[LEDE-DEV] [PATCH RFC 1/2] openvpn: update to 2.4_rc2

Magnus Kroken mkroken at gmail.com
Fri Dec 16 16:53:39 PST 2016


OpenVPN 2.4 builds against mbedTLS 2.x; rename the openvpn-polarssl
variant to openvpn-mbedtls.

Some feature highlights:
* Data channel cipher negotiation
* AEAD cipher support for data channel encryption (currently only AES-GCM)
* ECDH key exchange for control channel
* LZ4 compression support

See https://github.com/OpenVPN/openvpn/blob/master/Changes.rst
for additional change notes.

Signed-off-by: Magnus Kroken <mkroken at gmail.com>
---
 package/network/services/openvpn/Config-mbedtls.in | 70 ++++++++++++++++++++++
 package/network/services/openvpn/Config-nossl.in   |  4 ++
 package/network/services/openvpn/Config-openssl.in |  4 ++
 .../network/services/openvpn/Config-polarssl.in    | 66 --------------------
 package/network/services/openvpn/Makefile          | 17 +++---
 .../network/services/openvpn/files/openvpn.config  | 11 +++-
 .../patches/001-reproducible-remove_DATE.patch     |  8 +--
 ...100-mbedtls-disable-runtime-version-check.patch | 11 ++++
 ...00-polarssl-disable-runtime-version-check.patch | 11 ----
 ...101-backport_upstream_polarssl_debug_call.patch | 33 ----------
 .../patches/200-small_build_enable_occ.patch       |  2 +-
 .../210-build_always_use_internal_lz4.patch        | 41 +++++++++++++
 12 files changed, 153 insertions(+), 125 deletions(-)
 create mode 100644 package/network/services/openvpn/Config-mbedtls.in
 delete mode 100644 package/network/services/openvpn/Config-polarssl.in
 create mode 100644 package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
 delete mode 100644 package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
 delete mode 100644 package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
 create mode 100644 package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch

diff --git a/package/network/services/openvpn/Config-mbedtls.in b/package/network/services/openvpn/Config-mbedtls.in
new file mode 100644
index 0000000..c1c8c7a
--- /dev/null
+++ b/package/network/services/openvpn/Config-mbedtls.in
@@ -0,0 +1,70 @@
+if PACKAGE_openvpn-mbedtls
+
+config OPENVPN_mbedtls_ENABLE_LZO
+	bool "Enable LZO compression support"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_LZ4
+	bool "Enable LZ4 compression support"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_X509_ALT_USERNAME
+	bool "Enable the --x509-username-field feature"
+	default n
+
+config OPENVPN_mbedtls_ENABLE_SERVER
+	bool "Enable server support (otherwise only client mode is support)"
+	default y
+
+#config OPENVPN_mbedtls_ENABLE_EUREPHIA
+#	bool "Enable support for the eurephia plug-in"
+#	default n
+
+config OPENVPN_mbedtls_ENABLE_MANAGEMENT
+	bool "Enable management server support"
+	default n
+
+#config OPENVPN_mbedtls_ENABLE_PKCS11
+#	bool "Enable pkcs11 support"
+#	default n
+
+config OPENVPN_mbedtls_ENABLE_HTTP
+	bool "Enable HTTP proxy support"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_SOCKS
+	bool "Enable SOCKS proxy support"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_FRAGMENT
+	bool "Enable internal fragmentation support (--fragment)"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_MULTIHOME
+	bool "Enable multi-homed UDP server support (--multihome)"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_PORT_SHARE
+	bool "Enable TCP server port-share support (--port-share)"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_DEF_AUTH
+	bool "Enable deferred authentication"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_PF
+	bool "Enable internal packet filter"
+	default y
+
+config OPENVPN_mbedtls_ENABLE_IPROUTE2
+	bool "Enable support for iproute2"
+	default n
+
+config OPENVPN_mbedtls_ENABLE_SMALL
+	bool "Enable size optimization"
+	default y
+	help
+	  enable smaller executable size (disable OCC, usage
+	  message, and verb 4 parm list)
+
+endif
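Review bot: The prompt on the `OPENVPN_mbedtls_ENABLE_SERVER` entry, `bool "Enable server support (otherwise only client mode is support)"`, carries a grammatical slip over from the deleted Config-polarssl.in; since this file is created fresh, it is the right moment to write `bool "Enable server support (otherwise only client mode is supported)"`. The same wording sits unchanged in the context lines of Config-nossl.in and Config-openssl.in, so fixing all three together keeps the variants consistent. The commented-out EUREPHIA and PKCS11 entries are also copied verbatim; if they are not expected to become selectable for the mbedtls variant, dropping them instead of carrying dead Kconfig forward would be cleaner.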
diff --git a/package/network/services/openvpn/Config-nossl.in b/package/network/services/openvpn/Config-nossl.in
index 3eaa228..199cda0 100644
--- a/package/network/services/openvpn/Config-nossl.in
+++ b/package/network/services/openvpn/Config-nossl.in
@@ -4,6 +4,10 @@ config OPENVPN_nossl_ENABLE_LZO
 	bool "Enable LZO compression support"
 	default y
 
+config OPENVPN_nossl_ENABLE_LZ4
+	bool "Enable LZ4 compression support"
+	default y
+
 config OPENVPN_nossl_ENABLE_SERVER
 	bool "Enable server support (otherwise only client mode is support)"
 	default y
diff --git a/package/network/services/openvpn/Config-openssl.in b/package/network/services/openvpn/Config-openssl.in
index ac4c774..a2bc3de 100644
--- a/package/network/services/openvpn/Config-openssl.in
+++ b/package/network/services/openvpn/Config-openssl.in
@@ -4,6 +4,10 @@ config OPENVPN_openssl_ENABLE_LZO
 	bool "Enable LZO compression support"
 	default y
 
+config OPENVPN_openssl_ENABLE_LZ4
+	bool "Enable LZ4 compression support"
+	default y
+
 config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
 	bool "Enable the --x509-username-field feature"
 	default n
diff --git a/package/network/services/openvpn/Config-polarssl.in b/package/network/services/openvpn/Config-polarssl.in
deleted file mode 100644
index 26692ce..0000000
--- a/package/network/services/openvpn/Config-polarssl.in
+++ /dev/null
@@ -1,66 +0,0 @@
-if PACKAGE_openvpn-polarssl
-
-config OPENVPN_polarssl_ENABLE_LZO
-	bool "Enable LZO compression support"
-	default y
-
-config OPENVPN_polarssl_ENABLE_X509_ALT_USERNAME
-	bool "Enable the --x509-username-field feature"
-	default n
-
-config OPENVPN_polarssl_ENABLE_SERVER
-	bool "Enable server support (otherwise only client mode is support)"
-	default y
-
-#config OPENVPN_polarssl_ENABLE_EUREPHIA
-#	bool "Enable support for the eurephia plug-in"
-#	default n
-
-config OPENVPN_polarssl_ENABLE_MANAGEMENT
-	bool "Enable management server support"
-	default n
-
-#config OPENVPN_polarssl_ENABLE_PKCS11
-#	bool "Enable pkcs11 support"
-#	default n
-
-config OPENVPN_polarssl_ENABLE_HTTP
-	bool "Enable HTTP proxy support"
-	default y
-
-config OPENVPN_polarssl_ENABLE_SOCKS
-	bool "Enable SOCKS proxy support"
-	default y
-
-config OPENVPN_polarssl_ENABLE_FRAGMENT
-	bool "Enable internal fragmentation support (--fragment)"
-	default y
-
-config OPENVPN_polarssl_ENABLE_MULTIHOME
-	bool "Enable multi-homed UDP server support (--multihome)"
-	default y
-
-config OPENVPN_polarssl_ENABLE_PORT_SHARE
-	bool "Enable TCP server port-share support (--port-share)"
-	default y
-
-config OPENVPN_polarssl_ENABLE_DEF_AUTH
-	bool "Enable deferred authentication"
-	default y
-
-config OPENVPN_polarssl_ENABLE_PF
-	bool "Enable internal packet filter"
-	default y
-
-config OPENVPN_polarssl_ENABLE_IPROUTE2
-	bool "Enable support for iproute2"
-	default n
-
-config OPENVPN_polarssl_ENABLE_SMALL
-	bool "Enable size optimization"
-	default y
-	help
-	  enable smaller executable size (disable OCC, usage
-	  message, and verb 4 parm list)
-
-endif
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index abe1adf..11b6aab 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.3.13
+PKG_VERSION:=2.4_rc2
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=9cde0c8000fd32d5275adb55f8bb1d8ba429ff3de35f60a36e81f3859b7537e0
+PKG_HASH:=3e5dbfda2c1c941bc61e5e067601b31f578ad4cdf3683e569014e18c2cc6e2e9
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 
@@ -38,7 +38,7 @@ define Package/openvpn/Default
 endef
 
 Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+libopenssl)
-Package/openvpn-polarssl=$(call Package/openvpn/Default,polarssl,PolarSSL,+libpolarssl)
+Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+libmbedtls)
 Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
 
 define Package/openvpn/config/Default
@@ -46,11 +46,11 @@ define Package/openvpn/config/Default
 endef
 
 Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
-Package/openvpn-polarssl/config=$(call Package/openvpn/config/Default,polarssl)
+Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
 Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
 
-ifeq ($(BUILD_VARIANT),polarssl)
-CONFIG_OPENVPN_POLARSSL:=y
+ifeq ($(BUILD_VARIANT),mbedtls)
+CONFIG_OPENVPN_MBEDTLS:=y
 endif
 ifeq ($(BUILD_VARIANT),openssl)
 CONFIG_OPENVPN_OPENSSL:=y
@@ -74,6 +74,7 @@ define Build/Configure
 		--disable-debug \
 		--disable-pkcs11 \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
+		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
@@ -86,7 +87,7 @@ define Build/Configure
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
 		$(if $(CONFIG_OPENVPN_NOSSL),--disable-ssl --disable-crypto,--enable-ssl --enable-crypto) \
 		$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
-		$(if $(CONFIG_OPENVPN_POLARSSL),--with-crypto-library=polarssl) \
+		$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
 	)
 endef
 
@@ -119,5 +120,5 @@ define Package/openvpn-$(BUILD_VARIANT)/install
 endef
 
 $(eval $(call BuildPackage,openvpn-openssl))
-$(eval $(call BuildPackage,openvpn-polarssl))
+$(eval $(call BuildPackage,openvpn-mbedtls))
 $(eval $(call BuildPackage,openvpn-nossl))
diff --git a/package/network/services/openvpn/files/openvpn.config b/package/network/services/openvpn/files/openvpn.config
index 3e053c3..1fd846f 100644
--- a/package/network/services/openvpn/files/openvpn.config
+++ b/package/network/services/openvpn/files/openvpn.config
@@ -241,7 +241,11 @@ config openvpn sample_server
 	# Enable compression on the VPN link.
 	# If you enable it here, you must also
 	# enable it in the client config file.
-	option comp_lzo yes
+	# LZ4 requires OpenVPN 2.4+ client and server
+#	option compress lz4
+	# LZO is compatible with most OpenVPN versions
+	# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
+	option compress lzo
 
 	# The maximum number of concurrently connected
 	# clients we want to allow.
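Review bot: The commented-out alternative `#	option compress lz4` puts `#` in column 0 while every other comment in this stanza is tab-indented (`	# LZ4 requires ...`); written as `	#option compress lz4` it stays visually inside the stanza and matches the file's existing style. The client hunk below has the same layout and also phrases the prerequisite differently ("2.4+ on server and client" here versus "2.4+ client and server" in the server section); using one wording in both keeps the two sample sections parallel.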
@@ -391,7 +395,10 @@ config openvpn sample_client
 	# Enable compression on the VPN link.
 	# Don't enable this unless it is also
 	# enabled in the server config file.
-	option comp_lzo yes
+	# LZ4 requires OpenVPN 2.4+ on server and client
+#	option compress lz4
+	# LZO is compatible with most OpenVPN versions
+	option compress lzo
 
 	# Set log file verbosity.
 	option verb 3
diff --git a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
index 3ceef6f..5f23994 100644
--- a/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
+++ b/package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch
@@ -1,10 +1,10 @@
 --- a/src/openvpn/options.c
 +++ b/src/openvpn/options.c
-@@ -102,7 +102,6 @@ const char title_string[] =
-   " [MH]"
+@@ -107,7 +107,6 @@ const char title_string[] =
+ #ifdef HAVE_AEAD_CIPHER_MODES
+     " [AEAD]"
  #endif
-   " [IPv6]"
--  " built on " __DATE__
+-    " built on " __DATE__
  ;
  
  #ifndef ENABLE_SMALL
diff --git a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
new file mode 100644
index 0000000..3b8248d
--- /dev/null
+++ b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -0,0 +1,11 @@
+--- a/src/openvpn/ssl_mbedtls.c
++++ b/src/openvpn/ssl_mbedtls.c
+@@ -1333,7 +1333,7 @@ const char *
+ get_ssl_library_version(void)
+ {
+     static char mbedtls_version[30];
+-    unsigned int pv = mbedtls_version_get_number();
++    unsigned int pv = MBEDTLS_VERSION_NUMBER;
+     sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
+              (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
+     return mbedtls_version;
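Review bot: Replacing `mbedtls_version_get_number()` with `MBEDTLS_VERSION_NUMBER` in get_ssl_library_version() turns the reported mbed TLS version into a compile-time constant, so after a libmbedtls package upgrade without an openvpn rebuild the string shown by `--version` and in the log no longer matches the library actually loaded. Neither the patch file nor the commit message says why the runtime call is avoided; since this mirrors the deleted 100-polarssl patch, presumably the target library is built without the version module (MBEDTLS_VERSION_C), but that is an inference. A one-line header in the patch such as `libmbedtls on this target is built without the version module, so use the compile-time number` (adjusted to the real reason) would tell a future maintainer when the patch can be dropped.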
diff --git a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
deleted file mode 100644
index c7955c2..0000000
--- a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -1156,7 +1156,7 @@ const char *
- get_ssl_library_version(void)
- {
-     static char polar_version[30];
--    unsigned int pv = version_get_number();
-+    unsigned int pv = POLARSSL_VERSION_NUMBER;
-     sprintf( polar_version, "PolarSSL %d.%d.%d",
- 		(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
-     return polar_version;
diff --git a/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch b/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
deleted file mode 100644
index 2155a4c..0000000
--- a/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-openvpn: fix build without POLARSSL_DEBUG_C
-
-Backport of upstream master commit
-b63f98633dbe2ca92cd43fc6f8597ab283a600bf.
-
-Signed-off-by: Magnus Kroken <mkroken at gmail.com>
-
-From b63f98633dbe2ca92cd43fc6f8597ab283a600bf Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan at karger.me>
-Date: Tue, 14 Jun 2016 22:00:03 +0200
-Subject: [PATCH] mbedtls: don't set debug threshold if compiled without
- MBEDTLS_DEBUG_C
-
-For targets with space constraints, one might want to compile mbed TLS
-without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes.  Make
-sure OpenVPN still compiles if that is the case.
-
-Signed-off-by: Steffan Karger <steffan at karger.me>
-Acked-by: Gert Doering <gert at greenie.muc.de>
-Message-Id: <1465934403-22226-1-git-send-email-steffan at karger.me>
-URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -747,7 +747,9 @@ void key_state_ssl_init(struct key_state
-   if (polar_ok(ssl_init(ks_ssl->ctx)))
-     {
-       /* Initialise SSL context */
-+      #ifdef POLARSSL_DEBUG_C
-       debug_set_threshold(3);
-+      #endif
-       ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
-       ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);
diff --git a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
index eef4da2..96276d4 100644
--- a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
+++ b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/syshead.h
 +++ b/src/openvpn/syshead.h
-@@ -602,9 +602,7 @@ socket_defined (const socket_descriptor_
+@@ -589,9 +589,7 @@ socket_defined (const socket_descriptor_
  /*
   * Should we include OCC (options consistency check) code?
   */
diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
new file mode 100644
index 0000000..6719107
--- /dev/null
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
@@ -0,0 +1,41 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -1014,37 +1014,14 @@ dnl
+ AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
+ AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
+ if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
+-    AC_CHECKING([for LZ4 Library and Header files])
+-    havelz4lib=1
+
+-    # if LZ4_LIBS is set, we assume it will work, otherwise test
+-    if test -z "${LZ4_LIBS}"; then
+-	AC_CHECK_LIB(lz4, LZ4_compress,
+-	    [ LZ4_LIBS="-llz4" ],
+-	    [
+-	        AC_MSG_RESULT([LZ4 library not found.])
+-	        havelz4lib=0
+-	    ])
+-    fi
++    AC_MSG_RESULT([Using LZ4 library in src/compat/compat-lz4.*])
++    AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
++    LZ4_LIBS=""
+
+-    saved_CFLAGS="${CFLAGS}"
+-    CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
+-    AC_CHECK_HEADERS(lz4.h,
+-       ,
+-       [
+-	   AC_MSG_RESULT([LZ4 headers not found.])
+-	   havelz4lib=0
+-       ])
+-
+-    if test $havelz4lib = 0 ; then
+-	AC_MSG_RESULT([LZ4 library or header not found, using version in src/compat/compat-lz4.*])
+-	AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
+-	LZ4_LIBS=""
+-    fi
+     OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
+     OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
+     AC_DEFINE(ENABLE_LZ4, 1, [Enable LZ4 compression library])
+-    CFLAGS="${saved_CFLAGS}"
+ fi
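Review bot: The new configure.ac hunk unconditionally defines `NEED_COMPAT_LZ4` and empties `LZ4_LIBS`, so the build always uses the LZ4 copy vendored in src/compat/compat-lz4.* even when a system liblz4 would be available; that copy is then refreshed only when the openvpn tarball is, so a fix in a separate lz4 package never reaches this binary. The commit message does not say why the system library is bypassed (no liblz4 package in the tree, size, or avoiding a host-library pickup during configure); stating it in the patch header, e.g. `no liblz4 package is available here; always use the bundled copy so configure does not pick up a host library`, adjusted to the actual reason, lets a maintainer drop the patch once that reason goes away. Because the Makefile's new `--enable-lz4` switch is backed by Kconfig defaults of `y` for all three variants, the vendored copy becomes part of every openvpn package by default, which is worth a line in the commit message too.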
-- 
2.1.4



