mptcp/openmptcprouter-feeds
1
0
Fork 0
mirror of https://github.com/Ysurac/openmptcprouter-feeds.git synced 2025-02-12 10:31:51 +00:00
Code Issues Releases Wiki Activity

Update OpenVPN and MPTCP patch

Browse source
This commit is contained in:
Ycarus (Yannick Chabanois) 2023-08-31 10:07:18 +02:00
parent d5b8e6751f
commit da1744ae8a
14 changed files with 144 additions and 470 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
openvpn/Config-mbedtls.in
View file

@ -24,26 +24,22 @@ config OPENVPN_mbedtls_ENABLE_FRAGMENT
bool "Enable internal fragmentation support (--fragment)" bool "Enable internal fragmentation support (--fragment)"
default y default y
config OPENVPN_mbedtls_ENABLE_MULTIHOME
bool "Enable multi-homed UDP server support (--multihome)"
default y
config OPENVPN_mbedtls_ENABLE_PORT_SHARE config OPENVPN_mbedtls_ENABLE_PORT_SHARE
bool "Enable TCP server port-share support (--port-share)" bool "Enable TCP server port-share support (--port-share)"
default y default y
config OPENVPN_mbedtls_ENABLE_DEF_AUTH
bool "Enable deferred authentication"
default y
config OPENVPN_mbedtls_ENABLE_PF
bool "Enable internal packet filter"
default y
config OPENVPN_mbedtls_ENABLE_IPROUTE2 config OPENVPN_mbedtls_ENABLE_IPROUTE2
bool "Enable support for iproute2" bool "Enable support for iproute2"
default n default n
config OPENVPN_mbedtls_ENABLE_DCO
depends on !OPENVPN_mbedtls_ENABLE_IPROUTE2
bool "Enable support for data channel offload"
default n if OPENVPN_mbedtls_ENABLE_IPROUTE2
help
enable data channel offload support
using the ovpn-dco-v2 kernel module
config OPENVPN_mbedtls_ENABLE_SMALL config OPENVPN_mbedtls_ENABLE_SMALL
bool "Enable size optimization" bool "Enable size optimization"
default y default y

20
openvpn/Config-openssl.in
View file

@ -28,26 +28,22 @@ config OPENVPN_openssl_ENABLE_FRAGMENT
bool "Enable internal fragmentation support (--fragment)" bool "Enable internal fragmentation support (--fragment)"
default y default y
config OPENVPN_openssl_ENABLE_MULTIHOME
bool "Enable multi-homed UDP server support (--multihome)"
default y
config OPENVPN_openssl_ENABLE_PORT_SHARE config OPENVPN_openssl_ENABLE_PORT_SHARE
bool "Enable TCP server port-share support (--port-share)" bool "Enable TCP server port-share support (--port-share)"
default y default y
config OPENVPN_openssl_ENABLE_DEF_AUTH
bool "Enable deferred authentication"
default y
config OPENVPN_openssl_ENABLE_PF
bool "Enable internal packet filter"
default y
config OPENVPN_openssl_ENABLE_IPROUTE2 config OPENVPN_openssl_ENABLE_IPROUTE2
bool "Enable support for iproute2" bool "Enable support for iproute2"
default n default n
config OPENVPN_openssl_ENABLE_DCO
depends on !OPENVPN_openssl_ENABLE_IPROUTE2
bool "Enable support for data channel offload"
default n if OPENVPN_openssl_ENABLE_IPROUTE2
help
enable data channel offload support
using the ovpn-dco-v2 kernel module
config OPENVPN_openssl_ENABLE_SMALL config OPENVPN_openssl_ENABLE_SMALL
bool "Enable size optimization" bool "Enable size optimization"
default y default y

