Merge ~lvoytek/ubuntu/+source/openvpn:2.5.8-MRE-jammy-allow-openssl-engines into ubuntu/+source/openvpn:ubuntu/jammy-devel
- Git
- lp:~lvoytek/ubuntu/+source/openvpn
- 2.5.8-MRE-jammy-allow-openssl-engines
- Merge into ubuntu/jammy-devel
Status: | Merged |
---|---|
Approved by: | git-ubuntu bot |
Approved revision: | not available |
Merged at revision: | 59bc5060a27cf09b38664f5f51a727997ae1d4ed |
Proposed branch: | ~lvoytek/ubuntu/+source/openvpn:2.5.8-MRE-jammy-allow-openssl-engines |
Merge into: | ubuntu/+source/openvpn:ubuntu/jammy-devel |
Diff against target: |
624 lines (+198/-41) 21 files modified
ChangeLog (+25/-0) Changes.rst (+32/-0) build/msvc/msvc-generate/Makefile.mak (+6/-3) configure (+13/-13) debian/changelog (+26/-0) debian/rules (+1/-1) doc/man-sections/protocol-options.rst (+7/-0) doc/openvpn.8 (+7/-0) doc/openvpn.8.html (+6/-0) include/openvpn-plugin.h (+1/-1) sample/sample-plugins/Makefile (+5/-5) src/openvpn/forward.c (+0/-3) src/openvpn/misc.c (+1/-0) src/openvpn/misc.h (+1/-0) src/openvpn/ntlm.c (+13/-0) src/openvpn/options.c (+10/-5) src/openvpn/push.c (+7/-5) src/openvpn/ssl_mbedtls.c (+7/-1) src/openvpn/ssl_ncp.c (+14/-2) tests/unit_tests/openvpn/test_ncp.c (+14/-0) version.m4 (+2/-2) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
git-ubuntu bot | Approve | ||
Andreas Hasenack | Approve | ||
Canonical Server Reporter | Pending | ||
Review via email: mp+452307@code.launchpad.net |
Commit message
Description of the change
Allow openssl engines in jammy to maintain behavior against 2.5.5-1ubuntu3.1 prior to the 2.5.8 MRE. This commit configures them to be on using the new configuration argument provided by upstream: --with-
PPA: https:/
Andreas Hasenack (ahasenack) wrote:
Do we want to do this on top of 2.5.9 which is in unapproved? Or, as you did here, on top of 2.5.8 which is in jammy proposed?
git-ubuntu bot (git-ubuntu-bot) wrote:
Approvers: lvoytek, ahasenack
Uploaders: lvoytek, ahasenack
MP auto-approved
Lena Voytek (lvoytek) wrote:
I'm fine with either. Do you know which would be more convenient for the SRU team?
Andreas Hasenack (ahasenack) wrote:
Let's go with 2.5.9, as that's what the bug is using. When uploading, I'll take care to include the version currently in proposed in the changes file.
Lena Voytek (lvoytek) wrote:
Sounds good, I rebased and uploaded with rich history. Accidentally uploaded without the previous changes the first time, so I uploaded a second copy:
dput ubuntu ../openvpn_
D: Setting host argument.
Checking signature on .changes
gpg: ../openvpn_
Checking signature on .dsc
gpg: ../openvpn_
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading openvpn_
Uploading openvpn_
Uploading openvpn_
Uploading openvpn_
Uploading openvpn_
Successfully uploaded packages.
Preview Diff
1 | diff --git a/ChangeLog b/ChangeLog |
2 | index 5da537a..3701823 100644 |
3 | --- a/ChangeLog |
4 | +++ b/ChangeLog |
5 | @@ -1,6 +1,31 @@ |
6 | OpenVPN Change Log |
7 | Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net> |
8 | |
9 | +2023.02.14 -- Version 2.5.9 |
10 | + |
11 | +Arne Schwabe (6): |
12 | + Implement optional cipher in --data-ciphers prefixed with ? |
13 | + Fix handling an optional invalid cipher at the end of data-ciphers |
14 | + Ensure that argument to parse_line has always space for final sentinel |
15 | + Improve documentation on user/password requirement and unicodize function |
16 | + Remove unused gc_arena |
17 | + Fix corner case that might lead to leaked file descriptor |
18 | + |
19 | +Frank Lichtenheld (1): |
20 | + msvc: always call git-version.py |
21 | + |
22 | +Lev Stipakov (1): |
23 | + git-version.py: proper support for tags |
24 | + |
25 | +Max Fillinger (1): |
26 | + Check if pkcs11_cert is NULL before freeing it |
27 | + |
28 | +Selva Nair (3): |
29 | + Do not add leading space to pushed options |
30 | + pull-filter: ignore leading "spaces" in option names |
31 | + Do not include auth-token in pulled option digest |
32 | + |
33 | + |
34 | 2022.10.27 -- Version 2.5.8 |
35 | |
36 | Antonio Quartulli (1): |
37 | diff --git a/Changes.rst b/Changes.rst |
38 | index cafb1f2..3ba78c6 100644 |
39 | --- a/Changes.rst |
40 | +++ b/Changes.rst |
41 | @@ -1,3 +1,35 @@ |
42 | +Overview of changes in 2.5.9 |
43 | +============================ |
44 | + |
45 | +New features |
46 | +------------ |
47 | +- Optional ciphers in ``--data-ciphers`` |
48 | + Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark |
49 | + those as optional and only use them if the SSL library supports them. |
50 | + |
51 | +User-visible Changes |
52 | +-------------------- |
53 | +- when compiling from a git checkout, put proper branch names into |
54 | + windows builds |
55 | + |
56 | +Bugfixes |
57 | +-------- |
58 | +- do not include auth-token in pulled-option digest (interferes with |
59 | + persist-tun when auth-token is in use, GH #200). |
60 | + |
61 | +- fix corner case that might lead to leaked file descriptor |
62 | + |
63 | +- fix parser bug (parse_line()) that can lead to buffer overflows on |
64 | + malformed command line or server ccd file handling. Not exploitable. |
65 | + |
66 | +- pull-filter: ignore leading spaces in option names (work around server side |
67 | + bug with erroneous extra spaces) |
68 | + |
69 | +- push: do not add leading spaces to "out of renegotiations" pushed auth-token |
70 | + |
71 | +- fix NULL pointer crash on "openvpn --show-tls" with mbedtls |
72 | + |
73 | + |
74 | Overview of changes in 2.5.8 |
75 | ============================ |
76 | |
77 | diff --git a/build/msvc/msvc-generate/Makefile.mak b/build/msvc/msvc-generate/Makefile.mak |
78 | index ae8b084..1c1c4ba 100644 |
79 | --- a/build/msvc/msvc-generate/Makefile.mak |
80 | +++ b/build/msvc/msvc-generate/Makefile.mak |
81 | @@ -51,10 +51,13 @@ $(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG) |
82 | cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" --input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)" |
83 | |
84 | $(OUTPUT_MAN): $(INPUT_MAN) |
85 | - -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)" |
86 | + -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)" |
87 | |
88 | -$(OUTPUT_MSVC_GIT_CONFIG): |
89 | - python git-version.py $(SOLUTIONDIR) |
90 | +# Force regeneration because we can't detect whether it is outdated |
91 | +$(OUTPUT_MSVC_GIT_CONFIG): FORCE |
92 | + python git-version.py $(SOLUTIONDIR) |
93 | + |
94 | +FORCE: |
95 | |
96 | clean: |
97 | -del "$(OUTPUT_MSVC_VER)" |
98 | diff --git a/configure b/configure |
99 | index 6b01f1c..b8acf1a 100755 |
100 | --- a/configure |
101 | +++ b/configure |
102 | @@ -1,6 +1,6 @@ |
103 | #! /bin/sh |
104 | # Guess values for system-dependent variables and create Makefiles. |
105 | -# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.8. |
106 | +# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.9. |
107 | # |
108 | # Report bugs to <openvpn-users@lists.sourceforge.net>. |
109 | # |
110 | @@ -621,8 +621,8 @@ MAKEFLAGS= |
111 | # Identity of this package. |
112 | PACKAGE_NAME='OpenVPN' |
113 | PACKAGE_TARNAME='openvpn' |
114 | -PACKAGE_VERSION='2.5.8' |
115 | -PACKAGE_STRING='OpenVPN 2.5.8' |
116 | +PACKAGE_VERSION='2.5.9' |
117 | +PACKAGE_STRING='OpenVPN 2.5.9' |
118 | PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net' |
119 | PACKAGE_URL='' |
120 | |
121 | @@ -1507,7 +1507,7 @@ if test "$ac_init_help" = "long"; then |
122 | # Omit some internal or obsolete options to make the list less imposing. |
123 | # This message is too long to be a string in the A/UX 3.1 sh. |
124 | cat <<_ACEOF |
125 | -\`configure' configures OpenVPN 2.5.8 to adapt to many kinds of systems. |
126 | +\`configure' configures OpenVPN 2.5.9 to adapt to many kinds of systems. |
127 | |
128 | Usage: $0 [OPTION]... [VAR=VALUE]... |
129 | |
130 | @@ -1578,7 +1578,7 @@ fi |
131 | |
132 | if test -n "$ac_init_help"; then |
133 | case $ac_init_help in |
134 | - short | recursive ) echo "Configuration of OpenVPN 2.5.8:";; |
135 | + short | recursive ) echo "Configuration of OpenVPN 2.5.9:";; |
136 | esac |
137 | cat <<\_ACEOF |
138 | |
139 | @@ -1794,7 +1794,7 @@ fi |
140 | test -n "$ac_init_help" && exit $ac_status |
141 | if $ac_init_version; then |
142 | cat <<\_ACEOF |
143 | -OpenVPN configure 2.5.8 |
144 | +OpenVPN configure 2.5.9 |
145 | generated by GNU Autoconf 2.71 |
146 | |
147 | Copyright (C) 2021 Free Software Foundation, Inc. |
148 | @@ -2588,7 +2588,7 @@ cat >config.log <<_ACEOF |
149 | This file contains any messages produced by compilers while |
150 | running configure, to aid debugging if configure makes a mistake. |
151 | |
152 | -It was created by OpenVPN $as_me 2.5.8, which was |
153 | +It was created by OpenVPN $as_me 2.5.9, which was |
154 | generated by GNU Autoconf 2.71. Invocation command line was |
155 | |
156 | $ $0$ac_configure_args_raw |
157 | @@ -3364,13 +3364,13 @@ if test -z "${htmldir}"; then |
158 | fi |
159 | |
160 | |
161 | -printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,8,0" >>confdefs.h |
162 | +printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,9,0" >>confdefs.h |
163 | |
164 | OPENVPN_VERSION_MAJOR=2 |
165 | |
166 | OPENVPN_VERSION_MINOR=5 |
167 | |
168 | -OPENVPN_VERSION_PATCH=.8 |
169 | +OPENVPN_VERSION_PATCH=.9 |
170 | |
171 | |
172 | printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h |
173 | @@ -3379,7 +3379,7 @@ printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h |
174 | printf "%s\n" "#define OPENVPN_VERSION_MINOR 5" >>confdefs.h |
175 | |
176 | |
177 | -printf "%s\n" "#define OPENVPN_VERSION_PATCH \".8\"" >>confdefs.h |
178 | +printf "%s\n" "#define OPENVPN_VERSION_PATCH \".9\"" >>confdefs.h |
179 | |
180 | |
181 | |
182 | @@ -3905,7 +3905,7 @@ fi |
183 | |
184 | # Define the identity of the package. |
185 | PACKAGE='openvpn' |
186 | - VERSION='2.5.8' |
187 | + VERSION='2.5.9' |
188 | |
189 | |
190 | printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h |
191 | @@ -20500,7 +20500,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 |
192 | # report actual input values of CONFIG_FILES etc. instead of their |
193 | # values after options handling. |
194 | ac_log=" |
195 | -This file was extended by OpenVPN $as_me 2.5.8, which was |
196 | +This file was extended by OpenVPN $as_me 2.5.9, which was |
197 | generated by GNU Autoconf 2.71. Invocation command line was |
198 | |
199 | CONFIG_FILES = $CONFIG_FILES |
200 | @@ -20568,7 +20568,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ |
201 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
202 | ac_cs_config='$ac_cs_config_escaped' |
203 | ac_cs_version="\\ |
204 | -OpenVPN config.status 2.5.8 |
205 | +OpenVPN config.status 2.5.9 |
206 | configured by $0, generated by GNU Autoconf 2.71, |
207 | with options \\"\$ac_cs_config\\" |
208 | |
209 | diff --git a/debian/changelog b/debian/changelog |
210 | index 241b094..0558d64 100644 |
211 | --- a/debian/changelog |
212 | +++ b/debian/changelog |
213 | @@ -1,3 +1,29 @@ |
214 | +openvpn (2.5.9-0ubuntu0.22.04.2) jammy; urgency=medium |
215 | + |
216 | + * d/rules: Use --with-openssl-engine=yes during configuration to maintain the |
217 | + existing behavior of technically allowing openssl engine access in jammy. |
218 | + For more information see |
219 | + https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2004676/comments/6 |
220 | + |
221 | + -- Lena Voytek <lena.voytek@canonical.com> Fri, 29 Sep 2023 16:14:48 -0700 |
222 | + |
223 | +openvpn (2.5.9-0ubuntu0.22.04.1) jammy; urgency=medium |
224 | + |
225 | + * New upstream release 2.5.9 (LP: #2004676): |
226 | + - The version is being updated to the latest in 2.5.x rather than 2.6.x to |
227 | + avoid feature releases and focus on bug fixes |
228 | + - Updates: |
229 | + + Allow optional ciphers in --data-ciphers |
230 | + - Bug Fixes Include: |
231 | + + Fix null pointer error when running openvpn --show-tls with mbedtls |
232 | + + Fix corner case that could lead to leaked file descriptor |
233 | + + Fix parsing issue in pull-filter when there are leading spaces |
234 | + + Fix possible buffer overflow in parse_line argument |
235 | + + See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25 for |
236 | + additional bug fixes and information |
237 | + |
238 | + -- Lena Voytek <lena.voytek@canonical.com> Tue, 15 Aug 2023 10:48:49 -0700 |
239 | + |
240 | openvpn (2.5.8-0ubuntu0.22.04.1) jammy; urgency=medium |
241 | |
242 | * New upstream releases 2.5.6-2.5.8 (LP: #2004676): |
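Review bot: the 2.5.9-0ubuntu0.22.04.2 entry defers the rationale to a bug-tracker comment link; a one-line summary in the changelog itself (the 2.5.8 MRE dropped engine support that 2.5.5-1ubuntu3.1 users had, and upstream's new `--with-openssl-engine` switch restores it) keeps the reason readable offline and in `apt changelog` output, with the link kept as a pointer to the discussion.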
243 | diff --git a/debian/rules b/debian/rules |
244 | index a49ff29..62b5639 100755 |
245 | --- a/debian/rules |
246 | +++ b/debian/rules |
247 | @@ -17,7 +17,7 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all |
248 | |
249 | override_dh_auto_configure: |
250 | -test -f tests/t_client.sh.not || mv tests/t_client.sh tests/t_client.sh.not |
251 | - $(ENV_VARS) dh_auto_configure -- $(shell dpkg-buildflags --export=configure) --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --includedir=\$${prefix}/include/openvpn --enable-pkcs11 --enable-x509-alt-username $(EXTRA_ARGS) |
252 | + $(ENV_VARS) dh_auto_configure -- $(shell dpkg-buildflags --export=configure) --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --includedir=\$${prefix}/include/openvpn --enable-pkcs11 --enable-x509-alt-username --with-openssl-engine=yes $(EXTRA_ARGS) |
253 | |
254 | |
255 | override_dh_auto_build: |
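Review bot: `--with-openssl-engine=yes` is appended inside the existing single-line `dh_auto_configure` invocation, which is now long enough that the jammy-specific flag is easy to miss in review; consider splitting the argument list across backslash-continued lines so the new flag sits on its own line with a short comment saying it exists to keep the engine behaviour of 2.5.5-1ubuntu3.1. Keeping `$(EXTRA_ARGS)` last, as the hunk does, is right so that a later override still wins.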
256 | diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst |
257 | index e9d5d63..25f8db1 100644 |
258 | --- a/doc/man-sections/protocol-options.rst |
259 | +++ b/doc/man-sections/protocol-options.rst |
260 | @@ -184,6 +184,13 @@ configured in a compatible way between both the local and remote side. |
261 | supported by the client will be pushed to clients that support cipher |
262 | negotiation. |
263 | |
264 | + Starting with OpenVPN 2.5.9 a cipher can be prefixed with a :code:`?` to mark |
265 | + it as optional. This allows including ciphers in the list that may not be |
266 | + available on all platforms. |
267 | + E.g. :code:`AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305` would only enable |
268 | + Chacha20-Poly1305 if the underlying SSL library (and its configuration) |
269 | + supports it. |
270 | + |
271 | Cipher negotiation is enabled in client-server mode only. I.e. if |
272 | ``--mode`` is set to 'server' (server-side, implied by setting |
273 | ``--server`` ), or if ``--pull`` is specified (client-side, implied by |
274 | diff --git a/doc/openvpn.8 b/doc/openvpn.8 |
275 | index 1b8dfcd..197d1eb 100644 |
276 | --- a/doc/openvpn.8 |
277 | +++ b/doc/openvpn.8 |
278 | @@ -887,6 +887,13 @@ For servers, the first cipher from \fBcipher\-list\fP that is also |
279 | supported by the client will be pushed to clients that support cipher |
280 | negotiation. |
281 | .sp |
282 | +Starting with OpenVPN 2.5.9 a cipher can be prefixed with a \fB?\fP to mark |
283 | +it as optional. This allows including ciphers in the list that may not be |
284 | +available on all platforms. |
285 | +E.g. \fBAES\-256\-GCM:AES\-128\-GCM:?CHACHA20\-POLY1305\fP would only enable |
286 | +Chacha20\-Poly1305 if the underlying SSL library (and its configuration) |
287 | +supports it. |
288 | +.sp |
289 | Cipher negotiation is enabled in client\-server mode only. I.e. if |
290 | \fB\-\-mode\fP is set to \(aqserver\(aq (server\-side, implied by setting |
291 | \fB\-\-server\fP ), or if \fB\-\-pull\fP is specified (client\-side, implied by |
292 | diff --git a/doc/openvpn.8.html b/doc/openvpn.8.html |
293 | index 12705c9..2a6f0b8 100644 |
294 | --- a/doc/openvpn.8.html |
295 | +++ b/doc/openvpn.8.html |
296 | @@ -1113,6 +1113,12 @@ and defaults to <code>AES-256-GCM:AES-128-GCM</code>.</p> |
297 | <p>For servers, the first cipher from <tt class="docutils literal"><span class="pre">cipher-list</span></tt> that is also |
298 | supported by the client will be pushed to clients that support cipher |
299 | negotiation.</p> |
300 | +<p>Starting with OpenVPN 2.5.9 a cipher can be prefixed with a <code>?</code> to mark |
301 | +it as optional. This allows including ciphers in the list that may not be |
302 | +available on all platforms. |
303 | +E.g. <code>AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305</code> would only enable |
304 | +Chacha20-Poly1305 if the underlying SSL library (and its configuration) |
305 | +supports it.</p> |
306 | <p>Cipher negotiation is enabled in client-server mode only. I.e. if |
307 | <tt class="docutils literal"><span class="pre">--mode</span></tt> is set to 'server' (server-side, implied by setting |
308 | <tt class="docutils literal"><span class="pre">--server</span></tt> ), or if <tt class="docutils literal"><span class="pre">--pull</span></tt> is specified (client-side, implied by |
309 | diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h |
310 | index 8185984..d4202ab 100644 |
311 | --- a/include/openvpn-plugin.h |
312 | +++ b/include/openvpn-plugin.h |
313 | @@ -53,7 +53,7 @@ extern "C" { |
314 | */ |
315 | #define OPENVPN_VERSION_MAJOR 2 |
316 | #define OPENVPN_VERSION_MINOR 5 |
317 | -#define OPENVPN_VERSION_PATCH ".8" |
318 | +#define OPENVPN_VERSION_PATCH ".9" |
319 | |
320 | /* |
321 | * Plug-in types. These types correspond to the set of script callbacks |
322 | diff --git a/sample/sample-plugins/Makefile b/sample/sample-plugins/Makefile |
323 | index b4b72d0..9e2e420 100644 |
324 | --- a/sample/sample-plugins/Makefile |
325 | +++ b/sample/sample-plugins/Makefile |
326 | @@ -213,7 +213,7 @@ OPENSSL_CFLAGS = |
327 | OPENSSL_LIBS = -lssl -lcrypto |
328 | OPENVPN_VERSION_MAJOR = 2 |
329 | OPENVPN_VERSION_MINOR = 5 |
330 | -OPENVPN_VERSION_PATCH = .8 |
331 | +OPENVPN_VERSION_PATCH = .9 |
332 | OPTIONAL_CRYPTO_CFLAGS = |
333 | OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto |
334 | OPTIONAL_DL_LIBS = -ldl |
335 | @@ -234,13 +234,13 @@ P11KIT_LIBS = |
336 | PACKAGE = openvpn |
337 | PACKAGE_BUGREPORT = openvpn-users@lists.sourceforge.net |
338 | PACKAGE_NAME = OpenVPN |
339 | -PACKAGE_STRING = OpenVPN 2.5.8 |
340 | +PACKAGE_STRING = OpenVPN 2.5.9 |
341 | PACKAGE_TARNAME = openvpn |
342 | PACKAGE_URL = |
343 | -PACKAGE_VERSION = 2.5.8 |
344 | +PACKAGE_VERSION = 2.5.9 |
345 | PATH_SEPARATOR = : |
346 | PKCS11_HELPER_CFLAGS = |
347 | -PKCS11_HELPER_LIBS = |
348 | +PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper |
349 | PKG_CONFIG = /usr/bin/pkg-config |
350 | PKG_CONFIG_LIBDIR = |
351 | PKG_CONFIG_PATH = |
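Review bot: besides the version bump this hunk changes `PKCS11_HELPER_LIBS` from empty to `-lpthread -ldl -lcrypto -lpkcs11-helper`; this sample-plugins Makefile is a generated file captured from the release builder's environment (see the `/home/flichtenheld/...` `abs_*` paths in the following hunk), so the change is a tarball artefact rather than a source change and should not influence the Debian build, but it is worth stating that in the review so nobody mistakes it for a linking change.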
352 | @@ -267,7 +267,7 @@ TAP_WIN_MIN_MINOR = 9 |
353 | TEST_CFLAGS = -I$(top_srcdir)/include |
354 | TEST_LDFLAGS = -lssl -lcrypto -llzo2 -lcmocka |
355 | TMPFILES_DIR = |
356 | -VERSION = 2.5.8 |
357 | +VERSION = 2.5.9 |
358 | abs_builddir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins |
359 | abs_srcdir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins |
360 | abs_top_builddir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn |
361 | diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c |
362 | index de80dcf..de7cafd 100644 |
363 | --- a/src/openvpn/forward.c |
364 | +++ b/src/openvpn/forward.c |
365 | @@ -1714,8 +1714,6 @@ process_outgoing_link(struct context *c) |
366 | void |
367 | process_outgoing_tun(struct context *c) |
368 | { |
369 | - struct gc_arena gc = gc_new(); |
370 | - |
371 | /* |
372 | * Set up for write() call to TUN/TAP |
373 | * device. |
374 | @@ -1801,7 +1799,6 @@ process_outgoing_tun(struct context *c) |
375 | buf_reset(&c->c2.to_tun); |
376 | |
377 | perf_pop(); |
378 | - gc_free(&gc); |
379 | } |
380 | |
381 | void |
382 | diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c |
383 | index 40b3bf5..e4662a7 100644 |
384 | --- a/src/openvpn/misc.c |
385 | +++ b/src/openvpn/misc.c |
386 | @@ -273,6 +273,7 @@ get_user_pass_cr(struct user_pass *up, |
387 | msg(D_LOW, "No password found in %s authfile '%s'. Querying the management interface", prefix, auth_file); |
388 | if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge)) |
389 | { |
390 | + fclose(fp); |
391 | return false; |
392 | } |
393 | } |
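Review bot: the added `fclose(fp)` closes the authfile handle on the management-query failure path, which is the "leaked file descriptor" fix listed in Changes.rst; with only this hunk visible it is worth confirming that no other early `return false` between the `fopen` and this point still leaves `fp` open, and that `fp` is non-NULL here (the surrounding message refers to a password not found in the file, so the file was opened). If there are several exits, a single cleanup label would be less fragile than per-path `fclose` calls.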
394 | diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h |
395 | index 570e473..1e52056 100644 |
396 | --- a/src/openvpn/misc.h |
397 | +++ b/src/openvpn/misc.h |
398 | @@ -74,6 +74,7 @@ struct user_pass |
399 | #else |
400 | #define USER_PASS_LEN 128 |
401 | #endif |
402 | + /* Note that username and password are expected to be null-terminated */ |
403 | char username[USER_PASS_LEN]; |
404 | char password[USER_PASS_LEN]; |
405 | }; |
406 | diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c |
407 | index e370748..9158cfd 100644 |
408 | --- a/src/openvpn/ntlm.c |
409 | +++ b/src/openvpn/ntlm.c |
410 | @@ -143,6 +143,19 @@ my_strupr(char *str) |
411 | } |
412 | } |
413 | |
414 | +/** |
415 | + * This function expects a null-terminated string in src and will |
416 | + * copy it (including the terminating NUL byte), |
417 | + * alternating it with 0 to dst. |
418 | + * |
419 | + * This basically will transform a ASCII string into valid UTF-16. |
420 | + * Characters that are 8bit in src, will get the same treatment, resulting in |
421 | + * invalid or wrong unicode code points. |
422 | + * |
423 | + * @note the function will blindly assume that dst has double |
424 | + * the space of src. |
425 | + * @return the length of the number of bytes written to dst |
426 | + */ |
427 | static int |
428 | unicodize(char *dst, const char *src) |
429 | { |
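Review bot: the new doc comment has a few wording slips: "a ASCII string" should be "an ASCII string", "alternating it with 0" reads better as "interleaving each byte with a zero byte", and "@return the length of the number of bytes written" should simply be "@return the number of bytes written to dst". The @note about `dst` needing twice the space of `src` is the important part; since the terminating NUL is copied too, stating the exact requirement (2 * (strlen(src) + 1) bytes) would make the contract unambiguous for callers.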
430 | diff --git a/src/openvpn/options.c b/src/openvpn/options.c |
431 | index 20d1273..2ddf30d 100644 |
432 | --- a/src/openvpn/options.c |
433 | +++ b/src/openvpn/options.c |
434 | @@ -4926,8 +4926,6 @@ parse_argv(struct options *options, |
435 | unsigned int *option_types_found, |
436 | struct env_set *es) |
437 | { |
438 | - int i, j; |
439 | - |
440 | /* usage message */ |
441 | if (argc <= 1) |
442 | { |
443 | @@ -4937,7 +4935,7 @@ parse_argv(struct options *options, |
444 | /* config filename specified only? */ |
445 | if (argc == 2 && strncmp(argv[1], "--", 2)) |
446 | { |
447 | - char *p[MAX_PARMS]; |
448 | + char *p[MAX_PARMS+1]; |
449 | CLEAR(p); |
450 | p[0] = "config"; |
451 | p[1] = argv[1]; |
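Review bot: growing `p` to `MAX_PARMS+1` gives `parse_line` room for its trailing NULL sentinel (the "Ensure that argument to parse_line has always space for final sentinel" fix in the ChangeLog), and `CLEAR(p)` still zero-fills the whole array so the sentinel slot starts out NULL. The same `MAX_PARMS+1` pattern now appears at three call sites in this diff; a named constant, or a comment on the `parse_line` prototype describing the required array size, would make the contract explicit instead of relying on each caller remembering the `+1`.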
452 | @@ -4947,9 +4945,9 @@ parse_argv(struct options *options, |
453 | else |
454 | { |
455 | /* parse command line */ |
456 | - for (i = 1; i < argc; ++i) |
457 | + for (int i = 1; i < argc; ++i) |
458 | { |
459 | - char *p[MAX_PARMS]; |
460 | + char *p[MAX_PARMS+1]; |
461 | CLEAR(p); |
462 | p[0] = argv[i]; |
463 | if (strncmp(p[0], "--", 2)) |
464 | @@ -4961,6 +4959,7 @@ parse_argv(struct options *options, |
465 | p[0] += 2; |
466 | } |
467 | |
468 | + int j; |
469 | for (j = 1; j < MAX_PARMS; ++j) |
470 | { |
471 | if (i + j < argc) |
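Review bot: `int j;` is hoisted out of the loop rather than written as `for (int j = 1; ...)` like the `i` loop two hunks above; if `j` is read after the loop (for example to advance `i` past consumed parameters), a one-line comment saying so would explain the asymmetry, otherwise fold it into the loop header for consistency.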
472 | @@ -5001,6 +5000,12 @@ apply_pull_filter(const struct options *o, char *line) |
473 | return true; |
474 | } |
475 | |
476 | + /* skip leading spaces matching the behaviour of parse_line */ |
477 | + while (isspace(*line)) |
478 | + { |
479 | + line++; |
480 | + } |
481 | + |
482 | for (f = o->pull_filter_list->head; f; f = f->next) |
483 | { |
484 | if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0) |
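Review bot: `isspace(*line)` is called with a plain `char`; where `char` is signed, bytes above 0x7F are negative and passing them to `isspace` is undefined behaviour (glibc tolerates it, other libcs index a lookup table). Since pulled option lines arrive from the peer, cast first: `while (isspace((unsigned char)*line))`. Also check that `<ctype.h>` is included in options.c if it is not already.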
485 | diff --git a/src/openvpn/push.c b/src/openvpn/push.c |
486 | index 7c36530..43db191 100644 |
487 | --- a/src/openvpn/push.c |
488 | +++ b/src/openvpn/push.c |
489 | @@ -536,7 +536,7 @@ send_push_reply_auth_token(struct tls_multi *multi) |
490 | |
491 | /* Construct a mimimal control channel push reply message */ |
492 | struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc); |
493 | - buf_printf(&buf, "%s, %s", push_reply_cmd, e->option); |
494 | + buf_printf(&buf, "%s,%s", push_reply_cmd, e->option); |
495 | send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH); |
496 | gc_free(&gc); |
497 | } |
498 | @@ -779,8 +779,10 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt) |
499 | char line[OPTION_PARM_SIZE]; |
500 | while (buf_parse(buf, ',', line, sizeof(line))) |
501 | { |
502 | - /* peer-id might change on restart and this should not trigger reopening tun */ |
503 | - if (strprefix(line, "peer-id ")) |
504 | + /* peer-id and auth-token might change on restart and this should not trigger reopening tun */ |
505 | + if (strprefix(line, "peer-id ") |
506 | + || strprefix(line, "auth-token ") |
507 | + || strprefix(line, "auth-token-user ")) |
508 | { |
509 | continue; |
510 | } |
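Review bot: the `"auth-token "` prefix (with trailing space) does not match `auth-token-user`, so the separate `"auth-token-user "` check is needed and the three-way `||` is correct; the comment would be more useful if it said why these lines are excluded from the digest: the token is renewed on reconnect, so including it changed the digest and defeated `--persist-tun` (GH #200 per the Changes.rst entry in this same diff).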
511 | @@ -891,13 +893,13 @@ remove_iroutes_from_push_route_list(struct options *o) |
512 | /* cycle through the push list */ |
513 | while (e) |
514 | { |
515 | - char *p[MAX_PARMS]; |
516 | + char *p[MAX_PARMS+1]; |
517 | bool enable = true; |
518 | |
519 | /* parse the push item */ |
520 | CLEAR(p); |
521 | if (e->enable |
522 | - && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) |
523 | + && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) |
524 | { |
525 | /* is the push item a route directive? */ |
526 | if (p[0] && !strcmp(p[0], "route") && !p[3]) |
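Review bot: this call site passes `SIZE(p)-1` as the parameter count after enlarging `p` to `MAX_PARMS+1`, while the options.c hunks keep their loop bound at `MAX_PARMS` with the same array size; both leave one slot for the sentinel, but the two conventions read differently. A short comment beside the array, e.g. `/* last slot is reserved for parse_line's NULL sentinel */`, would help the next reader, as would a single helper macro if further call sites exist.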
527 | diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c |
528 | index be0e57f..9958099 100644 |
529 | --- a/src/openvpn/ssl_mbedtls.c |
530 | +++ b/src/openvpn/ssl_mbedtls.c |
531 | @@ -168,7 +168,13 @@ tls_ctx_free(struct tls_root_ctx *ctx) |
532 | } |
533 | |
534 | #if defined(ENABLE_PKCS11) |
535 | - pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert); |
536 | + /* ...freeCertificate() can handle NULL ptrs, but if pkcs11 helper |
537 | + * has not been initialized, it will ASSERT() - so, do not pass NULL |
538 | + */ |
539 | + if (ctx->pkcs11_cert) |
540 | + { |
541 | + pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert); |
542 | + } |
543 | #endif |
544 | |
545 | if (ctx->allowed_ciphers) |
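Review bot: the explanatory comment reads as contradictory ("can handle NULL ptrs, but ... it will ASSERT()"); rephrase it to say that the helper accepts NULL only once pkcs11-helper has been initialised, and that `tls_ctx_free` can run before any initialisation (the `openvpn --show-tls` crash noted in Changes.rst), which is why the guard is required.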
546 | diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c |
547 | index b94c786..4ab39a5 100644 |
548 | --- a/src/openvpn/ssl_ncp.c |
549 | +++ b/src/openvpn/ssl_ncp.c |
550 | @@ -108,7 +108,18 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) |
551 | * (and translate_cipher_name_from_openvpn/ |
552 | * translate_cipher_name_to_openvpn) also normalises the cipher name, |
553 | * e.g. replacing AeS-128-gCm with AES-128-GCM |
554 | + * |
555 | + * ciphers that have ? in front of them are considered optional and |
556 | + * OpenVPN will only warn if they are not found (and remove them from |
557 | + * the list) |
558 | */ |
559 | + |
560 | + bool optional = false; |
561 | + if (token[0] == '?') |
562 | + { |
563 | + token++; |
564 | + optional = true; |
565 | + } |
566 | const cipher_kt_t *ktc = cipher_kt_get(token); |
567 | if (strcmp(token, "none") == 0) |
568 | { |
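Review bot: after stripping the `?`, a token consisting of only `?` becomes the empty string and falls through to `cipher_kt_get("")`, so an empty name is reported as an "unsupported optional cipher" rather than a syntax error; consider rejecting an empty token explicitly. Note also that `?none` reaches the `strcmp(token, "none")` branch exactly like `none`; either document in the man page hunk that the optional marker is meaningless for `none`, or reject that combination.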
569 | @@ -120,8 +131,9 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) |
570 | } |
571 | if (!ktc && strcmp(token, "none") != 0) |
572 | { |
573 | - msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token); |
574 | - error_found = true; |
575 | + const char* optstr = optional ? "optional ": ""; |
576 | + msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token); |
577 | + error_found = error_found || !optional; |
578 | } |
579 | else |
580 | { |
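Review bot: `const char* optstr` uses pointer-on-type spacing while the rest of the file uses `const cipher_kt_t *ktc` style; change it to `const char *optstr`. The `error_found = error_found || !optional;` form is right: a missing required cipher still sets the flag and a missing optional one never clears it, which is the "optional invalid cipher at the end of data-ciphers" regression the ChangeLog mentions.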
581 | diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c |
582 | index 4337f6d..6e1e50a 100644 |
583 | --- a/tests/unit_tests/openvpn/test_ncp.c |
584 | +++ b/tests/unit_tests/openvpn/test_ncp.c |
585 | @@ -74,6 +74,20 @@ test_check_ncp_ciphers_list(void **state) |
586 | assert_ptr_equal(mutate_ncp_cipher_list(bf_chacha, &gc), NULL); |
587 | } |
588 | |
589 | + /* Check that optional ciphers work */ |
590 | + assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:?vollbit:AES-128-GCM", &gc), |
591 | + aes_ciphers); |
592 | + |
593 | + /* Check that optional ciphers work */ |
594 | + assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM", &gc), |
595 | + aes_ciphers); |
596 | + |
597 | + /* All unsupported should still yield an empty list */ |
598 | + assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL); |
599 | + |
600 | + /* If the last is optional, previous invalid ciphers should be ignored */ |
601 | + assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL); |
602 | + |
603 | /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in |
604 | * a different spelling the normalised cipher output is the same */ |
605 | bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305"); |
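Review bot: the last test's comment says "previous invalid ciphers should be ignored", but the assertion expects NULL, i.e. the earlier invalid required ciphers must still fail the list even though the final entry is optional; reword it to "a trailing optional cipher must not clear the error from earlier invalid ciphers". The two "Check that optional ciphers work" comments are also identical while the cases differ (an unknown optional cipher in the middle versus all entries optional and supported); give each its own description so a failure is immediately attributable.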
606 | diff --git a/version.m4 b/version.m4 |
607 | index dd66b1a..53d1edf 100644 |
608 | --- a/version.m4 |
609 | +++ b/version.m4 |
610 | @@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN]) |
611 | define([PRODUCT_TARNAME], [openvpn]) |
612 | define([PRODUCT_VERSION_MAJOR], [2]) |
613 | define([PRODUCT_VERSION_MINOR], [5]) |
614 | -define([PRODUCT_VERSION_PATCH], [.8]) |
615 | +define([PRODUCT_VERSION_PATCH], [.9]) |
616 | m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR]) |
617 | m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]]) |
618 | m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]]) |
619 | define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net]) |
620 | -define([PRODUCT_VERSION_RESOURCE], [2,5,8,0]) |
621 | +define([PRODUCT_VERSION_RESOURCE], [2,5,9,0]) |
622 | dnl define the TAP version |
623 | define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901]) |
624 | define([PRODUCT_TAP_WIN_MIN_MAJOR], [9]) |
+1, I tried the package from the ppa, and can confirm loading the engine keeps being available and loaded after updating from jammy's 2.5.5.