feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #3871 from julek-wolfssl/openvpn-master

Browse Source 
OpenVPN additions and fixes
This commit is contained in:
Sean Parkinson
2021-06-08 13:54:14 +10:00
committed by GitHub
parent 194b494741 5865dc08dd
commit 88322b82a5
6 changed files with 151 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
src/ssl.c
View File

@@ -16759,19 +16759,78 @@ int wolfSSL_get_server_tmp_key(const WOLFSSL* ssl, WOLFSSL_EVP_PKEY** pkey)
#endif /* !NO_WOLFSSL_SERVER */
static int sanityCheckProtoVersion(WOLFSSL_CTX* ctx)
/**
* This function checks if any compiled in protocol versions are
* left enabled after calls to set_min or set_max API.
* @param ctx The WOLFSSL_CTX to check
* @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no
* protocol versions are left enabled.
*/
static int CheckSslMethodVersion(byte major, unsigned long options)
{
if ((ctx->mask & WOLFSSL_OP_NO_SSLv3) &&
(ctx->mask & WOLFSSL_OP_NO_TLSv1) &&
(ctx->mask & WOLFSSL_OP_NO_TLSv1_1) &&
(ctx->mask & WOLFSSL_OP_NO_TLSv1_2) &&
(ctx->mask & WOLFSSL_OP_NO_TLSv1_3)) {
WOLFSSL_MSG("All TLS versions disabled");
int sanityConfirmed = 0;
(void)options;
switch (major) {
#ifndef NO_TLS
case SSLv3_MAJOR:
#ifdef WOLFSSL_ALLOW_SSLV3
if (!(options & WOLFSSL_OP_NO_SSLv3)) {
sanityConfirmed = 1;
}
#endif
#ifndef NO_OLD_TLS
if (!(options & WOLFSSL_OP_NO_TLSv1))
sanityConfirmed = 1;
if (!(options & WOLFSSL_OP_NO_TLSv1_1))
sanityConfirmed = 1;
#endif
#ifndef WOLFSSL_NO_TLS12
if (!(options & WOLFSSL_OP_NO_TLSv1_2))
sanityConfirmed = 1;
#endif
#ifdef WOLFSSL_TLS13
if (!(options & WOLFSSL_OP_NO_TLSv1_3))
sanityConfirmed = 1;
#endif
break;
#endif
#ifdef WOLFSSL_DTLS
case DTLS_MAJOR:
sanityConfirmed = 1;
break;
#endif
default:
WOLFSSL_MSG("Invalid major version");
return WOLFSSL_FAILURE;
}
if (!sanityConfirmed) {
WOLFSSL_MSG("All compiled in TLS versions disabled");
return WOLFSSL_FAILURE;
}
return WOLFSSL_SUCCESS;
}
/**
* This function attempts to set the minimum protocol version to use by SSL
* objects created from this WOLFSSL_CTX. This API guarantees that a version
* of SSL/TLS lower than specified here will not be allowed. If the version
* specified is not compiled in then this API sets the lowest compiled in
* protocol version. CheckSslMethodVersion() is called to check if any
* remaining protocol versions are enabled.
* @param ctx
* @param version Any of the following
* * SSL3_VERSION
* * TLS1_VERSION
* * TLS1_1_VERSION
* * TLS1_2_VERSION
* * TLS1_3_VERSION
* * DTLS1_VERSION
* * DTLS1_2_VERSION
* @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no
* protocol versions are left enabled.
*/
int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
{
WOLFSSL_ENTER("wolfSSL_CTX_set_min_proto_version");
@@ -16781,36 +16840,36 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
}
switch (version) {
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
#ifndef NO_TLS
case SSL3_VERSION:
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
ctx->minDowngrade = SSLv3_MINOR;
break;
#endif
#ifndef NO_TLS
#ifndef NO_OLD_TLS
#ifdef WOLFSSL_ALLOW_TLSV10
case TLS1_VERSION:
#ifdef WOLFSSL_ALLOW_TLSV10
ctx->minDowngrade = TLSv1_MINOR;
break;
#endif
case TLS1_1_VERSION:
#ifndef NO_OLD_TLS
ctx->minDowngrade = TLSv1_1_MINOR;
break;
#endif
#ifndef WOLFSSL_NO_TLS12
#endif
case TLS1_2_VERSION:
#ifndef WOLFSSL_NO_TLS12
ctx->minDowngrade = TLSv1_2_MINOR;
break;
#endif
#ifdef WOLFSSL_TLS13
#endif
case TLS1_3_VERSION:
#ifdef WOLFSSL_TLS13
ctx->minDowngrade = TLSv1_3_MINOR;
break;
#endif
#endif
#endif
#ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION:
#ifndef NO_OLD_TLS
ctx->minDowngrade = DTLS_MINOR;
break;
#endif
@@ -16837,17 +16896,13 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
case TLS1_VERSION:
wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_SSLv3);
break;
#endif
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
case SSL3_VERSION:
case SSL2_VERSION:
/* Nothing to do here */
#endif
break;
#ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION:
#endif
#ifdef WOLFSSL_DTLS
case DTLS1_VERSION:
case DTLS1_2_VERSION:
break;
#endif
@@ -16856,9 +16911,28 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
return WOLFSSL_FAILURE;
}
return sanityCheckProtoVersion(ctx);
return CheckSslMethodVersion(ctx->method->version.major, ctx->mask);
}
/**
* This function attempts to set the maximum protocol version to use by SSL
* objects created from this WOLFSSL_CTX. This API guarantees that a version
* of SSL/TLS higher than specified here will not be allowed. If the version
* specified is not compiled in then this API sets the highest compiled in
* protocol version. CheckSslMethodVersion() is called to check if any
* remaining protocol versions are enabled.
* @param ctx
* @param version Any of the following
* * SSL3_VERSION
* * TLS1_VERSION
* * TLS1_1_VERSION
* * TLS1_2_VERSION
* * TLS1_3_VERSION
* * DTLS1_VERSION
* * DTLS1_2_VERSION
* @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no
* protocol versions are left enabled.
*/
int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
{
WOLFSSL_ENTER("wolfSSL_CTX_set_max_proto_version");
@@ -16872,7 +16946,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
case SSL2_VERSION:
WOLFSSL_MSG("wolfSSL does not support SSLv2");
return WOLFSSL_FAILURE;
#if (defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)) || !defined(NO_TLS)
#ifndef NO_TLS
case SSL3_VERSION:
wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1);
FALL_THROUGH;
@@ -16890,9 +16964,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
break;
#endif
#ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION:
#endif
case DTLS1_2_VERSION:
break;
#endif
@@ -16901,7 +16973,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
return WOLFSSL_FAILURE;
}
return sanityCheckProtoVersion(ctx);
return CheckSslMethodVersion(ctx->method->version.major, ctx->mask);
}
static int GetMinProtoVersion(int minDowngrade)

