[Openvpn-devel] Support for wolfSSL in OpenVPN

Message ID 20200414185214.1863-1-juliusz@wolfssl.com
State Changes Requested
Series [Openvpn-devel] Support for wolfSSL in OpenVPN

Commit Message

Juliusz Sosinowicz April 14, 2020, 8:52 a.m. UTC
This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library.

As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option '--disable-wolfssl-options-h' in case the user would like to supply their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
---
 configure.ac            | 91 ++++++++++++++++++++++++++++++++++++++++-
 src/openvpn/crypto.c    |  2 +-
 src/openvpn/cryptoapi.c |  4 ++
 3 files changed, 94 insertions(+), 3 deletions(-)

Comments

Arne Schwabe April 14, 2020, 11:31 p.m. UTC | #1
Am 14.04.20 um 20:52 schrieb Juliusz Sosinowicz:
> This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library.
> 
> As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option '--disable-wolfssl-options-h' in case the user would like to supply their own settings file for wolfSSL.
> 

Thanks, the patch is a lot less intrusive than the last version. We will
have to discuss in our meeting under what condition we want to include
the patch. We might add a note or statement that the WolfSSL support in
OpenVPN is mainly developed and tested by WolfSSL itself or something
along these lines.

> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index 453cb20a..73da5fa7 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -428,7 +428,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
>      tag_ptr = BPTR(buf);
>      ASSERT(buf_advance(buf, tag_size));
>      dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, &gc));
> -#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L
> +#if (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L) || defined(ENABLE_CRYPTO_WOLFSSL)
>      /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */
>      if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr))
>      {

Are you sure that WolfSSL requires a workaround for old OpenSSL version
before 1.0.1d?

Arne
Gert Doering April 14, 2020, 11:48 p.m. UTC | #2
Hi,

as Arne said, this is much better.

On Tue, Apr 14, 2020 at 08:52:14PM +0200, Juliusz Sosinowicz wrote:
> This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library.
[..]

There is one thing, though:

> index 30eba7b2..a82c52ad 100644
> --- a/src/openvpn/cryptoapi.c
> +++ b/src/openvpn/cryptoapi.c
> @@ -39,6 +39,10 @@
>  
>  #ifdef ENABLE_CRYPTOAPI
>  
> +#ifdef ENABLE_CRYPTO_WOLFSSL
> +#error wolfSSL does not support CryptoAPI
> +#endif
> +

I do not like this very much.  It will, effectively, break win32 builds
with WolfSSL - and add yet another #ifdef to our .c files.

ENABLE_CRYPTOAPI is defined in syshead.h

#if defined(_WIN32) && defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
#define ENABLE_CRYPTOAPI
#endif

... could you investigate whether it would be sufficient to just 
conditionalize this on WolfSSL, like this?

#if defined(_WIN32) && defined(ENABLE_CRYPTO) && \
	defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_WOLFSSL)
#define ENABLE_CRYPTOAPI
#endif

so you can have WolfSSL-linked binaries for Windows, just without
CryptoAPI support (as with mbedtls)...

gert
David Sommerseth April 15, 2020, 10:58 a.m. UTC | #3
On 14/04/2020 20:52, Juliusz Sosinowicz wrote:
> diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
> index 30eba7b2..a82c52ad 100644
> --- a/src/openvpn/cryptoapi.c
> +++ b/src/openvpn/cryptoapi.c
> @@ -39,6 +39,10 @@
>  
>  #ifdef ENABLE_CRYPTOAPI
>  
> +#ifdef ENABLE_CRYPTO_WOLFSSL
> +#error wolfSSL does not support CryptoAPI
> +#endif
> +

Except for the documentation effect, wouldn't it be better to handle that in
syshead.h instead?

In syshead.h, I see this:
----------------------------------
#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL)
#define ENABLE_CRYPTOAPI
#endif
----------------------------------

This is the only place I could find defining this macro.  So extending it with
&& !defined(ENABLE_CRYPTO_WOLFSSL) would eliminate the need to worry about the
ENABLE_CRYPTOAPI elsewhere.

Has this patch been tested against Windows builds with WolfSSL enabled, like
via mingw?
Juliusz Sosinowicz April 16, 2020, 12:42 a.m. UTC | #4
Hi Arne,

On 15/04/2020 11:31, Arne Schwabe wrote:
> Am 14.04.20 um 20:52 schrieb Juliusz Sosinowicz:
>> This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library.
>>
>> As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option '--disable-wolfssl-options-h' in case the user would like to supply their own settings file for wolfSSL.
>>
> Thanks, the patch is a lot less intrusive than the last version. We will
> have to discuss in our meeting under what condition we want to include
> the patch. We might add a note or statement that the WolfSSL support in
> OpenVPN is mainly developed and tested by WolfSSL itself or something
> along these lines.
This is understandable since we will be maintaining wolfSSL within OpenVPN.
>> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
>> index 453cb20a..73da5fa7 100644
>> --- a/src/openvpn/crypto.c
>> +++ b/src/openvpn/crypto.c
>> @@ -428,7 +428,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
>>       tag_ptr = BPTR(buf);
>>       ASSERT(buf_advance(buf, tag_size));
>>       dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, &gc));
>> -#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L
>> +#if (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L) || defined(ENABLE_CRYPTO_WOLFSSL)
>>       /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */
>>       if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr))
>>       {
> Are you sure that WolfSSL requires a workaround for old OpenSSL version
> before 1.0.1d?
wolfSSL is built around one-shot APIs as opposed to OpenSSL's stream
APIs. The reason for using this workaround is that the authentication
tag is checked in the Update call, not the Final call. I'll look into
fixing this issue.
> Arne
>
Thanks!
Juliusz
Juliusz Sosinowicz April 16, 2020, 12:49 a.m. UTC | #5
Hi Gert,

thanks for the suggestion. I will change this in the next patch after 
looking into the issue that Arne brought up.

On 15/04/2020 11:48, Gert Doering wrote:
> Hi,
>
> as Arne said, this is much better.
>
> On Tue, Apr 14, 2020 at 08:52:14PM +0200, Juliusz Sosinowicz wrote:
>> This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library.
> [..]
>
> There is one thing, though:
>
>> index 30eba7b2..a82c52ad 100644
>> --- a/src/openvpn/cryptoapi.c
>> +++ b/src/openvpn/cryptoapi.c
>> @@ -39,6 +39,10 @@
>>   
>>   #ifdef ENABLE_CRYPTOAPI
>>   
>> +#ifdef ENABLE_CRYPTO_WOLFSSL
>> +#error wolfSSL does not support CryptoAPI
>> +#endif
>> +
> I do not like this very much.  It will, effectively, break win32 builds
> with WolfSSL - and add yet another #ifdef to our .c files.
>
> ENABLE_CRYPTOAPI is defined in syshead.h
>
> #if defined(_WIN32) && defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
> #define ENABLE_CRYPTOAPI
> #endif
>
> ... could you investigate whether it would be sufficient to just
> conditionalize this on WolfSSL, like this?
>
> #if defined(_WIN32) && defined(ENABLE_CRYPTO) && \
> 	defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_WOLFSSL)
> #define ENABLE_CRYPTOAPI
> #endif
>
> so you can have WolfSSL-linked binaries for Windows, just without
> CryptoAPI support (as with mbedtls)...
>
> gert
>
Sincerely
Juliusz
Arne Schwabe April 16, 2020, 1:11 a.m. UTC | #6
Am 16.04.20 um 12:42 schrieb Juliusz Sosinowicz:
> Hi Arne,
> 
> On 15/04/2020 11:31, Arne Schwabe wrote:
>> Am 14.04.20 um 20:52 schrieb Juliusz Sosinowicz:
>>> This patch adds support for wolfSSL in OpenVPN. Support is added by
>>> using wolfSSL's OpenSSL compatibility layer. Function calls are left
>>> unchanged and instead the OpenSSL includes point to wolfSSL headers
>>> and OpenVPN is linked against the wolfSSL library.
>>>
>>> As requested by OpenVPN maintainers, this patch does not include
>>> wolfssl/options.h on its own. By defining the macro
>>> EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include
>>> wolfssl/options.h on its own (change added in
>>> https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an
>>> option '--disable-wolfssl-options-h' in case the user would like to
>>> supply their own settings file for wolfSSL.
>>>
>> Thanks, the patch is a lot less intrusive than the last version. We will
>> have to discuss in our meeting under what condition we want to include
>> the patch. We might add a note or statement that the WolfSSL support in
>> OpenVPN is mainly developed and tested by WolfSSL itself or something
>> along these lines.
> This is understandable since we will be maintaining wolfSSL within OpenVPN.


Could you take a look if this is an acceptable text for a README.wolfssl?

Support for WolfSSL is implemented and maintained by WolfSSL Inc. The
support is implemented using WolfSSL's compatibility layer. The WolfSSL
support in OpenVPN receives very limited testing/support from the
OpenVPN community itself.

If bugs in OpenVPN when using WolfSSL are encountered, the user should
try to also compile OpenVPN with OpenSSL to determine if these are
bugs in the WolfSSL TLS implementation or OpenVPN itself.

To Build and Install,

	./configure --with-crypto-library=wolfssl
	make
	make install

*************************************************************************
Due to limitations in the wolfSSL TLS library or its compatibility layer, the
following features are missing:

 * blowfish support (BF-CBC), you must use something like
   cipher AES-128-CBC to avoid trying to use BF-CBC
 * Windows CryptoAPI support
Juliusz Sosinowicz April 16, 2020, 5:04 a.m. UTC | #7
The Readme looks good. Just one suggestion.

On 16/04/2020 13:11, Arne Schwabe wrote:
> Am 16.04.20 um 12:42 schrieb Juliusz Sosinowicz:
>> Hi Arne,
>>
>> On 15/04/2020 11:31, Arne Schwabe wrote:
>>> Am 14.04.20 um 20:52 schrieb Juliusz Sosinowicz:
>>>> This patch adds support for wolfSSL in OpenVPN. Support is added by
>>>> using wolfSSL's OpenSSL compatibility layer. Function calls are left
>>>> unchanged and instead the OpenSSL includes point to wolfSSL headers
>>>> and OpenVPN is linked against the wolfSSL library.
>>>>
>>>> As requested by OpenVPN maintainers, this patch does not include
>>>> wolfssl/options.h on its own. By defining the macro
>>>> EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include
>>>> wolfssl/options.h on its own (change added in
>>>> https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an
>>>> option '--disable-wolfssl-options-h' in case the user would like to
>>>> supply their own settings file for wolfSSL.
>>>>
>>> Thanks, the patch is a lot less intrusive than the last version. We will
>>> have to discuss in our meeting under what condition we want to include
>>> the patch. We might add a note or statement that the WolfSSL support in
>>> OpenVPN is mainly developed and tested by WolfSSL itself or something
>>> along these lines.
>> This is understandable since we will be maintaining wolfSSL within OpenVPN.
>
> Could you take a look if this is an acceptable text for a README.wolfssl?
>
> Support for WolfSSL is implemented and maintained by WolfSSL Inc. The
> support is implemented using WolfSSL's compatibility layer. The WolfSSL
> support in OpenVPN receives very limited testing/support from the
> OpenVPN community itself.
>
> If bugs in OpenVPN when using WolfSSL are encountered, the user should
> try to also compile OpenVPN with OpenSSL to determine if these are
> bugs in the WolfSSL TLS implementation or OpenVPN itself.
>
> To Build and Install,
>
> 	./configure --with-crypto-library=wolfssl
> 	make
> 	make install

I would add here:

The wolfSSL library will include the installed options.h file by
default. To include a custom user_settings.h file for wolfSSL,

./configure --with-crypto-library=wolfssl --disable-wolfssl-options-h
make
make install

>
> *************************************************************************
> Due to limitations in the wolfSSL TLS library or its compatibility layer, the
> following features are missing:
>
>   * blowfish support (BF-CBC), you must use something like
>     cipher AES-128-CBC to avoid trying to use BF-CBC
>   * Windows CryptoAPI support
>

Patch

diff --git a/configure.ac b/configure.ac
index fcec7389..53ad3181 100644
--- a/configure.ac
+++ b/configure.ac
@@ -276,16 +276,23 @@  AC_ARG_WITH(
 
 AC_ARG_WITH(
 	[crypto-library],
-	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
 	[
 		case "${withval}" in
-			openssl|mbedtls) ;;
+			openssl|mbedtls|wolfssl) ;;
 			*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
 		esac
 	],
 	[with_crypto_library="openssl"]
 )
 
+AC_ARG_ENABLE(
+	[wolfssl-options-h],
+	[AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
+	,
+	[enable_wolfssl_options_h="yes"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
 	plugindir="${PLUGINDIR}"
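Review bot: the help string in `+	[AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],` is ambiguous: read literally, `default=yes` says the disabling is on by default, while the fourth argument `[enable_wolfssl_options_h="yes"]` makes including options.h the default. Suggest wording it from the include's point of view, e.g. `[Do not include wolfssl/options.h; build against a user-supplied user_settings.h instead @<:@default: options.h is included@:>@]`. The empty third argument also means any `--enable-wolfssl-options-h=<value>` is accepted verbatim; a `case "${enableval}" in yes|no) ;; *) AC_MSG_ERROR(...) ;; esac` in that slot, like the `--with-crypto-library` check just above it, would reject typos at configure time instead of at build time.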
@@ -1029,6 +1036,86 @@  elif test "${with_crypto_library}" = "mbedtls"; then
 	AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
 	CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
 	CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+	AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+	AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+	AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory @<:@default=/usr/local/include/wolfssl@:>@])
+	if test -n "${WOLFSSL_DIR}"; then
+		wolfssldir="${WOLFSSL_DIR}"
+	else
+		wolfssldir="/usr/local/include/wolfssl"
+	fi
+
+	saved_CFLAGS="${CFLAGS}"
+	saved_LIBS="${LIBS}"
+
+	if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+		# if the user did not explicitly specify flags, try to autodetect
+		LIBS="${LIBS} -lwolfssl -lm -pthread"
+		AC_CHECK_LIB(
+			[wolfssl],
+			[wolfSSL_Init],
+			[],
+			[AC_MSG_ERROR([Could not link wolfSSL library.])]
+		)
+		AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
+	fi
+
+	AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	
+	have_crypto_aead_modes="yes"
+	have_crypto="yes"
+    
+	if test "${enable_wolfssl_options_h}" = "yes"; then
+		AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
+	else
+		AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
+	fi
+	
+	WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${wolfssldir}"
+	CFLAGS="${WOLFSSL_CFLAGS} ${CFLAGS}"
+	LIBS="${WOLFSSL_LIBS} ${LIBS}"
+	
+	AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
+	AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
+	CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
+	CRYPTO_LIBS="${WOLFSSL_LIBS}"
 else
 	AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
 fi
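Review bot: `saved_CFLAGS` and `saved_LIBS` are assigned but never restored, and in the autodetect branch the link flags go into the global `LIBS` (`LIBS="${LIBS} -lwolfssl -lm -pthread"`) while `WOLFSSL_LIBS` stays empty, so `CRYPTO_LIBS="${WOLFSSL_LIBS}"` ends up empty and every target, not only the crypto objects, is linked against wolfSSL; `AC_CHECK_LIB` with an empty action-if-found also prepends `-lwolfssl` a second time. Suggest setting `WOLFSSL_LIBS="-lwolfssl -lm -pthread"` in that branch, running the checks with temporarily extended `CFLAGS`/`LIBS`, and restoring the saved values afterwards, so `CRYPTO_LIBS` carries the flags the same way `CRYPTO_LIBS="${MBEDTLS_LIBS}"` does for mbed TLS. Two smaller points: `AC_CHECK_HEADER([wolfssl/options.h],...)` runs before `-I${wolfssldir}` is appended to `CFLAGS`, so the check only ever sees the compiler's default include path, and a comment explaining that `-I${wolfssldir}` exists so that OpenVPN's `#include <openssl/...>` lines resolve to wolfSSL's compatibility headers would help the next reader; and the long block of unconditional `AC_DEFINE([HAVE_...], [1], ...)` lines moves any mismatch with the installed wolfSSL from a configure-time failure to a compile error, which the commit message could at least mention. The blank `+` lines between the `AC_DEFINE` list and the `have_crypto` assignments also carry trailing whitespace, one of them spaces where the file uses tabs.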
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 453cb20a..73da5fa7 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -428,7 +428,7 @@  openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
     tag_ptr = BPTR(buf);
     ASSERT(buf_advance(buf, tag_size));
     dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, &gc));
-#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L
+#if (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L) || defined(ENABLE_CRYPTO_WOLFSSL)
     /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */
     if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr))
     {
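Review bot: the comment `/* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */` now sits under a condition that is also true for every wolfSSL build, but it no longer explains why that is; per the author's reply in this thread, wolfSSL's compatibility layer verifies the GCM tag inside the Update call rather than in Final, so the tag has to be set before `EVP_DecryptUpdate` is reached. Suggest extending the comment with that reason, so the next reader does not take the `defined(ENABLE_CRYPTO_WOLFSSL)` branch for a leftover of the old-OpenSSL workaround or remove it when the OpenSSL version floor is raised. Because the configure.ac hunk defines `ENABLE_CRYPTO_OPENSSL` for wolfSSL builds as well, the left-hand side of the `||` is evaluated against whatever `OPENSSL_VERSION_NUMBER` the compatibility layer advertises; keeping the explicit `defined(ENABLE_CRYPTO_WOLFSSL)` test, which does not depend on that value, is therefore the right choice.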
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 30eba7b2..a82c52ad 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -39,6 +39,10 @@ 
 
 #ifdef ENABLE_CRYPTOAPI
 
+#ifdef ENABLE_CRYPTO_WOLFSSL
+#error wolfSSL does not support CryptoAPI
+#endif
+
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 #include <openssl/err.h>
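Review bot: the `#error wolfSSL does not support CryptoAPI` block turns every Windows wolfSSL build into a hard compile failure instead of a build without CryptoAPI, because syshead.h defines `ENABLE_CRYPTOAPI` whenever `_WIN32` and `ENABLE_CRYPTO_OPENSSL` are set, and the configure.ac hunk defines `ENABLE_CRYPTO_OPENSSL` for wolfSSL builds too. As suggested in the replies above, the cleaner fix is to add `&& !defined(ENABLE_CRYPTO_WOLFSSL)` to that single definition in syshead.h and drop this block, so wolfSSL builds on Windows simply omit the CryptoAPI certificate and key support, as mbed TLS builds do; the missing feature then belongs in the README.wolfssl list drafted in this thread rather than in a preprocessor error. Either way, the commit message should state whether a mingw build with wolfSSL has actually been exercised.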