From bf43e5bbf91ca1a90df8dae3e2cce6bbb61d5cd9 Mon Sep 17 00:00:00 2001 From: Magnus Kroken Date: Sat, 2 Nov 2019 00:30:02 +0100 Subject: [PATCH] openvpn: update to 2.4.8 Backport two upstream commits that allow building openvpn-openssl without OpenSSLs deprecated APIs. Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8 Signed-off-by: Magnus Kroken --- package/network/services/openvpn/Makefile | 8 +-- ...l-dont-use-deprecated-ssleay-symbols.patch | 58 +++++++++++++++++ ...enssl-add-missing-include-statements.patch | 65 +++++++++++++++++++ .../210-build_always_use_internal_lz4.patch | 2 +- .../openvpn/patches/220-disable_des.patch | 2 +- 5 files changed, 129 insertions(+), 6 deletions(-) create mode 100644 package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch create mode 100644 package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index aed9f43f80..baa8c1d07e 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile @@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.4.7 -PKG_RELEASE:=2 +PKG_VERSION:=2.4.8 +PKG_RELEASE:=1 PKG_SOURCE_URL:=\ https://build.openvpn.net/downloads/releases/ \ https://swupdate.openvpn.net/community/releases/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_HASH:=a42f53570f669eaf10af68e98d65b531015ff9e12be7a62d9269ea684652f648 +PKG_HASH:=fb8ca66bb7807fff595fbdf2a0afd085c02a6aa47715c9aa3171002f9f1a3f91 PKG_MAINTAINER:=Felix Fietkau @@ -44,7 +44,7 @@ else endif endef -Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl +@OPENSSL_WITH_DEPRECATED) +Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl) Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls) Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL)) diff --git a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch new file mode 100644 index 0000000000..7e9931f0f3 --- /dev/null +++ b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch @@ -0,0 +1,58 @@ +From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001 +From: Steffan Karger +Date: Sun, 26 Nov 2017 16:04:00 +0100 +Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols + +Compiling our current master against OpenSSL 1.1 with +-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes +the errors about the deprecated SSLEAY/SSLeay symbols and defines. + +Signed-off-by: Steffan Karger +Acked-by: Gert Doering +Message-Id: <20171126150401.28565-1-steffan@karger.me> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html +Signed-off-by: Gert Doering +--- + configure.ac | 1 + + src/openvpn/openssl_compat.h | 8 ++++++++ + src/openvpn/ssl_openssl.c | 2 +- + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/configure.ac ++++ b/configure.ac +@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$ + EVP_MD_CTX_free \ + EVP_MD_CTX_reset \ + EVP_CIPHER_CTX_reset \ ++ OpenSSL_version \ + SSL_CTX_get_default_passwd_cb \ + SSL_CTX_get_default_passwd_cb_userdata \ + SSL_CTX_set_security_level \ +--- a/src/openvpn/openssl_compat.h ++++ b/src/openvpn/openssl_compat.h +@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou + #endif + + /* SSLeay symbols have been renamed in OpenSSL 1.1 */ ++#ifndef OPENSSL_VERSION ++#define OPENSSL_VERSION SSLEAY_VERSION ++#endif ++ ++#ifndef HAVE_OPENSSL_VERSION ++#define OpenSSL_version SSLeay_version ++#endif ++ + #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT) + #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT + #endif +--- a/src/openvpn/ssl_openssl.c ++++ b/src/openvpn/ssl_openssl.c +@@ -1977,7 +1977,7 @@ get_highest_preference_tls_cipher(char * + const char * + get_ssl_library_version(void) + { +- return SSLeay_version(SSLEAY_VERSION); ++ return OpenSSL_version(OPENSSL_VERSION); + } + + #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */ diff --git a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch new file mode 100644 index 0000000000..6a62b16500 --- /dev/null +++ b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch @@ -0,0 +1,65 @@ +From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001 +From: Steffan Karger +Date: Sun, 26 Nov 2017 16:49:12 +0100 +Subject: [PATCH] openssl: add missing #include statements + +Compiling our current master against OpenSSL 1.1 with +-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes +the errors caused by missing includes. Previous openssl versions would +usually include 'the rest of the world', but they're fixing that. So we +should no longer rely on it. + +(And sneaking in alphabetic ordering of the includes while touching them.) + +Signed-off-by: Steffan Karger +Acked-by: Gert Doering +Message-Id: <20171126154912.13283-1-steffan@karger.me> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html +Signed-off-by: Gert Doering +--- + src/openvpn/openssl_compat.h | 1 + + src/openvpn/ssl_openssl.c | 6 +++++- + src/openvpn/ssl_verify_openssl.c | 3 ++- + 3 files changed, 8 insertions(+), 2 deletions(-) + +--- a/src/openvpn/openssl_compat.h ++++ b/src/openvpn/openssl_compat.h +@@ -42,6 +42,7 @@ + + #include "buffer.h" + ++#include + #include + #include + +--- a/src/openvpn/ssl_openssl.c ++++ b/src/openvpn/ssl_openssl.c +@@ -52,10 +52,14 @@ + + #include "ssl_verify_openssl.h" + ++#include ++#include ++#include ++#include + #include + #include ++#include + #include +-#include + #ifndef OPENSSL_NO_EC + #include + #endif +--- a/src/openvpn/ssl_verify_openssl.c ++++ b/src/openvpn/ssl_verify_openssl.c +@@ -44,8 +44,9 @@ + #include "ssl_verify_backend.h" + #include "openssl_compat.h" + +-#include ++#include + #include ++#include + + int + verify_callback(int preverify_ok, X509_STORE_CTX *ctx) diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch index dc4039c3e6..5cf5174a9d 100644 --- a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch +++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -1078,68 +1078,15 @@ dnl +@@ -1080,68 +1080,15 @@ dnl AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then diff --git a/package/network/services/openvpn/patches/220-disable_des.patch b/package/network/services/openvpn/patches/220-disable_des.patch index 030958d1bc..2b8f47a802 100644 --- a/package/network/services/openvpn/patches/220-disable_des.patch +++ b/package/network/services/openvpn/patches/220-disable_des.patch @@ -66,7 +66,7 @@ } /* -@@ -710,10 +718,12 @@ cipher_des_encrypt_ecb(const unsigned ch +@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch unsigned char *src, unsigned char *dst) {