[LEDE-DEV] [PATCH RFC 3/3] openvpn: update to 2.4_rc1

Magnus Kroken mkroken at gmail.com
Fri Dec 9 12:07:39 PST 2016


OpenVPN 2.4 builds with mbedTLS 2.x, rename openvpn-polarssl
variant to openvpn-mbedtls.

Some feature highlights:
* Data channel cipher negotiation
* AEAD cipher support for data channel encryption (currently only AES-GCM)
* ECDH key exchange for control channel
* LZ4 compression support

See https://github.com/OpenVPN/openvpn/blob/master/Changes.rst
for additional change notes.

Signed-off-by: Magnus Kroken <mkroken at gmail.com>
---
I'd like feedback on these issues:

* Package renaming
OpenVPN 2.4 uses mbedTLS 2.x, so I have renamed the openvpn-polarssl
package to openvpn-mbedtls. Thoughts? Are there any additional steps
needed to rename a package?

* LZ4 compression support
OpenVPN 2.4 can use LZ4 for compression, in addition to LZO.
By default it uses liblz4 if available, or an included minimal
lz4 if liblz4 is unavailable. Liblz4 is now packaged in the
packages feed on Github, but a package in base shouldn't depend
on a package in feeds/packages, IMO.

For now I've patched configure.ac to ignore external liblz4.
Without this patch, if the liblz4 package happens to be selected and
the build order is just right, openvpn will link against it, but the
openvpn install step will fail with missing dependencies
if it doesn't have liblz4 in DEPENDS. This was the most
reasonable workaround I found. I tried a hackish dependency
like +(PACKAGE_liblz4&&OPENVPN_$(1)_ENABLE_LZ4):liblz4,
but that leads to a recursive dependency error. Here are
some size figures of the uncompressed binary:

LZ4 support, internal library:
412604 openvpn
LZ4 support, liblz4: (liblz4.so itself is 66k)
384144 openvpn
No LZ4 support:
383108 openvpn

Any suggestions on how to better handle liblz4? OpenVPN can
move to feeds/packages, liblz4 can move to base, or OpenVPN
can ignore liblz4 (like now), those are the options I see.
Moving OpenVPN to feeds/packages will cause issues for OpenWrt
and other forks with openvpn still in their base feed.

 package/network/services/openvpn/Config-mbedtls.in | 70 ++++++++++++++++++++++
 package/network/services/openvpn/Config-nossl.in   |  4 ++
 package/network/services/openvpn/Config-openssl.in |  4 ++
 .../network/services/openvpn/Config-polarssl.in    | 66 --------------------
 package/network/services/openvpn/Makefile          | 17 +++---
 .../network/services/openvpn/files/openvpn.config  | 11 +++-
 .../network/services/openvpn/files/openvpn.init    | 16 ++---
 .../patches/001-reproducible-remove_DATE.patch     |  6 +-
 ...00-polarssl-disable-runtime-version-check.patch | 16 ++---
 ...101-backport_upstream_polarssl_debug_call.patch | 33 ----------
 .../101-fix_mbedtls_net_sockets_include.patch      | 39 ++++++++++++
 .../patches/200-small_build_enable_occ.patch       |  2 +-
 .../210-build_always_use_internal_lz4.patch        | 41 +++++++++++++
 13 files changed, 196 insertions(+), 129 deletions(-)
 create mode 100644 package/network/services/openvpn/Config-mbedtls.in
 delete mode 100644 package/network/services/openvpn/Config-polarssl.in
 delete mode 100644 package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
 create mode 100644 package/network/services/openvpn/patches/101-fix_mbedtls_net_sockets_include.patch
 create mode 100644 package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch

diff --git a/package/network/services/openvpn/Config-mbedtls.in b/package/network/services/openvpn/Config-mbedtls.in
new file mode 100644
index 0000000..c1c8c7a
--- /dev/null
+++ b/package/network/services/openvpn/Config-mbedtls.in
@@ -0,0 +1,70 @@
+if PACKAGE_openvpn-mbedtls
+
+config OPENVPN_mbedtls_ENABLE_LZO
+	bool "Enable LZO compression support"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_LZ4
+	bool "Enable LZ4 compression support"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_X509_ALT_USERNAME
+	bool "Enable the --x509-username-field feature"
+	default n
+
+config OPENVPN_mbedtls_ENABLE_SERVER
+	bool "Enable server support (otherwise only client mode is support)"
+	default y
+
+#config OPENVPN_mbedtls_ENABLE_EUREPHIA
+#	bool "Enable support for the eurephia plug-in"
+#	default n
+
+config OPENVPN_mbedtls_ENABLE_MANAGEMENT
+	bool "Enable management server support"
+	default n
+
+#config OPENVPN_mbedtls_ENABLE_PKCS11
+#	bool "Enable pkcs11 support"
+#	default n
+
+config OPENVPN_mbedtls_ENABLE_HTTP
+	bool "Enable HTTP proxy support"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_SOCKS
+	bool "Enable SOCKS proxy support"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_FRAGMENT
+	bool "Enable internal fragmentation support (--fragment)"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_MULTIHOME
+	bool "Enable multi-homed UDP server support (--multihome)"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_PORT_SHARE
+	bool "Enable TCP server port-share support (--port-share)"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_DEF_AUTH
+	bool "Enable deferred authentication"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_PF
+	bool "Enable internal packet filter"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_IPROUTE2
+	bool "Enable support for iproute2"
+	default n
+
+config OPENVPN_mbedtls_ENABLE_SMALL
+	bool "Enable size optimization"
+	default y
+	help
+	  enable smaller executable size (disable OCC, usage
+	  message, and verb 4 parm list)
+
+endif
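Review bot: The prompt for OPENVPN_mbedtls_ENABLE_SERVER reads "otherwise only client mode is support"; since this is a new file the typo can be fixed here as `bool "Enable server support (otherwise only client mode is supported)"`. The same wording appears in the Config-nossl.in context line further down. The commented-out EUREPHIA and PKCS11 entries are carried over without explanation; a one-line comment saying why they stay disabled would help, given that the configure call in the Makefile passes `--disable-pkcs11` unconditionally.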
diff --git a/package/network/services/openvpn/Config-nossl.in b/package/network/services/openvpn/Config-nossl.in
index 3eaa228..199cda0 100644
--- a/package/network/services/openvpn/Config-nossl.in
+++ b/package/network/services/openvpn/Config-nossl.in
@@ -4,6 +4,10 @@ config OPENVPN_nossl_ENABLE_LZO
 	bool "Enable LZO compression support"
 	default y
 
+config OPENVPN_nossl_ENABLE_LZ4
+	bool "Enable LZ4 compression support"
+	default y
+
 config OPENVPN_nossl_ENABLE_SERVER
 	bool "Enable server support (otherwise only client mode is support)"
 	default y
diff --git a/package/network/services/openvpn/Config-openssl.in b/package/network/services/openvpn/Config-openssl.in
index ac4c774..a2bc3de 100644
--- a/package/network/services/openvpn/Config-openssl.in
+++ b/package/network/services/openvpn/Config-openssl.in
@@ -4,6 +4,10 @@ config OPENVPN_openssl_ENABLE_LZO
 	bool "Enable LZO compression support"
 	default y
 
+config OPENVPN_openssl_ENABLE_LZ4
+	bool "Enable LZ4 compression support"
+	default y
+
 config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
 	bool "Enable the --x509-username-field feature"
 	default n
diff --git a/package/network/services/openvpn/Config-polarssl.in b/package/network/services/openvpn/Config-polarssl.in
deleted file mode 100644
index 26692ce..0000000
--- a/package/network/services/openvpn/Config-polarssl.in
+++ /dev/null
@@ -1,66 +0,0 @@
-if PACKAGE_openvpn-polarssl
-
-config OPENVPN_polarssl_ENABLE_LZO
-	bool "Enable LZO compression support"
-	default y
-
-config OPENVPN_polarssl_ENABLE_X509_ALT_USERNAME
-	bool "Enable the --x509-username-field feature"
-	default n
-
-config OPENVPN_polarssl_ENABLE_SERVER
-	bool "Enable server support (otherwise only client mode is support)"
-	default y
-
-#config OPENVPN_polarssl_ENABLE_EUREPHIA
-#	bool "Enable support for the eurephia plug-in"
-#	default n
-
-config OPENVPN_polarssl_ENABLE_MANAGEMENT
-	bool "Enable management server support"
-	default n
-
-#config OPENVPN_polarssl_ENABLE_PKCS11
-#	bool "Enable pkcs11 support"
-#	default n
-
-config OPENVPN_polarssl_ENABLE_HTTP
-	bool "Enable HTTP proxy support"
-	default y
-
-config OPENVPN_polarssl_ENABLE_SOCKS
-	bool "Enable SOCKS proxy support"
-	default y
-
-config OPENVPN_polarssl_ENABLE_FRAGMENT
-	bool "Enable internal fragmentation support (--fragment)"
-	default y
-
-config OPENVPN_polarssl_ENABLE_MULTIHOME
-	bool "Enable multi-homed UDP server support (--multihome)"
-	default y
-
-config OPENVPN_polarssl_ENABLE_PORT_SHARE
-	bool "Enable TCP server port-share support (--port-share)"
-	default y
-
-config OPENVPN_polarssl_ENABLE_DEF_AUTH
-	bool "Enable deferred authentication"
-	default y
-
-config OPENVPN_polarssl_ENABLE_PF
-	bool "Enable internal packet filter"
-	default y
-
-config OPENVPN_polarssl_ENABLE_IPROUTE2
-	bool "Enable support for iproute2"
-	default n
-
-config OPENVPN_polarssl_ENABLE_SMALL
-	bool "Enable size optimization"
-	default y
-	help
-	  enable smaller executable size (disable OCC, usage
-	  message, and verb 4 parm list)
-
-endif
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 05f56ad..d777793 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.3.13
+PKG_VERSION:=2.4_rc1
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_MD5SUM:=9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0
+PKG_MD5SUM:=50109a8804856083a8026b2f6a4e8d521e306a2a915ca1a53f5ba3a53f8591a8
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 
@@ -38,7 +38,7 @@ define Package/openvpn/Default
 endef
 
 Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+libopenssl)
-Package/openvpn-polarssl=$(call Package/openvpn/Default,polarssl,PolarSSL,+libpolarssl)
+Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+libmbedtls)
 Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
 
 define Package/openvpn/config/Default
@@ -46,11 +46,11 @@ define Package/openvpn/config/Default
 endef
 
 Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
-Package/openvpn-polarssl/config=$(call Package/openvpn/config/Default,polarssl)
+Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
 Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
 
-ifeq ($(BUILD_VARIANT),polarssl)
-CONFIG_OPENVPN_POLARSSL:=y
+ifeq ($(BUILD_VARIANT),mbedtls)
+CONFIG_OPENVPN_MBEDTLS:=y
 endif
 ifeq ($(BUILD_VARIANT),openssl)
 CONFIG_OPENVPN_OPENSSL:=y
@@ -74,6 +74,7 @@ define Build/Configure
 		--disable-debug \
 		--disable-pkcs11 \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
+		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
@@ -86,7 +87,7 @@ define Build/Configure
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
 		$(if $(CONFIG_OPENVPN_NOSSL),--disable-ssl --disable-crypto,--enable-ssl --enable-crypto) \
 		$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
-		$(if $(CONFIG_OPENVPN_POLARSSL),--with-crypto-library=polarssl) \
+		$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
 	)
 endef
 
@@ -119,5 +120,5 @@ define Package/openvpn-$(BUILD_VARIANT)/install
 endef
 
 $(eval $(call BuildPackage,openvpn-openssl))
-$(eval $(call BuildPackage,openvpn-polarssl))
+$(eval $(call BuildPackage,openvpn-mbedtls))
 $(eval $(call BuildPackage,openvpn-nossl))
diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config
index 73c1abe..1ac00ae 100644
--- a/package/network/services/openvpn/files/openvpn.config
+++ b/package/network/services/openvpn/files/openvpn.config
@@ -241,7 +241,11 @@ config openvpn sample_server
 	# Enable compression on the VPN link.
 	# If you enable it here, you must also
 	# enable it in the client config file.
-	option comp_lzo yes
+	# LZ4 requires OpenVPN 2.4+ client and server
+#	option compress lz4
+	# LZO is compatible with most OpenVPN versions
+	# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
+	option compress lzo
 
 	# The maximum number of concurrently connected
 	# clients we want to allow.
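Review bot: Compression stays switched on in the sample (`option compress lzo` here, and again in the sample_client hunk below), so anyone copying the sample gets a compressed tunnel by default. Compressing before encryption makes ciphertext length depend on plaintext content, which is the side channel behind CRIME and BREACH whenever part of the tunnelled traffic can be influenced by someone else. I would ship both lines commented out, `#	option compress lzo`, with a comment such as `# Compression is optional; ciphertext length then depends on plaintext content.` The hint about `compress lzo` versus `comp-lzo yes` for older clients is worth keeping.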
@@ -391,7 +395,10 @@ config openvpn sample_client
 	# Enable compression on the VPN link.
 	# Don't enable this unless it is also
 	# enabled in the server config file.
-	option comp_lzo yes
+	# LZ4 requires OpenVPN 2.4+ on server and client
+#	option compress lz4
+	# LZO is compatible with most OpenVPN versions
+	option compress lzo
 
 	# Set log file verbosity.
 	option verb 3
diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init
index 4c8f77f..818d201 100644
--- a/package/network/services/openvpn/files/openvpn.init
+++ b/package/network/services/openvpn/files/openvpn.init
@@ -94,12 +94,12 @@ start_instance() {
 
 	# append flags
 	append_bools "$s" \
-		auth_nocache auth_user_pass_optional bind ccd_exclusive client client_cert_not_required \
+		allow_recursive_routing auth_nocache auth_user_pass_optional bind ccd_exclusive client client_cert_not_required \
 		client_to_client comp_noadapt disable \
 		disable_occ down_pre duplicate_cn fast_io float http_proxy_retry \
 		ifconfig_noexec ifconfig_nowarn ifconfig_pool_linear management_forget_disconnect management_hold \
 		management_query_passwords management_signal mktun mlock mtu_test multihome mute_replay_warnings \
-		nobind no_iv no_name_remapping no_replay opt_verify passtos persist_key persist_local_ip \
+		ncp_disable nobind no_iv no_name_remapping no_replay opt_verify passtos persist_key persist_local_ip \
 		persist_remote_ip persist_tun ping_timer_rem pull push_reset \
 		remote_random rmtun route_noexec route_nopull single_session socks_proxy_retry \
 		suppress_timestamps tcp_nodelay test_crypto tls_client tls_exit tls_server \
@@ -108,21 +108,21 @@ start_instance() {
 	# append params
 	append_params "$s" \
 		cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert capath \
-		chroot cipher client_config_dir client_connect client_disconnect comp_lzo connect_freq \
+		chroot cipher client_config_dir client_connect client_disconnect comp_lzo compress connect_freq \
 		connect_retry connect_timeout connect_retry_max crl_verify dev dev_node dev_type dh \
-		echo engine explicit_exit_notify fragment group hand_window hash_size \
+		ecdh_curve echo engine explicit_exit_notify fragment group hand_window hash_size \
 		http_proxy http_proxy_option http_proxy_timeout ifconfig ifconfig_pool \
 		ifconfig_pool_persist ifconfig_push inactive ipchange iroute keepalive \
 		key key_method keysize learn_address link_mtu lladdr local log log_append \
 		lport management management_log_cache max_clients \
-		max_routes_per_client mode mssfix mtu_disc mute nice ns_cert_type ping \
-		ping_exit ping_restart pkcs12 plugin port port_share prng proto rcvbuf \
+		max_routes_per_client mode mssfix mtu_disc mute ncp_ciphers nice ns_cert_type ping \
+		ping_exit ping_restart pkcs12 plugin port port_share prng proto pull_filter rcvbuf \
 		redirect_gateway remap_usr1 remote remote_cert_eku remote_cert_ku remote_cert_tls \
 		reneg_bytes reneg_pkts reneg_sec \
 		replay_persist replay_window resolv_retry route route_delay route_gateway \
 		route_metric route_pre_down route_up rport script_security secret server server_bridge setenv shaper sndbuf \
-		socks_proxy status status_version syslog tcp_queue_limit tls_auth tls_version_min \
-		tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \
+		socks_proxy status status_version syslog tcp_queue_limit tls_auth tls_crypt tls_version_min \
+		tls_cipher tls_timeout tls_verify tmp_dir topology tran_window \
 		tun_mtu tun_mtu_extra txqueuelen user verb down push up \
 		verify_x509_name x509_username_field \
 		ifconfig_ipv6 route_ipv6 server_ipv6 ifconfig_ipv6_pool ifconfig_ipv6_push iroute_ipv6
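Review bot: Dropping `tls_remote` from the append_params list means a UCI section that still sets `option tls_remote` presumably starts without any error and without that peer-name check, because the option is no longer passed on to the generated config. Silently losing server identity verification on upgrade is worse than a start failure, so I would either warn in start_instance or keep the name in the list so that openvpn itself rejects it (as far as I know, 2.4 removed --tls-remote). A minimal warning could be `config_get tls_remote "$s" tls_remote` followed by `[ -n "$tls_remote" ] && logger -t openvpn "$s: tls_remote is no longer supported, use verify_x509_name"`. start_instance begins and ends outside this hunk, so where such a variable would be declared local is not visible here.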
diff --git a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
index 3ceef6f..3dd29c8 100644
--- a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
+++ b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
@@ -1,9 +1,9 @@
 --- a/src/openvpn/options.c
 +++ b/src/openvpn/options.c
-@@ -102,7 +102,6 @@ const char title_string[] =
-   " [MH]"
+@@ -107,7 +107,6 @@ const char title_string[] =
+ #ifdef HAVE_AEAD_CIPHER_MODES
+   " [AEAD]"
  #endif
-   " [IPv6]"
 -  " built on " __DATE__
  ;
  
diff --git a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
index c7955c2..6de7bb4 100644
--- a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
+++ b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
@@ -1,11 +1,11 @@
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -1156,7 +1156,7 @@ const char *
+--- a/src/openvpn/ssl_mbedtls.c
++++ b/src/openvpn/ssl_mbedtls.c
+@@ -1217,7 +1217,7 @@ const char *
  get_ssl_library_version(void)
  {
-     static char polar_version[30];
--    unsigned int pv = version_get_number();
-+    unsigned int pv = POLARSSL_VERSION_NUMBER;
-     sprintf( polar_version, "PolarSSL %d.%d.%d",
+     static char mbedtls_version[30];
+-    unsigned int pv = mbedtls_version_get_number();
++    unsigned int pv = MBEDTLS_VERSION_NUMBER;
+     sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
  		(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
-     return polar_version;
+     return mbedtls_version;
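Review bot: With `unsigned int pv = MBEDTLS_VERSION_NUMBER;` the version string comes from the headers at build time, so after a library-only update of libmbedtls the binary keeps reporting the old version. That makes it harder to tell from its output whether a device runs a patched TLS library. The patch file has no header explaining why the runtime call is replaced; a short description at the top (the reason, and that the reported version is the build-time one) would help the next refresh. The file name still says polarssl although it now patches ssl_mbedtls.c, so renaming it would keep the patches directory consistent.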
diff --git a/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch b/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
deleted file mode 100644
index 2155a4c..0000000
--- a/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-openvpn: fix build without POLARSSL_DEBUG_C
-
-Backport of upstream master commit
-b63f98633dbe2ca92cd43fc6f8597ab283a600bf.
-
-Signed-off-by: Magnus Kroken <mkroken at gmail.com>
-
-From b63f98633dbe2ca92cd43fc6f8597ab283a600bf Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan at karger.me>
-Date: Tue, 14 Jun 2016 22:00:03 +0200
-Subject: [PATCH] mbedtls: don't set debug threshold if compiled without
- MBEDTLS_DEBUG_C
-
-For targets with space constraints, one might want to compile mbed TLS
-without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes.  Make
-sure OpenVPN still compiles if that is the case.
-
-Signed-off-by: Steffan Karger <steffan at karger.me>
-Acked-by: Gert Doering <gert at greenie.muc.de>
-Message-Id: <1465934403-22226-1-git-send-email-steffan at karger.me>
-URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -747,7 +747,9 @@ void key_state_ssl_init(struct key_state
-   if (polar_ok(ssl_init(ks_ssl->ctx)))
-     {
-       /* Initialise SSL context */
-+      #ifdef POLARSSL_DEBUG_C
-       debug_set_threshold(3);
-+      #endif
-       ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
-       ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);
diff --git a/package/network/services/openvpn/patches/101-fix_mbedtls_net_sockets_include.patch b/package/network/services/openvpn/patches/101-fix_mbedtls_net_sockets_include.patch
new file mode 100644
index 0000000..6823bc8
--- /dev/null
+++ b/package/network/services/openvpn/patches/101-fix_mbedtls_net_sockets_include.patch
@@ -0,0 +1,39 @@
+From 8c8af796d69cee36589923d6f6248ff9a5cfb979 Mon Sep 17 00:00:00 2001
+From: Magnus Kroken <mkroken at gmail.com>
+Date: Fri, 9 Dec 2016 09:47:47 +0100
+Subject: [PATCH] mbedtls: include correct net/net_sockets header according to
+ version
+
+<mbedtls/net.h> is deprecated as of mbedTLS 2.4.0, it is renamed
+<mbedtls/net_sockets.h>. OpenVPN will fail to build with
+mbedTLS 2.4.0 with MBEDTLS_DEPRECATED_REMOVED defined.
+
+Check MBEDTLS_VERSION_NUMBER, and include net.h for < 2.4.0 and
+net_sockets.h for >= 2.4.0.
+
+Signed-off-by: Magnus Kroken <mkroken at gmail.com>
+
+diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
+index 11ee65b..985a39f 100644
+--- a/src/openvpn/ssl_mbedtls.c
++++ b/src/openvpn/ssl_mbedtls.c
+@@ -51,11 +51,17 @@
+ #include "ssl_verify_mbedtls.h"
+ #include <mbedtls/debug.h>
+ #include <mbedtls/error.h>
+-#include <mbedtls/net.h>
++#include <mbedtls/version.h>
++
++#if MBEDTLS_VERSION_NUMBER >= 0x02040000
++    #include <mbedtls/net_sockets.h>
++#else
++    #include <mbedtls/net.h>
++#endif
++
+ #include <mbedtls/oid.h>
+ #include <mbedtls/pem.h>
+ #include <mbedtls/sha256.h>
+-#include <mbedtls/version.h>
+
+ void
+ tls_init_lib()
diff --git a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
index eef4da2..96276d4 100644
--- a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
+++ b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/syshead.h
 +++ b/src/openvpn/syshead.h
-@@ -602,9 +602,7 @@ socket_defined (const socket_descriptor_
+@@ -589,9 +589,7 @@ socket_defined (const socket_descriptor_
  /*
   * Should we include OCC (options consistency check) code?
   */
diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
new file mode 100644
index 0000000..6719107
--- /dev/null
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
@@ -0,0 +1,41 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -1014,37 +1014,14 @@ dnl
+ AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
+ AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
+ if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
+-    AC_CHECKING([for LZ4 Library and Header files])
+-    havelz4lib=1
+
+-    # if LZ4_LIBS is set, we assume it will work, otherwise test
+-    if test -z "${LZ4_LIBS}"; then
+-	AC_CHECK_LIB(lz4, LZ4_compress,
+-	    [ LZ4_LIBS="-llz4" ],
+-	    [
+-	        AC_MSG_RESULT([LZ4 library not found.])
+-	        havelz4lib=0
+-	    ])
+-    fi
++    AC_MSG_RESULT([Using LZ4 library in src/compat/compat-lz4.*])
++    AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
++    LZ4_LIBS=""
+
+-    saved_CFLAGS="${CFLAGS}"
+-    CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
+-    AC_CHECK_HEADERS(lz4.h,
+-       ,
+-       [
+-	   AC_MSG_RESULT([LZ4 headers not found.])
+-	   havelz4lib=0
+-       ])
+-
+-    if test $havelz4lib = 0 ; then
+-	AC_MSG_RESULT([LZ4 library or header not found, using version in src/compat/compat-lz4.*])
+-	AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
+-	LZ4_LIBS=""
+-    fi
+     OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
+     OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
+     AC_DEFINE(ENABLE_LZ4, 1, [Enable LZ4 compression library])
+-    CFLAGS="${saved_CFLAGS}"
+ fi
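Review bot: This patch file has no header, although it is the change that makes every LZ4-enabled build compile the copy under src/compat/ instead of a packaged liblz4. That copy presumably decompresses data received from the peer, and with this override fixes to LZ4 only arrive through an OpenVPN update, never through a liblz4 package update. A header stating the reason for the override and that consequence would make it visible to whoever handles the next LZ4 advisory. `OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"` is still set although no external library is used any more, so that assignment could be dropped or given a comment.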
-- 
2.1.4



