Hi Arne,

On 15/04/2020 11:31, Arne Schwabe wrote:
On 14.04.20 at 20:52, Juliusz Sosinowicz wrote:
This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library.

As requested by OpenVPN maintainers, this patch does not include 
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in 
the configure script wolfSSL will include wolfssl/options.h on its own (change 
added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an 
option '--disable-wolfssl-options-h' in case the user would like to supply 
their own settings file for wolfSSL.

Thanks, the patch is a lot less intrusive than the last version. We will
have to discuss in our meeting under what condition we want to include
the patch. We might add a note or statement that the WolfSSL support in
OpenVPN is mainly developed and tested by WolfSSL itself, or something
along these lines.
This is understandable since we will be maintaining wolfSSL within OpenVPN.
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 453cb20a..73da5fa7 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -428,7 +428,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
      tag_ptr = BPTR(buf);
      ASSERT(buf_advance(buf, tag_size));
      dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, 
&gc));
-#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L
+#if (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L) 
|| defined(ENABLE_CRYPTO_WOLFSSL)
      /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */
      if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, 
tag_ptr))
      {
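Review bot: the comment `/* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */` no longer explains the whole condition once `|| defined(ENABLE_CRYPTO_WOLFSSL)` is added to the `#if`, since wolfSSL is not affected by that OpenSSL bug; extend the comment to state the wolfSSL reason separately (its compatibility layer verifies the GCM tag during the Update call rather than in Final, so the tag must be set before the ciphertext is processed), otherwise a later cleanup that drops the OpenSSL 1.0.1 workaround is likely to remove the wolfSSL branch with it.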
Are you sure that WolfSSL requires a workaround for old OpenSSL version
before 1.0.1d?
wolfSSL is built around one-shot APIs as opposed to OpenSSL's stream APIs. The reason for using this workaround is that the authentication tag is checked in the Update call, not the Final call. I'll look into fixing this issue.
Arne

Thanks!
Juliusz


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel