[arch-commits] Commit in openvpn/trunk (5 files)

Christian Hesse eworm at archlinux.org
Wed Mar 22 19:22:11 UTC 2017


    Date: Wednesday, March 22, 2017 @ 19:22:10
  Author: eworm
Revision: 291212

upgpkg: openvpn 2.4.1-1

new upstream release

Modified:
  openvpn/trunk/0004-openssl-1-1-0.patch
  openvpn/trunk/PKGBUILD
Deleted:
  openvpn/trunk/0001-Clean-up-plugin-path-handling.patch
  openvpn/trunk/0002-do-not-race-on-RuntimeDirectory.patch
  openvpn/trunk/0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch

-----------------------------------------------------------------+
 0001-Clean-up-plugin-path-handling.patch                        |  217 -
 0002-do-not-race-on-RuntimeDirectory.patch                      |  262 --
 0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch |  124 -
 0004-openssl-1-1-0.patch                                        | 1176 ----------
 PKGBUILD                                                        |   25 
 5 files changed, 13 insertions(+), 1791 deletions(-)

Deleted: 0001-Clean-up-plugin-path-handling.patch
===================================================================
--- 0001-Clean-up-plugin-path-handling.patch	2017-03-22 16:06:42 UTC (rev 291211)
+++ 0001-Clean-up-plugin-path-handling.patch	2017-03-22 19:22:10 UTC (rev 291212)
@@ -1,217 +0,0 @@
-From 4590c3831d0400096fab08aa1ed7f909da870ced Mon Sep 17 00:00:00 2001
-From: Christian Hesse <mail at eworm.de>
-Date: Wed, 25 Jan 2017 21:19:47 +0100
-Subject: [PATCH 1/2] Clean up plugin path handling
-
-Drop --with-plugindir, instead use an environment variable PLUGINDIR
-to specify the plugin directory.
-
-This puts a define into include/openvpn-plugin.h.in which has the plugin
-directory.
-
-The configure script does not know about the final plugin path. Thus we
-have to make Make generate the final header file for us.
-
-As the path is always available remove the compile time condition (and
-dead code) from src/openvpn/plugin.c.
-
-v2: The configure script can not evaluate the final $libdir path. So
-    use make to create a header file on the containing the final path.
-
-v3: Fix whitespace errors and gitignore location.
-
-v4: No extra header file, generate src/openvpn/plugin.h on the fly.
-    Remove condition and dead code.
-
-v5: Move the define to include/openvpn-plugin.h.in and let make generate
-    the final header file.
-
-Signed-off-by: Christian Hesse <mail at eworm.de>
-Acked-by: David Sommerseth <davids at openvpn.net>
-Message-Id: <20170125201947.17197-1-list at eworm.de>
-URL: http://www.mail-archive.com/search?l=mid&q=20170125201947.17197-1-list@eworm.de
-Signed-off-by: David Sommerseth <davids at openvpn.net>
----
- configure.ac                | 16 +++++++---------
- include/Makefile.am         |  7 +++++++
- include/openvpn-plugin.h.in |  2 ++
- src/openvpn/plugin.c        | 10 +---------
- 4 files changed, 17 insertions(+), 18 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 79fb1ba..f305c54 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -38,7 +38,7 @@ AC_DEFINE([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], [OpenVPN minor versi
- AC_DEFINE([OPENVPN_VERSION_PATCH], ["PRODUCT_VERSION_PATCH"], [OpenVPN patch level - may be a string or integer])
- 
- AC_CONFIG_AUX_DIR([.])
--AC_CONFIG_HEADERS([config.h include/openvpn-plugin.h])
-+AC_CONFIG_HEADERS([config.h])
- AC_CONFIG_SRCDIR([src/openvpn/syshead.h])
- AC_CONFIG_MACRO_DIR([m4])
- 
-@@ -301,13 +301,12 @@ AC_ARG_WITH(
- 	[with_crypto_library="openssl"]
- )
- 
--AC_ARG_WITH(
--	[plugindir],
--	[AS_HELP_STRING([--with-plugindir], [plugin directory @<:@default=LIBDIR/openvpn@:>@])],
--	,
--	[with_plugindir="\$(libdir)/openvpn/plugins"]
--)
--
-+AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
-+if test -n "${PLUGINDIR}"; then
-+	plugindir="${PLUGINDIR}"
-+else
-+	plugindir="\${libdir}/openvpn/plugins"
-+fi
- 
- AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host])
- case "$host" in
-@@ -1284,7 +1283,6 @@ AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "
- AM_CONDITIONAL([ENABLE_CRYPTO], [test "${enable_crypto}" = "yes"])
- AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"])
- 
--plugindir="${with_plugindir}"
- sampledir="\$(docdir)/sample"
- AC_SUBST([plugindir])
- AC_SUBST([sampledir])
-diff --git a/include/Makefile.am b/include/Makefile.am
-index a52c427..37962a6 100644
---- a/include/Makefile.am
-+++ b/include/Makefile.am
-@@ -16,3 +16,10 @@ MAINTAINERCLEANFILES = \
- include_HEADERS = \
- 	openvpn-plugin.h \
- 	openvpn-msg.h
-+
-+openvpn-plugin.h: openvpn-plugin.h.in Makefile
-+	$(AM_V_GEN)sed -e 's|\@PLUGINDIR\@|$(plugindir)|' \
-+		-e 's|\@OPENVPN_VERSION_MAJOR\@|$(OPENVPN_VERSION_MAJOR)|' \
-+		-e 's|\@OPENVPN_VERSION_MINOR\@|$(OPENVPN_VERSION_MINOR)|' \
-+		-e 's|\@OPENVPN_VERSION_PATCH\@|$(OPENVPN_VERSION_PATCH)|' \
-+               $< > $@.tmp && mv $@.tmp $@
-diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
-index 0b30352..a084fc1 100644
---- a/include/openvpn-plugin.h.in
-+++ b/include/openvpn-plugin.h.in
-@@ -27,6 +27,8 @@
- 
- #define OPENVPN_PLUGIN_VERSION 3
- 
-+#define PLUGIN_LIBDIR "@PLUGINDIR@"
-+
- #ifdef ENABLE_CRYPTO
- #ifdef ENABLE_CRYPTO_MBEDTLS
- #include <mbedtls/x509_crt.h>
-diff --git a/src/openvpn/plugin.c b/src/openvpn/plugin.c
-index e530c0c..f777027 100644
---- a/src/openvpn/plugin.c
-+++ b/src/openvpn/plugin.c
-@@ -234,23 +234,15 @@ plugin_init_item(struct plugin *p, const struct plugin_option *o)
- #ifndef _WIN32
- 
-     p->handle = NULL;
--#if defined(PLUGIN_LIBDIR)
-+
-     if (!absolute_pathname(p->so_pathname))
-     {
-         char full[PATH_MAX];
- 
-         openvpn_snprintf(full, sizeof(full), "%s/%s", PLUGIN_LIBDIR, p->so_pathname);
-         p->handle = dlopen(full, RTLD_NOW);
--#if defined(ENABLE_PLUGIN_SEARCH)
--        if (!p->handle)
--        {
--            rel = true;
--            p->handle = dlopen(p->so_pathname, RTLD_NOW);
--        }
--#endif
-     }
-     else
--#endif
-     {
-         rel = !absolute_pathname(p->so_pathname);
-         p->handle = dlopen(p->so_pathname, RTLD_NOW);
-From 631812fe29c69d0034628ab8321cb4016cb4fc2d Mon Sep 17 00:00:00 2001
-From: Christian Hesse <mail at eworm.de>
-Date: Fri, 27 Jan 2017 09:49:27 +0100
-Subject: [PATCH 2/2] plugin: Remove GNUism in openvpn-plugin.h generation
-
-The plugin path handling cleanup (4590c383) introduced GNUism and broke
-builds on system not using GNU Make (like *BSD).
-
-Revert back to let configure generate the header file. Instead let make
-add an extra CFLAG that defines PLUGIN_LIBDIR.
-
-Signed-off-by: Christian Hesse <mail at eworm.de>
-Acked-by: Gert Doering <gert at greenie.muc.de>
-Message-Id: <20170127084927.21040-1-list at eworm.de>
-URL: http://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13966.html
-Signed-off-by: David Sommerseth <davids at openvpn.net>
----
- configure.ac                | 2 +-
- include/Makefile.am         | 7 -------
- include/openvpn-plugin.h.in | 2 --
- src/openvpn/Makefile.am     | 4 +++-
- 4 files changed, 4 insertions(+), 11 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index f305c54..b29f8b4 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -38,7 +38,7 @@ AC_DEFINE([OPENVPN_VERSION_MINOR], [PRODUCT_VERSION_MINOR], [OpenVPN minor versi
- AC_DEFINE([OPENVPN_VERSION_PATCH], ["PRODUCT_VERSION_PATCH"], [OpenVPN patch level - may be a string or integer])
- 
- AC_CONFIG_AUX_DIR([.])
--AC_CONFIG_HEADERS([config.h])
-+AC_CONFIG_HEADERS([config.h include/openvpn-plugin.h])
- AC_CONFIG_SRCDIR([src/openvpn/syshead.h])
- AC_CONFIG_MACRO_DIR([m4])
- 
-diff --git a/include/Makefile.am b/include/Makefile.am
-index 37962a6..a52c427 100644
---- a/include/Makefile.am
-+++ b/include/Makefile.am
-@@ -16,10 +16,3 @@ MAINTAINERCLEANFILES = \
- include_HEADERS = \
- 	openvpn-plugin.h \
- 	openvpn-msg.h
--
--openvpn-plugin.h: openvpn-plugin.h.in Makefile
--	$(AM_V_GEN)sed -e 's|\@PLUGINDIR\@|$(plugindir)|' \
--		-e 's|\@OPENVPN_VERSION_MAJOR\@|$(OPENVPN_VERSION_MAJOR)|' \
--		-e 's|\@OPENVPN_VERSION_MINOR\@|$(OPENVPN_VERSION_MINOR)|' \
--		-e 's|\@OPENVPN_VERSION_PATCH\@|$(OPENVPN_VERSION_PATCH)|' \
--               $< > $@.tmp && mv $@.tmp $@
-diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
-index a084fc1..0b30352 100644
---- a/include/openvpn-plugin.h.in
-+++ b/include/openvpn-plugin.h.in
-@@ -27,8 +27,6 @@
- 
- #define OPENVPN_PLUGIN_VERSION 3
- 
--#define PLUGIN_LIBDIR "@PLUGINDIR@"
--
- #ifdef ENABLE_CRYPTO
- #ifdef ENABLE_CRYPTO_MBEDTLS
- #include <mbedtls/x509_crt.h>
-diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
-index bea294b..3f97855 100644
---- a/src/openvpn/Makefile.am
-+++ b/src/openvpn/Makefile.am
-@@ -27,7 +27,9 @@ AM_CFLAGS = \
- 	$(OPTIONAL_CRYPTO_CFLAGS) \
- 	$(OPTIONAL_LZO_CFLAGS) \
- 	$(OPTIONAL_LZ4_CFLAGS) \
--	$(OPTIONAL_PKCS11_HELPER_CFLAGS)
-+	$(OPTIONAL_PKCS11_HELPER_CFLAGS) \
-+	-DPLUGIN_LIBDIR=\"${plugindir}\"
-+
- if WIN32
- # we want unicode entry point but not the macro
- AM_CFLAGS += -municode -UUNICODE

