On 19.11.20 at 13:23, Juliusz Sosinowicz wrote:
> Hi Arne,
>
> some time has passed and I was able to address most of your comments in
> my branch
> https://github.com/julek-wolfssl/wolfssl/tree/openvpn-2.5-missing-stuff
>
> To summarize what has been done regarding your comments:
>
> * SHA1 was indeed being called SHA in wolfSSL. I changed this in favor
> of just using SHA1.
> * in configure.ac I used David Sommerseth's suggestion to use
> PKG_CHECK_MODULES to get the wolfSSL installation directory.

Did you post that new patch here? I don't see an updated patch.

> * setting tls min and max is currently not working in the branch that
> I linked above but we have a big compatibility layer PR pending that
> appears to fix these issues. Once it is merged I'll revisit this
> issue and make sure it is solved.
> * show-tls is fixed but it also relies on the PR I mentioned earlier.
> After that is merged this should be solved.
> * tls-ciphersuites and tls-cipher appear to be working in general.
> Should wolfSSL reject the specified cipher if for example a TLS 1.3
> cipher is set using --tls-cipher?

Well, that is a general question you have to answer yourself on OpenSSL compatibility. I don't think this is just for OpenVPN.

> * unfortunately wolfSSL does not support ed448 certificates.

That is not a show stopper. Mbed TLS does not support them either.

> * tls-groups now checks the validity of the passed in curves
> * since OpenVPN will make use of TLS EKM, exporting keying material has
> been implemented in wolfSSL.

Great!

> * I haven't tested OpenVPN with the FIPS mode patch so that issue is
> still pending. Once I get a chance to test it I will also change
> wolfSSL to target 1.1.0+ API
>
> Thanks for your patience!
>

Hey, I am trying to check on this. Since I haven't found the new patch,
I am trying to use it with the old one. I am getting an error related to EKM:

    ./../../openvpn-git/src/openvpn/ssl_openssl.c:166:9: error: implicit declaration of function 'wolfSSL_export_keying_material' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
        if (SSL_export_keying_material(ssl, ekm, ekm_size, label,

So I tried ./configure --enable-openvpn --enable-keying-material for WolfSSL, but that failed during compile:

    src/tls13.c:806:50: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32]
                           protocol, protocolLen, (byte*)label, labelLen,
                                                                ^~~~~~~~
    src/tls13.c:812:38: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32]
        ret = wc_Hash(hashType, context, contextLen, hashOut, WC_MAX_DIGEST_SIZE);
              ~~~~~~~                    ^~~~~~~~~~
    src/tls13.c:816:34: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32]
        ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen,
              ~~~~~~~~~~~~~~~~~      ^~~~~~
      CC       tests/unit_test-unit.o
    src/ssl.c:11526:61: error: implicit conversion loses integer precision: 'unsigned long' to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32]
        word32 seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + contextLen;
               ~~~~~~~                             ~~~~~~~~~~~~~^~~~~~~~~~~~
    src/ssl.c:11590:25: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32]
        if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN,
            ~~~~~~~~~~      ^~~~~~
    src/ssl.c:11591:27: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32]
                       (byte*)label, labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl),

I am also seeing another warning during the compilation:

    ../../../openvpn-git/src/openvpn/ssl_openssl.c:1559:55: warning: incompatible pointer types passing 'int (const X509_NAME *const *, const X509_NAME *const *)' (aka 'int (const struct WOLFSSL_X509_NAME *const *, const struct WOLFSSL_X509_NAME *const *)') to parameter of type 'wolf_sk_compare_cb' (aka 'int (*)(const void *const *, const void *const *)') [-Wincompatible-pointer-types]
        cert_names = sk_X509_NAME_new(sk_x509_name_cmp);
                                      ^~~~~~~~~~~~~~~~

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
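The -Wshorten-64-to-32 errors in the build log above are all the same class of defect: a size_t length (64-bit on LP64 platforms) is handed to an API that takes a word32, so a caller-supplied length above 4 GiB would be silently truncated before it reaches the KDF. The example below, written for this thread and not taken from wolfSSL or OpenVPN, shows the pattern that keeps the compiler quiet for the right reason: narrow explicitly, and only after a range check. The names `fits_word32`, `size_to_word32` and `ekm_args_ok` are hypothetical; the 255-byte label/context bound is the one-byte length field of the TLS 1.3 HkdfLabel (RFC 8446), and the two-byte context length for TLS 1.2 matches the `SEED_LEN + 2 + contextLen` seen in the log. A real implementation may impose tighter limits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for wolfSSL's word32 (an unsigned 32-bit integer); assumption for this example. */
typedef uint32_t word32;

/* True if a size_t length can be narrowed to word32 without losing bits.
 * This is the check that -Wshorten-64-to-32 is asking for. */
bool fits_word32(size_t n)
{
    return n <= (size_t)UINT32_MAX;
}

/* Explicit, checked narrowing: fails instead of wrapping, and leaves *out
 * untouched on failure so a caller cannot accidentally use a truncated value. */
bool size_to_word32(size_t n, word32 *out)
{
    if (!fits_word32(n)) {
        return false;
    }
    *out = (word32)n;   /* safe: range already verified */
    return true;
}

/* Hypothetical argument validation in front of an exporter call whose
 * internals take word32 lengths.
 *   - TLS 1.3 (RFC 8446) encodes label and context with a one-byte length,
 *     so anything above 255 bytes cannot be represented at all.
 *   - TLS 1.2 (RFC 5705) uses a two-byte context length, so the bound is 65535.
 *   - An empty label or a zero-length output is rejected as a caller bug. */
bool ekm_args_ok(size_t label_len, size_t context_len, size_t out_len, bool tls13)
{
    size_t max_context = tls13 ? 255u : 65535u;

    if (label_len == 0 || out_len == 0) {
        return false;
    }
    if (tls13 && label_len > 255u) {
        return false;
    }
    if (context_len > max_context) {
        return false;
    }
    /* Even with the protocol limits, every length must still fit the
     * word32 the underlying PRF/HKDF routines take. */
    return fits_word32(label_len) && fits_word32(context_len) && fits_word32(out_len);
}

int main(void)
{
    word32 w = 0;
    size_t big = (size_t)UINT32_MAX;

    printf("16 narrows: %s (w=%u)\n", size_to_word32(16, &w) ? "yes" : "no", (unsigned)w);
    if (sizeof(size_t) > 4) {
        printf("UINT32_MAX+1 narrows: %s\n", size_to_word32(big + 1, &w) ? "yes" : "no");
    }
    printf("tls13 label=9 ctx=256: %s\n", ekm_args_ok(9, 256, 32, true) ? "ok" : "rejected");
    printf("tls12 label=9 ctx=256: %s\n", ekm_args_ok(9, 256, 32, false) ? "ok" : "rejected");
    return 0;
}
```

Once every length has passed such a check, the remaining `(word32)` casts at the call sites are documented and verifiable rather than implicit, which is what the compiler flag is meant to enforce.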