From patchwork Sat Oct 31 14:06:15 2020
X-Patchwork-Submitter: Magnus Kroken
X-Patchwork-Id: 1391500
From: Magnus Kroken
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH] openvpn: update to 2.5.0
Date: Sat, 31 Oct 2020 15:06:15 +0100
Message-Id: <20201031140615.1687-1-mkroken@gmail.com>

New features:

* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route (unless iproute2 support is enabled).
* VLAN support when using a TAP device

Significant changes:

* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher. OpenVPN peers prior to 2.4, or peers with data cipher negotiation disabled, will not be able to connect to a 2.5 peer unless option data_fallback_ciphers is set on the 2.5 peer and it contains a cipher supported by the client. 
Signed-off-by: Magnus Kroken
---
Compile-tested openssl variant on mips_24kc, powerpc_8540 and arm_cortex-a9.
Runtime-tested openssl variant as server on arm_cortex-a9. I have tested the
earlier 2.5 beta and RC releases more extensively with both openssl and
mbedtls in various configurations.

I propose disabling LZO compression support by default, due to:

* Compression is not recommended, as it may weaken the security of the connection
* For users who need compression, we build with LZ4 support by default
* LZO in OpenVPN pulls in liblzo at approx. 32 kB. LZO support also adds about 1 kB to the OpenVPN package itself. LZ4 support (using OpenVPN bundled LZ4) adds about 6 kB to the OpenVPN package in total.

This means OpenWrt users will not be able to connect to OpenVPN peers that
require LZO compression, unless they build the package themselves.

I left the PROVIDES line as "openvpn openvpn-crypto". As the nossl variant
will no longer exist and all OpenVPN packages will cover both cases I am not
entirely sure how this should be handled.
.../services/openvpn/Config-mbedtls.in | 6 +- .../network/services/openvpn/Config-nossl.in | 50 -------------- .../services/openvpn/Config-openssl.in | 6 +- package/network/services/openvpn/Makefile | 20 +----- .../services/openvpn/files/openvpn.config | 67 ++++++++++++------- .../services/openvpn/files/openvpn.options | 14 +++- .../001-reproducible-remove_DATE.patch | 6 +- ...bedtls-disable-runtime-version-check.patch | 2 +- ...l-dont-use-deprecated-ssleay-symbols.patch | 58 ---------------- ...enssl-add-missing-include-statements.patch | 65 ------------------ .../210-build_always_use_internal_lz4.patch | 2 +- .../openvpn/patches/220-disable_des.patch | 21 ++---- 12 files changed, 72 insertions(+), 245 deletions(-) delete mode 100644 package/network/services/openvpn/Config-nossl.in delete mode 100644 package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch delete mode 100644 package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch diff --git a/package/network/services/openvpn/Config-mbedtls.in b/package/network/services/openvpn/Config-mbedtls.in index beac492022..3cf233b8f7 100644 --- a/package/network/services/openvpn/Config-mbedtls.in +++ b/package/network/services/openvpn/Config-mbedtls.in @@ -2,16 +2,12 @@ if PACKAGE_openvpn-mbedtls config OPENVPN_mbedtls_ENABLE_LZO bool "Enable LZO compression support" - default y + default n config OPENVPN_mbedtls_ENABLE_LZ4 bool "Enable LZ4 compression support" default y -config OPENVPN_mbedtls_ENABLE_SERVER - bool "Enable server support (otherwise only client mode is support)" - default y - #config OPENVPN_mbedtls_ENABLE_EUREPHIA # bool "Enable support for the eurephia plug-in" # default n diff --git a/package/network/services/openvpn/Config-nossl.in b/package/network/services/openvpn/Config-nossl.in deleted file mode 100644 index 79140ad5d1..0000000000 --- a/package/network/services/openvpn/Config-nossl.in +++ /dev/null 
@@ -1,50 +0,0 @@ -if PACKAGE_openvpn-nossl - -config OPENVPN_nossl_ENABLE_LZO - bool "Enable LZO compression support" - default y - -config OPENVPN_nossl_ENABLE_LZ4 - bool "Enable LZ4 compression support" - default y - -config OPENVPN_nossl_ENABLE_SERVER - bool "Enable server support (otherwise only client mode is support)" - default y - -config OPENVPN_nossl_ENABLE_MANAGEMENT - bool "Enable management server support" - default n - -config OPENVPN_nossl_ENABLE_FRAGMENT - bool "Enable internal fragmentation support (--fragment)" - default y - -config OPENVPN_nossl_ENABLE_MULTIHOME - bool "Enable multi-homed UDP server support (--multihome)" - default y - -config OPENVPN_nossl_ENABLE_PORT_SHARE - bool "Enable TCP server port-share support (--port-share)" - default y - -config OPENVPN_nossl_ENABLE_DEF_AUTH - bool "Enable deferred authentication" - default y - -config OPENVPN_nossl_ENABLE_PF - bool "Enable internal packet filter" - default y - -config OPENVPN_nossl_ENABLE_IPROUTE2 - bool "Enable support for iproute2" - default n - -config OPENVPN_nossl_ENABLE_SMALL - bool "Enable size optimization" - default y - help - enable smaller executable size (disable OCC, usage - message, and verb 4 parm list) - -endif diff --git a/package/network/services/openvpn/Config-openssl.in b/package/network/services/openvpn/Config-openssl.in index f2b618eff1..335bbaa2c4 100644 --- a/package/network/services/openvpn/Config-openssl.in +++ b/package/network/services/openvpn/Config-openssl.in @@ -2,7 +2,7 @@ if PACKAGE_openvpn-openssl config OPENVPN_openssl_ENABLE_LZO bool "Enable LZO compression support" - default y + default n config OPENVPN_openssl_ENABLE_LZ4 bool "Enable LZ4 compression support" 
@@ -12,10 +12,6 @@ config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME bool "Enable the --x509-username-field feature" default n -config OPENVPN_openssl_ENABLE_SERVER - bool "Enable server support (otherwise only client mode is support)" - default y - #config OPENVPN_openssl_ENABLE_EUREPHIA # bool "Enable support for the eurephia plug-in" # default n diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index 40570fbdb6..5c8a0a4fae 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile @@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.4.9 -PKG_RELEASE:=5 +PKG_VERSION:=2.5.0 +PKG_RELEASE:=1 PKG_SOURCE_URL:=\ https://build.openvpn.net/downloads/releases/ \ https://swupdate.openvpn.net/community/releases/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2 +PKG_HASH:=029a426e44d656cb4e1189319c95fe6fc9864247724f5599d99df9c4c3478fbd PKG_MAINTAINER:=Felix Fietkau @@ -37,16 +37,11 @@ define Package/openvpn/Default MENU:=1 DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3) VARIANT:=$(1) -ifeq ($(1),nossl) - PROVIDES:=openvpn -else PROVIDES:=openvpn openvpn-crypto -endif endef Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl) Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls) -Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL)) define Package/openvpn/config/Default source "$(SOURCE)/Config-$(1).in" @@ -54,7 +49,6 @@ endef Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl) Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls) -Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl) ifeq ($(BUILD_VARIANT),mbedtls) CONFIG_OPENVPN_MBEDTLS:=y 
@@ -62,13 +56,8 @@ endif ifeq ($(BUILD_VARIANT),openssl) CONFIG_OPENVPN_OPENSSL:=y endif -ifeq ($(BUILD_VARIANT),nossl) -CONFIG_OPENVPN_NOSSL:=y -endif CONFIGURE_VARS += \ - IFCONFIG=/sbin/ifconfig \ - ROUTE=/sbin/route \ IPROUTE=/sbin/ip \ NETSTAT=/sbin/netstat @@ -86,7 +75,6 @@ define Build/Configure $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \ - $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \ @@ -94,7 +82,6 @@ define Build/Configure $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \ - $(if $(CONFIG_OPENVPN_NOSSL),--disable-crypto,--enable-crypto) \ $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \ $(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \ ) @@ -155,4 +142,3 @@ endef $(eval $(call BuildPackage,openvpn-openssl)) $(eval $(call BuildPackage,openvpn-mbedtls)) -$(eval $(call BuildPackage,openvpn-nossl)) diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config index 3de1881e35..78e519a7f9 100644 --- a/package/network/services/openvpn/files/openvpn.config +++ b/package/network/services/openvpn/files/openvpn.config 
@@ -254,6 +254,24 @@ config openvpn sample_server # on the system # option tls_version_min "1.2 'or-highest'" + # List the preferred ciphers to use for the data channel. + # Run openvpn --show-ciphers to see all supported ciphers. +# list data_ciphers 'AES-256-GCM' +# list data_ciphers 'AES-128-GCM' +# list data_ciphers 'CHACHA20-POLY1305' + + # Set a fallback cipher in order to be compatible with + # peers that do not support cipher negotiation. + # + # Use AES-256-CBC as fallback +# option data_ciphers_fallback 'AES-128-CBC' + # Use AES-128-CBC as fallback +# option data_ciphers_fallback 'AES-256-CBC' + # Use Triple-DES as fallback +# option data_ciphers_fallback 'DES-EDE3-CBC' + # Use BF-CBC as fallback +# option data_ciphers_fallback 'BF-CBC' + # OpenVPN versions 2.4 and later will attempt to # automatically negotiate the most secure cipher # between the client and server, regardless of a @@ -265,21 +283,6 @@ config openvpn sample_server # cipher option instead (not recommended). # option ncp_disable - # Select a cryptographic cipher. - # This config item must be copied to - # the client config file as well. - # - # To see all supported ciphers, run: - # openvpn --show-ciphers - # - # Blowfish (default for backwards compatibility, - # but not recommended due to weaknesses): -# option cipher BF-CBC - # AES: -# option cipher AES-128-CBC - # Triple-DES: -# option cipher DES-EDE3-CBC - # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. 
@@ -290,9 +293,16 @@ config openvpn sample_server # # LZ4 requires OpenVPN 2.4+ client and server # option compress lz4 - # LZO is compatible with most OpenVPN versions - # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients) -# option compress lzo + + # Control how OpenVPN handles peers using compression + # + # Do not allow any connections using compression +# option allow_compression 'no' + # Allow incoming compressed packets, but do not send compressed packets to other peers + # This can be useful when migrating old configurations with compression activated +# option allow_compression 'asym' + # Both incoming and outgoing packets may be compressed +# option allow_compression 'yes' # The maximum number of concurrently connected # clients we want to allow. @@ -449,10 +459,21 @@ config openvpn sample_client # on the system # option tls_version_min "1.2 'or-highest'" - # Select a cryptographic cipher. - # If the cipher option is used on the server - # then you must also specify it here. -# option cipher x + # List the preferred ciphers for the data channel. +# list data_ciphers 'AES-256-GCM' +# list data_ciphers 'AES-128-GCM' +# list data_ciphers 'CHACHA20-POLY1305' + + # Set a fallback cipher if you connect to a peer that does + # not support cipher negotiation. + # Use AES-256-CBC as fallback +# option data_ciphers_fallback 'AES-128-CBC' + # Use AES-128-CBC as fallback +# option data_ciphers_fallback 'AES-256-CBC' + # Use Triple-DES as fallback +# option data_ciphers_fallback 'DES-EDE3-CBC' + # Use BF-CBC as fallback +# option data_ciphers_fallback 'BF-CBC' # Enable compression on the VPN link. # Don't enable this unless it is also @@ -464,8 +485,6 @@ config openvpn sample_client # # LZ4 requires OpenVPN 2.4+ on server and client # option compress lz4 - # LZO is compatible with most OpenVPN versions -# option compress lzo # Set log file verbosity. option verb 3 
diff --git a/package/network/services/openvpn/files/openvpn.options b/package/network/services/openvpn/files/openvpn.options index 5d7a387cd3..02558ca3bf 100644 --- a/package/network/services/openvpn/files/openvpn.options +++ b/package/network/services/openvpn/files/openvpn.options @@ -1,10 +1,12 @@ OPENVPN_PARAMS=' +allow_compression askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers +bind_dev ca capath cd @@ -21,6 +23,7 @@ connect_retry connect_retry_max connect_timeout crl_verify +data_ciphers_fallback dev dev_node dev_type @@ -51,7 +54,6 @@ iroute_ipv6 keepalive key key_direction -key_method keysize learn_address link_mtu @@ -69,7 +71,6 @@ mssfix mtu_disc mute nice -ns_cert_type ping ping_exit ping_restart @@ -116,6 +117,9 @@ syslog tcp_queue_limit tls_auth tls_crypt +tls_crypt_v2 +tls_crypt_v2_verify +tls_export_cert tls_timeout tls_verify tls_version_min @@ -129,6 +133,8 @@ user verb verify_client_cert verify_x509_name +vlan_accept +vlan_pvid x509_username_field ' @@ -137,6 +143,7 @@ allow_recursive_routing auth_nocache auth_user_pass_optional bind +block-ipv6 ccd_exclusive client client_to_client @@ -185,10 +192,13 @@ tls_server up_delay up_restart username_as_common_name +vlan_tagging ' OPENVPN_LIST=' +data_ciphers ncp_ciphers tls_cipher tls_ciphersuites +tls_groups ' diff --git a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch index 101fa12ba2..e4e6d39413 100644 --- a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch +++ b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch @@ -1,9 +1,9 @@ --- a/src/openvpn/options.c +++ b/src/openvpn/options.c -@@ -106,7 +106,6 @@ const char title_string[] = - #ifdef HAVE_AEAD_CIPHER_MODES - " [AEAD]" +@@ -105,7 +105,6 @@ const char title_string[] = + #endif #endif + " [AEAD]" - " built on " __DATE__ ; 
diff --git a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch index cb16a906fe..4141c2863c 100644 --- a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch +++ b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch @@ -1,6 +1,6 @@ --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c -@@ -1415,7 +1415,7 @@ const char * +@@ -1520,7 +1520,7 @@ const char * get_ssl_library_version(void) { static char mbedtls_version[30]; diff --git a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch deleted file mode 100644 index c7faf7c0c0..0000000000 --- a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001 -From: Steffan Karger -Date: Sun, 26 Nov 2017 16:04:00 +0100 -Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols - -Compiling our current master against OpenSSL 1.1 with --DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes -the errors about the deprecated SSLEAY/SSLeay symbols and defines. - -Signed-off-by: Steffan Karger -Acked-by: Gert Doering -Message-Id: <20171126150401.28565-1-steffan@karger.me> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html -Signed-off-by: Gert Doering ---- - configure.ac | 1 + - src/openvpn/openssl_compat.h | 8 ++++++++ - src/openvpn/ssl_openssl.c | 2 +- - 3 files changed, 10 insertions(+), 1 deletion(-) - ---- a/configure.ac -+++ b/configure.ac -@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$ - EVP_MD_CTX_free \ - EVP_MD_CTX_reset \ - EVP_CIPHER_CTX_reset \ -+ OpenSSL_version \ - SSL_CTX_get_default_passwd_cb \ - SSL_CTX_get_default_passwd_cb_userdata \ - SSL_CTX_set_security_level \ ---- a/src/openvpn/openssl_compat.h -+++ b/src/openvpn/openssl_compat.h -@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou - #endif - - /* SSLeay symbols have been renamed in OpenSSL 1.1 */ -+#ifndef OPENSSL_VERSION -+#define OPENSSL_VERSION SSLEAY_VERSION -+#endif -+ -+#ifndef HAVE_OPENSSL_VERSION -+#define OpenSSL_version SSLeay_version -+#endif -+ - #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT) - #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT - #endif ---- a/src/openvpn/ssl_openssl.c -+++ b/src/openvpn/ssl_openssl.c -@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char * - const char * - get_ssl_library_version(void) - { -- return SSLeay_version(SSLEAY_VERSION); -+ return OpenSSL_version(OPENSSL_VERSION); - } - - #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */ 
diff --git a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch deleted file mode 100644 index 6a62b16500..0000000000 --- a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001 -From: Steffan Karger -Date: Sun, 26 Nov 2017 16:49:12 +0100 -Subject: [PATCH] openssl: add missing #include statements - -Compiling our current master against OpenSSL 1.1 with --DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes -the errors caused by missing includes. Previous openssl versions would -usually include 'the rest of the world', but they're fixing that. So we -should no longer rely on it. - -(And sneaking in alphabetic ordering of the includes while touching them.) - -Signed-off-by: Steffan Karger -Acked-by: Gert Doering -Message-Id: <20171126154912.13283-1-steffan@karger.me> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html -Signed-off-by: Gert Doering ---- - src/openvpn/openssl_compat.h | 1 + - src/openvpn/ssl_openssl.c | 6 +++++- - src/openvpn/ssl_verify_openssl.c | 3 ++- - 3 files changed, 8 insertions(+), 2 deletions(-) - ---- a/src/openvpn/openssl_compat.h -+++ b/src/openvpn/openssl_compat.h -@@ -42,6 +42,7 @@ - - #include "buffer.h" - -+#include - #include - #include - ---- a/src/openvpn/ssl_openssl.c -+++ b/src/openvpn/ssl_openssl.c -@@ -52,10 +52,14 @@ - - #include "ssl_verify_openssl.h" - -+#include -+#include -+#include -+#include - #include - #include -+#include - #include --#include - #ifndef OPENSSL_NO_EC - #include - #endif ---- a/src/openvpn/ssl_verify_openssl.c -+++ b/src/openvpn/ssl_verify_openssl.c -@@ -44,8 +44,9 @@ - #include "ssl_verify_backend.h" - #include "openssl_compat.h" - --#include -+#include - #include -+#include - - int - verify_callback(int preverify_ok, X509_STORE_CTX *ctx) diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch index 5cf5174a9d..a99f923644 100644 --- a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch 
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -1080,68 +1080,15 @@ dnl +@@ -1077,68 +1077,15 @@ dnl AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then diff --git a/package/network/services/openvpn/patches/220-disable_des.patch b/package/network/services/openvpn/patches/220-disable_des.patch index 2b8f47a802..9ddf1047b5 100644 --- a/package/network/services/openvpn/patches/220-disable_des.patch +++ b/package/network/services/openvpn/patches/220-disable_des.patch @@ -1,24 +1,17 @@ --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h -@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t +@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t /* * Should we include NTLM proxy functionality */ --#if defined(ENABLE_CRYPTO) -#define NTLM 1 --#else -+//#if defined(ENABLE_CRYPTO) +//#define NTLM 1 -+//#else - #define NTLM 0 --#endif -+//#endif /* * Should we include proxy digest auth functionality --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c -@@ -319,6 +319,7 @@ int +@@ -383,6 +383,7 @@ int key_des_num_cblocks(const mbedtls_cipher_info_t *kt) { int ret = 0; @@ -26,7 +19,7 @@ if (kt->type == MBEDTLS_CIPHER_DES_CBC) { ret = 1; -@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher +@@ -395,6 +396,7 @@ key_des_num_cblocks(const mbedtls_cipher { ret = 3; } @@ -34,7 +27,7 @@ dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); return ret; -@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher +@@ -403,6 +405,7 @@ key_des_num_cblocks(const mbedtls_cipher bool key_des_check(uint8_t *key, int key_len, int ndc) { @@ -42,7 +35,7 @@ int i; struct buffer b; -@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len, +@@ -431,11 +434,15 @@ key_des_check(uint8_t *key, int key_len, err: return false; 
@@ -58,7 +51,7 @@ int i; struct buffer b; -@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len, +@@ -450,6 +457,7 @@ key_des_fixup(uint8_t *key, int key_len, } mbedtls_des_key_set_parity(key); } @@ -66,7 +59,7 @@ } /* -@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch +@@ -770,10 +778,12 @@ cipher_des_encrypt_ecb(const unsigned ch unsigned char *src, unsigned char *dst) {
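Review bot: the `- default y` / `+ default n` change for OPENVPN_mbedtls_ENABLE_LZO (Config-mbedtls.in) and OPENVPN_openssl_ENABLE_LZO (Config-openssl.in) is a user-visible change that the commit message does not mention; its rationale only appears in the cover note below the `---`, which is discarded when the patch is applied. Suggest adding a line such as "LZO compression support is now disabled by default; peers that require LZO need a custom build" to the commit message, together with the size and security reasons from the cover note, so the change stays discoverable in git log.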
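Review bot: in the Makefile hunk, `PROVIDES:=openvpn openvpn-crypto` is kept unconditionally after the nossl branch is dropped, which is the open question raised in the cover note. Keeping `openvpn-crypto` is the right call for this bump: any package that already depends on that virtual name would fail to resolve if it vanished, and retiring it can be a separate change once nothing in the tree or feeds depends on it. A one-line comment above PROVIDES saying it is retained for compatibility would spare the next maintainer the same question. Separately, please confirm the new `PKG_HASH` for the 2.5.0 tarball against the checksum published by the upstream project rather than only against the file that was downloaded.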
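Review bot: in the sample_server hunk at `@@ -254,6 +254,24 @@`, the fallback examples have swapped labels: `# Use AES-256-CBC as fallback` is followed by `# option data_ciphers_fallback 'AES-128-CBC'`, and `# Use AES-128-CBC as fallback` by `'AES-256-CBC'`; the same swap is repeated in the sample_client hunk at `@@ -449,10 +459,21 @@`. While fixing that, the `DES-EDE3-CBC` and `BF-CBC` examples deserve a "legacy peers only, not recommended" remark like the one the removed `option cipher BF-CBC` block carried: both are 64-bit block ciphers, the commit message itself drops BF-CBC as default because of its weaknesses, and this package ships 220-disable_des.patch, yet a user uncommenting the last example currently gets the weakest choice with no hint.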
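Review bot: `+block-ipv6` in the second list of openvpn.options uses a hyphen while every other entry (`allow_recursive_routing`, `auth_nocache`, `vlan_tagging`) uses an underscore; UCI option names consist only of letters, digits and underscores, so this entry cannot match any option a user sets and should read `block_ipv6`. Also, the parameter added here is `data_ciphers_fallback`, matching the sample config, whereas the commit message calls it `data_fallback_ciphers`; the commit message should use the real name so users searching for it find the right option.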
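Review bot: the refresh of 220-disable_des.patch drops the `//#if defined(ENABLE_CRYPTO)` / `//#else` / `//#endif` lines from the NTLM block in syshead.h, which is correct now that crypto can no longer be disabled, but the patch still starts directly at `--- a/src/openvpn/syshead.h` with no description, so the reason `#define NTLM 1` is commented out (and DES handling in crypto_mbedtls.c is altered) is nowhere recorded; a short description header at the top of the patch would help whoever refreshes it for the next release.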