openvpn: update to 2.4_rc2
OpenVPN 2.4 builds with mbedTLS 2.x, rename openvpn-polarssl variant to openvpn-mbedtls. Some feature highlights: * Data channel cipher negotiation * AEAD cipher support for data channel encryption (currently only AES-GCM) * ECDH key exchange for control channel * LZ4 compression support. See https://github.com/OpenVPN/openvpn/blob/master/Changes.rst for additional change notes. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
This commit is contained in:
parent
f67867adb0
commit
13592c1454
@ -1,62 +1,66 @@
|
|||||||
if PACKAGE_openvpn-polarssl
|
if PACKAGE_openvpn-mbedtls
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_LZO
|
config OPENVPN_mbedtls_ENABLE_LZO
|
||||||
bool "Enable LZO compression support"
|
bool "Enable LZO compression support"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_X509_ALT_USERNAME
|
config OPENVPN_mbedtls_ENABLE_LZ4
|
||||||
|
bool "Enable LZ4 compression support"
|
||||||
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_mbedtls_ENABLE_X509_ALT_USERNAME
|
||||||
bool "Enable the --x509-username-field feature"
|
bool "Enable the --x509-username-field feature"
|
||||||
default n
|
default n
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_SERVER
|
config OPENVPN_mbedtls_ENABLE_SERVER
|
||||||
bool "Enable server support (otherwise only client mode is support)"
|
bool "Enable server support (otherwise only client mode is support)"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
#config OPENVPN_polarssl_ENABLE_EUREPHIA
|
#config OPENVPN_mbedtls_ENABLE_EUREPHIA
|
||||||
# bool "Enable support for the eurephia plug-in"
|
# bool "Enable support for the eurephia plug-in"
|
||||||
# default n
|
# default n
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_MANAGEMENT
|
config OPENVPN_mbedtls_ENABLE_MANAGEMENT
|
||||||
bool "Enable management server support"
|
bool "Enable management server support"
|
||||||
default n
|
default n
|
||||||
|
|
||||||
#config OPENVPN_polarssl_ENABLE_PKCS11
|
#config OPENVPN_mbedtls_ENABLE_PKCS11
|
||||||
# bool "Enable pkcs11 support"
|
# bool "Enable pkcs11 support"
|
||||||
# default n
|
# default n
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_HTTP
|
config OPENVPN_mbedtls_ENABLE_HTTP
|
||||||
bool "Enable HTTP proxy support"
|
bool "Enable HTTP proxy support"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_SOCKS
|
config OPENVPN_mbedtls_ENABLE_SOCKS
|
||||||
bool "Enable SOCKS proxy support"
|
bool "Enable SOCKS proxy support"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_FRAGMENT
|
config OPENVPN_mbedtls_ENABLE_FRAGMENT
|
||||||
bool "Enable internal fragmentation support (--fragment)"
|
bool "Enable internal fragmentation support (--fragment)"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_MULTIHOME
|
config OPENVPN_mbedtls_ENABLE_MULTIHOME
|
||||||
bool "Enable multi-homed UDP server support (--multihome)"
|
bool "Enable multi-homed UDP server support (--multihome)"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_PORT_SHARE
|
config OPENVPN_mbedtls_ENABLE_PORT_SHARE
|
||||||
bool "Enable TCP server port-share support (--port-share)"
|
bool "Enable TCP server port-share support (--port-share)"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_DEF_AUTH
|
config OPENVPN_mbedtls_ENABLE_DEF_AUTH
|
||||||
bool "Enable deferred authentication"
|
bool "Enable deferred authentication"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_PF
|
config OPENVPN_mbedtls_ENABLE_PF
|
||||||
bool "Enable internal packet filter"
|
bool "Enable internal packet filter"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_IPROUTE2
|
config OPENVPN_mbedtls_ENABLE_IPROUTE2
|
||||||
bool "Enable support for iproute2"
|
bool "Enable support for iproute2"
|
||||||
default n
|
default n
|
||||||
|
|
||||||
config OPENVPN_polarssl_ENABLE_SMALL
|
config OPENVPN_mbedtls_ENABLE_SMALL
|
||||||
bool "Enable size optimization"
|
bool "Enable size optimization"
|
||||||
default y
|
default y
|
||||||
help
|
help
|
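Review bot: The commented-out entries `#config OPENVPN_mbedtls_ENABLE_EUREPHIA` and `#config OPENVPN_mbedtls_ENABLE_PKCS11` are renamed along with the live options instead of being dropped, so the rename carries dead code forward; the Makefile hunk in this commit still passes `--disable-pkcs11` unconditionally, so there is no path that could use the PKCS11 stub. Either delete the two commented blocks or add a one-line comment above them saying why they are kept (e.g. `# PKCS11/eurephia need extra build deps; not wired into the Makefile yet`). The new `OPENVPN_mbedtls_ENABLE_LZ4` entry is consistent with the existing LZO one, though its prompt could say `"Enable LZ4 compression support (build-time; use 'compress lz4' in the config to activate)"` so users do not mistake it for enabling compression on the link.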
@ -4,6 +4,10 @@ config OPENVPN_nossl_ENABLE_LZO
|
|||||||
bool "Enable LZO compression support"
|
bool "Enable LZO compression support"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_nossl_ENABLE_LZ4
|
||||||
|
bool "Enable LZ4 compression support"
|
||||||
|
default y
|
||||||
|
|
||||||
config OPENVPN_nossl_ENABLE_SERVER
|
config OPENVPN_nossl_ENABLE_SERVER
|
||||||
bool "Enable server support (otherwise only client mode is support)"
|
bool "Enable server support (otherwise only client mode is support)"
|
||||||
default y
|
default y
|
||||||
|
@ -4,6 +4,10 @@ config OPENVPN_openssl_ENABLE_LZO
|
|||||||
bool "Enable LZO compression support"
|
bool "Enable LZO compression support"
|
||||||
default y
|
default y
|
||||||
|
|
||||||
|
config OPENVPN_openssl_ENABLE_LZ4
|
||||||
|
bool "Enable LZ4 compression support"
|
||||||
|
default y
|
||||||
|
|
||||||
config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
|
config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
|
||||||
bool "Enable the --x509-username-field feature"
|
bool "Enable the --x509-username-field feature"
|
||||||
default n
|
default n
|
||||||
|
@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
|
|||||||
|
|
||||||
PKG_NAME:=openvpn
|
PKG_NAME:=openvpn
|
||||||
|
|
||||||
PKG_VERSION:=2.3.13
|
PKG_VERSION:=2.4_rc2
|
||||||
PKG_RELEASE:=1
|
PKG_RELEASE:=1
|
||||||
|
|
||||||
PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
|
PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
|
||||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
|
||||||
PKG_HASH:=9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0
|
PKG_HASH:=3e5dbfda2c1c941bc61e5e067601b31f578ad4cdf3683e569014e18c2cc6e2e9
|
||||||
|
|
||||||
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
|
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
|
||||||
|
|
||||||
@ -38,7 +38,7 @@ define Package/openvpn/Default
|
|||||||
endef
|
endef
|
||||||
|
|
||||||
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+libopenssl)
|
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+libopenssl)
|
||||||
Package/openvpn-polarssl=$(call Package/openvpn/Default,polarssl,PolarSSL,+libpolarssl)
|
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+libmbedtls)
|
||||||
Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
|
Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
|
||||||
|
|
||||||
define Package/openvpn/config/Default
|
define Package/openvpn/config/Default
|
||||||
@ -46,11 +46,11 @@ define Package/openvpn/config/Default
|
|||||||
endef
|
endef
|
||||||
|
|
||||||
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
|
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
|
||||||
Package/openvpn-polarssl/config=$(call Package/openvpn/config/Default,polarssl)
|
Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
|
||||||
Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
|
Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
|
||||||
|
|
||||||
ifeq ($(BUILD_VARIANT),polarssl)
|
ifeq ($(BUILD_VARIANT),mbedtls)
|
||||||
CONFIG_OPENVPN_POLARSSL:=y
|
CONFIG_OPENVPN_MBEDTLS:=y
|
||||||
endif
|
endif
|
||||||
ifeq ($(BUILD_VARIANT),openssl)
|
ifeq ($(BUILD_VARIANT),openssl)
|
||||||
CONFIG_OPENVPN_OPENSSL:=y
|
CONFIG_OPENVPN_OPENSSL:=y
|
||||||
@ -74,6 +74,7 @@ define Build/Configure
|
|||||||
--disable-debug \
|
--disable-debug \
|
||||||
--disable-pkcs11 \
|
--disable-pkcs11 \
|
||||||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
|
||||||
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
|
||||||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
|
||||||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
|
||||||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
|
||||||
@ -86,7 +87,7 @@ define Build/Configure
|
|||||||
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
|
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
|
||||||
$(if $(CONFIG_OPENVPN_NOSSL),--disable-ssl --disable-crypto,--enable-ssl --enable-crypto) \
|
$(if $(CONFIG_OPENVPN_NOSSL),--disable-ssl --disable-crypto,--enable-ssl --enable-crypto) \
|
||||||
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
|
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
|
||||||
$(if $(CONFIG_OPENVPN_POLARSSL),--with-crypto-library=polarssl) \
|
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
|
||||||
)
|
)
|
||||||
endef
|
endef
|
||||||
|
|
||||||
@ -119,5 +120,5 @@ define Package/openvpn-$(BUILD_VARIANT)/install
|
|||||||
endef
|
endef
|
||||||
|
|
||||||
$(eval $(call BuildPackage,openvpn-openssl))
|
$(eval $(call BuildPackage,openvpn-openssl))
|
||||||
$(eval $(call BuildPackage,openvpn-polarssl))
|
$(eval $(call BuildPackage,openvpn-mbedtls))
|
||||||
$(eval $(call BuildPackage,openvpn-nossl))
|
$(eval $(call BuildPackage,openvpn-nossl))
|
||||||
|
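Review bot: The new `PKG_HASH` is the only integrity check on the 2.4_rc2 tarball, because the unchanged `PKG_SOURCE_URL` two lines above it still fetches over plain `http://`; the commit message does not say where the hash came from, so it should be cross-checked against the upstream-published checksum or signature for the release rather than computed from a locally downloaded file, and a short `# sha256 verified against upstream signature` style note in the commit message would document that. Separately, the context line `$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \` appears malformed as rendered here (no leading `--`, and `-ssl` appended to both branches), which would yield `enable-ssl`/`disable-x509-alt-username-ssl` instead of `--enable-x509-alt-username`/`--disable-x509-alt-username`; if that is not a page-rendering artifact it is worth fixing while the configure block is being touched for `-lz4`, e.g. `$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \`.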
@ -241,7 +241,11 @@ config openvpn sample_server
|
|||||||
# Enable compression on the VPN link.
|
# Enable compression on the VPN link.
|
||||||
# If you enable it here, you must also
|
# If you enable it here, you must also
|
||||||
# enable it in the client config file.
|
# enable it in the client config file.
|
||||||
option comp_lzo yes
|
# LZ4 requires OpenVPN 2.4+ client and server
|
||||||
|
# option compress lz4
|
||||||
|
# LZO is compatible with most OpenVPN versions
|
||||||
|
# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
|
||||||
|
option compress lzo
|
||||||
|
|
||||||
# The maximum number of concurrently connected
|
# The maximum number of concurrently connected
|
||||||
# clients we want to allow.
|
# clients we want to allow.
|
||||||
@ -391,7 +395,10 @@ config openvpn sample_client
|
|||||||
# Enable compression on the VPN link.
|
# Enable compression on the VPN link.
|
||||||
# Don't enable this unless it is also
|
# Don't enable this unless it is also
|
||||||
# enabled in the server config file.
|
# enabled in the server config file.
|
||||||
option comp_lzo yes
|
# LZ4 requires OpenVPN 2.4+ on server and client
|
||||||
|
# option compress lz4
|
||||||
|
# LZO is compatible with most OpenVPN versions
|
||||||
|
option compress lzo
|
||||||
|
|
||||||
# Set log file verbosity.
|
# Set log file verbosity.
|
||||||
option verb 3
|
option verb 3
|
||||||
|
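Review bot: The new `# option compress lz4` hint in both the `sample_server` and `sample_client` blocks does not mention that LZ4 is a build-time option in this commit (`OPENVPN_<variant>_ENABLE_LZ4`, default y in the Config files), so a user who uncomments it on a package built without LZ4 will presumably get a startup failure rather than a fallback. A one-line addition such as `# (only available if the package was built with LZ4 support)` next to the hint would make that explicit. The server block also explains what older clients must set (`comp-lzo yes`), while the client block at the second hunk only says "LZO is compatible with most OpenVPN versions"; mirroring the server wording there keeps the two samples consistent.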
@ -1,10 +1,10 @@
|
|||||||
--- a/src/openvpn/options.c
|
--- a/src/openvpn/options.c
|
||||||
+++ b/src/openvpn/options.c
|
+++ b/src/openvpn/options.c
|
||||||
@@ -102,7 +102,6 @@ const char title_string[] =
|
@@ -107,7 +107,6 @@ const char title_string[] =
|
||||||
" [MH]"
|
#ifdef HAVE_AEAD_CIPHER_MODES
|
||||||
|
" [AEAD]"
|
||||||
#endif
|
#endif
|
||||||
" [IPv6]"
|
- " built on " __DATE__
|
||||||
- " built on " __DATE__
|
|
||||||
;
|
;
|
||||||
|
|
||||||
#ifndef ENABLE_SMALL
|
#ifndef ENABLE_SMALL
|
||||||
|
@ -0,0 +1,11 @@
|
|||||||
|
--- a/src/openvpn/ssl_mbedtls.c
|
||||||
|
+++ b/src/openvpn/ssl_mbedtls.c
|
||||||
|
@@ -1333,7 +1333,7 @@ const char *
|
||||||
|
get_ssl_library_version(void)
|
||||||
|
{
|
||||||
|
static char mbedtls_version[30];
|
||||||
|
- unsigned int pv = mbedtls_version_get_number();
|
||||||
|
+ unsigned int pv = MBEDTLS_VERSION_NUMBER;
|
||||||
|
sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
|
||||||
|
(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
|
||||||
|
return mbedtls_version;
|
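Review bot: Replacing `mbedtls_version_get_number()` with `MBEDTLS_VERSION_NUMBER` changes the reported string from the version of the libmbedtls actually loaded at runtime to the version of the headers OpenVPN was compiled against, so once libmbedtls is updated as a separate package the `--version` output will be stale and could mislead someone checking which TLS library is in use. The patch carries no description header explaining why the runtime call is removed — presumably the OpenWrt mbedTLS build omits the version module, but that should be confirmed and stated, e.g. a header line `OpenWrt's libmbedtls is built without MBEDTLS_VERSION_C, so report the compile-time version instead` above the `---` line. The closing brace of `get_ssl_library_version()` lies outside the hunk.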
@ -1,11 +0,0 @@
|
|||||||
--- a/src/openvpn/ssl_polarssl.c
|
|
||||||
+++ b/src/openvpn/ssl_polarssl.c
|
|
||||||
@@ -1156,7 +1156,7 @@ const char *
|
|
||||||
get_ssl_library_version(void)
|
|
||||||
{
|
|
||||||
static char polar_version[30];
|
|
||||||
- unsigned int pv = version_get_number();
|
|
||||||
+ unsigned int pv = POLARSSL_VERSION_NUMBER;
|
|
||||||
sprintf( polar_version, "PolarSSL %d.%d.%d",
|
|
||||||
(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
|
|
||||||
return polar_version;
|
|
@ -1,33 +0,0 @@
|
|||||||
openvpn: fix build without POLARSSL_DEBUG_C
|
|
||||||
|
|
||||||
Backport of upstream master commit
|
|
||||||
b63f98633dbe2ca92cd43fc6f8597ab283a600bf.
|
|
||||||
|
|
||||||
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
|
|
||||||
|
|
||||||
From b63f98633dbe2ca92cd43fc6f8597ab283a600bf Mon Sep 17 00:00:00 2001
|
|
||||||
From: Steffan Karger <steffan@karger.me>
|
|
||||||
Date: Tue, 14 Jun 2016 22:00:03 +0200
|
|
||||||
Subject: [PATCH] mbedtls: don't set debug threshold if compiled without
|
|
||||||
MBEDTLS_DEBUG_C
|
|
||||||
|
|
||||||
For targets with space constraints, one might want to compile mbed TLS
|
|
||||||
without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes. Make
|
|
||||||
sure OpenVPN still compiles if that is the case.
|
|
||||||
|
|
||||||
Signed-off-by: Steffan Karger <steffan@karger.me>
|
|
||||||
Acked-by: Gert Doering <gert@greenie.muc.de>
|
|
||||||
Message-Id: <1465934403-22226-1-git-send-email-steffan@karger.me>
|
|
||||||
URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
|
|
||||||
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
|
||||||
--- a/src/openvpn/ssl_polarssl.c
|
|
||||||
+++ b/src/openvpn/ssl_polarssl.c
|
|
||||||
@@ -747,7 +747,9 @@ void key_state_ssl_init(struct key_state
|
|
||||||
if (polar_ok(ssl_init(ks_ssl->ctx)))
|
|
||||||
{
|
|
||||||
/* Initialise SSL context */
|
|
||||||
+ #ifdef POLARSSL_DEBUG_C
|
|
||||||
debug_set_threshold(3);
|
|
||||||
+ #endif
|
|
||||||
ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
|
|
||||||
ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);
|
|
@ -1,6 +1,6 @@
|
|||||||
--- a/src/openvpn/syshead.h
|
--- a/src/openvpn/syshead.h
|
||||||
+++ b/src/openvpn/syshead.h
|
+++ b/src/openvpn/syshead.h
|
||||||
@@ -602,9 +602,7 @@ socket_defined (const socket_descriptor_
|
@@ -589,9 +589,7 @@ socket_defined (const socket_descriptor_
|
||||||
/*
|
/*
|
||||||
* Should we include OCC (options consistency check) code?
|
* Should we include OCC (options consistency check) code?
|
||||||
*/
|
*/
|
||||||
|
@ -0,0 +1,41 @@
|
|||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -1014,37 +1014,14 @@ dnl
|
||||||
|
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
|
||||||
|
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
|
||||||
|
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
|
||||||
|
- AC_CHECKING([for LZ4 Library and Header files])
|
||||||
|
- havelz4lib=1
|
||||||
|
|
||||||
|
- # if LZ4_LIBS is set, we assume it will work, otherwise test
|
||||||
|
- if test -z "${LZ4_LIBS}"; then
|
||||||
|
- AC_CHECK_LIB(lz4, LZ4_compress,
|
||||||
|
- [ LZ4_LIBS="-llz4" ],
|
||||||
|
- [
|
||||||
|
- AC_MSG_RESULT([LZ4 library not found.])
|
||||||
|
- havelz4lib=0
|
||||||
|
- ])
|
||||||
|
- fi
|
||||||
|
+ AC_MSG_RESULT([Using LZ4 library in src/compat/compat-lz4.*])
|
||||||
|
+ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
|
||||||
|
+ LZ4_LIBS=""
|
||||||
|
|
||||||
|
- saved_CFLAGS="${CFLAGS}"
|
||||||
|
- CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
|
||||||
|
- AC_CHECK_HEADERS(lz4.h,
|
||||||
|
- ,
|
||||||
|
- [
|
||||||
|
- AC_MSG_RESULT([LZ4 headers not found.])
|
||||||
|
- havelz4lib=0
|
||||||
|
- ])
|
||||||
|
-
|
||||||
|
- if test $havelz4lib = 0 ; then
|
||||||
|
- AC_MSG_RESULT([LZ4 library or header not found, using version in src/compat/compat-lz4.*])
|
||||||
|
- AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
|
||||||
|
- LZ4_LIBS=""
|
||||||
|
- fi
|
||||||
|
OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
|
||||||
|
OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
|
||||||
|
AC_DEFINE(ENABLE_LZ4, 1, [Enable LZ4 compression library])
|
||||||
|
- CFLAGS="${saved_CFLAGS}"
|
||||||
|
fi
|
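Review bot: The added `AC_DEFINE([NEED_COMPAT_LZ4], ...)` / `LZ4_LIBS=""` lines force the bundled `src/compat/compat-lz4.*` copy unconditionally by deleting the system-library probe, so OpenVPN now carries its own LZ4 that will not receive fixes shipped through a separate liblz4 package, and the unchanged `AC_ARG_VAR([LZ4_LIBS], ...)` at the top of the hunk still advertises a user variable that the new assignment silently discards. The patch has no header stating the motivation (if it is that no liblz4 package is available to the build, say so), and a less invasive form would keep the probe and only change the fallback message, letting the package Makefile pass `LZ4_LIBS` when a system library exists. At minimum add a description above the `---` line, e.g. `Always use the bundled LZ4 copy; the configure probe for a system liblz4 is skipped because <reason>`.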