diff --git a/openvpn/Config-mbedtls.in b/openvpn/Config-mbedtls.in
index 3cf233b8f..edcfbdf9d 100644
--- a/openvpn/Config-mbedtls.in
+++ b/openvpn/Config-mbedtls.in
@@ -24,26 +24,22 @@ config OPENVPN_mbedtls_ENABLE_FRAGMENT
 bool "Enable internal fragmentation support (--fragment)"
 default y
-config OPENVPN_mbedtls_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
 config OPENVPN_mbedtls_ENABLE_PORT_SHARE
 bool "Enable TCP server port-share support (--port-share)"
 default y
-config OPENVPN_mbedtls_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_mbedtls_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
 config OPENVPN_mbedtls_ENABLE_IPROUTE2
 bool "Enable support for iproute2"
 default n
+config OPENVPN_mbedtls_ENABLE_DCO
+ depends on !OPENVPN_mbedtls_ENABLE_IPROUTE2
+ bool "Enable support for data channel offload"
+ default n if OPENVPN_mbedtls_ENABLE_IPROUTE2
+ help
+ enable data channel offload support
+ using the ovpn-dco-v2 kernel module
+
 config OPENVPN_mbedtls_ENABLE_SMALL
 bool "Enable size optimization"
 default y
diff --git a/openvpn/Config-openssl.in b/openvpn/Config-openssl.in
index 7a7be74db..c09b45e10 100644
--- a/openvpn/Config-openssl.in
+++ b/openvpn/Config-openssl.in
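Review bot: The new OPENVPN_mbedtls_ENABLE_DCO entry combines `depends on !OPENVPN_mbedtls_ENABLE_IPROUTE2` with `default n if OPENVPN_mbedtls_ENABLE_IPROUTE2`; the conditional default can never take effect, because the symbol is not visible at all when IPROUTE2 is set, so a plain `default n` states the intent without the dead condition. Placing the `bool "..."` line first, as every other entry in this file starts with its type line, would also keep the entry in the conventional order. The help text could say why the option is exclusive with iproute2 (the reason is not visible in this hunk), e.g. `Offload the data channel to the ovpn-dco-v2 kernel module; not available together with iproute2 support.` The Config-openssl.in and Config-wolfssl.in hunks have the same shape.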
@@ -28,26 +28,22 @@ config OPENVPN_openssl_ENABLE_FRAGMENT
 bool "Enable internal fragmentation support (--fragment)"
 default y
-config OPENVPN_openssl_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
 config OPENVPN_openssl_ENABLE_PORT_SHARE
 bool "Enable TCP server port-share support (--port-share)"
 default y
-config OPENVPN_openssl_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_openssl_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
 config OPENVPN_openssl_ENABLE_IPROUTE2
 bool "Enable support for iproute2"
 default n
+config OPENVPN_openssl_ENABLE_DCO
+ depends on !OPENVPN_openssl_ENABLE_IPROUTE2
+ bool "Enable support for data channel offload"
+ default n if OPENVPN_openssl_ENABLE_IPROUTE2
+ help
+ enable data channel offload support
+ using the ovpn-dco-v2 kernel module
+
 config OPENVPN_openssl_ENABLE_SMALL
 bool "Enable size optimization"
 default y
diff --git a/openvpn/Config-wolfssl.in b/openvpn/Config-wolfssl.in
index ef8b9dcb3..bd076460a 100644
--- a/openvpn/Config-wolfssl.in
+++ b/openvpn/Config-wolfssl.in
@@ -33,26 +33,22 @@ config OPENVPN_wolfssl_ENABLE_FRAGMENT
 bool "Enable internal fragmentation support (--fragment)"
 default y
-config OPENVPN_wolfssl_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
 config OPENVPN_wolfssl_ENABLE_PORT_SHARE
 bool "Enable TCP server port-share support (--port-share)"
 default y
-config OPENVPN_wolfssl_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_wolfssl_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
 config OPENVPN_wolfssl_ENABLE_IPROUTE2
 bool "Enable support for iproute2"
 default n
+config OPENVPN_wolfssl_ENABLE_DCO
+ depends on !OPENVPN_wolfssl_ENABLE_IPROUTE2
+ bool "Enable support for data channel offload"
+ default n if OPENVPN_openssl_ENABLE_IPROUTE2
+ help
+ enable data channel offload support
+ using the ovpn-dco-v2 kernel module
+
 config OPENVPN_wolfssl_ENABLE_SMALL
 bool "Enable size optimization"
 default y
diff --git a/openvpn/Makefile b/openvpn/Makefile
index ac76841b8..752d38535 100644
--- a/openvpn/Makefile
+++ b/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
-PKG_VERSION:=2.5.8
-PKG_RELEASE:=3
+PKG_VERSION:=2.6.5
+PKG_RELEASE:=1
 PKG_SOURCE_URL:=\
 https://build.openvpn.net/downloads/releases/ \
 https://swupdate.openvpn.net/community/releases/
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_HASH:=e34efdb9a3789a760cfc91d57349dfb1e31da169c98c06cb490c6a8a015638e2
 PKG_MAINTAINER:=Magnus Kroken
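Review bot: `default n if OPENVPN_openssl_ENABLE_IPROUTE2` in the new OPENVPN_wolfssl_ENABLE_DCO entry references the openssl variant's symbol instead of OPENVPN_wolfssl_ENABLE_IPROUTE2, which looks like a copy-paste slip from Config-openssl.in. Because the entry already has `depends on !OPENVPN_wolfssl_ENABLE_IPROUTE2`, the conditional is unreachable either way; replacing the line with `default n` fixes the cross-reference and the redundancy at once.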
@@ -36,14 +36,14 @@ define Package/openvpn/Default
 URL:=http://openvpn.net
 SUBMENU:=VPN
 MENU:=1
- DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
+ DEPENDS:=+kmod-tun +libcap-ng +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_LZ4:liblz4 +OPENVPN_$(1)_ENABLE_IPROUTE2:ip +OPENVPN_$(1)_ENABLE_DCO:libnl-genl $(3)
 VARIANT:=$(1)
 PROVIDES:=openvpn openvpn-crypto
 endef
 Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
 Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
-Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL \(experimental\),+PACKAGE_openvpn-wolfssl:libwolfssl)
+Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL,+PACKAGE_openvpn-wolfssl:libwolfssl)
 define Package/openvpn/config/Default
 source "$(SOURCE)/Config-$(1).in"
@@ -80,11 +80,9 @@ define Build/Configure
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
 $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
+ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DCO),--enable,--disable)-dco \
 $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl --with-openssl-engine=no) \
 $(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
 $(if $(CONFIG_OPENVPN_WOLFSSL),--with-crypto-library=wolfssl) \
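Review bot: The DEPENDS line now adds `+OPENVPN_$(1)_ENABLE_DCO:libnl-genl`, but the Config-*.in help text for that option says the offload is done by the ovpn-dco-v2 kernel module, and no kernel-module package is pulled in here. If this feed ships a kmod package for ovpn-dco-v2 it should be listed alongside libnl-genl, e.g. `+OPENVPN_$(1)_ENABLE_DCO:<kmod package name for ovpn-dco-v2>`; if it does not, the help text should say the module has to be provided separately. `+libcap-ng` is added unconditionally for all three variants, while the other new dependencies are gated on their config symbols; a one-line comment above DEPENDS stating why it is required regardless of DCO would save the next reader a trip to configure.ac.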
diff --git a/openvpn/files/openvpn.options b/openvpn/files/openvpn.options
index 5a7c756f7..7e3aedb0d 100644
--- a/openvpn/files/openvpn.options
+++ b/openvpn/files/openvpn.options
@@ -54,7 +54,6 @@ iroute_ipv6
 keepalive
 key
 key_direction
-keysize
 learn_address
 link_mtu
 lladdr
diff --git a/openvpn/patches/001-reproducible-remove_DATE.patch b/openvpn/patches/001-reproducible-remove_DATE.patch
deleted file mode 100644
index e4e6d3941..000000000
--- a/openvpn/patches/001-reproducible-remove_DATE.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/src/openvpn/options.c
-+++ b/src/openvpn/options.c
-@@ -105,7 +105,6 @@ const char title_string[] =
- #endif
- #endif
- " [AEAD]"
-- " built on " __DATE__
- ;
-
- #ifndef ENABLE_SMALL
diff --git a/openvpn/patches/002-add-wolfssl-support.patch b/openvpn/patches/002-add-wolfssl-support.patch
deleted file mode 100644
index 7311a36eb..000000000
--- a/openvpn/patches/002-add-wolfssl-support.patch
+++ /dev/null
@@ -1,190 +0,0 @@ -From: Gert Doering - -Support for wolfSSL in OpenVPN - -This patch adds support for wolfSSL in OpenVPN. Support is added by using -wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged -and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is -linked against the wolfSSL library. The wolfSSL installation directory is -detected using pkg-config. - -As requested by OpenVPN maintainers, this patch does not include -wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN -in the configure script wolfSSL will include wolfssl/options.h on its own -(change added in wolfSSL/wolfssl#2825). The patch -adds an option '--disable-wolfssl-options-h' in case the user would like -to supply their own settings file for wolfSSL. - -wolfSSL: -Support added in: wolfSSL/wolfssl#2503 - -git clone https://github.com/wolfSSL/wolfssl.git -cd wolfssl -./autogen.sh -./configure --enable-openvpn -make -sudo make install - -OpenVPN: - -autoreconf -i -v -f -./configure --with-crypto-library=wolfssl -make -make check -sudo make install - -Signed-off-by: Juliusz Sosinowicz -Acked-by: Arne Schwabe -Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html -Signed-off-by: Gert Doering ---- - configure.ac | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- - src/openvpn/syshead.h | 3 ++- - 2 files changed, 110 insertions(+), 3 deletions(-) ---- a/configure.ac -+++ b/configure.ac -@@ -271,16 +271,23 @@ AC_ARG_WITH( - - AC_ARG_WITH( - [crypto-library], -- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], -+ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], - [ - case "${withval}" in -- openssl|mbedtls) ;; -+ openssl|mbedtls|wolfssl) ;; - *) AC_MSG_ERROR([bad value 
${withval} for --with-crypto-library]) ;; - esac - ], - [with_crypto_library="openssl"] - ) - -+AC_ARG_ENABLE( -+ [wolfssl-options-h], -+ [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])], -+ , -+ [enable_wolfssl_options_h="yes"] -+) -+ - AC_ARG_WITH( - [openssl-engine], - [AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])], -@@ -1054,6 +1061,105 @@ elif test "${with_crypto_library}" = "mb - AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) - CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" - CRYPTO_LIBS="${MBEDTLS_LIBS}" -+ -+elif test "${with_crypto_library}" = "wolfssl"; then -+ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should -+ contain the regular wolfSSL header files but also the -+ wolfSSL OpenSSL header files. Ex: -I/usr/local/include -+ -I/usr/local/include/wolfssl]) -+ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) -+ -+ saved_CFLAGS="${CFLAGS}" -+ saved_LIBS="${LIBS}" -+ -+ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then -+ # if the user did not explicitly specify flags, try to autodetect -+ PKG_CHECK_MODULES( -+ [WOLFSSL], -+ [wolfssl], -+ [], -+ [AC_MSG_ERROR([Could not find wolfSSL.])] -+ ) -+ PKG_CHECK_VAR( -+ [WOLFSSL_INCLUDEDIR], -+ [wolfssl], -+ [includedir], -+ [], -+ [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])] -+ ) -+ WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl" -+ fi -+ saved_CFLAGS="${CFLAGS}" -+ saved_LIBS="${LIBS}" -+ CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}" -+ LIBS="${LIBS} ${WOLFSSL_LIBS}" -+ -+ AC_CHECK_LIB( -+ [wolfssl], -+ [wolfSSL_Init], -+ [], -+ [AC_MSG_ERROR([Could not link wolfSSL library.])] -+ ) -+ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) -+ -+ # wolfSSL signal EKM support -+ have_export_keying_material="yes" -+ -+ 
AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as 
macros]) -+ AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ 
AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) -+ -+ if test "${enable_wolfssl_options_h}" = "yes"; then -+ AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library]) -+ else -+ AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library]) -+ fi -+ -+ have_export_keying_material="yes" -+ -+ CFLAGS="${saved_CFLAGS}" -+ LIBS="${saved_LIBS}" -+ -+ AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library]) -+ AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer]) -+ CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}" -+ CRYPTO_LIBS="${WOLFSSL_LIBS}" - else - AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}]) - fi ---- a/src/openvpn/syshead.h -+++ b/src/openvpn/syshead.h -@@ -582,7 +582,8 @@ socket_defined(const socket_descriptor_t - /* - * Do we have CryptoAPI capability? - */ --#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) -+#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \ -+ !defined(ENABLE_CRYPTO_WOLFSSL) - #define ENABLE_CRYPTOAPI - #endif - diff --git a/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch index 42665db87..c54277006 100644 --- a/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch +++ b/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch @@ -1,6 +1,6 @@ --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c -@@ -1539,7 +1539,7 @@ const char * +@@ -1535,7 +1535,7 @@ const char * get_ssl_library_version(void) { static char mbedtls_version[30]; diff --git a/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch b/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch new file mode 100644 index 000000000..81c09c1e8 --- /dev/null +++ b/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch 
@@ -0,0 +1,20 @@
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -51,7 +51,7 @@
+ #include
+ #include
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
+ #include
+ #endif
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+@@ -1419,7 +1419,7 @@ engine_load_key(const char *file, SSL_CT
+ #endif /* if HAVE_OPENSSL_ENGINE */
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
+ bool
+ ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
+ int secret_len, uint8_t *output, int output_len)
diff --git a/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch b/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
new file mode 100644
index 000000000..f0e7361f2
--- /dev/null
+++ b/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
@@ -0,0 +1,20 @@
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -1351,7 +1351,7 @@ err:
+ return 0;
+ }
+
+-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
++#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
+
+ /* called when EC_KEY is destroyed */
+ static void
+@@ -1512,7 +1512,7 @@ tls_ctx_use_management_external_key(stru
+ goto cleanup;
+ }
+ }
+-#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
++#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
+ #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
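Review bot: The new 101 patch file carries no header explaining what it changes or its upstream status, unlike the 002-add-wolfssl-support.patch it replaces, which recorded author, rationale and a mailing-list reference. A short description before its first `---` line, stating that the EVP_PKEY_CTX based path of `ssl_tls1_PRF` does not compile against wolfSSL's compatibility layer and that the build therefore takes the alternative branch, would help the next refresh. That alternative branch lies outside this hunk; judging by the name, `ssl_tls1_PRF` is the TLS1 PRF used in key derivation, so confirming that the fallback implementation is exercised by the test suite under wolfSSL is worthwhile. The same missing header applies to the 102 and 103 patch files.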
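Review bot: With `!defined(ENABLE_CRYPTO_WOLFSSL)` added to both guards in the 102 patch, an EC key supplied through `tls_ctx_use_management_external_key` no longer reaches the `else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)` branch under wolfSSL, so what happens to such a key is decided by whatever `else` follows outside this hunk. The patch should state that EC external keys are unsupported with wolfSSL, and it is worth confirming that the remaining branch reports a clear error rather than continuing without an external signer. The function body starts and ends outside the hunk.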
diff --git a/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch b/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
new file mode 100644
index 000000000..30e1822a1
--- /dev/null
+++ b/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
@@ -0,0 +1,12 @@
+--- a/src/openvpn/ssl_verify_openssl.c
++++ b/src/openvpn/ssl_verify_openssl.c
+@@ -269,6 +269,9 @@ backend_x509_get_username(char *common_n
+ return FAILURE;
+ }
+ }
++#if defined(ENABLE_CRYPTO_WOLFSSL)
++ #define LN_serialNumber "serialNumber"
++#endif
+ else if (strcmp(LN_serialNumber, x509_username_field) == 0)
+ {
+ ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
diff --git a/openvpn/patches/210-build_always_use_internal_lz4.patch b/openvpn/patches/210-build_always_use_internal_lz4.patch
deleted file mode 100644
index b5f675ade..000000000
--- a/openvpn/patches/210-build_always_use_internal_lz4.patch
+++ /dev/null
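Review bot: The `#define LN_serialNumber "serialNumber"` is emitted unconditionally whenever ENABLE_CRYPTO_WOLFSSL is set, so a wolfSSL release that starts shipping the macro will produce a redefinition warning, and it is placed between the `}` of an if-block and its `else if`, which the preprocessor accepts but which is easy to misread as part of the control flow. Guarding it and moving it up next to the includes of ssl_verify_openssl.c reads better: `#if defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LN_serialNumber)` / `#define LN_serialNumber "serialNumber"` / `#endif`. The enclosing backend_x509_get_username body starts and ends outside the hunk.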
@@ -1,74 +0,0 @@ ---- a/configure.ac -+++ b/configure.ac -@@ -1211,68 +1211,15 @@ dnl - AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) - AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) - if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then -- if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then -- # if the user did not explicitly specify flags, try to autodetect -- PKG_CHECK_MODULES([LZ4], -- [liblz4 >= 1.7.1 liblz4 < 100], -- [have_lz4="yes"], -- [LZ4_LIBS="-llz4"] # If this fails, we will do another test next. -- # We also add set LZ4_LIBS otherwise the -- # linker will not know about the lz4 library -- ) -- fi - - saved_CFLAGS="${CFLAGS}" - saved_LIBS="${LIBS}" - CFLAGS="${CFLAGS} ${LZ4_CFLAGS}" - LIBS="${LIBS} ${LZ4_LIBS}" - -- # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars -- # are used, check the version directly in the LZ4 include file -- if test "${have_lz4}" != "yes"; then -- AC_CHECK_HEADERS([lz4.h], -- [have_lz4h="yes"], -- []) -- -- if test "${have_lz4h}" = "yes" ; then -- AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1]) -- AC_COMPILE_IFELSE( -- [AC_LANG_PROGRAM([[ --#include -- ]], -- [[ --/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */ --#if LZ4_VERSION_NUMBER < 10701L --#error LZ4 is too old --#endif -- ]] -- )], -- [ -- AC_MSG_RESULT([ok]) -- have_lz4="yes" -- ], -- [AC_MSG_RESULT([system LZ4 library is too old])] -- ) -- fi -- fi -- -- # Double check we have a few needed functions -- if test "${have_lz4}" = "yes" ; then -- AC_CHECK_LIB([lz4], -- [LZ4_compress_default], -- [], -- [have_lz4="no"]) -- AC_CHECK_LIB([lz4], -- [LZ4_decompress_safe], -- [], -- [have_lz4="no"]) -- fi -- -- if test "${have_lz4}" != "yes" ; then -- AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*]) -- AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/]) -- LZ4_LIBS="" -- fi -+ AC_MSG_RESULT([ usable LZ4 library or header not found, 
using version in src/compat/compat-lz4.*]) -+ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/]) -+ LZ4_LIBS="" - OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}" - OPTIONAL_LZ4_LIBS="${LZ4_LIBS}" - AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library]) diff --git a/openvpn/patches/220-disable_des.patch b/openvpn/patches/220-disable_des.patch deleted file mode 100644 index a49c463c4..000000000 --- a/openvpn/patches/220-disable_des.patch +++ /dev/null 
@@ -1,74 +0,0 @@ ---- a/src/openvpn/syshead.h -+++ b/src/openvpn/syshead.h -@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t - /* - * Should we include NTLM proxy functionality - */ --#define NTLM 1 -+//#define NTLM 1 - - /* - * Should we include proxy digest auth functionality ---- a/src/openvpn/crypto_mbedtls.c -+++ b/src/openvpn/crypto_mbedtls.c -@@ -396,6 +396,7 @@ int - key_des_num_cblocks(const mbedtls_cipher_info_t *kt) - { - int ret = 0; -+#ifdef MBEDTLS_DES_C - if (kt->type == MBEDTLS_CIPHER_DES_CBC) - { - ret = 1; -@@ -408,6 +409,7 @@ key_des_num_cblocks(const mbedtls_cipher - { - ret = 3; - } -+#endif - - dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); - return ret; -@@ -416,6 +418,7 @@ key_des_num_cblocks(const mbedtls_cipher - bool - key_des_check(uint8_t *key, int key_len, int ndc) - { -+#ifdef MBEDTLS_DES_C - int i; - struct buffer b; - -@@ -444,11 +447,15 @@ key_des_check(uint8_t *key, int key_len, - - err: - return false; -+#else -+ return true; -+#endif - } - - void - key_des_fixup(uint8_t *key, int key_len, int ndc) - { -+#ifdef MBEDTLS_DES_C - int i; - struct buffer b; - -@@ -463,6 +470,7 @@ key_des_fixup(uint8_t *key, int key_len, - } - mbedtls_des_key_set_parity(key); - } -+#endif - } - - /* -@@ -783,10 +791,12 @@ cipher_des_encrypt_ecb(const unsigned ch - unsigned char *src, - unsigned char *dst) - { -+#ifdef MBEDTLS_DES_C - mbedtls_des_context ctx; - - ASSERT(mbed_ok(mbedtls_des_setkey_enc(&ctx, key))); - ASSERT(mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst))); -+#endif - } - - diff --git a/openvpn/patches/900-add_mptcp_support.patch b/openvpn/patches/900-add-MPTCP-support.patch similarity index 64% rename from openvpn/patches/900-add_mptcp_support.patch rename to openvpn/patches/900-add-MPTCP-support.patch index 7d3c3b8ad..efcef4f42 100644 --- a/openvpn/patches/900-add_mptcp_support.patch +++ b/openvpn/patches/900-add-MPTCP-support.patch @@ -1,8 +1,8 @@ 
diff --git a/configure.ac b/configure.ac -index 2f5f6bc7..d15c0910 100644 +index 16c40bb5..04609ebf 100644 --- a/configure.ac +++ b/configure.ac -@@ -293,6 +293,12 @@ AC_ARG_WITH( +@@ -314,6 +314,12 @@ AC_ARG_WITH( [with_openssl_engine="auto"] ) @@ -15,9 +15,9 @@ index 2f5f6bc7..d15c0910 100644 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" -@@ -846,6 +852,22 @@ PKG_CHECK_MODULES( - [] - ) +@@ -879,6 +885,22 @@ case "$host" in + esac + +dnl +dnl Checking Multipath TCP support on Linux @@ -39,50 +39,47 @@ index 2f5f6bc7..d15c0910 100644 AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL]) AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL]) diff --git a/src/openvpn/init.c b/src/openvpn/init.c -index be8ff80f..b4fe11e2 100644 +index d358ad00..6e5b2d3b 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c -@@ -3449,6 +3449,9 @@ do_init_socket_1(struct context *c, const int mode) - c->c1.socks_proxy, +@@ -3359,7 +3359,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) #ifdef ENABLE_DEBUG - c->options.gremlin, -+#endif -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) -+ c->options.enable_mptcp, + to.gremlin = c->options.gremlin; #endif - c->options.ce.bind_local, - c->options.ce.remote_float, +- + to.plugins = c->plugins; + + #ifdef ENABLE_MANAGEMENT diff --git a/src/openvpn/options.c b/src/openvpn/options.c -index 20d1273f..3222fda6 100644 +index 2c51efa6..dac82a68 100644 --- a/src/openvpn/options.c 
+++ b/src/openvpn/options.c -@@ -130,6 +130,9 @@ static const char usage_message[] = +@@ -137,6 +137,9 @@ static const char usage_message[] = " udp6, tcp6-server, tcp6-client\n" "--proto-force p : only consider protocol p in list of connection profiles.\n" " p = udp or tcp\n" -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) ++#if defined(ENABLE_MPTCP) + "--mptcp : Enable Multipath TCP on the TCP connections.\n" +#endif "--connect-retry n [m] : For client, number of seconds to wait between\n" " connection retries (default=%d). On repeated retries\n" " the wait time is exponentially increased to a maximum of m\n" -@@ -903,6 +906,11 @@ init_options(struct options *o, const bool init_gc) +@@ -908,7 +911,9 @@ init_options(struct options *o, const bool init_gc) } #endif /* _WIN32 */ o->allow_recursive_routing = false; -+ -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) +- ++#if defined(ENABLE_MPTCP) + o->enable_mptcp = false; +#endif -+ - } - - void -@@ -8834,6 +8842,18 @@ add_option(struct options *options, + #ifndef ENABLE_DCO + o->tuntap_options.disable_dco = true; + #endif /* ENABLE_DCO */ +@@ -9475,6 +9480,18 @@ add_option(struct options *options, goto err; } } -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) ++#if defined(ENABLE_MPTCP) + else if (streq(p[0], "mptcp")) + { + VERIFY_PERMISSION(OPT_P_GENERAL); @@ -98,10 +95,10 @@ index 20d1273f..3222fda6 100644 { int i; diff --git a/src/openvpn/options.h b/src/openvpn/options.h -index 37220904..465eff52 100644 +index f5890b90..765ce90e 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h -@@ -430,6 +430,9 @@ struct options +@@ -461,6 +461,9 @@ struct options #define SF_NO_PUSH_ROUTE_GATEWAY (1<<2) unsigned int server_flags; @@ -112,7 +109,7 @@ index 37220904..465eff52 100644 bool server_bridge_defined; diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c -index e79cb0d3..754cdfc5 100644 +index 3609630a..c5f364ff 100644 --- a/src/openvpn/ps.c +++ b/src/openvpn/ps.c @@ -39,6 +39,14 @@ 
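Review bot: The refreshed patch now carries a hunk in init.c (`@@ -3359,7 +3359,6 @@ do_init_crypto_tls`) whose only change is deleting a blank line after `#endif`; that is unrelated to MPTCP and should be dropped so the patch stays minimal and rebases cleanly. The guard has also been relaxed from `defined(TARGET_LINUX) && defined(ENABLE_MPTCP)` to `defined(ENABLE_MPTCP)`; that is fine if the configure check that defines ENABLE_MPTCP is itself Linux-only (the configure.ac hunk is labelled as a Linux check, but its body is not visible here), otherwise the Linux-specific `IPPROTO_MPTCP 262` fallback in the ps.c and socket.c hunks would be compiled on other targets. The same guard change appears in every following hunk of this patch.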
@@ -120,7 +117,7 @@ index e79cb0d3..754cdfc5 100644 #include "memdbg.h" + -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) ++#if defined(ENABLE_MPTCP) +#ifndef IPPROTO_MPTCP +#define IPPROTO_MPTCP 262 +#endif @@ -134,7 +131,7 @@ index e79cb0d3..754cdfc5 100644 struct proxy_connection *cp; /* connect to port share server */ -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) ++#if defined(ENABLE_MPTCP) + if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_MPTCP)) < 0) +#else if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) @@ -143,27 +140,27 @@ index e79cb0d3..754cdfc5 100644 msg(M_WARN|M_ERRNO, "PORT SHARE PROXY: cannot create socket"); return false; diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c -index 28fabe76..e7242020 100644 +index fc643c1c..fba2cdc5 100644 --- a/src/openvpn/socket.c +++ b/src/openvpn/socket.c -@@ -55,6 +55,12 @@ const int proto_overhead[] = { /* indexed by PROTO_x */ - IPv6_TCP_HEADER_SIZE, - }; +@@ -61,6 +61,12 @@ sf2gaf(const unsigned int getaddr_flags, + } + } -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) ++#if defined(ENABLE_MPTCP) +#ifndef IPPROTO_MPTCP +#define IPPROTO_MPTCP 262 +#endif +#endif + /* - * Convert sockflags/getaddr_flags into getaddr_flags + * Functions related to the translation of DNS names to IP addresses. */ -@@ -1093,6 +1099,39 @@ create_socket_udp(struct addrinfo *addrinfo, const unsigned int flags) +@@ -1085,6 +1091,39 @@ create_socket_udp(struct addrinfo *addrinfo, const unsigned int flags) return sd; } -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) ++#if defined(ENABLE_MPTCP) +socket_descriptor_t +create_socket_mptcp(struct addrinfo *addrinfo) +{ 
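Review bot: In the port-share proxy hunk, `socket(PF_INET, SOCK_STREAM, IPPROTO_MPTCP)` is selected at compile time by `#if defined(ENABLE_MPTCP)` alone, so every build with MPTCP compiled in opens the proxy socket as MPTCP whether or not `--mptcp` was given, whereas the link-socket path in socket.c consults `sock->info.multipath` at runtime. That asymmetry predates this refresh, but since the patch is being rewritten it deserves either a comment explaining why the proxy cannot honour the option, or a runtime switch if the option is reachable from here. If the running kernel rejects IPPROTO_MPTCP the call presumably fails, and the only fallback visible is the existing `PORT SHARE PROXY: cannot create socket` warning followed by `return false`, i.e. port-share is lost rather than degraded to TCP. The enclosing function's start and end are outside the hunk.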
@@ -199,11 +196,11 @@ index 28fabe76..e7242020 100644 static void bind_local(struct link_socket *sock, const sa_family_t ai_family) { -@@ -1136,6 +1175,21 @@ create_socket(struct link_socket *sock, struct addrinfo *addr) +@@ -1128,6 +1167,21 @@ create_socket(struct link_socket *sock, struct addrinfo *addr) } else if (addr->ai_protocol == IPPROTO_TCP || addr->ai_socktype == SOCK_STREAM) { -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) ++#if defined(ENABLE_MPTCP) + if(sock->info.multipath) + { + sock->sd = create_socket_mptcp(addr); @@ -221,63 +218,51 @@ index 28fabe76..e7242020 100644 sock->sd = create_socket_tcp(addr); } else -@@ -1891,6 +1945,9 @@ link_socket_init_phase1(struct link_socket *sock, - struct socks_proxy_info *socks_proxy, +@@ -1858,7 +1912,9 @@ link_socket_init_phase1(struct context *c, int mode) #ifdef ENABLE_DEBUG - int gremlin, -+#endif -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) -+ bool enable_mptcp, + sock->gremlin = o->gremlin; #endif - bool bind_local, - bool remote_float, -@@ -1920,7 +1977,11 @@ link_socket_init_phase1(struct link_socket *sock, - sock->inetd = inetd; - sock->resolve_retry_seconds = resolve_retry_seconds; - sock->mtu_discover_type = mtu_discover_type; - -+ -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) -+ sock->info.multipath = enable_mptcp; ++#if defined(ENABLE_MPTCP) ++ sock->info.multipath = o->enable_mptcp; +#endif -+ - #ifdef ENABLE_DEBUG - sock->gremlin = gremlin; + sock->socket_buffer_sizes.rcvbuf = o->rcvbuf; + sock->socket_buffer_sizes.sndbuf = o->sndbuf; + +@@ -2213,7 +2269,7 @@ link_socket_init_phase2(struct context *c) + else #endif -@@ -2305,7 +2366,7 @@ link_socket_init_phase2(struct link_socket *sock, - /* If a valid remote has been found, create the socket with its addrinfo */ - if (sock->info.lsa->current_remote) { - create_socket(sock, sock->info.lsa->current_remote); + create_socket(sock, sock->info.lsa->current_remote); } - /* If socket has not already been created create it now */ + } 
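Review bot: `if(sock->info.multipath)` in the create_socket hunk lacks the space after `if` that the surrounding OpenVPN code uses (`else if (addr->ai_protocol == IPPROTO_TCP ...` in the same hunk); write it `if (sock->info.multipath)`. The line is unchanged by this refresh, but the patch is being regenerated anyway, so it is cheap to fix now. The create_socket body continues beyond the hunk.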
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h -index 2ad6155f..0dcb0655 100644 +index bfc1253b..7009daf0 100644 --- a/src/openvpn/socket.h +++ b/src/openvpn/socket.h -@@ -120,6 +120,9 @@ struct link_socket_info +@@ -121,6 +121,9 @@ struct link_socket_info sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/ bool bind_ipv6_only; int mtu_changed; /* Set to true when mtu value is changed */ -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) ++#if defined(ENABLE_MPTCP) + bool multipath; +#endif }; /* -@@ -315,6 +318,9 @@ link_socket_init_phase1(struct link_socket *sock, - struct socks_proxy_info *socks_proxy, +@@ -244,6 +247,9 @@ struct link_socket #ifdef ENABLE_DEBUG - int gremlin, -+#endif -+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) -+ bool enable_mptcp, + int gremlin; /* --gremlin bits */ #endif - bool bind_local, - bool remote_float, -@@ -476,6 +482,10 @@ bool ipv6_addr_safe(const char *ipv6_text_addr); ++#if defined(ENABLE_MPTCP) ++ bool enable_mptcp; ++#endif + }; + + /* +@@ -469,6 +475,10 @@ bool ipv6_addr_safe(const char *ipv6_text_addr); socket_descriptor_t create_socket_tcp(struct addrinfo *);