From 02a50fb2174994d24e9c707f0fc0378e760d1483 Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Iniesta
Date: Fri, 17 May 2013 12:06:18 +0200
Subject: new upstream
---
 debian/changelog | 6 +--
 debian/patches/cve-2013-2061.patch | 81 ---------------------------------
 debian/patches/kfreebsd_support.patch | 12 ++---
 debian/patches/manpage_fixes.patch | 27 ++++-------
 debian/patches/openvpn-pkcs11warn.patch | 6 +--
 debian/patches/route_default_nil.patch | 6 +--
 debian/patches/series | 1 -
 7 files changed, 24 insertions(+), 115 deletions(-)
 delete mode 100644 debian/patches/cve-2013-2061.patch
(limited to 'debian')
diff --git a/debian/changelog b/debian/changelog
index a5972f8..c3b972a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,7 +1,7 @@
-openvpn (2.3.0-2) unstable; urgency=low
+openvpn (2.3.1-1) unstable; urgency=low
- * Applied patch use of non-constant-time memcmp in HMAC comparison.
- CVE-2013-2061 (Closes: #707329)
+ * New upstream version. Fixes use of non-constant-time memcmp in HMAC
+ comparison. CVE-2013-2061 (Closes: #707329)
 -- Alberto Gonzalez Iniesta Fri, 17 May 2013 11:54:31 +0200
diff --git a/debian/patches/cve-2013-2061.patch b/debian/patches/cve-2013-2061.patch
deleted file mode 100644
index 531a27b..0000000
--- a/debian/patches/cve-2013-2061.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 11d21349a4e7e38a025849479b36ace7c2eec2ee Mon Sep 17 00:00:00 2001
-From: Steffan Karger
-Date: Tue, 19 Mar 2013 13:01:50 +0100
-Subject: [PATCH] Use constant time memcmp when comparing HMACs in
- openvpn_decrypt.
-
-Signed-off-by: Steffan Karger
-Acked-by: Gert Doering
-Signed-off-by: Gert Doering
----
- src/openvpn/buffer.h | 8 ++++++++
- src/openvpn/crypto.c | 20 +++++++++++++++++++-
- 2 files changed, 27 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
-index 7cae733..93efb09 100644
---- a/src/openvpn/buffer.h
-+++ b/src/openvpn/buffer.h
-@@ -668,6 +668,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
- }
- }
-
-+/**
-+ * Compare src buffer contents with match.
-+ * *NOT* constant time. Do not use when comparing HMACs.
-+ */
- static inline bool
- buf_string_match (const struct buffer *src, const void *match, int size)
- {
-@@ -676,6 +680,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
- return memcmp (BPTR (src), match, size) == 0;
- }
-
-+/**
-+ * Compare first size bytes of src buffer contents with match.
-+ * *NOT* constant time. Do not use when comparing HMACs.
-+ */
- static inline bool
- buf_string_match_head (const struct buffer *src, const void *match, int size)
- {
-diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
-index 405c0aa..d9adf5b 100644
---- a/src/openvpn/crypto.c
-+++ b/src/openvpn/crypto.c
-@@ -65,6 +65,24 @@
- #define CRYPT_ERROR(format) \
- do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
-
-+/**
-+ * As memcmp(), but constant-time.
-+ * Returns 0 when data is equal, non-zero otherwise.
