diff --git a/certs/crl/crl.der b/certs/crl/crl.der new file mode 100644 index 000000000..f8726dd52 Binary files /dev/null and b/certs/crl/crl.der differ diff --git a/certs/crl/crl2.der b/certs/crl/crl2.der new file mode 100644 index 000000000..f8726dd52 Binary files /dev/null and b/certs/crl/crl2.der differ diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh index 7cf4bf6e4..4f2e22ad0 100755 --- a/certs/crl/gencrls.sh +++ b/certs/crl/gencrls.sh @@ -177,4 +177,9 @@ echo "Step 22" openssl ca -config ./wolfssl.cnf -gencrl -crldays 1000 -out caEcc384Crl.pem -keyfile ../ca-ecc384-key.pem -cert ../ca-ecc384-cert.pem check_result $? +# create crl and crl2 der files for unit test +echo "Step 23" +openssl crl -in crl.pem -inform PEM -out crl.der -outform DER +openssl crl -in crl2.pem -inform PEM -out crl2.der -outform DER + exit 0 diff --git a/certs/crl/include.am b/certs/crl/include.am index c5da8de99..6d6d9b2c6 100644 --- a/certs/crl/include.am +++ b/certs/crl/include.am @@ -10,7 +10,9 @@ EXTRA_DIST += \ certs/crl/crl2.pem \ certs/crl/caEccCrl.pem \ certs/crl/caEcc384Crl.pem \ - certs/crl/wolfssl.cnf + certs/crl/wolfssl.cnf \ + certs/crl/crl.der \ + certs/crl/crl2.der EXTRA_DIST += \ certs/crl/crl.revoked diff --git a/configure.ac b/configure.ac index 507fe147d..08414bb7d 100644 --- a/configure.ac +++ b/configure.ac @@ -5625,7 +5625,7 @@ AC_ARG_ENABLE([oldnames], if test "x$ENABLED_OLDNAMES" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" then AM_CFLAGS="$AM_CFLAGS -DNO_OLD_RNGNAME -DNO_OLD_WC_NAMES -DNO_OLD_SSL_NAMES" - AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA_NAMES" + AM_CFLAGS="$AM_CFLAGS -DNO_OLD_SHA_NAMES -DNO_OLD_MD5_NAME" fi diff --git a/examples/client/client.c b/examples/client/client.c index 79aece83e..729aacdee 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -466,6 +466,9 @@ static int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, do { err = 0; /* reset error */ ret = wolfSSL_connect(ssl); +#ifdef WOLFSSL_EARLY_DATA + EarlyDataStatus(ssl); +#endif if (ret != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(ssl, 0); #ifdef WOLFSSL_ASYNC_CRYPT diff --git a/examples/server/server.c b/examples/server/server.c index 05b6f2f54..00e17e80e 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -2501,6 +2501,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) do { err = 0; /* reset error */ ret = SSL_accept(ssl); +#ifdef WOLFSSL_EARLY_DATA + EarlyDataStatus(ssl); +#endif if (ret != WOLFSSL_SUCCESS) { err = SSL_get_error(ssl, 0); #ifdef WOLFSSL_ASYNC_CRYPT diff --git a/scripts/tls13.test b/scripts/tls13.test index 7f4c927d3..70f007265 100755 --- a/scripts/tls13.test +++ b/scripts/tls13.test @@ -257,7 +257,7 @@ if [ "$early_data" = "yes" ]; then grep 'Session Ticket' $client_out_file session_ticket=$? early_data_cnt=`grep 'Early Data' $server_out_file | wc -l` - if [ $session_ticket -eq 0 -a $early_data_cnt -ne 2 ]; then + if [ $session_ticket -eq 0 -a $early_data_cnt -ne 4 ]; then RESULT=1 fi if [ $RESULT -ne 0 ]; then @@ -280,11 +280,11 @@ if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then RESULT=$? remove_ready_file early_data_cnt=`grep 'Early Data' $server_out_file | wc -l` - if [ $early_data_cnt -ne 2 -a $early_data_cnt -ne 4 ]; then + if [ $early_data_cnt -ne 3 -a $early_data_cnt -ne 4 ]; then RESULT=1 fi if [ $RESULT -ne 0 ]; then - echo -e "\n\nIssue with TLS v1.3 Early Data - session ticket" + echo -e "\n\nIssue with TLS v1.3 Early Data - PSK" do_cleanup exit 1 fi diff --git a/src/internal.c b/src/internal.c index 79ec90351..20df4f998 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1800,6 +1800,15 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) #ifdef OPENSSL_EXTRA /* setup WOLFSSL_X509_STORE */ ctx->x509_store.cm = ctx->cm; + + /* WOLFSSL_X509_VERIFY_PARAM */ + if ((ctx->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + heap, DYNAMIC_TYPE_OPENSSL)) == NULL) { + WOLFSSL_MSG("ctx->param memory error"); + return MEMORY_E; + } + XMEMSET(ctx->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); #endif #endif @@ -1948,6 +1957,9 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) XFREE((void *)ctx->alpn_cli_protos, NULL, DYNAMIC_TYPE_OPENSSL); ctx->alpn_cli_protos = NULL; } + if (ctx->param) { + XFREE(ctx->param, ctx->heap, DYNAMIC_TYPE_OPENSSL); + } #endif #ifdef WOLFSSL_STATIC_EPHEMERAL #ifndef NO_DH @@ -18915,6 +18927,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case NO_CERT_ERROR: return "TLS1.3 No Certificate Set Error"; + case TOO_MUCH_EARLY_DATA: + return "Too much early data"; + default : return "unknown error number"; } diff --git a/src/ssl.c b/src/ssl.c index c483d36b3..7ca132336 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2272,7 +2272,7 @@ int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl) #ifdef WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST /* The following is a non-standard way to reconfigure the max packet size - post-handshake for wolfSSL_write/woflSSL_read */ + post-handshake for wolfSSL_write/wolfSSL_read */ if (ssl->options.handShakeState == HANDSHAKE_DONE) { switch (mfl) { case WOLFSSL_MFL_2_8 : ssl->max_fragment = 256; break; @@ -16832,6 +16832,31 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + /* Apply MD5 transformation to the data */ + int wolfSSL_MD5_Transform(WOLFSSL_MD5_CTX* md5, const unsigned char* data) + { + int ret; + + WOLFSSL_ENTER("MD5_Transform"); + + /* sanity check */ + if (md5 == NULL || data == NULL) { + return 0; + } + #if defined(BIG_ENDIAN_ORDER) + { + ByteReverseWords((word32*)data, (word32*)data, WC_MD5_BLOCK_SIZE); + } + #endif + + ret = wc_Md5Transform((wc_Md5*)md5, data); + + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + else + return 0; + } #endif /* !NO_MD5 */ @@ -16884,7 +16909,36 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + #if defined(OPENSSL_EXTRA) + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA1 transformation to the data */ + int wolfSSL_SHA_Transform(WOLFSSL_SHA_CTX* sha, + const unsigned char* data) + { + int ret; + + WOLFSSL_ENTER("SHA_Transform"); + /* sanity check */ + if (sha == NULL || data == NULL) { + return 0; + } + #if defined(LITTLE_ENDIAN_ORDER) + { + ByteReverseWords((word32*)data, (word32*)data, WC_SHA_BLOCK_SIZE); + } + #endif + ret = wc_ShaTransform((wc_Sha*)sha, data); + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + else + return 0; + } + #endif + #endif + int wolfSSL_SHA1_Init(WOLFSSL_SHA_CTX* sha) { WOLFSSL_ENTER("SHA1_Init"); @@ -16905,6 +16959,18 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, WOLFSSL_ENTER("SHA1_Final"); return SHA_Final(input, sha); } + #if defined(OPENSSL_EXTRA) + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA1 transformation to the data */ + int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX* sha, + const unsigned char* data) + { + WOLFSSL_ENTER("SHA1_Transform"); + return (wolfSSL_SHA_Transform(sha, data)); + } + #endif + #endif #endif /* !NO_SHA */ #ifdef WOLFSSL_SHA224 @@ -17007,8 +17073,37 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + + #if defined(OPENSSL_EXTRA) + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA256 transformation to the data */ + int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX* sha256, + const unsigned char* data) + { + int ret; + + WOLFSSL_ENTER("SHA256_Transform"); + /* sanity check */ + if (sha256 == NULL || data == NULL) { + return 0; + } + #if defined(LITTLE_ENDIAN_ORDER) + { + ByteReverseWords((word32*)data, (word32*)data, WC_SHA256_BLOCK_SIZE); + } + #endif + ret = wc_Sha256Transform((wc_Sha256*)sha256, data); - + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + else + return 0; + } + #endif + #endif + #ifdef WOLFSSL_SHA384 int wolfSSL_SHA384_Init(WOLFSSL_SHA384_CTX* sha) @@ -17112,6 +17207,30 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, return 0; } + #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + /* Apply SHA512 transformation to the data */ + int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX* sha512, + const unsigned char* data) + { + int ret = WOLFSSL_SUCCESS; + + WOLFSSL_ENTER("SHA512_Transform"); + /* sanity check */ + if (sha512 == NULL || data == NULL) { + return 0; + } + + ret = wc_Sha512Transform((wc_Sha512*)sha512, data); + + /* return 1 on success, 0 otherwise */ + if (ret == 0) + return 1; + else + return 0; + } + #endif /* !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \ + (HAVE_FIPS_VERSION > 2)) */ #endif /* WOLFSSL_SHA512 */ #ifdef WOLFSSL_SHA3 @@ -21592,7 +21711,7 @@ WOLFSSL_SESSION* wolfSSL_SESSION_new(void) } /* add one to session reference count - * return WOFLSSL_SUCCESS on success and WOLFSSL_FAILURE on error */ + * return WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on error */ int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session) { if (session == NULL) @@ -25980,12 +26099,106 @@ WOLFSSL_X509 *wolfSSL_d2i_X509_fp(XFILE fp, WOLFSSL_X509 **x509) #ifdef HAVE_CRL + +#ifndef NO_BIO +WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_bio(WOLFSSL_BIO *bp, + WOLFSSL_X509_CRL **x) +{ + int derSz; + byte* der = NULL; + WOLFSSL_X509_CRL* crl = NULL; + + if (bp == NULL) + return NULL; + + if ((derSz = wolfSSL_BIO_get_len(bp)) > 0) { + der = (byte*)XMALLOC(derSz, 0, DYNAMIC_TYPE_DER); + if (der != NULL) { + if (wolfSSL_BIO_read(bp, der, derSz) == derSz) { + crl = wolfSSL_d2i_X509_CRL(x, der, derSz); + } + } + } + + if (der != NULL) { + XFREE(der, 0, DYNAMIC_TYPE_DER); + } + + return crl; +} +#endif + #ifndef NO_FILESYSTEM WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE fp, WOLFSSL_X509_CRL **crl) { WOLFSSL_ENTER("wolfSSL_d2i_X509_CRL_fp"); return (WOLFSSL_X509_CRL *)wolfSSL_d2i_X509_fp_ex(fp, (void **)crl, CRL_TYPE); } + +/* Read CRL file, and add it to store and corresponding cert manager */ +/* @param ctx a pointer of X509_LOOKUP back to the X509_STORE */ +/* @param file a file to read */ +/* @param type WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1 */ +/* @return WOLFSSL_SUCCESS(1) on successful, othewise WOLFSSL_FAILURE(0)*/ +WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, + const char *file, int type) +{ + int ret = WOLFSSL_FAILURE; + int count = 0; + WOLFSSL_BIO *bio = NULL; + WOLFSSL_X509_CRL *crl =NULL; + + WOLFSSL_ENTER("wolfSSL_X509_load_crl_file"); + + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); + + if ((bio == NULL) || (wolfSSL_BIO_read_filename(bio, file) <= 0)) { + return ret; + } + + if (type == WOLFSSL_FILETYPE_PEM) { + do { + crl = wolfSSL_PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); + if (crl == NULL) { + if (count <= 0) { + WOLFSSL_MSG("Load crl failed"); + } + break; + } + + ret = wolfSSL_X509_STORE_add_crl(ctx->store, crl); + if (ret == WOLFSSL_FAILURE) { + WOLFSSL_MSG("Adding crl failed"); + break; + } + count++; + wolfSSL_X509_CRL_free(crl); + crl = NULL; + } while(crl == NULL); + + ret = count; + } else if (type == WOLFSSL_FILETYPE_ASN1) { + crl = wolfSSL_d2i_X509_CRL_bio(bio, NULL); + if (crl == NULL) { + WOLFSSL_MSG("Load crl failed"); + } else { + ret = wolfSSL_X509_STORE_add_crl(ctx->store, crl); + if (ret == WOLFSSL_FAILURE) { + WOLFSSL_MSG("Adding crl failed"); + } else { + ret = 1;/* handled a file */ + } + } + } else { + WOLFSSL_MSG("Invalid file type"); + } + + wolfSSL_X509_CRL_free(crl); + wolfSSL_BIO_free(bio); + + WOLFSSL_LEAVE("wolfSSL_X509_load_crl_file", ret); + return ret; +} #endif /* !NO_FILESYSTEM */ @@ -26195,6 +26408,69 @@ int wolfSSL_X509_VERIFY_PARAM_clear_flags(WOLFSSL_X509_VERIFY_PARAM *param, } +/* inherits properties of param "to" to param "from" +* +* WOLFSSL_VPARAM_DEFAULT any values in "src" is copied +* if "src" value is new for "to". +* WOLFSSL_VPARAM_OVERWRITE all values of "form" are copied to "to" +* WOLFSSL_VPARAM_RESET_FLAGS the flag values are copied, not Ored +* WOLFSSL_VPARAM_LOCKED don't copy any values +* WOLFSSL_VPARAM_ONCE the current inherit_flags is zerroed +*/ +static int wolfSSL_X509_VERIFY_PARAM_inherit(WOLFSSL_X509_VERIFY_PARAM *to, + const WOLFSSL_X509_VERIFY_PARAM *from) +{ + int ret = WOLFSSL_FAILURE; + int isOverWrite = 0; + int isDefault = 0; + unsigned int flags; + + /* sanity check */ + if (!to || !from) { + /* be compatible to openssl return value */ + return WOLFSSL_SUCCESS; + } + flags = to->inherit_flags | from->inherit_flags; + + if (flags & WOLFSSL_VPARAM_LOCKED) { + return WOLFSSL_SUCCESS; + } + + if (flags & WOLFSSL_VPARAM_ONCE) { + to->inherit_flags = 0; + } + + isOverWrite = (flags & WOLFSSL_VPARAM_OVERWRITE); + isDefault = (flags & WOLFSSL_VPARAM_DEFAULT); + + /* copy check_time if check time is not set */ + if ((to->flags & WOLFSSL_USE_CHECK_TIME) == 0 || isOverWrite) { + to->check_time = from->check_time; + to->flags &= ~WOLFSSL_USE_CHECK_TIME; + } + /* host name */ + if (isOverWrite || + (from->hostName[0] != 0 && (to->hostName[0] == 0 || isDefault))) { + if (!(ret = wolfSSL_X509_VERIFY_PARAM_set1_host(to, from->hostName, + (int)XSTRLEN(from->hostName)))) + return ret; + to->hostFlags = from->hostFlags; + } + /* ip ascii */ + if (isOverWrite || + (from->ipasc[0] != 0 && (to->ipasc[0] == 0 || isDefault))) { + + if (!(ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(to, from->ipasc))) + return ret; + } + + if (flags & WOLFSSL_VPARAM_RESET_FLAGS) + to->flags = 0; + + to->flags |= from->flags; + + return ret; +} /****************************************************************************** * wolfSSL_X509_VERIFY_PARAM_set1_host - sets the DNS hostname to name * hostnames is cleared if name is NULL or empty. @@ -26236,12 +26512,32 @@ int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, return WOLFSSL_SUCCESS; } /****************************************************************************** -* wolfSSL_get0_param - return a pointer to the SSL verification parameters +* wolfSSL_CTX_set1_param - set a pointer to the SSL verification parameters +* +* RETURNS: +* WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE +*/ +int wolfSSL_CTX_set1_param(WOLFSSL_CTX* ctx, WOLFSSL_X509_VERIFY_PARAM *vpm) +{ + return wolfSSL_X509_VERIFY_PARAM_set1(ctx->param, vpm); +} + +/****************************************************************************** +* wolfSSL_CTX/_get0_param - return a pointer to the SSL verification parameters * * RETURNS: * returns pointer to the SSL verification parameters on success, * otherwise returns NULL */ +WOLFSSL_X509_VERIFY_PARAM* wolfSSL_CTX_get0_param(WOLFSSL_CTX* ctx) +{ + if (ctx == NULL) { + return NULL; + } + + return ctx->param; +} + WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl) { if (ssl == NULL) { @@ -26250,6 +26546,32 @@ WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl) return ssl->param; } +/* Set VERIFY PARAM from "from" pointer to "to" pointer */ +int wolfSSL_X509_VERIFY_PARAM_set1(WOLFSSL_X509_VERIFY_PARAM *to, + const