LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
24690 Commits
1 Branch
46 MiB
Tree: f7432ce19a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f7432ce19a'
${ noResults }
openwrt-packages-dist/net/openvpn/patches/115-fix-mbedtls-without-ren...

42 lines
2.0 KiB
Raw Normal View History

openvpn: update to 2.5.2 Fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Add CI build test script. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
3 years ago
 
  1. From e4bd17c86e01aaf6f809d9ea355419c86c4defdc Mon Sep 17 00:00:00 2001
  2. From: Max Fillinger <maximilian.fillinger@foxcrypto.com>
  3. Date: Mon, 12 Apr 2021 19:46:17 +0200
  4. Subject: [PATCH] Fix build with mbedtls w/o SSL renegotiation support
  5. 

  6. In mbedtls, support for SSL renegotiation can be disabled at
  7. compile-time. However, OpenVPN cannot be built with such a library
  8. because it calls mbedtls_ssl_conf_renegotiation() to disable this
  9. feature at runtime. This function doesn't exist when mbedtls was built
  10. without support for SSL renegotiation.
  11. 

  12. This commit fixes the build by ifdef'ing out the function call when
  13. mbedtls was built without support for SSL renegotiation.
  14. 

  15. Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
  16. Acked-by: Antonio Quartulli <antonio@openvpn.net>
  17. Message-Id: <E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com>
  18. URL: https://www.mail-archive.com/search?l=mid&q=E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com
  19. Signed-off-by: Gert Doering <gert@greenie.muc.de>
  20. ---

  21.  src/openvpn/ssl_mbedtls.c | 9 ++++++---
  22.  1 file changed, 6 insertions(+), 3 deletions(-)
  23. 

  24. --- a/src/openvpn/ssl_mbedtls.c

  25. +++ b/src/openvpn/ssl_mbedtls.c

  26. @@ -1098,10 +1098,13 @@ key_state_ssl_init(struct key_state_ssl

  27.      {
  28.          mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups);
  29.      }
  30. -    /* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL

  31. -     * session and does not depend on this feature. And TLS renegotiations have

  32. -     * been problematic in the past */

  33. +

  34. +    /* Disable TLS renegotiations if the mbedtls library supports that feature.

  35. +     * OpenVPN's renegotiation creates new SSL sessions and does not depend on

  36. +     * this feature and TLS renegotiations have been problematic in the past. */

  37. +#if defined(MBEDTLS_SSL_RENEGOTIATION)

  38.      mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
  39. +#endif /* MBEDTLS_SSL_RENEGOTIATION */

  40.  
  41.      /* Disable record splitting (for now).  OpenVPN assumes records are sent
  42.       * unfragmented, and changing that will require thorough review and