Up to [cvs.NetBSD.org] / pkgsrc / net / openvpn-acct-wtmpx
Request diff between arbitrary revisions
Keyword substitution: kv
Default branch: MAIN
openvpn: updated to 2.6.12 v2.6.12 Bug fixes: the fix for CVE-2024-5594 (refuse control channel messages with nonprintable characters) was too strict, breaking user configurations with AUTH_FAIL messages having trailing CR/NL characters. This often happens if the AUTH_FAIL reason is set by a script. Strip those before testing the command buffer. Also, add unit test. Http-proxy: fix bug preventing proxy credentials caching.
openvpn: updated to 2.6.11 v2.6.11 Security fixes: CVE-2024-4877: Windows: harden interactive service pipe. Security scope: a malicious process with "some" elevated privileges (SeImpersonatePrivilege) could open the pipe a second time, tricking openvn GUI into providing user credentials (tokens), getting full access to the account openvpn-gui.exe runs as. (Zeze with TeamT5) CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson) CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client (Reynir Björnsson) New features: Windows Crypto-API: Implement Windows CA template match for searching certificates in windows crypto store. Support pre-created DCO interface on FreeBSD (OpenVPN would fail to set ifmode p2p/subnet otherwise) Bug fixes: Fix connect timeout when using SOCKS proxies Work around LibreSSL crashing on OpenBSD 7.5 when enumerating ciphers Add bracket in fingerprint message and do not warn about missing verification Documentation: Remove "experimental" denotation for --fast-io Correctly document ifconfig_* variables passed to scripts Documentation: make section levels consistent Samples: Update sample configurations (remove compression & old cipher settings, add more informative comments)
openvpn: updated to 2.6.10 Version 2.6.10 Christoph Schug (1): Update documentation references in systemd unit files Frank Lichtenheld (6): Fix typo --data-cipher-fallback samples: Remove tls-*.conf check_compression_settings_valid: Do not test for LZ4 in LZO check t_client.sh: Allow to skip tests Update Copyright statements to 2024 GHA: general update March 2024 Lev Stipakov (4): win32: Enforce loading of plugins from a trusted directory interactive.c: disable remote access to the service pipe interactive.c: Fix potential stack overflow issue Disable DCO if proxy is set via management Martin Rys (1): openvpn-[client|server].service: Remove syslog.target Max Fillinger (1): Remove license warning from README.mbedtls Selva Nair (1): Document that auth-user-pass may be inlined wellweek (1): remove repetitive words in documentation and comments
regen distinfo
net/openvpn: Update to 2.6.8 upstream NEWS: bugfixes
net/openvpn: Update to 2.6.7 Upstream NEWS: Security Fixes: * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly use a send buffer after it has been free()d in some circumstances, causing some free()d memory to be sent to the peer. All configurations using TLS (e.g. not using --secret) are affected by this issue. (found while tracking down CVE-2023-46849 / Github #400, #417) * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly restore --fragment configuration in some circumstances, leading to a division by zero when --fragment is used. On platforms where division by zero is fatal, this will cause an OpenVPN crash.(Github #400, #417). User visible changes: * DCO: warn if DATA_V1 packets are sent by the other side - this a hard incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4 server, and the only fix is to use --disable-dco. * Remove OpenSSL Engine method for loading a key. This had to be removed because the original author did not agree to relicensing the code with the new linking exception added. This was a somewhat obsolete feature anyway as it only worked with OpenSSL 1.x, which is end-of-support. * add warning if p2p NCP client connects to a p2mp server - this is a combination that used to work without cipher negotiation (pre 2.6 on both ends), but would fail in non-obvious ways with 2.6 to 2.6. * add warning to --show-groups that not all supported groups are listed (this is due the internal enumeration in OpenSSL being a bit weird, omitting X448 and X25519 curves). * --dns: remove support for exclude-domains argument (this was a new 2.6 option, with no backend support implemented yet on any platform, and it turns out that no platform supported it at all - so remove option again) * warn user if INFO control message too long, do not forward to management client (safeguard against protocol-violating server implementations) New features: * DCO-WIN: get and log driver version (for easier debugging). * print "peer temporary key details" in TLS handshake * log OpenSSL errors on failure to set certificate, for example if the algorithms used are in acceptable to OpenSSL (misleading message would be printed in cryptoapi / pkcs11 scenarios) * add CMake build system for MinGW and MSVC builds * remove old MSVC build system * improve cmocka unit test building for Windows
