openvpn: Update to version 2.5.4

  - Update from 2.5.0 to 2.5.4
- Update rootfile
- Tested new version in vm testbed. Openvpn server successfully started.
   Client connections working with 2.5.0 also successfully worked with 2.5.4
- Changelog
   Overview of changes in 2.5.4
    Bugfixes
     - fix prompting for password on windows console if stderr redirection
       is in use - this breaks 2.5.x on Win11/ARM, and might also break
       on Win11/adm64 when released.
     - fix setting MAC address on TAP adapters (--lladdr) to use sitnl
       (was overlooked, and still used "ifconfig" calls)
     - various improvements for man page building (rst2man/rst2html etc)
     - minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
       at least one platform strictly checking this)
     - fix minor memory leak under certain conditions in add_route() and
       add_route_ipv6()
    User-visible Changes
     - documentation improvements
     - copyright updates where needed
     - better error reporting when win32 console access fails
    New features
     - also build man page on Windows builds
   Overview of changes in 2.5.3
    Bugfixes
     - CVE-2121-3606
       see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
       OpenVPN windows builds could possibly load OpenSSL Config files from
       world writeable locations, thus posing a security risk to OpenVPN.
       As a fix, disable OpenSSL config loading completely on Windows.
     - disable connect-retry backoff for p2p (--secret) instances
       (Trac #1010, #1384)
     - fix build with mbedtls w/o SSL renegotiation support
     - Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)
     - MSI installers: properly schedule reboot in the end of installation
     - fix small memory leak in free_key_ctx for auth_token
    User-visible Changes
     - update copyright messages in files and --version output
    New features
     - add --auth-token-user option (for --auth-token deployments without
       --auth-user-pass in client config)
     - improve MSVC building for Windows
     - official MSI installers will now contain arm64 drivers and binaries
       (x86, amd64, arm64)
   Overview of changes in 2.5.2
    Bugfixes
     - CVE-2020-15078
       see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
       This bug allows - under very specific circumstances - to trick a
       server using delayed authentication (plugin or management) into
       returning a PUSH_REPLY before the AUTH_FAILED message, which can
       possibly be used to gather information about a VPN setup.
       In combination with "--auth-gen-token" or an user-specific token auth
       solution it can be possible to get access to a VPN with an
       otherwise-invalid account.
     - restore pushed "ping" settings correctly on a SIGUSR1 restart
     - avoid generating unecessary mbed debug messages - this is actually
       a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
       ED curves - mbedTLS crashes on preparing debug infos that we do not
       actually need unless running with "--verb 8"
     - do not print inlined (<dh>...</dh>) Diffie Hellman parameters to log file
     - fix Linux/SITNL default route lookup in case of multiple routing tables
       with more than one default route present (always use "main table" for now)
     - Fix CRL file handling in combination with chroot
    User-visible Changes
     - OpenVPN will now refuse to start if CRL file is not present at startup
       time.  At "reload time" absense of the CRL file is still OK (and the
       in memory copy is used) but at startup it is now considered an error.
    New features
     - printing of the TLS ciphers negotiated has been extended, especially
       displaying TLS 1.3 and EC certificates more correctly.
   Overview of changes in 2.5.1
    New features
     - "echo msg" support, to enable the server to pushed messages that are
       then displayed by the client-side GUI.  See doc/gui-notes.txt and
       doc/management-notes.txt.
       Supported by the Windows GUI shipped in 2.5.1, not yet supported by
       Tunnelblick and the Android GUI.
    User-visible Changes
     - make OPENVPN_PLUGIN_ENABLE_PF plugin failures FATAL - if a plugin offers
       to set the "openvpn packet filter", and returns a failure when requested
       to, OpenVPN 2.5.0 would crash trying to clean up not-yet-initialized
       structure members.  Since PF is going away in 2.6.0, this is just turning
       the crash into a well-defined program abort, and no further effort has
       been spent in rewriting the PF plugin error handling (see trac #1377).
