- Fixed to use correct sha digest data length and in fips mode,

use aes instead of the disallowed blowfish crypto (boo#914166).

OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=88

openvpn-fips140-2.3.2.patch

@@ -1,6 +1,5 @@
-diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto_backend.h openvpn-2.3.2/src/openvpn/crypto_backend.h
+--- openvpn-2.3.2/src/openvpn/crypto_backend.h
---- openvpn-2.3.2.orig/src/openvpn/crypto_backend.h	2013-08-13 03:24:16.465313821 +0200
++++ openvpn-2.3.2/src/openvpn/crypto_backend.h	2015/02/19 09:15:02
-+++ openvpn-2.3.2/src/openvpn/crypto_backend.h	2013-08-13 05:55:40.914256287 +0200
 @@ -452,10 +452,11 @@ void md_ctx_final (md_ctx_t *ctx, uint8_
   * @param key		The key to use for the HMAC
   * @param key_len	The key length to use
@@ -14,9 +13,8 @@ diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto_backend.h openvpn-2.3.2/src/ope
  
  /*
   * Free the given HMAC context.
-diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto.c openvpn-2.3.2/src/openvpn/crypto.c
+--- openvpn-2.3.2/src/openvpn/crypto.c
---- openvpn-2.3.2.orig/src/openvpn/crypto.c	2013-08-13 03:24:16.466313824 +0200
++++ openvpn-2.3.2/src/openvpn/crypto.c	2015/02/19 09:15:02
-+++ openvpn-2.3.2/src/openvpn/crypto.c	2013-08-13 05:54:09.655008218 +0200
 @@ -486,7 +486,7 @@ init_key_ctx (struct key_ctx *ctx, struc
    if (kt->digest && kt->hmac_length > 0)
      {
@@ -104,9 +102,8 @@ diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto.c openvpn-2.3.2/src/openvpn/cry
  }
  
  #endif /* ENABLE_CRYPTO */
-diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto.h openvpn-2.3.2/src/openvpn/crypto.h
+--- openvpn-2.3.2/src/openvpn/crypto.h
---- openvpn-2.3.2.orig/src/openvpn/crypto.h	2013-08-13 03:24:16.459313788 +0200
++++ openvpn-2.3.2/src/openvpn/crypto.h	2015/02/19 09:15:02
-+++ openvpn-2.3.2/src/openvpn/crypto.h	2013-08-13 05:54:09.656008193 +0200
 @@ -364,24 +364,24 @@ void free_ssl_lib (void);
  #endif /* ENABLE_SSL */
  
@@ -143,9 +140,8 @@ diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto.h openvpn-2.3.2/src/openvpn/cry
  
  /*
   * Inline functions
-diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto_openssl.c openvpn-2.3.2/src/openvpn/crypto_openssl.c
+--- openvpn-2.3.2/src/openvpn/crypto_openssl.c
---- openvpn-2.3.2.orig/src/openvpn/crypto_openssl.c	2013-08-13 03:24:16.462313808 +0200
++++ openvpn-2.3.2/src/openvpn/crypto_openssl.c	2015/02/19 09:15:02
-+++ openvpn-2.3.2/src/openvpn/crypto_openssl.c	2013-08-13 05:56:06.930326789 +0200
 @@ -719,13 +719,17 @@ md_ctx_final (EVP_MD_CTX *ctx, uint8_t *
  
  void
@@ -165,9 +161,8 @@ diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto_openssl.c openvpn-2.3.2/src/ope
    HMAC_Init_ex (ctx, key, key_len, kt, NULL);
  
    /* make sure we used a big enough key */
-diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto_openssl.h openvpn-2.3.2/src/openvpn/crypto_openssl.h
+--- openvpn-2.3.2/src/openvpn/crypto_openssl.h
---- openvpn-2.3.2.orig/src/openvpn/crypto_openssl.h	2013-08-13 03:24:16.465313821 +0200
++++ openvpn-2.3.2/src/openvpn/crypto_openssl.h	2015/02/19 09:15:02
-+++ openvpn-2.3.2/src/openvpn/crypto_openssl.h	2013-08-13 05:54:09.656008193 +0200
 @@ -33,6 +33,7 @@
  #include <openssl/evp.h>
  #include <openssl/hmac.h>
@@ -176,9 +171,8 @@ diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto_openssl.h openvpn-2.3.2/src/ope
  
  /** Generic cipher key type %context. */
  typedef EVP_CIPHER cipher_kt_t;
-diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto_polarssl.c openvpn-2.3.2/src/openvpn/crypto_polarssl.c
+--- openvpn-2.3.2/src/openvpn/crypto_polarssl.c
---- openvpn-2.3.2.orig/src/openvpn/crypto_polarssl.c	2013-08-13 03:24:16.460313793 +0200
++++ openvpn-2.3.2/src/openvpn/crypto_polarssl.c	2015/02/19 09:15:02
-+++ openvpn-2.3.2/src/openvpn/crypto_polarssl.c	2013-08-13 05:56:23.116370864 +0200
 @@ -608,7 +608,7 @@ md_ctx_final (md_context_t *ctx, uint8_t
   * TODO: re-enable dmsg for crypto debug
   */
@@ -188,9 +182,8 @@ diff -urNp openvpn-2.3.2.orig/src/openvpn/crypto_polarssl.c openvpn-2.3.2/src/op
  {
    ASSERT(NULL != kt && NULL != ctx);
  
