diff options
Diffstat (limited to 'net/openvpn')
| -rw-r--r-- | net/openvpn/Config-wolfssl.in | 63 | ||||
| -rw-r--r-- | net/openvpn/Makefile | 9 | ||||
| -rw-r--r-- | net/openvpn/patches/002-add-wolfssl-support.patch | 190 | ||||
| -rw-r--r-- | net/openvpn/patches/210-build_always_use_internal_lz4.patch | 2 | ||||
| -rwxr-xr-x | net/openvpn/test.sh | 3 |
5 files changed, 265 insertions, 2 deletions
diff --git a/net/openvpn/Config-wolfssl.in b/net/openvpn/Config-wolfssl.in new file mode 100644 index 000000000..ef8b9dcb3 --- /dev/null +++ b/net/openvpn/Config-wolfssl.in @@ -0,0 +1,63 @@ +if PACKAGE_openvpn-wolfssl + +config OPENVPN_wolfssl + bool + default y + select WOLFSSL_HAS_OPENVPN + +config OPENVPN_wolfssl_ENABLE_LZO + bool "Enable LZO compression support" + default n + +config OPENVPN_wolfssl_ENABLE_LZ4 + bool "Enable LZ4 compression support" + default y + +config OPENVPN_wolfssl_ENABLE_X509_ALT_USERNAME + bool "Enable the --x509-username-field feature" + default n + +#config OPENVPN_wolfssl_ENABLE_EUREPHIA +# bool "Enable support for the eurephia plug-in" +# default n + +config OPENVPN_wolfssl_ENABLE_MANAGEMENT + bool "Enable management server support" + default n + +#config OPENVPN_wolfssl_ENABLE_PKCS11 +# bool "Enable pkcs11 support" +# default n + +config OPENVPN_wolfssl_ENABLE_FRAGMENT + bool "Enable internal fragmentation support (--fragment)" + default y + +config OPENVPN_wolfssl_ENABLE_MULTIHOME + bool "Enable multi-homed UDP server support (--multihome)" + default y + +config OPENVPN_wolfssl_ENABLE_PORT_SHARE + bool "Enable TCP server port-share support (--port-share)" + default y + +config OPENVPN_wolfssl_ENABLE_DEF_AUTH + bool "Enable deferred authentication" + default y + +config OPENVPN_wolfssl_ENABLE_PF + bool "Enable internal packet filter" + default y + +config OPENVPN_wolfssl_ENABLE_IPROUTE2 + bool "Enable support for iproute2" + default n + +config OPENVPN_wolfssl_ENABLE_SMALL + bool "Enable size optimization" + default y + help + enable smaller executable size (disable OCC, usage + message, and verb 4 parm list) + +endif diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile index d46b7bb73..9aeb43a84 100644 --- a/net/openvpn/Makefile +++ b/net/openvpn/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=openvpn PKG_VERSION:=2.5.2 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE_URL:=\ https://build.openvpn.net/downloads/releases/ \ @@ -42,6 +42,7 @@ endef Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl) Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls) +Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL \(experimental\),+PACKAGE_openvpn-wolfssl:libwolfssl) define Package/openvpn/config/Default source "$(SOURCE)/Config-$(1).in" @@ -49,6 +50,7 @@ endef Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl) Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls) +Package/openvpn-wolfssl/config=$(call Package/openvpn/config/Default,wolfssl) ifeq ($(BUILD_VARIANT),mbedtls) CONFIG_OPENVPN_MBEDTLS:=y @@ -56,6 +58,9 @@ endif ifeq ($(BUILD_VARIANT),openssl) CONFIG_OPENVPN_OPENSSL:=y endif +ifeq ($(BUILD_VARIANT),wolfssl) +CONFIG_OPENVPN_WOLFSSL:=y +endif CONFIGURE_VARS += \ IPROUTE=/sbin/ip \ @@ -84,6 +89,7 @@ define Build/Configure $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \ $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \ $(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \ + $(if $(CONFIG_OPENVPN_WOLFSSL),--with-crypto-library=wolfssl) \ ) endef @@ -142,3 +148,4 @@ endef $(eval $(call BuildPackage,openvpn-openssl)) $(eval $(call BuildPackage,openvpn-mbedtls)) +$(eval $(call BuildPackage,openvpn-wolfssl)) diff --git a/net/openvpn/patches/002-add-wolfssl-support.patch b/net/openvpn/patches/002-add-wolfssl-support.patch new file mode 100644 index 000000000..98bc65815 --- /dev/null +++ b/net/openvpn/patches/002-add-wolfssl-support.patch @@ -0,0 +1,190 @@ +From: Gert Doering <gert@greenie.muc.de> + +Support for wolfSSL in OpenVPN + +This patch adds support for wolfSSL in OpenVPN. Support is added by using +wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged +and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is +linked against the wolfSSL library. The wolfSSL installation directory is +detected using pkg-config. + +As requested by OpenVPN maintainers, this patch does not include +wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN +in the configure script wolfSSL will include wolfssl/options.h on its own +(change added in wolfSSL/wolfssl#2825). The patch +adds an option '--disable-wolfssl-options-h' in case the user would like +to supply their own settings file for wolfSSL. + +wolfSSL: +Support added in: wolfSSL/wolfssl#2503 + +git clone