Deleted: 0002-do-not-race-on-RuntimeDirectory.patch
===================================================================
--- 0002-do-not-race-on-RuntimeDirectory.patch	2017-03-22 16:06:42 UTC (rev 291211)
+++ 0002-do-not-race-on-RuntimeDirectory.patch	2017-03-22 19:22:10 UTC (rev 291212)
@@ -1,262 +0,0 @@
-From ca5b4c2aad2370be7862660d274b7485f2d0af71 Mon Sep 17 00:00:00 2001
-From: Christian Hesse <mail at eworm.de>
-Date: Tue, 24 Jan 2017 15:39:46 +0100
-Subject: [PATCH 1/2] systemd: Use automake tools to install unit files
-
-If systemd is enabled we install unit files to $libdir/systemd/system
-(or the path specified by SYSTEMD_UNIT_DIR).
-The unit files are generated on the fly with matching $sbindir.
-
-Signed-off-by: Christian Hesse <mail at eworm.de>
-Acked-by: David Sommerseth <davids at openvpn.net>
-Message-Id: <20170124143947.27385-1-list at eworm.de>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13940.html
-Signed-off-by: David Sommerseth <davids at openvpn.net>
----
- configure.ac                                       | 10 +++++++++
- distro/Makefile.am                                 |  4 +---
- distro/systemd/Makefile.am                         | 26 ++++++++++++++++++++++
- ...-client at .service => openvpn-client at .service.in} |  2 +-
- ...-server at .service => openvpn-server at .service.in} |  2 +-
- 6 files changed, 40 insertions(+), 5 deletions(-)
- create mode 100644 distro/systemd/Makefile.am
- rename distro/systemd/{openvpn-client at .service => openvpn-client at .service.in} (90%)
- rename distro/systemd/{openvpn-server at .service => openvpn-server at .service.in} (91%)
-
-diff --git a/configure.ac b/configure.ac
-index 8783109..48d8f0c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -378,6 +378,7 @@ AC_ARG_VAR([NETSTAT], [path to netstat utility]) # tests
- AC_ARG_VAR([MAN2HTML], [path to man2html utility])
- AC_ARG_VAR([GIT], [path to git utility])
- AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])
-+AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@])
- AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
- AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
- AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
-@@ -1099,6 +1100,12 @@ if test "$enable_systemd" = "yes" ; then
-     OPTIONAL_SYSTEMD_LIBS="${libsystemd_LIBS}"
-     AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd integration])
-     LIBS="${saved_LIBS}"
-+
-+    if test -n "${SYSTEMD_UNIT_DIR}"; then
-+        systemdunitdir="${SYSTEMD_UNIT_DIR}"
-+    else
-+        systemdunitdir="\${libdir}/systemd/system"
-+    fi
- fi
- 
- 
-@@ -1275,6 +1282,8 @@ sampledir="\$(docdir)/sample"
- AC_SUBST([plugindir])
- AC_SUBST([sampledir])
- 
-+AC_SUBST([systemdunitdir])
-+
- VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/"
- VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist"
- VENDOR_BUILD_ROOT="\$(abs_top_builddir)/vendor/.build"
-@@ -1313,6 +1322,7 @@ AC_CONFIG_FILES([
- 	distro/Makefile
- 	distro/rpm/Makefile
- 	distro/rpm/openvpn.spec
-+	distro/systemd/Makefile
- 	include/Makefile
- 	src/Makefile
- 	src/compat/Makefile
-diff --git a/distro/Makefile.am b/distro/Makefile.am
-index 7a9ffd0..eb0e554 100644
---- a/distro/Makefile.am
-+++ b/distro/Makefile.am
-@@ -12,6 +12,4 @@
- MAINTAINERCLEANFILES = \
- 	$(srcdir)/Makefile.in
- 
--SUBDIRS = rpm
--
--EXTRA_DIST = systemd/openvpn-client at .service systemd/openvpn-server at .service
-+SUBDIRS = rpm systemd
-diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
-new file mode 100644
-index 0000000..b10c6ed
---- /dev/null
-+++ b/distro/systemd/Makefile.am
-@@ -0,0 +1,26 @@
-+#
-+#  OpenVPN -- An application to securely tunnel IP networks
-+#             over a single UDP port, with support for SSL/TLS-based
-+#             session authentication and key exchange,
-+#             packet encryption, packet authentication, and
-+#             packet compression.
-+#
-+#  Copyright (C) 2017 OpenVPN Technologies, Inc. <sales at openvpn.net>
-+#
-+
-+%.service: %.service.in Makefile
-+	$(AM_V_GEN)sed -e 's|\@sbindir\@|$(sbindir)|' \
-+		$< > $@.tmp && mv $@.tmp $@
-+
-+EXTRA_DIST = \
-+	openvpn-client at .service.in \
-+	openvpn-server at .service.in
-+
-+if ENABLE_SYSTEMD
-+systemdunit_DATA = \
-+	openvpn-client at .service \
-+	openvpn-server at .service
-+endif
-+
-+MAINTAINERCLEANFILES = \
-+	$(srcdir)/Makefile.in
-diff --git a/distro/systemd/openvpn-client at .service b/distro/systemd/openvpn-client at .service.in
-similarity index 90%
-rename from distro/systemd/openvpn-client at .service
-rename to distro/systemd/openvpn-client at .service.in
-index 5618af3..d933772 100644
---- a/distro/systemd/openvpn-client at .service
-+++ b/distro/systemd/openvpn-client at .service.in
-@@ -12,7 +12,7 @@ PrivateTmp=true
- RuntimeDirectory=openvpn-client
- RuntimeDirectoryMode=0710
- WorkingDirectory=/etc/openvpn/client
--ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
-+ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
- CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
- LimitNPROC=10
- DeviceAllow=/dev/null rw
-diff --git a/distro/systemd/openvpn-server at .service b/distro/systemd/openvpn-server at .service.in
-similarity index 91%
-rename from distro/systemd/openvpn-server at .service
-rename to distro/systemd/openvpn-server at .service.in
-index b9b4dba..da5c78e 100644
---- a/distro/systemd/openvpn-server at .service
-+++ b/distro/systemd/openvpn-server at .service.in
-@@ -12,7 +12,7 @@ PrivateTmp=true
- RuntimeDirectory=openvpn-server
- RuntimeDirectoryMode=0710
- WorkingDirectory=/etc/openvpn/server
--ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
-+ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
- CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
- LimitNPROC=10
- DeviceAllow=/dev/null rw
-From 3de7be7b17de879a78eea4afe4c918c6104c635d Mon Sep 17 00:00:00 2001
-From: Christian Hesse <mail at eworm.de>
-Date: Tue, 24 Jan 2017 15:39:47 +0100
-Subject: [PATCH 2/2] systemd: Do not race on RuntimeDirectory
-
-Different unit instances create and destroy the same RuntimeDirectory.
-This leads to running instances where the status file (and possibly
-more runtime data) is no longer accessible.
-
-So do not handle this in unit files but provide a tmpfiles.d
-configuration and let systemd-tmpfiles do the work.
-Nobody will (unintentionally) delete the directories and its content.
-As /run is volatile we do not have to care about cleanup.
-
-Signed-off-by: Christian Hesse <mail at eworm.de>
-Acked-by: David Sommerseth <davids at openvpn.net>
-Message-Id: <20170124143947.27385-2-list at eworm.de>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13939.html
-Signed-off-by: David Sommerseth <davids at openvpn.net>
----
- configure.ac                              | 8 ++++++++
- distro/systemd/Makefile.am                | 6 ++++++
- distro/systemd/openvpn-client at .service.in | 2 --
- distro/systemd/openvpn-server at .service.in | 2 --
- distro/systemd/tmpfiles-openvpn.conf      | 2 ++
- 5 files changed, 16 insertions(+), 4 deletions(-)
- create mode 100644 distro/systemd/tmpfiles-openvpn.conf
-
-diff --git a/configure.ac b/configure.ac
-index 48d8f0c..79fb1ba 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -379,6 +379,7 @@ AC_ARG_VAR([MAN2HTML], [path to man2html utility])
- AC_ARG_VAR([GIT], [path to git utility])
- AC_ARG_VAR([SYSTEMD_ASK_PASSWORD], [path to systemd-ask-password utility])
- AC_ARG_VAR([SYSTEMD_UNIT_DIR], [Path of systemd unit directory @<:@default=LIBDIR/systemd/system@:>@])
-+AC_ARG_VAR([TMPFILES_DIR], [Path of tmpfiles directory @<:@default=LIBDIR/tmpfiles.d@:>@])
- AC_PATH_PROGS([IFCONFIG], [ifconfig],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
- AC_PATH_PROGS([ROUTE], [route],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
- AC_PATH_PROGS([IPROUTE], [ip],, [$PATH:/usr/local/sbin:/usr/sbin:/sbin])
-@@ -1106,6 +1107,12 @@ if test "$enable_systemd" = "yes" ; then
-     else
-         systemdunitdir="\${libdir}/systemd/system"
-     fi
-+
-+    if test -n "${TMPFILES_DIR}"; then
-+        tmpfilesdir="${TMPFILES_DIR}"
-+    else
-+        tmpfilesdir="\${libdir}/tmpfiles.d"
-+    fi
- fi
- 
- 
-@@ -1283,6 +1290,7 @@ AC_SUBST([plugindir])
- AC_SUBST([sampledir])
- 
- AC_SUBST([systemdunitdir])
-+AC_SUBST([tmpfilesdir])
- 
- VENDOR_SRC_ROOT="\$(abs_top_srcdir)/vendor/"
- VENDOR_DIST_ROOT="\$(abs_top_builddir)/vendor/dist"
-diff --git a/distro/systemd/Makefile.am b/distro/systemd/Makefile.am
-index b10c6ed..1e3f3ea 100644
---- a/distro/systemd/Makefile.am
-+++ b/distro/systemd/Makefile.am
-@@ -13,6 +13,7 @@
- 		$< > $@.tmp && mv $@.tmp $@
- 
- EXTRA_DIST = \
-+	tmpfiles-openvpn.conf \
- 	openvpn-client at .service.in \
- 	openvpn-server at .service.in
- 
-@@ -20,6 +21,11 @@ if ENABLE_SYSTEMD
- systemdunit_DATA = \
- 	openvpn-client at .service \
- 	openvpn-server at .service
-+tmpfiles_DATA = \
-+	tmpfiles-openvpn.conf
-+
-+install-data-hook:
-+	mv $(DESTDIR)$(tmpfilesdir)/tmpfiles-openvpn.conf $(DESTDIR)$(tmpfilesdir)/openvpn.conf
- endif
- 
- MAINTAINERCLEANFILES = \
-diff --git a/distro/systemd/openvpn-client at .service.in b/distro/systemd/openvpn-client at .service.in
-index d933772..1be1e33 100644
---- a/distro/systemd/openvpn-client at .service.in
-+++ b/distro/systemd/openvpn-client at .service.in
-@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
- [Service]
- Type=notify
- PrivateTmp=true
--RuntimeDirectory=openvpn-client
--RuntimeDirectoryMode=0710
- WorkingDirectory=/etc/openvpn/client
- ExecStart=@sbindir@/openvpn --suppress-timestamps --nobind --config %i.conf
- CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-diff --git a/distro/systemd/openvpn-server at .service.in b/distro/systemd/openvpn-server at .service.in
-index da5c78e..3dccaf2 100644
---- a/distro/systemd/openvpn-server at .service.in
-+++ b/distro/systemd/openvpn-server at .service.in
-@@ -9,8 +9,6 @@ Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
- [Service]
- Type=notify
- PrivateTmp=true
--RuntimeDirectory=openvpn-server
--RuntimeDirectoryMode=0710
- WorkingDirectory=/etc/openvpn/server
- ExecStart=@sbindir@/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
- CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-diff --git a/distro/systemd/tmpfiles-openvpn.conf b/distro/systemd/tmpfiles-openvpn.conf
-new file mode 100644
-index 0000000..bb79671
---- /dev/null
-+++ b/distro/systemd/tmpfiles-openvpn.conf
-@@ -0,0 +1,2 @@
-+d /run/openvpn-client 0710 root root -
-+d /run/openvpn-server 0710 root root -

