openvpn: allow build with OpenSSL 4.0.0

heitbaum · heitbaum · commit c4354e3327ee · 2026-03-25T10:35:06.000Z
diff --git a/packages/network/openvpn/package.mk b/packages/network/openvpn/package.mk
@@ -17,6 +17,7 @@ PKG_CONFIGURE_OPTS_TARGET="ac_cv_have_decl_TUNSETPERSIST=no \
                            --enable-iproute2 IPROUTE=/sbin/ip \
                            --enable-management \
                            --enable-fragment \
+                           --without-openssl-engine \
                            --disable-port-share \
                            --disable-debug"
 
diff --git a/packages/network/openvpn/patches/openvpn-0001-ssl_verify_openssl-Clean-up-extract_x509_extension.patch b/packages/network/openvpn/patches/openvpn-0001-ssl_verify_openssl-Clean-up-extract_x509_extension.patch
@@ -0,0 +1,83 @@
+From a07f388d3aeb7a23df19fac82789b5d0928de90f Mon Sep 17 00:00:00 2001
+From: Rudi Heitbaum <rudi@heitbaum.com>
+Date: Sun, 22 Mar 2026 04:45:58 +0000
+Subject: [PATCH] ssl_verify_openssl: Clean up extract_x509_extension
+
+* Avoid sign-compare warning when comparing string
+  lengths
+* Use the nicer alias rfc822Name instead of the general ia5
+  from the GENERAL_NAME union.
+* Use the official ASN1_STRING_length API instead of accessing
+  the struct directly.
+* C11 changes
+
+Change-Id: I23cc00aee47aef007ab2e7d50b52c6de299505db
+Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
+Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
+Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1507
+Message-Id: <20260309133236.29732-1-frank@lichtenheld.com>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35980.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/ssl_verify_openssl.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
+index 60d5756a..46401cd3 100644
+--- a/src/openvpn/ssl_verify_openssl.c
++++ b/src/openvpn/ssl_verify_openssl.c
+@@ -122,7 +122,6 @@ static bool
+ extract_x509_extension(X509 *cert, char *fieldname, char *out, size_t size)
+ {
+     bool retval = false;
+-    char *buf = 0;
+ 
+     if (!x509_username_field_ext_supported(fieldname))
+     {
+@@ -134,29 +133,28 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, size_t size)
+     GENERAL_NAMES *extensions = X509_get_ext_d2i(cert, nid, NULL, NULL);
+     if (extensions)
+     {
+-        int numalts;
+-        int i;
+         /* get amount of alternatives,
+          * RFC2459 claims there MUST be at least
+          * one, but we don't depend on it...
+          */
+ 
+-        numalts = sk_GENERAL_NAME_num(extensions);
++        int numalts = sk_GENERAL_NAME_num(extensions);
+ 
+         /* loop through all alternatives */
+-        for (i = 0; i < numalts; i++)
++        for (int i = 0; i < numalts; i++)
+         {
+             /* get a handle to alternative name number i */
+             const GENERAL_NAME *name = sk_GENERAL_NAME_value(extensions, i);
++            char *buf = NULL;
+ 
+             switch (name->type)
+             {
+                 case GEN_EMAIL:
+-                    if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.ia5) < 0)
++                    if (ASN1_STRING_to_UTF8((unsigned char **)&buf, name->d.rfc822Name) < 0)
+                     {
+                         continue;
+                     }
+-                    if (strlen(buf) != name->d.ia5->length)
++                    if ((ssize_t)strlen(buf) != ASN1_STRING_length(name->d.rfc822Name))
+                     {
+                         msg(D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
+                         OPENSSL_free(buf);
+@@ -170,7 +168,7 @@ extract_x509_extension(X509 *cert, char *fieldname, char *out, size_t size)
+                     break;
+ 
+                 default:
+-                    msg(D_TLS_DEBUG, "%s: ignoring general name field type %i", __func__,
++                    msg(D_TLS_DEBUG, "%s: ignoring general name field type %d", __func__,
+                         name->type);
+                     break;
+             }
+-- 
+2.53.0
+
diff --git a/packages/network/openvpn/patches/openvpn-0002-ssl_verify_openssl-use-official-ASN1_STRING_-API.patch b/packages/network/openvpn/patches/openvpn-0002-ssl_verify_openssl-use-official-ASN1_STRING_-API.patch
@@ -0,0 +1,64 @@
+From 17b35e1d635cd70f6d6589031f5f846a369b4748 Mon Sep 17 00:00:00 2001
+From: Rudi Heitbaum <rudi@heitbaum.com>
+Date: Sun, 22 Mar 2026 00:14:23 +0000
+Subject: [PATCH 18/18] ssl_verify_openssl: use official ASN1_STRING_ API
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ASN1_STRING are now opaque types in OpenSSL 4.x — the internal data and
+length fields are no longer directly accessible. Use the accessor API
+instead. Accessors have been available since OpenSSL 1.1.0
+
+The ASN1_STRING_length accessor is already in use, but not consistently
+applied. Standardise on using ASN1_STRING_length and ASN1_STRING_get0_data
+which allows for successful build of OpenSSL 4.x
+
+Signed-off-by: Rudi Heitbaum <rudi@heitbaum.com>
+---
+ src/openvpn/ssl_verify_openssl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
+index 46401cd3..d96879bd 100644
+--- a/src/openvpn/ssl_verify_openssl.c
++++ b/src/openvpn/ssl_verify_openssl.c
+@@ -259,7 +259,7 @@ backend_x509_get_username(char *common_name, size_t cn_len, char *x509_username_
+     {
+         ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
+         struct gc_arena gc = gc_new();
+-        char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc);
++        char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc);
+ 
+         if (!serial || cn_len <= strlen(serial) + 2)
+         {
+@@ -313,7 +313,7 @@ backend_x509_get_serial_hex(openvpn_x509_cert_t *cert, struct gc_arena *gc)
+ {
+     const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);
+ 
+-    return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc);
++    return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc);
+ }
+ 
+ result_t
+@@ -626,7 +626,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
+         {
+             ASN1_BIT_STRING *ns;
+             ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
+-            result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
++            result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
+             if (result == SUCCESS)
+             {
+                 msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose "
+@@ -654,7 +654,7 @@ x509_verify_ns_cert_type(openvpn_x509_cert_t *peer_cert, const int usage)
+         {
+             ASN1_BIT_STRING *ns;
+             ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
+-            result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
++            result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
+             if (result == SUCCESS)
+             {
+                 msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "
+-- 
+2.53.0
+
