Ana Guerrero
1cb5b5ef09 Accepting request 1233845 from network:vpn
- Set %_buildshell because of bashisms in build recipe ([[ and =~)
- Replace over-the-top `find -exec rm` by just -delete (forwarded request 1232791 from jengelh)

OBS-URL: https://build.opensuse.org/request/show/1233845
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=117
2024-12-30 11:50:53 +00:00
Richard Rahl
4b21f5f5e6 - Set %_buildshell because of bashisms in build recipe ([[ and =~)
- Replace over-the-top `find -exec rm` by just -delete

OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=210
2024-12-29 23:33:17 +00:00
Ana Guerrero
690bf31ff3 Accepting request 1218829 from network:vpn
OBS-URL: https://build.opensuse.org/request/show/1218829
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openvpn?expand=0&rev=116
2024-10-29 13:32:19 +00:00
c1302e0b01 bugowner:rjain Patch applied for the submission by rjain
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=208
2024-10-28 14:18:16 +00:00
bd1ac08c0b Accepting request 1174409 from home:bmwiedemann:branches:network:vpn
Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
  if libnl >= 3.4 is available

now recommends ovpn-dco kmp

still needs testing

OBS-URL: https://build.opensuse.org/request/show/1174409
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=207
2024-06-14 08:55:43 +00:00
3 changed files with 119 additions and 3 deletions


@ -0,0 +1,87 @@
diff -Naurp src.orig/openvpn/forward.c src/openvpn/forward.c
--- src.orig/openvpn/forward.c 2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/forward.c 2024-10-18 08:52:38.695704757 +0200
@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context
}
/*
- * Schedule a signal n_seconds from now.
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
*/
-void
-schedule_exit(struct context *c, const int n_seconds, const int signal)
+bool
+schedule_exit(struct context *c)
{
+ const int n_seconds = c->options.scheduled_exit_interval;
+ /* don't reschedule if already scheduled. */
+ if (event_timeout_defined(&c->c2.scheduled_exit))
+ {
+ return false;
+ }
tls_set_single_session(c->c2.tls_multi);
update_time();
reset_coarse_timers(c);
event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
- c->c2.scheduled_exit_signal = signal;
+ c->c2.scheduled_exit_signal = SIGTERM;
msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
+ return true;
}
/*
diff -Naurp src.orig/openvpn/forward.h src/openvpn/forward.h
--- src.orig/openvpn/forward.h 2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/forward.h 2024-10-18 08:53:26.223161629 +0200
@@ -302,7 +302,7 @@ void reschedule_multi_process(struct con
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
-void schedule_exit(struct context *c, const int n_seconds, const int signal);
+bool schedule_exit(struct context *c);
static inline struct link_socket_info *
get_link_socket_info(struct context *c)
diff -Naurp src.orig/openvpn/push.c src/openvpn/push.c
--- src.orig/openvpn/push.c 2024-10-17 14:19:53.719827337 +0200
+++ src/openvpn/push.c 2024-10-18 09:18:53.861388522 +0200
@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
* */
if (c->options.mode == MODE_SERVER)
{
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+ if(!schedule_exit(c))
+ {
+ /* Return early when we don't need to notify management */
+ return;
+ }
}
else
{
@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)
void
send_auth_failed(struct context *c, const char *client_reason)
{
- if (event_timeout_defined(&c->c2.scheduled_exit))
+ if (!schedule_exit(c))
{
msg(D_TLS_DEBUG, "exit already scheduled for context");
return;
@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, cons
static const char auth_failed[] = "AUTH_FAILED";
size_t len;
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-
len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
if (len > PUSH_BUNDLE_SIZE)
{
@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_mu
void
send_restart(struct context *c, const char *kill_msg)
{
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
+ schedule_exit(c);
send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
}
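Review bot: The patch headers use `src.orig/openvpn/forward.c` against `src/openvpn/forward.c` instead of `a/`/`b/` prefixes, so applying it with `-p1` resolves to `openvpn/forward.c`, while the new-side path itself shows the file lives under `src/openvpn/`; the `%prep` section that applies Patch2 is not in this diff, so confirm it uses `-p0` or regenerate the patch with `a/`/`b/` paths so the strip level is unambiguous. In the push.c hunk, `if(!schedule_exit(c))` drops the space that the surrounding code (`if (c->options.mode == MODE_SERVER)`) and the rest of the patch use; `if (!schedule_exit(c))` keeps the backport consistent with the file's style. The enclosing functions `receive_exit_message`, `send_auth_failed` and `send_restart` start or end outside their hunks, so the early `return` added for the already-scheduled case can only be judged against the visible tail of `receive_exit_message`.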


@ -1,3 +1,22 @@
-------------------------------------------------------------------
Fri Dec 20 08:13:18 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Set %_buildshell because of bashisms in build recipe
- Replace over-the-top `find -exec rm` by just -delete
-------------------------------------------------------------------
Thu Oct 10 08:13:54 UTC 2024 - Rahul Jain <rahul.jain@suse.com>
- Fix multiple exit notifications from authenticated clients will
extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
Patchname:openvpn-CVE-2024-28882.patch
-------------------------------------------------------------------
Thu May 16 06:42:54 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
- Enable Data-Channel-Offloading (DCO) for better performance (jsc#PED-8305)
if libnl >= 3.4 is available
-------------------------------------------------------------------
Thu Mar 21 08:33:45 UTC 2024 - Mohd Saquib <mohd.saquib@suse.com>


@ -16,6 +16,7 @@
#
%define _buildshell /bin/bash
%if ! %{defined _rundir}
%define _rundir %{_localstatedir}/run
%endif
@ -37,6 +38,7 @@ Source9: %{name}.target
Source10: %{name}-tmpfile.conf
Source11: rc%{name}
Patch1: %{name}-2.3-plugin-man.dif
Patch2: openvpn-CVE-2024-28882.patch
BuildRequires: iproute2
BuildRequires: libcap-ng-devel
BuildRequires: liblz4-devel
@ -49,10 +51,12 @@ BuildRequires: pam-devel
BuildRequires: pkcs11-helper-devel >= 1.11
BuildRequires: pkgconfig
BuildRequires: xz
BuildRequires: pkgconfig(libnl-genl-3.0)
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(systemd)
Requires: iproute2
Requires: pkcs11-helper >= 1.11
Recommends: ovpn-dco-kmp
%systemd_ordering
%description
@ -135,8 +139,14 @@ export LDFLAGS
# usrmerge
export IPROUTE="%{_sbindir}/ip"
%endif
libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)
if [[ $libnlversion == 3.[0-3].* ]] ; then
confopt=--enable-iproute2
else
confopt=--enable-dco
fi
%configure \
--enable-iproute2 \
$confopt \
--enable-x509-alt-username \
--enable-pkcs11 \
--enable-systemd \
@ -149,7 +159,7 @@ export IPROUTE="%{_sbindir}/ip"
%install
%make_install
find %{buildroot} -type f -name "*.la" -print -exec rm -f {} +
find %{buildroot} -type f -name "*.la" -print -delete
mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
mkdir -p %{buildroot}/%{_rundir}/openvpn
mkdir -p %{buildroot}/%{_datadir}/openvpn
@ -169,7 +179,7 @@ install -m 755 %{SOURCE5} sample/sample-scripts/client-netconfig.down
# we install docs via spec into _defaultdocdir/name/management-notes.txt
rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}}
find sample -name .gitignore -exec rm -f {} +
find sample -name .gitignore -delete
%pre
%service_add_pre %{name}.target
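Review bot: The libnl probe `libnlversion=$(rpm -q --qf "%%{version}" libnl3-devel)` fails open: if `libnl3-devel` is not the package that satisfies the new `BuildRequires: pkgconfig(libnl-genl-3.0)`, `rpm -q` prints an error string rather than a version, the `3.[0-3].*` pattern does not match, and the build silently takes the `--enable-dco` branch. Querying the same pkg-config module the BuildRequires pins removes that failure mode and the `[[`-bashism the later commit works around with `%_buildshell`: replace the two probe lines with `if ! pkg-config --atleast-version=3.4 libnl-genl-3.0; then` and keep the existing `confopt=--enable-iproute2` / `else` / `confopt=--enable-dco` / `fi` body. The `%prep` section that would apply the newly declared `Patch2: openvpn-CVE-2024-28882.patch` is not in this diff, so whether the CVE patch is actually applied, and at which strip level, cannot be confirmed from here.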