Add support for WolfSSL's OpenSSL compatibility layer.

Based on changes from Hayden Roche

INSTALL

@@ -643,6 +643,11 @@ Authentication options:
         to be used instead.  This makes it possible to link with
         the OpenSSL 3.0 package on OpenBSD.  Defaults to "%s".
 
+  --enable-wolfssl[=DIR]
+        Use WolfSSL's TLS and SHA-2 message digest functions.  If
+        specified, DIR should contain the OpenSSL include and lib
+        directories.
+
 Development options:
   --enable-env-debug
         Enable debugging of the environment setting functions.  This

config.h.in

@@ -1009,6 +1009,9 @@
 /* Define to 1 if you have the <wchar.h> header file. */
 #undef HAVE_WCHAR_H
 
+/* Define to 1 if you are using WolfSSL's TLS and sha2 functions. */
+#undef HAVE_WOLFSSL
+
 /* Define to 1 if you have the `wordexp' function. */
 #undef HAVE_WORDEXP
 

configure

@@ -1045,6 +1045,7 @@ enable_log_server
 enable_log_client
 enable_openssl
 enable_openssl_pkgconfig_template
+enable_wolfssl
 enable_gcrypt
 enable_python
 enable_shared
@@ -1763,6 +1764,7 @@ Optional Features:
   --enable-openssl-pkgconfig-template
                           A printf format string used to construct the OpenSSL
                           pkg-config name
+  --enable-wolfssl        Use WolfSSL's TLS and sha2 functions
   --enable-gcrypt         Use GNU crypt's sha2 functions
   --enable-python         Compile python plugin support
   --enable-shared[=PKGS]  build shared libraries [default=yes]
@@ -6985,13 +6987,22 @@ else $as_nop
 fi
 
 
+# Check whether --enable-wolfssl was given.
+if test ${enable_wolfssl+y}
+then :
+  enableval=$enable_wolfssl;
+    enable_openssl=no
+
+fi
+
+
 # Check whether --enable-gcrypt was given.
 if test ${enable_gcrypt+y}
 then :
   enableval=$enable_gcrypt;
-    if test "${enable_openssl-no}" != no; then
+    if test "${enable_openssl-no}${enable_wolfssl-no}" != "nono"; then
-	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: ignoring --enable-gcrypt when OpenSSL is enabled." >&5
+	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: ignoring --enable-gcrypt when OpenSSL or WolfSSL is enabled." >&5
-printf "%s\n" "$as_me: WARNING: ignoring --enable-gcrypt when OpenSSL is enabled." >&2;}
+printf "%s\n" "$as_me: WARNING: ignoring --enable-gcrypt when OpenSSL or WolfSSL is enabled." >&2;}
 	enable_gcrypt=no
     fi
 
