From a575f7910b8bb2eb4627552f6a8e675d65fd0027 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Thu, 18 Jun 2015 06:41:49 +0000
Subject: [PATCH 01/23] CC: openvpn: bump to 2.3.7.
Two patches are dropped as they were already applied upstream.
Signed-off-by: Yousong Zhou
SVN-Revision: 46027
---
 package/network/services/openvpn/Makefile | 6 +-
 .../001-backport_cipher_none_fix.patch | 57 -------------------
 .../openvpn/patches/100-polarssl_compat.h | 2 +-
 .../openvpn/patches/110-musl_compat.patch | 13 -----
 ...20-polarssl-disable-record-splitting.patch | 6 +-
 5 files changed, 6 insertions(+), 78 deletions(-)
 delete mode 100644 package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch
 delete mode 100644 package/network/services/openvpn/patches/110-musl_compat.patch
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 81d800719a..f3de63d0c6 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
-PKG_VERSION:=2.3.6
-PKG_RELEASE:=5
+PKG_VERSION:=2.3.7
+PKG_RELEASE:=1
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MD5SUM:=6ca03fe0fd093e0d01601abee808835c
+PKG_MD5SUM:=070bca95e478f88dff9ec6a221e2c3f7
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
diff --git a/package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch b/package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch
deleted file mode 100644
index af445e3bc8..0000000000
--- a/package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch
+++ /dev/null
@@ -1,57 +0,0 @@ -commit 98156e90e1e83133a6a6a020db8e7333ada6156b -Author: Steffan Karger -Date: Tue Dec 2 21:42:00 2014 +0100 - - Really fix '--cipher none' regression - - ... by not incorrectly hinting to the compiler the function argument of - cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the - case. - - Verified the fix on Debian Wheezy, one of the platforms the reporter in - trac #473 mentions with a compiler that would optimize out the required - checks. - - Also add a testcase for --cipher none to t_lpback, to prevent further - regressions. - - Signed-off-by: Steffan Karger - Acked-by: Gert Doering - Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me> - URL: http://article.gmane.org/gmane.network.openvpn.devel/9300 - Signed-off-by: Gert Doering - ---- a/src/openvpn/crypto_backend.h -+++ b/src/openvpn/crypto_backend.h -@@ -237,8 +237,7 @@ int cipher_kt_mode (const cipher_kt_t *c - * - * @return true iff the cipher is a CBC mode cipher. - */ --bool cipher_kt_mode_cbc(const cipher_kt_t *cipher) -- __attribute__((nonnull)); -+bool cipher_kt_mode_cbc(const cipher_kt_t *cipher); - - /** - * Check if the supplied cipher is a supported OFB or CFB mode cipher. -@@ -247,8 +246,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_ - * - * @return true iff the cipher is a OFB or CFB mode cipher. - */ --bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) -- __attribute__((nonnull)); -+bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher); - - - /** ---- a/tests/t_lpback.sh -+++ b/tests/t_lpback.sh -@@ -35,6 +35,9 @@ CIPHERS=$(${top_builddir}/src/openvpn/op - # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5) - CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' ) - -+# Also test cipher 'none' -+CIPHERS=${CIPHERS}$(printf "\nnone") -+ - "${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$ - set +e - 
diff --git a/package/network/services/openvpn/patches/100-polarssl_compat.h b/package/network/services/openvpn/patches/100-polarssl_compat.h
index 4def9670f0..a1c83b0e42 100644
--- a/package/network/services/openvpn/patches/100-polarssl_compat.h
+++ b/package/network/services/openvpn/patches/100-polarssl_compat.h
@@ -239,7 +239,7 @@ {
 --- a/configure.ac
 +++ b/configure.ac
-@@ -819,13 +819,13 @@ if test "${with_crypto_library}" = "pola
+@@ -832,13 +832,13 @@ if test "${with_crypto_library}" = "pola
 #include
 ]],
 [[
diff --git a/package/network/services/openvpn/patches/110-musl_compat.patch b/package/network/services/openvpn/patches/110-musl_compat.patch
deleted file mode 100644
index 566c17f062..0000000000
--- a/package/network/services/openvpn/patches/110-musl_compat.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/src/openvpn/syshead.h
-+++ b/src/openvpn/syshead.h
-@@ -214,10 +214,6 @@
-
- #ifdef TARGET_LINUX
-
--#if defined(HAVE_NETINET_IF_ETHER_H)
--#include
--#endif
--
- #ifdef HAVE_LINUX_IF_TUN_H
- #include
- #endif
diff --git a/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch b/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch
index 9e1511b6b6..b05592e149 100644
--- a/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch
+++ b/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch
@@ -1,7 +1,5 @@
-Index: openvpn-2.3.6/src/openvpn/ssl_polarssl.c
-===================================================================
---- openvpn-2.3.6.orig/src/openvpn/ssl_polarssl.c
-+++ openvpn-2.3.6/src/openvpn/ssl_polarssl.c
+--- a/src/openvpn/ssl_polarssl.c
++++ b/src/openvpn/ssl_polarssl.c
 @@ -707,6 +707,11 @@ void key_state_ssl_init(struct key_state
 if (ssl_ctx->allowed_ciphers)
 ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers);
From 2b9f94520620bf2b6ea8fdfaf3d3d8a321ed4ae0 Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Mon, 5 Oct 2015 10:28:47 +0000
Subject: [PATCH 02/23] CC: openvpn: add handling for route-pre-down option
OpenVPN 2.3 added a route-pre-down option, to run a command before routes are removed upon disconnection.
Signed-off-by: Jeffery To
SVN-Revision: 47134
---
 package/network/services/openvpn/files/openvpn.init | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init
index 861d0d62b3..994973b7d9 100644
--- a/package/network/services/openvpn/files/openvpn.init
+++ b/package/network/services/openvpn/files/openvpn.init
@@ -120,7 +120,7 @@ start_instance() {
 redirect_gateway remap_usr1 remote remote_cert_eku remote_cert_ku remote_cert_tls \
 reneg_bytes reneg_pkts reneg_sec \
 replay_persist replay_window resolv_retry route route_delay route_gateway \
- route_metric route_up rport script_security secret server server_bridge setenv shaper sndbuf \
+ route_metric route_pre_down route_up rport script_security secret server server_bridge setenv shaper sndbuf \
 socks_proxy status status_version syslog tcp_queue_limit tls_auth \
 tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \
 tun_mtu tun_mtu_extra txqueuelen user verb down push up \
From b8471452d367c2d932153997fb3a876b179ec008 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Tue, 10 Nov 2015 12:04:04 +0000
Subject: [PATCH 03/23] CC: openvpn: enable options consistency check even in the small build
Only costs about 3k compressed, but significantly improves handling of configuration mismatch
Signed-off-by: Felix Fietkau
SVN-Revision: 47439
---
 .../openvpn/patches/200-small_build_enable_occ.patch | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 package/network/services/openvpn/patches/200-small_build_enable_occ.patch
diff --git a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
new file mode 100644
index 0000000000..929d881038
--- /dev/null
+++ b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
@@ -0,0 +1,12 @@
+--- a/src/openvpn/syshead.h
++++ b/src/openvpn/syshead.h
+@@ -597,9 +597,7 @@ socket_defined (const socket_descriptor_
+ /*
+ * Should we include OCC (options consistency check) code?
+ */
+-#ifndef ENABLE_SMALL
+ #define ENABLE_OCC
+-#endif
+
+ /*
+ * Should we include NTLM proxy functionality
From da9cb1893eeda50851553c41f49916ccb4111d3b Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Wed, 23 Dec 2015 14:44:24 +0000
Subject: [PATCH 04/23] CC: openvpn: fix configure options
- eurephia: commit: Remove the --disable-eurephia configure option
- fix option name: http proxy option is now called http-proxy (see configure.ac)
fixes: configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http
Signed-off-by: Dirk Neukirchen
SVN-Revision: 47979
---
 package/network/services/openvpn/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index f3de63d0c6..64e3fbad50 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -72,7 +72,6 @@ define Build/Configure
 --disable-systemd \
 --disable-plugins \
 --disable-debug \
- --disable-eurephia \
 --disable-pkcs11 \
 --enable-password-save \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
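Review bot: The new patch file carries no header: unlike `101-remove_polarssl_debug_call.patch` later in this series, it begins directly at `--- a/src/openvpn/syshead.h`, so the reason for overriding `ENABLE_SMALL` here (OCC costs about 3k compressed but catches option mismatches between peers, per the commit message) is lost as soon as the patch is refreshed or carried into another tree. Add a two-line description plus a Signed-off-by above the first `---` line, in the same form the 101 patch uses, so the trade-off is visible to whoever next trims the small build.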
@@ -80,7 +79,7 @@ define Build/Configure
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SOCKS),--enable,--disable)-socks \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http \
+ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http-proxy \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
From 5d8ce68c95ae20c3cf056d8601124a925434037a Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Thu, 7 Jan 2016 21:08:05 +0000
Subject: [PATCH 05/23] CC: openvpn: added service_triggers() to init script
Follow up of #21469
This patch enables autoreloading openvpn via procd.
Signed-off-by: Federico Capoano
SVN-Revision: 48150
---
 package/network/services/openvpn/files/openvpn.init | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init
index 994973b7d9..342e5d8c70 100644
--- a/package/network/services/openvpn/files/openvpn.init
+++ b/package/network/services/openvpn/files/openvpn.init
@@ -152,3 +152,7 @@ start_service() {
 fi
 done
 }
+
+service_triggers() {
+ procd_add_reload_trigger openvpn
+}
From 9c573ae811c39b63d11f721cfd2bd2c0a8bb745e Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Mon, 11 Jan 2016 18:37:28 +0000
Subject: [PATCH 06/23] CC: openvpn: update to version 2.3.10
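Review bot: Registering `procd_add_reload_trigger openvpn` without a `reload_service` means procd will invoke the script's `reload`, which rc.common falls back to a full restart, so any edit to /etc/config/openvpn tears down every running tunnel rather than only the instance that changed — as far as this hunk shows, no `reload_service` is defined (the rest of the script is outside the hunk). If that is intended, say so next to the trigger, e.g. `# no reload_service: any config change restarts all instances`; if not, a `reload_service` that restarts only the affected sections would be kinder to routers carrying live traffic. `start_service` begins outside the hunk.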
Signed-off-by: Felix Fietkau
SVN-Revision: 48201
---
 package/network/services/openvpn/Makefile | 6 +-
 ...arssl-disable-runtime-version-check.patch} | 2 +-
 .../openvpn/patches/100-polarssl_compat.h | 257 ------------------
 ...20-polarssl-disable-record-splitting.patch | 14 -
 .../patches/200-small_build_enable_occ.patch | 2 +-
 5 files changed, 5 insertions(+), 276 deletions(-)
 rename package/network/services/openvpn/patches/{130-polarssl-disable-runtime-version-check.patch => 100-polarssl-disable-runtime-version-check.patch} (91%)
 delete mode 100644 package/network/services/openvpn/patches/100-polarssl_compat.h
 delete mode 100644 package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 64e3fbad50..78ddcb340a 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
-PKG_VERSION:=2.3.7
+PKG_VERSION:=2.3.10
 PKG_RELEASE:=1
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MD5SUM:=070bca95e478f88dff9ec6a221e2c3f7
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_MD5SUM:=8831ded42db4317e287157b6b8cba74c
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
diff --git a/package/network/services/openvpn/patches/130-polarssl-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
similarity index 91%
rename from package/network/services/openvpn/patches/130-polarssl-disable-runtime-version-check.patch
rename to package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
index c97e9f26af..73ab40649d 100644
--- a/package/network/services/openvpn/patches/130-polarssl-disable-runtime-version-check.patch
+++ b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_polarssl.c
 +++ b/src/openvpn/ssl_polarssl.c
-@@ -1119,7 +1119,7 @@ const char *
+@@ -1153,7 +1153,7 @@ const char *
 get_ssl_library_version(void)
 {
 static char polar_version[30];
diff --git a/package/network/services/openvpn/patches/100-polarssl_compat.h b/package/network/services/openvpn/patches/100-polarssl_compat.h
deleted file mode 100644
index a1c83b0e42..0000000000
--- a/package/network/services/openvpn/patches/100-polarssl_compat.h
+++ /dev/null
@@ -1,257 +0,0 @@ ---- a/src/openvpn/ssl_polarssl.h -+++ b/src/openvpn/ssl_polarssl.h -@@ -38,6 +38,8 @@ - #include - #endif - -+#include -+ - typedef struct _buffer_entry buffer_entry; - - struct _buffer_entry { ---- a/src/openvpn/ssl_polarssl.c -+++ b/src/openvpn/ssl_polarssl.c -@@ -46,7 +46,7 @@ - #include "manage.h" - #include "ssl_common.h" - --#include -+#include - #include - - #include "ssl_verify_polarssl.h" -@@ -212,13 +212,13 @@ tls_ctx_load_dh_params (struct tls_root_ - { - if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline) - { -- if (0 != x509parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline, -+ if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline, - strlen(dh_inline))) - msg (M_FATAL, "Cannot read inline DH parameters"); - } - else - { -- if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file)) -+ if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file)) - msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file); - } - -@@ -253,13 +253,13 @@ tls_ctx_load_cert_file (struct tls_root_ - - if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline) - { -- if (0 != x509parse_crt(ctx->crt_chain, -+ if (0 != x509_crt_parse(ctx->crt_chain, - (const unsigned char *) cert_inline, strlen(cert_inline))) - msg (M_FATAL, "Cannot load inline certificate file"); - } - else - { -- if (0 != x509parse_crtfile(ctx->crt_chain, cert_file)) -+ if (0 != x509_crt_parse_file(ctx->crt_chain, cert_file)) - msg (M_FATAL, "Cannot load certificate file %s", cert_file); - } - } -@@ -277,7 +277,7 @@ tls_ctx_load_priv_file (struct tls_root_ - status = x509parse_key(ctx->priv_key, - (const unsigned char *) priv_key_inline, strlen(priv_key_inline), - NULL, 0); -- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status) -+ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status) - { - char passbuf[512] = {0}; - pem_password_callback(passbuf, 512, 0, NULL); -@@ -289,7 +289,7 @@ tls_ctx_load_priv_file (struct tls_root_ - else - { - status = x509parse_keyfile(ctx->priv_key, 
priv_key_file, NULL); -- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status) -+ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status) - { - char passbuf[512] = {0}; - pem_password_callback(passbuf, 512, 0, NULL); -@@ -480,14 +480,14 @@ void tls_ctx_load_ca (struct tls_root_ct - - if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline) - { -- if (0 != x509parse_crt(ctx->ca_chain, (const unsigned char *) ca_inline, -+ if (0 != x509_crt_parse(ctx->ca_chain, (const unsigned char *) ca_inline, - strlen(ca_inline))) - msg (M_FATAL, "Cannot load inline CA certificates"); - } - else - { - /* Load CA file for verifying peer supplied certificate */ -- if (0 != x509parse_crtfile(ctx->ca_chain, ca_file)) -+ if (0 != x509_crt_parse_file(ctx->ca_chain, ca_file)) - msg (M_FATAL, "Cannot load CA certificate file %s", ca_file); - } - } -@@ -501,14 +501,14 @@ tls_ctx_load_extra_certs (struct tls_roo - - if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline) - { -- if (0 != x509parse_crt(ctx->crt_chain, -+ if (0 != x509_crt_parse(ctx->crt_chain, - (const unsigned char *) extra_certs_inline, - strlen(extra_certs_inline))) - msg (M_FATAL, "Cannot load inline extra-certs file"); - } - else - { -- if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file)) -+ if (0 != x509_crt_parse_file(ctx->crt_chain, extra_certs_file)) - msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file); - } - } -@@ -724,7 +724,7 @@ void key_state_ssl_init(struct key_state - external_key_len ); - else - #endif -- ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key ); -+ ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key ); - - /* Initialise SSL verification */ - #if P2MP_SERVER -@@ -1068,7 +1068,7 @@ print_details (struct key_state_ssl * ks - cert = ssl_get_peer_cert(ks_ssl->ctx); - if (cert != NULL) - { -- openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8); -+ openvpn_snprintf (s2, sizeof 
(s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8); - } - - msg (D_HANDSHAKE, "%s%s", s1, s2); ---- a/src/openvpn/crypto_polarssl.c -+++ b/src/openvpn/crypto_polarssl.c -@@ -487,7 +487,12 @@ cipher_ctx_get_cipher_kt (const cipher_c - - int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf) - { -- return 0 == cipher_reset(ctx, iv_buf); -+ int retval = cipher_reset(ctx); -+ -+ if (0 == retval) -+ cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size); -+ -+ return 0 == retval; - } - - int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len, ---- a/src/openvpn/ssl_verify_polarssl.h -+++ b/src/openvpn/ssl_verify_polarssl.h -@@ -34,6 +34,7 @@ - #include "misc.h" - #include "manage.h" - #include -+#include - - #ifndef __OPENVPN_X509_CERT_T_DECLARED - #define __OPENVPN_X509_CERT_T_DECLARED ---- a/src/openvpn/ssl_verify_polarssl.c -+++ b/src/openvpn/ssl_verify_polarssl.c -@@ -40,6 +40,7 @@ - #include "ssl_verify.h" - #include - #include -+#include - #include - - #define MAX_SUBJECT_LENGTH 256 -@@ -102,7 +103,7 @@ x509_get_username (char *cn, int cn_len, - /* Find common name */ - while( name != NULL ) - { -- if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0) -+ if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0) - break; - - name = name->next; -@@ -224,60 +225,18 @@ x509_setenv (struct env_set *es, int cer - while( name != NULL ) - { - char name_expand[64+8]; -+ const char *shortname; - -- if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 ) -+ if( 0 == oid_get_attr_short_name(&name->oid, &shortname) ) - { -- switch( name->oid.p[2] ) -- { -- case X520_COMMON_NAME: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN", -- cert_depth); break; -- -- case X520_COUNTRY: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C", -- cert_depth); break; -- -- case X520_LOCALITY: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L", -- cert_depth); break; -- -- 
case X520_STATE: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST", -- cert_depth); break; -- -- case X520_ORGANIZATION: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O", -- cert_depth); break; -- -- case X520_ORG_UNIT: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU", -- cert_depth); break; -- -- default: -- openvpn_snprintf (name_expand, sizeof(name_expand), -- "X509_%d_0x%02X", cert_depth, name->oid.p[2]); -- break; -- } -+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s", -+ cert_depth, shortname); -+ } -+ else -+ { -+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?", -+ cert_depth); - } -- else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 ) -- { -- switch( name->oid.p[8] ) -- { -- case PKCS9_EMAIL: -- openvpn_snprintf (name_expand, sizeof(name_expand), -- "X509_%d_emailAddress", cert_depth); break; -- -- default: -- openvpn_snprintf (name_expand, sizeof(name_expand), -- "X509_%d_0x%02X", cert_depth, name->oid.p[8]); -- break; -- } -- } -- else -- { -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?", -- cert_depth); -- } - - for( i = 0; i < name->val.len; i++ ) - { ---- a/configure.ac -+++ b/configure.ac -@@ -832,13 +832,13 @@ if test "${with_crypto_library}" = "pola - #include - ]], - [[ --#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000 -+#if POLARSSL_VERSION_NUMBER < 0x01030000 - #error invalid version - #endif - ]] - )], - [AC_MSG_RESULT([ok])], -- [AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])] -+ [AC_MSG_ERROR([PolarSSL 1.3.x required])] - ) - - polarssl_with_pkcs11="no" diff --git a/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch b/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch deleted file mode 100644 index b05592e149..0000000000 
--- a/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -707,6 +707,11 @@ void key_state_ssl_init(struct key_state
- if (ssl_ctx->allowed_ciphers)
- ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers);
-
-+ /* Disable record splitting (breaks current ssl handling) */
-+#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
-+ ssl_set_cbc_record_splitting (ks_ssl->ctx, SSL_CBC_RECORD_SPLITTING_DISABLED);
-+#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
-+
- /* Initialise authentication information */
- if (is_server)
- ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx );
diff --git a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
index 929d881038..eef4da2d26 100644
--- a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
+++ b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/syshead.h
 +++ b/src/openvpn/syshead.h
-@@ -597,9 +597,7 @@ socket_defined (const socket_descriptor_
+@@ -602,9 +602,7 @@ socket_defined (const socket_descriptor_
 /*
 * Should we include OCC (options consistency check) code?
 */
From 02f55130645da112ae903fb87389268e1bb921cb Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Tue, 8 Mar 2016 18:12:02 +0000
Subject: [PATCH 07/23] CC: openvpn: add support for X.509 name options
x509-username-field was added in OpenVPN 2.2, and verify-x509-name was added in 2.3. This fixes ticket #18807.
Signed-off-by: Jeffery To
SVN-Revision: 48969
---
 package/network/services/openvpn/files/openvpn.init | 1 +
 1 file changed, 1 insertion(+)
diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init
index 342e5d8c70..5396d0bf47 100644
--- a/package/network/services/openvpn/files/openvpn.init
+++ b/package/network/services/openvpn/files/openvpn.init
@@ -124,6 +124,7 @@ start_instance() {
 socks_proxy status status_version syslog tcp_queue_limit tls_auth \
 tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \
 tun_mtu tun_mtu_extra txqueuelen user verb down push up \
+ verify_x509_name x509_username_field \
 ifconfig_ipv6 route_ipv6 server_ipv6 ifconfig_ipv6_pool ifconfig_ipv6_push iroute_ipv6
 openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf"
From 1c459c426df40701fea6b54c0c6d19cc3020904a Mon Sep 17 00:00:00 2001
From: Dirk Neukirchen
Date: Tue, 31 May 2016 09:23:53 +0200
Subject: [PATCH 08/23] CC: openvpn: remove unrecognized option
removed upstream in https://github.com/OpenVPN/openvpn/commit/9ffd00e7541d83571b9eec087c6b3545ff68441f
now its always on
Signed-off-by: Dirk Neukirchen
---
 package/network/services/openvpn/Makefile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makef Makefile
index 78ddcb340a..861632aaaf 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -73,7 +73,6 @@ define Build/Configure
 --disable-plugins \
 --disable-debug \
 --disable-pkcs11 \
- --enable-password-save \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
From f1b980a651b2f4acfdb38b89d977fdd0afa862b1 Mon Sep 17 00:00:00 2001
From: Matteo Panella
Date: Sat, 4 Jun 2016 15:15:03 +0200
Subject: [PATCH 09/23] CC: openvpn: add support for tls-version-min
Currently, the uci data model does not provide support for specifying the minimum TLS version supported in an OpenVPN instance (be it server or client). This patch adds support for writing the relevant option to the openvpn configuration file at service startup.
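Review bot: `verify_x509_name` is added while the context line above still lists `tls_remote`, and the OpenVPN 2.3 manual deprecates `tls-remote` precisely because its match is a common-name prefix match that a certificate whose name merely starts with the expected value can satisfy. Now that the strict option is exposed through UCI, the init script could warn when a section still sets `tls_remote`, for example a `logger -t openvpn "tls_remote is deprecated, use verify_x509_name"` where the option is read, so deployments migrate before the option disappears. `start_instance` continues outside the hunk.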
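Review bot: The context line two below the removed option, `$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \`, looks malformed: it expands to a bare `enable-ssl` or `disable-x509-alt-username-ssl` with no leading `--`, which an autoconf script does not treat as an option, so the x509-alt-username feature is most likely never toggled by this config symbol (worth confirming in config.log). Since this commit is already cleaning up unrecognised configure flags, it is the natural place to fix it: `$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \`. `Build/Configure` continues outside the hunk.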
Signed-off-by: Matteo Panella
[Jo-Philipp Wich: shorten commit title, bump pkg release]
Signed-off-by: Jo-Philipp Wich
---
 package/network/services/openvpn/Makefile | 2 +-
 package/network/services/openvpn/files/openvpn.init | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 861632aaaf..70ce7d4ff4 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
 PKG_VERSION:=2.3.10
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init
index 5396d0bf47..6dac7b3fa1 100644
--- a/package/network/services/openvpn/files/openvpn.init
+++ b/package/network/services/openvpn/files/openvpn.init
@@ -121,7 +121,7 @@ start_instance() {
 reneg_bytes reneg_pkts reneg_sec \
 replay_persist replay_window resolv_retry route route_delay route_gateway \
 route_metric route_pre_down route_up rport script_security secret server server_bridge setenv shaper sndbuf \
- socks_proxy status status_version syslog tcp_queue_limit tls_auth \
+ socks_proxy status status_version syslog tcp_queue_limit tls_auth tls_version_min \
 tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \
 tun_mtu tun_mtu_extra txqueuelen user verb down push up \
 verify_x509_name x509_username_field \
From ec663dd70820b2b64da1c713fb7599d59ecbfe6d Mon Sep 17 00:00:00 2001
From: Magnus Kroken
Date: Sun, 12 Jun 2016 23:49:42 +0200
Subject: [PATCH 10/23] CC: openvpn: update to 2.3.11
Security fixes:
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data
Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11
Signed-off-by: Magnus Kroken
---
 package/network/services/openvpn/Makefile | 6 +++---
 ...larssl-disable-runtime-version-check.patch | 2 +-
 .../101-remove_polarssl_debug_call.patch | 21 +++++++++++++++++++
 3 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 70ce7d4ff4..3f8b76251d 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
-PKG_VERSION:=2.3.10
-PKG_RELEASE:=2
+PKG_VERSION:=2.3.11
+PKG_RELEASE:=1
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_MD5SUM:=8831ded42db4317e287157b6b8cba74c
+PKG_MD5SUM:=0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
diff --git a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
index 73ab40649d..bd8e5b780d 100644
--- a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
+++ b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_polarssl.c
 +++ b/src/openvpn/ssl_polarssl.c
-@@ -1153,7 +1153,7 @@ const char *
+@@ -1151,7 +1151,7 @@ const char *
 get_ssl_library_version(void)
 {
 static char polar_version[30];
diff --git a/package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch b/package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch
new file mode 100644
index 0000000000..3cef32395e
--- /dev/null
+++ b/package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch
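Review bot: The new `PKG_MD5SUM` value is 64 hex digits, i.e. a SHA-256 rather than an MD5; whether the CC build accepts that depends on `scripts/download.pl` picking the digest by length, which is not visible here, and if it does not the download either fails verification or — worse — is accepted without any check. Because `PKG_SOURCE_URL` is plain `http://`, this checksum is the only integrity control on the tarball, so please confirm the build system's behaviour with this length. If SHA-256 is supported, a note such as `# 64-digit value is the sha256 of the release tarball` beside the variable would stop the next bump from mixing digest types under a variable named MD5SUM.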
@@ -0,0 +1,21 @@
+openvpn: remove call to PolarSSL debug function
+
+OpenVPN >=2.3.11 uses PolarSSL debug functions for improved logging.
+This requires that PolarSSL is built with POLARSSL_DEBUG_C, which increases
+its size significantly.
+
+This change does not impact OpenVPN operation, see:
+https://sourceforge.net/p/openvpn/mailman/message/35153943/
+
+Signed-off-by: Magnus Kroken
+
+--- a/src/openvpn/ssl_polarssl.c
++++ b/src/openvpn/ssl_polarssl.c
+@@ -742,7 +742,7 @@ void key_state_ssl_init(struct key_state
+ if (polar_ok(ssl_init(ks_ssl->ctx)))
+ {
+ /* Initialise SSL context */
+- debug_set_threshold(3);
++ /*debug_set_threshold(3);*/
+ ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
+ ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);
From d78a40b384c7a65705b2e2b66042cdfc605fad5f Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Tue, 28 Jun 2016 10:47:22 +0200
Subject: [PATCH 11/23] CC: openvpn: fix missing cipher list for polarssl in v2.3.11
Upstream OpenSSL hardening work introduced a change in shared code that causes polarssl / mbedtls builds to break when no --tls-cipher is specified.
Import the upstream fix commit as patch until the next OpenVPN release gets released and packaged.
Reported-by: Sebastian Koch
Signed-off-by: Jo-Philipp Wich
---
 package/network/services/openvpn/Makefile | 2 +-
 ...upstream-fix-polarssl-mbedtls-builds.patch | 42 +++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 3f8b76251d..770dc6e6fb 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
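Review bot: Commenting out `debug_set_threshold(3);` leaves `ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);` registered on the next line but drops the threshold even for builds whose PolarSSL does have `POLARSSL_DEBUG_C`, and it leaves dead code in the tree. Guarding the call instead keeps upstream's logging where the library supports it and still builds against a debug-less PolarSSL: `#if defined(POLARSSL_DEBUG_C)` / `debug_set_threshold(3);` / `#endif`. The patch header's "does not impact OpenVPN operation" would also be more precise as "library-level TLS debug output is no longer enabled", since that is presumably what the threshold controlled. `key_state_ssl_init` continues outside the hunk.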
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
 PKG_VERSION:=2.3.11
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
diff --git a/package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch b/package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch
new file mode 100644
index 0000000000..0a5c49c791
--- /dev/null
+++ b/package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch
@@ -0,0 +1,42 @@
+From 629baad8f89af261445a2ace03694601f8e476f9 Mon Sep 17 00:00:00 2001
+From: Steffan Karger
+Date: Fri, 13 May 2016 08:54:52 +0200
+Subject: [PATCH] Fix polarssl / mbedtls builds
+
+Commit 8a399cd3 hardened the OpenSSL default cipher list,
+but also introduced a change in shared code that causes
+polarssl / mbedtls builds to break when no --tls-cipher is
+specified.
+
+This fix is backported code from the master branch.
+
+Signed-off-by: Steffan Karger
+Acked-by: Gert Doering
+Message-Id: <1463122492-701-1-git-send-email-steffan@karger.me>
+URL: http://article.gmane.org/gmane.network.openvpn.devel/11647
+Signed-off-by: Gert Doering
+---
+ src/openvpn/ssl_polarssl.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
+index 1f58369..9263698 100644
+--- a/src/openvpn/ssl_polarssl.c
++++ b/src/openvpn/ssl_polarssl.c
+@@ -176,7 +176,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
+ {
+ char *tmp_ciphers, *tmp_ciphers_orig, *token;
+ int i, cipher_count;
+- int ciphers_len = strlen (ciphers);
++ int ciphers_len;
++
++ if (NULL == ciphers)
++ return; /* Nothing to do */
++
++ ciphers_len = strlen (ciphers);
+
+ ASSERT (NULL != ctx);
+ ASSERT (0 != ciphers_len);
+--
+2.8.1
+
From 07f58462218f2d49cd7233b6bec7b6266cfae66e Mon Sep 17 00:00:00 2001
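Review bot: The early return added to tls_ctx_restrict_ciphers carries only `/* Nothing to do */`, which does not say what a NULL list means for the context; presumably the library's own ciphersuite selection stays in effect, and that is worth stating explicitly because this function is the counterpart of the OpenSSL path whose default list was just hardened. Suggest `return; /* no --tls-cipher given: keep the library's default ciphersuite list */`. Separately, `ciphers_len` is still an `int` receiving a `size_t` from `strlen`, which predates this change but would be the natural moment to fix. The rest of the function is outside the hunk.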
From: Magnus Kroken Date: Wed, 24 Aug 2016 00:14:46 +0200 Subject: [PATCH 12/23] CC: openvpn: update to 2.3.12 300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream. Replaced 101-remove_polarssl_debug_call.patch with upstream backport. Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12 Signed-off-by: Magnus Kroken --- package/network/services/openvpn/Makefile | 6 +-- ...larssl-disable-runtime-version-check.patch | 2 +- ...ackport_upstream_polarssl_debug_call.patch | 33 +++++++++++++++ .../101-remove_polarssl_debug_call.patch | 21 ---------- ...upstream-fix-polarssl-mbedtls-builds.patch | 42 ------------------- 5 files changed, 37 insertions(+), 67 deletions(-) create mode 100644 package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch delete mode 100644 package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch delete mode 100644 package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index 770dc6e6fb..c9f6542f74 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile @@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.3.11 -PKG_RELEASE:=2 +PKG_VERSION:=2.3.12 +PKG_RELEASE:=1 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_MD5SUM:=0f5f1ca1dc5743fa166d93dd4ec952f014b5f33bafd88f0ea34b455cae1434a7 +PKG_MD5SUM:=e3d6cdf2fb58b7569bd628ddb3d76352aa7e85b9 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) diff --git a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch index bd8e5b780d..c7955c2460 100644 
--- a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
+++ b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_polarssl.c
 +++ b/src/openvpn/ssl_polarssl.c
-@@ -1151,7 +1151,7 @@ const char *
+@@ -1156,7 +1156,7 @@ const char *
 get_ssl_library_version(void)
 {
 static char polar_version[30];
diff --git a/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch b/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
new file mode 100644
index 0000000000..2155a4c79b
--- /dev/null
+++ b/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
@@ -0,0 +1,33 @@
+openvpn: fix build without POLARSSL_DEBUG_C
+
+Backport of upstream master commit
+b63f98633dbe2ca92cd43fc6f8597ab283a600bf.
+
+Signed-off-by: Magnus Kroken
+
+From b63f98633dbe2ca92cd43fc6f8597ab283a600bf Mon Sep 17 00:00:00 2001
+From: Steffan Karger
+Date: Tue, 14 Jun 2016 22:00:03 +0200
+Subject: [PATCH] mbedtls: don't set debug threshold if compiled without
+ MBEDTLS_DEBUG_C
+
+For targets with space constraints, one might want to compile mbed TLS
+without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes. Make
+sure OpenVPN still compiles if that is the case.
+
+Signed-off-by: Steffan Karger
+Acked-by: Gert Doering
+Message-Id: <1465934403-22226-1-git-send-email-steffan@karger.me>
+URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
+Signed-off-by: Gert Doering
+--- a/src/openvpn/ssl_polarssl.c
++++ b/src/openvpn/ssl_polarssl.c
+@@ -747,7 +747,9 @@ void key_state_ssl_init(struct key_state
+ if (polar_ok(ssl_init(ks_ssl->ctx)))
+ {
+ /* Initialise SSL context */
++ #ifdef POLARSSL_DEBUG_C
+ debug_set_threshold(3);
++ #endif
+ ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
+ ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);
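Review bot: The backported hunk guards on `POLARSSL_DEBUG_C`, while the quoted upstream Subject and body refer to `MBEDTLS_DEBUG_C`, and the local header above the upstream message does not say that the macro was renamed for the PolarSSL 1.3 API; someone comparing this file against commit b63f98633dbe2ca92cd43fc6f8597ab283a600bf will see a mismatch and may suspect a typo. Add one line to the local header, e.g. `Adapted for PolarSSL 1.3: MBEDTLS_DEBUG_C is spelled POLARSSL_DEBUG_C in this API.`. key_state_ssl_init continues outside the hunk.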
diff --git a/package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch b/package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch deleted file mode 100644 index 3cef32395e..0000000000 --- a/package/network/services/openvpn/patches/101-remove_polarssl_debug_call.patch +++ /dev/null @@ -1,21 +0,0 @@ -openvpn: remove call to PolarSSL debug function - -OpenVPN >=2.3.11 uses PolarSSL debug functions for improved logging. -This requires that PolarSSL is built with POLARSSL_DEBUG_C, which increases -its size significantly. - -This change does not impact OpenVPN operation, see: -https://sourceforge.net/p/openvpn/mailman/message/35153943/ - -Signed-off-by: Magnus Kroken - ---- a/src/openvpn/ssl_polarssl.c -+++ b/src/openvpn/ssl_polarssl.c -@@ -742,7 +742,7 @@ void key_state_ssl_init(struct key_state - if (polar_ok(ssl_init(ks_ssl->ctx))) - { - /* Initialise SSL context */ -- debug_set_threshold(3); -+ /*debug_set_threshold(3);*/ - ssl_set_dbg (ks_ssl->ctx, my_debug, NULL); - ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint); diff --git a/package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch b/package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch deleted file mode 100644 index 0a5c49c791..0000000000 --- a/package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 629baad8f89af261445a2ace03694601f8e476f9 Mon Sep 17 00:00:00 2001 -From: Steffan Karger -Date: Fri, 13 May 2016 08:54:52 +0200 -Subject: [PATCH] Fix polarssl / mbedtls builds - -Commit 8a399cd3 hardened the OpenSSL default cipher list, -but also introduced a change in shared code that causes -polarssl / mbedtls builds to break when no --tls-cipher is -specified. - -This fix is backported code from the master branch. - -Signed-off-by: Steffan Karger -Acked-by: Gert Doering -Message-Id: <1463122492-701-1-git-send-email-steffan@karger.me> -URL: http://article.gmane.org/gmane.network.openvpn.devel/11647 -Signed-off-by: Gert Doering ---- - src/openvpn/ssl_polarssl.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c -index 1f58369..9263698 100644 ---- a/src/openvpn/ssl_polarssl.c -+++ b/src/openvpn/ssl_polarssl.c -@@ -176,7 +176,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) - { - char *tmp_ciphers, *tmp_ciphers_orig, *token; - int i, cipher_count; -- int ciphers_len = strlen (ciphers); -+ int ciphers_len; -+ -+ if (NULL == ciphers) -+ return; /* Nothing to do */ -+ -+ ciphers_len = strlen (ciphers); - - ASSERT (NULL != ctx); - ASSERT (0 != ciphers_len); --- -2.8.1 - From 267377389ea5f62003671e4223a18033557ce035 Mon Sep 17 00:00:00 2001 From: John Crispin Date: Thu, 27 Oct 2016 15:19:59 +0200 Subject: [PATCH 13/23] CC: openvpn: add handling for capath and cafile Signed-off-by: John Crispin --- package/network/services/openvpn/files/openvpn.init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init index 6dac7b3fa1..38337600ae 100644 --- a/package/network/services/openvpn/files/openvpn.init +++ b/package/network/services/openvpn/files/openvpn.init 
@@ -124,7 +124,7 @@ start_instance() { socks_proxy status status_version syslog tcp_queue_limit tls_auth tls_version_min \ tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \ tun_mtu tun_mtu_extra txqueuelen user verb down push up \ - verify_x509_name x509_username_field \ + capath cafile verify_x509_name x509_username_field \ ifconfig_ipv6 route_ipv6 server_ipv6 ifconfig_ipv6_pool ifconfig_ipv6_push iroute_ipv6 openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf" From 7cb5f862e4f4aa6af075adaaa9936533196734cf Mon Sep 17 00:00:00 2001 From: John Crispin Date: Thu, 27 Oct 2016 19:52:33 +0200 Subject: [PATCH 14/23] CC: openvpn: cacert does not exist cacert is really called ca and already in the script Signed-off-by: John Crispin --- package/network/services/openvpn/files/openvpn.init | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init index 38337600ae..4c8f77f92e 100644 --- a/package/network/services/openvpn/files/openvpn.init +++ b/package/network/services/openvpn/files/openvpn.init @@ -107,7 +107,7 @@ start_instance() { # append params append_params "$s" \ - cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert \ + cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert capath \ chroot cipher client_config_dir client_connect client_disconnect comp_lzo connect_freq \ connect_retry connect_timeout connect_retry_max crl_verify dev dev_node dev_type dh \ echo engine explicit_exit_notify fragment group hand_window hash_size \ 
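Review bot: The `cafile` entry added to the option list in this hunk does not correspond to an OpenVPN option as far as I can tell: the file form is `--ca`, which is already present in the same list a few lines up (outside this hunk), and `--capath` is the directory form. append_params turns every listed name into a `--name` line, so a UCI instance setting `option cafile` would get `--cafile` written to its config and OpenVPN would refuse to start. Drop it and keep `capath verify_x509_name x509_username_field \`. start_instance continues outside the hunk.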
@@ -124,7 +124,7 @@ start_instance() { socks_proxy status status_version syslog tcp_queue_limit tls_auth tls_version_min \ tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \ tun_mtu tun_mtu_extra txqueuelen user verb down push up \ - capath cafile verify_x509_name x509_username_field \ + verify_x509_name x509_username_field \ ifconfig_ipv6 route_ipv6 server_ipv6 ifconfig_ipv6_pool ifconfig_ipv6_push iroute_ipv6 openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf" From 6f6a00bd57968bb6683e62857165e7a34302a5e4 Mon Sep 17 00:00:00 2001 From: Magnus Kroken Date: Thu, 17 Nov 2016 18:43:25 +0100 Subject: [PATCH 15/23] CC: openvpn: update to 2.3.13 Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13 Signed-off-by: Magnus Kroken --- package/network/services/openvpn/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index c9f6542f74..8b3cf8de2e 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile @@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.3.12 +PKG_VERSION:=2.3.13 PKG_RELEASE:=1 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_MD5SUM:=e3d6cdf2fb58b7569bd628ddb3d76352aa7e85b9 +PKG_MD5SUM:=9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) From f5a98630db4970d5c1b5372bb9b6a43f9e3b5717 Mon Sep 17 00:00:00 2001 
From: Magnus Kroken Date: Sat, 10 Dec 2016 12:02:03 +0100 Subject: [PATCH 16/23] CC: openvpn: quote parameters to --push in openvpn config file OpenVPN requires arguments to --push to be enclosed in double quotes. One set of quotes is stripped when the UCI config is parsed. Change append_params() of openvpn.init to enclose push parameters in double quotes. Unquoted push parameters do not cause errors in OpenVPN 2.3, but OpenVPN 2.4 fails to start with unquoted push parameters. Fixes: FS#290. Signed-off-by: Magnus Kroken --- package/network/services/openvpn/files/openvpn.init | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init index 4c8f77f92e..0fcdc7eea0 100644 --- a/package/network/services/openvpn/files/openvpn.init +++ b/package/network/services/openvpn/files/openvpn.init @@ -42,7 +42,8 @@ append_params() { config_get v "$s" "$p" IFS="$LIST_SEP" for v in $v; do - [ -n "$v" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf" + [ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf" + [ -n "$v" ] && [ "$p" == "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf" done unset IFS done From 726667d4f1309c4cb1c206d82b3e61678df8def4 Mon Sep 17 00:00:00 2001 From: Zoltan HERPAI Date: Thu, 12 Oct 2017 17:07:59 +0200 Subject: [PATCH 17/23] CC: openvpn: bump to 2.3.18 Fixes (above various bugs): CVE-2017-7478 CVE-2017-7479 CVE-2017-7521 Signed-off-by: Zoltan HERPAI --- package/network/services/openvpn/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index 8b3cf8de2e..d3158b5952 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile 
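Review bot: `[ "$p" == "push" ]` in the added line uses the bash-style `==`, which POSIX `test` does not define; busybox happens to accept it, but the sibling test on the line above uses the POSIX `!=`, so `=` is the consistent choice. The two lines also repeat the same `append_param` / `echo` tail and differ only in the quoting, which can be folded into one path: `[ -n "$v" ] || continue`, `[ "$p" = "push" ] && v="\"$v\""`, `append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"`. A push value that itself contains a double quote is still written unescaped either way, which deserves a comment given the commit message's note that OpenVPN 2.4 is stricter about this line. The loop continues outside the hunk.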
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.3.13 +PKG_VERSION:=2.3.18 PKG_RELEASE:=1 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_MD5SUM:=9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0 +PKG_MD5SUM:=844ec9c64aae62051478784b8562f881 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) From bc23a9bae132fbd2d801cb2b9a759c1d9ba0caf9 Mon Sep 17 00:00:00 2001 From: John Crispin Date: Fri, 1 Apr 2016 07:12:11 +0000 Subject: [PATCH 18/23] CC: package/libs/lzo: update version to 2.09 Updates lzo to version 2.09 and changes copyright to 2016. Signed-off-by: Daniel Engberg SVN-Revision: 49110 --- package/libs/lzo/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/libs/lzo/Makefile b/package/libs/lzo/Makefile index 6a88a6f384..d4e5e72bb5 100644 --- a/package/libs/lzo/Makefile +++ b/package/libs/lzo/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2012 OpenWrt.org +# Copyright (C) 2006-2016 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lzo -PKG_VERSION:=2.08 +PKG_VERSION:=2.09 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.oberhumer.com/opensource/lzo/download/ -PKG_MD5SUM:=fcec64c26a0f4f4901468f360029678f +PKG_MD5SUM:=c7ffc9a103afe2d1bba0b015e7aa887f PKG_FIXUP:=autoreconf PKG_INSTALL:=1 From 3560533f9b72cfb7b645341988720d16987c2312 Mon Sep 17 00:00:00 2001 From: Zoltan HERPAI Date: Thu, 12 Oct 2017 17:12:05 +0200 Subject: [PATCH 19/23] CC: lzo: update to 2.10 Signed-off-by: Zoltan HERPAI --- package/libs/lzo/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/lzo/Makefile b/package/libs/lzo/Makefile index d4e5e72bb5..b631759705 100644 --- a/package/libs/lzo/Makefile 
+++ b/package/libs/lzo/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lzo -PKG_VERSION:=2.09 +PKG_VERSION:=2.10 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.oberhumer.com/opensource/lzo/download/ -PKG_MD5SUM:=c7ffc9a103afe2d1bba0b015e7aa887f +PKG_MD5SUM:=39d3f3f9c55c87b1e5d6888e1420f4b5 PKG_FIXUP:=autoreconf PKG_INSTALL:=1 From 7e043b48248ff11ccacc725715d1eabc37e9ba5e Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Thu, 3 Dec 2015 21:00:45 +0000 Subject: [PATCH 20/23] CC: polarssl: update to version 1.3.15 This is a minor version update which fixes some small bugs. None of these bugs were exploitable according to the release notes. Signed-off-by: Martin Blumenstingl SVN-Revision: 47724 --- package/libs/polarssl/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/polarssl/Makefile b/package/libs/polarssl/Makefile index dc13679e41..00076912c0 100644 --- a/package/libs/polarssl/Makefile +++ b/package/libs/polarssl/Makefile @@ -9,13 +9,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=polarssl SRC_PKG_NAME:=mbedtls -PKG_VERSION:=1.3.14 +PKG_VERSION:=1.3.15 PKG_RELEASE:=1 PKG_USE_MIPS16:=0 PKG_SOURCE:=$(SRC_PKG_NAME)-$(PKG_VERSION)-gpl.tgz PKG_SOURCE_URL:=https://polarssl.org/download/ -PKG_MD5SUM:=869c7b5798b8769902880c7cf0212fed +PKG_MD5SUM:=59662a9daaf0cfe96c349bd5ad246d1b PKG_BUILD_DIR:=$(BUILD_DIR)/$(SRC_PKG_NAME)-$(PKG_VERSION) From 7333f9defb84abbf6e253b60314542007f0a5db0 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Sat, 16 Jan 2016 00:20:05 +0000 Subject: [PATCH 21/23] CC: polarssl: update to 1.3.16, fixes intermediate certificate validation Signed-off-by: Felix Fietkau SVN-Revision: 48257 --- package/libs/polarssl/Makefile | 4 +-- .../polarssl/patches/200-reduce_config.patch | 30 +++++++++---------- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/package/libs/polarssl/Makefile b/package/libs/polarssl/Makefile index 00076912c0..a8d7953659 100644 
--- a/package/libs/polarssl/Makefile +++ b/package/libs/polarssl/Makefile @@ -9,13 +9,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=polarssl SRC_PKG_NAME:=mbedtls -PKG_VERSION:=1.3.15 +PKG_VERSION:=1.3.16 PKG_RELEASE:=1 PKG_USE_MIPS16:=0 PKG_SOURCE:=$(SRC_PKG_NAME)-$(PKG_VERSION)-gpl.tgz PKG_SOURCE_URL:=https://polarssl.org/download/ -PKG_MD5SUM:=59662a9daaf0cfe96c349bd5ad246d1b +PKG_MD5SUM:=f413146c177c52d4ad8f48015e2fb21dd3a029ca30a2ea000cbc4f9bd092c933 PKG_BUILD_DIR:=$(BUILD_DIR)/$(SRC_PKG_NAME)-$(PKG_VERSION) diff --git a/package/libs/polarssl/patches/200-reduce_config.patch b/package/libs/polarssl/patches/200-reduce_config.patch index 80b07ef93f..6fef1a6f5c 100644 --- a/package/libs/polarssl/patches/200-reduce_config.patch +++ b/package/libs/polarssl/patches/200-reduce_config.patch @@ -100,7 +100,7 @@ /** * \def POLARSSL_SSL_AEAD_RANDOM_IV -@@ -1138,8 +1138,8 @@ +@@ -1151,8 +1151,8 @@ * Requires: POLARSSL_VERSION_C * * Comment this to disable run-time checking and save ROM space @@ -110,7 +110,7 @@ /** * \def POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 -@@ -1457,8 +1457,8 @@ +@@ -1470,8 +1470,8 @@ * TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 * TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 * TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 @@ -120,7 +120,7 @@ /** * \def POLARSSL_CCM_C -@@ -1485,8 +1485,8 @@ +@@ -1498,8 +1498,8 @@ * Requires: POLARSSL_PEM_PARSE_C * * This module is used for testing (ssl_client/server). @@ -130,7 +130,7 @@ /** * \def POLARSSL_CIPHER_C -@@ -1525,8 +1525,8 @@ +@@ -1538,8 +1538,8 @@ * library/ssl_tls.c * * This module provides debugging functions. @@ -140,7 +140,7 @@ /** * \def POLARSSL_DES_C -@@ -1581,8 +1581,8 @@ +@@ -1594,8 +1594,8 @@ * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK * * Requires: POLARSSL_ECP_C @@ -150,7 +150,7 @@ /** * \def POLARSSL_ECDSA_C -@@ -1596,8 +1596,8 @@ +@@ -1609,8 +1609,8 @@ * ECDHE-ECDSA * * Requires: POLARSSL_ECP_C, POLARSSL_ASN1_WRITE_C, POLARSSL_ASN1_PARSE_C 
@@ -160,7 +160,7 @@ /** * \def POLARSSL_ECP_C -@@ -1609,8 +1609,8 @@ +@@ -1622,8 +1622,8 @@ * library/ecdsa.c * * Requires: POLARSSL_BIGNUM_C and at least one POLARSSL_ECP_DP_XXX_ENABLED @@ -170,7 +170,7 @@ /** * \def POLARSSL_ENTROPY_C -@@ -1649,8 +1649,8 @@ +@@ -1662,8 +1662,8 @@ * * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other * requisites are enabled as well. @@ -180,7 +180,7 @@ /** * \def POLARSSL_HAVEGE_C -@@ -1686,8 +1686,8 @@ +@@ -1699,8 +1699,8 @@ * Requires: POLARSSL_MD_C * * Uncomment to enable the HMAC_DRBG random number geerator. @@ -190,7 +190,7 @@ /** * \def POLARSSL_MD_C -@@ -1813,8 +1813,8 @@ +@@ -1826,8 +1826,8 @@ * Requires: POLARSSL_HAVE_ASM * * This modules adds support for the VIA PadLock on x86. @@ -200,7 +200,7 @@ /** * \def POLARSSL_PBKDF2_C -@@ -1979,8 +1979,8 @@ +@@ -1992,8 +1992,8 @@ * Module: library/ripemd160.c * Caller: library/md.c * @@ -210,7 +210,7 @@ /** * \def POLARSSL_RSA_C -@@ -2059,8 +2059,8 @@ +@@ -2072,8 +2072,8 @@ * Caller: * * Requires: POLARSSL_SSL_CACHE_C @@ -220,7 +220,7 @@ /** * \def POLARSSL_SSL_CLI_C -@@ -2136,8 +2136,8 @@ +@@ -2149,8 +2149,8 @@ * Caller: library/havege.c * * This module is used by the HAVEGE random number generator. @@ -230,7 +230,7 @@ /** * \def POLARSSL_VERSION_C -@@ -2147,8 +2147,8 @@ +@@ -2160,8 +2160,8 @@ * Module: library/version.c * * This module provides run-time version information. @@ -240,7 +240,7 @@ /** * \def POLARSSL_X509_USE_C -@@ -2257,8 +2257,8 @@ +@@ -2270,8 +2270,8 @@ * * Module: library/xtea.c * Caller: From ac36e05e8659cf32b18388092cdbeb358e5a9f86 Mon Sep 17 00:00:00 2001 
From: Jo-Philipp Wich Date: Sat, 11 Jun 2016 03:18:07 +0200 Subject: [PATCH 22/23] CC: polarssl: enable AES-GCM and CAMELLIA-GCM ciphersuites Recent versions of Chrome require this ciphers to successfully handshake with a TLS enabled uhttpd server using the ustream-polarssl backend. If `CONFIG_GCM` is disabled, `ssl_ciphersuite_from_id()` will return `NULL` when cipher `0x9d` is looked up, causing the calling `ssl_ciphersuite_match()` to fail with `POLARSSL_ERR_SSL_INTERNAL_ERROR`. Signed-off-by: Jo-Philipp Wich --- package/libs/polarssl/Makefile | 2 +- package/libs/polarssl/patches/200-reduce_config.patch | 10 ---------- 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/package/libs/polarssl/Makefile b/package/libs/polarssl/Makefile index a8d7953659..57f1675fca 100644 --- a/package/libs/polarssl/Makefile +++ b/package/libs/polarssl/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=polarssl SRC_PKG_NAME:=mbedtls PKG_VERSION:=1.3.16 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_USE_MIPS16:=0 PKG_SOURCE:=$(SRC_PKG_NAME)-$(PKG_VERSION)-gpl.tgz diff --git a/package/libs/polarssl/patches/200-reduce_config.patch b/package/libs/polarssl/patches/200-reduce_config.patch index 6fef1a6f5c..9e2734aa6c 100644 --- a/package/libs/polarssl/patches/200-reduce_config.patch +++ b/package/libs/polarssl/patches/200-reduce_config.patch @@ -170,16 +170,6 @@ /** * \def POLARSSL_ENTROPY_C -@@ -1662,8 +1662,8 @@ - * - * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other - * requisites are enabled as well. -- */ - #define POLARSSL_GCM_C -+ */ - - /** - * \def POLARSSL_HAVEGE_C @@ -1699,8 +1699,8 @@ * Requires: POLARSSL_MD_C * From b130306800d0df657d82bc74fcb13fbd74da213d Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Wed, 13 Jul 2016 17:44:26 +0200 Subject: [PATCH 23/23] CC: polarssl: update to version 1.3.17 This fixes 3 minor security problems. SSLv3 is deactivated by default now. 
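Review bot: Removing this hunk from 200-reduce_config.patch re-enables `POLARSSL_GCM_C`, but nothing left in the patch records why this module must stay on while its neighbours are stripped, so a later size-reduction pass could comment it out again and silently break the AES-GCM/CAMELLIA-GCM ciphersuites the commit message says current clients need. A short note in the patch's leading description (or next to the polarssl package in the Makefile) would prevent that, e.g. `POLARSSL_GCM_C is deliberately left enabled: AEAD (GCM) ciphersuites are required by current TLS clients.`. The commit message also refers to `CONFIG_GCM`, while the macro actually toggled is `POLARSSL_GCM_C`; naming the config.h macro would help anyone grepping for this change.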
Signed-off-by: Hauke Mehrtens --- package/libs/polarssl/Makefile | 8 ++++---- .../libs/polarssl/patches/100-disable_sslv3.patch | 12 ------------ 2 files changed, 4 insertions(+), 16 deletions(-) delete mode 100644 package/libs/polarssl/patches/100-disable_sslv3.patch diff --git a/package/libs/polarssl/Makefile b/package/libs/polarssl/Makefile index 57f1675fca..8c6da9fa93 100644 --- a/package/libs/polarssl/Makefile +++ b/package/libs/polarssl/Makefile @@ -9,13 +9,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=polarssl SRC_PKG_NAME:=mbedtls -PKG_VERSION:=1.3.16 -PKG_RELEASE:=2 +PKG_VERSION:=1.3.17 +PKG_RELEASE:=1 PKG_USE_MIPS16:=0 PKG_SOURCE:=$(SRC_PKG_NAME)-$(PKG_VERSION)-gpl.tgz -PKG_SOURCE_URL:=https://polarssl.org/download/ -PKG_MD5SUM:=f413146c177c52d4ad8f48015e2fb21dd3a029ca30a2ea000cbc4f9bd092c933 +PKG_SOURCE_URL:=https://tls.mbed.org/download/ +PKG_MD5SUM:=f5beb43e850283915e3e0f8d37495eade3bfb5beedfb61e7b8da70d4c68edb82 PKG_BUILD_DIR:=$(BUILD_DIR)/$(SRC_PKG_NAME)-$(PKG_VERSION) diff --git a/package/libs/polarssl/patches/100-disable_sslv3.patch b/package/libs/polarssl/patches/100-disable_sslv3.patch deleted file mode 100644 index 56c6c4d235..0000000000 --- a/package/libs/polarssl/patches/100-disable_sslv3.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/include/polarssl/config.h -+++ b/include/polarssl/config.h -@@ -1011,8 +1011,8 @@ - * POLARSSL_SHA1_C - * - * Comment this macro to disable support for SSL 3.0 -- */ - #define POLARSSL_SSL_PROTO_SSL3 -+ */ - - /** - * \def POLARSSL_SSL_PROTO_TLS1