
openvpn: update to 2.5.0

New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
  (unless iproute2 support is enabled).
* VLAN support when using a TAP device

Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
  OpenVPN peers prior to 2.4, or peers with data cipher negotiation
  disabled, will not be able to connect to a 2.5 peer unless
  option data_ciphers_fallback (--data-ciphers-fallback) is set on the 2.5 peer and it contains a
  cipher supported by the client.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Magnus Kroken 4 years ago
committed by Rosen Penev
parent
commit
2e55fc8b2d
12 changed files with 69 additions and 238 deletions
  1. +0
    -4
      net/openvpn/Config-mbedtls.in
  2. +0
    -50
      net/openvpn/Config-nossl.in
  3. +0
    -4
      net/openvpn/Config-openssl.in
  4. +3
    -17
      net/openvpn/Makefile
  5. +42
    -19
      net/openvpn/files/openvpn.config
  6. +12
    -2
      net/openvpn/files/openvpn.options
  7. +3
    -3
      net/openvpn/patches/001-reproducible-remove_DATE.patch
  8. +1
    -1
      net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
  9. +0
    -58
      net/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
  10. +0
    -65
      net/openvpn/patches/111-openssl-add-missing-include-statements.patch
  11. +1
    -1
      net/openvpn/patches/210-build_always_use_internal_lz4.patch
  12. +7
    -14
      net/openvpn/patches/220-disable_des.patch

+ 0
- 4
net/openvpn/Config-mbedtls.in View File

@ -8,10 +8,6 @@ config OPENVPN_mbedtls_ENABLE_LZ4
bool "Enable LZ4 compression support"
default y
config OPENVPN_mbedtls_ENABLE_SERVER
bool "Enable server support (otherwise only client mode is support)"
default y
#config OPENVPN_mbedtls_ENABLE_EUREPHIA
# bool "Enable support for the eurephia plug-in"
# default n


+ 0
- 50
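--- a/net/openvpn/Config-nossl.in
+++ /dev/null
@@ -1,50 +0,0 @@
-if PACKAGE_openvpn-nossl
-config OPENVPN_nossl_ENABLE_LZO
-bool "Enable LZO compression support"
-default y
-config OPENVPN_nossl_ENABLE_LZ4
-bool "Enable LZ4 compression support"
-default y
-config OPENVPN_nossl_ENABLE_SERVER
-bool "Enable server support (otherwise only client mode is support)"
-default y
-config OPENVPN_nossl_ENABLE_MANAGEMENT
-bool "Enable management server support"
-default n
-config OPENVPN_nossl_ENABLE_FRAGMENT
-bool "Enable internal fragmentation support (--fragment)"
-default y
-config OPENVPN_nossl_ENABLE_MULTIHOME
-bool "Enable multi-homed UDP server support (--multihome)"
-default y
-config OPENVPN_nossl_ENABLE_PORT_SHARE
-bool "Enable TCP server port-share support (--port-share)"
-default y
-config OPENVPN_nossl_ENABLE_DEF_AUTH
-bool "Enable deferred authentication"
-default y
-config OPENVPN_nossl_ENABLE_PF
-bool "Enable internal packet filter"
-default y
-config OPENVPN_nossl_ENABLE_IPROUTE2
-bool "Enable support for iproute2"
-default n
-config OPENVPN_nossl_ENABLE_SMALL
-bool "Enable size optimization"
-default y
-help
-enable smaller executable size (disable OCC, usage
-message, and verb 4 parm list)
-endif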

+ 0
- 4
net/openvpn/Config-openssl.in View File

@ -12,10 +12,6 @@ config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
bool "Enable the --x509-username-field feature"
default n
config OPENVPN_openssl_ENABLE_SERVER
bool "Enable server support (otherwise only client mode is support)"
default y
#config OPENVPN_openssl_ENABLE_EUREPHIA
# bool "Enable support for the eurephia plug-in"
# default n


+ 3
- 17
net/openvpn/Makefile View File

@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn
PKG_VERSION:=2.4.9
PKG_RELEASE:=5
PKG_VERSION:=2.5.0
PKG_RELEASE:=1
PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
PKG_HASH:=029a426e44d656cb4e1189319c95fe6fc9864247724f5599d99df9c4c3478fbd
PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
@ -37,16 +37,11 @@ define Package/openvpn/Default
MENU:=1
DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
VARIANT:=$(1)
ifeq ($(1),nossl)
PROVIDES:=openvpn
else
PROVIDES:=openvpn openvpn-crypto
endif
endef
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
define Package/openvpn/config/Default
source "$(SOURCE)/Config-$(1).in"
@ -54,7 +49,6 @@ endef
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
ifeq ($(BUILD_VARIANT),mbedtls)
CONFIG_OPENVPN_MBEDTLS:=y
@ -62,13 +56,8 @@ endif
ifeq ($(BUILD_VARIANT),openssl)
CONFIG_OPENVPN_OPENSSL:=y
endif
ifeq ($(BUILD_VARIANT),nossl)
CONFIG_OPENVPN_NOSSL:=y
endif
CONFIGURE_VARS += \
IFCONFIG=/sbin/ifconfig \
ROUTE=/sbin/route \
IPROUTE=/sbin/ip \
NETSTAT=/sbin/netstat
@ -86,7 +75,6 @@ define Build/Configure
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
@ -94,7 +82,6 @@ define Build/Configure
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
$(if $(CONFIG_OPENVPN_NOSSL),--disable-crypto,--enable-crypto) \
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
)
@ -155,4 +142,3 @@ endef
$(eval $(call BuildPackage,openvpn-openssl))
$(eval $(call BuildPackage,openvpn-mbedtls))
$(eval $(call BuildPackage,openvpn-nossl))

+ 42
- 19
net/openvpn/files/openvpn.config View File

@ -254,6 +254,24 @@ config openvpn sample_server
# on the system
# option tls_version_min "1.2 'or-highest'"
# List the preferred ciphers to use for the data channel.
# Run openvpn --show-ciphers to see all supported ciphers.
# list data_ciphers 'AES-256-GCM'
# list data_ciphers 'AES-128-GCM'
# list data_ciphers 'CHACHA20-POLY1305'
# Set a fallback cipher in order to be compatible with
# peers that do not support cipher negotiation.
#
# Use AES-256-CBC as fallback
# option data_ciphers_fallback 'AES-128-CBC'
# Use AES-128-CBC as fallback
# option data_ciphers_fallback 'AES-256-CBC'
# Use Triple-DES as fallback
# option data_ciphers_fallback 'DES-EDE3-CBC'
# Use BF-CBC as fallback
# option data_ciphers_fallback 'BF-CBC'
# OpenVPN versions 2.4 and later will attempt to
# automatically negotiate the most secure cipher
# between the client and server, regardless of a
@ -265,21 +283,6 @@ config openvpn sample_server
# cipher option instead (not recommended).
# option ncp_disable
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
#
# To see all supported ciphers, run:
# openvpn --show-ciphers
#
# Blowfish (default for backwards compatibility,
# but not recommended due to weaknesses):
# option cipher BF-CBC
# AES:
# option cipher AES-128-CBC
# Triple-DES:
# option cipher DES-EDE3-CBC
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
@ -293,6 +296,15 @@ config openvpn sample_server
# LZO is compatible with most OpenVPN versions
# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
# option compress lzo
# Control how OpenVPN handles peers using compression
#
# Do not allow any connections using compression
# option allow_compression 'no'
# Allow incoming compressed packets, but do not send compressed packets to other peers
# This can be useful when migrating old configurations with compression activated
# option allow_compression 'asym'
# Both incoming and outgoing packets may be compressed
# option allow_compression 'yes'
# The maximum number of concurrently connected
# clients we want to allow.
@ -449,10 +461,21 @@ config openvpn sample_client
# on the system
# option tls_version_min "1.2 'or-highest'"
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# option cipher x
# List the preferred ciphers for the data channel.
# list data_ciphers 'AES-256-GCM'
# list data_ciphers 'AES-128-GCM'
# list data_ciphers 'CHACHA20-POLY1305'
# Set a fallback cipher if you connect to a peer that does
# not support cipher negotiation.
# Use AES-256-CBC as fallback
# option data_ciphers_fallback 'AES-128-CBC'
# Use AES-128-CBC as fallback
# option data_ciphers_fallback 'AES-256-CBC'
# Use Triple-DES as fallback
# option data_ciphers_fallback 'DES-EDE3-CBC'
# Use BF-CBC as fallback
# option data_ciphers_fallback 'BF-CBC'
# Enable compression on the VPN link.
# Don't enable this unless it is also
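Review bot: The new fallback examples have their headings and values crossed: at lines 227-230, and again at 286-289 in the client section, `# Use AES-256-CBC as fallback` sits above `# option data_ciphers_fallback 'AES-128-CBC'` and `# Use AES-128-CBC as fallback` above `# option data_ciphers_fallback 'AES-256-CBC'`, so an admin who uncomments by the heading gets the other key size. Swap the two option lines in each pair so that each value matches its heading. The rewrite also drops the 2.4 sample's warning that Blowfish is "not recommended due to weaknesses"; BF-CBC and DES-EDE3-CBC are 64-bit block ciphers, so add a line such as `# BF-CBC and DES-EDE3-CBC use 64-bit blocks; only use them as a fallback for legacy peers that cannot negotiate` above those two examples in both the server and client sections. Since the mbedtls variant still carries 220-disable_des.patch, the DES-EDE3-CBC example presumably does not work on that variant at all — worth confirming before keeping it in the sample.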


+ 12
- 2
net/openvpn/files/openvpn.options View File

@ -1,10 +1,12 @@
OPENVPN_PARAMS='
allow_compression
askpass
auth
auth_retry
auth_user_pass
auth_user_pass_verify
bcast_buffers
bind_dev
ca
capath
cd
@ -21,6 +23,7 @@ connect_retry
connect_retry_max
connect_timeout
crl_verify
data_ciphers_fallback
dev
dev_node
dev_type
@ -51,7 +54,6 @@ iroute_ipv6
keepalive
key
key_direction
key_method
keysize
learn_address
link_mtu
@ -69,7 +71,6 @@ mssfix
mtu_disc
mute
nice
ns_cert_type
ping
ping_exit
ping_restart
@ -116,6 +117,9 @@ syslog
tcp_queue_limit
tls_auth
tls_crypt
tls_crypt_v2
tls_crypt_v2_verify
tls_export_cert
tls_timeout
tls_verify
tls_version_min
@ -129,6 +133,8 @@ user
verb
verify_client_cert
verify_x509_name
vlan_accept
vlan_pvid
x509_username_field
'
@ -137,6 +143,7 @@ allow_recursive_routing
auth_nocache
auth_user_pass_optional
bind
block_ipv6
ccd_exclusive
client
client_to_client
@ -185,10 +192,13 @@ tls_server
up_delay
up_restart
username_as_common_name
vlan_tagging
'
OPENVPN_LIST='
data_ciphers
ncp_ciphers
tls_cipher
tls_ciphersuites
tls_groups
'

+ 3
- 3
net/openvpn/patches/001-reproducible-remove_DATE.patch View File

@ -1,9 +1,9 @@
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -106,7 +106,6 @@ const char title_string[] =
#ifdef HAVE_AEAD_CIPHER_MODES
" [AEAD]"
@@ -105,7 +105,6 @@ const char title_string[] =
#endif
#endif
" [AEAD]"
- " built on " __DATE__
;


+ 1
- 1
net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch View File

@ -1,6 +1,6 @@
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1415,7 +1415,7 @@ const char *
@@ -1520,7 +1520,7 @@ const char *
get_ssl_library_version(void)
{
static char mbedtls_version[30];


+ 0
- 58
net/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch View File

@ -1,58 +0,0 @@
From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 26 Nov 2017 16:04:00 +0100
Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
Compiling our current master against OpenSSL 1.1 with
-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
the errors about the deprecated SSLEAY/SSLeay symbols and defines.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171126150401.28565-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
configure.ac | 1 +
src/openvpn/openssl_compat.h | 8 ++++++++
src/openvpn/ssl_openssl.c | 2 +-
3 files changed, 10 insertions(+), 1 deletion(-)
--- a/configure.ac
+++ b/configure.ac
@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
EVP_MD_CTX_free \
EVP_MD_CTX_reset \
EVP_CIPHER_CTX_reset \
+ OpenSSL_version \
SSL_CTX_get_default_passwd_cb \
SSL_CTX_get_default_passwd_cb_userdata \
SSL_CTX_set_security_level \
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
#endif
/* SSLeay symbols have been renamed in OpenSSL 1.1 */
+#ifndef OPENSSL_VERSION
+#define OPENSSL_VERSION SSLEAY_VERSION
+#endif
+
+#ifndef HAVE_OPENSSL_VERSION
+#define OpenSSL_version SSLeay_version
+#endif
+
#if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
#endif
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
const char *
get_ssl_library_version(void)
{
- return SSLeay_version(SSLEAY_VERSION);
+ return OpenSSL_version(OPENSSL_VERSION);
}
#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */

+ 0
- 65
net/openvpn/patches/111-openssl-add-missing-include-statements.patch View File

@ -1,65 +0,0 @@
From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 26 Nov 2017 16:49:12 +0100
Subject: [PATCH] openssl: add missing #include statements
Compiling our current master against OpenSSL 1.1 with
-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
the errors caused by missing includes. Previous openssl versions would
usually include 'the rest of the world', but they're fixing that. So we
should no longer rely on it.
(And sneaking in alphabetic ordering of the includes while touching them.)
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171126154912.13283-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/openssl_compat.h | 1 +
src/openvpn/ssl_openssl.c | 6 +++++-
src/openvpn/ssl_verify_openssl.c | 3 ++-
3 files changed, 8 insertions(+), 2 deletions(-)
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -42,6 +42,7 @@
#include "buffer.h"
+#include <openssl/rsa.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -52,10 +52,14 @@
#include "ssl_verify_openssl.h"
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+#include <openssl/dh.h>
+#include <openssl/dsa.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>
+#include <openssl/rsa.h>
#include <openssl/x509.h>
-#include <openssl/crypto.h>
#ifndef OPENSSL_NO_EC
#include <openssl/ec.h>
#endif
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -44,8 +44,9 @@
#include "ssl_verify_backend.h"
#include "openssl_compat.h"
-#include <openssl/x509v3.h>
+#include <openssl/bn.h>
#include <openssl/err.h>
+#include <openssl/x509v3.h>
int
verify_callback(int preverify_ok, X509_STORE_CTX *ctx)

+ 1
- 1
net/openvpn/patches/210-build_always_use_internal_lz4.patch View File

@ -1,6 +1,6 @@
--- a/configure.ac
+++ b/configure.ac
@@ -1080,68 +1080,15 @@ dnl
@@ -1077,68 +1077,15 @@ dnl
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then


+ 7
- 14
net/openvpn/patches/220-disable_des.patch View File

@ -1,24 +1,17 @@
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t
@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
/*
* Should we include NTLM proxy functionality
*/
-#if defined(ENABLE_CRYPTO)
-#define NTLM 1
-#else
+//#if defined(ENABLE_CRYPTO)
+//#define NTLM 1
+//#else
#define NTLM 0
-#endif
+//#endif
/*
* Should we include proxy digest auth functionality
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -319,6 +319,7 @@ int
@@ -383,6 +383,7 @@ int
key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
{
int ret = 0;
@ -26,7 +19,7 @@
if (kt->type == MBEDTLS_CIPHER_DES_CBC)
{
ret = 1;
@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher
@@ -395,6 +396,7 @@ key_des_num_cblocks(const mbedtls_cipher
{
ret = 3;
}
@ -34,7 +27,7 @@
dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
return ret;
@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher
@@ -403,6 +405,7 @@ key_des_num_cblocks(const mbedtls_cipher
bool
key_des_check(uint8_t *key, int key_len, int ndc)
{
@ -42,7 +35,7 @@
int i;
struct buffer b;
@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len,
@@ -431,11 +434,15 @@ key_des_check(uint8_t *key, int key_len,
err:
return false;
@ -58,7 +51,7 @@
int i;
struct buffer b;
@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len,
@@ -450,6 +457,7 @@ key_des_fixup(uint8_t *key, int key_len,
}
mbedtls_des_key_set_parity(key);
}
@ -66,7 +59,7 @@
}
/*
@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch
@@ -770,10 +778,12 @@ cipher_des_encrypt_ecb(const unsigned ch
unsigned char *src,
unsigned char *dst)
{

