- Update to 2.5.3:

  * Removal of BF-CBC support in default configuration
    *** POSSIBLE INCOMPATIBILITY ***
    See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
  * Connection setup is now much faster
  * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
  * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
  * Client-specific tls-crypt keys (--tls-crypt-v2)
  * Improved Data channel cipher negotiation
  * HMAC based auth-token support for seamless reconnects to
    standalone servers or a group of servers
  * Asynchronous (deferred) authentication support for auth-pam
    plugin
  * Asynchronous (deferred) support for client-connect scripts and
    plugins
  * Support IPv4 configs with /31 netmasks
  * 802.1q VLAN support on TAP servers
  * Support IPv6-only tunnels
  * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
  * Support Virtual Routing and Forwarding (VRF)
  * Netlink integration (OpenVPN no longer needs to execute
    ifconfig/route or ip commands)
  * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
- bsc#1062157: The fix for bsc#934237 causes problems with the
  crypto self-test of newer openvpn versions.
  Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch.

OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=165
Reinhard Max 2021-08-05 14:32:44 +00:00 committed by Git OBS Bridge
parent d362a8d722
commit 5126890df2
11 changed files with 128 additions and 422 deletions


@ -1,7 +1,5 @@
Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
===================================================================
--- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.c
+++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
--- src/plugins/auth-pam/auth-pam.c.orig
+++ src/plugins/auth-pam/auth-pam.c
@@ -43,6 +43,7 @@
#include <stdlib.h>
#include <sys/types.h>
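Review bot: the rebased header lines at the top of this hunk drop the `Index:`/`===` pair and rename the files from `openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.c` to `src/plugins/auth-pam/auth-pam.c.orig`, so the patch is now relative to the source root instead of a versioned top directory. That only applies cleanly together with the `%patch9 -p1` to `%patch9` change in the spec hunk of this same commit, so the two must not be split if this is ever cherry-picked or backported.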
@ -18,7 +16,7 @@ Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
/* Response codes for background -> foreground communication */
#define RESPONSE_INIT_SUCCEEDED 10
@@ -115,6 +117,7 @@ struct user_pass {
@@ -120,6 +122,7 @@ struct user_pass {
char password[128];
char common_name[128];
char response[128];
@ -26,8 +24,8 @@ Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
const struct name_value_list *name_value_list;
};
@@ -776,6 +779,21 @@ pam_auth(const char *service, const stru
return ret;
@@ -884,6 +887,21 @@ do_deferred_pam_auth(int fd, const char
exit(0);
}
+static int handle_auth_control_file(char *auth_control_file, int status)
@ -48,7 +46,7 @@ Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
/*
* Background process -- runs with privilege.
*/
@@ -878,6 +896,42 @@ pam_server(int fd, const char *service,
@@ -1002,6 +1020,42 @@ pam_server(int fd, const char *service,
plugin_secure_memzero(up.password, sizeof(up.password));
break;
@ -91,7 +89,7 @@ Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
case COMMAND_EXIT:
goto done;
@@ -905,3 +959,56 @@ done:
@@ -1029,3 +1083,56 @@ done:
return;
}
@ -148,10 +146,8 @@ Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+}
Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports
===================================================================
--- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.exports
+++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports
--- src/plugins/auth-pam/auth-pam.exports.orig
+++ src/plugins/auth-pam/auth-pam.exports
@@ -1,4 +1,5 @@
openvpn_plugin_open_v3
openvpn_plugin_func_v1
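Review bot: the hunk offsets in the rebased patch move by well over 100 lines (`@@ -776` becomes `@@ -884`, `@@ -878` becomes `@@ -1002`, `@@ -905` becomes `@@ -1029`), which shows that the auth-pam plugin changed substantially between 2.4.10 and 2.5.3. The 2.5.3 release notes quoted in this commit list "Asynchronous (deferred) authentication support for auth-pam plugin" as an upstream feature, so please check whether 0001-preform-deferred-authentication-in-the-background.patch is still needed at all or now duplicates upstream code, and record the outcome in the .changes entry.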


@ -1,22 +1,15 @@
Index: doc/openvpn.8
===================================================================
--- doc/openvpn.8.orig
+++ doc/openvpn.8
@@ -2690,12 +2690,11 @@ plug-in modules, see the README file in
.B plugin
folder of the OpenVPN source distribution.
@@ -6059,9 +6059,9 @@ For more information and examples on how
modules, see the README file in the \fBplugin\fP folder of the OpenVPN
source distribution.
.sp
-If you are using an RPM install of OpenVPN, see
-/usr/share/openvpn/plugin. The documentation is
-in
-.B doc
-and the actual plugin modules are in
-.B lib.
+If you are using an RPM install of OpenVPN, the actual
+plugin modules are in
+.B @PLUGIN_LIBDIR@
+and the documentation is in
+.B @PLUGIN_DOCDIR@/README.<plugin-name>.
Multiple plugin modules can be cascaded, and modules can be
used in tandem with scripts. The modules will be called by
-\fB/usr/share/openvpn/plugin\fP\&. The documentation is in \fBdoc\fP and
-the actual plugin modules are in \fBlib\fP\&.
+If you are using an RPM install of OpenVPN, the actual plugin modules
+are in \fB@PLUGIN_LIBDIR@\fP\& and the documentation is in
+\fB@PLUGIN_DOCDIR@/README.<plugin-name>\fP\&.
.sp
Multiple plugin modules can be cascaded, and modules can be used in
tandem with scripts. The modules will be called by OpenVPN in the order
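Review bot: the rebased hunk replaces the `.B` macro lines with `\fB...\fP\&` inline escapes and moves from line 2690 to 6059, which is the shape of the openvpn.8 that 2.5 generates from the reStructuredText sources (doc/openvpn.8.rst and doc/man-sections/). Patching the generated troff is fragile on every rebase; consider carrying this change against the .rst source instead. Also confirm that `@PLUGIN_LIBDIR@` and `@PLUGIN_DOCDIR@` are still substituted by the spec at build time, since a placeholder left in the installed man page would be worse than the old hard-coded `/usr/share/openvpn/plugin` path this patch replaces.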


@ -1,66 +0,0 @@
Author: Gert Doering <gert@greenie.muc.de>
Date: Tue Nov 10 22:58:39 2015 +0100
Fix possible heap overflow on read accessing getaddrinfo() result.
The code always tried to copy-out a "struct sockaddr_in6" even for IPv4
results, which reads more bytes than getaddrinfo() is guaranteed to
allocate.
Now, look at ai->ai_family and only copy "struct sockaddr" for IPv4.
Also, reformat this block of code to comply to coding style.
This is a specific 2.3 bug as the code in master (to be 2.4) has been
completely rewritten to properly handle dual-stack and multiple responses
from getaddrinfo() proper.
Bug found by Daniel Hirche using "gcc -fsanitize=address". No possible
exploits are known.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1447192719-31381-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10479
References: bsc#959714
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index a143853..0f46bad 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
<at> <at> -1259,20 +1259,24 <at> <at> resolve_remote (struct link_socket *sock,
ASSERT (0);
}
- /* Temporary fix, this need to be changed for dual stack */
- status = openvpn_getaddrinfo(flags, sock->remote_host, retry,
- signal_received, af, &ai);
- if(status == 0) {
- sock->info.lsa->remote.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr));
- freeaddrinfo(ai);
+ /* Temporary fix, this need to be changed for dual stack */
+ status = openvpn_getaddrinfo(flags, sock->remote_host, retry,
+ signal_received, af, &ai);
+ if(status == 0)
+ {
+ if ( ai->ai_family == AF_INET6 )
+ sock->info.lsa->remote.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr));
+ else
+ sock->info.lsa->remote.addr.in4 = *((struct sockaddr_in*)(ai->ai_addr));
+ freeaddrinfo(ai);
- dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d",
+ dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d",
flags,
phase,
retry,
signal_received ? *signal_received : -1,
status);
- }
+ }
if (signal_received)
{
if (*signal_received)
--
2.4.9
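Review bot: dropping this patch is consistent with its own description, which calls the bug 2.3-specific and says master (2.4 and later) completely rewrote the getaddrinfo() handling in resolve_remote() for dual-stack and multiple responses. In the commit message, though, "Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch" is indented as one of the upstream 2.5.3 bullets, which reads as if upstream announced it; make it a top-level `-` item so it is visibly a packaging decision, and reference bsc#959714 there, since the removed patch carries that bug number.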


@ -1,257 +0,0 @@
Index: openvpn-2.4.10/src/openvpn/crypto.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/crypto.c
+++ openvpn-2.4.10/src/openvpn/crypto.c
@@ -118,7 +118,7 @@ openvpn_encrypt_aead(struct buffer *buf,
dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc));
/* Buffer overflow check */
- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{
msg(D_CRYPT_ERRORS,
"ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d",
@@ -237,7 +237,7 @@ openvpn_encrypt_v1(struct buffer *buf, s
ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf));
/* Buffer overflow check */
- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{
msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d",
buf->capacity,
@@ -378,7 +378,7 @@ openvpn_decrypt_aead(struct buffer *buf,
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
uint8_t *tag_ptr = NULL;
int tag_size = 0;
- int outlen;
+ int outlen = 0;
struct gc_arena gc;
gc_init(&gc);
@@ -455,7 +455,7 @@ openvpn_decrypt_aead(struct buffer *buf,
dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc));
/* Buffer overflow check (should never fail) */
- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{
CRYPT_ERROR("potential buffer overflow");
}
@@ -601,7 +601,7 @@ openvpn_decrypt_v1(struct buffer *buf, s
}
/* Buffer overflow check (should never happen) */
- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{
CRYPT_ERROR("potential buffer overflow");
}
Index: openvpn-2.4.10/src/openvpn/crypto_openssl.h
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/crypto_openssl.h
+++ openvpn-2.4.10/src/openvpn/crypto_openssl.h
@@ -52,6 +52,9 @@ typedef HMAC_CTX hmac_ctx_t;
/** Maximum length of an IV */
#define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH
+/** Maximum length of a cipher block */
+#define OPENVPN_MAX_BLOCK_LENGTH EVP_MAX_BLOCK_LENGTH
+
/** Cipher is in CBC mode */
#define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE
Index: openvpn-2.4.10/src/openvpn/init.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/init.c
+++ openvpn-2.4.10/src/openvpn/init.c
@@ -3215,8 +3215,8 @@ init_context_buffers(const struct frame
b->aux_buf = alloc_buf(BUF_SIZE(frame));
#ifdef ENABLE_CRYPTO
- b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
- b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
+ b->encrypt_buf = alloc_buf(BUF_SIZE(frame) + OPENVPN_MAX_BLOCK_LENGTH);
+ b->decrypt_buf = alloc_buf(BUF_SIZE(frame) + OPENVPN_MAX_BLOCK_LENGTH);
#endif
#ifdef USE_COMP
Index: openvpn-2.4.10/src/openvpn/proxy.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/proxy.c
+++ openvpn-2.4.10/src/openvpn/proxy.c
@@ -73,6 +73,9 @@ recv_line(socket_descriptor_t sd,
struct buffer la;
int lastc = 0;
+ if (sd >= FD_SETSIZE)
+ return false;
+
CLEAR(la);
if (lookahead)
{
@@ -321,11 +324,11 @@ get_proxy_authenticate(socket_descriptor
struct gc_arena *gc,
volatile int *signal_received)
{
- char buf[256];
+ char buf[256] = {0};
int ret = HTTP_AUTH_NONE;
while (true)
{
- if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received))
+ if (!recv_line(sd, buf, sizeof(buf) - 1, timeout, true, NULL, signal_received))
{
free(*data);
*data = NULL;
@@ -641,9 +644,9 @@ establish_http_proxy_passthru(struct htt
volatile int *signal_received)
{
struct gc_arena gc = gc_new();
- char buf[512];
- char buf2[129];
- char get[80];
+ char buf[512] = {0};
+ char buf2[129] = {0};
+ char get[80] = {0};
int status;
int nparms;
bool ret = false;
@@ -733,7 +736,8 @@ establish_http_proxy_passthru(struct htt
}
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
@@ -764,7 +768,8 @@ establish_http_proxy_passthru(struct htt
while (true)
{
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
@@ -844,7 +849,8 @@ establish_http_proxy_passthru(struct htt
}
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
@@ -969,7 +975,8 @@ establish_http_proxy_passthru(struct htt
}
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
Index: openvpn-2.4.10/src/openvpn/socket.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/socket.c
+++ openvpn-2.4.10/src/openvpn/socket.c
@@ -1278,6 +1278,9 @@ socket_listen_accept(socket_descriptor_t
/* struct openvpn_sockaddr *remote = &act->dest; */
struct openvpn_sockaddr remote_verify = act->dest;
socket_descriptor_t new_sd = SOCKET_UNDEFINED;
+
+ if (sd >= FD_SETSIZE)
+ return -1;
CLEAR(*act);
socket_do_listen(sd, local, do_listen, true);
@@ -1428,6 +1431,9 @@ openvpn_connect(socket_descriptor_t sd,
{
int status = 0;
+ if (sd >= FD_SETSIZE)
+ return -1;
+
#ifdef TARGET_ANDROID
protect_fd_nonlocal(sd, remote);
#endif
Index: openvpn-2.4.10/src/openvpn/socks.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/socks.c
+++ openvpn-2.4.10/src/openvpn/socks.c
@@ -98,13 +98,16 @@ socks_username_password_auth(struct sock
socket_descriptor_t sd,
volatile int *signal_received)
{
- char to_send[516];
- char buf[2];
+ char to_send[516] = {0};
+ char buf[2] = {0};
int len = 0;
const int timeout_sec = 5;
struct user_pass creds;
ssize_t size;
+ if (sd >= FD_SETSIZE)
+ return false;
+
creds.defined = 0;
if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT))
{
@@ -193,7 +196,7 @@ socks_handshake(struct socks_proxy_info
socket_descriptor_t sd,
volatile int *signal_received)
{
- char buf[2];
+ char buf[2] = {0};
int len = 0;
const int timeout_sec = 5;
ssize_t size;
@@ -205,6 +208,9 @@ socks_handshake(struct socks_proxy_info
method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
}
+ if (sd >= FD_SETSIZE)
+ return false;
+
size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL);
if (size != sizeof(method_sel))
{
@@ -312,9 +318,12 @@ recv_socks_reply(socket_descriptor_t sd,
char atyp = '\0';
int alen = 0;
int len = 0;
- char buf[270]; /* 4 + alen(max 256) + 2 */
+ char buf[270] = {0}; /* 4 + alen(max 256) + 2 */
const int timeout_sec = 5;
+ if (sd >= FD_SETSIZE)
+ return false;
+
if (addr != NULL)
{
addr->addr.in4.sin_family = AF_INET;
@@ -398,7 +407,7 @@ recv_socks_reply(socket_descriptor_t sd,
}
/* store char in buffer */
- if (len < (int)sizeof(buf))
+ if (len < (int)sizeof(buf) && len >= 0)
{
buf[len] = c;
}
@@ -454,7 +463,7 @@ establish_socks_proxy_passthru(struct so
const char *servname, /* openvpn server port */
volatile int *signal_received)
{
- char buf[270];
+ char buf[270] = {0};
size_t len;
if (!socks_handshake(p, sd, signal_received))
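Review bot: the commit message justifies removing this patch with the crypto self-test breakage (bsc#1062157), but only the crypto.c, crypto_openssl.h and init.c parts touch the cipher block-size handling (the `OPENVPN_MAX_BLOCK_LENGTH` buffer sizing). The rest is unrelated hardening: `sd >= FD_SETSIZE` guards in proxy.c, socket.c and socks.c, zero-initialised stack buffers with `sizeof(buf) - 1` passed to recv_line(), and the added `len >= 0` check in recv_socks_reply(). Please state in the .changes entry whether those parts are covered upstream in 2.5.3 or are dropped deliberately; a reader of bsc#1062157 would otherwise assume only the crypto part went away.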


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e579eff218ab1d765965e64a917927504d8324717afdfcd56850f6b83ba8441b
size 970872


@ -1,16 +0,0 @@

openvpn-2.5.3.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fb6a9943c603a1951ca13e9267653f8dd650c02f84bccd2b9d20f06a4c9c9a7e
size 1149004

openvpn-2.5.3.tar.xz.asc Normal file

@ -0,0 +1,16 @@


@ -13,11 +13,9 @@ Signed-off-by: Nirmoy Das <ndas@suse.de>
src/openvpn/ssl.c | 4 ++--
6 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5f482d0..ff0f9a7 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -876,7 +876,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
--- src/openvpn/crypto.c.orig
+++ src/openvpn/crypto.c
@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
if (kt->digest && kt->hmac_length > 0)
{
ctx->hmac = hmac_ctx_new();
@ -26,11 +24,9 @@ index 5f482d0..ff0f9a7 100644
msg(D_HANDSHAKE,
"%s: Using %d bit message hash '%s' for HMAC authentication",
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index b7f519b..2911248 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
--- src/openvpn/crypto_backend.h.orig
+++ src/openvpn/crypto_backend.h
@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
* @param key The key to use for the HMAC
* @param key_len The key length to use
* @param kt Static message digest parameters
@ -43,11 +39,9 @@ index b7f519b..2911248 100644
/*
* Free the given HMAC context.
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index a55e65c..79f5530 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -926,11 +926,15 @@
--- src/openvpn/crypto_openssl.c.orig
+++ src/openvpn/crypto_openssl.c
@@ -1008,11 +1008,15 @@ hmac_ctx_free(HMAC_CTX *ctx)
void
hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
@ -64,11 +58,9 @@ index a55e65c..79f5530 100644
HMAC_Init_ex(ctx, key, key_len, kt, NULL);
/* make sure we used a big enough key */
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 0b1163e..93283bc 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -88,7 +88,7 @@
--- src/openvpn/ntlm.c.orig
+++ src/openvpn/ntlm.c
@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
const md_kt_t *md5_kt = md_kt_get("MD5");
hmac_ctx_t *hmac_ctx = hmac_ctx_new();
@ -77,28 +69,50 @@ index 0b1163e..93283bc 100644
hmac_ctx_update(hmac_ctx, data, data_len);
hmac_ctx_final(hmac_ctx, result);
hmac_ctx_cleanup(hmac_ctx);
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index fef5e90..33b6976 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -850,6 +850,10 @@ init_options(struct options *o, const bool init_gc)
#endif
#ifdef ENABLE_CRYPTO
o->ciphername = "BF-CBC";
--- src/openvpn/options.c.orig
+++ src/openvpn/options.c
@@ -850,6 +850,10 @@ init_options(struct options *o, const bo
o->tcp_queue_limit = 64;
o->max_clients = 1024;
o->max_routes_per_client = 256;
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode())
+ o->ciphername = "AES-256-CBC";
+#endif
#ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
o->ncp_enabled = true;
#else
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 15cd94a..21f50f1 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1635,8 +1635,8 @@ tls1_P_hash(const md_kt_t *md_kt,
chunk = md_kt_size(md_kt);
A1_len = md_kt_size(md_kt);
o->stale_routes_check_interval = 0;
o->ifconfig_pool_persist_refresh_freq = 600;
#if P2MP
@@ -3087,6 +3091,12 @@ options_postprocess_cipher(struct option
if (!o->ciphername)
{
o->ciphername = "BF-CBC";
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ {
+ o->ciphername = "AES-256-CBC";
+ }
+#endif
}
return;
}
@@ -3109,6 +3119,12 @@ options_postprocess_cipher(struct option
/* We still need to set the ciphername to BF-CBC since various other
* parts of OpenVPN assert that the ciphername is set */
o->ciphername = "BF-CBC";
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ {
+ o->ciphername = "AES-256-CBC";
+ }
+#endif
}
else if (!o->enable_ncp_fallback
&& !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
--- src/openvpn/ssl.c.orig
+++ src/openvpn/ssl.c
@@ -1661,8 +1661,8 @@ tls1_P_hash(const md_kt_t *md_kt,
int chunk = md_kt_size(md_kt);
unsigned int A1_len = md_kt_size(md_kt);
- hmac_ctx_init(ctx, sec, sec_len, md_kt);
- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
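Review bot: in the options.c part of this hunk the init_options() context changes from `o->ciphername = "BF-CBC";` (2.4) to `o->max_routes_per_client = 256;`, i.e. 2.5.3 no longer sets a default cipher in init_options(), yet the `#ifdef OPENSSL_FIPS` block that assigns `o->ciphername = "AES-256-CBC"` there is kept. In FIPS mode that pre-sets ciphername before options_postprocess_cipher() runs, so the two new blocks added under `if (!o->ciphername)` (`+#ifdef OPENSSL_FIPS` / `+ if (FIPS_mode())` / `+ o->ciphername = "AES-256-CBC";`) can never fire, and the following `else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))` branch will treat the FIPS default as a user-supplied --cipher. Suggest dropping the init_options() part and keeping only the options_postprocess_cipher() blocks, which is where the BF-CBC fallback now lives; while there, brace the single-statement `if(FIPS_mode())` in init_options() the way the new blocks do.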
@ -107,6 +121,3 @@ index 15cd94a..21f50f1 100644
hmac_ctx_update(ctx,seed,seed_len);
hmac_ctx_final(ctx, A1);
--
2.13.1


@ -1,3 +1,36 @@
-------------------------------------------------------------------
Thu Aug 5 14:07:14 UTC 2021 - Reinhard Max <max@suse.com>
- Update to 2.5.3:
* Removal of BF-CBC support in default configuration
*** POSSIBLE INCOMPATIBILITY ***
See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
* Connections setup is now much faster
* Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
* Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
* Client-specific tls-crypt keys (--tls-crypt-v2)
* Improved Data channel cipher negotiation
* HMAC based auth-token support for seamless reconnects to
standalone servers or a group of servers
* Asynchronous (deferred) authentication support for auth-pam
plugin
* Asynchronous (deferred) support for client-connect scripts and
plugins
* Support IPv4 configs with /31 netmasks
* 802.1q VLAN support on TAP servers
* Support IPv6-only tunnels
* New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
* Support Virtual Routing and Forwarding (VRF)
* Netlink integration (OpenVPN no longer needs to execute
ifconfig/route or ip commands)
* Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
- bsc#1062157: The fix for bsc#934237 causes problems with the
crypto self-test of newer openvpn versions.
Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
-------------------------------------------------------------------
Mon May 31 15:29:08 UTC 2021 - Dirk Müller <dmueller@suse.com>
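Review bot: the entry lists the upstream 2.5.3 changes and the two removed patches, but says nothing about the three patches rebased in the same commit (openvpn-2.3-plugin-man.dif, openvpn-fips140-2.3.2.patch and 0001-preform-deferred-authentication-in-the-background.patch) nor about the `-p1` change for %patch6 and %patch9. Add a line such as `- Rebased the remaining patches for 2.5.3` so the next packager can see why those files changed.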


@ -24,7 +24,7 @@
%define _rundir %{_localstatedir}/run
%endif
Name: openvpn
Version: 2.4.11
Version: 2.5.3
Release: 0
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
License: LGPL-2.1-only AND SUSE-GPL-2.0-with-openssl-exception
@ -42,8 +42,6 @@ Source10: %{name}-tmpfile.conf
Source11: rc%{name}
Patch1: %{name}-2.3-plugin-man.dif
Patch6: %{name}-fips140-2.3.2.patch
Patch7: openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
Patch8: openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
Patch9: 0001-preform-deferred-authentication-in-the-background.patch
BuildRequires: iproute2
BuildRequires: libselinux-devel
@ -127,10 +125,8 @@ This package provides the header file to build external plugins.
%prep
%setup -q
%patch1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch6
%patch9
sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
-i src/openvpn/options.c
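Review bot: `%patch7 -p1` and `%patch8 -p1` go away together with their `Patch7:`/`Patch8:` lines and the patch files, which is consistent. `%patch6 -p1` and `%patch9 -p1` become `%patch6` and `%patch9`, matching the rebased patch files that now name `src/...` paths with `.orig` suffixes instead of `a/`,`b/` or `openvpn-2.4.10/` prefixes; since the strip level changes, a local build of %prep is the quick way to confirm all three remaining patches still apply without fuzz. Consider also renaming openvpn-fips140-2.3.2.patch now that its content targets 2.5, as the version in the file name no longer describes the patch.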