diff --git a/src/ssl.c b/src/ssl.c index 0618f1dae..80dd24828 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -145,13 +145,13 @@ #define WOLFSSL_EVP_INCLUDED #include "wolfcrypt/src/evp.c" +#ifndef WOLFCRYPT_ONLY + #ifdef OPENSSL_EXTRA /* Global pointer to constant BN on */ static WOLFSSL_BIGNUM* bn_one = NULL; #endif -#ifndef WOLFCRYPT_ONLY - #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) const WOLF_EC_NIST_NAME kNistCurves[] = { {XSTR_SIZEOF("P-192"), "P-192", NID_X9_62_prime192v1}, @@ -4786,6 +4786,13 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) #endif /* NO_SESSION_CACHE */ +#if defined(OPENSSL_EXTRA) || \ + (defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA)) +static WC_RNG globalRNG; +static int initGlobalRNG = 0; +static wolfSSL_Mutex globalRNGMutex; +#endif + WOLFSSL_ABI int wolfSSL_Init(void) { @@ -4798,6 +4805,14 @@ int wolfSSL_Init(void) return WC_INIT_E; } +#if defined(OPENSSL_EXTRA) || \ + (defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA)) + if (wc_InitMutex(&globalRNGMutex) != 0) { + WOLFSSL_MSG("Bad Init Mutex rng"); + return BAD_MUTEX_E; + } +#endif + #ifdef OPENSSL_EXTRA if (wolfSSL_RAND_seed(NULL, 0) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("wolfSSL_RAND_Seed failed"); @@ -17829,43 +17844,40 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz) #ifdef OPENSSL_EXTRA /* used by JSSE (not a standard compatibility function) */ -/* this is not thread safe */ WOLFSSL_ABI const byte* wolfSSL_X509_notBefore(WOLFSSL_X509* x509) { - static byte notBeforeData[CTC_DATE_SIZE]; /* temp buffer for date */ WOLFSSL_ENTER("wolfSSL_X509_notBefore"); if (x509 == NULL) return NULL; - XMEMSET(notBeforeData, 0, sizeof(notBeforeData)); - notBeforeData[0] = (byte)x509->notBefore.type; - notBeforeData[1] = (byte)x509->notBefore.length; - XMEMCPY(¬BeforeData[2], x509->notBefore.data, x509->notBefore.length); + XMEMSET(x509->notBeforeData, 0, sizeof(x509->notBeforeData)); + x509->notBeforeData[0] = (byte)x509->notBefore.type; + x509->notBeforeData[1] = (byte)x509->notBefore.length; + XMEMCPY(&x509->notBeforeData[2], x509->notBefore.data, x509->notBefore.length); - return notBeforeData; + return x509->notBeforeData; } /* used by JSSE (not a standard compatibility function) */ -/* this is not thread safe */ WOLFSSL_ABI const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509) { - static byte notAfterData[CTC_DATE_SIZE]; /* temp buffer for date */ WOLFSSL_ENTER("wolfSSL_X509_notAfter"); if (x509 == NULL) return NULL; - XMEMSET(notAfterData, 0, sizeof(notAfterData)); - notAfterData[0] = (byte)x509->notAfter.type; - notAfterData[1] = (byte)x509->notAfter.length; - XMEMCPY(¬AfterData[2], x509->notAfter.data, x509->notAfter.length); + XMEMSET(x509->notAfterData, 0, sizeof(x509->notAfterData)); + x509->notAfterData[0] = (byte)x509->notAfter.type; + x509->notAfterData[1] = (byte)x509->notAfter.length; + XMEMCPY(&x509->notAfterData[2], x509->notAfter.data, x509->notAfter.length); - return notAfterData; + return x509->notAfterData; } + #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj) { @@ -28018,7 +28030,6 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname) } #endif #endif /* OPENSSL_EXTRA */ -#endif /* !WOLFCRYPT_ONLY */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) const WOLFSSL_ObjectInfo wolfssl_object_info[] = { #ifndef NO_CERTS @@ -28327,11 +28338,6 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { (sizeof(wolfssl_object_info) / sizeof(*wolfssl_object_info)) const size_t wolfssl_object_info_sz = WOLFSSL_OBJECT_INFO_SZ; #endif -#if defined(OPENSSL_EXTRA) || \ - (defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA)) -static WC_RNG globalRNG; -static int initGlobalRNG = 0; -#endif #if defined(OPENSSL_EXTRA) && \ !defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng) @@ -28379,25 +28385,29 @@ WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng) return rng; } #endif -#ifndef WOLFCRYPT_ONLY #ifdef OPENSSL_EXTRA -/* Not thread safe! Can be called multiple times. - * Checks if the global RNG has been created. If not then one is created. +/* Checks if the global RNG has been created. If not then one is created. * * Returns SSL_SUCCESS when no error is encountered. */ static int wolfSSL_RAND_Init(void) { + if (wc_LockMutex(&globalRNGMutex) != 0) { + WOLFSSL_MSG("Bad Lock Mutex rng"); + return 0; + } if (initGlobalRNG == 0) { if (wc_InitRng(&globalRNG) < 0) { WOLFSSL_MSG("wolfSSL Init Global RNG failed"); + wc_UnLockMutex(&globalRNGMutex); return 0; } initGlobalRNG = 1; } + wc_UnLockMutex(&globalRNGMutex); return SSL_SUCCESS; } @@ -28555,7 +28565,6 @@ int wolfSSL_RAND_write_file(const char* fname) #endif /* This collects entropy from the path nm and seeds the global PRNG with it. - * Makes a call to wolfSSL_RAND_Init which is not thread safe. * * nm is the file path to the egd server * @@ -28668,14 +28677,18 @@ int wolfSSL_RAND_egd(const char* nm) } if (bytes > 0 && ret == WOLFSSL_SUCCESS) { - wolfSSL_RAND_Init(); /* call to check global RNG is created */ - if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes) + /* call to check global RNG is created */ + if (wolfSSL_RAND_Init() != SSL_SUCCESS) { + WOLFSSL_MSG("Error with initializing global RNG structure"); + ret = WOLFSSL_FATAL_ERROR; + } + else if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes) != 0) { WOLFSSL_MSG("Error with reseeding DRBG structure"); ret = WOLFSSL_FATAL_ERROR; } #ifdef SHOW_SECRETS - { /* print out entropy found */ + else { /* print out entropy found only when no error occured */ word32 i; printf("EGD Entropy = "); for (i = 0; i < bytes; i++) { @@ -28713,10 +28726,15 @@ void wolfSSL_RAND_Cleanup(void) { WOLFSSL_ENTER("wolfSSL_RAND_Cleanup()"); + if (wc_LockMutex(&globalRNGMutex) != 0) { + WOLFSSL_MSG("Bad Lock Mutex rng"); + return; + } if (initGlobalRNG != 0) { wc_FreeRng(&globalRNG); initGlobalRNG = 0; } + wc_UnLockMutex(&globalRNGMutex); } @@ -39183,6 +39201,7 @@ err: unsigned char *md) { static byte dig[WC_SHA_DIGEST_SIZE]; + byte* ret = md; wc_Sha sha; WOLFSSL_ENTER("wolfSSL_SHA1"); @@ -39197,20 +39216,19 @@ err: return NULL; } - if (wc_ShaFinal(&sha, dig) != 0) { + if (md == NULL) { + WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA1 IS NOT " + "THREAD SAFE WHEN md == NULL"); + ret = dig; + } + if (wc_ShaFinal(&sha, ret) != 0) { WOLFSSL_MSG("SHA1 Final failed"); + wc_ShaFree(&sha); return NULL; } - wc_ShaFree(&sha); - if (md != NULL) { - XMEMCPY(md, dig, WC_SHA_DIGEST_SIZE); - return