[arch-commits] Commit in openvpn/trunk (0004-openssl-1-1-0.patch PKGBUILD)

[Christian Hesse]

Date: Wednesday, June 21, 2017 @ 10:40:07
  Author: eworm
Revision: 299112

upgpkg: openvpn 2.4.3-1

new upstream release with security fixes

Modified:
  openvpn/trunk/PKGBUILD
Deleted:
  openvpn/trunk/0004-openssl-1-1-0.patch

--+
 0004-openssl-1-1-0.patch | 1614 -
 PKGBUILD |   18 
 2 files changed, 7 insertions(+), 1625 deletions(-)

Deleted: 0004-openssl-1-1-0.patch
===
--- 0004-openssl-1-1-0.patch2017-06-21 10:23:04 UTC (rev 299111)
+++ 0004-openssl-1-1-0.patch2017-06-21 10:40:07 UTC (rev 299112)
@@ -1,1614 +0,0 @@
-From 17d1ab90c228b1efbe774357bd3265b2af006899 Mon Sep 17 00:00:00 2001
-From: Emmanuel Deloget 
-Date: Mon, 12 Jun 2017 15:43:23 +0200
-Subject: [PATCH 1/8] OpenSSL: don't use direct access to the internal of
- X509
-
-OpenSSL 1.1 does not allow us to directly access the internal of
-any data type, including X509. We have to use the defined
-functions to do so.
-
-In x509_verify_ns_cert_type() in particular, this means that we
-cannot directly check for the extended flags to find whether the
-certificate should be used as a client or as a server certificate.
-We need to leverage the X509_check_purpose() API yet this API is
-far stricter than the currently implemented check. So far, I have
-not been able to find a situation where this stricter test fails
-(although I must admit that I haven't tested that very well).
-
-We double-check the certificate purpose using "direct access" to the
-internal of the certificate object (of course, this is not a real
-direct access, but we still fetch ASN1 strings within the X509 object
-and we check the internal value of these strings). This allow us to
-warn the user if there is a discrepancy between the X509_check_purpose()
-return value and our internal, less strict check.
-
-We use these changes to make peer_cert a non-const parameter to
-x509_verify_ns_cert_type(). The underlying library waits for a
-non-const pointer, and forcing it to be a const pointer does not make
-much sense (please note that this has an effect on the mbedtls part
-too).
-
-Compatibility with OpenSSL 1.0 is kept by defining the corresponding
-functions when they are not found in the library.
-
-Signed-off-by: Emmanuel Deloget 
-Acked-by: Steffan Karger 
-Message-Id: <20170612134330.20971-2-log...@free.fr>
-URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14792.html
-Signed-off-by: Gert Doering 

- configure.ac |  1 +
- src/openvpn/openssl_compat.h | 15 +
- src/openvpn/ssl_openssl.c|  3 +-
- src/openvpn/ssl_verify_backend.h |  2 +-
- src/openvpn/ssl_verify_mbedtls.c |  2 +-
- src/openvpn/ssl_verify_openssl.c | 68 ++--
- 6 files changed, 78 insertions(+), 13 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 334247df..c30bf3d5 100644
 a/configure.ac
-+++ b/configure.ac
-@@ -921,6 +921,7 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
-   [ \
-   SSL_CTX_get_default_passwd_cb \
-   SSL_CTX_get_default_passwd_cb_userdata \
-+  X509_get0_pubkey \
-   X509_STORE_get0_objects \
-   X509_OBJECT_free \
-   X509_OBJECT_get_type \
-diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
-index 811d559c..612bfa56 100644
 a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -73,6 +73,21 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
- }
- #endif
- 
-+#if !defined(HAVE_X509_GET0_PUBKEY)
-+/**
-+ * Get the public key from a X509 certificate
-+ *
-+ * @param x  X509 certificate
-+ * @return   The certificate public key
-+ */
-+static inline EVP_PKEY *
-+X509_get0_pubkey(const X509 *x)
-+{
-+return (x && x->cert_info && x->cert_info->key) ?
-+   x->cert_info->key->pkey : NULL;
-+}
-+#endif
-+
- #if !defined(HAVE_X509_STORE_GET0_OBJECTS)
- /**
-  * Fetch the X509 object stack from the X509 store
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 1fa46e18..89c3b014 100644
 a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -1070,7 +1070,8 @@ tls_ctx_use_external_private_key(struct tls_root_ctx 
*ctx,
- }
- 
- /* get the public key */
--ASSERT(cert->cert_info->key->pkey); /* NULL before 
SSL_CTX_use_certificate() is called */
-+EVP_PKEY *pkey = X509_get0_pubkey(cert);
-+ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
- pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
- 
- /* initialize RSA object */
-diff --git a/src/openvpn/ssl_verify_backend.h 
b/src/openvpn/ssl_verify_backend.h
-index 

[arch-commits] Commit in openvpn/trunk (0004-openssl-1-1-0.patch PKGBUILD)

[Christian Hesse]

Date: Sunday, June 18, 2017 @ 19:30:50
  Author: eworm
Revision: 298959

upgpkg: openvpn 2.4.2-2

use final upstream openssl 1.1.0 patches

Modified:
  openvpn/trunk/0004-openssl-1-1-0.patch
  openvpn/trunk/PKGBUILD

--+
 0004-openssl-1-1-0.patch |  532 -
 PKGBUILD |4 
 2 files changed, 339 insertions(+), 197 deletions(-)

Modified: 0004-openssl-1-1-0.patch
===
--- 0004-openssl-1-1-0.patch2017-06-18 12:24:26 UTC (rev 298958)
+++ 0004-openssl-1-1-0.patch2017-06-18 19:30:50 UTC (rev 298959)
@@ -1,6 +1,6 @@
-From 166ab46e4ff9e44f31ce9713995516538da105ec Mon Sep 17 00:00:00 2001
+From 17d1ab90c228b1efbe774357bd3265b2af006899 Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget 
-Date: Fri, 17 Feb 2017 14:39:07 +0100
+Date: Mon, 12 Jun 2017 15:43:23 +0200
 Subject: [PATCH 1/8] OpenSSL: don't use direct access to the internal of
  X509
 
@@ -16,23 +16,41 @@
 not been able to find a situation where this stricter test fails
 (although I must admit that I haven't tested that very well).
 
+We double-check the certificate purpose using "direct access" to the
+internal of the certificate object (of course, this is not a real
+direct access, but we still fetch ASN1 strings within the X509 object
+and we check the internal value of these strings). This allow us to
+warn the user if there is a discrepancy between the X509_check_purpose()
+return value and our internal, less strict check.
+
+We use these changes to make peer_cert a non-const parameter to
+x509_verify_ns_cert_type(). The underlying library waits for a
+non-const pointer, and forcing it to be a const pointer does not make
+much sense (please note that this has an effect on the mbedtls part
+too).
+
 Compatibility with OpenSSL 1.0 is kept by defining the corresponding
 functions when they are not found in the library.
 
 Signed-off-by: Emmanuel Deloget 
-Signed-off-by: Christian Hesse 
+Acked-by: Steffan Karger 
+Message-Id: <20170612134330.20971-2-log...@free.fr>
+URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14792.html
+Signed-off-by: Gert Doering 
 ---
  configure.ac |  1 +
- src/openvpn/openssl_compat.h | 15 +++
- src/openvpn/ssl_openssl.c|  3 ++-
- src/openvpn/ssl_verify_openssl.c | 28 +++-
- 4 files changed, 37 insertions(+), 10 deletions(-)
+ src/openvpn/openssl_compat.h | 15 +
+ src/openvpn/ssl_openssl.c|  3 +-
+ src/openvpn/ssl_verify_backend.h |  2 +-
+ src/openvpn/ssl_verify_mbedtls.c |  2 +-
+ src/openvpn/ssl_verify_openssl.c | 68 ++--
+ 6 files changed, 78 insertions(+), 13 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 2406ad8..d2c40ff 100644
+index 334247df..c30bf3d5 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -902,6 +902,7 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
+@@ -921,6 +921,7 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
[ \
SSL_CTX_get_default_passwd_cb \
SSL_CTX_get_default_passwd_cb_userdata \
@@ -41,10 +59,10 @@
X509_OBJECT_free \
X509_OBJECT_get_type \
 diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
-index e98e8df..fe245ed 100644
+index 811d559c..612bfa56 100644
 --- a/src/openvpn/openssl_compat.h
 +++ b/src/openvpn/openssl_compat.h
-@@ -74,6 +74,21 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
+@@ -73,6 +73,21 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
  }
  #endif
  
