openvpn: fix missing cipher list for polarssl in v2.3.11

Upstream OpenSSL hardening work introduced a change in shared code that causes polarssl / mbedtls builds to break when no --tls-cipher is specified. Import the upstream fix commit as patch until the next OpenVPN release gets released and packaged. Reported-by: Sebastian Koch <seb@metafly.info> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2016-06-28 10:47:22 +0200
committer: Jo-Philipp Wich <jo@mein.io> 2016-06-28 10:47:22 +0200
commit: f98f4601de762251c4644047786affd34d5fb10c (patch)
tree: 9399190f2f51929cc3e8114955365437ef3cd6c1 /package/network/services
parent: 4a3b8e05966e9883227eb0b6780c1bd9fe008d95 (diff)
download: master-31e0f0ae-f98f4601de762251c4644047786affd34d5fb10c.tar.gz
master-31e0f0ae-f98f4601de762251c4644047786affd34d5fb10c.tar.bz2
master-31e0f0ae-f98f4601de762251c4644047786affd34d5fb10c.zip
2 files changed, 43 insertions, 1 deletions
diff --git a/package/network/services/openvpn/Makefile b/package/network/services/openvpn/Makefile
index 19f78bc508..54a540f4f6 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
 
 PKG_VERSION:=2.3.11
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
diff --git a/package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch b/package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch
new file mode 100644
index 0000000000..0a5c49c791
--- /dev/null
+++ b/package/network/services/openvpn/patches/300-upstream-fix-polarssl-mbedtls-builds.patch
@@ -0,0 +1,42 @@
+From 629baad8f89af261445a2ace03694601f8e476f9 Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan@karger.me>
+Date: Fri, 13 May 2016 08:54:52 +0200
+Subject: [PATCH] Fix polarssl / mbedtls builds
+
+Commit 8a399cd3 hardened the OpenSSL default cipher list,
+but also introduced a change in shared code that causes
+polarssl / mbedtls builds to break when no --tls-cipher is
+specified.
+
+This fix is backported code from the master branch.
+
+Signed-off-by: Steffan Karger <steffan@karger.me>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <1463122492-701-1-git-send-email-steffan@karger.me>
+URL: http://article.gmane.org/gmane.network.openvpn.devel/11647
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/ssl_polarssl.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
+index 1f58369..9263698 100644
+--- a/src/openvpn/ssl_polarssl.c
++++ b/src/openvpn/ssl_polarssl.c
+@@ -176,7 +176,12 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
+ {
+   char *tmp_ciphers, *tmp_ciphers_orig, *token;
+   int i, cipher_count;
+-  int ciphers_len = strlen (ciphers);
++  int ciphers_len;
++
++  if (NULL == ciphers)
++    return; /* Nothing to do */
++
++  ciphers_len = strlen (ciphers);
+ 
+   ASSERT (NULL != ctx);
+   ASSERT (0 != ciphers_len);
+-- 
+2.8.1
+
author	Jo-Philipp Wich <jo@mein.io>	2016-06-28 10:47:22 +0200
committer	Jo-Philipp Wich <jo@mein.io>	2016-06-28 10:47:22 +0200
commit	f98f4601de762251c4644047786affd34d5fb10c (patch)
tree	9399190f2f51929cc3e8114955365437ef3cd6c1 /package/network/services
parent	4a3b8e05966e9883227eb0b6780c1bd9fe008d95 (diff)
download	master-31e0f0ae-f98f4601de762251c4644047786affd34d5fb10c.tar.gz master-31e0f0ae-f98f4601de762251c4644047786affd34d5fb10c.tar.bz2 master-31e0f0ae-f98f4601de762251c4644047786affd34d5fb10c.zip