[Openvpn-devel] Support for wolfSSL with OpenVPN master branch

Message ID 20200207174818.21050-1-juliusz@wolfssl.com
State Changes Requested
Headers show
Series [Openvpn-devel] Support for wolfSSL with OpenVPN master branch | expand

Commit Message

Juliusz Sosinowicz Feb. 7, 2020, 5:48 p.m. UTC
wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```
---
 configure.ac                               | 77 +++++++++++++++++++++-
 include/openvpn-plugin.h.in                |  3 +
 sample/sample-config-files/loopback-client |  1 +
 sample/sample-config-files/loopback-server |  1 +
 src/openvpn/crypto.c                       |  2 +-
 src/openvpn/crypto_openssl.h               |  3 +
 src/openvpn/cryptoapi.c                    |  4 ++
 src/openvpn/openssl_compat.h               |  4 ++
 src/openvpn/ssl_openssl.h                  |  3 +
 src/openvpn/ssl_verify_openssl.h           |  3 +
 10 files changed, 98 insertions(+), 3 deletions(-)

Comments

Gert Doering Feb. 8, 2020, 8:45 a.m. UTC | #1
Hi Juliusz,

please send patches out of a git tree, coming from a git commit with
"git commit -s", and having a somewhat relevant commit message.

Besides this, please do not

> --- a/sample/sample-config-files/loopback-client
> +++ b/sample/sample-config-files/loopback-client
> @@ -25,3 +25,4 @@ tls-auth sample-keys/ta.key 1
>  cipher AES-256-GCM
>  ping 1
>  inactive 120 10000000
> +cipher AES-256-CBC

... modify the sample config files (and *if* you do, do not just add
a second cipher line, which will confuse users quite a bit).

If WolfSSL does not support GCM, this needs to be documented, but our
sample config files contain the recommended cipher for the existing
crypto systems, and this is (and will continue to be for the time) 
GCM - faster, and lower overhead.

gert
Juliusz Sosinowicz Feb. 9, 2020, 9:18 a.m. UTC | #2
Hi Gert,

thank you for your comments. My intention was not to add a second cipher 
line in the sample config file. I added "cipher AES-256-CBC" to an 
earlier version of OpenVPN when there was no cipher specified in the 
loopback-client and loopback-server files. After rebasing my commit onto 
master I didn't notice the double cipher lines in the config files. I 
will remove this in my next patch as wolfSSL does support GCM mode but 
not yet in the compatibility layer.

I will add GCM support to our compatibility layer and send an updated 
signed-off patch with a better commit message explaining what is 
happening in the patch.

Thanks
Juliusz

On 08/02/2020 09:45, Gert Doering wrote:
> Hi Juliusz,
>
> please send patches out of a git tree, coming from a git commit with
> "git commit -s", and having a somewhat relevant commit message.
>
> Besides this, please do not
>
>> --- a/sample/sample-config-files/loopback-client
>> +++ b/sample/sample-config-files/loopback-client
>> @@ -25,3 +25,4 @@ tls-auth sample-keys/ta.key 1
>>   cipher AES-256-GCM
>>   ping 1
>>   inactive 120 10000000
>> +cipher AES-256-CBC
> ... modify the sample config files (and *if* you do, do not just add
> a second cipher line, which will confuse users quite a bit).
>
> If WolfSSL does not support GCM, this needs to be documented, but our
> sample config files contain the recommended cipher for the existing
> crypto systems, and this is (and will continue to be for the time)
> GCM - faster, and lower overhead.
>
> gert
Antonio Quartulli Feb. 9, 2020, 9:44 a.m. UTC | #3
Hi Juliusz,

if wolfssl support is being introduced by means of the openssl
compatibility layer, why do people need to configure OpenVPN with
"./configure --with-crypto-library=wolfssl", rather than just using
openssl and specifying a different path for headers/libraries?

Isn't the compat layer in wolfssl operating as a drop-in replacement for
openssl?