@@ -67,10 +85,10 @@
  /**
   * Fetch the X509 object stack from the X509 store
 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index f011e06..b683961 100644
+index 1fa46e18..89c3b014 100644
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
-@@ -1073,7 +1073,8 @@ tls_ctx_use_external_private_key(struct tls_root_ctx 
*ctx,
+@@ -1070,7 +1070,8 @@ tls_ctx_use_external_private_key(struct tls_root_ctx 
*ctx,
  }
  
  /* get the public key */
@@ -80,11 +98,37 @@
  pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
  
  /* initialize RSA object */
+diff --git a/src/openvpn/ssl_verify_backend.h 
b/src/openvpn/ssl_verify_backend.h
+index 35660532..978e54fd 100644
+--- a/src/openvpn/ssl_verify_backend.h
 b/src/openvpn/ssl_verify_backend.h
+@@ -210,7 +210,7 @@ void x509_setenv_track(const struct x509_track *xt, struct 
env_set *es,
+  *  the expected bit set. \c FAILURE if the certificate 
does
+  *  not have NS cert type verification or the wrong bit 
set.
+  */
+-result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int 

[arch-commits] Commit in openvpn/trunk (0004-openssl-1-1-0.patch PKGBUILD)

[Christian Hesse]

Date: Monday, March 6, 2017 @ 13:00:45
  Author: eworm
Revision: 290046

more upstream patches

Modified:
  openvpn/trunk/0004-openssl-1-1-0.patch
  openvpn/trunk/PKGBUILD

--+
 0004-openssl-1-1-0.patch |   36 
 PKGBUILD |2 +-
 2 files changed, 25 insertions(+), 13 deletions(-)

Modified: 0004-openssl-1-1-0.patch
===
--- 0004-openssl-1-1-0.patch2017-03-06 11:52:39 UTC (rev 290045)
+++ 0004-openssl-1-1-0.patch2017-03-06 13:00:45 UTC (rev 290046)
@@ -772,9 +772,9 @@
)
  
CFLAGS="${saved_CFLAGS}"
-From 79d89580db6fd92c059dabc4f5f4d83b72bb9d3d Mon Sep 17 00:00:00 2001
+From 09776c5b52df13121504e07894a26d5cd1883317 Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget 
-Date: Fri, 17 Feb 2017 12:56:23 +0100
+Date: Thu, 23 Feb 2017 15:35:56 +0100
 Subject: [PATCH 10/20] OpenSSL: don't use direct access to the internal of
  RSA_METHOD
 
@@ -786,6 +786,10 @@
 functions when they are not found in the library.
 
 Signed-off-by: Emmanuel Deloget 
+Acked-by: Steffan Karger 
+Message-Id: 
<79d89580db6fd92c059dabc4f5f4d83b72bb9d3d.1487859361.git.log...@free.fr>
+URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14175.html
+Signed-off-by: Gert Doering 
 Signed-off-by: Christian Hesse 
 ---
  configure.ac |   9 ++
@@ -2494,9 +2498,9 @@
  secure_memzero(A1, sizeof(A1));
  
  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, 
olen_orig, 0, ));
-From 7f94ece5cb4b3f0ab53e026662dc22937e10743a Mon Sep 17 00:00:00 2001
+From c828ffc648eebda20e2f9087248944fa0f52a582 Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget 
-Date: Fri, 17 Feb 2017 14:18:33 +0100
+Date: Fri, 17 Feb 2017 23:00:52 +0100
 Subject: [PATCH 18/20] OpenSSL: SSLeay symbols are no longer available in
  OpenSSL 1.1
 
@@ -2504,6 +2508,10 @@
 equivalent symbols (OSSL). Use them instead of the old ones
 
 Signed-off-by: Emmanuel Deloget 
+Acked-by: Steffan Karger 
+Message-Id: 
<9ce17efda7b1ed100e73554b1916c0bfa687d9d1.1487368114.git.log...@free.fr>
+URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14089.html
+Signed-off-by: Gert Doering 
 Signed-off-by: Christian Hesse 
 ---
  src/openvpn/openssl_compat.h | 5 +
@@ -2511,10 +2519,10 @@
  2 files changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
-index 8792710..3c93bfa 100644
+index e98e8df..92f014d 100644
 --- a/src/openvpn/openssl_compat.h
 +++ b/src/openvpn/openssl_compat.h
-@@ -619,4 +619,9 @@ RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
+@@ -307,4 +307,9 @@ RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
  }
  #endif
  
@@ -2525,7 +2533,7 @@
 +
  #endif /* OPENSSL_COMPAT_H_ */
 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 2f3211f..5a8fd1e 100644
+index f011e06..d7cc2ba 100644
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
 @@ -995,7 +995,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned 
char *to, RSA *rsa, i
@@ -2574,9 +2582,9 @@
  if (!ret)
  {
  crypto_msg(M_FATAL, "Error creating %s BIO", desc);
-From 5045e449cb40223a759fa07976c9c37e939b2d9e Mon Sep 17 00:00:00 2001
+From 8d00afae88b626c9cf14170a943b33a7ed378070 Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget 
-Date: Mon, 20 Feb 2017 14:45:22 +0100
+Date: Mon, 20 Feb 2017 15:32:34 +0100
 Subject: [PATCH 20/20] OpenSSL: use EVP_CipherInit_ex() instead of
  EVP_CipherInit()
 
@@ -2591,6 +2599,10 @@
 on dirty tricks.
 
 Signed-off-by: Emmanuel Deloget 
+Acked-by: Steffan Karger 
+Message-Id: 
<2faff7647151d7fe362c1c5db9f97e520444d09b.1487600539.git.log...@free.fr>
+URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14120.html
+Signed-off-by: Gert Doering 
 Signed-off-by: Christian Hesse 
 ---
  src/openvpn/crypto_openssl.c | 4 ++--
@@ -2597,10 +2609,10 @@
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index 23de175..2bca88b 100644
+index a66ee71..5549d70 100644
 --- a/src/openvpn/crypto_openssl.c
 +++ b/src/openvpn/crypto_openssl.c
-@@ -683,7 +683,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int 
key_len,
+@@ -671,7 +671,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int 
key_len,
  crypto_msg(M_FATAL, "EVP set key size");
  }
  #endif
@@ -2609,7 +2621,7 @@
  {
  crypto_msg(M_FATAL, "EVP cipher init #2");
  }
-@@ -736,7 +736,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
+@@ -724,7 +724,7 @@ 

[arch-commits] Commit in openvpn/trunk (0004-openssl-1-1-0.patch PKGBUILD)

[Christian Hesse]

Date: Saturday, February 25, 2017 @ 14:17:42
  Author: eworm
Revision: 289531

allow to build against openssl 1.1.0

Added:
  openvpn/trunk/0004-openssl-1-1-0.patch
Modified:
  openvpn/trunk/PKGBUILD

--+
 0004-openssl-1-1-0.patch | 2620 +
 PKGBUILD |9 
 2 files changed, 2627 insertions(+), 2 deletions(-)

