From patchwork Wed Mar 17 07:11:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Juliusz Sosinowicz X-Patchwork-Id: 1623 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id kHIFJdVGUmDrJwAAIUCqbw (envelope-from ) for ; Wed, 17 Mar 2021 14:13:41 -0400 Received: from proxy13.mail.iad3b.rsapps.net ([172.31.255.6]) by director14.mail.ord1d.rsapps.net with LMTP id YLfmJNVGUmAxdgAAeJ7fFg (envelope-from ) for ; Wed, 17 Mar 2021 14:13:41 -0400 Received: from smtp37.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.iad3b.rsapps.net with LMTPS id gMV0HdVGUmC7AwAAvUvv+w (envelope-from ) for ; Wed, 17 Mar 2021 14:13:41 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp37.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=fail (p=none; dis=none) header.from=wolfssl.com X-Suspicious-Flag: YES X-Classification-ID: 7fc24526-874c-11eb-82d5-5254002ca64a-1-1 Received: from [216.105.38.7] ([216.105.38.7:48266] helo=lists.sourceforge.net) by smtp37.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 00/94-09035-4D642506; Wed, 17 Mar 2021 14:13:40 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1lMaew-0003Kk-Il; Wed, 17 Mar 2021 18:12:42 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lMaeu-0003Kc-IM for openvpn-devel@lists.sourceforge.net; Wed, 17 Mar 2021 18:12:40 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=xjuB/1Pkrkql1oq1SAyg9iKG5zr2l2q5aeGb7uQGvIM=; b=Q/VILzfOF8FRAM1GZqX/WqX9gY O0BR7qLFHhadi/j+7ZCf+KZXFiNKyGPE8RauEwbOLcfttAA/J79JRXkZmi/Mw4u6/AfbKSSp2GFvg elmFQsNy51r++KfqyplHMGCj30jYKOt6rvN1D4Pi1rF8voMVyDUVjuJ/MA64K6kWHYNo=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=xjuB/1Pkrkql1oq1SAyg9iKG5zr2l2q5aeGb7uQGvIM=; b=Q SBkeQQWqlC9Uaqsk43gH/3U6kT/67nziooZ/+ralwwCRRYQ70iHiUUoeJ6AJmDDoA1cGTAcy77oBH 4pNY0iKqFkKW5ZCO0KeFlEVCJLrydvvxgJ5DObMbbru63r95FclLQaUQiH3dZO6CpZHcmhPJ1lb3r bL5CRm6WUUf+bgM8=; Received: from p3plsmtpa12-04.prod.phx3.secureserver.net ([68.178.252.233]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1lMaem-0003EQ-03 for openvpn-devel@lists.sourceforge.net; Wed, 17 Mar 2021 18:12:40 +0000 Received: from localhost.localdomain ([77.254.7.13]) by :SMTPAUTH: with ESMTPSA id MaeElwr9FFYpdMaeflTx4B; Wed, 17 Mar 2021 11:12:26 -0700 X-CMAE-Analysis: v=2.4 cv=bfqu7MDB c=1 sm=1 tr=0 ts=6052468a a=wJoMW5e4oyNtTtYMQykkDQ==:117 a=wJoMW5e4oyNtTtYMQykkDQ==:17 a=17OIDZiGAAAA:20 a=VTTltBjBAAAA:8 a=dbYXmbBlh3fziYSIqvMA:9 a=on_vo79ac8RWgsiwd8Ea:22 X-SECURESERVER-ACCT: juliusz@wolfssl.com From: Juliusz Sosinowicz To: openvpn-devel@lists.sourceforge.net Date: Wed, 17 Mar 2021 19:11:53 +0100 Message-Id: <20210317181153.83716-1-juliusz@wolfssl.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-CMAE-Envelope: MS4xfOSzVBoqIt2dAJUO0FSomnJKl9Cnw510cjuxRNFIdc0V8na9lzptuD9YwuTMaetfFKUaWcfiOdmszx048QzAKri8K5+1atoG6oa1M7Swuk15HzKe8+Kx xgGDhYBc2CT2RUpl1ZqZSqEyjYqBRamxdb4koanLTYoXS/UQwjbf86V36kRytbH2Fsloz1VMrUsXTGSk8CripXrWqB7NsSoKYsz3/2C6rHUWX/qfrSAVE4cj RRoOZWTlPPD+psl+vCF1eg== X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: configure.ac] 0.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4) [68.178.252.233 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [68.178.252.233 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-Headers-End: 1lMaem-0003EQ-03 Subject: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. The wolfSSL installation directory is detected using pkg-config. As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option `--disable-wolfssl-options-h` in case the user would like to supply their own settings file for wolfSSL. wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ``` git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-openvpn make sudo make install ``` OpenVPN: ``` autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` Signed-off-by: Juliusz Sosinowicz Acked-By: Arne Schwabe --- configure.ac | 110 +++++++++++++++++++++++++++++++++++++++++- src/openvpn/syshead.h | 3 +- 2 files changed, 110 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index c65df3e2c..61ed56500 100644 --- a/configure.ac +++ b/configure.ac @@ -264,16 +264,23 @@ AC_ARG_WITH( AC_ARG_WITH( [crypto-library], - [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], + [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], [ case "${withval}" in - openssl|mbedtls) ;; + openssl|mbedtls|wolfssl) ;; *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; esac ], [with_crypto_library="openssl"] ) +AC_ARG_ENABLE( + [wolfssl-options-h], + [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])], + , + [enable_wolfssl_options_h="yes"] +) + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" @@ -1019,6 +1026,105 @@ elif test "${with_crypto_library}" = "mbedtls"; then AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" CRYPTO_LIBS="${MBEDTLS_LIBS}" + +elif test "${with_crypto_library}" = "wolfssl"; then + AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should + contain the regular wolfSSL header files but also the + wolfSSL OpenSSL header files. Ex: -I/usr/local/include + -I/usr/local/include/wolfssl]) + AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) + + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + + if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then + # if the user did not explicitly specify flags, try to autodetect + PKG_CHECK_MODULES( + [WOLFSSL], + [wolfssl], + [], + [AC_MSG_ERROR([Could not find wolfSSL.])] + ) + PKG_CHECK_VAR( + [WOLFSSL_INCLUDEDIR], + [wolfssl], + [includedir], + [], + [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])] + ) + WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl" + fi + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}" + LIBS="${LIBS} ${WOLFSSL_LIBS}" + + AC_CHECK_LIB( + [wolfssl], + [wolfSSL_Init], + [], + [AC_MSG_ERROR([Could not link wolfSSL library.])] + ) + AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) + + # wolfSSL signal EKM support + have_export_keying_material="yes" + + AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_X509_GET0_NOTBEFORE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_X509_GET0_NOTAFTER], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_SET_FLAGS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_GET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_SET0_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_DSA_GET0_PQG], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_DSA_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_PUB_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_PUB_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_PRIV_ENC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_PRIV_DEC], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_INIT], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_SIGN], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET_FINISH], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_SET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_RSA_METH_GET0_APP_DATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EC_GROUP_ORDER_BITS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + + if test "${enable_wolfssl_options_h}" = "yes"; then + AC_DEFINE([EXTERNAL_OPTS_OPENVPN], [1], [Include options.h from wolfSSL library]) + else + AC_DEFINE([WOLFSSL_USER_SETTINGS], [1], [Use custom user_settings.h file for wolfSSL library]) + fi + + have_export_keying_material="yes" + + CFLAGS="${saved_CFLAGS}" + LIBS="${saved_LIBS}" + + AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library]) + AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use wolfSSL openssl compatibility layer]) + CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}" + CRYPTO_LIBS="${WOLFSSL_LIBS}" else AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}]) fi diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 2ad5afc20..a20de1f65 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -569,7 +569,8 @@ socket_defined(const socket_descriptor_t sd) /* * Do we have CryptoAPI capability? */ -#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) +#if defined(_WIN32) && defined(ENABLE_CRYPTO_OPENSSL) && \ + !defined(ENABLE_CRYPTO_WOLFSSL) #define ENABLE_CRYPTOAPI #endif