mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-25 14:12:13 +00:00
MEDIUM: ssl: add minimal WolfSSL support with OpenSSL compatibility mode
This adds a USE_OPENSSL_WOLFSSL option, wolfSSL must be used with the OpenSSL compatibility layer. This must be used with USE_OPENSSL=1. WolfSSL build options: ./configure --prefix=/opt/wolfssl --enable-haproxy HAProxy build options: USE_OPENSSL=1 USE_OPENSSL_WOLFSSL=1 WOLFSSL_INC=/opt/wolfssl/include/ WOLFSSL_LIB=/opt/wolfssl/lib/ ADDLIB='-Wl,-rpath=/opt/wolfssl/lib' Using at least the commit 54466b6 ("Merge pull request #5810 from Uriah-wolfSSL/haproxy-integration") from WolfSSL. (2022-11-23). This is still to be improved, reg-tests are not supported yet, and more tests are to be done. Signed-off-by: William Lallemand <wlallemand@haproxy.org>
This commit is contained in:
parent
79320cb074
commit
3cbf09ed64
29
Makefile
29
Makefile
@ -32,6 +32,7 @@
|
||||
# USE_CRYPT_H : set it if your system requires including crypt.h
|
||||
# USE_GETADDRINFO : use getaddrinfo() to resolve IPv6 host names.
|
||||
# USE_OPENSSL : enable use of OpenSSL. Recommended, but see below.
|
||||
# USE_OPENSSL_WOLFSSL : enable use of wolfSSL with the OpenSSL API
|
||||
# USE_ENGINE : enable use of OpenSSL Engine.
|
||||
# USE_LUA : enable Lua support.
|
||||
# USE_ACCEPT4 : enable use of accept4() on linux. Automatic.
|
||||
@ -106,6 +107,8 @@
|
||||
# pcre2-config)
|
||||
# SSL_LIB : force the lib path to libssl/libcrypto
|
||||
# SSL_INC : force the include path to libssl/libcrypto
|
||||
# WOLFSSL_INC : force the include path to wolfSSL
|
||||
# WOLFSSL_LIB : force the lib path to wolfSSL
|
||||
# LUA_LIB : force the lib path to lua
|
||||
# LUA_INC : force the include path to lua
|
||||
# LUA_LIB_NAME : force the lib name (or automatically evaluated, by order of
|
||||
@ -295,12 +298,12 @@ use_opts = USE_EPOLL USE_KQUEUE USE_NETFILTER \
|
||||
USE_THREAD USE_PTHREAD_EMULATION USE_BACKTRACE \
|
||||
USE_STATIC_PCRE USE_STATIC_PCRE2 USE_TPROXY USE_LINUX_TPROXY \
|
||||
USE_LINUX_SPLICE USE_LIBCRYPT USE_CRYPT_H USE_ENGINE \
|
||||
USE_GETADDRINFO USE_OPENSSL USE_LUA USE_ACCEPT4 \
|
||||
USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY USE_TFO USE_NS \
|
||||
USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES USE_WURFL USE_SYSTEMD \
|
||||
USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL USE_THREAD_DUMP \
|
||||
USE_EVPORTS USE_OT USE_QUIC USE_PROMEX USE_MEMORY_PROFILING \
|
||||
USE_SHM_OPEN
|
||||
USE_GETADDRINFO USE_OPENSSL USE_OPENSSL_WOLFSSL USE_LUA \
|
||||
USE_ACCEPT4 USE_CLOSEFROM USE_ZLIB USE_SLZ USE_CPU_AFFINITY \
|
||||
USE_TFO USE_NS USE_DL USE_RT USE_DEVICEATLAS USE_51DEGREES \
|
||||
USE_WURFL USE_SYSTEMD USE_OBSOLETE_LINKER USE_PRCTL USE_PROCCTL \
|
||||
USE_THREAD_DUMP USE_EVPORTS USE_OT USE_QUIC USE_PROMEX \
|
||||
USE_MEMORY_PROFILING USE_SHM_OPEN
|
||||
|
||||
#### Target system options
|
||||
# Depending on the target platform, some options are set, as well as some
|
||||
@ -580,13 +583,27 @@ SSL_LIB =
|
||||
# pass it in the "ADDLIB" variable if needed. If your SSL libraries are not
|
||||
# in the usual path, use SSL_INC=/path/to/inc and SSL_LIB=/path/to/lib.
|
||||
OPTIONS_CFLAGS += $(if $(SSL_INC),-I$(SSL_INC))
|
||||
ifeq ($(USE_OPENSSL_WOLFSSL),)
|
||||
OPTIONS_LDFLAGS += $(if $(SSL_LIB),-L$(SSL_LIB)) -lssl -lcrypto
|
||||
endif
|
||||
ifneq ($(USE_DL),)
|
||||
OPTIONS_LDFLAGS += -ldl
|
||||
endif
|
||||
OPTIONS_OBJS += src/ssl_sock.o src/ssl_ckch.o src/ssl_sample.o src/ssl_crtlist.o src/cfgparse-ssl.o src/ssl_utils.o src/jwt.o
|
||||
endif
|
||||
|
||||
ifneq ($(USE_OPENSSL_WOLFSSL),)
|
||||
ifneq ($(WOLFSSL_INC),)
|
||||
OPTIONS_CFLAGS += -I$(WOLFSSL_INC) -I$(WOLFSSL_INC)/wolfssl
|
||||
else
|
||||
OPTIONS_CFLAGS += -I/usr/local/include/wolfssl -I/usr/local/include/wolfssl/openssl -I/usr/local/include
|
||||
endif
|
||||
ifneq ($(WOLFSSL_LIB),)
|
||||
OPTIONS_LDFLAGS += -L$(WOLFSSL_LIB)
|
||||
endif
|
||||
OPTIONS_LDFLAGS += -lwolfssl
|
||||
endif
|
||||
|
||||
ifneq ($(USE_ENGINE),)
|
||||
# OpenSSL 3.0 emits loud deprecation warnings by default when building with
|
||||
# engine support, and this option is made to silence them. Better use it
|
||||
|
@ -2,6 +2,11 @@
|
||||
#define _HAPROXY_OPENSSL_COMPAT_H
|
||||
#ifdef USE_OPENSSL
|
||||
|
||||
#ifdef USE_OPENSSL_WOLFSSL
|
||||
#define TLSEXT_MAXLEN_host_name 255
|
||||
#include <wolfssl/options.h>
|
||||
#endif
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/ssl.h>
|
||||
|
@ -2297,6 +2297,11 @@ static void init(int argc, char **argv)
|
||||
}
|
||||
|
||||
#ifdef USE_OPENSSL
|
||||
#ifdef USE_OPENSSL_WOLFSSL
|
||||
wolfSSL_Init();
|
||||
wolfSSL_Debugging_ON();
|
||||
#endif
|
||||
|
||||
#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL)
|
||||
/* Initialize the error strings of OpenSSL
|
||||
* It only needs to be done explicitely with older versions of the SSL
|
||||
|
@ -751,8 +751,14 @@ struct cert_key_and_chain *ssl_sock_copy_cert_key_and_chain(struct cert_key_and_
|
||||
}
|
||||
|
||||
if (src->dh) {
|
||||
#ifndef USE_OPENSSL_WOLFSSL
|
||||
HASSL_DH_up_ref(src->dh);
|
||||
dst->dh = src->dh;
|
||||
#else
|
||||
dst->dh = wolfSSL_DH_dup(src->dh);
|
||||
if (!dst->dh)
|
||||
goto error;
|
||||
#endif
|
||||
}
|
||||
|
||||
if (src->sctl) {
|
||||
