feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Adding sni to mimic openssl functionality

Browse Source
This commit is contained in:
Nickolas Lapp
2015-08-12 10:10:30 -06:00
parent 30067d4f59
commit 900edc04e5
8 changed files with 789 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
configure.ac
View File

@ -1815,6 +1815,14 @@ then
AM_CFLAGS="-DOPENSSL_EXTRA $AM_CFLAGS"
fi
# Requires OCSP make sure on
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP"
AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"])
fi
# Requires coding make sure on
if test "x$ENABLED_CODING" = "xno"
then
@ -1835,7 +1843,8 @@ then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
AM_CONDITIONAL([BUILD_CRL], [test "x$ENABLED_CRL" = "xyes"])
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL"
AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL -DWOLFSSL_ALWAYS_VERIFY_CB"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
fi

319
src/internal.c
View File

@ -107,6 +107,9 @@ static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
#if !defined(NO_RSA) || defined(HAVE_ECC)
static int DoCertificateVerify(WOLFSSL* ssl, byte*, word32*, word32);
#endif
#ifdef HAVE_STUNNEL
static int SNI_Callback(WOLFSSL* ssl);
#endif
#endif
@ -1557,25 +1560,179 @@ void FreeX509(WOLFSSL_X509* x509)
#endif /* NO_CERTS */
/* This function inherits a WOLFSSL_CTX's fields into an SSL object.
It is used during initialization and to switch an ssl's CTX with
wolfSSL_Set_SSL_CTX */
int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
{
if(!ssl || !ctx)
return BAD_FUNC_ARG;
byte havePSK = 0;
byte haveAnon = 0;
byte haveRSA = 0;
byte newSSL = ssl->ctx == NULL;
(void) haveAnon; /* Squash unused var warnings */
#ifndef NO_RSA
haveRSA = 1;
#endif
#ifndef NO_PSK
havePSK = ctx->havePSK;
#endif /* NO_PSK */
#ifdef HAVE_ANON
haveAnon = ctx->haveAnon;
#endif /* HAVE_ANON*/
/* decrement previous CTX reference count if exists.
* This should only happen if switching ctxs!*/
if (!newSSL) {
if(LockMutex(&ssl->ctx->countMutex) != 0) {
WOLFSSL_MSG("Couldn't lock on previous CTX count mutex");
return BAD_MUTEX_E;
}
WOLFSSL_MSG("Decrementing previous ctx reference count. Switching ctx.");
ssl->ctx->refCount--;
UnLockMutex(&ssl->ctx->countMutex);
}
/* increment CTX reference count */
if (LockMutex(&ctx->countMutex) != 0) {
WOLFSSL_MSG("Couldn't lock CTX count mutex");
return BAD_MUTEX_E;
}
ctx->refCount++;
UnLockMutex(&ctx->countMutex);
ssl->ctx = ctx; /* only for passing to calls, options could change */
ssl->version = ctx->method->version;
#ifdef HAVE_ECC
ssl->eccTempKeySz = ctx->eccTempKeySz;
ssl->pkCurveOID = ctx->pkCurveOID;
#endif
ssl->timeout = ctx->timeout;
ssl->verifyCallback = ctx->verifyCallback;
ssl->options.side = ctx->method->side;
ssl->options.downgrade = ctx->method->downgrade;
ssl->options.minDowngrade = ctx->minDowngrade;
if (ssl->options.side == WOLFSSL_SERVER_END)
ssl->options.haveDH = ctx->haveDH;
ssl->options.haveNTRU = ctx->haveNTRU;
ssl->options.haveECDSAsig = ctx->haveECDSAsig;
ssl->options.haveStaticECC = ctx->haveStaticECC;
#ifndef NO_PSK
ssl->options.havePSK = ctx->havePSK;
ssl->options.client_psk_cb = ctx->client_psk_cb;
ssl->options.server_psk_cb = ctx->server_psk_cb;
#endif /* NO_PSK */
#ifdef HAVE_ANON
ssl->options.haveAnon = ctx->haveAnon;
#endif
#ifndef NO_DH
ssl->options.minDhKeySz = ctx->minDhKeySz;
#endif
ssl->options.sessionCacheOff = ctx->sessionCacheOff;
ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
ssl->options.verifyPeer = ctx->verifyPeer;
ssl->options.verifyNone = ctx->verifyNone;
ssl->options.failNoCert = ctx->failNoCert;
ssl->options.sendVerify = ctx->sendVerify;
ssl->heap = ctx->heap; /* defaults to self */
ssl->options.partialWrite = ctx->partialWrite;
ssl->options.quietShutdown = ctx->quietShutdown;
ssl->options.groupMessages = ctx->groupMessages;
#ifndef NO_DH
if (ssl->options.side == WOLFSSL_SERVER_END) {
ssl->buffers.serverDH_P = ctx->serverDH_P;
ssl->buffers.serverDH_G = ctx->serverDH_G;
