Added support for SHOW_CERTS with OPENSSL_EXTRA_X509_SMALL for embedded debugging of certs. Minor build warning fixes with OPENSSL_EXTRA and STM32_HASH on IAR.

David Garske
2019-05-14 07:00:36 -07:00
parent f923409f1f
commit 10dde24363
10 changed files with 72 additions and 38 deletions


@@ -1451,8 +1451,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
ctx->minEccKeySz = MIN_ECCKEY_SZ;
ctx->eccTempKeySz = ECDHE_SIZE;
#endif
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ctx->verifyDepth = MAX_CHAIN_DEPTH;
#endif
#ifdef OPENSSL_EXTRA
ctx->cbioFlag = WOLFSSL_CBIO_NONE;
#endif
@@ -4427,7 +4429,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
#ifdef HAVE_ECC
ssl->options.minEccKeySz = ctx->minEccKeySz;
#endif
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->options.verifyDepth = ctx->verifyDepth;
#endif
@@ -8695,7 +8697,7 @@ typedef struct ProcPeerCertArgs {
#ifdef WOLFSSL_TLS13
byte ctxSz;
#endif
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
char untrustedDepth;
#endif
word16 fatal:1;
@@ -9272,7 +9274,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
while (listSz) {
word32 certSz;
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (args->totalCerts > ssl->verifyDepth) {
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc);
@@ -9469,7 +9471,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
else {
WOLFSSL_MSG("Failed to verify CA from chain");
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_ERR_INVALID_CA;
#endif
}
@@ -9585,7 +9587,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif
if (ret == 0) {
WOLFSSL_MSG("Verified Peer's cert");
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_OK;
#endif
#if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
@@ -9610,7 +9612,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
else if (ret == ASN_PARSE_E || ret == BUFFER_E) {
WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR");
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
SendAlert(ssl, alert_fatal, bad_certificate);
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
#endif
@@ -9618,7 +9620,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
else {
WOLFSSL_MSG("Failed to verify Peer's cert");
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
#endif
if (ssl->verifyCallback) {
@@ -9724,7 +9726,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (ret != 0) {
WOLFSSL_MSG("\tOCSP Lookup not ok");
args->fatal = 0;
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
#endif
}
@@ -9743,7 +9745,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (ret != 0) {
WOLFSSL_MSG("\tCRL check not ok");
args->fatal = 0;
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
#endif
}
@@ -9820,7 +9822,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (args->fatal) {
ssl->error = ret;
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
SendAlert(ssl, alert_fatal, bad_certificate);
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
#endif
@@ -10064,7 +10066,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = args->lastErr;
}
#if defined(OPENSSL_EXTRA)
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (args->untrustedDepth > ssl->options.verifyDepth) {
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ret = MAX_CHAIN_ERROR;
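Review bot: The chain-length check at the top of the certificate loop in ProcessPeerCerts, now compiled under OPENSSL_EXTRA_X509_SMALL as well, reads `ssl->verifyDepth`, while SetSSL_CTX and the untrustedDepth check at the end of the same function use `ssl->options.verifyDepth`, and the Options member is the only verifyDepth this commit visibly widens in internal.h. If the WOLFSSL-level member is still declared only under OPENSSL_EXTRA, a build with OPENSSL_EXTRA_X509_SMALL alone fails to compile at that line; if both members exist, two different depth limits are enforced on the same chain, which should at least be stated in a comment above the check, e.g. `/* per-session limit (ssl->verifyDepth); the ctx-inherited Options.verifyDepth is checked after the loop */`. ProcessPeerCerts starts and ends outside the shown hunks.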


@@ -5756,7 +5756,7 @@ WOLFSSL_API int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm,
CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest)
{
int ret;
WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple");
if (cm == NULL || response == NULL)
return BAD_FUNC_ARG;
@@ -12383,8 +12383,10 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
if (bio->close) {
if (bio->ssl)
wolfSSL_free(bio->ssl);
#ifdef CloseSocket
if (bio->fd)
CloseSocket(bio->fd);
#endif
}
#ifndef NO_FILESYSTEM
@@ -15313,7 +15315,10 @@ WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509, const byte* in, int len)
#endif /* KEEP_PEER_CERT || SESSION_CERTS || OPENSSL_EXTRA ||
OPENSSL_EXTRA_X509_SMALL */
#if defined(OPENSSL_ALL) || defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
#if defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || \
defined(SESSION_CERTS)
/* return the next, if any, altname from the peer cert */
char* wolfSSL_X509_get_next_altname(WOLFSSL_X509* cert)
{
@@ -15334,7 +15339,6 @@ WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509, const byte* in, int len)
return ret;
}
int wolfSSL_X509_get_isCA(WOLFSSL_X509* x509)
{
int isCA = 0;
@@ -16074,7 +16078,8 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer(
/* OPENSSL_EXTRA is needed for wolfSSL_X509_d21 function
KEEP_OUR_CERT is to insure ability for returning ssl certificate */
#if defined(OPENSSL_EXTRA) && defined(KEEP_OUR_CERT)
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
defined(KEEP_OUR_CERT)
WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl)
{
if (ssl == NULL) {
@@ -21148,6 +21153,9 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *
}
#endif /* HAVE_OCSP */
#endif /* OPENSSL_EXTRA */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
long wolfSSL_get_verify_result(const WOLFSSL *ssl)
{
if (ssl == NULL) {
@@ -21156,7 +21164,9 @@ long wolfSSL_get_verify_result(const WOLFSSL *ssl)
return ssl->peerVerifyRet;
}
#endif
#ifdef OPENSSL_EXTRA
#ifndef NO_WOLFSSL_STUB
/* shows the number of accepts attempted by CTX in it's lifetime */
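Review bot: In wolfSSL_BIO_free the socket close is now compiled only `#ifdef CloseSocket`, so on a port where that macro is not defined a BIO with `close` set quietly leaves its descriptor open, and nothing in the hunk documents that. If the guard is intended, a comment on the `#ifdef` line such as `/* no CloseSocket on this port: the fd stays open and remains the caller's to close */` makes the ownership explicit; if it is not, the port should provide a CloseSocket definition rather than skip the close. The enclosing function starts and ends outside the hunk (the header's `wolfSSL_set_compression` context is stale). Separately, the trace label at the start of this section inside wolfSSL_CertManagerCheckOCSPResponse reads "wolfSSL_CertManagerCheckOCSP_Staple", which misattributes log output; `WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSPResponse");` would match the function.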


@@ -738,7 +738,7 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_decrypt(WOLFSSL_EVP_PKEY_CTX *ctx,
unsigned char *out, size_t *outlen,
const unsigned char *in, size_t inlen)
{
int len;
int len = 0;
if (ctx == NULL) return 0;
WOLFSSL_ENTER("EVP_PKEY_decrypt");
@@ -809,7 +809,7 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_encrypt(WOLFSSL_EVP_PKEY_CTX *ctx,
unsigned char *out, size_t *outlen,
const unsigned char *in, size_t inlen)
{
int len;
int len = 0;
if (ctx == NULL) return WOLFSSL_FAILURE;
WOLFSSL_ENTER("EVP_PKEY_encrypt");
if (ctx->op != EVP_PKEY_OP_ENCRYPT) return WOLFSSL_FAILURE;


@@ -13470,9 +13470,13 @@ int openssl_test(void)
testVector a, b, c, d, e, f;
byte hash[WC_SHA256_DIGEST_SIZE*2]; /* max size */
a.inLen = 0;
b = c = d = e = f = a;
(void)a;
(void)b;
(void)c;
(void)d;
(void)e;
(void)f;


@@ -52,7 +52,7 @@ typedef struct handShakeInfo_st {
} HandShakeInfo;
#ifdef HAVE_SYS_TIME_H
#if defined(HAVE_SYS_TIME_H) && !defined(NO_TIMEVAL)
typedef struct timeval Timeval;
#else /* HAVE_SYS_TIME_H */
/* Define the Timeval explicitly. */
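Review bot: The `#else /* HAVE_SYS_TIME_H */` trailer under the widened condition is now stale: the else branch is also taken when HAVE_SYS_TIME_H is defined but NO_TIMEVAL is set, so the comment no longer says when the explicit Timeval definition is used. Change it to `#else /* !(HAVE_SYS_TIME_H && !NO_TIMEVAL) */`, and update the matching `#endif` trailer if it carries the same text. The rest of the `#else` branch is outside the hunk.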


@@ -1815,7 +1815,7 @@ struct WOLFSSL_OCSP {
int(*statusCb)(WOLFSSL*, void*);
#endif
};
#endif
#endif
#ifndef MAX_DATE_SIZE
#define MAX_DATE_SIZE 32
@@ -3306,7 +3306,7 @@ typedef struct Options {
#if defined(HAVE_ECC) || defined(HAVE_ED25519)
short minEccKeySz; /* minimum ECC key size */
#endif
#ifdef OPENSSL_EXTRA
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
byte verifyDepth; /* maximum verification depth */
#endif
#ifdef WOLFSSL_EARLY_DATA
@@ -3697,7 +3697,11 @@ struct WOLFSSL {
WOLFSSL_BIO* biord; /* socket bio read to free/close */
WOLFSSL_BIO* biowr; /* socket bio write to free/close */
byte sessionCtx[ID_LEN]; /* app session context ID */
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
unsigned long peerVerifyRet;
#endif
#ifdef OPENSSL_EXTRA
byte readAhead;
byte sessionCtxSz; /* size of sessionCtx stored */
#ifdef HAVE_PK_CALLBACKS
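Review bot: The `unsigned long peerVerifyRet;` member added to struct WOLFSSL has no trailing comment, unlike its neighbours, and nothing states that it holds the X509_V_* status that ProcessPeerCerts writes and wolfSSL_get_verify_result returns. Suggest `unsigned long peerVerifyRet; /* X509_V_* result of the last peer cert verify; read by wolfSSL_get_verify_result */`. Also note that Options.verifyDepth is a `byte` while ProcPeerCertArgs.untrustedDepth in internal.c is a plain `char`; the comparison is done in int so it works for realistic depths, but a signed char cannot represent a depth above 127, so making untrustedDepth a byte too would remove the asymmetry. struct WOLFSSL continues outside the hunk.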


@@ -41,7 +41,12 @@
typedef struct WOLFSSL_MD5_CTX {
void* holder[(112 + WC_ASYNC_DEV_SIZE) / sizeof(void*)]; /* big enough to hold wolfcrypt md5, but check on init */
/* big enough to hold wolfcrypt md5, but check on init */
#ifdef STM32_HASH
void* holder[(112 + WC_ASYNC_DEV_SIZE + sizeof(STM32_HASH_Context)) / sizeof(void*)];
#else
void* holder[(112 + WC_ASYNC_DEV_SIZE) / sizeof(void*)];
#endif
} WOLFSSL_MD5_CTX;
WOLFSSL_API int wolfSSL_MD5_Init(WOLFSSL_MD5_CTX*);
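Review bot: The STM32_HASH branch sizes `holder` by integer division, so if `112 + WC_ASYNC_DEV_SIZE + sizeof(STM32_HASH_Context)` is not a multiple of `sizeof(void*)` the array comes out up to `sizeof(void*) - 1` bytes short of the intended total; the sha.h hunk uses the same expression. Rounding up, `void* holder[(112 + WC_ASYNC_DEV_SIZE + sizeof(STM32_HASH_Context) + sizeof(void*) - 1) / sizeof(void*)];`, keeps the reservation at least as large as the sum in both headers. The init-time size check the comment refers to presumably rejects a short buffer, but a reservation that cannot be short at compile time is cheaper than a runtime failure on the target. Finally, md5.h uses `#ifdef STM32_HASH` while sha.h uses `#if defined(STM32_HASH)`; one form for both would be consistent.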


@@ -39,7 +39,11 @@
typedef struct WOLFSSL_SHA_CTX {
/* big enough to hold wolfcrypt Sha, but check on init */
#if defined(STM32_HASH)
void* holder[(112 + WC_ASYNC_DEV_SIZE + sizeof(STM32_HASH_Context)) / sizeof(void*)];
#else
void* holder[(112 + WC_ASYNC_DEV_SIZE) / sizeof(void*)];
#endif
#ifdef WOLF_CRYPTO_CB
void* cryptocb_holder[(sizeof(int) + sizeof(void*) + 4) / sizeof(void*)];
#endif


@@ -1128,7 +1128,8 @@ enum {
WOLFSSL_CRL_CHECK = 27,
};
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
defined(HAVE_WEBSERVER)
/* seperated out from other enums because of size */
enum {
SSL_OP_MICROSOFT_SESS_ID_BUG = 0x00000001,
@@ -1768,7 +1769,8 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len,
const unsigned char*, long);
WOLFSSL_API int wolfSSL_UnloadCertsKeys(WOLFSSL*);
#if defined(OPENSSL_EXTRA) && defined(KEEP_OUR_CERT)
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
defined(KEEP_OUR_CERT)
WOLFSSL_API WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl);
#endif
#endif


@@ -11,7 +11,8 @@
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/mem_track.h>
#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS)
#if defined(SHOW_CERTS) && \
(defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))
#include <wolfssl/wolfcrypt/asn.h> /* for domain component NID value */
#endif
@@ -576,7 +577,7 @@ static const char* client_showpeer_msg[][8] = {
#endif
};
#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
#if defined(KEEP_PEER_CERT) || defined(KEEP_OUR_CERT) || defined(SESSION_CERTS)
static const char* client_showx509_msg[][5] = {
/* English */
{
@@ -643,13 +644,12 @@ static WC_INLINE void ShowX509Ex(WOLFSSL_X509* x509, const char* hdr,
XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL);
#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS)
#if defined(SHOW_CERTS) && defined(OPENSSL_EXTRA)
{
WOLFSSL_BIO* bio;
char buf[256]; /* should be size of ASN_NAME_MAX */
int textSz;
/* print out domain component if certificate has it */
textSz = wolfSSL_X509_NAME_get_text_by_NID(
wolfSSL_X509_get_subject_name(x509), NID_domainComponent,
@@ -665,7 +665,7 @@ static WC_INLINE void ShowX509Ex(WOLFSSL_X509* x509, const char* hdr,
wolfSSL_BIO_free(bio);
}
}
#endif
#endif /* SHOW_CERTS && OPENSSL_EXTRA */
}
/* original ShowX509 to maintain compatibility */
static WC_INLINE void ShowX509(WOLFSSL_X509* x509, const char* hdr)
@@ -673,9 +673,10 @@ static WC_INLINE void ShowX509(WOLFSSL_X509* x509, const char* hdr)
ShowX509Ex(x509, hdr, 0);
}
#endif /* KEEP_PEER_CERT || SESSION_CERTS */
#endif /* KEEP_PEER_CERT || KEEP_OUR_CERT || SESSION_CERTS */
#if defined(SESSION_CERTS) && defined(SHOW_CERTS)
#if defined(SHOW_CERTS) && defined(SESSION_CERTS) && \
(defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))
static WC_INLINE void ShowX509Chain(WOLFSSL_X509_CHAIN* chain, int count,
const char* hdr)
{
@@ -697,7 +698,7 @@ static WC_INLINE void ShowX509Chain(WOLFSSL_X509_CHAIN* chain, int count,
wolfSSL_FreeX509(chainX509);
}
}
#endif
#endif /* SHOW_CERTS && SESSION_CERTS */
/* lng_index is to specify the language for displaying message. */
/* 0:English, 1:Japanese */
@@ -720,10 +721,11 @@ static WC_INLINE void showPeerEx(WOLFSSL* ssl, int lng_index)
printf("peer has no cert!\n");
wolfSSL_FreeX509(peer);
#endif
#if defined(SHOW_CERTS) && defined(OPENSSL_EXTRA) && defined(KEEP_OUR_CERT)
#if defined(SHOW_CERTS) && defined(KEEP_OUR_CERT) && \
(defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))
ShowX509(wolfSSL_get_certificate(ssl), "our cert info:");
printf("Peer verify result = %lu\n", wolfSSL_get_verify_result(ssl));
#endif /* SHOW_CERTS */
#endif /* SHOW_CERTS && KEEP_OUR_CERT */
printf("%s %s\n", words[0], wolfSSL_get_version(ssl));
cipher = wolfSSL_get_current_cipher(ssl);
@@ -748,7 +750,8 @@ static WC_INLINE void showPeerEx(WOLFSSL* ssl, int lng_index)
printf("%s\n", words[5]);
#endif
#if defined(SESSION_CERTS) && defined(SHOW_CERTS)
#if defined(SHOW_CERTS) && defined(SESSION_CERTS) && \
(defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))
{
WOLFSSL_X509_CHAIN* chain;
@@ -762,7 +765,7 @@ static WC_INLINE void showPeerEx(WOLFSSL* ssl, int lng_index)
}
#endif
}
#endif /* SESSION_CERTS && SHOW_CERTS */
#endif /* SHOW_CERTS && SESSION_CERTS */
(void)ssl;
}
/* original showPeer to maintain compatibility */
@@ -1687,8 +1690,8 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
printf("\t\tCert %d: Ptr %p, Len %u\n", i, cert->buffer, cert->length);
}
}
#endif
#endif
#endif /* SHOW_CERTS */
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
printf("\tSubject's domain name at %d is %s\n", store->error_depth, store->domain);