net/openvpn-*: revbump and regen distinfo for openvpn update
net/openvpn-acct-wtmpx: revbump/distinfo for openvpn update
openvpn: updated to 2.6.4 Overview of changes in 2.6.4 User visible changes License amendment: all NEW commits fall under a modified license that explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) - see COPYING for details. Existing code will fall under the new license as soon as all contributors have agreed to the change - work ongoing. New features DCO: support kernel-triggered key rotation (avoid IV reuse after 2^32 packets). This is the userland side, accepting a message from kernel, and initiating a TLS renegotiation. As of release, only implemented in FreeBSD kernel. Bug fixes fix pkcs#11 usage with OpenSSL 3.x and PSS signing fix compile error on TARGET_ANDROID fix typo in help text manpage updates (--topology) encoding of non-ASCII windows error messages in log + management fixed (use UTF8 "as for everything else", not ANSI codepages)
openvpn: updated to 2.6.3 Version 2.6.3 GHA: remove Ubuntu 18.04 builds vcpkg: request "tools" feature of openssl for MSVC build doc: run rst2* with --strict to catch warnings Support of DNS domain for DHCP-less drivers Bug-fix: segfault in dco_get_peer_stats()
openvpn: updated to 2.6.2 Overview of changes in 2.6.2 New features implement byte counter statistics for DCO Linux (p2mp server and client) implement byte counter statistics for DCO Windows (client only) '--dns server <n> address ...' now permits up to 8 v4 or v6 addresses fix a few cases of possibly undefined behaviour detected by ASAN add more unit tests for Windows cryptoapi interface Bug fixes sending of AUTH_PENDING and INFO_PRE messages fixed Windows: do not treat "setting IPv6 interface metric failed" as fatal error on "block-dns" install - this can happen if IPv6 is disabled on the interface and is not harmful in itself fix '--inactive' if DCO is in use NOTE: on FreeBSD, this is not working yet (missing per-peer stats) DCO-Linux: do not print errno on netlink errors (errno is not set by NL) SOCKS client: improve error reporting on server disconnects DCO-Linux: fix lockups due to netlink buffer overflows on high client connect/disconnect activity. See "User visible changes" for more details of this. fix some uses of the OpenSSL3 API for non-default providers (enable use of quantum-crypto OpenSSL provider) fix memory leak of approx. 1600 bytes per incoming initial TLS packet fix bug when using ECDSA signatures with OpenSSL 3.0.x and pkcs11-helper (data format conversion was not done properly) fix 'make distcheck' - unexpected side effect of 'subdir-objects' fix ASSERT() with dynamic tls-crypt and --tls-crypt-v2 User visible changes print (kernel) DCO version on startup - helpful for getting a more complete picture of the environment in use. New control packets flow for data channel offloading on Linux. 2.6.2+ changes the way OpenVPN control packets are handled on Linux when DCO is active, fixing the lockups observed with 2.6.0/2.6.1 under high client connect/disconnect activity. This is an INCOMPATIBLE change and therefore an ovpn-dco kernel module older than v0.2.20230323 (commit ID 726fdfe0fa21) will not work anymore and must be upgraded. The kernel module was renamed to "ovpn-dco-v2.ko" in order to highlight this change and ensure that users and userspace software could easily understand which version is loaded. Attempting to use the old ovpn-dco with 2.6.2+ will lead to disabling DCO at runtime. The client-pending-auth management command now requires also the key id. The management version has been changed to 5 to indicate this change. A client will now refuse a connection if pushed compression settings will contradict the setting of allow-compression as this almost always results in a non-working connection.
openvpn: updated to 2.6.1 Overview of changes in 2.6.1 New features Dynamic TLS Crypt When both peers are OpenVPN 2.6.1+, OpenVPN will dynamically create a tls-crypt key that is used for renegotiation. This ensure that only the previously authenticated peer can do trigger renegotiation and complete renegotiations. CryptoAPI (Windows): support issuer name as a selector. Certificate selection string can now specify a partial issuer name string as "--cryptoapicert ISSUER:<string>" where <string> is matched as a substring of the issuer (CA) name in the certificate. User visible changes on crypto initialization, move old "quite verbose" messages to --verb 4 and only print a more compact summary about crypto and timing parameters by default configure now enables DCO build by default on FreeBSD and Linux, which brings in a default dependency for libnl-genl (for Linux distributions that are too old to have this library, use "configure --disable-dco") make "configure --help" output more consistent CryptoAPI (Windows): remove support code for OpenSSL before 3.0.1 (this will not affect official OpenVPN for Windows installers, as they will always be built with OpenSSL 3.0.x) CryptoAPI (Windows): log the selected certificate's name "configure" now uses "subdir-objects", for automake >= 1.16 (less warnings for recent-enough automake versions, will change the way .o files are created) Bugfixes / minor improvements fixed old IPv6 ifconfig race condition for FreeBSD 12.4 fix compile-time breakage related to DCO defines on FreeBSD 14 enforce minimum packet size for "--fragment" (avoid division by zero) some alignment fixes to avoid unaligned memory accesses, which will bring problems on some architectures (Sparc64, some ARM versions) - found by USAN clang checker windows source code fixes to reduce number of compile time warnings (eventual goal is to be able to compile with -Werror on MinGW), mostly related to signed/unsigned char * conversions, printf() format specifiers and unused variables. avoid endless loop on logging with --management + --verb 6+ build (but not run) unit tests on MinGW cross compiles, and run them when building with GitHub Actions. add unit test for parts of cryptoapi.c add debug logging to help with diagnosing windows driver selection disable DCO if proxy config is set via management interface do not crash on Android if run without --management improve documentation about cipher negotiation and OpenVPN3 for x86 windows builds, use proper calling conventions for dco-win (__stdcall) differentiate "dhcp-option ..." options into "needs an interface with true DHCP service" (tap-windows) and "can also be installed by IPAPI or service, and can be used on non-DHCP interfaces" (wintun, dco-win) windows interactive service: fix possible double-free if "--block-dns" installation fails due to "security products" interfering "make dist": package ovpn_dco_freebsd.h to permit building from tarballs on FreeBSD 14
openvpn: updated to 2.5.8 Overview of changes in 2.5.8 New features allow running a default configuration with TLS libraries without BF-CBC (even if TLS cipher negotiation would not actually use BF-CBC, the long-term compatibility "default cipher BF-CBC" would trigger an error on such TLS libraries) User-visible Changes add git branch name + commit ID to OpenVPN version string on MSVC builds (windows) Testing Enhancements t_client.sh: if fping is found and fping6 is not, assume we have fping 4.0 and up, and call "fping -6" for IPv6 ping tests t_client.sh: allow to force FAIL on prerequisite fails, so a CI environment will no longer "silently skip" t_client runs if fping (etc) can not be found, but will error out Bugfixes ``--auth-nocache'' was not always correctly clearing username+password after a renegotiation ensure that auth-token received from server is cleared if requested by the management interface ("forget password" or automatically via ``--management-forget-disconnect'') in a setup without username+password, but with auth-token and auth-token-username pushed by the server, OpenVPN would start asking for username+password on token expiry. Fix. using --auth-token together with --management-client-auth (on the server) would lead to TLS keys getting out of sync and client being disconnected. Fix. management interface would sometimes get stuck if client and server try to write something simultaneously. Fix by allowing a limited level of recursion in virtual_output_callback() fix management interface not returning ERROR:/SUCCESS: response on "signal SIGxxx" commands when in HOLD state tls-crypt-v2: abort connection if client-key is too short make man page agree with actual code on replay-window backtrag log message remove useless empty line from CR_RESPONSE message
openvpn*: Update to 2.5.7 Upstream changes: bugfixes
openvpn: updated to 2.5.6 OpenVPN 2.5.6. This is mostly a bugfix release including one security fix ("Disallow multiple deferred authentication plug-ins.", CVE: 2022-0547).