}
#endif
#ifndef NO_CERTS
/* ctx still owns certificate, certChain, key, dh, and cm */
ssl->buffers.certificate = ctx->certificate;
ssl->buffers.certChain = ctx->certChain;
ssl->buffers.key = ctx->privateKey;
#endif
#ifdef HAVE_CAVIUM
ssl->devId = ctx->devId;
#endif
#ifndef NO_PSK
if (ctx->server_hint[0]) { /* set in CTX */
XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint, MAX_PSK_ID_LEN);
ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0';
}
#endif /* NO_PSK */
if (ctx->suites)
*ssl->suites = *ctx->suites;
else
XMEMSET(ssl->suites, 0, sizeof(Suites));
/* make sure server has DH parms, and add PSK if there, add NTRU too */
if (ssl->options.side == WOLFSSL_SERVER_END)
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side);
else
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
#ifndef NO_CERTS
/* make sure server has cert and key unless using PSK or Anon
* This should be true even if just switching ssl ctx */
if (ssl->options.side == WOLFSSL_SERVER_END && !havePSK && !haveAnon)
if (!ssl->buffers.certificate.buffer || !ssl->buffers.key.buffer) {
WOLFSSL_MSG("Server missing certificate and/or private key");
return NO_PRIVATE_KEY;
}
#endif
return SSL_SUCCESS;
}
/* init everything to 0, NULL, default values before calling anything that may
fail so that desctructor has a "good" state to cleanup */
int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
{
int ret;
byte haveRSA = 0;
byte havePSK = 0;
byte haveAnon = 0;
(void) haveAnon;
XMEMSET(ssl, 0, sizeof(WOLFSSL));
ssl->ctx = ctx; /* only for passing to calls, options could change */
ssl->version = ctx->method->version;
/* arrays */
ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap,
DYNAMIC_TYPE_ARRAYS);
if (ssl->arrays == NULL) {
WOLFSSL_MSG("Arrays Memory error");
return MEMORY_E;
}
XMEMSET(ssl->arrays, 0, sizeof(Arrays));
#ifndef NO_RSA
haveRSA = 1;
#endif
/* suites */
ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
DYNAMIC_TYPE_SUITES);
if (ssl->suites == NULL) {
WOLFSSL_MSG("Suites Memory error");
return MEMORY_E;
}
/* Initialize SSL with the appropriate fields from it's ctx */
if((ret = SetSSL_CTX(ssl, ctx)) != SSL_SUCCESS)
return ret;
ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer;
ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN;
@ -1587,12 +1744,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
InitX509(&ssl->peerCert, 0);
#endif
#ifdef HAVE_ECC
ssl->eccTempKeySz = ctx->eccTempKeySz;
ssl->pkCurveOID = ctx->pkCurveOID;
#endif
ssl->timeout = ctx->timeout;
ssl->rfd = -1; /* set to invalid descriptor */
ssl->wfd = -1;
@ -1607,30 +1758,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
ssl->dtls_expected_rx = MAX_MTU;
#endif
ssl->verifyCallback = ctx->verifyCallback;
ssl->options.side = ctx->method->side;
ssl->options.downgrade = ctx->method->downgrade;
ssl->options.minDowngrade = ctx->minDowngrade;
if (ssl->options.side == WOLFSSL_SERVER_END)
ssl->options.haveDH = ctx->haveDH;
ssl->options.haveNTRU = ctx->haveNTRU;
ssl->options.haveECDSAsig = ctx->haveECDSAsig;
ssl->options.haveStaticECC = ctx->haveStaticECC;
#ifndef NO_PSK
havePSK = ctx->havePSK;
ssl->options.havePSK = ctx->havePSK;
ssl->options.client_psk_cb = ctx->client_psk_cb;
ssl->options.server_psk_cb = ctx->server_psk_cb;
#endif /* NO_PSK */
#ifdef HAVE_ANON
haveAnon = ctx->haveAnon;
ssl->options.haveAnon = ctx->haveAnon;
#endif
ssl->options.serverState = NULL_STATE;
ssl->options.clientState = NULL_STATE;
ssl->options.connectState = CONNECT_BEGIN;
@ -1638,49 +1765,19 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
ssl->options.handShakeState = NULL_STATE;
ssl->options.processReply = doProcessInit;
#ifndef NO_DH
ssl->options.minDhKeySz = ctx->minDhKeySz;
#endif
#ifdef WOLFSSL_DTLS
ssl->dtls_timeout_init = DTLS_TIMEOUT_INIT;
ssl->dtls_timeout_max = DTLS_TIMEOUT_MAX;
ssl->dtls_timeout = ssl->dtls_timeout_init;
#endif
ssl->options.sessionCacheOff = ctx->sessionCacheOff;
ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
ssl->options.verifyPeer = ctx->verifyPeer;
ssl->options.verifyNone = ctx->verifyNone;
ssl->options.failNoCert = ctx->failNoCert;
ssl->options.sendVerify = ctx->sendVerify;
#ifndef NO_OLD_TLS
ssl->hmac = SSL_hmac; /* default to SSLv3 */
#else
ssl->hmac = TLS_hmac;
#endif
ssl->heap = ctx->heap; /* defaults to self */
ssl->options.dtls = ssl->version.major == DTLS_MAJOR;
ssl->options.partialWrite = ctx->partialWrite;
ssl->options.quietShutdown = ctx->quietShutdown;
ssl->options.groupMessages = ctx->groupMessages;
#ifndef NO_DH
if (ssl->options.side == WOLFSSL_SERVER_END) {
ssl->buffers.serverDH_P = ctx->serverDH_P;
ssl->buffers.serverDH_G = ctx->serverDH_G;
}
#endif
#ifndef NO_CERTS
/* ctx still owns certificate, certChain, key, dh, and cm */
ssl->buffers.certificate = ctx->certificate;
ssl->buffers.certChain = ctx->certChain;
ssl->buffers.key = ctx->privateKey;
#endif
#ifdef WOLFSSL_DTLS
ssl->buffers.dtlsCtx.fd = -1;
@ -1688,10 +1785,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
ssl->cipher.ssl = ssl;
#ifdef HAVE_CAVIUM
ssl->devId = ctx->devId;
#endif
#ifdef HAVE_TLS_EXTENSIONS
#ifdef HAVE_MAX_FRAGMENT
ssl->max_fragment = MAX_RECORD_SIZE;
@ -1747,30 +1840,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
}
#endif
/* increment CTX reference count */
if (LockMutex(&ctx->countMutex) != 0) {
WOLFSSL_MSG("Couldn't lock CTX count mutex");
return BAD_MUTEX_E;
}
ctx->refCount++;
UnLockMutex(&ctx->countMutex);
/* arrays */
ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap,
DYNAMIC_TYPE_ARRAYS);
if (ssl->arrays == NULL) {
WOLFSSL_MSG("Arrays Memory error");
return MEMORY_E;
}
XMEMSET(ssl->arrays, 0, sizeof(Arrays));
#ifndef NO_PSK
if (ctx->server_hint[0]) { /* set in CTX */
XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint, MAX_PSK_ID_LEN);
ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0';
}
#endif /* NO_PSK */
/* RNG */
ssl->rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), ssl->heap, DYNAMIC_TYPE_RNG);
if (ssl->rng == NULL) {
@ -1783,43 +1852,10 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
return ret;
}
/* suites */
ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
DYNAMIC_TYPE_SUITES);
if (ssl->suites == NULL) {
WOLFSSL_MSG("Suites Memory error");
return MEMORY_E;
}
if (ctx->suites)
*ssl->suites = *ctx->suites;
else
XMEMSET(ssl->suites, 0, sizeof(Suites));
#ifndef NO_CERTS
/* make sure server has cert and key unless using PSK or Anon */
if (ssl->options.side == WOLFSSL_SERVER_END && !havePSK && !haveAnon)
if (!ssl->buffers.certificate.buffer || !ssl->buffers.key.buffer) {
WOLFSSL_MSG("Server missing certificate and/or private key");
return NO_PRIVATE_KEY;
}
#endif
#ifdef HAVE_SECRET_CALLBACK
ssl->sessionSecretCb = NULL;
ssl->sessionSecretCtx = NULL;
#endif
/* make sure server has DH parms, and add PSK if there, add NTRU too */
if (ssl->options.side == WOLFSSL_SERVER_END)
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
ssl->options.side);
else
InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE,
ssl->options.haveNTRU, ssl->options.haveECDSAsig,
ssl->options.haveStaticECC, ssl->options.side);
return 0;
}
@ -14336,6 +14372,10 @@ int DoSessionTicket(WOLFSSL* ssl,
if ((ret = TLSX_Parse(ssl, (byte *) input + i,
totalExtSz, 1, &clSuites)))
return ret;
#ifdef HAVE_STUNNEL
if((ret=SNI_Callback(ssl)))
return ret;
#endif /*HAVE_STUNNEL*/
i += totalExtSz;
#else
@ -15439,4 +15479,21 @@ int DoSessionTicket(WOLFSSL* ssl,
return ret;
}
#ifdef HAVE_STUNNEL
static int SNI_Callback(WOLFSSL* ssl)
{
/* Stunnel supports a custom sni callback to switch an SSL's ctx
* when SNI is received. Call it now if exists */
if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) {
WOLFSSL_MSG("Calling custom sni callback");
if(ssl->ctx->sniRecvCb(ssl, NULL, ssl->ctx->sniRecvCbArg)
== alert_fatal) {
WOLFSSL_MSG("Error in custom sni callback. Fatal alert");
SendAlert(ssl, alert_fatal, unrecognized_name);
return FATAL_ERROR;
}
}
return 0;
}
#endif /* HAVE_STUNNEL */
#endif /* NO_WOLFSSL_SERVER */

