svn commit: r319579 - in head/security: openvpn20 openvpn20/files openvpn22 openvpn22/files vuxml

Matthias Andree mandree at FreeBSD.org
Sat Jun 1 16:47:43 UTC 2013 

Author: mandree
Date: Sat Jun  1 16:47:41 2013
New Revision: 319579
URL: http://svnweb.freebsd.org/changeset/ports/319579

Log:
  - Backport fix for CVE-2013-2061 to openvpn22 and openvpn20;
    while it is unclear whether it affects OpenSSL-builds at all.
    Let's play it safe.
  - Reference CVE-2013-2061 name in OpenVPN's VuXML entry
  - Mark 2.0.9_4 <= openvpn < 2.1.0 and 2.2.2_2 < openvpn < 2.3.0 not vulnerable
  - Mark openvpn22 deprecated and to expire 2013-09-01.
    (openvpn20 is already marked to expire 2013-07-11.)
  
  Security:	CVE-2013-2061
  Security:	92f30415-9935-11e2-ad4c-080027ef73ec

Added:
  head/security/openvpn20/files/patch-CVE-2013-2061   (contents, props changed)
  head/security/openvpn22/files/patch-CVE-2013-2061   (contents, props changed)
Modified:
  head/security/openvpn20/Makefile
  head/security/openvpn22/Makefile
  head/security/vuxml/vuln.xml

Modified: head/security/openvpn20/Makefile
==============================================================================
--- head/security/openvpn20/Makefile	Sat Jun  1 16:35:57 2013	(r319578)
+++ head/security/openvpn20/Makefile	Sat Jun  1 16:47:41 2013	(r319579)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openvpn
 PORTVERSION=	2.0.9
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	security net
 # MASTER_SITES points to hosts in distinct data centers,
 # so just one MASTER_SITES entry should be OK.

Added: head/security/openvpn20/files/patch-CVE-2013-2061
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn20/files/patch-CVE-2013-2061	Sat Jun  1 16:47:41 2013	(r319579)
@@ -0,0 +1,74 @@
+commit 11d21349a4e7e38a025849479b36ace7c2eec2ee
+Author: Steffan Karger <steffan.karger at fox-it.com>
+Date:   Tue Mar 19 13:01:50 2013 +0100
+
+    Use constant time memcmp when comparing HMACs in openvpn_decrypt.
+    
+    Signed-off-by: Steffan Karger <steffan.karger at fox-it.com>
+    Acked-by: Gert Doering <gert at greenie.muc.de>
+    Signed-off-by: Gert Doering <gert at greenie.muc.de>
+
+diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
+index 7cae733..93efb09 100644
+--- ./buffer.h~
++++ ./buffer.h
+@@ -668,6 +668,10 @@ buf_read_u32 (struct buffer *buf, bool *good)
+     }
+ }
+ 
++/**
++ * Compare src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match (const struct buffer *src, const void *match, int size)
+ {
+@@ -676,6 +680,10 @@ buf_string_match (const struct buffer *src, const void *match, int size)
+   return memcmp (BPTR (src), match, size) == 0;
+ }
+ 
++/**
++ * Compare first size bytes of src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match_head (const struct buffer *src, const void *match, int size)
+ {
+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
+index 405c0aa..d9adf5b 100644
+--- ./crypto.c~
++++ ./crypto.c
+@@ -65,6 +65,24 @@
+ #define CRYPT_ERROR(format) \
+   do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
+ 
++/**
++ * As memcmp(), but constant-time.
++ * Returns 0 when data is equal, non-zero otherwise.
++ */
++static int
++memcmp_constant_time (const void *a, const void *b, size_t size) {
++  const uint8_t * a1 = a;
++  const uint8_t * b1 = b;
++  int ret = 0;
++  size_t i;
++
++  for (i = 0; i < size; i++) {
++      ret |= *a1++ ^ *b1++;
++  }
++
++  return ret;
++}
++
+ void
+ openvpn_encrypt (struct buffer *buf, struct buffer work,
+ 		 const struct crypto_options *opt,
+@@ -244,7 +262,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
+ 	  hmac_ctx_final (ctx->hmac, local_hmac);
+ 
+ 	  /* Compare locally computed HMAC with packet HMAC */
+-	  if (memcmp (local_hmac, BPTR (buf), hmac_len))
++	  if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
+ 	    CRYPT_ERROR ("packet HMAC authentication failed");
+ 
+ 	  ASSERT (buf_advance (buf, hmac_len));

Modified: head/security/openvpn22/Makefile
==============================================================================
--- head/security/openvpn22/Makefile	Sat Jun  1 16:35:57 2013	(r319578)
+++ head/security/openvpn22/Makefile	Sat Jun  1 16:47:41 2013	(r319579)
@@ -3,7 +3,7 @@
 
 PORTNAME=	openvpn
 DISTVERSION=	2.2.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	security net
 # MASTER_SITES points to hosts in distinct data centers,
 # so just one MASTER_SITES entry should be OK.
@@ -18,6 +18,9 @@ LICENSE=	GPLv2
 LATEST_LINK=	openvpn22
 CONFLICTS_INSTALL=	openvpn-devel-[0-9]* openvpn-2.[!2]* openvpn-beta-[0-9]*
 
+DEPRECATED=		Please migrate to a newer OpenVPN version
+EXPIRATION_DATE=	2013-09-01
+
 GNU_CONFIGURE=	yes
 USE_OPENSSL=	yes
 USE_XZ=		yes

Added: head/security/openvpn22/files/patch-CVE-2013-2061
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/openvpn22/files/patch-CVE-2013-2061	Sat Jun  1 16:47:41 2013	(r319579)
@@ -0,0 +1,74 @@
+commit 11d21349a4e7e38a025849479b36ace7c2eec2ee
+Author: Steffan Karger <steffan.karger at fox-it.com>
+Date:   Tue Mar 19 13:01:50 2013 +0100
+
+    Use constant time memcmp when comparing HMACs in openvpn_decrypt.
+    
+    Signed-off-by: Steffan Karger <steffan.karger at fox-it.com>
+    Acked-by: Gert Doering <gert at greenie.muc.de>
+    Signed-off-by: Gert Doering <gert at greenie.muc.de>
+
+diff --git a/src/openvpn/buffer.h b/src/openvpn/buffer.h
+index 7cae733..93efb09 100644
+--- ./buffer.h~
++++ ./buffer.h
+@@ -668,6 +668,10 @@ buf_read_u32 (struct buffer *buf, bool *good)
+     }
+ }
+ 
++/**
++ * Compare src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match (const struct buffer *src, const void *match, int size)
+ {
+@@ -676,6 +680,10 @@ buf_string_match (const struct buffer *src, const void *match, int size)
+   return memcmp (BPTR (src), match, size) == 0;
+ }
+ 
++/**
++ * Compare first size bytes of src buffer contents with match.
++ * *NOT* constant time. Do not use when comparing HMACs.
++ */
+ static inline bool
+ buf_string_match_head (const struct buffer *src, const void *match, int size)
+ {
+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
+index 405c0aa..d9adf5b 100644
+--- ./crypto.c~
++++ ./crypto.c
+@@ -65,6 +65,24 @@
+ #define CRYPT_ERROR(format) \
+   do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
+ 
++/**
++ * As memcmp(), but constant-time.
++ * Returns 0 when data is equal, non-zero otherwise.
++ */
++static int
++memcmp_constant_time (const void *a, const void *b, size_t size) {
++  const uint8_t * a1 = a;
++  const uint8_t * b1 = b;
++  int ret = 0;
++  size_t i;
++
++  for (i = 0; i < size; i++) {
++      ret |= *a1++ ^ *b1++;
++  }
++
++  return ret;
++}
++
+ void
+ openvpn_encrypt (struct buffer *buf, struct buffer work,
+ 		 const struct crypto_options *opt,
+@@ -244,7 +262,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
+ 	  hmac_ctx_final (ctx->hmac, local_hmac);
+ 
+ 	  /* Compare locally computed HMAC with packet HMAC */
+-	  if (memcmp (local_hmac, BPTR (buf), hmac_len))
++	  if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
+ 	    CRYPT_ERROR ("packet HMAC authentication failed");
+ 
+ 	  ASSERT (buf_advance (buf, hmac_len));

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sat Jun  1 16:35:57 2013	(r319578)
+++ head/security/vuxml/vuln.xml	Sat Jun  1 16:47:41 2013	(r319579)
@@ -1662,7 +1662,9 @@ Note:  Please add new entries to the beg
     <affects>
       <package>
 	<name>openvpn</name>
-	<range><lt>2.3.1</lt></range>
+	<range><lt>2.0.9_4</lt></range>
+	<range><ge>2.1.0</ge><lt>2.2.2_2</lt></range>
+	<range><ge>2.3.0</ge><lt>2.3.1</lt></range>
       </package>
     </affects>
     <description>
@@ -1677,10 +1679,12 @@ Note:  Please add new entries to the beg
     </description>
     <references>
       <url>https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc</url>
+      <cvename>CVE-2013-2061</cvename>
     </references>
     <dates>
       <discovery>2013-03-19</discovery>
       <entry>2013-03-31</entry>
+      <modified>2013-06-01</modified>
     </dates>
   </vuln>

More information about the svn-ports-head mailing list