Deleted: 0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch
===================================================================
--- 0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch	2017-03-22 16:06:42 UTC (rev 291211)
+++ 0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch	2017-03-22 19:22:10 UTC (rev 291212)
@@ -1,124 +0,0 @@
-From e83a8684f0a0d944e9d53cdad2b543cfd1b6fbae Mon Sep 17 00:00:00 2001
-From: David Sommerseth <davids at openvpn.net>
-Date: Wed, 25 Jan 2017 00:23:44 +0100
-Subject: [PATCH 1/2] systemd: Move the READY=1 signalling to an earlier
- point
-
-Currently, OpenVPN will first tell systemd it is ready once the
-log will be appended with "Initialization Sequence Completed".
-This turns out to cause some issues several places.
-
-First, it adds challenges if --chroot is used in the configuration;
-this is already fixed.  Secondly, it will cause havoc on static key
-p2p mode configurations where the log line above will not happen
-before either sides have completed establishing a connection.  And
-thirdly, if a client configuration fails to establish a connection
-within 90 seconds, it will also fail.  For the third case this may
-not be a critical issue itself, as the host just needs to get
-an Internet access established first - which in some scenarios may
-take much longer than those 90 seconds systemd grants after the
-OpenVPN client configuration is started.
-
-The approach this patch takes is to consider OpenVPN ready when
-all the initial preparations and configurations have completed - but
-before a connection to a remote side have been attempted.  This
-also removes the need for specially handling the --chroot scenario.
-
-The final "Initialization Sequence Completed" message update is
-kept (though slightly simplified) to indicate we're in a good
-state - even though this update will not be visible if --chroot
-is used (which was the situation also before this patch).
-
-Trac: #827, #801
-Signed-off-by: David Sommerseth <davids at openvpn.net>
-Acked-by: Gert Doering <gert at greenie.muc.de>
-Acked-by: Christian Hesse <mail at eworm.de>
-Message-Id: <20170124232344.7825-1-davids at openvpn.net>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13945.html
-Signed-off-by: David Sommerseth <davids at openvpn.net>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- src/openvpn/init.c | 29 ++++++++++-------------------
- 1 file changed, 10 insertions(+), 19 deletions(-)
-
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index 756bf36..ff1551e 100644
---- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -562,6 +562,15 @@ context_init_1(struct context *c)
-     }
- #endif
- 
-+#ifdef ENABLE_SYSTEMD
-+    /* We can report the PID via getpid() to systemd here as OpenVPN will not
-+     * do any fork due to daemon() a future call.
-+     * See possibly_become_daemon() [init.c] for more details.
-+     */
-+    sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization succesfull\nMAINPID=%lu",
-+               (unsigned long) getpid());
-+#endif
-+
- }
- 
- void
-@@ -1042,24 +1051,6 @@ do_uid_gid_chroot(struct context *c, bool no_delay)
-         {
-             if (no_delay)
-             {
--#ifdef ENABLE_SYSTEMD
--                /* If OpenVPN is started by systemd, the OpenVPN process needs
--                 * to provide a preliminary status report to systemd.  This is
--                 * needed as $NOTIFY_SOCKET will not be available inside the
--                 * chroot, which sd_notify()/sd_notifyf() depends on.
--                 *
--                 * This approach is the simplest and the most non-intrusive
--                 * solution right before the 2.4_rc2 release.
--                 *
--                 * TODO: Consider altnernative solutions - bind mount?
--                 * systemd does not grok OpenVPN configuration files, thus cannot
--                 * have a sane way to know if OpenVPN will chroot or not and to
--                 * which subdirectory it will chroot into.
--                 */
--                sd_notifyf(0, "READY=1\n"
--                           "STATUS=Entering chroot, most of the init completed successfully\n"
--                           "MAINPID=%lu", (unsigned long) getpid());
--#endif
-                 platform_chroot(c->options.chroot_dir);
-             }
-             else if (c->first_time)
-@@ -1409,7 +1400,7 @@ initialization_sequence_completed(struct context *c, const unsigned int flags)
-     else
-     {
- #ifdef ENABLE_SYSTEMD
--        sd_notifyf(0, "READY=1\nSTATUS=%s\nMAINPID=%lu", message, (unsigned long) getpid());
-+        sd_notifyf(0, "STATUS=%s", message);
- #endif
-         msg(M_INFO, "%s", message);
-     }
-From b13bc6c9570e00d12e26bb3b8e5bf9bdb0b16eff Mon Sep 17 00:00:00 2001
-From: Christian Hesse <mail at eworm.de>
-Date: Fri, 24 Feb 2017 13:22:52 +0100
-Subject: [PATCH 2/2] fix typo in notification message
-
-Signed-off-by: Christian Hesse <mail at eworm.de>
-Acked-by: Gert Doering <gert at greenie.muc.de>
-Message-Id: <20170224122252.15199-1-list at eworm.de>
-URL: http://www.mail-archive.com/search?l=mid&q=20170224122252.15199-1-list@eworm.de
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
----
- src/openvpn/init.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index ff1551e..7da0061 100644
---- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -567,7 +567,7 @@ context_init_1(struct context *c)
-      * do any fork due to daemon() a future call.
-      * See possibly_become_daemon() [init.c] for more details.
-      */
--    sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization succesfull\nMAINPID=%lu",
-+    sd_notifyf(0, "READY=1\nSTATUS=Pre-connection initialization successful\nMAINPID=%lu",
-                (unsigned long) getpid());
- #endif
- 

