From 1db3dbcc28ffef3bcbb90f828bb96e26093120f0 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 25 Jun 2025 13:54:07 -0700 Subject: [PATCH] Improvement to allow building OPENSSL_EXTRA without KEEP_PEER_CERT. Workaround to avoid large WOLFSSL structure size with compatibility layer enabled (the struct WOLFSSL_X509 is over 5KB). Note: May investigate way to place into heap instead. Fix issues building compatibility layer without MD5. --- .wolfssl_known_macro_extras | 1 + examples/client/client.c | 5 +++-- src/pk.c | 25 ++++++++++++++++++------- src/ssl.c | 11 ++++++----- tests/api.c | 22 ++++++++++++++-------- wolfssl/internal.h | 5 +++-- wolfssl/wolfcrypt/settings.h | 2 +- 7 files changed, 46 insertions(+), 25 deletions(-) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 6956c1d35..afd65480f 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -368,6 +368,7 @@ NO_GETENV NO_HANDSHAKE_DONE_CB NO_IMX6_CAAM_AES NO_IMX6_CAAM_HASH +NO_KEEP_PEER_CERT NO_OLD_NAMES NO_OLD_POLY1305 NO_OLD_TIMEVAL_NAME diff --git a/examples/client/client.c b/examples/client/client.c index 89d2b161d..198ab5c70 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1718,7 +1718,8 @@ static const char* client_usage_msg[][78] = { static void showPeerPEM(WOLFSSL* ssl) { -#if defined(OPENSSL_ALL) && !defined(NO_BIO) && defined(WOLFSSL_CERT_GEN) +#if defined(OPENSSL_EXTRA) && defined(KEEP_PEER_CERT) && !defined(NO_BIO) && \ + defined(WOLFSSL_CERT_GEN) WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl); if (peer) { WOLFSSL_BIO* bioOut = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); @@ -1742,7 +1743,7 @@ static void showPeerPEM(WOLFSSL* ssl) wolfSSL_BIO_free(bioOut); } wolfSSL_FreeX509(peer); -#endif /* OPENSSL_ALL && WOLFSSL_CERT_GEN && !NO_BIO */ +#endif (void)ssl; } diff --git a/src/pk.c b/src/pk.c index 3136cf92b..c2d70d567 100644 --- a/src/pk.c +++ b/src/pk.c @@ -360,11 +360,13 @@ static int der_write_to_file_as_pem(const unsigned char* der, int derSz, * @param [in] passedSz Size of password in bytes. * @param [out] cipherInfo PEM cipher information lines. * @param [in] maxDerSz Maximum size of DER buffer. + * @param [in] hashType Hash algorithm * @return 1 on success. * @return 0 on error. */ int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* cipher, - unsigned char* passwd, int passwdSz, byte **cipherInfo, int maxDerSz) + unsigned char* passwd, int passwdSz, byte **cipherInfo, int maxDerSz, + int hashType) { int ret = 0; int paddingSz = 0; @@ -433,7 +435,7 @@ int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* cipher, /* Encrypt DER buffer. */ ret = wc_BufferKeyEncrypt(info, der, (word32)*derSz, passwd, passwdSz, - WC_MD5); + hashType); if (ret != 0) { WOLFSSL_MSG("encrypt key failed"); } @@ -504,6 +506,14 @@ static int der_to_enc_pem_alloc(unsigned char* der, int derSz, byte* tmp = NULL; byte* cipherInfo = NULL; int pemSz = 0; + int hashType = WC_HASH_TYPE_NONE; +#if !defined(NO_SHA256) + hashType = WC_SHA256; +#elif !defined(NO_SHA) + hashType = WC_SHA; +#elif !defined(NO_MD5) + hashType = WC_MD5; +#endif /* Macro doesn't always use it. */ (void)heap; @@ -536,7 +546,7 @@ static int der_to_enc_pem_alloc(unsigned char* der, int derSz, /* Encrypt DER inline. */ ret = EncryptDerKey(der, &derSz, cipher, passwd, passwdSz, - &cipherInfo, derSz + blockSz); + &cipherInfo, derSz + blockSz, hashType); if (ret != 1) { WOLFSSL_ERROR_MSG("EncryptDerKey failed"); } @@ -5978,7 +5988,8 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, unsigned char* passwd, int