Accepting request 1082779 from home:msaquib:branches:network:vpn

- update to 2.6.3:
  * For full changelog please refer to:
    https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
  * implement byte counter statistics for DCO Linux (p2mp server
    and client)
  * implement byte counter statistics for DCO Windows (client only)
  * '--dns server <n> address ...' now permits up to 8 v4 or v6
    addresses
  * fix a few cases of possibly undefined behaviour detected by ASAN
  * add more unit tests for Windows cryptoapi interface
  * Dynamic TLS Crypt: when both peers are OpenVPN 2.6.1+, OpenVPN
    will dynamically create a tls-crypt key that is used for
    renegotiation. This ensures that only the previously authenticated
    peer can trigger and complete renegotiations.
  * Keying Material Exporters (RFC 5705) based key generation
  * As part of the cipher negotiation OpenVPN will automatically prefer
    the RFC5705 based key material generation to the current custom
    OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
  * OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
    has been made to check or implement all the requirements/
    recommendations of FIPS 140-2. This just allows OpenVPN to be run on
    a system that has OpenSSL configured in FIPS mode.
  * mlock will now check if enough memlock-able memory has been reserved,
    and if less than 100MB RAM are available, use setrlimit() to upgrade
    the limit. See Trac #1390. Not available on OpenSolaris.
  * The --peer-fingerprint option has been introduced to give users an
    easy to use alternative to tls-verify for matching the fingerprint
    of the peer. The option takes a number of allowed SHA256
    certificate fingerprints.
  * When --peer-fingerprint is used, the --ca and --capath option become

OBS-URL: https://build.opensuse.org/request/show/1082779
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=189
Mohd Saquib 2023-04-25 14:33:17 +00:00 committed by Git OBS Bridge
parent 28504fd594
commit fc90bfc0a8
7 changed files with 87 additions and 145 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8794b7125998c68f30de654267a702b9581454ca1e7061511fcc5f99fea4bd32
size 1840560


@ -1,16 +0,0 @@

openvpn-2.6.3.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:13b207a376d8880507c74ff78aabc3778a9da47c89f1e247dcee3c7237138ff6
size 1860557
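Review bot: the sha256 and size on these two lines are the only integrity record the package keeps for the new tarball, so the review should confirm that the accompanying openvpn-2.6.3.tar.gz.asc verifies against exactly this tarball with the upstream OpenVPN release signing key; the previous tarball's signature is deleted in the same request, so nothing else cross-checks it.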

openvpn-2.6.3.tar.gz.asc Normal file

@ -0,0 +1,16 @@


@ -1,123 +0,0 @@
From a33c0d811ad976561e5cb5bfc8431c1a286e796b Mon Sep 17 00:00:00 2001
From: Nirmoy Das <ndas@suse.de>
Date: Fri, 23 Jun 2017 11:00:08 +0200
Subject: [PATCH] fips-140
Signed-off-by: Nirmoy Das <ndas@suse.de>
---
src/openvpn/crypto.c | 2 +-
src/openvpn/crypto_backend.h | 3 ++-
src/openvpn/crypto_openssl.c | 6 +++++-
src/openvpn/ntlm.c | 2 +-
src/openvpn/options.c | 4 ++++
src/openvpn/ssl.c | 4 ++--
6 files changed, 15 insertions(+), 6 deletions(-)
--- src/openvpn/crypto.c.orig
+++ src/openvpn/crypto.c
@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
if (kt->digest && kt->hmac_length > 0)
{
ctx->hmac = hmac_ctx_new();
- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
+ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
msg(D_HANDSHAKE,
"%s: Using %d bit message hash '%s' for HMAC authentication",
--- src/openvpn/crypto_backend.h.orig
+++ src/openvpn/crypto_backend.h
@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
* @param key The key to use for the HMAC
* @param key_len The key length to use
* @param kt Static message digest parameters
+ * @param prf_use Intended use for PRF in TLS protocol
*
*/
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
- const md_kt_t *kt);
+ const md_kt_t *kt, bool prf_use);
/*
* Free the given HMAC context.
--- src/openvpn/crypto_openssl.c.orig
+++ src/openvpn/crypto_openssl.c
@@ -1008,11 +1008,15 @@ hmac_ctx_free(HMAC_CTX *ctx)
void
hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
- const EVP_MD *kt)
+ const EVP_MD *kt, bool prf_use)
{
ASSERT(NULL != kt && NULL != ctx);
HMAC_CTX_reset(ctx);
+ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
+ * * to be used anywhere else */
+ if(kt == EVP_md5() && prf_use)
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
HMAC_Init_ex(ctx, key, key_len, kt, NULL);
/* make sure we used a big enough key */
--- src/openvpn/ntlm.c.orig
+++ src/openvpn/ntlm.c
@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
const md_kt_t *md5_kt = md_kt_get("MD5");
hmac_ctx_t *hmac_ctx = hmac_ctx_new();
- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
+ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
hmac_ctx_update(hmac_ctx, data, data_len);
hmac_ctx_final(hmac_ctx, result);
hmac_ctx_cleanup(hmac_ctx);
--- src/openvpn/options.c.orig
+++ src/openvpn/options.c
@@ -850,6 +850,10 @@ init_options(struct options *o, const bo
o->tcp_queue_limit = 64;
o->max_clients = 1024;
o->max_routes_per_client = 256;
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode())
+ o->ciphername = "AES-256-CBC";
+#endif
o->stale_routes_check_interval = 0;
o->ifconfig_pool_persist_refresh_freq = 600;
#if P2MP
@@ -3087,6 +3091,12 @@ options_postprocess_cipher(struct option
if (!o->ciphername)
{
o->ciphername = "BF-CBC";
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ {
+ o->ciphername = "AES-256-CBC";
+ }
+#endif
}
return;
}
@@ -3109,6 +3119,12 @@ options_postprocess_cipher(struct option
/* We still need to set the ciphername to BF-CBC since various other
* parts of OpenVPN assert that the ciphername is set */
o->ciphername = "BF-CBC";
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ {
+ o->ciphername = "AES-256-CBC";
+ }
+#endif
}
else if (!o->enable_ncp_fallback
&& !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
--- src/openvpn/ssl.c.orig
+++ src/openvpn/ssl.c
@@ -1661,8 +1661,8 @@ tls1_P_hash(const md_kt_t *md_kt,
int chunk = md_kt_size(md_kt);
unsigned int A1_len = md_kt_size(md_kt);
- hmac_ctx_init(ctx, sec, sec_len, md_kt);
- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
+ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
+ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
hmac_ctx_update(ctx,seed,seed_len);
hmac_ctx_final(ctx, A1);
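Review bot: dropping this patch whole is consistent with the changelog line "OpenVPN will now work with OpenSSL in FIPS mode", and it could not have been carried forward anyway: every added block is guarded by `#ifdef OPENSSL_FIPS`, which OpenSSL 3.0 does not define, and the `FIPS_mode()` / `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` calls it relies on are deprecated no-ops there, so on current distributions the patch was already dead code. Two behaviours do silently disappear with it and deserve a line in the changes entry: the default data cipher is no longer forced to "AES-256-CBC" when the library runs in FIPS mode (2.6 relies on --data-ciphers negotiation instead), and the MD5 exemption for tls1_P_hash() is gone, so a FIPS build now depends on the RFC 5705 keying-material-exporter path listed in the changelog rather than the custom MD5-based PRF shown in the ssl.c hunk.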


@ -1,4 +1,68 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Apr 25 14:02:08 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
- update to 2.6.3:
* For full changelog please refer to:
https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
* implement byte counter statistics for DCO Linux (p2mp server
and client)
* implement byte counter statistics for DCO Windows (client only)
* '--dns server <n> address ...' now permits up to 8 v4 or v6
addresses
* fix a few cases of possibly undefined behaviour detected by ASAN
* add more unit tests for Windows cryptoapi interface
* Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN
will dynamically create a tls-crypt key that is used for
renegotiation. This ensure that only the previously authenticated
peer can do trigger renegotiation and complete renegotiations.
* Keying Material Exporters (RFC 5705) based key generation
* As part of the cipher negotiation OpenVPN will automatically prefer
the RFC5705 based key material generation to the current custom
OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
* OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
has been made to check or implement all the requirements/
recommendation of FIPS 140-2. This just allows OpenVPN to be run on
a system that be configured OpenSSL in FIPS mode.
* mlock will now check if enough memlock-able memory has been reserved,
and if less than 100MB RAM are available, use setrlimit() to upgrade
the limit. See Trac #1390. Not available on OpenSolaris.
* The --peer-fingerprint option has been introduced to give users an
easy to use alternative to the tls-verify for matching the fingerprint
of the peer. The option takes use a number of allowed SHA256
certificate fingerprints.
* When --peer-fingerprint is used, the --ca and --capath option become
optional. This allows for small OpenVPN setups without setting up a
PKI with Easy-RSA or similar software.
* The --auth-user-pass-verify script supports now deferred authentication.
* Both auth plugin and script can now signal pending authentication to
the client when using deferred authentication. The new client-crresponse
script option and OPENVPN_PLUGIN_CLIENT_CRRESPONSE plugin function can
be used to parse a client response to a CR_TEXT two factor challenge.
* The modernisation of defaults can impact the compatibility of OpenVPN
2.6.0 with older peers. The options --compat-mode allows UIs to provide
users with an easy way to still connect to older servers.
* OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not user
visible but improve general compatibility with OpenSSL 3.0.
--tls-cert-profile insecure has been added to allow selecting the lowest
OpenSSL security level (not recommended, use only if you must). OpenSSL
3.0 no longer supports the Blowfish (and other deprecated) algorithm by
default and the new option --providers allows loading the legacy provider
to renable these algorithms.
* Ciphers in --data-ciphers can now be prefixed with a ? to mark those as
optional and only use them if the SSL library supports them.
* The --mssfix and --fragment options now allow an optional mtu parameter to
specify that different overhead for IPv4/IPv6 should taken into account
and the resulting size is specified as the total size of the VPN packets
including IP and UDP headers.
* Instead of allocating a connection for each client on the initial packet
OpenVPN server will now use an HMAC based cookie as its session id. This way
the server can verify it on completing the handshake without keeping state.
This eliminates the amplification and resource exhaustion attacks.
For tls-crypt-v2 clients, this requires OpenVPN 2.6 clients or later because
the client needs to resend its client key on completing the hand shake.
The tls-crypt-v2 option allows controlling if older clients are accepted.
- Removed openvpn-fips140-2.3.2.patch
-------------------------------------------------------------------
Thu Mar 2 07:34:31 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com> Thu Mar 2 07:34:31 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
- update to 2.5.9: - update to 2.5.9:
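Review bot: the "- Removed openvpn-fips140-2.3.2.patch" line should state why, so the drop is traceable from the changelog alone: upstream 2.6 handles OpenSSL FIPS mode itself (the entry above already says so) and the patch's OPENSSL_FIPS / FIPS_mode() guards do nothing with OpenSSL 3.0. Entering the whole 2.6.0 feature list under "update to 2.6.3" is reasonable since the package jumps from 2.5.9, but the items with user-visible compatibility impact (--compat-mode, Blowfish needing the legacy provider via --providers, tls-crypt-v2 clients needing 2.6 for the HMAC session cookie) are what an administrator reading this entry most needs; consider moving them to the top of the entry.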


@ -20,7 +20,7 @@
%define _rundir %{_localstatedir}/run %define _rundir %{_localstatedir}/run
%endif %endif
Name: openvpn Name: openvpn
Version: 2.5.9 Version: 2.6.3
Release: 0 Release: 0
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
License: GPL-2.0-only WITH openvpn-openssl-exception License: GPL-2.0-only WITH openvpn-openssl-exception
@ -37,9 +37,11 @@ Source9: %{name}.target
Source10: %{name}-tmpfile.conf Source10: %{name}-tmpfile.conf
Source11: rc%{name} Source11: rc%{name}
Patch1: %{name}-2.3-plugin-man.dif Patch1: %{name}-2.3-plugin-man.dif
Patch6: %{name}-fips140-2.3.2.patch
BuildRequires: iproute2 BuildRequires: iproute2
BuildRequires: libcap-ng-devel
BuildRequires: liblz4-devel
BuildRequires: libselinux-devel BuildRequires: libselinux-devel
BuildRequires: lz4
BuildRequires: lzo-devel BuildRequires: lzo-devel
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: p11-kit-devel BuildRequires: p11-kit-devel
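Review bot: "BuildRequires: lz4" pulls in the lz4 command-line tool in addition to liblz4-devel; unless the build or the test suite invokes the lz4 binary, only the -devel package is needed and the extra line should be dropped. The new libcap-ng-devel dependency is not mentioned in the changes entry; a short note on what it is for (presumably the Linux DCO support listed in the changelog) would help future reviewers, and if it is for DCO the matching libnl-genl build dependency should be checked as well.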
@ -116,7 +118,6 @@ This package provides the header file to build external plugins.
%prep %prep
%setup -q %setup -q
%patch1 %patch1
%patch6
sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \ sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
-i src/openvpn/options.c -i src/openvpn/options.c