@@ -24313,6 +24324,655 @@ fi
 
     fi
 fi
+if test "${enable_wolfssl-no}" != no; then
+    # Use pkg-config to find the wolfssl cflags and libs if possible.
+    if test "$enable_wolfssl" != "yes"; then
+	PKG_CONFIG_LIBDIR="${enable_wolfssl}/lib/pkgconfig:${enable_wolfssl}/lib64/pkgconfig:${enable_wolfssl}/share/pkgconfig"
+	export PKG_CONFIG_LIBDIR
+    elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then
+	# Cannot use pkg-config when cross-compiling
+	PKG_CONFIG=false
+    fi
+    : ${PKG_CONFIG='pkg-config'}
+    if $PKG_CONFIG --exists wolfssl >/dev/null 2>&1; then
+	printf "%s\n" "#define HAVE_OPENSSL 1" >>confdefs.h
+
+	printf "%s\n" "#define HAVE_WOLFSSL 1" >>confdefs.h
+
+
+	O_CPPFLAGS="$CPPFLAGS"
+	CPPFLAGS="$CPPFLAGS `$PKG_CONFIG --cflags-only-I wolfssl`"
+	O_LDFLAGS="$LDFLAGS"
+	LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L wolfssl`"
+
+	# Check whether --static is needed
+	libssl="`$PKG_CONFIG --libs-only-l wolfssl | sed 's/^ *-l//'`"
+	libssl_extra=`echo $libssl | sed 's/^[^ ]* *//'`
+	libssl=`echo $libssl | sed 's/ .*//'`
+	as_ac_Lib=`printf "%s\n" "ac_cv_lib_$libssl''_wolfSSL_new$libssl_extra" | $as_tr_sh`
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for wolfSSL_new in -l$libssl" >&5
+printf %s "checking for wolfSSL_new in -l$libssl... " >&6; }
+if eval test \${$as_ac_Lib+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-l$libssl $libssl_extra $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+char wolfSSL_new ();
+int
+main (void)
+{
+return wolfSSL_new ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"
+then :
+  eval "$as_ac_Lib=yes"
+else $as_nop
+  eval "$as_ac_Lib=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+eval ac_res=\$$as_ac_Lib
+	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+printf "%s\n" "$ac_res" >&6; }
+if eval test \"x\$"$as_ac_Lib"\" = x"yes"
+then :
+  STATIC=""
+else $as_nop
+  STATIC="--static"
+fi
+
+
+	# Use WolfSSL's sha2 functions if possible
+	ac_fn_check_decl "$LINENO" "EVP_MD_CTX_new" "ac_cv_have_decl_EVP_MD_CTX_new" "
+	    $ac_includes_default
+	    #include <wolfssl/options.h>
+	    #include <wolfssl/openssl/evp.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_EVP_MD_CTX_new" = xyes
+then :
+  DIGEST=digest_openssl.lo
+fi
+	CPPFLAGS="$O_CPPFLAGS"
+	LDFLAGS="$O_LDFLAGS"
+
+	# Use pkg-config to determine WolfSSL libs and cflags
+	for f in `$PKG_CONFIG $STATIC --libs wolfssl`; do
+	    case "$f" in
+		-L*)
+		    f="${f#-L}"
+
+
+if test ${LIBTLS+y}
+then :
+
+  case " $LIBTLS " in #(
+  *" -L$f "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS already contains -L\$f"; } >&5
+  (: LIBTLS already contains -L$f) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append LIBTLS " -L$f"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
+  (: LIBTLS="$LIBTLS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  LIBTLS=-L$f
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
+  (: LIBTLS="$LIBTLS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+    if test X"$enable_rpath" = X"yes"; then
+
+if test ${LIBTLS_R+y}
+then :
+
+  case " $LIBTLS_R " in #(
+  *" -R$f "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R already contains -R\$f"; } >&5
+  (: LIBTLS_R already contains -R$f) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append LIBTLS_R " -R$f"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5
+  (: LIBTLS_R="$LIBTLS_R") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  LIBTLS_R=-R$f
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5
+  (: LIBTLS_R="$LIBTLS_R") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+    fi
+
+		    ;;
+		*)
+
+if test ${LIBTLS+y}
+then :
+
+  case " $LIBTLS " in #(
+  *" $f "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS already contains \$f"; } >&5
+  (: LIBTLS already contains $f) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append LIBTLS " $f"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
+  (: LIBTLS="$LIBTLS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  LIBTLS=$f
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
+  (: LIBTLS="$LIBTLS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+		    ;;
+	    esac
+	done
+	# No separate pkg config for libcrypto
+	LIBCRYPTO="$LIBTLS"
+	LIBCRYPTO_R="$LIBTLS_R"
+	for f in `$PKG_CONFIG --cflags-only-I wolfssl`; do
+
+if test ${CPPFLAGS+y}
+then :
+
+  case " $CPPFLAGS " in #(
+  *" $f "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains \$f"; } >&5
+  (: CPPFLAGS already contains $f) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append CPPFLAGS " $f"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  CPPFLAGS=$f
