#
-# Copyright (C) 2006-2012 OpenWrt.org
+# Copyright (C) 2006-2016 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
include $(TOPDIR)/rules.mk
PKG_NAME:=lzo
-PKG_VERSION:=2.08
+PKG_VERSION:=2.10
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.oberhumer.com/opensource/lzo/download/
-PKG_MD5SUM:=fcec64c26a0f4f4901468f360029678f
+PKG_MD5SUM:=39d3f3f9c55c87b1e5d6888e1420f4b5
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1
PKG_NAME:=polarssl
SRC_PKG_NAME:=mbedtls
-PKG_VERSION:=1.3.14
+PKG_VERSION:=1.3.17
PKG_RELEASE:=1
PKG_USE_MIPS16:=0
PKG_SOURCE:=$(SRC_PKG_NAME)-$(PKG_VERSION)-gpl.tgz
-PKG_SOURCE_URL:=https://polarssl.org/download/
-PKG_MD5SUM:=869c7b5798b8769902880c7cf0212fed
+PKG_SOURCE_URL:=https://tls.mbed.org/download/
+PKG_MD5SUM:=f5beb43e850283915e3e0f8d37495eade3bfb5beedfb61e7b8da70d4c68edb82
PKG_BUILD_DIR:=$(BUILD_DIR)/$(SRC_PKG_NAME)-$(PKG_VERSION)
+++ /dev/null
---- a/include/polarssl/config.h
-+++ b/include/polarssl/config.h
-@@ -1011,8 +1011,8 @@
- * POLARSSL_SHA1_C
- *
- * Comment this macro to disable support for SSL 3.0
-- */
- #define POLARSSL_SSL_PROTO_SSL3
-+ */
-
- /**
- * \def POLARSSL_SSL_PROTO_TLS1
/**
* \def POLARSSL_SSL_AEAD_RANDOM_IV
-@@ -1138,8 +1138,8 @@
+@@ -1151,8 +1151,8 @@
* Requires: POLARSSL_VERSION_C
*
* Comment this to disable run-time checking and save ROM space
/**
* \def POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -1457,8 +1457,8 @@
+@@ -1470,8 +1470,8 @@
* TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
* TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
* TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
/**
* \def POLARSSL_CCM_C
-@@ -1485,8 +1485,8 @@
+@@ -1498,8 +1498,8 @@
* Requires: POLARSSL_PEM_PARSE_C
*
* This module is used for testing (ssl_client/server).
/**
* \def POLARSSL_CIPHER_C
-@@ -1525,8 +1525,8 @@
+@@ -1538,8 +1538,8 @@
* library/ssl_tls.c
*
* This module provides debugging functions.
/**
* \def POLARSSL_DES_C
-@@ -1581,8 +1581,8 @@
+@@ -1594,8 +1594,8 @@
* ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
*
* Requires: POLARSSL_ECP_C
/**
* \def POLARSSL_ECDSA_C
-@@ -1596,8 +1596,8 @@
+@@ -1609,8 +1609,8 @@
* ECDHE-ECDSA
*
* Requires: POLARSSL_ECP_C, POLARSSL_ASN1_WRITE_C, POLARSSL_ASN1_PARSE_C
/**
* \def POLARSSL_ECP_C
-@@ -1609,8 +1609,8 @@
+@@ -1622,8 +1622,8 @@
* library/ecdsa.c
*
* Requires: POLARSSL_BIGNUM_C and at least one POLARSSL_ECP_DP_XXX_ENABLED
/**
* \def POLARSSL_ENTROPY_C
-@@ -1649,8 +1649,8 @@
- *
- * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
- * requisites are enabled as well.
-- */
- #define POLARSSL_GCM_C
-+ */
-
- /**
- * \def POLARSSL_HAVEGE_C
-@@ -1686,8 +1686,8 @@
+@@ -1699,8 +1699,8 @@
* Requires: POLARSSL_MD_C
*
* Uncomment to enable the HMAC_DRBG random number geerator.
/**
* \def POLARSSL_MD_C
-@@ -1813,8 +1813,8 @@
+@@ -1826,8 +1826,8 @@
* Requires: POLARSSL_HAVE_ASM
*
* This modules adds support for the VIA PadLock on x86.
