From 9588b78eb0a53c40ce96606f5329eec9df86217c Mon Sep 17 00:00:00 2001 From: Christian Marangi Date: Thu, 14 Dec 2023 15:00:52 +0100 Subject: [PATCH] simple_http: Convert to WolfSSL Fully convert to WolfSSL as recent version of WolfSSL dropped the support shims for CyaSSL. Signed-off-by: Christian Marangi --- configure.in | 45 ++++++++--------- src/simple_http.c | 122 +++++++++++++++++++++++----------------------- 2 files changed, 81 insertions(+), 86 deletions(-) --- a/configure.in +++ b/configure.in @@ -85,48 +85,45 @@ AC_SUBST(enable_latex_docs) # Acutally perform the doxygen check BB_ENABLE_DOXYGEN -# Enable cyassl? -AC_DEFUN([BB_CYASSL], +# Enable wolfssl? +AC_DEFUN([BB_WOLFSSL], [ -AC_ARG_ENABLE(cyassl, [ --enable-cyassl enable TLS support for auth server communication (no)], [], [enable_cyassl=no]) -if test "x$enable_cyassl" = xyes; then - # CyaSSL has been renamed wolfSSL. Old method names are still available - # via cyassl/ssl.h, which maps old methods to new methods via macros. - # To find the proper lib to link against (cyassl or wolfssl), we do have - # the use the new naming scheme below as cyassl/ssl.h is not available for - # AC_SEARCH_LIBS - AC_CHECK_HEADERS(cyassl/ssl.h) - AC_SEARCH_LIBS([CyaTLSv1_client_method], [cyassl], [], [ - AC_SEARCH_LIBS([wolfTLSv1_client_method], [wolfssl], [], [ - AC_MSG_ERROR([unable to locate SSL lib: either wolfSSL or CyaSSL needed.]) - ]) +AC_ARG_ENABLE(wolfssl, [ --enable-wolfssl enable TLS support for auth server communication (no)], [], [enable_wolfssl=no]) +if test "x$enable_wolfssl" = xyes; then + AC_CHECK_HEADERS(wolfssl/ssl.h, [], [], + [ + #include + ]) + AC_SEARCH_LIBS([wolfTLSv1_client_method], [wolfssl], [], [ + AC_MSG_ERROR([unable to locate SSL lib: wolfSSL needed.]) ]) - AC_MSG_CHECKING([for the CyaSSL SNI enabled]) + AC_MSG_CHECKING([for the Wolfssl SNI enabled]) AC_LINK_IFELSE([AC_LANG_PROGRAM( [[ #define HAVE_SNI - #include + #include + #include ]], [[ - CYASSL_CTX *ctx; - CyaSSL_Init(); - ctx = CyaSSL_CTX_new(CyaTLSv1_client_method()); - CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, "wifidog.org", 11); + WOLFSSL_CTX *ctx; + wolfSSL_Init(); + ctx = wolfSSL_CTX_new(wolfTLSv1_client_method()); + wolfSSL_CTX_UseSNI(ctx, WOLFSSL_SNI_HOST_NAME, "wifidog.org", 11); ]])], [enabled_sni=yes], [enabled_sni=no]) if test "x$enabled_sni" = xyes; then AC_MSG_RESULT([yes]) - AC_DEFINE([HAVE_SNI],, "Compile with CyaSSL SNI support") + AC_DEFINE([HAVE_SNI],, "Compile with wolfssl SNI support") else AC_MSG_RESULT([no]) fi - AC_DEFINE(USE_CYASSL,, "Compile with CyaSSL support") + AC_DEFINE(USE_WOLFSSL,, "Compile with wolfssl support") fi ]) -# Actually perform the cyassl check -BB_CYASSL +# Actually perform the wolfssl check +BB_WOLFSSL --- a/src/simple_http.c +++ b/src/simple_http.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #include @@ -36,17 +37,14 @@ #include "debug.h" #include "pstring.h" -#ifdef USE_CYASSL -#include +#ifdef USE_WOLFSSL +#include +#include #include "conf.h" -/* For CYASSL_MAX_ERROR_SZ */ -#include -/* For COMPRESS_E */ -#include #endif -#ifdef USE_CYASSL -static CYASSL_CTX *get_cyassl_ctx(const char *hostname); +#ifdef USE_WOLFSSL +static WOLFSSL_CTX *get_wolfssl_ctx(const char *hostname); #endif /** @@ -133,48 +131,48 @@ http_get(const int sockfd, const char *r return NULL; } -#ifdef USE_CYASSL +#ifdef USE_WOLFSSL -static CYASSL_CTX *cyassl_ctx = NULL; -static pthread_mutex_t cyassl_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; +static WOLFSSL_CTX *wolfssl_ctx = NULL; +static pthread_mutex_t wolfssl_ctx_mutex = PTHREAD_MUTEX_INITIALIZER; -#define