MEDIUM: ssl: add minimal WolfSSL support with OpenSSL compatibility mode

This adds a USE_OPENSSL_WOLFSSL option, wolfSSL must be used with the
OpenSSL compatibility layer. This must be used with USE_OPENSSL=1.

WolfSSL build options:

   ./configure --prefix=/opt/wolfssl --enable-haproxy

HAProxy build options:

  USE_OPENSSL=1 USE_OPENSSL_WOLFSSL=1 WOLFSSL_INC=/opt/wolfssl/include/ WOLFSSL_LIB=/opt/wolfssl/lib/ ADDLIB='-Wl,-rpath=/opt/wolfssl/lib'

Using at least the commit 54466b6 ("Merge pull request #5810 from
Uriah-wolfSSL/haproxy-integration") from WolfSSL. (2022-11-23).

This is still to be improved, reg-tests are not supported yet, and more
tests are to be done.

Signed-off-by: William Lallemand <wlallemand@haproxy.org>

Makefile

@@ -32,6 +32,7 @@
 #   USE_CRYPT_H          : set it if your system requires including crypt.h
 #   USE_GETADDRINFO      : use getaddrinfo() to resolve IPv6 host names.
 #   USE_OPENSSL          : enable use of OpenSSL. Recommended, but see below.
+#   USE_OPENSSL_WOLFSSL  : enable use of wolfSSL with the OpenSSL API
 #   USE_ENGINE           : enable use of OpenSSL Engine.
 #   USE_LUA              : enable Lua support.
 #   USE_ACCEPT4          : enable use of accept4() on linux. Automatic.
@@ -106,6 +107,8 @@
 #                                                               pcre2-config)
 #   SSL_LIB        : force the lib path to libssl/libcrypto
 #   SSL_INC        : force the include path to libssl/libcrypto
+#   WOLFSSL_INC    : force the include path to wolfSSL
+#   WOLFSSL_LIB    : force the lib path to wolfSSL
 #   LUA_LIB        : force the lib path to lua
 #   LUA_INC        : force the include path to lua
 #   LUA_LIB_NAME   : force the lib name (or automatically evaluated, by order of
@@ -295,12 +298,12 @@ use_opts = USE_EPOLL USE_KQUEUE USE_NETFILTER                                 \
            USE_THREAD USE_PTHREAD_EMULATION USE_BACKTRACE                     \
            USE_STATIC_PCRE USE_STATIC_PCRE2 USE_TPROXY USE_LINUX_TPROXY       \
            USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H USE_ENGINE               \
-           USE_GETADDRINFO USE_OPENSSL USE_LUA USE_ACCEPT4                    \
-           USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS     \
-           USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES USE_WURFL USE_SYSTEMD  \
-           USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL USE_THREAD_DUMP          \
-           USE_EVPORTS USE_OT USE_QUIC USE_PROMEX USE_MEMORY_PROFILING        \
-           USE_SHM_OPEN
+           USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_LUA            \
+           USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY        \
+           USE_TFO USE_NS USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES         \
+           USE_WURFL USE_SYSTEMD USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL    \
+           USE_THREAD_DUMP USE_EVPORTS USE_OT USE_QUIC USE_PROMEX             \
+           USE_MEMORY_PROFILING USE_SHM_OPEN
 
 #### Target system options
 # Depending on the target platform, some options are set, as well as some
@@ -580,13 +583,27 @@ SSL_LIB =
 # pass it in the "ADDLIB" variable if needed. If your SSL libraries are not
 # in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
 OPTIONS_CFLAGS  += $(if $(SSL_INC),-I$(SSL_INC))
+ifeq ($(USE_OPENSSL_WOLFSSL),)
 OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
+endif
 ifneq ($(USE_DL),)
 OPTIONS_LDFLAGS += -ldl
 endif
 OPTIONS_OBJS  += src/ssl_sock.o src/ssl_ckch.o src/ssl_sample.o src/ssl_crtlist.o src/cfgparse-ssl.o src/ssl_utils.o src/jwt.o
 endif
 
+ifneq ($(USE_OPENSSL_WOLFSSL),)
+ifneq ($(WOLFSSL_INC),)
+OPTIONS_CFLAGS  += -I$(WOLFSSL_INC) -I$(WOLFSSL_INC)/wolfssl
+else
+OPTIONS_CFLAGS  += -I/usr/local/include/wolfssl -I/usr/local/include/wolfssl/openssl -I/usr/local/include
+endif
+ifneq ($(WOLFSSL_LIB),)
+OPTIONS_LDFLAGS  += -L$(WOLFSSL_LIB)
+endif
+OPTIONS_LDFLAGS  += -lwolfssl
+endif
+
 ifneq ($(USE_ENGINE),)
 # OpenSSL 3.0 emits loud deprecation warnings by default when building with
 # engine support, and this option is made to silence them. Better use it

