path: root/package/network/services/openvpn

Commit log (each entry: commit message; author, date, files changed, lines -/+)
* mbedtls: update to version 2.9.0
  Hauke Mehrtens, 2018-05-22, 1 file, -1/+1

  The soversion was changed in this version again and is now aligned with the 2.7.2 version. The size of the ipkg file stayed mostly the same.

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* openvpn: remove deprecated config options
  Hans Dedecker, 2018-03-20, 2 files, -8/+1

  Remove deprecated config options in 2.5 as described in [0]

  [0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openvpn: add config param verify_client_cert
  Christian Bayer, 2018-03-17, 2 files, -1/+2

  Option --client-cert-not-required DEPRECATED is deprecated in v2.4 and removed in OpenVPN 2.5.
  Replaced by param --verify-client-cert none|optional|require in v2.4, see
  https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--client-cert-not-required

  Signed-off-by: Christian Bayer <cave@cavebeat.org>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* openvpn: update to 2.4.5
  Magnus Kroken, 2018-03-09, 4 files, -24/+19

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
  Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* openvpn: fix interface with mbedtls_sha256
  Russell Senior, 2018-02-17, 1 file, -0/+11

  Between mbedtls 2.6.0 and 2.7.0, the void returning mbedtls_MODULE* functions were deprecated in favor of functions returning an int error code. Use the new function mbedtls_sha256_ret().

  Signed-off-by: Russell Senior <russell@personaltelco.net>
  Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* add PKG_CPE_ID ids to package and tools
  Alexander Couzens, 2017-11-17, 1 file, -0/+1

  CPE ids help to track CVEs in packages.
  https://cpe.mitre.org/specification/

  Thanks to swalker for the CPE to package mapping and for keeping track of CVEs.

  Acked-by: Jo-Philipp Wich <jo@mein.io>
  Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* openvpn: add support to start/stop single instances
  Martin Schiller, 2017-11-13, 2 files, -18/+37

  Signed-off-by: Martin Schiller <ms@dev.tdt.de>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
* openvpn: update to 2.4.4
  Magnus Kroken, 2017-09-28, 2 files, -34/+58

  Fixes CVE-2017-12166: out of bounds write in key-method 1.

  Remove the mirror that was temporarily added during the 2.4.3 release.

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: add "extra-certs" option
  Sven Roederer, 2017-09-19, 2 files, -1/+2

  This option is used to specify a file containing PEM certs, to complete the local certificate chain, which is quite useful for "split-CA" setups.

  Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* openvpn: update to 2.4.3
  Magnus Kroken, 2017-06-26, 5 files, -13/+14

  Fixes for security and other issues. See security announcement for more details:
  https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

  * Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
  * Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
  * Potential double-free in --x509-alt-username (CVE-2017-7521)
  * Remote-triggerable memory leaks (CVE-2017-7512)
  * Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
  * Null-pointer dereference in establish_http_proxy_passthru()
  * Restrict --x509-alt-username extension types
  * Fix potential 1-byte overread in TCP option parsing
  * Fix mbedtls fingerprint calculation
  * openssl: fix overflow check for long --tls-cipher option
  * Ensure option array p[] is always NULL-terminated
  * Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: update to v2.4.2
  Jo-Philipp Wich, 2017-05-12, 1 file, -2/+2

  Update to version 2.4.2 in order to address two potential Denial-of-Service vectors in OpenVPN.

  CVE-2017-7478 - Don't assert out on receiving too-large control packets
  CVE-2017-7479 - Drop packets instead of assert out if packet id rolls over

  Ref: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.2
  Ref: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: add myself as maintainer
  Felix Fietkau, 2017-04-12, 1 file, -1/+1

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* OpenVPN: Update to 2.4.1
  Daniel Engberg, 2017-04-12, 4 files, -20/+12

  Update OpenVPN to 2.4.1
  Remove 200-small_build_enable_occ.patch as it's included upstream.
  Refresh patches
  Add mirror and switch to HTTPS

  Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* openvpn: add extra respawn parameters
  Martin Schiller, 2017-03-22, 1 file, -0/+3

  This change protects the openvpn instances from being marked as "in a crash loop", and thereby the connection retries will run infinitely.

  When the remote site of an openvpn connection goes down for some time (network failure etc.) the openvpn instance in an openwrt/lede device should not stop retrying to establish the connection.

  With the current limit of 5 retries, there is a user interaction required, which isn't really what you want when the device should simply do everything to keep the vpn connection up.

  Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* openvpn: move list of params and bools to a separate file
  Yousong Zhou, 2017-03-07, 3 files, -30/+205

  So that future patches for addition/removal of them can be more readable.

  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* openvpn: adding key_direction to append_params.
  Brandon Koepke, 2017-02-03, 1 file, -2/+2

  key_direction shows up as an openvpn option in the user-interface but does not end up in the /var/etc/openvpn*.conf file. Adding it to the list here fixed the issue for me.