-+ */
-+static int
-+memcmp_constant_time (const void *a, const void *b, size_t size) {
-+ const uint8_t * a1 = a;
-+ const uint8_t * b1 = b;
-+ int ret = 0;
-+ size_t i;
-+
-+ for (i = 0; i < size; i++) {
-+ ret |= *a1++ ^ *b1++;
-+ }
-+
-+ return ret;
-+}
-+
- void
- openvpn_encrypt (struct buffer *buf, struct buffer work,
- const struct crypto_options *opt,
-@@ -244,7 +262,7 @@
- hmac_ctx_final (ctx->hmac, local_hmac);
-
- /* Compare locally computed HMAC with packet HMAC */
-- if (memcmp (local_hmac, BPTR (buf), hmac_len))
-+ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
- CRYPT_ERROR ("packet HMAC authentication failed");
-
- ASSERT (buf_advance (buf, hmac_len));
---
-1.8.1.6
-
diff --git a/debian/patches/kfreebsd_support.patch b/debian/patches/kfreebsd_support.patch
index e070630..bfdee76 100644
--- a/debian/patches/kfreebsd_support.patch
+++ b/debian/patches/kfreebsd_support.patch
@@ -3,9 +3,9 @@ Author: Gonéri Le Bouder
 Bug-Debian: http://bugs.debian.org/626062
 Index: openvpn/src/openvpn/route.c
 ===================================================================
---- openvpn.orig/src/openvpn/route.c 2012-11-05 16:29:30.292804798 +0100
-+++ openvpn/src/openvpn/route.c 2012-11-05 16:48:38.766499773 +0100
-@@ -1412,7 +1412,7 @@
+--- openvpn.orig/src/openvpn/route.c 2013-05-17 12:04:05.250078543 +0200
++++ openvpn/src/openvpn/route.c 2013-05-17 12:04:05.242078504 +0200
+@@ -1415,7 +1415,7 @@
 argv_msg (D_ROUTE, &argv);
 status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add command failed");
@@ -16,9 +16,9 @@ Index: openvpn/src/openvpn/route.c
 ROUTE_PATH);
 Index: openvpn/src/openvpn/tun.c
 ===================================================================
---- openvpn.orig/src/openvpn/tun.c 2012-11-05 16:29:30.296804820 +0100
-+++ openvpn/src/openvpn/tun.c 2012-11-05 16:48:38.770499790 +0100
-@@ -1097,7 +1097,7 @@
+--- openvpn.orig/src/openvpn/tun.c 2013-05-17 12:04:05.250078543 +0200
++++ openvpn/src/openvpn/tun.c 2013-05-17 12:04:05.246078520 +0200
+@@ -1089,7 +1089,7 @@
 add_route_connected_v6_net(tt, es);
 }
diff --git a/debian/patches/manpage_fixes.patch b/debian/patches/manpage_fixes.patch
index f228f4d..0a8f677 100644
--- a/debian/patches/manpage_fixes.patch
+++ b/debian/patches/manpage_fixes.patch
@@ -2,8 +2,8 @@ Description: Man page fixes
 Author: Alberto Gonzalez Iniesta
 Index: openvpn/doc/openvpn.8
 ===================================================================
---- openvpn.orig/doc/openvpn.8 2012-11-05 16:46:31.765870008 +0100
-+++ openvpn/doc/openvpn.8 2012-11-05 16:51:54.803471868 +0100
+--- openvpn.orig/doc/openvpn.8 2013-05-17 12:04:17.678140187 +0200
++++ openvpn/doc/openvpn.8 2013-05-17 12:04:17.674140147 +0200
 @@ -21,13 +21,13 @@
 .\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 .\"
@@ -20,7 +20,7 @@ Index: openvpn/doc/openvpn.8
 .\" .nf -- no formatting
 .\" .fi -- resume formatting
 .\" .ft 3 -- boldface
-@@ -2506,7 +2506,7 @@
+@@ -2513,7 +2513,7 @@
 .B \-\-management-signal
 Send SIGUSR1 signal to OpenVPN if management session disconnects.
 This is useful when you wish to disconnect an OpenVPN session on
@@ -29,7 +29,7 @@ Index: openvpn/doc/openvpn.8
 a disconnect will always generate a SIGTERM.
 .\"*********************************************************
 .TP
-@@ -3865,7 +3865,7 @@
+@@ -3889,7 +3889,7 @@
 This option is only relevant in UDP mode, i.e. when either
 .B \-\-proto udp
@@ -38,16 +38,7 @@ Index: openvpn/doc/openvpn.8
 .B \-\-proto
 option is specified.
-@@ -4650,7 +4650,7 @@
- Field in x509 certificate subject to be used as username (default=CN).
