openvpn: upgrade openvpn from 2.3.6 to 2.5.8

Our openvpn server has meanwhile been migrated to 2.5.x, and establishing backwards compatibility with 2.3.x means we have to disable ciphers + tls versions that are no longer considered secure. Related: SYS#6303
2023-01-19 17:32:47 +00:00 · 2023-01-19 17:32:47 +00:00 · d950005138
parent fae46a5d5a
commit d950005138
7 changed files with 146 additions and 151 deletions
--- a/recipes-extra/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch
+++ b/recipes-extra/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch
@ -0,0 +1,48 @@
+From ea179d83b0aa62719d90748cd1fb260f40055f15 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Mon, 13 Jun 2022 22:44:28 +0800
+Subject: [PATCH] configure.ac: eliminate build path from openvpn --version
+ option
+
+Before the patch:
+$ openvpn  --version
+OpenVPN 2.5.7 x86_64-poky-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
+[snip]
+Compile time defines: enable_async_push=no enable_comp_stub=no
+[snip]
+with_crypto_library=openssl with_gnu_ld=yes
+with_libtool_sysroot=/buildarea/build/tmp/work/core2-64-poky-linux/openvpn/2.5.7-r0/recipe-sysroot
+with_mem_check=no with_openssl_engine=auto
+
+After the patch:
+$ openvpn  --version
+OpenVPN 2.5.7 x86_64-poky-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
+[snip]
+Compile time defines: enable_async_push=no enable_comp_stub=no
+[snip]
+with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no
+with_openssl_engine=auto
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2f5f6bc..eddcbc5 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -1377,7 +1377,7 @@ if test "${enable_async_push}" = "yes"; then
+ 	esac
+ fi
+ 
+-CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
+CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*=' | grep -v 'libtool_sysroot'`"
+ AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], [Configuration settings])
+ 
+ TAP_WIN_COMPONENT_ID="PRODUCT_TAP_WIN_COMPONENT_ID"
+-- 
+2.25.1
+
--- a/recipes-extra/openvpn/openvpn/openvpn
+++ b/recipes-extra/openvpn/openvpn/openvpn
@ -1,32 +1,40 @@
 #!/bin/sh -e
-#  
+#
 # Original version by Robert Leslie
 # <rob@mars.org>, edited by iwj and cs
 # Modified for openvpn by Alberto Gonzalez Iniesta <agi@agi.as>
 # Modified for restarting / starting / stopping single tunnels by Richard Mueller <mueller@teamix.net>
-   
+# Modified for respecting pid file on service start by Fabian Klemp <fabian.klemp@axino-group.com>
+
 test $DEBIAN_SCRIPT_DEBUG && set -v -x
-   
+
 DAEMON=/usr/sbin/openvpn
 CONFIG_DIR=/etc/openvpn
 test -x $DAEMON || exit 0
 test -d $CONFIG_DIR || exit 0
-   
+
 start_vpn () {
    modprobe tun >/dev/null 2>&1 || true
-    $DAEMON --daemon --writepid /var/run/openvpn.$NAME.pid \
-            --config $CONFIG_DIR/$NAME.conf --cd $CONFIG_DIR || echo -n " FAILED->"
+    start-stop-daemon --start --quiet --pidfile /var/run/openvpn.$NAME.pid \
+            --exec $DAEMON -- \
+            --daemon --writepid /var/run/openvpn.$NAME.pid \
+            --config $CONFIG_DIR/$NAME.conf --cd $CONFIG_DIR || rc="$?"
+    case $rc in
+        1) echo -n " ALREADY STARTED->";;
+        3) echo -n " FAILED->";;
+    esac
    echo -n " $NAME"
-}  
+}
+
 stop_vpn () {
   kill `cat $PIDFILE` || true
  rm $PIDFILE
-}  
-   
+}
+
 case "$1" in
 start)
  echo -n "Starting openvpn:"
-   
+
  if test -z $2 ; then
    for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
      NAME=${CONFIG%%.conf}
@ -41,11 +49,11 @@ start)
    fi
  fi
  echo "."
