diff --git a/CMakeLists.txt b/CMakeLists.txt index ac41b964c..690ed9f5c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -110,7 +110,6 @@ add_library(wolfssl wolfcrypt/src/cryptocb.c wolfcrypt/src/curve25519.c wolfcrypt/src/curve448.c - wolfcrypt/src/debug.c wolfcrypt/src/des3.c wolfcrypt/src/dh.c wolfcrypt/src/dsa.c diff --git a/configure.ac b/configure.ac index 08308a93d..383b4f8be 100644 --- a/configure.ac +++ b/configure.ac @@ -5783,9 +5783,16 @@ AM_CONDITIONAL([BUILD_PKCS7],[test "x$ENABLED_PKCS7" = "xyes" || test "x$ENABLED AM_CONDITIONAL([BUILD_HASHFLAGS],[test "x$ENABLED_HASHFLAGS" = "xyes"]) AM_CONDITIONAL([BUILD_LINUXKM],[test "$ENABLED_LINUXKM" = "yes"]) AM_CONDITIONAL([BUILD_NO_LIBRARY],[test "$ENABLED_NO_LIBRARY" = "yes"]) -AM_CONDITIONAL([BUILD_DEBUG],[test "$ax_enable_debug" = "yes" || test "$ENABLED_STACKSIZE" = "yes"]) AM_CONDITIONAL([BUILD_RC2],[test "x$ENABLED_RC2" = "xyes"]) +if test "$ax_enable_debug" = "yes" || + test "$ENABLED_STACKSIZE" = "yes" || + (test "$ENABLED_LEANTLS" = "no" && + test "$ENABLED_LEANPSK" = "no" && + test "$ENABLED_LOWRESOURCE" = "no") +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_WC_INTROSPECTION" +fi CREATE_HEX_VERSION AC_SUBST([AM_CPPFLAGS]) @@ -6091,6 +6098,11 @@ echo " * Crypto callbacks: $ENABLED_CRYPTOCB" echo "" echo "---" +echo >> config.h +echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ac_configure_args\"" >> config.h +echo >> config.h +echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS\"" >> config.h + ################################################################################ # Show warnings at bottom so they are noticed ################################################################################ diff --git a/examples/client/client.c b/examples/client/client.c index 88795ac0d..75e9d7e21 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -24,6 +24,9 @@ #include #endif +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif #include #include 
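Review bot: The new `if test "$ax_enable_debug" = "yes" || …` block turns HAVE_WC_INTROSPECTION on for every build that is not lean/low-resource and offers no configure switch to opt out, so the configure line and the full CFLAGS become string literals in the shipped library by default. The removed `AM_CONDITIONAL([BUILD_DEBUG],…)` only gated debug.c, so this is new default behaviour rather than a rename, and a deployer who does not want build metadata in the binary currently has to go lean to avoid it. Consider an explicit enable/disable option for the introspection strings, surfaced in the configure summary printed further down, so that choice is visible and reversible.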
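Review bot: The `echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS\"" >> config.h` line (and the LIBWOLFSSL_CONFIGURE_ARGS line above it) writes raw flag text into a C string literal without escaping, so any flag containing a double quote or backslash — e.g. `CFLAGS='-DFOO="bar"'` — yields an unterminated literal and every translation unit that includes config.h stops compiling. Escape first, for instance `escaped_cflags=$(printf '%s' "$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS" | sed 's/[\\"]/\\&/g')`, and use `$escaped_cflags` inside the `#define`. Appending with `echo >>` also presumes config.h has already been generated at this point in configure.ac, which cannot be confirmed from the hunk.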
@@ -952,7 +955,9 @@ static const char* client_usage_msg[][66] = { #ifdef NO_RSA "RSA not supported\n", /* 2 */ #elif defined(WOLFSSL_SP_MATH) /* case of SP math only */ -#ifndef WOLFSSL_SP_NO_3072 +#ifdef WOLFSSL_SP_4096 + "4096\n", /* 2 */ +#elif !defined(WOLFSSL_SP_NO_3072) "3072\n", /* 2 */ #elif !defined(WOLFSSL_SP_NO_2048) "2048\n", /* 2 */ @@ -1655,7 +1660,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) while ((ch = mygetopt(argc, argv, "?:" "ab:c:defgh:i;jk:l:mnop:q:rstuv:wxyz" "A:B:CDE:F:GH:IJKL:M:NO:PQRS:TUVW:XYZ:" - "01:23:458")) != -1) { + "01:23:458" + "@#")) != -1) { switch (ch) { case '?' : if(myoptarg!=NULL) { @@ -2122,6 +2128,40 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif break; + case '@' : + { +#ifdef HAVE_WC_INTROSPECTION + const char *conf_args = wolfSSL_configure_args(); + if (conf_args) { + puts(conf_args); + XEXIT_T(EXIT_SUCCESS); + } else { + fputs("configure args not compiled in.\n",stderr); + XEXIT_T(MY_EX_USAGE); + } +#else + fputs("compiled without BUILD_INTROSPECTION.\n",stderr); + XEXIT_T(MY_EX_USAGE); +#endif + } + + case '#' : + { +#ifdef HAVE_WC_INTROSPECTION + const char *cflags = wolfSSL_global_cflags(); + if (cflags) { + puts(cflags); + XEXIT_T(EXIT_SUCCESS); + } else { + fputs("CFLAGS not compiled in.\n",stderr); + XEXIT_T(MY_EX_USAGE); + } +#else + fputs("compiled without BUILD_INTROSPECTION.\n",stderr); + XEXIT_T(MY_EX_USAGE); +#endif + } + default: Usage(); XEXIT_T(MY_EX_USAGE); diff --git a/examples/server/server.c b/examples/server/server.c index 09eb86025..0bd6efd2c 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -23,9 +23,14 @@ #ifdef HAVE_CONFIG_H #include #endif + +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif +#include + #include /* name change portability layer */ -#include #ifdef HAVE_ECC #include /* wc_ecc_fp_free */ #endif 
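Review bot: Both `#else` branches print `compiled without BUILD_INTROSPECTION.` while the guard actually tested is `HAVE_WC_INTROSPECTION`, so the message points a user at a symbol that does not control the feature; the same text appears in the server.c hunk at @@ -1552. Suggest `fputs("compiled without HAVE_WC_INTROSPECTION.\n", stderr);` in all four places. The `case '@'` and `case '#'` bodies also end without `break;`; if `XEXIT_T` does not terminate the process in some configuration, control falls into `default:` and prints the usage text, so a trailing `break;` after each block makes the intent explicit either way. client_test() begins and ends outside the hunk.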
@@ -1152,7 +1157,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) while ((ch = mygetopt(argc, argv, "?:" "abc:defgijk:l:mnop:q:rstuv:wxy" "A:B:C:D:E:FGH:IJKL:MNO:PQR:S:TUVYZ:" - "01:23:4:58")) != -1) { + "01:23:4:58" + "@#")) != -1) { switch (ch) { case '?' : if(myoptarg!=NULL) { @@ -1552,6 +1558,40 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif break; + case '@' : + { +#ifdef HAVE_WC_INTROSPECTION + const char *conf_args = wolfSSL_configure_args(); + if (conf_args) { + puts(conf_args); + XEXIT_T(EXIT_SUCCESS); + } else { + fputs("configure args not compiled in.\n",stderr); + XEXIT_T(MY_EX_USAGE); + } +#else + fputs("compiled without BUILD_INTROSPECTION.\n",stderr); + XEXIT_T(MY_EX_USAGE); +#endif + } + + case '#' : + { +#ifdef HAVE_WC_INTROSPECTION + const char *cflags = wolfSSL_global_cflags(); + if (cflags) { + puts(cflags); + XEXIT_T(EXIT_SUCCESS); + } else { + fputs("CFLAGS not compiled in.\n",stderr); + XEXIT_T(MY_EX_USAGE); + } +#else + fputs("compiled without BUILD_INTROSPECTION.\n",stderr); + XEXIT_T(MY_EX_USAGE); +#endif + } + default: Usage(); XEXIT_T(MY_EX_USAGE); diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index 7ef60ea8f..0d93dda92 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test @@ -16,6 +16,31 @@ if [ $? -eq 0 ]; then exit 0 fi +if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then + IPV6_SUPPORTED=yes +else + IPV6_SUPPORTED=no +fi + +if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then + if [[ "$IPV6_SUPPORTED" == "no" ]]; then + echo 'Skipping IPV6 test in environment lacking IPV6 support.' + exit 0 + fi + LOCALHOST='[::1]' + LOCALHOST_FOR_NC='::1' + V4V6=6 + V4V6_FLAG=-6 +else + LOCALHOST='127.0.0.1' + LOCALHOST_FOR_NC='127.0.0.1' + if [[ "$IPV6_SUPPORTED" == "yes" ]]; then + V4V6_FLAG=-4 + else + V4V6_FLAG= + fi + V4V6=4 +fi PARENTDIR="$PWD" 
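Review bot: The IPv6 decision on `./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '` silently falls back to IPv4 when the client binary was built without HAVE_WC_INTROSPECTION, because the pipeline's status is fgrep's and the client's error text goes to stderr; a TEST_IPV6 build without introspection would then run the IPv4 path and fail later with a less obvious error. Capture the output first, e.g. `client_cflags=$(./examples/client/client '-#' 2>/dev/null) || echo 'warning: client build flags unavailable, assuming IPv4'`, and grep that variable. The same pattern is in ocsp-stapling2.test at @@ -24. The `nc -h 2>&1 | fgrep -q -i ipv6` probe is a heuristic tied to the installed netcat flavor's help text; a one-line comment saying so would save the next person a debugging session.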
@@ -71,7 +96,7 @@ remove_single_rF(){ #create a configure file for cert generation with the port 0 solution create_new_cnf() { - printf '%s\n' "Random Port Selected: $RPORTSELECTED" + printf '%s\n' "Random Port Selected: $1" printf '%s\n' "#" > $test_cnf printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf @@ -183,7 +208,7 @@ get_first_free_port() { if [[ "$ret" -ge 65536 ]]; then ret=1024 fi - if ! nc -z 127.0.0.1 "$ret"; then + if ! nc -z $V4V6_FLAG $LOCALHOST_FOR_NC "$ret"; then break fi ret=$((ret+1)) @@ -201,7 +226,7 @@ port3=$(get_first_free_port $((port2 + 1))) # test interop fail case ready_file=$PWD/wolf_ocsp_readyF$$ printf '%s\n' "ready file: $ready_file" -./examples/server/server -b -p $port1 -o -R $ready_file & +timeout 60 ./examples/server/server -b -p $port1 -o -R $ready_file & wolf_pid=$! wait_for_readyFile $ready_file $wolf_pid $port1 if [ ! -f $ready_file ]; then @@ -209,9 +234,9 @@ if [ ! -f $ready_file ]; then exit 1 else # should fail if ocspstapling is also enabled - echo "hi" | openssl s_client -status -connect 127.0.0.1:$port1 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem - if [ $? -eq 0 ]; then - printf '%s\n' "Succeeded when should have failed" + echo "hi" | openssl s_client -status $V4V6_FLAG -connect ${LOCALHOST}:$port1 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem 2>&1 | tee /dev/stderr | fgrep -q 'self signed certificate in certificate chain' + if [ $? -neq 0 ]; then + printf '%s\n' "Expected verification error from s_client is missing." remove_single_rF $ready_file exit 1 fi 
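Review bot: `if [ $? -neq 0 ]; then` uses `-neq`, which is not a test(1) operator; `[` reports an error and returns non-zero, so the failure branch is never taken and the interop-fail case can no longer fail. It should read `if [ $? -ne 0 ]; then`. Since `$?` here is the status of the last command in the pipeline, it is fgrep's status as intended, but matching the literal `'self signed certificate in certificate chain'` is tied to one OpenSSL wording (newer releases hyphenate "self-signed"), so `grep -q 'self.signed certificate in certificate chain'` would be more durable.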
@@ -247,10 +272,13 @@ server=login.live.com #ca=certs/external/baltimore-cybertrust-root.pem ca=certs/external/ca_collection.pem -./examples/client/client -C -h $server -p 443 -A $ca -g -W 1 -RESULT=$? -[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 - +if [[ "$V4V6" == "4" ]]; then + ./examples/client/client -C -h $server -p 443 -A $ca -g -W 1 + RESULT=$? + [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 +else + echo "Skipping OCSP test on $server (IPv6 test client)" +fi # Test with example server @@ -341,7 +369,7 @@ generate_port() { # Start OpenSSL server that has no OCSP responses to return generate_port -openssl s_server -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port & +openssl s_server $V4V6_FLAG -cert ./certs/server-cert.pem -key certs/server-key.pem -www -port $port & openssl_pid=$! sleep 0.1 diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index f51e03fe4..c8787ec7d 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -24,6 +24,24 @@ if [ $? -eq 0 ]; then exit 0 fi +if openssl s_server -help 2>&1 | fgrep -q -i ipv6 && nc -h 2>&1 | fgrep -q -i ipv6; then + IPV6_SUPPORTED=yes +else + IPV6_SUPPORTED=no +fi + +if ./examples/client/client '-#' | fgrep -q -e ' -DTEST_IPV6 '; then + if [[ "$IPV6_SUPPORTED" == "no" ]]; then + echo 'Skipping IPV6 test in environment lacking IPV6 support.' + exit 0 + fi + LOCALHOST='[::1]' + LOCALHOST_FOR_NC='-6 ::1' +else + LOCALHOST='127.0.0.1' + LOCALHOST_FOR_NC='127.0.0.1' +fi + PARENTDIR="$PWD" # create a unique workspace directory ending in PID for the script instance ($$) @@ -87,7 +105,7 @@ remove_single_rF(){ #create a configure file for cert generation with the port 0 solution create_new_cnf() { - printf '%s\n' "Random Port Selected: $RPORTSELECTED" + printf '%s\n' "Random Ports Selected: $1 $2 $3 $4" printf '%s\n' "#" > $test_cnf printf '%s\n' "# openssl configuration file for OCSP certificates" >> $test_cnf 
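Review bot: `LOCALHOST_FOR_NC='-6 ::1'` packs a command-line flag into what the name says is a host, and it only works because `${LOCALHOST_FOR_NC}` is later expanded unquoted in get_first_free_port; the sibling ocsp-stapling.test keeps these apart as `V4V6_FLAG` and `LOCALHOST_FOR_NC`. Using the same two variables here keeps the scripts consistent and survives someone quoting the expansion. That script also passes `$V4V6_FLAG` to `openssl s_client`, whereas the `-connect ${LOCALHOST}:$port5` call in the @@ -396 hunk relies on the bracketed literal alone; probably fine since `[::1]` is unambiguous, but worth confirming on an IPv6 run.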
@@ -209,7 +227,7 @@ get_first_free_port() { if [[ "$ret" -ge 65536 ]]; then ret=1024 fi - if ! nc -z 127.0.0.1 "$ret"; then + if ! nc -z ${LOCALHOST_FOR_NC} "$ret"; then break fi ret=$((ret+1)) @@ -396,7 +414,7 @@ remove_single_rF $ready_file5 -p $port5 -H loadSSL & server_pid5=$! wait_for_readyFile $ready_file5 $server_pid5 $port5 -echo "test connection" | openssl s_client -status -connect 127.0.0.1:$port5 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem +echo "test connection" | openssl s_client -status -connect ${LOCALHOST}:$port5 -cert ./certs/client-cert.pem -key ./certs/client-key.pem -CAfile ./certs/ocsp/root-ca-cert.pem RESULT=$? [ $RESULT -ne 0 ] && printf '\n\n%s\n' "Client connection failed $RESULT" && exit 1 wait $server_pid5 @@ -407,7 +425,7 @@ fi printf '%s\n\n' "Test successful" printf '%s\n\n' "------------- TEST CASE 8 SHOULD REVOKE ----------------------" remove_single_rF $ready_file5 -./examples/server/server -c certs/ocsp/server4-cert.pem \ +timeout 60 ./examples/server/server -c certs/ocsp/server4-cert.pem \ -k certs/ocsp/server4-key.pem -R $ready_file5 \ -p $port5 -H loadSSL & server_pid5=$! diff --git a/scripts/openssl.test b/scripts/openssl.test index ed5cd2d85..059d9f551 100755 --- a/scripts/openssl.test +++ b/scripts/openssl.test @@ -204,7 +204,7 @@ start_wolfssl_server() { echo "# $WOLFSSL_SERVER -p $server_port $wolfssl_cert $wolfssl_key $wolfssl_caCert -g -v d -x -i $psk $crl -l ALL" $WOLFSSL_SERVER -p $server_port $wolfssl_cert $wolfssl_key $wolfssl_caCert -g -v d -x -i $psk $crl -l ALL & server_pid=$! - # wait to see if s_server successfully starts before continuing + # wait to see if server successfully starts before continuing sleep 0.1 check_process_running diff --git a/src/include.am b/src/include.am index 577a81e82..bb4fc1625 100644 --- a/src/include.am +++ b/src/include.am 
@@ -317,11 +317,6 @@ src_libwolfssl_la_SOURCES += \ wolfcrypt/src/wc_port.c \ wolfcrypt/src/error.c -if BUILD_DEBUG -src_libwolfssl_la_SOURCES += \ - wolfcrypt/src/debug.c -endif - if !BUILD_FIPS_RAND src_libwolfssl_la_SOURCES += \ wolfcrypt/src/wc_encrypt.c \ diff --git a/wolfcrypt/src/chacha20_poly1305.c b/wolfcrypt/src/chacha20_poly1305.c index 20827e041..5d55b9208 100644 --- a/wolfcrypt/src/chacha20_poly1305.c +++ b/wolfcrypt/src/chacha20_poly1305.c @@ -435,7 +435,8 @@ static WC_INLINE int wc_XChaCha20Poly1305_crypt_oneshot( out: - XMEMSET(aead, 0, sizeof *aead); + ForceZero(aead, sizeof *aead); + #if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_NO_MALLOC) XFREE(aead, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif diff --git a/wolfcrypt/src/debug.c b/wolfcrypt/src/debug.c deleted file mode 100644 index cf51fc639..000000000 --- a/wolfcrypt/src/debug.c +++ /dev/null 
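Review bot: Replacing XMEMSET with `ForceZero(aead, sizeof *aead);` at the `out:` label is the right change — a plain memset of a buffer that is freed or goes out of scope immediately afterwards can be dropped by the optimizer, leaving key material in memory. One thing to confirm, since wc_XChaCha20Poly1305_crypt_oneshot begins outside the hunk: every `goto out` must reach this line with `aead` non-NULL, in particular any failure path of the WOLFSSL_SMALL_STACK allocation, otherwise ForceZero (like the XMEMSET it replaces) dereferences NULL. If such a path exists, `if (aead != NULL) ForceZero(aead, sizeof *aead);` keeps both the zeroization and the cleanup safe.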
@@ -1,37 +0,0 @@ -/* debug.c - * - * Copyright (C) 2006-2020 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - - -#ifdef HAVE_CONFIG_H - #include -#endif - -#include -#include -#include - -#ifdef HAVE_STACK_SIZE_VERBOSE -WOLFSSL_API THREAD_LS_T unsigned char *StackSizeCheck_myStack = NULL; -WOLFSSL_API THREAD_LS_T size_t StackSizeCheck_stackSize = 0; -WOLFSSL_API THREAD_LS_T size_t StackSizeCheck_stackSizeHWM = 0; -WOLFSSL_API THREAD_LS_T size_t *StackSizeCheck_stackSizeHWM_ptr = 0; -WOLFSSL_API THREAD_LS_T void *StackSizeCheck_stackOffsetPointer = 0; -#endif diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index bf2ae5085..738cc5419 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c 
@@ -111,6 +111,38 @@ static WC_INLINE double current_time(int reset) } #endif /* WOLFSSL_FUNC_TIME */ +#ifdef HAVE_WC_INTROSPECTION + +const char *wolfSSL_configure_args(void) { +#ifdef LIBWOLFSSL_CONFIGURE_ARGS + /* the spaces on either side are to make matching simple and efficient. */ + return " " LIBWOLFSSL_CONFIGURE_ARGS " "; +#else + return NULL; +#endif +} + +const char *wolfSSL_global_cflags(void) { +#ifdef LIBWOLFSSL_GLOBAL_CFLAGS + /* the spaces on either side are to make matching simple and efficient. */ + return " " LIBWOLFSSL_GLOBAL_CFLAGS " "; +#else + return NULL; +#endif +} + +#endif /* HAVE_WC_INTROSPECTION */ + +#ifdef HAVE_STACK_SIZE_VERBOSE + +THREAD_LS_T unsigned char *StackSizeCheck_myStack = NULL; +THREAD_LS_T size_t StackSizeCheck_stackSize = 0; +THREAD_LS_T size_t StackSizeCheck_stackSizeHWM = 0; +THREAD_LS_T size_t *StackSizeCheck_stackSizeHWM_ptr = 0; +THREAD_LS_T void *StackSizeCheck_stackOffsetPointer = 0; + +#endif /* HAVE_STACK_SIZE_VERBOSE */ + #ifdef DEBUG_WOLFSSL /* Set these to default values initially. */ diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h index 3dcd7de29..a6438cc2f 100644 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -100,6 +100,10 @@ WOLFSSL_API int wolfSSL_Debugging_ON(void); /* turn logging off */ WOLFSSL_API void wolfSSL_Debugging_OFF(void); +#ifdef HAVE_WC_INTROSPECTION + WOLFSSL_API const char *wolfSSL_configure_args(void); + WOLFSSL_API const char *wolfSSL_global_cflags(void); +#endif #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) WOLFSSL_LOCAL int wc_LoggingInit(void); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 7ee84a288..dc7c36a80 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -228,7 +228,6 @@ #include "wolfSSL.wolfSSL_conf.h" #endif - /* make sure old RNG name is used with CTaoCrypt FIPS */ #ifdef HAVE_FIPS #if !defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)
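Review bot: The definitions `const char *wolfSSL_configure_args(void) {` and `const char *wolfSSL_global_cflags(void) {` put the opening brace on the signature line, whereas this file (see `current_time` in the hunk context) and the wider code base place it on its own line. The StackSizeCheck_* definitions moved here from debug.c also drop the `WOLFSSL_API` that the deleted file carried; if the corresponding declarations are not marked WOLFSSL_API in a header, these symbols lose their export/visibility attribute on builds that use one — please confirm against the header, which is not in the diff. A comment above wolfSSL_configure_args noting that the returned literal is baked into every libwolfssl binary and is trivially readable from it would tell deployers who consider build paths or -D values sensitive that the lean/low-resource configuration is what keeps it out.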
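Review bot: The new `wolfSSL_configure_args` and `wolfSSL_global_cflags` declarations carry no documentation, and their contract is non-obvious: each returns a pointer to a static NUL-terminated literal that must not be freed, the text is padded with a leading and trailing space so callers can match ` -DFLAG ` exactly, and each returns NULL when the build did not record that value. A short Doxygen-style comment on each declaration stating the return value, the padding, the NULL case, and that both exist only under HAVE_WC_INTROSPECTION would let callers such as the example client/server and the test scripts rely on the spacing intentionally rather than by accident.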