openvpn: import from base

Signed-off-by: Rosen Penev <rosenp@gmail.com>

net/openvpn/patches/001-reproducible-remove_DATE.patch

@@ -0,0 +1,10 @@
+--- a/src/openvpn/options.c
++++ b/src/openvpn/options.c
+@@ -106,7 +106,6 @@ const char title_string[] =
+ #ifdef HAVE_AEAD_CIPHER_MODES
+     " [AEAD]"
+ #endif
+-    " built on " __DATE__
+ ;
+ 
+ #ifndef ENABLE_SMALL

net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch

@@ -0,0 +1,11 @@
+--- a/src/openvpn/ssl_mbedtls.c
++++ b/src/openvpn/ssl_mbedtls.c
+@@ -1415,7 +1415,7 @@ const char *
+ get_ssl_library_version(void)
+ {
+     static char mbedtls_version[30];
+-    unsigned int pv = mbedtls_version_get_number();
++    unsigned int pv = MBEDTLS_VERSION_NUMBER;
+     sprintf( mbedtls_version, "mbed TLS %d.%d.%d",
+              (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
+     return mbedtls_version;

net/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch

@@ -0,0 +1,58 @@
+From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan@karger.me>
+Date: Sun, 26 Nov 2017 16:04:00 +0100
+Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
+
+Compiling our current master against OpenSSL 1.1 with
+-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder.  This patch fixes
+the errors about the deprecated SSLEAY/SSLeay symbols and defines.
+
+Signed-off-by: Steffan Karger <steffan@karger.me>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20171126150401.28565-1-steffan@karger.me>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ configure.ac                 | 1 +
+ src/openvpn/openssl_compat.h | 8 ++++++++
+ src/openvpn/ssl_openssl.c    | 2 +-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
+ 			EVP_MD_CTX_free \
+ 			EVP_MD_CTX_reset \
+ 			EVP_CIPHER_CTX_reset \
++			OpenSSL_version \
+ 			SSL_CTX_get_default_passwd_cb \
+ 			SSL_CTX_get_default_passwd_cb_userdata \
+ 			SSL_CTX_set_security_level \
+--- a/src/openvpn/openssl_compat.h
++++ b/src/openvpn/openssl_compat.h
+@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
+ #endif
+ 
+ /* SSLeay symbols have been renamed in OpenSSL 1.1 */
++#ifndef OPENSSL_VERSION
++#define OPENSSL_VERSION SSLEAY_VERSION
++#endif
++
++#ifndef HAVE_OPENSSL_VERSION
++#define OpenSSL_version SSLeay_version
++#endif
++
+ #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
+ #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT       RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+ #endif
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
+ const char *
+ get_ssl_library_version(void)
+ {
+-    return SSLeay_version(SSLEAY_VERSION);
++    return OpenSSL_version(OPENSSL_VERSION);
+ }
+ 
+ #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */

net/openvpn/patches/111-openssl-add-missing-include-statements.patch

@@ -0,0 +1,65 @@
+From 1987498271abadf042d8bb3feee1fe0d877a9d55 Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan@karger.me>
+Date: Sun, 26 Nov 2017 16:49:12 +0100
+Subject: [PATCH] openssl: add missing #include statements
+
+Compiling our current master against OpenSSL 1.1 with
+-DOPENSSL_API_COMPAT=0x10100000L screams bloody murder.  This patch fixes
+the errors caused by missing includes.  Previous openssl versions would
+usually include 'the rest of the world', but they're fixing that.  So we
+should no longer rely on it.
+
+(And sneaking in alphabetic ordering of the includes while touching them.)
+
+Signed-off-by: Steffan Karger <steffan@karger.me>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <20171126154912.13283-1-steffan@karger.me>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15936.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/openssl_compat.h     | 1 +
+ src/openvpn/ssl_openssl.c        | 6 +++++-
+ src/openvpn/ssl_verify_openssl.c | 3 ++-
+ 3 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/src/openvpn/openssl_compat.h
++++ b/src/openvpn/openssl_compat.h
+@@ -42,6 +42,7 @@
+ 
+ #include "buffer.h"
+ 
++#include <openssl/rsa.h>
+ #include <openssl/ssl.h>
+ #include <openssl/x509.h>
+ 
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -52,10 +52,14 @@
+ 
+ #include "ssl_verify_openssl.h"
+ 
++#include <openssl/bn.h>
++#include <openssl/crypto.h>
++#include <openssl/dh.h>
++#include <openssl/dsa.h>
+ #include <openssl/err.h>
+ #include <openssl/pkcs12.h>
++#include <openssl/rsa.h>
+ #include <openssl/x509.h>
+-#include <openssl/crypto.h>
+ #ifndef OPENSSL_NO_EC
+ #include <openssl/ec.h>
+ #endif
+--- a/src/openvpn/ssl_verify_openssl.c
++++ b/src/openvpn/ssl_verify_openssl.c
+@@ -44,8 +44,9 @@
+ #include "ssl_verify_backend.h"
+ #include "openssl_compat.h"
+ 
+-#include <openssl/x509v3.h>
++#include <openssl/bn.h>
+ #include <openssl/err.h>
++#include <openssl/x509v3.h>
+ 
+ int
+ verify_callback(int preverify_ok, X509_STORE_CTX *ctx)