-diff -urNp openvpn-2.3.2.orig/src/openvpn/init.c openvpn-2.3.2/src/openvpn/init.c
+--- openvpn-2.3.2/src/openvpn/init.c
---- openvpn-2.3.2.orig/src/openvpn/init.c	2013-08-13 03:24:16.465313821 +0200
++++ openvpn-2.3.2/src/openvpn/init.c	2015/02/19 09:15:02
-+++ openvpn-2.3.2/src/openvpn/init.c	2013-08-13 05:54:09.658008149 +0200
 @@ -1352,12 +1352,12 @@ do_route (const struct options *options,
   */
  #if P2MP
@@ -231,9 +224,8 @@ diff -urNp openvpn-2.3.2.orig/src/openvpn/init.c openvpn-2.3.2/src/openvpn/init.
  	       strlen (c->c2.options_string_remote), 9, &gc));
  #endif
  
-diff -urNp openvpn-2.3.2.orig/src/openvpn/ntlm.c openvpn-2.3.2/src/openvpn/ntlm.c
+--- openvpn-2.3.2/src/openvpn/ntlm.c
---- openvpn-2.3.2.orig/src/openvpn/ntlm.c	2013-08-13 03:24:16.460313793 +0200
++++ openvpn-2.3.2/src/openvpn/ntlm.c	2015/02/19 09:15:02
-+++ openvpn-2.3.2/src/openvpn/ntlm.c	2013-08-13 05:54:09.658008149 +0200
 @@ -90,7 +90,7 @@ gen_hmac_md5 (const char* data, int data
  	hmac_ctx_t hmac_ctx;
  	CLEAR(hmac_ctx);
@@ -243,9 +235,8 @@ diff -urNp openvpn-2.3.2.orig/src/openvpn/ntlm.c openvpn-2.3.2/src/openvpn/ntlm.
  	hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len);
  	hmac_ctx_final(&hmac_ctx, (unsigned char *)result);
  	hmac_ctx_cleanup(&hmac_ctx);
-diff -urNp openvpn-2.3.2.orig/src/openvpn/openvpn.h openvpn-2.3.2/src/openvpn/openvpn.h
+--- openvpn-2.3.2/src/openvpn/openvpn.h
---- openvpn-2.3.2.orig/src/openvpn/openvpn.h	2013-08-13 03:24:16.465313821 +0200
++++ openvpn-2.3.2/src/openvpn/openvpn.h	2015/02/19 09:15:02
-+++ openvpn-2.3.2/src/openvpn/openvpn.h	2013-08-13 05:54:09.658008149 +0200
 @@ -206,7 +206,7 @@ struct context_1
  #endif
  
@@ -268,9 +259,21 @@ diff -urNp openvpn-2.3.2.orig/src/openvpn/openvpn.h openvpn-2.3.2/src/openvpn/op
  
    struct event_timeout server_poll_interval;
  
-diff -urNp openvpn-2.3.2.orig/src/openvpn/push.c openvpn-2.3.2/src/openvpn/push.c
+--- openvpn-2.3.2/src/openvpn/options.c
---- openvpn-2.3.2.orig/src/openvpn/push.c	2013-08-13 03:24:16.459313788 +0200
++++ openvpn-2.3.2/src/openvpn/options.c	2015/02/19 09:15:10
-+++ openvpn-2.3.2/src/openvpn/push.c	2013-08-13 05:54:09.659008129 +0200
+@@ -828,6 +828,10 @@ init_options (struct options *o, const b
+ #endif
+ #ifdef ENABLE_CRYPTO
+   o->ciphername = "BF-CBC";
++#ifdef OPENSSL_FIPS
++  if(FIPS_mode())
++    o->ciphername = "AES-256-CBC";
++#endif
+   o->ciphername_defined = true;
+   o->authname = "SHA1";
+   o->authname_defined = true;
+--- openvpn-2.3.2/src/openvpn/push.c
++++ openvpn-2.3.2/src/openvpn/push.c	2015/02/19 09:15:02
 @@ -446,10 +446,10 @@ process_incoming_push_msg (struct contex
        if (ch == ',')
  	{
@@ -303,9 +306,8 @@ diff -urNp openvpn-2.3.2.orig/src/openvpn/push.c openvpn-2.3.2/src/openvpn/push.
  		ret = PUSH_MSG_CONTINUATION;
  		break;
  	      }
-diff -urNp openvpn-2.3.2.orig/src/openvpn/ssl.c openvpn-2.3.2/src/openvpn/ssl.c
+--- openvpn-2.3.2/src/openvpn/ssl.c
---- openvpn-2.3.2.orig/src/openvpn/ssl.c	2013-08-13 03:24:16.459313788 +0200
++++ openvpn-2.3.2/src/openvpn/ssl.c	2015/02/19 09:15:02
-+++ openvpn-2.3.2/src/openvpn/ssl.c	2013-08-13 05:54:09.660008110 +0200
 @@ -1342,8 +1342,8 @@ tls1_P_hash(const md_kt_t *md_kt,
    chunk = md_kt_size(md_kt);
    A1_len = md_kt_size(md_kt);

openvpn.changes

@@ -1,7 +1,8 @@
 -------------------------------------------------------------------
-Wed Feb 18 17:20:46 UTC 2015 - mt@suse.de
+Mon Mar  2 08:26:08 UTC 2015 - mt@suse.de
 
-- Fixed to use correct sha digest data length (boo#914166)
+- Fixed to use correct sha digest data length and in fips mode,
+  use aes instead of the disallowed blowfish crypto (boo#914166).
 
 -------------------------------------------------------------------
 Mon Dec  1 19:37:29 UTC 2014 - mt@suse.de

openvpn.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openvpn
 #
-# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed