wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-04 05:04:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8926 from dgarske/various_20250625

Browse Source 
Improvement to allow building OPENSSL_EXTRA without KEEP_PEER_CERT
This commit is contained in:
Daniel Pouzzner
2025-06-27 22:29:24 -05:00
committed by GitHub
parent 89148f98b0 1db3dbcc28
commit 1127dabe98
7 changed files with 46 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.wolfssl_known_macro_extras
View File

@@ -368,6 +368,7 @@ NO_GETENV
NO_HANDSHAKE_DONE_CB
NO_IMX6_CAAM_AES
NO_IMX6_CAAM_HASH
NO_KEEP_PEER_CERT
NO_OLD_NAMES
NO_OLD_POLY1305
NO_OLD_TIMEVAL_NAME

5
examples/client/client.c
View File

@@ -1718,7 +1718,8 @@ static const char* client_usage_msg[][78] = {
static void showPeerPEM(WOLFSSL* ssl)
{
#if defined(OPENSSL_ALL) && !defined(NO_BIO) && defined(WOLFSSL_CERT_GEN)
#if defined(OPENSSL_EXTRA) && defined(KEEP_PEER_CERT) && !defined(NO_BIO) && \
defined(WOLFSSL_CERT_GEN)
WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl);
if (peer) {
WOLFSSL_BIO* bioOut = wolfSSL_BIO_new(wolfSSL_BIO_s_file());
@@ -1742,7 +1743,7 @@ static void showPeerPEM(WOLFSSL* ssl)
wolfSSL_BIO_free(bioOut);
}
wolfSSL_FreeX509(peer);
#endif /* OPENSSL_ALL && WOLFSSL_CERT_GEN && !NO_BIO */
#endif
(void)ssl;
}

25
src/pk.c
View File

@@ -360,11 +360,13 @@ static int der_write_to_file_as_pem(const unsigned char* der, int derSz,
* @param [in] passedSz Size of password in bytes.
* @param [out] cipherInfo PEM cipher information lines.
* @param [in] maxDerSz Maximum size of DER buffer.
* @param [in] hashType Hash algorithm
* @return 1 on success.
* @return 0 on error.
*/
int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* cipher,
unsigned char* passwd, int passwdSz, byte **cipherInfo, int maxDerSz)
unsigned char* passwd, int passwdSz, byte **cipherInfo, int maxDerSz,
int hashType)
{
int ret = 0;
int paddingSz = 0;
@@ -433,7 +435,7 @@ int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* cipher,
/* Encrypt DER buffer. */
ret = wc_BufferKeyEncrypt(info, der, (word32)*derSz, passwd, passwdSz,
WC_MD5);
hashType);
if (ret != 0) {
WOLFSSL_MSG("encrypt key failed");
}
@@ -504,6 +506,14 @@ static int der_to_enc_pem_alloc(unsigned char* der, int derSz,
byte* tmp = NULL;
byte* cipherInfo = NULL;
int pemSz = 0;
int hashType = WC_HASH_TYPE_NONE;
#if !defined(NO_SHA256)
hashType = WC_SHA256;
#elif !defined(NO_SHA)
hashType = WC_SHA;
#elif !defined(NO_MD5)
hashType = WC_MD5;
#endif
/* Macro doesn't always use it. */
(void)heap;
@@ -536,7 +546,7 @@ static int der_to_enc_pem_alloc(unsigned char* der, int derSz,
/* Encrypt DER inline. */
ret = EncryptDerKey(der, &derSz, cipher, passwd, passwdSz,
&cipherInfo, derSz + blockSz);
&cipherInfo, derSz + blockSz, hashType);
if (ret != 1) {
WOLFSSL_ERROR_MSG("EncryptDerKey failed");
}
@@ -5978,7 +5988,8 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa,
unsigned char* passwd, int passwdSz,
unsigned char **pem, int *pLen)
{
#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)
#if (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) && \
!defined(NO_MD5)
byte *derBuf, *tmp, *cipherInfo = NULL;
int der_max_len = 0, derSz = 0;
const int type = DSA_PRIVATEKEY_TYPE;
@@ -6024,8 +6035,8 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa,
if (passwd != NULL && passwdSz > 0 && cipher != NULL) {
int ret;
ret = EncryptDerKey(derBuf, &derSz, cipher,
passwd, passwdSz, &cipherInfo, der_max_len);
ret = EncryptDerKey(derBuf, &derSz, cipher, passwd, passwdSz,
&cipherInfo, der_max_len, WC_MD5);
if (ret != 1) {
WOLFSSL_MSG("EncryptDerKey failed");
XFREE(derBuf, NULL, DYNAMIC_TYPE_DER);
@@ -6086,7 +6097,7 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa,
(void)pem;
(void)pLen;
return 0;
#endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */
#endif /* (WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM) && !NO_MD5 */
}
#ifndef NO_FILESYSTEM

