Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #2 from nmav/master

Browse source 
Added openconnect + ocserv related packages
This commit is contained in:
sbyx 2014-06-03 21:03:59 +02:00
commit f72a2648d5
23 changed files with 5077 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
libs/gmp/Makefile Normal file
View file

@ -0,0 +1,64 @@
#
# Copyright (C) 2006-2012 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=gmp
PKG_VERSION:=5.1.3
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=ftp://ftp.gmplib.org/pub/$(PKG_NAME)-$(PKG_VERSION)/
PKG_MD5SUM:=a082867cbca5e898371a97bb27b31fea
PKG_BUILD_PARALLEL:=1
PKG_INSTALL:=1
PKG_FIXUP:=autoreconf
PKG_USE_MIPS16:=0
include $(INCLUDE_DIR)/package.mk
define Package/libgmp
SECTION:=libs
CATEGORY:=Libraries
TITLE:=GNU multiprecision arithmetic library
URL:=http://gmplib.org/
endef
define Package/libgmp/description
GMP is a free library for arbitrary precision arithmetic, operating on
signed integers, rational numbers, and floating point numbers.
endef
TARGET_CFLAGS += $(FPIC)
CONFIGURE_VARS += CC="$(TARGET_CROSS)gcc"
CONFIGURE_ARGS += \
--enable-shared \
--enable-static \
define Build/Compile
$(call Build/Compile/Default, \
DESTDIR="$(PKG_INSTALL_DIR)" \
CC="$(TARGET_CC)" \
all \
)
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(CP) $(PKG_INSTALL_DIR)/usr/include/gmp* $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgmp.{a,so*} $(1)/usr/lib/
endef
define Package/libgmp/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgmp.so.* $(1)/usr/lib/
endef
$(eval $(call BuildPackage,libgmp))

34
libs/gnutls/Config.in Normal file
View file

@ -0,0 +1,34 @@
# gnutls avanced configuration
menu "Configuration"
depends on PACKAGE_libgnutls
config GNUTLS_DTLS_SRTP
bool "enable DTLS SRTP support"
config GNUTLS_ALPN
bool "enable ALPN support"
config GNUTLS_OCSP
bool "enable ocsp support"
config GNUTLS_CRYPTODEV
bool "enable /dev/crypto support"
depends on BROKEN
config GNUTLS_HEARTBEAT
bool "enable DTLS heartbeat support"
config GNUTLS_OPENPGP
bool "enable OPENPGP authentication support"
config GNUTLS_SRP
bool "enable SRP authentication support"
config GNUTLS_PSK
bool "enable PSK authentication support"
config GNUTLS_ANON
bool "enable anonymous authentication support"
endmenu

231
libs/gnutls/Makefile Normal file
View file

@ -0,0 +1,231 @@
#
# Copyright (C) 2005-2010 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=gnutls
PKG_VERSION:=3.2.15
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2
PKG_MD5SUM:=ec3b06f80e312137386c5d322183ca5a
PKG_MAINTAINER:=Nikos Mavrogiannopoulos <nmav@gnutls.org>
PKG_INSTALL:=1
PKG_LIBTOOL_PATHS:=. lib
include $(INCLUDE_DIR)/package.mk
define Package/gnutls/Default
SUBMENU:=SSL
SECTION:=libs
CATEGORY:=Libraries
TITLE:=GNU TLS
URL:=http://www.gnutls.org/
endef
define Package/gnutls/Default/description
GnuTLS is a secure communications library implementing the SSL, TLS
and DTLS protocols and technologies around them. It provides a simple
C language application programming interface (API) to access the secure
communications protocols as well as APIs to parse and write X.509, PKCS12,
OpenPGP and other required structures. It is aimed to be portable and
efficient with focus on security and interoperability.
endef
define Package/certtool
$(call Package/gnutls/Default)
SECTION:=utils
CATEGORY:=Utilities
TITLE+= (certool utility)
DEPENDS+= +libgnutls
endef
define Package/certtool/description
$(call Package/gnutls/Default/description)
This package contains the GnuTLS certtool utility.
endef
define Package/gnutls-utils
$(call Package/gnutls/Default)
SECTION:=utils
CATEGORY:=Utilities
TITLE+= (utilities)
DEPENDS+= +libgnutls
endef
define Package/gnutls-utils/description
$(call Package/gnutls/Default/description)
This package contains the GnuTLS gnutls-cli, gnutls-serv, psktool,
and srptool utilities.
endef
define Package/libgnutls/config
source "$(SOURCE)/Config.in"
endef
define Package/libgnutls
$(call Package/gnutls/Default)
TITLE+= (library)
DEPENDS+= +libnettle +!LIBNETTLE_MINI:libgmp
endef
define Package/libgnutls/description
$(call Package/gnutls/Default/description)
This package contains the GnuTLS shared library, needed by other programs.
endef
define Package/libgnutls-openssl
$(call Package/gnutls/Default)
TITLE+= (OpenSSL compat library)
DEPENDS+= +libgnutls
endef
define Package/libgnutls-openssl/description
$(call Package/gnutls/Default/description)
This package contains the GnuTLS OpenSSL compatibility layer shared library.
endef
CONFIGURE_ARGS+= \
--enable-shared \
--enable-static \
--disable-libdane \
--disable-guile \
--disable-nls \
--without-zlib \
--with-included-libtasn1 \
--enable-local-libopts \
--disable-doc \
--disable-tests \
--disable-rsa-export \
--disable-crywrap \
--without-p11-kit
ifeq ($(CONFIG_LIBNETTLE_MINI),y)
CONFIGURE_ARGS += --with-nettle-mini
endif
ifneq ($(CONFIG_GNUTLS_DTLS_SRTP),y)
CONFIGURE_ARGS += --disable-dtls-srtp-support
endif
ifneq ($(CONFIG_GNUTLS_ALPN),y)
CONFIGURE_ARGS += --disable-alpn-support
endif
ifneq ($(CONFIG_GNUTLS_HEARTBEAT),y)
CONFIGURE_ARGS += --disable-heartbeat-support
endif
ifneq ($(CONFIG_GNUTLS_SRP),y)
CONFIGURE_ARGS += --disable-srp-authentication
endif
ifneq ($(CONFIG_GNUTLS_PSK),y)
CONFIGURE_ARGS += --disable-psk-authentication
endif
ifneq ($(CONFIG_GNUTLS_OPENPGP),y)
CONFIGURE_ARGS += --disable-openpgp-authentication
endif
ifneq ($(CONFIG_GNUTLS_ANON),y)
CONFIGURE_ARGS += --disable-anon-authentication
endif
ifneq ($(CONFIG_GNUTLS_OCSP),y)
CONFIGURE_ARGS += --disable-ocsp
endif
ifeq ($(CONFIG_GNUTLS_CRYPTODEV),y)
CONFIGURE_ARGS += --enable-cryptodev
endif
# XXX: AM_CFLAGS duplicates with CFLAGS
MAKE_FLAGS:= \
AM_CFLAGS="" \
TARGET_CFLAGS += $(FPIC)
TARGET_LDFLAGS += -Wl,-rpath-link=$(STAGING_DIR)/usr/lib
define Build/Configure
$(SED) 's,-I$$$${includedir},,g' $(PKG_BUILD_DIR)/configure
$(SED) 's,-L$$$${libdir},,g' $(PKG_BUILD_DIR)/configure
$(call Build/Configure/Default)
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include $(1)/usr/lib/pkgconfig
$(CP) \
$(PKG_INSTALL_DIR)/usr/include/gnutls \
$(1)/usr/include/
$(CP) \
$(PKG_INSTALL_DIR)/usr/lib/libgnutls{,-openssl}.{a,so*} \
$(1)/usr/lib/
$(CP) \
$(PKG_INSTALL_DIR)/usr/lib/pkgconfig/gnutls.pc \
$(1)/usr/lib/pkgconfig/
endef
define Package/certtool/conffiles
/etc/gnutls/certtool.cfg
endef
define Package/certtool/install
$(INSTALL_DIR) $(1)/etc/gnutls
$(INSTALL_CONF) $(PKG_BUILD_DIR)/doc/certtool.cfg $(1)/etc/gnutls/
$(INSTALL_DIR) $(1)/usr/bin
$(CP) $(PKG_INSTALL_DIR)/usr/bin/certtool $(1)/usr/bin/
endef
define Package/gnutls-utils/install
$(INSTALL_DIR) $(1)/usr/bin
ifeq ($(CONFIG_GNUTLS_OCSP),y)
ifeq ($(CONFIG_GNUTLS_ANON),y)
$(CP) \
$(PKG_INSTALL_DIR)/usr/bin/gnutls-{cli,serv} \
$(1)/usr/bin/
endif
$(CP) \
$(PKG_INSTALL_DIR)/usr/bin/ocsptool \
$(1)/usr/bin/
endif
ifeq ($(CONFIG_GNUTLS_SRP),y)
$(CP) \
$(PKG_INSTALL_DIR)/usr/bin/srptool \
$(1)/usr/bin/
endif
ifeq ($(CONFIG_GNUTLS_PSK),y)
$(CP) \
$(PKG_INSTALL_DIR)/usr/bin/psktool \
$(1)/usr/bin/
endif
endef
define Package/libgnutls/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgnutls.so.* $(1)/usr/lib/
endef
define Package/libgnutls-openssl/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgnutls-openssl.so.* $(1)/usr/lib/
endef
$(eval $(call BuildPackage,certtool))
$(eval $(call BuildPackage,gnutls-utils))
$(eval $(call BuildPackage,libgnutls))
$(eval $(call BuildPackage,libgnutls-openssl))