71
tests/api.c
View File

@@ -42956,55 +42956,46 @@ static void test_wolfSSL_CTX_get_min_proto_version(void)
printf(testingFmt, "wolfSSL_CTX_get_min_proto_version()");
#ifndef NO_OLD_TLS
#ifdef WOLFSSL_ALLOW_SSLV3
#ifdef NO_WOLFSSL_SERVER
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
#endif
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION);
wolfSSL_CTX_free(ctx);
#endif
#ifdef WOLFSSL_ALLOW_TLSV10
#ifdef NO_WOLFSSL_SERVER
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_server_method()));
#endif
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_VERSION), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION);
wolfSSL_CTX_free(ctx);
#endif
#ifdef NO_WOLFSSL_SERVER
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_server_method()));
#endif
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION);
wolfSSL_CTX_free(ctx);
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), WOLFSSL_SUCCESS);
#ifdef WOLFSSL_ALLOW_SSLV3
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION);
#else
AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION);
#endif
wolfSSL_CTX_free(ctx);
#ifdef WOLFSSL_ALLOW_TLSV10
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
#endif
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_VERSION), WOLFSSL_SUCCESS);
#ifdef WOLFSSL_ALLOW_TLSV10
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION);
#else
AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION);
#endif
wolfSSL_CTX_free(ctx);
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), WOLFSSL_SUCCESS);
#ifndef NO_OLD_TLS
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION);
#else
AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION);
#endif
wolfSSL_CTX_free(ctx);
#ifndef WOLFSSL_NO_TLS12
#ifdef NO_WOLFSSL_SERVER
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method()));
#endif
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_method()));
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION);
wolfSSL_CTX_free(ctx);
#endif
#ifdef WOLFSSL_TLS13
#ifdef NO_WOLFSSL_SERVER
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
#endif
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_method()));
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_3_VERSION);
wolfSSL_CTX_free(ctx);

