isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for WolfSSL's OpenSSL compatibility layer.

Browse Source 
Based on changes from Hayden Roche
This commit is contained in:
Todd C. Miller
2021-10-25 13:17:57 -06:00
parent 465bfbba72
commit cc6157d7d4
18 changed files with 862 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
INSTALL
View File

@@ -643,6 +643,11 @@ Authentication options:
to be used instead. This makes it possible to link with
the OpenSSL 3.0 package on OpenBSD. Defaults to "%s".
--enable-wolfssl[=DIR]
Use WolfSSL's TLS and SHA-2 message digest functions. If
specified, DIR should contain the OpenSSL include and lib
directories.
Development options:
--enable-env-debug
Enable debugging of the environment setting functions. This

3
config.h.in
View File

@@ -1009,6 +1009,9 @@
/* Define to 1 if you have the <wchar.h> header file. */
#undef HAVE_WCHAR_H
/* Define to 1 if you are using WolfSSL's TLS and sha2 functions. */
#undef HAVE_WOLFSSL
/* Define to 1 if you have the `wordexp' function. */
#undef HAVE_WORDEXP

672
configure vendored
View File

@@ -1045,6 +1045,7 @@ enable_log_server
enable_log_client
enable_openssl
enable_openssl_pkgconfig_template
enable_wolfssl
enable_gcrypt
enable_python
enable_shared
@@ -1763,6 +1764,7 @@ Optional Features:
--enable-openssl-pkgconfig-template
A printf format string used to construct the OpenSSL
pkg-config name
--enable-wolfssl Use WolfSSL's TLS and sha2 functions
--enable-gcrypt Use GNU crypt's sha2 functions
--enable-python Compile python plugin support
--enable-shared[=PKGS] build shared libraries [default=yes]
@@ -6985,13 +6987,22 @@ else $as_nop
fi
# Check whether --enable-wolfssl was given.
if test ${enable_wolfssl+y}
then :
enableval=$enable_wolfssl;
enable_openssl=no
fi
# Check whether --enable-gcrypt was given.
if test ${enable_gcrypt+y}
then :
enableval=$enable_gcrypt;
if test "${enable_openssl-no}" != no; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: ignoring --enable-gcrypt when OpenSSL is enabled." >&5
printf "%s\n" "$as_me: WARNING: ignoring --enable-gcrypt when OpenSSL is enabled." >&2;}
if test "${enable_openssl-no}${enable_wolfssl-no}" != "nono"; then
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: ignoring --enable-gcrypt when OpenSSL or WolfSSL is enabled." >&5
printf "%s\n" "$as_me: WARNING: ignoring --enable-gcrypt when OpenSSL or WolfSSL is enabled." >&2;}
enable_gcrypt=no
fi
@@ -24313,6 +24324,655 @@ fi
fi
fi
if test "${enable_wolfssl-no}" != no; then
# Use pkg-config to find the wolfssl cflags and libs if possible.
if test "$enable_wolfssl" != "yes"; then
PKG_CONFIG_LIBDIR="${enable_wolfssl}/lib/pkgconfig:${enable_wolfssl}/lib64/pkgconfig:${enable_wolfssl}/share/pkgconfig"
export PKG_CONFIG_LIBDIR
elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then
# Cannot use pkg-config when cross-compiling
PKG_CONFIG=false
fi
: ${PKG_CONFIG='pkg-config'}
if $PKG_CONFIG --exists wolfssl >/dev/null 2>&1; then
printf "%s\n" "#define HAVE_OPENSSL 1" >>confdefs.h
printf "%s\n" "#define HAVE_WOLFSSL 1" >>confdefs.h
O_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS `$PKG_CONFIG --cflags-only-I wolfssl`"
O_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L wolfssl`"
# Check whether --static is needed
libssl="`$PKG_CONFIG --libs-only-l wolfssl | sed 's/^ *-l//'`"
libssl_extra=`echo $libssl | sed 's/^[^ ]* *//'`
libssl=`echo $libssl | sed 's/ .*//'`
as_ac_Lib=`printf "%s\n" "ac_cv_lib_$libssl''_wolfSSL_new$libssl_extra" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for wolfSSL_new in -l$libssl" >&5
printf %s "checking for wolfSSL_new in -l$libssl... " >&6; }
if eval test \${$as_ac_Lib+y}
then :
printf %s "(cached) " >&6
else $as_nop
ac_check_lib_save_LIBS=$LIBS
LIBS="-l$libssl $libssl_extra $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
char wolfSSL_new ();
int
main (void)
{
return wolfSSL_new ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"
then :
eval "$as_ac_Lib=yes"
else $as_nop
eval "$as_ac_Lib=no"
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