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+	    # So we find the openssl compat headers under wolfssl
+
+if test ${CPPFLAGS+y}
+then :
+
+  case " $CPPFLAGS " in #(
+  *" $f/wolfssl "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains \$f/wolfssl"; } >&5
+  (: CPPFLAGS already contains $f/wolfssl) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append CPPFLAGS " $f/wolfssl"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  CPPFLAGS=$f/wolfssl
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+	done
+	if test "$CPPFLAGS" = "$O_CPPFLAGS"; then
+	    # So we find the openssl compat headers under wolfssl (XXX)
+
+if test ${CPPFLAGS+y}
+then :
+
+  case " $CPPFLAGS " in #(
+  *" -I/usr/include/wolfssl "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I/usr/include/wolfssl"; } >&5
+  (: CPPFLAGS already contains -I/usr/include/wolfssl) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append CPPFLAGS " -I/usr/include/wolfssl"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  CPPFLAGS=-I/usr/include/wolfssl
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+	fi
+    else
+	printf "%s\n" "#define HAVE_OPENSSL 1" >>confdefs.h
+
+	printf "%s\n" "#define HAVE_WOLFSSL 1" >>confdefs.h
+
+
+	# No pkg-config file present, try to do it manually
+	if test "$enable_wolfssl" != "yes"; then
+
+
+if test ${LIBCRYPTO+y}
+then :
+
+  case " $LIBCRYPTO " in #(
+  *" -L${enable_wolfssl}/lib "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO already contains -L\${enable_wolfssl}/lib"; } >&5
+  (: LIBCRYPTO already contains -L${enable_wolfssl}/lib) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append LIBCRYPTO " -L${enable_wolfssl}/lib"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO=\"\$LIBCRYPTO\""; } >&5
+  (: LIBCRYPTO="$LIBCRYPTO") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  LIBCRYPTO=-L${enable_wolfssl}/lib
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO=\"\$LIBCRYPTO\""; } >&5
+  (: LIBCRYPTO="$LIBCRYPTO") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+    if test X"$enable_rpath" = X"yes"; then
+
+if test ${LIBCRYPTO_R+y}
+then :
+
+  case " $LIBCRYPTO_R " in #(
+  *" -R${enable_wolfssl}/lib "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO_R already contains -R\${enable_wolfssl}/lib"; } >&5
+  (: LIBCRYPTO_R already contains -R${enable_wolfssl}/lib) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append LIBCRYPTO_R " -R${enable_wolfssl}/lib"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO_R=\"\$LIBCRYPTO_R\""; } >&5
+  (: LIBCRYPTO_R="$LIBCRYPTO_R") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  LIBCRYPTO_R=-R${enable_wolfssl}/lib
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO_R=\"\$LIBCRYPTO_R\""; } >&5
+  (: LIBCRYPTO_R="$LIBCRYPTO_R") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+    fi
+
+
+
+if test ${LIBTLS+y}
+then :
+
+  case " $LIBTLS " in #(
+  *" -L${enable_wolfssl}/lib "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS already contains -L\${enable_wolfssl}/lib"; } >&5
+  (: LIBTLS already contains -L${enable_wolfssl}/lib) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append LIBTLS " -L${enable_wolfssl}/lib"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
+  (: LIBTLS="$LIBTLS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  LIBTLS=-L${enable_wolfssl}/lib
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
+  (: LIBTLS="$LIBTLS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+    if test X"$enable_rpath" = X"yes"; then
+
+if test ${LIBTLS_R+y}
+then :
+
+  case " $LIBTLS_R " in #(
+  *" -R${enable_wolfssl}/lib "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R already contains -R\${enable_wolfssl}/lib"; } >&5
+  (: LIBTLS_R already contains -R${enable_wolfssl}/lib) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append LIBTLS_R " -R${enable_wolfssl}/lib"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5
+  (: LIBTLS_R="$LIBTLS_R") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  LIBTLS_R=-R${enable_wolfssl}/lib
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5
+  (: LIBTLS_R="$LIBTLS_R") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+    fi
+
+
+if test ${CPPFLAGS+y}
+then :
+
+  case " $CPPFLAGS " in #(
+  *" -I${enable_wolfssl}/include "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enable_wolfssl}/include"; } >&5
+  (: CPPFLAGS already contains -I${enable_wolfssl}/include) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append CPPFLAGS " -I${enable_wolfssl}/include"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  CPPFLAGS=-I${enable_wolfssl}/include
