From 5126890df22eb99ea080dde7d2b57bdd2e5d7ef577cbfc0cbd0f6ae52a3d9c0f Mon Sep 17 00:00:00 2001 
From: Reinhard Max Date: Thu, 5 Aug 2021 14:32:44 +0000 Subject: [PATCH 1/3] - Update to 2.5.3: * Removal of BF-CBC support in default configuration *** POSSIBLE INCOMPATIBILITY *** See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8). * Connections setup is now much faster * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer * Client-specific tls-crypt keys (--tls-crypt-v2) * Improved Data channel cipher negotiation * HMAC based auth-token support for seamless reconnects to standalone servers or a group of servers * Asynchronous (deferred) authentication support for auth-pam plugin * Asynchronous (deferred) support for client-connect scripts and plugins * Support IPv4 configs with /31 netmasks * 802.1q VLAN support on TAP servers * Support IPv6-only tunnels * New option --block-ipv6 to reject all IPv6 packets (ICMPv6) * Support Virtual Routing and Forwarding (VRF) * Netlink integration (OpenVPN no longer needs to execute ifconfig/route or ip commands) * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch - bsc#1062157: The fix for bsc#934237 causes problems with the crypto self-test of newer openvpn versions. Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch . 
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=165 --- ...red-authentication-in-the-background.patch | 22 +- openvpn-2.3-plugin-man.dif | 31 +-- ...-heap-overflow-on-getaddrinfo-result.patch | 66 ----- ...x-fixed-multiple-low-severity-issues.patch | 257 ------------------ openvpn-2.4.11.tar.xz | 3 - openvpn-2.4.11.tar.xz.asc | 16 -- openvpn-2.5.3.tar.xz | 3 + openvpn-2.5.3.tar.xz.asc | 16 ++ openvpn-fips140-2.3.2.patch | 93 ++++--- openvpn.changes | 33 +++ openvpn.spec | 10 +- 11 files changed, 128 insertions(+), 422 deletions(-) delete mode 100644 openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch delete mode 100644 openvpn-2.3.x-fixed-multiple-low-severity-issues.patch delete mode 100644 openvpn-2.4.11.tar.xz delete mode 100644 openvpn-2.4.11.tar.xz.asc create mode 100644 openvpn-2.5.3.tar.xz create mode 100644 openvpn-2.5.3.tar.xz.asc diff --git a/0001-preform-deferred-authentication-in-the-background.patch b/0001-preform-deferred-authentication-in-the-background.patch index 6501d54..eaf0026 100644 --- a/0001-preform-deferred-authentication-in-the-background.patch +++ b/0001-preform-deferred-authentication-in-the-background.patch @@ -1,7 +1,5 @@ -Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c -=================================================================== ---- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.c -+++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c +--- src/plugins/auth-pam/auth-pam.c.orig ++++ src/plugins/auth-pam/auth-pam.c @@ -43,6 +43,7 @@ #include #include @@ -18,7 +16,7 @@ Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c /* Response codes for background -> foreground communication */ #define RESPONSE_INIT_SUCCEEDED 10 -@@ -115,6 +117,7 @@ struct user_pass { +@@ -120,6 +122,7 @@ struct user_pass { char password[128]; char common_name[128]; char response[128]; 
@@ -26,8 +24,8 @@ Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c const struct name_value_list *name_value_list; }; -@@ -776,6 +779,21 @@ pam_auth(const char *service, const stru - return ret; +@@ -884,6 +887,21 @@ do_deferred_pam_auth(int fd, const char + exit(0); } +static int handle_auth_control_file(char *auth_control_file, int status) @@ -48,7 +46,7 @@ Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c /* * Background process -- runs with privilege. */ -@@ -878,6 +896,42 @@ pam_server(int fd, const char *service, +@@ -1002,6 +1020,42 @@ pam_server(int fd, const char *service, plugin_secure_memzero(up.password, sizeof(up.password)); break; @@ -91,7 +89,7 @@ Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c case COMMAND_EXIT: goto done; -@@ -905,3 +959,56 @@ done: +@@ -1029,3 +1083,56 @@ done: return; } @@ -148,10 +146,8 @@ Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c + return OPENVPN_PLUGIN_FUNC_ERROR; + } +} -Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports -=================================================================== ---- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.exports -+++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports +--- src/plugins/auth-pam/auth-pam.exports.orig ++++ src/plugins/auth-pam/auth-pam.exports @@ -1,4 +1,5 @@ openvpn_plugin_open_v3 openvpn_plugin_func_v1 diff --git a/openvpn-2.3-plugin-man.dif b/openvpn-2.3-plugin-man.dif index 7aa3e49..e9a2bab 100644 --- a/openvpn-2.3-plugin-man.dif +++ b/openvpn-2.3-plugin-man.dif 
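Review bot: The rebased `0001-preform-deferred-authentication-in-the-background.patch` now anchors on upstream's `do_deferred_pam_auth(int fd, const char` (hunk header `@@ -884,6 +887,21 @@`), and the changes entry lists "Asynchronous (deferred) authentication support for auth-pam plugin" as a 2.5.3 feature, so the distro patch appears to add a second deferred-auth path (`handle_auth_control_file`, the extra `pam_server` command, the new export) next to the one upstream ships. Two code paths deciding and writing the auth result make the plugin harder to reason about and diverge from upstream behaviour; please confirm the patch is still required on 2.5.3 and, if it is, record in its header why upstream's deferred support is not sufficient. The `static int handle_auth_control_file(char *auth_control_file, int status)` signature should take `const char *auth_control_file` if the helper only opens the path; its body is not in the shown context. The bodies of `pam_server` and the new helper lie outside these hunks.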
@@ -1,22 +1,15 @@ -Index: doc/openvpn.8 -=================================================================== --- doc/openvpn.8.orig +++ doc/openvpn.8 -@@ -2690,12 +2690,11 @@ plug-in modules, see the README file in - .B plugin - folder of the OpenVPN source distribution. - +@@ -6059,9 +6059,9 @@ For more information and examples on how + modules, see the README file in the \fBplugin\fP folder of the OpenVPN + source distribution. + .sp -If you are using an RPM install of OpenVPN, see --/usr/share/openvpn/plugin. The documentation is --in --.B doc --and the actual plugin modules are in --.B lib. -+If you are using an RPM install of OpenVPN, the actual -+plugin modules are in -+.B @PLUGIN_LIBDIR@ -+and the documentation is in -+.B @PLUGIN_DOCDIR@/README.. - - Multiple plugin modules can be cascaded, and modules can be - used in tandem with scripts. The modules will be called by +-\fB/usr/share/openvpn/plugin\fP\&. The documentation is in \fBdoc\fP and +-the actual plugin modules are in \fBlib\fP\&. ++If you are using an RPM install of OpenVPN, the actual plugin modules ++are in \fB@PLUGIN_LIBDIR@\fP\& and the documentation is in ++\fB@PLUGIN_DOCDIR@/README.\fP\&. + .sp + Multiple plugin modules can be cascaded, and modules can be used in + tandem with scripts. The modules will be called by OpenVPN in the order diff --git a/openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch b/openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch deleted file mode 100644 index ec4eaa8..0000000 --- a/openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -Author: Gert Doering -Date: Tue Nov 10 22:58:39 2015 +0100 - - Fix possible heap overflow on read accessing getaddrinfo() result. - - The code always tried to copy-out a "struct sockaddr_in6" even for IPv4 - results, which reads more bytes than getaddrinfo() is guaranteed to - allocate. - - Now, look at ai->ai_family and only copy "struct sockaddr" for IPv4. - - Also, reformat this block of code to comply to coding style. - - This is a specific 2.3 bug as the code in master (to be 2.4) has been - completely rewritten to properly handle dual-stack and multiple responses - from getaddrinfo() proper. - - Bug found by Daniel Hirche using "gcc -fsanitize=address". No possible - exploits are known. - - 
Signed-off-by: Gert Doering - Acked-by: Arne Schwabe - Message-Id: <1447192719-31381-1-git-send-email-gert@greenie.muc.de> - URL: http://article.gmane.org/gmane.network.openvpn.devel/10479 - -References: bsc#959714 - -diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c -index a143853..0f46bad 100644 ---- a/src/openvpn/socket.c -+++ b/src/openvpn/socket.c - -1259,20 +1259,24 resolve_remote (struct link_socket *sock, - ASSERT (0); - } - -- /* Temporary fix, this need to be changed for dual stack */ -- status = openvpn_getaddrinfo(flags, sock->remote_host, retry, -- signal_received, af, &ai); -- if(status == 0) { -- sock->info.lsa->remote.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr)); -- freeaddrinfo(ai); -+ /* Temporary fix, this need to be changed for dual stack */ -+ status = openvpn_getaddrinfo(flags, sock->remote_host, retry, -+ signal_received, af, &ai); -+ if(status == 0) -+ { -+ if ( ai->ai_family == AF_INET6 ) -+ sock->info.lsa->remote.addr.in6 = *((struct sockaddr_in6*)(ai->ai_addr)); -+ else -+ sock->info.lsa->remote.addr.in4 = *((struct sockaddr_in*)(ai->ai_addr)); -+ freeaddrinfo(ai); - -- dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d", -+ dmsg (D_SOCKET_DEBUG, "RESOLVE_REMOTE flags=0x%04x phase=%d rrs=%d sig=%d status=%d", - flags, - phase, - retry, - signal_received ? *signal_received : -1, - status); -- } -+ } - if (signal_received) - { - if (*signal_received) --- -2.4.9 diff --git a/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch b/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch deleted file mode 100644 index 5617349..0000000 --- a/openvpn-2.3.x-fixed-multiple-low-severity-issues.patch +++ /dev/null 
@@ -1,257 +0,0 @@ -Index: openvpn-2.4.10/src/openvpn/crypto.c -=================================================================== ---- openvpn-2.4.10.orig/src/openvpn/crypto.c -+++ openvpn-2.4.10/src/openvpn/crypto.c -@@ -118,7 +118,7 @@ openvpn_encrypt_aead(struct buffer *buf, - dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc)); - - /* Buffer overflow check */ -- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) -+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH)) - { - msg(D_CRYPT_ERRORS, - "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d", -@@ -237,7 +237,7 @@ openvpn_encrypt_v1(struct buffer *buf, s - ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf)); - - /* Buffer overflow check */ -- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) -+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH)) - { - msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d", - buf->capacity, -@@ -378,7 +378,7 @@ openvpn_decrypt_aead(struct buffer *buf, - const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher); - uint8_t *tag_ptr = NULL; - int tag_size = 0; -- int outlen; -+ int outlen = 0; - struct gc_arena gc; - - gc_init(&gc); -@@ -455,7 +455,7 @@ openvpn_decrypt_aead(struct buffer *buf, - dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc)); - - /* Buffer overflow check (should never fail) */ -- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) -+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH)) - { - CRYPT_ERROR("potential buffer overflow"); - } -@@ -601,7 +601,7 @@ openvpn_decrypt_v1(struct buffer *buf, s - } - - /* Buffer overflow check (should never happen) */ -- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher))) -+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH)) - { - CRYPT_ERROR("potential buffer overflow"); - } -Index: 
openvpn-2.4.10/src/openvpn/crypto_openssl.h -=================================================================== ---- openvpn-2.4.10.orig/src/openvpn/crypto_openssl.h -+++ openvpn-2.4.10/src/openvpn/crypto_openssl.h -@@ -52,6 +52,9 @@ typedef HMAC_CTX hmac_ctx_t; - /** Maximum length of an IV */ - #define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH - -+/** Maximum length of a cipher block */ -+#define OPENVPN_MAX_BLOCK_LENGTH EVP_MAX_BLOCK_LENGTH -+ - /** Cipher is in CBC mode */ - #define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE - -Index: openvpn-2.4.10/src/openvpn/init.c -=================================================================== ---- openvpn-2.4.10.orig/src/openvpn/init.c -+++ openvpn-2.4.10/src/openvpn/init.c -@@ -3215,8 +3215,8 @@ init_context_buffers(const struct frame - b->aux_buf = alloc_buf(BUF_SIZE(frame)); - - #ifdef ENABLE_CRYPTO -- b->encrypt_buf = alloc_buf(BUF_SIZE(frame)); -- b->decrypt_buf = alloc_buf(BUF_SIZE(frame)); -+ b->encrypt_buf = alloc_buf(BUF_SIZE(frame) + OPENVPN_MAX_BLOCK_LENGTH); -+ b->decrypt_buf = alloc_buf(BUF_SIZE(frame) + OPENVPN_MAX_BLOCK_LENGTH); - #endif - - #ifdef USE_COMP -Index: openvpn-2.4.10/src/openvpn/proxy.c -=================================================================== ---- openvpn-2.4.10.orig/src/openvpn/proxy.c -+++ openvpn-2.4.10/src/openvpn/proxy.c -@@ -73,6 +73,9 @@ recv_line(socket_descriptor_t sd, - struct buffer la; - int lastc = 0; - -+ if (sd >= FD_SETSIZE) -+ return false; -+ - CLEAR(la); - if (lookahead) - { -@@ -321,11 +324,11 @@ get_proxy_authenticate(socket_descriptor - struct gc_arena *gc, - volatile int *signal_received) - { -- char buf[256]; -+ char buf[256] = {0}; - int ret = HTTP_AUTH_NONE; - while (true) - { -- if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received)) -+ if (!recv_line(sd, buf, sizeof(buf) - 1, timeout, true, NULL, signal_received)) - { - free(*data); - *data = NULL; -@@ -641,9 +644,9 @@ establish_http_proxy_passthru(struct htt - volatile int 
*signal_received) - { - struct gc_arena gc = gc_new(); -- char buf[512]; -- char buf2[129]; -- char get[80]; -+ char buf[512] = {0}; -+ char buf2[129] = {0}; -+ char get[80] = {0}; - int status; - int nparms; - bool ret = false; -@@ -733,7 +736,8 @@ establish_http_proxy_passthru(struct htt - } - - /* receive reply from proxy */ -- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) -+ memset(buf, 0, sizeof(buf)); -+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) - { - goto error; - } -@@ -764,7 +768,8 @@ establish_http_proxy_passthru(struct htt - - while (true) - { -- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) -+ memset(buf, 0, sizeof(buf)); -+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) - { - goto error; - } -@@ -844,7 +849,8 @@ establish_http_proxy_passthru(struct htt - } - - /* receive reply from proxy */ -- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) -+ memset(buf, 0, sizeof(buf)); -+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) - { - goto error; - } -@@ -969,7 +975,8 @@ establish_http_proxy_passthru(struct htt - } - - /* receive reply from proxy */ -- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) -+ memset(buf, 0, sizeof(buf)); -+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received)) - { - goto error; - } -Index: openvpn-2.4.10/src/openvpn/socket.c -=================================================================== ---- openvpn-2.4.10.orig/src/openvpn/socket.c -+++ 
openvpn-2.4.10/src/openvpn/socket.c -@@ -1278,6 +1278,9 @@ socket_listen_accept(socket_descriptor_t - /* struct openvpn_sockaddr *remote = &act->dest; */ - struct openvpn_sockaddr remote_verify = act->dest; - socket_descriptor_t new_sd = SOCKET_UNDEFINED; -+ -+ if (sd >= FD_SETSIZE) -+ return -1; - - CLEAR(*act); - socket_do_listen(sd, local, do_listen, true); -@@ -1428,6 +1431,9 @@ openvpn_connect(socket_descriptor_t sd, - { - int status = 0; - -+ if (sd >= FD_SETSIZE) -+ return -1; -+ - #ifdef TARGET_ANDROID - protect_fd_nonlocal(sd, remote); - #endif -Index: openvpn-2.4.10/src/openvpn/socks.c -=================================================================== ---- openvpn-2.4.10.orig/src/openvpn/socks.c -+++ openvpn-2.4.10/src/openvpn/socks.c -@@ -98,13 +98,16 @@ socks_username_password_auth(struct sock - socket_descriptor_t sd, - volatile int *signal_received) - { -- char to_send[516]; -- char buf[2]; -+ char to_send[516] = {0}; -+ char buf[2] = {0}; - int len = 0; - const int timeout_sec = 5; - struct user_pass creds; - ssize_t size; - -+ if (sd >= FD_SETSIZE) -+ return false; -+ - creds.defined = 0; - if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT)) - { -@@ -193,7 +196,7 @@ socks_handshake(struct socks_proxy_info - socket_descriptor_t sd, - volatile int *signal_received) - { -- char buf[2]; -+ char buf[2] = {0}; - int len = 0; - const int timeout_sec = 5; - ssize_t size; -@@ -205,6 +208,9 @@ socks_handshake(struct socks_proxy_info - method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */ - - } -+ if (sd >= FD_SETSIZE) -+ return false; -+ - size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL); - if (size != sizeof(method_sel)) - { -@@ -312,9 +318,12 @@ recv_socks_reply(socket_descriptor_t sd, - char atyp = '\0'; - int alen = 0; - int len = 0; -- char buf[270]; /* 4 + alen(max 256) + 2 */ -+ char buf[270] = {0}; /* 4 + alen(max 256) + 2 */ - const int timeout_sec = 5; - -+ if (sd >= FD_SETSIZE) -+ return false; -+ - if 
(addr != NULL) - { - addr->addr.in4.sin_family = AF_INET; -@@ -398,7 +407,7 @@ recv_socks_reply(socket_descriptor_t sd, - } - - /* store char in buffer */ -- if (len < (int)sizeof(buf)) -+ if (len < (int)sizeof(buf) && len >= 0) - { - buf[len] = c; - } -@@ -454,7 +463,7 @@ establish_socks_proxy_passthru(struct so - const char *servname, /* openvpn server port */ - volatile int *signal_received) - { -- char buf[270]; -+ char buf[270] = {0}; - size_t len; - - if (!socks_handshake(p, sd, signal_received)) diff --git a/openvpn-2.4.11.tar.xz b/openvpn-2.4.11.tar.xz deleted file mode 100644 index 23ca1ce..0000000 --- a/openvpn-2.4.11.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e579eff218ab1d765965e64a917927504d8324717afdfcd56850f6b83ba8441b -size 970872 diff --git a/openvpn-2.4.11.tar.xz.asc b/openvpn-2.4.11.tar.xz.asc deleted file mode 100644 index 42a19c9..0000000 --- a/openvpn-2.4.11.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE/DZ4Imbv9iQMR50nEco5yCwF7okFAmB/tIAACgkQEco5yCwF -7olP2BAA29nE8DfSzet1Lu1u/D5TdtLoMcSclZBnRP3McSzZV+HBECWEmoXCW1I3 -ljtJgG1bIKGQUPDUmBzCkTG7SB2rGSp90q96ppybgsKpWV6ZjoKLPVEBcePVYBhS -sbGMBj4YgviyIG0yaemWRx5dz/7SpxqYMc8yQ9u2tI6ydicMepdPXgQIggh5FoRf -j7G8UbZeOGeqrYQyatIbhW3vehw4HrsCTx6YmhomOKHuMppf+JbjlpDmm3BVRjhO -9qRA49n5Cmh68mXJG0SpxW02bHFXgMKi+DyjFlJPdA97IN/exzGuIUoim3Jk58eM -AnhKiC2Ctb7BRc3h4JBtm3guDd1xirV56XOnRmjyoVl+vq4gl8p+XzL8NeKbfqGa -WW59zd/8uF5r7u8smIjOvlUXh8lCwPrKo/IpxXzy54jknhlGfUZdzv4Kb+MVdP1w -VM2MnBZ5ukVLR2e/DnAeHTORQYHauyVj3whpdrQqMccDbqhz2R1YOu+ndTS+XOs+ -VnyNbsvBxOekT+ZqFZ70yT2+dFKu5Y9XfyfDnjBdHCd1qnF15Fe95O0SGw16eqfM -lqfz6WPxsxTfr6kOqQCfbKQVrPVu2hQuOROrJrA5Yheeqcnv6QMQm0efYfr/DwkQ -0qLNszu/Sx9ndgxXTeRZpQkfxKsubARPr0KiCo9dRBB8/sf6Iow= -=fE7o ------END PGP SIGNATURE----- diff --git a/openvpn-2.5.3.tar.xz b/openvpn-2.5.3.tar.xz new file mode 100644 index 0000000..8868f1e --- /dev/null +++ b/openvpn-2.5.3.tar.xz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fb6a9943c603a1951ca13e9267653f8dd650c02f84bccd2b9d20f06a4c9c9a7e +size 1149004 diff --git a/openvpn-2.5.3.tar.xz.asc b/openvpn-2.5.3.tar.xz.asc new file mode 100644 index 0000000..9364db9 --- /dev/null +++ b/openvpn-2.5.3.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE/DZ4Imbv9iQMR50nEco5yCwF7okFAmDLEwoACgkQEco5yCwF +7okUew/8D+suTEafri2IKM8Mycg/k8ENpBK+8xB+POAsRd4t1SjgOUT6+iuodu4p +rwUr7r2GKyRXRpiKFNPhQnjgoUzJ8EGCImB6I45Hgl47J5H47ns8x5EIQoXexWXg +FS/wFE0XcejF5hpH4s1TJ5PhWifzfeUjcVT2hYNVb8ArAAO9vN56kR28ocQAujJk +LDjQUKabCGo6XSfatq+hgNoq1I1VOE33vrzKLCeIO/GK/FT9ey6AYVCULidEA+jt +2H9RgvlzmzTSzJYTJuuVIw2om0ozNRcTayN20qgmFtnWusbqrv4gt8mk0gZ3xhoP +7MEC/r/SJrxR1q1yaQ6VWFY4yYU1H6uRXgr8xwg31tmC8cGwWYkNUNNQRDY9nlDC +6VAcq2MSduTYtBvBw/Nu/sCIx5hwaiFto2oPzWREWMgyx3KG7DN8Gb8RjzgJ+oep +3jW48umrbtI8mKK0gvOa8DOSWAKchdCEfrbUXsgzReENwobN3FnoTkFK/1uBkWLN +fs6PbmNB5L05zwXhmuCZl4Iyf6KlQpNiMTzvpfM0pZKVSBW70UfZU575vUMtOsXL +pRwPPTCZ5oQgQ6UQyCnEvUct+IUBPo3Guf2xeEQkdGitcAH5qd2o2LdjefbiRZl8 +s7vwHk85Gx2ZKO6d+YTEEPOgiTJm1oeLmkqK7Adw1BkJgFTPwbA= +=MMVI +-----END PGP SIGNATURE----- diff --git a/openvpn-fips140-2.3.2.patch b/openvpn-fips140-2.3.2.patch index 8239c66..d05d549 100644 --- a/openvpn-fips140-2.3.2.patch +++ b/openvpn-fips140-2.3.2.patch @@ -13,11 +13,9 @@ Signed-off-by: Nirmoy Das src/openvpn/ssl.c | 4 ++-- 6 files changed, 15 insertions(+), 6 deletions(-) -diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c -index 5f482d0..ff0f9a7 100644 ---- a/src/openvpn/crypto.c -+++ b/src/openvpn/crypto.c -@@ -876,7 +876,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key, +--- src/openvpn/crypto.c.orig ++++ src/openvpn/crypto.c +@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const if (kt->digest && kt->hmac_length > 0) { ctx->hmac = hmac_ctx_new(); 
@@ -26,11 +24,9 @@ index 5f482d0..ff0f9a7 100644 msg(D_HANDSHAKE, "%s: Using %d bit message hash '%s' for HMAC authentication", -diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h -index b7f519b..2911248 100644 ---- a/src/openvpn/crypto_backend.h -+++ b/src/openvpn/crypto_backend.h -@@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); +--- src/openvpn/crypto_backend.h.orig ++++ src/openvpn/crypto_backend.h +@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); * @param key The key to use for the HMAC * @param key_len The key length to use * @param kt Static message digest parameters @@ -43,11 +39,9 @@ index b7f519b..2911248 100644 /* * Free the given HMAC context. -diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c -index a55e65c..79f5530 100644 ---- a/src/openvpn/crypto_openssl.c -+++ b/src/openvpn/crypto_openssl.c -@@ -926,11 +926,15 @@ +--- src/openvpn/crypto_openssl.c.orig ++++ src/openvpn/crypto_openssl.c +@@ -1008,11 +1008,15 @@ hmac_ctx_free(HMAC_CTX *ctx) void hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, @@ -64,11 +58,9 @@ index a55e65c..79f5530 100644 HMAC_Init_ex(ctx, key, key_len, kt, NULL); /* make sure we used a big enough key */ -diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c -index 0b1163e..93283bc 100644 ---- a/src/openvpn/ntlm.c -+++ b/src/openvpn/ntlm.c -@@ -88,7 +88,7 @@ +--- src/openvpn/ntlm.c.orig ++++ src/openvpn/ntlm.c +@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da const md_kt_t *md5_kt = md_kt_get("MD5"); hmac_ctx_t *hmac_ctx = hmac_ctx_new(); 
@@ -77,28 +69,50 @@ index 0b1163e..93283bc 100644 hmac_ctx_update(hmac_ctx, data, data_len); hmac_ctx_final(hmac_ctx, result); hmac_ctx_cleanup(hmac_ctx); -diff --git a/src/openvpn/options.c b/src/openvpn/options.c -index fef5e90..33b6976 100644 ---- a/src/openvpn/options.c -+++ b/src/openvpn/options.c -@@ -850,6 +850,10 @@ init_options(struct options *o, const bool init_gc) - #endif - #ifdef ENABLE_CRYPTO - o->ciphername = "BF-CBC"; +--- src/openvpn/options.c.orig ++++ src/openvpn/options.c +@@ -850,6 +850,10 @@ init_options(struct options *o, const bo + o->tcp_queue_limit = 64; + o->max_clients = 1024; + o->max_routes_per_client = 256; +#ifdef OPENSSL_FIPS + if(FIPS_mode()) + o->ciphername = "AES-256-CBC"; +#endif - #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */ - o->ncp_enabled = true; - #else -diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c -index 15cd94a..21f50f1 100644 ---- a/src/openvpn/ssl.c -+++ b/src/openvpn/ssl.c -@@ -1635,8 +1635,8 @@ tls1_P_hash(const md_kt_t *md_kt, - chunk = md_kt_size(md_kt); - A1_len = md_kt_size(md_kt); + o->stale_routes_check_interval = 0; + o->ifconfig_pool_persist_refresh_freq = 600; + #if P2MP +@@ -3087,6 +3091,12 @@ options_postprocess_cipher(struct option + if (!o->ciphername) + { + o->ciphername = "BF-CBC"; ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ o->ciphername = "AES-256-CBC"; ++ } ++#endif + } + return; + } +@@ -3109,6 +3119,12 @@ options_postprocess_cipher(struct option + /* We still need to set the ciphername to BF-CBC since various other + * parts of OpenVPN assert that the ciphername is set */ + o->ciphername = "BF-CBC"; ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ o->ciphername = "AES-256-CBC"; ++ } ++#endif + } + else if (!o->enable_ncp_fallback + && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers)) +--- src/openvpn/ssl.c.orig ++++ src/openvpn/ssl.c +@@ -1661,8 +1661,8 @@ tls1_P_hash(const md_kt_t *md_kt, + int chunk = md_kt_size(md_kt); + unsigned int A1_len = 
md_kt_size(md_kt); - hmac_ctx_init(ctx, sec, sec_len, md_kt); - hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); @@ -107,6 +121,3 @@ index 15cd94a..21f50f1 100644 hmac_ctx_update(ctx,seed,seed_len); hmac_ctx_final(ctx, A1); --- -2.13.1 - diff --git a/openvpn.changes b/openvpn.changes index 4bcba90..062102b 100644 --- a/openvpn.changes +++ b/openvpn.changes @@ -1,3 +1,36 @@ +------------------------------------------------------------------- +Thu Aug 5 14:07:14 UTC 2021 - Reinhard Max + +- Update to 2.5.3: + + * Removal of BF-CBC support in default configuration + *** POSSIBLE INCOMPATIBILITY *** + See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8). + + * Connections setup is now much faster + * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel + * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer + * Client-specific tls-crypt keys (--tls-crypt-v2) + * Improved Data channel cipher negotiation + * HMAC based auth-token support for seamless reconnects to + standalone servers or a group of servers + * Asynchronous (deferred) authentication support for auth-pam + plugin + * Asynchronous (deferred) support for client-connect scripts and + plugins + * Support IPv4 configs with /31 netmasks + * 802.1q VLAN support on TAP servers + * Support IPv6-only tunnels + * New option --block-ipv6 to reject all IPv6 packets (ICMPv6) + * Support Virtual Routing and Forwarding (VRF) + * Netlink integration (OpenVPN no longer needs to execute + ifconfig/route or ip commands) + * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch + +- bsc#1062157: The fix for bsc#934237 causes problems with the + crypto self-test of newer openvpn versions. + Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch . + ------------------------------------------------------------------- Mon May 31 15:29:08 UTC 2021 - Dirk Müller diff --git a/openvpn.spec b/openvpn.spec index bc5e342..4302222 100644 --- a/openvpn.spec +++ b/openvpn.spec 
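Review bot: The `init_options` hunk of the rebased fips patch assigns `o->ciphername = "AES-256-CBC"` under `OPENSSL_FIPS` before any option is parsed, so in FIPS mode the `if (!o->ciphername)` branch of `options_postprocess_cipher` (where the patch adds the same override a second time) can never be taken, and the `else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))` check in the last hunk then sees a pre-set cipher, presumably as if the user had passed `--cipher`; the `init_options` hunk looks redundant with the two postprocess hunks and should probably be dropped. `FIPS_mode()` and `OPENSSL_FIPS` belong to the OpenSSL 1.x FIPS module and are absent from OpenSSL 3, where the whole override compiles out silently; a comment such as `/* OPENSSL_FIPS/FIPS_mode() are 1.x-only; OpenSSL 3 needs EVP_default_properties_is_fips_enabled() */` would record that. The crypto_backend.h/crypto_openssl.c hunks widen `hmac_ctx_init` by one parameter, but the parameter itself is not in the shown context, so its purpose (presumably letting ntlm.c's MD5 HMAC run in FIPS mode) should be stated in the `@param` block the hunk already touches. The bodies of `init_options` and `options_postprocess_cipher` extend outside these hunks.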
@@ -24,7 +24,7 @@
 %define _rundir %{_localstatedir}/run
 %endif
 Name: openvpn
-Version: 2.4.11
+Version: 2.5.3
 Release: 0
 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
 License: LGPL-2.1-only AND SUSE-GPL-2.0-with-openssl-exception
@@ -42,8 +42,6 @@ Source10: %{name}-tmpfile.conf
 Source11: rc%{name}
 Patch1: %{name}-2.3-plugin-man.dif
 Patch6: %{name}-fips140-2.3.2.patch
-Patch7: openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
-Patch8: openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
 Patch9: 0001-preform-deferred-authentication-in-the-background.patch
 BuildRequires: iproute2
 BuildRequires: libselinux-devel
@@ -127,10 +125,8 @@ This package provides the header file to build external plugins.
 
 %prep
 %setup -q
 %patch1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
+%patch6
+%patch9
 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
 -i src/openvpn/options.c
From 6c81d3760aaf3f34d0037d061e576a6f40c3b56c3ff2a106c4015da0cc93fc61 Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Thu, 5 Aug 2021 15:04:36 +0000
Subject: [PATCH 2/3] OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=166
---
 openvpn.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openvpn.spec b/openvpn.spec
index 4302222..12ae20b 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -57,7 +57,7 @@ BuildRequires: pkgconfig(systemd)
 Requires: iproute2
 Requires: pkcs11-helper >= 1.11
 Requires: sysvinit-tools
-%systemd_ordering
+%{?systemd_ordering}
 
 %description
 OpenVPN is a full-featured SSL VPN solution which can accommodate a wide
From 4674679943331197c55295a75c3dbe6290dc009c4fe8cac0ed7348993bfcd482 Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Thu, 5 Aug 2021 15:24:46 +0000
Subject: [PATCH 3/3] OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=167
---
 openvpn.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
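Review bot: Removing `Patch8: openvpn-2.3.x-fixed-multiple-low-severity-issues.patch` drops more than the `OPENVPN_MAX_BLOCK_LENGTH` buffer-sizing change that the changes entry blames for the crypto self-test failure: the deleted patch also carried the `sd >= FD_SETSIZE` guards in proxy.c, socket.c and socks.c, the zero-initialised line buffers with `sizeof(buf) - 1` bounds on `recv_line`, and the `len >= 0` check in `recv_socks_reply`. Unless 2.5.3 contains equivalent checks (not verifiable from this diff), those non-crypto hunks should be split into their own patch and kept rather than going away with the crypto part. The switch from `%patch6 -p1` to `%patch6` (and likewise for `%patch9`) matches the rewritten `--- src/openvpn/crypto.c.orig` headers in the rebased patches, so that part is consistent.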
diff --git a/openvpn.spec b/openvpn.spec
index 12ae20b..4302222 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -57,7 +57,7 @@ BuildRequires: pkgconfig(systemd)
 Requires: iproute2
 Requires: pkcs11-helper >= 1.11
 Requires: sysvinit-tools
-%{?systemd_ordering}
+%systemd_ordering
 
 %description
 OpenVPN is a full-featured SSL VPN solution which can accommodate a wide
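Review bot: This hunk restores the blob of commit 1 (`index 12ae20b..4302222`), so commits 2 and 3 cancel out and `openvpn.changes` records neither the switch to `%{?systemd_ordering}` nor its revert. If the unconditional `%systemd_ordering` is intended — an undefined macro there is typically left unexpanded and breaks the preamble, whereas the `%{?...}` form silently expands to nothing — a one-line comment above it, e.g. `# unconditional on purpose: the systemd macros are required on every supported target`, would keep the next rebase from flipping it again.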