From 6186fe732b058ef7f1ae43cce2184ba0c4d90184 Mon Sep 17 00:00:00 2001 From: Magnus Kroken Date: Wed, 21 Apr 2021 22:45:03 +0200 Subject: [PATCH] openvpn: update to 2.5.2 Fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Add CI build test script. Signed-off-by: Magnus Kroken --- net/openvpn/Makefile | 6 +-- ...bedtls-disable-runtime-version-check.patch | 2 +- ...15-fix-mbedtls-without-renegotiation.patch | 42 +++++++++++++++++++ net/openvpn/test.sh | 10 +++++ 4 files changed, 56 insertions(+), 4 deletions(-) create mode 100644 net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch create mode 100755 net/openvpn/test.sh diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile index 3b3adce42..d46b7bb73 100644 --- a/net/openvpn/Makefile +++ b/net/openvpn/Makefile @@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.5.1 -PKG_RELEASE:=3 +PKG_VERSION:=2.5.2 +PKG_RELEASE:=1 PKG_SOURCE_URL:=\ https://build.openvpn.net/downloads/releases/ \ https://swupdate.openvpn.net/community/releases/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_HASH:=40930489c837c05f6153f38e1ebaec244431ef1a034e4846ff732d71d59ff194 +PKG_HASH:=b12743836901f365efaf82ab2493967e1b21c21eb43ce9a8da1002a17c9c1dc8 PKG_MAINTAINER:=Magnus Kroken diff --git a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch index 4141c2863..c54277006 100644 --- a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch +++ b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch @@ -1,6 +1,6 @@ --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c -@@ -1520,7 +1520,7 @@ const char * +@@ -1535,7 +1535,7 @@ const char * get_ssl_library_version(void) { static char mbedtls_version[30]; diff --git a/net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch b/net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch new file mode 100644 index 000000000..532d64f60 --- /dev/null +++ b/net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch @@ -0,0 +1,42 @@ +From e4bd17c86e01aaf6f809d9ea355419c86c4defdc Mon Sep 17 00:00:00 2001 +From: Max Fillinger +Date: Mon, 12 Apr 2021 19:46:17 +0200 +Subject: [PATCH] Fix build with mbedtls w/o SSL renegotiation support + +In mbedtls, support for SSL renegotiation can be disabled at +compile-time. However, OpenVPN cannot be built with such a library +because it calls mbedtls_ssl_conf_renegotiation() to disable this +feature at runtime. This function doesn't exist when mbedtls was built +without support for SSL renegotiation. + +This commit fixes the build by ifdef'ing out the function call when +mbedtls was built without support for SSL renegotiation. + +Signed-off-by: Max Fillinger +Acked-by: Antonio Quartulli +Message-Id: +URL: https://www.mail-archive.com/search?l=mid&q=E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com +Signed-off-by: Gert Doering +--- + src/openvpn/ssl_mbedtls.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/src/openvpn/ssl_mbedtls.c ++++ b/src/openvpn/ssl_mbedtls.c +@@ -1098,10 +1098,13 @@ key_state_ssl_init(struct key_state_ssl + { + mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups); + } +- /* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL +- * session and does not depend on this feature. And TLS renegotiations have +- * been problematic in the past */ ++ ++ /* Disable TLS renegotiations if the mbedtls library supports that feature. ++ * OpenVPN's renegotiation creates new SSL sessions and does not depend on ++ * this feature and TLS renegotiations have been problematic in the past. */ ++#if defined(MBEDTLS_SSL_RENEGOTIATION) + mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED); ++#endif /* MBEDTLS_SSL_RENEGOTIATION */ + + /* Disable record splitting (for now). OpenVPN assumes records are sent + * unfragmented, and changing that will require thorough review and diff --git a/net/openvpn/test.sh b/net/openvpn/test.sh new file mode 100755 index 000000000..b51ccd6a1 --- /dev/null +++ b/net/openvpn/test.sh @@ -0,0 +1,10 @@ +#!/bin/sh + +case "$1" in + "openvpn-mbedtls") + openvpn --version | grep "$2.*SSL (mbed TLS)" + ;; + "openvpn-openssl") + openvpn --version | grep "$2.*SSL (OpenSSL)" + ;; +esac