Accepting request 443666 from home:stroeder:branches:network:vpn
- update to 2.3.13 - successfully tested as VPN client on TW x86_64 - please review FIPS patch update carefully OBS-URL: https://build.opensuse.org/request/show/443666 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=111
This commit is contained in:
parent
71dd389b3e
commit
ce8599bf09
@ -1,11 +0,0 @@
|
||||
--- doc/openvpn.8
|
||||
+++ doc/openvpn.8
|
||||
@@ -21,7 +21,7 @@
|
||||
.\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
.\"
|
||||
.\" Manual page for openvpn
|
||||
-.\
|
||||
+.\"
|
||||
.\" SH section heading
|
||||
.\" SS subsection heading
|
||||
.\" LP paragraph
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7
|
||||
size 833496
|
@ -1,7 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iEYEABECAAYFAlcxenoACgkQwp2X7RmNIqOn3wCeP9QB36A5JwmBIYihnWS6v/p4
|
||||
XikAn1YoYlNJMcL2Tnnu30GKWULkbyov
|
||||
=LkUj
|
||||
-----END PGP SIGNATURE-----
|
3
openvpn-2.3.13.tar.xz
Normal file
3
openvpn-2.3.13.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0
|
||||
size 829484
|
7
openvpn-2.3.13.tar.xz.asc
Normal file
7
openvpn-2.3.13.tar.xz.asc
Normal file
@ -0,0 +1,7 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
Version: GnuPG v1
|
||||
|
||||
iEYEABECAAYFAlgbEocACgkQwp2X7RmNIqOSJwCfQVrcS2k/XC71G1H8ABMQpPrS
|
||||
MvAAn3TdER/TEpi82whq3SLABg8wTNuz
|
||||
=Zf4E
|
||||
-----END PGP SIGNATURE-----
|
@ -272,9 +272,27 @@
|
||||
o->ciphername_defined = true;
|
||||
o->authname = "SHA1";
|
||||
o->authname_defined = true;
|
||||
--- openvpn-2.3.2/src/openvpn/push.c
|
||||
+++ openvpn-2.3.2/src/openvpn/push.c 2015/02/19 09:15:02
|
||||
@@ -446,10 +446,10 @@ process_incoming_push_msg (struct contex
|
||||
--- openvpn-2.3.13.orig/src/openvpn/push.c
|
||||
+++ openvpn-2.3.13/src/openvpn/push.c 2016-12-03 22:57:58.198398996 +0100
|
||||
@@ -408,7 +408,7 @@
|
||||
#endif
|
||||
|
||||
static void
|
||||
-push_update_digest(struct md5_state *ctx, struct buffer *buf)
|
||||
+push_update_digest(struct sha1_state *ctx, struct buffer *buf)
|
||||
{
|
||||
char line[OPTION_PARM_SIZE];
|
||||
while (buf_parse (buf, ',', line, sizeof (line)))
|
||||
@@ -416,7 +416,7 @@
|
||||
/* peer-id might change on restart and this should not trigger reopening tun */
|
||||
if (strstr (line, "peer-id ") != line)
|
||||
{
|
||||
- md5_state_update (ctx, line, strlen(line));
|
||||
+ sha1_state_update (ctx, line, strlen(line));
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -472,10 +472,10 @@
|
||||
if (ch == ',')
|
||||
{
|
||||
struct buffer buf_orig = buf;
|
||||
@ -288,24 +306,17 @@
|
||||
}
|
||||
if (!c->c2.did_pre_pull_restore)
|
||||
{
|
||||
@@ -465,13 +465,13 @@ process_incoming_push_msg (struct contex
|
||||
{
|
||||
case 0:
|
||||
case 1:
|
||||
- md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
|
||||
- md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
|
||||
- c->c2.pulled_options_md5_init_done = false;
|
||||
+ sha1_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
|
||||
+ sha1_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
|
||||
+ c->c2.pulled_options_sha1_init_done = false;
|
||||
ret = PUSH_MSG_REPLY;
|
||||
break;
|
||||
case 2:
|
||||
- md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
|
||||
+ sha1_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
|
||||
ret = PUSH_MSG_CONTINUATION;
|
||||
break;
|
||||
}
|
||||
@@ -493,8 +493,8 @@
|
||||
{
|
||||
case 0:
|
||||
case 1:
|
||||
- md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
|
||||
- c->c2.pulled_options_md5_init_done = false;
|
||||
+ sha1_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
|
||||
+ c->c2.pulled_options_sha1_init_done = false;
|
||||
ret = PUSH_MSG_REPLY;
|
||||
break;
|
||||
case 2:
|
||||
--- openvpn-2.3.2/src/openvpn/ssl.c
|
||||
+++ openvpn-2.3.2/src/openvpn/ssl.c 2015/02/19 09:15:02
|
||||
@@ -1342,8 +1342,8 @@ tls1_P_hash(const md_kt_t *md_kt,
|
||||
|
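Review bot: The declarations that the `md5_state_*` → `sha1_state_*` switch in push.c depends on are not in the visible hunks, so the renamed flag `pulled_options_sha1_init_done` (set to false at the `case 0:`/`case 1:` branches in both `@@ -472,10 +472,10 @@` and `@@ -493,8 +493,8 @@`) and the types of `c->c2.pulled_options_state` / `c->c2.pulled_options_digest` cannot be checked here for consistency with wherever the struct is declared and the `*_state_init` call that sets the flag; please confirm those parts of the updated patch were regenerated together with these hunks. If `pulled_options_digest` is still declared with an MD5-sized buffer while `sha1_state_final` now writes a SHA-1 digest, the final write would overrun that field inside `struct context`, and any `memcmp` over the digest used for restart detection would compare the wrong length, so the digest storage and compare length should be sized for SHA-1 in the same patch. The `push_update_digest` hunk at `@@ -408,7 +408,7 @@` targets a function that is new in 2.3.13 (changelog: "Exclude peer-id from pulled options digest"), so it is the part of the carried patch with no prior testing history; a build with FIPS mode enabled that exercises a push-reply with `peer-id` would confirm it, as the commit message asks. The enclosing `process_incoming_push_msg` function starts and ends outside the hunks shown.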
@ -1,35 +0,0 @@
|
||||
From: Andreas Stieger <astieger@suse.com>
|
||||
Date: Thu, 08 Sep 2016 15:23:12 +0200
|
||||
Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file
|
||||
References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00
|
||||
Upstream: no
|
||||
|
||||
The 2.3 default is blowfish which does not work in FIPS mode.
|
||||
This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode.
|
||||
|
||||
Index: openvpn-2.3.8/sample/sample-config-files/client.conf
|
||||
===================================================================
|
||||
--- openvpn-2.3.8.orig/sample/sample-config-files/client.conf 2015-07-17 07:43:32.000000000 +0200
|
||||
+++ openvpn-2.3.8/sample/sample-config-files/client.conf 2016-09-08 15:12:32.650248879 +0200
|
||||
@@ -111,6 +111,8 @@ remote-cert-tls server
|
||||
# If the cipher option is used on the server
|
||||
# then you must also specify it here.
|
||||
;cipher x
|
||||
+# Use a FIPS 140-2 approved cipher in FIPS mode
|
||||
+;cipher AES-256-CBC # AES-256
|
||||
|
||||
# Enable compression on the VPN link.
|
||||
# Don't enable this unless it is also
|
||||
Index: openvpn-2.3.8/sample/sample-config-files/server.conf
|
||||
===================================================================
|
||||
--- openvpn-2.3.8.orig/sample/sample-config-files/server.conf 2015-07-17 07:43:32.000000000 +0200
|
||||
+++ openvpn-2.3.8/sample/sample-config-files/server.conf 2016-09-08 15:11:55.869874892 +0200
|
||||
@@ -249,6 +249,8 @@ keepalive 10 120
|
||||
;cipher BF-CBC # Blowfish (default)
|
||||
;cipher AES-128-CBC # AES
|
||||
;cipher DES-EDE3-CBC # Triple-DES
|
||||
+# Use a FIPS 140-2 approved cipher in FIPS mode
|
||||
+;cipher AES-256-CBC # AES-256
|
||||
|
||||
# Enable compression on the VPN link.
|
||||
# If you enable it here, you must also
|
@ -1,3 +1,75 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat Dec 3 21:26:52 UTC 2016 - michael@stroeder.com
|
||||
|
||||
- update to 2.3.13
|
||||
- removed obsolete patch files openvpn-2.3.0-man-dot.diff and
|
||||
openvpn-fips140-AES-cipher-in-config-template.patch
|
||||
|
||||
2016.11.02 -- Version 2.3.13
|
||||
Arne Schwabe (2):
|
||||
* Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
|
||||
* Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
|
||||
David Sommerseth (4):
|
||||
* t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
|
||||
* t_client.sh: Add support for Kerberos/ksu
|
||||
* t_client.sh: Improve detection if the OpenVPN process did start during tests
|
||||
* t_client.sh: Add prepare/cleanup possibilties for each test case
|
||||
Gert Doering (5):
|
||||
* Do not abort t_client run if OpenVPN instance does not start.
|
||||
* Fix t_client runs on OpenSolaris
|
||||
* make t_client robust against sudoers misconfiguration
|
||||
* add POSTINIT_CMD_suf to t_client.sh and sample config
|
||||
* Fix --multihome for IPv6 on 64bit BSD systems.
|
||||
Ilya Shipitsin (1):
|
||||
* skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
|
||||
Lev Stipakov (2):
|
||||
* Exclude peer-id from pulled options digest
|
||||
* Fix compilation in pedantic mode
|
||||
Samuli Seppänen (1):
|
||||
* Automatically cache expected IPs for t_client.sh on the first run
|
||||
Steffan Karger (6):
|
||||
* Fix unittests for out-of-source builds
|
||||
* Make gnu89 support explicit
|
||||
* cleanup: remove code duplication in msg_test()
|
||||
* Update cipher-related man page text
|
||||
* Limit --reneg-bytes to 64MB when using small block ciphers
|
||||
* Add a revoked cert to the sample keys
|
||||
|
||||
2016.08.23 -- Version 2.3.12
|
||||
Arne Schwabe (2):
|
||||
* Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
|
||||
* Move ASSERT so external-key with OpenSSL works again
|
||||
David Sommerseth (3):
|
||||
* Only build and run cmocka unit tests if its submodule is initialized
|
||||
* Another fix related to unit test framework
|
||||
* Remove NOP function and callers
|
||||
Dorian Harmans (1):
|
||||
* Add CHACHA20-POLY1305 ciphersuite IANA name translations.
|
||||
Ivo Manca (1):
|
||||
* Plug memory leak in mbedTLS backend
|
||||
Jeffrey Cutter (1):
|
||||
* Update contrib/pull-resolv-conf/client.up for no DOMAIN
|
||||
Jens Neuhalfen (2):
|
||||
* Add unit testing support via cmocka
|
||||
* Add a test for auth-pam searchandreplace
|
||||
Josh Cepek (1):
|
||||
* Push an IPv6 CIDR mask used by the server, not the pool's size
|
||||
Leon Klingele (1):
|
||||
* Add link to bug tracker
|
||||
Samuli Seppänen (2):
|
||||
* Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
|
||||
* Clarify the fact that build instructions in README are for release tarballs
|
||||
Selva Nair (4):
|
||||
* Make error non-fatal while deleting address using netsh
|
||||
* Make block-outside-dns work with persist-tun
|
||||
* Ignore SIGUSR1/SIGHUP during exit notification
|
||||
* Promptly close the netcmd_semaphore handle after use
|
||||
Steffan Karger (4):
|
||||
* Fix polarssl / mbedtls builds
|
||||
* Don't limit max incoming message size based on c2->frame
|
||||
* Fix '--cipher none --cipher' crash
|
||||
* Discourage using 64-bit block ciphers
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 28 16:33:34 UTC 2016 - matwey.kornilov@gmail.com
|
||||
|
||||
|
@ -32,7 +32,7 @@ Url: http://openvpn.net/
|
||||
%else
|
||||
PreReq: %insserv_prereq %fillup_prereq
|
||||
%endif
|
||||
Version: 2.3.11
|
||||
Version: 2.3.13
|
||||
Release: 0
|
||||
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
|
||||
License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1
|
||||
@ -50,9 +50,7 @@ Source9: %{name}.target
|
||||
Source10: %{name}-tmpfile.conf
|
||||
Source11: rc%{name}
|
||||
Patch1: %{name}-2.3-plugin-man.dif
|
||||
Patch5: %{name}-2.3.0-man-dot.diff
|
||||
Patch6: %{name}-fips140-2.3.2.patch
|
||||
Patch7: openvpn-fips140-AES-cipher-in-config-template.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||
BuildRequires: iproute2
|
||||
BuildRequires: lzo-devel
|
||||
@ -136,9 +134,7 @@ This package provides the header file to build external plugins.
|
||||
%prep
|
||||
%setup -q -n %{name}-%{version}
|
||||
%patch1 -p0
|
||||
%patch5 -p0
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
|
||||
sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \
|
||||
-i src/openvpn/options.c
|
||||
|