openvpn: updated to 2.5.5 Overview of changes in 2.5.5 ============================ User-visible Changes -------------------- - SWEET32/64bit cipher deprecation change was postponed to 2.7 - Windows: use network address for emulated DHCP server as default this enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud. - require EC support in windows builds (this means it's no longer possible to build a Windows OpenVPN binary with an OpenSSL lib without EC support) New features ------------ - Windows build: use CFG and Spectre mitigations on MSVC builds - bring back OpenSSL config loading to Windows builds. OpenSSL config is loaded from %installdir%\SSL\openssl.cfg (typically: c:\program files\openvpn\SSL\openssl.cfg) if it exists. This is important for some hardware tokens which need special OpenSSL config for correct operation. Bugfixes -------- - Windows build: enable EKM - Windows build: improve various vcpkg related build issues - Windows build: fix regression related to non-writeable status files - Windows build: fix regression that broke OpenSSL EC support - Windows build: fix "product version" display (2.5..4 -> 2.5.4) - Windows build: fix regression preventing use of PKCS12 files - improve "make check" to notice if "openvpn --show-cipher" crashes - improve argv unit tests - ensure unit tests work with mbedTLS builds without BF-CBC ciphers - include "--push-remove" in the output of "openvpn --help" - fix error in iptables syntax in example firewall.sh script - fix "resolvconf -p" invocation in example "up" script - fix "common_name" environment for script calls when "--username-as-common-name" is in effect Documentation ------------- - move "push-peer-info" documentation from "server options" to "client" (where it belongs) - correct "foreign_option_{n}" typo in manpage - update IRC information in CONTRIBUTING.rst (libera.chat) - README.down-root: fix plugin module name
net: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes Not committed (merge conflicts...): net/radsecproxy/distinfo The following distfiles could not be fetched (fetched conditionally?): ./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz ./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch ./net/djbdns/distinfo djbdns-1.05-test28.diff.xz ./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch ./net/djbdns/distinfo djbdns-1.05-multiip.diff ./net/djbdns/distinfo djbdns-cachestats.patch
net: Remove SHA1 hashes for distfiles
openvpn: updated to 2.5.4 Overview of changes in 2.5.4 ============================ Bugfixes -------- - fix prompting for password on windows console if stderr redirection is in use - this breaks 2.5.x on Win11/ARM, and might also break on Win11/adm64 when released. - fix setting MAC address on TAP adapters (--lladdr) to use sitnl (was overlooked, and still used "ifconfig" calls) - various improvements for man page building (rst2man/rst2html etc) - minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on at least one platform strictly checking this) - fix minor memory leak under certain conditions in add_route() and add_route_ipv6() User-visible Changes -------------------- - documentation improvements - copyright updates where needed - better error reporting when win32 console access fails New features ------------ - also build man page on Windows builds
openvpn: updated to 2.5.3 Version 2.5.3 * Add missing free_key_ctx for auth_token * Add github actions * Implement auth-token-user * Update copyrights * openvpnmsica: properly schedule reboot in the end of installation * msvc: add ARM64 configuration * msvc: standalone building * contrib/vcpkg-ports: add pkcs11-helper port * vcpkg-ports: restore trailing whitespaces in .patch files * GitHub actions: add MSVC build * crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606) * contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606) * Fix SIGSEGV (NULL deref) receiving push "echo" * Fix build with mbedtls w/o SSL renegotiation support * Improve documentation of AUTH_PENDING related directives * Apply the connect-retry backoff to only one side of a connection
openvpn: updated to 2.5.2 The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with “–auth-gen-token” or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account. OpenVPN 2.5.2 also includes other bug fixes and improvements. Updated OpenSSL and OpenVPN GUI are included in Windows installers.
openvpn: updated to 2.5.1 Version 2.5.1 * Fix auth-token not being updated if auth-nocache is set * Remove auth_user_pass.wait_for_push variable * Fix port-share option with TLS-Crypt v2 * Zero initialise msghdr prior to calling sendmesg * Fix tls-auth mismatch OCC message when tls-cryptv2 is used. * build: Fix missing install of man page in certain environments * Fix too early argv freeing when registering DNS * Remove 1 second delay before running netsh * Skip DHCP renew with Wintun adapter * Change travis build scripts to use https when fetching prerequisites. * Fix line number reporting on config file errors after <inline> segments * Clarify --block-ipv6 intent and direction. * Document common uses of 'echo' directive, re-enable logging for 'echo'. * Make OPENVPN_PLUGIN_ENABLE_PF failures FATAL * clean up / rewrite sample-plugins/defer/simple.c * Fix naming error in sample-plugins/defer/simple.c * Documentation fixes around openvpn_plugin_func_v3 in openvpn-plugin.h.in * Update openvpn_plugin_func_v2 to _v3 in sample-plugins/defer/simple.c * More explicit versioning compatibility in sample-plugins/defer/simple.c * Explain structver usage in sample defer plugin. * Man page sections corrections * Quote the domain name argument passed to the wmic command * tls-crypt-v2: fix server memory leak * tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key)
