[RFC PATCH] openvpn: update to 2.5 beta1
Magnus Kroken
mkroken at gmail.com
Fri Aug 14 17:27:53 EDT 2020
New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
(unless iproute2 support is enabled).
* VLAN support when using a TAP device
Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
OpenVPN peers prior to 2.4, or peers with data cipher negotiation
disabled, will not be able to connect to a 2.5 peer unless
option data_ciphers_fallback is set on the 2.5 peer and it contains a
cipher supported by the client.
Signed-off-by: Magnus Kroken <mkroken at gmail.com>
---
Compile-tested mbedtls and openssl variants on mips_24kc and
arm_cortex-a9. Runtime-tested mbedtls variant as server and openssl as
client.
Hopefully more people will test this and give feedback, I'd suggest
merging this later in the release cycle or at 2.5.0 release.
I propose disabling LZO compression support by default, due to:
* Compression is not recommended, as it may weaken the security of the
connection
* For users who need compression, we build with LZ4 support by default
* LZO in OpenVPN pulls in liblzo at approx. 32 kB. LZO support also
adds about 1 kB to the OpenVPN package itself. LZ4 support (using OpenVPN
bundled LZ4) adds about 6 kB to the OpenVPN package in total.
This means OpenWrt users will not be able to connect to OpenVPN peers
that require LZO compression, unless they build the package themselves.
I left the PROVIDES line as "openvpn openvpn-crypto". As the nossl variant
will no longer exist and all OpenVPN packages will cover both cases
I am not entirely sure how this should be handled.
.../services/openvpn/Config-mbedtls.in | 6 +-
.../network/services/openvpn/Config-nossl.in | 50 --------------
.../services/openvpn/Config-openssl.in | 6 +-
package/network/services/openvpn/Makefile | 20 +-----
.../services/openvpn/files/openvpn.config | 67 ++++++++++++-------
.../services/openvpn/files/openvpn.options | 14 +++-
.../001-reproducible-remove_DATE.patch | 6 +-
...bedtls-disable-runtime-version-check.patch | 2 +-
...l-dont-use-deprecated-ssleay-symbols.patch | 58 ----------------
...enssl-add-missing-include-statements.patch | 65 ------------------
.../210-build_always_use_internal_lz4.patch | 2 +-
.../openvpn/patches/220-disable_des.patch | 21 ++----
12 files changed, 72 insertions(+), 245 deletions(-)
delete mode 100644 package/network/services/openvpn/Config-nossl.in
delete mode 100644 package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
delete mode 100644 package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
diff --git a/package/network/services/openvpn/Config-mbedtls.in b/package/network/services/openvpn/Config-mbedtls.in
index beac492022..3cf233b8f7 100644
--- a/package/network/services/openvpn/Config-mbedtls.in
+++ b/package/network/services/openvpn/Config-mbedtls.in
@@ -2,16 +2,12 @@ if PACKAGE_openvpn-mbedtls
config OPENVPN_mbedtls_ENABLE_LZO
bool "Enable LZO compression support"
- default y
+ default n
config OPENVPN_mbedtls_ENABLE_LZ4
bool "Enable LZ4 compression support"
default y
-config OPENVPN_mbedtls_ENABLE_SERVER
- bool "Enable server support (otherwise only client mode is support)"
- default y
-
#config OPENVPN_mbedtls_ENABLE_EUREPHIA
# bool "Enable support for the eurephia plug-in"
# default n
diff --git a/package/network/services/openvpn/Config-nossl.in b/package/network/services/openvpn/Config-nossl.in
deleted file mode 100644
index 79140ad5d1..0000000000
--- a/package/network/services/openvpn/Config-nossl.in
+++ /dev/null
@@ -1,50 +0,0 @@
-if PACKAGE_openvpn-nossl
-
-config OPENVPN_nossl_ENABLE_LZO
- bool "Enable LZO compression support"
- default y
-
-config OPENVPN_nossl_ENABLE_LZ4
- bool "Enable LZ4 compression support"
- default y
-
-config OPENVPN_nossl_ENABLE_SERVER
- bool "Enable server support (otherwise only client mode is support)"
- default y
-
-config OPENVPN_nossl_ENABLE_MANAGEMENT
- bool "Enable management server support"
- default n
-
-config OPENVPN_nossl_ENABLE_FRAGMENT
- bool "Enable internal fragmentation support (--fragment)"
- default y
-
-config OPENVPN_nossl_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
-config OPENVPN_nossl_ENABLE_PORT_SHARE
- bool "Enable TCP server port-share support (--port-share)"
- default y
-
-config OPENVPN_nossl_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_nossl_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
-config OPENVPN_nossl_ENABLE_IPROUTE2
- bool "Enable support for iproute2"
- default n
-
-config OPENVPN_nossl_ENABLE_SMALL
- bool "Enable size optimization"
- default y
- help
- enable smaller executable size (disable OCC, usage
- message, and verb 4 parm list)
-
-endif
diff --git a/package/network/services/openvpn/Config-openssl.in b/package/network/services/openvpn/Config-openssl.in
index f2b618eff1..335bbaa2c4 100644
--- a/package/network/services/openvpn/Config-openssl.in
+++ b/package/network/services/openvpn/Config-openssl.in
@@ -2,7 +2,7 @@ if PACKAGE_openvpn-openssl
config OPENVPN_openssl_ENABLE_LZO
bool "Enable LZO compression support"
- default y
+ default n
config OPENVPN_openssl_ENABLE_LZ4
bool "Enable LZ4 compression support"
@@ -12,10 +12,6 @@ config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
bool "Enable the --x509-username-field feature"
default n
-config OPENVPN_openssl_ENABLE_SERVER
- bool "Enable server support (otherwise only client mode is support)"
- default y
-
#config OPENVPN_openssl_ENABLE_EUREPHIA
# bool "Enable support for the eurephia plug-in"
# default n
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 9482e9ce39..be4dd2acfb 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn
-PKG_VERSION:=2.4.9
-PKG_RELEASE:=4
+PKG_VERSION:=2.5_beta1
+PKG_RELEASE:=1
PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
+PKG_HASH:=0838362a42b227c6b85554e493c189258ba7d6eac31a2c2e71f4dcf07464a44b
PKG_MAINTAINER:=Felix Fietkau <nbd at nbd.name>
@@ -37,16 +37,11 @@ define Package/openvpn/Default
MENU:=1
DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
VARIANT:=$(1)
-ifeq ($(1),nossl)
- PROVIDES:=openvpn
-else
PROVIDES:=openvpn openvpn-crypto
-endif
endef
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
-Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
define Package/openvpn/config/Default
source "$(SOURCE)/Config-$(1).in"
@@ -54,7 +49,6 @@ endef
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
-Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
ifeq ($(BUILD_VARIANT),mbedtls)
CONFIG_OPENVPN_MBEDTLS:=y
@@ -62,13 +56,8 @@ endif
ifeq ($(BUILD_VARIANT),openssl)
CONFIG_OPENVPN_OPENSSL:=y
endif
-ifeq ($(BUILD_VARIANT),nossl)
-CONFIG_OPENVPN_NOSSL:=y
-endif
CONFIGURE_VARS += \
- IFCONFIG=/sbin/ifconfig \
- ROUTE=/sbin/route \
IPROUTE=/sbin/ip \
NETSTAT=/sbin/netstat
@@ -86,7 +75,6 @@ define Build/Configure
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
@@ -94,7 +82,6 @@ define Build/Configure
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
- $(if $(CONFIG_OPENVPN_NOSSL),--disable-crypto,--enable-crypto) \
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
)
@@ -155,4 +142,3 @@ endef
$(eval $(call BuildPackage,openvpn-openssl))
$(eval $(call BuildPackage,openvpn-mbedtls))
-$(eval $(call BuildPackage,openvpn-nossl))
diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config
index 3de1881e35..50d6cf9544 100644
--- a/package/network/services/openvpn/files/openvpn.config
+++ b/package/network/services/openvpn/files/openvpn.config
@@ -254,6 +254,24 @@ config openvpn sample_server
# on the system
# option tls_version_min "1.2 'or-highest'"
+ # List the preferred ciphers to use for the data channel.
+ # Run openvpn --show-ciphers to see all supported ciphers.
+# list data_ciphers 'AES-256-GCM'
+# list data_ciphers 'AES-128-GCM'
+# list data_ciphers 'CHACHA20-POLY1305'
+
+ # Set a fallback cipher in order to be compatible with
+ # peers that do not support cipher negotiation.
+ #
+ # Use AES-256-CBC as fallback
+# option data_ciphers_fallback 'AES-128-CBC'
+ # Use AES-128-CBC as fallback
+# option data_ciphers_fallback 'AES-256-CBC'
+ # Use Triple-DES as fallback
+# option cipher DES-EDE3-CBC
+ # Use BF-CBC as fallback
+# option data_ciphers_fallback 'BF-CBC'
+
# OpenVPN versions 2.4 and later will attempt to
# automatically negotiate the most secure cipher
# between the client and server, regardless of a
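Review bot: The two CBC fallback examples under `# Set a fallback cipher` have their comments swapped: `# Use AES-256-CBC as fallback` sits above `option data_ciphers_fallback 'AES-128-CBC'` and `# Use AES-128-CBC as fallback` above `'AES-256-CBC'`, so a user who uncomments the line under the comment they read gets the other cipher. The Triple-DES example still uses the old `option cipher DES-EDE3-CBC` rather than `data_ciphers_fallback`, and the removed text's caveat that BF-CBC is not recommended because of its weaknesses has been dropped while the BF-CBC example itself stays; given that the package also carries 220-disable_des.patch, it is worth confirming whether the DES example works at all on the mbedtls variant. I would swap the two comments, change the Triple-DES line to `# option data_ciphers_fallback 'DES-EDE3-CBC'`, and keep a one-line comment that the CBC fallbacks, BF-CBC and Triple-DES in particular, exist only for peers that cannot negotiate and weaken the data channel. The same swapped comments and `option cipher` line appear again in the sample_client hunk further down this file.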
@@ -265,21 +283,6 @@ config openvpn sample_server
# cipher option instead (not recommended).
# option ncp_disable
- # Select a cryptographic cipher.
- # This config item must be copied to
- # the client config file as well.
- #
- # To see all supported ciphers, run:
- # openvpn --show-ciphers
- #
- # Blowfish (default for backwards compatibility,
- # but not recommended due to weaknesses):
-# option cipher BF-CBC
- # AES:
-# option cipher AES-128-CBC
- # Triple-DES:
-# option cipher DES-EDE3-CBC
-
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
@@ -290,9 +293,16 @@ config openvpn sample_server
#
# LZ4 requires OpenVPN 2.4+ client and server
# option compress lz4
- # LZO is compatible with most OpenVPN versions
- # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
-# option compress lzo
+
+ # Control how OpenVPN handles peers using compression
+ #
+ # Do not allow any connections using compression
+# option allow_compression 'no'
+ # Allow incoming compressed packets, but do not send compressed packets to other peers
+ # This can be useful when migrating old configurations with compression activated
+# option allow_compression 'asym'
+ # Both incoming and outgoing packets may be compressed
+# option allow_compression 'yes'
# The maximum number of concurrently connected
# clients we want to allow.
@@ -449,10 +459,21 @@ config openvpn sample_client
# on the system
# option tls_version_min "1.2 'or-highest'"
- # Select a cryptographic cipher.
- # If the cipher option is used on the server
- # then you must also specify it here.
-# option cipher x
+ # List the preferred ciphers for the data channel.
+# list data_ciphers 'AES-256-GCM'
+# list data_ciphers 'AES-128-GCM'
+# list data_ciphers 'CHACHA20-POLY1305'
+
+ # Set a fallback cipher if you connect to a peer that does
+ # not support cipher negotiation.
+ # Use AES-256-CBC as fallback
+# option data_ciphers_fallback 'AES-128-CBC'
+ # Use AES-128-CBC as fallback
+# option data_ciphers_fallback 'AES-256-CBC'
+ # Use Triple-DES as fallback
+# option cipher DES-EDE3-CBC
+ # Use BF-CBC as fallback
+# option data_ciphers_fallback 'BF-CBC'
# Enable compression on the VPN link.
# Don't enable this unless it is also
@@ -464,8 +485,6 @@ config openvpn sample_client
#
# LZ4 requires OpenVPN 2.4+ on server and client
# option compress lz4
- # LZO is compatible with most OpenVPN versions
-# option compress lzo
# Set log file verbosity.
option verb 3
diff --git a/package/network/services/openvpn/files/openvpn.options b/package/network/services/openvpn/files/openvpn.options
index 5d7a387cd3..02558ca3bf 100644
--- a/package/network/services/openvpn/files/openvpn.options
+++ b/package/network/services/openvpn/files/openvpn.options
@@ -1,10 +1,12 @@
OPENVPN_PARAMS='
+allow_compression
askpass
auth
auth_retry
auth_user_pass
auth_user_pass_verify
bcast_buffers
+bind_dev
ca
capath
cd
@@ -21,6 +23,7 @@ connect_retry
connect_retry_max
connect_timeout
crl_verify
+data_ciphers_fallback
dev
dev_node
dev_type
@@ -51,7 +54,6 @@ iroute_ipv6
keepalive
key
key_direction
-key_method
keysize
learn_address
link_mtu
@@ -69,7 +71,6 @@ mssfix
mtu_disc
mute
nice
-ns_cert_type
ping
ping_exit
ping_restart
@@ -116,6 +117,9 @@ syslog
tcp_queue_limit
tls_auth
tls_crypt
+tls_crypt_v2
+tls_crypt_v2_verify
+tls_export_cert
tls_timeout
tls_verify
tls_version_min
@@ -129,6 +133,8 @@ user
verb
verify_client_cert
verify_x509_name
+vlan_accept
+vlan_pvid
x509_username_field
'
@@ -137,6 +143,7 @@ allow_recursive_routing
auth_nocache
auth_user_pass_optional
bind
+block-ipv6
ccd_exclusive
client
client_to_client
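Review bot: `block-ipv6` is the only entry in this list written with a hyphen; every other name here uses underscores (`allow_recursive_routing`, `auth_nocache`, `bind`), and as far as I know UCI option names cannot contain `-`, so this entry could never be set from /etc/config/openvpn. It should be `block_ipv6` like its neighbours, with the init script's usual underscore-to-hyphen conversion producing the real `--block-ipv6` flag. The enclosing quoted list starts before this hunk.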
@@ -185,10 +192,13 @@ tls_server
up_delay
up_restart
username_as_common_name
+vlan_tagging
'
OPENVPN_LIST='
+data_ciphers
ncp_ciphers
tls_cipher
tls_ciphersuites
+tls_groups
'
diff --git a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
index 101fa12ba2..e4e6d39413 100644
--- a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
+++ b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
@@ -1,9 +1,9 @@
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
-@@ -106,7 +106,6 @@ const char title_string[] =
- #ifdef HAVE_AEAD_CIPHER_MODES
- " [AEAD]"
+@@ -105,7 +105,6 @@ const char title_string[] =
+ #endif
#endif
+ " [AEAD]"
- " built on " __DATE__
;
diff --git a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
index cb16a906fe..4141c2863c 100644
--- a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
-@@ -1415,7 +1415,7 @@ const char *
+@@ -1520,7 +1520,7 @@ const char *
get_ssl_library_version(void)
{
static char mbedtls_version[30];
diff --git a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
deleted file mode 100644
index c7faf7c0c0..0000000000
--- a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan at karger.me>
-Date: Sun, 26 Nov 2017 16:04:00 +0100
-Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
-
-Compiling our current master against OpenSSL 1.1 with
--DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
-the errors about the deprecated SSLEAY/SSLeay symbols and defines.
-
-Signed-off-by: Steffan Karger <steffan at karger.me>
-Acked-by: Gert Doering <gert at greenie.muc.de>
-Message-Id: <20171126150401.28565-1-steffan at karger.me>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
----
- configure.ac | 1 +
- src/openvpn/openssl_compat.h | 8 ++++++++
- src/openvpn/ssl_openssl.c | 2 +-
- 3 files changed, 10 insertions(+), 1 deletion(-)
-
---- a/configure.ac
-+++ b/configure.ac
-@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
- EVP_MD_CTX_free \
- EVP_MD_CTX_reset \
- EVP_CIPHER_CTX_reset \
-+ OpenSSL_version \
- SSL_CTX_get_default_passwd_cb \
- SSL_CTX_get_default_passwd_cb_userdata \
- SSL_CTX_set_security_level \
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
- #endif
-
- /* SSLeay symbols have been renamed in OpenSSL 1.1 */
-+#ifndef OPENSSL_VERSION
-+#define OPENSSL_VERSION SSLEAY_VERSION
-+#endif
-+
-+#ifndef HAVE_OPENSSL_VERSION
-+#define OpenSSL_version SSLeay_version
-+#endif
-+
- #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
- #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
- #endif
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
- const char *
- get_ssl_library_version(void)
- {
-- return SSLeay_version(SSLEAY_VERSION);
-+ return OpenSSL_version(OPENSSL_VERSION);
- }
-
- #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
diff --git a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
deleted file mode 100644
index 6a62b16500..0000000000
--- a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan at karger.me>
-Date: Sun, 26 Nov 2017 16:49:12 +0100
-Subject: [PATCH] openssl: add missing #include statements
-
-Compiling our current master against OpenSSL 1.1 with
--DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
-the errors caused by missing includes. Previous openssl versions would
-usually include 'the rest of the world', but they're fixing that. So we
-should no longer rely on it.
-
-(And sneaking in alphabetic ordering of the includes while touching them.)
-
-Signed-off-by: Steffan Karger <steffan at karger.me>
-Acked-by: Gert Doering <gert at greenie.muc.de>
-Message-Id: <20171126154912.13283-1-steffan at karger.me>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
----
- src/openvpn/openssl_compat.h | 1 +
- src/openvpn/ssl_openssl.c | 6 +++++-
- src/openvpn/ssl_verify_openssl.c | 3 ++-
- 3 files changed, 8 insertions(+), 2 deletions(-)
-
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -42,6 +42,7 @@
-
- #include "buffer.h"
-
-+#include <openssl/rsa.h>
- #include <openssl/ssl.h>
- #include <openssl/x509.h>
-
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -52,10 +52,14 @@
-
- #include "ssl_verify_openssl.h"
-
-+#include <openssl/bn.h>
-+#include <openssl/crypto.h>
-+#include <openssl/dh.h>
-+#include <openssl/dsa.h>
- #include <openssl/err.h>
- #include <openssl/pkcs12.h>
-+#include <openssl/rsa.h>
- #include <openssl/x509.h>
--#include <openssl/crypto.h>
- #ifndef OPENSSL_NO_EC
- #include <openssl/ec.h>
- #endif
---- a/src/openvpn/ssl_verify_openssl.c
-+++ b/src/openvpn/ssl_verify_openssl.c
-@@ -44,8 +44,9 @@
- #include "ssl_verify_backend.h"
- #include "openssl_compat.h"
-
--#include <openssl/x509v3.h>
-+#include <openssl/bn.h>
- #include <openssl/err.h>
-+#include <openssl/x509v3.h>
-
- int
- verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
index 5cf5174a9d..a99f923644 100644
--- a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
@@ -1,6 +1,6 @@
--- a/configure.ac
+++ b/configure.ac
-@@ -1080,68 +1080,15 @@ dnl
+@@ -1077,68 +1077,15 @@ dnl
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
diff --git a/package/network/services/openvpn/patches/220-disable_des.patch b/package/network/services/openvpn/patches/220-disable_des.patch
index 2b8f47a802..9ddf1047b5 100644
--- a/package/network/services/openvpn/patches/220-disable_des.patch
+++ b/package/network/services/openvpn/patches/220-disable_des.patch
@@ -1,24 +1,17 @@
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
-@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t
+@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
/*
* Should we include NTLM proxy functionality
*/
--#if defined(ENABLE_CRYPTO)
-#define NTLM 1
--#else
-+//#if defined(ENABLE_CRYPTO)
+//#define NTLM 1
-+//#else
- #define NTLM 0
--#endif
-+//#endif
/*
* Should we include proxy digest auth functionality
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
-@@ -319,6 +319,7 @@ int
+@@ -383,6 +383,7 @@ int
key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
{
int ret = 0;
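Review bot: If I read the outer hunk correctly, the refreshed syshead.h hunk (`@@ -572,7 +572,7 @@`) now only turns `#define NTLM 1` into `//#define NTLM 1` and no longer keeps the `#define NTLM 0` context line the old hunk relied on, so after patching NTLM is not defined at all. That works only because `#if NTLM` treats an undefined name as 0, and it will produce noise under -Wundef; the intent of the patch (NTLM proxy support off) is clearer if the value stays explicit. I would add `+#define NTLM 0` after the commented-out line, matching what the previous version of this patch did. The crypto_mbedtls.c hunks below only refresh line numbers.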
@@ -26,7 +19,7 @@
if (kt->type == MBEDTLS_CIPHER_DES_CBC)
{
ret = 1;
-@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -395,6 +396,7 @@ key_des_num_cblocks(const mbedtls_cipher
{
ret = 3;
}
@@ -34,7 +27,7 @@
dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
return ret;
-@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -403,6 +405,7 @@ key_des_num_cblocks(const mbedtls_cipher
bool
key_des_check(uint8_t *key, int key_len, int ndc)
{
@@ -42,7 +35,7 @@
int i;
struct buffer b;
-@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len,
+@@ -431,11 +434,15 @@ key_des_check(uint8_t *key, int key_len,
err:
return false;
@@ -58,7 +51,7 @@
int i;
struct buffer b;
-@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len,
+@@ -450,6 +457,7 @@ key_des_fixup(uint8_t *key, int key_len,
}
mbedtls_des_key_set_parity(key);
}
@@ -66,7 +59,7 @@
}
/*
-@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch
+@@ -770,10 +778,12 @@ cipher_des_encrypt_ecb(const unsigned ch
unsigned char *src,
unsigned char *dst)
{
--
2.20.1