9
libs/nettle/Config.in Normal file
View file

@ -0,0 +1,9 @@
# nettle avanced configuration
menu "Configuration"
depends on PACKAGE_libnettle
config LIBNETTLE_MINI
bool "use mini-gmp instead of gmp; the library will be much smaller at a 10x performance penalty. Note that this option may have side effects to programs that link to both nettle and gmp."
endmenu

85
libs/nettle/Makefile Normal file
View file

@ -0,0 +1,85 @@
#
# Copyright (C) 2014 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=nettle
PKG_VERSION:=2.7.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=@GNU/nettle
PKG_MD5SUM:=003d5147911317931dd453520eb234a5
PKG_MAINTAINER:=Nikos Mavrogiannopoulos <nmav@gnutls.org>
PKG_LICENSE:=LGPLv2
PKG_LICENSE_FILES:=COPYING
PKG_FIXUP:=autoreconf
PKG_BUILD_PARALLEL:=0
include $(INCLUDE_DIR)/package.mk
define Package/libnettle
SECTION:=libs
CATEGORY:=Libraries
TITLE:=GNU crypto library
URL:=http://www.lysator.liu.se/~nisse/nettle/
DEPENDS+= +!LIBNETTLE_MINI:libgmp
endef
define Package/libnettle/config
source "$(SOURCE)/Config.in"
endef
TARGET_CFLAGS += $(FPIC)
CONFIGURE_ARGS += \
--enable-shared \
--disable-openssl \
--disable-documentation \
--enable-static
ifeq ($(CONFIG_LIBNETTLE_MINI),y)
CONFIGURE_ARGS += --enable-mini-gmp
endif
ifeq ($(CONFIG_CPU_SUBTYPE),neon)
CONFIGURE_ARGS += \
--enable-arm-neon
endif
define Build/Compile
$(call Build/Compile/Default, \
DESTDIR="$(PKG_INSTALL_DIR)" \
CC="$(TARGET_CC)" \
libnettle.so libhogweed.so
+$(MAKE) -i $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
DESTDIR="$(PKG_INSTALL_DIR)" \
install)
endef
define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include/nettle
$(CP) $(PKG_INSTALL_DIR)/usr/include/nettle/*.h $(1)/usr/include/nettle/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnettle.{a,so*} $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libhogweed.{a,so*} $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) \
$(PKG_INSTALL_DIR)/usr/lib/pkgconfig/nettle.pc \
$(PKG_INSTALL_DIR)/usr/lib/pkgconfig/hogweed.pc \
$(1)/usr/lib/pkgconfig/
endef
define Package/libnettle/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libnettle.so.* $(1)/usr/lib/
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libhogweed.so.* $(1)/usr/lib/
endef
$(eval $(call BuildPackage,libnettle))

1738
libs/nettle/patches/0001-Updated-mini-gmp.patch Normal file
View file

File diff suppressed because it is too large Load diff

463
libs/nettle/patches/0002-Added-option-to-use-mini-gmp-in-hogweed.patch Normal file
View file

