Re: [Openvpn-devel] [PATCH applied] Re: Change include order for tests

2024-02-12 Thread Juliusz Sosinowicz
Thanks Gert. I see that our tests for the "release/2.6" branch are 
passing. This was discovered by testing against the master branch so I 
don't think this patch needs backporting.


Sincerely
Juliusz Sosinowicz

On 12/02/2024 18:10, Gert Doering wrote:

Thanks for this updated patch, which fixes the issue in a much nicer
way.  I'm not sure if you observe the problem in release/2.6 as well
- if yes, I need a release/2.6-specific patch for that (as half the
new test drivers are not in that branch).

Quick test with an in-tree build on FreeBSD and GHA builds passes fine.

Your patch has been applied to the master branch.

commit 54475711eb119f6fbb263880fca08d4b10df752a
Author: Juliusz Sosinowicz
Date:   Mon Feb 12 14:25:22 2024 +0100

  Change include order for tests

  Signed-off-by: Juliusz Sosinowicz 
  Acked-by: Arne Schwabe 
  Message-Id: <20240212132522.125903-1-juli...@wolfssl.com>
  URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28229.html
  Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering




___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"

2024-02-12 Thread Juliusz Sosinowicz

Hi Gert,

that is the direction I went with the latest patch I sent over.

Sincerely
Juliusz Sosinowicz

On 12/02/2024 13:53, Gert Doering wrote:

Hi,

On Mon, Feb 12, 2024 at 10:57:41AM +0100, Juliusz Sosinowicz wrote:

commit 70b39f2bea9fd6e57f31e32b2041246731140cb2 has added the use of
ACK_SIZE and RELIABLE_ACK_SIZE in test_ssl.c. These are defined in
reliable.h which should be included through your ssl.h. Since our ssl.h is
being picked up, these never get defined and make check results in the
following error:

Seems the unit test compile flags could use a bit of shuffling to
have our local include first... and that should solve it (if nothing
else breaks, just test_ssl.c)

gert





[Openvpn-devel] [PATCH] Change include order for tests

2024-02-12 Thread Juliusz Sosinowicz
Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The openvpn/src 
directory needs to be included before include/wolfssl. include/wolfssl needs to 
be included so that openvpn can pick up wolfSSL compatibility headers instead 
of OpenSSL headers without changing the paths.

src/openvpn/Makefile.am does not need to be modified because AM_CPPFLAGS is 
placed before AM_CFLAGS in the output Makefile.

Signed-off-by: Juliusz Sosinowicz 
---
 tests/unit_tests/openvpn/Makefile.am | 62 +++-
 1 file changed, 34 insertions(+), 28 deletions(-)

diff --git a/tests/unit_tests/openvpn/Makefile.am 
b/tests/unit_tests/openvpn/Makefile.am
index ce6f8127..a4e6235f 100644
--- a/tests/unit_tests/openvpn/Makefile.am
+++ b/tests/unit_tests/openvpn/Makefile.am
@@ -41,7 +41,7 @@ if HAVE_SITNL
 check_PROGRAMS += networking_testdriver
 endif
 
-argv_testdriver_CFLAGS  = @TEST_CFLAGS@ -I$(top_srcdir)/src/openvpn 
-I$(top_srcdir)/src/compat
+argv_testdriver_CFLAGS  = -I$(top_srcdir)/src/openvpn 
-I$(top_srcdir)/src/compat @TEST_CFLAGS@
 argv_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn 
-Wl,--wrap=parse_line
 argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h \
mock_get_random.c \
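Review bot: the swap puts the project -I flags ahead of @TEST_CFLAGS@ within argv_testdriver_CFLAGS, but Automake's per-target compile line is $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(argv_testdriver_CFLAGS) $(CFLAGS), so a wolfSSL include path that a user passes through CPPFLAGS at configure time would still be searched before these directories. Moving the -I flags into an argv_testdriver_CPPFLAGS variable (which replaces $(AM_CPPFLAGS) and precedes $(CPPFLAGS)) would make the ordering hold regardless of how the library flags arrive, and matches the AM_CPPFLAGS-before-AM_CFLAGS observation in the commit message.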
@@ -50,15 +50,16 @@ argv_testdriver_SOURCES = test_argv.c mock_msg.c mock_msg.h 
\
$(top_srcdir)/src/openvpn/win32-util.c \
$(top_srcdir)/src/openvpn/argv.c
 
-buffer_testdriver_CFLAGS  = @TEST_CFLAGS@ -I$(top_srcdir)/src/openvpn 
-I$(top_srcdir)/src/compat
+buffer_testdriver_CFLAGS  = -I$(top_srcdir)/src/openvpn 
-I$(top_srcdir)/src/compat @TEST_CFLAGS@
 buffer_testdriver_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn 
-Wl,--wrap=parse_line
 buffer_testdriver_SOURCES = test_buffer.c mock_msg.c mock_msg.h \
mock_get_random.c \
$(top_srcdir)/src/openvpn/win32-util.c \
$(top_srcdir)/src/openvpn/platform.c
 
-crypto_testdriver_CFLAGS  = @TEST_CFLAGS@ \
-   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn
+crypto_testdriver_CFLAGS  = \
+   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn \
+   @TEST_CFLAGS@
 crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@
 crypto_testdriver_SOURCES = test_crypto.c mock_msg.c mock_msg.h \
$(top_srcdir)/src/openvpn/buffer.c \
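Review bot: from this hunk on the same three -I$(top_srcdir)/... flags are repeated verbatim in every *_CFLAGS block, each followed by @TEST_CFLAGS@; defining them once in a variable near the top of this Makefile.am and referencing it from each driver would keep the ordering fix in one place and stop a future driver from reintroducing @TEST_CFLAGS@ first. Separately, argv_testdriver and buffer_testdriver omit -I$(top_srcdir)/include while every other driver has it; if that is intentional (they pull in no crypto headers) a short comment would save the next reader the question.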
@@ -72,8 +73,9 @@ crypto_testdriver_SOURCES = test_crypto.c mock_msg.c 
mock_msg.h \
$(top_srcdir)/src/openvpn/win32-util.c \
$(top_srcdir)/src/openvpn/mss.c
 
-ssl_testdriver_CFLAGS  = @TEST_CFLAGS@ \
-   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn
+ssl_testdriver_CFLAGS  = \
+   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn \
+   @TEST_CFLAGS@
 ssl_testdriver_LDFLAGS = @TEST_LDFLAGS@  $(OPTIONAL_CRYPTO_LIBS)
 ssl_testdriver_SOURCES = test_ssl.c mock_msg.c mock_msg.h \
mock_management.c mock_ssl_dependencies.c mock_win32_execve.c \
@@ -106,8 +108,9 @@ if WIN32
 ssl_testdriver_LDADD =  -lcrypt32 -lncrypt -lfwpuclnt -liphlpapi -lws2_32
 endif
 
-packet_id_testdriver_CFLAGS  = @TEST_CFLAGS@ \
-   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn
+packet_id_testdriver_CFLAGS  = \
+   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn \
+   @TEST_CFLAGS@
 packet_id_testdriver_LDFLAGS = @TEST_LDFLAGS@
 packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c mock_msg.h \
mock_get_random.c \
@@ -119,8 +122,9 @@ packet_id_testdriver_SOURCES = test_packet_id.c mock_msg.c 
mock_msg.h \
$(top_srcdir)/src/openvpn/win32-util.c \
$(top_srcdir)/src/openvpn/session_id.c
 
-pkt_testdriver_CFLAGS  = @TEST_CFLAGS@ \
-   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn
+pkt_testdriver_CFLAGS  = \
+   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn \
+   @TEST_CFLAGS@
 pkt_testdriver_LDFLAGS = @TEST_LDFLAGS@
 pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h mock_win32_execve.c \
$(top_srcdir)/src/openvpn/argv.c \
@@ -141,8 +145,9 @@ pkt_testdriver_SOURCES = test_pkt.c mock_msg.c mock_msg.h 
mock_win32_execve.c \
$(top_srcdir)/src/openvpn/tls_crypt.c
 
 if !WIN32
-tls_crypt_testdriver_CFLAGS  = @TEST_CFLAGS@ \
-   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn
+tls_crypt_testdriver_CFLAGS  = \
+   -I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(top_srcdir)/src/openvpn \
+   @TEST_CFLAGS@
 tls_crypt_testdriver_LDFLAGS = @TEST_LDFLAGS@ \
-Wl,--wrap=buffer_read_from_file \
-Wl,--wrap=buffer_write_file \
@@ -164,9 +169,9 @@ tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c 
mock_msg.h \
 endif
 
 if HAVE_SITNL
-networking_testdriver_CFLAGS = @TEST_CFLAGS@ \
+networking_testdriver_CFLAGS = \
-I$(top_srcdir)/include -I$(top_srcdir)/src/compat 
-I$(

Re: [Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"

2024-02-12 Thread Juliusz Sosinowicz

Hi Arne,

commit 70b39f2bea9fd6e57f31e32b2041246731140cb2 has added the use of 
ACK_SIZE and RELIABLE_ACK_SIZE in test_ssl.c. These are defined in 
reliable.h which should be included through your ssl.h. Since our ssl.h 
is being picked up, these never get defined and make check results in 
the following error:


test_ssl.c: In function ‘init_frame_parameters’:
test_ssl.c:160:17: warning: implicit declaration of function ‘ACK_SIZE’ 
[-Wimplicit-function-declaration]

  160 | overhead += ACK_SIZE(RELIABLE_ACK_SIZE);
  | ^~~~
test_ssl.c:160:26: error: ‘RELIABLE_ACK_SIZE’ undeclared (first use in 
this function)

  160 | overhead += ACK_SIZE(RELIABLE_ACK_SIZE);
  |  ^

Somehow, this has never come up as an issue.

Sincerely
Juliusz Sosinowicz

On 09/02/2024 21:50, Arne Schwabe wrote:

Am 09.02.24 um 16:51 schrieb Juliusz Sosinowicz:
Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The 
include/wolfssl directory is included before openvpn/src. 
include/wolfssl needs to be included so that openvpn can pick up 
wolfSSL compatibility headers instead of OpenSSL headers without 
changing the paths.


Neither the ssl.h (2005, so forever) in OpenVPN nor the ssl.h in 
wolfssl (2014 according to git blame) are particularly new. Why is this 
now a problem when it was never before?


Arne


Re: [Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"

2024-02-12 Thread Juliusz Sosinowicz

Hi Frank,

thank you for the explanation. I did not test out-of-tree builds before 
submitting the patch. I'll try to implement Gert's solution and write a 
Makefile patch instead.


Sincerely
Juliusz Sosinowicz

On 09/02/2024 17:39, Frank Lichtenheld wrote:

On Fri, Feb 09, 2024 at 04:51:09PM +0100, Juliusz Sosinowicz wrote:

Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The 
include/wolfssl directory is included before openvpn/src. include/wolfssl needs to be 
included so that openvpn can pick up wolfSSL compatibility headers instead of OpenSSL 
headers without changing the paths.

This breaks out-of-tree builds. Currently we only add top_builddir to CFLAGS
(for config.h) but NOT top_srcdir. For in-tree builds these are identical
so the patch might appear to work. But it breaks otherwise. Further changes
to buildsystem configuration would be required.

Regards,





[Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"

2024-02-09 Thread Juliusz Sosinowicz
Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The 
include/wolfssl directory is included before openvpn/src. include/wolfssl needs 
to be included so that openvpn can pick up wolfSSL compatibility headers 
instead of OpenSSL headers without changing the paths.
---
 src/openvpn/auth_token.c | 2 +-
 src/openvpn/dco_linux.c  | 2 +-
 src/openvpn/manage.c | 2 +-
 src/openvpn/openvpn.h| 2 +-
 src/openvpn/options.c| 2 +-
 src/openvpn/ps.h | 2 +-
 src/openvpn/push.c   | 2 +-
 src/openvpn/ssl.c| 2 +-
 src/openvpn/tls_crypt.c  | 2 +-
 tests/unit_tests/openvpn/mock_ssl_dependencies.c | 2 +-
 tests/unit_tests/openvpn/test_pkcs11.c   | 2 +-
 tests/unit_tests/openvpn/test_ssl.c  | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index 6787ea7d..e020bdcb 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -12,7 +12,7 @@
 #include "auth_token.h"
 #include "push.h"
 #include "integer.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "ssl_verify.h"
 #include 
 
diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 3c91606b..eac81924 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -37,7 +37,7 @@
 
 #include "socket.h"
 #include "tun.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "fdmisc.h"
 #include "multi.h"
 #include "ssl_verify.h"
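Review bot: for the files under src/openvpn (this hunk and the other src/openvpn/*.c and *.h hunks) the change is not needed to resolve the conflict: a quoted #include "ssl.h" is searched first in the directory of the including file, so src/openvpn/dco_linux.c always finds src/openvpn/ssl.h before any -I path, and only sources outside that directory (the tests/unit_tests/openvpn drivers) can have the wolfSSL ssl.h shadow it. Limiting the patch to the test sources, or fixing the test include order in the Makefile, keeps the main tree's includes conventional.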
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 27b6f90e..11c922c5 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -37,7 +37,7 @@
 #include "otime.h"
 #include "integer.h"
 #include "misc.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "common.h"
 #include "manage.h"
 #include "openvpn.h"
diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index dabc5be4..3a3d1733 100644
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -28,7 +28,7 @@
 #include "options.h"
 #include "socket.h"
 #include "crypto.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "packet_id.h"
 #include "comp.h"
 #include "tun.h"
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2c79a1ec..cb06063e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -42,7 +42,7 @@
 #include "run_command.h"
 #include "shaper.h"
 #include "crypto.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "ssl_ncp.h"
 #include "options.h"
 #include "misc.h"
diff --git a/src/openvpn/ps.h b/src/openvpn/ps.h
index 2fe0c4c5..21427480 100644
--- a/src/openvpn/ps.h
+++ b/src/openvpn/ps.h
@@ -28,7 +28,7 @@
 
 #include "basic.h"
 #include "buffer.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 
 typedef void (*post_fork_cleanup_func_t)(void *arg);
 
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 22494340..854bf471 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -29,7 +29,7 @@
 
 #include "push.h"
 #include "options.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "ssl_verify.h"
 #include "ssl_ncp.h"
 #include "manage.h"
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 33c86704..ac077a1c 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -54,7 +54,7 @@
 #include "route.h"
 #include "tls_crypt.h"
 
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "ssl_verify.h"
 #include "ssl_backend.h"
 #include "ssl_ncp.h"
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 975d31fa..3df2bc61 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -33,7 +33,7 @@
 #include "platform.h"
 #include "run_command.h"
 #include "session_id.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 
 #include "tls_crypt.h"
 
diff --git a/tests/unit_tests/openvpn/mock_ssl_dependencies.c 
b/tests/unit_tests/openvpn/mock_ssl_dependencies.c
index 9231d655..da22bbfe 100644
--- a/tests/unit_tests/openvpn/mock_ssl_dependencies.c
+++ b/tests/unit_tests/openvpn/mock_ssl_dependencies.c
@@ -34,7 +34,7 @@
 #include 
 
 
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "ssl_verify.h"
 
 int
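Review bot: #include "src/openvpn/ssl.h" is relative to the source-tree root, which is only on the search path when building in-tree; as the reply in this thread notes, only top_builddir (for config.h) is added to CFLAGS, not top_srcdir, so an out-of-tree build will fail to find the header here and in test_pkcs11.c and test_ssl.c. Putting -I$(top_srcdir)/src/openvpn ahead of the wolfSSL include path in tests/unit_tests/openvpn/Makefile.am fixes the shadowing without hard-coding the path in the sources.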
diff --git a/tests/unit_tests/openvpn/test_pkcs11.c 
b/tests/unit_tests/openvpn/test_pkcs11.c
index 81cdf882..76cb80e5 100644
--- a/tests/unit_tests/openvpn/test_pkcs11.c
+++ b/tests/unit_tests/openvpn/test_pkcs11.c
@@ -33,7 +33,7 @@
 #include "xkey_common.h"
 #include "cert_data.h"
 #include "pkcs11.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 
 #include 
 #include 
diff --git a/tests/unit_tests/openvpn/test_ssl.c 
b/tests/unit_tests/openvpn/test_ssl.c
index 8c1fb5b2..893bf8ec 100644
--- a/tests/unit_tests/openvpn/test_ssl.c
+++ b/tests/unit_tests/openvpn/test_ssl.c
@@ -44,7 +44,7 @@
 #include "ssl_verify_backend.h"
 #include "win32.h"
 #include "test_common.h"
-#include 

[Openvpn-devel] [PATCH] wolfssl: include "ssl.h" by "src/openvpn/ssl.h"

2024-02-09 Thread Juliusz Sosinowicz
Including "ssl.h" conflicts with the wolfSSL ssl.h header file. The 
include/wolfssl directory is included before openvpn/src. include/wolfssl needs 
to be included so that openvpn can pick up wolfSSL compatibility headers 
instead of OpenSSL headers without changing the paths.

Signed-off-by: Juliusz Sosinowicz 
---
 src/openvpn/auth_token.c | 2 +-
 src/openvpn/dco_linux.c  | 2 +-
 src/openvpn/manage.c | 2 +-
 src/openvpn/openvpn.h| 2 +-
 src/openvpn/options.c| 2 +-
 src/openvpn/ps.h | 2 +-
 src/openvpn/push.c   | 2 +-
 src/openvpn/ssl.c| 2 +-
 src/openvpn/tls_crypt.c  | 2 +-
 tests/unit_tests/openvpn/mock_ssl_dependencies.c | 2 +-
 tests/unit_tests/openvpn/test_pkcs11.c   | 2 +-
 tests/unit_tests/openvpn/test_ssl.c  | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index 6787ea7d..e020bdcb 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -12,7 +12,7 @@
 #include "auth_token.h"
 #include "push.h"
 #include "integer.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "ssl_verify.h"
 #include 
 
diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c
index 3c91606b..eac81924 100644
--- a/src/openvpn/dco_linux.c
+++ b/src/openvpn/dco_linux.c
@@ -37,7 +37,7 @@
 
 #include "socket.h"
 #include "tun.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "fdmisc.h"
 #include "multi.h"
 #include "ssl_verify.h"
diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c
index 27b6f90e..11c922c5 100644
--- a/src/openvpn/manage.c
+++ b/src/openvpn/manage.c
@@ -37,7 +37,7 @@
 #include "otime.h"
 #include "integer.h"
 #include "misc.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "common.h"
 #include "manage.h"
 #include "openvpn.h"
diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h
index dabc5be4..3a3d1733 100644
--- a/src/openvpn/openvpn.h
+++ b/src/openvpn/openvpn.h
@@ -28,7 +28,7 @@
 #include "options.h"
 #include "socket.h"
 #include "crypto.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "packet_id.h"
 #include "comp.h"
 #include "tun.h"
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2c79a1ec..cb06063e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -42,7 +42,7 @@
 #include "run_command.h"
 #include "shaper.h"
 #include "crypto.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "ssl_ncp.h"
 #include "options.h"
 #include "misc.h"
diff --git a/src/openvpn/ps.h b/src/openvpn/ps.h
index 2fe0c4c5..21427480 100644
--- a/src/openvpn/ps.h
+++ b/src/openvpn/ps.h
@@ -28,7 +28,7 @@
 
 #include "basic.h"
 #include "buffer.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 
 typedef void (*post_fork_cleanup_func_t)(void *arg);
 
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index 22494340..854bf471 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -29,7 +29,7 @@
 
 #include "push.h"
 #include "options.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "ssl_verify.h"
 #include "ssl_ncp.h"
 #include "manage.h"
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 33c86704..ac077a1c 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -54,7 +54,7 @@
 #include "route.h"
 #include "tls_crypt.h"
 
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "ssl_verify.h"
 #include "ssl_backend.h"
 #include "ssl_ncp.h"
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 975d31fa..3df2bc61 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -33,7 +33,7 @@
 #include "platform.h"
 #include "run_command.h"
 #include "session_id.h"
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 
 #include "tls_crypt.h"
 
diff --git a/tests/unit_tests/openvpn/mock_ssl_dependencies.c 
b/tests/unit_tests/openvpn/mock_ssl_dependencies.c
index 9231d655..da22bbfe 100644
--- a/tests/unit_tests/openvpn/mock_ssl_dependencies.c
+++ b/tests/unit_tests/openvpn/mock_ssl_dependencies.c
@@ -34,7 +34,7 @@
 #include 
 
 
-#include "ssl.h"
+#include "src/openvpn/ssl.h"
 #include "ssl_verify.h"
 
 int

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2022-09-12 Thread Juliusz Sosinowicz

Arne,

the type casting warning was fixed in 
https://github.com/wolfSSL/wolfssl/pull/5571. OpenVPN should now compile 
without any warnings.


Juliusz

On 02/09/2022 11:50, Juliusz Sosinowicz wrote:

I'll try to propose a solution to avoid this warning.

Juliusz

On 01/09/2022 14:39, Arne Schwabe wrote:

(*)(const X509_NAME * const*, const X509_NAME * const*) {aka int
(*)(const struct WOLFSSL_X509_NAME * const*, const struct
WOLFSSL_X509_NAME * const*)}
In file included from /usr/local/include/wolfssl/openssl/ssl.h:35,
  from ssl_openssl.h:32,
  from ssl_backend.h:36,
  from ssl_openssl.c:44:
/usr/local/include/wolfssl/ssl.h:3534:47: note: expected
‘wolf_sk_compare_cb’ {aka ‘int (*)(const void * const*, const void *
const*)’} but argument is of type ‘int (*)(const X509_NAME * const*,
const X509_NAME * const*)’ {aka ‘int (*)(const struct 
WOLFSSL_X509_NAME

* const*, const struct WOLFSSL_X509_NAME * const*)’}
  3534 | WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)*
wolfSSL_sk_X509_NAME_new(
   |
^~~~
To make wolfSSL_sk_X509_NAME_new more universal we accept a function 
with void* parameters. This will unfortunately generate a warning 
when compiling with wolfSSL but won't affect functionality.



This issue is still present and still breaks compiling with -Werror. 
Are there any plans to address this?


Arne





Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2022-09-02 Thread Juliusz Sosinowicz

I'll try to propose a solution to avoid this warning.

Juliusz

On 01/09/2022 14:39, Arne Schwabe wrote:

(*)(const X509_NAME * const*, const X509_NAME * const*) {aka int
(*)(const struct WOLFSSL_X509_NAME * const*, const struct
WOLFSSL_X509_NAME * const*)}
In file included from /usr/local/include/wolfssl/openssl/ssl.h:35,
  from ssl_openssl.h:32,
  from ssl_backend.h:36,
  from ssl_openssl.c:44:
/usr/local/include/wolfssl/ssl.h:3534:47: note: expected
‘wolf_sk_compare_cb’ {aka ‘int (*)(const void * const*, const void *
const*)’} but argument is of type ‘int (*)(const X509_NAME * const*,
const X509_NAME * const*)’ {aka ‘int (*)(const struct WOLFSSL_X509_NAME
* const*, const struct WOLFSSL_X509_NAME * const*)’}
  3534 | WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)*
wolfSSL_sk_X509_NAME_new(
   |
^~~~
To make wolfSSL_sk_X509_NAME_new more universal we accept a function 
with void* parameters. This will unfortunately generate a warning 
when compiling with wolfSSL but won't affect functionality.



This issue is still present and still breaks compiling with -Werror. 
Are there any plans to address this?


Arne





Re: [Openvpn-devel] wolfSSL unit test failures

2022-08-31 Thread Juliusz Sosinowicz

Hi Everyone,

this leak has been fixed in wolfSSL in this pull request: 
https://github.com/wolfSSL/wolfssl/pull/5514


Sincerely
Juliusz

On 18/08/2022 00:40, Arne Schwabe wrote:

Hey,

currently we still have test failures in wolfSSL in

EVP_PKEY_CTX_new with clang asan. Github action patch that reproduces 
this also attached. With the OpenVPN 2.6 release coming up in the next 
months it would be good if these can be fixed. These look like problems

in the upstream wolfSSL code.


Details are below:

=
==19723==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 160 byte(s) in 4 object(s) allocated from:
    #0 0x49604d in malloc 
(/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d)
    #1 0x7f64e8318291 in wolfSSL_EVP_PKEY_CTX_new 
(/usr/local/lib/libwolfssl.so.34+0x9e291)


Indirect leak of 400 byte(s) in 2 object(s) allocated from:
    #0 0x49604d in malloc 
(/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d)
    #1 0x7f64e833c537 in wolfSSL_EVP_PKEY_new_ex 
(/usr/local/lib/libwolfssl.so.34+0xc2537)


Indirect leak of 240 byte(s) in 2 object(s) allocated from:
    #0 0x49604d in malloc 
(/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d)
    #1 0x7f64e82b4ac2 in _InitRng.isra.0 
(/usr/local/lib/libwolfssl.so.34+0x3aac2)


Indirect leak of 118 byte(s) in 2 object(s) allocated from:
    #0 0x49604d in malloc 
(/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d)
    #1 0x7f64e833c72b in wolfSSL_EVP_PKEY_new_mac_key 
(/usr/local/lib/libwolfssl.so.34+0xc272b)


SUMMARY: AddressSanitizer: 918 byte(s) leaked in 10 allocation(s).
FAIL: crypto_testdriver






Re: [Openvpn-devel] wolfSSL unit test failures

2022-08-18 Thread Juliusz Sosinowicz

Hi Arne,

thank you for your report. In the future, please send reports to 
supp...@wolfssl.com to guarantee the fastest possible response. This 
also helps us track bug reports. I have forwarded this report for you.


Either I or someone else will investigate this and get back to you with 
a solution soon.


Sincerely
Juliusz

On 18/08/2022 00:40, Arne Schwabe wrote:

Hey,

currently we still have test failures in wolfSSL in

EVP_PKEY_CTX_new with clang asan. Github action patch that reproduces 
this also attached. With the OpenVPN 2.6 release coming up in the next 
months it would be good if these can be fixed. These look like problems

in the upstream wolfSSL code.


Details are below:

=
==19723==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 160 byte(s) in 4 object(s) allocated from:
    #0 0x49604d in malloc 
(/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d)
    #1 0x7f64e8318291 in wolfSSL_EVP_PKEY_CTX_new 
(/usr/local/lib/libwolfssl.so.34+0x9e291)


Indirect leak of 400 byte(s) in 2 object(s) allocated from:
    #0 0x49604d in malloc 
(/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d)
    #1 0x7f64e833c537 in wolfSSL_EVP_PKEY_new_ex 
(/usr/local/lib/libwolfssl.so.34+0xc2537)


Indirect leak of 240 byte(s) in 2 object(s) allocated from:
    #0 0x49604d in malloc 
(/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d)
    #1 0x7f64e82b4ac2 in _InitRng.isra.0 
(/usr/local/lib/libwolfssl.so.34+0x3aac2)


Indirect leak of 118 byte(s) in 2 object(s) allocated from:
    #0 0x49604d in malloc 
(/home/runner/work/openvpn/openvpn/tests/unit_tests/openvpn/crypto_testdriver+0x49604d)
    #1 0x7f64e833c72b in wolfSSL_EVP_PKEY_new_mac_key 
(/usr/local/lib/libwolfssl.so.34+0xc272b)


SUMMARY: AddressSanitizer: 918 byte(s) leaked in 10 allocation(s).
FAIL: crypto_testdriver






[Openvpn-devel] [PATCH] README.wolfssl Update

2021-03-19 Thread Juliusz Sosinowicz
Updates for the wolfSSL README file:
- fix typos
- correct wolfSSL company spelling
- add a point of contact for users having problems using OpenVPN + wolfSSL

Signed-off-by: Juliusz Sosinowicz 
---
 README.wolfssl | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/README.wolfssl b/README.wolfssl
index d417807b..a5dfe31f 100644
--- a/README.wolfssl
+++ b/README.wolfssl
@@ -1,10 +1,11 @@
-Support for WolfSSL is implemented and maintained by WolfSSL Inc. The support 
is
-implemented using WolfSSL's compatiblity layer. The WolfSSL support in OpenVPN
+Support for wolfSSL is implemented and maintained by wolfSSL Inc. The support 
is
+implemented using wolfSSL's compatibility layer. The wolfSSL support in OpenVPN
 receives very limited testing/support from the OpenVPN community itself.
 
-If bugs in OpenVPN when using WolfSSL are encountered, the user should try to
-also compile OpenVPN with OpenSSL to determinate if these are bugs in the
-WolfSSL TLS implemenation or OpenVPN itself.
+If bugs in OpenVPN when using wolfSSL are encountered, the user should try to
+also compile OpenVPN with OpenSSL to determine if these are bugs in the
+wolfSSL TLS implementation or OpenVPN itself. If bugs are caused by compiling
+with wolfSSL, please contact supp...@wolfssl.com directly.
 
 To Build and Install,
 
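Review bot: the new last sentence sends users to wolfSSL support when bugs are "caused by compiling with wolfSSL", but the paragraph only tells them to rebuild with OpenSSL, not what to do with each outcome; stating both branches explicitly (reproducible with OpenSSL as well: report to OpenVPN; only with wolfSSL: contact wolfSSL support) would make the triage rule unambiguous. The company-name and typo corrections look right.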
@@ -21,7 +22,7 @@ make
 make install
 
 *
-Due to limitations in the wolfSSL TLS library or its compability layer, the
+Due to limitations in the wolfSSL TLS library or its compatibility layer, the
 following features are missing
 
  * blowfish support (BF-CBC), you must use something like
-- 
2.25.1





Re: [Openvpn-devel] [PATCH applied] Re: Add README.wolfssl documentating the state of WolfSSL in OpenVPN

2021-03-19 Thread Juliusz Sosinowicz

Could we get something like
"For issues with using OpenVPN with wolfSSL, please contact 
supp...@wolfssl.com."
in the README.wolfssl? This would help streamline comms for users and 
improve user experience. I can prepare a patch with this change. Thanks.


Sincerely
Juliusz

On 18/03/2021 14:22, Gert Doering wrote:

Acked-by: Gert Doering 

Your patch has been applied to the master branch.

(This is a fairly old patch which has been sitting in my queue, waiting
for the WolfSSL patch to be merged)

commit f38819b7e42ea99f6ae218be6e6345c397c1af4c
Author: Arne Schwabe
Date:   Fri Apr 17 09:43:45 2020 +0200

  Add README.wolfssl documentating the state of WolfSSL in OpenVPN

  Acked-by: Gert Doering 
  Message-Id: <20200417074345.5694-1-a...@rfc2549.org>
  URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19758.html
  Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering








Re: [Openvpn-devel] [PATCH] Add PKG_CHECK_VAR compatibility definition for old autoconf versions

2021-03-18 Thread Juliusz Sosinowicz
For reference, the version of pkg-config shipped on my Ubuntu 14 vm is 
0.26-1ubuntu4. It looks like the default packages are very outdated.


Juliusz

On 18/03/2021 21:52, David Sommerseth wrote:

On 18/03/2021 19:12, Juliusz Sosinowicz wrote:

PKG_CHECK_VAR is not available on older versions of autoconf. This
patch copies the definition generated by newer versions of autoconf to
be used for compatibility with older versions. Tested with automake
1.14.1-2ubuntu1 and autoconf 2.69-6.

Signed-off-by: Juliusz Sosinowicz 


I ended up doing some more investigation here, to better understand 
where this could fail.


So it seems this is not related to automake/autoconf versions.  It is 
related to pkg-config version, which is the one providing 
/usr/share/aclocal/pkg.m4 which provides the PKG_CHECK_VAR() macro.


<https://gitlab.freedesktop.org/pkg-config/pkg-config/-/commit/5b463c927b6caeb332bb147572ea82b1650ceb7d> 



What surprises me is that this was added to pkg-config 0.28, which was 
released on 2013-01-24.  The latest release, 0.29.2, was released on 
2017-03-20.


<https://gitlab.freedesktop.org/pkg-config/pkg-config/-/commit/74ceac54ef6f9247c00f08eecd8cca811a3c5934> 


<https://gitlab.freedesktop.org/pkg-config/pkg-config/-/tags>

It would be great to figure out if pkg-config is available on those 
build hosts failing without this change.  If it is present, it needs 
to be checked which version it is.


If this is due to an outdated pkg-config, I'm reluctant to give this 
patch an ACK.  Using properly up-to-date dependency stack should be a 
reasonable precondition to build OpenVPN.  If it is due to unavailable 
pkg-config, it's a different story.


Regardless, the commit message is incorrect.  But that can probably be 
fixed at commit time.








[Openvpn-devel] [PATCH] Add PKG_CHECK_VAR compatibility definition for old autoconf versions

2021-03-18 Thread Juliusz Sosinowicz
PKG_CHECK_VAR is not available on older versions of autoconf. This patch copies 
the definition generated by newer versions of autoconf to be used for 
compatibility with older versions. Tested with automake 1.14.1-2ubuntu1 and 
autoconf 2.69-6.

Signed-off-by: Juliusz Sosinowicz 
---
 compat.m4 | 16 
 1 file changed, 16 insertions(+)

diff --git a/compat.m4 b/compat.m4
index e54a7203..47650f6d 100644
--- a/compat.m4
+++ b/compat.m4
@@ -64,6 +64,22 @@ ifdef(
AC_DEFUN([AC_TYPE_UINT64_T], [])
]
 )
+ifdef(
+   [PKG_CHECK_VAR],
+   ,
+   [
+   AC_DEFUN([PKG_CHECK_VAR],
+   [AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+   AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])
+
+   _PKG_CONFIG([$1], [variable="][$3]["], [$2])
+   AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+   AS_VAR_IF([$1], [""], [$5], [$4])
+   ])
+   ]
+)
+
 if test -z "${docdir}"; then
docdir="\$(datadir)/doc/\$(PACKAGE_NAME)"
AC_SUBST([docdir])
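Review bot: the fallback body depends on `PKG_PROG_PKG_CONFIG` and on `_PKG_CONFIG`, both supplied by pkg-config's pkg.m4 rather than by autoconf, so it only rescues hosts whose pkg.m4 predates PKG_CHECK_VAR (pkg-config 0.28) and does nothing for a host with no pkg.m4 at all; the commit message should say "older pkg-config" instead of "older versions of autoconf". `_PKG_CONFIG` is also an underscore-prefixed private macro whose argument convention is not guaranteed across pkg.m4 releases, so either record in a comment which pkg.m4 version the text was copied from, or drop it and run `$PKG_CONFIG --variable=$3 $2` yourself, which needs nothing beyond PKG_PROG_PKG_CONFIG.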
-- 
2.25.1





[Openvpn-devel] [PATCH] Add PKG_CHECK_VAR compatibility definition for old autoconf versions

2021-03-18 Thread Juliusz Sosinowicz
Signed-off-by: Juliusz Sosinowicz 
---
 compat.m4 | 16 
 1 file changed, 16 insertions(+)

diff --git a/compat.m4 b/compat.m4
index e54a7203..47650f6d 100644
--- a/compat.m4
+++ b/compat.m4
@@ -64,6 +64,22 @@ ifdef(
AC_DEFUN([AC_TYPE_UINT64_T], [])
]
 )
+ifdef(
+   [PKG_CHECK_VAR],
+   ,
+   [
+   AC_DEFUN([PKG_CHECK_VAR],
+   [AC_REQUIRE([PKG_PROG_PKG_CONFIG])
+   AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])
+
+   _PKG_CONFIG([$1], [variable="][$3]["], [$2])
+   AS_VAR_COPY([$1], [pkg_cv_][$1])
+
+   AS_VAR_IF([$1], [""], [$5], [$4])
+   ])
+   ]
+)
+
 if test -z "${docdir}"; then
docdir="\$(datadir)/doc/\$(PACKAGE_NAME)"
AC_SUBST([docdir])
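Review bot: this copy of the patch has no commit message body (the resend above carries the rationale and the automake/autoconf versions it was tested with); a shim in compat.m4 needs to state which macro it emulates, where the text was copied from and why the `ifdef` guard is there, otherwise it reads as dead code to the next person cleaning up compat.m4.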
-- 
2.25.1





Re: [Openvpn-devel] [PATCH applied] Re: Support for wolfSSL in OpenVPN

2021-03-18 Thread Juliusz Sosinowicz

Hi Gert,

which version of autoconf exactly is causing this explosion?

Juliusz

On 18/03/2021 14:56, Gert Doering wrote:

Hi,

On Thu, Mar 18, 2021 at 02:21:02PM +0100, Gert Doering wrote:

Your patch has been applied to the master branch.

I have not tested actual WolfSSL builds, but done a quick compile test
to see if it would break old/new openssl or old/new mbedtls configure
runs.  All works :-)

Well.  That was too fast.

I did not test with older autoconf versions, and it turns out that
PKG_CHECK_VAR() is not supported on older versions - this got introduced
by the WolfSSL patch, and half our buildbots have exploded (Ubuntu 16,
Ubuntu 18, NetBSD 8.1).

So, we need a fix for that... possibly some addition to our m4/ directory,
or a rewrite of this configure.ac hunk.

And we want it quick, because our buildbot infrastructure is half-down
now...

gert






[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2021-03-17 Thread Juliusz Sosinowicz
This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library. The wolfSSL installation directory is detected 
using pkg-config.

As requested by OpenVPN maintainers, this patch does not include 
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in 
the configure script wolfSSL will include wolfssl/options.h on its own (change 
added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an 
option `--disable-wolfssl-options-h` in case the user would like to supply 
their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by: Juliusz Sosinowicz 
---
 configure.ac  | 110 +-
 src/openvpn/syshead.h |   3 +-
 2 files changed, 110 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index c65df3e2c..61ed56500 100644
--- a/configure.ac
+++ b/configure.ac
@@ -264,16 +264,23 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
[crypto-library],
-   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
case "${withval}" in
-   openssl|mbedtls) ;;
+   openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for 
--with-crypto-library]) ;;
esac
],
[with_crypto_library="openssl"]
 )
 
+AC_ARG_ENABLE(
+   [wolfssl-options-h],
+   [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including 
options.h in wolfSSL @<:@default=yes@:>@])],
+   ,
+   [enable_wolfssl_options_h="yes"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
plugindir="${PLUGINDIR}"
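Review bot: the help string `[Disable including options.h in wolfSSL @<:@default=yes@:>@]` is confusing next to a `--disable-` flag (yes to what?) and names the header differently from the `wolfssl/options.h` check later in the patch; say what the default does, e.g. `[AS_HELP_STRING([--disable-wolfssl-options-h], [do not let the wolfSSL headers include wolfssl/options.h; supply your own settings file instead @<:@default=include@:>@])]`.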
@@ -1019,6 +1026,105 @@ elif test "${with_crypto_library}" = "mbedtls"; then
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+   AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include 
directory should
+ contain the 
regular wolfSSL header files but also the 
+ wolfSSL 
OpenSSL header files. Ex: -I/usr/local/include 
+ 
-I/usr/local/include/wolfssl])
+   AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+
+   if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+   # if the user did not explicitly specify flags, try to 
autodetect
+   PKG_CHECK_MODULES(
+   [WOLFSSL],
+   [wolfssl],
+   [],
+   [AC_MSG_ERROR([Could not find wolfSSL.])]
+   )
+   PKG_CHECK_VAR(
+   [WOLFSSL_INCLUDEDIR], 
+   [wolfssl], 
+   [includedir], 
+   [],
+   [AC_MSG_ERROR([Could not find wolfSSL includedir 
variable.])]
+   )
+   WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} 
-I${WOLFSSL_INCLUDEDIR}/wolfssl"
+   fi
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+   CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}"
+   LIBS="${LIBS} ${WOLFSSL_LIBS}"
+
+   AC_CHECK_LIB(
+   [wolfssl],
+   [wolfSSL_Init],
+   [],
+   [AC_MSG_ERROR([Could not link wolfSSL library.])]
+   )
+   AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header 
wolfssl/options.h not found!])])
+   
+   # wolfSSL signal EKM support
+   have_export_keying_material="yes"
+
+   AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these 
are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these a
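Review bot: the autodetect guard `if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"` skips pkg-config when only one of the two variables is set, so the other stays empty and the problem surfaces later as "Could not link wolfSSL library." or a missing wolfssl/options.h rather than as a clear configure error; either autodetect whenever either variable is empty, or AC_MSG_ERROR when exactly one is set. Also, `saved_CFLAGS`/`saved_LIBS` are assigned twice, once before the `if` and once after it; one copy can go.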

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2021-03-17 Thread Juliusz Sosinowicz
My apologies. I didn't notice your reply Gert. I will submit an updated 
patch.


Sincerely
Juliusz

On 17/03/2021 18:22, Gert Doering wrote:

Hi,

On Wed, Mar 17, 2021 at 06:13:04PM +0100, Arne Schwabe wrote:

I would consider this an ACK. @Gert do you want a new version with the
configure.ac fixed?

Since this is a real code change, I'd prefer to have an updated patch
with that change included.

gert






Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2021-03-17 Thread Juliusz Sosinowicz

Hi Arne,

wolfSSL does not support Ed25519 certificates in the compatibility layer.

I added the EKM signaling locally. I can submit the patch with this 
modification if you would like me to.


Sincerely
Juliusz

On 17/03/2021 18:13, Arne Schwabe wrote:

Am 12.03.21 um 16:12 schrieb Juliusz Sosinowicz:

Hi Arne,

I found that the connecting issue is that
wolfSSL_CTX_set_min_proto_version will fail when the user (in this case
OpenVPN) tries to set a protocol version that was not compiled in. I
modified our configure.ac script when building for OpenVPN along with
some additional fixes in this pull request:
https://github.com/wolfSSL/wolfssl/pull/3871

I also found an error in one of OpenVPN's unit tests. I submitted a
patch for that test in a separate email.

Using an Ed25519 certificate results in

2021-03-17 14:57:23 us=212254 OpenSSL: unknown error number
2021-03-17 14:57:23 us=212262 Cannot load certificate file
/Users/arne/tmp/alice.pem
2021-03-17 14:57:23 us=212265 Exiting due to fatal error


The configure.ac of WolfSSL should be updated to signal EKM support:


AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header
wolfssl/options.h not found!])])
 fi

+ # Wolfssl emulate OpenSSL and has EKM
+   have_export_keying_material="yes"
+
 AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS
since these are defined as macros])
 AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS
since these are defined as macros])
 AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS
since these are defined as macros])
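Review bot: setting `have_export_keying_material="yes"` unconditionally assumes the wolfSSL that pkg-config found was built with keying-material export; when it was not, the failure moves from configure to compile time (elsewhere in this thread the build stops with `implicit declaration of function 'wolfSSL_export_keying_material'` for exactly that case). An `AC_CHECK_LIB([wolfssl], [wolfSSL_export_keying_material], [have_export_keying_material="yes"], [AC_MSG_ERROR([wolfSSL was built without keying material export])])` run with the wolfSSL CFLAGS/LIBS in place would report it at configure time with a usable message.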

Other than it seem to work in the tests that I threw at it.

I would consider this an ACK. @Gert do you want a new version with the
configure.ac fixed?

Arne






Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2021-03-12 Thread Juliusz Sosinowicz

Hi Arne,

I found that the connecting issue is that 
wolfSSL_CTX_set_min_proto_version will fail when the user (in this case 
OpenVPN) tries to set a protocol version that was not compiled in. I 
modified our configure.ac script when building for OpenVPN along with 
some additional fixes in this pull request: 
https://github.com/wolfSSL/wolfssl/pull/3871


I also found an error in one of OpenVPN's unit tests. I submitted a 
patch for that test in a separate email.


Sincerely
Juliusz

On 03/03/2021 13:34, Arne Schwabe wrote:

Am 22.02.21 um 16:28 schrieb Juliusz Sosinowicz:

Hi Arne,

have you had any success in compiling OpenVPN with wolfSSL?


Yes, sorry for taking so long. However the client does not work with my
test config (those are on my mac):

2021-03-03 13:19:11 library versions: wolfSSL 4.7.1
2021-03-03 13:19:11 tls_ctx_set_tls_versions: failed to set minimum TLS
version
2021-03-03 13:19:11 Error: private key password verification failed
2021-03-03 13:19:11 Exiting due to fatal error

Note that this profile just has an inline ,  and  section.

Another profile, just with  and without certificates fails with:

sudo ./src/openvpn/openvpn ~/dl/focal_generic.ovpn
2021-03-03 13:21:52 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN
version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC'
to --data-ciphers or change --cipher 'AES-256-CBC' to
--data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-03-03 13:21:52 OpenVPN 2.6_git
[git:review/wolfsll/5594040c534f20e3+] x86_64-apple-darwin20.3.0 [SSL
(OpenSSL)] [LZ4] [MH/RECVDA] [AEAD] built on Mar  3 2021
2021-03-03 13:21:52 library versions: wolfSSL 4.7.1
Enter Auth Username:arne
Enter Auth Password:
2021-03-03 13:21:58 Cannot load CA certificate file [[INLINE]] (no
entries were read)
2021-03-03 13:21:58 Exiting due to fatal error

To see if the problem is isolated to my macbook, I tried again on Ubuntu
20.10.

% make check
[...]
If the addresses are in use, this test will retry up to two times.
2021-03-03 12:28:25 Cipher negotiation is disabled since neither P2MP
client nor server mode is enabled
2021-03-03 12:28:25 WARNING: file 'sample-keys/server.key' is group or
others accessible
2021-03-03 12:28:25 WARNING: file 'sample-keys/ta.key' is group or
others accessible
2021-03-03 12:28:25 OpenVPN 2.6_git
[git:review/wolfsll/5594040c534f20e3+] x86_64-pc-linux-gnu [SSL
(OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar  3 2021
2021-03-03 12:28:25 library versions: wolfSSL 4.7.1, LZO 2.10
2021-03-03 12:28:25 net_route_v4_best_gw query: dst 0.0.0.0
2021-03-03 12:28:25 net_route_v4_best_gw result: via 192.168.188.1 dev eth0
2021-03-03 12:28:25 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
2021-03-03 12:28:25 Cipher negotiation is disabled since neither P2MP
client nor server mode is enabled
2021-03-03 12:28:25 OpenVPN 2.6_git
[git:review/wolfsll/5594040c534f20e3+] x86_64-pc-linux-gnu [SSL
(OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar  3 2021
2021-03-03 12:28:25 library versions: wolfSSL 4.7.1, LZO 2.10
2021-03-03 12:28:25 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
2021-03-03 12:28:25 tls_ctx_set_tls_versions: failed to set minimum TLS
version
2021-03-03 12:28:25 Error: private key password verification failed
2021-03-03 12:28:25 Exiting due to fatal error
FAIL: t_cltsrv.sh
Test 0: OK
Test 1: OK
Test 2: OK
Test 3: OK
Test 4: OK
Test 5: OK
Test 6: OK
Test 7: OK
PASS: t_net.sh

1 of 3 tests failed
(1 test was not run)
Please report to openvpn-us...@lists.sourceforge.net


Same result for the configs. I tested a config with a non-inlined file
then:

[12:32]arne@bionic-client:~% ./wolfo2build/./src/openvpn/openvpn
focal_generic.ovpn
2021-03-03 12:32:54 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but
missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN
version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC'
to --data-ciphers or change --cipher 'AES-256-CBC' to
--data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-03-03 12:32:54 OpenVPN 2.6_git
[git:review/wolfsll/5594040c534f20e3+] x86_64-pc-linux-gnu [SSL
(OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar  3 2021
2021-03-03 12:32:54 library versions: wolfSSL 4.7.1, LZO 2.10
Enter Auth Username:j
Enter Auth Password:
2021-03-03 12:32:56 Cannot load CA certificate file focal-ca.pem (no
entries were read)
2021-03-03 12:32:56 Exiting due to fatal error
[12:32]{1}arne@bionic-client:~% openssl x509 -in focal-ca.pem
-BEGIN CERTIFICATE-
MIHzMIGmoAMCAQICAgDrMAUGAytlcDASMRAwDgYDVQQDDAdlZDI1IENBMB4XDTIx
MDEwNzE3MjQxNloXDTMxMDEwNjE3MjQxNlowEjEQMA4GA1UEAwwHZWQyNSBDQTAq

[Openvpn-devel] [PATCH] EVP_DigestSignFinal siglen parameter correction

2021-03-12 Thread Juliusz Sosinowicz
In the EVP_DigestSignFinal API, "before the call the siglen parameter should 
contain the length of the sig buffer".

Signed-off-by: Juliusz Sosinowicz 
---
 src/openvpn/crypto_openssl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 49698e4b3..4486d246d 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -1195,7 +1195,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 EVP_MD_CTX ctx, ctx_tmp, ctx_init;
 EVP_PKEY *mac_key;
 unsigned char A1[EVP_MAX_MD_SIZE];
-size_t A1_len;
+size_t A1_len = EVP_MAX_MD_SIZE;
 int ret = false;
 
 chunk = EVP_MD_size(md);
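Review bot: initialising `A1_len` to `EVP_MAX_MD_SIZE` matches the `A1[EVP_MAX_MD_SIZE]` buffer and repairs the uninitialised in-parameter, but add a comment on the declaration saying that EVP_DigestSignFinal reads `*siglen` as the buffer capacity before it stores the output length; without it the next cleanup will "simplify" this back to a bare `size_t A1_len;` and reintroduce the bug this patch fixes.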
@@ -1249,6 +1249,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 
 if (olen > chunk)
 {
+j = olen;
 if (!EVP_DigestSignFinal(, out, ))
 {
 goto err;
@@ -1263,6 +1264,7 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 }
 else
 {
+A1_len = EVP_MAX_MD_SIZE;
 /* last one */
 if (!EVP_DigestSignFinal(, A1, _len))
 {
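Review bot: the reset `A1_len = EVP_MAX_MD_SIZE;` before the last call deserves a one-line comment saying why it is needed (the preceding EVP_DigestSignFinal into `A1` leaves `A1_len` holding the digest length, not the buffer size); without it a reader will see the initialisation in the first hunk, treat this assignment as redundant and remove it.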
-- 
2.25.1





Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2021-02-22 Thread Juliusz Sosinowicz

Hi Arne,

have you had any success in compiling OpenVPN with wolfSSL?

Sincerely
Juliusz

On 15/02/2021 13:13, Juliusz Sosinowicz wrote:

Hi Arne,

the pull request has been merged to the wolfSSL master branch and will 
be included in the next wolfSSL release. Your issue has been resolved. 
Are you able to try compiling again?


Sincerely
Juliusz

On 27/01/2021 20:07, Arne Schwabe wrote:

Am 27.01.21 um 18:25 schrieb Juliusz Sosinowicz:

Hi Arne,

I believe I fixed the issues that you mentioned in your review of the
patch for wolfSSL. I have sent a new patch tested on the latest master
branch on OpenVPN along with the version of wolfSSL found in this pull
request: https://github.com/wolfSSL/wolfssl/pull/3697 .


Unfortunately, I am still not able to compile that branch on
macOS/clang. It seems wolfssl uses -Werror and this breaks it. On a quick
check I also don't see an option to disable this behaviour in configure.

The master branch compiles but that doesn't work for OpenVPN.

src/tls13.c:806:50: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 protocol, protocolLen, (byte*)label, labelLen,
  ^~~~
src/tls13.c:812:38: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 ret = wc_Hash(hashType, context, contextLen, hashOut,
WC_MAX_DIGEST_SIZE);
   ~~~    ^~
src/tls13.c:816:34: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen,
   ~  ^~
   CC   examples/server/testsuite_testsuite_test-server.o
   CC   testsuite/testsuite_test-testsuite.o
   CC   tests/unit_test-unit.o
3 errors generated.
make[2]: *** [src/libwolfssl_la-tls13.lo] Error 1
make[2]: *** Waiting for unfinished jobs
src/ssl.c:11527:61: error: implicit conversion loses integer precision:
'unsigned long' to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 word32 seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + 
contextLen;

    ~~~ ~^~~~
src/ssl.c:11591:25: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN,
 ~~  ^~
src/ssl.c:11592:27: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 (byte*)label, labelLen, seed, seedLen, 
IsAtLeastTLSv1_2(ssl),

   ^~~~
3 errors generated.
make[2]: *** [src/libwolfssl_la-ssl.lo] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
Time: 0h:00m:27s







Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2021-02-15 Thread Juliusz Sosinowicz

Hi Arne,

the pull request has been merged to the wolfSSL master branch and will 
be included in the next wolfSSL release. Your issue has been resolved. 
Are you able to try compiling again?


Sincerely
Juliusz

On 27/01/2021 20:07, Arne Schwabe wrote:

Am 27.01.21 um 18:25 schrieb Juliusz Sosinowicz:

Hi Arne,

I believe I fixed the issues that you mentioned in your review of the
patch for wolfSSL. I have sent a new patch tested on the latest master
branch on OpenVPN along with the version of wolfSSL found in this pull
request: https://github.com/wolfSSL/wolfssl/pull/3697 .


Unfortunately, I am still not able to compile that branch on
macOS/clang. It seems wolfssl uses -Werror and this breaks it. On a quick
check I also don't see an option to disable this behaviour in configure.

The master branch compiles but that doesn't work for OpenVPN.

src/tls13.c:806:50: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 protocol, protocolLen, (byte*)label, labelLen,
  ^~~~
src/tls13.c:812:38: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 ret = wc_Hash(hashType, context, contextLen, hashOut,
WC_MAX_DIGEST_SIZE);
   ~~~^~
src/tls13.c:816:34: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen,
   ~  ^~
   CC   examples/server/testsuite_testsuite_test-server.o
   CC   testsuite/testsuite_test-testsuite.o
   CC   tests/unit_test-unit.o
3 errors generated.
make[2]: *** [src/libwolfssl_la-tls13.lo] Error 1
make[2]: *** Waiting for unfinished jobs
src/ssl.c:11527:61: error: implicit conversion loses integer precision:
'unsigned long' to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 word32 seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + contextLen;
~~~ ~^~~~
src/ssl.c:11591:25: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN,
 ~~  ^~
src/ssl.c:11592:27: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 (byte*)label, labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl),
   ^~~~
3 errors generated.
make[2]: *** [src/libwolfssl_la-ssl.lo] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
Time: 0h:00m:27s







Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2021-01-28 Thread Juliusz Sosinowicz

Hi Arne,

our CI tests caught that as well. I was able to fix it quickly but it 
looks like you were even quicker :D The latest version of the PR should 
be free from the implicit conversion errors.


Sincerely
Juliusz

On 27/01/2021 20:07, Arne Schwabe wrote:

Am 27.01.21 um 18:25 schrieb Juliusz Sosinowicz:

Hi Arne,

I believe I fixed the issues that you mentioned in your review of the
patch for wolfSSL. I have sent a new patch tested on the latest master
branch on OpenVPN along with the version of wolfSSL found in this pull
request: https://github.com/wolfSSL/wolfssl/pull/3697 .


Unfortunately, I am still not able to compile that branch on
macOS/clang. It seems wolfssl uses -Werror and this breaks it. On a quick
check I also don't see an option to disable this behaviour in configure.

The master branch compiles but that doesn't work for OpenVPN.

src/tls13.c:806:50: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 protocol, protocolLen, (byte*)label, labelLen,
  ^~~~
src/tls13.c:812:38: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 ret = wc_Hash(hashType, context, contextLen, hashOut,
WC_MAX_DIGEST_SIZE);
   ~~~^~
src/tls13.c:816:34: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen,
   ~  ^~
   CC   examples/server/testsuite_testsuite_test-server.o
   CC   testsuite/testsuite_test-testsuite.o
   CC   tests/unit_test-unit.o
3 errors generated.
make[2]: *** [src/libwolfssl_la-tls13.lo] Error 1
make[2]: *** Waiting for unfinished jobs
src/ssl.c:11527:61: error: implicit conversion loses integer precision:
'unsigned long' to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 word32 seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + contextLen;
~~~ ~^~~~
src/ssl.c:11591:25: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN,
 ~~  ^~
src/ssl.c:11592:27: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 (byte*)label, labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl),
   ^~~~
3 errors generated.
make[2]: *** [src/libwolfssl_la-ssl.lo] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
Time: 0h:00m:27s







[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2021-01-27 Thread Juliusz Sosinowicz
This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library. The wolfSSL installation directory is detected 
using pkg-config.

As requested by OpenVPN maintainers, this patch does not include 
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in 
the configure script wolfSSL will include wolfssl/options.h on its own (change 
added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an 
option `--disable-wolfssl-options-h` in case the user would like to supply 
their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by: Juliusz Sosinowicz 
---
 configure.ac  | 107 +-
 src/openvpn/syshead.h |   3 +-
 2 files changed, 107 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 1ab8fe59d..96321a1e4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -264,16 +264,23 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
[crypto-library],
-   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
case "${withval}" in
-   openssl|mbedtls) ;;
+   openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for 
--with-crypto-library]) ;;
esac
],
[with_crypto_library="openssl"]
 )
 
+AC_ARG_ENABLE(
+   [wolfssl-options-h],
+   [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including 
options.h in wolfSSL @<:@default=yes@:>@])],
+   ,
+   [enable_wolfssl_options_h="yes"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
plugindir="${PLUGINDIR}"
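Review bot: `AC_ARG_ENABLE([wolfssl-options-h], ...)` is registered for every build, so `--disable-wolfssl-options-h` together with `--with-crypto-library=openssl` or `mbedtls` is silently accepted and ignored; either move the option into the wolfssl branch of the crypto-library selection, or AC_MSG_ERROR when it is given and `${with_crypto_library}` is not wolfssl, the way the `case` above rejects an unknown library name.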
@@ -1019,6 +1026,102 @@ elif test "${with_crypto_library}" = "mbedtls"; then
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+   AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl. The include 
directory should
+ contain the 
regular wolfSSL header files but also the 
+ wolfSSL 
OpenSSL header files. Ex: -I/usr/local/include 
+ 
-I/usr/local/include/wolfssl])
+   AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+
+   if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+   # if the user did not explicitly specify flags, try to 
autodetect
+   PKG_CHECK_MODULES(
+   [WOLFSSL],
+   [wolfssl],
+   [],
+   [AC_MSG_ERROR([Could not find wolfSSL.])]
+   )
+   PKG_CHECK_VAR(
+   [WOLFSSL_INCLUDEDIR], 
+   [wolfssl], 
+   [includedir], 
+   [],
+   [AC_MSG_ERROR([Could not find wolfSSL includedir 
variable.])]
+   )
+   WOLFSSL_CFLAGS="${WOLFSSL_CFLAGS} 
-I${WOLFSSL_INCLUDEDIR}/wolfssl"
+   fi
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+   CFLAGS="${CFLAGS} ${WOLFSSL_CFLAGS}"
+   LIBS="${LIBS} ${WOLFSSL_LIBS}"
+
+   AC_CHECK_LIB(
+   [wolfssl],
+   [wolfSSL_Init],
+   [],
+   [AC_MSG_ERROR([Could not link wolfSSL library.])]
+   )
+   AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL header 
wolfssl/options.h not found!])])
+
+   AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these 
are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FU
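Review bot: `PKG_CHECK_VAR` only exists in pkg.m4 from pkg-config 0.28 onwards; on a host with an older pkg-config the macro is left unexpanded and autoreconf/configure break (elsewhere in this thread this is exactly what happens on the Ubuntu 16, Ubuntu 18 and NetBSD 8.1 buildbots). Since PKG_CHECK_MODULES has already run, the include directory can be fetched with `$PKG_CONFIG --variable=includedir wolfssl` plus a `test -n` check, which needs nothing newer than PKG_PROG_PKG_CONFIG; otherwise the macro needs a fallback definition in compat.m4.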

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-12-03 Thread Juliusz Sosinowicz

Hi Arne,

I didn't send a new patch yet because I only wanted to provide an update 
that progress is being made. I'm attaching an updated patch if you are 
interested.


I didn't get that error when compiling wolfSSL with the compile options 
you provided. Is it possible that you didn't run `autoreconf` after 
pulling in the latest commit in the branch but before running the 
configure script?


The warning is due to wolfSSL using a generic compare function 
definition with pointers to void as parameters.


Sincerely
Juliusz

On 03/12/2020 13:22, Arne Schwabe wrote:

Am 19.11.20 um 13:23 schrieb Juliusz Sosinowicz:

Hi Arne,

some time has passed and I was able to address most of your comments in
my branch
https://github.com/julek-wolfssl/wolfssl/tree/openvpn-2.5-missing-stuff

To summarize what has been done regarding your comments:

   * SHA1 was indeed being called SHA in wolfSSL. I changed this in favor
 of just using SHA1.
   * in configure.ac I used David Sommerseth's suggestion to use
 PKG_CHECK_MODULES to get the wolfSSL installation directory.

Did you post that new patch here? I don't see an updated patch.


   * setting tls min and max is currently not working in the branch that
 I linked above but we have a big compatibility layer PR pending that
 appears to fix these issues. Once it is merged I'll revisit this
 issue and make sure it is solved.
   * show-tls is fixed but it also relies on the PR I mentioned earlier.
 After that is merged this should be solved.
   * tls-ciphersuites and tls-cipher appears to be working in general.
 Should wolfSSL reject the specified cipher if for example a TLS 1.3
 cipher is set using --tls-cipher?

Well that is a general question you have to answer yourself on OpenSSL
compatibility. I don't think this is just for OpenVPN.


   * unfortunately wolfSSL does not support ed448 certificates.

That is not a show stopper. Mbed TLS does not support them either.


   * tls-groups now checks the validity of the passed in curves
   * since OpenVPN will make use of TLS EKM, exporting keying material has
 been implemented in wolfSSL.

Great!


   * I haven't tested OpenVPN with the FIPS mode patch so that issue is
 still pending. Once I get a chance to test it I will also change
 wolfSSL to target 1.1.0+ API

Thanks for your patience!


Hey I am trying to check on this. Since I haven't found the new patch. I
am trying to use it with the old one:

I am getting an error related to EKM:

./../../openvpn-git/src/openvpn/ssl_openssl.c:166:9: error: implicit
declaration of function 'wolfSSL_export_keying_material' is invalid in C99
   [-Werror,-Wimplicit-function-declaration]
 if (SSL_export_keying_material(ssl, ekm, ekm_size, label,


So I tried ./configure --enable-openvpn --enable-keying-material for
WolfSSL but that failed during compile:

src/tls13.c:806:50: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
   [-Werror,-Wshorten-64-to-32]
 protocol, protocolLen, (byte*)label, labelLen,
  ^~~~
src/tls13.c:812:38: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
   [-Werror,-Wshorten-64-to-32]
 ret = wc_Hash(hashType, context, contextLen, hashOut,
WC_MAX_DIGEST_SIZE);
   ~~~^~
src/tls13.c:816:34: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
   [-Werror,-Wshorten-64-to-32]
 ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen,
   ~  ^~
   CC   tests/unit_test-unit.o
src/ssl.c:11526:61: error: implicit conversion loses integer precision:
'unsigned long' to 'word32' (aka 'unsigned int')
[-Werror,-Wshorten-64-to-32]
 word32 seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + contextLen;
~~~ ~^~~~
src/ssl.c:11590:25: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
   [-Werror,-Wshorten-64-to-32]
 if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN,
 ~~  ^~
src/ssl.c:11591:27: error: implicit conversion loses integer precision:
'size_t' (aka 'unsigned long') to 'word32' (aka 'unsigned int')
   [-Werror,-Wshorten-64-to-32]
 (byte*)label, labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl),



I am also seeing another warning during the compilation:

../../../openvpn-git/src/openvpn/ssl_openssl.c:1559:55: warning:
incompatible pointer types passing 'int (const X509_NAME *const *, const
   X509_NAME *const *)' (aka 'int (const struct WOLFSSL_X509_NAME
*const *, const struct WOLFSSL_X509_NAME *const *)') to parameter of type
   'wolf_sk_compare_cb' (aka 'int (*)(cons
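
The `-Wshorten-64-to-32` errors above all come from length arithmetic in wolfSSL's keying-material export, where a `size_t` is narrowed to `word32`. As an added example (not wolfSSL or OpenVPN code), this C snippet builds the RFC 5705 exporter seed the same way the quoted `seedLen = SEED_LEN + 2 + contextLen` line does, but with explicit bounds checks so the narrowing can never truncate a length; the 32-byte randoms and the 3-byte context are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not wolfSSL or OpenVPN code. It models the RFC 5705
 * exporter seed that the quoted src/ssl.c line computes as
 *   seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + contextLen;
 * and shows explicit bounds checks so that the size_t -> word32 narrowing
 * flagged by -Wshorten-64-to-32 can never truncate a length. */

typedef uint32_t word32;              /* stand-in for wolfSSL's word32 */
#define RAN_LEN         32            /* TLS client/server random size */
#define SEED_LEN        (2 * RAN_LEN) /* 64 bytes without a context */
#define EKM_CONTEXT_MAX 0xFFFFu       /* RFC 5705: context length is a uint16 */
#define EKM_SEED_MAX    (SEED_LEN + 2 + EKM_CONTEXT_MAX)

/* Checked narrowing: store `in` in *out and return 1 if it fits, else 0. */
static int narrow_to_word32(size_t in, word32 *out)
{
    if (in > UINT32_MAX) {
        return 0;
    }
    *out = (word32)in;
    return 1;
}

/* Build seed = client_random || server_random [|| len16 || context].
 * Returns 1 and sets *seed_len on success, 0 on any bounds violation.
 * `use_context` mirrors the flag in the quoted seedLen expression: an
 * empty context with use_context set is still encoded, because RFC 5705
 * distinguishes "no context" from "empty context". */
static int ekm_build_seed(const unsigned char client_random[RAN_LEN],
                          const unsigned char server_random[RAN_LEN],
                          const unsigned char *context, size_t context_len,
                          int use_context,
                          unsigned char *seed, size_t seed_cap,
                          word32 *seed_len)
{
    size_t total = SEED_LEN;

    if (use_context) {
        if (context == NULL && context_len != 0) {
            return 0;
        }
        /* Reject before any arithmetic: a context longer than 65535 bytes
         * cannot be encoded in the 2-byte length prefix at all. */
        if (context_len > EKM_CONTEXT_MAX) {
            return 0;
        }
        total += 2 + context_len;
    }
    if (total > seed_cap) {
        return 0;
    }

    memcpy(seed, client_random, RAN_LEN);
    memcpy(seed + RAN_LEN, server_random, RAN_LEN);
    if (use_context) {
        /* context_len <= 0xFFFF here, so these casts cannot lose bits */
        seed[SEED_LEN]     = (unsigned char)(context_len >> 8);
        seed[SEED_LEN + 1] = (unsigned char)(context_len & 0xFFu);
        if (context_len != 0) {
            memcpy(seed + SEED_LEN + 2, context, context_len);
        }
    }
    /* The only narrowing point, and it is checked rather than implicit. */
    return narrow_to_word32(total, seed_len);
}

/* Constructed demonstration: fixed randoms and a 3-byte context.
 * Returns the seed length (64 + 2 + 3 = 69) or 0 on failure. */
static word32 ekm_demo(void)
{
    unsigned char cr[RAN_LEN], sr[RAN_LEN];
    unsigned char seed[EKM_SEED_MAX];
    const unsigned char ctx[3] = { 0x01, 0x02, 0x03 }; /* constructed */
    word32 n = 0;

    memset(cr, 0x11, sizeof cr); /* constructed, not real TLS randoms */
    memset(sr, 0x22, sizeof sr);
    if (!ekm_build_seed(cr, sr, ctx, sizeof ctx, 1, seed, sizeof seed, &n)) {
        return 0;
    }
    return n;
}
```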

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-11-19 Thread Juliusz Sosinowicz

Hi Arne,

some time has passed and I was able to address most of your comments in 
my branch 
https://github.com/julek-wolfssl/wolfssl/tree/openvpn-2.5-missing-stuff


To summarize what has been done regarding your comments:

 * SHA1 was indeed being called SHA in wolfSSL. I changed this in favor
   of just using SHA1.
 * in configure.ac I used David Sommerseth's suggestion to use
   PKG_CHECK_MODULES to get the wolfSSL installation directory.
 * setting tls min and max is currently not working in the branch that
   I linked above but we have a big compatibility layer PR pending that
   appears to fix these issues. Once it is merged I'll revisit this
   issue and make sure it is solved.
 * show-tls is fixed but it also relies on the PR I mentioned earlier.
   After that is merged this should be solved.
 * tls-ciphersuites and tls-cipher appear to be working in general.
   Should wolfSSL reject the specified cipher if for example a TLS 1.3
   cipher is set using --tls-cipher?
 * unfortunately wolfSSL does not support ed448 certificates.
 * tls-groups now checks the validity of the passed-in curves
 * since OpenVPN will make use of TLS EKM, exporting keying material has
   been implemented in wolfSSL.
 * I haven't tested OpenVPN with the FIPS mode patch so that issue is
   still pending. Once I get a chance to test it I will also change
   wolfSSL to target 1.1.0+ API

Thanks for your patience!

Sincerely
Juliusz

On 17/09/2020 00:05, Arne Schwabe wrote:

Am 16.09.20 um 11:45 schrieb Juliusz Sosinowicz:

Hi Arne,

a quick update. A PR is now open in wolfSSL with fixes for OpenVPN master.

This is the version that I could actually take a deeper look at, so here
are my results. It generally works but there seem to be some loose ends:


I am still seeing this warning:


2020-09-16 23:20:14 WARNING: 'auth' is used inconsistently, local='auth
SHA', remote='auth SHA1'

Are you internally calling SHA1 just SHA, and is that also returned as the
name when querying for the name? And do the other SHA variants also just
return SHA?


This snippet in the configure.ac looks strange:

if test -n "${WOLFSSL_DIR}"; then
wolfssldir="${WOLFSSL_DIR}"
else
wolfssldir="/usr/local/include/wolfssl"
fi

I am not sure hardcoding a /usr/local path is something we want/allow.
The people better at autoconf might have a better idea on this.

have_crypto_aead_modes="yes"
have_crypto="yes"

While the have_crypto_aead removal is a rather new removal, the
have_crypto removal happened over 4 years ago (31b0bebe). I think the
configure.ac should be cleaned up a bit more.


--tls-version-max 1.2 option is ignored.

--tls-version-min 1.3 against a (OpenSSL) server with --tls-version-max
1.2 results in:

2020-09-16 23:45:26 OpenSSL: Please supply a buffer for error string
2020-09-16 23:45:26 OpenSSL: Please supply a buffer for error string

(A quick fix with just trying to do a malloc of a buffer that leaks
memory transformed this into the equally useless message "OpenSSL: unknown
error number")

openvpn --show-tls does not work at all


Setting tls-ciphersuites results in (on the server side for the TLS 1.2
max server):

2020-09-16 23:54:22 us=503265 79.229.32.216:57019 TLS error: The server
has no TLS ciphersuites in common with the client. Your --tls-cipher
setting might be too restrictive.

I can also set a TLS 1.3 cipher with tls-cipher. The design of TLS 1.3
ciphersuites and 1.0-1.2 cipher suites using different commands is an
artifact of OpenSSL's behaviour, but basically setting
tls-cipher/tls-ciphersuites in the way they were intended seems to break
wolfSSL.

Loading the ed448 cert I have resulted in:

2020-09-16 23:58:28 OpenSSL: Please supply a buffer for error string

again.


--tls-groups meinekurve does not give me an error. So this option is
probably also ignored.

I am not expecting you to test all the zillion options that OpenVPN has, but
at least testing the TLS related options would be good. And what I am
currently seeing is not really good coverage / is buggy.

Even if some of the options might be a good option for support in
WolfSSL, we need to document this and/or your API needs to throw
reasonable errors.


Same notes since I ran WolfSSL also on my own development that includes
a few patches already sent to the mailing list but not merged:


This definition in WolfSSL:

wolfssl/openssl/ssl.h:#define SSL_export_keying_material(...) 0


This just breaks TLS EKM as WolfSSL pretends to be able to do keying
material export but then cannot really do it. The patches to use TLS EKM
are currently not in master but will definitely be added by 2.6.

The macro have_export_keying_material="yes" is currently also missing in
the wolfssl configure.ac section, but if enabling it, it just breaks:

2020-09-16 23:31:17 TLS Error: Keying material export failed
2020-09-16 23:31:17 TLS Error: generate_key_expansion failed

The "al

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-09-17 Thread Juliusz Sosinowicz

Hi Arne,

thank you for your extensive review of OpenVPN with wolfSSL.

On 17/09/2020 00:05, Arne Schwabe wrote:

...
I am still seeing this warning:


2020-09-16 23:20:14 WARNING: 'auth' is used inconsistently, local='auth
SHA', remote='auth SHA1'

Are you internally calling SHA1 just SHA and are also returned that as
name when querying for the name? And do the other SHA variant also just
return SHA?

Could you describe how you generated this warning? Looking into our 
sources, we do call SHA1 just SHA in wolfSSL. Other variants have names 
in the format of SHA.

This snippet in the configure.ac looks strange:

if test -n "${WOLFSSL_DIR}"; then
wolfssldir="${WOLFSSL_DIR}"
else
wolfssldir="/usr/local/include/wolfssl"
fi

I am not sure hardcoding a /usr/local path is something we want/allow.
The people better at autoconf might have a better idea on this.

Our default installation path is /usr/local/include which is why we set 
it as the default path in projects that use wolfSSL. Additionally, 
adding /usr/local/include/wolfssl to the include path allows including 
wolfSSL without changing *.c and *.h files. I'll look into David 
Sommerseth's suggestion of using pkg-config to get the path and see if 
it would be possible to append wolfssl to the path.

...

I am surprised you are targeting OpenSSL < 1.1.0 API. We will probably
drop OpenSSL 1.0.2 support from our code base as soon as we drop RHEL7
support. The 1.1.0+ code path in that patch uses the
EVP_PKEY_derive_*/EVP_PKEY_CTX_set_tls1_prf functions and those will be
needed then.

I think that for now we will target OpenSSL < 1.1.0 API. Once other 
issues have been resolved we will start moving to OpenSSL >= 1.1.0 APIs.


I am still in the process of going through your report but I can 
reproduce most of the other issues and have found some additional ones 
as well. I have closed the PR for now until your comments are resolved 
and will re-open to include all fixes in one PR.


Sincerely
Juliusz



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-09-16 Thread Juliusz Sosinowicz

Hi Arne,

a quick update. A PR is now open in wolfSSL with fixes for OpenVPN master.

Sincerely
Juliusz

On 10/09/2020 14:16, Arne Schwabe wrote:

Am 10.09.20 um 14:11 schrieb Juliusz Sosinowicz:

Hi Arne,

I understand your concern and apologize for the delay. We have been busy
with the release of wolfSSL 4.5.0. I will make sure that the fixes
necessary for OpenVPN support will be prioritized.

Sincerely
Juliusz

I think the best way forward is to include wolfSSL support into OpenVPN
master now, and if we have proper support of wolfSSL that is kept up to
date from your side then it will be part of the next release. And
otherwise we remove the support before the next release. That should
address our concerns of wanting to see ongoing support and also your
concern of it not being included.

Arne






Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-09-10 Thread Juliusz Sosinowicz

Hi Arne,

I understand your concern and apologize for the delay. We have been busy 
with the release of wolfSSL 4.5.0. I will make sure that the fixes 
necessary for OpenVPN support will be prioritized.


Sincerely
Juliusz

On 10/09/2020 12:18, Arne Schwabe wrote:

Am 22.07.20 um 16:02 schrieb Juliusz Sosinowicz:

Hi Arne,

thank you for your feedback. I tested the patch on the latest master
version at the time of writing and it looks like these requirements were
added in the last week which is why I wasn't able to address them
before. I will look into the new issues and get back to you when they are
fixed.

I agree that most of these functions only require exposing existing
functionality on our side.

We already progressed to OpenVPN 2.5-beta4 now. I think it is fair to
say that WolfSSL missed the window to be included in 2.5.0. And seeing
that these rather simple fixes now take over 1.5 months does not exactly
inspire confidence that WolfSSL is committed to maintaining OpenVPN support.

Arne







Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-07-22 Thread Juliusz Sosinowicz

Hi Arne,

thank you for your feedback. I tested the patch on the latest master 
version at the time of writing and it looks like these requirements were 
added in the last week which is why I wasn't able to address them 
before. I will look into the new issues and get back to you when they are 
fixed.


I agree that most of these functions only require exposing existing 
functionality on our side.


Sincerely
Juliusz

On 22/07/2020 15:37, Arne Schwabe wrote:

Am 15.07.20 um 10:26 schrieb Juliusz Sosinowicz:

Hi Everyone,

do you have an update on the latest patch I sent? There have been
updates to wolfSSL to fix the remaining issues brought up last time.


Yes. I looked at this today in the expectation that I would just compile test,
do a few quick tests and then ACK+merge it:

However, during our preparation for the next OpenVPN release, we
reevaluated the minimum OpenSSL version and decided that OpenSSL 1.0.2
is our minimum target for the next release and removed the OpenSSL 1.0.1
compatibility defines. I was not aware that WolfSSL depended on the
compatibility to 1.0.1, but was rather surprised since we added all the
compatibility tests in autoconf that made the OpenSSL 1.1.0+ API checks also
work for WolfSSL. We also removed the option to compile OpenVPN without
AEAD support and since WolfSSL supports TLS 1.3, I also did not expect
that this would be problematic for WolfSSL.


The missing functions that I can see quickly are:

SSL_CTX_set1_curves/SSL_CTX_set1_groups
SSL_CTX_get0_certificate
X509_get0_notBefore
X509_get0_notAfter
SSL_CTX_set_ecdh_auto (Would not be needed if WolfSSL declared >= 1.1.0
version)
CRYPTO_memcmp

Also EVP_CIPH_FLAG_AEAD_CIPHER was undefined. It looks like in the older
version/patch the use of the define was ifdef'ed under the assumption
that support of AEAD implies existence of the macro, which seems not
to have been true in the case of WolfSSL.

None of the offending functions looks particularly bad. The get0 ones are
just the more modern names of the older, identical OpenSSL versions. The set
groups is probably already somehow supported but not exposed, and I would
be surprised if a constant time memcmp does not already exist in WolfSSL.

Reverting the patch that removed 1.0.1 feels like a bad option at this
point and will also raise (rightfully) eyebrows and questions.

Arne







Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-07-15 Thread Juliusz Sosinowicz

Hi Everyone,

do you have an update on the latest patch I sent? There have been 
updates to wolfSSL to fix the remaining issues brought up last time.


Thanks
Juliusz

On 16/06/2020 20:00, Juliusz Sosinowicz wrote:

This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library.

As requested by OpenVPN maintainers, this patch does not include 
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in 
the configure script wolfSSL will include wolfssl/options.h on its own (change 
added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an 
option `--disable-wolfssl-options-h` in case the user would like to supply 
their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by: Juliusz Sosinowicz 
---
  configure.ac  | 94 ++-
  src/openvpn/syshead.h |  3 +-
  2 files changed, 94 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 273a8d1b..56d63555 100644
--- a/configure.ac
+++ b/configure.ac
@@ -269,16 +269,23 @@ AC_ARG_WITH(
  
  AC_ARG_WITH(

[crypto-library],
-   [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto 
library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+   [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto 
library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
case "${withval}" in
-   openssl|mbedtls) ;;
+   openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for 
--with-crypto-library]) ;;
esac
],
[with_crypto_library="openssl"]
  )
  
+AC_ARG_ENABLE(

+   [wolfssl-options-h],
+   [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including options.h 
in wolfSSL @<:@default=yes@:>@])],
+   ,
+   [enable_wolfssl_options_h="yes"]
+)
+
  AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
  if test -n "${PLUGINDIR}"; then
plugindir="${PLUGINDIR}"
@@ -1022,6 +1029,89 @@ elif test "${with_crypto_library}" = "mbedtls"; then
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+   AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory 
@<:@default=/usr/local/include/wolfssl@:>@])
+   if test -n "${WOLFSSL_DIR}"; then
+   wolfssldir="${WOLFSSL_DIR}"
+   else
+   wolfssldir="/usr/local/include/wolfssl"
+   fi
+
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+
+   if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+   # if the user did not explicitly specify flags, try to 
autodetect
+   LIBS="${LIBS} -lwolfssl -lm -pthread"
+   AC_CHECK_LIB(
+   [wolfssl],
+   [wolfSSL_Init],
+   [],
+   [AC_MSG_ERROR([Could not link wolfSSL library.])]
+   )
+   AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL 
header wolfssl/options.h not found!])])
+   fi
+
+   AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these 
are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS 
since these are defined as macros])
+   AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macro

[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-06-16 Thread Juliusz Sosinowicz
This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library.

As requested by OpenVPN maintainers, this patch does not include 
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in 
the configure script wolfSSL will include wolfssl/options.h on its own (change 
added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an 
option `--disable-wolfssl-options-h` in case the user would like to supply 
their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by: Juliusz Sosinowicz 
---
 configure.ac  | 94 ++-
 src/openvpn/syshead.h |  3 +-
 2 files changed, 94 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 273a8d1b..56d63555 100644
--- a/configure.ac
+++ b/configure.ac
@@ -269,16 +269,23 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
[crypto-library],
-   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
case "${withval}" in
-   openssl|mbedtls) ;;
+   openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for 
--with-crypto-library]) ;;
esac
],
[with_crypto_library="openssl"]
 )
 
+AC_ARG_ENABLE(
+   [wolfssl-options-h],
+   [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including 
options.h in wolfSSL @<:@default=yes@:>@])],
+   ,
+   [enable_wolfssl_options_h="yes"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
plugindir="${PLUGINDIR}"
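Review bot: The help string of the new `AC_ARG_ENABLE([wolfssl-options-h], ...)` in this hunk, `Disable including options.h in wolfSSL @<:@default=yes@:>@`, is ambiguous, since a reader cannot tell whether "yes" refers to disabling or to including; given the action-if-not-given sets `enable_wolfssl_options_h="yes"`, state the default as behaviour, e.g. `[Do not include wolfssl/options.h automatically @<:@default=included@:>@]`. The `--with-crypto-library` help text could likewise say that `wolfssl` builds through wolfSSL's OpenSSL compatibility layer, as the patch description explains, so users do not expect a separate backend.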
@@ -1022,6 +1029,89 @@ elif test "${with_crypto_library}" = "mbedtls"; then
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+   AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory 
@<:@default=/usr/local/include/wolfssl@:>@])
+   if test -n "${WOLFSSL_DIR}"; then
+   wolfssldir="${WOLFSSL_DIR}"
+   else
+   wolfssldir="/usr/local/include/wolfssl"
+   fi
+
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+
+   if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+   # if the user did not explicitly specify flags, try to 
autodetect
+   LIBS="${LIBS} -lwolfssl -lm -pthread"
+   AC_CHECK_LIB(
+   [wolfssl],
+   [wolfSSL_Init],
+   [],
+   [AC_MSG_ERROR([Could not link wolfSSL library.])]
+   )
+   AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL 
header wolfssl/options.h not found!])])
+   fi
+
+   AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these 
are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_CIPHER_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS 
since these are defined as macros])
+   AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate 
AC_CHECK_FUNCS since the
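Review bot: The run of `AC_DEFINE([HAVE_...], [1], [Emulate AC_CHECK_FUNCS since these are defined as macros])` in this hunk hardcodes that every listed macro exists in whatever wolfSSL is installed, so a wolfSSL that lacks one fails late at compile time instead of at configure time. `AC_CHECK_DECL` detects macros as well as declarations, so each of these can be a real check with the matching wolfSSL compat header in its includes argument, and the emulation comment goes away. Separately, the autodetect branch runs `AC_CHECK_HEADER([wolfssl/options.h], ...)` without first adding `wolfssldir` (computed a few lines above from `WOLFSSL_DIR`) to `CPPFLAGS`, so the header check does not honour `WOLFSSL_DIR` in this hunk.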

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-05-07 Thread Juliusz Sosinowicz

Hi Antonio,

thank you for reviewing and testing OpenVPN with wolfSSL. Let me explain 
the warnings:


On 07/05/2020 12:28, Antonio Quartulli wrote:

Hi Juliusz,

There are some warnings when compiling with wolfssl v4.0.0-stable:


In file included from crypto_openssl.c:44:
openssl_compat.h:93: warning: "EVP_CIPHER_CTX_reset" redefined
93 | #define EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_init
   |
In file included from crypto_openssl.h:32,
  from crypto_backend.h:33,
  from crypto.h:125,
  from crypto_openssl.c:42:
/usr/local/include/wolfssl/openssl/evp.h:769: note: this is the location
of the previous definition
   769 | #define EVP_CIPHER_CTX_reset  wolfSSL_EVP_CIPHER_CTX_reset
   |
OpenVPN recently started using EVP_CIPHER_CTX_reset and 
HAVE_EVP_CIPHER_CTX_RESET wasn't being defined in the wolfSSL configure 
section. I will fix this for the next version of the patch as well as 
all other missing defines I found.

ssl_openssl.c: In function ‘tls_ctx_load_ca’:
ssl_openssl.c:1601:55: warning: passing argument 1 of
‘wolfSSL_sk_X509_NAME_new’ from incompatible pointer type
[-Wincompatible-pointer-types]
  1601 | cert_names =
sk_X509_NAME_new(sk_x509_name_cmp);
   |
^~~~
   |   |
   |   int
(*)(const X509_NAME * const*, const X509_NAME * const*) {aka int
(*)(const struct WOLFSSL_X509_NAME * const*, const struct
WOLFSSL_X509_NAME * const*)}
In file included from /usr/local/include/wolfssl/openssl/ssl.h:35,
  from ssl_openssl.h:32,
  from ssl_backend.h:36,
  from ssl_openssl.c:44:
/usr/local/include/wolfssl/ssl.h:3534:47: note: expected
‘wolf_sk_compare_cb’ {aka ‘int (*)(const void * const*, const void *
const*)’} but argument is of type ‘int (*)(const X509_NAME * const*,
const X509_NAME * const*)’ {aka ‘int (*)(const struct WOLFSSL_X509_NAME
* const*, const struct WOLFSSL_X509_NAME * const*)’}
  3534 | WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)*
wolfSSL_sk_X509_NAME_new(
   |
^~~~
To make wolfSSL_sk_X509_NAME_new more universal we accept a function 
with void* parameters. This will unfortunately generate a warning when 
compiling with wolfSSL but won't affect functionality.

ssl_openssl.c: In function ‘print_details’:
ssl_openssl.c:2082:22: warning: unused variable ‘dsa’ [-Wunused-variable]
  2082 | DSA *dsa = EVP_PKEY_get0_DSA(pkey);
   |  ^~~

DSA_bits is defined as
#define DSA_bits(...)   0
which means that the dsa variable will not be used. I will look into 
fixing this as DSA support has been added to our EVP layer since this 
definition.

On top of that, unfortunately something is not working.

While openvpn can connect if provided with a config that references key
material from external files, i.e. "key a/b/c.key" or "cert
a/b/c/d.crt", it does not work when trying to connect using inline
material, i.e. "$something here".


This is what I see:

Thu May  7 12:16:12 2020 OpenVPN 2.5_git [git:master/6acb2a69e47a8da0]
x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO]
[AEAD] built on May  7 2020
Thu May  7 12:16:12 2020 library versions: 4.4.0, LZO 2.10
Thu May  7 12:16:12 2020 WARNING: --ns-cert-type is DEPRECATED.  Use
--remote-cert-tls instead.
Thu May  7 12:16:12 2020 OpenSSL: Please supply a buffer for error string
Thu May  7 12:16:12 2020 Cannot load inline certificate file
Thu May  7 12:16:12 2020 Exiting due to fatal error


Any clue why this is failing?

- openvpn is: master openvpn + your patch
- for wolfssl I tested both master and 4.4.0


I will investigate this issue and see what can be done about it. Thank 
you for catching it.


Thanks
Juliusz


On 29/04/2020 16:51, Juliusz Sosinowicz wrote:

This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library.

As requested by OpenVPN maintainers, this patch does not include 
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in 
the configure script wolfSSL will include wolfssl/options.h on its own (change 
added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an 
option `--disable-wolfssl-options-h` in case the user would like to supply 
their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-05-07 Thread Juliusz Sosinowicz

Hi Arne,

currently it is macro'ed to wolfSSL_lib_version which only returns the 
version string. I will add our library name to the front of the 
OpenSSL_version return string.


Thanks,
Juliusz

On 07/05/2020 12:35, Arne Schwabe wrote:

Am 07.05.20 um 12:28 schrieb Antonio Quartulli:

Thu May  7 12:16:12 2020 library versions: 4.4.0, LZO 2.10

Additionally it seems the OpenSSL_version(OPENSSL_VERSION) function does
not include the library name. OpenSSL reports itself here:

  library versions: OpenSSL 1.1.1g  21 Apr 2020

Other libraries will also say LibreSSL or BoringSSL in place of OpenSSL
here. It would be nice to have wolfSSL or "OpenSSL (wolfSSL compat
layer)" or something that indicates wolfSSL in the
OpenSSL_version(OPENSSL_VERSION) result.

Arne






[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-04-29 Thread Juliusz Sosinowicz
This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library.

As requested by OpenVPN maintainers, this patch does not include 
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in 
the configure script wolfSSL will include wolfssl/options.h on its own (change 
added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an 
option `--disable-wolfssl-options-h` in case the user would like to supply 
their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by: Juliusz Sosinowicz 
---
 configure.ac  | 91 ++-
 src/openvpn/syshead.h |  3 +-
 2 files changed, 91 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index fcec7389..53ad3181 100644
--- a/configure.ac
+++ b/configure.ac
@@ -276,16 +276,23 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
[crypto-library],
-   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
case "${withval}" in
-   openssl|mbedtls) ;;
+   openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for 
--with-crypto-library]) ;;
esac
],
[with_crypto_library="openssl"]
 )
 
+AC_ARG_ENABLE(
+   [wolfssl-options-h],
+   [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including 
options.h in wolfSSL @<:@default=yes@:>@])],
+   ,
+   [enable_wolfssl_options_h="yes"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
plugindir="${PLUGINDIR}"
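Review bot: Nothing in this hunk ties the new `--disable-wolfssl-options-h` option to `--with-crypto-library=wolfssl`, so passing it together with the default openssl backend (or mistyping the crypto-library value) silently does nothing; add an `AC_MSG_ERROR` or at least an `AC_MSG_WARN` when `enable_wolfssl_options_h` is set to "no" while `with_crypto_library` is not "wolfssl", mirroring the `case "${withval}"` validation the existing `AC_ARG_WITH` already performs.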
@@ -1029,6 +1036,86 @@ elif test "${with_crypto_library}" = "mbedtls"; then
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+   AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory 
@<:@default=/usr/local/include/wolfssl@:>@])
+   if test -n "${WOLFSSL_DIR}"; then
+   wolfssldir="${WOLFSSL_DIR}"
+   else
+   wolfssldir="/usr/local/include/wolfssl"
+   fi
+
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+
+   if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+   # if the user did not explicitly specify flags, try to 
autodetect
+   LIBS="${LIBS} -lwolfssl -lm -pthread"
+   AC_CHECK_LIB(
+   [wolfssl],
+   [wolfSSL_Init],
+   [],
+   [AC_MSG_ERROR([Could not link wolfSSL library.])]
+   )
+   AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL 
header wolfssl/options.h not found!])])
+   fi
+
+   AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these 
are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate 
AC_CHECK_FUNCS sin
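Review bot: The autodetect guard `test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"` in this hunk uses `-a`, which POSIX marks obsolescent and the Autoconf portability notes advise against; write it as `test -z "${WOLFSSL_CFLAGS}" && test -z "${WOLFSSL_LIBS}"`. The same guard means that a user who sets only `WOLFSSL_LIBS` gets neither the `AC_CHECK_LIB([wolfssl], [wolfSSL_Init], ...)` link test nor the `wolfssl/options.h` header test, so a broken install is only discovered during `make`. The hardcoded `wolfssldir="/usr/local/include/wolfssl"` default would also disappear if the block used `PKG_CHECK_MODULES`, as suggested elsewhere in this thread, the way the mbedtls branch just above obtains `MBEDTLS_CFLAGS`/`MBEDTLS_LIBS`.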

Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-04-16 Thread Juliusz Sosinowicz

The Readme looks good. Just one suggestion.

On 16/04/2020 13:11, Arne Schwabe wrote:

Am 16.04.20 um 12:42 schrieb Juliusz Sosinowicz:

Hi Arne,

On 15/04/2020 11:31, Arne Schwabe wrote:

Am 14.04.20 um 20:52 schrieb Juliusz Sosinowicz:

This patch adds support for wolfSSL in OpenVPN. Support is added by
using wolfSSL's OpenSSL compatibility layer. Function calls are left
unchanged and instead the OpenSSL includes point to wolfSSL headers
and OpenVPN is linked against the wolfSSL library.

As requested by OpenVPN maintainers, this patch does not include
wolfssl/options.h on its own. By defining the macro
EXTERNAL_OPTS_OPENVPN in the configure script wolfSSL will include
wolfssl/options.h on its own (change added in
https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an
option '--disable-wolfssl-options-h' in case the user would like to
supply their own settings file for wolfSSL.


Thanks, the patch is a lot less intrusive than the last version. We will
have to discuss in our meeting under what condition we want to include
the patch. We might add a note or statement that the WolfSSL support in
OpenVPN is mainly developed and tested by WolfSSL itself or something
along these lines.

This is understandable since we will be maintaining wolfSSL within OpenVPN.


Could you take a look if this is an acceptable text for a README.wolfssl?

Support for WolfSSL is implemented and maintained by WolfSSL Inc. The
support is implemented using WolfSSL's compatibility layer. The WolfSSL
support in OpenVPN receives very limited testing/support from the
OpenVPN community itself.

If bugs in OpenVPN when using WolfSSL are encountered, the user should
try to also compile OpenVPN with OpenSSL to determine if these are
bugs in the WolfSSL TLS implementation or OpenVPN itself.

To Build and Install,

./configure --with-crypto-library=wolfssl
make
make install


I would add here:

The wolfSSL library will include the installed options.h file by 
default. To include a custom user_settings.h file for wolfSSL,


./configure --with-crypto-library=wolfssl --disable-wolfssl-options-h
make
make install



*
Due to limitations in the wolfSSL TLS library or its compatibility layer, the
following features are missing:

  * blowfish support (BF-CBC), you must use something like
cipher AES-128-CBC to avoid trying to use BF-CBC
  * Windows CryptoAPI support




___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-04-16 Thread Juliusz Sosinowicz

Hi Arne,

On 15/04/2020 11:31, Arne Schwabe wrote:

Am 14.04.20 um 20:52 schrieb Juliusz Sosinowicz:

This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library.

As requested by OpenVPN maintainers, this patch does not include 
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in 
the configure script wolfSSL will include wolfssl/options.h on its own (change 
added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an 
option '--disable-wolfssl-options-h' in case the user would like to supply 
their own settings file for wolfSSL.


Thanks, the patch is a lot less intrusive than the last version. We will
have to discuss in our meeting under what condition we want to include
the patch. We might add a note or statement that the WolfSSL support in
OpenVPN is mainly developed and tested by WolfSSL itself or something
along these lines.

This is understandable since we will be maintaining wolfSSL within OpenVPN.

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 453cb20a..73da5fa7 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -428,7 +428,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work,
  tag_ptr = BPTR(buf);
  ASSERT(buf_advance(buf, tag_size));
  dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, 0, 
));
-#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L
+#if (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L) 
|| defined(ENABLE_CRYPTO_WOLFSSL)
  /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */
  if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, 
tag_ptr))
  {
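Review bot: the comment directly below the changed `#if` still reads "OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext", but the condition now also selects wolfSSL, where setting the tag first is not a workaround for a bug but the order its API requires (the tag is verified in the Update call, as the reply below explains). Update the comment to give both reasons; as written, whoever eventually removes the old-OpenSSL workaround will take the wolfSSL path out with it.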

Are you sure that WolfSSL requires a workaround for old OpenSSL version
before 1.0.1d?
wolfSSL is built around one-shot APIs as opposed to OpenSSL's stream 
APIs. The reason for using this workaround is that the authentication 
tag is checked in the Update call not the Final call. I'll look into 
fixing this issue.

Arne


Thanks!
Juliusz




Re: [Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-04-16 Thread Juliusz Sosinowicz

Hi Gert,

thanks for the suggestion. I will change this in the next patch after 
looking into the issue that Arne brought up.


On 15/04/2020 11:48, Gert Doering wrote:

Hi,

as Arne said, this is much better.

On Tue, Apr 14, 2020 at 08:52:14PM +0200, Juliusz Sosinowicz wrote:

This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library.

[..]

There is one thing, though:


index 30eba7b2..a82c52ad 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -39,6 +39,10 @@
  
  #ifdef ENABLE_CRYPTOAPI
  
+#ifdef ENABLE_CRYPTO_WOLFSSL

+#error wolfSSL does not support CryptoAPI
+#endif
+
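Review bot: this `#error` only fires when ENABLE_CRYPTOAPI is already defined, and syshead.h defines it for every Windows build that uses the OpenSSL code path, so a Windows wolfSSL build stops dead instead of simply being built without CryptoAPI. Put the exclusion where ENABLE_CRYPTOAPI is defined (add `!defined(ENABLE_CRYPTO_WOLFSSL)` to that condition) and leave cryptoapi.c untouched, which is how a backend without CryptoAPI support is already handled for mbedtls.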

I do not like this very much.  It will, effectively, break win32 builds
with WolfSSL - and add yet another #ifdef to our .c files.

ENABLE_CRYPTOAPI is defined in syshead.h

#if defined(_WIN32) && defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
#define ENABLE_CRYPTOAPI
#endif

... could you investigate whether it would be sufficient to just
conditionalize this on WolfSSL, like this?

#if defined(_WIN32) && defined(ENABLE_CRYPTO) && \
defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_WOLFSSL)
#define ENABLE_CRYPTOAPI
#endif

so you can have WolfSSL-linked binaries for Windows, just without
CryptoAPI support (as with mbedtls)...

gert


Sincerely
Juliusz




[Openvpn-devel] [PATCH] Support for wolfSSL in OpenVPN

2020-04-14 Thread Juliusz Sosinowicz
This patch adds support for wolfSSL in OpenVPN. Support is added by using 
wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and 
instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked 
against the wolfSSL library.

As requested by OpenVPN maintainers, this patch does not include 
wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in 
the configure script wolfSSL will include wolfssl/options.h on its own (change 
added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch adds an 
option '--disable-wolfssl-options-h' in case the user would like to supply 
their own settings file for wolfSSL.

wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

Signed-off-by: Juliusz Sosinowicz 
---
 configure.ac| 91 -
 src/openvpn/crypto.c|  2 +-
 src/openvpn/cryptoapi.c |  4 ++
 3 files changed, 94 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index fcec7389..53ad3181 100644
--- a/configure.ac
+++ b/configure.ac
@@ -276,16 +276,23 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
[crypto-library],
-   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
case "${withval}" in
-   openssl|mbedtls) ;;
+   openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for 
--with-crypto-library]) ;;
esac
],
[with_crypto_library="openssl"]
 )
 
+AC_ARG_ENABLE(
+   [wolfssl-options-h],
+   [AS_HELP_STRING([--disable-wolfssl-options-h], [Disable including 
options.h in wolfSSL @<:@default=yes@:>@])],
+   ,
+   [enable_wolfssl_options_h="yes"]
+)
+
 AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory 
@<:@default=LIBDIR/openvpn/plugins@:>@])
 if test -n "${PLUGINDIR}"; then
plugindir="${PLUGINDIR}"
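Review bot: the help string "Disable including options.h in wolfSSL [default=yes]" is ambiguous for a --disable option (is "yes" the default for disabling, or for including?), and nothing tells the user that the switch only has an effect together with --with-crypto-library=wolfssl. Reword it along the lines of "do not include wolfssl/options.h; use this with a custom user_settings.h (wolfssl only)", and consider erroring out when it is combined with another crypto library so that a mistyped or misplaced option is not silently ignored.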
@@ -1029,6 +1036,86 @@ elif test "${with_crypto_library}" = "mbedtls"; then
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+   AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory 
@<:@default=/usr/local/include/wolfssl@:>@])
+   if test -n "${WOLFSSL_DIR}"; then
+   wolfssldir="${WOLFSSL_DIR}"
+   else
+   wolfssldir="/usr/local/include/wolfssl"
+   fi
+
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+
+   if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+   # if the user did not explicitly specify flags, try to 
autodetect
+   LIBS="${LIBS} -lwolfssl -lm -pthread"
+   AC_CHECK_LIB(
+   [wolfssl],
+   [wolfSSL_Init],
+   [],
+   [AC_MSG_ERROR([Could not link wolfSSL library.])]
+   )
+   AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL 
header wolfssl/options.h not found!])])
+   fi
+
+   AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these 
are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_S
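Review bot: `WOLFSSL_DIR` is described as "Path to the wolfssl directory", but its default, /usr/local/include/wolfssl, is an include directory, and the derived `wolfssldir` is never used anywhere in the lines shown; either drop the variable or pass it to the compiler as an -I path and name it for what it is. Also, both the `AC_CHECK_LIB` and the `AC_CHECK_HEADER([wolfssl/options.h])` probes sit inside the `if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"` branch, so a user who sets either variable gets no verification at all that the library links or that the header is reachable; run the header and link checks after applying the user-supplied flags as well.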

Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master branch

2020-02-09 Thread Juliusz Sosinowicz
Hi Antonio,

Gert is correct, our compatibility layer is a set of functions in 
wolfSSL which emulate the OpenSSL API. These functions are then macro defined 
to have the same names as the OpenSSL functions. The configure script needs to 
know where the wolfSSL headers are and that it should link against the wolfSSL 
binary, not OpenSSL. This is the reason for the configure script changes.

Sincerely
Juliusz

 Original message 
From: Antonio Quartulli
Date: 09/02/2020 10:52 (GMT+01:00)
To: Gert Doering
Cc: Juliusz Sosinowicz, openvpn-devel@lists.sourceforge.net
Subject: Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master branch

Hi,

On 09/02/2020 10:50, Gert Doering wrote:
> Hi,
> 
> On Sun, Feb 09, 2020 at 10:44:48AM +0100, Antonio Quartulli wrote:
>> if wolfssl support is being introduced by means of the openssl
>> compatibility layer, why do people need to configure OpenVPN with
>> "./configure --with-crypto-library=wolfssl", rather than just using
>> openssl and specifying a different path for headers/libraries?
>>
>> Isn't the compat layer in wolfssl operating as a drop-in replacement for
>> openssl?
> 
> This question has been asked before and answered :-) - most of the
> compat functions seem to be implemented as macros, which our configure
> will not find.  So, configure needs to explicitly define what is there
> and what not.
> 
> I do not like the extra include very much, but that seems to be hard 
> to avoid with the current WolfSSL header file setup.
> 

ouch, thanks for the reminder :-)

-- 
Antonio Quartulli


Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master branch

2020-02-09 Thread Juliusz Sosinowicz

Hi Gert,

thank you for your comments. My intention was not to add a second cipher 
line in the sample config file. I added "cipher AES-256-CBC" to an 
earlier version of OpenVPN when there was no cipher specified in the 
loopback-client and loopback-server files. After rebasing my commit onto 
master I didn't notice the double cipher lines in the config files. I 
will remove this in my next patch as wolfSSL does support GCM mode but 
not yet in the compatibility layer.


I will add GCM support to our compatibility layer and send an updated 
signed-off patch with a better commit message explaining what is 
happening in the patch.


Thanks
Juliusz

On 08/02/2020 09:45, Gert Doering wrote:

Hi Juliusz,

please send patches out of a git tree, coming from a git commit with
"git commit -s", and having a somewhat relevant commit message.

Besides this, please do not


--- a/sample/sample-config-files/loopback-client
+++ b/sample/sample-config-files/loopback-client
@@ -25,3 +25,4 @@ tls-auth sample-keys/ta.key 1
  cipher AES-256-GCM
  ping 1
  inactive 120 1000
+cipher AES-256-CBC
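Review bot: this adds a second `cipher` line to a sample config that already says `cipher AES-256-GCM` three lines earlier, so the file contradicts itself and a reader cannot tell which setting the sample intends. Drop the hunk (and its twin for loopback-server); if the wolfSSL compatibility layer cannot do AES-GCM yet, that limitation belongs in a README note, not in the shipped sample configs.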

... modify the sample config files (and *if* you do, do not just add
a second cipher line, which will confuse users quite a bit).

If WolfSSL does not support GCM, this needs to be documented, but our
sample config files contain the recommended cipher for the existing
crypto systems, and this is (and will continue to be for the time)
GCM - faster, and lower overhead.

gert





[Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN master branch

2020-02-07 Thread Juliusz Sosinowicz
wolfSSL:
Support added in: https://github.com/wolfSSL/wolfssl/pull/2503
```
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-openvpn
make
sudo make install
```

OpenVPN:
```
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```
---
 configure.ac   | 77 +-
 include/openvpn-plugin.h.in|  3 +
 sample/sample-config-files/loopback-client |  1 +
 sample/sample-config-files/loopback-server |  1 +
 src/openvpn/crypto.c   |  2 +-
 src/openvpn/crypto_openssl.h   |  3 +
 src/openvpn/cryptoapi.c|  4 ++
 src/openvpn/openssl_compat.h   |  4 ++
 src/openvpn/ssl_openssl.h  |  3 +
 src/openvpn/ssl_verify_openssl.h   |  3 +
 10 files changed, 98 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index 98fd39ce..564f21a6 100644
--- a/configure.ac
+++ b/configure.ac
@@ -276,10 +276,10 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
[crypto-library],
-   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
case "${withval}" in
-   openssl|mbedtls) ;;
+   openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for 
--with-crypto-library]) ;;
esac
],
@@ -1029,6 +1029,79 @@ elif test "${with_crypto_library}" = "mbedtls"; then
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${with_crypto_library}" = "wolfssl"; then
+   AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory 
@<:@default=/usr/local/include/wolfssl@:>@])
+   if test -n "${WOLFSSL_DIR}"; then
+   wolfssldir="${WOLFSSL_DIR}"
+   else
+   wolfssldir="/usr/local/include/wolfssl"
+   fi
+
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+
+   if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+   # if the user did not explicitly specify flags, try to 
autodetect
+   LIBS="${LIBS} -lwolfssl -lm -pthread"
+   AC_CHECK_LIB(
+   [wolfssl],
+   [wolfSSL_Init],
+   [],
+   [AC_MSG_ERROR([Could not link wolfSSL library.])]
+   )
+   AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL 
header wolfssl/options.h not found!])])
+   fi
+
+   AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these 
are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS 
since these are defined as macros])
+   AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS 
since these are defined as macros])
+   AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate AC_CHECK_FUNCS since these 
are defined as macros])
+   AC_DEFINE([HAVE_EVP_PKEY_GET0_RSA], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_PKEY_GET0_DSA], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_PKEY_GET0_EC_KEY], [1], [Emulate AC_CHECK_FUNCS 
since these are defined as macros])
+   
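Review bot: the link flags `-lwolfssl -lm -pthread` are hardcoded and the library is found only through the compiler's default search path, so a wolfSSL installed under a non-default prefix fails the `AC_CHECK_LIB` with "Could not link wolfSSL library." unless the user works out WOLFSSL_CFLAGS and WOLFSSL_LIBS by hand. Try `PKG_CHECK_MODULES([WOLFSSL], [wolfssl], ...)` first (wolfSSL installs a wolfssl.pc) and fall back to the hardcoded flags only when that fails; this also supplies the right -I path, which the unused `wolfssldir` variable in this hunk was apparently meant to provide.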

Re: [Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN v2.4.8

2019-11-25 Thread Juliusz Sosinowicz

Hi David,

I apologize for the delayed response. I will rebase our OpenVPN work off 
of the master branch this week in anticipation of a possible inclusion 
in version 2.5.


Regarding your question "What kind of commitment will we see from the 
WolfSSL organization?":
We have a large customer driving the use of wolfSSL with OpenVPN. We've 
done the initial porting and testing. We will update the port when 
needed and continue to support this effort.
We will also be making public marketing posts and announcements for 
OpenVPN support on our blog (https://www.wolfssl.com/blog/) and 
subscribed mailing lists.


We understand your concern about the intrusiveness of this patch. The 
majority of insertions occur in the configure and try to follow the 
structure of how other cryptographic backends are compiled against. The 
"Emulate X since these are defined as macros" additions are 
unfortunately necessary as these functions are defined as macros in our 
library. AC_CHECK_FUNCS will not check if the function exists behind a 
macro. Defining these macros in the configure script allows for minimal 
interference in the rest of OpenVPN code. The rest of the changes in the 
patch are library inclusions as some things are defined in slightly 
different locations than OpenSSL. The file  holds the 
configure options for the wolfSSL library. It is necessary to include so 
that the header files know what should be included and defined.


I hope this email clears things up as to why some changes were necessary.

Sincerely
Juliusz

On 14/11/2019 12:25, David Sommerseth wrote:

On 14/11/2019 11:22, Juliusz Sosinowicz wrote:

From: David Garske 

wolfSSL:

Support added in: https://github.com/wolfSSL/wolfssl/pull/2503

```sh
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-opensslall --enable-des3 --enable-crl --enable-certgen 
--enable-certext --enable-aesctr --enable-sessioncerts CFLAGS="-DWOLFSSL_DES_ECB 
-DHAVE_EX_DATA"
make
sudo make install
```

OpenVPN:

```sh
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```

NAK.

This patch adds a new feature to the 2.4 branch.  We don't really want to do
that, especially if the change is intrusive (13 files changed, 108 insertions
<< that is intrusive).  WolfSSL support will at best see the light in the
coming 2.5 release (At the hackathon we aim for late 2020Q1 or 2020Q2)

In previous rounds we have asked a lot of questions; there has been no real
responses to those.  This has not even been touched in the relation to this 
patch.

One good thing I do see, is that it seems to try to use an OpenSSL support
layer in WolfSSL - which is good.  But then I wonder why we see additions like
this all over.

+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include 
+#endif

In addition, the change in configure.ac with all the AC_DEFINE lines, tagged
with "Emulate X since these are defined as macros" is also making a lot of
mess.

And then comes the most critical point to all of this:  Who will maintain
WolfSSL support in OpenVPN once this has been applied?  What kind of
commitment will we see from the WolfSSL organization?

The OpenVPN developers community will have an IRC meeting next Thursday (Nov
21 @ 20:00 CET, #openvpn-meeting on FreeNode [1]).  I strongly recommend you
to attend this meeting to follow up your request.


[1] You need to have your nick registered to join
 <https://freenode.net/kb/answer/registration>





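Both the 2020-02-09 reply earlier on this page (the compatibility functions are macro defined to the OpenSSL names, so configure cannot find them) and the explanation in this message of the "Emulate X since these are defined as macros" lines rest on the same mechanism, and the script below makes it concrete. It is an added illustration, not code from any of the patches or from the wolfSSL or OpenVPN projects. It builds a constructed stand-in for a compatibility header and library (the names `compat.h` and `wolfcompat_hmac_ctx_new` are invented for the demonstration), reproduces the link-style probe that AC_CHECK_FUNCS performs, and contrasts it with the declaration-style probe that AC_CHECK_DECL performs, which does see a macro-defined name. A C compiler is assumed (honours `$CC`, default `cc`); without one the script prints a notice and exits.

```shell
#!/bin/sh
# Added example: why an AC_CHECK_FUNCS-style link probe cannot see a
# function that a compatibility layer provides as a macro, and what an
# AC_CHECK_DECL-style probe sees instead. Everything below is constructed
# for the demonstration; compat.h and wolfcompat_hmac_ctx_new are invented
# stand-ins, not wolfSSL's real headers or symbols.

set -u
CC="${CC:-cc}"
command -v "$CC" >/dev/null 2>&1 || { echo "no C compiler found, skipping"; exit 0; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in compat header: the "OpenSSL" name is a macro that expands to the
# library's real function, so no linker symbol called HMAC_CTX_new exists.
cat > "$WORK/compat.h" <<'EOF'
#ifndef COMPAT_H
#define COMPAT_H
void *wolfcompat_hmac_ctx_new(void);
#define HMAC_CTX_new wolfcompat_hmac_ctx_new
#endif
EOF

# Stand-in library object: only the real name is exported.
cat > "$WORK/libcompat.c" <<'EOF'
void *wolfcompat_hmac_ctx_new(void) { return (void *)0; }
EOF
"$CC" -c -o "$WORK/libcompat.o" "$WORK/libcompat.c"

# What AC_CHECK_FUNCS does: declare the bare name and try to LINK it.
# No header is included, so the macro never applies. Prints yes or no.
probe_link() {
    sym="$1"
    cat > "$WORK/link.c" <<EOF
char $sym(void);
int main(void) { return $sym() != 0; }
EOF
    if "$CC" -o "$WORK/link" "$WORK/link.c" "$WORK/libcompat.o" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# What AC_CHECK_DECL does: include the header and ask whether the name is a
# macro or a usable declaration. Compile only, no linking. Prints yes or no.
probe_decl() {
    sym="$1"
    cat > "$WORK/decl.c" <<EOF
#include "compat.h"
int main(void) {
#ifndef $sym
    (void) $sym;
#endif
    return 0;
}
EOF
    if "$CC" -I"$WORK" -c -o "$WORK/decl.o" "$WORK/decl.c" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

echo "link probe, OpenSSL name HMAC_CTX_new:        $(probe_link HMAC_CTX_new)"            # no
echo "link probe, real name wolfcompat_hmac_ctx_new: $(probe_link wolfcompat_hmac_ctx_new)" # yes
echo "decl probe, OpenSSL name HMAC_CTX_new:        $(probe_decl HMAC_CTX_new)"            # yes
echo "decl probe, name the header lacks:            $(probe_decl HMAC_CTX_missing)"        # no
```

The first line is the situation the thread describes: the link probe reports "no" even though the functionality is there, which is why the patch falls back to hardcoded AC_DEFINE lines. The third line shows that a declaration probe against the compat header would let configure detect the macro instead of assuming it.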


[Openvpn-devel] [PATCH] Support for wolfSSL with OpenVPN v2.4.8

2019-11-14 Thread Juliusz Sosinowicz
From: David Garske 

wolfSSL:

Support added in: https://github.com/wolfSSL/wolfssl/pull/2503

```sh
git clone https://github.com/wolfSSL/wolfssl.git
cd wolfssl
./autogen.sh
./configure --enable-opensslall --enable-des3 --enable-crl --enable-certgen 
--enable-certext --enable-aesctr --enable-sessioncerts 
CFLAGS="-DWOLFSSL_DES_ECB -DHAVE_EX_DATA"
make
sudo make install
```

OpenVPN:

```sh
autoreconf -i -v -f
./configure --with-crypto-library=wolfssl
make
make check
sudo make install
```
---
 configure.ac   | 77 +-
 include/openvpn-plugin.h.in|  3 +
 sample/sample-config-files/loopback-client |  1 +
 sample/sample-config-files/loopback-server |  1 +
 src/openvpn/crypto.c   |  2 +-
 src/openvpn/crypto_openssl.c   |  3 +
 src/openvpn/crypto_openssl.h   |  3 +
 src/openvpn/cryptoapi.c|  4 ++
 src/openvpn/openssl_compat.h   |  5 ++
 src/openvpn/ssl_openssl.c  |  3 +
 src/openvpn/ssl_openssl.h  |  3 +
 src/openvpn/ssl_verify_openssl.c   |  3 +
 src/openvpn/ssl_verify_openssl.h   |  3 +
 13 files changed, 108 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index e45ce2f3..63cf3001 100644
--- a/configure.ac
+++ b/configure.ac
@@ -283,10 +283,10 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
[crypto-library],
-   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+   [AS_HELP_STRING([--with-crypto-library=library], [build with the given 
crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
[
case "${withval}" in
-   openssl|mbedtls) ;;
+   openssl|mbedtls|wolfssl) ;;
*) AC_MSG_ERROR([bad value ${withval} for 
--with-crypto-library]) ;;
esac
],
@@ -1028,6 +1028,79 @@ elif test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "mbedtls"; th
AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
CRYPTO_LIBS="${MBEDTLS_LIBS}"
+
+elif test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "wolfssl"; 
then
+   AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+   AC_ARG_VAR([WOLFSSL_DIR], [Path to the wolfssl directory 
@<:@default=/usr/local/include/wolfssl@:>@])
+   if test -n "${WOLFSSL_DIR}"; then
+   wolfssldir="${WOLFSSL_DIR}"
+   else
+   wolfssldir="/usr/local/include/wolfssl"
+   fi
+
+   saved_CFLAGS="${CFLAGS}"
+   saved_LIBS="${LIBS}"
+
+   if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+   # if the user did not explicitly specify flags, try to 
autodetect
+   LIBS="${LIBS} -lwolfssl -lm -pthread"
+   AC_CHECK_LIB(
+   [wolfssl],
+   [wolfSSL_Init],
+   [],
+   [AC_MSG_ERROR([Could not link wolfSSL library.])]
+   )
+   AC_CHECK_HEADER([wolfssl/options.h],,[AC_MSG_ERROR([wolfSSL 
header wolfssl/options.h not found!])])
+   fi
+
+   AC_DEFINE([HAVE_HMAC_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since these 
are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_HMAC_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_NEW], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_EVP_MD_CTX_RESET], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_OPENSSL_VERSION], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_SSL_CTX_SET_SECURITY_LEVEL], [1], [Emulate 
AC_CHECK_FUNCS since these are defined as macros])
+   AC_DEFINE([HAVE_X509_GET0_PUBKEY], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], [Emulate AC_CHECK_FUNCS 
since these are defined as macros])
+   AC_DEFINE([HAVE_X509_OBJECT_FREE], [1], [Emulate AC_CHECK_FUNCS since 
these are defined as macros])
+   AC_DEFINE([HAVE_X509_OBJECT_GET_TYPE], [1], [Emulate AC_CHECK_FUNCS 
since these are defined as macros])
+   AC_DEFINE([HAVE_EVP_PKEY_ID], [1], [Emulate 
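Review bot: the commit message lists seven wolfSSL configure switches plus two CFLAGS defines that this build depends on, yet the only probe here is `AC_CHECK_LIB([wolfssl], [wolfSSL_Init], ...)`, which succeeds against any wolfSSL build, with or without the OpenSSL compatibility layer. Probe at least one symbol that exists only when the compatibility layer is enabled (AC_CHECK_DECL does see macros once wolfssl/options.h and the relevant wolfssl/openssl/ header are included) and fail with a message that repeats the required wolfSSL configure line, so a library built without those options is rejected by configure rather than by the compiler halfway through src/openvpn.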

Re: [Openvpn-devel] [PATCH] Adding support for wolfSSL backend

2019-08-23 Thread Juliusz Sosinowicz

Hi,

thank you for the feedback. To answer your questions:


- Why WolfSSL in OpenVPN instead of mbed or OpenSSL
wolfSSL can be compiled to use very few resources in a wide array of 
embedded environments.
wolfSSL is FIPS ready - that is it has all the code available to be FIPS 
140 validated on a platform.

- What features does WolfSSL offer in OpenVPN that mbed/OpenSSL don't have
wolfSSL has a large customer base and some of them would like to use 
OpenVPN with wolfSSL.

- What is missing with WolfSSL?
wolfSSL doesn’t support some older, weaker algorithms like Blowfish.
wolfSSL also lacks support for CryptoAPI and exporting of keying material.
- What are your future plans in terms of involvement in OpenVPN
development and maintenance?
Our plans are to help support and maintain the wolfSSL component of any 
project, including OpenVPN, that decides to incorporate our technology.


Regarding our OpenSSL compatibility layer: we do have a compatibility 
layer for OpenSSL but it still lacks many features. In addition, using 
wolfSSL directly without an additional layer allows for better 
efficiency and performance.


Sincerely
Juliusz

On 8/16/19 8:30 AM, Arne Schwabe wrote:

Am 16.08.19 um 16:14 schrieb Juliusz Sosinowicz:

This patch adds the option to use wolfSSL as the ssl backend. To build
this patch:


That is great and it is also a very big patch. I skimmed only through
the patch.


+#ifdef ENABLE_CRYPTO_WOLFSSL
+o->ciphername = "AES-256-CBC";
+#else
  o->ciphername = "BF-CBC";
+#endif

Such silent changes that make OpenVPN behave differently are something we
would like to avoid. Better to error out in this case than to behave
differently.

Overall the WolfSSL feels to be a bit similar to OpenSSL. Is there any
compatibility you are aiming at?

Also it would be nice to have a summary for people on the OpenVPN
perspective

- Why WolfSSL in OpenVPN instead of mbed or OpenSSL
- What features does WolfSSL offer in OpenVPN that mbed/OpenSSL don't have
- What is missing with WolfSSL?

That should also good to have in the patch like README.mbedtls.

And one of the important question is:

What are your future plans in terms of involvement in OpenVPN
development and maintenance? I think since you are a first-time contributor
and this is a big patch, that is something reasonable to ask.

Arne





[Openvpn-devel] [PATCH] Adding support for wolfSSL backend

2019-08-16 Thread Juliusz Sosinowicz
This patch adds the option to use wolfSSL as the ssl backend. To build 
this patch:


1. wolfSSL needs to be built with the `--enable-all` configure option.
2. OpenVPN must be built with the `--with-crypto-library=wolfssl`
   configure option.

Documentation regarding the wolfSSL SSL library may be found here: 
https://www.wolfssl.com/


Sincerely
Juliusz

diff --git a/.gitignore b/.gitignore
index 0d68ec4b..d007cf62 100644
--- a/.gitignore
+++ b/.gitignore
@@ -72,3 +72,8 @@ nbproject
 test-driver
 compile
 stamp-h2
+
+\.settings/
+\.project
+\.cproject
+\.autotools
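Review bot: `.settings/`, `.project`, `.cproject` and `.autotools` are Eclipse workspace files with no relation to wolfSSL support; keep editor-specific ignores out of this patch (a global gitignore on the developer's side is the usual place). The backslash before each leading dot is also unnecessary, since `.` is not special in gitignore patterns.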
diff --git a/configure.ac b/configure.ac
index e9f8a2f9..1013e5a0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -276,10 +276,10 @@ AC_ARG_WITH(
 
 AC_ARG_WITH(
 	[crypto-library],
-	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])],
+	[AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls|wolfssl @<:@default=openssl@:>@])],
 	[
 		case "${withval}" in
-			openssl|mbedtls) ;;
+			openssl|mbedtls|wolfssl) ;;
 			*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
 		esac
 	],
@@ -1011,6 +1011,31 @@ elif test "${with_crypto_library}" = "mbedtls"; then
 	AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library])
 	CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}"
 	CRYPTO_LIBS="${MBEDTLS_LIBS}"
+elif test "${with_crypto_library}" = "wolfssl"; then
+	AC_ARG_VAR([WOLFSSL_CFLAGS], [C compiler flags for wolfssl])
+	AC_ARG_VAR([WOLFSSL_LIBS], [linker flags for wolfssl])
+	
+	saved_CFLAGS="${CFLAGS}"
+	saved_LIBS="${LIBS}"
+	
+	if test -z "${WOLFSSL_CFLAGS}" -a -z "${WOLFSSL_LIBS}"; then
+		# if the user did not explicitly specify flags, try to autodetect
+		LIBS="${LIBS} -lwolfssl -lm -pthread"
+		AC_CHECK_LIB(
+			[wolfssl],
+			[wolfSSL_get_ciphers],
+			[],
+			[AC_MSG_ERROR([Could not link wolfSSL library.])]
+		)
+	fi
+	
+	have_crypto_aead_modes="yes"
+	
+	CFLAGS="${WOLFSSL_CFLAGS} ${CFLAGS}"
+	LIBS="${WOLFSSL_LIBS} ${LIBS}"
+	AC_DEFINE([ENABLE_CRYPTO_WOLFSSL], [1], [Use wolfSSL crypto library])
+	CRYPTO_CFLAGS="${WOLFSSL_CFLAGS}"
+	CRYPTO_LIBS="${WOLFSSL_LIBS}"
 else
 	AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}])
 fi
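Review bot: `saved_CFLAGS` and `saved_LIBS` are set and never restored, so the `-lwolfssl -lm -pthread` prepended to LIBS in the autodetect branch and the WOLFSSL_CFLAGS/WOLFSSL_LIBS additions after it stay in effect for every later configure test; either restore them once the wolfSSL checks are done or delete the two unused variables. `have_crypto_aead_modes="yes"` is also asserted without any probe, and nothing verifies that the wolfSSL headers are reachable (only `wolfSSL_get_ciphers` is linked), so the `--enable-all` requirement from the description is assumed rather than checked; add at least a header check and a probe for an AEAD entry point before claiming AEAD support.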
diff --git a/include/openvpn-plugin.h.in b/include/openvpn-plugin.h.in
index 103844f7..75b33a62 100644
--- a/include/openvpn-plugin.h.in
+++ b/include/openvpn-plugin.h.in
@@ -32,6 +32,12 @@
 #define __OPENVPN_X509_CERT_T_DECLARED
 typedef mbedtls_x509_crt openvpn_x509_cert_t;
 #endif
+#elif defined(ENABLE_CRYPTO_WOLFSSL)  /* ifdef ENABLE_CRYPTO_WOLFSSL */
+#include 
+#ifndef __OPENVPN_X509_CERT_T_DECLARED
+#define __OPENVPN_X509_CERT_T_DECLARED
+typedef WOLFSSL_X509 openvpn_x509_cert_t;
+#endif
 #else  /* ifdef ENABLE_CRYPTO_MBEDTLS */
 #include 
 #ifndef __OPENVPN_X509_CERT_T_DECLARED
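Review bot: The trailing comment on the new `#elif defined(ENABLE_CRYPTO_WOLFSSL)` line repeats its own condition, which is not what the surrounding comments do, and the existing `#else  /* ifdef ENABLE_CRYPTO_MBEDTLS */` now sits after the wolfSSL branch, so it should read `/* ifdef ENABLE_CRYPTO_WOLFSSL */` to keep naming the branch it closes. The header name on the added `#include` line is not visible in the quoted hunk; since this is the installed plugin header, please state which wolfSSL header a plugin author must have on their include path.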
@@ -332,7 +338,8 @@ struct openvpn_plugin_callbacks
 typedef enum {
 SSLAPI_NONE,
 SSLAPI_OPENSSL,
-SSLAPI_MBEDTLS
+SSLAPI_MBEDTLS,
+SSLAPI_WOLFSSL
 } ovpnSSLAPI;
 
 /**
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 30caa01f..5c19384e 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -50,6 +50,7 @@ openvpn_SOURCES = \
 	crypto.c crypto.h crypto_backend.h \
 	crypto_openssl.c crypto_openssl.h \
 	crypto_mbedtls.c crypto_mbedtls.h \
+	crypto_wolfssl.c crypto_wolfssl.h \
 	dhcp.c dhcp.h \
 	env_set.c env_set.h \
 	errlevel.h \
@@ -115,10 +116,12 @@ openvpn_SOURCES = \
 	ssl.c ssl.h  ssl_backend.h \
 	ssl_openssl.c ssl_openssl.h \
 	ssl_mbedtls.c ssl_mbedtls.h \
+	ssl_wolfssl.c ssl_wolfssl.h \
 	ssl_common.h \
 	ssl_verify.c ssl_verify.h ssl_verify_backend.h \
 	ssl_verify_openssl.c ssl_verify_openssl.h \
 	ssl_verify_mbedtls.c ssl_verify_mbedtls.h \
+	ssl_verify_wolfssl.c ssl_verify_wolfssl.h \
 	status.c status.h \
 	syshead.h \
 	tls_crypt.c tls_crypt.h \
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 7e9a4bd2..9699b50c 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -29,18 +29,21 @@
 #ifndef CRYPTO_BACKEND_H_
 #define CRYPTO_BACKEND_H_
 
+/* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */
+#define OPENVPN_AEAD_TAG_LENGTH 16
+
 #ifdef ENABLE_CRYPTO_OPENSSL
 #include "crypto_openssl.h"
 #endif
 #ifdef ENABLE_CRYPTO_MBEDTLS
 #include "crypto_mbedtls.h"
 #endif
+#ifdef ENABLE_CRYPTO_WOLFSSL
+#include "crypto_wolfssl.h"
+#endif
 #include "basic.h"
 #include "buffer.h"
 
-/* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */
-#define OPENVPN_AEAD_TAG_LENGTH 16
-
 /* Maximum cipher block size (bytes) */
 #define OPENVPN_MAX_CIPHER_BLOCK_SIZE 32
 
@@ -355,7 +358,7 @@ void cipher_ctx_free(cipher_ctx_t *ctx);
  * @param key_len   Length of the key, in bytes
  * @param ktStatic cipher parameters to use
  * @param enc   Whether to encrypt or decrypt (either
- *  \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT).