Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package openvpn for openSUSE:Factory checked
in at 2023-03-03 22:24:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvpn (Old)
and /work/SRC/openSUSE:Factory/.openvpn.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvpn"
Fri Mar 3 22:24:15 2023 rev:106 rq:1068620 version:2.5.9
Changes:
--------
--- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes 2023-02-14
20:08:10.356394728 +0100
+++ /work/SRC/openSUSE:Factory/.openvpn.new.31432/openvpn.changes
2023-03-03 22:24:18.410486988 +0100
@@ -1,0 +2,21 @@
+Thu Mar 2 07:34:31 UTC 2023 - Mohd Saquib <mohd.saq...@suse.com>
+
+- update to 2.5.9:
+ * Optional ciphers in --data-ciphers Ciphers in --data-ciphers
+ can now be prefixed with a ? to mark those as optional and only
+ use them if the SSL library supports them.
+ * when compiling from a git checkout, put proper branch names into
+ windows builds
+ * do not include auth-token in pulled-option digest (interferes
+ with persist-tun when auth-token is in use, GH #200).
+ * fix corner case that might lead to leaked file descriptor
+ * fix parser bug (parse_line()) that can lead to buffer overflows
+ on malformed command line or server ccd file handling.
+ Not exploitable.
+ * pull-filter: ignore leading spaces in option names (work around
+ server side bug with erroneous extra spaces)
+ * push: do not add leading spaces to "out of renegotiations" pushed
+ auth-token fix NULL pointer crash on "openvpn --show-tls" with
+ mbedtls
+
+-------------------------------------------------------------------
Old:
----
openvpn-2.5.8.tar.gz
openvpn-2.5.8.tar.gz.asc
New:
----
openvpn-2.5.9.tar.gz
openvpn-2.5.9.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openvpn.spec ++++++
--- /var/tmp/diff_new_pack.2I1P41/_old 2023-03-03 22:24:19.242490150 +0100
+++ /var/tmp/diff_new_pack.2I1P41/_new 2023-03-03 22:24:19.246490164 +0100
@@ -20,7 +20,7 @@
%define _rundir %{_localstatedir}/run
%endif
Name: openvpn
-Version: 2.5.8
+Version: 2.5.9
Release: 0
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
License: GPL-2.0-only WITH openvpn-openssl-exception
++++++ openvpn-2.5.8.tar.gz -> openvpn-2.5.9.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/ChangeLog new/openvpn-2.5.9/ChangeLog
--- old/openvpn-2.5.8/ChangeLog 2022-10-28 10:40:27.000000000 +0200
+++ new/openvpn-2.5.9/ChangeLog 2023-02-14 17:21:11.000000000 +0100
@@ -1,6 +1,31 @@
OpenVPN Change Log
Copyright (C) 2002-2022 OpenVPN Inc <sa...@openvpn.net>
+2023.02.14 -- Version 2.5.9
+
+Arne Schwabe (6):
+ Implement optional cipher in --data-ciphers prefixed with ?
+ Fix handling an optional invalid cipher at the end of data-ciphers
+ Ensure that argument to parse_line has always space for final sentinel
+ Improve documentation on user/password requirement and unicodize function
+ Remove unused gc_arena
+ Fix corner case that might lead to leaked file descriptor
+
+Frank Lichtenheld (1):
+ msvc: always call git-version.py
+
+Lev Stipakov (1):
+ git-version.py: proper support for tags
+
+Max Fillinger (1):
+ Check if pkcs11_cert is NULL before freeing it
+
+Selva Nair (3):
+ Do not add leading space to pushed options
+ pull-filter: ignore leading "spaces" in option names
+ Do not include auth-token in pulled option digest
+
+
2022.10.27 -- Version 2.5.8
Antonio Quartulli (1):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/Changes.rst
new/openvpn-2.5.9/Changes.rst
--- old/openvpn-2.5.8/Changes.rst 2022-10-28 10:40:26.000000000 +0200
+++ new/openvpn-2.5.9/Changes.rst 2023-02-14 17:21:11.000000000 +0100
@@ -1,3 +1,35 @@
+Overview of changes in 2.5.9
+============================
+
+New features
+------------
+- Optional ciphers in ``--data-ciphers``
+ Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark
+ those as optional and only use them if the SSL library supports them.
