summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2015-05-04 08:49:21 +0000
committerJo-Philipp Wich <jow@openwrt.org>2015-05-04 08:49:21 +0000
commita28deda59043d2f77a728ad90ee3731c2efd19b1 (patch)
treef30e66d627c32cfda868dfbd4b0360bbbcedb631
parentaea93173d1d492b6c9508336ec965aecb09b69e1 (diff)
downloadmtk-20170518-a28deda59043d2f77a728ad90ee3731c2efd19b1.zip
mtk-20170518-a28deda59043d2f77a728ad90ee3731c2efd19b1.tar.gz
mtk-20170518-a28deda59043d2f77a728ad90ee3731c2efd19b1.tar.bz2
openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101)
OpenVPN assumes that its control channel messages are sent and received unfragmented, this assumption is broken when CBC record splitting is enabled in mbedTLS. The record splitting is intended as countermeasure against BEAST attacks which do not apply to OpenVPN, therefore we simply disable it until upstream OpenVPN gains the ability to process fragmented control messages. Disabling the splitting also works around a (not remotely triggerable) segmentation fault in mbedTLS. References: * https://dev.openwrt.org/ticket/19101 * https://community.openvpn.net/openvpn/ticket/524 * https://github.com/ARMmbed/mbedtls/pull/185 Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 45602
-rw-r--r--package/network/services/openvpn/Makefile2
-rw-r--r--package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch16
2 files changed, 17 insertions, 1 deletions
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 2b0b038..3e9be0d 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn
PKG_VERSION:=2.3.6
-PKG_RELEASE:=3
+PKG_RELEASE:=4
PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
diff --git a/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch b/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch
new file mode 100644
index 0000000..9e1511b
--- /dev/null
+++ b/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch
@@ -0,0 +1,16 @@
+Index: openvpn-2.3.6/src/openvpn/ssl_polarssl.c
+===================================================================
+--- openvpn-2.3.6.orig/src/openvpn/ssl_polarssl.c
++++ openvpn-2.3.6/src/openvpn/ssl_polarssl.c
+@@ -707,6 +707,11 @@ void key_state_ssl_init(struct key_state
+ if (ssl_ctx->allowed_ciphers)
+ ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers);
+
++ /* Disable record splitting (breaks current ssl handling) */
++#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
++ ssl_set_cbc_record_splitting (ks_ssl->ctx, SSL_CBC_RECORD_SPLITTING_DISABLED);
++#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
++
+ /* Initialise authentication information */
+ if (is_server)
+ ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx );