forked from pool/openvpn
Nirmoy Das 2017-06-06 12:54:53 +00:00 committed by Git OBS Bridge
parent 9c3259ca06
commit 9b5c6bd385
9 changed files with 405 additions and 638 deletions


@ -1,17 +1,8 @@
From 8c39dbd45d3551e838310732a73e05f6d2d2e784 Mon Sep 17 00:00:00 2001
From: Nirmoy Das <ndas@suse.de>
Date: Thu, 12 May 2016 12:08:56 +0200
Subject: [PATCH] preform deferred authentication in the background to not
cause main daemon processing delays when the underlying pam mechanism (e.g.
ldap) needs longer to response.
References: bsc#959511
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index bd71792..119fc31 100644 index 54471a3..1d52035 100644
--- a/src/plugins/auth-pam/auth-pam.c --- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c +++ b/src/plugins/auth-pam/auth-pam.c
@@ -55,6 +55,7 @@ @@ -56,6 +56,7 @@
/* Command codes for foreground -> background communication */ /* Command codes for foreground -> background communication */
#define COMMAND_VERIFY 0 #define COMMAND_VERIFY 0
#define COMMAND_EXIT 1 #define COMMAND_EXIT 1
@ -19,16 +10,16 @@ index bd71792..119fc31 100644
/* Response codes for background -> foreground communication */ /* Response codes for background -> foreground communication */
#define RESPONSE_INIT_SUCCEEDED 10 #define RESPONSE_INIT_SUCCEEDED 10
@@ -108,6 +109,7 @@ struct user_pass { @@ -112,6 +113,7 @@ struct user_pass {
char username[128]; char username[128];
char password[128]; char password[128];
char common_name[128]; char common_name[128];
+ char auth_control_file[PATH_MAX]; + char auth_control_file[PATH_MAX];
const struct name_value_list *name_value_list; const struct name_value_list *name_value_list;
}; };
@@ -687,6 +689,21 @@ pam_auth (const char *service, const struct user_pass *up) @@ -708,6 +710,21 @@ pam_auth(const char *service, const struct user_pass *up)
return ret; return ret;
} }
+static int handle_auth_control_file(char *auth_control_file, int status) +static int handle_auth_control_file(char *auth_control_file, int status)
@ -49,51 +40,52 @@ index bd71792..119fc31 100644
/* /*
* Background process -- runs with privilege. * Background process -- runs with privilege.
*/ */
@@ -781,6 +798,41 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list @@ -807,6 +824,42 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
} plugin_secure_memzero(up.password, sizeof(up.password));
break; break;
+ case COMMAND_VERIFY_V2: + case COMMAND_VERIFY_V2:
+ if (recv_string (fd, up.username, sizeof (up.username)) == -1 + if (recv_string (fd, up.username, sizeof (up.username)) == -1
+ || recv_string (fd, up.password, sizeof (up.password)) == -1 + || recv_string (fd, up.password, sizeof (up.password)) == -1
+ || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1 + || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1
+ || recv_string (fd, up.auth_control_file, sizeof (up.auth_control_file)) == -1) + || recv_string (fd, up.auth_control_file, sizeof (up.auth_control_file)) == -1)
+ { + {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n", + fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n",
+ command); + command);
+ goto done; + goto done;
+ } + }
+ +
+ if (DEBUG (verb)) + if (DEBUG (verb))
+ { + {
+#if 0 +#if 0
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n", + fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
+ up.username, up.password); + up.username, up.password);
+#else +#else
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username); + fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username);
+#endif +#endif
+ } + }
+ +
+ if (pam_auth (service, &up)) /* Succeeded */ + if (pam_auth (service, &up)) /* Succeeded */
+ { + {
+ if (handle_auth_control_file(up.auth_control_file, 1) == -1) { + if (handle_auth_control_file(up.auth_control_file, 1) == -1) {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n"); + fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n");
+ } + }
+ } + }
+ else /* Failed */ + else /* Failed */
+ { + {
+ if (handle_auth_control_file(up.auth_control_file, 0) == -1) { + if (handle_auth_control_file(up.auth_control_file, 0) == -1) {
+ fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n"); + fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on control file\n");
+ } + }
+ } + }
+ break; + break;
+ +
case COMMAND_EXIT: +
goto done; case COMMAND_EXIT:
goto done;
@@ -804,3 +856,56 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list @@ -833,3 +886,56 @@ done:
return; return;
} }
+ +
+int +int
@ -149,15 +141,12 @@ index bd71792..119fc31 100644
+ } + }
+} +}
diff --git a/src/plugins/auth-pam/auth-pam.exports b/src/plugins/auth-pam/auth-pam.exports diff --git a/src/plugins/auth-pam/auth-pam.exports b/src/plugins/auth-pam/auth-pam.exports
index b07937c..11a80f1 100644 index 597e33f..b304ff4 100644
--- a/src/plugins/auth-pam/auth-pam.exports --- a/src/plugins/auth-pam/auth-pam.exports
+++ b/src/plugins/auth-pam/auth-pam.exports +++ b/src/plugins/auth-pam/auth-pam.exports
@@ -1,4 +1,5 @@ @@ -1,4 +1,5 @@
openvpn_plugin_open_v1 openvpn_plugin_open_v3
openvpn_plugin_func_v1 openvpn_plugin_func_v1
+openvpn_plugin_func_v2 +openvpn_plugin_func_v2
openvpn_plugin_close_v1 openvpn_plugin_close_v1
openvpn_plugin_abort_v1 openvpn_plugin_abort_v1
--
2.6.2
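Review bot: The `#if 0` branch in the new COMMAND_VERIFY_V2 handler that would print `USER/PASS: %s/%s` to stderr should be deleted outright rather than left disabled; a dormant password-logging path inside the privileged background process is exactly the kind of thing that gets flipped on during debugging and shipped, and the `#else` branch already logs everything needed. The value in `up.auth_control_file` arrives over the command channel from the foreground via `recv_string` and is then used by the privileged background process in `handle_auth_control_file` (whose body lies outside this view, as does the rest of `pam_server`), so the `recv_string` call deserves a comment making the trust boundary explicit, e.g. `/* path comes from the foreground side; the background writes wherever it points, so only OpenVPN's own auth_control_file must ever be passed here */`. When `handle_auth_control_file` fails on the success path the client is left with no verdict in the control file; presumably OpenVPN then times the deferred authentication out as a failure, but the `write error on control file` message would be far more useful with `strerror(errno)` appended.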


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f3a0d0eaf8d544409f76a9f2a238a0cd3dde9e1a9c1f98ac732a8b572bcdee98
size 831404


@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlhH9nkACgkQwp2X7RmNIqOYtQCfbRsvCy0r7RnYXEAZJ3nzsaww
JoMAoIMDSlotKGn/9tey0L+Nj8+8kI+N
=D64i
-----END PGP SIGNATURE-----


@ -1,238 +1,257 @@
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 4261795..44c1f9e 100644 index 09659aa..b35d884 100644
--- a/src/openvpn/crypto.c --- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c
@@ -151,7 +151,7 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, @@ -119,7 +119,7 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
ASSERT (cipher_ctx_reset(ctx->cipher, iv_buf)); dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 80, &gc));
/* Buffer overflow check */ /* Buffer overflow check */
- if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher))) - if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe (&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH)) + if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{ {
msg (D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d", msg(D_CRYPT_ERRORS,
buf->capacity, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d",
@@ -278,7 +278,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, @@ -238,7 +238,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work,
const int iv_size = cipher_ctx_iv_length (ctx->cipher); ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf));
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher);
uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH];
- int outlen;
+ int outlen = 0;
/* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */ /* Buffer overflow check */
ASSERT (buf_init (&work, FRAME_HEADROOM_ADJ (frame, FRAME_HEADROOM_MARKER_DECRYPT))); - if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
@@ -305,7 +305,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, + if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
CRYPT_ERROR ("cipher init failed"); {
msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d",
buf->capacity,
@@ -379,7 +379,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
uint8_t *tag_ptr = NULL;
int tag_size = 0;
- int outlen;
+ int outlen = 0;
struct gc_arena gc;
/* Buffer overflow check (should never happen) */ gc_init(&gc);
- if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher))) @@ -456,7 +456,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
+ if (!buf_safe (&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH)) dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), BLEN(buf), 0, &gc));
CRYPT_ERROR ("potential buffer overflow");
/* Decrypt packet ID, payload */ /* Buffer overflow check (should never fail) */
- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{
CRYPT_ERROR("potential buffer overflow");
}
@@ -602,7 +602,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work,
}
/* Buffer overflow check (should never happen) */
- if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
+ if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
{
CRYPT_ERROR("potential buffer overflow");
}
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index 2ed0bef..ae9f24d 100644 index f8ddbc8..7706b02 100644
--- a/src/openvpn/crypto_openssl.h --- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h
@@ -53,6 +53,9 @@ typedef HMAC_CTX hmac_ctx_t; @@ -53,6 +53,9 @@ typedef HMAC_CTX hmac_ctx_t;
/** Maximum length of an IV */ /** Maximum length of an IV */
#define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH #define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH
+/** Maximum length of a cipher block */ +/** Maximum length of a cipher block */
+#define OPENVPN_MAX_BLOCK_LENGTH EVP_MAX_BLOCK_LENGTH +#define OPENVPN_MAX_BLOCK_LENGTH EVP_MAX_BLOCK_LENGTH
+ +
/** Cipher is in CBC mode */ /** Cipher is in CBC mode */
#define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE #define OPENVPN_MODE_CBC EVP_CIPH_CBC_MODE
diff --git a/src/openvpn/init.c b/src/openvpn/init.c diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 089e3c4..e03a3e6 100644 index 66126ef..b8d4a8c 100644
--- a/src/openvpn/init.c --- a/src/openvpn/init.c
+++ b/src/openvpn/init.c +++ b/src/openvpn/init.c
@@ -2614,8 +2614,8 @@ init_context_buffers (const struct frame *frame) @@ -3052,8 +3052,8 @@ init_context_buffers(const struct frame *frame)
b->aux_buf = alloc_buf (BUF_SIZE (frame)); b->aux_buf = alloc_buf(BUF_SIZE(frame));
#ifdef ENABLE_CRYPTO #ifdef ENABLE_CRYPTO
- b->encrypt_buf = alloc_buf (BUF_SIZE (frame)); - b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
- b->decrypt_buf = alloc_buf (BUF_SIZE (frame)); - b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
+ b->encrypt_buf = alloc_buf (BUF_SIZE (frame) + OPENVPN_MAX_BLOCK_LENGTH); + b->encrypt_buf = alloc_buf(BUF_SIZE(frame) + OPENVPN_MAX_BLOCK_LENGTH);
+ b->decrypt_buf = alloc_buf (BUF_SIZE (frame) + OPENVPN_MAX_BLOCK_LENGTH); + b->decrypt_buf = alloc_buf(BUF_SIZE(frame) + OPENVPN_MAX_BLOCK_LENGTH);
#endif #endif
#ifdef ENABLE_LZO #ifdef USE_COMP
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 89989d1..5809daa 100644 index b0ed327..0ad0385 100644
--- a/src/openvpn/proxy.c --- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c +++ b/src/openvpn/proxy.c
@@ -76,6 +76,9 @@ recv_line (socket_descriptor_t sd, @@ -74,6 +74,9 @@ recv_line(socket_descriptor_t sd,
struct buffer la; struct buffer la;
int lastc = 0; int lastc = 0;
+ if (sd >= FD_SETSIZE) + if (sd >= FD_SETSIZE)
+ return false; + return false;
+ +
CLEAR (la); CLEAR(la);
if (lookahead) if (lookahead)
la = *lookahead;
@@ -283,11 +286,11 @@ get_proxy_authenticate (socket_descriptor_t sd,
struct gc_arena *gc,
volatile int *signal_received)
{
- char buf[256];
+ char buf[256] = {0};
int ret = HTTP_AUTH_NONE;
while (true)
{ {
- if (!recv_line (sd, buf, sizeof (buf), timeout, true, NULL, signal_received)) @@ -312,11 +315,11 @@ get_proxy_authenticate(socket_descriptor_t sd,
+ if (!recv_line (sd, buf, sizeof (buf) - 1, timeout, true, NULL, signal_received)) struct gc_arena *gc,
{ volatile int *signal_received)
*data = NULL;
return HTTP_AUTH_NONE;
@@ -498,9 +501,9 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
volatile int *signal_received)
{ {
struct gc_arena gc = gc_new (); - char buf[256];
- char buf[512]; + char buf[256] = {0};
- char buf2[129]; int ret = HTTP_AUTH_NONE;
- char get[80]; while (true)
+ char buf[512] = {0}; {
+ char buf2[129] = {0}; - if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, signal_received))
+ char get[80] = {0}; + if (!recv_line(sd, buf, sizeof(buf) - 1, timeout, true, NULL, signal_received))
int status; {
int nparms; *data = NULL;
bool ret = false; return HTTP_AUTH_NONE;
@@ -586,7 +589,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p, @@ -631,9 +634,9 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
goto error;
/* receive reply from proxy */
- if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line (sd, buf, sizeof(buf) - 1 , p->options.timeout, true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
@@ -615,7 +619,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
while (true)
{
- if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line (sd, buf, sizeof(buf) - 1, p->options.timeout, true, NULL, signal_received))
goto error;
chomp (buf);
msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
@@ -685,7 +690,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
goto error;
/* receive reply from proxy */
- if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line (sd, buf, sizeof(buf) - 1, p->options.timeout, true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
@@ -795,7 +801,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
goto error;
/* receive reply from proxy */
- if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line (sd, buf, sizeof(buf) - 1, p->options.timeout, true, NULL, signal_received))
goto error;
/* remove trailing CR, LF */
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 3474f18..dfd9d6c 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -832,6 +832,9 @@ socket_listen_accept (socket_descriptor_t sd,
struct openvpn_sockaddr remote_verify = act->dest;
int new_sd = SOCKET_UNDEFINED;
+ if (sd >= FD_SETSIZE)
+ return -1;
+
CLEAR (*act);
socket_do_listen (sd, local, do_listen, true);
@@ -919,6 +922,9 @@ openvpn_connect (socket_descriptor_t sd,
{
int status = 0;
+ if (sd >= FD_SETSIZE)
+ return -1;
+
#ifdef CONNECT_NONBLOCK
set_nonblock (sd);
status = connect (sd, &remote->addr.sa, af_addr_size(remote->addr.sa.sa_family));
diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
index 57dc02a..8954e91 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -97,13 +97,16 @@ socks_username_password_auth (struct socks_proxy_info *p,
socket_descriptor_t sd,
volatile int *signal_received) volatile int *signal_received)
{ {
- char to_send[516]; struct gc_arena gc = gc_new();
- char buf[2]; - char buf[512];
+ char to_send[516] = {0}; - char buf2[129];
+ char buf[2] = {0}; - char get[80];
int len = 0; + char buf[512] = {0};
const int timeout_sec = 5; + char buf2[129] = {0};
struct user_pass creds; + char get[80] = {0};
ssize_t size; int status;
int nparms;
bool ret = false;
@@ -723,7 +726,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
}
+ if (sd >= FD_SETSIZE) /* receive reply from proxy */
+ return false; - if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ + memset(buf, 0, sizeof(buf));
creds.defined = 0; + if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
if (!get_user_pass (&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT)) {
{ goto error;
@@ -189,7 +192,7 @@ socks_handshake (struct socks_proxy_info *p, }
socket_descriptor_t sd, @@ -754,7 +758,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
volatile int *signal_received)
while (true)
{
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
@@ -834,7 +839,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
}
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
@@ -952,7 +958,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
}
/* receive reply from proxy */
- if (!recv_line(sd, buf, sizeof(buf), get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
+ memset(buf, 0, sizeof(buf));
+ if (!recv_line(sd, buf, sizeof(buf) - 1, get_server_poll_remaining_time(server_poll_timeout), true, NULL, signal_received))
{
goto error;
}
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 7d3dd60..334c47e 100644
--- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c
@@ -1163,6 +1163,9 @@ socket_listen_accept(socket_descriptor_t sd,
/* struct openvpn_sockaddr *remote = &act->dest; */
struct openvpn_sockaddr remote_verify = act->dest;
socket_descriptor_t new_sd = SOCKET_UNDEFINED;
+
+ if (sd >= FD_SETSIZE)
+ return -1;
CLEAR(*act);
socket_do_listen(sd, local, do_listen, true);
@@ -1315,6 +1318,9 @@ openvpn_connect(socket_descriptor_t sd,
{ {
- char buf[2]; int status = 0;
+ char buf[2] = {0};
int len = 0;
const int timeout_sec = 5;
ssize_t size;
@@ -198,6 +201,8 @@ socks_handshake (struct socks_proxy_info *p,
char method_sel[3] = { 0x05, 0x01, 0x00 };
if (p->authfile[0])
method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
+ if (sd >= FD_SETSIZE)
+ return false;
size = send (sd, method_sel, sizeof (method_sel), MSG_NOSIGNAL); + if (sd >= FD_SETSIZE)
if (size != sizeof (method_sel)) + return -1;
@@ -302,9 +307,12 @@ recv_socks_reply (socket_descriptor_t sd,
char atyp = '\0';
int alen = 0;
int len = 0;
- char buf[22];
+ char buf[22] = {0};
const int timeout_sec = 5;
+ if (sd >= FD_SETSIZE)
+ return false;
+ +
if (addr != NULL) #ifdef TARGET_ANDROID
{ protect_fd_nonlocal(sd, remote);
addr->addr.in4.sin_family = AF_INET; #endif
@@ -381,7 +389,7 @@ recv_socks_reply (socket_descriptor_t sd, diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
} index b50cac3..79632a8 100644
--- a/src/openvpn/socks.c
+++ b/src/openvpn/socks.c
@@ -99,13 +99,16 @@ socks_username_password_auth(struct socks_proxy_info *p,
socket_descriptor_t sd,
volatile int *signal_received)
{
- char to_send[516];
- char buf[2];
+ char to_send[516] = {0};
+ char buf[2] = {0};
int len = 0;
const int timeout_sec = 5;
struct user_pass creds;
ssize_t size;
+ if (sd >= FD_SETSIZE)
+ return false;
+
creds.defined = 0;
if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, GET_USER_PASS_MANAGEMENT))
{
@@ -194,7 +197,7 @@ socks_handshake(struct socks_proxy_info *p,
socket_descriptor_t sd,
volatile int *signal_received)
{
- char buf[2];
+ char buf[2] = {0};
int len = 0;
const int timeout_sec = 5;
ssize_t size;
@@ -206,6 +209,9 @@ socks_handshake(struct socks_proxy_info *p,
method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
/* store char in buffer */
- if (len < (int)sizeof(buf))
+ if (len < (int)sizeof(buf) && len >= 0)
buf[len] = c;
++len;
} }
@@ -411,7 +419,7 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p, + if (sd >= FD_SETSIZE)
const int port, /* openvpn server port */ + return false;
volatile int *signal_received) +
{ size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL);
- char buf[128]; if (size != sizeof(method_sel))
+ char buf[128] = {0}; {
size_t len; @@ -313,9 +319,12 @@ recv_socks_reply(socket_descriptor_t sd,
char atyp = '\0';
int alen = 0;
int len = 0;
- char buf[22];
+ char buf[22] = {0};
const int timeout_sec = 5;
if (!socks_handshake (p, sd, signal_received)) + if (sd >= FD_SETSIZE)
+ return false;
+
if (addr != NULL)
{
addr->addr.in4.sin_family = AF_INET;
@@ -396,7 +405,7 @@ recv_socks_reply(socket_descriptor_t sd,
}
/* store char in buffer */
- if (len < (int)sizeof(buf))
+ if (len < (int)sizeof(buf) && len >= 0)
{
buf[len] = c;
}
@@ -448,7 +457,7 @@ establish_socks_proxy_passthru(struct socks_proxy_info *p,
const char *servname, /* openvpn server port */
volatile int *signal_received)
{
- char buf[128];
+ char buf[128] = {0};
size_t len;
if (!socks_handshake(p, sd, signal_received))
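Review bot: The `sd >= FD_SETSIZE` guards added to recv_line, socket_listen_accept, openvpn_connect, socks_username_password_auth, socks_handshake and recv_socks_reply all fail silently, returning -1 or false with no log line, so a server that runs past the select() descriptor range just sees connections dropping with no diagnostic. Each guard should emit something like `msg(M_WARN, "socket descriptor %d exceeds FD_SETSIZE (%d)", (int)sd, FD_SETSIZE);` before returning. If socket_descriptor_t is an unsigned SOCKET handle on Windows builds, FD_SETSIZE there bounds the number of sockets in an fd_set rather than the handle value, so this numeric comparison may reject perfectly valid sockets; presumably these packages are Linux-only, but a `#ifndef _WIN32` or a comment stating that assumption would make the intent clear. The `len >= 0` half of the new `if (len < (int)sizeof(buf) && len >= 0)` checks in socks.c is redundant as far as these hunks show, since len starts at 0 and is only incremented, though it is harmless. Every one of these hunks cuts through the middle of its function, so the surrounding error reporting is not visible here.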

3
openvpn-2.4.2.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:df5c4f384b7df6b08a2f6fa8a84b9fd382baf59c2cef1836f82e2a7f62f1bff9
size 918448

11
openvpn-2.4.2.tar.xz.asc Normal file

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJZFE4hAAoJEClYTZ9AhkV454EIAMI6GwqVrxgO+XewvCFWMrXv
GuVpFx8w4DVoBN6Kc6bLrcP1R4m04SCYrsey88ahDP5113Z4QlGkuVo3GSKSqFtS
ZvO0r9c37VnSUpIp8yD1F/F/K9np1mvywyF8/1cHDFoIMwEe5TNti3Fvo0TaFO7k
rLnNdcTILWveqTQBP4Hhma9Hl0MRLOXY9CPcwKBhYZqh8UBjlmbnAyOPXD9hQe/q
QP96ZCl6sClvPyBTfGw8q0bxsdWjTJQjZnioO61xkR4JyQr7dpOLr2gCwnL1l9U6
feV9EyjHQxX9lbr+SvfuDOWMZXAAqMfx0Ltz7oopB3DTAtiN9TAWQn5v7kSxwxc=
=Wkw4
-----END PGP SIGNATURE-----


@ -1,356 +1,96 @@
Index: openvpn-2.3.14/src/openvpn/crypto_backend.h diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
=================================================================== index 4b54279..09659aa 100644
--- openvpn-2.3.14.orig/src/openvpn/crypto_backend.h --- a/src/openvpn/crypto.c
+++ openvpn-2.3.14/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto.c
@@ -480,10 +480,11 @@ void md_ctx_final (md_ctx_t *ctx, uint8_ @@ -877,7 +877,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
* @param key The key to use for the HMAC if (kt->digest && kt->hmac_length > 0)
* @param key_len The key length to use {
* @param kt Static message digest parameters ALLOC_OBJ(ctx->hmac, hmac_ctx_t);
+ * @param prf_use Intended use for PRF in TLS protocol - hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
+ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
msg(D_HANDSHAKE,
"%s: Using %d bit message hash '%s' for HMAC authentication",
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 2c79baa..81848c9 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -557,10 +557,11 @@ void md_ctx_final(md_ctx_t *ctx, uint8_t *dst);
* @param key The key to use for the HMAC
* @param key_len The key length to use
* @param kt Static message digest parameters
+ * @param prf_use Intended use for PRF in TLS protocol
* *
*/ */
void hmac_ctx_init (hmac_ctx_t *ctx, const uint8_t *key, int key_length, void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
- const md_kt_t *kt); - const md_kt_t *kt);
+ const md_kt_t *kt, bool prf_use); + const md_kt_t *kt, bool prf_use);
/* /*
* Free the given HMAC context. * Free the given HMAC context.
Index: openvpn-2.3.14/src/openvpn/crypto.c diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
=================================================================== index 881a2d1..deb41c7 100644
--- openvpn-2.3.14.orig/src/openvpn/crypto.c --- a/src/openvpn/crypto_openssl.c
+++ openvpn-2.3.14/src/openvpn/crypto.c +++ b/src/openvpn/crypto_openssl.c
@@ -505,7 +505,7 @@ init_key_ctx (struct key_ctx *ctx, struc @@ -891,13 +891,17 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst)
if (kt->digest && kt->hmac_length > 0)
{
ALLOC_OBJ(ctx->hmac, hmac_ctx_t);
- hmac_ctx_init (ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
+ hmac_ctx_init (ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
msg (D_HANDSHAKE,
"%s: Using %d bit message hash '%s' for HMAC authentication",
@@ -1421,61 +1421,61 @@ free_ssl_lib (void)
#endif /* ENABLE_SSL */
/*
- * md5 functions
+ * sha1 functions
*/
const char *
-md5sum (uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc)
+sha1sum (uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc)
{
- uint8_t digest[MD5_DIGEST_LENGTH];
- const md_kt_t *md5_kt = md_kt_get("MD5");
+ uint8_t digest[SHA_DIGEST_LENGTH];
+ const md_kt_t *sha1_kt = md_kt_get("SHA1");
- md_full(md5_kt, buf, len, digest);
+ md_full(sha1_kt, buf, len, digest);
- return format_hex (digest, MD5_DIGEST_LENGTH, n_print_chars, gc);
+ return format_hex (digest, SHA_DIGEST_LENGTH, n_print_chars, gc);
}
void void
-md5_state_init (struct md5_state *s) hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
+sha1_state_init (struct sha1_state *s) - const EVP_MD *kt)
+ const EVP_MD *kt, bool prf_use)
{ {
- const md_kt_t *md5_kt = md_kt_get("MD5"); ASSERT(NULL != kt && NULL != ctx);
+ const md_kt_t *sha1_kt = md_kt_get("SHA1");
- md_ctx_init(&s->ctx, md5_kt); CLEAR(*ctx);
+ md_ctx_init(&s->ctx, sha1_kt);
}
void HMAC_CTX_init(ctx);
-md5_state_update (struct md5_state *s, void *data, size_t len) + /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
+sha1_state_update (struct sha1_state *s, void *data, size_t len) + * to be used anywhere else */
{ + if(kt == EVP_md5() && prf_use)
md_ctx_update(&s->ctx, data, len); + HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
} HMAC_Init_ex(ctx, key, key_len, kt, NULL);
void /* make sure we used a big enough key */
-md5_state_final (struct md5_state *s, struct md5_digest *out) diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
+sha1_state_final (struct sha1_state *s, struct sha1_digest *out) index 0c43681..c3d5613 100644
{ --- a/src/openvpn/ntlm.c
md_ctx_final(&s->ctx, out->digest); +++ b/src/openvpn/ntlm.c
md_ctx_cleanup(&s->ctx); @@ -89,7 +89,7 @@ gen_hmac_md5(const char *data, int data_len, const char *key, int key_len,char *
} hmac_ctx_t hmac_ctx;
CLEAR(hmac_ctx);
void - hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt);
-md5_digest_clear (struct md5_digest *digest) + hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt, 0);
+sha1_digest_clear (struct sha1_digest *digest) hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len);
{ hmac_ctx_final(&hmac_ctx, (unsigned char *)result);
CLEAR (*digest); hmac_ctx_cleanup(&hmac_ctx);
} diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 9fef394..6b52dec 100644
bool --- a/src/openvpn/options.c
-md5_digest_defined (const struct md5_digest *digest) +++ b/src/openvpn/options.c
+sha1_digest_defined (const struct sha1_digest *digest) @@ -850,6 +850,10 @@ init_options(struct options *o, const bool init_gc)
{
int i;
- for (i = 0; i < MD5_DIGEST_LENGTH; ++i)
+ for (i = 0; i < SHA_DIGEST_LENGTH; ++i)
if (digest->digest[i])
return true;
return false;
}
bool
-md5_digest_equal (const struct md5_digest *d1, const struct md5_digest *d2)
+sha1_digest_equal (const struct sha1_digest *d1, const struct sha1_digest *d2)
{
- return memcmp(d1->digest, d2->digest, MD5_DIGEST_LENGTH) == 0;
+ return memcmp(d1->digest, d2->digest, SHA_DIGEST_LENGTH) == 0;
}
#endif /* ENABLE_CRYPTO */
Index: openvpn-2.3.14/src/openvpn/crypto.h
===================================================================
--- openvpn-2.3.14.orig/src/openvpn/crypto.h
+++ openvpn-2.3.14/src/openvpn/crypto.h
@@ -430,24 +430,24 @@ void free_ssl_lib (void);
#endif /* ENABLE_SSL */
/*
- * md5 functions
+ * sha1 functions
*/
-struct md5_state {
+struct sha1_state {
md_ctx_t ctx;
};
-struct md5_digest {
- uint8_t digest [MD5_DIGEST_LENGTH];
+struct sha1_digest {
+ uint8_t digest [SHA_DIGEST_LENGTH];
};
-const char *md5sum(uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc);
-void md5_state_init (struct md5_state *s);
-void md5_state_update (struct md5_state *s, void *data, size_t len);
-void md5_state_final (struct md5_state *s, struct md5_digest *out);
-void md5_digest_clear (struct md5_digest *digest);
-bool md5_digest_defined (const struct md5_digest *digest);
-bool md5_digest_equal (const struct md5_digest *d1, const struct md5_digest *d2);
+const char *sha1sum(uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc);
+void sha1_state_init (struct sha1_state *s);
+void sha1_state_update (struct sha1_state *s, void *data, size_t len);
+void sha1_state_final (struct sha1_state *s, struct sha1_digest *out);
+void sha1_digest_clear (struct sha1_digest *digest);
+bool sha1_digest_defined (const struct sha1_digest *digest);
+bool sha1_digest_equal (const struct sha1_digest *d1, const struct sha1_digest *d2);
/*
* Inline functions
Index: openvpn-2.3.14/src/openvpn/crypto_openssl.c
===================================================================
--- openvpn-2.3.14.orig/src/openvpn/crypto_openssl.c
+++ openvpn-2.3.14/src/openvpn/crypto_openssl.c
@@ -829,13 +829,17 @@ md_ctx_final (EVP_MD_CTX *ctx, uint8_t *
void
hmac_ctx_init (HMAC_CTX *ctx, const uint8_t *key, int key_len,
- const EVP_MD *kt)
+ const EVP_MD *kt, bool prf_use)
{
ASSERT(NULL != kt && NULL != ctx);
CLEAR(*ctx);
HMAC_CTX_init (ctx);
+ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
+ * to be used anywhere else */
+ if(kt == EVP_md5() && prf_use)
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
HMAC_Init_ex (ctx, key, key_len, kt, NULL);
/* make sure we used a big enough key */
Index: openvpn-2.3.14/src/openvpn/crypto_openssl.h
===================================================================
--- openvpn-2.3.14.orig/src/openvpn/crypto_openssl.h
+++ openvpn-2.3.14/src/openvpn/crypto_openssl.h
@@ -33,6 +33,7 @@
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/md5.h>
+#include <openssl/sha.h>
/** Generic cipher key type %context. */
typedef EVP_CIPHER cipher_kt_t;
Index: openvpn-2.3.14/src/openvpn/crypto_polarssl.c
===================================================================
--- openvpn-2.3.14.orig/src/openvpn/crypto_polarssl.c
+++ openvpn-2.3.14/src/openvpn/crypto_polarssl.c
@@ -695,7 +695,7 @@ md_ctx_final (md_context_t *ctx, uint8_t
* TODO: re-enable dmsg for crypto debug
*/
void
-hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const md_info_t *kt)
+hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const md_info_t *kt, bool prf_use)
{
ASSERT(NULL != kt && NULL != ctx);
Index: openvpn-2.3.14/src/openvpn/init.c
===================================================================
--- openvpn-2.3.14.orig/src/openvpn/init.c
+++ openvpn-2.3.14/src/openvpn/init.c
@@ -1360,12 +1360,12 @@ do_route (const struct options *options,
*/
#if P2MP
static void
-save_pulled_options_digest (struct context *c, const struct md5_digest *newdigest)
+save_pulled_options_digest (struct context *c, const struct sha1_digest *newdigest)
{
if (newdigest)
c->c1.pulled_options_digest_save = *newdigest;
else
- md5_digest_clear (&c->c1.pulled_options_digest_save);
+ sha1_digest_clear (&c->c1.pulled_options_digest_save);
}
#endif
@@ -1713,8 +1713,8 @@ do_up (struct context *c, bool pulled_op
if (!c->c2.did_open_tun
&& PULL_DEFINED (&c->options)
&& c->c1.tuntap
- && (!md5_digest_defined (&c->c1.pulled_options_digest_save) || !md5_digest_defined (&c->c2.pulled_options_digest)
- || !md5_digest_equal (&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest)))
+ && (!sha1_digest_defined (&c->c1.pulled_options_digest_save) || !sha1_digest_defined (&c->c2.pulled_options_digest)
+ || !sha1_digest_equal (&c->c1.pulled_options_digest_save, &c->c2.pulled_options_digest)))
{
/* if so, close tun, delete routes, then reinitialize tun and add routes */
msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.");
@@ -2792,11 +2792,11 @@ do_compute_occ_strings (struct context *
#ifdef ENABLE_CRYPTO
msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'",
options_string_version (c->c2.options_string_local, &gc),
- md5sum ((uint8_t*)c->c2.options_string_local,
+ sha1sum ((uint8_t*)c->c2.options_string_local,
strlen (c->c2.options_string_local), 9, &gc));
msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'",
options_string_version (c->c2.options_string_remote, &gc),
- md5sum ((uint8_t*)c->c2.options_string_remote,
+ sha1sum ((uint8_t*)c->c2.options_string_remote,
strlen (c->c2.options_string_remote), 9, &gc));
#endif
Index: openvpn-2.3.14/src/openvpn/ntlm.c
===================================================================
--- openvpn-2.3.14.orig/src/openvpn/ntlm.c
+++ openvpn-2.3.14/src/openvpn/ntlm.c
@@ -90,7 +90,7 @@ gen_hmac_md5 (const char* data, int data
hmac_ctx_t hmac_ctx;
CLEAR(hmac_ctx);
- hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt);
+ hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt, 0);
hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len);
hmac_ctx_final(&hmac_ctx, (unsigned char *)result);
hmac_ctx_cleanup(&hmac_ctx);
Index: openvpn-2.3.14/src/openvpn/openvpn.h
===================================================================
--- openvpn-2.3.14.orig/src/openvpn/openvpn.h
+++ openvpn-2.3.14/src/openvpn/openvpn.h
@@ -205,7 +205,7 @@ struct context_1
#endif
/* if client mode, hash of option strings we pulled from server */
- struct md5_digest pulled_options_digest_save;
+ struct sha1_digest pulled_options_digest_save;
/**< Hash of option strings received from the
* remote OpenVPN server. Only used in
* client-mode. */
@@ -473,9 +473,9 @@ struct context_2
bool did_pre_pull_restore;
/* hash of pulled options, so we can compare when options change */
- bool pulled_options_md5_init_done;
- struct md5_state pulled_options_state;
- struct md5_digest pulled_options_digest;
+ bool pulled_options_sha1_init_done;
+ struct sha1_state pulled_options_state;
+ struct sha1_digest pulled_options_digest;
struct event_timeout server_poll_interval;
Index: openvpn-2.3.14/src/openvpn/options.c
===================================================================
--- openvpn-2.3.14.orig/src/openvpn/options.c
+++ openvpn-2.3.14/src/openvpn/options.c
@@ -835,6 +835,10 @@ init_options (struct options *o, const b
#endif #endif
#ifdef ENABLE_CRYPTO #ifdef ENABLE_CRYPTO
o->ciphername = "BF-CBC"; o->ciphername = "BF-CBC";
+#ifdef OPENSSL_FIPS +#ifdef OPENSSL_FIPS
+ if(FIPS_mode()) + if(FIPS_mode())
+ o->ciphername = "AES-256-CBC"; + o->ciphername = "AES-256-CBC";
+#endif +#endif
o->ciphername_defined = true; #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
o->authname = "SHA1"; o->ncp_enabled = true;
o->authname_defined = true; #else
Index: openvpn-2.3.14/src/openvpn/push.c diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
=================================================================== index 51c7b95..2f89df7 100644
--- openvpn-2.3.14.orig/src/openvpn/push.c --- a/src/openvpn/ssl.c
+++ openvpn-2.3.14/src/openvpn/push.c +++ b/src/openvpn/ssl.c
@@ -408,7 +408,7 @@ push_reset (struct options *o) @@ -1626,8 +1626,8 @@ tls1_P_hash(const md_kt_t *md_kt,
#endif chunk = md_kt_size(md_kt);
A1_len = md_kt_size(md_kt);
static void - hmac_ctx_init(&ctx, sec, sec_len, md_kt);
-push_update_digest(struct md5_state *ctx, struct buffer *buf) - hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt);
+push_update_digest(struct sha1_state *ctx, struct buffer *buf) + hmac_ctx_init(&ctx, sec, sec_len, md_kt, 1);
{ + hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt, 1);
char line[OPTION_PARM_SIZE];
while (buf_parse (buf, ',', line, sizeof (line)))
@@ -416,7 +416,7 @@ push_update_digest(struct md5_state *ctx
/* peer-id might change on restart and this should not trigger reopening tun */
if (strstr (line, "peer-id ") != line)
{
- md5_state_update (ctx, line, strlen(line));
+ sha1_state_update (ctx, line, strlen(line));
}
}
}
@@ -472,10 +472,10 @@ process_incoming_push_msg (struct contex
if (ch == ',')
{
struct buffer buf_orig = buf;
- if (!c->c2.pulled_options_md5_init_done)
+ if (!c->c2.pulled_options_sha1_init_done)
{
- md5_state_init (&c->c2.pulled_options_state);
- c->c2.pulled_options_md5_init_done = true;
+ sha1_state_init (&c->c2.pulled_options_state);
+ c->c2.pulled_options_sha1_init_done = true;
}
if (!c->c2.did_pre_pull_restore)
{
@@ -493,8 +493,8 @@ process_incoming_push_msg (struct contex
{
case 0:
case 1:
- md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
- c->c2.pulled_options_md5_init_done = false;
+ sha1_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
+ c->c2.pulled_options_sha1_init_done = false;
ret = PUSH_MSG_REPLY;
break;
case 2:
Index: openvpn-2.3.14/src/openvpn/ssl.c
===================================================================
--- openvpn-2.3.14.orig/src/openvpn/ssl.c
+++ openvpn-2.3.14/src/openvpn/ssl.c
@@ -1396,8 +1396,8 @@ tls1_P_hash(const md_kt_t *md_kt,
chunk = md_kt_size(md_kt);
A1_len = md_kt_size(md_kt);
- hmac_ctx_init(&ctx, sec, sec_len, md_kt); hmac_ctx_update(&ctx,seed,seed_len);
- hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt); hmac_ctx_final(&ctx, A1);
+ hmac_ctx_init(&ctx, sec, sec_len, md_kt, 1);
+ hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt, 1);
hmac_ctx_update(&ctx,seed,seed_len);
hmac_ctx_final(&ctx, A1);


@ -1,30 +1,41 @@
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux) Version: GnuPG v1
mQGiBEsHuu4RBACnPwEKcLYmlwe8v2e8xizlO1fCeqOA7zj6tU/T/1+YTJhrVbgW mQENBFilZHYBCADGVuvyV9yg2GW7bslnPylaa9cxb3IXmb0qC7hUJueGnz0vLdit
PiRYSNKAmAq0uLFLQ14KpIDsrtdi5ySeUTf64kJtDrBa2si6h0HUyNHf9EX6rUVC /fPPPfsI3/hgcQYK1Y8cP5p2Pq+CZL0TVQWBEu2naH2unwxtfNm1EJcWDsky9DzW
g/CTpsfYEkqlfMoBH7w7L5O2yidwWA+F4RGWhruzP7i1z+bBsIguSxiBzwCg5qPh CZQrcZ/v/coaV4UqMTVzGQaxQOzzeaP5nRgdX95dVKqXqsG8wKoIJmBuILAqkOPi
pgkFGeWArp/OUBHkaqmPZ00D/08dmkrez9d7C/PoR/cFq0nQBqL3zmsRxv66I6fM 4EG9NQt2Lbqaiszo3LdsqyeGYK2yc745xBX4UDgIN7XTrXcQDyUOb4dsJynbM+Z9
TUqwaRpweWHh9P6XR+pTJjBglVSvk9kLv+PYCvk7yxbT3M6OA/GrSEp/53itlzOU 8NMQxdA5q0s6BwWSA1xK/gKUCzfF7D1fwWuO2MoedHveB45rOMSFlfVUgr7fa1CR
MPkv/OF6BmbRbYJK5HAsZgHGbuZxUHUqm4qJ+t4+WZaz9i8WtYbOM6T9aNWQrVUW zCe7lccu0APfgXrTnNWwWMVoQMO8HIyk2iGnABEBAAG0JVNhbXVsaSBTZXBww6Ru
dUMqA/4tZlHJzCrd1NbfEetQVeso9rzzWWWmDAusbvkowfrFHXJGUjfL0hBmxj/9 ZW4gPHNhbXVsaUBvcGVudnBuLm5ldD6JATgEEwECACIFAlilZtwCGwMGCwkIBwMC
JmZtwU+i8G+MKQS0w9rCVLEMLoHLLxPH+Jiknz3Y2xE6CbiSvL+8cvOolgADz/06 BhUIAgkKCwQWAgMBAh4BAheAAAoJEClYTZ9AhkV46tEH/Aot7SnpcLHpEkkCX7Jm
MniHKOZb4tPFPw7ObESeAGp4T9FgT53fJ14AMjGLyHv6EXbfvbQsU2FtdWxpIFNl ERrWuqIwYJp7fQlbOPAVZG1+iC/3KlhYxHmH1/Dj6rP3LEEfWpCQSHSbBFkzPtZ6
cHDDpG5lbiA8c2FtdWxpLnNlcHBhbmVuQGdtYWlsLmNvbT6IYAQTEQIAIAUCSwe6 AGnEfaxovXjso/tgnAAjYnxy9R0+1t0g5T6anXzCAjl3+mOssjzWBICBDZaFW9Rd
7gIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEMKdl+0ZjSKjsfsAoK6khXtq R47vCA92Fp9kAy3N+AMOv1HfTabaPo6p8HbaBSUQtgdOrfoBSXaFzaPSp8uwonQW
w2xDtNBv/UhRhuVH0NQOAKCDWiB2zYNvHWLYnuIpAlE1sAnGPrkCDQRLB7ruEAgA xRvpG91XtDrEoQio13460025ww+sZe5mIH4c7xhKBEZPswO2xnFszcFp3u12Glbj
jwSEfTWLJsIW5qlKNEhySIjmRmcVgqB/NTaZ+Nd/r++stYSan1qb7qlQ3B3w48p1 eloAn8oxNycEuw11DfsHf2ctlbQCOLlJJxh2MND5SyL0SjCWMqO7v2c8UUUe4igS
gB0SPfwKRmMkiYsHNcbRr5KIHWTnYrMI/5OAjPIiz/2j294wRnObzrbJK3T+qJSL xeuIRgQQEQIABgUCWKVo6wAKCRDCnZftGY0ioxDUAJ45kbXxCH3hiUexMvlJzvgN
A2mEXXPPK7i0hUwH12ZJej/h98lPQA+NiDgDOaq4asyq4pcHrR2T2NyiiR2+Xi/L mZmpyACg0UKbcmHUiFhnhyjtTTmAS5TjB8G0LFNhbXVsaSBTZXBww6RuZW4gPHNh
2Lz1zKj4iQ3f5g0ktmAEdGcDtV7tI0xZeXWEtesRXeXmqPmjLskJozUoZP1GXXAz bXVsaS5zZXBwYW5lbkBnbWFpbC5jb20+iQE4BBMBAgAiBQJYpWR2AhsDBgsJCAcD
80PySK2HsEQ/846q1Ybl5KYwbSH+l8jLIyqMDTQnCYG+Ft1moCk3HLyc4c1ALVov AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRApWE2fQIZFeLAeB/9lGhVfON8TR6o6+lbm
1Rvom8u3dM5tUtpuZMwcJwADBQf+MCohqLqGJmEdiTEnmggsiKSoZTIBJhcujRaL GslU2xqV3PQ3hVuAlEttxpP4hCTKU0PwLLb7gtc0UF642qyB7ho2RtU+bg1tiq5z
pxPpBlXz6P2bvlprUedBs+zxEEI+Q/CqIlyYaN+Kca1FK4YG9iQoHmb9IIVHf4C/ R93Ka92Aex4yJDI4viEJ04MTX2WLRv6ogGTRrytIqmYGbYHTFXlnMnQD7Tf+O4sv
lyWSx1xK+BnIk7SEfMjpGAjofNzNc34NmebnosHfP/g3ruLo6EgtjQ68iUty9PgX 8tJj5gguB/zT8MXQGqU6zq9CF6b3XXdPSITkC7df/CU425HI4V5HvluC/4GrzFZI
Q1bZQ/SeXk16b8Nn0xQa9S+hg5LAxA+DuSvXbMqU5q2p8JlPgGEFVKzaVcxPhppB za4Hv/d8G1tXzHXDqoLIBdS44g6GRdXak3PfROKsuk7sG/MmtfbfUPnyBI+yaGQk
Kcv/2CxjsqXj/6sW3nFSw+8Jd4SWL1+cPZ1v1WHG3SUMFoLAjSmVj3X8roG5EiLi jhlj3BRY0b1dg7T5SiZ6NoMXFH9zKEh7KnG8CaoqiNWDSp2sazy8kbZR5HUp2jOt
QxSGOUz8uVtvumfKyd25MYmgHMELL7fxhrZcw2OVdo977lt2fIhJBBgRAgAJBQJL yXmgiEYEEBECAAYFAlilaOsACgkQwp2X7RmNIqOStQCePGpvkvmpISX4fR+lGAlt
B7ruAhsMAAoJEMKdl+0ZjSKjgrAAoLeln17YxSQA7RUHwTbquOA92odMAKDiq7c8 VtWf3XgAmwQTECYXlq3NMdefzLxA5dnxstlEuQENBFilZHYBCADEe46V63aYL+VL
p2hUs3rZaXY1aMmExyB0gQ== nZbmBz78KA0fOb5qopFQsOp79FdCQevGXa6JtdibaOLhWUiaMNgkGXma0rSzv/yc
=l5lk kDX310JSSrNvbXtbn29MdmCZhWum3lT0bhHltF2w23ha913AEneUq1TAESZz74zJ
-----END PGP PUBLIC KEY BLOCK----- wGtoej7f2H0e3qjOKtwIzItnHRQSHXFRZUh1IRbZAqXQKqRRWiYVLG3pgF1iC9gA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=FKLE
-----END PGP PUBLIC KEY BLOCK-----


@ -32,7 +32,7 @@ Url: http://openvpn.net/
%else %else
PreReq: %insserv_prereq %fillup_prereq PreReq: %insserv_prereq %fillup_prereq
%endif %endif
Version: 2.3.14 Version: 2.4.2
Release: 0 Release: 0
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1
@ -178,12 +178,14 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openvpn
mkdir -p $RPM_BUILD_ROOT/%{_rundir}/openvpn mkdir -p $RPM_BUILD_ROOT/%{_rundir}/openvpn
mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn
%if %{with_systemd} %if %{with_systemd}
rm %{buildroot}/usr/lib64/systemd/system/openvpn-client@.service
rm %{buildroot}/usr/lib64/systemd/system/openvpn-server@.service
install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
install -D -m 644 $RPM_SOURCE_DIR/%{name}.target %{buildroot}/%{_unitdir}/%{name}.target install -D -m 644 $RPM_SOURCE_DIR/%{name}.target %{buildroot}/%{_unitdir}/%{name}.target
install -D -m 755 $RPM_SOURCE_DIR/rc%{name} %{buildroot}%{_sbindir}/rc%{name} install -D -m 755 $RPM_SOURCE_DIR/rc%{name} %{buildroot}%{_sbindir}/rc%{name}
# tmpfiles.d # tmpfiles.d
mkdir -p %{buildroot}%{_libexecdir}/tmpfiles.d mkdir -p %{buildroot}%{_libdir}/tmpfiles.d
install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_libdir}/tmpfiles.d/%{name}.conf
%else %else
install -D -m 755 $RPM_SOURCE_DIR/openvpn.init $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/openvpn install -D -m 755 $RPM_SOURCE_DIR/openvpn.init $RPM_BUILD_ROOT/%{_sysconfdir}/init.d/openvpn
ln -sv %{_sysconfdir}/init.d/openvpn $RPM_BUILD_ROOT/%{_sbindir}/rcopenvpn ln -sv %{_sysconfdir}/init.d/openvpn $RPM_BUILD_ROOT/%{_sbindir}/rcopenvpn
@ -202,7 +204,7 @@ find sample -name .gitignore | xargs rm -f
%post %post
%if %{with_systemd} %if %{with_systemd}
systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf ||: systemd-tmpfiles --create /usr/lib64/tmpfiles.d/%{name}.conf ||:
%service_add_post %{name}.target %service_add_post %{name}.target
# try to migrate openvpn.service autostart to openvpn@<CONF>.service # try to migrate openvpn.service autostart to openvpn@<CONF>.service
if test ${FIRST_ARG:-$1} -ge 1 -a \ if test ${FIRST_ARG:-$1} -ge 1 -a \
@ -269,9 +271,10 @@ rm -f /etc/sysconfig/openvpn || :
%doc %{_mandir}/man8/openvpn.8.gz %doc %{_mandir}/man8/openvpn.8.gz
%config(noreplace) %{_sysconfdir}/openvpn/ %config(noreplace) %{_sysconfdir}/openvpn/
%if %{with_systemd} %if %{with_systemd}
%dir %{_libdir}/tmpfiles.d
%{_unitdir}/%{name}@.service %{_unitdir}/%{name}@.service
%{_unitdir}/%{name}.target %{_unitdir}/%{name}.target
%{_libexecdir}/tmpfiles.d/%{name}.conf %{_libdir}/tmpfiles.d/%{name}.conf
%dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/ %dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
%else %else
%config %{_sysconfdir}/init.d/openvpn %config %{_sysconfdir}/init.d/openvpn
@ -296,5 +299,6 @@ rm -f /etc/sysconfig/openvpn || :
%files devel %files devel
%defattr(-,root,root) %defattr(-,root,root)
%{_includedir}/%{name}-plugin.h %{_includedir}/%{name}-plugin.h
%{_includedir}/%{name}-msg.h
%changelog %changelog
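Review bot: The tmpfiles.d fragment is now installed under `%{_libdir}/tmpfiles.d` (the two install lines in the 178 hunk and the `%files` entry in the 269 hunk), which on 64-bit builds expands to /usr/lib64/tmpfiles.d — a directory systemd-tmpfiles does not scan at boot (it reads /usr/lib/tmpfiles.d, /etc/tmpfiles.d and /run/tmpfiles.d), so the `%ghost %{_rundir}/openvpn` directory is created only once by the `%post` call and is missing after the first reboot. The `%post` line in the 202 hunk additionally hardcodes `/usr/lib64/tmpfiles.d/%{name}.conf`, which no longer agrees with `%{_libdir}` on architectures where that macro expands to /usr/lib. Use the systemd-provided macro in all three places, e.g. `install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf` and `%{_tmpfilesdir}/%{name}.conf`, and in `%post` `systemd-tmpfiles --create %{name}.conf ||:`, since systemd-tmpfiles resolves a bare basename against its configured search path. The two `rm %{buildroot}/usr/lib64/systemd/system/...` lines at the top of the 178 hunk hardcode the same path prefix; if upstream's install location follows the configured libdir, `rm %{buildroot}%{_libdir}/systemd/system/openvpn-client@.service` keeps them correct on every architecture.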