diff -Nru openvpn-2.5.8/build/msvc/msvc-generate/Makefile.mak openvpn-2.5.9/build/msvc/msvc-generate/Makefile.mak --- openvpn-2.5.8/build/msvc/msvc-generate/Makefile.mak 2022-10-28 08:40:26.000000000 +0000 +++ openvpn-2.5.9/build/msvc/msvc-generate/Makefile.mak 2023-02-14 16:21:11.000000000 +0000 @@ -51,10 +51,13 @@ cscript //nologo msvc-generate.js --config="$(OUTPUT_PLUGIN_CONFIG)" --input="$(INPUT_PLUGIN)" --output="$(OUTPUT_PLUGIN)" $(OUTPUT_MAN): $(INPUT_MAN) - -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)" + -FOR /F %i IN ('where rst2html.py') DO python %i "$(INPUT_MAN)" "$(OUTPUT_MAN)" -$(OUTPUT_MSVC_GIT_CONFIG): - python git-version.py $(SOLUTIONDIR) +# Force regeneration because we can't detect whether it is outdated +$(OUTPUT_MSVC_GIT_CONFIG): FORCE + python git-version.py $(SOLUTIONDIR) + +FORCE: clean: -del "$(OUTPUT_MSVC_VER)" diff -Nru openvpn-2.5.8/ChangeLog openvpn-2.5.9/ChangeLog --- openvpn-2.5.8/ChangeLog 2022-10-28 08:40:27.000000000 +0000 +++ openvpn-2.5.9/ChangeLog 2023-02-14 16:21:11.000000000 +0000 
@@ -1,6 +1,31 @@ OpenVPN Change Log Copyright (C) 2002-2022 OpenVPN Inc +2023.02.14 -- Version 2.5.9 + +Arne Schwabe (6): + Implement optional cipher in --data-ciphers prefixed with ? + Fix handling an optional invalid cipher at the end of data-ciphers + Ensure that argument to parse_line has always space for final sentinel + Improve documentation on user/password requirement and unicodize function + Remove unused gc_arena + Fix corner case that might lead to leaked file descriptor + +Frank Lichtenheld (1): + msvc: always call git-version.py + +Lev Stipakov (1): + git-version.py: proper support for tags + +Max Fillinger (1): + Check if pkcs11_cert is NULL before freeing it + +Selva Nair (3): + Do not add leading space to pushed options + pull-filter: ignore leading "spaces" in option names + Do not include auth-token in pulled option digest + + 2022.10.27 -- Version 2.5.8 Antonio Quartulli (1): diff -Nru openvpn-2.5.8/Changes.rst openvpn-2.5.9/Changes.rst --- openvpn-2.5.8/Changes.rst 2022-10-28 08:40:26.000000000 +0000 +++ openvpn-2.5.9/Changes.rst 2023-02-14 16:21:11.000000000 +0000 
@@ -1,3 +1,35 @@ +Overview of changes in 2.5.9 +============================ + +New features +------------ +- Optional ciphers in ``--data-ciphers`` + Ciphers in ``--data-ciphers`` can now be prefixed with a ``?`` to mark + those as optional and only use them if the SSL library supports them. + +User-visible Changes +-------------------- +- when compiling from a git checkout, put proper branch names into + windows builds + +Bugfixes +-------- +- do not include auth-token in pulled-option digest (interferes with + persist-tun when auth-token is in use, GH #200). + +- fix corner case that might lead to leaked file descriptor + +- fix parser bug (parse_line()) that can lead to buffer overflows on + malformed command line or server ccd file handling. Not exploitable. + +- pull-filter: ignore leading spaces in option names (work around server side + bug with erroneous extra spaces) + +- push: do not add leading spaces to "out of renegotiations" pushed auth-token + +- fix NULL pointer crash on "openvpn --show-tls" with mbedtls + + Overview of changes in 2.5.8 ============================ diff -Nru openvpn-2.5.8/configure openvpn-2.5.9/configure --- openvpn-2.5.8/configure 2022-10-28 08:40:33.000000000 +0000 +++ openvpn-2.5.9/configure 2023-02-14 16:21:11.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.8. +# Generated by GNU Autoconf 2.71 for OpenVPN 2.5.9. # # Report bugs to . # @@ -621,8 +621,8 @@ # Identity of this package. PACKAGE_NAME='OpenVPN' PACKAGE_TARNAME='openvpn' -PACKAGE_VERSION='2.5.8' -PACKAGE_STRING='OpenVPN 2.5.8' +PACKAGE_VERSION='2.5.9' +PACKAGE_STRING='OpenVPN 2.5.9' PACKAGE_BUGREPORT='openvpn-users@lists.sourceforge.net' PACKAGE_URL='' 
@@ -1507,7 +1507,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures OpenVPN 2.5.8 to adapt to many kinds of systems. +\`configure' configures OpenVPN 2.5.9 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1578,7 +1578,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of OpenVPN 2.5.8:";; + short | recursive ) echo "Configuration of OpenVPN 2.5.9:";; esac cat <<\_ACEOF @@ -1794,7 +1794,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -OpenVPN configure 2.5.8 +OpenVPN configure 2.5.9 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2588,7 +2588,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by OpenVPN $as_me 2.5.8, which was +It was created by OpenVPN $as_me 2.5.9, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3364,13 +3364,13 @@ fi -printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,8,0" >>confdefs.h +printf "%s\n" "#define OPENVPN_VERSION_RESOURCE 2,5,9,0" >>confdefs.h OPENVPN_VERSION_MAJOR=2 OPENVPN_VERSION_MINOR=5 -OPENVPN_VERSION_PATCH=.8 +OPENVPN_VERSION_PATCH=.9 printf "%s\n" "#define OPENVPN_VERSION_MAJOR 2" >>confdefs.h @@ -3379,7 +3379,7 @@ printf "%s\n" "#define OPENVPN_VERSION_MINOR 5" >>confdefs.h -printf "%s\n" "#define OPENVPN_VERSION_PATCH \".8\"" >>confdefs.h +printf "%s\n" "#define OPENVPN_VERSION_PATCH \".9\"" >>confdefs.h @@ -3905,7 +3905,7 @@ # Define the identity of the package. PACKAGE='openvpn' - VERSION='2.5.8' + VERSION='2.5.9' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h 
@@ -20500,7 +20500,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by OpenVPN $as_me 2.5.8, which was +This file was extended by OpenVPN $as_me 2.5.9, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -20568,7 +20568,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -OpenVPN config.status 2.5.8 +OpenVPN config.status 2.5.9 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -Nru openvpn-2.5.8/debian/changelog openvpn-2.5.9/debian/changelog --- openvpn-2.5.8/debian/changelog 2023-02-03 22:49:35.000000000 +0000 +++ openvpn-2.5.9/debian/changelog 2023-09-29 23:14:48.000000000 +0000 
@@ -1,3 +1,29 @@ +openvpn (2.5.9-0ubuntu0.22.04.2) jammy; urgency=medium + + * d/rules: Use --with-openssl-engine=yes during configuration to maintain the + existing behavior of technically allowing openssl engine access in jammy. + For more information see + https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/2004676/comments/6 + + -- Lena Voytek Fri, 29 Sep 2023 16:14:48 -0700 + +openvpn (2.5.9-0ubuntu0.22.04.1) jammy; urgency=medium + + * New upstream release 2.5.9 (LP: #2004676): + - The version is being updated to the latest in 2.5.x rather than 2.6.x to + avoid feature releases and focus on bug fixes + - Updates: + + Allow optional ciphers in --data-ciphers + - Bug Fixes Include: + + Fix null pointer error when running openvpn --show-tls with mbedtls + + Fix corner case that could lead to leaked file descriptor + + Fix parsing issue in pull-filter when there are leading spaces + + Fix possible buffer overflow in parse_line argument + + See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25 for + additional bug fixes and information + + -- Lena Voytek Tue, 15 Aug 2023 10:48:49 -0700 + openvpn (2.5.8-0ubuntu0.22.04.1) jammy; urgency=medium * New upstream releases 2.5.6-2.5.8 (LP: #2004676): diff -Nru openvpn-2.5.8/debian/rules openvpn-2.5.9/debian/rules --- openvpn-2.5.8/debian/rules 2023-02-03 22:49:35.000000000 +0000 +++ openvpn-2.5.9/debian/rules 2023-09-29 23:14:48.000000000 +0000 
@@ -17,7 +17,7 @@ override_dh_auto_configure: -test -f tests/t_client.sh.not || mv tests/t_client.sh tests/t_client.sh.not - $(ENV_VARS) dh_auto_configure -- $(shell dpkg-buildflags --export=configure) --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --includedir=\$${prefix}/include/openvpn --enable-pkcs11 --enable-x509-alt-username $(EXTRA_ARGS) + $(ENV_VARS) dh_auto_configure -- $(shell dpkg-buildflags --export=configure) --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --includedir=\$${prefix}/include/openvpn --enable-pkcs11 --enable-x509-alt-username --with-openssl-engine=yes $(EXTRA_ARGS) override_dh_auto_build: diff -Nru openvpn-2.5.8/doc/man-sections/protocol-options.rst openvpn-2.5.9/doc/man-sections/protocol-options.rst --- openvpn-2.5.8/doc/man-sections/protocol-options.rst 2022-10-28 08:40:26.000000000 +0000 +++ openvpn-2.5.9/doc/man-sections/protocol-options.rst 2023-02-14 16:21:11.000000000 +0000 @@ -184,6 +184,13 @@ supported by the client will be pushed to clients that support cipher negotiation. + Starting with OpenVPN 2.5.9 a cipher can be prefixed with a :code:`?` to mark + it as optional. This allows including ciphers in the list that may not be + available on all platforms. + E.g. :code:`AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305` would only enable + Chacha20-Poly1305 if the underlying SSL library (and its configuration) + supports it. + Cipher negotiation is enabled in client-server mode only. I.e. if ``--mode`` is set to 'server' (server-side, implied by setting ``--server`` ), or if ``--pull`` is specified (client-side, implied by diff -Nru openvpn-2.5.8/doc/openvpn.8 openvpn-2.5.9/doc/openvpn.8 --- openvpn-2.5.8/doc/openvpn.8 2022-10-28 08:40:46.000000000 +0000 +++ openvpn-2.5.9/doc/openvpn.8 2023-02-14 16:21:11.000000000 +0000 
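Review bot: The `--with-openssl-engine=yes` added to the dh_auto_configure line carries no explanation in debian/rules itself, so a later refresh of the configure flags could drop it as noise; the rationale lives only in the debian/changelog entry elsewhere in this diff. Add above the rule `# --with-openssl-engine=yes: keep OpenSSL ENGINE access available in jammy (LP: #2004676, comment 6)`. Since the flag presumably changes which OpenSSL engine code the resulting binary is able to use, the policy decision is worth keeping next to the flag rather than only in the changelog. The override_dh_auto_configure recipe is fully inside the hunk.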
@@ -887,6 +887,13 @@ supported by the client will be pushed to clients that support cipher negotiation. .sp +Starting with OpenVPN 2.5.9 a cipher can be prefixed with a \fB?\fP to mark +it as optional. This allows including ciphers in the list that may not be +available on all platforms. +E.g. \fBAES\-256\-GCM:AES\-128\-GCM:?CHACHA20\-POLY1305\fP would only enable +Chacha20\-Poly1305 if the underlying SSL library (and its configuration) +supports it. +.sp Cipher negotiation is enabled in client\-server mode only. I.e. if \fB\-\-mode\fP is set to \(aqserver\(aq (server\-side, implied by setting \fB\-\-server\fP ), or if \fB\-\-pull\fP is specified (client\-side, implied by diff -Nru openvpn-2.5.8/doc/openvpn.8.html openvpn-2.5.9/doc/openvpn.8.html --- openvpn-2.5.8/doc/openvpn.8.html 2022-10-28 08:40:45.000000000 +0000 +++ openvpn-2.5.9/doc/openvpn.8.html 2023-02-14 16:21:11.000000000 +0000 @@ -1113,6 +1113,12 @@

For servers, the first cipher from cipher-list that is also supported by the client will be pushed to clients that support cipher negotiation.

+

Starting with OpenVPN 2.5.9 a cipher can be prefixed with a ? to mark +it as optional. This allows including ciphers in the list that may not be +available on all platforms. +E.g. AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305 would only enable +Chacha20-Poly1305 if the underlying SSL library (and its configuration) +supports it.

Cipher negotiation is enabled in client-server mode only. I.e. if --mode is set to 'server' (server-side, implied by setting --server ), or if --pull is specified (client-side, implied by diff -Nru openvpn-2.5.8/include/openvpn-plugin.h openvpn-2.5.9/include/openvpn-plugin.h --- openvpn-2.5.8/include/openvpn-plugin.h 2022-10-28 08:40:43.000000000 +0000 +++ openvpn-2.5.9/include/openvpn-plugin.h 2023-02-14 16:21:11.000000000 +0000 @@ -53,7 +53,7 @@ */ #define OPENVPN_VERSION_MAJOR 2 #define OPENVPN_VERSION_MINOR 5 -#define OPENVPN_VERSION_PATCH ".8" +#define OPENVPN_VERSION_PATCH ".9" /* * Plug-in types. These types correspond to the set of script callbacks diff -Nru openvpn-2.5.8/sample/sample-plugins/Makefile openvpn-2.5.9/sample/sample-plugins/Makefile --- openvpn-2.5.8/sample/sample-plugins/Makefile 2022-10-28 08:40:43.000000000 +0000 +++ openvpn-2.5.9/sample/sample-plugins/Makefile 2023-02-14 16:21:11.000000000 +0000 @@ -213,7 +213,7 @@ OPENSSL_LIBS = -lssl -lcrypto OPENVPN_VERSION_MAJOR = 2 OPENVPN_VERSION_MINOR = 5 -OPENVPN_VERSION_PATCH = .8 +OPENVPN_VERSION_PATCH = .9 OPTIONAL_CRYPTO_CFLAGS = OPTIONAL_CRYPTO_LIBS = -lssl -lcrypto OPTIONAL_DL_LIBS = -ldl @@ -234,13 +234,13 @@ PACKAGE = openvpn PACKAGE_BUGREPORT = openvpn-users@lists.sourceforge.net PACKAGE_NAME = OpenVPN -PACKAGE_STRING = OpenVPN 2.5.8 +PACKAGE_STRING = OpenVPN 2.5.9 PACKAGE_TARNAME = openvpn PACKAGE_URL = -PACKAGE_VERSION = 2.5.8 +PACKAGE_VERSION = 2.5.9 PATH_SEPARATOR = : PKCS11_HELPER_CFLAGS = -PKCS11_HELPER_LIBS = +PKCS11_HELPER_LIBS = -lpthread -ldl -lcrypto -lpkcs11-helper PKG_CONFIG = /usr/bin/pkg-config PKG_CONFIG_LIBDIR = PKG_CONFIG_PATH = 
@@ -267,7 +267,7 @@ TEST_CFLAGS = -I$(top_srcdir)/include TEST_LDFLAGS = -lssl -lcrypto -llzo2 -lcmocka TMPFILES_DIR = -VERSION = 2.5.8 +VERSION = 2.5.9 abs_builddir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins abs_srcdir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn/sample/sample-plugins abs_top_builddir = /home/flichtenheld/openvpn/community/openvpn-release-scripts/release/openvpn diff -Nru openvpn-2.5.8/src/openvpn/forward.c openvpn-2.5.9/src/openvpn/forward.c --- openvpn-2.5.8/src/openvpn/forward.c 2022-10-28 08:40:26.000000000 +0000 +++ openvpn-2.5.9/src/openvpn/forward.c 2023-02-14 16:21:11.000000000 +0000 @@ -1714,8 +1714,6 @@ void process_outgoing_tun(struct context *c) { - struct gc_arena gc = gc_new(); - /* * Set up for write() call to TUN/TAP * device. @@ -1801,7 +1799,6 @@ buf_reset(&c->c2.to_tun); perf_pop(); - gc_free(&gc); } void diff -Nru openvpn-2.5.8/src/openvpn/misc.c openvpn-2.5.9/src/openvpn/misc.c --- openvpn-2.5.8/src/openvpn/misc.c 2022-10-28 08:40:26.000000000 +0000 +++ openvpn-2.5.9/src/openvpn/misc.c 2023-02-14 16:21:11.000000000 +0000 @@ -273,6 +273,7 @@ msg(D_LOW, "No password found in %s authfile '%s'. Querying the management interface", prefix, auth_file); if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge)) { + fclose(fp); return false; } } diff -Nru openvpn-2.5.8/src/openvpn/misc.h openvpn-2.5.9/src/openvpn/misc.h --- openvpn-2.5.8/src/openvpn/misc.h 2022-10-28 08:40:26.000000000 +0000 +++ openvpn-2.5.9/src/openvpn/misc.h 2023-02-14 16:21:11.000000000 +0000 
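Review bot: The `fclose(fp);` added before `return false;` in the misc.c hunk closes the stream only on the management-query failure path, and the enclosing function starts and ends outside the hunk, so whether its other early returns release `fp` cannot be verified here. Converting the function to a single `goto` cleanup exit that performs the `fclose` would keep the next early return from reintroducing the leak this change fixes. The return value of fclose() is ignored, which is presumably fine for a stream that was only read from, but a one-line comment `/* read-only stream, close status not needed */` would make that deliberate.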
@@ -74,6 +74,7 @@
 #else
 #define USER_PASS_LEN 128
 #endif
+ /* Note that username and password are expected to be null-terminated */
 char username[USER_PASS_LEN];
 char password[USER_PASS_LEN];
 };
diff -Nru openvpn-2.5.8/src/openvpn/ntlm.c openvpn-2.5.9/src/openvpn/ntlm.c
--- openvpn-2.5.8/src/openvpn/ntlm.c 2022-10-28 08:40:26.000000000 +0000
+++ openvpn-2.5.9/src/openvpn/ntlm.c 2023-02-14 16:21:11.000000000 +0000
@@ -143,6 +143,19 @@
 }
 }
 
+/**
+ * This function expects a null-terminated string in src and will
+ * copy it (including the terminating NUL byte),
+ * alternating it with 0 to dst.
+ *
+ * This basically will transform a ASCII string into valid UTF-16.
+ * Characters that are 8bit in src, will get the same treatment, resulting in
+ * invalid or wrong unicode code points.
+ *
+ * @note the function will blindly assume that dst has double
+ * the space of src.
+ * @return the length of the number of bytes written to dst
+ */
 static int
 unicodize(char *dst, const char *src)
 {
diff -Nru openvpn-2.5.8/src/openvpn/options.c openvpn-2.5.9/src/openvpn/options.c
--- openvpn-2.5.8/src/openvpn/options.c 2022-10-28 08:40:26.000000000 +0000
+++ openvpn-2.5.9/src/openvpn/options.c 2023-02-14 16:21:11.000000000 +0000
@@ -4926,8 +4926,6 @@
 unsigned int *option_types_found,
 struct env_set *es)
 {
- int i, j;
-
 /* usage message */
 if (argc <= 1)
 {
@@ -4937,7 +4935,7 @@
 /* config filename specified only? */
 if (argc == 2 && strncmp(argv[1], "--", 2))
 {
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
 CLEAR(p);
 p[0] = "config";
 p[1] = argv[1];
@@ -4947,9 +4945,9 @@
 else
 {
 /* parse command line */
- for (i = 1; i < argc; ++i)
+ for (int i = 1; i < argc; ++i)
 {
- char *p[MAX_PARMS];
+ char *p[MAX_PARMS+1];
 CLEAR(p);
 p[0] = argv[i];
 if (strncmp(p[0], "--", 2))
@@ -4961,6 +4959,7 @@
 p[0] += 2;
 }
 
+ int j;
 for (j = 1; j < MAX_PARMS; ++j)
 {
 if (i + j < argc)
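Review bot: The two `char *p[MAX_PARMS+1];` declarations in the options.c hunks at 4937 and 4947 give no hint why the array has one extra slot, and only the unchanged loop bound `j < MAX_PARMS` in the hunk at 4961 shows that `p[MAX_PARMS]` is being kept NULL as a sentinel; a reader seeing one site in isolation cannot reconstruct that contract. Add at each declaration `/* +1: the last element stays NULL as the terminating sentinel the option parsers rely on (see ChangeLog: "space for final sentinel") */`. The same undocumented pairing appears in push.c in this diff (hunk at 891, `char *p[MAX_PARMS+1]` with `parse_line(..., SIZE(p)-1, ...)`) and deserves the same comment. The separate `int j;` before the loop, instead of `for (int j = 1; ...)` as done for `i`, is presumably because `j` is read after the loop outside the hunk; if so, a short comment saying that would stop a later cleanup from narrowing its scope.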
@@ -5001,6 +5000,12 @@ return true; } + /* skip leading spaces matching the behaviour of parse_line */ + while (isspace(*line)) + { + line++; + } + for (f = o->pull_filter_list->head; f; f = f->next) { if (f->type == PUF_TYPE_ACCEPT && strncmp(line, f->pattern, f->size) == 0) diff -Nru openvpn-2.5.8/src/openvpn/push.c openvpn-2.5.9/src/openvpn/push.c --- openvpn-2.5.8/src/openvpn/push.c 2022-10-28 08:40:26.000000000 +0000 +++ openvpn-2.5.9/src/openvpn/push.c 2023-02-14 16:21:11.000000000 +0000 @@ -536,7 +536,7 @@ /* Construct a mimimal control channel push reply message */ struct buffer buf = alloc_buf_gc(PUSH_BUNDLE_SIZE, &gc); - buf_printf(&buf, "%s, %s", push_reply_cmd, e->option); + buf_printf(&buf, "%s,%s", push_reply_cmd, e->option); send_control_channel_string_dowork(multi, BSTR(&buf), D_PUSH); gc_free(&gc); } @@ -779,8 +779,10 @@ char line[OPTION_PARM_SIZE]; while (buf_parse(buf, ',', line, sizeof(line))) { - /* peer-id might change on restart and this should not trigger reopening tun */ - if (strprefix(line, "peer-id ")) + /* peer-id and auth-token might change on restart and this should not trigger reopening tun */ + if (strprefix(line, "peer-id ") + || strprefix(line, "auth-token ") + || strprefix(line, "auth-token-user ")) { continue; } @@ -891,13 +893,13 @@ /* cycle through the push list */ while (e) { - char *p[MAX_PARMS]; + char *p[MAX_PARMS+1]; bool enable = true; /* parse the push item */ CLEAR(p); if (e->enable - && parse_line(e->option, p, SIZE(p), "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) + && parse_line(e->option, p, SIZE(p)-1, "[PUSH_ROUTE_REMOVE]", 1, D_ROUTE_DEBUG, &gc)) { /* is the push item a route directive? */ if (p[0] && !strcmp(p[0], "route") && !p[3]) diff -Nru openvpn-2.5.8/src/openvpn/ssl_mbedtls.c openvpn-2.5.9/src/openvpn/ssl_mbedtls.c --- openvpn-2.5.8/src/openvpn/ssl_mbedtls.c 2022-10-28 08:40:26.000000000 +0000 +++ openvpn-2.5.9/src/openvpn/ssl_mbedtls.c 2023-02-14 16:21:11.000000000 +0000 
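Review bot: `while (isspace(*line))` in the pull-filter hunk passes a plain `char` to isspace(); on platforms where char is signed, a byte above 0x7F becomes a negative argument, which the ctype functions do not accept (only `unsigned char` values or EOF), so the call is undefined behaviour. The bytes of `line` are pushed options received from the server, so they are not under the client's control and the cast is not optional here. Change the condition to `while (isspace((unsigned char)*line))`. The enclosing function begins and ends outside the hunk.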
@@ -168,7 +168,13 @@ } #if defined(ENABLE_PKCS11) - pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert); + /* ...freeCertificate() can handle NULL ptrs, but if pkcs11 helper + * has not been initialized, it will ASSERT() - so, do not pass NULL + */ + if (ctx->pkcs11_cert) + { + pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert); + } #endif if (ctx->allowed_ciphers) diff -Nru openvpn-2.5.8/src/openvpn/ssl_ncp.c openvpn-2.5.9/src/openvpn/ssl_ncp.c --- openvpn-2.5.8/src/openvpn/ssl_ncp.c 2022-10-28 08:40:26.000000000 +0000 +++ openvpn-2.5.9/src/openvpn/ssl_ncp.c 2023-02-14 16:21:11.000000000 +0000 @@ -108,7 +108,18 @@ * (and translate_cipher_name_from_openvpn/ * translate_cipher_name_to_openvpn) also normalises the cipher name, * e.g. replacing AeS-128-gCm with AES-128-GCM + * + * ciphers that have ? in front of them are considered optional and + * OpenVPN will only warn if they are not found (and remove them from + * the list) */ + + bool optional = false; + if (token[0] == '?') + { + token++; + optional = true; + } const cipher_kt_t *ktc = cipher_kt_get(token); if (strcmp(token, "none") == 0) { @@ -120,8 +131,9 @@ } if (!ktc && strcmp(token, "none") != 0) { - msg(M_WARN, "Unsupported cipher in --data-ciphers: %s", token); - error_found = true; + const char* optstr = optional ? "optional ": ""; + msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token); + error_found = error_found || !optional; } else { diff -Nru openvpn-2.5.8/tests/unit_tests/openvpn/test_ncp.c openvpn-2.5.9/tests/unit_tests/openvpn/test_ncp.c --- openvpn-2.5.8/tests/unit_tests/openvpn/test_ncp.c 2022-10-28 08:40:26.000000000 +0000 +++ openvpn-2.5.9/tests/unit_tests/openvpn/test_ncp.c 2023-02-14 16:21:11.000000000 +0000 
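Review bot: The new `if (ctx->pkcs11_cert)` guard frees the certificate but leaves `ctx->pkcs11_cert` pointing at released memory, so if the context can be passed through this cleanup twice, or is reused afterwards, the guard passes again and freeCertificate() runs on a stale pointer. Add `ctx->pkcs11_cert = NULL;` directly after the `pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);` line inside the new block. The enclosing function starts before the hunk, so whether `ctx` is zeroed or discarded immediately after this point is not visible here; the assignment is cheap either way.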
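Review bot: `const char* optstr = optional ? "optional ": "";` in the ssl_ncp.c hunk at 120 departs from the declarator placement used two lines earlier in the same function (`const cipher_kt_t *ktc`) and drops the space before the colon; write `const char *optstr = optional ? "optional " : "";`. In the hunk at 108, a list entry consisting of just `?` leaves `token` empty after `token++`, so the warning would print an empty cipher name and, if cipher_kt_get("") returns NULL as presumed, the typo is dropped silently as an optional cipher; an explicit `if (optional && *token == '\0')` with its own message would make the misconfiguration visible to the operator. Only one `?` is stripped, so `??name` is looked up as `?name`; that is probably acceptable but worth one line in the new comment block.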
@@ -74,6 +74,20 @@
 assert_ptr_equal(mutate_ncp_cipher_list(bf_chacha, &gc), NULL);
 }
 
+ /* Check that optional ciphers work */
+ assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:?vollbit:AES-128-GCM", &gc),
+ aes_ciphers);
+
+ /* Check that optional ciphers work */
+ assert_string_equal(mutate_ncp_cipher_list("?AES-256-GCM:?AES-128-GCM", &gc),
+ aes_ciphers);
+
+ /* All unsupported should still yield an empty list */
+ assert_ptr_equal(mutate_ncp_cipher_list("?kugelfisch:?grasshopper", &gc), NULL);
+
+ /* If the last is optional, previous invalid ciphers should be ignored */
+ assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL);
+
 /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in
 * a different spelling the normalised cipher output is the same */
 bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305");
diff -Nru openvpn-2.5.8/version.m4 openvpn-2.5.9/version.m4
--- openvpn-2.5.8/version.m4 2022-10-28 08:40:26.000000000 +0000
+++ openvpn-2.5.9/version.m4 2023-02-14 16:21:11.000000000 +0000
@@ -3,12 +3,12 @@
 define([PRODUCT_TARNAME], [openvpn])
 define([PRODUCT_VERSION_MAJOR], [2])
 define([PRODUCT_VERSION_MINOR], [5])
-define([PRODUCT_VERSION_PATCH], [.8])
+define([PRODUCT_VERSION_PATCH], [.9])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MAJOR])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_MINOR], [[.]])
 m4_append([PRODUCT_VERSION], [PRODUCT_VERSION_PATCH], [[]])
 define([PRODUCT_BUGREPORT], [openvpn-users@lists.sourceforge.net])
-define([PRODUCT_VERSION_RESOURCE], [2,5,8,0])
+define([PRODUCT_VERSION_RESOURCE], [2,5,9,0])
 dnl define the TAP version
 define([PRODUCT_TAP_WIN_COMPONENT_ID], [tap0901])
 define([PRODUCT_TAP_WIN_MIN_MAJOR], [9])
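Review bot: The comment above the last new assertion in test_ncp.c, `/* If the last is optional, previous invalid ciphers should be ignored */`, states the opposite of what the assertion checks: the call is expected to return NULL, the same empty-list result the preceding assertion uses for an all-unsupported list, meaning the earlier unsupported non-optional ciphers still fail the whole list even though the final entry is optional. Reword it to `/* An optional cipher at the end must not mask earlier unsupported, non-optional ciphers */`. The second `/* Check that optional ciphers work */` duplicates the first; `/* All-optional list: the supported entries are kept */` describes what that assertion actually exercises.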