[Openvpn-devel] Summary of the community meeting (29th April 2020)

2020-04-29 Thread Samuli Seppänen
Hi,

Here's the summary of the IRC meeting.

---

COMMUNITY MEETING

Place: #openvpn-meeting on irc.freenode.net
Date: Wed 29th April 2020
Time: 11:30 CEST (09:30 UTC)

Planned meeting topics for this meeting were here:



Your local meeting time is easy to check from services such as



SUMMARY

cron2, lev, mattock, ordex and plaisthos participated in this meeting.

---

Talked about broken IPv6 connectivity to community.openvpn.net. This is
caused by Cloudflare, where IPv6 is turned off, apparently for the whole
openvpn.net domain. It apparently can't be selectively turned on for
just community.openvpn.net.

Mattock and plaisthos will try to convince the ops team to turn on IPv6
across the board, or otherwise resolve this issue.

--

Noted that right now it is still possible to amend the coding style for
the future. Nobody had any strong opinions on it.

--

Ordex sent the "ipv6-only" patch to OpenVPN Inc's QA team for testing.
This will pave the way for approval. Ordex will check the end of this
week to see what progress QA has made.

--

Mattock will try to reach the person who is responsible for corporate
(e.g. OpenVPN Connect) MSI packaging and recruit him/her to help with
OpenVPN 2.5 MSI installers.

--

Talked about the remaining 2.5 patches:

- client-connect (requires review)
- auth-token breakage when server is restarted and explicit-exit-notify is set

--

Full chatlog attached

(12:31:32) ***plaisthos is here
(12:31:36) cron2: barely made it
(12:32:39) mattock: hi!
(12:33:33) lev__: hello
(12:34:00) cron2: good
(12:34:52) mattock: seems like we have a fair number of participants today
(12:36:28) mattock: ok let's start
(12:37:04) mattock: https://community.openvpn.net/openvpn/wiki/Topics-2020-04-29
(12:37:18) mattock: I can give an update on the IPv6 situation on 
community.openvpn.net
(12:37:24) mattock: before we even start
(12:37:42) mattock: so, as I assumed, it is cloudflare that's breaking IPv6 
there
(12:38:12) cron2: why, and what can we do about it?
(12:38:28) mattock: basically IPv6 is turned off at the cloudflare end 
site-wide (*.openvpn.net I presume) and turning it on for community.openvpn.net 
was not trivially possible 
(12:39:05) cron2: why is turned off for *.openvpn.net?
(12:39:12) mattock: it may be possible, but if not, then there are two options:
(12:39:12) mattock: - take community.openvpn.net off off cloudflare (DoS 
becomes way more likely)
(12:39:12) mattock: - enable IPv6 site-wide
(12:39:16) mattock: I have no clue
(12:39:17) cron2: and why can it not be turned on for community?
(12:39:40) mattock: usually overrides are done with "page rules" and there did 
not seem to be an option for enabling IPv6 selectively
(12:39:55) mattock: but I did not look myself and I won't dare touch stuff 
there because everything could break if I did
(12:40:22) mattock: I will put pressure on raidz who is responsible for this to 
get this resolved somehow
(12:41:14) mattock: anyways, that all about it
(12:41:37) cron2: just break stuff, again and again, so they get aware of the 
consequences of not having IPv6! :-)
(12:41:52) cron2: 11:41 -!- There is no such nick raidz
(12:41:59) cron2: mmmh, smart man, hiding from me
(12:42:04) mattock: yes I guess so :P
(12:42:44) mattock: I think disabling IPv6 must be some "security" thing, 
though I don't see the point myself
(12:43:25) plaisthos: Yeah not supporting IPv6 in 2020 is really stupid
(12:43:47) cron2: if it's cloudflared, having IPv6 enabled on the outside is 
totally decoupled from IPv6 "between couldflare and the origin servers", so 
there is no security argument whatsoever
(12:43:47) mattock: plaisthos: maybe you can also help convince the ops team to 
agree on that
(12:44:00) plaisthos: mattock: sure
(12:44:30) mattock: I will bring this up again in tomorrow's meeting on a more 
"enable IPv6 across the board" level
(12:44:32) cron2: not having IPv6 inside is sort of "typical enterprise IT 
thinking" (this is new stuff, we do not know new stuff, we never want new 
stuff).  Seems OpenVPN has become quite a big success :-)
(12:44:47) cron2: plaisthos, mattock: thanks!
(12:45:22) mattock: np!
(12:45:26) mattock: shall we move on?
(12:45:42) cron2: yes
(12:45:54) mattock: any topics besides "2.5"?
(12:46:11) ordex: ops
(12:46:24) mattock: oops or ops? :)
(12:46:34) ordex: both
(12:46:36) cron2: I had planned on discussing uncrustify style for 
tests/unit_tests/ today, but events overtook it
(12:46:49) cron2: syzzer decided "we want a uniform coding style!" and so we did
(12:46:59) ordex: agreed
(12:47:03) ordex: better have it uniform
(12:47:13) ordex: having two styles in the same project can easily become .. 
annoying
(12:47:49) cron2: right (just for completeness: my argument was "test code is 
different shape anyway, so we *could* agree on a more compact style") - but I 
am perfectly fine with this
(12:48:06) plaisthos: yeah if we 

[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-04-29 Thread Juliusz Sosinowicz
This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library.

As requested by OpenVPN maintainers, this patch does not include 
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in 
the configure script wolfSSL will include wolfssl/options.h on its own (change 
added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an 
option `--disable-wolfssl-options-h` in case the user would like to supply 
their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```shell
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```shell
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by: Juliusz Sosinowicz 
---
 configure.ac  | 91 ++-
 src/openvpn/syshead.h |  3 +-
 2 files changed, 91 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index fcec7389..53ad3181 100644
--- a/configure.ac
+++ b/configure.ac
@@ -276,16 +276,23 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
[crypto-library],
-   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
case "${withval}" in
-   openssl|mbedtls) ;;
+   openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for 
--with-crypto-library]) ;;
esac
],
[with_crypto_library="openssl"]
 )
 
+AC_ARG_ENABLE(
+   [wolfssl-options-h],
+   [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including 
options.h in wolfSSL @<:@default=yes@:>@])],
+   ,
+   [enable_wolfssl_options_h="yes"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
plugindir="${PLUGINDIR}"
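Review bot: the help text of the new `AC_ARG_ENABLE([wolfssl-options-h], ...)` is ambiguous: `[--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@]` reads as if disabling were the default, while the fourth argument sets `enable_wolfssl_options_h="yes"`. Suggest describing the positive behaviour and its default instead, e.g. `[Let wolfSSL include wolfssl/options.h automatically @<:@default=yes@:>@]`, and adding a one-line comment above the macro that ties the option to the EXTERNAL_OPTS_OPENVPN mechanism the commit message describes, since nothing in this hunk shows how the option takes effect.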
@@ -1029,6 +1036,86 @@ elif test "${with_crypto_library}" = "mbedtls"; then
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+   AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory 
@<:@default=/usr/local/include/wolfssl@:>@])
+   if test -n "${WOLFSSL_DIR}"; then
+   wolfssldir="${WOLFSSL_DIR}"
+   else
+   wolfssldir="/usr/local/include/wolfssl"
+   fi
+
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+
+   if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+   # if the user did not explicitly specify flags, try to 
autodetect
+   LIBS="${LIBS} -lwolfssl -lm -pthread"
+   AC_CHECK_LIB(
+   [wolfssl],
+   [wolfSSL_Init],
+   [],
+   [AC_MSG_ERROR([Could not link wolfSSL library.])]
+   )
+   AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL 
header wolfssl/options.h not found!])])
+   fi
+
+   AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these 
are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS
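Review bot: the autodetection branch fails hard when `wolfssl/options.h` is absent (`AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])`), which contradicts the `--disable-wolfssl-options-h` option from the first hunk, described in the commit message as the way to supply a custom settings file; the header check should be skipped, or made non-fatal, when `enable_wolfssl_options_h` is not "yes". Two smaller points in the same region: the guard `if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then` means that as soon as the user sets either variable no link or header check runs at all, so a wrong `WOLFSSL_LIBS` only surfaces at `make`, and `LIBS="${LIBS} -lwolfssl -lm -pthread"` is set before `AC_CHECK_LIB([wolfssl], [wolfSSL_Init], [], ...)`, whose empty action-if-found falls back to autoconf's default of prepending `-lwolfssl` (and defining HAVE_LIBWOLFSSL), so the library is listed twice. The run of `AC_DEFINE([HAVE_...], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])` lines also hard-codes which OpenSSL-compatibility symbols wolfSSL provides as macros; a comment naming the minimum wolfSSL version this assumes (the commit message points at wolfSSL PR 2503) would help whoever maintains this later.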