Modified: 0004-openssl-1-1-0.patch
===================================================================
--- 0004-openssl-1-1-0.patch	2017-03-22 16:06:42 UTC (rev 291211)
+++ 0004-openssl-1-1-0.patch	2017-03-22 19:22:10 UTC (rev 291212)
@@ -1,1072 +1,7 @@
-From 5b48e8c9f85442936f744c3c550d9d41fe8c7b60 Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan at karger.me>
-Date: Sun, 22 Jan 2017 17:04:41 +0100
-Subject: [PATCH 01/20] Use SHA256 for the internal digest, instead of MD5
-
-Our internal options digest uses MD5 hashes to store the state, instead of
-storing the full options string.  There's nothing wrong with that, but it
-would still be better to use SHA256 because:
- * That makes it easier to make OpenVPN "FIPS-compliant" (forbids MD5)
- * We don't have to explain anymore that MD5 is fine too
-
-The slightly less bytes for the digest (16 instead of 32) and operations
-per connection setup are not worth sticking to MD5.
-
-Note that might SHA256 not be available in de crypto lib, OpenVPN will
-refuse to start and shout "Message hash algorithm 'SHA256' not found".
-
-Signed-off-by: Steffan Karger <steffan at karger.me>
-Acked-by: David Sommerseth <davids at openvpn.net>
-Message-Id: <1485101081-9784-1-git-send-email-steffan at karger.me>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg13926.html
-Signed-off-by: David Sommerseth <davids at openvpn.net>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- src/openvpn/crypto.h         |  6 +++---
- src/openvpn/crypto_mbedtls.h |  1 +
- src/openvpn/crypto_openssl.h |  1 +
- src/openvpn/init.c           | 10 +++++-----
- src/openvpn/openvpn.h        |  6 +++---
- src/openvpn/push.c           |  8 ++++----
- 6 files changed, 17 insertions(+), 15 deletions(-)
-
-diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
-index 42a46d9..afd6fe5 100644
---- a/src/openvpn/crypto.h
-+++ b/src/openvpn/crypto.h
-@@ -131,9 +131,9 @@
- #include "packet_id.h"
- #include "mtu.h"
- 
--/** Wrapper struct to pass around MD5 digests */
--struct md5_digest {
--    uint8_t digest[MD5_DIGEST_LENGTH];
-+/** Wrapper struct to pass around SHA256 digests */
-+struct sha256_digest {
-+    uint8_t digest[SHA256_DIGEST_LENGTH];
- };
- 
- /*
-diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h
-index 525b256..da2db16 100644
---- a/src/openvpn/crypto_mbedtls.h
-+++ b/src/openvpn/crypto_mbedtls.h
-@@ -73,6 +73,7 @@ typedef mbedtls_md_context_t hmac_ctx_t;
- #define MD4_DIGEST_LENGTH       16
- #define MD5_DIGEST_LENGTH       16
- #define SHA_DIGEST_LENGTH       20
-+#define SHA256_DIGEST_LENGTH    32
- #define DES_KEY_LENGTH 8
- 
- /**
-diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
-index 56ec6e1..f8ddbc8 100644
---- a/src/openvpn/crypto_openssl.h
-+++ b/src/openvpn/crypto_openssl.h
-@@ -33,6 +33,7 @@
- #include <openssl/evp.h>
- #include <openssl/hmac.h>
- #include <openssl/md5.h>
-+#include <openssl/sha.h>
- 
- /** Generic cipher key type %context. */
- typedef EVP_CIPHER cipher_kt_t;
-diff --git a/src/openvpn/init.c b/src/openvpn/init.c
-index f2e75c8..756bf36 100644
---- a/src/openvpn/init.c
-+++ b/src/openvpn/init.c
-@@ -1919,12 +1919,12 @@ tun_abort()
-  * equal, or either one is all-zeroes.
-  */
- static bool
--options_hash_changed_or_zero(const struct md5_digest *a,
--                             const struct md5_digest *b)
-+options_hash_changed_or_zero(const struct sha256_digest *a,
-+                             const struct sha256_digest *b)
- {
--    const struct md5_digest zero = {{0}};
--    return memcmp(a, b, sizeof(struct md5_digest))
--           || !memcmp(a, &zero, sizeof(struct md5_digest));
-+    const struct sha256_digest zero = {{0}};
-+    return memcmp(a, b, sizeof(struct sha256_digest))
-+           || !memcmp(a, &zero, sizeof(struct sha256_digest));
- }
- #endif /* P2MP */
- 
-diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
-index 37edec4..893296e 100644
---- a/src/openvpn/openvpn.h
-+++ b/src/openvpn/openvpn.h
-@@ -202,7 +202,7 @@ struct context_1
- #endif
- 
-     /* if client mode, hash of option strings we pulled from server */
--    struct md5_digest pulled_options_digest_save;
-+    struct sha256_digest pulled_options_digest_save;
-     /**< Hash of option strings received from the
-      *   remote OpenVPN server.  Only used in
-      *   client-mode. */
-@@ -471,9 +471,9 @@ struct context_2
-     bool did_pre_pull_restore;
- 
-     /* hash of pulled options, so we can compare when options change */
--    bool pulled_options_md5_init_done;
-+    bool pulled_options_digest_init_done;
-     md_ctx_t pulled_options_state;
--    struct md5_digest pulled_options_digest;
-+    struct sha256_digest pulled_options_digest;
- 
-     struct event_timeout scheduled_exit;
-     int scheduled_exit_signal;
-diff --git a/src/openvpn/push.c b/src/openvpn/push.c
-index c9c04a6..8c3104e 100644
---- a/src/openvpn/push.c
-+++ b/src/openvpn/push.c
-@@ -720,10 +720,10 @@ process_incoming_push_msg(struct context *c,
-         if (ch == ',')
-         {
-             struct buffer buf_orig = buf;
--            if (!c->c2.pulled_options_md5_init_done)
-+            if (!c->c2.pulled_options_digest_init_done)
-             {
--                md_ctx_init(&c->c2.pulled_options_state, md_kt_get("MD5"));
--                c->c2.pulled_options_md5_init_done = true;
-+                md_ctx_init(&c->c2.pulled_options_state, md_kt_get("SHA256"));
-+                c->c2.pulled_options_digest_init_done = true;
-             }
-             if (!c->c2.did_pre_pull_restore)
-             {
-@@ -744,7 +744,7 @@ process_incoming_push_msg(struct context *c,
-                     case 1:
-                         md_ctx_final(&c->c2.pulled_options_state, c->c2.pulled_options_digest.digest);
-                         md_ctx_cleanup(&c->c2.pulled_options_state);
--                        c->c2.pulled_options_md5_init_done = false;
-+                        c->c2.pulled_options_digest_init_done = false;
-                         ret = PUSH_MSG_REPLY;
-                         break;
- 
-From dcfd3b6173d8cdb4658de23db1dd0bd932b390d2 Mon Sep 17 00:00:00 2001
-From: Olivier Wahrenberger <olivierw.ml at gmail.com>
-Date: Mon, 13 Feb 2017 19:38:26 +0100
-Subject: [PATCH 02/20] Fix building with LibreSSL 2.5.1 by cleaning a hack.
-
-Similar to what is done in curl: https://github.com/curl/curl/blob/028391df5d84d9fae3433afdee9261d565900355/lib/vtls/openssl.c#L603-L619
-
-Use SSL_CTX_get0_privatekey() for OpenSSL >= 1.0.2
-
-Signed-off-by: Olivier Wahrenberger <olivierw.ml at gmail.com>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <20170213183826.73008-1-O2Graphics at users.noreply.github.com>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14045.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- src/openvpn/ssl_openssl.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 8266595..abf69c9 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -508,10 +508,18 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
-         const EC_GROUP *ecgrp = NULL;
-         EVP_PKEY *pkey = NULL;
- 
-+#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-+        pkey = SSL_CTX_get0_privatekey(ctx->ctx);
-+#else
-         /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */
--        SSL ssl;
--        ssl.cert = ctx->ctx->cert;
--        pkey = SSL_get_privatekey(&ssl);
-+        SSL *ssl = SSL_new(ctx->ctx);
-+        if (!ssl)
-+        {
-+            crypto_msg(M_FATAL, "SSL_new failed");
-+        }
-+        pkey = SSL_get_privatekey(ssl);
-+        SSL_free(ssl);
-+#endif
- 
-         msg(D_TLS_DEBUG, "Extracting ECDH curve from private key");
- 
-From 6ddc43d1bf9b3ea3ee5db8c50d56a98fe4db4c97 Mon Sep 17 00:00:00 2001
-From: Emmanuel Deloget <logout at free.fr>
-Date: Fri, 17 Feb 2017 23:00:53 +0100
-Subject: [PATCH 03/20] OpenSSL: check for the SSL reason, not the full error
-
-OpenSSL 1.1 changed the SSLv3 API and removed many SSL_L_SSL3_*
-constants. Moreover, new code might use different function
-code for the same error.
-
-Thus, we extract the error reason from the error code before
-we compare it instead of trying to rebuild an error code
-that might not be correct.
-
-The new version is compatible with OpenSSL 1.0.x as well as
-with older versions (starting at 0.9.8).
-
-Signed-off-by: Emmanuel Deloget <logout at free.fr>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <0e0d4a67192b563cd07d3f06685f85e34c304142.1487368114.git.logout at free.fr>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14087.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- src/openvpn/crypto_openssl.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index e455715..a66ee71 100644
---- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -193,8 +193,7 @@ crypto_print_openssl_errors(const unsigned int flags)
-     while ((err = ERR_get_error()))
-     {
-         /* Be more clear about frequently occurring "no shared cipher" error */
--        if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO,
--                            SSL_R_NO_SHARED_CIPHER))
-+        if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER)
-         {
-             msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites "
-                 "in common with the client. Your --tls-cipher setting might be "
-From 88046ad9e8e333259ae6fb4a295a9931a1a0e47f Mon Sep 17 00:00:00 2001
-From: Emmanuel Deloget <logout at free.fr>
-Date: Fri, 17 Feb 2017 23:00:48 +0100
-Subject: [PATCH 04/20] OpenSSL: don't use direct access to the internal of
- X509_STORE_CTX
-
-OpenSSL 1.1 does not allow us to directly access the internal of
-any data type, including X509_STORE_CTX. We have to use the defined
-functions to do so.
-
-Fortunately, these functions have existed since the dawn of time so
-we don't have any compatibility issue here.
-
-Signed-off-by: Emmanuel Deloget <logout at free.fr>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <11477a0a3cf636572c84e0110a6f1b726bc60c2c.1487368114.git.logout at free.fr>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14085.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- src/openvpn/ssl_verify_openssl.c | 19 ++++++++++---------
- 1 file changed, 10 insertions(+), 9 deletions(-)
-
-diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
-index 274e2bb..0dca099 100644
---- a/src/openvpn/ssl_verify_openssl.c
-+++ b/src/openvpn/ssl_verify_openssl.c
-@@ -61,14 +61,15 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-     session = (struct tls_session *) SSL_get_ex_data(ssl, mydata_index);
-     ASSERT(session);
- 
--    struct buffer cert_hash = x509_get_sha256_fingerprint(ctx->current_cert, &gc);
--    cert_hash_remember(session, ctx->error_depth, &cert_hash);
-+    X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
-+    struct buffer cert_hash = x509_get_sha256_fingerprint(current_cert, &gc);
-+    cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash);
- 
-     /* did peer present cert which was signed by our root cert? */
-     if (!preverify_ok)
-     {
-         /* get the X509 name */
--        char *subject = x509_get_subject(ctx->current_cert, &gc);
-+        char *subject = x509_get_subject(current_cert, &gc);
- 
-         if (!subject)
-         {
-@@ -76,11 +77,11 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-         }
- 
-         /* Log and ignore missing CRL errors */
--        if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
-+        if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
-         {
-             msg(D_TLS_DEBUG_LOW, "VERIFY WARNING: depth=%d, %s: %s",
--                ctx->error_depth,
--                X509_verify_cert_error_string(ctx->error),
-+                X509_STORE_CTX_get_error_depth(ctx),
-+                X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
-                 subject);
-             ret = 1;
-             goto cleanup;
-@@ -88,8 +89,8 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
- 
-         /* Remote site specified a certificate, but it's not correct */
-         msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s",
--            ctx->error_depth,
--            X509_verify_cert_error_string(ctx->error),
-+            X509_STORE_CTX_get_error_depth(ctx),
-+            X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
-             subject);
- 
