diff --git a/0001-preform-deferred-authentication-in-the-background.patch b/0001-preform-deferred-authentication-in-the-background.patch index 5fb2e54..6501d54 100644 --- a/0001-preform-deferred-authentication-in-the-background.patch +++ b/0001-preform-deferred-authentication-in-the-background.patch @@ -1,7 +1,7 @@ -diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c -index 54471a3..a2d509f 100644 ---- a/src/plugins/auth-pam/auth-pam.c -+++ b/src/plugins/auth-pam/auth-pam.c +Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c +=================================================================== +--- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.c ++++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c @@ -43,6 +43,7 @@ #include #include @@ -18,15 +18,15 @@ index 54471a3..a2d509f 100644 /* Response codes for background -> foreground communication */ #define RESPONSE_INIT_SUCCEEDED 10 -@@ -112,6 +114,7 @@ struct user_pass { - char username[128]; +@@ -115,6 +117,7 @@ struct user_pass { char password[128]; char common_name[128]; -+ char auth_control_file[PATH_MAX]; + char response[128]; ++ char auth_control_file[PATH_MAX]; const struct name_value_list *name_value_list; }; -@@ -708,6 +711,21 @@ pam_auth(const char *service, const struct user_pass *up) +@@ -776,6 +779,21 @@ pam_auth(const char *service, const stru return ret; } @@ -48,7 +48,7 @@ index 54471a3..a2d509f 100644 /* * Background process -- runs with privilege. */ -@@ -807,6 +825,42 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * +@@ -878,6 +896,42 @@ pam_server(int fd, const char *service, plugin_secure_memzero(up.password, sizeof(up.password)); break; @@ -91,7 +91,7 @@ index 54471a3..a2d509f 100644 case COMMAND_EXIT: goto done; -@@ -833,3 +887,56 @@ done: +@@ -905,3 +959,56 @@ done: return; } 
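Review bot: The relocated field `++ char auth_control_file[PATH_MAX];` in the `@@ -18,15 +18,15 @@` hunk now sits after `char response[128];`, a second secret-bearing member that 2.4.10 added to struct user_pass, but the 36-line background command the patch adds at `@@ -878,6 +896,42 @@` is outside this hunk, so I cannot see whether it treats `up.response` the same way as `up.password`. The hunk's context line `plugin_secure_memzero(up.password, sizeof(up.password));` shows the existing pattern; if the new case copies the struct or holds it across the deferred wait, it should presumably clear the response on the same paths with `plugin_secure_memzero(up.response, sizeof(up.response));` — confirm against the full patch. It is also worth checking that the `@@ -43,6 +43,7 @@` include hunk at the top of the patch brings in `<limits.h>` for PATH_MAX, since the include names are not legible in this rendering.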
@@ -148,10 +148,10 @@ index 54471a3..a2d509f 100644 + return OPENVPN_PLUGIN_FUNC_ERROR; + } +} -diff --git a/src/plugins/auth-pam/auth-pam.exports b/src/plugins/auth-pam/auth-pam.exports -index 597e33f..b304ff4 100644 ---- a/src/plugins/auth-pam/auth-pam.exports -+++ b/src/plugins/auth-pam/auth-pam.exports +Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports +=================================================================== +--- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.exports ++++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports @@ -1,4 +1,5 @@ openvpn_plugin_open_v3 openvpn_plugin_func_v1 diff --git a/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch b/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch index 04ab6d3..5617349 100644 --- a/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch +++ b/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch @@ -1,8 +1,8 @@ -diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c -index ff0f9a7..fb27b36 100644 ---- a/src/openvpn/crypto.c -+++ b/src/openvpn/crypto.c -@@ -118,7 +118,7 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, +Index: openvpn-2.4.10/src/openvpn/crypto.c +=================================================================== +--- openvpn-2.4.10.orig/src/openvpn/crypto.c ++++ openvpn-2.4.10/src/openvpn/crypto.c +@@ -118,7 +118,7 @@ openvpn_encrypt_aead(struct buffer *buf, dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); /* Buffer overflow check */ @@ -11,7 +11,7 @@ index ff0f9a7..fb27b36 100644 { msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d", -@@ -237,7 +237,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work, +@@ -237,7 +237,7 @@ openvpn_encrypt_v1(struct buffer *buf, s ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf)); /* Buffer overflow check */ 
@@ -20,7 +20,7 @@ index ff0f9a7..fb27b36 100644 { msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d", buf->capacity, -@@ -378,7 +378,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, +@@ -378,7 +378,7 @@ openvpn_decrypt_aead(struct buffer *buf, const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher); uint8_t *tag_ptr = NULL; int tag_size = 0; @@ -29,7 +29,7 @@ index ff0f9a7..fb27b36 100644 struct gc_arena gc; gc_init(&gc); -@@ -455,7 +455,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, +@@ -455,7 +455,7 @@ openvpn_decrypt_aead(struct buffer *buf, dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc)); /* Buffer overflow check (should never fail) */ @@ -38,7 +38,7 @@ index ff0f9a7..fb27b36 100644 { CRYPT_ERROR("potential buffer overflow"); } -@@ -601,7 +601,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work, +@@ -601,7 +601,7 @@ openvpn_decrypt_v1(struct buffer *buf, s } /* Buffer overflow check (should never happen) */ @@ -47,10 +47,10 @@ index ff0f9a7..fb27b36 100644 { CRYPT_ERROR("potential buffer overflow"); } -diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h -index 60a2812..c191695 100644 ---- a/src/openvpn/crypto_openssl.h -+++ b/src/openvpn/crypto_openssl.h +Index: openvpn-2.4.10/src/openvpn/crypto_openssl.h +=================================================================== +--- openvpn-2.4.10.orig/src/openvpn/crypto_openssl.h ++++ openvpn-2.4.10/src/openvpn/crypto_openssl.h @@ -52,6 +52,9 @@ typedef HMAC_CTX hmac_ctx_t; /** Maximum length of an IV */ #define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH 
@@ -61,11 +61,11 @@ index 60a2812..c191695 100644 /** Cipher is in CBC mode */ #define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE -diff --git a/src/openvpn/init.c b/src/openvpn/init.c -index 0652ef4..9fa3352 100644 ---- a/src/openvpn/init.c -+++ b/src/openvpn/init.c -@@ -3067,8 +3067,8 @@ init_context_buffers(const struct frame *frame) +Index: openvpn-2.4.10/src/openvpn/init.c +=================================================================== +--- openvpn-2.4.10.orig/src/openvpn/init.c ++++ openvpn-2.4.10/src/openvpn/init.c +@@ -3215,8 +3215,8 @@ init_context_buffers(const struct frame b->aux_buf = alloc_buf(BUF_SIZE(frame)); #ifdef ENABLE_CRYPTO @@ -76,10 +76,10 @@ index 0652ef4..9fa3352 100644 #endif #ifdef USE_COMP -diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c -index 7a737ea..592bd97 100644 ---- a/src/openvpn/proxy.c -+++ b/src/openvpn/proxy.c +Index: openvpn-2.4.10/src/openvpn/proxy.c +=================================================================== +--- openvpn-2.4.10.orig/src/openvpn/proxy.c ++++ openvpn-2.4.10/src/openvpn/proxy.c @@ -73,6 +73,9 @@ recv_line(socket_descriptor_t sd, struct buffer la; int lastc = 0; @@ -90,7 +90,7 @@ index 7a737ea..592bd97 100644 CLEAR(la); if (lookahead) { -@@ -311,11 +314,11 @@ get_proxy_authenticate(socket_descriptor_t sd, +@@ -321,11 +324,11 @@ get_proxy_authenticate(socket_descriptor struct gc_arena *gc, volatile int *signal_received) { @@ -104,7 +104,7 @@ index 7a737ea..592bd97 100644 { free(*data); *data = NULL; -@@ -631,9 +634,9 @@ establish_http_proxy_passthru(struct http_proxy_info *p, +@@ -641,9 +644,9 @@ establish_http_proxy_passthru(struct htt volatile int *signal_received) { struct gc_arena gc = gc_new(); @@ -117,7 +117,7 @@ index 7a737ea..592bd97 100644 int status; int nparms; bool ret = false; -@@ -723,7 +726,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p, +@@ -733,7 +736,8 @@ establish_http_proxy_passthru(struct htt } /* receive reply from proxy */ 
@@ -127,7 +127,7 @@ index 7a737ea..592bd97 100644 { goto error; } -@@ -754,7 +758,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p, +@@ -764,7 +768,8 @@ establish_http_proxy_passthru(struct htt while (true) { @@ -137,7 +137,7 @@ index 7a737ea..592bd97 100644 { goto error; } -@@ -834,7 +839,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p, +@@ -844,7 +849,8 @@ establish_http_proxy_passthru(struct htt } /* receive reply from proxy */ @@ -147,7 +147,7 @@ index 7a737ea..592bd97 100644 { goto error; } -@@ -959,7 +965,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p, +@@ -969,7 +975,8 @@ establish_http_proxy_passthru(struct htt } /* receive reply from proxy */ @@ -157,11 +157,11 @@ index 7a737ea..592bd97 100644 { goto error; } -diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c -index 4e7e3f9..93ea889 100644 ---- a/src/openvpn/socket.c -+++ b/src/openvpn/socket.c -@@ -1162,6 +1162,9 @@ socket_listen_accept(socket_descriptor_t sd, +Index: openvpn-2.4.10/src/openvpn/socket.c +=================================================================== +--- openvpn-2.4.10.orig/src/openvpn/socket.c ++++ openvpn-2.4.10/src/openvpn/socket.c +@@ -1278,6 +1278,9 @@ socket_listen_accept(socket_descriptor_t /* struct openvpn_sockaddr *remote = &act->dest; */ struct openvpn_sockaddr remote_verify = act->dest; socket_descriptor_t new_sd = SOCKET_UNDEFINED; @@ -171,7 +171,7 @@ index 4e7e3f9..93ea889 100644 CLEAR(*act); socket_do_listen(sd, local, do_listen, true); -@@ -1314,6 +1317,9 @@ openvpn_connect(socket_descriptor_t sd, +@@ -1428,6 +1431,9 @@ openvpn_connect(socket_descriptor_t sd, { int status = 0; 
@@ -181,11 +181,11 @@ index 4e7e3f9..93ea889 100644 #ifdef TARGET_ANDROID protect_fd_nonlocal(sd, remote); #endif -diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c -index 92747ec..f8e02a4 100644 ---- a/src/openvpn/socks.c -+++ b/src/openvpn/socks.c -@@ -98,13 +98,16 @@ socks_username_password_auth(struct socks_proxy_info *p, +Index: openvpn-2.4.10/src/openvpn/socks.c +=================================================================== +--- openvpn-2.4.10.orig/src/openvpn/socks.c ++++ openvpn-2.4.10/src/openvpn/socks.c +@@ -98,13 +98,16 @@ socks_username_password_auth(struct sock socket_descriptor_t sd, volatile int *signal_received) { @@ -204,7 +204,7 @@ index 92747ec..f8e02a4 100644 creds.defined = 0; if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT)) { -@@ -193,7 +196,7 @@ socks_handshake(struct socks_proxy_info *p, +@@ -193,7 +196,7 @@ socks_handshake(struct socks_proxy_info socket_descriptor_t sd, volatile int *signal_received) { @@ -213,7 +213,7 @@ index 92747ec..f8e02a4 100644 int len = 0; const int timeout_sec = 5; ssize_t size; -@@ -205,6 +208,9 @@ socks_handshake(struct socks_proxy_info *p, +@@ -205,6 +208,9 @@ socks_handshake(struct socks_proxy_info method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */ } @@ -227,17 +227,17 @@ index 92747ec..f8e02a4 100644 char atyp = '\0'; int alen = 0; int len = 0; -- char buf[22]; -+ char buf[22] = {0}; +- char buf[270]; /* 4 + alen(max 256) + 2 */ ++ char buf[270] = {0}; /* 4 + alen(max 256) + 2 */ const int timeout_sec = 5; -+ if (sd >= FD_SETSIZE) -+ return false; ++ if (sd >= FD_SETSIZE) ++ return false; + if (addr != NULL) { addr->addr.in4.sin_family = AF_INET; -@@ -395,7 +404,7 @@ recv_socks_reply(socket_descriptor_t sd, +@@ -398,7 +407,7 @@ recv_socks_reply(socket_descriptor_t sd, } /* store char in buffer */ 
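Review bot: The re-indented guard `++ if (sd >= FD_SETSIZE)` / `++ return false;` in the `@@ -227,17 +227,17 @@` hunk is still an unbraced single-statement `if` that returns without any diagnostic, whereas OpenVPN braces every control body and the socks.c failure paths otherwise report through msg(). Since the refresh already touches these two lines, I would write them as `if (sd >= FD_SETSIZE) { msg(D_LINK_ERRORS, "recv_socks_reply: socket descriptor exceeds FD_SETSIZE"); return false; }` so an operator can tell a descriptor-limit failure from a proxy protocol error. The locals atyp/alen/len/timeout_sec suggest this is recv_socks_reply, but the inner hunk header and the rest of the function are outside this outer hunk. The three-line additions this patch makes to socks_handshake (`@@ -205,6 +208,9 @@`), recv_line in proxy.c and the two socket.c functions are not visible here; if they are the same guard they would benefit from the same treatment.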
@@ -246,12 +246,12 @@ index 92747ec..f8e02a4 100644 { buf[len] = c; } -@@ -447,7 +456,7 @@ establish_socks_proxy_passthru(struct socks_proxy_info *p, +@@ -454,7 +463,7 @@ establish_socks_proxy_passthru(struct so const char *servname, /* openvpn server port */ volatile int *signal_received) { -- char buf[128]; -+ char buf[128] = {0}; +- char buf[270]; ++ char buf[270] = {0}; size_t len; if (!socks_handshake(p, sd, signal_received)) diff --git a/openvpn-2.4.10.tar.xz b/openvpn-2.4.10.tar.xz new file mode 100644 index 0000000..d4f2a07 --- /dev/null +++ b/openvpn-2.4.10.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf285395a679f0b68c0acde2cb2480e8ead6ca07ff14c1bc52ae65a1243aa377 +size 968852 diff --git a/openvpn-2.4.10.tar.xz.asc b/openvpn-2.4.10.tar.xz.asc new file mode 100644 index 0000000..7a8fea9 --- /dev/null +++ b/openvpn-2.4.10.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEMz1GMGz52fH2MNuNlq7ECABda7QFAl/QtjUACgkQlq7ECABd +a7TxvA//QFhMZIu0BupMkZurkad3N7bRrQmtelA1LGEgTuq6Jfj20bVf7cfZQrLl +rbM6L7s+JGPJlDjL0jzl1Xzphbu3kv2M9KViQ/T8jaNbusnDlggAVA1A0FTD3dKh +TGJtzyugq4X9KpCxWxTmT2yKz5RmDBxwYTS2cYbDB8WVhIUDUJuY1tGoLzV3NgPs +jLtUCUlD5if83CebyP0S1w9NbIUYlCtChjLJeV5RFfUh0ZeyvahDT6nmIempt71O +lWeR+DZt9t0x8MyKYN2r+1N+udRJ4enSeD/2TY5V4aKhITV9lT5fb5em2MUUJ1u3 +imAeUfCHRN1iB0IiPYZ9OVOhzxhoGLKGPRVau93R0srl3RZKJoiDsenCGDghgdNq +9awTlgwwrHgtS9NqL4SYU/LqkBB75Z8L8PsQPviY0MU13tM7ezYNveuyLv1D9ArV ++yeBb9Vqs1jPLGjUstskhrgiRMgfIk7EmGxpf/ddxZnlbSW6UFE0xKOJru6LXM9y +ue3S5buqzdAb1AuIJ6a2PKC1Xj+FIGQ4tnuQQUeMzTePzoudn18IPjYl8jWUJjkd +SzjpI77QZAidgxhxHG0iKdbjfrswk2/e1QzoY6EQIcU/e1//5Es4C438IOwrIay1 +MqOPskZF1sVU1LkrGxElfDFqRIiyCPxVX9HInQaNOF0VKCi2gD0= +=s0Nr +-----END PGP SIGNATURE----- diff --git a/openvpn-2.4.9.tar.xz b/openvpn-2.4.9.tar.xz deleted file mode 100644 index fdfd85b..0000000 --- a/openvpn-2.4.9.tar.xz +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
-size 954264
diff --git a/openvpn-2.4.9.tar.xz.asc b/openvpn-2.4.9.tar.xz.asc
deleted file mode 100644
index 99ac29b..0000000
--- a/openvpn-2.4.9.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEMz1GMGz52fH2MNuNlq7ECABda7QFAl6ZkJ8ACgkQlq7ECABd
-a7T5zRAAnUqzN0R2i7labvsLPmUJp2Rs46DZobZXRwVki1gatWAt3r8hcQqEPuXu
-ND3/P74ZThoQvSjDauWHyjKPYNZ6pEpv8Wf5tTeNOJyMAkY8ChiEC5SyIckLslT/
-sUSD8YKozjcOXKCdhLSAPILNSd9mXxnUuAsW5/JNbFeWIKT7KsFJOaTgZiJenCX1
-ks7LRUF0EBZzRcRt+5j3Qb//VGrIqqHX8I0NaC6qGg9N1kLKiX9ZiYjXwoon9Ggb
-4PrrjccKhQ5WtrC3VwIPFnjk2xpcYu2JBIIfvt3sLIszPUwj2MbPEsr4A9Dtqst0
-MaKWQE8P5qZgsuitDfyNLs0xvLG7AdVJyBGULKnRZo87kxvtLUNkytaW2or8Xu4Z
-NRSL0iOREyCc0+IjkOgsbdTIFv1QNqpJWfGFuW5R9V068dIgP2XcoTu4duUH6nK4
-td1UUz9j+csRSZGVBjiar0IZygPaqnIq4okARrzgL1Ue5PR6mMU75rWffVednM+t
-SWfQRf9UVOjo/5C3Djw8djcUG7sFxZ8hUct/D921fewwmAQYI+ShoIV3CneJ45Ek
-S3RHwRlklCuExVWcxnaAN5kdOuA743BCYtWwZF7TyvfW9S+xqrvyK5nkvrEeCmWb
-Cb9KMMOVKb52onMQ7cIyg0TDn5UP24O5FB7nvIahDI9RFEaeC2s=
-=f3TL
------END PGP SIGNATURE-----
diff --git a/openvpn.changes b/openvpn.changes
index b5ab7cc..e8d2c1f 100644
--- a/openvpn.changes
+++ b/openvpn.changes
@@ -1,3 +1,31 @@ +------------------------------------------------------------------- +Wed Jan 6 17:15:13 UTC 2021 - Dirk Müller + +- update to 2.4.10: + - OpenVPN client will now announce the acceptable ciphers to the server + (IV_CIPHER=...), so NCP cipher negotiation works better + - Parse static challenge response in auth-pam plugin + - Accept empty password and/or response in auth-pam plugin + - Log serial number of revoked certificate + - Fix tls_ctx_client/server_new leaving error on OpenSSL error stack + - Fix auth-token not being updated if auth-nocache is set + (this should fix all remaining client-side bugs for the combination + "auth-nocache in client-config" + "auth-token in use on the server") + - Fix stack overflow in OpenSolaris and *BSD NEXTADDR() + - Fix error detection / abort in --inetd corner case (#350) + - Fix TUNSETGROUP compatibility with very old Linux systems (#1152) + - Fix handling of 'route remote_host' for IPv6 transport case + (#1247 and #1332) + - Fix --show-gateway for IPv6 on NetBSD/i386 (#734) + - A number of documentation improvements / clarification fixes. + - Fix line number reporting on config file errors after segments + - Fix fatal error at switching remotes (#629) + - socks.c: fix alen for DOMAIN type addresses, bump up buffer sizes (#848) + - Switch "ks->authenticated" assertion failure to returning false (#1270) + +- refresh 0001-preform-deferred-authentication-in-the-background.patch + openvpn-2.3.x-fixed-multiple-low-severity-issues.patch against 2.4.10 + ------------------------------------------------------------------- Fri Sep 11 11:52:54 UTC 2020 - Dirk Mueller diff --git a/openvpn.spec b/openvpn.spec index 398468b..2444830 100644 --- a/openvpn.spec +++ b/openvpn.spec 
@@ -1,7 +1,7 @@ # # spec file for package openvpn # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ %define _rundir %{_localstatedir}/run %endif Name: openvpn -Version: 2.4.9 +Version: 2.4.10 Release: 0 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface License: SUSE-GPL-2.0-with-openssl-exception AND LGPL-2.1-only