bool "Enable LZ4 compression support"
default y
-config OPENVPN_mbedtls_ENABLE_SERVER
- bool "Enable server support (otherwise only client mode is support)"
- default y
-
#config OPENVPN_mbedtls_ENABLE_EUREPHIA
# bool "Enable support for the eurephia plug-in"
# default n
+++ /dev/null
-if PACKAGE_openvpn-nossl
-
-config OPENVPN_nossl_ENABLE_LZO
- bool "Enable LZO compression support"
- default y
-
-config OPENVPN_nossl_ENABLE_LZ4
- bool "Enable LZ4 compression support"
- default y
-
-config OPENVPN_nossl_ENABLE_SERVER
- bool "Enable server support (otherwise only client mode is support)"
- default y
-
-config OPENVPN_nossl_ENABLE_MANAGEMENT
- bool "Enable management server support"
- default n
-
-config OPENVPN_nossl_ENABLE_FRAGMENT
- bool "Enable internal fragmentation support (--fragment)"
- default y
-
-config OPENVPN_nossl_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
-config OPENVPN_nossl_ENABLE_PORT_SHARE
- bool "Enable TCP server port-share support (--port-share)"
- default y
-
-config OPENVPN_nossl_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_nossl_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
-config OPENVPN_nossl_ENABLE_IPROUTE2
- bool "Enable support for iproute2"
- default n
-
-config OPENVPN_nossl_ENABLE_SMALL
- bool "Enable size optimization"
- default y
- help
- enable smaller executable size (disable OCC, usage
- message, and verb 4 parm list)
-
-endif
bool "Enable the --x509-username-field feature"
default n
-config OPENVPN_openssl_ENABLE_SERVER
- bool "Enable server support (otherwise only client mode is support)"
- default y
-
#config OPENVPN_openssl_ENABLE_EUREPHIA
# bool "Enable support for the eurephia plug-in"
# default n
PKG_NAME:=openvpn
-PKG_VERSION:=2.4.9
-PKG_RELEASE:=5
+PKG_VERSION:=2.5.0
+PKG_RELEASE:=1
PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
+PKG_HASH:=029a426e44d656cb4e1189319c95fe6fc9864247724f5599d99df9c4c3478fbd
PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
MENU:=1
DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
VARIANT:=$(1)
-ifeq ($(1),nossl)
- PROVIDES:=openvpn
-else
PROVIDES:=openvpn openvpn-crypto
-endif
endef
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
-Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
define Package/openvpn/config/Default
source "$(SOURCE)/Config-$(1).in"
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
-Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
ifeq ($(BUILD_VARIANT),mbedtls)
CONFIG_OPENVPN_MBEDTLS:=y
ifeq ($(BUILD_VARIANT),openssl)
CONFIG_OPENVPN_OPENSSL:=y
endif
-ifeq ($(BUILD_VARIANT),nossl)
-CONFIG_OPENVPN_NOSSL:=y
-endif
CONFIGURE_VARS += \
- IFCONFIG=/sbin/ifconfig \
- ROUTE=/sbin/route \
IPROUTE=/sbin/ip \
NETSTAT=/sbin/netstat
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
- $(if $(CONFIG_OPENVPN_NOSSL),--disable-crypto,--enable-crypto) \
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
)
$(eval $(call BuildPackage,openvpn-openssl))
$(eval $(call BuildPackage,openvpn-mbedtls))
-$(eval $(call BuildPackage,openvpn-nossl))
# on the system
# option tls_version_min "1.2 'or-highest'"
+ # List the preferred ciphers to use for the data channel.
+ # Run openvpn --show-ciphers to see all supported ciphers.
+# list data_ciphers 'AES-256-GCM'
+# list data_ciphers 'AES-128-GCM'
+# list data_ciphers 'CHACHA20-POLY1305'
+
+ # Set a fallback cipher in order to be compatible with
+ # peers that do not support cipher negotiation.
+ #
+ # Use AES-256-CBC as fallback
+# option data_ciphers_fallback 'AES-128-CBC'
+ # Use AES-128-CBC as fallback
+# option data_ciphers_fallback 'AES-256-CBC'
+ # Use Triple-DES as fallback
+# option data_ciphers_fallback 'DES-EDE3-CBC'
+ # Use BF-CBC as fallback
+# option data_ciphers_fallback 'BF-CBC'
+
# OpenVPN versions 2.4 and later will attempt to
# automatically negotiate the most secure cipher
# between the client and server, regardless of a
# cipher option instead (not recommended).
# option ncp_disable
- # Select a cryptographic cipher.
- # This config item must be copied to
- # the client config file as well.
- #
- # To see all supported ciphers, run:
- # openvpn --show-ciphers
- #
- # Blowfish (default for backwards compatibility,
- # but not recommended due to weaknesses):
-# option cipher BF-CBC
- # AES:
-# option cipher AES-128-CBC
- # Triple-DES:
-# option cipher DES-EDE3-CBC
-
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# LZO is compatible with most OpenVPN versions
# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
# option compress lzo
+ # Control how OpenVPN handles peers using compression
+ #
+ # Do not allow any connections using compression
+# option allow_compression 'no'
+ # Allow incoming compressed packets, but do not send compressed packets to other peers
+ # This can be useful when migrating old configurations with compression activated
+# option allow_compression 'asym'
+ # Both incoming and outgoing packets may be compressed
+# option allow_compression 'yes'
# The maximum number of concurrently connected
# clients we want to allow.
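Review bot: The label/value pairs for data_ciphers_fallback in the new server example are swapped: `# Use AES-256-CBC as fallback` sits above `option data_ciphers_fallback 'AES-128-CBC'` and `# Use AES-128-CBC as fallback` above `'AES-256-CBC'`, so someone uncommenting the labelled line gets the other key length; swap the two values so each comment matches its option. The removed text carried the warning that Blowfish is "not recommended due to weaknesses", but the new fallback list offers BF-CBC and DES-EDE3-CBC with no caveat at all; both are 64-bit block ciphers, so a line such as `# BF-CBC and DES-EDE3-CBC are weak 64-bit block ciphers; only use them for legacy peers that cannot negotiate a cipher` should be carried over next to those two examples. Presumably the fallback is only consulted for peers without cipher negotiation, so stating that the AEAD list above is what negotiating peers actually use would also help readers who copy the whole section.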
# on the system
# option tls_version_min "1.2 'or-highest'"
- # Select a cryptographic cipher.
- # If the cipher option is used on the server
- # then you must also specify it here.
-# option cipher x
+ # List the preferred ciphers for the data channel.
+# list data_ciphers 'AES-256-GCM'
+# list data_ciphers 'AES-128-GCM'
+# list data_ciphers 'CHACHA20-POLY1305'
+
+ # Set a fallback cipher if you connect to a peer that does
+ # not support cipher negotiation.
+ # Use AES-256-CBC as fallback
+# option data_ciphers_fallback 'AES-128-CBC'
+ # Use AES-128-CBC as fallback
+# option data_ciphers_fallback 'AES-256-CBC'
+ # Use Triple-DES as fallback
+# option data_ciphers_fallback 'DES-EDE3-CBC'
+ # Use BF-CBC as fallback
+# option data_ciphers_fallback 'BF-CBC'
# Enable compression on the VPN link.
# Don't enable this unless it is also
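Review bot: The client example has the same label/value swap: `# Use AES-256-CBC as fallback` precedes `option data_ciphers_fallback 'AES-128-CBC'` and `# Use AES-128-CBC as fallback` precedes `'AES-256-CBC'`; swap the values so each comment names the cipher on the line below it. The removed note that a cipher set on the server "must also specify it here" has no replacement in the new text, so add `# Must match the server's data_ciphers_fallback (or its legacy cipher setting)` above the fallback examples; otherwise a client copying only the data_ciphers list will not know why a connection to a non-negotiating server fails. As on the server side, BF-CBC and DES-EDE3-CBC are offered without the weakness warning the old text had for Blowfish, and that caveat should be restored.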
OPENVPN_PARAMS='
+allow_compression
askpass
auth
auth_retry
auth_user_pass
auth_user_pass_verify
bcast_buffers
+bind_dev
ca
capath
cd
connect_retry_max
connect_timeout
crl_verify
+data_ciphers_fallback
dev
dev_node
dev_type
keepalive
key
key_direction
-key_method
keysize
learn_address
link_mtu
mtu_disc
mute
nice
-ns_cert_type
ping
ping_exit
ping_restart
tcp_queue_limit
tls_auth
tls_crypt
+tls_crypt_v2
+tls_crypt_v2_verify
+tls_export_cert
tls_timeout
tls_verify
tls_version_min
verb
verify_client_cert
verify_x509_name
+vlan_accept
+vlan_pvid
x509_username_field
'
auth_nocache
auth_user_pass_optional
bind
+block_ipv6
ccd_exclusive
client
client_to_client
up_delay
up_restart
username_as_common_name
+vlan_tagging
'
OPENVPN_LIST='
+data_ciphers
ncp_ciphers
tls_cipher
tls_ciphersuites
+tls_groups
'
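Review bot: `ncp_ciphers` stays in OPENVPN_LIST next to the new `data_ciphers` entry; in 2.5.0 `--ncp-ciphers` survives only as a deprecated alias of `--data-ciphers`, so a UCI section that sets both emits two options for the same setting and presumably the one openvpn parses last wins silently. Keeping the alias is the right call for existing configs, but since a `#` inside the single-quoted list would itself become a list entry, document it on the line above the assignment, e.g. `# ncp_ciphers is the deprecated 2.4 spelling of data_ciphers; kept for old configs`. The `'` closing the list may not be the end of the hunk, so the trailing context is not visible here.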
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
-@@ -106,7 +106,6 @@ const char title_string[] =
- #ifdef HAVE_AEAD_CIPHER_MODES
- " [AEAD]"
+@@ -105,7 +105,6 @@ const char title_string[] =
+ #endif
#endif
+ " [AEAD]"
- " built on " __DATE__
;
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
-@@ -1415,7 +1415,7 @@ const char *
+@@ -1520,7 +1520,7 @@ const char *
get_ssl_library_version(void)
{
static char mbedtls_version[30];
+++ /dev/null
-From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan@karger.me>
-Date: Sun, 26 Nov 2017 16:04:00 +0100
-Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
-
-Compiling our current master against OpenSSL 1.1 with
--DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
-the errors about the deprecated SSLEAY/SSLeay symbols and defines.
-
-Signed-off-by: Steffan Karger <steffan@karger.me>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <20171126150401.28565-1-steffan@karger.me>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
----
- configure.ac | 1 +
- src/openvpn/openssl_compat.h | 8 ++++++++
- src/openvpn/ssl_openssl.c | 2 +-
- 3 files changed, 10 insertions(+), 1 deletion(-)
-
---- a/configure.ac
-+++ b/configure.ac
-@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
- EVP_MD_CTX_free \
- EVP_MD_CTX_reset \
- EVP_CIPHER_CTX_reset \
-+ OpenSSL_version \
- SSL_CTX_get_default_passwd_cb \
- SSL_CTX_get_default_passwd_cb_userdata \
- SSL_CTX_set_security_level \
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
- #endif
-
- /* SSLeay symbols have been renamed in OpenSSL 1.1 */
-+#ifndef OPENSSL_VERSION
-+#define OPENSSL_VERSION SSLEAY_VERSION
-+#endif
-+
-+#ifndef HAVE_OPENSSL_VERSION
-+#define OpenSSL_version SSLeay_version
-+#endif
-+
- #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
- #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
- #endif
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
- const char *
- get_ssl_library_version(void)
- {
-- return SSLeay_version(SSLEAY_VERSION);
-+ return OpenSSL_version(OPENSSL_VERSION);
- }
-
- #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
+++ /dev/null
-From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan@karger.me>
-Date: Sun, 26 Nov 2017 16:49:12 +0100
-Subject: [PATCH] openssl: add missing #include statements
-
-Compiling our current master against OpenSSL 1.1 with
--DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
-the errors caused by missing includes. Previous openssl versions would
-usually include 'the rest of the world', but they're fixing that. So we
-should no longer rely on it.
-
-(And sneaking in alphabetic ordering of the includes while touching them.)
-
-Signed-off-by: Steffan Karger <steffan@karger.me>
-Acked-by: Gert Doering <gert@greenie.muc.de>
-Message-Id: <20171126154912.13283-1-steffan@karger.me>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
----
- src/openvpn/openssl_compat.h | 1 +
- src/openvpn/ssl_openssl.c | 6 +++++-
- src/openvpn/ssl_verify_openssl.c | 3 ++-
- 3 files changed, 8 insertions(+), 2 deletions(-)
-
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -42,6 +42,7 @@
-
- #include "buffer.h"
-
-+#include <openssl/rsa.h>
- #include <openssl/ssl.h>
- #include <openssl/x509.h>
-
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -52,10 +52,14 @@
-
- #include "ssl_verify_openssl.h"
-
-+#include <openssl/bn.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dh.h>
-+#include <openssl/dsa.h>
- #include <openssl/err.h>
- #include <openssl/pkcs12.h>
-+#include <openssl/rsa.h>
- #include <openssl/x509.h>
--#include <openssl/crypto.h>
- #ifndef OPENSSL_NO_EC
- #include <openssl/ec.h>
- #endif
---- a/src/openvpn/ssl_verify_openssl.c
-+++ b/src/openvpn/ssl_verify_openssl.c
-@@ -44,8 +44,9 @@
- #include "ssl_verify_backend.h"
- #include "openssl_compat.h"
-
--#include <openssl/x509v3.h>
-+#include <openssl/bn.h>
- #include <openssl/err.h>
-+#include <openssl/x509v3.h>
-
- int
- verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
--- a/configure.ac
+++ b/configure.ac
-@@ -1080,68 +1080,15 @@ dnl
+@@ -1077,68 +1077,15 @@ dnl
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
-@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t
+@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
/*
* Should we include NTLM proxy functionality
*/
--#if defined(ENABLE_CRYPTO)
-#define NTLM 1
--#else
-+//#if defined(ENABLE_CRYPTO)
+//#define NTLM 1
-+//#else
- #define NTLM 0
--#endif
-+//#endif
/*
* Should we include proxy digest auth functionality
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
-@@ -319,6 +319,7 @@ int
+@@ -383,6 +383,7 @@ int
key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
{
int ret = 0;
if (kt->type == MBEDTLS_CIPHER_DES_CBC)
{
ret = 1;
-@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -395,6 +396,7 @@ key_des_num_cblocks(const mbedtls_cipher
{
ret = 3;
}
dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
return ret;
-@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -403,6 +405,7 @@ key_des_num_cblocks(const mbedtls_cipher
bool
key_des_check(uint8_t *key, int key_len, int ndc)
{
int i;
struct buffer b;
-@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len,
+@@ -431,11 +434,15 @@ key_des_check(uint8_t *key, int key_len,
err:
return false;
int i;
struct buffer b;
-@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len,
+@@ -450,6 +457,7 @@ key_des_fixup(uint8_t *key, int key_len,
}
mbedtls_des_key_set_parity(key);
}
}
/*
-@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch
+@@ -770,10 +778,12 @@ cipher_des_encrypt_ecb(const unsigned ch
unsigned char *src,
unsigned char *dst)
{