Various OpenSSL compatibility expansion items, for Python 3.8.5 (#4347)

* make ASN1_OBJECT arg const in OBJ_obj2txt

* add ERR_LIB values to openssl/ssl.h

* add missing alert type definitions in openssl/ssl.h

* add definition for X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, no support

* define value for X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT

* use correct CRYPTO_THREADID arg type for wolfSSL_THREADID_set_callback callback

* add handshake type defines for compat layer message callback types

* define ASN1_R_HEADER_TOO_LONG for compatibility builds

* use correct return type for wolfSSL_THREADID_set_callback, remove Qt code no longer needed

src/internal.c

@@ -15830,6 +15830,13 @@ const char* AlertTypeToString(int type)
                 return unknown_ca_str;
             }
 
+        case access_denied:
+            {
+                static const char access_denied_str[] =
+                    "access_denied";
+                return access_denied_str;
+            }
+
         case decode_error:
             {
                 static const char decode_error_str[] =
@@ -15862,12 +15869,27 @@ const char* AlertTypeToString(int type)
             }
 
     #endif
+        case insufficient_security:
+            {
+                static const char insufficient_security_str[] =
+                    "insufficient_security";
+                return insufficient_security_str;
+            }
+
         case internal_error:
             {
                 static const char internal_error_str[] =
                     "internal_error";
                 return internal_error_str;
             }
+
+        case user_canceled:
+            {
+                static const char user_canceled_str[] =
+                    "user_canceled";
+                return user_canceled_str;
+            }
+
         case no_renegotiation:
             {
                 static const char no_renegotiation_str[] =

src/ssl.c

@@ -43856,11 +43856,12 @@ err:
         return NULL;
     }
 
-    /* if no_name is one than use numerical form otherwise can be short name.
+    /* If no_name is one then use numerical form, otherwise short name.
      *
-     * returns the buffer size on success
+     * Returns the buffer size on success, WOLFSSL_FAILURE on error
      */
-    int wolfSSL_OBJ_obj2txt(char *buf, int bufLen, WOLFSSL_ASN1_OBJECT *a, int no_name)
+    int wolfSSL_OBJ_obj2txt(char *buf, int bufLen, const WOLFSSL_ASN1_OBJECT *a,
+                            int no_name)
     {
         int bufSz;
         const char* desc;
@@ -43938,13 +43939,7 @@ err:
         }
 
         buf[bufSz] = '\0';
-        #ifdef WOLFSSL_QT
+
-            /* For unknown extension types, QT expects the short name to be the
-                text representation of the oid */
-            if (XSTRLEN(a->sName) == 0) {
-                XMEMCPY(a->sName, buf, bufSz);
-            }
-        #endif
         return bufSz;
     }
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
@@ -47116,12 +47111,14 @@ void wolfSSL_ERR_load_BIO_strings(void) {
 #endif
 
 #ifndef NO_WOLFSSL_STUB
-void wolfSSL_THREADID_set_callback(void(*threadid_func)(void*))
+/* Set THREADID callback, return 1 on success, 0 on error */
+int wolfSSL_THREADID_set_callback(
+        void(*threadid_func)(WOLFSSL_CRYPTO_THREADID*))
 {
     WOLFSSL_ENTER("wolfSSL_THREADID_set_callback");
     WOLFSSL_STUB("CRYPTO_THREADID_set_callback");
     (void)threadid_func;
-    return;
+    return 1;
 }
 #endif
 
@@ -48607,6 +48604,10 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen,
         WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented");
         return WOLFSSL_FAILURE;
     }
+    if (flags == WOLFSSL_NO_PARTIAL_WILDCARDS) {
+        WOLFSSL_MSG("X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS not yet implemented");
+        return WOLFSSL_FAILURE;
+    }
 
     InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL);
     ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL);

wolfssl/openssl/ssl.h

@@ -598,7 +598,9 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
 
 #define X509_V_FLAG_USE_CHECK_TIME WOLFSSL_USE_CHECK_TIME
 #define X509_V_FLAG_NO_CHECK_TIME  WOLFSSL_NO_CHECK_TIME
-#define X509_CHECK_FLAG_NO_WILDCARDS WOLFSSL_NO_WILDCARDS
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT WOLFSSL_ALWAYS_CHECK_SUBJECT
+#define X509_CHECK_FLAG_NO_WILDCARDS         WOLFSSL_NO_WILDCARDS
+#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS WOLFSSL_NO_PARTIAL_WILDCARDS
 
 #define X509_VP_FLAG_DEFAULT        WOLFSSL_VPARAM_DEFAULT
 #define X509_VP_FLAG_OVERWRITE      WOLFSSL_VPARAM_OVERWRITE
@@ -1094,7 +1096,10 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #include <wolfssl/openssl/pem.h>
 
 #define SSL_CTRL_CHAIN       88
+#define ERR_LIB_RSA          4
+#define ERR_LIB_EC           16
 #define ERR_LIB_SSL          20
+#define ERR_LIB_PKCS12       35
 #define SSL_R_SHORT_READ     10
 #define ERR_R_PEM_LIB        9
 #define SSL_CTRL_MODE        33
@@ -1224,6 +1229,12 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define DTLS1_VERSION                    0xFEFF
 #define DTLS1_2_VERSION                  0xFEFD
 
+/* Used as message callback types */
+#define SSL3_RT_CHANGE_CIPHER_SPEC       20
+#define SSL3_RT_ALERT                    21
+#define SSL3_RT_HANDSHAKE                22
+#define SSL3_RT_APPLICATION_DATA         23
+
 #define OPENSSL_INIT_LOAD_SSL_STRINGS    0x00200000L
 #define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0x00000002L
 