/**
* \def POLARSSL_PBKDF2_C
-@@ -1979,8 +1979,8 @@
+@@ -1992,8 +1992,8 @@
* Module: library/ripemd160.c
* Caller: library/md.c
*
/**
* \def POLARSSL_RSA_C
-@@ -2059,8 +2059,8 @@
+@@ -2072,8 +2072,8 @@
* Caller:
*
* Requires: POLARSSL_SSL_CACHE_C
/**
* \def POLARSSL_SSL_CLI_C
-@@ -2136,8 +2136,8 @@
+@@ -2149,8 +2149,8 @@
* Caller: library/havege.c
*
* This module is used by the HAVEGE random number generator.
/**
* \def POLARSSL_VERSION_C
-@@ -2147,8 +2147,8 @@
+@@ -2160,8 +2160,8 @@
* Module: library/version.c
*
* This module provides run-time version information.
/**
* \def POLARSSL_X509_USE_C
-@@ -2257,8 +2257,8 @@
+@@ -2270,8 +2270,8 @@
*
* Module: library/xtea.c
* Caller:
PKG_NAME:=openvpn
-PKG_VERSION:=2.3.6
-PKG_RELEASE:=5
+PKG_VERSION:=2.3.18
+PKG_RELEASE:=1
PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MD5SUM:=6ca03fe0fd093e0d01601abee808835c
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_MD5SUM:=844ec9c64aae62051478784b8562f881
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
--disable-systemd \
--disable-plugins \
--disable-debug \
- --disable-eurephia \
--disable-pkcs11 \
- --enable-password-save \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SOCKS),--enable,--disable)-socks \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http \
+ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http-proxy \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
config_get v "$s" "$p"
IFS="$LIST_SEP"
for v in $v; do
- [ -n "$v" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
+ [ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
+ [ -n "$v" ] && [ "$p" == "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
done
unset IFS
done
# append params
append_params "$s" \
- cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert \
+ cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert capath \
chroot cipher client_config_dir client_connect client_disconnect comp_lzo connect_freq \
connect_retry connect_timeout connect_retry_max crl_verify dev dev_node dev_type dh \
echo engine explicit_exit_notify fragment group hand_window hash_size \
redirect_gateway remap_usr1 remote remote_cert_eku remote_cert_ku remote_cert_tls \
reneg_bytes reneg_pkts reneg_sec \
replay_persist replay_window resolv_retry route route_delay route_gateway \
- route_metric route_up rport script_security secret server server_bridge setenv shaper sndbuf \
- socks_proxy status status_version syslog tcp_queue_limit tls_auth \
+ route_metric route_pre_down route_up rport script_security secret server server_bridge setenv shaper sndbuf \
+ socks_proxy status status_version syslog tcp_queue_limit tls_auth tls_version_min \
tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \
tun_mtu tun_mtu_extra txqueuelen user verb down push up \
+ verify_x509_name x509_username_field \
ifconfig_ipv6 route_ipv6 server_ipv6 ifconfig_ipv6_pool ifconfig_ipv6_push iroute_ipv6
openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf"
fi
done
}
+
+service_triggers() {
+ procd_add_reload_trigger openvpn
+}
+++ /dev/null
-commit 98156e90e1e83133a6a6a020db8e7333ada6156b
-Author: Steffan Karger <steffan@karger.me>
-Date: Tue Dec 2 21:42:00 2014 +0100
-
- Really fix '--cipher none' regression
-
- ... by not incorrectly hinting to the compiler the function argument of
- cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the
- case.
-
- Verified the fix on Debian Wheezy, one of the platforms the reporter in
- trac #473 mentions with a compiler that would optimize out the required
- checks.
-
- Also add a testcase for --cipher none to t_lpback, to prevent further
- regressions.
-
- Signed-off-by: Steffan Karger <steffan@karger.me>
- Acked-by: Gert Doering <gert@greenie.muc.de>
- Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me>
- URL: http://article.gmane.org/gmane.network.openvpn.devel/9300
- Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
---- a/src/openvpn/crypto_backend.h
-+++ b/src/openvpn/crypto_backend.h
-@@ -237,8 +237,7 @@ int cipher_kt_mode (const cipher_kt_t *c
- *
- * @return true iff the cipher is a CBC mode cipher.