20
openvpn/Config-wolfssl.in
View file

@ -33,26 +33,22 @@ config OPENVPN_wolfssl_ENABLE_FRAGMENT
bool "Enable internal fragmentation support (--fragment)" bool "Enable internal fragmentation support (--fragment)"
default y default y
config OPENVPN_wolfssl_ENABLE_MULTIHOME
bool "Enable multi-homed UDP server support (--multihome)"
default y
config OPENVPN_wolfssl_ENABLE_PORT_SHARE config OPENVPN_wolfssl_ENABLE_PORT_SHARE
bool "Enable TCP server port-share support (--port-share)" bool "Enable TCP server port-share support (--port-share)"
default y default y
config OPENVPN_wolfssl_ENABLE_DEF_AUTH
bool "Enable deferred authentication"
default y
config OPENVPN_wolfssl_ENABLE_PF
bool "Enable internal packet filter"
default y
config OPENVPN_wolfssl_ENABLE_IPROUTE2 config OPENVPN_wolfssl_ENABLE_IPROUTE2
bool "Enable support for iproute2" bool "Enable support for iproute2"
default n default n
config OPENVPN_wolfssl_ENABLE_DCO
depends on !OPENVPN_wolfssl_ENABLE_IPROUTE2
bool "Enable support for data channel offload"
default n if OPENVPN_openssl_ENABLE_IPROUTE2
help
enable data channel offload support
using the ovpn-dco-v2 kernel module
config OPENVPN_wolfssl_ENABLE_SMALL config OPENVPN_wolfssl_ENABLE_SMALL
bool "Enable size optimization" bool "Enable size optimization"
default y default y

16
openvpn/Makefile
View file

@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn PKG_NAME:=openvpn
PKG_VERSION:=2.5.8 PKG_VERSION:=2.6.5
PKG_RELEASE:=3 PKG_RELEASE:=1
PKG_SOURCE_URL:=\ PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \ https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/ https://swupdate.openvpn.net/community/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_HASH:=2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57 PKG_HASH:=e34efdb9a3789a760cfc91d57349dfb1e31da169c98c06cb490c6a8a015638e2
PKG_MAINTAINER:=Magnus Kroken <mkroken@gmail.com> PKG_MAINTAINER:=Magnus Kroken <mkroken@gmail.com>
@ -36,14 +36,14 @@ define Package/openvpn/Default
URL:=http://openvpn.net URL:=http://openvpn.net
SUBMENU:=VPN SUBMENU:=VPN
MENU:=1 MENU:=1
DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3) DEPENDS:=+kmod-tun +libcap-ng +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_LZ4:liblz4 +OPENVPN_$(1)_ENABLE_IPROUTE2:ip +OPENVPN_$(1)_ENABLE_DCO:libnl-genl $(3)
VARIANT:=$(1) VARIANT:=$(1)
PROVIDES:=openvpn openvpn-crypto PROVIDES:=openvpn openvpn-crypto
endef endef
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl) Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls) Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL \(experimental\),+PACKAGE_openvpn-wolfssl:libwolfssl) Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL,+PACKAGE_openvpn-wolfssl:libwolfssl)
define Package/openvpn/config/Default define Package/openvpn/config/Default
source "$(SOURCE)/Config-$(1).in" source "$(SOURCE)/Config-$(1).in"
@ -80,11 +80,9 @@ define Build/Configure
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DCO),--enable,--disable)-dco \
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl --with-openssl-engine=no) \ $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl --with-openssl-engine=no) \
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \ $(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
$(if $(CONFIG_OPENVPN_WOLFSSL),--with-crypto-library=wolfssl) \ $(if $(CONFIG_OPENVPN_WOLFSSL),--with-crypto-library=wolfssl) \

1
openvpn/files/openvpn.options
View file

@ -54,7 +54,6 @@ iroute_ipv6
keepalive keepalive
key key
key_direction key_direction
keysize
learn_address learn_address
link_mtu link_mtu
lladdr lladdr

10
openvpn/patches/001-reproducible-remove_DATE.patch
View file

@ -1,10 +0,0 @@
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -105,7 +105,6 @@ const char title_string[] =
#endif
#endif
" [AEAD]"
- " built on " __DATE__
;
#ifndef ENABLE_SMALL

