Changeset 14001


Zeitstempel:
07.01.2017 23:03:06 (vor 11 Monaten)
Autor:
er13
Nachricht:

OpenVPN:

  • add preliminary support for OpenVPN 2.4.x (by me + some patches by MaxMuster)
  • compile-tested only
  • refs #2873
Ort:
trunk
Dateien:
3 hinzugefügt
4 bearbeitet
4 kopiert

  • trunk/CHANGELOG

    r14000 r14001  
    152152    * openssh 7.4p1 
    153153    * openssl 0.9.8zh/1.0.1u/1.0.2j 
    154     * openvpn 2.3.14 
     154    * openvpn 2.3.14/2.4.0 
    155155    * pcre 8.39 
    156156    * pcscd 1.8.12 
  • trunk/make/openvpn-cgi/files/root/usr/lib/cgi-bin/openvpn.cgi

    r13841 r14001  
    1212#   HASLZO=$(openvpn --version | grep -q LZO && echo true) 
    1313#else 
    14     HASBLOWFISH=$([ "$FREETZ_PACKAGE_OPENVPN_POLARSSL" != y -o "$FREETZ_LIB_libpolarssl13_WITH_BLOWFISH" == y ] && echo true) 
     14    HASBLOWFISH=$([ "$FREETZ_PACKAGE_OPENVPN_WITH_BLOWFISH" == y ] && echo true) 
    1515    HASLZO=$([ "$FREETZ_PACKAGE_OPENVPN_WITH_LZO" == y ] && echo true) 
    1616#fi 
  • trunk/make/openvpn/Config.in

    r13998 r14001  
    1515    bool "2.3.14" 
    1616 
    17 #   config FREETZ_PACKAGE_OPENVPN_VERSION_2_4 
    18 #   bool "2.4.0 - EXPERIMENTAL" 
     17    config FREETZ_PACKAGE_OPENVPN_VERSION_2_4 
     18    bool "2.4.0 - EXPERIMENTAL" 
    1919endchoice 
    2020 
     
    3232    config FREETZ_PACKAGE_OPENVPN_POLARSSL 
    3333        bool "PolarSSL" 
     34        depends on FREETZ_PACKAGE_OPENVPN_VERSION_2_3 
    3435        select FREETZ_LIB_libpolarssl13 if ! FREETZ_PACKAGE_OPENVPN_STATIC 
     36        help 
     37            Leads to smaller binaries, but lacks support for some openssl features. 
     38 
     39    config FREETZ_PACKAGE_OPENVPN_MBEDTLS 
     40        bool "mbed TLS" 
     41        depends on FREETZ_PACKAGE_OPENVPN_VERSION_2_4 
     42        select FREETZ_LIB_libmbedcrypto if ! FREETZ_PACKAGE_OPENVPN_STATIC 
     43        select FREETZ_LIB_libmbedtls    if ! FREETZ_PACKAGE_OPENVPN_STATIC 
     44        select FREETZ_LIB_libmbedx509   if ! FREETZ_PACKAGE_OPENVPN_STATIC 
    3545        help 
    3646            Leads to smaller binaries, but lacks support for some openssl features. 
     
    3848endchoice 
    3949 
    40 config FREETZ_PACKAGE_OPENVPN_POLARSSL_WITH_BLOWFISH 
    41     bool "Include cipher blowfish in PolarSSL" 
    42     depends on FREETZ_PACKAGE_OPENVPN && FREETZ_PACKAGE_OPENVPN_POLARSSL 
    43     select FREETZ_LIB_libpolarssl13_WITH_BLOWFISH 
     50config FREETZ_PACKAGE_OPENVPN_FORCE_BLOWFISH 
     51    bool "Include cipher blowfish in PolarSSL/mbedTLS" 
     52    depends on FREETZ_PACKAGE_OPENVPN && (FREETZ_PACKAGE_OPENVPN_POLARSSL || FREETZ_PACKAGE_OPENVPN_MBEDTLS) 
     53    select FREETZ_LIB_libpolarssl13_WITH_BLOWFISH if FREETZ_PACKAGE_OPENVPN_POLARSSL 
     54    select FREETZ_LIB_libmbedcrypto_WITH_BLOWFISH if FREETZ_PACKAGE_OPENVPN_MBEDTLS 
    4455    default n 
    4556    help 
    46         Compile PolarSSL with support for OpenVPN default cipher "blowfish" (BF-CBC). 
     57        Compile PolarSSL/mbedTLS with support for OpenVPN default cipher "blowfish" (BF-CBC). 
    4758        Library/Binary size will increase approx. 7k (uncompressed). 
     59 
     60config FREETZ_PACKAGE_OPENVPN_WITH_BLOWFISH 
     61    bool 
     62    depends on FREETZ_PACKAGE_OPENVPN_OPENSSL \ 
     63        || (FREETZ_PACKAGE_OPENVPN_POLARSSL && FREETZ_LIB_libpolarssl13_WITH_BLOWFISH) \ 
     64        || (FREETZ_PACKAGE_OPENVPN_MBEDTLS  && FREETZ_LIB_libmbedcrypto_WITH_BLOWFISH) 
     65    default y 
    4866 
    4967config FREETZ_PACKAGE_OPENVPN_STATIC 
     
    6583    bool "With traffic obfuscation" 
    6684    depends on FREETZ_PACKAGE_OPENVPN 
     85    depends on FREETZ_PACKAGE_OPENVPN_VERSION_2_3 
    6786    default n 
    6887    help 
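Review bot: The help text for FREETZ_PACKAGE_OPENVPN_FORCE_BLOWFISH (new line 57) still calls BF-CBC the "OpenVPN default cipher", which undersells the security situation: Blowfish is a 64-bit block cipher, the class affected by the SWEET32 birthday attack, and as far as I recall the 2.4 release that this option now also covers negotiates AES-256-GCM between 2.4 peers, leaving BF-CBC as a fallback for legacy or non-negotiating configurations only. A user reading "default" here will take it as a reason to enable the option rather than to move their configs to AES. I would reword the two help lines to `Compile PolarSSL/mbedTLS with support for BF-CBC, OpenVPN's legacy default cipher (64-bit blocks, see SWEET32).` and `Only needed for peers that still use "cipher BF-CBC"; prefer AES-GCM/AES-CBC in configs. Library/Binary size will increase approx. 7k (uncompressed).` The hidden FREETZ_PACKAGE_OPENVPN_WITH_BLOWFISH symbol below it correctly models OpenSSL as always providing Blowfish, so the CGI detection in openvpn.cgi stays consistent with this.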
  • trunk/make/openvpn/openvpn.mk

    r13998 r14001  
    1 $(call PKG_INIT_BIN, 2.3.14) 
     1$(call PKG_INIT_BIN, $(if $(FREETZ_PACKAGE_OPENVPN_VERSION_2_4),2.4.0,2.3.14)) 
    22$(PKG)_SOURCE_MD5_2.3.14:=70fc1e9c74ba2e6d7f7e320313dc3a7b 
     3$(PKG)_SOURCE_MD5_2.4.0 :=e49431542f065dd60a0181233927669e 
    34$(PKG)_SOURCE_MD5:=$($(PKG)_SOURCE_MD5_$($(PKG)_VERSION)) 
    45$(PKG)_SOURCE:=$(pkg)-$($(PKG)_VERSION).tar.xz 
     
    1011endif 
    1112 
     13ifeq ($(strip $(FREETZ_PACKAGE_OPENVPN_VERSION_2_3)),y) 
    1214$(PKG)_PATCH_POST_CMDS += $(call POLARSSL_HARDCODE_VERSION,13,configure include/*.h src/openvpn/*.h src/openvpn/*.c) 
     15endif 
    1316 
    1417$(PKG)_BINARY:=$($(PKG)_DIR)/src/openvpn/openvpn 
     
    1922$(PKG)_DEPENDS_ON += $(if $(FREETZ_PACKAGE_OPENVPN_OPENSSL),openssl) 
    2023$(PKG)_DEPENDS_ON += $(if $(FREETZ_PACKAGE_OPENVPN_POLARSSL),polarssl13) 
     24$(PKG)_DEPENDS_ON += $(if $(FREETZ_PACKAGE_OPENVPN_MBEDTLS),mbedtls) 
    2125$(PKG)_DEPENDS_ON += $(if $(FREETZ_PACKAGE_OPENVPN_WITH_LZO),lzo) 
    2226 
     
    2630$(PKG)_REBUILD_SUBOPTS += FREETZ_OPENSSL_SHLIB_VERSION 
    2731$(PKG)_REBUILD_SUBOPTS += FREETZ_PACKAGE_OPENVPN_POLARSSL 
     32$(PKG)_REBUILD_SUBOPTS += FREETZ_PACKAGE_OPENVPN_MBEDTLS 
    2833$(PKG)_REBUILD_SUBOPTS += FREETZ_PACKAGE_OPENVPN_WITH_LZO 
    2934$(PKG)_REBUILD_SUBOPTS += FREETZ_PACKAGE_OPENVPN_WITH_TRAFFIC_OBFUSCATION 
     
    3338$(PKG)_REBUILD_SUBOPTS += FREETZ_PACKAGE_OPENVPN_STATIC 
    3439$(PKG)_REBUILD_SUBOPTS += FREETZ_TARGET_IPV6_SUPPORT 
    35 $(PKG)_REBUILD_SUBOPTS += FREETZ_LIB_libpolarssl13_WITH_BLOWFISH 
     40$(PKG)_REBUILD_SUBOPTS += $(if $(FREETZ_PACKAGE_OPENVPN_POLARSSL),FREETZ_LIB_libpolarssl13_WITH_BLOWFISH) 
     41$(PKG)_REBUILD_SUBOPTS += $(if $(FREETZ_PACKAGE_OPENVPN_MBEDTLS),FREETZ_LIB_libmbedcrypto_WITH_BLOWFISH) 
    3642 
    3743$(PKG)_CONFIGURE_OPTIONS += --disable-http-proxy 
    3844$(PKG)_CONFIGURE_PRE_CMDS += $(call PKG_PREVENT_RPATH_HARDCODING,./configure) 
    3945$(PKG)_CONFIGURE_PRE_CMDS += $(call PKG_MAKE_AC_VARIABLES_PACKAGE_SPECIFIC,lib_polarssl_ssl_init lib_polarssl_aes_crypt_cbc) 
     46$(PKG)_CONFIGURE_PRE_CMDS += $(call PKG_MAKE_AC_VARIABLES_PACKAGE_SPECIFIC,lib_mbedtls_mbedtls_ssl_init) 
    4047 
    4148$(PKG)_CONFIGURE_PRE_CMDS += $(call PKG_MAKE_AC_VARIABLES_PACKAGE_SPECIFIC,path_IFCONFIG path_IPROUTE path_ROUTE) 
     
    6067$(PKG)_CONFIGURE_OPTIONS += --disable-pkcs11 
    6168$(PKG)_CONFIGURE_OPTIONS += --disable-socks 
     69$(PKG)_CONFIGURE_OPTIONS += $(if $(FREETZ_PACKAGE_OPENVPN_OPENSSL),--with-crypto-library=openssl) 
    6270$(PKG)_CONFIGURE_OPTIONS += $(if $(FREETZ_PACKAGE_OPENVPN_POLARSSL),--with-crypto-library=polarssl) 
     71$(PKG)_CONFIGURE_OPTIONS += $(if $(FREETZ_PACKAGE_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) 
    6372$(PKG)_CONFIGURE_OPTIONS += $(if $(FREETZ_PACKAGE_OPENVPN_USE_IPROUTE),--enable-iproute2) 
    6473$(PKG)_CONFIGURE_OPTIONS += $(if $(FREETZ_PACKAGE_OPENVPN_ENABLE_SMALL),--enable-small,--disable-small) 
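Review bot: The new 2.4.0 tarball is pinned only by an MD5 sum (`$(PKG)_SOURCE_MD5_2.4.0 :=e49431542f065dd60a0181233927669e`), and MD5 is no longer collision-resistant, so this is a weak supply-chain pin for a network-facing crypto daemon. If the Freetz package framework behind PKG_INIT_BIN (not visible here) supports a SHA-256 hash variable, prefer it for the new version; if it only supports MD5, at least record that the sum was checked against the upstream signed release, e.g. `# 2.4.0: md5 verified against upstream openvpn-2.4.0.tar.xz.asc`. Separately, the POLARSSL_HARDCODE_VERSION post-patch is now gated on FREETZ_PACKAGE_OPENVPN_VERSION_2_3 but not on FREETZ_PACKAGE_OPENVPN_POLARSSL; that matches the previous unconditional behaviour so it is not a regression, but a one-line comment on why it is version- rather than library-gated would help the next rebase.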
  • trunk/make/openvpn/patches/2.4/100-tun-tcp-inetd-nowait.patch

    r14000 r14001  
    11--- src/openvpn/mtcp.c 
    22+++ src/openvpn/mtcp.c 
    3 @@ -542,9 +542,23 @@ 
    4         */ 
    5        if (touched && IS_SIG (&touched->context)) 
    6     { 
    7 +     int exit_after_close = 0; 
     3@@ -625,11 +625,27 @@ 
     4              */ 
     5             if (touched && IS_SIG(&touched->context)) 
     6             { 
     7+                int exit_after_close = 0; 
    88+ 
    9 +     if (touched->context.c2.link_socket->inetd == INETD_NOWAIT) 
    10 +       { 
    11 +         exit_after_close = 1; 
    12 +       } 
     9+                if (touched->context.c2.link_socket->inetd == INETD_NOWAIT) 
     10+                { 
     11+                    exit_after_close = 1; 
     12+                } 
    1313+ 
    14       if (mi == touched) 
    15         mi = NULL; 
    16       multi_close_instance_on_signal (m, touched); 
     14                 if (mi == touched) 
     15                 { 
     16                     mi = NULL; 
     17                 } 
     18                 multi_close_instance_on_signal(m, touched); 
    1719+ 
    18 +     /* 
    19 +      * If this socket results from an inetd-nowait - connection 
    20 +      * it has to be the only one and we have to exit. 
    21 +      */ 
    22 +     if (exit_after_close) 
    23 +       m->top.sig->signal_received = SIGTERM; 
    24     } 
    25      } 
     20+                /* 
     21+                 * If this socket results from an inetd-nowait - connection 
     22+                 * it has to be the only one and we have to exit. 
     23+                 */ 
     24+                if (exit_after_close) 
     25+                { 
     26+                    m->top.sig->signal_received = SIGTERM; 
     27+                } 
     28             } 
     29         } 
    2630  
    2731--- src/openvpn/options.c 
    2832+++ src/openvpn/options.c 
    29 @@ -1881,8 +1881,10 @@ 
    30        ) 
    31      msg (M_USAGE, "--inetd nowait can only be used in TLS mode"); 
     33@@ -2065,10 +2065,12 @@ 
     34         msg(M_USAGE, "--inetd nowait can only be used in TLS mode"); 
     35     } 
    3236  
    3337+#if 0 
    34    if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP) 
    35      msg (M_USAGE, "--inetd nowait only makes sense in --dev tap mode"); 
     38     if (options->inetd == INETD_NOWAIT && dev != DEV_TYPE_TAP) 
     39     { 
     40         msg(M_USAGE, "--inetd nowait only makes sense in --dev tap mode"); 
     41     } 
    3642+#endif 
    3743  
    3844  
    39    if (options->lladdr && dev != DEV_TYPE_TAP) 
    40 @@ -2065,8 +2067,10 @@ 
    41  #endif 
    42        if (options->shaper) 
    43     msg (M_USAGE, "--shaper cannot be used with --mode server"); 
     45     if (options->lladdr && dev != DEV_TYPE_TAP) 
     46@@ -2298,10 +2300,12 @@ 
     47         { 
     48             msg(M_USAGE, "--shaper cannot be used with --mode server"); 
     49         } 
    4450+#if 0 
    45        if (options->inetd) 
    46     msg (M_USAGE, "--inetd cannot be used with --mode server"); 
     51         if (options->inetd) 
     52         { 
     53             msg(M_USAGE, "--inetd cannot be used with --mode server"); 
     54         } 
    4755+#endif 
    48        if (options->ipchange) 
    49     msg (M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)"); 
    50        if (!(proto_is_dgram(ce->proto) || ce->proto == PROTO_TCPv4_SERVER 
    51 @@ -2457,8 +2461,10 @@ 
    52     * In forking TCP server mode, you don't need to ifconfig 
    53     * the tap device (the assumption is that it will be bridged). 
    54     */ 
     56         if (options->ipchange) 
     57         { 
     58             msg(M_USAGE, "--ipchange cannot be used with --mode server (use --client-connect instead)"); 
     59@@ -2875,10 +2879,12 @@ 
     60      * In forking TCP server mode, you don't need to ifconfig 
     61      * the tap device (the assumption is that it will be bridged). 
     62      */ 
    5563+#if 0 
    56    if (options->inetd == INETD_NOWAIT) 
    57      options->ifconfig_noexec = true; 
     64     if (options->inetd == INETD_NOWAIT) 
     65     { 
     66         options->ifconfig_noexec = true; 
     67     } 
    5868+#endif 
    5969  
    60  #ifdef WIN32 
    61    if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined) 
     70 #ifdef _WIN32 
     71     if ((dev == DEV_TYPE_TUN || dev == DEV_TYPE_TAP) && !options->route_delay_defined) 
    6272--- src/openvpn/socket.c 
    6373+++ src/openvpn/socket.c 
    64 @@ -1428,7 +1428,9 @@ 
    65        ASSERT (sock->info.proto == PROTO_TCPv4_SERVER 
    66           || sock->info.proto == PROTO_TCPv6_SERVER 
    67          ); 
     74@@ -1783,7 +1783,9 @@ 
     75     { 
     76         ASSERT(accept_from); 
     77         ASSERT(sock->info.proto == PROTO_TCP_SERVER); 
    6878+#if 0 
    69        ASSERT (!sock->inetd); 
     79         ASSERT(!sock->inetd); 
    7080+#endif 
    71        sock->sd = accept_from->sd; 
     81         sock->sd = accept_from->sd; 
    7282     } 
    7383  
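Review bot: The `#if 0` blocks that drop upstream's sanity checks (the `--inetd nowait only makes sense in --dev tap mode` and `--inetd cannot be used with --mode server` usage errors, `ASSERT(!sock->inetd)` in socket.c, and the forced `ifconfig_noexec = true`) carry no explanation, so in the reindented 2.4 code a later rebaser cannot tell whether each was deliberately lifted for the tun+inetd-nowait use case or accidentally carried over. I would annotate each one, e.g. `#if 0 /* freetz: --inetd nowait is used with --dev tun and --mode server, see 100-tun-tcp-inetd-nowait.patch */`. In the mtcp.c hunk, `exit_after_close` is read from `touched->context.c2.link_socket->inetd` before `multi_close_instance_on_signal(m, touched)`; presumably that ordering exists because the close may free `touched`, and a one-line comment saying so would protect it from being "simplified" later. If `link_socket` can be NULL for an instance closed before link initialisation completes (I cannot tell from the hunk), that dereference needs a guard. The enclosing functions in mtcp.c, options.c and socket.c all start and end outside these hunks, and the commit states compile-tested only, so the inetd-nowait exit path has not been exercised on 2.4.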
  • trunk/make/openvpn/patches/2.4/110-omit_configure_params.patch

    r14000 r14001  
    11--- src/openvpn/options.c 
    22+++ src/openvpn/options.c 
    3 @@ -3540,7 +3540,7 @@ 
     3@@ -4144,7 +4144,7 @@ 
    44 #endif 
    5    msg (M_INFO|M_NOPREFIX, "Originally developed by James Yonan"); 
    6    msg (M_INFO|M_NOPREFIX, "Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net>"); 
     5     msg(M_INFO|M_NOPREFIX, "Originally developed by James Yonan"); 
     6     msg(M_INFO|M_NOPREFIX, "Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>"); 
    77-#ifndef ENABLE_SMALL 
    88+#if 0 
    99 #ifdef CONFIGURE_DEFINES 
    10    msg (M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES); 
     10     msg(M_INFO|M_NOPREFIX, "Compile time defines: %s", CONFIGURE_DEFINES); 
    1111 #endif 
     12 
  • trunk/make/openvpn/patches/2.4/200-no_in6addr_any_in_libc_without_IPv6_fix.patch

    r14000 r14001  
    11--- src/openvpn/pool.c 
    22+++ src/openvpn/pool.c 
    3 @@ -326,7 +326,7 @@ 
     3@@ -348,7 +348,7 @@ 
    44 static struct in6_addr 
    5  ifconfig_pool_handle_to_ipv6_base (const struct ifconfig_pool* pool, ifconfig_pool_handle hand) 
     5 ifconfig_pool_handle_to_ipv6_base(const struct ifconfig_pool *pool, ifconfig_pool_handle hand) 
    66 { 
    7 struct in6_addr ret = in6addr_any; 
    8 struct in6_addr ret = IN6ADDR_ANY_INIT; 
     7  struct in6_addr ret = in6addr_any; 
     8  struct in6_addr ret = IN6ADDR_ANY_INIT; 
    99  
    10    /* IPv6 pools are always INDIV (--linear) */ 
    11    if (hand >= 0 && hand < pool->size_ipv6 ) 
     10     /* IPv6 pools are always INDIV (--linear) */ 
     11     if (hand >= 0 && hand < pool->size_ipv6) 
    1212--- src/openvpn/socket.c 
    1313+++ src/openvpn/socket.c 
    14 @@ -1156,6 +1156,7 @@ 
    15     case AF_INET6: 
    16         { 
    17           int status; 
    18 +         static const struct in6_addr my_in6addr_any = IN6ADDR_ANY_INIT; 
    19           CLEAR(sock->info.lsa->local.addr.in6); 
    20           if (sock->local_host) 
    21         { 
    22 @@ -1171,7 +1172,7 @@ 
    23           else 
    24         { 
    25           sock->info.lsa->local.addr.in6.sin6_family = AF_INET6; 
    26 -         sock->info.lsa->local.addr.in6.sin6_addr = in6addr_any; 
    27 +         sock->info.lsa->local.addr.in6.sin6_addr = my_in6addr_any; 
    28           status = 0; 
    29         } 
    30           if (!status == 0) 
    31 @@ -1207,6 +1208,7 @@ 
     14@@ -2851,10 +2851,11 @@ 
     15 const char * 
     16 print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc) 
    3217 { 
    33    struct gc_arena gc = gc_new (); 
    34    int af; 
    35 +  static const struct in6_addr my_in6addr_any = IN6ADDR_ANY_INIT; 
     18+    static const struct in6_addr my_in6addr_any = IN6ADDR_ANY_INIT; 
     19     struct buffer out = alloc_buf_gc(64, gc); 
     20     char tmp_out_buf[64];       /* inet_ntop wants pointer to buffer */ 
    3621  
    37    if (!sock->did_resolve_remote) 
     22-    if (memcmp(&a6, &in6addr_any, sizeof(a6)) != 0 
     23+    if (memcmp(&a6, &my_in6addr_any, sizeof(a6)) != 0 
     24         || !(flags & IA_EMPTY_IF_UNDEF)) 
    3825     { 
    39 @@ -1223,7 +1225,7 @@ 
    40                case AF_INET6: 
    41                  CLEAR(sock->info.lsa->remote.addr.in6); 
    42                  sock->info.lsa->remote.addr.in6.sin6_family = AF_INET6; 
    43 -                sock->info.lsa->remote.addr.in6.sin6_addr = in6addr_any; 
    44 +                sock->info.lsa->remote.addr.in6.sin6_addr = my_in6addr_any; 
    45                  break; 
    46              } 
    47   
    48 @@ -2330,10 +2332,11 @@ 
    49  const char * 
    50  print_in6_addr (struct in6_addr a6, unsigned int flags, struct gc_arena *gc) 
    51  { 
    52 +  static const struct in6_addr my_in6addr_any = IN6ADDR_ANY_INIT; 
    53    struct buffer out = alloc_buf_gc (64, gc); 
    54    char tmp_out_buf[64];        /* inet_ntop wants pointer to buffer */ 
    55   
    56 -  if ( memcmp(&a6, &in6addr_any, sizeof(a6)) != 0 ||  
    57 +  if ( memcmp(&a6, &my_in6addr_any, sizeof(a6)) != 0 ||  
    58         !(flags & IA_EMPTY_IF_UNDEF)) 
    59      { 
    60        inet_ntop (AF_INET6, &a6, tmp_out_buf, sizeof(tmp_out_buf)-1); 
     26         inet_ntop(AF_INET6, &a6, tmp_out_buf, sizeof(tmp_out_buf)-1); 
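Review bot: The 2.4 version of this patch keeps only the `print_in6_addr()` hunk of socket.c, whereas the 2.3 version also replaced `in6addr_any` in the local-bind (`sock->info.lsa->local.addr.in6.sin6_addr = in6addr_any`) and remote-address paths; if 2.4's socket.c still references `in6addr_any` in those places, a build with FREETZ_TARGET_IPV6_SUPPORT disabled, which judging by the patch name is the case it exists for, will fail at link time. The commit says compile-tested only, so it is worth stating whether that test was done with IPv6 support off. A header comment in the patch file such as `# 2.4: socket.c bind/remote paths no longer use in6addr_any directly; only print_in6_addr() needs the static copy` would record why the hunks were dropped. The patched functions start and end outside the shown hunks.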
  • trunk/make/openvpn/patches/2.4/210-disable_epoll_poll_use_select.patch

    r14000 r14001  
    11--- configure 
    22+++ configure 
    3 @@ -14423,7 +14423,7 @@ 
     3@@ -14409,7 +14409,7 @@ 
    44    unistd.h signal.h libgen.h stropts.h \ 
    55    syslog.h pwd.h grp.h \ 
     
    1010 do : 
    1111   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` 
    12 @@ -14910,7 +14910,6 @@ 
     12@@ -14971,7 +14971,6 @@ 
    1313    ctime memset vsnprintf strdup \ 
    1414    setsid chdir putenv getpeername unlink \ 
     
    1818 do : 
    1919   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` 
    20 @@ -15191,7 +15190,7 @@ 
     20@@ -15304,7 +15303,7 @@ 
    2121 fi 
    2222 done 