@ -0,0 +1,463 @@
From 8d5360e3e5eea3c9dbfd44f9b981f18a41605e45 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sun, 9 Mar 2014 11:30:25 +0100
Subject: [PATCH 2/5] Added option to use mini-gmp in hogweed.
---
Makefile.in | 8 +++--
bignum.h | 6 +++-
configure.ac | 76 +++++++++++++++++++++++++++++++++++-------------
dsa.h | 2 +-
ecc-internal.h | 2 +-
ecc.h | 2 +-
eccdata.c | 12 +++++++-
examples/Makefile.in | 2 +-
examples/ecc-benchmark.c | 2 ++
gmp-glue.c | 1 +
gmp-glue.h | 2 +-
hogweed.pc.in | 2 +-
mini-gmp.c | 2 +-
mini-gmp.h | 9 ++++++
pkcs1.h | 2 +-
rsa.h | 2 +-
testsuite/Makefile.in | 4 +--
testsuite/testutils.h | 5 ++--
18 files changed, 102 insertions(+), 39 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index 3b0e1cb..42be3a9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -16,6 +16,10 @@ MKDIR_P = @MKDIR_P@
OPT_ASM_SOURCES = @OPT_ASM_SOURCES@
+OPT_HOGWEED_SOURCES = @OPT_HOGWEED_SOURCES@
+
+OPT_HOGWEED_HEADERS = @OPT_HOGWEED_HEADERS@
+
SUBDIRS = tools testsuite examples
include config.make
@@ -106,7 +110,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
nettle-meta-armors.c \
write-be32.c write-le32.c write-le64.c
-hogweed_SOURCES = sexp.c sexp-format.c \
+hogweed_SOURCES = $(OPT_HOGWEED_SOURCES) sexp.c sexp-format.c \
sexp-transport.c sexp-transport-format.c \
bignum.c bignum-next-prime.c \
bignum-random.c bignum-random-prime.c \
@@ -156,7 +160,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h bignum.h blowfish.h \
pgp.h pkcs1.h realloc.h ripemd160.h rsa.h rsa-compat.h \
salsa20.h sexp.h \
serpent.h sha.h sha1.h sha2.h sha3.h twofish.h \
- umac.h yarrow.h
+ umac.h yarrow.h $(OPT_HOGWEED_HEADERS)
INSTALL_HEADERS = $(HEADERS) nettle-stdint.h
diff --git a/bignum.h b/bignum.h
index 746b21f..1f2ff07 100644
--- a/bignum.h
+++ b/bignum.h
@@ -28,7 +28,11 @@
#include "nettle-meta.h"
-#include <gmp.h>
+#ifdef USE_MINI_GMP
+# include "mini-gmp.h"
+#else
+# include <gmp.h>
+#endif
#include "nettle-types.h"
#ifdef __cplusplus
diff --git a/configure.ac b/configure.ac
index 78a3d4e..93eb09a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -72,6 +72,16 @@ AC_ARG_ENABLE(arm-neon,
AC_HELP_STRING([--enable-arm-neon], [Enable ARM Neon assembly. (default=auto)]),,
[enable_arm_neon=auto])
+AC_ARG_ENABLE(mini-gmp,
+ AC_HELP_STRING([--enable-mini-gmp], [Disable gmp support and enable mini-gmp. (default=disabled)]),,
+ [enable_mini_gmp=no])
+
+if test "x$enable_mini_gmp" = xyes ; then
+GMP_LIBS=""
+else
+GMP_LIBS="-lgmp"
+fi
+
LSH_RPATH_INIT([`echo $with_lib_path | sed 's/:/ /g'` \
`echo $exec_prefix | sed "s@^NONE@$prefix/lib@g" | sed "s@^NONE@$ac_default_prefix/lib@g"` \
/usr/local/lib /sw/local/lib /sw/lib \
@@ -409,7 +419,7 @@ case "$host_os" in
LIBHOGWEED_SONAME='libhogweed.$(LIBHOGWEED_MAJOR).dylib'
LIBHOGWEED_FILE='libhogweed.$(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR).dylib'
LIBHOGWEED_LINK='$(CC) $(CFLAGS) -dynamiclib -L. $(LDFLAGS) -install_name ${libdir}/$(LIBHOGWEED_SONAME) -compatibility_version $(LIBHOGWEED_MAJOR) -current_version $(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR)'
- LIBHOGWEED_LIBS='-lnettle -lgmp'
+ LIBHOGWEED_LIBS='-lnettle $(GMP_LIBS)'
;;
solaris*)
# Sun's ld uses -h to set the soname, and this option is passed
@@ -425,7 +435,7 @@ case "$host_os" in
LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)'
LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)'
LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -L. -G -h $(LIBHOGWEED_SONAME)'
- LIBHOGWEED_LIBS='-lnettle -lgmp'
+ LIBHOGWEED_LIBS='-lnettle $(GMP_LIBS)'
;;
*)
LIBNETTLE_FORLINK=libnettle.so
@@ -443,7 +453,7 @@ case "$host_os" in
# -lhogweed -lgmp -lnettle are still required). Also makes dlopen
# of libhogweed.so work, without having to use RTLD_GLOBAL.
# Depends on -L. above, to locate nettle.so.
- LIBHOGWEED_LIBS='-lnettle -lgmp'
+ LIBHOGWEED_LIBS='-lnettle $(GMP_LIBS)'
;;
esac
@@ -644,32 +654,55 @@ if test "x$nettle_cv_fcntl_locking" = "xyes" ; then
AC_DEFINE(HAVE_FCNTL_LOCKING)
fi
-# Checks for libraries
-AC_CHECK_LIB(gmp, __gmpz_getlimbn,,
- [AC_MSG_WARN(
+TESTSUITE_LIBS=""
+
+OPT_HOGWEED_SOURCES=""
+OPT_HOGWEED_HEADERS=""
+if test "x$enable_mini_gmp" = xyes ; then
+ OPT_HOGWEED_SOURCES="$OPT_HOGWEED_SOURCES mini-gmp.c"
+ OPT_HOGWEED_HEADERS="$OPT_HOGWEED_HEADERS mini-gmp.h"
+ AC_DEFINE([USE_MINI_GMP], 1, [Use mini-gmp instead of gmp])
+ IF_NOT_MINI_GMP='#'
+ GMP_NUMB_BITS="0"
+else
+
+ # Checks for libraries
+ AC_CHECK_LIB(gmp, __gmpz_getlimbn,,
+ [AC_MSG_WARN(
[GNU MP not found, or not 3.1 or up, see http://gmplib.org/.
Support for public key algorithms will be unavailable.])]
- enable_public_key=no)
+ enable_public_key=no)
-# Add -R flags needed to run programs linked with gmp
-LSH_RPATH_FIX
+ # Add -R flags needed to run programs linked with gmp
+ LSH_RPATH_FIX
-# Check for gmp limb size
-nettle_cv_gmp_numb_bits=0
-if test "$enable_public_key" = yes; then
- AC_MSG_CHECKING([for GMP limb size])
- AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [GMP_NUMB_BITS],
- [#include <gmp.h>],
- [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])])
+ # Check for gmp limb size
+ nettle_cv_gmp_numb_bits=0
+ if test "$enable_public_key" = yes; then
+ AC_MSG_CHECKING([for GMP limb size])
+ AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [GMP_NUMB_BITS],
+ [#include <gmp.h>],
+ [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])])
- AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits])
+ AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits])
+ fi
+
+ GMP_NUMB_BITS="$nettle_cv_gmp_numb_bits"
+
+ AH_TEMPLATE([HAVE_MPZ_POWM_SEC], [Define if mpz_powm_sec is available (appeared in GMP-5)])
+ AC_CHECK_FUNC(__gmpz_powm_sec, [AC_DEFINE(HAVE_MPZ_POWM_SEC)])
+
+ IF_NOT_MINI_GMP=''
+ TESTSUITE_LIBS="-lgmp"
fi
-GMP_NUMB_BITS="$nettle_cv_gmp_numb_bits"
-AC_SUBST([GMP_NUMB_BITS])
+AC_SUBST([GMP_LIBS])
-AH_TEMPLATE([HAVE_MPZ_POWM_SEC], [Define if mpz_powm_sec is available (appeared in GMP-5)])
-AC_CHECK_FUNC(__gmpz_powm_sec, [AC_DEFINE(HAVE_MPZ_POWM_SEC)])
+dnl The testsuite requires gmp
+AC_SUBST([TESTSUITE_LIBS])
+AC_SUBST([GMP_NUMB_BITS])
+AC_SUBST([OPT_HOGWEED_SOURCES])
+AC_SUBST([OPT_HOGWEED_HEADERS])
