Merge pull request #3871 from julek-wolfssl/openvpn-master

OpenVPN additions and fixes
This commit is contained in:
Sean Parkinson
2021-06-08 13:54:14 +10:00
committed by GitHub
6 changed files with 151 additions and 73 deletions

128
src/ssl.c

@@ -16759,19 +16759,78 @@ int wolfSSL_get_server_tmp_key(const WOLFSSL* ssl, WOLFSSL_EVP_PKEY** pkey)
#endif /* !NO_WOLFSSL_SERVER */ #endif /* !NO_WOLFSSL_SERVER */
static int sanityCheckProtoVersion(WOLFSSL_CTX* ctx) /**
* This function checks if any compiled in protocol versions are
* left enabled after calls to set_min or set_max API.
* @param ctx The WOLFSSL_CTX to check
* @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no
* protocol versions are left enabled.
*/
static int CheckSslMethodVersion(byte major, unsigned long options)
{ {
if ((ctx->mask & WOLFSSL_OP_NO_SSLv3) && int sanityConfirmed = 0;
(ctx->mask & WOLFSSL_OP_NO_TLSv1) &&
(ctx->mask & WOLFSSL_OP_NO_TLSv1_1) && (void)options;
(ctx->mask & WOLFSSL_OP_NO_TLSv1_2) &&
(ctx->mask & WOLFSSL_OP_NO_TLSv1_3)) { switch (major) {
WOLFSSL_MSG("All TLS versions disabled"); #ifndef NO_TLS
case SSLv3_MAJOR:
#ifdef WOLFSSL_ALLOW_SSLV3
if (!(options & WOLFSSL_OP_NO_SSLv3)) {
sanityConfirmed = 1;
}
#endif
#ifndef NO_OLD_TLS
if (!(options & WOLFSSL_OP_NO_TLSv1))
sanityConfirmed = 1;
if (!(options & WOLFSSL_OP_NO_TLSv1_1))
sanityConfirmed = 1;
#endif
#ifndef WOLFSSL_NO_TLS12
if (!(options & WOLFSSL_OP_NO_TLSv1_2))
sanityConfirmed = 1;
#endif
#ifdef WOLFSSL_TLS13
if (!(options & WOLFSSL_OP_NO_TLSv1_3))
sanityConfirmed = 1;
#endif
break;
#endif
#ifdef WOLFSSL_DTLS
case DTLS_MAJOR:
sanityConfirmed = 1;
break;
#endif
default:
WOLFSSL_MSG("Invalid major version");
return WOLFSSL_FAILURE;
}
if (!sanityConfirmed) {
WOLFSSL_MSG("All compiled in TLS versions disabled");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
/**
* This function attempts to set the minimum protocol version to use by SSL
* objects created from this WOLFSSL_CTX. This API guarantees that a version
* of SSL/TLS lower than specified here will not be allowed. If the version
* specified is not compiled in then this API sets the lowest compiled in
* protocol version. CheckSslMethodVersion() is called to check if any
* remaining protocol versions are enabled.
* @param ctx
* @param version Any of the following
* * SSL3_VERSION
* * TLS1_VERSION
* * TLS1_1_VERSION
* * TLS1_2_VERSION
* * TLS1_3_VERSION
* * DTLS1_VERSION
* * DTLS1_2_VERSION
* @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no
* protocol versions are left enabled.
*/
int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version) int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
{ {
WOLFSSL_ENTER("wolfSSL_CTX_set_min_proto_version"); WOLFSSL_ENTER("wolfSSL_CTX_set_min_proto_version");
@@ -16781,36 +16840,36 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
} }
switch (version) { switch (version) {
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) #ifndef NO_TLS
case SSL3_VERSION: case SSL3_VERSION:
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
ctx->minDowngrade = SSLv3_MINOR; ctx->minDowngrade = SSLv3_MINOR;
break; break;
#endif #endif
#ifndef NO_TLS
#ifndef NO_OLD_TLS
#ifdef WOLFSSL_ALLOW_TLSV10
case TLS1_VERSION: case TLS1_VERSION:
#ifdef WOLFSSL_ALLOW_TLSV10
ctx->minDowngrade = TLSv1_MINOR; ctx->minDowngrade = TLSv1_MINOR;
break; break;
#endif #endif
case TLS1_1_VERSION: case TLS1_1_VERSION:
#ifndef NO_OLD_TLS
ctx->minDowngrade = TLSv1_1_MINOR; ctx->minDowngrade = TLSv1_1_MINOR;
break; break;
#endif #endif
#ifndef WOLFSSL_NO_TLS12
case TLS1_2_VERSION: case TLS1_2_VERSION:
#ifndef WOLFSSL_NO_TLS12
ctx->minDowngrade = TLSv1_2_MINOR; ctx->minDowngrade = TLSv1_2_MINOR;
break; break;
#endif #endif
#ifdef WOLFSSL_TLS13
case TLS1_3_VERSION: case TLS1_3_VERSION:
#ifdef WOLFSSL_TLS13
ctx->minDowngrade = TLSv1_3_MINOR; ctx->minDowngrade = TLSv1_3_MINOR;
break; break;
#endif #endif
#endif #endif
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION: case DTLS1_VERSION:
#ifndef NO_OLD_TLS
ctx->minDowngrade = DTLS_MINOR; ctx->minDowngrade = DTLS_MINOR;
break; break;
#endif #endif
@@ -16837,17 +16896,13 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
case TLS1_VERSION: case TLS1_VERSION:
wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_SSLv3); wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_SSLv3);
break; break;
#endif
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
case SSL3_VERSION: case SSL3_VERSION:
case SSL2_VERSION: case SSL2_VERSION:
/* Nothing to do here */ /* Nothing to do here */
#endif
break; break;
#ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION:
#endif #endif
#ifdef WOLFSSL_DTLS
case DTLS1_VERSION:
case DTLS1_2_VERSION: case DTLS1_2_VERSION:
break; break;
#endif #endif
@@ -16856,9 +16911,28 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
return sanityCheckProtoVersion(ctx); return CheckSslMethodVersion(ctx->method->version.major, ctx->mask);
} }
/**
* This function attempts to set the maximum protocol version to use by SSL
* objects created from this WOLFSSL_CTX. This API guarantees that a version
* of SSL/TLS higher than specified here will not be allowed. If the version
* specified is not compiled in then this API sets the highest compiled in
* protocol version. CheckSslMethodVersion() is called to check if any
* remaining protocol versions are enabled.
* @param ctx
* @param version Any of the following
* * SSL3_VERSION
* * TLS1_VERSION
* * TLS1_1_VERSION
* * TLS1_2_VERSION
* * TLS1_3_VERSION
* * DTLS1_VERSION
* * DTLS1_2_VERSION
* @return WOLFSSL_SUCCESS on valid settings and WOLFSSL_FAILURE when no
* protocol versions are left enabled.
*/
int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver) int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
{ {
WOLFSSL_ENTER("wolfSSL_CTX_set_max_proto_version"); WOLFSSL_ENTER("wolfSSL_CTX_set_max_proto_version");
@@ -16872,7 +16946,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
case SSL2_VERSION: case SSL2_VERSION:
WOLFSSL_MSG("wolfSSL does not support SSLv2"); WOLFSSL_MSG("wolfSSL does not support SSLv2");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
#if (defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)) || !defined(NO_TLS) #ifndef NO_TLS
case SSL3_VERSION: case SSL3_VERSION:
wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1); wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1);
FALL_THROUGH; FALL_THROUGH;
@@ -16890,9 +16964,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
break; break;
#endif #endif
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION: case DTLS1_VERSION:
#endif
case DTLS1_2_VERSION: case DTLS1_2_VERSION:
break; break;
#endif #endif
@@ -16901,7 +16973,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
return sanityCheckProtoVersion(ctx); return CheckSslMethodVersion(ctx->method->version.major, ctx->mask);
} }
static int GetMinProtoVersion(int minDowngrade) static int GetMinProtoVersion(int minDowngrade)
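Review bot: The rewritten switch in the second `wolfSSL_CTX_set_min_proto_version` hunk now depends on implicit fallthrough from `case SSL3_VERSION:` to `case TLS1_VERSION:` to `case TLS1_1_VERSION:` and onward whenever a `#if` guard removes a label's assignment and `break`, yet none of those fallthroughs is marked, while the sibling max-version hunk in this same file uses `FALL_THROUGH;` explicitly. Give each of those guards an `#else` arm containing `FALL_THROUGH;` so the "lowest compiled in protocol version" behaviour promised by the new doc comment is visible in the code and `-Wimplicit-fallthrough` stays quiet. In `CheckSslMethodVersion` (first hunk) the `DTLS_MAJOR` branch sets `sanityConfirmed = 1` without looking at `options`, so a DTLS context can never fail this check; if DTLS has no per-version disable option that is fine, but a one-line comment there recording that assumption would stop the next reader from treating it as an oversight. Both `wolfSSL_CTX_set_min_proto_version` and `wolfSSL_CTX_set_max_proto_version` continue outside the hunks shown.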


@@ -42956,55 +42956,46 @@ static void test_wolfSSL_CTX_get_min_proto_version(void)
printf(testingFmt, "wolfSSL_CTX_get_min_proto_version()"); printf(testingFmt, "wolfSSL_CTX_get_min_proto_version()");
#ifndef NO_OLD_TLS AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
#ifdef WOLFSSL_ALLOW_SSLV3 AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), WOLFSSL_SUCCESS);
#ifdef NO_WOLFSSL_SERVER #ifdef WOLFSSL_ALLOW_SSLV3
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION);
#else #else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION);
#endif
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, SSL3_VERSION), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION);
wolfSSL_CTX_free(ctx);
#endif
#ifdef WOLFSSL_ALLOW_TLSV10
#ifdef NO_WOLFSSL_SERVER
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_server_method()));
#endif
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_VERSION), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION);
wolfSSL_CTX_free(ctx);
#endif
#ifdef NO_WOLFSSL_SERVER
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_1_server_method()));
#endif
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION);
wolfSSL_CTX_free(ctx);
#endif #endif
wolfSSL_CTX_free(ctx);
#ifdef WOLFSSL_ALLOW_TLSV10
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
#endif
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_VERSION), WOLFSSL_SUCCESS);
#ifdef WOLFSSL_ALLOW_TLSV10
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION);
#else
AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_VERSION);
#endif
wolfSSL_CTX_free(ctx);
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), WOLFSSL_SUCCESS);
#ifndef NO_OLD_TLS
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION);
#else
AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_1_VERSION);
#endif
wolfSSL_CTX_free(ctx);
#ifndef WOLFSSL_NO_TLS12 #ifndef WOLFSSL_NO_TLS12
#ifdef NO_WOLFSSL_SERVER AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_method()));
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method()));
#endif
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION), WOLFSSL_SUCCESS); AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION); AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_2_VERSION);
wolfSSL_CTX_free(ctx); wolfSSL_CTX_free(ctx);
#endif #endif
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
#ifdef NO_WOLFSSL_SERVER AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_method()));
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()));
#else
AssertNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_3_server_method()));
#endif
AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION), WOLFSSL_SUCCESS); AssertIntEQ(wolfSSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_3_VERSION); AssertIntEQ(wolfSSL_CTX_get_min_proto_version(ctx), TLS1_3_VERSION);
wolfSSL_CTX_free(ctx); wolfSSL_CTX_free(ctx);
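Review bot: The rewritten assertions only exercise the success path of `wolfSSL_CTX_set_min_proto_version`; the failure path this PR introduces (`CheckSslMethodVersion` returning `WOLFSSL_FAILURE` after "All compiled in TLS versions disabled") is not tested anywhere in this hunk. Judging from the option bits the ssl.c hunks set, choosing a maximum below the minimum on the same context (for instance `wolfSSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION)` after a minimum of `TLS1_3_VERSION`) should leave no version enabled, so an `AssertIntEQ(..., WOLFSSL_FAILURE)` on that call would pin the new check; please confirm the expected result against the option logic before adding it. The `AssertIntGT(wolfSSL_CTX_get_min_proto_version(ctx), SSL3_VERSION)` branches also assume the version constants are numerically ordered, which deserves a short comment. The enclosing `test_wolfSSL_CTX_get_min_proto_version` starts before this hunk.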


@@ -11021,6 +11021,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0 || XSTR_SIZEOF(BEGIN_PRIV_KEY_PREFIX)) != 0 ||
beginEnd - headerEnd > PEM_LINE_LEN) { beginEnd - headerEnd > PEM_LINE_LEN) {
WOLFSSL_MSG("Couldn't find PEM header"); WOLFSSL_MSG("Couldn't find PEM header");
WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
return ASN_NO_PEM_HEADER; return ASN_NO_PEM_HEADER;
} }
@@ -11033,6 +11034,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
(unsigned int)((char*)buff + sz - beginEnd)); (unsigned int)((char*)buff + sz - beginEnd));
if (!footer) { if (!footer) {
WOLFSSL_MSG("Couldn't find PEM footer"); WOLFSSL_MSG("Couldn't find PEM footer");
WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
return ASN_NO_PEM_HEADER; return ASN_NO_PEM_HEADER;
} }
@@ -11058,6 +11060,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
if (!headerEnd) { if (!headerEnd) {
WOLFSSL_MSG("Couldn't find PEM header"); WOLFSSL_MSG("Couldn't find PEM header");
WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
return ASN_NO_PEM_HEADER; return ASN_NO_PEM_HEADER;
} }
#else #else
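Review bot: The `WOLFSSL_ERROR(ASN_NO_PEM_HEADER);` added in the second hunk sits on the path that has just logged "Couldn't find PEM footer", so the error now recorded for a missing footer is the header code, which leaves the logged failure ambiguous for anyone debugging a truncated PEM input. If a footer-specific ASN error code exists it should be used on that line and on the `return` below it; if not, a comment such as `/* no dedicated footer error code; header code reused */` would document the reuse. `PemToDer` itself starts and ends outside the hunks shown.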


@@ -1262,7 +1262,7 @@ unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
case AES_128_GCM_TYPE: case AES_128_GCM_TYPE:
case AES_192_GCM_TYPE: case AES_192_GCM_TYPE:
case AES_256_GCM_TYPE: case AES_256_GCM_TYPE:
return WOLFSSL_EVP_CIPH_GCM_MODE & return WOLFSSL_EVP_CIPH_GCM_MODE |
WOLFSSL_EVP_CIPH_FLAG_AEAD_CIPHER; WOLFSSL_EVP_CIPH_FLAG_AEAD_CIPHER;
#endif #endif
#if defined(WOLFSSL_AES_COUNTER) #if defined(WOLFSSL_AES_COUNTER)
@@ -1319,7 +1319,7 @@ unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
unsigned long WOLFSSL_EVP_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher) unsigned long WOLFSSL_EVP_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher)
{ {
if (cipher == NULL) return 0; if (cipher == NULL) return 0;
return WOLFSSL_CIPHER_mode(cipher); return WOLFSSL_CIPHER_mode(cipher) & WOLFSSL_EVP_CIPH_MODE;
} }
void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags) void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags)
@@ -3724,7 +3724,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
{ {
int ret; int ret;
if (src->isHMAC) { if (src->isHMAC) {
ret = wolfSSL_HmacCopy(&des->hash.hmac, (Hmac*)&src->hash.hmac); return wolfSSL_HmacCopy(&des->hash.hmac, (Hmac*)&src->hash.hmac);
} }
else { else {
switch (src->macType) { switch (src->macType) {
@@ -3818,8 +3818,8 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
ret = BAD_FUNC_ARG; ret = BAD_FUNC_ARG;
break; break;
} }
return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
} }
return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
} }
/* copies structure in to the structure out /* copies structure in to the structure out
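Review bot: In the third hunk the HMAC branch now does `return wolfSSL_HmacCopy(&des->hash.hmac, (Hmac*)&src->hash.hmac);` while the non-HMAC branch still maps its result through `return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;`, so the two paths report success under different conventions unless `wolfSSL_HmacCopy` already returns `WOLFSSL_SUCCESS`/`WOLFSSL_FAILURE`. If it returns 0 on success, as the `ret == 0` test in the other branch expects of the wolfCrypt copy helpers, the early return hands a successful copy back to the caller as `WOLFSSL_FAILURE`; either keep `ret = wolfSSL_HmacCopy(...)` and fall through to the common mapping, or add a comment on that line stating which convention the helper uses. The enclosing function begins before this hunk (the `@@` context label `wolfSSL_EVP_MD_type` is stale), so the remaining uses of `ret` cannot be checked here.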


@@ -87,6 +87,15 @@ typedef struct crypto_threadid_st CRYPTO_THREADID;
#define OPENSSL_init_crypto wolfSSL_OPENSSL_init_crypto #define OPENSSL_init_crypto wolfSSL_OPENSSL_init_crypto
#ifdef WOLFSSL_OPENVPN
# define OPENSSL_assert(e) \
if (!(e)) { \
fprintf(stderr, "%s:%d wolfSSL internal error: assertion failed: " #e, \
__FILE__, __LINE__); \
raise(SIGABRT); \
_exit(3); \
}
#endif
#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_EX_DATA) defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_EX_DATA)
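Review bot: The `OPENSSL_assert(e)` macro added under `WOLFSSL_OPENVPN` expands to a bare `if` statement, so `if (x) OPENSSL_assert(e); else ...` at a call site binds the `else` to the macro's own `if`, and the expansion is not a single statement when followed by a semicolon; wrap it as `do { if (!(e)) { ... } } while (0)`. The `fprintf` format also lacks a trailing newline, so the assertion text runs into whatever is written to stderr next; use `"%s:%d wolfSSL internal error: assertion failed: " #e "\n"`. The body calls `fprintf`, `raise(SIGABRT)` and `_exit`, which require `<stdio.h>`, `<signal.h>` and `<unistd.h>` in every translation unit that expands the macro; this hunk does not show whether the header includes them, so please confirm or add them under the same guard.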


@@ -742,6 +742,9 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX;
#define EVP_MD_CTX_size wolfSSL_EVP_MD_CTX_size #define EVP_MD_CTX_size wolfSSL_EVP_MD_CTX_size
#define EVP_MD_CTX_block_size wolfSSL_EVP_MD_CTX_block_size #define EVP_MD_CTX_block_size wolfSSL_EVP_MD_CTX_block_size
#define EVP_MD_type wolfSSL_EVP_MD_type #define EVP_MD_type wolfSSL_EVP_MD_type
#ifndef NO_WOLFSSL_STUB
#define EVP_MD_CTX_set_flags(...)
#endif
#define EVP_Digest wolfSSL_EVP_Digest #define EVP_Digest wolfSSL_EVP_Digest
#define EVP_DigestInit wolfSSL_EVP_DigestInit #define EVP_DigestInit wolfSSL_EVP_DigestInit
@@ -935,7 +938,7 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX;
#define EVP_PKEY_NONE NID_undef #define EVP_PKEY_NONE NID_undef
#define EVP_PKEY_DH 28 #define EVP_PKEY_DH 28
#define EVP_CIPHER_mode WOLFSSL_CIPHER_mode #define EVP_CIPHER_mode WOLFSSL_EVP_CIPHER_mode
/* WOLFSSL_EVP_CIPHER is just the string name of the cipher */ /* WOLFSSL_EVP_CIPHER is just the string name of the cipher */
#define EVP_CIPHER_name(x) x #define EVP_CIPHER_name(x) x
#define EVP_MD_CTX_reset wolfSSL_EVP_MD_CTX_cleanup #define EVP_MD_CTX_reset wolfSSL_EVP_MD_CTX_cleanup
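Review bot: `#define EVP_MD_CTX_set_flags(...)` silently discards every flag an application sets, and nothing in the header says so, so a reader porting OpenVPN will assume the flag took effect. Add a comment on the stub, e.g. `/* stub: wolfSSL ignores EVP_MD_CTX flags */`, or, if the project has a logging stub macro for other `NO_WOLFSSL_STUB`-guarded names, route it through that so the no-op is visible in debug output. The `EVP_CIPHER_mode` remap to `wolfSSL_EVP_CIPHER_mode` in the second hunk is consistent with the masked return added in the evp.c section.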