OpenVPN 2.4 builds with mbedTLS 2.x; rename the openvpn-polarssl variant to openvpn-mbedtls. Some feature highlights: * Data channel cipher negotiation * AEAD cipher support for data channel encryption (currently only AES-GCM) * ECDH key exchange for control channel * LZ4 compression support. See https://github.com/OpenVPN/openvpn/blob/master/Changes.rst for additional change notes. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
parent
f67867adb0
commit
13592c1454
@ -1,62 +1,66 @@ |
||||
if PACKAGE_openvpn-polarssl |
||||
if PACKAGE_openvpn-mbedtls |
||||
|
||||
config OPENVPN_polarssl_ENABLE_LZO |
||||
config OPENVPN_mbedtls_ENABLE_LZO |
||||
bool "Enable LZO compression support" |
||||
default y |
||||
|
||||
config OPENVPN_polarssl_ENABLE_X509_ALT_USERNAME |
||||
config OPENVPN_mbedtls_ENABLE_LZ4 |
||||
bool "Enable LZ4 compression support" |
||||
default y |
||||
|
||||
config OPENVPN_mbedtls_ENABLE_X509_ALT_USERNAME |
||||
bool "Enable the --x509-username-field feature" |
||||
default n |
||||
|
||||
config OPENVPN_polarssl_ENABLE_SERVER |
||||
config OPENVPN_mbedtls_ENABLE_SERVER |
||||
bool "Enable server support (otherwise only client mode is support)" |
||||
default y |
||||
|
||||
#config OPENVPN_polarssl_ENABLE_EUREPHIA |
||||
#config OPENVPN_mbedtls_ENABLE_EUREPHIA |
||||
# bool "Enable support for the eurephia plug-in" |
||||
# default n |
||||
|
||||
config OPENVPN_polarssl_ENABLE_MANAGEMENT |
||||
config OPENVPN_mbedtls_ENABLE_MANAGEMENT |
||||
bool "Enable management server support" |
||||
default n |
||||
|
||||
#config OPENVPN_polarssl_ENABLE_PKCS11 |
||||
#config OPENVPN_mbedtls_ENABLE_PKCS11 |
||||
# bool "Enable pkcs11 support" |
||||
# default n |
||||
|
||||
config OPENVPN_polarssl_ENABLE_HTTP |
||||
config OPENVPN_mbedtls_ENABLE_HTTP |
||||
bool "Enable HTTP proxy support" |
||||
default y |
||||
|
||||
config OPENVPN_polarssl_ENABLE_SOCKS |
||||
config OPENVPN_mbedtls_ENABLE_SOCKS |
||||
bool "Enable SOCKS proxy support" |
||||
default y |
||||
|
||||
config OPENVPN_polarssl_ENABLE_FRAGMENT |
||||
config OPENVPN_mbedtls_ENABLE_FRAGMENT |
||||
bool "Enable internal fragmentation support (--fragment)" |
||||
default y |
||||
|
||||
config OPENVPN_polarssl_ENABLE_MULTIHOME |
||||
config OPENVPN_mbedtls_ENABLE_MULTIHOME |
||||
bool "Enable multi-homed UDP server support (--multihome)" |
||||
default y |
||||
|
||||
config OPENVPN_polarssl_ENABLE_PORT_SHARE |
||||
config OPENVPN_mbedtls_ENABLE_PORT_SHARE |
||||
bool "Enable TCP server port-share support (--port-share)" |
||||
default y |
||||
|
||||
config OPENVPN_polarssl_ENABLE_DEF_AUTH |
||||
config OPENVPN_mbedtls_ENABLE_DEF_AUTH |
||||
bool "Enable deferred authentication" |
||||
default y |
||||
|
||||
config OPENVPN_polarssl_ENABLE_PF |
||||
config OPENVPN_mbedtls_ENABLE_PF |
||||
bool "Enable internal packet filter" |
||||
default y |
||||
|
||||
config OPENVPN_polarssl_ENABLE_IPROUTE2 |
||||
config OPENVPN_mbedtls_ENABLE_IPROUTE2 |
||||
bool "Enable support for iproute2" |
||||
default n |
||||
|
||||
config OPENVPN_polarssl_ENABLE_SMALL |
||||
config OPENVPN_mbedtls_ENABLE_SMALL |
||||
bool "Enable size optimization" |
||||
default y |
||||
help |
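Review bot: The new `config OPENVPN_mbedtls_ENABLE_LZ4` entry defaults to y but, like its neighbours, has no help text, and what it pulls in is not obvious: the configure.ac patch added further down in this same commit always compiles the vendored copy in src/compat/compat-lz4.* instead of linking the system liblz4. Packagers weighing `default y` on space-constrained targets would want that stated, so I would add under the entry a `help` block along the lines of `Build with LZ4 data-channel compression. OpenVPN's bundled LZ4 copy (src/compat/) is compiled in; the system liblz4 package is not used.` This presumes the option maps to OpenVPN's --enable-lz4 configure switch in the package Makefile, which is not on this page — confirm. The renamed `#config OPENVPN_mbedtls_ENABLE_EUREPHIA` and `#config OPENVPN_mbedtls_ENABLE_PKCS11` stanzas stay commented out, so the rename there is dead text; dropping them or noting why they are kept would avoid future confusion.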
@ -0,0 +1,11 @@ |
||||
--- a/src/openvpn/ssl_mbedtls.c
|
||||
+++ b/src/openvpn/ssl_mbedtls.c
|
||||
@@ -1333,7 +1333,7 @@ const char *
|
||||
get_ssl_library_version(void)
|
||||
{
|
||||
static char mbedtls_version[30];
|
||||
- unsigned int pv = mbedtls_version_get_number();
|
||||
+ unsigned int pv = MBEDTLS_VERSION_NUMBER;
|
||||
sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
|
||||
(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
|
||||
return mbedtls_version;
|
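Review bot: The added patch makes get_ssl_library_version() format `MBEDTLS_VERSION_NUMBER`, a header constant fixed at compile time, where the replaced `mbedtls_version_get_number()` was a runtime query; when OpenVPN is dynamically linked and the mbed TLS shared object is later upgraded independently, the reported "mbed TLS x.y.z" will no longer match the library actually loaded, which matters when triaging a crypto-library advisory against a running box. This is presumably deliberate because the target's mbed TLS build omits the runtime version API — confirm — but the patch should record that, e.g. a comment above the changed line: `/* Compile-time header version; the runtime mbedtls_version_get_number() is not available in this mbed TLS build */`. Minor: the masked `(pv>>24)&0xff` operands are unsigned int but printed with `%d`; `%u` would match. The closing brace of get_ssl_library_version() is outside the hunk.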
@ -1,11 +0,0 @@ |
||||
--- a/src/openvpn/ssl_polarssl.c
|
||||
+++ b/src/openvpn/ssl_polarssl.c
|
||||
@@ -1156,7 +1156,7 @@ const char *
|
||||
get_ssl_library_version(void)
|
||||
{
|
||||
static char polar_version[30];
|
||||
- unsigned int pv = version_get_number();
|
||||
+ unsigned int pv = POLARSSL_VERSION_NUMBER;
|
||||
sprintf( polar_version, "PolarSSL %d.%d.%d",
|
||||
(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
|
||||
return polar_version;
|
@ -1,33 +0,0 @@ |
||||
openvpn: fix build without POLARSSL_DEBUG_C
|
||||
|
||||
Backport of upstream master commit
|
||||
b63f98633dbe2ca92cd43fc6f8597ab283a600bf.
|
||||
|
||||
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
|
||||
|
||||
From b63f98633dbe2ca92cd43fc6f8597ab283a600bf Mon Sep 17 00:00:00 2001
|
||||
From: Steffan Karger <steffan@karger.me>
|
||||
Date: Tue, 14 Jun 2016 22:00:03 +0200
|
||||
Subject: [PATCH] mbedtls: don't set debug threshold if compiled without
|
||||
MBEDTLS_DEBUG_C
|
||||
|
||||
For targets with space constraints, one might want to compile mbed TLS
|
||||
without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes. Make
|
||||
sure OpenVPN still compiles if that is the case.
|
||||
|
||||
Signed-off-by: Steffan Karger <steffan@karger.me>
|
||||
Acked-by: Gert Doering <gert@greenie.muc.de>
|
||||
Message-Id: <1465934403-22226-1-git-send-email-steffan@karger.me>
|
||||
URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
|
||||
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
||||
--- a/src/openvpn/ssl_polarssl.c
|
||||
+++ b/src/openvpn/ssl_polarssl.c
|
||||
@@ -747,7 +747,9 @@ void key_state_ssl_init(struct key_state
|
||||
if (polar_ok(ssl_init(ks_ssl->ctx)))
|
||||
{
|
||||
/* Initialise SSL context */
|
||||
+ #ifdef POLARSSL_DEBUG_C
|
||||
debug_set_threshold(3);
|
||||
+ #endif
|
||||
ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
|
||||
ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);
|
@ -0,0 +1,41 @@ |
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1014,37 +1014,14 @@ dnl
|
||||
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
|
||||
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
|
||||
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
|
||||
- AC_CHECKING([for LZ4 Library and Header files])
|
||||
- havelz4lib=1
|
||||
|
||||
- # if LZ4_LIBS is set, we assume it will work, otherwise test
|
||||
- if test -z "${LZ4_LIBS}"; then
|
||||
- AC_CHECK_LIB(lz4, LZ4_compress,
|
||||
- [ LZ4_LIBS="-llz4" ],
|
||||
- [
|
||||
- AC_MSG_RESULT([LZ4 library not found.])
|
||||
- havelz4lib=0
|
||||
- ])
|
||||
- fi
|
||||
+ AC_MSG_RESULT([Using LZ4 library in src/compat/compat-lz4.*])
|
||||
+ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
|
||||
+ LZ4_LIBS=""
|
||||
|
||||
- saved_CFLAGS="${CFLAGS}"
|
||||
- CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
|
||||
- AC_CHECK_HEADERS(lz4.h,
|
||||
- ,
|
||||
- [
|
||||
- AC_MSG_RESULT([LZ4 headers not found.])
|
||||
- havelz4lib=0
|
||||
- ])
|
||||
-
|
||||
- if test $havelz4lib = 0 ; then
|
||||
- AC_MSG_RESULT([LZ4 library or header not found, using version in src/compat/compat-lz4.*])
|
||||
- AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
|
||||
- LZ4_LIBS=""
|
||||
- fi
|
||||
OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
|
||||
OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
|
||||
AC_DEFINE(ENABLE_LZ4, 1, [Enable LZ4 compression library])
|
||||
- CFLAGS="${saved_CFLAGS}"
|
||||
fi
|
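Review bot: On the new side `LZ4_LIBS=""` unconditionally overwrites whatever the caller passed, while `AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])` a few lines above still advertises the variable as an input, so a system liblz4 can no longer be selected and a value given on the configure command line is silently discarded. If the bundled src/compat/compat-lz4.* copy is meant to be the only option, either remove the two AC_ARG_VAR lines as well or fail loudly, e.g. `if test -n "${LZ4_LIBS}"; then AC_MSG_ERROR([LZ4_LIBS is ignored: the bundled LZ4 in src/compat is always used]); fi` before the AC_DEFINE. Pinning to the vendored copy also means LZ4 fixes reach this package only through OpenVPN updates rather than through the liblz4 package, which is the kind of supply-chain trade-off a patch should document; this patch file has no description header at all, so a few lines stating why system-library detection was dropped would help whoever next rebases it.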