Added example client/server support for loading the certificate and private key into the WOLFSSL object using -H loadSSL. Added a load_ssl_buffer function to load buffers into WOLFSSL objects. Changed the wolfSSL_get_SSL_CTX API to always be exposed. Added the TEST_LOAD_BUFFER build option to use the load_buffer and load_ssl_buffer calls for the example client/server.

This commit is contained in:
David Garske
2018-10-09 12:54:41 -07:00
parent 1d7c4f96fa
commit 0293686990
5 changed files with 194 additions and 51 deletions


@ -1036,6 +1036,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
int useX25519 = 0;
int exitWithRet = 0;
int loadCertKeyIntoSSLObj = 0;
#ifdef HAVE_WNR
const char* wnrConfigFile = wnrConfig;
@ -1094,6 +1095,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
(void)helloRetry;
(void)onlyKeyShare;
(void)useSupCurve;
(void)loadCertKeyIntoSSLObj;
StackTrap();
@ -1201,6 +1203,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
else if (myoptarg[0] == 'e') {
version = EITHER_DOWNGRADE_VERSION;
loadCertKeyIntoSSLObj = 1;
break;
}
#endif
@ -1236,6 +1239,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
printf("Test use supported curve\n");
useSupCurve = 1;
}
else if (XSTRNCMP(myoptarg, "loadSSL", 7) == 0) {
printf("Load cert/key into wolfSSL object\n");
loadCertKeyIntoSSLObj = 1;
}
else {
Usage();
XEXIT_T(MY_EX_USAGE);
@ -1586,6 +1593,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
if (doDTLS) {
if (version == 3)
version = -2;
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
else if (version == EITHER_DOWNGRADE_VERSION)
version = -3;
#endif
else
version = -1;
}
@ -1652,6 +1663,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
method = wolfDTLSv1_2_client_method_ex;
break;
#endif
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
case -3:
method = wolfDTLSv1_2_method_ex;
break;
#endif
#endif
default:
@ -1826,8 +1842,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
#ifndef NO_CERTS
if (useClientCert){
#ifndef NO_FILESYSTEM
if (useClientCert && !loadCertKeyIntoSSLObj){
#ifndef TEST_LOAD_BUFFER
if (wolfSSL_CTX_use_certificate_chain_file(ctx, ourCert)
!= WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL;
@ -1837,14 +1853,17 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#else
load_buffer(ctx, ourCert, WOLFSSL_CERT_CHAIN);
#endif
}
#ifdef HAVE_PK_CALLBACKS
pkCbInfo.ourKey = ourKey;
#ifdef TEST_PK_PRIVKEY
if (!pkCallbacks)
#endif
#endif
#ifndef NO_FILESYSTEM
if (!loadCertKeyIntoSSLObj
#if defined(HAVE_PK_CALLBACKS) && defined(TEST_PK_PRIVKEY)
&& !pkCallbacks
#endif
) {
#ifndef TEST_LOAD_BUFFER
if (wolfSSL_CTX_use_PrivateKey_file(ctx, ourKey, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL;
@ -1857,7 +1876,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
}
if (!usePsk && !useAnon && (!useVerifyCb || myVerifyFail)) {
#if !defined(NO_FILESYSTEM)
#ifndef TEST_LOAD_BUFFER
if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert, 0)
!= WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL;
@ -1866,9 +1885,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#else
load_buffer(ctx, verifyCert, WOLFSSL_CA);
#endif /* !NO_FILESYSTEM */
#ifdef HAVE_ECC
/* load ecc verify too, echoserver uses it by default w/ ecc */
#ifndef NO_FILESYSTEM
#ifndef TEST_LOAD_BUFFER
if (wolfSSL_CTX_load_verify_locations(ctx, eccCertFile, 0)
!= WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL;
@ -1876,7 +1896,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
}
#else
load_buffer(ctx, eccCertFile, WOLFSSL_CA);
#endif /* !NO_FILESYSTEM */
#endif /* !TEST_LOAD_BUFFER */
#endif /* HAVE_ECC */
#if defined(WOLFSSL_TRUST_PEER_CERT) && !defined(NO_FILESYSTEM)
if (trustCert) {
@ -2039,19 +2059,52 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
err_sys("unable to get SSL object");
}
#ifdef OPENSSL_EXTRA
wolfSSL_KeepArrays(ssl);
#ifndef NO_CERTS
if (useClientCert && loadCertKeyIntoSSLObj){
#ifndef TEST_LOAD_BUFFER
if (wolfSSL_use_certificate_chain_file(ssl, ourCert)
!= WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("can't load client cert file, check file and run from"
" wolfSSL home dir");
}
#else
load_ssl_buffer(ssl, ourCert, WOLFSSL_CERT_CHAIN);
#endif
}
if (loadCertKeyIntoSSLObj
#if defined(HAVE_PK_CALLBACKS) && defined(TEST_PK_PRIVKEY)
&& !pkCallbacks
#endif
) {
#ifndef TEST_LOAD_BUFFER
if (wolfSSL_use_PrivateKey_file(ssl, ourKey, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("can't load client private key file, check file and run "
"from wolfSSL home dir");
}
#else
load_ssl_buffer(ssl, ourKey, WOLFSSL_KEY);
#endif
}
#endif /* !NO_CERTS */
#ifdef OPENSSL_EXTRA
wolfSSL_KeepArrays(ssl);
#endif
#if defined(WOLFSSL_STATIC_MEMORY) && defined(DEBUG_WOLFSSL)
fprintf(stderr, "After creating SSL\n");
if (wolfSSL_CTX_is_static_memory(ctx, &mem_stats) != 1)
err_sys("ctx not using static memory");
if (wolfSSL_PrintStats(&mem_stats) != 1) /* function in test.h */
fprintf(stderr, "After creating SSL\n");
if (wolfSSL_CTX_is_static_memory(ctx, &mem_stats) != 1)
err_sys("ctx not using static memory");
if (wolfSSL_PrintStats(&mem_stats) != 1) /* function in test.h */
err_sys("error printing out memory stats");
#endif
#ifdef WOLFSSL_TLS13
#ifdef WOLFSSL_TLS13
if (!helloRetry) {
if (onlyKeyShare == 0 || onlyKeyShare == 2) {
#ifdef HAVE_CURVE25519
@ -2083,7 +2136,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
else {
wolfSSL_NoKeyShares(ssl);
}
#endif
#endif
if (doMcast) {
#ifdef WOLFSSL_MULTICAST
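Review bot: In the option-parsing hunk for `-v e` (`else if (myoptarg[0] == 'e')`), the added `loadCertKeyIntoSSLObj = 1;` silently couples the either-side downgrade mode to loading credentials into the WOLFSSL object, and nothing in the hunk explains why; the same unexplained line is added in server.c's option-parsing hunk. If the reason is that the either-side method cannot take the cert/key on the CTX — a guess from here — a comment such as `/* either-side method: load cert/key into the WOLFSSL object, not the CTX */` would save the next reader a search; otherwise the flag is better left to `-H loadSSL` alone. Unlike the `-H loadSSL` path, this path prints nothing, so a user cannot tell that credential loading moved. client_test's body starts and ends outside every hunk in this file.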


@ -572,6 +572,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#endif
int useX25519 = 0;
int exitWithRet = 0;
int loadCertKeyIntoSSLObj = 0;
((func_args*)args)->return_code = -1; /* error state */
@ -605,6 +606,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
(void)postHandAuth;
(void)mcastID;
(void)useX25519;
(void)loadCertKeyIntoSSLObj;
#ifdef WOLFSSL_TIRTOS
fdOpenSession(Task_self());
@ -701,6 +703,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
else if (myoptarg[0] == 'e') {
version = EITHER_DOWNGRADE_VERSION;
loadCertKeyIntoSSLObj = 1;
break;
}
#endif
@ -728,6 +731,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
printf("Verify should fail\n");
myVerifyFail = 1;
}
else if (XSTRNCMP(myoptarg, "loadSSL", 7) == 0) {
printf("Load cert/key into wolfSSL object\n");
loadCertKeyIntoSSLObj = 1;
}
else {
Usage();
XEXIT_T(MY_EX_USAGE);
@ -950,6 +957,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
if (doDTLS) {
if (version == 3)
version = -2;
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
else if (version == EITHER_DOWNGRADE_VERSION)
version = -3;
#endif
else
version = -1;
}
@ -1016,6 +1027,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
method = wolfDTLSv1_2_server_method_ex;
break;
#endif
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
case -3:
method = wolfDTLSv1_2_method_ex;
break;
#endif
#endif
default:
@ -1090,8 +1106,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#endif
#if !defined(NO_CERTS)
if ((!usePsk || usePskPlus) && !useAnon) {
#if !defined(NO_FILESYSTEM)
if ((!usePsk || usePskPlus) && !useAnon && !loadCertKeyIntoSSLObj) {
#ifndef TEST_LOAD_BUFFER
if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
!= WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "can't load server cert file, check file and run from"
@ -1128,14 +1144,15 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
}
#endif
#if !defined(NO_CERTS)
#ifdef HAVE_PK_CALLBACKS
pkCbInfo.ourKey = ourKey;
#ifdef TEST_PK_PRIVKEY
if (!pkCallbacks)
#ifdef HAVE_PK_CALLBACKS
pkCbInfo.ourKey = ourKey;
#endif
#endif
if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon) {
#if !defined(NO_FILESYSTEM)
if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon && !loadCertKeyIntoSSLObj
#if defined(HAVE_PK_CALLBACKS) && defined(TEST_PK_PRIVKEY)
&& !pkCallbacks
#endif /* HAVE_PK_CALLBACKS && TEST_PK_PRIVKEY */
) {
#ifndef TEST_LOAD_BUFFER
if (SSL_CTX_use_PrivateKey_file(ctx, ourKey, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "can't load server private key file, check file and run "
@ -1294,6 +1311,37 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
wolfSSL_KeepArrays(ssl);
#endif
/* Support for loading private key and cert using WOLFSSL object */
#if !defined(NO_CERTS)
if ((!usePsk || usePskPlus) && !useAnon && loadCertKeyIntoSSLObj) {
#ifndef TEST_LOAD_BUFFER
if (SSL_use_certificate_chain_file(ssl, ourCert)
!= WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "can't load server cert file, check file and run from"
" wolfSSL home dir");
#else
/* loads cert chain file using buffer API */
load_ssl_buffer(ssl, ourCert, WOLFSSL_CERT_CHAIN);
#endif
}
if (!useNtruKey && (!usePsk || usePskPlus) && !useAnon && loadCertKeyIntoSSLObj
#if defined(HAVE_PK_CALLBACKS) && defined(TEST_PK_PRIVKEY)
&& !pkCallbacks
#endif /* HAVE_PK_CALLBACKS && TEST_PK_PRIVKEY */
) {
#ifndef TEST_LOAD_BUFFER
if (SSL_use_PrivateKey_file(ssl, ourKey, WOLFSSL_FILETYPE_PEM)
!= WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "can't load server private key file, check file and run "
"from wolfSSL home dir");
#else
/* loads private key file using buffer API */
load_ssl_buffer(ssl, ourKey, WOLFSSL_KEY);
#endif
}
#endif /* !NO_CERTS */
#ifdef WOLFSSL_SEND_HRR_COOKIE
if (hrrCookie && wolfSSL_send_hrr_cookie(ssl, NULL, 0) != WOLFSSL_SUCCESS) {
err_sys("unable to set use of cookie with HRR msg");


@ -32626,12 +32626,13 @@ unsigned long wolfSSL_ERR_peek_last_error(void)
#endif
}
#endif /* OPENSSL_EXTRA */
WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl)
{
WOLFSSL_ENTER("wolfSSL_get_SSL_CTX");
return ssl->ctx;
}
#endif /* OPENSSL_EXTRA */
#if defined(OPENSSL_ALL) || \
(defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || \
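Review bot: wolfSSL_get_SSL_CTX now sits outside the OPENSSL_EXTRA block as an always-available public getter, but its body still dereferences the argument unconditionally at `return ssl->ctx;`, so a NULL session pointer crashes instead of failing the way a public accessor should. A guard, `if (ssl == NULL) return NULL;` before the return, keeps the widened API defensive; since the new test.h helper load_ssl_buffer passes the result straight into wolfSSL_CTX_load_verify_buffer, the header declaration should also document that the return can be NULL. The `#if defined(OPENSSL_ALL) || ...` condition at the end of this hunk continues past the hunk.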


@ -569,6 +569,7 @@ WOLFSSL_API int wolfSSL_use_RSAPrivateKey_file(WOLFSSL*, const char*, int);
WOLFSSL_API WOLFSSL_CTX* wolfSSL_CTX_new(WOLFSSL_METHOD*);
WOLFSSL_API WOLFSSL* wolfSSL_new(WOLFSSL_CTX*);
WOLFSSL_API WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_is_server(WOLFSSL*);
WOLFSSL_API WOLFSSL* wolfSSL_write_dup(WOLFSSL*);
WOLFSSL_API int wolfSSL_set_fd (WOLFSSL*, int);
@ -2776,8 +2777,6 @@ WOLFSSL_API WOLFSSL_ASN1_BIT_STRING* wolfSSL_X509_get0_pubkey_bitstr(
WOLFSSL_API int wolfSSL_CTX_add_session(WOLFSSL_CTX*, WOLFSSL_SESSION*);
WOLFSSL_API WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_version(WOLFSSL*);
WOLFSSL_API int wolfSSL_get_state(const WOLFSSL*);


@ -1421,6 +1421,48 @@ static WC_INLINE void OCSPRespFreeCb(void* ioCtx, unsigned char* response)
free(buff);
}
static WC_INLINE void load_ssl_buffer(WOLFSSL* ssl, const char* fname, int type)
{
int format = WOLFSSL_FILETYPE_PEM;
byte* buff = NULL;
size_t sz = 0;
if (load_file(fname, &buff, &sz) != 0) {
err_sys("can't open file for buffer load "
"Please run from wolfSSL home directory if not");
}
/* determine format */
if (strstr(fname, ".der"))
format = WOLFSSL_FILETYPE_ASN1;
if (type == WOLFSSL_CA) {
/* verify certs (CA's) use the shared ctx->cm (WOLFSSL_CERT_MANAGER) */
WOLFSSL_CTX* ctx = wolfSSL_get_SSL_CTX(ssl);
if (wolfSSL_CTX_load_verify_buffer(ctx, buff, (long)sz, format)
!= WOLFSSL_SUCCESS)
err_sys("can't load buffer ca file");
}
else if (type == WOLFSSL_CERT) {
if (wolfSSL_use_certificate_buffer(ssl, buff, (long)sz,
format) != WOLFSSL_SUCCESS)
err_sys("can't load buffer cert file");
}
else if (type == WOLFSSL_KEY) {
if (wolfSSL_use_PrivateKey_buffer(ssl, buff, (long)sz,
format) != WOLFSSL_SUCCESS)
err_sys("can't load buffer key file");
}
else if (type == WOLFSSL_CERT_CHAIN) {
if (wolfSSL_use_certificate_chain_buffer_format(ssl, buff,
(long)sz, format) != WOLFSSL_SUCCESS)
err_sys("can't load cert chain buffer");
}
if (buff)
free(buff);
}
#ifdef TEST_PK_PRIVKEY
static WC_INLINE int load_key_file(const char* fname, byte** derBuf, word32* derLen)
{
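Review bot: load_ssl_buffer has no final `else`, so an unrecognised `type` falls through, frees the buffer and returns as if the load had succeeded; the example then runs with no credential loaded and fails later with an unrelated message. Add `else err_sys("unknown buffer type");` after the WOLFSSL_CERT_CHAIN branch, and in the WOLFSSL_CA branch check the `ctx` returned by wolfSSL_get_SSL_CTX before handing it to wolfSSL_CTX_load_verify_buffer. The `if (buff)` before `free(buff)` is redundant, as free(NULL) is a no-op. A header comment above the function stating that `type` is one of WOLFSSL_CA, WOLFSSL_CERT, WOLFSSL_KEY or WOLFSSL_CERT_CHAIN, that the format is chosen by a `.der` suffix in `fname`, and that the CA case loads into the session's shared CTX rather than the WOLFSSL object would complete the documentation.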