AH_TEMPLATE([WITH_HOGWEED], [Defined if public key features are enabled])
@@ -714,6 +747,7 @@ else
IF_DOCUMENTATION='#'
fi
+AC_SUBST(IF_NOT_MINI_GMP)
AC_SUBST(IF_HOGWEED)
AC_SUBST(IF_STATIC)
AC_SUBST(IF_SHARED)
diff --git a/dsa.h b/dsa.h
index 7ee2624..478e4fc 100644
--- a/dsa.h
+++ b/dsa.h
@@ -26,7 +26,7 @@
#ifndef NETTLE_DSA_H_INCLUDED
#define NETTLE_DSA_H_INCLUDED
-#include <gmp.h>
+#include "bignum.h"
#include "nettle-types.h"
diff --git a/ecc-internal.h b/ecc-internal.h
index e8974fe..5cdd0e1 100644
--- a/ecc-internal.h
+++ b/ecc-internal.h
@@ -25,7 +25,7 @@
#ifndef NETTLE_ECC_INTERNAL_H_INCLUDED
#define NETTLE_ECC_INTERNAL_H_INCLUDED
-#include <gmp.h>
+#include "bignum.h"
#include "nettle-types.h"
#include "ecc-curve.h"
diff --git a/ecc.h b/ecc.h
index 609d246..924f8ec 100644
--- a/ecc.h
+++ b/ecc.h
@@ -25,7 +25,7 @@
#ifndef NETTLE_ECC_H_INCLUDED
#define NETTLE_ECC_H_INCLUDED
-#include <gmp.h>
+#include "bignum.h"
#include "nettle-types.h"
diff --git a/eccdata.c b/eccdata.c
index 466753c..24f64e3 100644
--- a/eccdata.c
+++ b/eccdata.c
@@ -24,11 +24,14 @@
/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
+#include "config.h"
+
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include "mini-gmp.h"
#include "mini-gmp.c"
/* Affine coordinates, for simplicity. Infinity point represented as x
@@ -895,6 +898,7 @@ int
main (int argc, char **argv)
{
struct ecc_curve ecc;
+ unsigned bits;
if (argc < 4)
{
@@ -902,6 +906,7 @@ main (int argc, char **argv)
return EXIT_FAILURE;
}
+ bits = atoi(argv[4]);
ecc_curve_init (&ecc, atoi(argv[1]));
ecc_pippenger_precompute (&ecc, atoi(argv[2]), atoi(argv[3]));
@@ -912,7 +917,12 @@ main (int argc, char **argv)
ecc_curve_check (&ecc);
if (argc > 4)
- output_curve (&ecc, atoi(argv[4]));
+ {
+ /* when using mini-gmp we cannot estimate it on configure */
+ if (bits == 0)
+ bits = GMP_NUMB_BITS;
+ output_curve (&ecc, bits);
+ }
return EXIT_SUCCESS;
}
diff --git a/examples/Makefile.in b/examples/Makefile.in
index 563d0dc..2bb0436 100644
--- a/examples/Makefile.in
+++ b/examples/Makefile.in
@@ -11,7 +11,7 @@ PRE_CPPFLAGS = -I.. -I$(top_srcdir)
PRE_LDFLAGS = -L..
OPENSSL_LIBFLAGS = @OPENSSL_LIBFLAGS@
-BENCH_LIBS = @BENCH_LIBS@ -lm
+BENCH_LIBS = @BENCH_LIBS@ $(TESTSUITE_LIBS) -lm
HOGWEED_TARGETS = rsa-keygen$(EXEEXT) rsa-sign$(EXEEXT) \
rsa-verify$(EXEEXT) rsa-encrypt$(EXEEXT) rsa-decrypt$(EXEEXT) \
diff --git a/examples/ecc-benchmark.c b/examples/ecc-benchmark.c
index 1faf6dc..16a1fd6 100644
--- a/examples/ecc-benchmark.c
+++ b/examples/ecc-benchmark.c
@@ -37,6 +37,8 @@
#include "timing.h"
+#undef USE_MINI_GMP
+#include <gmp.h>
#include "../ecc.h"
#include "../ecc-internal.h"
#include "../gmp-glue.h"
diff --git a/gmp-glue.c b/gmp-glue.c
index a2633a5..d76fdea 100644
--- a/gmp-glue.c
+++ b/gmp-glue.c
@@ -239,3 +239,4 @@ gmp_free_limbs (mp_limb_t *p, mp_size_t n)
free_func (p, (size_t) n * sizeof(mp_limb_t));
}
+
diff --git a/gmp-glue.h b/gmp-glue.h
index 269667f..f51b5b5 100644
--- a/gmp-glue.h
+++ b/gmp-glue.h
@@ -23,7 +23,7 @@
#ifndef NETTLE_GMP_GLUE_H_INCLUDED
#define NETTLE_GMP_GLUE_H_INCLUDED
-#include <gmp.h>
+#include "bignum.h"
#include "nettle-stdint.h"
diff --git a/hogweed.pc.in b/hogweed.pc.in
index 457f5f2..9a9dea0 100644
--- a/hogweed.pc.in
+++ b/hogweed.pc.in
@@ -13,6 +13,6 @@ URL: http://www.lysator.liu.se/~nisse/nettle
Version: @PACKAGE_VERSION@
Requires.private: nettle
Libs: -L${libdir} -lhogweed
-Libs.private: -lgmp
+Libs.private: @GMP_LIBS@
Cflags: -I${includedir}
diff --git a/mini-gmp.c b/mini-gmp.c
index 766df30..cf76a2a 100644
--- a/mini-gmp.c
+++ b/mini-gmp.c
@@ -1388,7 +1388,7 @@ mpz_clear (mpz_t r)
gmp_free (r->_mp_d);
}
-static void *
+void *
mpz_realloc (mpz_t r, mp_size_t size)
{
size = GMP_MAX (size, 1);
diff --git a/mini-gmp.h b/mini-gmp.h
index d8f691f..dac7d1e 100644
--- a/mini-gmp.h
+++ b/mini-gmp.h
@@ -70,6 +70,11 @@ typedef struct
mp_limb_t *_mp_d; /* Pointer to the limbs. */
} __mpz_struct;
+typedef __mpz_struct MP_INT;
+
+#define GMP_NUMB_BITS (SIZEOF_LONG*8)
+#define GMP_NUMB_MASK (~0)
+
typedef __mpz_struct mpz_t[1];
typedef __mpz_struct *mpz_ptr;
@@ -119,6 +124,10 @@ void mpz_init (mpz_t);
void mpz_init2 (mpz_t, mp_bitcnt_t);
void mpz_clear (mpz_t);
+void *
+mpz_realloc (mpz_t r, mp_size_t size);
+#define _mpz_realloc mpz_realloc
+
#define mpz_odd_p(z) (((z)->_mp_size != 0) & (int) (z)->_mp_d[0])
#define mpz_even_p(z) (! mpz_odd_p (z))
diff --git a/pkcs1.h b/pkcs1.h
index fa27225..f402688 100644
--- a/pkcs1.h
+++ b/pkcs1.h
@@ -26,7 +26,7 @@
#ifndef NETTLE_PKCS1_H_INCLUDED
#define NETTLE_PKCS1_H_INCLUDED
-#include <gmp.h>
+#include "bignum.h"
#include "nettle-types.h"
#ifdef __cplusplus
diff --git a/rsa.h b/rsa.h
index 4226f38..c293cd1 100644
--- a/rsa.h
+++ b/rsa.h
@@ -26,7 +26,7 @@
#ifndef NETTLE_RSA_H_INCLUDED
#define NETTLE_RSA_H_INCLUDED
-#include <gmp.h>
+#include "bignum.h"
#include "nettle-types.h"
#include "md5.h"
diff --git a/testsuite/Makefile.in b/testsuite/Makefile.in
index 91f6e2a..c8ab5f6 100644
--- a/testsuite/Makefile.in
+++ b/testsuite/Makefile.in
@@ -47,7 +47,7 @@ TS_HOGWEED = $(TS_HOGWEED_SOURCES:.c=$(EXEEXT))
TS_C = $(TS_NETTLE) @IF_HOGWEED@ $(TS_HOGWEED)
TS_CXX = @IF_CXX@ $(CXX_SOURCES:.cxx=$(EXEEXT))
TARGETS = $(TS_C) $(TS_CXX)
-TS_SH = sexp-conv-test pkcs1-conv-test symbols-test
+TS_SH = sexp-conv-test pkcs1-conv-test @IF_NOT_MINI_GMP@ symbols-test
TS_ALL = $(TARGETS) $(TS_SH)
EXTRA_SOURCES = sha1-huge-test.c
EXTRA_TARGETS = $(EXTRA_SOURCES:.c=$(EXEEXT))
@@ -75,7 +75,7 @@ all: $(TARGETS) $(EXTRA_TARGETS)
LIB_HOGWEED = @IF_HOGWEED@ -lhogweed
TEST_OBJS = testutils.$(OBJEXT) ../nettle-internal.$(OBJEXT) \
- $(LIB_HOGWEED) -lnettle $(LIBS)
+ $(LIB_HOGWEED) -lnettle $(LIBS) $(TESTSUITE_LIBS)
../nettle-internal.$(OBJEXT):
( cd .. && $(MAKE) nettle-internal.$(OBJEXT) )
diff --git a/testsuite/testutils.h b/testsuite/testutils.h
index 123bae2..a677a2a 100644
--- a/testsuite/testutils.h
+++ b/testsuite/testutils.h
@@ -12,11 +12,10 @@
#include <stdio.h>
#include <string.h>
-#if HAVE_LIBGMP
-# include "bignum.h"
-#endif
#if WITH_HOGWEED
+# include <gmp.h>
+# undef USE_MINI_GMP
# include "rsa.h"
# include "dsa.h"
# include "ecc-curve.h"
--
1.9.2