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+	    # So we find the openssl compat headers under wolfssl
+
+if test ${CPPFLAGS+y}
+then :
+
+  case " $CPPFLAGS " in #(
+  *" -I${enable_wolfssl}/include/wolfssl "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enable_wolfssl}/include/wolfssl"; } >&5
+  (: CPPFLAGS already contains -I${enable_wolfssl}/include/wolfssl) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append CPPFLAGS " -I${enable_wolfssl}/include/wolfssl"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  CPPFLAGS=-I${enable_wolfssl}/include/wolfssl
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+	else
+	    # So we find the openssl compat headers under wolfssl (XXX)
+
+if test ${CPPFLAGS+y}
+then :
+
+  case " $CPPFLAGS " in #(
+  *" -I/usr/include/wolfssl "*) :
+    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I/usr/include/wolfssl"; } >&5
+  (: CPPFLAGS already contains -I/usr/include/wolfssl) 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; } ;; #(
+  *) :
+
+     as_fn_append CPPFLAGS " -I/usr/include/wolfssl"
+     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+     ;;
+esac
+
+else $as_nop
+
+  CPPFLAGS=-I/usr/include/wolfssl
+  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
+  (: CPPFLAGS="$CPPFLAGS") 2>&5
+  ac_status=$?
+  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+  test $ac_status = 0; }
+
+fi
+
+	fi
+	LIBTLS="${LIBTLS} -lwolfssl"
+	LIBCRYPTO="${LIBCRYPTO} -lwolfssl"
+
+	# Use WolfSSL's sha2 functions if possible
+	ac_fn_check_decl "$LINENO" "EVP_MD_CTX_new" "ac_cv_have_decl_EVP_MD_CTX_new" "
+	    $ac_includes_default
+	    #include <wolfssl/options.h>
+	    #include <wolfssl/openssl/evp.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_EVP_MD_CTX_new" = xyes
+then :
+  DIGEST=digest_openssl.lo
+fi
+    fi
+                ac_fn_check_decl "$LINENO" "X509_STORE_CTX_get0_cert" "ac_cv_have_decl_X509_STORE_CTX_get0_cert" "
+	$ac_includes_default
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/x509.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_X509_STORE_CTX_get0_cert" = xyes
+then :
+  printf "%s\n" "#define HAVE_X509_STORE_CTX_GET0_CERT 1" >>confdefs.h
+
+fi
+    ac_fn_check_decl "$LINENO" "ASN1_STRING_get0_data" "ac_cv_have_decl_ASN1_STRING_get0_data" "
+	$ac_includes_default
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/asn1.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_ASN1_STRING_get0_data" = xyes
+then :
+  printf "%s\n" "#define HAVE_ASN1_STRING_GET0_DATA 1" >>confdefs.h
+
+fi
+    ac_fn_check_decl "$LINENO" "SSL_CTX_get0_certificate" "ac_cv_have_decl_SSL_CTX_get0_certificate" "
+	$ac_includes_default
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/ssl.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_SSL_CTX_get0_certificate" = xyes
+then :
+  printf "%s\n" "#define HAVE_SSL_CTX_GET0_CERTIFICATE 1" >>confdefs.h
+
+fi
+    ac_fn_check_decl "$LINENO" "SSL_CTX_set0_tmp_dh_pkey" "ac_cv_have_decl_SSL_CTX_set0_tmp_dh_pkey" "
+	$ac_includes_default
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/ssl.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_SSL_CTX_set0_tmp_dh_pkey" = xyes
+then :
+  printf "%s\n" "#define HAVE_SSL_CTX_SET0_TMP_DH_PKEY 1" >>confdefs.h
+
+fi
+    ac_fn_check_decl "$LINENO" "TLS_method" "ac_cv_have_decl_TLS_method" "
+	$ac_includes_default
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/ssl.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_TLS_method" = xyes
+then :
+  printf "%s\n" "#define HAVE_TLS_METHOD 1" >>confdefs.h
+
+fi
+    ac_fn_check_decl "$LINENO" "SSL_CTX_set_min_proto_version" "ac_cv_have_decl_SSL_CTX_set_min_proto_version" "
+	$ac_includes_default
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/ssl.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_SSL_CTX_set_min_proto_version" = xyes
+then :
+  printf "%s\n" "#define HAVE_SSL_CTX_SET_MIN_PROTO_VERSION 1" >>confdefs.h
+
+fi
+    ac_fn_check_decl "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_have_decl_SSL_CTX_set_ciphersuites" "
+	$ac_includes_default
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/ssl.h>
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_SSL_CTX_set_ciphersuites" = xyes
+then :
+  printf "%s\n" "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h
+
+fi
+fi
 if test "$DIGEST" = "digest.lo"; then
     FOUND_SHA2=no
     ac_fn_c_check_header_compile "$LINENO" "sha2.h" "ac_cv_header_sha2_h" "$ac_includes_default"
@@ -33631,6 +34291,9 @@ printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2
 fi
 