eval ac_res=\$$as_ac_Lib
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_Lib"\" = x"yes"
then :
STATIC=""
else $as_nop
STATIC="--static"
fi
# Use WolfSSL's sha2 functions if possible
ac_fn_check_decl "$LINENO" "EVP_MD_CTX_new" "ac_cv_have_decl_EVP_MD_CTX_new" "
$ac_includes_default
#include <wolfssl/options.h>
#include <wolfssl/openssl/evp.h>
" "$ac_c_undeclared_builtin_options" "CFLAGS"
if test "x$ac_cv_have_decl_EVP_MD_CTX_new" = xyes
then :
DIGEST=digest_openssl.lo
fi
CPPFLAGS="$O_CPPFLAGS"
LDFLAGS="$O_LDFLAGS"
# Use pkg-config to determine WolfSSL libs and cflags
for f in `$PKG_CONFIG $STATIC --libs wolfssl`; do
case "$f" in
-L*)
f="${f#-L}"
if test ${LIBTLS+y}
then :
case " $LIBTLS " in #(
*" -L$f "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS already contains -L\$f"; } >&5
(: LIBTLS already contains -L$f) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LIBTLS " -L$f"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
(: LIBTLS="$LIBTLS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
LIBTLS=-L$f
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
(: LIBTLS="$LIBTLS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
if test X"$enable_rpath" = X"yes"; then
if test ${LIBTLS_R+y}
then :
case " $LIBTLS_R " in #(
*" -R$f "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R already contains -R\$f"; } >&5
(: LIBTLS_R already contains -R$f) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LIBTLS_R " -R$f"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5
(: LIBTLS_R="$LIBTLS_R") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
LIBTLS_R=-R$f
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5
(: LIBTLS_R="$LIBTLS_R") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
fi
;;
*)
if test ${LIBTLS+y}
then :
case " $LIBTLS " in #(
*" $f "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS already contains \$f"; } >&5
(: LIBTLS already contains $f) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LIBTLS " $f"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
(: LIBTLS="$LIBTLS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
LIBTLS=$f
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
(: LIBTLS="$LIBTLS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
;;
esac
done
# No separate pkg config for libcrypto
LIBCRYPTO="$LIBTLS"
LIBCRYPTO_R="$LIBTLS_R"
for f in `$PKG_CONFIG --cflags-only-I wolfssl`; do
if test ${CPPFLAGS+y}
then :
case " $CPPFLAGS " in #(
*" $f "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains \$f"; } >&5
(: CPPFLAGS already contains $f) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append CPPFLAGS " $f"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
CPPFLAGS=$f
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
# So we find the openssl compat headers under wolfssl
if test ${CPPFLAGS+y}
then :
case " $CPPFLAGS " in #(
*" $f/wolfssl "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains \$f/wolfssl"; } >&5
(: CPPFLAGS already contains $f/wolfssl) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append CPPFLAGS " $f/wolfssl"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
CPPFLAGS=$f/wolfssl
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
done
if test "$CPPFLAGS" = "$O_CPPFLAGS"; then
# So we find the openssl compat headers under wolfssl (XXX)
if test ${CPPFLAGS+y}
then :
case " $CPPFLAGS " in #(
*" -I/usr/include/wolfssl "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I/usr/include/wolfssl"; } >&5
(: CPPFLAGS already contains -I/usr/include/wolfssl) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append CPPFLAGS " -I/usr/include/wolfssl"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
CPPFLAGS=-I/usr/include/wolfssl
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
fi
else
printf "%s\n" "#define HAVE_OPENSSL 1" >>confdefs.h
printf "%s\n" "#define HAVE_WOLFSSL 1" >>confdefs.h
# No pkg-config file present, try to do it manually
if test "$enable_wolfssl" != "yes"; then
if test ${LIBCRYPTO+y}
then :
case " $LIBCRYPTO " in #(