LOCK_CYASSL_CTX() do { \ - debug(LOG_DEBUG, "Locking CyaSSL Context"); \ - pthread_mutex_lock(&cyassl_ctx_mutex); \ - debug(LOG_DEBUG, "CyaSSL Context locked"); \ +#define LOCK_WOLFSSL_CTX() do { \ + debug(LOG_DEBUG, "Locking WolfSSL Context"); \ + pthread_mutex_lock(&wolfssl_ctx_mutex); \ + debug(LOG_DEBUG, "WolfSSL Context locked"); \ } while (0) -#define UNLOCK_CYASSL_CTX() do { \ - debug(LOG_DEBUG, "Unlocking CyaSSL Context"); \ - pthread_mutex_unlock(&cyassl_ctx_mutex); \ - debug(LOG_DEBUG, "CyaSSL Context unlocked"); \ +#define UNLOCK_WOLFSSL_CTX() do { \ + debug(LOG_DEBUG, "Unlocking WolfSSL Context"); \ + pthread_mutex_unlock(&wolfssl_ctx_mutex); \ + debug(LOG_DEBUG, "WolfSSL Context unlocked"); \ } while (0) -static CYASSL_CTX * -get_cyassl_ctx(const char *hostname) +static WOLFSSL_CTX * +get_wolfssl_ctx(const char *hostname) { int err; - CYASSL_CTX *ret; + WOLFSSL_CTX *ret; s_config *config = config_get_config(); - LOCK_CYASSL_CTX(); + LOCK_WOLFSSL_CTX(); - if (NULL == cyassl_ctx) { - CyaSSL_Init(); - /* Create the CYASSL_CTX */ + if (NULL == wolfssl_ctx) { + wolfSSL_Init(); + /* Create the WOLFSSL_CTX */ /* Allow TLSv1.0 up to TLSv1.2 */ - if ((cyassl_ctx = CyaSSL_CTX_new(CyaTLSv1_client_method())) == NULL) { - debug(LOG_ERR, "Could not create CYASSL context."); - UNLOCK_CYASSL_CTX(); + if ((wolfssl_ctx = wolfSSL_CTX_new(wolfTLSv1_client_method())) == NULL) { + debug(LOG_ERR, "Could not create WOLFSSL context."); + UNLOCK_WOLFSSL_CTX(); return NULL; } if (config->ssl_cipher_list) { debug(LOG_INFO, "Setting SSL cipher list to [%s]", config->ssl_cipher_list); - err = CyaSSL_CTX_set_cipher_list(cyassl_ctx, config->ssl_cipher_list); + err = wolfSSL_CTX_set_cipher_list(wolfssl_ctx, config->ssl_cipher_list); if (SSL_SUCCESS != err) { debug(LOG_ERR, "Could not load SSL cipher list (error %d)", err); - UNLOCK_CYASSL_CTX(); + UNLOCK_WOLFSSL_CTX(); return NULL; } } @@ -183,12 +181,12 @@ get_cyassl_ctx(const char *hostname) if (config->ssl_use_sni) { debug(LOG_INFO, "Setting SSL using SNI for hostname %s", hostname); - err = CyaSSL_CTX_UseSNI(cyassl_ctx, CYASSL_SNI_HOST_NAME, hostname, + err = wolfSSL_CTX_UseSNI(wolfssl_ctx, WOLFSSL_SNI_HOST_NAME, hostname, strlen(hostname)); if (SSL_SUCCESS != err) { debug(LOG_ERR, "Could not setup SSL using SNI for hostname %s", hostname); - UNLOCK_CYASSL_CTX(); + UNLOCK_WOLFSSL_CTX(); return NULL; } } @@ -196,28 +194,28 @@ get_cyassl_ctx(const char *hostname) if (config->ssl_verify) { /* Use trusted certs */ - /* Note: CyaSSL requires that the certificates are named by their hash values */ + /* Note: WolfSSL requires that the certificates are named by their hash values */ debug(LOG_INFO, "Loading SSL certificates from %s", config->ssl_certs); - err = CyaSSL_CTX_load_verify_locations(cyassl_ctx, NULL, config->ssl_certs); + err = wolfSSL_CTX_load_verify_locations(wolfssl_ctx, NULL, config->ssl_certs); if (err != SSL_SUCCESS) { debug(LOG_ERR, "Could not load SSL certificates (error %d)", err); if (err == ASN_UNKNOWN_OID_E) { - debug(LOG_ERR, "Error is ASN_UNKNOWN_OID_E - try compiling cyassl/wolfssl with --enable-ecc"); + debug(LOG_ERR, "Error is ASN_UNKNOWN_OID_E - try compiling wolfssl/wolfssl with --enable-ecc"); } else { debug(LOG_ERR, "Make sure that SSLCertPath points to the correct path in the config file"); debug(LOG_ERR, "Or disable certificate loading with 'SSLPeerVerification No'."); } - UNLOCK_CYASSL_CTX(); + UNLOCK_WOLFSSL_CTX(); return NULL; } } else { - CyaSSL_CTX_set_verify(cyassl_ctx, SSL_VERIFY_NONE, 0); + wolfSSL_CTX_set_verify(wolfssl_ctx, SSL_VERIFY_NONE, 0); debug(LOG_INFO, "Disabling