Topic: Wolfssl with Wireguard

Hi Wolfssl Devs,

How can I use libwolfssl.ko with Wireguard Kernel module ?

Do I need to compile my own Wireguard kernel module against the Wolfssl headers that are generated when I configure Wolfssl package ?

Can Wireguard directly use or consume the libwolfssl.ko that I have already built using config "./configure --enable-linuxkm --with-linux-source=/usr/src/kernels/$(uname -r)", or does Wireguard itself have to be rebuilt against my libwolfssl.ko and/or the libwolfssl headers?

What configure options are needed for Wolfssl for Wireguard to be able to use libwolfssl.ko for its crypto functions ?


Thanks in advance !


Re: Wolfssl with Wireguard

Our current technique for getting Wireguard to consume the crypto implementations in libwolfssl.ko is a patched Wireguard kernel module.

Recipe:

Clone the fork at https://github.com/douzzer/wolf-wireguard-kernel  -- you'll need the branch named "wolfcryptified", which is the default branch for this fork.

Build libwolfssl.ko using

./configure --enable-linuxkm --enable-xchacha --enable-poly1305 --enable-curve25519

at a bare minimum.  You can just use --enable-all-crypto to ensure you get everything you could possibly need crypto-wise, and it's wise to use --enable-cryptonly to leave the TLS/DTLS layer out of the module (it's irrelevant to Wireguard, obviously).

Then at the top of the patched Wireguard source tree:

make WOLFCRYPT=1 KERNELRELEASE="the-kernel-release" KERNELDIR="the-kernel-source-tree-top" WOLFSSL_ROOT="the-wolfssl-top"

The kernel release is something like "6.12.3-gentoo" or, if you're testing on the ragged edge, "6.13-rc1".

We test this nightly, on the latest release and mainline kernels, and have for several years, so it should just work for you.

Note that if you are currently building the in-tree Wireguard module statically linked into your kernel ('Y' in .config) rather than as a dynamically loaded module ('M'), then you'll need to rebuild the kernel with in-tree Wireguard either 'M' or 'N' to avoid a conflict between the out-of-tree and in-tree implementation.


Re: Wolfssl with Wireguard

Hi douzzer

Thank you very much for your prompt reply, greatly appreciate your help.

My follow-on question is how would I go about making a FIPS capable Wireguard + Wolfssl build ?

Do you also have a recipe for a FIPS WolfSSL + Wireguard ?

Thanks in advance for all the help !

Regards.

Alem


Re: Wolfssl with Wireguard

Hi douzzer

I used the recipe above to build wolfssl and Wireguard and am getting the following errors; any suggestion on how to get past these compile errors?

I have posted the wolfssl configure summary at the end of the message below for your reference.