1241
libs/nettle/patches/0003-Include-local-macros-in-nettle.m4-to-allow-regenerat.patch Normal file
View file

File diff suppressed because it is too large Load diff

100
libs/nettle/patches/0004-Added-auto-generated-nettle-config.h.patch Normal file
View file

@ -0,0 +1,100 @@
From 7508bb15de94b38402152757f75ff3e2094fdd86 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sun, 9 Mar 2014 13:27:03 +0100
Subject: [PATCH 4/5] Added-auto-generated-nettle-config.h
---
Makefile.in | 4 ++--
bignum.h | 1 +
configure.ac | 1 +
examples/ecc-benchmark.c | 1 +
nettle-config.h.in | 6 ++++++
testsuite/testutils.h | 1 +
7 files changed, 13 insertions(+), 2 deletions(-)
create mode 100644 nettle-config.h.in
diff --git a/Makefile.in b/Makefile.in
index 42be3a9..280dd30 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -151,7 +151,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h bignum.h blowfish.h \
des.h des-compat.h dsa.h ecc-curve.h ecc.h ecdsa.h \
gcm.h gosthash94.h hmac.h \
knuth-lfib.h \
- macros.h \
+ macros.h nettle-config.h \
md2.h md4.h \
md5.h md5-compat.h \
memxor.h \
@@ -174,7 +174,7 @@ DISTFILES = $(SOURCES) $(HEADERS) getopt.h .bootstrap run-tests \
config.guess config.sub install-sh texinfo.tex \
config.h.in config.m4.in config.make.in Makefile.in \
README AUTHORS COPYING.LIB INSTALL NEWS TODO ChangeLog \
- nettle.pc.in hogweed.pc.in \
+ nettle.pc.in hogweed.pc.in nettle-config.h.in \
memxor.c $(des_headers) descore.README \
aes-internal.h camellia-internal.h serpent-internal.h \
cast128_sboxes.h desinfo.h desCode.h \
diff --git a/bignum.h b/bignum.h
index 1f2ff07..c31ccaa 100644
--- a/bignum.h
+++ b/bignum.h
@@ -26,6 +26,7 @@
#ifndef NETTLE_BIGNUM_H_INCLUDED
#define NETTLE_BIGNUM_H_INCLUDED
+#include "nettle-config.h"
#include "nettle-meta.h"
#ifdef USE_MINI_GMP
diff --git a/configure.ac b/configure.ac
index c24f954..cb65bcd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,6 +10,7 @@ AC_CONFIG_AUX_DIR([.])
AC_CONFIG_MACRO_DIR([.])
AC_CONFIG_HEADER([config.h])
+AC_CONFIG_HEADER([nettle-config.h])
LIBNETTLE_MAJOR=4
LIBNETTLE_MINOR=7
diff --git a/examples/ecc-benchmark.c b/examples/ecc-benchmark.c
index 16a1fd6..eaaf3a5 100644
--- a/examples/ecc-benchmark.c
+++ b/examples/ecc-benchmark.c
@@ -38,6 +38,7 @@
#include "timing.h"
#undef USE_MINI_GMP
+#define NETTLE_CONFIG_H_INCLUDED
#include <gmp.h>
#include "../ecc.h"
#include "../ecc-internal.h"
diff --git a/nettle-config.h.in b/nettle-config.h.in
new file mode 100644
index 0000000..11330ff
--- /dev/null
+++ b/nettle-config.h.in
@@ -0,0 +1,6 @@
+#ifndef NETTLE_CONFIG_H_INCLUDED
+#define NETTLE_CONFIG_H_INCLUDED
+
+#undef USE_MINI_GMP
+
+#endif
diff --git a/testsuite/testutils.h b/testsuite/testutils.h
index a677a2a..6e9b30c 100644
--- a/testsuite/testutils.h
+++ b/testsuite/testutils.h
@@ -15,6 +15,7 @@
#if WITH_HOGWEED
# include <gmp.h>
+# define NETTLE_CONFIG_H_INCLUDED
# undef USE_MINI_GMP
# include "rsa.h"
# include "dsa.h"
--
1.9.2

34
libs/nettle/patches/0005-allow-der-iterator-to-be-used-with-mini-gmp.patch Normal file
View file

@ -0,0 +1,34 @@
From d71b3138cbdc3852c96a2639995f2d7f44b1c76c Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Sat, 29 Mar 2014 09:12:41 +0100
Subject: [PATCH 5/5] allow der-iterator to be used with mini-gmp
---
der-iterator.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/der-iterator.c b/der-iterator.c
index 2e6efd5..5ab15b9 100644
--- a/der-iterator.c
+++ b/der-iterator.c
@@ -30,7 +30,7 @@
#include <assert.h>
#include <stdlib.h>
-#if HAVE_LIBGMP
+#if defined(HAVE_LIBGMP) || defined(USE_MINI_GMP)
#include "bignum.h"
#endif
@@ -246,7 +246,7 @@ asn1_der_get_uint32(struct asn1_der_iterator *i,
return 1;
}
-#if HAVE_LIBGMP
+#if defined(HAVE_LIBGMP) || defined(USE_MINI_GMP)
int
asn1_der_get_bignum(struct asn1_der_iterator *i,
mpz_t x, unsigned max_bits)
--
1.9.2

14
net/ocserv/Config.in Normal file
View file

@ -0,0 +1,14 @@
# ocserv avanced configuration
menu "Configuration"
depends on PACKAGE_ocserv
config OCSERV_PAM
bool "enable PAM"
default n
config OCSERV_PROTOBUF
bool "use external libprotobuf"
default n
endmenu

77
net/ocserv/Makefile Normal file
View file

@ -0,0 +1,77 @@
#
# Copyright (C) 2007-2011 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=ocserv
PKG_VERSION:=0.8.0
PKG_RELEASE:=2
PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/
PKG_MD5SUM:=6383535a21f8eecfb1bbb7f7ac99c41f
PKG_LICENSE:=GPLv3
PKG_LICENSE_FILES:=COPYING
PKG_FIXUP:=autoreconf
include $(INCLUDE_DIR)/package.mk
define Package/ocserv/config
source "$(SOURCE)/Config.in"
endef
define Package/ocserv
SECTION:=net
CATEGORY:=Network
SUBMENU:=VPN
TITLE:=OpenConnect VPN server
URL:=http://www.infradead.org/ocserv/
MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
DEPENDS:= +libgnutls +libncurses +libreadline +OCSERV_PAM:libpam +OCSERV_PROTOBUF:libprotobuf-c
endef
define Package/ocserv/description
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be
a secure, small, fast and configurable VPN server. It implements the
OpenConnect SSL VPN protocol, and has also (currently experimental)
compatibility with clients using the AnyConnect SSL VPN protocol. The
OpenConnect VPN protocol uses the standard IETF security protocols such
as TLS 1.2, and Datagram TLS to provide the secure VPN service.
endef
EXTRA_CPPFLAGS+=-I$(STAGING_DIR)/usr/include/readline/
EXTRA_LDFLAGS+=-lncurses
CONFIGURE_ARGS+= \
--enable-local-libopts \
--with-libreadline-prefix="$(STAGING_DIR)/" \
ifneq ($(CONFIG_OCSERV_PAM),y)
CONFIGURE_ARGS += --without-pam
endif
ifneq ($(CONFIG_OCSERV_PROTOBUF),y)
CONFIGURE_ARGS += --without-protobuf
endif
define Package/ocserv/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocserv $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocpasswd $(1)/usr/bin/
$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/ocserv.init $(1)/etc/init.d/ocserv
$(INSTALL_DIR) $(1)/etc/ocserv
$(INSTALL_CONF) ./files/ocserv.conf.template $(1)/etc/ocserv/ocserv.conf.template
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/config $(1)/etc/config/ocserv
endef
$(eval $(call BuildPackage,ocserv))

17
net/ocserv/files/config Normal file
View file

@ -0,0 +1,17 @@
config ocserv 'config'
option port '4443'
option dpd '180'
option max_clients '8'
option max_same '2'
option enable '0'
option zone 'lan'
config ocservusers
config dns
option ip '8.8.8.8'
config routes
option ip '192.168.1.0'
option netmask '255.255.255.0'

11
net/ocserv/files/ocserv-script Executable file
View file

@ -0,0 +1,11 @@
#!/bin/sh
ZONE=`uci get ocserv.config.ZONE`
if [ "$REASON" = "connect" ];then
env -i ACTION=ifup INTERFACE="$ZONE" DEVICE=$DEVICE /sbin/hotplug-call "iface"
else
env -i ACTION=ifdown INTERFACE="$ZONE" DEVICE=$DEVICE /sbin/hotplug-call "iface"
fi
exit 0

