-rw-r--r--UPDATING12
-rw-r--r--security/openvpn/Makefile79
-rw-r--r--security/openvpn/distinfo6
-rw-r--r--security/openvpn/files/extra-tunnelblick-openvpn_xorpatch234
-rw-r--r--security/openvpn/files/patch-configure11
-rw-r--r--security/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992136
-rw-r--r--security/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da8861
-rw-r--r--security/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea214
-rw-r--r--security/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f40
-rw-r--r--security/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf528
-rw-r--r--security/openvpn/files/patch-src_openvpn_ssl__openssl.c69
-rw-r--r--security/openvpn/pkg-plist6
12 files changed, 175 insertions, 721 deletions
diff --git a/UPDATING b/UPDATING
index b28b76d821ff..9be8a4fc46a5 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,18 @@ they are unavoidable.
You should get into the habit of checking this file for changes each time
you update your ports collection, before attempting any port upgrades.
+20201030:
+ AFFECTS: users of security/openvpn
+ AUTHOR: mandree@FreeBSD.org
+
+ The security/openvpn port has been updated to v2.5.0, which brings a
+ change to the default ciphersuite, which no longer contains BF-CBC.
+
+ Some options have been removed. Also, if you need to support very old (v2.3)
+ and unsupported clients or servers, you will need to adjust the
+ configuration. For details, see:
+ https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-25
+
20201029:
AFFECTS: users of www/node
AUTHOR: bhughes@FreeBSD.org
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index 4d8cd96ced06..2d47712fedeb 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openvpn
-DISTVERSION= 2.4.9
-PORTREVISION?= 3
+DISTVERSION= 2.5.0
+PORTREVISION?= 0
CATEGORIES= security net net-vpn
MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \
https://build.openvpn.net/downloads/releases/ \
@@ -15,86 +15,79 @@ COMMENT?= Secure IP/Ethernet tunnel daemon
LICENSE= GPLv2
LICENSE_FILE= ${WRKSRC}/COPYRIGHT.GPL
-USES= cpe libtool pkgconfig shebangfix tar:xz
-
-CONFLICTS_INSTALL?= openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]*
+USES= cpe libtool localbase:ldflags pkgconfig shebangfix tar:xz
+IGNORE_SSL= libressl libressl-devel
+USE_RC_SUBR= openvpn
-GNU_CONFIGURE= yes
SHEBANG_FILES= sample/sample-scripts/verify-cn \
sample/sample-scripts/auth-pam.pl \
sample/sample-scripts/ucn.pl
+
+GNU_CONFIGURE= yes
CONFIGURE_ARGS+= --enable-strict
# set PLUGIN_LIBDIR so that unqualified plugin paths are found:
CONFIGURE_ENV+= PLUGINDIR="${PREFIX}/lib/openvpn/plugins"
+CONFLICTS_INSTALL?= openvpn-2.[!5].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]*
+
+SUB_FILES= pkg-message openvpn-client
+
+PORTDOCS= *
+PORTEXAMPLES= *
+
# avoid picking up CMAKE, we don't have cmocka in the tarballs.
CONFIGURE_ENV+= ac_cv_prog_CMAKE= CMAKE=
-# let OpenVPN's configure script pick up the requisite libraries,
-# but do not break the plugin build if an older version is installed
-# XXX FIXME: once there is an opportunity for testing with older
-# versions with incompatible plugins again, try USES+=localbase:ldflags,
-# suggested by Mateusz Piotrowski 0mp@ 2020-07-17
-CPPFLAGS+= -I${WRKSRC}/include -I${LOCALBASE}/include
-LDFLAGS+= -L${LOCALBASE}/lib -Wl,--as-needed
-
OPTIONS_DEFINE= PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
TEST LZ4 LZO SMALL TUNNELBLICK ASYNC_PUSH
OPTIONS_DEFAULT= EASYRSA OPENSSL TEST LZ4 LZO
OPTIONS_SINGLE= SSL
OPTIONS_SINGLE_SSL= OPENSSL MBEDTLS
ASYNC_PUSH_DESC= Enable async-push support
-PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only)
EASYRSA_DESC= Install security/easy-rsa RSA helper package
MBEDTLS_DESC= SSL/TLS via mbedTLS (lacks TLS v1.3)
+PKCS11_DESC= Use security/pkcs11-helper (OpenSSL only)
+SMALL_DESC= Build a smaller executable with fewer features
TUNNELBLICK_DESC= Tunnelblick XOR scramble patch (READ HELP!)
X509ALTUSERNAME_DESC= Enable --x509-username-field (OpenSSL only)
-SMALL_DESC= Build a smaller executable with fewer features
-ASYNC_PUSH_CONFIGURE_ENABLE= async-push
ASYNC_PUSH_LIB_DEPENDS= libinotify.so:devel/libinotify
+ASYNC_PUSH_CONFIGURE_ENABLE= async-push
EASYRSA_RUN_DEPENDS= easy-rsa>=0:security/easy-rsa
-PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper
-PKCS11_CONFIGURE_ENABLE= pkcs11
-PKCS11_PREVENTS= MBEDTLS
-PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead
-
-TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
-
-X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
-X509ALTUSERNAME_PREVENTS= MBEDTLS
-X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
+LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4
+LZ4_CONFIGURE_ENABLE= lz4
-OPENSSL_USES= ssl
-OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl
+LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2
+LZO_CONFIGURE_ENABLE= lzo
MBEDTLS_LIB_DEPENDS= libmbedtls.so:security/mbedtls
MBEDTLS_CONFIGURE_ON= --with-crypto-library=mbedtls
-LZO_CONFIGURE_ENABLE= lzo
-LZO_LIB_DEPENDS+= liblzo2.so:archivers/lzo2
+OPENSSL_USES= ssl
+OPENSSL_CONFIGURE_ON= --with-crypto-library=openssl
-LZ4_CONFIGURE_ENABLE= lz4
-LZ4_LIB_DEPENDS+= liblz4.so:archivers/liblz4
+PKCS11_PREVENTS= MBEDTLS
+PKCS11_PREVENTS_MSG= OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead
+PKCS11_LIB_DEPENDS= libpkcs11-helper.so:security/pkcs11-helper
+PKCS11_CONFIGURE_ENABLE= pkcs11
SMALL_CONFIGURE_ENABLE= small
-USE_RC_SUBR= openvpn
+TEST_ALL_TARGET= check
+TEST_TEST_TARGET_OFF= check
-SUB_FILES= pkg-message openvpn-client
+TUNNELBLICK_EXTRA_PATCHES= ${FILESDIR}/extra-tunnelblick-openvpn_xorpatch:-p1
+
+X509ALTUSERNAME_PREVENTS= MBEDTLS
+X509ALTUSERNAME_PREVENTS_MSG= OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
+X509ALTUSERNAME_CONFIGURE_ENABLE= x509-alt-username
.ifdef (LOG_OPENVPN)
CFLAGS+= -DLOG_OPENVPN=${LOG_OPENVPN}
.endif
-PORTDOCS= *
-PORTEXAMPLES= *
-
-TEST_ALL_TARGET= check
-TEST_TEST_TARGET_OFF= check
-
.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MMBEDTLS}
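Review bot: The new `IGNORE_SSL= libressl libressl-devel` line rejects both LibreSSL flavours without saying why, and the comment block that used to sit above the old CPPFLAGS/LDFLAGS lines was the only place the SSL/link rationale was written down, so after this hunk the Makefile carries no explanation at all. A one-line comment above it, e.g. `# LibreSSL is excluded: OpenVPN 2.5.0 needs OpenSSL APIs it lacks (see <upstream-reference-placeholder>)`, with the real reason filled in, would let a later maintainer re-test and lift the restriction once it no longer applies. The same hunk also drops `-Wl,--as-needed` together with the old `LDFLAGS+=` line; if that was deliberate rather than a side effect of moving to `USES=localbase:ldflags`, it deserves a word here, since the removed comment tied those flags to keeping the plugin build working against older installed libraries.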
@@ -140,11 +133,13 @@ post-install:
@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
${MKDIR} ${STAGEDIR}${PREFIX}/include
+ @: # workaround for 2.5.0 only XXX FIXME remove after 2.5.0
+ ${INSTALL_MAN} ${WRKSRC}/doc/openvpn.8 ${STAGEDIR}${MANPREFIX}/man/man8
post-install-DOCS-on:
${MKDIR} ${STAGEDIR}${DOCSDIR}/
.for i in AUTHORS ChangeLog PORTS
- ${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
+ ${INSTALL_MAN} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
.endfor
post-install-EXAMPLES-on:
diff --git a/security/openvpn/distinfo b/security/openvpn/distinfo
index f925de019854..86ed7defd29a 100644
--- a/security/openvpn/distinfo
+++ b/security/openvpn/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1587146198
-SHA256 (openvpn-2.4.9.tar.xz) = 641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
-SIZE (openvpn-2.4.9.tar.xz) = 954264
+TIMESTAMP = 1604077828
+SHA256 (openvpn-2.5.0.tar.xz) = 029a426e44d656cb4e1189319c95fe6fc9864247724f5599d99df9c4c3478fbd
+SIZE (openvpn-2.5.0.tar.xz) = 1126928
diff --git a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch b/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch
index 63e73bae2b08..bb00494137c0 100644
--- a/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch
+++ b/security/openvpn/files/extra-tunnelblick-openvpn_xorpatch
@@ -10,47 +10,47 @@ detail on the following wiki page:
https://tunnelblick.net/cOpenvpn_xorpatch.html
-The patch was ported to OpenVPN 2.4 by OPNsense.
-
---- src/openvpn/forward.c.orig 2016-12-22 07:25:18 UTC
-+++ src/openvpn/forward.c
-@@ -730,7 +730,10 @@ read_incoming_link(struct context *c)
+diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/forward.c openvpn-2.5_beta1.new/src/openvpn/forward.c
+--- openvpn-2.5_beta1.old/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400
++++ openvpn-2.5_beta1.new/src/openvpn/forward.c 2020-08-16 11:57:15.000000000 -0400
+@@ -811,7 +811,10 @@
status = link_socket_read(c->c2.link_socket,
&c->c2.buf,
- &c->c2.from);
-+ &c->c2.from,
-+ c->options.ce.xormethod,
-+ c->options.ce.xormask,
-+ c->options.ce.xormasklen);
++ &c->c2.from,
++ c->options.ce.xormethod,
++ c->options.ce.xormask,
++ c->options.ce.xormasklen);
if (socket_connection_reset(c->c2.link_socket, status))
{
-@@ -1368,7 +1371,10 @@ process_outgoing_link(struct context *c)
+@@ -1621,7 +1624,10 @@
/* Send packet */
size = link_socket_write(c->c2.link_socket,
&c->c2.to_link,
- to_addr);
+ to_addr,
-+ c->options.ce.xormethod,
-+ c->options.ce.xormask,
-+ c->options.ce.xormasklen);
++ c->options.ce.xormethod,
++ c->options.ce.xormask,
++ c->options.ce.xormasklen);
/* Undo effect of prepend */
link_socket_write_post_size_adjust(&size, size_delta, &c->c2.to_link);
---- src/openvpn/options.c.orig 2016-12-22 07:25:18 UTC
-+++ src/openvpn/options.c
-@@ -811,6 +811,9 @@ init_options(struct options *o, const bo
+diff -u -r -x .DS_Store openvpn-2.5_rc3.old/src/openvpn/options.c openvpn-2.5_rc3.new/src/openvpn/options.c
+--- openvpn-2.5_rc3.old/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400
++++ openvpn-2.5_rc3.new/src/openvpn/options.c 2020-10-19 13:38:17.000000000 -0400
+@@ -821,6 +821,9 @@
o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
o->resolve_in_advance = false;
o->proto_force = -1;
+ o->ce.xormethod = 0;
+ o->ce.xormask = "\0";
+ o->ce.xormasklen = 0;
- #ifdef ENABLE_OCC
o->occ = true;
- #endif
-@@ -972,6 +975,9 @@ setenv_connection_entry(struct env_set *
+ #ifdef ENABLE_MANAGEMENT
+ o->management_log_history_cache = 250;
+@@ -973,6 +976,9 @@
setenv_str_i(es, "local_port", e->local_port, i);
setenv_str_i(es, "remote", e->remote, i);
setenv_str_i(es, "remote_port", e->remote_port, i);
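Review bot: The provenance line `The patch was ported to OpenVPN 2.4 by OPNsense.` is removed at the top of this hunk and nothing takes its place, so the file no longer records where the 2.5 version of the XOR patch comes from. The new per-file headers point to several different Tunnelblick snapshots (`openvpn-2.5_beta1`, `openvpn-2.5_rc3`, `openvpn-2.5_git_57d6f10`, `openvpn-2.5_git_974513e`) rather than one release, which is worth stating explicitly for a patch that alters the on-the-wire packet format. Suggest restoring a line in the header prose such as `The 2.5 version is taken from Tunnelblick's patch set (see the wiki page above); its per-file hunks were generated against different 2.5 pre-release snapshots.`, adjusted if the maintainer's actual source differs.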
@@ -60,17 +60,17 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
if (e->http_proxy_options)
{
-@@ -1474,6 +1480,9 @@ show_connection_entry(const struct conne
+@@ -1452,6 +1458,9 @@
SHOW_BOOL(bind_ipv6_only);
SHOW_INT(connect_retry_seconds);
SHOW_INT(connect_timeout);
-+ SHOW_INT(xormethod);
-+ SHOW_STR(xormask);
-+ SHOW_INT(xormasklen);
++ SHOW_INT (xormethod);
++ SHOW_STR (xormask);
++ SHOW_INT (xormasklen);
if (o->http_proxy_options)
{
-@@ -5915,6 +5924,46 @@ add_option(struct options *options,
+@@ -6260,6 +6269,46 @@
}
options->proto_force = proto_force;
}
@@ -103,23 +103,24 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ }
+ else if (!p[2])
+ {
-+ msg(M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
++ msg (M_WARN, "WARNING: No recognized 'scramble' method specified; using 'scramble xormask \"%s\"'", p[1]);
+ options->ce.xormethod = 1;
+ options->ce.xormask = p[1];
+ options->ce.xormasklen = strlen(options->ce.xormask);
+ }
+ else
+ {
-+ msg(msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
++ msg (msglevel, "No recognized 'scramble' method specified or extra parameters for 'scramble'");
+ goto err;
+ }
+ }
else if (streq(p[0], "http-proxy") && p[1] && !p[5])
{
struct http_proxy_options *ho;
---- src/openvpn/options.h.orig 2016-12-22 07:25:18 UTC
-+++ src/openvpn/options.h
-@@ -98,6 +98,9 @@ struct connection_entry
+diff -u -r -x .DS_Store openvpn-2.5_git_57d6f10.old/src/openvpn/options.h openvpn-2.5_git_57d6f10.new/src/openvpn/options.h
+--- openvpn-2.5_git_57d6f10.old/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400
++++ openvpn-2.5_git_57d6f10.new/src/openvpn/options.h 2018-07-28 06:02:27.000000000 -0400
+@@ -99,6 +99,9 @@
int connect_retry_seconds;
int connect_retry_seconds_max;
int connect_timeout;
@@ -129,33 +130,36 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
struct http_proxy_options *http_proxy_options;
const char *socks_proxy_server;
const char *socks_proxy_port;
---- src/openvpn/socket.c.orig 2016-12-22 07:25:18 UTC
-+++ src/openvpn/socket.c
-@@ -55,6 +55,53 @@ const int proto_overhead[] = { /* indexe
+--- openvpn-2.5_git_974513e/src/openvpn/socket.c 2017-08-17 11:27:23.000000000 -0400
++++ openvpn-2.5_git_974513e_patched/src/openvpn/socket.c 2017-08-18 18:37:11.000000000 -0400
+@@ -54,6 +54,56 @@
IPv6_TCP_HEADER_SIZE,
};
-
-+int buffer_mask (struct buffer *buf, const char *mask, int xormasklen) {
-+ int i;
-+ uint8_t *b;
-+ if ( xormasklen > 0 ) {
-+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
-+ *b = *b ^ mask[i % xormasklen];
-+ }
-+ }
-+ return BLEN (buf);
+
++int buffer_mask(struct buffer *buf, const char *mask, int xormasklen)
++{
++ int i;
++ uint8_t *b;
++ if ( xormasklen > 0 ) {
++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
++ *b = *b ^ mask[i % xormasklen];
++ }
++ }
++ return BLEN (buf);
+}
+
-+int buffer_xorptrpos (struct buffer *buf) {
-+ int i;
-+ uint8_t *b;
-+ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
-+ *b = *b ^ i+1;
-+ }
-+ return BLEN (buf);
++int buffer_xorptrpos(struct buffer *buf)
++{
++ int i;
++ uint8_t *b;
++ for (i = 0, b = BPTR (buf); i < BLEN(buf); i++, b++) {
++ *b = *b ^ i+1;
++ }
++ return BLEN (buf);
+}
+
-+int buffer_reverse (struct buffer *buf) {
++int buffer_reverse(struct buffer *buf)
++{
+/* This function has been rewritten for Tunnelblick. The buffer_reverse function at
+ * https://github.com/clayface/openvpn_xorpatch
+ * makes a copy of the buffer and it writes to the byte **after** the
@@ -167,38 +171,39 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ * actually reverse the contents of the buffer. Instead, it changes 'abcde' to 'aedcb'.
+ * (Of course, the actual buffer contents are bytes, and not necessarily characters.)
+ */
-+ int len = BLEN(buf);
-+ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
-+ int i;
-+ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
-+ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
-+ uint8_t tmp;
-+ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
-+ tmp = *b_start;
-+ *b_start = *b_end;
-+ *b_end = tmp;
++ int len = BLEN(buf);
++ if ( len > 2 ) { /* Leave '', 'a', and 'ab' alone */
++ int i;
++ uint8_t *b_start = BPTR (buf) + 1; /* point to first byte to swap */
++ uint8_t *b_end = BPTR (buf) + (len - 1); /* point to last byte to swap */
++ uint8_t tmp;
++ for (i = 0; i < (len-1)/2; i++, b_start++, b_end--) {
++ tmp = *b_start;
++ *b_start = *b_end;
++ *b_end = tmp;
++ }
+ }
-+ }
-+ return len;
++ return len;
+}
+
/*
* Convert sockflags/getaddr_flags into getaddr_flags
*/
---- src/openvpn/socket.h.orig 2016-12-22 07:25:18 UTC
-+++ src/openvpn/socket.h
-@@ -249,6 +249,10 @@ struct link_socket
+diff -u -r -x .DS_Store openvpn-2.5_beta1.old/src/openvpn/socket.h openvpn-2.5_beta1.new/src/openvpn/socket.h
+--- openvpn-2.5_beta1.old/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400
++++ openvpn-2.5_beta1.new/src/openvpn/socket.h 2020-08-16 11:57:17.000000000 -0400
+@@ -249,6 +249,10 @@
#endif
};
-+int buffer_mask (struct buffer *buf, const char *xormask, int xormasklen);
-+int buffer_xorptrpos (struct buffer *buf);
-+int buffer_reverse (struct buffer *buf);
++int buffer_mask(struct buffer *buf, const char *xormask, int xormasklen);
++int buffer_xorptrpos(struct buffer *buf);
++int buffer_reverse(struct buffer *buf);
+
/*
* Some Posix/Win32 differences.
*/
-@@ -1046,30 +1050,55 @@ int link_socket_read_udp_posix(struct li
+@@ -1049,30 +1053,56 @@
static inline int
link_socket_read(struct link_socket *sock,
struct buffer *buf,
@@ -209,11 +214,10 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ int xormasklen)
{
+ int res;
-+
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
{
- int res;
--
+
#ifdef _WIN32
res = link_socket_read_udp_win32(sock, buf, from);
#else
@@ -233,33 +237,34 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
ASSERT(0);
return -1; /* NOTREACHED */
}
-+ switch (xormethod) {
-+ case 0:
-+ break;
-+ case 1:
-+ buffer_mask(buf,xormask,xormasklen);
-+ break;
-+ case 2:
-+ buffer_xorptrpos(buf);
-+ break;
-+ case 3:
-+ buffer_reverse(buf);
-+ break;
-+ case 4:
-+ buffer_mask(buf,xormask,xormasklen);
-+ buffer_xorptrpos(buf);
-+ buffer_reverse(buf);
-+ buffer_xorptrpos(buf);
-+ break;
-+ default:
-+ ASSERT (0);
-+ return -1; /* NOTREACHED */
++ switch(xormethod)
++ {
++ case 0:
++ break;
++ case 1:
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ case 2:
++ buffer_xorptrpos(buf);
++ break;
++ case 3:
++ buffer_reverse(buf);
++ break;
++ case 4:
++ buffer_mask(buf,xormask,xormasklen);
++ buffer_xorptrpos(buf);
++ buffer_reverse(buf);
++ buffer_xorptrpos(buf);
++ break;
++ default:
++ ASSERT (0);
++ return -1; /* NOTREACHED */
+ }
+ return res;
}
/*
-@@ -1159,8 +1188,33 @@ link_socket_write_udp(struct link_socket
+@@ -1163,8 +1193,34 @@
static inline int
link_socket_write(struct link_socket *sock,
struct buffer *buf,
@@ -269,27 +274,28 @@ The patch was ported to OpenVPN 2.4 by OPNsense.
+ const char *xormask,
+ int xormasklen)
{
-+ switch (xormethod) {
-+ case 0:
-+ break;
-+ case 1:
-+ buffer_mask(buf,xormask,xormasklen);
-+ break;
-+ case 2:
-+ buffer_xorptrpos(buf);
-+ break;
-+ case 3:
-+ buffer_reverse(buf);
-+ break;
-+ case 4:
-+ buffer_xorptrpos(buf);
-+ buffer_reverse(buf);
-+ buffer_xorptrpos(buf);
-+ buffer_mask(buf,xormask,xormasklen);
-+ break;
-+ default:
-+ ASSERT (0);
-+ return -1; /* NOTREACHED */
++ switch(xormethod)
++ {
++ case 0:
++ break;
++ case 1:
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ case 2:
++ buffer_xorptrpos(buf);
++ break;
++ case 3:
++ buffer_reverse(buf);
++ break;
++ case 4:
++ buffer_xorptrpos(buf);
++ buffer_reverse(buf);
++ buffer_xorptrpos(buf);
++ buffer_mask(buf,xormask,xormasklen);
++ break;
++ default:
++ ASSERT (0);
++ return -1; /* NOTREACHED */
+ }
if (proto_is_udp(sock->info.proto)) /* unified UDPv4 and UDPv6 */
{
diff --git a/security/openvpn/files/patch-configure b/security/openvpn/files/patch-configure
deleted file mode 100644
index 86b586fe526c..000000000000
--- a/security/openvpn/files/patch-configure
+++ /dev/null
@@ -1,11 +0,0 @@
---- configure.orig 2020-04-16 13:26:53 UTC
-+++ configure
-@@ -18226,8 +18226,6 @@ fi
- $as_echo "!! WARNING !! The cmoka git submodule has not been initialized or updated. Unit testing cannot be performed." >&6; }
- fi
- else
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&5
--$as_echo "!! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&6; }
- if false; then
- CMOCKA_INITIALIZED_TRUE=
- CMOCKA_INITIALIZED_FALSE='#'
diff --git a/security/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 b/security/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992
deleted file mode 100644
index b563b2793ecf..000000000000
--- a/security/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992
+++ /dev/null
@@ -1,136 +0,0 @@
-From 098edbb1f5a2e1360fd6a4ae0642b63bec12e992 Mon Sep 17 00:00:00 2001
-From: Jeremy Evans <code@jeremyevans.net>
-Date: Wed, 20 May 2020 11:34:04 -0700
-Subject: [PATCH] Switch assertion failure to returning false
-
-This assertion failure can be hit in production, which causes the
-openvpn server process to stop and all clients to be disconnected.
-Bug #1270 has been filed for this issue on Trac by another user
-who has experienced the issue, and this patch attempts to address it.
-
-Tracing callers, it appears that some callers check ks->authenticated
-before calling, but others do not. It may be possible to add the check
-for the callers that do not check, but this seems to be a simpler
-solution.
-
-To give some background, we hit this assertion failure, with the
-following log output:
-
-```
-Tue May 19 15:57:05 2020 username/73.135.141.11:1194 PUSH: Received
-control message: 'PUSH_REQUEST'
-Tue May 19 15:57:05 2020 username/73.135.141.11:1194 SENT CONTROL
-[username]: 'PUSH_REPLY,redirect-gateway
-def1,comp-lzo,persist-key,persist-tun,route-gateway 10.28.47.1,topology
-subnet,ping 10,ping-restart 120,ifconfig 10.28.47.38 255.255.255.0,peer-id
-89' (status=1)
-Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Assertion failed at
-/path/to/openvpn-2.4.7/src/openvpn/ssl.c:1944 (ks->authenticated)
-Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Exiting due to fatal
-error
-Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Closing TUN/TAP
-interface
-```
-
-using the following OpenVPN server configuration:
-
-```
-port 1194
-proto udp
-dev-type tun
-ca ca.crt
-cert server.crt
-key server.key
-dh dh.pem
-topology subnet
-push "redirect-gateway def1"
-push "comp-lzo"
-push "persist-key"
-push "persist-tun"
-keepalive 10 120
-comp-lzo
-user nobody
-group nobody
-persist-key
-persist-tun
-cd /home/openvpn/server
-chroot /var/empty
-daemon
-verb 3
-crl-verify crl.pem
-tls-auth ta.key 0
-cipher AES-256-CBC
-tls-version-min 1.2
-tls-cipher ECDHE-RSA-AES256-GCM-SHA384
-ncp-disable
-mute-replay-warnings
-script-security 3
-auth-user-pass-verify "ldap-auth/ldap-auth" via-env
-auth-user-pass-optional
-```
-
-and the following command line options:
-
-```
---config openvpn.conf --dev tun1 --local 206.131.72.52 \
---log-append openvpn.log --status openvpn-status.log \
---server 10.28.47.0 255.255.255.0
-```
-
-The failed assertion is inside the function
-`tls_session_generate_data_channel_keys`, which is called 3 other places
-in `ssl.c.`:
-
-* `key_method_2_write`: checks for `ks->authenticated` before calling
-
-* `key_method_2_read`: appears to run in client mode but not in server
- mode
-
-* `tls_session_update_crypto_params`: runs in server mode and does not
- check before calling
-
-That leads me to believe the problem caller is
-`tls_session_update_crypto_params`. There.s three callers of
-`tls_session_update_crypto_params`:.
-
-* `incoming_push_message` (`push.c`): Probably this caller, since the
- server pushes configuration to clients, and the log shows the
- assertion failure right after the push reply.
-
-* `multi_process_file_closed` (`multi.c`): Not this caller. NCP is
- disabled in config, and async push was not enabled when compiling.
-
-* `do_deferred_options` (`init.c`): Not this caller. The server
- configuration doesn't pull.
-
-Changing the assertion to returning false appears to be the simplest
-fix. Another approach would be changing callers to check
-`ks->authenticated` before calling, either
-`tls_session_update_crypto_params` or `incoming_push_message`.
-
-Signed-off-by: Jeremy Evans <code@jeremyevans.net>
-Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
-Message-Id: <20200520183404.54822-1-code@jeremyevans.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19914.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-(cherry picked from commit 984bd1e1601e4b9562dbc88b02a8db60b884286f)
----
- src/openvpn/ssl.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
-index cf6689982..215147f37 100644
---- ./src/openvpn/ssl.c
-+++ ./src/openvpn/ssl.c
-@@ -1941,7 +1941,10 @@ tls_session_generate_data_channel_keys(struct tls_session *session)
- const struct session_id *server_sid = !session->opt->server ?
- &ks->session_id_remote : &session->session_id;
-
-- ASSERT(ks->authenticated);
-+ if (!ks->authenticated) {
-+ msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
-+ goto cleanup;
-+ }
-
- ks->crypto_options.flags = session->opt->crypto_flags;
- if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi,
diff --git a/security/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 b/security/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88
deleted file mode 100644
index f798c6cd897b..000000000000
--- a/security/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88
+++ /dev/null
@@ -1,61 +0,0 @@
-From 38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 Mon Sep 17 00:00:00 2001
-From: Selva Nair <selva.nair@gmail.com>
-Date: Thu, 20 Feb 2020 22:00:28 -0500
-Subject: [PATCH] Persist management-query-remote and proxy prompts
-
-Currently this prompt is only output once, not re-written to the
-management interface when the management client connects. It is thus
-not seen by a client that connects after the prompt is output or one that
-disconnects and reconnects. This leads to a deadlock: the daemon waiting
-for the "remote" command from the client, the latter not aware of it.
-
-Resolve by adding the ">REMOTE" and ">PROXY" prompt to
-man.persist.special_state_msg as done for other persisted prompts such
-as ">PASSWORD"
-
-Signed-off-by: Selva Nair <selva.nair@gmail.com>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <1582254028-7763-1-git-send-email-selva.nair@gmail.com>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19497.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-(cherry picked from commit 93ba6ccddafcc87f336f50dadde144ea4f6178ad)
----
- src/openvpn/init.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index 8bac74f97..e153682ed 100644
---- ./src/openvpn/init.c
-+++ ./src/openvpn/init.c
-@@ -269,6 +269,7 @@ ce_management_query_proxy(struct context *c)
- buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
- (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
- management_notify_generic(management, BSTR(&out));
-+ management->persist.special_state_msg = BSTR(&out);
- }
- ce->flags |= CE_MAN_QUERY_PROXY;
- while (ce->flags & CE_MAN_QUERY_PROXY)
-@@ -280,6 +281,7 @@ ce_management_query_proxy(struct context *c)
- break;
- }
- }
-+ management->persist.special_state_msg = NULL;
- gc_free(&gc);
- }
-
-@@ -349,6 +351,7 @@ ce_management_query_remote(struct context *c)
- buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
- proto2ascii(ce->proto, ce->af, false));
- management_notify_generic(management, BSTR(&out));
-+ management->persist.special_state_msg = BSTR(&out);
-
- ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
- ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
-@@ -362,6 +365,7 @@ ce_management_query_remote(struct context *c)
- break;
- }
- }
-+ management->persist.special_state_msg = NULL;
- }
- gc_free(&gc);
-
diff --git a/security/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea b/security/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea
deleted file mode 100644
index de810ca5411f..000000000000
--- a/security/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea
+++ /dev/null
@@ -1,214 +0,0 @@
-From b89e48b015e581a4a0f5c306e2ab20da34c862ea Mon Sep 17 00:00:00 2001
-From: Selva Nair <selva.nair@gmail.com>
-Date: Tue, 24 Jul 2018 22:34:53 -0400
-Subject: [PATCH] Parse static challenge response in auth-pam plugin
-
-If static challenge is in use, the password passed to the plugin by openvpn
-is of the form "SCRV1:base64-pass:base64-response". Parse this string to
-separate it into password and response and use them to respond to queries
-in the pam conversation function.
-
-On the plugin parameters line the substitution keyword for the static
-challenge response is "OTP". For example, for pam config named "test" that
-prompts for "user", "password" and "pin", use
-
-plugin openvpn-auth-pam.so "test user USERNAME password PASSWORD pin OTP"
-
-Signed-off-by: Selva Nair <selva.nair@gmail.com>
-
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <1532486093-24793-1-git-send-email-selva.nair@gmail.com>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17307.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-(cherry picked from commit 7369d01bf360bcfa02f26c05b86dde5496d120f6)
----
- src/plugins/auth-pam/README.auth-pam | 15 ++++--
- src/plugins/auth-pam/auth-pam.c | 75 +++++++++++++++++++++++++++-
- 2 files changed, 84 insertions(+), 6 deletions(-)
-
-diff --git a/src/plugins/auth-pam/README.auth-pam b/src/plugins/auth-pam/README.auth-pam
-index e12369021..908156542 100644
---- a/src/plugins/auth-pam/README.auth-pam
-+++ ./src/plugins/auth-pam/README.auth-pam
-@@ -36,19 +36,20 @@ pairs to answer PAM module queries.
-
- For example:
-
-- plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
-+ plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"
-
- tells auth-pam to (a) use the "login" PAM module, (b) answer a
--"login" query with the username given by the OpenVPN client, and
--(c) answer a "password" query with the password given by the
--OpenVPN client. This provides flexibility in dealing with the different
-+"login" query with the username given by the OpenVPN client,
-+(c) answer a "password" query with the password, and (d) answer a
-+"pin" query with the OTP given by the OpenVPN client.
-+This provides flexibility in dealing with different
- types of query strings which different PAM modules might generate.
- For example, suppose you were using a PAM module called
- "test" which queried for "name" rather than "login":
-
- plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
-
--While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
-+While "USERNAME" "COMMONNAME" "PASSWORD" and "OTP" are special strings which substitute
- to client-supplied values, it is also possible to name literal values
- to use as PAM module query responses. For example, suppose that the
- login module queried for a third parameter, "domain" which
-@@ -61,6 +62,10 @@ the operation of this plugin:
-
- client-cert-not-required
- username-as-common-name
-+ static-challenge
-+
-+Use of --static challenege is required to pass a pin (represented by "OTP" in
-+parameter substituion) or a second password.
-
- Run OpenVPN with --verb 7 or higher to get debugging output from
- this plugin, including the list of queries presented by the
-diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
-index 5ba4dc4cb..1324307f1 100644
---- a/src/plugins/auth-pam/auth-pam.c
-+++ ./src/plugins/auth-pam/auth-pam.c
-@@ -6,6 +6,7 @@
- * packet compression.
- *
- * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
-+ * Copyright (C) 2016-2018 Selva Nair <selva.nair@gmail.com>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
-@@ -64,6 +65,7 @@
-
- /* Pointers to functions exported from openvpn */
- static plugin_secure_memzero_t plugin_secure_memzero = NULL;
-+static plugin_base64_decode_t plugin_base64_decode = NULL;
-
- /*
- * Plugin state, used by foreground
-@@ -87,6 +89,7 @@ struct auth_pam_context
- * "USERNAME" -- substitute client-supplied username
- * "PASSWORD" -- substitute client-specified password
- * "COMMONNAME" -- substitute client certificate common name
-+ * "OTP" -- substitute static challenge response if available
- */
-
- #define N_NAME_VALUE 16
-@@ -111,6 +114,7 @@ struct user_pass {
- char username[128];
- char password[128];
- char common_name[128];
-+ char response[128];
-
- const struct name_value_list *name_value_list;
- };
-@@ -276,6 +280,66 @@ name_value_match(const char *query, const char *match)
- return strncasecmp(match, query, strlen(match)) == 0;
- }
-
-+/*
-+ * Split and decode up->password in the form SCRV1:base64_pass:base64_response
-+ * into pass and response and save in up->password and up->response.
-+ * If the password is not in the expected format, input is not changed.
-+ */
-+static void
-+split_scrv1_password(struct user_pass *up)
-+{
-+ const int skip = strlen("SCRV1:");
-+ if (strncmp(up->password, "SCRV1:", skip) != 0)
-+ {
-+ return;
-+ }
-+
-+ char *tmp = strdup(up->password);
-+ if (!tmp)
-+ {
-+ fprintf(stderr, "AUTH-PAM: out of memory parsing static challenge password\n");
-+ goto out;
-+ }
-+
-+ char *pass = tmp + skip;
-+ char *resp = strchr(pass, ':');
-+ if (!resp) /* string not in SCRV1:xx:yy format */
-+ {
-+ goto out;
-+ }
-+ *resp++ = '\0';
-+
-+ int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
-+ if (n > 0)
-+ {
-+ up->password[n] = '\0';
-+ n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
-+ if (n > 0)
-+ {
-+ up->response[n] = '\0';
-+ if (DEBUG(up->verb))
-+ {
-+ fprintf(stderr, "AUTH-PAM: BACKGROUND: parsed static challenge password\n");
-+ }
-+ goto out;
-+ }
-+ }
-+
-+ /* decode error: reinstate original value of up->password and return */
-+ plugin_secure_memzero(up->password, sizeof(up->password));
-+ plugin_secure_memzero(up->response, sizeof(up->response));
-+ strcpy(up->password, tmp); /* tmp is guaranteed to fit in up->password */
-+
-+ fprintf(stderr, "AUTH-PAM: base64 decode error while parsing static challenge password\n");
-+
-+out:
-+ if (tmp)
-+ {
-+ plugin_secure_memzero(tmp, strlen(tmp));
-+ free(tmp);
-+ }
-+}
-+
- OPENVPN_EXPORT int
- openvpn_plugin_open_v3(const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
-@@ -316,6 +380,7 @@ openvpn_plugin_open_v3(const int v3structver,
-
- /* Save global pointers to functions exported from openvpn */
- plugin_secure_memzero = args->callbacks->plugin_secure_memzero;
-+ plugin_base64_decode = args->callbacks->plugin_base64_decode;
-
- /*
- * Make sure we have two string arguments: the first is the .so name,
-@@ -599,6 +664,10 @@ my_conv(int n, const struct pam_message **msg_array,
- {
- aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name);
- }
-+ else if (strstr(match_value, "OTP"))
-+ {
-+ aresp[i].resp = searchandreplace(match_value, "OTP", up->response);
-+ }
- else
- {
- aresp[i].resp = strdup(match_value);
-@@ -787,6 +856,9 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
- #endif
- }
-
-+ /* If password is of the form SCRV1:base64:base64 split it up */
-+ split_scrv1_password(&up);
-+
- if (pam_auth(service, &up)) /* Succeeded */
- {
- if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
-@@ -818,10 +890,11 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
- command);
- goto done;
- }
-+ plugin_secure_memzero(up.response, sizeof(up.response));
- }
- done:
--
- plugin_secure_memzero(up.password, sizeof(up.password));
-+ plugin_secure_memzero(up.response, sizeof(up.response));
- #ifdef USE_PAM_DLOPEN
- dlclose_pam();
- #endif
diff --git a/security/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f b/security/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f
deleted file mode 100644
index 8ba8e7f278b4..000000000000
--- a/security/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f
+++ /dev/null
@@ -1,40 +0,0 @@
-From cab48ad43eaba51c54fa23e55b0b2eb436dd921f Mon Sep 17 00:00:00 2001
-From: Selva Nair <selva.nair@gmail.com>
-Date: Tue, 7 Aug 2018 22:44:31 -0400
-Subject: [PATCH] Accept empty password and/or response in auth-pam plugin
-
-In the auth-pam plugin correctly parse the static challenge string
-even when password or challenge response is empty.
-
-Whether an empty user input is an error is determined by the PAM
-conversation function depending on whether the PAM module queries
-for it or not.
-
-Signed-off-by: Selva Nair <selva.nair@gmail.com>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <1533696271-21799-2-git-send-email-selva.nair@gmail.com>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17382.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-(cherry picked from commit 7a8109023f4c345fe12f23421c5fa7e88e1ea85b)
----
- src/plugins/auth-pam/auth-pam.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
-index 1324307f1..88b53204b 100644
---- a/src/plugins/auth-pam/auth-pam.c
-+++ ./src/plugins/auth-pam/auth-pam.c
-@@ -310,11 +310,11 @@ split_scrv1_password(struct user_pass *up)
- *resp++ = '\0';
-
- int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
-- if (n > 0)
-+ if (n >= 0)
- {
- up->password[n] = '\0';
- n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
-- if (n > 0)
-+ if (n >= 0)
- {
- up->response[n] = '\0';
- if (DEBUG(up->verb))
diff --git a/security/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 b/security/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5
deleted file mode 100644
index c946f8c78b8e..000000000000
--- a/security/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5
+++ /dev/null
@@ -1,28 +0,0 @@
-From fc0297143494e0a0f08564d90dbb210669d0abf5 Mon Sep 17 00:00:00 2001
-From: Antonio Quartulli <a@unstable.cc>
-Date: Sat, 30 May 2020 02:05:54 +0200
-Subject: [PATCH] pool: prevent IPv6 pools to be larger than 2^16 addresses
-
-Signed-off-by: Antonio Quartulli <a@unstable.cc>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <20200530000600.1680-2-a@unstable.cc>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19945.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
-(cherry picked from commit 81d66a1f14d4be3282dd648ecc2049658e3a65ed)
----
- src/openvpn/pool.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
-index da28bc06b..e45bf88a2 100644
---- ./src/openvpn/pool.c
-+++ ./src/openvpn/pool.c
-@@ -183,7 +183,7 @@ ifconfig_pool_init(int type, in_addr_t start, in_addr_t end,
- if (pool->ipv6)
- {
- pool->base_ipv6 = ipv6_base;
-- pool->size_ipv6 = ipv6_netbits>96 ? ( 1<<(128-ipv6_netbits) )
-+ pool->size_ipv6 = ipv6_netbits > 112 ? (1 << (128 - ipv6_netbits))
- : IFCONFIG_POOL_MAX;
-
- msg( D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: (IPv4) size=%d, size_ipv6=%d, netbits=%d, base_ipv6=%s",
diff --git a/security/openvpn/files/patch-src_openvpn_ssl__openssl.c b/security/openvpn/files/patch-src_openvpn_ssl__openssl.c
deleted file mode 100644
index 6d66949a15fa..000000000000
--- a/security/openvpn/files/patch-src_openvpn_ssl__openssl.c
+++ /dev/null
@@ -1,69 +0,0 @@
-In the corner case that the global OpenSSL has an invalid command like
-
- MinProtocol = TLSv1.0
-
-(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
-
-the SSL_ctx_new function leaves the errors for parsing the config file
-on the stack.
-
-OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
-
-Since the later functions, especially the one of loading the
-certificates expected a clean error this error got reported at the
-wrong place.
-
-Print the warnings with crypto_msg when we detect that we are in this
-situation (this also clears the stack).
----
- src/openvpn/ssl_openssl.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-Acked-by: Gert Doering <gert@greenie.muc.de>
-
-"Explanation and Code make sense, Debian testing confirmed it fixes
-the problem observed" (which was a user error in the end, but led to an
-unexpected error in openvpn).
-
-Basic client test run with openssl 1.1.1 on Linux/Gentoo.
-
-Your patch has been applied to the master and release/2.4 branch.
-
-commit 75aa88af774abaa168bf72e43e1dbb57be14c044 (master)
-commit 125654bfa6f99a251b581522182e85748dd8043a (release/2.4)
-Author: Arne Schwabe
-Date: Tue Apr 21 12:11:22 2020 +0200
-
- Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
-
- Acked-by: Gert Doering <gert@greenie.muc.de>
- Message-Id: <20200421101122.24284-1-arne@rfc2549.org>
- URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19802.html
- Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
---- src/openvpn/ssl_openssl.c.orig 2020-04-16 13:26:45 UTC
-+++ src/openvpn/ssl_openssl.c
-@@ -110,6 +110,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
- {
- crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method");
- }
-+ if (ERR_peek_error() != 0)
-+ {
-+ crypto_msg(M_WARN, "Warning: TLS server context initialisation "
-+ "has warnings.");
-+ }
- }
-
- void
-@@ -122,6 +127,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
- if (ctx->ctx == NULL)
- {
- crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method");
-+ }
-+ if (ERR_peek_error() != 0)
-+ {
-+ crypto_msg(M_WARN, "Warning: TLS client context initialisation "
-+ "has warnings.");
- }
- }
-
diff --git a/security/openvpn/pkg-plist b/security/openvpn/pkg-plist
index da156194eb1f..a3495c2a6273 100644
--- a/security/openvpn/pkg-plist
+++ b/security/openvpn/pkg-plist
@@ -1,9 +1,9 @@
-include/openvpn-plugin.h
include/openvpn-msg.h
+include/openvpn-plugin.h
lib/openvpn/plugins/openvpn-plugin-auth-pam.so
lib/openvpn/plugins/openvpn-plugin-down-root.so
+libexec/openvpn-client.down
+libexec/openvpn-client.up
man/man8/openvpn.8.gz
sbin/openvpn
sbin/openvpn-client
-libexec/openvpn-client.up
-libexec/openvpn-client.down