*" -L${enable_wolfssl}/lib "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO already contains -L\${enable_wolfssl}/lib"; } >&5
(: LIBCRYPTO already contains -L${enable_wolfssl}/lib) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LIBCRYPTO " -L${enable_wolfssl}/lib"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO=\"\$LIBCRYPTO\""; } >&5
(: LIBCRYPTO="$LIBCRYPTO") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
LIBCRYPTO=-L${enable_wolfssl}/lib
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO=\"\$LIBCRYPTO\""; } >&5
(: LIBCRYPTO="$LIBCRYPTO") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
if test X"$enable_rpath" = X"yes"; then
if test ${LIBCRYPTO_R+y}
then :
case " $LIBCRYPTO_R " in #(
*" -R${enable_wolfssl}/lib "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO_R already contains -R\${enable_wolfssl}/lib"; } >&5
(: LIBCRYPTO_R already contains -R${enable_wolfssl}/lib) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LIBCRYPTO_R " -R${enable_wolfssl}/lib"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO_R=\"\$LIBCRYPTO_R\""; } >&5
(: LIBCRYPTO_R="$LIBCRYPTO_R") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
LIBCRYPTO_R=-R${enable_wolfssl}/lib
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBCRYPTO_R=\"\$LIBCRYPTO_R\""; } >&5
(: LIBCRYPTO_R="$LIBCRYPTO_R") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
fi
if test ${LIBTLS+y}
then :
case " $LIBTLS " in #(
*" -L${enable_wolfssl}/lib "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS already contains -L\${enable_wolfssl}/lib"; } >&5
(: LIBTLS already contains -L${enable_wolfssl}/lib) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LIBTLS " -L${enable_wolfssl}/lib"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
(: LIBTLS="$LIBTLS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
LIBTLS=-L${enable_wolfssl}/lib
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS=\"\$LIBTLS\""; } >&5
(: LIBTLS="$LIBTLS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
if test X"$enable_rpath" = X"yes"; then
if test ${LIBTLS_R+y}
then :
case " $LIBTLS_R " in #(
*" -R${enable_wolfssl}/lib "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R already contains -R\${enable_wolfssl}/lib"; } >&5
(: LIBTLS_R already contains -R${enable_wolfssl}/lib) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append LIBTLS_R " -R${enable_wolfssl}/lib"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5
(: LIBTLS_R="$LIBTLS_R") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
LIBTLS_R=-R${enable_wolfssl}/lib
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LIBTLS_R=\"\$LIBTLS_R\""; } >&5
(: LIBTLS_R="$LIBTLS_R") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
fi
if test ${CPPFLAGS+y}
then :
case " $CPPFLAGS " in #(
*" -I${enable_wolfssl}/include "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enable_wolfssl}/include"; } >&5
(: CPPFLAGS already contains -I${enable_wolfssl}/include) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append CPPFLAGS " -I${enable_wolfssl}/include"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
CPPFLAGS=-I${enable_wolfssl}/include
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
# So we find the openssl compat headers under wolfssl
if test ${CPPFLAGS+y}
then :
case " $CPPFLAGS " in #(
*" -I${enable_wolfssl}/include/wolfssl "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I\${enable_wolfssl}/include/wolfssl"; } >&5
(: CPPFLAGS already contains -I${enable_wolfssl}/include/wolfssl) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append CPPFLAGS " -I${enable_wolfssl}/include/wolfssl"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
CPPFLAGS=-I${enable_wolfssl}/include/wolfssl
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
else
# So we find the openssl compat headers under wolfssl (XXX)
if test ${CPPFLAGS+y}
then :
case " $CPPFLAGS " in #(
*" -I/usr/include/wolfssl "*) :
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS already contains -I/usr/include/wolfssl"; } >&5
(: CPPFLAGS already contains -I/usr/include/wolfssl) 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; } ;; #(