190
openvpn/patches/002-add-wolfssl-support.patch
View file

@ -1,190 +0,0 @@
From: Gert Doering <gert@greenie.muc.de>
Support for wolfSSL in OpenVPN
This patch adds support for wolfSSL in OpenVPN. Support is added by using
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged
and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is
linked against the wolfSSL library. The wolfSSL installation directory is
detected using pkg-config.
As requested by OpenVPN maintainers, this patch does not include
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN
in the configure script wolfSSL will include wolfssl/options.h on its own
(change added in wolfSSL/wolfssl#2825). The patch
adds an option '--disable-wolfssl-options-h' in case the user would like
to supply their own settings file for wolfSSL.
wolfSSL:
Support added in: wolfSSL/wolfssl#2503
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
OpenVPN:
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
configure.ac | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
src/openvpn/syshead.h | 3 ++-
2 files changed, 110 insertions(+), 3 deletions(-)
--- a/configure.ac
+++ b/configure.ac
@@ -271,16 +271,23 @@ AC_ARG_WITH(
AC_ARG_WITH(
[crypto-library],
- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
case "${withval}" in
- openssl|mbedtls) ;;
+ openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
esac
],
[with_crypto_library="openssl"]
)
+AC_ARG_ENABLE(
+ [wolfssl-options-h],
+ [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
+ ,
+ [enable_wolfssl_options_h="yes"]
+)
+
AC_ARG_WITH(
[openssl-engine],
[AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])],
@@ -1054,6 +1061,105 @@ elif test "${with_crypto_library}" = "mb
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should
+ contain the regular wolfSSL header files but also the
+ wolfSSL OpenSSL header files. Ex: -I/usr/local/include
+ -I/usr/local/include/wolfssl])
+ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+
+ saved_CFLAGS="${CFLAGS}"
+ saved_LIBS="${LIBS}"
+
+ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+ # if the user did not explicitly specify flags, try to autodetect
+ PKG_CHECK_MODULES(
+ [WOLFSSL],
+ [wolfssl],
+ [],
+ [AC_MSG_ERROR([Could not find wolfSSL.])]
+ )
+ PKG_CHECK_VAR(
+ [WOLFSSL_INCLUDEDIR],
+ [wolfssl],
+ [includedir],
+ [],
+ [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])]
+ )
+ WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl"
+ fi
+ saved_CFLAGS="${CFLAGS}"
+ saved_LIBS="${LIBS}"
+ CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}"
+ LIBS="${LIBS} ${WOLFSSL_LIBS}"
+
+ AC_CHECK_LIB(
+ [wolfssl],
+ [wolfSSL_Init],
+ [],
+ [AC_MSG_ERROR([Could not link wolfSSL library.])]
+ )
+ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
+
+ # wolfSSL signal EKM support
+ have_export_keying_material="yes"
+
+ AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+
+ if test "${enable_wolfssl_options_h}" = "yes"; then
+ AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
+ else
+ AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
+ fi
+
+ have_export_keying_material="yes"
+
+ CFLAGS="${saved_CFLAGS}"
+ LIBS="${saved_LIBS}"
+
+ AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
+ AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
+ CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
+ CRYPTO_LIBS="${WOLFSSL_LIBS}"
else
AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
fi
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -582,7 +582,8 @@ socket_defined(const socket_descriptor_t
/*
* Do we have CryptoAPI capability?
*/
-#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL)
+#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \
+ !defined(ENABLE_CRYPTO_WOLFSSL)
#define ENABLE_CRYPTOAPI
#endif

2
openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
View file

@ -1,6 +1,6 @@
--- a/src/openvpn/ssl_mbedtls.c --- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c
@@ -1539,7 +1539,7 @@ const char * @@ -1535,7 +1535,7 @@ const char *
get_ssl_library_version(void) get_ssl_library_version(void)
{ {
static char mbedtls_version[30]; static char mbedtls_version[30];

20
openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch Normal file
View file

@ -0,0 +1,20 @@
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -51,7 +51,7 @@
#include <openssl/rand.h>
#include <openssl/ssl.h>
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
#include <openssl/kdf.h>
#endif
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
@@ -1419,7 +1419,7 @@ engine_load_key(const char *file, SSL_CT
#endif /* if HAVE_OPENSSL_ENGINE */
}
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
bool
ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
int secret_len, uint8_t *output, int output_len)

20
openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch Normal file
View file

@ -0,0 +1,20 @@
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1351,7 +1351,7 @@ err:
return 0;
}
-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
+#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
/* called when EC_KEY is destroyed */
static void
@@ -1512,7 +1512,7 @@ tls_ctx_use_management_external_key(stru
goto cleanup;
}
}
-#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
+#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
#if OPENSSL_VERSION_NUMBER < 0x30000000L
else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */

12
openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch Normal file
View file

