feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #3889 from douzzer/network-introspection

Browse Source 
--enable-wolfsentry
This commit is contained in:
toddouska
2021-04-23 15:38:01 -07:00
committed by GitHub
parent 878e0006ad 9c7ee3fa64
commit c3fefc6e27
15 changed files with 769 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

92
configure.ac
View File

@ -2501,6 +2501,77 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STACK_LOG -finstrument-functions"
fi
ENABLED_WOLFSENTRY=no
AC_ARG_WITH([wolfsentry],
[AS_HELP_STRING([--with-wolfsentry=PATH],[PATH to directory with wolfSentry installation])],
[WOLFSENTRY_INSTALLDIR=$withval],
[WOLFSENTRY_INSTALLDIR=""])
AC_ARG_WITH([wolfsentry-lib],
[AS_HELP_STRING([--with-wolfsentry-lib=PATH],[PATH to directory with wolfSentry library])],
[WOLFSENTRY_LIB=$withval],
[WOLFSENTRY_LIB=""])
AC_ARG_WITH([wolfsentry-include],
[AS_HELP_STRING([--with-wolfsentry-include=PATH],[PATH to directory with wolfSentry header files])],
[WOLFSENTRY_INCLUDE=$withval],
[WOLFSENTRY_INCLUDE=""])
if test -n "$WOLFSENTRY_INSTALLDIR" || test -n "$WOLFSENTRY_LIB" || test -n "$WOLFSENTRY_INCLUDE"
then
ENABLED_WOLFSENTRY=yes
fi
AC_ARG_ENABLE([wolfsentry],
[AS_HELP_STRING([--enable-wolfsentry],[Enable wolfSentry hooks and plugins (default: disabled)])],
[ ENABLED_WOLFSENTRY=$enableval ],
[ ]
)
if test "$WOLFSENTRY_LIB" = "" && test -n "$WOLFSENTRY_INSTALLDIR"
then
WOLFSENTRY_LIB="${WOLFSENTRY_INSTALLDIR}/lib"
fi
if test "$WOLFSENTRY_INCLUDE" = "" && test -n "$WOLFSENTRY_INSTALLDIR"
then
WOLFSENTRY_INCLUDE="${WOLFSENTRY_INSTALLDIR}/include"
fi
if test -n "$WOLFSENTRY_LIB"
then
AC_MSG_CHECKING([for $WOLFSENTRY_LIB])
if ! test -d "$WOLFSENTRY_LIB"
then
AC_MSG_ERROR([wolfSentry lib dir $WOLFSENTRY_LIB not found.])
fi
AC_MSG_RESULT([yes])
WOLFSENTRY_LIB="-L$WOLFSENTRY_LIB"
fi
if test -n "$WOLFSENTRY_INCLUDE"
then
AC_MSG_CHECKING([for $WOLFSENTRY_INCLUDE])
if ! test -d "$WOLFSENTRY_INCLUDE"
then
AC_MSG_ERROR([wolfSentry include dir $WOLFSENTRY_INCLUDE not found.])
fi
AC_MSG_RESULT([yes])
WOLFSENTRY_INCLUDE="-I$WOLFSENTRY_INCLUDE"
fi
if test "$ENABLED_WOLFSENTRY" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS -DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS"
WOLFSENTRY_LIB="$WOLFSENTRY_LIB -lwolfsentry"
fi
AC_SUBST([WOLFSENTRY_LIB])
AC_SUBST([WOLFSENTRY_INCLUDE])
if test "$ENABLED_QT" = "yes"
then
# Requires opensslextra and opensslall
@ -6567,8 +6638,8 @@ echo " * DSA: $ENABLED_DSA"
echo " * DH: $ENABLED_DH"
echo " * DH Default Parameters: $ENABLED_DHDEFAULTPARAMS"
echo " * ECC: $ENABLED_ECC"
echo " * ECC Custom Curves $ENABLED_ECCCUSTCURVES"
echo " * ECC Minimum Bits $ENABLED_ECCMINSZ"
echo " * ECC Custom Curves: $ENABLED_ECCCUSTCURVES"
echo " * ECC Minimum Bits: $ENABLED_ECCMINSZ"
echo " * CURVE25519: $ENABLED_CURVE25519"
echo " * ED25519: $ENABLED_ED25519"
echo " * CURVE448: $ENABLED_CURVE448"
@ -6582,6 +6653,7 @@ echo " * Anonymous cipher: $ENABLED_ANON"
echo " * CODING: $ENABLED_CODING"
echo " * MEMORY: $ENABLED_MEMORY"
echo " * I/O POOL: $ENABLED_IOPOOL"
echo " * wolfSentry: $ENABLED_WOLFSENTRY"
echo " * LIGHTY: $ENABLED_LIGHTY"
echo " * HAPROXY: $ENABLED_HAPROXY"
echo " * STUNNEL: $ENABLED_STUNNEL"
@ -6589,8 +6661,8 @@ echo " * Apache httpd: $ENABLED_APACHE_HTTPD"
echo " * NGINX: $ENABLED_NGINX"
echo " * ASIO: $ENABLED_ASIO"
echo " * LIBWEBSOCKETS: $ENABLED_LIBWEBSOCKETS"
echo " * Qt $ENABLED_QT"
echo " * Qt Unit Testing $ENABLED_QT_TEST"
echo " * Qt: $ENABLED_QT"
echo " * Qt Unit Testing: $ENABLED_QT_TEST"
echo " * SIGNAL: $ENABLED_SIGNAL"
echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
echo " * DTLS: $ENABLED_DTLS"
@ -6631,12 +6703,12 @@ echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION"
echo " * Fallback SCSV: $ENABLED_FALLBACK_SCSV"
echo " * Keying Material Exporter: $ENABLED_KEYING_MATERIAL"
echo " * All TLS Extensions: $ENABLED_TLSX"
echo " * PKCS#7 $ENABLED_PKCS7"
echo " * S/MIME $ENABLED_SMIME"
echo " * wolfSSH $ENABLED_WOLFSSH"
echo " * wolfTPM $ENABLED_WOLFTPM"
echo " * wolfSCEP $ENABLED_WOLFSCEP"
echo " * Secure Remote Password $ENABLED_SRP"
echo " * PKCS#7: $ENABLED_PKCS7"
echo " * S/MIME: $ENABLED_SMIME"
echo " * wolfSSH: $ENABLED_WOLFSSH"
echo " * wolfTPM: $ENABLED_WOLFTPM"
echo " * wolfSCEP: $ENABLED_WOLFSCEP"
echo " * Secure Remote Password: $ENABLED_SRP"
echo " * Small Stack: $ENABLED_SMALL_STACK"
echo " * Linux Kernel Module: $ENABLED_LINUXKM"
echo " * valgrind unit tests: $ENABLED_VALGRIND"