352
src/ssl.c
View File

@ -70,6 +70,9 @@
#include <wolfssl/wolfcrypt/arc4.h>
#include <wolfssl/wolfcrypt/curve25519.h>
#include <wolfssl/wolfcrypt/ed25519.h>
#ifdef HAVE_STUNNEL
#include <wolfssl/openssl/ocsp.h>
#endif /* WITH_STUNNEL */
#ifdef WOLFSSL_SHA512
#include <wolfssl/wolfcrypt/sha512.h>
#endif
@ -16343,6 +16346,355 @@ const byte* wolfSSL_SESSION_get_id(WOLFSSL_SESSION* sess, unsigned int* idLen)
*idLen = sess->sessionIDSz;
return sess->sessionID;
}
int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME *a, const WOLFSSL_X509_NAME *b)
{
(void) a;
(void) b;
WOLFSSL_ENTER("wolfSSL_X509_NAME_cmp");
WOLFSSL_STUB("wolfSSL_X509_NAME_cmp");
WOLFSSL_LEAVE("wolfSSL_X509_NAME_cmp",0);
return SSL_SUCCESS;
}
void wolfSSL_X509_email_free(void *sk)
{
(void)sk;
WOLFSSL_ENTER("wolfSSL_X509_email_free");
WOLFSSL_STUB("wolfSSL_X509_email_free");
WOLFSSL_LEAVE("wolfSSL_X509_email_free",0);
}
WOLFSSL_STRING* wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *cert)
{
WOLFSSL_ENTER("wolfSSL_X509_get1_ocsp");
WOLFSSL_STUB("wolfSSL_X509_get1_ocsp");
WOLFSSL_LEAVE("wolfSSL_X509_get1_ocsp",0);
(void)cert;
return NULL;
}
void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* ocsp)
{
WOLFSSL_ENTER("wolfSSL_OCSP_CERTID_free");
WOLFSSL_STUB("wolfSSL_OCSP_CERTID_free");
WOLFSSL_LEAVE("wolfSSL_OCSP_CERTID_free",0);
(void)ocsp;
return;
}
WOLFSSL_OCSP_REQUEST* wolfSSL_OCSP_REQUEST_new(void){
WOLFSSL_ENTER("wolfSSL_OCSP_REQUEST_new");
WOLFSSL_STUB("wolfSSL_OCSP_REQUEST_new");
WOLFSSL_OCSP_REQUEST *or = NULL;
return or;
}
WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(const WOLFSSL_EVP_MD* dgst,
WOLFSSL_X509* subject, WOLFSSL_X509* issuer)
{
WOLFSSL_ENTER("wolfSSL_OCSP_CERTID_free");
WOLFSSL_STUB("wolfSSL_OCSP_CERTID_free");
WOLFSSL_LEAVE("wolfSSL_OCSP_CERTID_free",0);
(void)dgst;
(void)subject;
(void)issuer;
return NULL;
}
void wolfSSL_OCSP_REQUEST_free(WOLFSSL_OCSP_REQUEST* request)
{
WOLFSSL_ENTER("wolfSSL_OCSP_REQUEST_free");
WOLFSSL_STUB("wolfSSL_OCSP_REQUEST_free");
WOLFSSL_LEAVE("wolfSSL_OCSP_REQUEST_free",0);
(void)request;
return;
}
int wolfSSL_BIO_should_write(WOLFSSL_BIO *bio)
{
WOLFSSL_ENTER("wolfSSL_BIO_should_write");
WOLFSSL_STUB("wolfSSL_BIO_should_write");
WOLFSSL_LEAVE("wolfSSL_BIO_should_write",0);
(void) bio;
return SSL_SUCCESS;
}
int BIO_should_read(WOLFSSL_BIO *bio)
{
WOLFSSL_ENTER("BIO_should_read");
WOLFSSL_STUB("BIO_should_read");
WOLFSSL_LEAVE("BIO_should_read",0);
(void) bio;
return SSL_SUCCESS;
}
int wolfSSL_OCSP_check_nonce(WOLFSSL_OCSP_REQUEST *req, WOLFSSL_OCSP_BASICRESP *bs)
{
WOLFSSL_ENTER("wolfSSL_OCSP_check_nonce");
WOLFSSL_STUB("wolfSSL_OCSP_check_nonce");
WOLFSSL_LEAVE("wolfSSL_OCSP_check_nonce",0);
(void) req;
(void) bs;
return SSL_SUCCESS;
}
int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, STACK_OF(WOLFSSL_X509) *certs,
WOLFSSL_X509_STORE *st, unsigned long flags)
{
WOLFSSL_ENTER("wolfSSL_OCSP_basic_verify");
WOLFSSL_STUB("wolfSSL_OCSP_basic_verify");
WOLFSSL_LEAVE("wolfSSL_OCSP_basic_verify",0);
(void) bs;
(void) certs;
(void) st;
(void) flags;
return SSL_SUCCESS;
}
void wolfSSL_OCSP_REQ_CTX_free(WOLFSSL_OCSP_REQ_CTX *rctx)
{
WOLFSSL_ENTER("wolfSSL_OCSP_REQ_CTX_free");
WOLFSSL_STUB("wolfSSL_OCSP_REQ_CTX_free");
WOLFSSL_LEAVE("wolfSSL_OCSP_REQ_CTX_free",0);
(void) rctx;
}
int wolfSSL_OCSP_RESPONSE_free( WOLFSSL_OCSP_RESPONSE* r)
{
WOLFSSL_ENTER("wolfSSL_OCSP_RESPONSE_free");
WOLFSSL_STUB("wolfSSL_OCSP_RESPONSE_free");
WOLFSSL_LEAVE("wolfSSL_OCSP_RESPONSE_free",0);
(void) r;
return SSL_SUCCESS;
}
int wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP *basic_response)
{
WOLFSSL_ENTER("wolfSSL_OCSP_BASICRESP_free");
WOLFSSL_STUB("wolfSSL_OCSP_BASICRESP_free");
WOLFSSL_LEAVE("wolfSSL_OCSP_BASICRESP_free",0);
(void) basic_response;
return SSL_SUCCESS;
}
WOLFSSL_OCSP_BASICRESP *wolfSSL_OCSP_response_get1_basic(WOLFSSL_OCSP_RESPONSE *resp)
{
WOLFSSL_ENTER("wolfSSL_OCSP_response_get1_basic");
WOLFSSL_STUB("wolfSSL_OCSP_response_get1_basic");
WOLFSSL_LEAVE("wolfSSL_OCSP_response_get1_basic",0);
(void) resp;
return NULL;
}
int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
WOLFSSL_OCSP_CERTID *id, int *status,
int *reason, WOLFSSL_ASN1_TIME**revtime,
WOLFSSL_ASN1_TIME**thisupd, WOLFSSL_ASN1_TIME**nextupd)
{
WOLFSSL_ENTER("wolfSSL_OCSP_resp_find_status");
WOLFSSL_STUB("wolfSSL_OCSP_resp_find_status");
WOLFSSL_LEAVE("wolfSSL_OCSP_resp_find_status",0);
(void) bs;
(void) id;
(void) status;
(void) reason;
(void) revtime;
(void) thisupd;
(void) nextupd;
return SSL_SUCCESS;
}
int wolfSSL_OCSP_request_add1_nonce(WOLFSSL_OCSP_REQUEST *req, unsigned char *val, int len)
{
