Accepting request 1082779 from home:msaquib:branches:network:vpn
- update to 2.6.3: * For full changelog please refer to: https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst * implement byte counter statistics for DCO Linux (p2mp server and client) * implement byte counter statistics for DCO Windows (client only) * '--dns server <n> address ...' now permits up to 8 v4 or v6 addresses * fix a few cases of possibly undefined behaviour detected by ASAN * add more unit tests for Windows cryptoapi interface * Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a tls-crypt key that is used for renegotiation. This ensures that only the previously authenticated peer can trigger renegotiation and complete renegotiations. * Keying Material Exporters (RFC 5705) based key generation * As part of the cipher negotiation OpenVPN will automatically prefer the RFC5705 based key material generation to the current custom OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+. * OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort has been made to check or implement all the requirements/recommendations of FIPS 140-2. This just allows OpenVPN to be run on a system that has OpenSSL configured in FIPS mode. * mlock will now check if enough memlock-able memory has been reserved, and if less than 100MB RAM are available, use setrlimit() to upgrade the limit. See Trac #1390. Not available on OpenSolaris. * The --peer-fingerprint option has been introduced to give users an easy to use alternative to the tls-verify for matching the fingerprint of the peer. The option takes a number of allowed SHA256 certificate fingerprints. * When --peer-fingerprint is used, the --ca and --capath option become OBS-URL: https://build.opensuse.org/request/show/1082779 OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=189
This commit is contained in:
parent
28504fd594
commit
fc90bfc0a8
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:8794b7125998c68f30de654267a702b9581454ca1e7061511fcc5f99fea4bd32
|
||||
size 1840560
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEVmH/adZUFVhLcg/Ai3QXs+uzswkFAmPsuVsACgkQi3QXs+uz
|
||||
swmCnA/9HZonTX9ShsdohsrxMmFk0PwgOKWabjm82rFPLqcIx/3UOhEBJsmKwUnX
|
||||
+aT/6qEgLTDc8O2YNofk3J+RPLbUoAf42orbCYYcz86AVKnqjBQ4Lmeo1GzkZM4F
|
||||
8KqmovYGMR0taOHd/qVLOWsczYofrnDcc2gAjGJUhcrhGqajL4MX7zXMgiL/rMeZ
|
||||
AsaGi95WbJaw17oWKgNb2XW2iQ1/LNtJPyB9E8L/1tIEolYrXAMrWn4L4A6h51j/
|
||||
Lo+HqRS85gawWR48g6nlP/sGmCamoQFF0SH7YX07qGL180i+ouDzH+WCGolKgJAW
|
||||
V6s6TAJzXIGc7KV5Wvz6uWn0zjqXJQzXFhkWatjO+HbPKn7wnvgRFnzElTTh9Tdt
|
||||
EkwtGek+/I8iQXOsLf+bk8bqv17C/6B84X52ZKxMCZU5mKF9es0SxKZK5tIR6J3q
|
||||
6K/ILMLC5EFT5Vr55Ls4+upKZtcs+yvs1bo1QhM1pYJglwak1ZFDMZcXSU88I0k8
|
||||
ThGD1WGSvlHJTPu7LfRGMv57oUEJ9/5RE6ehcX/i5mg9O32ICtfS/kzKoJTAN61a
|
||||
msVzBbamQafq92ZgtkCIk3v/0MXPwSHL/xIBckKM5foAVw/+zyG3kOYiMf3h1ho7
|
||||
TjiCJV1fySbazFkKEQKnHWoLSOPcpy0NWwEyNLwPmQGmANhZaLo=
|
||||
=0TR5
|
||||
-----END PGP SIGNATURE-----
|
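--- a/openvpn-2.6.3.tar.gz
+++ b/openvpn-2.6.3.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:13b207a376d8880507c74ff78aabc3778a9da47c89f1e247dcee3c7237138ff6
+size 1860557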
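--- a/openvpn-2.6.3.tar.gz.asc
+++ b/openvpn-2.6.3.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEVmH/adZUFVhLcg/Ai3QXs+uzswkFAmQ33N8ACgkQi3QXs+uz
+swlZQBAApR0ge0c+HyMay1rQDkSV8YgOmpoIrOh2BaPqxs8a5eeumBbWjv/jBtUu
+bOXwpYz127fLA1H9MdKbsgOIB/uniiQPFurUkyLw/11mWCxmpaykwMA8SDfz+Zdy
+7SaX/2IaouyXMDydMfzjWXZX20+Ek9MeFJFczWj3LQS2ohGPXc0CPde4yNwR6QKf
+Rv31Y55ysMB/p+snCumzLo6quvVyqzJkZdzygefk+uOSc7GfwpZxifr8B4v5aAtm
+922Rp3NIithzdYK8VZWPbVIeQqwZSyJ+SXb88ALtHKHTMeYk5qXFzl10a33HQDCY
+gzTjYXMkVzIYMaEvLCyb/zwOri3XUzbd5a/6WIaaW5BrM2PyQhKqf7m7iOTFasaF
+em+664o6tsCzmb8lFJCygWxgc8iszzHJS1WaV8jasek7GSkj0NE4tmsYDULK8nXA
+wVrnWRVHuAKjOYwE6lGapKJ6lOHYUwdgvIcUEKlCqM7PNNaWfutzf/l63UWnkKTc
+y6Q9tOm9m3yJka+Oqva3dcS8Wjo+e4s6xrhDTGZC480LDmCkz+NEsn3RxdoQh/pq
+BOkQfdElC0y2Pd54uucOgoQRQCCpQkCrB1J5SLhpqdFOVD2wAIY2VQzB9R+m9PJY
+uxvY9uSvJmiq2mZrAxX/kUKG/Xz/3OGa5vzm/UQJSSxFx9WkO1c=
+=U3/y
+-----END PGP SIGNATURE-----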
@ -1,123 +0,0 @@
|
||||
From a33c0d811ad976561e5cb5bfc8431c1a286e796b Mon Sep 17 00:00:00 2001
|
||||
From: Nirmoy Das <ndas@suse.de>
|
||||
Date: Fri, 23 Jun 2017 11:00:08 +0200
|
||||
Subject: [PATCH] fips-140
|
||||
|
||||
Signed-off-by: Nirmoy Das <ndas@suse.de>
|
||||
---
|
||||
src/openvpn/crypto.c | 2 +-
|
||||
src/openvpn/crypto_backend.h | 3 ++-
|
||||
src/openvpn/crypto_openssl.c | 6 +++++-
|
||||
src/openvpn/ntlm.c | 2 +-
|
||||
src/openvpn/options.c | 4 ++++
|
||||
src/openvpn/ssl.c | 4 ++--
|
||||
6 files changed, 15 insertions(+), 6 deletions(-)
|
||||
|
||||
--- src/openvpn/crypto.c.orig
|
||||
+++ src/openvpn/crypto.c
|
||||
@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
|
||||
if (kt->digest && kt->hmac_length > 0)
|
||||
{
|
||||
ctx->hmac = hmac_ctx_new();
|
||||
- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
|
||||
+ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
|
||||
|
||||
msg(D_HANDSHAKE,
|
||||
"%s: Using %d bit message hash '%s' for HMAC authentication",
|
||||
--- src/openvpn/crypto_backend.h.orig
|
||||
+++ src/openvpn/crypto_backend.h
|
||||
@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
|
||||
* @param key The key to use for the HMAC
|
||||
* @param key_len The key length to use
|
||||
* @param kt Static message digest parameters
|
||||
+ * @param prf_use Intended use for PRF in TLS protocol
|
||||
*
|
||||
*/
|
||||
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
|
||||
- const md_kt_t *kt);
|
||||
+ const md_kt_t *kt, bool prf_use);
|
||||
|
||||
/*
|
||||
* Free the given HMAC context.
|
||||
--- src/openvpn/crypto_openssl.c.orig
|
||||
+++ src/openvpn/crypto_openssl.c
|
||||
@@ -1008,11 +1008,15 @@ hmac_ctx_free(HMAC_CTX *ctx)
|
||||
|
||||
void
|
||||
hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
|
||||
- const EVP_MD *kt)
|
||||
+ const EVP_MD *kt, bool prf_use)
|
||||
{
|
||||
ASSERT(NULL != kt && NULL != ctx);
|
||||
|
||||
HMAC_CTX_reset(ctx);
|
||||
+ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
|
||||
+ * * to be used anywhere else */
|
||||
+ if(kt == EVP_md5() && prf_use)
|
||||
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
|
||||
HMAC_Init_ex(ctx, key, key_len, kt, NULL);
|
||||
|
||||
/* make sure we used a big enough key */
|
||||
--- src/openvpn/ntlm.c.orig
|
||||
+++ src/openvpn/ntlm.c
|
||||
@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
|
||||
const md_kt_t *md5_kt = md_kt_get("MD5");
|
||||
hmac_ctx_t *hmac_ctx = hmac_ctx_new();
|
||||
|
||||
- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
|
||||
+ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
|
||||
hmac_ctx_update(hmac_ctx, data, data_len);
|
||||
hmac_ctx_final(hmac_ctx, result);
|
||||
hmac_ctx_cleanup(hmac_ctx);
|
||||
--- src/openvpn/options.c.orig
|
||||
+++ src/openvpn/options.c
|
||||
@@ -850,6 +850,10 @@ init_options(struct options *o, const bo
|
||||
o->tcp_queue_limit = 64;
|
||||
o->max_clients = 1024;
|
||||
o->max_routes_per_client = 256;
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ if(FIPS_mode())
|
||||
+ o->ciphername = "AES-256-CBC";
|
||||
+#endif
|
||||
o->stale_routes_check_interval = 0;
|
||||
o->ifconfig_pool_persist_refresh_freq = 600;
|
||||
#if P2MP
|
||||
@@ -3087,6 +3091,12 @@ options_postprocess_cipher(struct option
|
||||
if (!o->ciphername)
|
||||
{
|
||||
o->ciphername = "BF-CBC";
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ if (FIPS_mode())
|
||||
+ {
|
||||
+ o->ciphername = "AES-256-CBC";
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
return;
|
||||
}
|
||||
@@ -3109,6 +3119,12 @@ options_postprocess_cipher(struct option
|
||||
/* We still need to set the ciphername to BF-CBC since various other
|
||||
* parts of OpenVPN assert that the ciphername is set */
|
||||
o->ciphername = "BF-CBC";
|
||||
+#ifdef OPENSSL_FIPS
|
||||
+ if (FIPS_mode())
|
||||
+ {
|
||||
+ o->ciphername = "AES-256-CBC";
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
else if (!o->enable_ncp_fallback
|
||||
&& !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
|
||||
--- src/openvpn/ssl.c.orig
|
||||
+++ src/openvpn/ssl.c
|
||||
@@ -1661,8 +1661,8 @@ tls1_P_hash(const md_kt_t *md_kt,
|
||||
int chunk = md_kt_size(md_kt);
|
||||
unsigned int A1_len = md_kt_size(md_kt);
|
||||
|
||||
- hmac_ctx_init(ctx, sec, sec_len, md_kt);
|
||||
- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
|
||||
+ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
|
||||
+ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
|
||||
|
||||
hmac_ctx_update(ctx,seed,seed_len);
|
||||
hmac_ctx_final(ctx, A1);
|
@ -1,4 +1,68 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Apr 25 14:02:08 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
|
||||
|
||||
- update to 2.6.3:
|
||||
* For full changelog please refer to:
|
||||
https://github.com/OpenVPN/openvpn/blob/v2.6.3/Changes.rst
|
||||
* implement byte counter statistics for DCO Linux (p2mp server
|
||||
and client)
|
||||
* implement byte counter statistics for DCO Windows (client only)
|
||||
* '--dns server <n> address ...' now permits up to 8 v4 or v6
|
||||
addresses
|
||||
* fix a few cases of possibly undefined behaviour detected by ASAN
|
||||
* add more unit tests for Windows cryptoapi interface
|
||||
* Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN
|
||||
will dynamically create a tls-crypt key that is used for
|
||||
renegotiation. This ensure that only the previously authenticated
|
||||
peer can do trigger renegotiation and complete renegotiations.
|
||||
* Keying Material Exporters (RFC 5705) based key generation
|
||||
* As part of the cipher negotiation OpenVPN will automatically prefer
|
||||
the RFC5705 based key material generation to the current custom
|
||||
OpenVPN PRF. This feature requires OpenSSL or mbed TLS 2.18+.
|
||||
* OpenVPN will now work with OpenSSL in FIPS mode. Note, no effort
|
||||
has been made to check or implement all the requirements/
|
||||
recommendation of FIPS 140-2. This just allows OpenVPN to be run on
|
||||
a system that be configured OpenSSL in FIPS mode.
|
||||
* mlock will now check if enough memlock-able memory has been reserved,
|
||||
and if less than 100MB RAM are available, use setrlimit() to upgrade
|
||||
the limit. See Trac #1390. Not available on OpenSolaris.
|
||||
* The --peer-fingerprint option has been introduced to give users an
|
||||
easy to use alternative to the tls-verify for matching the fingerprint
|
||||
of the peer. The option takes use a number of allowed SHA256
|
||||
certificate fingerprints.
|
||||
* When --peer-fingerprint is used, the --ca and --capath option become
|
||||
optional. This allows for small OpenVPN setups without setting up a
|
||||
PKI with Easy-RSA or similar software.
|
||||
* The --auth-user-pass-verify script supports now deferred authentication.
|
||||
* Both auth plugin and script can now signal pending authentication to
|
||||
the client when using deferred authentication. The new client-crresponse
|
||||
script option and OPENVPN_PLUGIN_CLIENT_CRRESPONSE plugin function can
|
||||
be used to parse a client response to a CR_TEXT two factor challenge.
|
||||
* The modernisation of defaults can impact the compatibility of OpenVPN
|
||||
2.6.0 with older peers. The options --compat-mode allows UIs to provide
|
||||
users with an easy way to still connect to older servers.
|
||||
* OpenSSL 3.0 has been added. Most of OpenSSL 3.0 changes are not user
|
||||
visible but improve general compatibility with OpenSSL 3.0.
|
||||
--tls-cert-profile insecure has been added to allow selecting the lowest
|
||||
OpenSSL security level (not recommended, use only if you must). OpenSSL
|
||||
3.0 no longer supports the Blowfish (and other deprecated) algorithm by
|
||||
default and the new option --providers allows loading the legacy provider
|
||||
to renable these algorithms.
|
||||
* Ciphers in --data-ciphers can now be prefixed with a ? to mark those as
|
||||
optional and only use them if the SSL library supports them.
|
||||
* The --mssfix and --fragment options now allow an optional mtu parameter to
|
||||
specify that different overhead for IPv4/IPv6 should taken into account
|
||||
and the resulting size is specified as the total size of the VPN packets
|
||||
including IP and UDP headers.
|
||||
* Instead of allocating a connection for each client on the initial packet
|
||||
OpenVPN server will now use an HMAC based cookie as its session id. This way
|
||||
the server can verify it on completing the handshake without keeping state.
|
||||
This eliminates the amplification and resource exhaustion attacks.
|
||||
For tls-crypt-v2 clients, this requires OpenVPN 2.6 clients or later because
|
||||
the client needs to resend its client key on completing the hand shake.
|
||||
The tls-crypt-v2 option allows controlling if older clients are accepted.
|
||||
- Removed openvpn-fips140-2.3.2.patch
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 2 07:34:31 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
|
||||
|
||||
- update to 2.5.9:
|
||||
|
@ -20,7 +20,7 @@
|
||||
%define _rundir %{_localstatedir}/run
|
||||
%endif
|
||||
Name: openvpn
|
||||
Version: 2.5.9
|
||||
Version: 2.6.3
|
||||
Release: 0
|
||||
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
|
||||
License: GPL-2.0-only WITH openvpn-openssl-exception
|
||||
@ -37,9 +37,11 @@ Source9: %{name}.target
|
||||
Source10: %{name}-tmpfile.conf
|
||||
Source11: rc%{name}
|
||||
Patch1: %{name}-2.3-plugin-man.dif
|
||||
Patch6: %{name}-fips140-2.3.2.patch
|
||||
BuildRequires: iproute2
|
||||
BuildRequires: libcap-ng-devel
|
||||
BuildRequires: liblz4-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: lz4
|
||||
BuildRequires: lzo-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: p11-kit-devel
|
||||
@ -116,7 +118,6 @@ This package provides the header file to build external plugins.
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1
|
||||
%patch6
|
||||
|
||||
sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
|
||||
-i src/openvpn/options.c
|
||||
|