+
+User-visible Changes
+--------------------
+- when compiling from a git checkout, put proper branch names into
+ windows builds
+
+Bugfixes
+--------
+- do not include auth-token in pulled-option digest (interferes with
+ persist-tun when auth-token is in use, GH #200).
+
+- fix corner case that might lead to leaked file descriptor
+
+- fix parser bug (parse_line()) that can lead to buffer overflows on
+ malformed command line or server ccd file handling. Not exploitable.
+
+- pull-filter: ignore leading spaces in option names (work around server side
+ bug with erroneous extra spaces)
+
+- push: do not add leading spaces to "out of renegotiations" pushed auth-token
+
+- fix NULL pointer crash on "openvpn --show-tls" with mbedtls
+
+
Overview of changes in 2.5.8
============================
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/build/msvc/msvc-generate/Makefile.mak
new/openvpn-2.5.9/build/msvc/msvc-generate/Makefile.mak
--- old/openvpn-2.5.8/build/msvc/msvc-generate/Makefile.mak 2022-10-28
10:40:26.000000000 +0200
+++ new/openvpn-2.5.9/build/msvc/msvc-generate/Makefile.mak 2023-02-14
17:21:11.000000000 +0100
@@ -51,10 +51,13 @@
cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)"
--input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)"
$(OUTPUT_MAN): $(INPUT_MAN)
- -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)"
"$(OUTPUT_MAN)"
+ -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)"
"$(OUTPUT_MAN)"
-$(OUTPUT_MSVC_GIT_CONFIG):
- python git-version.py $(SOLUTIONDIR)
+# Force regeneration because we can't detect whether it is outdated
+$(OUTPUT_MSVC_GIT_CONFIG): FORCE
+ python git-version.py $(SOLUTIONDIR)
+
+FORCE:
clean:
-del "$(OUTPUT_MSVC_VER)"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/configure new/openvpn-2.5.9/configure
--- old/openvpn-2.5.8/configure 2022-10-28 10:40:33.000000000 +0200
+++ new/openvpn-2.5.9/configure 2023-02-14 17:21:11.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.8.
+# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.9.
#
# Report bugs to <openvpn-us...@lists.sourceforge.net>.
#
@@ -621,8 +621,8 @@
# Identity of this package.
PACKAGE_NAME='OpenVPN'
PACKAGE_TARNAME='openvpn'
-PACKAGE_VERSION='2.5.8'
-PACKAGE_STRING='OpenVPN 2.5.8'
+PACKAGE_VERSION='2.5.9'
+PACKAGE_STRING='OpenVPN 2.5.9'
PACKAGE_BUGREPORT='openvpn-us...@lists.sourceforge.net'
PACKAGE_URL=''
@@ -1507,7 +1507,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures OpenVPN 2.5.8 to adapt to many kinds of systems.
+\`configure' configures OpenVPN 2.5.9 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1578,7 +1578,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of OpenVPN 2.5.8:";;
+ short | recursive ) echo "Configuration of OpenVPN 2.5.9:";;
esac
cat <<\_ACEOF
@@ -1794,7 +1794,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-OpenVPN configure 2.5.8
+OpenVPN configure 2.5.9
generated by GNU Autoconf 2.71
Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2588,7 +2588,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by OpenVPN $as_me 2.5.8, which was
