From 900edc04e5ef67fd6999a76870cb27b43d7978f7 Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Wed, 12 Aug 2015 10:10:30 -0600 Subject: [PATCH 1/9] Adding sni to mimic openssl functionality --- configure.ac | 11 +- src/internal.c | 319 ++++++++++++++++++++++--------------- src/ssl.c | 352 +++++++++++++++++++++++++++++++++++++++++ src/tls.c | 38 +++-- wolfssl/internal.h | 4 + wolfssl/openssl/ocsp.h | 69 +++++++- wolfssl/openssl/ssl.h | 50 +++++- wolfssl/ssl.h | 94 ++++++++++- 8 files changed, 789 insertions(+), 148 deletions(-) diff --git a/configure.ac b/configure.ac index 57d6eb83d..27184b1d6 100644 --- a/configure.ac +++ b/configure.ac @@ -1815,6 +1815,14 @@ then AM_CFLAGS="-DOPENSSL_EXTRA $AM_CFLAGS" fi + # Requires OCSP make sure on + if test "x$ENABLED_OCSP" = "xno" + then + ENABLED_OCSP="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" + AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) + fi + # Requires coding make sure on if test "x$ENABLED_CODING" = "xno" then @@ -1835,7 +1843,8 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL" AM_CONDITIONAL([BUILD_CRL], [test "x$ENABLED_CRL" = "xyes"]) fi - AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL" + AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL -DWOLFSSL_ALWAYS_VERIFY_CB" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI" fi diff --git a/src/internal.c b/src/internal.c index edc6cd33e..ec49495fa 100644 --- a/src/internal.c +++ b/src/internal.c @@ -107,6 +107,9 @@ static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, #if !defined(NO_RSA) || defined(HAVE_ECC) static int DoCertificateVerify(WOLFSSL* ssl, byte*, word32*, word32); #endif + #ifdef HAVE_STUNNEL + static int SNI_Callback(WOLFSSL* ssl); + #endif #endif @@ -1557,25 +1560,179 @@ void FreeX509(WOLFSSL_X509* x509) #endif /* NO_CERTS */ +/* This function inherits a WOLFSSL_CTX's fields into an SSL object. + It is used during initialization and to switch an ssl's CTX with + wolfSSL_Set_SSL_CTX */ +int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) +{ + if(!ssl || !ctx) + return BAD_FUNC_ARG; + + byte havePSK = 0; + byte haveAnon = 0; + byte haveRSA = 0; + byte newSSL = ssl->ctx == NULL; + (void) haveAnon; /* Squash unused var warnings */ + +#ifndef NO_RSA + haveRSA = 1; +#endif +#ifndef NO_PSK + havePSK = ctx->havePSK; +#endif /* NO_PSK */ +#ifdef HAVE_ANON + haveAnon = ctx->haveAnon; +#endif /* HAVE_ANON*/ + + /* decrement previous CTX reference count if exists. + * This should only happen if switching ctxs!*/ + if (!newSSL) { + if(LockMutex(&ssl->ctx->countMutex) != 0) { + WOLFSSL_MSG("Couldn't lock on previous CTX count mutex"); + return BAD_MUTEX_E; + } + WOLFSSL_MSG("Decrementing previous ctx reference count. Switching ctx."); + ssl->ctx->refCount--; + UnLockMutex(&ssl->ctx->countMutex); + } + + /* increment CTX reference count */ + if (LockMutex(&ctx->countMutex) != 0) { + WOLFSSL_MSG("Couldn't lock CTX count mutex"); + return BAD_MUTEX_E; + } + ctx->refCount++; + UnLockMutex(&ctx->countMutex); + ssl->ctx = ctx; /* only for passing to calls, options could change */ + ssl->version = ctx->method->version; + +#ifdef HAVE_ECC + ssl->eccTempKeySz = ctx->eccTempKeySz; + ssl->pkCurveOID = ctx->pkCurveOID; +#endif + + ssl->timeout = ctx->timeout; + ssl->verifyCallback = ctx->verifyCallback; + ssl->options.side = ctx->method->side; + ssl->options.downgrade = ctx->method->downgrade; + ssl->options.minDowngrade = ctx->minDowngrade; + + if (ssl->options.side == WOLFSSL_SERVER_END) + ssl->options.haveDH = ctx->haveDH; + + ssl->options.haveNTRU = ctx->haveNTRU; + ssl->options.haveECDSAsig = ctx->haveECDSAsig; + ssl->options.haveStaticECC = ctx->haveStaticECC; + +#ifndef NO_PSK + ssl->options.havePSK = ctx->havePSK; + ssl->options.client_psk_cb = ctx->client_psk_cb; + ssl->options.server_psk_cb = ctx->server_psk_cb; +#endif /* NO_PSK */ + +#ifdef HAVE_ANON + ssl->options.haveAnon = ctx->haveAnon; +#endif +#ifndef NO_DH + ssl->options.minDhKeySz = ctx->minDhKeySz; +#endif + + ssl->options.sessionCacheOff = ctx->sessionCacheOff; + ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff; + + ssl->options.verifyPeer = ctx->verifyPeer; + ssl->options.verifyNone = ctx->verifyNone; + ssl->options.failNoCert = ctx->failNoCert; + ssl->options.sendVerify = ctx->sendVerify; + + ssl->heap = ctx->heap; /* defaults to self */ + ssl->options.partialWrite = ctx->partialWrite; + ssl->options.quietShutdown = ctx->quietShutdown; + ssl->options.groupMessages = ctx->groupMessages; + +#ifndef NO_DH + if (ssl->options.side == WOLFSSL_SERVER_END) { + ssl->buffers.serverDH_P = ctx->serverDH_P; + ssl->buffers.serverDH_G = ctx->serverDH_G; + } +#endif + +#ifndef NO_CERTS + /* ctx still owns certificate, certChain, key, dh, and cm */ + ssl->buffers.certificate = ctx->certificate; + ssl->buffers.certChain = ctx->certChain; + ssl->buffers.key = ctx->privateKey; +#endif + +#ifdef HAVE_CAVIUM + ssl->devId = ctx->devId; +#endif + +#ifndef NO_PSK + if (ctx->server_hint[0]) { /* set in CTX */ + XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint, MAX_PSK_ID_LEN); + ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0'; + } +#endif /* NO_PSK */ + + if (ctx->suites) + *ssl->suites = *ctx->suites; + else + XMEMSET(ssl->suites, 0, sizeof(Suites)); + + /* make sure server has DH parms, and add PSK if there, add NTRU too */ + if (ssl->options.side == WOLFSSL_SERVER_END) + InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, + ssl->options.haveDH, ssl->options.haveNTRU, + ssl->options.haveECDSAsig, ssl->options.haveStaticECC, + ssl->options.side); + else + InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE, + ssl->options.haveNTRU, ssl->options.haveECDSAsig, + ssl->options.haveStaticECC, ssl->options.side); + +#ifndef NO_CERTS + /* make sure server has cert and key unless using PSK or Anon + * This should be true even if just switching ssl ctx */ + if (ssl->options.side == WOLFSSL_SERVER_END && !havePSK && !haveAnon) + if (!ssl->buffers.certificate.buffer || !ssl->buffers.key.buffer) { + WOLFSSL_MSG("Server missing certificate and/or private key"); + return NO_PRIVATE_KEY; + } +#endif + + return SSL_SUCCESS; +} + + /* init everything to 0, NULL, default values before calling anything that may fail so that desctructor has a "good" state to cleanup */ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) { int ret; - byte haveRSA = 0; - byte havePSK = 0; - byte haveAnon = 0; - - (void) haveAnon; XMEMSET(ssl, 0, sizeof(WOLFSSL)); - ssl->ctx = ctx; /* only for passing to calls, options could change */ - ssl->version = ctx->method->version; + /* arrays */ + ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap, + DYNAMIC_TYPE_ARRAYS); + if (ssl->arrays == NULL) { + WOLFSSL_MSG("Arrays Memory error"); + return MEMORY_E; + } + XMEMSET(ssl->arrays, 0, sizeof(Arrays)); -#ifndef NO_RSA - haveRSA = 1; -#endif + /* suites */ + ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, + DYNAMIC_TYPE_SUITES); + if (ssl->suites == NULL) { + WOLFSSL_MSG("Suites Memory error"); + return MEMORY_E; + } + + /* Initialize SSL with the appropriate fields from it's ctx */ + if((ret = SetSSL_CTX(ssl, ctx)) != SSL_SUCCESS) + return ret; ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer; ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN; @@ -1587,12 +1744,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) InitX509(&ssl->peerCert, 0); #endif -#ifdef HAVE_ECC - ssl->eccTempKeySz = ctx->eccTempKeySz; - ssl->pkCurveOID = ctx->pkCurveOID; -#endif - - ssl->timeout = ctx->timeout; ssl->rfd = -1; /* set to invalid descriptor */ ssl->wfd = -1; @@ -1607,30 +1758,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) ssl->dtls_expected_rx = MAX_MTU; #endif - ssl->verifyCallback = ctx->verifyCallback; - ssl->options.side = ctx->method->side; - ssl->options.downgrade = ctx->method->downgrade; - ssl->options.minDowngrade = ctx->minDowngrade; - - if (ssl->options.side == WOLFSSL_SERVER_END) - ssl->options.haveDH = ctx->haveDH; - - ssl->options.haveNTRU = ctx->haveNTRU; - ssl->options.haveECDSAsig = ctx->haveECDSAsig; - ssl->options.haveStaticECC = ctx->haveStaticECC; - -#ifndef NO_PSK - havePSK = ctx->havePSK; - ssl->options.havePSK = ctx->havePSK; - ssl->options.client_psk_cb = ctx->client_psk_cb; - ssl->options.server_psk_cb = ctx->server_psk_cb; -#endif /* NO_PSK */ - -#ifdef HAVE_ANON - haveAnon = ctx->haveAnon; - ssl->options.haveAnon = ctx->haveAnon; -#endif - ssl->options.serverState = NULL_STATE; ssl->options.clientState = NULL_STATE; ssl->options.connectState = CONNECT_BEGIN; @@ -1638,49 +1765,19 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) ssl->options.handShakeState = NULL_STATE; ssl->options.processReply = doProcessInit; -#ifndef NO_DH - ssl->options.minDhKeySz = ctx->minDhKeySz; -#endif - #ifdef WOLFSSL_DTLS ssl->dtls_timeout_init = DTLS_TIMEOUT_INIT; ssl->dtls_timeout_max = DTLS_TIMEOUT_MAX; ssl->dtls_timeout = ssl->dtls_timeout_init; #endif - ssl->options.sessionCacheOff = ctx->sessionCacheOff; - ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff; - - ssl->options.verifyPeer = ctx->verifyPeer; - ssl->options.verifyNone = ctx->verifyNone; - ssl->options.failNoCert = ctx->failNoCert; - ssl->options.sendVerify = ctx->sendVerify; - #ifndef NO_OLD_TLS ssl->hmac = SSL_hmac; /* default to SSLv3 */ #else ssl->hmac = TLS_hmac; #endif - ssl->heap = ctx->heap; /* defaults to self */ - ssl->options.dtls = ssl->version.major == DTLS_MAJOR; - ssl->options.partialWrite = ctx->partialWrite; - ssl->options.quietShutdown = ctx->quietShutdown; - ssl->options.groupMessages = ctx->groupMessages; - -#ifndef NO_DH - if (ssl->options.side == WOLFSSL_SERVER_END) { - ssl->buffers.serverDH_P = ctx->serverDH_P; - ssl->buffers.serverDH_G = ctx->serverDH_G; - } -#endif -#ifndef NO_CERTS - /* ctx still owns certificate, certChain, key, dh, and cm */ - ssl->buffers.certificate = ctx->certificate; - ssl->buffers.certChain = ctx->certChain; - ssl->buffers.key = ctx->privateKey; -#endif #ifdef WOLFSSL_DTLS ssl->buffers.dtlsCtx.fd = -1; @@ -1688,10 +1785,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) ssl->cipher.ssl = ssl; -#ifdef HAVE_CAVIUM - ssl->devId = ctx->devId; -#endif - #ifdef HAVE_TLS_EXTENSIONS #ifdef HAVE_MAX_FRAGMENT ssl->max_fragment = MAX_RECORD_SIZE; @@ -1747,30 +1840,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) } #endif - /* increment CTX reference count */ - if (LockMutex(&ctx->countMutex) != 0) { - WOLFSSL_MSG("Couldn't lock CTX count mutex"); - return BAD_MUTEX_E; - } - ctx->refCount++; - UnLockMutex(&ctx->countMutex); - - /* arrays */ - ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap, - DYNAMIC_TYPE_ARRAYS); - if (ssl->arrays == NULL) { - WOLFSSL_MSG("Arrays Memory error"); - return MEMORY_E; - } - XMEMSET(ssl->arrays, 0, sizeof(Arrays)); - -#ifndef NO_PSK - if (ctx->server_hint[0]) { /* set in CTX */ - XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint, MAX_PSK_ID_LEN); - ssl->arrays->server_hint[MAX_PSK_ID_LEN - 1] = '\0'; - } -#endif /* NO_PSK */ - /* RNG */ ssl->rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), ssl->heap, DYNAMIC_TYPE_RNG); if (ssl->rng == NULL) { @@ -1783,43 +1852,10 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) return ret; } - /* suites */ - ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, - DYNAMIC_TYPE_SUITES); - if (ssl->suites == NULL) { - WOLFSSL_MSG("Suites Memory error"); - return MEMORY_E; - } - if (ctx->suites) - *ssl->suites = *ctx->suites; - else - XMEMSET(ssl->suites, 0, sizeof(Suites)); - - -#ifndef NO_CERTS - /* make sure server has cert and key unless using PSK or Anon */ - if (ssl->options.side == WOLFSSL_SERVER_END && !havePSK && !haveAnon) - if (!ssl->buffers.certificate.buffer || !ssl->buffers.key.buffer) { - WOLFSSL_MSG("Server missing certificate and/or private key"); - return NO_PRIVATE_KEY; - } -#endif #ifdef HAVE_SECRET_CALLBACK ssl->sessionSecretCb = NULL; ssl->sessionSecretCtx = NULL; #endif - - /* make sure server has DH parms, and add PSK if there, add NTRU too */ - if (ssl->options.side == WOLFSSL_SERVER_END) - InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveStaticECC, - ssl->options.side); - else - InitSuites(ssl->suites, ssl->version, haveRSA, havePSK, TRUE, - ssl->options.haveNTRU, ssl->options.haveECDSAsig, - ssl->options.haveStaticECC, ssl->options.side); - return 0; } @@ -14336,6 +14372,10 @@ int DoSessionTicket(WOLFSSL* ssl, if ((ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, 1, &clSuites))) return ret; +#ifdef HAVE_STUNNEL + if((ret=SNI_Callback(ssl))) + return ret; +#endif /*HAVE_STUNNEL*/ i += totalExtSz; #else @@ -15439,4 +15479,21 @@ int