security upgrade to OpenVPN 2.3.1; upstream release notes are

"This release adds supports for PolarSSL 1.2. It also adds a fix to prevent potential side-channel attacks by switching to a constant-time memcmp when comparing HMACs in the openvpn_decrypt function. In addition, it contains several bugfixes and documentation updates, as well as some minor enhancements." Full ChangeLog: <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23> The port upgrade also offers an option to use the GPLv2+-licensed PolarSSL instead of OpenSSL (which brings in a license mix). PR: ports/177517 Reviewed by: miwi Approved by: portmgr (miwi) Security: 92f30415-9935-11e2-ad4c-080027ef73ec
svn path=/head/; revision=315640
2013-03-31 16:00:02 +00:00 · 2013-03-31 16:00:02 +00:00 · 2cc4d448bc · 2021-03-31 03:12:20 +00:00
commit 2cc4d448bc
parent 1ef28d7c9a
3 changed files with 43 additions and 9 deletions
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@ -2,8 +2,7 @@
 # $FreeBSD$

 PORTNAME=	openvpn
-DISTVERSION=	2.3.0
-PORTREVISION=	3
+DISTVERSION=	2.3.1
 CATEGORIES=	security net
 MASTER_SITES=	http://swupdate.openvpn.net/community/releases/ \
 		http://build.openvpn.net/downloads/releases/
@ -16,18 +15,19 @@ LICENSE=	GPLv2
 CONFLICTS_INSTALL=	openvpn-2.[!3].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]*

 GNU_CONFIGURE=	yes
-USE_OPENSSL=	yes
 USE_XZ=		yes
 # let OpenVPN's configure script pick up the requisite libraries:
 CPPFLAGS+=	-I${LOCALBASE}/include
 LDFLAGS+=	-L${LOCALBASE}/lib

-# PolarSSL is not provided; OpenVPN does not currently compile with PolarSSL 1.2.0+
 OPTIONS_DEFINE=		PW_SAVE PKCS11 EASYRSA
-OPTIONS_DEFAULT=	EASYRSA
+OPTIONS_DEFAULT=	EASYRSA OPENSSL
+OPTIONS_SINGLE=		SSL
+OPTIONS_SINGLE_SSL=	OPENSSL POLARSSL
 PW_SAVE_DESC=	Interactive passwords may be read from a file
 PKCS11_DESC=	Use security/pkcs11-helper
 EASYRSA_DESC=	Install security/easy-rsa RSA helper package
+POLARSSL_DESC=	SSL/TLS support via PolarSSL

 .include <bsd.port.options.mk>

@ -40,7 +40,15 @@ INSTALL_TARGET=	install DESTDIR=${_stagedir}
 RUN_DEPENDS+=	easy-rsa>=0:${PORTSDIR}/security/easy-rsa
 .endif

-INSTALL_TARGET+=	mandir=${MANPREFIX}/man
+.if ${PORT_OPTIONS:MPOLARSSL}
+LIB_DEPENDS+=	polarssl:${PORTSDIR}/security/polarssl
+CONFIGURE_ARGS+=	--with-crypto-library=polarssl
+.else
+USE_OPENSSL=	yes
+CONFIGURE_ARGS+=	--with-crypto-library=openssl
+.endif
+
+.INSTALL_TARGET+=	mandir=${MANPREFIX}/man
 MAN8=		openvpn.8

 USE_RC_SUBR=	openvpn
@ -98,7 +106,6 @@ post-install:
 	${INSTALL_DATA} ${_stagedir}${PREFIX}/include/* ${PREFIX}/include/
 	${INSTALL_MAN} ${_stagedir}${PREFIX}/man/man8/* ${MAN8PREFIX}/man/man8/
 .if ${PORT_OPTIONS:MDOCS}
-	-${RMDIR} ${_stagedir}${DOCSDIR}/sample
 	(cd ${_stagedir}${DOCSDIR} && ${COPYTREE_SHARE} \* ${DOCSDIR}/)
 .for i in AUTHORS ChangeLog PORTS
 	${INSTALL_MAN} ${WRKSRC}/${i} ${DOCSDIR}/
--- a/security/openvpn/distinfo
+++ b/security/openvpn/distinfo
@ -1,2 +1,2 @@
-SHA256 (openvpn-2.3.0.tar.xz) = a9fcf7bc1c1cd88cd8867ff567e8f8df5e695f0e983bd0aed3a3e1f6ae14d107
-SIZE (openvpn-2.3.0.tar.xz) = 762052
+SHA256 (openvpn-2.3.1.tar.xz) = 9d7723ea83cdc0c78b32005f4b9c1f7ca1cc9e53e90b77bd643a203e6189884b
+SIZE (openvpn-2.3.1.tar.xz) = 776076
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -51,6 +51,33 @@ Note:  Please add new entries to the beginning of this file.

 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="92f30415-9935-11e2-ad4c-080027ef73ec">
+    <topic>OpenVPN -- potential side-channel/timing attack when comparing HMACs</topic>
+    <affects>
+      <package>
+	<name>openvpn</name>
+	<range><lt>2.3.1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The OpenVPN project reports:</p>
+	<blockquote cite="https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.1<">
+	  <p>[OpenVPN 2.3.1 adds a fix to prevent potential side-channel
+	    attacks by switching to a] constant time memcmp when comparing HMACs in [the] openvpn_decrypt [function].</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.1</url>
+      <url>http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=commit;h=11d21349a4e7e38a025849479b36ace7c2eec2ee</url>
+    </references>
+    <dates>
+      <discovery>2013-03-19</discovery>
+      <entry>2013-03-31</entry>
+    </dates>
+  </vuln>
+
  <vuln vid="843a4641-9816-11e2-9c51-080027019be0">
    <topic>libxml2 -- cpu consumption Dos</topic>
    <affects>