WOLFSSL_X509_VERIFY_PARAM *from) +{ + int ret = WOLFSSL_FAILURE; + unsigned int _inherit_flags; + + if (!to) { + return ret; + } + /* keeps the inherit flags for save */ + _inherit_flags = to->inherit_flags; + + /* Ored DEFAULT inherit flag proerty to copy "from" contents to "to" + * contents + */ + to->inherit_flags |= WOLFSSL_VPARAM_DEFAULT; + + ret = wolfSSL_X509_VERIFY_PARAM_inherit(to, from); + + /* restore inherit flag */ + to->inherit_flags = _inherit_flags; + + return ret; +} + /* Set the host flag in the X509_VERIFY_PARAM structure */ void wolfSSL_X509_VERIFY_PARAM_set_hostflags(WOLFSSL_X509_VERIFY_PARAM* param, unsigned int flags) @@ -42737,6 +43059,53 @@ err: } #endif /* ! NO_SHA */ +#ifdef WOLFSSL_SHA224 + /* One shot SHA224 hash of message. + * + * d message to hash + * n size of d buffer + * md buffer to hold digest. Should be WC_SHA224_DIGEST_SIZE. + * + * Note: if md is null then a static buffer of WC_SHA256_DIGEST_SIZE is used. + * When the static buffer is used this function is not thread safe. + * + * Returns a pointer to the message digest on success and NULL on failure. + */ + unsigned char *wolfSSL_SHA224(const unsigned char *d, size_t n, + unsigned char *md) + { + static byte dig[WC_SHA224_DIGEST_SIZE]; + byte* ret = md; + wc_Sha256 sha; + + WOLFSSL_ENTER("wolfSSL_SHA224"); + + if (wc_InitSha224_ex(&sha, NULL, 0) != 0) { + WOLFSSL_MSG("SHA224 Init failed"); + return NULL; + } + + if (wc_Sha224Update(&sha, (const byte*)d, (word32)n) != 0) { + WOLFSSL_MSG("SHA224 Update failed"); + return NULL; + } + + if (md == NULL) { + WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA224 IS NOT " + "THREAD SAFE WHEN md == NULL"); + ret = dig; + } + if (wc_Sha224Final(&sha, ret) != 0) { + WOLFSSL_MSG("SHA224 Final failed"); + wc_Sha224Free(&sha); + return NULL; + } + wc_Sha224Free(&sha); + + return ret; + } +#endif + #ifndef NO_SHA256 /* One shot SHA256 hash of message. * diff --git a/src/tls.c b/src/tls.c index 0df44fc9b..33e0fbaf6 100644 --- a/src/tls.c +++ b/src/tls.c @@ -9107,9 +9107,17 @@ static int TLSX_EarlyData_Parse(WOLFSSL* ssl, byte* input, word16 length, if (length != 0) return BUFFER_E; - if (ssl->earlyData == expecting_early_data) + if (ssl->earlyData == expecting_early_data) { + + if (ssl->options.maxEarlyDataSz != 0) + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; + else + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; + return TLSX_EarlyData_Use(ssl, 0); + } ssl->earlyData = early_data_ext; + return 0; } if (msgType == encrypted_extensions) { @@ -9122,6 +9130,11 @@ static int TLSX_EarlyData_Parse(WOLFSSL* ssl, byte* input, word16 length, if (ssl->options.pskIdIndex != 1) return PSK_KEY_ERROR; + if (ssl->options.side == WOLFSSL_CLIENT_END) { + /* the extension from server comes in */ + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; + } + return TLSX_EarlyData_Use(ssl, 1); } if (msgType == session_ticket) { diff --git a/src/tls13.c b/src/tls13.c index 83e78a7ab..16b449f91 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -8656,11 +8656,25 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) ret = wolfSSL_connect_TLSv13(ssl); if (ret != WOLFSSL_SUCCESS) return WOLFSSL_FATAL_ERROR; + /* on client side, status is set to rejected */ + /* until sever accepts the early data extension. */ + ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; } if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) { +#ifdef OPENSSL_EXTRA + /* when processed early data exceeds max size */ + if (ssl->session.maxEarlyDataSz > 0 && + (ssl->earlyDataSz + sz > ssl->session.maxEarlyDataSz)) { + ssl->error = TOO_MUCH_EARLY_DATA; + return WOLFSSL_FATAL_ERROR; + } +#endif ret = SendData(ssl, data, sz); - if (ret > 0) + if (ret > 0) { *outSz = ret; + /* store amount of processed early data from client */ + ssl->earlyDataSz += ret; + } } #else return SIDE_ERROR; @@ -8724,6 +8738,21 @@ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) ret = WOLFSSL_FATAL_ERROR; return ret; } + +/* Returns early data status + * + * ssl The SSL/TLS object. + * returns WOLFSSL_EARLY_DATA_ACCEPTED if the data was accepted + * WOLFSSL_EARLY_DATA_REJECTED if the data was rejected + * WOLFSSL_EARLY_DATA_NOT_SENT if no early data was sent + */ +int wolfSSL_get_early_data_status(const WOLFSSL* ssl) +{ + if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) + return BAD_FUNC_ARG; + + return ssl->earlyDataStatus; +} #endif #ifdef HAVE_SECRET_CALLBACK diff --git a/tests/api.c b/tests/api.c index 63e329fb0..1aaa4911e 100644 --- a/tests/api.c +++ b/tests/api.c @@ -28045,6 +28045,51 @@ static void test_wolfSSL_X509_STORE_CTX_set_time(void) #endif /* OPENSSL_EXTRA */ } +static void test_wolfSSL_CTX_get0_set1_param(void) +{ +#if defined(OPENSSL_EXTRA) + int ret; + SSL_CTX* ctx; + WOLFSSL_X509_VERIFY_PARAM* pParam; + WOLFSSL_X509_VERIFY_PARAM* pvpm; + char testIPv4[] = "127.0.0.1"; + char testhostName[] = "foo.hoge.com"; + + printf(testingFmt, "wolfSSL_CTX_get0_set1_param()"); + + #ifndef NO_WOLFSSL_SERVER + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + #else + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); + #endif + + AssertNotNull(pParam = SSL_CTX_get0_param(ctx)); + + pvpm = (WOLFSSL_X509_VERIFY_PARAM *)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), NULL, DYNAMIC_TYPE_OPENSSL); + AssertNotNull(pvpm); + XMEMSET(pvpm, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + + wolfSSL_X509_VERIFY_PARAM_set1_host(pvpm, testhostName, + (int)XSTRLEN(testhostName)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(pvpm, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(pvpm, 0x01); + + ret = SSL_CTX_set1_param(ctx, pvpm); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(pParam->hostName, testhostName, + (int)XSTRLEN(testhostName))); + AssertIntEQ(0x01, pParam->hostFlags); + AssertIntEQ(0, XSTRNCMP(pParam->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + + SSL_CTX_free(ctx); + + XFREE(pvpm, NULL, DYNAMIC_TYPE_OPENSSL); + + printf(resultFmt, passed); +#endif /* OPENSSL_EXTRA && !defined(NO_RSA)*/ +} + static void test_wolfSSL_get0_param(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) @@ -29903,50 +29948,128 @@ static void test_wolfSSL_X509_ALGOR_get0(void) static void test_wolfSSL_X509_VERIFY_PARAM(void) { #if defined(OPENSSL_EXTRA) - WOLFSSL_X509_VERIFY_PARAM *param; + WOLFSSL_X509_VERIFY_PARAM *paramTo; + WOLFSSL_X509_VERIFY_PARAM *paramFrom; int ret; char testIPv4[] = "127.0.0.1"; char testIPv6[] = "0001:0000:0000:0000:0000:0000:0000:0000/32"; - + char testhostName1[] = "foo.hoge.com"; + char testhostName2[] = "foobar.hoge.com"; + printf(testingFmt, "wolfSSL_X509()"); - param = wolfSSL_X509_VERIFY_PARAM_new(); - AssertNotNull(param); + paramTo = wolfSSL_X509_VERIFY_PARAM_new(); + AssertNotNull(paramTo); + XMEMSET(paramTo, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM )); - XMEMSET(param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM )); + paramFrom = wolfSSL_X509_VERIFY_PARAM_new(); + AssertNotNull(paramFrom); + XMEMSET(paramFrom, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM )); + ret = wolfSSL_X509_VERIFY_PARAM_set1_host(paramFrom, testhostName1, + (int)XSTRLEN(testhostName1)); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramFrom->hostName, testhostName1, + (int)XSTRLEN(testhostName1))); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(NULL, 0x00); - wolfSSL_X509_VERIFY_PARAM_set_hostflags(param, 