bool "Enable internal fragmentation support (--fragment)"
default y
-config OPENVPN_mbedtls_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
config OPENVPN_mbedtls_ENABLE_PORT_SHARE
bool "Enable TCP server port-share support (--port-share)"
default y
-config OPENVPN_mbedtls_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_mbedtls_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
config OPENVPN_mbedtls_ENABLE_IPROUTE2
bool "Enable support for iproute2"
default n
+config OPENVPN_mbedtls_ENABLE_DCO
+ depends on !OPENVPN_mbedtls_ENABLE_IPROUTE2
+ bool "Enable support for data channel offload"
+ default n if OPENVPN_mbedtls_ENABLE_IPROUTE2
+ help
+ enable data channel offload support
+ using the ovpn-dco-v2 kernel module
+
config OPENVPN_mbedtls_ENABLE_SMALL
bool "Enable size optimization"
default y
bool "Enable internal fragmentation support (--fragment)"
default y
-config OPENVPN_openssl_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
config OPENVPN_openssl_ENABLE_PORT_SHARE
bool "Enable TCP server port-share support (--port-share)"
default y
-config OPENVPN_openssl_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_openssl_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
config OPENVPN_openssl_ENABLE_IPROUTE2
bool "Enable support for iproute2"
default n
+config OPENVPN_openssl_ENABLE_DCO
+ depends on !OPENVPN_openssl_ENABLE_IPROUTE2
+ bool "Enable support for data channel offload"
+ default n if OPENVPN_openssl_ENABLE_IPROUTE2
+ help
+ enable data channel offload support
+ using the ovpn-dco-v2 kernel module
+
config OPENVPN_openssl_ENABLE_SMALL
bool "Enable size optimization"
default y
bool "Enable internal fragmentation support (--fragment)"
default y
-config OPENVPN_wolfssl_ENABLE_MULTIHOME
- bool "Enable multi-homed UDP server support (--multihome)"
- default y
-
config OPENVPN_wolfssl_ENABLE_PORT_SHARE
bool "Enable TCP server port-share support (--port-share)"
default y
-config OPENVPN_wolfssl_ENABLE_DEF_AUTH
- bool "Enable deferred authentication"
- default y
-
-config OPENVPN_wolfssl_ENABLE_PF
- bool "Enable internal packet filter"
- default y
-
config OPENVPN_wolfssl_ENABLE_IPROUTE2
bool "Enable support for iproute2"
default n
+config OPENVPN_wolfssl_ENABLE_DCO
+ depends on !OPENVPN_wolfssl_ENABLE_IPROUTE2
+ bool "Enable support for data channel offload"
+ default n if OPENVPN_openssl_ENABLE_IPROUTE2
+ help
+ enable data channel offload support
+ using the ovpn-dco-v2 kernel module
+
config OPENVPN_wolfssl_ENABLE_SMALL
bool "Enable size optimization"
default y
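Review bot: The `default n if OPENVPN_openssl_ENABLE_IPROUTE2` line in the new OPENVPN_wolfssl_ENABLE_DCO entry tests the openssl variant's symbol, which looks like a copy-paste slip, since the `depends on` line just above it uses the wolfssl symbol. Because `depends on !OPENVPN_wolfssl_ENABLE_IPROUTE2` already forces the option off whenever iproute2 is selected, the conditional default never takes effect. The mbedtls and openssl entries carry the same dead line with their own symbol. I would replace it with a plain `default n` in all three entries, or at minimum correct this one to `default n if OPENVPN_wolfssl_ENABLE_IPROUTE2`.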
PKG_NAME:=openvpn
-PKG_VERSION:=2.5.8
-PKG_RELEASE:=3
+PKG_VERSION:=2.6.5
+PKG_RELEASE:=1
PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_HASH:=e34efdb9a3789a760cfc91d57349dfb1e31da169c98c06cb490c6a8a015638e2
PKG_MAINTAINER:=Magnus Kroken <mkroken@gmail.com>
URL:=http://openvpn.net
SUBMENU:=VPN
MENU:=1
- DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3)
+ DEPENDS:=+kmod-tun +libcap-ng +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_LZ4:liblz4 +OPENVPN_$(1)_ENABLE_IPROUTE2:ip +OPENVPN_$(1)_ENABLE_DCO:libnl-genl $(3)
VARIANT:=$(1)
PROVIDES:=openvpn openvpn-crypto
endef
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
-Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL \(experimental\),+PACKAGE_openvpn-wolfssl:libwolfssl)
+Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL,+PACKAGE_openvpn-wolfssl:libwolfssl)
define Package/openvpn/config/Default
source "$(SOURCE)/Config-$(1).in"
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
+ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DCO),--enable,--disable)-dco \
$(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl --with-openssl-engine=no) \
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
$(if $(CONFIG_OPENVPN_WOLFSSL),--with-crypto-library=wolfssl) \
keepalive
key
key_direction
-keysize
learn_address
link_mtu
lladdr
+++ /dev/null
---- a/src/openvpn/options.c
-+++ b/src/openvpn/options.c
-@@ -105,7 +105,6 @@ const char title_string[] =
- #endif
- #endif
- " [AEAD]"
-- " built on " __DATE__
- ;
-
- #ifndef ENABLE_SMALL
+++ /dev/null
-From: Gert Doering <gert@greenie.muc.de>
-
-Support for wolfSSL in OpenVPN
-
-This patch adds support for wolfSSL in OpenVPN. Support is added by using
-wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged
-and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is
-linked against the wolfSSL library. The wolfSSL installation directory is
-detected using pkg-config.
-
-As requested by OpenVPN maintainers, this patch does not include
-wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN
-in the configure script wolfSSL will include wolfssl/options.h on its own
-(change added in wolfSSL/wolfssl#2825). The patch
-adds an option '--disable-wolfssl-options-h' in case the user would like
-to supply their own settings file for wolfSSL.
-
-wolfSSL:
-Support added in: wolfSSL/wolfssl#2503
-
-git clone https://github.com/wolfSSL/wolfssl.git
-cd wolfssl
-./autogen.sh
-./configure --enable-openvpn
-make
-sudo make install
-
-OpenVPN:
-
-autoreconf -i -v -f
-./configure --with-crypto-library=wolfssl
-make
-make check
-sudo make install
-
-Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
-Acked-by: Arne Schwabe <arne@rfc2549.org>
-Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
-Signed-off-by: Gert Doering <gert@greenie.muc.de>
----
- configure.ac | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
- src/openvpn/syshead.h | 3 ++-
- 2 files changed, 110 insertions(+), 3 deletions(-)
---- a/configure.ac
-+++ b/configure.ac
-@@ -271,16 +271,23 @@ AC_ARG_WITH(
-
- AC_ARG_WITH(
- [crypto-library],
-- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
-+ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
- [
- case "${withval}" in
-- openssl|mbedtls) ;;
-+ openssl|mbedtls|wolfssl) ;;
- *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
- esac
- ],
- [with_crypto_library="openssl"]
- )
-
-+AC_ARG_ENABLE(
-+ [wolfssl-options-h],
-+ [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
-+ ,
-+ [enable_wolfssl_options_h="yes"]
-+)
-+
- AC_ARG_WITH(
- [openssl-engine],
- [AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])],
-@@ -1054,6 +1061,105 @@ elif test "${with_crypto_library}" = "mb
- AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
- CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
- CRYPTO_LIBS="${MBEDTLS_LIBS}"
-+
-+elif test "${with_crypto_library}" = "wolfssl"; then
-+ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should
-+ contain the regular wolfSSL header files but also the
-+ wolfSSL OpenSSL header files. Ex: -I/usr/local/include
-+ -I/usr/local/include/wolfssl])
-+ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
-+
-+ saved_CFLAGS="${CFLAGS}"
-+ saved_LIBS="${LIBS}"
-+
-+ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
-+ # if the user did not explicitly specify flags, try to autodetect
-+ PKG_CHECK_MODULES(
-+ [WOLFSSL],
-+ [wolfssl],
-+ [],
-+ [AC_MSG_ERROR([Could not find wolfSSL.])]
-+ )
-+ PKG_CHECK_VAR(
-+ [WOLFSSL_INCLUDEDIR],
-+ [wolfssl],
-+ [includedir],
-+ [],
-+ [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])]
-+ )
-+ WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl"
-+ fi
-+ saved_CFLAGS="${CFLAGS}"
-+ saved_LIBS="${LIBS}"
-+ CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}"
-+ LIBS="${LIBS} ${WOLFSSL_LIBS}"
-+
-+ AC_CHECK_LIB(
-+ [wolfssl],
-+ [wolfSSL_Init],
-+ [],
-+ [AC_MSG_ERROR([Could not link wolfSSL library.])]
-+ )
-+ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
-+
-+ # wolfSSL signal EKM support
-+ have_export_keying_material="yes"
-+
-+ AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+ AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
-+
-+ if test "${enable_wolfssl_options_h}" = "yes"; then
-+ AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
-+ else
-+ AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
-+ fi
-+
-+ have_export_keying_material="yes"
-+
-+ CFLAGS="${saved_CFLAGS}"
-+ LIBS="${saved_LIBS}"
-+
-+ AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
-+ AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
-+ CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
-+ CRYPTO_LIBS="${WOLFSSL_LIBS}"
- else
- AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
- fi
---- a/src/openvpn/syshead.h
-+++ b/src/openvpn/syshead.h
-@@ -582,7 +582,8 @@ socket_defined(const socket_descriptor_t
- /*
- * Do we have CryptoAPI capability?
- */
--#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL)
-+#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \
-+ !defined(ENABLE_CRYPTO_WOLFSSL)
- #define ENABLE_CRYPTOAPI
- #endif
-
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
-@@ -1539,7 +1539,7 @@ const char *
+@@ -1535,7 +1535,7 @@ const char *
get_ssl_library_version(void)
{
static char mbedtls_version[30];
--- /dev/null
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -51,7 +51,7 @@
+ #include <openssl/rand.h>
+ #include <openssl/ssl.h>
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
+ #include <openssl/kdf.h>
+ #endif
+ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+@@ -1419,7 +1419,7 @@ engine_load_key(const char *file, SSL_CT
+ #endif /* if HAVE_OPENSSL_ENGINE */
+ }
+
+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
+ bool
+ ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
+ int secret_len, uint8_t *output, int output_len)
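Review bot: Neither `!defined(ENABLE_CRYPTO_WOLFSSL)` guard added here says which ssl_tls1_PRF() a wolfSSL build ends up with; the `#else` side of the second guard and the function body are outside the hunk, so the fallback cannot be checked from this page. OpenVPN's legacy (non-EKM) data-channel key derivation goes through this PRF, so a build that silently lands on a stub or a different implementation deserves an explicit statement. I would add a comment above the guard naming the reason and the branch taken, e.g. `/* wolfSSL compat layer: <reason>; ssl_tls1_PRF() comes from the #else branch below */`, filled in once confirmed. The two guards added to ssl_openssl.c have the same gap: they compile out the EC branch of tls_ctx_use_management_external_key() for wolfSSL with no note on what an EC key then falls through to. The new patch files are also added without the From/Subject/description header that the removed wolfSSL patch carried.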
--- /dev/null
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -1351,7 +1351,7 @@ err:
+ return 0;
+ }
+
+-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
++#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
+
+ /* called when EC_KEY is destroyed */
+ static void
+@@ -1512,7 +1512,7 @@ tls_ctx_use_management_external_key(stru
+ goto cleanup;
+ }
+ }
+-#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
++#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
+ #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
--- /dev/null
+--- a/src/openvpn/ssl_verify_openssl.c
++++ b/src/openvpn/ssl_verify_openssl.c
+@@ -269,6 +269,9 @@ backend_x509_get_username(char *common_n
+ return FAILURE;
+ }
+ }
++#if defined(ENABLE_CRYPTO_WOLFSSL)
++ #define LN_serialNumber "serialNumber"
++#endif
+ else if (strcmp(LN_serialNumber, x509_username_field) == 0)
+ {
+ ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
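Review bot: The `#define LN_serialNumber "serialNumber"` is inserted between the closing brace of one branch and the following `else if` inside backend_x509_get_username(), and it is not protected against the macro already existing. It preprocesses correctly, but a define in the middle of an if/else chain is easy to misread, and a wolfSSL release that starts providing LN_serialNumber with different text would turn it into a redefinition diagnostic. I would move it to file scope after the includes as `#if defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LN_serialNumber)` / `#define LN_serialNumber "serialNumber"` / `#endif`. The function starts and ends outside the hunk.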
+++ /dev/null
---- a/configure.ac
-+++ b/configure.ac
-@@ -1211,68 +1211,15 @@ dnl
- AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
- AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
- if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
-- if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then
-- # if the user did not explicitly specify flags, try to autodetect
-- PKG_CHECK_MODULES([LZ4],
-- [liblz4 >= 1.7.1 liblz4 < 100],
-- [have_lz4="yes"],
-- [LZ4_LIBS="-llz4"] # If this fails, we will do another test next.
-- # We also add set LZ4_LIBS otherwise the
-- # linker will not know about the lz4 library
-- )
-- fi
-
- saved_CFLAGS="${CFLAGS}"
- saved_LIBS="${LIBS}"
- CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
- LIBS="${LIBS} ${LZ4_LIBS}"
-
-- # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars
-- # are used, check the version directly in the LZ4 include file
-- if test "${have_lz4}" != "yes"; then
-- AC_CHECK_HEADERS([lz4.h],
-- [have_lz4h="yes"],
-- [])
--
-- if test "${have_lz4h}" = "yes" ; then
-- AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1])
-- AC_COMPILE_IFELSE(
-- [AC_LANG_PROGRAM([[
--#include <lz4.h>
-- ]],
-- [[
--/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */
--#if LZ4_VERSION_NUMBER < 10701L
--#error LZ4 is too old
--#endif
-- ]]
-- )],
-- [
-- AC_MSG_RESULT([ok])
-- have_lz4="yes"
-- ],
-- [AC_MSG_RESULT([system LZ4 library is too old])]
-- )
-- fi
-- fi
--
-- # Double check we have a few needed functions
-- if test "${have_lz4}" = "yes" ; then
-- AC_CHECK_LIB([lz4],
-- [LZ4_compress_default],
-- [],
-- [have_lz4="no"])
-- AC_CHECK_LIB([lz4],
-- [LZ4_decompress_safe],
-- [],
-- [have_lz4="no"])
-- fi
--
-- if test "${have_lz4}" != "yes" ; then
-- AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
-- AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
-- LZ4_LIBS=""
-- fi
-+ AC_MSG_RESULT([ usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
-+ AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
-+ LZ4_LIBS=""
- OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
- OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
- AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library])
+++ /dev/null
---- a/src/openvpn/syshead.h
-+++ b/src/openvpn/syshead.h
-@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
- /*
- * Should we include NTLM proxy functionality
- */
--#define NTLM 1
-+//#define NTLM 1
-
- /*
- * Should we include proxy digest auth functionality
---- a/src/openvpn/crypto_mbedtls.c
-+++ b/src/openvpn/crypto_mbedtls.c
-@@ -396,6 +396,7 @@ int
- key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
- {
- int ret = 0;
-+#ifdef MBEDTLS_DES_C
- if (kt->type == MBEDTLS_CIPHER_DES_CBC)
- {
- ret = 1;
-@@ -408,6 +409,7 @@ key_des_num_cblocks(const mbedtls_cipher
- {
- ret = 3;
- }
-+#endif
-
- dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
- return ret;
-@@ -416,6 +418,7 @@ key_des_num_cblocks(const mbedtls_cipher
- bool
- key_des_check(uint8_t *key, int key_len, int ndc)
- {
-+#ifdef MBEDTLS_DES_C
- int i;
- struct buffer b;
-
-@@ -444,11 +447,15 @@ key_des_check(uint8_t *key, int key_len,
-
- err:
- return false;
-+#else
-+ return true;
-+#endif
- }
-
- void
- key_des_fixup(uint8_t *key, int key_len, int ndc)
- {
-+#ifdef MBEDTLS_DES_C
- int i;
- struct buffer b;
-
-@@ -463,6 +470,7 @@ key_des_fixup(uint8_t *key, int key_len,
- }
- mbedtls_des_key_set_parity(key);
- }
-+#endif
- }
-
- /*
-@@ -783,10 +791,12 @@ cipher_des_encrypt_ecb(const unsigned ch
- unsigned char *src,
- unsigned char *dst)
- {
-+#ifdef MBEDTLS_DES_C
- mbedtls_des_context ctx;
-
- ASSERT(mbed_ok(mbedtls_des_setkey_enc(&ctx, key)));
- ASSERT(mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst)));
-+#endif
- }
-
-