commit: c16af66cd6e5903520a80e73c6f594449e654a5f |
Author: Stefan Strogin <stefan.strogin <AT> gmail <DOT> com> |
AuthorDate: Mon Mar 4 20:24:24 2019 +0000 |
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
CommitDate: Wed Mar 13 00:43:18 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c16af66c |
|
net-vpn/openvpn: update LibreSSL patch to accepted upstream |
|
Bug: https://bugs.gentoo.org/678604 |
Package-Manager: Portage-2.3.62, Repoman-2.3.12 |
Signed-off-by: Stefan Strogin <stefan.strogin <AT> gmail.com> |
Closes: https://github.com/gentoo/gentoo/pull/11260 |
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org> |
|
net-vpn/openvpn/files/openvpn-2.4.7-libressl.patch | 133 +++++++++++++++++---- |
...vpn-2.4.7-r1.ebuild => openvpn-2.4.7-r2.ebuild} | 0 |
2 files changed, 113 insertions(+), 20 deletions(-) |
|
diff --git a/net-vpn/openvpn/files/openvpn-2.4.7-libressl.patch b/net-vpn/openvpn/files/openvpn-2.4.7-libressl.patch |
21 |
index 210189cd4d4..414f132b336 100644 |
22 |
--- a/net-vpn/openvpn/files/openvpn-2.4.7-libressl.patch |
23 |
+++ b/net-vpn/openvpn/files/openvpn-2.4.7-libressl.patch |
24 |
@@ -1,49 +1,142 @@ |
25 |
-From 4faf695e3c42a81131c2aae96c4a60228aa237a5 Mon Sep 17 00:00:00 2001 |
26 |
+From a47508606be2c6359d4b27c3b65b72dfe4786222 Mon Sep 17 00:00:00 2001 |
27 |
From: Stefan Strogin <stefan.strogin@×××××.com> |
28 |
-Date: Sat, 23 Feb 2019 20:13:41 +0200 |
29 |
-Subject: [PATCH] Fix compilation with LibreSSL |
30 |
+Date: Mon, 25 Feb 2019 20:35:31 +0200 |
31 |
+Subject: [PATCH] Use correct ifdefs for LibreSSL support |
32 |
|
33 |
-TLS 1.3 is not ready yet in LibreSSL. |
34 |
-Also SSL_get1_supported_ciphers() has been just added into master (not yet |
35 |
-released). |
36 |
+- TLS 1.3 is not ready yet in LibreSSL. Also there is a theoretical |
37 |
+possibility of OpenSSL >=1.1.1 built without TLS 1.3 support. |
38 |
+- EC_KEY_METHOD API and SSL_get1_supported_ciphers are added into LibreSSL |
39 |
+master (not yet released in 2.9.0). |
40 |
+- Some methods that are available since LibreSSL 2.7.0 were thrown away |
41 |
+in ssl_openssl.c regardless of LibreSSL version. Use them with newer |
42 |
+LibreSSL. |
43 |
|
44 |
-Upstream-Status: Submitted [https://github.com/OpenVPN/openvpn/pull/123] |
45 |
Signed-off-by: Stefan Strogin <stefan.strogin@×××××.com> |
46 |
+Acked-by: Arne Schwabe <arne@×××××××.org> |
47 |
+Message-Id: <20190225183531.27399-1-stefan.strogin@×××××.com> |
48 |
+URL: https://www.mail-archive.com/openvpn-devel@×××××××××××××××××.net/msg18239.html |
49 |
+Signed-off-by: Gert Doering <gert@×××××××××××.de> |
50 |
+Upstream-Status: Accepted |
51 |
+[https://github.com/OpenVPN/openvpn/commit/a47508606be2c6359d4b27c3b65b72dfe4786222] |
52 |
--- |
53 |
- src/openvpn/ssl_openssl.c | 6 +++--- |
54 |
- 1 file changed, 3 insertions(+), 3 deletions(-) |
55 |
+ src/openvpn/ssl_openssl.c | 33 +++++++++++++++++++++------------ |
56 |
+ 1 file changed, 21 insertions(+), 12 deletions(-) |
57 |
|
58 |
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c |
59 |
-index a78dae99..6a8fcef3 100644 |
60 |
+index ddb78da7..8bcebac4 100644 |
61 |
--- a/src/openvpn/ssl_openssl.c |
62 |
+++ b/src/openvpn/ssl_openssl.c |
63 |
-@@ -459,7 +459,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) |
64 |
+@@ -465,7 +465,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) |
65 |
return; |
66 |
} |
67 |
|
68 |
-#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) |
69 |
-+#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) || defined(LIBRESSL_VERSION_NUMBER) |
70 |
- crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " |
71 |
- "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", |
72 |
- ciphers); |
73 |
-@@ -1846,7 +1846,7 @@ show_available_tls_ciphers_list(const char *cipher_list, |
74 |
++#if !defined(TLS1_3_VERSION) |
75 |
+ crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " |
76 |
+ "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", |
77 |
+ ciphers); |
78 |
+@@ -526,7 +526,8 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) |
79 |
+ |
80 |
+ ASSERT(ctx); |
81 |
+ |
82 |
+-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) |
83 |
++#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) \ |
84 |
++ || LIBRESSL_VERSION_NUMBER >= 0x2070000fL |
85 |
+ /* OpenSSL 1.0.2 and up */ |
86 |
+ cert = SSL_CTX_get0_certificate(ctx->ctx); |
87 |
+ #else |
88 |
+@@ -561,7 +562,8 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) |
89 |
+ } |
90 |
+ |
91 |
+ cleanup: |
92 |
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) |
93 |
++#if OPENSSL_VERSION_NUMBER < 0x10002000L \ |
94 |
++ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) |
95 |
+ SSL_free(ssl); |
96 |
+ #endif |
97 |
+ return; |
98 |
+@@ -1209,7 +1211,9 @@ err: |
99 |
+ return 0; |
100 |
+ } |
101 |
+ |
102 |
+-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) |
103 |
++#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \ |
104 |
++ || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \ |
105 |
++ && !defined(OPENSSL_NO_EC) |
106 |
+ |
107 |
+ /* called when EC_KEY is destroyed */ |
108 |
+ static void |
109 |
+@@ -1331,7 +1335,7 @@ err: |
110 |
+ } |
111 |
+ return 0; |
112 |
+ } |
113 |
+-#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev */ |
114 |
++#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ |
115 |
+ |
116 |
+ int |
117 |
+ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) |
118 |
+@@ -1340,7 +1344,8 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) |
119 |
+ |
120 |
+ ASSERT(NULL != ctx); |
121 |
+ |
122 |
+-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) |
123 |
++#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) \ |
124 |
++ || LIBRESSL_VERSION_NUMBER >= 0x2070000fL |
125 |
+ /* OpenSSL 1.0.2 and up */ |
126 |
+ X509 *cert = SSL_CTX_get0_certificate(ctx->ctx); |
127 |
+ #else |
128 |
+@@ -1362,7 +1367,9 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) |
129 |
+ goto cleanup; |
130 |
+ } |
131 |
+ } |
132 |
+-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) |
133 |
++#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \ |
134 |
++ || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \ |
135 |
++ && !defined(OPENSSL_NO_EC) |
136 |
+ else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) |
137 |
+ { |
138 |
+ if (!tls_ctx_use_external_ec_key(ctx, pkey)) |
139 |
+@@ -1375,17 +1382,18 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) |
140 |
+ crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate"); |
141 |
+ goto cleanup; |
142 |
+ } |
143 |
+-#else /* if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) */ |
144 |
++#else /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ |
145 |
+ else |
146 |
+ { |
147 |
+ crypto_msg(M_WARN, "management-external-key requires an RSA certificate"); |
148 |
+ goto cleanup; |
149 |
+ } |
150 |
+-#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev */ |
151 |
++#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ |
152 |
+ |
153 |
+ ret = 0; |
154 |
+ cleanup: |
155 |
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) |
156 |
++#if OPENSSL_VERSION_NUMBER < 0x10002000L \ |
157 |
++ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) |
158 |
+ if (ssl) |
159 |
+ { |
160 |
+ SSL_free(ssl); |
161 |
+@@ -1998,7 +2006,7 @@ show_available_tls_ciphers_list(const char *cipher_list, |
162 |
crypto_msg(M_FATAL, "Cannot create SSL_CTX object"); |
163 |
} |
164 |
|
165 |
-#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) |
166 |
-+#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER)) |
167 |
++#if defined(TLS1_3_VERSION) |
168 |
if (tls13) |
169 |
{ |
170 |
SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); |
171 |
-@@ -1867,7 +1867,7 @@ show_available_tls_ciphers_list(const char *cipher_list, |
172 |
+@@ -2019,7 +2027,8 @@ show_available_tls_ciphers_list(const char *cipher_list, |
173 |
crypto_msg(M_FATAL, "Cannot create SSL object"); |
174 |
} |
175 |
|
176 |
-#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) |
177 |
-+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) |
178 |
++#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \ |
179 |
++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090000fL) |
180 |
STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); |
181 |
#else |
182 |
STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl); |
183 |
-- |
184 |
-2.20.1 |
185 |
+2.21.0 |
186 |
|
187 |
|
188 |
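Review bot: The `||` branches added in the inner hunks for tls_ctx_check_cert_time and tls_ctx_use_management_external_key (`|| LIBRESSL_VERSION_NUMBER >= 0x2070000fL` and `|| LIBRESSL_VERSION_NUMBER > 0x2090000fL`) test LIBRESSL_VERSION_NUMBER without a `defined()` guard, while the paired cleanup guards in the same hunks do write `(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)`. Under OpenSSL the macro is undefined and evaluates to 0 inside `#if`, which is well-defined C but trips `-Wundef` and makes the two halves of each pair read as if they tested different things; `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)` keeps the style uniform. The pairing matters because the first `#if` selects SSL_CTX_get0_certificate (no SSL object allocated) and the second decides whether `SSL_free(ssl)` runs at `cleanup:`, and they are only exact complements because, as far as I know, LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L so the `< 0x10002000L` test can never be true there; a one-line comment recording that assumption, or a single shared feature macro used by both `#if`s, would make a future mismatch (leaked or unallocated SSL at `cleanup:`) visible at review time. Both functions start and end outside the inner hunks, and since this is a diff of a patch file the C it touches cannot be checked from this page.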
diff --git a/net-vpn/openvpn/openvpn-2.4.7-r1.ebuild b/net-vpn/openvpn/openvpn-2.4.7-r2.ebuild |
189 |
similarity index 100% |
190 |
rename from net-vpn/openvpn/openvpn-2.4.7-r1.ebuild |
191 |
rename to net-vpn/openvpn/openvpn-2.4.7-r2.ebuild |