Accepting request 443666 from home:stroeder:branches:network:vpn

- update to 2.3.13
- successfully tested as VPN client on TW x86_64
- please review FIPS patch update carefully

OBS-URL: https://build.opensuse.org/request/show/443666
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=111

openvpn-2.3.0-man-dot.diff

@@ -1,11 +0,0 @@
---- doc/openvpn.8
-+++ doc/openvpn.8
-@@ -21,7 +21,7 @@
- .\"  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- .\"
- .\" Manual page for openvpn
--.\
-+.\"
- .\" SH section heading
- .\" SS subsection heading
- .\" LP paragraph

openvpn-2.3.11.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7
-size 833496

openvpn-2.3.11.tar.xz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAlcxenoACgkQwp2X7RmNIqOn3wCeP9QB36A5JwmBIYihnWS6v/p4
-XikAn1YoYlNJMcL2Tnnu30GKWULkbyov
-=LkUj
------END PGP SIGNATURE-----

openvpn-2.3.13.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0
+size 829484

openvpn-2.3.13.tar.xz.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iEYEABECAAYFAlgbEocACgkQwp2X7RmNIqOSJwCfQVrcS2k/XC71G1H8ABMQpPrS
+MvAAn3TdER/TEpi82whq3SLABg8wTNuz
+=Zf4E
+-----END PGP SIGNATURE-----

openvpn-fips140-2.3.2.patch

@@ -272,9 +272,27 @@
    o->ciphername_defined = true;
    o->authname = "SHA1";
    o->authname_defined = true;
---- openvpn-2.3.2/src/openvpn/push.c
+--- openvpn-2.3.13.orig/src/openvpn/push.c
-+++ openvpn-2.3.2/src/openvpn/push.c	2015/02/19 09:15:02
++++ openvpn-2.3.13/src/openvpn/push.c	2016-12-03 22:57:58.198398996 +0100
-@@ -446,10 +446,10 @@ process_incoming_push_msg (struct contex
+@@ -408,7 +408,7 @@
+ #endif
+ 
+ static void
+-push_update_digest(struct md5_state *ctx, struct buffer *buf)
++push_update_digest(struct sha1_state *ctx, struct buffer *buf)
+ {
+   char line[OPTION_PARM_SIZE];
+   while (buf_parse (buf, ',', line, sizeof (line)))
+@@ -416,7 +416,7 @@
+       /* peer-id might change on restart and this should not trigger reopening tun */
+       if (strstr (line, "peer-id ") != line)
+ 	{
+-	  md5_state_update (ctx, line, strlen(line));
++	  sha1_state_update (ctx, line, strlen(line));
+ 	}
+     }
+ }
+@@ -472,10 +472,10 @@
        if (ch == ',')
  	{
  	  struct buffer buf_orig = buf;
@@ -288,24 +306,17 @@
  	    }
  	  if (!c->c2.did_pre_pull_restore)
  	    {
-@@ -465,13 +465,13 @@ process_incoming_push_msg (struct contex
+@@ -493,8 +493,8 @@
- 	      {
+ 		{
- 	      case 0:
+ 		  case 0:
- 	      case 1:
+ 		  case 1:
--		md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
+-		    md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
--		md5_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
+-		    c->c2.pulled_options_md5_init_done = false;
--	        c->c2.pulled_options_md5_init_done = false;
++		    sha1_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
-+		sha1_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
++		    c->c2.pulled_options_sha1_init_done = false;
-+		sha1_state_final (&c->c2.pulled_options_state, &c->c2.pulled_options_digest);
+ 		    ret = PUSH_MSG_REPLY;
-+	        c->c2.pulled_options_sha1_init_done = false;
+ 		    break;
- 		ret = PUSH_MSG_REPLY;
+ 		  case 2:
- 		break;
- 	      case 2:
--		md5_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
-+		sha1_state_update (&c->c2.pulled_options_state, BPTR(&buf_orig), BLEN(&buf_orig));
- 		ret = PUSH_MSG_CONTINUATION;
- 		break;
- 	      }
 --- openvpn-2.3.2/src/openvpn/ssl.c
 +++ openvpn-2.3.2/src/openvpn/ssl.c	2015/02/19 09:15:02
 @@ -1342,8 +1342,8 @@ tls1_P_hash(const md_kt_t *md_kt,

openvpn-fips140-AES-cipher-in-config-template.patch

@@ -1,35 +0,0 @@
-From: Andreas Stieger <astieger@suse.com>
-Date: Thu, 08 Sep 2016 15:23:12 +0200
-Subject: Add an example for a FIPS 140-2 approved cipher configuration to the sample configuration file
-References: bsc#988522 https://github.com/OpenVPN/openvpn/commit/bde1b90da0db2d68d13d274102986f0ca7096c00
-Upstream: no
-
-The 2.3 default is blowfish which does not work in FIPS mode.
-This change was done in 2.4, and 2.4 will negotiate AES-256-GCM in TLS mode.
-
-Index: openvpn-2.3.8/sample/sample-config-files/client.conf
-===================================================================
---- openvpn-2.3.8.orig/sample/sample-config-files/client.conf	2015-07-17 07:43:32.000000000 +0200
-+++ openvpn-2.3.8/sample/sample-config-files/client.conf	2016-09-08 15:12:32.650248879 +0200
-@@ -111,6 +111,8 @@ remote-cert-tls server
- # If the cipher option is used on the server
- # then you must also specify it here.
- ;cipher x
-+# Use a FIPS 140-2 approved cipher in FIPS mode
-+;cipher AES-256-CBC   # AES-256
- 
- # Enable compression on the VPN link.
- # Don't enable this unless it is also
-Index: openvpn-2.3.8/sample/sample-config-files/server.conf
-===================================================================
---- openvpn-2.3.8.orig/sample/sample-config-files/server.conf	2015-07-17 07:43:32.000000000 +0200
-+++ openvpn-2.3.8/sample/sample-config-files/server.conf	2016-09-08 15:11:55.869874892 +0200
-@@ -249,6 +249,8 @@ keepalive 10 120
- ;cipher BF-CBC        # Blowfish (default)
- ;cipher AES-128-CBC   # AES
- ;cipher DES-EDE3-CBC  # Triple-DES
-+# Use a FIPS 140-2 approved cipher in FIPS mode
-+;cipher AES-256-CBC   # AES-256
- 
- # Enable compression on the VPN link.
- # If you enable it here, you must also

