[Openvpn-devel] Support for wolfSSL in OpenVPN

Message ID 20210317181153.83716-1-juliusz@wolfssl.com
State Accepted
Headers show
Series
  • [Openvpn-devel] Support for wolfSSL in OpenVPN
Related show

Commit Message

Juliusz Sosinowicz March 17, 2021, 6:11 p.m.
This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. The wolfSSL installation directory is detected using pkg-config.

As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option `--disable-wolfssl-options-h` in case the user would like to supply their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
---
 configure.ac          | 110 +++++++++++++++++++++++++++++++++++++++++-
 src/openvpn/syshead.h |   3 +-
 2 files changed, 110 insertions(+), 3 deletions(-)

Comments

Arne Schwabe March 18, 2021, 12:28 p.m. | #1
Am 17.03.21 um 19:11 schrieb Juliusz Sosinowicz:
> This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. The wolfSSL installation directory is detected using pkg-config.
> 
> As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option `--disable-wolfssl-options-h` in case the user would like to supply their own settings file for wolfSSL.
> 
> wolfSSL:
> Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
> ```
> git clone https://github.com/wolfSSL/wolfssl.git
> cd wolfssl
> ./autogen.sh
> ./configure --enable-openvpn
> make
> sudo make install
> ```
> 
> OpenVPN:
> ```
> autoreconf -i -v -f
> ./configure --with-crypto-library=wolfssl
> make
> make check
> sudo make install
> ```
>

Acked-By: Arne Schwabe <arne@rfc2549.org>

@Gert, can you also ACK/commit the README patch?
(https://patchwork.openvpn.net/patch/1087/)
Gert Doering March 18, 2021, 1:21 p.m. | #2
Your patch has been applied to the master branch.

I have not tested actual WolfSSL builds, but done a quick compile test
to see if it would break old/new openssl or old/new mbedtls configure
runs.  All works :-)

commit f6dca235ae560597a0763f0c98fcc9130b80ccf4
Author: Juliusz Sosinowicz
Date:   Wed Mar 17 19:11:53 2021 +0100

     Support for wolfSSL in OpenVPN

     Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
     Acked-by: Arne Schwabe <arne@rfc2549.org>
     Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21686.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
Gert Doering March 18, 2021, 1:56 p.m. | #3
Hi,

On Thu, Mar 18, 2021 at 02:21:02PM +0100, Gert Doering wrote:
> Your patch has been applied to the master branch.
> 
> I have not tested actual WolfSSL builds, but done a quick compile test
> to see if it would break old/new openssl or old/new mbedtls configure
> runs.  All works :-)

Well.  That was too fast.

I did not test with older autoconf versions, and it turns out that
PKG_CHECK_VAR() is not supported on older versions - this got introduced
by the WolfSSL patch, and half our buildbots have exploded (Ubuntu 16,
Ubuntu 18, NetBSD 8.1).

So, we need a fix for that... possibly some addition to our m4/ directory,
or a rewrite of this configure.ac hunk.

And we want it quick, because our buildbot infrastructure is half-down
now...

gert
Juliusz Sosinowicz March 18, 2021, 2:01 p.m. | #4
Hi Gert,

which version of autoconf exactly is causing this explosion?

Juliusz

On 18/03/2021 14:56, Gert Doering wrote:
> Hi,
>
> On Thu, Mar 18, 2021 at 02:21:02PM +0100, Gert Doering wrote:
>> Your patch has been applied to the master branch.
>>
>> I have not tested actual WolfSSL builds, but done a quick compile test
>> to see if it would break old/new openssl or old/new mbedtls configure
>> runs.  All works :-)
> Well.  That was too fast.
>
> I did not test with older autoconf versions, and it turns out that
> PKG_CHECK_VAR() is not supported on older versions - this got introduced
> by the WolfSSL patch, and half our buildbots have exploded (Ubuntu 16,
> Ubuntu 18, NetBSD 8.1).
>
> So, we need a fix for that... possibly some addition to our m4/ directory,
> or a rewrite of this configure.ac hunk.
>
> And we want it quick, because our buildbot infrastructure is half-down
> now...
>
> gert
>
Gert Doering March 18, 2021, 2:34 p.m. | #5
Hi,

On Thu, Mar 18, 2021 at 03:01:16PM +0100, Juliusz Sosinowicz wrote:
> which version of autoconf exactly is causing this explosion?

The one shipped with Ubuntu 16 is "2.69-9" and automake "1.15-4"

which matches NetBSD 8.1

nbsd81$ pkg_info |grep auto
autoconf-2.69nb8    Generates automatic source code configuration scripts
automake-1.16.1     GNU Standards-compliant Makefile generator

so, we need something that works with 2.69 (which seems to be "the gold
standard of autoconf for many years").

Interesting enough, FreeBSD 11.4 has "2.69" as well, and it did not
cause any problems there (that's where I run the "autoreconf -vif" for
my local test-before-push builds).


I do not understand autoconf intricacies well enough to understand
what exactly is going on, though.

gert

Patch

diff --git a/configure.ac b/configure.ac
index c65df3e2c..61ed56500 100644
--- a/configure.ac
+++ b/configure.ac
@@ -264,16 +264,23 @@  AC_ARG_WITH(
 
 AC_ARG_WITH(
 	[crypto-library],
-	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
 	[
 		case "${withval}" in
-			openssl|mbedtls) ;;
+			openssl|mbedtls|wolfssl) ;;
 			*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
 		esac
 	],
 	[with_crypto_library="openssl"]
 )
 
+AC_ARG_ENABLE(
+	[wolfssl-options-h],
+	[AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
+	,
+	[enable_wolfssl_options_h="yes"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
 	plugindir="${PLUGINDIR}"
@@ -1019,6 +1026,105 @@  elif test "${with_crypto_library}" = "mbedtls"; then
 	AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
 	CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
 	CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+	AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should
+								  contain the regular wolfSSL header files but also the 
+								  wolfSSL OpenSSL header files. Ex: -I/usr/local/include 
+								  -I/usr/local/include/wolfssl])
+	AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+
+	saved_CFLAGS="${CFLAGS}"
+	saved_LIBS="${LIBS}"
+
+	if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+		# if the user did not explicitly specify flags, try to autodetect
+		PKG_CHECK_MODULES(
+			[WOLFSSL],
+			[wolfssl],
+			[],
+			[AC_MSG_ERROR([Could not find wolfSSL.])]
+		)
+		PKG_CHECK_VAR(
+			[WOLFSSL_INCLUDEDIR], 
+			[wolfssl], 
+			[includedir], 
+			[],
+			[AC_MSG_ERROR([Could not find wolfSSL includedir variable.])]
+		)
+		WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl"
+	fi
+	saved_CFLAGS="${CFLAGS}"
+	saved_LIBS="${LIBS}"
+	CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}"
+	LIBS="${LIBS} ${WOLFSSL_LIBS}"
+
+	AC_CHECK_LIB(
+		[wolfssl],
+		[wolfSSL_Init],
+		[],
+		[AC_MSG_ERROR([Could not link wolfSSL library.])]
+	)
+	AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
+	
+	# wolfSSL signal EKM support
+	have_export_keying_material="yes"
+
+	AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+
+	if test "${enable_wolfssl_options_h}" = "yes"; then
+		AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library])
+	else
+		AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library])
+	fi
+	
+	have_export_keying_material="yes"
+	
+	CFLAGS="${saved_CFLAGS}"
+	LIBS="${saved_LIBS}"
+	
+	AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
+	AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
+	CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
+	CRYPTO_LIBS="${WOLFSSL_LIBS}"
 else
 	AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
 fi
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 2ad5afc20..a20de1f65 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -569,7 +569,8 @@  socket_defined(const socket_descriptor_t sd)
 /*
  * Do we have CryptoAPI capability?
  */
-#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL)
+#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \
+        !defined(ENABLE_CRYPTO_WOLFSSL)
 #define ENABLE_CRYPTOAPI
 #endif