[arch-commits] Commit in openvpn/trunk (0004-openssl-1-1-0.patch PKGBUILD)
Date: Wednesday, June 21, 2017 @ 10:40:07 Author: eworm Revision: 299112 upgpkg: openvpn 2.4.3-1 new upstream release with security fixes Modified: openvpn/trunk/PKGBUILD Deleted: openvpn/trunk/0004-openssl-1-1-0.patch --+ 0004-openssl-1-1-0.patch | 1614 - PKGBUILD | 18 2 files changed, 7 insertions(+), 1625 deletions(-) Deleted: 0004-openssl-1-1-0.patch ===
--- 0004-openssl-1-1-0.patch2017-06-21 10:23:04 UTC (rev 299111)
+++ 0004-openssl-1-1-0.patch2017-06-21 10:40:07 UTC (rev 299112)
@@ -1,1614 +0,0 @@
-From 17d1ab90c228b1efbe774357bd3265b2af006899 Mon Sep 17 00:00:00 2001
-From: Emmanuel Deloget-Date: Mon, 12 Jun 2017 15:43:23 +0200
-Subject: [PATCH 1/8] OpenSSL: don't use direct access to the internal of
- X509
-
-OpenSSL 1.1 does not allow us to directly access the internal of
-any data type, including X509. We have to use the defined
-functions to do so.
-
-In x509_verify_ns_cert_type() in particular, this means that we
-cannot directly check for the extended flags to find whether the
-certificate should be used as a client or as a server certificate.
-We need to leverage the X509_check_purpose() API yet this API is
-far stricter than the currently implemented check. So far, I have
-not been able to find a situation where this stricter test fails
-(although I must admit that I haven't tested that very well).
-
-We double-check the certificate purpose using "direct access" to the
-internal of the certificate object (of course, this is not a real
-direct access, but we still fetch ASN1 strings within the X509 object
-and we check the internal value of these strings). This allow us to
-warn the user if there is a discrepancy between the X509_check_purpose()
-return value and our internal, less strict check.
-
-We use these changes to make peer_cert a non-const parameter to
-x509_verify_ns_cert_type(). The underlying library waits for a
-non-const pointer, and forcing it to be a const pointer does not make
-much sense (please note that this has an effect on the mbedtls part
-too).
-
-Compatibility with OpenSSL 1.0 is kept by defining the corresponding
-functions when they are not found in the library.
- -Signed-off-by: Emmanuel Deloget -Acked-by: Steffan Karger -Message-Id: <20170612134330.20971-2-log...@free.fr> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14792.html -Signed-off-by: Gert Doering - configure.ac | 1 + - src/openvpn/openssl_compat.h | 15 + - src/openvpn/ssl_openssl.c| 3 +- - src/openvpn/ssl_verify_backend.h | 2 +- - src/openvpn/ssl_verify_mbedtls.c | 2 +- - src/openvpn/ssl_verify_openssl.c | 68 ++-- - 6 files changed, 78 insertions(+), 13 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 334247df..c30bf3d5 100644 a/configure.ac -+++ b/configure.ac -@@ -921,6 +921,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then - [ \ - SSL_CTX_get_default_passwd_cb \ - SSL_CTX_get_default_passwd_cb_userdata \ -+ X509_get0_pubkey \ - X509_STORE_get0_objects \ - X509_OBJECT_free \ - X509_OBJECT_get_type \ -diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h -index 811d559c..612bfa56 100644 a/src/openvpn/openssl_compat.h -+++ b/src/openvpn/openssl_compat.h -@@ -73,6 +73,21 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) - } - #endif - -+#if !defined(HAVE_X509_GET0_PUBKEY) -+/** -+ * Get the public key from a X509 certificate -+ * -+ * @param x X509 certificate -+ * @return The certificate public key -+ */ -+static inline EVP_PKEY * -+X509_get0_pubkey(const X509 *x) -+{ -+return (x && x->cert_info && x->cert_info->key) ? 
-+ x->cert_info->key->pkey : NULL; -+} -+#endif -+ - #if !defined(HAVE_X509_STORE_GET0_OBJECTS) - /** - * Fetch the X509 object stack from the X509 store -diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c -index 1fa46e18..89c3b014 100644 a/src/openvpn/ssl_openssl.c -+++ b/src/openvpn/ssl_openssl.c -@@ -1070,7 +1070,8 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, - } - - /* get the public key */ --ASSERT(cert->cert_info->key->pkey); /* NULL before SSL_CTX_use_certificate() is called */ -+EVP_PKEY *pkey = X509_get0_pubkey(cert); -+ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ - pub_rsa = cert->cert_info->key->pkey->pkey.rsa; - - /* initialize RSA object */ -diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h -index
[arch-commits] Commit in openvpn/trunk (0004-openssl-1-1-0.patch PKGBUILD)
Date: Sunday, June 18, 2017 @ 19:30:50 Author: eworm Revision: 298959 upgpkg: openvpn 2.4.2-2 use final upstream openssl 1.1.0 patches Modified: openvpn/trunk/0004-openssl-1-1-0.patch openvpn/trunk/PKGBUILD --+ 0004-openssl-1-1-0.patch | 532 - PKGBUILD |4 2 files changed, 339 insertions(+), 197 deletions(-) Modified: 0004-openssl-1-1-0.patch === --- 0004-openssl-1-1-0.patch2017-06-18 12:24:26 UTC (rev 298958) +++ 0004-openssl-1-1-0.patch2017-06-18 19:30:50 UTC (rev 298959) @@ -1,6 +1,6 @@ -From 166ab46e4ff9e44f31ce9713995516538da105ec Mon Sep 17 00:00:00 2001 +From 17d1ab90c228b1efbe774357bd3265b2af006899 Mon Sep 17 00:00:00 2001 From: Emmanuel Deloget-Date: Fri, 17 Feb 2017 14:39:07 +0100 +Date: Mon, 12 Jun 2017 15:43:23 +0200 Subject: [PATCH 1/8] OpenSSL: don't use direct access to the internal of X509 @@ -16,23 +16,41 @@ not been able to find a situation where this stricter test fails (although I must admit that I haven't tested that very well). +We double-check the certificate purpose using "direct access" to the +internal of the certificate object (of course, this is not a real +direct access, but we still fetch ASN1 strings within the X509 object +and we check the internal value of these strings). This allow us to +warn the user if there is a discrepancy between the X509_check_purpose() +return value and our internal, less strict check. + +We use these changes to make peer_cert a non-const parameter to +x509_verify_ns_cert_type(). The underlying library waits for a +non-const pointer, and forcing it to be a const pointer does not make +much sense (please note that this has an effect on the mbedtls part +too). + Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library. 
Signed-off-by: Emmanuel Deloget -Signed-off-by: Christian Hesse +Acked-by: Steffan Karger +Message-Id: <20170612134330.20971-2-log...@free.fr> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14792.html +Signed-off-by: Gert Doering --- configure.ac | 1 + - src/openvpn/openssl_compat.h | 15 +++ - src/openvpn/ssl_openssl.c| 3 ++- - src/openvpn/ssl_verify_openssl.c | 28 +++- - 4 files changed, 37 insertions(+), 10 deletions(-) + src/openvpn/openssl_compat.h | 15 + + src/openvpn/ssl_openssl.c| 3 +- + src/openvpn/ssl_verify_backend.h | 2 +- + src/openvpn/ssl_verify_mbedtls.c | 2 +- + src/openvpn/ssl_verify_openssl.c | 68 ++-- + 6 files changed, 78 insertions(+), 13 deletions(-) diff --git a/configure.ac b/configure.ac -index 2406ad8..d2c40ff 100644 +index 334247df..c30bf3d5 100644 --- a/configure.ac +++ b/configure.ac -@@ -902,6 +902,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then +@@ -921,6 +921,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then [ \ SSL_CTX_get_default_passwd_cb \ SSL_CTX_get_default_passwd_cb_userdata \ @@ -41,10 +59,10 @@ X509_OBJECT_free \ X509_OBJECT_get_type \ diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h -index e98e8df..fe245ed 100644 +index 811d559c..612bfa56 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h -@@ -74,6 +74,21 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) +@@ -73,6 +73,21 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) } #endif @@ -67,10 +85,10 @@ /** * Fetch the X509 object stack from the X509 store diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c -index f011e06..b683961 100644 +index 1fa46e18..89c3b014 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c -@@ -1073,7 +1073,8 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, +@@ -1070,7 +1070,8 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, } /* get the public key */ 