*) :
as_fn_append CPPFLAGS " -I/usr/include/wolfssl"
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
;;
esac
else $as_nop
CPPFLAGS=-I/usr/include/wolfssl
{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : CPPFLAGS=\"\$CPPFLAGS\""; } >&5
(: CPPFLAGS="$CPPFLAGS") 2>&5
ac_status=$?
printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
test $ac_status = 0; }
fi
fi
LIBTLS="${LIBTLS} -lwolfssl"
LIBCRYPTO="${LIBCRYPTO} -lwolfssl"
# Use WolfSSL's sha2 functions if possible
ac_fn_check_decl "$LINENO" "EVP_MD_CTX_new" "ac_cv_have_decl_EVP_MD_CTX_new" "
$ac_includes_default
#include <wolfssl/options.h>
#include <wolfssl/openssl/evp.h>
" "$ac_c_undeclared_builtin_options" "CFLAGS"
if test "x$ac_cv_have_decl_EVP_MD_CTX_new" = xyes
then :
DIGEST=digest_openssl.lo
fi
fi
ac_fn_check_decl "$LINENO" "X509_STORE_CTX_get0_cert" "ac_cv_have_decl_X509_STORE_CTX_get0_cert" "
$ac_includes_default
#include <wolfssl/options.h>
#include <wolfssl/openssl/x509.h>
" "$ac_c_undeclared_builtin_options" "CFLAGS"
if test "x$ac_cv_have_decl_X509_STORE_CTX_get0_cert" = xyes
then :
printf "%s\n" "#define HAVE_X509_STORE_CTX_GET0_CERT 1" >>confdefs.h
fi
ac_fn_check_decl "$LINENO" "ASN1_STRING_get0_data" "ac_cv_have_decl_ASN1_STRING_get0_data" "
$ac_includes_default
#include <wolfssl/options.h>
#include <wolfssl/openssl/asn1.h>
" "$ac_c_undeclared_builtin_options" "CFLAGS"
if test "x$ac_cv_have_decl_ASN1_STRING_get0_data" = xyes
then :
printf "%s\n" "#define HAVE_ASN1_STRING_GET0_DATA 1" >>confdefs.h
fi
ac_fn_check_decl "$LINENO" "SSL_CTX_get0_certificate" "ac_cv_have_decl_SSL_CTX_get0_certificate" "
$ac_includes_default
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
" "$ac_c_undeclared_builtin_options" "CFLAGS"
if test "x$ac_cv_have_decl_SSL_CTX_get0_certificate" = xyes
then :
printf "%s\n" "#define HAVE_SSL_CTX_GET0_CERTIFICATE 1" >>confdefs.h
fi
ac_fn_check_decl "$LINENO" "SSL_CTX_set0_tmp_dh_pkey" "ac_cv_have_decl_SSL_CTX_set0_tmp_dh_pkey" "
$ac_includes_default
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
" "$ac_c_undeclared_builtin_options" "CFLAGS"
if test "x$ac_cv_have_decl_SSL_CTX_set0_tmp_dh_pkey" = xyes
then :
printf "%s\n" "#define HAVE_SSL_CTX_SET0_TMP_DH_PKEY 1" >>confdefs.h
fi
ac_fn_check_decl "$LINENO" "TLS_method" "ac_cv_have_decl_TLS_method" "
$ac_includes_default
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
" "$ac_c_undeclared_builtin_options" "CFLAGS"
if test "x$ac_cv_have_decl_TLS_method" = xyes
then :
printf "%s\n" "#define HAVE_TLS_METHOD 1" >>confdefs.h
fi
ac_fn_check_decl "$LINENO" "SSL_CTX_set_min_proto_version" "ac_cv_have_decl_SSL_CTX_set_min_proto_version" "
$ac_includes_default
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
" "$ac_c_undeclared_builtin_options" "CFLAGS"
if test "x$ac_cv_have_decl_SSL_CTX_set_min_proto_version" = xyes
then :
printf "%s\n" "#define HAVE_SSL_CTX_SET_MIN_PROTO_VERSION 1" >>confdefs.h
fi
ac_fn_check_decl "$LINENO" "SSL_CTX_set_ciphersuites" "ac_cv_have_decl_SSL_CTX_set_ciphersuites" "
$ac_includes_default
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
" "$ac_c_undeclared_builtin_options" "CFLAGS"
if test "x$ac_cv_have_decl_SSL_CTX_set_ciphersuites" = xyes
then :
printf "%s\n" "#define HAVE_SSL_CTX_SET_CIPHERSUITES 1" >>confdefs.h
fi
fi
if test "$DIGEST" = "digest.lo"; then
FOUND_SHA2=no
ac_fn_c_check_header_compile "$LINENO" "sha2.h" "ac_cv_header_sha2_h" "$ac_includes_default"
@@ -33631,6 +34291,9 @@ printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2
fi
if test ${LIBTLS+y}; then
have_tls=yes
fi
echo "" >&6
echo "Configured Sudo version $PACKAGE_VERSION" >&6
echo " Compiler settings:" >&6
@@ -33662,7 +34325,7 @@ fi
echo " Optional features:" >&6
echo " log client : ${enable_log_client-yes}" >&6
echo " log server : ${enable_log_server-yes}" >&6
echo " log client/server TLS : ${enable_openssl-no}" >&6
echo " log client/server TLS : ${have_tls-no}" >&6
case "$host_os" in
linux*) echo " SELinux RBAC : ${with_selinux-yes}" >&6;;
esac
@@ -33940,5 +34603,6 @@ fi

144
configure.ac
View File

@@ -1561,7 +1561,7 @@ if test X"$LOGSRVD_SRC" != X""; then
fi
dnl
dnl Do OpenSSL / gcrypt after logsrv options
dnl Do OpenSSL / WolfSSL / gcrypt after logsrv options
dnl
AC_ARG_ENABLE(openssl,
[AS_HELP_STRING([--enable-openssl], [Use OpenSSL's TLS and sha2 functions])],
@@ -1575,10 +1575,15 @@ AC_ARG_ENABLE(openssl-pkgconfig-template,
[AS_HELP_STRING([--enable-openssl-pkgconfig-template], [A printf format string used to construct the OpenSSL pkg-config name])],
[], [enable_openssl_pkgconfig_template="%s"])
AC_ARG_ENABLE(wolfssl,
[AS_HELP_STRING([--enable-wolfssl], [Use WolfSSL's TLS and sha2 functions])], [
enable_openssl=no
])
AC_ARG_ENABLE(gcrypt,
[AS_HELP_STRING([--enable-gcrypt], [Use GNU crypt's sha2 functions])], [
if test "${enable_openssl-no}" != no; then
AC_MSG_WARN([ignoring --enable-gcrypt when OpenSSL is enabled.])
if test "${enable_openssl-no}${enable_wolfssl-no}" != "nono"; then
AC_MSG_WARN([ignoring --enable-gcrypt when OpenSSL or WolfSSL is enabled.])
enable_gcrypt=no
fi
])
@@ -3102,7 +3107,132 @@ elif test "${enable_gcrypt-no}" != no; then
fi
fi
dnl
dnl Check for sha2 functions if not using openssl or gcrypt
dnl Check for OpenSSL compatibility functions in WolfSSL
dnl
if test "${enable_wolfssl-no}" != no; then
# Use pkg-config to find the wolfssl cflags and libs if possible.
if test "$enable_wolfssl" != "yes"; then
PKG_CONFIG_LIBDIR="${enable_wolfssl}/lib/pkgconfig:${enable_wolfssl}/lib64/pkgconfig:${enable_wolfssl}/share/pkgconfig"
export PKG_CONFIG_LIBDIR
elif test "$cross_compiling" = "yes" -a -z "$PKG_CONFIG"; then
# Cannot use pkg-config when cross-compiling
PKG_CONFIG=false
fi
: ${PKG_CONFIG='pkg-config'}
if $PKG_CONFIG --exists wolfssl >/dev/null 2>&1; then
AC_DEFINE(HAVE_OPENSSL)
AC_DEFINE(HAVE_WOLFSSL)
O_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS `$PKG_CONFIG --cflags-only-I wolfssl`"
O_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS `$PKG_CONFIG --libs-only-L wolfssl`"
# Check whether --static is needed
libssl="`$PKG_CONFIG --libs-only-l wolfssl | sed 's/^ *-l//'`"
libssl_extra=`echo $libssl | sed 's/^[[^ ]]* *//'`
libssl=`echo $libssl | sed 's/ .*//'`
AC_CHECK_LIB($libssl, wolfSSL_new, [STATIC=""], [STATIC="--static"], [$libssl_extra])
# Use WolfSSL's sha2 functions if possible
AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/evp.h>
])
CPPFLAGS="$O_CPPFLAGS"
LDFLAGS="$O_LDFLAGS"
# Use pkg-config to determine WolfSSL libs and cflags
for f in `$PKG_CONFIG $STATIC --libs wolfssl`; do
case "$f" in
-L*)
f="${f#-L}"
SUDO_APPEND_LIBPATH([LIBTLS], [$f])
;;
*)
AX_APPEND_FLAG([$f], [LIBTLS])
;;
esac
done
# No separate pkg config for libcrypto
LIBCRYPTO="$LIBTLS"
LIBCRYPTO_R="$LIBTLS_R"
for f in `$PKG_CONFIG --cflags-only-I wolfssl`; do
AX_APPEND_FLAG([$f], [CPPFLAGS])
# So we find the openssl compat headers under wolfssl
AX_APPEND_FLAG([$f/wolfssl], [CPPFLAGS])
done
if test "$CPPFLAGS" = "$O_CPPFLAGS"; then
# So we find the openssl compat headers under wolfssl (XXX)
AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS])
fi
else
AC_DEFINE(HAVE_OPENSSL)
AC_DEFINE(HAVE_WOLFSSL)
# No pkg-config file present, try to do it manually
if test "$enable_wolfssl" != "yes"; then
