aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2014-12-01 19:49:59 +0000
committerFelix Fietkau <nbd@openwrt.org>2014-12-01 19:49:59 +0000
commitfe05893ffb669d48eed2913fd566c33a40a0720e (patch)
treef1d89cb8de1230badbfc0fd5b2b3a1c090266db8
parent374f8a04e1250aa598df63e35ad7a434323651b1 (diff)
downloadupstream-fe05893ffb669d48eed2913fd566c33a40a0720e.tar.gz
upstream-fe05893ffb669d48eed2913fd566c33a40a0720e.tar.bz2
upstream-fe05893ffb669d48eed2913fd566c33a40a0720e.zip
openvpn: update to 2.3.6, fixes CVE-2014-8104
Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 43482
-rw-r--r--package/network/services/openvpn/Makefile4
-rw-r--r--package/network/services/openvpn/patches/100-polarssl_compat.h67
2 files changed, 46 insertions, 25 deletions
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 27f831b6d5..05303e920a 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn
-PKG_VERSION:=2.3.4
+PKG_VERSION:=2.3.6
PKG_RELEASE:=1
PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MD5SUM:=04d47237907faabe9d046970ffe44b2e
+PKG_MD5SUM:=6ca03fe0fd093e0d01601abee808835c
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
diff --git a/package/network/services/openvpn/patches/100-polarssl_compat.h b/package/network/services/openvpn/patches/100-polarssl_compat.h
index 86e7ec6a94..4def9670f0 100644
--- a/package/network/services/openvpn/patches/100-polarssl_compat.h
+++ b/package/network/services/openvpn/patches/100-polarssl_compat.h
@@ -11,7 +11,7 @@
struct _buffer_entry {
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
-@@ -45,7 +45,7 @@
+@@ -46,7 +46,7 @@
#include "manage.h"
#include "ssl_common.h"
@@ -20,12 +20,13 @@
#include <polarssl/havege.h>
#include "ssl_verify_polarssl.h"
-@@ -209,12 +209,12 @@ tls_ctx_load_dh_params (struct tls_root_
+@@ -212,13 +212,13 @@ tls_ctx_load_dh_params (struct tls_root_
{
- if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
+ if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline)
{
-- if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
-+ if (0 != dhm_parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
+- if (0 != x509parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
++ if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
+ strlen(dh_inline)))
msg (M_FATAL, "Cannot read inline DH parameters");
}
else
@@ -35,13 +36,13 @@
msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
}
-@@ -249,13 +249,13 @@ tls_ctx_load_cert_file (struct tls_root_
+@@ -253,13 +253,13 @@ tls_ctx_load_cert_file (struct tls_root_
- if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_file_inline)
+ if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
{
-- if (0 != x509parse_crt(ctx->crt_chain, cert_file_inline,
-+ if (0 != x509_crt_parse(ctx->crt_chain, cert_file_inline,
- strlen(cert_file_inline)))
+- if (0 != x509parse_crt(ctx->crt_chain,
++ if (0 != x509_crt_parse(ctx->crt_chain,
+ (const unsigned char *) cert_inline, strlen(cert_inline)))
msg (M_FATAL, "Cannot load inline certificate file");
}
else
@@ -51,12 +52,31 @@
msg (M_FATAL, "Cannot load certificate file %s", cert_file);
}
}
-@@ -476,13 +476,13 @@ void tls_ctx_load_ca (struct tls_root_ct
+@@ -277,7 +277,7 @@ tls_ctx_load_priv_file (struct tls_root_
+ status = x509parse_key(ctx->priv_key,
+ (const unsigned char *) priv_key_inline, strlen(priv_key_inline),
+ NULL, 0);
+- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
++ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
+ {
+ char passbuf[512] = {0};
+ pem_password_callback(passbuf, 512, 0, NULL);
+@@ -289,7 +289,7 @@ tls_ctx_load_priv_file (struct tls_root_
+ else
+ {
+ status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL);
+- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
++ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
+ {
+ char passbuf[512] = {0};
+ pem_password_callback(passbuf, 512, 0, NULL);
+@@ -480,14 +480,14 @@ void tls_ctx_load_ca (struct tls_root_ct
- if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline)
+ if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline)
{
-- if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)))
-+ if (0 != x509_crt_parse(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)))
+- if (0 != x509parse_crt(ctx->ca_chain, (const unsigned char *) ca_inline,
++ if (0 != x509_crt_parse(ctx->ca_chain, (const unsigned char *) ca_inline,
+ strlen(ca_inline)))
msg (M_FATAL, "Cannot load inline CA certificates");
}
else
@@ -67,13 +87,14 @@
msg (M_FATAL, "Cannot load CA certificate file %s", ca_file);
}
}
-@@ -496,13 +496,13 @@ tls_ctx_load_extra_certs (struct tls_roo
+@@ -501,14 +501,14 @@ tls_ctx_load_extra_certs (struct tls_roo
- if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline)
+ if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline)
{
-- if (0 != x509parse_crt(ctx->crt_chain, extra_certs_file_inline,
-+ if (0 != x509_crt_parse(ctx->crt_chain, extra_certs_file_inline,
- strlen(extra_certs_file_inline)))
+- if (0 != x509parse_crt(ctx->crt_chain,
++ if (0 != x509_crt_parse(ctx->crt_chain,
+ (const unsigned char *) extra_certs_inline,
+ strlen(extra_certs_inline)))
msg (M_FATAL, "Cannot load inline extra-certs file");
}
else
@@ -83,7 +104,7 @@
msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
}
}
-@@ -684,7 +684,7 @@ void key_state_ssl_init(struct key_state
+@@ -724,7 +724,7 @@ void key_state_ssl_init(struct key_state
external_key_len );
else
#endif
@@ -92,7 +113,7 @@
/* Initialise SSL verification */
#if P2MP_SERVER
-@@ -1026,7 +1026,7 @@ print_details (struct key_state_ssl * ks
+@@ -1068,7 +1068,7 @@ print_details (struct key_state_ssl * ks
cert = ssl_get_peer_cert(ks_ssl->ctx);
if (cert != NULL)
{
@@ -103,7 +124,7 @@
msg (D_HANDSHAKE, "%s%s", s1, s2);
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
-@@ -466,7 +466,12 @@ int cipher_ctx_mode (const cipher_contex
+@@ -487,7 +487,12 @@ cipher_ctx_get_cipher_kt (const cipher_c
int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
{
@@ -218,7 +239,7 @@
{
--- a/configure.ac
+++ b/configure.ac
-@@ -809,13 +809,13 @@ if test "${with_crypto_library}" = "pola
+@@ -819,13 +819,13 @@ if test "${with_crypto_library}" = "pola
#include <polarssl/version.h>
]],
[[