(net/openvpn-acct-wtmpx) regend distinfo
openvpn: updated to 2.4.9 OpenVPN 2.4.9 * socks: use the right function when printing struct openvpn_sockaddr * Fetch OpenSSL versions via source/old links * Fix OpenSSL error stack handling of tls_ctx_add_extra_certs * Fix OpenSSL 1.1.1 not using auto elliptic curve selection * Fix broken fragmentation logic when using NCP * Fix building with --enable-async-push in FreeBSD * Fix broken async push with NCP is used * Fix illegal client float (CVE-2020-11810) * OpenSSL: Fix --crl-verify not loading multiple CRLs in one file * Fix OpenSSL private key passphrase notices * Swap the order of checks for validating interactive service user * Move querying username/password from management interface to a function * When auth-user-pass file has no password query the management interface (if available). * Fix possibly uninitialized return value in GetOpenvpnSettings() * Fix possible access of uninitialized pipe handles * Skip expired certificates in Windows certificate store * Allow unicode search string in --cryptoapicert option * mbedTLS: Make sure TLS session survives move * docs: Add reference to X509_LOOKUP_hash_dir(3)
openvpn: updated to 2.4.8 Version 2.4.8 This is primarily a maintenance release with minor bugfixes and improvements. New features Support compiling with OpenSSL 1.1 without deprecated APIs handle PSS padding in cryptoapicert (necessary for TLS >= 1.2) User visible changes do not abort when hitting the combination of "--pull-filter" and "--mode server" (this got hit when starting OpenVPN servers using the windows GUI which installs a pull-filter to force ip-win32) increase listen() backlog queue to 32 (improve response behaviour on openvpn servers using TCP that get portscanned) fix and enhance documentation (INSTALL, man page, ...) Bug fixes the combination "IPv6 and proto UDP and SOCKS proxy" did not work - as a workaround, force IPv4 in this case until a full implementation for IPv6-UDP-SOCKS can be made. fix IPv6 routes on tap interfaces on OpenSolaris/OpenIndiana fix building with LibreSSL do not set pkcs11-helper 'safe fork mode' (should fix PIN querying in systemd environments) repair windows builds repair Darwin builds (remove -no-cpp-precomp flag)
openvpn: updated to 2.4.7 OpenVPN 2.4.7 - Fix subnet topology on NetBSD (2.4). - add support for %lu in argv_printf and prevent ASSERT - buffer_list: add functions documentation - ifconfig-ipv6(-push): allow using hostnames - Properly free tuntap struct on android when emulating persist-tun - Add OpenSSL compat definition for RSA_meth_set_sign - Add support for tls-ciphersuites for TLS 1.3 - Add better support for showing TLS 1.3 ciphersuites in --show-tls - Use right function to set TLS1.3 restrictions in show-tls - Add message explaining early TLS client hello failure - Fallback to password authentication when auth-token fails - systemd: extend CapabilityBoundingSet for auth_pam - plugin: Export base64 encode and decode functions - Add %d, %u and %lu tests to test_argv unit tests. - Fix combination of --dev tap and --topology subnet across multiple platforms. - Add 'printing of port number' to mroute_addr_print_ex() for v4-mapped v6. - preparing release v2.4.7 (ChangeLog, version.m4, Changes.rst) - Minor reliability layer documentation fixes - Resolves small IV_GUI_VER typo in the documentation. - Clarify and expand management interface documentation - Refactor NCP-negotiable options handling - init.c: refine functions names and description - interactive.c: fix usage of potentially uninitialized variable - options.c: fix broken unary minus usage - Remove extra token after #endif - Fix error message when using RHEL init script - man: correct a --redirection-gateway option flag - Replace M_DEBUG with D_LOW as the former is too verbose - Correct the declaration of handle in 'struct openvpn_plugin_args_open_return' - Bump version of openvpn plugin argument structs to 5 - Move get system directory to a separate function - Enable dhcp on tap adapter using interactive service - Pass the hash without the DigestInfo header to NCryptSignHash() - White-list pull-filter and script-security in interactive service - Add Interactive Service developer documentation - Detect TAP interfaces with root-enumerated hardware ID - man: add security considerations to --compress section - mbedtls: print warning if random personalisation fails - Fix memory leak after sighup - travis: add OpenSSL 1.1 Windows build - Fix --disable-crypto build - Don't print OCC warnings about 'key-method', 'keydir' and 'tls-auth' - buffer_list_aggregate_separator(): simplify code
openvpn: 2.4.6 OpenVPN 2.4.6 management: Warn if TCP port is used without password Correct version in ChangeLog - should be 2.4.5, was mistyped as 2.4.4 Fix potential double-free() in Interactive Service (CVE-2018-9336) preparing release v2.4.6 (ChangeLog, version.m4, Changes.rst) manpage: improve description of --status and --status-version Make return code external tls key match docs Delete the IPv6 route to the "connected" network on tun close Management: warn about password only when the option is in use Avoid overflow in wakeup time computation Add missing #ifdef SSL_OP_NO_TLSv1_1/2 Check for more data in control channel
openvpn: updated to 2.4.5 OpenVPN 2.4.5: reload HTTP proxy credentials when moving to the next connection profile Allow learning iroutes with network made up of all 0s (only if netbits < 8) mbedtls: fix typ0 in comment manpage: fix simple typ0 Treat dhcp-option DNS6 and DNS identical show the right string for key-direction Fix typo in error message: "optione" -> "option" lz4: Fix confused version check lz4: Fix broken builds when pkg-config is not present but system library is Remove references to keychain-mcd in Changes.rst lz4: Rebase compat-lz4 against upstream v1.7.5 systemd: Add and ship README.systemd Update copyright to include 2018 plus company name change man: Add .TQ groff support macro man: Reword --management to prefer unix sockets over TCP OpenSSL: check EVP_PKEY key types before returning the pkey Remove warning on pushed tun-ipv6 option. Fix removal of on-link prefix on windows with netsh travis-ci: add brew cache, remove ccache travis-ci: modify openssl build script to support openssl-1.1.0 autoconf: Fix engine checks for openssl 1.1 Cast time_t to long long in order to print it. Fix build with LibreSSL Check whether in pull_mode before warning about previous connection blocks Avoid illegal memory access when malformed data is read from the pipe Fix missing check for return value of malloc'd buffer Return NULL if GetAdaptersInfo fails Use RSA_meth_free instead of free Bring cryptoapi.c upto speed with openssl 1.1 Add SSL_CTX_get_max_proto_version() not in openssl 1.0 TLS v1.2 support for cryptoapicert -- RSA only Refactor get_interface_metric to return metric and auto flag separately Ensure strings read from registry are null-terminated Make most registry values optional Use lowest metric interface when multiple interfaces match a route Adapt to RegGetValue brokenness in Windows 7 Fix format spec errors in Windows builds Local functions are not supported in MSVC. Bummer. Mixing wide and regular strings in concatenations is not allowed in MSVC. RtlIpv6AddressToStringW() and RtlIpv4AddressToStringW() require mstcpip.h Simplify iphlpapi.dll API calls Fix local #include to use quoted form Document ">PASSWORD:Auth-Token" real-time message Fix typo in "verb" command examples Uniform swprintf() across MinGW and MSVC compilers MSVC meta files added to .gitignore list openvpnserv: Add support for multi-instances Document missing OpenVPN states make struct key * argument of init_key_ctx const buffer_list_aggregate_separator(): add unit tests Add --tls-cert-profile option. Use P_DATA_V2 for server->client packets too Fix memory leak in buffer unit tests buffer_list_aggregate_separator(): update list size after aggregating buffer_list_aggregate_separator(): don't exceed max_len buffer_list_aggregate_separator(): prevent 0-byte malloc Fix types around buffer_list_push(_data) ssl_openssl: fix compiler warning by removing getbio() wrapper travis: use clang's -fsanitize=address to catch more bugs Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+ Add support for TLS 1.3 in --tls-version-{min, max} Plug memory leak if push is interrupted Fix format errors when cross-compiling for Windows Log pre-handshake packet drops using D_MULTI_DROPPED Enable stricter compiler warnings by default Get rid of ax_check_compile_flag.m4 mbedtls: don't use API deprecated in mbed 2.7 Warn if tls-version-max < tls-version-min Don't throw fatal errors from create_temp_file() Fix '--bind ipv6only'
openvpn: update to 2.4.4 Version 2.4.4 ============= This is primarily a maintenance release, with further improved OpenSSL 1.1 integration, several minor bug fixes and other minor improvements. Bug fixes --------- - Fix issues when a pushed cipher via the Negotiable Crypto Parameters (NCP) is rejected by the remote side - Ignore ``--keysize`` when NCP have resulted in a changed cipher. - Configurations using ``--auth-nocache`` and the management interface to provide user credentials (like NetworkManager on Linux) on client side with servers implementing authentication tokens (for example, using ``--auth-gen-token``) will now behave correctly and not query the user for an, to them, unknown authentication token on renegotiations of the tunnel. - Fix bug causing invalid or corrupt SOCKS port number when changing the proxy via the management interface. - The man page should now have proper escaping of hyphens/minus characters and have seen some minor corrections. User-visible Changes -------------------- - Linux servers with systemd which uses the ``openvpn-server@.service`` unit file for server configurations will now utilize the automatic restart feature in systemd. If the OpenVPN server process dies unexpectedly, systemd will ensure the OpenVPN configuration will be restarted without any user interaction. Deprecated features ------------------- - ``--no-replay`` is deprecated and will be removed in OpenVPN 2.5. - ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6 Security -------- - CVE-2017-12166: Fix bounds check for configurations using ``--key-method 1``. Before this fix, it could allow an attacker to send a malformed packet to trigger a stack overflow. This is considered to be a low risk issue, as ``--key-method 2`` has been the default since OpenVPN 2.0 (released on 2005-04-17). This option is already deprecated in v2.4 and will be completely removed in v2.5.