    Documentation
     - rework sample-plugins/defer/simple.c - this is an extensive rewrite
       of the plugin to bring code quality to acceptable standards and add
       documentation on the various plugin API aspects.  Since it's just
       example code, filed under "Documentation", not under "Bugfix".
     - various man page improvements.
     - clarify ``--block-ipv6`` intent and direction
    Bugfixes
     - fix installation of openvpn.8 manpage on systems without docutils.
     - Windows: fix DNS search list setup for domains with "-" chars.
     - Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
     - Windows: Skip DHCP renew with Wintun adapter (Wintun does not support
       DHCP, so this was just causing an - harmless - error and needless delay).
     - Windows: Remove 1 second delay before running netsh - speeds up
       interface init for wintun setups not using the interactive service.
     - Windows: Fix too early argv freeing when registering DNS - this would
       cause a client side crash on Windows if ``register-dns`` is used,
       and the interactive service is not used.
     - Android: Zero initialise msghdr prior to calling sendmesg.
     - Fix line number reporting on config file errors after <inline> segments
       (see Trac #1325).
     - Fix port-share option with TLS-Crypt v2.
     - tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key), otherwise
       dropping privs on the server would fail.
     - tls-crypt-v2: fix server memory leak (about 600 bytes per connecting
       client with tls-crypt-v2)
     - rework handling of server-pushed ``--auth-token`` in combination with
       ``--auth-nocache`` on reconnection / TLS renegotiation events.  This
       used to "forget" to update new incoming token after a reconnection event
       (leading to failure to reauth some time later) and now works in all
       tested cases.

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/openvpn | 5 +++++
 lfs/openvpn                     | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
  

Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> On 10 Nov 2021, at 11:09, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> - Update from 2.5.0 to 2.5.4
> - Update rootfile
> - Tested new version in vm testbed. Openvpn server successfully started.
>   Client connections working with 2.5.0 also successfully worked with 2.5.4
> - Changelog
>   Overview of changes in 2.5.4
>    Bugfixes
>     - fix prompting for password on windows console if stderr redirection
>       is in use - this breaks 2.5.x on Win11/ARM, and might also break
>       on Win11/adm64 when released.
>     - fix setting MAC address on TAP adapters (--lladdr) to use sitnl
>       (was overlooked, and still used "ifconfig" calls)
>     - various improvements for man page building (rst2man/rst2html etc)
>     - minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
>       at least one platform strictly checking this)
>     - fix minor memory leak under certain conditions in add_route() and
>       add_route_ipv6()
>    User-visible Changes
>     - documentation improvements
>     - copyright updates where needed
>     - better error reporting when win32 console access fails
>    New features
>     - also build man page on Windows builds
>   Overview of changes in 2.5.3
>    Bugfixes
>     - CVE-2121-3606
>       see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
>       OpenVPN windows builds could possibly load OpenSSL Config files from
>       world writeable locations, thus posing a security risk to OpenVPN.
>       As a fix, disable OpenSSL config loading completely on Windows.
>     - disable connect-retry backoff for p2p (--secret) instances
>       (Trac #1010, #1384)
>     - fix build with mbedtls w/o SSL renegotiation support
>     - Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)
>     - MSI installers: properly schedule reboot in the end of installation
>     - fix small memory leak in free_key_ctx for auth_token
>    User-visible Changes
>     - update copyright messages in files and --version output
>    New features
>     - add --auth-token-user option (for --auth-token deployments without
>       --auth-user-pass in client config)
>     - improve MSVC building for Windows
>     - official MSI installers will now contain arm64 drivers and binaries
>       (x86, amd64, arm64)
>   Overview of changes in 2.5.2
>    Bugfixes
>     - CVE-2020-15078
>       see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
>       This bug allows - under very specific circumstances - to trick a
>       server using delayed authentication (plugin or management) into
>       returning a PUSH_REPLY before the AUTH_FAILED message, which can
>       possibly be used to gather information about a VPN setup.
>       In combination with "--auth-gen-token" or an user-specific token auth
>       solution it can be possible to get access to a VPN with an
>       otherwise-invalid account.
