rpm/openvpn
SHA256
1
0
Fork 0
forked from pool/openvpn
Code Pull Requests Activity
ad6d5b8047
openvpn/openvpn-fips140-2.3.2.patch
Reinhard Max 5126890df2 - Update to 2.5.3: 
* Removal of BF-CBC support in default configuration
    *** POSSIBLE INCOMPATIBILITY ***
    See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
  * Connections setup is now much faster
  * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
  * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
  * Client-specific tls-crypt keys (--tls-crypt-v2)
  * Improved Data channel cipher negotiation
  * HMAC based auth-token support for seamless reconnects to
    standalone servers or a group of servers
  * Asynchronous (deferred) authentication support for auth-pam
    plugin
  * Asynchronous (deferred) support for client-connect scripts and
    plugins
  * Support IPv4 configs with /31 netmasks
  * 802.1q VLAN support on TAP servers
  * Support IPv6-only tunnels
  * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
  * Support Virtual Routing and Forwarding (VRF)
  * Netlink integration (OpenVPN no longer needs to execute
    ifconfig/route or ip commands)
  * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
- bsc#1062157: The fix for bsc#934237 causes problems with the
  crypto self-test of newer openvpn versions.
  Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .

OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=165
2021-08-05 14:32:44 +00:00

124 lines
4.1 KiB
Diff
Raw Blame History

From a33c0d811ad976561e5cb5bfc8431c1a286e796b Mon Sep 17 00:00:00 2001
From: Nirmoy Das <ndas@suse.de>
Date: Fri, 23 Jun 2017 11:00:08 +0200
Subject: [PATCH] fips-140
Signed-off-by: Nirmoy Das <ndas@suse.de>
---
src/openvpn/crypto.c | 2 +-
src/openvpn/crypto_backend.h | 3 ++-
src/openvpn/crypto_openssl.c | 6 +++++-
src/openvpn/ntlm.c | 2 +-
src/openvpn/options.c | 4 ++++
src/openvpn/ssl.c | 4 ++--
6 files changed, 15 insertions(+), 6 deletions(-)
--- src/openvpn/crypto.c.orig
+++ src/openvpn/crypto.c
@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const
if (kt->digest && kt->hmac_length > 0)
{
ctx->hmac = hmac_ctx_new();
- hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
+ hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
msg(D_HANDSHAKE,
"%s: Using %d bit message hash '%s' for HMAC authentication",
--- src/openvpn/crypto_backend.h.orig
+++ src/openvpn/crypto_backend.h
@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx);
* @param key The key to use for the HMAC
* @param key_len The key length to use
* @param kt Static message digest parameters
+ * @param prf_use Intended use for PRF in TLS protocol
*
*/
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
- const md_kt_t *kt);
+ const md_kt_t *kt, bool prf_use);
/*
* Free the given HMAC context.
--- src/openvpn/crypto_openssl.c.orig
+++ src/openvpn/crypto_openssl.c
@@ -1008,11 +1008,15 @@ hmac_ctx_free(HMAC_CTX *ctx)
void
hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
- const EVP_MD *kt)
+ const EVP_MD *kt, bool prf_use)
{
ASSERT(NULL != kt && NULL != ctx);
HMAC_CTX_reset(ctx);
+ /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
+ * * to be used anywhere else */
+ if(kt == EVP_md5() && prf_use)
+ HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
HMAC_Init_ex(ctx, key, key_len, kt, NULL);
/* make sure we used a big enough key */
--- src/openvpn/ntlm.c.orig
+++ src/openvpn/ntlm.c
@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da
const md_kt_t *md5_kt = md_kt_get("MD5");
hmac_ctx_t *hmac_ctx = hmac_ctx_new();
- hmac_ctx_init(hmac_ctx, key, key_len, md5_kt);
+ hmac_ctx_init(hmac_ctx, key, key_len, md5_kt, 0);
hmac_ctx_update(hmac_ctx, data, data_len);
hmac_ctx_final(hmac_ctx, result);
hmac_ctx_cleanup(hmac_ctx);
--- src/openvpn/options.c.orig
+++ src/openvpn/options.c
@@ -850,6 +850,10 @@ init_options(struct options *o, const bo
o->tcp_queue_limit = 64;
o->max_clients = 1024;
o->max_routes_per_client = 256;
+#ifdef OPENSSL_FIPS
+ if(FIPS_mode())
+ o->ciphername = "AES-256-CBC";
+#endif
o->stale_routes_check_interval = 0;
o->ifconfig_pool_persist_refresh_freq = 600;
#if P2MP
@@ -3087,6 +3091,12 @@ options_postprocess_cipher(struct option
if (!o->ciphername)
{
o->ciphername = "BF-CBC";
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ {
+ o->ciphername = "AES-256-CBC";
+ }
+#endif
}
return;
}
@@ -3109,6 +3119,12 @@ options_postprocess_cipher(struct option
/* We still need to set the ciphername to BF-CBC since various other
* parts of OpenVPN assert that the ciphername is set */
o->ciphername = "BF-CBC";
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ {
+ o->ciphername = "AES-256-CBC";
+ }
+#endif
}
else if (!o->enable_ncp_fallback
&& !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))
--- src/openvpn/ssl.c.orig
+++ src/openvpn/ssl.c
@@ -1661,8 +1661,8 @@ tls1_P_hash(const md_kt_t *md_kt,
int chunk = md_kt_size(md_kt);
unsigned int A1_len = md_kt_size(md_kt);
- hmac_ctx_init(ctx, sec, sec_len, md_kt);
- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
+ hmac_ctx_init(ctx, sec, sec_len, md_kt, 1);
+ hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt, 1);
hmac_ctx_update(ctx,seed,seed_len);
hmac_ctx_final(ctx, A1);
View Git Blame Copy Permalink