From: Jo-Philipp Wich Date: Mon, 4 May 2015 08:49:21 +0000 (+0000) Subject: openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101) X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=a28deda59043d2f77a728ad90ee3731c2efd19b1;p=openwrt%2Fstaging%2Fnbd.git openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101) OpenVPN assumes that its control channel messages are sent and received unfragmented, this assumption is broken when CBC record splitting is enabled in mbedTLS. The record splitting is intended as countermeasure against BEAST attacks which do not apply to OpenVPN, therefore we simply disable it until upstream OpenVPN gains the ability to process fragmented control messages. Disabling the splitting also works around a (not remotely triggerable) segmentation fault in mbedTLS. References: * https://dev.openwrt.org/ticket/19101 * https://community.openvpn.net/openvpn/ticket/524 * https://github.com/ARMmbed/mbedtls/pull/185 Signed-off-by: Jo-Philipp Wich SVN-Revision: 45602 --- diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index 2b0b038a29..3e9be0dae3 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn PKG_VERSION:=2.3.6 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz diff --git a/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch b/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch new file mode 100644 index 0000000000..9e1511b6b6 --- /dev/null +++ b/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch @@ -0,0 +1,16 @@ +Index: openvpn-2.3.6/src/openvpn/ssl_polarssl.c +=================================================================== +--- openvpn-2.3.6.orig/src/openvpn/ssl_polarssl.c ++++ openvpn-2.3.6/src/openvpn/ssl_polarssl.c +@@ -707,6 +707,11 @@ void key_state_ssl_init(struct key_state + if (ssl_ctx->allowed_ciphers) + ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers); + ++ /* Disable record splitting (breaks current ssl handling) */ ++#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING) ++ ssl_set_cbc_record_splitting (ks_ssl->ctx, SSL_CBC_RECORD_SPLITTING_DISABLED); ++#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */ ++ + /* Initialise authentication information */ + if (is_server) + ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx );