openvpn: update to 2.7.1

The new DCO module depends on OpenVPN 2.7.1. For details refer to https://github.com/OpenVPN/openvpn/blob/v2.7.1/Changes.rst Removed upstreamed wolfSSL patches: - 101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch - 102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch Reworked 100-mbedtls-disable-runtime-version-check.patch to use MBEDTLS_VERSION_STRING instead of a mutable buffer. Signed-off-by: Qingfang Deng <dqfext@gmail.com>
2026-04-15 10:51:55 +00:00 · 2026-04-02 10:42:16 +08:00
parent 5f02f01359
commit 9faf26770b
6 changed files with 60 additions and 50 deletions
--- a/net/openvpn/Makefile
+++ b/net/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
-PKG_VERSION:=2.6.19
+PKG_VERSION:=2.7.1
-PKG_RELEASE:=3
+PKG_RELEASE:=1
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
 	https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_HASH:=13702526f687c18b2540c1a3f2e189187baaa65211edcf7ff6772fa69f0536cf
+PKG_HASH:=9858477ec2894a8a672974d8650dcb1af2eeffb468981a2b619f0fa387081167
 PKG_MAINTAINER:=
--- a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,11 +1,15 @@
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1611,7 +1611,7 @@ const char *
+@@ -1573,11 +1573,7 @@ show_available_curves(void)
 const char *
 get_ssl_library_version(void)
 {
-     static char mbedtls_version[30];
+-    static char mbedtls_version[30];
 -    unsigned int pv = mbedtls_version_get_number();
-+    unsigned int pv = MBEDTLS_VERSION_NUMBER;
+-    snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", (pv >> 24) & 0xff,
-     snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d",
+-             (pv >> 16) & 0xff, (pv >> 8) & 0xff);
-              (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
+-    return mbedtls_version;
-     return mbedtls_version;
+    return "mbed TLS " MBEDTLS_VERSION_STRING;
 }
 void
--- a/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
+++ b/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
@@ -1,20 +0,0 @@
 --- a/src/openvpn/crypto_openssl.c
 +++ b/src/openvpn/crypto_openssl.c
@@ -49,7 +49,7 @@
 #include <openssl/rand.h>
 #include <openssl/ssl.h>
 -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
 #include <openssl/kdf.h>
 #endif
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
@@ -1399,7 +1399,7 @@ memcmp_constant_time(const void *a, cons
     return CRYPTO_memcmp(a, b, size);
 }
 -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
              int secret_len, uint8_t *output, int output_len)
--- a/net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch
+++ b/net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch
@@ -0,0 +1,46 @@
 Subject: [PATCH] Revert "ssl_verify_openssl: use official ASN1_STRING_ API"
 This reverts commit 388800782687793ea968b722e22319b8a13fddbd.
 It breaks wolfSSL build on version <= 5.9.0.
 ---
 src/openvpn/ssl_verify_openssl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
 --- a/src/openvpn/ssl_verify_openssl.c
 +++ b/src/openvpn/ssl_verify_openssl.c
@@ -257,7 +257,7 @@ backend_x509_get_username(char *common_n
     {
         ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
         struct gc_arena gc = gc_new();
 -        char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc);
 +        char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc);
         if (!serial || cn_len <= strlen(serial) + 2)
         {
@@ -311,7 +311,7 @@ backend_x509_get_serial_hex(openvpn_x509
 {
     const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);
 -    return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc);
 +    return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc);
 }
 result_t
@@ -624,7 +624,7 @@ x509_verify_ns_cert_type(openvpn_x509_ce
         {
             ASN1_BIT_STRING *ns;
             ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
 -            result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
 +            result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
             if (result == SUCCESS)
             {
                 msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose "
@@ -652,7 +652,7 @@ x509_verify_ns_cert_type(openvpn_x509_ce
         {
             ASN1_BIT_STRING *ns;
             ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
 -            result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
 +            result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
             if (result == SUCCESS)
             {
                 msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "
--- a/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
+++ b/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
@@ -1,20 +0,0 @@
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
@@ -1347,7 +1347,7 @@ err:
     return 0;
 }
 -#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
 +#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
 /* called when EC_KEY is destroyed */
 static void
@@ -1508,7 +1508,7 @@ tls_ctx_use_management_external_key(stru
             goto cleanup;
         }
     }
 -#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
 +#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
     else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
 #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
--- a/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
+++ b/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_verify_openssl.c
 +++ b/src/openvpn/ssl_verify_openssl.c
-@@ -267,6 +267,9 @@ backend_x509_get_username(char *common_n
+@@ -253,6 +253,9 @@ backend_x509_get_username(char *common_n
             return FAILURE;
         }
     }