-         ERR_clear_error();
-@@ -98,7 +99,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-         goto cleanup;
-     }
- 
--    if (SUCCESS != verify_cert(session, ctx->current_cert, ctx->error_depth))
-+    if (SUCCESS != verify_cert(session, current_cert, X509_STORE_CTX_get_error_depth(ctx)))
-     {
-         goto cleanup;
-     }
-From 6554ac9fed9c5680f22aa4722e6e07ebf3aa3441 Mon Sep 17 00:00:00 2001
-From: Emmanuel Deloget <logout at free.fr>
-Date: Fri, 17 Feb 2017 23:00:40 +0100
-Subject: [PATCH 05/20] OpenSSL: don't use direct access to the internal of
- SSL_CTX
-
-OpenSSL 1.1 does not allow us to directly access the internal of
-any data type, including SSL_CTX. We have to use the defined functions
-to do so.
-
-Compatibility with OpenSSL 1.0 is kept by defining the corresponding
-functions when they are not found in the library.
-
-Signed-off-by: Emmanuel Deloget <logout at free.fr>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <a77187a66affdba318ef70e0e218b69cdad509d1.1487368114.git.logout at free.fr>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14088.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- configure.ac                 |  9 ++++++
- src/openvpn/openssl_compat.h | 74 ++++++++++++++++++++++++++++++++++++++++++++
- src/openvpn/ssl_openssl.c    | 13 +++++---
- 3 files changed, 91 insertions(+), 5 deletions(-)
- create mode 100644 src/openvpn/openssl_compat.h
-
-diff --git a/configure.ac b/configure.ac
-index b29f8b4..5fe5d60 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -898,6 +898,15 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
- 		[have_crypto_aead_modes="no"; break]
- 	)
- 
-+	AC_CHECK_FUNCS(
-+		[ \
-+			SSL_CTX_get_default_passwd_cb \
-+			SSL_CTX_get_default_passwd_cb_userdata \
-+		],
-+		,
-+		[]
-+	)
-+
- 	CFLAGS="${saved_CFLAGS}"
- 	LIBS="${saved_LIBS}"
- 
-diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
-new file mode 100644
-index 0000000..59bad9f
---- /dev/null
-+++ b/src/openvpn/openssl_compat.h
-@@ -0,0 +1,74 @@
-+/*
-+ *  OpenVPN -- An application to securely tunnel IP networks
-+ *             over a single TCP/UDP port, with support for SSL/TLS-based
-+ *             session authentication and key exchange,
-+ *             packet encryption, packet authentication, and
-+ *             packet compression.
-+ *
-+ *  Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales at openvpn.net>
-+ *  Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn at fox-it.com>
-+ *
-+ *  This program is free software; you can redistribute it and/or modify
-+ *  it under the terms of the GNU General Public License version 2
-+ *  as published by the Free Software Foundation.
-+ *
-+ *  This program is distributed in the hope that it will be useful,
-+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+ *  GNU General Public License for more details.
-+ *
-+ *  You should have received a copy of the GNU General Public License
-+ *  along with this program (see the file COPYING included with this
-+ *  distribution); if not, write to the Free Software Foundation, Inc.,
-+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-+ */
-+
-+/**
-+ * @file OpenSSL compatibility stub
-+ *
-+ * This file provide compatibility stubs for the OpenSSL libraries
-+ * prior to version 1.1. This version introduces many changes in the
-+ * library interface, including the fact that various objects and
-+ * structures are not fully opaque.
-+ */
-+
-+#ifndef OPENSSL_COMPAT_H_
-+#define OPENSSL_COMPAT_H_
-+
-+#ifdef HAVE_CONFIG_H
-+#include "config.h"
-+#elif defined(_MSC_VER)
-+#include "config-msvc.h"
-+#endif
-+
-+#include <openssl/ssl.h>
-+
-+#if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA)
-+/**
-+ * Fetch the default password callback user data from the SSL context
-+ *
-+ * @param ctx                SSL context
-+ * @return                   The password callback user data
-+ */
-+static inline void *
-+SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
-+{
-+    return ctx ? ctx->default_passwd_callback_userdata : NULL;
-+}
-+#endif
-+
-+#if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB)
-+/**
-+ * Fetch the default password callback from the SSL context
-+ *
-+ * @param ctx                SSL context
-+ * @return                   The password callback
-+ */
-+static inline pem_password_cb *
-+SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
-+{
-+    return ctx ? ctx->default_passwd_callback : NULL;
-+}
-+#endif
-+
-+#endif /* OPENSSL_COMPAT_H_ */
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index abf69c9..39e92f8 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -45,6 +45,7 @@
- #include "ssl_backend.h"
- #include "ssl_common.h"
- #include "base64.h"
-+#include "openssl_compat.h"
- 
- #ifdef ENABLE_CRYPTOAPI
- #include "cryptoapi.h"
-@@ -658,7 +659,8 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
-         {
-             for (i = 0; i < sk_X509_num(ca); i++)
-             {
--                if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i)))
-+                X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
-+                if (!X509_STORE_add_cert(cert_store,sk_X509_value(ca, i)))
-                 {
-                     crypto_msg(M_FATAL,"Cannot add certificate to certificate chain (X509_STORE_add_cert)");
-                 }
-@@ -760,8 +762,9 @@ tls_ctx_load_cert_file_and_copy(struct tls_root_ctx *ctx,
-         goto end;
-     }
- 
--    x = PEM_read_bio_X509(in, NULL, ctx->ctx->default_passwd_callback,
--                          ctx->ctx->default_passwd_callback_userdata);
-+    x = PEM_read_bio_X509(in, NULL,
-+                          SSL_CTX_get_default_passwd_cb(ctx->ctx),
-+                          SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
-     if (x == NULL)
-     {
-         SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
-@@ -843,8 +846,8 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
-     }
- 
-     pkey = PEM_read_bio_PrivateKey(in, NULL,
--                                   ssl_ctx->default_passwd_callback,
--                                   ssl_ctx->default_passwd_callback_userdata);
-+                                   SSL_CTX_get_default_passwd_cb(ctx->ctx),
-+                                   SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
-     if (!pkey)
-     {
-         goto end;
-From f05665df4150c6a345eec5432a02fd799bea0f2c Mon Sep 17 00:00:00 2001
-From: Emmanuel Deloget <logout at free.fr>
-Date: Fri, 17 Feb 2017 23:00:41 +0100
-Subject: [PATCH 06/20] OpenSSL: don't use direct access to the internal of
- X509_STORE
-
-OpenSSL 1.1 does not allow us to directly access the internal of
-any data type, including X509_STORE. We have to use the defined functions
-to do so.
-
-Compatibility with OpenSSL 1.0 is kept by defining the corresponding
-functions when they are not found in the library.
-
-Signed-off-by: Emmanuel Deloget <logout at free.fr>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <8e6d66e3a9a40abb3d7c99c48ba59bad1037d0ef.1487368114.git.logout at free.fr>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14076.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- configure.ac                     |  1 +
- src/openvpn/openssl_compat.h     | 15 +++++++++++++++
- src/openvpn/ssl_openssl.c        |  7 ++++---
- src/openvpn/ssl_verify_openssl.c |  6 ++++--
- 4 files changed, 24 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 5fe5d60..415128c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -902,6 +902,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
- 		[ \
- 			SSL_CTX_get_default_passwd_cb \
- 			SSL_CTX_get_default_passwd_cb_userdata \
-+			X509_STORE_get0_objects \
- 		],
- 		,
- 		[]
-diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
-index 59bad9f..016008b 100644
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -42,6 +42,7 @@
- #endif
- 
- #include <openssl/ssl.h>
-+#include <openssl/x509.h>
- 
- #if !defined(HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA)
- /**
-@@ -71,4 +72,18 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
- }
- #endif
- 
-+#if !defined(HAVE_X509_STORE_GET0_OBJECTS)
-+/**
-+ * Fetch the X509 object stack from the X509 store
-+ *
-+ * @param store              X509 object store
-+ * @return                   the X509 object stack
-+ */
-+static inline STACK_OF(X509_OBJECT) *
-+X509_STORE_get0_objects(X509_STORE *store)
-+{
-+    return store ? store->objs : NULL;
-+}
-+#endif
-+
- #endif /* OPENSSL_COMPAT_H_ */
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 39e92f8..e57de43 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -900,13 +900,14 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
-     /* Always start with a cleared CRL list, for that we
-      * we need to manually find the CRL object from the stack
-      * and remove it */
--    for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++)
-+    STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
-+    for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
-     {
--        X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i);
-+        X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
-         ASSERT(obj);
-         if (obj->type == X509_LU_CRL)
-         {
--            sk_X509_OBJECT_delete(store->objs, i);
-+            sk_X509_OBJECT_delete(objs, i);
-             X509_OBJECT_free_contents(obj);
-             OPENSSL_free(obj);
-         }
-diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
-index 0dca099..2389248 100644
---- a/src/openvpn/ssl_verify_openssl.c
-+++ b/src/openvpn/ssl_verify_openssl.c
-@@ -43,6 +43,7 @@
- #include "ssl_openssl.h"
- #include "ssl_verify.h"
- #include "ssl_verify_backend.h"
-+#include "openssl_compat.h"
- 
- #include <openssl/x509v3.h>
- #include <openssl/err.h>
-@@ -716,9 +717,10 @@ tls_verify_crl_missing(const struct tls_options *opt)
-         crypto_msg(M_FATAL, "Cannot get certificate store");
-     }
- 
--    for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++)
-+    STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
-+    for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
-     {
--        X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i);
-+        X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
-         ASSERT(obj);
-         if (obj->type == X509_LU_CRL)
-         {
-From 47191f49890ee5c53fa78a8ce9bf96b9c8d27a82 Mon Sep 17 00:00:00 2001
-From: Emmanuel Deloget <logout at free.fr>
-Date: Fri, 17 Feb 2017 23:00:42 +0100
-Subject: [PATCH 07/20] OpenSSL: don't use direct access to the internal of
- X509_OBJECT
-
-OpenSSL 1.1 does not allow us to directly access the internal of
-any data type, including X509_OBJECT. We have to use the defined
-functions to do so.
-
-Compatibility with OpenSSL 1.0 is kept by defining the corresponding
-functions when they are not found in the library.
-
-Signed-off-by: Emmanuel Deloget <logout at free.fr>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <c849c9778d2b2faa4eb4d31367b37d993da5eb85.1487368114.git.logout at free.fr>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14080.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- configure.ac                     |  2 ++
- src/openvpn/openssl_compat.h     | 31 +++++++++++++++++++++++++++++++
- src/openvpn/ssl_openssl.c        |  5 ++---
- src/openvpn/ssl_verify_openssl.c |  2 +-
- 4 files changed, 36 insertions(+), 4 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 415128c..789ad08 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -903,6 +903,8 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
- 			SSL_CTX_get_default_passwd_cb \
- 			SSL_CTX_get_default_passwd_cb_userdata \
- 			X509_STORE_get0_objects \
-+			X509_OBJECT_free \
-+			X509_OBJECT_get_type \
- 		],
- 		,
- 		[]
-diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
-index 016008b..458a6ad 100644
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -86,4 +86,35 @@ X509_STORE_get0_objects(X509_STORE *store)
- }
- #endif
- 
-+#if !defined(HAVE_X509_OBJECT_FREE)
-+/**
-+ * Destroy a X509 object
-+ *
-+ * @param obj                X509 object
-+ */
-+static inline void
-+X509_OBJECT_free(X509_OBJECT *obj)
-+{
-+    if (obj)
-+    {
-+        X509_OBJECT_free_contents(obj);
-+        OPENSSL_free(obj);
-+    }
-+}
-+#endif
-+