3
examples/server/include.am
View File

@ -7,8 +7,9 @@ if BUILD_EXAMPLE_SERVERS
noinst_PROGRAMS += examples/server/server
noinst_HEADERS += examples/server/server.h
examples_server_server_SOURCES = examples/server/server.c
examples_server_server_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD)
examples_server_server_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB)
examples_server_server_DEPENDENCIES = src/libwolfssl.la
examples_server_server_CFLAGS = $(WOLFSENTRY_INCLUDE)
endif
EXTRA_DIST += examples/server/server.sln
EXTRA_DIST += examples/server/server-ntru.vcproj

277
examples/server/server.c
View File

@ -35,6 +35,10 @@
#include <wolfssl/wolfcrypt/ecc.h> /* wc_ecc_fp_free */
#endif
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
# include <wolfsentry/wolfsentry.h>
#endif
#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
#include <stdio.h>
#include <string.h>
@ -276,6 +280,136 @@ static int TestEmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx)
#endif /* WOLFSSL_DTLS */
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
struct wolfsentry_data {
struct wolfsentry_sockaddr remote;
byte remote_addrbuf[16];
struct wolfsentry_sockaddr local;
byte local_addrbuf[16];
wolfsentry_route_flags_t flags;
void *heap;
int alloctype;
};
static void free_wolfsentry_data(struct wolfsentry_data *data) {
XFREE(data, data->heap, data->alloctype);
}
static int wolfsentry_data_index = -1;
static int wolfsentry_store_endpoints(
WOLFSSL *ssl,
SOCKADDR_IN_T *remote,
SOCKADDR_IN_T *local,
int proto,
wolfsentry_route_flags_t flags)
{
struct wolfsentry_data *data = (struct wolfsentry_data *)XMALLOC(
sizeof *data, NULL, DYNAMIC_TYPE_SOCKADDR);
if (data == NULL)
return WOLFSSL_FAILURE;
data->heap = NULL;
data->alloctype = DYNAMIC_TYPE_SOCKADDR;
#ifdef TEST_IPV6
if ((sizeof data->remote_addrbuf < sizeof remote->sin6_addr) ||
(sizeof data->local_addrbuf < sizeof local->sin6_addr))
return WOLFSSL_FAILURE;
data->remote.sa_family = data->local.sa_family = remote->sin6_family;
data->remote.sa_port = ntohs(remote->sin6_port);
data->local.sa_port = ntohs(local->sin6_port);
data->remote.addr_len = sizeof remote->sin6_addr * BITS_PER_BYTE;
XMEMCPY(data->remote.addr, &remote->sin6_addr, sizeof remote->sin6_addr);
data->local.addr_len = sizeof local->sin6_addr * BITS_PER_BYTE;
XMEMCPY(data->local.addr, &local->sin6_addr, sizeof local->sin6_addr);
#else
if ((sizeof data->remote_addrbuf < sizeof remote->sin_addr) ||
(sizeof data->local_addrbuf < sizeof local->sin_addr))
return WOLFSSL_FAILURE;
data->remote.sa_family = data->local.sa_family = remote->sin_family;
data->remote.sa_port = ntohs(remote->sin_port);
data->local.sa_port = ntohs(local->sin_port);
data->remote.addr_len = sizeof remote->sin_addr * BITS_PER_BYTE;
XMEMCPY(data->remote.addr, &remote->sin_addr, sizeof remote->sin_addr);
data->local.addr_len = sizeof local->sin_addr * BITS_PER_BYTE;
XMEMCPY(data->local.addr, &local->sin_addr, sizeof local->sin_addr);
#endif
data->remote.sa_proto = data->local.sa_proto = proto;
data->remote.interface = data->local.interface = 0;
data->flags = flags;
if (wolfSSL_set_ex_data_with_cleanup(
ssl, wolfsentry_data_index, data,
(wolfSSL_ex_data_cleanup_routine_t)free_wolfsentry_data) !=
WOLFSSL_SUCCESS) {
free_wolfsentry_data(data);
return WOLFSSL_FAILURE;
}
return WOLFSSL_SUCCESS;
}
static int wolfSentry_NetworkFilterCallback(
WOLFSSL *ssl,
struct wolfsentry_context *wolfsentry,
wolfSSL_netfilter_decision_t *decision)
{
struct wolfsentry_data *data;
char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN];
wolfsentry_errcode_t ret;
wolfsentry_action_res_t action_results;
if ((data = wolfSSL_get_ex_data(ssl, wolfsentry_data_index)) == NULL)
return WOLFSSL_FAILURE;
ret = wolfsentry_route_event_dispatch(
wolfsentry,
&data->remote,
&data->local,
data->flags,
NULL /* event_label */,
0 /* event_label_len */,
NULL /* caller_context */,
NULL /* id */,
NULL /* inexact_matches */,
&action_results);
if (ret >= 0) {
if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT))
*decision = WOLFSSL_NETFILTER_REJECT;
else if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_ACCEPT))
*decision = WOLFSSL_NETFILTER_ACCEPT;
else
*decision = WOLFSSL_NETFILTER_PASS;
} else {
printf("wolfsentry_route_event_dispatch error "
WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret));
*decision = WOLFSSL_NETFILTER_PASS;
}
printf("wolfSentry got network filter callback: family=%d proto=%d rport=%d"
"lport=%d raddr=%s laddr=%s interface=%d; decision=%d (%s)\n",
data->remote.sa_family,
data->remote.sa_proto,
data->remote.sa_port,
data->local.sa_port,
inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf,
sizeof inet_ntop_buf),
inet_ntop(data->local.sa_family, data->local.addr, inet_ntop_buf2,
sizeof inet_ntop_buf2),
data->remote.interface,
*decision,
*decision == WOLFSSL_NETFILTER_REJECT ? "REJECT" :
*decision == WOLFSSL_NETFILTER_ACCEPT ? "ACCEPT" :
*decision == WOLFSSL_NETFILTER_PASS ? "PASS" :
"???");
return WOLFSSL_SUCCESS;
}
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
static int NonBlockingSSL_Accept(SSL* ssl)
{
@ -1001,10 +1135,16 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
{
SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID;
SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID;
SOCKADDR_IN_T client_addr;
socklen_t client_len;
wolfSSL_method_func method = NULL;
SSL_CTX* ctx = 0;
SSL* ssl = 0;
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
struct wolfsentry_context *wolfsentry = NULL;
wolfsentry_errcode_t wolfsentry_ret;
#endif
int useWebServerMsg = 0;
char input[SRV_READ_SZ];
@ -1840,6 +1980,89 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
if (ctx == NULL)
err_sys_ex(catastrophic, "unable to get ctx");
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
