From 9faf26770b57f2350ebb0290204d80a227c0fe20 Mon Sep 17 00:00:00 2001
From: Qingfang Deng
Date: Thu, 2 Apr 2026 10:42:16 +0800
Subject: [PATCH] openvpn: update to 2.7.1
The new DCO module depends on OpenVPN 2.7.1. For details refer to https://github.com/OpenVPN/openvpn/blob/v2.7.1/Changes.rst
Removed upstreamed wolfSSL patches:
- 101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
- 102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
Reworked 100-mbedtls-disable-runtime-version-check.patch to use MBEDTLS_VERSION_STRING instead of a mutable buffer.
Signed-off-by: Qingfang Deng
---
 net/openvpn/Makefile | 6 +-
 ...bedtls-disable-runtime-version-check.patch | 16 ++++---
 ...P_PKEY_CTX_-compilation-with-wolfSSL.patch | 20 --------
 ...y_openssl-use-official-ASN1_STRING_-.patch | 46 +++++++++++++++++++
 ...y-support-when-building-with-wolfSSL.patch | 20 --------
 ...3-define-LN_serialNumber-for-wolfSSL.patch | 2 +-
 6 files changed, 60 insertions(+), 50 deletions(-)
 delete mode 100644 net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
 create mode 100644 net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch
 delete mode 100644 net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile
index 7e1358b9da..02befd9e74 100644
--- a/net/openvpn/Makefile
+++ b/net/openvpn/Makefile
@@ -9,14 +9,14 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
-PKG_VERSION:=2.6.19
-PKG_RELEASE:=3
+PKG_VERSION:=2.7.1
+PKG_RELEASE:=1
 PKG_SOURCE_URL:=\
 https://build.openvpn.net/downloads/releases/ \
 https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_HASH:=13702526f687c18b2540c1a3f2e189187baaa65211edcf7ff6772fa69f0536cf
+PKG_HASH:=9858477ec2894a8a672974d8650dcb1af2eeffb468981a2b619f0fa387081167
 PKG_MAINTAINER:=
diff --git a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch index 919e5400e5..1e777330f0 100644 --- a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch +++ b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch @@ -1,11 +1,15 @@ --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c -@@ -1611,7 +1611,7 @@ const char * +@@ -1573,11 +1573,7 @@ show_available_curves(void) + const char * get_ssl_library_version(void) { - static char mbedtls_version[30]; +- static char mbedtls_version[30]; - unsigned int pv = mbedtls_version_get_number(); -+ unsigned int pv = MBEDTLS_VERSION_NUMBER; - snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", - (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff ); - return mbedtls_version; +- snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", (pv >> 24) & 0xff, +- (pv >> 16) & 0xff, (pv >> 8) & 0xff); +- return mbedtls_version; ++ return "mbed TLS " MBEDTLS_VERSION_STRING; + } + + void diff --git a/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch b/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch deleted file mode 100644 index 2663790059..0000000000 --- a/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch +++ /dev/null 
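Review bot: The reworked 100-mbedtls-disable-runtime-version-check.patch still carries no description, so the reason for replacing the runtime `mbedtls_version_get_number()` query with the compile-time `MBEDTLS_VERSION_STRING` is only recoverable from the file name and this commit message. The visible effect is that `get_ssl_library_version()` now reports the mbed TLS version openvpn was compiled against rather than the library actually loaded at run time; those can differ when libmbedtls is a shared library upgraded independently of openvpn, which matters for anyone using `openvpn --version` or the startup log banner to inventory TLS library versions. Suggest a short header at the top of the patch file stating the rationale and the caveat, e.g. `Report the build-time mbed TLS version string instead of querying the library at runtime; the value reflects the headers openvpn was built against, not a libmbedtls that was upgraded afterwards.`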
@@ -1,20 +0,0 @@ ---- a/src/openvpn/crypto_openssl.c -+++ b/src/openvpn/crypto_openssl.c -@@ -49,7 +49,7 @@ - #include - #include - --#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) -+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER) - #include - #endif - #if OPENSSL_VERSION_NUMBER >= 0x30000000L -@@ -1399,7 +1399,7 @@ memcmp_constant_time(const void *a, cons - return CRYPTO_memcmp(a, b, size); - } - --#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) -+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER) - bool - ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, - int secret_len, uint8_t *output, int output_len) diff --git a/net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch b/net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch new file mode 100644 index 0000000000..deb23f3f0d --- /dev/null +++ b/net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch 
@@ -0,0 +1,46 @@ +Subject: [PATCH] Revert "ssl_verify_openssl: use official ASN1_STRING_ API" + +This reverts commit 388800782687793ea968b722e22319b8a13fddbd. +It breaks wolfSSL build on version <= 5.9.0. +--- + src/openvpn/ssl_verify_openssl.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/src/openvpn/ssl_verify_openssl.c ++++ b/src/openvpn/ssl_verify_openssl.c +@@ -257,7 +257,7 @@ backend_x509_get_username(char *common_n + { + ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert); + struct gc_arena gc = gc_new(); +- char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc); ++ char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc); + + if (!serial || cn_len <= strlen(serial) + 2) + { +@@ -311,7 +311,7 @@ backend_x509_get_serial_hex(openvpn_x509 + { + const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert); + +- return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc); ++ return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc); + } + + result_t +@@ -624,7 +624,7 @@ x509_verify_ns_cert_type(openvpn_x509_ce + { + ASN1_BIT_STRING *ns; + ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); +- result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; ++ result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; + if (result == SUCCESS) + { + msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose " +@@ -652,7 +652,7 @@ x509_verify_ns_cert_type(openvpn_x509_ce + { + ASN1_BIT_STRING *ns; + ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); +- result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE; ++ result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? 
SUCCESS : FAILURE; + if (result == SUCCESS) + { + msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose " diff --git a/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch b/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch deleted file mode 100644 index 50834b3bb7..0000000000 --- a/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- a/src/openvpn/ssl_openssl.c -+++ b/src/openvpn/ssl_openssl.c -@@ -1347,7 +1347,7 @@ err: - return 0; - } - --#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) -+#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL) - - /* called when EC_KEY is destroyed */ - static void -@@ -1508,7 +1508,7 @@ tls_ctx_use_management_external_key(stru - goto cleanup; - } - } --#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) -+#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL) - #if OPENSSL_VERSION_NUMBER < 0x30000000L - else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) - #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */ diff --git a/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch b/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch index 690521ee64..e79f75fae3 100644 --- a/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch +++ b/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch @@ -1,6 +1,6 @@ --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c -@@ -267,6 +267,9 @@ backend_x509_get_username(char *common_n +@@ -253,6 +253,9 @@ backend_x509_get_username(char *common_n return FAILURE; } }
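Review bot: The revert in 101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch is unconditional, so every build of ssl_verify_openssl.c, including plain OpenSSL builds, goes back to reading `asn1_i->data`/`asn1_i->length` and `ns->data[0]`/`ns->length` directly, while the patch's own header says the accessor API only breaks wolfSSL <= 5.9.0. Guarding the four sites on `ENABLE_CRYPTO_WOLFSSL` (the macro the removed 101/102 patches already keyed on) keeps the official `ASN1_STRING_get0_data()`/`ASN1_STRING_length()` calls for OpenSSL and confines the struct-layout dependency to the wolfSSL build. The patch header should also name the wolfSSL version bound explicitly so the revert can be dropped once the wolfSSL package moves past 5.9.0. The last `+` line of this hunk is split across two lines in this listing at `? ` / `SUCCESS : FAILURE;`; the patch file itself presumably has it on one line.
```c
        struct gc_arena gc = gc_new();
#ifdef ENABLE_CRYPTO_WOLFSSL
        /* wolfSSL <= 5.9.0 lacks the ASN1_STRING_ accessor API; read the fields directly */
        char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc);
#else
        char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc);
#endif
        /* … same #ifdef split at backend_x509_get_serial_hex() and the two x509_verify_ns_cert_type() sites … */
```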