Hello community, here is the log from the commit of package openvpn for openSUSE:Factory checked in at 2017-01-25 23:33:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openvpn (Old) and /work/SRC/openSUSE:Factory/.openvpn.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvpn"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2017-01-10 10:52:01.367138159 +0100
+++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes 2017-01-25 23:33:51.207649062 +0100
@@ -1,0 +2,34 @@
+Sun Jan 22 15:21:17 UTC 2017 - [email protected]
+
+- silence warning about %{_rundir}/openvpn
+ - for non systemd case: just package the %{_rundir}/openvpn in
+ the package
+ - for systemd case: call systemd-tmpfiles and own the dir as
+ %ghost in the filelist
+
+-------------------------------------------------------------------
+Sun Jan 22 14:51:44 UTC 2017 - [email protected]
+
+- refreshed patches to apply cleanly again
+ openvpn-2.3-plugin-man.dif
+ openvpn-fips140-2.3.2.patch
+
+-------------------------------------------------------------------
+Sun Jan 22 14:47:39 UTC 2017 - [email protected]
+
+- update to 2.3.14
+ - update year in copyright message
+ - Document the --auth-token option
+ - Repair topology subnet on FreeBSD 11
+ - Repair topology subnet on OpenBSD
+ - Drop recursively routed packets
+ - Support --block-outside-dns on multiple tunnels
+ - When parsing '--setenv opt xx ..' make sure a third parameter
+ is present
+ - Map restart signals from event loop to SIGTERM during
+ exit-notification wait
+ - Correctly state the default dhcp server address in man page
+ - Clean up format_hex_ex()
+- enabled pkcs11 support
+
+-------------------------------------------------------------------
Old:
----
openvpn-2.3.13.tar.xz
openvpn-2.3.13.tar.xz.asc
New:
----
openvpn-2.3.14.tar.xz
openvpn-2.3.14.tar.xz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openvpn.spec ++++++
--- /var/tmp/diff_new_pack.NzaYsJ/_old 2017-01-25 23:33:52.127510450 +0100
+++ /var/tmp/diff_new_pack.NzaYsJ/_new 2017-01-25 23:33:52.131509847 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package openvpn
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -32,7 +32,7 @@
 %else
 PreReq: %insserv_prereq %fillup_prereq
 %endif
-Version: 2.3.13
+Version: 2.3.14
 Release: 0
 Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
 License: SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1
@@ -154,6 +154,7 @@
 --enable-iproute2 \
 --enable-x509-alt-username \
 --enable-password-save \
+ --enable-pkcs11 \
 %if %{with_systemd}
 --enable-systemd \
 %endif
@@ -194,8 +195,8 @@
 find sample -name .gitignore | xargs rm -f
 %post
-%__mkdir_p -m750 %{_rundir}/openvpn
 %if %{with_systemd}
+systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf ||:
 %service_add_post %{name}.target
 # try to migrate openvpn.service autostart to openvpn@<CONF>.service
 if test ${FIRST_ARG:-$1} -ge 1 -a \
@@ -265,13 +266,14 @@
 %{_unitdir}/%{name}@.service
 %{_unitdir}/%{name}.target
 %{_libexecdir}/tmpfiles.d/%{name}.conf
+%dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
 %else
 %config %{_sysconfdir}/init.d/openvpn
 /var/adm/fillup-templates/sysconfig.openvpn
+%dir %attr(750,root,root) %{_rundir}/openvpn/
 %endif
 %{_sbindir}/rcopenvpn
 %{_sbindir}/openvpn
-%attr(0750,root,root) %dir %ghost %{_rundir}/openvpn
 %files down-root-plugin
 %defattr(-,root,root)
++++++ openvpn-2.3-plugin-man.dif ++++++
--- /var/tmp/diff_new_pack.NzaYsJ/_old 2017-01-25 23:33:52.191500807 +0100
+++ /var/tmp/diff_new_pack.NzaYsJ/_new 2017-01-25 23:33:52.191500807 +0100
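Review bot: The `%post` line hard-codes `/usr/lib/tmpfiles.d/%{name}.conf`, while the `%files` list a few lines below installs that same file as `%{_libexecdir}/tmpfiles.d/%{name}.conf`; if the two paths ever differ the trailing `||:` hides the failure and `%{_rundir}/openvpn` is not created until the next boot, so the ghosted directory stays missing for a freshly installed service. Use one macro in both places, e.g. `systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf ||:` (or `%{_tmpfilesdir}` for both, if the build target defines it). The two new `%dir` entries also spell the mode differently (`0750` and `750`); rpm treats them identically, but one spelling is easier to audit. Both entries give the directory to root:root with mode 0750, so an instance started with `--user`/`--group` cannot write pid or status files there — presumably intended, and worth a one-line comment beside the `%dir` lines.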
@@ -1,6 +1,8 @@ ---- doc/openvpn.8 -+++ doc/openvpn.8 2015/03/02 08:58:02 -@@ -2569,12 +2569,11 @@ plug-in modules, see the README file in +Index: doc/openvpn.8 +=================================================================== +--- doc/openvpn.8.orig ++++ doc/openvpn.8 +@@ -2690,12 +2690,11 @@ plug-in modules, see the README file in .B plugin folder of the OpenVPN source distribution. ++++++ openvpn-2.3.13.tar.xz -> openvpn-2.3.14.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/ChangeLog new/openvpn-2.3.14/ChangeLog --- old/openvpn-2.3.13/ChangeLog 2016-11-03 09:52:28.000000000 +0100 +++ new/openvpn-2.3.14/ChangeLog 2016-12-07 12:35:43.000000000 +0100 @@ -1,6 +1,30 @@ OpenVPN Change Log Copyright (C) 2002-2015 OpenVPN Technologies, Inc. <[email protected]> +2016.12.06 -- Version 2.3.14 +Christian Hesse (1): + update year in copyright message + +David Sommerseth (1): + Document the --auth-token option + +Gert Doering (2): + Repair topology subnet on FreeBSD 11 + Repair topology subnet on OpenBSD + +Lev Stipakov (1): + Drop recursively routed packets + +Selva Nair (4): + Support --block-outside-dns on multiple tunnels + When parsing '--setenv opt xx ..' make sure a third parameter is present + Map restart signals from event loop to SIGTERM during exit-notification wait + Correctly state the default dhcp server address in man page + +Steffan Karger (1): + Clean up format_hex_ex() + + 2016.11.02 -- Version 2.3.13 Arne Schwabe (2): Use AES ciphers in our sample configuration files and add a few modern 2.4 examples diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/Makefile.in new/openvpn-2.3.14/Makefile.in --- old/openvpn-2.3.13/Makefile.in 2016-11-03 09:52:54.000000000 +0100 +++ new/openvpn-2.3.14/Makefile.in 2016-12-07 12:36:12.000000000 +0100 
@@ -113,8 +113,8 @@ $(srcdir)/config.h.in $(srcdir)/version.sh.in \ $(am__dist_doc_DATA_DIST) $(am__dist_noinst_DATA_DIST) \ $(dist_noinst_HEADERS) AUTHORS COPYING ChangeLog INSTALL NEWS \ - README compile config.guess config.sub install-sh missing \ - ltmain.sh + README compile config.guess config.sub depcomp install-sh \ + missing ltmain.sh ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/m4/ax_socklen_t.m4 \ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/configure new/openvpn-2.3.14/configure --- old/openvpn-2.3.13/configure 2016-11-03 09:52:52.000000000 +0100 +++ new/openvpn-2.3.14/configure 2016-12-07 12:36:14.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for OpenVPN 2.3.13. +# Generated by GNU Autoconf 2.69 for OpenVPN 2.3.14. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' -PACKAGE_VERSION='2.3.13' -PACKAGE_STRING='OpenVPN 2.3.13' +PACKAGE_VERSION='2.3.14' +PACKAGE_STRING='OpenVPN 2.3.14' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1436,7 +1436,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenVPN 2.3.13 to adapt to many kinds of systems. +\`configure' configures OpenVPN 2.3.14 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1506,7 +1506,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenVPN 2.3.13:";; + short | recursive ) echo "Configuration of OpenVPN 2.3.14:";; esac cat <<\_ACEOF 
@@ -1708,7 +1708,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -OpenVPN configure 2.3.13 +OpenVPN configure 2.3.14 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2490,7 +2490,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenVPN $as_me 2.3.13, which was +It was created by OpenVPN $as_me 2.3.14, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2854,7 +2854,7 @@ fi -$as_echo "#define OPENVPN_VERSION_RESOURCE 2,3,13,0" >>confdefs.h +$as_echo "#define OPENVPN_VERSION_RESOURCE 2,3,14,0" >>confdefs.h ac_aux_dir= @@ -3378,7 +3378,7 @@ # Define the identity of the package. PACKAGE='openvpn' - VERSION='2.3.13' + VERSION='2.3.14' cat >>confdefs.h <<_ACEOF @@ -17755,7 +17755,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by OpenVPN $as_me 2.3.13, which was +This file was extended by OpenVPN $as_me 2.3.14, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -17821,7 +17821,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -OpenVPN config.status 2.3.13 +OpenVPN config.status 2.3.14 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/distro/rpm/openvpn.spec new/openvpn-2.3.14/distro/rpm/openvpn.spec --- old/openvpn-2.3.13/distro/rpm/openvpn.spec 2016-11-03 09:53:39.000000000 +0100 +++ new/openvpn-2.3.14/distro/rpm/openvpn.spec 2016-12-07 12:36:59.000000000 +0100 
@@ -13,7 +13,7 @@ Summary: OpenVPN is a robust and highly flexible VPN daemon by James Yonan. Name: openvpn -Version: 2.3.13 +Version: 2.3.14 Release: 1 URL: http://openvpn.net/ Source0: http://prdownloads.sourceforge.net/openvpn/%{name}-%{version}.tar.gz diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/doc/openvpn.8 new/openvpn-2.3.14/doc/openvpn.8 --- old/openvpn-2.3.13/doc/openvpn.8 2016-11-03 09:52:28.000000000 +0100 +++ new/openvpn-2.3.14/doc/openvpn.8 2016-12-07 12:35:43.000000000 +0100 @@ -4,7 +4,7 @@ .\" packet encryption, packet authentication, and .\" packet compression. .\" -.\" Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]> +.\" Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <[email protected]> .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License version 2 @@ -34,7 +34,7 @@ .\" .ft -- normal face .\" .in +|-{n} -- indent .\" -.TH openvpn 8 "17 November 2008" +.TH openvpn 8 "25 August 2016" .\"********************************************************* .SH NAME openvpn - secure IP tunnel daemon. 
@@ -1626,16 +1626,25 @@ are mutually exclusive and cannot be used together. .\"********************************************************* .TP -.B \-\-keepalive n m +.B \-\-keepalive interval timeout A helper directive designed to simplify the expression of .B \-\-ping and +.B \-\-ping\-restart. + +This option can be used on both client and server side, but it is +in enough to add this on the server side as it will push appropriate +.B \-\-ping +and .B \-\-ping\-restart -in server mode configurations. +options to the client. If used on both server and client, +the values pushed from server will override the client local values. -The server timeout is set twice the value of the second argument. -This ensures that a timeout is detected on client side -before the server side drops the connection. +The +.B timeout +argument will be twice as long on the server side. This ensures that +a timeout is detected on client side before the server side drops +the connection. For example, .B \-\-keepalive 10 60 @@ -1645,13 +1654,13 @@ .ft 3 .in +4 if mode server: - ping 10 - ping-restart 120 - push "ping 10" - push "ping-restart 60" + ping 10 # Argument: interval + ping\-restart 120 # Argument: timeout*2 + push "ping 10" # Argument: interval + push "ping\-restart 60" # Argument: timeout else - ping 10 - ping-restart 60 + ping 10 # Argument: interval + ping\-restart 60 # Argument: timeout .in -4 .ft .fi @@ -2745,10 +2754,10 @@ if dev tap OR (dev tun AND topology == subnet): ifconfig 10.8.0.1 255.255.255.0 if !nopool: - ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 - push "route-gateway 10.8.0.1" - if route-gateway unset: - route-gateway 10.8.0.2 + ifconfig\-pool 10.8.0.2 10.8.0.253 255.255.255.0 + push "route\-gateway 10.8.0.1" + if route\-gateway unset: + route\-gateway 10.8.0.2 .in -4 .ft 
@@ -2880,6 +2889,7 @@ .B \-\-ip\-win32, \-\-dhcp\-option, .B \-\-inactive, \-\-ping, \-\-ping\-exit, \-\-ping\-restart, .B \-\-setenv, +.B \-\-auth\-token, .B \-\-persist\-key, \-\-persist\-tun, \-\-echo, .B \-\-comp\-lzo, .B \-\-socket\-flags, @@ -3796,6 +3806,10 @@ parameter (default=1) controls the maximum number of attempts that the client will try to resend the exit notification message. OpenVPN will not send any exit notifications unless this option is enabled. +.TP +.B \-\-allow\-recursive\-routing +When this option is set, OpenVPN will not drop incoming tun packets +with same destination as host. .\"********************************************************* .SS Data Channel Encryption Options: These options are meaningful for both Static & TLS-negotiated key modes 
@@ -4817,6 +4831,57 @@ username/password. It is always cached. .\"********************************************************* .TP +.B \-\-auth\-token token +This is not an option to be used directly in any configuration files, +but rather push this option from a +.B \-\-client\-connect +script or a +.B \-\-plugin +which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or +OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides +a possibility to replace the clients password with an authentication +token during the lifetime of the OpenVPN client. + +Whenever the connection is renegotiated and the +.B \-\-auth\-user\-pass\-verify +script or +.B \-\-plugin +making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is +triggered, it will pass over this token as the password +instead of the password the user provided. The authentication +token can only be reset by a full reconnect where the server +can push new options to the client. The password the user entered +is never preserved once an authentication token have been set. If +the OpenVPN server side rejects the authentication token, the +client will receive an AUTH_FAIL and disconnect. + +The purpose of this is to enable two factor authentication +methods, such as HOTP or TOTP, to be used without needing to +retrieve a new OTP code each time the connection is renegotiated. +Another use case is to cache authentication data on the client +without needing to have the users password cached in memory +during the life time of the session. + +To make use of this feature, the +.B \-\-client\-connect +script or +.B \-\-plugin +needs to put + +.nf +.ft 3 +.in +4 +push "auth\-token UNIQUE_TOKEN_VALUE" +.in -4 +.ft +.fi + +into the file/buffer for dynamic configuration data. This +will then make the OpenVPN server to push this value to the +client, which replaces the local password with the +UNIQUE_TOKEN_VALUE. +.\"********************************************************* +.TP .B \-\-tls\-verify cmd Run command .B cmd 
@@ -5297,7 +5362,7 @@
 .B \-\-dev tun mode, OpenVPN will cause the DHCP server to masquerade as if it were coming from the remote endpoint. The optional offset parameter is
-an integer which is > \-256 and < 256 and which defaults to 0.
+an integer which is > \-256 and < 256 and which defaults to -1.
 If offset is positive, the DHCP server will masquerade as the IP address at network address + offset. If offset is negative, the DHCP server will masquerade as the IP
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/src/openvpn/buffer.c new/openvpn-2.3.14/src/openvpn/buffer.c
--- old/openvpn-2.3.13/src/openvpn/buffer.c 2016-11-03 09:52:28.000000000 +0100
+++ new/openvpn-2.3.14/src/openvpn/buffer.c 2016-12-07 12:35:43.000000000 +0100
@@ -400,9 +400,13 @@
 int space_break, const char* separator, struct gc_arena *gc)
 {
- struct buffer out = alloc_buf_gc (maxoutput ? maxoutput :
- ((size * 2) + (size / space_break) * (int) strlen (separator) + 2),
- gc);
+ const size_t separator_len = separator ? strlen (separator) : 0;
+ static_assert (INT_MAX <= SIZE_MAX, "Code assumes INT_MAX <= SIZE_MAX");
+ const size_t out_len = maxoutput > 0 ? maxoutput :
+ ((size * 2) + ((size / space_break) * separator_len) + 2);
+
+ struct buffer out = alloc_buf_gc (out_len, gc);
+
 int i;
 for (i = 0; i < size; ++i)
 {
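Review bot: The new `out_len` computation still performs `size * 2` and `size / space_break` in `int` before the result is widened to `size_t`, so the added `static_assert` on `INT_MAX <= SIZE_MAX` does not cover the two cases that actually bite: `space_break == 0` is still an unguarded division by zero (inherited from the removed lines), and a negative `size` — `size` appears to be signed, since the loop compares it with `int i` — becomes a huge allocation after the conversion. Widen first and guard the divisor: `const size_t usize = size > 0 ? (size_t) size : 0;`, `const size_t breaks = space_break > 0 ? usize / (size_t) space_break : 0;`, then `const size_t out_len = maxoutput > 0 ? (size_t) maxoutput : usize * 2 + breaks * separator_len + 2;`. Whether any caller can pass `space_break == 0` is not visible here; `format_hex_ex`'s signature starts before this hunk and its loop body continues after it.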
@@ -217,6 +217,14 @@
 void assert_failed (const char *filename, int line, const char *condition) __attribute__((__noreturn__));
+/* Poor-man's static_assert() for when not supplied by assert.h, taken from
+ * Linux's sys/cdefs.h under GPLv2 */
+#ifndef static_assert
+#define static_assert(expr, diagnostic) \
+ extern int (*__OpenVPN_static_assert_function (void)) \
+ [!!sizeof (struct { int __error_if_negative: (expr) ? 2 : -1; })]
+#endif
+
 #ifdef ENABLE_DEBUG
 void crash (void); /* force a segfault (debugging only) */
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/src/openvpn/forward.c new/openvpn-2.3.14/src/openvpn/forward.c
--- old/openvpn-2.3.13/src/openvpn/forward.c 2016-11-03 09:52:28.000000000 +0100
+++ new/openvpn-2.3.14/src/openvpn/forward.c 2016-12-07 12:35:43.000000000 +0100
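Review bot: The fallback `static_assert` introduces `__OpenVPN_static_assert_function` and `__error_if_negative`, identifiers beginning with a double underscore, which C reserves for the implementation (C11 §7.1.3), so a compiler or system header is free to define them with another meaning. The `#ifndef static_assert` guard also only sees the C11 macro if `<assert.h>` was included before this point; when `<assert.h>` comes later in a C11 build, the standard header replaces this definition with its own, so which expansion is in effect depends on include order. Prefer the C11 keyword whenever the compiler advertises it and keep the struct-bitfield trick, with unreserved names, only for older compilers:

```c
#ifndef static_assert
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L
#define static_assert _Static_assert
#else
/* Poor-man's static_assert() for pre-C11 compilers, taken from
 * Linux's sys/cdefs.h under GPLv2 */
#define static_assert(expr, diagnostic) \
  extern int (*openvpn_static_assert_function (void)) \
  [!!sizeof (struct { int error_if_negative: (expr) ? 2 : -1; })]
#endif
#endif
```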
@@ -968,6 +968,76 @@
 perf_pop ();
 }
+/**
+ * Drops UDP packets which OS decided to route via tun.
+ *
+ * On Windows and OS X when netwotk adapter is disabled or
+ * disconnected, platform starts to use tun as external interface.
+ * When packet is sent to tun, it comes to openvpn, encapsulated
+ * and sent to routing table, which sends it again to tun.
+ */
+static void
+drop_if_recursive_routing (struct context *c, struct buffer *buf)
+{
+ bool drop = false;
+ struct openvpn_sockaddr tun_sa;
+ int ip_hdr_offset = 0;
+
+ if (c->c2.to_link_addr == NULL) /* no remote addr known */
+ return;
+
+ tun_sa = c->c2.to_link_addr->dest;
+
+ int proto_ver = get_tun_ip_ver (TUNNEL_TYPE (c->c1.tuntap), &c->c2.buf, &ip_hdr_offset);
+
+ if (proto_ver == 4)
+ {
+ const struct openvpn_iphdr *pip;
+
+ /* make sure we got whole IP header */
+ if (BLEN (buf) < ((int) sizeof (struct openvpn_iphdr) + ip_hdr_offset))
+ return;
+
+ /* skip ipv4 packets for ipv6 tun */
+ if (tun_sa.addr.sa.sa_family != AF_INET)
+ return;
+
+ pip = (struct openvpn_iphdr *) (BPTR (buf) + ip_hdr_offset);
+
+ /* drop packets with same dest addr as gateway */
+ if (tun_sa.addr.in4.sin_addr.s_addr == pip->daddr)
+ drop = true;
+ }
+ else if (proto_ver == 6)
+ {
+ const struct openvpn_ipv6hdr *pip6;
+
+ /* make sure we got whole IPv6 header */
+ if (BLEN (buf) < ((int) sizeof (struct openvpn_ipv6hdr) + ip_hdr_offset))
+ return;
+
+ /* skip ipv6 packets for ipv4 tun */
+ if (tun_sa.addr.sa.sa_family != AF_INET6)
+ return;
+
+ /* drop packets with same dest addr as gateway */
+ pip6 = (struct openvpn_ipv6hdr *) (BPTR (buf) + ip_hdr_offset);
+ if (IN6_ARE_ADDR_EQUAL(&tun_sa.addr.in6.sin6_addr, &pip6->daddr))
+ drop = true;
+ }
+
+ if (drop)
+ {
+ struct gc_arena gc = gc_new ();
+
+ c->c2.buf.len = 0;
+
+ msg(D_LOW, "Recursive routing detected, drop tun packet to %s",
+ print_link_socket_actual(c->c2.to_link_addr, &gc));
+ gc_free (&gc);
+ }
+}
+
 /*
 * Input: c->c2.buf
 * Output: c->c2.to_link
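Review bot: `drop_if_recursive_routing` takes `buf` but hands `&c->c2.buf` to `get_tun_ip_ver` and clears `c->c2.buf.len` on drop, while the length checks and the header casts use `buf`; the one caller on this page passes `&c->c2.buf`, so they are the same object today, but any future caller with another buffer would have its IP version read from one buffer and its length checked on another. Use the parameter throughout: `int proto_ver = get_tun_ip_ver (TUNNEL_TYPE (c->c1.tuntap), buf, &ip_hdr_offset);` and `buf->len = 0;` in the `if (drop)` branch. `tun_sa = c->c2.to_link_addr->dest;` also copies a whole `struct openvpn_sockaddr` for every tun packet; a `const struct openvpn_sockaddr *tun_sa = &c->c2.to_link_addr->dest;` gives the same comparisons without the copy on the hot path. The header comment should also say that the caller only invokes this in point-to-point mode and when `--allow-recursive-routing` is unset, since the function itself checks neither.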
@@ -993,6 +1063,8 @@
 if (c->c2.buf.len > 0)
 {
+ if ((c->options.mode == MODE_POINT_TO_POINT) && (!c->options.allow_recursive_routing))
+ drop_if_recursive_routing (c, &c->c2.buf);
 /*
 * The --passtos and --mssfix options require
 * us to examine the IP header (IPv4 or IPv6).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/src/openvpn/helper.c new/openvpn-2.3.14/src/openvpn/helper.c
--- old/openvpn-2.3.13/src/openvpn/helper.c 2016-11-03 09:52:28.000000000 +0100
+++ new/openvpn-2.3.14/src/openvpn/helper.c 2016-12-07 12:35:43.000000000 +0100
@@ -230,7 +230,7 @@
 * if tap OR (tun AND topology == subnet):
 * ifconfig 10.8.0.1 255.255.255.0
 * if !nopool:
- * ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0
+ * ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0
 * push "route-gateway 10.8.0.1"
 * if route-gateway unset:
 * route-gateway 10.8.0.2
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/src/openvpn/options.c new/openvpn-2.3.14/src/openvpn/options.c
--- old/openvpn-2.3.13/src/openvpn/options.c 2016-11-03 09:52:28.000000000 +0100
+++ new/openvpn-2.3.14/src/openvpn/options.c 2016-12-07 12:35:43.000000000 +0100
@@ -500,6 +500,8 @@
 "--server-poll-timeout n : when polling possible remote servers to connect to\n"
 " in a round-robin fashion, spend no more than n seconds\n"
 " waiting for a response before trying the next server.\n"
+ "--allow-recursive-routing : When this option is set, OpenVPN will not drop\n"
+ " incoming tun packets with same destination as host.\n"
 #endif
 #ifdef ENABLE_OCC
 "--explicit-exit-notify [n] : On exit/restart, send exit signal to\n"
@@ -876,6 +878,7 @@
 }
 #endif /* WIN32 */
 #endif /* P2MP_SERVER */
+ o->allow_recursive_routing = false;
 }
 void
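Review bot: The two `"--allow-recursive-routing ..."` usage lines are inserted just above an `#endif`, i.e. inside whichever conditional block encloses the `--server-poll-timeout` text (its opening `#if` is outside this hunk), while the option itself is parsed unconditionally in the parser hunk further down (`else if (streq (p[0], "allow-recursive-routing") && !p[1])`); a build that does not define that conditional would accept the option but not list it in `--help`. If that is unintended, move the two lines below the `#endif`. The `o->allow_recursive_routing = false;` default sits after `#endif /* P2MP_SERVER */`, so it applies to every build, which matches a flag the parser accepts in every build.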
@@ -2091,6 +2094,8 @@
 if (options->ifconfig_ipv6_local && !options->tun_ipv6 )
 msg (M_INFO, "Warning: --ifconfig-ipv6 without --tun-ipv6 will not do IPv6");
+ if (options->allow_recursive_routing)
+ msg (M_USAGE, "--allow-recursive-routing cannot be used with --mode server");
 if (options->auth_user_pass_file)
 msg (M_USAGE, "--auth-user-pass cannot be used with --mode server (it should be used on the client side only)");
 if (options->ccd_exclusive && !options->client_config_dir)
@@ -3528,7 +3533,7 @@
 show_windows_version( M_INFO|M_NOPREFIX );
 #endif
 msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan");
- msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>");
+ msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <[email protected]>");
 #ifndef ENABLE_SMALL
 #ifdef CONFIGURE_DEFINES
 msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES);
@@ -4210,6 +4215,8 @@
 */
 if (streq (p[0], "setenv") && p[1] && streq (p[1], "opt") && !(permission_mask & OPT_P_PULL_MODE))
 {
+ if (!p[2])
+ p[2] = "setenv opt"; /* will trigger an error that includes setenv opt */
 p += 2;
 msglevel_fc = M_WARN;
 }
@@ -7122,6 +7129,11 @@
 options->use_peer_id = true;
 options->peer_id = atoi(p[1]);
 }
+ else if (streq (p[0], "allow-recursive-routing") && !p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->allow_recursive_routing = true;
+ }
 else
 {
 int i;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/src/openvpn/options.h new/openvpn-2.3.14/src/openvpn/options.h
--- old/openvpn-2.3.13/src/openvpn/options.h 2016-11-03 09:52:28.000000000 +0100
+++ new/openvpn-2.3.14/src/openvpn/options.h 2016-12-07 12:35:43.000000000 +0100
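Review bot: `p[2] = "setenv opt";` plants a string literal in the parsed-parameter array so that, after `p += 2`, the (presumably) unrecognised-option path at the end of the function reports an error whose text happens to contain `setenv opt`; that only works as long as no later branch writes through `p[2]` and the default branch's message keeps its current wording, neither of which is visible in this hunk. Reporting the problem where it is detected is clearer and does not depend on that: `msg (msglevel, "--setenv opt requires a third parameter");` followed by whatever error exit the function uses (outside this hunk). On the `--allow-recursive-routing` branch, `VERIFY_PERMISSION (OPT_P_GENERAL)` means the option cannot be pushed by a server, so a peer cannot switch off the client's recursive-routing guard; that is the right choice and deserves a one-line comment so nobody "relaxes" it later.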
@@ -598,6 +598,10 @@
 bool use_peer_id;
 uint32_t peer_id;
+
+ /* Useful when packets sent by openvpn itself are not subject
+ to the routing tables that would move packets into the tunnel. */
+ bool allow_recursive_routing;
 };
 #define streq(x, y) (!strcmp((x), (y)))
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/src/openvpn/proto.h new/openvpn-2.3.14/src/openvpn/proto.h
--- old/openvpn-2.3.13/src/openvpn/proto.h 2016-11-03 09:49:49.000000000 +0100
+++ new/openvpn-2.3.14/src/openvpn/proto.h 2016-11-08 09:37:16.000000000 +0100
@@ -219,6 +219,45 @@ - sizeof(struct openvpn_tcphdr))
 /*
+ * This returns an ip protocol version of packet inside tun
+ * and offset of IP header (via parameter).
+ */
+inline static int get_tun_ip_ver(int tunnel_type, struct buffer *buf, int *ip_hdr_offset)
+{
+ int ip_ver = -1;
+
+ /* for tun get ip version from ip header */
+ if (tunnel_type == DEV_TYPE_TUN)
+ {
+ *ip_hdr_offset = 0;
+ if (likely(BLEN (buf) >= (int) sizeof (struct openvpn_iphdr)))
+ {
+ ip_ver = OPENVPN_IPH_GET_VER (*BPTR(buf));
+ }
+ }
+ else if (tunnel_type == DEV_TYPE_TAP)
+ {
+ *ip_hdr_offset = (int)(sizeof (struct openvpn_ethhdr));
+ /* for tap get ip version from eth header */
+ if (likely(BLEN (buf) >= *ip_hdr_offset))
+ {
+ const struct openvpn_ethhdr *eh = (const struct openvpn_ethhdr *) BPTR (buf);
+ uint16_t proto = ntohs (eh->proto);
+ if (proto == OPENVPN_ETH_P_IPV6)
+ {
+ ip_ver = 6;
+ }
+ else if (proto == OPENVPN_ETH_P_IPV4)
+ {
+ ip_ver = 4;
+ }
+ }
+ }
+
+ return ip_ver;
+}
+
+/*
 * If raw tunnel packet is IPv4 or IPv6, return true and increment
 * buffer offset to start of IP header.
 */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/src/openvpn/sig.c new/openvpn-2.3.14/src/openvpn/sig.c
--- old/openvpn-2.3.13/src/openvpn/sig.c 2016-11-03 09:52:28.000000000 +0100
+++ new/openvpn-2.3.14/src/openvpn/sig.c 2016-12-07 12:35:43.000000000 +0100
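Review bot: `get_tun_ip_ver` writes `*ip_hdr_offset` only in the `DEV_TYPE_TUN` and `DEV_TYPE_TAP` branches, so for any other `tunnel_type` the caller's variable is left untouched and the -1 return is the only signal; the caller in forward.c happens to initialise it to 0, but an inline helper in a header should not depend on that. Set `*ip_hdr_offset = 0;` once at the top and say in the comment that -1 means "unknown type or buffer too short". The TUN branch also reads the version nibble only when at least a full 20-byte IPv4 header is present, so a shorter IPv6 fragment is reported as -1 rather than 6; harmless for the present caller, which then demands a full 40-byte header, but worth stating. `buf` is never written, so `const struct buffer *buf` would document that, provided `BLEN`/`BPTR` accept a const pointer.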
@@ -362,7 +362,8 @@
 /**
 * If a restart signal is received during exit-notification, reset the
- * signal and return true.
+ * signal and return true. If its a soft restart signal from the event loop
+ * which implies the loop cannot continue, remap to SIGTERM to exit promptly.
 */
 static bool
 ignore_restart_signals (struct context *c)
@@ -372,10 +373,20 @@
 if ( (c->sig->signal_received == SIGUSR1 || c->sig->signal_received == SIGHUP) && event_timeout_defined(&c->c2.explicit_exit_notification_interval) )
 {
- msg (M_INFO, "Ignoring %s received during exit notification",
- signal_name(c->sig->signal_received, true));
- signal_reset (c->sig);
- ret = true;
+ if (c->sig->hard)
+ {
+ msg (M_INFO, "Ignoring %s received during exit notification",
+ signal_name(c->sig->signal_received, true));
+ signal_reset (c->sig);
+ ret = true;
+ }
+ else
+ {
+ msg (M_INFO, "Converting soft %s received during exit notification to SIGTERM",
+ signal_name(c->sig->signal_received, true));
+ register_signal(c, SIGTERM, "exit-with-notification");
+ ret = false;
+ }
 }
 #endif
 return ret;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/src/openvpn/tun.c new/openvpn-2.3.14/src/openvpn/tun.c
--- old/openvpn-2.3.13/src/openvpn/tun.c 2016-11-03 09:52:28.000000000 +0100
+++ new/openvpn-2.3.14/src/openvpn/tun.c 2016-12-07 12:35:43.000000000 +0100
@@ -625,7 +625,8 @@
 }
 #endif
-#if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
+#if defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)||\
+ defined(TARGET_OPENBSD)
 /* we can't use true subnet mode on tun on all platforms, as that
 * conflicts with IPv6 (wants to use ND then, which we don't do),
 * but the OSes want "a remote address that is different from ours"
@@ -635,8 +636,8 @@
 * is still point to point and no layer 2 resolution is done...
 */
-const char *
-create_arbitrary_remote( struct tuntap *tt, struct gc_arena * gc )
+in_addr_t
+create_arbitrary_remote( struct tuntap *tt )
 {
 in_addr_t remote;
@@ -644,7 +645,7 @@
 if ( remote == tt->local )
 remote ++;
- return print_in_addr_t (remote, 0, gc);
+ return remote;
 }
 #endif
@@ -916,6 +917,8 @@
 #elif defined(TARGET_OPENBSD)
+ in_addr_t remote_end; /* for "virtual" subnet topology */
+
 /*
 * On OpenBSD, tun interfaces are persistent if created with
 * "ifconfig tunX create", and auto-destroyed if created by
@@ -935,12 +938,13 @@
 else if ( tt->topology == TOP_SUBNET )
 {
+ remote_end = create_arbitrary_remote( tt );
 argv_printf (&argv,
 "%s %s %s %s mtu %d netmask %s up -link0",
 IFCONFIG_PATH,
 actual,
 ifconfig_local,
- ifconfig_local,
+ print_in_addr_t (remote_end, 0, &gc),
 tun_mtu,
 ifconfig_remote_netmask
 );
@@ -957,6 +961,19 @@
 );
 argv_msg (M_INFO, &argv);
 openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig failed");
+
+ /* Add a network route for the local tun interface */
+ if (!tun && tt->topology == TOP_SUBNET)
+ {
+ struct route_ipv4 r;
+ CLEAR (r);
+ r.flags = RT_DEFINED;
+ r.network = tt->local & tt->remote_netmask;
+ r.netmask = tt->remote_netmask;
+ r.gateway = remote_end;
+ add_route (&r, tt, 0, NULL, es);
+ }
+
 if ( do_ipv6 )
 {
 argv_printf (&argv,
@@ -1126,6 +1143,8 @@
 #elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
+ in_addr_t remote_end; /* for "virtual" subnet topology */
+
 /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
 if (tun)
 argv_printf (&argv,
@@ -1138,12 +1157,13 @@
 else if ( tt->topology == TOP_SUBNET )
 {
+ remote_end = create_arbitrary_remote( tt );
 argv_printf (&argv,
 "%s %s %s %s mtu %d netmask %s up",
 IFCONFIG_PATH,
 actual,
 ifconfig_local,
- create_arbitrary_remote( tt, &gc ),
+ print_in_addr_t (remote_end, 0, &gc),
 tun_mtu,
 ifconfig_remote_netmask
 );
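Review bot: `remote_end` is declared at the top of the OpenBSD block but only assigned in the `tt->topology == TOP_SUBNET` branch of the ifconfig code, and the new route block reads it under the separate condition `!tun && tt->topology == TOP_SUBNET`; the two agree today, but the compiler cannot see that, and an edit to either branch would quietly install a route via an indeterminate gateway. Initialise it where it is declared, `in_addr_t remote_end = 0; /* for "virtual" subnet topology */`, in both the OpenBSD and the FreeBSD/DragonFly blocks (the FreeBSD route hunk on the next line reads it the same way). The ifconfig and route hunks appear to belong to one function whose beginning and end are outside this page.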
@@ -1170,7 +1190,7 @@
 r.flags = RT_DEFINED;
 r.network = tt->local & tt->remote_netmask;
 r.netmask = tt->remote_netmask;
- r.gateway = tt->local;
+ r.gateway = remote_end;
 add_route (&r, tt, 0, NULL, es);
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/src/openvpn/win32.c new/openvpn-2.3.14/src/openvpn/win32.c
--- old/openvpn-2.3.13/src/openvpn/win32.c 2016-11-03 09:52:28.000000000 +0100
+++ new/openvpn-2.3.14/src/openvpn/win32.c 2016-12-07 12:35:43.000000000 +0100
@@ -63,6 +63,7 @@
 func_FwpmSubLayerDeleteByKey0 FwpmSubLayerDeleteByKey0 = NULL;
 func_FwpmFreeMemory0 FwpmFreeMemory0 = NULL;
 func_FwpmGetAppIdFromFileName0 FwpmGetAppIdFromFileName0 = NULL;
+func_FwpmSubLayerGetByKey0 FwpmSubLayerGetByKey0 = NULL;
 /*
 * WFP firewall name.
@@ -1140,6 +1141,7 @@
 FwpmSubLayerDeleteByKey0 = (func_FwpmSubLayerDeleteByKey0)GetProcAddress(fwpuclntHandle, "FwpmSubLayerDeleteByKey0");
 FwpmFreeMemory0 = (func_FwpmFreeMemory0)GetProcAddress(fwpuclntHandle, "FwpmFreeMemory0");
 FwpmGetAppIdFromFileName0 = (func_FwpmGetAppIdFromFileName0)GetProcAddress(fwpuclntHandle, "FwpmGetAppIdFromFileName0");
+ FwpmSubLayerGetByKey0 = (func_FwpmSubLayerGetByKey0) GetProcAddress(fwpuclntHandle, "FwpmSubLayerGetByKey0");
 if (!ConvertInterfaceIndexToLuid ||
 !FwpmFilterAdd0 ||
@@ -1148,6 +1150,7 @@
 !FwpmSubLayerAdd0 ||
 !FwpmSubLayerDeleteByKey0 ||
 !FwpmFreeMemory0 ||
+ !FwpmSubLayerGetByKey0 ||
 !FwpmGetAppIdFromFileName0)
 {
 msg (M_NONFATAL, "Can't get address for all WFP-related procedures.");
@@ -1157,6 +1160,49 @@
 return true;
 }
+/* UUID of WFP sublayer used by all instances of openvpn
+ 2f660d7e-6a37-11e6-a181-001e8c6e04a2 */
+DEFINE_GUID(
+ OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER,
+ 0x2f660d7e,
+ 0x6a37,
+ 0x11e6,
+ 0xa1, 0x81, 0x00, 0x1e, 0x8c, 0x6e, 0x04, 0xa2
+);
+
+/*
+ * Add a persistent sublayer with specified uuid
+ */
+static DWORD
+add_sublayer (GUID uuid)
+{
+ FWPM_SESSION0 session;
+ HANDLE engine = NULL;
+ DWORD err = 0;
+ FWPM_SUBLAYER0 sublayer;
+
+ CLEAR (session);
+ CLEAR (sublayer);
+
+ err = FwpmEngineOpen0 (NULL, RPC_C_AUTHN_WINNT, NULL, &session, &engine);
+ if (err != ERROR_SUCCESS)
+ goto out;
+
+ sublayer.subLayerKey = uuid;
+ sublayer.displayData.name = FIREWALL_NAME;
+ sublayer.displayData.description = FIREWALL_NAME;
+ sublayer.flags = 0;
+ sublayer.weight = 0x100;
+
+ /* Add sublayer to the session */
+ err = FwpmSubLayerAdd0 (engine, &sublayer, NULL);
+
+out:
+ if (engine)
+ FwpmEngineClose0 (engine);
+ return err;
+}
+
 bool
 win_wfp_add_filter (HANDLE engineHandle,
 const FWPM_FILTER0 *filter,
@@ -1175,13 +1221,14 @@
 win_wfp_block_dns (const NET_IFINDEX index)
 {
 FWPM_SESSION0 session = {0};
- FWPM_SUBLAYER0 SubLayer = {0};
+ FWPM_SUBLAYER0 *sublayer_ptr = NULL;
 NET_LUID tapluid;
 UINT64 filterid;
 WCHAR openvpnpath[MAX_PATH];
 FWP_BYTE_BLOB *openvpnblob = NULL;
 FWPM_FILTER0 Filter = {0};
 FWPM_FILTER_CONDITION0 Condition[2] = {0};
+ DWORD status;
 /* Add temporary filters which don't survive reboots or crashes. */
 session.flags = FWPM_SESSION_FLAG_DYNAMIC;
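Review bot: `add_sublayer` opens a non-dynamic session (`session` is zeroed, so `FWPM_SESSION_FLAG_DYNAMIC` is not set), which is what makes the sublayer persistent, but nothing on this page ever deletes it: the object with the fixed GUID outlives every openvpn process and every reboot, and the `FwpmSubLayerDeleteByKey0` import is not used on this path. That is a reasonable design for a sublayer shared by several instances, but it should be stated where the next maintainer will look; extend the function comment to `/* Add a persistent (non-dynamic) sublayer with the fixed OpenVPN uuid. It is deliberately never removed, since other openvpn instances may still be using it. */`. The GUID is passed by value (`GUID uuid`, 16 bytes) while the lookup at the call site takes `&OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER`; `const GUID *uuid` would match that and avoid the copy.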
@@ -1194,28 +1241,32 @@ return false; } - if (UuidCreate(&SubLayer.subLayerKey) != NO_ERROR) - return false; - - /* Populate packet filter layer information. */ - SubLayer.displayData.name = FIREWALL_NAME; - SubLayer.displayData.description = FIREWALL_NAME; - SubLayer.flags = 0; - SubLayer.weight = 0x100; - - /* Add packet filter to our interface. */ - dmsg (D_LOW, "Adding WFP sublayer"); - if (FwpmSubLayerAdd0(m_hEngineHandle, &SubLayer, NULL) != ERROR_SUCCESS) - { - msg (M_NONFATAL, "Can't add WFP sublayer"); - return false; + /* Check sublayer exists and add one if it does not. */ + if (FwpmSubLayerGetByKey0 (m_hEngineHandle, &OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER, &sublayer_ptr) + == ERROR_SUCCESS) + { + msg (D_LOW, "Retrieved existing sublayer"); + FwpmFreeMemory0 ((void **)&sublayer_ptr); + } + else + { /* Add a new sublayer -- as another process may add it in the meantime, + do not treat "already exists" as an error */ + status = add_sublayer (OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER); + + if (status == FWP_E_ALREADY_EXISTS || status == ERROR_SUCCESS) + msg (D_LOW, "Added a persistent sublayer with pre-defined UUID"); + else + { + msg (M_NONFATAL, "Failed to add persistent sublayer (status = %lu)", status); + goto err; + } } - dmsg (D_LOW, "Blocking DNS using WFP"); + dmsg (M_INFO, "Blocking DNS using WFP"); if (ConvertInterfaceIndexToLuid(index, &tapluid) != NO_ERROR) { msg (M_NONFATAL, "Can't convert interface index to LUID"); - return false; + goto err; } dmsg (D_LOW, "Tap Luid: %I64d", tapluid.Value); @@ -1223,10 +1274,10 @@ GetModuleFileNameW(NULL, openvpnpath, MAX_PATH); if (FwpmGetAppIdFromFileName0(openvpnpath, &openvpnblob) != ERROR_SUCCESS) - return false; + goto err; /* Prepare filter. */ - Filter.subLayerKey = SubLayer.subLayerKey; + Filter.subLayerKey = OPENVPN_BLOCK_OUTSIDE_DNS_SUBLAYER; Filter.displayData.name = FIREWALL_NAME; Filter.weight.type = FWP_UINT8; Filter.weight.uint8 = 0xF; 
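Review bot: `dmsg (M_INFO, "Blocking DNS using WFP")` pairs the debug-only logging macro with a user-visible level: if error.h still compiles dmsg out when ENABLE_DEBUG is off, then raising D_LOW to M_INFO to make the line visible at default verbosity only works as `msg (M_INFO, "Blocking DNS using WFP");`, otherwise the old D_LOW should stay. The reverse mix appears a few lines up, where `msg (D_LOW, "Retrieved existing sublayer")` uses msg for a debug-level line while the rest of this function uses dmsg for D_LOW; pick one convention for the function. Style: the comment hung on the else brace, `{ /* Add a new sublayer ...`, is unlike the rest of the file, which puts comments on their own line inside the block. win_wfp_block_dns starts before this hunk.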
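Review bot: `GetModuleFileNameW(NULL, openvpnpath, MAX_PATH);` is still unchecked although its output is what FwpmGetAppIdFromFileName0 turns into the app-id the permit filters trust, and this hunk introduces the shared `err` exit that makes the check cheap. A zero return or a truncated path (return value >= MAX_PATH) would yield an app-id for a path that is not this executable, so I would write `DWORD len = GetModuleFileNameW(NULL, openvpnpath, MAX_PATH);` followed by `if (len == 0 || len >= MAX_PATH) goto err;`. The `Filter.weight.uint8 = 0xF` set here is the value the permit-from-TAP filters later in this commit (0xE) are ranked just below, which is worth stating at this site: `/* 0xF: highest manual weight; the TAP permit filters use 0xE below it */`. win_wfp_block_dns starts before and ends after this hunk.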
@@ -1277,7 +1328,12 @@ goto err; dmsg (D_LOW, "Filter (Block IPv6 DNS) added with ID=%I64d", filterid); - /* Fifth filter. Permit IPv4 DNS queries from TAP. */ + /* Fifth filter. Permit IPv4 DNS queries from TAP. + * Use a non-zero weight so that the permit filters get higher priority + * over the block filter added with automatic weighting */ + + Filter.weight.type = FWP_UINT8; + Filter.weight.uint8 = 0xE; Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4; Filter.action.type = FWP_ACTION_PERMIT; Filter.numFilterConditions = 2; @@ -1292,7 +1348,8 @@ goto err; dmsg (D_LOW, "Filter (Permit IPv4 DNS queries from TAP) added with ID=%I64d", filterid); - /* Sixth filter. Permit IPv6 DNS queries from TAP. */ + /* Sixth filter. Permit IPv6 DNS queries from TAP. + * Use same weight as IPv4 filter */ Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6; /* Add filter condition to our interface. */ @@ -1304,7 +1361,14 @@ return true; err: - FwpmFreeMemory0((void **)&openvpnblob); + if (openvpnblob) + FwpmFreeMemory0((void **)&openvpnblob); + if (m_hEngineHandle) + { + FwpmEngineClose0 (m_hEngineHandle); + m_hEngineHandle = NULL; + } + return false; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/src/openvpn/win32_wfp.h new/openvpn-2.3.14/src/openvpn/win32_wfp.h --- old/openvpn-2.3.13/src/openvpn/win32_wfp.h 2016-11-03 09:52:28.000000000 +0100 +++ new/openvpn-2.3.14/src/openvpn/win32_wfp.h 2016-12-07 12:35:43.000000000 +0100 @@ -62,6 +62,9 @@ #ifndef FWPM_SESSION_FLAG_DYNAMIC #define FWPM_SESSION_FLAG_DYNAMIC 0x00000001 #endif +#ifndef FWP_E_ALREADY_EXISTS +#define FWP_E_ALREADY_EXISTS 0x80320009 +#endif // c38d57d1-05a7-4c33-904f-7fbceee60e82 DEFINE_GUID( @@ -317,7 +320,7 @@ PNET_LUID InterfaceLuid ); -typedef DWORD *(WINAPI *func_FwpmEngineOpen0)( +typedef DWORD (WINAPI *func_FwpmEngineOpen0)( const wchar_t *serverName, UINT32 authnService, SEC_WINNT_AUTH_IDENTITY_W *authIdentity, 
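Review bot: The weight `0xE` is a bare magic number whose relation to the `0xF` used for the earlier filters and to the automatically weighted block filters is explained only in prose, and the sixth filter depends on `Filter.weight` silently surviving from the fifth. A pair of named constants next to the sublayer GUID, `#define WFP_WEIGHT_PERMIT_SELF 0xF` and `#define WFP_WEIGHT_PERMIT_TAP 0xE`, would make the ordering self-describing at both sites. The comment's claim that this manual weight outranks the "block filter added with automatic weighting" cannot be checked from this hunk because the block filters' weight assignment is outside it; if they use FWP_EMPTY, say so here, e.g. `/* the block filters use FWP_EMPTY (auto) weight; this explicit weight is relied on to rank above them */`, so the ordering assumption is verifiable in one place. win_wfp_block_dns starts before and ends after this hunk.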
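Review bot: The `err:` path now closes `m_hEngineHandle`, and because the session was opened with FWPM_SESSION_FLAG_DYNAMIC that close also discards every filter already added in it — correct for the failure path, but the reason deserves a comment so nobody mirrors it onto the `return true;` path just above, where the handle must stay open for the filters to keep existing. I would write `/* closing a dynamic session removes all filters it added: wanted on failure, never on success */` above the FwpmEngineClose0 call. Whether `openvpnblob` is also released on the success path lies outside this hunk; if it is not, the guard added here makes `err:` the only place that frees it, and the blob leaks on success. win_wfp_block_dns starts before this hunk.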
@@ -325,35 +328,41 @@ HANDLE *engineHandle ); -typedef DWORD *(WINAPI *func_FwpmEngineClose0)( +typedef DWORD (WINAPI *func_FwpmEngineClose0)( HANDLE engineHandle ); -typedef DWORD *(WINAPI *func_FwpmFilterAdd0)( +typedef DWORD (WINAPI *func_FwpmFilterAdd0)( HANDLE engineHandle, const FWPM_FILTER0 *filter, PSECURITY_DESCRIPTOR sd, UINT64 *id ); -typedef DWORD *(WINAPI *func_FwpmSubLayerAdd0)( +typedef DWORD (WINAPI *func_FwpmSubLayerAdd0)( HANDLE engineHandle, const FWPM_SUBLAYER0 *subLayer, PSECURITY_DESCRIPTOR sd ); -typedef DWORD *(WINAPI *func_FwpmSubLayerDeleteByKey0)( +typedef DWORD (WINAPI *func_FwpmSubLayerDeleteByKey0)( HANDLE engineHandle, const GUID *key ); -typedef void *(WINAPI *func_FwpmFreeMemory0)( +typedef void (WINAPI *func_FwpmFreeMemory0)( void **p ); -typedef DWORD *(WINAPI *func_FwpmGetAppIdFromFileName0)( +typedef DWORD (WINAPI *func_FwpmGetAppIdFromFileName0)( const wchar_t *fileName, FWP_BYTE_BLOB **appId ); +typedef DWORD (WINAPI *func_FwpmSubLayerGetByKey0)( + HANDLE engineHandle, + const GUID *key, + FWPM_SUBLAYER0 **subLayer +); + #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvpn-2.3.13/version.m4 new/openvpn-2.3.14/version.m4 --- old/openvpn-2.3.13/version.m4 2016-11-03 09:52:28.000000000 +0100 +++ new/openvpn-2.3.14/version.m4 2016-12-07 12:35:43.000000000 +0100 
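Review bot: The new `func_FwpmSubLayerGetByKey0` typedef says nothing about who owns `*subLayer`; BFE allocates it and the caller must release it with FwpmFreeMemory0 (win32.c does), so a comment on the typedef, `/* on success *subLayer is BFE-allocated; release with FwpmFreeMemory0 */`, would keep the next caller from leaking it or freeing it the wrong way. More generally, these typedefs are the cast targets for GetProcAddress, and the `DWORD *` to `DWORD` corrections in this hunk show how easily they drift from fwpmu.h without any compiler diagnostic; a header-level comment, `/* Prototypes below must match fwpmu.h exactly: they are reached only through a GetProcAddress cast, so a mismatch is undefined behaviour, not a compile error. */`, would state that maintenance rule once.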
@@ -1,9 +1,9 @@ dnl define the OpenVPN version define([PRODUCT_NAME], [OpenVPN]) define([PRODUCT_TARNAME], [openvpn]) -define([PRODUCT_VERSION], [2.3.13]) +define([PRODUCT_VERSION], [2.3.14]) define([PRODUCT_BUGREPORT], [[email protected]]) -define([PRODUCT_VERSION_RESOURCE], [2,3,13,0]) +define([PRODUCT_VERSION_RESOURCE], [2,3,14,0]) dnl define the TAP version define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) ++++++ openvpn-fips140-2.3.2.patch ++++++ --- /var/tmp/diff_new_pack.NzaYsJ/_old 2017-01-25 23:33:52.579442349 +0100 +++ /var/tmp/diff_new_pack.NzaYsJ/_new 2017-01-25 23:33:52.579442349 +0100 @@ -1,6 +1,8 @@ ---- openvpn-2.3.2/src/openvpn/crypto_backend.h -+++ openvpn-2.3.2/src/openvpn/crypto_backend.h 2015/02/19 09:15:02 -@@ -452,10 +452,11 @@ void md_ctx_final (md_ctx_t *ctx, uint8_ +Index: openvpn-2.3.14/src/openvpn/crypto_backend.h +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto_backend.h ++++ openvpn-2.3.14/src/openvpn/crypto_backend.h +@@ -480,10 +480,11 @@ void md_ctx_final (md_ctx_t *ctx, uint8_ * @param key The key to use for the HMAC * @param key_len The key length to use * @param kt Static message digest parameters @@ -13,9 +15,11 @@ /* * Free the given HMAC context. ---- openvpn-2.3.2/src/openvpn/crypto.c -+++ openvpn-2.3.2/src/openvpn/crypto.c 2015/02/19 09:15:02 -@@ -486,7 +486,7 @@ init_key_ctx (struct key_ctx *ctx, struc +Index: openvpn-2.3.14/src/openvpn/crypto.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto.c ++++ openvpn-2.3.14/src/openvpn/crypto.c +@@ -505,7 +505,7 @@ init_key_ctx (struct key_ctx *ctx, struc if (kt->digest && kt->hmac_length > 0) { ALLOC_OBJ(ctx->hmac, hmac_ctx_t); 
@@ -24,7 +28,7 @@ msg (D_HANDSHAKE, "%s: Using %d bit message hash '%s' for HMAC authentication", -@@ -1409,61 +1409,61 @@ free_ssl_lib (void) +@@ -1421,61 +1421,61 @@ free_ssl_lib (void) #endif /* ENABLE_SSL */ /* @@ -102,9 +106,11 @@ } #endif /* ENABLE_CRYPTO */ ---- openvpn-2.3.2/src/openvpn/crypto.h -+++ openvpn-2.3.2/src/openvpn/crypto.h 2015/02/19 09:15:02 -@@ -364,24 +364,24 @@ void free_ssl_lib (void); +Index: openvpn-2.3.14/src/openvpn/crypto.h +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto.h ++++ openvpn-2.3.14/src/openvpn/crypto.h +@@ -430,24 +430,24 @@ void free_ssl_lib (void); #endif /* ENABLE_SSL */ /* @@ -140,9 +146,11 @@ /* * Inline functions ---- openvpn-2.3.2/src/openvpn/crypto_openssl.c -+++ openvpn-2.3.2/src/openvpn/crypto_openssl.c 2015/02/19 09:15:02 -@@ -719,13 +719,17 @@ md_ctx_final (EVP_MD_CTX *ctx, uint8_t * +Index: openvpn-2.3.14/src/openvpn/crypto_openssl.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto_openssl.c ++++ openvpn-2.3.14/src/openvpn/crypto_openssl.c +@@ -829,13 +829,17 @@ md_ctx_final (EVP_MD_CTX *ctx, uint8_t * void hmac_ctx_init (HMAC_CTX *ctx, const uint8_t *key, int key_len, @@ -161,8 +169,10 @@ HMAC_Init_ex (ctx, key, key_len, kt, NULL); /* make sure we used a big enough key */ ---- openvpn-2.3.2/src/openvpn/crypto_openssl.h -+++ openvpn-2.3.2/src/openvpn/crypto_openssl.h 2015/02/19 09:15:02 +Index: openvpn-2.3.14/src/openvpn/crypto_openssl.h +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto_openssl.h ++++ openvpn-2.3.14/src/openvpn/crypto_openssl.h @@ -33,6 +33,7 @@ #include <openssl/evp.h> #include <openssl/hmac.h> 
@@ -171,9 +181,11 @@ /** Generic cipher key type %context. */ typedef EVP_CIPHER cipher_kt_t; ---- openvpn-2.3.2/src/openvpn/crypto_polarssl.c -+++ openvpn-2.3.2/src/openvpn/crypto_polarssl.c 2015/02/19 09:15:02 -@@ -608,7 +608,7 @@ md_ctx_final (md_context_t *ctx, uint8_t +Index: openvpn-2.3.14/src/openvpn/crypto_polarssl.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/crypto_polarssl.c ++++ openvpn-2.3.14/src/openvpn/crypto_polarssl.c +@@ -695,7 +695,7 @@ md_ctx_final (md_context_t *ctx, uint8_t * TODO: re-enable dmsg for crypto debug */ void @@ -182,9 +194,11 @@ { ASSERT(NULL != kt && NULL != ctx); ---- openvpn-2.3.2/src/openvpn/init.c -+++ openvpn-2.3.2/src/openvpn/init.c 2015/02/19 09:15:02 -@@ -1352,12 +1352,12 @@ do_route (const struct options *options, +Index: openvpn-2.3.14/src/openvpn/init.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/init.c ++++ openvpn-2.3.14/src/openvpn/init.c +@@ -1360,12 +1360,12 @@ do_route (const struct options *options, */ #if P2MP static void @@ -199,7 +213,7 @@ } #endif -@@ -1649,8 +1649,8 @@ do_up (struct context *c, bool pulled_op +@@ -1713,8 +1713,8 @@ do_up (struct context *c, bool pulled_op if (!c->c2.did_open_tun && PULL_DEFINED (&c->options) && c->c1.tuntap @@ -210,7 +224,7 @@ { /* if so, close tun, delete routes, then reinitialize tun and add routes */ msg (M_INFO, "NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device."); -@@ -2697,11 +2697,11 @@ do_compute_occ_strings (struct context * +@@ -2792,11 +2792,11 @@ do_compute_occ_strings (struct context * #ifdef ENABLE_CRYPTO msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'", options_string_version (c->c2.options_string_local, &gc), 
@@ -224,8 +238,10 @@ strlen (c->c2.options_string_remote), 9, &gc)); #endif ---- openvpn-2.3.2/src/openvpn/ntlm.c -+++ openvpn-2.3.2/src/openvpn/ntlm.c 2015/02/19 09:15:02 +Index: openvpn-2.3.14/src/openvpn/ntlm.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/ntlm.c ++++ openvpn-2.3.14/src/openvpn/ntlm.c @@ -90,7 +90,7 @@ gen_hmac_md5 (const char* data, int data hmac_ctx_t hmac_ctx; CLEAR(hmac_ctx); @@ -235,9 +251,11 @@ hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len); hmac_ctx_final(&hmac_ctx, (unsigned char *)result); hmac_ctx_cleanup(&hmac_ctx); ---- openvpn-2.3.2/src/openvpn/openvpn.h -+++ openvpn-2.3.2/src/openvpn/openvpn.h 2015/02/19 09:15:02 -@@ -206,7 +206,7 @@ struct context_1 +Index: openvpn-2.3.14/src/openvpn/openvpn.h +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/openvpn.h ++++ openvpn-2.3.14/src/openvpn/openvpn.h +@@ -205,7 +205,7 @@ struct context_1 #endif /* if client mode, hash of option strings we pulled from server */ @@ -246,7 +264,7 @@ /**< Hash of option strings received from the * remote OpenVPN server. Only used in * client-mode. */ -@@ -474,9 +474,9 @@ struct context_2 +@@ -473,9 +473,9 @@ struct context_2 bool did_pre_pull_restore; /* hash of pulled options, so we can compare when options change */ @@ -259,9 +277,11 @@ struct event_timeout server_poll_interval; ---- openvpn-2.3.2/src/openvpn/options.c -+++ openvpn-2.3.2/src/openvpn/options.c 2015/02/19 09:15:10 -@@ -828,6 +828,10 @@ init_options (struct options *o, const b +Index: openvpn-2.3.14/src/openvpn/options.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/options.c ++++ openvpn-2.3.14/src/openvpn/options.c +@@ -835,6 +835,10 @@ init_options (struct options *o, const b #endif #ifdef ENABLE_CRYPTO o->ciphername = "BF-CBC"; 
@@ -272,9 +292,11 @@ o->ciphername_defined = true; o->authname = "SHA1"; o->authname_defined = true; ---- openvpn-2.3.13.orig/src/openvpn/push.c -+++ openvpn-2.3.13/src/openvpn/push.c 2016-12-03 22:57:58.198398996 +0100 -@@ -408,7 +408,7 @@ +Index: openvpn-2.3.14/src/openvpn/push.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/push.c ++++ openvpn-2.3.14/src/openvpn/push.c +@@ -408,7 +408,7 @@ push_reset (struct options *o) #endif static void @@ -283,7 +305,7 @@ { char line[OPTION_PARM_SIZE]; while (buf_parse (buf, ',', line, sizeof (line))) -@@ -416,7 +416,7 @@ +@@ -416,7 +416,7 @@ push_update_digest(struct md5_state *ctx /* peer-id might change on restart and this should not trigger reopening tun */ if (strstr (line, "peer-id ") != line) { @@ -292,7 +314,7 @@ } } } -@@ -472,10 +472,10 @@ +@@ -472,10 +472,10 @@ process_incoming_push_msg (struct contex if (ch == ',') { struct buffer buf_orig = buf; @@ -306,7 +328,7 @@ } if (!c->c2.did_pre_pull_restore) { -@@ -493,8 +493,8 @@ +@@ -493,8 +493,8 @@ process_incoming_push_msg (struct contex { case 0: case 1: @@ -317,9 +339,11 @@ ret = PUSH_MSG_REPLY; break; case 2: ---- openvpn-2.3.2/src/openvpn/ssl.c -+++ openvpn-2.3.2/src/openvpn/ssl.c 2015/02/19 09:15:02 -@@ -1342,8 +1342,8 @@ tls1_P_hash(const md_kt_t *md_kt, +Index: openvpn-2.3.14/src/openvpn/ssl.c +=================================================================== +--- openvpn-2.3.14.orig/src/openvpn/ssl.c ++++ openvpn-2.3.14/src/openvpn/ssl.c +@@ -1396,8 +1396,8 @@ tls1_P_hash(const md_kt_t *md_kt, chunk = md_kt_size(md_kt); A1_len = md_kt_size(md_kt); ++++++ openvpn-tmpfile.conf ++++++ --- /var/tmp/diff_new_pack.NzaYsJ/_old 2017-01-25 23:33:52.607438130 +0100 +++ /var/tmp/diff_new_pack.NzaYsJ/_new 2017-01-25 23:33:52.607438130 +0100 @@ -1 +1 @@ -D /var/run/openvpn 0750 root root - +D /run/openvpn 0750 root root -