wolfsentry_ret = wolfsentry_init(NULL /* hpi */, NULL /* default config */,
&wolfsentry);
if (wolfsentry_ret < 0) {
fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n",
WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
err_sys_ex(catastrophic, "unable to initialize wolfSentry");
}
if (wolfsentry_data_index < 0)
wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL,
NULL);
{
struct wolfsentry_route_table *table;
if ((wolfsentry_ret = wolfsentry_route_get_table_static(wolfsentry,
&table)) < 0)
fprintf(stderr, "wolfsentry_route_get_table_static() returned "
WOLFSENTRY_ERROR_FMT "\n",
WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
if (wolfsentry_ret >= 0) {
if ((wolfsentry_ret = wolfsentry_route_table_default_policy_set(
wolfsentry, table,
WOLFSENTRY_ACTION_RES_REJECT|WOLFSENTRY_ACTION_RES_STOP))
< 0)
fprintf(stderr,
"wolfsentry_route_table_default_policy_set() returned "
WOLFSENTRY_ERROR_FMT "\n",
WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
}
if (wolfsentry_ret >= 0) {
struct {
struct wolfsentry_sockaddr sa;
byte buf[16];
} remote, local;
wolfsentry_ent_id_t id;
wolfsentry_action_res_t action_results;
memset(&remote, 0, sizeof remote);
memset(&local, 0, sizeof local);
#ifdef TEST_IPV6
remote.sa.sa_family = local.sa.sa_family = AF_INET6;
remote.sa.addr_len = 128;
memcpy(remote.sa.addr, "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\001", 16);
#else
remote.sa.sa_family = local.sa.sa_family = AF_INET;
remote.sa.addr_len = 32;
memcpy(remote.sa.addr, "\177\000\000\001", 4);
#endif
if ((wolfsentry_ret = wolfsentry_route_insert_static
(wolfsentry, NULL /* caller_context */, &remote.sa, &local.sa,
WOLFSENTRY_ROUTE_FLAG_GREENLISTED |
WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN |
WOLFSENTRY_ROUTE_FLAG_TRIGGER_WILDCARD |
WOLFSENTRY_ROUTE_FLAG_REMOTE_INTERFACE_WILDCARD|
WOLFSENTRY_ROUTE_FLAG_LOCAL_INTERFACE_WILDCARD |
WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_ADDR_WILDCARD |
WOLFSENTRY_ROUTE_FLAG_SA_PROTO_WILDCARD |
WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_PORT_WILDCARD |
WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_PORT_WILDCARD,
0 /* event_label_len */, 0 /* event_label */, &id,
&action_results)) < 0)
fprintf(stderr, "wolfsentry_route_insert_static() returned "
WOLFSENTRY_ERROR_FMT "\n",
WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
}
if (wolfsentry_ret < 0)
err_sys_ex(catastrophic, "unable to configure route table");
}
if (wolfSSL_CTX_set_AcceptFilter(
ctx,
(NetworkFilterCallback_t)wolfSentry_NetworkFilterCallback,
wolfsentry) < 0)
err_sys_ex(catastrophic,
"unable to install wolfSentry_NetworkFilterCallback");
#endif
if (simulateWantWrite)
{
wolfSSL_CTX_SetIOSend(ctx, SimulateWantWriteIOSendCb);
@ -2157,9 +2380,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
/* allow resume option */
if (resumeCount > 1) {
if (dtlsUDP == 0) {
SOCKADDR_IN_T client;
socklen_t client_len = sizeof(client);
clientfd = accept(sockfd, (struct sockaddr*)&client,
client_len = sizeof client_addr;
clientfd = accept(sockfd, (struct sockaddr*)&client_addr,
(ACCEPT_THIRD_T)&client_len);
}
else {
@ -2468,8 +2690,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
if (readySignal) {
readySignal->srfName = serverReadyFile;
}
client_len = sizeof client_addr;
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr,
dtlsUDP, dtlsSCTP, serverReadyFile ? 1 : 0, doListen);
dtlsUDP, dtlsSCTP, serverReadyFile ? 1 : 0, doListen,
&client_addr, &client_len);
doListen = 0; /* Don't listen next time */
if (port == 0) {
@ -2498,32 +2724,54 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#ifdef WOLFSSL_DTLS
if (doDTLS && dtlsUDP) {
SOCKADDR_IN_T cliaddr;
byte b[1500];
int n;
socklen_t len = sizeof(cliaddr);
client_len = sizeof client_addr;
/* For DTLS, peek at the next datagram so we can get the client's
* address and set it into the ssl object later to generate the
* cookie. */
n = (int)recvfrom(clientfd, (char*)b, sizeof(b), MSG_PEEK,
(struct sockaddr*)&cliaddr, &len);
(struct sockaddr*)&client_addr, &client_len);
if (n <= 0)
err_sys_ex(runWithErrors, "recvfrom failed");
if (doBlockSeq) {
XMEMCPY(&dtlsCtx.peer.sa, &cliaddr, len);
dtlsCtx.peer.sz = len;
XMEMCPY(&dtlsCtx.peer.sa, &client_addr, client_len);
dtlsCtx.peer.sz = client_len;
dtlsCtx.wfd = clientfd;
dtlsCtx.failOnce = 1;
wolfSSL_SetIOWriteCtx(ssl, &dtlsCtx);
}
else {
wolfSSL_dtls_set_peer(ssl, &cliaddr, len);
wolfSSL_dtls_set_peer(ssl, &client_addr, client_len);
}
}
#endif
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
{
SOCKADDR_IN_T local_addr;
socklen_t local_len = sizeof(local_addr);
getsockname(clientfd, (struct sockaddr *)&local_addr,
(socklen_t *)&local_len);
if (((struct sockaddr *)&client_addr)->sa_family !=
((struct sockaddr *)&local_addr)->sa_family)
err_sys_ex(catastrophic,
"client_addr.sa_family != local_addr.sa_family");
if (wolfsentry_store_endpoints(
ssl, &client_addr, &local_addr,
dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP,
WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) != WOLFSSL_SUCCESS)
err_sys_ex(catastrophic,
"error in wolfsentry_store_endpoints()");
}
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL
|| needDH == 1) {
#if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN)
@ -2905,6 +3153,15 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
exit:
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
wolfsentry_ret = wolfsentry_shutdown(&wolfsentry);
if (wolfsentry_ret < 0) {
fprintf(stderr,
"wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT "\n",
WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
}
#endif
#if defined(HAVE_ECC) && defined(FP_ECC) && defined(HAVE_THREAD_LS) \
&& (defined(NO_MAIN_DRIVER) || defined(HAVE_STACK_SIZE))
wc_ecc_fp_free(); /* free per thread cache */

