feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #3308 from julek-wolfssl/thread-safety

Browse Source 
Introduce thread safety to unsafe functions in wolfSSL
This commit is contained in:
toddouska
2020-10-20 14:56:04 -07:00
committed by GitHub
parent 7c89d10e53 147cb8e60c
commit c863ca54a3
2 changed files with 91 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

152
src/ssl.c
View File

@ -145,13 +145,13 @@
#define WOLFSSL_EVP_INCLUDED
#include "wolfcrypt/src/evp.c"
#ifndef WOLFCRYPT_ONLY
#ifdef OPENSSL_EXTRA
/* Global pointer to constant BN on */
static WOLFSSL_BIGNUM* bn_one = NULL;
#endif
#ifndef WOLFCRYPT_ONLY
#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
const WOLF_EC_NIST_NAME kNistCurves[] = {
{XSTR_SIZEOF("P-192"), "P-192", NID_X9_62_prime192v1},
@ -4786,6 +4786,13 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
#endif /* NO_SESSION_CACHE */
#if defined(OPENSSL_EXTRA) || \
(defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA))
static WC_RNG globalRNG;
static int initGlobalRNG = 0;
static wolfSSL_Mutex globalRNGMutex;
#endif
WOLFSSL_ABI
int wolfSSL_Init(void)
{
@ -4798,6 +4805,14 @@ int wolfSSL_Init(void)
return WC_INIT_E;
}
#if defined(OPENSSL_EXTRA) || \
(defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA))
if (wc_InitMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Init Mutex rng");
return BAD_MUTEX_E;
}
#endif
#ifdef OPENSSL_EXTRA
if (wolfSSL_RAND_seed(NULL, 0) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("wolfSSL_RAND_Seed failed");
@ -17829,43 +17844,40 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)
#ifdef OPENSSL_EXTRA
/* used by JSSE (not a standard compatibility function) */
/* this is not thread safe */
WOLFSSL_ABI
const byte* wolfSSL_X509_notBefore(WOLFSSL_X509* x509)
{
static byte notBeforeData[CTC_DATE_SIZE]; /* temp buffer for date */
WOLFSSL_ENTER("wolfSSL_X509_notBefore");
if (x509 == NULL)
return NULL;
XMEMSET(notBeforeData, 0, sizeof(notBeforeData));
notBeforeData[0] = (byte)x509->notBefore.type;
notBeforeData[1] = (byte)x509->notBefore.length;
XMEMCPY(&notBeforeData[2], x509->notBefore.data, x509->notBefore.length);
XMEMSET(x509->notBeforeData, 0, sizeof(x509->notBeforeData));
x509->notBeforeData[0] = (byte)x509->notBefore.type;
x509->notBeforeData[1] = (byte)x509->notBefore.length;
XMEMCPY(&x509->notBeforeData[2], x509->notBefore.data, x509->notBefore.length);
return notBeforeData;
return x509->notBeforeData;
}
/* used by JSSE (not a standard compatibility function) */
/* this is not thread safe */
WOLFSSL_ABI
const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509)
{
static byte notAfterData[CTC_DATE_SIZE]; /* temp buffer for date */
WOLFSSL_ENTER("wolfSSL_X509_notAfter");
if (x509 == NULL)
return NULL;
XMEMSET(notAfterData, 0, sizeof(notAfterData));
notAfterData[0] = (byte)x509->notAfter.type;
notAfterData[1] = (byte)x509->notAfter.length;
XMEMCPY(&notAfterData[2], x509->notAfter.data, x509->notAfter.length);
XMEMSET(x509->notAfterData, 0, sizeof(x509->notAfterData));
x509->notAfterData[0] = (byte)x509->notAfter.type;
x509->notAfterData[1] = (byte)x509->notAfter.length;
XMEMCPY(&x509->notAfterData[2], x509->notAfter.data, x509->notAfter.length);
return notAfterData;
return x509->notAfterData;
}
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB)
WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj)
{
@ -28018,7 +28030,6 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
}
#endif
#endif /* OPENSSL_EXTRA */
#endif /* !WOLFCRYPT_ONLY */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
#ifndef NO_CERTS
@ -28327,11 +28338,6 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
(sizeof(wolfssl_object_info) / sizeof(*wolfssl_object_info))
const size_t wolfssl_object_info_sz = WOLFSSL_OBJECT_INFO_SZ;
#endif
#if defined(OPENSSL_EXTRA) || \
(defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA))
static WC_RNG globalRNG;
static int initGlobalRNG = 0;
#endif
#if defined(OPENSSL_EXTRA) && \
!defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)
WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng)
@ -28379,25 +28385,29 @@ WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng)
return rng;
}
#endif
#ifndef WOLFCRYPT_ONLY
#ifdef OPENSSL_EXTRA
/* Not thread safe! Can be called multiple times.
* Checks if the global RNG has been created. If not then one is created.
/* Checks if the global RNG has been created. If not then one is created.
*
* Returns SSL_SUCCESS when no error is encountered.
*/
static int wolfSSL_RAND_Init(void)
{
if (wc_LockMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Lock Mutex rng");
return 0;
}
if (initGlobalRNG == 0) {
if (wc_InitRng(&globalRNG) < 0) {
WOLFSSL_MSG("wolfSSL Init Global RNG failed");
wc_UnLockMutex(&globalRNGMutex);
