Date: Monday, July 24, 2017 @ 14:42:41 Author: eworm Revision: 301201
archrelease: copy trunk to testing-i686, testing-x86_64 Added: openvpn/repos/testing-i686/ openvpn/repos/testing-i686/0001-set-tls-cipher-restriction-before-loading-certificates.patch (from rev 301200, openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch) openvpn/repos/testing-i686/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch (from rev 301200, openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch) openvpn/repos/testing-i686/PKGBUILD (from rev 301200, openvpn/trunk/PKGBUILD) openvpn/repos/testing-i686/openvpn-2.4.3.tar.xz.asc (from rev 301200, openvpn/trunk/openvpn-2.4.3.tar.xz.asc) openvpn/repos/testing-x86_64/ openvpn/repos/testing-x86_64/0001-set-tls-cipher-restriction-before-loading-certificates.patch (from rev 301200, openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch) openvpn/repos/testing-x86_64/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch (from rev 301200, openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch) openvpn/repos/testing-x86_64/PKGBUILD (from rev 301200, openvpn/trunk/PKGBUILD) openvpn/repos/testing-x86_64/openvpn-2.4.3.tar.xz.asc (from rev 301200, openvpn/trunk/openvpn-2.4.3.tar.xz.asc) ---------------------------------------------------------------------------------------------+ testing-i686/0001-set-tls-cipher-restriction-before-loading-certificates.patch | 47 +++++ testing-i686/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch | 40 ++++ testing-i686/PKGBUILD | 84 ++++++++++ testing-x86_64/0001-set-tls-cipher-restriction-before-loading-certificates.patch | 47 +++++ testing-x86_64/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch | 40 ++++ testing-x86_64/PKGBUILD | 84 ++++++++++ 6 files changed, 342 insertions(+) Copied: 
openvpn/repos/testing-i686/0001-set-tls-cipher-restriction-before-loading-certificates.patch (from rev 301200, openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch)
===================================================================
--- testing-i686/0001-set-tls-cipher-restriction-before-loading-certificates.patch (rev 0)
+++ testing-i686/0001-set-tls-cipher-restriction-before-loading-certificates.patch 2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,47 @@
+From 95c07b13ce112ceb8b15175fcae0d95c70e93eee Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <a...@rfc2549.org>
+Date: Mon, 26 Jun 2017 13:13:26 +0200
+Subject: Set tls-cipher restriction before loading certificates
+
+OpenSSL 1.1 does not allow MD5 signed certificates by default anymore.
+This can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but
+only if the cipher list is set before loading the certificates. This patch
+changes the order of loading.
+
+Acked-by: Christian Hesse <l...@eworm.de>
+Acked-by: Steffan Karger <steffan.kar...@fox-it.com>
+Message-Id: <1498475606-8337-1-git-send-email-a...@rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14961.html
+
+Signed-off-by: Gert Doering <g...@greenie.muc.de>
+(cherry picked from commit 26345ba61b8d5bccb1331894ab6d1468e3b09adf)
+---
+ src/openvpn/ssl.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index 15cd94ad..98f4741b 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+ tls_ctx_client_new(new_ctx);
+ }
+
++ /* Allowable ciphers */
++ /* Since @SECLEVEL also influces loading of certificates, set the
++ * cipher restrictions before loading certificates */
++ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
++
+ tls_ctx_set_options(new_ctx, options->ssl_flags);
+
+ if (options->pkcs12_file)
+@@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+ tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
+ }
+
+- /* Allowable ciphers */
+- tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
+-
+ #ifdef ENABLE_CRYPTO_MBEDTLS
+ /* Personalise the random by mixing in the certificate */
+ tls_ctx_personalise_random(new_ctx);
Copied: openvpn/repos/testing-i686/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch (from rev 301200, openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch)
===================================================================
--- testing-i686/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch (rev 0)
+++ testing-i686/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch 2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,40 @@
+From 3322c558fa742cb823fa919f682486973abc4f8e Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <a...@unstable.cc>
+Date: Fri, 7 Jul 2017 22:01:08 +0800
+Subject: management: preserve wait_for_push field when asking for user/pass
+
+With the introduction of the wait_for_push field in the auth_user_pass
+structure, we have to make sure that such field is not accidentally
+erased when the management asks the user for user/pass.
+
+Erasing such field would mess up the logic introduced by
+("Ignore auth-nocache for auth-user-pass if auth-token is pushed").
+
+Thanks to David Sommerseth for the preliminary analysis and debugging.
+
+Reported-by: Steven Haigh <net...@crc.id.au>
+Signed-off-by: Antonio Quartulli <a...@unstable.cc>
+Tested-by: Steven Haigh <net...@crc.id.au>
+Acked-by: David Sommerseth <dav...@openvpn.net>
+Message-Id: <20170707140108.31612-...@unstable.cc>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
+Signed-off-by: David Sommerseth <dav...@openvpn.net>
+---
+ src/openvpn/manage.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
+index 13be6f6d..ff948240 100644
+--- a/src/openvpn/manage.c
++++ b/src/openvpn/manage.c
+@@ -3501,7 +3501,9 @@ management_query_user_pass(struct management *man,
+ */
+ if (ret)
+ {
+- man->connection.up_query.nocache = up->nocache; /* preserve caller's nocache setting */
++ /* preserve caller's settings */
++ man->connection.up_query.nocache = up->nocache;
++ man->connection.up_query.wait_for_push = up->wait_for_push;
+ *up = man->connection.up_query;
+ }
+ secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));
Copied: openvpn/repos/testing-i686/PKGBUILD (from rev 301200, openvpn/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD (rev 0)
+++ testing-i686/PKGBUILD 2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,84 @@
+# $Id$
+# Maintainer: Christian Hesse <m...@eworm.de>
+
+pkgname=openvpn
+pkgver=2.4.3
+pkgrel=3
+pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
+arch=('i686' 'x86_64')
+url='http://openvpn.net/index.php/open-source.html'
+depends=('openssl' 'lzo' 'iproute2' 'libsystemd' 'pkcs11-helper')
+optdepends=('easy-rsa: easy CA and certificate handling'
+ 'pam: authenticate via PAM')
+makedepends=('systemd')
+license=('custom')
+validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7') # OpenVPN - Security Mailing List <secur...@openvpn.net>
+#source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc})
+source=("http://www.eurephia.net/openvpn/openvpn-${pkgver}.tar.xz"
+ "openvpn-${pkgver}.tar.xz.asc"
+ '0001-set-tls-cipher-restriction-before-loading-certificates.patch'
+ '0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch')
+sha256sums=('7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571'
+ 'SKIP'
+ 'd23b4b7642450eab01873c9dbc95c851324f9726f5706541fffde7551818ebb9'
+ 'e4b95b766b5e0c4db3e7f67dcc5bba1e63e259861ef4b28244c180a88e1d643a')
+
+prepare() {
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ # Set tls-cipher restriction before loading certificates
+ patch -Np1 < "${srcdir}"/0001-set-tls-cipher-restriction-before-loading-certificates.patch
+
+ # management: preserve wait_for_push field when asking for user/pass
+ patch -Np1 < "${srcdir}"/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
+
+ # regenerate configure script
+ autoreconf -fi
+}
+
+build() {
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --enable-iproute2 \
+ --enable-pkcs11 \
+ --enable-plugins \
+ --enable-systemd \
+ --enable-x509-alt-username
+ make
+}
+
+check() {
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ make check
+}
+
+package() {
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ # Install openvpn
+ make DESTDIR="${pkgdir}" install
+
+ # Create empty configuration directories
+ install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}
+
+ # Install examples
+ install -d -m0755 "${pkgdir}"/usr/share/openvpn
+ cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples
+
+ # Install license
+ install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
+ ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
+
+ # Install contrib
+ for FILE in $(find contrib -type f); do
+ case "$(file --brief --mime-type "${FILE}")" in
+ "text/x-shellscript") install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ *) install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ esac
+ done
+}
+
Copied: openvpn/repos/testing-i686/openvpn-2.4.3.tar.xz.asc (from rev 301200, openvpn/trunk/openvpn-2.4.3.tar.xz.asc)
===================================================================
(Binary files differ)
Copied: openvpn/repos/testing-x86_64/0001-set-tls-cipher-restriction-before-loading-certificates.patch (from rev 301200, openvpn/trunk/0001-set-tls-cipher-restriction-before-loading-certificates.patch)
===================================================================
--- testing-x86_64/0001-set-tls-cipher-restriction-before-loading-certificates.patch (rev 0)
+++ testing-x86_64/0001-set-tls-cipher-restriction-before-loading-certificates.patch 2017-07-24 14:42:41 UTC (rev 301201)
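Review bot: The tarball is fetched over plain http from www.eurephia.net while the official swupdate.openvpn.net URL is left commented out with no explanation; integrity still rests on the pinned sha256 and on the PGP check of the shipped `.asc` against `validpgpkeys`, but the reason for the mirror should be recorded next to it, e.g. `# official swupdate.openvpn.net URL disabled above — TODO: note why the eurephia.net mirror is used`. In `package()`, `for FILE in $(find contrib -type f); do` word-splits and glob-expands find's output, so a contrib path containing whitespace would be installed under the wrong name; `find contrib -type f -print0 | while IFS= read -r -d '' FILE; do` with the matching `done` keeps the loop body unchanged and avoids that. The `-g 90` on the `install -d` for `/etc/openvpn/{client,server}` is a magic gid, and a comment naming the group it is expected to resolve to would help the next maintainer. The testing-x86_64 PKGBUILD in this commit is byte-identical and shares all three points.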
@@ -0,0 +1,47 @@
+From 95c07b13ce112ceb8b15175fcae0d95c70e93eee Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <a...@rfc2549.org>
+Date: Mon, 26 Jun 2017 13:13:26 +0200
+Subject: Set tls-cipher restriction before loading certificates
+
+OpenSSL 1.1 does not allow MD5 signed certificates by default anymore.
+This can be enabled again by settings tls-cipher "DEFAULT:@SECLEVEL=0" but
+only if the cipher list is set before loading the certificates. This patch
+changes the order of loading.
+
+Acked-by: Christian Hesse <l...@eworm.de>
+Acked-by: Steffan Karger <steffan.kar...@fox-it.com>
+Message-Id: <1498475606-8337-1-git-send-email-a...@rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14961.html
+
+Signed-off-by: Gert Doering <g...@greenie.muc.de>
+(cherry picked from commit 26345ba61b8d5bccb1331894ab6d1468e3b09adf)
+---
+ src/openvpn/ssl.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
+index 15cd94ad..98f4741b 100644
+--- a/src/openvpn/ssl.c
++++ b/src/openvpn/ssl.c
+@@ -616,6 +616,11 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+ tls_ctx_client_new(new_ctx);
+ }
+
++ /* Allowable ciphers */
++ /* Since @SECLEVEL also influces loading of certificates, set the
++ * cipher restrictions before loading certificates */
++ tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
++
+ tls_ctx_set_options(new_ctx, options->ssl_flags);
+
+ if (options->pkcs12_file)
+@@ -708,9 +713,6 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
+ tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
+ }
+
+- /* Allowable ciphers */
+- tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
+-
+ #ifdef ENABLE_CRYPTO_MBEDTLS
+ /* Personalise the random by mixing in the certificate */
+ tls_ctx_personalise_random(new_ctx);
Copied: openvpn/repos/testing-x86_64/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch (from rev 301200, openvpn/trunk/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch)
===================================================================
--- testing-x86_64/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch (rev 0)
+++ testing-x86_64/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch 2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,40 @@
+From 3322c558fa742cb823fa919f682486973abc4f8e Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <a...@unstable.cc>
+Date: Fri, 7 Jul 2017 22:01:08 +0800
+Subject: management: preserve wait_for_push field when asking for user/pass
+
+With the introduction of the wait_for_push field in the auth_user_pass
+structure, we have to make sure that such field is not accidentally
+erased when the management asks the user for user/pass.
+
+Erasing such field would mess up the logic introduced by
+("Ignore auth-nocache for auth-user-pass if auth-token is pushed").
+
+Thanks to David Sommerseth for the preliminary analysis and debugging.
+
+Reported-by: Steven Haigh <net...@crc.id.au>
+Signed-off-by: Antonio Quartulli <a...@unstable.cc>
+Tested-by: Steven Haigh <net...@crc.id.au>
+Acked-by: David Sommerseth <dav...@openvpn.net>
+Message-Id: <20170707140108.31612-...@unstable.cc>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
+Signed-off-by: David Sommerseth <dav...@openvpn.net>
+---
+ src/openvpn/manage.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
+index 13be6f6d..ff948240 100644
+--- a/src/openvpn/manage.c
++++ b/src/openvpn/manage.c
+@@ -3501,7 +3501,9 @@ management_query_user_pass(struct management *man,
+ */
+ if (ret)
+ {
+- man->connection.up_query.nocache = up->nocache; /* preserve caller's nocache setting */
++ /* preserve caller's settings */
++ man->connection.up_query.nocache = up->nocache;
++ man->connection.up_query.wait_for_push = up->wait_for_push;
+ *up = man->connection.up_query;
+ }
+ secure_memzero(&man->connection.up_query, sizeof(man->connection.up_query));
Copied: openvpn/repos/testing-x86_64/PKGBUILD (from rev 301200, openvpn/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2017-07-24 14:42:41 UTC (rev 301201)
@@ -0,0 +1,84 @@
+# $Id$
+# Maintainer: Christian Hesse <m...@eworm.de>
+
+pkgname=openvpn
+pkgver=2.4.3
+pkgrel=3
+pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
+arch=('i686' 'x86_64')
+url='http://openvpn.net/index.php/open-source.html'
+depends=('openssl' 'lzo' 'iproute2' 'libsystemd' 'pkcs11-helper')
+optdepends=('easy-rsa: easy CA and certificate handling'
+ 'pam: authenticate via PAM')
+makedepends=('systemd')
+license=('custom')
+validpgpkeys=('F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7') # OpenVPN - Security Mailing List <secur...@openvpn.net>
+#source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc})
+source=("http://www.eurephia.net/openvpn/openvpn-${pkgver}.tar.xz"
+ "openvpn-${pkgver}.tar.xz.asc"
+ '0001-set-tls-cipher-restriction-before-loading-certificates.patch'
+ '0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch')
+sha256sums=('7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571'
+ 'SKIP'
+ 'd23b4b7642450eab01873c9dbc95c851324f9726f5706541fffde7551818ebb9'
+ 'e4b95b766b5e0c4db3e7f67dcc5bba1e63e259861ef4b28244c180a88e1d643a')
+
+prepare() {
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ # Set tls-cipher restriction before loading certificates
+ patch -Np1 < "${srcdir}"/0001-set-tls-cipher-restriction-before-loading-certificates.patch
+
+ # management: preserve wait_for_push field when asking for user/pass
+ patch -Np1 < "${srcdir}"/0002-management-preserve-wait_for_push-field-when-asking-for-user_pass.patch
+
+ # regenerate configure script
+ autoreconf -fi
+}
+
+build() {
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --enable-iproute2 \
+ --enable-pkcs11 \
+ --enable-plugins \
+ --enable-systemd \
+ --enable-x509-alt-username
+ make
+}
+
+check() {
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ make check
+}
+
+package() {
+ cd "${srcdir}"/${pkgname}-${pkgver}
+
+ # Install openvpn
+ make DESTDIR="${pkgdir}" install
+
+ # Create empty configuration directories
+ install -d -m0750 -g 90 "${pkgdir}"/etc/openvpn/{client,server}
+
+ # Install examples
+ install -d -m0755 "${pkgdir}"/usr/share/openvpn
+ cp -r sample/sample-config-files "${pkgdir}"/usr/share/openvpn/examples
+
+ # Install license
+ install -d -m0755 "${pkgdir}"/usr/share/licenses/openvpn/
+ ln -sf /usr/share/doc/openvpn/{COPYING,COPYRIGHT.GPL} "${pkgdir}"/usr/share/licenses/openvpn/
+
+ # Install contrib
+ for FILE in $(find contrib -type f); do
+ case "$(file --brief --mime-type "${FILE}")" in
+ "text/x-shellscript") install -D -m0755 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ *) install -D -m0644 "${FILE}" "${pkgdir}/usr/share/openvpn/${FILE}" ;;
+ esac
+ done
+}
+
Copied: openvpn/repos/testing-x86_64/openvpn-2.4.3.tar.xz.asc (from rev 301200, openvpn/trunk/openvpn-2.4.3.tar.xz.asc)
===================================================================
(Binary files differ)