commit: 5d0eadbc6aabbd869d57e042ab41563e888e6e2c Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org> AuthorDate: Wed Mar 13 21:51:45 2019 +0000 Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> CommitDate: Wed Mar 13 21:53:23 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d0eadbc
net-vpn/openvpn: Revert LibreSSL patch (bug #680184) This reverts commit c16af66cd6e5903520a80e73c6f594449e654a5f. The patch doesn't apply Closes: https://bugs.gentoo.org/680184 Signed-off-By: Patrick McLean <chutzpah <AT> gentoo.org> net-vpn/openvpn/files/openvpn-2.4.7-libressl.patch | 133 ++++----------------- ...vpn-2.4.7-r2.ebuild => openvpn-2.4.7-r1.ebuild} | 0 2 files changed, 20 insertions(+), 113 deletions(-) diff --git a/net-vpn/openvpn/files/openvpn-2.4.7-libressl.patch b/net-vpn/openvpn/files/openvpn-2.4.7-libressl.patch index 414f132b336..210189cd4d4 100644 --- a/net-vpn/openvpn/files/openvpn-2.4.7-libressl.patch +++ b/net-vpn/openvpn/files/openvpn-2.4.7-libressl.patch @@ -1,142 +1,49 @@ -From a47508606be2c6359d4b27c3b65b72dfe4786222 Mon Sep 17 00:00:00 2001 +From 4faf695e3c42a81131c2aae96c4a60228aa237a5 Mon Sep 17 00:00:00 2001 From: Stefan Strogin <stefan.stro...@gmail.com> -Date: Mon, 25 Feb 2019 20:35:31 +0200 -Subject: [PATCH] Use correct ifdefs for LibreSSL support +Date: Sat, 23 Feb 2019 20:13:41 +0200 +Subject: [PATCH] Fix compilation with LibreSSL -- TLS 1.3 is not ready yet in LibreSSL. Also there is a theoretical -possibility of OpenSSL >=1.1.1 built without TLS 1.3 support. -- EC_KEY_METHOD API and SSL_get1_supported_ciphers are added into LibreSSL -master (not yet released in 2.9.0). -- Some methods that are available since LibreSSL 2.7.0 were thrown away -in ssl_openssl.c regardless of LibreSSL version. Use them with newer -LibreSSL. +TLS 1.3 is not ready yet in LibreSSL. +Also SSL_get1_supported_ciphers() has been just added into master (not yet +released). +Upstream-Status: Submitted [https://github.com/OpenVPN/openvpn/pull/123] Signed-off-by: Stefan Strogin <stefan.stro...@gmail.com> -Acked-by: Arne Schwabe <a...@rfc2549.org> -Message-Id: <20190225183531.27399-1-stefan.stro...@gmail.com> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg18239.html -Signed-off-by: Gert Doering <g...@greenie.muc.de> -Upstream-Status: Accepted -[https://github.com/OpenVPN/openvpn/commit/a47508606be2c6359d4b27c3b65b72dfe4786222] --- - src/openvpn/ssl_openssl.c | 33 +++++++++++++++++++++------------ - 1 file changed, 21 insertions(+), 12 deletions(-) + src/openvpn/ssl_openssl.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c -index ddb78da7..8bcebac4 100644 +index a78dae99..6a8fcef3 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c -@@ -465,7 +465,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) +@@ -459,7 +459,7 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) return; } -#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) -+#if !defined(TLS1_3_VERSION) - crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " - "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", - ciphers); -@@ -526,7 +526,8 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) - - ASSERT(ctx); - --#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) -+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) \ -+ || LIBRESSL_VERSION_NUMBER >= 0x2070000fL - /* OpenSSL 1.0.2 and up */ - cert = SSL_CTX_get0_certificate(ctx->ctx); - #else -@@ -561,7 +562,8 @@ tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) - } - - cleanup: --#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) -+#if OPENSSL_VERSION_NUMBER < 0x10002000L \ -+ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) - SSL_free(ssl); - #endif - return; -@@ -1209,7 +1211,9 @@ err: - return 0; - } - --#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) -+#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \ -+ || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \ -+ && !defined(OPENSSL_NO_EC) - - /* called when EC_KEY is destroyed */ - static void -@@ -1331,7 +1335,7 @@ err: - } - return 0; - } --#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev */ -+#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ - - int - tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) -@@ -1340,7 +1344,8 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) - - ASSERT(NULL != ctx); - --#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) -+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)) \ -+ || LIBRESSL_VERSION_NUMBER >= 0x2070000fL - /* OpenSSL 1.0.2 and up */ - X509 *cert = SSL_CTX_get0_certificate(ctx->ctx); - #else -@@ -1362,7 +1367,9 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) - goto cleanup; - } - } --#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) -+#if ((OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) \ -+ || LIBRESSL_VERSION_NUMBER > 0x2090000fL) \ -+ && !defined(OPENSSL_NO_EC) - else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) - { - if (!tls_ctx_use_external_ec_key(ctx, pkey)) -@@ -1375,17 +1382,18 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) - crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate"); - goto cleanup; - } --#else /* if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) */ -+#else /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ - else - { - crypto_msg(M_WARN, "management-external-key requires an RSA certificate"); - goto cleanup; - } --#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev */ -+#endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ - - ret = 0; - cleanup: --#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) -+#if OPENSSL_VERSION_NUMBER < 0x10002000L \ -+ || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) - if (ssl) - { - SSL_free(ssl); -@@ -1998,7 +2006,7 @@ show_available_tls_ciphers_list(const char *cipher_list, ++#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) || defined(LIBRESSL_VERSION_NUMBER) + crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " + "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", + ciphers); +@@ -1846,7 +1846,7 @@ show_available_tls_ciphers_list(const char *cipher_list, crypto_msg(M_FATAL, "Cannot create SSL_CTX object"); } -#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) -+#if defined(TLS1_3_VERSION) ++#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL && !defined(LIBRESSL_VERSION_NUMBER)) if (tls13) { SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION); -@@ -2019,7 +2027,8 @@ show_available_tls_ciphers_list(const char *cipher_list, +@@ -1867,7 +1867,7 @@ show_available_tls_ciphers_list(const char *cipher_list, crypto_msg(M_FATAL, "Cannot create SSL object"); } -#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) -+#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || \ -+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x2090000fL) ++#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); #else STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl); -- -2.21.0 +2.20.1 diff --git a/net-vpn/openvpn/openvpn-2.4.7-r2.ebuild b/net-vpn/openvpn/openvpn-2.4.7-r1.ebuild similarity index 100% rename from net-vpn/openvpn/openvpn-2.4.7-r2.ebuild rename to net-vpn/openvpn/openvpn-2.4.7-r1.ebuild
