From: Florian Fainelli Date: Fri, 19 May 2006 13:14:02 +0000 (+0000) Subject: Backport openvpn freatures from kamikaze to whiterussian Add easy-rsa package to... X-Git-Tag: whiterussian_rc6~245 X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=ebb1864fd0e133d50f848e97034d6a762da5ef70;p=openwrt%2Fsvn-archive%2Fopenwrt.git Backport openvpn freatures from kamikaze to whiterussian Add easy-rsa package to openvpn, closes #541 Fix kmod-ipip module (wrong kernel extension) SVN-Revision: 3800 --- diff --git a/openwrt/package/openvpn/Config.in b/openwrt/package/openvpn/Config.in index 12c35ba79e..65a1bf8dc8 100644 --- a/openwrt/package/openvpn/Config.in +++ b/openwrt/package/openvpn/Config.in @@ -9,7 +9,12 @@ config BR2_PACKAGE_OPENVPN http://openvpn.net/ Depends: kmod-tun, libpthread, openssl - + +config BR2_PACKAGE_OPENVPN_EASY_RSA + tristate "openvpn-easy-rsa - simple shell scripts to manage a Certificate Authority" + default m + depends BR2_PACKAGE_OPENVPN + select BR2_PACKAGE_OPENSSL_UTIL config BR2_PACKAGE_OPENVPN_SERVER bool "Enable server support" @@ -21,8 +26,24 @@ config BR2_PACKAGE_OPENVPN_HTTP default y depends BR2_PACKAGE_OPENVPN +config BR2_PACKAGE_OPENVPN_OPENSSL + bool "Enable openssl support" + default y + depends BR2_PACKAGE_OPENVPN + select BR2_PACKAGE_LIBOPENSSL + config BR2_PACKAGE_OPENVPN_LZO bool "Enable transparent compression (lzo)" default y depends BR2_PACKAGE_OPENVPN select BR2_PACKAGE_LIBLZO + +config BR2_PACKAGE_OPENVPN_PASSWORD_SAVE + bool "Enable password saving" + default y + depends BR2_PACKAGE_OPENPVN + +config BR2_PACKAGE_OPENVPN_SMALL + bool "Enable smaller executable size (disable OCC, usage message, and verb 4 parm list)" + default n + depends BR2_PACKAGE_OPENVPN diff --git a/openwrt/package/openvpn/Makefile b/openwrt/package/openvpn/Makefile index 28acf6d2a1..ab92fedbdd 100644 --- a/openwrt/package/openvpn/Makefile +++ b/openwrt/package/openvpn/Makefile @@ -17,20 +17,31 @@ PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install include $(TOPDIR)/package/rules.mk $(eval $(call PKG_template,OPENVPN,openvpn,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH))) +$(eval $(call PKG_template,OPENVPN_EASY_RSA,openvpn-easy-rsa,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH))) -PKG_DEPEND:="libopenssl, kmod-tun" +PKG_DEPEND:="kmod-tun" +ifneq ($(BR2_PACKAGE_OPENVPN_OPENSSL),y) +DISABLE_OPENSSL:=--disable-ssl --disable-crypto +else +PKG_DEPEND+=", libopenssl" +endif ifneq ($(BR2_PACKAGE_OPENVPN_LZO),y) DISABLE_LZO:=--disable-lzo else PKG_DEPEND+=", liblzo" endif - ifneq ($(BR2_PACKAGE_OPENVPN_SERVER),y) DISABLE_SERVER:=--disable-server endif ifneq ($(BR2_PACKAGE_OPENVPN_HTTP),y) DISABLE_HTTP:=--disable-http endif +ifeq ($(BR2_PACKAGE_OPENVPN_PASSWORD_SAVE),y) +ENABLE_PASSWORD_SAVE:=--enable-password-save +endif +ifeq ($(BR2_PACKAGE_OPENVPN_SMALL),y) +ENABLE_SMALL:=--enable-small +endif $(PKG_BUILD_DIR)/.configured: $(PKG_BUILD_DIR)/.prepared (cd $(PKG_BUILD_DIR); rm -rf config.{cache,status} ; \ @@ -66,8 +77,11 @@ $(PKG_BUILD_DIR)/.configured: $(PKG_BUILD_DIR)/.prepared --disable-management \ --disable-socks \ $(DISABLE_LZO) \ + $(DISABLE_OPENSSL) \ $(DISABLE_SERVER) \ $(DISABLE_HTTP) \ + $(ENABLE_PASSWORD_SAVE) \ + $(ENABLE_SMALL) \ ); touch $(PKG_BUILD_DIR)/.configured @@ -86,3 +100,9 @@ $(IPKG_OPENVPN): echo "Depends: $(PKG_DEPEND)" >> $(IDIR_OPENVPN)/CONTROL/control $(IPKG_BUILD) $(IDIR_OPENVPN) $(PACKAGE_DIR) +$(IPKG_OPENVPN_EASY_RSA): + install -d -m0755 $(IDIR_OPENVPN_EASY_RSA)/usr/sbin $(IDIR_OPENVPN_EASY_RSA)/etc/easy-rsa + cp -fpR $(PKG_BUILD_DIR)/easy-rsa/2.0/{build-*,clean-all,inherit-inter,list-crl,pkitool,revoke-full,sign-req} $(IDIR_OPENVPN_EASY_RSA)/usr/sbin + install -m 0644 $(PKG_BUILD_DIR)/easy-rsa/2.0/openssl.cnf $(IDIR_OPENVPN_EASY_RSA)/etc/easy-rsa/openssl.cnf + install -m 0644 $(PKG_BUILD_DIR)/easy-rsa/2.0/vars $(IDIR_OPENVPN_EASY_RSA)/etc/easy-rsa/vars + $(IPKG_BUILD) $(IDIR_OPENVPN_EASY_RSA) $(PACKAGE_DIR) diff --git a/openwrt/package/openvpn/ipkg/openvpn-easy-rsa.control b/openwrt/package/openvpn/ipkg/openvpn-easy-rsa.control new file mode 100644 index 0000000000..6ce25a46a8 --- /dev/null +++ b/openwrt/package/openvpn/ipkg/openvpn-easy-rsa.control @@ -0,0 +1,5 @@ +Package: openvpn-easy-rsa +Priority: optional +Section: net +Description: collection of shell scripts to manage a simple CA infrastructure +Depends: openssl-util diff --git a/openwrt/package/openvpn/patches/easy-rsa.patch b/openwrt/package/openvpn/patches/easy-rsa.patch new file mode 100644 index 0000000000..c5332b7906 --- /dev/null +++ b/openwrt/package/openvpn/patches/easy-rsa.patch @@ -0,0 +1,159 @@ +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/build-ca openvpn-2.0.7/easy-rsa/2.0/build-ca +--- openvpn-2.0.7.orig/easy-rsa/2.0/build-ca 2005-11-02 19:42:38.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/build-ca 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # + # Build a root certificate +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/build-dh openvpn-2.0.7/easy-rsa/2.0/build-dh +--- openvpn-2.0.7.orig/easy-rsa/2.0/build-dh 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/build-dh 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,6 @@ +-#!/bin/bash ++#!/bin/sh ++ ++. /etc/easy-rsa/vars + + # Build Diffie-Hellman parameters for the server side + # of an SSL/TLS connection. +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/build-inter openvpn-2.0.7/easy-rsa/2.0/build-inter +--- openvpn-2.0.7.orig/easy-rsa/2.0/build-inter 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/build-inter 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # Make an intermediate CA certificate/private key pair using a locally generated + # root certificate. +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/build-key openvpn-2.0.7/easy-rsa/2.0/build-key +--- openvpn-2.0.7.orig/easy-rsa/2.0/build-key 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/build-key 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # Make a certificate/private key pair using a locally generated + # root certificate. +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/build-key-pass openvpn-2.0.7/easy-rsa/2.0/build-key-pass +--- openvpn-2.0.7.orig/easy-rsa/2.0/build-key-pass 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/build-key-pass 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # Similar to build-key, but protect the private key + # with a password. +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/build-key-pkcs12 openvpn-2.0.7/easy-rsa/2.0/build-key-pkcs12 +--- openvpn-2.0.7.orig/easy-rsa/2.0/build-key-pkcs12 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/build-key-pkcs12 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # Make a certificate/private key pair using a locally generated + # root certificate and convert it to a PKCS #12 file including the +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/build-key-server openvpn-2.0.7/easy-rsa/2.0/build-key-server +--- openvpn-2.0.7.orig/easy-rsa/2.0/build-key-server 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/build-key-server 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # Make a certificate/private key pair using a locally generated + # root certificate. +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/build-req openvpn-2.0.7/easy-rsa/2.0/build-req +--- openvpn-2.0.7.orig/easy-rsa/2.0/build-req 2005-11-02 19:42:38.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/build-req 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # Build a certificate signing request and private key. Use this + # when your root certificate and key is not available locally. +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/build-req-pass openvpn-2.0.7/easy-rsa/2.0/build-req-pass +--- openvpn-2.0.7.orig/easy-rsa/2.0/build-req-pass 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/build-req-pass 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # Like build-req, but protect your private key + # with a password. +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/clean-all openvpn-2.0.7/easy-rsa/2.0/clean-all +--- openvpn-2.0.7.orig/easy-rsa/2.0/clean-all 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/clean-all 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,6 @@ +-#!/bin/bash ++#!/bin/sh ++ ++. /etc/easy-rsa/vars + + # Initialize the $KEY_DIR directory. + # Note that this script does a +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/inherit-inter openvpn-2.0.7/easy-rsa/2.0/inherit-inter +--- openvpn-2.0.7.orig/easy-rsa/2.0/inherit-inter 2005-11-02 19:42:38.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/inherit-inter 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,6 @@ +-#!/bin/bash ++#!/bin/sh ++ ++. /etc/easy-rsa/vars + + # Build a new PKI which is rooted on an intermediate certificate generated + # by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/list-crl openvpn-2.0.7/easy-rsa/2.0/list-crl +--- openvpn-2.0.7.orig/easy-rsa/2.0/list-crl 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/list-crl 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,6 @@ +-#!/bin/bash ++#!/bin/sh ++ ++. /etc/easy-rsa/vars + + # list revoked certificates + +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/pkitool openvpn-2.0.7/easy-rsa/2.0/pkitool +--- openvpn-2.0.7.orig/easy-rsa/2.0/pkitool 2005-11-02 19:42:38.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/pkitool 2006-05-09 17:47:40.000000000 +0200 +@@ -1,5 +1,7 @@ + #!/bin/sh + ++. /etc/easy-rsa/vars ++ + # OpenVPN -- An application to securely tunnel IP networks + # over a single TCP/UDP port, with support for SSL/TLS-based + # session authentication and key exchange, +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/revoke-full openvpn-2.0.7/easy-rsa/2.0/revoke-full +--- openvpn-2.0.7.orig/easy-rsa/2.0/revoke-full 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/revoke-full 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,6 @@ +-#!/bin/bash ++#!/bin/sh ++ ++. /etc/easy-rsa/vars + + # revoke a certificate, regenerate CRL, + # and verify revocation +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/sign-req openvpn-2.0.7/easy-rsa/2.0/sign-req +--- openvpn-2.0.7.orig/easy-rsa/2.0/sign-req 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/sign-req 2006-05-09 17:47:40.000000000 +0200 +@@ -1,4 +1,4 @@ +-#!/bin/bash ++#!/bin/sh + + # Sign a certificate signing request (a .csr file) + # with a local root certificate and key. +diff -ur openvpn-2.0.7.orig/easy-rsa/2.0/vars openvpn-2.0.7/easy-rsa/2.0/vars +--- openvpn-2.0.7.orig/easy-rsa/2.0/vars 2005-11-02 19:42:39.000000000 +0100 ++++ openvpn-2.0.7/easy-rsa/2.0/vars 2006-05-09 17:47:40.000000000 +0200 +@@ -12,7 +12,7 @@ + # This variable should point to + # the top level of the easy-rsa + # tree. +-export EASY_RSA="`pwd`" ++export EASY_RSA="/etc/easy-rsa" + + # This variable should point to + # the openssl.cnf file included