0x01); - AssertIntEQ(0x01, param->hostFlags); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramFrom, 0x01); + AssertIntEQ(0x01, paramFrom->hostFlags); ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(NULL, testIPv4); AssertIntEQ(0, ret); - ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, testIPv4); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv4); AssertIntEQ(1, ret); - AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + AssertIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); - ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, NULL); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramFrom, NULL); AssertIntEQ(1, ret); - ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, testIPv6); + ret = wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramFrom, testIPv6); AssertIntEQ(1, ret); - AssertIntEQ(0, XSTRNCMP(param->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + AssertIntEQ(0, XSTRNCMP(paramFrom->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); - ret = wolfSSL_X509_VERIFY_PARAM_set_flags(param, WOLFSSL_CRL_CHECKALL); + /* null pointer */ + ret = wolfSSL_X509_VERIFY_PARAM_set1(NULL, paramFrom); + AssertIntEQ(WOLFSSL_FAILURE, ret); + /* in the case of "from" null, returns success */ + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, NULL); + AssertIntEQ(WOLFSSL_SUCCESS, ret); + + ret = wolfSSL_X509_VERIFY_PARAM_set1(NULL, NULL); + AssertIntEQ(WOLFSSL_FAILURE, ret); + + /* inherit flags test : VPARAM_DEFAULT */ + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, + (int)XSTRLEN(testhostName1))); + AssertIntEQ(0x01, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM OVERWRITE */ + wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, + (int)XSTRLEN(testhostName2)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00); + + paramTo->inherit_flags = WOLFSSL_VPARAM_OVERWRITE; + + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, + (int)XSTRLEN(testhostName1))); + AssertIntEQ(0x01, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM_RESET_FLAGS */ + wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, + (int)XSTRLEN(testhostName2)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x10); + + paramTo->inherit_flags = WOLFSSL_VPARAM_RESET_FLAGS; + + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName1, + (int)XSTRLEN(testhostName1))); + AssertIntEQ(0x01, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv6, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM_LOCKED */ + wolfSSL_X509_VERIFY_PARAM_set1_host(paramTo, testhostName2, + (int)XSTRLEN(testhostName2)); + wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(paramTo, testIPv4); + wolfSSL_X509_VERIFY_PARAM_set_hostflags(paramTo, 0x00); + + paramTo->inherit_flags = WOLFSSL_VPARAM_LOCKED; + + ret = wolfSSL_X509_VERIFY_PARAM_set1(paramTo, paramFrom); + AssertIntEQ(1, ret); + AssertIntEQ(0, XSTRNCMP(paramTo->hostName, testhostName2, + (int)XSTRLEN(testhostName2))); + AssertIntEQ(0x00, paramTo->hostFlags); + AssertIntEQ(0, XSTRNCMP(paramTo->ipasc, testIPv4, WOLFSSL_MAX_IPSTR)); + + /* inherit flags test : VPARAM_ONCE, not testable yet */ + + ret = wolfSSL_X509_VERIFY_PARAM_set_flags(paramTo, WOLFSSL_CRL_CHECKALL); AssertIntEQ(1, ret); - ret = wolfSSL_X509_VERIFY_PARAM_get_flags(param); + ret = wolfSSL_X509_VERIFY_PARAM_get_flags(paramTo); AssertIntEQ(WOLFSSL_CRL_CHECKALL, ret); - ret = wolfSSL_X509_VERIFY_PARAM_clear_flags(param, WOLFSSL_CRL_CHECKALL); + ret = wolfSSL_X509_VERIFY_PARAM_clear_flags(paramTo, WOLFSSL_CRL_CHECKALL); AssertIntEQ(1, ret); - ret = wolfSSL_X509_VERIFY_PARAM_get_flags(param); + ret = wolfSSL_X509_VERIFY_PARAM_get_flags(paramTo); AssertIntEQ(0, ret); - wolfSSL_X509_VERIFY_PARAM_free(param); + wolfSSL_X509_VERIFY_PARAM_free(paramTo); + wolfSSL_X509_VERIFY_PARAM_free(paramFrom); printf(resultFmt, passed); @@ -32662,7 +32785,7 @@ static void test_wolfSSL_SHA(void) #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) printf(testingFmt, "wolfSSL_SHA()"); - #if !defined(NO_SHA) + #if !defined(NO_SHA) && defined(NO_OLD_SHA_NAMES) { const unsigned char in[] = "abc"; unsigned char expected[] = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E" @@ -32672,6 +32795,11 @@ static void test_wolfSSL_SHA(void) XMEMSET(out, 0, WC_SHA_DIGEST_SIZE); AssertNotNull(SHA1(in, XSTRLEN((char*)in), out)); AssertIntEQ(XMEMCMP(out, expected, WC_SHA_DIGEST_SIZE), 0); + + /* SHA interface test */ + XMEMSET(out, 0, WC_SHA_DIGEST_SIZE); + AssertNotNull(SHA(in, XSTRLEN((char*)in), out)); + AssertIntEQ(XMEMCMP(out, expected, WC_SHA_DIGEST_SIZE), 0); } #endif @@ -32881,6 +33009,229 @@ static void test_wolfSSL_AES_ecb_encrypt(void) #endif } +static void test_wolfSSL_MD5(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_MD5) + byte input1[] = ""; + byte input2[] = "message digest"; + byte hash[WC_MD5_DIGEST_SIZE]; + unsigned char output1[] = + "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04\xe9\x80\x09\x98\xec\xf8\x42\x7e"; + unsigned char output2[] = + "\xf9\x6b\x69\x7d\x7c\xb7\x93\x8d\x52\x5a\x2f\x31\xaa\xf1\x61\xd0"; + WOLFSSL_MD5_CTX md5; + + printf(testingFmt, "wolfSSL_MD5()"); + + XMEMSET(&md5, 0, sizeof(md5)); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + AssertIntEQ(wolfSSL_MD5_Update(&md5, input1, + XSTRLEN((const char*)&input1)), 1); + AssertIntEQ(wolfSSL_MD5_Final(hash, &md5), 1); + AssertIntEQ(XMEMCMP(&hash, output1, WC_MD5_DIGEST_SIZE), 0); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + AssertIntEQ(wolfSSL_MD5_Update(&md5, input2, + (int)XSTRLEN((const char*)input2)), 1); + AssertIntEQ(wolfSSL_MD5_Final(hash, &md5), 1); + AssertIntEQ(XMEMCMP(&hash, output2, WC_MD5_DIGEST_SIZE), 0); +#if !defined(NO_OLD_NAMES) && \ + (!defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2))) + AssertIntEQ(MD5(input1, (int)XSTRLEN((const char*)&input1), (byte*)&hash), 0); + AssertIntEQ(XMEMCMP(&hash, output1, WC_MD5_DIGEST_SIZE), 0); + + AssertIntEQ(MD5(input2, (int)XSTRLEN((const char*)&input2), (byte*)&hash), 0); + AssertIntEQ(XMEMCMP(&hash, output2, WC_MD5_DIGEST_SIZE), 0); +#endif + + printf(resultFmt, passed); +#endif +} + +static void test_wolfSSL_MD5_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_MD5) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_MD5_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xac\x1d\x1f\x03\xd0\x8e\xa5\x6e\xb7\x67\xab\x1f\x91\x77\x31\x74"; + unsigned char output2[] = + "\x8d\x79\xd3\xef\x90\x25\x17\x67\xc7\x79\x13\xa4\xbc\x7b\xa7\xe3"; + + WOLFSSL_MD5_CTX md5; + + printf(testingFmt, "wolfSSL_MD5_Transform()"); + + XMEMSET(&md5, 0, sizeof(md5)); + XMEMSET(&local, 0, sizeof(local)); + + /* sanity check */ + AssertIntEQ(wolfSSL_MD5_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_MD5_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_MD5_Transform(&md5, NULL), 0); + AssertIntEQ(wc_Md5Transform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_Md5Transform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_Md5Transform((wc_Md5*)&md5, NULL), BAD_FUNC_ARG); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + /* Do Transform*/ + sLen = (word32)XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_MD5_Transform(&md5, (const byte*)&local[0]), 1); + + AssertIntEQ(XMEMCMP(&((wc_Md5*)&md5)->digest[0], output1, + WC_MD5_DIGEST_SIZE), 0); + + /* Init MD5 CTX */ + AssertIntEQ(wolfSSL_MD5_Init(&md5), 1); + sLen = (word32)XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_MD5_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_MD5_Transform(&md5, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Md5*)&md5)->digest[0], output2, + WC_MD5_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +} + +static void test_wolfSSL_SHA224(void) +{ +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA224) && \ + !