Use DIST_SUBDIR properly.
Distfile has been changed upstream
Updated openvpn to 2.4.3
OpenVPN 2.4.2 Compared to OpenVPN 2.3 this is a major update with a large number of new features, improvements and fixes. Some of the major features are AEAD (GCM) cipher and Elliptic Curve DH key exchange support, improved IPv4/IPv6 dual stack support and more seamless connection migration when client's IP address changes (Peer-ID). Also, the new --tls-crypt feature can be used to increase users' connection privacy. Compared to OpenVPN 2.4.1 there are several bugfixes and small enhancements. A summary of the changes is available in Changes.rst.
Version 2.3.16: * fix redirect-gateway behaviour when an IPv4 default route does not exist * Avoid a 1 byte overcopy in x509_get_subject (ssl_verify_openssl.c) * Check for errors in the return value of GetModuleFileNameW() * Fix gateway detection with OpenBSD routing domains
update openvpn to 2.3.15 fixes DoSses: CVE-2017-7478 CVE-2017-7479 fixes PR pkg/52044 relevant excerpt of ChangeLog: OpenVPN Change Log Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> 2017.05.11 -- Version 2.3.15 David Sommerseth (5): dev-tools: Added script for updating copyright years in files Update copyrights docs: Further improve --reneg-bytes and SWEET32 information git: Merge .gitignore files into a single file Make --cipher/--auth none more explicit on the risks Gert Doering (1): Document --proto udp6, tcp6, etc. Julien Muchembled (1): Fix implicit declarations when HAVE_OPENSSL_ENGINE is unset Steffan Karger (6): Add missing includes in error.h cleanup: merge packet_id_alloc_outgoing() into packet_id_write() Document that OpenVPN 2.3 does not check the CRL signature Introduce and use secure_memzero() to erase secrets Drop packets instead of assert out if packet id rolls over (CVE-2017-7479) Don't assert out on receiving too-large control packets (CVE-2017-7478) 2016.12.06 -- Version 2.3.14 Christian Hesse (1): update year in copyright message David Sommerseth (1): Document the --auth-token option Gert Doering (2): Repair topology subnet on FreeBSD 11 Repair topology subnet on OpenBSD Lev Stipakov (1): Drop recursively routed packets Selva Nair (4): Support --block-outside-dns on multiple tunnels When parsing '--setenv opt xx ..' make sure a third parameter is present Map restart signals from event loop to SIGTERM during exit-notification wait Correctly state the default dhcp server address in man page Steffan Karger (1): Clean up format_hex_ex() 2016.11.02 -- Version 2.3.13 Arne Schwabe (2): Use AES ciphers in our sample configuration files and add a few modern 2.4 examples Incorporate the Debian typo fixes where appropriate and make show_opt default message clearer David Sommerseth (4): t_client.sh: Make OpenVPN write PID file to avoid various sudo issues t_client.sh: Add support for Kerberos/ksu t_client.sh: Improve detection if the OpenVPN process did start during tests t_client.sh: Add prepare/cleanup possibilties for each test case Gert Doering (5): Do not abort t_client run if OpenVPN instance does not start. Fix t_client runs on OpenSolaris make t_client robust against sudoers misconfiguration add POSTINIT_CMD_suf to t_client.sh and sample config Fix --multihome for IPv6 on 64bit BSD systems. Ilya Shipitsin (1): skip t_lpback.sh and t_cltsrv.sh if openvpn configured --disable-crypto Lev Stipakov (2): Exclude peer-id from pulled options digest Fix compilation in pedantic mode Samuli Seppänen (1): Automatically cache expected IPs for t_client.sh on the first run Steffan Karger (6): Fix unittests for out-of-source builds Make gnu89 support explicit cleanup: remove code duplication in msg_test() Update cipher-related man page text Limit --reneg-bytes to 64MB when using small block ciphers Add a revoked cert to the sample keys 2016.08.23 -- Version 2.3.12 Arne Schwabe (2): Complete push-peer-info documentation and allow IV_PLAT_VER for other platforms than Windows if the client UI supplies it. Move ASSERT so external-key with OpenSSL works again David Sommerseth (3): Only build and run cmocka unit tests if its submodule is initialized Another fix related to unit test framework Remove NOP function and callers Dorian Harmans (1): Add CHACHA20-POLY1305 ciphersuite IANA name translations. Ivo Manca (1): Plug memory leak in mbedTLS backend Jeffrey Cutter (1): Update contrib/pull-resolv-conf/client.up for no DOMAIN Jens Neuhalfen (2): Add unit testing support via cmocka Add a test for