[19.07,1/3] openvpn: update to 2.4.8

Message ID	20210421201058.7043-2-mkroken@gmail.com
State	Accepted
Delegated to:	Hauke Mehrtens
Headers	show Return-Path: <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org> From: Magnus Kroken <mkroken@gmail.com> To: openwrt-devel@lists.openwrt.org Subject: [PATCH 19.07 1/3] openvpn: update to 2.4.8 Date: Wed, 21 Apr 2021 22:10:56 +0200 Message-Id: <20210421201058.7043-2-mkroken@gmail.com> In-Reply-To: <20210421201058.7043-1-mkroken@gmail.com> References: <20210421201058.7043-1-mkroken@gmail.com> MIME-Version: 1.0 preview: Backport two upstream commits that allow building openvpn-openssl without OpenSSLs deprecated APIs. Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8 Signed-off-by: Magnus Kroken (cherry-picked from commit bf43e5bbf91ca1a90df8dae3e2cce6bbb61d5cd9) --- package/network/services/openvpn/Makefile \| 8 +-- ...l-dont-use-deprecated-ssleay-symbols.patch [...] Content analysis details: (-0.1 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2a00:1450:4864:20:0:0:0:229 listed in] [list.dnswl.org] 0.1 URIBL_CSS_A Contains URL's A record listed in the Spamhaus CSS blocklist [URIs: build.openvpn.net] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [mkroken[at]gmail.com] 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org> Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org
Series	openvpn: update to 2.4.11 \| expand [19.07,0/3] openvpn: update to 2.4.11 [19.07,1/3] openvpn: update to 2.4.8 [19.07,2/3] openvpn: update to 2.4.9 [19.07,3/3] openvpn: update to 2.4.11

Message ID

20210421201058.7043-2-mkroken@gmail.com

State

Accepted

Delegated to:

Hauke Mehrtens

Headers

From: Magnus Kroken <mkroken@gmail.com>
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH 19.07 1/3] openvpn: update to 2.4.8
Date: Wed, 21 Apr 2021 22:10:56 +0200
Message-Id: <20210421201058.7043-2-mkroken@gmail.com>
In-Reply-To: <20210421201058.7043-1-mkroken@gmail.com>
References: <20210421201058.7043-1-mkroken@gmail.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org

Series

openvpn: update to 2.4.11 | expand

Commit Message

Magnus Kroken April 21, 2021, 8:10 p.m. UTC

Backport two upstream commits that allow building
openvpn-openssl without OpenSSLs deprecated APIs.

Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry-picked from commit bf43e5bbf91ca1a90df8dae3e2cce6bbb61d5cd9)
---
 package/network/services/openvpn/Makefile     |  8 +--
 ...l-dont-use-deprecated-ssleay-symbols.patch | 58 +++++++++++++++++
 ...enssl-add-missing-include-statements.patch | 65 +++++++++++++++++++
 .../210-build_always_use_internal_lz4.patch   |  2 +-
 .../openvpn/patches/220-disable_des.patch     |  2 +-
 5 files changed, 129 insertions(+), 6 deletions(-)
 create mode 100644 package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 create mode 100644 package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch

diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index aed9f43f80..baa8c1d07e 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,14 +9,14 @@  include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.7
-PKG_RELEASE:=2
+PKG_VERSION:=2.4.8
+PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
 	https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=a42f53570f669eaf10af68e98d65b531015ff9e12be7a62d9269ea684652f648
+PKG_HASH:=fb8ca66bb7807fff595fbdf2a0afd085c02a6aa47715c9aa3171002f9f1a3f91
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 
@@ -44,7 +44,7 @@  else
 endif
 endef
 
-Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl +@OPENSSL_WITH_DEPRECATED)
+Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
 Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
 Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
 