- */
--bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
-- __attribute__((nonnull));
-+bool cipher_kt_mode_cbc(const cipher_kt_t *cipher);
-
- /**
- * Check if the supplied cipher is a supported OFB or CFB mode cipher.
-@@ -247,8 +246,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_
- *
- * @return true iff the cipher is a OFB or CFB mode cipher.
- */
--bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
-- __attribute__((nonnull));
-+bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher);
-
-
- /**
---- a/tests/t_lpback.sh
-+++ b/tests/t_lpback.sh
-@@ -35,6 +35,9 @@ CIPHERS=$(${top_builddir}/src/openvpn/op
- # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5)
- CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' )
-
-+# Also test cipher 'none'
-+CIPHERS=${CIPHERS}$(printf "\nnone")
-+
- "${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$
- set +e
-
--- /dev/null
+--- a/src/openvpn/ssl_polarssl.c
++++ b/src/openvpn/ssl_polarssl.c
+@@ -1156,7 +1156,7 @@ const char *
+ get_ssl_library_version(void)
+ {
+ static char polar_version[30];
+- unsigned int pv = version_get_number();
++ unsigned int pv = POLARSSL_VERSION_NUMBER;
+ sprintf( polar_version, "PolarSSL %d.%d.%d",
+ (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
+ return polar_version;
+++ /dev/null
---- a/src/openvpn/ssl_polarssl.h
-+++ b/src/openvpn/ssl_polarssl.h
-@@ -38,6 +38,8 @@
- #include <polarssl/pkcs11.h>
- #endif
-
-+#include <polarssl/compat-1.2.h>
-+
- typedef struct _buffer_entry buffer_entry;
-
- struct _buffer_entry {
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -46,7 +46,7 @@
- #include "manage.h"
- #include "ssl_common.h"
-
--#include <polarssl/sha2.h>
-+#include <polarssl/sha256.h>
- #include <polarssl/havege.h>
-
- #include "ssl_verify_polarssl.h"
-@@ -212,13 +212,13 @@ tls_ctx_load_dh_params (struct tls_root_
- {
- if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline)
- {
-- if (0 != x509parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
-+ if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
- strlen(dh_inline)))
- msg (M_FATAL, "Cannot read inline DH parameters");
- }
- else
- {
-- if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
-+ if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
- msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
- }
-
-@@ -253,13 +253,13 @@ tls_ctx_load_cert_file (struct tls_root_
-
- if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
- {
-- if (0 != x509parse_crt(ctx->crt_chain,
-+ if (0 != x509_crt_parse(ctx->crt_chain,
- (const unsigned char *) cert_inline, strlen(cert_inline)))
- msg (M_FATAL, "Cannot load inline certificate file");
- }
- else
- {
-- if (0 != x509parse_crtfile(ctx->crt_chain, cert_file))
-+ if (0 != x509_crt_parse_file(ctx->crt_chain, cert_file))
- msg (M_FATAL, "Cannot load certificate file %s", cert_file);
- }
- }
-@@ -277,7 +277,7 @@ tls_ctx_load_priv_file (struct tls_root_
- status = x509parse_key(ctx->priv_key,
- (const unsigned char *) priv_key_inline, strlen(priv_key_inline),
- NULL, 0);
-- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
-+ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
- {
- char passbuf[512] = {0};
- pem_password_callback(passbuf, 512, 0, NULL);
-@@ -289,7 +289,7 @@ tls_ctx_load_priv_file (struct tls_root_
- else
- {
- status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL);
-- if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
-+ if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
- {
- char passbuf[512] = {0};
- pem_password_callback(passbuf, 512, 0, NULL);
-@@ -480,14 +480,14 @@ void tls_ctx_load_ca (struct tls_root_ct
-
- if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline)
- {
-- if (0 != x509parse_crt(ctx->ca_chain, (const unsigned char *) ca_inline,
-+ if (0 != x509_crt_parse(ctx->ca_chain, (const unsigned char *) ca_inline,
- strlen(ca_inline)))
- msg (M_FATAL, "Cannot load inline CA certificates");
- }
- else
- {
- /* Load CA file for verifying peer supplied certificate */
-- if (0 != x509parse_crtfile(ctx->ca_chain, ca_file))
-+ if (0 != x509_crt_parse_file(ctx->ca_chain, ca_file))
- msg (M_FATAL, "Cannot load CA certificate file %s", ca_file);
- }
- }
-@@ -501,14 +501,14 @@ tls_ctx_load_extra_certs (struct tls_roo
-
- if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline)
- {
-- if (0 != x509parse_crt(ctx->crt_chain,
-+ if (0 != x509_crt_parse(ctx->crt_chain,
- (const unsigned char *) extra_certs_inline,
- strlen(extra_certs_inline)))
