From 10dde24363810b97ef83492f9c550dfc2a827995 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 14 May 2019 07:00:36 -0700 Subject: [PATCH] Added support for `SHOW_CERTS` with `OPENSSL_EXTRA_X509_SMALL` for embedded debugging of certs. Minor build warning fixes with `OPENSSL_EXTRA` and `STM32_HASH` on IAR. --- src/internal.c | 26 ++++++++++++++------------ src/ssl.c | 18 ++++++++++++++---- wolfcrypt/src/evp.c | 4 ++-- wolfcrypt/test/test.c | 4 ++++ wolfssl/callbacks.h | 2 +- wolfssl/internal.h | 8 ++++++-- wolfssl/openssl/md5.h | 7 ++++++- wolfssl/openssl/sha.h | 4 ++++ wolfssl/ssl.h | 6 ++++-- wolfssl/test.h | 31 +++++++++++++++++-------------- 10 files changed, 72 insertions(+), 38 deletions(-) diff --git a/src/internal.c b/src/internal.c index 5a92c78e8..f60d08f3c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1451,8 +1451,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) ctx->minEccKeySz = MIN_ECCKEY_SZ; ctx->eccTempKeySz = ECDHE_SIZE; #endif -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) ctx->verifyDepth = MAX_CHAIN_DEPTH; +#endif +#ifdef OPENSSL_EXTRA ctx->cbioFlag = WOLFSSL_CBIO_NONE; #endif @@ -4427,7 +4429,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #ifdef HAVE_ECC ssl->options.minEccKeySz = ctx->minEccKeySz; #endif -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) ssl->options.verifyDepth = ctx->verifyDepth; #endif @@ -8695,7 +8697,7 @@ typedef struct ProcPeerCertArgs { #ifdef WOLFSSL_TLS13 byte ctxSz; #endif -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) char untrustedDepth; #endif word16 fatal:1; 
@@ -9272,7 +9274,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, while (listSz) { word32 certSz; - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) if (args->totalCerts > ssl->verifyDepth) { ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc); @@ -9469,7 +9471,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else { WOLFSSL_MSG("Failed to verify CA from chain"); - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) ssl->peerVerifyRet = X509_V_ERR_INVALID_CA; #endif } @@ -9585,7 +9587,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif if (ret == 0) { WOLFSSL_MSG("Verified Peer's cert"); - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) ssl->peerVerifyRet = X509_V_OK; #endif #if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS) @@ -9610,7 +9612,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else if (ret == ASN_PARSE_E || ret == BUFFER_E) { WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR"); - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) SendAlert(ssl, alert_fatal, bad_certificate); ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; #endif @@ -9618,7 +9620,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else { WOLFSSL_MSG("Failed to verify Peer's cert"); - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) ssl->peerVerifyRet = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; #endif if (ssl->verifyCallback) { @@ -9724,7 +9726,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (ret != 0) { WOLFSSL_MSG("\tOCSP Lookup not ok"); args->fatal = 0; - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; #endif } 
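Review bot: The chain-length check at the top of the `while (listSz)` loop in ProcessPeerCerts compares against `ssl->verifyDepth`, while the SetSSL_CTX hunk and the final depth check at -10064 use `ssl->options.verifyDepth`, and only `Options.verifyDepth` is visibly moved under the widened guard in internal.h. If both are meant to be the same limit, use one spelling, e.g. `if (args->totalCerts > ssl->options.verifyDepth) {`; if `ssl->verifyDepth` is a separate member, its declaration must also be available in `OPENSSL_EXTRA_X509_SMALL` builds. Since X509_SMALL builds now take this branch, it is also worth confirming that whatever `args->totalCerts` indexes stays bounded independently of a caller-configured depth; that storage is not visible in the hunk. The function body starts and ends outside the hunk.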
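Review bot: In the `ASN_PARSE_E`/`BUFFER_E` branch (-9610) the fatal `bad_certificate` alert sits inside the compatibility-layer guard and its return value is dropped, so whether the peer is told about a rejected certificate depends on an API-compat macro rather than on the handshake outcome. The `args->fatal` block at -9820 has the same shape. Widening the guard therefore changes on-the-wire behaviour for `OPENSSL_EXTRA_X509_SMALL` builds, which the commit message does not mention. Consider keeping only the `peerVerifyRet` assignment under the `#if`, and make the ignored result explicit with `(void)SendAlert(ssl, alert_fatal, bad_certificate);` plus a short comment saying why a send failure is not acted on. The enclosing function continues outside the hunk.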
@@ -9743,7 +9745,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (ret != 0) { WOLFSSL_MSG("\tCRL check not ok"); args->fatal = 0; - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; #endif } @@ -9820,7 +9822,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (args->fatal) { ssl->error = ret; - #ifdef OPENSSL_EXTRA + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) SendAlert(ssl, alert_fatal, bad_certificate); ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; #endif @@ -10064,7 +10066,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, ret = args->lastErr; } - #if defined(OPENSSL_EXTRA) + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) if (args->untrustedDepth > ssl->options.verifyDepth) { ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; ret = MAX_CHAIN_ERROR; diff --git a/src/ssl.c b/src/ssl.c index bc0eb9bc3..28082b81c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5756,7 +5756,7 @@ WOLFSSL_API int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm, CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest) { int ret; - + WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple"); if (cm == NULL || response == NULL) return BAD_FUNC_ARG; @@ -12383,8 +12383,10 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (bio->close) { if (bio->ssl) wolfSSL_free(bio->ssl); + #ifdef CloseSocket if (bio->fd) CloseSocket(bio->fd); + #endif } #ifndef NO_FILESYSTEM 
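Review bot: With the new `#ifdef CloseSocket` around `if (bio->fd) CloseSocket(bio->fd);` (-12383), a build where `CloseSocket` is not a preprocessor macro silently skips closing the descriptor even though `bio->close` is set, so this cleanup path leaks the socket with no diagnostic. `#ifdef` only sees macros, so a port that supplies `CloseSocket` as a function would lose the close as well. Add an `#else` that at least logs, e.g. `WOLFSSL_MSG("CloseSocket not available, bio->fd left open");`, or key the guard on the feature macro that actually removes socket support. Separately, `if (bio->fd)` treats descriptor 0 as "no socket", which deserves a comment if it is intentional. The enclosing function starts outside the hunk.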
@@ -15313,7 +15315,10 @@ WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509, const byte* in, int len) #endif /* KEEP_PEER_CERT || SESSION_CERTS || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ -#if defined(OPENSSL_ALL) || defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) + + +#if defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || \ + defined(SESSION_CERTS) /* return the next, if any, altname from the peer cert */ char* wolfSSL_X509_get_next_altname(WOLFSSL_X509* cert) { @@ -15334,7 +15339,6 @@ WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509, const byte* in, int len) return ret; } - int wolfSSL_X509_get_isCA(WOLFSSL_X509* x509) { int isCA = 0; @@ -16074,7 +16078,8 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer( /* OPENSSL_EXTRA is needed for wolfSSL_X509_d21 function KEEP_OUR_CERT is to insure ability for returning ssl certificate */ -#if defined(OPENSSL_EXTRA) && defined(KEEP_OUR_CERT) +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ + defined(KEEP_OUR_CERT) WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) { if (ssl == NULL) { @@ -21148,6 +21153,9 @@ WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char * } #endif /* HAVE_OCSP */ +#endif /* OPENSSL_EXTRA */ + +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) long wolfSSL_get_verify_result(const WOLFSSL *ssl) { if (ssl == NULL) { @@ -21156,7 +21164,9 @@ long wolfSSL_get_verify_result(const WOLFSSL *ssl) return ssl->peerVerifyRet; } +#endif +#ifdef OPENSSL_EXTRA #ifndef NO_WOLFSSL_STUB /* shows the number of accepts attempted by CTX in it's lifetime */ diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index b1d8ab348..f92d4e8d4 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c 
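Review bot: The comment above the `wolfSSL_get_certificate` guard (-16074) still says `OPENSSL_EXTRA` is needed, which no longer matches the widened condition, and it names `wolfSSL_X509_d21` where the function shown earlier in this file is `wolfSSL_X509_d2i`. Suggested wording: `/* OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL is needed for wolfSSL_X509_d2i; KEEP_OUR_CERT is needed so the local certificate can be returned */`.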
@@ -738,7 +738,7 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_decrypt(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen) { - int len; + int len = 0; if (ctx == NULL) return 0; WOLFSSL_ENTER("EVP_PKEY_decrypt"); @@ -809,7 +809,7 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_encrypt(WOLFSSL_EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen) { - int len; + int len = 0; if (ctx == NULL) return WOLFSSL_FAILURE; WOLFSSL_ENTER("EVP_PKEY_encrypt"); if (ctx->op != EVP_PKEY_OP_ENCRYPT) return WOLFSSL_FAILURE; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 0df7ae611..d245277f3 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -13470,9 +13470,13 @@ int openssl_test(void) testVector a, b, c, d, e, f; byte hash[WC_SHA256_DIGEST_SIZE*2]; /* max size */ + a.inLen = 0; + b = c = d = e = f = a; + (void)a; (void)b; (void)c; + (void)d; (void)e; (void)f; diff --git a/wolfssl/callbacks.h b/wolfssl/callbacks.h index 77c88a9dc..619f8d2ac 100644 --- a/wolfssl/callbacks.h +++ b/wolfssl/callbacks.h @@ -52,7 +52,7 @@ typedef struct handShakeInfo_st { } HandShakeInfo; -#ifdef HAVE_SYS_TIME_H +#if defined(HAVE_SYS_TIME_H) && !defined(NO_TIMEVAL) typedef struct timeval Timeval; #else /* HAVE_SYS_TIME_H */ /* Define the Timeval explicitly. */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c657f299c..a494c5464 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1815,7 +1815,7 @@ struct WOLFSSL_OCSP { int(*statusCb)(WOLFSSL*, void*); #endif }; -#endif +#endif #ifndef MAX_DATE_SIZE #define MAX_DATE_SIZE 32 @@ -3306,7 +3306,7 @@ typedef struct Options { #if defined(HAVE_ECC) || defined(HAVE_ED25519) short minEccKeySz; /* minimum ECC key size */ #endif -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) byte verifyDepth; /* maximum verification depth */ #endif #ifdef WOLFSSL_EARLY_DATA 
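Review bot: In openssl_test (-13470), `a.inLen = 0; b = c = d = e = f = a;` silences the warning by copying a struct whose remaining members are still indeterminate, which some analysers will flag in turn. Zeroing the whole vector first is clearer and keeps the copies well-defined: `XMEMSET(&a, 0, sizeof(a));` followed by the existing `b = c = d = e = f = a;`. The function body continues outside the hunk.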
@@ -3697,7 +3697,11 @@ struct WOLFSSL { WOLFSSL_BIO* biord; /* socket bio read to free/close */ WOLFSSL_BIO* biowr; /* socket bio write to free/close */ byte sessionCtx[ID_LEN]; /* app session context ID */ +#endif +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) unsigned long peerVerifyRet; +#endif +#ifdef OPENSSL_EXTRA byte readAhead; byte sessionCtxSz; /* size of sessionCtx stored */ #ifdef HAVE_PK_CALLBACKS diff --git a/wolfssl/openssl/md5.h b/wolfssl/openssl/md5.h index 1e60b7e9b..cf77bc9fb 100644 --- a/wolfssl/openssl/md5.h +++ b/wolfssl/openssl/md5.h @@ -41,7 +41,12 @@ typedef struct WOLFSSL_MD5_CTX { - void* holder[(112 + WC_ASYNC_DEV_SIZE) / sizeof(void*)]; /* big enough to hold wolfcrypt md5, but check on init */ + /* big enough to hold wolfcrypt md5, but check on init */ +#ifdef STM32_HASH + void* holder[(112 + WC_ASYNC_DEV_SIZE + sizeof(STM32_HASH_Context)) / sizeof(void*)]; +#else + void* holder[(112 + WC_ASYNC_DEV_SIZE) / sizeof(void*)]; +#endif } WOLFSSL_MD5_CTX; WOLFSSL_API int wolfSSL_MD5_Init(WOLFSSL_MD5_CTX*); diff --git a/wolfssl/openssl/sha.h b/wolfssl/openssl/sha.h index ba84ebb96..485cf96fc 100644 --- a/wolfssl/openssl/sha.h +++ b/wolfssl/openssl/sha.h @@ -39,7 +39,11 @@ typedef struct WOLFSSL_SHA_CTX { /* big enough to hold wolfcrypt Sha, but check on init */ +#if defined(STM32_HASH) + void* holder[(112 + WC_ASYNC_DEV_SIZE + sizeof(STM32_HASH_Context)) / sizeof(void*)]; +#else void* holder[(112 + WC_ASYNC_DEV_SIZE) / sizeof(void*)]; +#endif #ifdef WOLF_CRYPTO_CB void* cryptocb_holder[(sizeof(int) + sizeof(void*) + 4) / sizeof(void*)]; #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index d768b041b..d63c9171b 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
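Review bot: The `holder` size in WOLFSSL_MD5_CTX, and identically in WOLFSSL_SHA_CTX in sha.h, divides the byte total by `sizeof(void*)` and so rounds down. Once `sizeof(STM32_HASH_Context)` is part of the sum the total is no longer a hand-picked constant, and an under-sized opaque context would let the wrapped hash state be written past the end of the buffer. The existing comment says the size is checked on init, but that check is not in this diff. Rounding up removes the dependency on the struct's size: `void* holder[(112 + WC_ASYNC_DEV_SIZE + sizeof(STM32_HASH_Context) + sizeof(void*) - 1) / sizeof(void*)];`. Both headers also need `STM32_HASH_Context` declared before this point when `STM32_HASH` is defined; the include that provides it is not visible here.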
@@ -1128,7 +1128,8 @@ enum { WOLFSSL_CRL_CHECK = 27, }; -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER) /* seperated out from other enums because of size */ enum { SSL_OP_MICROSOFT_SESS_ID_BUG = 0x00000001, @@ -1768,7 +1769,8 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL*, void* key, unsigned int len, const unsigned char*, long); WOLFSSL_API int wolfSSL_UnloadCertsKeys(WOLFSSL*); - #if defined(OPENSSL_EXTRA) && defined(KEEP_OUR_CERT) + #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ + defined(KEEP_OUR_CERT) WOLFSSL_API WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl); #endif #endif diff --git a/wolfssl/test.h b/wolfssl/test.h index b9771ad5f..4f9bb5619 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -11,7 +11,8 @@ #include #include #include -#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS) +#if defined(SHOW_CERTS) && \ + (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) #include /* for domain component NID value */ #endif @@ -576,7 +577,7 @@ static const char* client_showpeer_msg[][8] = { #endif }; -#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) +#if defined(KEEP_PEER_CERT) || defined(KEEP_OUR_CERT) || defined(SESSION_CERTS) static const char* client_showx509_msg[][5] = { /* English */ { @@ -643,13 +644,12 @@ static WC_INLINE void ShowX509Ex(WOLFSSL_X509* x509, const char* hdr, XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL); -#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS) +#if defined(SHOW_CERTS) && defined(OPENSSL_EXTRA) { WOLFSSL_BIO* bio; char buf[256]; /* should be size of ASN_NAME_MAX */ int textSz; - /* print out domain component if certificate has it */ textSz = wolfSSL_X509_NAME_get_text_by_NID( wolfSSL_X509_get_subject_name(x509), NID_domainComponent, 
@@ -665,7 +665,7 @@ static WC_INLINE void ShowX509Ex(WOLFSSL_X509* x509, const char* hdr, wolfSSL_BIO_free(bio); } } -#endif +#endif /* SHOW_CERTS && OPENSSL_EXTRA */ } /* original ShowX509 to maintain compatibility */ static WC_INLINE void ShowX509(WOLFSSL_X509* x509, const char* hdr) @@ -673,9 +673,10 @@ static WC_INLINE void ShowX509(WOLFSSL_X509* x509, const char* hdr) ShowX509Ex(x509, hdr, 0); } -#endif /* KEEP_PEER_CERT || SESSION_CERTS */ +#endif /* KEEP_PEER_CERT || KEEP_OUR_CERT || SESSION_CERTS */ -#if defined(SESSION_CERTS) && defined(SHOW_CERTS) +#if defined(SHOW_CERTS) && defined(SESSION_CERTS) && \ + (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) static WC_INLINE void ShowX509Chain(WOLFSSL_X509_CHAIN* chain, int count, const char* hdr) { @@ -697,7 +698,7 @@ static WC_INLINE void ShowX509Chain(WOLFSSL_X509_CHAIN* chain, int count, wolfSSL_FreeX509(chainX509); } } -#endif +#endif /* SHOW_CERTS && SESSION_CERTS */ /* lng_index is to specify the language for displaying message. */ /* 0:English, 1:Japanese */ @@ -720,10 +721,11 @@ static WC_INLINE void showPeerEx(WOLFSSL* ssl, int lng_index) printf("peer has no cert!\n"); wolfSSL_FreeX509(peer); #endif -#if defined(SHOW_CERTS) && defined(OPENSSL_EXTRA) && defined(KEEP_OUR_CERT) +#if defined(SHOW_CERTS) && defined(KEEP_OUR_CERT) && \ + (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) ShowX509(wolfSSL_get_certificate(ssl), "our cert info:"); printf("Peer verify result = %lu\n", wolfSSL_get_verify_result(ssl)); -#endif /* SHOW_CERTS */ +#endif /* SHOW_CERTS && KEEP_OUR_CERT */ printf("%s %s\n", words[0], wolfSSL_get_version(ssl)); cipher = wolfSSL_get_current_cipher(ssl); @@ -748,7 +750,8 @@ static WC_INLINE void showPeerEx(WOLFSSL* ssl, int lng_index) printf("%s\n", words[5]); #endif -#if defined(SESSION_CERTS) && defined(SHOW_CERTS) +#if defined(SHOW_CERTS) && defined(SESSION_CERTS) && \ + (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) { WOLFSSL_X509_CHAIN* chain; 
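Review bot: The block now enabled for `OPENSSL_EXTRA_X509_SMALL` in showPeerEx (-720) prints `wolfSSL_get_verify_result(ssl)` with `%lu`, but the ssl.c hunk in this commit shows that function returning `long`, so the format and argument types do not match. Use `printf("Peer verify result = %ld\n", wolfSSL_get_verify_result(ssl));` or cast the result to `unsigned long`. The same block passes `wolfSSL_get_certificate(ssl)` straight to `ShowX509`. Whether a NULL return is tolerated there is not visible in the diff, so a NULL check before the call would be a cheap safeguard in a debug helper. showPeerEx starts and ends outside the hunk.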
@@ -762,7 +765,7 @@ static WC_INLINE void showPeerEx(WOLFSSL* ssl, int lng_index) } #endif } -#endif /* SESSION_CERTS && SHOW_CERTS */ +#endif /* SHOW_CERTS && SESSION_CERTS */ (void)ssl; } /* original showPeer to maintain compatibility */ @@ -1687,8 +1690,8 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store) printf("\t\tCert %d: Ptr %p, Len %u\n", i, cert->buffer, cert->length); } } - #endif -#endif + #endif /* SHOW_CERTS */ +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ printf("\tSubject's domain name at %d is %s\n", store->error_depth, store->domain);