From 5d911f8acc4acd6da661e57e4d86d08139fdb4bd Mon Sep 17 00:00:00 2001 From: RISCi_ATOM Date: Sat, 1 Apr 2023 15:24:50 -0400 Subject: [PATCH] openvpn : Bump to 2.5.8 --- .../services/openvpn/Config-mbedtls.in | 6 +- .../services/openvpn/Config-openssl.in | 4 - .../services/openvpn/Config-wolfssl.in | 63 ++++++ package/network/services/openvpn/Makefile | 41 +++- .../files/etc/hotplug.d/openvpn/01-user | 22 ++ .../services/openvpn/files/etc/openvpn.user | 11 + .../openvpn/files/lib/functions/openvpn.sh | 16 ++ .../services/openvpn/files/openvpn.config | 141 +++++++++++-- .../services/openvpn/files/openvpn.init | 103 +++++++++- .../services/openvpn/files/openvpn.options | 19 +- .../openvpn/files/usr/libexec/openvpn-hotplug | 10 + .../001-reproducible-remove_DATE.patch | 6 +- .../patches/002-add-wolfssl-support.patch | 190 ++++++++++++++++++ ...bedtls-disable-runtime-version-check.patch | 2 +- .../210-build_always_use_internal_lz4.patch | 2 +- .../openvpn/patches/220-disable_des.patch | 21 +- package/network/services/openvpn/test.sh | 10 + 17 files changed, 597 insertions(+), 70 deletions(-) create mode 100644 package/network/services/openvpn/Config-wolfssl.in create mode 100644 package/network/services/openvpn/files/etc/hotplug.d/openvpn/01-user create mode 100644 package/network/services/openvpn/files/etc/openvpn.user create mode 100644 package/network/services/openvpn/files/lib/functions/openvpn.sh create mode 100644 package/network/services/openvpn/files/usr/libexec/openvpn-hotplug create mode 100644 package/network/services/openvpn/patches/002-add-wolfssl-support.patch create mode 100755 package/network/services/openvpn/test.sh diff --git a/package/network/services/openvpn/Config-mbedtls.in b/package/network/services/openvpn/Config-mbedtls.in index beac492022..3cf233b8f7 100644 --- a/package/network/services/openvpn/Config-mbedtls.in +++ b/package/network/services/openvpn/Config-mbedtls.in 
@@ -2,16 +2,12 @@ if PACKAGE_openvpn-mbedtls config OPENVPN_mbedtls_ENABLE_LZO bool "Enable LZO compression support" - default y + default n config OPENVPN_mbedtls_ENABLE_LZ4 bool "Enable LZ4 compression support" default y -config OPENVPN_mbedtls_ENABLE_SERVER - bool "Enable server support (otherwise only client mode is support)" - default y - #config OPENVPN_mbedtls_ENABLE_EUREPHIA # bool "Enable support for the eurephia plug-in" # default n diff --git a/package/network/services/openvpn/Config-openssl.in b/package/network/services/openvpn/Config-openssl.in index f2b618eff1..7a7be74db9 100644 --- a/package/network/services/openvpn/Config-openssl.in +++ b/package/network/services/openvpn/Config-openssl.in @@ -12,10 +12,6 @@ config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME bool "Enable the --x509-username-field feature" default n -config OPENVPN_openssl_ENABLE_SERVER - bool "Enable server support (otherwise only client mode is support)" - default y - #config OPENVPN_openssl_ENABLE_EUREPHIA # bool "Enable support for the eurephia plug-in" # default n diff --git a/package/network/services/openvpn/Config-wolfssl.in b/package/network/services/openvpn/Config-wolfssl.in new file mode 100644 index 0000000000..ef8b9dcb34 --- /dev/null +++ b/package/network/services/openvpn/Config-wolfssl.in 
@@ -0,0 +1,63 @@
+if PACKAGE_openvpn-wolfssl
+
+config OPENVPN_wolfssl
+ bool
+ default y
+ select WOLFSSL_HAS_OPENVPN
+
+config OPENVPN_wolfssl_ENABLE_LZO
+ bool "Enable LZO compression support"
+ default n
+
+config OPENVPN_wolfssl_ENABLE_LZ4
+ bool "Enable LZ4 compression support"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_X509_ALT_USERNAME
+ bool "Enable the --x509-username-field feature"
+ default n
+
+#config OPENVPN_wolfssl_ENABLE_EUREPHIA
+# bool "Enable support for the eurephia plug-in"
+# default n
+
+config OPENVPN_wolfssl_ENABLE_MANAGEMENT
+ bool "Enable management server support"
+ default n
+
+#config OPENVPN_wolfssl_ENABLE_PKCS11
+# bool "Enable pkcs11 support"
+# default n
+
+config OPENVPN_wolfssl_ENABLE_FRAGMENT
+ bool "Enable internal fragmentation support (--fragment)"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_MULTIHOME
+ bool "Enable multi-homed UDP server support (--multihome)"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_PORT_SHARE
+ bool "Enable TCP server port-share support (--port-share)"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_DEF_AUTH
+ bool "Enable deferred authentication"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_PF
+ bool "Enable internal packet filter"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_IPROUTE2
+ bool "Enable support for iproute2"
+ default n
+
+config OPENVPN_wolfssl_ENABLE_SMALL
+ bool "Enable size optimization"
+ default y
+ help
+ enable smaller executable size (disable OCC, usage
+ message, and verb 4 parm list)
+
+endif
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 5f2f600a2f..a512e364fe 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,16 +9,16 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.4.12 +PKG_VERSION:=2.5.8 PKG_RELEASE:=1 PKG_SOURCE_URL:=\ https://build.openvpn.net/downloads/releases/ \ https://swupdate.openvpn.net/community/releases/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_HASH:=7426b99b2058b942552af2680ee58546fbf63712992557328bd0014093aa7da4 +PKG_HASH:=2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57 -PKG_MAINTAINER:=Felix Fietkau +PKG_MAINTAINER:=Magnus Kroken PKG_INSTALL:=1 PKG_FIXUP:=autoreconf @@ -42,6 +42,7 @@ endef Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl) Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls) +Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL \(experimental\),+PACKAGE_openvpn-wolfssl:libwolfssl) define Package/openvpn/config/Default source "$(SOURCE)/Config-$(1).in" @@ -49,6 +50,7 @@ endef Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl) Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls) +Package/openvpn-wolfssl/config=$(call Package/openvpn/config/Default,wolfssl) ifeq ($(BUILD_VARIANT),mbedtls) CONFIG_OPENVPN_MBEDTLS:=y @@ -56,10 +58,11 @@ endif ifeq ($(BUILD_VARIANT),openssl) CONFIG_OPENVPN_OPENSSL:=y endif +ifeq ($(BUILD_VARIANT),wolfssl) +CONFIG_OPENVPN_WOLFSSL:=y +endif CONFIGURE_VARS += \ - IFCONFIG=/sbin/ifconfig \ - ROUTE=/sbin/route \ IPROUTE=/sbin/ip \ NETSTAT=/sbin/netstat 
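Review bot: Dropping `IFCONFIG=/sbin/ifconfig` and `ROUTE=/sbin/route` from CONFIGURE_VARS in the last hunk leaves those two paths to configure's own probing, which runs on the build host, while the Config-*.in files in this commit still default ENABLE_IPROUTE2 to n, so the non-iproute2 builds may end up with a host-detected or bare `ifconfig`/`route` path instead of the target's /sbin ones. I believe 2.5.x configure.ac still declares the IFCONFIG and ROUTE variables (2.6 is where Linux stopped using them); if that is confirmed the two lines should stay, and if it is not, a short comment above the block saying why they were removed would stop the next reader from re-adding them. The PKG_HASH and maintainer changes in the first hunk are routine.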
@@ -77,7 +80,6 @@ define Build/Configure $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \ - $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \ @@ -85,13 +87,15 @@ define Build/Configure $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \ - $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \ + $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl --with-openssl-engine=no) \ $(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \ + $(if $(CONFIG_OPENVPN_WOLFSSL),--with-crypto-library=wolfssl) \ ) endef define Package/openvpn-$(BUILD_VARIANT)/conffiles /etc/config/openvpn +/etc/openvpn.user endef define Package/openvpn-$(BUILD_VARIANT)/install @@ -101,7 +105,10 @@ define Package/openvpn-$(BUILD_VARIANT)/install $(1)/etc/init.d \ $(1)/etc/config \ $(1)/etc/openvpn \ - $(1)/lib/upgrade/keep.d + $(1)/lib/functions \ + $(1)/lib/upgrade/keep.d \ + $(1)/usr/libexec \ + $(1)/etc/hotplug.d/openvpn $(INSTALL_BIN) \ $(PKG_INSTALL_DIR)/usr/sbin/openvpn \ 
@@ -110,6 +117,23 @@ define Package/openvpn-$(BUILD_VARIANT)/install $(INSTALL_BIN) \ files/openvpn.init \ $(1)/etc/init.d/openvpn + + $(INSTALL_BIN) \ + files/usr/libexec/openvpn-hotplug \ + $(1)/usr/libexec/openvpn-hotplug + + $(INSTALL_DATA) \ + files/lib/functions/openvpn.sh \ + $(1)/lib/functions/openvpn.sh + + $(INSTALL_DATA) \ + files/etc/hotplug.d/openvpn/01-user \ + $(1)/etc/hotplug.d/openvpn/01-user + + $(INSTALL_DATA) \ + files/etc/openvpn.user \ + $(1)/etc/openvpn.user + $(INSTALL_DATA) \ files/openvpn.options \ $(1)/usr/share/openvpn/openvpn.options @@ -124,3 +148,4 @@ endef $(eval $(call BuildPackage,openvpn-openssl)) $(eval $(call BuildPackage,openvpn-mbedtls)) +$(eval $(call BuildPackage,openvpn-wolfssl)) diff --git a/package/network/services/openvpn/files/etc/hotplug.d/openvpn/01-user b/package/network/services/openvpn/files/etc/hotplug.d/openvpn/01-user new file mode 100644 index 0000000000..4c72f1c4bd --- /dev/null +++ b/package/network/services/openvpn/files/etc/hotplug.d/openvpn/01-user @@ -0,0 +1,22 @@ +#!/bin/sh + +[ -e "/etc/openvpn.user" ] && { + env -i ACTION="$ACTION" INSTANCE="$INSTANCE" \ + /bin/sh \ + /etc/openvpn.user \ + $* +} + +# Wrap user defined scripts on up/down events +case "$ACTION" in + up) command=$user_up ;; + down) command=$user_down ;; + *) command= ;; +esac + +if [ -n "$command" ]; then + shift + exec /bin/sh -c "$command $*" +fi + +exit 0 diff --git a/package/network/services/openvpn/files/etc/openvpn.user b/package/network/services/openvpn/files/etc/openvpn.user new file mode 100644 index 0000000000..a77566556a --- /dev/null +++ b/package/network/services/openvpn/files/etc/openvpn.user 
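Review bot: `exec /bin/sh -c "$command $*"` at the end of 01-user re-parses both the configured up/down command and openvpn's positional arguments through a second shell, so argument boundaries are lost and any whitespace or metacharacter in an argument is interpreted instead of passed through, which also differs from how openvpn runs `--up` itself (argv, no shell). Passing the arguments as positional parameters keeps the command string user-controlled but the arguments literal: `exec /bin/sh -c "$command \"\$@\"" sh "$@"`, and the earlier `/etc/openvpn.user $*` call should likewise use `"$@"`. Since hotplug-call sources this file with its own positional parameters, the first block presumably hands the hotplug type to openvpn.user as $1 while the shifted command does not; worth confirming and documenting in openvpn.user so both paths see the same argument list.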
@@ -0,0 +1,11 @@ +#!/bin/sh +# +# This file is interpreted as shell script. +# Put your custom openvpn action here, they will +# be executed with each opevnp event. +# +# $ACTION +# down action is generated after the TUN/TAP device is closed +# up action is generated after the TUN/TAP device is opened +# $INSTANCE Name of the openvpn instance which went up or down + diff --git a/package/network/services/openvpn/files/lib/functions/openvpn.sh b/package/network/services/openvpn/files/lib/functions/openvpn.sh new file mode 100644 index 0000000000..2de6fb730a --- /dev/null +++ b/package/network/services/openvpn/files/lib/functions/openvpn.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +get_openvpn_option() { + local config="$1" + local variable="$2" + local option="$3" + + local value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+'"'([^']+)'"'[ \t]*$/\1/p' "$config" | tail -n1)" + [ -n "$value" ] || value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+"(([^"\\]|\\.)+)"[ \t]*$/\1/p' "$config" | tail -n1 | sed -re 's/\\(.)/\1/g')" + [ -n "$value" ] || value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+(([^ \t\\]|\\.)+)[ \t]*$/\1/p' "$config" | tail -n1 | sed -re 's/\\(.)/\1/g')" + [ -n "$value" ] || return 1 + + export -n "$variable=$value" + return 0 +} + diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config index 1fd846f558..ea442c7656 100644 --- a/package/network/services/openvpn/files/openvpn.config +++ b/package/network/services/openvpn/files/openvpn.config @@ -9,6 +9,13 @@ config openvpn custom_config # Set to 1 to enable this instance: option enabled 0 + # Credentials to login + #option username 'login' + #option password 'password' + + # Password for client certificate + #option cert_password 'cert_password' + # Include OpenVPN configuration option config /etc/openvpn/my-vpn.conf 
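Review bot: get_openvpn_option splices `$option` unescaped into three sed regexes and assigns through `export -n "$variable=$value"`, so both arguments must be fixed identifiers chosen by the caller, never anything derived from the config file; that contract, and the last-match-wins behaviour given by `tail -n1`, are not written down. A header comment such as `# get_openvpn_option <file> <var> <option>: set <var> to the last value of <option> in <file>; <option> is used as a regex fragment and <var> as a shell name, so pass literals only.` would keep future callers honest.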
@@ -77,10 +84,10 @@ config openvpn sample_server # Diffie hellman parameters. # Generate your own with: - # openssl dhparam -out dh1024.pem 1024 + # openssl dhparam -out dh2048.pem 2048 # Substitute 2048 for 1024 if you are using - # 2048 bit keys. - option dh /etc/openvpn/dh1024.pem + # 1024 bit keys. + option dh /etc/openvpn/dh2048.pem # Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. 
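Review bot: The reworded comment in this hunk now reads backwards: after switching the default to dh2048.pem, `# Substitute 2048 for 1024 if you are using 1024 bit keys.` tells the reader to replace the smaller number, where it should be `# Substitute 1024 for 2048 if you are using 1024 bit keys.`. Given that 2048-bit parameters are now the default, it may be simpler to drop the substitution hint entirely rather than document the weaker size.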
@@ -228,24 +235,84 @@ config openvpn sample_server # This file is secret: # option tls_auth "/etc/openvpn/ta.key 0" - # Select a cryptographic cipher. - # This config item must be copied to - # the client config file as well. - # Blowfish (default): -# option cipher BF-CBC - # AES: -# option cipher AES-128-CBC - # Triple-DES: -# option cipher DES-EDE3-CBC + # For additional privacy, a shared secret key + # can be used for both authentication (as in tls_auth) + # and encryption of the TLS control channel. + # + # Generate a shared secret with: + # openvpn --genkey --secret ta.key + # + # The server and each client must have + # a copy of this key. + # + # tls_auth and tls_crypt should NOT + # be combined, as tls_crypt implies tls_auth. + # Use EITHER tls_crypt, tls_auth, or neither option. +# option tls_crypt "/etc/openvpn/ta.key" + + # Set the minimum required TLS protocol version + # for all connections. + # + # Require at least TLS 1.1 +# option tls_version_min "1.1" + # Require at least TLS 1.2 +# option tls_version_min "1.2" + # Require TLS 1.2, or the highest version supported + # on the system +# option tls_version_min "1.2 'or-highest'" + + # List the preferred ciphers to use for the data channel. + # Run openvpn --show-ciphers to see all supported ciphers. +# list data_ciphers 'AES-256-GCM' +# list data_ciphers 'AES-128-GCM' +# list data_ciphers 'CHACHA20-POLY1305' + + # Set a fallback cipher in order to be compatible with + # peers that do not support cipher negotiation. 
+ # + # Use AES-256-CBC as fallback +# option data_ciphers_fallback 'AES-128-CBC' + # Use AES-128-CBC as fallback +# option data_ciphers_fallback 'AES-256-CBC' + # Use Triple-DES as fallback +# option data_ciphers_fallback 'DES-EDE3-CBC' + # Use BF-CBC as fallback +# option data_ciphers_fallback 'BF-CBC' + + # OpenVPN versions 2.4 and later will attempt to + # automatically negotiate the most secure cipher + # between the client and server, regardless of a + # configured "option cipher" (see below). + # Automatic negotiation is recommended. + # + # Uncomment this option to disable this behavior, + # and force all OpenVPN peers to use the configured + # cipher option instead (not recommended). +# option ncp_disable # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. + # + # Compression is not recommended, as compression and + # encryption in combination can weaken the security + # of the connection. + # # LZ4 requires OpenVPN 2.4+ client and server # option compress lz4 + # LZO is available by default only in openvpn-openssl variant # LZO is compatible with most OpenVPN versions - # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients) - option compress lzo +# option compress lzo + + # Control how OpenVPN handles peers using compression + # + # Do not allow any connections using compression +# option allow_compression 'no' + # Allow incoming compressed packets, but do not send compressed packets to other peers + # This can be useful when migrating old configurations with compression activated +# option allow_compression 'asym' + # Both incoming and outgoing packets may be compressed +# option allow_compression 'yes' # The maximum number of concurrently connected # clients we want to allow. 
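Review bot: The data_ciphers_fallback examples are mislabelled: `# Use AES-256-CBC as fallback` is followed by `option data_ciphers_fallback 'AES-128-CBC'` and `# Use AES-128-CBC as fallback` by `'AES-256-CBC'`; swap the two values so each comment matches the option it describes. The same swap is present in the sample_client hunk further down (`@@ -381,24 +448,56 @@`). The ncp_disable paragraph also still refers to a configured `"option cipher" (see below)`, but this hunk removes the cipher example it pointed at, so that reference should be dropped or reworded to name data_ciphers_fallback.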
@@ -371,7 +438,7 @@ config openvpn sample_client option key /etc/openvpn/client.key # Verify server certificate by checking - # that the certicate has the nsCertType + # that the certicate has the key usage # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: 
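Review bot: Only the first line of the remote_cert_tls comment was updated: the following lines, visible as context in the next hunk, still say to build `your server certificates with the nsCertType field set to "server"`, which no longer matches the `option remote_cert_tls server` example that replaces ns_cert_type. Reword them to refer to the extended key usage (e.g. `# your server certificates with the extended key usage` / `# field set to "TLS Web Server Authentication".`) and fix the `certicate` typo while here.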
@@ -381,24 +448,56 @@ config openvpn sample_client # your server certificates with the nsCertType # field set to "server". The build_key_server # script in the easy_rsa folder will do this. -# option ns_cert_type server +# option remote_cert_tls server # If a tls_auth key is used on the server # then every client must also have the key. # option tls_auth "/etc/openvpn/ta.key 1" - # Select a cryptographic cipher. - # If the cipher option is used on the server - # then you must also specify it here. -# option cipher x + # If a tls_crypt key is used on the server + # every client must also have the key. +# option tls_crypt "/etc/openvpn/ta.key" + + # Set the minimum required TLS protocol version + # for all connections. + # + # Require at least TLS 1.1 +# option tls_version_min "1.1" + # Require at least TLS 1.2 +# option tls_version_min "1.2" + # Require TLS 1.2, or the highest version supported + # on the system +# option tls_version_min "1.2 'or-highest'" + + # List the preferred ciphers for the data channel. +# list data_ciphers 'AES-256-GCM' +# list data_ciphers 'AES-128-GCM' +# list data_ciphers 'CHACHA20-POLY1305' + + # Set a fallback cipher if you connect to a peer that does + # not support cipher negotiation. + # Use AES-256-CBC as fallback +# option data_ciphers_fallback 'AES-128-CBC' + # Use AES-128-CBC as fallback +# option data_ciphers_fallback 'AES-256-CBC' + # Use Triple-DES as fallback +# option data_ciphers_fallback 'DES-EDE3-CBC' + # Use BF-CBC as fallback +# option data_ciphers_fallback 'BF-CBC' # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. + # + # Compression is not recommended, as compression and + # encryption in combination can weaken the security + # of the connection. 
+ # # LZ4 requires OpenVPN 2.4+ on server and client # option compress lz4 + # LZO is available by default only in openvpn-openssl variant # LZO is compatible with most OpenVPN versions - option compress lzo +# option compress lzo # Set log file verbosity. option verb 3 diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init index a7d35d1a98..380b423495 100644 --- a/package/network/services/openvpn/files/openvpn.init +++ b/package/network/services/openvpn/files/openvpn.init @@ -42,8 +42,9 @@ append_params() { config_get v "$s" "$p" IFS="$LIST_SEP" for v in $v; do + [ "$v" = "frames_only" ] && [ "$p" = "compress" ] && unset v && append_param "$s" "$p" && echo >> "/var/etc/openvpn-$s.conf" [ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf" - [ -n "$v" ] && [ "$p" == "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf" + [ -n "$v" ] && [ "$p" = "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf" done unset IFS done 
@@ -69,17 +70,94 @@ section_enabled() { [ $enable -gt 0 ] || [ $enabled -gt 0 ] } +create_temp_file() { + mkdir -p "$(dirname "$1")" + rm -f "$1" + touch "$1" + chown root "$1" + chmod 0600 "$1" +} + +openvpn_get_dev() { + local dev dev_type + local name="$1" + local conf="$2" + + # Do override only for configurations with config_file + config_get config_file "$name" config + [ -n "$config_file" ] || return + + # Check there is someething to override + config_get dev "$name" dev + config_get dev_type "$name" dev_type + [ -n "$dev" ] || return + + # If there is a no dev_type, try to guess it + if [ -z "$dev_type" ]; then + . /lib/functions/openvpn.sh + + local odev odev_type + get_openvpn_option "$conf" odev dev + get_openvpn_option "$conf" odev_type dev-type + [ -n "$odev_type" ] || odev_type="$odev" + + case "$odev_type" in + tun*) dev_type="tun" ;; + tap*) dev_type="tap" ;; + *) return;; + esac + fi + + # Return overrides + echo "--dev-type $dev_type --dev $dev" +} + +openvpn_get_credentials() { + local name="$1" + local ret="" + + config_get cert_password "$name" cert_password + config_get password "$name" password + config_get username "$name" username + + if [ -n "$cert_password" ]; then + create_temp_file /var/run/openvpn.$name.pass + echo "$cert_password" > /var/run/openvpn.$name.pass + ret=" --askpass /var/run/openvpn.$name.pass " + fi + + if [ -n "$username" ]; then + create_temp_file /var/run/openvpn.$name.userpass + echo "$username" > /var/run/openvpn.$name.userpass + echo "$password" >> /var/run/openvpn.$name.userpass + ret=" --auth-user-pass /var/run/openvpn.$name.userpass " + fi + + # Return overrides + echo "$ret" +} + openvpn_add_instance() { local name="$1" local dir="$2" local conf="$3" + local security="$4" + local up="$5" + local down="$6" procd_open_instance "$name" procd_set_param command "$PROG" \ --syslog "openvpn($name)" \ --status "/var/run/openvpn.$name.status" \ --cd "$dir" \ - --config "$conf" + --config "$conf" \ + --up 
"/usr/libexec/openvpn-hotplug up $name" \ + --down "/usr/libexec/openvpn-hotplug down $name" \ + ${up:+--setenv user_up "$up"} \ + ${down:+--setenv user_down "$down"} \ + --script-security "${security:-2}" \ + $(openvpn_get_dev "$name" "$conf") \ + $(openvpn_get_credentials "$name" "$conf") procd_set_param file "$dir/$conf" procd_set_param term_timeout 15 procd_set_param respawn @@ -100,22 +178,28 @@ start_instance() { return 1 } + local up down script_security + config_get up "$s" up + config_get down "$s" down + config_get script_security "$s" script_security + [ ! -d "/var/run" ] && mkdir -p "/var/run" if [ ! -z "$config" ]; then append UCI_STARTED "$config" "$LIST_SEP" - openvpn_add_instance "$s" "${config%/*}" "$config" + [ -n "$up" ] || get_openvpn_option "$config" up up + [ -n "$down" ] || get_openvpn_option "$config" down down + openvpn_add_instance "$s" "${config%/*}" "$config" "$script_security" "$up" "$down" return fi - [ ! -d "/var/etc" ] && mkdir -p "/var/etc" - [ -f "/var/etc/openvpn-$s.conf" ] && rm "/var/etc/openvpn-$s.conf" + create_temp_file "/var/etc/openvpn-$s.conf" append_bools "$s" $OPENVPN_BOOLS append_params "$s" $OPENVPN_PARAMS append_list "$s" $OPENVPN_LIST - openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf" + openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf" "$script_security" "$up" "$down" } start_service() { @@ -132,6 +216,7 @@ start_service() { fi } + . /lib/functions/openvpn.sh . /usr/share/openvpn/openvpn.options config_load 'openvpn' @@ -141,7 +226,7 @@ start_service() { else config_foreach start_instance 'openvpn' - local path name + local path name up down for path in /etc/openvpn/*.conf; do if [ -f "$path" ]; then name="${path##*/}"; name="${name%.conf}" 
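Review bot: openvpn_get_credentials writes the secrets with `echo "$cert_password"` and `echo "$password"`, which mangles values that start with `-n`/`-e` or contain backslashes under busybox echo; use `printf '%s\n' "$cert_password" > /var/run/openvpn.$name.pass` and the same form for the two userpass lines. create_temp_file also creates the file with the caller's umask and only afterwards applies `chmod 0600`, so replacing the touch/chmod pair with `(umask 077; : > "$1")` removes that window and makes the mode independent of the environment. `--script-security "${security:-2}"` now applies to every instance, including ones that never had scripts, because the hotplug `--up`/`--down` hooks are unconditional; that is presumably intended, but a one-line comment above openvpn_add_instance saying so would help. openvpn_add_instance's body continues past the end of the hunk.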
@@ -156,7 +241,9 @@ start_service() { continue fi - openvpn_add_instance "$name" "${path%/*}" "$path" + get_openvpn_option "$path" up up || up="" + get_openvpn_option "$path" down down || down="" + openvpn_add_instance "$name" "${path%/*}" "$path" "" "$up" "$down" fi done fi diff --git a/package/network/services/openvpn/files/openvpn.options b/package/network/services/openvpn/files/openvpn.options index 2da563968c..5a7c756f7d 100644 --- a/package/network/services/openvpn/files/openvpn.options +++ b/package/network/services/openvpn/files/openvpn.options @@ -1,10 +1,12 @@ OPENVPN_PARAMS=' +allow_compression askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers +bind_dev ca capath cd @@ -21,11 +23,11 @@ connect_retry connect_retry_max connect_timeout crl_verify +data_ciphers_fallback dev dev_node dev_type dh -down ecdh_curve echo engine @@ -52,7 +54,6 @@ iroute_ipv6 keepalive key key_direction -key_method keysize learn_address link_mtu @@ -70,7 +71,6 @@ mssfix mtu_disc mute nice -ns_cert_type ping ping_exit ping_restart @@ -103,11 +103,11 @@ route_metric route_pre_down route_up rport -script_security secret server server_bridge server_ipv6 +server_poll_timeout setenv shaper sndbuf @@ -118,6 +118,9 @@ syslog tcp_queue_limit tls_auth tls_crypt +tls_crypt_v2 +tls_crypt_v2_verify +tls_export_cert tls_timeout tls_verify tls_version_min @@ -127,11 +130,12 @@ tran_window tun_mtu tun_mtu_extra txqueuelen -up user verb verify_client_cert verify_x509_name +vlan_accept +vlan_pvid x509_username_field ' @@ -140,6 +144,7 @@ allow_recursive_routing auth_nocache auth_user_pass_optional bind +block_ipv6 ccd_exclusive client client_to_client @@ -172,6 +177,7 @@ persist_remote_ip persist_tun ping_timer_rem pull +push_peer_info push_reset remote_random rmtun @@ -188,10 +194,13 @@ tls_server up_delay up_restart username_as_common_name +vlan_tagging ' OPENVPN_LIST=' +data_ciphers ncp_ciphers tls_cipher tls_ciphersuites +tls_groups ' 
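Review bot: Options removed from OPENVPN_PARAMS (`down`, `key_method`, `ns_cert_type`, `script_security`, `up`) are not rejected anywhere, so a UCI section that still carries them is silently accepted; `up`, `down` and `script_security` are picked up by the init script, but an existing `option ns_cert_type server` now drops the server-certificate check without any message. Suggest that start_instance log a warning when `ns_cert_type` or `key_method` is set and point the user to `remote_cert_tls`, and that the removal be mentioned in the package's upgrade notes. Users relying on `up`/`down` being written straight into the generated config should also be told that those are now routed through the hotplug wrapper instead.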
diff --git a/package/network/services/openvpn/files/usr/libexec/openvpn-hotplug b/package/network/services/openvpn/files/usr/libexec/openvpn-hotplug new file mode 100644 index 0000000000..9235fbacfe --- /dev/null +++ b/package/network/services/openvpn/files/usr/libexec/openvpn-hotplug @@ -0,0 +1,10 @@ +#!/bin/sh + +ACTION=$1 +shift +INSTANCE=$1 +shift + +export ACTION=$ACTION +export INSTANCE=$INSTANCE +exec /sbin/hotplug-call openvpn "$@" diff --git a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch index 101fa12ba2..e4e6d39413 100644 --- a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch +++ b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch @@ -1,9 +1,9 @@ --- a/src/openvpn/options.c +++ b/src/openvpn/options.c -@@ -106,7 +106,6 @@ const char title_string[] = - #ifdef HAVE_AEAD_CIPHER_MODES - " [AEAD]" +@@ -105,7 +105,6 @@ const char title_string[] = + #endif #endif + " [AEAD]" - " built on " __DATE__ ; diff --git a/package/network/services/openvpn/patches/002-add-wolfssl-support.patch b/package/network/services/openvpn/patches/002-add-wolfssl-support.patch new file mode 100644 index 0000000000..7311a36eb3 --- /dev/null +++ b/package/network/services/openvpn/patches/002-add-wolfssl-support.patch 
@@ -0,0 +1,190 @@ +From: Gert Doering + +Support for wolfSSL in OpenVPN + +This patch adds support for wolfSSL in OpenVPN. Support is added by using +wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged +and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is +linked against the wolfSSL library. The wolfSSL installation directory is +detected using pkg-config. + +As requested by OpenVPN maintainers, this patch does not include +wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN +in the configure script wolfSSL will include wolfssl/options.h on its own +(change added in wolfSSL/wolfssl#2825). The patch +adds an option '--disable-wolfssl-options-h' in case the user would like +to supply their own settings file for wolfSSL. + +wolfSSL: +Support added in: wolfSSL/wolfssl#2503 + +git clone https://github.com/wolfSSL/wolfssl.git +cd wolfssl +./autogen.sh +./configure --enable-openvpn +make +sudo make install + +OpenVPN: + +autoreconf -i -v -f +./configure --with-crypto-library=wolfssl +make +make check +sudo make install + +Signed-off-by: Juliusz Sosinowicz +Acked-by: Arne Schwabe +Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html +Signed-off-by: Gert Doering +--- + configure.ac | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- + src/openvpn/syshead.h | 3 ++- + 2 files changed, 110 insertions(+), 3 deletions(-) +--- a/configure.ac ++++ b/configure.ac +@@ -271,16 +271,23 @@ AC_ARG_WITH( + + AC_ARG_WITH( + [crypto-library], +- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], ++ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], + [ + case "${withval}" in +- openssl|mbedtls) ;; ++ openssl|mbedtls|wolfssl) ;; + *) AC_MSG_ERROR([bad value 
${withval} for --with-crypto-library]) ;; + esac + ], + [with_crypto_library="openssl"] + ) + ++AC_ARG_ENABLE( ++ [wolfssl-options-h], ++ [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])], ++ , ++ [enable_wolfssl_options_h="yes"] ++) ++ + AC_ARG_WITH( + [openssl-engine], + [AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])], +@@ -1054,6 +1061,105 @@ elif test "${with_crypto_library}" = "mb + AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) + CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" + CRYPTO_LIBS="${MBEDTLS_LIBS}" ++ ++elif test "${with_crypto_library}" = "wolfssl"; then ++ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should ++ contain the regular wolfSSL header files but also the ++ wolfSSL OpenSSL header files. Ex: -I/usr/local/include ++ -I/usr/local/include/wolfssl]) ++ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) ++ ++ saved_CFLAGS="${CFLAGS}" ++ saved_LIBS="${LIBS}" ++ ++ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then ++ # if the user did not explicitly specify flags, try to autodetect ++ PKG_CHECK_MODULES( ++ [WOLFSSL], ++ [wolfssl], ++ [], ++ [AC_MSG_ERROR([Could not find wolfSSL.])] ++ ) ++ PKG_CHECK_VAR( ++ [WOLFSSL_INCLUDEDIR], ++ [wolfssl], ++ [includedir], ++ [], ++ [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])] ++ ) ++ WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl" ++ fi ++ saved_CFLAGS="${CFLAGS}" ++ saved_LIBS="${LIBS}" ++ CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}" ++ LIBS="${LIBS} ${WOLFSSL_LIBS}" ++ ++ AC_CHECK_LIB( ++ [wolfssl], ++ [wolfSSL_Init], ++ [], ++ [AC_MSG_ERROR([Could not link wolfSSL library.])] ++ ) ++ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) ++ ++ # wolfSSL signal EKM support ++ have_export_keying_material="yes" ++ ++ 
AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as 
macros]) ++ AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ 
AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++
++ if test "${enable_wolfssl_options_h}" = "yes"; then
++ AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
++ else
++ AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
++ fi
++
++ have_export_keying_material="yes"
++
++ CFLAGS="${saved_CFLAGS}"
++ LIBS="${saved_LIBS}"
++
++ AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
++ AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
++ CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
++ CRYPTO_LIBS="${WOLFSSL_LIBS}"
+ else
+ AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
+ fi
+--- a/src/openvpn/syshead.h
++++ b/src/openvpn/syshead.h
+@@ -582,7 +582,8 @@ socket_defined(const socket_descriptor_t
+ /*
+ * Do we have CryptoAPI capability?
+ */
+-#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL)
++#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \
++ !defined(ENABLE_CRYPTO_WOLFSSL)
+ #define ENABLE_CRYPTOAPI
+ #endif
+
diff --git a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
index cb16a906fe..42665db872 100644
--- a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
-@@ -1415,7 +1415,7 @@ const char *
+@@ -1539,7 +1539,7 @@ const char *
get_ssl_library_version(void)
{
static char mbedtls_version[30];
diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
index 90252ce9f3..b5f675adec 100644
--- a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
@@ -1,6 +1,6 @@
--- a/configure.ac
+++ b/configure.ac
-@@ -1074,68 +1074,15 @@ dnl
+@@ -1211,68 +1211,15 @@ dnl
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
diff --git a/package/network/services/openvpn/patches/220-disable_des.patch b/package/network/services/openvpn/patches/220-disable_des.patch
index 2b8f47a802..a49c463c4d 100644
--- a/package/network/services/openvpn/patches/220-disable_des.patch
+++ b/package/network/services/openvpn/patches/220-disable_des.patch
@@ -1,24 +1,17 @@
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
-@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t
+@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
/*
* Should we include NTLM proxy functionality
*/
--#if defined(ENABLE_CRYPTO)
-#define NTLM 1
--#else
-+//#if defined(ENABLE_CRYPTO)
+//#define NTLM 1
-+//#else
- #define NTLM 0
--#endif
-+//#endif
/*
* Should we include proxy digest auth functionality
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
-@@ -319,6 +319,7 @@ int
+@@ -396,6 +396,7 @@ int
key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
{
int ret = 0;
@@ -26,7 +19,7 @@
if (kt->type == MBEDTLS_CIPHER_DES_CBC)
{
ret = 1;
-@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -408,6 +409,7 @@ key_des_num_cblocks(const mbedtls_cipher
{
ret = 3;
}
@@ -34,7 +27,7 @@
dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); return ret;
-@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -416,6 +418,7 @@ key_des_num_cblocks(const mbedtls_cipher
bool
key_des_check(uint8_t *key, int key_len, int ndc)
{
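Review bot: The rewritten syshead.h hunk in 220-disable_des.patch leaves `NTLM` with no definition at all: the old patch kept an explicit `#define NTLM 0` as context, while the new side only turns `#define NTLM 1` into the commented-out `//#define NTLM 1` (the collapsed whitespace hides the inner markers, so this reading is inferred from the -7/+7 hunk counts). If the consumers test it with `#if NTLM`, the feature is disabled only because an undefined identifier evaluates to 0 in `#if`, which trips -Wundef and is a fragile way to express a build-policy decision. Prefer `+#define NTLM 0` plus a one-line why-comment, e.g. `/* NTLM proxy auth disabled together with the DES code below (see 220-disable_des.patch) */`, rather than dead commented-out code; the dependency on DES is inferred from the patch name and worth stating in the comment. The remaining hunks in this file only renumber line offsets for 2.5.8 and need no change.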
@@ -42,7 +35,7 @@
int i; struct buffer b;
-@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len,
+@@ -444,11 +447,15 @@ key_des_check(uint8_t *key, int key_len,
err: return false;
@@ -58,7 +51,7 @@
int i; struct buffer b;
-@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len,
+@@ -463,6 +470,7 @@ key_des_fixup(uint8_t *key, int key_len,
}
mbedtls_des_key_set_parity(key);
}
@@ -66,7 +59,7 @@
}
/*
-@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch
+@@ -783,10 +791,12 @@ cipher_des_encrypt_ecb(const unsigned ch
unsigned char *src,
unsigned char *dst)
{
diff --git a/package/network/services/openvpn/test.sh b/package/network/services/openvpn/test.sh
new file mode 100755
index 0000000000..71cdc35db1
--- /dev/null
+++ b/package/network/services/openvpn/test.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+case "$1" in
+ "openvpn-mbedtls")
+ openvpn --version | grep "$2.*SSL (mbed TLS)"
+ ;;
+ "openvpn-openssl"|"openvpn-wolfssl")
+ openvpn --version | grep "$2.*SSL (OpenSSL)"
+ ;;
+esac
--
2.25.1
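Review bot: The `case "$1" in` in the new test.sh has no default branch, so an unrecognised package name matches nothing, the `case` exits with status 0 and the check passes without ever running `openvpn --version`; add `*) exit 1 ;;` before `esac` so a typo or a future variant fails loudly. Note also that `$2` is spliced into the grep pattern as a regex, so the dots in a version such as `2.5.8` match any character — harmless for a smoke test, but worth a comment. The openssl and wolfssl variants share one branch that greps for `SSL (OpenSSL)`, which presumably reflects the wolfSSL build going through the OpenSSL compatibility layer added by 002-add-wolfssl-support.patch; since the test therefore cannot tell the two builds apart, a comment such as `# wolfSSL builds report "OpenSSL" via the compat layer` would stop the next reader from treating that as a bug.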