From 0cf9bacf1b542b5d7b5861cb5c9694437414620e Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 21 Apr 2021 17:34:47 -0500
Subject: [PATCH] WOLFSSL_WOLFSENTRY_HOOKS/HAVE_EX_DATA*: refactor wolfSSL_CRYPTO_cleanup_ex_data() to take only one arg (the WOLFSSL_CRYPTO_EX_DATA *); fix preprocessor gates on wolfSSL_set_ex_data() and wolfSSL_X509_get_ex_new_index(); fix line lengths.
---
 examples/server/server.c | 100 +++++++++++++++++++++++++++++----------
 src/internal.c | 10 ++--
 src/ssl.c | 35 +++++++++-----
 src/tls13.c | 3 +-
 wolfssl/internal.h | 2 +-
 wolfssl/ssl.h | 15 ++++--
 6 files changed, 118 insertions(+), 47 deletions(-)
diff --git a/examples/server/server.c b/examples/server/server.c
index e587b3f27..8836c55b8 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -305,7 +305,8 @@ static int wolfsentry_store_endpoints(
 int proto,
 wolfsentry_route_flags_t flags)
 {
- struct wolfsentry_data *data = (struct wolfsentry_data *)XMALLOC(sizeof *data, NULL, DYNAMIC_TYPE_SOCKADDR);
+ struct wolfsentry_data *data = (struct wolfsentry_data *)XMALLOC(
+ sizeof *data, NULL, DYNAMIC_TYPE_SOCKADDR);
 if (data == NULL)
 return WOLFSSL_FAILURE;
@@ -339,7 +340,10 @@ static int wolfsentry_store_endpoints(
 data->remote.interface = data->local.interface = 0;
 data->flags = flags;
- if (wolfSSL_set_ex_data_with_cleanup(ssl, wolfsentry_data_index, data, (wolfSSL_ex_data_cleanup_routine_t)free_wolfsentry_data) != WOLFSSL_SUCCESS) {
+ if (wolfSSL_set_ex_data_with_cleanup(
+ ssl, wolfsentry_data_index, data,
+ (wolfSSL_ex_data_cleanup_routine_t)free_wolfsentry_data) !=
+ WOLFSSL_SUCCESS) {
 free_wolfsentry_data(data);
 return WOLFSSL_FAILURE;
 }
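Review bot: The cleanup routine is registered through a cast, `(wolfSSL_ex_data_cleanup_routine_t)free_wolfsentry_data`, on the third added line of the second hunk; if free_wolfsentry_data's prototype does not match wolfSSL_ex_data_cleanup_routine_t exactly, invoking it through that cast when the ex_data slot is torn down is undefined behaviour (and is rejected by indirect-call type checks in CFI builds), so either declare it with the callback's exact signature or wrap it in a thin adapter, which also lets the cast go. I cannot see free_wolfsentry_data's definition in this chunk, so this is inferred from the cast being needed at all. The failure path correctly frees data before returning WOLFSSL_FAILURE. wolfsentry_store_endpoints begins before the first hunk and ends after the second.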
@@ -347,7 +351,11 @@ static int wolfsentry_store_endpoints(
 return WOLFSSL_SUCCESS;
 }
-static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_context *wolfsentry, wolfSSL_netfilter_decision_t *decision) {
+static int wolfSentry_NetworkFilterCallback(
+ WOLFSSL *ssl,
+ struct wolfsentry_context *wolfsentry,
+ wolfSSL_netfilter_decision_t *decision)
+{
 struct wolfsentry_data *data;
 char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN];
 wolfsentry_errcode_t ret;
@@ -356,7 +364,17 @@ static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_cont
 if ((data = wolfSSL_get_ex_data(ssl, wolfsentry_data_index)) == NULL)
 return WOLFSSL_FAILURE;
- ret = wolfsentry_route_event_dispatch(wolfsentry, &data->remote, &data->local, data->flags, NULL /* event_label */, 0 /* event_label_len */, NULL /* caller_context */, NULL /* id */, NULL /* inexact_matches */, &action_results);
+ ret = wolfsentry_route_event_dispatch(
+ wolfsentry,
+ &data->remote,
+ &data->local,
+ data->flags,
+ NULL /* event_label */,
+ 0 /* event_label_len */,
+ NULL /* caller_context */,
+ NULL /* id */,
+ NULL /* inexact_matches */,
+ &action_results);
 if (ret >= 0) {
 if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
@@ -366,17 +384,21 @@ static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_cont
 else
 *decision = WOLFSSL_NETFILTER_PASS;
 } else {
- printf("wolfsentry_route_event_dispatch error " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret));
+ printf("wolfsentry_route_event_dispatch error "
+ WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret));
 *decision = WOLFSSL_NETFILTER_PASS;
 }
- printf("wolfSentry got network filter callback: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d; decision=%d (%s)\n",
+ printf("wolfSentry got network filter callback: family=%d proto=%d rport=%d"
+ "lport=%d raddr=%s laddr=%s interface=%d; decision=%d (%s)\n",
 data->remote.sa_family,
 data->remote.sa_proto,
 data->remote.sa_port,
 data->local.sa_port,
- inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf, sizeof inet_ntop_buf),
- inet_ntop(data->local.sa_family, data->local.addr, inet_ntop_buf2, sizeof inet_ntop_buf2),
+ inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf,
+ sizeof inet_ntop_buf),
+ inet_ntop(data->local.sa_family, data->local.addr, inet_ntop_buf2,
+ sizeof inet_ntop_buf2),
 data->remote.interface,
 *decision,
 *decision == WOLFSSL_NETFILTER_REJECT ? "REJECT" :
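Review bot: The split format string in the second added printf drops the space between the two literals, so the log line will read `rport=%dlport=%d` once the pieces are concatenated; end the first piece with a trailing space: `printf("wolfSentry got network filter callback: family=%d proto=%d rport=%d "`. The other rewraps in this hunk (the error printf and the two inet_ntop calls) are purely cosmetic. wolfSentry_NetworkFilterCallback begins before the hunk and its return lies after it.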
@@ -1959,23 +1981,35 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 err_sys_ex(catastrophic, "unable to get ctx");
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
- wolfsentry_ret = wolfsentry_init(NULL /* hpi */, NULL /* default config */, &wolfsentry);
+ wolfsentry_ret = wolfsentry_init(NULL /* hpi */, NULL /* default config */,
+ &wolfsentry);
 if (wolfsentry_ret < 0) {
- fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
+ fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n",
+ WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
 err_sys_ex(catastrophic, "unable to initialize wolfSentry");
 }
 if (wolfsentry_data_index < 0)
- wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL,
+ NULL);
 {
 struct wolfsentry_route_table *table;
- if ((wolfsentry_ret = wolfsentry_route_get_table_static(wolfsentry, &table)) < 0)
- fprintf(stderr, "wolfsentry_route_get_table_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
+ if ((wolfsentry_ret = wolfsentry_route_get_table_static(wolfsentry,
+ &table)) < 0)
+ fprintf(stderr, "wolfsentry_route_get_table_static() returned "
+ WOLFSENTRY_ERROR_FMT "\n",
+ WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
 if (wolfsentry_ret >= 0) {
- if ((wolfsentry_ret = wolfsentry_route_table_default_policy_set(wolfsentry, table, WOLFSENTRY_ACTION_RES_REJECT|WOLFSENTRY_ACTION_RES_STOP)) < 0)
- fprintf(stderr, "wolfsentry_route_table_default_policy_set(WOLFSENTRY_ACTION_RES_REJECT) returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
+ if ((wolfsentry_ret = wolfsentry_route_table_default_policy_set(
+ wolfsentry, table,
+ WOLFSENTRY_ACTION_RES_REJECT|WOLFSENTRY_ACTION_RES_STOP))
+ < 0)
+ fprintf(stderr,
+ "wolfsentry_route_table_default_policy_set() returned "
+ WOLFSENTRY_ERROR_FMT "\n",
+ WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
 }
 if (wolfsentry_ret >= 0) {
@@ -2008,8 +2042,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 WOLFSENTRY_ROUTE_FLAG_SA_PROTO_WILDCARD |
 WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_PORT_WILDCARD |
 WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_PORT_WILDCARD,
- 0 /* event_label_len */, 0 /* event_label */, &id, &action_results)) < 0)
- fprintf(stderr, "wolfsentry_route_insert_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
+ 0 /* event_label_len */, 0 /* event_label */, &id,
+ &action_results)) < 0)
+ fprintf(stderr, "wolfsentry_route_insert_static() returned "
+ WOLFSENTRY_ERROR_FMT "\n",
+ WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
 }
 if (wolfsentry_ret < 0)
@@ -2017,8 +2054,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 }
- if (wolfSSL_CTX_set_AcceptFilter(ctx, (NetworkFilterCallback_t)wolfSentry_NetworkFilterCallback, wolfsentry) < 0)
- err_sys_ex(catastrophic, "unable to install wolfSentry_NetworkFilterCallback");
+ if (wolfSSL_CTX_set_AcceptFilter(
+ ctx,
+ (NetworkFilterCallback_t)wolfSentry_NetworkFilterCallback,
+ wolfsentry) < 0)
+ err_sys_ex(catastrophic,
+ "unable to install wolfSentry_NetworkFilterCallback");
 #endif
 if (simulateWantWrite)
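Review bot: The result of `wolfSSL_get_ex_new_index(0, NULL, NULL, NULL, NULL)` in the first hunk of this stretch is stored into wolfsentry_data_index without being checked; if index allocation fails (presumably a negative return, mirroring the `< 0` sentinel the guard just before it already uses), startup continues and every later accept dies in wolfsentry_store_endpoints with the unrelated message `error in wolfsentry_store_endpoints()`. A check right after the assignment gives a useful diagnosis: `if (wolfsentry_data_index < 0) err_sys_ex(catastrophic, "unable to get ex_data index for wolfSentry");`. The following two hunks (route insertion and the wolfSSL_CTX_set_AcceptFilter install) only rewrap lines. server_test continues on both sides of these hunks.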
@@ -2713,13 +2754,20 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 {
 SOCKADDR_IN_T local_addr;
 socklen_t local_len = sizeof(local_addr);
- getsockname(clientfd, (struct sockaddr *)&local_addr, (socklen_t *)&local_len);
+ getsockname(clientfd, (struct sockaddr *)&local_addr,
+ (socklen_t *)&local_len);
- if (((struct sockaddr *)&client_addr)->sa_family != ((struct sockaddr *)&local_addr)->sa_family)
- err_sys_ex(catastrophic, "client_addr.sa_family != local_addr.sa_family");
+ if (((struct sockaddr *)&client_addr)->sa_family !=
+ ((struct sockaddr *)&local_addr)->sa_family)
+ err_sys_ex(catastrophic,
+ "client_addr.sa_family != local_addr.sa_family");
- if (wolfsentry_store_endpoints(ssl, &client_addr, &local_addr, dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) != WOLFSSL_SUCCESS)
- err_sys_ex(catastrophic, "error in wolfsentry_store_endpoints()");
+ if (wolfsentry_store_endpoints(
+ ssl, &client_addr, &local_addr,
+ dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP,
+ WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) != WOLFSSL_SUCCESS)
+ err_sys_ex(catastrophic,
+ "error in wolfsentry_store_endpoints()");
 }
 #endif /* WOLFSSL_WOLFSENTRY_HOOKS */
@@ -3107,7 +3155,9 @@ exit:
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
 wolfsentry_ret = wolfsentry_shutdown(&wolfsentry);
 if (wolfsentry_ret < 0) {
- fprintf(stderr, "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
+ fprintf(stderr,
+ "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT "\n",
+ WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
 }
 #endif
diff --git a/src/internal.c b/src/internal.c
index eb977bac1..fcf5a49f3 100644
--- a/src/internal.c
+++ b/src/internal.c
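Review bot: The return value of getsockname on the first added line is still discarded; if the call fails, local_addr is left uninitialized and its sa_family is then compared and handed to wolfsentry_store_endpoints as the route's local endpoint, so guard it: `if (getsockname(clientfd, (struct sockaddr *)&local_addr, &local_len) < 0) err_sys_ex(catastrophic, "getsockname() failed");`. The `(socklen_t *)&local_len` cast is redundant since local_len is declared socklen_t two lines above. The wolfsentry_shutdown hunk that follows is a pure rewrap. The enclosing server_test body lies outside both hunks.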
@@ -1884,11 +1884,13 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
 }
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
-void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int n_ex_data)
+void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data)
 {
+ int n_ex_data = (int)(sizeof ex_data->ex_data / sizeof ex_data->ex_data[0]);
 for (--n_ex_data; n_ex_data >= 0; --n_ex_data) {
 if (ex_data->ex_data[n_ex_data] != NULL)
- (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(ex_data, n_ex_data, NULL, NULL);
+ (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(ex_data, n_ex_data,
+ NULL, NULL);
 }
 }
 #endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
@@ -1902,7 +1904,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
 #endif
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data);
 #endif
 #ifdef HAVE_WOLF_EVENT
@@ -6437,7 +6439,7 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 * using stream ciphers where it is retained. */
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&ssl->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&ssl->ex_data);
 #endif
 FreeCiphers(ssl);
diff --git a/src/ssl.c b/src/ssl.c
index ea8ccfc60..1dd3f0706 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1015,7 +1015,11 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
-int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) {
+int wolfSSL_CTX_set_AcceptFilter(
+ WOLFSSL_CTX *ctx,
+ NetworkFilterCallback_t AcceptFilter,
+ void *AcceptFilter_arg)
+{
 if (ctx == NULL)
 return BAD_FUNC_ARG;
 ctx->AcceptFilter = AcceptFilter;
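Review bot: wolfSSL_CRYPTO_cleanup_ex_data now derives its slot count from the struct itself but still carries no comment, even though this patch makes it the common teardown step for ctx, ssl, bio, x509, session, store, store_ctx and rsa; a short header above the definition would help: `/* Clear every ex_data slot that is still set, highest index first, by writing NULL through wolfSSL_CRYPTO_set_ex_data_with_cleanup() (presumably so any registered cleanup routine runs before the owner is freed). */`. The `(int)` cast and signed n_ex_data are deliberate because the countdown loop has to reach -1, which a size_t could not; that deserves a one-line comment too, since a later reader may be tempted to "fix" it. The wolfSSL_CTX_set_AcceptFilter hunk at the end of this stretch runs past the chunk boundary.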
@@ -1023,7 +1027,11 @@ int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t Accep
 return WOLFSSL_SUCCESS;
 }
-int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) {
+int wolfSSL_set_AcceptFilter(
+ WOLFSSL *ssl,
+ NetworkFilterCallback_t AcceptFilter,
+ void *AcceptFilter_arg)
+{
 if (ssl == NULL)
 return BAD_FUNC_ARG;
 ssl->AcceptFilter = AcceptFilter;
@@ -12921,7 +12929,8 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
 if (ssl->AcceptFilter) {
 wolfSSL_netfilter_decision_t res;
- if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) &&
+ if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
+ WOLFSSL_SUCCESS) &&
 (res == WOLFSSL_NETFILTER_REJECT)) {
 WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E);
 return WOLFSSL_FATAL_ERROR;
@@ -16308,7 +16317,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 WOLFSSL_ENTER("wolfSSL_BIO_free");
 if (bio) {
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&bio->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&bio->ex_data);
 #endif
 if (bio->infoCb) {
 /* info callback is called before free */
@@ -18755,7 +18764,7 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
 WOLFSSL_ENTER("ExternalFreeX509");
 if (x509) {
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&x509->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&x509->ex_data);
 #endif
 if (x509->dynamicMemory) {
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
@@ -21958,7 +21967,7 @@ void FreeSession(WOLFSSL_SESSION* session, int isAlloced)
 return;
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&session->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&session->ex_data);
 #endif
 #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
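Review bot: The rewrapped accept-filter condition in the wolfSSL_accept hunk fails open: a callback that returns anything other than WOLFSSL_SUCCESS lets the handshake proceed, and one that returns WOLFSSL_SUCCESS without writing `res` makes the `res == WOLFSSL_NETFILTER_REJECT` test read an uninitialized variable. Initializing the declaration, `wolfSSL_netfilter_decision_t res = WOLFSSL_NETFILTER_PASS;`, removes the uninitialized read, and the fail-open treatment of a callback error should be stated in a comment next to the condition (or changed to fail closed) so integrators know a failing filter does not block connections. The identical condition in src/tls13.c (wolfSSL_accept_TLSv13) has the same shape and needs the same treatment. The remaining hunks here are the mechanical single-argument wolfSSL_CRYPTO_cleanup_ex_data calls; the enclosing functions continue on both sides of each hunk.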
@@ -26086,7 +26095,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store)
 return;
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&store->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&store->ex_data);
 #endif
 if (store->isDynamic) {
@@ -26304,7 +26313,7 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx)
 WOLFSSL_ENTER("X509_STORE_CTX_free");
 if (ctx != NULL) {
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data);
 #endif
 #ifdef OPENSSL_EXTRA
 if (ctx->param != NULL){
@@ -44923,8 +44932,8 @@ int wolfSSL_set_app_data(WOLFSSL *ssl, void* arg) {
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
-#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
- defined(WOLFSSL_WPAS_SMALL)
+#if defined(HAVE_EX_DATA) || defined(OPENSSL_EXTRA) ||
+ defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL)
 int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data)
 {
@@ -48808,8 +48817,8 @@ void wolfSSL_OPENSSL_config(char *config_name)
 #endif /* !NO_WOLFSSL_STUB */
 #endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */
-#if defined(HAVE_EX_DATA) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \
- defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \
+ || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
 int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c)
 {
@@ -53442,7 +53451,7 @@ void wolfSSL_RSA_free(WOLFSSL_RSA* rsa)
 if (rsa) {
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&rsa->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&rsa->ex_data);
 #endif
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
 int doFree = 0;
diff --git a/src/tls13.c b/src/tls13.c
index 3290dd2c6..fd686a747 100644
--- a/src/tls13.c
+++ b/src/tls13.c
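Review bot: The first added `#if` line of the wolfSSL_set_ex_data gate ends in `||` with no line-continuation backslash as rendered here, unlike the old line it replaces and the wolfSSL_X509_get_ex_new_index gate further down, both of which keep their `\`; if that reflects the commit rather than a rendering artefact, the preprocessor sees `#if ... ||` with a missing right operand and src/ssl.c stops compiling in every configuration, with the second line then parsed as a stray expression statement. The fix is the trailing backslash: `#if defined(HAVE_EX_DATA) || defined(OPENSSL_EXTRA) || \`. The other hunks in this stretch are the mechanical single-argument wolfSSL_CRYPTO_cleanup_ex_data calls.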
@@ -8359,7 +8359,8 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
 if (ssl->AcceptFilter) {
 wolfSSL_netfilter_decision_t res;
- if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) &&
+ if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
+ WOLFSSL_SUCCESS) &&
 (res == WOLFSSL_NETFILTER_REJECT)) {
 WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E);
 return WOLFSSL_FATAL_ERROR;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 266b8589c..9ceb7a1fd 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3044,7 +3044,7 @@ WOLFSSL_LOCAL void SSL_CtxResourceFree(WOLFSSL_CTX*);
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
-void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int n_ex_data);
+void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data);
 #endif
 WOLFSSL_LOCAL
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 786f14b20..ef2b7143b 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1149,9 +1149,18 @@ typedef enum {
 WOLFSSL_NETFILTER_REJECT = 2
 } wolfSSL_netfilter_decision_t;
-typedef int (*NetworkFilterCallback_t)(WOLFSSL *ssl, void *AcceptFilter_arg, wolfSSL_netfilter_decision_t *decision);
-WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg);
-WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg);
+typedef int (*NetworkFilterCallback_t)(
+ WOLFSSL *ssl,
+ void *AcceptFilter_arg,
+ wolfSSL_netfilter_decision_t *decision);
+WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(
+ WOLFSSL_CTX *ctx,
+ NetworkFilterCallback_t AcceptFilter,
+ void *AcceptFilter_arg);
+WOLFSSL_API int wolfSSL_set_AcceptFilter(
+ WOLFSSL *ssl,
+ NetworkFilterCallback_t AcceptFilter,
+ void *AcceptFilter_arg);
 #endif /* WOLFSSL_WOLFSENTRY_HOOKS */
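Review bot: The public `NetworkFilterCallback_t` typedef in the wolfssl/ssl.h hunk is rewrapped but still documents no contract, while the callers in src/ssl.c and src/tls13.c only refuse the connection when the callback returns WOLFSSL_SUCCESS and stores WOLFSSL_NETFILTER_REJECT in `*decision`. A Doxygen comment on the typedef should say that the callback must return WOLFSSL_SUCCESS and always write `*decision` (PASS or REJECT), that any other return value counts as no decision and the accept proceeds, and that `AcceptFilter_arg` is the opaque pointer handed to wolfSSL_CTX_set_AcceptFilter / wolfSSL_set_AcceptFilter. The two setter declarations can carry a one-liner matching their definitions in src/ssl.c: `/** Install the accept filter and its argument; returns WOLFSSL_SUCCESS, or BAD_FUNC_ARG when the handle is NULL. */`. The tls13.c and internal.h hunks are mechanical rewraps of lines already reviewed in src/ssl.c.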