MEDIUM: ssl: add minimal WolfSSL support with OpenSSL compatibility mode

This adds a USE_OPENSSL_WOLFSSL option. wolfSSL must be used with its
OpenSSL compatibility layer, and the option must be combined with
USE_OPENSSL=1.

WolfSSL build options:

   ./configure --prefix=/opt/wolfssl --enable-haproxy

HAProxy build options:

  USE_OPENSSL=1 USE_OPENSSL_WOLFSSL=1 WOLFSSL_INC=/opt/wolfssl/include/ WOLFSSL_LIB=/opt/wolfssl/lib/ ADDLIB='-Wl,-rpath=/opt/wolfssl/lib'

Using at least the commit 54466b6 ("Merge pull request #5810 from
Uriah-wolfSSL/haproxy-integration") from WolfSSL. (2022-11-23).

This is still to be improved, reg-tests are not supported yet, and more
tests are to be done.

Signed-off-by: William Lallemand <wlallemand@haproxy.org>
diff --git a/src/haproxy.c b/src/haproxy.c
index 50850e9..1650147 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -2297,6 +2297,11 @@
 	}
 
 #ifdef USE_OPENSSL
+#ifdef USE_OPENSSL_WOLFSSL
+        wolfSSL_Init();
+        wolfSSL_Debugging_ON();
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL)
 	/* Initialize the error strings of OpenSSL
 	 * It only needs to be done explicitely with older versions of the SSL
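Review bot: `wolfSSL_Debugging_ON()` is called unconditionally at startup, so a wolfSSL library built with debug support will emit verbose TLS-internal logging in every deployment. That is a log-exposure and performance concern for a production proxy, so the call should sit behind a debug-only build option or be dropped. The result of `wolfSSL_Init()` is also discarded: check it with `if (wolfSSL_Init() != WOLFSSL_SUCCESS)` and abort startup the way this function handles its other fatal init errors. The enclosing function starts and ends outside the hunk, so that error path is not visible here. The two added calls are indented with spaces while the surrounding lines use tabs.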
diff --git a/src/ssl_ckch.c b/src/ssl_ckch.c
index f947961..674513e 100644
--- a/src/ssl_ckch.c
+++ b/src/ssl_ckch.c
@@ -751,8 +751,14 @@
 	}
 
 	if (src->dh) {
+#ifndef USE_OPENSSL_WOLFSSL
 		HASSL_DH_up_ref(src->dh);
 		dst->dh = src->dh;
+#else
+       dst->dh = wolfSSL_DH_dup(src->dh);
+       if (!dst->dh)
+           goto error;
+#endif
 	}
 
 	if (src->sctl) {
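Review bot: The wolfSSL branch changes the ownership model for `dst->dh` from a shared, reference-counted object to a private deep copy, and nothing in the code says why. A short comment above `wolfSSL_DH_dup()` would help, for example `/* wolfSSL: take a private copy of the DH params instead of a reference; dst owns it and must free it */`. The `error` label and the matching free path are outside the hunk, so it is worth confirming that the copy is released there like the other `dst` members. The three added lines are indented with spaces where the file uses tabs.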
@@ -3627,9 +3633,11 @@
 	long version;
 	X509_NAME *issuer;
 	int write = -1;
+#ifndef USE_OPENSSL_WOLFSSL
 	STACK_OF(X509_REVOKED) *rev = NULL;
 	X509_REVOKED *rev_entry = NULL;
 	int i;
+#endif
 
 	if (!tmp)
 		return -1;
@@ -3676,7 +3684,7 @@
 	tmp->area[write] = '\0';
 	chunk_appendf(out, "%s\n", tmp->area);
 
-
+#ifndef USE_OPENSSL_WOLFSSL
 	/* Revoked Certificates */
 	rev = X509_CRL_get_REVOKED(crl);
 	if (sk_X509_REVOKED_num(rev) > 0)
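Review bot: With USE_OPENSSL_WOLFSSL the whole "Revoked Certificates" section is compiled out (this `#ifndef`, its `#endif` in the hunk at 3709, and the declarations guarded in the hunk at 3633), and the output gives no hint that it was skipped. Someone reading the CRL dump cannot tell an empty revocation list from a build that cannot list entries, which matters when the output is used to verify that a revocation was loaded. Consider turning the closing `#endif` into an `#else` branch that emits one explicit line, e.g. `chunk_appendf(out, "Revoked Certificates: not available with this SSL library\n");`, with the wording adjusted to the existing output format. The function body begins before and continues after these hunks.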
@@ -3701,6 +3709,7 @@
 		tmp->area[write] = '\0';
 		chunk_appendf(out, "%s", tmp->area);
 	}
+#endif /* not USE_OPENSSL_WOLFSSL */
 
 end:
 	free_trash_chunk(tmp);
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index ad40b75..5592a6b 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -1430,7 +1430,7 @@
 		return SSL_TLSEXT_ERR_NOACK;
 
 	memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
-	SSL_set_tlsext_status_ocsp_resp(ssl, ssl_buf, ocsp->response.data);
+	SSL_set_tlsext_status_ocsp_resp(ssl, (unsigned char*)ssl_buf, ocsp->response.data);
 
 	return SSL_TLSEXT_ERR_OK;
 }
@@ -1480,7 +1480,11 @@
 	struct certificate_ocsp *ocsp = NULL, *iocsp;
 	char *warn = NULL;
 	unsigned char *p;
+#ifndef USE_OPENSSL_WOLFSSL
 	void (*callback) (void);
+#else
+	tlsextStatusCb callback;
+#endif
 
 
 	x = ckch->cert;
@@ -7626,9 +7630,17 @@
 		BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
 		indent += 2;
 		BIO_printf(bp, "%*sIssuer Name Hash: ", indent, "");
+#ifndef USE_OPENSSL_WOLFSSL
 		i2a_ASN1_STRING(bp, piNameHash, 0);
+#else
+        wolfSSL_ASN1_STRING_print(bp, piNameHash);
+#endif
 		BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
+#ifndef USE_OPENSSL_WOLFSSL
 		i2a_ASN1_STRING(bp, piKeyHash, 0);
+#else
+		wolfSSL_ASN1_STRING_print(bp, piNameHash);
+#endif
 		BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
 		i2a_ASN1_INTEGER(bp, pSerial);
 	}
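Review bot: In the wolfSSL branch for "Issuer Key Hash" the call prints `piNameHash` again, so the key hash line shows the issuer name hash instead of the key hash. It should be `wolfSSL_ASN1_STRING_print(bp, piKeyHash);`. Anyone using this output to match an OCSP response to its issuer would be misled by the duplicated value. It is also worth checking that `wolfSSL_ASN1_STRING_print()` renders the hash octets as hex the way `i2a_ASN1_STRING()` does, since a string-style print of raw digest bytes would not be readable. The first added wolfSSL call is indented with spaces rather than tabs.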
@@ -7834,7 +7846,11 @@
 		goto end;
 	}
 
-	if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
+#ifndef USE_OPENSSL_WOLFSSL
+   if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
+#else
+   if (wolfSSL_d2i_OCSP_RESPONSE_bio(bio, &resp) != 0) {
+#endif
 		struct buffer *trash = get_trash_chunk();
 		struct ist ist_block = IST_NULL;
 		struct ist ist_double_lf = IST_NULL;
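Review bot: The wolfSSL branch replaces a print call with `wolfSSL_d2i_OCSP_RESPONSE_bio(bio, &resp)`, which by its name and signature is a DER decoder reading from `bio` into `resp`, not a function that writes a textual dump. Assuming `bio` is the output BIO the OpenSSL branch prints into, this call would read from it, could overwrite the `resp` parsed earlier, and its pointer result is compared with `!= 0` as if it were a status code. The block that follows would then post-process a buffer that was never filled. If the compatibility layer has no print equivalent, the wolfSSL build should take the error path with an explicit "not supported" message rather than call a decoder. At minimum mark it with `/* FIXME(wolfssl): decodes from bio, does not print; OCSP dump unsupported */`. The function starts before and continues past this hunk.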