From d950005138190915bef25bcbe463efd9bcf6ccd5 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Thu, 19 Jan 2023 17:32:47 +0000
Subject: [PATCH] openvpn: upgrade openvpn from 2.3.6 to 2.5.8

Our openvpn server has meanwhile been migrated to 2.5.x, and establishing backwards compatibility with 2.3.x means we have to disable ciphers + tls versions that are no longer considered secure.

Related: SYS#6303
---
 ...minate-build-path-from-openvpn-versi.patch | 48 ++++++++++++
 recipes-extra/openvpn/openvpn/openvpn | 34 ++++----
 .../openvpn/openvpn/openvpn-generator | 40 ----------
 recipes-extra/openvpn/openvpn/openvpn.service | 18 -----
 .../openvpn/openvpn/openvpn@.service | 17 ----
 recipes-extra/openvpn/openvpn_2.3.6.bb | 63 ---------------
 recipes-extra/openvpn/openvpn_2.5.8.bb | 77 +++++++++++++++++++
 7 files changed, 146 insertions(+), 151 deletions(-)
 create mode 100644 recipes-extra/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch
 delete mode 100755 recipes-extra/openvpn/openvpn/openvpn-generator
 delete mode 100644 recipes-extra/openvpn/openvpn/openvpn.service
 delete mode 100644 recipes-extra/openvpn/openvpn/openvpn@.service
 delete mode 100644 recipes-extra/openvpn/openvpn_2.3.6.bb
 create mode 100644 recipes-extra/openvpn/openvpn_2.5.8.bb

diff --git a/recipes-extra/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch b/recipes-extra/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch
new file mode 100644
index 0000000..03b454d
--- /dev/null
+++ b/recipes-extra/openvpn/openvpn/0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch
@@ -0,0 +1,48 @@
+From ea179d83b0aa62719d90748cd1fb260f40055f15 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Mon, 13 Jun 2022 22:44:28 +0800
+Subject: [PATCH] configure.ac: eliminate build path from openvpn --version
+ option
+
+Before the patch:
+$ openvpn --version
+OpenVPN 2.5.7 x86_64-poky-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
+[snip]
+Compile time defines: enable_async_push=no enable_comp_stub=no
+[snip]
+with_crypto_library=openssl with_gnu_ld=yes
+with_libtool_sysroot=/buildarea/build/tmp/work/core2-64-poky-linux/openvpn/2.5.7-r0/recipe-sysroot
+with_mem_check=no with_openssl_engine=auto
+
+After the patch:
+$ openvpn --version
+OpenVPN 2.5.7 x86_64-poky-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL]
+[snip]
+Compile time defines: enable_async_push=no enable_comp_stub=no
+[snip]
+with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no
+with_openssl_engine=auto
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 2f5f6bc..eddcbc5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1377,7 +1377,7 @@ if test "${enable_async_push}" = "yes"; then
+ esac
+ fi
+
+-CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*='`"
++CONFIGURE_DEFINES="`set | grep '^enable_.*=' ; set | grep '^with_.*=' | grep -v 'libtool_sysroot'`"
+ AC_DEFINE_UNQUOTED([CONFIGURE_DEFINES], ["`echo ${CONFIGURE_DEFINES}`"], [Configuration settings])
+
+ TAP_WIN_COMPONENT_ID="PRODUCT_TAP_WIN_COMPONENT_ID"
+--
+2.25.1
+
diff --git a/recipes-extra/openvpn/openvpn/openvpn b/recipes-extra/openvpn/openvpn/openvpn
index 28ab37b..e5af4b2 100644
--- a/recipes-extra/openvpn/openvpn/openvpn
+++ b/recipes-extra/openvpn/openvpn/openvpn
@@ -1,32 +1,40 @@
 #!/bin/sh -e
-#
+#
 # Original version by Robert Leslie
 # , edited by iwj and cs
 # Modified for openvpn by Alberto Gonzalez Iniesta
 # Modified for restarting / starting / stopping single tunnels by Richard Mueller
-
+# Modified for respecting pid file on service start by Fabian Klemp
+
 test $DEBIAN_SCRIPT_DEBUG && set -v -x
-
+
 DAEMON=/usr/sbin/openvpn
 CONFIG_DIR=/etc/openvpn
 test -x $DAEMON || exit 0
 test -d $CONFIG_DIR || exit 0
-
+
 start_vpn () {
 modprobe tun >/dev/null 2>&1 || true
- $DAEMON --daemon --writepid /var/run/openvpn.$NAME.pid \
- --config $CONFIG_DIR/$NAME.conf --cd $CONFIG_DIR || echo -n " FAILED->"
+ start-stop-daemon --start --quiet --pidfile /var/run/openvpn.$NAME.pid \
+ --exec $DAEMON -- \
+ --daemon --writepid /var/run/openvpn.$NAME.pid \
+ --config $CONFIG_DIR/$NAME.conf --cd $CONFIG_DIR || rc="$?"
+ case $rc in
+ 1) echo -n " ALREADY STARTED->";;
+ 3) echo -n " FAILED->";;
+ esac
 echo -n " $NAME"
-}
+}
+
 stop_vpn () {
 kill `cat $PIDFILE` || true
 rm $PIDFILE
-}
-
+}
+
 case "$1" in
 start)
 echo -n "Starting openvpn:"
-
+
 if test -z $2 ; then
 for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
 NAME=${CONFIG%%.conf}
@@ -41,11 +49,11 @@ start)
 fi
 fi
 echo "."
-
+
 ;;
 stop)
 echo -n "Stopping openvpn:"
-
+
 if test -z $2 ; then
 for PIDFILE in `ls /var/run/openvpn.*.pid 2> /dev/null`; do
 NAME=`echo $PIDFILE | cut -c18-`
@@ -87,7 +95,7 @@ reload|force-reload)
 done
 echo "."
 ;;
-
+
 restart)
 $0 stop $2
 sleep 1
diff --git a/recipes-extra/openvpn/openvpn/openvpn-generator b/recipes-extra/openvpn/openvpn/openvpn-generator
deleted file mode 100755
index d6ac1aa..0000000
--- a/recipes-extra/openvpn/openvpn/openvpn-generator
+++ /dev/null
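Review bot: In `start_vpn`, `rc` is assigned only when `start-stop-daemon` fails and is never reset, so once one tunnel fails (`rc=3`) every later tunnel started by the same `for CONFIG in ...` loop is reported as ` FAILED->` as well, and a first successful start runs `case $rc in` against an unset variable. Add `rc=0` directly after the `modprobe` line so each config is judged on its own result. The `1)` arm relies on `start-stop-daemon --start` returning 1 for an already-running instance, which only holds because `--oknodo` is not passed; a one-line comment saying so would stop the next editor from adding it. The `case "$1" in` dispatch visible at the end of this hunk continues outside it, and the two later hunks in this file are whitespace-only.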
@@ -1,40 +0,0 @@
-#!/bin/sh
-
-# This systemd generator creates dependency symlinks that make all OpenVPN
-# tunnels listed in /etc/default/openvpn's AUTOSTART be started/stopped/reloaded
-# when openvpn.service is started/stopped/reloaded.
-
-set -eu
-
-GENDIR="$1"
-WANTDIR="$1/openvpn.service.wants"
-SERVICEFILE="/lib/systemd/system/openvpn@.service"
-AUTOSTART="all"
-CONFIG_DIR=/etc/openvpn
-
-mkdir -p "$WANTDIR"
-
-if test -e /etc/default/openvpn ; then
- . /etc/default/openvpn
-fi
-
-# No VPNs automatically started
-if test "x$AUTOSTART" = "xnone" ; then
- exit 0
-fi
-
-if test "x$AUTOSTART" = "xall" -o -z "$AUTOSTART" ; then
- for CONFIG in `cd $CONFIG_DIR; ls *.conf 2> /dev/null`; do
- NAME=${CONFIG%%.conf}
- ln -s "$SERVICEFILE" "$WANTDIR/openvpn@$NAME.service"
- done
-else
- for NAME in $AUTOSTART ; do
- if test -e $CONFIG_DIR/$NAME.conf ; then
- ln -s "$SERVICEFILE" "$WANTDIR/openvpn@$NAME.service"
- fi
- done
-fi
-
-exit 0
-
diff --git a/recipes-extra/openvpn/openvpn/openvpn.service b/recipes-extra/openvpn/openvpn/openvpn.service
deleted file mode 100644
index 0075cc4..0000000
--- a/recipes-extra/openvpn/openvpn/openvpn.service
+++ /dev/null
@@ -1,18 +0,0 @@
-# This service is actually a systemd target,
-# but we are using a service since targets cannot be reloaded.
-
-[Unit]
-Description=OpenVPN service
-After=network.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/bin/true
-ExecReload=/bin/true
-WorkingDirectory=/etc/openvpn
-
-[Install]
-WantedBy=multi-user.target
-
-
diff --git a/recipes-extra/openvpn/openvpn/openvpn@.service b/recipes-extra/openvpn/openvpn/openvpn@.service
deleted file mode 100644
index 75b0298..0000000
--- a/recipes-extra/openvpn/openvpn/openvpn@.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=OpenVPN connection to %i
-PartOf=openvpn.service
-ReloadPropagatedFrom=openvpn.service
-
-[Service]
-Type=forking
-ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn.%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
-ExecReload=/bin/kill -HUP $MAINPID
-WorkingDirectory=/etc/openvpn
-Restart=always
-RestartSec=2
-
-[Install]
-WantedBy=multi-user.target
-
-
diff --git a/recipes-extra/openvpn/openvpn_2.3.6.bb b/recipes-extra/openvpn/openvpn_2.3.6.bb
deleted file mode 100644
index 51bb0b1..0000000
--- a/recipes-extra/openvpn/openvpn_2.3.6.bb
+++ /dev/null
@@ -1,63 +0,0 @@
-SUMMARY = "A full-featured SSL VPN solution via tun device."
-HOMEPAGE = "http://openvpn.sourceforge.net"
-SECTION = "console/network"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=5aac200199fde47501876cba7263cb0c"
-DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
-
-inherit autotools
-
-PR = "r3"
-
-SRC_URI = "http://swupdate.openvpn.org/community/releases/openvpn-${PV}.tar.gz \
- file://openvpn \
- file://openvpn-generator \
- file://openvpn@.service \
- file://openvpn.service"
-
-SRC_URI[md5sum] = "6ca03fe0fd093e0d01601abee808835c"
-SRC_URI[sha256sum] = "7baed2ff39c12e1a1a289ec0b46fcc49ff094ca58b8d8d5f29b36ac649ee5b26"
-
-CFLAGS += "-fno-inline"
-
-# I want openvpn to be able to read password from file (hrw)
-EXTRA_OECONF += "--enable-password-save --enable-iproute2"
-EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}"
-
-# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host.
-EXTRA_OECONF += "IPROUTE=/sbin/ip"
-
-do_install_append() {
- install -d ${D}/${sysconfdir}/init.d
- install -d ${D}/${sysconfdir}/openvpn
- install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d
-
- # systemd files
- install -d ${D}${systemd_system_unitdir}
- install -d ${D}${systemd_unitdir}/system-generators
- install -m 0644 ${WORKDIR}/openvpn.service ${D}${systemd_system_unitdir}
- install -m 0644 ${WORKDIR}/openvpn@.service ${D}${systemd_system_unitdir}
- install -m 0755 ${WORKDIR}/openvpn-generator ${D}${systemd_unitdir}/system-generators
-}
-
-RDEPENDS_${PN} += "update-rc.d"
-RRECOMMENDS_${PN} = "kernel-module-tun"
-
-FILES_${PN}-dbg += "${libdir}/openvpn/plugins/.debug"
-
-# Don't go through the systemd.bbclass as we do not want magic to happen
-# during install and upgrade. Simply ship the files.
-FILES_${PN} += "${systemd_unitdir}"
-
-pkg_postinst_${PN} () {
- if [ "x$D" != "x" ]; then
- exit 1
- fi
-
- if [ -L /etc/rc2.d/S*openvpn ]; then
- update-rc.d -f openvpn remove
- if [ ! -L /etc/systemd/system/multi-user.target.wants/openvpn.service ]; then
- ln -s '/lib/systemd/system/openvpn.service' '/etc/systemd/system/multi-user.target.wants/openvpn.service'
- fi
- fi
-}
diff --git a/recipes-extra/openvpn/openvpn_2.5.8.bb b/recipes-extra/openvpn/openvpn_2.5.8.bb
new file mode 100644
index 0000000..c3c7a55
--- /dev/null
+++ b/recipes-extra/openvpn/openvpn_2.5.8.bb
@@ -0,0 +1,77 @@
+SUMMARY = "A full-featured SSL VPN solution via tun device."
+HOMEPAGE = "https://openvpn.net/"
+SECTION = "net"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b76abd82c14ee01cc34c4ff5e3627b89"
+DEPENDS = "lzo openssl iproute2 ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+
+inherit autotools systemd update-rc.d pkgconfig
+
+SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \
+ file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \
+ file://openvpn \
+ "
+
+UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
+
+SRC_URI[sha256sum] = "a6f315b7231d44527e65901ff646f87d7f07862c87f33531daa109fb48c53db2"
+
+# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
+CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME_${PN} = "openvpn"
+INITSCRIPT_PARAMS_${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ."
+
+CFLAGS += "-fno-inline"
+
+# I want openvpn to be able to read password from file (hrw)
+EXTRA_OECONF += "--enable-iproute2"
+EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}"
+
+# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host.
+EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip"
+
+EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \
+ TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \
+ "
+
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
+ "
+
+PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
+
+do_install_append() {
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 755 ${WORKDIR}/openvpn ${D}/${sysconfdir}/init.d
+
+ install -d ${D}/${sysconfdir}/openvpn
+ install -d ${D}/${sysconfdir}/openvpn/server
+ install -d ${D}/${sysconfdir}/openvpn/client
+
+ install -d ${D}/${sysconfdir}/openvpn/sample
+ install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf
+ install -m 644 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf
+ install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files
+ install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys
+ install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts
+ install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files
+ install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys
+ install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts
+
+ install -d -m 710 ${D}/${localstatedir}/lib/openvpn
+}
+
+PACKAGES =+ " ${PN}-sample "
+
+RRECOMMENDS_${PN} = "kernel-module-tun"
+
+FILES_${PN}-dbg += "${libdir}/openvpn/plugins/.debug"
+FILES_${PN} += "${systemd_system_unitdir}/openvpn-server@.service \
+ ${systemd_system_unitdir}/openvpn-client@.service \
+ ${nonarch_libdir}/tmpfiles.d \
+ "
+FILES_${PN}-sample = "${sysconfdir}/openvpn/sample/ \
+ "
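Review bot: The comment `# I want openvpn to be able to read password from file (hrw)` no longer describes the line under it: the `--enable-password-save` switch it referred to in the 2.3.6 recipe has been dropped and only `--enable-iproute2` remains, so the comment now documents nothing. Either remove it or, if the switch went away because 2.5 no longer offers it, say so in its place, e.g. `# --enable-password-save is gone in 2.5; only iproute2 support still needs a configure switch` — confirm against the 2.5.8 configure.ac before committing to that wording. `SRC_URI` still fetches the tarball over plain `http://`; the sha256sum pins integrity so a tampered download only fails the checksum, but fetching over https is the usual choice where the mirror offers it. The commit description talks about disabling ciphers and TLS versions, yet no OpenVPN configuration is part of this change, so presumably that lives in the deployed `/etc/openvpn` configs and the description should say where. This hunk is the whole new file.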