From c74c2ce00c3b92e564987db1e64e425e1b516b4b Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Thu, 30 Mar 2017 11:53:35 +1000
Subject: [PATCH] FIPS changes and fixups Enable ex data explicitly. Keep the peer cert for verification callback. External session cache for hostapd. Enable DES_ECB when not FIPS. Don't send the peer cert if it is not received from peer. Initialize the peer cert after free as will be freed on tear down of SSL. Allow a server to become a client.
---
 configure.ac | 12 +++++++++---
 src/internal.c | 10 ++++++++--
 src/ssl.c | 22 +++++++++++++++++++---
 3 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/configure.ac b/configure.ac
index 12e6fed6f..baef3057c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -342,7 +342,8 @@ if test "$ENABLED_WPAS" = "yes"
 then
 AM_CFLAGS="$AM_CFLAGS -DHAVE_SECRET_CALLBACK -DWOLFSSL_STATIC_RSA"
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP -DWOLFSSL_PUBLIC_ECC_ADD_DBL"
- AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
+ AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER -DHAVE_EX_DATA -DWOLFSSL_KEEP_PEER_CERT"
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE"
 AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WPAS"
 fi
@@ -361,7 +362,7 @@ fi
 if test "$ENABLED_FORTRESS" = "yes"
 then
- AM_CFLAGS="$AM_CFLAGS -DFORTRESS -DWOLFSSL_ALWAYS_VERIFY_CB -DOPENSSL_EXTRA -DWOLFSSL_DES_ECB -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_DER_LOAD -DWOLFSSL_SHA512 -DWOLFSSL_SHA384 -DWOLFSSL_KEY_GEN"
+ AM_CFLAGS="$AM_CFLAGS -DFORTRESS -DWOLFSSL_ALWAYS_VERIFY_CB -DOPENSSL_EXTRA -DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_DER_LOAD -DWOLFSSL_SHA512 -DWOLFSSL_SHA384 -DWOLFSSL_KEY_GEN"
 fi
@@ -1578,6 +1579,11 @@ then
 ENABLED_DES3="yes"
 fi
 AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
+else
+ if test "x$ENABLED_FORTRESS" = "xyes"
+ then
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB"
+ fi
 fi
 AM_CONDITIONAL([BUILD_FIPS], [test "x$ENABLED_FIPS" = "xyes"])
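Review bot: In the `@@ -342,7 +342,8 @@` hunk of configure.ac the WPAS build now passes `-DWOLFSSL_KEEP_PEER_CERT`, but the C code touched by this same patch is guarded by `#ifdef KEEP_PEER_CERT`, and nothing visible in the patch maps one name to the other. If no header derives `KEEP_PEER_CERT` from `WOLFSSL_KEEP_PEER_CERT`, the new flag is a no-op and the peer-certificate handling for the verification callback silently depends on some other option defining it. Either confirm that mapping exists or pass the name the sources actually test, `-DKEEP_PEER_CERT`.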
@@ -3002,7 +3008,7 @@ AC_ARG_ENABLE([aeskeywrap],
 [ ENABLED_AESKEYWRAP=no ]
 )
-if test "$ENABLED_WPAS" = "yes"
+if test "$ENABLED_WPAS" = "yes" && test "$ENABLED_FIPS" = "no"
 then
 ENABLED_AESKEYWRAP="yes"
 fi
diff --git a/src/internal.c b/src/internal.c
index 6e0275f73..b8a9ba46a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -7203,7 +7203,10 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 store->certs = certs;
 store->totalCerts = totalCerts;
 #ifdef KEEP_PEER_CERT
- store->current_cert = &ssl->peerCert;
+ if (ssl->peerCert.subject.sz > 0)
+ store->current_cert = &ssl->peerCert;
+ else
+ store->current_cert = NULL;
 #else
 store->current_cert = NULL;
 #endif
@@ -7246,7 +7249,10 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 store->certs = certs;
 store->totalCerts = totalCerts;
 #ifdef KEEP_PEER_CERT
- store->current_cert = &ssl->peerCert;
+ if (ssl->peerCert.subject.sz > 0)
+ store->current_cert = &ssl->peerCert;
+ else
+ store->current_cert = NULL;
 #endif
 store->ex_data = ssl;
diff --git a/src/ssl.c b/src/ssl.c
index 2d5fb50a5..11986cc12 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10213,7 +10213,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 WOLFSSL_X509_STORE_CTX* ctx)
 {
 WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert");
- if(ctx)
+ if (ctx)
 return ctx->current_cert;
 return NULL;
 }
@@ -12400,6 +12400,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
 #ifdef KEEP_PEER_CERT
 FreeX509(&ssl->peerCert);
+ InitX509(&ssl->peerCert, 0, ssl->heap);
 #endif
 return SSL_SUCCESS;
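Review bot: In `src/internal.c`, both DoCertificate hunks (`@@ -7203,7 +7203,10 @@` and `@@ -7246,7 +7249,10 @@`) use `ssl->peerCert.subject.sz > 0` as the test for "a peer certificate was received", which conflates an absent certificate with one whose subject name is empty. RFC 5280 permits an empty subject when subjectAltName is critical, so if `subject.sz` is 0 for such a certificate the verify callback would be handed `current_cert == NULL` for a certificate the peer did send. Callbacks built with KEEP_PEER_CERT can now see a NULL `current_cert` where they previously always got a pointer, so both sites deserve a comment such as `/* NULL until a peer certificate has been decoded; verify callbacks must check */`, plus braces on the new if/else. DoCertificate starts and ends outside both hunks, so whether a more direct "certificate decoded" indicator is available there cannot be judged from here.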
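Review bot: The `InitX509(&ssl->peerCert, 0, ssl->heap);` added in the `@@ -12400,6 +12400,7 @@` hunk of `src/ssl.c` carries no comment saying why a structure that was just freed is re-initialised; the reason appears only in the commit message. A one-line comment above the call, e.g. `/* re-init: peerCert is freed again when the SSL object is torn down */`, would stop a later cleanup from removing it and letting teardown free stale pointers a second time. The meaning of the literal `0` passed as the second argument is not visible in this hunk and would merit a word as well. The enclosing function starts and ends outside the hunk.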
@@ -13672,8 +13673,23 @@ int wolfSSL_set_session_id_context(WOLFSSL* ssl, const unsigned char* id,
 void wolfSSL_set_connect_state(WOLFSSL* ssl)
 {
- (void)ssl;
- /* client by default */
+ word16 haveRSA = 1;
+ word16 havePSK = 0;
+
+ if (ssl->options.side == WOLFSSL_SERVER_END) {
+ ssl->options.side = WOLFSSL_CLIENT_END;
+
+ #ifdef NO_RSA
+ haveRSA = 0;
+ #endif
+ #ifndef NO_PSK
+ havePSK = ssl->options.havePSK;
+ #endif
+ InitSuites(ssl->suites, ssl->version, haveRSA, havePSK,
+ ssl->options.haveDH, ssl->options.haveNTRU,
+ ssl->options.haveECDSAsig, ssl->options.haveECC,
+ ssl->options.haveStaticECC, ssl->options.side);
+ }
 }
 #endif
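Review bot: `wolfSSL_set_connect_state()` now dereferences `ssl` in its first statement (`ssl->options.side`), whereas the old body was just `(void)ssl;` and tolerated a NULL argument; a guard such as `if (ssl == NULL) return;` ahead of the side check would keep the previous contract for this public entry point. The server-to-client switch also only flips `options.side` and rebuilds the suite list via `InitSuites`. The hunk shows no check that a handshake has not already started and no reset of other role-dependent state, so calling it on a connection in progress may leave the object inconsistent. Either add a state check or document in a comment that the function must be called before the handshake begins.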