- msg (M_FATAL, "Cannot load inline extra-certs file");
- }
- else
- {
-- if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file))
-+ if (0 != x509_crt_parse_file(ctx->crt_chain, extra_certs_file))
- msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
- }
- }
-@@ -724,7 +724,7 @@ void key_state_ssl_init(struct key_state
- external_key_len );
- else
- #endif
-- ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
-+ ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
-
- /* Initialise SSL verification */
- #if P2MP_SERVER
-@@ -1068,7 +1068,7 @@ print_details (struct key_state_ssl * ks
- cert = ssl_get_peer_cert(ks_ssl->ctx);
- if (cert != NULL)
- {
-- openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
-+ openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
- }
-
- msg (D_HANDSHAKE, "%s%s", s1, s2);
---- a/src/openvpn/crypto_polarssl.c
-+++ b/src/openvpn/crypto_polarssl.c
-@@ -487,7 +487,12 @@ cipher_ctx_get_cipher_kt (const cipher_c
-
- int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
- {
-- return 0 == cipher_reset(ctx, iv_buf);
-+ int retval = cipher_reset(ctx);
-+
-+ if (0 == retval)
-+ cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
-+
-+ return 0 == retval;
- }
-
- int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
---- a/src/openvpn/ssl_verify_polarssl.h
-+++ b/src/openvpn/ssl_verify_polarssl.h
-@@ -34,6 +34,7 @@
- #include "misc.h"
- #include "manage.h"
- #include <polarssl/x509.h>
-+#include <polarssl/compat-1.2.h>
-
- #ifndef __OPENVPN_X509_CERT_T_DECLARED
- #define __OPENVPN_X509_CERT_T_DECLARED
---- a/src/openvpn/ssl_verify_polarssl.c
-+++ b/src/openvpn/ssl_verify_polarssl.c
-@@ -40,6 +40,7 @@
- #include "ssl_verify.h"
- #include <polarssl/error.h>
- #include <polarssl/bignum.h>
-+#include <polarssl/oid.h>
- #include <polarssl/sha1.h>
-
- #define MAX_SUBJECT_LENGTH 256
-@@ -102,7 +103,7 @@ x509_get_username (char *cn, int cn_len,
- /* Find common name */
- while( name != NULL )
- {
-- if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
-+ if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
- break;
-
- name = name->next;
-@@ -224,60 +225,18 @@ x509_setenv (struct env_set *es, int cer
- while( name != NULL )
- {
- char name_expand[64+8];
-+ const char *shortname;
-
-- if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
-+ if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
- {
-- switch( name->oid.p[2] )
-- {
-- case X520_COMMON_NAME:
-- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
-- cert_depth); break;
--
-- case X520_COUNTRY:
-- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
-- cert_depth); break;
--
-- case X520_LOCALITY:
-- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
-- cert_depth); break;
--
-- case X520_STATE:
-- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
-- cert_depth); break;
--
-- case X520_ORGANIZATION:
-- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
-- cert_depth); break;
--
-- case X520_ORG_UNIT:
-- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
-- cert_depth); break;
--
-- default:
-- openvpn_snprintf (name_expand, sizeof(name_expand),
-- "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
-- break;
-- }
-+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
-+ cert_depth, shortname);
-+ }
-+ else
-+ {
-+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
-+ cert_depth);
- }
-- else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
-- {
-- switch( name->oid.p[8] )
-- {
-- case PKCS9_EMAIL:
-- openvpn_snprintf (name_expand, sizeof(name_expand),
-- "X509_%d_emailAddress", cert_depth); break;
--
-- default:
-- openvpn_snprintf (name_expand, sizeof(name_expand),
-- "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
-- break;
-- }
-- }
-- else
-- {
-- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
-- cert_depth);
-- }
-
- for( i = 0; i < name->val.len; i++ )
- {
---- a/configure.ac
-+++ b/configure.ac
-@@ -819,13 +819,13 @@ if test "${with_crypto_library}" = "pola
- #include <polarssl/version.h>
- ]],
- [[
--#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000
-+#if POLARSSL_VERSION_NUMBER < 0x01030000
- #error invalid version
- #endif
- ]]
- )],
- [AC_MSG_RESULT([ok])],
-- [AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])]
-+ [AC_MSG_ERROR([PolarSSL 1.3.x required])]
- )
-
- polarssl_with_pkcs11="no"
--- /dev/null
+openvpn: fix build without POLARSSL_DEBUG_C
+
+Backport of upstream master commit
+b63f98633dbe2ca92cd43fc6f8597ab283a600bf.
+
+Signed-off-by: Magnus Kroken <mkroken@gmail.com>
+
+From b63f98633dbe2ca92cd43fc6f8597ab283a600bf Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan@karger.me>
+Date: Tue, 14 Jun 2016 22:00:03 +0200
+Subject: [PATCH] mbedtls: don't set debug threshold if compiled without
+ MBEDTLS_DEBUG_C
+
+For targets with space constraints, one might want to compile mbed TLS
+without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes. Make
+sure OpenVPN still compiles if that is the case.
+
+Signed-off-by: Steffan Karger <steffan@karger.me>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <1465934403-22226-1-git-send-email-steffan@karger.me>
+URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+--- a/src/openvpn/ssl_polarssl.c
++++ b/src/openvpn/ssl_polarssl.c
+@@ -747,7 +747,9 @@ void key_state_ssl_init(struct key_state
+ if (polar_ok(ssl_init(ks_ssl->ctx)))
+ {
+ /* Initialise SSL context */
++ #ifdef POLARSSL_DEBUG_C
+ debug_set_threshold(3);
++ #endif
+ ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
+ ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);
+++ /dev/null
---- a/src/openvpn/syshead.h
-+++ b/src/openvpn/syshead.h
-@@ -214,10 +214,6 @@
-
- #ifdef TARGET_LINUX
-
--#if defined(HAVE_NETINET_IF_ETHER_H)
--#include <netinet/if_ether.h>
--#endif
--
- #ifdef HAVE_LINUX_IF_TUN_H
- #include <linux/if_tun.h>
- #endif
+++ /dev/null
-Index: openvpn-2.3.6/src/openvpn/ssl_polarssl.c
-===================================================================
---- openvpn-2.3.6.orig/src/openvpn/ssl_polarssl.c
-+++ openvpn-2.3.6/src/openvpn/ssl_polarssl.c
-@@ -707,6 +707,11 @@ void key_state_ssl_init(struct key_state
- if (ssl_ctx->allowed_ciphers)
- ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers);
-
-+ /* Disable record splitting (breaks current ssl handling) */
-+#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
-+ ssl_set_cbc_record_splitting (ks_ssl->ctx, SSL_CBC_RECORD_SPLITTING_DISABLED);
-+#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
-+
- /* Initialise authentication information */
- if (is_server)
- ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx );
+++ /dev/null
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -1119,7 +1119,7 @@ const char *
- get_ssl_library_version(void)
- {
- static char polar_version[30];
-- unsigned int pv = version_get_number();
-+ unsigned int pv = POLARSSL_VERSION_NUMBER;
- sprintf( polar_version, "PolarSSL %d.%d.%d",
- (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
- return polar_version;
--- /dev/null
+--- a/src/openvpn/syshead.h
++++ b/src/openvpn/syshead.h
+@@ -602,9 +602,7 @@ socket_defined (const socket_descriptor_
+ /*
+ * Should we include OCC (options consistency check) code?
+ */
+-#ifndef ENABLE_SMALL
+ #define ENABLE_OCC
+-#endif
+
+ /*
+ * Should we include NTLM proxy functionality