Accepting request 443666 from home:stroeder:branches:network:vpn

- update to 2.3.13
- successfully tested as VPN client on TW x86_64
- please review FIPS patch update carefully

OBS-URL: https://build.opensuse.org/request/show/443666
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=111
Nirmoy Das 2017-01-09 12:13:41 +00:00 committed by Git OBS Bridge
parent 71dd389b3e
commit ce8599bf09
9 changed files with 115 additions and 82 deletions

View File

@ -1,11 +0,0 @@
--- doc/openvpn.8
+++ doc/openvpn.8
@@ -21,7 +21,7 @@
.\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
.\"
.\" Manual page for openvpn
-.\
+.\"
.\" SH section heading
.\" SS subsection heading
.\" LP paragraph
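Review bot: the deleted patch only restores the closing quote of a groff comment line in doc/openvpn.8 (`-.\` becomes `+.\"`), and the changes entry calls it obsolete, but none of the 2.3.13 changelog entries in this commit names a man-page comment fix ("Incorporate the Debian typo fixes where appropriate" is the closest); confirm that doc/openvpn.8 in the 2.3.13 tarball no longer carries the unterminated `.\` line before dropping the patch, otherwise groff will swallow the following line as comment text again.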

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7
size 833496

View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlcxenoACgkQwp2X7RmNIqOn3wCeP9QB36A5JwmBIYihnWS6v/p4
XikAn1YoYlNJMcL2Tnnu30GKWULkbyov
=LkUj
-----END PGP SIGNATURE-----

openvpn-2.3.13.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0
size 829484

View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlgbEocACgkQwp2X7RmNIqOSJwCfQVrcS2k/XC71G1H8ABMQpPrS
MvAAn3TdER/TEpi82whq3SLABg8wTNuz
=Zf4E
-----END PGP SIGNATURE-----
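Review bot: this detached signature (presumably openvpn-2.3.13.tar.xz.asc, replacing the 2.3.11 one removed above) covers the tarball, not the git-lfs pointer, so the review should verify openvpn-2.3.13.tar.xz against it with the OpenVPN release key and then confirm that the tarball's sha256 equals the oid in the pointer (9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0); the spec hunks in this commit show Source9 through Source11 but no keyring source, so unless one exists outside the shown hunks this is a manual step.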

View File

@ -272,9 +272,27 @@
o->ciphername_defined = true;
o->authname = "SHA1";
o->authname_defined = true;
--- openvpn-2.3.2/src/openvpn/push.c
+++ openvpn-2.3.2/src/openvpn/push.c 2015/02/19 09:15:02
@@ -446,10 +446,10 @@ process_incoming_push_msg (struct contex
--- openvpn-2.3.13.orig/src/openvpn/push.c
+++ openvpn-2.3.13/src/openvpn/push.c 2016-12-03 22:57:58.198398996 +0100
@@ -408,7 +408,7 @@
#endif
static void
-push_update_digest(struct md5_state *ctx, struct buffer *buf)
+push_update_digest(struct sha1_state *ctx, struct buffer *buf)
{
char line[OPTION_PARM_SIZE];
while (buf_parse (buf, ',', line, sizeof (line)))
@@ -416,7 +416,7 @@
/* peer-id might change on restart and this should not trigger reopening tun */
if (strstr (line, "peer-id ") != line)
{
- md5_state_update (ctx, line, strlen(line));
+ sha1_state_update (ctx, line, strlen(line));
}
}
}
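Review bot: push_update_digest did not exist when this patch targeted 2.3.2; it comes from the 2.3.13 change "Exclude peer-id from pulled options digest" listed in the changelog of this commit, so the rebase now has to swap its struct md5_state parameter and the md5_state_update call to the sha1 variants, and the upstream `strstr (line, "peer-id ") != line` exclusion must stay as context. Check that the sha1_state type and sha1_state_update/sha1_state_final exist in the crypto backend (they are not defined in any hunk shown here) and that every caller of push_update_digest now passes a struct sha1_state, otherwise this only moves the MD5 dependency rather than removing it for FIPS mode.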
@@ -472,10 +472,10 @@
if (ch == ',')
{
struct buffer buf_orig = buf;
@ -288,24 +306,17 @@
}
if (!c->c2.did_pre_pull_restore)
{
@@ -465,13 +465,13 @@ process_incoming_push_msg (struct contex
{
case 0:
case 1:
- md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
- md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
- c->c2.pulled_options_md5_init_done = false;
+ sha1_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
+ sha1_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
+ c->c2.pulled_options_sha1_init_done = false;
ret = PUSH_MSG_REPLY;
break;
case 2:
- md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
+ sha1_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
ret = PUSH_MSG_CONTINUATION;
break;
}
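Review bot: sha1_state_final writes into c->c2.pulled_options_digest, whose declaration is not in the hunks shown; if that field is still declared with the MD5 digest size (16 bytes), SHA-1's 20-byte output overruns it. Likewise the rename of pulled_options_md5_init_done to pulled_options_sha1_init_done and the sha1_state_update on c->c2.pulled_options_state need matching changes in the struct context_2 declaration and wherever the state is initialised; confirm the rest of the patch covers those before accepting, since the request message asks for exactly this careful review.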
@@ -493,8 +493,8 @@
{
case 0:
case 1:
- md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
- c->c2.pulled_options_md5_init_done = false;
+ sha1_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
+ c->c2.pulled_options_sha1_init_done = false;
ret = PUSH_MSG_REPLY;
break;
case 2:
--- openvpn-2.3.2/src/openvpn/ssl.c
+++ openvpn-2.3.2/src/openvpn/ssl.c 2015/02/19 09:15:02
@@ -1342,8 +1342,8 @@ tls1_P_hash(const md_kt_t *md_kt,
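Review bot: the trailing context shows the ssl.c part of the patch still carrying openvpn-2.3.2 headers with the 2015/02/19 timestamp while the push.c part was regenerated against openvpn-2.3.13.orig/; with `%patch6 -p1` both prefixes strip to src/openvpn/..., so the patch applies, but the tls1_P_hash hunk at `@@ -1342,8 +1342,8 @@` was not re-diffed and should be checked to apply without fuzz against 2.3.13, and the headers regenerated consistently so the next rebase does not have to guess which parts were touched.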

View File

@ -1,35 +0,0 @@
From: Andreas Stieger <astieger@suse.com>
Date: Thu, 08 Sep 2016 15:23:12 +0200
Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file
References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00
Upstream: no
The 2.3 default is blowfish which does not work in FIPS mode.
This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode.
Index: openvpn-2.3.8/sample/sample-config-files/client.conf
===================================================================
--- openvpn-2.3.8.orig/sample/sample-config-files/client.conf 2015-07-17 07:43:32.000000000 +0200
+++ openvpn-2.3.8/sample/sample-config-files/client.conf 2016-09-08 15:12:32.650248879 +0200
@@ -111,6 +111,8 @@ remote-cert-tls server
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
+# Use a FIPS 140-2 approved cipher in FIPS mode
+;cipher AES-256-CBC # AES-256
# Enable compression on the VPN link.
# Don't enable this unless it is also
Index: openvpn-2.3.8/sample/sample-config-files/server.conf
===================================================================
--- openvpn-2.3.8.orig/sample/sample-config-files/server.conf 2015-07-17 07:43:32.000000000 +0200
+++ openvpn-2.3.8/sample/sample-config-files/server.conf 2016-09-08 15:11:55.869874892 +0200
@@ -249,6 +249,8 @@ keepalive 10 120
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
+# Use a FIPS 140-2 approved cipher in FIPS mode
+;cipher AES-256-CBC # AES-256
# Enable compression on the VPN link.
# If you enable it here, you must also
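Review bot: dropping this patch is consistent with the 2.3.13 entry "Use AES ciphers in our sample configuration files and add a few modern 2.4 examples" in the changelog below, which the patch header itself anticipates ("This change was done in 2.4"); however the patch carries the bsc#988522 reference, and the changes entry that removes it should cite that bug so the fix remains traceable from the package history, and the sample files in 2.3.13 should be spot-checked to confirm they indeed no longer list BF-CBC as the default cipher example for FIPS deployments.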

View File

@ -1,3 +1,75 @@
-------------------------------------------------------------------
Sat Dec 3 21:26:52 UTC 2016 - michael@stroeder.com
- update to 2.3.13
- removed obsolete patch files openvpn-2.3.0-man-dot.diff and
openvpn-fips140-AES-cipher-in-config-template.patch
2016.11.02 -- Version 2.3.13
Arne Schwabe (2):
* Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
* Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
David Sommerseth (4):
* t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
* t_client.sh: Add support for Kerberos/ksu
* t_client.sh: Improve detection if the OpenVPN process did start during tests
* t_client.sh: Add prepare/cleanup possibilties for each test case
Gert Doering (5):
* Do not abort t_client run if OpenVPN instance does not start.
* Fix t_client runs on OpenSolaris
* make t_client robust against sudoers misconfiguration
* add POSTINIT_CMD_suf to t_client.sh and sample config
* Fix --multihome for IPv6 on 64bit BSD systems.
Ilya Shipitsin (1):
* skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
Lev Stipakov (2):
* Exclude peer-id from pulled options digest
* Fix compilation in pedantic mode
Samuli Seppänen (1):
* Automatically cache expected IPs for t_client.sh on the first run
Steffan Karger (6):
* Fix unittests for out-of-source builds
* Make gnu89 support explicit
* cleanup: remove code duplication in msg_test()
* Update cipher-related man page text
* Limit --reneg-bytes to 64MB when using small block ciphers
* Add a revoked cert to the sample keys
2016.08.23 -- Version 2.3.12
Arne Schwabe (2):
* Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
* Move ASSERT so external-key with OpenSSL works again
David Sommerseth (3):
* Only build and run cmocka unit tests if its submodule is initialized
* Another fix related to unit test framework
* Remove NOP function and callers
Dorian Harmans (1):
* Add CHACHA20-POLY1305 ciphersuite IANA name translations.
Ivo Manca (1):
* Plug memory leak in mbedTLS backend
Jeffrey Cutter (1):
* Update contrib/pull-resolv-conf/client.up for no DOMAIN
Jens Neuhalfen (2):
* Add unit testing support via cmocka
* Add a test for auth-pam searchandreplace
Josh Cepek (1):
* Push an IPv6 CIDR mask used by the server, not the pool's size
Leon Klingele (1):
* Add link to bug tracker
Samuli Seppänen (2):
* Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
* Clarify the fact that build instructions in README are for release tarballs
Selva Nair (4):
* Make error non-fatal while deleting address using netsh
* Make block-outside-dns work with persist-tun
* Ignore SIGUSR1/SIGHUP during exit notification
* Promptly close the netcmd_semaphore handle after use
Steffan Karger (4):
* Fix polarssl / mbedtls builds
* Don't limit max incoming message size based on c2->frame
* Fix '--cipher none --cipher' crash
* Discourage using 64-bit block ciphers
-------------------------------------------------------------------
Mon Nov 28 16:33:34 UTC 2016 - matwey.kornilov@gmail.com
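Review bot: the new entry records the two removed patches but not the rebase of openvpn-fips140-2.3.2.patch onto 2.3.13 (pulled-options digest in push.c switched from md5_state to sha1_state because of the upstream "Exclude peer-id from pulled options digest" change listed here), which the request message explicitly flags for careful review; add a line for it, and cite bsc#988522 for the dropped openvpn-fips140-AES-cipher-in-config-template.patch, which the 2.3.13 entry "Use AES ciphers in our sample configuration files" supersedes. Pasting the full upstream ChangeLog is fine, but the entry should still say in one line which of those items matter for this package (the cipher sample change and the 64-bit block cipher reneg-bytes limit affect FIPS and BF-CBC users).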

View File

@ -32,7 +32,7 @@ Url: http://openvpn.net/
%else
PreReq: %insserv_prereq %fillup_prereq
%endif
Version: 2.3.11
Version: 2.3.13
Release: 0
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1
@ -50,9 +50,7 @@ Source9: %{name}.target
Source10: %{name}-tmpfile.conf
Source11: rc%{name}
Patch1: %{name}-2.3-plugin-man.dif
Patch5: %{name}-2.3.0-man-dot.diff
Patch6: %{name}-fips140-2.3.2.patch
Patch7: openvpn-fips140-AES-cipher-in-config-template.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: iproute2
BuildRequires: lzo-devel
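Review bot: Patch5 and Patch7 are removed together with their %patch5/%patch7 lines in the %prep hunk below, which is consistent; Patch6 keeps the name openvpn-fips140-2.3.2.patch although its content was rebased for 2.3.13 (its push.c headers now reference openvpn-2.3.13/), so either rename it or drop the version from the filename, otherwise the spec suggests the patch is unchanged since 2.3.2 and the next updater will not know it needs re-review.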
@ -136,9 +134,7 @@ This package provides the header file to build external plugins.
%prep
%setup -q -n %{name}-%{version}
%patch1 -p0
%patch5 -p0
%patch6 -p1
%patch7 -p1
sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \
-i src/openvpn/options.c