From 0393b2260c31957b8fa03e8284dccec8f56404f2 Mon Sep 17 00:00:00 2001 From: Sander van Deijck Date: Sat, 2 May 2026 23:31:15 +0200 Subject: [PATCH] openvpn: disable wolfssl support WolfSSL support for OpenVPN is currently broken: https://github.com/wolfSSL/wolfssl/pull/10309 Until a fix is available, disable WolfSSL as variant. Support can be re-enabled when WolfSSL is updated. Signed-off-by: Sander van Deijck --- net/openvpn/Makefile | 2 +- ...y_openssl-use-official-ASN1_STRING_-.patch | 46 ------------------- ...3-define-LN_serialNumber-for-wolfSSL.patch | 12 ----- 3 files changed, 1 insertion(+), 59 deletions(-) delete mode 100644 net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch delete mode 100644 net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile index f73198cd9d..b0254e9f6f 100644 --- a/net/openvpn/Makefile +++ b/net/openvpn/Makefile @@ -49,7 +49,7 @@ endef Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl) Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls) -Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL,+PACKAGE_openvpn-wolfssl:libwolfssl) +Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL,+PACKAGE_openvpn-wolfssl:libwolfssl @BROKEN) define Package/openvpn/config/Default source "$(SOURCE)/Config-$(1).in" diff --git a/net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch b/net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch deleted file mode 100644 index deb23f3f0d..0000000000 --- a/net/openvpn/patches/101-Revert-ssl_verify_openssl-use-official-ASN1_STRING_-.patch +++ /dev/null 
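Review bot: Dropping patch 101 changes `src/openvpn/ssl_verify_openssl.c`, which is presumably compiled for the OpenSSL variant as well, yet the diffstat shows the one-line `Package/openvpn-wolfssl` edit as the only Makefile change, so `PKG_RELEASE` does not appear to be bumped. The affected functions handle peer certificates (`backend_x509_get_username`, `backend_x509_get_serial_hex`, `x509_verify_ns_cert_type`), so a release bump would make sure `openvpn-openssl` users actually receive the rebuilt binary. The `@BROKEN` marker also has no in-file explanation; a line above it such as `# wolfSSL variant disabled until libwolfssl is fixed, see wolfSSL/wolfssl PR 10309` would tell the next maintainer when it can be removed. Re-enabling the variant later also depends on the updated wolfSSL no longer needing the deleted patches 101 and 103, which is worth stating in that comment.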
@@ -1,46 +0,0 @@ -Subject: [PATCH] Revert "ssl_verify_openssl: use official ASN1_STRING_ API" - -This reverts commit 388800782687793ea968b722e22319b8a13fddbd. -It breaks wolfSSL build on version <= 5.9.0. ---- - src/openvpn/ssl_verify_openssl.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - ---- a/src/openvpn/ssl_verify_openssl.c -+++ b/src/openvpn/ssl_verify_openssl.c -@@ -257,7 +257,7 @@ backend_x509_get_username(char *common_n - { - ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert); - struct gc_arena gc = gc_new(); -- char *serial = format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1 | FHE_CAPS, NULL, &gc); -+ char *serial = format_hex_ex(asn1_i->data, asn1_i->length, 0, 1 | FHE_CAPS, NULL, &gc); - - if (!serial || cn_len <= strlen(serial) + 2) - { -@@ -311,7 +311,7 @@ backend_x509_get_serial_hex(openvpn_x509 - { - const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert); - -- return format_hex_ex(ASN1_STRING_get0_data(asn1_i), ASN1_STRING_length(asn1_i), 0, 1, ":", gc); -+ return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc); - } - - result_t -@@ -624,7 +624,7 @@ x509_verify_ns_cert_type(openvpn_x509_ce - { - ASN1_BIT_STRING *ns; - ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); -- result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; -+ result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_CLIENT)) ? SUCCESS : FAILURE; - if (result == SUCCESS) - { - msg(M_WARN, "X509: Certificate is a client certificate yet it's purpose " -@@ -652,7 +652,7 @@ x509_verify_ns_cert_type(openvpn_x509_ce - { - ASN1_BIT_STRING *ns; - ns = X509_get_ext_d2i(peer_cert, NID_netscape_cert_type, NULL, NULL); -- result = (ns && ASN1_STRING_length(ns) > 0 && (ASN1_STRING_get0_data(ns)[0] & NS_SSL_SERVER)) ? SUCCESS : FAILURE; -+ result = (ns && ns->length > 0 && (ns->data[0] & NS_SSL_SERVER)) ? 
SUCCESS : FAILURE; - if (result == SUCCESS) - { - msg(M_WARN, "X509: Certificate is a server certificate yet it's purpose " diff --git a/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch b/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch deleted file mode 100644 index e79f75fae3..0000000000 --- a/net/openvpn/patches/103-define-LN_serialNumber-for-wolfSSL.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/src/openvpn/ssl_verify_openssl.c -+++ b/src/openvpn/ssl_verify_openssl.c -@@ -253,6 +253,9 @@ backend_x509_get_username(char *common_n - return FAILURE; - } - } -+#if defined(ENABLE_CRYPTO_WOLFSSL) -+ #define LN_serialNumber "serialNumber" -+#endif - else if (strcmp(LN_serialNumber, x509_username_field) == 0) - { - ASN1_INTEGER *asn1_i = X509_get_serialNumber(peer_cert);