Accepting request 586118 from home:avindra

- Update to 2.4.5 * New features + The new option --tls-cert-profile can be used to restrict the set of allowed crypto algorithms in TLS certificates in mbed TLS builds. The default profile is 'legacy' for now, which allows SHA1+, RSA-1024+ and any elliptic curve certificates. The default will be changed to the 'preferred' profile in the future, which requires SHA2+, RSA-2048+ and any curve. + openvpnserv: Add support for multi-instances (to support multiple parallel OpenVPN installations, like EduVPN and regular OpenVPN) + Use P_DATA_V2 for server->client packets too (better packet alignment) + improve management interface documentation + rework registry key handling for OpenVPN service, notably making most registry values optional, falling back to reasonable defaults + accept IPv6 address for pushed "dhcp-option DNS ..." (make OpenVPN 2 option compatible with OpenVPN 3 iOS and Android clients) * Bug fixes + Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+ + Fix lots of compiler warnings (format string, type casts, ...) + reload HTTP proxy credentials when moving to the next connection profile + Fix build with LibreSSL (multiple times) + Remove non-useful warning on pushed tun-ipv6 option. + autoconf: Fix engine checks for openssl 1.1 + lz4: Rebase compat-lz4 against upstream v1.7.5 + lz4: Fix broken builds when pkg-config is not present but system library is + Fix '--bind ipv6only' + Allow learning iroutes with network made up of all 0s - Includes 2.4.4 * Bug fixes + Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is rejected by the remote side + Ignore --keysize when NCP have resulted in a changed cipher + Configurations using --auth-nocache and the management interface to provide user credentials (like NetworkManager) on client side with servers implementing authentication tokens (for example, using --auth-gen-token) will now behave correctly and not query the user for an, to them, unknown authentication token on renegotiations of the tunnel. + Invalid or corrupt SOCKS port number when changing the proxy via the management interface. + man page should now have proper escaping of hyphen/minus characters and other minor corrections. * User-visible Changes + Linux servers with systemd which use the openvpn-server@.service unit file for server configurations will now utilize the automatic restart feature in systemd. If the OpenVPN server process dies unexpectedly, systemd will ensure the OpenVPN configuration will be restarted automatically. * Deprecated + --no-replay (will be removed in 2.5) + --keysize (will be removed in 