Regards,

On 09/02/2020 10:18, Juliusz Sosinowicz wrote:
> Hi Gert,
> 
> thank you for your comments. My intention was not to add a second cipher
> line in the sample config file. I added "cipher AES-256-CBC" to an
> earlier version of OpenVPN when there was no cipher specified in the
> loopback-client and loopback-server files. After rebasing my commit onto
> master I didn't notice the double cipher lines in the config files. I
> will remove this in my next patch as wolfSSL does support GCM mode but
> not yet in the compatibility layer.
> 
> I will add GCM support to our compatibility layer and send an updated
> signed-off patch with a better commit message explaining what is
> happening in the patch.
> 
> Thanks
> Juliusz
> 
> On 08/02/2020 09:45, Gert Doering wrote:
>> Hi Juliusz,
>>
>> please send patches out of a git tree, coming from a git commit with
>> "git commit -s", and having a somewhat relevant commit message.
>>
>> Besides this, please do not
>>
>>> --- a/sample/sample-config-files/loopback-client
>>> +++ b/sample/sample-config-files/loopback-client
>>> @@ -25,3 +25,4 @@ tls-auth sample-keys/ta.key 1
>>>   cipher AES-256-GCM
>>>   ping 1
>>>   inactive 120 10000000
>>> +cipher AES-256-CBC
>> ... modify the sample config files (and *if* you do, do not just add
>> a second cipher line, which will confuse users quite a bit).
>>
>> If WolfSSL does not support GCM, this needs to be documented, but our
>> sample config files contain the recommended cipher for the existing
>> crypto systems, and this is (and will continue to be for the time)
>> GCM - faster, and lower overhead.
>>
>> gert
> 
> 
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
Gert Doering Feb. 9, 2020, 9:50 a.m. UTC | #4
Hi,

On Sun, Feb 09, 2020 at 10:44:48AM +0100, Antonio Quartulli wrote:
> if wolfssl support is being introduced by means of the openssl
> compatibility layer, why do people need to configure OpenVPN with
> "./configure --with-crypto-library=wolfssl", rather than just using
> openssl and specifying a different path for headers/libraries?
> 
> Isn't the compat layer in wolfssl operating as a drop-in replacement for
> openssl?

This question has been asked before and answered :-) - most of the
compat functions seem to be implemented as macros, which our configure
will not find.  So, configure needs to explicitely define what is there
and what not.

I do not like the extra include very much, but that seems to be hard 
to avoid with the current WolfSSL header file setup.

gert
Antonio Quartulli Feb. 9, 2020, 9:51 a.m. UTC | #5
Hi,

On 09/02/2020 10:50, Gert Doering wrote:
> Hi,
> 
> On Sun, Feb 09, 2020 at 10:44:48AM +0100, Antonio Quartulli wrote:
>> if wolfssl support is being introduced by means of the openssl
>> compatibility layer, why do people need to configure OpenVPN with
>> "./configure --with-crypto-library=wolfssl", rather than just using
>> openssl and specifying a different path for headers/libraries?
>>
>> Isn't the compat layer in wolfssl operating as a drop-in replacement for
>> openssl?
> 
> This question has been asked before and answered :-) - most of the
> compat functions seem to be implemented as macros, which our configure
> will not find.  So, configure needs to explicitely define what is there
> and what not.
> 
> I do not like the extra include very much, but that seems to be hard 
> to avoid with the current WolfSSL header file setup.
> 