@ -0,0 +1,12 @@
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -269,6 +269,9 @@ backend_x509_get_username(char *common_n
return FAILURE;
}
}
+#if defined(ENABLE_CRYPTO_WOLFSSL)
+ #define LN_serialNumber "serialNumber"
+#endif
else if (strcmp(LN_serialNumber, x509_username_field) == 0)
{
ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);

74
openvpn/patches/210-build_always_use_internal_lz4.patch
View file

@ -1,74 +0,0 @@
--- a/configure.ac
+++ b/configure.ac
@@ -1211,68 +1211,15 @@ dnl
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
- if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then
- # if the user did not explicitly specify flags, try to autodetect
- PKG_CHECK_MODULES([LZ4],
- [liblz4 >= 1.7.1 liblz4 < 100],
- [have_lz4="yes"],
- [LZ4_LIBS="-llz4"] # If this fails, we will do another test next.
- # We also add set LZ4_LIBS otherwise the
- # linker will not know about the lz4 library
- )
- fi
saved_CFLAGS="${CFLAGS}"
saved_LIBS="${LIBS}"
CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
LIBS="${LIBS} ${LZ4_LIBS}"
- # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars
- # are used, check the version directly in the LZ4 include file
- if test "${have_lz4}" != "yes"; then
- AC_CHECK_HEADERS([lz4.h],
- [have_lz4h="yes"],
- [])
-
- if test "${have_lz4h}" = "yes" ; then
- AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1])
- AC_COMPILE_IFELSE(
- [AC_LANG_PROGRAM([[
-#include <lz4.h>
- ]],
- [[
-/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */
-#if LZ4_VERSION_NUMBER < 10701L
-#error LZ4 is too old
-#endif
- ]]
- )],
- [
- AC_MSG_RESULT([ok])
- have_lz4="yes"
- ],
- [AC_MSG_RESULT([system LZ4 library is too old])]
- )
- fi
- fi
-
- # Double check we have a few needed functions
- if test "${have_lz4}" = "yes" ; then
- AC_CHECK_LIB([lz4],
- [LZ4_compress_default],
- [],
- [have_lz4="no"])
- AC_CHECK_LIB([lz4],
- [LZ4_decompress_safe],
- [],
- [have_lz4="no"])
- fi
-
- if test "${have_lz4}" != "yes" ; then
- AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
- AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
- LZ4_LIBS=""
- fi
+ AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
+ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
+ LZ4_LIBS=""
OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library])

74
openvpn/patches/220-disable_des.patch
View file

@ -1,74 +0,0 @@
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
/*
* Should we include NTLM proxy functionality
*/
-#define NTLM 1
+//#define NTLM 1
/*
* Should we include proxy digest auth functionality
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -396,6 +396,7 @@ int
key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
{
int ret = 0;
+#ifdef MBEDTLS_DES_C
if (kt->type == MBEDTLS_CIPHER_DES_CBC)
{
ret = 1;
@@ -408,6 +409,7 @@ key_des_num_cblocks(const mbedtls_cipher
{
ret = 3;
}
+#endif
dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
return ret;
@@ -416,6 +418,7 @@ key_des_num_cblocks(const mbedtls_cipher
bool
key_des_check(uint8_t *key, int key_len, int ndc)
{
+#ifdef MBEDTLS_DES_C
int i;
struct buffer b;
@@ -444,11 +447,15 @@ key_des_check(uint8_t *key, int key_len,
err:
return false;
+#else
+ return true;
+#endif
}
void
key_des_fixup(uint8_t *key, int key_len, int ndc)
{
+#ifdef MBEDTLS_DES_C
int i;
struct buffer b;
@@ -463,6 +470,7 @@ key_des_fixup(uint8_t *key, int key_len,
}
mbedtls_des_key_set_parity(key);
}
+#endif
}
/*
@@ -783,10 +791,12 @@ cipher_des_encrypt_ecb(const unsigned ch
unsigned char *src,
unsigned char *dst)
{
+#ifdef MBEDTLS_DES_C
mbedtls_des_context ctx;
ASSERT(mbed_ok(mbedtls_des_setkey_enc(&ctx, key)));
ASSERT(mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst)));
+#endif
}

135
openvpn/patches/900-add_mptcp_support.patch → openvpn/patches/900-add-MPTCP-support.patch
View file

