diff --git a/package/libs/lzo/Makefile b/package/libs/lzo/Makefile index 6a88a6f384..b631759705 100644 --- a/package/libs/lzo/Makefile +++ b/package/libs/lzo/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006-2012 OpenWrt.org +# Copyright (C) 2006-2016 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lzo -PKG_VERSION:=2.08 +PKG_VERSION:=2.10 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=http://www.oberhumer.com/opensource/lzo/download/ -PKG_MD5SUM:=fcec64c26a0f4f4901468f360029678f +PKG_MD5SUM:=39d3f3f9c55c87b1e5d6888e1420f4b5 PKG_FIXUP:=autoreconf PKG_INSTALL:=1 diff --git a/package/libs/polarssl/Makefile b/package/libs/polarssl/Makefile index dc13679e41..8c6da9fa93 100644 --- a/package/libs/polarssl/Makefile +++ b/package/libs/polarssl/Makefile @@ -9,13 +9,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=polarssl SRC_PKG_NAME:=mbedtls -PKG_VERSION:=1.3.14 +PKG_VERSION:=1.3.17 PKG_RELEASE:=1 PKG_USE_MIPS16:=0 PKG_SOURCE:=$(SRC_PKG_NAME)-$(PKG_VERSION)-gpl.tgz -PKG_SOURCE_URL:=https://polarssl.org/download/ -PKG_MD5SUM:=869c7b5798b8769902880c7cf0212fed +PKG_SOURCE_URL:=https://tls.mbed.org/download/ +PKG_MD5SUM:=f5beb43e850283915e3e0f8d37495eade3bfb5beedfb61e7b8da70d4c68edb82 PKG_BUILD_DIR:=$(BUILD_DIR)/$(SRC_PKG_NAME)-$(PKG_VERSION) diff --git a/package/libs/polarssl/patches/100-disable_sslv3.patch b/package/libs/polarssl/patches/100-disable_sslv3.patch deleted file mode 100644 index 56c6c4d235..0000000000 --- a/package/libs/polarssl/patches/100-disable_sslv3.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/include/polarssl/config.h -+++ b/include/polarssl/config.h -@@ -1011,8 +1011,8 @@ - * POLARSSL_SHA1_C - * - * Comment this macro to disable support for SSL 3.0 -- */ - #define POLARSSL_SSL_PROTO_SSL3 -+ */ - - /** - * \def POLARSSL_SSL_PROTO_TLS1 
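Review bot: The new mbedtls `PKG_MD5SUM` is a 64-hex-digit value (SHA-256 length) stored in a variable named for MD5, while the lzo and openvpn hunks in this same diff still carry 32-digit MD5 sums; this only does what it looks like if the tree's download script selects the digest by length, otherwise the integrity check either fails or is silently skipped, so confirm that before merging and consider moving the other two packages to SHA-256 as well, since MD5 is collision-broken and gives weak supply-chain assurance for a TLS library and a VPN daemon. The same commit deletes `100-disable_sslv3.patch`; that is safe only if 1.3.17's shipped `config.h` leaves `POLARSSL_SSL_PROTO_SSL3` disabled (or `200-reduce_config.patch` now covers it), which nothing in this diff shows — a sentence in the commit message, e.g. `SSLv3 is disabled by default upstream since <version>, drop our patch`, would settle it.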
diff --git a/package/libs/polarssl/patches/200-reduce_config.patch b/package/libs/polarssl/patches/200-reduce_config.patch index 80b07ef93f..9e2734aa6c 100644 --- a/package/libs/polarssl/patches/200-reduce_config.patch +++ b/package/libs/polarssl/patches/200-reduce_config.patch @@ -100,7 +100,7 @@ /** * \def POLARSSL_SSL_AEAD_RANDOM_IV -@@ -1138,8 +1138,8 @@ +@@ -1151,8 +1151,8 @@ * Requires: POLARSSL_VERSION_C * * Comment this to disable run-time checking and save ROM space @@ -110,7 +110,7 @@ /** * \def POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3 -@@ -1457,8 +1457,8 @@ +@@ -1470,8 +1470,8 @@ * TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 * TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 * TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 @@ -120,7 +120,7 @@ /** * \def POLARSSL_CCM_C -@@ -1485,8 +1485,8 @@ +@@ -1498,8 +1498,8 @@ * Requires: POLARSSL_PEM_PARSE_C * * This module is used for testing (ssl_client/server). @@ -130,7 +130,7 @@ /** * \def POLARSSL_CIPHER_C -@@ -1525,8 +1525,8 @@ +@@ -1538,8 +1538,8 @@ * library/ssl_tls.c * * This module provides debugging functions. @@ -140,7 +140,7 @@ /** * \def POLARSSL_DES_C -@@ -1581,8 +1581,8 @@ +@@ -1594,8 +1594,8 @@ * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK * * Requires: POLARSSL_ECP_C @@ -150,7 +150,7 @@ /** * \def POLARSSL_ECDSA_C -@@ -1596,8 +1596,8 @@ +@@ -1609,8 +1609,8 @@ * ECDHE-ECDSA * * Requires: POLARSSL_ECP_C, POLARSSL_ASN1_WRITE_C, POLARSSL_ASN1_PARSE_C @@ -160,7 +160,7 @@ /** * \def POLARSSL_ECP_C -@@ -1609,8 +1609,8 @@ +@@ -1622,8 +1622,8 @@ * library/ecdsa.c * * Requires: POLARSSL_BIGNUM_C and at least one POLARSSL_ECP_DP_XXX_ENABLED @@ -170,17 +170,7 @@ /** * \def POLARSSL_ENTROPY_C -@@ -1649,8 +1649,8 @@ - * - * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other - * requisites are enabled as well. -- */ - #define POLARSSL_GCM_C -+ */ - - /** - * \def POLARSSL_HAVEGE_C -@@ -1686,8 +1686,8 @@ +@@ -1699,8 +1699,8 @@ * Requires: POLARSSL_MD_C * * Uncomment to enable the HMAC_DRBG random number geerator. 
@@ -190,7 +180,7 @@ /** * \def POLARSSL_MD_C -@@ -1813,8 +1813,8 @@ +@@ -1826,8 +1826,8 @@ * Requires: POLARSSL_HAVE_ASM * * This modules adds support for the VIA PadLock on x86. @@ -200,7 +190,7 @@ /** * \def POLARSSL_PBKDF2_C -@@ -1979,8 +1979,8 @@ +@@ -1992,8 +1992,8 @@ * Module: library/ripemd160.c * Caller: library/md.c * @@ -210,7 +200,7 @@ /** * \def POLARSSL_RSA_C -@@ -2059,8 +2059,8 @@ +@@ -2072,8 +2072,8 @@ * Caller: * * Requires: POLARSSL_SSL_CACHE_C @@ -220,7 +210,7 @@ /** * \def POLARSSL_SSL_CLI_C -@@ -2136,8 +2136,8 @@ +@@ -2149,8 +2149,8 @@ * Caller: library/havege.c * * This module is used by the HAVEGE random number generator. @@ -230,7 +220,7 @@ /** * \def POLARSSL_VERSION_C -@@ -2147,8 +2147,8 @@ +@@ -2160,8 +2160,8 @@ * Module: library/version.c * * This module provides run-time version information. @@ -240,7 +230,7 @@ /** * \def POLARSSL_X509_USE_C -@@ -2257,8 +2257,8 @@ +@@ -2270,8 +2270,8 @@ * * Module: library/xtea.c * Caller: diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index 81d800719a..d3158b5952 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile @@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.3.6 -PKG_RELEASE:=5 +PKG_VERSION:=2.3.18 +PKG_RELEASE:=1 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_MD5SUM:=6ca03fe0fd093e0d01601abee808835c +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +PKG_MD5SUM:=844ec9c64aae62051478784b8562f881 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION) 
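Review bot: Dropping the `-@@ -1649,8 +1649,8 @@` hunk that commented out `#define POLARSSL_GCM_C` is a behavioural change hidden inside a line-number refresh: the reduced config now builds with GCM enabled, so AES-GCM/CAMELLIA-GCM ciphersuites become negotiable and the library grows accordingly. If that is intentional (a consumer such as openvpn needing GCM suites), say so in the commit message; if it fell out of re-diffing, the hunk should be restored at its shifted offset. Every other hunk here only moves offsets by 13 lines, consistent with upstream's `config.h` having grown, and the remaining reductions (no debug, no ECDH/ECDSA, no cert test data) are unchanged.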
@@ -72,15 +72,13 @@ define Build/Configure
 		--disable-systemd \
 		--disable-plugins \
 		--disable-debug \
-		--disable-eurephia \
 		--disable-pkcs11 \
-		--enable-password-save \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SOCKS),--enable,--disable)-socks \
-		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http \
+		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http-proxy \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
 		$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
diff --git a/package/network/services/openvpn/files/openvpn.init b/package/network/services/openvpn/files/openvpn.init
index 861d0d62b3..0fcdc7eea0 100644
--- a/package/network/services/openvpn/files/openvpn.init
+++ b/package/network/services/openvpn/files/openvpn.init
@@ -42,7 +42,8 @@ append_params() {
 		config_get v "$s" "$p"
 		IFS="$LIST_SEP"
 		for v in $v; do
-			[ -n "$v" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
+			[ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
+			[ -n "$v" ] && [ "$p" == "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
 		done
 		unset IFS
 	done
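Review bot: Removing `--enable-password-save` changes runtime behaviour unless 2.3.18's configure no longer knows the option: as I recall the 2.3 series, without it OpenVPN refuses `--auth-user-pass file` and `--askpass file` ("cannot be read from a file"), and the init script below still wires those options up via `auth_user_pass`/`askpass`, so existing UCI configs could stop starting; verify against 2.3.18's `configure.ac` and state the reason in the commit message. Unrelated but visible in context, the `ENABLE_X509_ALT_USERNAME` line expands to `enable-ssl` or `disable-x509-alt-username-ssl` with no `--` prefix, so it can never select the intended option; it should read `$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \`. The enclosing `define Build/Configure` starts and ends outside the hunk.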
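Review bot: The second new line uses `==` inside `[ ]`, which is a bashism; OpenWrt init scripts run under BusyBox ash, and even if BusyBox's `test` accepts it, the POSIX form `=` costs nothing, and the `!=`/`==` pair evaluates `[ -n "$v" ]` and the `push` comparison twice per value where one branch would do. The quoting also only wraps the value in double quotes: a `push` value that itself contains `"` yields a malformed line in `/var/etc/openvpn-$s.conf`, which OpenVPN then parses with its own quoting rules, so either document the limitation or reject such values. The `for p` loop and `append_params` itself begin outside the hunk.

```shell
		for v in $v; do
			[ -n "$v" ] || continue
			append_param "$s" "$p" || continue
			# push takes its whole option list as one quoted argument
			if [ "$p" = "push" ]; then
				echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
			else
				echo " $v" >> "/var/etc/openvpn-$s.conf"
			fi
		done
```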
@@ -107,7 +108,7 @@ start_instance() {
 
 	# append params
 	append_params "$s" \
-		cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert \
+		cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert capath \
 		chroot cipher client_config_dir client_connect client_disconnect comp_lzo connect_freq \
 		connect_retry connect_timeout connect_retry_max crl_verify dev dev_node dev_type dh \
 		echo engine explicit_exit_notify fragment group hand_window hash_size \
@@ -120,10 +121,11 @@ start_instance() {
 		redirect_gateway remap_usr1 remote remote_cert_eku remote_cert_ku remote_cert_tls \
 		reneg_bytes reneg_pkts reneg_sec \
 		replay_persist replay_window resolv_retry route route_delay route_gateway \
-		route_metric route_up rport script_security secret server server_bridge setenv shaper sndbuf \
-		socks_proxy status status_version syslog tcp_queue_limit tls_auth \
+		route_metric route_pre_down route_up rport script_security secret server server_bridge setenv shaper sndbuf \
+		socks_proxy status status_version syslog tcp_queue_limit tls_auth tls_version_min \
 		tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \
 		tun_mtu tun_mtu_extra txqueuelen user verb down push up \
+		verify_x509_name x509_username_field \
 		ifconfig_ipv6 route_ipv6 server_ipv6 ifconfig_ipv6_pool ifconfig_ipv6_push iroute_ipv6
 
 	openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf"
@@ -152,3 +154,7 @@ start_service() {
 	fi
 	done
 }
+
+service_triggers() {
+	procd_add_reload_trigger openvpn
+}
diff --git a/package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch b/package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch
deleted file mode 100644
index af445e3bc8..0000000000
--- a/package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch
+++ /dev/null
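Review bot: The option list now exposes both the added `verify_x509_name` and the older `tls_remote`; as documented upstream for 2.3, `--tls-remote` is deprecated and also matches a common-name prefix, so a config carrying only `tls_remote` is weaker than it reads. A comment beside the list, e.g. `# tls_remote is deprecated upstream (prefix match); prefer verify_x509_name`, would steer users, and the init could log a warning when `tls_remote` is set without `verify_x509_name`. `service_triggers` looks fine; `start_instance` begins outside the hunk.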
@@ -1,57 +0,0 @@ -commit 98156e90e1e83133a6a6a020db8e7333ada6156b -Author: Steffan Karger -Date: Tue Dec 2 21:42:00 2014 +0100 - - Really fix '--cipher none' regression - - ... by not incorrectly hinting to the compiler the function argument of - cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the - case. - - Verified the fix on Debian Wheezy, one of the platforms the reporter in - trac #473 mentions with a compiler that would optimize out the required - checks. - - Also add a testcase for --cipher none to t_lpback, to prevent further - regressions. - - Signed-off-by: Steffan Karger - Acked-by: Gert Doering - Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me> - URL: http://article.gmane.org/gmane.network.openvpn.devel/9300 - Signed-off-by: Gert Doering - ---- a/src/openvpn/crypto_backend.h -+++ b/src/openvpn/crypto_backend.h -@@ -237,8 +237,7 @@ int cipher_kt_mode (const cipher_kt_t *c - * - * @return true iff the cipher is a CBC mode cipher. - */ --bool cipher_kt_mode_cbc(const cipher_kt_t *cipher) -- __attribute__((nonnull)); -+bool cipher_kt_mode_cbc(const cipher_kt_t *cipher); - - /** - * Check if the supplied cipher is a supported OFB or CFB mode cipher. -@@ -247,8 +246,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_ - * - * @return true iff the cipher is a OFB or CFB mode cipher. - */ --bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) -- __attribute__((nonnull)); -+bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher); - - - /** ---- a/tests/t_lpback.sh -+++ b/tests/t_lpback.sh -@@ -35,6 +35,9 @@ CIPHERS=$(${top_builddir}/src/openvpn/op - # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5) - CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' ) - -+# Also test cipher 'none' -+CIPHERS=${CIPHERS}$(printf "\nnone") -+ - "${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$ - set +e - 
diff --git a/package/network/services/openvpn/patches/130-polarssl-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
similarity index 91%
rename from package/network/services/openvpn/patches/130-polarssl-disable-runtime-version-check.patch
rename to package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
index c97e9f26af..c7955c2460 100644
--- a/package/network/services/openvpn/patches/130-polarssl-disable-runtime-version-check.patch
+++ b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_polarssl.c
 +++ b/src/openvpn/ssl_polarssl.c
-@@ -1119,7 +1119,7 @@ const char *
+@@ -1156,7 +1156,7 @@ const char *
  get_ssl_library_version(void)
  {
    static char polar_version[30];
diff --git a/package/network/services/openvpn/patches/100-polarssl_compat.h b/package/network/services/openvpn/patches/100-polarssl_compat.h
deleted file mode 100644
index 4def9670f0..0000000000
--- a/package/network/services/openvpn/patches/100-polarssl_compat.h
+++ /dev/null
@@ -1,257 +0,0 @@ ---- a/src/openvpn/ssl_polarssl.h -+++ b/src/openvpn/ssl_polarssl.h -@@ -38,6 +38,8 @@ - #include - #endif - -+#include -+ - typedef struct _buffer_entry buffer_entry; - - struct _buffer_entry { ---- a/src/openvpn/ssl_polarssl.c -+++ b/src/openvpn/ssl_polarssl.c -@@ -46,7 +46,7 @@ - #include "manage.h" - #include "ssl_common.h" - --#include -+#include - #include - - #include "ssl_verify_polarssl.h" -@@ -212,13 +212,13 @@ tls_ctx_load_dh_params (struct tls_root_ - { - if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline) - { -- if (0 != x509parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline, -+ if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline, - strlen(dh_inline))) - msg (M_FATAL, "Cannot read inline DH parameters"); - } - else - { -- if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file)) -+ if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file)) - msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file); - } - -@@ -253,13 +253,13 @@ tls_ctx_load_cert_file (struct tls_root_ - - if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline) - { -- if (0 != x509parse_crt(ctx->crt_chain, -+ if (0 != x509_crt_parse(ctx->crt_chain, - (const unsigned char *) cert_inline, strlen(cert_inline))) - msg (M_FATAL, "Cannot load inline certificate file"); - } - else - { -- if (0 != x509parse_crtfile(ctx->crt_chain, cert_file)) -+ if (0 != x509_crt_parse_file(ctx->crt_chain, cert_file)) - msg (M_FATAL, "Cannot load certificate file %s", cert_file); - } - } -@@ -277,7 +277,7 @@ tls_ctx_load_priv_file (struct tls_root_ - status = x509parse_key(ctx->priv_key, - (const unsigned char *) priv_key_inline, strlen(priv_key_inline), - NULL, 0); -- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status) -+ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status) - { - char passbuf[512] = {0}; - pem_password_callback(passbuf, 512, 0, NULL); -@@ -289,7 +289,7 @@ tls_ctx_load_priv_file (struct tls_root_ - else - { - status = x509parse_keyfile(ctx->priv_key, 
priv_key_file, NULL); -- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status) -+ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status) - { - char passbuf[512] = {0}; - pem_password_callback(passbuf, 512, 0, NULL); -@@ -480,14 +480,14 @@ void tls_ctx_load_ca (struct tls_root_ct - - if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline) - { -- if (0 != x509parse_crt(ctx->ca_chain, (const unsigned char *) ca_inline, -+ if (0 != x509_crt_parse(ctx->ca_chain, (const unsigned char *) ca_inline, - strlen(ca_inline))) - msg (M_FATAL, "Cannot load inline CA certificates"); - } - else - { - /* Load CA file for verifying peer supplied certificate */ -- if (0 != x509parse_crtfile(ctx->ca_chain, ca_file)) -+ if (0 != x509_crt_parse_file(ctx->ca_chain, ca_file)) - msg (M_FATAL, "Cannot load CA certificate file %s", ca_file); - } - } -@@ -501,14 +501,14 @@ tls_ctx_load_extra_certs (struct tls_roo - - if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline) - { -- if (0 != x509parse_crt(ctx->crt_chain, -+ if (0 != x509_crt_parse(ctx->crt_chain, - (const unsigned char *) extra_certs_inline, - strlen(extra_certs_inline))) - msg (M_FATAL, "Cannot load inline extra-certs file"); - } - else - { -- if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file)) -+ if (0 != x509_crt_parse_file(ctx->crt_chain, extra_certs_file)) - msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file); - } - } -@@ -724,7 +724,7 @@ void key_state_ssl_init(struct key_state - external_key_len ); - else - #endif -- ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key ); -+ ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key ); - - /* Initialise SSL verification */ - #if P2MP_SERVER -@@ -1068,7 +1068,7 @@ print_details (struct key_state_ssl * ks - cert = ssl_get_peer_cert(ks_ssl->ctx); - if (cert != NULL) - { -- openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8); -+ openvpn_snprintf (s2, sizeof 
(s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8); - } - - msg (D_HANDSHAKE, "%s%s", s1, s2); ---- a/src/openvpn/crypto_polarssl.c -+++ b/src/openvpn/crypto_polarssl.c -@@ -487,7 +487,12 @@ cipher_ctx_get_cipher_kt (const cipher_c - - int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf) - { -- return 0 == cipher_reset(ctx, iv_buf); -+ int retval = cipher_reset(ctx); -+ -+ if (0 == retval) -+ cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size); -+ -+ return 0 == retval; - } - - int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len, ---- a/src/openvpn/ssl_verify_polarssl.h -+++ b/src/openvpn/ssl_verify_polarssl.h -@@ -34,6 +34,7 @@ - #include "misc.h" - #include "manage.h" - #include -+#include - - #ifndef __OPENVPN_X509_CERT_T_DECLARED - #define __OPENVPN_X509_CERT_T_DECLARED ---- a/src/openvpn/ssl_verify_polarssl.c -+++ b/src/openvpn/ssl_verify_polarssl.c -@@ -40,6 +40,7 @@ - #include "ssl_verify.h" - #include - #include -+#include - #include - - #define MAX_SUBJECT_LENGTH 256 -@@ -102,7 +103,7 @@ x509_get_username (char *cn, int cn_len, - /* Find common name */ - while( name != NULL ) - { -- if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0) -+ if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0) - break; - - name = name->next; -@@ -224,60 +225,18 @@ x509_setenv (struct env_set *es, int cer - while( name != NULL ) - { - char name_expand[64+8]; -+ const char *shortname; - -- if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 ) -+ if( 0 == oid_get_attr_short_name(&name->oid, &shortname) ) - { -- switch( name->oid.p[2] ) -- { -- case X520_COMMON_NAME: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN", -- cert_depth); break; -- -- case X520_COUNTRY: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C", -- cert_depth); break; -- -- case X520_LOCALITY: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L", -- cert_depth); break; -- -- 
case X520_STATE: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST", -- cert_depth); break; -- -- case X520_ORGANIZATION: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O", -- cert_depth); break; -- -- case X520_ORG_UNIT: -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU", -- cert_depth); break; -- -- default: -- openvpn_snprintf (name_expand, sizeof(name_expand), -- "X509_%d_0x%02X", cert_depth, name->oid.p[2]); -- break; -- } -+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s", -+ cert_depth, shortname); -+ } -+ else -+ { -+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?", -+ cert_depth); - } -- else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 ) -- { -- switch( name->oid.p[8] ) -- { -- case PKCS9_EMAIL: -- openvpn_snprintf (name_expand, sizeof(name_expand), -- "X509_%d_emailAddress", cert_depth); break; -- -- default: -- openvpn_snprintf (name_expand, sizeof(name_expand), -- "X509_%d_0x%02X", cert_depth, name->oid.p[8]); -- break; -- } -- } -- else -- { -- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?", -- cert_depth); -- } - - for( i = 0; i < name->val.len; i++ ) - { ---- a/configure.ac -+++ b/configure.ac -@@ -819,13 +819,13 @@ if test "${with_crypto_library}" = "pola - #include - ]], - [[ --#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000 -+#if POLARSSL_VERSION_NUMBER < 0x01030000 - #error invalid version - #endif - ]] - )], - [AC_MSG_RESULT([ok])], -- [AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])] -+ [AC_MSG_ERROR([PolarSSL 1.3.x required])] - ) - - polarssl_with_pkcs11="no" diff --git a/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch b/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch new file mode 100644 index 0000000000..2155a4c79b --- /dev/null 
+++ b/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch @@ -0,0 +1,33 @@ +openvpn: fix build without POLARSSL_DEBUG_C + +Backport of upstream master commit +b63f98633dbe2ca92cd43fc6f8597ab283a600bf. + +Signed-off-by: Magnus Kroken + +From b63f98633dbe2ca92cd43fc6f8597ab283a600bf Mon Sep 17 00:00:00 2001 +From: Steffan Karger +Date: Tue, 14 Jun 2016 22:00:03 +0200 +Subject: [PATCH] mbedtls: don't set debug threshold if compiled without + MBEDTLS_DEBUG_C + +For targets with space constraints, one might want to compile mbed TLS +without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes. Make +sure OpenVPN still compiles if that is the case. + +Signed-off-by: Steffan Karger +Acked-by: Gert Doering +Message-Id: <1465934403-22226-1-git-send-email-steffan@karger.me> +URL: http://article.gmane.org/gmane.network.openvpn.devel/11922 +Signed-off-by: Gert Doering +--- a/src/openvpn/ssl_polarssl.c ++++ b/src/openvpn/ssl_polarssl.c +@@ -747,7 +747,9 @@ void key_state_ssl_init(struct key_state + if (polar_ok(ssl_init(ks_ssl->ctx))) + { + /* Initialise SSL context */ ++ #ifdef POLARSSL_DEBUG_C + debug_set_threshold(3); ++ #endif + ssl_set_dbg (ks_ssl->ctx, my_debug, NULL); + ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint); diff --git a/package/network/services/openvpn/patches/110-musl_compat.patch b/package/network/services/openvpn/patches/110-musl_compat.patch deleted file mode 100644 index 566c17f062..0000000000 --- a/package/network/services/openvpn/patches/110-musl_compat.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- a/src/openvpn/syshead.h -+++ b/src/openvpn/syshead.h -@@ -214,10 +214,6 @@ - - #ifdef TARGET_LINUX - --#if defined(HAVE_NETINET_IF_ETHER_H) --#include --#endif -- - #ifdef HAVE_LINUX_IF_TUN_H - #include - #endif 
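Review bot: The guard fixes the build break but leaves `debug_set_threshold(3)` as an unexplained magic number that is re-applied on every `key_state_ssl_init` call; in PolarSSL 1.3 the threshold is, as far as I recall, library-global, and level 3 is verbose enough that handshake internals (presumably including key-material dumps at that level) reach `my_debug`, so that callback must keep filtering by OpenVPN's own verbosity — `my_debug` is outside this hunk, so confirm. A comment such as `/* library-global; level 3 = informational, my_debug gates on --verb */` above the `#ifdef` would capture that. `ssl_set_dbg` stays unguarded, which is fine if 1.3's `ssl.h` declares it independently of `POLARSSL_DEBUG_C`; the patch header should also note that `POLARSSL_DEBUG_C` is the 1.3 name of upstream's `MBEDTLS_DEBUG_C`, since the hunk deliberately differs from the quoted commit.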
diff --git a/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch b/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch deleted file mode 100644 index 9e1511b6b6..0000000000 --- a/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch +++ /dev/null @@ -1,16 +0,0 @@ -Index: openvpn-2.3.6/src/openvpn/ssl_polarssl.c -=================================================================== ---- openvpn-2.3.6.orig/src/openvpn/ssl_polarssl.c -+++ openvpn-2.3.6/src/openvpn/ssl_polarssl.c -@@ -707,6 +707,11 @@ void key_state_ssl_init(struct key_state - if (ssl_ctx->allowed_ciphers) - ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers); - -+ /* Disable record splitting (breaks current ssl handling) */ -+#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING) -+ ssl_set_cbc_record_splitting (ks_ssl->ctx, SSL_CBC_RECORD_SPLITTING_DISABLED); -+#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */ -+ - /* Initialise authentication information */ - if (is_server) - ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx ); diff --git a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch new file mode 100644 index 0000000000..eef4da2d26 --- /dev/null +++ b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch @@ -0,0 +1,12 @@ +--- a/src/openvpn/syshead.h ++++ b/src/openvpn/syshead.h +@@ -602,9 +602,7 @@ socket_defined (const socket_descriptor_ + /* + * Should we include OCC (options consistency check) code? + */ +-#ifndef ENABLE_SMALL + #define ENABLE_OCC +-#endif + + /* + * Should we include NTLM proxy functionality
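Review bot: `200-small_build_enable_occ.patch` carries no description, unlike `101-…` above, so a reader cannot tell why OCC is now compiled into `ENABLE_SMALL` builds; add a header stating the motivation (which 2.3.18 behaviour or option needs the options-consistency exchange) and a reference. That header should also say that, as I understand OCC, each side sends its option string to the peer over the established control channel — a mild information exposure, but only to an already-authenticated peer — and that `#define ENABLE_OCC` is now unconditional for every variant. The deletion of `120-polarssl-disable-record-splitting.patch` in the same diff assumes 2.3.18 itself handles or disables CBC record splitting; one line in the commit message saying which would close the loop.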