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) + unsigned char input[] = + "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"; + unsigned char output[] = + "\x75\x38\x8b\x16\x51\x27\x76\xcc\x5d\xba\x5d\xa1\xfd\x89\x01" + "\x50\xb0\xc6\x45\x5c\xb4\xf5\x8b\x19\x52\x52\x25\x25"; + size_t inLen; + byte hash[WC_SHA224_DIGEST_SIZE]; + + printf(testingFmt, "wolfSSL_SHA224()"); + inLen = XSTRLEN((char*)input); + + XMEMSET(hash, 0, WC_SHA224_DIGEST_SIZE); + AssertNotNull(SHA224(input, inLen, hash)); + AssertIntEQ(XMEMCMP(hash, output, WC_SHA224_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +} +static void test_wolfSSL_SHA_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA) +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_SHA_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xe5\x04\xb4\x92\xed\x8c\x58\x56\x4e\xcd\x1a\x6c\x68\x3f\x05\xbf" + "\x93\x3a\xf7\x09"; + unsigned char output2[] = + "\x8b\x74\xb2\x97\xca\xbc\x5b\x4f\xea\xe6\xc0\x5b\xa0\xb4\x40\x2d" + "\xb8\x08\x6e\x7c"; + + WOLFSSL_SHA_CTX sha; + + printf(testingFmt, "wolfSSL_SHA_Transform()"); + + XMEMSET(&sha, 0, sizeof(sha)); + XMEMSET(&local, 0, sizeof(local)); + + /* sanity check */ + AssertIntEQ(wolfSSL_SHA_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_SHA_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_SHA_Transform(&sha, NULL), 0); + AssertIntEQ(wc_ShaTransform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_ShaTransform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_ShaTransform((wc_Sha*)&sha, NULL), BAD_FUNC_ARG); + + /* Init SHA CTX */ + AssertIntEQ(wolfSSL_SHA_Init(&sha), 1); + /* Do Transform*/ + sLen = (word32)XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_SHA_Transform(&sha, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output1, + WC_SHA_DIGEST_SIZE), 0); + + /* Init SHA256 CTX */ + AssertIntEQ(wolfSSL_SHA_Init(&sha), 1); + sLen = (word32)XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_SHA_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_SHA_Transform(&sha, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha*)&sha)->digest[0], output2, + WC_SHA_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +#endif +} + +static void test_wolfSSL_SHA256_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_SHA256_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xbe\x98\x56\xda\x69\xb4\xb9\x17\x99\x57\x33\x62\xca\xbe\x9f\x77" + "\x91\xd4\xe5\x8c\x43\x62\xd2\xc0\xea\xf9\xfe\xba\xd8\xa9\x37\x18"; + unsigned char output2[] = + "\x67\xd4\x4e\x1d\x67\x61\x7c\x67\x26\x76\x10\x44\xb8\xff\x10\x78" + "\x39\x9a\xc8\x40\x8c\x60\x16\x73\x05\xd6\x61\xa6\x35\x8c\xf2\x91"; + + WOLFSSL_SHA256_CTX sha256; + + printf(testingFmt, "wolfSSL_SHA256_Transform()"); + + XMEMSET(&sha256, 0, sizeof(sha256)); + XMEMSET(&local, 0, sizeof(local)); + + /* sanity check */ + AssertIntEQ(wolfSSL_SHA256_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_SHA256_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, NULL), 0); + AssertIntEQ(wc_Sha256Transform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha256Transform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha256Transform((wc_Sha256*)&sha256, NULL), BAD_FUNC_ARG); + + /* Init SHA256 CTX */ + AssertIntEQ(wolfSSL_SHA256_Init(&sha256), 1); + /* Do Transform*/ + sLen = (word32)XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output1, + WC_SHA256_DIGEST_SIZE), 0); + + /* Init SHA256 CTX */ + AssertIntEQ(wolfSSL_SHA256_Init(&sha256), 1); + sLen = (word32)XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_SHA256_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_SHA256_Transform(&sha256, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha256*)&sha256)->digest[0], output2, + WC_SHA256_DIGEST_SIZE), 0); + + printf(resultFmt, passed); +#endif +#endif +} + static void test_wolfSSL_SHA256(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && \ @@ -32905,6 +33256,65 @@ static void test_wolfSSL_SHA256(void) #endif } +static void test_wolfSSL_SHA512_Transform(void) +{ +#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_SHA512) +#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + byte input1[] = ""; + byte input2[] = "abc"; + byte local[WC_SHA512_BLOCK_SIZE]; + word32 sLen = 0; + unsigned char output1[] = + "\xe8\xcb\x4a\x77\xd5\x81\x78\xcf\x70\x80\xc7\xfb\xe0\x62\x33\x53" + "\xda\x0e\x46\x87\x9d\x63\x67\x02\xb0\x31\x59\xe8\x40\xcb\x86\x30" + "\xa3\x23\xa0\x88\x52\xc9\x7d\x71\xe0\xb5\xe0\x4c\xc1\xb2\xba\x96" + "\x0b\x3e\xe3\xea\x04\xfe\xc4\x6f\xee\x8b\x66\xbd\x0c\xd8\xf4\x91"; + unsigned char output2[] = + "\x0d\xcc\xa0\xeb\x4e\x93\x10\x11\x21\xc8\x04\xfb\x9c\x43\x33\xfd" + "\x41\x31\xab\xca\x3d\x26\xb4\xa9\xab\xd7\x67\xe1\xaf\xaa\xc6\xe2" + "\x83\x4e\xba\x2c\x54\x2e\x8f\x31\x98\x38\x2b\x8f\x9d\xec\x88\xbe" + "\x4d\x5e\x8b\x53\x9d\x4e\xd2\x14\xf0\x96\x20\xaf\x69\x6c\x68\xde"; + + WOLFSSL_SHA512_CTX sha512; + + printf(testingFmt, "wolfSSL_SHA512_Transform()"); + + XMEMSET(&sha512, 0, sizeof(sha512)); + XMEMSET(&local, 0, sizeof(local)); + + /* sanity check */ + AssertIntEQ(wolfSSL_SHA512_Transform(NULL, NULL), 0); + AssertIntEQ(wolfSSL_SHA512_Transform(NULL, (const byte*)&input1), 0); + AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, NULL), 0); + AssertIntEQ(wc_Sha512Transform(NULL, NULL), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha512Transform(NULL, (const byte*)&input1), BAD_FUNC_ARG); + AssertIntEQ(wc_Sha512Transform((wc_Sha512*)&sha512, NULL), BAD_FUNC_ARG); + + /* Init SHA512 CTX */ + AssertIntEQ(wolfSSL_SHA512_Init(&sha512), 1); + + /* Do Transform*/ + sLen = (word32)XSTRLEN((char*)input1); + XMEMCPY(local, input1, sLen); + AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha512*)&sha512)->digest[0], output1, + WC_SHA512_DIGEST_SIZE), 0); + + /* Init SHA512 CTX */ + AssertIntEQ(wolfSSL_SHA512_Init(&sha512), 1); + sLen = (word32)XSTRLEN((char*)input2); + XMEMSET(local, 0, WC_SHA512_BLOCK_SIZE); + XMEMCPY(local, input2, sLen); + AssertIntEQ(wolfSSL_SHA512_Transform(&sha512, (const byte*)&local[0]), 1); + AssertIntEQ(XMEMCMP(&((wc_Sha512*)&sha512)->digest[0], output2, + WC_SHA512_DIGEST_SIZE), 0); + (void)input1; + printf(resultFmt, passed); +#endif +#endif +} + static void test_wolfSSL_X509_get_serialNumber(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) @@ -38667,6 +39077,90 @@ static void test_wolfSSL_X509_CRL(void) return; } +static void test_wolfSSL_X509_load_crl_file(void) +{ +#if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) && !defined(NO_FILESYSTEM) + int i; + char pem[][100] = { + "./certs/crl/crl.pem", + "./certs/crl/crl2.pem", + "./certs/crl/caEccCrl.pem", + "./certs/crl/eccCliCRL.pem", + "./certs/crl/eccSrvCRL.pem", + "" + }; + char der[][100] = { + "./certs/crl/crl.der", + "./certs/crl/crl2.der", + "" + }; + WOLFSSL_X509_STORE* store; + WOLFSSL_X509_LOOKUP* lookup; + + printf(testingFmt, "wolfSSL_X509_laod_crl_file"); + + AssertNotNull(store = wolfSSL_X509_STORE_new()); + AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); + + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", + X509_FILETYPE_PEM), 1); + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", + X509_FILETYPE_PEM), 1); + if (store) { + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), 1); + /* since store hasn't yet known the revoked cert*/ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM), 1); + } + + for (i = 0; pem[i][0] != '\0'; i++) + { + AssertIntEQ(wolfSSL_X509_load_crl_file(lookup, pem[i], WOLFSSL_FILETYPE_PEM), 1); + } + + if (store) { + /* since store knows crl list */ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED); + } + /* once feeing store */ + wolfSSL_X509_STORE_free(store); + store = NULL; + + AssertNotNull(store = wolfSSL_X509_STORE_new()); + AssertNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); + + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/ca-cert.pem", + X509_FILETYPE_PEM), 1); + AssertIntEQ(wolfSSL_X509_LOOKUP_load_file(lookup, "certs/server-revoked-cert.pem", + X509_FILETYPE_PEM), 1); + if (store) { + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, svrCertFile, + WOLFSSL_FILETYPE_PEM), 1); + /* since store hasn't yet known the revoked cert*/ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM), 1); + } + + for (i = 0; der[i][0] != '\0'; i++) + { + AssertIntEQ(wolfSSL_X509_load_crl_file(lookup, der[i], WOLFSSL_FILETYPE_ASN1), 1); + } + + if (store) { + /* since store knows crl list */ + AssertIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/server-revoked-cert.pem", + WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED); + } + + wolfSSL_X509_STORE_free(store); + store = NULL; + + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_d2i_X509_REQ(void) { #if defined(WOLFSSL_CERT_REQ) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) @@ -40636,7 +41130,9 @@ void ApiTest(void) test_wolfSSL_X509_STORE_CTX_get0_store(); test_wolfSSL_X509_STORE(); test_wolfSSL_X509_STORE_load_locations(); + test_wolfSSL_X509_load_crl_file(); test_wolfSSL_BN(); + test_wolfSSL_CTX_get0_set1_param(); #ifndef NO_BIO test_wolfSSL_PEM_read_bio(); test_wolfSSL_BIO(); @@ -40706,7 +41202,13 @@ void ApiTest(void) test_wolfSSL_DH_1536_prime(); test_wolfSSL_PEM_write_DHparams(); test_wolfSSL_AES_ecb_encrypt(); + test_wolfSSL_MD5(); + test_wolfSSL_MD5_Transform(); + test_wolfSSL_SHA_Transform(); test_wolfSSL_SHA256(); + test_wolfSSL_SHA256_Transform(); + test_wolfSSL_SHA224(); + test_wolfSSL_SHA512_Transform(); test_wolfSSL_X509_get_serialNumber(); test_wolfSSL_X509_CRL(); test_wolfSSL_d2i_X509_REQ(); diff --git a/wolfcrypt/src/md5.c b/wolfcrypt/src/md5.c index 7bc2489e8..e4ffc2f09 100644 --- a/wolfcrypt/src/md5.c +++ b/wolfcrypt/src/md5.c @@ -550,7 +550,20 @@ int wc_Md5Copy(wc_Md5* src, wc_Md5* dst) return ret; } - +#ifdef OPENSSL_EXTRA +/* Apply MD5 transformation to the data */ +/* @param md5 a pointer to wc_MD5 structure */ +/* @param data data to be applied MD5 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ +int wc_Md5Transform(wc_Md5* md5, const byte* data) +{ + /* sanity check */ + if (md5 == NULL || data == NULL) { + return BAD_FUNC_ARG; + } + return Transform(md5, data); +} +#endif #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB) int wc_Md5SetFlags(wc_Md5* md5, word32 flags) { diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 63f4ed402..0d16521cd 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -773,6 +773,21 @@ int wc_ShaFinal(wc_Sha* sha, byte* hash) return ret; } +#if defined(OPENSSL_EXTRA) +/* Apply SHA1 transformation to the data */ +/* @param sha a pointer to wc_Sha structure */ +/* @param data data to be applied SHA1 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ +int wc_ShaTransform(wc_Sha* sha, const unsigned char* data) +{ + /* sanity check */ + if (sha == NULL || data == NULL) { + return BAD_FUNC_ARG; + } + return (Transform(sha, data)); +} +#endif + #endif /* USE_SHA_SOFTWARE_IMPL */ diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 50b8cf60f..249bc5d6d 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -1295,6 +1295,19 @@ static int InitSha256(wc_Sha256* sha256) return InitSha256(sha256); /* reset state */ } + #if defined(OPENSSL_EXTRA) +/* Apply SHA256 transformation to the data */ +/* @param sha a pointer to wc_Sha256 structure */ +/* @param data data to be applied SHA256 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ + int wc_Sha256Transform(wc_Sha256* sha, const unsigned char* data) + { + if (sha == NULL || data == NULL) { + return BAD_FUNC_ARG; + } + return (Transform_Sha256(sha, data)); + } + #endif #endif /* XTRANSFORM */ #ifdef WOLFSSL_SHA224 diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index ef09e5404..bc576da21 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -916,7 +916,58 @@ void wc_Sha512Free(wc_Sha512* sha512) wolfAsync_DevCtxFree(&sha512->asyncDev, WOLFSSL_ASYNC_MARKER_SHA512); #endif /* WOLFSSL_ASYNC_CRYPT */ } +#if defined(OPENSSL_EXTRA) +/* Apply SHA512 transformation to the data */ +/* @param sha a pointer to wc_Sha512 structure */ +/* @param data data to be applied SHA512 transformation */ +/* @return 0 on successful, otherwise non-zero on failure */ +int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data) +{ + int ret ; + /* back up buffer */ + #if defined(WOLFSSL_SMALL_STACK) + word64* buffer; + buffer = (word64*) XMALLOC(sizeof(word64) * 16, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (buffer == NULL) + return MEMORY_E; + #else + word64 buffer[WC_SHA512_BLOCK_SIZE / sizeof(word64)]; + #endif + + /* sanity check */ + if (sha == NULL || data == NULL) { + #if defined(WOLFSSL_SMALL_STACK) + XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return BAD_FUNC_ARG; + } +#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) + Sha512_SetTransform(); +#endif +#if defined(LITTLE_ENDIAN_ORDER) +#if defined(HAVE_INTEL_AVX1) || defined(HAVE_INTEL_AVX2) + if (!IS_INTEL_AVX1(intel_flags) && !IS_INTEL_AVX2(intel_flags)) +#endif + { + ByteReverseWords64((word64*)data, (word64*)data, + WC_SHA512_BLOCK_SIZE); + } +#endif + + XMEMCPY(buffer, sha->buffer, WC_SHA512_BLOCK_SIZE); + XMEMCPY(sha->buffer, data, WC_SHA512_BLOCK_SIZE); + + ret = Transform_Sha512(sha); + + XMEMCPY(sha->buffer, buffer, WC_SHA512_BLOCK_SIZE); + #if defined(WOLFSSL_SMALL_STACK) + XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; +} +#endif #endif /* WOLFSSL_SHA512 */ /* -------------------------------------------------------------------------- */ diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 88c47b9c6..68ace3053 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -170,7 +170,8 @@ enum wolfSSL_ErrorCodes { DTLS_SIZE_ERROR = -439, /* Trying to send too much data */ NO_CERT_ERROR = -440, /* TLS1.3 - no cert set error */ APP_DATA_READY = -441, /* DTLS1.2 application data ready for read */ - + TOO_MUCH_EARLY_DATA = -442, /* Too much Early data */ + /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */ /* begin negotiation parameter errors */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index aebfb3a69..7c3491546 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2837,6 +2837,7 @@ struct WOLFSSL_CTX { byte sessionCtxSz; byte cbioFlag; /* WOLFSSL_CBIO_RECV/SEND: CBIORecv/Send is set */ CallbackInfoState* CBIS; /* used to get info about SSL state */ + WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/ #endif CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; @@ -4366,6 +4367,7 @@ struct