From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Cc: Adolf Belka <adolf.belka@ipfire.org>
Subject: [PATCH 1/7] openvpn: Update to version 2.7.1
Date: Sat, 11 Apr 2026 13:45:26 +0200
Message-ID: <20260411114532.43348-1-adolf.belka@ipfire.org>
- Update from version 2.6.19 to 2.7.1
- Update of rootfile
- Changelog
2.7.1
Bugfixes
Fix usage of --lport inside a <connection> block - this got broken with the multi-socket patchset (GH #995)
Do not try to run auto-pam unit test when cross-compiling.
Do not break private-key passphrases of length >= 64 (GH #993)
Fix obscure ASSERT() crash on TCP connects with TAP and no ip config.
Make DCO work on FreeBSD systems that have no IPv4 support in kernel (FreeBSD PR 286263)
Make DCO work on Linux on big endian systems (namely, MIPS and PowerPC) (GH OpenVPN/ovpn-dco#96)
New features
Add a new username-only flag argument to --auth-user-pass which will now make OpenVPN only query for username and send a dummy password to the server. This is only useful if auth schemes are used on the server side that will do some sort of external challenge based on username, and not password authentication. See discussion in GH #501 (starting Jan 30, 2024).
Increase default sizing of internal hash maps to 4 * --max-clients. The default used to be 256 with a --max-clients default of 1024 - this is bad for performance, while the memory savings are minimal. On a very memory constrained system, reduce --max-clients.
Long-term code maintenance
Work on OpenSSL 4.0 API support, reducing use of ASN1_STRING members.
Remove obsolete OpenSSL 1.0.x support code from unit tests.
Improve documentation of management client versioning, replace magic numbers in the code with an enum type.
Fixup responses to management interface version command (for >= 4).
Make --enable-async-push work on FreeBSD 15 (which has native inotify support, and consequently no libinotify.pc anymore)
Adjust some code parts to new "const" handling on string function returns (ISO C23, as implemented by glibc 2.43 and newer).
Remove erroneous usage of M_ERR | M_ERRNO throughout the code.
User-visible Changes
When compiled with the AWS-LC SSL library, using --tls-cert-profile will now print a run-time warning - the library does not support it, so it would silently do nothing.
Systemd unit files: change LimitNPROC to TasksMax and increase limit (GH: #929)
Documentation improvements.
port-share: log incoming connections at verb 3, not on error level anymore (GH: #976).
2.7.0
New features
Multi-socket support for servers
OpenVPN servers now can listen on multiple sockets at the same time. Multiple --local statements in the configuration can be used to configure this. This way the same server can e.g. listen for UDP and TCP connections at the same time, or listen on multiple addresses and/or ports.
Client implementations for DNS options sent by server for Linux/BSD/macOS
Linux, BSD and macOS versions of OpenVPN now ship with a per-platform default --dns-updown script that implements proper handling of DNS configuration sent by the server. The scripts should work on systems that use systemd or resolveconf to manage the DNS setup, as well as raw /etc/resolv.conf files. However, the exact features supported will depend on the configuration method. On Linux and MacOS this should usually make split-DNS configurations supported out-of-the-box now.
Note that this new script will not be used by default if a --up script is already in use to reduce problems with backwards compatibility.
See documentation for --dns-updown and --dns for more details.
New client implementation for DNS options sent by server for Windows
The Windows client now uses NRPT (Name Resolution Policy Table) to handle DNS configurations. This adds support for split-DNS and DNSSEC and improves the compatibility with local DNS resolvers. Requires the interactive service.
On Windows the block-local flag is now enforced with WFP filters.
The block-local flag to --redirect-gateway and --redirect-private is now also enforced via the Windows Firewall, making sure packets can't be sent to the local network. This provides stronger protection against TunnelCrack-style attacks.
Windows network adapters are now generated on demand
This means that on systems that run multiple OpenVPN connections at the same time the users don't need to manually create enough network adapters anymore (in addition to the ones created by the installer).
Windows automatic service now runs as an unprivileged user
All tasks that need privileges are now delegated to the interactive service. NOTE this has the risk of breaking existing setups if the Windows certificate store is used (cryptoapi), and the certificates are not readable for NT SERVICE\OpenVPNService.
Support for new version of Linux DCO module
OpenVPN DCO module is moving upstream and being merged into the main Linux kernel. For this process some API changes were required. OpenVPN 2.7 will only support the new API. The new module is called ovpn. Out-of-tree builds for older kernels are available. Please see the release announcements for further information.
Support for server mode in win-dco driver
On Windows the win-dco driver can now be used in server setups.
Support for TLS client floating in DCO implementations
The kernel modules will detect clients floating to a new IP address and notify userland so both data packets (kernel) and TLS packets (sent by userland) can reach the new client IP. (Actual support depends on recent-enough kernel implementation)
Enforcement of AES-GCM usage limit
OpenVPN will now enforce the usage limits on AES-GCM with the same confidentiality margin as TLS 1.3 does. This means that renegotiation will be triggered after roughly 2^28 to 2^31 packets depending on the packet size. More details about the usage limit of AES-GCM can be found here:
https://datatracker.ietf.org/doc/draft-irtf-cfrg-aead-limits/
Epoch data keys and packet format
This introduces the epoch data format for AEAD data channel ciphers in TLS mode. This new data format has a number of improvements over the standard "DATA_V2" format.
AEAD tag at the end of packet which is more hardware implementation friendly
Automatic key switchover when cipher usage limits are hit, similar to the epoch data keys in (D)TLS 1.3
64 bit instead of 32 bit packet ids to allow the data channel to be ready for 10 GBit/s without having frequent renegotiation
IV constructed with XOR instead of concatenation to not have (parts) of the real IV on the wire
Support for Epoch data channel on Windows, using the win-dco driver (2.8.0+)
Default ciphers in --data-ciphers
Ciphers in --data-ciphers can contain the string DEFAULT that is replaced by the default ciphers used by OpenVPN, making it easier to add an allowed cipher without having to spell out the default ciphers.
TLS alerts
OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS session shuts down or when the TLS implementation informs the peer about an error in the TLS session (e.g. mismatching TLS versions). This improves the user experience as the client shows an error instead of running into a timeout when the server just stops responding completely.
Support for tun/tap via unix domain socket and lwipovpn support
To allow better testing and emulating a full client with a full network stack OpenVPN now allows a program executed to provide a tun/tap device instead of opening a device.
The co-developed lwipovpn program based on the lwIP stack allows simulating a full IP stack. An OpenVPN client using --dev-node unix:/path/to/lwipovpn can emulate a full client that can be pinged, can serve a website and more without requiring any elevated permission. This can make testing OpenVPN much easier.
For more details see lwipovpn on Github.
Allow overriding username with --override-username
This is intended to allow using --auth-gen-token in scenarios where the clients use certificates and multi-factor authentication. This will also generate a push "auth-token-user newusername" directive in push replies.
--port-share now properly supports IPv6
Issues with logging of IPv6 addresses were fixed. The feature now allows IPv6 connections towards the proxy receiver.
Support for Haiku OS
TLS1.3 support with mbedTLS (requires mbedTLS >= 3.6.4)
PUSH_UPDATE client support
It is now possible to update parts of the client-side configuration (IP address, routes, MTU, DNS) by sending a new server-to-client control message, PUSH_UPDATE,<options>. See also: https://openvpn.github.io/openvpn-rfc/openvpn-wire-protocol.html NOTE: PUSH_UPDATE client support is currently disabled if DCO is active (on all platforms).
PUSH_UPDATE server support (minimal)
New management interface commands push-update-broad and push-update-cid to send PUSH_UPDATE option updates to all clients ("there is a new DNS server") or only a specific client ID ("privileges have changed, here's a new IP address"). See doc/management-notes.txt NOTE: PUSH_UPDATE server support is currently disabled if DCO is active (on all platforms).
Support for user-defined routing tables on Linux
See the --route-table option in the manpage
PQE support for WolfSSL
Two new environment variables have been introduced to communicate desired default gateway redirection to plugins like Network Manager, route_redirect_gateway_ipv4 and route_redirect_gateway_ipv6. See the "Environmental Variables" section in the man page
Improved logging of service events/errors to event log on Windows.
"Recursive Routing" check is now more granular, and will only drop packets-in-tunnel if destination IP, protocol and port matches with those needed to reach the VPN server. With that change, you can now use policies that direct "everything that is not OpenVPN" into the tunnel, and have IP packets to the VPN server address arrive as expected (no such policies are currently installed by OpenVPN) (GH: #669).
COPYING: license details only relevant to our Windows installers have been updated and moved to the openvpn-build repo
Improved BYTECOUNT support - more strictly adhere to timing interval requested, correctly support client and server counters with Linux and Windows DCO offloading.
Improve compatibility with OpenSSL 3.6.0 (do not fail t_lpback selftest)
New option --tls-crypt-v2-max-age n to check tls-crypt-v2 timestamps (when a client is older than n days or has no timestamp, the server will reject it)
mbedTLS 4 support has been added.
Note that with mbedTLS 4 algorithms need to be translated to mbedTLS 4 internal IDs by OpenVPN, and some names might be missing.
Deprecated features
secret support has been removed (by default).
static key mode (non-TLS) is no longer considered "good and secure enough" for today's requirements. Use TLS mode instead. If deploying a PKI CA is considered "too complicated", using --peer-fingerprint makes TLS mode about as easy as using --secret.
This mode can still be enabled by using --allow-deprecated-insecure-static-crypto but will be removed in OpenVPN 2.8.
Support for wintun Windows driver has been removed.
OpenVPN 2.6 added support for the new dco-win driver, so it supported three different device drivers: dco-win, wintun, and tap-windows6. OpenVPN 2.7 now drops the support for wintun driver. By default all modern configs should be supported by dco-win driver. In all other cases OpenVPN will fall back automatically to tap-windows6 driver.
NTLMv1 authentication support for HTTP proxies has been removed.
This is considered an insecure method of authentication that uses obsolete crypto algorithms. NTLMv2 support is still available, but will be removed in a future release. When configured to authenticate with NTLMv1 (ntlm keyword in --http-proxy) OpenVPN will try NTLMv2 instead.
persist-key option has been enabled by default.
All the keys will be kept in memory across restart.
OpenSSL 1.0.2 support has been removed.
Support for building with OpenSSL 1.0.2 has been removed. The minimum supported OpenSSL version is now 1.1.0.
mbedTLS 2.x support has been removed
Support for building with mbedTLS 2.x has been removed (it is out of support since March 2025, and the necessary compatibility code is making maintenance and support for mbedTLS 4.x hard). The minimum supported mbedTLS version is now 3.2.1.
Compression on send has been removed.
OpenVPN 2.7 will never compress data before sending. Decompression of received data is still supported. --allow-compression yes is now an alias for --allow-compression asym.
--memstats feature removed
The --memstats option was largely undocumented and there is no known user of this feature. This feature provided very limited statistics (number of users, link bytes read/written) and we do not expect any usage because of this.
Using --push in a mode that is not --mode server will now print a clear warning that this is an unsupported operation and might cause negotiation failures.
--reneg-bytes and --reneg-packets do not work in DCO mode, and will now print an appropriate warning.
On-connect resolving of --remote addresses in --tcp-server mode was not working since 2.4, so the code was completely removed.
--opt-verify feature removed
This option was already deprecated and it is now being converted to a no-op. Using this option will only print a warning.
User-visible Changes
Default for --topology changed to subnet for --mode server. Previous releases always used net30 as default. This only affects configs with --mode server or --server (the latter implies the former), and --dev tun, and only if IPv4 is enabled. Note that this changes the semantics of --ifconfig, so if you have manual settings for that in your config but not set --topology your config might fail to parse with the new version. Just adding --topology net30 to the config should fix the problem. By default --topology is pushed from server to client.
--x509-username-field will no longer automatically convert fieldnames to uppercase. This was deprecated since OpenVPN 2.4, and has now been removed.
--dh none is now the default if --dh is not specified. Modern TLS implementations will prefer ECDH and other more modern algorithms anyway. And finite field Diffie Hellman is in the process of being deprecated (see draft-ietf-tls-deprecate-obsolete-kex)
--lport 0 does not imply --bind anymore.
--redirect-gateway now works correctly if the VPN remote is not reachable by the default gateway.
--show-gateway now supports querying the gateway for IPv4 addresses.
--static-challenge option now has a third parameter format that can change how password and challenge response should be combined.
--key and --cert now accept URIs implemented in OpenSSL 3 as well as optional OpenSSL 3 providers loaded using --providers option.
--cryptoapicert now supports issuer name as well as Windows CA template name or OID as selector string.
TLS handshake debugging information contains much more details now when using recent versions of OpenSSL.
The IV_PLAT_VER variable sent by Windows clients now contains the full Windows build version to make it possible to determine the Windows 10 or Windows 11 version used.
The --windows-driver option to select between various Windows drivers will no longer do anything - it's kept so existing configs will not become invalid, but it is ignored with a warning. The default is now ovpn-dco if all options used are compatible with DCO, with a fallback to tap-windows6. To force TAP (for example because a server pushes DCO incompatible options), use the --disable-dco option.
Apply more checks to incoming TLS handshake packets before creating new state - namely, verify message ID / acked ID for "valid range for an initial packet". This fixes a problem with clients that float very early but send control channel packet from the pre-float IP (Github: #704).
Use of --dh dh2048.pem in all sample configs has been replaced with --dh none. The dh2048.pem file has been removed.
The startup delay in t_client.sh has been reduced from 3s to 1s, making a noticeable difference for setups with many tests.
Changed from using uncrustify for code formatting and pre-commit checks to clang-format. This reformatted quite a bit of code, and requires that regular committers change their pre-commit checks accordingly.
On Linux, on interfaces where applicable, OpenVPN explicitly configures the broadcast address again. This was dropped for 2.6.0 "because computers are smart and can do it themselves", but the kernel netlink interface isn't, and will install "0.0.0.0". This does not normally matter, but for broadcast-based applications that get the address to use from "ifconfig", this change repairs functionality (this has been backported to 2.6.15, but is not in earlier 2.6 versions).
max-routes-per-client 0 used to be silently upgraded to 1. This now produces an error.
ifconfig and ifconfig-ipv6 values are now stored in pre-connect options cache, and will be restored to pre-connect values on reconnects if the server stops pushing the respective option.
tapctl.exe helper binary on Windows has been reworked to improve help texts (making clear that it can not only do TAP-Adapters but Win-DCO as well), add printing of the hwid to all adapter outputs, and change the default adapter type created to ovpn-dco.
The default for multihome egress interface handling has changed. 2.7.0 will default to ipi_ifindex=0, that is, leave the decision to the routing/policy setup of the operating system. The pre-2.7 behaviour (force egress = ingress interface) can be achieved with the new --multihome same-interface sub-option.
Windows openvpn.exe binary manifest now sets code page UTF8 - which has no direct effect on OpenVPN itself, but this repairs OpenSSL file loading for key/cert files with non-ASCII characters in their file names (GH: #920).
The test-crypto option no longer requires a --secret argument and will automatically generate a random key.
The configure-time option --enable-x509-alt-username is no longer conditional, and always-on (GH: #917).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/openvpn | 3 ++-
lfs/openvpn | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index 760fafd99..46c242d10 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -8,6 +8,8 @@ usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
#usr/lib/openvpn/plugins/openvpn-plugin-down-root.la
usr/lib/openvpn/plugins/openvpn-plugin-down-root.so
usr/lib/openvpn/verify
+#usr/libexec/openvpn
+usr/libexec/openvpn/dns-updown
usr/sbin/openvpn
usr/sbin/openvpn-authenticator
#usr/share/doc/openvpn
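Review bot: the new usr/libexec/openvpn/dns-updown entry ships the per-platform default --dns-updown script that the 2.7.0 changelog above describes, but the commit message does not say whether IPFire's generated server and client configurations will actually invoke it (the changelog notes it is skipped when an --up script is configured). Since this script rewrites the client's DNS setup when the server pushes DNS options, please state in the commit message whether the roadwarrior/N2N configs produced by ovpnmain.cgi are affected, and confirm the file is installed with the ownership and mode the openvpn binary expects when executing it.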
@@ -15,7 +17,6 @@ usr/sbin/openvpn-authenticator
#usr/share/doc/openvpn/COPYRIGHT.GPL
#usr/share/doc/openvpn/Changes.rst
#usr/share/doc/openvpn/README
-#usr/share/doc/openvpn/README.IPv6
#usr/share/doc/openvpn/README.auth-pam
#usr/share/doc/openvpn/README.down-root
#usr/share/doc/openvpn/README.mbedtls
diff --git a/lfs/openvpn b/lfs/openvpn
index 10f1f54c4..80eb94032 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -24,7 +24,7 @@
include Config
-VER = 2.6.19
+VER = 2.7.1
THISAPP = openvpn-$(VER)
DL_FILE = $(THISAPP).tar.gz
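Review bot: the VER bump from 2.6.19 to 2.7.1 is a major-version jump and the changelog quoted in this message lists defaults that existing generated configs may rely on: --topology now defaults to subnet in --mode server (a manual --ifconfig without --topology may fail to parse), --dh defaults to none, --secret static-key mode is disabled unless --allow-deprecated-insecure-static-crypto is set, compression on send is gone (--allow-compression yes now means asym), persist-key is on by default, and max-routes-per-client 0 is now an error. Patch 6/7 covers persist-key; please add a sentence to the commit message recording that the configs emitted by ovpnmain.cgi were checked against the other items (in particular --topology and any --secret or --comp-lzo/--compress usage), or reference the patch that handles them.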
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 4eabecd3be43c7a45dbf2fb92236f568d5273978b18d5068200277771a5f6cad5fd3cc138232812c7f2e3c9a7812e73ca63c362ec942f361401c0712dc7d8498
+$(DL_FILE)_BLAKE2 = a5f598a4f2366c3134578af6bf08750c3d4269ab036f1b49b44799174bca01dc4d79c8ddfce2b5948f186a7729cd96e428b74dda4a685bf44323aaa188739405
install : $(TARGET)
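Review bot: the $(DL_FILE)_BLAKE2 value is replaced but the commit message does not record how the new openvpn-2.7.1.tar.gz checksum was validated (e.g. against the upstream release signature) before being pinned here. Since this hash is the only integrity check the build performs on the downloaded source, please mention the verification source in the message so a second reviewer can reproduce it.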
--
2.53.0
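The AES-GCM usage-limit enforcement described in the 2.7.0 changelog above (renegotiation after roughly 2^28 to 2^31 packets depending on packet size) can be worked through from the bound in draft-irtf-cfrg-aead-limits. The block below is an added example for this page; it is not OpenVPN code and not part of the patch. It assumes the draft's confidentiality-advantage bound for AES-GCM, CA <= (s + q + 1)^2 / 2^129 with s the number of plaintext blocks and q the number of packets, and a 2^-57 target margin, the TLS 1.3 figure the changelog refers to. OpenVPN's actual constants and counting may differ from this derivation.

```python
"""Added example: AES-GCM usage budget from draft-irtf-cfrg-aead-limits.

Constructed for this page; it is not OpenVPN code. Assumptions:
  * the draft's CA bound for AES-GCM:  CA <= (s + q + 1)^2 / 2^129
        s = total 16-byte plaintext blocks, q = total packets under one key
  * a 2^-57 target margin, the TLS 1.3 figure the changelog refers to
"""
import math

BLOCK_BYTES = 16
CA_MARGIN_LOG2 = -57  # assumption: TLS 1.3 confidentiality margin


def usage_budget(margin_log2=CA_MARGIN_LOG2):
    """Largest s + q allowed under one key.

    (s + q + 1)^2 / 2^129 <= 2^margin  ->  s + q <= 2^((129 + margin) / 2) - 1
    With margin = -57 this is 2^36 - 1.
    """
    return int(2 ** ((129 + margin_log2) / 2)) - 1


def packets_before_rekey(plaintext_bytes, margin_log2=CA_MARGIN_LOG2):
    """Packets of a fixed size that fit in the budget.

    Every packet costs ceil(len / 16) units of s plus one unit of q, so
    larger packets exhaust the budget in fewer packets.
    """
    cost = math.ceil(plaintext_bytes / BLOCK_BYTES) + 1
    return usage_budget(margin_log2) // cost


class AeadUsageTracker:
    """Per-key counters of the kind a data channel keeps to decide when
    to trigger renegotiation (or an epoch key switchover)."""

    def __init__(self, margin_log2=CA_MARGIN_LOG2):
        self.budget = usage_budget(margin_log2)
        self.blocks = 0   # s
        self.packets = 0  # q

    def record(self, plaintext_bytes):
        """Account for one encrypted packet; True means 'rekey now'."""
        self.blocks += math.ceil(plaintext_bytes / BLOCK_BYTES)
        self.packets += 1
        return self.limit_reached()

    def limit_reached(self):
        return self.blocks + self.packets >= self.budget


if __name__ == "__main__":
    for size in (576, 1400, 1500, 9000):
        n = packets_before_rekey(size)
        print(f"{size:5d}-byte packets: rekey after about 2^{math.log2(n):.1f} packets")
```

For MTU-sized packets (1400 to 1500 bytes) the budget works out to a little under 2^30 packets, inside the range the changelog quotes; jumbo frames push it below 2^28 and very small packets above 2^31, which is why the upstream text says "depending on the packet size". The tracker is what makes the limit enforceable per key rather than per connection: once it reports True, the peer must negotiate a fresh key before sending more data with the old one.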
2026-04-11 11:45 Adolf Belka [this message]
2026-04-11 11:45 ` [PATCH 2/7] core202: Ship openvpn Adolf Belka
2026-04-11 11:45 ` [PATCH 3/7] core202: Ship ovpnmain.cgi Adolf Belka
2026-04-11 11:45 ` [PATCH 4/7] ovpnmain.cgi: Display only IP for Real Address in Connection Statistics Page Adolf Belka
2026-04-11 11:45 ` [PATCH 5/7] ovpnmain.cgi: Change status extraction for RW connection statistics page Adolf Belka
2026-04-11 11:45 ` [PATCH 6/7] ovpnmain.cgi: remove persist-key as this is now default Adolf Belka
2026-04-11 11:45 ` [PATCH 7/7] ovpnmain.cgi: Update status extraction for Connection Status Adolf Belka