-+#if !defined(HAVE_X509_OBJECT_GET_TYPE)
-+/**
-+ * Get the type of an X509 object
-+ *
-+ * @param obj                X509 object
-+ * @return                   The underlying object type
-+ */
-+static inline int
-+X509_OBJECT_get_type(const X509_OBJECT *obj)
-+{
-+    return obj ? obj->type : X509_LU_FAIL;
-+}
-+#endif
-+
- #endif /* OPENSSL_COMPAT_H_ */
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index e57de43..bf0f643 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -905,11 +905,10 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
-     {
-         X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
-         ASSERT(obj);
--        if (obj->type == X509_LU_CRL)
-+        if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
-         {
-             sk_X509_OBJECT_delete(objs, i);
--            X509_OBJECT_free_contents(obj);
--            OPENSSL_free(obj);
-+            X509_OBJECT_free(obj);
-         }
-     }
- 
-diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
-index 2389248..5c2c5b7 100644
---- a/src/openvpn/ssl_verify_openssl.c
-+++ b/src/openvpn/ssl_verify_openssl.c
-@@ -722,7 +722,7 @@ tls_verify_crl_missing(const struct tls_options *opt)
-     {
-         X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
-         ASSERT(obj);
--        if (obj->type == X509_LU_CRL)
-+        if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
-         {
-             return false;
-         }
-From 827c05732b0414dbf3cc05bf4ae6bfda042eadd3 Mon Sep 17 00:00:00 2001
-From: Gert Doering <gert at greenie.muc.de>
-Date: Thu, 23 Feb 2017 09:49:54 +0100
-Subject: [PATCH 08/20] Add openssl_compat.h to openvpn_SOURCES
-
-Commit b936ddfb63 introduced a new header file but forgot to include
-it in the list of openvpn_SOURCES, so it did not get bundled in the
-generated tarballs.
-
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <20170223084954.58464-1-gert at greenie.muc.de>
-URL: http://www.mail-archive.com/search?l=mid&q=20170223084954.58464-1-gert@greenie.muc.de
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- src/openvpn/Makefile.am | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
-index 3f97855..fcc22d6 100644
---- a/src/openvpn/Makefile.am
-+++ b/src/openvpn/Makefile.am
-@@ -81,6 +81,7 @@ openvpn_SOURCES = \
- 	multi.c multi.h \
- 	ntlm.c ntlm.h \
- 	occ.c occ.h occ-inline.h \
-+	openssl_compat.h \
- 	pkcs11.c pkcs11.h pkcs11_backend.h \
- 	pkcs11_openssl.c \
- 	pkcs11_mbedtls.c \
-From 07372a0fdeb3638204d197d0614f776a0eb73ab9 Mon Sep 17 00:00:00 2001
-From: Steffan Karger <steffan.karger at fox-it.com>
-Date: Thu, 23 Feb 2017 11:35:38 +0100
-Subject: [PATCH 09/20] OpenSSL: 1.1 fallout - fix configure on old autoconf
-
-Older versions of autoconf generate an empty "else fi" block for empty
-fields in an AC_CHECK_FUNCS() macro.  This breaks on e.g. RHEL6.
-
-Signed-off-by: Steffan Karger <steffan.karger at fox-it.com>
-Acked-by: Gert Doering <gert at greenie.muc.de>
-Message-Id: <1487846138-22231-1-git-send-email-steffan.karger at fox-it.com>
-URL: http://www.mail-archive.com/search?l=mid&q=1487846138-22231-1-git-send-email-steffan.karger@fox-it.com
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- configure.ac | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 789ad08..0c55d78 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -905,9 +905,7 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
- 			X509_STORE_get0_objects \
- 			X509_OBJECT_free \
- 			X509_OBJECT_get_type \
--		],
--		,
--		[]
-+		]
- 	)
- 
- 	CFLAGS="${saved_CFLAGS}"
-From 09776c5b52df13121504e07894a26d5cd1883317 Mon Sep 17 00:00:00 2001
-From: Emmanuel Deloget <logout at free.fr>
-Date: Thu, 23 Feb 2017 15:35:56 +0100
-Subject: [PATCH 10/20] OpenSSL: don't use direct access to the internal of
- RSA_METHOD
-
-OpenSSL 1.1 does not allow us to directly access the internal of
-any data type, including RSA_METHOD. We have to use the defined
-functions to do so.
-
-Compatibility with OpenSSL 1.0 is kept by defining the corresponding
-functions when they are not found in the library.
-
-Signed-off-by: Emmanuel Deloget <logout at free.fr>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <79d89580db6fd92c059dabc4f5f4d83b72bb9d3d.1487859361.git.logout at free.fr>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14175.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- configure.ac                 |   9 ++
- src/openvpn/openssl_compat.h | 190 +++++++++++++++++++++++++++++++++++++++++++
- src/openvpn/ssl_openssl.c    |  22 ++---
- 3 files changed, 210 insertions(+), 11 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 0c55d78..2406ad8 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -905,6 +905,15 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
- 			X509_STORE_get0_objects \
- 			X509_OBJECT_free \
- 			X509_OBJECT_get_type \
-+			RSA_meth_new \
-+			RSA_meth_free \
-+			RSA_meth_set_pub_enc \
-+			RSA_meth_set_pub_dec \
-+			RSA_meth_set_priv_enc \
-+			RSA_meth_set_priv_dec \
-+			RSA_meth_set_init \
-+			RSA_meth_set_finish \
-+			RSA_meth_set0_app_data \
- 		]
- 	)
- 
-diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
-index 458a6ad..e98e8df 100644
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -41,6 +41,8 @@
- #include "config-msvc.h"
- #endif
- 
-+#include "buffer.h"
-+
- #include <openssl/ssl.h>
- #include <openssl/x509.h>
- 
-@@ -117,4 +119,192 @@ X509_OBJECT_get_type(const X509_OBJECT *obj)
- }
- #endif
- 
-+#if !defined(HAVE_RSA_METH_NEW)
-+/**
-+ * Allocate a new RSA method object
-+ *
-+ * @param name               The object name
-+ * @param flags              Configuration flags
-+ * @return                   A new RSA method object
-+ */
-+static inline RSA_METHOD *
-+RSA_meth_new(const char *name, int flags)
-+{
-+    RSA_METHOD *rsa_meth = NULL;
-+    ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD);
-+    rsa_meth->name = string_alloc(name, NULL);
-+    rsa_meth->flags = flags;
-+    return rsa_meth;
-+}
-+#endif
-+
-+#if !defined(HAVE_RSA_METH_FREE)
-+/**
-+ * Free an existing RSA_METHOD object
-+ *
-+ * @param meth               The RSA_METHOD object
-+ */
-+static inline void
-+RSA_meth_free(RSA_METHOD *meth)
-+{
-+    if (meth)
-+    {
-+        free(meth->name);
-+        free(meth);
-+    }
-+}
-+#endif
-+
-+#if !defined(HAVE_RSA_METH_SET_PUB_ENC)
-+/**
-+ * Set the public encoding function of an RSA_METHOD object
-+ *
-+ * @param meth               The RSA_METHOD object
-+ * @param pub_enc            the public encoding function
-+ * @return                   1 on success, 0 on error
-+ */
-+static inline int
-+RSA_meth_set_pub_enc(RSA_METHOD *meth,
-+                     int (*pub_enc) (int flen, const unsigned char *from,
-+                                     unsigned char *to, RSA *rsa,
-+                                     int padding))
-+{
-+    if (meth)
-+    {
-+        meth->rsa_pub_enc = pub_enc;
-+        return 1;
-+    }
-+    return 0;
-+}
-+#endif
-+
-+#if !defined(HAVE_RSA_METH_SET_PUB_DEC)
-+/**
-+ * Set the public decoding function of an RSA_METHOD object
-+ *
-+ * @param meth               The RSA_METHOD object
-+ * @param pub_dec            the public decoding function
-+ * @return                   1 on success, 0 on error
-+ */
-+static inline int
-+RSA_meth_set_pub_dec(RSA_METHOD *meth,
-+                     int (*pub_dec) (int flen, const unsigned char *from,
-+                                     unsigned char *to, RSA *rsa,
-+                                     int padding))
-+{
-+    if (meth)
-+    {
-+        meth->rsa_pub_dec = pub_dec;
-+        return 1;
-+    }
-+    return 0;
-+}
-+#endif
-+
-+#if !defined(HAVE_RSA_METH_SET_PRIV_ENC)
-+/**
-+ * Set the private encoding function of an RSA_METHOD object
-+ *
-+ * @param meth               The RSA_METHOD object
-+ * @param priv_enc           the private encoding function
-+ * @return                   1 on success, 0 on error
-+ */
-+static inline int
-+RSA_meth_set_priv_enc(RSA_METHOD *meth,
-+                      int (*priv_enc) (int flen, const unsigned char *from,
-+                                       unsigned char *to, RSA *rsa,
-+                                       int padding))
-+{
-+    if (meth)
-+    {
-+        meth->rsa_priv_enc = priv_enc;
-+        return 1;
-+    }
-+    return 0;
-+}
-+#endif
-+
-+#if !defined(HAVE_RSA_METH_SET_PRIV_DEC)
-+/**
-+ * Set the private decoding function of an RSA_METHOD object
-+ *
-+ * @param meth               The RSA_METHOD object
-+ * @param priv_dec           the private decoding function
-+ * @return                   1 on success, 0 on error
-+ */
-+static inline int
-+RSA_meth_set_priv_dec(RSA_METHOD *meth,
-+                      int (*priv_dec) (int flen, const unsigned char *from,
-+                                       unsigned char *to, RSA *rsa,
-+                                       int padding))
-+{
-+    if (meth)
-+    {
-+        meth->rsa_priv_dec = priv_dec;
-+        return 1;
-+    }
-+    return 0;
-+}
-+#endif
-+
-+#if !defined(HAVE_RSA_METH_SET_INIT)
-+/**
-+ * Set the init function of an RSA_METHOD object
-+ *
-+ * @param meth               The RSA_METHOD object
-+ * @param init               the init function
-+ * @return                   1 on success, 0 on error
-+ */
-+static inline int
-+RSA_meth_set_init(RSA_METHOD *meth, int (*init) (RSA *rsa))
-+{
-+    if (meth)
-+    {
-+        meth->init = init;
-+        return 1;
-+    }
-+    return 0;
-+}
-+#endif
-+
-+#if !defined(HAVE_RSA_METH_SET_FINISH)
-+/**
-+ * Set the finish function of an RSA_METHOD object
-+ *
-+ * @param meth               The RSA_METHOD object
-+ * @param finish             the finish function
-+ * @return                   1 on success, 0 on error
-+ */
-+static inline int
-+RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
-+{
-+    if (meth)
-+    {
-+        meth->finish = finish;
-+        return 1;
-+    }
-+    return 0;
-+}
-+#endif
-+
-+#if !defined(HAVE_RSA_METH_SET0_APP_DATA)
-+/**
-+ * Set the application data of an RSA_METHOD object
-+ *
-+ * @param meth               The RSA_METHOD object
-+ * @param app_data           Application data
-+ * @return                   1 on success, 0 on error
-+ */
-+static inline int
-+RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
-+{
-+    if (meth)
-+    {
-+        meth->app_data = app_data;
-+        return 1;
-+    }
-+    return 0;
-+}
-+#endif
-+
- #endif /* OPENSSL_COMPAT_H_ */
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index bf0f643..f011e06 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -978,7 +978,7 @@ rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
- static int
- rsa_finish(RSA *rsa)
- {
--    free((void *)rsa->meth);
-+    RSA_meth_free(rsa->meth);
-     rsa->meth = NULL;
-     return 1;
- }
-@@ -1053,16 +1053,16 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
-     ASSERT(NULL != cert);
- 
-     /* allocate custom RSA method object */
--    ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD);
--    rsa_meth->name = "OpenVPN external private key RSA Method";
--    rsa_meth->rsa_pub_enc = rsa_pub_enc;
--    rsa_meth->rsa_pub_dec = rsa_pub_dec;
--    rsa_meth->rsa_priv_enc = rsa_priv_enc;
--    rsa_meth->rsa_priv_dec = rsa_priv_dec;
--    rsa_meth->init = NULL;
--    rsa_meth->finish = rsa_finish;
--    rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK;
--    rsa_meth->app_data = NULL;
-+    rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method",
-+                            RSA_METHOD_FLAG_NO_CHECK);
-+    check_malloc_return(rsa_meth);
-+    RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc);
-+    RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec);
-+    RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc);
-+    RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec);
-+    RSA_meth_set_init(rsa_meth, NULL);
-+    RSA_meth_set_finish(rsa_meth, rsa_finish);
-+    RSA_meth_set0_app_data(rsa_meth, NULL);
- 
-     /* allocate RSA object */
-     rsa = RSA_new();
 From 166ab46e4ff9e44f31ce9713995516538da105ec Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget <logout at free.fr>
 Date: Fri, 17 Feb 2017 14:39:07 +0100
-Subject: [PATCH 11/20] OpenSSL: don't use direct access to the internal of
+Subject: [PATCH 1/8] OpenSSL: don't use direct access to the internal of
  X509
 
