NCL-1802 : Upgrade OpenVPN for Sophos Connect Client to 2.6.0

.github/workflows/build.yaml

@@ -130,7 +130,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-18.04, ubuntu-20.04]
+        os: [ubuntu-18.04, ubuntu-20.04, ubuntu-22.04]
         sslpkg: [libmbedtls-dev]
         ssllib: [mbedtls]
         libname: [mbed TLS]
@@ -148,6 +148,10 @@ jobs:
             sslpkg: "libssl-dev"
             libname: OpenSSL 1.1.1
             ssllib: openssl
+          - os: ubuntu-22.04
+            sslpkg: "libssl-dev"
+            libname: OpenSSL 3.0.2
+            ssllib: openssl
           - os: ubuntu-20.04
             sslpkg: "libssl-dev"
             libname: OpenSSL 1.1.1
@@ -220,15 +224,37 @@ jobs:
 
   macos:
     runs-on: macos-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ossl: [ 1.1, 3 ]
+        build: [ normal, asan ]
+        include:
+          - build: asan
+            cflags: "-fsanitize=address -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1"
+            ldflags: -fsanitize=address
+            # Our build system ignores LDFLAGS for plugins
+            configureflags: --disable-plugin-auth-pam  --disable-plugin-down-root
+          - build: normal
+            cflags: "-O2 -g"
+            ldflags: ""
+            configureflags: ""
+
+    name: "macOS - OpenSSL ${{matrix.ossl}} - ${{matrix.build}}"
+    env:
+      CFLAGS: ${{ matrix.cflags }}
+      LDFLAGS: ${{ matrix.ldflags }}
+      OPENSSL_CFLAGS: -I/usr/local/opt/openssl@${{matrix.ossl}}/include
+      OPENSSL_LIBS: "-L/usr/local/opt/openssl@${{matrix.ossl}}/lib -lcrypto -lssl"
     steps:
+      - name: Install dependencies
+        run: brew install [email protected] openssl@3 lzo lz4 man2html cmocka libtool automake autoconf
       - name: Checkout OpenVPN
         uses: actions/checkout@v2
-      - name: Install dependencies
-        run: brew install openssl lzo lz4 man2html cmocka libtool automake autoconf
       - name: autoconf
         run: autoreconf -fvi
       - name: configure
-        run: OPENSSL_CFLAGS=-I/usr/local/opt/[email protected]/include  OPENSSL_LIBS="-L/usr/local/opt/[email protected]/lib -lcrypto -lssl" ./configure
+        run: ./configure ${{matrix.configureflags}}
       - name: make all
         run: make -j4
       - name: make check
@@ -268,19 +294,17 @@ jobs:
       - name: Install rst2html
         run: python -m pip install --upgrade pip rst2html
 
-      - name: Restore artifacts, or run vcpkg, build and cache artifacts
-        uses: lukka/run-vcpkg@v7.4
+      - name: Restore artifacts, or setup vcpkg (do not install any package)
+        uses: lukka/run-vcpkg@v10
         with:
-          vcpkgGitCommitId: 'a2fcb03749ff5897b5985092934dc6057680c789'
-          vcpkgArguments: 'openssl lz4 lzo pkcs11-helper tap-windows6'
-          vcpkgTriplet: '${{ matrix.triplet }}-windows-ovpn'
-          cleanAfterBuild: false
+          vcpkgGitCommitId: '4b766c1cd17205e1b768c4fadfd5f867c1d0510e'
+          appendedCacheKey: '${{matrix.triplet}}'
 
-      - name: Build
+      - name: Run MSBuild consuming vcpkg.json
         working-directory: ${{env.GITHUB_WORKSPACE}}
         run: |
-          vcpkg integrate install
-          msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform="${{ matrix.plat }}" .
+            vcpkg integrate install
+            msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} /p:Platform="${{ matrix.plat }}" .
 
       - name: Archive artifacts
         uses: actions/upload-artifact@v2

.gitignore

@@ -44,6 +44,7 @@ m4/ltoptions.m4
 m4/ltsugar.m4
 m4/ltversion.m4
 m4/lt~obsolete.m4
+vcpkg_installed
 
 version.sh
 msvc-env-local.bat

COPYING

@@ -31,6 +31,53 @@ OpenVPN license:
   file, but you are not obligated to do so.  If you do not wish to
   do so, delete this exception statement from your version.
 