@ -1,8 +1,8 @@
diff --git a/configure.ac b/configure.ac diff --git a/configure.ac b/configure.ac
index 2f5f6bc7..d15c0910 100644 index 16c40bb5..04609ebf 100644
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -293,6 +293,12 @@ AC_ARG_WITH( @@ -314,6 +314,12 @@ AC_ARG_WITH(
[with_openssl_engine="auto"] [with_openssl_engine="auto"]
) )
@ -15,9 +15,9 @@ index 2f5f6bc7..d15c0910 100644
AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
if test -n "${PLUGINDIR}"; then if test -n "${PLUGINDIR}"; then
plugindir="${PLUGINDIR}" plugindir="${PLUGINDIR}"
@@ -846,6 +852,22 @@ PKG_CHECK_MODULES( @@ -879,6 +885,22 @@ case "$host" in
[] esac
)
+dnl +dnl
+dnl Checking Multipath TCP support on Linux +dnl Checking Multipath TCP support on Linux
@ -39,50 +39,47 @@ index 2f5f6bc7..d15c0910 100644
AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL]) AC_ARG_VAR([OPENSSL_CFLAGS], [C compiler flags for OpenSSL])
AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL]) AC_ARG_VAR([OPENSSL_LIBS], [linker flags for OpenSSL])
diff --git a/src/openvpn/init.c b/src/openvpn/init.c diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index be8ff80f..b4fe11e2 100644 index d358ad00..6e5b2d3b 100644
--- a/src/openvpn/init.c --- a/src/openvpn/init.c
+++ b/src/openvpn/init.c +++ b/src/openvpn/init.c
@@ -3449,6 +3449,9 @@ do_init_socket_1(struct context *c, const int mode) @@ -3359,7 +3359,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags)
c->c1.socks_proxy,
#ifdef ENABLE_DEBUG #ifdef ENABLE_DEBUG
c->options.gremlin, to.gremlin = c->options.gremlin;
+#endif
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
+ c->options.enable_mptcp,
#endif #endif
c->options.ce.bind_local, -
c->options.ce.remote_float, to.plugins = c->plugins;
#ifdef ENABLE_MANAGEMENT
diff --git a/src/openvpn/options.c b/src/openvpn/options.c diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 20d1273f..3222fda6 100644 index 2c51efa6..dac82a68 100644
--- a/src/openvpn/options.c --- a/src/openvpn/options.c
+++ b/src/openvpn/options.c +++ b/src/openvpn/options.c
@@ -130,6 +130,9 @@ static const char usage_message[] = @@ -137,6 +137,9 @@ static const char usage_message[] =
" udp6, tcp6-server, tcp6-client\n" " udp6, tcp6-server, tcp6-client\n"
"--proto-force p : only consider protocol p in list of connection profiles.\n" "--proto-force p : only consider protocol p in list of connection profiles.\n"
" p = udp or tcp\n" " p = udp or tcp\n"
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) +#if defined(ENABLE_MPTCP)
+ "--mptcp : Enable Multipath TCP on the TCP connections.\n" + "--mptcp : Enable Multipath TCP on the TCP connections.\n"
+#endif +#endif
"--connect-retry n [m] : For client, number of seconds to wait between\n" "--connect-retry n [m] : For client, number of seconds to wait between\n"
" connection retries (default=%d). On repeated retries\n" " connection retries (default=%d). On repeated retries\n"
" the wait time is exponentially increased to a maximum of m\n" " the wait time is exponentially increased to a maximum of m\n"
@@ -903,6 +906,11 @@ init_options(struct options *o, const bool init_gc) @@ -908,7 +911,9 @@ init_options(struct options *o, const bool init_gc)
} }
#endif /* _WIN32 */ #endif /* _WIN32 */
o->allow_recursive_routing = false; o->allow_recursive_routing = false;
+ -
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) +#if defined(ENABLE_MPTCP)
+ o->enable_mptcp = false; + o->enable_mptcp = false;
+#endif +#endif
+ #ifndef ENABLE_DCO
} o->tuntap_options.disable_dco = true;
#endif /* ENABLE_DCO */
void @@ -9475,6 +9480,18 @@ add_option(struct options *options,
@@ -8834,6 +8842,18 @@ add_option(struct options *options,