 
+if test ${LIBTLS+y}; then
+    have_tls=yes
+fi
 echo "" >&6
 echo "Configured Sudo version $PACKAGE_VERSION" >&6
 echo " Compiler settings:" >&6
@@ -33662,7 +34325,7 @@ fi
 echo " Optional features:" >&6
 echo "  log client			: ${enable_log_client-yes}" >&6
 echo "  log server			: ${enable_log_server-yes}" >&6
-echo "  log client/server TLS		: ${enable_openssl-no}" >&6
+echo "  log client/server TLS		: ${have_tls-no}" >&6
 case "$host_os" in
     linux*) echo "  SELinux RBAC			: ${with_selinux-yes}" >&6;;
 esac
@@ -33940,5 +34603,6 @@ fi
 
 
 
+
 
 

configure.ac

@@ -1561,7 +1561,7 @@ if test X"$LOGSRVD_SRC" != X""; then
 fi
 
 dnl
-dnl Do OpenSSL / gcrypt after logsrv options
+dnl Do OpenSSL / WolfSSL / gcrypt after logsrv options
 dnl
 AC_ARG_ENABLE(openssl,
 [AS_HELP_STRING([--enable-openssl], [Use OpenSSL's TLS and sha2 functions])],
@@ -1575,10 +1575,15 @@ AC_ARG_ENABLE(openssl-pkgconfig-template,
 [AS_HELP_STRING([--enable-openssl-pkgconfig-template], [A printf format string used to construct the OpenSSL pkg-config name])],
 [], [enable_openssl_pkgconfig_template="%s"])
 
