From b911928851c37c20370e0ff14d13590b90c2b753 Mon Sep 17 00:00:00 2001
From: RISCi_ATOM
Date: Fri, 29 Jun 2018 14:49:08 -0400
Subject: [PATCH] Update OpenVPN, ustream-ssl, add wolfssl and remove cyassl

---
 package/libs/cyassl/Config.in | 48 -----
 package/libs/cyassl/Makefile | 139 --------------
 package/libs/ustream-ssl/Makefile | 22 +-
 package/libs/wolfssl/Config.in | 60 ++++++
 package/libs/wolfssl/Makefile | 175 ++++++++++++++++++
 .../patches/100-disable-hardening-check.patch | 11 ++
 .../400-additional_compatibility.patch | 0
 package/network/services/openvpn/Makefile | 7 +-
 .../services/openvpn/files/openvpn.options | 8 +-
 9 files changed, 262 insertions(+), 208 deletions(-)
 delete mode 100644 package/libs/cyassl/Config.in
 delete mode 100644 package/libs/cyassl/Makefile
 create mode 100644 package/libs/wolfssl/Config.in
 create mode 100644 package/libs/wolfssl/Makefile
 create mode 100644 package/libs/wolfssl/patches/100-disable-hardening-check.patch
 rename package/libs/{cyassl => wolfssl}/patches/400-additional_compatibility.patch (100%)

diff --git a/package/libs/cyassl/Config.in b/package/libs/cyassl/Config.in
deleted file mode 100644
index 371bb564f8..0000000000
--- a/package/libs/cyassl/Config.in
+++ /dev/null
@@ -1,48 +0,0 @@
-if PACKAGE_libcyassl
-
-config CYASSL_HAS_AES_CCM
- bool "Include AES-CCM support"
- default n
-
-config CYASSL_HAS_AES_GCM
- bool "Include AES-GCM support"
- default n
-
-config CYASSL_HAS_CHACHA
- bool "Include ChaCha cipher suite support"
- default n
-
-config CYASSL_HAS_ECC
- bool "Include ECC (Elliptic Curve Cryptography) support"
- default y
-
-config CYASSL_HAS_DH
- bool "Include DH (Diffie-Hellman) support"
- default n
-
-config CYASSL_HAS_ARC4
- bool "Include ARC4 support"
- default n
-
-config CYASSL_HAS_DES3
- bool "Include DES3 (Tripple-DES) support"
- default n
-
-config CYASSL_HAS_PSK
- bool "Include PKS (Pre Share Key) support"
- default n
-
-config CYASSL_HAS_DTLS
- bool "Include DTLS support"
- default n
-
-config CYASSL_HAS_ECC25519
- bool "Include ECC Curve 22519 support"
- depends on CYASSL_HAS_ECC
- default n
-
-config CYASSL_HAS_POLY_1305
- bool "Include Poly-1305 support"
- default n
-
-endif
diff --git a/package/libs/cyassl/Makefile b/package/libs/cyassl/Makefile
deleted file mode 100644
index 68646d9b00..0000000000
--- a/package/libs/cyassl/Makefile
+++ /dev/null
@@ -1,139 +0,0 @@
-#
-# Copyright (C) 2006-2016 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=wolfssl
-PKG_VERSION:=3.10.0
-PKG_RELEASE:=1
-
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
-PKG_SOURCE_URL:=https://www.wolfssl.com/
-PKG_HASH:=66f7f2a8b8ee37d6b4beab3cb0dcb6a6980fd4674373bfd3bf1214b9d0d2c02e
-
-PKG_FIXUP:=libtool
-PKG_INSTALL:=1
-PKG_USE_MIPS16:=0
-PKG_BUILD_PARALLEL:=1
-PKG_LICENSE:=GPL-2.0+
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/libcyassl
- SECTION:=libs
- SUBMENU:=SSL
- CATEGORY:=Libraries
- TITLE:=CyaSSL library
- URL:=http://www.wolfssl.com/
- MENU:=1
-endef
-
-define Package/libcyassl/description
-CyaSSL is an SSL library optimized for small footprint, both on disk and for
-memory use.
-endef
-
-define Package/libcyassl/config
- source "$(SOURCE)/Config.in"
-endef
-
-TARGET_CFLAGS += $(FPIC)
-
-# --enable-stunnel needed for OpenSSL API compatibility bits
-CONFIGURE_ARGS += \
- --enable-opensslextra \
- --enable-sni \
- --enable-stunnel \
- --disable-examples
-
-ifeq ($(CONFIG_IPV6),y)
-CONFIGURE_ARGS += \
- --enable-ipv6
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_AES_CCM),y)
-CONFIGURE_ARGS += \
- --enable-aesccm
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_AES_GCM),y)
-CONFIGURE_ARGS += \
- --enable-aesgcm
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_CHACHA),y)
-CONFIGURE_ARGS += \
- --enable-chacha
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_ECC),y)
-CONFIGURE_ARGS += \
- --enable-ecc \
- --enable-supportedcurves
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_DH),y)
-CONFIGURE_ARGS += \
- --enable-dh
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_ARC4),n)
-CONFIGURE_ARGS += \
- --disable-arc4
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_DES3),y)
-CONFIGURE_ARGS += \
- --disable-des3
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_PSK),y)
-CONFIGURE_ARGS += \
- --enable-psk
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_DTLS),y)
-CONFIGURE_ARGS += \
- --enable-dtls
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_ECC25519),y)
-CONFIGURE_ARGS += \
- --enable-ecc25519
-endif
-
-ifeq ($(CONFIG_CYASSL_HAS_POLY1305),y)
-CONFIGURE_ARGS += \
- --enable-poly1305
-endif
-
-#ifneq ($(CONFIG_TARGET_x86),)
-# CONFIGURE_ARGS += --enable-intelasm
-#endif
-#ifneq ($(CONFIG_TARGET_x86_64),)
-# CONFIGURE_ARGS += --enable-intelasm
-#endif
-
-define Build/InstallDev
- $(INSTALL_DIR) $(1)/usr/include $(1)/usr/lib/pkgconfig
- $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
-
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libwolfssl.{so*,la} $(1)/usr/lib/
- ln -s libwolfssl.so $(1)/usr/lib/libcyassl.so
- ln -s libwolfssl.la $(1)/usr/lib/libcyassl.la
-
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/*.pc $(1)/usr/lib/pkgconfig
-endef
-
-define Package/libcyassl/install
- $(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libwolfssl.so* $(1)/usr/lib/
- ln -s libwolfssl.so $(1)/usr/lib/libcyassl.so
-endef
-
-$(eval $(call BuildPackage,libcyassl))
diff --git a/package/libs/ustream-ssl/Makefile b/package/libs/ustream-ssl/Makefile
index dfd84dfe2b..eca0417133 100644
--- a/package/libs/ustream-ssl/Makefile
+++ b/package/libs/ustream-ssl/Makefile
@@ -1,13 +1,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ustream-ssl
-PKG_RELEASE:=3
+PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/ustream-ssl.git
-PKG_SOURCE_DATE:=2018-04-30
-PKG_SOURCE_VERSION:=527e7002d0429465bd49c0c0d416ef22fbf5ae86
-PKG_MIRROR_HASH:=b0b4219730a369741a192a67d4fbf7328bd62df8ae4f0d0e3084461e3bbaba54
+PKG_SOURCE_DATE:=2018-05-24
+PKG_SOURCE_VERSION:=189cd38b4188bfcb4c8cf67d8ae71741ffc2b906
+PKG_MIRROR_HASH:=114d229828d95229e2b7134f668c0d2c3cee63ffa90e970d4c50a331f505b17d
 
 CMAKE_INSTALL:=1
 PKG_BUILD_DIR=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_SOURCE_SUBDIR)
@@ -35,11 +35,11 @@ define Package/libustream-openssl
 VARIANT:=openssl
 endef
 
-define Package/libustream-cyassl
+define Package/libustream-wolfssl
 $(Package/libustream/default)
- TITLE += (cyassl)
- DEPENDS += +PACKAGE_libustream-cyassl:libcyassl
- VARIANT:=cyassl
+ TITLE += (wolfssl)
+ DEPENDS += +PACKAGE_libustream-wolfssl:libwolfssl
+ VARIANT:=wolfssl
 endef
 
 define Package/libustream-mbedtls
@@ -50,7 +50,7 @@ define Package/libustream-mbedtls
 DEFAULT_VARIANT:=1
 endef
 
-ifeq ($(BUILD_VARIANT),cyassl)
+ifeq ($(BUILD_VARIANT),wolfssl)
 TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/cyassl -DHAVE_SNI
 CMAKE_OPTIONS += -DCYASSL=on
 endif
@@ -64,9 +64,9 @@ define Package/libustream/default/install
 endef
 
 Package/libustream-openssl/install = $(Package/libustream/default/install)
-Package/libustream-cyassl/install = $(Package/libustream/default/install)
+Package/libustream-wolfssl/install = $(Package/libustream/default/install)
 Package/libustream-mbedtls/install = $(Package/libustream/default/install)
 
 $(eval $(call BuildPackage,libustream-mbedtls))
-$(eval $(call BuildPackage,libustream-cyassl))
+$(eval $(call BuildPackage,libustream-wolfssl))
 $(eval $(call BuildPackage,libustream-openssl))
diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
new file mode 100644
index 0000000000..50b0bb9cdf
--- /dev/null
+++ b/package/libs/wolfssl/Config.in
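Review bot: In the `@@ -50,7 +50,7 @@` hunk the variant is renamed to `wolfssl`, but the two lines under it still point at the old backend: `TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/cyassl -DHAVE_SNI` and `CMAKE_OPTIONS += -DCYASSL=on`. That presumably works only because the libwolfssl InstallDev step copies the whole include tree into staging (so compatibility headers under cyassl/ land there) and because ustream-ssl's CMake option keeps its old name at the new source revision; a comment such as `# ustream-ssl still selects wolfSSL via its CyaSSL option name and the cyassl/ compat headers` would stop the next reader from "fixing" these lines. Separately, the `libustream-cyassl` package name disappears with no PROVIDES counterpart, so an existing `.config` that selected it silently loses the package; that deserves a sentence in the commit message.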
@@ -0,0 +1,60 @@
+if PACKAGE_libwolfssl
+
+config WOLFSSL_HAS_AES_CCM
+ bool "Include AES-CCM support"
+ default y
+
+config WOLFSSL_HAS_AES_GCM
+ bool "Include AES-GCM support"
+ default y
+
+config WOLFSSL_HAS_CHACHA
+ bool "Include ChaCha cipher suite support"
+ default n
+
+config WOLFSSL_HAS_ECC
+ bool "Include ECC (Elliptic Curve Cryptography) support"
+ default y
+
+config WOLFSSL_HAS_DH
+ bool "Include DH (Diffie-Hellman) support"
+ default y
+
+config WOLFSSL_HAS_ARC4
+ bool "Include ARC4 support"
+ default y
+
+config WOLFSSL_HAS_DES3
+ bool "Include DES3 (Tripple-DES) support"
+ default y
+
+config WOLFSSL_HAS_PSK
+ bool "Include PKS (Pre Share Key) support"
+ default y
+
+config WOLFSSL_HAS_SESSION_TICKET
+ bool "Include session ticket support"
+ default y
+
+config WOLFSSL_HAS_DTLS
+ bool "Include DTLS support"
+ default n
+
+config WOLFSSL_HAS_OCSP
+ bool "Include OSCP support"
+ default y
+
+config WOLFSSL_HAS_WPAS
+ bool "Include wpa_supplicant support"
+ default y
+
+config WOLFSSL_HAS_ECC25519
+ bool "Include ECC Curve 22519 support"
+ depends on WOLFSSL_HAS_ECC
+ default n
+
+config WOLFSSL_HAS_POLY_1305
+ bool "Include Poly-1305 support"
+ default n
+
+endif
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
new file mode 100644
index 0000000000..e08b6f3929
--- /dev/null
+++ b/package/libs/wolfssl/Makefile
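Review bot: `WOLFSSL_HAS_ARC4` and `WOLFSSL_HAS_DES3` default to `y` here, whereas the deleted cyassl Config.in defaulted both to `n`, so the default build of the TLS library now carries RC4 and 3DES cipher suites; RC4 is prohibited for TLS by RFC 7465 and 3DES's 64-bit block size is the weakness behind Sweet32, so `default n` is the safer baseline unless a specific consumer needs them, in which case a `help` line naming that consumer should justify the default. The symbol `WOLFSSL_HAS_POLY_1305` also does not match what the new Makefile tests (`CONFIG_WOLFSSL_HAS_POLY1305`), so this option currently has no effect and one of the two spellings needs to change. Several prompt strings carry typos over from the old file (`Tripple-DES`, `PKS (Pre Share Key)`, `OSCP`, `Curve 22519`).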
@@ -0,0 +1,175 @@
+#
+# Copyright (C) 2006-2017 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=wolfssl
+PKG_VERSION:=3.14.4
+PKG_RELEASE:=3
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
+# PKG_SOURCE_URL:=https://www.wolfssl.com/
+PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
+PKG_HASH:=1da1b45dec4a455716c8547074ad883c737865225f69443bb173c0dc21683fd1
+
+PKG_FIXUP:=libtool
+PKG_INSTALL:=1
+PKG_USE_MIPS16:=0
+PKG_BUILD_PARALLEL:=1
+PKG_LICENSE:=GPL-2.0+
+PKG_CPE_ID:=cpe:/a:yassl:cyassl
+
+PKG_CONFIG_DEPENDS:=\
+ CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
+ CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA \
+ CONFIG_WOLFSSL_HAS_DES3 CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
+ CONFIG_WOLFSSL_HAS_ECC CONFIG_WOLFSSL_HAS_ECC25519 \
+ CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_POLY_1305 \
+ CONFIG_WOLFSSL_HAS_PSK CONFIG_WOLFSSL_HAS_SESSION_TICKET \
+ CONFIG_WOLFSSL_HAS_WPAS
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/libwolfssl
+ SECTION:=libs
+ SUBMENU:=SSL
+ CATEGORY:=Libraries
+ TITLE:=wolfSSL library
+ URL:=http://www.wolfssl.com/
+ MAINTAINER:=Alexandru Ardelean
+ MENU:=1
+ PROVIDES:=libcyassl
+endef
+
+define Package/libwolfssl/description
+wolfSSL (formerly CyaSSL) is an SSL library optimized for small
+footprint, both on disk and for memory use.
+endef
+
+define Package/libwolfssl/config
+ source "$(SOURCE)/Config.in"
+endef
+
+TARGET_CFLAGS += $(FPIC)
+
+# --enable-stunnel needed for OpenSSL API compatibility bits
+CONFIGURE_ARGS += \
+ --enable-opensslextra \
+ --enable-sni \
+ --enable-stunnel \
+ --disable-examples \
+ --disable-leanpsk \
+ --disable-leantls \
+
+ifeq ($(CONFIG_IPV6),y)
+CONFIGURE_ARGS += \
+ --enable-ipv6
+endif
+
+ifeq ($(CONFIG_WOLFSSL_HAS_AES_CCM),y)
+CONFIGURE_ARGS += \
+ --enable-aesccm
+endif
+
+ifneq ($(CONFIG_WOLFSSL_HAS_AES_GCM),y)
+CONFIGURE_ARGS += \
+ --disable-aesgcm
+endif
+
+ifneq ($(CONFIG_WOLFSSL_HAS_CHACHA),y)
+CONFIGURE_ARGS += \
+ --disable-chacha
+endif
+
+ifeq ($(CONFIG_WOLFSSL_HAS_ECC),y)
+CONFIGURE_ARGS += \
+ --enable-ecc \
+ --enable-supportedcurves
+endif
+
+ifeq ($(CONFIG_WOLFSSL_HAS_DH),y)
+CONFIGURE_ARGS += \
+ --enable-dh
+endif
+
+ifneq ($(CONFIG_WOLFSSL_HAS_ARC4),y)
+CONFIGURE_ARGS += \
+ --disable-arc4
+else
+CONFIGURE_ARGS += \
+ --enable-arc4
+endif
+
+ifneq ($(CONFIG_WOLFSSL_HAS_DES3),y)
+CONFIGURE_ARGS += \
+ --disable-des3
+else
+CONFIGURE_ARGS += \
+ --enable-des3
+endif
+
+ifeq ($(CONFIG_WOLFSSL_HAS_PSK),y)
+CONFIGURE_ARGS += \
+ --enable-psk
+endif
+
+ifeq ($(CONFIG_WOLFSSL_HAS_SESSION_TICKET),y)
+CONFIGURE_ARGS += \
+ --enable-session-ticket
+endif
+
+ifeq ($(CONFIG_WOLFSSL_HAS_DTLS),y)
+CONFIGURE_ARGS += \
+ --enable-dtls
+endif
+
+ifeq ($(CONFIG_WOLFSSL_HAS_OCSP),y)
+CONFIGURE_ARGS += \
+ --enable-ocsp --enable-ocspstapling --enable-ocspstapling2
+endif
+
+ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y)
+CONFIGURE_ARGS += \
+ --enable-wpas --enable-sha512 --enable-fortress --enable-fastmath
+endif
+
+ifeq ($(CONFIG_WOLFSSL_HAS_ECC25519),y)
+CONFIGURE_ARGS += \
+ --enable-curve25519
+endif
+
+ifneq ($(CONFIG_WOLFSSL_HAS_POLY1305),y)
+CONFIGURE_ARGS += \
+ --enable-poly1305
+endif
+
+#ifneq ($(CONFIG_TARGET_x86),)
+# CONFIGURE_ARGS += --enable-intelasm
+#endif
+#ifneq ($(CONFIG_TARGET_x86_64),)
+# CONFIGURE_ARGS += --enable-intelasm
+#endif
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/include $(1)/usr/lib/pkgconfig
+ $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libwolfssl.{so*,la} $(1)/usr/lib/
+ ln -s libwolfssl.so $(1)/usr/lib/libcyassl.so
+ ln -s libwolfssl.la $(1)/usr/lib/libcyassl.la
+
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/*.pc $(1)/usr/lib/pkgconfig
+endef
+
+define Package/libwolfssl/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libwolfssl.so* $(1)/usr/lib/
+ ln -s libwolfssl.so $(1)/usr/lib/libcyassl.so
+endef
+
+$(eval $(call BuildPackage,libwolfssl))
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
new file mode 100644
index 0000000000..d913b5fdea
--- /dev/null
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -0,0 +1,11 @@
+--- a/wolfssl/wolfcrypt/settings.h
++++ b/wolfssl/wolfcrypt/settings.h
+@@ -1624,7 +1624,7 @@ extern void uITRON4_free(void *p) ;
+ #endif
+ 
+ /* warning for not using harden build options (default with ./configure) */
+-#ifndef WC_NO_HARDEN
++#if 0
+ #if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \
+ (defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \
+ (!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS))
diff --git a/package/libs/cyassl/patches/400-additional_compatibility.patch b/package/libs/wolfssl/patches/400-additional_compatibility.patch
similarity index 100%
rename from package/libs/cyassl/patches/400-additional_compatibility.patch
rename to package/libs/wolfssl/patches/400-additional_compatibility.patch
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 118d95e5df..1cb3db1f22 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
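Review bot: The Poly1305 block near the end of the new wolfssl Makefile passes `--enable-poly1305` unconditionally: `ifneq ($(CONFIG_WOLFSSL_HAS_POLY1305),y)` tests a symbol that Config.in never defines (it declares `WOLFSSL_HAS_POLY_1305`, and `PKG_CONFIG_DEPENDS` lists that spelling too), so the comparison is always true, and the `ifneq` sense is also inverted relative to the `ifeq` used for the other enable-only options. Change it to `ifeq ($(CONFIG_WOLFSSL_HAS_POLY_1305),y)` so the menu default of `n` is honoured. The trailing backslash on `--disable-leantls \` continues `CONFIGURE_ARGS` onto the blank line that follows; harmless today, but removing that blank line would fold `ifeq ($(CONFIG_IPV6),y)` into the argument list, so drop the backslash.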
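Review bot: Replacing `#ifndef WC_NO_HARDEN` with `#if 0` in settings.h silences, for the library build and every consumer alike, the compile-time warning that fast-math, ECC or RSA are being built without `TFM_TIMING_RESISTANT`, `ECC_TIMING_RESISTANT` or `WC_RSA_BLINDING`; the wolfssl Makefile in this same commit passes `--enable-fastmath` in its WPAS block, which is precisely the case the first condition guards. The diff does not show where the warning was firing; if it was in consumers that include settings.h without wolfssl/options.h, the narrower fix is to include options.h first in those consumers (or add `-DWC_NO_HARDEN` to their CFLAGS only), so an un-hardened build of the library itself still warns. If it was firing in the library build, that means the hardening defines are actually missing and should be fixed rather than hidden. A header comment in the patch file naming the triggering consumer and why silencing is acceptable would help future maintainers.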
@@ -9,14 +9,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
-PKG_VERSION:=2.4.5
-PKG_RELEASE:=1
+PKG_VERSION:=2.4.6
+PKG_RELEASE:=4
 
 PKG_SOURCE_URL:=\
 https://build.openvpn.net/downloads/releases/ \
 https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=43c0a363a332350f620d1cd93bb431e082bedbc93d4fb872f758650d53c1d29e
+PKG_HASH:=4f6434fa541cc9e363434ea71a16a62cf2615fb2f16af5b38f43ab5939998c26
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_MAINTAINER:=Felix Fietkau
@@ -25,6 +25,7 @@ PKG_INSTALL:=1
 PKG_FIXUP:=autoreconf
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0
+PKG_CPE_ID:=cpe:/a:openvpn:openvpn
 
 include $(INCLUDE_DIR)/package.mk
 
diff --git a/package/network/services/openvpn/files/openvpn.options b/package/network/services/openvpn/files/openvpn.options
index a6a3ded061..6c084d22dc 100644
--- a/package/network/services/openvpn/files/openvpn.options
+++ b/package/network/services/openvpn/files/openvpn.options
@@ -14,7 +14,6 @@ cipher
 client_config_dir
 client_connect
 client_disconnect
-comp_lzo
 compress
 connect_freq
 connect_retry
@@ -132,6 +131,7 @@ txqueuelen
 up
 user
 verb
+verify_client_cert
 verify_x509_name
 x509_username_field
 '
@@ -143,7 +143,6 @@ auth_user_pass_optional
 bind
 ccd_exclusive
 client
-client_cert_not_required
 client_to_client
 comp_noadapt
 disable
@@ -155,7 +154,6 @@ float
 http_proxy_retry
 ifconfig_noexec
 ifconfig_nowarn
-ifconfig_pool_linear
 management_forget_disconnect
 management_hold
 management_query_passwords
@@ -167,9 +165,6 @@ multihome
 mute_replay_warnings
 ncp_disable
 nobind
-no_iv
-no_name_remapping
-no_replay
 opt_verify
 passtos
 persist_key
@@ -191,7 +186,6 @@ test_crypto
 tls_client
 tls_exit
 tls_server
-tun_ipv6
 up_delay
 up_restart
 username_as_common_name
-- 
2.25.1
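Review bot: Existing UCI configurations that still use the option names removed from these lists (`comp_lzo`, `client_cert_not_required`, `ifconfig_pool_linear`, `no_iv`, `no_name_remapping`, `no_replay`, `tun_ipv6`) will presumably stop being passed to openvpn without any error, assuming the init script only emits options that appear in these lists. `client_cert_not_required` is the one that changes security behaviour on upgrade: a server config relying on it will now require client certificates until the replacement, `verify_client_cert` (added to the value-taking list in the `@@ -132,6 +131,7 @@` hunk), is set explicitly. The commit description should call this out, and the init script could log a warning when a config contains a key it no longer recognises; I could not confirm from the diff how unknown keys are handled.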