[packages/openvpn] 2.5.7 has minimal openssl 3 support, so rely only on that instead of us using more backports patches

arekm arekm at pld-linux.org
Thu Jun 16 11:12:50 CEST 2022


commit 3cfd684f4f1415542846627b3ea244f87ed674dd
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Thu Jun 16 11:12:31 2022 +0200

    2.5.7 has minimal openssl 3 support, so rely only on that instead of us using more backports patches

 ...cdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch |  64 -------
 ...se-EVP_PKEY-based-API-for-loading-DH-keys.patch |  68 --------
 0040-Remove-DES-check-with-OpenSSL-3.0.patch       |  47 -----
 ...on-t-manually-free-DH-params-in-OpenSSL-3.patch |  34 ----
 0045-Do-not-allow-CTS-ciphers.patch                |  33 ----
 ...e-new-EVP_MAC-API-for-HMAC-implementation.patch | 194 ---------------------
 openvpn.spec                                       |  12 --
 7 files changed, 452 deletions(-)
---
diff --git a/openvpn.spec b/openvpn.spec
index 49bd0de..9bdcfea 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -22,12 +22,6 @@ Source6:	%{name}@.service
 Source7:	%{name}-update-resolv-conf
 Patch0:		%{name}-pam.patch
 Patch1:		unsupported-ciphers.patch
-Patch100:	0038-Deprecate-ecdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch
-Patch101:	0039-Use-EVP_PKEY-based-API-for-loading-DH-keys.patch
-Patch102:	0040-Remove-DES-check-with-OpenSSL-3.0.patch
-Patch104:	0044-Don-t-manually-free-DH-params-in-OpenSSL-3.patch
-Patch105:	0045-Do-not-allow-CTS-ciphers.patch
-Patch106:	0046-Use-new-EVP_MAC-API-for-HMAC-implementation.patch
 URL:		https://www.openvpn.net/
 BuildRequires:	autoconf >= 2.59
 BuildRequires:	automake >= 1:1.9
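Review bot: The spec keeps no record of why Patch100–Patch106 were dropped in this hunk, and two of them were more than API ports: 0044 removed an `EVP_PKEY_free(dh)` on an object whose pointer `SSL_CTX_set0_tmp_dh_pkey()` stores in the SSL_CTX, and 0045 excluded CTS ciphers in `cipher_kt_mode_cbc()`. The commit message itself calls the 2.5.7 OpenSSL 3 support "minimal", and neither the Version line nor the 2.5.7 sources are visible here, so it is worth confirming that the release carries equivalents of both before relying on it. A comment next to the remaining Patch lines would document the decision, e.g. `# OpenSSL 3.0 backports 0038-0046 dropped; covered by upstream OpenVPN 2.5.7`. The same applies to the matching `%patch100`–`%patch106` removals in the `%prep` hunk.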
@@ -146,12 +140,6 @@ Ten pakiet zawiera pliki nagłówkowe do tworzenia wtyczek OpenVPN.
 
 %prep
 %setup -q
-%patch100 -p1
-%patch101 -p1
-%patch102 -p1
-%patch104 -p1
-%patch105 -p1
-%patch106 -p1
 %patch0 -p1
 %patch1 -p1
 
diff --git a/0038-Deprecate-ecdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch b/0038-Deprecate-ecdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch
deleted file mode 100644
index b44e25e..0000000
--- a/0038-Deprecate-ecdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 39eb3125e4f433fc61c92321175f663f13f163e7 Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne at rfc2549.org>
-Date: Tue, 19 Oct 2021 20:31:12 +0200
-Subject: [PATCH 38/47] Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed
- TLS message
-
-OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of
-SSL_CTX_set1_groups(3). We already support the SSL_CTX_set1_groups
-using the --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to
-say that --ecdh-curve is ingored and --tls-groups should be used.
-
-Signed-off-by: Arne Schwabe <arne at rfc2549.org>
-Acked-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
-Message-Id: <20211019183127.614175-7-arne at rfc2549.org>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22999.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
----
- src/openvpn/ssl_mbedtls.c |  5 +++--
- src/openvpn/ssl_openssl.c | 12 +++++++++---
- 2 files changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
-index cea88f41..e7c45c09 100644
---- a/src/openvpn/ssl_mbedtls.c
-+++ b/src/openvpn/ssl_mbedtls.c
-@@ -440,8 +440,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
- {
-     if (NULL != curve_name)
-     {
--        msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an ECDH "
--            "curve, using default curves.");
-+        msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an "
-+            "ECDH curve with --ecdh-curve, using default curves. Use "
-+            "--tls-groups to specify curves.");
-     }
- }
- 
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index 30fc7aef..f2f29607 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -690,10 +690,16 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
- }
- 
- void
--tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
--                         )
-+tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
- {
--#ifndef OPENSSL_NO_EC
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+    if (curve_name != NULL)
-+    {
-+        msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an "
-+                    "ECDH curve with --ecdh-curve, using default curves. Use "
-+                    "--tls-groups to specify groups.");
-+    }
-+#elif !defined(OPENSSL_NO_EC)
-     int nid = NID_undef;
-     EC_KEY *ecdh = NULL;
-     const char *sname = NULL;
--- 
-2.33.1
-
diff --git a/0039-Use-EVP_PKEY-based-API-for-loading-DH-keys.patch b/0039-Use-EVP_PKEY-based-API-for-loading-DH-keys.patch
deleted file mode 100644
index 3d2602e..0000000
--- a/0039-Use-EVP_PKEY-based-API-for-loading-DH-keys.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 658c72e6e651437943f46a975751109759abd858 Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne at rfc2549.org>
-Date: Tue, 19 Oct 2021 20:31:11 +0200
-Subject: [PATCH 39/47] Use EVP_PKEY based API for loading DH keys
-
-OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to
-load DH parameters.
-
-Signed-off-by: Arne Schwabe <arne at rfc2549.org>
-Acked-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
-Message-Id: <20211019183127.614175-6-arne at rfc2549.org>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23015.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
----
- src/openvpn/ssl_openssl.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
-
-diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
-index f2f29607..2414fc5e 100644
---- a/src/openvpn/ssl_openssl.c
-+++ b/src/openvpn/ssl_openssl.c
-@@ -649,7 +649,6 @@ void
- tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
-                        bool dh_file_inline)
- {
--    DH *dh;
-     BIO *bio;
- 
-     ASSERT(NULL != ctx);
-@@ -670,7 +669,26 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
-         }
-     }
- 
--    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-+    EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL);
-+    BIO_free(bio);
-+
-+    if (!dh)
-+    {
-+        crypto_msg(M_FATAL, "Cannot load DH parameters from %s",
-+                   print_key_filename(dh_file, dh_file_inline));
-+    }
-+    if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh))
-+    {
-+        crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh");
-+    }
-+
-+    msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
-+        8 * EVP_PKEY_get_size(dh));
-+
-+    EVP_PKEY_free(dh);
-+#else
-+    DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-     BIO_free(bio);
- 
-     if (!dh)
-@@ -687,6 +705,7 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
-         8 * DH_size(dh));
- 
-     DH_free(dh);
-+#endif
- }
- 
- void
--- 
-2.33.1
-
diff --git a/0040-Remove-DES-check-with-OpenSSL-3.0.patch b/0040-Remove-DES-check-with-OpenSSL-3.0.patch
deleted file mode 100644
index 7232bd1..0000000
--- a/0040-Remove-DES-check-with-OpenSSL-3.0.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From d67658feeab4742b9b6f57806ba8e93c8eec75b8 Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne at rfc2549.org>
-Date: Tue, 19 Oct 2021 20:31:10 +0200
-Subject: [PATCH 40/47] Remove DES check with OpenSSL 3.0
-
-DES is very deprecated and accidently getting on the of the 16 insecure
-keys that OpenSSL checks is extremely unlikely so we no longer use the
-deprecated functions without replacement in OpenSSL 3.0.
-
-Signed-off-by: Arne Schwabe <arne at rfc2549.org>
-Acked-by: Gert Doering <gert at greenie.muc.de>
-Message-Id: <20211019183127.614175-5-arne at rfc2549.org>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23004.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
----
- src/openvpn/crypto_openssl.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index 60fbec12..dda46c2f 100644
---- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -525,6 +525,7 @@ key_des_num_cblocks(const EVP_CIPHER *kt)
- bool
- key_des_check(uint8_t *key, int key_len, int ndc)
- {
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
-     int i;
-     struct buffer b;
- 
-@@ -557,6 +558,13 @@ key_des_check(uint8_t *key, int key_len, int ndc)
- err:
-     ERR_clear_error();
-     return false;
-+#else
-+    /* DES is deprecated and the method to even check the keys is deprecated
-+     * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys
-+     * we just accept them in OpenSSL 3.0 since the risk of randomly getting
-+     * these is pretty low (and "all DES keys are weak" anyway) */
-+    return true;
-+#endif
- }
- 
- void
--- 
-2.33.1
-
diff --git a/0044-Don-t-manually-free-DH-params-in-OpenSSL-3.patch b/0044-Don-t-manually-free-DH-params-in-OpenSSL-3.patch
deleted file mode 100644
index c904806..0000000
--- a/0044-Don-t-manually-free-DH-params-in-OpenSSL-3.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 4daed27f28f6bb3033e659328fe80322a8f4b5e1 Mon Sep 17 00:00:00 2001
-From: Max Fillinger <maximilian.fillinger at foxcrypto.com>
-Date: Mon, 25 Oct 2021 16:53:14 +0200
-Subject: [PATCH 44/47] Don't manually free DH params in OpenSSL 3
-
-When the EVP_PKEY object with the Diffie-Hellman parameters is passed
-to SSL_CTX_set0_tmp_dh_pkey, it does not create a copy but stores the
-pointer in the SSL_CTX. Therefore, we should not free it.
-
-The EVP_PKEY will be freed automatically when we free the SSL_CTX.
-
-Trac: #1436
-
-Signed-off-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
-Acked-by:
-Message-Id: <20211025145314.23009-1-maximilian.fillinger at foxcrypto.com>
-URL: https://www.mail-archive.com/search?l=mid&q=20211025145314.23009-1-maximilian.fillinger@foxcrypto.com
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
----
- src/openvpn/ssl_openssl.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff -urNp -x '*.orig' openvpn-2.5.4.org/src/openvpn/ssl_openssl.c openvpn-2.5.4/src/openvpn/ssl_openssl.c
---- openvpn-2.5.4.org/src/openvpn/ssl_openssl.c	2021-10-29 13:56:56.453449295 +0200
-+++ openvpn-2.5.4/src/openvpn/ssl_openssl.c	2021-10-29 13:56:56.593453411 +0200
-@@ -696,8 +696,6 @@ tls_ctx_load_dh_params(struct tls_root_c
- 
-     msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
-         8 * EVP_PKEY_get_size(dh));
--
--    EVP_PKEY_free(dh);
- #else
-     DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
-     BIO_free(bio);
diff --git a/0045-Do-not-allow-CTS-ciphers.patch b/0045-Do-not-allow-CTS-ciphers.patch
deleted file mode 100644
index 599657b..0000000
--- a/0045-Do-not-allow-CTS-ciphers.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 14e4f3b1583749adf104be362a3e2422e0c9e524 Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne at rfc2549.org>
-Date: Tue, 19 Oct 2021 20:31:21 +0200
-Subject: [PATCH 45/47] Do not allow CTS ciphers
-
-We do not support CTS algorithms (cipher text stealing) algorithms.
-
-Signed-off-by: Arne Schwabe <arne at rfc2549.org>
-Acked-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
-Message-Id: <20211019183127.614175-16-arne at rfc2549.org>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23002.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
----
- src/openvpn/crypto_openssl.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index c8fe0d0f..d4792f46 100644
---- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -708,6 +708,9 @@ cipher_kt_mode_cbc(const cipher_kt_t *cipher)
- {
-     return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
-            /* Exclude AEAD cipher modes, they require a different API */
-+#ifdef EVP_CIPH_FLAG_CTS
-+           && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
-+#endif
-            && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
- }
- 
--- 
-2.33.1
-
diff --git a/0046-Use-new-EVP_MAC-API-for-HMAC-implementation.patch b/0046-Use-new-EVP_MAC-API-for-HMAC-implementation.patch
deleted file mode 100644
index 47b7cf1..0000000
--- a/0046-Use-new-EVP_MAC-API-for-HMAC-implementation.patch
+++ /dev/null
@@ -1,194 +0,0 @@
-From 7865ffdcbc603894f268d892d638b111e8b61c36 Mon Sep 17 00:00:00 2001
-From: Arne Schwabe <arne at rfc2549.org>
-Date: Tue, 19 Oct 2021 20:31:07 +0200
-Subject: [PATCH 46/47] Use new EVP_MAC API for HMAC implementation
-
-The old API is deprecated in OpenSSL 3.0 and the new API does not yet
-exist in OpenSSL 1.1. Emulating the new API would be more complex than
-just having two implementations. So this switches to a new hmac
-implementation for OpenSSL 3.0.
-
-Unfortunately the new API does not have an easy to reset an HMAC,
-so we need to keep the key around to emulate a reset functionality.
-
-Signed-off-by: Arne Schwabe <arne at rfc2549.org>
-Acked-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
-Message-Id: <20211019183127.614175-2-arne at rfc2549.org>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23013.html
-Signed-off-by: Gert Doering <gert at greenie.muc.de>
----
- src/openvpn/crypto_backend.h |  2 +-
- src/openvpn/crypto_mbedtls.c |  2 +-
- src/openvpn/crypto_openssl.c | 96 +++++++++++++++++++++++++++++++++++-
- src/openvpn/crypto_openssl.h |  8 +++
- 4 files changed, 104 insertions(+), 4 deletions(-)
-
-diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
-index c201735d..cc897acf 100644
---- a/src/openvpn/crypto_backend.h
-+++ b/src/openvpn/crypto_backend.h
-@@ -634,7 +634,7 @@ void hmac_ctx_cleanup(hmac_ctx_t *ctx);
-  *
-  * @return              Size of the HMAC, or \0 if ctx is NULL.
-  */
--int hmac_ctx_size(const hmac_ctx_t *ctx);
-+int hmac_ctx_size(hmac_ctx_t *ctx);
- 
- /*
-  * Resets the given HMAC context, preserving the associated key information
-diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
-index ef629136..2f7f00d1 100644
---- a/src/openvpn/crypto_mbedtls.c
-+++ b/src/openvpn/crypto_mbedtls.c
-@@ -915,7 +915,7 @@ hmac_ctx_cleanup(mbedtls_md_context_t *ctx)
- }
- 
- int
--hmac_ctx_size(const mbedtls_md_context_t *ctx)
-+hmac_ctx_size(mbedtls_md_context_t *ctx)
- {
-     if (NULL == ctx)
-     {
-diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
-index d4792f46..6b18551e 100644
---- a/src/openvpn/crypto_openssl.c
-+++ b/src/openvpn/crypto_openssl.c
-@@ -989,7 +989,7 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst)
-  * Generic HMAC functions
-  *
-  */
--
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
- HMAC_CTX *
- hmac_ctx_new(void)
- {
-@@ -1027,7 +1027,7 @@ hmac_ctx_cleanup(HMAC_CTX *ctx)
- }
- 
- int
--hmac_ctx_size(const HMAC_CTX *ctx)
-+hmac_ctx_size(HMAC_CTX *ctx)
- {
-     return HMAC_size(ctx);
- }
-@@ -1054,6 +1054,98 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst)
- 
-     HMAC_Final(ctx, dst, &in_hmac_len);
- }
-+#else
-+hmac_ctx_t *
-+hmac_ctx_new(void)
-+{
-+    hmac_ctx_t *ctx;
-+    ALLOC_OBJ_CLEAR(ctx, hmac_ctx_t);
-+    EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
-+    ctx->ctx = EVP_MAC_CTX_new(hmac);
-+    check_malloc_return(ctx->ctx);
-+    return ctx;
-+}
-+
-+void
-+hmac_ctx_free(hmac_ctx_t *ctx)
-+{
-+    EVP_MAC_CTX_free(ctx->ctx);
-+    secure_memzero(ctx, sizeof(hmac_ctx_t));
-+    free(ctx);
-+}
-+
-+void
-+hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_len,
-+              const EVP_MD *kt)
-+{
-+    ASSERT(NULL != kt && NULL != ctx && ctx->ctx != NULL);
-+    ASSERT(key_len <= EVP_MAX_KEY_LENGTH);
-+
-+    /* We need to make a copy of the key since the OSSL parameters
-+     * only reference it */
-+    memcpy(ctx->key, key, key_len);
-+
-+    /* Lookup/setting of parameters in OpenSSL 3.0 are string based
-+     *
-+     * The OSSL_PARAM_construct_utf8_string needs a non const str but this
-+     * only used for lookup so we cast (as OpenSSL also does internally)
-+     * the constness away here.
-+     */
-+    ctx->params[0] = OSSL_PARAM_construct_utf8_string("digest",
-+                                                      (char *) EVP_MD_get0_name(kt), 0);
-+    ctx->params[1] = OSSL_PARAM_construct_octet_string("key",
-+                                                       ctx->key, key_len);
-+    ctx->params[2] = OSSL_PARAM_construct_end();
-+
-+    if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params))
-+    {
-+        crypto_msg(M_FATAL, "EVP_MAC_init failed");
-+    }
-+
-+    /* make sure we used a big enough key */
-+    ASSERT(EVP_MAC_CTX_get_mac_size(ctx->ctx) <= key_len);
-+}
-+
-+void
-+hmac_ctx_cleanup(hmac_ctx_t *ctx)
-+{
-+    EVP_MAC_init(ctx->ctx, NULL, 0, NULL);
-+}
-+
-+int
-+hmac_ctx_size(hmac_ctx_t *ctx)
-+{
-+    return (int)EVP_MAC_CTX_get_mac_size(ctx->ctx);
-+}
-+
-+void
-+hmac_ctx_reset(hmac_ctx_t *ctx)
-+{
-+    /* The OpenSSL MAC API lacks a reset method and passing NULL as params
-+     * does not reset it either, so use the params array to reinitialise it the
-+     * same way as before */
-+    if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params))
-+    {
-+        crypto_msg(M_FATAL, "EVP_MAC_init failed");
-+    }
-+}
-+
-+void
-+hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
-+{
-+    EVP_MAC_update(ctx->ctx, src, src_len);
-+}
-+
-+void
-+hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
-+{
-+    /* The calling code always gives us a buffer that has the size of our
-+     * algorithm */
-+    size_t in_hmac_len = EVP_MAC_CTX_get_mac_size(ctx->ctx);
-+
-+    EVP_MAC_final(ctx->ctx, dst, &in_hmac_len, in_hmac_len);
-+}
-+#endif
- 
- int
- memcmp_constant_time(const void *a, const void *b, size_t size)
-diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
-index 59a31aac..e540a76b 100644
---- a/src/openvpn/crypto_openssl.h
-+++ b/src/openvpn/crypto_openssl.h
-@@ -51,7 +51,16 @@ typedef EVP_CIPHER_CTX cipher_ctx_t;
- typedef EVP_MD_CTX md_ctx_t;
- 
- /** Generic HMAC %context. */
-+#if OPENSSL_VERSION_NUMBER < 0x30000000L
- typedef HMAC_CTX hmac_ctx_t;
-+#else
-+typedef struct {
-+    OSSL_PARAM params[3];
-+    uint8_t key[EVP_MAX_KEY_LENGTH];
-+    EVP_MAC_CTX *ctx;
-+} hmac_ctx_t;
-+#endif
-+
- 
- #if OPENSSL_VERSION_NUMBER < 0x30000000L
- /* Use a dummy type for the provider */
-
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/openvpn.git/commitdiff/3cfd684f4f1415542846627b3ea244f87ed674dd