>     - restore pushed "ping" settings correctly on a SIGUSR1 restart
>     - avoid generating unecessary mbed debug messages - this is actually
>       a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
>       ED curves - mbedTLS crashes on preparing debug infos that we do not
>       actually need unless running with "--verb 8"
>     - do not print inlined (<dh>...</dh>) Diffie Hellman parameters to log file
>     - fix Linux/SITNL default route lookup in case of multiple routing tables
>       with more than one default route present (always use "main table" for now)
>     - Fix CRL file handling in combination with chroot
>    User-visible Changes
>     - OpenVPN will now refuse to start if CRL file is not present at startup
>       time.  At "reload time" absense of the CRL file is still OK (and the
>       in memory copy is used) but at startup it is now considered an error.
>    New features
>     - printing of the TLS ciphers negotiated has been extended, especially
>       displaying TLS 1.3 and EC certificates more correctly.
>   Overview of changes in 2.5.1
>    New features
>     - "echo msg" support, to enable the server to pushed messages that are
>       then displayed by the client-side GUI.  See doc/gui-notes.txt and
>       doc/management-notes.txt.
>       Supported by the Windows GUI shipped in 2.5.1, not yet supported by
>       Tunnelblick and the Android GUI.
>    User-visible Changes
>     - make OPENVPN_PLUGIN_ENABLE_PF plugin failures FATAL - if a plugin offers
>       to set the "openvpn packet filter", and returns a failure when requested
>       to, OpenVPN 2.5.0 would crash trying to clean up not-yet-initialized
>       structure members.  Since PF is going away in 2.6.0, this is just turning
>       the crash into a well-defined program abort, and no further effort has
>       been spent in rewriting the PF plugin error handling (see trac #1377).
>    Documentation
>     - rework sample-plugins/defer/simple.c - this is an extensive rewrite
>       of the plugin to bring code quality to acceptable standards and add
>       documentation on the various plugin API aspects.  Since it's just
>       example code, filed under "Documentation", not under "Bugfix".
>     - various man page improvements.
>     - clarify ``--block-ipv6`` intent and direction
>    Bugfixes
>     - fix installation of openvpn.8 manpage on systems without docutils.
>     - Windows: fix DNS search list setup for domains with "-" chars.
>     - Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
>     - Windows: Skip DHCP renew with Wintun adapter (Wintun does not support
>       DHCP, so this was just causing an - harmless - error and needless delay).
>     - Windows: Remove 1 second delay before running netsh - speeds up
>       interface init for wintun setups not using the interactive service.
>     - Windows: Fix too early argv freeing when registering DNS - this would
>       cause a client side crash on Windows if ``register-dns`` is used,
>       and the interactive service is not used.
>     - Android: Zero initialise msghdr prior to calling sendmesg.
>     - Fix line number reporting on config file errors after <inline> segments
>       (see Trac #1325).
>     - Fix port-share option with TLS-Crypt v2.
>     - tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key), otherwise
>       dropping privs on the server would fail.
>     - tls-crypt-v2: fix server memory leak (about 600 bytes per connecting
>       client with tls-crypt-v2)
>     - rework handling of server-pushed ``--auth-token`` in combination with
>       ``--auth-nocache`` on reconnection / TLS renegotiation events.  This
>       used to "forget" to update new incoming token after a reconnection event
>       (leading to failure to reauth some time later) and now works in all
>       tested cases.
> 
> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
> config/rootfiles/common/openvpn | 5 +++++
> lfs/openvpn                     | 4 ++--
> 2 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index 41ccc885e..6c3457d01 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -18,7 +18,12 @@ usr/sbin/openvpn
> #usr/share/doc/openvpn/README.auth-pam
> #usr/share/doc/openvpn/README.down-root
> #usr/share/doc/openvpn/README.mbedtls
> +#usr/share/doc/openvpn/gui-notes.txt
> #usr/share/doc/openvpn/management-notes.txt
> +#usr/share/doc/openvpn/openvpn-examples.5.html
> +#usr/share/doc/openvpn/openvpn.8.html
> +#usr/share/man/man5/openvpn-examples.5
> +#usr/share/man/man8/openvpn.8
> var/ipfire/ovpn/ca
> var/ipfire/ovpn/caconfig
> var/ipfire/ovpn/ccd
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 81ccc52bf..82e819bfe 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 2.5.0
> +VER        = 2.5.4
> 
> THISAPP    = openvpn-$(VER)
> DL_FILE    = $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_MD5 = ba426e2217833b522810d6c06f7cc8f7
> +$(DL_FILE)_MD5 = 336be3b2388cdc65dd8c81f22b1c2836
> 
> install : $(TARGET)
> 
> -- 
> 2.33.1
>
  

Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

> - Update from 2.5.0 to 2.5.4
> - Update rootfile
> - Tested new version in vm testbed. Openvpn server successfully started.