 OpenSSL 1.1 does not allow us to directly access the internal of
@@ -1204,7 +139,7 @@
 From 8addd59567a60fc2cf0d2e69f75af1653a6c17bb Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget <logout at free.fr>
 Date: Fri, 17 Feb 2017 14:53:52 +0100
-Subject: [PATCH 12/20] OpenSSL: don't use direct access to the internal of
+Subject: [PATCH 2/8] OpenSSL: don't use direct access to the internal of
  EVP_PKEY
 
 OpenSSL 1.1 does not allow us to directly access the internal of
@@ -1321,7 +256,7 @@
 From 8424472e58e7648712c8cdd12f6ca0f3d0a0b6fc Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget <logout at free.fr>
 Date: Fri, 17 Feb 2017 14:17:59 +0100
-Subject: [PATCH 13/20] OpenSSL: don't use direct access to the internal of RSA
+Subject: [PATCH 3/8] OpenSSL: don't use direct access to the internal of RSA
 
 OpenSSL 1.1 does not allow us to directly access the internal of
 any data type, including RSA. We have to use the defined
@@ -1500,7 +435,7 @@
 From 1b0088d4410d10810aea432bab2a80bca30a5f7e Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget <logout at free.fr>
 Date: Fri, 17 Feb 2017 15:23:50 +0100
-Subject: [PATCH 14/20] OpenSSL: don't use direct access to the internal of DSA
+Subject: [PATCH 4/8] OpenSSL: don't use direct access to the internal of DSA
 
