From: Uriah Pollock
Date: Wed, 23 Nov 2022 15:41:25 +0000 (+0100)
Subject: MEDIUM: ssl: add minimal WolfSSL support with OpenSSL compatibility mode
X-Git-Tag: v2.7-dev10~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3cbf09ed6411d6e28020eefd91f0e70d5b64bcb5;p=thirdparty%2Fhaproxy.git

MEDIUM: ssl: add minimal WolfSSL support with OpenSSL compatibility mode

This adds a USE_OPENSSL_WOLFSSL option, wolfSSL must be used with the OpenSSL compatibility layer. This must be used with USE_OPENSSL=1.

WolfSSL build options:
./configure --prefix=/opt/wolfssl --enable-haproxy

HAProxy build options:
USE_OPENSSL=1 USE_OPENSSL_WOLFSSL=1 WOLFSSL_INC=/opt/wolfssl/include/ WOLFSSL_LIB=/opt/wolfssl/lib/ ADDLIB='-Wl,-rpath=/opt/wolfssl/lib'

Using at least the commit 54466b6 ("Merge pull request #5810 from Uriah-wolfSSL/haproxy-integration") from WolfSSL. (2022-11-23).

This is still to be improved, reg-tests are not supported yet, and more tests are to be done.

Signed-off-by: William Lallemand
---
diff --git a/Makefile b/Makefile
index 2ab2d35b64..6bfdc4a418 100644
--- a/Makefile
+++ b/Makefile
@@ -32,6 +32,7 @@
 # USE_CRYPT_H : set it if your system requires including crypt.h
 # USE_GETADDRINFO : use getaddrinfo() to resolve IPv6 host names.
 # USE_OPENSSL : enable use of OpenSSL. Recommended, but see below.
+# USE_OPENSSL_WOLFSSL : enable use of wolfSSL with the OpenSSL API
 # USE_ENGINE : enable use of OpenSSL Engine.
 # USE_LUA : enable Lua support.
 # USE_ACCEPT4 : enable use of accept4() on linux. Automatic.
@@ -106,6 +107,8 @@
 # pcre2-config)
 # SSL_LIB : force the lib path to libssl/libcrypto
 # SSL_INC : force the include path to libssl/libcrypto
+# WOLFSSL_INC : force the include path to wolfSSL
+# WOLFSSL_LIB : force the lib path to wolfSSL
 # LUA_LIB : force the lib path to lua
 # LUA_INC : force the include path to lua
 # LUA_LIB_NAME : force the lib name (or automatically evaluated, by order of
@@ -295,12 +298,12 @@ use_opts = USE_EPOLL USE_KQUEUE USE_NETFILTER \
 USE_THREAD USE_PTHREAD_EMULATION USE_BACKTRACE \
 USE_STATIC_PCRE USE_STATIC_PCRE2 USE_TPROXY USE_LINUX_TPROXY \
 USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H USE_ENGINE \
- USE_GETADDRINFO USE_OPENSSL USE_LUA USE_ACCEPT4 \
- USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS \
- USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES USE_WURFL USE_SYSTEMD \
- USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL USE_THREAD_DUMP \
- USE_EVPORTS USE_OT USE_QUIC USE_PROMEX USE_MEMORY_PROFILING \
- USE_SHM_OPEN
+ USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_LUA \
+ USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY \
+ USE_TFO USE_NS USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES \
+ USE_WURFL USE_SYSTEMD USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL \
+ USE_THREAD_DUMP USE_EVPORTS USE_OT USE_QUIC USE_PROMEX \
+ USE_MEMORY_PROFILING USE_SHM_OPEN
 
 #### Target system options
 # Depending on the target platform, some options are set, as well as some
@@ -580,13 +583,27 @@ SSL_LIB =
 # pass it in the "ADDLIB" variable if needed. If your SSL libraries are not
 # in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
 OPTIONS_CFLAGS += $(if $(SSL_INC),-I$(SSL_INC))
+ifeq ($(USE_OPENSSL_WOLFSSL),)
 OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
+endif
 ifneq ($(USE_DL),)
 OPTIONS_LDFLAGS += -ldl
 endif
 OPTIONS_OBJS += src/ssl_sock.o src/ssl_ckch.o src/ssl_sample.o src/ssl_crtlist.o src/cfgparse-ssl.o src/ssl_utils.o src/jwt.o
 endif
 
+ifneq ($(USE_OPENSSL_WOLFSSL),)
+ifneq ($(WOLFSSL_INC),)
+OPTIONS_CFLAGS += -I$(WOLFSSL_INC) -I$(WOLFSSL_INC)/wolfssl
+else
+OPTIONS_CFLAGS += -I/usr/local/include/wolfssl -I/usr/local/include/wolfssl/openssl -I/usr/local/include
+endif
+ifneq ($(WOLFSSL_LIB),)
+OPTIONS_LDFLAGS += -L$(WOLFSSL_LIB)
+endif
+OPTIONS_LDFLAGS += -lwolfssl
+endif
+
 ifneq ($(USE_ENGINE),)
 # OpenSSL 3.0 emits loud deprecation warnings by default when building with
 # engine support, and this option is made to silence them. Better use it
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 5aaa6c7e97..f52079034d 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -2,6 +2,11 @@
 #define _HAPROXY_OPENSSL_COMPAT_H
 
 #ifdef USE_OPENSSL
+#ifdef USE_OPENSSL_WOLFSSL
+#define TLSEXT_MAXLEN_host_name 255
+#include
+#endif
+
 #include
 #include
 #include
diff --git a/src/haproxy.c b/src/haproxy.c
index 50850e9e38..1650147cf7 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -2297,6 +2297,11 @@ static void init(int argc, char **argv)
 }
 
 #ifdef USE_OPENSSL
+#ifdef USE_OPENSSL_WOLFSSL
+ wolfSSL_Init();
+ wolfSSL_Debugging_ON();
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL)
 /* Initialize the error strings of OpenSSL
 * It only needs to be done explicitely with older versions of the SSL
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index f947961b0d..674513e013 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
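Review bot: The new `ifneq ($(USE_OPENSSL_WOLFSSL),)` block is placed after the `endif` that presumably closes the `USE_OPENSSL` section, so `USE_OPENSSL_WOLFSSL=1` on its own links `-lwolfssl` while building none of the SSL objects, and nothing warns about it even though the commit message says both options must be set. Enforce the dependency at the top of the block, e.g. `ifeq ($(USE_OPENSSL),)` / `$(error USE_OPENSSL_WOLFSSL requires USE_OPENSSL=1)` / `endif`, and state it in the help comment added in the first Makefile hunk (`# USE_OPENSSL_WOLFSSL : enable use of wolfSSL with the OpenSSL API (requires USE_OPENSSL)`). Separately, `OPTIONS_CFLAGS += $(if $(SSL_INC),-I$(SSL_INC))` just above the added `ifeq` stays active in the wolfSSL build, so a leftover `SSL_INC` would likely put OpenSSL's headers ahead of wolfSSL's `openssl/` compatibility headers on the include path; gating it the same way as the `-lssl -lcrypto` line avoids mixing the two libraries' headers.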
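Review bot: `wolfSSL_Debugging_ON();` is called unconditionally in init(), so every start of a haproxy linked against a debug-enabled wolfSSL turns on the library's internal trace output for the whole process lifetime, which is noisy in production logs and is not something the operator opted into. Gate it behind an explicit debug setting (a dedicated build-time macro or an existing debug switch) or drop it from this commit, and document the remaining call, e.g. `/* wolfSSL needs an explicit global init before any SSL_CTX is created */` above `wolfSSL_Init();`. init() starts and ends outside the hunk.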
@@ -751,8 +751,14 @@ struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_
 }
 
 if (src->dh) {
+#ifndef USE_OPENSSL_WOLFSSL
 HASSL_DH_up_ref(src->dh);
 dst->dh = src->dh;
+#else
+ dst->dh = wolfSSL_DH_dup(src->dh);
+ if (!dst->dh)
+ goto error;
+#endif
 }
 
 if (src->sctl) {
@@ -3627,9 +3633,11 @@ static int show_crl_detail(X509_CRL *crl, struct buffer *out)
 long version;
 X509_NAME *issuer;
 int write = -1;
+#ifndef USE_OPENSSL_WOLFSSL
 STACK_OF(X509_REVOKED) *rev = NULL;
 X509_REVOKED *rev_entry = NULL;
 int i;
+#endif
 
 if (!tmp)
 return -1;
@@ -3676,7 +3684,7 @@ static int show_crl_detail(X509_CRL *crl, struct buffer *out)
 tmp->area[write] = '\0';
 chunk_appendf(out, "%s\n", tmp->area);
 
-
+#ifndef USE_OPENSSL_WOLFSSL
 /* Revoked Certificates */
 rev = X509_CRL_get_REVOKED(crl);
 if (sk_X509_REVOKED_num(rev) > 0)
@@ -3701,6 +3709,7 @@ static int show_crl_detail(X509_CRL *crl, struct buffer *out)
 tmp->area[write] = '\0';
 chunk_appendf(out, "%s", tmp->area);
 }
+#endif /* not USE_OPENSSL_WOLFSSL */
 
 end:
 free_trash_chunk(tmp);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ad40b75ceb..5592a6b27a 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1430,7 +1430,7 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 return SSL_TLSEXT_ERR_NOACK;
 
 memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
- SSL_set_tlsext_status_ocsp_resp(ssl, ssl_buf, ocsp->response.data);
+ SSL_set_tlsext_status_ocsp_resp(ssl, (unsigned char*)ssl_buf, ocsp->response.data);
 
 return SSL_TLSEXT_ERR_OK;
 }
@@ -1480,7 +1480,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
 struct certificate_ocsp *ocsp = NULL, *iocsp;
 char *warn = NULL;
 unsigned char *p;
+#ifndef USE_OPENSSL_WOLFSSL
 void (*callback) (void);
+#else
+ tlsextStatusCb callback;
+#endif
 
 x = ckch->cert;
 
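Review bot: Under USE_OPENSSL_WOLFSSL the whole "Revoked Certificates" part of show_crl_detail() is compiled out (the `#ifndef` opened in the -3676 hunk and closed by the `#endif` in the -3701 hunk, with the matching variables removed in the -3627 hunk), so the CLI dump of a CRL shows no revoked entries at all and an operator cannot tell an empty CRL from a listing the build cannot produce. Make the omission visible in the output rather than silent, e.g. add `#else` / `chunk_appendf(out, "Revoked Certificates: (not available with wolfSSL)\n");` before that `#endif`. show_crl_detail() starts and ends outside these hunks.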
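Review bot: Style: the cast added in ssl_sock_ocsp_stapling_cbk() is written `(unsigned char*)ssl_buf`, whereas the surrounding haproxy code puts a space before the pointer star in casts and declarations (`unsigned char *p;` a few lines below); `(unsigned char *)ssl_buf` keeps the file consistent. A short comment on why the cast is needed only with the wolfSSL headers would also help the next reader, since the OpenSSL prototype accepts the buffer as is.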
@@ -7626,9 +7630,17 @@ static inline int ocsp_certid_print(BIO *bp, OCSP_CERTID *certid, int indent)
 BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
 indent += 2;
 BIO_printf(bp, "%*sIssuer Name Hash: ", indent, "");
+#ifndef USE_OPENSSL_WOLFSSL
 i2a_ASN1_STRING(bp, piNameHash, 0);
+#else
+ wolfSSL_ASN1_STRING_print(bp, piNameHash);
+#endif
 BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
+#ifndef USE_OPENSSL_WOLFSSL
 i2a_ASN1_STRING(bp, piKeyHash, 0);
+#else
+ wolfSSL_ASN1_STRING_print(bp, piNameHash);
+#endif
 BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
 i2a_ASN1_INTEGER(bp, pSerial);
 }
@@ -7834,7 +7846,11 @@ int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out)
 goto end;
 }
 
- if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
+#ifndef USE_OPENSSL_WOLFSSL
+ if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
+#else
+ if (wolfSSL_d2i_OCSP_RESPONSE_bio(bio, &resp) != 0) {
+#endif
 struct buffer *trash = get_trash_chunk();
 struct ist ist_block = IST_NULL;
 struct ist ist_double_lf = IST_NULL;
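Review bot: In the wolfSSL branch for the "Issuer Key Hash" line, `wolfSSL_ASN1_STRING_print(bp, piNameHash);` prints the issuer name hash a second time, while the OpenSSL branch right above it prints `piKeyHash`. It should read `wolfSSL_ASN1_STRING_print(bp, piKeyHash);`, otherwise the OCSP certificate-ID dump shows two identical hashes and the key hash never appears, which makes the output useless for matching a response against a certificate. ocsp_certid_print() starts outside the hunk.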
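Review bot: The wolfSSL branch replaces a print with a decode: `wolfSSL_d2i_OCSP_RESPONSE_bio(bio, &resp)` reads a DER response out of `bio` into `resp` instead of writing a textual dump of `resp` into `bio`, while the rest of ssl_ocsp_response_print() (outside the hunk) presumably still copies the printed text back out of `bio` into the trash chunk declared just below. As written, the function's output under wolfSSL is unlikely to be the printed response, and `resp`, which the OpenSSL path treats as already decoded (it is passed to OCSP_RESPONSE_print on the removed line), is overwritten. If wolfSSL has no print counterpart yet, say so explicitly instead of substituting a decoder, e.g. `/* no OCSP_RESPONSE_print() equivalent with wolfSSL yet: report failure */` followed by `goto end;` in the `#else` branch. ssl_ocsp_response_print() starts and ends outside the hunk.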