[packages_10.03.2] openvpn: merge r28098, r28120, r29167, r29184, r29355
authorJo-Philipp Wich <jow@openwrt.org>
Sun, 5 Feb 2012 15:52:03 +0000 (15:52 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Sun, 5 Feb 2012 15:52:03 +0000 (15:52 +0000)
SVN-Revision: 30235

net/openvpn/Config.in [new file with mode: 0644]
net/openvpn/Makefile
net/openvpn/files/openvpn.config
net/openvpn/files/openvpn.init
net/openvpn/patches/001-easy_rsa.patch

diff --git a/net/openvpn/Config.in b/net/openvpn/Config.in
new file mode 100644 (file)
index 0000000..aea6f3e
--- /dev/null
@@ -0,0 +1,84 @@
+menu "Configuration"
+       depends on PACKAGE_openvpn
+
+config OPENVPN_DISABLE_LZO
+       bool "Disable LZO compression support"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_CRYPTO
+       bool "Disable OpenSSL crypto support"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_SSL
+       bool "Disable OpenSSL SSL support for TLS-based key exchange"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_X509_ALT_USERNAME
+       bool "Enable the --x509-username-field feature"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_MULTI
+       bool "Disable client/server support (--mode server + client mode)"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_SERVER
+       bool "Disable server support only (but retain client support)"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_EUREPHIA
+       bool "Disable support for the eurephia plug-in"
+       depends on PACKAGE_openvpn
+       default y
+
+config OPENVPN_DISABLE_MANAGEMENT
+       bool "Disable management server support"
+       depends on PACKAGE_openvpn
+       default y
+
+config OPENVPN_DISABLE_PKCS11
+       bool "Disable pkcs11 support"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_HTTP
+       bool "Disable HTTP proxy support"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_FRAGMENT
+       bool "Disable internal fragmentation support (--fragment)"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_MULTIHOME
+       bool "Disable multi-homed UDP server support (--multihome)"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_PORT_SHARE
+       bool "Disable TCP server port-share support (--port-share)"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_ENABLE_PASSWORD_SAVE
+       bool "Allow --askpass and --auth-user-pass passwords to be read from a file"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_DEF_AUTH
+       bool "Disable deferred authentication"
+       depends on PACKAGE_openvpn
+       default n
+
+config OPENVPN_DISABLE_PF
+       bool "Disable internal packet filter"
+       depends on PACKAGE_openvpn
+       default n
+
+endmenu
index c618988ec7ce2f26467bcc4049fb9521c6907076..c80c587e2297292afcf6b09627b0f93869e9c915 100644 (file)
@@ -8,40 +8,36 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
-PKG_VERSION:=2.1.4
-PKG_RELEASE:=3
+PKG_VERSION:=2.2.1
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases @SF/openvpn
-PKG_MD5SUM:=96a11868082685802489254f03ff3bde
+PKG_MD5SUM:=500bee5449b29906150569aaf2eb2730
 
 PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
 
 include $(INCLUDE_DIR)/package.mk
 
 define Package/openvpn
   SECTION:=net
   CATEGORY:=Network
-  DEPENDS:=+kmod-tun +libopenssl +PACKAGE_openvpn_complzo:liblzo
+  SUBMENU:=VPN
+  DEPENDS:=+kmod-tun +libopenssl +!OPENVPN_DISABLE_LZO:liblzo
   TITLE:=Open source VPN solution using SSL
   URL:=http://openvpn.net
-  SUBMENU:=VPN
+  MENU:=1
 endef
 
-define Package/openvpn/config
-config PACKAGE_openvpn_complzo
-       bool "Enable --comp-lzo compression option"
-       depends on PACKAGE_openvpn
-       default y
+define Package/openvpn/description
+ Open source VPN solution using SSL
 endef
 
-define Package/openvpn/conffiles
-/etc/config/openvpn
+define Package/openvpn/config
+       source "$(SOURCE)/Config.in"
 endef
 
-define Package/openvpn/description
-        Open source VPN solution using SSL
-endef
 
 define Package/openvpn-easy-rsa
   $(call Package/openvpn)
@@ -59,19 +55,97 @@ CONFIGURE_ARGS+= \
        --with-ifconfig-path=/sbin/ifconfig \
        --with-iproute-path=/usr/sbin/ip \
        --with-route-path=/sbin/route \
-       --disable-pthread \
        --disable-debug \
        --disable-plugins \
-       --enable-management \
+       --disable-pthread \
+       --disable-selinux \
        --disable-socks \
-       --enable-password-save \
        --enable-small
 
-ifndef CONFIG_PACKAGE_openvpn_complzo
+ifeq ($(CONFIG_OPENVPN_DISABLE_LZO),y)
 CONFIGURE_ARGS += \
        --disable-lzo
 endif
 
+ifeq ($(CONFIG_OPENVPN_DISABLE_CRYPTO),y)
+CONFIGURE_ARGS += \
+       --disable-crypto
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_SSL),y)
+CONFIGURE_ARGS += \
+       --disable-ssl
+endif
+
+ifeq ($(CONFIG_OPENVPN_X509_ALT_USERNAME),y)
+CONFIGURE_ARGS += \
+       --enable-x509-alt-username
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_MULTI),y)
+CONFIGURE_ARGS += \
+       --disable-multi
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_SERVER),y)
+CONFIGURE_ARGS += \
+       --disable-server
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_EUREPHIA),y)
+CONFIGURE_ARGS += \
+       --disable-eurephia
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_MANAGEMENT),y)
+CONFIGURE_ARGS += \
+       --disable-management
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_PKCS11),y)
+CONFIGURE_ARGS += \
+       --disable-pkcs11
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_HTTP),y)
+CONFIGURE_ARGS += \
+       --disable-http
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_FRAGMENT),y)
+CONFIGURE_ARGS += \
+       --disable-fragment
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_MULTIHOME),y)
+CONFIGURE_ARGS += \
+       --disable-multihome
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_PORT_SHARE),y)
+CONFIGURE_ARGS += \
+       --disable-port-share
+endif
+
+ifeq ($(CONFIG_OPENVPN_ENABLE_PASSWORD_SAVE),y)
+CONFIGURE_ARGS += \
+       --enable-password-save
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_DEF_AUTH),y)
+CONFIGURE_ARGS += \
+       --disable-def-auth
+endif
+
+ifeq ($(CONFIG_OPENVPN_DISABLE_PF),y)
+CONFIGURE_ARGS += \
+       --disable-pf
+endif
+
+define Package/openvpn/conffiles
+/etc/config/openvpn
+endef
+
 define Package/openvpn/install
        $(INSTALL_DIR) $(1)/usr/sbin
        $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/openvpn $(1)/usr/sbin/
@@ -88,7 +162,7 @@ define Package/openvpn-easy-rsa/install
        $(INSTALL_DIR) $(1)/usr/sbin
        $(CP) $(PKG_BUILD_DIR)/easy-rsa/2.0/{build-*,clean-all,inherit-inter,list-crl,pkitool,revoke-full,sign-req,whichopensslcnf} $(1)/usr/sbin/
        $(INSTALL_DIR) $(1)/etc/easy-rsa
-       $(INSTALL_DATA) $(PKG_BUILD_DIR)/easy-rsa/2.0/openssl.cnf $(1)/etc/easy-rsa/openssl.cnf
+       $(INSTALL_DATA) $(PKG_BUILD_DIR)/easy-rsa/2.0/openssl-1.0.0.cnf $(1)/etc/easy-rsa/openssl-1.0.0.cnf
        $(INSTALL_DATA) $(PKG_BUILD_DIR)/easy-rsa/2.0/vars $(1)/etc/easy-rsa/vars
        $(INSTALL_DIR) $(1)/etc/easy-rsa/keys
        $(INSTALL_DATA) files/easy-rsa.index $(1)/etc/easy-rsa/keys/index.txt
index a0539dfd2eff4328e9c8e83cd70c00c413f5f6b1..4a1f66733a55e26a1c7e966e8df2acdf9bddb92a 100644 (file)
@@ -7,7 +7,7 @@ package openvpn
 config openvpn custom_config
 
        # Set to 1 to enable this instance:
-       option enable 0
+       option enabled 0
 
        # Include OpenVPN configuration
        option config /etc/openvpn/my-vpn.conf
@@ -21,7 +21,7 @@ config openvpn custom_config
 config openvpn sample_server
 
        # Set to 1 to enable this instance:
-       option enable 0
+       option enabled 0
 
        # Which local IP address should OpenVPN
        # listen on? (optional)
@@ -292,7 +292,7 @@ config openvpn sample_server
 config openvpn sample_client
 
        # Set to 1 to enable this instance:
-       option enable 0
+       option enabled 0
 
        # Specify that we are a client and that we
        # will be pulling certain config file directives
index 0fee06d8d4e4f527f86a42d3ae75cc1b0aff5d9d..c5f3f95ca8afb03fe8bcb922f781263422b344ef 100644 (file)
@@ -1,12 +1,14 @@
 #!/bin/sh /etc/rc.common
-# OpenVPN init script
+# Copyright (C) 2008-2011 OpenWrt.org
 # Copyright (C) 2008 Jo-Philipp Wich
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
 
 START=95
-BIN=/usr/sbin/openvpn
-SSD=start-stop-daemon
+
+SERVICE_DAEMONIZE=1
+SERVICE_WRITE_PID=1
+
 EXTRA_COMMANDS="up down"
 
 LIST_SEP="
@@ -55,15 +57,17 @@ append_params_quoted() {
        done
 }
 
-start_service() {
+section_enabled() {
+       config_get_bool enable  "$1" 'enable'  0
+       config_get_bool enabled "$1" 'enabled' 0
+       [ $enable -gt 0 ] || [ $enabled -gt 0 ]
+}
+
+start_instance() {
        local s="$1"
-       local enable=0
 
-       # disabled?
-       config_get_bool enable "$s" enable 0
-       [ "$enable" == 0 ] && return 0
+       section_enabled "$s" || return 1
 
-       PID="/var/run/openvpn-$s.pid"
        ARGS=""
 
        # append flags
@@ -104,67 +108,63 @@ start_service() {
                down push up
 
 
-       [ -n "$ARGS" ] && \
-               eval "$SSD -q -b -p '$PID' -x $BIN -S -- --syslog 'openvpn($s)' --writepid '$PID' $ARGS"
+       SERVICE_PID_FILE="/var/run/openvpn-$s.pid"
+       service_start /usr/sbin/openvpn --syslog "openvpn($s)" --writepid "$SERVICE_PID_FILE" $ARGS
 }
 
-kill_service() {
+stop_instance() {
        local s="$1"
-       local S="${2:-TERM}"
-       local enable=0
-
-       # disabled?
-       config_get_bool enable "$s" enable 0
-       [ "$enable" == 1 ] || [ "$S" == "TERM" ] || return 0
 
-       PID="/var/run/openvpn-$s.pid"
+       section_enabled "$s" || return 1
 
-       $SSD -q -p $PID -x $BIN -K -s $S
-       [ "$S" == "TERM" ] && rm -f "$PID"
+       SERVICE_PID_FILE="/var/run/openvpn-$s.pid"
+       service_stop /usr/sbin/openvpn
 }
 
-hup_service()  { kill_service "$1" HUP;  }
-stop_service() { kill_service "$1" TERM; }
+reload_instance() {
+       local s="$1"
+
+       section_enabled "$s" || return 1
+
+       SERVICE_PID_FILE="/var/run/openvpn-$s.pid"
+       service_reload /usr/sbin/openvpn
+}
 
 start() {
-       config_load openvpn
-       config_foreach start_service openvpn
+       config_load 'openvpn'
+       config_foreach start_instance 'openvpn'
 }
 
 stop() {
-       config_load openvpn
-       config_foreach stop_service openvpn
+       config_load 'openvpn'
+       config_foreach stop_instance 'openvpn'
 }
 
 reload() {
-       config_load openvpn
-       config_foreach hup_service openvpn
-}
-
-restart() {
-       stop; sleep 5; start
+       config_load 'openvpn'
+       config_foreach reload_instance 'openvpn'
 }
 
 up() {
        local exists
-       local INSTANCE
-       config_load openvpn
-       for INSTANCE in "$@"; do
-               config_get exists "$INSTANCE" TYPE
+       local instance
+       config_load 'openvpn'
+       for instance in "$@"; do
+               config_get exists "$instance" 'TYPE'
                if [ "$exists" == "openvpn" ]; then
-                       start_service "$INSTANCE"
+                       start_instance "$instance"
                fi
        done
 }
 
 down() {
        local exists
-       local INSTANCE
-       config_load openvpn
-       for INSTANCE in "$@"; do
-               config_get exists "$INSTANCE" TYPE
+       local instance
+       config_load 'openvpn'
+       for instance in "$@"; do
+               config_get exists "$instance" 'TYPE'
                if [ "$exists" == "openvpn" ]; then
-                       stop_service "$INSTANCE"
+                       stop_instance "$instance"
                fi
        done
 }
index fa987a247c634a1622640719a88a289a5e3ba644..6b1d0b757503aceb8690975a59e0cad0edd5a8bd 100644 (file)
@@ -1,11 +1,6 @@
 --- a/easy-rsa/2.0/build-ca
 +++ b/easy-rsa/2.0/build-ca
-@@ -1,8 +1,8 @@
--#!/bin/bash
-+#!/bin/sh
- #
- # Build a root certificate
+@@ -5,4 +5,4 @@
  #
  
  export EASY_RSA="${EASY_RSA:-.}"
 +"/usr/sbin/pkitool" --interact --initca $*
 --- a/easy-rsa/2.0/build-dh
 +++ b/easy-rsa/2.0/build-dh
-@@ -1,4 +1,6 @@
--#!/bin/bash
-+#!/bin/sh
-+
-+. /etc/easy-rsa/vars
+@@ -1,5 +1,7 @@
+ #!/bin/sh
  
++. /etc/easy-rsa/vars
++
  # Build Diffie-Hellman parameters for the server side
  # of an SSL/TLS connection.
 --- a/easy-rsa/2.0/build-inter
 +++ b/easy-rsa/2.0/build-inter
-@@ -1,7 +1,7 @@
--#!/bin/bash
-+#!/bin/sh
- # Make an intermediate CA certificate/private key pair using a locally generated
+@@ -4,4 +4,4 @@
  # root certificate.
  
  export EASY_RSA="${EASY_RSA:-.}"
 +"/usr/sbin/pkitool" --interact --inter $*
 --- a/easy-rsa/2.0/build-key
 +++ b/easy-rsa/2.0/build-key
-@@ -1,7 +1,7 @@
--#!/bin/bash
-+#!/bin/sh
- # Make a certificate/private key pair using a locally generated
+@@ -4,4 +4,4 @@
  # root certificate.
  
  export EASY_RSA="${EASY_RSA:-.}"
 +"/usr/sbin/pkitool" --interact $*
 --- a/easy-rsa/2.0/build-key-pass
 +++ b/easy-rsa/2.0/build-key-pass
-@@ -1,7 +1,7 @@
--#!/bin/bash
-+#!/bin/sh
- # Similar to build-key, but protect the private key
+@@ -4,4 +4,4 @@
  # with a password.
  
  export EASY_RSA="${EASY_RSA:-.}"
 +"/usr/sbin/pkitool" --interact --pass $*
 --- a/easy-rsa/2.0/build-key-pkcs12
 +++ b/easy-rsa/2.0/build-key-pkcs12
-@@ -1,8 +1,8 @@
--#!/bin/bash
-+#!/bin/sh
- # Make a certificate/private key pair using a locally generated
- # root certificate and convert it to a PKCS #12 file including the
+@@ -5,4 +5,4 @@
  # the CA certificate as well.
  
  export EASY_RSA="${EASY_RSA:-.}"
 +"/usr/sbin/pkitool" --interact --pkcs12 $*
 --- a/easy-rsa/2.0/build-key-server
 +++ b/easy-rsa/2.0/build-key-server
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/bin/sh
- # Make a certificate/private key pair using a locally generated
- # root certificate.
 @@ -7,4 +7,4 @@
  # extension in the openssl.cnf file.
  
 +"/usr/sbin/pkitool" --interact --server $*
 --- a/easy-rsa/2.0/build-req
 +++ b/easy-rsa/2.0/build-req
-@@ -1,7 +1,7 @@
--#!/bin/bash
-+#!/bin/sh
- # Build a certificate signing request and private key.  Use this
+@@ -4,4 +4,4 @@
  # when your root certificate and key is not available locally.
  
  export EASY_RSA="${EASY_RSA:-.}"
 +"/usr/sbin/pkitool" --interact --csr $*
 --- a/easy-rsa/2.0/build-req-pass
 +++ b/easy-rsa/2.0/build-req-pass
-@@ -1,7 +1,7 @@
--#!/bin/bash
-+#!/bin/sh
- # Like build-req, but protect your private key
+@@ -4,4 +4,4 @@
  # with a password.
  
  export EASY_RSA="${EASY_RSA:-.}"
 +"/usr/sbin/pkitool" --interact --csr --pass $*
 --- a/easy-rsa/2.0/clean-all
 +++ b/easy-rsa/2.0/clean-all
-@@ -1,4 +1,6 @@
--#!/bin/bash
-+#!/bin/sh
-+
-+. /etc/easy-rsa/vars
+@@ -1,5 +1,7 @@
+ #!/bin/sh
  
++. /etc/easy-rsa/vars
++
  # Initialize the $KEY_DIR directory.
  # Note that this script does a
+ # rm -rf on $KEY_DIR so be careful!
 --- a/easy-rsa/2.0/inherit-inter
 +++ b/easy-rsa/2.0/inherit-inter
-@@ -1,4 +1,6 @@
--#!/bin/bash
-+#!/bin/sh
-+
-+. /etc/easy-rsa/vars
+@@ -1,5 +1,7 @@
+ #!/bin/sh
  
++. /etc/easy-rsa/vars
++
  # Build a new PKI which is rooted on an intermediate certificate generated
  # by ./build-inter or ./pkitool --inter from a parent PKI.  The new PKI should
+ # have independent vars settings, and must use a different KEY_DIR directory
 --- a/easy-rsa/2.0/list-crl
 +++ b/easy-rsa/2.0/list-crl
-@@ -1,4 +1,6 @@
--#!/bin/bash
-+#!/bin/sh
-+
-+. /etc/easy-rsa/vars
+@@ -1,5 +1,7 @@
+ #!/bin/sh
  
++. /etc/easy-rsa/vars
++
  # list revoked certificates
  
+ CRL="${1:-crl.pem}"
 --- a/easy-rsa/2.0/pkitool
 +++ b/easy-rsa/2.0/pkitool
 @@ -1,5 +1,7 @@
  #             session authentication and key exchange,
 --- a/easy-rsa/2.0/revoke-full
 +++ b/easy-rsa/2.0/revoke-full
-@@ -1,4 +1,6 @@
--#!/bin/bash
-+#!/bin/sh
-+
-+. /etc/easy-rsa/vars
+@@ -1,5 +1,7 @@
+ #!/bin/sh
  
++. /etc/easy-rsa/vars
++
  # revoke a certificate, regenerate CRL,
  # and verify revocation
 --- a/easy-rsa/2.0/sign-req
 +++ b/easy-rsa/2.0/sign-req
-@@ -1,7 +1,7 @@
--#!/bin/bash
-+#!/bin/sh
- # Sign a certificate signing request (a .csr file)
+@@ -4,4 +4,4 @@
  # with a local root certificate and key.
  
  export EASY_RSA="${EASY_RSA:-.}"