WOLFSSL_ENTER("wolfSSL_OCSP_request_add1_nonce");
WOLFSSL_STUB("wolfSSL_OCSP_request_add1_nonce");
WOLFSSL_LEAVE("wolfSSL_OCSP_request_add1_nonce",0);
(void) req;
(void) val;
(void) len;
return SSL_SUCCESS;
}
WOLFSSL_OCSP_ONEREQ *wolfSSL_OCSP_request_add0_id(WOLFSSL_OCSP_REQUEST *req, WOLFSSL_OCSP_CERTID *cid)
{
WOLFSSL_ENTER("wolfSSL_OCSP_request_add0_id");
WOLFSSL_STUB("wolfSSL_OCSP_request_add0_id");
WOLFSSL_LEAVE("wolfSSL_OCSP_request_add0_id",0);
(void) req;
(void) cid;
return NULL;
}
const char *wolfSSL_OCSP_crl_reason_str(long s)
{
WOLFSSL_ENTER("wolfSSL_OCSP_crl_reason_str");
WOLFSSL_STUB("wolfSSL_OCSP_crl_reason_str");
WOLFSSL_LEAVE("wolfSSL_OCSP_crl_reason_str",0);
(void) s;
return NULL;
}
int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME*thisupd,
WOLFSSL_ASN1_TIME*nextupd, long sec, long maxsec)
{
WOLFSSL_ENTER("wolfSSL_OCSP_check_validity");
WOLFSSL_STUB("wolfSSL_OCSP_check_validity");
WOLFSSL_LEAVE("wolfSSL_OCSP_check_validity",0);
(void) thisupd;
(void) nextupd;
(void) sec;
(void) maxsec;
return SSL_SUCCESS;
}
STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX *ctx)
{
WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_chain");
WOLFSSL_STUB("wolfSSL_X509_STORE_CTX_get_chain");
WOLFSSL_LEAVE("wolfSSL_X509_STORE_CTX_get_chain",0);
(void) ctx;
return NULL;
}
WOLFSSL_OCSP_REQ_CTX *wolfSSL_OCSP_sendreq_new(WOLFSSL_BIO *io, const char *path, WOLFSSL_OCSP_REQUEST *req, int maxline)
{
WOLFSSL_ENTER("wolfSSL_OCSP_sendreq_new");
WOLFSSL_STUB("wolfSSL_OCSP_sendreq_new");
WOLFSSL_LEAVE("wolfSSL_OCSP_sendreq_new",0);
(void) io;
(void) path;
(void) req;
(void) maxline;
return NULL;
}
int wolfSSL_OCSP_sendreq_nbio(WOLFSSL_OCSP_RESPONSE **presp, WOLFSSL_OCSP_REQ_CTX *rctx)
{
WOLFSSL_ENTER("wolfSSL_OCSP_sendreq_nbio");
WOLFSSL_STUB("wolfSSL_OCSP_sendreq_nbio");
WOLFSSL_LEAVE("wolfSSL_OCSP_sendreq_nbio",0);
(void) presp;
(void) rctx;
return SSL_SUCCESS;
}
const char *wolfSSL_OCSP_cert_status_str(long s)
{
WOLFSSL_ENTER("wolfSSL_OCSP_cert_status_str");
WOLFSSL_STUB("wolfSSL_OCSP_cert_status_str");
WOLFSSL_LEAVE("wolfSSL_OCSP_cert_status_str",0);
(void) s;
return NULL;
}
int wolfSSL_OCSP_response_status(WOLFSSL_OCSP_RESPONSE *resp)
{
WOLFSSL_ENTER("wolfSSL_OCSP_response_status");
WOLFSSL_STUB("wolfSSL_OCSP_response_status");
WOLFSSL_LEAVE("wolfSSL_OCSP_response_status",0);
(void) resp;
return SSL_SUCCESS;
}
const char *wolfSSL_OCSP_response_status_str(long s)
{
WOLFSSL_ENTER("wolfSSL_OCSP_response_status_str");
WOLFSSL_STUB("wolfSSL_OCSP_response_status_str");
WOLFSSL_LEAVE("wolfSSL_OCSP_response_status_str",0);
(void) s;
return NULL;
}
int wolfSSL_sk_WOLFSSL_STRING_num(const STACK_OF(WOLFSSL_STRING)* string)
{
WOLFSSL_ENTER("wolfSSL_sk_WOLFSSL_STRING_num");
WOLFSSL_STUB("wolfSSL_sk_WOLFSSL_STRING_num");
WOLFSSL_LEAVE("wolfSSL_sk_WOLFSSL_STRING_num",0);
(void) string;
return 0;
}
WOLFSSL_STRING wolfSSL_sk_WOLFSSL_STRING_value(
const STACK_OF(WOLFSSL_STRING)* string, int idx)
{
WOLFSSL_ENTER("wolfSSL_sk_WOLFSSL_STRING_value");
WOLFSSL_STUB("wolfSSL_sk_WOLFSSL_STRING_value");
WOLFSSL_LEAVE("wolfSSL_sk_WOLFSSL_STRING_value",0);
(void) string;
(void) idx;
return 0;
}
int wolfSSL_set_tlsext_host_name(WOLFSSL* ssl, const char* host_name)
{
int ret;
WOLFSSL_ENTER("wolfSSL_set_tlsext_host_name");
ret = wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME,
host_name, XSTRLEN(host_name));
WOLFSSL_LEAVE("wolfSSL_set_tlsext_host_name", ret);
return ret;
}
const char * wolfSSL_get_servername(WOLFSSL* ssl, byte type)
{
void * serverName = NULL;
if (ssl == NULL)
return NULL;
TLSX_SNI_GetRequest(ssl->extensions, type, &serverName);
return (const char *)serverName;
}
WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
{
if (ssl && ctx && SetSSL_CTX(ssl, ctx) == SSL_SUCCESS)
return ssl->ctx;
return NULL;
}
VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX* ctx)
{
WOLFSSL_ENTER("wolfSSL_CTX_get_verify_callback");
if(ctx)
return ctx->verifyCallback;
return NULL;
}
int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
{
(void)ctx;
WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode");
WOLFSSL_STUB("wolfSSL_CTX_get_verify_mode");
WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode",0);
return 0;
}
void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX* ctx, CallbackSniRecv cb)
{
WOLFSSL_ENTER("wolfSSL_CTX_set_servername_callback");
if (ctx)
ctx->sniRecvCb = cb;
}
void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX* ctx, void* arg)
{
WOLFSSL_ENTER("wolfSSL_CTX_set_servername_arg");
if (ctx)
ctx->sniRecvCbArg = arg;
}
#endif /* OPENSSL_EXTRA and HAVE_STUNNEL */
#if defined(OPENSSL_EXTRA) && defined(HAVE_CURVE25519)