339
net/ocserv/files/ocserv.conf.template Normal file
View file

@ -0,0 +1,339 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
#auth = "certificate"
#auth = "pam"
# The gid-min option is used by auto-select-group option, in order to
# select the minimum group ID.
#auth = "pam[gid-min=1000]"
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
# One entry must be listed per line, and 'ocpasswd' can be used
# to generate password entries.
auth = "|AUTH|"
# A banner to be displayed on clients
banner = "Welcome to OpenWRT"
# Use listen-host to limit to specific IPs or to the IPs of a provided
# hostname.
#listen-host = [IP|HOSTNAME]
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = |MAX_CLIENTS|
# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting
# multiple times). Unset or set to zero for unlimited.
max-same-clients = |MAX_SAME|
# TCP and UDP port number
tcp-port = |PORT|
|UDP|udp-port = |PORT|
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds.
dpd = |DPD|
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
#mobile-dpd = 1800
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /etc/ocserv/ca.pem
# The object identifier that will be used to read the user ID in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the
# client certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are:
# OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
#crl = /etc/ocserv/crl.pem
# GnuTLS priority string
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 1200
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie timeout (in seconds)
# which he can reconnect. That cookie will be invalided if not
# used within this timeout value. On a user disconnection, that
# cookie will also be active for this time amount prior to be
# invalid. That should allow a reasonable amount of time for roaming
# between different networks.
cookie-timeout = 300
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
# ssl: Will perform an efficient rehandshake on the channel allowing
# a seamless connection during rekey.
# new-tunnel: Will instruct the client to discard and re-establish the channel.
# Use this option only if the connecting clients have issues with the ssl
# option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
connect-script = /usr/bin/ocserv-script
disconnect-script = /usr/bin/ocserv-script
# UTMP
use-utmp = false
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
occtl-socket-file = /var/run/occtl.socket
# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv.pid
# The default server directory. Does not require any devices present.
chroot-dir = /var/lib/ocserv
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
#socket-file = /var/run/ocserv-socket
socket-file = ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = ocserv
run-as-group = ocserv
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name of the tun device
device = vpns
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = |PREDICTABLE_IPS|
# The default domain to be advertised
default-domain = example.com
# The pool of addresses that leases will be given from.
ipv4-network = |IPV4ADDR|
ipv4-netmask = |NETMASK|
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
#dns = 192.168.1.2
# The NBNS server (if any)
#nbns = 192.168.1.3
# The IPv6 subnet that leases will be given from.
|ENABLE_IPV6|ipv6-network = |IPV6ADDR|
|ENABLE_IPV6|ipv6-prefix = |IPV6PREFIX|
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Unset to assign the default MTU of the device
# mtu =
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server.
#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fef4:db8:1000:1001::/64
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
# net-priority and cgroup.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
#select-group = group1
#select-group = group2[My group 2]
#select-group = tost[The tost group]
# The name of the group that if selected it would allow to use
# the assigned by default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list. That
# option is only functional on plain authentication.
#auto-select-group = true
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask and %{D} with the (tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/24
#route-add-cmd = "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev %{D}"
# This option allows to forward a proxy. The special strings '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/%{G}/hello
#
# The following options are for (experimental) AnyConnect client
# compatibility.
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# It is not used by the openconnect client.
#user-profile = profile.xml
# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment.
#binary-files = /path/to/binaries
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be
# set for them.
cisco-client-compat = |CISCO_COMPAT|
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
#custom-header = "X-My-Header: hi there"

187
net/ocserv/files/ocserv.init Normal file
View file

@ -0,0 +1,187 @@
#!/bin/sh /etc/rc.common
SERVICE_USE_PID=1
START=50
setup_firewall() {
local port fw
config_get port $1 port
test -z "$port" && return
config_get fwport $1 "fwport"
test "$fwport" = "$port" && return
#can we remove the old rule?
uci add firewall rule
uci set firewall.@rule[-1].src=wan
uci set firewall.@rule[-1].target=ACCEPT
uci set firewall.@rule[-1].proto=tcpudp
uci set firewall.@rule[-1].dest_port=$port
uci commit firewall
/etc/init.d/firewall restart
uci set ocserv.config.fwport="$port"
uci commit ocserv
}
clear_firewall() {
iptables-save | grep -v ocserv-rule | iptables-restore
}
setup_config() {
config_get port $1 port "4443"
config_get max_clients $1 max_clients "8"
config_get max_same $1 max_same "2"
config_get dpd $1 dpd "120"
config_get predictable_ips $1 predictable_ips "1"
config_get udp $1 udp "1"
config_get auth $1 auth "plain"
config_get cisco_compat $1 cisco_compat "1"
config_get ipaddr $1 ipaddr "192.168.100.0"
config_get netmask $1 netmask "255.255.255.0"
config_get ip6addr $1 ip6addr ""
test $predictable_ips = "0" && predictable_ips="false"
test $predictable_ips = "1" && predictable_ips="true"
test $cisco_compat = "0" && cisco_compat="false"
test $cisco_compat = "1" && cisco_compat="true"
test $udp = "0" && udp="#"
test $udp = "1" && udp=""
test -z $ip6addr && enable_ipv6="#"
ipv6_addr=`echo $ip6addr|cut -d '/' -f 1`
ipv6_prefix=`echo $ip6addr|cut -d '/' -f 2`
test $auth = "plain" && authsuffix="[/var/etc/ocpasswd]"
mkdir -p /var/etc
sed -e "s/|PORT|/$port/g" \
-e "s/|MAX_CLIENTS|/$max_clients/g" \
-e "s/|MAX_SAME|/$max_same/g" \
-e "s/|DPD|/$dpd/g" \
-e "s/|AUTH|/$auth$authsuffix/g" \
-e "s/|PREDICTABLE_IPS|/$predictable_ips/g" \
-e "s/|CISCO_COMPAT|/$cisco_compat/g" \
-e "s/|UDP|/$udp/g" \
-e "s/|IPV4ADDR|/$ipaddr/g" \
-e "s/|NETMASK|/$netmask/g" \
-e "s/|IPV6ADDR|/$ipv6_addr/g" \
-e "s/|IPV6PREFIX|/$ipv6_prefix/g" \
-e "s/|ENABLE_IPV6|/$enable_ipv6/g" \
/etc/ocserv/ocserv.conf.template > /var/etc/ocserv.conf
}
setup_users() {
local name
local password
config_get name $1 name
config_get password $1 password
[ -z "$name" -o -z "$password" ] && return
echo "$password"|ocpasswd -c /var/etc/ocpasswd "$name"
}
setup_routes() {
local routes
config_get ip $1 ip
config_get netmask $1 netmask
[ -z "$ip" -o -z "$netmask" ] && return
echo "route = $ip/$netmask" >> /var/etc/ocserv.conf
}
setup_dns() {
local routes
config_get ip $1 ip
[ -z "$ip" ] && return
echo "dns = $ip" >> /var/etc/ocserv.conf
}
start() {
local hostname iface
user_exists ocserv 72 || user_add ocserv 72 72 /var/lib/ocserv
group_exists ocserv 72 || group_add ocserv 72
hostname=`uci get ddns.myddns.domain`
[ -z "$hostname" ] && hostname=`uci get system.@system[0].hostname`
[ ! -f /etc/ocserv/ca-key.pem ] && [ -x /usr/bin/certtool ] && {
echo "Generating CA certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/ca-key.pem >/dev/null 2>&1
echo "cn=$hostname CA" >/etc/ocserv/pki/ca.tmpl
echo "expiration_days=-1" >>/etc/ocserv/pki/ca.tmpl
echo "serial=1" >>/etc/ocserv/pki/ca.tmpl
echo "ca" >>/etc/ocserv/pki/ca.tmpl
echo "cert_signing_key" >>/etc/ocserv/pki/ca.tmpl
certtool --template /etc/ocserv/pki/ca.tmpl \
--generate-self-signed --load-privkey /etc/ocserv/ca-key.pem \
--outfile /etc/ocserv/ca.pem >/dev/null 2>&1
}
#generate server certificate/key
[ ! -f /etc/ocserv/server-key.pem ] && [ -x /usr/bin/certtool ] && {
echo "Generating server certificate..."
mkdir -p /etc/ocserv/pki/
certtool --bits 2048 --generate-privkey --outfile /etc/ocserv/server-key.pem >/dev/null 2>&1
echo "cn=$hostname" >/etc/ocserv/pki/server.tmpl
echo "serial=2" >>/etc/ocserv/pki/server.tmpl
echo "expiration_days=-1" >>/etc/ocserv/pki/server.tmpl
echo "signing_key" >>/etc/ocserv/pki/server.tmpl
echo "encryption_key" >>/etc/ocserv/pki/server.tmpl
certtool --template /etc/ocserv/pki/server.tmpl \
--generate-certificate --load-privkey /etc/ocserv/server-key.pem \
--load-ca-certificate /etc/ocserv/ca.pem --load-ca-privkey \
/etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem >/dev/null 2>&1
}
[ -f /var/run/ocserv.pid ] || {
touch /var/run/ocserv.pid
chown ocserv:ocserv /var/run/ocserv.pid
}
[ -d /var/lib/ocserv ] || {
mkdir -m 0755 -p /var/lib/ocserv
chmod 0700 /var/lib/ocserv
chown ocserv:ocserv /var/lib/ocserv
}
config_load "ocserv"
rm -f /var/etc/ocserv.conf
touch /var/etc/ocserv.conf
setup_config config
config_foreach setup_routes routes
config_foreach setup_dns dns
rm -f /var/etc/ocpasswd
touch /var/etc/ocpasswd
config_foreach setup_users ocservusers
setup_firewall config
service_start /usr/sbin/ocserv -c /var/etc/ocserv.conf
}
stop() {
service_stop /usr/sbin/ocserv
clear_firewall
}
reload() {
/usr/bin/occtl show status >/dev/null 2>&1
if test $? != 0;then
start
else
/usr/bin/occtl reload
fi
}

