Use wolfssl for ssl dependent features

README.md

@@ -950,5 +950,4 @@ To successfully build libbbfdm or libbbf_ubus, the following libraries are neede
 | libjson-c   | https://s3.amazonaws.com/json-c_releases    | MIT            |
 | libcurl     | https://dl.uxnr.de/mirror/curl              | MIT            |
 | libtrace    | https://github.com/apietila/libtrace.git    | GPLv2          |
-| libbbf_api  | https://dev.iopsys.eu/iopsys/bbf.git        | LGPL 2.1       |
+| libwolfssl  | https://github.com/wolfSSL/wolfssl          | GPL-2.0        |
-

bin/Makefile.am

@@ -167,7 +167,7 @@ libbbfdm_la_LDFLAGS = 		\
 	$(LIBUCI_LDFLAGS)		\
 	$(LIBUBOX_LDFLAGS)		\
 	$(LIBUBUS_LDFLAGS)		\
-	$(LIBOPENSSL_LIBS)		\
+	$(LIBSSL_LIBS)		\
 	$(LIBMBETLS_LIBS)			
 
 libbbfdm_la_LIBADD =		\
@@ -180,7 +180,7 @@ libbbfdm_la_LIBADD =		\
 	$(LBLOBMSG_LIBS) 		\
 	$(LIBDLOPEN_LIBS) 		\
 	$(LIBCURL_LIBS)			\
-	$(LIBOPENSSL_LIBS)		\
+	$(LIBSSL_LIBS)		\
 	$(LIBCRYPTO_LIBS)		\
 	-lbbf_api
 

configure.ac

@@ -14,8 +14,8 @@ AM_CONDITIONAL([BBF_TR104],[test "x$enable_tr104" = "xyes"])
 AC_ARG_ENABLE(tr143, [AS_HELP_STRING([--enable-tr143], [enable tr143 diagnostics feature])], AC_DEFINE(BBF_TR143),)
 AM_CONDITIONAL([BBF_TR143],[test "x$enable_tr143" = "xyes"])
 
-AC_ARG_ENABLE(libopenssl, [AS_HELP_STRING([--enable-libopenssl], [enable libopenssl feature])], AC_DEFINE(LOPENSSL),)
+AC_ARG_ENABLE(libssl, [AS_HELP_STRING([--enable-libssl], [enable libssl feature])], AC_DEFINE(LSSL),)
-AM_CONDITIONAL([LOPENSSL],[test "x$enable_libopenssl" = "xyes"])
+AM_CONDITIONAL([LSSL],[test "x$enable_libssl" = "xyes"])
 
 AC_ARG_ENABLE(vendor_extension, [AS_HELP_STRING([--enable-vendor-extension], [enable vendor extension])], AC_DEFINE(BBF_VENDOR_EXTENSION),)
 AM_CONDITIONAL([BBF_VENDOR_EXTENSION],[test "x$enable_vendor_extension" = "xyes"])
@@ -108,9 +108,9 @@ AC_SUBST([LIBCURL_LIBS])
 LIBCRYPTO_LIBS='-lcrypto'
 AC_SUBST([LIBCRYPTO_LIBS])
 
-AM_COND_IF([LOPENSSL], [
+AM_COND_IF([LSSL], [
-	LIBOPENSSL_LIBS='-lssl'
+	LIBSSL_LIBS='-lwolfssl'
-	AC_SUBST([LIBOPENSSL_LIBS])
+	AC_SUBST([LIBSSL_LIBS])
 ])
 
 # checks for header files

dmdiagnostics.c

@@ -9,7 +9,8 @@
  *
  */
 
-#include <openssl/sha.h>
+#include <wolfssl/options.h>
+#include <wolfssl/openssl/sha.h>
 #include <curl/curl.h>
 #include <libtrace.h>
 #include "dmentry.h"
@@ -237,12 +238,13 @@ end:
 
 const bool validate_sha224sum_value(const char *file_path, const char *checksum)
 {
+#ifdef WOLFSSL_SHA224
 	unsigned char hash[SHA224_DIGEST_LENGTH];
 	unsigned char buffer[READ_BUF_SIZE];
 	char sha224_res[1 + SHA224_DIGEST_LENGTH * 2];
 	bool res = false;
 	int bytes = 0;
-	SHA256_CTX ctx;
+	SHA224_CTX ctx;
 
