From 008243a45116f1828c9f750fd07ffc34d8680a18 Mon Sep 17 00:00:00 2001 From: Emil Velikov Date: Tue, 10 Sep 2024 22:41:50 +0100 Subject: [PATCH 1/4] VDE Cryptcab: add mbedtls chacha20 impl Add mbedtls as an option, defaulting to the initial wolfssl. To use make you'd need to pass `--with-crypt=mbedtls` to configure. Signed-off-by: Emil Velikov --- configure.ac | 59 +++++++++++++++++++++++++++++++++--- src/vde_cryptcab/Makefile.am | 2 +- src/vde_cryptcab/cryptcab.c | 22 ++++++++++++-- src/vde_cryptcab/cryptcab.h | 6 ++++ 4 files changed, 81 insertions(+), 8 deletions(-) diff --git a/configure.ac b/configure.ac index 1cf669a8..3edb24a2 100644 --- a/configure.ac +++ b/configure.ac @@ -22,8 +22,12 @@ AC_DEFINE_UNQUOTED(MODULES_EXT, "$shrext_cmds", [Extension of shared objects]) # Checks for libraries. AC_CHECK_LIB([dl], [dlopen]) AC_CHECK_LIB([wolfssl], [wc_Chacha_Process], - [add_cryptcab_support=yes], - [add_cryptcab_support=no ; warn_cryptcab=yes]) + [have_wolfssl=yes], + [have_wolfssl=no]) +AC_CHECK_LIB([mbedcrypto], [mbedtls_chacha20_starts], + [have_mbedtls=yes], + [have_mbedtls=no]) + AC_CHECK_LIB([pthread], [pthread_create], [enable_router=yes], [enable_router=no ; warn_router=yes]) @@ -43,7 +47,10 @@ AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stddef.h stdint.h \ AC_CHECK_HEADERS([syslimits.h sys/syslimits.h]) AC_CHECK_HEADERS([wolfssl/wolfcrypt/chacha.h], [], - [add_cryptcab_support=no ; warn_cryptcab=yes]) + [have_wolfssl=no]) + +AC_CHECK_HEADERS([mbedtls/chacha20.h], [], + [have_mbedtls=no]) AC_CHECK_HEADERS([sysexits.h], [add_over_ns_support=yes], 
@@ -128,7 +135,43 @@ AC_ARG_ENABLE([experimental], [Enable experimental features (async notifies, plugin support, packet counter)]), [if test $enableval = "yes"; then enable_experimental=yes; fi]) -# Disable vde_cryptcab? (depends on wolfssl, maybe unwanted) +# Select crypt implementation for cryptcab +AC_ARG_WITH([crypt], + AS_HELP_STRING([], + [Choose implementation for cryptcab - wolfssl, mbedtls]), + [crypt="$withval"], + [crypt='wolfssl']) + +case "$crypt" in + 'wolfssl') + if test $have_wolfssl = yes; then + add_cryptcab_support=yes + warn_cryptcab=no + else + add_cryptcab_support=no + warn_cryptcab=yes + fi + AC_DEFINE([USE_WOLFSSL], 1, [Define to 1 if you want to use the wolfssl crypt implementation.]) + SSL_LIB="-lwolfssl" + AC_SUBST(SSL_LIB) + ;; + 'mbedtls') + if test $have_mbedtls = yes; then + add_cryptcab_support=yes + warn_cryptcab=no + else + add_cryptcab_support=no + warn_cryptcab=yes + fi + AC_DEFINE([USE_WOLFSSL], 0, [Define to 1 if you want to use the wolfssl crypt implementation.]) + SSL_LIB="-lmbedcrypto" + AC_SUBST(SSL_LIB) + ;; + *) + AC_MSG_ERROR([Unsupported crypt option: $crypt. At the moment, only wolfssl and mbedlts are supported. Contributions are appreciated! :-)]) +esac + +# Disable vde_cryptcab? (depends on wolfssl/mbedtls, maybe unwanted) AC_ARG_ENABLE([cryptcab], AS_HELP_STRING([--disable-cryptcab], [Disable vde_cryptcab compilation]), 
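Review bot: The mbedtls branch defines `USE_WOLFSSL` to 0 while the C sources select the backend with `#if USE_WOLFSSL`, so any translation unit that sees cryptcab.h before config.h has the macro undefined, which the preprocessor evaluates as 0 and silently compiles the mbedtls path; the cryptcab.c and cryptcab.h hunks later in this patch carry the same include-order dependency. Defining a distinct macro in this branch, `AC_DEFINE([USE_MBEDTLS], 1, [Define to 1 to use the mbedtls crypt implementation.])`, and ending the header's chain with `#else` / `#error "no crypt backend selected"` turns a misconfiguration into a build failure instead of a silent backend switch. The help string's first argument reads as empty `[]` in this rendering, which may be an extraction artefact; if it really is empty, `./configure --help` will not show the option name, and `[--with-crypt=@<:@wolfssl|mbedtls@:>@]` is the usual form. The AC_MSG_ERROR text also misspells the backend as `mbedlts`, and the description attached to `AC_DEFINE([USE_WOLFSSL], 0, ...)` still says "Define to 1 if you want to use the wolfssl", which reads oddly next to a value of 0.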
@@ -282,12 +325,18 @@ fi AS_ECHO AS_ECHO if ! test x$add_cryptcab_support = "xyes" ; then - if test x$warn_cryptcab = "xyes" ; then + if test x$warn_cryptcab = "xyes" && test x$crypt = "xwolfssl"; then AC_MSG_WARN([VDE CryptCab support has been disabled because wolfSSL is not installed on your system, or because wolfssl/wolfcrypt/chacha.h could not be found. Please install libwolfssl if you want CryptCab to be compiled and installed.]) AS_ECHO fi + if test x$warn_cryptcab = "xyes" && test x$crypt = "xmbedtls"; then + AC_MSG_WARN([VDE CryptCab support has been disabled because MbedTLS is +not installed on your system, or because mbedtls/chacha20.h could not be found. +Please install mbedtls if you want CryptCab to be compiled and installed.]) + AS_ECHO + fi fi if ! test x$add_over_ns_support = "xyes" ; then diff --git a/src/vde_cryptcab/Makefile.am b/src/vde_cryptcab/Makefile.am index 9e13fae8..f4de771b 100644 --- a/src/vde_cryptcab/Makefile.am +++ b/src/vde_cryptcab/Makefile.am @@ -11,4 +11,4 @@ if ENABLE_PROFILE endif vde_cryptcab_SOURCES = crc32.c crc32.h cryptcab.h cryptcab.c vde_cryptcab_server.c vde_cryptcab_client.c -vde_cryptcab_LDADD = $(top_builddir)/src/common/libvdecommon.la -lwolfssl $(top_builddir)/src/lib/libvdeplug.la +vde_cryptcab_LDADD = $(top_builddir)/src/common/libvdecommon.la $(SSL_LIB) $(top_builddir)/src/lib/libvdeplug.la diff --git a/src/vde_cryptcab/cryptcab.c b/src/vde_cryptcab/cryptcab.c index f0c3a0dd..d1464858 100644 --- a/src/vde_cryptcab/cryptcab.c +++ b/src/vde_cryptcab/cryptcab.c @@ -21,7 +21,12 @@ static void Usage(char *programname) exit(1); } -ChaCha ctx; +#if USE_WOLFSSL +static ChaCha ctx; +#else +static mbedtls_chacha20_context ctx; +#include +#endif static int encryption_disabled = 0; static int nfd; static unsigned long long mycounter=1; 
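Review bot: In the `#else` branch of the cryptcab.c hunk the `#include` line is placed after `static mbedtls_chacha20_context ctx;`, the declaration that needs that type, so on its own this ordering would not compile; it only works because the cryptcab.h change in the same patch already pulls in the mbedtls header, which makes this include redundant. Drop it, or move it up with the other includes at the top of the file. The header name itself is not visible in this rendering of the hunk, so I cannot confirm which mbedtls header is meant. Making `ctx` `static` in both branches is the right direction, provided no other translation unit declares it `extern`.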
@@ -95,11 +100,24 @@ int data_encrypt_decrypt(unsigned char *src, unsigned char *dst, int len, unsign memcpy(dst,src,len); return len; } +#if USE_WOLFSSL wc_Chacha_SetKey(&ctx, key, CHACHA_MAX_KEY_SZ); wc_Chacha_SetIV(&ctx, iv, CHACHA_IV_BYTES); if (wc_Chacha_Process(&ctx, dst, src, len) == 0) return len; - return -1; +#else + mbedtls_chacha20_init(&ctx); + mbedtls_chacha20_setkey(&ctx, key); + mbedtls_chacha20_starts(&ctx, iv, 0); + + if (mbedtls_chacha20_update(&ctx, len, src, dst) == 0) { + mbedtls_chacha20_free(&ctx); + return len; + } + + mbedtls_chacha20_free(&ctx); +#endif + return -1; } diff --git a/src/vde_cryptcab/cryptcab.h b/src/vde_cryptcab/cryptcab.h index fe9f42b7..3bdbe1ff 100644 --- a/src/vde_cryptcab/cryptcab.h +++ b/src/vde_cryptcab/cryptcab.h @@ -42,7 +42,13 @@ #define PORTNO 7667 +#if USE_WOLFSSL #include +#else +#include +#define CHACHA_MAX_KEY_SZ 32 +#define CHACHA_IV_BYTES 12 +#endif #include #include #include From 8fe259a6ad01cfe80768f04af2e3486b60a08164 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 21 Oct 2024 12:38:54 +0200 Subject: [PATCH 2/4] Changed reference to gh actions runners --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0ce4dbec..cbd9a05d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,7 +8,7 @@ jobs: name: "Smoke test" strategy: matrix: - os: [ubuntu-20.04, macos-11] + os: [ubuntu-latest, macos-latest] runs-on: ${{ matrix.os }} timeout-minutes: 30 steps: From 13def521d0b96d0c10381bb4c134b0c6e4933bfd Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 21 Oct 2024 12:43:00 +0200 Subject: [PATCH 3/4] Run 'autoupdate' --- .github/workflows/ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cbd9a05d..3cc56914 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
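Review bot: The return values of `mbedtls_chacha20_setkey` and `mbedtls_chacha20_starts` are discarded in the new `#else` branch, so a rejected key or nonce still falls through to `mbedtls_chacha20_update` and the function reports success for output produced by a context that was never correctly keyed; the wolfssl branch has the same gap with `wc_Chacha_SetKey`/`wc_Chacha_SetIV`, though that part predates this commit. Folding the three calls into one checked chain also removes the duplicated `mbedtls_chacha20_free` call. `len` is an `int` (see the hunk header) being passed where `mbedtls_chacha20_update` takes a `size_t`; if the part of `data_encrypt_decrypt` above this hunk does not already reject negative lengths, an explicit `len < 0` guard and cast belong here. The function begins outside the hunk.
```c
#else
	mbedtls_chacha20_init(&ctx);
	if (mbedtls_chacha20_setkey(&ctx, key) != 0 ||
	    mbedtls_chacha20_starts(&ctx, iv, 0) != 0 ||
	    mbedtls_chacha20_update(&ctx, (size_t)len, src, dst) != 0) {
		mbedtls_chacha20_free(&ctx);
		return -1;
	}
	mbedtls_chacha20_free(&ctx);
	return len;
#endif
	/* … unchanged: trailing return -1 reached only by the wolfssl branch … */
```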
@@ -23,7 +23,9 @@ jobs: sudo apt-get install -y autoconf automake - name: "Install dependencies (macOS)" if: runner.os == 'macOS' - run: brew install autoconf automake + run: | + brew install autoconf automake + autoupdate - name: "Build" run: | autoreconf -fis From 547dfdd1ab08b2e36fafdd30d88a74ac35cca669 Mon Sep 17 00:00:00 2001 From: Daniele Lacamera Date: Mon, 21 Oct 2024 12:44:56 +0200 Subject: [PATCH 4/4] Added 'brew install libtool' --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3cc56914..26dd551c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -24,7 +24,7 @@ jobs: - name: "Install dependencies (macOS)" if: runner.os == 'macOS' run: | - brew install autoconf automake + brew install autoconf automake libtool autoupdate - name: "Build" run: |
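Review bot: Running `autoupdate` inside the macOS dependency step rewrites configure.ac in the checkout before `autoreconf -fis` runs, so the macOS leg builds from a modified configure.ac while the Linux leg builds the committed one, and whatever obsolete macros prompted this are hidden rather than fixed. Run `autoupdate` once locally, commit the resulting configure.ac, and keep this step to `brew install autoconf automake`. If the step must stay, a `git diff --exit-code configure.ac` right after it would at least make the rewrite visible in the job log.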