at %s:%d (%s)", filename, line, condition); -- } -- else -- { -- printf("Assertion failed at %s:%d", filename, line); -- } -+ mock_assert(false, condition ? condition : "", filename, line); -+ /* Keep compiler happy. Should not happen, mock_assert() does not return */ - exit(1); - } - -Index: openvpn-2.4.0/tests/unit_tests/openvpn/test_packet_id.c -=================================================================== ---- /dev/null -+++ openvpn-2.4.0/tests/unit_tests/openvpn/test_packet_id.c -@@ -0,0 +1,168 @@ -+/* -+ * OpenVPN -- An application to securely tunnel IP networks -+ * over a single UDP port, with support for SSL/TLS-based -+ * session authentication and key exchange, -+ * packet encryption, packet authentication, and -+ * packet compression. -+ * -+ * Copyright (C) 2016 Fox Crypto B.V. <openvpn@fox-it.com> -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License version 2 -+ * as published by the Free Software Foundation. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program (see the file COPYING included with this -+ * distribution); if not, write to the Free Software Foundation, Inc., -+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -+ */ -+ -+#ifdef HAVE_CONFIG_H -+#include "config.h" -+#elif defined(_MSC_VER) -+#include "config-msvc.h" -+#endif -+ -+#include "syshead.h" -+ -+#include <stdarg.h> -+#include <stddef.h> -+#include <setjmp.h> -+#include <cmocka.h> -+ -+#include "packet_id.h" -+ -+#include "mock_msg.h" -+ -+struct test_packet_id_write_data { -+ struct { -+ uint32_t buf_id; -+ uint32_t buf_time; -+ } test_buf_data; -+ struct buffer test_buf; -+ struct packet_id_send pis; -+}; -+ -+static int -+test_packet_id_write_setup(void **state) { -+ struct test_packet_id_write_data *data = -+ calloc(1, sizeof(struct test_packet_id_write_data)); -+ -+ if (!data) -+ { -+ return -1; -+ } -+ -+ data->test_buf.data = (void *) &data->test_buf_data; -+ data->test_buf.capacity = sizeof(data->test_buf_data); -+ -+ *state = data; -+ return 0; -+} -+ -+static int -+test_packet_id_write_teardown(void **state) { -+ free(*state); -+ return 0; -+} -+ -+static void -+test_packet_id_write_short(void **state) -+{ -+ struct test_packet_id_write_data *data = *state; -+ -+ now = 5010; -+ assert_true(packet_id_write(&data->pis, &data->test_buf, false, false)); -+ assert_true(data->pis.id == 1); -+ assert_true(data->test_buf_data.buf_id == htonl(1)); -+ assert_true(data->test_buf_data.buf_time == 0); -+} -+ -+static void -+test_packet_id_write_long(void **state) -+{ -+ struct test_packet_id_write_data *data = *state; -+ -+ now = 5010; -+ assert_true(packet_id_write(&data->pis, &data->test_buf, true, false)); -+ assert(data->pis.id == 1); -+ assert(data->pis.time == now); -+ assert_true(data->test_buf_data.buf_id == htonl(1)); -+ assert_true(data->test_buf_data.buf_time == htonl(now)); -+} -+ -+static void -+test_packet_id_write_short_prepend(void **state) -+{ -+ struct test_packet_id_write_data *data = *state; -+ -+ data->test_buf.offset = sizeof(packet_id_type); -+ now = 5010; -+ assert_true(packet_id_write(&data->pis, &data->test_buf, false, true)); -+ assert_true(data->pis.id == 1); -+ assert_true(data->test_buf_data.buf_id == htonl(1)); -+ assert_true(data->test_buf_data.buf_time == 0); -+} -+ -+static void -+test_packet_id_write_long_prepend(void **state) -+{ -+ struct test_packet_id_write_data *data = *state; -+ -+ data->test_buf.offset = sizeof(data->test_buf_data); -+ now = 5010; -+ assert_true(packet_id_write(&data->pis, &data->test_buf, true, true)); -+ assert(data->pis.id == 1); -+ assert(data->pis.time == now); -+ assert_true(data->test_buf_data.buf_id == htonl(1)); -+ assert_true(data->test_buf_data.buf_time == htonl(now)); -+} -+ -+static void -+test_packet_id_write_short_wrap(void **state) -+{ -+ struct test_packet_id_write_data *data = *state; -+ -+ data->pis.id = ~0; -+ expect_assert_failure( -+ packet_id_write(&data->pis, &data->test_buf, false, false)); -+} -+ -+static void -+test_packet_id_write_long_wrap(void **state) -+{ -+ struct test_packet_id_write_data *data = *state; -+ -+ data->pis.id = ~0; -+ now = 5010; -+ assert_true(packet_id_write(&data->pis, &data->test_buf, true, false)); -+ assert(data->pis.id == 1); -+ assert(data->pis.time == now); -+ assert_true(data->test_buf_data.buf_id == htonl(1)); -+ assert_true(data->test_buf_data.buf_time == htonl(now)); -+} -+ -+int -+main(void) { -+ const struct CMUnitTest tests[] = { -+ cmocka_unit_test_setup_teardown(test_packet_id_write_short, -+ test_packet_id_write_setup, test_packet_id_write_teardown), -+ cmocka_unit_test_setup_teardown(test_packet_id_write_long, -+ test_packet_id_write_setup, test_packet_id_write_teardown), -+ cmocka_unit_test_setup_teardown(test_packet_id_write_short_prepend, -+ test_packet_id_write_setup, test_packet_id_write_teardown), -+ cmocka_unit_test_setup_teardown(test_packet_id_write_long_prepend, -+ test_packet_id_write_setup, test_packet_id_write_teardown), -+ cmocka_unit_test_setup_teardown(test_packet_id_write_short_wrap, -+ test_packet_id_write_setup, test_packet_id_write_teardown), -+ cmocka_unit_test_setup_teardown(test_packet_id_write_long_wrap, -+ test_packet_id_write_setup, test_packet_id_write_teardown), -+ }; -+ -+ return cmocka_run_group_tests_name("packet_id tests", tests, NULL, NULL); -+} |