Accepting request 1082780 from network:vpn

OBS-URL: https://build.opensuse.org/request/show/1082780
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=107

openvpn-2.5.9.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8794b7125998c68f30de654267a702b9581454ca1e7061511fcc5f99fea4bd32
-size 1840560

openvpn-2.5.9.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEVmH/adZUFVhLcg/Ai3QXs+uzswkFAmPsuVsACgkQi3QXs+uz
-swmCnA/9HZonTX9ShsdohsrxMmFk0PwgOKWabjm82rFPLqcIx/3UOhEBJsmKwUnX
-+aT/6qEgLTDc8O2YNofk3J+RPLbUoAf42orbCYYcz86AVKnqjBQ4Lmeo1GzkZM4F
-8KqmovYGMR0taOHd/qVLOWsczYofrnDcc2gAjGJUhcrhGqajL4MX7zXMgiL/rMeZ
-AsaGi95WbJaw17oWKgNb2XW2iQ1/LNtJPyB9E8L/1tIEolYrXAMrWn4L4A6h51j/
-Lo+HqRS85gawWR48g6nlP/sGmCamoQFF0SH7YX07qGL180i+ouDzH+WCGolKgJAW
-V6s6TAJzXIGc7KV5Wvz6uWn0zjqXJQzXFhkWatjO+HbPKn7wnvgRFnzElTTh9Tdt
-EkwtGek+/I8iQXOsLf+bk8bqv17C/6B84X52ZKxMCZU5mKF9es0SxKZK5tIR6J3q
-6K/ILMLC5EFT5Vr55Ls4+upKZtcs+yvs1bo1QhM1pYJglwak1ZFDMZcXSU88I0k8
-ThGD1WGSvlHJTPu7LfRGMv57oUEJ9/5RE6ehcX/i5mg9O32ICtfS/kzKoJTAN61a
-msVzBbamQafq92ZgtkCIk3v/0MXPwSHL/xIBckKM5foAVw/+zyG3kOYiMf3h1ho7
-TjiCJV1fySbazFkKEQKnHWoLSOPcpy0NWwEyNLwPmQGmANhZaLo=
-=0TR5
------END PGP SIGNATURE-----

openvpn-2.6.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:13b207a376d8880507c74ff78aabc3778a9da47c89f1e247dcee3c7237138ff6
+size 1860557

openvpn-2.6.3.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEVmH/adZUFVhLcg/Ai3QXs+uzswkFAmQ33N8ACgkQi3QXs+uz
+swlZQBAApR0ge0c+HyMay1rQDkSV8YgOmpoIrOh2BaPqxs8a5eeumBbWjv/jBtUu
+bOXwpYz127fLA1H9MdKbsgOIB/uniiQPFurUkyLw/11mWCxmpaykwMA8SDfz+Zdy
+7SaX/2IaouyXMDydMfzjWXZX20+Ek9MeFJFczWj3LQS2ohGPXc0CPde4yNwR6QKf
+Rv31Y55ysMB/p+snCumzLo6quvVyqzJkZdzygefk+uOSc7GfwpZxifr8B4v5aAtm
+922Rp3NIithzdYK8VZWPbVIeQqwZSyJ+SXb88ALtHKHTMeYk5qXFzl10a33HQDCY
+gzTjYXMkVzIYMaEvLCyb/zwOri3XUzbd5a/6WIaaW5BrM2PyQhKqf7m7iOTFasaF
+em+664o6tsCzmb8lFJCygWxgc8iszzHJS1WaV8jasek7GSkj0NE4tmsYDULK8nXA
+wVrnWRVHuAKjOYwE6lGapKJ6lOHYUwdgvIcUEKlCqM7PNNaWfutzf/l63UWnkKTc
+y6Q9tOm9m3yJka+Oqva3dcS8Wjo+e4s6xrhDTGZC480LDmCkz+NEsn3RxdoQh/pq
+BOkQfdElC0y2Pd54uucOgoQRQCCpQkCrB1J5SLhpqdFOVD2wAIY2VQzB9R+m9PJY
+uxvY9uSvJmiq2mZrAxX/kUKG/Xz/3OGa5vzm/UQJSSxFx9WkO1c=
+=U3/y
+-----END PGP SIGNATURE-----

