Accepting request 940946 from network:vpn
Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/940946 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=96
commit
715786395f
@ -1,156 +0,0 @@
|
||||
--- src/plugins/auth-pam/auth-pam.c.orig
|
||||
+++ src/plugins/auth-pam/auth-pam.c
|
||||
@@ -43,6 +43,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
+#include <linux/limits.h>
|
||||
#include <sys/wait.h>
|
||||
#include <fcntl.h>
|
||||
#include <signal.h>
|
||||
@@ -56,6 +57,7 @@
|
||||
/* Command codes for foreground -> background communication */
|
||||
#define COMMAND_VERIFY 0
|
||||
#define COMMAND_EXIT 1
|
||||
+#define COMMAND_VERIFY_V2 2
|
||||
|
||||
/* Response codes for background -> foreground communication */
|
||||
#define RESPONSE_INIT_SUCCEEDED 10
|
||||
@@ -120,6 +122,7 @@ struct user_pass {
|
||||
char password[128];
|
||||
char common_name[128];
|
||||
char response[128];
|
||||
+ char auth_control_file[PATH_MAX];
|
||||
|
||||
const struct name_value_list *name_value_list;
|
||||
};
|
||||
@@ -884,6 +887,21 @@ do_deferred_pam_auth(int fd, const char
|
||||
exit(0);
|
||||
}
|
||||
|
||||
+static int handle_auth_control_file(char *auth_control_file, int status)
|
||||
+{
|
||||
+ FILE *fp = fopen(auth_control_file, "w");
|
||||
+
|
||||
+ if (fp) {
|
||||
+ if (fprintf (fp, "%d\n", status) < 0) {
|
||||
+ fclose(fp);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ fclose(fp);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Background process -- runs with privilege.
|
||||
*/
|
||||
@@ -1002,6 +1020,42 @@ pam_server(int fd, const char *service,
|
||||
plugin_secure_memzero(up.password, sizeof(up.password));
|
||||
break;
|
||||
|
||||
+ case COMMAND_VERIFY_V2:
|
||||
+ if (recv_string (fd, up.username, sizeof (up.username)) == -1
|
||||
+ || recv_string (fd, up.password, sizeof (up.password)) == -1
|
||||
+ || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1
|
||||
+ || recv_string (fd, up.auth_control_file, sizeof (up.auth_control_file)) == -1)
|
||||
+ {
|
||||
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n",
|
||||
+ command);
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ if (DEBUG (verb))
|
||||
+ {
|
||||
+#if 0
|
||||
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
|
||||
+ up.username, up.password);
|
||||
+#else
|
||||
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username);
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
+ if (pam_auth (service, &up)) /* Succeeded */
|
||||
+ {
|
||||
+ if (handle_auth_control_file(up.auth_control_file, 1) == -1) {
|
||||
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n");
|
||||
+ }
|
||||
+ }
|
||||
+ else /* Failed */
|
||||
+ {
|
||||
+ if (handle_auth_control_file(up.auth_control_file, 0) == -1) {
|
||||
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n");
|
||||
+ }
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
+
|
||||
case COMMAND_EXIT:
|
||||
goto done;
|
||||
|
||||
@@ -1029,3 +1083,56 @@ done:
|
||||
|
||||
return;
|
||||
}
|
||||
+
|
||||
+int
|
||||
+handle_auth_pass_verify_v2(struct auth_pam_context *context, const char *argv[], const char *envp[])
|
||||
+{
|
||||
+
|
||||
+ /* get username/password from envp string array */
|
||||
+ const char *username = get_env ("username", envp);
|
||||
+ const char *password = get_env ("password", envp);
|
||||
+ const char *common_name = get_env ("common_name", envp) ? get_env ("common_name", envp) : "";
|
||||
+ const char *auth_control_file = get_env ("auth_control_file", envp);