passwdSz, unsigned char **pem, int *pLen) { -#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) +#if (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) && \ + !defined(NO_MD5) byte *derBuf, *tmp, *cipherInfo = NULL; int der_max_len = 0, derSz = 0; const int type = DSA_PRIVATEKEY_TYPE; @@ -6024,8 +6035,8 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, if (passwd != NULL && passwdSz > 0 && cipher != NULL) { int ret; - ret = EncryptDerKey(derBuf, &derSz, cipher, - passwd, passwdSz, &cipherInfo, der_max_len); + ret = EncryptDerKey(derBuf, &derSz, cipher, passwd, passwdSz, + &cipherInfo, der_max_len, WC_MD5); if (ret != 1) { WOLFSSL_MSG("EncryptDerKey failed"); XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); @@ -6086,7 +6097,7 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, (void)pem; (void)pLen; return 0; -#endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */ +#endif /* (WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM) && !NO_MD5 */ } #ifndef NO_FILESYSTEM diff --git a/src/ssl.c b/src/ssl.c index 8d80883e4..56882dbf0 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -11447,8 +11447,10 @@ const char *wolfSSL_get0_peername(WOLFSSL *ssl) { return (const char *)ssl->buffers.domainName.buffer; else if (ssl->session && ssl->session->peer) return ssl->session->peer->subjectCN; +#ifdef KEEP_PEER_CERT else if (ssl->peerCert.subjectCN[0]) return ssl->peerCert.subjectCN; +#endif else { ssl->error = NO_PEER_CERT; return NULL; @@ -14634,7 +14636,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl) return sk; } - +#ifdef KEEP_PEER_CERT /** * Implemented in a similar way that ngx_ssl_ocsp_validate does it when * SSL_get0_verified_chain is not available. @@ -14695,6 +14697,7 @@ WOLF_STACK_OF(WOLFSSL_X509) *wolfSSL_get0_verified_chain(const WOLFSSL *ssl) wolfSSL_X509_STORE_CTX_free(storeCtx); return chain; } +#endif /* KEEP_PEER_CERT */ #endif /* SESSION_CERTS && OPENSSL_EXTRA */ #ifndef NO_CERTS @@ -18405,9 +18408,8 @@ int wolfSSL_sk_SSL_COMP_num(WOLF_STACK_OF(WOLFSSL_COMP)* sk) #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ -#ifdef OPENSSL_EXTRA - -#if defined(HAVE_EX_DATA) && !defined(NO_FILESYSTEM) +#if defined(OPENSSL_EXTRA) && defined(KEEP_PEER_CERT) && \ + defined(HAVE_EX_DATA) && !defined(NO_FILESYSTEM) int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname) { int ret = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR); @@ -18478,7 +18480,6 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname) return ret; } #endif -#endif /* OPENSSL_EXTRA */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) const WOLFSSL_ObjectInfo wolfssl_object_info[] = { diff --git a/tests/api.c b/tests/api.c index 64df1c3d4..fd2643c0e 100644 --- a/tests/api.c +++ b/tests/api.c @@ -10267,9 +10267,11 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl) * for all connections. TLS 1.3 only has tickets so if we don't * include the session id in the ticket then the certificates * will not be available on resumption. */ + #ifdef KEEP_PEER_CERT WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl); AssertNotNull(peer); wolfSSL_X509_free(peer); + #endif AssertNotNull(wolfSSL_SESSION_get_peer_chain(*sess)); #ifdef OPENSSL_EXTRA AssertNotNull(SSL_SESSION_get0_peer(*sess)); @@ -10668,9 +10670,11 @@ static int twcase_server_sess_ctx_pre_shutdown(WOLFSSL* ssl) * for all connections. TLS 1.3 only has tickets so if we don't * include the session id in the ticket then the certificates * will not be available on resumption. */ + #ifdef