From 034248b96462007fd1e0a5cefaab46f6336f9505 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Sat, 5 Dec 2020 15:33:56 -0500 Subject: [PATCH 1/3] add more missing HAVE_LIGHTY --- src/tls13.c | 2 +- wolfssl/wolfcrypt/settings.h | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index 1b071bbbb..85b68d316 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -4002,7 +4002,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) + defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) if ((ret = SNI_Callback(ssl)) != 0) return ret; ssl->options.side = WOLFSSL_SERVER_END; diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index a4614f01b..bff77aabb 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2173,7 +2173,8 @@ extern void uITRON4_free(void *p) ; #undef HAVE_GMTIME_R /* don't trust macro with windows */ #endif /* WOLFSSL_MYSQL_COMPATIBLE */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ + || defined(HAVE_LIGHTY) #define SSL_OP_NO_COMPRESSION SSL_OP_NO_COMPRESSION #define OPENSSL_NO_ENGINE #define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT @@ -2194,7 +2195,8 @@ extern void uITRON4_free(void *p) ; #endif #endif -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) || defined(OPENSSL_ALL) +#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) || defined(OPENSSL_ALL) \ + || defined(HAVE_LIGHTY) #define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 #endif 
@@ -2267,7 +2269,8 @@ extern void uITRON4_free(void *p) ; #endif /* Parts of the openssl compatibility layer require peer certs */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ + || defined(HAVE_LIGHTY) #undef KEEP_PEER_CERT #define KEEP_PEER_CERT #endif From 9d095066eb7726dadc540ba8e3ef146728266113 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Sat, 5 Dec 2020 17:09:19 -0500 Subject: [PATCH 2/3] wrap SNI-related code with HAVE_SNI perhaps some of this code should additionally be wrapped in - #ifndef NO_WOLFSSL_SERVER It is fragile and ugly to litter the code with the likes of - #if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || \ - defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) || \ - defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_OPENSSH) )) while it is much clearer and much more maintainable to wrap SNI-related code with an SNI-specific feature-define HAVE_SNI (and possibly further restrict with feature-define #ifndef NO_WOLFSSL_SERVER). --- src/internal.c | 7 +++---- src/ssl.c | 10 ++++++---- src/tls.c | 8 ++++++++ src/tls13.c | 5 ++--- wolfssl/internal.h | 10 ++++++---- wolfssl/ssl.h | 13 ++++++++++--- wolfssl/wolfcrypt/settings.h | 3 +-- 7 files changed, 36 insertions(+), 20 deletions(-) diff --git a/src/internal.c b/src/internal.c index 69a4bb84b..eb3a2059b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -27868,7 +27868,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, goto out; } #endif - #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) + #ifdef HAVE_SNI if((ret=SNI_Callback(ssl))) goto out; ssl->options.side = WOLFSSL_SERVER_END; 
@@ -30327,8 +30327,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif /* !WOLFSSL_NO_TLS12 */ -#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) +#ifdef HAVE_SNI int SNI_Callback(WOLFSSL* ssl) { /* Stunnel supports a custom sni callback to switch an SSL's ctx @@ -30344,7 +30343,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } return 0; } -#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ +#endif /* HAVE_SNI */ #endif /* NO_WOLFSSL_SERVER */ diff --git a/src/ssl.c b/src/ssl.c index 1d11f052b..33b190ab6 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -41283,17 +41283,14 @@ long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt) switch (cmd) { #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) || defined(OPENSSL_ALL) + #ifdef HAVE_SNI case SSL_CTRL_SET_TLSEXT_HOSTNAME: WOLFSSL_MSG("Entering Case: SSL_CTRL_SET_TLSEXT_HOSTNAME."); - #ifdef HAVE_SNI if (pt == NULL) { WOLFSSL_MSG("Passed in NULL Host Name."); break; } return wolfSSL_set_tlsext_host_name(ssl, (const char*) pt); - #else - WOLFSSL_MSG("SNI not enabled."); - break; #endif /* HAVE_SNI */ #endif /* WOLFSSL_NGINX || WOLFSSL_QT || OPENSSL_ALL */ default: @@ -42750,6 +42747,8 @@ VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX* ctx) } +#ifdef HAVE_SNI + void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX* ctx, CallbackSniRecv cb) { WOLFSSL_ENTER("wolfSSL_CTX_set_servername_callback"); @@ -42778,6 +42777,9 @@ int wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX* ctx, void* arg) return WOLFSSL_FAILURE; } +#endif /* HAVE_SNI */ + + #ifndef NO_BIO void wolfSSL_ERR_load_BIO_strings(void) { WOLFSSL_ENTER("ERR_load_BIO_strings"); diff --git a/src/tls.c b/src/tls.c index 6fa50f9ec..1817876e4 100644 --- a/src/tls.c +++ b/src/tls.c 
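Review bot: Hoisting `#ifdef HAVE_SNI` above the `case` label in wolfSSL_ctrl is necessary once `SSL_CTRL_SET_TLSEXT_HOSTNAME` is itself only defined under HAVE_SNI (settings.h later in this series), but it also drops the "SNI not enabled." diagnostic, so an OPENSSL_ALL/NGINX/QT build without SNI now routes that command to `default:`, whose return value is outside the hunk. The outer guard still lists only WOLFSSL_NGINX, WOLFSSL_QT and OPENSSL_ALL, while settings.h now defines the constant for every HAVE_SNI build, so a HAPROXY or lighttpd build calling `wolfSSL_ctrl(ssl, SSL_CTRL_SET_TLSEXT_HOSTNAME, 0, name)` also lands in `default:` instead of setting the host name. I would key the arm on HAVE_SNI alone and drop the target-specific outer `#if`, or at least add a comment on it stating which compat targets are expected to reach this path. wolfSSL_ctrl's epilogue after the switch is not in the hunk.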
@@ -9186,9 +9186,11 @@ void TLSX_FreeAll(TLSX* list, void* heap) switch (extension->type) { +#ifdef HAVE_SNI case TLSX_SERVER_NAME: SNI_FREE_ALL((SNI*)extension->data, heap); break; +#endif case TLSX_TRUSTED_CA_KEYS: TCA_FREE_ALL((TCA*)extension->data, heap); @@ -9316,11 +9318,13 @@ static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType, switch (extension->type) { +#ifdef HAVE_SNI case TLSX_SERVER_NAME: /* SNI only sends the name on the request. */ if (isRequest) length += SNI_GET_SIZE((SNI*)extension->data); break; +#endif case TLSX_TRUSTED_CA_KEYS: /* TCA only sends the list on the request. */ @@ -9464,12 +9468,14 @@ static int TLSX_Write(TLSX* list, byte* output, byte* semaphore, /* extension data should be written internally. */ switch (extension->type) { +#ifdef HAVE_SNI case TLSX_SERVER_NAME: if (isRequest) { WOLFSSL_MSG("SNI extension to write"); offset += SNI_WRITE((SNI*)extension->data, output + offset); } break; +#endif case TLSX_TRUSTED_CA_KEYS: WOLFSSL_MSG("Trusted CA Indication extension to write"); @@ -10871,6 +10877,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType, return BUFFER_ERROR; switch (type) { +#ifdef HAVE_SNI case TLSX_SERVER_NAME: WOLFSSL_MSG("SNI extension received"); #ifdef WOLFSSL_DEBUG_TLS @@ -10891,6 +10898,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType, #endif ret = SNI_PARSE(ssl, input + offset, size, isRequest); break; +#endif case TLSX_TRUSTED_CA_KEYS: WOLFSSL_MSG("Trusted CA extension received"); diff --git a/src/tls13.c b/src/tls13.c index 85b68d316..82a030672 100644 --- a/src/tls13.c +++ b/src/tls13.c 
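Review bot: In TLSX_Parse, compiling out the `case TLSX_SERVER_NAME:` arm means a server_name extension received by a !HAVE_SNI build no longer goes through `SNI_PARSE` but through the `default:` arm, which is outside the hunk. If that arm treats unrecognised extension types as an error for any message type, a !HAVE_SNI server would start failing ClientHellos that carry SNI, which is nearly all of them; if it only logs and skips `size` bytes the behaviour is unchanged, and the no-op `SNI_PARSE`/`SNI_WRITE`/`SNI_GET_SIZE`/`SNI_FREE_ALL` fallback definitions presumably in this file's `#else` branch become dead and should go. Either way the new `#ifdef` deserves a one-line comment, e.g. `/* !HAVE_SNI: server_name is handled by the unknown-extension path below */`. TLSX_Parse continues outside the hunk.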
@@ -4001,12 +4001,11 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, return ret; } -#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) +#ifdef HAVE_SNI if ((ret = SNI_Callback(ssl)) != 0) return ret; ssl->options.side = WOLFSSL_SERVER_END; -#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ +#endif i += totalExtSz; *inOutIdx = i; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c9613e25d..1852267c0 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1713,9 +1713,11 @@ WOLFSSL_LOCAL int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz); WOLFSSL_LOCAL int HashInput(WOLFSSL* ssl, const byte* input, int sz); -#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) +#ifdef HAVE_SNI +#ifndef NO_WOLFSSL_SERVER WOLFSSL_LOCAL int SNI_Callback(WOLFSSL* ssl); #endif +#endif #ifdef WOLFSSL_TLS13 WOLFSSL_LOCAL int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, const byte* aad, word16 aadSz); @@ -2163,7 +2165,9 @@ typedef struct Keys { #ifdef HAVE_TLS_EXTENSIONS typedef enum { +#ifdef HAVE_SNI TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */ +#endif TLSX_MAX_FRAGMENT_LENGTH = 0x0001, TLSX_TRUSTED_CA_KEYS = 0x0003, TLSX_TRUNCATED_HMAC = 0x0004, @@ -2818,9 +2822,7 @@ struct WOLFSSL_CTX { CallbackALPNSelect alpnSelect; void* alpnSelectArg; #endif -#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || \ - defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) || \ - defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_OPENSSH) )) +#ifdef HAVE_SNI CallbackSniRecv sniRecvCb; void* sniRecvCbArg; #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index b2e8a9836..a1d5a3c23 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
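Review bot: The `ssl->options.side = WOLFSSL_SERVER_END;` reset is now visibly tied to HAVE_SNI but nothing says why; the SNI_Callback comment in internal.c in this patch says the callback can switch the SSL's ctx, which presumably is what makes re-asserting the side necessary. A why-comment on that line would spare the next reader the search: `/* SNI callback may have swapped ssl->ctx; re-assert the server side */`. The closing `#endif` also lost its trailing comment, while the equivalent block in internal.c in this patch keeps `#endif /* HAVE_SNI */`; match it. DoTls13ClientHello continues outside the hunk.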
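Review bot: The nested `#ifdef HAVE_SNI` / `#ifndef NO_WOLFSSL_SERVER` around the SNI_Callback prototype leaves two bare `#endif`s, which is the kind of guard litter the commit message argues against; a single `#if defined(HAVE_SNI) && !defined(NO_WOLFSSL_SERVER)` with `#endif /* HAVE_SNI && !NO_WOLFSSL_SERVER */` says the same thing in one place. The definition in src/internal.c is guarded by `#ifdef HAVE_SNI` inside a region closed by `#endif /* NO_WOLFSSL_SERVER */`, so the combined condition mirrors it exactly.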
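Review bot: Compiling `TLSX_SERVER_NAME` out of the `TLSX_Type` enum turns every remaining reference to it into a compile error in !HAVE_SNI builds, not just the four switch arms this patch guards in src/tls.c; any other user of the enumerator elsewhere in the tree is not visible here and would need the same guard. Every enumerator in this enum carries an explicit value, so keeping the line unconditional costs nothing and keeps the type stable across configurations: `TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */` without the `#ifdef`, guarding only the code that handles the extension. If the enumerator is deliberately removed to make stray uses fail at compile time, the commit message should say so, since that is a build-breaking choice rather than dead-code removal.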
@@ -3544,9 +3544,6 @@ WOLFSSL_API int wolfSSL_X509_REQ_set_pubkey(WOLFSSL_X509 *req, #include -/* SNI received callback type */ -typedef int (*CallbackSniRecv)(WOLFSSL *ssl, int *ret, void* exArg); - WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int), void *(*r) (void *, size_t, const char *, int), void (*f) (void *)); @@ -3677,12 +3674,22 @@ WOLFSSL_API VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX*); WOLFSSL_API VerifyCallback wolfSSL_get_verify_callback(WOLFSSL*); +#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || HAVE_LIGHTY */ + +#ifdef HAVE_SNI +/* SNI received callback type */ +typedef int (*CallbackSniRecv)(WOLFSSL *ssl, int *ret, void* exArg); + WOLFSSL_API void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX *, CallbackSniRecv); WOLFSSL_API int wolfSSL_CTX_set_tlsext_servername_callback(WOLFSSL_CTX *, CallbackSniRecv); WOLFSSL_API int wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX *, void*); +#endif + +#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \ + || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) WOLFSSL_API void wolfSSL_ERR_remove_thread_state(void*); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index bff77aabb..53c1e1073 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2195,8 +2195,7 @@ extern void uITRON4_free(void *p) ; #endif #endif -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) || defined(OPENSSL_ALL) \ - || defined(HAVE_LIGHTY) +#ifdef HAVE_SNI #define SSL_CTRL_SET_TLSEXT_HOSTNAME 55 #endif From 59cefd2c9937ad7dd08fc69750cba30672a97e44 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Thu, 10 Dec 2020 15:44:37 -0500 Subject: [PATCH 3/3] match preproc defs around wolfSSL_ctrl() match preproc defs around wolfSSL_ctrl() in src/ssl.c --- wolfssl/ssl.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
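Review bot: The added `#endif` closes a guard whose `#if` is outside the hunk, and its comment lists `OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || HAVE_LIGHTY`, whereas the `#if` that re-opens the region after the HAVE_SNI block also includes `OPENSSL_EXTRA`. One of the two is wrong: either the comment is stale, or `wolfSSL_ERR_remove_thread_state` and whatever follows it are now declared for plain OPENSSL_EXTRA builds that did not see them before, with no matching change in src/ssl.c shown in this series. Make the re-opened `#if` byte-identical to the original guard and let the `#endif` comment quote that same condition; if widening to OPENSSL_EXTRA is intended, it belongs in the commit message. The declarations after `wolfSSL_ERR_remove_thread_state` are outside the hunk.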
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index a1d5a3c23..bdf3c515d 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3310,7 +3310,6 @@ WOLFSSL_LOCAL int NIDToEccEnum(int n); /* end of object functions */ WOLFSSL_API unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line); -WOLFSSL_API long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt); WOLFSSL_API long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt,void* pt); WOLFSSL_API long wolfSSL_CTX_callback_ctrl(WOLFSSL_CTX* ctx, int cmd, void (*fp)(void)); WOLFSSL_API long wolfSSL_CTX_clear_extra_chain_certs(WOLFSSL_CTX* ctx); @@ -3340,6 +3339,11 @@ WOLFSSL_API int wolfSSL_check_private_key(const WOLFSSL* ssl); #endif /* !NO_CERTS */ #endif /* OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ +#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) +WOLFSSL_API long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt); +#endif + #ifdef WOLFSSL_WPAS_SMALL /* WPA Supplicant requires GEN_ values */ #include
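Review bot: The new guard declares `wolfSSL_ctrl` for WOLFSSL_ASIO and WOLFSSL_HAPROXY, yet the only command its switch handles in this series, `SSL_CTRL_SET_TLSEXT_HOSTNAME`, is compiled in under `WOLFSSL_NGINX || WOLFSSL_QT || OPENSSL_ALL` in src/ssl.c (patch 2), so those two targets get a prototype whose every call falls into `default:`. The declaration previously sat inside the `OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL` region whose `#endif` is visible just above, so OPENSSL_EXTRA-only builds that used to see it now lose it; the commit says this matches src/ssl.c, which is not shown here. A comment on the new `#if` naming its counterpart would let the next reader verify the two stay aligned: `/* keep in sync with the guard around wolfSSL_ctrl() in src/ssl.c */`.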