Merge pull request #4012 from julek-wolfssl/haproxy

HaProxy 2.4-dev18 support
This commit is contained in:
JacobBarthelmeh
2021-07-14 15:46:04 +07:00
committed by GitHub
19 changed files with 1268 additions and 216 deletions


@@ -928,7 +928,7 @@ AC_ARG_ENABLE([opensslall],
[ ENABLED_OPENSSLALL=$enableval ],
[ ENABLED_OPENSSLALL=no ]
)
if test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_WPAS_DPP" = "yes" || test "$ENABLED_SMIME" = "yes"
if test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_WPAS_DPP" = "yes" || test "$ENABLED_SMIME" = "yes" || test "$ENABLED_HAPROXY" = "yes"
then
ENABLED_OPENSSLALL="yes"
fi
@@ -2771,7 +2771,7 @@ AC_ARG_ENABLE([anon],
[ ENABLED_ANON=no ]
)
if test "x$ENABLED_WPAS" = "xyes" || test "$ENABLED_NGINX" = "yes"
if test "x$ENABLED_WPAS" = "xyes" || test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes"
then
ENABLED_ANON=yes
fi
@@ -3722,6 +3722,11 @@ AC_ARG_ENABLE([secure-renegotiation],
[ ENABLED_SECURE_RENEGOTIATION=no ]
)
if test "x$ENABLED_HAPROXY" = "xyes"
then
ENABLED_SECURE_RENEGOTIATION=yes
fi
if test "x$ENABLED_SECURE_RENEGOTIATION" = "xyes"
then
if test "x$ENABLED_RENEGOTIATION_INDICATION" = "xyes"
@@ -4266,13 +4271,40 @@ fi
if test "$ENABLED_HAPROXY" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAPROXY"
# Requires opensslextra make sure on
if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAPROXY -DOPENSSL_COMPATIBLE_DEFAULTS"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SIGNER_DER_CERT"
# --enable-all defines its own FP_MAX_BITS
if test "$ENABLED_ALL" != "yes"
then
AM_CFLAGS="$AM_CFLAGS -DFP_MAX_BITS=16384"
fi
# Requires opensslextra and opensslall
if test "x$ENABLED_OPENSSLALL" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLALL="yes"
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="-DOPENSSL_EXTRA $AM_CFLAGS"
AM_CFLAGS="-DOPENSSL_EXTRA -DOPENSSL_ALL $AM_CFLAGS"
fi
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_GEN"
fi
if test "x$ENABLED_CERTREQ" = "xno"
then
ENABLED_CERTREQ="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_REQ"
fi
# Requires sessioncerts make sure on
if test "x$ENABLED_SESSIONCERTS" = "xno"
then
ENABLED_SESSIONCERTS="yes"
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
fi
fi
if test "$ENABLED_SIGNAL" = "yes"
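Review bot: `--enable-haproxy` now widens the library's trust defaults without saying so: it forces `ENABLED_ANON=yes` (anonymous cipher-suite support) in the same test as nginx/wpas, and adds `-DOPENSSL_COMPATIBLE_DEFAULTS`, which, judging by the test expectations elsewhere in this PR, makes `load_verify_locations` accept an expired CA under `WOLFSSL_LOAD_FLAG_NONE`. Neither side effect is mentioned in the haproxy block, so a packager reading configure.ac will not know the flag implies them. I would add above the `AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HAPROXY -DOPENSSL_COMPATIBLE_DEFAULTS"` line: `# OPENSSL_COMPATIBLE_DEFAULTS mirrors OpenSSL's verify/date-check defaults (e.g. expired CAs load without DATE_ERR_OKAY); haproxy also turns on --enable-anon above`. Whether anonymous suites end up in the default cipher list or only become selectable by an explicit cipher string is not visible here and should be confirmed before wording the comment.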


@@ -933,7 +933,7 @@ static int ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
}
else
#endif
if (err != WOLFSSL_ERROR_WANT_READ) {
if (err != WOLFSSL_ERROR_WANT_READ && err != APP_DATA_READY) {
printf("SSL_read reply error %d, %s\n", err,
wolfSSL_ERR_error_string(err, buffer));
if (!exitWithRet) {
@@ -957,6 +957,7 @@ static int ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead,
#ifdef WOLFSSL_ASYNC_CRYPT
|| err == WC_PENDING_E
#endif
|| err == APP_DATA_READY
);
if (ret > 0) {
reply[ret] = 0; /* null terminate */
@@ -2577,7 +2578,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
}
#endif
#ifdef OPENSSL_COMPATIBLE_DEFAULTS
/* Restore wolfSSL verify defaults */
if (ctx) {
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_DEFAULT, NULL);
}
#endif
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
if (wolfsentry_setup(&wolfsentry, wolfsentry_config_path,
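Review bot: The comment `/* Restore wolfSSL verify defaults */` on the new `OPENSSL_COMPATIBLE_DEFAULTS` block does not say what it restores from, which is the only reason the call exists: presumably the define leaves a fresh CTX in an OpenSSL-like verify mode and the example client puts it back to wolfSSL's default so the server certificate is still checked. I would expand it to `/* OPENSSL_COMPATIBLE_DEFAULTS gives a new CTX OpenSSL-style verify defaults; reset to wolfSSL's default so this example still verifies the server */`. The exact mode the define installs is not visible in this diff, so confirm it before committing to that wording. `client_test` starts and ends outside the hunk.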


@@ -2008,6 +2008,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
wolfSSL_CTX_SetMinVersion(ctx, minVersion);
}
#ifdef OPENSSL_COMPATIBLE_DEFAULTS
/* Restore wolfSSL verify defaults */
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_DEFAULT, NULL);
#endif
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
if (wolfsentry_setup(&wolfsentry, wolfsentry_config_path,
WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) < 0) {
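Review bot: The new `wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_DEFAULT, NULL)` is unconditional here while the identical block added to the client example wraps it in `if (ctx)`; `ctx` is already dereferenced in the block just above (`wolfSSL_CTX_SetMinVersion`), so the guard is not needed, but the two examples should use the same shape so a reader does not wonder whether one of them can see a NULL context. The comment should also name what is being undone, e.g. `/* OPENSSL_COMPATIBLE_DEFAULTS leaves a new CTX with OpenSSL-style verify defaults; reset to wolfSSL's default */` — hedged, since the default the define installs is not shown in this diff. `server_test` starts and ends outside the hunk.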


@@ -2173,6 +2173,9 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
#ifndef NO_CERTS
FreeDer(&ctx->privateKey);
#ifdef OPENSSL_ALL
wolfSSL_EVP_PKEY_free(ctx->privateKeyPKey);
#endif
FreeDer(&ctx->certificate);
#ifdef KEEP_OUR_CERT
if (ctx->ourCert && ctx->ownOurCert) {
@@ -2183,6 +2186,12 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
FreeDer(&ctx->certChain);
wolfSSL_CertManagerFree(ctx->cm);
ctx->cm = NULL;
#ifdef OPENSSL_ALL
if (ctx->x509_store.objs != NULL) {
wolfSSL_sk_X509_OBJECT_free(ctx->x509_store.objs);
ctx->x509_store.objs = NULL;
}
#endif
#ifdef OPENSSL_EXTRA
wolfSSL_X509_STORE_free(ctx->x509_store_pt);
while (ctx->ca_names != NULL) {
@@ -3751,7 +3760,7 @@ void InitX509(WOLFSSL_X509* x509, int dynamicFlag, void* heap)
InitX509Name(&x509->issuer, 0, heap);
InitX509Name(&x509->subject, 0, heap);
x509->dynamicMemory = (byte)dynamicFlag;
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
x509->refCount = 1;
(void)wc_InitMutex(&x509->refMutex);
#endif
@@ -5868,11 +5877,19 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
ssl->ConnectFilter_arg = ctx->ConnectFilter_arg;
#endif
ssl->CBIORecv = ctx->CBIORecv;
ssl->CBIOSend = ctx->CBIOSend;
#ifdef OPENSSL_EXTRA
ssl->readAhead = ctx->readAhead;
#endif
#ifdef OPENSSL_EXTRA
/* Don't change recv callback if currently using BIO's */
if (ssl->CBIORecv != BioReceive)
#endif
ssl->CBIORecv = ctx->CBIORecv;
#ifdef OPENSSL_EXTRA
/* Don't change send callback if currently using BIO's */
if (ssl->CBIOSend != BioSend)
#endif
ssl->CBIOSend = ctx->CBIOSend;
ssl->verifyDepth = ctx->verifyDepth;
return ret;
@@ -8636,7 +8653,7 @@ retry:
if (recvd < 0) {
switch (recvd) {
case WOLFSSL_CBIO_ERR_GENERAL: /* general/unknown error */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)
#ifdef WOLFSSL_APACHE_HTTPD
#ifndef NO_BIO
if (ssl->biord) {
/* If retry and read flags are set, return WANT_READ */
@@ -11631,7 +11648,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (args->totalCerts >= MAX_CHAIN_DEPTH) {
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ret = MAX_CHAIN_ERROR;
WOLFSSL_MSG("Too many certs for MAX_CHAIN_DEPTH");
break; /* break out to avoid reading more certs then buffer
@@ -11848,7 +11866,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
else {
WOLFSSL_MSG("Failed to verify CA from chain");
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_ERR_INVALID_CA;
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_INVALID_CA;
#endif
}
@@ -11907,7 +11926,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* extend the limit "+1" until reaching
* an ultimately trusted issuer.*/
args->count > (ssl->verifyDepth + 1)) {
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ret = MAX_CHAIN_ERROR;
}
#endif
@@ -12034,7 +12054,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
!ssl->options.verifyNone ? VERIFY : NO_VERIFY,
&subjectHash, &alreadySigner);
} else
ret = ASN_NO_SIGNER_E;
ret = ASN_NO_SIGNER_E;
}
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
@@ -12044,7 +12064,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (ret == 0) {
WOLFSSL_MSG("Verified Peer's cert");
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_OK;
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_OK;
#endif
#if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
/* if using alternate chain, store the cert used */
@@ -12083,15 +12104,25 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
DoCertFatalAlert(ssl, ret);
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
#endif
args->fatal = 1;
}
else {
WOLFSSL_MSG("Failed to verify Peer's cert");
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (ssl->peerVerifyRet == 0) { /* Return first cert error here */
if (ret == ASN_BEFORE_DATE_E)
ssl->peerVerifyRet = X509_V_ERR_CERT_NOT_YET_VALID;
else if (ret == ASN_AFTER_DATE_E)
ssl->peerVerifyRet = X509_V_ERR_CERT_HAS_EXPIRED;
else {
ssl->peerVerifyRet =
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
}
}
#endif
if (ssl->verifyCallback) {
WOLFSSL_MSG(
"\tCallback override available, will continue");
@@ -12214,7 +12245,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("\tOCSP Lookup not ok");
args->fatal = 0;
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
if (ssl->peerVerifyRet == 0) {
/* Return first cert error here */
ssl->peerVerifyRet =
ret == OCSP_CERT_REVOKED
? X509_V_ERR_CERT_REVOKED
: X509_V_ERR_CERT_REJECTED;
}
#endif
}
}
@@ -12233,7 +12270,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("\tCRL check not ok");
args->fatal = 0;
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
if (ssl->peerVerifyRet == 0) {
/* Return first cert error here */
ssl->peerVerifyRet =
ret == CRL_CERT_REVOKED
? X509_V_ERR_CERT_REVOKED
: X509_V_ERR_CERT_REJECTED;;
}
#endif
}
}
@@ -12331,7 +12374,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ssl->error = ret;
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
SendAlert(ssl, alert_fatal, bad_certificate);
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
#endif
goto exit_ppc;
}
@@ -12674,7 +12718,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
* we hit the limit, with X509_V_ERR_CERT_CHAIN_TOO_LONG
*/
if (args->untrustedDepth > (ssl->options.verifyDepth + 1)) {
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ret = MAX_CHAIN_ERROR;
}
#endif
@@ -18398,10 +18443,13 @@ int SendCertificateRequest(WOLFSSL* ssl)
names = ssl->ctx->ca_names;
while (names != NULL) {
byte seq[MAX_SEQ_SZ];
WOLFSSL_X509_NAME* name = names->data.name;
/* 16-bit length | SEQ | Len | DER of name */
dnLen += OPAQUE16_LEN + SetSequence(names->data.name->rawLen, seq) +
names->data.name->rawLen;
if (name != NULL) {
/* 16-bit length | SEQ | Len | DER of name */
dnLen += OPAQUE16_LEN + SetSequence(name->rawLen, seq) +
name->rawLen;
}
names = names->next;
}
reqSz += dnLen;
@@ -18466,13 +18514,16 @@ int SendCertificateRequest(WOLFSSL* ssl)
names = ssl->ctx->ca_names;
while (names != NULL) {
byte seq[MAX_SEQ_SZ];
WOLFSSL_X509_NAME* name = names->data.name;
c16toa((word16)names->data.name->rawLen +
SetSequence(names->data.name->rawLen, seq), &output[i]);
i += OPAQUE16_LEN;
i += SetSequence(names->data.name->rawLen, output + i);
XMEMCPY(output + i, names->data.name->raw, names->data.name->rawLen);
i += names->data.name->rawLen;
if (name != NULL) {
c16toa((word16)name->rawLen +
SetSequence(name->rawLen, seq), &output[i]);
i += OPAQUE16_LEN;
i += SetSequence(name->rawLen, output + i);
XMEMCPY(output + i, name->raw, name->rawLen);
i += name->rawLen;
}
names = names->next;
}
#endif
@@ -19817,6 +19868,15 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
#endif /* NO_ERROR_STRINGS */
}
const char* wolfSSL_ERR_func_error_string(unsigned long e)
{
(void)e;
WOLFSSL_MSG("wolfSSL_ERR_func_error_string does not return the name of "
"the function that failed. Please inspect the wolfSSL debug "
"logs to determine where the error occurred.");
return "";
}
void SetErrorString(int error, char* str)
{
XSTRNCPY(str, wolfSSL_ERR_reason_error_string(error), WOLFSSL_MAX_ERROR_SZ);
@@ -26830,6 +26890,26 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
}
#ifdef HAVE_SECURE_RENEGOTIATION
/* Check that the DH public key buffer is large
* enough to hold the key. This may occur on a
* renegotiation when the key generated in the
* initial handshake is shorter than the key
* generated in the renegotiation. */
if (ssl->buffers.serverDH_Pub.length <
ssl->buffers.serverDH_P.length) {
byte* tmp = (byte*)XREALLOC(
ssl->buffers.serverDH_Pub.buffer,
ssl->buffers.serverDH_P.length +
OPAQUE16_LEN,
ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
if (tmp == NULL)
ERROR_OUT(MEMORY_E, exit_sske);
ssl->buffers.serverDH_Pub.buffer = tmp;
ssl->buffers.serverDH_Pub.length =
ssl->buffers.serverDH_P.length + OPAQUE16_LEN;
}
#endif
ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key,
ssl->buffers.serverDH_Priv.buffer,
(word32*)&ssl->buffers.serverDH_Priv.length,
@@ -28803,11 +28883,17 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (!ssl->options.downgrade) {
WOLFSSL_MSG("Client trying to connect with lesser version");
#if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA)
SendAlert(ssl, alert_fatal, handshake_failure);
#endif
ret = VERSION_ERROR;
goto out;
}
if (pv.minor < ssl->options.minDowngrade) {
WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
#if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA)
SendAlert(ssl, alert_fatal, handshake_failure);
#endif
ret = VERSION_ERROR;
goto out;
}
@@ -32123,14 +32209,20 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) {
WOLFSSL_MSG("Calling custom sni callback");
sniRet = ssl->ctx->sniRecvCb(ssl, &ad, ssl->ctx->sniRecvCbArg);
if (sniRet == alert_fatal) {
WOLFSSL_MSG("Error in custom sni callback. Fatal alert");
SendAlert(ssl, alert_fatal, ad);
return FATAL_ERROR;
}
else if (sniRet == alert_warning) {
WOLFSSL_MSG("Error in custom sni callback. Warning alert");
SendAlert(ssl, alert_warning, ad);
switch (sniRet) {
case warning_return:
WOLFSSL_MSG("Error in custom sni callback. Warning alert");
SendAlert(ssl, alert_warning, ad);
break;
case fatal_return:
WOLFSSL_MSG("Error in custom sni callback. Fatal alert");
SendAlert(ssl, alert_fatal, ad);
return FATAL_ERROR;
case noack_return:
WOLFSSL_MSG("Server quietly not acking servername.");
break;
default:
break;
}
}
return 0;
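Review bot: The growth check added under `HAVE_SECURE_RENEGOTIATION` only resizes `serverDH_Pub`, yet the `DhGenKeyPair` call right after it also writes the private value into `serverDH_Priv.buffer` through its own in/out length; if that buffer was likewise sized from the first handshake's parameters (its allocation is outside the hunk), a renegotiation with a larger prime leaves the same overrun possibility on the private side. I would either apply the same `length < ssl->buffers.serverDH_P.length` test to `serverDH_Priv` or confirm that its allocation already derives from the new `serverDH_P.length`; the realloc itself is done correctly (temporary pointer, original buffer kept on `MEMORY_E`). Two smaller nits in the peerVerifyRet hunks: `if (ssl->peerVerifyRet == 0) ssl->peerVerifyRet = X509_V_OK;` is a no-op if `X509_V_OK` is 0 as in OpenSSL, and `: X509_V_ERR_CERT_REJECTED;;` carries a stray semicolon. The enclosing function (the hunk header says `DoSessionTicket`, but the `exit_sske` label suggests the server key-exchange sender) starts and ends outside the hunk.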


@@ -959,7 +959,7 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_CERTID_dup(WOLFSSL_OCSP_CERTID* id)
}
#endif
#if defined(OPENSSL_ALL) || defined(APACHE_HTTPD)
#if defined(OPENSSL_ALL) || defined(APACHE_HTTPD) || defined(WOLFSSL_HAPROXY)
#ifndef NO_BIO
int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out,
WOLFSSL_OCSP_REQUEST *req)
@@ -1021,6 +1021,40 @@ const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SI
return single;
}
/**
* Compare two WOLFSSL_OCSP_CERTID objects
* @param a
* @param b
* @return 0 on success and when objects have the same id otherwise either
* the id's don't match or an error occurred
*/
int wolfSSL_OCSP_id_cmp(WOLFSSL_OCSP_CERTID *a, WOLFSSL_OCSP_CERTID *b)
{
int ret = 0;
if (a == NULL || b == NULL)
return WOLFSSL_FATAL_ERROR;
ret = a->hashAlgoOID != b->hashAlgoOID;
if (ret == 0)
ret = XMEMCMP(a->issuerHash, b->issuerHash, OCSP_DIGEST_SIZE);
if (ret == 0)
ret = XMEMCMP(a->issuerKeyHash, b->issuerKeyHash, OCSP_DIGEST_SIZE);
if (ret == 0) {
if (a->status != NULL && b->status != NULL) {
if (a->status->serialSz == b->status->serialSz)
ret = XMEMCMP(a->status->serial, b->status->serial,
a->status->serialSz);
else
ret = -1;
}
else if (a->status != b->status) {
/* If either is not null then return non-zero */
ret = -1;
}
}
return ret;
}
int wolfSSL_OCSP_single_get0_status(WOLFSSL_OCSP_SINGLERESP *single,
int *reason,
WOLFSSL_ASN1_TIME **revtime,
@@ -1152,7 +1186,7 @@ int wolfSSL_OCSP_id_get0_info(WOLFSSL_ASN1_STRING **name,
ser->dataMax = WOLFSSL_ASN1_INTEGER_MAX;
}
#ifdef WOLFSSL_QT
#if defined(WOLFSSL_QT) || defined(WOLFSSL_HAPROXY)
/* Serial number starts at 0 index of ser->data */
XMEMCPY(&ser->data[i], cid->status->serial, cid->status->serialSz);
ser->length = cid->status->serialSz;
@@ -1160,6 +1194,7 @@ int wolfSSL_OCSP_id_get0_info(WOLFSSL_ASN1_STRING **name,
ser->data[i++] = ASN_INTEGER;
i += SetLength(cid->status->serialSz, ser->data + i);
XMEMCPY(&ser->data[i], cid->status->serial, cid->status->serialSz);
ser->length = i + cid->status->serialSz;
#endif
cid->status->serialInt = ser;
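Review bot: The new `ser->length = i + cid->status->serialSz;` in the non-Qt/haproxy branch records a length that includes the tag and length bytes written by `SetLength`, so `ser->data` must have room for at least `serialSz + 2` bytes there, whereas the Qt/haproxy branch copies only `serialSz` raw bytes at index `i`; the code that sizes `ser->data` and sets `ser->dataMax` is above the hunk, so please confirm both branches are bounded by it before the `XMEMCPY`, otherwise a serial close to `WOLFSSL_ASN1_INTEGER_MAX` overruns `data` in the DER branch. A comment at the `#if` would also save the next reader a trip through haproxy's source: `/* Qt and haproxy consume the raw serial bytes; everyone else gets a DER INTEGER (tag + length + value) */` — hedged, since the diff does not state why haproxy needs the raw form. `wolfSSL_OCSP_id_get0_info` starts outside the hunk.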

750
src/ssl.c



@@ -4694,11 +4694,19 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (!ssl->options.downgrade) {
WOLFSSL_MSG("Client trying to connect with lesser version than "
"TLS v1.3");
#if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA)
SendAlert(ssl, alert_fatal, handshake_failure);
#endif
ERROR_OUT(VERSION_ERROR, exit_dch);
}
if (args->pv.minor < ssl->options.minDowngrade)
if (args->pv.minor < ssl->options.minDowngrade) {
WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
#if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA)
SendAlert(ssl, alert_fatal, handshake_failure);
#endif
ERROR_OUT(VERSION_ERROR, exit_dch);
}
ret = HashInput(ssl, input + args->begin, helloSz);
if (ret == 0) {
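Review bot: Both new `SendAlert` calls report a client version below the allowed floor as `handshake_failure`, but TLS 1.3 (RFC 8446 §6.2) and TLS 1.2 (RFC 5246 §7.2.2) define `protocol_version` for exactly this condition, and that is the alert an OpenSSL peer or haproxy's error logging would expect to see. Unless the haproxy interop specifically depends on the generic alert, I would change both lines to `SendAlert(ssl, alert_fatal, protocol_version);`, assuming wolfSSL's alert enum carries that value (not visible here). The same two alerts were added to the TLS 1.2 path in internal.c and should be changed together. `DoTls13ClientHello` starts and ends outside the hunk.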


@@ -180,6 +180,12 @@ int BioReceive(WOLFSSL* ssl, char* buf, int sz, void* ctx)
return recvd;
}
/* If retry and read flags are set, return WANT_READ */
if ((ssl->biord->flags & WOLFSSL_BIO_FLAG_READ) &&
(ssl->biord->flags & WOLFSSL_BIO_FLAG_RETRY)) {
return WOLFSSL_CBIO_ERR_WANT_READ;
}
WOLFSSL_MSG("BIO general error");
return WOLFSSL_CBIO_ERR_GENERAL;
}
@@ -211,13 +217,20 @@ int BioSend(WOLFSSL* ssl, char *buf, int sz, void *ctx)
}
sent = wolfSSL_BIO_write(ssl->biowr, buf, sz);
if (sent < 0) {
if (sent <= 0) {
if (ssl->biowr->type == WOLFSSL_BIO_SOCKET) {
#ifdef USE_WOLFSSL_IO
sent = TranslateIoError(sent);
#endif
return sent;
}
/* If retry and write flags are set, return WANT_WRITE */
if ((ssl->biord->flags & WOLFSSL_BIO_FLAG_WRITE) &&
(ssl->biord->flags & WOLFSSL_BIO_FLAG_RETRY)) {
return WOLFSSL_CBIO_ERR_WANT_WRITE;
}
return WOLFSSL_CBIO_ERR_GENERAL;
}
(void)ctx;
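Review bot: The retry check added to `BioSend` reads `ssl->biord->flags`, but the write that just failed went to `ssl->biowr` (`wolfSSL_BIO_write(ssl->biowr, buf, sz)` two lines above), so the WANT_WRITE decision is taken on the wrong BIO; with distinct read and write BIOs a retryable write is reported as `WOLFSSL_CBIO_ERR_GENERAL`, and if `biord` is ever unset this dereferences NULL. Change the two lines to `if ((ssl->biowr->flags & WOLFSSL_BIO_FLAG_WRITE) && (ssl->biowr->flags & WOLFSSL_BIO_FLAG_RETRY)) {`. Note also that `sent <= 0` now sends a zero-byte result into the error path; if that is intended, a one-line comment saying so would help. `BioSend` starts outside the hunk.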


@@ -1105,13 +1105,23 @@ static int test_cm_load_ca_file(const char* ca_cert_file)
/* normal test */
ret = test_cm_load_ca_buffer(cert_buf, cert_sz, WOLFSSL_FILETYPE_PEM);
if (ret == 0) {
if (ret == WOLFSSL_SUCCESS) {
/* test including null terminator in length */
ret = test_cm_load_ca_buffer(cert_buf, cert_sz+1, WOLFSSL_FILETYPE_PEM);
byte* tmp = (byte*)realloc(cert_buf, cert_sz+1);
if (tmp == NULL) {
ret = MEMORY_E;
}
else {
cert_buf = tmp;
cert_buf[cert_sz] = '\0';
ret = test_cm_load_ca_buffer(cert_buf, cert_sz+1,
WOLFSSL_FILETYPE_PEM);
}
}
#if defined(WOLFSSL_PEM_TO_DER)
if (ret == 0) {
if (ret == WOLFSSL_SUCCESS) {
/* test loading DER */
ret = wc_PemToDer(cert_buf, cert_sz, CA_TYPE, &pDer, NULL, NULL, NULL);
if (ret == 0 && pDer != NULL) {
@@ -1337,8 +1347,11 @@ static int test_wolfSSL_CertManagerLoadCABuffer(void)
#ifdef NO_RSA
AssertIntEQ(ret, ASN_UNKNOWN_OID_E);
#else
#if !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY)
#if !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \
!defined(OPENSSL_COMPATIBLE_DEFAULTS)
AssertIntEQ(ret, ASN_AFTER_DATE_E);
#else
AssertIntEQ(ret, WOLFSSL_SUCCESS);
#endif
#endif
#endif
@@ -1687,12 +1700,15 @@ static void test_wolfSSL_CTX_load_verify_locations_ex(void)
WOLFSSL_LOAD_FLAG_NONE));
/* test expired CA */
AssertTrue(WOLFSSL_SUCCESS !=
wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL,
WOLFSSL_LOAD_FLAG_NONE));
AssertTrue(WOLFSSL_SUCCESS ==
wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL,
WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY));
#ifndef OPENSSL_COMPATIBLE_DEFAULTS
AssertIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL,
WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS);
#else
AssertIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL,
WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS);
#endif
AssertIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, ca_expired_cert, NULL,
WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WOLFSSL_SUCCESS);
wolfSSL_CTX_free(ctx);
@@ -1731,16 +1747,21 @@ static void test_wolfSSL_CTX_load_verify_buffer_ex(void)
XFCLOSE(fp);
/* test expired CA failure */
AssertTrue(WOLFSSL_SUCCESS !=
wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0,
WOLFSSL_LOAD_FLAG_NONE));
/* test expired CA success */
AssertTrue(WOLFSSL_SUCCESS ==
wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
#ifndef OPENSSL_COMPATIBLE_DEFAULTS
AssertIntNE(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0,
WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY));
WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS);
#else
AssertIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0,
WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS);
#endif
/* test expired CA success */
AssertIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0,
WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WOLFSSL_SUCCESS);
wolfSSL_CTX_free(ctx);
@@ -2033,7 +2054,7 @@ static void test_server_wolfSSL_new(void)
/* invalid context */
AssertNull(ssl = wolfSSL_new(NULL));
#if !defined(WOLFSSL_SESSION_EXPORT) && !defined(WOLFSSL_QT)
#if !defined(WOLFSSL_SESSION_EXPORT) && !defined(WOLFSSL_QT) && !defined(OPENSSL_EXTRA)
AssertNull(ssl = wolfSSL_new(ctx_nocert));
#endif
@@ -27216,6 +27237,26 @@ static void test_wolfSSL_X509_NAME(void)
#endif /* defined(OPENSSL_EXTRA) && !defined(NO_DES3) */
}
static void test_wolfSSL_X509_NAME_hash(void)
{
#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) && !defined(NO_SHA)
BIO* bio;
X509* x509 = NULL;
printf(testingFmt, "wolfSSL_X509_NAME_hash");
AssertNotNull(bio = BIO_new(BIO_s_file()));
AssertIntGT(BIO_read_filename(bio, svrCertFile), 0);
AssertNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL));
AssertIntEQ(X509_NAME_hash(X509_get_subject_name(x509)), 0xF6CF410E);
AssertIntEQ(X509_NAME_hash(X509_get_issuer_name(x509)), 0x677DD39A);
X509_free(x509);
BIO_free(bio);
printf(resultFmt, passed);
#endif
}
#ifndef NO_BIO
static void test_wolfSSL_X509_INFO(void)
{
@@ -29397,6 +29438,11 @@ static void test_wolfSSL_CTX_add_extra_chain_cert(void)
char clientFile[] = "./certs/client-cert.pem";
SSL_CTX* ctx;
X509* x509;
BIO *bio = NULL;
X509 *cert = NULL;
X509 *ca;
STACK_OF(X509) *chain = NULL;
STACK_OF(X509) *chain2 = NULL;
printf(testingFmt, "wolfSSL_CTX_add_extra_chain_cert()");
@@ -29455,7 +29501,29 @@ static void test_wolfSSL_CTX_add_extra_chain_cert(void)
AssertNull(SSL_CTX_get_default_passwd_cb(ctx));
AssertNull(SSL_CTX_get_default_passwd_cb_userdata(ctx));
#endif
SSL_CTX_free(ctx);
#ifndef NO_WOLFSSL_SERVER
AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method()));
#else
AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method()));
#endif
/* Test haproxy use case */
AssertNotNull(bio = BIO_new_file(svrCertFile, "r"));
/* Read Certificate */
AssertNotNull(cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL));
AssertNotNull(ca = PEM_read_bio_X509(bio, NULL, NULL, NULL));
AssertNotNull(chain = sk_X509_new_null());
AssertIntEQ(sk_X509_push(chain, ca), 1);
AssertNotNull(chain2 = X509_chain_up_ref(chain));
AssertNotNull(ca = sk_X509_shift(chain2));
AssertIntEQ(SSL_CTX_use_certificate(ctx, cert), 1);
AssertIntEQ(SSL_CTX_add_extra_chain_cert(ctx, ca), 1);
BIO_free(bio);
X509_free(cert);
sk_X509_pop_free(chain, X509_free);
sk_X509_pop_free(chain2, X509_free);
SSL_CTX_free(ctx);
printf(resultFmt, passed);
#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \
@@ -30992,6 +31060,78 @@ static void test_wolfSSL_X509_STORE_load_locations(void)
#endif
}
static void test_X509_STORE_get0_objects(void)
{
#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
X509_STORE *store;
X509_STORE *store_cpy;
SSL_CTX *ctx;
X509_OBJECT *obj;
STACK_OF(X509_OBJECT) *objs;
int i;
printf(testingFmt, "wolfSSL_X509_STORE_get0_objects");
/* Setup store */
#ifndef NO_WOLFSSL_SERVER
AssertNotNull(ctx = SSL_CTX_new(SSLv23_server_method()));
#else
AssertNotNull(ctx = SSL_CTX_new(SSLv23_client_method()));
#endif
AssertNotNull(store_cpy = X509_STORE_new());
AssertNotNull(store = SSL_CTX_get_cert_store(ctx));
AssertIntEQ(X509_STORE_load_locations(store, cliCertFile, NULL), WOLFSSL_SUCCESS);
AssertIntEQ(X509_STORE_load_locations(store, caCertFile, NULL), WOLFSSL_SUCCESS);
AssertIntEQ(X509_STORE_load_locations(store, svrCertFile, NULL), WOLFSSL_SUCCESS);
#ifdef HAVE_CRL
AssertIntEQ(X509_STORE_load_locations(store, NULL, crlPemDir), WOLFSSL_SUCCESS);
#endif
/* Store ready */
/* Similar to HaProxy ssl_set_cert_crl_file use case */
AssertNotNull(objs = X509_STORE_get0_objects(store));
#ifdef HAVE_CRL
#ifdef WOLFSSL_SIGNER_DER_CERT
AssertIntEQ(sk_X509_OBJECT_num(objs), 4);
#else
AssertIntEQ(sk_X509_OBJECT_num(objs), 1);
#endif
#else
#ifdef WOLFSSL_SIGNER_DER_CERT
AssertIntEQ(sk_X509_OBJECT_num(objs), 3);
#else
AssertIntEQ(sk_X509_OBJECT_num(objs), 0);
#endif
#endif
for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
obj = sk_X509_OBJECT_value(objs, i);
switch (X509_OBJECT_get_type(obj)) {
case X509_LU_X509:
AssertNotNull(X509_OBJECT_get0_X509(obj));
AssertIntEQ(X509_STORE_add_cert(store_cpy,
X509_OBJECT_get0_X509(obj)), WOLFSSL_SUCCESS);
break;
case X509_LU_CRL:
#ifdef HAVE_CRL
AssertNotNull(X509_OBJECT_get0_X509_CRL(obj));
AssertIntEQ(X509_STORE_add_crl(store_cpy,
X509_OBJECT_get0_X509_CRL(obj)), WOLFSSL_SUCCESS);
break;
#endif
case X509_LU_NONE:
default:
Fail(("X509_OBJECT_get_type should return x509 or crl "
"(when built with crl support)"),
("Unrecognized X509_OBJECT type or none"));
}
}
X509_STORE_free(store_cpy);
SSL_CTX_free(ctx);
printf(resultFmt, passed);
#endif
}
static void test_wolfSSL_BN(void)
{
#if defined(OPENSSL_EXTRA) && !defined(NO_ASN)
@@ -39357,6 +39497,51 @@ static void test_wolfSSL_X509V3_EXT_get(void) {
#endif
}
static void test_wolfSSL_X509V3_EXT_nconf(void)
{
#if defined (OPENSSL_ALL)
const char *ext_names[] = {
"subjectKeyIdentifier",
"authorityKeyIdentifier",
"subjectAltName",
"keyUsage",
};
size_t ext_names_count = sizeof(ext_names)/sizeof(*ext_names);
int ext_nids[] = {
NID_subject_key_identifier,
NID_authority_key_identifier,
NID_subject_alt_name,
NID_key_usage,
};
size_t ext_nids_count = sizeof(ext_nids)/sizeof(*ext_nids);
const char *ext_values[] = {
"hash",
"hash",
"DNS:example.com, IP:127.0.0.1",
"digitalSignature,keyEncipherment,dataEncipherment",
};
size_t i;
printf(testingFmt, "wolfSSL_X509V3_EXT_nconf()");
for (i = 0; i < ext_names_count; i++) {
X509_EXTENSION* ext = X509V3_EXT_nconf(NULL, NULL, ext_names[i],
ext_values[i]);
AssertNotNull(ext);
X509_EXTENSION_free(ext);
}
for (i = 0; i < ext_nids_count; i++) {
X509_EXTENSION* ext = X509V3_EXT_nconf_nid(NULL, NULL, ext_nids[i],
ext_values[i]);
AssertNotNull(ext);
X509_EXTENSION_free(ext);
}
printf(resultFmt, "passed");
#endif
}
static void test_wolfSSL_X509V3_EXT(void) {
#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA)
FILE* f;
@@ -39844,11 +40029,12 @@ static void test_wolfSSL_i2d_PrivateKey(void)
static void test_wolfSSL_OCSP_id_get0_info(void)
{
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && !defined(NO_FILESYSTEM) && \
!defined(NO_RSA)
#if (defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY)) && defined(HAVE_OCSP) && \
!defined(NO_FILESYSTEM) && !defined(NO_RSA)
X509* cert;
X509* issuer;
OCSP_CERTID* id;
OCSP_CERTID* id2;
ASN1_STRING* name = NULL;
ASN1_OBJECT* pmd = NULL;
@@ -39865,6 +40051,8 @@ static void test_wolfSSL_OCSP_id_get0_info(void)
id = OCSP_cert_to_id(NULL, cert, issuer);
AssertNotNull(id);
id2 = OCSP_cert_to_id(NULL, cert, issuer);
AssertNotNull(id2);
AssertIntEQ(OCSP_id_get0_info(NULL, NULL, NULL, NULL, NULL), 0);
AssertIntEQ(OCSP_id_get0_info(NULL, NULL, NULL, NULL, id), 1);
@@ -39880,10 +40068,19 @@ static void test_wolfSSL_OCSP_id_get0_info(void)
/* compare serial number to one in cert, should be equal */
x509Int = X509_get_serialNumber(cert);
AssertNotNull(x509Int);
AssertIntEQ(x509Int->dataMax, serial->dataMax);
AssertIntEQ(XMEMCMP(x509Int->data, serial->data, serial->dataMax), 0);
AssertIntEQ(x509Int->length, serial->length);
AssertIntEQ(XMEMCMP(x509Int->data, serial->data, serial->length), 0);
/* test OCSP_id_cmp */
AssertIntNE(OCSP_id_cmp(NULL, NULL), 0);
AssertIntNE(OCSP_id_cmp(id, NULL), 0);
AssertIntNE(OCSP_id_cmp(NULL, id2), 0);
AssertIntEQ(OCSP_id_cmp(id, id2), 0);
id->issuerHash[0] = ~id->issuerHash[0];
AssertIntNE(OCSP_id_cmp(id, id2), 0);
OCSP_CERTID_free(id);
OCSP_CERTID_free(id2);
X509_free(cert); /* free's x509Int */
X509_free(issuer);
@@ -39893,7 +40090,7 @@ static void test_wolfSSL_OCSP_id_get0_info(void)
static void test_wolfSSL_i2d_OCSP_CERTID(void)
{
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP)
#if (defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY)) && defined(HAVE_OCSP)
WOLFSSL_OCSP_CERTID certId;
byte* targetBuffer;
byte* beginTargetBuffer;
@@ -39946,6 +40143,21 @@ static void test_wolfSSL_i2d_OCSP_CERTID(void)
#endif
}
static void test_wolfSSL_OCSP_id_cmp(void)
{
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP)
OCSP_CERTID id1;
OCSP_CERTID id2;
printf(testingFmt, "wolfSSL_OCSP_id_cmp()");
XMEMSET(&id1, 0, sizeof(id1));
XMEMSET(&id2, 0, sizeof(id2));
AssertIntEQ(OCSP_id_cmp(&id1, &id2), 0);
printf(resultFmt, passed);
#endif
}
static void test_wolfSSL_OCSP_SINGLERESP_get0_id(void)
{
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP)
@@ -44259,6 +44471,40 @@ static void test_SetTmpEC_DHE_Sz(void)
#endif
}
static void test_wolfSSL_CTX_get0_privatekey(void)
{
#ifdef OPENSSL_ALL
WOLFSSL_CTX* ctx = NULL;
printf(testingFmt, "wolfSSL_CTX_get0_privatekey()");
#ifndef NO_RSA
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
AssertNull(SSL_CTX_get0_privatekey(ctx));
AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
WOLFSSL_FILETYPE_PEM));
AssertNull(SSL_CTX_get0_privatekey(ctx));
AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(SSL_CTX_get0_privatekey(ctx));
wolfSSL_CTX_free(ctx);
#endif
#ifdef HAVE_ECC
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_method()));
AssertNull(SSL_CTX_get0_privatekey(ctx));
AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, eccCertFile,
WOLFSSL_FILETYPE_PEM));
AssertNull(SSL_CTX_get0_privatekey(ctx));
AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, eccKeyFile,
WOLFSSL_FILETYPE_PEM));
AssertNotNull(SSL_CTX_get0_privatekey(ctx));
wolfSSL_CTX_free(ctx);
#endif
printf(resultFmt, passed);
#endif
}
static void test_wolfSSL_dtls_set_mtu(void)
{
#if (defined(WOLFSSL_DTLS_MTU) || defined(WOLFSSL_SCTP)) && \
@@ -45531,6 +45777,7 @@ void ApiTest(void)
test_wolfSSL_SetTmpDH_buffer();
test_wolfSSL_SetMinMaxDhKey_Sz();
test_SetTmpEC_DHE_Sz();
test_wolfSSL_CTX_get0_privatekey();
test_wolfSSL_dtls_set_mtu();
test_wolfSSL_DH_get0_pqg();
#if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_WOLFSSL_SERVER) && \
@@ -45586,6 +45833,7 @@ void ApiTest(void)
/* compatibility tests */
test_wolfSSL_lhash();
test_wolfSSL_X509_NAME();
test_wolfSSL_X509_NAME_hash();
#ifndef NO_BIO
test_wolfSSL_X509_INFO();
#endif
@@ -45661,6 +45909,7 @@ void ApiTest(void)
test_wolfSSL_X509_STORE_CTX_get0_store();
test_wolfSSL_X509_STORE();
test_wolfSSL_X509_STORE_load_locations();
test_X509_STORE_get0_objects();
test_wolfSSL_X509_load_crl_file();
test_wolfSSL_BN();
test_wolfSSL_CTX_get0_set1_param();
@@ -45780,6 +46029,7 @@ void ApiTest(void)
test_wolfSSL_i2d_PrivateKey();
test_wolfSSL_OCSP_id_get0_info();
test_wolfSSL_i2d_OCSP_CERTID();
test_wolfSSL_OCSP_id_cmp();
test_wolfSSL_OCSP_SINGLERESP_get0_id();
test_wolfSSL_OCSP_single_get0_status();
test_wolfSSL_OCSP_resp_count();
@@ -45864,6 +46114,7 @@ void ApiTest(void)
#endif
test_wolfSSL_RSA_verify();
test_wolfSSL_X509V3_EXT_get();
test_wolfSSL_X509V3_EXT_nconf();
test_wolfSSL_X509V3_EXT();
test_wolfSSL_X509_get_ext();
test_wolfSSL_X509_get_ext_by_NID();


@@ -1496,7 +1496,11 @@ enum Misc {
MAX_WOLFSSL_FILE_SIZE = 1024ul * 1024ul * 4, /* 4 mb file size alloc limit */
#endif
#ifdef WOLFSSL_HAPROXY
MAX_X509_SIZE = 3072, /* max static x509 buffer size */
#else
MAX_X509_SIZE = 2048, /* max static x509 buffer size */
#endif
CERT_MIN_SIZE = 256, /* min PEM cert size with header/footer */
MAX_NTRU_PUB_KEY_SZ = 1027, /* NTRU max for now */
@@ -2799,6 +2803,9 @@ struct WOLFSSL_CTX {
byte privateKeyLabel:1;
int privateKeySz;
int privateKeyDevId;
#ifdef OPENSSL_ALL
WOLFSSL_EVP_PKEY* privateKeyPKey;
#endif
WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */
#endif
#ifdef KEEP_OUR_CERT
@@ -3058,7 +3065,7 @@ struct WOLFSSL_CTX {
WOLF_EVENT_QUEUE event_queue;
#endif /* HAVE_WOLF_EVENT */
#ifdef HAVE_EXT_CACHE
WOLFSSL_SESSION*(*get_sess_cb)(WOLFSSL*, unsigned char*, int, int*);
WOLFSSL_SESSION*(*get_sess_cb)(WOLFSSL*, const unsigned char*, int, int*);
int (*new_sess_cb)(WOLFSSL*, WOLFSSL_SESSION*);
void (*rem_sess_cb)(WOLFSSL_CTX*, WOLFSSL_SESSION*);
#endif
@@ -3351,6 +3358,9 @@ struct WOLFSSL_SESSION {
wolfSSL_Mutex refMutex; /* ref count mutex */
int refCount; /* reference count */
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
byte peerVerifyRet; /* cert verify error */
#endif
#ifdef WOLFSSL_TLS13
word16 namedGroup;
#endif
@@ -3764,6 +3774,7 @@ typedef struct Arrays {
#define STACK_TYPE_X509_INFO 11
#define STACK_TYPE_BY_DIR_entry 12
#define STACK_TYPE_BY_DIR_hash 13
#define STACK_TYPE_X509_OBJ 14
struct WOLFSSL_STACK {
unsigned long num; /* number of nodes in stack
@@ -3791,6 +3802,7 @@ struct WOLFSSL_STACK {
WOLFSSL_GENERAL_NAME* gn;
WOLFSSL_BY_DIR_entry* dir_entry;
WOLFSSL_BY_DIR_HASH* dir_hash;
WOLFSSL_X509_OBJECT* x509_obj;
} data;
void* heap; /* memory heap hint */
WOLFSSL_STACK* next;
@@ -3868,7 +3880,7 @@ struct WOLFSSL_X509 {
char certPolicies[MAX_CERTPOL_NB][MAX_CERTPOL_SZ];
int certPoliciesNb;
#endif /* WOLFSSL_CERT_EXT */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
wolfSSL_Mutex refMutex; /* ref count mutex */
int refCount; /* reference count */
#endif
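Review bot: `privateKeyPKey` at L989 carries no ownership comment, while `cm` beside it says who owns what; by the get0 naming convention `wolfSSL_CTX_get0_privatekey` (declared later in this PR) hands this pointer out borrowed, so a reader needs to know who frees it and whether it is replaced or cleared when a new private key is loaded into the ctx. Suggest `WOLFSSL_EVP_PKEY* privateKeyPKey; /* owned by ctx and freed with it; get0 callers borrow, never free */`, assuming that is the intended lifetime (the free path is not in this section). A similar note is due for `peerVerifyRet` at L1008: it lives in the cached WOLFSSL_SESSION, so a resumed session presumably reports the verify outcome recorded at the original handshake, and the comment should say that this is intended and that the field must be set before the session is cached.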


@@ -111,6 +111,7 @@ WOLFSSL_API int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out,
WOLFSSL_API int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID *, unsigned char **);
WOLFSSL_API const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single);
WOLFSSL_API int wolfSSL_OCSP_id_cmp(WOLFSSL_OCSP_CERTID *a, WOLFSSL_OCSP_CERTID *b);
WOLFSSL_API int wolfSSL_OCSP_single_get0_status(WOLFSSL_OCSP_SINGLERESP *single,
int *reason,
WOLFSSL_ASN1_TIME **revtime,
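Review bot: `wolfSSL_OCSP_id_cmp` at L1043 takes both CERTIDs as non-const pointers although a comparison should not modify either; the neighbouring `wolfSSL_OCSP_SINGLERESP_get0_id` already returns a `const WOLFSSL_OCSP_CERTID*`, and OpenSSL declares `OCSP_id_cmp` with `const` on both arguments, so the natural caller (compare the id from get0_id against a request id) has to cast away const. Suggest `WOLFSSL_API int wolfSSL_OCSP_id_cmp(const WOLFSSL_OCSP_CERTID *a, const WOLFSSL_OCSP_CERTID *b);` plus a comment on the return convention such as `/* 0 when the IDs match, non-zero otherwise (OpenSSL OCSP_id_cmp semantics) */`, if that is what the implementation does — it is not in this section.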


@@ -75,6 +75,11 @@ WOLFSSL_API WOLFSSL_CONF_VALUE *wolfSSL_CONF_new_section(WOLFSSL_CONF *conf,
WOLFSSL_API WOLFSSL_CONF_VALUE *wolfSSL_CONF_get_section(WOLFSSL_CONF *conf,
const char *section);
WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_X509V3_EXT_nconf_nid(WOLFSSL_CONF* conf,
WOLFSSL_X509V3_CTX *ctx, int nid, const char *value);
WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_X509V3_EXT_nconf(WOLFSSL_CONF *conf,
WOLFSSL_X509V3_CTX *ctx, const char *sName, const char *value);
#define sk_CONF_VALUE_new wolfSSL_sk_CONF_VALUE_new
#define sk_CONF_VALUE_free wolfSSL_sk_CONF_VALUE_free
#define sk_CONF_VALUE_pop_free(a,b) wolfSSL_sk_CONF_VALUE_free(a)
@@ -95,6 +100,8 @@ WOLFSSL_API WOLFSSL_CONF_VALUE *wolfSSL_CONF_get_section(WOLFSSL_CONF *conf,
#define _CONF_new_section wolfSSL_CONF_new_section
#define _CONF_get_section wolfSSL_CONF_get_section
#define X509V3_EXT_nconf_nid wolfSSL_X509V3_EXT_nconf_nid
#define X509V3_EXT_nconf wolfSSL_X509V3_EXT_nconf
#define X509V3_conf_free wolfSSL_X509V3_conf_free
#endif /* OPENSSL_EXTRA */
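Review bot: `wolfSSL_X509V3_EXT_nconf` at L1055 documents neither the ownership of the returned WOLFSSL_X509_EXTENSION nor what it returns when `sName` is not a recognised extension name or `value` does not parse; `wolfSSL_X509V3_EXT_nconf_nid` beside it has the same gap. Since `value` is configuration text typed by an operator, a short comment on the declaration (caller frees the result with the matching free routine; NULL on unknown name or unparsable value) lets users check the result correctly. The free routine and the failure behaviour are not visible here, so fill in whichever the implementation uses.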


@@ -79,6 +79,7 @@
#define i2d_OCSP_CERTID wolfSSL_i2d_OCSP_CERTID
#define OCSP_SINGLERESP_get0_id wolfSSL_OCSP_SINGLERESP_get0_id
#define OCSP_id_cmp wolfSSL_OCSP_id_cmp
#define OCSP_single_get0_status wolfSSL_OCSP_single_get0_status
#define OCSP_resp_count wolfSSL_OCSP_resp_count
#define OCSP_resp_get0 wolfSSL_OCSP_resp_get0


@@ -35,9 +35,10 @@
#define OPENSSL_VERSION_NUMBER 0x10100000L
#elif defined(WOLFSSL_QT)
#define OPENSSL_VERSION_NUMBER 0x10101000L
#elif defined(WOLFSSL_HAPROXY)
#define OPENSSL_VERSION_NUMBER 0x1010000fL
#elif defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) || \
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
defined(WOLFSSL_OPENSSH) || defined(WOLFSSL_OPENVPN)
defined(WOLFSSL_NGINX) || defined(WOLFSSL_OPENSSH) || defined(WOLFSSL_OPENVPN)
/* version number can be increased for Lighty after compatibility for ECDH
is added */
#define OPENSSL_VERSION_NUMBER 0x10001040L
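Review bot: The new `WOLFSSL_HAPROXY` branch at L1084-1085 advertises OpenSSL 1.1.0f while the generic branch it was removed from still advertises 1.0.1, and nothing says why that exact value was chosen. Consumers gate whole code paths on this number at compile time (this PR itself does so with `>= 0x10100000L` in the compat header), so every 1.1.0 API HAProxy reaches for behind that gate must exist in the compat layer or the build breaks in HAProxy rather than here. A comment pinning the rationale would help whoever bumps it next: `/* HAProxy selects its TLS code paths by OPENSSL_VERSION_NUMBER; 1.1.0f is the newest level the compat layer currently satisfies for it */`, assuming that is the reasoning.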


@@ -86,7 +86,7 @@ typedef struct WOLFSSL_RSA {
#if defined(HAVE_EX_DATA)
WOLFSSL_CRYPTO_EX_DATA ex_data; /* external data */
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
wolfSSL_Mutex refMutex; /* ref count mutex */
int refCount; /* reference count */
#endif
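Review bot: The guard on `refMutex`/`refCount` at L1101 now reads `OPENSSL_EXTRA_X509_SMALL || OPENSSL_EXTRA`, and the same swap is made for WOLFSSL_X509 at L1033 and for the `*_up_ref` prototypes at L1267; the three must stay in lockstep, because a build that satisfies one condition and not another would declare `wolfSSL_RSA_up_ref` against a struct that has no reference count. A single helper macro in the settings header, used at all three sites, would make that drift impossible; failing that, a comment on each guard naming the other two is the minimum. The old guard included `OPENSSL_ALL`, so if any configuration defines OPENSSL_ALL without OPENSSL_EXTRA this change removes the refcount fields from that build — worth confirming against the settings header, which is not in this diff.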


@@ -123,11 +123,15 @@ typedef WOLFSSL_GENERAL_NAME GENERAL_NAME;
typedef WOLFSSL_COMP_METHOD COMP_METHOD;
typedef WOLFSSL_COMP SSL_COMP;
typedef WOLFSSL_X509_REVOKED X509_REVOKED;
typedef WOLFSSL_X509_LOOKUP_TYPE X509_LOOKUP_TYPE;
typedef WOLFSSL_X509_OBJECT X509_OBJECT;
typedef WOLFSSL_X509_STORE X509_STORE;
typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
typedef WOLFSSL_X509_VERIFY_PARAM X509_VERIFY_PARAM;
typedef int OSSL_HANDSHAKE_STATE;
#define TLS_ST_BEFORE 0 /* NULL_STATE from enum states */
#define EVP_CIPHER_INFO EncryptedInfo
#define STACK_OF(x) WOLFSSL_STACK
@@ -450,9 +454,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
#define X509_get_ex_data wolfSSL_X509_get_ex_data
#define X509_set_ex_data wolfSSL_X509_set_ex_data
#define X509_get1_ocsp wolfSSL_X509_get1_ocsp
#ifndef WOLFSSL_HAPROXY
#define X509_get_version wolfSSL_X509_get_version
#endif
#define X509_get_signature_nid wolfSSL_X509_get_signature_nid
#define X509_set_subject_name wolfSSL_X509_set_subject_name
#define X509_set_issuer_name wolfSSL_X509_set_issuer_name
@@ -500,6 +502,10 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
#define sk_X509_pop_free wolfSSL_sk_X509_pop_free
#define sk_X509_dup wolfSSL_sk_dup
#define sk_X509_free wolfSSL_sk_X509_free
#define X509_chain_up_ref wolfSSL_X509_chain_up_ref
#define sk_X509_OBJECT_new wolfSSL_sk_X509_OBJECT_new
#define sk_X509_OBJECT_free wolfSSL_sk_X509_OBJECT_free
#define sk_X509_EXTENSION_num wolfSSL_sk_X509_EXTENSION_num
#define sk_X509_EXTENSION_value wolfSSL_sk_X509_EXTENSION_value
@@ -535,6 +541,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
#define X509_NAME_add_entry_by_txt wolfSSL_X509_NAME_add_entry_by_txt
#define X509_NAME_add_entry_by_NID wolfSSL_X509_NAME_add_entry_by_NID
#define X509_NAME_delete_entry wolfSSL_X509_NAME_delete_entry
#define X509_NAME_hash wolfSSL_X509_NAME_hash
#define X509_NAME_oneline wolfSSL_X509_NAME_oneline
#define X509_NAME_get_index_by_NID wolfSSL_X509_NAME_get_index_by_NID
#define X509_NAME_print_ex wolfSSL_X509_NAME_print_ex
@@ -549,6 +556,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
#define sk_ACCESS_DESCRIPTION_value wolfSSL_sk_ACCESS_DESCRIPTION_value
#define sk_X509_NAME_new wolfSSL_sk_X509_NAME_new
#define sk_X509_NAME_new_null() wolfSSL_sk_X509_NAME_new(NULL)
#define sk_X509_NAME_push wolfSSL_sk_X509_NAME_push
#define sk_X509_NAME_find wolfSSL_sk_X509_NAME_find
#define sk_X509_NAME_set_cmp_func wolfSSL_sk_X509_NAME_set_cmp_func
@@ -668,6 +676,9 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define X509_OBJECT_free_contents wolfSSL_X509_OBJECT_free_contents
#define X509_OBJECT_get0_X509 wolfSSL_X509_OBJECT_get0_X509
#define X509_OBJECT_get0_X509_CRL wolfSSL_X509_OBJECT_get0_X509_CRL
#define X509_check_purpose(...) 0
#define OCSP_parse_url wolfSSL_OCSP_parse_url
@@ -787,6 +798,8 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define ASN1_STRING_set_default_mask_asc(...) 1
#endif
#define ASN1_OCTET_STRING_free wolfSSL_ASN1_STRING_free
#define ASN1_PRINTABLE_type(...) V_ASN1_PRINTABLESTRING
#define ASN1_UTCTIME_pr wolfSSL_ASN1_UTCTIME_pr
@@ -903,6 +916,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define ERR_error_string wolfSSL_ERR_error_string
#define ERR_error_string_n wolfSSL_ERR_error_string_n
#define ERR_reason_error_string wolfSSL_ERR_reason_error_string
#define ERR_func_error_string wolfSSL_ERR_func_error_string
#define ERR_load_BIO_strings wolfSSL_ERR_load_BIO_strings
#ifndef WOLFCRYPT_ONLY
@@ -926,6 +940,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define SSL_CTX_clear_options wolfSSL_CTX_clear_options
#define SSL_CTX_check_private_key wolfSSL_CTX_check_private_key
#define SSL_CTX_get0_privatekey wolfSSL_CTX_get0_privatekey
#define SSL_check_private_key wolfSSL_check_private_key
#define SSL_CTX_set_mode wolfSSL_CTX_set_mode
@@ -1102,12 +1117,16 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define SSL_CTX_set_min_proto_version wolfSSL_CTX_set_min_proto_version
#define SSL_CTX_set_max_proto_version wolfSSL_CTX_set_max_proto_version
#define SSL_set_min_proto_version wolfSSL_set_min_proto_version
#define SSL_set_max_proto_version wolfSSL_set_max_proto_version
#define SSL_CTX_get_min_proto_version wolfSSL_CTX_get_min_proto_version
#define SSL_get_tlsext_status_exts wolfSSL_get_tlsext_status_exts
#define SSL_CTX_get_tlsext_ticket_keys wolfSSL_CTX_get_tlsext_ticket_keys
#define SSL_CTX_set_tlsext_ticket_keys wolfSSL_CTX_set_tlsext_ticket_keys
#define SSL_CTX_get_tlsext_status_cb wolfSSL_CTX_get_tlsext_status_cb
#define SSL_CTX_set_tlsext_status_cb wolfSSL_CTX_set_tlsext_status_cb
#define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS 11
#define SSL_CTRL_GET_TOTAL_RENEGOTIATIONS 12
@@ -1225,9 +1244,9 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define SSL3_AL_FATAL 2
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_ALERT_FATAL alert_fatal
#define SSL_TLSEXT_ERR_ALERT_WARNING alert_warning
#define SSL_TLSEXT_ERR_NOACK alert_warning
#define SSL_TLSEXT_ERR_ALERT_WARNING warning_return
#define SSL_TLSEXT_ERR_ALERT_FATAL fatal_return
#define SSL_TLSEXT_ERR_NOACK noack_return
#define TLSEXT_NAMETYPE_host_name WOLFSSL_SNI_HOST_NAME
#define SSL_set_tlsext_host_name wolfSSL_set_tlsext_host_name
@@ -1241,6 +1260,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define PSK_MAX_IDENTITY_LEN 128
#define SSL_CTX_clear_options wolfSSL_CTX_clear_options
#define SSL_CTX_add_server_custom_ext(...) 0
#endif /* HAVE_STUNNEL || WOLFSSL_NGINX */
@@ -1400,8 +1420,9 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define sk_X509_OBJECT_num wolfSSL_sk_X509_OBJECT_num
#define sk_X509_OBJECT_value wolfSSL_sk_X509_OBJECT_value
#define sk_X509_OBJECT_delete wolfSSL_sk_X509_OBJECT_delete
#define X509_OBJECT_new wolfSSL_X509_OBJECT_new
#define X509_OBJECT_free wolfSSL_X509_OBJECT_free
#define X509_OBJECT_get_type(x) 0
#define X509_OBJECT_get_type wolfSSL_X509_OBJECT_get_type
#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
#define OpenSSL_version(x) wolfSSL_OpenSSL_version(x)
#else
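Review bot: The remap at L1199-1201 changes the meaning of `SSL_TLSEXT_ERR_NOACK`: it used to share a value with `SSL_TLSEXT_ERR_ALERT_WARNING`, so an SNI callback returning NOACK produced a warning alert, whereas `noack_return` is now a distinct value that presumably continues the handshake without an alert. That is the OpenSSL behaviour, but any dispatch site that still switches only on `alert_warning`/`alert_fatal` will see the new value as an unknown return, so the callback-dispatch code (not in this section) should be checked and a comment added here: `/* NOACK is deliberately distinct from ALERT_WARNING: handshake continues with no SNI ack and no alert */`. Separately, the new `SSL_CTX_get_tlsext_ticket_keys`/`SSL_CTX_set_tlsext_ticket_keys` aliases at L1187-1188 move ticket-encryption key material through caller buffers, so the wolfSSL declarations they point to (outside this section) should state the expected buffer length and that callers wipe the buffer after use.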


@@ -547,6 +547,9 @@ struct WOLFSSL_X509_STORE {
int isDynamic;
WOLFSSL_X509_VERIFY_PARAM* param; /* certificate validation parameter */
#endif
#ifdef OPENSSL_ALL
WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* objs; /* object stack cache */
#endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
WOLFSSL_X509_STORE_CTX_verify_cb verify_cb;
#endif
@@ -600,8 +603,14 @@ typedef struct WOLFSSL_X509_REVOKED {
WOLFSSL_ASN1_INTEGER* serialNumber; /* stunnel dereference */
} WOLFSSL_X509_REVOKED;
typedef enum {
WOLFSSL_X509_LU_NONE = 0,
WOLFSSL_X509_LU_X509,
WOLFSSL_X509_LU_CRL
} WOLFSSL_X509_LOOKUP_TYPE;
typedef struct WOLFSSL_X509_OBJECT {
WOLFSSL_X509_LOOKUP_TYPE type;
union {
char* ptr;
WOLFSSL_X509 *x509;
@@ -707,6 +716,12 @@ enum AlertLevel {
alert_fatal = 2
};
enum SNICbReturn {
warning_return = alert_warning,
fatal_return = alert_fatal,
noack_return,
};
/* WS_RETURN_CODE macro
* Some OpenSSL APIs specify "0" as the return value when an error occurs.
* However, some corresponding wolfSSL APIs return negative values. Such
@@ -1256,6 +1271,7 @@ WOLFSSL_API char* wolfSSL_ERR_error_string(unsigned long,char*);
WOLFSSL_API void wolfSSL_ERR_error_string_n(unsigned long e, char* buf,
unsigned long sz);
WOLFSSL_API const char* wolfSSL_ERR_reason_error_string(unsigned long);
WOLFSSL_API const char* wolfSSL_ERR_func_error_string(unsigned long);
/* extras */
@@ -1367,10 +1383,12 @@ WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl);
/* what's ref count */
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void);
#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_ALL)
#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
WOLFSSL_API int wolfSSL_RSA_up_ref(WOLFSSL_RSA* rsa);
WOLFSSL_API int wolfSSL_X509_up_ref(WOLFSSL_X509* x509);
WOLFSSL_API int wolfSSL_EVP_PKEY_up_ref(WOLFSSL_EVP_PKEY* pkey);
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)*
wolfSSL_X509_chain_up_ref(WOLF_STACK_OF(WOLFSSL_X509)* chain);
#endif
WOLFSSL_API int wolfSSL_OCSP_parse_url(char* url, char** host, char** port,
@@ -1545,6 +1563,7 @@ WOLFSSL_API void wolfSSL_X509_get0_signature(const WOLFSSL_ASN1_BIT_STRING **psi
WOLFSSL_API int wolfSSL_X509_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509);
WOLFSSL_ABI WOLFSSL_API char* wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME*,
char*, int);
WOLFSSL_API unsigned long wolfSSL_X509_NAME_hash(WOLFSSL_X509_NAME*);
#if defined(OPENSSL_EXTRA) && defined(XSNPRINTF)
WOLFSSL_API char* wolfSSL_X509_get_name_oneline(WOLFSSL_X509_NAME*, char*, int);
#endif
@@ -2001,28 +2020,29 @@ enum {
BIO_NOCLOSE = 0,
X509_FILETYPE_PEM = 8,
X509_LU_X509 = 9,
X509_LU_CRL = 12,
X509_LU_NONE = WOLFSSL_X509_LU_NONE,
X509_LU_X509 = WOLFSSL_X509_LU_X509,
X509_LU_CRL = WOLFSSL_X509_LU_CRL,
X509_V_OK = 0,
X509_V_ERR_CRL_SIGNATURE_FAILURE = 13,
X509_V_ERR_CRL_SIGNATURE_FAILURE = 8,
X509_V_ERR_CERT_HAS_EXPIRED = 10,
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 14,
X509_V_ERR_CRL_HAS_EXPIRED = 15,
X509_V_ERR_CERT_REVOKED = 16,
X509_V_ERR_CERT_CHAIN_TOO_LONG = 17,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 18,
X509_V_ERR_CERT_NOT_YET_VALID = 19,
X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 20,
X509_V_ERR_CERT_HAS_EXPIRED = 21,
X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 22,
X509_V_ERR_CERT_REJECTED = 23,
X509_V_ERR_CERT_REVOKED = 23,
X509_V_ERR_CERT_REJECTED = 24,
/* Required for Nginx */
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 24,
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 25,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 26,
X509_V_ERR_CERT_UNTRUSTED = 27,
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 28,
X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 25,
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 26,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 27,
X509_V_ERR_CERT_UNTRUSTED = 28,
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 29,
X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 30,
/* additional X509_V_ERR_* enums not used in wolfSSL */
X509_V_ERR_UNABLE_TO_GET_CRL,
X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
@@ -2160,10 +2180,11 @@ enum { /* ssl Constants */
WOLFSSL_FILETYPE_RAW = 3, /* NTRU raw key blob */
WOLFSSL_VERIFY_NONE = 0,
WOLFSSL_VERIFY_PEER = 1,
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2,
WOLFSSL_VERIFY_CLIENT_ONCE = 4,
WOLFSSL_VERIFY_FAIL_EXCEPT_PSK = 8,
WOLFSSL_VERIFY_PEER = 1 << 0,
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT = 1 << 1,
WOLFSSL_VERIFY_CLIENT_ONCE = 1 << 2,
WOLFSSL_VERIFY_FAIL_EXCEPT_PSK = 1 << 3,
WOLFSSL_VERIFY_DEFAULT = 1 << 9,
WOLFSSL_SESS_CACHE_OFF = 0x0000,
WOLFSSL_SESS_CACHE_CLIENT = 0x0001,
@@ -2300,6 +2321,8 @@ WOLFSSL_API long wolfSSL_CTX_clear_options(WOLFSSL_CTX*, long);
#if !defined(NO_CHECK_PRIVATE_KEY)
WOLFSSL_API int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX*);
#endif
WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(const WOLFSSL_CTX*);
WOLFSSL_API void wolfSSL_ERR_free_strings(void);
WOLFSSL_API void wolfSSL_ERR_remove_state(unsigned long);
WOLFSSL_API int wolfSSL_clear(WOLFSSL* ssl);
@@ -2376,7 +2399,7 @@ WOLFSSL_API int wolfSSL_CTX_set_ex_data_with_cleanup(
wolfSSL_ex_data_cleanup_routine_t cleanup_routine);
#endif
WOLFSSL_API void wolfSSL_CTX_sess_set_get_cb(WOLFSSL_CTX*,
WOLFSSL_SESSION*(*f)(WOLFSSL*, unsigned char*, int, int*));
WOLFSSL_SESSION*(*f)(WOLFSSL*, const unsigned char*, int, int*));
WOLFSSL_API void wolfSSL_CTX_sess_set_new_cb(WOLFSSL_CTX*,
int (*f)(WOLFSSL*, WOLFSSL_SESSION*));
WOLFSSL_API void wolfSSL_CTX_sess_set_remove_cb(WOLFSSL_CTX*,
@@ -3794,6 +3817,8 @@ WOLFSSL_API int wolfSSL_get_server_tmp_key(const WOLFSSL*, WOLFSSL_EVP_PKEY**);
WOLFSSL_API int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX*, int);
WOLFSSL_API int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX*, int);
WOLFSSL_API int wolfSSL_set_min_proto_version(WOLFSSL*, int);
WOLFSSL_API int wolfSSL_set_max_proto_version(WOLFSSL*, int);
WOLFSSL_API int wolfSSL_CTX_get_min_proto_version(WOLFSSL_CTX*);
WOLFSSL_API int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey);
@@ -3977,6 +4002,10 @@ WOLFSSL_API int wolfSSL_CIPHER_get_bits(const WOLFSSL_CIPHER *c, int *alg_bits);
WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_X509_new(void);
WOLFSSL_API int wolfSSL_sk_X509_num(const WOLF_STACK_OF(WOLFSSL_X509) *s);
WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_X509_OBJECT_new(void);
WOLFSSL_API void wolfSSL_sk_X509_OBJECT_free(WOLFSSL_STACK* s);
WOLFSSL_API int wolfSSL_sk_X509_OBJECT_push(WOLFSSL_STACK* sk, WOLFSSL_X509_OBJECT* obj);
WOLFSSL_API WOLFSSL_X509_INFO *wolfSSL_X509_INFO_new(void);
WOLFSSL_API void wolfSSL_X509_INFO_free(WOLFSSL_X509_INFO* info);
@@ -4123,11 +4152,16 @@ WOLFSSL_API void wolfSSL_THREADID_current(WOLFSSL_CRYPTO_THREADID* id);
WOLFSSL_API unsigned long wolfSSL_THREADID_hash(
const WOLFSSL_CRYPTO_THREADID* id);
WOLFSSL_API WOLFSSL_X509_LOOKUP_TYPE wolfSSL_X509_OBJECT_get_type(
const WOLFSSL_X509_OBJECT*);
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_OBJECT)*
wolfSSL_X509_STORE_get0_objects(WOLFSSL_X509_STORE *);
WOLFSSL_API WOLFSSL_X509_OBJECT*
wolfSSL_sk_X509_OBJECT_delete(WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* sk, int i);
WOLFSSL_API void wolfSSL_X509_OBJECT_free(WOLFSSL_X509_OBJECT *a);
WOLFSSL_API WOLFSSL_X509_OBJECT* wolfSSL_X509_OBJECT_new(void);
WOLFSSL_API void wolfSSL_X509_OBJECT_free(WOLFSSL_X509_OBJECT *obj);
WOLFSSL_API WOLFSSL_X509 *wolfSSL_X509_OBJECT_get0_X509(const WOLFSSL_X509_OBJECT *obj);
WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_X509_OBJECT_get0_X509_CRL(WOLFSSL_X509_OBJECT *obj);
#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || HAVE_LIGHTY */
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
@@ -4275,8 +4309,9 @@ WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, ticketCompat
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
WOLFSSL_API int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx,
WOLF_STACK_OF(X509)** chain);
WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx,
int(*)(WOLFSSL*, void*));
typedef int(*tlsextStatusCb)(WOLFSSL*, void*);
WOLFSSL_API int wolfSSL_CTX_get_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb* cb);
WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, tlsextStatusCb cb);
WOLFSSL_API int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer,
WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_X509 *x);
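Review bot: The renumbering at L1293-1319 silently changes ABI-visible constants: `X509_V_ERR_CERT_REVOKED` moves from 16 to 23, the old value of `X509_V_ERR_CERT_REJECTED`, so a verify callback built against the previous header that deliberately tolerates `X509_V_ERR_CERT_REJECTED` could, when run against the new library, be tolerating revoked certificates. The block also ends up only partly aligned with OpenSSL — `CRL_SIGNATURE_FAILURE`, `CERT_HAS_EXPIRED` and `CERT_REVOKED` now match OpenSSL's numbers while `CERT_REJECTED` (28 in OpenSSL) and `DEPTH_ZERO_SELF_SIGNED_CERT` (18 in OpenSSL) do not — and the implicit-value run after L1320 shifts by one with it, which the `/* Required for Nginx */` comment does not explain. Suggest a comment at the top of the run stating which entries are contractual with OpenSSL and why the rest differ, and a release note that callers comparing these numerically must rebuild. The `noack_return` enumerator at L1252 gets its value 3 implicitly from the two alert values before it; since it is exported as `SSL_TLSEXT_ERR_NOACK`, whose OpenSSL value is also 3, make that explicit with `noack_return = 3, /* must equal OpenSSL SSL_TLSEXT_ERR_NOACK */`.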


@@ -2572,8 +2572,8 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
#ifdef HAVE_EXT_CACHE
static WC_INLINE WOLFSSL_SESSION* mySessGetCb(WOLFSSL* ssl, unsigned char* id,
int id_len, int* copy)
static WC_INLINE WOLFSSL_SESSION* mySessGetCb(WOLFSSL* ssl,
const unsigned char* id, int id_len, int* copy)
{
(void)ssl;
(void)id;


@@ -316,7 +316,11 @@ enum Misc_ASN {
MAX_DATE_SIZE = 32,
ASN_GEN_TIME_SZ = 15, /* 7 numbers * 2 + Zulu tag */
#ifndef NO_RSA
MAX_ENCODED_SIG_SZ = 512,
#ifdef WOLFSSL_HAPROXY
MAX_ENCODED_SIG_SZ = 1024, /* Supports 8192 bit keys */
#else
MAX_ENCODED_SIG_SZ = 512, /* Supports 4096 bit keys */
#endif
#elif defined(HAVE_ECC)
MAX_ENCODED_SIG_SZ = 140,
#elif defined(HAVE_CURVE448)