@@ -1302,6 +1313,30 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define sk_ACCESS_DESCRIPTION_free      wolfSSL_sk_ACCESS_DESCRIPTION_free
 #define ACCESS_DESCRIPTION_free         wolfSSL_ACCESS_DESCRIPTION_free
 
+/* Alert types, matched to AlertDescription enum in wolfssl/ssl.h */
+#define SSL_AD_CLOSE_NOTIFY             close_notify
+#define SSL_AD_UNEXPECTED_MESSAGE       unexpected_message
+#define SSL_AD_BAD_RECORD_MAC           bad_record_mac
+#define SSL_AD_RECORD_OVERFLOW          record_overflow
+#define SSL_AD_DECOMPRESSION_FAILURE    decompression_failure
+#define SSL_AD_HANDSHAKE_FAILURE        handshake_failure
+#define SSL_AD_UNSUPPORTED_CERTIFICATE  unsupported_certificate
+#define SSL_AD_CERTIFICATE_REVOKED      certificate_revoked
+#define SSL_AD_CERTIFICATE_EXPIRED      certificate_expired
+#define SSL_AD_CERTIFICATE_UNKNOWN      certificate_unknown
+#define SSL_AD_ILLEGAL_PARAMETER        illegal_parameter
+#define SSL_AD_UNKNOWN_CA               unknown_ca
+#define SSL_AD_ACCESS_DENIED            access_denied
+#define SSL_AD_DECODE_ERROR             decode_error
+#define SSL_AD_DECRYPT_ERROR            decrypt_error
+#ifdef WOLFSSL_MYSQL_COMPATIBLE
+    #define SSL_AD_PROTOCOL_VERSION     wc_protocol_version
+#else
+    #define SSL_AD_PROTOCOL_VERSION     protocol_version
+#endif
+#define SSL_AD_INSUFFICIENT_SECURITY    insufficient_security
+#define SSL_AD_USER_CANCELLED           user_canceled
+
 #define SSL3_AL_FATAL                   2
 #define SSL_TLSEXT_ERR_OK               0
 #define SSL_TLSEXT_ERR_ALERT_WARNING    warning_return

wolfssl/ssl.h

@@ -609,7 +609,9 @@ struct WOLFSSL_X509_STORE {
     int             refCount;         /* reference count */
 };
 
-#define WOLFSSL_NO_WILDCARDS   0x4
+#define WOLFSSL_ALWAYS_CHECK_SUBJECT 0x1
+#define WOLFSSL_NO_WILDCARDS         0x2
+#define WOLFSSL_NO_PARTIAL_WILDCARDS 0x4
 
 #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
     defined(WOLFSSL_WPAS_SMALL) || defined(WOLFSSL_IP_ALT_NAME)
@@ -741,6 +743,7 @@ enum AlertDescription {
     certificate_unknown             =  46,
     illegal_parameter               =  47,
     unknown_ca                      =  48,
+    access_denied                   =  49,
     decode_error                    =  50,
     decrypt_error                   =  51,
     #ifdef WOLFSSL_MYSQL_COMPATIBLE
@@ -749,8 +752,10 @@ enum AlertDescription {
     #else
     protocol_version                =  70,
     #endif
+    insufficient_security           =  71,
     internal_error                  =  80,
     inappropriate_fallback          =  86,
+    user_canceled                   =  90,
     no_renegotiation                = 100,
     missing_extension               = 109,
     unsupported_extension           = 110, /**< RFC 5246, section 7.2.2 */
@@ -3826,7 +3831,8 @@ WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_OBJ_txt2obj(const char* s, int no_name)
 
 WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_OBJ_nid2obj(int n);
 WOLFSSL_LOCAL WOLFSSL_ASN1_OBJECT* wolfSSL_OBJ_nid2obj_ex(int n, WOLFSSL_ASN1_OBJECT *arg_obj);
-WOLFSSL_API int wolfSSL_OBJ_obj2txt(char *buf, int buf_len, WOLFSSL_ASN1_OBJECT *a, int no_name);
+WOLFSSL_API int wolfSSL_OBJ_obj2txt(char *buf, int buf_len,
+            const WOLFSSL_ASN1_OBJECT *a, int no_name);
 
 WOLFSSL_API void wolfSSL_OBJ_cleanup(void);
 WOLFSSL_API int wolfSSL_OBJ_create(const char *oid, const char *sn, const char *ln);
@@ -4358,7 +4364,8 @@ WOLFSSL_API void wolfSSL_ERR_remove_thread_state(void*);
 WOLFSSL_API void wolfSSL_print_all_errors_fp(XFILE fp);
 #endif
 
-WOLFSSL_API void wolfSSL_THREADID_set_callback(void (*threadid_func)(void*));
+WOLFSSL_API int wolfSSL_THREADID_set_callback(
+                    void (*threadid_func)(WOLFSSL_CRYPTO_THREADID*));
 
 WOLFSSL_API void wolfSSL_THREADID_set_numeric(void* id, unsigned long val);
 WOLFSSL_API void wolfSSL_THREADID_current(WOLFSSL_CRYPTO_THREADID* id);

wolfssl/wolfcrypt/settings.h

@@ -2242,7 +2242,6 @@ extern void uITRON4_free(void *p) ;
  || defined(HAVE_LIGHTY)
     #define SSL_OP_NO_COMPRESSION    SSL_OP_NO_COMPRESSION
     #define OPENSSL_NO_ENGINE
-    #define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
     #ifndef OPENSSL_EXTRA
         #define OPENSSL_EXTRA
     #endif