On 14.04.20 at 20:52, Juliusz Sosinowicz wrote:
> This patch adds support for wolfSSL in OpenVPN. Support is added by using
> wolfSSL's OpenSSL compatibility layer. Function calls are left unchanged and
> instead the OpenSSL includes point to wolfSSL headers and OpenVPN is linked
> against the wolfSSL library.
>
> As requested by OpenVPN maintainers, this patch does not include
> wolfssl/options.h on its own. By defining the macro EXTERNAL_OPTS_OPENVPN in
> the configure script wolfSSL will include wolfssl/options.h on its own
> (change added in https://github.com/wolfSSL/wolfssl/pull/2825). The patch
> adds an option '--disable-wolfssl-options-h' in case the user would like to
> supply their own settings file for wolfSSL.
>

Thanks, the patch is a lot less intrusive than the last version. We will have to discuss in our meeting under what condition we want to include the patch. We might add a note or statement that the WolfSSL support in OpenVPN is mainly developed and tested by WolfSSL itself or something along these lines.

> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index 453cb20a..73da5fa7 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c > @@ -428,7 +428,7 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer > work, > tag_ptr = BPTR(buf); > ASSERT(buf_advance(buf, tag_size)); > dmsg(D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex(tag_ptr, tag_size, > 0, &gc)); > -#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L > +#if (defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L) > || defined(ENABLE_CRYPTO_WOLFSSL) > /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */ > if (!EVP_CIPHER_CTX_ctrl(ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, > tag_ptr)) > {

Are you sure that WolfSSL requires a workaround for old OpenSSL versions before 1.0.1d?

Arne
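
Review bot: the comment directly under the changed #if in openvpn_decrypt_aead() still reads "OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext", which no longer explains the branch once "|| defined(ENABLE_CRYPTO_WOLFSSL)" is part of the condition. As written, every wolfSSL build sets the GCM tag through EVP_CTRL_GCM_SET_TAG before the ciphertext is processed, regardless of library version, and nothing in the hunk says whether that is a requirement of wolfSSL's compatibility layer or a carried-over workaround. Since this is the AEAD tag handling on the decrypt path, please either extend the comment to state why wolfSSL needs the tag set early, or drop the wolfSSL clause if the default ordering works there.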
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel