diff --git a/configure.ac b/configure.ac index 1800ba856..8245723ab 100644 --- a/configure.ac +++ b/configure.ac @@ -954,16 +954,12 @@ then AM_CFLAGS="-DHAVE_EXT_CACHE $AM_CFLAGS" fi -if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "$ENABLED_SMALL" = "yes" -then - AC_MSG_ERROR([cannot enable small and opensslextra, only one or the other.]) -fi - if test "$ENABLED_OPENSSLEXTRA" = "x509small" then AC_MSG_NOTICE([Enabling only a subset of X509 opensslextra]) AM_CFLAGS="-DOPENSSL_EXTRA_X509_SMALL $AM_CFLAGS" AM_CFLAGS="-DWOLFSSL_EKU_OID -DWOLFSSL_MULTI_ATTRIB $AM_CFLAGS" + AM_CFLAGS="-DWOLFSSL_NO_OPENSSL_RAND_CB $AM_CFLAGS" fi # One Error Queue per Thread @@ -5208,11 +5204,6 @@ if test "$ENABLED_SP_NONBLOCK" = "yes"; then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_NONBLOCK" AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_NONBLOCK" fi -if test "$ENABLED_SMALL" = "yes"; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_SMALL" - AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_SP_SMALL" -fi - if test "$ENABLED_SP_MATH" = "yes"; then if test "$ENABLED_SP" = "no"; then diff --git a/src/ssl.c b/src/ssl.c index 5bcbe43ee..7432ffe73 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -151,9 +151,17 @@ #ifndef WOLFCRYPT_ONLY #ifdef OPENSSL_EXTRA -/* Global pointer to constant BN on */ -static WOLFSSL_BIGNUM* bn_one = NULL; -#endif + /* Global pointer to constant BN on */ + static WOLFSSL_BIGNUM* bn_one = NULL; + + /* WOLFSSL_NO_OPENSSL_RAND_CB: Allows way to reduce code size for + * OPENSSL_EXTRA where RAND callbacks are not used */ + #ifndef WOLFSSL_NO_OPENSSL_RAND_CB + static const WOLFSSL_RAND_METHOD* gRandMethods = NULL; + static int gRandMethodsInit = 0; + static wolfSSL_Mutex gRandMethodMutex; + #endif /* !WOLFSSL_NO_OPENSSL_RAND_CB */ +#endif /* OPENSSL_EXTRA */ #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) const WOLF_EC_NIST_NAME kNistCurves[] = { @@ -4933,9 +4941,25 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) #if defined(OPENSSL_EXTRA) || \ (defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA)) -static WC_RNG globalRNG; -static int initGlobalRNG = 0; -static wolfSSL_Mutex globalRNGMutex; + + #define HAVE_GLOBAL_RNG /* consolidate flags for using globalRNG */ + static WC_RNG globalRNG; + static int initGlobalRNG = 0; + static wolfSSL_Mutex globalRNGMutex; +#endif + +#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) +static int wolfSSL_RAND_InitMutex(void) +{ + if (gRandMethodsInit == 0) { + if (wc_InitMutex(&gRandMethodMutex) != 0) { + WOLFSSL_MSG("Bad Init Mutex rand methods"); + return BAD_MUTEX_E; + } + gRandMethodsInit = 1; + } + return 0; +} #endif WOLFSSL_ABI @@ -4950,8 +4974,7 @@ int wolfSSL_Init(void) return WC_INIT_E; } -#if defined(OPENSSL_EXTRA) || \ - (defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA)) +#ifdef HAVE_GLOBAL_RNG if (wc_InitMutex(&globalRNGMutex) != 0) { WOLFSSL_MSG("Bad Init Mutex rng"); return BAD_MUTEX_E; @@ -4959,6 +4982,11 @@ int wolfSSL_Init(void) #endif #ifdef OPENSSL_EXTRA + #ifndef WOLFSSL_NO_OPENSSL_RAND_CB + if (wolfSSL_RAND_InitMutex() != 0) { + return BAD_MUTEX_E; + } + #endif if (wolfSSL_RAND_seed(NULL, 0) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("wolfSSL_RAND_Seed failed"); return WC_INIT_E; @@ -17816,24 +17844,62 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, #endif } + /* If a valid struct is provided with function pointers, will override + RAND_seed, bytes, cleanup, add, pseudo_bytes and status. If a NULL + pointer is passed in, it will cancel any previous function overrides. - int wolfSSL_RAND_status(void) + Returns WOLFSSL_SUCCESS on success, WOLFSSL_FAILURE on failure. */ + int wolfSSL_RAND_set_rand_method(const WOLFSSL_RAND_METHOD *methods) { - return WOLFSSL_SUCCESS; /* wolfCrypt provides enough seed internally */ + #ifndef WOLFSSL_NO_OPENSSL_RAND_CB + if (wolfSSL_RAND_InitMutex() == 0 && wc_LockMutex(&gRandMethodMutex) == 0) { + gRandMethods = methods; + wc_UnLockMutex(&gRandMethodMutex); + return WOLFSSL_SUCCESS; + } + #else + (void)methods; + #endif + return WOLFSSL_FAILURE; } + /* Returns WOLFSSL_SUCCESS if the RNG has been seeded with enough data */ + int wolfSSL_RAND_status(void) + { + int ret = WOLFSSL_SUCCESS; + #ifndef WOLFSSL_NO_OPENSSL_RAND_CB + if (wolfSSL_RAND_InitMutex() == 0 && wc_LockMutex(&gRandMethodMutex) == 0) { + if (gRandMethods && gRandMethods->status) + ret = gRandMethods->status(); + wc_UnLockMutex(&gRandMethodMutex); + } + else { + ret = WOLFSSL_FAILURE; + } + #else + /* wolfCrypt provides enough seed internally, so return success */ + #endif + return ret; + } - #ifndef NO_WOLFSSL_STUB void wolfSSL_RAND_add(const void* add, int len, double entropy) { + #ifndef WOLFSSL_NO_OPENSSL_RAND_CB + if (wolfSSL_RAND_InitMutex() == 0 && wc_LockMutex(&gRandMethodMutex) == 0) { + if (gRandMethods && gRandMethods->add) { + /* callback has return code, but RAND_add does not */ + (void)gRandMethods->add(add, len, entropy); + } + wc_UnLockMutex(&gRandMethodMutex); + } + #else + /* wolfSSL seeds/adds internally, use explicit RNG if you want + to take control */ (void)add; (void)len; (void)entropy; - WOLFSSL_STUB("RAND_add"); - /* wolfSSL seeds/adds internally, use explicit RNG if you want - to take control */ - } #endif + } #ifndef NO_DES3 /* 0 on ok */ @@ -31500,33 +31566,41 @@ WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng) */ static int wolfSSL_RAND_Init(void) { - if (wc_LockMutex(&globalRNGMutex) != 0) { - WOLFSSL_MSG("Bad Lock Mutex rng"); - return 0; - } - if (initGlobalRNG == 0) { - if (wc_InitRng(&globalRNG) < 0) { - WOLFSSL_MSG("wolfSSL Init Global RNG failed"); - wc_UnLockMutex(&globalRNGMutex); - return 0; + int ret = WOLFSSL_FAILURE; +#ifdef HAVE_GLOBAL_RNG + if (wc_LockMutex(&globalRNGMutex) == 0) { + if (initGlobalRNG == 0) { + ret = wc_InitRng(&globalRNG); + if (ret == 0) { + initGlobalRNG = 1; + ret = WOLFSSL_SUCCESS; + } } - initGlobalRNG = 1; + wc_UnLockMutex(&globalRNGMutex); } - - wc_UnLockMutex(&globalRNGMutex); - return WOLFSSL_SUCCESS; +#endif + return ret; } /* WOLFSSL_SUCCESS on ok */ int wolfSSL_RAND_seed(const void* seed, int len) { - - WOLFSSL_MSG("wolfSSL_RAND_seed"); - +#ifndef WOLFSSL_NO_OPENSSL_RAND_CB + if (wolfSSL_RAND_InitMutex() == 0 && wc_LockMutex(&gRandMethodMutex) == 0) { + if (gRandMethods && gRandMethods->seed) { + int ret = gRandMethods->seed(seed, len); + wc_UnLockMutex(&gRandMethodMutex); + return ret; + } + wc_UnLockMutex(&gRandMethodMutex); + } +#else (void)seed; (void)len; +#endif + /* Make sure global shared RNG (globalRNG) is initialized */ return wolfSSL_RAND_Init(); } @@ -31830,48 +31904,75 @@ int