From bbb514fa6da2083783971c17f50a6519d6c59313 Mon Sep 17 00:00:00 2001 From: Hayden Roche Date: Thu, 12 Aug 2021 09:50:06 -0700 Subject: [PATCH] Add support for rsyslog. - Add an --enable-rsyslog option to configure.ac. - Add a few missing `WOLFSSL_ERROR` calls that were expected by rsyslog unit tests. - Add better documentation around `WOLFSSL_SHUTDOWN_NOT_DONE` and define it to be 0 (rather than 2) when `WOLFSSL_ERROR_CODE_OPENSSL` is defined. This is in accordance with OpenSSL documentation. Without this change, rsyslog was failing to do the bidirectional shutdown properly because it was checking the shutdown return value against 0. I'm keeping the old value when `WOLFSSL_ERROR_CODE_OPENSSL` isn't defined because it's part of the public wolfssl interface (it's in ssl.h). --- configure.ac | 31 ++++++++++++++++++++++++++++--- src/ssl.c | 1 + wolfcrypt/src/asn.c | 4 +++- wolfssl/openssl/opensslv.h | 4 +++- wolfssl/ssl.h | 15 ++++++++++++++- 5 files changed, 49 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index bc72485ea..092cddad2 100644 --- a/configure.ac +++ b/configure.ac @@ -785,6 +785,7 @@ AC_ARG_ENABLE([mcast], # ssl bump (--enable-bump) # signal (--enable-signal) # lighty (--enable-lighty) HAVE_LIGHTY +# rsyslog (--enable-rsyslog) # stunnel (--enable-stunnel) HAVE_STUNNEL # libest (--enable-libest) HAVE_LIBEST # asio (--enable-asio) WOLFSSL_ASIO @@ -845,6 +846,12 @@ AC_ARG_ENABLE([lighty], [ ENABLED_LIGHTY=$enableval ], [ ENABLED_LIGHTY=no ] ) +# rsyslog Support +AC_ARG_ENABLE([rsyslog], + [AS_HELP_STRING([--enable-rsyslog],[Enable rsyslog (default: disabled)])], + [ ENABLED_RSYSLOG=$enableval ], + [ ENABLED_RSYSLOG=no ] + ) # haproxy compatibility build AC_ARG_ENABLE([haproxy], @@ -978,7 +985,11 @@ AC_ARG_ENABLE([opensslall], [ ENABLED_OPENSSLALL=$enableval ], [ ENABLED_OPENSSLALL=no ] ) -if test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_WPAS_DPP" = "yes" || test "$ENABLED_SMIME" = "yes" || test "$ENABLED_HAPROXY" = "yes" || test "$ENABLED_BIND" = "yes" || test "$ENABLED_NTP" == "yes" || test "$ENABLED_NETSNMP" = "yes" || test "$ENABLED_OPENRESTY" = "yes" +if test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "$ENABLED_OPENVPN" = "yes" || \ + test "$ENABLED_WPAS_DPP" = "yes" || test "$ENABLED_SMIME" = "yes" || \ + test "$ENABLED_HAPROXY" = "yes" || test "$ENABLED_BIND" = "yes" || \ + test "$ENABLED_NTP" == "yes" || test "$ENABLED_NETSNMP" = "yes" || \ + test "$ENABLED_OPENRESTY" = "yes" || test "$ENABLED_RSYSLOG" == "yes" then ENABLED_OPENSSLALL="yes" fi @@ -994,7 +1005,13 @@ AC_ARG_ENABLE([opensslextra], [ ENABLED_OPENSSLEXTRA=$enableval ], [ ENABLED_OPENSSLEXTRA=no ] ) -if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || test "$ENABLED_SIGNAL" = "yes" || test "$ENABLED_WPAS" = "yes" || test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_BUMP" = "yes" || test "$ENABLED_SNIFFER" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || test "x$ENABLED_NTP" = "xyes" +if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \ + test "$ENABLED_SIGNAL" = "yes" || test "$ENABLED_WPAS" = "yes" || \ + test "$ENABLED_FORTRESS" = "yes" || test "$ENABLED_BUMP" = "yes" || \ + test "$ENABLED_SNIFFER" = "yes" || test "$ENABLED_OPENSSLALL" = "yes" || \ + test "$ENABLED_LIBWEBSOCKETS" = "yes" || \ + test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \ + test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" == "yes" then ENABLED_OPENSSLEXTRA="yes" fi @@ -2869,7 +2886,7 @@ AC_ARG_ENABLE([anon], [ ENABLED_ANON=no ] ) -if test "x$ENABLED_WPAS" = "xyes" || test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" +if test "x$ENABLED_WPAS" = "xyes" || test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "$ENABLED_RSYSLOG" == "yes" then ENABLED_ANON=yes fi @@ -4442,6 +4459,13 @@ then ENABLED_SHA512="yes" fi +if test "$ENABLED_RSYSLOG" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_RSYSLOG -DFP_MAX_BITS=16384" + AM_CFLAGS="$AM_CFLAGS -DRSA_MAX_SIZE=8196 -DWOLFSSL_ERROR_CODE_OPENSSL" + AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA -DOPENSSL_COMPATIBLE_DEFAULTS" +fi + if test "$ENABLED_OPENVPN" = "yes" then ENABLED_SUPPORTED_CURVES="yes" @@ -7009,6 +7033,7 @@ echo " * STUNNEL: $ENABLED_STUNNEL" echo " * tcpdump: $ENABLED_TCPDUMP" echo " * libssh2: $ENABLED_LIBSSH2" echo " * ntp: $ENABLED_NTP" +echo " * rsyslog: $ENABLED_RSYSLOG" echo " * Apache httpd: $ENABLED_APACHE_HTTPD" echo " * NGINX: $ENABLED_NGINX" echo " * OpenResty: $ENABLED_OPENRESTY" diff --git a/src/ssl.c b/src/ssl.c index 34b407e90..d04b4eb35 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5733,6 +5733,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, if (info->passwd_cb) EVPerr(0, EVP_R_BAD_DECRYPT); #endif + WOLFSSL_ERROR(WOLFSSL_BAD_FILE); return WOLFSSL_BAD_FILE; } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 032794ccc..8874144c4 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -11519,8 +11519,10 @@ int PemToDer(const unsigned char* buff, long longSz, int type, der = *pDer; if (Base64_Decode((byte*)headerEnd, (word32)neededSz, - der->buffer, &der->length) < 0) + der->buffer, &der->length) < 0) { + WOLFSSL_ERROR(BUFFER_E); return BUFFER_E; + } if ((header == BEGIN_PRIV_KEY #ifdef OPENSSL_EXTRA diff --git a/wolfssl/openssl/opensslv.h b/wolfssl/openssl/opensslv.h index 38bf2be34..f0c874cd8 100644 --- a/wolfssl/openssl/opensslv.h +++ b/wolfssl/openssl/opensslv.h @@ -30,7 +30,9 @@ defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER == 0x10100000L) ||\ defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER == 0x10001040L) /* valid version */ -#elif defined(WOLFSSL_APACHE_HTTPD) || defined(HAVE_LIBEST) || defined(WOLFSSL_BIND) || defined(WOLFSSL_NGINX) +#elif defined(WOLFSSL_APACHE_HTTPD) || defined(HAVE_LIBEST) || \ + defined(WOLFSSL_BIND) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_RSYSLOG) /* For Apache httpd, Use 1.1.0 compatibility */ #define OPENSSL_VERSION_NUMBER 0x10100000L #elif defined(WOLFSSL_QT) diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 8c7a609a4..4d546e432 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2218,7 +2218,20 @@ enum { /* ssl Constants */ WOLFSSL_ERROR_NONE = 0, /* for most functions */ WOLFSSL_FAILURE = 0, /* for some functions */ WOLFSSL_SUCCESS = 1, - WOLFSSL_SHUTDOWN_NOT_DONE = 2, /* call wolfSSL_shutdown again to complete */ + +/* WOLFSSL_SHUTDOWN_NOT_DONE is returned by wolfSSL_shutdown when the other end + * of the connection has yet to send its close notify alert as part of the + * bidirectional shutdown. To complete the shutdown, either keep calling + * wolfSSL_shutdown until it returns WOLFSSL_SUCCESS or call wolfSSL_read until + * it returns <= 0 AND SSL_get_error returns SSL_ERROR_ZERO_RETURN. See OpenSSL + * docs for more: https://www.openssl.org/docs/man1.1.1/man3/SSL_shutdown.html + */ +#ifdef WOLFSSL_ERROR_CODE_OPENSSL +/* SSL_shutdown returns 0 when not done, per OpenSSL documentation. */ + WOLFSSL_SHUTDOWN_NOT_DONE = 0, +#else + WOLFSSL_SHUTDOWN_NOT_DONE = 2, +#endif WOLFSSL_ALPN_NOT_FOUND = -9, WOLFSSL_BAD_CERTTYPE = -8,