SUDO_APPEND_LIBPATH(LIBCRYPTO, [${enable_wolfssl}/lib])
SUDO_APPEND_LIBPATH(LIBTLS, [${enable_wolfssl}/lib])
AX_APPEND_FLAG([-I${enable_wolfssl}/include], [CPPFLAGS])
# So we find the openssl compat headers under wolfssl
AX_APPEND_FLAG([-I${enable_wolfssl}/include/wolfssl], [CPPFLAGS])
else
# So we find the openssl compat headers under wolfssl (XXX)
AX_APPEND_FLAG([-I/usr/include/wolfssl], [CPPFLAGS])
fi
LIBTLS="${LIBTLS} -lwolfssl"
LIBCRYPTO="${LIBCRYPTO} -lwolfssl"
# Use WolfSSL's sha2 functions if possible
AC_CHECK_DECL([EVP_MD_CTX_new], [DIGEST=digest_openssl.lo], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/evp.h>
])
fi
dnl
dnl Check for specific OpenSSL API compatibility macros
dnl
AC_CHECK_DECL([X509_STORE_CTX_get0_cert], [AC_DEFINE(HAVE_X509_STORE_CTX_GET0_CERT)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/x509.h>
])
AC_CHECK_DECL([ASN1_STRING_get0_data], [AC_DEFINE(HAVE_ASN1_STRING_GET0_DATA)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/asn1.h>
])
AC_CHECK_DECL([SSL_CTX_get0_certificate], [AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([SSL_CTX_set0_tmp_dh_pkey], [AC_DEFINE(HAVE_SSL_CTX_SET0_TMP_DH_PKEY)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([TLS_method], [AC_DEFINE(HAVE_TLS_METHOD)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([SSL_CTX_set_min_proto_version], [AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
AC_CHECK_DECL([SSL_CTX_set_ciphersuites], [AC_DEFINE(HAVE_SSL_CTX_SET_CIPHERSUITES)], [], [
AC_INCLUDES_DEFAULT
#include <wolfssl/options.h>
#include <wolfssl/openssl/ssl.h>
])
fi
dnl
dnl Check for sha2 functions if not using openssl, wolfssl or gcrypt
dnl
if test "$DIGEST" = "digest.lo"; then
FOUND_SHA2=no
@@ -4965,6 +5095,9 @@ AC_OUTPUT
dnl
dnl Summarize configuration
dnl
if test ${LIBTLS+y}; then
have_tls=yes
fi
echo "" >&AS_MESSAGE_FD
echo "Configured Sudo version $PACKAGE_VERSION" >&AS_MESSAGE_FD
echo " Compiler settings:" >&AS_MESSAGE_FD
@@ -4996,7 +5129,7 @@ fi
echo " Optional features:" >&AS_MESSAGE_FD
echo " log client : ${enable_log_client-yes}" >&AS_MESSAGE_FD
echo " log server : ${enable_log_server-yes}" >&AS_MESSAGE_FD
echo " log client/server TLS : ${enable_openssl-no}" >&AS_MESSAGE_FD
echo " log client/server TLS : ${have_tls-no}" >&AS_MESSAGE_FD
case "$host_os" in
linux*) echo " SELinux RBAC : ${with_selinux-yes}" >&AS_MESSAGE_FD;;
esac
@@ -5267,6 +5400,7 @@ AH_TEMPLATE(HAVE_KINFO_PROC_FREEBSD, [Define to 1 if your system has a FreeBSD-s
AH_TEMPLATE(HAVE_KINFO_PROC2_NETBSD, [Define to 1 if your system has a NetBSD-style kinfo_proc2 struct.])
AH_TEMPLATE(HAVE_KINFO_PROC_OPENBSD, [Define to 1 if your system has an OpenBSD-style kinfo_proc struct.])
AH_TEMPLATE(HAVE_OPENSSL, [Define to 1 if you are using OpenSSL's TLS and sha2 functions.])
AH_TEMPLATE(HAVE_WOLFSSL, [Define to 1 if you are using WolfSSL's TLS and sha2 functions.])
AH_TEMPLATE(HAVE_GCRYPT, [Define to 1 if you are using gcrypt's sha2 functions.])
AH_TEMPLATE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION, [Define to 1 if you have the `SSL_CTX_set_min_proto_version' function or macro.])
AH_TEMPLATE(HAVE_SSL_CTX_SET_CIPHERSUITES, [Define to 1 if you have the `SSL_CTX_set_ciphersuites' function or macro.])

