openvpn: update to 2.7.1

The new DCO module depends on OpenVPN 2.7.1. For details refer to https://github.com/OpenVPN/openvpn/blob/v2.7.1/Changes.rst Removed upstreamed wolfSSL patches: - 101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch - 102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch Reworked 100-mbedtls-disable-runtime-version-check.patch to use MBEDTLS_VERSION_STRING instead of a mutable buffer. Signed-off-by: Qingfang Deng <dqfext@gmail.com>
2026-04-15 10:51:55 +00:00 · 2026-04-02 10:42:16 +08:00
parent 5f02f01359
commit 9faf26770b
6 changed files with 60 additions and 50 deletions
--- a/net/openvpn/Makefile
+++ b/net/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=openvpn

-PKG_VERSION:=2.6.19
-PKG_RELEASE:=3
+PKG_VERSION:=2.7.1
+PKG_RELEASE:=1

 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
 	https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_HASH:=13702526f687c18b2540c1a3f2e189187baaa65211edcf7ff6772fa69f0536cf
+PKG_HASH:=9858477ec2894a8a672974d8650dcb1af2eeffb468981a2b619f0fa387081167

 PKG_MAINTAINER:=

--- a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,11 +1,15 @@
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1611,7 +1611,7 @@ const char *
+@@ -1573,11 +1573,7 @@ show_available_curves(void)
+ const char *
 get_ssl_library_version(void)
 {
-     static char mbedtls_version[30];
+-    static char mbedtls_version[30];
 -    unsigned int pv = mbedtls_version_get_number();
-+    unsigned int pv = MBEDTLS_VERSION_NUMBER;
-     snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d",
-              (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
-     return mbedtls_version;
+-    snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", (pv >> 24) & 0xff,
+-             (pv >> 16) & 0xff, (pv >> 8) & 0xff);
+-    return mbedtls_version;
+    return "mbed TLS " MBEDTLS_VERSION_STRING;
+ }
+ 
+ void
--- a/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
+++ b/net/openvpn/patches/101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
@@ -1,20 +0,0 @@
--- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -49,7 +49,7 @@
- #include <openssl/rand.h>
- #include <openssl/ssl.h>
- 
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
-+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
- #include <openssl/kdf.h>
- #endif
- #if OPENSSL_VERSION_NUMBER >= 0x30000000L
-@@ -1399,7 +1399,7 @@ memcmp_constant_time(const void *a, cons
-     return CRYPTO_memcmp(a, b, size);
- }
- 
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
-+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(ENABLE_CRYPTO_WOLFSSL) && !defined(LIBRESSL_VERSION_NUMBER)
- bool
- ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,
-              int secret_len, uint8_t *output, int output_len)
--- a/net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch
+++ b/net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch
@@ -0,0 +1,46 @@
+Subject: [PATCH] Revert "ssl_verify_openssl: use official ASN1_STRING_ API"
+
+This reverts commit 388800782687793ea968b722e22319b8a13fddbd.
+It breaks wolfSSL build on version <= 5.9.0.
+---
+ src/openvpn/ssl_verify_openssl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
+@@ -257,7 +257,7 @@ backend_x509_get_username(char *common_n
+     {
+         ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
+         struct gc_arena gc = gc_new();
+-        char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc);
+        char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc);
+ 
+         if (!serial || cn_len <= strlen(serial) + 2)
+         {
+@@ -311,7 +311,7 @@ backend_x509_get_serial_hex(openvpn_x509
+ {
+     const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);
+ 
+-    return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc);
+    return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc);
+ }
+ 
+ result_t
+@@ -624,7 +624,7 @@ x509_verify_ns_cert_type(openvpn_x509_ce
+         {
+             ASN1_BIT_STRING *ns;
+             ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
+-            result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
+            result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
+             if (result == SUCCESS)
+             {
+                 msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose "
+@@ -652,7 +652,7 @@ x509_verify_ns_cert_type(openvpn_x509_ce
+         {
+             ASN1_BIT_STRING *ns;
+             ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
+-            result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
+            result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
+             if (result == SUCCESS)
+             {
+                 msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "
--- a/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
+++ b/net/openvpn/patches/102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
@@ -1,20 +0,0 @@
--- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -1347,7 +1347,7 @@ err:
-     return 0;
- }
- 
-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
-+#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
- 
- /* called when EC_KEY is destroyed */
- static void
-@@ -1508,7 +1508,7 @@ tls_ctx_use_management_external_key(stru
-             goto cleanup;
-         }
-     }
-#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
-+#if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC) && !defined(ENABLE_CRYPTO_WOLFSSL)
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
-     else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
- #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
--- a/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
+++ b/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_verify_openssl.c
 +++ b/src/openvpn/ssl_verify_openssl.c
-@@ -267,6 +267,9 @@ backend_x509_get_username(char *common_n
+@@ -253,6 +253,9 @@ backend_x509_get_username(char *common_n
             return FAILURE;
         }
     }