Added: 0004-openssl-1-1-0.patch
===
--- 0004-openssl-1-1-0.patch(rev 0)
+++ 0004-openssl-1-1-0.patch2017-02-25 14:17:42 UTC (rev 289531)
@@ -0,0 +1,2620 @@
+From 5b48e8c9f85442936f744c3c550d9d41fe8c7b60 Mon Sep 17 00:00:00 2001
+From: Steffan Karger 
+Date: Sun, 22 Jan 2017 17:04:41 +0100
+Subject: [PATCH 01/20] Use SHA256 for the internal digest, instead of MD5
+
+Our internal options digest uses MD5 hashes to store the state, instead of
+storing the full options string.  There's nothing wrong with that, but it
+would still be better to use SHA256 because:
+ * That makes it easier to make OpenVPN "FIPS-compliant" (forbids MD5)
+ * We don't have to explain anymore that MD5 is fine too
+
+The slightly less bytes for the digest (16 instead of 32) and operations
+per connection setup are not worth sticking to MD5.
+
+Note that might SHA256 not be available in de crypto lib, OpenVPN will
+refuse to start and shout "Message hash algorithm 'SHA256' not found".
+
+Signed-off-by: Steffan Karger 
+Acked-by: David Sommerseth 
+Message-Id: <1485101081-9784-1-git-send-email-stef...@karger.me>
+URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13926.html
+Signed-off-by: David Sommerseth 
+Signed-off-by: Christian Hesse 
+---
+ src/openvpn/crypto.h |  6 +++---
+ src/openvpn/crypto_mbedtls.h |  1 +
+ src/openvpn/crypto_openssl.h |  1 +
+ src/openvpn/init.c   | 10 +-
+ src/openvpn/openvpn.h|  6 +++---
+ src/openvpn/push.c   |  8 
+ 6 files changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
+index 42a46d9..afd6fe5 100644
+--- a/src/openvpn/crypto.h
 b/src/openvpn/crypto.h
+@@ -131,9 +131,9 @@
+ #include "packet_id.h"
+ #include "mtu.h"
+ 
+-/** Wrapper struct to pass around MD5 digests */
+-struct md5_digest {
+-uint8_t digest[MD5_DIGEST_LENGTH];
++/** Wrapper struct to pass around SHA256 digests */
++struct sha256_digest {
++uint8_t digest[SHA256_DIGEST_LENGTH];
+ };
+ 
+ /*
+diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
+index 525b256..da2db16 100644
+--- a/src/openvpn/crypto_mbedtls.h
 b/src/openvpn/crypto_mbedtls.h
+@@ -73,6 +73,7 @@ typedef mbedtls_md_context_t hmac_ctx_t;
+ #define MD4_DIGEST_LENGTH   16
+ #define MD5_DIGEST_LENGTH   16
+ #define SHA_DIGEST_LENGTH   20
++#define SHA256_DIGEST_LENGTH32
+ #define DES_KEY_LENGTH 8
+ 
+ /**
+diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
+index 56ec6e1..f8ddbc8 100644
+--- a/src/openvpn/crypto_openssl.h
 b/src/openvpn/crypto_openssl.h
+@@ -33,6 +33,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ /** Generic cipher key type %context. */
+ typedef EVP_CIPHER cipher_kt_t;
+diff --git a/src/openvpn/init.c b/src/openvpn/init.c
+index f2e75c8..756bf36 100644
+--- a/src/openvpn/init.c
 b/src/openvpn/init.c
+@@ -1919,12 +1919,12 @@ tun_abort()
+  * equal, or either one is all-zeroes.
+  */
+ static bool
+-options_hash_changed_or_zero(const struct md5_digest *a,
+- const struct md5_digest *b)
++options_hash_changed_or_zero(const struct sha256_digest *a,
++ const struct sha256_digest *b)
+ {
+-const struct md5_digest zero = {{0}};
+-return memcmp(a, b, sizeof(struct md5_digest))
+-   || !memcmp(a, , sizeof(struct md5_digest));
++const struct sha256_digest zero = {{0}};
++return memcmp(a, b, sizeof(struct sha256_digest))
++   || !memcmp(a, , sizeof(struct sha256_digest));
+ }
+ #endif /* P2MP */
+ 
+diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
+index 37edec4..893296e 100644
+--- a/src/openvpn/openvpn.h
 b/src/openvpn/openvpn.h
+@@ -202,7 +202,7 @@ struct context_1
+ #endif
+ 
+ /* if client mode, hash of option strings we pulled from server */
+-struct md5_digest pulled_options_digest_save;
++struct sha256_digest pulled_options_digest_save;
+ /**< Hash of option strings received from the
+  *   remote OpenVPN server.  Only used in
+  *   client-mode. */
+@@ -471,9 +471,9 @@ struct context_2
+ bool did_pre_pull_restore;
+ 
+ /* hash of pulled options, so we can compare when options change */
+-bool pulled_options_md5_init_done;
++bool pulled_options_digest_init_done;
+ md_ctx_t pulled_options_state;
+-struct md5_digest