WOLFSSL { #ifdef WOLFSSL_EARLY_DATA EarlyDataState earlyData; word32 earlyDataSz; + byte earlyDataStatus; #endif #ifdef OPENSSL_ALL long verifyCallbackResult; diff --git a/wolfssl/openssl/md5.h b/wolfssl/openssl/md5.h index 49ac1e32f..08cbd527e 100644 --- a/wolfssl/openssl/md5.h +++ b/wolfssl/openssl/md5.h @@ -52,13 +52,14 @@ typedef struct WOLFSSL_MD5_CTX { WOLFSSL_API int wolfSSL_MD5_Init(WOLFSSL_MD5_CTX*); WOLFSSL_API int wolfSSL_MD5_Update(WOLFSSL_MD5_CTX*, const void*, unsigned long); WOLFSSL_API int wolfSSL_MD5_Final(unsigned char*, WOLFSSL_MD5_CTX*); - +WOLFSSL_API int wolfSSL_MD5_Transform(WOLFSSL_MD5_CTX*, const unsigned char*); typedef WOLFSSL_MD5_CTX MD5_CTX; #define MD5_Init wolfSSL_MD5_Init #define MD5_Update wolfSSL_MD5_Update #define MD5_Final wolfSSL_MD5_Final +#define MD5_Transform wolfSSL_MD5_Transform #ifdef OPENSSL_EXTRA_BSD #define MD5Init wolfSSL_MD5_Init diff --git a/wolfssl/openssl/sha.h b/wolfssl/openssl/sha.h index e3a814717..c8ee6d4c6 100644 --- a/wolfssl/openssl/sha.h +++ b/wolfssl/openssl/sha.h @@ -52,12 +52,14 @@ typedef struct WOLFSSL_SHA_CTX { WOLFSSL_API int wolfSSL_SHA_Init(WOLFSSL_SHA_CTX*); WOLFSSL_API int wolfSSL_SHA_Update(WOLFSSL_SHA_CTX*, const void*, unsigned long); WOLFSSL_API int wolfSSL_SHA_Final(unsigned char*, WOLFSSL_SHA_CTX*); - +WOLFSSL_API int wolfSSL_SHA_Transform(WOLFSSL_SHA_CTX*, + const unsigned char *data); /* SHA1 points to above, shouldn't use SHA0 ever */ WOLFSSL_API int wolfSSL_SHA1_Init(WOLFSSL_SHA_CTX*); WOLFSSL_API int wolfSSL_SHA1_Update(WOLFSSL_SHA_CTX*, const void*, unsigned long); WOLFSSL_API int wolfSSL_SHA1_Final(unsigned char*, WOLFSSL_SHA_CTX*); - +WOLFSSL_API int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX*, + const unsigned char *data); enum { SHA_DIGEST_LENGTH = 20 }; @@ -68,6 +70,13 @@ typedef WOLFSSL_SHA_CTX SHA_CTX; #define SHA_Init wolfSSL_SHA_Init #define SHA_Update wolfSSL_SHA_Update #define SHA_Final wolfSSL_SHA_Final +#if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_SELFTEST) && \ + (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) + /* SHA is only available in non-fips mode or fips version > 2 mode + * because of SHA enum in FIPS build. */ + #define SHA wolfSSL_SHA1 +#endif #define SHA1_Init wolfSSL_SHA1_Init #define SHA1_Update wolfSSL_SHA1_Update @@ -99,6 +108,13 @@ typedef WOLFSSL_SHA224_CTX SHA224_CTX; #define SHA224_Init wolfSSL_SHA224_Init #define SHA224_Update wolfSSL_SHA224_Update #define SHA224_Final wolfSSL_SHA224_Final +#if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_SELFTEST) && \ + (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) + /* SHA224 is only available in non-fips mode or fips version > 2 mode + * because of SHA224 enum in FIPS build. */ + #define SHA224 wolfSSL_SHA224 +#endif #endif /* WOLFSSL_SHA224 */ @@ -113,9 +129,10 @@ typedef struct WOLFSSL_SHA256_CTX { WOLFSSL_API int wolfSSL_SHA256_Init(WOLFSSL_SHA256_CTX*); WOLFSSL_API int wolfSSL_SHA256_Update(WOLFSSL_SHA256_CTX*, const void*, - unsigned long); + unsigned long); WOLFSSL_API int wolfSSL_SHA256_Final(unsigned char*, WOLFSSL_SHA256_CTX*); - +WOLFSSL_API int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX*, + const unsigned char *data); enum { SHA256_DIGEST_LENGTH = 32 }; @@ -126,6 +143,8 @@ typedef WOLFSSL_SHA256_CTX SHA256_CTX; #define SHA256_Init wolfSSL_SHA256_Init #define SHA256_Update wolfSSL_SHA256_Update #define SHA256_Final wolfSSL_SHA256_Final +#define SHA256_Transform wolfSSL_SHA256_Transform + #if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) /* SHA256 is only available in non-fips mode because of SHA256 enum in FIPS * build. */ @@ -171,9 +190,10 @@ typedef struct WOLFSSL_SHA512_CTX { WOLFSSL_API int wolfSSL_SHA512_Init(WOLFSSL_SHA512_CTX*); WOLFSSL_API int wolfSSL_SHA512_Update(WOLFSSL_SHA512_CTX*, const void*, - unsigned long); + unsigned long); WOLFSSL_API int wolfSSL_SHA512_Final(unsigned char*, WOLFSSL_SHA512_CTX*); - +WOLFSSL_API int wolfSSL_SHA512_Transform(WOLFSSL_SHA512_CTX*, + const unsigned char*); enum { SHA512_DIGEST_LENGTH = 64 }; @@ -184,6 +204,7 @@ typedef WOLFSSL_SHA512_CTX SHA512_CTX; #define SHA512_Init wolfSSL_SHA512_Init #define SHA512_Update wolfSSL_SHA512_Update #define SHA512_Final wolfSSL_SHA512_Final +#define SHA512_Transform wolfSSL_SHA512_Transform #if defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) /* SHA512 is only available in non-fips mode because of SHA512 enum in FIPS * build. */ diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 8b7604ea3..2668fd891 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -558,6 +558,12 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define X509_V_FLAG_NO_CHECK_TIME WOLFSSL_NO_CHECK_TIME #define X509_CHECK_FLAG_NO_WILDCARDS WOLFSSL_NO_WILDCARDS +#define X509_VP_FLAG_DEFAULT WOLFSSL_VPARAM_DEFAULT +#define X509_VP_FLAG_OVERWRITE WOLFSSL_VPARAM_OVERWRITE +#define X509_VP_FLAG_RESET_FLAGS WOLFSSL_VPARAM_RESET_FLAGS +#define X509_VP_FLAG_LOCKED WOLFSSL_VPARAM_LOCKED +#define X509_VP_FLAG_ONCE WOLFSSL_VPARAM_ONCE + #define X509_STORE_CTX_get_current_cert wolfSSL_X509_STORE_CTX_get_current_cert #define X509_STORE_CTX_set_verify_cb wolfSSL_X509_STORE_CTX_set_verify_cb #define X509_STORE_CTX_new wolfSSL_X509_STORE_CTX_new @@ -605,6 +611,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_VERIFY_PARAM_set_hostflags wolfSSL_X509_VERIFY_PARAM_set_hostflags #define X509_VERIFY_PARAM_set1_host wolfSSL_X509_VERIFY_PARAM_set1_host #define X509_VERIFY_PARAM_set1_ip_asc wolfSSL_X509_VERIFY_PARAM_set1_ip_asc +#define X509_VERIFY_PARAM_set1 wolfSSL_X509_VERIFY_PARAM_set1 #define X509_STORE_load_locations wolfSSL_X509_STORE_load_locations #define X509_LOOKUP_add_dir wolfSSL_X509_LOOKUP_add_dir @@ -622,6 +629,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_CRL_get_nextUpdate wolfSSL_X509_CRL_get_nextUpdate #define X509_CRL_verify wolfSSL_X509_CRL_verify #define X509_CRL_get_REVOKED wolfSSL_X509_CRL_get_REVOKED +#define X509_load_crl_file wolfSSL_X509_load_crl_file #define X509_get_X509_PUBKEY wolfSSL_X509_get_X509_PUBKEY #define X509_REQ_get_X509_PUBKEY wolfSSL_X509_get_X509_PUBKEY @@ -1312,6 +1320,8 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL_CTX_set_srp_strength wolfSSL_CTX_set_srp_strength #define SSL_get_SSL_CTX wolfSSL_get_SSL_CTX #define SSL_get0_param wolfSSL_get0_param +#define SSL_CTX_get0_param wolfSSL_CTX_get0_param +#define SSL_CTX_set1_param wolfSSL_CTX_set1_param #define SSL_get_srp_username wolfSSL_get_srp_username #define ERR_NUM_ERRORS 16 @@ -1323,6 +1333,11 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL_get_rbio wolfSSL_SSL_get_rbio #define SSL_get_wbio wolfSSL_SSL_get_wbio #define SSL_do_handshake wolfSSL_SSL_do_handshake + +#if defined(WOLFSSL_EARLY_DATA) +#define SSL_get_early_data_status wolfSSL_get_early_data_status +#endif + #endif /* OPENSSL_EXTRA */ /* cipher suites for compatibility */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index c3372b3f0..d2bdfcf09 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -563,8 +563,16 @@ struct WOLFSSL_X509_STORE { #define WOLFSSL_USE_CHECK_TIME 0x2 #define WOLFSSL_NO_CHECK_TIME 0x200000 #define WOLFSSL_HOST_NAME_MAX 256 + +#define WOLFSSL_VPARAM_DEFAULT 0x1 +#define WOLFSSL_VPARAM_OVERWRITE 0x2 +#define WOLFSSL_VPARAM_RESET_FLAGS 0x4 +#define WOLFSSL_VPARAM_LOCKED 0x8 +#define WOLFSSL_VPARAM_ONCE 0x10 + struct WOLFSSL_X509_VERIFY_PARAM { time_t check_time; + unsigned int