ouch, thanks for the reminder :-)
Juliusz Sosinowicz Feb. 9, 2020, 11:08 a.m. UTC | #6
Hi Antonio,Gert is correct, our compatibility layer is a set of functions in wolfSSL which emulate the OpenSSL API. These functions are then macro defined to have the same names as the OpenSSL functions. The configure script needs to know where the wolfSSL headers are and that it should link against the wolfSSL binary, not OpenSSL. This is the reason for the configure script changes.Sincerely Juliusz 
-------- Original message --------From: Antonio Quartulli <a@unstable.cc> Date: 09/02/2020  10:52  (GMT+01:00) To: Gert Doering <gert@greenie.muc.de> Cc: Juliusz Sosinowicz <juliusz@wolfssl.com>, openvpn-devel@lists.sourceforge.net Subject: Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master
  branch Hi,On 09/02/2020 10:50, Gert Doering wrote:> Hi,> > On Sun, Feb 09, 2020 at 10:44:48AM +0100, Antonio Quartulli wrote:>> if wolfssl support is being introduced by means of the openssl>> compatibility layer, why do people need to configure OpenVPN with>> "./configure --with-crypto-library=wolfssl", rather than just using>> openssl and specifying a different path for headers/libraries?>>>> Isn't the compat layer in wolfssl operating as a drop-in replacement for>> openssl?> > This question has been asked before and answered :-) - most of the> compat functions seem to be implemented as macros, which our configure> will not find.  So, configure needs to explicitely define what is there> and what not.> > I do not like the extra include very much, but that seems to be hard > to avoid with the current WolfSSL header file setup.> ouch, thanks for the reminder :-)-- Antonio Quartulli
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body dir="auto">Hi Antonio,<div dir="auto"><br></div><div dir="auto">Gert is correct, our compatibility layer is a set of functions in wolfSSL which emulate the OpenSSL API. These functions are then macro defined to have the same names as the OpenSSL functions. The configure script needs to know where the wolfSSL headers are and that it should link against the wolfSSL binary, not OpenSSL. This is the reason for the configure script changes.</div><div dir="auto"><br></div><div dir="auto">Sincerely&nbsp;</div><div dir="auto">Juliusz&nbsp;</div><div><br></div><div style="font-size:100%;color:#000000" dir="auto"><!-- originalMessage --><div>-------- Original message --------</div><div>From: Antonio Quartulli &lt;a@unstable.cc&gt; </div><div>Date: 09/02/2020  10:52  (GMT+01:00) </div><div>To: Gert Doering &lt;gert@greenie.muc.de&gt; </div><div>Cc: Juliusz Sosinowicz &lt;juliusz@wolfssl.com&gt;, openvpn-devel@lists.sourceforge.net </div><div>Subject: Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master
&nbsp; branch </div><div><br></div></div>Hi,<br><br>On 09/02/2020 10:50, Gert Doering wrote:<br>&gt; Hi,<br>&gt; <br>&gt; On Sun, Feb 09, 2020 at 10:44:48AM +0100, Antonio Quartulli wrote:<br>&gt;&gt; if wolfssl support is being introduced by means of the openssl<br>&gt;&gt; compatibility layer, why do people need to configure OpenVPN with<br>&gt;&gt; "./configure --with-crypto-library=wolfssl", rather than just using<br>&gt;&gt; openssl and specifying a different path for headers/libraries?<br>&gt;&gt;<br>&gt;&gt; Isn't the compat layer in wolfssl operating as a drop-in replacement for<br>&gt;&gt; openssl?<br>&gt; <br>&gt; This question has been asked before and answered :-) - most of the<br>&gt; compat functions seem to be implemented as macros, which our configure<br>&gt; will not find.&nbsp; So, configure needs to explicitely define what is there<br>&gt; and what not.<br>&gt; <br>&gt; I do not like the extra include very much, but that seems to be hard <br>&gt; to avoid with the current WolfSSL header file setup.<br>&gt; <br><br>ouch, thanks for the reminder :-)<br><br><br><br>-- <br>Antonio Quartulli<br></body></html>
Arne Schwabe Feb. 21, 2020, 1:01 p.m. UTC | #7
Am 09.02.20 um 12:08 schrieb Juliusz Sosinowicz:
> Hi Antonio,
> 
> Gert is correct, our compatibility layer is a set of functions in
> wolfSSL which emulate the OpenSSL API. These functions are then macro
> defined to have the same names as the OpenSSL functions. The configure
> script needs to know where the wolfSSL headers are and that it should
> link against the wolfSSL binary, not OpenSSL. This is the reason for the
> configure script changes.

But OpenSSL also its opensslconf.h header and does not force you to
important into each file it uses. I find that argument very weak. If it
is something that is essential for your compat layer then you should
probably include it in the top of each compatibility header.

Arne

Patch

diff --git a/configure.ac b/configure.ac
index 98fd39ce..564f21a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -276,10 +276,10 @@  AC_ARG_WITH(
 