@@ -80,11 +98,37 @@ pub_rsa = cert->cert_info->key->pkey->pkey.rsa; /* initialize RSA object */ +diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h +index 35660532..978e54fd 100644 +--- a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h +@@ -210,7 +210,7 @@ void x509_setenv_track(const struct x509_track *xt, struct env_set *es, + * the expected bit set. \c FAILURE if the certificate does + * not have NS cert type verification or the wrong bit set. + */ +-result_t x509_verify_ns_cert_type(const openvpn_x509_cert_t *cert, const int
[arch-commits] Commit in openvpn/trunk (0004-openssl-1-1-0.patch PKGBUILD)
Date: Monday, March 6, 2017 @ 13:00:45 Author: eworm Revision: 290046 more upstream patches Modified: openvpn/trunk/0004-openssl-1-1-0.patch openvpn/trunk/PKGBUILD --+ 0004-openssl-1-1-0.patch | 36 PKGBUILD |2 +- 2 files changed, 25 insertions(+), 13 deletions(-) Modified: 0004-openssl-1-1-0.patch === --- 0004-openssl-1-1-0.patch2017-03-06 11:52:39 UTC (rev 290045) +++ 0004-openssl-1-1-0.patch2017-03-06 13:00:45 UTC (rev 290046) @@ -772,9 +772,9 @@ ) CFLAGS="${saved_CFLAGS}" -From 79d89580db6fd92c059dabc4f5f4d83b72bb9d3d Mon Sep 17 00:00:00 2001 +From 09776c5b52df13121504e07894a26d5cd1883317 Mon Sep 17 00:00:00 2001 From: Emmanuel Deloget-Date: Fri, 17 Feb 2017 12:56:23 +0100 +Date: Thu, 23 Feb 2017 15:35:56 +0100 Subject: [PATCH 10/20] OpenSSL: don't use direct access to the internal of RSA_METHOD @@ -786,6 +786,10 @@ functions when they are not found in the library. Signed-off-by: Emmanuel Deloget +Acked-by: Steffan Karger +Message-Id: <79d89580db6fd92c059dabc4f5f4d83b72bb9d3d.1487859361.git.log...@free.fr> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14175.html +Signed-off-by: Gert Doering Signed-off-by: Christian Hesse --- configure.ac | 9 ++ @@ -2494,9 +2498,9 @@ secure_memzero(A1, sizeof(A1)); dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, )); -From 7f94ece5cb4b3f0ab53e026662dc22937e10743a Mon Sep 17 00:00:00 2001 +From c828ffc648eebda20e2f9087248944fa0f52a582 Mon Sep 17 00:00:00 2001 From: Emmanuel Deloget -Date: Fri, 17 Feb 2017 14:18:33 +0100 +Date: Fri, 17 Feb 2017 23:00:52 +0100 Subject: [PATCH 18/20] OpenSSL: SSLeay symbols are no longer available in OpenSSL 1.1 @@ -2504,6 +2508,10 @@ equivalent symbols (OSSL). Use them instead of the old ones 
Signed-off-by: Emmanuel Deloget +Acked-by: Steffan Karger +Message-Id: <9ce17efda7b1ed100e73554b1916c0bfa687d9d1.1487368114.git.log...@free.fr> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14089.html +Signed-off-by: Gert Doering Signed-off-by: Christian Hesse --- src/openvpn/openssl_compat.h | 5 + @@ -2511,10 +2519,10 @@ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h -index 8792710..3c93bfa 100644 +index e98e8df..92f014d 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h -@@ -619,4 +619,9 @@ RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data) +@@ -307,4 +307,9 @@ RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data) } #endif @@ -2525,7 +2533,7 @@ + #endif /* OPENSSL_COMPAT_H_ */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c -index 2f3211f..5a8fd1e 100644 +index f011e06..d7cc2ba 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -995,7 +995,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i @@ -2574,9 +2582,9 @@ if (!ret) { crypto_msg(M_FATAL, "Error creating %s BIO", desc); -From 5045e449cb40223a759fa07976c9c37e939b2d9e Mon Sep 17 00:00:00 2001 +From 8d00afae88b626c9cf14170a943b33a7ed378070 Mon Sep 17 00:00:00 2001 From: Emmanuel Deloget -Date: Mon, 20 Feb 2017 14:45:22 +0100 +Date: Mon, 20 Feb 2017 15:32:34 +0100 Subject: [PATCH 20/20] OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit() @@ -2591,6 +2599,10 @@ on dirty tricks. Signed-off-by: Emmanuel Deloget +Acked-by: Steffan Karger +Message-Id: <2faff7647151d7fe362c1c5db9f97e520444d09b.1487600539.git.log...@free.fr> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14120.html +Signed-off-by: Gert Doering Signed-off-by: Christian Hesse --- src/openvpn/crypto_openssl.c | 4 ++-- @@ -2597,10 +2609,10 @@ 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c -index 23de175..2bca88b 100644 +index a66ee71..5549d70 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c -@@ -683,7 +683,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, +@@ -671,7 +671,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, crypto_msg(M_FATAL, "EVP set key size"); } #endif @@ -2609,7 +2621,7 @@ { crypto_msg(M_FATAL, "EVP cipher init #2"); } -@@ -736,7 +736,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx) +@@ -724,7 +724,7 @@