+It was created by OpenVPN $as_me 2.5.9, which was
generated by GNU Autoconf 2.71. Invocation command line was
$ $0$ac_configure_args_raw
@@ -3364,13 +3364,13 @@
fi
-printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,8,0" >>confdefs.h
+printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,9,0" >>confdefs.h
OPENVPN_VERSION_MAJOR=2
OPENVPN_VERSION_MINOR=5
-OPENVPN_VERSION_PATCH=.8
+OPENVPN_VERSION_PATCH=.9
printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
@@ -3379,7 +3379,7 @@
printf "%s\n" "#define OPENVPN_VERSION_MINOR 5" >>confdefs.h
-printf "%s\n" "#define OPENVPN_VERSION_PATCH \".8\"" >>confdefs.h
+printf "%s\n" "#define OPENVPN_VERSION_PATCH \".9\"" >>confdefs.h
@@ -3905,7 +3905,7 @@
# Define the identity of the package.
PACKAGE='openvpn'
- VERSION='2.5.8'
+ VERSION='2.5.9'
printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -20500,7 +20500,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by OpenVPN $as_me 2.5.8, which was
+This file was extended by OpenVPN $as_me 2.5.9, which was
generated by GNU Autoconf 2.71. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -20568,7 +20568,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-OpenVPN config.status 2.5.8
+OpenVPN config.status 2.5.9
configured by $0, generated by GNU Autoconf 2.71,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/doc/man-sections/protocol-options.rst
new/openvpn-2.5.9/doc/man-sections/protocol-options.rst
--- old/openvpn-2.5.8/doc/man-sections/protocol-options.rst 2022-10-28
10:40:26.000000000 +0200
+++ new/openvpn-2.5.9/doc/man-sections/protocol-options.rst 2023-02-14
17:21:11.000000000 +0100
@@ -184,6 +184,13 @@
supported by the client will be pushed to clients that support cipher
negotiation.
+ Starting with OpenVPN 2.5.9 a cipher can be prefixed with a :code:`?` to mark
+ it as optional. This allows including ciphers in the list that may not be
+ available on all platforms.
+ E.g. :code:`AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305` would only enable
+ Chacha20-Poly1305 if the underlying SSL library (and its configuration)
+ supports it.
+
Cipher negotiation is enabled in client-server mode only. I.e. if
``--mode`` is set to 'server' (server-side, implied by setting
``--server`` ), or if ``--pull`` is specified (client-side, implied by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/doc/openvpn.8
new/openvpn-2.5.9/doc/openvpn.8
--- old/openvpn-2.5.8/doc/openvpn.8 2022-10-28 10:40:46.000000000 +0200
+++ new/openvpn-2.5.9/doc/openvpn.8 2023-02-14 17:21:11.000000000 +0100
@@ -887,6 +887,13 @@
supported by the client will be pushed to clients that support cipher
negotiation.
.sp
+Starting with OpenVPN 2.5.9 a cipher can be prefixed with a \fB?\fP to mark
+it as optional. This allows including ciphers in the list that may not be
+available on all platforms.
+E.g. \fBAES\-256\-GCM:AES\-128\-GCM:?CHACHA20\-POLY1305\fP would only enable
+Chacha20\-Poly1305 if the underlying SSL library (and its configuration)
+supports it.
+.sp
Cipher negotiation is enabled in client\-server mode only. I.e. if
\fB\-\-mode\fP is set to \(aqserver\(aq (server\-side, implied by setting
\fB\-\-server\fP ), or if \fB\-\-pull\fP is specified (client\-side, implied by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/doc/openvpn.8.html
new/openvpn-2.5.9/doc/openvpn.8.html
--- old/openvpn-2.5.8/doc/openvpn.8.html 2022-10-28 10:40:45.000000000
+0200
+++ new/openvpn-2.5.9/doc/openvpn.8.html 2023-02-14 17:21:11.000000000
+0100
@@ -1113,6 +1113,12 @@
<p>For servers, the first cipher from <tt class="docutils literal"><span
class="pre">cipher-list</span></tt> that is also
supported by the client will be pushed to clients that support cipher
negotiation.</p>
+<p>Starting with OpenVPN 2.5.9 a cipher can be prefixed with a <code>?</code>
to mark
+it as optional. This allows including ciphers in the list that may not be
+available on all platforms.