net/openvpn/patches/210-build_always_use_internal_lz4.patch

@@ -0,0 +1,74 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -1080,68 +1080,15 @@ dnl
+ AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
+ AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
+ if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
+-    if test -z "${LZ4_CFLAGS}" -a -z "${LZ4_LIBS}"; then
+-	# if the user did not explicitly specify flags, try to autodetect
+-	PKG_CHECK_MODULES([LZ4],
+-			  [liblz4 >= 1.7.1 liblz4 < 100],
+-			  [have_lz4="yes"],
+-			  [LZ4_LIBS="-llz4"] # If this fails, we will do another test next.
+-					     # We also add set LZ4_LIBS otherwise the
+-					     # linker will not know about the lz4 library
+-	)
+-    fi
+ 
+     saved_CFLAGS="${CFLAGS}"
+     saved_LIBS="${LIBS}"
+     CFLAGS="${CFLAGS} ${LZ4_CFLAGS}"
+     LIBS="${LIBS} ${LZ4_LIBS}"
+ 
+-    # If pkgconfig check failed or LZ4_CFLAGS/LZ4_LIBS env vars
+-    # are used, check the version directly in the LZ4 include file
+-    if test "${have_lz4}" != "yes"; then
+-	AC_CHECK_HEADERS([lz4.h],
+-			 [have_lz4h="yes"],
+-			 [])
+-
+-	if test "${have_lz4h}" = "yes" ; then
+-	    AC_MSG_CHECKING([additionally if system LZ4 version >= 1.7.1])
+-	    AC_COMPILE_IFELSE(
+-		[AC_LANG_PROGRAM([[
+-#include <lz4.h>
+-				 ]],
+-				 [[
+-/* Version encoding: MMNNPP (Major miNor Patch) - see lz4.h for details */
+-#if LZ4_VERSION_NUMBER < 10701L
+-#error LZ4 is too old
+-#endif
+-				 ]]
+-				)],
+-		[
+-		    AC_MSG_RESULT([ok])
+-		    have_lz4="yes"
+-		],
+-		[AC_MSG_RESULT([system LZ4 library is too old])]
+-	    )
+-	fi
+-    fi
+-
+-    # Double check we have a few needed functions
+-    if test "${have_lz4}" = "yes" ; then
+-	AC_CHECK_LIB([lz4],
+-		     [LZ4_compress_default],
+-		     [],
+-		     [have_lz4="no"])
+-	AC_CHECK_LIB([lz4],
+-		     [LZ4_decompress_safe],
+-		     [],
+-		     [have_lz4="no"])
+-    fi
+-
+-    if test "${have_lz4}" != "yes" ; then
+-	AC_MSG_RESULT([		usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
+-	AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
+-	LZ4_LIBS=""
+-    fi
++    AC_MSG_RESULT([		usable LZ4 library or header not found, using version in src/compat/compat-lz4.*])
++    AC_DEFINE([NEED_COMPAT_LZ4], [1], [use copy of LZ4 source in compat/])
++    LZ4_LIBS=""
+     OPTIONAL_LZ4_CFLAGS="${LZ4_CFLAGS}"
+     OPTIONAL_LZ4_LIBS="${LZ4_LIBS}"
+     AC_DEFINE(ENABLE_LZ4, [1], [Enable LZ4 compression library])

net/openvpn/patches/220-disable_des.patch

@@ -0,0 +1,81 @@
+--- a/src/openvpn/syshead.h
++++ b/src/openvpn/syshead.h
+@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t
+ /*
+  * Should we include NTLM proxy functionality
+  */
+-#if defined(ENABLE_CRYPTO)
+-#define NTLM 1
+-#else
++//#if defined(ENABLE_CRYPTO)
++//#define NTLM 1
++//#else
+ #define NTLM 0
+-#endif
++//#endif
+ 
+ /*
+  * Should we include proxy digest auth functionality
+--- a/src/openvpn/crypto_mbedtls.c
++++ b/src/openvpn/crypto_mbedtls.c
+@@ -319,6 +319,7 @@ int
+ key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
+ {
+     int ret = 0;
++#ifdef MBEDTLS_DES_C
+     if (kt->type == MBEDTLS_CIPHER_DES_CBC)
+     {
+         ret = 1;
+@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher
+     {
+         ret = 3;
+     }
++#endif
+ 
+     dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
+     return ret;
+@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher
+ bool
+ key_des_check(uint8_t *key, int key_len, int ndc)
+ {
++#ifdef MBEDTLS_DES_C
+     int i;
+     struct buffer b;
+ 
+@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len,
+ 
+ err:
+     return false;
++#else
++    return true;
++#endif
+ }
+ 
+ void
+ key_des_fixup(uint8_t *key, int key_len, int ndc)
+ {
++#ifdef MBEDTLS_DES_C
+     int i;
+     struct buffer b;
+ 
+@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len,
+         }
+         mbedtls_des_key_set_parity(key);
+     }
++#endif
+ }
+ 
+ /*
+@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch
+                        unsigned char *src,
+                        unsigned char *dst)
+ {
++#ifdef MBEDTLS_DES_C
+     mbedtls_des_context ctx;
+ 
+     ASSERT(mbed_ok(mbedtls_des_setkey_enc(&ctx, key)));
+     ASSERT(mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst)));
++#endif
+ }
+ 
+