 	FILE *file = fopen(file_path, "rb");
 	if (!file)
@@ -269,6 +271,9 @@ end:
 	fclose(file);
 
 	return res;
+#else
+	return false;
+#endif
 }
 
 const bool validate_sha256sum_value(const char *file_path, const char *checksum)
@@ -309,12 +314,13 @@ end:
 
 const bool validate_sha384sum_value(const char *file_path, const char *checksum)
 {
+#ifdef WOLFSSL_SHA384
 	unsigned char hash[SHA384_DIGEST_LENGTH];
 	unsigned char buffer[READ_BUF_SIZE];
 	char sha384_res[1 + SHA384_DIGEST_LENGTH * 2];
 	bool res = false;
 	int bytes = 0;
-	SHA512_CTX ctx;
+	SHA384_CTX ctx;
 
 	FILE *file = fopen(file_path, "rb");
 	if (!file)
@@ -341,10 +347,14 @@ end:
 	fclose(file);
 
 	return res;
+#else
+	return false;
+#endif
 }
 
 const bool validate_sha512sum_value(const char *file_path, const char *checksum)
 {
+#ifdef WOLFSSL_SHA512
 	unsigned char hash[SHA512_DIGEST_LENGTH];
 	unsigned char buffer[READ_BUF_SIZE];
 	char sha512_res[1 + SHA512_DIGEST_LENGTH * 2];
@@ -377,6 +387,9 @@ end:
 	fclose(file);
 
 	return res;
+#else
+	return false;
+#endif
 }
 
 const bool validate_checksum_value(const char *file_path, const char *checksum_algorithm, const char *checksum)

dmtree/tr181/device.c

@@ -115,9 +115,9 @@ DMOBJ tDeviceObj[] = {
 {"DynamicDNS", &DMREAD, NULL, NULL, "file:/etc/config/ddns", NULL, NULL, NULL, tDynamicDNSObj, tDynamicDNSParams, NULL, BBFDM_BOTH, NULL, "2.10"},
 {"QoS", &DMREAD, NULL, NULL, "file:/etc/config/qos", NULL, NULL, NULL, tQoSObj, tQoSParams, NULL, BBFDM_BOTH, NULL, "2.0"},
 {"LANConfigSecurity", &DMREAD, NULL, NULL, "file:/etc/config/users", NULL, NULL, NULL, NULL, tLANConfigSecurityParams, NULL, BBFDM_BOTH, NULL, "2.0"},
-#ifdef LOPENSSL
+#ifdef LSSL
 {"Security", &DMREAD, NULL, NULL, NULL, NULL, NULL, NULL, tSecurityObj, tSecurityParams, NULL, BBFDM_BOTH, NULL, "2.4"},
-#endif /* LOPENSSL */
+#endif /* LSSL */
 {"RouterAdvertisement", &DMREAD, NULL, NULL, "file:/etc/config/dhcp", NULL, NULL, NULL, tRouterAdvertisementObj, tRouterAdvertisementParams, NULL, BBFDM_BOTH, NULL, "2.2"},
 #ifdef BBF_TR104
 {"Services", &DMREAD, NULL, NULL, NULL, NULL, NULL, NULL, tServicesObj, NULL, NULL, BBFDM_BOTH, NULL, "2.0"},

dmtree/tr181/security.c

@@ -13,7 +13,11 @@
 #define DATE_LEN 128
 #define MAX_CERT 32
 
-#ifdef LOPENSSL
+#ifdef LSSL
+#include <wolfssl/openssl/x509.h>
+#include <wolfssl/openssl/pem.h>
+#include <wolfssl/openssl/evp.h>
+
 static char certifcates_paths[MAX_CERT][256];
 