3
wolfcrypt/src/asn.c
View File

@@ -11021,6 +11021,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0 ||
beginEnd - headerEnd > PEM_LINE_LEN) {
WOLFSSL_MSG("Couldn't find PEM header");
WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
return ASN_NO_PEM_HEADER;
}
@@ -11033,6 +11034,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
(unsigned int)((char*)buff + sz - beginEnd));
if (!footer) {
WOLFSSL_MSG("Couldn't find PEM footer");
WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
return ASN_NO_PEM_HEADER;
}
@@ -11058,6 +11060,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
if (!headerEnd) {
WOLFSSL_MSG("Couldn't find PEM header");
WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
return ASN_NO_PEM_HEADER;
}
#else

8
wolfcrypt/src/evp.c
View File

@@ -1262,7 +1262,7 @@ unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
case AES_128_GCM_TYPE:
case AES_192_GCM_TYPE:
case AES_256_GCM_TYPE:
return WOLFSSL_EVP_CIPH_GCM_MODE &
return WOLFSSL_EVP_CIPH_GCM_MODE |
WOLFSSL_EVP_CIPH_FLAG_AEAD_CIPHER;
#endif
#if defined(WOLFSSL_AES_COUNTER)
@@ -1319,7 +1319,7 @@ unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
unsigned long WOLFSSL_EVP_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
{
if (cipher == NULL) return 0;
return WOLFSSL_CIPHER_mode(cipher);
return WOLFSSL_CIPHER_mode(cipher) & WOLFSSL_EVP_CIPH_MODE;
}
void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags)
@@ -3724,7 +3724,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
{
int ret;
if (src->isHMAC) {
ret = wolfSSL_HmacCopy(&des->hash.hmac, (Hmac*)&src->hash.hmac);
return wolfSSL_HmacCopy(&des->hash.hmac, (Hmac*)&src->hash.hmac);
}
else {
switch (src->macType) {
@@ -3818,8 +3818,8 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
ret = BAD_FUNC_ARG;
break;
}
return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
}
return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
}
/* copies structure in to the structure out

9
wolfssl/openssl/crypto.h
View File

@@ -87,6 +87,15 @@ typedef struct crypto_threadid_st CRYPTO_THREADID;
#define OPENSSL_init_crypto wolfSSL_OPENSSL_init_crypto
#ifdef WOLFSSL_OPENVPN
# define OPENSSL_assert(e) \
if (!(e)) { \
fprintf(stderr, "%s:%d wolfSSL internal error: assertion failed: " #e, \
__FILE__, __LINE__); \
raise(SIGABRT); \
_exit(3); \
}
#endif
#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_EX_DATA)

5
wolfssl/openssl/evp.h
View File

@@ -742,6 +742,9 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX;
#define EVP_MD_CTX_size wolfSSL_EVP_MD_CTX_size
#define EVP_MD_CTX_block_size wolfSSL_EVP_MD_CTX_block_size
#define EVP_MD_type wolfSSL_EVP_MD_type
#ifndef NO_WOLFSSL_STUB
#define EVP_MD_CTX_set_flags(...)
#endif
#define EVP_Digest wolfSSL_EVP_Digest
#define EVP_DigestInit wolfSSL_EVP_DigestInit
@@ -935,7 +938,7 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX;
#define EVP_PKEY_NONE NID_undef
#define EVP_PKEY_DH 28
#define EVP_CIPHER_mode WOLFSSL_CIPHER_mode
#define EVP_CIPHER_mode WOLFSSL_EVP_CIPHER_mode
/* WOLFSSL_EVP_CIPHER is just the string name of the cipher */
#define EVP_CIPHER_name(x) x
#define EVP_MD_CTX_reset wolfSSL_EVP_MD_CTX_cleanup