[arch-commits] Commit in openvpn/repos (10 files)

Christian Hesse eworm at archlinux.org
Mon Jul 24 14:42:41 UTC 2017


    Date: Monday, July 24, 2017 @ 14:42:41
  Author: eworm
Revision: 301201

archrelease: copy trunk to testing-i686, testing-x86_64

Added:
  openvpn/repos/testing-i686/
  openvpn/repos/testing-i686/0001-set-tls-cipher-restriction-before-loading-certificates.patch
    (from rev 301200, openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch)
  openvpn/repos/testing-i686/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
    (from rev 301200, openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch)
  openvpn/repos/testing-i686/PKGBUILD
    (from rev 301200, openvpn/trunk/PKGBUILD)
  openvpn/repos/testing-i686/openvpn-2.4.3.tar.xz.asc
    (from rev 301200, openvpn/trunk/openvpn-2.4.3.tar.xz.asc)
  openvpn/repos/testing-x86_64/
  openvpn/repos/testing-x86_64/0001-set-tls-cipher-restriction-before-loading-certificates.patch
    (from rev 301200, openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch)
  openvpn/repos/testing-x86_64/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
    (from rev 301200, openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch)
  openvpn/repos/testing-x86_64/PKGBUILD
    (from rev 301200, openvpn/trunk/PKGBUILD)
  openvpn/repos/testing-x86_64/openvpn-2.4.3.tar.xz.asc
    (from rev 301200, openvpn/trunk/openvpn-2.4.3.tar.xz.asc)

---------------------------------------------------------------------------------------------+
 testing-i686/0001-set-tls-cipher-restriction-before-loading-certificates.patch              |   47 +++++
 testing-i686/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch   |   40 ++++
 testing-i686/PKGBUILD                                                                       |   84 ++++++++++
 testing-x86_64/0001-set-tls-cipher-restriction-before-loading-certificates.patch            |   47 +++++
 testing-x86_64/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch |   40 ++++
 testing-x86_64/PKGBUILD                                                                     |   84 ++++++++++
 6 files changed, 342 insertions(+)

Copied: openvpn/repos/testing-i686/0001-set-tls-cipher-restriction-before-loading-certificates.patch (from rev 301200, openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch)
===================================================================
--- testing-i686/0001-set-tls-cipher-restriction-before-loading-certificates.patch	                        (rev 0)
+++ testing-i686/0001-set-tls-cipher-restriction-before-loading-certificates.patch	2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,47 @@
+From 95c07b13ce112ceb8b15175fcae0d95c70e93eee Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne at rfc2549.org>
+Date: Mon, 26 Jun 2017 13:13:26 +0200
+Subject: Set tls-cipher restriction before loading certificates
+
+OpenSSL 1.1 does not allow MD5 signed certificates by default anymore.
+This can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but
+only if the cipher list is set before loading the certificates. This patch
+changes the order of loading.
+
+Acked-by: Christian Hesse <list at eworm.de>
+Acked-by: Steffan Karger <steffan.karger at fox-it.com>
+Message-Id: <1498475606-8337-1-git-send-email-arne at rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14961.html
+
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+(cherry picked from commit 26345ba61b8d5bccb1331894ab6d1468e3b09adf)
+---
+ src/openvpn/ssl.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index 15cd94ad..98f4741b 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+         tls_ctx_client_new(new_ctx);
+     }
+ 
++    /* Allowable ciphers */
++    /* Since @SECLEVEL also influces loading of certificates, set the
++     * cipher restrictions before loading certificates */
++    tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
++
+     tls_ctx_set_options(new_ctx, options->ssl_flags);
+ 
+     if (options->pkcs12_file)
+@@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+         tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
+     }
+ 
+-    /* Allowable ciphers */
+-    tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
+-
+ #ifdef ENABLE_CRYPTO_MBEDTLS
+     /* Personalise the random by mixing in the certificate */
+     tls_ctx_personalise_random(new_ctx);

Copied: openvpn/repos/testing-i686/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch (from rev 301200, openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch)
===================================================================
--- testing-i686/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch	                        (rev 0)
+++ testing-i686/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch	2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,40 @@
+From 3322c558fa742cb823fa919f682486973abc4f8e Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <a at unstable.cc>
+Date: Fri, 7 Jul 2017 22:01:08 +0800
+Subject: management: preserve wait_for_push field when asking for user/pass
+
+With the introduction of the wait_for_push field in the auth_user_pass
+structure, we have to make sure that such field is not accidentally
+erased when the management asks the user for user/pass.
+
+Erasing such field would mess up the logic introduced by
+("Ignore auth-nocache for auth-user-pass if auth-token is pushed").
+
+Thanks to David Sommerseth for the preliminary analysis and debugging.
+
+Reported-by: Steven Haigh <netwiz at crc.id.au>
+Signed-off-by: Antonio Quartulli <a at unstable.cc>
+Tested-by: Steven Haigh <netwiz at crc.id.au>
+Acked-by: David Sommerseth <davids at openvpn.net>
+Message-Id: <20170707140108.31612-1-a at unstable.cc>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
+Signed-off-by: David Sommerseth <davids at openvpn.net>
+---
+ src/openvpn/manage.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
+index 13be6f6d..ff948240 100644
+--- a/src/openvpn/manage.c
++++ b/src/openvpn/manage.c
+@@ -3501,7 +3501,9 @@ management_query_user_pass(struct management *man,
+          */
+         if (ret)
+         {
+-            man->connection.up_query.nocache = up->nocache; /* preserve caller's nocache setting */
++            /* preserve caller's settings */
++            man->connection.up_query.nocache = up->nocache;
++            man->connection.up_query.wait_for_push = up->wait_for_push;
+             *up = man->connection.up_query;
+         }
+         secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));

Copied: openvpn/repos/testing-i686/PKGBUILD (from rev 301200, openvpn/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD	                        (rev 0)
+++ testing-i686/PKGBUILD	2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,84 @@
+# $Id$
+# Maintainer: Christian Hesse <mail at eworm.de>
+
+pkgname=openvpn
+pkgver=2.4.3
+pkgrel=3
+pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
+arch=('i686' 'x86_64')
+url='http://openvpn.net/index.php/open-source.html'
+depends=('openssl' 'lzo' 'iproute2' 'libsystemd' 'pkcs11-helper')
+optdepends=('easy-rsa: easy CA and certificate handling'
+            'pam: authenticate via PAM')
+makedepends=('systemd')
+license=('custom')
+validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7') # OpenVPN - Security Mailing List <security at openvpn.net>
+#source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc})
+source=("http://www.eurephia.net/openvpn/openvpn-${pkgver}.tar.xz"
+        "openvpn-${pkgver}.tar.xz.asc"
+        '0001-set-tls-cipher-restriction-before-loading-certificates.patch'
+        '0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch')
+sha256sums=('7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571'
+            'SKIP'
+            'd23b4b7642450eab01873c9dbc95c851324f9726f5706541fffde7551818ebb9'
+            'e4b95b766b5e0c4db3e7f67dcc5bba1e63e259861ef4b28244c180a88e1d643a')
+
+prepare() {
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  # Set tls-cipher restriction before loading certificates
+  patch -Np1 < "${srcdir}"/0001-set-tls-cipher-restriction-before-loading-certificates.patch
+
+  # management: preserve wait_for_push field when asking for user/pass
+  patch -Np1 < "${srcdir}"/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
+
+  # regenerate configure script
+  autoreconf -fi
+}
+
+build() {
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  ./configure \
+    --prefix=/usr \
+    --sbindir=/usr/bin \
+    --enable-iproute2 \
+    --enable-pkcs11 \
+    --enable-plugins \
+    --enable-systemd \
+    --enable-x509-alt-username
+  make
+}
+
+check() {
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  make check
+}
+
+package() {
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  # Install openvpn
+  make DESTDIR="${pkgdir}" install
+
+  # Create empty configuration directories
+  install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}
+
+  # Install examples
+  install -d -m0755 "${pkgdir}"/usr/share/openvpn
+  cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples
+
+  # Install license
+  install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
+  ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
+
+  # Install contrib
+  for FILE in $(find contrib -type f); do
+    case "$(file --brief --mime-type "${FILE}")" in
+      "text/x-shellscript") install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+      *) install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+    esac
+  done
+}
+
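Review bot: `for FILE in $(find contrib -type f)` in package() word-splits and glob-expands the output of find, so a contrib path containing whitespace or glob characters would be installed under a mangled name or skipped; read the list NUL-delimited instead with `while IFS= read -r -d '' FILE; do` at the top of the loop and `done < <(find contrib -type f -print0)` at the bottom, keeping the `case` body as it is. The identical loop appears in the testing-x86_64/PKGBUILD section of this commit. Separately, the tarball is fetched over plain `http://` from a mirror while the official swupdate URL is left commented out; the pinned sha256sum and the detached signature checked against `validpgpkeys` cover integrity, but a one-line comment next to `source=` recording why the mirror is used would help the next maintainer judge when to switch back.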

Copied: openvpn/repos/testing-i686/openvpn-2.4.3.tar.xz.asc (from rev 301200, openvpn/trunk/openvpn-2.4.3.tar.xz.asc)
===================================================================
(Binary files differ)

Copied: openvpn/repos/testing-x86_64/0001-set-tls-cipher-restriction-before-loading-certificates.patch (from rev 301200, openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch)
===================================================================
--- testing-x86_64/0001-set-tls-cipher-restriction-before-loading-certificates.patch	                        (rev 0)
+++ testing-x86_64/0001-set-tls-cipher-restriction-before-loading-certificates.patch	2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,47 @@
+From 95c07b13ce112ceb8b15175fcae0d95c70e93eee Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne at rfc2549.org>
+Date: Mon, 26 Jun 2017 13:13:26 +0200
+Subject: Set tls-cipher restriction before loading certificates
+
+OpenSSL 1.1 does not allow MD5 signed certificates by default anymore.
+This can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but
+only if the cipher list is set before loading the certificates. This patch
+changes the order of loading.
+
+Acked-by: Christian Hesse <list at eworm.de>
+Acked-by: Steffan Karger <steffan.karger at fox-it.com>
+Message-Id: <1498475606-8337-1-git-send-email-arne at rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14961.html
+
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+(cherry picked from commit 26345ba61b8d5bccb1331894ab6d1468e3b09adf)
+---
+ src/openvpn/ssl.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index 15cd94ad..98f4741b 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+         tls_ctx_client_new(new_ctx);
+     }
+ 
++    /* Allowable ciphers */
++    /* Since @SECLEVEL also influces loading of certificates, set the
++     * cipher restrictions before loading certificates */
++    tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
++
+     tls_ctx_set_options(new_ctx, options->ssl_flags);
+ 
+     if (options->pkcs12_file)
+@@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+         tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
+     }
+ 
+-    /* Allowable ciphers */
+-    tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
+-
+ #ifdef ENABLE_CRYPTO_MBEDTLS
+     /* Personalise the random by mixing in the certificate */
+     tls_ctx_personalise_random(new_ctx);

Copied: openvpn/repos/testing-x86_64/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch (from rev 301200, openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch)
===================================================================
--- testing-x86_64/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch	                        (rev 0)
+++ testing-x86_64/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch	2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,40 @@
+From 3322c558fa742cb823fa919f682486973abc4f8e Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <a at unstable.cc>
+Date: Fri, 7 Jul 2017 22:01:08 +0800
+Subject: management: preserve wait_for_push field when asking for user/pass
+
+With the introduction of the wait_for_push field in the auth_user_pass
+structure, we have to make sure that such field is not accidentally
+erased when the management asks the user for user/pass.
+
+Erasing such field would mess up the logic introduced by
+("Ignore auth-nocache for auth-user-pass if auth-token is pushed").
+
+Thanks to David Sommerseth for the preliminary analysis and debugging.
+
+Reported-by: Steven Haigh <netwiz at crc.id.au>
+Signed-off-by: Antonio Quartulli <a at unstable.cc>
+Tested-by: Steven Haigh <netwiz at crc.id.au>
+Acked-by: David Sommerseth <davids at openvpn.net>
+Message-Id: <20170707140108.31612-1-a at unstable.cc>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
+Signed-off-by: David Sommerseth <davids at openvpn.net>
+---
+ src/openvpn/manage.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
+index 13be6f6d..ff948240 100644
+--- a/src/openvpn/manage.c
++++ b/src/openvpn/manage.c
+@@ -3501,7 +3501,9 @@ management_query_user_pass(struct management *man,
+          */
+         if (ret)
+         {
+-            man->connection.up_query.nocache = up->nocache; /* preserve caller's nocache setting */
++            /* preserve caller's settings */
++            man->connection.up_query.nocache = up->nocache;
++            man->connection.up_query.wait_for_push = up->wait_for_push;
+             *up = man->connection.up_query;
+         }
+         secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));

Copied: openvpn/repos/testing-x86_64/PKGBUILD (from rev 301200, openvpn/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD	                        (rev 0)
+++ testing-x86_64/PKGBUILD	2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,84 @@
+# $Id$
+# Maintainer: Christian Hesse <mail at eworm.de>
+
+pkgname=openvpn
+pkgver=2.4.3
+pkgrel=3
+pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
+arch=('i686' 'x86_64')
+url='http://openvpn.net/index.php/open-source.html'
+depends=('openssl' 'lzo' 'iproute2' 'libsystemd' 'pkcs11-helper')
+optdepends=('easy-rsa: easy CA and certificate handling'
+            'pam: authenticate via PAM')
+makedepends=('systemd')
+license=('custom')
+validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7') # OpenVPN - Security Mailing List <security at openvpn.net>
+#source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc})
+source=("http://www.eurephia.net/openvpn/openvpn-${pkgver}.tar.xz"
+        "openvpn-${pkgver}.tar.xz.asc"
+        '0001-set-tls-cipher-restriction-before-loading-certificates.patch'
+        '0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch')
+sha256sums=('7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571'
+            'SKIP'
+            'd23b4b7642450eab01873c9dbc95c851324f9726f5706541fffde7551818ebb9'
+            'e4b95b766b5e0c4db3e7f67dcc5bba1e63e259861ef4b28244c180a88e1d643a')
+
+prepare() {
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  # Set tls-cipher restriction before loading certificates
+  patch -Np1 < "${srcdir}"/0001-set-tls-cipher-restriction-before-loading-certificates.patch
+
+  # management: preserve wait_for_push field when asking for user/pass
+  patch -Np1 < "${srcdir}"/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
+
+  # regenerate configure script
+  autoreconf -fi
+}
+
+build() {
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  ./configure \
+    --prefix=/usr \
+    --sbindir=/usr/bin \
+    --enable-iproute2 \
+    --enable-pkcs11 \
+    --enable-plugins \
+    --enable-systemd \
+    --enable-x509-alt-username
+  make
+}
+
+check() {
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  make check
+}
+
+package() {
+  cd "${srcdir}"/${pkgname}-${pkgver}
+
+  # Install openvpn
+  make DESTDIR="${pkgdir}" install
+
+  # Create empty configuration directories
+  install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}
+
+  # Install examples
+  install -d -m0755 "${pkgdir}"/usr/share/openvpn
+  cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples
+
+  # Install license
+  install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
+  ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
+
+  # Install contrib
+  for FILE in $(find contrib -type f); do
+    case "$(file --brief --mime-type "${FILE}")" in
+      "text/x-shellscript") install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+      *) install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+    esac
+  done
+}
+

Copied: openvpn/repos/testing-x86_64/openvpn-2.4.3.tar.xz.asc (from rev 301200, openvpn/trunk/openvpn-2.4.3.tar.xz.asc)
===================================================================
(Binary files differ)