 AC_ARG_WITH(
 	[crypto-library],
-	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
 	[
 		case "${withval}" in
-			openssl|mbedtls) ;;
+			openssl|mbedtls|wolfssl) ;;
 			*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
 		esac
 	],
@@ -1029,6 +1029,79 @@  elif test "${with_crypto_library}" = "mbedtls"; then
 	AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
 	CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
 	CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+	AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+	AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+	AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory @<:@default=/usr/local/include/wolfssl@:>@])
+	if test -n "${WOLFSSL_DIR}"; then
+		wolfssldir="${WOLFSSL_DIR}"
+	else
+		wolfssldir="/usr/local/include/wolfssl"
+	fi
+
+	saved_CFLAGS="${CFLAGS}"
+	saved_LIBS="${LIBS}"
+
+	if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+		# if the user did not explicitly specify flags, try to autodetect
+		LIBS="${LIBS} -lwolfssl -lm -pthread"
+		AC_CHECK_LIB(
+			[wolfssl],
+			[wolfSSL_Init],
+			[],
+			[AC_MSG_ERROR([Could not link wolfSSL library.])]
+		)
+		AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
+	fi
+
+	AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+	
+	have_crypto_aead_modes="no"
+	have_crypto="yes"
+	
+	WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${wolfssldir}"
+	CFLAGS="${WOLFSSL_CFLAGS} ${CFLAGS}"
+	LIBS="${WOLFSSL_LIBS} ${LIBS}"
+	AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
+	AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer])
+	CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
+	CRYPTO_LIBS="${WOLFSSL_LIBS}"
 else
 	AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
 fi
diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
index 103844f7..f6d116da 100644
--- a/include/openvpn-plugin.h.in
+++ b/include/openvpn-plugin.h.in
@@ -33,6 +33,9 @@ 
 typedef mbedtls_x509_crt openvpn_x509_cert_t;
 #endif
 #else  /* ifdef ENABLE_CRYPTO_MBEDTLS */
+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include <wolfssl/options.h>
+#endif
 #include <openssl/x509.h>
 #ifndef __OPENVPN_X509_CERT_T_DECLARED
 #define __OPENVPN_X509_CERT_T_DECLARED
diff --git a/sample/sample-config-files/loopback-client b/sample/sample-config-files/loopback-client
index 1734aa8b..e0f5b23e 100644
--- a/sample/sample-config-files/loopback-client
+++ b/sample/sample-config-files/loopback-client
@@ -25,3 +25,4 @@  tls-auth sample-keys/ta.key 1
 cipher AES-256-GCM
 ping 1
 inactive 120 10000000
+cipher AES-256-CBC
diff --git a/sample/sample-config-files/loopback-server b/sample/sample-config-files/loopback-server
index 58daeb56..7abc0213 100644
--- a/sample/sample-config-files/loopback-server
+++ b/sample/sample-config-files/loopback-server
@@ -25,3 +25,4 @@  tls-auth sample-keys/ta.key 0
 cipher AES-256-GCM
 ping 1
 inactive 120 10000000
+cipher AES-256-CBC
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 65e789ed..8b8f97ea 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -428,7 +428,7 @@  openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
     tag_ptr = BPTR(buf);
     ASSERT(buf_advance(buf, tag_size));
     dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, &gc));
-#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L
+#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L && !defined(ENABLE_CRYPTO_WOLFSSL)
     /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */
     if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr))
     {
diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
index 64754480..db0c4ccd 100644
--- a/src/openvpn/crypto_openssl.h
+++ b/src/openvpn/crypto_openssl.h
@@ -29,6 +29,9 @@ 
 #ifndef CRYPTO_OPENSSL_H_
 #define CRYPTO_OPENSSL_H_
 
+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include <wolfssl/options.h>
+#endif
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/md5.h>
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index 2f2eee77..5618ad1a 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -39,6 +39,10 @@ 
 
 #ifdef ENABLE_CRYPTOAPI
 
+#ifdef ENABLE_CRYPTO_WOLFSSL
+#error wolfSSL does not support CryptoAPI
+#endif
+
 #include <openssl/ssl.h>
 #include <openssl/evp.h>
 #include <openssl/err.h>
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 4ac8f24d..c8ce9933 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -42,6 +42,10 @@ 
 
 #include "buffer.h"
 
+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include <wolfssl/options.h>
+#include <openssl/err.h>
+#endif
 #include <openssl/rsa.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
index 835878c3..1ec6944d 100644
--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@@ -29,6 +29,9 @@ 
 #ifndef SSL_OPENSSL_H_
 #define SSL_OPENSSL_H_
 
+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include <wolfssl/options.h>
+#endif
 #include <openssl/ssl.h>
 
 /**
diff --git a/src/openvpn/ssl_verify_openssl.h b/src/openvpn/ssl_verify_openssl.h
index 118e16fc..1707a76e 100644
--- a/src/openvpn/ssl_verify_openssl.h
+++ b/src/openvpn/ssl_verify_openssl.h
@@ -30,6 +30,9 @@ 
 #ifndef SSL_VERIFY_OPENSSL_H_
 #define SSL_VERIFY_OPENSSL_H_
 
+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include <wolfssl/options.h>
+#endif
 #include <openssl/x509.h>
 
 #ifndef __OPENVPN_X509_CERT_T_DECLARED