diff --git a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
new file mode 100644
index 0000000000..7e9931f0f3
--- /dev/null
+++ b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
@@ -0,0 +1,58 @@ 
+From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan@karger.me>
+Date: Sun, 26 Nov 2017 16:04:00 +0100
+Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
+
+Compiling our current master against OpenSSL 1.1 with
+-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder.  This patch fixes
+the errors about the deprecated SSLEAY/SSLeay symbols and defines.
+
+Signed-off-by: Steffan Karger <steffan@karger.me>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20171126150401.28565-1-steffan@karger.me>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ configure.ac                 | 1 +
+ src/openvpn/openssl_compat.h | 8 ++++++++
+ src/openvpn/ssl_openssl.c    | 2 +-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
+ 			EVP_MD_CTX_free \
+ 			EVP_MD_CTX_reset \
+ 			EVP_CIPHER_CTX_reset \
++			OpenSSL_version \
+ 			SSL_CTX_get_default_passwd_cb \
+ 			SSL_CTX_get_default_passwd_cb_userdata \
+ 			SSL_CTX_set_security_level \
+--- a/src/openvpn/openssl_compat.h
++++ b/src/openvpn/openssl_compat.h
+@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
+ #endif
+ 
+ /* SSLeay symbols have been renamed in OpenSSL 1.1 */
++#ifndef OPENSSL_VERSION
++#define OPENSSL_VERSION SSLEAY_VERSION
++#endif
++
++#ifndef HAVE_OPENSSL_VERSION
++#define OpenSSL_version SSLeay_version
++#endif
++
+ #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
+ #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+ #endif
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -1977,7 +1977,7 @@ get_highest_preference_tls_cipher(char *
+ const char *
+ get_ssl_library_version(void)
+ {
+-    return SSLeay_version(SSLEAY_VERSION);
++    return OpenSSL_version(OPENSSL_VERSION);
+ }
+ 
+ #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
diff --git a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
new file mode 100644
index 0000000000..6a62b16500
--- /dev/null
+++ b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
@@ -0,0 +1,65 @@ 
+From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan@karger.me>
+Date: Sun, 26 Nov 2017 16:49:12 +0100
+Subject: [PATCH] openssl: add missing #include statements
+
+Compiling our current master against OpenSSL 1.1 with
+-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder.  This patch fixes
+the errors caused by missing includes.  Previous openssl versions would
+usually include 'the rest of the world', but they're fixing that.  So we
+should no longer rely on it.
+
+(And sneaking in alphabetic ordering of the includes while touching them.)
+
+Signed-off-by: Steffan Karger <steffan@karger.me>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20171126154912.13283-1-steffan@karger.me>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/openssl_compat.h     | 1 +
+ src/openvpn/ssl_openssl.c        | 6 +++++-
+ src/openvpn/ssl_verify_openssl.c | 3 ++-
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/src/openvpn/openssl_compat.h
++++ b/src/openvpn/openssl_compat.h
+@@ -42,6 +42,7 @@
+ 
+ #include "buffer.h"
+ 
++#include <openssl/rsa.h>
+ #include <openssl/ssl.h>
+ #include <openssl/x509.h>
+ 
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -52,10 +52,14 @@
+ 
+ #include "ssl_verify_openssl.h"
+ 
++#include <openssl/bn.h>
++#include <openssl/crypto.h>
++#include <openssl/dh.h>
++#include <openssl/dsa.h>
+ #include <openssl/err.h>
+ #include <openssl/pkcs12.h>
++#include <openssl/rsa.h>
+ #include <openssl/x509.h>
+-#include <openssl/crypto.h>
+ #ifndef OPENSSL_NO_EC
+ #include <openssl/ec.h>
+ #endif
+--- a/src/openvpn/ssl_verify_openssl.c
++++ b/src/openvpn/ssl_verify_openssl.c
+@@ -44,8 +44,9 @@
+ #include "ssl_verify_backend.h"
+ #include "openssl_compat.h"
+ 
+-#include <openssl/x509v3.h>
++#include <openssl/bn.h>
+ #include <openssl/err.h>
++#include <openssl/x509v3.h>
+ 
+ int
+ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
diff --git a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
index dc4039c3e6..5cf5174a9d 100644
--- a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
+++ b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
@@ -1,6 +1,6 @@ 
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1078,68 +1078,15 @@ dnl
+@@ -1080,68 +1080,15 @@ dnl
  AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
  AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
  if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
diff --git a/package/network/services/openvpn/patches/220-disable_des.patch b/package/network/services/openvpn/patches/220-disable_des.patch
index 030958d1bc..2b8f47a802 100644
--- a/package/network/services/openvpn/patches/220-disable_des.patch
+++ b/package/network/services/openvpn/patches/220-disable_des.patch
@@ -66,7 +66,7 @@ 
  }
  
  /*
-@@ -710,10 +718,12 @@ cipher_des_encrypt_ecb(const unsigned ch
+@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch
                         unsigned char *src,
                         unsigned char *dst)
  {

[19.07,1/3] openvpn: update to 2.4.8

Commit Message

Patch