From 2e55fc8b2d42682cd1c26e9827b7b6f47fb51398 Mon Sep 17 00:00:00 2001 From: Magnus Kroken Date: Tue, 1 Dec 2020 10:57:07 +0100 Subject: openvpn: update to 2.5.0 New features: * Per client tls-crypt keys * ChaCha20-Poly1305 can be used to encrypt the data channel * Routes are added/removed via Netlink instead of ifconfig/route (unless iproute2 support is enabled). * VLAN support when using a TAP device Significant changes: * Server support can no longer be disabled. * Crypto support can no longer be disabled, remove nossl variant. * Blowfish (BF-CBC) is no longer implicitly the default cipher. OpenVPN peers prior to 2.4, or peers with data cipher negotiation disabled, will not be able to connect to a 2.5 peer unless option data_fallback_ciphers is set on the 2.5 peer and it contains a cipher supported by the client. Signed-off-by: Magnus Kroken --- net/openvpn/patches/220-disable_des.patch | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) (limited to 'net/openvpn/patches/220-disable_des.patch') diff --git a/net/openvpn/patches/220-disable_des.patch b/net/openvpn/patches/220-disable_des.patch index 2b8f47a80..9ddf1047b 100644 --- a/net/openvpn/patches/220-disable_des.patch +++ b/net/openvpn/patches/220-disable_des.patch @@ -1,24 +1,17 @@ --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h -@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t +@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t /* * Should we include NTLM proxy functionality */ --#if defined(ENABLE_CRYPTO) -#define NTLM 1 --#else -+//#if defined(ENABLE_CRYPTO) +//#define NTLM 1 -+//#else - #define NTLM 0 --#endif -+//#endif /* * Should we include proxy digest auth functionality --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c -@@ -319,6 +319,7 @@ int +@@ -383,6 +383,7 @@ int key_des_num_cblocks(const mbedtls_cipher_info_t *kt) { int ret = 0; @@ -26,7 +19,7 @@ if (kt->type == MBEDTLS_CIPHER_DES_CBC) { ret = 1; -@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher +@@ -395,6 +396,7 @@ key_des_num_cblocks(const mbedtls_cipher { ret = 3; } @@ -34,7 +27,7 @@ dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); return ret; -@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher +@@ -403,6 +405,7 @@ key_des_num_cblocks(const mbedtls_cipher bool key_des_check(uint8_t *key, int key_len, int ndc) { @@ -42,7 +35,7 @@ int i; struct buffer b; -@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len, +@@ -431,11 +434,15 @@ key_des_check(uint8_t *key, int key_len, err: return false; @@ -58,7 +51,7 @@ int i; struct buffer b; -@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len, +@@ -450,6 +457,7 @@ key_des_fixup(uint8_t *key, int key_len, } mbedtls_des_key_set_parity(key); } @@ -66,7 +59,7 @@ } /* -@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch +@@ -770,10 +778,12 @@ cipher_des_encrypt_ecb(const unsigned ch unsigned char *src, unsigned char *dst) { -- cgit v1.2.3