@ -3627,9 +3633,11 @@ static int show_crl_detail(X509_CRL *crl, struct buffer *out)
|
||||
long version;
|
||||
X509_NAME *issuer;
|
||||
int write = -1;
|
||||
#ifndef USE_OPENSSL_WOLFSSL
|
||||
STACK_OF(X509_REVOKED) *rev = NULL;
|
||||
X509_REVOKED *rev_entry = NULL;
|
||||
int i;
|
||||
#endif
|
||||
|
||||
if (!tmp)
|
||||
return -1;
|
||||
@ -3676,7 +3684,7 @@ static int show_crl_detail(X509_CRL *crl, struct buffer *out)
|
||||
tmp->area[write] = '\0';
|
||||
chunk_appendf(out, "%s\n", tmp->area);
|
||||
|
||||
|
||||
#ifndef USE_OPENSSL_WOLFSSL
|
||||
/* Revoked Certificates */
|
||||
rev = X509_CRL_get_REVOKED(crl);
|
||||
if (sk_X509_REVOKED_num(rev) > 0)
|
||||
@ -3701,6 +3709,7 @@ static int show_crl_detail(X509_CRL *crl, struct buffer *out)
|
||||
tmp->area[write] = '\0';
|
||||
chunk_appendf(out, "%s", tmp->area);
|
||||
}
|
||||
#endif /* not USE_OPENSSL_WOLFSSL */
|
||||
|
||||
end:
|
||||
free_trash_chunk(tmp);
|
||||
|
@ -1430,7 +1430,7 @@ int ssl_sock_ocsp_stapling_cbk(SSL *ssl, void *arg)
|
||||
return SSL_TLSEXT_ERR_NOACK;
|
||||
|
||||
memcpy(ssl_buf, ocsp->response.area, ocsp->response.data);
|
||||
SSL_set_tlsext_status_ocsp_resp(ssl, ssl_buf, ocsp->response.data);
|
||||
SSL_set_tlsext_status_ocsp_resp(ssl, (unsigned char*)ssl_buf, ocsp->response.data);
|
||||
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
}
|
||||
@ -1480,7 +1480,11 @@ static int ssl_sock_load_ocsp(SSL_CTX *ctx, const struct cert_key_and_chain *ckc
|
||||
struct certificate_ocsp *ocsp = NULL, *iocsp;
|
||||
char *warn = NULL;
|
||||
unsigned char *p;
|
||||
#ifndef USE_OPENSSL_WOLFSSL
|
||||
void (*callback) (void);
|
||||
#else
|
||||
tlsextStatusCb callback;
|
||||
#endif
|
||||
|
||||
|
||||
x = ckch->cert;
|
||||
@ -7626,9 +7630,17 @@ static inline int ocsp_certid_print(BIO *bp, OCSP_CERTID *certid, int indent)
|
||||
BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
|
||||
indent += 2;
|
||||
BIO_printf(bp, "%*sIssuer Name Hash: ", indent, "");
|
||||
#ifndef USE_OPENSSL_WOLFSSL
|
||||
i2a_ASN1_STRING(bp, piNameHash, 0);
|
||||
#else
|
||||
wolfSSL_ASN1_STRING_print(bp, piNameHash);
|
||||
#endif
|
||||
BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
|
||||
#ifndef USE_OPENSSL_WOLFSSL
|
||||
i2a_ASN1_STRING(bp, piKeyHash, 0);
|
||||
#else
|
||||
wolfSSL_ASN1_STRING_print(bp, piNameHash);
|
||||
#endif
|
||||
BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
|
||||
i2a_ASN1_INTEGER(bp, pSerial);
|
||||
}
|
||||
@ -7834,7 +7846,11 @@ int ssl_ocsp_response_print(struct buffer *ocsp_response, struct buffer *out)
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
|
||||
#ifndef USE_OPENSSL_WOLFSSL
|
||||
if (OCSP_RESPONSE_print(bio, resp, 0) != 0) {
|
||||
#else
|
||||
if (wolfSSL_d2i_OCSP_RESPONSE_bio(bio, &resp) != 0) {
|
||||
#endif
|
||||
struct buffer *trash = get_trash_chunk();
|
||||
struct ist ist_block = IST_NULL;
|
||||
struct ist ist_double_lf = IST_NULL;
|
||||
|
Loading…
Reference in New Issue
Block a user