 struct certificate_profile {
@@ -41,56 +45,21 @@ static char *get_certificate_sig_alg(int sig_nid)
 {
 	switch(sig_nid) {
 	case NID_sha256WithRSAEncryption:
-		return LN_sha256WithRSAEncryption;
+		return "sha256WithRSAEncryption";
 	case NID_sha384WithRSAEncryption:
-		return LN_sha384WithRSAEncryption;
+		return "sha384WithRSAEncryption";
 	case NID_sha512WithRSAEncryption:
-		return LN_sha512WithRSAEncryption;
+		return "sha512WithRSAEncryption";
 	case NID_sha224WithRSAEncryption:
-		return LN_sha224WithRSAEncryption;
+		return "sha224WithRSAEncryption";
-	case NID_sha512_224WithRSAEncryption:
-		return LN_sha512_224WithRSAEncryption;
-	case NID_sha512_256WithRSAEncryption:
-		return LN_sha512_224WithRSAEncryption;
-	case NID_pbeWithMD2AndDES_CBC:
-		return LN_pbeWithMD2AndDES_CBC;
-	case NID_pbeWithMD5AndDES_CBC:
-		return LN_pbeWithMD5AndDES_CBC;
-	case NID_pbeWithMD2AndRC2_CBC:
-		return LN_pbeWithMD5AndDES_CBC;
-	case NID_pbeWithMD5AndRC2_CBC:
-		return LN_pbeWithMD5AndRC2_CBC;
-	case NID_pbeWithSHA1AndDES_CBC:
-		return LN_pbeWithSHA1AndDES_CBC;
-	case NID_pbeWithSHA1AndRC2_CBC:
-		return LN_pbeWithSHA1AndDES_CBC;
-	case NID_pbe_WithSHA1And128BitRC4:
-		return LN_pbe_WithSHA1And128BitRC4;
-	case NID_pbe_WithSHA1And40BitRC4:
-		return LN_pbe_WithSHA1And40BitRC4;
-	case NID_pbe_WithSHA1And3_Key_TripleDES_CBC:
-		return LN_pbe_WithSHA1And3_Key_TripleDES_CBC;
-	case NID_pbe_WithSHA1And2_Key_TripleDES_CBC:
-		return LN_pbe_WithSHA1And2_Key_TripleDES_CBC;
-	case NID_pbe_WithSHA1And128BitRC2_CBC:
-		return LN_pbe_WithSHA1And128BitRC2_CBC;
-	case NID_pbe_WithSHA1And40BitRC2_CBC:
-		return LN_pbe_WithSHA1And40BitRC2_CBC;
-	case NID_sm3WithRSAEncryption:
-		return LN_sm3WithRSAEncryption;
-	case NID_shaWithRSAEncryption:
-		return LN_shaWithRSAEncryption;
-	case NID_md2WithRSAEncryption:
-		return LN_md2WithRSAEncryption;
-	case NID_md4WithRSAEncryption:
-		return LN_md4WithRSAEncryption;
 	case NID_md5WithRSAEncryption:
-		return LN_md5WithRSAEncryption;
+		return "md5WithRSAEncryption";
 	case NID_sha1WithRSAEncryption:
-		return LN_sha1WithRSAEncryption;
+		return "sha1WithRSAEncryption";
 	default:
 		return "";
 	}
+	return "";
 }
 
 static char *generate_serial_number(char *text, int length)
@@ -245,13 +214,10 @@ static int get_SecurityCertificate_Issuer(char *refparam, struct dmctx *ctx, voi
 
 static int get_SecurityCertificate_NotBefore(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	*value = "0001-01-01T00:00:00Z";
-	struct tm not_before_time;
 	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
 	char not_before_str[DATE_LEN];
 	const ASN1_TIME *not_before = X509_get0_notBefore(cert_profile->openssl_cert);
-	ASN1_TIME_to_tm(not_before, &not_before_time);
+	ASN1_TIME_to_string((ASN1_TIME *)not_before, not_before_str, DATE_LEN);
-	strftime(not_before_str, sizeof(not_before_str), "%Y-%m-%dT%H:%M:%SZ", &not_before_time);
 	*value = dmstrdup(not_before_str);
 	return 0;
 }
@@ -259,12 +225,10 @@ static int get_SecurityCertificate_NotBefore(char *refparam, struct dmctx *ctx,
 static int get_SecurityCertificate_NotAfter(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
 	*value = "0001-01-01T00:00:00Z";
-	struct tm not_after_time;
 	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
 	char not_after_str[DATE_LEN];
 	const ASN1_TIME *not_after = X509_get0_notAfter(cert_profile->openssl_cert);
-	ASN1_TIME_to_tm(not_after, &not_after_time);
+	ASN1_TIME_to_string((ASN1_TIME *)not_after, not_after_str, DATE_LEN);
-	strftime(not_after_str, sizeof(not_after_str), "%Y-%m-%dT%H:%M:%SZ", &not_after_time);
 	*value = dmstrdup(not_after_str);
 	return 0;
 }
@@ -321,4 +285,4 @@ DMLEAF tSecurityCertificateParams[] = {
 {0}
 };
 