29
src/internal.c
View File

@ -1883,6 +1883,17 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
return ret;
}
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data)
{
int n_ex_data = (int)(sizeof ex_data->ex_data / sizeof ex_data->ex_data[0]);
for (--n_ex_data; n_ex_data >= 0; --n_ex_data) {
if (ex_data->ex_data[n_ex_data] != NULL)
(void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(ex_data, n_ex_data,
NULL, NULL);
}
}
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
/* In case contexts are held in array and don't want to free actual ctx */
void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
@ -1892,6 +1903,10 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
int i;
#endif
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data);
#endif
#ifdef HAVE_WOLF_EVENT
wolfEventQueue_Free(&ctx->event_queue);
#endif /* HAVE_WOLF_EVENT */
@ -5581,6 +5596,11 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
#endif
#endif
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
ssl->AcceptFilter = ctx->AcceptFilter;
ssl->AcceptFilter_arg = ctx->AcceptFilter_arg;
#endif
ssl->CBIORecv = ctx->CBIORecv;
ssl->CBIOSend = ctx->CBIOSend;
#ifdef OPENSSL_EXTRA
@ -6418,6 +6438,10 @@ void SSL_ResourceFree(WOLFSSL* ssl)
* example with the RNG, it isn't used beyond the handshake except when
* using stream ciphers where it is retained. */
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
wolfSSL_CRYPTO_cleanup_ex_data(&ssl->ex_data);
#endif
FreeCiphers(ssl);
FreeArrays(ssl, 0);
FreeKeyExchange(ssl);
@ -19438,7 +19462,10 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case TOO_MUCH_EARLY_DATA:
return "Too much early data";
case SOCKET_FILTERED_E:
return "Session stopped by network filter";
default :
return "unknown error number";
}