Thanks

----
# make WOLFCRYPT=1 KERNELRELEASE=$(uname -r) KERNELDIR=/usr/src/kernels/$(uname -r) WOLFSSL_ROOT=/root/wolfssl_plus_wireguard/wolfssl
  CC [M]  /root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/main.o
In file included from ./include/linux/string.h:254,
                 from ./include/linux/bitmap.h:11,
                 from ./include/linux/cpumask.h:12,
                 from ./arch/x86/include/asm/cpumask.h:5,
                 from ./arch/x86/include/asm/msr.h:11,
                 from ./arch/x86/include/asm/processor.h:23,
                 from ./arch/x86/include/asm/cpufeature.h:5,
                 from ./arch/x86/include/asm/thread_info.h:53,
                 from ./include/linux/thread_info.h:60,
                 from ./arch/x86/include/asm/preempt.h:9,
                 from ./include/linux/preempt.h:79,
                 from ./include/linux/spinlock.h:56,
                 from ./include/linux/mmzone.h:8,
                 from ./include/linux/gfp.h:7,
                 from ./include/linux/slab.h:16,
                 from /root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/wolfcrypto_shim.h:24,
                 from <command-line>:
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h: In function ‘wg_reset_packet’:
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:89:41: error: ‘struct sk_buff’ has no member named ‘headers_end’; did you mean ‘headers’?
   89 |                offsetof(struct sk_buff, headers_end) -
      |                                         ^~~~~~~~~~~
./include/linux/fortify-string.h:325:42: note: in definition of macro ‘__fortify_memset_chk’
  325 |         size_t __fortify_size = (size_t)(size);                         \
      |                                          ^~~~
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:88:9: note: in expansion of macro ‘memset’
   88 |         memset(&skb->headers_start, 0,
      |         ^~~~~~
./include/linux/stddef.h:17:33: note: in expansion of macro ‘__compiler_offsetof’
   17 | #define offsetof(TYPE, MEMBER)  __compiler_offsetof(TYPE, MEMBER)
      |                                 ^~~~~~~~~~~~~~~~~~~
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:89:16: note: in expansion of macro ‘offsetof’
   89 |                offsetof(struct sk_buff, headers_end) -
      |                ^~~~~~~~
././include/linux/compiler_types.h:146:41: error: ‘struct sk_buff’ has no member named ‘headers_start’
  146 | #define __compiler_offsetof(a, b)       __builtin_offsetof(a, b)
      |                                         ^~~~~~~~~~~~~~~~~~
./include/linux/fortify-string.h:325:42: note: in definition of macro ‘__fortify_memset_chk’
  325 |         size_t __fortify_size = (size_t)(size);                         \
      |                                          ^~~~
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:88:9: note: in expansion of macro ‘memset’
   88 |         memset(&skb->headers_start, 0,
      |         ^~~~~~
./include/linux/stddef.h:17:33: note: in expansion of macro ‘__compiler_offsetof’
   17 | #define offsetof(TYPE, MEMBER)  __compiler_offsetof(TYPE, MEMBER)
      |                                 ^~~~~~~~~~~~~~~~~~~
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:90:24: note: in expansion of macro ‘offsetof’
   90 |                        offsetof(struct sk_buff, headers_start));
      |                        ^~~~~~~~
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:88:20: error: ‘struct sk_buff’ has no member named ‘headers_start’
   88 |         memset(&skb->headers_start, 0,
      |                    ^~
./include/linux/fortify-string.h:326:44: note: in definition of macro ‘__fortify_memset_chk’
  326 |         fortify_memset_chk(__fortify_size, p_size, p_size_field),       \
      |                                            ^~~~~~
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:88:9: note: in expansion of macro ‘memset’
   88 |         memset(&skb->headers_start, 0,
      |         ^~~~~~
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:88:20: error: ‘struct sk_buff’ has no member named ‘headers_start’
   88 |         memset(&skb->headers_start, 0,
      |                    ^~
./include/linux/fortify-string.h:326:52: note: in definition of macro ‘__fortify_memset_chk’
  326 |         fortify_memset_chk(__fortify_size, p_size, p_size_field),       \
      |                                                    ^~~~~~~~~~~~
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:88:9: note: in expansion of macro ‘memset’
   88 |         memset(&skb->headers_start, 0,
      |         ^~~~~~
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:88:20: error: ‘struct sk_buff’ has no member named ‘headers_start’
   88 |         memset(&skb->headers_start, 0,
      |                    ^~
./include/linux/fortify-string.h:327:29: note: in definition of macro ‘__fortify_memset_chk’
  327 |         __underlying_memset(p, c, __fortify_size);                      \
      |                             ^
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:88:9: note: in expansion of macro ‘memset’
   88 |         memset(&skb->headers_start, 0,
      |         ^~~~~~
./include/linux/fortify-string.h:326:65: warning: left-hand operand of comma expression has no effect [-Wunused-value]
  326 |         fortify_memset_chk(__fortify_size, p_size, p_size_field),       \
      |                                                                 ^
./include/linux/fortify-string.h:335:25: note: in expansion of macro ‘__fortify_memset_chk’
  335 | #define memset(p, c, s) __fortify_memset_chk(p, c, s,                   \
      |                         ^~~~~~~~~~~~~~~~~~~~
/root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/queueing.h:88:9: note: in expansion of macro ‘memset’
   88 |         memset(&skb->headers_start, 0,
      |         ^~~~~~
make[2]: *** [scripts/Makefile.build:299: /root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src/main.o] Error 1
make[1]: *** [Makefile:1936: /root/wolfssl_plus_wireguard/wolf-wireguard-kernel/src] Error 2
make: *** [Makefile:26: module] Error 2