2.6) * Security + CVE-2017-12166: Fix bounds check for configurations using --key-method 1. Before this fix, attackers could send a malformed packet to trigger a stack overflow. This is considered to be a low risk issue, as --key-method 2 has been the default since 2.0 (released on 2005-04-17). This option is already deprecated in v2.4 and will be completely removed in v2.5. - Rebase openvpn-fips140-2.3.2.patch - Drop 0002-Fix-bounds-check-in-read_key.patch * upstreamed in c7e259160b28e94e4ea7f0ef767f8134283af255 - Partial cleanup with spec-cleaner OBS-URL: https://build.opensuse.org/request/show/586118 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=133
2018-04-10 14:14:26 +00:00 · 2018-04-10 14:14:26 +00:00 · 42c7e8bef4
commit 42c7e8bef4
parent f33ffa2f73
8 changed files with 120 additions and 113 deletions
--- a/0002-Fix-bounds-check-in-read_key.patch
+++ b/0002-Fix-bounds-check-in-read_key.patch
@ -1,58 +0,0 @@
-From 3b1a61e9fb27213c46f76312f4065816bee8ed01 Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan.karger@fox-it.com>
-Date: Tue, 15 Aug 2017 10:04:33 +0200
-Subject: [PATCH] Fix bounds check in read_key()
-
-The bounds check in read_key() was performed after using the value, instead
-of before.  If 'key-method 1' is used, this allowed an attacker to send a
-malformed packet to trigger a stack buffer overflow.
-
-Fix this by moving the input validation to before the writes.
-
-Note that 'key-method 1' has been replaced by 'key method 2' as the default
-in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4
-and marked for removal in 2.5.  This should limit the amount of users
-impacted by this issue.
-
-CVE: 2017-12166
-Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Acked-by: David Sommerseth <davids@openvpn.net>
-Message-Id: <80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com>
-URL: https://www.mail-archive.com/search?l=mid&q=80690690-67ac-3320-1891-9fecedc6a1fa@fox-it.com
-Signed-off-by: David Sommerseth <davids@openvpn.net>
---
- src/openvpn/crypto.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
-index 131257e5..3f3caa1c 100644
--- a/src/openvpn/crypto.c
-+++ b/src/openvpn/crypto.c
-@@ -1666,6 +1666,11 @@ read_key(struct key *key, const struct key_type *kt, struct buffer *buf)
-         goto read_err;
-     }
- 
-+    if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length)
-+    {
-+        goto key_len_err;
-+    }
-+
-     if (!buf_read(buf, key->cipher, cipher_length))
-     {
-         goto read_err;
-@@ -1675,11 +1680,6 @@ read_key(struct key *key, const struct key_type *kt, struct buffer *buf)
-         goto read_err;
-     }
- 