262
src/ssl.c
View File

@ -1013,6 +1013,34 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
}
#endif /* NO_CERTS */
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
int wolfSSL_CTX_set_AcceptFilter(
WOLFSSL_CTX *ctx,
NetworkFilterCallback_t AcceptFilter,
void *AcceptFilter_arg)
{
if (ctx == NULL)
return BAD_FUNC_ARG;
ctx->AcceptFilter = AcceptFilter;
ctx->AcceptFilter_arg = AcceptFilter_arg;
return WOLFSSL_SUCCESS;
}
int wolfSSL_set_AcceptFilter(
WOLFSSL *ssl,
NetworkFilterCallback_t AcceptFilter,
void *AcceptFilter_arg)
{
if (ssl == NULL)
return BAD_FUNC_ARG;
ssl->AcceptFilter = AcceptFilter;
ssl->AcceptFilter_arg = AcceptFilter_arg;
return WOLFSSL_SUCCESS;
}
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
#ifndef WOLFSSL_LEANPSK
int wolfSSL_dtls_set_peer(WOLFSSL* ssl, void* peer, unsigned int peerSz)
{
@ -12898,6 +12926,18 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
}
#endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
if (ssl->AcceptFilter) {
wolfSSL_netfilter_decision_t res;
if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
WOLFSSL_SUCCESS) &&
(res == WOLFSSL_NETFILTER_REJECT)) {
WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E);
return WOLFSSL_FATAL_ERROR;
}
}
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
#if defined(WOLFSSL_NO_TLS12) && defined(NO_OLD_TLS) && defined(WOLFSSL_TLS13)
return wolfSSL_accept_TLSv13(ssl);
#else
@ -16276,7 +16316,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
/* unchain?, doesn't matter in goahead since from free all */
WOLFSSL_ENTER("wolfSSL_BIO_free");
if (bio) {
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
wolfSSL_CRYPTO_cleanup_ex_data(&bio->ex_data);
#endif
if (bio->infoCb) {
/* info callback is called before free */
ret = (int)bio->infoCb(bio, WOLFSSL_BIO_CB_FREE, NULL, 0, 0, 1);
@ -18721,6 +18763,9 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
WOLFSSL_ENTER("ExternalFreeX509");
if (x509) {
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
wolfSSL_CRYPTO_cleanup_ex_data(&x509->ex_data);
#endif
if (x509->dynamicMemory) {
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
if (wc_LockMutex(&x509->refMutex) != 0) {
@ -21921,6 +21966,10 @@ void FreeSession(WOLFSSL_SESSION* session, int isAlloced)
if (session == NULL)
return;
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
wolfSSL_CRYPTO_cleanup_ex_data(&session->ex_data);
#endif
#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
if (session->peer) {
wolfSSL_X509_free(session->peer);
@ -24698,6 +24747,31 @@ int wolfSSL_BIO_set_ex_data(WOLFSSL_BIO *bio, int idx, void *data)
return WOLFSSL_FAILURE;
}
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
/* Set ex_data for WOLFSSL_BIO
*
* bio : BIO structure to set ex_data in
* idx : Index of ex_data to set
* data : Data to set in ex_data
* cleanup_routine : Function pointer to clean up data
*
* Returns WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE on failure
*/
int wolfSSL_BIO_set_ex_data_with_cleanup(
WOLFSSL_BIO *bio,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine)
{
WOLFSSL_ENTER("wolfSSL_BIO_set_ex_data_with_cleanup");
if (bio != NULL && idx < MAX_EX_DATA) {
return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&bio->ex_data, idx, data,
cleanup_routine);
}
return WOLFSSL_FAILURE;
}
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
/* Get ex_data in WOLFSSL_BIO at given index
*
* bio : BIO structure to get ex_data from
@ -26017,7 +26091,14 @@ err_exit:
void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store)
{
if (store != NULL && store->isDynamic) {
if (store == NULL)
return;
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
wolfSSL_CRYPTO_cleanup_ex_data(&store->ex_data);
#endif
if (store->isDynamic) {
if (store->cm != NULL) {
wolfSSL_CertManagerFree(store->cm);
store->cm = NULL;
@ -26042,6 +26123,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store)
XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE);
}
}
/**
* Get ex_data in WOLFSSL_STORE at given index
* @param store a pointer to WOLFSSL_X509_STORE structure
@ -26061,6 +26143,7 @@ void* wolfSSL_X509_STORE_get_ex_data(WOLFSSL_X509_STORE* store, int idx)
#endif
return NULL;
}
/**
* Set ex_data for WOLFSSL_STORE
* @param store a pointer to WOLFSSL_X509_STORE structure
@ -26083,6 +26166,31 @@ int wolfSSL_X509_STORE_set_ex_data(WOLFSSL_X509_STORE* store, int idx,
#endif
return WOLFSSL_FAILURE;
}
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
/**
* Set ex_data for WOLFSSL_STORE
* @param store a pointer to WOLFSSL_X509_STORE structure
* @param idx Index of ex data to set
* @param data Data to set in ex data
* @return WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE on failure
*/
int wolfSSL_X509_STORE_set_ex_data_with_cleanup(
WOLFSSL_X509_STORE* store,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine)
{
WOLFSSL_ENTER("wolfSSL_X509_STORE_set_ex_data_with_cleanup");
if (store != NULL && idx < MAX_EX_DATA) {
return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&store->ex_data, idx,
data, cleanup_routine);
}
return WOLFSSL_FAILURE;
}
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
#ifdef OPENSSL_EXTRA
@ -26204,6 +26312,9 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx)
{
WOLFSSL_ENTER("X509_STORE_CTX_free");
if (ctx != NULL) {
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data);
#endif
#ifdef OPENSSL_EXTRA
if (ctx->param != NULL){
XFREE(ctx->param,NULL,DYNAMIC_TYPE_OPENSSL);
@ -27562,6 +27673,25 @@ int wolfSSL_X509_STORE_CTX_set_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx,
return WOLFSSL_FAILURE;
}
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
/* set X509_STORE_CTX ex_data, max idx is MAX_EX_DATA. Return WOLFSSL_SUCCESS
* on success, WOLFSSL_FAILURE on error. */
int wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup(
WOLFSSL_X509_STORE_CTX* ctx,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine)
{
WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup");
if (ctx != NULL)
{
return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, data,
cleanup_routine);
}
return WOLFSSL_FAILURE;
}
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL)
void wolfSSL_X509_STORE_CTX_set_depth(WOLFSSL_X509_STORE_CTX* ctx, int depth)
{
@ -40286,6 +40416,22 @@ int wolfSSL_RSA_set_ex_data(WOLFSSL_RSA *rsa, int idx, void *data)
return WOLFSSL_FAILURE;
}
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
int wolfSSL_RSA_set_ex_data_with_cleanup(
WOLFSSL_RSA *rsa,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine)
{
WOLFSSL_ENTER("wolfSSL_RSA_set_ex_data_with_cleanup");
if (rsa) {
return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&rsa->ex_data, idx, data,
cleanup_routine);
}
return WOLFSSL_FAILURE;
}
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
int wolfSSL_RSA_set0_key(WOLFSSL_RSA *r, WOLFSSL_BIGNUM *n, WOLFSSL_BIGNUM *e,
WOLFSSL_BIGNUM *d)
{
@ -44669,9 +44815,7 @@ int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey)
#endif /* OPENSSL_EXTRA */
#if ((defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && defined(HAVE_EX_DATA)) || \
defined(FORTRESS) || \
defined(WOLFSSL_WPAS_SMALL)
#if defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL)
void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx)
{
WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data");
@ -44739,7 +44883,24 @@ int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data)
return WOLFSSL_FAILURE;
}
#endif /* ((OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) && HAVE_EX_DATA) || FORTRESS || WOLFSSL_WPAS_SMALL */
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
int wolfSSL_CTX_set_ex_data_with_cleanup(
WOLFSSL_CTX* ctx,
int idx,
void* data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine)
{
WOLFSSL_ENTER("wolfSSL_CTX_set_ex_data_with_cleanup");
if (ctx != NULL)
{
return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, data,
cleanup_routine);
}
return WOLFSSL_FAILURE;
}
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
#endif /* defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL) */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
@ -44771,8 +44932,8 @@ int wolfSSL_set_app_data(WOLFSSL *ssl, void* arg) {
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
defined(WOLFSSL_WPAS_SMALL)
#if defined(HAVE_EX_DATA) || defined(OPENSSL_EXTRA) || \
defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL)
int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data)
{
@ -44791,6 +44952,23 @@ int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data)
return WOLFSSL_FAILURE;
}
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
int wolfSSL_set_ex_data_with_cleanup(
WOLFSSL* ssl,
int idx,
void* data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine)
{
WOLFSSL_ENTER("wolfSSL_set_ex_data_with_cleanup");
if (ssl != NULL)
{
return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ssl->ex_data, idx, data,
cleanup_routine);
}
return WOLFSSL_FAILURE;
}
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx)
{
WOLFSSL_ENTER("wolfSSL_get_ex_data");
@ -46417,6 +46595,22 @@ int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data)
return WOLFSSL_FAILURE;
}
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
int wolfSSL_SESSION_set_ex_data_with_cleanup(
WOLFSSL_SESSION* session,
int idx,
void* data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine)
{
WOLFSSL_ENTER("wolfSSL_SESSION_set_ex_data_with_cleanup");
if(session != NULL) {
return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&session->ex_data, idx,
data, cleanup_routine);
}
return WOLFSSL_FAILURE;
}
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION* session, int idx)
{
WOLFSSL_ENTER("wolfSSL_SESSION_get_ex_data");
@ -48641,8 +48835,6 @@ int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c)
}
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
defined(WOLFSSL_WPAS_SMALL)
#if defined(HAVE_EX_DATA) || defined(FORTRESS)
void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx)
{
@ -48663,6 +48855,13 @@ int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *d
WOLFSSL_ENTER("wolfSSL_CRYPTO_set_ex_data");
#ifdef MAX_EX_DATA
if (ex_data && idx < MAX_EX_DATA && idx >= 0) {
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
if (ex_data->ex_data_cleanup_routines[idx]) {
if (ex_data->ex_data[idx])
ex_data->ex_data_cleanup_routines[idx](ex_data->ex_data[idx]);
ex_data->ex_data_cleanup_routines[idx] = NULL;
}
#endif
ex_data->ex_data[idx] = data;
return WOLFSSL_SUCCESS;
}
@ -48673,8 +48872,30 @@ int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *d
#endif
return WOLFSSL_FAILURE;
}
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
int wolfSSL_CRYPTO_set_ex_data_with_cleanup(
WOLFSSL_CRYPTO_EX_DATA* ex_data,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine)
{
WOLFSSL_ENTER("wolfSSL_CRYPTO_set_ex_data_with_cleanup");
if (ex_data && idx < MAX_EX_DATA && idx >= 0) {
if (ex_data->ex_data_cleanup_routines[idx] && ex_data->ex_data[idx])
ex_data->ex_data_cleanup_routines[idx](ex_data->ex_data[idx]);
ex_data->ex_data[idx] = data;
ex_data->ex_data_cleanup_routines[idx] = cleanup_routine;
return WOLFSSL_SUCCESS;
}
return WOLFSSL_FAILURE;
}
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
#endif /* HAVE_EX_DATA || FORTRESS */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
defined(WOLFSSL_WPAS_SMALL)
void *wolfSSL_X509_get_ex_data(X509 *x509, int idx)
{
WOLFSSL_ENTER("wolfSSL_X509_get_ex_data");
@ -48704,6 +48925,24 @@ int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data)
#endif
return WOLFSSL_FAILURE;
}
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
int wolfSSL_X509_set_ex_data_with_cleanup(
X509 *x509,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine)
{
WOLFSSL_ENTER("wolfSSL_X509_set_ex_data_with_cleanup");
if (x509 != NULL)
{
return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&x509->ex_data, idx,
data, cleanup_routine);
}
return WOLFSSL_FAILURE;
}
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */
@ -53211,6 +53450,9 @@ void wolfSSL_RSA_free(WOLFSSL_RSA* rsa)
WOLFSSL_ENTER("wolfSSL_RSA_free");
if (rsa) {
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
wolfSSL_CRYPTO_cleanup_ex_data(&rsa->ex_data);
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
int doFree = 0;
if (wc_LockMutex(&rsa->refMutex) != 0) {

