Date: Monday, July 24, 2017 @ 14:41:11 Author: eworm Revision: 301200
upgpkg: openvpn 2.4.3-3
* add optional dependency for PAM
* apply: Set tls-cipher restriction before loading certificates
* apply: management: preserve wait_for_push field when asking for user/pass (FS#54797)
Added:
openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch
openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
Modified:
openvpn/trunk/PKGBUILD
------------------------------------------------------------------------------+
0001-set-tls-cipher-restriction-before-loading-certificates.patch | 47 ++++++++++
0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch | 40 ++++++++
PKGBUILD | 19 +++-
3 files changed, 102 insertions(+), 4 deletions(-)
Added: 0001-set-tls-cipher-restriction-before-loading-certificates.patch
===================================================================
--- 0001-set-tls-cipher-restriction-before-loading-certificates.patch (rev 0)
+++ 0001-set-tls-cipher-restriction-before-loading-certificates.patch 2017-07-24 14:41:11 UTC (rev 301200)
@@ -0,0 +1,47 @@
+From 95c07b13ce112ceb8b15175fcae0d95c70e93eee Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <a...@rfc2549.org>
+Date: Mon, 26 Jun 2017 13:13:26 +0200
+Subject: Set tls-cipher restriction before loading certificates
+
+OpenSSL 1.1 does not allow MD5 signed certificates by default anymore.
+This can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but
+only if the cipher list is set before loading the certificates. This patch
+changes the order of loading.
+
+Acked-by: Christian Hesse <l...@eworm.de>
+Acked-by: Steffan Karger <steffan.kar...@fox-it.com>
+Message-Id: <1498475606-8337-1-git-send-email-a...@rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14961.html
+
+Signed-off-by: Gert Doering <g...@greenie.muc.de>
+(cherry picked from commit 26345ba61b8d5bccb1331894ab6d1468e3b09adf)
+---
+ src/openvpn/ssl.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index 15cd94ad..98f4741b 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+ tls_ctx_client_new(new_ctx);
+ }
+
++ /* Allowable ciphers */
++ /* Since @SECLEVEL also influces loading of certificates, set the
++ * cipher restrictions before loading certificates */
++ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
++
+ tls_ctx_set_options(new_ctx, options->ssl_flags);
+
+ if (options->pkcs12_file)
+@@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+ tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
+ }
+
+- /* Allowable ciphers */
+- tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
+-
+ #ifdef ENABLE_CRYPTO_MBEDTLS
+ /* Personalise the random by mixing in the certificate */
+ tls_ctx_personalise_random(new_ctx);
Added: 0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
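Review bot: The comment added at the inner hunk line `++ /* Since @SECLEVEL also influces loading of certificates, set the` misspells "influences". Since this file is a verbatim cherry-pick of upstream commit 95c07b13 (itself picked from 26345ba6), correcting it here would make the packaged patch diverge from upstream, so the wording belongs in an upstream follow-up rather than in this file. The reordering itself is what the comment justifies: `tls_ctx_restrict_ciphers()` now runs directly after `tls_ctx_client_new()` and before the `options->pkcs12_file` branch and the later certificate loading, instead of after `tls_ctx_load_ecdh_params()`. `init_ssl()` begins before and ends after both inner hunks.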
===================================================================
--- 0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch (rev 0)
+++ 0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch 2017-07-24 14:41:11 UTC (rev 301200)
@@ -0,0 +1,40 @@
+From 3322c558fa742cb823fa919f682486973abc4f8e Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <a...@unstable.cc>
+Date: Fri, 7 Jul 2017 22:01:08 +0800
+Subject: management: preserve wait_for_push field when asking for user/pass
+
+With the introduction of the wait_for_push field in the auth_user_pass
+structure, we have to make sure that such field is not accidentally
+erased when the management asks the user for user/pass.
+
+Erasing such field would mess up the logic introduced by
+("Ignore auth-nocache for auth-user-pass if auth-token is pushed").
+
+Thanks to David Sommerseth for the preliminary analysis and debugging.
+
+Reported-by: Steven Haigh <net...@crc.id.au>
+Signed-off-by: Antonio Quartulli <a...@unstable.cc>
+Tested-by: Steven Haigh <net...@crc.id.au>
+Acked-by: David Sommerseth <dav...@openvpn.net>
+Message-Id: <20170707140108.31612-...@unstable.cc>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
+Signed-off-by: David Sommerseth <dav...@openvpn.net>
+---
+ src/openvpn/manage.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
+index 13be6f6d..ff948240 100644
+--- a/src/openvpn/manage.c
++++ b/src/openvpn/manage.c
+@@ -3501,7 +3501,9 @@ management_query_user_pass(struct management *man,
+ */
+ if (ret)
+ {
+- man->connection.up_query.nocache = up->nocache; /* preserve caller's nocache setting */
++ /* preserve caller's settings */
++ man->connection.up_query.nocache = up->nocache;
++ man->connection.up_query.wait_for_push = up->wait_for_push;
+ *up = man->connection.up_query;
+ }
+ secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2017-07-24 10:39:11 UTC (rev 301199)
+++ PKGBUILD 2017-07-24 14:41:11 UTC (rev 301200)
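Review bot: Preserving the caller's state one field at a time, as the two added assignments into `man->connection.up_query` do, is fragile: the following `*up = man->connection.up_query;` still overwrites the whole struct, so any flag added to `auth_user_pass` later will be silently clobbered again exactly as `wait_for_push` was. A more robust shape would copy only the credential members the management interface actually filled in into `*up` and leave the rest of the caller's struct untouched; the struct definition is not visible from this hunk, so which members those are needs confirming against the header. The `secure_memzero()` of `up_query` right after remains correct either way since the copy happens first. This file is a verbatim cherry-pick of upstream commit 3322c558, so the rework belongs upstream rather than in the package; `management_query_user_pass()` starts before and ends after the inner hunk.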
@@ -3,24 +3,35 @@
 pkgname=openvpn
 pkgver=2.4.3
-pkgrel=2
+pkgrel=3
 pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
 arch=('i686' 'x86_64')
 url='http://openvpn.net/index.php/open-source.html'
 depends=('openssl' 'lzo' 'iproute2' 'libsystemd' 'pkcs11-helper')
-optdepends=('easy-rsa: easy CA and certificate handling')
+optdepends=('easy-rsa: easy CA and certificate handling'
+ 'pam: authenticate via PAM')
 makedepends=('systemd')
 license=('custom')
 validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7') # OpenVPN - Security Mailing List <secur...@openvpn.net>
 #source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc})
 source=("http://www.eurephia.net/openvpn/openvpn-${pkgver}.tar.xz"
- "openvpn-${pkgver}.tar.xz.asc")
+ "openvpn-${pkgver}.tar.xz.asc"
+ '0001-set-tls-cipher-restriction-before-loading-certificates.patch'
+ '0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch')
 sha256sums=('7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571'
- 'SKIP')
+ 'SKIP'
+ 'd23b4b7642450eab01873c9dbc95c851324f9726f5706541fffde7551818ebb9'
+ 'e4b95b766b5e0c4db3e7f67dcc5bba1e63e259861ef4b28244c180a88e1d643a')
 prepare() {
 cd "${srcdir}"/${pkgname}-${pkgver}
+ # Set tls-cipher restriction before loading certificates
+ patch -Np1 < "${srcdir}"/0001-set-tls-cipher-restriction-before-loading-certificates.patch
+
+ # management: preserve wait_for_push field when asking for user/pass
+ patch -Np1 < "${srcdir}"/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
+
 # regenerate configure script
 autoreconf -fi
 }
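Review bot: The two comments added above the `patch -Np1` calls in `prepare()` only repeat the patch subjects; a reader of the PKGBUILD alone cannot tell that both files are upstream cherry-picks or when they become obsolete. Naming the upstream commits makes that explicit, e.g. `# upstream commit 95c07b13, drop on next pkgver bump` above the first call and `# upstream commit 3322c558 (FS#54797), drop on next pkgver bump` above the second. The patch files themselves are pinned in `sha256sums`, so their integrity is covered by makepkg. The new `pam: authenticate via PAM` optdepend presumably assumes the auth-pam plugin is built and installed by `build()`/`package()`, which lie outside this hunk, so that is worth confirming.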