4
include/sudo_compat.h
View File

@@ -380,7 +380,7 @@ int getdomainname(char *, size_t);
/*
* Compatibility defines for OpenSSL 1.0.2 (not needed for 1.1.x)
*/
#if defined(HAVE_OPENSSL)
#if defined(HAVE_OPENSSL) && !defined(HAVE_WOLFSSL)
# ifndef HAVE_X509_STORE_CTX_GET0_CERT
# define X509_STORE_CTX_get0_cert(x) ((x)->cert)
# endif
@@ -390,7 +390,7 @@ int getdomainname(char *, size_t);
# ifndef HAVE_TLS_METHOD
# define TLS_method() SSLv23_method()
# endif
#endif /* HAVE_OPENSSL */
#endif /* HAVE_OPENSSL && !HAVE_WOLFSSL */
/*
* Functions "missing" from libc.

3
lib/iolog/hostcheck.c
View File

@@ -22,6 +22,9 @@
#include "config.h"
#if defined(HAVE_OPENSSL)
# if defined(HAVE_WOLFSSL)
# include <wolfssl/options.h>
# endif
# include <sys/types.h>
# include <sys/socket.h>
# include <netinet/in.h>

3
lib/util/digest_openssl.c
View File

@@ -26,6 +26,9 @@
#include <stdlib.h>
#include <errno.h>
#if defined(HAVE_WOLFSSL)
# include <wolfssl/options.h>
#endif
#include <openssl/evp.h>
#include "sudo_compat.h"

3
lib/util/getentropy.c
View File

@@ -65,6 +65,9 @@
# include <link.h>
#endif
#ifdef HAVE_OPENSSL
# if defined(HAVE_WOLFSSL)
# include <wolfssl/options.h>
# endif
# include <openssl/rand.h>
#endif

7
logsrvd/logsrvd.c
View File

@@ -49,11 +49,6 @@
# include "compat/getopt.h"
#endif /* HAVE_GETOPT_LONG */
#if defined(HAVE_OPENSSL)
# include <openssl/ssl.h>
# include <openssl/err.h>
#endif
#define NEED_INET_NTOP /* to expose sudo_inet_ntop in sudo_compat.h */
#include "pathnames.h"
@@ -70,8 +65,8 @@
#include "sudo_rand.h"
#include "sudo_util.h"
#include "hostcheck.h"
#include "logsrvd.h"
#include "hostcheck.h"
#ifndef O_NOFOLLOW
# define O_NOFOLLOW 0

4
logsrvd/logsrvd.h
View File

@@ -27,7 +27,11 @@
#include "config.h"
#if defined(HAVE_OPENSSL)
# if defined(HAVE_WOLFSSL)
# include <wolfssl/options.h>
# endif
# include <openssl/ssl.h>
# include <openssl/err.h>
#endif
#include "logsrv_util.h"

10
logsrvd/logsrvd_relay.c
View File

@@ -44,11 +44,6 @@
#include <time.h>
#include <unistd.h>
#if defined(HAVE_OPENSSL)
# include <openssl/ssl.h>
# include <openssl/err.h>
#endif
#define NEED_INET_NTOP /* to expose sudo_inet_ntop in sudo_compat.h */
#include "sudo_compat.h"
@@ -756,11 +751,14 @@ relay_server_msg_cb(int fd, int what, void *v)
* message and hope that no actual internal error occurs.
*/
err = ERR_get_error();
#if !defined(HAVE_WOLFSSL)
if (closure->state == INITIAL &&
ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
errstr = _("relay host name does not match certificate");
closure->errstr = errstr;
} else {
} else
#endif
{
errstr = ERR_reason_error_string(err);
closure->errstr = _("error reading from relay");
}

12
logsrvd/sendlog.c
View File

@@ -54,11 +54,6 @@
# include "compat/getopt.h"
#endif /* HAVE_GETOPT_LONG */
#if defined(HAVE_OPENSSL)
# include <openssl/ssl.h>
# include <openssl/err.h>
#endif
#include "sudo_compat.h"
#include "sudo_conf.h"
#include "sudo_debug.h"
@@ -69,8 +64,8 @@
#include "sudo_iolog.h"
#include "sudo_util.h"
#include "hostcheck.h"
#include "sendlog.h"
#include "hostcheck.h"
#if defined(HAVE_OPENSSL)
# define TLS_HANDSHAKE_TIMEO_SEC 10
@@ -1334,10 +1329,13 @@ server_msg_cb(int fd, int what, void *v)
* message and hope that no actual internal error occurs.
*/
err = ERR_get_error();
#if !defined(HAVE_WOLFSSL)
if (closure->state == RECV_HELLO &&
ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
errstr = "host name does not match certificate";
} else {
} else
#endif
{
errstr = ERR_reason_error_string(err);
}
sudo_warnx("%s", errstr);

4
logsrvd/sendlog.h
View File

@@ -27,7 +27,11 @@
#include "config.h"
#if defined(HAVE_OPENSSL)
# if defined(HAVE_WOLFSSL)
# include <wolfssl/options.h>
# endif
# include <openssl/ssl.h>
# include <openssl/err.h>
#endif
#include "logsrv_util.h"

7
logsrvd/tls_client.c
View File

@@ -34,11 +34,6 @@
#include <string.h>
#include <time.h>
#if defined(HAVE_OPENSSL)
# include <openssl/ssl.h>
# include <openssl/err.h>
#endif
#include "sudo_compat.h"
#include "sudo_debug.h"
#include "sudo_event.h"
@@ -46,9 +41,9 @@
#include "sudo_gettext.h"
#include "sudo_util.h"
#include "hostcheck.h"
#include "logsrv_util.h"
#include "tls_common.h"
#include "hostcheck.h"
#if defined(HAVE_OPENSSL)

4
logsrvd/tls_common.h
View File

@@ -22,7 +22,11 @@
#include "config.h"
#if defined(HAVE_OPENSSL)
# if defined(HAVE_WOLFSSL)
# include <wolfssl/options.h>
# endif
# include <openssl/ssl.h>
# include <openssl/err.h>
struct tls_client_closure {
SSL *ssl;

9
logsrvd/tls_init.c
View File

@@ -33,19 +33,14 @@
#include <fcntl.h>
#include <unistd.h>
#if defined(HAVE_OPENSSL)
# include <openssl/ssl.h>
# include <openssl/err.h>
#endif
#include "sudo_compat.h"
#include "sudo_debug.h"
#include "sudo_event.h"
#include "sudo_fatal.h"
#include "sudo_gettext.h"
#include "hostcheck.h"
#include "tls_common.h"
#include "hostcheck.h"
#define DEFAULT_CIPHER_LST12 "HIGH:!aNULL"
#define DEFAULT_CIPHER_LST13 "TLS_AES_256_GCM_SHA384"
@@ -82,8 +77,10 @@ verify_cert_chain(SSL_CTX *ctx, const char *cert_file)
goto done;
}
#if !defined(HAVE_WOLFSSL)
if ((ca_store = SSL_CTX_get_cert_store(ctx)) != NULL)
X509_STORE_set_flags(ca_store, X509_V_FLAG_X509_STRICT);
#endif
if (!X509_STORE_CTX_init(store_ctx, ca_store, x509, chain_certs)) {
errstr = ERR_reason_error_string(ERR_get_error());

8
plugins/sudoers/log_client.c
View File

@@ -49,6 +49,9 @@
#endif
#if defined(HAVE_OPENSSL)
# if defined(HAVE_WOLFSSL)
# include <wolfssl/options.h>
# endif
# include <openssl/ssl.h>
# include <openssl/err.h>
# include <openssl/x509v3.h>
@@ -1744,10 +1747,13 @@ server_msg_cb(int fd, int what, void *v)
* message and hope that no actual internal error occurs.
*/
err = ERR_get_error();
#if !defined(HAVE_WOLFSSL)
if (closure->state == RECV_HELLO &&
ERR_GET_REASON(err) == SSL_R_TLSV1_ALERT_INTERNAL_ERROR) {
errstr = "host name does not match certificate";
} else {
} else
#endif
{
errstr = ERR_reason_error_string(err);
}
sudo_warnx("%s", errstr);

3
plugins/sudoers/log_client.h
View File

@@ -21,6 +21,9 @@
#include <netinet/in.h> /* for INET6?_ADDRSTRLEN */
#if defined(HAVE_OPENSSL)
# if defined(HAVE_WOLFSSL)
# include <wolfssl/options.h>
# endif /* HAVE_WOLFSSL */
# include <openssl/ssl.h>
#endif /* HAVE_OPENSSL */