12
src/tls13.c
View File

@ -8356,6 +8356,18 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
return WOLFSSL_FATAL_ERROR;
}
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
if (ssl->AcceptFilter) {
wolfSSL_netfilter_decision_t res;
if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
WOLFSSL_SUCCESS) &&
(res == WOLFSSL_NETFILTER_REJECT)) {
WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E);
return WOLFSSL_FATAL_ERROR;
}
}
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
#ifndef NO_CERTS
/* allow no private key if using PK callbacks and CB is set */
if (!havePSK) {

18
tests/api.c
View File

@ -2777,7 +2777,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
#endif
/* do it here to detect failure */
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1);
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0);
CloseSocket(sockfd);
wolfSSL_CTX_set_verify(ctx,
@ -3072,7 +3072,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_loop(void* args)
cbf->ssl_ready(ssl);
}
/* do it here to detect failure */
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1);
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0);
CloseSocket(sockfd);
if (wolfSSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS) {
/*err_sys("SSL_set_fd failed");*/
@ -3641,14 +3641,14 @@ static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args)
socklen_t cliLen;
cliLen = sizeof(cliAddr);
tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 1, 0, 0, 0);
tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 1, 0, 0, 0, 0, 0);
idx = (int)recvfrom(sfd, input, sizeof(input), MSG_PEEK,
(struct sockaddr*)&cliAddr, &cliLen);
AssertIntGT(idx, 0);
wolfSSL_dtls_set_peer(ssl, &cliAddr, cliLen);
}
else {
tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1);
tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0);
CloseSocket(sfd);
}
@ -42358,7 +42358,7 @@ static void test_wolfSSL_CTX_get_min_proto_version(void)
#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) */
}
static void test_wolfSSL_security_level()
static void test_wolfSSL_security_level(void)
{
#if defined(OPENSSL_EXTRA)
printf(testingFmt, "test_wolfSSL_security_level()");
@ -42385,7 +42385,7 @@ static void test_wolfSSL_security_level()
#endif
}
static void test_wolfSSL_SSL_in_init()
static void test_wolfSSL_SSL_in_init(void)
{
#if defined(OPENSSL_ALL) && !defined(NO_BIO)
printf(testingFmt, "test_wolfSSL_SSL_in_init()");
@ -42432,7 +42432,7 @@ static void test_wolfSSL_SSL_in_init()
#endif
}
static void test_wolfSSL_EC_curve()
static void test_wolfSSL_EC_curve(void)
{
#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
printf(testingFmt, "test_wolfSSL_EC_curve()");
@ -42448,7 +42448,7 @@ static void test_wolfSSL_EC_curve()
#endif
}
static void test_wolfSSL_OpenSSL_version()
static void test_wolfSSL_OpenSSL_version(void)
{
#if defined(OPENSSL_EXTRA)
printf(testingFmt, "test_wolfSSL_OpenSSL_version()");
@ -42522,7 +42522,7 @@ static void test_wolfSSL_CRYPTO_get_ex_new_index(void)
#endif
}
static void test_wolfSSL_set_psk_use_session_callback()
static void test_wolfSSL_set_psk_use_session_callback(void)
{
#if defined(OPENSSL_EXTRA) && !defined(NO_PSK)
printf(testingFmt, "test_wolfSSL_set_psk_use_session_callback()");

