openvpn: update to 2.5.3

Fix a possible security issue with OpenSSL config autoloading on Windows (CVE-2021-3606).
Include a number of small improvements and bug fixes.

remove upstreamed: 115-fix-mbedtls-without-renegotiation.patch

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
lilik-openwrt-22.03
Ivan Pavlov 3 years ago
committed by Polynomdivision
commit fcc41104e4
4 changed files with 5 additions and 50 deletions
  1. net/openvpn/Makefile (+3, -3)
  2. net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch (+1, -1)
  3. net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch (+0, -42)
  4. net/openvpn/test.sh (+1, -4)

+ 3
- 3
net/openvpn/Makefile View File

@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn
PKG_VERSION:=2.5.2
PKG_RELEASE:=2
PKG_VERSION:=2.5.3
PKG_RELEASE:=1
PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_HASH:=b12743836901f365efaf82ab2493967e1b21c21eb43ce9a8da1002a17c9c1dc8
PKG_HASH:=fb6a9943c603a1951ca13e9267653f8dd650c02f84bccd2b9d20f06a4c9c9a7e
PKG_MAINTAINER:=Magnus Kroken <mkroken@gmail.com>
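Review bot: the new PKG_HASH value is the only integrity check on the 2.5.3 tarball fetched from either PKG_SOURCE_URL mirror, and the commit message does not say where it came from. Please state in the commit message that the hash was computed from a tarball whose upstream release signature or published checksum was verified, rather than from whatever the mirror served at bump time. Resetting PKG_RELEASE to 1 alongside the PKG_VERSION bump is correct.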


+ 1
- 1
net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch View File

@ -1,6 +1,6 @@
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1535,7 +1535,7 @@ const char *
@@ -1538,7 +1538,7 @@ const char *
get_ssl_library_version(void)
{
static char mbedtls_version[30];
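Review bot: the only change in this refresh is the inner hunk offset for get_ssl_library_version() moving from 1535 to 1538 in src/openvpn/ssl_mbedtls.c, so the patch body is carried over to 2.5.3 without any visible re-evaluation. Since the patch name says it disables a runtime mbed TLS version check, the commit message should say that the patch is still wanted for this release and not just that it still applies.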


+ 0
- 42
net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch View File

@ -1,42 +0,0 @@
From e4bd17c86e01aaf6f809d9ea355419c86c4defdc Mon Sep 17 00:00:00 2001
From: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Date: Mon, 12 Apr 2021 19:46:17 +0200
Subject: [PATCH] Fix build with mbedtls w/o SSL renegotiation support
In mbedtls, support for SSL renegotiation can be disabled at
compile-time. However, OpenVPN cannot be built with such a library
because it calls mbedtls_ssl_conf_renegotiation() to disable this
feature at runtime. This function doesn't exist when mbedtls was built
without support for SSL renegotiation.
This commit fixes the build by ifdef'ing out the function call when
mbedtls was built without support for SSL renegotiation.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com>
URL: https://www.mail-archive.com/search?l=mid&q=E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/ssl_mbedtls.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1098,10 +1098,13 @@ key_state_ssl_init(struct key_state_ssl
{
mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups);
}
- /* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL
- * session and does not depend on this feature. And TLS renegotiations have
- * been problematic in the past */
+
+ /* Disable TLS renegotiations if the mbedtls library supports that feature.
+ * OpenVPN's renegotiation creates new SSL sessions and does not depend on
+ * this feature and TLS renegotiations have been problematic in the past. */
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
+#endif /* MBEDTLS_SSL_RENEGOTIATION */
/* Disable record splitting (for now). OpenVPN assumes records are sent
* unfragmented, and changing that will require thorough review and
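Review bot: the commit message justifies deleting this file with "remove upstreamed" but gives no upstream reference, while the deleted header carries one (commit e4bd17c86e01aaf6f809d9ea355419c86c4defdc, dated 12 Apr 2021). Please cite that commit in the message so a reviewer can confirm that the 2.5.3 tarball contains the "#if defined(MBEDTLS_SSL_RENEGOTIATION)" guard around mbedtls_ssl_conf_renegotiation(). Without the guard, the deleted description says OpenVPN cannot be built against an mbedtls that has renegotiation support compiled out.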

+ 1
- 4
net/openvpn/test.sh View File

@ -4,10 +4,7 @@ case "$1" in
"openvpn-mbedtls")
openvpn --version | grep "$2.*SSL (mbed TLS)"
;;
"openvpn-openssl")
openvpn --version | grep "$2.*SSL (OpenSSL)"
;;
"openvpn-wolfssl")
"openvpn-openssl"|"openvpn-wolfssl")
openvpn --version | grep "$2.*SSL (OpenSSL)"
;;
esac
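Review bot: in the merged "openvpn-openssl"|"openvpn-wolfssl" case, the wolfssl variant passes by matching the string "SSL (OpenSSL)", so this test cannot tell a wolfSSL-linked binary from an OpenSSL-linked one. If openvpn --version prints nothing that identifies wolfSSL, add a comment saying so; otherwise keep a separate case that greps for the wolfSSL marker. Also, "$2" is interpolated into the grep pattern unescaped, so the dots in a version such as 2.5.3 match any character, and the visible case statement has no "*)" branch, so an unrecognised package name runs no check at all.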