|
||||
+
|
||||
+ if (!username || !*username || !password)
|
||||
+ return OPENVPN_PLUGIN_FUNC_ERROR;
|
||||
+
|
||||
+ if (!auth_control_file || !*auth_control_file || access( auth_control_file, F_OK ) == -1)
|
||||
+ return OPENVPN_PLUGIN_FUNC_ERROR;
|
||||
+
|
||||
+ if (send_control (context->foreground_fd, COMMAND_VERIFY_V2) == -1
|
||||
+ || send_string (context->foreground_fd, username) == -1
|
||||
+ || send_string (context->foreground_fd, password) == -1
|
||||
+ || send_string (context->foreground_fd, common_name) == -1
|
||||
+ || send_string (context->foreground_fd, auth_control_file) == -1)
|
||||
+ {
|
||||
+ fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n");
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
|
||||
+ }
|
||||
+
|
||||
+ return OPENVPN_PLUGIN_FUNC_ERROR;
|
||||
+}
|
||||
+
|
||||
+OPENVPN_EXPORT int
|
||||
+openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle,
|
||||
+ const int type,
|
||||
+ const char *argv[],
|
||||
+ const char *envp[],
|
||||
+ void *per_client_context,
|
||||
+ struct openvpn_plugin_string_list **return_list)
|
||||
+{
|
||||
+ struct auth_pam_context *context = (struct auth_pam_context *) handle;
|
||||
+
|
||||
+ switch (type)
|
||||
+ {
|
||||
+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY:
|
||||
+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n");
|
||||
+ return handle_auth_pass_verify_v2 (context, argv, envp);
|
||||
+ default:
|
||||
+ printf ("OPENVPN_PLUGIN_?\n");
|
||||
+ return OPENVPN_PLUGIN_FUNC_ERROR;
|
||||
+ }
|
||||
+}
|
||||
--- src/plugins/auth-pam/auth-pam.exports.orig
|
||||
+++ src/plugins/auth-pam/auth-pam.exports
|
||||
@@ -1,4 +1,5 @@
|
||||
openvpn_plugin_open_v3
|
||||
openvpn_plugin_func_v1
|
||||
+openvpn_plugin_func_v2
|
||||
openvpn_plugin_close_v1
|
||||
openvpn_plugin_abort_v1
|
@ -1,3 +1,15 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 8 14:40:22 UTC 2021 - Reinhard Max <max@suse.com>
|
||||
|
||||
- Drop 0001-preform-deferred-authentication-in-the-background.patch
|
||||
Upstream has meanwhile solved this differently and the two
|
||||
implementations interfere (boo#1193017).
|
||||
- Obsoleted SLE patches up to this point:
|
||||
* openvpn-CVE-2020-15078.patch
|
||||
* openvpn-CVE-2020-11810.patch
|
||||
* openvpn-CVE-2018-7544.patch
|
||||
* openvpn-CVE-2018-9336.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Oct 16 10:05:25 UTC 2021 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
@ -318,6 +330,7 @@ Tue Mar 13 01:32:52 UTC 2018 - avindra@opensuse.org
|
||||
+ Use P_DATA_V2 for server->client packets too (better packet
|
||||
alignment)
|
||||
+ improve management interface documentation
|
||||
(bsc#1085803, CVE-2018-7544)
|
||||
+ rework registry key handling for OpenVPN service, notably
|
||||
making most registry values optional, falling back to
|
||||
reasonable defaults
|
||||
|
@ -42,7 +42,6 @@ Source10: %{name}-tmpfile.conf
|
||||
Source11: rc%{name}
|
||||
Patch1: %{name}-2.3-plugin-man.dif
|
||||
Patch6: %{name}-fips140-2.3.2.patch
|
||||
Patch9: 0001-preform-deferred-authentication-in-the-background.patch
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: lzo-devel
|
||||
BuildRequires: openssl-devel
|
||||
@ -124,7 +123,6 @@ This package provides the header file to build external plugins.
|
||||
%setup -q
|
||||
%patch1
|
||||
%patch6
|
||||
%patch9
|
||||
|
||||
sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
|
||||
-i src/openvpn/options.c
|
||||
|