My Wolfssl config was as follows:

======================

Configuration summary for wolfssl version 5.7.4

   * Installation prefix:        /usr/local
   * System type:                pc-linux-gnu
   * Host CPU:                   x86_64
   * C Compiler:                 gcc
   * C Flags:                       -Werror -Wno-pragmas -Wall -Wextra -Wunknown-pragmas --param=ssp-buffer-size=1 -Waddress -Warray-bounds -Wbad-function-cast -Wchar-subscripts -Wcomment -Wfloat-equal -Wformat-security -Wformat=2 -Wmaybe-uninitialized -Wmissing-field-initializers -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wnormalized=id -Woverride-init -Wpointer-arith -Wpointer-sign -Wshadow -Wsign-compare -Wstrict-overflow=1 -Wswitch-enum -Wundef -Wunused -Wunused-result -Wunused-variable -Wwrite-strings -fwrapv
   * C++ Compiler:               
   * C++ Flags:                 
   * CPP Flags:                 
   * CCAS Flags:                   
   * LD Flags:                   
   * LIB Flags:                   -pie -z relro -z now -Werror
   * Library Suffix:             
   * Linux Kernel Build Root:    /usr/src/kernels/5.14.0-427.37.1.el9_4.x86_64
   * Linux Kernel Build Arch:    x86_64
   * fpu disable C flags:        -mno-80387 -mno-fp-ret-in-387
   * fpu enable C flags:         -m80387
   * SIMD disable C flags:       -mno-sse -mgeneral-regs-only
   * SIMD enable C flags:        -msse -mmmx -msse2 -msse4 -mavx -mavx2
   * No-auto-vectorize C flags:  -fno-builtin -fno-tree-vectorize -fno-tree-loop-vectorize -fno-tree-slp-vectorize
   * Auto-vectorize C flags:     -fbuiltin -ftree-vectorize -ftree-loop-vectorize -ftree-slp-vectorize
   * SIMD enable as flags:       -Wa,-march=+no87+no287+no387+no687+sse+sse2+sse3+ssse3+sse4.1+sse4.2+sse4+avx+avx2+avx512f
   * FPU enable as flags:        -Wa,-march=+387+687+nosse+nosse2+nosse3+nossse3+nosse4.1+nosse4.2+nosse4+noavx+noavx2+noavx512f
   * SIMD+FPU disable as flags:  -Wa,-march=+no387+no687+nosse+nosse2+nosse3+nossse3+nosse4.1+nosse4.2+nosse4+noavx+noavx2+noavx512f
   * SIMD+FPU enable as flags:   -Wa,-march=+387+687+sse+sse2+sse3+ssse3+sse4.1+sse4.2+sse4+avx+avx2+avx512f
   * Linux kernel module PIE:    no
   * Debug enabled:              no
   * Coverage enabled:           
   * Warnings as failure:        yes
   * make -j:                    17
   * VCS checkout:               yes

   Features
   * Experimental settings:      Forbidden
   * FIPS:                       no
   * Single threaded:            no
   * Filesystem:                 no
   * OpenSSH Build:              no
   * OpenSSL Extra API:          no
   * OpenSSL Coexist:            no
   * Old Names:                  yes
   * Max Strength Build:         no
   * Distro Build:               no
   * Reproducible Build:         no
   * Side-channel Hardening:     yes
   * Single Precision Math:      no
   * SP implementation:          all
   * Fast Math:                  no
   * Heap Math:                  no
   * Assembly Allowed:           yes
   * sniffer:                    no
   * snifftest:                  no
   * ARC4:                       yes
   * AES:                        yes
   * AES-NI:                     no
   * AES-CBC:                    yes
   * AES-CBC length checks:      yes
   * AES-GCM:                    yes
   * AES-GCM streaming:          yes
   * AES-CCM:                    yes
   * AES-CTR:                    yes
   * AES-CFB:                    yes
   * AES-OFB:                    yes
   * AES-XTS:                    yes
   * AES-XTS streaming:          yes
   * AES-SIV:                    yes
   * AES-EAX:                    yes
   * AES Bitspliced:             no
   * AES Key Wrap:               yes
   * ARIA:                       no
   * DES3:                       yes
   * DES3 TLS Suites:            no
   * Camellia:                   yes
   * CUDA:                       no
   * SM4-ECB:                    no
   * SM4-CBC:                    no
   * SM4-CTR:                    no
   * SM4-GCM:                    no
   * SM4-CCM:                    no
   * NULL Cipher:                yes
   * MD2:                        yes
   * MD4:                        yes
   * MD5:                        yes
   * RIPEMD:                     yes
   * SHA:                        yes
   * SHA-224:                    yes
   * SHA-384:                    yes
   * SHA-512:                    yes
   * SHA3:                       yes
   * SHAKE128:                   yes
   * SHAKE256:                   yes
   * SM3:                        no
   * BLAKE2:                     yes
   * BLAKE2S:                    yes
   * SipHash:                    yes
   * CMAC:                       yes
   * keygen:                     yes
   * acert:                      no
   * certgen:                    yes
   * certreq:                    yes
   * certext:                    yes
   * certgencache:               no
   * CHACHA:                     yes
   * XCHACHA:                    yes
   * Hash DRBG:                  yes
   * MmemUse Entropy:
   * (AKA: wolfEntropy):         no
   * PWDBASED:                   yes
   * Encrypted keys:             yes
   * scrypt:                     yes
   * wolfCrypt Only:             yes
   * HKDF:                       yes
   * HPKE:                       no
   * X9.63 KDF:                  yes
   * SRTP-KDF:                   yes
   * PSK:                        yes
   * Poly1305:                   yes
   * LEANPSK:                    no
   * LEANTLS:                    no
   * RSA:                        yes
   * RSA-PSS:                    yes
   * DSA:                        yes
   * DH:                         yes
   * DH Default Parameters:      yes
   * ECC:                        yes
   * ECC Custom Curves:          yes
   * ECC Minimum Bits:           224
   * FPECC:                      yes
   * ECC_ENCRYPT:                yes
   * Brainpool:                  yes
   * SM2:                        no
   * CURVE25519:                 noasm
   * ED25519:                    yes
   * ED25519 streaming:          yes
   * CURVE448:                   yes
   * ED448:                      yes
   * ED448 streaming:            yes
   * LMS:                        no
   * LMS wolfSSL impl:           
   * XMSS:                       no
   * XMSS wolfSSL impl:         
   * KYBER:                      no
   * KYBER wolfSSL impl:         no
   * DILITHIUM:                  no
   * ECCSI                       no
   * SAKKE                       no
   * ASN:                        yes
   * Anonymous cipher:           yes
   * CODING:                     yes
   * MEMORY:                     yes
   * I/O POOL:                   no
   * wolfSentry:                 no
   * LIGHTY:                     no
   * WPA Supplicant:             no
   * HAPROXY:                    no
   * STUNNEL:                    no
   * tcpdump:                    no
   * libssh2:                    no
   * ntp:                        no
   * rsyslog:                    no
   * Apache httpd:               no
   * NGINX:                      no
   * OpenResty:                  no
   * ASIO:                       no
   * LIBWEBSOCKETS:              no
   * Qt:                         no
   * Qt Unit Testing:            no
   * SIGNAL:                     no
   * chrony:                     no
   * strongSwan:                 no
   * OpenLDAP:                   no
   * hitch:                      no
   * memcached:                  no
   * Mosquitto                   no
   * ERROR_STRINGS:              yes
   * DTLS:                       no
   * DTLS v1.3:                  no
   * SCTP:                       no
   * SRTP:                       no
   * Indefinite Length:          yes
   * Multicast:                  no
   * SSL v3.0 (Old):             no
   * TLS v1.0 (Old):             no
   * TLS v1.1 (Old):             no
   * TLS v1.2:                   no
   * TLS v1.3:                   no
   * RPK:                        no
   * Post-handshake Auth:        no
   * Early Data:                 no
   * QUIC:                       no
   * Send State in HRR Cookie:   undefined
   * OCSP:                       yes
   * OCSP Stapling:              yes
   * OCSP Stapling v2:           yes
   * CRL:                        yes
   * CRL-MONITOR:                no
   * Persistent session cache:   no
   * Persistent cert    cache:   no
   * Atomic User Record Layer:   yes
   * Public Key Callbacks:       yes
   * libxmss:                    no
   * liblms:                     no
   * liboqs:                     no
   * Whitewood netRandom:        no
   * Server Name Indication:     yes
   * ALPN:                       yes
   * Maximum Fragment Length:    yes
   * Trusted CA Indication:      yes
   * Truncated HMAC:             yes
   * Supported Elliptic Curves:  yes
   * FFDHE only in client:       no
   * Session Ticket:             no
   * Extended Master Secret:     no
   * Renegotiation Indication:   no
   * Secure Renegotiation:       no
   * Fallback SCSV:              no
   * Keying Material Exporter:   no
   * All TLS Extensions:         yes
   * S/MIME:                     no
   * PKCS#7:                     yes
   * PKCS#8:                     yes
   * PKCS#11:                    no
   * PKCS#12:                    yes
   * wolfSSH:                    yes
   * wolfEngine:                 no
   * wolfTPM:                    no
   * wolfCLU:                    no
   * wolfSCEP:                   no
   * Secure Remote Password:     yes
   * Small Stack:                yes
   * Linux Kernel Module:        yes
   * Linux kernel module bench:  no
   * Linux kernel alg register:  none
   * valgrind unit tests:        no
   * LIBZ:                       no
   * Examples:                   no
   * Crypt tests:                no
   * Stack sizes in tests:       no
   * Heap stats in tests:        no
   * Asynchronous Crypto:        no
   * Asynchronous Crypto (sim):  no
   * Cavium Nitrox:              no
   * Cavium Octeon (Sync):       no
   * Intel Quick Assist:         no
   * ARM ASM:                    no
   * ARM ASM SHA512/SHA3 Crypto  no
   * ARM ASM SM3/SM4 Crypto      no
   * RISC-V ASM                  no
   * Write duplicate:            no
   * Xilinx Hardware Acc.:       no
   * C89:                        no
   * Inline Code:                yes
   * Linux AF_ALG:               no
   * Linux KCAPI:                no
   * Linux devcrypto:            no
   * PK callbacks:               yes
   * Crypto callbacks:           yes
   * i.MX CAAM:                  no
   * IoT-Safe:                   no
   * IoT-Safe HWRNG:             no
   * NXP SE050:                  no
   * Maxim Integrated MAXQ10XX:  no
   * PSA:                        no
   * System CA certs:            no
   * Dual alg cert support:      no
   * ERR Queues per Thread:      yes
   * rwlock:                     no
   * keylog export:              no
   * AutoSAR :                   no