 OpenSSL 1.1 does not allow us to directly access the internal of
 any data type, including DSA. We have to use the defined
@@ -1596,7 +531,7 @@
 From 15c77738757aaa15b3c9a2b5fce7bc4eb47702be Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget <logout at free.fr>
 Date: Fri, 17 Feb 2017 19:21:17 +0100
-Subject: [PATCH 15/20] OpenSSL: don't use direct access to the internal of
+Subject: [PATCH 5/8] OpenSSL: don't use direct access to the internal of
  EVP_MD_CTX
 
 OpenSSL 1.1 does not allow us to directly access the internal of
@@ -1986,7 +921,7 @@
 From bc7b51e81b3208df7ddc9b14df65a1161283f0af Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget <logout at free.fr>
 Date: Fri, 17 Feb 2017 19:38:39 +0100
-Subject: [PATCH 16/20] OpenSSL: don't use direct access to the internal of
+Subject: [PATCH 6/8] OpenSSL: don't use direct access to the internal of
  EVP_CIPHER_CTX
 
 OpenSSL 1.1 does not allow us to directly access the internal of
@@ -2166,7 +1101,7 @@
 From 6ca8f34a56353eb16f9e1aa24be153fa0a28dffc Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget <logout at free.fr>
 Date: Fri, 17 Feb 2017 19:48:32 +0100
-Subject: [PATCH 17/20] OpenSSL: don't use direct access to the internal of
+Subject: [PATCH 7/8] OpenSSL: don't use direct access to the internal of
  HMAC_CTX
 
 OpenSSL 1.1 does not allow us to directly access the internal of
@@ -2498,57 +1433,10 @@
      secure_memzero(A1, sizeof(A1));
  
      dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, &gc));
-From c828ffc648eebda20e2f9087248944fa0f52a582 Mon Sep 17 00:00:00 2001
-From: Emmanuel Deloget <logout at free.fr>
-Date: Fri, 17 Feb 2017 23:00:52 +0100
-Subject: [PATCH 18/20] OpenSSL: SSLeay symbols are no longer available in
- OpenSSL 1.1
-
-The old symbols do not exist anymore but the library gained new
-equivalent symbols (OSSL). Use them instead of the old ones
-
-Signed-off-by: Emmanuel Deloget <logout at free.fr>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <9ce17efda7b1ed100e73554b1916c0bfa687d9d1.1487368114.git.logout at free.fr>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14089.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- src/openvpn/openssl_compat.h | 5 +++++
- src/openvpn/ssl_openssl.c    | 2 +-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
-index e98e8df..92f014d 100644
---- a/src/openvpn/openssl_compat.h
-+++ b/src/openvpn/openssl_compat.h
-@@ -307,4 +307,9 @@ RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
- }
- #endif
- 
-+/* SSLeay symbols have been renamed in OpenSSL 1.1 */
-+#if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
-+#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
-+#endif
-+
- #endif /* OPENSSL_COMPAT_H_ */
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index f011e06..d7cc2ba 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -995,7 +995,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
- 
-     if (padding != RSA_PKCS1_PADDING)
-     {
--        RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
-+        RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
-         goto done;
-     }
- 
 From 3da5a0180f9178ba783f675acb7277075b916ebe Mon Sep 17 00:00:00 2001
 From: Emmanuel Deloget <logout at free.fr>
 Date: Fri, 17 Feb 2017 15:27:35 +0100
-Subject: [PATCH 19/20] OpenSSL: constify getbio() parameters
+Subject: [PATCH 8/8] OpenSSL: constify getbio() parameters
 
 Although it is required by BIO_new() to have a non-const object,
 this is merely an OpenSSL interface accident. Newer versions of
@@ -2582,51 +1470,3 @@
      if (!ret)
      {
          crypto_msg(M_FATAL, "Error creating %s BIO", desc);
-From 8d00afae88b626c9cf14170a943b33a7ed378070 Mon Sep 17 00:00:00 2001
-From: Emmanuel Deloget <logout at free.fr>
-Date: Mon, 20 Feb 2017 15:32:34 +0100
-Subject: [PATCH 20/20] OpenSSL: use EVP_CipherInit_ex() instead of
- EVP_CipherInit()
-
-The behavior of EVP_CipherInit() changed in OpenSSL 1.1 -- instead
-of clearing the context when the cipher parameter was !NULL, it now
-clears the context unconditionnaly. As a result, subsequent calls
-to the function with additional information now fails.
-
-The bulk work is done by EVP_CipherInit_ex() which has been part of the
-OpenSSL interface since the dawn of time (0.9.8 already has it). Thus,
-the change allows us to get the old behavior back instead of relying
-on dirty tricks.
-
-Signed-off-by: Emmanuel Deloget <logout at free.fr>
-Acked-by: Steffan Karger <steffan.karger at fox-it.com>
-Message-Id: <2faff7647151d7fe362c1c5db9f97e520444d09b.1487600539.git.logout at free.fr>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14120.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
-Signed-off-by: Christian Hesse <mail at eworm.de>
----
- src/openvpn/crypto_openssl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index a66ee71..5549d70 100644
---- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -671,7 +671,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len,
-         crypto_msg(M_FATAL, "EVP set key size");
-     }
- #endif
--    if (!EVP_CipherInit(ctx, NULL, key, NULL, enc))
-+    if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc))
-     {
-         crypto_msg(M_FATAL, "EVP cipher init #2");
-     }
-@@ -724,7 +724,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
- int
- cipher_ctx_reset(EVP_CIPHER_CTX *ctx, uint8_t *iv_buf)
- {
--    return EVP_CipherInit(ctx, NULL, NULL, iv_buf, -1);
-+    return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1);
- }
- 
- int

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-03-22 16:06:42 UTC (rev 291211)
+++ PKGBUILD	2017-03-22 19:22:10 UTC (rev 291212)
@@ -2,8 +2,8 @@
 # Maintainer: Christian Hesse <mail at eworm.de>
 
 pkgname=openvpn
-pkgver=2.4.0
-pkgrel=3
+pkgver=2.4.1
+pkgrel=1
 pkgdesc='An easy-to-use, robust and highly configurable VPN (Virtual Private Network)'
 arch=('i686' 'x86_64')
 url='http://openvpn.net/index.php/open-source.html'
@@ -12,32 +12,17 @@
 makedepends=('systemd')
 license=('custom')
 install=openvpn.install
-validpgpkeys=('03300E11FED16F59715F9996C29D97ED198D22A3'  # Samuli Seppänen <samuli.seppanen at gmail.com>
+validpgpkeys=('6D04F8F1B0173111F499795E29584D9F40864578'  # Samuli Seppänen <samuli at openvpn.net>
               '7ACD56B74144925C6214329757DB9DAB613B8DA1') # David Sommerseth (OpenVPN Technologies, Inc) <davids at openvpn.net>
 source=("https://swupdate.openvpn.net/community/releases/openvpn-${pkgver}.tar.xz"{,.asc}
-        '0001-Clean-up-plugin-path-handling.patch'
-        '0002-do-not-race-on-RuntimeDirectory.patch'
-        '0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch'
         '0004-openssl-1-1-0.patch')
-sha256sums=('6f23ba49a1dbeb658f49c7ae17d9ea979de6d92c7357de3d55cd4525e1b2f87e'
+sha256sums=('fde9e22c6df7a335d2d58c6a4d5967be76df173c766a5c51ece57fd044c76ee5'
             'SKIP'
-            '162a21f78fc83071643341fb4198092d7d81b8196573d53ce43548424d757be2'
-            '58ee9d2f4d8a74c3dec037265b84963171f76f9fb6689a529728cdc76fac30dd'
-            'ae8fd591c05c04ad4b500494c55df242f3a2309f2af579b45820ce9959f1df06'
-            'f3f5ef72ebb000aaa0cdd0bd1138a3ac4b670430255e92bd7f9e0db76bdf161f')
+            'd801b1118d64c0667eae87ab1da920179f339614da22c5c8bed75d17650fad03')
 
 prepare() {
   cd "${srcdir}"/${pkgname}-${pkgver}
 
-  # Clean up plugin path handling
-  patch -Np1 < "${srcdir}"/0001-Clean-up-plugin-path-handling.patch
-
-  # do not race on RuntimeDirectory
-  patch -Np1 < "${srcdir}"/0002-do-not-race-on-RuntimeDirectory.patch
-
-  # systemd: Move the READY=1 signalling to an earlier point
-  patch -Np1 < "${srcdir}"/0003-systemd-Move-the-READY-1-signalling-to-an-earlier-po.patch
-
   # allow to build against openssl 1.1.0
   patch -Np1 < "${srcdir}"/0004-openssl-1-1-0.patch
 



More information about the arch-commits mailing list