  Signed-off-by: Brandon Koepke <bdkoepke@fastmail.com>
* openvpn: add support for various new 2.4 configuration options
  Magnus Kroken, 2017-01-27, 1 file, -24/+19

  Updates to openvpn.init were included in early OpenVPN 2.4 patch series, but got lost along the way and were never merged.

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: ssl-enabled variants also provide a virtual openvpn-crypto package
  Sven Roederer, 2017-01-26, 1 file, -1/+5

  When relying on x.509 certs for auth and / or encryption of traffic you can't use package openvpn-nossl. Just have your package depend on openvpn-crypto to have SSL-encryption and X.509-support enabled in OpenVPN.

  If encryption / X.509 is not a must, use virtual package openvpn, which is provided by all OpenVPN-variants.

  Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* openvpn: let all openvpn variants provide a virtual openvpn package
  Jo-Philipp Wich, 2017-01-21, 1 file, -1/+2

  Add PROVIDES:=openvpn to the default recipe in order to let all build variants provide a virtual openvpn package.

  The advantage of this approach is that downstream packages can depend on just "openvpn" without having to require a specific flavor.

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: update to 2.4.0
  Magnus Kroken, 2016-12-30, 1 file, -2/+2

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: use conditional dependencies to avoid pulling in unused ssl libraries
  Felix Fietkau, 2016-12-22, 1 file, -2/+2

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* openvpn: reduce binary size using --gc-sections on linking
  Felix Fietkau, 2016-12-22, 1 file, -0/+3

  Saves around 9kb gzipped on MIPS

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* openvpn: fix disabling DES support in mbedtls
  Felix Fietkau, 2016-12-22, 1 file, -0/+81

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: update to 2.4_rc2
  Magnus Kroken, 2016-12-22, 11 files, -75/+103

  OpenVPN 2.4 builds with mbedTLS 2.x, rename openvpn-polarssl variant to openvpn-mbedtls.

  Some feature highlights:
  * Data channel cipher negotiation
  * AEAD cipher support for data channel encryption (currently only AES-GCM)
  * ECDH key exchange for control channel
  * LZ4 compression support

  See https://github.com/OpenVPN/openvpn/blob/master/Changes.rst for additional change notes.

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* treewide: clean up download hashes
  Felix Fietkau, 2016-12-16, 1 file, -1/+1

  Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* openvpn: quote parameters to --push in openvpn config file
  Magnus Kroken, 2016-12-12, 1 file, -1/+2

  OpenVPN requires arguments to --push to be enclosed in double quotes. One set of quotes is stripped when the UCI config is parsed. Change append_params() of openvpn.init to enclose push parameters in double quotes.

  Unquoted push parameters do not cause errors in OpenVPN 2.3, but OpenVPN 2.4 fails to start with unquoted push parameters.

  Fixes: FS#290.

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: update to 2.3.13
  Magnus Kroken, 2016-11-21, 1 file, -2/+2

  Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: cacert does not exist
  John Crispin, 2016-10-27, 1 file, -2/+2

  cacert is really called ca and already in the script

  Signed-off-by: John Crispin <john@phrozen.org>
* openvpn: add handling for capath and cafile
  John Crispin, 2016-10-27, 1 file, -1/+1

  Signed-off-by: John Crispin <john@phrozen.org>
* openvpn: update to 2.3.12
  Magnus Kroken, 2016-08-24, 5 files, -67/+37

  300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream.
  Replaced 101-remove_polarssl_debug_call.patch with upstream backport.

  Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: fix missing cipher list for polarssl in v2.3.11
  Jo-Philipp Wich, 2016-06-28, 2 files, -1/+43

  Upstream OpenSSL hardening work introduced a change in shared code that causes polarssl / mbedtls builds to break when no --tls-cipher is specified.

  Import the upstream fix commit as patch until the next OpenVPN release gets released and packaged.

  Reported-by: Sebastian Koch <seb@metafly.info>
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: update to 2.3.11
  Magnus Kroken, 2016-06-13, 3 files, -4/+25

  Security fixes:
  * Fixed port-share bug with DoS potential
  * Fix buffer overflow by user supplied data

  Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11

  Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: add support for tls-version-min
  Matteo Panella, 2016-06-07, 2 files, -2/+2

  Currently, the uci data model does not provide support for specifying the minimum TLS version supported in an OpenVPN instance (be it server or client).

  This patch adds support for writing the relevant option to the openvpn configuration file at service startup.

  Signed-off-by: Matteo Panella <morpheus@level28.org>
  [Jo-Philipp Wich: shorten commit title, bump pkg release]
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: remove unrecognized option
  Dirk Neukirchen, 2016-06-01, 1 file, -1/+0

  removed upstream in
  https://github.com/OpenVPN/openvpn/commit/9ffd00e7541d83571b9eec087c6b3545ff68441f
  now it's always on

  Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
* openvpn: add support for X.509 name options
  John Crispin, 2016-03-08, 1 file, -0/+1

  x509-username-field was added in OpenVPN 2.2, and verify-x509-name was added in 2.3.