+AC_ARG_ENABLE(wolfssl,
+[AS_HELP_STRING([--enable-wolfssl], [Use WolfSSL's TLS and sha2 functions])], [
+    enable_openssl=no
+])
+
 AC_ARG_ENABLE(gcrypt,
 [AS_HELP_STRING([--enable-gcrypt], [Use GNU crypt's sha2 functions])], [
-    if test "${enable_openssl-no}" != no; then
+    if test "${enable_openssl-no}${enable_wolfssl-no}" != "nono"; then
-	AC_MSG_WARN([ignoring --enable-gcrypt when OpenSSL is enabled.])
+	AC_MSG_WARN([ignoring --enable-gcrypt when OpenSSL or WolfSSL is enabled.])
 	enable_gcrypt=no
     fi
 ])
@@ -3102,7 +3107,132 @@ elif test "${enable_gcrypt-no}" != no; then
     fi
 fi
 dnl
-dnl Check for sha2 functions if not using openssl or gcrypt
+dnl Check for OpenSSL compatibility functions in WolfSSL
+dnl
+if test "${enable_wolfssl-no}" != no; then
+    # Use pkg-config to find the wolfssl cflags and libs if possible.
+    if test "$enable_wolfssl" != "yes"; then
+	PKG_CONFIG_LIBDIR="${enable_wolfssl}/lib/pkgconfig:${enable_wolfssl}/lib64/pkgconfig:${enable_wolfssl}/share/pkgconfig"
+	export PKG_CONFIG_LIBDIR
+    elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then
+	# Cannot use pkg-config when cross-compiling
+	PKG_CONFIG=false
+    fi
+    : ${PKG_CONFIG='pkg-config'}
+    if $PKG_CONFIG --exists wolfssl >/dev/null 2>&1; then
+	AC_DEFINE(HAVE_OPENSSL)
+	AC_DEFINE(HAVE_WOLFSSL)
+
+	O_CPPFLAGS="$CPPFLAGS"
+	CPPFLAGS="$CPPFLAGS `$PKG_CONFIG --cflags-only-I wolfssl`"
+	O_LDFLAGS="$LDFLAGS"
+	LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L wolfssl`"
+
+	# Check whether --static is needed
+	libssl="`$PKG_CONFIG --libs-only-l wolfssl | sed 's/^ *-l//'`"
+	libssl_extra=`echo $libssl | sed 's/^[[^ ]]* *//'`
+	libssl=`echo $libssl | sed 's/ .*//'`
+	AC_CHECK_LIB($libssl, wolfSSL_new, [STATIC=""], [STATIC="--static"], [$libssl_extra])
+
+	# Use WolfSSL's sha2 functions if possible
+	AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [
+	    AC_INCLUDES_DEFAULT
+	    #include <wolfssl/options.h>
+	    #include <wolfssl/openssl/evp.h>
+	])
+	CPPFLAGS="$O_CPPFLAGS"
+	LDFLAGS="$O_LDFLAGS"
+
+	# Use pkg-config to determine WolfSSL libs and cflags
+	for f in `$PKG_CONFIG $STATIC --libs wolfssl`; do
+	    case "$f" in
+		-L*)
+		    f="${f#-L}"
+		    SUDO_APPEND_LIBPATH([LIBTLS], [$f])
+		    ;;
+		*)
+		    AX_APPEND_FLAG([$f], [LIBTLS])
+		    ;;
+	    esac
+	done
+	# No separate pkg config for libcrypto
+	LIBCRYPTO="$LIBTLS"
+	LIBCRYPTO_R="$LIBTLS_R"
+	for f in `$PKG_CONFIG --cflags-only-I wolfssl`; do
+	    AX_APPEND_FLAG([$f], [CPPFLAGS])
+	    # So we find the openssl compat headers under wolfssl
+	    AX_APPEND_FLAG([$f/wolfssl], [CPPFLAGS])
+	done
+	if test "$CPPFLAGS" = "$O_CPPFLAGS"; then
+	    # So we find the openssl compat headers under wolfssl (XXX)
+	    AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS])
+	fi
+    else
+	AC_DEFINE(HAVE_OPENSSL)
+	AC_DEFINE(HAVE_WOLFSSL)
+
+	# No pkg-config file present, try to do it manually
+	if test "$enable_wolfssl" != "yes"; then
+	    SUDO_APPEND_LIBPATH(LIBCRYPTO, [${enable_wolfssl}/lib])
+	    SUDO_APPEND_LIBPATH(LIBTLS, [${enable_wolfssl}/lib])
+	    AX_APPEND_FLAG([-I${enable_wolfssl}/include], [CPPFLAGS])
+	    # So we find the openssl compat headers under wolfssl
+	    AX_APPEND_FLAG([-I${enable_wolfssl}/include/wolfssl], [CPPFLAGS])
+	else
+	    # So we find the openssl compat headers under wolfssl (XXX)
+	    AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS])
+	fi
+	LIBTLS="${LIBTLS} -lwolfssl"
+	LIBCRYPTO="${LIBCRYPTO} -lwolfssl"
+
+	# Use WolfSSL's sha2 functions if possible
+	AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [
+	    AC_INCLUDES_DEFAULT
+	    #include <wolfssl/options.h>
+	    #include <wolfssl/openssl/evp.h>
+	])
+    fi
+    dnl
+    dnl Check for specific OpenSSL API compatibility macros
+    dnl
+    AC_CHECK_DECL([X509_STORE_CTX_get0_cert], [AC_DEFINE(HAVE_X509_STORE_CTX_GET0_CERT)], [], [
+	AC_INCLUDES_DEFAULT
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/x509.h>
+    ])
+    AC_CHECK_DECL([ASN1_STRING_get0_data], [AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA)], [], [
+	AC_INCLUDES_DEFAULT
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/asn1.h>
+    ])
+    AC_CHECK_DECL([SSL_CTX_get0_certificate], [AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE)], [], [
+	AC_INCLUDES_DEFAULT
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/ssl.h>
+    ])
+    AC_CHECK_DECL([SSL_CTX_set0_tmp_dh_pkey], [AC_DEFINE(HAVE_SSL_CTX_SET0_TMP_DH_PKEY)], [], [
+	AC_INCLUDES_DEFAULT
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/ssl.h>
+    ])
+    AC_CHECK_DECL([TLS_method], [AC_DEFINE(HAVE_TLS_METHOD)], [], [
+	AC_INCLUDES_DEFAULT
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/ssl.h>
+    ])
+    AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [
+	AC_INCLUDES_DEFAULT
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/ssl.h>
+    ])
+    AC_CHECK_DECL([SSL_CTX_set_ciphersuites], [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [
+	AC_INCLUDES_DEFAULT
+	#include <wolfssl/options.h>
+	#include <wolfssl/openssl/ssl.h>
+    ])
+fi
+dnl
+dnl Check for sha2 functions if not using openssl, wolfssl or gcrypt
 dnl
 if test "$DIGEST" = "digest.lo"; then
     FOUND_SHA2=no
@@ -4965,6 +5095,9 @@ AC_OUTPUT
 dnl
 dnl Summarize configuration
 dnl
+if test ${LIBTLS+y}; then
+    have_tls=yes
+fi
 echo "" >&AS_MESSAGE_FD
 echo "Configured Sudo version $PACKAGE_VERSION" >&AS_MESSAGE_FD
 echo " Compiler settings:" >&AS_MESSAGE_FD
@@ -4996,7 +5129,7 @@ fi
 echo " Optional features:" >&AS_MESSAGE_FD
 echo "  log client			: ${enable_log_client-yes}" >&AS_MESSAGE_FD
 echo "  log server			: ${enable_log_server-yes}" >&AS_MESSAGE_FD
-echo "  log client/server TLS		: ${enable_openssl-no}" >&AS_MESSAGE_FD
+echo "  log client/server TLS		: ${have_tls-no}" >&AS_MESSAGE_FD
 case "$host_os" in
     linux*) echo "  SELinux RBAC			: ${with_selinux-yes}" >&AS_MESSAGE_FD;;
 esac
@@ -5267,6 +5400,7 @@ AH_TEMPLATE(HAVE_KINFO_PROC_FREEBSD, [Define to 1 if your system has a FreeBSD-s
 AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-style kinfo_proc2 struct.])
 AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.])
 AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.])
+AH_TEMPLATE(HAVE_WOLFSSL, [Define to 1 if you are using WolfSSL's TLS and sha2 functions.])
 AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.])
 AH_TEMPLATE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION, [Define to 1 if you have the `SSL_CTX_set_min_proto_version' function or macro.])
 AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function or macro.])