70
net/ocserv/patches/0001-native-endianess.patch Normal file
View file

@ -0,0 +1,70 @@
diff --git a/src/main-ctl-unix.c b/src/main-ctl-unix.c
index b4da5eb..90d604f 100644
--- a/src/main-ctl-unix.c
+++ b/src/main-ctl-unix.c
@@ -629,7 +629,7 @@ static void ctl_handle_commands(main_server_st * s)
}
goto cleanup;
}
- length = (buffer[2] << 8) | buffer[1];
+ memcpy(&length, &buffer[1], 2);
buffer_size = ret - 3;
if (length != buffer_size) {
diff --git a/src/occtl-unix.c b/src/occtl-unix.c
index 183825d..0c1b3e1 100644
--- a/src/occtl-unix.c
+++ b/src/occtl-unix.c
@@ -83,15 +83,14 @@ int send_cmd(struct unix_ctx *ctx, unsigned cmd, const void *data,
struct iovec iov[2];
unsigned iov_len = 1;
int e, ret;
- unsigned length = 0;
+ uint16_t length = 0;
void *packed = NULL;
if (get_size)
length = get_size(data);
header[0] = cmd;
- header[1] = length;
- header[2] = length >> 8;
+ memcpy(&header[1], &length, 2);
iov[0].iov_base = header;
iov[0].iov_len = 3;
@@ -145,7 +144,7 @@ int send_cmd(struct unix_ctx *ctx, unsigned cmd, const void *data,
goto fail;
}
- length = (header[2] << 8) | header[1];
+ memcpy(&length, &header[1], 2);
rep->data_size = length;
rep->data = talloc_size(ctx, length);
diff --git a/src/sec-mod.c b/src/sec-mod.c
index 15ee32a..c3d4bad 100644
--- a/src/sec-mod.c
+++ b/src/sec-mod.c
@@ -354,6 +354,7 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
unsigned cmd, length;
unsigned i, buffer_size;
uint8_t *buffer, *tpool;
+ uint16_t l16;
struct pin_st pins;
int sd;
sec_mod_st *sec;
@@ -538,10 +539,11 @@ void sec_mod_server(void *main_pool, struct cfg_st *config, const char *socket_f
}
cmd = buffer[0];
- length = buffer[1] | buffer[2] << 8;
+ memcpy(&l16, &buffer[1], 2);
+ length = l16;
if (length > buffer_size - 4) {
- seclog(LOG_INFO, "too big message");
+ seclog(LOG_INFO, "too big message (%d)", length);
goto cont;
}

18
net/openconnect/Config.in Normal file
View file

@ -0,0 +1,18 @@
# openconnect avanced configuration
menu "Configuration"
depends on PACKAGE_openconnect
choice
prompt "SSL library"
default OPENCONNECT_GNUTLS
config OPENCONNECT_GNUTLS
bool "GnuTLS support"
config OPENCONNECT_OPENSSL
bool "OpenSSL"
endchoice
endmenu

58
net/openconnect/Makefile Normal file
View file

@ -0,0 +1,58 @@
#
# Copyright (C) 2006 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=openconnect
PKG_VERSION:=5.03
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/openconnect/
PKG_MD5SUM:=ff43ed1dbaccd2537fd7c5bfb04295a6
include $(INCLUDE_DIR)/package.mk
define Package/openconnect/config
source "$(SOURCE)/Config.in"
endef
define Package/openconnect
SECTION:=net
CATEGORY:=Network
DEPENDS:=+libxml2 +kmod-tun +resolveip +OPENCONNECT_OPENSSL:libopenssl +OPENCONNECT_GNUTLS:libgnutls
TITLE:=VPN client for Cisco's AnyConnect SSL VPN
URL:=http://www.infradead.org/openconnect/
SUBMENU:=VPN
endef
define Package/openconnect/description
A VPN client compatible with Cisco's AnyConnect SSL VPN and ocserv.
OpenConnect is a client for Cisco's AnyConnect SSL VPN, which is
supported by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800,
3800, 7200 Series and Cisco 7301 Routers.
endef
CONFIGURE_ARGS += \
--disable-shared \
--with-vpnc-script=/lib/netifd/vpnc-script
ifeq ($(CONFIG_OPENCONNECT_OPENSSL),y)
CONFIGURE_ARGS += \
--without-gnutls
endif
define Package/openconnect/install
$(INSTALL_DIR) $(1)/lib/netifd/proto
$(INSTALL_BIN) ./files/openconnect.sh $(1)/lib/netifd/proto/
$(INSTALL_BIN) ./files/vpnc-script $(1)/lib/netifd/
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/openconnect $(1)/usr/sbin/
endef
$(eval $(call BuildPackage,openconnect))

56
net/openconnect/files/openconnect.sh Executable file
View file

@ -0,0 +1,56 @@
#!/bin/sh
. /lib/functions.sh
. ../netifd-proto.sh
init_proto "$@"
proto_openconnect_init_config() {
proto_config_add_string "server"
proto_config_add_int "port"
proto_config_add_string "username"
proto_config_add_string "cookie"
proto_config_add_string "password"
no_device=1
available=1
}
proto_openconnect_setup() {
local config="$1"
json_get_vars server port username cookie password
grep -q tun /proc/modules || insmod tun
serv_addr=
for ip in $(resolveip -t 5 "$server"); do
proto_add_host_dependency "$config" "$server"
serv_addr=1
done
[ -n "$serv_addr" ] || {
echo "Could not resolve server address"
sleep 5
proto_setup_failed "$config"
exit 1
}
[ -n "$port" ] && port=":$port"
cmdline="$server$port -i vpn-$config --no-cert-check --non-inter --syslog --script /lib/netifd/vpnc-script"
[ -n "$cookie" ] && append cmdline "-C $cookie"
[ -n "$username" ] && append cmdline "-u $username"
[ -n "$password" ] && {
umask 077
pwfile="/var/run/openconnect-$config.passwd"
echo "$password" > "$pwfile"
append cmdline "--passwd-on-stdin"
}
proto_export INTERFACE="$config"
proto_run_command "$config" /usr/sbin/openconnect $cmdline <$pwfile
}
proto_openconnect_teardown() {
proto_kill_command "$config"
}
add_protocol openconnect

