From 9585e8323a02d438f708459a6bfe8e0bca7e46c5 Mon Sep 17 00:00:00 2001 From: ziggi Date: Wed, 3 Jun 2020 07:57:27 +0000 Subject: [PATCH] openvpn minor update --- net/openvpn/Makefile | 2 +- net/openvpn/distinfo | 6 +- ...t-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 | 136 +++++++++++ ...t-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 | 61 +++++ ...t-b89e48b015e581a4a0f5c306e2ab20da34c862ea | 214 ++++++++++++++++++ ...t-cab48ad43eaba51c54fa23e55b0b2eb436dd921f | 40 ++++ ...t-fc0297143494e0a0f08564d90dbb210669d0abf5 | 28 +++ .../files/patch-src_openvpn_openssl__compat.h | 20 ++ .../files/patch-src_openvpn_ssl__openssl.c | 69 ++++++ 9 files changed, 572 insertions(+), 4 deletions(-) create mode 100644 net/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 create mode 100644 net/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 create mode 100644 net/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea create mode 100644 net/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f create mode 100644 net/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 create mode 100644 net/openvpn/files/patch-src_openvpn_openssl__compat.h create mode 100644 net/openvpn/files/patch-src_openvpn_ssl__openssl.c diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile index 0e131cd8..a52054c1 100644 --- a/net/openvpn/Makefile +++ b/net/openvpn/Makefile @@ -2,7 +2,7 @@ # $Id$ # PORTNAME= openvpn -PORTVERSION= 2.4.8 +PORTVERSION= 2.4.9 CATEGORIES= security net #MASTER_SITES= http://openvpn.net/release/ MASTER_SITES+= http://swupdate.openvpn.net/community/releases/ diff --git a/net/openvpn/distinfo b/net/openvpn/distinfo index f52ba9f9..767e4abc 100644 --- a/net/openvpn/distinfo +++ b/net/openvpn/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1572545475 -SHA256 (openvpn-2.4.8.tar.xz) = fb8ca66bb7807fff595fbdf2a0afd085c02a6aa47715c9aa3171002f9f1a3f91 -SIZE (openvpn-2.4.8.tar.xz) = 952444 +TIMESTAMP = 1591166889 +SHA256 (openvpn-2.4.9.tar.xz) = 641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2 +SIZE (openvpn-2.4.9.tar.xz) = 954264 diff --git a/net/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 b/net/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 new file mode 100644 index 00000000..b563b279 --- /dev/null +++ b/net/openvpn/files/patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992 
@@ -0,0 +1,136 @@ +From 098edbb1f5a2e1360fd6a4ae0642b63bec12e992 Mon Sep 17 00:00:00 2001 +From: Jeremy Evans +Date: Wed, 20 May 2020 11:34:04 -0700 +Subject: [PATCH] Switch assertion failure to returning false + +This assertion failure can be hit in production, which causes the +openvpn server process to stop and all clients to be disconnected. +Bug #1270 has been filed for this issue on Trac by another user +who has experienced the issue, and this patch attempts to address it. + +Tracing callers, it appears that some callers check ks->authenticated +before calling, but others do not. It may be possible to add the check +for the callers that do not check, but this seems to be a simpler +solution. + +To give some background, we hit this assertion failure, with the +following log output: + +``` +Tue May 19 15:57:05 2020 username/73.135.141.11:1194 PUSH: Received +control message: 'PUSH_REQUEST' +Tue May 19 15:57:05 2020 username/73.135.141.11:1194 SENT CONTROL +[username]: 'PUSH_REPLY,redirect-gateway +def1,comp-lzo,persist-key,persist-tun,route-gateway 10.28.47.1,topology +subnet,ping 10,ping-restart 120,ifconfig 10.28.47.38 255.255.255.0,peer-id +89' (status=1) +Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Assertion failed at +/path/to/openvpn-2.4.7/src/openvpn/ssl.c:1944 (ks->authenticated) +Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Exiting due to fatal +error +Tue May 19 15:57:05 2020 username/73.135.141.11:1194 Closing TUN/TAP +interface +``` + +using the following OpenVPN server configuration: + +``` +port 1194 +proto udp +dev-type tun +ca ca.crt +cert server.crt +key server.key +dh dh.pem +topology subnet +push "redirect-gateway def1" +push "comp-lzo" +push "persist-key" +push "persist-tun" +keepalive 10 120 +comp-lzo +user nobody +group nobody +persist-key +persist-tun +cd /home/openvpn/server +chroot /var/empty +daemon +verb 3 +crl-verify crl.pem +tls-auth ta.key 0 +cipher AES-256-CBC +tls-version-min 1.2 +tls-cipher 
ECDHE-RSA-AES256-GCM-SHA384 +ncp-disable +mute-replay-warnings +script-security 3 +auth-user-pass-verify "ldap-auth/ldap-auth" via-env +auth-user-pass-optional +``` + +and the following command line options: + +``` +--config openvpn.conf --dev tun1 --local 206.131.72.52 \ +--log-append openvpn.log --status openvpn-status.log \ +--server 10.28.47.0 255.255.255.0 +``` + +The failed assertion is inside the function +`tls_session_generate_data_channel_keys`, which is called 3 other places +in `ssl.c.`: + +* `key_method_2_write`: checks for `ks->authenticated` before calling + +* `key_method_2_read`: appears to run in client mode but not in server + mode + +* `tls_session_update_crypto_params`: runs in server mode and does not + check before calling + +That leads me to believe the problem caller is +`tls_session_update_crypto_params`. There.s three callers of +`tls_session_update_crypto_params`:. + +* `incoming_push_message` (`push.c`): Probably this caller, since the + server pushes configuration to clients, and the log shows the + assertion failure right after the push reply. + +* `multi_process_file_closed` (`multi.c`): Not this caller. NCP is + disabled in config, and async push was not enabled when compiling. + +* `do_deferred_options` (`init.c`): Not this caller. The server + configuration doesn't pull. + +Changing the assertion to returning false appears to be the simplest +fix. Another approach would be changing callers to check +`ks->authenticated` before calling, either +`tls_session_update_crypto_params` or `incoming_push_message`. 
+ +Signed-off-by: Jeremy Evans +Acked-by: Steffan Karger +Message-Id: <20200520183404.54822-1-code@jeremyevans.net> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19914.html +Signed-off-by: Gert Doering +(cherry picked from commit 984bd1e1601e4b9562dbc88b02a8db60b884286f) +--- + src/openvpn/ssl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c +index cf6689982..215147f37 100644 +--- ./src/openvpn/ssl.c ++++ ./src/openvpn/ssl.c +@@ -1941,7 +1941,10 @@ tls_session_generate_data_channel_keys(struct tls_session *session) + const struct session_id *server_sid = !session->opt->server ? + &ks->session_id_remote : &session->session_id; + +- ASSERT(ks->authenticated); ++ if (!ks->authenticated) { ++ msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated"); ++ goto cleanup; ++ } + + ks->crypto_options.flags = session->opt->crypto_flags; + if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi, diff --git a/net/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 b/net/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 new file mode 100644 index 00000000..f798c6cd --- /dev/null +++ b/net/openvpn/files/patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 
@@ -0,0 +1,61 @@ +From 38b46e6bf65489c2c5d75da1c02a3a1c33e6da88 Mon Sep 17 00:00:00 2001 +From: Selva Nair +Date: Thu, 20 Feb 2020 22:00:28 -0500 +Subject: [PATCH] Persist management-query-remote and proxy prompts + +Currently this prompt is only output once, not re-written to the +management interface when the management client connects. It is thus +not seen by a client that connects after the prompt is output or one that +disconnects and reconnects. This leads to a deadlock: the daemon waiting +for the "remote" command from the client, the latter not aware of it. + +Resolve by adding the ">REMOTE" and ">PROXY" prompt to +man.persist.special_state_msg as done for other persisted prompts such +as ">PASSWORD" + +Signed-off-by: Selva Nair +Acked-by: Gert Doering +Message-Id: <1582254028-7763-1-git-send-email-selva.nair@gmail.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19497.html +Signed-off-by: Gert Doering +(cherry picked from commit 93ba6ccddafcc87f336f50dadde144ea4f6178ad) +--- + src/openvpn/init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/openvpn/init.c b/src/openvpn/init.c +index 8bac74f97..e153682ed 100644 +--- ./src/openvpn/init.c ++++ ./src/openvpn/init.c +@@ -269,6 +269,7 @@ ce_management_query_proxy(struct context *c) + buf_printf(&out, ">PROXY:%u,%s,%s", (l ? l->current : 0) + 1, + (proto_is_udp(ce->proto) ? 
"UDP" : "TCP"), np(ce->remote)); + management_notify_generic(management, BSTR(&out)); ++ management->persist.special_state_msg = BSTR(&out); + } + ce->flags |= CE_MAN_QUERY_PROXY; + while (ce->flags & CE_MAN_QUERY_PROXY) +@@ -280,6 +281,7 @@ ce_management_query_proxy(struct context *c) + break; + } + } ++ management->persist.special_state_msg = NULL; + gc_free(&gc); + } + +@@ -349,6 +351,7 @@ ce_management_query_remote(struct context *c) + buf_printf(&out, ">REMOTE:%s,%s,%s", np(ce->remote), ce->remote_port, + proto2ascii(ce->proto, ce->af, false)); + management_notify_generic(management, BSTR(&out)); ++ management->persist.special_state_msg = BSTR(&out); + + ce->flags &= ~(CE_MAN_QUERY_REMOTE_MASK << CE_MAN_QUERY_REMOTE_SHIFT); + ce->flags |= (CE_MAN_QUERY_REMOTE_QUERY << CE_MAN_QUERY_REMOTE_SHIFT); +@@ -362,6 +365,7 @@ ce_management_query_remote(struct context *c) + break; + } + } ++ management->persist.special_state_msg = NULL; + } + gc_free(&gc); + diff --git a/net/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea b/net/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea new file mode 100644 index 00000000..de810ca5 --- /dev/null +++ b/net/openvpn/files/patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea 
@@ -0,0 +1,214 @@ +From b89e48b015e581a4a0f5c306e2ab20da34c862ea Mon Sep 17 00:00:00 2001 +From: Selva Nair +Date: Tue, 24 Jul 2018 22:34:53 -0400 +Subject: [PATCH] Parse static challenge response in auth-pam plugin + +If static challenge is in use, the password passed to the plugin by openvpn +is of the form "SCRV1:base64-pass:base64-response". Parse this string to +separate it into password and response and use them to respond to queries +in the pam conversation function. + +On the plugin parameters line the substitution keyword for the static +challenge response is "OTP". For example, for pam config named "test" that +prompts for "user", "password" and "pin", use + +plugin openvpn-auth-pam.so "test user USERNAME password PASSWORD pin OTP" + +Signed-off-by: Selva Nair + +Acked-by: Gert Doering +Message-Id: <1532486093-24793-1-git-send-email-selva.nair@gmail.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17307.html +Signed-off-by: Gert Doering +(cherry picked from commit 7369d01bf360bcfa02f26c05b86dde5496d120f6) +--- + src/plugins/auth-pam/README.auth-pam | 15 ++++-- + src/plugins/auth-pam/auth-pam.c | 75 +++++++++++++++++++++++++++- + 2 files changed, 84 insertions(+), 6 deletions(-) + +diff --git a/src/plugins/auth-pam/README.auth-pam b/src/plugins/auth-pam/README.auth-pam +index e12369021..908156542 100644 +--- a/src/plugins/auth-pam/README.auth-pam ++++ ./src/plugins/auth-pam/README.auth-pam +@@ -36,19 +36,20 @@ pairs to answer PAM module queries. + + For example: + +- plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD" ++ plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP" + + tells auth-pam to (a) use the "login" PAM module, (b) answer a +-"login" query with the username given by the OpenVPN client, and +-(c) answer a "password" query with the password given by the +-OpenVPN client. 
This provides flexibility in dealing with the different ++"login" query with the username given by the OpenVPN client, ++(c) answer a "password" query with the password, and (d) answer a ++"pin" query with the OTP given by the OpenVPN client. ++This provides flexibility in dealing with different + types of query strings which different PAM modules might generate. + For example, suppose you were using a PAM module called + "test" which queried for "name" rather than "login": + + plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD" + +-While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute ++While "USERNAME" "COMMONNAME" "PASSWORD" and "OTP" are special strings which substitute + to client-supplied values, it is also possible to name literal values + to use as PAM module query responses. For example, suppose that the + login module queried for a third parameter, "domain" which +@@ -61,6 +62,10 @@ the operation of this plugin: + + client-cert-not-required + username-as-common-name ++ static-challenge ++ ++Use of --static challenege is required to pass a pin (represented by "OTP" in ++parameter substituion) or a second password. + + Run OpenVPN with --verb 7 or higher to get debugging output from + this plugin, including the list of queries presented by the +diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c +index 5ba4dc4cb..1324307f1 100644 +--- a/src/plugins/auth-pam/auth-pam.c ++++ ./src/plugins/auth-pam/auth-pam.c +@@ -6,6 +6,7 @@ + * packet compression. 
+ * + * Copyright (C) 2002-2018 OpenVPN Inc ++ * Copyright (C) 2016-2018 Selva Nair + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 +@@ -64,6 +65,7 @@ + + /* Pointers to functions exported from openvpn */ + static plugin_secure_memzero_t plugin_secure_memzero = NULL; ++static plugin_base64_decode_t plugin_base64_decode = NULL; + + /* + * Plugin state, used by foreground +@@ -87,6 +89,7 @@ struct auth_pam_context + * "USERNAME" -- substitute client-supplied username + * "PASSWORD" -- substitute client-specified password + * "COMMONNAME" -- substitute client certificate common name ++ * "OTP" -- substitute static challenge response if available + */ + + #define N_NAME_VALUE 16 +@@ -111,6 +114,7 @@ struct user_pass { + char username[128]; + char password[128]; + char common_name[128]; ++ char response[128]; + + const struct name_value_list *name_value_list; + }; +@@ -276,6 +280,66 @@ name_value_match(const char *query, const char *match) + return strncasecmp(match, query, strlen(match)) == 0; + } + ++/* ++ * Split and decode up->password in the form SCRV1:base64_pass:base64_response ++ * into pass and response and save in up->password and up->response. ++ * If the password is not in the expected format, input is not changed. 
++ */ ++static void ++split_scrv1_password(struct user_pass *up) ++{ ++ const int skip = strlen("SCRV1:"); ++ if (strncmp(up->password, "SCRV1:", skip) != 0) ++ { ++ return; ++ } ++ ++ char *tmp = strdup(up->password); ++ if (!tmp) ++ { ++ fprintf(stderr, "AUTH-PAM: out of memory parsing static challenge password\n"); ++ goto out; ++ } ++ ++ char *pass = tmp + skip; ++ char *resp = strchr(pass, ':'); ++ if (!resp) /* string not in SCRV1:xx:yy format */ ++ { ++ goto out; ++ } ++ *resp++ = '\0'; ++ ++ int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1); ++ if (n > 0) ++ { ++ up->password[n] = '\0'; ++ n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1); ++ if (n > 0) ++ { ++ up->response[n] = '\0'; ++ if (DEBUG(up->verb)) ++ { ++ fprintf(stderr, "AUTH-PAM: BACKGROUND: parsed static challenge password\n"); ++ } ++ goto out; ++ } ++ } ++ ++ /* decode error: reinstate original value of up->password and return */ ++ plugin_secure_memzero(up->password, sizeof(up->password)); ++ plugin_secure_memzero(up->response, sizeof(up->response)); ++ strcpy(up->password, tmp); /* tmp is guaranteed to fit in up->password */ ++ ++ fprintf(stderr, "AUTH-PAM: base64 decode error while parsing static challenge password\n"); ++ ++out: ++ if (tmp) ++ { ++ plugin_secure_memzero(tmp, strlen(tmp)); ++ free(tmp); ++ } ++} ++ + OPENVPN_EXPORT int + openvpn_plugin_open_v3(const int v3structver, + struct openvpn_plugin_args_open_in const *args, +@@ -316,6 +380,7 @@ openvpn_plugin_open_v3(const int v3structver, + + /* Save global pointers to functions exported from openvpn */ + plugin_secure_memzero = args->callbacks->plugin_secure_memzero; ++ plugin_base64_decode = args->callbacks->plugin_base64_decode; + + /* + * Make sure we have two string arguments: the first is the .so name, +@@ -599,6 +664,10 @@ my_conv(int n, const struct pam_message **msg_array, + { + aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name); + } ++ else if 
(strstr(match_value, "OTP")) ++ { ++ aresp[i].resp = searchandreplace(match_value, "OTP", up->response); ++ } + else + { + aresp[i].resp = strdup(match_value); +@@ -787,6 +856,9 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * + #endif + } + ++ /* If password is of the form SCRV1:base64:base64 split it up */ ++ split_scrv1_password(&up); ++ + if (pam_auth(service, &up)) /* Succeeded */ + { + if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1) +@@ -818,10 +890,11 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list * + command); + goto done; + } ++ plugin_secure_memzero(up.response, sizeof(up.response)); + } + done: +- + plugin_secure_memzero(up.password, sizeof(up.password)); ++ plugin_secure_memzero(up.response, sizeof(up.response)); + #ifdef USE_PAM_DLOPEN + dlclose_pam(); + #endif diff --git a/net/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f b/net/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f new file mode 100644 index 00000000..8ba8e7f2 --- /dev/null +++ b/net/openvpn/files/patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f 
@@ -0,0 +1,40 @@ +From cab48ad43eaba51c54fa23e55b0b2eb436dd921f Mon Sep 17 00:00:00 2001 +From: Selva Nair +Date: Tue, 7 Aug 2018 22:44:31 -0400 +Subject: [PATCH] Accept empty password and/or response in auth-pam plugin + +In the auth-pam plugin correctly parse the static challenge string +even when password or challenge response is empty. + +Whether an empty user input is an error is determined by the PAM +conversation function depending on whether the PAM module queries +for it or not. + +Signed-off-by: Selva Nair +Acked-by: Gert Doering +Message-Id: <1533696271-21799-2-git-send-email-selva.nair@gmail.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17382.html +Signed-off-by: Gert Doering +(cherry picked from commit 7a8109023f4c345fe12f23421c5fa7e88e1ea85b) +--- + src/plugins/auth-pam/auth-pam.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c +index 1324307f1..88b53204b 100644 +--- a/src/plugins/auth-pam/auth-pam.c ++++ ./src/plugins/auth-pam/auth-pam.c +@@ -310,11 +310,11 @@ split_scrv1_password(struct user_pass *up) + *resp++ = '\0'; + + int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1); +- if (n > 0) ++ if (n >= 0) + { + up->password[n] = '\0'; + n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1); +- if (n > 0) ++ if (n >= 0) + { + up->response[n] = '\0'; + if (DEBUG(up->verb)) diff --git a/net/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 b/net/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 new file mode 100644 index 00000000..c946f8c7 --- /dev/null +++ b/net/openvpn/files/patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 
@@ -0,0 +1,28 @@ +From fc0297143494e0a0f08564d90dbb210669d0abf5 Mon Sep 17 00:00:00 2001 +From: Antonio Quartulli +Date: Sat, 30 May 2020 02:05:54 +0200 +Subject: [PATCH] pool: prevent IPv6 pools to be larger than 2^16 addresses + +Signed-off-by: Antonio Quartulli +Acked-by: Gert Doering +Message-Id: <20200530000600.1680-2-a@unstable.cc> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19945.html +Signed-off-by: Gert Doering +(cherry picked from commit 81d66a1f14d4be3282dd648ecc2049658e3a65ed) +--- + src/openvpn/pool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/openvpn/pool.c b/src/openvpn/pool.c +index da28bc06b..e45bf88a2 100644 +--- ./src/openvpn/pool.c ++++ ./src/openvpn/pool.c +@@ -183,7 +183,7 @@ ifconfig_pool_init(int type, in_addr_t start, in_addr_t end, + if (pool->ipv6) + { + pool->base_ipv6 = ipv6_base; +- pool->size_ipv6 = ipv6_netbits>96 ? ( 1<<(128-ipv6_netbits) ) ++ pool->size_ipv6 = ipv6_netbits > 112 ? (1 << (128 - ipv6_netbits)) + : IFCONFIG_POOL_MAX; + + msg( D_IFCONFIG_POOL, "IFCONFIG POOL IPv6: (IPv4) size=%d, size_ipv6=%d, netbits=%d, base_ipv6=%s", diff --git a/net/openvpn/files/patch-src_openvpn_openssl__compat.h b/net/openvpn/files/patch-src_openvpn_openssl__compat.h new file mode 100644 index 00000000..2d68b96e --- /dev/null +++ b/net/openvpn/files/patch-src_openvpn_openssl__compat.h 
@@ -0,0 +1,20 @@ +--- src/openvpn/openssl_compat.h.orig 2020-04-16 13:26:45 UTC ++++ src/openvpn/openssl_compat.h +@@ -747,7 +747,7 @@ SSL_CTX_get_max_proto_version(SSL_CTX *ctx) + } + #endif /* SSL_CTX_get_max_proto_version */ + +-#ifndef SSL_CTX_set_min_proto_version ++#if !defined(SSL_CTX_set_min_proto_version) && !defined(LIBRESSL_VERSION_NUMBER) + /** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */ + static inline int + SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min) +@@ -776,7 +776,7 @@ SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_v + } + #endif /* SSL_CTX_set_min_proto_version */ + +-#ifndef SSL_CTX_set_max_proto_version ++#if !defined(SSL_CTX_set_max_proto_version) && !defined(LIBRESSL_VERSION_NUMBER) + /** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */ + static inline int + SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) diff --git a/net/openvpn/files/patch-src_openvpn_ssl__openssl.c b/net/openvpn/files/patch-src_openvpn_ssl__openssl.c new file mode 100644 index 00000000..6d66949a --- /dev/null +++ b/net/openvpn/files/patch-src_openvpn_ssl__openssl.c 
@@ -0,0 +1,69 @@ +In the corner case that the global OpenSSL has an invalid command like + + MinProtocol = TLSv1.0 + +(Due to OpenSSL's idiosyncrasies MinProtocol = TLSv1 would be correct) + +the SSL_ctx_new function leaves the errors for parsing the config file +on the stack. + +OpenSSL: error:14187180:SSL routines:ssl_do_config:bad value + +Since the later functions, especially the one of loading the +certificates expected a clean error this error got reported at the +wrong place. + +Print the warnings with crypto_msg when we detect that we are in this +situation (this also clears the stack). +--- + src/openvpn/ssl_openssl.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +Acked-by: Gert Doering + +"Explanation and Code make sense, Debian testing confirmed it fixes +the problem observed" (which was a user error in the end, but led to an +unexpected error in openvpn). + +Basic client test run with openssl 1.1.1 on Linux/Gentoo. + +Your patch has been applied to the master and release/2.4 branch. + +commit 75aa88af774abaa168bf72e43e1dbb57be14c044 (master) +commit 125654bfa6f99a251b581522182e85748dd8043a (release/2.4) +Author: Arne Schwabe +Date: Tue Apr 21 12:11:22 2020 +0200 + + Fix tls_ctx_client/server_new leaving error on OpenSSL error stack + + Acked-by: Gert Doering + Message-Id: <20200421101122.24284-1-arne@rfc2549.org> + URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19802.html + 
Signed-off-by: Gert Doering + +--- src/openvpn/ssl_openssl.c.orig 2020-04-16 13:26:45 UTC ++++ src/openvpn/ssl_openssl.c +@@ -110,6 +110,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx) + { + crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method"); + } ++ if (ERR_peek_error() != 0) ++ { ++ crypto_msg(M_WARN, "Warning: TLS server context initialisation " ++ "has warnings."); ++ } + } + + void +@@ -122,6 +127,11 @@ tls_ctx_client_new(struct tls_root_ctx *ctx) + if (ctx->ctx == NULL) + { + crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method"); ++ } ++ if (ERR_peek_error() != 0) ++ { ++ crypto_msg(M_WARN, "Warning: TLS client context initialisation " ++ "has warnings."); + } + } +
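Review bot: the commit subject "openvpn minor update" undersells what the Makefile hunk's PORTVERSION bump from 2.4.8 to 2.4.9 carries with it: five backported upstream commits and two local patches, one of which (patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992) turns a server-wide daemon exit on a failed `ASSERT(ks->authenticated)` into a logged TLS error. Suggest a commit message that names the backports, for example `openvpn: update to 2.4.9, backport upstream fixes (assertion crash in ssl.c, IPv6 pool size cap, auth-pam static challenge, LibreSSL compat)`, so the security-relevant change is findable from the port log.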
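Review bot: the new `SHA256 (openvpn-2.4.9.tar.xz)` and `SIZE` lines in the distinfo hunk are, as usual for a makesum run, derived from the tarball that happened to be fetched from the mirror in MASTER_SITES, so they pin only what was downloaded. Before committing, verify that tarball against the detached signature upstream publishes next to the release, so that the checksum the ports framework will enforce from now on is anchored to the OpenVPN release key rather than to the mirror's copy; a one-line "verified against upstream signature" in the commit message records that this was done.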
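Review bot: in the ssl.c hunk of patch-git-098edbb1f5a2e1360fd6a4ae0642b63bec12e992, the replacement `if (!ks->authenticated) { msg(D_TLS_ERRORS, ...); goto cleanup; }` depends on a `cleanup:` label and on the function's return value defaulting to false, neither of which appears in the hunk's context lines; when this backport is regenerated against 2.4.9, confirm both are present in `tls_session_generate_data_channel_keys` so the "returning false" the subject promises is what actually happens. Style: this hunk puts the opening brace on the `if` line, while every other C hunk in the set (auth-pam.c, ssl_openssl.c) uses the brace-on-its-own-line layout of the surrounding code; match it. The port log should also mention that this changes a daemon exit the upstream message says is hit in production (every connected client dropped) into a per-session error, which is the kind of fix operators look for when deciding whether to update.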
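Review bot: in the init.c hunks of patch-git-38b46e6bf65489c2c5d75da1c02a3a1c33e6da88, `management->persist.special_state_msg = BSTR(&out);` points the persisted prompt at a buffer owned by the function's local `gc`, so the pointer is valid only until `gc_free(&gc)`. The hunk does reset it to NULL before that in both `ce_management_query_proxy` and `ce_management_query_remote`, and the `break` statements inside the two while loops fall through to those resets, but nothing in the code says the ordering is load-bearing. Suggest a one-line comment at each `special_state_msg = BSTR(&out)` noting that it must be cleared before `gc_free`, so a future early return in either function does not leave a dangling pointer that is replayed to the next management client that connects.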
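Review bot: the README.auth-pam hunk in patch-git-b89e48b015e581a4a0f5c306e2ab20da34c862ea has typos in the lines it adds: `Use of --static challenege is required to pass a pin (represented by "OTP" in parameter substituion)` should read `--static-challenge` (the hyphenated option name, matching the `static-challenge` entry added two lines above) and `substitution`. Since this file is a verbatim upstream cherry-pick the fix belongs upstream, but note it in the port log. In the auth-pam.c hunk, `split_scrv1_password` is careful about buffer sizes (both decodes target `sizeof(...)-1` and write the terminator explicitly, and the restore `strcpy(up->password, tmp)` copies back a string that originated in the same buffer), but its `n > 0` checks treat an empty password or empty response as a decode failure, after which the raw `SCRV1:...` string is restored and handed to PAM as the password. That is exactly what the next file in this set (patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f) corrects, so the two patches must be applied together; say so in the commit message.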
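Review bot: in the auth-pam.c hunk of patch-git-cab48ad43eaba51c54fa23e55b0b2eb436dd921f, relaxing both guards from `n > 0` to `n >= 0` means a `SCRV1::<response>` or `SCRV1:<pass>:` string now produces `up->password[0] = '\0'` or `up->response[0] = '\0'`, i.e. an empty credential is passed into the PAM conversation rather than being rejected at parse time. The upstream message says the PAM module decides whether that is an error, so the operational caveat should be spelled out in README.auth-pam: the PAM service this plugin is pointed at must not accept empty passwords (for instance `nullok` on pam_unix), or a client that sends an empty static-challenge password could be authenticated by the module alone.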
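Review bot: the pool.c hunk in patch-git-fc0297143494e0a0f08564d90dbb210669d0abf5 carries a one-line upstream message with no rationale, and the fix is not self-explanatory from the diff, so the port log (or a comment in the patch file) should state why: with the old `ipv6_netbits>96` test, a prefix between /97 and /111 computed `1<<(128-ipv6_netbits)`, which at /97 is `1<<31` (undefined for a signed `int`) and in every case between /97 and /111 exceeds the 2^16 limit the subject names, so `pool->size_ipv6` was set from a configuration value far above IFCONFIG_POOL_MAX. The new `> 112` threshold caps the computed size at `1<<15` and uses IFCONFIG_POOL_MAX for /112 and shorter prefixes; confirm IFCONFIG_POOL_MAX is `1<<16` so a /112 pool keeps the same size as before.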
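Review bot: patch-src_openvpn_openssl__compat.h has no header explaining why the two compatibility shims are now skipped when `LIBRESSL_VERSION_NUMBER` is defined, unlike the git backports in this set, which carry their upstream message. Presumably LibreSSL exports `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version` as real functions rather than macros, so the `#ifndef` test never fires and these `long`-taking static inline definitions collide with the library's; put that reasoning, the LibreSSL version the port builds against, and whether the change was sent upstream in a comment at the top of the patch file, so the next maintainer can tell when it is safe to drop.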
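Review bot: patch-src_openvpn_ssl__openssl.c is, per its own header, upstream commit 125654bfa6f99a251b581522182e85748dd8043a on release/2.4, so it should follow the `patch-git-<hash>` naming the other five backports use, and the pasted mailing-list reply above the diff ("Your patch has been applied to the master and release/2.4 branch.") should be trimmed to the commit message as in the other files. On the change itself: in both `tls_ctx_server_new` and `tls_ctx_client_new`, `ERR_peek_error() != 0` is followed by a fixed string, "TLS server/client context initialisation has warnings.", that does not say what the leftover error is; the upstream message notes that `crypto_msg` prints and drains the OpenSSL error queue, so the underlying `ssl_do_config:bad value` line does reach the log, but a hint in the warning text that the likely source is the system-wide OpenSSL configuration (the reported case was `MinProtocol = TLSv1.0` in the global config) would save operators the search.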