11
src/ssl.c
View File

@@ -11447,8 +11447,10 @@ const char *wolfSSL_get0_peername(WOLFSSL *ssl) {
return (const char *)ssl->buffers.domainName.buffer;
else if (ssl->session && ssl->session->peer)
return ssl->session->peer->subjectCN;
#ifdef KEEP_PEER_CERT
else if (ssl->peerCert.subjectCN[0])
return ssl->peerCert.subjectCN;
#endif
else {
ssl->error = NO_PEER_CERT;
return NULL;
@@ -14634,7 +14636,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl)
return sk;
}
#ifdef KEEP_PEER_CERT
/**
* Implemented in a similar way that ngx_ssl_ocsp_validate does it when
* SSL_get0_verified_chain is not available.
@@ -14695,6 +14697,7 @@ WOLF_STACK_OF(WOLFSSL_X509) *wolfSSL_get0_verified_chain(const WOLFSSL *ssl)
wolfSSL_X509_STORE_CTX_free(storeCtx);
return chain;
}
#endif /* KEEP_PEER_CERT */
#endif /* SESSION_CERTS && OPENSSL_EXTRA */
#ifndef NO_CERTS
@@ -18405,9 +18408,8 @@ int wolfSSL_sk_SSL_COMP_num(WOLF_STACK_OF(WOLFSSL_COMP)* sk)
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
#ifdef OPENSSL_EXTRA
#if defined(HAVE_EX_DATA) && !defined(NO_FILESYSTEM)
#if defined(OPENSSL_EXTRA) && defined(KEEP_PEER_CERT) && \
defined(HAVE_EX_DATA) && !defined(NO_FILESYSTEM)
int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
{
int ret = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR);
@@ -18478,7 +18480,6 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
return ret;
}
#endif
#endif /* OPENSSL_EXTRA */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
const WOLFSSL_ObjectInfo wolfssl_object_info[] = {