include/sudo_compat.h

@@ -380,7 +380,7 @@ int getdomainname(char *, size_t);
 /*
  * Compatibility defines for OpenSSL 1.0.2 (not needed for 1.1.x)
  */
-#if defined(HAVE_OPENSSL)
+#if defined(HAVE_OPENSSL) && !defined(HAVE_WOLFSSL)
 # ifndef HAVE_X509_STORE_CTX_GET0_CERT
 #  define X509_STORE_CTX_get0_cert(x)   ((x)->cert)
 # endif
@@ -390,7 +390,7 @@ int getdomainname(char *, size_t);
 # ifndef HAVE_TLS_METHOD
 #  define TLS_method()                  SSLv23_method()
 # endif
-#endif /* HAVE_OPENSSL */
+#endif /* HAVE_OPENSSL && !HAVE_WOLFSSL */
 
 /*
  * Functions "missing" from libc.

lib/iolog/hostcheck.c

@@ -22,6 +22,9 @@
 #include "config.h"
 
 #if defined(HAVE_OPENSSL)
+# if defined(HAVE_WOLFSSL)
+#  include <wolfssl/options.h>
+# endif
 # include <sys/types.h>
 # include <sys/socket.h>
 # include <netinet/in.h>

lib/util/digest_openssl.c

@@ -26,6 +26,9 @@
 #include <stdlib.h>
 #include <errno.h>
 
+#if defined(HAVE_WOLFSSL)
+# include <wolfssl/options.h>
+#endif
 #include <openssl/evp.h>
 
 #include "sudo_compat.h"

lib/util/getentropy.c

@@ -65,6 +65,9 @@
 # include <link.h>
 #endif
 #ifdef HAVE_OPENSSL
+# if defined(HAVE_WOLFSSL)
+#  include <wolfssl/options.h>
+# endif
 # include <openssl/rand.h>
 #endif
 

logsrvd/logsrvd.c

@@ -49,11 +49,6 @@
 # include "compat/getopt.h"
 #endif /* HAVE_GETOPT_LONG */
 
-#if defined(HAVE_OPENSSL)
-# include <openssl/ssl.h>
-# include <openssl/err.h>
-#endif
-
 #define NEED_INET_NTOP		/* to expose sudo_inet_ntop in sudo_compat.h */
 
 #include "pathnames.h"
@@ -70,8 +65,8 @@
 #include "sudo_rand.h"
 #include "sudo_util.h"
 
-#include "hostcheck.h"
 #include "logsrvd.h"
+#include "hostcheck.h"
 
 #ifndef O_NOFOLLOW
 # define O_NOFOLLOW 0

logsrvd/logsrvd.h

@@ -27,7 +27,11 @@
 #include "config.h"
 
 #if defined(HAVE_OPENSSL)
+# if defined(HAVE_WOLFSSL)
+#  include <wolfssl/options.h>
+# endif
 # include <openssl/ssl.h>
+# include <openssl/err.h>
 #endif
 
 #include "logsrv_util.h"

logsrvd/logsrvd_relay.c

@@ -44,11 +44,6 @@
 #include <time.h>
 #include <unistd.h>
 
-#if defined(HAVE_OPENSSL)
-# include <openssl/ssl.h>
-# include <openssl/err.h>
-#endif
-
 #define NEED_INET_NTOP		/* to expose sudo_inet_ntop in sudo_compat.h */
 
 #include "sudo_compat.h"
@@ -756,11 +751,14 @@ relay_server_msg_cb(int fd, int what, void *v)
                      * message and hope that no actual internal error occurs.
                      */
                     err = ERR_get_error();
+#if !defined(HAVE_WOLFSSL)
                     if (closure->state == INITIAL &&
                         ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
                         errstr = _("relay host name does not match certificate");
 			closure->errstr = errstr;
-                    } else {
+                    } else
+#endif
+		    {
                         errstr = ERR_reason_error_string(err);
 			closure->errstr = _("error reading from relay");
                     }

logsrvd/sendlog.c

@@ -54,11 +54,6 @@
 # include "compat/getopt.h"
 #endif /* HAVE_GETOPT_LONG */
 
-#if defined(HAVE_OPENSSL)
-# include <openssl/ssl.h>
-# include <openssl/err.h>
-#endif
-
 #include "sudo_compat.h"
 #include "sudo_conf.h"
 #include "sudo_debug.h"
@@ -69,8 +64,8 @@
 #include "sudo_iolog.h"
 #include "sudo_util.h"
 
-#include "hostcheck.h"
 #include "sendlog.h"
+#include "hostcheck.h"
 
