diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile
index a52054c1..e6530071 100644
--- a/net/openvpn/Makefile
+++ b/net/openvpn/Makefile
@@ -2,7 +2,7 @@
# $Id$
#
PORTNAME= openvpn
-PORTVERSION= 2.4.9
+PORTVERSION= 2.5.5
CATEGORIES= security net
#MASTER_SITES= http://openvpn.net/release/
MASTER_SITES+= http://swupdate.openvpn.net/community/releases/
diff --git a/net/openvpn/distinfo b/net/openvpn/distinfo
index 767e4abc..1318bcad 100644
--- a/net/openvpn/distinfo
+++ b/net/openvpn/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1591166889
-SHA256 (openvpn-2.4.9.tar.xz) = 641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
-SIZE (openvpn-2.4.9.tar.xz) = 954264
+TIMESTAMP = 1645868736
+SHA256 (openvpn-2.5.5.tar.xz) = 119bd69fa0210838f6cdaa273696dc738efa200f454dbe11eb6dfb75dfb6003b
+SIZE (openvpn-2.5.5.tar.xz) = 1147184
diff --git a/net/openvpn/files/patch-configure b/net/openvpn/files/patch-configure
deleted file mode 100644
index 22643631..00000000
--- a/net/openvpn/files/patch-configure
+++ /dev/null
@@ -1,11 +0,0 @@
---- configure.orig 2016-08-23 14:19:07 UTC
-+++ configure
-@@ -17160,8 +17160,6 @@ fi
- $as_echo "!! WARNING !! The cmoka git submodule has not been initialized or updated. Unit testing cannot be performed." >&6; }
- fi
- else
-- { $as_echo "$as_me:${as_lineno-$LINENO}: result: !! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&5
--$as_echo "!! WARNING !! CMake is NOT available. Unit testing cannot be performed." >&6; }
- if false; then
- CMOCKA_INITIALIZED_TRUE=
- CMOCKA_INITIALIZED_FALSE='#'
diff --git a/net/openvpn/files/patch-doc_man-sections_generic-options.rst b/net/openvpn/files/patch-doc_man-sections_generic-options.rst
new file mode 100644
index 00000000..a6fecf86
--- /dev/null
+++ b/net/openvpn/files/patch-doc_man-sections_generic-options.rst
@@ -0,0 +1,11 @@
+--- doc/man-sections/generic-options.rst.orig 2021-10-31 16:17:17 UTC
++++ doc/man-sections/generic-options.rst
+@@ -431,7 +431,7 @@ which mode OpenVPN is configured as.
+ able to gain control of an OpenVPN session. Though OpenVPN's security
+ features make this unlikely, it is provided as a second line of defense.
+
+- By setting ``user`` to :code:`nobody` or somebody similarly unprivileged,
++ By setting ``user`` to :code:`openvpn` or somebody similarly unprivileged,
+ the hostile party would be limited in what damage they could cause. Of
+ course once you take away privileges, you cannot return them to an
+ OpenVPN session. This means, for example, that if you want to reset an
diff --git a/net/openvpn/files/patch-doc_openvpn.8 b/net/openvpn/files/patch-doc_openvpn.8
new file mode 100644
index 00000000..a536dae7
--- /dev/null
+++ b/net/openvpn/files/patch-doc_openvpn.8
@@ -0,0 +1,20 @@
+--- doc/openvpn.8.orig 2021-10-05 05:57:01 UTC
++++ doc/openvpn.8
+@@ -358,7 +358,7 @@ lower priority, \fBn\fP less than zero is higher prior
+ .B \-\-persist\-key
+ Don\(aqt re\-read key files across \fBSIGUSR1\fP or \fB\-\-ping\-restart\fP\&.
+ .sp
+-This option can be combined with \fB\-\-user nobody\fP to allow restarts
++This option can be combined with \fB\-\-user openvpn\fP to allow restarts
+ triggered by the \fBSIGUSR1\fP signal. Normally if you drop root
+ privileges in OpenVPN, the daemon cannot be restarted since it will now
+ be unable to re\-read protected key files.
+@@ -577,7 +577,7 @@ useful to protect the system in the event that some ho
+ able to gain control of an OpenVPN session. Though OpenVPN\(aqs security
+ features make this unlikely, it is provided as a second line of defense.
+ .sp
+-By setting \fBuser\fP to \fBnobody\fP or somebody similarly unprivileged,
++By setting \fBuser\fP to \fBopenvpn\fP or somebody similarly unprivileged,
+ the hostile party would be limited in what damage they could cause. Of
+ course once you take away privileges, you cannot return them to an
+ OpenVPN session. This means, for example, that if you want to reset an
diff --git a/net/openvpn/files/patch-doc_openvpn.8.html b/net/openvpn/files/patch-doc_openvpn.8.html
new file mode 100644
index 00000000..5b1e8e80
--- /dev/null
+++ b/net/openvpn/files/patch-doc_openvpn.8.html
@@ -0,0 +1,20 @@
+--- doc/openvpn.8.html.orig 2021-10-05 05:57:01 UTC
++++ doc/openvpn.8.html
+@@ -650,7 +650,7 @@ lower priority, n le
+
|
+ --persist-key |
+ Don't re-read key files across SIGUSR1 or --ping-restart.
+-This option can be combined with --user nobody to allow restarts
++ This option can be combined with --user openvpn to allow restarts
+ triggered by the SIGUSR1 signal. Normally if you drop root
+ privileges in OpenVPN, the daemon cannot be restarted since it will now
+ be unable to re-read protected key files.
+@@ -824,7 +824,7 @@ initialization, dropping privileges in the process. Th
+ useful to protect the system in the event that some hostile party was
+ able to gain control of an OpenVPN session. Though OpenVPN's security
+ features make this unlikely, it is provided as a second line of defense.
+-By setting user to nobody or somebody similarly unprivileged,
++ By setting user to openvpn or somebody similarly unprivileged,
+ the hostile party would be limited in what damage they could cause. Of
+ course once you take away privileges, you cannot return them to an
+ OpenVPN session. This means, for example, that if you want to reset an
diff --git a/net/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 b/net/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992
deleted file mode 100644
index b563b279..00000000
--- a/net/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992
+++ /dev/null
@@ -1,136 +0,0 @@
-From 098edbb1f5a2e1360fd6a4ae0642b63bec12e992 Mon Sep 17 00:00:00 2001
-From: Jeremy Evans
-Date: Wed, 20 May 2020 11:34:04 -0700
-Subject: [PATCH] Switch assertion failure to returning false
-
-This assertion failure can be hit in production, which causes the
-openvpn server process to stop and all clients to be disconnected.
-Bug #1270 has been filed for this issue on Trac by another user
-who has experienced the issue, and this patch attempts to address it.
-
-Tracing callers, it appears that some callers check ks->authenticated
-before calling, but others do not. It may be possible to add the check
-for the callers that do not check, but this seems to be a simpler
-solution.
-
-To give some background, we hit this assertion failure, with the
-following log output:
-
-```
-Tue May 19 15:57:05 2020 username/73.135.141.11:1194 PUSH: Received
-control message: 'PUSH_REQUEST'
-Tue May 19 15:57:05 2020 username/73.135.141.11:1194 SENT CONTROL
-[username]: 'PUSH_REPLY,redirect-gateway
-def1,comp-lzo,persist-key,persist-tun,route-gateway 10.28.47.1,topology
-subnet,ping 10,ping-restart 120,ifconfig 10.28.47.38 255.255.255.0,peer-id
-89' (status=1)
-Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Assertion failed at
-/path/to/openvpn-2.4.7/src/openvpn/ssl.c:1944 (ks->authenticated)
-Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Exiting due to fatal
-error
-Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Closing TUN/TAP
-interface
-```
-
-using the following OpenVPN server configuration:
-
-```
-port 1194
-proto udp
-dev-type tun
-ca ca.crt
-cert server.crt
-key server.key
-dh dh.pem
-topology subnet
-push "redirect-gateway def1"
-push "comp-lzo"
-push "persist-key"
-push "persist-tun"
-keepalive 10 120
-comp-lzo
-user nobody
-group nobody
-persist-key
-persist-tun
-cd /home/openvpn/server
-chroot /var/empty
-daemon
-verb 3
-crl-verify crl.pem
-tls-auth ta.key 0
-cipher AES-256-CBC
-tls-version-min 1.2
-tls-cipher ECDHE-RSA-AES256-GCM-SHA384
-ncp-disable
-mute-replay-warnings
-script-security 3
-auth-user-pass-verify "ldap-auth/ldap-auth" via-env
-auth-user-pass-optional
-```
-
-and the following command line options:
-
-```
---config openvpn.conf --dev tun1 --local 206.131.72.52 \
---log-append openvpn.log --status openvpn-status.log \
---server 10.28.47.0 255.255.255.0
-```
-
-The failed assertion is inside the function
-`tls_session_generate_data_channel_keys`, which is called 3 other places
-in `ssl.c.`:
-
-* `key_method_2_write`: checks for `ks->authenticated` before calling
-
-* `key_method_2_read`: appears to run in client mode but not in server
- mode
-
-* `tls_session_update_crypto_params`: runs in server mode and does not
- check before calling
-
-That leads me to believe the problem caller is
-`tls_session_update_crypto_params`. There.s three callers of
-`tls_session_update_crypto_params`:.
-
-* `incoming_push_message` (`push.c`): Probably this caller, since the
- server pushes configuration to clients, and the log shows the
- assertion failure right after the push reply.
-
-* `multi_process_file_closed` (`multi.c`): Not this caller. NCP is
- disabled in config, and async push was not enabled when compiling.
-
-* `do_deferred_options` (`init.c`): Not this caller. The server
- configuration doesn't pull.
-
-Changing the assertion to returning false appears to be the simplest
-fix. Another approach would be changing callers to check
-`ks->authenticated` before calling, either
-`tls_session_update_crypto_params` or `incoming_push_message`.
-
-Signed-off-by: Jeremy Evans
-Acked-by: Steffan Karger
-Message-Id: <20200520183404.54822-1-code@jeremyevans.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19914.html
-Signed-off-by: Gert Doering
-(cherry picked from commit 984bd1e1601e4b9562dbc88b02a8db60b884286f)
----
- src/openvpn/ssl.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
-index cf6689982..215147f37 100644
---- ./src/openvpn/ssl.c
-+++ ./src/openvpn/ssl.c
-@@ -1941,7 +1941,10 @@ tls_session_generate_data_channel_keys(struct tls_session *session)
- const struct session_id *server_sid = !session->opt->server ?
- &ks->session_id_remote : &session->session_id;
-
-- ASSERT(ks->authenticated);
-+ if (!ks->authenticated) {
-+ msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
-+ goto cleanup;
-+ }
-
- ks->crypto_options.flags = session->opt->crypto_flags;
- if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi,
diff --git a/net/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 b/net/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88
deleted file mode 100644
index f798c6cd..00000000
--- a/net/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88
+++ /dev/null
@@ -1,61 +0,0 @@
-From 38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 Mon Sep 17 00:00:00 2001
-From: Selva Nair
-Date: Thu, 20 Feb 2020 22:00:28 -0500
-Subject: [PATCH] Persist management-query-remote and proxy prompts
-
-Currently this prompt is only output once, not re-written to the
-management interface when the management client connects. It is thus
-not seen by a client that connects after the prompt is output or one that
-disconnects and reconnects. This leads to a deadlock: the daemon waiting
-for the "remote" command from the client, the latter not aware of it.
-
-Resolve by adding the ">REMOTE" and ">PROXY" prompt to
-man.persist.special_state_msg as done for other persisted prompts such
-as ">PASSWORD"
-
-Signed-off-by: Selva Nair
-Acked-by: Gert Doering
-Message-Id: <1582254028-7763-1-git-send-email-selva.nair@gmail.com>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19497.html
-Signed-off-by: Gert Doering
-(cherry picked from commit 93ba6ccddafcc87f336f50dadde144ea4f6178ad)
----
- src/openvpn/init.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index 8bac74f97..e153682ed 100644
---- ./src/openvpn/init.c
-+++ ./src/openvpn/init.c
-@@ -269,6 +269,7 @@ ce_management_query_proxy(struct context *c)
- buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1,
- (proto_is_udp(ce->proto) ? "UDP" : "TCP"), np(ce->remote));
- management_notify_generic(management, BSTR(&out));
-+ management->persist.special_state_msg = BSTR(&out);
- }
- ce->flags |= CE_MAN_QUERY_PROXY;
- while (ce->flags & CE_MAN_QUERY_PROXY)
-@@ -280,6 +281,7 @@ ce_management_query_proxy(struct context *c)
- break;
- }
- }
-+ management->persist.special_state_msg = NULL;
- gc_free(&gc);
- }
-
-@@ -349,6 +351,7 @@ ce_management_query_remote(struct context *c)
- buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port,
- proto2ascii(ce->proto, ce->af, false));
- management_notify_generic(management, BSTR(&out));
-+ management->persist.special_state_msg = BSTR(&out);
-
- ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT);
- ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT);
-@@ -362,6 +365,7 @@ ce_management_query_remote(struct context *c)
- break;
- }
- }
-+ management->persist.special_state_msg = NULL;
- }
- gc_free(&gc);
-
diff --git a/net/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea b/net/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea
deleted file mode 100644
index de810ca5..00000000
--- a/net/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea
+++ /dev/null
@@ -1,214 +0,0 @@
-From b89e48b015e581a4a0f5c306e2ab20da34c862ea Mon Sep 17 00:00:00 2001
-From: Selva Nair
-Date: Tue, 24 Jul 2018 22:34:53 -0400
-Subject: [PATCH] Parse static challenge response in auth-pam plugin
-
-If static challenge is in use, the password passed to the plugin by openvpn
-is of the form "SCRV1:base64-pass:base64-response". Parse this string to
-separate it into password and response and use them to respond to queries
-in the pam conversation function.
-
-On the plugin parameters line the substitution keyword for the static
-challenge response is "OTP". For example, for pam config named "test" that
-prompts for "user", "password" and "pin", use
-
-plugin openvpn-auth-pam.so "test user USERNAME password PASSWORD pin OTP"
-
-Signed-off-by: Selva Nair
-
-Acked-by: Gert Doering
-Message-Id: <1532486093-24793-1-git-send-email-selva.nair@gmail.com>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17307.html
-Signed-off-by: Gert Doering
-(cherry picked from commit 7369d01bf360bcfa02f26c05b86dde5496d120f6)
----
- src/plugins/auth-pam/README.auth-pam | 15 ++++--
- src/plugins/auth-pam/auth-pam.c | 75 +++++++++++++++++++++++++++-
- 2 files changed, 84 insertions(+), 6 deletions(-)
-
-diff --git a/src/plugins/auth-pam/README.auth-pam b/src/plugins/auth-pam/README.auth-pam
-index e12369021..908156542 100644
---- a/src/plugins/auth-pam/README.auth-pam
-+++ ./src/plugins/auth-pam/README.auth-pam
-@@ -36,19 +36,20 @@ pairs to answer PAM module queries.
-
- For example:
-
-- plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
-+ plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"
-
- tells auth-pam to (a) use the "login" PAM module, (b) answer a
--"login" query with the username given by the OpenVPN client, and
--(c) answer a "password" query with the password given by the
--OpenVPN client. This provides flexibility in dealing with the different
-+"login" query with the username given by the OpenVPN client,
-+(c) answer a "password" query with the password, and (d) answer a
-+"pin" query with the OTP given by the OpenVPN client.
-+This provides flexibility in dealing with different
- types of query strings which different PAM modules might generate.
- For example, suppose you were using a PAM module called
- "test" which queried for "name" rather than "login":
-
- plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
-
--While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
-+While "USERNAME" "COMMONNAME" "PASSWORD" and "OTP" are special strings which substitute
- to client-supplied values, it is also possible to name literal values
- to use as PAM module query responses. For example, suppose that the
- login module queried for a third parameter, "domain" which
-@@ -61,6 +62,10 @@ the operation of this plugin:
-
- client-cert-not-required
- username-as-common-name
-+ static-challenge
-+
-+Use of --static challenege is required to pass a pin (represented by "OTP" in
-+parameter substituion) or a second password.
-
- Run OpenVPN with --verb 7 or higher to get debugging output from
- this plugin, including the list of queries presented by the
-diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
-index 5ba4dc4cb..1324307f1 100644
---- a/src/plugins/auth-pam/auth-pam.c
-+++ ./src/plugins/auth-pam/auth-pam.c
-@@ -6,6 +6,7 @@
- * packet compression.
- *
- * Copyright (C) 2002-2018 OpenVPN Inc
-+ * Copyright (C) 2016-2018 Selva Nair
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2
-@@ -64,6 +65,7 @@
-
- /* Pointers to functions exported from openvpn */
- static plugin_secure_memzero_t plugin_secure_memzero = NULL;
-+static plugin_base64_decode_t plugin_base64_decode = NULL;
-
- /*
- * Plugin state, used by foreground
-@@ -87,6 +89,7 @@ struct auth_pam_context
- * "USERNAME" -- substitute client-supplied username
- * "PASSWORD" -- substitute client-specified password
- * "COMMONNAME" -- substitute client certificate common name
-+ * "OTP" -- substitute static challenge response if available
- */
-
- #define N_NAME_VALUE 16
-@@ -111,6 +114,7 @@ struct user_pass {
- char username[128];
- char password[128];
- char common_name[128];
-+ char response[128];
-
- const struct name_value_list *name_value_list;
- };
-@@ -276,6 +280,66 @@ name_value_match(const char *query, const char *match)
- return strncasecmp(match, query, strlen(match)) == 0;
- }
-
-+/*
-+ * Split and decode up->password in the form SCRV1:base64_pass:base64_response
-+ * into pass and response and save in up->password and up->response.
-+ * If the password is not in the expected format, input is not changed.
-+ */
-+static void
-+split_scrv1_password(struct user_pass *up)
-+{
-+ const int skip = strlen("SCRV1:");
-+ if (strncmp(up->password, "SCRV1:", skip) != 0)
-+ {
-+ return;
-+ }
-+
-+ char *tmp = strdup(up->password);
-+ if (!tmp)
-+ {
-+ fprintf(stderr, "AUTH-PAM: out of memory parsing static challenge password\n");
-+ goto out;
-+ }
-+
-+ char *pass = tmp + skip;
-+ char *resp = strchr(pass, ':');
-+ if (!resp) /* string not in SCRV1:xx:yy format */
-+ {
-+ goto out;
-+ }
-+ *resp++ = '\0';
-+
-+ int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
-+ if (n > 0)
-+ {
-+ up->password[n] = '\0';
-+ n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
-+ if (n > 0)
-+ {
-+ up->response[n] = '\0';
-+ if (DEBUG(up->verb))
-+ {
-+ fprintf(stderr, "AUTH-PAM: BACKGROUND: parsed static challenge password\n");
-+ }
-+ goto out;
-+ }
-+ }
-+
-+ /* decode error: reinstate original value of up->password and return */
-+ plugin_secure_memzero(up->password, sizeof(up->password));
-+ plugin_secure_memzero(up->response, sizeof(up->response));
-+ strcpy(up->password, tmp); /* tmp is guaranteed to fit in up->password */
-+
-+ fprintf(stderr, "AUTH-PAM: base64 decode error while parsing static challenge password\n");
-+
-+out:
-+ if (tmp)
-+ {
-+ plugin_secure_memzero(tmp, strlen(tmp));
-+ free(tmp);
-+ }
-+}
-+
- OPENVPN_EXPORT int
- openvpn_plugin_open_v3(const int v3structver,
- struct openvpn_plugin_args_open_in const *args,
-@@ -316,6 +380,7 @@ openvpn_plugin_open_v3(const int v3structver,
-
- /* Save global pointers to functions exported from openvpn */
- plugin_secure_memzero = args->callbacks->plugin_secure_memzero;
-+ plugin_base64_decode = args->callbacks->plugin_base64_decode;
-
- /*
- * Make sure we have two string arguments: the first is the .so name,
-@@ -599,6 +664,10 @@ my_conv(int n, const struct pam_message **msg_array,
- {
- aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name);
- }
-+ else if (strstr(match_value, "OTP"))
-+ {
-+ aresp[i].resp = searchandreplace(match_value, "OTP", up->response);
-+ }
- else
- {
- aresp[i].resp = strdup(match_value);
-@@ -787,6 +856,9 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
- #endif
- }
-
-+ /* If password is of the form SCRV1:base64:base64 split it up */
-+ split_scrv1_password(&up);
-+
- if (pam_auth(service, &up)) /* Succeeded */
- {
- if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
-@@ -818,10 +890,11 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
- command);
- goto done;
- }
-+ plugin_secure_memzero(up.response, sizeof(up.response));
- }
- done:
--
- plugin_secure_memzero(up.password, sizeof(up.password));
-+ plugin_secure_memzero(up.response, sizeof(up.response));
- #ifdef USE_PAM_DLOPEN
- dlclose_pam();
- #endif
diff --git a/net/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f b/net/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f
deleted file mode 100644
index 8ba8e7f2..00000000
--- a/net/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f
+++ /dev/null
@@ -1,40 +0,0 @@
-From cab48ad43eaba51c54fa23e55b0b2eb436dd921f Mon Sep 17 00:00:00 2001
-From: Selva Nair
-Date: Tue, 7 Aug 2018 22:44:31 -0400
-Subject: [PATCH] Accept empty password and/or response in auth-pam plugin
-
-In the auth-pam plugin correctly parse the static challenge string
-even when password or challenge response is empty.
-
-Whether an empty user input is an error is determined by the PAM
-conversation function depending on whether the PAM module queries
-for it or not.
-
-Signed-off-by: Selva Nair
-Acked-by: Gert Doering
-Message-Id: <1533696271-21799-2-git-send-email-selva.nair@gmail.com>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17382.html
-Signed-off-by: Gert Doering
-(cherry picked from commit 7a8109023f4c345fe12f23421c5fa7e88e1ea85b)
----
- src/plugins/auth-pam/auth-pam.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
-index 1324307f1..88b53204b 100644
---- a/src/plugins/auth-pam/auth-pam.c
-+++ ./src/plugins/auth-pam/auth-pam.c
-@@ -310,11 +310,11 @@ split_scrv1_password(struct user_pass *up)
- *resp++ = '\0';
-
- int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
-- if (n > 0)
-+ if (n >= 0)
- {
- up->password[n] = '\0';
- n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
-- if (n > 0)
-+ if (n >= 0)
- {
- up->response[n] = '\0';
- if (DEBUG(up->verb))
diff --git a/net/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 b/net/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5
deleted file mode 100644
index c946f8c7..00000000
--- a/net/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5
+++ /dev/null
@@ -1,28 +0,0 @@
-From fc0297143494e0a0f08564d90dbb210669d0abf5 Mon Sep 17 00:00:00 2001
-From: Antonio Quartulli
-Date: Sat, 30 May 2020 02:05:54 +0200
-Subject: [PATCH] pool: prevent IPv6 pools to be larger than 2^16 addresses
-
-Signed-off-by: Antonio Quartulli
-Acked-by: Gert Doering
-Message-Id: <20200530000600.1680-2-a@unstable.cc>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19945.html
-Signed-off-by: Gert Doering
-(cherry picked from commit 81d66a1f14d4be3282dd648ecc2049658e3a65ed)
----
- src/openvpn/pool.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c
-index da28bc06b..e45bf88a2 100644
---- ./src/openvpn/pool.c
-+++ ./src/openvpn/pool.c
-@@ -183,7 +183,7 @@ ifconfig_pool_init(int type, in_addr_t start, in_addr_t end,
- if (pool->ipv6)
- {
- pool->base_ipv6 = ipv6_base;
-- pool->size_ipv6 = ipv6_netbits>96 ? ( 1<<(128-ipv6_netbits) )
-+ pool->size_ipv6 = ipv6_netbits > 112 ? (1 << (128 - ipv6_netbits))
- : IFCONFIG_POOL_MAX;
-
- msg( D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: (IPv4) size=%d, size_ipv6=%d, netbits=%d, base_ipv6=%s",
diff --git a/net/openvpn/files/patch-src_openvpn_ssl__openssl.c b/net/openvpn/files/patch-src_openvpn_ssl__openssl.c
deleted file mode 100644
index 6d66949a..00000000
--- a/net/openvpn/files/patch-src_openvpn_ssl__openssl.c
+++ /dev/null
@@ -1,69 +0,0 @@
-In the corner case that the global OpenSSL has an invalid command like
-
- MinProtocol = TLSv1.0
-
-(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct)
-
-the SSL_ctx_new function leaves the errors for parsing the config file
-on the stack.
-
-OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value
-
-Since the later functions, especially the one of loading the
-certificates expected a clean error this error got reported at the
-wrong place.
-
-Print the warnings with crypto_msg when we detect that we are in this
-situation (this also clears the stack).
----
- src/openvpn/ssl_openssl.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-Acked-by: Gert Doering
-
-"Explanation and Code make sense, Debian testing confirmed it fixes
-the problem observed" (which was a user error in the end, but led to an
-unexpected error in openvpn).
-
-Basic client test run with openssl 1.1.1 on Linux/Gentoo.
-
-Your patch has been applied to the master and release/2.4 branch.
-
-commit 75aa88af774abaa168bf72e43e1dbb57be14c044 (master)
-commit 125654bfa6f99a251b581522182e85748dd8043a (release/2.4)
-Author: Arne Schwabe
-Date: Tue Apr 21 12:11:22 2020 +0200
-
- Fix tls_ctx_client/server_new leaving error on OpenSSL error stack
-
- Acked-by: Gert Doering
- Message-Id: <20200421101122.24284-1-arne@rfc2549.org>
- URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19802.html
- Signed-off-by: Gert Doering
-
---- src/openvpn/ssl_openssl.c.orig 2020-04-16 13:26:45 UTC
-+++ src/openvpn/ssl_openssl.c
-@@ -110,6 +110,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx)
- {
- crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method");
- }
-+ if (ERR_peek_error() != 0)
-+ {
-+ crypto_msg(M_WARN, "Warning: TLS server context initialisation "
-+ "has warnings.");
-+ }
- }
-
- void
-@@ -122,6 +127,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx)
- if (ctx->ctx == NULL)
- {
- crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method");
-+ }
-+ if (ERR_peek_error() != 0)
-+ {
-+ crypto_msg(M_WARN, "Warning: TLS client context initialisation "
-+ "has warnings.");
- }
- }
-
diff --git a/net/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c b/net/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c
new file mode 100644
index 00000000..633bc0f0
--- /dev/null
+++ b/net/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c
@@ -0,0 +1,10 @@
+--- src/plugins/auth-pam/auth-pam.c.orig 2021-06-21 04:44:39 UTC
++++ src/plugins/auth-pam/auth-pam.c
+@@ -39,6 +39,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
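Review bot: The added `#include` line in this new patch file carries no rationale, and the header name itself is not visible in the hunk as rendered here, so a later updater cannot tell which symbol the include provides or whether it is still needed after the next upstream bump. Ports-style patch files accept free text before the first `---` header, so a one-line explanation there costs nothing, for example `# auth-pam.c uses a declaration from <HEADER-NAME placeholder> that is not pulled in transitively on this platform` with the real header substituted. The enclosing include block of auth-pam.c continues outside the hunk.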
diff --git a/net/openvpn/files/patch-tests__t_cltsrv.sh b/net/openvpn/files/patch-tests__t_cltsrv.sh
index e1dcb3ca..9d0af369 100644
--- a/net/openvpn/files/patch-tests__t_cltsrv.sh
+++ b/net/openvpn/files/patch-tests__t_cltsrv.sh
@@ -40,7 +40,7 @@
+ add='proto udp6 '
+fi
+for i in server client ; do
-+ sed -e "s/localhost/$2/" -e "/^remote /a\\
++ sed -e "s|localhost|${2%/*}|" -e "/^remote /a\\
+$add" ${root}/sample-config-files/loopback-$i \
+ >${root}/sample-config-files/loopback-$i.test
+done
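Review bot: The rewritten sed expression on the `++ sed` line still splices `${2%/*}` directly into the sed script, so while switching the delimiter to `|` removes the clash with a `/` inside the argument, a value containing `|`, `&` or a backslash would still alter the substitution. As this is the port's loopback test driver and `$2` presumably only ever carries a local address, optionally with a `/len` suffix that the `%/*` expansion strips, that is likely acceptable, but the assumption deserves a sentence in the patch file's leading text, e.g. `# $2 is the loopback address for the test, possibly with a /prefix-length; strip the suffix and use | as the sed delimiter so the address may contain /`. The `if` whose `fi` is the second line of the hunk begins outside it.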
diff --git a/net/openvpn/pkg-plist b/net/openvpn/pkg-plist
index 4416425b..73714ea7 100644
--- a/net/openvpn/pkg-plist
+++ b/net/openvpn/pkg-plist
@@ -1,25 +1,16 @@
-sbin/openvpn
+include/openvpn-msg.h
include/openvpn-plugin.h
-
lib/openvpn/plugins/openvpn-plugin-auth-pam.la
lib/openvpn/plugins/openvpn-plugin-auth-pam.so
lib/openvpn/plugins/openvpn-plugin-down-root.la
lib/openvpn/plugins/openvpn-plugin-down-root.so
-
-share/doc/openvpn/README.auth-pam
-share/doc/openvpn/README.down-root
-share/doc/openvpn/management-notes.txt
-
+man/man5/openvpn-examples.5.gz
+man/man8/openvpn.8.gz
+sbin/openvpn
+share/examples/openvpn/client.conf
+share/examples/openvpn/server.conf
+share/examples/openvpn/tls-home.conf
+share/examples/openvpn/tls-office.conf
@dir lib/openvpn/plugins
@dir lib/openvpn
-@dir share/doc/openvpn
-@dir share/doc
-
-%%EXAMPLESDIR%%/client.conf
-%%EXAMPLESDIR%%/server.conf
-%%EXAMPLESDIR%%/static-home.conf
-%%EXAMPLESDIR%%/static-office.conf
-%%EXAMPLESDIR%%/tls-home.conf
-%%EXAMPLESDIR%%/tls-office.conf
-@dir %%EXAMPLESDIR%%
-
+@dir share/examples/openvpn
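Review bot: The example-config entries on the new side (`share/examples/openvpn/client.conf` and the three lines after it, plus the closing `@dir share/examples/openvpn`) spell the directory literally, whereas the lines they replace used `%%EXAMPLESDIR%%`; if this tree uses the ports framework's EXAMPLESDIR substitution, the macro form is the conventional spelling and keeps the plist in step with any later override of EXAMPLESDIR in the Makefile. The three `share/doc/openvpn/*` entries are dropped without replacement, which is correct only if 2.5.5 no longer installs them, and that cannot be confirmed from this hunk. Unless EXAMPLESDIR is deliberately pinned, I would keep `%%EXAMPLESDIR%%/client.conf` and `@dir %%EXAMPLESDIR%%` as before.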