Re: [Openvpn-devel] [PATCH applied] Re: Change include order for tests
Thanks Gert. I see that our tests for the "release/2.6" branch are passing. This was discovered by testing against the master branch so I don't think this patch needs backporting. Sincerely Juliusz Sosinowicz On 12/02/2024 18:10, Gert Doering wrote: Thanks for this updated patch, which fixes the issue in a much nicer way. I'm not sure if you observe the problem in release/2.6 as well - if yes, I need a release/2.6-specific patch for that (as half the new test drivers are not in that branch). Quick test with an in-tree build on FreeBSD and GHA builds passes fine. Your patch has been applied to the master branch. commit 54475711eb119f6fbb263880fca08d4b10df752a Author: Juliusz Sosinowicz Date: Mon Feb 12 14:25:22 2024 +0100 Change include order for tests Signed-off-by: Juliusz Sosinowicz Acked-by: Arne Schwabe Message-Id: <20240212132522.125903-1-juli...@wolfssl.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28229.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"
Hi Gert, that is the direction I went with the latest patch I sent over. Sincerely Juliusz Sosinowicz On 12/02/2024 13:53, Gert Doering wrote: Hi, On Mon, Feb 12, 2024 at 10:57:41AM +0100, Juliusz Sosinowicz wrote: commit 70b39f2bea9fd6e57f31e32b2041246731140cb2 has added the use of ACK_SIZE and RELIABLE_ACK_SIZE in test_ssl.c. These are defined in reliable.h which should be included through your ssl.h. Since our ssl.h is being picked up, these never get defined and make check results in the following error: Seems the unit test compile flags could use a bit of shuffling to have our local include first... and that should solve it (if nothing else breaks, just test_ssl.c) gert ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Change include order for tests
Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The openvpn/src directory needs to be included before include/wolfssl. include/wolfssl needs to be included so that openvpn can pick up wolfSSL compatibility headers instead of OpenSSL headers without changing the paths. src/openvpn/Makefile.am does not need to be modified because AM_CPPFLAGS is placed before AM_CFLAGS in the output Makefile. Signed-off-by: Juliusz Sosinowicz --- tests/unit_tests/openvpn/Makefile.am | 62 +++- 1 file changed, 34 insertions(+), 28 deletions(-) diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index ce6f8127..a4e6235f 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -41,7 +41,7 @@ if HAVE_SITNL check_PROGRAMS += networking_testdriver endif -argv_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat +argv_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ mock_get_random.c \ 
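Review bot: Nothing in the rewritten `argv_testdriver_CFLAGS` line records why `@TEST_CFLAGS@` now has to come last, so a later cleanup that re-sorts the flags would silently reintroduce the header shadowing the commit message describes. A comment above the first driver, `# Keep the project -I paths ahead of @TEST_CFLAGS@: the crypto library's include dir (e.g. include/wolfssl) also ships an ssl.h that would otherwise shadow src/openvpn/ssl.h.`, would pin the invariant. The same applies to the buffer, crypto, ssl, packet_id, pkt, tls_crypt and networking driver hunks that follow.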
@@ -50,15 +50,16 @@ argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/argv.c -buffer_testdriver_CFLAGS = @TEST_CFLAGS@ -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat +buffer_testdriver_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat @TEST_CFLAGS@ buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn -Wl,--wrap=parse_line buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \ mock_get_random.c \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/platform.c -crypto_testdriver_CFLAGS = @TEST_CFLAGS@ \ - -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn +crypto_testdriver_CFLAGS = \ + -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ + @TEST_CFLAGS@ crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@ crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ $(top_srcdir)/src/openvpn/buffer.c \ @@ -72,8 +73,9 @@ crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/mss.c -ssl_testdriver_CFLAGS = @TEST_CFLAGS@ \ - -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn +ssl_testdriver_CFLAGS = \ + -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ + @TEST_CFLAGS@ ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@ $(OPTIONAL_CRYPTO_LIBS) ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h \ mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \ 
@@ -106,8 +108,9 @@ if WIN32 ssl_testdriver_LDADD = -lcrypt32 -lncrypt -lfwpuclnt -liphlpapi -lws2_32 endif -packet_id_testdriver_CFLAGS = @TEST_CFLAGS@ \ - -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn +packet_id_testdriver_CFLAGS = \ + -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ + @TEST_CFLAGS@ packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@ packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ mock_get_random.c \ @@ -119,8 +122,9 @@ packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \ $(top_srcdir)/src/openvpn/win32-util.c \ $(top_srcdir)/src/openvpn/session_id.c -pkt_testdriver_CFLAGS = @TEST_CFLAGS@ \ - -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn +pkt_testdriver_CFLAGS = \ + -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ + @TEST_CFLAGS@ pkt_testdriver_LDFLAGS = @TEST_LDFLAGS@ pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h mock_win32_execve.c \ $(top_srcdir)/src/openvpn/argv.c \ @@ -141,8 +145,9 @@ pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h mock_win32_execve.c \ $(top_srcdir)/src/openvpn/tls_crypt.c if !WIN32 -tls_crypt_testdriver_CFLAGS = @TEST_CFLAGS@ \ - -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn +tls_crypt_testdriver_CFLAGS = \ + -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(top_srcdir)/src/openvpn \ + @TEST_CFLAGS@ tls_crypt_testdriver_LDFLAGS = @TEST_LDFLAGS@ \ -Wl,--wrap=buffer_read_from_file \ -Wl,--wrap=buffer_write_file \ @@ -164,9 +169,9 @@ tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c mock_msg.h \ endif if HAVE_SITNL -networking_testdriver_CFLAGS = @TEST_CFLAGS@ \ +networking_testdriver_CFLAGS = \ -I$(top_srcdir)/include -I$(top_srcdir)/src/compat -I$(
Re: [Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"
Hi Arne, commit 70b39f2bea9fd6e57f31e32b2041246731140cb2 has added the use of ACK_SIZE and RELIABLE_ACK_SIZE in test_ssl.c. These are defined in reliable.h which should be included through your ssl.h. Since our ssl.h is being picked up, these never get defined and make check results in the following error: test_ssl.c: In function ‘init_frame_parameters’: test_ssl.c:160:17: warning: implicit declaration of function ‘ACK_SIZE’ [-Wimplicit-function-declaration] 160 | overhead += ACK_SIZE(RELIABLE_ACK_SIZE); | ^~~~ test_ssl.c:160:26: error: ‘RELIABLE_ACK_SIZE’ undeclared (first use in this function) 160 | overhead += ACK_SIZE(RELIABLE_ACK_SIZE); | ^ Somehow, this has never come up as an issue. Sincerely Juliusz Sosinowicz On 09/02/2024 21:50, Arne Schwabe wrote: Am 09.02.24 um 16:51 schrieb Juliusz Sosinowicz: Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The include/wolfssl directory is included before openvpn/src. include/wolfssl needs to be included so that openvpn can pick up wolfSSL compatibility headers instead of OpenSSL headers without changing the paths. Neither the ssl.h (2005, so forever) in OpenVPN nor the ssl.h in wolfssl (2014 according to git blame) are particulary new. Why is this now a problem when it was never before? Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"
Hi Frank, thank you for the explanation. I did not test out-of-tree builds before submitting the patch. I'll try to implement Gert's solution and write a Makefile patch instead. Sincerely Juliusz Sosinowicz On 09/02/2024 17:39, Frank Lichtenheld wrote: On Fri, Feb 09, 2024 at 04:51:09PM +0100, Juliusz Sosinowicz wrote: Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The include/wolfssl directory is included before openvpn/src. include/wolfssl needs to be included so that openvpn can pick up wolfSSL compatibility headers instead of OpenSSL headers without changing the paths. This breaks out-of-tree builds. Currently we only add top_builddir to CFLAGS (for config.h) but NOT top_srcdir. For in-tree builds these are identical so the patch might appear to work. But it breaks otherwise. Further changes to buildsystem configuration would be required. Regards, ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"
Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The include/wolfssl directory is included before openvpn/src. include/wolfssl needs to be included so that openvpn can pick up wolfSSL compatibility headers instead of OpenSSL headers without changing the paths. --- src/openvpn/auth_token.c | 2 +- src/openvpn/dco_linux.c | 2 +- src/openvpn/manage.c | 2 +- src/openvpn/openvpn.h| 2 +- src/openvpn/options.c| 2 +- src/openvpn/ps.h | 2 +- src/openvpn/push.c | 2 +- src/openvpn/ssl.c| 2 +- src/openvpn/tls_crypt.c | 2 +- tests/unit_tests/openvpn/mock_ssl_dependencies.c | 2 +- tests/unit_tests/openvpn/test_pkcs11.c | 2 +- tests/unit_tests/openvpn/test_ssl.c | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 6787ea7d..e020bdcb 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -12,7 +12,7 @@ #include "auth_token.h" #include "push.h" #include "integer.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "ssl_verify.h" #include diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 3c91606b..eac81924 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -37,7 +37,7 @@ #include "socket.h" #include "tun.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "fdmisc.h" #include "multi.h" #include "ssl_verify.h" diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 27b6f90e..11c922c5 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -37,7 +37,7 @@ #include "otime.h" #include "integer.h" #include "misc.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "common.h" #include "manage.h" #include "openvpn.h" diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index dabc5be4..3a3d1733 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h 
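Review bot: In the auth_token.c hunk the new `#include "src/openvpn/ssl.h"` sits between sibling headers that are still included by bare name (`"integer.h"`, `"ssl_verify.h"`), and nothing in the file explains why this one header is addressed differently, so a future include tidy-up is likely to revert it. A short comment on the line, `/* full path on purpose: a bare "ssl.h" resolves to the crypto library's header when include/wolfssl precedes src/openvpn */`, would preserve the intent. The same applies to the dco_linux.c, manage.c and remaining file hunks of this patch, and to the resend further down.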
@@ -28,7 +28,7 @@ #include "options.h" #include "socket.h" #include "crypto.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "packet_id.h" #include "comp.h" #include "tun.h" diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2c79a1ec..cb06063e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -42,7 +42,7 @@ #include "run_command.h" #include "shaper.h" #include "crypto.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "ssl_ncp.h" #include "options.h" #include "misc.h" diff --git a/src/openvpn/ps.h b/src/openvpn/ps.h index 2fe0c4c5..21427480 100644 --- a/src/openvpn/ps.h +++ b/src/openvpn/ps.h @@ -28,7 +28,7 @@ #include "basic.h" #include "buffer.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" typedef void (*post_fork_cleanup_func_t)(void *arg); diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 22494340..854bf471 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -29,7 +29,7 @@ #include "push.h" #include "options.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "ssl_verify.h" #include "ssl_ncp.h" #include "manage.h" diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 33c86704..ac077a1c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -54,7 +54,7 @@ #include "route.h" #include "tls_crypt.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "ssl_verify.h" #include "ssl_backend.h" #include "ssl_ncp.h" diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 975d31fa..3df2bc61 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -33,7 +33,7 @@ #include "platform.h" #include "run_command.h" #include "session_id.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "tls_crypt.h" diff --git a/tests/unit_tests/openvpn/mock_ssl_dependencies.c b/tests/unit_tests/openvpn/mock_ssl_dependencies.c index 9231d655..da22bbfe 100644 --- a/tests/unit_tests/openvpn/mock_ssl_dependencies.c +++ b/tests/unit_tests/openvpn/mock_ssl_dependencies.c 
@@ -34,7 +34,7 @@ #include -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "ssl_verify.h" int diff --git a/tests/unit_tests/openvpn/test_pkcs11.c b/tests/unit_tests/openvpn/test_pkcs11.c index 81cdf882..76cb80e5 100644 --- a/tests/unit_tests/openvpn/test_pkcs11.c +++ b/tests/unit_tests/openvpn/test_pkcs11.c @@ -33,7 +33,7 @@ #include "xkey_common.h" #include "cert_data.h" #include "pkcs11.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include #include diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index 8c1fb5b2..893bf8ec 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -44,7 +44,7 @@ #include "ssl_verify_backend.h" #include "win32.h" #include "test_common.h" -#include
[Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"
Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The include/wolfssl directory is included before openvpn/src. include/wolfssl needs to be included so that openvpn can pick up wolfSSL compatibility headers instead of OpenSSL headers without changing the paths. Signed-off-by: Juliusz Sosinowicz --- src/openvpn/auth_token.c | 2 +- src/openvpn/dco_linux.c | 2 +- src/openvpn/manage.c | 2 +- src/openvpn/openvpn.h| 2 +- src/openvpn/options.c| 2 +- src/openvpn/ps.h | 2 +- src/openvpn/push.c | 2 +- src/openvpn/ssl.c| 2 +- src/openvpn/tls_crypt.c | 2 +- tests/unit_tests/openvpn/mock_ssl_dependencies.c | 2 +- tests/unit_tests/openvpn/test_pkcs11.c | 2 +- tests/unit_tests/openvpn/test_ssl.c | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 6787ea7d..e020bdcb 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -12,7 +12,7 @@ #include "auth_token.h" #include "push.h" #include "integer.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "ssl_verify.h" #include diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 3c91606b..eac81924 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c @@ -37,7 +37,7 @@ #include "socket.h" #include "tun.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "fdmisc.h" #include "multi.h" #include "ssl_verify.h" diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 27b6f90e..11c922c5 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -37,7 +37,7 @@ #include "otime.h" #include "integer.h" #include "misc.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "common.h" #include "manage.h" #include "openvpn.h" diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index dabc5be4..3a3d1733 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h 
@@ -28,7 +28,7 @@ #include "options.h" #include "socket.h" #include "crypto.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "packet_id.h" #include "comp.h" #include "tun.h" diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2c79a1ec..cb06063e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -42,7 +42,7 @@ #include "run_command.h" #include "shaper.h" #include "crypto.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "ssl_ncp.h" #include "options.h" #include "misc.h" diff --git a/src/openvpn/ps.h b/src/openvpn/ps.h index 2fe0c4c5..21427480 100644 --- a/src/openvpn/ps.h +++ b/src/openvpn/ps.h @@ -28,7 +28,7 @@ #include "basic.h" #include "buffer.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" typedef void (*post_fork_cleanup_func_t)(void *arg); diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 22494340..854bf471 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -29,7 +29,7 @@ #include "push.h" #include "options.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "ssl_verify.h" #include "ssl_ncp.h" #include "manage.h" diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 33c86704..ac077a1c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -54,7 +54,7 @@ #include "route.h" #include "tls_crypt.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "ssl_verify.h" #include "ssl_backend.h" #include "ssl_ncp.h" diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 975d31fa..3df2bc61 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -33,7 +33,7 @@ #include "platform.h" #include "run_command.h" #include "session_id.h" -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "tls_crypt.h" diff --git a/tests/unit_tests/openvpn/mock_ssl_dependencies.c b/tests/unit_tests/openvpn/mock_ssl_dependencies.c index 9231d655..da22bbfe 100644 --- a/tests/unit_tests/openvpn/mock_ssl_dependencies.c +++ b/tests/unit_tests/openvpn/mock_ssl_dependencies.c 
@@ -34,7 +34,7 @@ #include -#include "ssl.h" +#include "src/openvpn/ssl.h" #include "ssl_verify.h" int
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Arne, the type casting warning was fixed in https://github.com/wolfSSL/wolfssl/pull/5571. OpenVPN should now compile without any warnings. Juliusz On 02/09/2022 11:50, Juliusz Sosinowicz wrote: I'll try to propose a solution to avoid this warning. Juliusz On 01/09/2022 14:39, Arne Schwabe wrote: (*)(const X509_NAME * const*, const X509_NAME * const*) {aka int (*)(const struct WOLFSSL_X509_NAME * const*, const struct WOLFSSL_X509_NAME * const*)} In file included from /usr/local/include/wolfssl/openssl/ssl.h:35, from ssl_openssl.h:32, from ssl_backend.h:36, from ssl_openssl.c:44: /usr/local/include/wolfssl/ssl.h:3534:47: note: expected ‘wolf_sk_compare_cb’ {aka ‘int (*)(const void * const*, const void * const*)’} but argument is of type ‘int (*)(const X509_NAME * const*, const X509_NAME * const*)’ {aka ‘int (*)(const struct WOLFSSL_X509_NAME * const*, const struct WOLFSSL_X509_NAME * const*)’} 3534 | WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_sk_X509_NAME_new( | ^~~~ To make wolfSSL_sk_X509_NAME_new more universal we accept a function with void* parameters. This will unfortunately generate a warning when compiling with wolfSSL but won't affect functionality. This issue is still present and still breaks compiling with -Werror . Are there any plans to address this? Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
I'll try to propose a solution to avoid this warning. Juliusz On 01/09/2022 14:39, Arne Schwabe wrote: (*)(const X509_NAME * const*, const X509_NAME * const*) {aka int (*)(const struct WOLFSSL_X509_NAME * const*, const struct WOLFSSL_X509_NAME * const*)} In file included from /usr/local/include/wolfssl/openssl/ssl.h:35, from ssl_openssl.h:32, from ssl_backend.h:36, from ssl_openssl.c:44: /usr/local/include/wolfssl/ssl.h:3534:47: note: expected ‘wolf_sk_compare_cb’ {aka ‘int (*)(const void * const*, const void * const*)’} but argument is of type ‘int (*)(const X509_NAME * const*, const X509_NAME * const*)’ {aka ‘int (*)(const struct WOLFSSL_X509_NAME * const*, const struct WOLFSSL_X509_NAME * const*)’} 3534 | WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_sk_X509_NAME_new( | ^~~~ To make wolfSSL_sk_X509_NAME_new more universal we accept a function with void* parameters. This will unfortunately generate a warning when compiling with wolfSSL but won't affect functionality. This issue is still present and still breaks compiling with -Werror . Are there any plans to address this? Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] wolfSSL unit test failures
Hi Everyone, this leak has been fixed in wolfSSL in this pull request: https://github.com/wolfSSL/wolfssl/pull/5514 Sincerely Juliusz On 18/08/2022 00:40, Arne Schwabe wrote: Hey, currently we still have test failures in wolfSSL in EVP_PKEY_CTX_new with clang asan. Github action patch that reproduces this also attached. With the OpenVPN 2.6 release coming up in the next months it would be good if these can be fixed. These look like problems in the upstream wolfSSL code. Details are below: = ==19723==ERROR: LeakSanitizer: detected memory leaks Direct leak of 160 byte(s) in 4 object(s) allocated from: #0 0x49604d in malloc (/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d) #1 0x7f64e8318291 in wolfSSL_EVP_PKEY_CTX_new (/usr/local/lib/libwolfssl.so.34+0x9e291) Indirect leak of 400 byte(s) in 2 object(s) allocated from: #0 0x49604d in malloc (/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d) #1 0x7f64e833c537 in wolfSSL_EVP_PKEY_new_ex (/usr/local/lib/libwolfssl.so.34+0xc2537) Indirect leak of 240 byte(s) in 2 object(s) allocated from: #0 0x49604d in malloc (/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d) #1 0x7f64e82b4ac2 in _InitRng.isra.0 (/usr/local/lib/libwolfssl.so.34+0x3aac2) Indirect leak of 118 byte(s) in 2 object(s) allocated from: #0 0x49604d in malloc (/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d) #1 0x7f64e833c72b in wolfSSL_EVP_PKEY_new_mac_key (/usr/local/lib/libwolfssl.so.34+0xc272b) SUMMARY: AddressSanitizer: 918 byte(s) leaked in 10 allocation(s). FAIL: crypto_testdriver ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] wolfSSL unit test failures
Hi Arne, thank you for your report. In the future, please send reports to supp...@wolfssl.com to guarantee the fastest possible response. This also helps us track bug reports. I have forwarded this report for you. Either I or someone else will investigate this and get back to you with a solution soon. Sincerely Juliusz On 18/08/2022 00:40, Arne Schwabe wrote: Hey, currently we still have test failures in wolfSSL in EVP_PKEY_CTX_new with clang asan. Github action patch that reproduces this also attached. With the OpenVPN 2.6 release coming up in the next months it would be good if these can be fixed. These look like problems in the upstream wolfSSL code. Details are below: = ==19723==ERROR: LeakSanitizer: detected memory leaks Direct leak of 160 byte(s) in 4 object(s) allocated from: #0 0x49604d in malloc (/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d) #1 0x7f64e8318291 in wolfSSL_EVP_PKEY_CTX_new (/usr/local/lib/libwolfssl.so.34+0x9e291) Indirect leak of 400 byte(s) in 2 object(s) allocated from: #0 0x49604d in malloc (/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d) #1 0x7f64e833c537 in wolfSSL_EVP_PKEY_new_ex (/usr/local/lib/libwolfssl.so.34+0xc2537) Indirect leak of 240 byte(s) in 2 object(s) allocated from: #0 0x49604d in malloc (/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d) #1 0x7f64e82b4ac2 in _InitRng.isra.0 (/usr/local/lib/libwolfssl.so.34+0x3aac2) Indirect leak of 118 byte(s) in 2 object(s) allocated from: #0 0x49604d in malloc (/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d) #1 0x7f64e833c72b in wolfSSL_EVP_PKEY_new_mac_key (/usr/local/lib/libwolfssl.so.34+0xc272b) SUMMARY: AddressSanitizer: 918 byte(s) leaked in 10 allocation(s). FAIL: crypto_testdriver ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] README.wolfssl Update
Updates for the wolfSSL README file: - fix typos - correct wolfSSL company spelling - add a point of contact for users having problems using OpenVPN + wolfSSL Signed-off-by: Juliusz Sosinowicz --- README.wolfssl | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/README.wolfssl b/README.wolfssl index d417807b..a5dfe31f 100644 --- a/README.wolfssl +++ b/README.wolfssl @@ -1,10 +1,11 @@ -Support for WolfSSL is implemented and maintained by WolfSSL Inc. The support is -implemented using WolfSSL's compatiblity layer. The WolfSSL support in OpenVPN +Support for wolfSSL is implemented and maintained by wolfSSL Inc. The support is +implemented using wolfSSL's compatibility layer. The wolfSSL support in OpenVPN receives very limited testing/support from the OpenVPN community itself. -If bugs in OpenVPN when using WolfSSL are encountered, the user should try to -also compile OpenVPN with OpenSSL to determinate if these are bugs in the -WolfSSL TLS implemenation or OpenVPN itself. +If bugs in OpenVPN when using wolfSSL are encountered, the user should try to +also compile OpenVPN with OpenSSL to determine if these are bugs in the +wolfSSL TLS implementation or OpenVPN itself. If bugs are caused by compiling +with wolfSSL, please contact supp...@wolfssl.com directly. To Build and Install, @@ -21,7 +22,7 @@ make make install * -Due to limitations in the wolfSSL TLS library or its compability layer, the +Due to limitations in the wolfSSL TLS library or its compatibility layer, the following features are missing * blowfish support (BF-CBC), you must use something like -- 2.25.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: Add README.wolfssl documentating the state of WolfSSL in OpenVPN
Could we get something like "For issues with using OpenVPN with wolfSSL, please contact supp...@wolfssl.com." in the README.wolfssl? This would help streamline comms for users and improve user experience. I can prepare a patch with this change. Thanks. Sincerely Juliusz On 18/03/2021 14:22, Gert Doering wrote: Acked-by: Gert Doering Your patch has been applied to the master branch. (This is a fairly old patch which has been sitting in my queue, waiting for the WolfSSL patch to be merged) commit f38819b7e42ea99f6ae218be6e6345c397c1af4c Author: Arne Schwabe Date: Fri Apr 17 09:43:45 2020 +0200 Add README.wolfssl documentating the state of WolfSSL in OpenVPN Acked-by: Gert Doering Message-Id: <20200417074345.5694-1-a...@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19758.html Signed-off-by: Gert Doering -- kind regards, Gert Doering ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Add PKG_CHECK_VAR compatibility definition for old autoconf versions
For reference, the version of pkg-config shipped on my Ubuntu 14 vm is 0.26-1ubuntu4. It looks like the default packages are very outdated. Juliusz On 18/03/2021 21:52, David Sommerseth wrote: On 18/03/2021 19:12, Juliusz Sosinowicz wrote: PKG_CHECK_VAR is not available on older versions of autoconf. This patch copies the definition generated by newer versions of autoconf to be used for compatibility with older versions. Tested with automake 1.14.1-2ubuntu1 and autoconf 2.69-6. Signed-off-by: Juliusz Sosinowicz I ended up doing some more investigation here, to better understand where this could fail. So it seems this is not related to automake/autoconf versions. It is related to pkg-config version, which is the one providing /usr/share/aclocal/pkg.m4 which provides the PKG_CHECK_VAR() macro. <https://gitlab.freedesktop.org/pkg-config/pkg-config/-/commit/5b463c927b6caeb332bb147572ea82b1650ceb7d> What surprises me is that this was added to pkg-config 0.28, which was released in 2013-01-24. The latest release, 0.29.2 was released 2017-03-20. <https://gitlab.freedesktop.org/pkg-config/pkg-config/-/commit/74ceac54ef6f9247c00f08eecd8cca811a3c5934> <https://gitlab.freedesktop.org/pkg-config/pkg-config/-/tags> It would be great to figure out if pkg-config is available on those build hosts failing without this change. If it is present, it needs to be checked which version it is. If this is due to an outdated pkg-config, I'm reluctant to give this patch an ACK. Using a properly up-to-date dependency stack should be a reasonable precondition to build OpenVPN. If it is due to unavailable pkg-config, it's a different story. Regardless, the commit message is incorrect. But that can probably be fixed at commit time. ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Add PKG_CHECK_VAR compatibility definition for old autoconf versions
PKG_CHECK_VAR is not available on older versions of autoconf. This patch copies the definition generated by newer versions of autoconf to be used for compatibility with older versions. Tested with automake 1.14.1-2ubuntu1 and autoconf 2.69-6. Signed-off-by: Juliusz Sosinowicz --- compat.m4 | 16 1 file changed, 16 insertions(+)
diff --git a/compat.m4 b/compat.m4
index e54a7203..47650f6d 100644
--- a/compat.m4
+++ b/compat.m4
@@ -64,6 +64,22 @@ ifdef(
 AC_DEFUN([AC_TYPE_UINT64_T], [])
 ]
 )
+ifdef(
+ [PKG_CHECK_VAR],
+ ,
+ [
+ AC_DEFUN([PKG_CHECK_VAR],
+ [AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+ AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])
+
+ _PKG_CONFIG([$1], [variable="][$3]["], [$2])
+ AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+ AS_VAR_IF([$1], [""], [$5], [$4])
+ ])
+ ]
+)
+
 if test -z "${docdir}"; then
 docdir="\$(datadir)/doc/\$(PACKAGE_NAME)"
 AC_SUBST([docdir])
-- 2.25.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
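Review bot: The fallback body calls `_PKG_CONFIG` and `PKG_PROG_PKG_CONFIG`, which presumably come from the same pkg.m4 that is missing `PKG_CHECK_VAR`, so the shim only covers an old pkg.m4 and still fails, with a less obvious error, when pkg.m4 is absent altogether; that limit is worth stating. Nothing in the hunk records where the copied macro text comes from either, which matters for a verbatim copy of third-party code that may need refreshing. A header above the new `ifdef(`, `dnl Fallback for pkg.m4 older than pkg-config 0.28, which lacks PKG_CHECK_VAR; body copied from upstream pkg.m4 and still relies on pkg.m4's _PKG_CONFIG and PKG_PROG_PKG_CONFIG.`, would cover both. The resend further down carries the same hunk.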
[Openvpn-devel] [PATCH] Add PKG_CHECK_VAR compatibility definition for old autoconf versions
Signed-off-by: Juliusz Sosinowicz --- compat.m4 | 16 1 file changed, 16 insertions(+)
diff --git a/compat.m4 b/compat.m4
index e54a7203..47650f6d 100644
--- a/compat.m4
+++ b/compat.m4
@@ -64,6 +64,22 @@ ifdef(
 AC_DEFUN([AC_TYPE_UINT64_T], [])
 ]
 )
+ifdef(
+ [PKG_CHECK_VAR],
+ ,
+ [
+ AC_DEFUN([PKG_CHECK_VAR],
+ [AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+ AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])
+
+ _PKG_CONFIG([$1], [variable="][$3]["], [$2])
+ AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+ AS_VAR_IF([$1], [""], [$5], [$4])
+ ])
+ ]
+)
+
 if test -z "${docdir}"; then
 docdir="\$(datadir)/doc/\$(PACKAGE_NAME)"
 AC_SUBST([docdir])
-- 2.25.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH applied] Re: Support for wolfSSL in OpenVPN
Hi Gert, which version of autoconf exactly is causing this explosion? Juliusz On 18/03/2021 14:56, Gert Doering wrote: Hi, On Thu, Mar 18, 2021 at 02:21:02PM +0100, Gert Doering wrote: Your patch has been applied to the master branch. I have not tested actual WolfSSL builds, but done a quick compile test to see if it would break old/new openssl or old/new mbedtls configure runs. All works :-) Well. That was too fast. I did not test with older autoconf versions, and it turns out that PKG_CHECK_VAR() is not supported on older versions - this got introduced by the WolfSSL patch, and half our buildbots have exploded (Ubuntu 16, Ubuntu 18, NetBSD 8.1). So, we need a fix for that... possibly some addition to our m4/ directory, or a rewrite of this configure.ac hunk. And we want it quick, because our buildbot infrastructure is half-down now... gert ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. The wolfSSL installation directory is detected using pkg-config. As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option `--disable-wolfssl-options-h` in case the user would like to supply their own settings file for wolfSSL. wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ``` git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-openvpn make sudo make install ``` OpenVPN: ``` autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` Signed-off-by: Juliusz Sosinowicz --- configure.ac | 110 +- src/openvpn/syshead.h | 3 +- 2 files changed, 110 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index c65df3e2c..61ed56500 100644 --- a/configure.ac +++ b/configure.ac 
@@ -264,16 +264,23 @@ AC_ARG_WITH(
 AC_ARG_WITH(
 [crypto-library],
- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
 [
 case "${withval}" in
- openssl|mbedtls) ;;
+ openssl|mbedtls|wolfssl) ;;
 *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
 esac
 ],
 [with_crypto_library="openssl"]
 )
+AC_ARG_ENABLE(
+ [wolfssl-options-h],
+ [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
+ ,
+ [enable_wolfssl_options_h="yes"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
 plugindir="${PLUGINDIR}"
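Review bot: The help string for the new `--disable-wolfssl-options-h` switch should carry a caveat, because the hunk lets a user drop `wolfssl/options.h` without saying what that implies. As I understand wolfSSL's mechanism, that header records the option set the installed libwolfssl was built with; if the settings the user supplies instead diverge from it, the compatibility headers OpenVPN compiles against can describe different struct layouts and feature gates than the library actually implements, and nothing in the build will notice. I would make the text say so, e.g. `[Disable including wolfssl/options.h; the build must then supply settings matching the installed library's build options, or the ABI will not match @<:@default=yes@:>@]`. The configure logic that consumes `enable_wolfssl_options_h` is outside this hunk, so whether anything warns on a mismatch cannot be checked here.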
@@ -1019,6 +1026,105 @@ elif test "${with_crypto_library}" = "mbedtls"; then AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" CRYPTO_LIBS="${MBEDTLS_LIBS}" + +elif test "${with_crypto_library}" = "wolfssl"; then + AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should + contain the regular wolfSSL header files but also the + wolfSSL OpenSSL header files. Ex: -I/usr/local/include + -I/usr/local/include/wolfssl]) + AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) + + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + + if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then + # if the user did not explicitly specify flags, try to autodetect + PKG_CHECK_MODULES( + [WOLFSSL], + [wolfssl], + [], + [AC_MSG_ERROR([Could not find wolfSSL.])] + ) + PKG_CHECK_VAR( + [WOLFSSL_INCLUDEDIR], + [wolfssl], + [includedir], + [], + [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])] + ) + WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl" + fi + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}" + LIBS="${LIBS} ${WOLFSSL_LIBS}" + + AC_CHECK_LIB( + [wolfssl], + [wolfSSL_Init], + [], + [AC_MSG_ERROR([Could not link wolfSSL library.])] + ) + AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) + + # wolfSSL signal EKM support + have_export_keying_material="yes" + + AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these a
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
My apologies. I didn't notice your reply Gert. I will submit an updated patch. Sincerely Juliusz On 17/03/2021 18:22, Gert Doering wrote: Hi, On Wed, Mar 17, 2021 at 06:13:04PM +0100, Arne Schwabe wrote: I would consider this an ACK. @Gert do you want a new version with the configure.ac fixed? Since this is a real code change, I'd prefer to have an updated patch with that change included. gert ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, wolfSSL does not support Ed25519 certificates in the compatibility layer. I added the EKM signaling locally. I can submit the patch with this modification if you would like me to. Sincerely Juliusz On 17/03/2021 18:13, Arne Schwabe wrote: Am 12.03.21 um 16:12 schrieb Juliusz Sosinowicz: Hi Arne, I found that the connecting issue is that wolfSSL_CTX_set_min_proto_version will fail when the user (in this case OpenVPN) tries to set a protocol version that was not compiled in. I modified our configure.ac script when building for OpenVPN along with some additional fixes in this pull request: https://github.com/wolfSSL/wolfssl/pull/3871 I also found an error in one of OpenVPN's unit tests. I submitted a patch for that test in a separate email. Using an Ed25519 certificate results in 2021-03-17 14:57:23 us=212254 OpenSSL: unknown error number 2021-03-17 14:57:23 us=212262 Cannot load certificate file /Users/arne/tmp/alice.pem 2021-03-17 14:57:23 us=212265 Exiting due to fatal error The configure.ac of WolfSSL should be updated to signal EKM support: AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) fi + # Wolfssl emulate OpenSSL and has EKM + have_export_keying_material="yes" + AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) Other than it seem to work in the tests that I threw at it. I would consider this an ACK. @Gert do you want a new version with the configure.ac fixed? Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, I found that the connection issue is that wolfSSL_CTX_set_min_proto_version will fail when the user (in this case OpenVPN) tries to set a protocol version that was not compiled in. I modified our configure.ac script when building for OpenVPN along with some additional fixes in this pull request: https://github.com/wolfSSL/wolfssl/pull/3871 I also found an error in one of OpenVPN's unit tests. I submitted a patch for that test in a separate email. Sincerely Juliusz On 03/03/2021 13:34, Arne Schwabe wrote: Am 22.02.21 um 16:28 schrieb Juliusz Sosinowicz: Hi Arne, have you had any success in compiling OpenVPN with wolfSSL? Yes, sorry for taking so long. However the client does not work with my test config (those are on my mac): 2021-03-03 13:19:11 library versions: wolfSSL 4.7.1 2021-03-03 13:19:11 tls_ctx_set_tls_versions: failed to set minimum TLS version 2021-03-03 13:19:11 Error: private key password verification failed 2021-03-03 13:19:11 Exiting due to fatal error Note that this profile just has inline <ca>, <cert> and <key> sections. Another profile, just with <ca> and without certificates, fails with: sudo ./src/openvpn/openvpn ~/dl/focal_generic.ovpn 2021-03-03 13:21:52 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning. 2021-03-03 13:21:52 OpenVPN 2.6_git [git:review/wolfsll/5594040c534f20e3+] x86_64-apple-darwin20.3.0 [SSL (OpenSSL)] [LZ4] [MH/RECVDA] [AEAD] built on Mar 3 2021 2021-03-03 13:21:52 library versions: wolfSSL 4.7.1 Enter Auth Username:arne Enter Auth Password: 2021-03-03 13:21:58 Cannot load CA certificate file [[INLINE]] (no entries were read) 2021-03-03 13:21:58 Exiting due to fatal error To see if the problem is isolated to my macbook, I tried again on Ubuntu 20.10. % make check [...] 
If the addresses are in use, this test will retry up to two times. 2021-03-03 12:28:25 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled 2021-03-03 12:28:25 WARNING: file 'sample-keys/server.key' is group or others accessible 2021-03-03 12:28:25 WARNING: file 'sample-keys/ta.key' is group or others accessible 2021-03-03 12:28:25 OpenVPN 2.6_git [git:review/wolfsll/5594040c534f20e3+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 3 2021 2021-03-03 12:28:25 library versions: wolfSSL 4.7.1, LZO 2.10 2021-03-03 12:28:25 net_route_v4_best_gw query: dst 0.0.0.0 2021-03-03 12:28:25 net_route_v4_best_gw result: via 192.168.188.1 dev eth0 2021-03-03 12:28:25 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2021-03-03 12:28:25 Cipher negotiation is disabled since neither P2MP client nor server mode is enabled 2021-03-03 12:28:25 OpenVPN 2.6_git [git:review/wolfsll/5594040c534f20e3+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 3 2021 2021-03-03 12:28:25 library versions: wolfSSL 4.7.1, LZO 2.10 2021-03-03 12:28:25 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 2021-03-03 12:28:25 tls_ctx_set_tls_versions: failed to set minimum TLS version 2021-03-03 12:28:25 Error: private key password verification failed 2021-03-03 12:28:25 Exiting due to fatal error FAIL: t_cltsrv.sh Test 0: OK Test 1: OK Test 2: OK Test 3: OK Test 4: OK Test 5: OK Test 6: OK Test 7: OK PASS: t_net.sh 1 of 3 tests failed (1 test was not run) Please report to openvpn-us...@lists.sourceforge.net Same result for the configs. I tested a config with an not inlined file then: [12:32]arne@bionic-client:~% ./wolfo2build/./src/openvpn/openvpn focal_generic.ovpn 2021-03-03 12:32:54 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). 
Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning. 2021-03-03 12:32:54 OpenVPN 2.6_git [git:review/wolfsll/5594040c534f20e3+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 3 2021 2021-03-03 12:32:54 library versions: wolfSSL 4.7.1, LZO 2.10 Enter Auth Username:j Enter Auth Password: 2021-03-03 12:32:56 Cannot load CA certificate file focal-ca.pem (no entries were read) 2021-03-03 12:32:56 Exiting due to fatal error [12:32]{1}arne@bionic-client:~% openssl x509 -in focal-ca.pem -BEGIN CERTIFICATE- MIHzMIGmoAMCAQICAgDrMAUGAytlcDASMRAwDgYDVQQDDAdlZDI1IENBMB4XDTIx MDEwNzE3MjQxNloXDTMxMDEwNjE3MjQxNlowEjEQMA4GA1UEAwwHZWQyNSBDQTAq
[Openvpn-devel] [PATCH] EVP_DigestSignFinal siglen parameter correction
In the EVP_DigestSignFinal API, "before the call the siglen parameter should contain the length of the sig buffer". Signed-off-by: Juliusz Sosinowicz
---
src/openvpn/crypto_openssl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 49698e4b3..4486d246d 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -1195,7 +1195,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 EVP_MD_CTX ctx, ctx_tmp, ctx_init;
 EVP_PKEY *mac_key;
 unsigned char A1[EVP_MAX_MD_SIZE];
-size_t A1_len;
+size_t A1_len = EVP_MAX_MD_SIZE;
 int ret = false;
 chunk = EVP_MD_size(md);
@@ -1249,6 +1249,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 if (olen > chunk)
 {
+j = olen;
 if (!EVP_DigestSignFinal(, out, ))
 {
 goto err;
 }
@@ -1263,6 +1264,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 }
 else
 {
+A1_len = EVP_MAX_MD_SIZE;
 /* last one */
 if (!EVP_DigestSignFinal(, A1, _len))
 {
--
2.25.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
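Review bot: `size_t A1_len = EVP_MAX_MD_SIZE;` now doubles as the capacity contract for `A1`, and nothing in the hunk says so; a reader will take the initializer for an odd default rather than the in/out length the commit message describes. I would annotate it: `size_t A1_len = EVP_MAX_MD_SIZE; /* in/out: capacity of A1 on entry, bytes written on return */`. The same in/out meaning applies to `j` for `out`, which the second hunk assigns per iteration, so the two would read better documented together. `j`'s declaration and the rest of tls1_P_hash are outside this hunk.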
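Review bot: The reset `A1_len = EVP_MAX_MD_SIZE;` before the `/* last one */` call deserves a comment, because a maintainer could easily drop it as redundant with the initializer in the declaration hunk. It is presumably needed because the earlier `EVP_DigestSignFinal` into `A1` (outside this hunk) overwrote `A1_len` with the number of bytes produced, which is smaller than the buffer; I would write `/* the previous sign-final call left the digest length here; restore the buffer capacity before reusing A1 */`. Worth stating in the commit message too: with the capacity supplied, a library that enforces it (wolfSSL, per the thread's motivation, and OpenSSL 3 providers) fails cleanly instead of writing past the buffer, so this is a safety fix as well as a portability one — inferred from the API documentation quoted in the message, not from the hunk itself. The archive rendering also appears to have dropped the `&` from the call arguments (`(, A1, _len)`), presumably `(&ctx, A1, &A1_len)`.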
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, have you had any success in compiling OpenVPN with wolfSSL? Sincerely Juliusz On 15/02/2021 13:13, Juliusz Sosinowicz wrote: Hi Arne, the pull request has been merged to the wolfSSL master branch and will be included in the next wolfSSL release. Your issue has been resolved. Are able to try compiling again? Sincerely Juliusz On 27/01/2021 20:07, Arne Schwabe wrote: Am 27.01.21 um 18:25 schrieb Juliusz Sosinowicz: Hi Arne, I believe I fixed the issues that you mentioned in your review of the patch for wolfSSL. I have sent a new patch tested on the latest master branch on OpenVPN along with the version of wolfSSL found in this pull request: https://github.com/wolfSSL/wolfssl/pull/3697 . Unfortunatel,y I am still not able to compile that branch on macOS/clang. It seem wolfssl uses -Werror and this breaks it. On a quick check I also don't see an option to disable this behaviour in configure. The master branch compiles but that doesn't work for OpenVPN. src/tls13.c:806:50: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] protocol, protocolLen, (byte*)label, labelLen, ^~~~ src/tls13.c:812:38: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] ret = wc_Hash(hashType, context, contextLen, hashOut, WC_MAX_DIGEST_SIZE); ~~~ ^~ src/tls13.c:816:34: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen, ~ ^~ CC examples/server/testsuite_testsuite_test-server.o CC testsuite/testsuite_test-testsuite.o CC tests/unit_test-unit.o 3 errors generated. 
make[2]: *** [src/libwolfssl_la-tls13.lo] Error 1 make[2]: *** Waiting for unfinished jobs src/ssl.c:11527:61: error: implicit conversion loses integer precision: 'unsigned long' to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] word32 seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + contextLen; ~~~ ~^~~~ src/ssl.c:11591:25: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN, ~~ ^~ src/ssl.c:11592:27: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] (byte*)label, labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl), ^~~~ 3 errors generated. make[2]: *** [src/libwolfssl_la-ssl.lo] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 Time: 0h:00m:27s ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, the pull request has been merged to the wolfSSL master branch and will be included in the next wolfSSL release. Your issue has been resolved. Are able to try compiling again? Sincerely Juliusz On 27/01/2021 20:07, Arne Schwabe wrote: Am 27.01.21 um 18:25 schrieb Juliusz Sosinowicz: Hi Arne, I believe I fixed the issues that you mentioned in your review of the patch for wolfSSL. I have sent a new patch tested on the latest master branch on OpenVPN along with the version of wolfSSL found in this pull request: https://github.com/wolfSSL/wolfssl/pull/3697 . Unfortunatel,y I am still not able to compile that branch on macOS/clang. It seem wolfssl uses -Werror and this breaks it. On a quick check I also don't see an option to disable this behaviour in configure. The master branch compiles but that doesn't work for OpenVPN. src/tls13.c:806:50: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] protocol, protocolLen, (byte*)label, labelLen, ^~~~ src/tls13.c:812:38: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] ret = wc_Hash(hashType, context, contextLen, hashOut, WC_MAX_DIGEST_SIZE); ~~~^~ src/tls13.c:816:34: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen, ~ ^~ CC examples/server/testsuite_testsuite_test-server.o CC testsuite/testsuite_test-testsuite.o CC tests/unit_test-unit.o 3 errors generated. make[2]: *** [src/libwolfssl_la-tls13.lo] Error 1 make[2]: *** Waiting for unfinished jobs src/ssl.c:11527:61: error: implicit conversion loses integer precision: 'unsigned long' to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] word32 seedLen = !use_context ? 
SEED_LEN : SEED_LEN + 2 + contextLen; ~~~ ~^~~~ src/ssl.c:11591:25: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN, ~~ ^~ src/ssl.c:11592:27: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] (byte*)label, labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl), ^~~~ 3 errors generated. make[2]: *** [src/libwolfssl_la-ssl.lo] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 Time: 0h:00m:27s ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, our CI tests caught that as well. I was able to fix it quickly but it looks like you were even quicker :D The latest version of the PR should be free from the implicit conversion errors. Sincerely Juliusz On 27/01/2021 20:07, Arne Schwabe wrote: Am 27.01.21 um 18:25 schrieb Juliusz Sosinowicz: Hi Arne, I believe I fixed the issues that you mentioned in your review of the patch for wolfSSL. I have sent a new patch tested on the latest master branch on OpenVPN along with the version of wolfSSL found in this pull request: https://github.com/wolfSSL/wolfssl/pull/3697 . Unfortunatel,y I am still not able to compile that branch on macOS/clang. It seem wolfssl uses -Werror and this breaks it. On a quick check I also don't see an option to disable this behaviour in configure. The master branch compiles but that doesn't work for OpenVPN. src/tls13.c:806:50: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] protocol, protocolLen, (byte*)label, labelLen, ^~~~ src/tls13.c:812:38: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] ret = wc_Hash(hashType, context, contextLen, hashOut, WC_MAX_DIGEST_SIZE); ~~~^~ src/tls13.c:816:34: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen, ~ ^~ CC examples/server/testsuite_testsuite_test-server.o CC testsuite/testsuite_test-testsuite.o CC tests/unit_test-unit.o 3 errors generated. make[2]: *** [src/libwolfssl_la-tls13.lo] Error 1 make[2]: *** Waiting for unfinished jobs src/ssl.c:11527:61: error: implicit conversion loses integer precision: 'unsigned long' to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] word32 seedLen = !use_context ? 
SEED_LEN : SEED_LEN + 2 + contextLen; ~~~ ~^~~~ src/ssl.c:11591:25: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN, ~~ ^~ src/ssl.c:11592:27: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] (byte*)label, labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl), ^~~~ 3 errors generated. make[2]: *** [src/libwolfssl_la-ssl.lo] Error 1 make[1]: *** [all-recursive] Error 1 make: *** [all] Error 2 Time: 0h:00m:27s ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. The wolfSSL installation directory is detected using pkg-config. As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option `--disable-wolfssl-options-h` in case the user would like to supply their own settings file for wolfSSL. wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ``` git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-openvpn make sudo make install ``` OpenVPN: ``` autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` Signed-off-by: Juliusz Sosinowicz
---
configure.ac | 107 +-
src/openvpn/syshead.h | 3 +-
2 files changed, 107 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1ab8fe59d..96321a1e4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -264,16 +264,23 @@ AC_ARG_WITH(
 AC_ARG_WITH(
 [crypto-library],
- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
 [
 case "${withval}" in
- openssl|mbedtls) ;;
+ openssl|mbedtls|wolfssl) ;;
 *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
 esac
 ],
 [with_crypto_library="openssl"]
 )
+AC_ARG_ENABLE(
+ [wolfssl-options-h],
+ [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])],
+ ,
+ [enable_wolfssl_options_h="yes"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
 plugindir="${PLUGINDIR}"
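Review bot: `AC_ARG_ENABLE([wolfssl-options-h], ...)` is registered unconditionally, so `--disable-wolfssl-options-h` is accepted and silently ignored when `--with-crypto-library` is openssl or mbedtls, and a user who meant to pass a custom wolfSSL settings file gets no feedback. Since `with_crypto_library` has already been set by the `AC_ARG_WITH` block just above, a one-line check after the `AC_ARG_ENABLE` would surface the mismatch: `test "${enable_wolfssl_options_h}" = "no" -a "${with_crypto_library}" != "wolfssl" && AC_MSG_WARN([--disable-wolfssl-options-h has no effect without --with-crypto-library=wolfssl])`. The help text "Disable including options.h in wolfSSL" also reads as if it changed wolfSSL itself; `[Do not include wolfssl/options.h when building against wolfSSL ...]` says what it does. The code that reads `enable_wolfssl_options_h` is outside this hunk.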
@@ -1019,6 +1026,102 @@ elif test "${with_crypto_library}" = "mbedtls"; then AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" CRYPTO_LIBS="${MBEDTLS_LIBS}" + +elif test "${with_crypto_library}" = "wolfssl"; then + AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include directory should + contain the regular wolfSSL header files but also the + wolfSSL OpenSSL header files. Ex: -I/usr/local/include + -I/usr/local/include/wolfssl]) + AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) + + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + + if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then + # if the user did not explicitly specify flags, try to autodetect + PKG_CHECK_MODULES( + [WOLFSSL], + [wolfssl], + [], + [AC_MSG_ERROR([Could not find wolfSSL.])] + ) + PKG_CHECK_VAR( + [WOLFSSL_INCLUDEDIR], + [wolfssl], + [includedir], + [], + [AC_MSG_ERROR([Could not find wolfSSL includedir variable.])] + ) + WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} -I${WOLFSSL_INCLUDEDIR}/wolfssl" + fi + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}" + LIBS="${LIBS} ${WOLFSSL_LIBS}" + + AC_CHECK_LIB( + [wolfssl], + [wolfSSL_Init], + [], + [AC_MSG_ERROR([Could not link wolfSSL library.])] + ) + AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) + + AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FU
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, I didn't send a new patch yet because I only wanted to provide an update that progress is being made. I'm attaching an updated patch if you are interested. I didn't get that error when compiling wolfSSL with the compile options you provided. Is it possible that you didn't run `autoreconf` after pulling in the latest commit in the branch but before running the configure script? The warning is due to wolfSSL using a generic compare function definition with pointers to void as parameters. Sincerely Juliusz On 03/12/2020 13:22, Arne Schwabe wrote: Am 19.11.20 um 13:23 schrieb Juliusz Sosinowicz: Hi Arne, some time has passed and I was able to address most of your comments in my branch https://github.com/julek-wolfssl/wolfssl/tree/openvpn-2.5-missing-stuff To summarize what has been done regarding your comments: * SHA1 was indeed being called SHA in wolfSSL. I changed this in favor of just using SHA1. * in configure.ac I used David Sommerseth's suggestion to use PKG_CHECK_MODULES to get the wolfSSL installation directory. Did you post that new patch here? I don't see an updated patch. * setting tls min and max is currently not working in the branch that I linked above but we have a big compatibility layer PR pending that appears to fix these issues. Once it is merged I'll revisit this issue and make sure it is solved. * show-tls is fixed but it also relies on the PR I mentioned earlier. After that is merged this should be solved. * tls-ciphersuites and tls-cipher appear to be working in general. Should wolfSSL reject the specified cipher if for example a TLS 1.3 cipher is set using --tls-cipher? Well, that is a general question you have to answer yourself regarding OpenSSL compatibility. I don't think this is just for OpenVPN. * unfortunately wolfSSL does not support ed448 certificates. That is not a show stopper. Mbed TLS does not support them either. 
* tls-groups now checks the validity of the passed in curves * since OpenVPN will make use TLS EKM, exporting keying material has been implemented in wolfSSL. Great! * I haven't tested OpenVPN with the FIPS mode patch so that issue is still pending. Once I get a chance to test it I will also change wolfSSL to target 1.1.0+ API Thanks for your patience! Hey I am trying to check on this. Since I haven't found the new patch. I am trying to use it with the old one: I am getting an error related to EKM: ./../../openvpn-git/src/openvpn/ssl_openssl.c:166:9: error: implicit declaration of function 'wolfSSL_export_keying_material' is invalid in C99 [-Werror,-Wimplicit-function-declaration] if (SSL_export_keying_material(ssl, ekm, ekm_size, label, So I tried ./configure --enable-openvpn --enable-keying-material for WolfSSL but that failed during compile: src/tls13.c:806:50: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] protocol, protocolLen, (byte*)label, labelLen, ^~~~ src/tls13.c:812:38: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] ret = wc_Hash(hashType, context, contextLen, hashOut, WC_MAX_DIGEST_SIZE); ~~~^~ src/tls13.c:816:34: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen, ~ ^~ CC tests/unit_test-unit.o src/ssl.c:11526:61: error: implicit conversion loses integer precision: 'unsigned long' to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] word32 seedLen = !use_context ? 
SEED_LEN : SEED_LEN + 2 + contextLen; ~~~ ~^~~~ src/ssl.c:11590:25: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN, ~~ ^~ src/ssl.c:11591:27: error: implicit conversion loses integer precision: 'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int') [-Werror,-Wshorten-64-to-32] (byte*)label, labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl), I am also seeing another warning during the compilation: ../../../openvpn-git/src/openvpn/ssl_openssl.c:1559:55: warning: incompatible pointer types passing 'int (const X509_NAME *const *, const X509_NAME *const *)' (aka 'int (const struct WOLFSSL_X509_NAME *const *, const struct WOLFSSL_X509_NAME *const *)') to parameter of type 'wolf_sk_compare_cb' (aka 'int (*)(cons
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, some time has passed and I was able to address most of your comments in my branch https://github.com/julek-wolfssl/wolfssl/tree/openvpn-2.5-missing-stuff To summarize what has been done regarding your comments: * SHA1 was indeed being called SHA in wolfSSL. I changed this in favor of just using SHA1. * in configure.ac I used David Sommerseth's suggestion to use PKG_CHECK_MODULES to get the wolfSSL installation directory. * setting tls min and max is currently not working in the branch that I linked above but we have a big compatibility layer PR pending that appears to fix these issues. Once it is merged I'll revisit this issue and make sure it is solved. * show-tls is fixed but it also relies on the PR I mentioned earlier. After that is merged this should be solved. * tls-ciphersuites and tls-cipher appear to be working in general. Should wolfSSL reject the specified cipher if for example a TLS 1.3 cipher is set using --tls-cipher? * unfortunately wolfSSL does not support ed448 certificates. * tls-groups now checks the validity of the passed in curves * since OpenVPN will make use of TLS EKM, exporting keying material has been implemented in wolfSSL. * I haven't tested OpenVPN with the FIPS mode patch so that issue is still pending. Once I get a chance to test it I will also change wolfSSL to target the 1.1.0+ API Thanks for your patience! Sincerely Juliusz On 17/09/2020 00:05, Arne Schwabe wrote: Am 16.09.20 um 11:45 schrieb Juliusz Sosinowicz: Hi Arne, a quick update. A PR is now open in wolfSSL with fixes for OpenVPN master. This is the version that I could actually take a deeper look at, so here are my results. It generally works but there seem to be some loose ends: I am still seeing this warning: 2020-09-16 23:20:14 WARNING: 'auth' is used inconsistently, local='auth SHA', remote='auth SHA1' Are you internally calling SHA1 just SHA, and also returning that as the name when it is queried? And do the other SHA variants also just return SHA? 
This snippet in the configure.ac looks strange: if test -n "${WOLFSSL_DIR}"; then wolfssldir="${WOLFSSL_DIR}" else wolfssldir="/usr/local/include/wolfssl" fi I am not sure hardcoding a /usr/local path is something we want/allow. The people better at autoconf might have a better idea on this. have_crypto_aead_modes="yes" have_crypto="yes" While the have_crypto_aead removal is a rather new removal, the have_crypto removal happened over 4 years ago (31b0bebe). I think the configure.ac should be cleaned up a bit more. The --tls-version-max 1.2 option is ignored. --tls-version-min 1.3 against an (OpenSSL) server with --tls-version-max 1.2 results in: 2020-09-16 23:45:26 OpenSSL: Please supply a buffer for error string 2020-09-16 23:45:26 OpenSSL: Please supply a buffer for error string (A quick fix with just trying to do a malloc of a buffer that leaks memory transformed this into the equally useless message OpenSSL: unknown error number) openvpn --show-tls does not work at all Setting tls-ciphersuites results in (on the server side for the TLS 1.2 max server): 2020-09-16 23:54:22 us=503265 79.229.32.216:57019 TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive. I can also set a TLS 1.3 cipher via tls-cipher. The design of TLS 1.3 ciphersuites and 1.0-1.2 cipher suites using different options is an artifact of OpenSSL's behaviour, but basically setting tls-cipher/tls-ciphersuites in the way they were intended seems to break wolfSSL. Loading the ed448 cert I have resulted in: 2020-09-16 23:58:28 OpenSSL: Please supply a buffer for error string again. --tls-groups meinekurve does not give me an error. So this option is probably also ignored. I am not expecting you to test all the zillion options that OpenVPN has, but at least testing the TLS related options would be good. And what I am currently seeing is not really good coverage, and is buggy. 
Even if some of the options might be good candidates for support in WolfSSL, we need to document this and/or your API needs to throw reasonable errors. Same notes since I ran WolfSSL also on my own development branch that includes a few patches already sent to the mailing list but not merged: This definition in WolfSSL: wolfssl/openssl/ssl.h:#define SSL_export_keying_material(...) 0 This just breaks TLS EKM: WolfSSL pretends to be able to do keying material export, but the macro unconditionally returns 0, so every export fails at runtime. The patches to use TLS EKM are currently not in master but will definitely be added by 2.6. The macro have_export_keying_material="yes" is currently also missing in the wolfssl configure.ac section, but if enabling it, it just breaks: 2020-09-16 23:31:17 TLS Error: Keying material export failed 2020-09-16 23:31:17 TLS Error: generate_key_expansion failed The "al
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, thank you for your extensive review of OpenVPN with wolfSSL. On 17/09/2020 00:05, Arne Schwabe wrote: ... I am still seeing this warning: 2020-09-16 23:20:14 WARNING: 'auth' is used inconsistently, local='auth SHA', remote='auth SHA1' Are you internally calling SHA1 just SHA and are also returned that as name when querying for the name? And do the other SHA variant also just return SHA? Could you describe how you generated this warning? Looking into our sources, we do call SHA1 just SHA in wolfSSL. Other variants have names in the format of SHA. This snippet in the configure.ac looks strange: if test -n "${WOLFSSL_DIR}"; then wolfssldir="${WOLFSSL_DIR}" else wolfssldir="/usr/local/include/wolfssl" fi I am not sure hardcoding a /usr/local path is something we want/allow. The people better at autoconf might have a better idea on this. Our default installation path is /usr/local/include which is why we set it as the default path in projects that use wolfSSL. Additionally, adding /usr/local/include/wolfssl to the include path allows including wolfSSL without changing *.c and *.h files. I'll look into David Sommerseth's suggestion of using pkg-config to get the path and see if it would be possible to append wolfssl to the path. ... I am surprised you are targeting OpenSSL < 1.1.0 API. We will probably drop OpenSSL 1.0.2 support from our code base as soon as we drop RHEL7 support. The 1.1.0+ code path in that patch uses the EVP_PKEY_derive_*/EVP_PKEY_CTX_set_tls1_prf functions and those will be needed then. I think that for now we will target OpenSSL < 1.1.0 API. Once other issues have been resolved we will start moving to OpenSSL >= 1.1.0 APIs. I am still in the process of going through your report but I can reproduce most of the other issues and have found some additional ones as well. I have closed the PR for now until your comments are resolved and will re-open to include all fixes in one PR. 
Sincerely Juliusz ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, a quick update. A PR is now open in wolfSSL with fixes for OpenVPN master. Sincerely Juliusz On 10/09/2020 14:16, Arne Schwabe wrote: Am 10.09.20 um 14:11 schrieb Juliusz Sosinowicz: Hi Arne, I understand your concern and apologize for the delay. We have been busy with the release of wolfSSL 4.5.0. I will make sure that the fixes necessary for OpenVPN support will be prioritized. Sincerely Juliusz I think the best way forward is to include wolfSSL support into OpenVPN master now, and if we have proper support of wolfSSL that is kept up to date from your side then it will be part of the next release. Otherwise we remove the support before the next release. That should address our concern of wanting to see ongoing support and also your concern of it not being included. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, I understand your concern and apologize for the delay. We have been busy with the release of wolfSSL 4.5.0. I will make sure that the fixes necessary for OpenVPN support will be prioritized. Sincerely Juliusz On 10/09/2020 12:18, Arne Schwabe wrote: Am 22.07.20 um 16:02 schrieb Juliusz Sosinowicz: Hi Arne, thank you for your feedback. I tested the patch on the latest master version at the time of writing and it looks like these requirements were added in the last week, which is why I wasn't able to address them before. I will look into the new issues and get back to you when they are fixed. I agree that most of these functions only require exposing existing functionality on our side. We already progressed to OpenVPN 2.5-beta4 now. I think it is fair to say that WolfSSL missed the window to be included in 2.5.0. And seeing that these rather simple fixes now take over 1.5 months does not exactly inspire confidence that WolfSSL is committed to maintaining OpenVPN support. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, thank you for your feedback. I tested the patch on the latest master version at the time of writing and it looks like these requirements were added in the last week, which is why I wasn't able to address them before. I will look into the new issues and get back to you when they are fixed. I agree that most of these functions only require exposing existing functionality on our side. Sincerely Juliusz On 22/07/2020 15:37, Arne Schwabe wrote: Am 15.07.20 um 10:26 schrieb Juliusz Sosinowicz: Hi Everyone, do you have an update on the latest patch I sent? There have been updates to wolfSSL to fix the remaining issues brought up last time. Yes. I looked at this today in the expectation that I would just compile test, do a few quick tests and then ACK+merge it: However during our preparation for the next OpenVPN release, we reevaluated the minimum OpenSSL version and decided that OpenSSL 1.0.2 is our minimum target for the next release and removed the OpenSSL 1.0.1 compatibility defines. I was not aware that WolfSSL depended on the compatibility to 1.0.1 and was rather surprised, since we added all the compatibility tests in autoconf that made the OpenSSL 1.1.0+ API checks also work for WolfSSL. We also removed the option to compile OpenVPN without AEAD support and since WolfSSL supports TLS 1.3, I also did not expect that this would be problematic for WolfSSL. The missing functions that I can see quickly are: SSL_CTX_set1_curves/SSL_CTX_set1_groups SSL_CTX_get0_certificate X509_get0_notBefore X509_get0_notAfter SSL_CTX_set_ecdh_auto (Would not be needed if WolfSSL declared a >= 1.1.0 version) CRYPTO_memcmp Also EVP_CIPH_FLAG_AEAD_CIPHER was undefined. It looks like in the older version/patch the use of the define was ifdef'ed under the assumption that support of AEAD implies existence of the macro, which seems not to have been true in the case of WolfSSL. None of the offending functions looks particularly bad. 
The get0 functions are just the more modern names for identical older OpenSSL functions. Setting groups is probably already supported somehow but not exposed, and I would be surprised if a constant-time memcmp does not already exist in WolfSSL. Reverting the patch that removed 1.0.1 support feels like a bad option at this point and will also (rightfully) raise eyebrows and questions. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Everyone, do you have an update on the latest patch I sent? There have been updates to wolfSSL to fix the remaining issues brought up last time. Thanks Juliusz On 16/06/2020 20:00, Juliusz Sosinowicz wrote: This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option `--disable-wolfssl-options-h` in case the user would like to supply their own settings file for wolfSSL. wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ``` git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-openvpn make sudo make install ``` OpenVPN: ``` autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` Signed-off-by: Juliusz Sosinowicz --- configure.ac | 94 ++- src/openvpn/syshead.h | 3 +- 2 files changed, 94 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 273a8d1b..56d63555 100644 --- a/configure.ac +++ b/configure.ac 
@@ -269,16 +269,23 @@ AC_ARG_WITH( AC_ARG_WITH( [crypto-library], - [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], + [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], [ case "${withval}" in - openssl|mbedtls) ;; + openssl|mbedtls|wolfssl) ;; *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; esac ], [with_crypto_library="openssl"] ) +AC_ARG_ENABLE( + [wolfssl-options-h], + [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])], + , + [enable_wolfssl_options_h="yes"] +) + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" 
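Review bot: The help text of the new `AC_ARG_ENABLE([wolfssl-options-h], ...)` reads `Disable including options.h in wolfSSL [default=yes]`, which pairs "Disable" with "default=yes" and so suggests the header is skipped by default, whereas `enable_wolfssl_options_h="yes"` makes inclusion the default. I would phrase it as `[AS_HELP_STRING([--disable-wolfssl-options-h], [do not include wolfssl/options.h; the build must then supply its own user_settings.h @<:@default: include options.h@:>@])]`. Since options.h records the feature flags the installed libwolfssl was built with, a build that disables it and supplies a user_settings.h that differs from the library's configuration presumably yields mismatched object layouts at run time rather than a configure-time error, so an `AC_MSG_WARN` when the option is given (and a sentence in README.wolfssl) seems worth adding; whether the option is rejected when --with-crypto-library is not wolfssl is decided outside this hunk.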
@@ -1022,6 +1029,89 @@ elif test "${with_crypto_library}" = "mbedtls"; then AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" CRYPTO_LIBS="${MBEDTLS_LIBS}" + +elif test "${with_crypto_library}" = "wolfssl"; then + AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl]) + AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) + AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory @<:@default=/usr/local/include/wolfssl@:>@]) + if test -n "${WOLFSSL_DIR}"; then + wolfssldir="${WOLFSSL_DIR}" + else + wolfssldir="/usr/local/include/wolfssl" + fi + + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + + if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then + # if the user did not explicitly specify flags, try to autodetect + LIBS="${LIBS} -lwolfssl -lm -pthread" + AC_CHECK_LIB( + [wolfssl], + [wolfSSL_Init], + [], + [AC_MSG_ERROR([Could not link wolfSSL library.])] + ) + AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) + fi + + AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macro
[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option `--disable-wolfssl-options-h` in case the user would like to supply their own settings file for wolfSSL. wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ``` git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-openvpn make sudo make install ``` OpenVPN: ``` autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` Signed-off-by: Juliusz Sosinowicz --- configure.ac | 94 ++- src/openvpn/syshead.h | 3 +- 2 files changed, 94 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 273a8d1b..56d63555 100644 --- a/configure.ac +++ b/configure.ac 
@@ -269,16 +269,23 @@ AC_ARG_WITH( AC_ARG_WITH( [crypto-library], - [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], + [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], [ case "${withval}" in - openssl|mbedtls) ;; + openssl|mbedtls|wolfssl) ;; *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; esac ], [with_crypto_library="openssl"] ) +AC_ARG_ENABLE( + [wolfssl-options-h], + [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])], + , + [enable_wolfssl_options_h="yes"] +) + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" 
@@ -1022,6 +1029,89 @@ elif test "${with_crypto_library}" = "mbedtls"; then AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" CRYPTO_LIBS="${MBEDTLS_LIBS}" + +elif test "${with_crypto_library}" = "wolfssl"; then + AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl]) + AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) + AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory @<:@default=/usr/local/include/wolfssl@:>@]) + if test -n "${WOLFSSL_DIR}"; then + wolfssldir="${WOLFSSL_DIR}" + else + wolfssldir="/usr/local/include/wolfssl" + fi + + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + + if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then + # if the user did not explicitly specify flags, try to autodetect + LIBS="${LIBS} -lwolfssl -lm -pthread" + AC_CHECK_LIB( + [wolfssl], + [wolfSSL_Init], + [], + [AC_MSG_ERROR([Could not link wolfSSL library.])] + ) + AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) + fi + + AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + 
AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since the
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Antonio, thank you for reviewing and testing OpenVPN with wolfSSL. Let me explain the warnings: On 07/05/2020 12:28, Antonio Quartulli wrote: Hi Juliusz, There are some warnings when compiling with wolfssl v4.0.0-stable: In file included from crypto_openssl.c:44: openssl_compat.h:93: warning: "EVP_CIPHER_CTX_reset" redefined 93 | #define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_init | In file included from crypto_openssl.h:32, from crypto_backend.h:33, from crypto.h:125, from crypto_openssl.c:42: /usr/local/include/wolfssl/openssl/evp.h:769: note: this is the location of the previous definition 769 | #define EVP_CIPHER_CTX_reset wolfSSL_EVP_CIPHER_CTX_reset | OpenVPN recently started using EVP_CIPHER_CTX_reset and HAVE_ EVP_CIPHER_CTX_RESET wasn't being defined in the wolfSSL configure section. I will fix this for the next version of the patch as well as all other missing defines I found. ssl_openssl.c: In function ‘tls_ctx_load_ca’: ssl_openssl.c:1601:55: warning: passing argument 1 of ‘wolfSSL_sk_X509_NAME_new’ from incompatible pointer type [-Wincompatible-pointer-types] 1601 | cert_names = sk_X509_NAME_new(sk_x509_name_cmp); | ^~~~ | | | int (*)(const X509_NAME * const*, const X509_NAME * const*) {aka int (*)(const struct WOLFSSL_X509_NAME * const*, const struct WOLFSSL_X509_NAME * const*)} In file included from /usr/local/include/wolfssl/openssl/ssl.h:35, from ssl_openssl.h:32, from ssl_backend.h:36, from ssl_openssl.c:44: /usr/local/include/wolfssl/ssl.h:3534:47: note: expected ‘wolf_sk_compare_cb’ {aka ‘int (*)(const void * const*, const void * const*)’} but argument is of type ‘int (*)(const X509_NAME * const*, const X509_NAME * const*)’ {aka ‘int (*)(const struct WOLFSSL_X509_NAME * const*, const struct WOLFSSL_X509_NAME * const*)’} 3534 | WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_sk_X509_NAME_new( | ^~~~ To make wolfSSL_sk_X509_NAME_new more universal we accept a function with void* parameters. 
This will unfortunately generate a warning when compiling with wolfSSL but won't affect functionality. ssl_openssl.c: In function ‘print_details’: ssl_openssl.c:2082:22: warning: unused variable ‘dsa’ [-Wunused-variable] 2082 | DSA *dsa = EVP_PKEY_get0_DSA(pkey); | ^~~ DSA_bits is defined as #define DSA_bits(...) 0 which means that the dsa variable will not be used. I will look into fixing this as DSA support has been added to our EVP layer since this definition. On top of that, unfortunately something is not working. While openvpn can connect if provided with a config that references key material from external files, i.e. "key a/b/c.key" or "cert a/b/c/d.crt", it does not work when trying to connect using inline material, i.e. "$something here". This is what I see: Thu May 7 12:16:12 2020 OpenVPN 2.5_git [git:master/6acb2a69e47a8da0] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 7 2020 Thu May 7 12:16:12 2020 library versions: 4.4.0, LZO 2.10 Thu May 7 12:16:12 2020 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead. Thu May 7 12:16:12 2020 OpenSSL: Please supply a buffer for error string Thu May 7 12:16:12 2020 Cannot load inline certificate file Thu May 7 12:16:12 2020 Exiting due to fatal error Any clue why this is failing? - openvpn is: master openvpn + your patch - for wolfssl I tested both master and 4.4.0 I will investigate this issue and see what can be done about it. Thank you for catching it. Thanks Juliusz On 29/04/2020 16:51, Juliusz Sosinowicz wrote: This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. 
By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option `--disable-wolfssl-options-h` in case the user would like to supply their own settings file for wolfSSL. wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ``` git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-openvpn make sudo make install ``` OpenVPN: ``` autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` Signed-off-by
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, currently it is macro'ed to wolfSSL_lib_version which only returns the version string. I will add our library name to the front of the OpenSSL_version return string. Thanks, Juliusz On 07/05/2020 12:35, Arne Schwabe wrote: Am 07.05.20 um 12:28 schrieb Antonio Quartulli: Thu May 7 12:16:12 2020 library versions: 4.4.0, LZO 2.10 Additionally it seems the OpenSSL_version(OPENSSL_VERSION) function does not include the library name. OpenSSL reports itself here: library versions: OpenSSL 1.1.1g 21 Apr 2020 also other library will say LibreSSL or BoringSSL in place of OpenSSL here. It would be nice to have here wolfSSL or OpenSSL (wolfSSL compat layer) or something that indicates wolfSSL in the OpenSSL_version(OPENSSL_VERSION) result. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option `--disable-wolfssl-options-h` in case the user would like to supply their own settings file for wolfSSL. wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ``` git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-openvpn make sudo make install ``` OpenVPN: ``` autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` Signed-off-by: Juliusz Sosinowicz --- configure.ac | 91 ++- src/openvpn/syshead.h | 3 +- 2 files changed, 91 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index fcec7389..53ad3181 100644 --- a/configure.ac +++ b/configure.ac 
@@ -276,16 +276,23 @@ AC_ARG_WITH( AC_ARG_WITH( [crypto-library], - [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], + [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], [ case "${withval}" in - openssl|mbedtls) ;; + openssl|mbedtls|wolfssl) ;; *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; esac ], [with_crypto_library="openssl"] ) +AC_ARG_ENABLE( + [wolfssl-options-h], + [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])], + , + [enable_wolfssl_options_h="yes"] +) + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" 
@@ -1029,6 +1036,86 @@ elif test "${with_crypto_library}" = "mbedtls"; then AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" CRYPTO_LIBS="${MBEDTLS_LIBS}" + +elif test "${with_crypto_library}" = "wolfssl"; then + AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl]) + AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl]) + AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory @<:@default=/usr/local/include/wolfssl@:>@]) + if test -n "${WOLFSSL_DIR}"; then + wolfssldir="${WOLFSSL_DIR}" + else + wolfssldir="/usr/local/include/wolfssl" + fi + + saved_CFLAGS="${CFLAGS}" + saved_LIBS="${LIBS}" + + if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then + # if the user did not explicitly specify flags, try to autodetect + LIBS="${LIBS} -lwolfssl -lm -pthread" + AC_CHECK_LIB( + [wolfssl], + [wolfSSL_Init], + [], + [AC_MSG_ERROR([Could not link wolfSSL library.])] + ) + AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])]) + fi + + AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros]) + 
AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS sin
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
The Readme looks good. Just one suggestion. On 16/04/2020 13:11, Arne Schwabe wrote: Am 16.04.20 um 12:42 schrieb Juliusz Sosinowicz: Hi Arne, On 15/04/2020 11:31, Arne Schwabe wrote: Am 14.04.20 um 20:52 schrieb Juliusz Sosinowicz: This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option '--disable-wolfssl-options-h' in case the user would like to supply their own settings file for wolfSSL. Thanks, the patch is a lot less intrusive than the last version. We will have to discuss in our meeting under what condition we want to include the patch. We might add a note or statement that the WolfSSL support in OpenVPN is mainly developed and tested by WolfSSL itself or something along these lines. This is understandable since we will be maintaining wolfSSL within OpenVPN. Could you take a look if this is an acceptable text for a README.wolfssl? Support for WolfSSL is implemented and maintained by WolfSSL Inc. The support is implemented using WolfSSL's OpenSSL compatibility layer. The WolfSSL support in OpenVPN receives very limited testing/support from the OpenVPN community itself. If bugs in OpenVPN when using WolfSSL are encountered, the user should try to also compile OpenVPN with OpenSSL to determine whether these are bugs in the WolfSSL TLS implementation or in OpenVPN itself. To Build and Install, ./configure --with-crypto-library=wolfssl make make install I would add here: The wolfSSL library will include the installed options.h file by default. 
To include a custom user_settings.h file for wolfSSL, ./configure --with-crypto-library=wolfssl --disable-wolfssl-options-h make make install * Due to limitations in the wolfSSL TLS library or its compatibility layer, the following features are missing: * blowfish support (BF-CBC); you must use something like cipher AES-128-CBC to avoid trying to use BF-CBC * Windows CryptoAPI support ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Arne, On 15/04/2020 11:31, Arne Schwabe wrote: Am 14.04.20 um 20:52 schrieb Juliusz Sosinowicz: This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option '--disable-wolfssl-options-h' in case the user would like to supply their own settings file for wolfSSL. Thanks the patch is lot less intrusive then the last version. We will have to discuss in our meeting under what condition we want to include the patch. We might add a note or statement that the WolfSSL support in OpenVPN is mainly developed and tested by WolfSSL itself or something along these lines. This is understandable since we will be maintaining wolfSSL within OpenVPN. diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 453cb20a..73da5fa7 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c 
@@ -428,7 +428,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
     tag_ptr = BPTR(buf);
     ASSERT(buf_advance(buf, tag_size));
     dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, ));
-#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L
+#if (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L) || defined(ENABLE_CRYPTO_WOLFSSL)
     /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */
     if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr))
     {
Are you sure that WolfSSL requires a workaround for old OpenSSL version before 1.0.1d? wolfSSL is built around one-shot APIs as oppose to OpenSSL's stream APIs. The reason for using this workaround is that the authentication tag is checked in the Update call not the Final call. I'll look into fixing this issue. Arne Thanks! Juliusz ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
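Review bot: The comment kept on the new side, `/* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */`, no longer explains the `#if` once `|| defined(ENABLE_CRYPTO_WOLFSSL)` is added, because every wolfSSL build now takes the set-tag-first path for a reason unrelated to the OpenSSL bug, and a later cleanup of pre-1.0.1d compat code could drop the wolfSSL arm with it. I would change it to `/* OpenSSL <= 1.0.1c bug, and wolfSSL's EVP layer (reportedly verifies the tag during Update, not Final): tag must be set before processing ciphertext */`. If the tag really is verified inside EVP_DecryptUpdate on wolfSSL, the decrypt path that follows must treat a failing Update exactly like a failing Final, dropping the packet and releasing no plaintext, which cannot be confirmed from this hunk; openvpn_decrypt_aead continues past the hunk.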
Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
Hi Gert, thanks for the suggestion. I will change this in the next patch after looking into the issue that Arne brought up. On 15/04/2020 11:48, Gert Doering wrote: Hi, as Arne said, this is much better. On Tue, Apr 14, 2020 at 08:52:14PM +0200, Juliusz Sosinowicz wrote: This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. [..] There is one thing, though: index 30eba7b2..a82c52ad 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -39,6 +39,10 @@ #ifdef ENABLE_CRYPTOAPI +#ifdef ENABLE_CRYPTO_WOLFSSL +#error wolfSSL does not support CryptoAPI +#endif + I do not like this very much. It will, effectively, break win32 builds with WolfSSL - and add yet another #ifdef to our .c files. ENABLE_CRYPTOAPI is defined in syshead.h #if defined(_WIN32) && defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) #define ENABLE_CRYPTOAPI #endif ... could you investigate whether it would be sufficient to just conditionalize this on WolfSSL, like this? #if defined(_WIN32) && defined(ENABLE_CRYPTO) && \ defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_WOLFSSL) #define ENABLE_CRYPTOAPI #endif so you can have WolfSSL-linked binaries for Windows, just without CryptoAPI support (as with mbedtls)... gert Sincerely Juliusz ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN
This patch adds support for wolfSSL in OpenVPN. Support is added by using wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked against the wolfSSL library. As requested by OpenVPN maintainers, this patch does not include wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include wolfssl/options.h on its own (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an option '--disable-wolfssl-options-h' in case the user would like to supply their own settings file for wolfSSL. wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ``` git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-openvpn make sudo make install ``` OpenVPN: ``` autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` Signed-off-by: Juliusz Sosinowicz --- configure.ac| 91 - src/openvpn/crypto.c| 2 +- src/openvpn/cryptoapi.c | 4 ++ 3 files changed, 94 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index fcec7389..53ad3181 100644 --- a/configure.ac +++ b/configure.ac 
@@ -276,16 +276,23 @@ AC_ARG_WITH( AC_ARG_WITH( [crypto-library], - [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], + [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], [ case "${withval}" in - openssl|mbedtls) ;; + openssl|mbedtls|wolfssl) ;; *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; esac ], [with_crypto_library="openssl"] ) +AC_ARG_ENABLE( + [wolfssl-options-h], + [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h in wolfSSL @<:@default=yes@:>@])], + , + [enable_wolfssl_options_h="yes"] +) + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" 
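Review bot: The help string in the new `AC_ARG_ENABLE([wolfssl-options-h], ...)` block, `Disable including options.h in wolfSSL`, does not say what the user gives up by disabling it. The cover letter describes the option as a way to supply one's own settings file, and options.h is described elsewhere in this thread as the record of the configure-time options the wolfSSL library was built with, so settings that disagree with the installed library can make headers and library disagree about available features and types without the build noticing; the help text should say that. I would write `[AS_HELP_STRING([--disable-wolfssl-options-h], [Do not include wolfssl/options.h; the caller must then provide wolfSSL's configure-time settings, and they must match the installed library @<:@default=yes@:>@])],`. Where `enable_wolfssl_options_h` is consumed is not in this hunk, so a one-line comment above the block pointing to that place would also help.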
@@ -1029,6 +1036,86 @@ elif test "${with_crypto_library}" = "mbedtls"; then
 AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
 CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
 CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+ AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory @<:@default=/usr/local/include/wolfssl@:>@])
+ if test -n "${WOLFSSL_DIR}"; then
+ wolfssldir="${WOLFSSL_DIR}"
+ else
+ wolfssldir="/usr/local/include/wolfssl"
+ fi
+
+ saved_CFLAGS="${CFLAGS}"
+ saved_LIBS="${LIBS}"
+
+ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+ # if the user did not explicitly specify flags, try to autodetect
+ LIBS="${LIBS} -lwolfssl -lm -pthread"
+ AC_CHECK_LIB(
+ [wolfssl],
+ [wolfSSL_Init],
+ [],
+ [AC_MSG_ERROR([Could not link wolfSSL library.])]
+ )
+ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
+ fi
+
+ AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ 
AC_DEFINE([HAVE_S
Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master branch
Hi Antonio,Gert is correct, our compatibility layer is a set of functions in wolfSSL which emulate the OpenSSL API. These functions are then macro defined to have the same names as the OpenSSL functions. The configure script needs to know where the wolfSSL headers are and that it should link against the wolfSSL binary, not OpenSSL. This is the reason for the configure script changes.Sincerely Juliusz Original message From: Antonio Quartulli Date: 09/02/2020 10:52 (GMT+01:00) To: Gert Doering Cc: Juliusz Sosinowicz , openvpn-devel@lists.sourceforge.net Subject: Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master branch Hi,On 09/02/2020 10:50, Gert Doering wrote:> Hi,> > On Sun, Feb 09, 2020 at 10:44:48AM +0100, Antonio Quartulli wrote:>> if wolfssl support is being introduced by means of the openssl>> compatibility layer, why do people need to configure OpenVPN with>> "./configure --with-crypto-library=wolfssl", rather than just using>> openssl and specifying a different path for headers/libraries?>>>> Isn't the compat layer in wolfssl operating as a drop-in replacement for>> openssl?> > This question has been asked before and answered :-) - most of the> compat functions seem to be implemented as macros, which our configure> will not find. So, configure needs to explicitely define what is there> and what not.> > I do not like the extra include very much, but that seems to be hard > to avoid with the current WolfSSL header file setup.> ouch, thanks for the reminder :-)-- Antonio Quartulli___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master branch
Hi Gert, thank you for your comments. My intention was not to add a second cipher line in the sample config file. I added "cipher AES-256-CBC" to an earlier version of OpenVPN when there was no cipher specified in the loopback-client and loopback-server files. After rebasing my commit onto master I didn't notice the double cipher lines in the config files. I will remove this in my next patch as wolfSSL does support GCM mode but not yet in the compatibility layer. I will add GCM support to our compatibility layer and send an updated signed-off patch with a better commit message explaining what is happening in the patch. Thanks Juliusz On 08/02/2020 09:45, Gert Doering wrote: Hi Juliusz, please send patches out of a git tree, coming from a git commit with "git commit -s", and having a somewhat relevant commit message. Besides this, please do not --- a/sample/sample-config-files/loopback-client +++ b/sample/sample-config-files/loopback-client @@ -25,3 +25,4 @@ tls-auth sample-keys/ta.key 1 cipher AES-256-GCM ping 1 inactive 120 1000 +cipher AES-256-CBC ... modify the sample config files (and *if* you do, do not just add a second cipher line, which will confuse users quite a bit). If WolfSSL does not support GCM, this needs to be documented, but our sample config files contain the recommended cipher for the existing crypto systems, and this is (and will continue to be for the time) GCM - faster, and lower overhead. gert ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master branch
wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ``` git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-openvpn make sudo make install ``` OpenVPN: ``` autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` --- configure.ac | 77 +- include/openvpn-plugin.h.in| 3 + sample/sample-config-files/loopback-client | 1 + sample/sample-config-files/loopback-server | 1 + src/openvpn/crypto.c | 2 +- src/openvpn/crypto_openssl.h | 3 + src/openvpn/cryptoapi.c| 4 ++ src/openvpn/openssl_compat.h | 4 ++ src/openvpn/ssl_openssl.h | 3 + src/openvpn/ssl_verify_openssl.h | 3 + 10 files changed, 98 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 98fd39ce..564f21a6 100644 --- a/configure.ac +++ b/configure.ac @@ -276,10 +276,10 @@ AC_ARG_WITH( AC_ARG_WITH( [crypto-library], - [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], + [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], [ case "${withval}" in - openssl|mbedtls) ;; + openssl|mbedtls|wolfssl) ;; *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; esac ], 
@@ -1029,6 +1029,79 @@ elif test "${with_crypto_library}" = "mbedtls"; then
 AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
 CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
 CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+ AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory @<:@default=/usr/local/include/wolfssl@:>@])
+ if test -n "${WOLFSSL_DIR}"; then
+ wolfssldir="${WOLFSSL_DIR}"
+ else
+ wolfssldir="/usr/local/include/wolfssl"
+ fi
+
+ saved_CFLAGS="${CFLAGS}"
+ saved_LIBS="${LIBS}"
+
+ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+ # if the user did not explicitly specify flags, try to autodetect
+ LIBS="${LIBS} -lwolfssl -lm -pthread"
+ AC_CHECK_LIB(
+ [wolfssl],
+ [wolfSSL_Init],
+ [],
+ [AC_MSG_ERROR([Could not link wolfSSL library.])]
+ )
+ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
+ fi
+
+ AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ 
AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+
Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN v2.4.8
Hi David, I apologize for the delayed response. I will rebase our OpenVPN work off of the master branch this week in anticipation of a possible inclusion in version 2.5. Regarding your question "What kind of commitment will we see from the WolfSSL organization?": We have a large customer driving the use of wolfSSL with OpenVPN. We've done the initial porting and testing. We will update the port when needed and continue to support this effort. We will also be making public marketing posts and announcements for OpenVPN support on our blog (https://www.wolfssl.com/blog/) and subscribed mailing lists. We understand your concern about the intrusiveness of this patch. The majority of insertions occur in the configure script and try to follow the structure of how other cryptographic backends are compiled against. The "Emulate X since these are defined as macros" additions are unfortunately necessary as these functions are defined as macros in our library. AC_CHECK_FUNCS will not check if the function exists behind a macro. Defining these macros in the configure script allows for minimal interference in the rest of OpenVPN code. The rest of the changes in the patch are library inclusions as some things are defined in slightly different locations than OpenSSL. The file holds the configure options for the wolfSSL library. It is necessary to include so that the header files know what should be included and defined. I hope this email clears things up as to why some changes were necessary. 
Sincerely Juliusz On 14/11/2019 12:25, David Sommerseth wrote: On 14/11/2019 11:22, Juliusz Sosinowicz wrote: From: David Garske wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ```sh git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-opensslall --enable-des3 --enable-crl --enable-certgen --enable-certext --enable-aesctr --enable-sessioncerts CFLAGS="-DWOLFSSL_DES_ECB -DHAVE_EX_DATA" make sudo make install ``` OpenVPN: ```sh autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` NAK. This patch adds a new feature to the 2.4 branch. We don't really want to do that, especially if the change is intrusive (13 files changed, 108 insertions << that is intrusive). WolfSSL support will at best see the light in the coming 2.5 release (At the hackathon we aim for late 2020Q1 or 2020Q2) In previous rounds we have asked a lot of questions; there has been no real responses to those. This has not even been touched in the relation to this patch. One good thing I do see, is that it seems to try to use an OpenSSL support layer in WolfSSL - which is good. But then I wonder why we see additions like this all over. +#ifdef ENABLE_CRYPTO_WOLFSSL +#include +#endif In addition, the change in configure.ac with all the AC_DEFINE lines, tagged with "Emulate X since these are defined as macros" is also making a lot of mess. And then comes the most critical point to all of this: Who will maintain WolfSSL support in OpenVPN once this has been applied? What kind of commitment will we see from the WolfSSL organization? The OpenVPN developers community will have an IRC meeting next Thursday (Nov 21 @ 20:00 CET, #openvpn-meeting on FreeNode [1]). I strongly recommend you to attend this meeting to follow up your request. 
[1] You need to have your nick registered to join <https://freenode.net/kb/answer/registration> ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN v2.4.8
From: David Garske wolfSSL: Support added in: https://github.com/wolfSSL/wolfssl/pull/2503 ```sh git clone https://github.com/wolfSSL/wolfssl.git cd wolfssl ./autogen.sh ./configure --enable-opensslall --enable-des3 --enable-crl --enable-certgen --enable-certext --enable-aesctr --enable-sessioncerts CFLAGS="-DWOLFSSL_DES_ECB -DHAVE_EX_DATA" make sudo make install ``` OpenVPN: ```sh autoreconf -i -v -f ./configure --with-crypto-library=wolfssl make make check sudo make install ``` --- configure.ac | 77 +- include/openvpn-plugin.h.in| 3 + sample/sample-config-files/loopback-client | 1 + sample/sample-config-files/loopback-server | 1 + src/openvpn/crypto.c | 2 +- src/openvpn/crypto_openssl.c | 3 + src/openvpn/crypto_openssl.h | 3 + src/openvpn/cryptoapi.c| 4 ++ src/openvpn/openssl_compat.h | 5 ++ src/openvpn/ssl_openssl.c | 3 + src/openvpn/ssl_openssl.h | 3 + src/openvpn/ssl_verify_openssl.c | 3 + src/openvpn/ssl_verify_openssl.h | 3 + 13 files changed, 108 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index e45ce2f3..63cf3001 100644 --- a/configure.ac +++ b/configure.ac @@ -283,10 +283,10 @@ AC_ARG_WITH( AC_ARG_WITH( [crypto-library], - [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], + [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], [ case "${withval}" in - openssl|mbedtls) ;; + openssl|mbedtls|wolfssl) ;; *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; esac ], 
@@ -1028,6 +1028,79 @@ elif test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "mbedtls"; th
 AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
 CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
 CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "wolfssl"; then
+ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+ AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory @<:@default=/usr/local/include/wolfssl@:>@])
+ if test -n "${WOLFSSL_DIR}"; then
+ wolfssldir="${WOLFSSL_DIR}"
+ else
+ wolfssldir="/usr/local/include/wolfssl"
+ fi
+
+ saved_CFLAGS="${CFLAGS}"
+ saved_LIBS="${LIBS}"
+
+ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+ # if the user did not explicitly specify flags, try to autodetect
+ LIBS="${LIBS} -lwolfssl -lm -pthread"
+ AC_CHECK_LIB(
+ [wolfssl],
+ [wolfSSL_Init],
+ [],
+ [AC_MSG_ERROR([Could not link wolfSSL library.])]
+ )
+ AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header wolfssl/options.h not found!])])
+ fi
+
+ AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])
+ AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate
Re: [Openvpn-devel] [PATCH] Adding support for wolfSSL backend
Hi, thank you for the feedback. To answer your questions: - Why WolfSSL in OpenVPN instead of mbed or OpenSSL wolfSSL can be compiled to use very few resources in a wide array of embedded environments. wolfSSL is FIPS ready - that is it has all the code available to be FIPS 140 validated on a platform. - What features does WolfSSL offer in OpenVPN that mbed/OpenSSL don't have wolfSSL has a large customer base and some of them would like to use OpenVPN with wolfSSL. - What is missing with WolfSSL? wolfSSL doesn’t support some older, weaker algorithms like Blowfish. wolfSSL also lacks support for CryptoAPI and exporting of keying material. - What are your future plans in terms of involvement in OpenVPN development and maintaince? Our plans are to help support and maintain the wolfSSL component of any project, including OpenVPN, that decides to incorporate our technology. Regarding our OpenSSL compatibility layer: we do have a compatibility layer for OpenSSL but it still lacks many features. In addition, using wolfSSL directly without an additional layer allows for better efficiency and performance. Sincerely Juliusz On 8/16/19 8:30 AM, Arne Schwabe wrote: Am 16.08.19 um 16:14 schrieb Juliusz Sosinowicz: This patch adds the option to use wolfSSL as the ssl backend. To build this patch: That is great and it is also a very big patch. I skimmed only through the patch. +#ifdef ENABLE_CRYPTO_WOLFSSL +o->ciphername = "AES-256-CBC"; +#else o->ciphername = "BF-CBC"; +#endif Such silent changes that OpenVPN behaves different, is something we would like to avoid. Better to error out in this case than to behave diffently. Overall the WolfSSL feels to be a bit similar to OpenSSL. Is there any compatibility you are aiming at? Also it would be nice to have a summary for people on the OpenVPN perspective - Why WolfSSL in OpenVPN instead of mbed or OpenSSL - What features does WolfSSL offer in OpenVPN that mbed/OpenSSL don't have - What is missing with WolfSSL? 
That would also be good to have in the patch, like README.mbedtls. And one of the important questions is: What are your future plans in terms of involvement in OpenVPN development and maintenance? I think since you are a first-time contributor and this is a big patch, that is something reasonable to ask. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH] Adding support for wolfSSL backend
This patch adds the option to use wolfSSL as the ssl backend. To build this patch: 1. wolfSSL needs to be built with the `--enable-all` configure option. 2. OpenVPN must be built with the `--with-crypto-library=wolfssl` configure option. Documentation regarding the wolfSSL SSL library may be found here: https://www.wolfssl.com/ Sincerely Juliusz diff --git a/.gitignore b/.gitignore index 0d68ec4b..d007cf62 100644 --- a/.gitignore +++ b/.gitignore @@ -72,3 +72,8 @@ nbproject test-driver compile stamp-h2 + +\.settings/ +\.project +\.cproject +\.autotools diff --git a/configure.ac b/configure.ac index e9f8a2f9..1013e5a0 100644 --- a/configure.ac +++ b/configure.ac @@ -276,10 +276,10 @@ AC_ARG_WITH( AC_ARG_WITH( [crypto-library], - [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], + [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])], [ case "${withval}" in - openssl|mbedtls) ;; + openssl|mbedtls|wolfssl) ;; *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; esac ], 
@@ -1011,6 +1011,31 @@ elif test "${with_crypto_library}" = "mbedtls"; then
 AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
 CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
 CRYPTO_LIBS="${MBEDTLS_LIBS}"
+elif test "${with_crypto_library}" = "wolfssl"; then
+ AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+ AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+
+ saved_CFLAGS="${CFLAGS}"
+ saved_LIBS="${LIBS}"
+
+ if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+ # if the user did not explicitly specify flags, try to autodetect
+ LIBS="${LIBS} -lwolfssl -lm -pthread"
+ AC_CHECK_LIB(
+ [wolfssl],
+ [wolfSSL_get_ciphers],
+ [],
+ [AC_MSG_ERROR([Could not link wolfSSL library.])]
+ )
+ fi
+
+ have_crypto_aead_modes="yes"
+
+ CFLAGS="${WOLFSSL_CFLAGS} ${CFLAGS}"
+ LIBS="${WOLFSSL_LIBS} ${LIBS}"
+ AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
+ CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
+ CRYPTO_LIBS="${WOLFSSL_LIBS}"
 else
 AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
 fi
diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
index 103844f7..75b33a62 100644
--- a/include/openvpn-plugin.h.in
+++ b/include/openvpn-plugin.h.in
@@ -32,6 +32,12 @@
 #define __OPENVPN_X509_CERT_T_DECLARED
 typedef mbedtls_x509_crt openvpn_x509_cert_t;
 #endif
+#elif defined(ENABLE_CRYPTO_WOLFSSL) /* ifdef ENABLE_CRYPTO_WOLFSSL */
+#include
+#ifndef __OPENVPN_X509_CERT_T_DECLARED
+#define __OPENVPN_X509_CERT_T_DECLARED
+typedef WOLFSSL_X509 openvpn_x509_cert_t;
+#endif
 #else /* ifdef ENABLE_CRYPTO_MBEDTLS */
 #include
 #ifndef __OPENVPN_X509_CERT_T_DECLARED
@@ -332,7 +338,8 @@ struct openvpn_plugin_callbacks
 typedef enum { SSLAPI_NONE, SSLAPI_OPENSSL,
-SSLAPI_MBEDTLS
+SSLAPI_MBEDTLS,
+SSLAPI_WOLFSSL
 } ovpnSSLAPI; /**
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 30caa01f..5c19384e 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
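Review bot: In the new `wolfssl` branch, `saved_CFLAGS` and `saved_LIBS` are assigned and never used, and in the autodetect path `LIBS` is extended with `-lwolfssl -lm -pthread` while `WOLFSSL_LIBS` is never set, so `CRYPTO_LIBS="${WOLFSSL_LIBS}"` ends up empty and the wolfSSL libraries reach the link only because they were left in the global `LIBS`, where they are likely also pulled into every other target configure links. I would set `WOLFSSL_LIBS="-lwolfssl -lm -pthread"` in the autodetect branch instead of appending to `LIBS` directly, and restore `CFLAGS="${saved_CFLAGS}"` and `LIBS="${saved_LIBS}"` just before the `AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], ...)` line, which is presumably what the `mbedtls` branch above does with its saved values (that part is outside the hunk). `have_crypto_aead_modes="yes"` is set unconditionally and whether the other backends probe for it is not visible here; a comment stating that wolfSSL AEAD support is assumed rather than checked would make the intent clear. The configure.ac hunks of the later patch revisions earlier on this page carry the same `saved_CFLAGS`/`saved_LIBS` assignments but are cut off before one can see whether they restore them.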
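Review bot: The trailing comment on the added `#elif defined(ENABLE_CRYPTO_WOLFSSL) /* ifdef ENABLE_CRYPTO_WOLFSSL */` repeats its own condition, whereas the one `#else` visible in this hunk, `#else /* ifdef ENABLE_CRYPTO_MBEDTLS */`, names the condition of the branch it follows; after this change that `#else` follows the wolfSSL branch, so its comment becomes stale as well. I would write `#elif defined(ENABLE_CRYPTO_WOLFSSL) /* ifdef ENABLE_CRYPTO_MBEDTLS */` and update the next line to `#else /* ifdef ENABLE_CRYPTO_WOLFSSL */`, if that is indeed the file's convention (only this one instance is visible here). The enclosing `#if` chain starts outside the hunk.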
@@ -50,6 +50,7 @@ openvpn_SOURCES = \
 crypto.c crypto.h crypto_backend.h \
 crypto_openssl.c crypto_openssl.h \
 crypto_mbedtls.c crypto_mbedtls.h \
+ crypto_wolfssl.c crypto_wolfssl.h \
 dhcp.c dhcp.h \
 env_set.c env_set.h \
 errlevel.h \
@@ -115,10 +116,12 @@ openvpn_SOURCES = \
 ssl.c ssl.h ssl_backend.h \
 ssl_openssl.c ssl_openssl.h \
 ssl_mbedtls.c ssl_mbedtls.h \
+ ssl_wolfssl.c ssl_wolfssl.h \
 ssl_common.h \
 ssl_verify.c ssl_verify.h ssl_verify_backend.h \
 ssl_verify_openssl.c ssl_verify_openssl.h \
 ssl_verify_mbedtls.c ssl_verify_mbedtls.h \
+ ssl_verify_wolfssl.c ssl_verify_wolfssl.h \
 status.c status.h \
 syshead.h \
 tls_crypt.c tls_crypt.h \
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 7e9a4bd2..9699b50c 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -29,18 +29,21 @@
 #ifndef CRYPTO_BACKEND_H_
 #define CRYPTO_BACKEND_H_
+/* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */
+#define OPENVPN_AEAD_TAG_LENGTH 16
+
 #ifdef ENABLE_CRYPTO_OPENSSL
 #include "crypto_openssl.h"
 #endif
 #ifdef ENABLE_CRYPTO_MBEDTLS
 #include "crypto_mbedtls.h"
 #endif
+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include "crypto_wolfssl.h"
+#endif
 #include "basic.h"
 #include "buffer.h"
-/* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */
-#define OPENVPN_AEAD_TAG_LENGTH 16
-
 /* Maximum cipher block size (bytes) */
 #define OPENVPN_MAX_CIPHER_BLOCK_SIZE 32
@@ -355,7 +358,7 @@ void cipher_ctx_free(cipher_ctx_t *ctx);
 * @param key_len Length of the key, in bytes
 * @param ktStatic cipher parameters to use
 * @param enc Whether to encrypt or decrypt (either
- * \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT).
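Review bot: The comment re-added as `+/* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */` contradicts the value under it, `#define OPENVPN_AEAD_TAG_LENGTH 16`; the TLS AEAD tag is 128 bits, i.e. 16 bytes. Since the commit already moves this line, I would correct it to `/* TLS uses a tag of 128 bits (16 bytes), let's do the same for OpenVPN */`. The hunk also gives no reason for moving the define above the backend includes; if it is because `crypto_wolfssl.h` needs it (that header is not in this hunk), a one-line comment saying so would keep the next person from moving it back.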