Accepting request 861546 from network:vpn

OBS-URL: https://build.opensuse.org/request/show/861546
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=90
Dominique Leuenberger 2021-01-11 16:09:38 +00:00 committed by Git OBS Bridge
commit 86973f04d6
8 changed files with 112 additions and 84 deletions


@ -1,7 +1,7 @@
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 54471a3..a2d509f 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
===================================================================
--- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.c
+++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c
@@ -43,6 +43,7 @@
#include <stdlib.h>
#include <sys/types.h>
@ -18,15 +18,15 @@ index 54471a3..a2d509f 100644
/* Response codes for background -> foreground communication */
#define RESPONSE_INIT_SUCCEEDED 10
@@ -112,6 +114,7 @@ struct user_pass {
char username[128];
@@ -115,6 +117,7 @@ struct user_pass {
char password[128];
char common_name[128];
+ char auth_control_file[PATH_MAX];
char response[128];
+ char auth_control_file[PATH_MAX];
const struct name_value_list *name_value_list;
};
@@ -708,6 +711,21 @@ pam_auth(const char *service, const struct user_pass *up)
@@ -776,6 +779,21 @@ pam_auth(const char *service, const stru
return ret;
}
@ -48,7 +48,7 @@ index 54471a3..a2d509f 100644
/*
* Background process -- runs with privilege.
*/
@@ -807,6 +825,42 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
@@ -878,6 +896,42 @@ pam_server(int fd, const char *service,
plugin_secure_memzero(up.password, sizeof(up.password));
break;
@ -91,7 +91,7 @@ index 54471a3..a2d509f 100644
case COMMAND_EXIT:
goto done;
@@ -833,3 +887,56 @@ done:
@@ -905,3 +959,56 @@ done:
return;
}
@ -148,10 +148,10 @@ index 54471a3..a2d509f 100644
+ return OPENVPN_PLUGIN_FUNC_ERROR;
+ }
+}
diff --git a/src/plugins/auth-pam/auth-pam.exports b/src/plugins/auth-pam/auth-pam.exports
index 597e33f..b304ff4 100644
--- a/src/plugins/auth-pam/auth-pam.exports
+++ b/src/plugins/auth-pam/auth-pam.exports
Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports
===================================================================
--- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.exports
+++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports
@@ -1,4 +1,5 @@
openvpn_plugin_open_v3
openvpn_plugin_func_v1
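Review bot: The refreshed patch still declares `char auth_control_file[PATH_MAX];` in `struct user_pass`, and the one line that the `@@ -43,6 +43,7 @@` hunk adds beside `#include <stdlib.h>` is elided in this view, so it cannot be confirmed here that it is `#include <limits.h>`; if it is anything else, `PATH_MAX` is only available through whatever header happens to pull it in, and the plugin fails to compile on platforms that do not define it. A short comment on the field would keep that dependency visible for the next refresh, e.g. `char auth_control_file[PATH_MAX]; /* sized with PATH_MAX: keep <limits.h> included above */`. The struct, `pam_auth` and `pam_server` all extend outside the hunks shown here, so the use of the field itself is not reviewable from this page.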


@ -1,8 +1,8 @@
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index ff0f9a7..fb27b36 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -118,7 +118,7 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
Index: openvpn-2.4.10/src/openvpn/crypto.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/crypto.c
+++ openvpn-2.4.10/src/openvpn/crypto.c
@@ -118,7 +118,7 @@ openvpn_encrypt_aead(struct buffer *buf,
dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc));
/* Buffer overflow check */
@ -11,7 +11,7 @@ index ff0f9a7..fb27b36 100644
{
msg(D_CRYPT_ERRORS,
"ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d",
@@ -237,7 +237,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work,
@@ -237,7 +237,7 @@ openvpn_encrypt_v1(struct buffer *buf, s
ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf));
/* Buffer overflow check */
@ -20,7 +20,7 @@ index ff0f9a7..fb27b36 100644
{
msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d",
buf->capacity,
@@ -378,7 +378,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
@@ -378,7 +378,7 @@ openvpn_decrypt_aead(struct buffer *buf,
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
uint8_t *tag_ptr = NULL;
int tag_size = 0;
@ -29,7 +29,7 @@ index ff0f9a7..fb27b36 100644
struct gc_arena gc;
gc_init(&gc);
@@ -455,7 +455,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
@@ -455,7 +455,7 @@ openvpn_decrypt_aead(struct buffer *buf,
dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc));
/* Buffer overflow check (should never fail) */
@ -38,7 +38,7 @@ index ff0f9a7..fb27b36 100644
{
CRYPT_ERROR("potential buffer overflow");
}
@@ -601,7 +601,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work,
@@ -601,7 +601,7 @@ openvpn_decrypt_v1(struct buffer *buf, s
}
/* Buffer overflow check (should never happen) */
@ -47,10 +47,10 @@ index ff0f9a7..fb27b36 100644
{
CRYPT_ERROR("potential buffer overflow");
}
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index 60a2812..c191695 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
Index: openvpn-2.4.10/src/openvpn/crypto_openssl.h
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/crypto_openssl.h
+++ openvpn-2.4.10/src/openvpn/crypto_openssl.h
@@ -52,6 +52,9 @@ typedef HMAC_CTX hmac_ctx_t;
/** Maximum length of an IV */
#define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH
@ -61,11 +61,11 @@ index 60a2812..c191695 100644
/** Cipher is in CBC mode */
#define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 0652ef4..9fa3352 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3067,8 +3067,8 @@ init_context_buffers(const struct frame *frame)
Index: openvpn-2.4.10/src/openvpn/init.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/init.c
+++ openvpn-2.4.10/src/openvpn/init.c
@@ -3215,8 +3215,8 @@ init_context_buffers(const struct frame
b->aux_buf = alloc_buf(BUF_SIZE(frame));
#ifdef ENABLE_CRYPTO
@ -76,10 +76,10 @@ index 0652ef4..9fa3352 100644
#endif
#ifdef USE_COMP
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 7a737ea..592bd97 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
Index: openvpn-2.4.10/src/openvpn/proxy.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/proxy.c
+++ openvpn-2.4.10/src/openvpn/proxy.c
@@ -73,6 +73,9 @@ recv_line(socket_descriptor_t sd,
struct buffer la;
int lastc = 0;
@ -90,7 +90,7 @@ index 7a737ea..592bd97 100644
CLEAR(la);
if (lookahead)
{
@@ -311,11 +314,11 @@ get_proxy_authenticate(socket_descriptor_t sd,
@@ -321,11 +324,11 @@ get_proxy_authenticate(socket_descriptor
struct gc_arena *gc,
volatile int *signal_received)
{
@ -104,7 +104,7 @@ index 7a737ea..592bd97 100644
{
free(*data);
*data = NULL;
@@ -631,9 +634,9 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
@@ -641,9 +644,9 @@ establish_http_proxy_passthru(struct htt
volatile int *signal_received)
{
struct gc_arena gc = gc_new();
@ -117,7 +117,7 @@ index 7a737ea..592bd97 100644
int status;
int nparms;
bool ret = false;
@@ -723,7 +726,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
@@ -733,7 +736,8 @@ establish_http_proxy_passthru(struct htt
}
/* receive reply from proxy */
@ -127,7 +127,7 @@ index 7a737ea..592bd97 100644
{
goto error;
}
@@ -754,7 +758,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
@@ -764,7 +768,8 @@ establish_http_proxy_passthru(struct htt
while (true)
{
@ -137,7 +137,7 @@ index 7a737ea..592bd97 100644
{
goto error;
}
@@ -834,7 +839,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
@@ -844,7 +849,8 @@ establish_http_proxy_passthru(struct htt
}
/* receive reply from proxy */
@ -147,7 +147,7 @@ index 7a737ea..592bd97 100644
{
goto error;
}
@@ -959,7 +965,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
@@ -969,7 +975,8 @@ establish_http_proxy_passthru(struct htt
}
/* receive reply from proxy */
@ -157,11 +157,11 @@ index 7a737ea..592bd97 100644
{
goto error;
}
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 4e7e3f9..93ea889 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -1162,6 +1162,9 @@ socket_listen_accept(socket_descriptor_t sd,
Index: openvpn-2.4.10/src/openvpn/socket.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/socket.c
+++ openvpn-2.4.10/src/openvpn/socket.c
@@ -1278,6 +1278,9 @@ socket_listen_accept(socket_descriptor_t
/* struct openvpn_sockaddr *remote = &act->dest; */
struct openvpn_sockaddr remote_verify = act->dest;
socket_descriptor_t new_sd = SOCKET_UNDEFINED;
@ -171,7 +171,7 @@ index 4e7e3f9..93ea889 100644
CLEAR(*act);
socket_do_listen(sd, local, do_listen, true);
@@ -1314,6 +1317,9 @@ openvpn_connect(socket_descriptor_t sd,
@@ -1428,6 +1431,9 @@ openvpn_connect(socket_descriptor_t sd,
{
int status = 0;
@ -181,11 +181,11 @@ index 4e7e3f9..93ea889 100644
#ifdef TARGET_ANDROID
protect_fd_nonlocal(sd, remote);
#endif
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index 92747ec..f8e02a4 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -98,13 +98,16 @@ socks_username_password_auth(struct socks_proxy_info *p,
Index: openvpn-2.4.10/src/openvpn/socks.c
===================================================================
--- openvpn-2.4.10.orig/src/openvpn/socks.c
+++ openvpn-2.4.10/src/openvpn/socks.c
@@ -98,13 +98,16 @@ socks_username_password_auth(struct sock
socket_descriptor_t sd,
volatile int *signal_received)
{
@ -204,7 +204,7 @@ index 92747ec..f8e02a4 100644
creds.defined = 0;
if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT))
{
@@ -193,7 +196,7 @@ socks_handshake(struct socks_proxy_info *p,
@@ -193,7 +196,7 @@ socks_handshake(struct socks_proxy_info
socket_descriptor_t sd,
volatile int *signal_received)
{
@ -213,7 +213,7 @@ index 92747ec..f8e02a4 100644
int len = 0;
const int timeout_sec = 5;
ssize_t size;
@@ -205,6 +208,9 @@ socks_handshake(struct socks_proxy_info *p,
@@ -205,6 +208,9 @@ socks_handshake(struct socks_proxy_info
method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
}
@ -227,17 +227,17 @@ index 92747ec..f8e02a4 100644
char atyp = '\0';
int alen = 0;
int len = 0;
- char buf[22];
+ char buf[22] = {0};
- char buf[270]; /* 4 + alen(max 256) + 2 */
+ char buf[270] = {0}; /* 4 + alen(max 256) + 2 */
const int timeout_sec = 5;
+ if (sd >= FD_SETSIZE)
+ return false;
+ if (sd >= FD_SETSIZE)
+ return false;
+
if (addr != NULL)
{
addr->addr.in4.sin_family = AF_INET;
@@ -395,7 +404,7 @@ recv_socks_reply(socket_descriptor_t sd,
@@ -398,7 +407,7 @@ recv_socks_reply(socket_descriptor_t sd,
}
/* store char in buffer */
@ -246,12 +246,12 @@ index 92747ec..f8e02a4 100644
{
buf[len] = c;
}
@@ -447,7 +456,7 @@ establish_socks_proxy_passthru(struct socks_proxy_info *p,
@@ -454,7 +463,7 @@ establish_socks_proxy_passthru(struct so
const char *servname, /* openvpn server port */
volatile int *signal_received)
{
- char buf[128];
+ char buf[128] = {0};
- char buf[270];
+ char buf[270] = {0};
size_t len;
if (!socks_handshake(p, sd, signal_received))
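Review bot: The `FD_SETSIZE` guard the refreshed patch inserts into `recv_socks_reply` in socks.c is an unbraced `if (sd >= FD_SETSIZE) return false;`, while the surrounding code braces every control body (`if (addr != NULL)` followed by `{` a few lines below); bracing it, `if (sd >= FD_SETSIZE)` / `{` / `return false;` / `}`, keeps the early return consistent with the file and visible to readers. The same three-line guard is apparently added by the `@@ -205,6 +208,9 @@` hunk in `socks_handshake`, the proxy.c `recv_line` hunk and both socket.c hunks, but those added lines are elided in this view, so they should be checked for the same shape. The `= {0}` initialisers on `buf[270]` follow the upstream size bump and look correct as shown. `recv_socks_reply` and `establish_socks_proxy_passthru` both begin outside the hunks; only their declarations are visible here.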

3
openvpn-2.4.10.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cf285395a679f0b68c0acde2cb2480e8ead6ca07ff14c1bc52ae65a1243aa377
size 968852

16
openvpn-2.4.10.tar.xz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=s0Nr
-----END PGP SIGNATURE-----


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
size 954264


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=f3TL
-----END PGP SIGNATURE-----


@ -1,3 +1,31 @@
-------------------------------------------------------------------
Wed Jan 6 17:15:13 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 2.4.10:
- OpenVPN client will now announce the acceptable ciphers to the server
(IV_CIPHER=...), so NCP cipher negotiation works better
- Parse static challenge response in auth-pam plugin
- Accept empty password and/or response in auth-pam plugin
- Log serial number of revoked certificate
- Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
- Fix auth-token not being updated if auth-nocache is set
(this should fix all remaining client-side bugs for the combination
"auth-nocache in client-config" + "auth-token in use on the server")
- Fix stack overflow in OpenSolaris and *BSD NEXTADDR()
- Fix error detection / abort in --inetd corner case (#350)
- Fix TUNSETGROUP compatibility with very old Linux systems (#1152)
- Fix handling of 'route remote_host' for IPv6 transport case
(#1247 and #1332)
- Fix --show-gateway for IPv6 on NetBSD/i386 (#734)
- A number of documentation improvements / clarification fixes.
- Fix line number reporting on config file errors after <inline> segments
- Fix fatal error at switching remotes (#629)
- socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848)
- Switch "ks->authenticated" assertion failure to returning false (#1270)
- refresh 0001-preform-deferred-authentication-in-the-background.patch
openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10
-------------------------------------------------------------------
Fri Sep 11 11:52:54 UTC 2020 - Dirk Mueller <dmueller@suse.com>


@ -1,7 +1,7 @@
#
# spec file for package openvpn
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -29,7 +29,7 @@
%define _rundir %{_localstatedir}/run
%endif
Name: openvpn
Version: 2.4.9
Version: 2.4.10
Release: 0
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.1-only