include/haproxy/openssl-compat.h

@@ -2,6 +2,11 @@
 #define _HAPROXY_OPENSSL_COMPAT_H
 #ifdef USE_OPENSSL
 
+#ifdef USE_OPENSSL_WOLFSSL
+#define TLSEXT_MAXLEN_host_name 255
+#include <wolfssl/options.h>
+#endif
+
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
 #include <openssl/ssl.h>

src/haproxy.c

@@ -2297,6 +2297,11 @@ static void init(int argc, char **argv)
 	}
 
 #ifdef USE_OPENSSL
+#ifdef USE_OPENSSL_WOLFSSL
+        wolfSSL_Init();
+        wolfSSL_Debugging_ON();
+#endif
+
 #if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL)
 	/* Initialize the error strings of OpenSSL
 	 * It only needs to be done explicitely with older versions of the SSL

src/ssl_ckch.c

@@ -751,8 +751,14 @@ struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_
 	}
 
 	if (src->dh) {
+#ifndef USE_OPENSSL_WOLFSSL
 		HASSL_DH_up_ref(src->dh);
 		dst->dh = src->dh;
+#else
+       dst->dh = wolfSSL_DH_dup(src->dh);
+       if (!dst->dh)
+           goto error;
+#endif
 	}
 
 	if (src->sctl) {
@@ -3627,9 +3633,11 @@ static int show_crl_detail(X509_CRL *crl, struct buffer *out)
 	long version;
 	X509_NAME *issuer;
 	int write = -1;
+#ifndef USE_OPENSSL_WOLFSSL
 	STACK_OF(X509_REVOKED) *rev = NULL;
 	X509_REVOKED *rev_entry = NULL;
 	int i;
+#endif
 
 	if (!tmp)
 		return -1;
@@ -3676,7 +3684,7 @@ static int show_crl_detail(X509_CRL *crl, struct buffer *out)
 	tmp->area[write] = '\0';
 	chunk_appendf(out, "%s\n", tmp->area);
 
-
+#ifndef USE_OPENSSL_WOLFSSL
 	/* Revoked Certificates */
 	rev = X509_CRL_get_REVOKED(crl);
 	if (sk_X509_REVOKED_num(rev) > 0)
@@ -3701,6 +3709,7 @@ static int show_crl_detail(X509_CRL *crl, struct buffer *out)
 		tmp->area[write] = '\0';
 		chunk_appendf(out, "%s", tmp->area);
 	}
+#endif /* not USE_OPENSSL_WOLFSSL */
 
 end:
 	free_trash_chunk(tmp);

src/ssl_sock.c

@@ -1430,7 +1430,7 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
 		return SSL_TLSEXT_ERR_NOACK;
 
 	memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
-	SSL_set_tlsext_status_ocsp_resp(ssl, ssl_buf, ocsp->response.data);
+	SSL_set_tlsext_status_ocsp_resp(ssl, (unsigned char*)ssl_buf, ocsp->response.data);
 
 	return SSL_TLSEXT_ERR_OK;
 }
@@ -1480,7 +1480,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
 	struct certificate_ocsp *ocsp = NULL, *iocsp;
 	char *warn = NULL;
 	unsigned char *p;
+#ifndef USE_OPENSSL_WOLFSSL
 	void (*callback) (void);
+#else
+	tlsextStatusCb callback;
+#endif
 
 
 	x = ckch->cert;
@@ -7626,9 +7630,17 @@ static inline int ocsp_certid_print(BIO *bp, OCSP_CERTID *certid, int indent)
 		BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
 		indent += 2;
 		BIO_printf(bp, "%*sIssuer Name Hash: ", indent, "");
+#ifndef USE_OPENSSL_WOLFSSL
 		i2a_ASN1_STRING(bp, piNameHash, 0);
+#else
+        wolfSSL_ASN1_STRING_print(bp, piNameHash);
+#endif
 		BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
+#ifndef USE_OPENSSL_WOLFSSL
 		i2a_ASN1_STRING(bp, piKeyHash, 0);
+#else
+		wolfSSL_ASN1_STRING_print(bp, piNameHash);
+#endif
 		BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
 		i2a_ASN1_INTEGER(bp, pSerial);
 	}
@@ -7834,7 +7846,11 @@ int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out)
 		goto end;
 	}
 
-	if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
+#ifndef USE_OPENSSL_WOLFSSL
+   if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
+#else
+   if (wolfSSL_d2i_OCSP_RESPONSE_bio(bio, &resp) != 0) {
+#endif
 		struct buffer *trash = get_trash_chunk();
 		struct ist ist_block = IST_NULL;
 		struct ist ist_double_lf = IST_NULL;