!28 update to 2.5.5 mastet分支 openvpn

From: @xigaoxinyan 
Reviewed-by: @small_leek 
Signed-off-by: @small_leek

CVE-2020-11810.patch

@@ -1,65 +0,0 @@
-From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
-From: Lev Stipakov <lev@openvpn.net>
-Date: Wed, 15 Apr 2020 10:30:17 +0300
-Subject: [PATCH] Fix illegal client float (CVE-2020-11810)
-
-There is a time frame between allocating peer-id and initializing data
-channel key (which is performed on receiving push request or on async
-push-reply) in which the existing peer-id float checks do not work right.
-
-If a "rogue" data channel packet arrives during that time frame from
-another address and  with same peer-id, this would cause client to float
-to that new address. This is because:
-
- - tls_pre_decrypt() sets packet length to zero if
-   data channel key has not been initialized, which leads to
-
- - openvpn_decrypt() returns true if packet length is zero,
-   which leads to
-
- - process_incoming_link_part1() returns true, which
-   calls multi_process_float(), which commits float
-
-Note that problem doesn't happen when data channel key is initialized,
-since in this case openvpn_decrypt() returns false.
-
-The net effect of this behaviour is that the VPN session for the
-"victim client" is broken.  Since the "attacker client" does not have
-suitable keys, it can not inject or steal VPN traffic from the other
-session.  The time window is small and it can not be used to attack
-a specific client's session, unless some other way is found to make it
-disconnect and reconnect first.
-
-CVE-2020-11810 has been assigned to acknowledge this risk.
-
-Fix illegal float by adding buffer length check ("is this packet still
-considered valid") before calling multi_process_float().
-
-Trac: #1272
-CVE: 2020-11810
-
-Signed-off-by: Lev Stipakov <lev@openvpn.net>
-Acked-by: Arne Schwabe <arne@rfc2549.org>
-Acked-by: Antonio Quartulli <antonio@openvpn.net>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
----
- src/openvpn/multi.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
-index b42bcec97..056e3dc76 100644
---- a/src/openvpn/multi.c
-+++ b/src/openvpn/multi.c
-@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
-             orig_buf = c->c2.buf.data;
-             if (process_incoming_link_part1(c, lsi, floated))
-             {
--                if (floated)
-+                /* nonzero length means that we have a valid, decrypted packed */
-+                if (floated && c->c2.buf.len > 0)
-                 {
-                     multi_process_float(m, m->pending);
-                 }

CVE-2020-15078.patch

@@ -1,39 +0,0 @@
-From 6b03967183591d8a7e619caaf529f7581619326b Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne@rfc2549.org>
-Date: Tue, 6 Apr 2021 00:05:21 +0200
-Subject: [PATCH] Ensure key state is authenticated before sending push reply
-
-This ensures that the key state is authenticated when sendinga push reply.
----
- src/openvpn/push.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/push.c b/src/openvpn/push.c
-index dd5bd41..fcdd76b 100644
---- a/src/openvpn/push.c
-+++ b/src/openvpn/push.c
-@@ -647,6 +647,7 @@ int
- process_incoming_push_request(struct context *c)
- {
-     int ret = PUSH_MSG_ERROR;
-+    struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
- 
- #ifdef ENABLE_ASYNC_PUSH
-     c->c2.push_request_received = true;
-@@ -657,7 +658,12 @@ process_incoming_push_request(struct context *c)
-         send_auth_failed(c, client_reason);
-         ret = PUSH_MSG_AUTH_FAILURE;
-     }
--    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
-+    else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
-+             && ks->authenticated
-+ #ifdef ENABLE_DEF_AUTH
-+             && !ks->auth_deferred
-+ #endif
-+             )
-     {
-         time_t now;
- 
--- 
-2.23.0
-

CVE-2022-0547.patch

@@ -1,57 +1,48 @@
-From 58ec3bb4aac77131118dbbc39a65181e7847adee Mon Sep 17 00:00:00 2001
+From af3e382649d96ae77cc5e42be8270f355e5cfec5 Mon Sep 17 00:00:00 2001
 From: David Sommerseth <davids@openvpn.net>
-Date: Tue, 15 Mar 2022 16:53:43 +0100
+Date: Sun, 13 Mar 2022 20:31:53 +0100
 Subject: [PATCH] plug-ins: Disallow multiple deferred authentication plug-ins
 
 The plug-in API in OpenVPN 2.x is not designed for running multiple
 deferred authentication processes in parallel. The authentication
 results of such configurations are not to be trusted.  For now we bail
-out when this discovered with an error in the log.
+out when this is discovered with an error in the log.
-
-This is a backport of commit 282ddbac54f8d4923844f699 (master), taking
-the different man-page format into account.  The code change is the same.
 
