From 9e865ef063d738efd666967efcd8970b52c4a1d1 Mon Sep 17 00:00:00 2001 From: RISCi_ATOM Date: Mon, 28 Dec 2020 22:21:56 -0500 Subject: [PATCH] openvpn: Bump to 2.4.10 OpenVPN in the upstream 19.07 branch is no longer being maintained; in master, openvpn has been removed from base and was bump'ed to 2.5.x. This moves openvpn forward with the last patches from 2.4.x (excluding hotplug patches). --- package/network/services/openvpn/Makefile | 19 ++---- ...bedtls-disable-runtime-version-check.patch | 2 +- ...l-dont-use-deprecated-ssleay-symbols.patch | 58 +++++++++++++++++ ...enssl-add-missing-include-statements.patch | 65 +++++++++++++++++++ .../210-build_always_use_internal_lz4.patch | 2 +- .../openvpn/patches/220-disable_des.patch | 2 +- 6 files changed, 130 insertions(+), 18 deletions(-) create mode 100644 package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch create mode 100644 package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile index aed9f43f80..66c72bfc7a 100644 --- a/package/network/services/openvpn/Makefile +++ b/package/network/services/openvpn/Makefile @@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn -PKG_VERSION:=2.4.7 -PKG_RELEASE:=2 +PKG_VERSION:=2.4.10 +PKG_RELEASE:=1 PKG_SOURCE_URL:=\ https://build.openvpn.net/downloads/releases/ \ https://swupdate.openvpn.net/community/releases/ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_HASH:=a42f53570f669eaf10af68e98d65b531015ff9e12be7a62d9269ea684652f648 +PKG_HASH:=cf285395a679f0b68c0acde2cb2480e8ead6ca07ff14c1bc52ae65a1243aa377 PKG_MAINTAINER:=Felix Fietkau 
@@ -37,16 +37,11 @@ define Package/openvpn/Default MENU:=1 DEPENDS:=+kmod-tun +OPENVPN_$(1)_ENABLE_LZO:liblzo +OPENVPN_$(1)_ENABLE_IPROUTE2:ip $(3) VARIANT:=$(1) -ifeq ($(1),nossl) - PROVIDES:=openvpn -else PROVIDES:=openvpn openvpn-crypto -endif endef -Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl +@OPENSSL_WITH_DEPRECATED) +Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl) Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls) -Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL)) define Package/openvpn/config/Default source "$(SOURCE)/Config-$(1).in" @@ -54,7 +49,6 @@ endef Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl) Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls) -Package/openvpn-nossl/config=$(call Package/openvpn/config/Default,nossl) ifeq ($(BUILD_VARIANT),mbedtls) CONFIG_OPENVPN_MBEDTLS:=y @@ -62,9 +56,6 @@ endif ifeq ($(BUILD_VARIANT),openssl) CONFIG_OPENVPN_OPENSSL:=y endif -ifeq ($(BUILD_VARIANT),nossl) -CONFIG_OPENVPN_NOSSL:=y -endif CONFIGURE_VARS += \ IFCONFIG=/sbin/ifconfig \ @@ -94,7 +85,6 @@ define Build/Configure $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \ $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \ - $(if $(CONFIG_OPENVPN_NOSSL),--disable-crypto,--enable-crypto) \ $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \ $(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \ ) @@ -134,4 +124,3 @@ endef $(eval $(call BuildPackage,openvpn-openssl)) $(eval $(call BuildPackage,openvpn-mbedtls)) -$(eval $(call BuildPackage,openvpn-nossl)) 
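Review bot: Removing the nossl variant in this hunk and in the Build/Configure hunk (@@ -94,7 +85,6) leaves no crypto switch in the visible configure arguments, so an encrypted build now depends on the upstream configure default rather than on this Makefile. Keeping an unconditional `--enable-crypto \` next to the `--with-crypto-library=...` lines would make that property explicit and keep it if the default ever changes. The diffstat also lists no removal of `Config-nossl.in`; if that file is present in the tree it is now unreferenced and should go in the same commit. Dropping `+@OPENSSL_WITH_DEPRECATED` appears to rely on patches 110 and 111 covering every deprecated OpenSSL call, which is worth confirming with a build against a libopenssl configured without deprecated APIs.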
diff --git a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch index 7fc0089000..cb16a906fe 100644 --- a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch +++ b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch @@ -1,6 +1,6 @@ --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c -@@ -1406,7 +1406,7 @@ const char * +@@ -1415,7 +1415,7 @@ const char * get_ssl_library_version(void) { static char mbedtls_version[30]; diff --git a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch new file mode 100644 index 0000000000..c7faf7c0c0 --- /dev/null +++ b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch 
@@ -0,0 +1,58 @@
+From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
+From: Steffan Karger
+Date: Sun, 26 Nov 2017 16:04:00 +0100
+Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
+
+Compiling our current master against OpenSSL 1.1 with
+-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
+the errors about the deprecated SSLEAY/SSLeay symbols and defines.
+
+Signed-off-by: Steffan Karger
+Acked-by: Gert Doering
+Message-Id: <20171126150401.28565-1-steffan@karger.me>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
+Signed-off-by: Gert Doering
+---
+ configure.ac | 1 +
+ src/openvpn/openssl_compat.h | 8 ++++++++
+ src/openvpn/ssl_openssl.c | 2 +-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
+ EVP_MD_CTX_free \
+ EVP_MD_CTX_reset \
+ EVP_CIPHER_CTX_reset \
++ OpenSSL_version \
+ SSL_CTX_get_default_passwd_cb \
+ SSL_CTX_get_default_passwd_cb_userdata \
+ SSL_CTX_set_security_level \
+--- a/src/openvpn/openssl_compat.h
++++ b/src/openvpn/openssl_compat.h
+@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
+ #endif
+
+ /* SSLeay symbols have been renamed in OpenSSL 1.1 */
++#ifndef OPENSSL_VERSION
++#define OPENSSL_VERSION SSLEAY_VERSION
++#endif
++
++#ifndef HAVE_OPENSSL_VERSION
++#define OpenSSL_version SSLeay_version
++#endif
++
+ #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
+ #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+ #endif
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
+ const char *
+ get_ssl_library_version(void)
+ {
+- return SSLeay_version(SSLEAY_VERSION);
++ return OpenSSL_version(OPENSSL_VERSION);
+ }
+
+ #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
diff --git a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
new file mode 100644
index 0000000000..6a62b16500
--- /dev/null
+++ b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
@@ -0,0 +1,65 @@
+From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001
+From: Steffan Karger
+Date: Sun, 26 Nov 2017 16:49:12 +0100
+Subject: [PATCH] openssl: add missing #include statements
+
+Compiling our current master against OpenSSL 1.1 with
+-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
+the errors caused by missing includes. Previous openssl versions would
+usually include 'the rest of the world', but they're fixing that. So we
+should no longer rely on it.
+
+(And sneaking in alphabetic ordering of the includes while touching them.)
+
+Signed-off-by: Steffan Karger
+Acked-by: Gert Doering
+Message-Id: <20171126154912.13283-1-steffan@karger.me>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html
+Signed-off-by: Gert Doering
+---
+ src/openvpn/openssl_compat.h | 1 +
+ src/openvpn/ssl_openssl.c | 6 +++++-
+ src/openvpn/ssl_verify_openssl.c | 3 ++-
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/src/openvpn/openssl_compat.h
++++ b/src/openvpn/openssl_compat.h
+@@ -42,6 +42,7 @@
+
+ #include "buffer.h"
+
++#include
+#include
+#include
+
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -52,10 +52,14 @@
+
+ #include "ssl_verify_openssl.h"
+
++#include
++#include
++#include
++#include
+ #include
+ #include
++#include
+ #include
+-#include
+ #ifndef OPENSSL_NO_EC
+ #include
+ #endif
+--- a/src/openvpn/ssl_verify_openssl.c
++++ b/src/openvpn/ssl_verify_openssl.c
+@@ -44,8 +44,9 @@
+ #include "ssl_verify_backend.h"
+ #include "openssl_compat.h"
+
+-#include
++#include
+ #include
++#include
+
+ int
+ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
index dc4039c3e6..5cf5174a9d 100644
--- a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -1078,68 +1078,15 @@ dnl +@@ -1080,68 +1080,15 @@ dnl AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then diff --git a/package/network/services/openvpn/patches/220-disable_des.patch b/package/network/services/openvpn/patches/220-disable_des.patch index 030958d1bc..2b8f47a802 100644 --- a/package/network/services/openvpn/patches/220-disable_des.patch +++ b/package/network/services/openvpn/patches/220-disable_des.patch @@ -66,7 +66,7 @@ } /* -@@ -710,10 +718,12 @@ cipher_des_encrypt_ecb(const unsigned ch +@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch unsigned char *src, unsigned char *dst) { -- 2.25.1