openvpn-fips140-2.3.2.patch

@@ -1,123 +0,0 @@
-From a33c0d811ad976561e5cb5bfc8431c1a286e796b Mon Sep 17 00:00:00 2001
-From: Nirmoy Das <ndas@suse.de>
-Date: Fri, 23 Jun 2017 11:00:08 +0200
-Subject: [PATCH] fips-140
-
-Signed-off-by: Nirmoy Das <ndas@suse.de>
----
- src/openvpn/crypto.c         | 2 +-
- src/openvpn/crypto_backend.h | 3 ++-
- src/openvpn/crypto_openssl.c | 6 +++++-
- src/openvpn/ntlm.c           | 2 +-
- src/openvpn/options.c        | 4 ++++
- src/openvpn/ssl.c            | 4 ++--
- 6 files changed, 15 insertions(+), 6 deletions(-)
-
---- src/openvpn/crypto.c.orig
-+++ src/openvpn/crypto.c
-@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
-     if (kt->digest && kt->hmac_length > 0)
-     {
-         ctx->hmac = hmac_ctx_new();
--        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
-+        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
- 
-         msg(D_HANDSHAKE,
-             "%s: Using %d bit message hash '%s' for HMAC authentication",
---- src/openvpn/crypto_backend.h.orig
-+++ src/openvpn/crypto_backend.h
-@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
-  * @param key           The key to use for the HMAC
-  * @param key_len       The key length to use
-  * @param kt            Static message digest parameters
-+ * @param prf_use          Intended use for PRF in TLS protocol
-  *
-  */
- void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
--                   const md_kt_t *kt);
-+                   const md_kt_t *kt, bool prf_use);
- 
- /*
-  * Free the given HMAC context.
---- src/openvpn/crypto_openssl.c.orig
-+++ src/openvpn/crypto_openssl.c
-@@ -1008,11 +1008,15 @@ hmac_ctx_free(HMAC_CTX *ctx)
- 
- void
- hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
--              const EVP_MD *kt)
-+              const EVP_MD *kt, bool prf_use)
- {
-     ASSERT(NULL != kt && NULL != ctx);
- 
-     HMAC_CTX_reset(ctx);
-+	/* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
-+	 * * to be used anywhere else */
-+	if(kt == EVP_md5() && prf_use)
-+		HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-     HMAC_Init_ex(ctx, key, key_len, kt, NULL);
- 
-     /* make sure we used a big enough key */
---- src/openvpn/ntlm.c.orig
-+++ src/openvpn/ntlm.c
-@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
-     const md_kt_t *md5_kt = md_kt_get("MD5");
-     hmac_ctx_t *hmac_ctx = hmac_ctx_new();
- 
--    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
-+    hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
-     hmac_ctx_update(hmac_ctx, data, data_len);
-     hmac_ctx_final(hmac_ctx, result);
-     hmac_ctx_cleanup(hmac_ctx);
---- src/openvpn/options.c.orig
-+++ src/openvpn/options.c
-@@ -850,6 +850,10 @@ init_options(struct options *o, const bo
-     o->tcp_queue_limit = 64;
-     o->max_clients = 1024;
-     o->max_routes_per_client = 256;
-+#ifdef OPENSSL_FIPS
-+	if(FIPS_mode())
-+		o->ciphername = "AES-256-CBC";
-+#endif
-     o->stale_routes_check_interval = 0;
-     o->ifconfig_pool_persist_refresh_freq = 600;
- #if P2MP
-@@ -3087,6 +3091,12 @@ options_postprocess_cipher(struct option
-         if (!o->ciphername)
-         {
-             o->ciphername = "BF-CBC";
-+#ifdef OPENSSL_FIPS
-+	    if (FIPS_mode())
-+	    {
-+	       o->ciphername = "AES-256-CBC";
-+	    }
-+#endif
-         }
-         return;
-     }
-@@ -3109,6 +3119,12 @@ options_postprocess_cipher(struct option
-         /* We still need to set the ciphername to BF-CBC since various other
-          * parts of OpenVPN assert that the ciphername is set */
-         o->ciphername = "BF-CBC";
-+#ifdef OPENSSL_FIPS
-+	if (FIPS_mode())
-+	{
-+	   o->ciphername = "AES-256-CBC";
-+	}
-+#endif
-     }
-     else if (!o->enable_ncp_fallback
-              && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
---- src/openvpn/ssl.c.orig
-+++ src/openvpn/ssl.c
-@@ -1661,8 +1661,8 @@ tls1_P_hash(const md_kt_t *md_kt,
-     int chunk = md_kt_size(md_kt);
-     unsigned int A1_len = md_kt_size(md_kt);
- 
--    hmac_ctx_init(ctx, sec, sec_len, md_kt);
--    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
-+    hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
-+    hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
- 
-     hmac_ctx_update(ctx,seed,seed_len);
-     hmac_ctx_final(ctx, A1);

