Thursday, January 02, 2025

net/openvpn,mbedtls: add pkcs11 support

I'd like to know whether the mbedtls FLAVOR can also use
pkcs11-helper. Seems to work just fine with ''openvpn
--show-pkcs11-ids'' but this is no actual test.

Klemens: could you please test the mbedtls FLAVOR for your use case?

Bjorn, do you see a drawback with enabling pkcs11 support? The
resulting openvpn--mbedtls binary starts being directly linked to
libcrypto, but:
- libcrypto comes from libpkcs11-helper-1.pc but openvpn itself
doesn't start using libcrypto itself
- mbedtls and libcrypto shouldn't conflict

Input and oks welcome.


Index: Makefile
===================================================================
RCS file: /cvs/ports/net/openvpn/Makefile,v
diff -u -p -r1.131 Makefile
--- Makefile 2 Jan 2025 17:25:13 -0000 1.131
+++ Makefile 2 Jan 2025 22:59:20 -0000
@@ -1,7 +1,7 @@
COMMENT= easy-to-use, robust, and highly configurable VPN

DISTNAME= openvpn-2.6.12
-REVISION= 0
+REVISION= 1

CATEGORIES= net security

@@ -12,20 +12,24 @@ MAINTAINER= Jeremie Courreges-Anglas <jc
# GPLv2 only
PERMIT_PACKAGE= Yes

-WANTLIB += c lz4 lzo2
+WANTLIB += c crypto lz4 lzo2 pkcs11-helper

SITES= https://swupdate.openvpn.org/community/releases/

-BUILD_DEPENDS= textproc/py-docutils
+# ensure 'pkcs11-providers .../p11-kit-proxy.so' as default
+BUILD_DEPENDS+= security/p11-kit
+BUILD_DEPENDS+= textproc/py-docutils
LIB_DEPENDS= archivers/lzo2 \
archivers/lz4
+LIB_DEPENDS+= security/pkcs11-helper
TEST_DEPENDS= devel/cmocka

CONFIGURE_STYLE= gnu

CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
LDFLAGS="-L${LOCALBASE}/lib ${LDFLAGS}"
-CONFIGURE_ARGS+=--with-openssl-engine=no
+CONFIGURE_ARGS+=--enable-pkcs11 \
+ --with-openssl-engine=no

DEBUG_PACKAGES= ${BUILD_PACKAGES}

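Review bot: The now-unconditional `WANTLIB += c crypto lz4 lzo2 pkcs11-helper` line makes every FLAVOR, mbedtls included, record libcrypto as a direct dependency, and nothing in the Makefile says why. A one-line comment above it, noting that crypto is pulled in through pkcs11-helper rather than used by openvpn itself, would keep a later cleanup from dropping it or from reading the mbedtls build as OpenSSL-backed. Minor: `BUILD_DEPENDS` now starts with `+=` where the old line used `=`, and `LIB_DEPENDS+= security/pkcs11-helper` could simply join the continued `LIB_DEPENDS=` list just above it.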
@@ -37,11 +41,7 @@ LIB_DEPENDS+= security/polarssl
CONFIGURE_ARGS+= --with-crypto-library=mbedtls
WANTLIB += mbedcrypto mbedtls mbedx509 pthread
.else
-# ensure 'pkcs11-providers .../p11-kit-proxy.so' as default
-BUILD_DEPENDS+= security/p11-kit
-LIB_DEPENDS+= security/pkcs11-helper
-CONFIGURE_ARGS+= --enable-pkcs11
-WANTLIB += crypto pkcs11-helper ssl
+WANTLIB += ssl
.endif

SAMPLES_DIR= ${PREFIX}/share/examples/openvpn
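Review bot: With the pkcs11 lines removed from the `.else` branch, the mbedtls branch above it now builds with both `--with-crypto-library=mbedtls` and `--enable-pkcs11`, a combination this port did not build before, so it needs a run that actually authenticates with a token-held key before it goes in. It would also help to confirm the WANTLIB split (`crypto pkcs11-helper` in the common part, `ssl` only in this branch) with `make port-lib-depends-check` under each FLAVOR.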

--
jca