[arch-commits] Commit in openvpn/trunk (0004-openssl-1-1-0.patch PKGBUILD)
Date: Saturday, February 25, 2017 @ 14:17:42 Author: eworm Revision: 289531 allow to build against openssl 1.1.0 Added: openvpn/trunk/0004-openssl-1-1-0.patch Modified: openvpn/trunk/PKGBUILD --+ 0004-openssl-1-1-0.patch | 2620 + PKGBUILD |9 2 files changed, 2627 insertions(+), 2 deletions(-) Added: 0004-openssl-1-1-0.patch ===
--- 0004-openssl-1-1-0.patch(rev 0)
+++ 0004-openssl-1-1-0.patch2017-02-25 14:17:42 UTC (rev 289531)
@@ -0,0 +1,2620 @@ +From 5b48e8c9f85442936f744c3c550d9d41fe8c7b60 Mon Sep 17 00:00:00 2001 +From: Steffan Karger+Date: Sun, 22 Jan 2017 17:04:41 +0100 +Subject: [PATCH 01/20] Use SHA256 for the internal digest, instead of MD5 + +Our internal options digest uses MD5 hashes to store the state, instead of +storing the full options string. There's nothing wrong with that, but it +would still be better to use SHA256 because: + * That makes it easier to make OpenVPN "FIPS-compliant" (forbids MD5) + * We don't have to explain anymore that MD5 is fine too + +The slightly less bytes for the digest (16 instead of 32) and operations +per connection setup are not worth sticking to MD5. + +Note that might SHA256 not be available in de crypto lib, OpenVPN will +refuse to start and shout "Message hash algorithm 'SHA256' not found". + +Signed-off-by: Steffan Karger +Acked-by: David Sommerseth +Message-Id: <1485101081-9784-1-git-send-email-stef...@karger.me> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13926.html +Signed-off-by: David Sommerseth +Signed-off-by: Christian Hesse +--- + src/openvpn/crypto.h | 6 +++--- + src/openvpn/crypto_mbedtls.h | 1 + + src/openvpn/crypto_openssl.h | 1 + + src/openvpn/init.c | 10 +- + src/openvpn/openvpn.h| 6 +++--- + src/openvpn/push.c | 8 + 6 files changed, 17 insertions(+), 15 deletions(-) + +diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h +index 42a46d9..afd6fe5 100644 +--- a/src/openvpn/crypto.h b/src/openvpn/crypto.h +@@ -131,9 +131,9 @@ + #include "packet_id.h" + #include "mtu.h" + +-/** Wrapper struct to pass around MD5 digests */ +-struct md5_digest { +-uint8_t digest[MD5_DIGEST_LENGTH]; ++/** Wrapper struct to pass around SHA256 digests */ ++struct sha256_digest { ++uint8_t digest[SHA256_DIGEST_LENGTH]; + }; + + /* +diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h +index 525b256..da2db16 100644 +--- a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h +@@ -73,6 +73,7 
@@ typedef mbedtls_md_context_t hmac_ctx_t; + #define MD4_DIGEST_LENGTH 16 + #define MD5_DIGEST_LENGTH 16 + #define SHA_DIGEST_LENGTH 20 ++#define SHA256_DIGEST_LENGTH32 + #define DES_KEY_LENGTH 8 + + /** +diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h +index 56ec6e1..f8ddbc8 100644 +--- a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + + /** Generic cipher key type %context. */ + typedef EVP_CIPHER cipher_kt_t; +diff --git a/src/openvpn/init.c b/src/openvpn/init.c +index f2e75c8..756bf36 100644 +--- a/src/openvpn/init.c b/src/openvpn/init.c +@@ -1919,12 +1919,12 @@ tun_abort() + * equal, or either one is all-zeroes. + */ + static bool +-options_hash_changed_or_zero(const struct md5_digest *a, +- const struct md5_digest *b) ++options_hash_changed_or_zero(const struct sha256_digest *a, ++ const struct sha256_digest *b) + { +-const struct md5_digest zero = {{0}}; +-return memcmp(a, b, sizeof(struct md5_digest)) +- || !memcmp(a, , sizeof(struct md5_digest)); ++const struct sha256_digest zero = {{0}}; ++return memcmp(a, b, sizeof(struct sha256_digest)) ++ || !memcmp(a, , sizeof(struct sha256_digest)); + } + #endif /* P2MP */ + +diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h +index 37edec4..893296e 100644 +--- a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h +@@ -202,7 +202,7 @@ struct context_1 + #endif + + /* if client mode, hash of option strings we pulled from server */ +-struct md5_digest pulled_options_digest_save; ++struct sha256_digest pulled_options_digest_save; + /**< Hash of option strings received from the + * remote OpenVPN server. Only used in + * client-mode. */ +@@ -471,9 +471,9 @@ struct context_2 + bool did_pre_pull_restore; + + /* hash of pulled options, so we can compare when options change */ +-bool pulled_options_md5_init_done; ++bool pulled_options_digest_init_done; + md_ctx_t pulled_options_state; +-struct md5_digest