---
./configure flags: '--enable-linuxkm' '--enable-all-crypto' '--enable-cryptonly' '--enable-blake2' '--enable-blake2s' '--enable-xchacha' '--enable-poly1305' '--enable-curve25519' '--with-linux-source=/usr/src/kernels/5.14.0-427.37.1.el9_4.x86_64'
---


Re: Wolfssl with Wireguard

PRETTY_NAME="Red Hat Enterprise Linux 9.5 (Plow)"

# uname -r
5.14.0-427.37.1.el9_4.x86_64

# uname -a
Linux localhost.dev.zpath.net 5.14.0-427.37.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Sep 13 12:41:50 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux

static inline void wg_reset_packet(struct sk_buff *skb, bool encapsulating)
{
        const int pfmemalloc = skb->pfmemalloc;
        u32 hash = skb->hash;
        u8 l4_hash = skb->l4_hash;
        u8 sw_hash = skb->sw_hash;

        skb_scrub_packet(skb, true);

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 17, 0)
        memset(&skb->headers, 0,
               sizeof skb->headers);
#else
        memset(&skb->headers_start, 0,   <==== Build failing on this line since Kernel version < 5.17
               offsetof(struct sk_buff, headers_end) -
                       offsetof(struct sk_buff, headers_start));
#endif
