From 13592c14541b6dbd9e572b68f30b38fe9788f23f Mon Sep 17 00:00:00 2001 From: Magnus Kroken Date: Sat, 10 Dec 2016 12:11:33 +0100 Subject: [PATCH] openvpn: update to 2.4_rc2 OpenVPN 2.4 builds with mbedTLS 2.x, rename openvpn-polarssl variant to openvpn-mbedtls. Some feature highlights: * Data channel cipher negotiation * AEAD cipher support for data channel encryption (currently only * AES-GCM) * ECDH key exchange for control channel * LZ4 compression support See https://github.com/OpenVPN/openvpn/blob/master/Changes.rst for additional change notes. Signed-off-by: Magnus Kroken --- .../{Config-polarssl.in => Config-mbedtls.in} | 36 ++++++++-------- .../network/services/openvpn/Config-nossl.in | 4 ++ .../services/openvpn/Config-openssl.in | 4 ++ package/network/services/openvpn/Makefile | 17 ++++---- .../services/openvpn/files/openvpn.config | 11 ++++- .../001-reproducible-remove_DATE.patch | 8 ++-- ...bedtls-disable-runtime-version-check.patch | 11 +++++ ...larssl-disable-runtime-version-check.patch | 11 ----- ...ackport_upstream_polarssl_debug_call.patch | 33 --------------- .../patches/200-small_build_enable_occ.patch | 2 +- .../210-build_always_use_internal_lz4.patch | 41 +++++++++++++++++++ 11 files changed, 103 insertions(+), 75 deletions(-) rename package/network/services/openvpn/{Config-polarssl.in => Config-mbedtls.in} (58%) create mode 100644 package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch delete mode 100644 package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch delete mode 100644 package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch create mode 100644 package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch 
diff --git a/package/network/services/openvpn/Config-polarssl.in b/package/network/services/openvpn/Config-mbedtls.in
similarity index 58%
rename from package/network/services/openvpn/Config-polarssl.in
rename to package/network/services/openvpn/Config-mbedtls.in
index 26692ce04d..c1c8c7ac10 100644
--- a/package/network/services/openvpn/Config-polarssl.in
+++ b/package/network/services/openvpn/Config-mbedtls.in
@@ -1,62 +1,66 @@ -if PACKAGE_openvpn-polarssl +if PACKAGE_openvpn-mbedtls -config OPENVPN_polarssl_ENABLE_LZO +config OPENVPN_mbedtls_ENABLE_LZO bool "Enable LZO compression support" default y -config OPENVPN_polarssl_ENABLE_X509_ALT_USERNAME +config OPENVPN_mbedtls_ENABLE_LZ4 + bool "Enable LZ4 compression support" + default y + +config OPENVPN_mbedtls_ENABLE_X509_ALT_USERNAME bool "Enable the --x509-username-field feature" default n -config OPENVPN_polarssl_ENABLE_SERVER +config OPENVPN_mbedtls_ENABLE_SERVER bool "Enable server support (otherwise only client mode is support)" default y -#config OPENVPN_polarssl_ENABLE_EUREPHIA +#config OPENVPN_mbedtls_ENABLE_EUREPHIA # bool "Enable support for the eurephia plug-in" # default n -config OPENVPN_polarssl_ENABLE_MANAGEMENT +config OPENVPN_mbedtls_ENABLE_MANAGEMENT bool "Enable management server support" default n -#config OPENVPN_polarssl_ENABLE_PKCS11 +#config OPENVPN_mbedtls_ENABLE_PKCS11 # bool "Enable pkcs11 support" # default n -config OPENVPN_polarssl_ENABLE_HTTP +config OPENVPN_mbedtls_ENABLE_HTTP bool "Enable HTTP proxy support" default y -config OPENVPN_polarssl_ENABLE_SOCKS +config OPENVPN_mbedtls_ENABLE_SOCKS bool "Enable SOCKS proxy support" default y -config OPENVPN_polarssl_ENABLE_FRAGMENT +config OPENVPN_mbedtls_ENABLE_FRAGMENT bool "Enable internal fragmentation support (--fragment)" default y -config OPENVPN_polarssl_ENABLE_MULTIHOME +config OPENVPN_mbedtls_ENABLE_MULTIHOME bool "Enable multi-homed UDP server support (--multihome)" default y -config OPENVPN_polarssl_ENABLE_PORT_SHARE +config OPENVPN_mbedtls_ENABLE_PORT_SHARE bool "Enable TCP server port-share support (--port-share)" default y -config OPENVPN_polarssl_ENABLE_DEF_AUTH +config OPENVPN_mbedtls_ENABLE_DEF_AUTH bool "Enable deferred authentication" default y -config OPENVPN_polarssl_ENABLE_PF +config OPENVPN_mbedtls_ENABLE_PF bool "Enable internal packet filter" default y -config OPENVPN_polarssl_ENABLE_IPROUTE2 +config 
OPENVPN_mbedtls_ENABLE_IPROUTE2 bool "Enable support for iproute2" default n -config OPENVPN_polarssl_ENABLE_SMALL +config OPENVPN_mbedtls_ENABLE_SMALL bool "Enable size optimization" default y help diff --git a/package/network/services/openvpn/Config-nossl.in b/package/network/services/openvpn/Config-nossl.in index 3eaa228882..199cda0159 100644 --- a/package/network/services/openvpn/Config-nossl.in +++ b/package/network/services/openvpn/Config-nossl.in @@ -4,6 +4,10 @@ config OPENVPN_nossl_ENABLE_LZO bool "Enable LZO compression support" default y +config OPENVPN_nossl_ENABLE_LZ4 + bool "Enable LZ4 compression support" + default y + config OPENVPN_nossl_ENABLE_SERVER bool "Enable server support (otherwise only client mode is support)" default y diff --git a/package/network/services/openvpn/Config-openssl.in b/package/network/services/openvpn/Config-openssl.in index ac4c774b03..a2bc3de2a2 100644 --- a/package/network/services/openvpn/Config-openssl.in +++ b/package/network/services/openvpn/Config-openssl.in @@ -4,6 +4,10 @@ config OPENVPN_openssl_ENABLE_LZO bool "Enable LZO compression support" default y +config OPENVPN_openssl_ENABLE_LZ4 + bool "Enable LZ4 compression support" + default y + config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME bool "Enable the --x509-username-field feature" default n diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index abe1adf3b8..11b6aabe25 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile 
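Review bot: The new `OPENVPN_mbedtls_ENABLE_LZ4` option defaults to `y`, and the same `default y` is added in Config-nossl.in and Config-openssl.in in this commit, so every variant — including builds that select `ENABLE_SMALL` — now compiles in the bundled LZ4 copy that patch 210 forces, without the user opting in. Defaulting a second compression library on is a size and maintenance cost rather than a security gain, so `default n` would be the conservative choice for all three variants. The option also has no `help` block; adding one that states it links OpenVPN's internal `src/compat/compat-lz4.*` copy rather than a system liblz4 would make the trade-off visible in menuconfig.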
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
-PKG_VERSION:=2.3.13
+PKG_VERSION:=2.4_rc2
 PKG_RELEASE:=1
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0
+PKG_HASH:=3e5dbfda2c1c941bc61e5e067601b31f578ad4cdf3683e569014e18c2cc6e2e9
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
@@ -38,7 +38,7 @@ define Package/openvpn/Default
 endef
 Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+libopenssl)
-Package/openvpn-polarssl=$(call Package/openvpn/Default,polarssl,PolarSSL,+libpolarssl)
+Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+libmbedtls)
 Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
 define Package/openvpn/config/Default
@@ -46,11 +46,11 @@ define Package/openvpn/config/Default
 endef
 Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
-Package/openvpn-polarssl/config=$(call Package/openvpn/config/Default,polarssl)
+Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
 Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
-ifeq ($(BUILD_VARIANT),polarssl)
-CONFIG_OPENVPN_POLARSSL:=y
+ifeq ($(BUILD_VARIANT),mbedtls)
+CONFIG_OPENVPN_MBEDTLS:=y
 endif
 ifeq ($(BUILD_VARIANT),openssl)
 CONFIG_OPENVPN_OPENSSL:=y
@@ -74,6 +74,7 @@ define Build/Configure
 --disable-debug \
 --disable-pkcs11 \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
+ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
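Review bot: The new `+PKG_HASH:=3e5d…` value is the only integrity check on the tarball, because the unchanged `PKG_SOURCE_URL` a few lines above fetches over plain `http://`, and neither the hunk nor the commit message says how the hash was obtained — a reviewer cannot tell whether it was derived from the upstream-signed release or simply from whatever the mirror served when the author ran the build. Record the verification in the commit message (for example, that the release signature was checked before the hash was taken), and consider `PKG_SOURCE_URL:=https://swupdate.openvpn.net/community/releases` if that host serves TLS, so the download is protected in transit as well. `2.4_rc2` is a release candidate, so a follow-up bump to the final release with a fresh, equally-documented hash should be planned.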
@@ -86,7 +87,7 @@ define Build/Configure
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
 $(if $(CONFIG_OPENVPN_NOSSL),--disable-ssl --disable-crypto,--enable-ssl --enable-crypto) \
 $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
- $(if $(CONFIG_OPENVPN_POLARSSL),--with-crypto-library=polarssl) \
+ $(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
 )
 endef
@@ -119,5 +120,5 @@ define Package/openvpn-$(BUILD_VARIANT)/install
 endef
 $(eval $(call BuildPackage,openvpn-openssl))
-$(eval $(call BuildPackage,openvpn-polarssl))
+$(eval $(call BuildPackage,openvpn-mbedtls))
 $(eval $(call BuildPackage,openvpn-nossl))
diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config
index 3e053c36a9..1fd846f558 100644
--- a/package/network/services/openvpn/files/openvpn.config
+++ b/package/network/services/openvpn/files/openvpn.config
@@ -241,7 +241,11 @@ config openvpn sample_server
 # Enable compression on the VPN link.
 # If you enable it here, you must also
 # enable it in the client config file.
- option comp_lzo yes
+ # LZ4 requires OpenVPN 2.4+ client and server
+# option compress lz4
+ # LZO is compatible with most OpenVPN versions
+ # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
+ option compress lzo
 # The maximum number of concurrently connected
 # clients we want to allow.
@@ -391,7 +395,10 @@ config openvpn sample_client
 # Enable compression on the VPN link.
 # Don't enable this unless it is also
 # enabled in the server config file.
- option comp_lzo yes
+ # LZ4 requires OpenVPN 2.4+ on server and client
+# option compress lz4
+ # LZO is compatible with most OpenVPN versions
+ option compress lzo
 # Set log file verbosity.
 option verb 3
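Review bot: Both sample sections still turn data-channel compression on out of the box — the `+ option compress lzo` lines in `sample_server` and `sample_client` merely replace `comp_lzo yes` with the 2.4 spelling. Compressing payloads that mix attacker-influenced data with secrets exposes the tunnel to compression-oracle attacks (the class later demonstrated against OpenVPN as VORACLE), and upstream has since deprecated compression for that reason, so the safer sample ships it disabled: `# option compress lzo` preceded by a comment such as `# Compression leaks information about tunnelled data; enable only if you need it`. The two `+# option compress lz4` lines are also unindented while every neighbouring comment is indented; indenting them keeps the samples consistent.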
diff --git a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
index 3ceef6f0ff..5f23994b5c 100644
--- a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
+++ b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
@@ -1,10 +1,10 @@
 --- a/src/openvpn/options.c
 +++ b/src/openvpn/options.c
-@@ -102,7 +102,6 @@ const char title_string[] =
- " [MH]"
+@@ -107,7 +107,6 @@ const char title_string[] =
+ #ifdef HAVE_AEAD_CIPHER_MODES
+ " [AEAD]"
 #endif
- " [IPv6]"
-- " built on " __DATE__
+- " built on " __DATE__
 ;
 #ifndef ENABLE_SMALL
diff --git a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
new file mode 100644
index 0000000000..3b8248dd60
--- /dev/null
+++ b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -0,0 +1,11 @@
+--- a/src/openvpn/ssl_mbedtls.c
++++ b/src/openvpn/ssl_mbedtls.c
+@@ -1333,7 +1333,7 @@ const char *
+ get_ssl_library_version(void)
+ {
+ static char mbedtls_version[30];
+- unsigned int pv = mbedtls_version_get_number();
++ unsigned int pv = MBEDTLS_VERSION_NUMBER;
+ sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
+ (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
+ return mbedtls_version;
diff --git a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
deleted file mode 100644
index c7955c2460..0000000000
--- a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
+++ /dev/null
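Review bot: Replacing `mbedtls_version_get_number()` with the compile-time `MBEDTLS_VERSION_NUMBER` in the new 100-mbedtls patch makes `get_ssl_library_version()` report the header OpenVPN was built against rather than the libmbedtls actually loaded, so the version printed in OpenVPN's startup log stays stale after a libmbedtls-only update (a security fix, say) until the openvpn package is rebuilt. That is presumably accepted because the OpenWrt mbedTLS build does not provide the runtime version query — this should be confirmed — but unlike the deleted 101 patch, the new file carries no header saying so; add a short description above its `--- a/src/openvpn/ssl_mbedtls.c` line stating why the runtime call is replaced and that the logged version is therefore the build-time one. Operators who inventory TLS library versions from that log line should key on the installed libmbedtls package version instead. The enclosing `get_ssl_library_version` function closes outside the hunk.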
@@ -1,11 +0,0 @@
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -1156,7 +1156,7 @@ const char *
- get_ssl_library_version(void)
- {
- static char polar_version[30];
-- unsigned int pv = version_get_number();
-+ unsigned int pv = POLARSSL_VERSION_NUMBER;
- sprintf( polar_version, "PolarSSL %d.%d.%d",
- (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
- return polar_version;
diff --git a/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch b/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
deleted file mode 100644
index 2155a4c79b..0000000000
--- a/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-openvpn: fix build without POLARSSL_DEBUG_C
-
-Backport of upstream master commit
-b63f98633dbe2ca92cd43fc6f8597ab283a600bf.
-
-Signed-off-by: Magnus Kroken
-
-From b63f98633dbe2ca92cd43fc6f8597ab283a600bf Mon Sep 17 00:00:00 2001
-From: Steffan Karger
-Date: Tue, 14 Jun 2016 22:00:03 +0200
-Subject: [PATCH] mbedtls: don't set debug threshold if compiled without
- MBEDTLS_DEBUG_C
-
-For targets with space constraints, one might want to compile mbed TLS
-without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes. Make
-sure OpenVPN still compiles if that is the case.
-
-Signed-off-by: Steffan Karger
-Acked-by: Gert Doering
-Message-Id: <1465934403-22226-1-git-send-email-steffan@karger.me>
-URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
-Signed-off-by: Gert Doering
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -747,7 +747,9 @@ void key_state_ssl_init(struct key_state
- if (polar_ok(ssl_init(ks_ssl->ctx)))
- {
- /* Initialise SSL context */
-+ #ifdef POLARSSL_DEBUG_C
- debug_set_threshold(3);
-+ #endif
- ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
- ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);
diff --git a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
index eef4da2d26..96276d4723 100644
--- a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
+++ b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/syshead.h
 +++ b/src/openvpn/syshead.h
-@@ -602,9 +602,7 @@ socket_defined (const socket_descriptor_
+@@ -589,9 +589,7 @@ socket_defined (const socket_descriptor_
 /*
 * Should we include OCC (options consistency check) code?
 */
diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
new file mode 100644
index 0000000000..67191076d5
--- /dev/null
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
@@ -0,0 +1,41 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -1014,37 +1014,14 @@ dnl
+ AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
+ AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
+ if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
+- AC_CHECKING([for LZ4 Library and Header files])
+- havelz4lib=1
+ 
+- # if LZ4_LIBS is set, we assume it will work, otherwise test
+- if test -z "${LZ4_LIBS}"; then
+- AC_CHECK_LIB(lz4, LZ4_compress,
+- [ LZ4_LIBS="-llz4" ],
+- [
+- AC_MSG_RESULT([LZ4 library not found.])
+- havelz4lib=0
+- ])
+- fi
++ AC_MSG_RESULT([Using LZ4 library in src/compat/compat-lz4.*])
++ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
++ LZ4_LIBS=""
+ 
+- saved_CFLAGS="${CFLAGS}"
+- CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
+- AC_CHECK_HEADERS(lz4.h,
+- ,
+- [
+- AC_MSG_RESULT([LZ4 headers not found.])
+- havelz4lib=0
+- ])
+-
+- if test $havelz4lib = 0 ; then
+- AC_MSG_RESULT([LZ4 library or header not found, using version in src/compat/compat-lz4.*])
+- AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
+- LZ4_LIBS=""
+- fi
+ OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
+ OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
+ AC_DEFINE(ENABLE_LZ4, 1, [Enable LZ4 compression library])
+- CFLAGS="${saved_CFLAGS}"
+ fi
-- 
2.25.1
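Review bot: The new patch unconditionally selects the bundled copy — `AC_DEFINE([NEED_COMPAT_LZ4], [1], ...)` plus `LZ4_LIBS=""` replace the whole system-library probe — so the openvpn binary now always embeds OpenVPN's vendored `src/compat/compat-lz4.*`, and any LZ4 fix reaches the image only through an openvpn package bump rather than through a shared liblz4 update; whoever tracks advisories for this package needs to know that. The kept `AC_ARG_VAR([LZ4_CFLAGS], ...)`/`AC_ARG_VAR([LZ4_LIBS], ...)` lines are now misleading, since a user-supplied `LZ4_LIBS` is silently discarded by the forced `LZ4_LIBS=""`. The file has no header stating the motivation (presumably avoiding a liblz4 package dependency — confirm), so add a short description above `--- a/configure.ac` giving the reason and noting that the bundled LZ4 is what ships, which also answers the "which LZ4 version is in this image" question during incident triage.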