-    if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length)
-    {
-        goto key_len_err;
-    }
-
-     return 1;
- 
- read_err:
-- 
-2.13.6
-
--- a/openvpn-2.4.3.tar.xz
+++ b/openvpn-2.4.3.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:15e15fc97f189b52aee7c90ec8355aa77469c773125110b4c2f089abecde36fb
-size 938440
--- a/openvpn-2.4.3.tar.xz.asc
+++ b/openvpn-2.4.3.tar.xz.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQIcBAABAgAGBQJZSkg4AAoJENcq80SMwrA0XBwQAKoiJYeq99LnxrXrxDNVyGTr
-r8hFA7zo5Py3ZLelliKqVldBVeX6kkfrJAD5Immwt35PzffzSfVjUCd8mTUCoTdK
-nOuxVRsIfccb2B9yF25HmKPk7tXYfOg7QCCPK8Za8QJxLV85U9h0amTa5veRC4wm
-xQ4TRSk3yQRRKarOySpAJU7ue59LJ3jVBbuiNU0i6xGTzykrnqrli6pAzvFuTqfi
-DOIO8lwMFxwyDXonlX2faglfWanjVSv8nIwmP7EzefhTUkT9EU+7aoA1Lluh2HR6
-DmqOxh0x2DCR+pv37PHgQ0LhBJ2IVRp5sKskzUqkupV3S5dqj8OVFGly6+4D5aoO
-mTd9ZtVK1GAM/yw7QKO+jguSxRn/usIgBmxFcVcLZESycTCSS2iqtdQfSp/PtcGM
-0pQfNsyOm6vutlYFaUQqeGYIlqnlBEDeJr7zI9TdQoJ12DmeYyWABQ4MswnEWOGa
-LwD1PeKLNLddXiSXI1b4b/9TDmSiYw2MH9wDbMvKep+1IQhoh1Zubtv+DbcXXXCR
-cKWkDcTDzGoE55yHAPiP5VCZJvwTWEUA6z9hW38vVY2wauHMNXTeNcVGeTggq+YJ
-NfVv5Np7UP2BbSOPAspGsVlV5sekHvl1YAXuA5Y6hyixt1+KxZdJfFbqsU+fYm1n
-B1yC9E8sA2QK4kahvDj/
-=GwRO
-----END PGP SIGNATURE-----
--- a/openvpn-2.4.5.tar.xz
+++ b/openvpn-2.4.5.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:43c0a363a332350f620d1cd93bb431e082bedbc93d4fb872f758650d53c1d29e
+size 942696
--- a/openvpn-2.4.5.tar.xz.asc
+++ b/openvpn-2.4.5.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEtZYG4tjG4QuAvisx1yrzRIzCsDQFAlqXrFYACgkQ1yrzRIzC
+sDTqwA//XYEvyevywKRZlrzoO9BfCH+hu2SK6BVlba5nEiR+akJ952TdUo7kHYRF
+Ha4roGtQsCRa/oUYLeZ47wd0OvYFy+65iu3/6cK8eCZgy2oq7/3bAV+A/3S13FU/
+Si4MB1g442rYB9g6153XHC/tIQZbBmFkaIMJ0ObSzQIhcLdQFduMtzXOIMtJYa8k
+sjty85JvWuJGvkOgQDUn9V/5Io4uanVnSpRhBgEetH3vr70sl5623ePLkp4TLGzM
+f5mSapOOw31Wal1nTNXuIQWTXaj7br/yBLdxarJCH5WfwQksop2EvArdVM7wZ78C
+DEo4vUWvdWrGbQniPsD4dQkCy3g1wHD+f+O1QfM2xikIZ+n80K7jYqaaxJvMQ5r5
+AuKGhBT4wlU++BjOA8uIN0mZjEdhUt3Z8qLDDo9TPt4CA7FPmorMM8qdAQJkDHnC
+JYJysg9l7dCdavF9abRbz+Uj5vK1h3zMFq7V8mqPbuUKuloNL8yuyEvbTK65CAbi
+8JvVgbeeFiu61dAIjqBG20nIyUzPpv/Bv4rG8/WDZJtoByI8piEYO73stuQa1oS5
+CUciSEpDXriG6kkdTuqYq68aqKc74qSpJ5cLSYH6WVggIxtSnxCD+GmpP8CWLJhW
+O7pl8IKesdmU9sDnCv8jDLumEtZkZen4kpou+tm+FehLSHzIBUA=
+=I1E6
+-----END PGP SIGNATURE-----
--- a/openvpn-fips140-2.3.2.patch
+++ b/openvpn-fips140-2.3.2.patch
@ -47,7 +47,7 @@ diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
 index a55e65c..79f5530 100644
 --- a/src/openvpn/crypto_openssl.c
 +++ b/src/openvpn/crypto_openssl.c
-@@ -926,11 +926,15 @@ hmac_ctx_free(HMAC_CTX *ctx)
+@@ -926,11 +926,15 @@
 