inherit_flags; unsigned long flags; char hostName[WOLFSSL_HOST_NAME_MAX]; unsigned int hostFlags; @@ -877,7 +885,9 @@ WOLFSSL_API int wolfSSL_CTX_up_ref(WOLFSSL_CTX*); #endif WOLFSSL_ABI WOLFSSL_API WOLFSSL* wolfSSL_new(WOLFSSL_CTX*); WOLFSSL_API WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl); +WOLFSSL_API WOLFSSL_X509_VERIFY_PARAM* wolfSSL_CTX_get0_param(WOLFSSL_CTX* ctx); WOLFSSL_API WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_CTX_set1_param(WOLFSSL_CTX* ctx, WOLFSSL_X509_VERIFY_PARAM *vpm); WOLFSSL_API int wolfSSL_is_server(WOLFSSL*); WOLFSSL_API WOLFSSL* wolfSSL_write_dup(WOLFSSL*); WOLFSSL_ABI WOLFSSL_API int wolfSSL_set_fd (WOLFSSL*, int); @@ -937,6 +947,11 @@ WOLFSSL_API int wolfSSL_connect_TLSv13(WOLFSSL*); WOLFSSL_API int wolfSSL_accept_TLSv13(WOLFSSL*); #ifdef WOLFSSL_EARLY_DATA + +#define WOLFSSL_EARLY_DATA_NOT_SENT 0 +#define WOLFSSL_EARLY_DATA_REJECTED 1 +#define WOLFSSL_EARLY_DATA_ACCEPTED 2 + WOLFSSL_API int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz); WOLFSSL_API int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz); @@ -944,6 +959,7 @@ WOLFSSL_API int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz); WOLFSSL_API int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz); +WOLFSSL_API int wolfSSL_get_early_data_status(const WOLFSSL* ssl); #endif /* WOLFSSL_EARLY_DATA */ #endif /* WOLFSSL_TLS13 */ WOLFSSL_ABI WOLFSSL_API void wolfSSL_CTX_free(WOLFSSL_CTX*); @@ -1544,6 +1560,10 @@ WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* p unsigned int nameSz); WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1_ip_asc( WOLFSSL_X509_VERIFY_PARAM *param, const char *ipasc); +WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1(WOLFSSL_X509_VERIFY_PARAM* to, + const WOLFSSL_X509_VERIFY_PARAM* from); +WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, + const char *file, int type); #endif WOLFSSL_API WOLFSSL_X509_REVOKED* wolfSSL_X509_CRL_get_REVOKED(WOLFSSL_X509_CRL*); WOLFSSL_API WOLFSSL_X509_REVOKED* wolfSSL_sk_X509_REVOKED_value( @@ -2254,6 +2274,8 @@ WOLFSSL_API WOLFSSL_X509* WOLFSSL_API int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out); WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL **crl, const unsigned char *in, int len); +WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_bio(WOLFSSL_BIO *bp, + WOLFSSL_X509_CRL **crl); #if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE file, WOLFSSL_X509_CRL **crl); #endif @@ -3617,6 +3639,7 @@ WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl); WOLFSSL_API int wolfSSL_set_app_data(WOLFSSL *ssl, void *arg); WOLFSSL_API WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne); WOLFSSL_API unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md); +WOLFSSL_API unsigned char *wolfSSL_SHA224(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA256(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA384(const unsigned char *d, size_t n, unsigned char *md); WOLFSSL_API unsigned char *wolfSSL_SHA512(const unsigned char *d, size_t n, unsigned char *md); diff --git a/wolfssl/test.h b/wolfssl/test.h index 5da853e60..50a5c96a2 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -4088,4 +4088,30 @@ static WC_INLINE word16 GetRandomPort(void) return port; } +#ifdef WOLFSSL_EARLY_DATA +static WC_INLINE void EarlyDataStatus(WOLFSSL* ssl) +{ + int earlyData_status; + + earlyData_status = wolfSSL_get_early_data_status(ssl); + if (earlyData_status < 0) return; + + printf("Early Data was "); + + switch(earlyData_status) { + case WOLFSSL_EARLY_DATA_NOT_SENT: + printf("not sent.\n"); + break; + case WOLFSSL_EARLY_DATA_REJECTED: + printf("rejected.\n"); + break; + case WOLFSSL_EARLY_DATA_ACCEPTED: + printf("accepted\n"); + break; + default: + printf("unknown...\n"); + } +} +#endif /* WOLFSSL_EARLY_DATA */ + #endif /* wolfSSL_TEST_H */ diff --git a/wolfssl/wolfcrypt/md5.h b/wolfssl/wolfcrypt/md5.h index e2ee13c32..290c5ec91 100644 --- a/wolfssl/wolfcrypt/md5.h +++ b/wolfssl/wolfcrypt/md5.h @@ -42,9 +42,12 @@ extern "C" { #endif +#if !defined(NO_OLD_MD5_NAME) + #define MD5 WC_MD5 +#endif + #ifndef NO_OLD_WC_NAMES #define Md5 wc_Md5 - #define MD5 WC_MD5 #define MD5_BLOCK_SIZE WC_MD5_BLOCK_SIZE #define MD5_DIGEST_SIZE WC_MD5_DIGEST_SIZE #define WC_MD5_PAD_SIZE WC_MD5_PAD_SIZE @@ -109,6 +112,9 @@ WOLFSSL_API int wc_InitMd5_ex(wc_Md5*, void*, int); WOLFSSL_API int wc_Md5Update(wc_Md5*, const byte*, word32); WOLFSSL_API int wc_Md5Final(wc_Md5*, byte*); WOLFSSL_API void wc_Md5Free(wc_Md5*); +#ifdef OPENSSL_EXTRA +WOLFSSL_API int wc_Md5Transform(wc_Md5*, const byte*); +#endif WOLFSSL_API int wc_Md5GetHash(wc_Md5*, byte*); WOLFSSL_API int wc_Md5Copy(wc_Md5*, wc_Md5*); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index f480d190f..31a33a57b 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2274,9 +2274,14 @@ extern void uITRON4_free(void *p) ; #if defined(NO_OLD_WC_NAMES) || defined(OPENSSL_EXTRA) /* added to have compatibility with SHA256() */ - #if !defined(NO_OLD_SHA_NAMES) && !defined(HAVE_FIPS) + #if !defined(NO_OLD_SHA_NAMES) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) #define NO_OLD_SHA_NAMES #endif + #if !defined(NO_OLD_MD5_NAME) && (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) + #define NO_OLD_MD5_NAME + #endif #endif /* switch for compatibility layer functionality. Has subparts i.e. BIO/X509 diff --git a/wolfssl/wolfcrypt/sha.h b/wolfssl/wolfcrypt/sha.h index 6203d648d..f074f28c4 100644 --- a/wolfssl/wolfcrypt/sha.h +++ b/wolfssl/wolfcrypt/sha.h @@ -169,6 +169,9 @@ WOLFSSL_API void wc_ShaFree(wc_Sha*); WOLFSSL_API int wc_ShaGetHash(wc_Sha*, byte*); WOLFSSL_API int wc_ShaCopy(wc_Sha*, wc_Sha*); +#if defined(OPENSSL_EXTRA) +WOLFSSL_API int wc_ShaTransform(wc_Sha*, const byte*); +#endif #ifdef WOLFSSL_PIC32MZ_HASH WOLFSSL_API void wc_ShaSizeSet(wc_Sha* sha, word32 len); diff --git a/wolfssl/wolfcrypt/sha256.h b/wolfssl/wolfcrypt/sha256.h index 9538fed7b..93c794f31 100644 --- a/wolfssl/wolfcrypt/sha256.h +++ b/wolfssl/wolfcrypt/sha256.h @@ -198,7 +198,9 @@ WOLFSSL_API int wc_Sha256Update(wc_Sha256*, const byte*, word32); WOLFSSL_API int wc_Sha256FinalRaw(wc_Sha256*, byte*); WOLFSSL_API int wc_Sha256Final(wc_Sha256*, byte*); WOLFSSL_API void wc_Sha256Free(wc_Sha256*); - +#if defined(OPENSSL_EXTRA) +WOLFSSL_API int wc_Sha256Transform(wc_Sha256*, const byte*); +#endif WOLFSSL_API int wc_Sha256GetHash(wc_Sha256*, byte*); WOLFSSL_API int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst); @@ -216,9 +218,12 @@ WOLFSSL_API void wc_Sha256SizeSet(wc_Sha256*, word32); #if !defined(HAVE_FIPS) || \ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)) +#if !defined(NO_OLD_SHA_NAMES) + #define SHA224 WC_SHA224 +#endif + #ifndef NO_OLD_WC_NAMES #define Sha224 wc_Sha224 - #define SHA224 WC_SHA224 #define SHA224_BLOCK_SIZE WC_SHA224_BLOCK_SIZE #define SHA224_DIGEST_SIZE WC_SHA224_DIGEST_SIZE #define SHA224_PAD_SIZE WC_SHA224_PAD_SIZE diff --git a/wolfssl/wolfcrypt/sha512.h b/wolfssl/wolfcrypt/sha512.h index f3e79a263..6b6ad84e9 100644 --- a/wolfssl/wolfcrypt/sha512.h +++ b/wolfssl/wolfcrypt/sha512.h @@ -180,6 +180,9 @@ WOLFSSL_API int wc_Sha512Copy(wc_Sha512* src, wc_Sha512* dst); WOLFSSL_API int wc_Sha512GetFlags(wc_Sha512* sha512, word32* flags); #endif +#if defined(OPENSSL_EXTRA) +WOLFSSL_API int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data); +#endif #endif /* WOLFSSL_SHA512 */ #if defined(WOLFSSL_SHA384)