+E.g. <code>AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305</code> would only enable
+Chacha20-Poly1305 if the underlying SSL library (and its configuration)
+supports it.</p>
<p>Cipher negotiation is enabled in client-server mode only. I.e. if
<tt class="docutils literal"><span class="pre">--mode</span></tt> is set to
'server' (server-side, implied by setting
<tt class="docutils literal"><span class="pre">--server</span></tt> ), or if
<tt class="docutils literal"><span class="pre">--pull</span></tt> is specified
(client-side, implied by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/include/openvpn-plugin.h
new/openvpn-2.5.9/include/openvpn-plugin.h
--- old/openvpn-2.5.8/include/openvpn-plugin.h 2022-10-28 10:40:43.000000000
+0200
+++ new/openvpn-2.5.9/include/openvpn-plugin.h 2023-02-14 17:21:11.000000000
+0100
@@ -53,7 +53,7 @@
*/
#define OPENVPN_VERSION_MAJOR 2
#define OPENVPN_VERSION_MINOR 5
-#define OPENVPN_VERSION_PATCH ".8"
+#define OPENVPN_VERSION_PATCH ".9"
/*
* Plug-in types. These types correspond to the set of script callbacks
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/sample/sample-plugins/Makefile
new/openvpn-2.5.9/sample/sample-plugins/Makefile
--- old/openvpn-2.5.8/sample/sample-plugins/Makefile 2022-10-28
10:40:43.000000000 +0200
+++ new/openvpn-2.5.9/sample/sample-plugins/Makefile 2023-02-14
17:21:11.000000000 +0100
@@ -213,7 +213,7 @@
OPENSSL_LIBS = -lssl -lcrypto
OPENVPN_VERSION_MAJOR = 2
OPENVPN_VERSION_MINOR = 5
-OPENVPN_VERSION_PATCH = .8
+OPENVPN_VERSION_PATCH = .9
OPTIONAL_CRYPTO_CFLAGS =
OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto
OPTIONAL_DL_LIBS = -ldl
@@ -234,13 +234,13 @@
PACKAGE = openvpn
PACKAGE_BUGREPORT = openvpn-us...@lists.sourceforge.net
PACKAGE_NAME = OpenVPN
-PACKAGE_STRING = OpenVPN 2.5.8
+PACKAGE_STRING = OpenVPN 2.5.9
PACKAGE_TARNAME = openvpn
PACKAGE_URL =
-PACKAGE_VERSION = 2.5.8
+PACKAGE_VERSION = 2.5.9
PATH_SEPARATOR = :
PKCS11_HELPER_CFLAGS =
-PKCS11_HELPER_LIBS =
+PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper
PKG_CONFIG = /usr/bin/pkg-config
PKG_CONFIG_LIBDIR =
PKG_CONFIG_PATH =
@@ -267,7 +267,7 @@
TEST_CFLAGS = -I$(top_srcdir)/include
TEST_LDFLAGS = -lssl -lcrypto -llzo2 -lcmocka
TMPFILES_DIR =
-VERSION = 2.5.8
+VERSION = 2.5.9
abs_builddir =
/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins
abs_srcdir =
/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins
abs_top_builddir =
/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/forward.c
new/openvpn-2.5.9/src/openvpn/forward.c
--- old/openvpn-2.5.8/src/openvpn/forward.c 2022-10-28 10:40:26.000000000
+0200
+++ new/openvpn-2.5.9/src/openvpn/forward.c 2023-02-14 17:21:11.000000000
+0100
@@ -1714,8 +1714,6 @@
void
process_outgoing_tun(struct context *c)
{
- struct gc_arena gc = gc_new();
-
/*
* Set up for write() call to TUN/TAP
* device.
