[arch-commits] Commit in openvpn/trunk (3 files)
Christian Hesse
eworm at archlinux.org
Mon Jul 24 14:41:11 UTC 2017
Date: Monday, July 24, 2017 @ 14:41:11
Author: eworm
Revision: 301200
upgpkg: openvpn 2.4.3-3
* add optional dependency for PAM
* apply: Set tls-cipher restriction before loading certificates
* apply: management: preserve wait_for_push field when asking for user/pass (FS#54797)
Added:
openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch
openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
Modified:
openvpn/trunk/PKGBUILD
------------------------------------------------------------------------------+
0001-set-tls-cipher-restriction-before-loading-certificates.patch | 47 ++++++++++
0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch | 40 ++++++++
PKGBUILD | 19 +++-
3 files changed, 102 insertions(+), 4 deletions(-)
Added: 0001-set-tls-cipher-restriction-before-loading-certificates.patch
===================================================================
--- 0001-set-tls-cipher-restriction-before-loading-certificates.patch (rev 0)
+++ 0001-set-tls-cipher-restriction-before-loading-certificates.patch 2017-07-24 14:41:11 UTC (rev 301200)
@@ -0,0 +1,47 @@
+From 95c07b13ce112ceb8b15175fcae0d95c70e93eee Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne at rfc2549.org>
+Date: Mon, 26 Jun 2017 13:13:26 +0200
+Subject: Set tls-cipher restriction before loading certificates
+
+OpenSSL 1.1 does not allow MD5 signed certificates by default anymore.
+This can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but
+only if the cipher list is set before loading the certificates. This patch
+changes the order of loading.
+
+Acked-by: Christian Hesse <list at eworm.de>
+Acked-by: Steffan Karger <steffan.karger at fox-it.com>
+Message-Id: <1498475606-8337-1-git-send-email-arne at rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14961.html
+
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+(cherry picked from commit 26345ba61b8d5bccb1331894ab6d1468e3b09adf)
+---
+ src/openvpn/ssl.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index 15cd94ad..98f4741b 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+ tls_ctx_client_new(new_ctx);
+ }
+
++ /* Allowable ciphers */
++ /* Since @SECLEVEL also influces loading of certificates, set the
++ * cipher restrictions before loading certificates */
++ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
++
+ tls_ctx_set_options(new_ctx, options->ssl_flags);
+
+ if (options->pkcs12_file)
+@@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+ tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
+ }
+
+- /* Allowable ciphers */
+- tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
+-
+ #ifdef ENABLE_CRYPTO_MBEDTLS
+ /* Personalise the random by mixing in the certificate */
+ tls_ctx_personalise_random(new_ctx);
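Review bot: The comment added above the moved `tls_ctx_restrict_ciphers` call misspells "influences" and understates the reason for the reorder; @SECLEVEL in the cipher string sets the security level OpenSSL applies while loading certificates and keys, not just the cipher selection. Suggest `/* @SECLEVEL in the cipher string also governs which certificates and keys OpenSSL accepts, so apply the cipher restrictions before loading any certificates. */`. For anyone relying on the workaround named in the commit message, "DEFAULT:@SECLEVEL=0" relaxes every security-level check OpenSSL enforces, not only the MD5-signature restriction, so it is a broad downgrade rather than a targeted exception. The call now also precedes `tls_ctx_set_options`; nothing in the hunk shows whether those two are order-dependent, so that is worth a quick check in the backend implementations. The body of init_ssl continues outside both hunks.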
Added: 0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
===================================================================
--- 0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch (rev 0)
+++ 0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch 2017-07-24 14:41:11 UTC (rev 301200)
@@ -0,0 +1,40 @@
+From 3322c558fa742cb823fa919f682486973abc4f8e Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <a at unstable.cc>
+Date: Fri, 7 Jul 2017 22:01:08 +0800
+Subject: management: preserve wait_for_push field when asking for user/pass
+
+With the introduction of the wait_for_push field in the auth_user_pass
+structure, we have to make sure that such field is not accidentally
+erased when the management asks the user for user/pass.
+
+Erasing such field would mess up the logic introduced by
+("Ignore auth-nocache for auth-user-pass if auth-token is pushed").
+
+Thanks to David Sommerseth for the preliminary analysis and debugging.
+
+Reported-by: Steven Haigh <netwiz at crc.id.au>
+Signed-off-by: Antonio Quartulli <a at unstable.cc>
+Tested-by: Steven Haigh <netwiz at crc.id.au>
+Acked-by: David Sommerseth <davids at openvpn.net>
+Message-Id: <20170707140108.31612-1-a at unstable.cc>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
+Signed-off-by: David Sommerseth <davids at openvpn.net>
+---
+ src/openvpn/manage.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
+index 13be6f6d..ff948240 100644
+--- a/src/openvpn/manage.c
++++ b/src/openvpn/manage.c
+@@ -3501,7 +3501,9 @@ management_query_user_pass(struct management *man,
+ */
+ if (ret)
+ {
+- man->connection.up_query.nocache = up->nocache; /* preserve caller's nocache setting */
++ /* preserve caller's settings */
++ man->connection.up_query.nocache = up->nocache;
++ man->connection.up_query.wait_for_push = up->wait_for_push;
+ *up = man->connection.up_query;
+ }
+ secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));
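Review bot: The preservation at the added lines is field-by-field, while the following `*up = man->connection.up_query;` overwrites every member of `*up`, so any member added to the struct later needs its own preserve line or silently loses the caller's value; that is the same pattern that produced the bug being fixed here. A more robust shape copies only what the management query actually produced (the credential fields) back into `*up` and leaves the rest of the caller's struct untouched; the struct's member names are not visible in this hunk, so I have not written that out. The `secure_memzero` after the copy correctly scrubs the query buffer whether or not `ret` was set. The enclosing management_query_user_pass starts outside the hunk.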
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-07-24 10:39:11 UTC (rev 301199)
+++ PKGBUILD 2017-07-24 14:41:11 UTC (rev 301200)
@@ -3,24 +3,35 @@
pkgname=openvpn
pkgver=2.4.3
-pkgrel=2
+pkgrel=3
pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
arch=('i686' 'x86_64')
url='http://openvpn.net/index.php/open-source.html'
depends=('openssl' 'lzo' 'iproute2' 'libsystemd' 'pkcs11-helper')
-optdepends=('easy-rsa: easy CA and certificate handling')
+optdepends=('easy-rsa: easy CA and certificate handling'
+ 'pam: authenticate via PAM')
makedepends=('systemd')
license=('custom')
validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7') # OpenVPN - Security Mailing List <security at openvpn.net>
#source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc})
source=("http://www.eurephia.net/openvpn/openvpn-${pkgver}.tar.xz"
- "openvpn-${pkgver}.tar.xz.asc")
+ "openvpn-${pkgver}.tar.xz.asc"
+ '0001-set-tls-cipher-restriction-before-loading-certificates.patch'
+ '0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch')
sha256sums=('7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571'
- 'SKIP')
+ 'SKIP'
+ 'd23b4b7642450eab01873c9dbc95c851324f9726f5706541fffde7551818ebb9'
+ 'e4b95b766b5e0c4db3e7f67dcc5bba1e63e259861ef4b28244c180a88e1d643a')
prepare() {
cd "${srcdir}"/${pkgname}-${pkgver}
+ # Set tls-cipher restriction before loading certificates
+ patch -Np1 < "${srcdir}"/0001-set-tls-cipher-restriction-before-loading-certificates.patch
+
+ # management: preserve wait_for_push field when asking for user/pass
+ patch -Np1 < "${srcdir}"/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
+
# regenerate configure script
autoreconf -fi
}