diff --git a/openvpn-2.3.0-man-dot.diff b/openvpn-2.3.0-man-dot.diff
deleted file mode 100644
index 234b988..0000000
--- a/openvpn-2.3.0-man-dot.diff
+++ /dev/null
@@ -1,11 +0,0 @@
---- doc/openvpn.8
-+++ doc/openvpn.8
-@@ -21,7 +21,7 @@
- .\" 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- .\"
- .\" Manual page for openvpn
--.\
-+.\"
- .\" SH section heading
- .\" SS subsection heading
- .\" LP paragraph
diff --git a/openvpn-2.3.11.tar.xz b/openvpn-2.3.11.tar.xz
deleted file mode 100644
index cb4e70c..0000000
--- a/openvpn-2.3.11.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7
-size 833496
diff --git a/openvpn-2.3.11.tar.xz.asc b/openvpn-2.3.11.tar.xz.asc
deleted file mode 100644
index ef6cdbc..0000000
--- a/openvpn-2.3.11.tar.xz.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlcxenoACgkQwp2X7RmNIqOn3wCeP9QB36A5JwmBIYihnWS6v/p4
-XikAn1YoYlNJMcL2Tnnu30GKWULkbyov
-=LkUj
------END PGP SIGNATURE-----
diff --git a/openvpn-2.3.13.tar.xz b/openvpn-2.3.13.tar.xz
new file mode 100644
index 0000000..7f364f2
--- /dev/null
+++ b/openvpn-2.3.13.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0
+size 829484
diff --git a/openvpn-2.3.13.tar.xz.asc b/openvpn-2.3.13.tar.xz.asc
new file mode 100644
index 0000000..ca1369f
--- /dev/null
+++ b/openvpn-2.3.13.tar.xz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAlgbEocACgkQwp2X7RmNIqOSJwCfQVrcS2k/XC71G1H8ABMQpPrS
+MvAAn3TdER/TEpi82whq3SLABg8wTNuz
+=Zf4E
+-----END PGP SIGNATURE-----
diff --git a/openvpn-fips140-2.3.2.patch b/openvpn-fips140-2.3.2.patch
index 3313c1e..ec91607 100644
--- a/openvpn-fips140-2.3.2.patch
+++ b/openvpn-fips140-2.3.2.patch
@@ -272,9 +272,27 @@ o->ciphername_defined = true; o->authname = "SHA1"; o->authname_defined = true; ---- openvpn-2.3.2/src/openvpn/push.c -+++ openvpn-2.3.2/src/openvpn/push.c 2015/02/19 09:15:02 -@@ -446,10 +446,10 @@ process_incoming_push_msg (struct contex +--- openvpn-2.3.13.orig/src/openvpn/push.c ++++ openvpn-2.3.13/src/openvpn/push.c 2016-12-03 22:57:58.198398996 +0100 +@@ -408,7 +408,7 @@ + #endif + + static void +-push_update_digest(struct md5_state *ctx, struct buffer *buf) ++push_update_digest(struct sha1_state *ctx, struct buffer *buf) + { + char line[OPTION_PARM_SIZE]; + while (buf_parse (buf, ',', line, sizeof (line))) +@@ -416,7 +416,7 @@ + /* peer-id might change on restart and this should not trigger reopening tun */ + if (strstr (line, "peer-id ") != line) + { +- md5_state_update (ctx, line, strlen(line)); ++ sha1_state_update (ctx, line, strlen(line)); + } + } + } +@@ -472,10 +472,10 @@ if (ch == ',') { struct buffer buf_orig = buf; 
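Review bot: The refreshed push.c section now carries `openvpn-2.3.13.orig/` headers, while the patch file is still named for 2.3.2 and the ssl.c section visible at the end of the next hunk keeps its `openvpn-2.3.2/` header dated 2015. It is therefore unclear which sections were regenerated against 2.3.13 and which still apply only through offset or fuzz. For a patch that swaps digest primitives I would regenerate the whole file against the 2.3.13 tree so that every section applies exactly, and state the verified upstream version in the patch header. The new `push_update_digest` section would also benefit from a line in the patch description such as `pulled-options digest: MD5 replaced by SHA-1 so option-change detection keeps working in FIPS mode`; that rationale is inferred from the patch name and should be confirmed by the author.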
@@ -288,24 +306,17 @@ } if (!c->c2.did_pre_pull_restore) { -@@ -465,13 +465,13 @@ process_incoming_push_msg (struct contex - { - case 0: - case 1: -- md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); -- md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest); -- c->c2.pulled_options_md5_init_done = false; -+ sha1_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); -+ sha1_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest); -+ c->c2.pulled_options_sha1_init_done = false; - ret = PUSH_MSG_REPLY; - break; - case 2: -- md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); -+ sha1_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig)); - ret = PUSH_MSG_CONTINUATION; - break; - } +@@ -493,8 +493,8 @@ + { + case 0: + case 1: +- md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest); +- c->c2.pulled_options_md5_init_done = false; ++ sha1_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest); ++ c->c2.pulled_options_sha1_init_done = false; + ret = PUSH_MSG_REPLY; + break; + case 2: --- openvpn-2.3.2/src/openvpn/ssl.c +++ openvpn-2.3.2/src/openvpn/ssl.c 2015/02/19 09:15:02 @@ -1342,8 +1342,8 @@ tls1_P_hash(const md_kt_t *md_kt, diff --git a/openvpn-fips140-AES-cipher-in-config-template.patch b/openvpn-fips140-AES-cipher-in-config-template.patch deleted file mode 100644 index c8eb5d7..0000000 --- a/openvpn-fips140-AES-cipher-in-config-template.patch +++ /dev/null 
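Review bot: `sha1_state_final` now writes into `c->c2.pulled_options_digest`, but the declaration of that field and the code that later compares the digest lie outside this hunk, so the switch from an MD5-sized to a SHA-1-sized digest cannot be confirmed from here. Please confirm that the sections of this patch covering the field declaration and the digest comparison were refreshed for 2.3.13 as well, and that no `md5_state_*` call or `pulled_options_md5_init_done` reference remains in the patched tree. A field left at the MD5 digest size would be overrun by the longer SHA-1 output. The enclosing function, named `process_incoming_push_msg` in the removed hunk header, starts and ends outside the hunk.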
@@ -1,35 +0,0 @@
-From: Andreas Stieger
-Date: Thu, 08 Sep 2016 15:23:12 +0200
-Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file
-References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00
-Upstream: no
-
-The 2.3 default is blowfish which does not work in FIPS mode.
-This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode.
-
-Index: openvpn-2.3.8/sample/sample-config-files/client.conf
-===================================================================
---- openvpn-2.3.8.orig/sample/sample-config-files/client.conf 2015-07-17 07:43:32.000000000 +0200
-+++ openvpn-2.3.8/sample/sample-config-files/client.conf 2016-09-08 15:12:32.650248879 +0200
-@@ -111,6 +111,8 @@ remote-cert-tls server
- # If the cipher option is used on the server
- # then you must also specify it here.
- ;cipher x
-+# Use a FIPS 140-2 approved cipher in FIPS mode
-+;cipher AES-256-CBC # AES-256
-
- # Enable compression on the VPN link.
- # Don't enable this unless it is also
-Index: openvpn-2.3.8/sample/sample-config-files/server.conf
-===================================================================
---- openvpn-2.3.8.orig/sample/sample-config-files/server.conf 2015-07-17 07:43:32.000000000 +0200
-+++ openvpn-2.3.8/sample/sample-config-files/server.conf 2016-09-08 15:11:55.869874892 +0200
-@@ -249,6 +249,8 @@ keepalive 10 120
- ;cipher BF-CBC # Blowfish (default)
- ;cipher AES-128-CBC # AES
- ;cipher DES-EDE3-CBC # Triple-DES
-+# Use a FIPS 140-2 approved cipher in FIPS mode
-+;cipher AES-256-CBC # AES-256
-
- # Enable compression on the VPN link.
- # If you enable it here, you must also
diff --git a/openvpn.changes b/openvpn.changes
index e679299..30b5b64 100644
--- a/openvpn.changes
+++ b/openvpn.changes
@@ -1,3 +1,75 @@
+-------------------------------------------------------------------
+Sat Dec 3 21:26:52 UTC 2016 - michael@stroeder.com
+
+- update to 2.3.13
+- removed obsolete patch files openvpn-2.3.0-man-dot.diff and
+ openvpn-fips140-AES-cipher-in-config-template.patch
+
+2016.11.02 -- Version 2.3.13
+ Arne Schwabe (2):
+ * Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
+ * Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
+ David Sommerseth (4):
+ * t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
+ * t_client.sh: Add support for Kerberos/ksu
+ * t_client.sh: Improve detection if the OpenVPN process did start during tests
+ * t_client.sh: Add prepare/cleanup possibilties for each test case
+ Gert Doering (5):
+ * Do not abort t_client run if OpenVPN instance does not start.
+ * Fix t_client runs on OpenSolaris
+ * make t_client robust against sudoers misconfiguration
+ * add POSTINIT_CMD_suf to t_client.sh and sample config
+ * Fix --multihome for IPv6 on 64bit BSD systems.
+ Ilya Shipitsin (1):
+ * skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
+ Lev Stipakov (2):
+ * Exclude peer-id from pulled options digest
+ * Fix compilation in pedantic mode
+ Samuli Seppänen (1):
+ * Automatically cache expected IPs for t_client.sh on the first run
+ Steffan Karger (6):
+ * Fix unittests for out-of-source builds
+ * Make gnu89 support explicit
+ * cleanup: remove code duplication in msg_test()
+ * Update cipher-related man page text
+ * Limit --reneg-bytes to 64MB when using small block ciphers
+ * Add a revoked cert to the sample keys
+
+2016.08.23 -- Version 2.3.12
+ Arne Schwabe (2):
+ * Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
+ * Move ASSERT so external-key with OpenSSL works again + David Sommerseth (3): + * Only build and run cmocka unit tests if its submodule is initialized + * Another fix related to unit test framework + * Remove NOP function and callers + Dorian Harmans (1): + * Add CHACHA20-POLY1305 ciphersuite IANA name translations. + Ivo Manca (1): + * Plug memory leak in mbedTLS backend + Jeffrey Cutter (1): + * Update contrib/pull-resolv-conf/client.up for no DOMAIN + Jens Neuhalfen (2): + * Add unit testing support via cmocka + * Add a test for auth-pam searchandreplace + Josh Cepek (1): + * Push an IPv6 CIDR mask used by the server, not the pool's size + Leon Klingele (1): + * Add link to bug tracker + Samuli Seppänen (2): + * Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes + * Clarify the fact that build instructions in README are for release tarballs + Selva Nair (4): + * Make error non-fatal while deleting address using netsh + * Make block-outside-dns work with persist-tun + * Ignore SIGUSR1/SIGHUP during exit notification + * Promptly close the netcmd_semaphore handle after use + Steffan Karger (4): + * Fix polarssl / mbedtls builds + * Don't limit max incoming message size based on c2->frame + * Fix '--cipher none --cipher' crash + * Discourage using 64-bit block ciphers + ------------------------------------------------------------------- Mon Nov 28 16:33:34 UTC 2016 - matwey.kornilov@gmail.com diff --git a/openvpn.spec b/openvpn.spec index 684a0d9..868ae7f 100644 --- a/openvpn.spec +++ b/openvpn.spec @@ -32,7 +32,7 @@ Url: http://openvpn.net/ %else PreReq: %insserv_prereq %fillup_prereq %endif -Version: 2.3.11 +Version: 2.3.13 Release: 0 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1 
@@ -50,9 +50,7 @@ Source9: %{name}.target Source10: %{name}-tmpfile.conf Source11: rc%{name} Patch1: %{name}-2.3-plugin-man.dif -Patch5: %{name}-2.3.0-man-dot.diff Patch6: %{name}-fips140-2.3.2.patch -Patch7: openvpn-fips140-AES-cipher-in-config-template.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: iproute2 BuildRequires: lzo-devel @@ -136,9 +134,7 @@ This package provides the header file to build external plugins. %prep %setup -q -n %{name}-%{version} %patch1 -p0 -%patch5 -p0 %patch6 -p1 -%patch7 -p1 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \ -i src/openvpn/options.c