KEEP_PEER_CERT WOLFSSL_X509* peer = NULL; ExpectNotNull(peer = wolfSSL_get_peer_certificate(ssl)); wolfSSL_X509_free(peer); + #endif ExpectNotNull(wolfSSL_SESSION_get_peer_chain(*sess)); } #endif @@ -10697,10 +10701,11 @@ static int twcase_client_sess_ctx_pre_shutdown(WOLFSSL* ssl) wolfSSL_session_reused(ssl)) #endif { - + #ifdef KEEP_PEER_CERT WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl); ExpectNotNull(peer); wolfSSL_X509_free(peer); + #endif ExpectNotNull(wolfSSL_SESSION_get_peer_chain(*sess)); #ifdef OPENSSL_EXTRA ExpectNotNull(wolfSSL_SESSION_get0_peer(*sess)); @@ -30247,16 +30252,16 @@ static int msgSrvCb(SSL_CTX *ctx, SSL *ssl) #endif #if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO) +#ifdef KEEP_PEER_CERT { WOLFSSL_X509* peer = NULL; - ExpectNotNull(peer= wolfSSL_get_peer_certificate(ssl)); ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); - fprintf(stderr, "Peer Certificate = :\n"); - X509_print(bio,peer); + X509_print(bio, peer); X509_free(peer); } +#endif ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl)); if (sk == NULL) { @@ -53654,8 +53659,8 @@ static int test_wolfSSL_PEM_write_RSAPrivateKey(void) { EXPECT_DECLS; #if !defined(NO_RSA) && defined(OPENSSL_EXTRA) && defined(WOLFSSL_KEY_GEN) && \ - (defined(WOLFSSL_PEM_TO_DER) || \ - defined(WOLFSSL_DER_TO_PEM)) && !defined(NO_FILESYSTEM) + (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) && \ + !defined(NO_FILESYSTEM) RSA* rsa = NULL; #ifdef USE_CERT_BUFFERS_1024 const unsigned char* privDer = client_key_der_1024; @@ -53685,12 +53690,13 @@ static int test_wolfSSL_PEM_write_RSAPrivateKey(void) ExpectIntEQ(wolfSSL_PEM_write_RSAPrivateKey(stderr, rsa, NULL, NULL, 0, NULL, NULL), 1); -#ifndef NO_AES +#if !defined(NO_AES) && defined(HAVE_AES_CBC) ExpectIntEQ(wolfSSL_PEM_write_RSAPrivateKey(stderr, rsa, EVP_aes_128_cbc(), NULL, 0, NULL, NULL), 1); ExpectIntEQ(wolfSSL_PEM_write_RSAPrivateKey(stderr, rsa, EVP_aes_128_cbc(), passwd, sizeof(passwd) - 1, NULL, NULL), 1); #endif + RSA_free(rsa); #endif return EXPECT_RESULT(); @@ -53736,7 +53742,7 @@ static int test_wolfSSL_PEM_write_mem_RSAPrivateKey(void) &plen), 1); XFREE(pem, NULL, DYNAMIC_TYPE_KEY); pem = NULL; -#ifndef NO_AES +#if !defined(NO_AES) && defined(HAVE_AES_CBC) ExpectIntEQ(wolfSSL_PEM_write_mem_RSAPrivateKey(rsa, EVP_aes_128_cbc(), NULL, 0, &pem, &plen), 1); XFREE(pem, NULL, DYNAMIC_TYPE_KEY); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ca9d4620b..a6ee640c1 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -7134,8 +7134,9 @@ WOLFSSL_LOCAL WC_RNG* wolfssl_make_global_rng(void); #if !defined(WOLFCRYPT_ONLY) && defined(OPENSSL_EXTRA) #if defined(WOLFSSL_KEY_GEN) && defined(WOLFSSL_PEM_TO_DER) -WOLFSSL_LOCAL int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* cipher, - unsigned char* passwd, int passwdSz, byte **cipherInfo, int maxDerSz); +WOLFSSL_LOCAL int EncryptDerKey(byte *der, int *derSz, + const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, + byte **cipherInfo, int maxDerSz, int hashType); #endif #endif diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index ebca35213..a3c85b643 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3913,7 +3913,7 @@ extern void uITRON4_free(void *p) ; /* Parts of the openssl compatibility layer require peer certs */ #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ - defined(HAVE_LIGHTY)) && !defined(NO_CERTS) + defined(HAVE_LIGHTY)) && !defined(NO_CERTS) && !defined(NO_KEEP_PEER_CERT) #undef KEEP_PEER_CERT #define KEEP_PEER_CERT #endif