 #if defined(HAVE_OPENSSL)
 # define TLS_HANDSHAKE_TIMEO_SEC 10
@@ -1334,10 +1329,13 @@ server_msg_cb(int fd, int what, void *v)
                      * message and hope that no actual internal error occurs.
                      */
                     err = ERR_get_error();
+#if !defined(HAVE_WOLFSSL)
                     if (closure->state == RECV_HELLO &&
                         ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
                         errstr = "host name does not match certificate";
-                    } else {
+                    } else
+#endif
+		    {
                         errstr = ERR_reason_error_string(err);
                     }
                     sudo_warnx("%s", errstr);

logsrvd/sendlog.h

@@ -27,7 +27,11 @@
 #include "config.h"
 
 #if defined(HAVE_OPENSSL)
+# if defined(HAVE_WOLFSSL)
+#  include <wolfssl/options.h>
+# endif
 # include <openssl/ssl.h>
+# include <openssl/err.h>
 #endif
 
 #include "logsrv_util.h"

logsrvd/tls_client.c

@@ -34,11 +34,6 @@
 #include <string.h>
 #include <time.h>
 
-#if defined(HAVE_OPENSSL)
-# include <openssl/ssl.h>
-# include <openssl/err.h>
-#endif
-
 #include "sudo_compat.h"
 #include "sudo_debug.h"
 #include "sudo_event.h"
@@ -46,9 +41,9 @@
 #include "sudo_gettext.h"
 #include "sudo_util.h"
 
-#include "hostcheck.h"
 #include "logsrv_util.h"
 #include "tls_common.h"
+#include "hostcheck.h"
 
 #if defined(HAVE_OPENSSL)
 

logsrvd/tls_common.h

@@ -22,7 +22,11 @@
 #include "config.h"
 
 #if defined(HAVE_OPENSSL)
+# if defined(HAVE_WOLFSSL)
+#  include <wolfssl/options.h>
+# endif
 # include <openssl/ssl.h>
+# include <openssl/err.h>
 
 struct tls_client_closure {
     SSL *ssl;

logsrvd/tls_init.c

@@ -33,19 +33,14 @@
 #include <fcntl.h>
 #include <unistd.h>
 
-#if defined(HAVE_OPENSSL)
-# include <openssl/ssl.h>
-# include <openssl/err.h>
-#endif
-
 #include "sudo_compat.h"
 #include "sudo_debug.h"
 #include "sudo_event.h"
 #include "sudo_fatal.h"
 #include "sudo_gettext.h"
 
-#include "hostcheck.h"
 #include "tls_common.h"
+#include "hostcheck.h"
 
 #define DEFAULT_CIPHER_LST12 "HIGH:!aNULL"
 #define DEFAULT_CIPHER_LST13 "TLS_AES_256_GCM_SHA384"
@@ -82,8 +77,10 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
         goto done;
     }
 
+#if !defined(HAVE_WOLFSSL)
     if ((ca_store = SSL_CTX_get_cert_store(ctx)) != NULL)
         X509_STORE_set_flags(ca_store, X509_V_FLAG_X509_STRICT);
+#endif
 
     if (!X509_STORE_CTX_init(store_ctx, ca_store, x509, chain_certs)) {
 	errstr = ERR_reason_error_string(ERR_get_error());

plugins/sudoers/log_client.c

@@ -49,6 +49,9 @@
 #endif
 
 #if defined(HAVE_OPENSSL)
+# if defined(HAVE_WOLFSSL)
+#  include <wolfssl/options.h>
+# endif
 # include <openssl/ssl.h>
 # include <openssl/err.h>
 # include <openssl/x509v3.h>
@@ -1744,10 +1747,13 @@ server_msg_cb(int fd, int what, void *v)
                      * message and hope that no actual internal error occurs.
                      */
                     err = ERR_get_error();
+#if !defined(HAVE_WOLFSSL)
                     if (closure->state == RECV_HELLO &&
                         ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
                         errstr = "host name does not match certificate";
-                    } else {
+                    } else
+#endif
+		    {
                         errstr = ERR_reason_error_string(err);
                     }
                     sudo_warnx("%s", errstr);

plugins/sudoers/log_client.h

@@ -21,6 +21,9 @@
 
 #include <netinet/in.h>			/* for INET6?_ADDRSTRLEN */
 #if defined(HAVE_OPENSSL)
+# if defined(HAVE_WOLFSSL)
+#  include <wolfssl/options.h>
+# endif /* HAVE_WOLFSSL */
 # include <openssl/ssl.h>
 #endif /* HAVE_OPENSSL */