-   
+
  ;;
 stop)
  echo -n "Stopping openvpn:"
-   
+
  if test -z $2 ; then
    for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
      NAME=`echo $PIDFILE | cut -c18-`
@ -87,7 +95,7 @@ reload|force-reload)
  done
  echo "."
  ;;
- 
+
 restart)
  $0 stop $2
  sleep 1
--- a/recipes-extra/openvpn/openvpn/openvpn-generator
+++ b/recipes-extra/openvpn/openvpn/openvpn-generator
@ -1,40 +0,0 @@
-#!/bin/sh
-
-# This systemd generator creates dependency symlinks that make all OpenVPN
-# tunnels listed in /etc/default/openvpn's AUTOSTART be started/stopped/reloaded
-# when openvpn.service is started/stopped/reloaded.
-
-set -eu
-
-GENDIR="$1"
-WANTDIR="$1/openvpn.service.wants"
-SERVICEFILE="/lib/systemd/system/openvpn@.service"
-AUTOSTART="all"
-CONFIG_DIR=/etc/openvpn
-
-mkdir -p "$WANTDIR"
-
-if test -e /etc/default/openvpn ; then
-	. /etc/default/openvpn
-fi
-
-# No VPNs automatically started
-if test "x$AUTOSTART" = "xnone" ; then
-	exit 0
-fi
-
-if test "x$AUTOSTART" = "xall" -o -z "$AUTOSTART" ; then
-	for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
-		NAME=${CONFIG%%.conf}
-		ln -s "$SERVICEFILE" "$WANTDIR/openvpn@$NAME.service"
-	done
-else
-	for NAME in $AUTOSTART ; do
-		if test -e $CONFIG_DIR/$NAME.conf ; then
-			ln -s "$SERVICEFILE" "$WANTDIR/openvpn@$NAME.service"
-		fi
-	done
-fi
-
-exit 0
-
--- a/recipes-extra/openvpn/openvpn/openvpn.service
+++ b/recipes-extra/openvpn/openvpn/openvpn.service
@ -1,18 +0,0 @@
-# This service is actually a systemd target,
-# but we are using a service since targets cannot be reloaded.
-
-[Unit]
-Description=OpenVPN service
-After=network.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/bin/true
-ExecReload=/bin/true
-WorkingDirectory=/etc/openvpn
-
-[Install]
-WantedBy=multi-user.target
-
-
--- a/recipes-extra/openvpn/openvpn/openvpn@.service
+++ b/recipes-extra/openvpn/openvpn/openvpn@.service
@ -1,17 +0,0 @@
-[Unit]
-Description=OpenVPN connection to %i
-PartOf=openvpn.service
-ReloadPropagatedFrom=openvpn.service
-
-[Service]
-Type=forking
-ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn.%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
-ExecReload=/bin/kill -HUP $MAINPID
-WorkingDirectory=/etc/openvpn
-Restart=always
-RestartSec=2
-
-[Install]
-WantedBy=multi-user.target
-
-
--- a/recipes-extra/openvpn/openvpn_2.3.6.bb
+++ b/recipes-extra/openvpn/openvpn_2.3.6.bb
@ -1,63 +0,0 @@
-SUMMARY = "A full-featured SSL VPN solution via tun device."
-HOMEPAGE = "http://openvpn.sourceforge.net"
-SECTION = "console/network"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=5aac200199fde47501876cba7263cb0c"
-DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
-
-inherit autotools
-
-PR = "r3"
-
-SRC_URI = "http://swupdate.openvpn.org/community/releases/openvpn-${PV}.tar.gz \
-           file://openvpn \
-           file://openvpn-generator \
-           file://openvpn@.service \
-           file://openvpn.service"
-
-SRC_URI[md5sum] = "6ca03fe0fd093e0d01601abee808835c"
-SRC_URI[sha256sum] = "7baed2ff39c12e1a1a289ec0b46fcc49ff094ca58b8d8d5f29b36ac649ee5b26"
-
-CFLAGS += "-fno-inline"
-
-# I want openvpn to be able to read password from file (hrw)
-EXTRA_OECONF += "--enable-password-save --enable-iproute2"
-EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}"
-
-# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host.