 void
 hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
@ -56,7 +56,7 @@ index a55e65c..79f5530 100644
 {
     ASSERT(NULL != kt && NULL != ctx);
 
-     HMAC_CTX_init(ctx);
+     HMAC_CTX_reset(ctx);
 +	/* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
 +	 * * to be used anywhere else */
 +	if(kt == EVP_md5() && prf_use)
@ -68,14 +68,14 @@ diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
 index 0b1163e..93283bc 100644
 --- a/src/openvpn/ntlm.c
 +++ b/src/openvpn/ntlm.c
-@@ -87,7 +87,7 @@ gen_hmac_md5(const char *data, int data_len, const char *key, int key_len,char *
+@@ -88,7 +88,7 @@
     const md_kt_t *md5_kt = md_kt_get("MD5");
     hmac_ctx_t *hmac_ctx = hmac_ctx_new();
 
 -    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
 +    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
-     hmac_ctx_update(hmac_ctx, (const unsigned char *)data, data_len);
-     hmac_ctx_final(hmac_ctx, (unsigned char *)result);
+     hmac_ctx_update(hmac_ctx, data, data_len);
+     hmac_ctx_final(hmac_ctx, result);
     hmac_ctx_cleanup(hmac_ctx);
 diff --git a/src/openvpn/options.c b/src/openvpn/options.c
 index fef5e90..33b6976 100644
--- a/openvpn.changes
+++ b/openvpn.changes
@ -1,3 +1,76 @@
+-------------------------------------------------------------------
+Tue Mar 13 01:32:52 UTC 2018 - avindra@opensuse.org
+
+- Update to 2.4.5
+  * New features
+    + The new option --tls-cert-profile can be used to restrict the
+      set of allowed crypto algorithms in TLS certificates in mbed
+      TLS builds. The default profile is 'legacy' for now, which
+      allows SHA1+, RSA-1024+ and any elliptic curve certificates.
+      The default will be changed to the 'preferred' profile in the
+      future, which requires SHA2+, RSA-2048+ and any curve.
+    + openvpnserv: Add support for multi-instances (to support
+      multiple parallel OpenVPN installations, like EduVPN and
+      regular OpenVPN)
+    + Use P_DATA_V2 for server->client packets too (better packet
+      alignment)
+    + improve management interface documentation
+    + rework registry key handling for OpenVPN service, notably
+      making most registry values optional, falling back to
+      reasonable defaults
+    + accept IPv6 address for pushed "dhcp-option DNS ..." (make
+      OpenVPN 2 option compatible with OpenVPN 3 iOS and Android
+      clients)
+  * Bug fixes
+    + Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+
+    + Fix lots of compiler warnings (format string, type casts, ...)
+    + reload HTTP proxy credentials when moving to the next
+      connection profile
+    + Fix build with LibreSSL (multiple times)
+    + Remove non-useful warning on pushed tun-ipv6 option.
+    + autoconf: Fix engine checks for openssl 1.1
+    + lz4: Rebase compat-lz4 against upstream v1.7.5
+    + lz4: Fix broken builds when pkg-config is not present but
+      system library is
+    + Fix '--bind ipv6only'
+    + Allow learning iroutes with network made up of all 0s
+- Includes 2.4.4
+  * Bug fixes
+    + Fix issues when a pushed cipher via the Negotiable Crypto
+      Parameters (NCP) is rejected by the remote side
+    + Ignore --keysize when NCP have resulted in a changed cipher
+    + Configurations using --auth-nocache and the management
+      interface to provide user credentials (like NetworkManager)
+      on client side with servers implementing authentication
+      tokens (for example, using --auth-gen-token) will now behave
+      correctly and not query the user for an, to them, unknown
+      authentication token on renegotiations of the tunnel.
+    + Invalid or corrupt SOCKS port number when changing the proxy
+      via the management interface.
+    + man page should now have proper escaping of hyphen/minus
+      characters and other minor corrections.
+  * User-visible Changes
+    + Linux servers with systemd which use the openvpn-server@.service
+      unit file for server configurations will now utilize the
+      automatic restart feature in systemd. If the OpenVPN server
+      process dies unexpectedly, systemd will ensure the OpenVPN
+      configuration will be restarted automatically.
+  * Deprecated
+    + --no-replay (will be removed in 2.5)
+    + --keysize (will be removed in 2.6)
+  * Security
+    + CVE-2017-12166: Fix bounds check for configurations using
+      --key-method 1. Before this fix, attackers could send a
+      malformed packet to trigger a stack overflow. This is
+      considered to be a low risk issue, as --key-method 2 has
+      been the default since 2.0 (released on 2005-04-17). This
+      option is already deprecated in v2.4 and will be completely
+      removed in v2.5.
+- Rebase openvpn-fips140-2.3.2.patch
+- Drop 0002-Fix-bounds-check-in-read_key.patch
+  * upstreamed in c7e259160b28e94e4ea7f0ef767f8134283af255
+- Partial cleanup with spec-cleaner
+
 -------------------------------------------------------------------
 Tue Feb 13 17:49:09 UTC 2018 - max@suse.com