goto err; goto err;
} }
} }
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) +#if defined(ENABLE_MPTCP)
+ else if (streq(p[0], "mptcp")) + else if (streq(p[0], "mptcp"))
+ { + {
+ VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL);
@ -98,10 +95,10 @@ index 20d1273f..3222fda6 100644
{ {
int i; int i;
diff --git a/src/openvpn/options.h b/src/openvpn/options.h diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 37220904..465eff52 100644 index f5890b90..765ce90e 100644
--- a/src/openvpn/options.h --- a/src/openvpn/options.h
+++ b/src/openvpn/options.h +++ b/src/openvpn/options.h
@@ -430,6 +430,9 @@ struct options @@ -461,6 +461,9 @@ struct options
#define SF_NO_PUSH_ROUTE_GATEWAY (1<<2) #define SF_NO_PUSH_ROUTE_GATEWAY (1<<2)
unsigned int server_flags; unsigned int server_flags;
@ -112,7 +109,7 @@ index 37220904..465eff52 100644
bool server_bridge_defined; bool server_bridge_defined;
diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c
index e79cb0d3..754cdfc5 100644 index 3609630a..c5f364ff 100644
--- a/src/openvpn/ps.c --- a/src/openvpn/ps.c
+++ b/src/openvpn/ps.c +++ b/src/openvpn/ps.c
@@ -39,6 +39,14 @@ @@ -39,6 +39,14 @@
@ -120,7 +117,7 @@ index e79cb0d3..754cdfc5 100644
#include "memdbg.h" #include "memdbg.h"
+ +
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) +#if defined(ENABLE_MPTCP)
+#ifndef IPPROTO_MPTCP +#ifndef IPPROTO_MPTCP
+#define IPPROTO_MPTCP 262 +#define IPPROTO_MPTCP 262
+#endif +#endif
@ -134,7 +131,7 @@ index e79cb0d3..754cdfc5 100644
struct proxy_connection *cp; struct proxy_connection *cp;
/* connect to port share server */ /* connect to port share server */
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) +#if defined(ENABLE_MPTCP)
+ if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_MPTCP)) < 0) + if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_MPTCP)) < 0)
+#else +#else
if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) if ((sd_server = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
@ -143,27 +140,27 @@ index e79cb0d3..754cdfc5 100644
msg(M_WARN|M_ERRNO, "PORT SHARE PROXY: cannot create socket"); msg(M_WARN|M_ERRNO, "PORT SHARE PROXY: cannot create socket");
return false; return false;
diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c diff --git a/src/openvpn/socket.c b/src/openvpn/socket.c
index 28fabe76..e7242020 100644 index fc643c1c..fba2cdc5 100644
--- a/src/openvpn/socket.c --- a/src/openvpn/socket.c
+++ b/src/openvpn/socket.c +++ b/src/openvpn/socket.c
@@ -55,6 +55,12 @@ const int proto_overhead[] = { /* indexed by PROTO_x */ @@ -61,6 +61,12 @@ sf2gaf(const unsigned int getaddr_flags,
IPv6_TCP_HEADER_SIZE, }
}; }
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) +#if defined(ENABLE_MPTCP)
+#ifndef IPPROTO_MPTCP +#ifndef IPPROTO_MPTCP
+#define IPPROTO_MPTCP 262 +#define IPPROTO_MPTCP 262
+#endif +#endif
+#endif +#endif
+ +
/* /*
* Convert sockflags/getaddr_flags into getaddr_flags * Functions related to the translation of DNS names to IP addresses.
*/ */
@@ -1093,6 +1099,39 @@ create_socket_udp(struct addrinfo *addrinfo, const unsigned int flags) @@ -1085,6 +1091,39 @@ create_socket_udp(struct addrinfo *addrinfo, const unsigned int flags)
return sd; return sd;
} }
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) +#if defined(ENABLE_MPTCP)
+socket_descriptor_t +socket_descriptor_t
+create_socket_mptcp(struct addrinfo *addrinfo) +create_socket_mptcp(struct addrinfo *addrinfo)
+{ +{
@ -199,11 +196,11 @@ index 28fabe76..e7242020 100644
static void static void
bind_local(struct link_socket *sock, const sa_family_t ai_family) bind_local(struct link_socket *sock, const sa_family_t ai_family)
{ {
