From patchwork Fri Feb 7 06:48:18 2020
X-Patchwork-Submitter: Juliusz Sosinowicz
X-Patchwork-Id: 985
From: Juliusz Sosinowicz
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 7 Feb 2020 18:48:18 +0100
Message-Id: <20200207174818.21050-1-juliusz@wolfssl.com>
X-Mailer: git-send-email 2.17.1
Subject: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master branch

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```
---
 configure.ac                               | 77 +++++++++++++++++++++-
 include/openvpn-plugin.h.in                |  3 +
 sample/sample-config-files/loopback-client |  1 +
 sample/sample-config-files/loopback-server |  1 +
 src/openvpn/crypto.c                       |  2 +-
 src/openvpn/crypto_openssl.h               |  3 +
 src/openvpn/cryptoapi.c                    |  4 ++
 src/openvpn/openssl_compat.h               |  4 ++
src/openvpn/ssl_openssl.h | 3 + src/openvpn/ssl_verify_openssl.h | 3 + 10 files changed, 98 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 98fd39ce..564f21a6 100644 --- a/configure.ac +++ b/configure.ac @@ -276,10 +276,10 @@ AC_ARG_WITH( AC_ARG_WITH( [crypto-library], - [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], + [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], [ case "${withval}" in - openssl|mbedtls) ;; + openssl|mbedtls|wolfssl) ;; *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; esac ], 
@@ -1029,6 +1029,79 @@ elif test "${with_crypto_library}" = "mbedtls"; then AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" CRYPTO_LIBS="${MBEDTLS_LIBS}" + +elif test "${with_crypto_library}" = "wolfssl"; then + AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl]) + AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) + AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory @<:@default=/usr/local/include/wolfssl@:>@]) + if test -n "${WOLFSSL_DIR}"; then + wolfssldir="${WOLFSSL_DIR}" + else + wolfssldir="/usr/local/include/wolfssl" + fi + + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + + if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then + # if the user did not explicitly specify flags, try to autodetect + LIBS="${LIBS} -lwolfssl -lm -pthread" + AC_CHECK_LIB( + [wolfssl], + [wolfSSL_Init], + [], + [AC_MSG_ERROR([Could not link wolfSSL library.])] + ) + AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) + fi + + AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + 
AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS 
since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + + have_crypto_aead_modes="no" + have_crypto="yes" + + WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${wolfssldir}" + CFLAGS="${WOLFSSL_CFLAGS} ${CFLAGS}" + LIBS="${WOLFSSL_LIBS} ${LIBS}" + AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library]) + AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer]) + CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}" + CRYPTO_LIBS="${WOLFSSL_LIBS}" else AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}]) fi diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in index 103844f7..f6d116da 100644 --- a/include/openvpn-plugin.h.in +++ b/include/openvpn-plugin.h.in @@ -33,6 +33,9 @@ typedef mbedtls_x509_crt openvpn_x509_cert_t; #endif #else /* ifdef ENABLE_CRYPTO_MBEDTLS */ +#ifdef ENABLE_CRYPTO_WOLFSSL +#include +#endif #include #ifndef __OPENVPN_X509_CERT_T_DECLARED #define __OPENVPN_X509_CERT_T_DECLARED diff --git a/sample/sample-config-files/loopback-client b/sample/sample-config-files/loopback-client index 1734aa8b..e0f5b23e 100644 --- a/sample/sample-config-files/loopback-client +++ b/sample/sample-config-files/loopback-client 
@@ -25,3 +25,4 @@ tls-auth sample-keys/ta.key 1 cipher AES-256-GCM ping 1 inactive 120 10000000 +cipher AES-256-CBC diff --git a/sample/sample-config-files/loopback-server b/sample/sample-config-files/loopback-server index 58daeb56..7abc0213 100644 --- a/sample/sample-config-files/loopback-server +++ b/sample/sample-config-files/loopback-server @@ -25,3 +25,4 @@ tls-auth sample-keys/ta.key 0 cipher AES-256-GCM ping 1 inactive 120 10000000 +cipher AES-256-CBC diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 65e789ed..8b8f97ea 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -428,7 +428,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, tag_ptr = BPTR(buf); ASSERT(buf_advance(buf, tag_size)); dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, &gc)); -#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L +#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L && !defined(ENABLE_CRYPTO_WOLFSSL) /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */ if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr)) { diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 64754480..db0c4ccd 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -29,6 +29,9 @@ #ifndef CRYPTO_OPENSSL_H_ #define CRYPTO_OPENSSL_H_ +#ifdef ENABLE_CRYPTO_WOLFSSL +#include +#endif #include #include #include diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 2f2eee77..5618ad1a 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -39,6 +39,10 @@ #ifdef ENABLE_CRYPTOAPI +#ifdef ENABLE_CRYPTO_WOLFSSL +#error wolfSSL does not support CryptoAPI +#endif + #include #include #include diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 4ac8f24d..c8ce9933 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h 
@@ -42,6 +42,10 @@ #include "buffer.h" +#ifdef ENABLE_CRYPTO_WOLFSSL +#include +#include +#endif #include #include #include diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h index 835878c3..1ec6944d 100644 --- a/src/openvpn/ssl_openssl.h +++ b/src/openvpn/ssl_openssl.h @@ -29,6 +29,9 @@ #ifndef SSL_OPENSSL_H_ #define SSL_OPENSSL_H_ +#ifdef ENABLE_CRYPTO_WOLFSSL +#include +#endif #include /** diff --git a/src/openvpn/ssl_verify_openssl.h b/src/openvpn/ssl_verify_openssl.h index 118e16fc..1707a76e 100644 --- a/src/openvpn/ssl_verify_openssl.h +++ b/src/openvpn/ssl_verify_openssl.h @@ -30,6 +30,9 @@ #ifndef SSL_VERIFY_OPENSSL_H_ #define SSL_VERIFY_OPENSSL_H_ +#ifdef ENABLE_CRYPTO_WOLFSSL +#include +#endif #include #ifndef __OPENVPN_X509_CERT_T_DECLARED
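Review bot: In the new wolfssl branch of configure.ac (hunk @@ -1029), `saved_CFLAGS` and `saved_LIBS` are assigned but never restored, and in the autodetect path `WOLFSSL_LIBS` stays empty, so `CRYPTO_LIBS="${WOLFSSL_LIBS}"` ends up empty and the link only works because `-lwolfssl -lm -pthread` was left in the global `LIBS` (and `AC_CHECK_LIB` with an empty action-if-found prepends `-lwolfssl` a second time). Suggest setting `WOLFSSL_LIBS="-lwolfssl -lm -pthread"` inside the autodetect branch and restoring `CFLAGS="${saved_CFLAGS}"` and `LIBS="${saved_LIBS}"` after the checks, so that `CRYPTO_LIBS` carries the flags the same way `CRYPTO_LIBS="${MBEDTLS_LIBS}"` does just above. Two smaller points in the same hunk: `AC_CHECK_HEADER([wolfssl/options.h])` runs before `-I${wolfssldir}` is appended to `WOLFSSL_CFLAGS`/`CFLAGS`, so it probes the compiler's default include path rather than `WOLFSSL_DIR` and a non-default `WOLFSSL_DIR` will be reported as missing; move the `-I${wolfssldir}` lines ahead of the check, and expand the `WOLFSSL_DIR` help string to say what must live under that directory, since the default `/usr/local/include/wolfssl` is not a plain install prefix and defining `ENABLE_CRYPTO_OPENSSL` for this backend means the wolfSSL compatibility headers are expected to satisfy OpenVPN's existing OpenSSL includes. Finally, the long run of unconditional `AC_DEFINE([HAVE_...])` lines pins the build to a wolfSSL version that exposes every one of those compatibility macros without recording a minimum version or probing a single symbol, and `have_crypto_aead_modes="no"` silently disables AEAD cipher modes for this backend; both deserve a comment stating the required wolfSSL version (the commit message points at wolfSSL PR 2503) and the AEAD limitation, which is apparently what the sample-config change below is working around.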
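Review bot: In both loopback-client and loopback-server, appending `cipher AES-256-CBC` after the existing `cipher AES-256-GCM` line leaves two conflicting `cipher` directives in the sample; the later one takes effect, so the first becomes a misleading leftover. Replace the existing line instead of adding a second one. Note also that these sample files are shared by every crypto backend, so this moves the loopback test from an AEAD mode to CBC for OpenSSL and mbedTLS builds too; if the aim is only to make `make check` pass for wolfSSL (where `have_crypto_aead_modes` is forced to "no"), a wolfSSL-specific override would keep the GCM default for the other builds.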
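Review bot: The added `&& !defined(ENABLE_CRYPTO_WOLFSSL)` in crypto.c needs a comment of its own: the existing comment explains the early `EVP_CTRL_GCM_SET_TAG` as a workaround for an OpenSSL <= 1.0.1c bug, and the new condition implies that wolfSSL's compatibility layer reports an `OPENSSL_VERSION_NUMBER` below 0x10001040L while not having that bug. State that explicitly, otherwise the next reader will take the exclusion for a mistake. Since configure.ac sets `have_crypto_aead_modes="no"` for wolfSSL, it is also worth saying in the commit message whether this AEAD decrypt path is compiled at all for that backend.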
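Review bot: The `#error wolfSSL does not support CryptoAPI` in cryptoapi.c only fires at compile time; the same conflict can be rejected in configure.ac where `--with-crypto-library=wolfssl` is handled, so the user gets a clear configure-time error instead of a build failure part way through. Keeping the `#error` as a backstop is fine.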
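Review bot: The same `#ifdef ENABLE_CRYPTO_WOLFSSL` / `#include` / `#endif` preamble is repeated ahead of the OpenSSL includes in five headers (openvpn-plugin.h.in, crypto_openssl.h, openssl_compat.h, ssl_openssl.h, ssl_verify_openssl.h), and any header that later gains an OpenSSL include without it will build inconsistently for the wolfSSL backend. Put the wolfSSL includes in one header that every OpenSSL-backend header already pulls in (crypto_openssl.h, or a small dedicated wolfssl compatibility header) and include that instead, so the guard exists in exactly one place.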