openvpn.changes

@@ -1,3 +1,75 @@
+-------------------------------------------------------------------
+Sat Dec  3 21:26:52 UTC 2016 - michael@stroeder.com
+
+- update to 2.3.13
+- removed obsolete patch files openvpn-2.3.0-man-dot.diff and
+  openvpn-fips140-AES-cipher-in-config-template.patch
+
+2016.11.02 -- Version 2.3.13
+  Arne Schwabe (2):
+  * Use AES ciphers in our sample configuration files and add a few modern 2.4 examples
+  * Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer
+  David Sommerseth (4):
+  * t_client.sh: Make OpenVPN write PID file to avoid various sudo issues
+  * t_client.sh: Add support for Kerberos/ksu
+  * t_client.sh: Improve detection if the OpenVPN process did start during tests
+  * t_client.sh: Add prepare/cleanup possibilties for each test case
+  Gert Doering (5):
+  * Do not abort t_client run if OpenVPN instance does not start.
+  * Fix t_client runs on OpenSolaris
+  * make t_client robust against sudoers misconfiguration
+  * add POSTINIT_CMD_suf to t_client.sh and sample config
+  * Fix --multihome for IPv6 on 64bit BSD systems.
+  Ilya Shipitsin (1):
+  * skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto
+  Lev Stipakov (2):
+  * Exclude peer-id from pulled options digest
+  * Fix compilation in pedantic mode
+  Samuli Seppänen (1):
+  * Automatically cache expected IPs for t_client.sh on the first run
+  Steffan Karger (6):
+  * Fix unittests for out-of-source builds
+  * Make gnu89 support explicit
+  * cleanup: remove code duplication in msg_test()
+  * Update cipher-related man page text
+  * Limit --reneg-bytes to 64MB when using small block ciphers
+  * Add a revoked cert to the sample keys
+
+2016.08.23 -- Version 2.3.12
+  Arne Schwabe (2):
+  * Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it.
+  * Move ASSERT so external-key with OpenSSL works again
+  David Sommerseth (3):
+  * Only build and run cmocka unit tests if its submodule is initialized
+  * Another fix related to unit test framework
+  * Remove NOP function and callers
+  Dorian Harmans (1):
+  * Add CHACHA20-POLY1305 ciphersuite IANA name translations.
+  Ivo Manca (1):
+  * Plug memory leak in mbedTLS backend
+  Jeffrey Cutter (1):
+  * Update contrib/pull-resolv-conf/client.up for no DOMAIN
+  Jens Neuhalfen (2):
+  * Add unit testing support via cmocka
+  * Add a test for auth-pam searchandreplace
+  Josh Cepek (1):
+  * Push an IPv6 CIDR mask used by the server, not the pool's size
+  Leon Klingele (1):
+  * Add link to bug tracker
+  Samuli Seppänen (2):
+  * Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes
+  * Clarify the fact that build instructions in README are for release tarballs
+  Selva Nair (4):
+  * Make error non-fatal while deleting address using netsh
+  * Make block-outside-dns work with persist-tun
+  * Ignore SIGUSR1/SIGHUP during exit notification
+  * Promptly close the netcmd_semaphore handle after use
+  Steffan Karger (4):
+  * Fix polarssl / mbedtls builds
+  * Don't limit max incoming message size based on c2->frame
+  * Fix '--cipher none --cipher' crash
+  * Discourage using 64-bit block ciphers
+
 -------------------------------------------------------------------
 Mon Nov 28 16:33:34 UTC 2016 - matwey.kornilov@gmail.com
 

openvpn.spec

@@ -32,7 +32,7 @@ Url:            http://openvpn.net/
 %else
 PreReq:         %insserv_prereq %fillup_prereq
 %endif
-Version:        2.3.11
+Version:        2.3.13
 Release:        0
 Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
 License:        SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1
@@ -50,9 +50,7 @@ Source9:        %{name}.target
 Source10:       %{name}-tmpfile.conf
 Source11:       rc%{name}
 Patch1:         %{name}-2.3-plugin-man.dif
-Patch5:         %{name}-2.3.0-man-dot.diff
 Patch6:         %{name}-fips140-2.3.2.patch
-Patch7:         openvpn-fips140-AES-cipher-in-config-template.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  iproute2
 BuildRequires:  lzo-devel
@@ -136,9 +134,7 @@ This package provides the header file to build external plugins.
 %prep
 %setup -q -n %{name}-%{version}
 %patch1 -p0
-%patch5 -p0
 %patch6 -p1
-%patch7 -p1
 
 sed -e "s|\" __DATE__|$(date '+%b %e %Y' -r version.m4)\"|g" \
     -i src/openvpn/options.c