config OPENVPN_mbedtls_ENABLE_LZO
bool "Enable LZO compression support"
- default y
+ default n
config OPENVPN_mbedtls_ENABLE_LZ4
bool "Enable LZ4 compression support"
default y
-config OPENVPN_mbedtls_ENABLE_SERVER
- bool "Enable server support (otherwise only client mode is support)"
- default y
-
#config OPENVPN_mbedtls_ENABLE_EUREPHIA
# bool "Enable support for the eurephia plug-in"
# default n
bool "Enable the --x509-username-field feature"
default n
-config OPENVPN_openssl_ENABLE_SERVER
- bool "Enable server support (otherwise only client mode is support)"
- default y
-
#config OPENVPN_openssl_ENABLE_EUREPHIA
# bool "Enable support for the eurephia plug-in"
# default n
--- /dev/null
+if PACKAGE_openvpn-wolfssl
+
+config OPENVPN_wolfssl
+ bool
+ default y
+ select WOLFSSL_HAS_OPENVPN
+
+config OPENVPN_wolfssl_ENABLE_LZO
+ bool "Enable LZO compression support"
+ default n
+
+config OPENVPN_wolfssl_ENABLE_LZ4
+ bool "Enable LZ4 compression support"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_X509_ALT_USERNAME
+ bool "Enable the --x509-username-field feature"
+ default n
+
+#config OPENVPN_wolfssl_ENABLE_EUREPHIA
+# bool "Enable support for the eurephia plug-in"
+# default n
+
+config OPENVPN_wolfssl_ENABLE_MANAGEMENT
+ bool "Enable management server support"
+ default n
+
+#config OPENVPN_wolfssl_ENABLE_PKCS11
+# bool "Enable pkcs11 support"
+# default n
+
+config OPENVPN_wolfssl_ENABLE_FRAGMENT
+ bool "Enable internal fragmentation support (--fragment)"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_MULTIHOME
+ bool "Enable multi-homed UDP server support (--multihome)"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_PORT_SHARE
+ bool "Enable TCP server port-share support (--port-share)"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_DEF_AUTH
+ bool "Enable deferred authentication"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_PF
+ bool "Enable internal packet filter"
+ default y
+
+config OPENVPN_wolfssl_ENABLE_IPROUTE2
+ bool "Enable support for iproute2"
+ default n
+
+config OPENVPN_wolfssl_ENABLE_SMALL
+ bool "Enable size optimization"
+ default y
+ help
+ enable smaller executable size (disable OCC, usage
+ message, and verb 4 parm list)
+
+endif
PKG_NAME:=openvpn
-PKG_VERSION:=2.4.12
+PKG_VERSION:=2.5.8
PKG_RELEASE:=1
PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=7426b99b2058b942552af2680ee58546fbf63712992557328bd0014093aa7da4
+PKG_HASH:=2bbd0026469902037ee6499b68283d5ab36c74e36cae3112082cfdf6c77a0c57
-PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
+PKG_MAINTAINER:=Magnus Kroken <mkroken@gmail.com>
PKG_INSTALL:=1
PKG_FIXUP:=autoreconf
Package/openvpn-openssl=$(call Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
Package/openvpn-mbedtls=$(call Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
+Package/openvpn-wolfssl=$(call Package/openvpn/Default,wolfssl,WolfSSL \(experimental\),+PACKAGE_openvpn-wolfssl:libwolfssl)
define Package/openvpn/config/Default
source "$(SOURCE)/Config-$(1).in"
Package/openvpn-openssl/config=$(call Package/openvpn/config/Default,openssl)
Package/openvpn-mbedtls/config=$(call Package/openvpn/config/Default,mbedtls)
+Package/openvpn-wolfssl/config=$(call Package/openvpn/config/Default,wolfssl)
ifeq ($(BUILD_VARIANT),mbedtls)
CONFIG_OPENVPN_MBEDTLS:=y
ifeq ($(BUILD_VARIANT),openssl)
CONFIG_OPENVPN_OPENSSL:=y
endif
+ifeq ($(BUILD_VARIANT),wolfssl)
+CONFIG_OPENVPN_WOLFSSL:=y
+endif
CONFIGURE_VARS += \
- IFCONFIG=/sbin/ifconfig \
- ROUTE=/sbin/route \
IPROUTE=/sbin/ip \
NETSTAT=/sbin/netstat
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZ4),--enable,--disable)-lz4 \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \
- $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_DEF_AUTH),--enable,--disable)-def-auth \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PF),--enable,--disable)-pf \
$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_PORT_SHARE),--enable,--disable)-port-share \
- $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl) \
+ $(if $(CONFIG_OPENVPN_OPENSSL),--with-crypto-library=openssl --with-openssl-engine=no) \
$(if $(CONFIG_OPENVPN_MBEDTLS),--with-crypto-library=mbedtls) \
+ $(if $(CONFIG_OPENVPN_WOLFSSL),--with-crypto-library=wolfssl) \
)
endef
define Package/openvpn-$(BUILD_VARIANT)/conffiles
/etc/config/openvpn
+/etc/openvpn.user
endef
define Package/openvpn-$(BUILD_VARIANT)/install
$(1)/etc/init.d \
$(1)/etc/config \
$(1)/etc/openvpn \
- $(1)/lib/upgrade/keep.d
+ $(1)/lib/functions \
+ $(1)/lib/upgrade/keep.d \
+ $(1)/usr/libexec \
+ $(1)/etc/hotplug.d/openvpn
$(INSTALL_BIN) \
$(PKG_INSTALL_DIR)/usr/sbin/openvpn \
$(INSTALL_BIN) \
files/openvpn.init \
$(1)/etc/init.d/openvpn
+
+ $(INSTALL_BIN) \
+ files/usr/libexec/openvpn-hotplug \
+ $(1)/usr/libexec/openvpn-hotplug
+
+ $(INSTALL_DATA) \
+ files/lib/functions/openvpn.sh \
+ $(1)/lib/functions/openvpn.sh
+
+ $(INSTALL_DATA) \
+ files/etc/hotplug.d/openvpn/01-user \
+ $(1)/etc/hotplug.d/openvpn/01-user
+
+ $(INSTALL_DATA) \
+ files/etc/openvpn.user \
+ $(1)/etc/openvpn.user
+
$(INSTALL_DATA) \
files/openvpn.options \
$(1)/usr/share/openvpn/openvpn.options
$(eval $(call BuildPackage,openvpn-openssl))
$(eval $(call BuildPackage,openvpn-mbedtls))
+$(eval $(call BuildPackage,openvpn-wolfssl))
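Review bot: The new install lines put `files/etc/hotplug.d/openvpn/01-user` and `files/etc/openvpn.user` in place with `$(INSTALL_DATA)` while `openvpn-hotplug` gets `$(INSTALL_BIN)`, and nothing in the recipe says why the two differ. That split only works because neither file is executed directly — openvpn.user is run as `/bin/sh /etc/openvpn.user` by the hook, and 01-user is presumably sourced by hotplug-call — so a comment above the two `$(INSTALL_DATA)` calls, `# 01-user and openvpn.user are interpreted by sh, not executed: no exec bit needed`, would keep a later contributor from "fixing" the modes in either direction. The install define begins before this hunk and continues after it.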
--- /dev/null
+#!/bin/sh
+
+[ -e "/etc/openvpn.user" ] && {
+ env -i ACTION="$ACTION" INSTANCE="$INSTANCE" \
+ /bin/sh \
+ /etc/openvpn.user \
+ $*
+}
+
+# Wrap user defined scripts on up/down events
+case "$ACTION" in
+ up) command=$user_up ;;
+ down) command=$user_down ;;
+ *) command= ;;
+esac
+
+if [ -n "$command" ]; then
+ shift
+ exec /bin/sh -c "$command $*"
+fi
+
+exit 0
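Review bot: `exec /bin/sh -c "$command $*"` in the final `if` block splices the positional parameters into the command string unquoted, so any argument containing whitespace or shell metacharacters is re-split and re-parsed before the user's `up`/`down` command sees it; the bare `$*` handed to `/etc/openvpn.user` in the first block has the same problem. Passing them through as positional parameters keeps them intact: `exec /bin/sh -c "$command \"\$@\"" sh "$@"`, and `"$@"` in place of `$*` on the `env -i` line. Whether hotplug-call forwards any positional parameters to this hook is not visible here; if it does not, the `shift` before the exec has nothing to drop and `$*` is always empty, which deserves a comment either way. `env -i` also clears PATH for openvpn.user, so commands in that file need absolute paths unless the shell supplies a default search path.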
--- /dev/null
+#!/bin/sh
+#
+# This file is interpreted as shell script.
+# Put your custom openvpn action here, they will
+# be executed with each opevnp event.
+#
+# $ACTION
+# <down> down action is generated after the TUN/TAP device is closed
+# <up> up action is generated after the TUN/TAP device is opened
+# $INSTANCE Name of the openvpn instance which went up or down
+
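Review bot: The header comment has a typo, `opevnp`, in "executed with each opevnp event", and the sentence mixes singular and plural ("your custom openvpn action here, they will"); suggested wording: `# Put your custom openvpn actions here; they will be executed on each openvpn event.`. Since this file is run by the hotplug hook with an emptied environment, the header should also tell the user that only `$ACTION`, `$INSTANCE` and what they set themselves are available — assuming the hook keeps using `env -i`.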
--- /dev/null
+#!/bin/sh
+
+get_openvpn_option() {
+ local config="$1"
+ local variable="$2"
+ local option="$3"
+
+ local value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+'"'([^']+)'"'[ \t]*$/\1/p' "$config" | tail -n1)"
+ [ -n "$value" ] || value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+"(([^"\\]|\\.)+)"[ \t]*$/\1/p' "$config" | tail -n1 | sed -re 's/\\(.)/\1/g')"
+ [ -n "$value" ] || value="$(sed -rne 's/^[ \t]*'"$option"'[ \t]+(([^ \t\\]|\\.)+)[ \t]*$/\1/p' "$config" | tail -n1 | sed -re 's/\\(.)/\1/g')"
+ [ -n "$value" ] || return 1
+
+ export -n "$variable=$value"
+ return 0
+}
+
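Review bot: `get_openvpn_option` has no header comment, and two of its properties are not obvious from the body: `$option` is spliced into the sed expressions unescaped, so it must be a literal, regex-safe option name (the callers pass `dev`, `dev-type`, `up` and `down`), and `export -n "$variable=$value"` is used as an indirect assignment that deliberately leaves the name unexported, which works in busybox ash and bash but is not POSIX. Suggested header: `# get_openvpn_option <config> <variable> <option>: assign the last value of <option> found in <config> ('...' quoted, "..." quoted or bare; backslash escapes are removed for the latter two forms) to <variable>; returns 1 if the option is absent or empty. <option> is used unescaped inside a sed regex, so pass literal option names only.`. The `tail -n1` choice (last occurrence wins) is also worth a short comment at the first sed line.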
# Set to 1 to enable this instance:
option enabled 0
+ # Credentials to login
+ #option username 'login'
+ #option password 'password'
+
+ # Password for client certificate
+ #option cert_password 'cert_password'
+
# Include OpenVPN configuration
option config /etc/openvpn/my-vpn.conf
# Diffie hellman parameters.
# Generate your own with:
- # openssl dhparam -out dh1024.pem 1024
+ # openssl dhparam -out dh2048.pem 2048
# Substitute 2048 for 1024 if you are using
- # 2048 bit keys.
- option dh /etc/openvpn/dh1024.pem
+ # 1024 bit keys.
+ option dh /etc/openvpn/dh2048.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# This file is secret:
# option tls_auth "/etc/openvpn/ta.key 0"
- # Select a cryptographic cipher.
- # This config item must be copied to
- # the client config file as well.
- # Blowfish (default):
-# option cipher BF-CBC
- # AES:
-# option cipher AES-128-CBC
- # Triple-DES:
-# option cipher DES-EDE3-CBC
+ # For additional privacy, a shared secret key
+ # can be used for both authentication (as in tls_auth)
+ # and encryption of the TLS control channel.
+ #
+ # Generate a shared secret with:
+ # openvpn --genkey --secret ta.key
+ #
+ # The server and each client must have
+ # a copy of this key.
+ #
+ # tls_auth and tls_crypt should NOT
+ # be combined, as tls_crypt implies tls_auth.
+ # Use EITHER tls_crypt, tls_auth, or neither option.
+# option tls_crypt "/etc/openvpn/ta.key"
+
+ # Set the minimum required TLS protocol version
+ # for all connections.
+ #
+ # Require at least TLS 1.1
+# option tls_version_min "1.1"
+ # Require at least TLS 1.2
+# option tls_version_min "1.2"
+ # Require TLS 1.2, or the highest version supported
+ # on the system
+# option tls_version_min "1.2 'or-highest'"
+
+ # List the preferred ciphers to use for the data channel.
+ # Run openvpn --show-ciphers to see all supported ciphers.
+# list data_ciphers 'AES-256-GCM'
+# list data_ciphers 'AES-128-GCM'
+# list data_ciphers 'CHACHA20-POLY1305'
+
+ # Set a fallback cipher in order to be compatible with
+ # peers that do not support cipher negotiation.
+ #
+ # Use AES-256-CBC as fallback
+# option data_ciphers_fallback 'AES-128-CBC'
+ # Use AES-128-CBC as fallback
+# option data_ciphers_fallback 'AES-256-CBC'
+ # Use Triple-DES as fallback
+# option data_ciphers_fallback 'DES-EDE3-CBC'
+ # Use BF-CBC as fallback
+# option data_ciphers_fallback 'BF-CBC'
+
+ # OpenVPN versions 2.4 and later will attempt to
+ # automatically negotiate the most secure cipher
+ # between the client and server, regardless of a
+ # configured "option cipher" (see below).
+ # Automatic negotiation is recommended.
+ #
+ # Uncomment this option to disable this behavior,
+ # and force all OpenVPN peers to use the configured
+ # cipher option instead (not recommended).
+# option ncp_disable
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
+ #
+ # Compression is not recommended, as compression and
+ # encryption in combination can weaken the security
+ # of the connection.
+ #
# LZ4 requires OpenVPN 2.4+ client and server
# option compress lz4
+ # LZO is available by default only in openvpn-openssl variant
# LZO is compatible with most OpenVPN versions
- # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older clients)
- option compress lzo
+# option compress lzo
+
+ # Control how OpenVPN handles peers using compression
+ #
+ # Do not allow any connections using compression
+# option allow_compression 'no'
+ # Allow incoming compressed packets, but do not send compressed packets to other peers
+ # This can be useful when migrating old configurations with compression activated
+# option allow_compression 'asym'
+ # Both incoming and outgoing packets may be compressed
+# option allow_compression 'yes'
# The maximum number of concurrently connected
# clients we want to allow.
option key /etc/openvpn/client.key
# Verify server certificate by checking
- # that the certicate has the nsCertType
+ # that the certicate has the key usage
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# your server certificates with the nsCertType
# field set to "server". The build_key_server
# script in the easy_rsa folder will do this.
-# option ns_cert_type server
+# option remote_cert_tls server
# If a tls_auth key is used on the server
# then every client must also have the key.
# option tls_auth "/etc/openvpn/ta.key 1"
- # Select a cryptographic cipher.
- # If the cipher option is used on the server
- # then you must also specify it here.
-# option cipher x
+ # If a tls_crypt key is used on the server
+ # every client must also have the key.
+# option tls_crypt "/etc/openvpn/ta.key"
+
+ # Set the minimum required TLS protocol version
+ # for all connections.
+ #
+ # Require at least TLS 1.1
+# option tls_version_min "1.1"
+ # Require at least TLS 1.2
+# option tls_version_min "1.2"
+ # Require TLS 1.2, or the highest version supported
+ # on the system
+# option tls_version_min "1.2 'or-highest'"
+
+ # List the preferred ciphers for the data channel.
+# list data_ciphers 'AES-256-GCM'
+# list data_ciphers 'AES-128-GCM'
+# list data_ciphers 'CHACHA20-POLY1305'
+
+ # Set a fallback cipher if you connect to a peer that does
+ # not support cipher negotiation.
+ # Use AES-256-CBC as fallback
+# option data_ciphers_fallback 'AES-128-CBC'
+ # Use AES-128-CBC as fallback
+# option data_ciphers_fallback 'AES-256-CBC'
+ # Use Triple-DES as fallback
+# option data_ciphers_fallback 'DES-EDE3-CBC'
+ # Use BF-CBC as fallback
+# option data_ciphers_fallback 'BF-CBC'
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
+ #
+ # Compression is not recommended, as compression and
+ # encryption in combination can weaken the security
+ # of the connection.
+ #
# LZ4 requires OpenVPN 2.4+ on server and client
# option compress lz4
+ # LZO is available by default only in openvpn-openssl variant
# LZO is compatible with most OpenVPN versions
- option compress lzo
+# option compress lzo
# Set log file verbosity.
option verb 3
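Review bot: Several new comments in the sample config contradict the option right below them: `# Use AES-256-CBC as fallback` precedes `data_ciphers_fallback 'AES-128-CBC'` and `# Use AES-128-CBC as fallback` precedes `'AES-256-CBC'`, in both the server and the client sample, and the dh paragraph now reads "Substitute 2048 for 1024 if you are using 1024 bit keys", which is backwards after the switch to dh2048.pem — the context line should become `# Substitute 1024 for 2048 if you are using`. The changed `remote_cert_tls` comment keeps the pre-existing typo `certicate`, and the surrounding text still tells the user to issue server certificates with the "nsCertType field set to server", which is what the removed `ns_cert_type` option checked; `remote_cert_tls server` checks key usage and extended key usage instead, so the paragraph should say that. The `DES-EDE3-CBC` and `BF-CBC` fallback examples and the "Require at least TLS 1.1" example would be better labelled as legacy-compatibility only, so that someone copying the sample does not end up with a 64-bit-block cipher or a deprecated TLS version by accident.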
config_get v "$s" "$p"
IFS="$LIST_SEP"
for v in $v; do
+ [ "$v" = "frames_only" ] && [ "$p" = "compress" ] && unset v && append_param "$s" "$p" && echo >> "/var/etc/openvpn-$s.conf"
[ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
- [ -n "$v" ] && [ "$p" == "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
+ [ -n "$v" ] && [ "$p" = "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
done
unset IFS
done
[ $enable -gt 0 ] || [ $enabled -gt 0 ]
}
+create_temp_file() {
+ mkdir -p "$(dirname "$1")"
+ rm -f "$1"
+ touch "$1"
+ chown root "$1"
+ chmod 0600 "$1"
+}
+
+openvpn_get_dev() {
+ local dev dev_type
+ local name="$1"
+ local conf="$2"
+
+ # Do override only for configurations with config_file
+ config_get config_file "$name" config
+ [ -n "$config_file" ] || return
+
+ # Check there is someething to override
+ config_get dev "$name" dev
+ config_get dev_type "$name" dev_type
+ [ -n "$dev" ] || return
+
+ # If there is a no dev_type, try to guess it
+ if [ -z "$dev_type" ]; then
+ . /lib/functions/openvpn.sh
+
+ local odev odev_type
+ get_openvpn_option "$conf" odev dev
+ get_openvpn_option "$conf" odev_type dev-type
+ [ -n "$odev_type" ] || odev_type="$odev"
+
+ case "$odev_type" in
+ tun*) dev_type="tun" ;;
+ tap*) dev_type="tap" ;;
+ *) return;;
+ esac
+ fi
+
+ # Return overrides
+ echo "--dev-type $dev_type --dev $dev"
+}
+
+openvpn_get_credentials() {
+ local name="$1"
+ local ret=""
+
+ config_get cert_password "$name" cert_password
+ config_get password "$name" password
+ config_get username "$name" username
+
+ if [ -n "$cert_password" ]; then
+ create_temp_file /var/run/openvpn.$name.pass
+ echo "$cert_password" > /var/run/openvpn.$name.pass
+ ret=" --askpass /var/run/openvpn.$name.pass "
+ fi
+
+ if [ -n "$username" ]; then
+ create_temp_file /var/run/openvpn.$name.userpass
+ echo "$username" > /var/run/openvpn.$name.userpass
+ echo "$password" >> /var/run/openvpn.$name.userpass
+ ret=" --auth-user-pass /var/run/openvpn.$name.userpass "
+ fi
+
+ # Return overrides
+ echo "$ret"
+}
+
openvpn_add_instance() {
local name="$1"
local dir="$2"
local conf="$3"
+ local security="$4"
+ local up="$5"
+ local down="$6"
procd_open_instance "$name"
procd_set_param command "$PROG" \
--syslog "openvpn($name)" \
--status "/var/run/openvpn.$name.status" \
--cd "$dir" \
- --config "$conf"
+ --config "$conf" \
+ --up "/usr/libexec/openvpn-hotplug up $name" \
+ --down "/usr/libexec/openvpn-hotplug down $name" \
+ ${up:+--setenv user_up "$up"} \
+ ${down:+--setenv user_down "$down"} \
+ --script-security "${security:-2}" \
+ $(openvpn_get_dev "$name" "$conf") \
+ $(openvpn_get_credentials "$name" "$conf")
procd_set_param file "$dir/$conf"
procd_set_param term_timeout 15
procd_set_param respawn
return 1
}
+ local up down script_security
+ config_get up "$s" up
+ config_get down "$s" down
+ config_get script_security "$s" script_security
+
[ ! -d "/var/run" ] && mkdir -p "/var/run"
if [ ! -z "$config" ]; then
append UCI_STARTED "$config" "$LIST_SEP"
- openvpn_add_instance "$s" "${config%/*}" "$config"
+ [ -n "$up" ] || get_openvpn_option "$config" up up
+ [ -n "$down" ] || get_openvpn_option "$config" down down
+ openvpn_add_instance "$s" "${config%/*}" "$config" "$script_security" "$up" "$down"
return
fi
- [ ! -d "/var/etc" ] && mkdir -p "/var/etc"
- [ -f "/var/etc/openvpn-$s.conf" ] && rm "/var/etc/openvpn-$s.conf"
+ create_temp_file "/var/etc/openvpn-$s.conf"
append_bools "$s" $OPENVPN_BOOLS
append_params "$s" $OPENVPN_PARAMS
append_list "$s" $OPENVPN_LIST
- openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf"
+ openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf" "$script_security" "$up" "$down"
}
start_service() {
fi
}
+ . /lib/functions/openvpn.sh
. /usr/share/openvpn/openvpn.options
config_load 'openvpn'
else
config_foreach start_instance 'openvpn'
- local path name
+ local path name up down
for path in /etc/openvpn/*.conf; do
if [ -f "$path" ]; then
name="${path##*/}"; name="${name%.conf}"
continue
fi
- openvpn_add_instance "$name" "${path%/*}" "$path"
+ get_openvpn_option "$path" up up || up=""
+ get_openvpn_option "$path" down down || down=""
+ openvpn_add_instance "$name" "${path%/*}" "$path" "" "$up" "$down"
fi
done
fi
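Review bot: In `openvpn_get_credentials` the second branch assigns `ret=" --auth-user-pass ..."` instead of appending, so an instance that sets both `cert_password` and `username` (the sample config offers both) silently loses the `--askpass` argument built a few lines earlier; it should read `ret="$ret --auth-user-pass /var/run/openvpn.$name.userpass "`. The secrets are written with `echo "$cert_password"` / `echo "$password"`, which some sh echo builtins mangle for values starting with `-n`/`-e` or containing backslashes — `printf '%s\n' "$cert_password" > /var/run/openvpn.$name.pass` writes them verbatim. `create_temp_file` runs `touch` before `chmod 0600`, so the file briefly exists with the umask default mode; `( umask 077; : > "$1" )` in place of `touch` closes that window, which matters little under a root-only /var/run but costs nothing. The second argument in `$(openvpn_get_credentials "$name" "$conf")` is never read by the function and can be dropped. The function that contains the later `up`/`down`/`script_security` lookups starts before this hunk.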
OPENVPN_PARAMS='
+allow_compression
askpass
auth
auth_retry
auth_user_pass
auth_user_pass_verify
bcast_buffers
+bind_dev
ca
capath
cd
connect_retry_max
connect_timeout
crl_verify
+data_ciphers_fallback
dev
dev_node
dev_type
dh
-down
ecdh_curve
echo
engine
keepalive
key
key_direction
-key_method
keysize
learn_address
link_mtu
mtu_disc
mute
nice
-ns_cert_type
ping
ping_exit
ping_restart
route_pre_down
route_up
rport
-script_security
secret
server
server_bridge
server_ipv6
+server_poll_timeout
setenv
shaper
sndbuf
tcp_queue_limit
tls_auth
tls_crypt
+tls_crypt_v2
+tls_crypt_v2_verify
+tls_export_cert
tls_timeout
tls_verify
tls_version_min
tun_mtu
tun_mtu_extra
txqueuelen
-up
user
verb
verify_client_cert
verify_x509_name
+vlan_accept
+vlan_pvid
x509_username_field
'
auth_nocache
auth_user_pass_optional
bind
+block_ipv6
ccd_exclusive
client
client_to_client
persist_tun
ping_timer_rem
pull
+push_peer_info
push_reset
remote_random
rmtun
up_delay
up_restart
username_as_common_name
+vlan_tagging
'
OPENVPN_LIST='
+data_ciphers
ncp_ciphers
tls_cipher
tls_ciphersuites
+tls_groups
'
--- /dev/null
+#!/bin/sh
+
+ACTION=$1
+shift
+INSTANCE=$1
+shift
+
+export ACTION=$ACTION
+export INSTANCE=$INSTANCE
+exec /sbin/hotplug-call openvpn "$@"
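Review bot: Style: the two assign-then-export pairs can be collapsed into `export ACTION="$1" INSTANCE="$2"` followed by `shift 2`, which also makes the two-argument expectation visible; with fewer arguments the bare `shift` fails, and in ash/dash a failed special builtin aborts the script, so a guard such as `[ $# -ge 2 ] || exit 1` in front would make that explicit. If I recall OpenVPN's defaults correctly, a non-zero exit from an `--up` script aborts the connection, so an early exit here is reported rather than silent. A one-line header comment naming the caller, `# invoked by openvpn --up/--down as: openvpn-hotplug <up|down> <instance> <openvpn script args...>`, would tie this file to the init script.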
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
-@@ -106,7 +106,6 @@ const char title_string[] =
- #ifdef HAVE_AEAD_CIPHER_MODES
- " [AEAD]"
+@@ -105,7 +105,6 @@ const char title_string[] =
+ #endif
#endif
+ " [AEAD]"
- " built on " __DATE__
;
--- /dev/null
+From: Gert Doering <gert@greenie.muc.de>
+
+Support for wolfSSL in OpenVPN
+
+This patch adds support for wolfSSL in OpenVPN. Support is added by using
+wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged
+and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is
+linked against the wolfSSL library. The wolfSSL installation directory is
+detected using pkg-config.
+
+As requested by OpenVPN maintainers, this patch does not include
+wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN
+in the configure script wolfSSL will include wolfssl/options.h on its own
+(change added in wolfSSL/wolfssl#2825). The patch
+adds an option '--disable-wolfssl-options-h' in case the user would like
+to supply their own settings file for wolfSSL.
+
+wolfSSL:
+Support added in: wolfSSL/wolfssl#2503
+
+git clone https://github.com/wolfSSL/wolfssl.git
+cd wolfssl
+./autogen.sh
+./configure --enable-openvpn
+make
+sudo make install
+
+OpenVPN:
+
+autoreconf -i -v -f
+./configure --with-crypto-library=wolfssl
+make
+make check
+sudo make install
+
+Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
+Acked-by: Arne Schwabe <arne@rfc2549.org>
+Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ configure.ac | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ src/openvpn/syshead.h | 3 ++-
+ 2 files changed, 110 insertions(+), 3 deletions(-)
+--- a/configure.ac
++++ b/configure.ac
+@@ -271,16 +271,23 @@ AC_ARG_WITH(
+
+ AC_ARG_WITH(
+ [crypto-library],
+- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
++ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
+ [
+ case "${withval}" in
+- openssl|mbedtls) ;;
++ openssl|mbedtls|wolfssl) ;;
+ *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
+ esac
+ ],
+ [with_crypto_library="openssl"]
+ )
+
++AC_ARG_ENABLE(
++ [wolfssl-options-h],
++ [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
++ ,
++ [enable_wolfssl_options_h="yes"]
++)
++
+ AC_ARG_WITH(
+ [openssl-engine],
+ [AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])],
+@@ -1054,6 +1061,105 @@ elif test "${with_crypto_library}" = "mb
+ AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
+ CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
+ CRYPTO_LIBS="${MBEDTLS_LIBS}"
++
++elif test "${with_crypto_library}" = "wolfssl"; then
++ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should
++ contain the regular wolfSSL header files but also the
++ wolfSSL OpenSSL header files. Ex: -I/usr/local/include
++ -I/usr/local/include/wolfssl])
++ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
++
++ saved_CFLAGS="${CFLAGS}"
++ saved_LIBS="${LIBS}"
++
++ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
++ # if the user did not explicitly specify flags, try to autodetect
++ PKG_CHECK_MODULES(
++ [WOLFSSL],
++ [wolfssl],
++ [],
++ [AC_MSG_ERROR([Could not find wolfSSL.])]
++ )
++ PKG_CHECK_VAR(
++ [WOLFSSL_INCLUDEDIR],
++ [wolfssl],
++ [includedir],
++ [],
++ [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])]
++ )
++ WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl"
++ fi
++ saved_CFLAGS="${CFLAGS}"
++ saved_LIBS="${LIBS}"
++ CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}"
++ LIBS="${LIBS} ${WOLFSSL_LIBS}"
++
++ AC_CHECK_LIB(
++ [wolfssl],
++ [wolfSSL_Init],
++ [],
++ [AC_MSG_ERROR([Could not link wolfSSL library.])]
++ )
++ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
++
++ # wolfSSL signal EKM support
++ have_export_keying_material="yes"
++
++ AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++ AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
++
++ if test "${enable_wolfssl_options_h}" = "yes"; then
++ AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
++ else
++ AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
++ fi
++
++ have_export_keying_material="yes"
++
++ CFLAGS="${saved_CFLAGS}"
++ LIBS="${saved_LIBS}"
++
++ AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
++ AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
++ CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
++ CRYPTO_LIBS="${WOLFSSL_LIBS}"
+ else
+ AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
+ fi
+--- a/src/openvpn/syshead.h
++++ b/src/openvpn/syshead.h
+@@ -582,7 +582,8 @@ socket_defined(const socket_descriptor_t
+ /*
+ * Do we have CryptoAPI capability?
+ */
+-#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL)
++#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \
++ !defined(ENABLE_CRYPTO_WOLFSSL)
+ #define ENABLE_CRYPTOAPI
+ #endif
+
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
-@@ -1415,7 +1415,7 @@ const char *
+@@ -1539,7 +1539,7 @@ const char *
get_ssl_library_version(void)
{
static char mbedtls_version[30];
--- a/configure.ac
+++ b/configure.ac
-@@ -1074,68 +1074,15 @@ dnl
+@@ -1211,68 +1211,15 @@ dnl
AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
-@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t
+@@ -572,7 +572,7 @@ socket_defined(const socket_descriptor_t
/*
* Should we include NTLM proxy functionality
*/
--#if defined(ENABLE_CRYPTO)
-#define NTLM 1
--#else
-+//#if defined(ENABLE_CRYPTO)
+//#define NTLM 1
-+//#else
- #define NTLM 0
--#endif
-+//#endif
/*
* Should we include proxy digest auth functionality
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
-@@ -319,6 +319,7 @@ int
+@@ -396,6 +396,7 @@ int
key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
{
int ret = 0;
if (kt->type == MBEDTLS_CIPHER_DES_CBC)
{
ret = 1;
-@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -408,6 +409,7 @@ key_des_num_cblocks(const mbedtls_cipher
{
ret = 3;
}
dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
return ret;
-@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -416,6 +418,7 @@ key_des_num_cblocks(const mbedtls_cipher
bool
key_des_check(uint8_t *key, int key_len, int ndc)
{
int i;
struct buffer b;
-@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len,
+@@ -444,11 +447,15 @@ key_des_check(uint8_t *key, int key_len,
err:
return false;
int i;
struct buffer b;
-@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len,
+@@ -463,6 +470,7 @@ key_des_fixup(uint8_t *key, int key_len,
}
mbedtls_des_key_set_parity(key);
}
}
/*
-@@ -705,10 +713,12 @@ cipher_des_encrypt_ecb(const unsigned ch
+@@ -783,10 +791,12 @@ cipher_des_encrypt_ecb(const unsigned ch
unsigned char *src,
unsigned char *dst)
{
--- /dev/null
+#!/bin/sh
+
+case "$1" in
+ "openvpn-mbedtls")
+ openvpn --version | grep "$2.*SSL (mbed TLS)"
+ ;;
+ "openvpn-openssl"|"openvpn-wolfssl")
+ openvpn --version | grep "$2.*SSL (OpenSSL)"
+ ;;
+esac
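Review bot: The `case` has no default arm, so for any `$1` other than the three known package names nothing runs and the script exits 0, which makes the test pass trivially for a misspelled or future variant; add `*) echo "unknown package $1" >&2; exit 1 ;;` before `esac`. `$2` is used as part of a grep regex, so the dots in a version such as 2.5.8 match any character — acceptable here, but worth a comment so nobody expects an exact match. The shared arm presumably works for wolfssl because the bundled patch defines ENABLE_CRYPTO_OPENSSL for that build and the banner therefore still says `SSL (OpenSSL)`; a comment on that arm saying so would explain why wolfssl has no pattern of its own.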