@@ -1136,6 +1175,21 @@ create_socket(struct link_socket *sock, struct addrinfo *addr) @@ -1128,6 +1167,21 @@ create_socket(struct link_socket *sock, struct addrinfo *addr)
} }
else if (addr->ai_protocol == IPPROTO_TCP || addr->ai_socktype == SOCK_STREAM) else if (addr->ai_protocol == IPPROTO_TCP || addr->ai_socktype == SOCK_STREAM)
{ {
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) +#if defined(ENABLE_MPTCP)
+ if(sock->info.multipath) + if(sock->info.multipath)
+ { + {
+ sock->sd = create_socket_mptcp(addr); + sock->sd = create_socket_mptcp(addr);
@ -221,63 +218,51 @@ index 28fabe76..e7242020 100644
sock->sd = create_socket_tcp(addr); sock->sd = create_socket_tcp(addr);
} }
else else
@@ -1891,6 +1945,9 @@ link_socket_init_phase1(struct link_socket *sock, @@ -1858,7 +1912,9 @@ link_socket_init_phase1(struct context *c, int mode)
struct socks_proxy_info *socks_proxy,
#ifdef ENABLE_DEBUG #ifdef ENABLE_DEBUG
int gremlin, sock->gremlin = o->gremlin;
+#endif
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
+ bool enable_mptcp,
#endif #endif
bool bind_local,
bool remote_float,
@@ -1920,7 +1977,11 @@ link_socket_init_phase1(struct link_socket *sock,
sock->inetd = inetd;
sock->resolve_retry_seconds = resolve_retry_seconds;
sock->mtu_discover_type = mtu_discover_type;
- -
+ +#if defined(ENABLE_MPTCP)
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) + sock->info.multipath = o->enable_mptcp;
+ sock->info.multipath = enable_mptcp;
+#endif +#endif
+ sock->socket_buffer_sizes.rcvbuf = o->rcvbuf;
#ifdef ENABLE_DEBUG sock->socket_buffer_sizes.sndbuf = o->sndbuf;
sock->gremlin = gremlin;
@@ -2213,7 +2269,7 @@ link_socket_init_phase2(struct context *c)
else
#endif #endif
@@ -2305,7 +2366,7 @@ link_socket_init_phase2(struct link_socket *sock,
/* If a valid remote has been found, create the socket with its addrinfo */
if (sock->info.lsa->current_remote)
{ {
- create_socket(sock, sock->info.lsa->current_remote); - create_socket(sock, sock->info.lsa->current_remote);
+ create_socket(sock, sock->info.lsa->current_remote); + create_socket(sock, sock->info.lsa->current_remote);
} }
/* If socket has not already been created create it now */ }
diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h diff --git a/src/openvpn/socket.h b/src/openvpn/socket.h
index 2ad6155f..0dcb0655 100644 index bfc1253b..7009daf0 100644
--- a/src/openvpn/socket.h --- a/src/openvpn/socket.h
+++ b/src/openvpn/socket.h +++ b/src/openvpn/socket.h
@@ -120,6 +120,9 @@ struct link_socket_info @@ -121,6 +121,9 @@ struct link_socket_info
sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/ sa_family_t af; /* Address family like AF_INET, AF_INET6 or AF_UNSPEC*/
bool bind_ipv6_only; bool bind_ipv6_only;
int mtu_changed; /* Set to true when mtu value is changed */ int mtu_changed; /* Set to true when mtu value is changed */
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP) +#if defined(ENABLE_MPTCP)
+ bool multipath; + bool multipath;
+#endif +#endif
}; };
/* /*
@@ -315,6 +318,9 @@ link_socket_init_phase1(struct link_socket *sock, @@ -244,6 +247,9 @@ struct link_socket
struct socks_proxy_info *socks_proxy,
#ifdef ENABLE_DEBUG #ifdef ENABLE_DEBUG
int gremlin, int gremlin; /* --gremlin bits */
+#endif
+#if defined(TARGET_LINUX) && defined(ENABLE_MPTCP)
+ bool enable_mptcp,
#endif #endif
bool bind_local, +#if defined(ENABLE_MPTCP)
bool remote_float, + bool enable_mptcp;
@@ -476,6 +482,10 @@ bool ipv6_addr_safe(const char *ipv6_text_addr); +#endif
};
/*
@@ -469,6 +475,10 @@ bool ipv6_addr_safe(const char *ipv6_text_addr);
socket_descriptor_t create_socket_tcp(struct addrinfo *); socket_descriptor_t create_socket_tcp(struct addrinfo *);