[arch-commits] Commit in openvpn/trunk (4 files)

Christian Hesse eworm at archlinux.org
Tue Sep 26 16:07:54 UTC 2017


    Date: Tuesday, September 26, 2017 @ 16:07:53
  Author: eworm
Revision: 306252

upgpkg: openvpn 2.4.4-1

new upstream release

Modified:
  openvpn/trunk/PKGBUILD
Deleted:
  openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch
  openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
  openvpn/trunk/openvpn-2.4.3.tar.xz.asc

------------------------------------------------------------------------------+
 0001-set-tls-cipher-restriction-before-loading-certificates.patch            |   47 ----------
 0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch |   40 --------
 PKGBUILD                                                                     |   29 +-----
 3 files changed, 5 insertions(+), 111 deletions(-)

Deleted: 0001-set-tls-cipher-restriction-before-loading-certificates.patch
===================================================================
--- 0001-set-tls-cipher-restriction-before-loading-certificates.patch	2017-09-26 12:26:53 UTC (rev 306251)
+++ 0001-set-tls-cipher-restriction-before-loading-certificates.patch	2017-09-26 16:07:53 UTC (rev 306252)
@@ -1,47 +0,0 @@
-From 95c07b13ce112ceb8b15175fcae0d95c70e93eee Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne at rfc2549.org>
-Date: Mon, 26 Jun 2017 13:13:26 +0200
-Subject: Set tls-cipher restriction before loading certificates
-
-OpenSSL 1.1 does not allow MD5 signed certificates by default anymore.
-This can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but
-only if the cipher list is set before loading the certificates. This patch
-changes the order of loading.
-
-Acked-by: Christian Hesse <list at eworm.de>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <1498475606-8337-1-git-send-email-arne at rfc2549.org>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14961.html
-
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-(cherry picked from commit 26345ba61b8d5bccb1331894ab6d1468e3b09adf)
----
- src/openvpn/ssl.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
-index 15cd94ad..98f4741b 100644
---- a/src/openvpn/ssl.c
-+++ b/src/openvpn/ssl.c
-@@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
-         tls_ctx_client_new(new_ctx);
-     }
- 
-+    /* Allowable ciphers */
-+    /* Since @SECLEVEL also influces loading of certificates, set the
-+     * cipher restrictions before loading certificates */
-+    tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
-+
-     tls_ctx_set_options(new_ctx, options->ssl_flags);
- 
-     if (options->pkcs12_file)
-@@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
-         tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
-     }
- 
--    /* Allowable ciphers */
--    tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
--
- #ifdef ENABLE_CRYPTO_MBEDTLS
-     /* Personalise the random by mixing in the certificate */
-     tls_ctx_personalise_random(new_ctx);

Deleted: 0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
===================================================================
--- 0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch	2017-09-26 12:26:53 UTC (rev 306251)
+++ 0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch	2017-09-26 16:07:53 UTC (rev 306252)
@@ -1,40 +0,0 @@
-From 3322c558fa742cb823fa919f682486973abc4f8e Mon Sep 17 00:00:00 2001
-From: Antonio Quartulli <a at unstable.cc>
-Date: Fri, 7 Jul 2017 22:01:08 +0800
-Subject: management: preserve wait_for_push field when asking for user/pass
-
-With the introduction of the wait_for_push field in the auth_user_pass
-structure, we have to make sure that such field is not accidentally
-erased when the management asks the user for user/pass.
-
-Erasing such field would mess up the logic introduced by
-("Ignore auth-nocache for auth-user-pass if auth-token is pushed").
-
-Thanks to David Sommerseth for the preliminary analysis and debugging.
-
-Reported-by: Steven Haigh <netwiz at crc.id.au>
-Signed-off-by: Antonio Quartulli <a at unstable.cc>
-Tested-by: Steven Haigh <netwiz at crc.id.au>
-Acked-by: David Sommerseth <davids at openvpn.net>
-Message-Id: <20170707140108.31612-1-a at unstable.cc>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
-Signed-off-by: David Sommerseth <davids at openvpn.net>
----
- src/openvpn/manage.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
-index 13be6f6d..ff948240 100644
---- a/src/openvpn/manage.c
-+++ b/src/openvpn/manage.c
-@@ -3501,7 +3501,9 @@ management_query_user_pass(struct management *man,
-          */
-         if (ret)
-         {
--            man->connection.up_query.nocache = up->nocache; /* preserve caller's nocache setting */
-+            /* preserve caller's settings */
-+            man->connection.up_query.nocache = up->nocache;
-+            man->connection.up_query.wait_for_push = up->wait_for_push;
-             *up = man->connection.up_query;
-         }
-         secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-09-26 12:26:53 UTC (rev 306251)
+++ PKGBUILD	2017-09-26 16:07:53 UTC (rev 306252)
@@ -2,8 +2,8 @@
 # Maintainer: Christian Hesse <mail at eworm.de>
 
 pkgname=openvpn
-pkgver=2.4.3
-pkgrel=3
+pkgver=2.4.4
+pkgrel=1
 pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
 arch=('i686' 'x86_64')
 url='http://openvpn.net/index.php/open-source.html'
@@ -13,29 +13,10 @@
 makedepends=('systemd')
 license=('custom')
 validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7') # OpenVPN - Security Mailing List <security at openvpn.net>
-#source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc})
-source=("http://www.eurephia.net/openvpn/openvpn-${pkgver}.tar.xz"
-        "openvpn-${pkgver}.tar.xz.asc"
-        '0001-set-tls-cipher-restriction-before-loading-certificates.patch'
-        '0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch')
-sha256sums=('7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571'
-            'SKIP'
-            'd23b4b7642450eab01873c9dbc95c851324f9726f5706541fffde7551818ebb9'
-            'e4b95b766b5e0c4db3e7f67dcc5bba1e63e259861ef4b28244c180a88e1d643a')
+source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc})
+sha256sums=('96cd1b8fe1e8cb2920f07c3fd3985faea756e16fdeebd11d3e146d5bd2b04a80'
+            'SKIP')
 
-prepare() {
-  cd "${srcdir}"/${pkgname}-${pkgver}
-
-  # Set tls-cipher restriction before loading certificates
-  patch -Np1 < "${srcdir}"/0001-set-tls-cipher-restriction-before-loading-certificates.patch
-
-  # management: preserve wait_for_push field when asking for user/pass
-  patch -Np1 < "${srcdir}"/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
-
-  # regenerate configure script
-  autoreconf -fi
-}
-
 build() {
   cd "${srcdir}"/${pkgname}-${pkgver}
 
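Review bot: Nothing in the PKGBUILD or the commit message ("new upstream release") records that 2.4.4 already contains the two backports dropped here together with `prepare()` and the shortened `source=` array. The first deleted patch is marked as cherry-picked from upstream commit 26345ba61b8d5bccb1331894ab6d1468e3b09adf, so it is presumably in the release; the second (wait_for_push, which its description ties to the auth-nocache logic) carries no such marker on this page and should be confirmed against the 2.4.4 tarball. I would say so in the commit message, e.g. `patches 0001 and 0002 dropped, included upstream in 2.4.4`. It would also help to annotate the checksum entry as `'SKIP') # detached signature, checked against validpgpkeys`, so the skipped hash is not read as an unverified download. build() continues past the end of this hunk.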

Deleted: openvpn-2.4.3.tar.xz.asc
===================================================================
(Binary files differ)


