openvpn: update to 2.5.0

New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
  (unless iproute2 support is enabled).
* VLAN support when using a TAP device

Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
  OpenVPN peers prior to 2.4, or peers with data cipher negotiation
  disabled, will not be able to connect to a 2.5 peer unless
  option data_fallback_ciphers is set on the 2.5 peer and it contains a
  cipher supported by the client.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Magnus Kroken 2020-12-01 10:57:07 +01:00 committed by Rosen Penev
parent 4434915571
commit 2e55fc8b2d
No known key found for this signature in database
GPG key ID: 36D31CFA845F0E3B
12 changed files with 69 additions and 238 deletions


@ -8,10 +8,6 @@ config OPENVPN_mbedtls_ENABLE_LZ4
bool "Enable LZ4 compression support" bool "Enable LZ4 compression support"
default y default y
config OPENVPN_mbedtls_ENABLE_SERVER
bool "Enable server support (otherwise only client mode is support)"
default y
#config OPENVPN_mbedtls_ENABLE_EUREPHIA #config OPENVPN_mbedtls_ENABLE_EUREPHIA
# bool "Enable support for the eurephia plug-in" # bool "Enable support for the eurephia plug-in"
# default n # default n


@ -1,50 +0,0 @@
if PACKAGE_openvpn-nossl
config OPENVPN_nossl_ENABLE_LZO
bool "Enable LZO compression support"
default y
config OPENVPN_nossl_ENABLE_LZ4
bool "Enable LZ4 compression support"
default y
config OPENVPN_nossl_ENABLE_SERVER
bool "Enable server support (otherwise only client mode is support)"
default y
config OPENVPN_nossl_ENABLE_MANAGEMENT
bool "Enable management server support"
default n
config OPENVPN_nossl_ENABLE_FRAGMENT
bool "Enable internal fragmentation support (--fragment)"
default y
config OPENVPN_nossl_ENABLE_MULTIHOME
bool "Enable multi-homed UDP server support (--multihome)"
default y
config OPENVPN_nossl_ENABLE_PORT_SHARE
bool "Enable TCP server port-share support (--port-share)"
default y
config OPENVPN_nossl_ENABLE_DEF_AUTH
bool "Enable deferred authentication"
default y
config OPENVPN_nossl_ENABLE_PF
bool "Enable internal packet filter"
default y
config OPENVPN_nossl_ENABLE_IPROUTE2
bool "Enable support for iproute2"
default n
config OPENVPN_nossl_ENABLE_SMALL
bool "Enable size optimization"
default y
help
enable smaller executable size (disable OCC, usage
message, and verb 4 parm list)
endif


@ -12,10 +12,6 @@ config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
bool "Enable the --x509-username-field feature" bool "Enable the --x509-username-field feature"
default n default n
config OPENVPN_openssl_ENABLE_SERVER
bool "Enable server support (otherwise only client mode is support)"
default y
#config OPENVPN_openssl_ENABLE_EUREPHIA #config OPENVPN_openssl_ENABLE_EUREPHIA
# bool "Enable support for the eurephia plug-in" # bool "Enable support for the eurephia plug-in"
# default n # default n


@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn PKG_NAME:=openvpn
PKG_VERSION:=2.4.9 PKG_VERSION:=2.5.0
PKG_RELEASE:=5 PKG_RELEASE:=1
PKG_SOURCE_URL:=\ PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \ https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/ https://swupdate.openvpn.net/community/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2 PKG_HASH:=029a426e44d656cb4e1189319c95fe6fc9864247724f5599d99df9c4c3478fbd
PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name> PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
@ -37,16 +37,11 @@ define Package/openvpn/Default
MENU:=1 MENU:=1
DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3) DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
VARIANT:=$(1) VARIANT:=$(1)
ifeq ($(1),nossl)
PROVIDES:=openvpn
else
PROVIDES:=openvpn openvpn-crypto PROVIDES:=openvpn openvpn-crypto
endif
endef endef
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl) Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls) Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
define Package/openvpn/config/Default define Package/openvpn/config/Default
source "$(SOURCE)/Config-$(1).in" source "$(SOURCE)/Config-$(1).in"
@ -54,7 +49,6 @@ endef
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl) Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls) Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
ifeq ($(BUILD_VARIANT),mbedtls) ifeq ($(BUILD_VARIANT),mbedtls)
CONFIG_OPENVPN_MBEDTLS:=y CONFIG_OPENVPN_MBEDTLS:=y
@ -62,13 +56,8 @@ endif
ifeq ($(BUILD_VARIANT),openssl) ifeq ($(BUILD_VARIANT),openssl)
CONFIG_OPENVPN_OPENSSL:=y CONFIG_OPENVPN_OPENSSL:=y
endif endif
ifeq ($(BUILD_VARIANT),nossl)
CONFIG_OPENVPN_NOSSL:=y
endif
CONFIGURE_VARS += \ CONFIGURE_VARS += \
IFCONFIG=/sbin/ifconfig \
ROUTE=/sbin/route \
IPROUTE=/sbin/ip \ IPROUTE=/sbin/ip \
NETSTAT=/sbin/netstat NETSTAT=/sbin/netstat
@ -86,7 +75,6 @@ define Build/Configure
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
@ -94,7 +82,6 @@ define Build/Configure
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
$(if $(CONFIG_OPENVPN_NOSSL),--disable-crypto,--enable-crypto) \
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \ $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \ $(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
) )
@ -155,4 +142,3 @@ endef
$(eval $(call BuildPackage,openvpn-openssl)) $(eval $(call BuildPackage,openvpn-openssl))
$(eval $(call BuildPackage,openvpn-mbedtls)) $(eval $(call BuildPackage,openvpn-mbedtls))
$(eval $(call BuildPackage,openvpn-nossl))
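Review bot: The new `PKG_HASH:=029a426e44d656cb4e1189319c95fe6fc9864247724f5599d99df9c4c3478fbd` is the only integrity check on the tarball, since PKG_SOURCE_URL is fetched over HTTPS with no signature verification in the build; stating in the commit message that the hash was checked against the upstream release signature would let reviewers reproduce that step. Separately, removing `Package/openvpn-nossl` and its `PROVIDES:=openvpn` branch leaves installed openvpn-nossl packages with no upgrade candidate, so a one-line pointer to openvpn-openssl or openvpn-mbedtls in the commit message would make the removal discoverable to users.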


@ -254,6 +254,24 @@ config openvpn sample_server
# on the system # on the system
# option tls_version_min "1.2 'or-highest'" # option tls_version_min "1.2 'or-highest'"
# List the preferred ciphers to use for the data channel.
# Run openvpn --show-ciphers to see all supported ciphers.
# list data_ciphers 'AES-256-GCM'
# list data_ciphers 'AES-128-GCM'
# list data_ciphers 'CHACHA20-POLY1305'
# Set a fallback cipher in order to be compatible with
# peers that do not support cipher negotiation.
#
# Use AES-256-CBC as fallback
# option data_ciphers_fallback 'AES-128-CBC'
# Use AES-128-CBC as fallback
# option data_ciphers_fallback 'AES-256-CBC'
# Use Triple-DES as fallback
# option data_ciphers_fallback 'DES-EDE3-CBC'
# Use BF-CBC as fallback
# option data_ciphers_fallback 'BF-CBC'
# OpenVPN versions 2.4 and later will attempt to # OpenVPN versions 2.4 and later will attempt to
# automatically negotiate the most secure cipher # automatically negotiate the most secure cipher
# between the client and server, regardless of a # between the client and server, regardless of a
@ -265,21 +283,6 @@ config openvpn sample_server
# cipher option instead (not recommended). # cipher option instead (not recommended).
# option ncp_disable # option ncp_disable
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
#
# To see all supported ciphers, run:
# openvpn --show-ciphers
#
# Blowfish (default for backwards compatibility,
# but not recommended due to weaknesses):
# option cipher BF-CBC
# AES:
# option cipher AES-128-CBC
# Triple-DES:
# option cipher DES-EDE3-CBC
# Enable compression on the VPN link. # Enable compression on the VPN link.
# If you enable it here, you must also # If you enable it here, you must also
# enable it in the client config file. # enable it in the client config file.
@ -293,6 +296,15 @@ config openvpn sample_server
# LZO is compatible with most OpenVPN versions # LZO is compatible with most OpenVPN versions
# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients) # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
# option compress lzo # option compress lzo
# Control how OpenVPN handles peers using compression
#
# Do not allow any connections using compression
# option allow_compression 'no'
# Allow incoming compressed packets, but do not send compressed packets to other peers
# This can be useful when migrating old configurations with compression activated
# option allow_compression 'asym'
# Both incoming and outgoing packets may be compressed
# option allow_compression 'yes'
# The maximum number of concurrently connected # The maximum number of concurrently connected
# clients we want to allow. # clients we want to allow.
@ -449,10 +461,21 @@ config openvpn sample_client
# on the system # on the system
# option tls_version_min "1.2 'or-highest'" # option tls_version_min "1.2 'or-highest'"
# Select a cryptographic cipher. # List the preferred ciphers for the data channel.
# If the cipher option is used on the server # list data_ciphers 'AES-256-GCM'
# then you must also specify it here. # list data_ciphers 'AES-128-GCM'
# option cipher x # list data_ciphers 'CHACHA20-POLY1305'
# Set a fallback cipher if you connect to a peer that does
# not support cipher negotiation.
# Use AES-256-CBC as fallback
# option data_ciphers_fallback 'AES-128-CBC'
# Use AES-128-CBC as fallback
# option data_ciphers_fallback 'AES-256-CBC'
# Use Triple-DES as fallback
# option data_ciphers_fallback 'DES-EDE3-CBC'
# Use BF-CBC as fallback
# option data_ciphers_fallback 'BF-CBC'
# Enable compression on the VPN link. # Enable compression on the VPN link.
# Don't enable this unless it is also # Don't enable this unless it is also
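Review bot: The fallback examples have their labels swapped in both the sample_server hunk (+254) and the sample_client hunk (+461): `# Use AES-256-CBC as fallback` is followed by `# option data_ciphers_fallback 'AES-128-CBC'`, and `# Use AES-128-CBC as fallback` by `# option data_ciphers_fallback 'AES-256-CBC'`; swap the two option lines in each block so each comment matches its value. The same blocks list DES-EDE3-CBC and BF-CBC as fallbacks without the weakness caveat the removed text carried; since both are 64-bit block ciphers, a line such as `# (DES-EDE3-CBC and BF-CBC are weak; use them only for legacy peers that cannot negotiate a cipher)` next to those examples would keep the sample from reading as an endorsement.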


@ -1,10 +1,12 @@
OPENVPN_PARAMS=' OPENVPN_PARAMS='
allow_compression
askpass askpass
auth auth
auth_retry auth_retry
auth_user_pass auth_user_pass
auth_user_pass_verify auth_user_pass_verify
bcast_buffers bcast_buffers
bind_dev
ca ca
capath capath
cd cd
@ -21,6 +23,7 @@ connect_retry
connect_retry_max connect_retry_max
connect_timeout connect_timeout
crl_verify crl_verify
data_ciphers_fallback
dev dev
dev_node dev_node
dev_type dev_type
@ -51,7 +54,6 @@ iroute_ipv6
keepalive keepalive
key key
key_direction key_direction
key_method
keysize keysize
learn_address learn_address
link_mtu link_mtu
@ -69,7 +71,6 @@ mssfix
mtu_disc mtu_disc
mute mute
nice nice
ns_cert_type
ping ping
ping_exit ping_exit
ping_restart ping_restart
@ -116,6 +117,9 @@ syslog
tcp_queue_limit tcp_queue_limit
tls_auth tls_auth
tls_crypt tls_crypt
tls_crypt_v2
tls_crypt_v2_verify
tls_export_cert
tls_timeout tls_timeout
tls_verify tls_verify
tls_version_min tls_version_min
@ -129,6 +133,8 @@ user
verb verb
verify_client_cert verify_client_cert
verify_x509_name verify_x509_name
vlan_accept
vlan_pvid
x509_username_field x509_username_field
' '
@ -137,6 +143,7 @@ allow_recursive_routing
auth_nocache auth_nocache
auth_user_pass_optional auth_user_pass_optional
bind bind
block_ipv6
ccd_exclusive ccd_exclusive
client client
client_to_client client_to_client
@ -185,10 +192,13 @@ tls_server
up_delay up_delay
up_restart up_restart
username_as_common_name username_as_common_name
vlan_tagging
' '
OPENVPN_LIST=' OPENVPN_LIST='
data_ciphers
ncp_ciphers ncp_ciphers
tls_cipher tls_cipher
tls_ciphersuites tls_ciphersuites
tls_groups
' '
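Review bot: Dropping `ns_cert_type` and `key_method` from OPENVPN_PARAMS means an existing UCI section that still sets them is silently skipped when the config is rendered rather than reported; for ns_cert_type that quietly removes a client's peer-role check unless the section also sets remote_cert_tls. Consider having the init script warn about these two removed keys and point at `remote_cert_tls` as the replacement, or mention the migration in the commit message. This assumes the lists act as a whitelist for rendering; the init script that consumes them is outside this diff.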


@ -1,9 +1,9 @@
--- a/src/openvpn/options.c --- a/src/openvpn/options.c
+++ b/src/openvpn/options.c +++ b/src/openvpn/options.c
@@ -106,7 +106,6 @@ const char title_string[] = @@ -105,7 +105,6 @@ const char title_string[] =
#ifdef HAVE_AEAD_CIPHER_MODES
" [AEAD]"
#endif #endif
#endif
" [AEAD]"
- " built on " __DATE__ - " built on " __DATE__
; ;


@ -1,6 +1,6 @@
--- a/src/openvpn/ssl_mbedtls.c --- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c
@@ -1415,7 +1415,7 @@ const char * @@ -1520,7 +1520,7 @@ const char *
get_ssl_library_version(void) get_ssl_library_version(void)
{ {
static char mbedtls_version[30]; static char mbedtls_version[30];


@ -1,58 +0,0 @@
From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 26 Nov 2017 16:04:00 +0100
Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
Compiling our current master against OpenSSL 1.1 with
-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
the errors about the deprecated SSLEAY/SSLeay symbols and defines.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171126150401.28565-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
configure.ac | 1 +
src/openvpn/openssl_compat.h | 8 ++++++++
src/openvpn/ssl_openssl.c | 2 +-
3 files changed, 10 insertions(+), 1 deletion(-)
--- a/configure.ac
+++ b/configure.ac
@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
EVP_MD_CTX_free \
EVP_MD_CTX_reset \
EVP_CIPHER_CTX_reset \
+ OpenSSL_version \
SSL_CTX_get_default_passwd_cb \
SSL_CTX_get_default_passwd_cb_userdata \
SSL_CTX_set_security_level \
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
#endif
/* SSLeay symbols have been renamed in OpenSSL 1.1 */
+#ifndef OPENSSL_VERSION
+#define OPENSSL_VERSION SSLEAY_VERSION
+#endif
+
+#ifndef HAVE_OPENSSL_VERSION
+#define OpenSSL_version SSLeay_version
+#endif
+
#if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
#endif
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
const char *
get_ssl_library_version(void)
{
- return SSLeay_version(SSLEAY_VERSION);
+ return OpenSSL_version(OPENSSL_VERSION);
}
#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */


@ -1,65 +0,0 @@
From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 26 Nov 2017 16:49:12 +0100
Subject: [PATCH] openssl: add missing #include statements
Compiling our current master against OpenSSL 1.1 with
-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
the errors caused by missing includes. Previous openssl versions would
usually include 'the rest of the world', but they're fixing that. So we
should no longer rely on it.
(And sneaking in alphabetic ordering of the includes while touching them.)
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171126154912.13283-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/openssl_compat.h | 1 +
src/openvpn/ssl_openssl.c | 6 +++++-
src/openvpn/ssl_verify_openssl.c | 3 ++-
3 files changed, 8 insertions(+), 2 deletions(-)
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -42,6 +42,7 @@
#include "buffer.h"
+#include <openssl/rsa.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -52,10 +52,14 @@
#include "ssl_verify_openssl.h"
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+#include <openssl/dh.h>
+#include <openssl/dsa.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>
+#include <openssl/rsa.h>
#include <openssl/x509.h>
-#include <openssl/crypto.h>
#ifndef OPENSSL_NO_EC
#include <openssl/ec.h>
#endif
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -44,8 +44,9 @@
#include "ssl_verify_backend.h"
#include "openssl_compat.h"
-#include <openssl/x509v3.h>
+#include <openssl/bn.h>
#include <openssl/err.h>
+#include <openssl/x509v3.h>
int
verify_callback(int preverify_ok, X509_STORE_CTX *ctx)


@ -1,6 +1,6 @@
--- a/configure.ac --- a/configure.ac
+++ b/configure.ac +++ b/configure.ac
@@ -1080,68 +1080,15 @@ dnl @@ -1077,68 +1077,15 @@ dnl
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then


@ -1,24 +1,17 @@
--- a/src/openvpn/syshead.h --- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h
@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t @@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
/* /*
* Should we include NTLM proxy functionality * Should we include NTLM proxy functionality
*/ */
-#if defined(ENABLE_CRYPTO)
-#define NTLM 1 -#define NTLM 1
-#else
+//#if defined(ENABLE_CRYPTO)
+//#define NTLM 1 +//#define NTLM 1
+//#else
#define NTLM 0
-#endif
+//#endif
/* /*
* Should we include proxy digest auth functionality * Should we include proxy digest auth functionality
--- a/src/openvpn/crypto_mbedtls.c --- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c
@@ -319,6 +319,7 @@ int @@ -383,6 +383,7 @@ int
key_des_num_cblocks(const mbedtls_cipher_info_t *kt) key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
{ {
int ret = 0; int ret = 0;
@ -26,7 +19,7 @@
if (kt->type == MBEDTLS_CIPHER_DES_CBC) if (kt->type == MBEDTLS_CIPHER_DES_CBC)
{ {
ret = 1; ret = 1;
@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher @@ -395,6 +396,7 @@ key_des_num_cblocks(const mbedtls_cipher
{ {
ret = 3; ret = 3;
} }
@ -34,7 +27,7 @@
dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
return ret; return ret;
@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher @@ -403,6 +405,7 @@ key_des_num_cblocks(const mbedtls_cipher
bool bool
key_des_check(uint8_t *key, int key_len, int ndc) key_des_check(uint8_t *key, int key_len, int ndc)
{ {
@ -42,7 +35,7 @@
int i; int i;
struct buffer b; struct buffer b;
@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len, @@ -431,11 +434,15 @@ key_des_check(uint8_t *key, int key_len,
err: err:
return false; return false;
@ -58,7 +51,7 @@
int i; int i;
struct buffer b; struct buffer b;
@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len, @@ -450,6 +457,7 @@ key_des_fixup(uint8_t *key, int key_len,
} }
mbedtls_des_key_set_parity(key); mbedtls_des_key_set_parity(key);
} }
@ -66,7 +59,7 @@
} }
/* /*
@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch @@ -770,10 +778,12 @@ cipher_des_encrypt_ecb(const unsigned ch
unsigned char *src, unsigned char *src,
unsigned char *dst) unsigned char *dst)
{ {