-#endif /* LOPENSSL */
+#endif /* LSSL */

dmtree/tr181/security.h

@@ -11,17 +11,13 @@
 #ifndef __SECURITY_H
 #define __SECURITY_H
 
-#ifdef LOPENSSL
+#ifdef LSSL
 #include <libbbf_api/dmcommon.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/pem.h>
-#include <openssl/obj_mac.h>
 
 extern DMOBJ tSecurityObj[];
 extern DMLEAF tSecurityParams[];
 extern DMLEAF tSecurityCertificateParams[];
-#endif /* LOPENSSL */
+#endif /* LSSL */
 
 #endif //__SECURITY_H
 

gitlab-ci/shared.sh

@@ -38,6 +38,23 @@ function exec_cmd_verbose()
 
 function install_libbbf()
 {
+	CUR="${PWD}"
+
+	echo "Installing wolfssl-4.8.1"
+	cd /opt/dev/
+	rm -rf wolfssl*
+
+	wget -q https://github.com/wolfSSL/wolfssl/archive/refs/tags/v4.8.1-stable.tar.gz -O wolfssl.tgz
+	tar xf wolfssl.tgz
+
+	cd wolfssl-4.8.1-stable
+	autoreconf -i -f
+	exec_cmd ./configure --program-prefix="" --program-suffix="" --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-nls  --enable-reproducible-build --enable-lighty --enable-opensslall --enable-opensslextra --enable-sni --enable-stunnel --disable-crypttests --disable-examples --disable-jobserver --enable-ipv6 --enable-aesccm --enable-certgen --enable-chacha --enable-poly1305 --enable-dh --enable-arc4 --enable-tlsv10 --enable-tls13 --enable-session-ticket --disable-dtls --disable-curve25519 --disable-afalg --enable-devcrypto=no --enable-ocsp --enable-ocspstapling --enable-ocspstapling2 --enable-wpas --enable-fortress --enable-fastmath
+
+	exec_cmd make
+	exec_cmd make install
+
+	cd ${CUR}
 	COV_CFLAGS='-fprofile-arcs -ftest-coverage'
 	COV_LDFLAGS='--coverage'
 	VENDOR_LIST='iopsys'
@@ -53,8 +70,8 @@ function install_libbbf()
 	fi
 
 	exec_cmd autoreconf -i
-	exec_cmd ./configure --enable-tr181 --enable-tr104 --enable-tr143 --enable-libopenssl --enable-json-plugin --enable-shared-library --enable-vendor-extension BBF_VENDOR_LIST="$VENDOR_LIST" BBF_VENDOR_PREFIX="$VENDOR_PREFIX"
+	exec_cmd ./configure --enable-tr181 --enable-tr104 --enable-tr143 --enable-libssl --enable-json-plugin --enable-shared-library --enable-vendor-extension BBF_VENDOR_LIST="$VENDOR_LIST" BBF_VENDOR_PREFIX="$VENDOR_PREFIX"
-	make CFLAGS="-D_GNU_SOURCE -Wall -Werror" CFLAGS+="$COV_CFLAGS" LDFLAGS="$COV_LDFLAGS" >/dev/null 2>&1
+	make CFLAGS="-D_GNU_SOURCE -Wall -Werror -DWC_NO_HARDEN" CFLAGS+="$COV_CFLAGS" LDFLAGS="$COV_LDFLAGS" >/dev/null 2>&1
 
 	echo "installing libbbf"
 	exec_cmd make install
@@ -96,7 +113,7 @@ function install_libbulkdata()
 	exec_cmd git clone -b devel https://dev.iopsys.eu/iopsys/bulkdata.git /opt/dev/bulkdata
 	echo "Compiling libbulkdata"
 	make clean -C /opt/dev/bulkdata/
-	make CFLAGS="-D_GNU_SOURCE" -C /opt/dev/bulkdata/
+	make CFLAGS="-D_GNU_SOURCE -DWC_NO_HARDEN" -C /opt/dev/bulkdata/
 
 	echo "installing libbulkdata"
 	cp -f /opt/dev/bulkdata/libbulkdata.so /usr/lib/bbfdm

libbbf_ubus/Makefile.am

@@ -28,10 +28,7 @@ libbbf_ubus_la_LIBADD =		\
 	$(LIBJSON_LIBS)			\
 	$(LIBTRACE_LIBS)		\
 	$(LBLOBMSG_LIBS) 		\
-	$(LIBDLOPEN_LIBS)		\
 	$(LIBCURL_LIBS)			\
-	$(LIBOPENSSL_LIBS)		\
-	$(LIBCRYPTO_LIBS)		\
 	-L../bin/ -lbbf_api
 
 libbbf_ubus_la_CFLAGS+=-I../