>     Client connections working with 2.5.0 also successfully worked with 2.5.4
> - Changelog
>     Overview of changes in 2.5.4
>      Bugfixes
>       - fix prompting for password on windows console if stderr redirection
>         is in use - this breaks 2.5.x on Win11/ARM, and might also break
>         on Win11/adm64 when released.
>       - fix setting MAC address on TAP adapters (--lladdr) to use sitnl
>         (was overlooked, and still used "ifconfig" calls)
>       - various improvements for man page building (rst2man/rst2html etc)
>       - minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
>         at least one platform strictly checking this)
>       - fix minor memory leak under certain conditions in add_route() and
>         add_route_ipv6()
>      User-visible Changes
>       - documentation improvements
>       - copyright updates where needed
>       - better error reporting when win32 console access fails
>      New features
>       - also build man page on Windows builds
>     Overview of changes in 2.5.3
>      Bugfixes
>       - CVE-2121-3606
>         see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
>         OpenVPN windows builds could possibly load OpenSSL Config files from
>         world writeable locations, thus posing a security risk to OpenVPN.
>         As a fix, disable OpenSSL config loading completely on Windows.
>       - disable connect-retry backoff for p2p (--secret) instances
>         (Trac #1010, #1384)
>       - fix build with mbedtls w/o SSL renegotiation support
>       - Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)
>       - MSI installers: properly schedule reboot in the end of installation
>       - fix small memory leak in free_key_ctx for auth_token
>      User-visible Changes
>       - update copyright messages in files and --version output
>      New features
>       - add --auth-token-user option (for --auth-token deployments without
>         --auth-user-pass in client config)
>       - improve MSVC building for Windows
>       - official MSI installers will now contain arm64 drivers and binaries
>         (x86, amd64, arm64)
>     Overview of changes in 2.5.2
>      Bugfixes
>       - CVE-2020-15078
>         see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
>         This bug allows - under very specific circumstances - to trick a
>         server using delayed authentication (plugin or management) into
>         returning a PUSH_REPLY before the AUTH_FAILED message, which can
>         possibly be used to gather information about a VPN setup.
>         In combination with "--auth-gen-token" or an user-specific token auth
>         solution it can be possible to get access to a VPN with an
>         otherwise-invalid account.
>       - restore pushed "ping" settings correctly on a SIGUSR1 restart
>       - avoid generating unecessary mbed debug messages - this is actually
>         a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
>         ED curves - mbedTLS crashes on preparing debug infos that we do not
>         actually need unless running with "--verb 8"
>       - do not print inlined (<dh>...</dh>) Diffie Hellman parameters to log file
>       - fix Linux/SITNL default route lookup in case of multiple routing tables
>         with more than one default route present (always use "main table" for now)
>       - Fix CRL file handling in combination with chroot
>      User-visible Changes
>       - OpenVPN will now refuse to start if CRL file is not present at startup
>         time.  At "reload time" absense of the CRL file is still OK (and the
>         in memory copy is used) but at startup it is now considered an error.
>      New features
>       - printing of the TLS ciphers negotiated has been extended, especially
>         displaying TLS 1.3 and EC certificates more correctly.
>     Overview of changes in 2.5.1
>      New features
>       - "echo msg" support, to enable the server to pushed messages that are
>         then displayed by the client-side GUI.  See doc/gui-notes.txt and
>         doc/management-notes.txt.