+Apache2 linking exception:
+---------------------------
+OpenVPN is currently undergoing a license change to add an exception for
+Apache 2 linking. The following exception is only valid for new contributions
+after 2023-05-03 and past contribution where the authors have already agreed
+to the exception.
+
+  In addition, as a special exception, OpenVPN Inc and the
+  contributors give permission to link the code of this program to
+  libraries (the "Libraries") licensed under the Apache License
+  version 2.0 (this work and any linked library the "Combined Work")
+  and copy and distribute the Combined Work without an obligation to
+  license the Libraries under the GNU General Public License v2
+  (GPL-2.0) as required by Section 2 of the GPL-2.0, and without an
+  obligation to refrain from imposing any additional restrictions in
+  the Apache License version 2 that are not in the GPL-2.0, as
+  required by Section 6 of the GPL-2.0.  You must comply with the
+  GPL-2.0 in all other respects for the Combined Work, including
+  the obligation to provide source code.  If you modify this file, you
+  may extend this exception to your version of the file, but you are
+  not obligated to do so.  If you do not wish to do so, delete this
+  exception statement from your version.
+
+For better understanding, in plain non-legalese English this basically says:
+
+ * The intention for this license exception is to allow OpenVPN to be
+   linked against APL-2 licensed libraries, even where the GPL-2.0 and
+   APL-2 licenses conflict from a legal perspective.
+
+ * OpenVPN itself will stay GPL-2.0 and the code belonging to the
+   OpenVPN project must comply to the GPL-2.0 license.  This is NOT
+   dual-licensing of the OpenVPN code base.
+
+ * This license exception DOES NOT require NOR expect a license change
+   of the APL-2 based library.  This exception allows using the APL-2
+   library as-is.  However, when distributing a compiled OpenVPN binary
+   linking against APL-2 libraries ("Combined Work"), the REQUIREMENT is
+   that the APL-2 library MUST also be available on similar terms as in
+   GPL-2.0, like providing the source code of the library upon request,
+   except in the two specific ways mentioned.
+
+ * If the APL-2 based library forbids such linking and distribution,
+   this license exception DOES NOT overrule the restriction of the APL-2
+   based library.  If the APL-2 library cannot satisfy the requirements
+   in this license exception, you CANNOT distribute an OpenVPN binary
+   linked with this library.
+
 LZO license:
 ------------
 

ChangeLog

@@ -1,6 +1,105 @@
 OpenVPN Change Log
 Copyright (C) 2002-2022 OpenVPN Inc <[email protected]>
 
+2023.02.14 -- Version 2.5.9
+
+Arne Schwabe (6):
+      Implement optional cipher in --data-ciphers prefixed with ?
+      Fix handling an optional invalid cipher at the end of data-ciphers
+      Ensure that argument to parse_line has always space for final sentinel
+      Improve documentation on user/password requirement and unicodize function
+      Remove unused gc_arena
+      Fix corner case that might lead to leaked file descriptor
+
+Frank Lichtenheld (1):
+      msvc: always call git-version.py
+
+Lev Stipakov (1):
+      git-version.py: proper support for tags
+
+Max Fillinger (1):
+      Check if pkcs11_cert is NULL before freeing it
+
+Selva Nair (3):
+      Do not add leading space to pushed options
+      pull-filter: ignore leading "spaces" in option names
+      Do not include auth-token in pulled option digest
+
+
+2022.10.27 -- Version 2.5.8
+
+Antonio Quartulli (1):
+      tls-crypt-v2: bail out if the client key is too small
+
+Arne Schwabe (4):
+      Remove useless empty line from CR_RESPONSE message
+      Allow running a default configuration with TLS libraries without BF-CBC
+      Change command help to match man page and implementation
+      Fix OpenVPN querying user/password if auth-token with user expires
+
+Frank Lichtenheld (2):
+      t_client: Allow to force FAIL on prerequisite fails
+      t_client.sh: do not require fping6
+
+Gert Doering (1):
+      Preparing release 2.5.8
+
+Lev Stipakov (1):
+      msvc: add branch name and commit hash to version output
+
+Martin Janů (1):
+      Update the replay-window backtrack log message
+
+Selva Nair (5):
+      Do not skip ERROR:/SUCCESS: response from management interface
+      Fix auth-token usage with management-def-auth
+      Allow a few levels of recursion in virtual_output_callback()
+      Ensure --auth-nocache is handled during renegotiation
+      Purge auth-token as well while purging passwords
+      Do not copy auth_token username to itself
+
+
+2022.05.24 -- Version 2.5.7
+
+Antonio Quartulli (4):
+      networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
+      networking_iproute2: don't pass M_WARN to openvpn_execve_check()
+      t_net.sh: delete dummy iface using iproute command
+      auth-pam.c: add missing include limits.h
+
+Arne Schwabe (11):
+      Add insecure tls-cert-profile options
+      Refactor early initialisation and uninitialisation into methods
+      Allow loading of non default providers
+      Add ubuntu 22.04 to Github Actions
+      Add macos OpenSSL 3.0 and ASAN builds
+      Add --with-openssl-engine autoconf option (auto|yes|no)
+      Fix allowing/showing unsupported ciphers and digests
+      Remove dependency on BF-CBC existance from test_ncp
+      Add message when decoding PKCS12 file fails.
+      Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
+      Fix client-pending-auth error message to say ERROR instead of SUCCESS
+
+Gert Doering (1):
+      Preparing release 2.5.7
+
+Jan Mikkelsen (1):
+      cipher-negotiation.rst missing from doc/Makefile.am
+
+Lev Stipakov (5):
+      vcpkg-ports\pkcs11-helper: shorten patch filename
+      msvc: adjust build options to harden binaries
+      vcpkg-ports: remove openssl port
+      vcpkg: switch to manifest
+      Fix M_ERRNO behavior on Windows
+
+Marc Becker (1):
+      vcpkg-ports/pkcs11-helper: bump to release 1.29
+
+Simon Rozman (1):
+      tapctl: Resolve MSVC C4996 warnings
+
+
 2022.03.16 -- Version 2.5.6
 
 Antonio Quartulli (4):

Changes.rst

@@ -1,3 +1,138 @@
+Overview of changes in 2.5.9
+============================
+
+New features
+------------
+- Optional ciphers in ``--data-ciphers``
+  Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark
+  those as optional and only use them if the SSL library supports them.
+
+User-visible Changes
+--------------------
+- when compiling from a git checkout, put proper branch names into
+  windows builds
+
+Bugfixes
+--------
+- do not include auth-token in pulled-option digest (interferes with
+  persist-tun when auth-token is in use, GH #200).
+
+- fix corner case that might lead to leaked file descriptor
+
+- fix parser bug (parse_line()) that can lead to buffer overflows on
+  malformed command line or server ccd file handling.  Not exploitable.
+
+- pull-filter: ignore leading spaces in option names (work around server side
+  bug with erroneous extra spaces)
+
+- push: do not add leading spaces to "out of renegotiations" pushed auth-token
+
+- fix NULL pointer crash on "openvpn --show-tls" with mbedtls
+
+
+Overview of changes in 2.5.8
+============================
+
+New features
+------------
+- allow running a default configuration with TLS libraries without BF-CBC
+  (even if TLS cipher negotiation would not actually use BF-CBC, the
+  long-term compatibility "default cipher BF-CBC" would trigger an error
+  on such TLS libraries)
+
+User-visible Changes
+--------------------
+- add git branch name + commit ID to OpenVPN version string on
+  MSVC builds (windows)
+
+Testing Enhancements
+--------------------
+- t_client.sh: if fping is found and fping6 is not, assume we have
+  fping 4.0 and up, and call "fping -6" for IPv6 ping tests
+
+- t_client.sh: allow to force FAIL on prerequisite fails, so a CI
+  environment will no longer "silently skip" t_client runs if fping (etc)
+  can not be found, but will error out
+
+Bugfixes
+--------
+- ``--auth-nocache'' was not always correctly clearing username+password
+  after a renegotiation
+
+- ensure that auth-token received from server is cleared if requested
+  by the management interface ("forget password" or automatically
+  via ``--management-forget-disconnect'')
+
+- in a setup without username+password, but with auth-token and
+  auth-token-username pushed by the server, OpenVPN would start asking
+  for username+password on token expiry.  Fix.
+
+- using ``--auth-token`` together with ``--management-client-auth``
+  (on the server) would lead to TLS keys getting out of sync and client
+  being disconnected.  Fix.
+
+- management interface would sometimes get stuck if client and server
+  try to write something simultaneously.  Fix by allowing a limited
+  level of recursion in virtual_output_callback()
+
+- fix management interface not returning ERROR:/SUCCESS: response
+  on "signal SIGxxx" commands when in HOLD state
+
+- tls-crypt-v2: abort connection if client-key is too short
+
+- make man page agree with actual code on replay-window backtrag log message
+
+- remove useless empty line from CR_RESPONSE message
+
+
+Overview of changes in 2.5.7
+============================
+
+New features
+------------
+- Limited OpenSSL 3.0 support
+    OpenSSL 3.0 support has been added. OpenSSL 3.0 support in 2.5 relies
+    on the compatiblity layer and full OpenSSL 3.0 support is coming with
+    OpenVPN 2.6. Only features that impact usage directly have been
+    backported:
+
+    ``--tls-cert-profile insecure``  has been added to allow selecting the
+    lowest  OpenSSL security level (not recommended, use only if you must).
+
+    OpenSSL 3.0 no longer supports the Blowfish (and other deprecated)
+    algorithm by default and the new option ``--providers`` allows loading
+    the legacy provider to renable these algorithms.  Most notably,
+    reading of many PKCS#12 files encrypted with the RC2 algorithm fails
+    unless ``--providers legacy default`` is configured.
+
+    The OpenSSL engine feature ``--engine`` is not enabled by default
+    anymore if OpenSSL 3.0 is detected.
+
+- print OpenSSL error stack if decoding PKCS12 file fails
+
+User-visible Changes
+--------------------
+- windows vcpkg building includes pkcs11-helper 1.29 now
+
+- add MSVC build options to harden windows binaries (HW-enforced
+  stack protection, SHA256 object hashes, SDL).
+
+Bugfixes
+--------
+- fix omission of cipher-negotiation.rst in tarballs
+
+- fix errno handling on Windows (Windows has different classes of
+  error codes, GetLastError() and C runtime errno, these should now
+  be handled correctly)
+
+- fix PATH_MAX build failure in auth-pam.c
+
+- fix t_net.sh self-test leaving around stale "ovpn-dummy0" interface
+
+- fix overlong path names, leading to missing pkcs11-helper patch
+  in tarball
+
+
 Overview of changes in 2.5.6
 ============================