https://github.com/wolfSSL/wolfssl.git +cd wolfssl +./autogen.sh +./configure --enable-openvpn +make +sudo make install + +OpenVPN: + +autoreconf -i -v -f +./configure --with-crypto-library=wolfssl +make +make check +sudo make install + +Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com> +Acked-by: Arne Schwabe <arne@rfc2549.org> +Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com> +URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html +Signed-off-by: Gert Doering <gert@greenie.muc.de> +--- + configure.ac | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- + src/openvpn/syshead.h | 3 ++- + 2 files changed, 110 insertions(+), 3 deletions(-) +--- a/configure.ac ++++ b/configure.ac +@@ -271,16 +271,23 @@ AC_ARG_WITH( + + AC_ARG_WITH( + [crypto-library], +- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], ++ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], + [ + case "${withval}" in +- openssl|mbedtls) ;; ++ openssl|mbedtls|wolfssl) ;; + *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; + esac + ], + [with_crypto_library="openssl"] + ) + ++AC_ARG_ENABLE( ++ [wolfssl-options-h], ++ [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])], ++ , ++ [enable_wolfssl_options_h="yes"] ++) ++ + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) + if test -n "${PLUGINDIR}"; then + plugindir="${PLUGINDIR}" +@@ -1026,6 +1033,105 @@ elif test "${with_crypto_library}" = "mb + AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) + CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" + CRYPTO_LIBS="${MBEDTLS_LIBS}" ++ ++elif test "${with_crypto_library}" = "wolfssl"; then ++ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should ++ contain the regular wolfSSL header files but also the ++ wolfSSL OpenSSL header files. Ex: -I/usr/local/include ++ -I/usr/local/include/wolfssl]) ++ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) ++ ++ saved_CFLAGS="${CFLAGS}" ++ saved_LIBS="${LIBS}" ++ ++ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then ++ # if the user did not explicitly specify flags, try to autodetect ++ PKG_CHECK_MODULES( ++ [WOLFSSL], ++ [wolfssl], ++ [], ++ [AC_MSG_ERROR([Could not find wolfSSL.])] ++ ) ++ PKG_CHECK_VAR( ++ [WOLFSSL_INCLUDEDIR], ++ [wolfssl], ++ [includedir], ++ [], ++ [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])] ++ ) ++ WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl" ++ fi ++ saved_CFLAGS="${CFLAGS}" ++ saved_LIBS="${LIBS}" ++ CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}" ++ LIBS="${LIBS} ${WOLFSSL_LIBS}" ++ ++ AC_CHECK_LIB( ++ [wolfssl], ++ [wolfSSL_Init], ++ [], ++ [AC_MSG_ERROR([Could not link wolfSSL library.])] ++ ) ++ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) ++ ++ # wolfSSL signal EKM support ++ have_export_keying_material="yes" ++ ++ AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) ++ ++ if test "${enable_wolfssl_options_h}" = "yes"; then ++ AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library]) ++ else ++ AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library]) ++ fi ++ ++ have_export_keying_material="yes" ++ ++ CFLAGS="${saved_CFLAGS}" ++ LIBS="${saved_LIBS}" ++ ++ AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library]) ++ AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer]) ++ CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}" ++ CRYPTO_LIBS="${WOLFSSL_LIBS}" + else + AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}]) + fi +--- a/src/openvpn/syshead.h ++++ b/src/openvpn/syshead.h +@@ -582,7 +582,8 @@ socket_defined(const socket_descriptor_t + /* + * Do we have CryptoAPI capability? + */ +-#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) ++#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \ ++ !defined(ENABLE_CRYPTO_WOLFSSL) + #define ENABLE_CRYPTOAPI + #endif + diff --git a/net/openvpn/patches/210-build_always_use_internal_lz4.patch b/net/openvpn/patches/210-build_always_use_internal_lz4.patch index a99f92364..267f62049 100644 --- a/net/openvpn/patches/210-build_always_use_internal_lz4.patch +++ b/net/openvpn/patches/210-build_always_use_internal_lz4.patch @@ -1,6 +1,6 @@ --- a/configure.ac +++ b/configure.ac -@@ -1077,68 +1077,15 @@ dnl +@@ -1183,68 +1183,15 @@ dnl AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4]) AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4]) if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then diff --git a/net/openvpn/test.sh b/net/openvpn/test.sh index b51ccd6a1..c2b0cc4b0 100755 --- a/net/openvpn/test.sh +++ b/net/openvpn/test.sh @@ -7,4 +7,7 @@ case "$1" in "openvpn-openssl") openvpn --version | grep "$2.*SSL (OpenSSL)" ;; + "openvpn-wolfssl") + openvpn --version | grep "$2.*SSL (OpenSSL)" + ;; esac |