  This fixes ticket #18807.

  Signed-off-by: Jeffery To <jeffery.to@gmail.com>

  SVN-Revision: 48969
* openvpn: update to version 2.3.10
  Felix Fietkau, 2016-01-11, 5 files, -276/+5

  Signed-off-by: Felix Fietkau <nbd@openwrt.org>

  SVN-Revision: 48201
* openvpn: added service_triggers() to init script
  Felix Fietkau, 2016-01-07, 1 file, -0/+4

  Follow up of #21469

  This patch enables autoreloading openvpn via procd.

  Signed-off-by: Federico Capoano <nemesis@ninux.org>

  SVN-Revision: 48150
* openvpn: fix configure options
  John Crispin, 2015-12-23, 1 file, -2/+1

  - eurephia: commit: Remove the --disable-eurephia configure option
  - fix option name: http proxy option is now called http-proxy (see configure.ac)

  fixes:
  configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http

  Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

  SVN-Revision: 47979
* openvpn: enable options consistency check even in the small build
  Felix Fietkau, 2015-11-10, 1 file, -0/+12

  Only costs about 3k compressed, but significantly improves handling of configuration mismatch

  Signed-off-by: Felix Fietkau <nbd@openwrt.org>

  SVN-Revision: 47439
* openvpn: add handling for route-pre-down option
  John Crispin, 2015-10-05, 1 file, -1/+1

  OpenVPN 2.3 added a route-pre-down option, to run a command before routes are removed upon disconnection.

  Signed-off-by: Jeffery To <jeffery.to@gmail.com>

  SVN-Revision: 47134
* openvpn: remove __DATE__ from options output
  Felix Fietkau, 2015-09-11, 1 file, -0/+10

  reported by:
  https://reproducible.debian.net/openwrt/dbd/ar71xx/base/openvpn-nossl_2.3.7-1_ar71xx.ipk.html

  Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

  SVN-Revision: 46860
* package: replace ifconfig-usage with ip
  Steven Barth, 2015-09-08, 1 file, -1/+1

  Signed-off-by: Steven Barth <steven@midlink.org>

  SVN-Revision: 46832
* openvpn: bump to 2.3.7.
  Felix Fietkau, 2015-06-18, 5 files, -78/+6

  Two patches are dropped as they were already applied upstream.

  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

  SVN-Revision: 46027
* openvpn: bump PKG_RELEASE.
  Felix Fietkau, 2015-06-14, 1 file, -1/+1

  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

  SVN-Revision: 45962
* openvpn: let instances drop to nobody in default config.
  Felix Fietkau, 2015-06-14, 1 file, -0/+2

  This is for security precautions. As persist_tun and persist_key are already there, this should not cause compatibility issues.

  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

  SVN-Revision: 45961
* openvpn: fix handling option auth_retry.
  Felix Fietkau, 2015-06-14, 1 file, -2/+2

  As reported in ticket #19104, auth_retry takes a <type> argument with 3 choices: none, nointeract, interact.

  Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>

  SVN-Revision: 45960
* openvpn: replace polarssl run-time version check with a compile-time one
  Felix Fietkau, 2015-05-05, 1 file, -0/+11

  Signed-off-by: Felix Fietkau <nbd@openwrt.org>

  SVN-Revision: 45608
* openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101)
  Jo-Philipp Wich, 2015-05-04, 2 files, -1/+17

  OpenVPN assumes that its control channel messages are sent and received unfragmented, this assumption is broken when CBC record splitting is enabled in mbedTLS.

  The record splitting is intended as countermeasure against BEAST attacks which do not apply to OpenVPN, therefore we simply disable it until upstream OpenVPN gains the ability to process fragmented control messages.

  Disabling the splitting also works around a (not remotely triggerable) segmentation fault in mbedTLS.

  References:
  * https://dev.openwrt.org/ticket/19101
  * https://community.openvpn.net/openvpn/ticket/524
  * https://github.com/ARMmbed/mbedtls/pull/185

  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

  SVN-Revision: 45602
* openvpn: autostart openvpn instances for each .conf file in /etc/openvpn
  Jo-Philipp Wich, 2015-02-07, 2 files, -4/+32

  Align init behaviour with other distros by starting an OpenVPN instance for each config file found in /etc/openvpn/. This removes the additional requirement to "register" the configs with uci and thus simplifies the setup.

  Make sure to respect the disabled state in uci to not suddenly autostart instances which have been previously set to disabled, also skip configs which are already started due to uci configuration.

  Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

  SVN-Revision: 44310
* openvpn: procd_set_param respawn
  John Crispin, 2015-01-08, 1 file, -0/+1

  Makes sure that the openvpn instance gets restarted in case of a crash.

  Intentional stops using /etc/init.d/openvpn stop will not result in respawning. Anything else will, e.g. killall openvpn.

  Signed-off-by: Lars Gierth <larsg@systemli.org>

  SVN-Revision: 43886