SSL certificate verification!"); } } - ret = cyassl_ctx; - UNLOCK_CYASSL_CTX(); + ret = wolfssl_ctx; + UNLOCK_WOLFSSL_CTX(); return ret; } @@ -237,20 +235,20 @@ https_get(const int sockfd, const char * fd_set readfds; struct timeval timeout; unsigned long sslerr; - char sslerrmsg[CYASSL_MAX_ERROR_SZ]; + char sslerrmsg[WOLFSSL_MAX_ERROR_SZ]; size_t reqlen = strlen(req); char readbuf[MAX_BUF]; char *retval; pstr_t *response = pstr_new(); - CYASSL *ssl = NULL; - CYASSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; + WOLFSSL_CTX *ctx = NULL; s_config *config; config = config_get_config(); - ctx = get_cyassl_ctx(hostname); + ctx = get_wolfssl_ctx(hostname); if (NULL == ctx) { - debug(LOG_ERR, "Could not get CyaSSL Context!"); + debug(LOG_ERR, "Could not get WolfSSL Context!"); goto error; } @@ -260,28 +258,28 @@ https_get(const int sockfd, const char * goto error; } - /* Create CYASSL object */ - if ((ssl = CyaSSL_new(ctx)) == NULL) { - debug(LOG_ERR, "Could not create CyaSSL context."); + /* Create WOLFSSL object */ + if ((ssl = wolfSSL_new(ctx)) == NULL) { + debug(LOG_ERR, "Could not create WolfSSL context."); goto error; } if (config->ssl_verify) { // Turn on domain name check // Loading of CA certificates and verification of remote host name // go hand in hand - one is useless without the other. - CyaSSL_check_domain_name(ssl, hostname); + wolfSSL_check_domain_name(ssl, hostname); } - CyaSSL_set_fd(ssl, sockfd); + wolfSSL_set_fd(ssl, sockfd); debug(LOG_DEBUG, "Sending HTTPS request to auth server: [%s]\n", req); - numbytes = CyaSSL_send(ssl, req, (int)reqlen, 0); + numbytes = wolfSSL_send(ssl, req, (int)reqlen, 0); if (numbytes <= 0) { - sslerr = (unsigned long)CyaSSL_get_error(ssl, numbytes); - CyaSSL_ERR_error_string(sslerr, sslerrmsg); - debug(LOG_ERR, "CyaSSL_send failed: %s", sslerrmsg); + sslerr = (unsigned long)wolfSSL_get_error(ssl, numbytes); + wolfSSL_ERR_error_string(sslerr, sslerrmsg); + debug(LOG_ERR, "WolfSSL_send failed: %s", sslerrmsg); goto error; } else if ((size_t) numbytes != reqlen) { - debug(LOG_ERR, "CyaSSL_send failed: only %d bytes out of %d bytes sent!", numbytes, reqlen); + debug(LOG_ERR, "WolfSSL_send failed: only %d bytes out of %d bytes sent!", numbytes, reqlen); goto error; } @@ -300,14 +298,14 @@ https_get(const int sockfd, const char * /** We don't have to use FD_ISSET() because there * was only one fd. */ memset(readbuf, 0, MAX_BUF); - numbytes = CyaSSL_read(ssl, readbuf, MAX_BUF - 1); + numbytes = wolfSSL_read(ssl, readbuf, MAX_BUF - 1); if (numbytes < 0) { - sslerr = (unsigned long)CyaSSL_get_error(ssl, numbytes); - CyaSSL_ERR_error_string(sslerr, sslerrmsg); + sslerr = (unsigned long)wolfSSL_get_error(ssl, numbytes); + wolfSSL_ERR_error_string(sslerr, sslerrmsg); debug(LOG_ERR, "An error occurred while reading from server: %s", sslerrmsg); goto error; } else if (numbytes == 0) { - /* CyaSSL_read returns 0 on a clean shutdown or if the peer closed the + /* WolfSSL_read returns 0 on a clean shutdown or if the peer closed the connection. We can't distinguish between these cases right now. */ done = 1; } else { @@ -326,7 +324,7 @@ https_get(const int sockfd, const char * close(sockfd); - CyaSSL_free(ssl); + wolfSSL_free(ssl); retval = pstr_to_string(response); debug(LOG_DEBUG, "HTTPS Response from Server: [%s]", retval); @@ -334,7 +332,7 @@ https_get(const int sockfd, const char * error: if (ssl) { - CyaSSL_free(ssl); + wolfSSL_free(ssl); } if (sockfd >= 0) { close(sockfd); @@ -344,4 +342,4 @@ https_get(const int sockfd, const char * return NULL; } -#endif /* USE_CYASSL */ +#endif /* USE_WOLFSSL */