diff options
Diffstat (limited to 'debian/patches/cve-2013-2061.patch')
| -rw-r--r-- | debian/patches/cve-2013-2061.patch | 81 |
1 files changed, 0 insertions, 81 deletions
diff --git a/debian/patches/cve-2013-2061.patch b/debian/patches/cve-2013-2061.patch deleted file mode 100644 index 531a27b..0000000 --- a/debian/patches/cve-2013-2061.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 11d21349a4e7e38a025849479b36ace7c2eec2ee Mon Sep 17 00:00:00 2001 -From: Steffan Karger <steffan.karger@fox-it.com> -Date: Tue, 19 Mar 2013 13:01:50 +0100 -Subject: [PATCH] Use constant time memcmp when comparing HMACs in - openvpn_decrypt. - -Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> -Acked-by: Gert Doering <gert@greenie.muc.de> -Signed-off-by: Gert Doering <gert@greenie.muc.de> ---- - src/openvpn/buffer.h | 8 ++++++++ - src/openvpn/crypto.c | 20 +++++++++++++++++++- - 2 files changed, 27 insertions(+), 1 deletion(-) - -diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h -index 7cae733..93efb09 100644 ---- a/src/openvpn/buffer.h -+++ b/src/openvpn/buffer.h -@@ -668,6 +668,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...) - } - } - -+/** -+ * Compare src buffer contents with match. -+ * *NOT* constant time. Do not use when comparing HMACs. -+ */ - static inline bool - buf_string_match (const struct buffer *src, const void *match, int size) - { -@@ -676,6 +680,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...) - return memcmp (BPTR (src), match, size) == 0; - } - -+/** -+ * Compare first size bytes of src buffer contents with match. -+ * *NOT* constant time. Do not use when comparing HMACs. -+ */ - static inline bool - buf_string_match_head (const struct buffer *src, const void *match, int size) - { -diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c -index 405c0aa..d9adf5b 100644 ---- a/src/openvpn/crypto.c -+++ b/src/openvpn/crypto.c -@@ -65,6 +65,24 @@ - #define CRYPT_ERROR(format) \ - do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) - -+/** -+ * As memcmp(), but constant-time. -+ * Returns 0 when data is equal, non-zero otherwise. -+ */ -+static int -+memcmp_constant_time (const void *a, const void *b, size_t size) { -+ const uint8_t * a1 = a; -+ const uint8_t * b1 = b; -+ int ret = 0; -+ size_t i; -+ -+ for (i = 0; i < size; i++) { -+ ret |= *a1++ ^ *b1++; -+ } -+ -+ return ret; -+} -+ - void - openvpn_encrypt (struct buffer *buf, struct buffer work, - const struct crypto_options *opt, -@@ -244,7 +262,7 @@ - hmac_ctx_final (ctx->hmac, local_hmac); - - /* Compare locally computed HMAC with packet HMAC */ -- if (memcmp (local_hmac, BPTR (buf), hmac_len)) -+ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len)) - CRYPT_ERROR ("packet HMAC authentication failed"); - - ASSERT (buf_advance (buf, hmac_len)); --- -1.8.1.6 - |