156
net/openconnect/files/vpnc-script Executable file
View file

@ -0,0 +1,156 @@
#!/bin/sh
# List of parameters passed through environment
#* reason -- why this script was called, one of: pre-init connect disconnect
#* VPNGATEWAY -- vpn gateway address (always present)
#* TUNDEV -- tunnel device (always present)
#* INTERNAL_IP4_ADDRESS -- address (always present)
#* INTERNAL_IP4_MTU -- mtu (often unset)
#* INTERNAL_IP4_NETMASK -- netmask (often unset)
#* INTERNAL_IP4_NETMASKLEN -- netmask length (often unset)
#* INTERNAL_IP4_NETADDR -- address of network (only present if netmask is set)
#* INTERNAL_IP4_DNS -- list of dns servers
#* INTERNAL_IP4_NBNS -- list of wins servers
#* INTERNAL_IP6_ADDRESS -- IPv6 address
#* INTERNAL_IP6_NETMASK -- IPv6 netmask
#* INTERNAL_IP6_DNS -- IPv6 list of dns servers
#* CISCO_DEF_DOMAIN -- default domain name
#* CISCO_BANNER -- banner from server
#* CISCO_SPLIT_INC -- number of networks in split-network-list
#* CISCO_SPLIT_INC_%d_ADDR -- network address
#* CISCO_SPLIT_INC_%d_MASK -- subnet mask (for example: 255.255.255.0)
#* CISCO_SPLIT_INC_%d_MASKLEN -- subnet masklen (for example: 24)
#* CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0)
#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0)
#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0)
#* CISCO_IPV6_SPLIT_INC -- number of networks in IPv6 split-network-list
#* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address
#* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen
# FIXMEs:
# Section A: route handling
# 1) The 3 values CISCO_SPLIT_INC_%d_PROTOCOL/SPORT/DPORT are currently being ignored
# In order to use them, we'll probably need os specific solutions
# * Linux: iptables -t mangle -I PREROUTING <conditions> -j ROUTE --oif $TUNDEV
# This would be an *alternative* to changing the routes (and thus 2) and 3)
# shouldn't be relevant at all)
# 2) There are two different functions to set routes: generic routes and the
# default route. Why isn't the defaultroute handled via the generic route case?
# 3) In the split tunnel case, all routes but the default route might get replaced
# without getting restored later. We should explicitely check and save them just
# like the defaultroute
# 4) Replies to a dhcp-server should never be sent into the tunnel
# Section B: Split DNS handling
# 1) Maybe dnsmasq can do something like that
# 2) Parse dns packets going out via tunnel and redirect them to original dns-server
do_connect() {
if [ -n "$CISCO_BANNER" ]; then
echo "Connect Banner:"
echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; done
echo
fi
proto_init_update "$TUNDEV" 1
if [ -n "$INTERNAL_IP4_MTU" ]; then
MTU=$INTERNAL_IP4_MTU
fi
if [ -z "$MTU" ]; then
MTU=1412
fi
proto_add_ipv4_address "$INTERNAL_IP4_ADDRESS" 32 "" "$INTERNAL_IP4_ADDRESS"
if [ -n "$INTERNAL_IP4_NETMASKLEN" ]; then
proto_add_ipv4_route "$INTERNAL_IP4_NETADDR" "$INTERNAL_IP4_NETMASKLEN"
fi
# If the netmask is provided, it contains the address _and_ netmask
if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then
INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128"
fi
if [ -n "$INTERNAL_IP6_NETMASK" ]; then
addr="${INTERNAL_IP6_NETMASK%%/*}"
mask="${INTERNAL_IP6_NETMASK##*/}"
[[ "$addr" != "$mask" ]] && proto_add_ipv6_address "$addr" "$mask"
fi
[ -n "$INTERNAL_IP4_DNS" ] && proto_add_dns_server "$INTERNAL_IP4_DNS"
[ -n "$CISCO_DEF_DOMAIN" ] && proto_add_dns_search "$CISCO_DEF_DOMAIN"
if [ -n "$CISCO_SPLIT_INC" ]; then
i=0
while [ $i -lt $CISCO_SPLIT_INC ] ; do
eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}"
eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}"
eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}"
if [ $NETWORK != "0.0.0.0" ]; then
proto_add_ipv4_route "$NETWORK" "$NETMASKLEN"
else
proto_add_ipv4_route "0.0.0.0" 0
fi
i=$(($i + 1))
done
elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
proto_add_ipv4_route "0.0.0.0" 0
fi
if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
i=0
while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
if [ $NETMASKLEN -lt 128 ]; then
proto_add_ipv6_route "$NETWORK" "$NETMASKLEN"
else
proto_add_ipv6_route "::0" 0
fi
i=$(($i + 1))
done
elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
proto_add_ipv6_route "::0" 0
fi
proto_send_update "$INTERFACE"
}
do_disconnect() {
proto_init_update "$TUNDEV" 0
proto_send_update "$INTERFACE"
}
#### Main
if [ -z "$reason" ]; then
echo "this script must be called from vpnc" 1>&2
exit 1
fi
if [ -z "$INTERFACE" ]; then
echo "this script must be called for an active interface"
exit 1
fi
. /lib/netifd/netifd-proto.sh
case "$reason" in
pre-init)
;;
connect)
do_connect
;;
disconnect)
do_disconnect
;;
reconnect)
;;
*)
echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
exit 1
;;
esac
exit 0

74
utils/cryptodev-linux/Makefile Normal file
View file

@ -0,0 +1,74 @@
#
# Copyright (C) 2014 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
# $Id$
include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=cryptodev-linux
PKG_VERSION:=1.6
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://download.gna.org/cryptodev-linux/
PKG_MD5SUM:=eade38998313c25fd7934719cdf8a2ea
PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
include $(INCLUDE_DIR)/package.mk
CRYPTODEV_AUTOLOAD:= \
cryptodev
define KernelPackage/cryptodev
SUBMENU:=Cryptographic API modules
DEFAULT:=m if ALL
TITLE:=Driver for cryptographic acceleration
URL:=http://cryptodev-linux.org/
VERSION:=$(LINUX_VERSION)+$(PKG_VERSION)-$(BOARD)-$(PKG_RELEASE)
DEPENDS:=+kmod-crypto-core +kmod-crypto-authenc +kmod-crypto-hash
FILES:= \
$(PKG_BUILD_DIR)/cryptodev.$(LINUX_KMOD_SUFFIX)
AUTOLOAD:=$(call AutoLoad,50,$(CRYPTODEV_AUTOLOAD))
endef
define KernelPackage/cryptodev/description
This is a driver for that allows to use the Linux kernel supported
hardware ciphers by user-space applications.
endef
CRYPTODEV_MAKEOPTS= -C $(PKG_BUILD_DIR) \
PATH="$(TARGET_PATH)" \
ARCH="$(LINUX_KARCH)" \
CROSS_COMPILE="$(TARGET_CROSS)" \
TOOLPREFIX="$(KERNEL_CROSS)" \
TOOLPATH="$(KERNEL_CROSS)" \
KERNEL_DIR="$(LINUX_DIR)" \
LDOPTS=" " \
DOMULTI=1
define Build/Compile/cryptodev
$(MAKE) $(CRYPTODEV_MAKEOPTS)
endef
define Build/Compile
$(call Build/Compile/cryptodev)
endef
define Build/InstallDev
$(INSTALL_DIR) $(STAGING_DIR)/usr/include/crypto
$(CP) $(PKG_BUILD_DIR)/crypto/cryptodev.h $(STAGING_DIR)/usr/include/crypto/
endef
define KernelPackage/cryptodev/install
$(INSTALL_DIR) $(1)/etc/modules.d
$(INSTALL_DATA) ./files/cryptodev.modules $(1)/etc/modules.d/80-cryptodev
$(INSTALL_DIR) $(1)/lib/modules/$(LINUX_VERSION)
$(INSTALL_DIR) $(1)/usr/sbin
endef
$(eval $(call KernelPackage,cryptodev))

1
utils/cryptodev-linux/files/cryptodev.modules Normal file
View file

@ -0,0 +1 @@
cryptodev