forked from wolfSSL/wolfssl
Add Apache HTTP Server compatibility and --enable-apachehttpd option (#2466)

* Added Apache httpd support `--enable-apachehttpd`.
* Added `SSL_CIPHER_get_version`, `BIO_new_fp`, `SSL_SESSION_print` and `SSL_in_connect_init` compatibility APIs.
* Fix to expose `ASN1_UTCTIME_print` stub.
* Pulled in `wolfSSL_X509_get_ext_count` from QT.
* Added `X509_get_ext_count`, `BIO_set_callback`, `BIO_set_callback_arg` and `BIO_get_callback_arg`.
* Added `wolfSSL_ERR_print_errors`.
* Added `BIO_set_nbio` template.
* Fixes for building with Apache httpd.
* Added DH prime functions required for Apache httpd.
* Fix and move the BN DH prime macros.
* Fix for `SSL_CTX_set_tlsext_servername_arg` to have return code.
* Only add the `BN_get_rfc*_prime_*` macros if older than 1.1.0.
* Added `ERR_GET_FUNC`, `SSL_CTX_clear_extra_chain_certs` prototypes.
* Added `wolfSSL_CTX_set_client_cert_cb` template and `OPENSSL_load_builtin_modules` stub macro.
* Added `X509_INFO` templates (`X509_INFO_new`, `X509_INFO_free`, `sk_X509_INFO_new_null`, `sk_X509_INFO_num`, `sk_X509_INFO_value`, `sk_X509_INFO_free`). Added `sk_X509_shift`.
* Added BIO_set_callback, BIO_get_callback, BIO_set_callback_arg, BIO_get_callback_arg
* add BIO_set_nbio, ERR_print_errors and tests
* add X509 INFO stack push function
* Add ASN1_UTCTIME_print and unit test
* Add X509_get_ext_count unit test
* initial commit of wolfSSL_PEM_X509_INFO_read_bio
* Added `sk_X509_NAME_new`, `sk_X509_NAME_push`, `sk_X509_NAME_find`, `sk_X509_NAME_set_cmp_func` and `sk_X509_NAME_free`. Grouped `sk_X509_NAME_*` functions.
* Cleanup sk X509 NAME/INFO pop free template.
* Advance openssl compatibility to v1.1.0 for Apache httpd. Added TLS version macros. Implemented sk X509 NAME/INFO pop and pop_free.
* Added `TLS_client_method` support.
* Added `SSL_get_server_tmp_key` and `EC_curve_nid2nist`.
* Added `SSL_CTX_set_min_proto_version` and `SSL_CTX_set_max_proto_version`. Fix for `BN_get_rfc*_prime_*` with the v1.1.0 change.
* add test cases for PEM_X509_INFO_read_bio
* Fixes for `BN_get_rfc*_prime_*` macros. Added template for `SSL_DH_set0_pqg`. Fix for `SSL_OP_NO_` to use Macros (as is done in openssl). Added `SSL_set_verify_result`. Added stub for `OPENSSL_malloc_init`.
* Apache httpd compatibility functions. BIO setter/getters.
* implement ASN1_TIME_check and add test case
* add SSL_get_client_CA_list
* add initial implementation of wolfSSL_DH_set0_pqg
* Add apache support to OBJ_txt2nid and unit test, add stub for OBJ_create
* add X509_STORE_CTX_get1_chain, sk_free, sk_X509_dup
* Add sk_SSL_COMP_num and SSL_COMP struct
* implement and test of SSL_SESSION_print
* add SSL_CTX_set_client_cert_cb
* expand BIO_printf and add test case
* Added `OCSP_CERTID_dup`. Added `ASN1_TYPE`.
* add implementation for wolfSSL_get_server_tmp_key
* add wolfSSL_BIO_puts and test case
* Add X509_EXTENSION_get_object and X509_EXTENSION_get_data
* add helper for bio flag set and null x509 stack
* add test and implementation for wolfSSL_i2d_PrivateKey
* Added `ASN1_OTHERNAME`, `ACCESS_DESCRIPTION` and `GENERAL_NAME`. Added `sk_ACCESS_DESCRIPTION_pop_free` and `ACCESS_DESCRIPTION_free` stubs.
* add wolfSSL_PEM_read_bio_ECPKParameters
* add BIO_vfree
* add X509_up_ref
* add X509_STORE_CTX_set_ex_data
* add _GNU_SOURCE macro and wolfSSL_EVP_read_pw_string
* add wolfSSL_EVP_PKEY_ref_up function
* X509_get_ext, X509V3_EXT_print, and d2i_DISPLAYTEXT stubs
* add X509_set_issuer_name
* add wolfSSL_sk_SSL_CIPHER_* functions and tests
* add prototype for sk_X509_EXTENSION and ACCESS_DESCRIPTION
* fix casting to avoid clang warning
* adjust test_wolfSSL_X509_STORE_CTX test case
* Added `OpenSSL_version`
* renegotiate functions and additional stack functions
* add additional stub functions
* Add Apache httpd requirements for ALPN, CRL, Cert Gen/Req/Ext and SecRen. Fix for `sk_X509_INFO_new_null`.
* add ocsp stub functions
* Proper fix for `sk_X509_INFO_new_null`. Added templates for `X509_get_ext_by_NID` and `X509_add_ext`. Added templates for `ASN1_TIME_diff` and `ASN1_TIME_set`.
* x509 extension stack additions
* Fixed template for `OCSP_id_get0_info`.
* add X509 stub functions
* add X509_STORE_CTX_get0_store() and unit test
* Added `EVP_PKEY_CTX_new_id`, `EVP_PKEY_CTX_set_rsa_keygen_bits`, `EVP_PKEY_keygen_init`, `EVP_PKEY_keygen` and `BN_to_ASN1_INTEGER`.
* x509v3 stubs and req add extensions
* Add OBJ_txt2obj and unit test; add long name to wolfssl_object_info table for use by OBJ_* functions
* wolfSSL_set_alpn_protos implementation
* Added `EVP_SignInit_ex` and `TLS_server_method` implementation. Added stubs for `RSA_get0_key` and `i2d_OCSP_REQUEST_bio`. Fix typo on `OCSP_response_create`. Fix warning in `wolfSSL_set_alpn_protos`.
* Added `X509_EXTENSION_free` stub. Fixed a few macro typos/adding missing.
* add X509_STORE_CTX_get0_current_issuer and unit test
* add OBJ_cmp and unit test
* add RSA_get0_key and unit test
* add OCSP_check_nonce
* Implement X509_set_notAfter/notBefore/serialNumber/version,X509_STORE_CTX_set_depth,X509V3_set_ctx.
* Modify wolfSSL_X509_set_notAfter/notBefore and add tests for each.
* Add test_wolfSSL_X509_set_version w/ fixes to _set_version and fix _set_notBefore/notAfter tests
* add OCSP_id_get0_info and unit test, move WOLFSSL_ASN1_INTEGER to asn_public.h from ssl.h
* initial implementation of wolfSSL_X509_sign
* add debugging messages and set data for BIOs
* Add i2d_OCSP_REQUEST_bio.
* implementation of some WOLFSSL_BIO_METHOD custom functions
* fix for ASN time structure and remove log node
* initial eNULL support and sanity checks
* fixes after rebasing code
* adjust test cases and ASN1_TIME print
* Various fixes for memory leaks
* Apache compatibility in CTX_set_client_CA_list for X509_NAME use; add X509_NAME_dup as supporting function
* Add initial X509_STORE_load_locations stub for Apache
* Updates to X509_get_ext_d2i to return GENERAL_NAME struct instead of ASN1_OBJECT for alternative names and add supporting GENERAL_NAME functions
* Add X509_STORE_load_locations implementation; add wolfSSL_CertManagerLoadCRL_ex; initial renegotiation fixes/updates
* Fix for freeing peer cert in wolfSSL_Rehandshake instead of FreeHandShakeResources during secure renegotiation
* Add X509_ALGOR and X509_PUBKEY structs for X509_PUBKEY_get0_param and X509_get_X509_PUBKEY implementation
* Initial implementation of wolfSSL_X509_get_X509_PUBKEY and wolfSSL_X509_PUBKEY_get0_param
* Add implementation for X509_get0_tbs_sigalg and X509_ALGOR_get0
* Add OBJ_nid2ln implementation
* Fix compile errors in tests/api.c for some build options
* Updates to X509_STORE_load_locations for non-CRL types; Add additional DETECT_CERT_TYPE enum and logic for detecting certificate type in ProcessFile
* Add X509_STORE_load_locations unit test and minor error handling fixes
* Add unit test for X509_sign
* Set correct alert type for revoked certificates; add/fix a few WOLFSSL_ENTER messages
* Add X509_ALGOR member to X509 struct; refactoring and unit tests for wolfSSL_X509_ALGOR_get0 and wolfSSL_X509_get0_tbs_sigalg
* Add X509_PUBKEY member to X509 struct; refactoring and unit tests for wolfSSL_X509_get_X509_PUBKEY and wolfSSL_X509_PUBKEY_get0_param
* Stack fixes after rebase
* Secure renegotiation refactoring: add ACCEPT_BEGIN_RENEG to AcceptState for use in wolfSSL_SSL_in_connect_init; free old peer cert when receiving new cert to fix memory leak
* Move enc-then-mac enable option in configure.ac for apache httpd compatibility
* Simplify wolfSSL_SSL_in_connect_init logic
* Remove unneeded wolfSSL_CertManagerLoadCRL_ex
* Fixes for jenkins test failures
* SSL_get_secure_renegotiation_support for print statement in Apache
Committed by: David Garske
Parent: dfc00bf057
Commit: 2dafd2102c
113
configure.ac
@@ -2941,19 +2941,6 @@ then
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_EXTENDED_MASTER"
|
||||
fi
|
||||
|
||||
# Encrypt-Then-Mac
|
||||
AC_ARG_ENABLE([enc-then-mac],
|
||||
[AS_HELP_STRING([--enable-enc-then-mac],[Enable Encryptr-Then-Mac extension (default: enabled)])],
|
||||
[ ENABLED_ENCRYPT_THEN_MAC=$enableval ],
|
||||
[ ENABLED_ENCRYPT_THEN_MAC=yes ]
|
||||
)
|
||||
|
||||
if test "x$ENABLED_ENCRYPT_THEN_MAC" = "xyes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_ENCRYPT_THEN_MAC"
|
||||
fi
|
||||
|
||||
|
||||
# TLS Extensions
|
||||
AC_ARG_ENABLE([tlsx],
|
||||
[AS_HELP_STRING([--enable-tlsx],[Enable all TLS Extensions (default: disabled)])],
|
||||
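Review bot: Relocating the `AC_ARG_ENABLE([enc-then-mac], ...)` block out of this position leaves `ENABLED_ENCRYPT_THEN_MAC` unset for everything that runs between here and its new home after the Apache HTTPD section, so the ordering is now load-bearing and undocumented. Add a comment at the new location saying the option must be evaluated after the apachehttpd and tlsx handling. Since the block is being moved anyway, also correct the help string, which reads `Enable Encryptr-Then-Mac extension`.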
@@ -2974,7 +2961,7 @@ then
|
||||
ENABLED_ALPN=yes
|
||||
ENABLED_TRUSTED_CA=yes
|
||||
ENABLED_ENCRYPT_THEN_MAC=yes
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_ALPN -DHAVE_TRUSTED_CA -DHAVE_ENCRYPT_THEN_MAC"
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_ALPN -DHAVE_TRUSTED_CA"
|
||||
# Check the ECC supported curves prereq
|
||||
AS_IF([test "x$ENABLED_ECC" = "xyes" || test "x$ENABLED_CURVE25519" = "xyes"],
|
||||
[ENABLED_SUPPORTED_CURVES=yes
|
||||
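Review bot: The `ENABLED_ENCRYPT_THEN_MAC=yes` assignment kept in this tlsx block is now dead. The relocated `AC_ARG_ENABLE([enc-then-mac], ...)` runs later and assigns the variable in both of its branches (`$enableval` or `yes`), and the new `if test "x$ENABLED_TLSX" = "xyes"` check after it sets the value again. Remove the assignment here along with the `-DHAVE_ENCRYPT_THEN_MAC` flag that was dropped from the `AM_CFLAGS` line, so the variable and the define are both decided in one place.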
@@ -3348,6 +3335,103 @@ then
|
||||
fi
|
||||
fi
|
||||
|
||||
# Apache HTTPD
|
||||
AC_ARG_ENABLE([apachehttpd],
|
||||
[AS_HELP_STRING([--enable-apachehttpd],[Enable Apache httpd (default: disabled)])],
|
||||
[ ENABLED_APACHE_HTTPD=$enableval ],
|
||||
[ ENABLED_APACHE_HTTPD=no ]
|
||||
)
|
||||
if test "$ENABLED_APACHE_HTTPD" = "yes"
|
||||
then
|
||||
# Requires opensslextra and opensslall
|
||||
if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
|
||||
then
|
||||
ENABLED_OPENSSLALL="yes"
|
||||
ENABLED_OPENSSLEXTRA="yes"
|
||||
AM_CFLAGS="-DOPENSSL_EXTRA -DOPENSSL_ALL $AM_CFLAGS"
|
||||
fi
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_APACHE_HTTPD"
|
||||
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_NO_SSL2 -DOPENSSL_NO_SSL3 -DOPENSSL_NO_COMP"
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DWOLFSSL_SIGNER_DER_CERT"
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT -DWOLFSSL_CERT_GEN"
|
||||
|
||||
# Requires OCSP make sure on
|
||||
if test "x$ENABLED_OCSP" = "xno"
|
||||
then
|
||||
ENABLED_OCSP="yes"
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP"
|
||||
AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"])
|
||||
fi
|
||||
|
||||
# Requires sessioncerts make sure on
|
||||
if test "x$ENABLED_SESSIONCERTS" = "xno"
|
||||
then
|
||||
ENABLED_SESSIONCERTS="yes"
|
||||
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
|
||||
fi
|
||||
|
||||
# Requires ALPN
|
||||
if test "x$ENABLED_ALPN" = "xno"
|
||||
then
|
||||
ENABLED_ALPN="yes"
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"
|
||||
fi
|
||||
|
||||
# Requires CRL
|
||||
if test "x$ENABLED_CRL" = "xno"
|
||||
then
|
||||
ENABLED_CRL="yes"
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
|
||||
AM_CONDITIONAL([BUILD_CRL], [test "x$ENABLED_CRL" = "xyes"])
|
||||
fi
|
||||
|
||||
# Requires Certificate Generation, Request and Extensions
|
||||
if test "x$ENABLED_CERTGEN" = "xno"
|
||||
then
|
||||
ENABLED_CERTGEN="yes"
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
|
||||
fi
|
||||
if test "x$ENABLED_CERTREQ" = "xno"
|
||||
then
|
||||
ENABLED_CERTREQ="yes"
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
|
||||
fi
|
||||
if test "x$ENABLED_CERTEXT" = "xno"
|
||||
then
|
||||
ENABLED_CERTEXT="yes"
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"
|
||||
fi
|
||||
|
||||
# Requires Secure Renegotiation
|
||||
if test "x$ENABLED_SECURE_RENEGOTIATION" = "xno"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_SECURE_RENEGOTIATION -DHAVE_SERVER_RENEGOTIATION_INFO"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Encrypt-Then-Mac
|
||||
AC_ARG_ENABLE([enc-then-mac],
|
||||
[AS_HELP_STRING([--enable-enc-then-mac],[Enable Encryptr-Then-Mac extension (default: enabled)])],
|
||||
[ ENABLED_ENCRYPT_THEN_MAC=$enableval ],
|
||||
[ ENABLED_ENCRYPT_THEN_MAC=yes ]
|
||||
)
|
||||
|
||||
if test "x$ENABLED_APACHE_HTTPD" = "xyes"
|
||||
then
|
||||
ENABLED_ENCRYPT_THEN_MAC=no
|
||||
fi
|
||||
|
||||
if test "x$ENABLED_TLSX" = "xyes"
|
||||
then
|
||||
ENABLED_ENCRYPT_THEN_MAC=yes
|
||||
fi
|
||||
|
||||
if test "x$ENABLED_ENCRYPT_THEN_MAC" = "xyes"
|
||||
then
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_ENCRYPT_THEN_MAC"
|
||||
fi
|
||||
|
||||
|
||||
# stunnel Support
|
||||
AC_ARG_ENABLE([stunnel],
|
||||
[AS_HELP_STRING([--enable-stunnel],[Enable stunnel (default: disabled)])],
|
||||
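Review bot: The Encrypt-Then-Mac resolution at the end of this hunk silently overrides explicit user choices and contradicts itself when options are combined. After `AC_ARG_ENABLE` stores the user's value, `--enable-apachehttpd` forces `ENABLED_ENCRYPT_THEN_MAC=no`, and then `ENABLED_TLSX = yes` forces it back to `yes`. The result is that `--enable-apachehttpd --enable-tlsx` builds with `HAVE_ENCRYPT_THEN_MAC` even though the Apache path is meant to turn it off, and `--disable-enc-then-mac --enable-tlsx` ignores the explicit disable. Decide which option wins, apply the override only when the user did not pass the flag, and emit an `AC_MSG_WARN` or `AC_MSG_ERROR` on a conflicting combination. Two smaller points in the Apache block: the Secure Renegotiation branch appends `-DHAVE_SECURE_RENEGOTIATION -DHAVE_SERVER_RENEGOTIATION_INFO` but, unlike the OCSP, CRL, ALPN and cert branches, never sets `ENABLED_SECURE_RENEGOTIATION="yes"`, so later tests of that variable will still see `no`; and `AM_CONDITIONAL([BUILD_OCSP], ...)` and `AM_CONDITIONAL([BUILD_CRL], ...)` are invoked inside shell `if` blocks, whereas automake requires every `AM_CONDITIONAL` to run on each configure invocation, so they should be evaluated once, unconditionally, after all `ENABLED_*` overrides are final.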
@@ -5011,6 +5095,7 @@ echo " * I/O POOL: $ENABLED_IOPOOL"
|
||||
echo " * LIGHTY: $ENABLED_LIGHTY"
|
||||
echo " * HAPROXY: $ENABLED_HAPROXY"
|
||||
echo " * STUNNEL: $ENABLED_STUNNEL"
|
||||
echo " * Apache httpd: $ENABLED_APACHE_HTTPD"
|
||||
echo " * NGINX: $ENABLED_NGINX"
|
||||
echo " * ASIO: $ENABLED_ASIO"
|
||||
echo " * SIGNAL: $ENABLED_SIGNAL"
|
||||
|
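Review bot: The new summary line uses the label `Apache httpd` while the neighbouring entries (`LIGHTY`, `HAPROXY`, `STUNNEL`, `NGINX`) are upper case; use a matching label so the configure summary stays easy to scan and grep. Because `--enable-apachehttpd` also switches on OCSP, CRL, ALPN, session certs and certificate generation, check that the summary lines for those features are printed from the `ENABLED_*` values as they stand after the Apache block has run, so the report reflects what was actually built.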