MEDIUM: ssl: add minimal WolfSSL support with OpenSSL compatibility mode
This adds a USE_OPENSSL_WOLFSSL option, wolfSSL must be used with the
OpenSSL compatibility layer. This must be used with USE_OPENSSL=1.
WolfSSL build options:
./configure --prefix=/opt/wolfssl --enable-haproxy
HAProxy build options:
USE_OPENSSL=1 USE_OPENSSL_WOLFSSL=1 WOLFSSL_INC=/opt/wolfssl/include/ WOLFSSL_LIB=/opt/wolfssl/lib/ ADDLIB='-Wl,-rpath=/opt/wolfssl/lib'
Using at least the commit 54466b6 ("Merge pull request #5810 from
Uriah-wolfSSL/haproxy-integration") from WolfSSL. (2022-11-23).
This is still to be improved, reg-tests are not supported yet, and more
tests are to be done.
Signed-off-by: William Lallemand <wlallemand@haproxy.org>
diff --git a/Makefile b/Makefile
index 2ab2d35..6bfdc4a 100644
--- a/Makefile
+++ b/Makefile
@@ -32,6 +32,7 @@
# USE_CRYPT_H : set it if your system requires including crypt.h
# USE_GETADDRINFO : use getaddrinfo() to resolve IPv6 host names.
# USE_OPENSSL : enable use of OpenSSL. Recommended, but see below.
+# USE_OPENSSL_WOLFSSL : enable use of wolfSSL with the OpenSSL API
# USE_ENGINE : enable use of OpenSSL Engine.
# USE_LUA : enable Lua support.
# USE_ACCEPT4 : enable use of accept4() on linux. Automatic.
@@ -106,6 +107,8 @@
# pcre2-config)
# SSL_LIB : force the lib path to libssl/libcrypto
# SSL_INC : force the include path to libssl/libcrypto
+# WOLFSSL_INC : force the include path to wolfSSL
+# WOLFSSL_LIB : force the lib path to wolfSSL
# LUA_LIB : force the lib path to lua
# LUA_INC : force the include path to lua
# LUA_LIB_NAME : force the lib name (or automatically evaluated, by order of
@@ -295,12 +298,12 @@
USE_THREAD USE_PTHREAD_EMULATION USE_BACKTRACE \
USE_STATIC_PCRE USE_STATIC_PCRE2 USE_TPROXY USE_LINUX_TPROXY \
USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H USE_ENGINE \
- USE_GETADDRINFO USE_OPENSSL USE_LUA USE_ACCEPT4 \
- USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS \
- USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES USE_WURFL USE_SYSTEMD \
- USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL USE_THREAD_DUMP \
- USE_EVPORTS USE_OT USE_QUIC USE_PROMEX USE_MEMORY_PROFILING \
- USE_SHM_OPEN
+ USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_LUA \
+ USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY \
+ USE_TFO USE_NS USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES \
+ USE_WURFL USE_SYSTEMD USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL \
+ USE_THREAD_DUMP USE_EVPORTS USE_OT USE_QUIC USE_PROMEX \
+ USE_MEMORY_PROFILING USE_SHM_OPEN
#### Target system options
# Depending on the target platform, some options are set, as well as some
@@ -580,13 +583,27 @@
# pass it in the "ADDLIB" variable if needed. If your SSL libraries are not
# in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
OPTIONS_CFLAGS += $(if $(SSL_INC),-I$(SSL_INC))
+ifeq ($(USE_OPENSSL_WOLFSSL),)
OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
+endif
ifneq ($(USE_DL),)
OPTIONS_LDFLAGS += -ldl
endif
OPTIONS_OBJS += src/ssl_sock.o src/ssl_ckch.o src/ssl_sample.o src/ssl_crtlist.o src/cfgparse-ssl.o src/ssl_utils.o src/jwt.o
endif
+ifneq ($(USE_OPENSSL_WOLFSSL),)
+ifneq ($(WOLFSSL_INC),)
+OPTIONS_CFLAGS += -I$(WOLFSSL_INC) -I$(WOLFSSL_INC)/wolfssl
+else
+OPTIONS_CFLAGS += -I/usr/local/include/wolfssl -I/usr/local/include/wolfssl/openssl -I/usr/local/include
+endif
+ifneq ($(WOLFSSL_LIB),)
+OPTIONS_LDFLAGS += -L$(WOLFSSL_LIB)
+endif
+OPTIONS_LDFLAGS += -lwolfssl
+endif
+
ifneq ($(USE_ENGINE),)
# OpenSSL 3.0 emits loud deprecation warnings by default when building with
# engine support, and this option is made to silence them. Better use it
diff --git a/include/haproxy/openssl-compat.h b/include/haproxy/openssl-compat.h
index 5aaa6c7..f520790 100644
--- a/include/haproxy/openssl-compat.h
+++ b/include/haproxy/openssl-compat.h
@@ -2,6 +2,11 @@
#define _HAPROXY_OPENSSL_COMPAT_H
#ifdef USE_OPENSSL
+#ifdef USE_OPENSSL_WOLFSSL
+#define TLSEXT_MAXLEN_host_name 255
+#include <wolfssl/options.h>
+#endif
+
#include <openssl/bn.h>
#include <openssl/crypto.h>
#include <openssl/ssl.h>
diff --git a/src/haproxy.c b/src/haproxy.c
index 50850e9..1650147 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -2297,6 +2297,11 @@
}
#ifdef USE_OPENSSL
+#ifdef USE_OPENSSL_WOLFSSL
+ wolfSSL_Init();
+ wolfSSL_Debugging_ON();
+#endif
+
#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL)
/* Initialize the error strings of OpenSSL
* It only needs to be done explicitely with older versions of the SSL
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index f947961..674513e 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -751,8 +751,14 @@
}
if (src->dh) {
+#ifndef USE_OPENSSL_WOLFSSL
HASSL_DH_up_ref(src->dh);
dst->dh = src->dh;
+#else
+ dst->dh = wolfSSL_DH_dup(src->dh);
+ if (!dst->dh)
+ goto error;
+#endif
}
if (src->sctl) {
@@ -3627,9 +3633,11 @@
long version;
X509_NAME *issuer;
int write = -1;
+#ifndef USE_OPENSSL_WOLFSSL
STACK_OF(X509_REVOKED) *rev = NULL;
X509_REVOKED *rev_entry = NULL;
int i;
+#endif
if (!tmp)
return -1;
@@ -3676,7 +3684,7 @@
tmp->area[write] = '\0';
chunk_appendf(out, "%s\n", tmp->area);
-
+#ifndef USE_OPENSSL_WOLFSSL
/* Revoked Certificates */
rev = X509_CRL_get_REVOKED(crl);
if (sk_X509_REVOKED_num(rev) > 0)
@@ -3701,6 +3709,7 @@
tmp->area[write] = '\0';
chunk_appendf(out, "%s", tmp->area);
}
+#endif /* not USE_OPENSSL_WOLFSSL */
end:
free_trash_chunk(tmp);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ad40b75..5592a6b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1430,7 +1430,7 @@
return SSL_TLSEXT_ERR_NOACK;
memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
- SSL_set_tlsext_status_ocsp_resp(ssl, ssl_buf, ocsp->response.data);
+ SSL_set_tlsext_status_ocsp_resp(ssl, (unsigned char*)ssl_buf, ocsp->response.data);
return SSL_TLSEXT_ERR_OK;
}
@@ -1480,7 +1480,11 @@
struct certificate_ocsp *ocsp = NULL, *iocsp;
char *warn = NULL;
unsigned char *p;
+#ifndef USE_OPENSSL_WOLFSSL
void (*callback) (void);
+#else
+ tlsextStatusCb callback;
+#endif
x = ckch->cert;
@@ -7626,9 +7630,17 @@
BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
indent += 2;
BIO_printf(bp, "%*sIssuer Name Hash: ", indent, "");
+#ifndef USE_OPENSSL_WOLFSSL
i2a_ASN1_STRING(bp, piNameHash, 0);
+#else
+ wolfSSL_ASN1_STRING_print(bp, piNameHash);
+#endif
BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
+#ifndef USE_OPENSSL_WOLFSSL
i2a_ASN1_STRING(bp, piKeyHash, 0);
+#else
+ wolfSSL_ASN1_STRING_print(bp, piNameHash);
+#endif
BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
i2a_ASN1_INTEGER(bp, pSerial);
}
@@ -7834,7 +7846,11 @@
goto end;
}
- if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
+#ifndef USE_OPENSSL_WOLFSSL
+ if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
+#else
+ if (wolfSSL_d2i_OCSP_RESPONSE_bio(bio, &resp) != 0) {
+#endif
struct buffer *trash = get_trash_chunk();
struct ist ist_block = IST_NULL;
struct ist ist_double_lf = IST_NULL;