
[01/16] Kbuild: Add wolfSSL as SSL implementation

Message ID 20200916135825.40367-2-bage@linutronix.de
State Accepted
Series wolfssl SSL impl, PKCS#11 AES, AES key len | expand

Commit Message

Bastian Germann Sept. 16, 2020, 1:58 p.m. UTC
From: Bastian Germann <bage@linutronix.de>

wolfSSL has an OpenSSL compatibility layer which lacks CMS support
as of version 4.5.0.  All other code can be built with wolfSSL.
Add it as a new SSL implementation.

Signed-off-by: Bastian Germann <bage@linutronix.de>
Reviewed-by: Torben Hohn <torben.hohn@linutronix.de>
---
 Kconfig             | 24 ++++++++++++++++--------
 Makefile.deps       |  4 ++++
 Makefile.flags      |  5 +++++
 corelib/Makefile    |  5 ++++-
 include/sslapi.h    |  2 +-
 mongoose/Config.in  |  4 ++--
 mongoose/Makefile   |  2 +-
 suricatta/Config.in |  4 ++--
 8 files changed, 35 insertions(+), 15 deletions(-)

Patch

diff --git a/Kconfig b/Kconfig
index 444eb1f..2d2cca6 100644
--- a/Kconfig
+++ b/Kconfig
@@ -77,6 +77,10 @@  config HAVE_LIBCRYPTO
 	bool
 	option env="HAVE_LIBCRYPTO"
 
+config HAVE_WOLFSSL
+	bool
+	option env="HAVE_WOLFSSL"
+
 config HAVE_MBEDTLS
 	bool
 	option env="HAVE_MBEDTLS"
@@ -347,6 +351,10 @@  choice
 		bool "OpenSSL"
 		depends on HAVE_LIBSSL
 
+	config SSL_IMPL_WOLFSSL
+		bool "wolfSSL (with OpenSSL compatibility layer)"
+		depends on HAVE_WOLFSSL
+
 	config SSL_IMPL_MBEDTLS
 		bool "mbedTLS"
 		depends on HAVE_MBEDTLS
@@ -369,7 +377,7 @@  config DOWNLOAD_SSL
 	bool "Enable SSL support for image downloading"
 	default n
 	depends on DOWNLOAD
-	depends on SSL_IMPL_OPENSSL || SSL_IMPL_MBEDTLS
+	depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL || SSL_IMPL_MBEDTLS
 	select CHANNEL_CURL_SSL
 	help
 	  Enable SSL and checksum verification support in channels
@@ -383,18 +391,18 @@  config CHANNEL_CURL
 config CHANNEL_CURL_SSL
 	bool
 	depends on CHANNEL_CURL
-	depends on SSL_IMPL_OPENSSL || SSL_IMPL_MBEDTLS
+	depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL || SSL_IMPL_MBEDTLS
 	select CURL_SSL
 
 config HASH_VERIFY
 	bool "Allow to add sha256 hash to each image"
-	depends on SSL_IMPL_OPENSSL || SSL_IMPL_MBEDTLS
+	depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL || SSL_IMPL_MBEDTLS
 	help
 	  Allow to add a sha256 hash to an artifact.
 	  This is automatically set in case of Signed Image
 
 comment "Hash checking needs an SSL implementation"
-	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_MBEDTLS
+	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_WOLFSSL && !SSL_IMPL_MBEDTLS
 
 config DISABLE_CPIO_CRC
 	bool "Disable cpio CRC verify if SHA 256 is enabled"
@@ -410,10 +418,10 @@  config DISABLE_CPIO_CRC
 
 config SIGNED_IMAGES
 	bool "Enable verification of signed images"
-	depends on SSL_IMPL_OPENSSL || SSL_IMPL_MBEDTLS
+	depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL || SSL_IMPL_MBEDTLS
 	select HASH_VERIFY
 comment "Image signature verification needs an SSL implementation"
-	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_MBEDTLS
+	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_WOLFSSL && !SSL_IMPL_MBEDTLS
 
 choice
 	prompt "Signature verification algorithm"
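Review bot: SIGNED_IMAGES becomes selectable with SSL_IMPL_WOLFSSL here, but the corelib/Makefile hunk of this patch builds swupdate_cms_verify.o only for OpenSSL, so a wolfSSL configuration that selects SIGALG_CMS would carry no CMS verifier. The entries of the "Signature verification algorithm" choice start after this hunk, so it is not visible whether SIGALG_CMS is already restricted. If it is not, add `depends on SSL_IMPL_OPENSSL` to it so the option cannot be picked together with wolfSSL. A short `help` text on SSL_IMPL_WOLFSSL saying that CMS signatures are unavailable would also tell integrators this at configuration time.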
@@ -450,9 +458,9 @@  endmenu
 
 config ENCRYPTED_IMAGES
 	bool "Images can be encrypted with a symmetric key"
-	depends on SSL_IMPL_OPENSSL || SSL_IMPL_MBEDTLS
+	depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL || SSL_IMPL_MBEDTLS
 comment "Image encryption needs an SSL implementation"
-	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_MBEDTLS
+	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_WOLFSSL && !SSL_IMPL_MBEDTLS
 
 source suricatta/Config.in
 
diff --git a/Makefile.deps b/Makefile.deps
index b90ca0d..0949628 100644
--- a/Makefile.deps
+++ b/Makefile.deps
@@ -62,6 +62,10 @@  ifeq ($(HAVE_LIBCRYPTO),)
 export HAVE_LIBCRYPTO = y
 endif
 
+ifeq ($(HAVE_WOLFSSL),)
+export HAVE_WOLFSSL = y
+endif
+
 ifeq ($(HAVE_MBEDTLS),)
 export HAVE_MBEDTLS = y
 endif
diff --git a/Makefile.flags b/Makefile.flags
index dfd7531..a5d3b0e 100644
--- a/Makefile.flags
+++ b/Makefile.flags
@@ -149,6 +149,11 @@  ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
 LDLIBS += crypto ssl
 endif
 
+ifeq ($(CONFIG_SSL_IMPL_WOLFSSL),y)
+KBUILD_CPPFLAGS += -I/usr/include/wolfssl
+LDLIBS += wolfssl
+endif
+
 ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
 LDLIBS += mbedcrypto mbedtls mbedx509
 endif
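Review bot: The absolute `-I/usr/include/wolfssl` points at the build host's headers, so a cross build with a sysroot can pick up host wolfSSL headers whose build options differ from the target library that `LDLIBS += wolfssl` links. A sysroot-relative form such as `KBUILD_CPPFLAGS += -I=/usr/include/wolfssl` (GCC resolves the `=` prefix against `--sysroot`) or a path the user can override would avoid that. A comment such as `# wolfSSL installs its OpenSSL-compatible headers under wolfssl/openssl/` would also explain why the extra include directory is needed.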
diff --git a/corelib/Makefile b/corelib/Makefile
index f4dca4c..8a9fea0 100644
--- a/corelib/Makefile
+++ b/corelib/Makefile
@@ -5,11 +5,14 @@ 
 lib-$(CONFIG_DOWNLOAD)		+= downloader.o
 lib-$(CONFIG_MTD)		+= mtd-interface.o
 lib-$(CONFIG_LUA)		+= lua_interface.o lua_compat.o
-ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
+ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)
 lib-$(CONFIG_HASH_VERIFY)	+= verify_signature.o
 lib-$(CONFIG_ENCRYPTED_IMAGES)	+= swupdate_decrypt.o
 lib-$(CONFIG_SIGALG_RAWRSA)	+= swupdate_rsa_verify.o
 lib-$(CONFIG_SIGALG_RSAPSS)	+= swupdate_rsa_verify.o
+endif
+ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
+# wolfSSL does not support CMS in the compatibility layer yet
 lib-$(CONFIG_SIGALG_CMS)	+= swupdate_cms_verify.o
 endif
 ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
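Review bot: `ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)` is true only when exactly one of the two symbols is `y`; it works because both are entries of the same Kconfig choice, but the condition itself does not say so. `ifneq ($(filter y,$(CONFIG_SSL_IMPL_OPENSSL) $(CONFIG_SSL_IMPL_WOLFSSL)),)` states the either-of intent directly; alternatively keep the concatenation and add `# OPENSSL and WOLFSSL are mutually exclusive choice entries`. The same idiom appears in the mongoose/Makefile hunk. The trailing `ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)` block continues outside this hunk.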
diff --git a/include/sslapi.h b/include/sslapi.h
index 12591a3..5336920 100644
--- a/include/sslapi.h
+++ b/include/sslapi.h
@@ -18,7 +18,7 @@ 
  */
 #if defined(CONFIG_HASH_VERIFY) || defined(CONFIG_ENCRYPTED_IMAGES) || \
 	defined(CONFIG_CHANNEL_CURL_SSL)
-#if defined(CONFIG_SSL_IMPL_OPENSSL)
+#if defined(CONFIG_SSL_IMPL_OPENSSL) || defined(CONFIG_SSL_IMPL_WOLFSSL)
 #include <openssl/bio.h>
 #include <openssl/objects.h>
 #include <openssl/err.h>
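Review bot: The wolfSSL build now takes the `<openssl/...>` includes unchanged, and these reach the compatibility headers only through the `-I/usr/include/wolfssl` added in Makefile.flags. If that directory is absent or a real OpenSSL install is found first, OpenSSL's own headers may be compiled against libwolfssl with no obvious error. wolfSSL also expects `<wolfssl/options.h>` to be included before its other headers so the application sees the options the library was built with. Unless that is handled elsewhere, add `#ifdef CONFIG_SSL_IMPL_WOLFSSL`, `#include <wolfssl/options.h>`, `#endif` ahead of the first `<openssl/...>` include. The include list and the closing `#endif` lines continue outside this hunk.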
diff --git a/mongoose/Config.in b/mongoose/Config.in
index e315eb2..e0944fd 100644
--- a/mongoose/Config.in
+++ b/mongoose/Config.in
@@ -28,11 +28,11 @@  config MONGOOSEIPV6
 config MONGOOSESSL
 	bool "SSL support"
 	depends on MONGOOSE
-	depends on SSL_IMPL_OPENSSL || SSL_IMPL_MBEDTLS
+	depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL || SSL_IMPL_MBEDTLS
 	help
 	   It enables SSL support into mongoose
 
 comment "SSL support needs an SSL implementation"
-	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_MBEDTLS
+	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_WOLFSSL && !SSL_IMPL_MBEDTLS
 
 endif
diff --git a/mongoose/Makefile b/mongoose/Makefile
index 59bf508..851a476 100644
--- a/mongoose/Makefile
+++ b/mongoose/Makefile
@@ -7,7 +7,7 @@  KBUILD_CFLAGS += -DMG_ENABLE_IPV6=1
 endif
 ifneq ($(CONFIG_MONGOOSESSL),)
 KBUILD_CFLAGS += -DMG_ENABLE_SSL=1
-ifeq ($(CONFIG_SSL_IMPL_OPENSSL),y)
+ifeq ($(CONFIG_SSL_IMPL_OPENSSL)$(CONFIG_SSL_IMPL_WOLFSSL),y)
 KBUILD_CFLAGS += -DMG_SSL_IF=MG_SSL_IF_OPENSSL
 endif
 ifeq ($(CONFIG_SSL_IMPL_MBEDTLS),y)
diff --git a/suricatta/Config.in b/suricatta/Config.in
index 8ae27e2..1e340ec 100644
--- a/suricatta/Config.in
+++ b/suricatta/Config.in
@@ -21,13 +21,13 @@  menu "Features"
 config SURICATTA_SSL
 	bool "SSL support"
 	default n
-	depends on SSL_IMPL_OPENSSL || SSL_IMPL_MBEDTLS
+	depends on SSL_IMPL_OPENSSL || SSL_IMPL_WOLFSSL || SSL_IMPL_MBEDTLS
 	select CHANNEL_CURL_SSL
 	help
 	  Enable SSL and checksum verification support in suricatta.
 
 comment "SSL support needs an SSL implementation"
-	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_MBEDTLS
+	depends on !SSL_IMPL_OPENSSL && !SSL_IMPL_WOLFSSL && !SSL_IMPL_MBEDTLS
 
 
 endmenu