@@ -1801,7 +1799,6 @@
buf_reset(&c->c2.to_tun);
perf_pop();
- gc_free(&gc);
}
void
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/misc.c
new/openvpn-2.5.9/src/openvpn/misc.c
--- old/openvpn-2.5.8/src/openvpn/misc.c 2022-10-28 10:40:26.000000000
+0200
+++ new/openvpn-2.5.9/src/openvpn/misc.c 2023-02-14 17:21:11.000000000
+0100
@@ -273,6 +273,7 @@
msg(D_LOW, "No password found in %s authfile '%s'. Querying
the management interface", prefix, auth_file);
if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
{
+ fclose(fp);
return false;
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/misc.h
new/openvpn-2.5.9/src/openvpn/misc.h
--- old/openvpn-2.5.8/src/openvpn/misc.h 2022-10-28 10:40:26.000000000
+0200
+++ new/openvpn-2.5.9/src/openvpn/misc.h 2023-02-14 17:21:11.000000000
+0100
@@ -74,6 +74,7 @@
#else
#define USER_PASS_LEN 128
#endif
+ /* Note that username and password are expected to be null-terminated */
char username[USER_PASS_LEN];
char password[USER_PASS_LEN];
};
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/ntlm.c
new/openvpn-2.5.9/src/openvpn/ntlm.c
--- old/openvpn-2.5.8/src/openvpn/ntlm.c 2022-10-28 10:40:26.000000000
+0200
+++ new/openvpn-2.5.9/src/openvpn/ntlm.c 2023-02-14 17:21:11.000000000
+0100
@@ -143,6 +143,19 @@
}
}
+/**
+ * This function expects a null-terminated string in src and will
+ * copy it (including the terminating NUL byte),
+ * alternating it with 0 to dst.
+ *
+ * This basically will transform a ASCII string into valid UTF-16.
+ * Characters that are 8bit in src, will get the same treatment, resulting in
+ * invalid or wrong unicode code points.
+ *
+ * @note the function will blindly assume that dst has double
+ * the space of src.
+ * @return the length of the number of bytes written to dst
+ */
static int
unicodize(char *dst, const char *src)
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/options.c
new/openvpn-2.5.9/src/openvpn/options.c
--- old/openvpn-2.5.8/src/openvpn/options.c 2022-10-28 10:40:26.000000000
+0200
+++ new/openvpn-2.5.9/src/openvpn/options.c 2023-02-14 17:21:11.000000000
+0100
@@ -4926,8 +4926,6 @@
unsigned int *option_types_found,
struct env_set *es)
{
- int i, j;
-
/* usage message */
if (argc <= 1)
{
@@ -4937,7 +4935,7 @@
/* config filename specified only? */
if (argc == 2 && strncmp(argv[1], "--", 2))
{
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
CLEAR(p);
p[0] = "config";
p[1] = argv[1];
@@ -4947,9 +4945,9 @@
else
{
/* parse command line */
- for (i = 1; i < argc; ++i)
+ for (int i = 1; i < argc; ++i)
{
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
CLEAR(p);
p[0] = argv[i];
if (strncmp(p[0], "--", 2))
@@ -4961,6 +4959,7 @@
p[0] += 2;
}
+ int j;
for (j = 1; j < MAX_PARMS; ++j)
{
if (i + j < argc)
@@ -5001,6 +5000,12 @@
return true;
}
+ /* skip leading spaces matching the behaviour of parse_line */
+ while (isspace(*line))
+ {
+ line++;
+ }
+
for (f = o->pull_filter_list->head; f; f = f->next)
{
if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size)
== 0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/push.c
new/openvpn-2.5.9/src/openvpn/push.c
--- old/openvpn-2.5.8/src/openvpn/push.c 2022-10-28 10:40:26.000000000
+0200
+++ new/openvpn-2.5.9/src/openvpn/push.c 2023-02-14 17:21:11.000000000
+0100
@@ -536,7 +536,7 @@
/* Construct a mimimal control channel push reply message */
struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
- buf_printf(&buf, "%s, %s", push_reply_cmd, e->option);
+ buf_printf(&buf, "%s,%s", push_reply_cmd, e->option);
send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH);
gc_free(&gc);
}
@@ -779,8 +779,10 @@
char line[OPTION_PARM_SIZE];
while (buf_parse(buf, ',', line, sizeof(line)))
{
- /* peer-id might change on restart and this should not trigger
reopening tun */
- if (strprefix(line, "peer-id "))
+ /* peer-id and auth-token might change on restart and this should not
trigger reopening tun */
+ if (strprefix(line, "peer-id ")
+ || strprefix(line, "auth-token ")
+ || strprefix(line, "auth-token-user "))
{