-EXTRA_OECONF += "IPROUTE=/sbin/ip"
-
-do_install_append() {
-    install -d ${D}/${sysconfdir}/init.d
-    install -d ${D}/${sysconfdir}/openvpn
-    install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d
-
-    # systemd files
-    install -d ${D}${systemd_system_unitdir}
-    install -d ${D}${systemd_unitdir}/system-generators
-    install -m 0644 ${WORKDIR}/openvpn.service ${D}${systemd_system_unitdir}
-    install -m 0644 ${WORKDIR}/openvpn@.service ${D}${systemd_system_unitdir}
-    install -m 0755 ${WORKDIR}/openvpn-generator ${D}${systemd_unitdir}/system-generators
-}
-
-RDEPENDS_${PN} += "update-rc.d"
-RRECOMMENDS_${PN} = "kernel-module-tun"
-
-FILES_${PN}-dbg += "${libdir}/openvpn/plugins/.debug"
-
-# Don't go through the systemd.bbclass as we do not want magic to happen
-# during install and upgrade. Simply ship the files.
-FILES_${PN} += "${systemd_unitdir}"
-
-pkg_postinst_${PN} () {
-    if [ "x$D" != "x" ]; then
-        exit 1
-    fi
-
-    if [ -L /etc/rc2.d/S*openvpn ]; then
-        update-rc.d -f openvpn remove
-        if [ ! -L /etc/systemd/system/multi-user.target.wants/openvpn.service ]; then
-            ln -s '/lib/systemd/system/openvpn.service' '/etc/systemd/system/multi-user.target.wants/openvpn.service'
-        fi
-    fi
-}
--- a/recipes-extra/openvpn/openvpn_2.5.8.bb
+++ b/recipes-extra/openvpn/openvpn_2.5.8.bb
@ -0,0 +1,77 @@
+SUMMARY = "A full-featured SSL VPN solution via tun device."
+HOMEPAGE = "https://openvpn.net/"
+SECTION = "net"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b76abd82c14ee01cc34c4ff5e3627b89"
+DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+
+inherit autotools systemd update-rc.d pkgconfig
+
+SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
+           file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \
+           file://openvpn \
+          "
+
+UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
+
+SRC_URI[sha256sum] = "a6f315b7231d44527e65901ff646f87d7f07862c87f33531daa109fb48c53db2"
+
+# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
+CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME_${PN} = "openvpn"
+INITSCRIPT_PARAMS_${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ."
+
+CFLAGS += "-fno-inline"
+
+# I want openvpn to be able to read password from file (hrw)
+EXTRA_OECONF += "--enable-iproute2"
+EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}"
+
+# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host.
+EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip"
+
+EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
+                 TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \
+                "
+
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
+                   ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
+                  "
+
+PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
+
+do_install_append() {
+    install -d ${D}/${sysconfdir}/init.d
+    install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d
+
+    install -d ${D}/${sysconfdir}/openvpn
+    install -d ${D}/${sysconfdir}/openvpn/server
+    install -d ${D}/${sysconfdir}/openvpn/client
+
+    install -d ${D}/${sysconfdir}/openvpn/sample
+    install -m 644 ${S}/sample/sample-config-files/loopback-server  ${D}${sysconfdir}/openvpn/sample/loopback-server.conf
+    install -m 644 ${S}/sample/sample-config-files/loopback-client  ${D}${sysconfdir}/openvpn/sample/loopback-client.conf
+    install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files
+    install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys
+    install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts
+    install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files
+    install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys
+    install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts
+
+    install -d -m 710 ${D}/${localstatedir}/lib/openvpn
+}
+
+PACKAGES =+ " ${PN}-sample "
+
+RRECOMMENDS_${PN} = "kernel-module-tun"
+
+FILES_${PN}-dbg += "${libdir}/openvpn/plugins/.debug"
+FILES_${PN} += "${systemd_system_unitdir}/openvpn-server@.service \
+                ${systemd_system_unitdir}/openvpn-client@.service \
+                ${nonarch_libdir}/tmpfiles.d \
+               "
+FILES_${PN}-sample = "${sysconfdir}/openvpn/sample/ \
+                     "