auth-pam searchandreplace Josh Cepek (1): Push an IPv6 CIDR mask used by the server, not the pool's size Leon Klingele (1): Add link to bug tracker Samuli Seppänen (2): Update CONTRIBUTING.rst to allow GitHub PRs for code review purposes Clarify the fact that build instructions in README are for release tarballs Selva Nair (4): Make error non-fatal while deleting address using netsh Make block-outside-dns work with persist-tun Ignore SIGUSR1/SIGHUP during exit notification Promptly close the netcmd_semaphore handle after use Steffan Karger (4): Fix polarssl / mbedtls builds Don't limit max incoming message size based on c2->frame Fix '--cipher none --cipher' crash Discourage using 64-bit block ciphers
Update openvpn distfile. Bump PKGREVISION.
Add SHA512 digests for distfiles for net category Problems found with existing digests: Package haproxy distfile haproxy-1.5.14.tar.gz 159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded] da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated] Problems found locating distfiles: Package bsddip: missing distfile bsddip-1.02.tar.Z Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2 Package djbdns: missing distfile djbdns-cachestats.patch Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch Package gated: missing distfile gated-3-5-11.tar.gz Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz Package poink: missing distfile poink-1.6.tar.gz Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch Package waste: missing distfile waste-source.tar.gz Otherwise, existing SHA1 digests verified and found to be the same on the machine holding the existing distfiles (morden). All existing SHA1 digests retained for now as an audit trail.
Update checksums for openvpn update.
Changes 2.3.4: The most important change in this release is that TLS version negotiation is no longer used unless it's explicitly turned on in the configuration files, thus reverting back to the 2.3.2 behaviour as interoperability issues were encountered in 2.3.3. Other notable changes include addition of SSL library version reporting, fixing of SOCKSv5 authentication logic and making serial env exporting consistent between OpenSSL and PolarSSL. This release also contains a number of other bug fixes and small enhancements.
Keep distinfo in sync with openvpn main package. Bump revision.
Don't call libtool --mode=finish without argument, this will be fatal with the next version.
Upgrade OpenVPN to 2.3.0 Bump openvpn-acct-wtmpx to add its licence and to take into account the new location of plugin directory Significant changes since 2.2.x: * Full IPv6 support * SSL layer modularised, enabling easier implementation for other SSL libraries * PolarSSL support as a drop-in replacement for OpenSSL * New plug-in API providing direct certificate access, improved logging API and easier to extend in the future * Added 'dev_type' environment variable to scripts and plug-ins - which is set to 'TUN' or 'TAP' * New feature: --management-external-key - to provide access to the encryption keys via the management interface * New feature: --x509-track option, more fine grained access to X.509 fields in scripts and plug-ins * New feature: --client-nat support * New feature: --mark which can mark encrypted packets from the tunnel, suitable for more advanced routing and firewalling * New feature: --management-query-proxy - manage proxy settings via the management interface (supercedes --http-proxy-fallback) * New feature: --stale-routes-check, which cleans up the internal routing table * New feature: --x509-username-field, where other X.509v3 fields can be used for the authentication instead of Common Name * Improved client-kill management interface command * Improved UTF-8 support - and added --compat-names to provide backwards compatibility with older scripts/plug-ins * Improved auth-pam with COMMONNAME support, passing the certificate's common name in the PAM conversation * More options can now be used inside <connection> blocks * Completely new build system, enabling easier cross-compilation and Windows builds * Much of the code has been better documented * Many documentation updates * Plenty of bug fixes and other code clean-ups
Explicitly include utmpx.h for NetBSD/current.
Fix unprivileged build. Use SPECIAL_PERMS. Sort PLIST. Bump revision.
This OpenVPN plugin logs VPN logins and logouts in the wtmpx file. Using it, you can have a look of OpenPVN usage by the last(1) command.
Initial revision