DoSessionTicket(WOLFSSL* ssl, return ret; } +#ifdef HAVE_STUNNEL + static int SNI_Callback(WOLFSSL* ssl) + { + /* Stunnel supports a custom sni callback to switch an SSL's ctx + * when SNI is received. Call it now if exists */ + if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) { + WOLFSSL_MSG("Calling custom sni callback"); + if(ssl->ctx->sniRecvCb(ssl, NULL, ssl->ctx->sniRecvCbArg) + == alert_fatal) { + WOLFSSL_MSG("Error in custom sni callback. Fatal alert"); + SendAlert(ssl, alert_fatal, unrecognized_name); + return FATAL_ERROR; + } + } + return 0; + } +#endif /* HAVE_STUNNEL */ #endif /* NO_WOLFSSL_SERVER */ diff --git a/src/ssl.c b/src/ssl.c index 74194b2ca..9fc826450 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -70,6 +70,9 @@ #include #include #include + #ifdef HAVE_STUNNEL + #include + #endif /* WITH_STUNNEL */ #ifdef WOLFSSL_SHA512 #include #endif @@ -16343,6 +16346,355 @@ const byte* wolfSSL_SESSION_get_id(WOLFSSL_SESSION* sess, unsigned int* idLen) *idLen = sess->sessionIDSz; return sess->sessionID; } + +int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME *a, const WOLFSSL_X509_NAME *b) +{ + (void) a; + (void) b; + WOLFSSL_ENTER("wolfSSL_X509_NAME_cmp"); + WOLFSSL_STUB("wolfSSL_X509_NAME_cmp"); + WOLFSSL_LEAVE("wolfSSL_X509_NAME_cmp",0); + return SSL_SUCCESS; +} + +void wolfSSL_X509_email_free(void *sk) +{ + (void)sk; + WOLFSSL_ENTER("wolfSSL_X509_email_free"); + WOLFSSL_STUB("wolfSSL_X509_email_free"); + WOLFSSL_LEAVE("wolfSSL_X509_email_free",0); +} + +WOLFSSL_STRING* wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *cert) +{ + WOLFSSL_ENTER("wolfSSL_X509_get1_ocsp"); + WOLFSSL_STUB("wolfSSL_X509_get1_ocsp"); + WOLFSSL_LEAVE("wolfSSL_X509_get1_ocsp",0); + (void)cert; + return NULL; +} + +void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* ocsp) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_CERTID_free"); + WOLFSSL_STUB("wolfSSL_OCSP_CERTID_free"); + WOLFSSL_LEAVE("wolfSSL_OCSP_CERTID_free",0); + (void)ocsp; + return; +} + +WOLFSSL_OCSP_REQUEST* wolfSSL_OCSP_REQUEST_new(void){ + WOLFSSL_ENTER("wolfSSL_OCSP_REQUEST_new"); + WOLFSSL_STUB("wolfSSL_OCSP_REQUEST_new"); + WOLFSSL_OCSP_REQUEST *or = NULL; + return or; +} + +WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(const WOLFSSL_EVP_MD* dgst, + WOLFSSL_X509* subject, WOLFSSL_X509* issuer) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_CERTID_free"); + WOLFSSL_STUB("wolfSSL_OCSP_CERTID_free"); + WOLFSSL_LEAVE("wolfSSL_OCSP_CERTID_free",0); + (void)dgst; + (void)subject; + (void)issuer; + return NULL; +} + + +void wolfSSL_OCSP_REQUEST_free(WOLFSSL_OCSP_REQUEST* request) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_REQUEST_free"); + WOLFSSL_STUB("wolfSSL_OCSP_REQUEST_free"); + WOLFSSL_LEAVE("wolfSSL_OCSP_REQUEST_free",0); + (void)request; + return; +} + +int wolfSSL_BIO_should_write(WOLFSSL_BIO *bio) +{ + WOLFSSL_ENTER("wolfSSL_BIO_should_write"); + WOLFSSL_STUB("wolfSSL_BIO_should_write"); + WOLFSSL_LEAVE("wolfSSL_BIO_should_write",0); + (void) bio; + return SSL_SUCCESS; +} + +int BIO_should_read(WOLFSSL_BIO *bio) +{ + WOLFSSL_ENTER("BIO_should_read"); + WOLFSSL_STUB("BIO_should_read"); + WOLFSSL_LEAVE("BIO_should_read",0); + (void) bio; + return