wolfSSL_RAND_egd(const char* nm) void wolfSSL_RAND_Cleanup(void) { - WOLFSSL_ENTER("wolfSSL_RAND_Cleanup()"); +#ifndef WOLFSSL_NO_OPENSSL_RAND_CB + if (wolfSSL_RAND_InitMutex() == 0 && wc_LockMutex(&gRandMethodMutex) == 0) { + if (gRandMethods && gRandMethods->cleanup) + gRandMethods->cleanup(); + wc_UnLockMutex(&gRandMethodMutex); + } - if (wc_LockMutex(&globalRNGMutex) != 0) { - WOLFSSL_MSG("Bad Lock Mutex rng"); - return; + if (wc_FreeMutex(&gRandMethodMutex) == 0) + gRandMethodsInit = 0; +#endif +#ifdef HAVE_GLOBAL_RNG + if (wc_LockMutex(&globalRNGMutex) == 0) { + if (initGlobalRNG) { + wc_FreeRng(&globalRNG); + initGlobalRNG = 0; + } + wc_UnLockMutex(&globalRNGMutex); } - if (initGlobalRNG != 0) { - wc_FreeRng(&globalRNG); - initGlobalRNG = 0; - } - wc_UnLockMutex(&globalRNGMutex); +#endif } - +/* returns WOLFSSL_SUCCESS if the bytes generated are valid otherwise WOLFSSL_FAILURE */ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num) { +#ifndef WOLFSSL_NO_OPENSSL_RAND_CB + if (wolfSSL_RAND_InitMutex() == 0 && wc_LockMutex(&gRandMethodMutex) == 0) { + if (gRandMethods && gRandMethods->pseudorand) { + int ret = gRandMethods->pseudorand(buf, num); + wc_UnLockMutex(&gRandMethodMutex); + return ret; + } + wc_UnLockMutex(&gRandMethodMutex); + } +#endif + + /* fallback to using the global shared RNG */ return wolfSSL_RAND_bytes(buf, num); } - -/* WOLFSSL_SUCCESS on ok */ +/* returns WOLFSSL_SUCCESS if the bytes generated are valid otherwise WOLFSSL_FAILURE */ int wolfSSL_RAND_bytes(unsigned char* buf, int num) { int ret = 0; - int initTmpRng = 0; WC_RNG* rng = NULL; #ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG; + WC_RNG* tmpRNG = NULL; #else WC_RNG tmpRNG[1]; #endif - int used_global = 0; + int initTmpRng = 0; int blockCount = 0; +#ifdef HAVE_GLOBAL_RNG + int used_global = 0; +#endif WOLFSSL_ENTER("wolfSSL_RAND_bytes"); -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return ret; + /* if a RAND callback has been set try and use it */ +#ifndef WOLFSSL_NO_OPENSSL_RAND_CB + if (wolfSSL_RAND_InitMutex() == 0 && wc_LockMutex(&gRandMethodMutex) == 0) { + if (gRandMethods && gRandMethods->bytes) { + ret = gRandMethods->bytes(buf, num); + wc_UnLockMutex(&gRandMethodMutex); + return ret; + } + wc_UnLockMutex(&gRandMethodMutex); + } #endif - +#ifdef HAVE_GLOBAL_RNG if (initGlobalRNG) { if (wc_LockMutex(&globalRNGMutex) != 0) { WOLFSSL_MSG("Bad Lock Mutex rng"); @@ -31881,41 +31982,51 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num) rng = &globalRNG; used_global = 1; } - else if(wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; + else +#endif + { + #ifdef WOLFSSL_SMALL_STACK + tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); + if (tmpRNG == NULL) + return ret; + #endif + if (wc_InitRng(tmpRNG) == 0) { + rng = tmpRNG; + initTmpRng = 1; + } } if (rng) { - /* handles size grater than RNG_MAX_BLOCK_LEN */ + /* handles size greater than RNG_MAX_BLOCK_LEN */ blockCount = num / RNG_MAX_BLOCK_LEN; - - while(blockCount--) { - if((ret = wc_RNG_GenerateBlock(rng, buf, RNG_MAX_BLOCK_LEN) != 0)){ + + while (blockCount--) { + ret = wc_RNG_GenerateBlock(rng, buf, RNG_MAX_BLOCK_LEN); + if (ret != 0) { WOLFSSL_MSG("Bad wc_RNG_GenerateBlock"); break; } num -= RNG_MAX_BLOCK_LEN; buf += RNG_MAX_BLOCK_LEN; } - + if (ret == 0 && num) ret = wc_RNG_GenerateBlock(rng, buf, num); - + if (ret != 0) WOLFSSL_MSG("Bad wc_RNG_GenerateBlock"); else ret = WOLFSSL_SUCCESS; } - if (used_global == 1) { +#ifdef HAVE_GLOBAL_RNG + if (used_global == 1) wc_UnLockMutex(&globalRNGMutex); - } - +#endif if (initTmpRng) wc_FreeRng(tmpRNG); - #ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); + if (tmpRNG) + XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); #endif return ret; @@ -45769,19 +45880,6 @@ int wolfSSL_FIPS_mode_set(int r) } #endif -#ifndef NO_WOLFSSL_STUB -int wolfSSL_RAND_set_rand_method(const void *meth) -{ - (void) meth; - WOLFSSL_ENTER("wolfSSL_RAND_set_rand_method"); - WOLFSSL_STUB("RAND_set_rand_method"); - - /* if implemented RAND_bytes and RAND_pseudo_bytes need updated - * those two functions will call the respective functions from meth */ - return SSL_FAILURE; -} -#endif - int wolfSSL_CIPHER_get_bits(const WOLFSSL_CIPHER *c, int *alg_bits) { int ret = WOLFSSL_FAILURE; diff --git a/tests/api.c b/tests/api.c index dde3d5406..dac2330bc 100644 --- a/tests/api.c +++ b/tests/api.c @@ -307,6 +307,7 @@ #include #include #include + #include #ifdef OPENSSL_ALL #include #include @@ -30582,6 +30583,125 @@ static void test_wolfSSL_BUF(void) #endif /* OPENSSL_EXTRA */ } +#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) +static int stub_rand_seed(const void *buf, int num) +{ + (void)buf; + (void)num; + + return 123; +} + +static int stub_rand_bytes(unsigned char *buf, int num) +{ + (void)buf; + (void)num; + + return 456; +} + +static byte* was_stub_rand_cleanup_called(void) +{ + static byte was_called = 0; + + return &was_called; +} + +static void stub_rand_cleanup(void) +{ + byte* was_called = was_stub_rand_cleanup_called(); + + *was_called = 1; + + return; +} + +static byte* was_stub_rand_add_called(void) +{ + static byte was_called = 0; + + return &was_called; +} + +static int stub_rand_add(const void *buf, int num, double entropy) +{ + byte* was_called = was_stub_rand_add_called(); + + (void)buf; + (void)num; + (void)entropy; + + *was_called = 1; + + return 0; +} + +static int stub_rand_pseudo_bytes(unsigned char *buf, int num) +{ + (void)buf; + (void)num; + + return 9876; +} + +static int stub_rand_status(void) +{ + return 5432; +} +#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ + +static void test_wolfSSL_RAND_set_rand_method(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_OPENSSL_RAND_CB) + WOLFSSL_RAND_METHOD rand_methods = {NULL, NULL, NULL, NULL, NULL, NULL}; + unsigned char* buf = NULL; + int num = 0; + double entropy = 0; + byte* was_cleanup_called = was_stub_rand_cleanup_called(); + byte* was_add_called = was_stub_rand_add_called(); + + printf(testingFmt, "wolfSSL_RAND_set_rand_method()"); + + AssertIntNE(wolfSSL_RAND_status(), 5432); + AssertIntEQ(*was_cleanup_called, 0); + wolfSSL_RAND_Cleanup(); + AssertIntEQ(*was_cleanup_called, 0); + + + rand_methods.seed = &stub_rand_seed; + rand_methods.bytes = &stub_rand_bytes; + rand_methods.cleanup = &stub_rand_cleanup; + rand_methods.add = &stub_rand_add; + rand_methods.pseudorand = &stub_rand_pseudo_bytes; + rand_methods.status = &stub_rand_status; + + AssertIntEQ(wolfSSL_RAND_set_rand_method(&rand_methods), WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_RAND_seed(buf, num), 123); + AssertIntEQ(wolfSSL_RAND_bytes(buf, num), 