openvpn.changes

@@ -1,4 +1,68 @@
 -------------------------------------------------------------------
+Tue Apr 25 14:02:08 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
+
+- update to 2.6.3:
+  * For full changelog please refer to:
+    https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
+  * implement byte counter statistics for DCO Linux (p2mp server
+    and client)
+  * implement byte counter statistics for DCO Windows (client only)
+  * '--dns server <n> address ...' now permits up to 8 v4 or v6
+    addresses
+  * fix a few cases of possibly undefined behaviour detected by ASAN
+  * add more unit tests for Windows cryptoapi interface
+  * Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN
+    will dynamically create a tls-crypt key that is used for
+    renegotiation. This ensure that only the previously authenticated
+    peer can do trigger renegotiation and complete renegotiations.
+  * Keying Material Exporters (RFC 5705) based key generation
+  * As part of the cipher negotiation OpenVPN will automatically prefer
+    the RFC5705 based key material generation to the current custom
+    OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
+  * OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
+    has been made to check or implement all the requirements/
+    recommendation of FIPS 140-2. This just allows OpenVPN to be run on
+    a system that be configured OpenSSL in FIPS mode.
+  * mlock will now check if enough memlock-able memory has been reserved,
+    and if less than 100MB RAM are available, use setrlimit() to upgrade
+    the limit. See Trac #1390. Not available on OpenSolaris.
+  * The --peer-fingerprint option has been introduced to give users an
+    easy to use alternative to the tls-verify for matching the fingerprint
+    of the peer. The option takes use a number of allowed SHA256
+    certificate fingerprints.
+  * When --peer-fingerprint is used, the --ca and --capath option become
+    optional. This allows for small OpenVPN setups without setting up a
+    PKI with Easy-RSA or similar software.
+  * The --auth-user-pass-verify script supports now deferred authentication.
+  * Both auth plugin and script can now signal pending authentication to
+    the client when using deferred authentication. The new client-crresponse
+    script option and OPENVPN_PLUGIN_CLIENT_CRRESPONSE plugin function can
+    be used to parse a client response to a CR_TEXT two factor challenge.
+  * The modernisation of defaults can impact the compatibility of OpenVPN
+    2.6.0 with older peers. The options --compat-mode allows UIs to provide
+    users with an easy way to still connect to older servers.
+  * OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not user
+    visible but improve general compatibility with OpenSSL 3.0.
+    --tls-cert-profile insecure has been added to allow selecting the lowest
+    OpenSSL security level (not recommended, use only if you must). OpenSSL
+    3.0 no longer supports the Blowfish (and other deprecated) algorithm by
+    default and the new option --providers allows loading the legacy provider
+    to renable these algorithms.
+  * Ciphers in --data-ciphers can now be prefixed with a ? to mark those as
+    optional and only use them if the SSL library supports them.
+  * The --mssfix and --fragment options now allow an optional mtu parameter to
+    specify that different overhead for IPv4/IPv6 should taken into account
+    and the resulting size is specified as the total size of the VPN packets
+    including IP and UDP headers.
+  * Instead of allocating a connection for each client on the initial packet
+    OpenVPN server will now use an HMAC based cookie as its session id. This way
+    the server can verify it on completing the handshake without keeping state.
+    This eliminates the amplification and resource exhaustion attacks.
+    For tls-crypt-v2 clients, this requires OpenVPN 2.6 clients or later because
+    the client needs to resend its client key on completing the hand shake.
+    The tls-crypt-v2 option allows controlling if older clients are accepted.
+- Removed openvpn-fips140-2.3.2.patch
+-------------------------------------------------------------------
 Thu Mar  2 07:34:31 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
 
 - update to 2.5.9:

openvpn.spec

@@ -20,7 +20,7 @@
 %define _rundir %{_localstatedir}/run
 %endif
 Name:           openvpn
-Version:        2.5.9
+Version:        2.6.3
 Release:        0
 Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
 License:        GPL-2.0-only WITH openvpn-openssl-exception
@@ -37,9 +37,11 @@ Source9:        %{name}.target
 Source10:       %{name}-tmpfile.conf
 Source11:       rc%{name}
 Patch1:         %{name}-2.3-plugin-man.dif
-Patch6:         %{name}-fips140-2.3.2.patch
 BuildRequires:  iproute2
+BuildRequires:  libcap-ng-devel
+BuildRequires:  liblz4-devel
 BuildRequires:  libselinux-devel
+BuildRequires:  lz4
 BuildRequires:  lzo-devel
 BuildRequires:  openssl-devel
 BuildRequires:  p11-kit-devel
@@ -116,7 +118,6 @@ This package provides the header file to build external plugins.
 %prep
 %setup -q
 %patch1
-%patch6
 
 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
     -i src/openvpn/options.c