Hello community,

here is the log from the commit of package openvpn for openSUSE:Factory checked 
in at 2017-06-12 15:30:13
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvpn (Old)
 and      /work/SRC/openSUSE:Factory/.openvpn.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openvpn"

Mon Jun 12 15:30:13 2017 rev:75 rq:501452 version:2.4.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes  2017-05-08 
19:03:00.964127085 +0200
+++ /work/SRC/openSUSE:Factory/.openvpn.new/openvpn.changes     2017-06-12 
15:30:42.230982401 +0200
@@ -1,0 +2,20 @@
+Tue Jun  6 14:59:29 CEST 2017 - [email protected]
+
+- Update tp 2.4.2
+    - auth-token: Ensure tokens are always wiped on de-auth
+    - Make --cipher/--auth none more explicit on the risks
+    - Use SHA256 for the internal digest, instead of MD5
+    - Deprecate --ns-cert-type
+    - Deprecate --no-iv
+    - Support --block-outside-dns on multiple tunnels
+    - Limit --reneg-bytes to 64MB when using small block ciphers
+    - Fix --tls-version-max in mbed TLS builds
+  Details changelogs are avilable in 
+  https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
+  [*0001-preform-deferred-authentication-in-the-background.patch
+   *openvpn-2.3.x-fixed-multiple-low-severity-issues.patch
+   *openvpn-fips140-2.3.2.patch]
+- pkcs11-helper-devel >= 1.11 is needed for openvpn-2.4.2
+- cleanup the spec file
+
+-------------------------------------------------------------------

Old:
----
  openvpn-2.3.14.tar.xz
  openvpn-2.3.14.tar.xz.asc

New:
----
  openvpn-2.4.2.tar.xz
  openvpn-2.4.2.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openvpn.spec ++++++
--- /var/tmp/diff_new_pack.QHVtIS/_old  2017-06-12 15:30:47.802196665 +0200
+++ /var/tmp/diff_new_pack.QHVtIS/_new  2017-06-12 15:30:47.806196101 +0200
@@ -32,7 +32,7 @@
 %else
 PreReq:         %insserv_prereq %fillup_prereq
 %endif
-Version:        2.3.14
+Version:        2.4.2
 Release:        0
 Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
 License:        SUSE-GPL-2.0-with-openssl-exception and LGPL-2.1
@@ -63,8 +63,8 @@
 BuildRequires:  systemd
 %endif
 BuildRequires:  libselinux-devel
-BuildRequires:  pkcs11-helper-devel
-Requires:       pkcs11-helper
+BuildRequires:  pkcs11-helper-devel >= 1.11
+Requires:       pkcs11-helper >= 1.11
 %if %{with_systemd}
 BuildRequires:  systemd-devel
 %endif
@@ -147,14 +147,14 @@
 sed -e "s|@PLUGIN_LIBDIR@|%{_libdir}/openvpn/plugins|g" \
     -e "s|@PLUGIN_DOCDIR@|%{_defaultdocdir}/%{name}|g" \
     -i doc/openvpn.8
-sed -e "s|/var/run|%{_rundir}|g" < \
+sed -e "s|%{_localstatedir}/run|%{_rundir}|g" < \
     $RPM_SOURCE_DIR/%{name}.service > %{name}.service
 
 # %%doc items shouldn't be executable.
 find contrib sample -type f -exec chmod a-x \{\} \;
 
 %build
-export CFLAGS="$RPM_OPT_FLAGS $(getconf LFS_CFLAGS) -W -Wall 
-fno-strict-aliasing"
+export CFLAGS="%{optflags} $(getconf LFS_CFLAGS) -W -Wall -fno-strict-aliasing"
 export LDFLAGS
 %configure \
        --enable-iproute2               \
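Review bot: `$(getconf LFS_CFLAGS)` is now passed twice on the new side: once in the exported CFLAGS line of this hunk and again in the `CFLAGS="$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS"` argument to %configure in the next hunk, which re-expands $CFLAGS. Dropping it from one of the two places keeps the effective flags identical while making the compiler invocation easier to audit, e.g. `export CFLAGS="%{optflags} -W -Wall -fno-strict-aliasing"` if the %configure argument is kept as the single source. The %configure call continues past the end of this hunk.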
@@ -169,52 +169,54 @@
        --enable-plugin-auth-pam        \
        CFLAGS="$CFLAGS $(getconf LFS_CFLAGS) -fPIE $PLUGIN_DEFS"       \
        LDFLAGS="$LDFLAGS -pie -lpam -rdynamic 
-Wl,-rpath,%{_libdir}/%{name}/plugins"
-make
+make %{_smp_mflags}
 
 %install
 make DESTDIR=$RPM_BUILD_ROOT install
-find $RPM_BUILD_ROOT -name '*.la' | xargs rm -f
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/openvpn
-mkdir -p $RPM_BUILD_ROOT/%{_rundir}/openvpn
-mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openvpn
+find %{buildroot} -type f -name "*.la" -delete -print
+mkdir -p %{buildroot}/%{_sysconfdir}/openvpn
+mkdir -p %{buildroot}/%{_rundir}/openvpn
+mkdir -p %{buildroot}/%{_datadir}/openvpn
 %if %{with_systemd}
+rm %{buildroot}%{_libdir}/systemd/system/[email protected]
+rm %{buildroot}%{_libdir}/systemd/system/[email protected]
 install -D -m 644 %{name}.service %{buildroot}/%{_unitdir}/%{name}@.service
 install -D -m 644 $RPM_SOURCE_DIR/%{name}.target 
%{buildroot}/%{_unitdir}/%{name}.target
 install -D -m 755 $RPM_SOURCE_DIR/rc%{name} %{buildroot}%{_sbindir}/rc%{name}
 # tmpfiles.d
-mkdir -p %{buildroot}%{_libexecdir}/tmpfiles.d
-install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf 
%{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf
+mkdir -p %{buildroot}%{_libdir}/tmpfiles.d
+install -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf 
%{buildroot}%{_libdir}/tmpfiles.d/%{name}.conf
 %else
-install -D -m 755 $RPM_SOURCE_DIR/openvpn.init 
$RPM_BUILD_ROOT/%{_sysconfdir}/init.d/openvpn
-ln -sv %{_sysconfdir}/init.d/openvpn $RPM_BUILD_ROOT/%{_sbindir}/rcopenvpn
+install -D -m 755 $RPM_SOURCE_DIR/openvpn.init 
%{buildroot}/%{_sysconfdir}/init.d/openvpn
+ln -sv %{_sysconfdir}/init.d/openvpn %{buildroot}/%{_sbindir}/rcopenvpn
 # the /etc/sysconfig/openvpn template only with sysvinit, no needed with 
systemd
-install -d -m0755 %{buildroot}/var/adm/fillup-templates
+install -d -m0755 %{buildroot}%{_localstatedir}/adm/fillup-templates
 install    -m0600 $RPM_SOURCE_DIR/openvpn.sysconfig \
-                  %{buildroot}/var/adm/fillup-templates/sysconfig.openvpn
+                  
%{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.openvpn
 %endif
 cp -p $RPM_SOURCE_DIR/openvpn.README.SUSE README.SUSE
 install -m 755 $RPM_SOURCE_DIR/client-netconfig.up 
sample/sample-scripts/client-netconfig.up
 install -m 755 $RPM_SOURCE_DIR/client-netconfig.down 
sample/sample-scripts/client-netconfig.down
 
 # we install docs via spec into _defaultdocdir/name/management-notes.txt
-rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/{OpenVPN,%name}
+rm -rf %{buildroot}%{_datadir}/doc/{OpenVPN,%{name}}
 find sample -name .gitignore | xargs rm -f
 
 %post
 %if %{with_systemd}
-systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf ||:
+systemd-tmpfiles --create %{_libdir}/tmpfiles.d/%{name}.conf ||:
 %service_add_post %{name}.target
 # try to migrate openvpn.service autostart to openvpn@<CONF>.service
 if test ${FIRST_ARG:-$1} -ge 1 -a \
        -x /bin/systemctl -a \
-       -f /etc/sysconfig/openvpn -a \
-       -f /var/adm/fillup-templates/sysconfig.openvpn && \
+       -f %{_sysconfdir}/sysconfig/openvpn -a \
+       -f %{_localstatedir}/adm/fillup-templates/sysconfig.openvpn && \
        /bin/systemctl --quiet is-enabled openvpn.service &>/dev/null ;
 then
-       . /etc/sysconfig/openvpn
+       . %{_sysconfdir}/sysconfig/openvpn
        try_service_cgroup_join()
        {
-               local p="/var/run/openvpn/${1}.pid"
+               local p="%{_localstatedir}/run/openvpn/${1}.pid"
                local t="/sys/fs/cgroup/systemd/system/[email protected]/${1}"
                /sbin/checkproc -p "$p" "%{_sbindir}/openvpn" &>/dev/null || 
return 0
                test -d "$t" || mkdir -p "$t" 2>/dev/null || return 1
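Review bot: The new tmpfiles.d and unit-removal paths are built from %{_libdir} (the two `rm %{buildroot}%{_libdir}/systemd/system/...` lines after `%if %{with_systemd}`, the `mkdir -p`/`install` of %{name}-tmpfile.conf, and `systemd-tmpfiles --create %{_libdir}/tmpfiles.d/%{name}.conf` in %post), but %{_libdir} is architecture-dependent (/usr/lib64 on 64-bit openSUSE targets) while systemd-tmpfiles only scans /usr/lib/tmpfiles.d on boot, so on those targets the explicit %post call would succeed yet the `%ghost %{_rundir}/openvpn/` directory would not be recreated after a reboot. The install lines in the same hunk already use %{_unitdir} for the unit files, so the rm lines should use it too, and the tmpfiles lines should use `%{_tmpfilesdir}` (or the fixed /usr/lib/tmpfiles.d path the old %post used), e.g. `install -D -m 0644 $RPM_SOURCE_DIR/%{name}-tmpfile.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf`. The `%dir %{_libdir}/tmpfiles.d` and `%{_libdir}/tmpfiles.d/%{name}.conf` entries in the %files hunk below need the same change, and owning the shared tmpfiles.d directory from this package should not be necessary once the systemd-provided macro is used. The two removed unit names appear as `[email protected]` in this rendering, which looks like an extraction artifact rather than the real file names, so the exact names should be checked against what `make install` of 2.4.2 places in %{_unitdir}.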
@@ -222,22 +224,22 @@
        }
        if test "X$OPENVPN_AUTOSTART" != "X" ; then
                for conf in $OPENVPN_AUTOSTART ; do
-                       test -f "/etc/openvpn/${conf}.conf" && \
+                       test -f "%{_sysconfdir}/openvpn/${conf}.conf" && \
                        /bin/systemctl enable "openvpn@${conf}.service" && \
                        try_service_cgroup_join "$conf" || continue
                done
        else
                shopt -s nullglob || :
-               for conf in /etc/openvpn/*.conf ; do
+               for conf in %{_sysconfdir}/openvpn/*.conf ; do
                        conf=${conf##*/}
                        conf=${conf%.conf}
-                       test -f "/etc/openvpn/${conf}.conf" && \
+                       test -f "%{_sysconfdir}/openvpn/${conf}.conf" && \
                        /bin/systemctl enable "openvpn@${conf}.service" && \
                        try_service_cgroup_join "$conf" || continue
                done
        fi
 fi
-rm -f /etc/sysconfig/openvpn || :
+rm -f %{_sysconfdir}/sysconfig/openvpn || :
 %else
 %{?fillup_and_insserv:%fillup_and_insserv}
 %endif
@@ -269,13 +271,14 @@
 %doc %{_mandir}/man8/openvpn.8.gz
 %config(noreplace) %{_sysconfdir}/openvpn/
 %if %{with_systemd}
+%dir %{_libdir}/tmpfiles.d
 %{_unitdir}/%{name}@.service
 %{_unitdir}/%{name}.target
-%{_libexecdir}/tmpfiles.d/%{name}.conf
+%{_libdir}/tmpfiles.d/%{name}.conf
 %dir %attr(0750,root,root) %ghost %{_rundir}/openvpn/
 %else
 %config %{_sysconfdir}/init.d/openvpn
-/var/adm/fillup-templates/sysconfig.openvpn
+%{_localstatedir}/adm/fillup-templates/sysconfig.openvpn
 %dir %attr(750,root,root) %{_rundir}/openvpn/
 %endif
 %{_sbindir}/rcopenvpn
@@ -296,5 +299,6 @@
 %files devel
 %defattr(-,root,root)
 %{_includedir}/%{name}-plugin.h
+%{_includedir}/%{name}-msg.h
 
 %changelog

++++++ 0001-preform-deferred-authentication-in-the-background.patch ++++++
--- /var/tmp/diff_new_pack.QHVtIS/_old  2017-06-12 15:30:47.846190461 +0200
+++ /var/tmp/diff_new_pack.QHVtIS/_new  2017-06-12 15:30:47.846190461 +0200
@@ -1,17 +1,16 @@
-From 8c39dbd45d3551e838310732a73e05f6d2d2e784 Mon Sep 17 00:00:00 2001
-From: Nirmoy Das <[email protected]>
-Date: Thu, 12 May 2016 12:08:56 +0200
-Subject: [PATCH] preform deferred authentication in the background to not
- cause main daemon processing delays when the underlying pam mechanism (e.g.
- ldap) needs longer to response.
-References: bsc#959511
-
-
 diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
-index bd71792..119fc31 100644
+index 54471a3..a2d509f 100644
 --- a/src/plugins/auth-pam/auth-pam.c
 +++ b/src/plugins/auth-pam/auth-pam.c
-@@ -55,6 +55,7 @@
+@@ -43,6 +43,7 @@
+ #include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
++#include <linux/limits.h>
+ #include <sys/wait.h>
+ #include <fcntl.h>
+ #include <signal.h>
+@@ -56,6 +57,7 @@
  /* Command codes for foreground -> background communication */
  #define COMMAND_VERIFY 0
  #define COMMAND_EXIT   1
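Review bot: The rebased patch adds `#include <linux/limits.h>` to obtain PATH_MAX for the new `auth_control_file[PATH_MAX]` member, but that header is Linux-only while the surrounding includes are portable POSIX headers; `#include <limits.h>` provides PATH_MAX on POSIX systems and keeps the plugin buildable elsewhere. If PATH_MAX being undefined on some platform is the concern, a fallback `#ifndef PATH_MAX` definition next to the other defines is the usual pattern rather than a Linux-specific header.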
@@ -19,16 +18,16 @@
  
  /* Response codes for background -> foreground communication */
  #define RESPONSE_INIT_SUCCEEDED   10
-@@ -108,6 +109,7 @@ struct user_pass {
-   char username[128];
-   char password[128];
-   char common_name[128];
-+  char auth_control_file[PATH_MAX];
+@@ -112,6 +114,7 @@ struct user_pass {
+     char username[128];
+     char password[128];
+     char common_name[128];
++      char auth_control_file[PATH_MAX];
  
-   const struct name_value_list *name_value_list;
+     const struct name_value_list *name_value_list;
  };
-@@ -687,6 +689,21 @@ pam_auth (const char *service, const struct user_pass *up)
-   return ret;
+@@ -708,6 +711,21 @@ pam_auth(const char *service, const struct user_pass *up)
+     return ret;
  }
  
 +static int handle_auth_control_file(char *auth_control_file, int status)
@@ -49,51 +48,52 @@
  /*
   * Background process -- runs with privilege.
   */
-@@ -781,6 +798,41 @@ pam_server (int fd, const char *service, int verb, const 
struct name_value_list
-           }
-         break;
- 
-+      case COMMAND_VERIFY_V2:
-+              if (recv_string (fd, up.username, sizeof (up.username)) == -1
-+                      || recv_string (fd, up.password, sizeof (up.password)) 
== -1
-+                      || recv_string (fd, up.common_name, sizeof 
(up.common_name)) == -1
-+                      || recv_string (fd, up.auth_control_file, sizeof 
(up.auth_control_file)) == -1)
-+              {
-+                        fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on 
command channel: code=%d, exiting\n",
-+                                        command);
-+                        goto done;
-+              }
+@@ -807,6 +825,42 @@ pam_server(int fd, const char *service, int verb, const 
struct name_value_list *
+                 plugin_secure_memzero(up.password, sizeof(up.password));
+                 break;
+ 
++                      case COMMAND_VERIFY_V2:
++                              if (recv_string (fd, up.username, sizeof 
(up.username)) == -1
++                                              || recv_string (fd, 
up.password, sizeof (up.password)) == -1
++                                              || recv_string (fd, 
up.common_name, sizeof (up.common_name)) == -1
++                                              || recv_string (fd, 
up.auth_control_file, sizeof (up.auth_control_file)) == -1)
++                              {
++                                      fprintf (stderr, "AUTH-PAM: BACKGROUND: 
read error on command channel: code=%d, exiting\n",
++                                                      command);
++                                      goto done;
++                              }
 +
-+              if (DEBUG (verb))
-+              {
++                              if (DEBUG (verb))
++                              {
 +#if 0
-+                fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n",
-+                                up.username, up.password);
++                                              fprintf (stderr, "AUTH-PAM: 
BACKGROUND: USER/PASS: %s/%s\n",
++                                                              up.username, 
up.password);
 +#else
-+                fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", 
up.username);
++                                              fprintf (stderr, "AUTH-PAM: 
BACKGROUND: USER: %s\n", up.username);
 +#endif
-+              }
++                              }
++
++                              if (pam_auth (service, &up)) /* Succeeded */
++                              {
++                                      if 
(handle_auth_control_file(up.auth_control_file, 1) == -1) {
++                                              fprintf (stderr, "AUTH-PAM: 
BACKGROUND: write error on control file\n");
++                                      }
++                              }
++                              else /* Failed */
++                              {
++                                      if 
(handle_auth_control_file(up.auth_control_file, 0) == -1) {
++                                              fprintf (stderr, "AUTH-PAM: 
BACKGROUND: write error on control file\n");
++                                      }
++                              }
++                              break;
 +
-+              if (pam_auth (service, &up)) /* Succeeded */
-+              {
-+                      if (handle_auth_control_file(up.auth_control_file, 1) 
== -1) {
-+                              fprintf (stderr, "AUTH-PAM: BACKGROUND: write 
error on control file\n");
-+                      }
-+              }
-+              else /* Failed */
-+              {
-+                      if (handle_auth_control_file(up.auth_control_file, 0) 
== -1) {
-+                              fprintf (stderr, "AUTH-PAM: BACKGROUND: write 
error on control file\n");
-+                      }
-+              }
-+        break;
 +
-       case COMMAND_EXIT:
-         goto done;
+             case COMMAND_EXIT:
+                 goto done;
  
-@@ -804,3 +856,56 @@ pam_server (int fd, const char *service, int verb, const 
struct name_value_list
+@@ -833,3 +887,56 @@ done:
  
-   return;
+     return;
  }
 +
 +int
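Review bot: The rebased COMMAND_VERIFY_V2 case never wipes up.password after pam_auth(), while the upstream COMMAND_VERIFY case visible in the context lines just above it ends with `plugin_secure_memzero(up.password, sizeof(up.password));` before its `break;`, so on this code path the cleartext password now stays in the privileged background process's memory between requests. Add `plugin_secure_memzero(up.password, sizeof(up.password));` immediately before the `break;` that ends the V2 case, placed after the if/else so the wipe is unconditional regardless of what handle_auth_control_file() returns. The `#if 0` block that would print the password to stderr is dead code carried over from the 2.3 version of the patch and could be dropped rather than rebased. The added lines also use tab indentation and `recv_string (fd, ...` spacing against the 4-space, no-space-before-paren style of the surrounding 2.4 context, which will make the next rebase noisier than it needs to be. The pam_server() body starts and ends outside this hunk.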
@@ -149,15 +149,12 @@
 +      }
 +}
 diff --git a/src/plugins/auth-pam/auth-pam.exports 
b/src/plugins/auth-pam/auth-pam.exports
-index b07937c..11a80f1 100644
+index 597e33f..b304ff4 100644
 --- a/src/plugins/auth-pam/auth-pam.exports
 +++ b/src/plugins/auth-pam/auth-pam.exports
 @@ -1,4 +1,5 @@
- openvpn_plugin_open_v1
+ openvpn_plugin_open_v3
  openvpn_plugin_func_v1
 +openvpn_plugin_func_v2
  openvpn_plugin_close_v1
  openvpn_plugin_abort_v1
--- 
-2.6.2
-

++++++ openvpn-2.3.x-fixed-multiple-low-severity-issues.patch ++++++
--- /var/tmp/diff_new_pack.QHVtIS/_old  2017-06-12 15:30:47.882185384 +0200
+++ /var/tmp/diff_new_pack.QHVtIS/_new  2017-06-12 15:30:47.882185384 +0200
@@ -1,238 +1,257 @@
 diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
-index 4261795..44c1f9e 100644
+index 09659aa..b35d884 100644
 --- a/src/openvpn/crypto.c
 +++ b/src/openvpn/crypto.c
-@@ -151,7 +151,7 @@ openvpn_encrypt (struct buffer *buf, struct buffer work,
-         ASSERT (cipher_ctx_reset(ctx->cipher, iv_buf));
+@@ -119,7 +119,7 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer 
work,
+     dmsg(D_PACKET_CONTENT, "ENCRYPT FROM: %s", format_hex(BPTR(buf), 
BLEN(buf), 80, &gc));
  
-         /* Buffer overflow check */
--        if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
-+        if (!buf_safe (&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
-           {
-             msg (D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d 
bl=%d wc=%d wo=%d wl=%d cbs=%d",
-                  buf->capacity,
-@@ -278,7 +278,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
-         const int iv_size = cipher_ctx_iv_length (ctx->cipher);
-         const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher);
-         uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH];
--        int outlen;
-+        int outlen = 0;
- 
-         /* initialize work buffer with FRAME_HEADROOM bytes of prepend 
capacity */
-         ASSERT (buf_init (&work, FRAME_HEADROOM_ADJ (frame, 
FRAME_HEADROOM_MARKER_DECRYPT)));
-@@ -305,7 +305,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
-           CRYPT_ERROR ("cipher init failed");
- 
-         /* Buffer overflow check (should never happen) */
--        if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
-+        if (!buf_safe (&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
-           CRYPT_ERROR ("potential buffer overflow");
+     /* Buffer overflow check */
+-    if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
++    if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
+     {
+         msg(D_CRYPT_ERRORS,
+             "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d",
+@@ -238,7 +238,7 @@ openvpn_encrypt_v1(struct buffer *buf, struct buffer work,
+             ASSERT(cipher_ctx_reset(ctx->cipher, iv_buf));
+ 
+             /* Buffer overflow check */
+-            if (!buf_safe(&work, buf->len + 
cipher_ctx_block_size(ctx->cipher)))
++            if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
+             {
+                 msg(D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d 
bl=%d wc=%d wo=%d wl=%d cbs=%d",
+                     buf->capacity,
+@@ -379,7 +379,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer 
work,
+     const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
+     uint8_t *tag_ptr = NULL;
+     int tag_size = 0;
+-    int outlen;
++    int outlen = 0;
+     struct gc_arena gc;
+ 
+     gc_init(&gc);
+@@ -456,7 +456,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer 
work,
+     dmsg(D_PACKET_CONTENT, "DECRYPT FROM: %s", format_hex(BPTR(buf), 
BLEN(buf), 0, &gc));
+ 
+     /* Buffer overflow check (should never fail) */
+-    if (!buf_safe(&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
++    if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
+     {
+         CRYPT_ERROR("potential buffer overflow");
+     }
+@@ -602,7 +602,7 @@ openvpn_decrypt_v1(struct buffer *buf, struct buffer work,
+             }
  
-         /* Decrypt packet ID, payload */
+             /* Buffer overflow check (should never happen) */
+-            if (!buf_safe(&work, buf->len + 
cipher_ctx_block_size(ctx->cipher)))
++            if (!buf_safe(&work, buf->len + OPENVPN_MAX_BLOCK_LENGTH))
+             {
+                 CRYPT_ERROR("potential buffer overflow");
+             }
 diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
-index 2ed0bef..ae9f24d 100644
+index f8ddbc8..7706b02 100644
 --- a/src/openvpn/crypto_openssl.h
 +++ b/src/openvpn/crypto_openssl.h
 @@ -53,6 +53,9 @@ typedef HMAC_CTX hmac_ctx_t;
  /** Maximum length of an IV */
- #define OPENVPN_MAX_IV_LENGTH         EVP_MAX_IV_LENGTH
+ #define OPENVPN_MAX_IV_LENGTH   EVP_MAX_IV_LENGTH
  
 +/** Maximum length of a cipher block */
 +#define OPENVPN_MAX_BLOCK_LENGTH   EVP_MAX_BLOCK_LENGTH
 +
  /** Cipher is in CBC mode */
- #define OPENVPN_MODE_CBC      EVP_CIPH_CBC_MODE
+ #define OPENVPN_MODE_CBC        EVP_CIPH_CBC_MODE
  
 diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index 089e3c4..e03a3e6 100644
+index 66126ef..b8d4a8c 100644
 --- a/src/openvpn/init.c
 +++ b/src/openvpn/init.c
-@@ -2614,8 +2614,8 @@ init_context_buffers (const struct frame *frame)
-   b->aux_buf = alloc_buf (BUF_SIZE (frame));
+@@ -3052,8 +3052,8 @@ init_context_buffers(const struct frame *frame)
+     b->aux_buf = alloc_buf(BUF_SIZE(frame));
  
  #ifdef ENABLE_CRYPTO
--  b->encrypt_buf = alloc_buf (BUF_SIZE (frame));
--  b->decrypt_buf = alloc_buf (BUF_SIZE (frame));
-+  b->encrypt_buf = alloc_buf (BUF_SIZE (frame) + OPENVPN_MAX_BLOCK_LENGTH);
-+  b->decrypt_buf = alloc_buf (BUF_SIZE (frame) + OPENVPN_MAX_BLOCK_LENGTH);
+-    b->encrypt_buf = alloc_buf(BUF_SIZE(frame));
+-    b->decrypt_buf = alloc_buf(BUF_SIZE(frame));
++    b->encrypt_buf = alloc_buf(BUF_SIZE(frame) + OPENVPN_MAX_BLOCK_LENGTH);
++    b->decrypt_buf = alloc_buf(BUF_SIZE(frame) + OPENVPN_MAX_BLOCK_LENGTH);
  #endif
  
- #ifdef ENABLE_LZO
+ #ifdef USE_COMP
 diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
-index 89989d1..5809daa 100644
+index b0ed327..0ad0385 100644
 --- a/src/openvpn/proxy.c
 +++ b/src/openvpn/proxy.c
-@@ -76,6 +76,9 @@ recv_line (socket_descriptor_t sd,
-   struct buffer la;
-   int lastc = 0;
- 
-+  if (sd >= FD_SETSIZE)
-+        return false;
-+
-   CLEAR (la);
-   if (lookahead)
-     la = *lookahead;
-@@ -283,11 +286,11 @@ get_proxy_authenticate (socket_descriptor_t sd,
-                       struct gc_arena *gc,
-                       volatile int *signal_received)
- {
--  char buf[256];
-+  char buf[256] = {0};
-   int ret = HTTP_AUTH_NONE;
-   while (true)
-     {
--      if (!recv_line (sd, buf, sizeof (buf), timeout, true, NULL, 
signal_received))
-+      if (!recv_line (sd, buf, sizeof (buf) - 1, timeout, true, NULL, 
signal_received))
-       {
-         *data = NULL;
-         return HTTP_AUTH_NONE;
-@@ -498,9 +501,9 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
-                              volatile int *signal_received)
- {
-   struct gc_arena gc = gc_new ();
--  char buf[512];
--  char buf2[129];
--  char get[80];
-+  char buf[512]  = {0};
-+  char buf2[129] = {0};
-+  char get[80]   = {0};
-   int status;
-   int nparms;
-   bool ret = false;
-@@ -586,7 +589,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
-       goto error;
- 
-       /* receive reply from proxy */
--      if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, NULL, 
signal_received))
-+      memset(buf, 0, sizeof(buf));
-+      if (!recv_line (sd, buf, sizeof(buf) - 1 , p->options.timeout, true, 
NULL, signal_received))
-       goto error;
+@@ -74,6 +74,9 @@ recv_line(socket_descriptor_t sd,
+     struct buffer la;
+     int lastc = 0;
  
-       /* remove trailing CR, LF */
-@@ -615,7 +619,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
++      if (sd >= FD_SETSIZE)
++              return false;
++
+     CLEAR(la);
+     if (lookahead)
+     {
+@@ -312,11 +315,11 @@ get_proxy_authenticate(socket_descriptor_t sd,
+                        struct gc_arena *gc,
+                        volatile int *signal_received)
+ {
+-    char buf[256];
++    char buf[256] = {0};
+     int ret = HTTP_AUTH_NONE;
+     while (true)
+     {
+-        if (!recv_line(sd, buf, sizeof(buf), timeout, true, NULL, 
signal_received))
++        if (!recv_line(sd, buf, sizeof(buf) - 1, timeout, true, NULL, 
signal_received))
+         {
+             *data = NULL;
+             return HTTP_AUTH_NONE;
+@@ -631,9 +634,9 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
+                               volatile int *signal_received)
+ {
+     struct gc_arena gc = gc_new();
+-    char buf[512];
+-    char buf2[129];
+-    char get[80];
++    char buf[512]  = {0};
++    char buf2[129] = {0};
++    char get[80]   = {0};
+     int status;
+     int nparms;
+     bool ret = false;
+@@ -723,7 +726,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
+         }
+ 
+         /* receive reply from proxy */
+-        if (!recv_line(sd, buf, sizeof(buf), 
get_server_poll_remaining_time(server_poll_timeout), true, NULL, 
signal_received))
++              memset(buf, 0, sizeof(buf));
++        if (!recv_line(sd, buf, sizeof(buf) - 1, 
get_server_poll_remaining_time(server_poll_timeout), true, NULL, 
signal_received))
+         {
+             goto error;
+         }
+@@ -754,7 +758,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
  
-           while (true)
+             while (true)
+             {
+-                if (!recv_line(sd, buf, sizeof(buf), 
get_server_poll_remaining_time(server_poll_timeout), true, NULL, 
signal_received))
++                              memset(buf, 0, sizeof(buf));
++                if (!recv_line(sd, buf, sizeof(buf) - 1, 
get_server_poll_remaining_time(server_poll_timeout), true, NULL, 
signal_received))
+                 {
+                     goto error;
+                 }
+@@ -834,7 +839,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
+             }
+ 
+             /* receive reply from proxy */
+-            if (!recv_line(sd, buf, sizeof(buf), 
get_server_poll_remaining_time(server_poll_timeout), true, NULL, 
signal_received))
++                      memset(buf, 0, sizeof(buf));
++            if (!recv_line(sd, buf, sizeof(buf) - 1, 
get_server_poll_remaining_time(server_poll_timeout), true, NULL, 
signal_received))
              {
--              if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, 
NULL, signal_received))
-+              memset(buf, 0, sizeof(buf));
-+              if (!recv_line (sd, buf, sizeof(buf) - 1, p->options.timeout, 
true, NULL, signal_received))
                  goto error;
-               chomp (buf);
-               msg (D_PROXY, "HTTP proxy returned: '%s'", buf);
-@@ -685,7 +690,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
-             goto error;
- 
-           /* receive reply from proxy */
--          if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, 
NULL, signal_received))
-+          memset(buf, 0, sizeof(buf));
-+          if (!recv_line (sd, buf, sizeof(buf) - 1, p->options.timeout, true, 
NULL, signal_received))
-             goto error;
- 
-           /* remove trailing CR, LF */
-@@ -795,7 +801,8 @@ establish_http_proxy_passthru (struct http_proxy_info *p,
-               goto error;
- 
-             /* receive reply from proxy */
--            if (!recv_line (sd, buf, sizeof(buf), p->options.timeout, true, 
NULL, signal_received))
-+          memset(buf, 0, sizeof(buf));
-+            if (!recv_line (sd, buf, sizeof(buf) - 1, p->options.timeout, 
true, NULL, signal_received))
-               goto error;
- 
-             /* remove trailing CR, LF */
+             }
+@@ -952,7 +958,8 @@ establish_http_proxy_passthru(struct http_proxy_info *p,
+                 }
+ 
+                 /* receive reply from proxy */
+-                if (!recv_line(sd, buf, sizeof(buf), 
get_server_poll_remaining_time(server_poll_timeout), true, NULL, 
signal_received))
++                              memset(buf, 0, sizeof(buf));
++                if (!recv_line(sd, buf, sizeof(buf) - 1, 
get_server_poll_remaining_time(server_poll_timeout), true, NULL, 
signal_received))
+                 {
+                     goto error;
+                 }
 diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
-index 3474f18..dfd9d6c 100644
+index 7d3dd60..334c47e 100644
 --- a/src/openvpn/socket.c
 +++ b/src/openvpn/socket.c
-@@ -832,6 +832,9 @@ socket_listen_accept (socket_descriptor_t sd,
-   struct openvpn_sockaddr remote_verify = act->dest;
-   int new_sd = SOCKET_UNDEFINED;
- 
-+  if (sd >= FD_SETSIZE)
-+        return -1;
-+
-   CLEAR (*act);
-   socket_do_listen (sd, local, do_listen, true);
- 
-@@ -919,6 +922,9 @@ openvpn_connect (socket_descriptor_t sd,
+@@ -1163,6 +1163,9 @@ socket_listen_accept(socket_descriptor_t sd,
+     /* struct openvpn_sockaddr *remote = &act->dest; */
+     struct openvpn_sockaddr remote_verify = act->dest;
+     socket_descriptor_t new_sd = SOCKET_UNDEFINED;
++      
++      if (sd >= FD_SETSIZE)
++              return -1;
+ 
+     CLEAR(*act);
+     socket_do_listen(sd, local, do_listen, true);
+@@ -1315,6 +1318,9 @@ openvpn_connect(socket_descriptor_t sd,
  {
-   int status = 0;
+     int status = 0;
  
-+  if (sd >= FD_SETSIZE)
-+        return -1;
++      if (sd >= FD_SETSIZE)
++              return -1;
 +
- #ifdef CONNECT_NONBLOCK
-   set_nonblock (sd);
-   status = connect (sd, &remote->addr.sa, 
af_addr_size(remote->addr.sa.sa_family));
+ #ifdef TARGET_ANDROID
+     protect_fd_nonlocal(sd, remote);
+ #endif
 diff --git a/src/openvpn/socks.c b/src/openvpn/socks.c
-index 57dc02a..8954e91 100644
+index b50cac3..79632a8 100644
 --- a/src/openvpn/socks.c
 +++ b/src/openvpn/socks.c
-@@ -97,13 +97,16 @@ socks_username_password_auth (struct socks_proxy_info *p,
-                               socket_descriptor_t sd,
-                               volatile int *signal_received)
+@@ -99,13 +99,16 @@ socks_username_password_auth(struct socks_proxy_info *p,
+                              socket_descriptor_t sd,
+                              volatile int *signal_received)
  {
--  char to_send[516];
--  char buf[2];
-+  char to_send[516] = {0};
-+  char buf[2] = {0};
-   int len = 0;
-   const int timeout_sec = 5;
-   struct user_pass creds;
-   ssize_t size;
- 
-+  if (sd >= FD_SETSIZE)
-+        return false;
-+
-   creds.defined = 0;
-   if (!get_user_pass (&creds, p->authfile, UP_TYPE_SOCKS, 
GET_USER_PASS_MANAGEMENT))
-     {
-@@ -189,7 +192,7 @@ socks_handshake (struct socks_proxy_info *p,
-                  socket_descriptor_t sd,
-                  volatile int *signal_received)
- {
--  char buf[2];
-+  char buf[2] = {0};
-   int len = 0;
-   const int timeout_sec = 5;
-   ssize_t size;
-@@ -198,6 +201,8 @@ socks_handshake (struct socks_proxy_info *p,
-   char method_sel[3] = { 0x05, 0x01, 0x00 };
-   if (p->authfile[0])
-       method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
-+  if  (sd >= FD_SETSIZE)
-+        return false;
- 
-   size = send (sd, method_sel, sizeof (method_sel), MSG_NOSIGNAL);
-   if (size != sizeof (method_sel))
-@@ -302,9 +307,12 @@ recv_socks_reply (socket_descriptor_t sd,
-   char atyp = '\0';
-   int alen = 0;
-   int len = 0;
--  char buf[22];
-+  char buf[22] = {0};
-   const int timeout_sec = 5;
- 
-+  if (sd >= FD_SETSIZE)
-+        return false;
-+
-   if (addr != NULL)
-     {
-       addr->addr.in4.sin_family = AF_INET;
-@@ -381,7 +389,7 @@ recv_socks_reply (socket_descriptor_t sd,
-       }
- 
-       /* store char in buffer */
--      if (len < (int)sizeof(buf))
-+      if (len < (int)sizeof(buf) && len >= 0)
-       buf[len] = c;
-       ++len;
+-    char to_send[516];
+-    char buf[2];
++    char to_send[516] = {0};
++    char buf[2] = {0};
+     int len = 0;
+     const int timeout_sec = 5;
+     struct user_pass creds;
+     ssize_t size;
+ 
++      if (sd >= FD_SETSIZE)
++              return false;
++
+     creds.defined = 0;
+     if (!get_user_pass(&creds, p->authfile, UP_TYPE_SOCKS, 
GET_USER_PASS_MANAGEMENT))
+     {
+@@ -194,7 +197,7 @@ socks_handshake(struct socks_proxy_info *p,
+                 socket_descriptor_t sd,
+                 volatile int *signal_received)
+ {
+-    char buf[2];
++    char buf[2] = {0};
+     int len = 0;
+     const int timeout_sec = 5;
+     ssize_t size;
+@@ -206,6 +209,9 @@ socks_handshake(struct socks_proxy_info *p,
+         method_sel[2] = 0x02; /* METHODS = [2 (plain login)] */
+ 
      }
-@@ -411,7 +419,7 @@ establish_socks_proxy_passthru (struct socks_proxy_info *p,
-                               const int port,         /* openvpn server port 
*/
-                               volatile int *signal_received)
- {
--  char buf[128];
-+  char buf[128] = {0};
-   size_t len;
++      if  (sd >= FD_SETSIZE)
++              return false;
++
+     size = send(sd, method_sel, sizeof(method_sel), MSG_NOSIGNAL);
+     if (size != sizeof(method_sel))
+     {
+@@ -313,9 +319,12 @@ recv_socks_reply(socket_descriptor_t sd,
+     char atyp = '\0';
+     int alen = 0;
+     int len = 0;
+-    char buf[22];
++    char buf[22] = {0};
+     const int timeout_sec = 5;
+ 
++      if (sd >= FD_SETSIZE)
++              return false;
++
+     if (addr != NULL)
+     {
+         addr->addr.in4.sin_family = AF_INET;
+@@ -396,7 +405,7 @@ recv_socks_reply(socket_descriptor_t sd,
+         }
+ 
+         /* store char in buffer */
+-        if (len < (int)sizeof(buf))
++        if (len < (int)sizeof(buf) && len >= 0)
+         {
+             buf[len] = c;
+         }
+@@ -448,7 +457,7 @@ establish_socks_proxy_passthru(struct socks_proxy_info *p,
+                                const char *servname,    /* openvpn server 
port */
+                                volatile int *signal_received)
+ {
+-    char buf[128];
++    char buf[128] = {0};
+     size_t len;
  
-   if (!socks_handshake (p, sd, signal_received))
+     if (!socks_handshake(p, sd, signal_received))
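Review bot: The `if (sd >= FD_SETSIZE)` guards added to recv_line(), socket_listen_accept(), openvpn_connect(), socks_username_password_auth(), socks_handshake() and recv_socks_reply() fail silently, whereas every other error path in the surrounding context reports through msg() or CRYPT_ERROR; a descriptor-exhaustion condition that trips one of them would then surface only as an unexplained proxy or connect failure. Logging once at the guard, e.g. `msg(M_WARN, "socket descriptor %d exceeds FD_SETSIZE", (int)sd);` before the `return`, makes the condition diagnosable from the log. The added guard and `memset(buf, 0, sizeof(buf));` lines are tab-indented in files that the 2.4 context shows reformatted to 4-space indentation, the memset lines sit one level deeper than the `if` they precede, and the line added before the guard in socket_listen_accept() contains only trailing whitespace. Every function touched here starts and ends outside the hunk, so whether 2.4.2 already carries equivalent upstream fixes for some of these buffers cannot be judged from the diff alone.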

++++++ openvpn-2.3.14.tar.xz -> openvpn-2.4.2.tar.xz ++++++
++++ 177282 lines of diff (skipped)

++++++ openvpn-fips140-2.3.2.patch ++++++
--- /var/tmp/diff_new_pack.QHVtIS/_old  2017-06-12 15:30:48.426108672 +0200
+++ /var/tmp/diff_new_pack.QHVtIS/_new  2017-06-12 15:30:48.426108672 +0200
@@ -1,356 +1,96 @@
-Index: openvpn-2.3.14/src/openvpn/crypto_backend.h
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/crypto_backend.h
-+++ openvpn-2.3.14/src/openvpn/crypto_backend.h
-@@ -480,10 +480,11 @@ void md_ctx_final (md_ctx_t *ctx, uint8_
-  * @param key         The key to use for the HMAC
-  * @param key_len     The key length to use
-  * @param kt          Static message digest parameters
-+ * @param prf_use     Intended use for PRF in TLS protocol
+diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
+index 4b54279..09659aa 100644
+--- a/src/openvpn/crypto.c
++++ b/src/openvpn/crypto.c
+@@ -877,7 +877,7 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
+     if (kt->digest && kt->hmac_length > 0)
+     {
+         ALLOC_OBJ(ctx->hmac, hmac_ctx_t);
+-        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
++        hmac_ctx_init(ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
+ 
+         msg(D_HANDSHAKE,
+             "%s: Using %d bit message hash '%s' for HMAC authentication",
+diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
+index 2c79baa..81848c9 100644
+--- a/src/openvpn/crypto_backend.h
++++ b/src/openvpn/crypto_backend.h
+@@ -557,10 +557,11 @@ void md_ctx_final(md_ctx_t *ctx, uint8_t *dst);
+  * @param key           The key to use for the HMAC
+  * @param key_len       The key length to use
+  * @param kt            Static message digest parameters
++ * @param prf_use             Intended use for PRF in TLS protocol
   *
   */
- void hmac_ctx_init (hmac_ctx_t *ctx, const uint8_t *key, int key_length,
--    const md_kt_t *kt);
-+    const md_kt_t *kt, bool prf_use);
+ void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length,
+-                   const md_kt_t *kt);
++                   const md_kt_t *kt, bool prf_use);
  
  /*
   * Free the given HMAC context.
-Index: openvpn-2.3.14/src/openvpn/crypto.c
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/crypto.c
-+++ openvpn-2.3.14/src/openvpn/crypto.c
-@@ -505,7 +505,7 @@ init_key_ctx (struct key_ctx *ctx, struc
-   if (kt->digest && kt->hmac_length > 0)
-     {
-       ALLOC_OBJ(ctx->hmac, hmac_ctx_t);
--      hmac_ctx_init (ctx->hmac, key->hmac, kt->hmac_length, kt->digest);
-+      hmac_ctx_init (ctx->hmac, key->hmac, kt->hmac_length, kt->digest, 0);
- 
-       msg (D_HANDSHAKE,
-       "%s: Using %d bit message hash '%s' for HMAC authentication",
-@@ -1421,61 +1421,61 @@ free_ssl_lib (void)
- #endif /* ENABLE_SSL */
- 
- /*
-- * md5 functions
-+ * sha1 functions
-  */
- 
- const char *
--md5sum (uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc)
-+sha1sum (uint8_t *buf, int len, int n_print_chars, struct gc_arena *gc)
- {
--  uint8_t digest[MD5_DIGEST_LENGTH];
--  const md_kt_t *md5_kt = md_kt_get("MD5");
-+  uint8_t digest[SHA_DIGEST_LENGTH];
-+  const md_kt_t *sha1_kt = md_kt_get("SHA1");
- 
--  md_full(md5_kt, buf, len, digest);
-+  md_full(sha1_kt, buf, len, digest);
- 
--  return format_hex (digest, MD5_DIGEST_LENGTH, n_print_chars, gc);
-+  return format_hex (digest, SHA_DIGEST_LENGTH, n_print_chars, gc);
- }
- 
- void
--md5_state_init (struct md5_state *s)
-+sha1_state_init (struct sha1_state *s)
- {
--  const md_kt_t *md5_kt = md_kt_get("MD5");
-+  const md_kt_t *sha1_kt = md_kt_get("SHA1");
- 
--  md_ctx_init(&s->ctx, md5_kt);
-+  md_ctx_init(&s->ctx, sha1_kt);
- }
- 
- void
--md5_state_update (struct md5_state *s, void *data, size_t len)
-+sha1_state_update (struct sha1_state *s, void *data, size_t len)
- {
-   md_ctx_update(&s->ctx, data, len);
- }
- 
- void
--md5_state_final (struct md5_state *s, struct md5_digest *out)
-+sha1_state_final (struct sha1_state *s, struct sha1_digest *out)
- {
-   md_ctx_final(&s->ctx, out->digest);
-   md_ctx_cleanup(&s->ctx);
- }
- 
- void
--md5_digest_clear (struct md5_digest *digest)
-+sha1_digest_clear (struct sha1_digest *digest)
- {
-   CLEAR (*digest);
- }
- 
- bool
--md5_digest_defined (const struct md5_digest *digest)
-+sha1_digest_defined (const struct sha1_digest *digest)
- {
-   int i;
--  for (i = 0; i < MD5_DIGEST_LENGTH; ++i)
-+  for (i = 0; i < SHA_DIGEST_LENGTH; ++i)
-     if (digest->digest[i])
-       return true;
-   return false;
- }
- 
- bool
--md5_digest_equal (const struct md5_digest *d1, const struct md5_digest *d2)
-+sha1_digest_equal (const struct sha1_digest *d1, const struct sha1_digest *d2)
- {
--  return memcmp(d1->digest, d2->digest, MD5_DIGEST_LENGTH) == 0;
-+  return memcmp(d1->digest, d2->digest, SHA_DIGEST_LENGTH) == 0;
- }
- 
- #endif /* ENABLE_CRYPTO */
-Index: openvpn-2.3.14/src/openvpn/crypto.h
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/crypto.h
-+++ openvpn-2.3.14/src/openvpn/crypto.h
-@@ -430,24 +430,24 @@ void free_ssl_lib (void);
- #endif /* ENABLE_SSL */
- 
- /*
-- * md5 functions
-+ * sha1 functions
-  */
- 
--struct md5_state {
-+struct sha1_state {
-   md_ctx_t ctx;
- };
- 
--struct md5_digest {
--  uint8_t digest [MD5_DIGEST_LENGTH];
-+struct sha1_digest {
-+  uint8_t digest [SHA_DIGEST_LENGTH];
- };
- 
--const char *md5sum(uint8_t *buf, int len, int n_print_chars, struct gc_arena 
*gc);
--void md5_state_init (struct md5_state *s);
--void md5_state_update (struct md5_state *s, void *data, size_t len);
--void md5_state_final (struct md5_state *s, struct md5_digest *out);
--void md5_digest_clear (struct md5_digest *digest);
--bool md5_digest_defined (const struct md5_digest *digest);
--bool md5_digest_equal (const struct md5_digest *d1, const struct md5_digest 
*d2);
-+const char *sha1sum(uint8_t *buf, int len, int n_print_chars, struct gc_arena 
*gc);
-+void sha1_state_init (struct sha1_state *s);
-+void sha1_state_update (struct sha1_state *s, void *data, size_t len);
-+void sha1_state_final (struct sha1_state *s, struct sha1_digest *out);
-+void sha1_digest_clear (struct sha1_digest *digest);
-+bool sha1_digest_defined (const struct sha1_digest *digest);
-+bool sha1_digest_equal (const struct sha1_digest *d1, const struct 
sha1_digest *d2);
- 
- /*
-  * Inline functions
-Index: openvpn-2.3.14/src/openvpn/crypto_openssl.c
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/crypto_openssl.c
-+++ openvpn-2.3.14/src/openvpn/crypto_openssl.c
-@@ -829,13 +829,17 @@ md_ctx_final (EVP_MD_CTX *ctx, uint8_t *
- 
- void
- hmac_ctx_init (HMAC_CTX *ctx, const uint8_t *key, int key_len,
--    const EVP_MD *kt)
-+    const EVP_MD *kt, bool prf_use)
- {
-   ASSERT(NULL != kt && NULL != ctx);
- 
-   CLEAR(*ctx);
- 
-   HMAC_CTX_init (ctx);
-+  /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is not
-+   * to be used anywhere else */
-+  if(kt == EVP_md5() && prf_use)
-+    HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-   HMAC_Init_ex (ctx, key, key_len, kt, NULL);
- 
-   /* make sure we used a big enough key */
-Index: openvpn-2.3.14/src/openvpn/crypto_openssl.h
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/crypto_openssl.h
-+++ openvpn-2.3.14/src/openvpn/crypto_openssl.h
-@@ -33,6 +33,7 @@
- #include <openssl/evp.h>
- #include <openssl/hmac.h>
- #include <openssl/md5.h>
-+#include <openssl/sha.h>
- 
- /** Generic cipher key type %context. */
- typedef EVP_CIPHER cipher_kt_t;
-Index: openvpn-2.3.14/src/openvpn/crypto_polarssl.c
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/crypto_polarssl.c
-+++ openvpn-2.3.14/src/openvpn/crypto_polarssl.c
-@@ -695,7 +695,7 @@ md_ctx_final (md_context_t *ctx, uint8_t
-  * TODO: re-enable dmsg for crypto debug
-  */
- void
--hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const 
md_info_t *kt)
-+hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const 
md_info_t *kt, bool prf_use)
- {
-   ASSERT(NULL != kt && NULL != ctx);
- 
-Index: openvpn-2.3.14/src/openvpn/init.c
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/init.c
-+++ openvpn-2.3.14/src/openvpn/init.c
-@@ -1360,12 +1360,12 @@ do_route (const struct options *options,
-  */
- #if P2MP
- static void
--save_pulled_options_digest (struct context *c, const struct md5_digest 
*newdigest)
-+save_pulled_options_digest (struct context *c, const struct sha1_digest 
*newdigest)
- {
-   if (newdigest)
-     c->c1.pulled_options_digest_save = *newdigest;
-   else
--    md5_digest_clear (&c->c1.pulled_options_digest_save);
-+    sha1_digest_clear (&c->c1.pulled_options_digest_save);
- }
- #endif
- 
-@@ -1713,8 +1713,8 @@ do_up (struct context *c, bool pulled_op
-         if (!c->c2.did_open_tun
-             && PULL_DEFINED (&c->options)
-             && c->c1.tuntap
--            && (!md5_digest_defined (&c->c1.pulled_options_digest_save) || 
!md5_digest_defined (&c->c2.pulled_options_digest)
--                || !md5_digest_equal (&c->c1.pulled_options_digest_save, 
&c->c2.pulled_options_digest)))
-+            && (!sha1_digest_defined (&c->c1.pulled_options_digest_save) || 
!sha1_digest_defined (&c->c2.pulled_options_digest)
-+                || !sha1_digest_equal (&c->c1.pulled_options_digest_save, 
&c->c2.pulled_options_digest)))
-           {
-             /* if so, close tun, delete routes, then reinitialize tun and add 
routes */
-             msg (M_INFO, "NOTE: Pulled options changed on restart, will need 
to close and reopen TUN/TAP device.");
-@@ -2792,11 +2792,11 @@ do_compute_occ_strings (struct context *
- #ifdef ENABLE_CRYPTO
-   msg (D_SHOW_OCC_HASH, "Local Options hash (VER=%s): '%s'",
-        options_string_version (c->c2.options_string_local, &gc),
--       md5sum ((uint8_t*)c->c2.options_string_local,
-+       sha1sum ((uint8_t*)c->c2.options_string_local,
-              strlen (c->c2.options_string_local), 9, &gc));
-   msg (D_SHOW_OCC_HASH, "Expected Remote Options hash (VER=%s): '%s'",
-        options_string_version (c->c2.options_string_remote, &gc),
--       md5sum ((uint8_t*)c->c2.options_string_remote,
-+       sha1sum ((uint8_t*)c->c2.options_string_remote,
-              strlen (c->c2.options_string_remote), 9, &gc));
- #endif
- 
-Index: openvpn-2.3.14/src/openvpn/ntlm.c
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/ntlm.c
-+++ openvpn-2.3.14/src/openvpn/ntlm.c
-@@ -90,7 +90,7 @@ gen_hmac_md5 (const char* data, int data
-       hmac_ctx_t hmac_ctx;
-       CLEAR(hmac_ctx);
- 
--      hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt);
-+      hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt, 0);
-       hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len);
-       hmac_ctx_final(&hmac_ctx, (unsigned char *)result);
-       hmac_ctx_cleanup(&hmac_ctx);
-Index: openvpn-2.3.14/src/openvpn/openvpn.h
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/openvpn.h
-+++ openvpn-2.3.14/src/openvpn/openvpn.h
-@@ -205,7 +205,7 @@ struct context_1
- #endif
- 
-   /* if client mode, hash of option strings we pulled from server */
--  struct md5_digest pulled_options_digest_save;
-+  struct sha1_digest pulled_options_digest_save;
-                                 /**< Hash of option strings received from the
-                                  *   remote OpenVPN server.  Only used in
-                                  *   client-mode. */
-@@ -473,9 +473,9 @@ struct context_2
-   bool did_pre_pull_restore;
- 
-   /* hash of pulled options, so we can compare when options change */
--  bool pulled_options_md5_init_done;
--  struct md5_state pulled_options_state;
--  struct md5_digest pulled_options_digest;
-+  bool pulled_options_sha1_init_done;
-+  struct sha1_state pulled_options_state;
-+  struct sha1_digest pulled_options_digest;
- 
-   struct event_timeout server_poll_interval;
- 
-Index: openvpn-2.3.14/src/openvpn/options.c
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/options.c
-+++ openvpn-2.3.14/src/openvpn/options.c
-@@ -835,6 +835,10 @@ init_options (struct options *o, const b
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 881a2d1..deb41c7 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -891,13 +891,17 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst)
+ 
+ void
+ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
+-              const EVP_MD *kt)
++              const EVP_MD *kt, bool prf_use)
+ {
+     ASSERT(NULL != kt && NULL != ctx);
+ 
+     CLEAR(*ctx);
+ 
+     HMAC_CTX_init(ctx);
++      /* FIPS 140-2 explicitly allows MD5 for the use in PRF although it is 
not
++       * to be used anywhere else */
++      if(kt == EVP_md5() && prf_use)
++              HMAC_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+     HMAC_Init_ex(ctx, key, key_len, kt, NULL);
+ 
+     /* make sure we used a big enough key */
+diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
+index 0c43681..c3d5613 100644
+--- a/src/openvpn/ntlm.c
++++ b/src/openvpn/ntlm.c
+@@ -89,7 +89,7 @@ gen_hmac_md5(const char *data, int data_len, const char 
*key, int key_len,char *
+     hmac_ctx_t hmac_ctx;
+     CLEAR(hmac_ctx);
+ 
+-    hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt);
++    hmac_ctx_init(&hmac_ctx, key, key_len, md5_kt, 0);
+     hmac_ctx_update(&hmac_ctx, (const unsigned char *)data, data_len);
+     hmac_ctx_final(&hmac_ctx, (unsigned char *)result);
+     hmac_ctx_cleanup(&hmac_ctx);
+diff --git a/src/openvpn/options.c b/src/openvpn/options.c
+index 9fef394..6b52dec 100644
+--- a/src/openvpn/options.c
++++ b/src/openvpn/options.c
+@@ -850,6 +850,10 @@ init_options(struct options *o, const bool init_gc)
  #endif
  #ifdef ENABLE_CRYPTO
-   o->ciphername = "BF-CBC";
+     o->ciphername = "BF-CBC";
 +#ifdef OPENSSL_FIPS
-+  if(FIPS_mode())
-+    o->ciphername = "AES-256-CBC";
++      if(FIPS_mode())
++              o->ciphername = "AES-256-CBC";
 +#endif
-   o->ciphername_defined = true;
-   o->authname = "SHA1";
-   o->authname_defined = true;
-Index: openvpn-2.3.14/src/openvpn/push.c
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/push.c
-+++ openvpn-2.3.14/src/openvpn/push.c
-@@ -408,7 +408,7 @@ push_reset (struct options *o)
- #endif
- 
- static void
--push_update_digest(struct md5_state *ctx, struct buffer *buf)
-+push_update_digest(struct sha1_state *ctx, struct buffer *buf)
- {
-   char line[OPTION_PARM_SIZE];
-   while (buf_parse (buf, ',', line, sizeof (line)))
-@@ -416,7 +416,7 @@ push_update_digest(struct md5_state *ctx
-       /* peer-id might change on restart and this should not trigger 
reopening tun */
-       if (strstr (line, "peer-id ") != line)
-       {
--        md5_state_update (ctx, line, strlen(line));
-+        sha1_state_update (ctx, line, strlen(line));
-       }
-     }
- }
-@@ -472,10 +472,10 @@ process_incoming_push_msg (struct contex
-       if (ch == ',')
-       {
-         struct buffer buf_orig = buf;
--        if (!c->c2.pulled_options_md5_init_done)
-+        if (!c->c2.pulled_options_sha1_init_done)
-           {
--            md5_state_init (&c->c2.pulled_options_state);
--            c->c2.pulled_options_md5_init_done = true;
-+            sha1_state_init (&c->c2.pulled_options_state);
-+            c->c2.pulled_options_sha1_init_done = true;
-           }
-         if (!c->c2.did_pre_pull_restore)
-           {
-@@ -493,8 +493,8 @@ process_incoming_push_msg (struct contex
-               {
-                 case 0:
-                 case 1:
--                  md5_state_final (&c->c2.pulled_options_state, 
&c->c2.pulled_options_digest);
--                  c->c2.pulled_options_md5_init_done = false;
-+                  sha1_state_final (&c->c2.pulled_options_state, 
&c->c2.pulled_options_digest);
-+                  c->c2.pulled_options_sha1_init_done = false;
-                   ret = PUSH_MSG_REPLY;
-                   break;
-                 case 2:
-Index: openvpn-2.3.14/src/openvpn/ssl.c
-===================================================================
---- openvpn-2.3.14.orig/src/openvpn/ssl.c
-+++ openvpn-2.3.14/src/openvpn/ssl.c
-@@ -1396,8 +1396,8 @@ tls1_P_hash(const md_kt_t *md_kt,
-   chunk = md_kt_size(md_kt);
-   A1_len = md_kt_size(md_kt);
- 
--  hmac_ctx_init(&ctx, sec, sec_len, md_kt);
--  hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt);
-+  hmac_ctx_init(&ctx, sec, sec_len, md_kt, 1);
-+  hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt, 1);
+ #ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
+     o->ncp_enabled = true;
+ #else
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index 51c7b95..2f89df7 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -1626,8 +1626,8 @@ tls1_P_hash(const md_kt_t *md_kt,
+     chunk = md_kt_size(md_kt);
+     A1_len = md_kt_size(md_kt);
+ 
+-    hmac_ctx_init(&ctx, sec, sec_len, md_kt);
+-    hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt);
++    hmac_ctx_init(&ctx, sec, sec_len, md_kt, 1);
++    hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt, 1);
  
-   hmac_ctx_update(&ctx,seed,seed_len);
-   hmac_ctx_final(&ctx, A1);
+     hmac_ctx_update(&ctx,seed,seed_len);
+     hmac_ctx_final(&ctx, A1);
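Review bot: The rebased patch still widens the `hmac_ctx_init` prototype in crypto_backend.h with `bool prf_use` but now updates only the OpenSSL definition; the previous version also patched the PolarSSL backend's definition, and no hunk for the mbed TLS backend survives, so a build against mbed TLS would presumably fail on a declaration/definition mismatch — harmless only if the package links OpenSSL exclusively. The added lines in crypto_openssl.c (the FIPS comment and `HMAC_CTX_set_flags` call) and in options.c (the `FIPS_mode()` override) are tab-indented while the surrounding 2.4 code is four-space indented; reindent them to match. The new parameter's doc line would serve maintainers better as `@param prf_use  Set only by the TLS PRF (tls1_P_hash); in the OpenSSL backend this alone permits MD5 under FIPS mode`, making explicit that the non-FIPS carve-out must not spread to other callers. Since the parameter is `bool`, the call sites would read cleaner passing `false`/`true` instead of `0`/`1`.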

++++++ openvpn.keyring ++++++
--- /var/tmp/diff_new_pack.QHVtIS/_old  2017-06-12 15:30:48.490099647 +0200
+++ /var/tmp/diff_new_pack.QHVtIS/_new  2017-06-12 15:30:48.490099647 +0200
@@ -1,30 +1,41 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (GNU/Linux)
+Version: GnuPG v1
 
-mQGiBEsHuu4RBACnPwEKcLYmlwe8v2e8xizlO1fCeqOA7zj6tU/T/1+YTJhrVbgW
-PiRYSNKAmAq0uLFLQ14KpIDsrtdi5ySeUTf64kJtDrBa2si6h0HUyNHf9EX6rUVC
-g/CTpsfYEkqlfMoBH7w7L5O2yidwWA+F4RGWhruzP7i1z+bBsIguSxiBzwCg5qPh
-pgkFGeWArp/OUBHkaqmPZ00D/08dmkrez9d7C/PoR/cFq0nQBqL3zmsRxv66I6fM
-TUqwaRpweWHh9P6XR+pTJjBglVSvk9kLv+PYCvk7yxbT3M6OA/GrSEp/53itlzOU
-MPkv/OF6BmbRbYJK5HAsZgHGbuZxUHUqm4qJ+t4+WZaz9i8WtYbOM6T9aNWQrVUW
-dUMqA/4tZlHJzCrd1NbfEetQVeso9rzzWWWmDAusbvkowfrFHXJGUjfL0hBmxj/9
-JmZtwU+i8G+MKQS0w9rCVLEMLoHLLxPH+Jiknz3Y2xE6CbiSvL+8cvOolgADz/06
-MniHKOZb4tPFPw7ObESeAGp4T9FgT53fJ14AMjGLyHv6EXbfvbQsU2FtdWxpIFNl
-cHDDpG5lbiA8c2FtdWxpLnNlcHBhbmVuQGdtYWlsLmNvbT6IYAQTEQIAIAUCSwe6
-7gIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEMKdl+0ZjSKjsfsAoK6khXtq
-w2xDtNBv/UhRhuVH0NQOAKCDWiB2zYNvHWLYnuIpAlE1sAnGPrkCDQRLB7ruEAgA
-jwSEfTWLJsIW5qlKNEhySIjmRmcVgqB/NTaZ+Nd/r++stYSan1qb7qlQ3B3w48p1
-gB0SPfwKRmMkiYsHNcbRr5KIHWTnYrMI/5OAjPIiz/2j294wRnObzrbJK3T+qJSL
-A2mEXXPPK7i0hUwH12ZJej/h98lPQA+NiDgDOaq4asyq4pcHrR2T2NyiiR2+Xi/L
-2Lz1zKj4iQ3f5g0ktmAEdGcDtV7tI0xZeXWEtesRXeXmqPmjLskJozUoZP1GXXAz
-80PySK2HsEQ/846q1Ybl5KYwbSH+l8jLIyqMDTQnCYG+Ft1moCk3HLyc4c1ALVov
-1Rvom8u3dM5tUtpuZMwcJwADBQf+MCohqLqGJmEdiTEnmggsiKSoZTIBJhcujRaL
-pxPpBlXz6P2bvlprUedBs+zxEEI+Q/CqIlyYaN+Kca1FK4YG9iQoHmb9IIVHf4C/
-lyWSx1xK+BnIk7SEfMjpGAjofNzNc34NmebnosHfP/g3ruLo6EgtjQ68iUty9PgX
-Q1bZQ/SeXk16b8Nn0xQa9S+hg5LAxA+DuSvXbMqU5q2p8JlPgGEFVKzaVcxPhppB
-Kcv/2CxjsqXj/6sW3nFSw+8Jd4SWL1+cPZ1v1WHG3SUMFoLAjSmVj3X8roG5EiLi
-QxSGOUz8uVtvumfKyd25MYmgHMELL7fxhrZcw2OVdo977lt2fIhJBBgRAgAJBQJL
-B7ruAhsMAAoJEMKdl+0ZjSKjgrAAoLeln17YxSQA7RUHwTbquOA92odMAKDiq7c8
-p2hUs3rZaXY1aMmExyB0gQ==
-=l5lk
------END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file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+=FKLE
+-----END PGP PUBLIC KEY BLOCK-----
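Review bot: The hunk replaces the entire armored public key — old block removed, new block added under a different GnuPG version header — rather than adding a key to the existing ring, yet the changes entry says nothing about a new upstream signing key and no fingerprint for the new key is recorded anywhere on the page. If this keyring is what verifies openvpn-2.4.2.tar.xz.asc, this is the one change in the submission that silently moves the trust root, and it should be called out, e.g. `- openvpn.keyring: replace upstream signing key (fingerprint <FINGERPRINT>)`, with the fingerprint checked against the project's published key before acceptance. Most of the added key material is not visible in this view.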

