author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-16 09:35:10 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-16 09:39:00 +0000 |
commit | 48428d91b73c1141f947f4e7f9de8a924b49b101 (patch) | |
tree | a17ec2dc535d236bea65fb3f5cd9a2217c3d6e2a | |
parent | c615fd8274c721d0ea73931ef7f6ad5689bee458 (diff) | |
download | aports-48428d91b73c1141f947f4e7f9de8a924b49b101.tar.bz2 aports-48428d91b73c1141f947f4e7f9de8a924b49b101.tar.xz |
main/openvpn: security fix (CVE-2013-2061)
fixes #1880
-rw-r--r-- | main/openvpn/APKBUILD | 6 | ||||
-rw-r--r-- | main/openvpn/CVE-2013-2061.patch | 81 |
2 files changed, 85 insertions, 2 deletions
diff --git a/main/openvpn/APKBUILD b/main/openvpn/APKBUILD
index 929cd73db..03df002ab 100644
--- a/main/openvpn/APKBUILD
+++ b/main/openvpn/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=openvpn
 pkgver=2.2.2
-pkgrel=0
+pkgrel=1
 pkgdesc="A robust, and highly configurable VPN (Virtual Private Network)"
 url="http://openvpn.sourceforge.net/"
 arch="all"
@@ -16,6 +16,7 @@ source="http://swupdate.openvpn.net/community/releases/$pkgname-$pkgver.tar.gz
 openvpn.up
 openvpn.down
 openvpn-2.2.2-ipv6.patch
+ CVE-2013-2061.patch
 "
 
 _builddir="$srcdir"/$pkgname-$pkgver
@@ -93,4 +94,5 @@ ec99092827faa7226e9f548c2cd1d20c openvpn.initd
 9eca88cac6294027ec1bb7be74185c3a openvpn.confd
 dc72fecd1a1bcef937603057cd6574b1 openvpn.up
 dc3ff0bae442b9aedd947b8ffda1687a openvpn.down
-51b1ddade743505b84d27db9ebfd6c0a openvpn-2.2.2-ipv6.patch"
+51b1ddade743505b84d27db9ebfd6c0a openvpn-2.2.2-ipv6.patch
+8416c8db9c60ecb5a54367af57ac7884 CVE-2013-2061.patch"
diff --git a/main/openvpn/CVE-2013-2061.patch b/main/openvpn/CVE-2013-2061.patch
new file mode 100644
index 000000000..732ddc228
--- /dev/null
+++ b/main/openvpn/CVE-2013-2061.patch
@@ -0,0 +1,81 @@
+From 11d21349a4e7e38a025849479b36ace7c2eec2ee Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan.karger@fox-it.com>
+Date: Tue, 19 Mar 2013 13:01:50 +0100
+Subject: [PATCH] Use constant time memcmp when comparing HMACs in
+ openvpn_decrypt.
+
+Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/buffer.h | 8 ++++++++
+ src/openvpn/crypto.c | 20 +++++++++++++++++++-
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
+index 7cae733..93efb09 100644
+--- a/buffer.h
++++ b/buffer.h
+@@ -668,6 +668,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
+ }
+ }
+ 
++/**
++ * Compare src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match (const struct buffer *src, const void *match, int size)
+ {
+@@ -676,6 +680,10 @@ bool openvpn_snprintf(char *str, size_t size, const char *format, ...)
+ return memcmp (BPTR (src), match, size) == 0;
+ }
+ 
++/**
++ * Compare first size bytes of src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match_head (const struct buffer *src, const void *match, int size)
+ {
+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
+index 405c0aa..d9adf5b 100644
+--- a/crypto.c
++++ b/crypto.c
+@@ -65,6 +65,24 @@
+ #define CRYPT_ERROR(format) \
+ do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
+ 
++/**
++ * As memcmp(), but constant-time.
++ * Returns 0 when data is equal, non-zero otherwise.
++ */
++static int
++memcmp_constant_time (const void *a, const void *b, size_t size) {
++ const uint8_t * a1 = a;
++ const uint8_t * b1 = b;
++ int ret = 0;
++ size_t i;
++
++ for (i = 0; i < size; i++) {
++ ret |= *a1++ ^ *b1++;
++ }
++
++ return ret;
++}
++
+ void
+ openvpn_encrypt (struct buffer *buf, struct buffer work,
+ const struct crypto_options *opt,
+@@ -244,7 +262,7 @@
+ hmac_ctx_final (ctx->hmac, local_hmac);
+ 
+ /* Compare locally computed HMAC with packet HMAC */
+- if (memcmp (local_hmac, BPTR (buf), hmac_len))
++ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
+ CRYPT_ERROR ("packet HMAC authentication failed");
+ 
+ ASSERT (buf_advance (buf, hmac_len));
+--
+1.8.1.6
+
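Review bot: `memcmp_constant_time` is declared `static` in crypto.c, while the new buffer.h comments on `buf_string_match` and `buf_string_match_head` only warn "Do not use when comparing HMACs" without naming what callers should use instead; declaring the helper in a shared header next to those warnings, and pointing at it from them with `Use memcmp_constant_time() for HMACs.`, would give any other MAC comparison in the tree a sanctioned constant-time path rather than another `memcmp`. The inner `diff --git` lines still name `src/openvpn/buffer.h` and `src/openvpn/crypto.c` while their `---`/`+++` lines were rewritten to `buffer.h`/`crypto.c`, so the file applies with `patch -p1` but `git apply` would reject the mismatch; a leading line such as `Backported from upstream 11d21349 to the 2.2.2 source layout.` would make the hand edit intentional. At the call site `hmac_len` is passed to a `size_t` parameter; its type and the check that `buf` holds at least `hmac_len` bytes live in the part of `openvpn_decrypt` outside this hunk and are presumed rather than visible here.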