return 0;
}
initGlobalRNG = 1;
}
wc_UnLockMutex(&globalRNGMutex);
return SSL_SUCCESS;
}
@ -28555,7 +28565,6 @@ int wolfSSL_RAND_write_file(const char* fname)
#endif
/* This collects entropy from the path nm and seeds the global PRNG with it.
* Makes a call to wolfSSL_RAND_Init which is not thread safe.
*
* nm is the file path to the egd server
*
@ -28668,14 +28677,18 @@ int wolfSSL_RAND_egd(const char* nm)
}
if (bytes > 0 && ret == WOLFSSL_SUCCESS) {
wolfSSL_RAND_Init(); /* call to check global RNG is created */
if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes)
/* call to check global RNG is created */
if (wolfSSL_RAND_Init() != SSL_SUCCESS) {
WOLFSSL_MSG("Error with initializing global RNG structure");
ret = WOLFSSL_FATAL_ERROR;
}
else if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes)
!= 0) {
WOLFSSL_MSG("Error with reseeding DRBG structure");
ret = WOLFSSL_FATAL_ERROR;
}
#ifdef SHOW_SECRETS
{ /* print out entropy found */
else { /* print out entropy found only when no error occured */
word32 i;
printf("EGD Entropy = ");
for (i = 0; i < bytes; i++) {
@ -28713,10 +28726,15 @@ void wolfSSL_RAND_Cleanup(void)
{
WOLFSSL_ENTER("wolfSSL_RAND_Cleanup()");
if (wc_LockMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Lock Mutex rng");
return;
}
if (initGlobalRNG != 0) {
wc_FreeRng(&globalRNG);
initGlobalRNG = 0;
}
wc_UnLockMutex(&globalRNGMutex);
}
@ -39183,6 +39201,7 @@ err:
unsigned char *md)
{
static byte dig[WC_SHA_DIGEST_SIZE];
byte* ret = md;
wc_Sha sha;
WOLFSSL_ENTER("wolfSSL_SHA1");
@ -39197,20 +39216,19 @@ err:
return NULL;
}
if (wc_ShaFinal(&sha, dig) != 0) {
if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA1 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_ShaFinal(&sha, ret) != 0) {
WOLFSSL_MSG("SHA1 Final failed");
wc_ShaFree(&sha);
return NULL;
}
wc_ShaFree(&sha);
if (md != NULL) {
XMEMCPY(md, dig, WC_SHA_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
return ret;
}
#endif /* ! NO_SHA */
@ -39230,6 +39248,7 @@ err:
unsigned char *md)
{
static byte dig[WC_SHA256_DIGEST_SIZE];
byte* ret = md;
wc_Sha256 sha;
WOLFSSL_ENTER("wolfSSL_SHA256");
@ -39244,20 +39263,19 @@ err:
return NULL;
}
if (wc_Sha256Final(&sha, dig) != 0) {
if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA256 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_Sha256Final(&sha, ret) != 0) {
WOLFSSL_MSG("SHA256 Final failed");
wc_Sha256Free(&sha);
return NULL;
}
wc_Sha256Free(&sha);
if (md != NULL) {
XMEMCPY(md, dig, WC_SHA256_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
return ret;
}
#endif /* ! NO_SHA256 */
@ -39277,6 +39295,7 @@ err:
unsigned char *md)
{
static byte dig[WC_SHA384_DIGEST_SIZE];
byte* ret = md;
wc_Sha384 sha;
WOLFSSL_ENTER("wolfSSL_SHA384");
@ -39291,20 +39310,19 @@ err:
return NULL;
}
if (wc_Sha384Final(&sha, dig) != 0) {
if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA384 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_Sha384Final(&sha, ret) != 0) {
WOLFSSL_MSG("SHA384 Final failed");
wc_Sha384Free(&sha);
return NULL;
}
wc_Sha384Free(&sha);
if (md != NULL) {
XMEMCPY(md, dig, WC_SHA384_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
return ret;
}
#endif /* WOLFSSL_SHA384 */
@ -39325,6 +39343,7 @@ err:
unsigned char *md)
{
static byte dig[WC_SHA512_DIGEST_SIZE];
byte* ret = md;
wc_Sha512 sha;
WOLFSSL_ENTER("wolfSSL_SHA512");
@ -39339,20 +39358,19 @@ err:
return NULL;
}
if (wc_Sha512Final(&sha, dig) != 0) {
if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA512 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_Sha512Final(&sha, ret) != 0) {
WOLFSSL_MSG("SHA512 Final failed");
wc_Sha512Free(&sha);
return NULL;
}
wc_Sha512Free(&sha);
if (md != NULL) {
XMEMCPY(md, dig, WC_SHA512_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
return ret;
}
#endif /* WOLFSSL_SHA512 */
#endif /* OPENSSL_EXTRA */
@ -44793,8 +44811,6 @@ int wolfSSL_set_alpn_protos(WOLFSSL* ssl,
#endif /* HAVE_ALPN */
#endif
#endif /* WOLFCRYPT_ONLY */
#if defined(OPENSSL_EXTRA)
#define WOLFSSL_BIO_INCLUDED
@ -48672,3 +48688,5 @@ int wolfSSL_set_ephemeral_key(WOLFSSL* ssl, int keyAlgo,
}
#endif /* WOLFSSL_STATIC_EPHEMERAL */
#endif /* WOLFCRYPT_ONLY */

7
wolfssl/internal.h
View File

@ -3731,6 +3731,7 @@ struct WOLFSSL_X509 {
byte subjAltNameCrit:1;
byte authKeyIdSet:1;
byte authKeyIdCrit:1;
byte issuerSet:1;
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
byte serial[EXTERNAL_SERIAL_SIZE];
char subjectCN[ASN_NAME_MAX]; /* common name short cut */
@ -3743,7 +3744,11 @@ struct WOLFSSL_X509 {
WOLFSSL_X509_ALGOR algor;
WOLFSSL_X509_PUBKEY key;
#endif
byte issuerSet:1;
#if defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || \
defined(SESSION_CERTS)
byte notBeforeData[CTC_DATE_SIZE];
byte notAfterData[CTC_DATE_SIZE];
#endif
};