md; - } - else { - return (unsigned char*)dig; - } + return ret; } #endif /* ! NO_SHA */ @@ -39230,6 +39248,7 @@ err: unsigned char *md) { static byte dig[WC_SHA256_DIGEST_SIZE]; + byte* ret = md; wc_Sha256 sha; WOLFSSL_ENTER("wolfSSL_SHA256"); @@ -39244,20 +39263,19 @@ err: return NULL; } - if (wc_Sha256Final(&sha, dig) != 0) { + if (md == NULL) { + WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA256 IS NOT " + "THREAD SAFE WHEN md == NULL"); + ret = dig; + } + if (wc_Sha256Final(&sha, ret) != 0) { WOLFSSL_MSG("SHA256 Final failed"); + wc_Sha256Free(&sha); return NULL; } - wc_Sha256Free(&sha); - if (md != NULL) { - XMEMCPY(md, dig, WC_SHA256_DIGEST_SIZE); - return md; - } - else { - return (unsigned char*)dig; - } + return ret; } #endif /* ! NO_SHA256 */ @@ -39277,6 +39295,7 @@ err: unsigned char *md) { static byte dig[WC_SHA384_DIGEST_SIZE]; + byte* ret = md; wc_Sha384 sha; WOLFSSL_ENTER("wolfSSL_SHA384"); @@ -39291,20 +39310,19 @@ err: return NULL; } - if (wc_Sha384Final(&sha, dig) != 0) { + if (md == NULL) { + WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA384 IS NOT " + "THREAD SAFE WHEN md == NULL"); + ret = dig; + } + if (wc_Sha384Final(&sha, ret) != 0) { WOLFSSL_MSG("SHA384 Final failed"); + wc_Sha384Free(&sha); return NULL; } - wc_Sha384Free(&sha); - if (md != NULL) { - XMEMCPY(md, dig, WC_SHA384_DIGEST_SIZE); - return md; - } - else { - return (unsigned char*)dig; - } + return ret; } #endif /* WOLFSSL_SHA384 */ @@ -39325,6 +39343,7 @@ err: unsigned char *md) { static byte dig[WC_SHA512_DIGEST_SIZE]; + byte* ret = md; wc_Sha512 sha; WOLFSSL_ENTER("wolfSSL_SHA512"); @@ -39339,20 +39358,19 @@ err: return NULL; } - if (wc_Sha512Final(&sha, dig) != 0) { + if (md == NULL) { + WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA512 IS NOT " + "THREAD SAFE WHEN md == NULL"); + ret = dig; + } + if (wc_Sha512Final(&sha, ret) != 0) { WOLFSSL_MSG("SHA512 Final failed"); + wc_Sha512Free(&sha); return NULL; } - wc_Sha512Free(&sha); - if (md != NULL) { - XMEMCPY(md, dig, WC_SHA512_DIGEST_SIZE); - return md; - } - else { - return (unsigned char*)dig; - } + return ret; } #endif /* WOLFSSL_SHA512 */ #endif /* OPENSSL_EXTRA */ @@ -44793,8 +44811,6 @@ int wolfSSL_set_alpn_protos(WOLFSSL* ssl, #endif /* HAVE_ALPN */ #endif -#endif /* WOLFCRYPT_ONLY */ - #if defined(OPENSSL_EXTRA) #define WOLFSSL_BIO_INCLUDED @@ -48672,3 +48688,5 @@ int wolfSSL_set_ephemeral_key(WOLFSSL* ssl, int keyAlgo, } #endif /* WOLFSSL_STATIC_EPHEMERAL */ + +#endif /* WOLFCRYPT_ONLY */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d1651b943..b2f4a103f 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3731,6 +3731,7 @@ struct WOLFSSL_X509 { byte subjAltNameCrit:1; byte authKeyIdSet:1; byte authKeyIdCrit:1; + byte issuerSet:1; #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ byte serial[EXTERNAL_SERIAL_SIZE]; char subjectCN[ASN_NAME_MAX]; /* common name short cut */ @@ -3743,7 +3744,11 @@ struct WOLFSSL_X509 { WOLFSSL_X509_ALGOR algor; WOLFSSL_X509_PUBKEY key; #endif - byte issuerSet:1; +#if defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || \ + defined(SESSION_CERTS) + byte notBeforeData[CTC_DATE_SIZE]; + byte notAfterData[CTC_DATE_SIZE]; +#endif };