456); + AssertIntEQ(wolfSSL_RAND_pseudo_bytes(buf, num), 9876); + AssertIntEQ(wolfSSL_RAND_status(), 5432); + + AssertIntEQ(*was_add_called, 0); + /* The function pointer for RAND_add returns int, but RAND_add itself returns void. */ + wolfSSL_RAND_add(buf, num, entropy); + AssertIntEQ(*was_add_called, 1); + was_add_called = 0; + AssertIntEQ(*was_cleanup_called, 0); + wolfSSL_RAND_Cleanup(); + AssertIntEQ(*was_cleanup_called, 1); + *was_cleanup_called = 0; + + + AssertIntEQ(wolfSSL_RAND_set_rand_method(NULL), WOLFSSL_SUCCESS); + AssertIntNE(wolfSSL_RAND_status(), 5432); + AssertIntEQ(*was_cleanup_called, 0); + wolfSSL_RAND_Cleanup(); + AssertIntEQ(*was_cleanup_called, 0); + + printf(resultFmt, passed); +#endif /* OPENSSL_EXTRA && !WOLFSSL_NO_OPENSSL_RAND_CB */ +} + static void test_wolfSSL_RAND_bytes(void) { #if defined(OPENSSL_EXTRA) @@ -41734,6 +41854,7 @@ void ApiTest(void) test_wolfSSL_CTX_set_srp_password(); test_wolfSSL_CTX_set_ecdh_auto(); test_wolfSSL_THREADID_hash(); + test_wolfSSL_RAND_set_rand_method(); test_wolfSSL_RAND_bytes(); test_wolfSSL_pseudo_rand(); test_wolfSSL_PKCS8_Compat(); diff --git a/wolfssl/openssl/engine.h b/wolfssl/openssl/engine.h index e4a1ff193..ba147ff74 100644 --- a/wolfssl/openssl/engine.h +++ b/wolfssl/openssl/engine.h @@ -4,5 +4,7 @@ #undef HAVE_OPENSSL_ENGINE_H -#define ENGINE_load_builtin_engines() /*ENGINE_load_builtin_engines not needed*/ +/* ENGINE_load_builtin_engines not needed, as all builtin engines are already + loaded into memory and used on startup. */ +#define ENGINE_load_builtin_engines() diff --git a/wolfssl/openssl/rand.h b/wolfssl/openssl/rand.h index 25d1419e2..11af818f6 100644 --- a/wolfssl/openssl/rand.h +++ b/wolfssl/openssl/rand.h @@ -24,4 +24,6 @@ #include #include +typedef WOLFSSL_RAND_METHOD RAND_METHOD; + #define RAND_set_rand_method wolfSSL_RAND_set_rand_method diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index a6697e8bc..de93537ed 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -639,6 +639,25 @@ struct WOLFSSL_X509_STORE_CTX { typedef char* WOLFSSL_STRING; +typedef struct WOLFSSL_RAND_METHOD { + /* seed = Data to mix into the random generator. + * len = Number of bytes to mix from seed. */ + int (*seed)(const void* seed, int len); + /* buf = Buffer to store random bytes in. + * len = Number of bytes to store in buf. */ + int (*bytes)(unsigned char* buf, int len); + void (*cleanup)(void); + /* add = Data to mix into the random generator. + * len = Number of bytes to mix from add. + * entropy = Estimate of randomness contained in seed. + * Should be between 0 and len. */ + int (*add)(const void* add, int len, double entropy); + /* buf = Buffer to store pseudorandom bytes in. + * len = Number of bytes to store in buf. */ + int (*pseudorand)(unsigned char *buf, int len); + int (*status)(void); +} WOLFSSL_RAND_METHOD; + /* Valid Alert types from page 16/17 * Add alert string to the function wolfSSL_alert_type_string_long in src/ssl.c */ @@ -3769,7 +3788,7 @@ WOLFSSL_API int wolfSSL_FIPS_mode(void); WOLFSSL_API int wolfSSL_FIPS_mode_set(int r); -WOLFSSL_API int wolfSSL_RAND_set_rand_method(const void *meth); +WOLFSSL_API int wolfSSL_RAND_set_rand_method(const WOLFSSL_RAND_METHOD *methods); WOLFSSL_API int wolfSSL_CIPHER_get_bits(const WOLFSSL_CIPHER *c, int *alg_bits);