Merge ~lvoytek/ubuntu/+source/openvpn:2.5.8-MRE-jammy-allow-openssl-engines into ubuntu/+source/openvpn:ubuntu/jammy-devel

Proposed by Lena Voytek
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 59bc5060a27cf09b38664f5f51a727997ae1d4ed
Proposed branch: ~lvoytek/ubuntu/+source/openvpn:2.5.8-MRE-jammy-allow-openssl-engines
Merge into: ubuntu/+source/openvpn:ubuntu/jammy-devel
Diff against target: 624 lines (+198/-41)
21 files modified
ChangeLog (+25/-0)
Changes.rst (+32/-0)
build/msvc/msvc-generate/Makefile.mak (+6/-3)
configure (+13/-13)
debian/changelog (+26/-0)
debian/rules (+1/-1)
doc/man-sections/protocol-options.rst (+7/-0)
doc/openvpn.8 (+7/-0)
doc/openvpn.8.html (+6/-0)
include/openvpn-plugin.h (+1/-1)
sample/sample-plugins/Makefile (+5/-5)
src/openvpn/forward.c (+0/-3)
src/openvpn/misc.c (+1/-0)
src/openvpn/misc.h (+1/-0)
src/openvpn/ntlm.c (+13/-0)
src/openvpn/options.c (+10/-5)
src/openvpn/push.c (+7/-5)
src/openvpn/ssl_mbedtls.c (+7/-1)
src/openvpn/ssl_ncp.c (+14/-2)
tests/unit_tests/openvpn/test_ncp.c (+14/-0)
version.m4 (+2/-2)
Reviewer                   | Review Type | Date Requested | Status
git-ubuntu bot             |             |                | Approve
Andreas Hasenack           |             |                | Approve
Canonical Server Reporter  |             |                | Pending
Review via email: mp+452307@code.launchpad.net

Description of the change

Allow OpenSSL engines in jammy, preserving the behaviour of 2.5.5-1ubuntu3.1 from before the 2.5.8 MRE. This commit turns them on using the new configure argument provided by upstream, --with-openssl-engine=yes. This is needed based on the discussion in https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2004676.

PPA: https://launchpad.net/~lvoytek/+archive/ubuntu/openvpn-2.5.8-allow-openssl-engine

Andreas Hasenack (ahasenack) wrote :

+1, I tried the package from the ppa, and can confirm loading the engine keeps being available and loaded after updating from jammy's 2.5.5.

review: Approve
Andreas Hasenack (ahasenack) wrote :

Do we want to do this on top of 2.5.9 which is in unapproved? Or, as you did here, on top of 2.5.8 which is in jammy proposed?

git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: lvoytek, ahasenack
Uploaders: lvoytek, ahasenack
MP auto-approved

review: Approve
Lena Voytek (lvoytek) wrote :

I'm fine with either. Do you know which would be more convenient for the SRU team?

Andreas Hasenack (ahasenack) wrote :

Let's go with 2.5.9, as that's what the bug is using. When uploading, I'll take care to include the version currently in proposed in the changes file.

Lena Voytek (lvoytek) wrote :

Sounds good, I rebased and uploaded with rich history. Accidentally uploaded without the previous changes the first time, so I uploaded a second copy:

dput ubuntu ../openvpn_2.5.9-0ubuntu0.22.04.2_source.changes
D: Setting host argument.
Checking signature on .changes
gpg: ../openvpn_2.5.9-0ubuntu0.22.04.2_source.changes: Valid signature from 34B8AD7D9529E793
Checking signature on .dsc
gpg: ../openvpn_2.5.9-0ubuntu0.22.04.2.dsc: Valid signature from 34B8AD7D9529E793
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openvpn_2.5.9-0ubuntu0.22.04.2.dsc: done.
  Uploading openvpn_2.5.9.orig.tar.gz: done.
  Uploading openvpn_2.5.9-0ubuntu0.22.04.2.debian.tar.xz: done.
  Uploading openvpn_2.5.9-0ubuntu0.22.04.2_source.buildinfo: done.
  Uploading openvpn_2.5.9-0ubuntu0.22.04.2_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/ChangeLog b/ChangeLog
2index 5da537a..3701823 100644
3--- a/ChangeLog
4+++ b/ChangeLog
5@@ -1,6 +1,31 @@
6 OpenVPN Change Log
7 Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
8
9+2023.02.14 -- Version 2.5.9
10+
11+Arne Schwabe (6):
12+ Implement optional cipher in --data-ciphers prefixed with ?
13+ Fix handling an optional invalid cipher at the end of data-ciphers
14+ Ensure that argument to parse_line has always space for final sentinel
15+ Improve documentation on user/password requirement and unicodize function
16+ Remove unused gc_arena
17+ Fix corner case that might lead to leaked file descriptor
18+
19+Frank Lichtenheld (1):
20+ msvc: always call git-version.py
21+
22+Lev Stipakov (1):
23+ git-version.py: proper support for tags
24+
25+Max Fillinger (1):
26+ Check if pkcs11_cert is NULL before freeing it
27+
28+Selva Nair (3):
29+ Do not add leading space to pushed options
30+ pull-filter: ignore leading "spaces" in option names
31+ Do not include auth-token in pulled option digest
32+
33+
34 2022.10.27 -- Version 2.5.8
35
36 Antonio Quartulli (1):
37diff --git a/Changes.rst b/Changes.rst
38index cafb1f2..3ba78c6 100644
39--- a/Changes.rst
40+++ b/Changes.rst
41@@ -1,3 +1,35 @@
42+Overview of changes in 2.5.9
43+============================
44+
45+New features
46+------------
47+- Optional ciphers in ``--data-ciphers``
48+ Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark
49+ those as optional and only use them if the SSL library supports them.
50+
51+User-visible Changes
52+--------------------
53+- when compiling from a git checkout, put proper branch names into
54+ windows builds
55+
56+Bugfixes
57+--------
58+- do not include auth-token in pulled-option digest (interferes with
59+ persist-tun when auth-token is in use, GH #200).
60+
61+- fix corner case that might lead to leaked file descriptor
62+
63+- fix parser bug (parse_line()) that can lead to buffer overflows on
64+ malformed command line or server ccd file handling. Not exploitable.
65+
66+- pull-filter: ignore leading spaces in option names (work around server side
67+ bug with erroneous extra spaces)
68+
69+- push: do not add leading spaces to "out of renegotiations" pushed auth-token
70+
71+- fix NULL pointer crash on "openvpn --show-tls" with mbedtls
72+
73+
74 Overview of changes in 2.5.8
75 ============================
76
77diff --git a/build/msvc/msvc-generate/Makefile.mak b/build/msvc/msvc-generate/Makefile.mak
78index ae8b084..1c1c4ba 100644
79--- a/build/msvc/msvc-generate/Makefile.mak
80+++ b/build/msvc/msvc-generate/Makefile.mak
81@@ -51,10 +51,13 @@ $(OUTPUT_PLUGIN): $(INPUT_PLUGIN) $(OUTPUT_PLUGIN_CONFIG)
82 cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" --input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)"
83
84 $(OUTPUT_MAN): $(INPUT_MAN)
85- -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)"
86+ -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)"
87
88-$(OUTPUT_MSVC_GIT_CONFIG):
89- python git-version.py $(SOLUTIONDIR)
90+# Force regeneration because we can't detect whether it is outdated
91+$(OUTPUT_MSVC_GIT_CONFIG): FORCE
92+ python git-version.py $(SOLUTIONDIR)
93+
94+FORCE:
95
96 clean:
97 -del "$(OUTPUT_MSVC_VER)"
98diff --git a/configure b/configure
99index 6b01f1c..b8acf1a 100755
100--- a/configure
101+++ b/configure
102@@ -1,6 +1,6 @@
103 #! /bin/sh
104 # Guess values for system-dependent variables and create Makefiles.
105-# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.8.
106+# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.9.
107 #
108 # Report bugs to <openvpn-users@lists.sourceforge.net>.
109 #
110@@ -621,8 +621,8 @@ MAKEFLAGS=
111 # Identity of this package.
112 PACKAGE_NAME='OpenVPN'
113 PACKAGE_TARNAME='openvpn'
114-PACKAGE_VERSION='2.5.8'
115-PACKAGE_STRING='OpenVPN 2.5.8'
116+PACKAGE_VERSION='2.5.9'
117+PACKAGE_STRING='OpenVPN 2.5.9'
118 PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net'
119 PACKAGE_URL=''
120
121@@ -1507,7 +1507,7 @@ if test "$ac_init_help" = "long"; then
122 # Omit some internal or obsolete options to make the list less imposing.
123 # This message is too long to be a string in the A/UX 3.1 sh.
124 cat <<_ACEOF
125-\`configure' configures OpenVPN 2.5.8 to adapt to many kinds of systems.
126+\`configure' configures OpenVPN 2.5.9 to adapt to many kinds of systems.
127
128 Usage: $0 [OPTION]... [VAR=VALUE]...
129
130@@ -1578,7 +1578,7 @@ fi
131
132 if test -n "$ac_init_help"; then
133 case $ac_init_help in
134- short | recursive ) echo "Configuration of OpenVPN 2.5.8:";;
135+ short | recursive ) echo "Configuration of OpenVPN 2.5.9:";;
136 esac
137 cat <<\_ACEOF
138
139@@ -1794,7 +1794,7 @@ fi
140 test -n "$ac_init_help" && exit $ac_status
141 if $ac_init_version; then
142 cat <<\_ACEOF
143-OpenVPN configure 2.5.8
144+OpenVPN configure 2.5.9
145 generated by GNU Autoconf 2.71
146
147 Copyright (C) 2021 Free Software Foundation, Inc.
148@@ -2588,7 +2588,7 @@ cat >config.log <<_ACEOF
149 This file contains any messages produced by compilers while
150 running configure, to aid debugging if configure makes a mistake.
151
152-It was created by OpenVPN $as_me 2.5.8, which was
153+It was created by OpenVPN $as_me 2.5.9, which was
154 generated by GNU Autoconf 2.71. Invocation command line was
155
156 $ $0$ac_configure_args_raw
157@@ -3364,13 +3364,13 @@ if test -z "${htmldir}"; then
158 fi
159
160
161-printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,8,0" >>confdefs.h
162+printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,9,0" >>confdefs.h
163
164 OPENVPN_VERSION_MAJOR=2
165
166 OPENVPN_VERSION_MINOR=5
167
168-OPENVPN_VERSION_PATCH=.8
169+OPENVPN_VERSION_PATCH=.9
170
171
172 printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
173@@ -3379,7 +3379,7 @@ printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h
174 printf "%s\n" "#define OPENVPN_VERSION_MINOR 5" >>confdefs.h
175
176
177-printf "%s\n" "#define OPENVPN_VERSION_PATCH \".8\"" >>confdefs.h
178+printf "%s\n" "#define OPENVPN_VERSION_PATCH \".9\"" >>confdefs.h
179
180
181
182@@ -3905,7 +3905,7 @@ fi
183
184 # Define the identity of the package.
185 PACKAGE='openvpn'
186- VERSION='2.5.8'
187+ VERSION='2.5.9'
188
189
190 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
191@@ -20500,7 +20500,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
192 # report actual input values of CONFIG_FILES etc. instead of their
193 # values after options handling.
194 ac_log="
195-This file was extended by OpenVPN $as_me 2.5.8, which was
196+This file was extended by OpenVPN $as_me 2.5.9, which was
197 generated by GNU Autoconf 2.71. Invocation command line was
198
199 CONFIG_FILES = $CONFIG_FILES
200@@ -20568,7 +20568,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
201 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
202 ac_cs_config='$ac_cs_config_escaped'
203 ac_cs_version="\\
204-OpenVPN config.status 2.5.8
205+OpenVPN config.status 2.5.9
206 configured by $0, generated by GNU Autoconf 2.71,
207 with options \\"\$ac_cs_config\\"
208
209diff --git a/debian/changelog b/debian/changelog
210index 241b094..0558d64 100644
211--- a/debian/changelog
212+++ b/debian/changelog
213@@ -1,3 +1,29 @@
214+openvpn (2.5.9-0ubuntu0.22.04.2) jammy; urgency=medium
215+
216+ * d/rules: Use --with-openssl-engine=yes during configuration to maintain the
217+ existing behavior of technically allowing openssl engine access in jammy.
218+ For more information see
219+ https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2004676/comments/6
220+
221+ -- Lena Voytek <lena.voytek@canonical.com> Fri, 29 Sep 2023 16:14:48 -0700
222+
223+openvpn (2.5.9-0ubuntu0.22.04.1) jammy; urgency=medium
224+
225+ * New upstream release 2.5.9 (LP: #2004676):
226+ - The version is being updated to the latest in 2.5.x rather than 2.6.x to
227+ avoid feature releases and focus on bug fixes
228+ - Updates:
229+ + Allow optional ciphers in --data-ciphers
230+ - Bug Fixes Include:
231+ + Fix null pointer error when running openvpn --show-tls with mbedtls
232+ + Fix corner case that could lead to leaked file descriptor
233+ + Fix parsing issue in pull-filter when there are leading spaces
234+ + Fix possible buffer overflow in parse_line argument
235+ + See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25 for
236+ additional bug fixes and information
237+
238+ -- Lena Voytek <lena.voytek@canonical.com> Tue, 15 Aug 2023 10:48:49 -0700
239+
240 openvpn (2.5.8-0ubuntu0.22.04.1) jammy; urgency=medium
241
242 * New upstream releases 2.5.6-2.5.8 (LP: #2004676):
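Review bot: the 2.5.9-0ubuntu0.22.04.2 entry references the bug only as a bare URL, while the 2.5.9-0ubuntu0.22.04.1 entry directly below uses the `(LP: #2004676)` form that Launchpad parses to link the upload to the bug. Since this upload belongs to the same SRU, consider ending the bullet with `(LP: #2004676)` and keeping the `/comments/6` URL as the pointer to the specific discussion, so the SRU tooling tracks this revision against the bug as well.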
243diff --git a/debian/rules b/debian/rules
244index a49ff29..62b5639 100755
245--- a/debian/rules
246+++ b/debian/rules
247@@ -17,7 +17,7 @@ export DEB_BUILD_MAINT_OPTIONS = hardening=+all
248
249 override_dh_auto_configure:
250 -test -f tests/t_client.sh.not || mv tests/t_client.sh tests/t_client.sh.not
251- $(ENV_VARS) dh_auto_configure -- $(shell dpkg-buildflags --export=configure) --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --includedir=\$${prefix}/include/openvpn --enable-pkcs11 --enable-x509-alt-username $(EXTRA_ARGS)
252+ $(ENV_VARS) dh_auto_configure -- $(shell dpkg-buildflags --export=configure) --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --includedir=\$${prefix}/include/openvpn --enable-pkcs11 --enable-x509-alt-username --with-openssl-engine=yes $(EXTRA_ARGS)
253
254
255 override_dh_auto_build:
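Review bot: `--with-openssl-engine=yes` is the whole functional change of this MP, but nothing in the diff exercises it; the only evidence that engines still load after the update is the manual PPA test mentioned in the review comments. Consider adding an autopkgtest (or at least a build-log check on the configure summary) that confirms the packaged build keeps engine support, so a future upstream default change or rename of the configure option is caught at SRU time rather than by users.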
256diff --git a/doc/man-sections/protocol-options.rst b/doc/man-sections/protocol-options.rst
257index e9d5d63..25f8db1 100644
258--- a/doc/man-sections/protocol-options.rst
259+++ b/doc/man-sections/protocol-options.rst
260@@ -184,6 +184,13 @@ configured in a compatible way between both the local and remote side.
261 supported by the client will be pushed to clients that support cipher
262 negotiation.
263
264+ Starting with OpenVPN 2.5.9 a cipher can be prefixed with a :code:`?` to mark
265+ it as optional. This allows including ciphers in the list that may not be
266+ available on all platforms.
267+ E.g. :code:`AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305` would only enable
268+ Chacha20-Poly1305 if the underlying SSL library (and its configuration)
269+ supports it.
270+
271 Cipher negotiation is enabled in client-server mode only. I.e. if
272 ``--mode`` is set to 'server' (server-side, implied by setting
273 ``--server`` ), or if ``--pull`` is specified (client-side, implied by
274diff --git a/doc/openvpn.8 b/doc/openvpn.8
275index 1b8dfcd..197d1eb 100644
276--- a/doc/openvpn.8
277+++ b/doc/openvpn.8
278@@ -887,6 +887,13 @@ For servers, the first cipher from \fBcipher\-list\fP that is also
279 supported by the client will be pushed to clients that support cipher
280 negotiation.
281 .sp
282+Starting with OpenVPN 2.5.9 a cipher can be prefixed with a \fB?\fP to mark
283+it as optional. This allows including ciphers in the list that may not be
284+available on all platforms.
285+E.g. \fBAES\-256\-GCM:AES\-128\-GCM:?CHACHA20\-POLY1305\fP would only enable
286+Chacha20\-Poly1305 if the underlying SSL library (and its configuration)
287+supports it.
288+.sp
289 Cipher negotiation is enabled in client\-server mode only. I.e. if
290 \fB\-\-mode\fP is set to \(aqserver\(aq (server\-side, implied by setting
291 \fB\-\-server\fP ), or if \fB\-\-pull\fP is specified (client\-side, implied by
292diff --git a/doc/openvpn.8.html b/doc/openvpn.8.html
293index 12705c9..2a6f0b8 100644
294--- a/doc/openvpn.8.html
295+++ b/doc/openvpn.8.html
296@@ -1113,6 +1113,12 @@ and defaults to <code>AES-256-GCM:AES-128-GCM</code>.</p>
297 <p>For servers, the first cipher from <tt class="docutils literal"><span class="pre">cipher-list</span></tt> that is also
298 supported by the client will be pushed to clients that support cipher
299 negotiation.</p>
300+<p>Starting with OpenVPN 2.5.9 a cipher can be prefixed with a <code>?</code> to mark
301+it as optional. This allows including ciphers in the list that may not be
302+available on all platforms.
303+E.g. <code>AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305</code> would only enable
304+Chacha20-Poly1305 if the underlying SSL library (and its configuration)
305+supports it.</p>
306 <p>Cipher negotiation is enabled in client-server mode only. I.e. if
307 <tt class="docutils literal"><span class="pre">--mode</span></tt> is set to 'server' (server-side, implied by setting
308 <tt class="docutils literal"><span class="pre">--server</span></tt> ), or if <tt class="docutils literal"><span class="pre">--pull</span></tt> is specified (client-side, implied by
309diff --git a/include/openvpn-plugin.h b/include/openvpn-plugin.h
310index 8185984..d4202ab 100644
311--- a/include/openvpn-plugin.h
312+++ b/include/openvpn-plugin.h
313@@ -53,7 +53,7 @@ extern "C" {
314 */
315 #define OPENVPN_VERSION_MAJOR 2
316 #define OPENVPN_VERSION_MINOR 5
317-#define OPENVPN_VERSION_PATCH ".8"
318+#define OPENVPN_VERSION_PATCH ".9"
319
320 /*
321 * Plug-in types. These types correspond to the set of script callbacks
322diff --git a/sample/sample-plugins/Makefile b/sample/sample-plugins/Makefile
323index b4b72d0..9e2e420 100644
324--- a/sample/sample-plugins/Makefile
325+++ b/sample/sample-plugins/Makefile
326@@ -213,7 +213,7 @@ OPENSSL_CFLAGS =
327 OPENSSL_LIBS = -lssl -lcrypto
328 OPENVPN_VERSION_MAJOR = 2
329 OPENVPN_VERSION_MINOR = 5
330-OPENVPN_VERSION_PATCH = .8
331+OPENVPN_VERSION_PATCH = .9
332 OPTIONAL_CRYPTO_CFLAGS =
333 OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto
334 OPTIONAL_DL_LIBS = -ldl
335@@ -234,13 +234,13 @@ P11KIT_LIBS =
336 PACKAGE = openvpn
337 PACKAGE_BUGREPORT = openvpn-users@lists.sourceforge.net
338 PACKAGE_NAME = OpenVPN
339-PACKAGE_STRING = OpenVPN 2.5.8
340+PACKAGE_STRING = OpenVPN 2.5.9
341 PACKAGE_TARNAME = openvpn
342 PACKAGE_URL =
343-PACKAGE_VERSION = 2.5.8
344+PACKAGE_VERSION = 2.5.9
345 PATH_SEPARATOR = :
346 PKCS11_HELPER_CFLAGS =
347-PKCS11_HELPER_LIBS =
348+PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper
349 PKG_CONFIG = /usr/bin/pkg-config
350 PKG_CONFIG_LIBDIR =
351 PKG_CONFIG_PATH =
352@@ -267,7 +267,7 @@ TAP_WIN_MIN_MINOR = 9
353 TEST_CFLAGS = -I$(top_srcdir)/include
354 TEST_LDFLAGS = -lssl -lcrypto -llzo2 -lcmocka
355 TMPFILES_DIR =
356-VERSION = 2.5.8
357+VERSION = 2.5.9
358 abs_builddir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins
359 abs_srcdir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins
360 abs_top_builddir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn
361diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
362index de80dcf..de7cafd 100644
363--- a/src/openvpn/forward.c
364+++ b/src/openvpn/forward.c
365@@ -1714,8 +1714,6 @@ process_outgoing_link(struct context *c)
366 void
367 process_outgoing_tun(struct context *c)
368 {
369- struct gc_arena gc = gc_new();
370-
371 /*
372 * Set up for write() call to TUN/TAP
373 * device.
374@@ -1801,7 +1799,6 @@ process_outgoing_tun(struct context *c)
375 buf_reset(&c->c2.to_tun);
376
377 perf_pop();
378- gc_free(&gc);
379 }
380
381 void
382diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
383index 40b3bf5..e4662a7 100644
384--- a/src/openvpn/misc.c
385+++ b/src/openvpn/misc.c
386@@ -273,6 +273,7 @@ get_user_pass_cr(struct user_pass *up,
387 msg(D_LOW, "No password found in %s authfile '%s'. Querying the management interface", prefix, auth_file);
388 if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
389 {
390+ fclose(fp);
391 return false;
392 }
393 }
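Review bot: the added `fclose(fp)` closes the leak on the `auth_user_pass_mgmt()` failure path, but the hunk shows only this one early return; please confirm there is no other `return false` between the `fopen()` of `auth_file` and its regular `fclose()` in `get_user_pass_cr()`, otherwise the same descriptor leak persists on those paths. A single cleanup label that every error path jumps to would make this harder to miss the next time the function grows.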
394diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
395index 570e473..1e52056 100644
396--- a/src/openvpn/misc.h
397+++ b/src/openvpn/misc.h
398@@ -74,6 +74,7 @@ struct user_pass
399 #else
400 #define USER_PASS_LEN 128
401 #endif
402+ /* Note that username and password are expected to be null-terminated */
403 char username[USER_PASS_LEN];
404 char password[USER_PASS_LEN];
405 };
406diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
407index e370748..9158cfd 100644
408--- a/src/openvpn/ntlm.c
409+++ b/src/openvpn/ntlm.c
410@@ -143,6 +143,19 @@ my_strupr(char *str)
411 }
412 }
413
414+/**
415+ * This function expects a null-terminated string in src and will
416+ * copy it (including the terminating NUL byte),
417+ * alternating it with 0 to dst.
418+ *
419+ * This basically will transform a ASCII string into valid UTF-16.
420+ * Characters that are 8bit in src, will get the same treatment, resulting in
421+ * invalid or wrong unicode code points.
422+ *
423+ * @note the function will blindly assume that dst has double
424+ * the space of src.
425+ * @return the length of the number of bytes written to dst
426+ */
427 static int
428 unicodize(char *dst, const char *src)
429 {
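Review bot: the new doc comment's `@return` line reads "the length of the number of bytes written", which should simply be "the number of bytes written to dst". It would also help callers to state the required size explicitly: because the NUL terminator is copied and every byte is followed by a 0, `dst` must hold `2 * (strlen(src) + 1)` bytes, which is what "double the space of src" means here.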
430diff --git a/src/openvpn/options.c b/src/openvpn/options.c
431index 20d1273..2ddf30d 100644
432--- a/src/openvpn/options.c
433+++ b/src/openvpn/options.c
434@@ -4926,8 +4926,6 @@ parse_argv(struct options *options,
435 unsigned int *option_types_found,
436 struct env_set *es)
437 {
438- int i, j;
439-
440 /* usage message */
441 if (argc <= 1)
442 {
443@@ -4937,7 +4935,7 @@ parse_argv(struct options *options,
444 /* config filename specified only? */
445 if (argc == 2 && strncmp(argv[1], "--", 2))
446 {
447- char *p[MAX_PARMS];
448+ char *p[MAX_PARMS+1];
449 CLEAR(p);
450 p[0] = "config";
451 p[1] = argv[1];
452@@ -4947,9 +4945,9 @@ parse_argv(struct options *options,
453 else
454 {
455 /* parse command line */
456- for (i = 1; i < argc; ++i)
457+ for (int i = 1; i < argc; ++i)
458 {
459- char *p[MAX_PARMS];
460+ char *p[MAX_PARMS+1];
461 CLEAR(p);
462 p[0] = argv[i];
463 if (strncmp(p[0], "--", 2))
464@@ -4961,6 +4959,7 @@ parse_argv(struct options *options,
465 p[0] += 2;
466 }
467
468+ int j;
469 for (j = 1; j < MAX_PARMS; ++j)
470 {
471 if (i + j < argc)
472@@ -5001,6 +5000,12 @@ apply_pull_filter(const struct options *o, char *line)
473 return true;
474 }
475
476+ /* skip leading spaces matching the behaviour of parse_line */
477+ while (isspace(*line))
478+ {
479+ line++;
480+ }
481+
482 for (f = o->pull_filter_list->head; f; f = f->next)
483 {
484 if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0)
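Review bot: `isspace(*line)` is called with a plain `char`; for bytes above 0x7F on platforms where `char` is signed this passes a negative value, which is undefined behaviour for the `<ctype.h>` classification functions. Use `while (isspace((unsigned char)*line))`, and make sure options.c includes `<ctype.h>` (not visible in the hunk). Otherwise the change is the right fix: skipping leading whitespace before matching means an option pushed with extra leading spaces is still matched by the same filter rule that `parse_line()` would apply to it.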
485diff --git a/src/openvpn/push.c b/src/openvpn/push.c
486index 7c36530..43db191 100644
487--- a/src/openvpn/push.c
488+++ b/src/openvpn/push.c
489@@ -536,7 +536,7 @@ send_push_reply_auth_token(struct tls_multi *multi)
490
491 /* Construct a mimimal control channel push reply message */
492 struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc);
493- buf_printf(&buf, "%s, %s", push_reply_cmd, e->option);
494+ buf_printf(&buf, "%s,%s", push_reply_cmd, e->option);
495 send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH);
496 gc_free(&gc);
497 }
498@@ -779,8 +779,10 @@ push_update_digest(md_ctx_t *ctx, struct buffer *buf, const struct options *opt)
499 char line[OPTION_PARM_SIZE];
500 while (buf_parse(buf, ',', line, sizeof(line)))
501 {
502- /* peer-id might change on restart and this should not trigger reopening tun */
503- if (strprefix(line, "peer-id "))
504+ /* peer-id and auth-token might change on restart and this should not trigger reopening tun */
505+ if (strprefix(line, "peer-id ")
506+ || strprefix(line, "auth-token ")
507+ || strprefix(line, "auth-token-user "))
508 {
509 continue;
510 }
511@@ -891,13 +893,13 @@ remove_iroutes_from_push_route_list(struct options *o)
512 /* cycle through the push list */
513 while (e)
514 {
515- char *p[MAX_PARMS];
516+ char *p[MAX_PARMS+1];
517 bool enable = true;
518
519 /* parse the push item */
520 CLEAR(p);
521 if (e->enable
522- && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
523+ && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc))
524 {
525 /* is the push item a route directive? */
526 if (p[0] && !strcmp(p[0], "route") && !p[3])
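Review bot: the `MAX_PARMS+1` / `SIZE(p)-1` pairing here, together with the matching `MAX_PARMS+1` arrays in `parse_argv()`, encodes the invariant that `parse_line()` needs one slot beyond the count it is given for the terminating NULL, but that invariant is stated only in the ChangeLog. A one-line comment at the array declaration, or a dedicated macro next to `MAX_PARMS` (say a hypothetical `MAX_PARMS_WITH_SENTINEL`) used by every caller, would keep the next caller from reintroducing the overflow.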
527diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
528index be0e57f..9958099 100644
529--- a/src/openvpn/ssl_mbedtls.c
530+++ b/src/openvpn/ssl_mbedtls.c
531@@ -168,7 +168,13 @@ tls_ctx_free(struct tls_root_ctx *ctx)
532 }
533
534 #if defined(ENABLE_PKCS11)
535- pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
536+ /* ...freeCertificate() can handle NULL ptrs, but if pkcs11 helper
537+ * has not been initialized, it will ASSERT() - so, do not pass NULL
538+ */
539+ if (ctx->pkcs11_cert)
540+ {
541+ pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
542+ }
543 #endif
544
545 if (ctx->allowed_ciphers)
546diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
547index b94c786..4ab39a5 100644
548--- a/src/openvpn/ssl_ncp.c
549+++ b/src/openvpn/ssl_ncp.c
550@@ -108,7 +108,18 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
551 * (and translate_cipher_name_from_openvpn/
552 * translate_cipher_name_to_openvpn) also normalises the cipher name,
553 * e.g. replacing AeS-128-gCm with AES-128-GCM
554+ *
555+ * ciphers that have ? in front of them are considered optional and
556+ * OpenVPN will only warn if they are not found (and remove them from
557+ * the list)
558 */
559+
560+ bool optional = false;
561+ if (token[0] == '?')
562+ {
563+ token++;
564+ optional = true;
565+ }
566 const cipher_kt_t *ktc = cipher_kt_get(token);
567 if (strcmp(token, "none") == 0)
568 {
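Review bot: after `token++`, a token consisting solely of `?` becomes the empty string and falls through to `cipher_kt_get()` with an empty name, which matches no cipher and yields the warning "Unsupported optional cipher in --data-ciphers: " with nothing after the colon. Consider rejecting an empty name right after the prefix check (`if (*token == '\0')`) with an explicit message, so a typo such as `AES-256-GCM:?:AES-128-GCM` is diagnosed clearly rather than reported as an unsupported optional cipher with a blank name.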
569@@ -120,8 +131,9 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
570 }
571 if (!ktc && strcmp(token, "none") != 0)
572 {
573- msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token);
574- error_found = true;
575+ const char* optstr = optional ? "optional ": "";
576+ msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token);
577+ error_found = error_found || !optional;
578 }
579 else
580 {
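Review bot: style nit on `const char* optstr = optional ? "optional ": "";`: the surrounding code (see `const char *list` in the function signature) attaches the `*` to the name and spaces both sides of the ternary operators, so `const char *optstr = optional ? "optional " : "";` matches the file's conventions. The `error_found = error_found || !optional;` form is correct and is what keeps an earlier hard failure from being cleared by a trailing optional cipher.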
581diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c
582index 4337f6d..6e1e50a 100644
583--- a/tests/unit_tests/openvpn/test_ncp.c
584+++ b/tests/unit_tests/openvpn/test_ncp.c
585@@ -74,6 +74,20 @@ test_check_ncp_ciphers_list(void **state)
586 assert_ptr_equal(mutate_ncp_cipher_list(bf_chacha, &gc), NULL);
587 }
588
589+ /* Check that optional ciphers work */
590+ assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:?vollbit:AES-128-GCM", &gc),
591+ aes_ciphers);
592+
593+ /* Check that optional ciphers work */
594+ assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM", &gc),
595+ aes_ciphers);
596+
597+ /* All unsupported should still yield an empty list */
598+ assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL);
599+
600+ /* If the last is optional, previous invalid ciphers should be ignored */
601+ assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL);
602+
603 /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
604 * a different spelling the normalised cipher output is the same */
605 bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");
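Review bot: the comment on the last assertion, "If the last is optional, previous invalid ciphers should be ignored", states the opposite of what the assertion checks: the expected result is NULL, meaning the earlier invalid ciphers (`Vollbit`, `Littlebit`) must still make the whole list fail even though the final `?nixbit` is optional. Reword it to something like "A trailing optional cipher must not clear errors from earlier invalid ciphers" so the test documents the regression it guards (the `error_found = error_found || !optional` change in ssl_ncp.c). The two identical "Check that optional ciphers work" comments should also distinguish their cases (one unknown optional cipher in the middle versus all ciphers optional and supported).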
606diff --git a/version.m4 b/version.m4
607index dd66b1a..53d1edf 100644
608--- a/version.m4
609+++ b/version.m4
610@@ -3,12 +3,12 @@ define([PRODUCT_NAME], [OpenVPN])
611 define([PRODUCT_TARNAME], [openvpn])
612 define([PRODUCT_VERSION_MAJOR], [2])
613 define([PRODUCT_VERSION_MINOR], [5])
614-define([PRODUCT_VERSION_PATCH], [.8])
615+define([PRODUCT_VERSION_PATCH], [.9])
616 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
617 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
618 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
619 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
620-define([PRODUCT_VERSION_RESOURCE], [2,5,8,0])
621+define([PRODUCT_VERSION_RESOURCE], [2,5,9,0])
622 dnl define the TAP version
623 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
624 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
