openvpn: update to 2.4.8

Backport two upstream commits that allow building
openvpn-openssl without OpenSSLs deprecated APIs.

Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
This commit is contained in:
Magnus Kroken 2019-11-02 00:30:02 +01:00 committed by Hans Dedecker
parent e2eb6d5829
commit bf43e5bbf9
5 changed files with 129 additions and 6 deletions

View File

@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn
PKG_VERSION:=2.4.7
PKG_RELEASE:=2
PKG_VERSION:=2.4.8
PKG_RELEASE:=1
PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_HASH:=a42f53570f669eaf10af68e98d65b531015ff9e12be7a62d9269ea684652f648
PKG_HASH:=fb8ca66bb7807fff595fbdf2a0afd085c02a6aa47715c9aa3171002f9f1a3f91
PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
@ -44,7 +44,7 @@ else
endif
endef
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl +@OPENSSL_WITH_DEPRECATED)
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))

View File

@ -0,0 +1,58 @@
From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 26 Nov 2017 16:04:00 +0100
Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
Compiling our current master against OpenSSL 1.1 with
-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
the errors about the deprecated SSLEAY/SSLeay symbols and defines.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171126150401.28565-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
configure.ac | 1 +
src/openvpn/openssl_compat.h | 8 ++++++++
src/openvpn/ssl_openssl.c | 2 +-
3 files changed, 10 insertions(+), 1 deletion(-)
--- a/configure.ac
+++ b/configure.ac
@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
EVP_MD_CTX_free \
EVP_MD_CTX_reset \
EVP_CIPHER_CTX_reset \
+ OpenSSL_version \
SSL_CTX_get_default_passwd_cb \
SSL_CTX_get_default_passwd_cb_userdata \
SSL_CTX_set_security_level \
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
#endif
/* SSLeay symbols have been renamed in OpenSSL 1.1 */
+#ifndef OPENSSL_VERSION
+#define OPENSSL_VERSION SSLEAY_VERSION
+#endif
+
+#ifndef HAVE_OPENSSL_VERSION
+#define OpenSSL_version SSLeay_version
+#endif
+
#if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT
#endif
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1977,7 +1977,7 @@ get_highest_preference_tls_cipher(char *
const char *
get_ssl_library_version(void)
{
- return SSLeay_version(SSLEAY_VERSION);
+ return OpenSSL_version(OPENSSL_VERSION);
}
#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */

View File

@ -0,0 +1,65 @@
From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Sun, 26 Nov 2017 16:49:12 +0100
Subject: [PATCH] openssl: add missing #include statements
Compiling our current master against OpenSSL 1.1 with
-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder. This patch fixes
the errors caused by missing includes. Previous openssl versions would
usually include 'the rest of the world', but they're fixing that. So we
should no longer rely on it.
(And sneaking in alphabetic ordering of the includes while touching them.)
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20171126154912.13283-1-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/openssl_compat.h | 1 +
src/openvpn/ssl_openssl.c | 6 +++++-
src/openvpn/ssl_verify_openssl.c | 3 ++-
3 files changed, 8 insertions(+), 2 deletions(-)
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -42,6 +42,7 @@
#include "buffer.h"
+#include <openssl/rsa.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -52,10 +52,14 @@
#include "ssl_verify_openssl.h"
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
+#include <openssl/dh.h>
+#include <openssl/dsa.h>
#include <openssl/err.h>
#include <openssl/pkcs12.h>
+#include <openssl/rsa.h>
#include <openssl/x509.h>
-#include <openssl/crypto.h>
#ifndef OPENSSL_NO_EC
#include <openssl/ec.h>
#endif
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -44,8 +44,9 @@
#include "ssl_verify_backend.h"
#include "openssl_compat.h"
-#include <openssl/x509v3.h>
+#include <openssl/bn.h>
#include <openssl/err.h>
+#include <openssl/x509v3.h>
int
verify_callback(int preverify_ok, X509_STORE_CTX *ctx)

View File

@ -1,6 +1,6 @@
--- a/configure.ac
+++ b/configure.ac
@@ -1078,68 +1078,15 @@ dnl
@@ -1080,68 +1080,15 @@ dnl
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then

View File

@ -66,7 +66,7 @@
}
/*
@@ -710,10 +718,12 @@ cipher_des_encrypt_ecb(const unsigned ch
@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch
unsigned char *src,
unsigned char *dst)
{