 CVE: 2022-0547
 Signed-off-by: David Sommerseth <davids@openvpn.net>
 
-Acked-by: Gert Doering <gert@greenie.muc.de>
+Acked-by: Antonio Quartulli <antonio@openvpn.net>
-Message-Id: <20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net>
+Message-Id: <20220313193154.9350-3-openvpn@sf.lists.topphemmelig.net>
-URL: https://www.mail-archive.com/search?l=mid&q=20220315155344.37787-3-openvpn@sf.lists.topphemmelig.net
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23931.html
 Signed-off-by: Gert Doering <gert@greenie.muc.de>
+(cherry picked from commit 282ddbac54f8d4923844f69983b38dd2b813a00a)
 ---
- doc/openvpn.8        | 13 +++++++++++++
+ doc/man-sections/plugin-options.rst |  9 ++++++++
- src/openvpn/plugin.c | 33 ++++++++++++++++++++++++++++++---
+ src/openvpn/plugin.c                | 33 ++++++++++++++++++++++++++---
- 2 files changed, 43 insertions(+), 3 deletions(-)
+ 2 files changed, 39 insertions(+), 3 deletions(-)
 
-diff --git a/doc/openvpn.8 b/doc/openvpn.8
+diff --git a/doc/man-sections/plugin-options.rst b/doc/man-sections/plugin-options.rst
-index 598d5fce5..7f773b695 100644
+index 51c574fe6..9266429ea 100644
---- a/doc/openvpn.8
+--- a/doc/man-sections/plugin-options.rst
-+++ b/doc/openvpn.8
++++ b/doc/man-sections/plugin-options.rst
-@@ -2805,6 +2805,19 @@ function (such as tls\-verify, auth\-user\-pass\-verify, or
+@@ -55,3 +55,12 @@ plug-ins must be prebuilt and adhere to the OpenVPN Plug-In API.
- client\-connect), then
+   (such as tls-verify, auth-user-pass-verify, or client-connect), then
- every module and script must return success (0) in order for
+   every module and script must return success (:code:`0`) in order for the
- the connection to be authenticated.
+   connection to be authenticated.
 +
-+.INDENT 7.0
++  **WARNING**:
-+.TP
++        Plug-ins may do deferred execution, meaning the plug-in will
-+.B \fBWARNING\fP:
++        return the control back to the main OpenVPN process and provide
-+Plug\-ins may do deferred execution, meaning the plug\-in will
++        the plug-in result later on via a different thread or process.
-+return the control back to the main OpenVPN process and provide
++        OpenVPN does **NOT** support multiple authentication plug-ins
-+the plug\-in result later on via a different thread or process.
++        **where more than one plugin** tries to do deferred authentication.
-+OpenVPN does \fBNOT\fP support multiple authentication plug\-ins
++        If this behaviour is detected, OpenVPN will shut down upon first
-+\fBwhere more than one plugin\fP tries to do deferred authentication.
++        authentication.
-+If this behaviour is detected, OpenVPN will shut down upon first
-+authentication.
-+.UNINDENT
-+.UNINDENT
- .\"*********************************************************
- .TP
- .B \-\-keying\-material\-exporter label len
 diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
-index 0ab99ab5c..5ba1c2470 100644
+index e8f8830d0..ed5d7c067 100644
 --- a/src/openvpn/plugin.c
 +++ b/src/openvpn/plugin.c
-@@ -809,7 +809,7 @@ plugin_call_ssl(const struct plugin_list *pl,
+@@ -806,7 +806,7 @@ plugin_call_ssl(const struct plugin_list *pl,
          const int n = plugin_n(pl);
          bool success = false;
          bool error = false;
@@ -60,7 +51,7 @@ index 0ab99ab5c..5ba1c2470 100644
  
          setenv_del(es, "script_type");
          envp = make_env_array(es, false, &gc);
-@@ -834,7 +834,34 @@ plugin_call_ssl(const struct plugin_list *pl,
+@@ -829,7 +829,34 @@ plugin_call_ssl(const struct plugin_list *pl,
                      break;
  
                  case OPENVPN_PLUGIN_FUNC_DEFERRED:
@@ -96,7 +87,7 @@ index 0ab99ab5c..5ba1c2470 100644
                      break;
  
                  default:
-@@ -858,7 +885,7 @@ plugin_call_ssl(const struct plugin_list *pl,
+@@ -853,7 +880,7 @@ plugin_call_ssl(const struct plugin_list *pl,
          {
              return OPENVPN_PLUGIN_FUNC_ERROR;
          }

openvpn.spec

@@ -1,12 +1,10 @@
 Name: openvpn
-Version: 2.4.8
+Version: 2.5.5
-Release: 7
+Release: 1
 Summary: A full-featured open source SSL VPN solution
-License: GPLv2 and OpenSSL and SSLeay
+License: GPL-2.0-or-later and OpenSSL and SSLeay
 URL: https://community.openvpn.net/openvpn
 Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
-Patch0000:     CVE-2020-11810.patch
-Patch0001:     CVE-2020-15078.patch
 # https://github.com/OpenVPN/openvpn/commit/58ec3bb
 Patch0002:     CVE-2022-0547.patch
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
@@ -123,8 +121,12 @@ fi
 %files help
 %{_pkgdocdir}
 %{_mandir}/man8/%{name}.8*
+%{_mandir}/man5/openvpn-examples.5.gz
 
 %changelog
+* Wed Apr 13 2022 xigaoxinyan <xigaoxinyan@h-partners.com> - 2.5.5-1
+- Update to 2.5.5
+
 * Wed Mar 30 2022 wangkai <wangkai385@huawei.com> - 2.4.8-7
 - Fix CVE-2022-0547