- .B Fieldname
- will be uppercased before matching. When this option is used, the
----tls-remote option will match against the chosen fieldname instead
-+\-\-tls-remote option will match against the chosen fieldname instead
- of the CN.
- .\"*********************************************************
- .TP
-@@ -4935,7 +4935,7 @@
+@@ -5012,7 +5012,7 @@
 This option have changed behaviour in OpenVPN 2.3. Earlier you had to define
@@ -56,7 +47,7 @@ Index: openvpn/doc/openvpn.8
 to use the SystemRoot environment variable, otherwise it defaulted to C:\\WINDOWS. It is not needed to use the
 .B env
-@@ -4978,7 +4978,7 @@
+@@ -5055,7 +5055,7 @@
 .B \-\-dev tun
 mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is
@@ -65,7 +56,7 @@ Index: openvpn/doc/openvpn.8
 If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP
-@@ -5272,26 +5272,26 @@
+@@ -5349,26 +5349,26 @@
 documentation of the IPv6-related options. More documentation can be found on http://www.greenie.net/ipv6/openvpn.html.
 .TP
@@ -100,7 +91,7 @@ Index: openvpn/doc/openvpn.8
 Specify an IPv6 address pool for dynamic assignment to clients. The pool starts at
 .B ipv6addr
-@@ -5299,20 +5299,20 @@
+@@ -5376,20 +5376,20 @@
 .B /bits
 setting controls the size of the pool.
 .TP
@@ -128,7 +119,7 @@ Index: openvpn/doc/openvpn.8
 interact.
 .\"*********************************************************
-@@ -5798,7 +5798,7 @@
+@@ -5875,7 +5875,7 @@
 .TP
 .B peer_cert
 Temporary file name containing the client certificate upon
diff --git a/debian/patches/openvpn-pkcs11warn.patch b/debian/patches/openvpn-pkcs11warn.patch
index 04325f8..1a1b50c 100644
--- a/debian/patches/openvpn-pkcs11warn.patch
+++ b/debian/patches/openvpn-pkcs11warn.patch
@@ -3,9 +3,9 @@ Author: Florian Kulzer
 Bug-Debian: http://bugs.debian.org/475353
 Index: openvpn/src/openvpn/options.c
 ===================================================================
---- openvpn.orig/src/openvpn/options.c 2012-11-05 16:29:30.284804762 +0100
-+++ openvpn/src/openvpn/options.c 2012-11-05 16:44:12.873181274 +0100
-@@ -6098,6 +6098,20 @@
+--- openvpn.orig/src/openvpn/options.c 2013-05-17 12:03:56.574035519 +0200
++++ openvpn/src/openvpn/options.c 2013-05-17 12:03:56.570035501 +0200
+@@ -6119,6 +6119,20 @@
 {
 VERIFY_PERMISSION (OPT_P_ROUTE_EXTRAS);
 }
diff --git a/debian/patches/route_default_nil.patch b/debian/patches/route_default_nil.patch
index 8b12c0e..bd7c4b2 100644
--- a/debian/patches/route_default_nil.patch
+++ b/debian/patches/route_default_nil.patch
@@ -2,9 +2,9 @@ Description: Fix small wording in man page.
 Author: Alberto Gonzalez Iniesta
 Index: openvpn/doc/openvpn.8
 ===================================================================
---- openvpn.orig/doc/openvpn.8 2012-11-05 16:29:30.256804617 +0100
-+++ openvpn/doc/openvpn.8 2012-11-05 16:46:31.765870008 +0100
-@@ -945,7 +945,7 @@
+--- openvpn.orig/doc/openvpn.8 2013-05-17 12:04:01.742061149 +0200
++++ openvpn/doc/openvpn.8 2013-05-17 12:04:01.738061129 +0200
+@@ -952,7 +952,7 @@
 otherwise 0. The default can be specified by leaving an option blank or setting
diff --git a/debian/patches/series b/debian/patches/series
index fac69c7..f37465a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,3 @@
-cve-2013-2061.patch
 auth-pam_libpam_so_filename.patch
 close_socket_before_scripts.patch
 debian_nogroup_for_sample_files.patch
--
cgit v1.2.3