38
src/tls.c
View File

@ -1003,6 +1003,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
#ifndef NO_WOLFSSL_SERVER
word16 size = 0;
word16 offset = 0;
byte forceKeep = 0;
#endif
TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION);
@ -1010,9 +1011,17 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (!extension)
extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION);
if (!extension || !extension->data)
if (!extension || !extension->data) {
#if defined(WOLFSSL_ALWAYS_KEEP_SNI) && !defined(NO_WOLFSSL_SERVER)
forceKeep = 1;
WOLFSSL_MSG("Forcing SSL object to store SNI parameter");
#else
return isRequest ? 0 /* not using SNI. */
: BUFFER_ERROR; /* unexpected SNI response. */
#endif
}
if (!isRequest)
return length ? BUFFER_ERROR /* SNI response MUST be empty. */
@ -1043,14 +1052,16 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (offset + size > length)
return BUFFER_ERROR;
if (!(sni = TLSX_SNI_Find((SNI*)extension->data, type)))
if (!forceKeep && !(sni = TLSX_SNI_Find((SNI*)extension->data, type)))
continue; /* not using this type of SNI. */
switch(type) {
case WOLFSSL_SNI_HOST_NAME: {
byte matched = (XSTRLEN(sni->data.host_name) == size)
int matchStat;
byte matched = forceKeep ||
((XSTRLEN(sni->data.host_name) == size)
&& (XSTRNCMP(sni->data.host_name,
(const char*)input + offset, size) == 0);
(const char*)input + offset, size) == 0));
if (matched || sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH) {
int r = TLSX_UseSNI(&ssl->extensions,
@ -1059,12 +1070,21 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (r != SSL_SUCCESS)
return r; /* throws error. */
TLSX_SNI_SetStatus(ssl->extensions, type,
matched ? WOLFSSL_SNI_REAL_MATCH
: WOLFSSL_SNI_FAKE_MATCH);
TLSX_SetResponse(ssl, SERVER_NAME_INDICATION);
if(forceKeep) {
WOLFSSL_MSG("Forcing storage of SNI, Fake match");
matchStat = WOLFSSL_SNI_FORCE_KEEP;
} else if(matched) {
WOLFSSL_MSG("SNI did match!");
matchStat = WOLFSSL_SNI_REAL_MATCH;
} else {
WOLFSSL_MSG("fake SNI match from ANSWER_ON_MISMATCH");
matchStat = WOLFSSL_SNI_FAKE_MATCH;
}
TLSX_SNI_SetStatus(ssl->extensions, type, matchStat);
if(!forceKeep)
TLSX_SetResponse(ssl, SERVER_NAME_INDICATION);
} else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) {
SendAlert(ssl, alert_fatal, unrecognized_name);

4
wolfssl/internal.h
View File

@ -1668,6 +1668,8 @@ struct WOLFSSL_CTX {
#endif /* OPENSSL_EXTRA */
#ifdef HAVE_STUNNEL
void* ex_data[MAX_EX_DATA];
CallbackSniRecv sniRecvCb;
void* sniRecvCbArg;
#endif
#ifdef HAVE_OCSP
WOLFSSL_OCSP ocsp;
@ -2418,6 +2420,8 @@ struct WOLFSSL {
};
WOLFSSL_LOCAL
int SetSSL_CTX(WOLFSSL*, WOLFSSL_CTX*);
WOLFSSL_LOCAL
int InitSSL(WOLFSSL*, WOLFSSL_CTX*);
WOLFSSL_LOCAL

69
wolfssl/openssl/ocsp.h
View File

@ -1 +1,68 @@
/* ocsp.h for libcurl */
/* ocsp.h
*
* Copyright (C) 2015 wolfSSL Inc.
*
* This file is part of wolfSSL. (formerly known as CyaSSL)
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
#ifndef WOLFSSL_OCSP_H_
#define WOLFSSL_OCSP_H_
#include <wolfssl/openssl/ssl.h>
#include <wolfssl/openssl/evp.h>
#ifdef __cplusplus
extern "C" {
#endif
#ifdef HAVE_STUNNEL
#define X509_get1_ocsp wolfSSL_X509_get1_ocsp
#define OCSP_CERTID_free wolfSSL_OCSP_CERTID_free
#define OCSP_cert_to_id wolfSSL_OCSP_cert_to_id
#define OCSP_REQUEST_free wolfSSL_OCSP_REQUEST_free
#define OPENSSL_STRING WOLFSSL_STRING
#define sk_OPENSSL_STRING_value wolfSSL_sk_WOLFSSL_STRING_value
#define sk_OPENSSL_STRING_num wolfSSL_sk_WOLFSSL_STRING_num
typedef WOLFSSL_OCSP_CERTID OCSP_CERTID;
typedef char* WOLFSSL_STRING;
typedef WOLFSSL_OCSP_RESPONSE OCSP_RESPONSE;
WOLFSSL_API WOLFSSL_STRING *wolfSSL_X509_get1_ocsp(WOLFSSL_X509*);
WOLFSSL_API void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* cert);
WOLFSSL_API
WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(const WOLFSSL_EVP_MD*,
WOLFSSL_X509*, WOLFSSL_X509*);
WOLFSSL_API
int wolfSSL_sk_WOLFSSL_STRING_num(const STACK_OF(WOLFSSL_STRING)*);
WOLFSSL_API WOLFSSL_STRING wolfSSL_sk_WOLFSSL_STRING_value(
const STACK_OF(WOLFSSL_STRING)*, int);
WOLFSSL_API void wolfSSL_OCSP_REQUEST_free(WOLFSSL_OCSP_REQUEST*);
#endif /* HAVE_STUNNEL */
#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* WOLFSSL_EVP_H_ */

