Date:      Sat, 1 Jun 2013 16:47:41 +0000 (UTC)
From:      Matthias Andree <mandree@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r319579 - in head/security: openvpn20 openvpn20/files openvpn22 openvpn22/files vuxml
Message-ID:  <201306011647.r51GlfnG028889@svn.freebsd.org>

Author: mandree
Date: Sat Jun  1 16:47:41 2013
New Revision: 319579
URL: http://svnweb.freebsd.org/changeset/ports/319579

Log:
  - Backport fix for CVE-2013-2061 to openvpn22 and openvpn20; while it is
    unclear whether it affects OpenSSL builds at all, let's play it safe.
  - Reference CVE-2013-2061 name in OpenVPN's VuXML entry
  - Mark 2.0.9_4 <= openvpn < 2.1.0 and 2.2.2_2 < openvpn < 2.3.0 not vulnerable
  - Mark openvpn22 deprecated and to expire 2013-09-01.
    (openvpn20 is already marked to expire 2013-07-11.)
  
  Security:	CVE-2013-2061
  Security:	92f30415-9935-11e2-ad4c-080027ef73ec

Added:
  head/security/openvpn20/files/patch-CVE-2013-2061   (contents, props changed)
  head/security/openvpn22/files/patch-CVE-2013-2061   (contents, props changed)
Modified:
  head/security/openvpn20/Makefile
  head/security/openvpn22/Makefile
  head/security/vuxml/vuln.xml

Modified: head/security/openvpn20/Makefile
==============================================================================
--- head/security/openvpn20/Makefile	Sat Jun  1 16:35:57 2013	(r319578)
+++ head/security/openvpn20/Makefile	Sat Jun  1 16:47:41 2013	(r319579)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openvpn
 PORTVERSION=	2.0.9
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	security net
 # MASTER_SITES points to hosts in distinct data centers,
 # so just one MASTER_SITES entry should be OK.

Added: head/security/openvpn20/files/patch-CVE-2013-2061
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn20/files/patch-CVE-2013-2061	Sat Jun  1 16:47:41 2013	(r319579)
@@ -0,0 +1,74 @@
+commit 11d21349a4e7e38a025849479b36ace7c2eec2ee
+Author: Steffan Karger <steffan.karger@fox-it.com>
+Date:   Tue Mar 19 13:01:50 2013 +0100
+
+    Use constant time memcmp when comparing HMACs in openvpn_decrypt.
+    
+    Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
+    Acked-by: Gert Doering <gert@greenie.muc.de>
+    Signed-off-by: Gert Doering <gert@greenie.muc.de>
+
+diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
+index 7cae733..93efb09 100644
+--- ./buffer.h~
++++ ./buffer.h
+@@ -668,6 +668,10 @@ buf_read_u32 (struct buffer *buf, bool *good)
+     }
+ }
+ 
++/**
++ * Compare src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match (const struct buffer *src, const void *match, int size)
+ {
+@@ -676,6 +680,10 @@ buf_string_match (const struct buffer *src, const void *match, int size)
+   return memcmp (BPTR (src), match, size) == 0;
+ }
+ 
++/**
++ * Compare first size bytes of src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match_head (const struct buffer *src, const void *match, int size)
+ {
+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
+index 405c0aa..d9adf5b 100644
+--- ./crypto.c~
++++ ./crypto.c
+@@ -65,6 +65,24 @@
+ #define CRYPT_ERROR(format) \
+   do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
+ 
++/**
++ * As memcmp(), but constant-time.
++ * Returns 0 when data is equal, non-zero otherwise.
++ */
++static int
++memcmp_constant_time (const void *a, const void *b, size_t size) {
++  const uint8_t * a1 = a;
++  const uint8_t * b1 = b;
++  int ret = 0;
++  size_t i;
++
++  for (i = 0; i < size; i++) {
++      ret |= *a1++ ^ *b1++;
++  }
++
++  return ret;
++}
++
+ void
+ openvpn_encrypt (struct buffer *buf, struct buffer work,
+ 		 const struct crypto_options *opt,
+@@ -244,7 +262,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
+ 	  hmac_ctx_final (ctx->hmac, local_hmac);
+ 
+ 	  /* Compare locally computed HMAC with packet HMAC */
+-	  if (memcmp (local_hmac, BPTR (buf), hmac_len))
++	  if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
+ 	    CRYPT_ERROR ("packet HMAC authentication failed");
+ 
+ 	  ASSERT (buf_advance (buf, hmac_len));
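Review bot: The switched-over HMAC check at `memcmp_constant_time (local_hmac, BPTR (buf), hmac_len)` still relies on the caller having established that `buf` holds at least `hmac_len` readable bytes before the packet side is dereferenced; that length check is not visible here because openvpn_decrypt starts and ends outside the hunk, and since this patch was lifted from the 2.3 tree it is worth confirming against the port's 2.0.9 and 2.2.2 sources rather than assumed. The helper itself is fine: it touches all `size` bytes regardless of where the first mismatch lies and only reports zero/non-zero, which the one caller uses correctly. As a point of style, the new function puts its opening brace on the signature line, unlike the surrounding GNU-style definitions (compare `buf_string_match` in the same patch); `static int` / `memcmp_constant_time (const void *a, const void *b, size_t size)` / `{` on three lines would match. The `diff --git` headers still name `a/src/openvpn/...` while the `---`/`+++` lines name `./buffer.h~` and `./crypto.c`, which patch(1) will honour, but a one-line comment at the top of the file saying the paths were rewritten for the 2.0/2.2 layout would save the next reader a puzzle; the identical file added for openvpn22 below carries the same remarks.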

Modified: head/security/openvpn22/Makefile
==============================================================================
--- head/security/openvpn22/Makefile	Sat Jun  1 16:35:57 2013	(r319578)
+++ head/security/openvpn22/Makefile	Sat Jun  1 16:47:41 2013	(r319579)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openvpn
 DISTVERSION=	2.2.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security net
 # MASTER_SITES points to hosts in distinct data centers,
 # so just one MASTER_SITES entry should be OK.
@@ -18,6 +18,9 @@ LICENSE=	GPLv2
 LATEST_LINK=	openvpn22
 CONFLICTS_INSTALL=	openvpn-devel-[0-9]* openvpn-2.[!2]* openvpn-beta-[0-9]*
 
+DEPRECATED=		Please migrate to a newer OpenVPN version
+EXPIRATION_DATE=	2013-09-01
+
 GNU_CONFIGURE=	yes
 USE_OPENSSL=	yes
 USE_XZ=		yes

Added: head/security/openvpn22/files/patch-CVE-2013-2061
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn22/files/patch-CVE-2013-2061	Sat Jun  1 16:47:41 2013	(r319579)
@@ -0,0 +1,74 @@
+commit 11d21349a4e7e38a025849479b36ace7c2eec2ee
+Author: Steffan Karger <steffan.karger@fox-it.com>
+Date:   Tue Mar 19 13:01:50 2013 +0100
+
+    Use constant time memcmp when comparing HMACs in openvpn_decrypt.
+    
+    Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
+    Acked-by: Gert Doering <gert@greenie.muc.de>
+    Signed-off-by: Gert Doering <gert@greenie.muc.de>
+
+diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
+index 7cae733..93efb09 100644
+--- ./buffer.h~
++++ ./buffer.h
+@@ -668,6 +668,10 @@ buf_read_u32 (struct buffer *buf, bool *good)
+     }
+ }
+ 
++/**
++ * Compare src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match (const struct buffer *src, const void *match, int size)
+ {
+@@ -676,6 +680,10 @@ buf_string_match (const struct buffer *src, const void *match, int size)
+   return memcmp (BPTR (src), match, size) == 0;
+ }
+ 
++/**
++ * Compare first size bytes of src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match_head (const struct buffer *src, const void *match, int size)
+ {
+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
+index 405c0aa..d9adf5b 100644
+--- ./crypto.c~
++++ ./crypto.c
+@@ -65,6 +65,24 @@
+ #define CRYPT_ERROR(format) \
+   do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
+ 
++/**
++ * As memcmp(), but constant-time.
++ * Returns 0 when data is equal, non-zero otherwise.
++ */
++static int
++memcmp_constant_time (const void *a, const void *b, size_t size) {
++  const uint8_t * a1 = a;
++  const uint8_t * b1 = b;
++  int ret = 0;
++  size_t i;
++
++  for (i = 0; i < size; i++) {
++      ret |= *a1++ ^ *b1++;
++  }
++
++  return ret;
++}
++
+ void
+ openvpn_encrypt (struct buffer *buf, struct buffer work,
+ 		 const struct crypto_options *opt,
+@@ -244,7 +262,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
+ 	  hmac_ctx_final (ctx->hmac, local_hmac);
+ 
+ 	  /* Compare locally computed HMAC with packet HMAC */
+-	  if (memcmp (local_hmac, BPTR (buf), hmac_len))
++	  if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
+ 	    CRYPT_ERROR ("packet HMAC authentication failed");
+ 
+ 	  ASSERT (buf_advance (buf, hmac_len));

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sat Jun  1 16:35:57 2013	(r319578)
+++ head/security/vuxml/vuln.xml	Sat Jun  1 16:47:41 2013	(r319579)
@@ -1662,7 +1662,9 @@ Note:  Please add new entries to the beg
     <affects>
       <package>
 	<name>openvpn</name>
-	<range><lt>2.3.1</lt></range>
+	<range><lt>2.0.9_4</lt></range>
+	<range><ge>2.1.0</ge><lt>2.2.2_2</lt></range>
+	<range><ge>2.3.0</ge><lt>2.3.1</lt></range>
       </package>
     </affects>
     <description>
@@ -1677,10 +1679,12 @@ Note:  Please add new entries to the beg
     </description>
     <references>
       <url>https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc</url>;
+      <cvename>CVE-2013-2061</cvename>
     </references>
     <dates>
       <discovery>2013-03-19</discovery>
       <entry>2013-03-31</entry>
+      <modified>2013-06-01</modified>
     </dates>
   </vuln>
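Review bot: The new middle range `<ge>2.1.0</ge><lt>2.2.2_2</lt>` makes 2.2.2_2 itself unaffected, which matches the first bullet's `2.0.9_4 <= openvpn < 2.1.0` wording but not the log's `2.2.2_2 < openvpn < 2.3.0`; the entry is what pkg audit consults, so the log line should read `2.2.2_2 <= openvpn < 2.3.0` to avoid suggesting 2.2.2_2 is still vulnerable. The ranges are keyed to the ports revisions that ship the backported patch, so any 2.2.x package built from a port version above 2.2.2_2 without this patch would be reported clean; presumably none exists, but that is the trade-off this encoding makes.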
 


