Merge ~lvoytek/ubuntu/+source/openvpn:MRE-jammy-2.5.9 into ubuntu/+source/openvpn:ubuntu/jammy-devel

Proposed by Lena Voytek
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 92190dd39433831d4a2333b7bc97f49160f102e7
Proposed branch: ~lvoytek/ubuntu/+source/openvpn:MRE-jammy-2.5.9
Merge into: ubuntu/+source/openvpn:ubuntu/jammy-devel
Diff against target: 602 lines (+188/-40)
20 files modified
ChangeLog (+25/-0)
Changes.rst (+32/-0)
build/msvc/msvc-generate/Makefile.mak (+6/-3)
configure (+13/-13)
debian/changelog (+17/-0)
doc/man-sections/protocol-options.rst (+7/-0)
doc/openvpn.8 (+7/-0)
doc/openvpn.8.html (+6/-0)
include/openvpn-plugin.h (+1/-1)
sample/sample-plugins/Makefile (+5/-5)
src/openvpn/forward.c (+0/-3)
src/openvpn/misc.c (+1/-0)
src/openvpn/misc.h (+1/-0)
src/openvpn/ntlm.c (+13/-0)
src/openvpn/options.c (+10/-5)
src/openvpn/push.c (+7/-5)
src/openvpn/ssl_mbedtls.c (+7/-1)
src/openvpn/ssl_ncp.c (+14/-2)
tests/unit_tests/openvpn/test_ncp.c (+14/-0)
version.m4 (+2/-2)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Lucas Kanashiro (community) Approve
Andreas Hasenack Pending
Canonical Server Reporter Pending
Review via email: mp+449214@code.launchpad.net

Description of the change

MRE for version 2.5.9 in Jammy with the caveat that each upstream commit is checked for backwards-incompatible changes.

OpenVPN is currently rejected as an MRE, but the SRU team has agreed to accept version updates in Jammy provided that they are aware of changes that may break an existing user's setup. For more context see: https://lists.ubuntu.com/archives/ubuntu-release/2023-July/005688.html

Going through all 12 commits I found no additions that would break a user's setup, and there was only one change that contains a feature update. The new feature allows users to include optional cipher algorithms in the --data-ciphers option.

PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/openvpn-mre

Autopkgtest results:
  openvpn @ amd64:
    15.08.23 20:09:34 Log 🗒️ ✅ Triggers: openvpn/2.5.9-0ubuntu0.22.04.1~ppa1
  openvpn @ arm64:
    15.08.23 20:27:18 Log 🗒️ ✅ Triggers: openvpn/2.5.9-0ubuntu0.22.04.1~ppa1
  openvpn @ armhf:
    15.08.23 20:07:48 Log 🗒️ ✅ Triggers: openvpn/2.5.9-0ubuntu0.22.04.1~ppa1
  openvpn @ ppc64el:
    15.08.23 20:10:28 Log 🗒️ ✅ Triggers: openvpn/2.5.9-0ubuntu0.22.04.1~ppa1
  openvpn @ s390x:
    15.08.23 20:15:29 Log 🗒️ ✅ Triggers: openvpn/2.5.9-0ubuntu0.22.04.1~ppa1

Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for this MP, Lena!

I reviewed all changes related to version 2.5.9 (nothing from 2.5.8 that is already in jammy-proposed), and I agree with your analysis. There is this single change introducing a new feature (--data-ciphers) which is optional. I do not think there will be any pushback from the SRU team because of this, since it will not change any behavior for existing users.

Build, tests, changelog, bug description... everything looks good to me! +1.

review: Approve
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: lvoytek, lucaskanashiro
Uploaders: lvoytek, lucaskanashiro
MP auto-approved

review: Approve
Lena Voytek (lvoytek) wrote :

Thanks for the review, Lucas! Uploaded:

dput ubuntu ../openvpn_2.5.9-0ubuntu0.22.04.1_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../openvpn_2.5.9-0ubuntu0.22.04.1_source.changes: Valid signature from 34B8AD7D9529E793
Checking signature on .dsc
gpg: ../openvpn_2.5.9-0ubuntu0.22.04.1.dsc: Valid signature from 34B8AD7D9529E793
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openvpn_2.5.9-0ubuntu0.22.04.1.dsc: done.
  Uploading openvpn_2.5.9.orig.tar.gz: done.
  Uploading openvpn_2.5.9-0ubuntu0.22.04.1.debian.tar.xz: done.
  Uploading openvpn_2.5.9-0ubuntu0.22.04.1_source.buildinfo: done.
  Uploading openvpn_2.5.9-0ubuntu0.22.04.1_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/ChangeLog b/ChangeLog
2index 5da537a..3701823 100644
3--- a/ChangeLog
4+++ b/ChangeLog
5@@ -1,6 +1,31 @@
6 OpenVPN Change Log
7 Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
8
9+2023.02.14 -- Version 2.5.9
10+
11+Arne Schwabe (6):
12+ Implement optional cipher in --data-ciphers prefixed with ?
13+ Fix handling an optional invalid cipher at the end of data-ciphers
14+ Ensure that argument to parse_line has always space for final sentinel
15+ Improve documentation on user/password requirement and unicodize function
16+ Remove unused gc_arena
17+ Fix corner case that might lead to leaked file descriptor
18+
19+Frank Lichtenheld (1):
20+ msvc: always call git-version.py
21+
22+Lev Stipakov (1):
23+ git-version.py: proper support for tags
24+
25+Max Fillinger (1):
26+ Check if pkcs11_cert is NULL before freeing it
27+
28+Selva Nair (3):
29+ Do not add leading space to pushed options
30+ pull-filter: ignore leading "spaces" in option names
31+ Do not include auth-token in pulled option digest
32+
33+
34 2022.10.27 -- Version 2.5.8
35
36 Antonio Quartulli (1):
37diff --git a/Changes.rst b/Changes.rst
38index cafb1f2..3ba78c6 100644
39--- a/Changes.rst
40+++ b/Changes.rst
41@@ -1,3 +1,35 @@
42+Overview of changes in 2.5.9
43+============================
44+
45+New features
46+------------
47+- Optional ciphers in ``--data-ciphers``
48+ Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark
49+ those as optional and only use them if the SSL library supports them.
50+
51+User-visible Changes
52+--------------------
53+- when compiling from a git checkout, put proper branch names into
54+ windows builds
55+
56+Bugfixes
57+--------
58+- do not include auth-token in pulled-option digest (interferes with
59+ persist-tun when auth-token is in use, GH #200).
60+
61+- fix corner case that might lead to leaked file descriptor
62+
63+- fix parser bug (parse_line()) that can lead to buffer overflows on
64+ malformed command line or server ccd file handling. Not exploitable.
65+
66+- pull-filter: ignore leading spaces in option names (work around server side
67+ bug with erroneous extra spaces)
68+
69+- push: do not add leading spaces to "out of renegotiations" pushed auth-token
70+
71+- fix NULL pointer crash on "openvpn --show-tls" with mbedtls
72+
73+
74 Overview of changes in 2.5.8
75 ============================
76
77diff --git a/build/msvc/msvc-generate/Makefile.mak b/build/msvc/msvc-generate/Makefile.mak
78index ae8b084..1c1c4ba 100644
79--- a/build/msvc/msvc-generate/Makefile.mak
80+++ b/build/msvc/msvc-generate/Makefile.mak
81@@ -51,10 +51,13 @@ $(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG)
82 cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" --input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)"
83
84 $(OUTPUT_MAN): $(INPUT_MAN)
85- -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)"
86+ -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)"
87
88-$(OUTPUT_MSVC_GIT_CONFIG):
89- python git-version.py $(SOLUTIONDIR)
90+# Force regeneration because we can't detect whether it is outdated
91+$(OUTPUT_MSVC_GIT_CONFIG): FORCE
92+ python git-version.py $(SOLUTIONDIR)
93+
94+FORCE:
95
96 clean:
97 -del "$(OUTPUT_MSVC_VER)"
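Review bot: the `-FOR /F %i IN ('where rst2html.py') ...` line is removed and re-added with no visible difference, so this looks like a whitespace-only (tab vs. spaces) edit; worth confirming it is intentional rather than an editor artifact. The `FORCE` prerequisite is the right way to make git-version.py rerun on every build, since nmake cannot tell when the generated config is stale.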
98diff --git a/configure b/configure
99index 6b01f1c..b8acf1a 100755
100--- a/configure
101+++ b/configure
102@@ -1,6 +1,6 @@
103 #! /bin/sh
104 # Guess values for system-dependent variables and create Makefiles.
105-# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.8.
106+# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.9.
107 #
108 # Report bugs to <openvpn-users@lists.sourceforge.net>.
109 #
110@@ -621,8 +621,8 @@ MAKEFLAGS=
111 # Identity of this package.
112 PACKAGE_NAME='OpenVPN'
113 PACKAGE_TARNAME='openvpn'
114-PACKAGE_VERSION='2.5.8'
115-PACKAGE_STRING='OpenVPN 2.5.8'
116+PACKAGE_VERSION='2.5.9'
117+PACKAGE_STRING='OpenVPN 2.5.9'
118 PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net'
119 PACKAGE_URL=''
120
121@@ -1507,7 +1507,7 @@ if test "$ac_init_help" = "long"; then
122 # Omit some internal or obsolete options to make the list less imposing.
123 # This message is too long to be a string in the A/UX 3.1 sh.
124 cat <<_ACEOF
125-\`configure' configures OpenVPN 2.5.8 to adapt to many kinds of systems.
126+\`configure' configures OpenVPN 2.5.9 to adapt to many kinds of systems.
127
128 Usage: $0 [OPTION]... [VAR=VALUE]...
129
130@@ -1578,7 +1578,7 @@ fi
131
132 if test -n "$ac_init_help"; then
133 case $ac_init_help in
134- short | recursive ) echo "Configuration of OpenVPN 2.5.8:";;
135+ short | recursive ) echo "Configuration of OpenVPN 2.5.9:";;
136 esac
137 cat <<\_ACEOF
138
139@@ -1794,7 +1794,7 @@ fi
140 test -n "$ac_init_help" && exit $ac_status
141 if $ac_init_version; then
142 cat <<\_ACEOF
143-OpenVPN configure 2.5.8
144+OpenVPN configure 2.5.9
145 generated by GNU Autoconf 2.71
146
147 Copyright (C) 2021 Free Software Foundation, Inc.
148@@ -2588,7 +2588,7 @@ cat >config.log <<_ACEOF
149 This file contains any messages produced by compilers while
150 running configure, to aid debugging if configure makes a mistake.
151
152-It was created by OpenVPN $as_me 2.5.8, which was
153+It was created by OpenVPN $as_me 2.5.9, which was
154 generated by GNU Autoconf 2.71. Invocation command line was
155
156 $ $0$ac_configure_args_raw
157@@ -3364,13 +3364,13 @@ if test -z "${htmldir}"; then
158 fi
159
160
161-printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,8,0" >>confdefs.h
162+printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,9,0" >>confdefs.h
163
164 OPENVPN_VERSION_MAJOR=2
165
166 OPENVPN_VERSION_MINOR=5
167
168-OPENVPN_VERSION_PATCH=.8
169+OPENVPN_VERSION_PATCH=.9
170
171
172 printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
173@@ -3379,7 +3379,7 @@ printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
174 printf "%s\n" "#define OPENVPN_VERSION_MINOR 5" >>confdefs.h
175
176
177-printf "%s\n" "#define OPENVPN_VERSION_PATCH \".8\"" >>confdefs.h
178+printf "%s\n" "#define OPENVPN_VERSION_PATCH \".9\"" >>confdefs.h
179
180
181
182@@ -3905,7 +3905,7 @@ fi
183
184 # Define the identity of the package.
185 PACKAGE='openvpn'
186- VERSION='2.5.8'
187+ VERSION='2.5.9'
188
189
190 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
191@@ -20500,7 +20500,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
192 # report actual input values of CONFIG_FILES etc. instead of their
193 # values after options handling.
194 ac_log="
195-This file was extended by OpenVPN $as_me 2.5.8, which was
196+This file was extended by OpenVPN $as_me 2.5.9, which was
197 generated by GNU Autoconf 2.71. Invocation command line was
198
199 CONFIG_FILES = $CONFIG_FILES
200@@ -20568,7 +20568,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
201 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
202 ac_cs_config='$ac_cs_config_escaped'
203 ac_cs_version="\\
204-OpenVPN config.status 2.5.8
205+OpenVPN config.status 2.5.9
206 configured by $0, generated by GNU Autoconf 2.71,
207 with options \\"\$ac_cs_config\\"
208
209diff --git a/debian/changelog b/debian/changelog
210index 241b094..fe545f9 100644
211--- a/debian/changelog
212+++ b/debian/changelog
213@@ -1,3 +1,20 @@
214+openvpn (2.5.9-0ubuntu0.22.04.1) jammy; urgency=medium
215+
216+ * New upstream release 2.5.9 (LP: #2004676):
217+ - The version is being updated to the latest in 2.5.x rather than 2.6.x to
218+ avoid feature releases and focus on bug fixes
219+ - Updates:
220+ + Allow optional ciphers in --data-ciphers
221+ - Bug Fixes Include:
222+ + Fix null pointer error when running openvpn --show-tls with mbedtls
223+ + Fix corner case that could lead to leaked file descriptor
224+ + Fix parsing issue in pull-filter when there are leading spaces
225+ + Fix possible buffer overflow in parse_line argument
226+ + See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25 for
227+ additional bug fixes and information
228+
229+ -- Lena Voytek <lena.voytek@canonical.com> Tue, 15 Aug 2023 10:48:49 -0700
230+
231 openvpn (2.5.8-0ubuntu0.22.04.1) jammy; urgency=medium
232
233 * New upstream releases 2.5.6-2.5.8 (LP: #2004676):
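Review bot: the entry "Fix possible buffer overflow in parse_line argument" describes the same fix that upstream's Changes.rst in this diff calls "Not exploitable"; saying so here as well would help the SRU team gauge severity at a glance. Also, the LP bug (#2004676) is the same one used for the 2.5.8 entry below; confirm that bug is meant to track the 2.5.9 update too.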
234diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
235index e9d5d63..25f8db1 100644
236--- a/doc/man-sections/protocol-options.rst
237+++ b/doc/man-sections/protocol-options.rst
238@@ -184,6 +184,13 @@ configured in a compatible way between both the local and remote side.
239 supported by the client will be pushed to clients that support cipher
240 negotiation.
241
242+ Starting with OpenVPN 2.5.9 a cipher can be prefixed with a :code:`?` to mark
243+ it as optional. This allows including ciphers in the list that may not be
244+ available on all platforms.
245+ E.g. :code:`AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305` would only enable
246+ Chacha20-Poly1305 if the underlying SSL library (and its configuration)
247+ supports it.
248+
249 Cipher negotiation is enabled in client-server mode only. I.e. if
250 ``--mode`` is set to 'server' (server-side, implied by setting
251 ``--server`` ), or if ``--pull`` is specified (client-side, implied by
252diff --git a/doc/openvpn.8 b/doc/openvpn.8
253index 1b8dfcd..197d1eb 100644
254--- a/doc/openvpn.8
255+++ b/doc/openvpn.8
256@@ -887,6 +887,13 @@ For servers, the first cipher from \fBcipher\-list\fP that is also
257 supported by the client will be pushed to clients that support cipher
258 negotiation.
259 .sp
260+Starting with OpenVPN 2.5.9 a cipher can be prefixed with a \fB?\fP to mark
261+it as optional. This allows including ciphers in the list that may not be
262+available on all platforms.
263+E.g. \fBAES\-256\-GCM:AES\-128\-GCM:?CHACHA20\-POLY1305\fP would only enable
264+Chacha20\-Poly1305 if the underlying SSL library (and its configuration)
265+supports it.
266+.sp
267 Cipher negotiation is enabled in client\-server mode only. I.e. if
268 \fB\-\-mode\fP is set to \(aqserver\(aq (server\-side, implied by setting
269 \fB\-\-server\fP ), or if \fB\-\-pull\fP is specified (client\-side, implied by
270diff --git a/doc/openvpn.8.html b/doc/openvpn.8.html
271index 12705c9..2a6f0b8 100644
272--- a/doc/openvpn.8.html
273+++ b/doc/openvpn.8.html
274@@ -1113,6 +1113,12 @@ and defaults to <code>AES-256-GCM:AES-128-GCM</code>.</p>
275 <p>For servers, the first cipher from <tt class="docutils literal"><span class="pre">cipher-list</span></tt> that is also
276 supported by the client will be pushed to clients that support cipher
277 negotiation.</p>
278+<p>Starting with OpenVPN 2.5.9 a cipher can be prefixed with a <code>?</code> to mark
279+it as optional. This allows including ciphers in the list that may not be
280+available on all platforms.
281+E.g. <code>AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305</code> would only enable
282+Chacha20-Poly1305 if the underlying SSL library (and its configuration)
283+supports it.</p>
284 <p>Cipher negotiation is enabled in client-server mode only. I.e. if
285 <tt class="docutils literal"><span class="pre">--mode</span></tt> is set to 'server' (server-side, implied by setting
286 <tt class="docutils literal"><span class="pre">--server</span></tt> ), or if <tt class="docutils literal"><span class="pre">--pull</span></tt> is specified (client-side, implied by
287diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h
288index 8185984..d4202ab 100644
289--- a/include/openvpn-plugin.h
290+++ b/include/openvpn-plugin.h
291@@ -53,7 +53,7 @@ extern "C" {
292 */
293 #define OPENVPN_VERSION_MAJOR 2
294 #define OPENVPN_VERSION_MINOR 5
295-#define OPENVPN_VERSION_PATCH ".8"
296+#define OPENVPN_VERSION_PATCH ".9"
297
298 /*
299 * Plug-in types. These types correspond to the set of script callbacks
300diff --git a/sample/sample-plugins/Makefile b/sample/sample-plugins/Makefile
301index b4b72d0..9e2e420 100644
302--- a/sample/sample-plugins/Makefile
303+++ b/sample/sample-plugins/Makefile
304@@ -213,7 +213,7 @@ OPENSSL_CFLAGS =
305 OPENSSL_LIBS = -lssl -lcrypto
306 OPENVPN_VERSION_MAJOR = 2
307 OPENVPN_VERSION_MINOR = 5
308-OPENVPN_VERSION_PATCH = .8
309+OPENVPN_VERSION_PATCH = .9
310 OPTIONAL_CRYPTO_CFLAGS =
311 OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto
312 OPTIONAL_DL_LIBS = -ldl
313@@ -234,13 +234,13 @@ P11KIT_LIBS =
314 PACKAGE = openvpn
315 PACKAGE_BUGREPORT = openvpn-users@lists.sourceforge.net
316 PACKAGE_NAME = OpenVPN
317-PACKAGE_STRING = OpenVPN 2.5.8
318+PACKAGE_STRING = OpenVPN 2.5.9
319 PACKAGE_TARNAME = openvpn
320 PACKAGE_URL =
321-PACKAGE_VERSION = 2.5.8
322+PACKAGE_VERSION = 2.5.9
323 PATH_SEPARATOR = :
324 PKCS11_HELPER_CFLAGS =
325-PKCS11_HELPER_LIBS =
326+PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper
327 PKG_CONFIG = /usr/bin/pkg-config
328 PKG_CONFIG_LIBDIR =
329 PKG_CONFIG_PATH =
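Review bot: `PKCS11_HELPER_LIBS` going from empty to `-lpthread -ldl -lcrypto -lpkcs11-helper` is not a 2.5.9 code change; this Makefile is a configure-generated file captured on the release maintainer's machine (note the `abs_builddir` paths in the surrounding context), so the difference reflects that build host having pkcs11-helper installed. It has no effect on the Ubuntu build, but it is worth calling out in the MRE analysis so it is not mistaken for a behaviour change.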
330@@ -267,7 +267,7 @@ TAP_WIN_MIN_MINOR = 9
331 TEST_CFLAGS = -I$(top_srcdir)/include
332 TEST_LDFLAGS = -lssl -lcrypto -llzo2 -lcmocka
333 TMPFILES_DIR =
334-VERSION = 2.5.8
335+VERSION = 2.5.9
336 abs_builddir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins
337 abs_srcdir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins
338 abs_top_builddir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn
339diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
340index de80dcf..de7cafd 100644
341--- a/src/openvpn/forward.c
342+++ b/src/openvpn/forward.c
343@@ -1714,8 +1714,6 @@ process_outgoing_link(struct context *c)
344 void
345 process_outgoing_tun(struct context *c)
346 {
347- struct gc_arena gc = gc_new();
348-
349 /*
350 * Set up for write() call to TUN/TAP
351 * device.
352@@ -1801,7 +1799,6 @@ process_outgoing_tun(struct context *c)
353 buf_reset(&c->c2.to_tun);
354
355 perf_pop();
356- gc_free(&gc);
357 }
358
359 void
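Review bot: with both `gc_new()` and `gc_free(&gc)` dropped, any remaining use of `gc` in the body of process_outgoing_tun between the two hunks would fail to compile, so the clean build is sufficient evidence the arena was genuinely unused; no action needed beyond confirming that.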
360diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
361index 40b3bf5..e4662a7 100644
362--- a/src/openvpn/misc.c
363+++ b/src/openvpn/misc.c
364@@ -273,6 +273,7 @@ get_user_pass_cr(struct user_pass *up,
365 msg(D_LOW, "No password found in %s authfile '%s'. Querying the management interface", prefix, auth_file);
366 if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
367 {
368+ fclose(fp);
369 return false;
370 }
371 }
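Review bot: `fclose(fp)` before `return false` closes the descriptor leak on the management-interface fallback path, but it fixes only this one exit; check that the other early returns in get_user_pass_cr after the authfile is opened (outside this hunk) also close `fp`.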
372diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
373index 570e473..1e52056 100644
374--- a/src/openvpn/misc.h
375+++ b/src/openvpn/misc.h
376@@ -74,6 +74,7 @@ struct user_pass
377 #else
378 #define USER_PASS_LEN 128
379 #endif
380+ /* Note that username and password are expected to be null-terminated */
381 char username[USER_PASS_LEN];
382 char password[USER_PASS_LEN];
383 };
384diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
385index e370748..9158cfd 100644
386--- a/src/openvpn/ntlm.c
387+++ b/src/openvpn/ntlm.c
388@@ -143,6 +143,19 @@ my_strupr(char *str)
389 }
390 }
391
392+/**
393+ * This function expects a null-terminated string in src and will
394+ * copy it (including the terminating NUL byte),
395+ * alternating it with 0 to dst.
396+ *
397+ * This basically will transform a ASCII string into valid UTF-16.
398+ * Characters that are 8bit in src, will get the same treatment, resulting in
399+ * invalid or wrong unicode code points.
400+ *
401+ * @note the function will blindly assume that dst has double
402+ * the space of src.
403+ * @return the length of the number of bytes written to dst
404+ */
405 static int
406 unicodize(char *dst, const char *src)
407 {
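Review bot: the `@return` line reads "the length of the number of bytes written to dst", which is doubled; suggest "the number of bytes written to dst". Since the note says dst is blindly assumed to have twice the space of src, the doc could state the caller's obligation explicitly: size dst from strlen(src) plus the terminating NUL, doubled.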
408diff --git a/src/openvpn/options.c b/src/openvpn/options.c
409index 20d1273..2ddf30d 100644
410--- a/src/openvpn/options.c
411+++ b/src/openvpn/options.c
412@@ -4926,8 +4926,6 @@ parse_argv(struct options *options,
413 unsigned int *option_types_found,
414 struct env_set *es)
415 {
416- int i, j;
417-
418 /* usage message */
419 if (argc <= 1)
420 {
421@@ -4937,7 +4935,7 @@ parse_argv(struct options *options,
422 /* config filename specified only? */
423 if (argc == 2 && strncmp(argv[1], "--", 2))
424 {
425- char *p[MAX_PARMS];
426+ char *p[MAX_PARMS+1];
427 CLEAR(p);
428 p[0] = "config";
429 p[1] = argv[1];
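Review bot: `p` is widened to `MAX_PARMS+1`, but the code that consumes it is outside the hunk; confirm it relies on the extra slot being NULL (which `CLEAR(p)` guarantees) rather than on a passed-in size, otherwise the sentinel space added here is not actually reserved for the consumer.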
430@@ -4947,9 +4945,9 @@ parse_argv(struct options *options,
431 else
432 {
433 /* parse command line */
434- for (i = 1; i < argc; ++i)
435+ for (int i = 1; i < argc; ++i)
436 {
437- char *p[MAX_PARMS];
438+ char *p[MAX_PARMS+1];
439 CLEAR(p);
440 p[0] = argv[i];
441 if (strncmp(p[0], "--", 2))
442@@ -4961,6 +4959,7 @@ parse_argv(struct options *options,
443 p[0] += 2;
444 }
445
446+ int j;
447 for (j = 1; j < MAX_PARMS; ++j)
448 {
449 if (i + j < argc)
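Review bot: `int j;` is declared on its own line right before the loop while `i` was moved into its `for` header; if `j` is not read after the loop, declare it the same way (`for (int j = 1; j < MAX_PARMS; ++j)`) for consistency, and if it is read afterwards, a short comment saying so would explain the asymmetry.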
450@@ -5001,6 +5000,12 @@ apply_pull_filter(const struct options *o, char *line)
451 return true;
452 }
453
454+ /* skip leading spaces matching the behaviour of parse_line */
455+ while (isspace(*line))
456+ {
457+ line++;
458+ }
459+
460 for (f = o->pull_filter_list->head; f; f = f->next)
461 {
462 if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
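Review bot: `isspace(*line)` passes a plain `char`; on platforms where `char` is signed, a byte above 0x7F in a pushed option becomes a negative value, which is undefined behaviour for the ctype functions. Use `isspace((unsigned char)*line)` and make sure `<ctype.h>` is included in options.c. The stripping itself is right: pull-filter now sees the same token parse_line would, which is the point of the fix.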
463diff --git a/src/openvpn/push.c b/src/openvpn/push.c
464index 7c36530..43db191 100644
465--- a/src/openvpn/push.c
466+++ b/src/openvpn/push.c
467@@ -536,7 +536,7 @@ send_push_reply_auth_token(struct tls_multi *multi)
468
469 /* Construct a mimimal control channel push reply message */
470 struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
471- buf_printf(&buf, "%s, %s", push_reply_cmd, e->option);
472+ buf_printf(&buf, "%s,%s", push_reply_cmd, e->option);
473 send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH);
474 gc_free(&gc);
475 }
476@@ -779,8 +779,10 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
477 char line[OPTION_PARM_SIZE];
478 while (buf_parse(buf, ',', line, sizeof(line)))
479 {
480- /* peer-id might change on restart and this should not trigger reopening tun */
481- if (strprefix(line, "peer-id "))
482+ /* peer-id and auth-token might change on restart and this should not trigger reopening tun */
483+ if (strprefix(line, "peer-id ")
484+ || strprefix(line, "auth-token ")
485+ || strprefix(line, "auth-token-user "))
486 {
487 continue;
488 }
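Review bot: `strprefix(line, "auth-token ")` is checked against the raw parsed line; a reply from an older server that still emits `PUSH_REPLY, auth-token ...` (the leading-space bug fixed in the first hunk of this file) yields a line beginning with a space, which this prefix check will not match, so the token still lands in the digest when talking to such a server. If that compatibility case matters, skip leading whitespace here the same way apply_pull_filter now does.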
489@@ -891,13 +893,13 @@ remove_iroutes_from_push_route_list(struct options *o)
490 /* cycle through the push list */
491 while (e)
492 {
493- char *p[MAX_PARMS];
494+ char *p[MAX_PARMS+1];
495 bool enable = true;
496
497 /* parse the push item */
498 CLEAR(p);
499 if (e->enable
500- && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
501+ && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
502 {
503 /* is the push item a route directive? */
504 if (p[0] && !strcmp(p[0], "route") && !p[3])
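Review bot: `SIZE(p)-1` together with the `MAX_PARMS+1` array keeps the visible parse count at MAX_PARMS while reserving the last slot for the sentinel, which is correct; a one-line comment naming that convention would help, since the same `+1` / `-1` pairing now appears in options.c as well.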
505diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
506index be0e57f..9958099 100644
507--- a/src/openvpn/ssl_mbedtls.c
508+++ b/src/openvpn/ssl_mbedtls.c
509@@ -168,7 +168,13 @@ tls_ctx_free(struct tls_root_ctx *ctx)
510 }
511
512 #if defined(ENABLE_PKCS11)
513- pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
514+ /* ...freeCertificate() can handle NULL ptrs, but if pkcs11 helper
515+ * has not been initialized, it will ASSERT() - so, do not pass NULL
516+ */
517+ if (ctx->pkcs11_cert)
518+ {
519+ pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
520+ }
521 #endif
522
523 if (ctx->allowed_ciphers)
524diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
525index b94c786..4ab39a5 100644
526--- a/src/openvpn/ssl_ncp.c
527+++ b/src/openvpn/ssl_ncp.c
528@@ -108,7 +108,18 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
529 * (and translate_cipher_name_from_openvpn/
530 * translate_cipher_name_to_openvpn) also normalises the cipher name,
531 * e.g. replacing AeS-128-gCm with AES-128-GCM
532+ *
533+ * ciphers that have ? in front of them are considered optional and
534+ * OpenVPN will only warn if they are not found (and remove them from
535+ * the list)
536 */
537+
538+ bool optional = false;
539+ if (token[0] == '?')
540+ {
541+ token++;
542+ optional = true;
543+ }
544 const cipher_kt_t *ktc = cipher_kt_get(token);
545 if (strcmp(token, "none") == 0)
546 {
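Review bot: after `token++`, a bare `?` token becomes the empty string and `?none` becomes `none`; the empty string falls through to the "Unsupported optional cipher" warning, which is acceptable, but `?none` is then handled exactly like `none`, so the comment should say that the prefix is simply dropped in that case. The `optional` flag is declared per token, so it cannot leak into the next iteration.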
547@@ -120,8 +131,9 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
548 }
549 if (!ktc && strcmp(token, "none") != 0)
550 {
551- msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
552- error_found = true;
553+ const char* optstr = optional ? "optional ": "";
554+ msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token);
555+ error_found = error_found || !optional;
556 }
557 else
558 {
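Review bot: style: the project writes the asterisk next to the name and spaces around the ternary colon, so `const char* optstr = optional ? "optional ": "";` should become `const char *optstr = optional ? "optional " : "";`. The `error_found = error_found || !optional;` form is correct: an optional miss only warns, while a required miss still fails the whole list.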
559diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c
560index 4337f6d..6e1e50a 100644
561--- a/tests/unit_tests/openvpn/test_ncp.c
562+++ b/tests/unit_tests/openvpn/test_ncp.c
563@@ -74,6 +74,20 @@ test_check_ncp_ciphers_list(void **state)
564 assert_ptr_equal(mutate_ncp_cipher_list(bf_chacha, &gc), NULL);
565 }
566
567+ /* Check that optional ciphers work */
568+ assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:?vollbit:AES-128-GCM", &gc),
569+ aes_ciphers);
570+
571+ /* Check that optional ciphers work */
572+ assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM", &gc),
573+ aes_ciphers);
574+
575+ /* All unsupported should still yield an empty list */
576+ assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL);
577+
578+ /* If the last is optional, previous invalid ciphers should be ignored */
579+ assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL);
580+
581 /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
582 * a different spelling the normalised cipher output is the same */
583 bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");
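Review bot: the comment "If the last is optional, previous invalid ciphers should be ignored" contradicts the assertion beneath it, which expects NULL, i.e. the list is still rejected because of the earlier required-but-invalid ciphers; reword to "previous invalid ciphers must still reject the list" (that is the corner case the "Fix handling an optional invalid cipher at the end of data-ciphers" commit covers). The two "Check that optional ciphers work" comments are also identical; the second could say it covers the all-optional case.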
584diff --git a/version.m4 b/version.m4
585index dd66b1a..53d1edf 100644
586--- a/version.m4
587+++ b/version.m4
588@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
589 define([PRODUCT_TARNAME], [openvpn])
590 define([PRODUCT_VERSION_MAJOR], [2])
591 define([PRODUCT_VERSION_MINOR], [5])
592-define([PRODUCT_VERSION_PATCH], [.8])
593+define([PRODUCT_VERSION_PATCH], [.9])
594 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
595 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
596 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
597 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
598-define([PRODUCT_VERSION_RESOURCE], [2,5,8,0])
599+define([PRODUCT_VERSION_RESOURCE], [2,5,9,0])
600 dnl define the TAP version
601 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
602 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
