|
| 1 | +commit 7afa1dc73a768423ec5d3823e62a58c6d0bd4aeb |
| 2 | +Author: Kareem <kareem@wolfssl.com> |
| 3 | +Date: Thu Mar 5 16:34:26 2026 -0700 |
| 4 | + |
| 5 | + Add wolfSSL support to hitch. |
| 6 | + |
| 7 | + To use it, build wolfSSL with: |
| 8 | + ./autogen.sh |
| 9 | + ./configure --enable-hitch |
| 10 | + make |
| 11 | + sudo make install |
| 12 | + |
| 13 | + Then build hitch with: |
| 14 | + patch -p1 < </path/to/patch/file> |
| 15 | + ./bootstrap --with-wolfssl |
| 16 | + make |
| 17 | + make check-recursive |
| 18 | + |
| 19 | + Note that, due to differences between wolfSSL and OpenSSL, hitch tests 13, 15 |
| 20 | + and 39 are expected to fail. Additionally, tests 12 and 41 are currently failing |
| 21 | + in upstream hitch and will fail in the patched version as well. |
| 22 | + |
| 23 | +diff --git a/configure.ac b/configure.ac |
| 24 | +index e95e213..fc88cbe 100644 |
| 25 | +--- a/configure.ac |
| 26 | ++++ b/configure.ac |
| 27 | +@@ -83,8 +83,24 @@ PKG_CHECK_EXISTS([libev], [ |
| 28 | + [AC_MSG_ERROR([Cannot find libev.])]) |
| 29 | + ]) |
| 30 | + |
| 31 | +-PKG_CHECK_MODULES([SSL], [libssl]) |
| 32 | +-PKG_CHECK_MODULES([CRYPTO], [libcrypto]) |
| 33 | ++AC_ARG_WITH([wolfssl], |
| 34 | ++ AS_HELP_STRING([--with-wolfssl], [Build with wolfssl]), |
| 35 | ++ [ |
| 36 | ++ if test "$withval" = yes |
| 37 | ++ then |
| 38 | ++ wolfssl_path=/usr/local |
| 39 | ++ else |
| 40 | ++ wolfssl_path=$withval |
| 41 | ++ fi |
| 42 | ++ ], [with_wolfssl=no]) |
| 43 | ++ |
| 44 | ++if test "$with_wolfssl" != no |
| 45 | ++then |
| 46 | ++ PKG_CHECK_MODULES([SSL], [wolfssl]) |
| 47 | ++else |
| 48 | ++ PKG_CHECK_MODULES([SSL], [libssl]) |
| 49 | ++ PKG_CHECK_MODULES([CRYPTO], [libcrypto]) |
| 50 | ++fi |
| 51 | + HITCH_SEARCH_LIBS([SOCKET], [socket], [socket]) |
| 52 | + HITCH_SEARCH_LIBS([NSL], [nsl], [inet_ntop]) |
| 53 | + HITCH_SEARCH_LIBS([RT], [rt], [clock_gettime]) |
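Review bot: With `--with-wolfssl=/some/prefix` the prefix is stored in `wolfssl_path`, but `PKG_CHECK_MODULES([SSL], [wolfssl])` still resolves the library through pkg-config's default search path. The link flags can therefore come from a different wolfSSL install than the headers the next hunk adds with `-I$wolfssl_path/include`. A header/library mismatch in the TLS library is easy to miss at build time, so the two should be tied together. For example, set `PKG_CONFIG_PATH="$wolfssl_path/lib/pkgconfig:$PKG_CONFIG_PATH"; export PKG_CONFIG_PATH` before the check, or take the include flags from `$SSL_CFLAGS` rather than from a separate path. Note also that `--with-wolfssl=no` leaves `wolfssl_path=no`, which is harmless only because the wolfSSL branch is skipped.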
| 54 | +@@ -197,51 +213,75 @@ fi |
| 55 | + AC_CHECK_HEADERS([linux/futex.h]) |
| 56 | + AM_CONDITIONAL([HAVE_LINUX_FUTEX], [test $ac_cv_header_linux_futex_h = yes]) |
| 57 | + |
| 58 | +-HITCH_CHECK_FUNC([SSL_get0_alpn_selected], [$SSL_LIBS], [ |
| 59 | +- AC_DEFINE([OPENSSL_WITH_ALPN], [1], [OpenSSL supports ALPN]) |
| 60 | +-]) |
| 61 | ++if test "$with_wolfssl" != no |
| 62 | ++then |
| 63 | ++ AC_DEFINE([WITH_WOLFSSL], [1], [Hitch is being built with wolfSSL]) |
| 64 | ++ AC_DEFINE([HAVE_TLS_1_3], [1], [Define to 1 if TLSv1.3 is available]) |
| 65 | ++ AC_DEFINE([OPENSSL_WITH_ALPN], [1], [wolfSSL supports ALPN]) |
| 66 | ++ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], |
| 67 | ++ [wolfSSL has SSL_CTX_get_default_passwd_cb()]) |
| 68 | ++ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], |
| 69 | ++ [wolfSSL has SSL_CTX_get_default_passwd_cb_userdata()]) |
| 70 | ++ AC_DEFINE([OPENSSL_WITH_LOCKS], [1], [wolfSSL needs explicit locking]) |
| 71 | ++ AC_DEFINE([HAVE_X509_NAME_ENTRY_GET_DATA], [1], |
| 72 | ++ [wolfSSL has X509_NAME_ENTRY_get_data()]) |
| 73 | ++ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], |
| 74 | ++ [wolfSSL has X509_STORE_get0_objects()]) |
| 75 | ++ AC_DEFINE([HAVE_X509_OBJECT_GET0_X509], [1], |
| 76 | ++ [wolfSSL has X509_OBJECT_get0_X509()]) |
| 77 | + |
| 78 | +-HITCH_CHECK_FUNC([SSL_get0_next_proto_negotiated], [$SSL_LIBS], [ |
| 79 | +- AC_DEFINE([OPENSSL_WITH_NPN], [1], [OpenSSL supports NPN]) |
| 80 | +-]) |
| 81 | ++ HITCH_CHECK_FLAGS([HITCH_CFLAGS], [ |
| 82 | ++ -I$wolfssl_path/include, |
| 83 | ++ -I$wolfssl_path/include/wolfssl, |
| 84 | ++ -DEXTERNAL_OPTS_OPENVPN |
| 85 | ++ ]) |
| 86 | ++else |
| 87 | ++ HITCH_CHECK_FUNC([SSL_get0_alpn_selected], [$SSL_LIBS], [ |
| 88 | ++ AC_DEFINE([OPENSSL_WITH_ALPN], [1], [OpenSSL supports ALPN]) |
| 89 | ++ ]) |
| 90 | + |
| 91 | +-HITCH_CHECK_FUNC([SSL_CTX_get_default_passwd_cb], [$SSL_LIBS], [ |
| 92 | +- AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], |
| 93 | +- [OpenSSL has SSL_CTX_get_default_passwd_cb()]) |
| 94 | +-]) |
| 95 | ++ HITCH_CHECK_FUNC([SSL_get0_next_proto_negotiated], [$SSL_LIBS], [ |
| 96 | ++ AC_DEFINE([OPENSSL_WITH_NPN], [1], [OpenSSL supports NPN]) |
| 97 | ++ ]) |
| 98 | + |
| 99 | +-HITCH_CHECK_FUNC([SSL_CTX_get_default_passwd_cb_userdata], [$SSL_LIBS], [ |
| 100 | +- AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], |
| 101 | +- [OpenSSL has SSL_CTX_get_default_passwd_cb_userdata()]) |
| 102 | +-]) |
| 103 | ++ HITCH_CHECK_FUNC([SSL_CTX_get_default_passwd_cb], [$SSL_LIBS], [ |
| 104 | ++ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB], [1], |
| 105 | ++ [OpenSSL has SSL_CTX_get_default_passwd_cb()]) |
| 106 | ++ ]) |
| 107 | + |
| 108 | +-HITCH_CHECK_FUNC([CRYPTO_get_locking_callback], [$CRYPTO_LIBS], [ |
| 109 | +- AC_DEFINE([OPENSSL_WITH_LOCKS], [1], [OpenSSL needs explicit locking]) |
| 110 | +-]) |
| 111 | ++ HITCH_CHECK_FUNC([SSL_CTX_get_default_passwd_cb_userdata], [$SSL_LIBS], [ |
| 112 | ++ AC_DEFINE([HAVE_SSL_CTX_GET_DEFAULT_PASSWD_CB_USERDATA], [1], |
| 113 | ++ [OpenSSL has SSL_CTX_get_default_passwd_cb_userdata()]) |
| 114 | ++ ]) |
| 115 | + |
| 116 | +-HITCH_CHECK_FUNC([X509_NAME_ENTRY_get_data], [$CRYPTO_LIBS], [ |
| 117 | +- AC_DEFINE([HAVE_X509_NAME_ENTRY_GET_DATA], [1], |
| 118 | +- [OpenSSL has X509_NAME_ENTRY_get_data()]) |
| 119 | +-]) |
| 120 | ++ HITCH_CHECK_FUNC([CRYPTO_get_locking_callback], [$CRYPTO_LIBS], [ |
| 121 | ++ AC_DEFINE([OPENSSL_WITH_LOCKS], [1], [OpenSSL needs explicit locking]) |
| 122 | ++ ]) |
| 123 | + |
| 124 | +-HITCH_CHECK_FUNC([X509_STORE_get0_objects], [$CRYPTO_LIBS], [ |
| 125 | +- AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], |
| 126 | +- [OpenSSL has X509_STORE_get0_objects()]) |
| 127 | +-]) |
| 128 | ++ HITCH_CHECK_FUNC([X509_NAME_ENTRY_get_data], [$CRYPTO_LIBS], [ |
| 129 | ++ AC_DEFINE([HAVE_X509_NAME_ENTRY_GET_DATA], [1], |
| 130 | ++ [OpenSSL has X509_NAME_ENTRY_get_data()]) |
| 131 | ++ ]) |
| 132 | + |
| 133 | +-HITCH_CHECK_FUNC([X509_OBJECT_get0_X509], [$CRYPTO_LIBS], [ |
| 134 | +- AC_DEFINE([HAVE_X509_OBJECT_GET0_X509], [1], |
| 135 | +- [OpenSSL has X509_OBJECT_get0_X509()]) |
| 136 | +-]) |
| 137 | ++ HITCH_CHECK_FUNC([X509_STORE_get0_objects], [$CRYPTO_LIBS], [ |
| 138 | ++ AC_DEFINE([HAVE_X509_STORE_GET0_OBJECTS], [1], |
| 139 | ++ [OpenSSL has X509_STORE_get0_objects()]) |
| 140 | ++ ]) |
| 141 | ++ |
| 142 | ++ HITCH_CHECK_FUNC([X509_OBJECT_get0_X509], [$CRYPTO_LIBS], [ |
| 143 | ++ AC_DEFINE([HAVE_X509_OBJECT_GET0_X509], [1], |
| 144 | ++ [OpenSSL has X509_OBJECT_get0_X509()]) |
| 145 | ++ ]) |
| 146 | + |
| 147 | +-AC_CHECK_MEMBERS([struct ssl_st.s3], [], [], [[#include <openssl/ssl.h>]]) |
| 148 | ++ AC_CHECK_MEMBERS([struct ssl_st.s3], [], [], [[#include <openssl/ssl.h>]]) |
| 149 | + |
| 150 | +-AS_VERSION_COMPARE([$($PKG_CONFIG --modversion openssl)], [1.1.1], |
| 151 | +- [openssl111=no], |
| 152 | +- [openssl111=yes], [openssl111=yes]) |
| 153 | ++ AS_VERSION_COMPARE([$($PKG_CONFIG --modversion openssl)], [1.1.1], |
| 154 | ++ [openssl111=no], |
| 155 | ++ [openssl111=yes], [openssl111=yes]) |
| 156 | + |
| 157 | +-AS_IF([test "x$openssl111" = xyes], |
| 158 | +- [AC_DEFINE([HAVE_TLS_1_3], [1], [Define to 1 if TLSv1.3 is available])], []) |
| 159 | ++ AS_IF([test "x$openssl111" = xyes], |
| 160 | ++ [AC_DEFINE([HAVE_TLS_1_3], [1], [Define to 1 if TLSv1.3 is available])], []) |
| 161 | ++fi |
| 162 | + |
| 163 | + SH_TESTS="$(cd $srcdir/src && echo tests/test*.sh)" |
| 164 | + AC_SUBST(SH_TESTS) |
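Review bot: In the wolfSSL branch every capability macro (`HAVE_TLS_1_3`, `OPENSSL_WITH_ALPN`, `OPENSSL_WITH_LOCKS`, the passwd-callback and `HAVE_X509_*` ones) is defined unconditionally, while the OpenSSL branch probes each with `HITCH_CHECK_FUNC`. A wolfSSL installed without `--enable-hitch`, or an older release, would pass configure and fail only at compile or link time, or build with a feature hitch wrongly believes is present. A minimum-version constraint in the earlier check would make the assumption explicit: `PKG_CHECK_MODULES([SSL], [wolfssl >= MIN_VERSION])`, where MIN_VERSION is a placeholder for the first release that supports `--enable-hitch`. So would a comment such as `# wolfSSL: capabilities below are asserted, not probed; requires a build configured with --enable-hitch`. `-DEXTERNAL_OPTS_OPENVPN` also deserves a one-line comment saying why an OpenVPN-named macro is needed in a hitch build.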
| 165 | +diff --git a/src/hitch.c b/src/hitch.c |
| 166 | +index a499c98..8f4da3a 100644 |
| 167 | +--- a/src/hitch.c |
| 168 | ++++ b/src/hitch.c |
| 169 | +@@ -1332,6 +1332,7 @@ init_openssl(void) |
| 170 | + SSL_load_error_strings(); |
| 171 | + OpenSSL_add_all_digests(); |
| 172 | + |
| 173 | ++#ifndef WITH_WOLFSSL |
| 174 | + if (CONFIG->ENGINE) { |
| 175 | + ENGINE *e = NULL; |
| 176 | + ENGINE_load_builtin_engines(); |
| 177 | +@@ -1352,6 +1353,7 @@ init_openssl(void) |
| 178 | + ENGINE_free(e); |
| 179 | + } |
| 180 | + } |
| 181 | ++#endif |
| 182 | + } |
| 183 | + |
| 184 | + static void |
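Review bot: Compiling the ENGINE block out under `WITH_WOLFSSL` means a configured `CONFIG->ENGINE` is silently ignored in wolfSSL builds. An operator who set it, presumably to keep private-key operations in a hardware engine, gets no indication that it has no effect. Before the `#endif` added in this hunk, an `#else` branch could refuse to start: `#else` followed by `if (CONFIG->ENGINE) { fprintf(stderr, "engine is not supported in wolfSSL builds\n"); exit(1); }`. The matching `#ifndef` is in the previous hunk, and the body of init_openssl starts outside both hunks.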
| 185 | +@@ -2041,7 +2043,7 @@ proxy_tlv_cert(struct proxystate *ps, char *dst, ssize_t dstlen) |
| 186 | + { |
| 187 | + X509 *crt; |
| 188 | + BIO *bio; |
| 189 | +- struct buf_mem_st bm[1]; |
| 190 | ++ BUF_MEM bm[1]; |
| 191 | + |
| 192 | + crt = SSL_get_peer_certificate(ps->ssl); |
| 193 | + if (crt == NULL) |