openvpn: upgrade openvpn from 2.3.6 to 2.5.8
Our openvpn server has since been migrated to 2.5.x, and establishing backwards compatibility with 2.3.x means we have to disable ciphers and TLS versions that are no longer considered secure. Related: SYS#6303
This commit is contained in:
parent
4415a15865
commit
8bc56d57f6
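--- a/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch
+++ b/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch
@@ -0,0 +1,48 @@
+From ea179d83b0aa62719d90748cd1fb260f40055f15 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 13 Jun 2022 22:44:28 +0800
+Subject: [PATCH] configure.ac: eliminate build path from openvpn --version
+option
+
+Before the patch:
+$ openvpn --version
+OpenVPN 2.5.7 x86_64-poky-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
+[snip]
+Compile time defines: enable_async_push=no enable_comp_stub=no
+[snip]
+with_crypto_library=openssl with_gnu_ld=yes
+with_libtool_sysroot=/buildarea/build/tmp/work/core2-64-poky-linux/openvpn/2.5.7-r0/recipe-sysroot
+with_mem_check=no with_openssl_engine=auto
+
+After the patch:
+$ openvpn --version
+OpenVPN 2.5.7 x86_64-poky-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
+[snip]
+Compile time defines: enable_async_push=no enable_comp_stub=no
+[snip]
+with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no
+with_openssl_engine=auto
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+configure.ac | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2f5f6bc..eddcbc5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1377,7 +1377,7 @@ if test "${enable_async_push}" = "yes"; then
+esac
+fi
+
+-CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
++CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*=' | grep -v 'libtool_sysroot'`"
+AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], [Configuration settings])
+
+TAP_WIN_COMPONENT_ID="PRODUCT_TAP_WIN_COMPONENT_ID"
+--
+2.25.1
+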
@ -4,6 +4,7 @@
# <rob@mars.org>, edited by iwj and cs
# Modified for openvpn by Alberto Gonzalez Iniesta <agi@agi.as>
# Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>
# Modified for respecting pid file on service start by Fabian Klemp <fabian.klemp@axino-group.com>
test $DEBIAN_SCRIPT_DEBUG && set -v -x
@ -14,10 +15,17 @@ test -d $CONFIG_DIR || exit 0
start_vpn () {
modprobe tun >/dev/null 2>&1 || true
$DAEMON --daemon --writepid /var/run/openvpn.$NAME.pid \
--config $CONFIG_DIR/$NAME.conf --cd $CONFIG_DIR || echo -n " FAILED->"
start-stop-daemon --start --quiet --pidfile /var/run/openvpn.$NAME.pid \
--exec $DAEMON -- \
--daemon --writepid /var/run/openvpn.$NAME.pid \
--config $CONFIG_DIR/$NAME.conf --cd $CONFIG_DIR || rc="$?"
case $rc in
1) echo -n " ALREADY STARTED->";;
3) echo -n " FAILED->";;
esac
echo -n " $NAME"
}
stop_vpn () {
kill `cat $PIDFILE` || true
rm $PIDFILE
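Review bot: `rc` is never initialised before the start-stop-daemon call in start_vpn, so `case $rc in` sees whatever value an earlier call left behind; if start_vpn is invoked once per tunnel, as the per-tunnel pid file suggests, one failed tunnel makes every later successful one print " FAILED->" as well. Adding `rc=0` on the line before `start-stop-daemon --start --quiet --pidfile /var/run/openvpn.$NAME.pid \` fixes this without needing the non-POSIX `local`. A short comment such as `# 1 = already running per pidfile+exec, 3 = could not start` above the `case` would also spare the next reader a trip to the start-stop-daemon manual. The second hunk's stop_vpn body continues outside the hunk.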
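--- a/openvpn-generator
+++ b/openvpn-generator
@@ -1,40 +0,0 @@
-#!/bin/sh
-
-# This systemd generator creates dependency symlinks that make all OpenVPN
-# tunnels listed in /etc/default/openvpn's AUTOSTART be started/stopped/reloaded
-# when openvpn.service is started/stopped/reloaded.
-
-set -eu
-
-GENDIR="$1"
-WANTDIR="$1/openvpn.service.wants"
-SERVICEFILE="/lib/systemd/system/openvpn@.service"
-AUTOSTART="all"
-CONFIG_DIR=/etc/openvpn
-
-mkdir -p "$WANTDIR"
-
-if test -e /etc/default/openvpn ; then
-. /etc/default/openvpn
-fi
-
-# No VPNs automatically started
-if test "x$AUTOSTART" = "xnone" ; then
-exit 0
-fi
-
-if test "x$AUTOSTART" = "xall" -o -z "$AUTOSTART" ; then
-for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
-NAME=${CONFIG%%.conf}
-ln -s "$SERVICEFILE" "$WANTDIR/openvpn@$NAME.service"
-done
-else
-for NAME in $AUTOSTART ; do
-if test -e $CONFIG_DIR/$NAME.conf ; then
-ln -s "$SERVICEFILE" "$WANTDIR/openvpn@$NAME.service"
-fi
-done
-fi
-
-exit 0
-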
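--- a/openvpn.service
+++ b/openvpn.service
@@ -1,18 +0,0 @@
-# This service is actually a systemd target,
-# but we are using a service since targets cannot be reloaded.
-
-[Unit]
-Description=OpenVPN service
-After=network.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/bin/true
-ExecReload=/bin/true
-WorkingDirectory=/etc/openvpn
-
-[Install]
-WantedBy=multi-user.target
-
-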
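--- a/openvpn@.service
+++ b/openvpn@.service
@@ -1,17 +0,0 @@
-[Unit]
-Description=OpenVPN connection to %i
-PartOf=openvpn.service
-ReloadPropagatedFrom=openvpn.service
-
-[Service]
-Type=forking
-ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn.%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
-ExecReload=/bin/kill -HUP $MAINPID
-WorkingDirectory=/etc/openvpn
-Restart=always
-RestartSec=2
-
-[Install]
-WantedBy=multi-user.target
-
-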
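--- a/openvpn_2.3.6.bb
+++ b/openvpn_2.3.6.bb
@@ -1,63 +0,0 @@
-SUMMARY = "A full-featured SSL VPN solution via tun device."
-HOMEPAGE = "http://openvpn.sourceforge.net"
-SECTION = "console/network"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=5aac200199fde47501876cba7263cb0c"
-DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
-
-inherit autotools
-
-PR = "r3"
-
-SRC_URI = "http://swupdate.openvpn.org/community/releases/openvpn-${PV}.tar.gz \
-file://openvpn \
-file://openvpn-generator \
-file://openvpn@.service \
-file://openvpn.service"
-
-SRC_URI[md5sum] = "6ca03fe0fd093e0d01601abee808835c"
-SRC_URI[sha256sum] = "7baed2ff39c12e1a1a289ec0b46fcc49ff094ca58b8d8d5f29b36ac649ee5b26"
-
-CFLAGS += "-fno-inline"
-
-# I want openvpn to be able to read password from file (hrw)
-EXTRA_OECONF += "--enable-password-save --enable-iproute2"
-EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}"
-
-# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host.
-EXTRA_OECONF += "IPROUTE=/sbin/ip"
-
-do_install_append() {
-install -d ${D}/${sysconfdir}/init.d
-install -d ${D}/${sysconfdir}/openvpn
-install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d
-
-# systemd files
-install -d ${D}${systemd_system_unitdir}
-install -d ${D}${systemd_unitdir}/system-generators
-install -m 0644 ${WORKDIR}/openvpn.service ${D}${systemd_system_unitdir}
-install -m 0644 ${WORKDIR}/openvpn@.service ${D}${systemd_system_unitdir}
-install -m 0755 ${WORKDIR}/openvpn-generator ${D}${systemd_unitdir}/system-generators
-}
-
-RDEPENDS_${PN} += "update-rc.d"
-RRECOMMENDS_${PN} = "kernel-module-tun"
-
-FILES_${PN}-dbg += "${libdir}/openvpn/plugins/.debug"
-
-# Don't go through the systemd.bbclass as we do not want magic to happen
-# during install and upgrade. Simply ship the files.
-FILES_${PN} += "${systemd_unitdir}"
-
-pkg_postinst_${PN} () {
-if [ "x$D" != "x" ]; then
-exit 1
-fi
-
-if [ -L /etc/rc2.d/S*openvpn ]; then
-update-rc.d -f openvpn remove
-if [ ! -L /etc/systemd/system/multi-user.target.wants/openvpn.service ]; then
-ln -s '/lib/systemd/system/openvpn.service' '/etc/systemd/system/multi-user.target.wants/openvpn.service'
-fi
-fi
-}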
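--- a/openvpn_2.5.8.bb
+++ b/openvpn_2.5.8.bb
@@ -0,0 +1,77 @@
+SUMMARY = "A full-featured SSL VPN solution via tun device."
+HOMEPAGE = "https://openvpn.net/"
+SECTION = "net"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b76abd82c14ee01cc34c4ff5e3627b89"
+DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+
+inherit autotools systemd update-rc.d pkgconfig
+
+SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
+file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \
+file://openvpn \
+"
+
+UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
+
+SRC_URI[sha256sum] = "a6f315b7231d44527e65901ff646f87d7f07862c87f33531daa109fb48c53db2"
+
+# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
+CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME_${PN} = "openvpn"
+INITSCRIPT_PARAMS_${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ."
+
+CFLAGS += "-fno-inline"
+
+# I want openvpn to be able to read password from file (hrw)
+EXTRA_OECONF += "--enable-iproute2"
+EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}"
+
+# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host.
+EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip"
+
+EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
+TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \
+"
+
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
+${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
+"
+
+PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
+
+do_install_append() {
+install -d ${D}/${sysconfdir}/init.d
+install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d
+
+install -d ${D}/${sysconfdir}/openvpn
+install -d ${D}/${sysconfdir}/openvpn/server
+install -d ${D}/${sysconfdir}/openvpn/client
+
+install -d ${D}/${sysconfdir}/openvpn/sample
+install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf
+install -m 644 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf
+install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files
+install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys
+install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts
+install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files
+install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys
+install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts
+
+install -d -m 710 ${D}/${localstatedir}/lib/openvpn
+}
+
+PACKAGES =+ " ${PN}-sample "
+
+RRECOMMENDS_${PN} = "kernel-module-tun"
+
+FILES_${PN}-dbg += "${libdir}/openvpn/plugins/.debug"
+FILES_${PN} += "${systemd_system_unitdir}/openvpn-server@.service \
+${systemd_system_unitdir}/openvpn-client@.service \
+${nonarch_libdir}/tmpfiles.d \
+"
+FILES_${PN}-sample = "${sysconfdir}/openvpn/sample/ \
+"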
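Review bot: The comment `# I want openvpn to be able to read password from file (hrw)` no longer matches the line under it, since `EXTRA_OECONF += "--enable-iproute2"` dropped the `--enable-password-save` switch the comment was written for; presumably the 2.5.x configure script no longer offers it, but that should be confirmed and the comment rewritten as `# --enable-password-save is not passed any more: confirm the 2.5.x configure.ac dropped the switch` or removed. In do_install_append, `install -m 644 ${S}/sample/sample-keys/* ...` ships upstream's publicly known test key material world-readable under `${sysconfdir}/openvpn/sample/sample-keys`; splitting it into `${PN}-sample` is the right call, and a one-line comment such as `# sample-keys are upstream's published test material for the loopback samples only; never reference them from a real config` would make that intent explicit for whoever installs the package on a target. `inherit systemd` is added without a `SYSTEMD_SERVICE_${PN}`, so the openvpn-server@/openvpn-client@ template units listed in FILES are shipped but nothing is enabled by the class; that may be intended given the update-rc.d script remains the enabled path, and a short comment saying so would save the next reader the question.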