openvpn: disable wolfssl support

WolfSSL support for OpenVPN is currently broken: https://github.com/wolfSSL/wolfssl/pull/10309 Until a fix is available, disable WolfSSL as variant. Support can be re-enabled when WolfSSL is updated. Signed-off-by: Sander van Deijck <sander@vandeijck.com>
2026-05-31 06:51:51 +08:00 · 2026-05-02 23:31:15 +02:00
parent 3e779d0564
commit 0393b2260c
3 changed files with 1 additions and 59 deletions
@@ -49,7 +49,7 @@ endef

 Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
 Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
-Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL,+PACKAGE_openvpn-wolfssl:libwolfssl)
+Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL,+PACKAGE_openvpn-wolfssl:libwolfssl @BROKEN)

 define Package/openvpn/config/Default
 	source "$(SOURCE)/Config-$(1).in"
@@ -1,46 +0,0 @@
-Subject: [PATCH] Revert "ssl_verify_openssl: use official ASN1_STRING_ API"
-
-This reverts commit 388800782687793ea968b722e22319b8a13fddbd.
-It breaks wolfSSL build on version <= 5.9.0.
---
- src/openvpn/ssl_verify_openssl.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
--- a/src/openvpn/ssl_verify_openssl.c
-+++ b/src/openvpn/ssl_verify_openssl.c
-@@ -257,7 +257,7 @@ backend_x509_get_username(char *common_n
-     {
-         ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);
-         struct gc_arena gc = gc_new();
-        char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc);
-+        char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc);
- 
-         if (!serial || cn_len <= strlen(serial) + 2)
-         {
-@@ -311,7 +311,7 @@ backend_x509_get_serial_hex(openvpn_x509
- {
-     const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);
- 
-    return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc);
-+    return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc);
- }
- 
- result_t
-@@ -624,7 +624,7 @@ x509_verify_ns_cert_type(openvpn_x509_ce
-         {
-             ASN1_BIT_STRING *ns;
-             ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
-            result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
-+            result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE;
-             if (result == SUCCESS)
-             {
-                 msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose "
-@@ -652,7 +652,7 @@ x509_verify_ns_cert_type(openvpn_x509_ce
-         {
-             ASN1_BIT_STRING *ns;
-             ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL);
-            result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
-+            result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE;
-             if (result == SUCCESS)
-             {
-                 msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose "
@@ -1,12 +0,0 @@
--- a/src/openvpn/ssl_verify_openssl.c
-+++ b/src/openvpn/ssl_verify_openssl.c
-@@ -253,6 +253,9 @@ backend_x509_get_username(char *common_n
-             return FAILURE;
-         }
-     }
-+#if defined(ENABLE_CRYPTO_WOLFSSL)
-+ #define LN_serialNumber "serialNumber"
-+#endif
-     else if (strcmp(LN_serialNumber, x509_username_field) == 0)
-     {
-         ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);