From fcc41104e4f17b6545c86f2dddd06b7b9256504c Mon Sep 17 00:00:00 2001
From: Ivan Pavlov
Date: Fri, 18 Jun 2021 10:10:57 +0300
Subject: [PATCH] openvpn: update to 2.5.3

Fix a possible security issue with OpenSSL config autoloading on Windows (CVE-2021-3606). Include a number of small improvements and bug fixes.

remove upstreamed: 115-fix-mbedtls-without-renegotiation.patch

Signed-off-by: Ivan Pavlov
---
 net/openvpn/Makefile | 6 +--
 ...bedtls-disable-runtime-version-check.patch | 2 +-
 ...15-fix-mbedtls-without-renegotiation.patch | 42 -------------------
 net/openvpn/test.sh | 5 +--
 4 files changed, 5 insertions(+), 50 deletions(-)
 delete mode 100644 net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch

diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile
index 9aeb43a84..8afad6f15 100644
--- a/net/openvpn/Makefile
+++ b/net/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
-PKG_VERSION:=2.5.2
-PKG_RELEASE:=2
+PKG_VERSION:=2.5.3
+PKG_RELEASE:=1
 PKG_SOURCE_URL:=\
 https://build.openvpn.net/downloads/releases/ \
 https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=b12743836901f365efaf82ab2493967e1b21c21eb43ce9a8da1002a17c9c1dc8
+PKG_HASH:=fb6a9943c603a1951ca13e9267653f8dd650c02f84bccd2b9d20f06a4c9c9a7e
 PKG_MAINTAINER:=Magnus Kroken
diff --git a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
index c54277006..8d49d167c 100644
--- a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1535,7 +1535,7 @@ const char *
+@@ -1538,7 +1538,7 @@ const char *
 get_ssl_library_version(void)
 {
 static char mbedtls_version[30];
diff --git a/net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch b/net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch
deleted file mode 100644
index 532d64f60..000000000
--- a/net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e4bd17c86e01aaf6f809d9ea355419c86c4defdc Mon Sep 17 00:00:00 2001
-From: Max Fillinger
-Date: Mon, 12 Apr 2021 19:46:17 +0200
-Subject: [PATCH] Fix build with mbedtls w/o SSL renegotiation support
-
-In mbedtls, support for SSL renegotiation can be disabled at
-compile-time. However, OpenVPN cannot be built with such a library
-because it calls mbedtls_ssl_conf_renegotiation() to disable this
-feature at runtime. This function doesn't exist when mbedtls was built
-without support for SSL renegotiation.
-
-This commit fixes the build by ifdef'ing out the function call when
-mbedtls was built without support for SSL renegotiation.
-
-Signed-off-by: Max Fillinger
-Acked-by: Antonio Quartulli
-Message-Id:
-URL: https://www.mail-archive.com/search?l=mid&q=E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com
-Signed-off-by: Gert Doering
----
- src/openvpn/ssl_mbedtls.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
---- a/src/openvpn/ssl_mbedtls.c
-+++ b/src/openvpn/ssl_mbedtls.c
-@@ -1098,10 +1098,13 @@ key_state_ssl_init(struct key_state_ssl
- {
- mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups);
- }
-- /* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL
-- * session and does not depend on this feature. And TLS renegotiations have
-- * been problematic in the past */
-+
-+ /* Disable TLS renegotiations if the mbedtls library supports that feature.
-+ * OpenVPN's renegotiation creates new SSL sessions and does not depend on
-+ * this feature and TLS renegotiations have been problematic in the past. */
-+#if defined(MBEDTLS_SSL_RENEGOTIATION)
- mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
-+#endif /* MBEDTLS_SSL_RENEGOTIATION */
-
- /* Disable record splitting (for now). OpenVPN assumes records are sent
- * unfragmented, and changing that will require thorough review and
diff --git a/net/openvpn/test.sh b/net/openvpn/test.sh
index c2b0cc4b0..71cdc35db 100755
--- a/net/openvpn/test.sh
+++ b/net/openvpn/test.sh
@@ -4,10 +4,7 @@ case "$1" in
 "openvpn-mbedtls")
 openvpn --version | grep "$2.*SSL (mbed TLS)"
 ;;
- "openvpn-openssl")
- openvpn --version | grep "$2.*SSL (OpenSSL)"
- ;;
- "openvpn-wolfssl")
+ "openvpn-openssl"|"openvpn-wolfssl")
 openvpn --version | grep "$2.*SSL (OpenSSL)"
 ;;
 esac
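Review bot: The merged `"openvpn-openssl"|"openvpn-wolfssl")` branch greps for `SSL (OpenSSL)` for both variants without saying why a wolfSSL build is expected to identify itself as OpenSSL, so the next reader is likely to read it as a copy-paste slip; the removed wolfssl case already used the same string, so the behaviour is unchanged, but a one-line comment above the grep would pin the intent, e.g. `# wolfSSL builds presumably report the OpenSSL compatibility layer in --version; keep in sync if that changes`. Separately, `$2` is interpolated into a basic regex unescaped and unanchored, so the dots in a version such as 2.5.3 match any character; this is pre-existing and only matters if the test is meant to pin the exact release, in which case escaping the dots or anchoring on `"^OpenVPN $2 "` would tighten it.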