20
tests/api.c
View File

@@ -10307,9 +10307,11 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
* for all connections. TLS 1.3 only has tickets so if we don't
* include the session id in the ticket then the certificates
* will not be available on resumption. */
#ifdef KEEP_PEER_CERT
WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl);
AssertNotNull(peer);
wolfSSL_X509_free(peer);
#endif
AssertNotNull(wolfSSL_SESSION_get_peer_chain(*sess));
#ifdef OPENSSL_EXTRA
AssertNotNull(SSL_SESSION_get0_peer(*sess));
@@ -10708,9 +10710,11 @@ static int twcase_server_sess_ctx_pre_shutdown(WOLFSSL* ssl)
* for all connections. TLS 1.3 only has tickets so if we don't
* include the session id in the ticket then the certificates
* will not be available on resumption. */
#ifdef KEEP_PEER_CERT
WOLFSSL_X509* peer = NULL;
ExpectNotNull(peer = wolfSSL_get_peer_certificate(ssl));
wolfSSL_X509_free(peer);
#endif
ExpectNotNull(wolfSSL_SESSION_get_peer_chain(*sess));
}
#endif
@@ -10737,10 +10741,11 @@ static int twcase_client_sess_ctx_pre_shutdown(WOLFSSL* ssl)
wolfSSL_session_reused(ssl))
#endif
{
#ifdef KEEP_PEER_CERT
WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl);
ExpectNotNull(peer);
wolfSSL_X509_free(peer);
#endif
ExpectNotNull(wolfSSL_SESSION_get_peer_chain(*sess));
#ifdef OPENSSL_EXTRA
ExpectNotNull(wolfSSL_SESSION_get0_peer(*sess));
@@ -30287,16 +30292,16 @@ static int msgSrvCb(SSL_CTX *ctx, SSL *ssl)
#endif
#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO)
#ifdef KEEP_PEER_CERT
{
WOLFSSL_X509* peer = NULL;
ExpectNotNull(peer= wolfSSL_get_peer_certificate(ssl));
ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE));
fprintf(stderr, "Peer Certificate = :\n");
X509_print(bio, peer);
X509_free(peer);
}
#endif
ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl));
if (sk == NULL) {
@@ -53684,8 +53689,8 @@ static int test_wolfSSL_PEM_write_RSAPrivateKey(void)
{
EXPECT_DECLS;
#if !defined(NO_RSA) && defined(OPENSSL_EXTRA) && defined(WOLFSSL_KEY_GEN) && \
(defined(WOLFSSL_PEM_TO_DER) || \
defined(WOLFSSL_DER_TO_PEM)) && !defined(NO_FILESYSTEM)
(defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) && \
!defined(NO_FILESYSTEM)
RSA* rsa = NULL;
#ifdef USE_CERT_BUFFERS_1024
const unsigned char* privDer = client_key_der_1024;
@@ -53715,12 +53720,13 @@ static int test_wolfSSL_PEM_write_RSAPrivateKey(void)
ExpectIntEQ(wolfSSL_PEM_write_RSAPrivateKey(stderr, rsa, NULL, NULL, 0,
NULL, NULL), 1);
#ifndef NO_AES
#if !defined(NO_AES) && defined(HAVE_AES_CBC)
ExpectIntEQ(wolfSSL_PEM_write_RSAPrivateKey(stderr, rsa, EVP_aes_128_cbc(),
NULL, 0, NULL, NULL), 1);
ExpectIntEQ(wolfSSL_PEM_write_RSAPrivateKey(stderr, rsa, EVP_aes_128_cbc(),
passwd, sizeof(passwd) - 1, NULL, NULL), 1);
#endif
RSA_free(rsa);
#endif
return EXPECT_RESULT();
@@ -53766,7 +53772,7 @@ static int test_wolfSSL_PEM_write_mem_RSAPrivateKey(void)
&plen), 1);
XFREE(pem, NULL, DYNAMIC_TYPE_KEY);
pem = NULL;
#ifndef NO_AES
#if !defined(NO_AES) && defined(HAVE_AES_CBC)
ExpectIntEQ(wolfSSL_PEM_write_mem_RSAPrivateKey(rsa, EVP_aes_128_cbc(),
NULL, 0, &pem, &plen), 1);
XFREE(pem, NULL, DYNAMIC_TYPE_KEY);

5
wolfssl/internal.h
View File

@@ -7149,8 +7149,9 @@ WOLFSSL_LOCAL WC_RNG* wolfssl_make_global_rng(void);
#if !defined(WOLFCRYPT_ONLY) && defined(OPENSSL_EXTRA)
#if defined(WOLFSSL_KEY_GEN) && defined(WOLFSSL_PEM_TO_DER)
WOLFSSL_LOCAL int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* cipher,
unsigned char* passwd, int passwdSz, byte **cipherInfo, int maxDerSz);
WOLFSSL_LOCAL int EncryptDerKey(byte *der, int *derSz,
const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz,
byte **cipherInfo, int maxDerSz, int hashType);
#endif
#endif

2
wolfssl/wolfcrypt/settings.h
View File

@@ -3916,7 +3916,7 @@ extern void uITRON4_free(void *p) ;
/* Parts of the openssl compatibility layer require peer certs */
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
defined(HAVE_LIGHTY)) && !defined(NO_CERTS)
defined(HAVE_LIGHTY)) && !defined(NO_CERTS) && !defined(NO_KEEP_PEER_CERT)
#undef KEEP_PEER_CERT
#define KEEP_PEER_CERT
#endif