From b9f6a97b59a4654c0145a8e2f8db2f44e6425b261d87a32c3995c925ac52af68 Mon Sep 17 00:00:00 2001 From: Reinhard Max Date: Fri, 26 Nov 2021 13:36:45 +0000 Subject: [PATCH 1/2] - Disable 0001-preform-deferred-authentication-in-the-background.patch for testing, because the PAM module now has upstream support for deferred authentication. OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=169 --- openvpn.changes | 7 +++++++ openvpn.spec | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/openvpn.changes b/openvpn.changes
index 1f67dc2..65769ef 100644
--- a/openvpn.changes
+++ b/openvpn.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Nov 26 13:27:19 UTC 2021 - Reinhard Max
+
+- Disable 0001-preform-deferred-authentication-in-the-background.patch for testing, because the PAM module now has upstream support for deferred authentication.
+
 -------------------------------------------------------------------
 Sat Oct 16 10:05:25 UTC 2021 - Dirk Müller
diff --git a/openvpn.spec b/openvpn.spec
index 0ad6648..c6b044e 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -124,7 +124,7 @@ This package provides the header file to build external plugins.
 %setup -q
 %patch1
 %patch6
-%patch9
+#patch9
 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
 -i src/openvpn/options.c
From 122fb572524b64d004fefbcd1f3d24738048bcd5549d0869948e5f4ddd4435de Mon Sep 17 00:00:00 2001
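Review bot: The new `+#patch9` line stops applying the patch, but the `Patch9:` declaration earlier in the spec is left in place, so the SRPM still ships a patch that is never applied and nothing in %prep records why it is skipped; the %prep section continues outside the hunk. Writing the comment without the `%` is the right move, because rpm expands macros even on comment lines (this is what rpmlint's macro-in-comment warning is about), so `#%patch9` would presumably still apply the patch, but that subtlety and the reason belong next to it. I would make the line `# patch9 (deferred PAM auth) not applied: upstream auth-pam now does deferred auth itself`, taking care never to write a bare `%` in a spec comment. If the patch is going away for good rather than "for testing", removing the `Patch9:` line in the same commit keeps the declaration and %prep consistent.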
From: Reinhard Max Date: Thu, 9 Dec 2021 14:14:14 +0000 Subject: [PATCH 2/2] - Drop 0001-preform-deferred-authentication-in-the-background.patch Upstream has meanwhile solved this differently and the two implementations interfere (boo#1193017). - Obsoleted SLE patches up to this point: * openvpn-CVE-2020-15078.patch * openvpn-CVE-2020-11810.patch * openvpn-CVE-2018-7544.patch * openvpn-CVE-2018-9336.patch (bsc#1085803, CVE-2018-7544) OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=170 --- ...red-authentication-in-the-background.patch | 156 ------------------ openvpn.changes | 14 +- openvpn.spec | 2 - 3 files changed, 10 insertions(+), 162 deletions(-) delete mode 100644 0001-preform-deferred-authentication-in-the-background.patch diff --git a/0001-preform-deferred-authentication-in-the-background.patch b/0001-preform-deferred-authentication-in-the-background.patch deleted file mode 100644 index eaf0026..0000000 --- a/0001-preform-deferred-authentication-in-the-background.patch +++ /dev/null 
@@ -1,156 +0,0 @@ ---- src/plugins/auth-pam/auth-pam.c.orig -+++ src/plugins/auth-pam/auth-pam.c -@@ -43,6 +43,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -56,6 +57,7 @@ - /* Command codes for foreground -> background communication */ - #define COMMAND_VERIFY 0 - #define COMMAND_EXIT 1 -+#define COMMAND_VERIFY_V2 2 - - /* Response codes for background -> foreground communication */ - #define RESPONSE_INIT_SUCCEEDED 10 -@@ -120,6 +122,7 @@ struct user_pass { - char password[128]; - char common_name[128]; - char response[128]; -+ char auth_control_file[PATH_MAX]; - - const struct name_value_list *name_value_list; - }; -@@ -884,6 +887,21 @@ do_deferred_pam_auth(int fd, const char - exit(0); - } - -+static int handle_auth_control_file(char *auth_control_file, int status) -+{ -+ FILE *fp = fopen(auth_control_file, "w"); -+ -+ if (fp) { -+ if (fprintf (fp, "%d\n", status) < 0) { -+ fclose(fp); -+ return -1; -+ } -+ fclose(fp); -+ return 0; -+ } -+ return -1; -+} -+ - /* - * Background process -- runs with privilege. 
- */ -@@ -1002,6 +1020,42 @@ pam_server(int fd, const char *service, - plugin_secure_memzero(up.password, sizeof(up.password)); - break; - -+ case COMMAND_VERIFY_V2: -+ if (recv_string (fd, up.username, sizeof (up.username)) == -1 -+ || recv_string (fd, up.password, sizeof (up.password)) == -1 -+ || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1 -+ || recv_string (fd, up.auth_control_file, sizeof (up.auth_control_file)) == -1) -+ { -+ fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n", -+ command); -+ goto done; -+ } -+ -+ if (DEBUG (verb)) -+ { -+#if 0 -+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n", -+ up.username, up.password); -+#else -+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username); -+#endif -+ } -+ -+ if (pam_auth (service, &up)) /* Succeeded */ -+ { -+ if (handle_auth_control_file(up.auth_control_file, 1) == -1) { -+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n"); -+ } -+ } -+ else /* Failed */ -+ { -+ if (handle_auth_control_file(up.auth_control_file, 0) == -1) { -+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n"); -+ } -+ } -+ break; -+ -+ - case COMMAND_EXIT: - goto done; - -@@ -1029,3 +1083,56 @@ done: - - return; - } -+ -+int -+handle_auth_pass_verify_v2(struct auth_pam_context *context, const char *argv[], const char *envp[]) -+{ -+ -+ /* get username/password from envp string array */ -+ const char *username = get_env ("username", envp); -+ const char *password = get_env ("password", envp); -+ const char *common_name = get_env ("common_name", envp) ? 
get_env ("common_name", envp) : ""; -+ const char *auth_control_file = get_env ("auth_control_file", envp); -+ -+ if (!username || !*username || !password) -+ return OPENVPN_PLUGIN_FUNC_ERROR; -+ -+ if (!auth_control_file || !*auth_control_file || access( auth_control_file, F_OK ) == -1) -+ return OPENVPN_PLUGIN_FUNC_ERROR; -+ -+ if (send_control (context->foreground_fd, COMMAND_VERIFY_V2) == -1 -+ || send_string (context->foreground_fd, username) == -1 -+ || send_string (context->foreground_fd, password) == -1 -+ || send_string (context->foreground_fd, common_name) == -1 -+ || send_string (context->foreground_fd, auth_control_file) == -1) -+ { -+ fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n"); -+ } -+ else -+ { -+ return OPENVPN_PLUGIN_FUNC_DEFERRED; -+ } -+ -+ return OPENVPN_PLUGIN_FUNC_ERROR; -+} -+ -+OPENVPN_EXPORT int -+openvpn_plugin_func_v2 (openvpn_plugin_handle_t handle, -+ const int type, -+ const char *argv[], -+ const char *envp[], -+ void *per_client_context, -+ struct openvpn_plugin_string_list **return_list) -+{ -+ struct auth_pam_context *context = (struct auth_pam_context *) handle; -+ -+ switch (type) -+ { -+ case OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY: -+ printf ("OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY\n"); -+ return handle_auth_pass_verify_v2 (context, argv, envp); -+ default: -+ printf ("OPENVPN_PLUGIN_?\n"); -+ return OPENVPN_PLUGIN_FUNC_ERROR; -+ } -+} ---- src/plugins/auth-pam/auth-pam.exports.orig -+++ src/plugins/auth-pam/auth-pam.exports -@@ -1,4 +1,5 @@ - openvpn_plugin_open_v3 - openvpn_plugin_func_v1 -+openvpn_plugin_func_v2 - openvpn_plugin_close_v1 - openvpn_plugin_abort_v1 diff --git a/openvpn.changes b/openvpn.changes index 65769ef..470aa99 100644 --- a/openvpn.changes +++ b/openvpn.changes 
@@ -1,9 +1,14 @@
 -------------------------------------------------------------------
-Fri Nov 26 13:27:19 UTC 2021 - Reinhard Max
+Wed Dec 8 14:40:22 UTC 2021 - Reinhard Max
-- Disable 0001-preform-deferred-authentication-in-the-background.patch
- for testing, because the PAM module now has upstream support for
- deferred authentication.
+- Drop 0001-preform-deferred-authentication-in-the-background.patch
+ Upstream has meanwhile solved this differently and the two
+ implementations interfere (boo#1193017).
+- Obsoleted SLE patches up to this point:
+ * openvpn-CVE-2020-15078.patch
+ * openvpn-CVE-2020-11810.patch
+ * openvpn-CVE-2018-7544.patch
+ * openvpn-CVE-2018-9336.patch
 -------------------------------------------------------------------
 Sat Oct 16 10:05:25 UTC 2021 - Dirk Müller
@@ -325,6 +330,7 @@ Tue Mar 13 01:32:52 UTC 2018 - avindra@opensuse.org + Use P_DATA_V2 for server->client packets too (better packet alignment) + improve management interface documentation + (bsc#1085803, CVE-2018-7544) + rework registry key handling for OpenVPN service, notably making most registry values optional, falling back to reasonable defaults
diff --git a/openvpn.spec b/openvpn.spec
index c6b044e..732af93 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -42,7 +42,6 @@ Source10: %{name}-tmpfile.conf
 Source11: rc%{name}
 Patch1: %{name}-2.3-plugin-man.dif
 Patch6: %{name}-fips140-2.3.2.patch
-Patch9: 0001-preform-deferred-authentication-in-the-background.patch
 BuildRequires: libselinux-devel
 BuildRequires: lzo-devel
 BuildRequires: openssl-devel
@@ -124,7 +123,6 @@ This package provides the header file to build external plugins.
 %setup -q
 %patch1
 %patch6
-#patch9
 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
 -i src/openvpn/options.c