diff --git a/openvpn-2.5.9.tar.gz b/openvpn-2.5.9.tar.gz deleted file mode 100644 index 6c6da55..0000000 --- a/openvpn-2.5.9.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8794b7125998c68f30de654267a702b9581454ca1e7061511fcc5f99fea4bd32 -size 1840560 diff --git a/openvpn-2.5.9.tar.gz.asc b/openvpn-2.5.9.tar.gz.asc deleted file mode 100644 index fa20344..0000000 --- a/openvpn-2.5.9.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEVmH/adZUFVhLcg/Ai3QXs+uzswkFAmPsuVsACgkQi3QXs+uz -swmCnA/9HZonTX9ShsdohsrxMmFk0PwgOKWabjm82rFPLqcIx/3UOhEBJsmKwUnX -+aT/6qEgLTDc8O2YNofk3J+RPLbUoAf42orbCYYcz86AVKnqjBQ4Lmeo1GzkZM4F -8KqmovYGMR0taOHd/qVLOWsczYofrnDcc2gAjGJUhcrhGqajL4MX7zXMgiL/rMeZ -AsaGi95WbJaw17oWKgNb2XW2iQ1/LNtJPyB9E8L/1tIEolYrXAMrWn4L4A6h51j/ -Lo+HqRS85gawWR48g6nlP/sGmCamoQFF0SH7YX07qGL180i+ouDzH+WCGolKgJAW -V6s6TAJzXIGc7KV5Wvz6uWn0zjqXJQzXFhkWatjO+HbPKn7wnvgRFnzElTTh9Tdt -EkwtGek+/I8iQXOsLf+bk8bqv17C/6B84X52ZKxMCZU5mKF9es0SxKZK5tIR6J3q -6K/ILMLC5EFT5Vr55Ls4+upKZtcs+yvs1bo1QhM1pYJglwak1ZFDMZcXSU88I0k8 -ThGD1WGSvlHJTPu7LfRGMv57oUEJ9/5RE6ehcX/i5mg9O32ICtfS/kzKoJTAN61a -msVzBbamQafq92ZgtkCIk3v/0MXPwSHL/xIBckKM5foAVw/+zyG3kOYiMf3h1ho7 -TjiCJV1fySbazFkKEQKnHWoLSOPcpy0NWwEyNLwPmQGmANhZaLo= -=0TR5 ------END PGP SIGNATURE----- diff --git a/openvpn-2.6.3.tar.gz b/openvpn-2.6.3.tar.gz new file mode 100644 index 0000000..e973b38 --- /dev/null +++ b/openvpn-2.6.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:13b207a376d8880507c74ff78aabc3778a9da47c89f1e247dcee3c7237138ff6 +size 1860557 diff --git a/openvpn-2.6.3.tar.gz.asc b/openvpn-2.6.3.tar.gz.asc new file mode 100644 index 0000000..190a8a3 --- /dev/null +++ b/openvpn-2.6.3.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEVmH/adZUFVhLcg/Ai3QXs+uzswkFAmQ33N8ACgkQi3QXs+uz +swlZQBAApR0ge0c+HyMay1rQDkSV8YgOmpoIrOh2BaPqxs8a5eeumBbWjv/jBtUu +bOXwpYz127fLA1H9MdKbsgOIB/uniiQPFurUkyLw/11mWCxmpaykwMA8SDfz+Zdy +7SaX/2IaouyXMDydMfzjWXZX20+Ek9MeFJFczWj3LQS2ohGPXc0CPde4yNwR6QKf +Rv31Y55ysMB/p+snCumzLo6quvVyqzJkZdzygefk+uOSc7GfwpZxifr8B4v5aAtm +922Rp3NIithzdYK8VZWPbVIeQqwZSyJ+SXb88ALtHKHTMeYk5qXFzl10a33HQDCY +gzTjYXMkVzIYMaEvLCyb/zwOri3XUzbd5a/6WIaaW5BrM2PyQhKqf7m7iOTFasaF +em+664o6tsCzmb8lFJCygWxgc8iszzHJS1WaV8jasek7GSkj0NE4tmsYDULK8nXA +wVrnWRVHuAKjOYwE6lGapKJ6lOHYUwdgvIcUEKlCqM7PNNaWfutzf/l63UWnkKTc +y6Q9tOm9m3yJka+Oqva3dcS8Wjo+e4s6xrhDTGZC480LDmCkz+NEsn3RxdoQh/pq +BOkQfdElC0y2Pd54uucOgoQRQCCpQkCrB1J5SLhpqdFOVD2wAIY2VQzB9R+m9PJY +uxvY9uSvJmiq2mZrAxX/kUKG/Xz/3OGa5vzm/UQJSSxFx9WkO1c= +=U3/y +-----END PGP SIGNATURE----- diff --git a/openvpn-fips140-2.3.2.patch b/openvpn-fips140-2.3.2.patch deleted file mode 100644 index d05d549..0000000 --- a/openvpn-fips140-2.3.2.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From a33c0d811ad976561e5cb5bfc8431c1a286e796b Mon Sep 17 00:00:00 2001 -From: Nirmoy Das -Date: Fri, 23 Jun 2017 11:00:08 +0200 -Subject: [PATCH] fips-140 - -Signed-off-by: Nirmoy Das ---- - src/openvpn/crypto.c | 2 +- - src/openvpn/crypto_backend.h | 3 ++- - src/openvpn/crypto_openssl.c | 6 +++++- - src/openvpn/ntlm.c | 2 +- - src/openvpn/options.c | 4 ++++ - src/openvpn/ssl.c | 4 ++-- - 6 files changed, 15 insertions(+), 6 deletions(-) - ---- src/openvpn/crypto.c.orig -+++ src/openvpn/crypto.c -@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const - if (kt->digest && kt->hmac_length > 0) - { - ctx->hmac = hmac_ctx_new(); -- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest); -+ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0); - - msg(D_HANDSHAKE, - "%s: Using %d bit message hash '%s' for HMAC authentication", ---- src/openvpn/crypto_backend.h.orig -+++ src/openvpn/crypto_backend.h -@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); - * @param key The key to use for the HMAC - * @param key_len The key length to use - * @param kt Static message digest parameters -+ * @param prf_use Intended use for PRF in TLS protocol - * - */ - void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, -- const md_kt_t *kt); -+ const md_kt_t *kt, bool prf_use); - - /* - * Free the given HMAC context. 
---- src/openvpn/crypto_openssl.c.orig -+++ src/openvpn/crypto_openssl.c -@@ -1008,11 +1008,15 @@ hmac_ctx_free(HMAC_CTX *ctx) - - void - hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, -- const EVP_MD *kt) -+ const EVP_MD *kt, bool prf_use) - { - ASSERT(NULL != kt && NULL != ctx); - - HMAC_CTX_reset(ctx); -+ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not -+ * * to be used anywhere else */ -+ if(kt == EVP_md5() && prf_use) -+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - HMAC_Init_ex(ctx, key, key_len, kt, NULL); - - /* make sure we used a big enough key */ ---- src/openvpn/ntlm.c.orig -+++ src/openvpn/ntlm.c -@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da - const md_kt_t *md5_kt = md_kt_get("MD5"); - hmac_ctx_t *hmac_ctx = hmac_ctx_new(); - -- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt); -+ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0); - hmac_ctx_update(hmac_ctx, data, data_len); - hmac_ctx_final(hmac_ctx, result); - hmac_ctx_cleanup(hmac_ctx); ---- src/openvpn/options.c.orig -+++ src/openvpn/options.c -@@ -850,6 +850,10 @@ init_options(struct options *o, const bo - o->tcp_queue_limit = 64; - o->max_clients = 1024; - o->max_routes_per_client = 256; -+#ifdef OPENSSL_FIPS -+ if(FIPS_mode()) -+ o->ciphername = "AES-256-CBC"; -+#endif - o->stale_routes_check_interval = 0; - o->ifconfig_pool_persist_refresh_freq = 600; - #if P2MP -@@ -3087,6 +3091,12 @@ options_postprocess_cipher(struct option - if (!o->ciphername) - { - o->ciphername = "BF-CBC"; -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode()) -+ { -+ o->ciphername = "AES-256-CBC"; -+ } -+#endif - } - return; - } -@@ -3109,6 +3119,12 @@ options_postprocess_cipher(struct option - /* We still need to set the ciphername to BF-CBC since various other - * parts of OpenVPN assert that the ciphername is set */ - o->ciphername = "BF-CBC"; -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode()) -+ { -+ o->ciphername = "AES-256-CBC"; -+ } -+#endif - } - else if 
(!o->enable_ncp_fallback - && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers)) ---- src/openvpn/ssl.c.orig -+++ src/openvpn/ssl.c -@@ -1661,8 +1661,8 @@ tls1_P_hash(const md_kt_t *md_kt, - int chunk = md_kt_size(md_kt); - unsigned int A1_len = md_kt_size(md_kt); - -- hmac_ctx_init(ctx, sec, sec_len, md_kt); -- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); -+ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1); -+ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1); - - hmac_ctx_update(ctx,seed,seed_len); - hmac_ctx_final(ctx, A1); diff --git a/openvpn.changes b/openvpn.changes index fa86df8..e6dceba 100644 --- a/openvpn.changes +++ b/openvpn.changes 
@@ -1,4 +1,68 @@ ------------------------------------------------------------------- +Tue Apr 25 14:02:08 UTC 2023 - Mohd Saquib + +- update to 2.6.3: + * For full changelog please refer to: + https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst + * implement byte counter statistics for DCO Linux (p2mp server + and client) + * implement byte counter statistics for DCO Windows (client only) + * '--dns server address ...' now permits up to 8 v4 or v6 + addresses + * fix a few cases of possibly undefined behaviour detected by ASAN + * add more unit tests for Windows cryptoapi interface + * Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN + will dynamically create a tls-crypt key that is used for + renegotiation. This ensure that only the previously authenticated + peer can do trigger renegotiation and complete renegotiations. + * Keying Material Exporters (RFC 5705) based key generation + * As part of the cipher negotiation OpenVPN will automatically prefer + the RFC5705 based key material generation to the current custom + OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+. + * OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort + has been made to check or implement all the requirements/ + recommendation of FIPS 140-2. This just allows OpenVPN to be run on + a system that be configured OpenSSL in FIPS mode. + * mlock will now check if enough memlock-able memory has been reserved, + and if less than 100MB RAM are available, use setrlimit() to upgrade + the limit. See Trac #1390. Not available on OpenSolaris. + * The --peer-fingerprint option has been introduced to give users an + easy to use alternative to the tls-verify for matching the fingerprint + of the peer. The option takes use a number of allowed SHA256 + certificate fingerprints. + * When --peer-fingerprint is used, the --ca and --capath option become + optional. This allows for small OpenVPN setups without setting up a + PKI with Easy-RSA or similar software. 
+ * The --auth-user-pass-verify script supports now deferred authentication. + * Both auth plugin and script can now signal pending authentication to + the client when using deferred authentication. The new client-crresponse + script option and OPENVPN_PLUGIN_CLIENT_CRRESPONSE plugin function can + be used to parse a client response to a CR_TEXT two factor challenge. + * The modernisation of defaults can impact the compatibility of OpenVPN + 2.6.0 with older peers. The options --compat-mode allows UIs to provide + users with an easy way to still connect to older servers. + * OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not user + visible but improve general compatibility with OpenSSL 3.0. + --tls-cert-profile insecure has been added to allow selecting the lowest + OpenSSL security level (not recommended, use only if you must). OpenSSL + 3.0 no longer supports the Blowfish (and other deprecated) algorithm by + default and the new option --providers allows loading the legacy provider + to renable these algorithms. + * Ciphers in --data-ciphers can now be prefixed with a ? to mark those as + optional and only use them if the SSL library supports them. + * The --mssfix and --fragment options now allow an optional mtu parameter to + specify that different overhead for IPv4/IPv6 should taken into account + and the resulting size is specified as the total size of the VPN packets + including IP and UDP headers. + * Instead of allocating a connection for each client on the initial packet + OpenVPN server will now use an HMAC based cookie as its session id. This way + the server can verify it on completing the handshake without keeping state. + This eliminates the amplification and resource exhaustion attacks. + For tls-crypt-v2 clients, this requires OpenVPN 2.6 clients or later because + the client needs to resend its client key on completing the hand shake. + The tls-crypt-v2 option allows controlling if older clients are accepted. 
+- Removed openvpn-fips140-2.3.2.patch +------------------------------------------------------------------- Thu Mar 2 07:34:31 UTC 2023 - Mohd Saquib - update to 2.5.9: diff --git a/openvpn.spec b/openvpn.spec index b9d12a7..a1e092b 100644 --- a/openvpn.spec +++ b/openvpn.spec @@ -20,7 +20,7 @@ %define _rundir %{_localstatedir}/run %endif Name: openvpn -Version: 2.5.9 +Version: 2.6.3 Release: 0 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface License: GPL-2.0-only WITH openvpn-openssl-exception @@ -37,9 +37,11 @@ Source9: %{name}.target Source10: %{name}-tmpfile.conf Source11: rc%{name} Patch1: %{name}-2.3-plugin-man.dif -Patch6: %{name}-fips140-2.3.2.patch BuildRequires: iproute2 +BuildRequires: libcap-ng-devel +BuildRequires: liblz4-devel BuildRequires: libselinux-devel +BuildRequires: lz4 BuildRequires: lzo-devel BuildRequires: openssl-devel BuildRequires: p11-kit-devel @@ -116,7 +118,6 @@ This package provides the header file to build external plugins. %prep %setup -q %patch1 -%patch6 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \ -i src/openvpn/options.c
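Review bot: The new `BuildRequires: lz4` line pulls in the lz4 command-line package, while the build itself only needs the headers and shared library that the adjacent `BuildRequires: liblz4-devel` already provides; unless a %build or %check step invokes the lz4 binary (nothing in this hunk does), drop the line or replace it with `BuildRequires: pkgconfig(liblz4)` to keep the build root minimal and the dependency auditable. Linking the system liblz4 instead of the compat-lz4 copy bundled in the upstream tarball is the right choice for receiving security updates, so it deserves a why-comment above the line, e.g. `# use the system liblz4 rather than the bundled compat-lz4 copy`. OpenVPN 2.6 also enables DCO by default on Linux and, as far as I recall, its configure script then requires libnl-genl-3.0 and aborts if it is missing; the BuildRequires added here do not include it, so either %configure passes `--disable-dco` outside this hunk or the build will fail, and whichever is intended should be stated in the spec with a one-line comment. The %prep hunk is complete in SOURCE, but the %prep section itself continues past its last line.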