Hello community,

here is the log from the commit of package openvpn for openSUSE:Factory checked 
in at 2023-03-03 22:24:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvpn (Old)
 and      /work/SRC/openSUSE:Factory/.openvpn.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openvpn"

Fri Mar  3 22:24:15 2023 rev:106 rq:1068620 version:2.5.9

Changes:
--------
--- /work/SRC/openSUSE:Factory/openvpn/openvpn.changes  2023-02-14 
20:08:10.356394728 +0100
+++ /work/SRC/openSUSE:Factory/.openvpn.new.31432/openvpn.changes       
2023-03-03 22:24:18.410486988 +0100
@@ -1,0 +2,21 @@
+Thu Mar  2 07:34:31 UTC 2023 - Mohd Saquib <mohd.saq...@suse.com>
+
+- update to 2.5.9:
+  * Optional ciphers in --data-ciphers Ciphers in --data-ciphers
+    can now be prefixed with a ? to mark those as optional and only
+    use them if the SSL library supports them.
+  * when compiling from a git checkout, put proper branch names into
+    windows builds
+  * do not include auth-token in pulled-option digest (interferes
+    with persist-tun when auth-token is in use, GH #200).
+  * fix corner case that might lead to leaked file descriptor
+  * fix parser bug (parse_line()) that can lead to buffer overflows
+    on malformed command line or server ccd file handling.
+    Not exploitable.
+  * pull-filter: ignore leading spaces in option names (work around
+    server side bug with erroneous extra spaces)
+  * push: do not add leading spaces to "out of renegotiations" pushed
+    auth-token fix NULL pointer crash on "openvpn --show-tls" with
+    mbedtls
+
+-------------------------------------------------------------------

Old:
----
  openvpn-2.5.8.tar.gz
  openvpn-2.5.8.tar.gz.asc

New:
----
  openvpn-2.5.9.tar.gz
  openvpn-2.5.9.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openvpn.spec ++++++
--- /var/tmp/diff_new_pack.2I1P41/_old  2023-03-03 22:24:19.242490150 +0100
+++ /var/tmp/diff_new_pack.2I1P41/_new  2023-03-03 22:24:19.246490164 +0100
@@ -20,7 +20,7 @@
 %define _rundir %{_localstatedir}/run
 %endif
 Name:           openvpn
-Version:        2.5.8
+Version:        2.5.9
 Release:        0
 Summary:        Full-featured SSL VPN solution using a TUN/TAP Interface
 License:        GPL-2.0-only WITH openvpn-openssl-exception

++++++ openvpn-2.5.8.tar.gz -> openvpn-2.5.9.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/ChangeLog new/openvpn-2.5.9/ChangeLog
--- old/openvpn-2.5.8/ChangeLog 2022-10-28 10:40:27.000000000 +0200
+++ new/openvpn-2.5.9/ChangeLog 2023-02-14 17:21:11.000000000 +0100
@@ -1,6 +1,31 @@
 OpenVPN Change Log
 Copyright (C) 2002-2022 OpenVPN Inc <sa...@openvpn.net>
 
+2023.02.14 -- Version 2.5.9
+
+Arne Schwabe (6):
+      Implement optional cipher in --data-ciphers prefixed with ?
+      Fix handling an optional invalid cipher at the end of data-ciphers
+      Ensure that argument to parse_line has always space for final sentinel
+      Improve documentation on user/password requirement and unicodize function
+      Remove unused gc_arena
+      Fix corner case that might lead to leaked file descriptor
+
+Frank Lichtenheld (1):
+      msvc: always call git-version.py
+
+Lev Stipakov (1):
+      git-version.py: proper support for tags
+
+Max Fillinger (1):
+      Check if pkcs11_cert is NULL before freeing it
+
+Selva Nair (3):
+      Do not add leading space to pushed options
+      pull-filter: ignore leading "spaces" in option names
+      Do not include auth-token in pulled option digest
+
+
 2022.10.27 -- Version 2.5.8
 
 Antonio Quartulli (1):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/Changes.rst 
new/openvpn-2.5.9/Changes.rst
--- old/openvpn-2.5.8/Changes.rst       2022-10-28 10:40:26.000000000 +0200
+++ new/openvpn-2.5.9/Changes.rst       2023-02-14 17:21:11.000000000 +0100
@@ -1,3 +1,35 @@
+Overview of changes in 2.5.9
+============================
+
+New features
+------------
+- Optional ciphers in ``--data-ciphers``
+  Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark
+  those as optional and only use them if the SSL library supports them.
+
+User-visible Changes
+--------------------
+- when compiling from a git checkout, put proper branch names into
+  windows builds
+
+Bugfixes
+--------
+- do not include auth-token in pulled-option digest (interferes with
+  persist-tun when auth-token is in use, GH #200).
+
+- fix corner case that might lead to leaked file descriptor
+
+- fix parser bug (parse_line()) that can lead to buffer overflows on
+  malformed command line or server ccd file handling.  Not exploitable.
+
+- pull-filter: ignore leading spaces in option names (work around server side
+  bug with erroneous extra spaces)
+
+- push: do not add leading spaces to "out of renegotiations" pushed auth-token
+
+- fix NULL pointer crash on "openvpn --show-tls" with mbedtls
+
+
 Overview of changes in 2.5.8
 ============================
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/build/msvc/msvc-generate/Makefile.mak 
new/openvpn-2.5.9/build/msvc/msvc-generate/Makefile.mak
--- old/openvpn-2.5.8/build/msvc/msvc-generate/Makefile.mak     2022-10-28 
10:40:26.000000000 +0200
+++ new/openvpn-2.5.9/build/msvc/msvc-generate/Makefile.mak     2023-02-14 
17:21:11.000000000 +0100
@@ -51,10 +51,13 @@
        cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" 
--input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)"
 
 $(OUTPUT_MAN): $(INPUT_MAN)
-    -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" 
"$(OUTPUT_MAN)"
+       -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" 
"$(OUTPUT_MAN)"
 
-$(OUTPUT_MSVC_GIT_CONFIG):
-    python git-version.py $(SOLUTIONDIR)
+# Force regeneration because we can't detect whether it is outdated
+$(OUTPUT_MSVC_GIT_CONFIG): FORCE
+       python git-version.py $(SOLUTIONDIR)
+
+FORCE:
 
 clean:
        -del "$(OUTPUT_MSVC_VER)"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/configure new/openvpn-2.5.9/configure
--- old/openvpn-2.5.8/configure 2022-10-28 10:40:33.000000000 +0200
+++ new/openvpn-2.5.9/configure 2023-02-14 17:21:11.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.8.
+# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.9.
 #
 # Report bugs to <openvpn-us...@lists.sourceforge.net>.
 #
@@ -621,8 +621,8 @@
 # Identity of this package.
 PACKAGE_NAME='OpenVPN'
 PACKAGE_TARNAME='openvpn'
-PACKAGE_VERSION='2.5.8'
-PACKAGE_STRING='OpenVPN 2.5.8'
+PACKAGE_VERSION='2.5.9'
+PACKAGE_STRING='OpenVPN 2.5.9'
 PACKAGE_BUGREPORT='openvpn-us...@lists.sourceforge.net'
 PACKAGE_URL=''
 
@@ -1507,7 +1507,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures OpenVPN 2.5.8 to adapt to many kinds of systems.
+\`configure' configures OpenVPN 2.5.9 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1578,7 +1578,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of OpenVPN 2.5.8:";;
+     short | recursive ) echo "Configuration of OpenVPN 2.5.9:";;
    esac
   cat <<\_ACEOF
 
@@ -1794,7 +1794,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-OpenVPN configure 2.5.8
+OpenVPN configure 2.5.9
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2588,7 +2588,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by OpenVPN $as_me 2.5.8, which was
+It was created by OpenVPN $as_me 2.5.9, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3364,13 +3364,13 @@
 fi
 
 
-printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,8,0" >>confdefs.h
+printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,9,0" >>confdefs.h
 
 OPENVPN_VERSION_MAJOR=2
 
 OPENVPN_VERSION_MINOR=5
 
-OPENVPN_VERSION_PATCH=.8
+OPENVPN_VERSION_PATCH=.9
 
 
 printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
@@ -3379,7 +3379,7 @@
 printf "%s\n" "#define OPENVPN_VERSION_MINOR 5" >>confdefs.h
 
 
-printf "%s\n" "#define OPENVPN_VERSION_PATCH \".8\"" >>confdefs.h
+printf "%s\n" "#define OPENVPN_VERSION_PATCH \".9\"" >>confdefs.h
 
 
 
@@ -3905,7 +3905,7 @@
 
 # Define the identity of the package.
  PACKAGE='openvpn'
- VERSION='2.5.8'
+ VERSION='2.5.9'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -20500,7 +20500,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by OpenVPN $as_me 2.5.8, which was
+This file was extended by OpenVPN $as_me 2.5.9, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -20568,7 +20568,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-OpenVPN config.status 2.5.8
+OpenVPN config.status 2.5.9
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/doc/man-sections/protocol-options.rst 
new/openvpn-2.5.9/doc/man-sections/protocol-options.rst
--- old/openvpn-2.5.8/doc/man-sections/protocol-options.rst     2022-10-28 
10:40:26.000000000 +0200
+++ new/openvpn-2.5.9/doc/man-sections/protocol-options.rst     2023-02-14 
17:21:11.000000000 +0100
@@ -184,6 +184,13 @@
   supported by the client will be pushed to clients that support cipher
   negotiation.
 
+  Starting with OpenVPN 2.5.9 a cipher can be prefixed with a :code:`?` to mark
+  it as optional. This allows including ciphers in the list that may not be
+  available on all platforms.
+  E.g. :code:`AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305` would only enable
+  Chacha20-Poly1305 if the underlying SSL library (and its configuration)
+  supports it.
+
   Cipher negotiation is enabled in client-server mode only. I.e. if
   ``--mode`` is set to 'server' (server-side, implied by setting
   ``--server`` ), or if ``--pull`` is specified (client-side, implied by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/doc/openvpn.8 
new/openvpn-2.5.9/doc/openvpn.8
--- old/openvpn-2.5.8/doc/openvpn.8     2022-10-28 10:40:46.000000000 +0200
+++ new/openvpn-2.5.9/doc/openvpn.8     2023-02-14 17:21:11.000000000 +0100
@@ -887,6 +887,13 @@
 supported by the client will be pushed to clients that support cipher
 negotiation.
 .sp
+Starting with OpenVPN 2.5.9 a cipher can be prefixed with a \fB?\fP to mark
+it as optional. This allows including ciphers in the list that may not be
+available on all platforms.
+E.g. \fBAES\-256\-GCM:AES\-128\-GCM:?CHACHA20\-POLY1305\fP would only enable
+Chacha20\-Poly1305 if the underlying SSL library (and its configuration)
+supports it.
+.sp
 Cipher negotiation is enabled in client\-server mode only. I.e. if
 \fB\-\-mode\fP is set to \(aqserver\(aq (server\-side, implied by setting
 \fB\-\-server\fP ), or if \fB\-\-pull\fP is specified (client\-side, implied by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/doc/openvpn.8.html 
new/openvpn-2.5.9/doc/openvpn.8.html
--- old/openvpn-2.5.8/doc/openvpn.8.html        2022-10-28 10:40:45.000000000 
+0200
+++ new/openvpn-2.5.9/doc/openvpn.8.html        2023-02-14 17:21:11.000000000 
+0100
@@ -1113,6 +1113,12 @@
 <p>For servers, the first cipher from <tt class="docutils literal"><span 
class="pre">cipher-list</span></tt> that is also
 supported by the client will be pushed to clients that support cipher
 negotiation.</p>
+<p>Starting with OpenVPN 2.5.9 a cipher can be prefixed with a <code>?</code> 
to mark
+it as optional. This allows including ciphers in the list that may not be
+available on all platforms.
+E.g. <code>AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305</code> would only enable
+Chacha20-Poly1305 if the underlying SSL library (and its configuration)
+supports it.</p>
 <p>Cipher negotiation is enabled in client-server mode only. I.e. if
 <tt class="docutils literal"><span class="pre">--mode</span></tt> is set to 
'server' (server-side, implied by setting
 <tt class="docutils literal"><span class="pre">--server</span></tt> ), or if 
<tt class="docutils literal"><span class="pre">--pull</span></tt> is specified 
(client-side, implied by
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/include/openvpn-plugin.h 
new/openvpn-2.5.9/include/openvpn-plugin.h
--- old/openvpn-2.5.8/include/openvpn-plugin.h  2022-10-28 10:40:43.000000000 
+0200
+++ new/openvpn-2.5.9/include/openvpn-plugin.h  2023-02-14 17:21:11.000000000 
+0100
@@ -53,7 +53,7 @@
  */
 #define OPENVPN_VERSION_MAJOR 2
 #define OPENVPN_VERSION_MINOR 5
-#define OPENVPN_VERSION_PATCH ".8"
+#define OPENVPN_VERSION_PATCH ".9"
 
 /*
  * Plug-in types.  These types correspond to the set of script callbacks
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/sample/sample-plugins/Makefile 
new/openvpn-2.5.9/sample/sample-plugins/Makefile
--- old/openvpn-2.5.8/sample/sample-plugins/Makefile    2022-10-28 
10:40:43.000000000 +0200
+++ new/openvpn-2.5.9/sample/sample-plugins/Makefile    2023-02-14 
17:21:11.000000000 +0100
@@ -213,7 +213,7 @@
 OPENSSL_LIBS = -lssl -lcrypto
 OPENVPN_VERSION_MAJOR = 2
 OPENVPN_VERSION_MINOR = 5
-OPENVPN_VERSION_PATCH = .8
+OPENVPN_VERSION_PATCH = .9
 OPTIONAL_CRYPTO_CFLAGS =  
 OPTIONAL_CRYPTO_LIBS =  -lssl -lcrypto
 OPTIONAL_DL_LIBS = -ldl
@@ -234,13 +234,13 @@
 PACKAGE = openvpn
 PACKAGE_BUGREPORT = openvpn-us...@lists.sourceforge.net
 PACKAGE_NAME = OpenVPN
-PACKAGE_STRING = OpenVPN 2.5.8
+PACKAGE_STRING = OpenVPN 2.5.9
 PACKAGE_TARNAME = openvpn
 PACKAGE_URL = 
-PACKAGE_VERSION = 2.5.8
+PACKAGE_VERSION = 2.5.9
 PATH_SEPARATOR = :
 PKCS11_HELPER_CFLAGS = 
-PKCS11_HELPER_LIBS = 
+PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper
 PKG_CONFIG = /usr/bin/pkg-config
 PKG_CONFIG_LIBDIR = 
 PKG_CONFIG_PATH = 
@@ -267,7 +267,7 @@
 TEST_CFLAGS =     -I$(top_srcdir)/include 
 TEST_LDFLAGS =  -lssl -lcrypto  -llzo2 -lcmocka
 TMPFILES_DIR = 
-VERSION = 2.5.8
+VERSION = 2.5.9
 abs_builddir = 
/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins
 abs_srcdir = 
/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins
 abs_top_builddir = 
/home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/forward.c 
new/openvpn-2.5.9/src/openvpn/forward.c
--- old/openvpn-2.5.8/src/openvpn/forward.c     2022-10-28 10:40:26.000000000 
+0200
+++ new/openvpn-2.5.9/src/openvpn/forward.c     2023-02-14 17:21:11.000000000 
+0100
@@ -1714,8 +1714,6 @@
 void
 process_outgoing_tun(struct context *c)
 {
-    struct gc_arena gc = gc_new();
-
     /*
      * Set up for write() call to TUN/TAP
      * device.
@@ -1801,7 +1799,6 @@
     buf_reset(&c->c2.to_tun);
 
     perf_pop();
-    gc_free(&gc);
 }
 
 void
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/misc.c 
new/openvpn-2.5.9/src/openvpn/misc.c
--- old/openvpn-2.5.8/src/openvpn/misc.c        2022-10-28 10:40:26.000000000 
+0200
+++ new/openvpn-2.5.9/src/openvpn/misc.c        2023-02-14 17:21:11.000000000 
+0100
@@ -273,6 +273,7 @@
                 msg(D_LOW, "No password found in %s authfile '%s'. Querying 
the management interface", prefix, auth_file);
                 if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
                 {
+                    fclose(fp);
                     return false;
                 }
             }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/misc.h 
new/openvpn-2.5.9/src/openvpn/misc.h
--- old/openvpn-2.5.8/src/openvpn/misc.h        2022-10-28 10:40:26.000000000 
+0200
+++ new/openvpn-2.5.9/src/openvpn/misc.h        2023-02-14 17:21:11.000000000 
+0100
@@ -74,6 +74,7 @@
 #else
 #define USER_PASS_LEN 128
 #endif
+    /* Note that username and password are expected to be null-terminated */
     char username[USER_PASS_LEN];
     char password[USER_PASS_LEN];
 };
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/ntlm.c 
new/openvpn-2.5.9/src/openvpn/ntlm.c
--- old/openvpn-2.5.8/src/openvpn/ntlm.c        2022-10-28 10:40:26.000000000 
+0200
+++ new/openvpn-2.5.9/src/openvpn/ntlm.c        2023-02-14 17:21:11.000000000 
+0100
@@ -143,6 +143,19 @@
     }
 }
 
+/**
+ * This function expects a null-terminated string in src and will
+ * copy it (including the terminating NUL byte),
+ * alternating it with 0 to dst.
+ *
+ * This basically will transform a ASCII string into valid UTF-16.
+ * Characters that are 8bit in src, will get the same treatment, resulting in
+ * invalid or wrong unicode code points.
+ *
+ * @note the function will blindly assume that dst has double
+ * the space of src.
+ * @return  the length of the number of bytes written to dst
+ */
 static int
 unicodize(char *dst, const char *src)
 {
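Review bot: The new header comment describes the output size only loosely ("double the space of src"), while its own description of the algorithm fixes the exact requirement: every byte of src including the terminating NUL is emitted as two bytes, so dst needs `2 * (strlen(src) + 1)` bytes. I'd state that explicitly in the @note, e.g. `@note dst must provide at least 2 * (strlen(src) + 1) bytes; the function does not check this`, and tighten the @return line to `@return number of bytes written to dst` (the current "the length of the number of bytes" is garbled). The body of unicodize() lies outside this hunk, so I have not confirmed which of the two the return value actually is. The caveat about 8-bit input producing wrong code points is worth keeping as-is since NTLM credentials pass through here.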
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/options.c 
new/openvpn-2.5.9/src/openvpn/options.c
--- old/openvpn-2.5.8/src/openvpn/options.c     2022-10-28 10:40:26.000000000 
+0200
+++ new/openvpn-2.5.9/src/openvpn/options.c     2023-02-14 17:21:11.000000000 
+0100
@@ -4926,8 +4926,6 @@
            unsigned int *option_types_found,
            struct env_set *es)
 {
-    int i, j;
-
     /* usage message */
     if (argc <= 1)
     {
@@ -4937,7 +4935,7 @@
     /* config filename specified only? */
     if (argc == 2 && strncmp(argv[1], "--", 2))
     {
-        char *p[MAX_PARMS];
+        char *p[MAX_PARMS+1];
         CLEAR(p);
         p[0] = "config";
         p[1] = argv[1];
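Review bot: The extra element in `char *p[MAX_PARMS+1]` is the NULL end-of-list sentinel that the parse_line() fix depends on, but nothing at the declaration records that, and the matching `SIZE(p)-1` that must be passed at the parse call is outside this hunk. The guarantee rests entirely on `CLEAR(p)` zeroing the last slot, so a later change that fills the array in a loop up to SIZE(p) would silently remove it. I'd document the invariant where it is established: `char *p[MAX_PARMS+1]; /* +1: last slot stays NULL as the sentinel parse_line() consumers rely on */`. The enclosing function starts before this hunk.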
@@ -4947,9 +4945,9 @@
     else
     {
         /* parse command line */
-        for (i = 1; i < argc; ++i)
+        for (int i = 1; i < argc; ++i)
         {
-            char *p[MAX_PARMS];
+            char *p[MAX_PARMS+1];
             CLEAR(p);
             p[0] = argv[i];
             if (strncmp(p[0], "--", 2))
@@ -4961,6 +4959,7 @@
                 p[0] += 2;
             }
 
+            int j;
             for (j = 1; j < MAX_PARMS; ++j)
             {
                 if (i + j < argc)
@@ -5001,6 +5000,12 @@
         return true;
     }
 
+    /* skip leading spaces matching the behaviour of parse_line */
+    while (isspace(*line))
+    {
+        line++;
+    }
+
     for (f = o->pull_filter_list->head; f; f = f->next)
     {
         if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) 
== 0)
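Review bot: `isspace(*line)` passes a plain `char`; for a byte >= 0x80 on a signed-char platform that is a negative value, which the ctype functions only define for EOF and values representable as unsigned char. The bytes here are server-pushed option text, so the remote end controls them; the conventional fix is `while (isspace((unsigned char)*line))`. Since pull-filter is the client's guard against what a server may push, the comment should also say why the skip matters: it appears that before this change a leading space kept a filter pattern from matching while parse_line() would still accept the option, so the comment could read `/* skip leading spaces as parse_line does, so a space-prefixed option cannot slip past the filter */`. The enclosing function starts outside this hunk.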
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/push.c 
new/openvpn-2.5.9/src/openvpn/push.c
--- old/openvpn-2.5.8/src/openvpn/push.c        2022-10-28 10:40:26.000000000 
+0200
+++ new/openvpn-2.5.9/src/openvpn/push.c        2023-02-14 17:21:11.000000000 
+0100
@@ -536,7 +536,7 @@
 
     /* Construct a mimimal control channel push reply message */
     struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
-    buf_printf(&buf, "%s, %s", push_reply_cmd, e->option);
+    buf_printf(&buf, "%s,%s", push_reply_cmd, e->option);
     send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH);
     gc_free(&gc);
 }
@@ -779,8 +779,10 @@
     char line[OPTION_PARM_SIZE];
     while (buf_parse(buf, ',', line, sizeof(line)))
     {
-        /* peer-id might change on restart and this should not trigger 
reopening tun */
-        if (strprefix(line, "peer-id "))
+        /* peer-id and auth-token might change on restart and this should not 
trigger reopening tun */
+        if (strprefix(line, "peer-id ")
+            || strprefix(line, "auth-token ")
+            || strprefix(line, "auth-token-user "))
         {
             continue;
         }
@@ -891,13 +893,13 @@
         /* cycle through the push list */
         while (e)
         {
-            char *p[MAX_PARMS];
+            char *p[MAX_PARMS+1];
             bool enable = true;
 
             /* parse the push item */
             CLEAR(p);
             if (e->enable
-                && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, 
D_ROUTE_DEBUG, &gc))
+                && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 
1, D_ROUTE_DEBUG, &gc))
             {
                 /* is the push item a route directive? */
                 if (p[0] && !strcmp(p[0], "route") && !p[3])
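Review bot: The sentinel arrangement is now split across two lines without a comment: `char *p[MAX_PARMS+1]` reserves the slot and `SIZE(p)-1` keeps parse_line() from filling it, and the `!p[3]` test three lines later only works because `CLEAR(p)` leaves unused slots NULL. I'd add a one-line comment at the declaration so the two are not "fixed" independently later: `char *p[MAX_PARMS+1]; /* +1: parse_line() is given SIZE(p)-1 so the last slot stays NULL */`. The enclosing function starts before this hunk.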
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/ssl_mbedtls.c 
new/openvpn-2.5.9/src/openvpn/ssl_mbedtls.c
--- old/openvpn-2.5.8/src/openvpn/ssl_mbedtls.c 2022-10-28 10:40:26.000000000 
+0200
+++ new/openvpn-2.5.9/src/openvpn/ssl_mbedtls.c 2023-02-14 17:21:11.000000000 
+0100
@@ -168,7 +168,13 @@
         }
 
 #if defined(ENABLE_PKCS11)
-        pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
+        /* ...freeCertificate() can handle NULL ptrs, but if pkcs11 helper
+         * has not been initialized, it will ASSERT() - so, do not pass NULL
+         */
+        if (ctx->pkcs11_cert)
+        {
+            pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
+        }
 #endif
 
         if (ctx->allowed_ciphers)
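Review bot: After `pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert)` the pointer is left dangling, so the new NULL guard protects only the first pass through this cleanup; a second pass would free it again. Setting it after the free is the usual pairing and costs nothing: `ctx->pkcs11_cert = NULL;` inside the new if-block. Whether this cleanup can be reached twice for the same ctx is not visible here, since the enclosing function starts outside the hunk.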
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/src/openvpn/ssl_ncp.c 
new/openvpn-2.5.9/src/openvpn/ssl_ncp.c
--- old/openvpn-2.5.8/src/openvpn/ssl_ncp.c     2022-10-28 10:40:26.000000000 
+0200
+++ new/openvpn-2.5.9/src/openvpn/ssl_ncp.c     2023-02-14 17:21:11.000000000 
+0100
@@ -108,7 +108,18 @@
          * (and translate_cipher_name_from_openvpn/
          * translate_cipher_name_to_openvpn) also normalises the cipher name,
          * e.g. replacing AeS-128-gCm with AES-128-GCM
+         *
+         * ciphers that have ? in front of them are considered optional and
+         * OpenVPN will only warn if they are not found (and remove them from
+         * the list)
          */
+
+        bool optional = false;
+        if (token[0] == '?')
+        {
+            token++;
+            optional = true;
+        }
         const cipher_kt_t *ktc = cipher_kt_get(token);
         if (strcmp(token, "none") == 0)
         {
@@ -120,8 +131,9 @@
         }
         if (!ktc && strcmp(token, "none") != 0)
         {
-            msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
-            error_found = true;
+            const char* optstr = optional ? "optional ": "";
+            msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, 
token);
+            error_found = error_found || !optional;
         }
         else
         {
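Review bot: `const char* optstr` attaches the `*` to the type, whereas the surrounding code in this file binds it to the name (`const cipher_kt_t *ktc` in the hunk above, `char *p[...]` elsewhere in this release); I'd write `const char *optstr = optional ? "optional " : "";` to match. The `error_found = error_found || !optional;` line is correct but reads as a flag merge; the later test asserts that a trailing optional cipher does not mask earlier hard failures, and a short comment here would make that intent obvious: `/* an optional cipher never sets error_found, but must not clear one set earlier */`.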
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/tests/unit_tests/openvpn/test_ncp.c 
new/openvpn-2.5.9/tests/unit_tests/openvpn/test_ncp.c
--- old/openvpn-2.5.8/tests/unit_tests/openvpn/test_ncp.c       2022-10-28 
10:40:26.000000000 +0200
+++ new/openvpn-2.5.9/tests/unit_tests/openvpn/test_ncp.c       2023-02-14 
17:21:11.000000000 +0100
@@ -74,6 +74,20 @@
         assert_ptr_equal(mutate_ncp_cipher_list(bf_chacha, &gc), NULL);
     }
 
+    /* Check that optional ciphers work */
+    
assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:?vollbit:AES-128-GCM", 
&gc),
+                        aes_ciphers);
+
+    /* Check that optional ciphers work */
+    assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM", 
&gc),
+                        aes_ciphers);
+
+    /* All unsupported should still yield an empty list */
+    assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), 
NULL);
+
+    /* If the last is optional, previous invalid ciphers should be ignored */
+    
assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit",
 &gc), NULL);
+
     /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
      * a different spelling the normalised cipher output is the same */
     bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");
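Review bot: The comment on the last new assertion says the opposite of what it checks: "previous invalid ciphers should be ignored" is followed by `assert_ptr_equal(..., NULL)`, i.e. the list is rejected because the earlier non-optional ciphers are invalid and the trailing `?nixbit` must not hide that. I'd reword it to `/* A trailing optional cipher must not mask earlier invalid non-optional ciphers */` so the test documents the regression it guards (the "optional invalid cipher at the end" fix named in the ChangeLog). The two preceding comments are also duplicates ("Check that optional ciphers work" twice); the second could say `/* An all-optional list of supported ciphers is accepted unchanged */`.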
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openvpn-2.5.8/version.m4 new/openvpn-2.5.9/version.m4
--- old/openvpn-2.5.8/version.m4        2022-10-28 10:40:26.000000000 +0200
+++ new/openvpn-2.5.9/version.m4        2023-02-14 17:21:11.000000000 +0100
@@ -3,12 +3,12 @@
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.8])
+define([PRODUCT_VERSION_PATCH], [.9])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-us...@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,8,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,9,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