>         Supported by the Windows GUI shipped in 2.5.1, not yet supported by
>         Tunnelblick and the Android GUI.
>      User-visible Changes
>       - make OPENVPN_PLUGIN_ENABLE_PF plugin failures FATAL - if a plugin offers
>         to set the "openvpn packet filter", and returns a failure when requested
>         to, OpenVPN 2.5.0 would crash trying to clean up not-yet-initialized
>         structure members.  Since PF is going away in 2.6.0, this is just turning
>         the crash into a well-defined program abort, and no further effort has
>         been spent in rewriting the PF plugin error handling (see trac #1377).
>      Documentation
>       - rework sample-plugins/defer/simple.c - this is an extensive rewrite
>         of the plugin to bring code quality to acceptable standards and add
>         documentation on the various plugin API aspects.  Since it's just
>         example code, filed under "Documentation", not under "Bugfix".
>       - various man page improvements.
>       - clarify ``--block-ipv6`` intent and direction
>      Bugfixes
>       - fix installation of openvpn.8 manpage on systems without docutils.
>       - Windows: fix DNS search list setup for domains with "-" chars.
>       - Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
>       - Windows: Skip DHCP renew with Wintun adapter (Wintun does not support
>         DHCP, so this was just causing an - harmless - error and needless delay).
>       - Windows: Remove 1 second delay before running netsh - speeds up
>         interface init for wintun setups not using the interactive service.
>       - Windows: Fix too early argv freeing when registering DNS - this would
>         cause a client side crash on Windows if ``register-dns`` is used,
>         and the interactive service is not used.
>       - Android: Zero initialise msghdr prior to calling sendmesg.
>       - Fix line number reporting on config file errors after <inline> segments
>         (see Trac #1325).
>       - Fix port-share option with TLS-Crypt v2.
>       - tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key), otherwise
>         dropping privs on the server would fail.
>       - tls-crypt-v2: fix server memory leak (about 600 bytes per connecting
>         client with tls-crypt-v2)
>       - rework handling of server-pushed ``--auth-token`` in combination with
>         ``--auth-nocache`` on reconnection / TLS renegotiation events.  This
>         used to "forget" to update new incoming token after a reconnection event
>         (leading to failure to reauth some time later) and now works in all
>         tested cases.
> 
> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   config/rootfiles/common/openvpn | 5 +++++
>   lfs/openvpn                     | 4 ++--
>   2 files changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
> index 41ccc885e..6c3457d01 100644
> --- a/config/rootfiles/common/openvpn
> +++ b/config/rootfiles/common/openvpn
> @@ -18,7 +18,12 @@ usr/sbin/openvpn
>   #usr/share/doc/openvpn/README.auth-pam
>   #usr/share/doc/openvpn/README.down-root
>   #usr/share/doc/openvpn/README.mbedtls
> +#usr/share/doc/openvpn/gui-notes.txt
>   #usr/share/doc/openvpn/management-notes.txt
> +#usr/share/doc/openvpn/openvpn-examples.5.html
> +#usr/share/doc/openvpn/openvpn.8.html
> +#usr/share/man/man5/openvpn-examples.5
> +#usr/share/man/man8/openvpn.8
>   var/ipfire/ovpn/ca
>   var/ipfire/ovpn/caconfig
>   var/ipfire/ovpn/ccd
> diff --git a/lfs/openvpn b/lfs/openvpn
> index 81ccc52bf..82e819bfe 100644
> --- a/lfs/openvpn
> +++ b/lfs/openvpn
> @@ -24,7 +24,7 @@
>   
>   include Config
>   
> -VER        = 2.5.0
> +VER        = 2.5.4
>   
>   THISAPP    = openvpn-$(VER)
>   DL_FILE    = $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>   
>   $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>   
> -$(DL_FILE)_MD5 = ba426e2217833b522810d6c06f7cc8f7
> +$(DL_FILE)_MD5 = 336be3b2388cdc65dd8c81f22b1c2836
>   
>   install : $(TARGET)
>   
>