openwrtv4/package/network/services/openvpn/Makefile
Jo-Philipp Wich a28deda590 openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101)
OpenVPN assumes that its control channel messages are sent and received
unfragmented, this assumption is broken when CBC record splitting is
enabled in mbedTLS.

The record splitting is intended as countermeasure against BEAST attacks
which do not apply to OpenVPN, therefore we simply disable it until
upstream OpenVPN gains the ability to process fragmented control
messages.

Disabling the splitting also works around a (not remotely triggerable)
segmentation fault in mbedTLS.

References:

 * https://dev.openwrt.org/ticket/19101
 * https://community.openvpn.net/openvpn/ticket/524
 * https://github.com/ARMmbed/mbedtls/pull/185

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45602
2015-05-04 08:49:21 +00:00

125 lines
3.9 KiB
Makefile

#
# Copyright (C) 2010-2015 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn
PKG_VERSION:=2.3.6
PKG_RELEASE:=4
PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_MD5SUM:=6ca03fe0fd093e0d01601abee808835c
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_INSTALL:=1
PKG_FIXUP:=autoreconf
PKG_BUILD_PARALLEL:=1
PKG_LICENSE:=GPL-2.0
include $(INCLUDE_DIR)/package.mk
define Package/openvpn/Default
TITLE:=Open source VPN solution using $(2)
SECTION:=net
CATEGORY:=Network
URL:=http://openvpn.net
SUBMENU:=VPN
MENU:=1
DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
VARIANT:=$(1)
MAINTAINER:=Mirko Vogt <mirko@openwrt.org>
endef
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+libopenssl)
Package/openvpn-polarssl=$(call Package/openvpn/Default,polarssl,PolarSSL,+libpolarssl)
Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
define Package/openvpn/config/Default
source "$(SOURCE)/Config-$(1).in"
endef
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
Package/openvpn-polarssl/config=$(call Package/openvpn/config/Default,polarssl)
Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl)
ifeq ($(BUILD_VARIANT),polarssl)
CONFIG_OPENVPN_POLARSSL:=y
endif
ifeq ($(BUILD_VARIANT),openssl)
CONFIG_OPENVPN_OPENSSL:=y
endif
ifeq ($(BUILD_VARIANT),nossl)
CONFIG_OPENVPN_NOSSL:=y
endif
CONFIGURE_VARS += \
IFCONFIG=/sbin/ifconfig \
ROUTE=/sbin/route \
IPROUTE=/usr/sbin/ip \
NETSTAT=/sbin/netstat
define Build/Configure
$(call Build/Configure/Default, \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SMALL),--enable-small) \
--disable-selinux \
--disable-systemd \
--disable-plugins \
--disable-debug \
--disable-eurephia \
--disable-pkcs11 \
--enable-password-save \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SOCKS),--enable,--disable)-socks \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
$(if $(CONFIG_OPENVPN_NOSSL),--disable-ssl --disable-crypto,--enable-ssl --enable-crypto) \
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
$(if $(CONFIG_OPENVPN_POLARSSL),--with-crypto-library=polarssl) \
)
endef
define Package/openvpn-$(BUILD_VARIANT)/conffiles
/etc/config/openvpn
endef
define Package/openvpn-$(BUILD_VARIANT)/install
$(INSTALL_DIR) \
$(1)/usr/sbin \
$(1)/etc/init.d \
$(1)/etc/config \
$(1)/etc/openvpn \
$(1)/lib/upgrade/keep.d
$(INSTALL_BIN) \
$(PKG_INSTALL_DIR)/usr/sbin/openvpn \
$(1)/usr/sbin/
$(INSTALL_BIN) \
files/openvpn.init \
$(1)/etc/init.d/openvpn
$(INSTALL_CONF) files/openvpn.config \
$(1)/etc/config/openvpn
$(INSTALL_DATA) \
files/openvpn.upgrade \
$(1)/lib/upgrade/keep.d/openvpn
endef
$(eval $(call BuildPackage,openvpn-openssl))
$(eval $(call BuildPackage,openvpn-polarssl))
$(eval $(call BuildPackage,openvpn-nossl))