From 76684de82e631c688d9f52b0e3762b32a13b27db Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jow@openwrt.org>
Date: Mon, 28 Dec 2015 15:19:43 +0100
Subject: [PATCH] freeradius2: completely disable runtime OpenSSL version
 checks

Whenever we ship fixed libopenssl binaries in BB, the Freeradius daemon fails
at startup because it detects a mismatch of the build time and runtime OpenSSL
version.

Since our OpenSSL updates for BB are ABI compatible we do not need or even want
this superflous check. Removing it saves us the effort to rebuild Freeradius
after every OpenSSL version bump.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
---
 net/freeradius2/Makefile                      |  2 +-
 ....patch => 010-disable-openssl-check.patch} | 18 ++++++
 ...011-upstram-relax-ssl-version-checks.patch | 62 -------------------
 3 files changed, 19 insertions(+), 63 deletions(-)
 rename net/freeradius2/patches/{010-disbale-openssl-check.patch => 010-disable-openssl-check.patch} (76%)
 delete mode 100644 net/freeradius2/patches/011-upstram-relax-ssl-version-checks.patch

diff --git a/net/freeradius2/Makefile b/net/freeradius2/Makefile
index 89619cc837..3f77189d2b 100644
--- a/net/freeradius2/Makefile
+++ b/net/freeradius2/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=freeradius2
 PKG_VERSION:=2.2.5
-PKG_RELEASE:=2.1
+PKG_RELEASE:=2.2
 
 PKG_SOURCE:=freeradius-server-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=\
diff --git a/net/freeradius2/patches/010-disbale-openssl-check.patch b/net/freeradius2/patches/010-disable-openssl-check.patch
similarity index 76%
rename from net/freeradius2/patches/010-disbale-openssl-check.patch
rename to net/freeradius2/patches/010-disable-openssl-check.patch
index 4bf225276e..d0da5f403e 100644
--- a/net/freeradius2/patches/010-disbale-openssl-check.patch
+++ b/net/freeradius2/patches/010-disable-openssl-check.patch
@@ -36,3 +36,21 @@
    if test "x$OPENSSL_LIBS" = x; then
      LIBS=$old_LIBS
      LDFLAGS="$old_LDFLAGS"
+--- a/src/main/version.c
++++ b/src/main/version.c
+@@ -43,6 +43,7 @@ static long ssl_built = OPENSSL_VERSION_
+  */
+ int ssl_check_version(int allow_vulnerable)
+ {
++#if 0
+ 	long ssl_linked;
+ 
+ 	/*
+@@ -74,6 +75,7 @@ int ssl_check_version(int allow_vulnerab
+ 			return -1;
+ 		}
+ 	}
++#endif
+ 
+ 	return 0;
+ }
diff --git a/net/freeradius2/patches/011-upstram-relax-ssl-version-checks.patch b/net/freeradius2/patches/011-upstram-relax-ssl-version-checks.patch
deleted file mode 100644
index 2b11d2d4e6..0000000000
--- a/net/freeradius2/patches/011-upstram-relax-ssl-version-checks.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 5ae2a70a135062a025d8fabc104eeae3a2c53a7a Mon Sep 17 00:00:00 2001
-From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
-Date: Tue, 17 Jun 2014 10:09:24 +0100
-Subject: [PATCH] Relax libssl checks
-
----
- src/main/version.c |   35 ++++++++++++++++++++++++++++-------
- 1 file changed, 28 insertions(+), 7 deletions(-)
-
---- a/src/main/version.c
-+++ b/src/main/version.c
-@@ -34,7 +34,12 @@ RCSID("$Id: af82d4126a65d94929c22f44da2b
- 
- static long ssl_built = OPENSSL_VERSION_NUMBER;
- 
--/** Check build and linked versions of OpenSSL match
-+/** Check built and linked versions of OpenSSL match
-+ *
-+ * OpenSSL version number consists of:
-+ * MMNNFFPPS: major minor fix patch status
-+ *
-+ * Where status >= 0 && < 10 means beta, and status 10 means release.
-  *
-  * Startup check for whether the linked version of OpenSSL matches the
-  * version the server was built against.
-@@ -54,14 +59,30 @@ int ssl_check_version(int allow_vulnerab
- 
- 	ssl_linked = SSLeay();
- 
--	if (ssl_linked != ssl_built) {
--		radlog(L_ERR, "libssl version mismatch."
--		       "  Built with: %lx\n  Linked: %lx",
--		       (unsigned long) ssl_built,
--		       (unsigned long) ssl_linked);
-+	/*
-+	 *	Status mismatch always triggers error.
-+	 */
-+	if ((ssl_linked & 0x00000000f) != (ssl_built & 0x00000000f)) {
-+	mismatch:
-+		radlog(L_ERR, "libssl version mismatch.  built: %lx linked: %lx",
-+		       (unsigned long) ssl_built, (unsigned long) ssl_linked);
- 
- 		return -1;
--	};
-+	}
-+
-+	/*
-+	 *	Use the OpenSSH approach and relax fix checks after version
-+	 *	1.0.0 and only allow moving backwards within a patch
-+	 *	series.
-+	 */
-+	if (ssl_built & 0xff) {
-+		if ((ssl_built & 0xffff) != (ssl_linked & 0xffff) ||
-+		    (ssl_built & 0x0000ff) > (ssl_linked & 0x0000ff)) goto mismatch;
-+	/*
-+	 *	Before 1.0.0 we require the same major minor and fix version
-+	 *	and ignore the patch number.
-+	 */
-+	} else if ((ssl_built & 0xffffff) != (ssl_linked & 0xffffff)) goto mismatch;
- 
- 	if (!allow_vulnerable) {
- 		/* Check for bad versions */