From 351ac662131944f4c40ea8410a0077cc715053a2 Mon Sep 17 00:00:00 2001 From: Wang Mingyu Date: Tue, 25 Nov 2025 17:11:39 +0800 Subject: openvpn: upgrade 2.6.15 -> 2.6.16 Code maintenance / Compat changes --------------------------------- - adapt to new "encrypt-then-mac" cipher suites in OpenSSL 3.6.0 - these need special handling which we don't do, so the t_lpback self-test failed on them. Exclude from list of allowed ciphers, as there is no strong reason today to make OpenVPN use these. - fix various compile-time warnings Documentation updates --------------------- - fix outdated and non-HTTPS URLs throughout the tree (doxygen, warnings, manpage, ...) Bugfixes -------- - Fix memcmp check for the hmac verification in the 3way handshake. This bug renders the HMAC based protection against state exhaustion on receiving spoofed TLS handshake packets in the OpenVPN server ineffective. CVE: CVE-2025-13086 - fix invalid pointer creation in tls_pre_decrypt() - technically this is a memory over-read issue, in practice, the compilers optimize it away so no negative effects could be observed. - Windows: in the interactive service, fix the "undo DNS config" handling. - Windows: in the interactive service, disallow using of "stdin" for the config file, unless the caller is authorized OpenVPN Administrator - Windows: in the interactive service, change all netsh calls to use interface index and not interface name - sidesteps all possible attack avenues with special characters in interface names. - Windows: in the interactive service, improve error handling in some "unlikely to happen" paths. - auth plugin/script handling: properly check for errors in creation on $auth_failed_reason_file (arf). - for incoming TCP connections, close-on-exec option was applied to the wrong socket fd, leaking socket FDs to child processes. - sitnl: set close-on-exec flag on netlink socket - ssl_mbedtls: fix missing perf_pop() call (optional performance profiling) Signed-off-by: Wang Mingyu 
Signed-off-by: Khem Raj --- .../recipes-support/openvpn/openvpn_2.6.15.bb | 123 --------------------- .../recipes-support/openvpn/openvpn_2.6.16.bb | 123 +++++++++++++++++++++ 2 files changed, 123 insertions(+), 123 deletions(-) delete mode 100644 meta-networking/recipes-support/openvpn/openvpn_2.6.15.bb create mode 100644 meta-networking/recipes-support/openvpn/openvpn_2.6.16.bb (limited to 'meta-networking') diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.15.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.15.bb deleted file mode 100644 index 8a88282cd5..0000000000 --- a/meta-networking/recipes-support/openvpn/openvpn_2.6.15.bb +++ /dev/null 
@@ -1,123 +0,0 @@ -SUMMARY = "A full-featured SSL VPN solution via tun device." -HOMEPAGE = "https://openvpn.net/" -SECTION = "net" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=89196bacc47ed37a5b242a535661a049" -DEPENDS = "lzo lz4 openssl libcap-ng ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} ${@bb.utils.contains('PTEST_ENABLED', '1', 'cmocka', '', d)} " - -inherit autotools systemd update-rc.d pkgconfig ptest - -SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ - file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \ - file://openvpn \ - file://run-ptest \ - " - -UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" - -SRC_URI[sha256sum] = "e35513ee15995e3c71adfd8891b9f33522896c70b3baa2ed9a23c7a42c4d7bde" - -CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn" - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME:${PN} = "openvpn" -INITSCRIPT_PARAMS:${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ." - -CFLAGS += "-fno-inline" - -# I want openvpn to be able to read password from file (hrw) -EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}" - -# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host. 
-EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip" - -EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \ - TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \ - " - -PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \ - ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ - iproute2 \ - " - -# dco and iproute2 are mutually incompatible -PACKAGECONFIG[dco] = ",--disable-dco,libnl" -PACKAGECONFIG[iproute2] = "--enable-iproute2,,iproute2,iproute2-ip" -PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd" -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" - -RDEPENDS:${PN}-ptest:append = " make bash" - -do_install:append() { - install -d ${D}/${sysconfdir}/init.d - install -m 755 ${UNPACKDIR}/openvpn ${D}/${sysconfdir}/init.d - - install -d ${D}/${sysconfdir}/openvpn - install -d ${D}/${sysconfdir}/openvpn/server - install -d ${D}/${sysconfdir}/openvpn/client - - install -d ${D}/${sysconfdir}/openvpn/sample - install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf - install -m 644 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf - install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files - install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys - install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts - install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files - install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys - install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts - - install -d -m 710 ${D}/${localstatedir}/lib/openvpn -} - -do_compile_ptest () { - for x in `find ${B}/tests/unit_tests -name Makefile -exec grep -l buildtest-TESTS {} \;`; do - dir=`dirname ${x}` - case $dir in - *example*) - echo "Skipping directory: $dir" - ;; - *) - oe_runmake -C ${dir} 
buildtest-TESTS - ;; - esac - done -} - -do_install_ptest() { - for x in $(find ${B}/tests/unit_tests -name Makefile -exec grep -l buildtest-TESTS {} \;); do - dir=$(dirname ${x}) - - if [[ "$dir" == *example* ]]; then - continue - fi - - target_dir="${D}/${PTEST_PATH}/unit_tests/$(basename ${dir})" - mkdir -p ${target_dir} - cp -f ${dir}/Makefile ${target_dir}/ - sed -i "s/^Makefile:/MM:/g" ${target_dir}/Makefile - sed -i 's/^#TESTS = $(am__EXEEXT_4)/TESTS = $(am__EXEEXT_4)/' ${target_dir}/Makefile - - for testfile in $(find ${dir} -name "*testdriver"); do - cp -rf ${testfile} ${target_dir}/ - done - done - sed -i 's|find ./|find ${PTEST_PATH}|g' ${D}${PTEST_PATH}/run-ptest - sed -i 's|${top_builddir}/src/openvpn|${sbindir}|g' ${S}/tests/t_lpback.sh - cp -f ${S}/tests/t_lpback.sh ${D}/${PTEST_PATH} - cp -f ${B}/tests/Makefile ${D}/${PTEST_PATH} - sed -i "s/^Makefile:/MM:/g" ${D}/${PTEST_PATH}/Makefile - sed -i "s/^test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh/test_scripts = t_lpback.sh/g" ${D}/${PTEST_PATH}/Makefile - -} - -PACKAGES =+ " ${PN}-sample " - -RRECOMMENDS:${PN} = "kernel-module-tun" - -FILES:${PN}-dbg += "${libdir}/openvpn/plugins/.debug" -FILES:${PN} += "${systemd_system_unitdir}/openvpn-server@.service \ - ${systemd_system_unitdir}/openvpn-client@.service \ - ${nonarch_libdir}/tmpfiles.d \ - " -FILES:${PN}-sample = "${sysconfdir}/openvpn/sample/ \ - " diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.16.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.16.bb new file mode 100644 index 0000000000..88f564313f --- /dev/null +++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.16.bb 
@@ -0,0 +1,123 @@ +SUMMARY = "A full-featured SSL VPN solution via tun device." +HOMEPAGE = "https://openvpn.net/" +SECTION = "net" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=89196bacc47ed37a5b242a535661a049" +DEPENDS = "lzo lz4 openssl libcap-ng ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)} ${@bb.utils.contains('PTEST_ENABLED', '1', 'cmocka', '', d)} " + +inherit autotools systemd update-rc.d pkgconfig ptest + +SRC_URI = "http://swupdate.openvpn.org/community/releases/${BP}.tar.gz \ + file://0001-configure.ac-eliminate-build-path-from-openvpn-versi.patch \ + file://openvpn \ + file://run-ptest \ + " + +UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" + +SRC_URI[sha256sum] = "05cb5fdf1ea33fcba719580b31a97feaa019c4a3050563e88bc3b34675e6fed4" + +CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn" + +INITSCRIPT_PACKAGES = "${PN}" +INITSCRIPT_NAME:${PN} = "openvpn" +INITSCRIPT_PARAMS:${PN} = "start 10 2 3 4 5 . stop 70 0 1 6 ." + +CFLAGS += "-fno-inline" + +# I want openvpn to be able to read password from file (hrw) +EXTRA_OECONF += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '', '--disable-plugin-auth-pam', d)}" + +# Explicitly specify IPROUTE to bypass the configure-time check for /sbin/ip on the host. 
+EXTRA_OECONF += "IPROUTE=${base_sbindir}/ip" + +EXTRA_OECONF += "SYSTEMD_UNIT_DIR=${systemd_system_unitdir} \ + TMPFILES_DIR=${nonarch_libdir}/tmpfiles.d \ + " + +PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \ + ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \ + iproute2 \ + " + +# dco and iproute2 are mutually incompatible +PACKAGECONFIG[dco] = ",--disable-dco,libnl" +PACKAGECONFIG[iproute2] = "--enable-iproute2,,iproute2,iproute2-ip" +PACKAGECONFIG[systemd] = "--enable-systemd,--disable-systemd,systemd" +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux" + +RDEPENDS:${PN}-ptest:append = " make bash" + +do_install:append() { + install -d ${D}/${sysconfdir}/init.d + install -m 755 ${UNPACKDIR}/openvpn ${D}/${sysconfdir}/init.d + + install -d ${D}/${sysconfdir}/openvpn + install -d ${D}/${sysconfdir}/openvpn/server + install -d ${D}/${sysconfdir}/openvpn/client + + install -d ${D}/${sysconfdir}/openvpn/sample + install -m 644 ${S}/sample/sample-config-files/loopback-server ${D}${sysconfdir}/openvpn/sample/loopback-server.conf + install -m 644 ${S}/sample/sample-config-files/loopback-client ${D}${sysconfdir}/openvpn/sample/loopback-client.conf + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-config-files + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-keys + install -dm 755 ${D}${sysconfdir}/openvpn/sample/sample-scripts + install -m 644 ${S}/sample/sample-config-files/* ${D}${sysconfdir}/openvpn/sample/sample-config-files + install -m 644 ${S}/sample/sample-keys/* ${D}${sysconfdir}/openvpn/sample/sample-keys + install -m 644 ${S}/sample/sample-scripts/* ${D}${sysconfdir}/openvpn/sample/sample-scripts + + install -d -m 710 ${D}/${localstatedir}/lib/openvpn +} + +do_compile_ptest () { + for x in `find ${B}/tests/unit_tests -name Makefile -exec grep -l buildtest-TESTS {} \;`; do + dir=`dirname ${x}` + case $dir in + *example*) + echo "Skipping directory: $dir" + ;; + *) + oe_runmake -C ${dir} 
buildtest-TESTS + ;; + esac + done +} + +do_install_ptest() { + for x in $(find ${B}/tests/unit_tests -name Makefile -exec grep -l buildtest-TESTS {} \;); do + dir=$(dirname ${x}) + + if [[ "$dir" == *example* ]]; then + continue + fi + + target_dir="${D}/${PTEST_PATH}/unit_tests/$(basename ${dir})" + mkdir -p ${target_dir} + cp -f ${dir}/Makefile ${target_dir}/ + sed -i "s/^Makefile:/MM:/g" ${target_dir}/Makefile + sed -i 's/^#TESTS = $(am__EXEEXT_4)/TESTS = $(am__EXEEXT_4)/' ${target_dir}/Makefile + + for testfile in $(find ${dir} -name "*testdriver"); do + cp -rf ${testfile} ${target_dir}/ + done + done + sed -i 's|find ./|find ${PTEST_PATH}|g' ${D}${PTEST_PATH}/run-ptest + sed -i 's|${top_builddir}/src/openvpn|${sbindir}|g' ${S}/tests/t_lpback.sh + cp -f ${S}/tests/t_lpback.sh ${D}/${PTEST_PATH} + cp -f ${B}/tests/Makefile ${D}/${PTEST_PATH} + sed -i "s/^Makefile:/MM:/g" ${D}/${PTEST_PATH}/Makefile + sed -i "s/^test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh/test_scripts = t_lpback.sh/g" ${D}/${PTEST_PATH}/Makefile + +} + +PACKAGES =+ " ${PN}-sample " + +RRECOMMENDS:${PN} = "kernel-module-tun" + +FILES:${PN}-dbg += "${libdir}/openvpn/plugins/.debug" +FILES:${PN} += "${systemd_system_unitdir}/openvpn-server@.service \ + ${systemd_system_unitdir}/openvpn-client@.service \ + ${nonarch_libdir}/tmpfiles.d \ + " +FILES:${PN}-sample = "${sysconfdir}/openvpn/sample/ \ + " -- cgit v1.2.3-54-g00ecf
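Review bot: `SRC_URI` on the new side still fetches the release tarball over plain `http://swupdate.openvpn.org/...`, even though the changelog for this very release is partly about converting upstream's non-HTTPS URLs. The pinned `SRC_URI[sha256sum]` means a tampered tarball is rejected, so this is exposure of what is fetched and an easy denial of the fetch rather than an integrity hole, but there is no reason left to keep the cleartext download; I would change the line to `SRC_URI = "https://swupdate.openvpn.org/community/releases/${BP}.tar.gz \` once it is confirmed that swupdate.openvpn.org serves TLS (the HTTPS `HOMEPAGE` and `UPSTREAM_CHECK_URI` suggest the project does). Separately, the comment `# I want openvpn to be able to read password from file (hrw)` no longer describes the `--disable-plugin-auth-pam` line beneath it; replace it with `# Build the auth-pam plugin only when the 'pam' DISTRO_FEATURE is enabled`. Since the recipe is carried over unchanged apart from the checksum, both could equally go in a follow-up commit.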