continue;
}
@@ -891,13 +893,13 @@
/* cycle through the push list */
while (e)
{
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
bool enable = true;
/* parse the push item */
CLEAR(p);
if (e->enable
- && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1,
D_ROUTE_DEBUG, &gc))
+ && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]",
1, D_ROUTE_DEBUG, &gc))
{
/* is the push item a route directive? */
if (p[0] && !strcmp(p[0], "route") && !p[3])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/ssl_mbedtls.c
new/openvpn-2.5.9/src/openvpn/ssl_mbedtls.c
--- old/openvpn-2.5.8/src/openvpn/ssl_mbedtls.c 2022-10-28 10:40:26.000000000
+0200
+++ new/openvpn-2.5.9/src/openvpn/ssl_mbedtls.c 2023-02-14 17:21:11.000000000
+0100
@@ -168,7 +168,13 @@
}
#if defined(ENABLE_PKCS11)
- pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
+ /* ...freeCertificate() can handle NULL ptrs, but if pkcs11 helper
+ * has not been initialized, it will ASSERT() - so, do not pass NULL
+ */
+ if (ctx->pkcs11_cert)
+ {
+ pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
+ }
#endif
if (ctx->allowed_ciphers)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/ssl_ncp.c
new/openvpn-2.5.9/src/openvpn/ssl_ncp.c
--- old/openvpn-2.5.8/src/openvpn/ssl_ncp.c 2022-10-28 10:40:26.000000000
+0200
+++ new/openvpn-2.5.9/src/openvpn/ssl_ncp.c 2023-02-14 17:21:11.000000000
+0100
@@ -108,7 +108,18 @@
* (and translate_cipher_name_from_openvpn/
* translate_cipher_name_to_openvpn) also normalises the cipher name,
* e.g. replacing AeS-128-gCm with AES-128-GCM
+ *
+ * ciphers that have ? in front of them are considered optional and
+ * OpenVPN will only warn if they are not found (and remove them from
+ * the list)
*/
+
+ bool optional = false;
+ if (token[0] == '?')
+ {
+ token++;
+ optional = true;
+ }
const cipher_kt_t *ktc = cipher_kt_get(token);
if (strcmp(token, "none") == 0)
{
@@ -120,8 +131,9 @@
}
if (!ktc && strcmp(token, "none") != 0)
{
- msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
- error_found = true;
+ const char* optstr = optional ? "optional ": "";
+ msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr,
token);
+ error_found = error_found || !optional;
}
else
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/tests/unit_tests/openvpn/test_ncp.c
new/openvpn-2.5.9/tests/unit_tests/openvpn/test_ncp.c
--- old/openvpn-2.5.8/tests/unit_tests/openvpn/test_ncp.c 2022-10-28
10:40:26.000000000 +0200
+++ new/openvpn-2.5.9/tests/unit_tests/openvpn/test_ncp.c 2023-02-14
17:21:11.000000000 +0100
@@ -74,6 +74,20 @@
assert_ptr_equal(mutate_ncp_cipher_list(bf_chacha, &gc), NULL);
}
+ /* Check that optional ciphers work */
+
assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:?vollbit:AES-128-GCM",
&gc),
+ aes_ciphers);
+
+ /* Check that optional ciphers work */
+ assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM",
&gc),
+ aes_ciphers);
+
+ /* All unsupported should still yield an empty list */
+ assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc),
NULL);
+
+ /* If the last is optional, previous invalid ciphers should be ignored */
+
assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit",
&gc), NULL);
+
/* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
* a different spelling the normalised cipher output is the same */
bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvpn-2.5.8/version.m4 new/openvpn-2.5.9/version.m4
--- old/openvpn-2.5.8/version.m4 2022-10-28 10:40:26.000000000 +0200
+++ new/openvpn-2.5.9/version.m4 2023-02-14 17:21:11.000000000 +0100
@@ -3,12 +3,12 @@
define([PRODUCT_TARNAME], [openvpn])
define([PRODUCT_VERSION_MAJOR], [2])
define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.8])
+define([PRODUCT_VERSION_PATCH], [.9])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
define([PRODUCT_BUGREPORT], [openvpn-us...@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,8,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,9,0])
dnl define the TAP version
define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
