Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2021-08-16 10:09:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvpn"
Mon Aug 16 10:09:00 2021 rev:94 rq:911848 version:2.5.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2021-06-15 16:37:24.177700340 +0200
+++ /work/SRC/openSUSE:Factory/.openvpn.new.1899/openvpn.changes 2021-08-16 10:13:54.402931761 +0200
@@ -1,0 +2,33 @@
+Thu Aug 5 14:07:14 UTC 2021 - Reinhard Max <m...@suse.com>
+
+- Update to 2.5.3:
+
+ * Removal of BF-CBC support in default configuration
+ *** POSSIBLE INCOMPATIBILITY ***
+ See section "DATA CHANNEL CIPHER NEGOTIATION" in openvpn(8).
+
+ * Connections setup is now much faster
+ * Support ChaCha20-Poly1305 cipher in the OpenVPN data channel
+ * Improved TLS 1.3 support when using OpenSSL 1.1.1 or newer
+ * Client-specific tls-crypt keys (--tls-crypt-v2)
+ * Improved Data channel cipher negotiation
+ * HMAC based auth-token support for seamless reconnects to
+ standalone servers or a group of servers
+ * Asynchronous (deferred) authentication support for auth-pam
+ plugin
+ * Asynchronous (deferred) support for client-connect scripts and
+ plugins
+ * Support IPv4 configs with /31 netmasks
+ * 802.1q VLAN support on TAP servers
+ * Support IPv6-only tunnels
+ * New option --block-ipv6 to reject all IPv6 packets (ICMPv6)
+ * Support Virtual Routing and Forwarding (VRF)
+ * Netlink integration (OpenVPN no longer needs to execute
+ ifconfig/route or ip commands)
+ * Obsoletes openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
+
+- bsc#1062157: The fix for bsc#934237 causes problems with the
+ crypto self-test of newer openvpn versions.
+ Remove openvpn-2.3.x-fixed-multiple-low-severity-issues.patch .
+
+-------------------------------------------------------------------
Old:
----
openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch
openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
openvpn-2.4.11.tar.xz
openvpn-2.4.11.tar.xz.asc
New:
----
openvpn-2.5.3.tar.xz
openvpn-2.5.3.tar.xz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openvpn.spec ++++++
--- /var/tmp/diff_new_pack.XVSEKh/_old 2021-08-16 10:13:54.946931065 +0200
+++ /var/tmp/diff_new_pack.XVSEKh/_new 2021-08-16 10:13:54.950931061 +0200
@@ -24,7 +24,7 @@ %define _rundir %{_localstatedir}/run %endif Name: openvpn -Version: 2.4.11 +Version: 2.5.3 Release: 0 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface License: LGPL-2.1-only AND SUSE-GPL-2.0-with-openssl-exception @@ -42,8 +42,6 @@ Source11: rc%{name} Patch1: %{name}-2.3-plugin-man.dif Patch6: %{name}-fips140-2.3.2.patch -Patch7: openvpn-2.3.9-Fix-heap-overflow-on-getaddrinfo-result.patch -Patch8: openvpn-2.3.x-fixed-multiple-low-severity-issues.patch Patch9: 0001-preform-deferred-authentication-in-the-background.patch BuildRequires: iproute2 BuildRequires: libselinux-devel @@ -127,10 +125,8 @@ %prep %setup -q %patch1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 +%patch6 +%patch9 sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \ -i src/openvpn/options.c ++++++ 0001-preform-deferred-authentication-in-the-background.patch ++++++ --- /var/tmp/diff_new_pack.XVSEKh/_old 2021-08-16 10:13:54.982931020 +0200 +++ /var/tmp/diff_new_pack.XVSEKh/_new 2021-08-16 10:13:54.982931020 +0200 @@ -1,7 +1,5 @@ -Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c -=================================================================== ---- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.c -+++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.c +--- src/plugins/auth-pam/auth-pam.c.orig ++++ src/plugins/auth-pam/auth-pam.c @@ -43,6 +43,7 @@ #include <stdlib.h> #include <sys/types.h> @@ -18,7 +16,7 @@ /* Response codes for background -> foreground communication */ #define RESPONSE_INIT_SUCCEEDED 10 -@@ -115,6 +117,7 @@ struct user_pass { +@@ -120,6 +122,7 @@ struct user_pass { char password[128]; char common_name[128]; char response[128]; @@ -26,8 +24,8 @@ const struct name_value_list *name_value_list; }; -@@ -776,6 +779,21 @@ pam_auth(const char *service, const stru - return ret; +@@ -884,6 +887,21 @@ do_deferred_pam_auth(int fd, const char + exit(0); } +static int handle_auth_control_file(char *auth_control_file, int status) 
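Review bot: The rebased hunk now anchors the downstream `handle_auth_control_file` addition right after upstream's `do_deferred_pam_auth` (new context `+@@ -884,6 +887,21 @@ do_deferred_pam_auth(int fd, const char`), while the 2.5.3 changelog above lists asynchronous auth-pam authentication as an upstream feature; whether the SUSE background-auth path still adds anything, or now duplicates or conflicts with upstream's own handling of the auth control file, cannot be seen from this hunk and should be confirmed before carrying the patch forward. The patch also has no descriptive header at all — its first line is now `--- src/plugins/auth-pam/auth-pam.c.orig` — so a short header stating its purpose and the bug reference it tracks would make the next rebase safer. The context signature `static int handle_auth_control_file(char *auth_control_file, int status)` could take `const char *` if the function only reads the path, but its body lies outside the hunk.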
@@ -48,7 +46,7 @@ /* * Background process -- runs with privilege. */ -@@ -878,6 +896,42 @@ pam_server(int fd, const char *service, +@@ -1002,6 +1020,42 @@ pam_server(int fd, const char *service, plugin_secure_memzero(up.password, sizeof(up.password)); break; @@ -91,7 +89,7 @@ case COMMAND_EXIT: goto done; -@@ -905,3 +959,56 @@ done: +@@ -1029,3 +1083,56 @@ done: return; } @@ -148,10 +146,8 @@ + return OPENVPN_PLUGIN_FUNC_ERROR; + } +} -Index: openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports -=================================================================== ---- openvpn-2.4.10.orig/src/plugins/auth-pam/auth-pam.exports -+++ openvpn-2.4.10/src/plugins/auth-pam/auth-pam.exports +--- src/plugins/auth-pam/auth-pam.exports.orig ++++ src/plugins/auth-pam/auth-pam.exports @@ -1,4 +1,5 @@ openvpn_plugin_open_v3 openvpn_plugin_func_v1 ++++++ openvpn-2.3-plugin-man.dif ++++++ --- /var/tmp/diff_new_pack.XVSEKh/_old 2021-08-16 10:13:55.022930969 +0200 +++ /var/tmp/diff_new_pack.XVSEKh/_new 2021-08-16 10:13:55.026930964 +0200 
@@ -1,22 +1,15 @@ -Index: doc/openvpn.8 -=================================================================== --- doc/openvpn.8.orig +++ doc/openvpn.8 -@@ -2690,12 +2690,11 @@ plug-in modules, see the README file in - .B plugin - folder of the OpenVPN source distribution. - +@@ -6059,9 +6059,9 @@ For more information and examples on how + modules, see the README file in the \fBplugin\fP folder of the OpenVPN + source distribution. + .sp -If you are using an RPM install of OpenVPN, see --/usr/share/openvpn/plugin. The documentation is --in --.B doc --and the actual plugin modules are in --.B lib. -+If you are using an RPM install of OpenVPN, the actual -+plugin modules are in -+.B @PLUGIN_LIBDIR@ -+and the documentation is in -+.B @PLUGIN_DOCDIR@/README.<plugin-name>. - - Multiple plugin modules can be cascaded, and modules can be - used in tandem with scripts. The modules will be called by +-\fB/usr/share/openvpn/plugin\fP\&. The documentation is in \fBdoc\fP and +-the actual plugin modules are in \fBlib\fP\&. ++If you are using an RPM install of OpenVPN, the actual plugin modules ++are in \fB@PLUGIN_LIBDIR@\fP\& and the documentation is in ++\fB@PLUGIN_DOCDIR@/README.<plugin-name>\fP\&. + .sp + Multiple plugin modules can be cascaded, and modules can be used in + tandem with scripts. The modules will be called by OpenVPN in the order ++++++ openvpn-2.4.11.tar.xz -> openvpn-2.5.3.tar.xz ++++++ ++++ 96410 lines of diff (skipped) ++++++ openvpn-fips140-2.3.2.patch ++++++ --- /var/tmp/diff_new_pack.XVSEKh/_old 2021-08-16 10:13:55.546930299 +0200 +++ /var/tmp/diff_new_pack.XVSEKh/_new 2021-08-16 10:13:55.546930299 +0200 
@@ -13,11 +13,9 @@ src/openvpn/ssl.c | 4 ++-- 6 files changed, 15 insertions(+), 6 deletions(-) -diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c -index 5f482d0..ff0f9a7 100644 ---- a/src/openvpn/crypto.c -+++ b/src/openvpn/crypto.c -@@ -876,7 +876,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key, +--- src/openvpn/crypto.c.orig ++++ src/openvpn/crypto.c +@@ -849,7 +849,7 @@ init_key_ctx(struct key_ctx *ctx, const if (kt->digest && kt->hmac_length > 0) { ctx->hmac = hmac_ctx_new(); @@ -26,11 +24,9 @@ msg(D_HANDSHAKE, "%s: Using %d bit message hash '%s' for HMAC authentication", -diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h -index b7f519b..2911248 100644 ---- a/src/openvpn/crypto_backend.h -+++ b/src/openvpn/crypto_backend.h -@@ -604,10 +604,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); +--- src/openvpn/crypto_backend.h.orig ++++ src/openvpn/crypto_backend.h +@@ -634,10 +634,11 @@ void hmac_ctx_free(hmac_ctx_t *ctx); * @param key The key to use for the HMAC * @param key_len The key length to use * @param kt Static message digest parameters @@ -43,11 +39,9 @@ /* * Free the given HMAC context. -diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c -index a55e65c..79f5530 100644 ---- a/src/openvpn/crypto_openssl.c -+++ b/src/openvpn/crypto_openssl.c -@@ -926,11 +926,15 @@ +--- src/openvpn/crypto_openssl.c.orig ++++ src/openvpn/crypto_openssl.c +@@ -1008,11 +1008,15 @@ hmac_ctx_free(HMAC_CTX *ctx) void hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, @@ -64,11 +58,9 @@ HMAC_Init_ex(ctx, key, key_len, kt, NULL); /* make sure we used a big enough key */ -diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c -index 0b1163e..93283bc 100644 ---- a/src/openvpn/ntlm.c -+++ b/src/openvpn/ntlm.c -@@ -88,7 +88,7 @@ +--- src/openvpn/ntlm.c.orig ++++ src/openvpn/ntlm.c +@@ -88,7 +88,7 @@ gen_hmac_md5(const uint8_t *data, int da const md_kt_t *md5_kt = md_kt_get("MD5"); hmac_ctx_t *hmac_ctx = hmac_ctx_new(); 
@@ -77,28 +69,50 @@ hmac_ctx_update(hmac_ctx, data, data_len); hmac_ctx_final(hmac_ctx, result); hmac_ctx_cleanup(hmac_ctx); -diff --git a/src/openvpn/options.c b/src/openvpn/options.c -index fef5e90..33b6976 100644 ---- a/src/openvpn/options.c -+++ b/src/openvpn/options.c -@@ -850,6 +850,10 @@ init_options(struct options *o, const bool init_gc) - #endif - #ifdef ENABLE_CRYPTO - o->ciphername = "BF-CBC"; +--- src/openvpn/options.c.orig ++++ src/openvpn/options.c +@@ -850,6 +850,10 @@ init_options(struct options *o, const bo + o->tcp_queue_limit = 64; + o->max_clients = 1024; + o->max_routes_per_client = 256; +#ifdef OPENSSL_FIPS + if(FIPS_mode()) + o->ciphername = "AES-256-CBC"; +#endif - #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */ - o->ncp_enabled = true; - #else -diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c -index 15cd94a..21f50f1 100644 ---- a/src/openvpn/ssl.c -+++ b/src/openvpn/ssl.c -@@ -1635,8 +1635,8 @@ tls1_P_hash(const md_kt_t *md_kt, - chunk = md_kt_size(md_kt); - A1_len = md_kt_size(md_kt); + o->stale_routes_check_interval = 0; + o->ifconfig_pool_persist_refresh_freq = 600; + #if P2MP +@@ -3087,6 +3091,12 @@ options_postprocess_cipher(struct option + if (!o->ciphername) + { + o->ciphername = "BF-CBC"; ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ o->ciphername = "AES-256-CBC"; ++ } ++#endif + } + return; + } +@@ -3109,6 +3119,12 @@ options_postprocess_cipher(struct option + /* We still need to set the ciphername to BF-CBC since various other + * parts of OpenVPN assert that the ciphername is set */ + o->ciphername = "BF-CBC"; ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) ++ { ++ o->ciphername = "AES-256-CBC"; ++ } ++#endif + } + else if (!o->enable_ncp_fallback + && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers)) +--- src/openvpn/ssl.c.orig ++++ src/openvpn/ssl.c +@@ -1661,8 +1661,8 @@ tls1_P_hash(const md_kt_t *md_kt, + int chunk = md_kt_size(md_kt); + unsigned int A1_len = md_kt_size(md_kt); - hmac_ctx_init(ctx, 
sec, sec_len, md_kt); - hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt); @@ -107,6 +121,3 @@ hmac_ctx_update(ctx,seed,seed_len); hmac_ctx_final(ctx, A1); --- -2.13.1 -
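Review bot: The retained `init_options` block (`+#ifdef OPENSSL_FIPS`, `+ if(FIPS_mode())`, `+ o->ciphername = "AES-256-CBC";`) now sits where 2.5.3 no longer sets a cipher default — the removed context `o->ciphername = "BF-CBC";` is gone and the new context is `o->max_routes_per_client = 256;` — so in FIPS mode `o->ciphername` is already non-NULL when the two newly added `options_postprocess_cipher` overrides run, and the `if (!o->ciphername)` branch that the first of them patches is never entered. The pre-set name instead presumably reaches the visible `else if (!o->enable_ncp_fallback && !tls_item_in_cipher_list(o->ciphername, o->ncp_ciphers))` check as though the user had passed `--cipher AES-256-CBC`, a different contract from 2.4's unconditional BF-CBC default. Dropping the four init_options lines and keeping only the two braced overrides at the remaining `"BF-CBC"` fallbacks looks like the minimal rebase that preserves 2.5's "cipher unspecified" semantics, but confirm against the unpatched `options_postprocess_cipher`, since the rest of that function is outside the hunk. The unbraced `if(FIPS_mode())` also differs from the braced style of the two new insertions.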