50
wolfssl/openssl/ssl.h
View File

@ -96,7 +96,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
#define SSL_get_verify_result(ctx) X509_V_OK
#define SSL_get_verify_mode wolfSSL_SSL_get_mode
#define SSL_get_verify_depth wolfSSL_get_verify_depth
#define SSL_CTX_get_verify_mode wolfSSL_CTX_get_mode
#define SSL_CTX_get_verify_mode wolfSSL_CTX_get_verify_mode
#define SSL_CTX_get_verify_depth wolfSSL_CTX_get_verify_depth
#define SSL_get_certificate(ctx) 0 /* used to pass to get_privatekey */
@ -477,8 +477,56 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
#define SSL_SESSION_get_id wolfSSL_SESSION_get_id
#define CRYPTO_dynlock_value WOLFSSL_dynlock_value
typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
typedef WOLFSSL_OCSP_REQUEST OCSP_REQUEST;
typedef WOLFSSL_OCSP_BASICRESP OCSP_BASICRESP;
typedef WOLFSSL_OCSP_REQ_CTX OCSP_REQ_CTX;
typedef WOLFSSL_OCSP_ONEREQ OCSP_ONEREQ;
#define V_OCSP_CERTSTATUS_UNKNOWN 2
#define X509_V_ERR_APPLICATION_VERIFICATION 50
#define V_OCSP_CERTSTATUS_GOOD 0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_ALERT_FATAL alert_fatal
#define SSL_TLSEXT_ERR_NOACK alert_warning
#define TLSEXT_NAMETYPE_host_name WOLFSSL_SNI_HOST_NAME
#define ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME
#define X509_NAME_cmp wolfSSL_X509_NAME_cmp
#define X509_email_free wolfSSL_X509_email_free
#define OCSP_REQUEST_new wolfSSL_OCSP_REQUEST_new
#define BIO_should_write wolfSSL_BIO_should_write
#define BIO_should_read wolfSSL_BIO_should_read
#define OCSP_check_nonce wolfSSL_OCSP_check_nonce
#define OCSP_cert_status_str wolfSSL_OCSP_cert_status_str
#define OCSP_basic_verify wolfSSL_OCSP_basic_verify
#define OCSP_REQ_CTX_free wolfSSL_OCSP_REQ_CTX_free
#define OCSP_RESPONSE_free wolfSSL_OCSP_RESPONSE_free
#define OCSP_BASICRESP_free wolfSSL_OCSP_BASICRESP_free
#define OCSP_response_get1_basic wolfSSL_OCSP_response_get1_basic
#define OCSP_resp_find_status wolfSSL_OCSP_resp_find_status
#define OCSP_request_add1_nonce wolfSSL_OCSP_request_add1_nonce
#define OCSP_request_add0_id wolfSSL_OCSP_request_add0_id
#define OCSP_crl_reason_str wolfSSL_OCSP_crl_reason_str
#define OCSP_check_validity wolfSSL_OCSP_check_validity
#define X509_STORE_CTX_get_chain wolfSSL_X509_STORE_CTX_get_chain
#define OCSP_sendreq_new wolfSSL_OCSP_sendreq_new
#define OCSP_sendreq_nbio wolfSSL_OCSP_sendreq_nbio
#define OCSP_cert_status_str wolfSSL_OCSP_cert_status_str
#define OCSP_response_status wolfSSL_OCSP_response_status
#define OCSP_response_status_str wolfSSL_OCSP_response_status_str
#define SSL_set_tlsext_host_name wolfSSL_set_tlsext_host_name
#define SSL_get_servername wolfSSL_get_servername
#define SSL_set_SSL_CTX wolfSSL_set_SSL_CTX
#define SSL_CTX_get_verify_callback wolfSSL_CTX_get_verify_callback
#define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_servername_callback
#define SSL_CTX_set_tlsext_servername_arg wolfSSL_CTX_set_servername_arg
#endif /* HAVE_STUNNEL */
#ifdef __cplusplus