--- a/openvpn.spec
+++ b/openvpn.spec
@ -18,9 +18,8 @@

 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
-  %define _fillupdir /var/adm/fillup-templates
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
-
 %if 0%{?suse_version} > 1210
 %define with_systemd 1
 %else
@ -29,26 +28,20 @@
 %if ! %{defined _rundir}
 %define _rundir %{_localstatedir}/run
 %endif
-
 Name:           openvpn
-Url:            http://openvpn.net/
-%if %{with_systemd}
-%{?systemd_requires}
-%else
-PreReq:         %insserv_prereq %fillup_prereq
-%endif
-Version:        2.4.3
+Version:        2.4.5
 Release:        0
 Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
-License:        SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1
+License:        SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.1-only
 Group:          Productivity/Networking/Security
+Url:            http://openvpn.net/
 Source:         https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.xz
 Source1:        https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.xz.asc
 Source2:        %{name}.init
-Source6:        %{name}.sysconfig
 Source3:        %{name}.README.SUSE
 Source4:        client-netconfig.up
 Source5:        client-netconfig.down
+Source6:        %{name}.sysconfig
 Source7:        %{name}.keyring
 Source8:        %{name}.service
 Source9:        %{name}.target
@ -59,23 +52,27 @@ Patch6:         %{name}-fips140-2.3.2.patch
 Patch7:         openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
 Patch8:         openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
 Patch9:         0001-preform-deferred-authentication-in-the-background.patch
-Patch10:        0002-Fix-bounds-check-in-read_key.patch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  iproute2
+BuildRequires:  libselinux-devel
 BuildRequires:  lzo-devel
 BuildRequires:  openssl-devel
 BuildRequires:  pam-devel
+BuildRequires:  pkcs11-helper-devel >= 1.11
+BuildRequires:  xz
+Requires:       iproute2
+Requires:       pkcs11-helper >= 1.11
+%if %{with_systemd}
+%{?systemd_requires}
+%else
+PreReq:         %fillup_prereq
+PreReq:         %insserv_prereq
+%endif
 %if %{with_systemd}
 BuildRequires:  systemd
 %endif
-BuildRequires:  libselinux-devel
-BuildRequires:  pkcs11-helper-devel >= 1.11
-Requires:       pkcs11-helper >= 1.11
 %if %{with_systemd}
 BuildRequires:  systemd-devel
 %endif
-Requires:       iproute2
-BuildRequires:  xz

 %description
 OpenVPN is a full-featured SSL VPN solution which can accommodate a wide
@ -141,13 +138,12 @@ Requires:       %{name} = %{version}
 This package provides the header file to build external plugins.

 %prep
-%setup -q -n %{name}-%{version}
-%patch1 -p0
+%setup -q
+%patch1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
-%patch10 -p1

 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \
    -i src/openvpn/options.c
@ -176,10 +172,10 @@ export LDFLAGS
 	--enable-plugin-auth-pam	\
 	CFLAGS="$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS"	\
 	LDFLAGS="$LDFLAGS -pie -lpam -rdynamic -Wl,-rpath,%{_libdir}/%{name}/plugins"
-make %{_smp_mflags}
+make %{?_smp_mflags}

 %install
-make DESTDIR=$RPM_BUILD_ROOT install
+%make_install
 find %{buildroot} -type f -name "*.la" -delete -print
 mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
 mkdir -p %{buildroot}/%{_rundir}/openvpn
@ -271,8 +267,8 @@ rm -f %{_sysconfdir}/sysconfig/openvpn || :
 %endif

 %files
-%defattr(-,root,root)
-%doc AUTHORS COPYING COPYRIGHT.GPL ChangeLog PORTS README
+%license COPYING
+%doc AUTHORS COPYRIGHT.GPL ChangeLog PORTS README
 %doc src/plugins/{auth-pam/README.auth-pam,down-root/README.down-root}
 %doc README.*
 %doc contrib
@ -280,7 +276,7 @@ rm -f %{_sysconfdir}/sysconfig/openvpn || :
 %doc sample/sample-keys
 %doc sample/sample-scripts
 %doc doc/management-notes.txt
-%doc %{_mandir}/man8/openvpn.8.gz
+%{_mandir}/man8/openvpn.8%{?ext_man}
 %config(noreplace) %{_sysconfdir}/openvpn/
 %if %{with_systemd}
 %dir %{_tmpfilesdir}
@ -297,19 +293,16 @@ rm -f %{_sysconfdir}/sysconfig/openvpn || :
 %{_sbindir}/openvpn

 %files down-root-plugin
-%defattr(-,root,root)
 %dir %{_libdir}/%{name}
 %dir %{_libdir}/%{name}/plugins
 %{_libdir}/%{name}/plugins/%{name}-plugin-down-root.so

 %files auth-pam-plugin
-%defattr(-,root,root)
 %dir %{_libdir}/%{name}
 %dir %{_libdir}/%{name}/plugins
 %{_libdir}/%{name}/plugins/%{name}-plugin-auth-pam.so

 %files devel
-%defattr(-,root,root)
 %{_includedir}/%{name}-plugin.h
 %{_includedir}/%{name}-msg.h