diff --git a/INSTALL b/INSTALL index 0f2c2bcb1..7646aa807 100644 --- a/INSTALL +++ b/INSTALL @@ -643,6 +643,11 @@ Authentication options: to be used instead. This makes it possible to link with the OpenSSL 3.0 package on OpenBSD. Defaults to "%s". + --enable-wolfssl[=DIR] + Use WolfSSL's TLS and SHA-2 message digest functions. If + specified, DIR should contain the OpenSSL include and lib + directories. + Development options: --enable-env-debug Enable debugging of the environment setting functions. This diff --git a/config.h.in b/config.h.in index ff5960bc4..22c6e11ed 100644 --- a/config.h.in +++ b/config.h.in @@ -1009,6 +1009,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_WCHAR_H +/* Define to 1 if you are using WolfSSL's TLS and sha2 functions. */ +#undef HAVE_WOLFSSL + /* Define to 1 if you have the `wordexp' function. */ #undef HAVE_WORDEXP diff --git a/configure b/configure index 802ccf2ce..174f1b64c 100755 --- a/configure +++ b/configure @@ -1045,6 +1045,7 @@ enable_log_server enable_log_client enable_openssl enable_openssl_pkgconfig_template +enable_wolfssl enable_gcrypt enable_python enable_shared @@ -1763,6 +1764,7 @@ Optional Features: --enable-openssl-pkgconfig-template A printf format string used to construct the OpenSSL pkg-config name + --enable-wolfssl Use WolfSSL's TLS and sha2 functions --enable-gcrypt Use GNU crypt's sha2 functions --enable-python Compile python plugin support --enable-shared[=PKGS] build shared libraries [default=yes] 
@@ -6985,13 +6987,22 @@ else $as_nop fi +# Check whether --enable-wolfssl was given. +if test ${enable_wolfssl+y} +then : + enableval=$enable_wolfssl; + enable_openssl=no + +fi + + # Check whether --enable-gcrypt was given. if test ${enable_gcrypt+y} then : enableval=$enable_gcrypt; - if test "${enable_openssl-no}" != no; then - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: ignoring --enable-gcrypt when OpenSSL is enabled." >&5 -printf "%s\n" "$as_me: WARNING: ignoring --enable-gcrypt when OpenSSL is enabled." >&2;} + if test "${enable_openssl-no}${enable_wolfssl-no}" != "nono"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: ignoring --enable-gcrypt when OpenSSL or WolfSSL is enabled." >&5 +printf "%s\n" "$as_me: WARNING: ignoring --enable-gcrypt when OpenSSL or WolfSSL is enabled." >&2;} enable_gcrypt=no fi 
@@ -24313,6 +24324,655 @@ fi fi fi +if test "${enable_wolfssl-no}" != no; then + # Use pkg-config to find the wolfssl cflags and libs if possible. + if test "$enable_wolfssl" != "yes"; then + PKG_CONFIG_LIBDIR="${enable_wolfssl}/lib/pkgconfig:${enable_wolfssl}/lib64/pkgconfig:${enable_wolfssl}/share/pkgconfig" + export PKG_CONFIG_LIBDIR + elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then + # Cannot use pkg-config when cross-compiling + PKG_CONFIG=false + fi + : ${PKG_CONFIG='pkg-config'} + if $PKG_CONFIG --exists wolfssl >/dev/null 2>&1; then + printf "%s\n" "#define HAVE_OPENSSL 1" >>confdefs.h + + printf "%s\n" "#define HAVE_WOLFSSL 1" >>confdefs.h + + + O_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS `$PKG_CONFIG --cflags-only-I wolfssl`" + O_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L wolfssl`" + + # Check whether --static is needed + libssl="`$PKG_CONFIG --libs-only-l wolfssl | sed 's/^ *-l//'`" + libssl_extra=`echo $libssl | sed 's/^[^ ]* *//'` + libssl=`echo $libssl | sed 's/ .*//'` + as_ac_Lib=`printf "%s\n" "ac_cv_lib_$libssl''_wolfSSL_new$libssl_extra" | $as_tr_sh` +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for wolfSSL_new in -l$libssl" >&5 +printf %s "checking for wolfSSL_new in -l$libssl... " >&6; } +if eval test \${$as_ac_Lib+y} +then : + printf %s "(cached) " >&6 +else $as_nop + ac_check_lib_save_LIBS=$LIBS +LIBS="-l$libssl $libssl_extra $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +char wolfSSL_new (); +int +main (void) +{ +return wolfSSL_new (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + eval "$as_ac_Lib=yes" +else $as_nop + eval "$as_ac_Lib=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +eval ac_res=\$$as_ac_Lib + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +printf "%s\n" "$ac_res" >&6; } +if eval test \"x\$"$as_ac_Lib"\" = x"yes" +then : + STATIC="" +else $as_nop + STATIC="--static" +fi + + + # Use WolfSSL's sha2 functions if possible + ac_fn_check_decl "$LINENO" "EVP_MD_CTX_new" "ac_cv_have_decl_EVP_MD_CTX_new" " + $ac_includes_default + #include + #include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_EVP_MD_CTX_new" = xyes +then : + DIGEST=digest_openssl.lo +fi + CPPFLAGS="$O_CPPFLAGS" + LDFLAGS="$O_LDFLAGS" + + # Use pkg-config to determine WolfSSL libs and cflags + for f in `$PKG_CONFIG $STATIC --libs wolfssl`; do + case "$f" in + -L*) + f="${f#-L}" + + +if test ${LIBTLS+y} +then : + + case " $LIBTLS " in #( + *" -L$f "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS already contains -L\$f"; } >&5 + (: LIBTLS already contains -L$f) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append LIBTLS " -L$f" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5 + (: LIBTLS="$LIBTLS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + LIBTLS=-L$f + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5 + (: LIBTLS="$LIBTLS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + +fi + + if test X"$enable_rpath" = X"yes"; then + +if test ${LIBTLS_R+y} +then : + + case " $LIBTLS_R " in #( + *" -R$f "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R already contains -R\$f"; } >&5 + (: LIBTLS_R already contains -R$f) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append LIBTLS_R " -R$f" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5 + (: LIBTLS_R="$LIBTLS_R") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + LIBTLS_R=-R$f + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5 + (: LIBTLS_R="$LIBTLS_R") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + fi + + ;; + *) + +if test ${LIBTLS+y} +then : + + case " $LIBTLS " in #( + *" $f "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS already contains \$f"; } >&5 + (: LIBTLS already contains $f) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append LIBTLS " $f" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5 + (: LIBTLS="$LIBTLS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + LIBTLS=$f + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5 + (: LIBTLS="$LIBTLS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + +fi + + ;; + esac + done + # No separate pkg config for libcrypto + LIBCRYPTO="$LIBTLS" + LIBCRYPTO_R="$LIBTLS_R" + for f in `$PKG_CONFIG --cflags-only-I wolfssl`; do + +if test ${CPPFLAGS+y} +then : + + case " $CPPFLAGS " in #( + *" $f "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains \$f"; } >&5 + (: CPPFLAGS already contains $f) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append CPPFLAGS " $f" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + CPPFLAGS=$f + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + # So we find the openssl compat headers under wolfssl + +if test ${CPPFLAGS+y} +then : + + case " $CPPFLAGS " in #( + *" $f/wolfssl "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains \$f/wolfssl"; } >&5 + (: CPPFLAGS already contains $f/wolfssl) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append CPPFLAGS " $f/wolfssl" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + CPPFLAGS=$f/wolfssl + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + +fi + + done + if test "$CPPFLAGS" = "$O_CPPFLAGS"; then + # So we find the openssl compat headers under wolfssl (XXX) + +if test ${CPPFLAGS+y} +then : + + case " $CPPFLAGS " in #( + *" -I/usr/include/wolfssl "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I/usr/include/wolfssl"; } >&5 + (: CPPFLAGS already contains -I/usr/include/wolfssl) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append CPPFLAGS " -I/usr/include/wolfssl" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + CPPFLAGS=-I/usr/include/wolfssl + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + fi + else + printf "%s\n" "#define HAVE_OPENSSL 1" >>confdefs.h + + printf "%s\n" "#define HAVE_WOLFSSL 1" >>confdefs.h + + + # No pkg-config file present, try to do it manually + if test "$enable_wolfssl" != "yes"; then + + +if test ${LIBCRYPTO+y} +then : + + case " $LIBCRYPTO " in #( + *" -L${enable_wolfssl}/lib "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO already contains -L\${enable_wolfssl}/lib"; } >&5 + (: LIBCRYPTO already contains -L${enable_wolfssl}/lib) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append LIBCRYPTO " -L${enable_wolfssl}/lib" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO=\"\$LIBCRYPTO\""; } >&5 + (: LIBCRYPTO="$LIBCRYPTO") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + LIBCRYPTO=-L${enable_wolfssl}/lib + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO=\"\$LIBCRYPTO\""; } >&5 + (: LIBCRYPTO="$LIBCRYPTO") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + if test X"$enable_rpath" = X"yes"; then + +if test ${LIBCRYPTO_R+y} +then : + + case " $LIBCRYPTO_R " in #( + *" -R${enable_wolfssl}/lib "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO_R already contains -R\${enable_wolfssl}/lib"; } >&5 + (: LIBCRYPTO_R already contains -R${enable_wolfssl}/lib) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append LIBCRYPTO_R " -R${enable_wolfssl}/lib" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO_R=\"\$LIBCRYPTO_R\""; } >&5 + (: LIBCRYPTO_R="$LIBCRYPTO_R") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + LIBCRYPTO_R=-R${enable_wolfssl}/lib + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO_R=\"\$LIBCRYPTO_R\""; } >&5 + (: LIBCRYPTO_R="$LIBCRYPTO_R") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + fi + + + +if test ${LIBTLS+y} +then : + + case " $LIBTLS " in #( + *" -L${enable_wolfssl}/lib "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS already contains -L\${enable_wolfssl}/lib"; } >&5 + (: LIBTLS already contains -L${enable_wolfssl}/lib) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append LIBTLS " -L${enable_wolfssl}/lib" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5 + (: LIBTLS="$LIBTLS") 2>&5 + ac_status=$? 
+ printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + LIBTLS=-L${enable_wolfssl}/lib + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5 + (: LIBTLS="$LIBTLS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + if test X"$enable_rpath" = X"yes"; then + +if test ${LIBTLS_R+y} +then : + + case " $LIBTLS_R " in #( + *" -R${enable_wolfssl}/lib "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R already contains -R\${enable_wolfssl}/lib"; } >&5 + (: LIBTLS_R already contains -R${enable_wolfssl}/lib) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append LIBTLS_R " -R${enable_wolfssl}/lib" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5 + (: LIBTLS_R="$LIBTLS_R") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + LIBTLS_R=-R${enable_wolfssl}/lib + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5 + (: LIBTLS_R="$LIBTLS_R") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + fi + + +if test ${CPPFLAGS+y} +then : + + case " $CPPFLAGS " in #( + *" -I${enable_wolfssl}/include "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enable_wolfssl}/include"; } >&5 + (: CPPFLAGS already contains -I${enable_wolfssl}/include) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append CPPFLAGS " -I${enable_wolfssl}/include" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? 
+ printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + CPPFLAGS=-I${enable_wolfssl}/include + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + # So we find the openssl compat headers under wolfssl + +if test ${CPPFLAGS+y} +then : + + case " $CPPFLAGS " in #( + *" -I${enable_wolfssl}/include/wolfssl "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enable_wolfssl}/include/wolfssl"; } >&5 + (: CPPFLAGS already contains -I${enable_wolfssl}/include/wolfssl) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append CPPFLAGS " -I${enable_wolfssl}/include/wolfssl" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + CPPFLAGS=-I${enable_wolfssl}/include/wolfssl + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + else + # So we find the openssl compat headers under wolfssl (XXX) + +if test ${CPPFLAGS+y} +then : + + case " $CPPFLAGS " in #( + *" -I/usr/include/wolfssl "*) : + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I/usr/include/wolfssl"; } >&5 + (: CPPFLAGS already contains -I/usr/include/wolfssl) 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } ;; #( + *) : + + as_fn_append CPPFLAGS " -I/usr/include/wolfssl" + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + ;; +esac + +else $as_nop + + CPPFLAGS=-I/usr/include/wolfssl + { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5 + (: CPPFLAGS="$CPPFLAGS") 2>&5 + ac_status=$? + printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + +fi + + fi + LIBTLS="${LIBTLS} -lwolfssl" + LIBCRYPTO="${LIBCRYPTO} -lwolfssl" + + # Use WolfSSL's sha2 functions if possible + ac_fn_check_decl "$LINENO" "EVP_MD_CTX_new" "ac_cv_have_decl_EVP_MD_CTX_new" " + $ac_includes_default + #include + #include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_EVP_MD_CTX_new" = xyes +then : + DIGEST=digest_openssl.lo +fi + fi + ac_fn_check_decl "$LINENO" "X509_STORE_CTX_get0_cert" "ac_cv_have_decl_X509_STORE_CTX_get0_cert" " + $ac_includes_default + #include + #include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_X509_STORE_CTX_get0_cert" = xyes +then : + printf "%s\n" "#define HAVE_X509_STORE_CTX_GET0_CERT 1" >>confdefs.h + +fi + ac_fn_check_decl "$LINENO" "ASN1_STRING_get0_data" "ac_cv_have_decl_ASN1_STRING_get0_data" " + $ac_includes_default + #include + #include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_ASN1_STRING_get0_data" = xyes +then : + printf "%s\n" "#define HAVE_ASN1_STRING_GET0_DATA 1" >>confdefs.h + +fi + ac_fn_check_decl "$LINENO" "SSL_CTX_get0_certificate" "ac_cv_have_decl_SSL_CTX_get0_certificate" " + $ac_includes_default + #include + #include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_SSL_CTX_get0_certificate" = xyes +then : + printf "%s\n" "#define 
HAVE_SSL_CTX_GET0_CERTIFICATE 1" >>confdefs.h + +fi + ac_fn_check_decl "$LINENO" "SSL_CTX_set0_tmp_dh_pkey" "ac_cv_have_decl_SSL_CTX_set0_tmp_dh_pkey" " + $ac_includes_default + #include + #include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_SSL_CTX_set0_tmp_dh_pkey" = xyes +then : + printf "%s\n" "#define HAVE_SSL_CTX_SET0_TMP_DH_PKEY 1" >>confdefs.h + +fi + ac_fn_check_decl "$LINENO" "TLS_method" "ac_cv_have_decl_TLS_method" " + $ac_includes_default + #include + #include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_TLS_method" = xyes +then : + printf "%s\n" "#define HAVE_TLS_METHOD 1" >>confdefs.h + +fi + ac_fn_check_decl "$LINENO" "SSL_CTX_set_min_proto_version" "ac_cv_have_decl_SSL_CTX_set_min_proto_version" " + $ac_includes_default + #include + #include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_SSL_CTX_set_min_proto_version" = xyes +then : + printf "%s\n" "#define HAVE_SSL_CTX_SET_MIN_PROTO_VERSION 1" >>confdefs.h + +fi + ac_fn_check_decl "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_have_decl_SSL_CTX_set_ciphersuites" " + $ac_includes_default + #include + #include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_SSL_CTX_set_ciphersuites" = xyes +then : + printf "%s\n" "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h + +fi +fi if test "$DIGEST" = "digest.lo"; then FOUND_SHA2=no ac_fn_c_check_header_compile "$LINENO" "sha2.h" "ac_cv_header_sha2_h" "$ac_includes_default" @@ -33631,6 +34291,9 @@ printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 fi +if test ${LIBTLS+y}; then + have_tls=yes +fi echo "" >&6 echo "Configured Sudo version $PACKAGE_VERSION" >&6 echo " Compiler settings:" >&6 
@@ -33662,7 +34325,7 @@ fi echo " Optional features:" >&6 echo " log client : ${enable_log_client-yes}" >&6 echo " log server : ${enable_log_server-yes}" >&6 -echo " log client/server TLS : ${enable_openssl-no}" >&6 +echo " log client/server TLS : ${have_tls-no}" >&6 case "$host_os" in linux*) echo " SELinux RBAC : ${with_selinux-yes}" >&6;; esac @@ -33940,5 +34603,6 @@ fi + diff --git a/configure.ac b/configure.ac index 5c95c3da8..5d0bef902 100644 --- a/configure.ac +++ b/configure.ac @@ -1561,7 +1561,7 @@ if test X"$LOGSRVD_SRC" != X""; then fi dnl -dnl Do OpenSSL / gcrypt after logsrv options +dnl Do OpenSSL / WolfSSL / gcrypt after logsrv options dnl AC_ARG_ENABLE(openssl, [AS_HELP_STRING([--enable-openssl], [Use OpenSSL's TLS and sha2 functions])], @@ -1575,10 +1575,15 @@ AC_ARG_ENABLE(openssl-pkgconfig-template, [AS_HELP_STRING([--enable-openssl-pkgconfig-template], [A printf format string used to construct the OpenSSL pkg-config name])], [], [enable_openssl_pkgconfig_template="%s"]) +AC_ARG_ENABLE(wolfssl, +[AS_HELP_STRING([--enable-wolfssl], [Use WolfSSL's TLS and sha2 functions])], [ + enable_openssl=no +]) + AC_ARG_ENABLE(gcrypt, [AS_HELP_STRING([--enable-gcrypt], [Use GNU crypt's sha2 functions])], [ - if test "${enable_openssl-no}" != no; then - AC_MSG_WARN([ignoring --enable-gcrypt when OpenSSL is enabled.]) + if test "${enable_openssl-no}${enable_wolfssl-no}" != "nono"; then + AC_MSG_WARN([ignoring --enable-gcrypt when OpenSSL or WolfSSL is enabled.]) enable_gcrypt=no fi ]) 
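Review bot: The action for `--enable-wolfssl` sets `enable_openssl=no` unconditionally, so it also fires for `--disable-wolfssl` and silently overrides an explicit `--enable-openssl`; guard it, e.g. `[if test "$enableval" != no; then enable_openssl=no; fi]`. The regenerated `configure` (hunk at -6985) carries the same unconditional assignment and will follow once configure.ac is fixed. The help string advertises plain `--enable-wolfssl`, yet the new block later in configure.ac treats the value as a directory and INSTALL documents `--enable-wolfssl[=DIR]`, so the optional `=DIR` belongs in the help string too. INSTALL's new paragraph also says DIR holds the "OpenSSL include and lib directories"; that should read WolfSSL.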
@@ -3102,7 +3107,132 @@ elif test "${enable_gcrypt-no}" != no; then fi fi dnl -dnl Check for sha2 functions if not using openssl or gcrypt +dnl Check for OpenSSL compatibility functions in WolfSSL +dnl +if test "${enable_wolfssl-no}" != no; then + # Use pkg-config to find the wolfssl cflags and libs if possible. + if test "$enable_wolfssl" != "yes"; then + PKG_CONFIG_LIBDIR="${enable_wolfssl}/lib/pkgconfig:${enable_wolfssl}/lib64/pkgconfig:${enable_wolfssl}/share/pkgconfig" + export PKG_CONFIG_LIBDIR + elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then + # Cannot use pkg-config when cross-compiling + PKG_CONFIG=false + fi + : ${PKG_CONFIG='pkg-config'} + if $PKG_CONFIG --exists wolfssl >/dev/null 2>&1; then + AC_DEFINE(HAVE_OPENSSL) + AC_DEFINE(HAVE_WOLFSSL) + + O_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS `$PKG_CONFIG --cflags-only-I wolfssl`" + O_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L wolfssl`" + + # Check whether --static is needed + libssl="`$PKG_CONFIG --libs-only-l wolfssl | sed 's/^ *-l//'`" + libssl_extra=`echo $libssl | sed 's/^[[^ ]]* *//'` + libssl=`echo $libssl | sed 's/ .*//'` + AC_CHECK_LIB($libssl, wolfSSL_new, [STATIC=""], [STATIC="--static"], [$libssl_extra]) + + # Use WolfSSL's sha2 functions if possible + AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [ + AC_INCLUDES_DEFAULT + #include + #include + ]) + CPPFLAGS="$O_CPPFLAGS" + LDFLAGS="$O_LDFLAGS" + + # Use pkg-config to determine WolfSSL libs and cflags + for f in `$PKG_CONFIG $STATIC --libs wolfssl`; do + case "$f" in + -L*) + f="${f#-L}" + SUDO_APPEND_LIBPATH([LIBTLS], [$f]) + ;; + *) + AX_APPEND_FLAG([$f], [LIBTLS]) + ;; + esac + done + # No separate pkg config for libcrypto + LIBCRYPTO="$LIBTLS" + LIBCRYPTO_R="$LIBTLS_R" + for f in `$PKG_CONFIG --cflags-only-I wolfssl`; do + AX_APPEND_FLAG([$f], [CPPFLAGS]) + # So we find the openssl compat headers under wolfssl + AX_APPEND_FLAG([$f/wolfssl], [CPPFLAGS]) + done + if test "$CPPFLAGS" = 
"$O_CPPFLAGS"; then + # So we find the openssl compat headers under wolfssl (XXX) + AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS]) + fi + else + AC_DEFINE(HAVE_OPENSSL) + AC_DEFINE(HAVE_WOLFSSL) + + # No pkg-config file present, try to do it manually + if test "$enable_wolfssl" != "yes"; then + SUDO_APPEND_LIBPATH(LIBCRYPTO, [${enable_wolfssl}/lib]) + SUDO_APPEND_LIBPATH(LIBTLS, [${enable_wolfssl}/lib]) + AX_APPEND_FLAG([-I${enable_wolfssl}/include], [CPPFLAGS]) + # So we find the openssl compat headers under wolfssl + AX_APPEND_FLAG([-I${enable_wolfssl}/include/wolfssl], [CPPFLAGS]) + else + # So we find the openssl compat headers under wolfssl (XXX) + AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS]) + fi + LIBTLS="${LIBTLS} -lwolfssl" + LIBCRYPTO="${LIBCRYPTO} -lwolfssl" + + # Use WolfSSL's sha2 functions if possible + AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [ + AC_INCLUDES_DEFAULT + #include + #include + ]) + fi + dnl + dnl Check for specific OpenSSL API compatibility macros + dnl + AC_CHECK_DECL([X509_STORE_CTX_get0_cert], [AC_DEFINE(HAVE_X509_STORE_CTX_GET0_CERT)], [], [ + AC_INCLUDES_DEFAULT + #include + #include + ]) + AC_CHECK_DECL([ASN1_STRING_get0_data], [AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA)], [], [ + AC_INCLUDES_DEFAULT + #include + #include + ]) + AC_CHECK_DECL([SSL_CTX_get0_certificate], [AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE)], [], [ + AC_INCLUDES_DEFAULT + #include + #include + ]) + AC_CHECK_DECL([SSL_CTX_set0_tmp_dh_pkey], [AC_DEFINE(HAVE_SSL_CTX_SET0_TMP_DH_PKEY)], [], [ + AC_INCLUDES_DEFAULT + #include + #include + ]) + AC_CHECK_DECL([TLS_method], [AC_DEFINE(HAVE_TLS_METHOD)], [], [ + AC_INCLUDES_DEFAULT + #include + #include + ]) + AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [ + AC_INCLUDES_DEFAULT + #include + #include + ]) + AC_CHECK_DECL([SSL_CTX_set_ciphersuites], [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [ + AC_INCLUDES_DEFAULT + #include + 
#include + ]) +fi +dnl +dnl Check for sha2 functions if not using openssl, wolfssl or gcrypt dnl if test "$DIGEST" = "digest.lo"; then FOUND_SHA2=no @@ -4965,6 +5095,9 @@ AC_OUTPUT dnl dnl Summarize configuration dnl +if test ${LIBTLS+y}; then + have_tls=yes +fi echo "" >&AS_MESSAGE_FD echo "Configured Sudo version $PACKAGE_VERSION" >&AS_MESSAGE_FD echo " Compiler settings:" >&AS_MESSAGE_FD @@ -4996,7 +5129,7 @@ fi echo " Optional features:" >&AS_MESSAGE_FD echo " log client : ${enable_log_client-yes}" >&AS_MESSAGE_FD echo " log server : ${enable_log_server-yes}" >&AS_MESSAGE_FD -echo " log client/server TLS : ${enable_openssl-no}" >&AS_MESSAGE_FD +echo " log client/server TLS : ${have_tls-no}" >&AS_MESSAGE_FD case "$host_os" in linux*) echo " SELinux RBAC : ${with_selinux-yes}" >&AS_MESSAGE_FD;; esac @@ -5267,6 +5400,7 @@ AH_TEMPLATE(HAVE_KINFO_PROC_FREEBSD, [Define to 1 if your system has a FreeBSD-s AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-style kinfo_proc2 struct.]) AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.]) AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.]) +AH_TEMPLATE(HAVE_WOLFSSL, [Define to 1 if you are using WolfSSL's TLS and sha2 functions.]) AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.]) AH_TEMPLATE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION, [Define to 1 if you have the `SSL_CTX_set_min_proto_version' function or macro.]) AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function or macro.]) diff --git a/include/sudo_compat.h b/include/sudo_compat.h index 95b0969ed..8bc9f37d9 100644 --- a/include/sudo_compat.h +++ b/include/sudo_compat.h 
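Review bot: In the branch taken when no pkg-config file is found, `HAVE_OPENSSL`/`HAVE_WOLFSSL` are defined and `-lwolfssl` is appended to `LIBTLS`/`LIBCRYPTO` without any check that the library exists, so a missing or mislocated WolfSSL only fails at link time, whereas the pkg-config branch at least link-tests `wolfSSL_new` via `AC_CHECK_LIB`. I would link-test `wolfSSL_new` in the manual branch as well and stop with `AC_MSG_ERROR` when it is absent, as in the excerpt below. Separately, `PKG_CONFIG_LIBDIR` is exported and never restored, so every later pkg-config probe in configure is confined to DIR; save and restore it unless the OpenSSL block (outside this hunk) deliberately behaves the same way. In the pkg-config branch the `EVP_MD_CTX_new` decl check runs before the `$f/wolfssl` compat include directory is appended to `CPPFLAGS`, while the manual branch runs it after; if the compat headers are only reachable through that directory, the pkg-config build silently keeps `digest.lo`, so either move the check after the CPPFLAGS loop or comment why the order differs. The hardcoded `-I/usr/include/wolfssl` is already marked `XXX`; the comment should say what it works around (pkg-config not reporting the compat subdirectory, presumably) so the fallback is not mistaken for dead code.
```m4
    LIBTLS="${LIBTLS} -lwolfssl"
    LIBCRYPTO="${LIBCRYPTO} -lwolfssl"
    # Fail at configure time, not link time, when the library is absent.
    # LIBTLS already holds the -L path (if DIR was given) and -lwolfssl.
    O_LDFLAGS="$LDFLAGS"
    LDFLAGS="$LDFLAGS $LIBTLS"
    AC_CHECK_LIB([wolfssl], [wolfSSL_new], [:],
	[AC_MSG_ERROR([unable to find the WolfSSL library; use --enable-wolfssl=DIR])])
    LDFLAGS="$O_LDFLAGS"
    # … unchanged: EVP_MD_CTX_new digest check …
```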
@@ -380,7 +380,7 @@ int getdomainname(char *, size_t); /* * Compatibility defines for OpenSSL 1.0.2 (not needed for 1.1.x) */ -#if defined(HAVE_OPENSSL) +#if defined(HAVE_OPENSSL) && !defined(HAVE_WOLFSSL) # ifndef HAVE_X509_STORE_CTX_GET0_CERT # define X509_STORE_CTX_get0_cert(x) ((x)->cert) # endif @@ -390,7 +390,7 @@ int getdomainname(char *, size_t); # ifndef HAVE_TLS_METHOD # define TLS_method() SSLv23_method() # endif -#endif /* HAVE_OPENSSL */ +#endif /* HAVE_OPENSSL && !HAVE_WOLFSSL */ /* * Functions "missing" from libc. diff --git a/lib/iolog/hostcheck.c b/lib/iolog/hostcheck.c index 4bfa856ea..fc664cf71 100644 --- a/lib/iolog/hostcheck.c +++ b/lib/iolog/hostcheck.c @@ -22,6 +22,9 @@ #include "config.h" #if defined(HAVE_OPENSSL) +# if defined(HAVE_WOLFSSL) +# include +# endif # include # include # include diff --git a/lib/util/digest_openssl.c b/lib/util/digest_openssl.c index 37609dbee..20be7341e 100644 --- a/lib/util/digest_openssl.c +++ b/lib/util/digest_openssl.c @@ -26,6 +26,9 @@ #include #include +#if defined(HAVE_WOLFSSL) +# include +#endif #include #include "sudo_compat.h" diff --git a/lib/util/getentropy.c b/lib/util/getentropy.c index 98df88937..7cffa0d89 100644 --- a/lib/util/getentropy.c +++ b/lib/util/getentropy.c @@ -65,6 +65,9 @@ # include #endif #ifdef HAVE_OPENSSL +# if defined(HAVE_WOLFSSL) +# include +# endif # include #endif diff --git a/logsrvd/logsrvd.c b/logsrvd/logsrvd.c index 9abc521de..63df2ce26 100644 --- a/logsrvd/logsrvd.c +++ b/logsrvd/logsrvd.c @@ -49,11 +49,6 @@ # include "compat/getopt.h" #endif /* HAVE_GETOPT_LONG */ -#if defined(HAVE_OPENSSL) -# include -# include -#endif - #define NEED_INET_NTOP /* to expose sudo_inet_ntop in sudo_compat.h */ #include "pathnames.h" @@ -70,8 +65,8 @@ #include "sudo_rand.h" #include "sudo_util.h" -#include "hostcheck.h" #include "logsrvd.h" +#include "hostcheck.h" #ifndef O_NOFOLLOW # define O_NOFOLLOW 0 diff --git a/logsrvd/logsrvd.h b/logsrvd/logsrvd.h index 71400b0dc..ef8191b65 100644 
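Review bot: The comment introducing this block still reads "Compatibility defines for OpenSSL 1.0.2" and gives no reason for the new `!defined(HAVE_WOLFSSL)` exclusion, so the fallbacks could easily be re-enabled for WolfSSL later. I would extend it to `/* Compatibility defines for OpenSSL 1.0.2 (not needed for 1.1.x). Skipped for WolfSSL: these fallbacks depend on OpenSSL internals such as (x)->cert and SSLv23_method(), and configure probes WolfSSL's compat headers for the real functions instead. */`. Note that with the exclusion a failed `HAVE_X509_STORE_CTX_GET0_CERT` (or sibling) probe under WolfSSL now yields a compile error rather than a fallback, which looks intended but is worth a line in that comment; the second hunk in this file (-390) only updates the closing `#endif` comment.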
--- a/logsrvd/logsrvd.h +++ b/logsrvd/logsrvd.h @@ -27,7 +27,11 @@ #include "config.h" #if defined(HAVE_OPENSSL) +# if defined(HAVE_WOLFSSL) +# include +# endif # include +# include #endif #include "logsrv_util.h" diff --git a/logsrvd/logsrvd_relay.c b/logsrvd/logsrvd_relay.c index a68729a3d..abba74e84 100644 --- a/logsrvd/logsrvd_relay.c +++ b/logsrvd/logsrvd_relay.c @@ -44,11 +44,6 @@ #include #include -#if defined(HAVE_OPENSSL) -# include -# include -#endif - #define NEED_INET_NTOP /* to expose sudo_inet_ntop in sudo_compat.h */ #include "sudo_compat.h" @@ -756,11 +751,14 @@ relay_server_msg_cb(int fd, int what, void *v) * message and hope that no actual internal error occurs. */ err = ERR_get_error(); +#if !defined(HAVE_WOLFSSL) if (closure->state == INITIAL && ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) { errstr = _("relay host name does not match certificate"); closure->errstr = errstr; - } else { + } else +#endif + { errstr = ERR_reason_error_string(err); closure->errstr = _("error reading from relay"); } diff --git a/logsrvd/sendlog.c b/logsrvd/sendlog.c index 9c7a91758..f0710563b 100644 --- a/logsrvd/sendlog.c +++ b/logsrvd/sendlog.c @@ -54,11 +54,6 @@ # include "compat/getopt.h" #endif /* HAVE_GETOPT_LONG */ -#if defined(HAVE_OPENSSL) -# include -# include -#endif - #include "sudo_compat.h" #include "sudo_conf.h" #include "sudo_debug.h" @@ -69,8 +64,8 @@ #include "sudo_iolog.h" #include "sudo_util.h" -#include "hostcheck.h" #include "sendlog.h" +#include "hostcheck.h" #if defined(HAVE_OPENSSL) # define TLS_HANDSHAKE_TIMEO_SEC 10 @@ -1334,10 +1329,13 @@ server_msg_cb(int fd, int what, void *v) * message and hope that no actual internal error occurs. */ err = ERR_get_error(); +#if !defined(HAVE_WOLFSSL) if (closure->state == RECV_HELLO && ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) { errstr = "host name does not match certificate"; - } else { + } else +#endif + { errstr = ERR_reason_error_string(err); } sudo_warnx("%s", errstr); 
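Review bot: The new `} else` / `#endif` / `{` sequence splits one `if`/`else` across a preprocessor boundary, which reads badly and also drops the "relay host name does not match certificate" diagnostic under WolfSSL with no explanation of why the `SSL_R_TLSV1_ALERT_INTERNAL_ERROR` test cannot be used there (presumably WolfSSL does not surface a hostname mismatch under that reason code — confirm). The same construct appears in `sendlog.c` (hunk at -1334) and `plugins/sudoers/log_client.c` (hunk at -1744). I would keep the braces balanced inside each `#if` arm and carry the reason in a comment, as below; `relay_server_msg_cb` continues outside the hunk and `errstr` is declared there.
```c
	err = ERR_get_error();
	errstr = NULL;
#if !defined(HAVE_WOLFSSL)
	/*
	 * The hostname-mismatch mapping below relies on OpenSSL's error
	 * reason codes; XXX confirm WolfSSL has no equivalent before
	 * extending it.
	 */
	if (closure->state == INITIAL &&
	    ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
	    errstr = _("relay host name does not match certificate");
	    closure->errstr = errstr;
	}
#endif
	if (errstr == NULL) {
	    errstr = ERR_reason_error_string(err);
	    closure->errstr = _("error reading from relay");
	}
	/* … unchanged: rest of relay_server_msg_cb … */
```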
diff --git a/logsrvd/sendlog.h b/logsrvd/sendlog.h index 005cfd456..49d6f6273 100644 --- a/logsrvd/sendlog.h +++ b/logsrvd/sendlog.h @@ -27,7 +27,11 @@ #include "config.h" #if defined(HAVE_OPENSSL) +# if defined(HAVE_WOLFSSL) +# include +# endif # include +# include #endif #include "logsrv_util.h" diff --git a/logsrvd/tls_client.c b/logsrvd/tls_client.c index d7e5a669b..210ff8b26 100644 --- a/logsrvd/tls_client.c +++ b/logsrvd/tls_client.c @@ -34,11 +34,6 @@ #include #include -#if defined(HAVE_OPENSSL) -# include -# include -#endif - #include "sudo_compat.h" #include "sudo_debug.h" #include "sudo_event.h" @@ -46,9 +41,9 @@ #include "sudo_gettext.h" #include "sudo_util.h" -#include "hostcheck.h" #include "logsrv_util.h" #include "tls_common.h" +#include "hostcheck.h" #if defined(HAVE_OPENSSL) diff --git a/logsrvd/tls_common.h b/logsrvd/tls_common.h index a498d7417..2524037b9 100644 --- a/logsrvd/tls_common.h +++ b/logsrvd/tls_common.h @@ -22,7 +22,11 @@ #include "config.h" #if defined(HAVE_OPENSSL) +# if defined(HAVE_WOLFSSL) +# include +# endif # include +# include struct tls_client_closure { SSL *ssl; diff --git a/logsrvd/tls_init.c b/logsrvd/tls_init.c index c1aec1c4d..244df9742 100644 --- a/logsrvd/tls_init.c +++ b/logsrvd/tls_init.c @@ -33,19 +33,14 @@ #include #include -#if defined(HAVE_OPENSSL) -# include -# include -#endif - #include "sudo_compat.h" #include "sudo_debug.h" #include "sudo_event.h" #include "sudo_fatal.h" #include "sudo_gettext.h" -#include "hostcheck.h" #include "tls_common.h" +#include "hostcheck.h" #define DEFAULT_CIPHER_LST12 "HIGH:!aNULL" #define DEFAULT_CIPHER_LST13 "TLS_AES_256_GCM_SHA384" @@ -82,8 +77,10 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file) goto done; } +#if !defined(HAVE_WOLFSSL) if ((ca_store = SSL_CTX_get_cert_store(ctx)) != NULL) X509_STORE_set_flags(ca_store, X509_V_FLAG_X509_STRICT); +#endif if (!X509_STORE_CTX_init(store_ctx, ca_store, x509, chain_certs)) { errstr = ERR_reason_error_string(ERR_get_error()); 
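Review bot: Wrapping the whole `SSL_CTX_get_cert_store` statement in `#if !defined(HAVE_WOLFSSL)` means `ca_store` is never assigned on the WolfSSL build before `X509_STORE_CTX_init(store_ctx, ca_store, ...)` on the next line, so that call receives whatever `ca_store` was initialised to at the top of `verify_cert_chain` (outside this hunk); if that is NULL the chain is checked against an empty store, and either way strict X.509 checking (`X509_V_FLAG_X509_STRICT`) is silently dropped with no comment recording the weaker verification. Unless WolfSSL's compat layer lacks `SSL_CTX_get_cert_store` itself (please confirm), only the flag should be conditional and the difference should be documented, as below.
```c
	if ((ca_store = SSL_CTX_get_cert_store(ctx)) != NULL) {
#if !defined(HAVE_WOLFSSL)
	    /*
	     * XXX - strict X.509 checking is not enabled with WolfSSL;
	     * confirm whether X509_V_FLAG_X509_STRICT is supported there.
	     */
	    X509_STORE_set_flags(ca_store, X509_V_FLAG_X509_STRICT);
#endif
	}
	/* … unchanged: X509_STORE_CTX_init() and the rest of verify_cert_chain … */
```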
diff --git a/plugins/sudoers/log_client.c b/plugins/sudoers/log_client.c index d0ddaac92..9183390a6 100644 --- a/plugins/sudoers/log_client.c +++ b/plugins/sudoers/log_client.c @@ -49,6 +49,9 @@ #endif #if defined(HAVE_OPENSSL) +# if defined(HAVE_WOLFSSL) +# include +# endif # include # include # include @@ -1744,10 +1747,13 @@ server_msg_cb(int fd, int what, void *v) * message and hope that no actual internal error occurs. */ err = ERR_get_error(); +#if !defined(HAVE_WOLFSSL) if (closure->state == RECV_HELLO && ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) { errstr = "host name does not match certificate"; - } else { + } else +#endif + { errstr = ERR_reason_error_string(err); } sudo_warnx("%s", errstr); diff --git a/plugins/sudoers/log_client.h b/plugins/sudoers/log_client.h index 028cdf71e..769d97d5f 100644 --- a/plugins/sudoers/log_client.h +++ b/plugins/sudoers/log_client.h @@ -21,6 +21,9 @@ #include /* for INET6?_ADDRSTRLEN */ #if defined(HAVE_OPENSSL) +# if defined(HAVE_WOLFSSL) +# include +# endif /* HAVE_WOLFSSL */ # include #endif /* HAVE_OPENSSL */