94
wolfssl/ssl.h
View File

@ -573,12 +573,12 @@ enum {
OCSP_TRUSTOTHER = 512,
OCSP_RESPID_KEY = 1024,
OCSP_NOTIME = 2048,
#ifndef HAVE_STUNNEL
OCSP_CERTID = 2,
OCSP_REQUEST = 4,
OCSP_RESPONSE = 8,
OCSP_BASICRESP = 16,
#endif
WOLFSSL_OCSP_URL_OVERRIDE = 1,
WOLFSSL_OCSP_NO_NONCE = 2,
WOLFSSL_OCSP_CHECKALL = 4,
@ -1315,7 +1315,8 @@ WOLFSSL_API void wolfSSL_CTX_SNI_SetOptions(WOLFSSL_CTX* ctx,
enum {
WOLFSSL_SNI_NO_MATCH = 0,
WOLFSSL_SNI_FAKE_MATCH = 1, /**< @see WOLFSSL_SNI_ANSWER_ON_MISMATCH */
WOLFSSL_SNI_REAL_MATCH = 2
WOLFSSL_SNI_REAL_MATCH = 2,
WOLFSSL_SNI_FORCE_KEEP = 3 /** Used with -DWOLFSSL_ALWAYS_KEEP_SNI */
};
WOLFSSL_API unsigned char wolfSSL_SNI_Status(WOLFSSL* ssl, unsigned char type);
@ -1559,6 +1560,16 @@ WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x);
#include <wolfssl/openssl/crypto.h>
/* SNI received callback type */
typedef int (*CallbackSniRecv)(WOLFSSL *ssl, int *ret, void* exArg);
typedef struct WOLFSSL_OCSP_CERTID WOLFSSL_OCSP_CERTID;
typedef struct WOLFSSL_OCSP_RESPONSE WOLFSSL_OCSP_RESPONSE;
typedef struct WOLFSSL_OCSP_REQUEST WOLFSSL_OCSP_REQUEST;
typedef struct WOLFSSL_OCSP_BASICRESP WOLFSSL_OCSP_BASICRESP;
typedef struct WOLFSSL_OCSP_REQ_CTX WOLFSSL_OCSP_REQ_CTX;
typedef struct WOLFSSL_OCSP_ONEREQ WOLFSSL_OCSP_ONEREQ;
WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int),
void *(*r) (void *, size_t, const char *, int), void (*f) (void *));
@ -1581,7 +1592,8 @@ WOLFSSL_API int wolfSSL_sk_X509_NAME_num(const STACK_OF(WOLFSSL_X509_NAME) *s);
WOLFSSL_API int wolfSSL_sk_X509_num(const STACK_OF(WOLFSSL_X509) *s);
WOLFSSL_API int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO*,WOLFSSL_X509_NAME*,int,unsigned long);
WOLFSSL_API int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO*,WOLFSSL_X509_NAME*,int,
unsigned long);
WOLFSSL_API WOLFSSL_ASN1_BIT_STRING* wolfSSL_X509_get0_pubkey_bitstr(
const WOLFSSL_X509*);
@ -1612,7 +1624,79 @@ WOLFSSL_API int wolfSSL_SESSION_get_ex_new_index(long,void*,void*,void*,
WOLFSSL_API int wolfSSL_X509_NAME_get_sz(WOLFSSL_X509_NAME*);
WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(WOLFSSL_SESSION*, unsigned int*);
WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(WOLFSSL_SESSION*,
unsigned int*);
WOLFSSL_API int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME *,
const WOLFSSL_X509_NAME *);
WOLFSSL_API void wolfSSL_X509_email_free(void *);
WOLFSSL_API WOLFSSL_OCSP_REQUEST* wolfSSL_OCSP_REQUEST_new(void);
WOLFSSL_API int wolfSSL_BIO_should_write(WOLFSSL_BIO *);
WOLFSSL_API int wolfSSL_BIO_should_read(WOLFSSL_BIO *);
WOLFSSL_API int wolfSSL_OCSP_check_nonce(WOLFSSL_OCSP_REQUEST*,
WOLFSSL_OCSP_BASICRESP*);
WOLFSSL_API int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP*,
STACK_OF(WOLFSSL_X509)*, WOLFSSL_X509_STORE*,unsigned long);
WOLFSSL_API void wolfSSL_OCSP_REQ_CTX_free(WOLFSSL_OCSP_REQ_CTX *);
WOLFSSL_API int wolfSSL_OCSP_RESPONSE_free( WOLFSSL_OCSP_RESPONSE*);
WOLFSSL_API int wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP*);
WOLFSSL_API
WOLFSSL_OCSP_BASICRESP *wolfSSL_OCSP_response_get1_basic(WOLFSSL_OCSP_RESPONSE*);
WOLFSSL_API int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP*,
WOLFSSL_OCSP_CERTID *, int *, int *,
WOLFSSL_ASN1_TIME**, WOLFSSL_ASN1_TIME**, WOLFSSL_ASN1_TIME**);
WOLFSSL_API int wolfSSL_OCSP_request_add1_nonce(WOLFSSL_OCSP_REQUEST *,
unsigned char *, int );
WOLFSSL_API
WOLFSSL_OCSP_ONEREQ *wolfSSL_OCSP_request_add0_id(WOLFSSL_OCSP_REQUEST *,
WOLFSSL_OCSP_CERTID *);
WOLFSSL_API const char *wolfSSL_OCSP_crl_reason_str(long );
WOLFSSL_API int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME *,
WOLFSSL_ASN1_TIME*, long, long);
WOLFSSL_API
STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX *);
WOLFSSL_API WOLFSSL_OCSP_REQ_CTX *wolfSSL_OCSP_sendreq_new(WOLFSSL_BIO *io,
const char *path, WOLFSSL_OCSP_REQUEST *req, int maxline);
WOLFSSL_API int wolfSSL_OCSP_sendreq_nbio(WOLFSSL_OCSP_RESPONSE**,
WOLFSSL_OCSP_REQ_CTX *);
WOLFSSL_API const char *wolfSSL_OCSP_cert_status_str(long);
WOLFSSL_API int wolfSSL_OCSP_response_status(WOLFSSL_OCSP_RESPONSE *);
WOLFSSL_API const char *wolfSSL_OCSP_response_status_str(long);
WOLFSSL_API int wolfSSL_set_tlsext_host_name(WOLFSSL *, const char *);
WOLFSSL_API const char* wolfSSL_get_servername(WOLFSSL *, unsigned char);
WOLFSSL_API WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL*,WOLFSSL_CTX*);
WOLFSSL_API VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX*);
WOLFSSL_API int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx);
WOLFSSL_API void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX *,
CallbackSniRecv);
WOLFSSL_API void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX *, void*);
#endif /* HAVE_STUNNEL */
#ifdef __cplusplus