[Buildroot] [PATCH 1/2] openvpn: remove polarssl crypto backend options
Gustavo Zacarias
gustavo at zacarias.com.ar
Tue May 10 15:11:13 UTC 2016
Now that we need to bump openvpn to version 2.3.11 for security fixes,
the time has come to remove the polarssl option.
Add legacy handling explaining the situation:
PolarSSL 1.2.x can coexist with mbedTLS 2.x+, but OpenVPN requires
PolarSSL/mbedTLS 1.3.x (the transition branch) >= 1.3.8 but doesn't
build/work with the 2.x series. And PolarSSL/mbedTLS 1.3.x can't coexist
with mbedTLS 2.x on the same target.
So, unfortunately, openssl is now the only option (until libressl
arrives).
Signed-off-by: Gustavo Zacarias <gustavo at zacarias.com.ar>
---
Config.in.legacy | 18 ++++++++++++++++++
package/openvpn/Config.in | 21 +--------------------
package/openvpn/openvpn.mk | 13 ++-----------
3 files changed, 21 insertions(+), 31 deletions(-)
diff --git a/Config.in.legacy b/Config.in.legacy
index 824a220..394e61b 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -145,6 +145,24 @@ endif
###############################################################################
comment "Legacy options removed in 2016.05"
+config BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL
+ bool "openvpn openssl crypto backend option removed"
+ select BR2_LEGACY
+ help
+ The OpenVPN openssl crypto backend options has been removed.
+ It's now the only possible option.
+
+config BR2_PACKAGE_OPENVPN_CRYPTO_POLARSSL
+ bool "openvpn polarssl crypto backend removed"
+ select BR2_LEGACY
+ help
+ The OpenVPN polarssl crypto backend option has been removed.
+ Version from 2.3.10 onwards need polarssl >= 1.3.8 but aren't
+ compatible with mbedtls (polarssl) series 2.x which is the
+ version provided in buildroot. And both can't coexist.
+ It now uses OpenSSL as the only option.
+
+
config BR2_PACKAGE_NGINX_HTTP_SPDY_MODULE
bool "nginx http spdy module removed"
select BR2_LEGACY
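Review bot: The legacy entry for `BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL` selects `BR2_LEGACY` even though, per its own help text, nothing changes for a configuration that had it enabled. It was the default of the removed choice, so every existing openvpn configuration gets flagged as legacy, which dilutes the warning that matters: the `BR2_PACKAGE_OPENVPN_CRYPTO_POLARSSL` entry, where the crypto library behind the VPN really does change. Consider dropping the OPENSSL entry and keeping only the POLARSSL one. In the help texts, `options has been removed` should read `option has been removed` and `Version from 2.3.10 onwards need` should read `Versions from 2.3.10 onwards need`; the second blank line after the POLARSSL entry can also go.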
diff --git a/package/openvpn/Config.in b/package/openvpn/Config.in
index 2e37125..8ba4ea1 100644
--- a/package/openvpn/Config.in
+++ b/package/openvpn/Config.in
@@ -1,6 +1,7 @@
config BR2_PACKAGE_OPENVPN
bool "openvpn"
depends on BR2_USE_MMU # fork()
+ select BR2_PACKAGE_OPENSSL
help
OpenVPN is a full-featured SSL VPN solution which can
accomodate a wide range of configurations, including road
@@ -33,24 +34,4 @@ config BR2_PACKAGE_OPENVPN_PWSAVE
Allow --askpass and --auth-user-pass passwords to be read
from a file.
-choice
- prompt "Crypto backend"
- default BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL
- help
- Select the cryptographic library to use.
-
- config BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL
- bool "OpenSSL"
- select BR2_PACKAGE_OPENSSL
- help
- Enable TLS-based key exchange and OpenSSL crypto support.
-
- config BR2_PACKAGE_OPENVPN_CRYPTO_POLARSSL
- bool "PolarSSL"
- select BR2_PACKAGE_POLARSSL
- help
- Enable TLS-based key exchange and PolarSSL crypto support.
-
-endchoice
-
endif
diff --git a/package/openvpn/openvpn.mk b/package/openvpn/openvpn.mk
index 8f02792..1d06636 100644
--- a/package/openvpn/openvpn.mk
+++ b/package/openvpn/openvpn.mk
@@ -7,12 +7,13 @@
OPENVPN_VERSION = 2.3.9
OPENVPN_SOURCE = openvpn-$(OPENVPN_VERSION).tar.xz
OPENVPN_SITE = http://swupdate.openvpn.net/community/releases
-OPENVPN_DEPENDENCIES = host-pkgconf
+OPENVPN_DEPENDENCIES = host-pkgconf openssl
OPENVPN_LICENSE = GPLv2
OPENVPN_LICENSE_FILES = COPYRIGHT.GPL
OPENVPN_CONF_OPTS = \
--disable-plugin-auth-pam \
--enable-iproute2 \
+ --with-crypto-library=openssl \
$(if $(BR2_STATIC_LIBS),--disable-plugins)
OPENVPN_CONF_ENV = IFCONFIG=/sbin/ifconfig \
NETSTAT=/bin/netstat \
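Review bot: `OPENVPN_SITE` on the unchanged context line still fetches the tarball over plain `http://`, so the integrity of a package being touched for security reasons rests entirely on the package's hash file, which is not part of this patch. If the release server offers HTTPS, `OPENVPN_SITE = https://swupdate.openvpn.net/community/releases` would be the one-line change, and the version bump in 2/2 should update the hash alongside it. `OPENVPN_VERSION` is also still 2.3.9 in this hunk, so this patch on its own does not yet deliver the fixes the description refers to.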
@@ -47,16 +48,6 @@ else
OPENVPN_CONF_OPTS += --disable-password-save
endif
-ifeq ($(BR2_PACKAGE_OPENVPN_CRYPTO_OPENSSL),y)
-OPENVPN_CONF_OPTS += --with-crypto-library=openssl
-OPENVPN_DEPENDENCIES += openssl
-endif
-
-ifeq ($(BR2_PACKAGE_OPENVPN_CRYPTO_POLARSSL),y)
-OPENVPN_CONF_OPTS += --with-crypto-library=polarssl
-OPENVPN_DEPENDENCIES += polarssl
-endif
-
define OPENVPN_INSTALL_TARGET_CMDS
$(INSTALL) -m 755 $(@D)/src/openvpn/openvpn \
$(TARGET_DIR)/usr/sbin/openvpn
--
2.7.3