4
tests/include.am
View File

@ -13,8 +13,8 @@ tests_unit_test_SOURCES = \
tests/srp.c \
examples/client/client.c \
examples/server/server.c
tests_unit_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS)
tests_unit_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD)
tests_unit_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) $(WOLFSENTRY_INCLUDE)
tests_unit_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB)
tests_unit_test_DEPENDENCIES = src/libwolfssl.la
endif
EXTRA_DIST += tests/unit.h

4
testsuite/include.am
View File

@ -13,8 +13,8 @@ testsuite_testsuite_test_SOURCES = \
examples/echoserver/echoserver.c \
examples/server/server.c \
testsuite/testsuite.c
testsuite_testsuite_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS)
testsuite_testsuite_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD)
testsuite_testsuite_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) $(WOLFSENTRY_INCLUDE)
testsuite_testsuite_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB)
testsuite_testsuite_test_DEPENDENCIES = src/libwolfssl.la
endif
EXTRA_DIST += testsuite/testsuite.sln

4
wolfssl/error-ssl.h
View File

@ -171,7 +171,9 @@ enum wolfSSL_ErrorCodes {
NO_CERT_ERROR = -440, /* TLS1.3 - no cert set error */
APP_DATA_READY = -441, /* DTLS1.2 application data ready for read */
TOO_MUCH_EARLY_DATA = -442, /* Too much Early data */
SOCKET_FILTERED_E = -443, /* Session stopped by network filter */
/* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */
/* begin negotiation parameter errors */

12
wolfssl/internal.h
View File

@ -2860,6 +2860,10 @@ struct WOLFSSL_CTX {
CallbackInfoState* CBIS; /* used to get info about SSL state */
WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/
#endif
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
NetworkFilterCallback_t AcceptFilter;
void *AcceptFilter_arg;
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
CallbackIORecv CBIORecv;
CallbackIOSend CBIOSend;
#ifdef WOLFSSL_DTLS
@ -3039,6 +3043,10 @@ void FreeSSL_Ctx(WOLFSSL_CTX*);
WOLFSSL_LOCAL
void SSL_CtxResourceFree(WOLFSSL_CTX*);
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data);
#endif
WOLFSSL_LOCAL
int DeriveTlsKeys(WOLFSSL* ssl);
WOLFSSL_LOCAL
@ -4075,6 +4083,10 @@ struct WOLFSSL {
#ifdef OPENSSL_EXTRA
byte cbioFlag; /* WOLFSSL_CBIO_RECV/SEND: CBIORecv/Send is set */
#endif
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
NetworkFilterCallback_t AcceptFilter;
void *AcceptFilter_arg;
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
CallbackIORecv CBIORecv;
CallbackIOSend CBIOSend;
#ifdef WOLFSSL_STATIC_MEMORY

8
wolfssl/openssl/rsa.h
View File

@ -152,7 +152,13 @@ WOLFSSL_API WOLFSSL_RSA* wolfSSL_RSAPublicKey_dup(WOLFSSL_RSA *rsa);
WOLFSSL_API void* wolfSSL_RSA_get_ex_data(const WOLFSSL_RSA *rsa, int idx);
WOLFSSL_API int wolfSSL_RSA_set_ex_data(WOLFSSL_RSA *rsa, int idx, void *data);
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
WOLFSSL_API int wolfSSL_RSA_set_ex_data_with_cleanup(
WOLFSSL_RSA *rsa,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine);
#endif
#define WOLFSSL_RSA_LOAD_PRIVATE 1
#define WOLFSSL_RSA_LOAD_PUBLIC 2

