From de47b9d88a82fe6083d3927fe47f928aea2bb736 Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Mon, 4 Jan 2021 16:32:44 -0600
Subject: [PATCH 1/3] Adding X509_VERIFY_PARAM API
---
 src/ssl.c | 62 +++++++++++++++++++++++++++++++++++++++++++
 tests/api.c | 20 +++++++++-----
 wolfssl/openssl/ssl.h | 5 ++++
 wolfssl/ssl.h | 7 +++++
 4 files changed, 88 insertions(+), 6 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 284dad50b..d8b5bd21c 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -25743,6 +25743,68 @@ char* wolfSSL_CONF_get1_default_config_file(void)
 return NULL;
 }
 #endif
+
+
+WOLFSSL_X509_VERIFY_PARAM* wolfSSL_X509_VERIFY_PARAM_new(void)
+{
+ WOLFSSL_X509_VERIFY_PARAM *param = NULL;
+ param = XMALLOC(sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL,
+ DYNAMIC_TYPE_OPENSSL);
+ if (param != NULL)
+ XMEMSET(param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM ));
+
+ return(param);
+}
+
+
+void wolfSSL_X509_VERIFY_PARAM_free(WOLFSSL_X509_VERIFY_PARAM *param)
+{
+ if (param != NULL)
+ XFREE(param, NULL, DYNAMIC_TYPE_OPENSSL);
+}
+
+
+/* Sets flags by OR'ing with existing value. */
+int wolfSSL_X509_VERIFY_PARAM_set_flags(WOLFSSL_X509_VERIFY_PARAM *param,
+ unsigned long flags)
+{
+ int ret = WOLFSSL_FAILURE;
+
+ if (param != NULL) {
+ param->flags |= flags;
+ ret = WOLFSSL_SUCCESS;
+ }
+
+ return ret;
+}
+
+
+int wolfSSL_X509_VERIFY_PARAM_get_flags(WOLFSSL_X509_VERIFY_PARAM *param)
+{
+ int ret = 0;
+
+ if (param != NULL) {
+ ret = param->flags;
+ }
+
+ return ret;
+}
+
+
+int wolfSSL_X509_VERIFY_PARAM_clear_flags(WOLFSSL_X509_VERIFY_PARAM *param,
+ unsigned long flags)
+{
+ int ret = WOLFSSL_FAILURE;
+
+ if (param != NULL) {
+ param->flags &= ~flags;
+ ret = WOLFSSL_SUCCESS;
+ }
+
+ return ret;
+}
+
+
 /******************************************************************************
 * wolfSSL_X509_VERIFY_PARAM_set1_host - sets the DNS hostname to name
 * hostnames is cleared if name is NULL or empty.
diff --git a/tests/api.c b/tests/api.c
index e51b7434d..81a4a221b 100644
--- a/tests/api.c
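Review bot: `wolfSSL_X509_VERIFY_PARAM_get_flags` returns `int`, but the value it hands back is `param->flags`, which `set_flags` and `clear_flags` combine with an `unsigned long`; a flag bit at or above bit 31 therefore comes back truncated or negative, so a caller that reads the flags to decide which verification checks are active can see a different set than was stored, and OpenSSL's `X509_VERIFY_PARAM_get_flags` returns `unsigned long` for that reason. As the function is new in this patch, fix the type rather than cast it: `unsigned long wolfSSL_X509_VERIFY_PARAM_get_flags(const WOLFSSL_X509_VERIFY_PARAM *param)` with `unsigned long ret = 0;`, mirrored in this patch's `wolfssl/ssl.h` prototype hunk and in the `tests/api.c` comparisons; the `(int)param->flags` cast added by patch 3's `@@ -25800` hunk only hides the narrowing warning and would go away with it. The getter and `clear_flags` lack the one-line header comment the file gives `set_flags`; `/* Returns the current flags, 0 if param is NULL. */` and `/* Clears the given flag bits; WOLFSSL_FAILURE if param is NULL. */` would complete the set.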
+++ b/tests/api.c
@@ -29793,11 +29793,7 @@ static void test_wolfSSL_X509_VERIFY_PARAM(void)
 printf(testingFmt, "wolfSSL_X509()");
- /* Initializer function is not ported */
- /* param = wolfSSL_X509_VERIFY_PARAM_new(); */
-
- param = (WOLFSSL_X509_VERIFY_PARAM *)XMALLOC(
- sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL);
+ param = wolfSSL_X509_VERIFY_PARAM_new();
 AssertNotNull(param);
 XMEMSET(param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM ));
@@ -29821,7 +29817,19 @@ static void test_wolfSSL_X509_VERIFY_PARAM(void)
 AssertIntEQ(1, ret);
 AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv6, WOLFSSL_MAX_IPSTR));
- XFREE(param, NULL, DYNAMIC_TYPE_OPENSSL);
+ ret = wolfSSL_X509_VERIFY_PARAM_set_flags(param, WOLFSSL_CRL_CHECKALL);
+ AssertIntEQ(1, ret);
+
+ ret = wolfSSL_X509_VERIFY_PARAM_get_flags(param);
+ AssertIntEQ(WOLFSSL_CRL_CHECKALL, ret);
+
+ ret = wolfSSL_X509_VERIFY_PARAM_clear_flags(param, WOLFSSL_CRL_CHECKALL);
+ AssertIntEQ(1, ret);
+
+ ret = wolfSSL_X509_VERIFY_PARAM_get_flags(param);
+ AssertIntEQ(0, ret);
+
+ wolfSSL_X509_VERIFY_PARAM_free(param);
 printf(resultFmt, passed);
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index 95c0fdb57..eeea765a4 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
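Review bot: The `XMEMSET(param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM ))` context line after `AssertNotNull(param)` is now redundant, because `wolfSSL_X509_VERIFY_PARAM_new` (patch 1 of this series) already zeroes the allocation, and keeping it means the test would still pass if `_new` stopped zeroing. Remove the memset and assert the contract instead, e.g. `AssertIntEQ(0, wolfSSL_X509_VERIFY_PARAM_get_flags(param));` directly after `AssertNotNull(param);`. `test_wolfSSL_X509_VERIFY_PARAM` starts before this hunk and continues past it.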
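Review bot: The new assertions only exercise the happy path with a single bit; nothing checks that `wolfSSL_X509_VERIFY_PARAM_set_flags`, `_get_flags` and `_clear_flags` reject a NULL parameter as their bodies in patch 1 intend, nor that `clear_flags` masks rather than resets. Add `AssertIntEQ(WOLFSSL_FAILURE, wolfSSL_X509_VERIFY_PARAM_set_flags(NULL, WOLFSSL_CRL_CHECKALL));` and `AssertIntEQ(0, wolfSSL_X509_VERIFY_PARAM_get_flags(NULL));` (plus the `clear_flags` counterpart), and set a second flag value before clearing `WOLFSSL_CRL_CHECKALL` so the getter can be asserted to still return the other one. The enclosing function continues outside the hunk.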
@@ -586,6 +586,11 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define X509_STORE_get_by_subject wolfSSL_X509_STORE_get_by_subject
 #define X509_STORE_CTX_get1_issuer wolfSSL_X509_STORE_CTX_get1_issuer
 #define X509_STORE_CTX_set_time wolfSSL_X509_STORE_CTX_set_time
+#define X509_VERIFY_PARAM_new wolfSSL_X509_VERIFY_PARAM_new
+#define X509_VERIFY_PARAM_free wolfSSL_X509_VERIFY_PARAM_free
+#define X509_VERIFY_PARAM_set_flags wolfSSL_X509_VERIFY_PARAM_set_flags
+#define X509_VERIFY_PARAM_get_flags wolfSSL_X509_VERIFY_PARAM_get_flags
+#define X509_VERIFY_PARAM_clear_flags wolfSSL_X509_VERIFY_PARAM_clear_flags
 #define X509_VERIFY_PARAM_set_hostflags wolfSSL_X509_VERIFY_PARAM_set_hostflags
 #define X509_VERIFY_PARAM_set1_host wolfSSL_X509_VERIFY_PARAM_set1_host
 #define X509_VERIFY_PARAM_set1_ip_asc wolfSSL_X509_VERIFY_PARAM_set1_ip_asc
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index b32aaf7d9..723a8f61a 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1505,6 +1505,13 @@ WOLFSSL_API int wolfSSL_sk_X509_REVOKED_num(WOLFSSL_X509_REVOKED*);
 WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_time(WOLFSSL_X509_STORE_CTX*, unsigned long flags, time_t t);
+WOLFSSL_API WOLFSSL_X509_VERIFY_PARAM* wolfSSL_X509_VERIFY_PARAM_new(void);
+WOLFSSL_API void wolfSSL_X509_VERIFY_PARAM_free(WOLFSSL_X509_VERIFY_PARAM *param);
+WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set_flags(WOLFSSL_X509_VERIFY_PARAM *param,
+ unsigned long flags);
+WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_get_flags(WOLFSSL_X509_VERIFY_PARAM *param);
+WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_clear_flags(WOLFSSL_X509_VERIFY_PARAM *param,
+ unsigned long flags);
 WOLFSSL_API void wolfSSL_X509_VERIFY_PARAM_set_hostflags(
 WOLFSSL_X509_VERIFY_PARAM* param, unsigned int flags);
 WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam,
From 47b9c5b054d616c347625a4a0a7d19e4de3b78eb Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Mon, 11 Jan 2021 16:39:28 -0600
Subject: [PATCH 2/3] Adding X509_STORE_CTX API
---
 src/ssl.c | 20 ++++++++++++++++++--
 wolfssl/openssl/ssl.h | 1 +
 wolfssl/ssl.h | 2 ++
 3 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index d8b5bd21c..3211d6e80 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -25328,10 +25328,26 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx)
 void wolfSSL_X509_STORE_CTX_cleanup(WOLFSSL_X509_STORE_CTX* ctx)
 {
- (void)ctx;
- /* Do nothing */
+ if (ctx != NULL) {
+#ifdef OPENSSL_EXTRA
+ if (ctx->param != NULL){
+ XFREE(ctx->param,NULL,DYNAMIC_TYPE_OPENSSL);
+ ctx->param = NULL;
+ }
+#endif
+ wolfSSL_X509_STORE_CTX_init(ctx, NULL, NULL, NULL);
+ }
 }
+
+void wolfSSL_X509_STORE_CTX_trusted_stack(WOLFSSL_X509_STORE_CTX *ctx, WOLF_STACK_OF(WOLFSSL_X509) *sk)
+{
+ if (ctx != NULL) {
+ ctx->chain = sk;
+ }
+}
+
+
 /* Returns corresponding X509 error from internal ASN error */
 static int GetX509Error(int e)
 {
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index eeea765a4..d3bff7f8f 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -569,6 +569,7 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
 wolfSSL_X509_STORE_CTX_get0_current_issuer
 #define X509_STORE_CTX_get0_store wolfSSL_X509_STORE_CTX_get0_store
 #define X509_STORE_CTX_get0_cert wolfSSL_X509_STORE_CTX_get0_cert
+#define X509_STORE_CTX_trusted_stack wolfSSL_X509_STORE_CTX_trusted_stack
 #define X509_STORE_set_verify_cb(s, c) \
 wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_CTX_verify_cb)(c))
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 723a8f61a..081cc3dba 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
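Review bot: `wolfSSL_X509_STORE_CTX_cleanup` frees `ctx->param` with a raw `XFREE` although patch 1 of this series introduces `wolfSSL_X509_VERIFY_PARAM_free` as that object's destructor; going through the API keeps allocation and release paired if the struct ever grows owned members, so replace the `if`/`XFREE`/`= NULL` lines with `wolfSSL_X509_VERIFY_PARAM_free(ctx->param);` and `ctx->param = NULL;`. The `wolfssl/ssl.h` hunk that follows shows `wolfSSL_X509_STORE_CTX_init` returning `int`, and its result is discarded here; either return it or write `(void)wolfSSL_X509_STORE_CTX_init(ctx, NULL, NULL, NULL);` so the discard is deliberate. `wolfSSL_X509_STORE_CTX_trusted_stack` overwrites `ctx->chain` with the caller's stack without releasing what was there and without recording who owns `sk`; if `wolfSSL_X509_STORE_CTX_free` releases `ctx->chain` (not visible in this hunk) the previous chain leaks and the caller's stack is freed behind its back, and since `chain` appears to be the chain under verification rather than a separate trusted set, certificates handed in as trusted would be treated as untrusted chain members, so a header comment stating ownership of `sk` and whether it is a trusted or untrusted set is needed either way. Nit: `XFREE(ctx->param,NULL,DYNAMIC_TYPE_OPENSSL)`, `!= NULL){` and the over-long `trusted_stack` signature do not follow the spacing and 80-column wrapping used elsewhere in this file.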
@@ -1472,6 +1472,8 @@ WOLFSSL_API int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX*,
 WOLFSSL_X509_STORE*, WOLFSSL_X509*, WOLF_STACK_OF(WOLFSSL_X509)*);
 WOLFSSL_API void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX*);
 WOLFSSL_API void wolfSSL_X509_STORE_CTX_cleanup(WOLFSSL_X509_STORE_CTX*);
+WOLFSSL_API void wolfSSL_X509_STORE_CTX_trusted_stack(WOLFSSL_X509_STORE_CTX *ctx,
+ WOLF_STACK_OF(WOLFSSL_X509) *sk);
 WOLFSSL_API WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL*);
 WOLFSSL_API WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_nextUpdate(WOLFSSL_X509_CRL*);
From 6cff3f84884d226300b33c33e57cd7bef1435978 Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Mon, 18 Jan 2021 16:10:00 -0600
Subject: [PATCH 3/3] Adding X509_LOOKUP_ctrl
---
 src/ssl.c | 37 ++++++++++++++++++++++++++++++++++---
 wolfssl/openssl/ssl.h | 6 ++++++
 wolfssl/ssl.h | 7 +++++++
 3 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 3211d6e80..bcb6896dd 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -24298,6 +24298,37 @@ WOLFSSL_X509_LOOKUP_METHOD* wolfSSL_X509_LOOKUP_file(void)
 }
+int wolfSSL_X509_LOOKUP_ctrl(WOLFSSL_X509_LOOKUP *ctx, int cmd,
+ const char *argc, long argl, char **ret)
+{
+ /* control commands:
+ * X509_L_FILE_LOAD, X509_L_ADD_DIR, X509_L_ADD_STORE, X509_L_LOAD_STORE
+ */
+
+ /* returns -1 if the X509_LOOKUP doesn't have an associated X509_LOOKUP_METHOD */
+
+
+
+ if (ctx != NULL) {
+ switch (cmd) {
+ case WOLFSSL_X509_L_FILE_LOAD:
+ case WOLFSSL_X509_L_ADD_DIR:
+ case WOLFSSL_X509_L_ADD_STORE:
+ case WOLFSSL_X509_L_LOAD_STORE:
+ return WOLFSSL_SUCCESS;
+
+ default:
+ break;
+ }
+
+ }
+
+ (void)argc; (void)argl; (void)ret;
+
+ return WOLFSSL_FAILURE;
+}
+
+
 WOLFSSL_X509_LOOKUP* wolfSSL_X509_STORE_add_lookup(WOLFSSL_X509_STORE* store, WOLFSSL_X509_LOOKUP_METHOD* m)
 {
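Review bot: `wolfSSL_X509_LOOKUP_ctrl` answers `WOLFSSL_SUCCESS` for all four `WOLFSSL_X509_L_*` commands while performing none of them, so a caller written against OpenSSL (where `X509_LOOKUP_load_file`/`X509_LOOKUP_add_dir` are macros over `X509_LOOKUP_ctrl`) that invokes the ctrl directly is told its CA file or directory was loaded while the store is still empty, and the later verification failure gives no hint why. `WOLFSSL_X509_L_FILE_LOAD` can be honoured now by forwarding to `wolfSSL_X509_LOOKUP_load_file(ctx, argc, argl)`, whose prototype in this patch's `wolfssl/ssl.h` hunk takes exactly those argument types; the three unimplemented commands should fall through to `WOLFSSL_FAILURE` until they do something. The comment `returns -1 if the X509_LOOKUP doesn't have an associated X509_LOOKUP_METHOD` describes behaviour the body does not have (it returns `WOLFSSL_FAILURE` and never looks at a method) and should instead state which commands are supported. I have assumed `wolfSSL_X509_LOOKUP_load_file` reports `WOLFSSL_SUCCESS`/`WOLFSSL_FAILURE` like the other compat functions — confirm before forwarding its return value.
```c
int wolfSSL_X509_LOOKUP_ctrl(WOLFSSL_X509_LOOKUP *ctx, int cmd,
                             const char *argc, long argl, char **ret)
{
    /* Only X509_L_FILE_LOAD is implemented; it forwards to
     * wolfSSL_X509_LOOKUP_load_file(ctx, argc, argl). The remaining
     * OpenSSL commands are accepted by the compat macros but not
     * supported here, so they report failure instead of success. */
    (void)ret;

    if (ctx == NULL) {
        return WOLFSSL_FAILURE;
    }

    switch (cmd) {
        case WOLFSSL_X509_L_FILE_LOAD:
            /* assumes load_file uses WOLFSSL_SUCCESS/WOLFSSL_FAILURE */
            return wolfSSL_X509_LOOKUP_load_file(ctx, argc, argl);

        case WOLFSSL_X509_L_ADD_DIR:
        case WOLFSSL_X509_L_ADD_STORE:
        case WOLFSSL_X509_L_LOAD_STORE:
        default:
            /* not implemented: do not claim the lookup was populated */
            break;
    }

    return WOLFSSL_FAILURE;
}
```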
@@ -25764,8 +25795,8 @@ char* wolfSSL_CONF_get1_default_config_file(void)
 WOLFSSL_X509_VERIFY_PARAM* wolfSSL_X509_VERIFY_PARAM_new(void)
 {
 WOLFSSL_X509_VERIFY_PARAM *param = NULL;
- param = XMALLOC(sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL,
- DYNAMIC_TYPE_OPENSSL);
+ param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
+ sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL);
 if (param != NULL)
 XMEMSET(param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM ));
@@ -25800,7 +25831,7 @@ int wolfSSL_X509_VERIFY_PARAM_get_flags(WOLFSSL_X509_VERIFY_PARAM *param)
 int ret = 0;
 if (param != NULL) {
- ret = param->flags;
+ ret = (int)param->flags;
 }
 return ret;
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index d3bff7f8f..355b9f29f 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -112,6 +112,11 @@ typedef WOLFSSL_BUF_MEM BUF_MEM;
 typedef WOLFSSL_GENERAL_NAMES GENERAL_NAMES;
 typedef WOLFSSL_GENERAL_NAME GENERAL_NAME;
+#define X509_L_FILE_LOAD WOLFSSL_X509_L_FILE_LOAD
+#define X509_L_ADD_DIR WOLFSSL_X509_L_ADD_DIR
+#define X509_L_ADD_STORE WOLFSSL_X509_L_ADD_STORE
+#define X509_L_LOAD_STORE WOLFSSL_X509_L_LOAD_STORE
+
 #define ASN1_UTCTIME WOLFSSL_ASN1_TIME
 #define ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME
@@ -601,6 +606,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define X509_LOOKUP_load_file wolfSSL_X509_LOOKUP_load_file
 #define X509_LOOKUP_hash_dir wolfSSL_X509_LOOKUP_hash_dir
 #define X509_LOOKUP_file wolfSSL_X509_LOOKUP_file
+#define X509_LOOKUP_ctrl wolfSSL_X509_LOOKUP_ctrl
 #define d2i_X509_CRL wolfSSL_d2i_X509_CRL
 #define d2i_X509_CRL_fp wolfSSL_d2i_X509_CRL_fp
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 081cc3dba..97b88811b 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -520,6 +520,11 @@ typedef struct WOLFSSL_COMP {
 WOLFSSL_COMP_METHOD *method;
 } WOLFSSL_COMP;
+#define WOLFSSL_X509_L_FILE_LOAD 0x1
+#define WOLFSSL_X509_L_ADD_DIR 0x2
+#define WOLFSSL_X509_L_ADD_STORE 0x3
+#define WOLFSSL_X509_L_LOAD_STORE 0x4
+
 struct WOLFSSL_X509_LOOKUP_METHOD { int type; };
@@ -1449,6 +1454,8 @@ WOLFSSL_API int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP*,
 const char*, long);
 WOLFSSL_API WOLFSSL_X509_LOOKUP_METHOD* wolfSSL_X509_LOOKUP_hash_dir(void);
 WOLFSSL_API WOLFSSL_X509_LOOKUP_METHOD* wolfSSL_X509_LOOKUP_file(void);
+WOLFSSL_API int wolfSSL_X509_LOOKUP_ctrl(WOLFSSL_X509_LOOKUP *ctx, int cmd,
+ const char *argc, long argl, char **ret);
 WOLFSSL_API WOLFSSL_X509_LOOKUP* wolfSSL_X509_STORE_add_lookup(WOLFSSL_X509_STORE*, WOLFSSL_X509_LOOKUP_METHOD*);