83
wolfssl/ssl.h
View File

@ -1143,6 +1143,29 @@ WOLFSSL_API int wolfSSL_export_keying_material(WOLFSSL *ssl,
int use_context);
#endif /* HAVE_KEYING_MATERIAL */
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
typedef enum {
WOLFSSL_NETFILTER_PASS = 0,
WOLFSSL_NETFILTER_ACCEPT = 1,
WOLFSSL_NETFILTER_REJECT = 2
} wolfSSL_netfilter_decision_t;
typedef int (*NetworkFilterCallback_t)(
WOLFSSL *ssl,
void *AcceptFilter_arg,
wolfSSL_netfilter_decision_t *decision);
WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(
WOLFSSL_CTX *ctx,
NetworkFilterCallback_t AcceptFilter,
void *AcceptFilter_arg);
WOLFSSL_API int wolfSSL_set_AcceptFilter(
WOLFSSL *ssl,
NetworkFilterCallback_t AcceptFilter,
void *AcceptFilter_arg);
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
/* Nonblocking DTLS helper functions */
WOLFSSL_API void wolfSSL_dtls_set_using_nonblock(WOLFSSL*, int);
WOLFSSL_API int wolfSSL_dtls_get_using_nonblock(WOLFSSL*);
@ -1269,6 +1292,13 @@ WOLFSSL_API int wolfSSL_sk_X509_EXTENSION_num(WOLF_STACK_OF(WOLFSSL_X509_EXTENSI
WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_sk_X509_EXTENSION_value(
WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk, int idx);
WOLFSSL_API int wolfSSL_set_ex_data(WOLFSSL*, int, void*);
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
WOLFSSL_API int wolfSSL_set_ex_data_with_cleanup(
WOLFSSL* ssl,
int idx,
void* data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine);
#endif
WOLFSSL_API int wolfSSL_get_shutdown(const WOLFSSL*);
WOLFSSL_API int wolfSSL_set_rfd(WOLFSSL*, int);
WOLFSSL_API int wolfSSL_set_wfd(WOLFSSL*, int);
@ -1351,6 +1381,13 @@ WOLFSSL_API WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_base64(void);
WOLFSSL_API void wolfSSL_BIO_set_flags(WOLFSSL_BIO*, int);
WOLFSSL_API void wolfSSL_BIO_clear_flags(WOLFSSL_BIO *bio, int flags);
WOLFSSL_API int wolfSSL_BIO_set_ex_data(WOLFSSL_BIO *bio, int idx, void *data);
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
WOLFSSL_API int wolfSSL_BIO_set_ex_data_with_cleanup(
WOLFSSL_BIO *bio,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine);
#endif
WOLFSSL_API void *wolfSSL_BIO_get_ex_data(WOLFSSL_BIO *bio, int idx);
WOLFSSL_API long wolfSSL_BIO_set_nbio(WOLFSSL_BIO*, long);
@ -1675,10 +1712,24 @@ WOLFSSL_API void* wolfSSL_X509_STORE_CTX_get_ex_data(
WOLFSSL_X509_STORE_CTX* ctx, int idx);
WOLFSSL_API int wolfSSL_X509_STORE_CTX_set_ex_data(WOLFSSL_X509_STORE_CTX* ctx,
int idx, void *data);
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
WOLFSSL_API int wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup(
WOLFSSL_X509_STORE_CTX* ctx,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine);
#endif
WOLFSSL_API void* wolfSSL_X509_STORE_get_ex_data(
WOLFSSL_X509_STORE* store, int idx);
WOLFSSL_API int wolfSSL_X509_STORE_set_ex_data(WOLFSSL_X509_STORE* store,
int idx, void *data);
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
WOLFSSL_API int wolfSSL_X509_STORE_set_ex_data_with_cleanup(
WOLFSSL_X509_STORE* store,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine);
#endif
WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_depth(WOLFSSL_X509_STORE_CTX* ctx,
int depth);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get0_current_issuer(
@ -2237,10 +2288,17 @@ WOLFSSL_API int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *s, const char *s
WOLFSSL_API int wolfSSL_sk_num(const WOLFSSL_STACK* sk);
WOLFSSL_API void* wolfSSL_sk_value(const WOLFSSL_STACK* sk, int i);
#if (defined(HAVE_EX_DATA) || defined(FORTRESS)) && \
(defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL))
#if defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL)
WOLFSSL_API void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data,
int idx);
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data_with_cleanup(
WOLFSSL_CRYPTO_EX_DATA* ex_data,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine);
#endif
WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx,
void *data);
#endif
@ -2248,6 +2306,13 @@ WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int
/* stunnel 4.28 needs */
WOLFSSL_API void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX*, int);
WOLFSSL_API int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX*, int, void*);
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
WOLFSSL_API int wolfSSL_CTX_set_ex_data_with_cleanup(
WOLFSSL_CTX* ctx,
int idx,
void* data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine);
#endif
WOLFSSL_API void wolfSSL_CTX_sess_set_get_cb(WOLFSSL_CTX*,
WOLFSSL_SESSION*(*f)(WOLFSSL*, unsigned char*, int, int*));
WOLFSSL_API void wolfSSL_CTX_sess_set_new_cb(WOLFSSL_CTX*,
@ -3912,6 +3977,13 @@ WOLFSSL_API void* wolfSSL_sk_X509_OBJECT_value(WOLF_STACK_OF(WOLFSSL_X509_OBJECT
WOLFSSL_API void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION*, int);
WOLFSSL_API int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION*, int, void*);
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
WOLFSSL_API int wolfSSL_SESSION_set_ex_data_with_cleanup(
WOLFSSL_SESSION* session,
int idx,
void* data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine);
#endif
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
@ -4061,6 +4133,13 @@ WOLFSSL_API int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url);
WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx);
WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx,
void *data);
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
WOLFSSL_API int wolfSSL_X509_set_ex_data_with_cleanup(
X509 *x509,
int idx,
void *data,
wolfSSL_ex_data_cleanup_routine_t cleanup_routine);
#endif
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \

9
wolfssl/test.h
View File

@ -1297,10 +1297,9 @@ static WC_INLINE void udp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd,
static WC_INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd,
func_args* args, word16 port, int useAnyAddr,
int udp, int sctp, int ready_file, int do_listen)
int udp, int sctp, int ready_file, int do_listen,
SOCKADDR_IN_T *client_addr, socklen_t *client_len)
{
SOCKADDR_IN_T client_addr;
socklen_t client_len = sizeof(client_addr);
tcp_ready* ready = NULL;
(void) ready; /* Account for case when "ready" is not used */
@ -1357,8 +1356,8 @@ static WC_INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd,
}
}
*clientfd = accept(*sockfd, (struct sockaddr*)&client_addr,
(ACCEPT_THIRD_T)&client_len);
*clientfd = accept(*sockfd, (struct sockaddr*)client_addr,
(ACCEPT_THIRD_T)client_len);
if(WOLFSSL_SOCKET_IS_INVALID(*clientfd)) {
err_sys_with_errno("tcp accept failed");
}

6
wolfssl/wolfcrypt/types.h
View File

@ -48,8 +48,14 @@ decouple library dependencies with standard string, memory and so on.
* (with minimal depencencies).
*/
#if defined(HAVE_EX_DATA) || defined(FORTRESS)
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
typedef void (*wolfSSL_ex_data_cleanup_routine_t)(void *data);
#endif
typedef struct WOLFSSL_CRYPTO_EX_DATA {
void* ex_data[MAX_EX_DATA];
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
wolfSSL_ex_data_cleanup_routine_t ex_data_cleanup_routines[MAX_EX_DATA];
#endif
} WOLFSSL_CRYPTO_EX_DATA;
#endif