SSL_SUCCESS; +} + +int wolfSSL_OCSP_check_nonce(WOLFSSL_OCSP_REQUEST *req, WOLFSSL_OCSP_BASICRESP *bs) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_check_nonce"); + WOLFSSL_STUB("wolfSSL_OCSP_check_nonce"); + WOLFSSL_LEAVE("wolfSSL_OCSP_check_nonce",0); + (void) req; + (void) bs; + return SSL_SUCCESS; +} + +int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, STACK_OF(WOLFSSL_X509) *certs, + WOLFSSL_X509_STORE *st, unsigned long flags) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_basic_verify"); + WOLFSSL_STUB("wolfSSL_OCSP_basic_verify"); + WOLFSSL_LEAVE("wolfSSL_OCSP_basic_verify",0); + (void) bs; + (void) certs; + (void) st; + (void) flags; + return SSL_SUCCESS; +} + +void wolfSSL_OCSP_REQ_CTX_free(WOLFSSL_OCSP_REQ_CTX *rctx) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_REQ_CTX_free"); + WOLFSSL_STUB("wolfSSL_OCSP_REQ_CTX_free"); + WOLFSSL_LEAVE("wolfSSL_OCSP_REQ_CTX_free",0); + (void) rctx; +} + +int wolfSSL_OCSP_RESPONSE_free( WOLFSSL_OCSP_RESPONSE* r) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_RESPONSE_free"); + WOLFSSL_STUB("wolfSSL_OCSP_RESPONSE_free"); + WOLFSSL_LEAVE("wolfSSL_OCSP_RESPONSE_free",0); + (void) r; + return SSL_SUCCESS; +} + +int wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP *basic_response) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_BASICRESP_free"); + WOLFSSL_STUB("wolfSSL_OCSP_BASICRESP_free"); + WOLFSSL_LEAVE("wolfSSL_OCSP_BASICRESP_free",0); + (void) basic_response; + return SSL_SUCCESS; +} + + +WOLFSSL_OCSP_BASICRESP *wolfSSL_OCSP_response_get1_basic(WOLFSSL_OCSP_RESPONSE *resp) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_response_get1_basic"); + WOLFSSL_STUB("wolfSSL_OCSP_response_get1_basic"); + WOLFSSL_LEAVE("wolfSSL_OCSP_response_get1_basic",0); + (void) resp; + return NULL; +} + +int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs, + WOLFSSL_OCSP_CERTID *id, int *status, + int *reason, WOLFSSL_ASN1_TIME**revtime, + WOLFSSL_ASN1_TIME**thisupd, WOLFSSL_ASN1_TIME**nextupd) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_resp_find_status"); + WOLFSSL_STUB("wolfSSL_OCSP_resp_find_status"); + WOLFSSL_LEAVE("wolfSSL_OCSP_resp_find_status",0); + (void) bs; + (void) id; + (void) status; + (void) reason; + (void) revtime; + (void) thisupd; + (void) nextupd; + return SSL_SUCCESS; +} + +int wolfSSL_OCSP_request_add1_nonce(WOLFSSL_OCSP_REQUEST *req, unsigned char *val, int len) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_request_add1_nonce"); + WOLFSSL_STUB("wolfSSL_OCSP_request_add1_nonce"); + WOLFSSL_LEAVE("wolfSSL_OCSP_request_add1_nonce",0); + (void) req; + (void) val; + (void) len; + return SSL_SUCCESS; +} + +WOLFSSL_OCSP_ONEREQ *wolfSSL_OCSP_request_add0_id(WOLFSSL_OCSP_REQUEST *req, WOLFSSL_OCSP_CERTID *cid) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_request_add0_id"); + WOLFSSL_STUB("wolfSSL_OCSP_request_add0_id"); + WOLFSSL_LEAVE("wolfSSL_OCSP_request_add0_id",0); + (void) req; + (void) cid; + return NULL; +} + +const char *wolfSSL_OCSP_crl_reason_str(long s) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_crl_reason_str"); + WOLFSSL_STUB("wolfSSL_OCSP_crl_reason_str"); + WOLFSSL_LEAVE("wolfSSL_OCSP_crl_reason_str",0); + (void) s; + return NULL; +} + +int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME*thisupd, + WOLFSSL_ASN1_TIME*nextupd, long sec, long maxsec) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_check_validity"); + WOLFSSL_STUB("wolfSSL_OCSP_check_validity"); + WOLFSSL_LEAVE("wolfSSL_OCSP_check_validity",0); + (void) thisupd; + (void) nextupd; + (void) sec; + (void) maxsec; + return SSL_SUCCESS; +} + +STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX *ctx) +{ + WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_chain"); + WOLFSSL_STUB("wolfSSL_X509_STORE_CTX_get_chain"); + WOLFSSL_LEAVE("wolfSSL_X509_STORE_CTX_get_chain",0); + (void) ctx; + return NULL; +} + +WOLFSSL_OCSP_REQ_CTX *wolfSSL_OCSP_sendreq_new(WOLFSSL_BIO *io, const char *path, WOLFSSL_OCSP_REQUEST *req, int maxline) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_sendreq_new"); + WOLFSSL_STUB("wolfSSL_OCSP_sendreq_new"); + WOLFSSL_LEAVE("wolfSSL_OCSP_sendreq_new",0); + (void) io; + (void) path; + (void) req; + (void) maxline; + return NULL; +} + +int wolfSSL_OCSP_sendreq_nbio(WOLFSSL_OCSP_RESPONSE **presp, WOLFSSL_OCSP_REQ_CTX *rctx) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_sendreq_nbio"); + WOLFSSL_STUB("wolfSSL_OCSP_sendreq_nbio"); + WOLFSSL_LEAVE("wolfSSL_OCSP_sendreq_nbio",0); + (void) presp; + (void) rctx; + return SSL_SUCCESS; +} + + +const char *wolfSSL_OCSP_cert_status_str(long s) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_cert_status_str"); + WOLFSSL_STUB("wolfSSL_OCSP_cert_status_str"); + WOLFSSL_LEAVE("wolfSSL_OCSP_cert_status_str",0); + (void) s; + return NULL; +} + +int wolfSSL_OCSP_response_status(WOLFSSL_OCSP_RESPONSE *resp) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_response_status"); + WOLFSSL_STUB("wolfSSL_OCSP_response_status"); + WOLFSSL_LEAVE("wolfSSL_OCSP_response_status",0); + (void) resp; + return SSL_SUCCESS; +} + + +const char *wolfSSL_OCSP_response_status_str(long s) +{ + WOLFSSL_ENTER("wolfSSL_OCSP_response_status_str"); + WOLFSSL_STUB("wolfSSL_OCSP_response_status_str"); + WOLFSSL_LEAVE("wolfSSL_OCSP_response_status_str",0); + (void) s; + return NULL; +} + + +int wolfSSL_sk_WOLFSSL_STRING_num(const STACK_OF(WOLFSSL_STRING)* string) +{ + WOLFSSL_ENTER("wolfSSL_sk_WOLFSSL_STRING_num"); + WOLFSSL_STUB("wolfSSL_sk_WOLFSSL_STRING_num"); + WOLFSSL_LEAVE("wolfSSL_sk_WOLFSSL_STRING_num",0); + (void) string; + return 0; +} + + +WOLFSSL_STRING wolfSSL_sk_WOLFSSL_STRING_value( + const STACK_OF(WOLFSSL_STRING)* string, int idx) +{ + WOLFSSL_ENTER("wolfSSL_sk_WOLFSSL_STRING_value"); + WOLFSSL_STUB("wolfSSL_sk_WOLFSSL_STRING_value"); + WOLFSSL_LEAVE("wolfSSL_sk_WOLFSSL_STRING_value",0); + (void) string; + (void) idx; + return 0; +} + + +int wolfSSL_set_tlsext_host_name(WOLFSSL* ssl, const char* host_name) +{ + int ret; + WOLFSSL_ENTER("wolfSSL_set_tlsext_host_name"); + ret = wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, + host_name, XSTRLEN(host_name)); + WOLFSSL_LEAVE("wolfSSL_set_tlsext_host_name", ret); + return ret; +} + + +const char * wolfSSL_get_servername(WOLFSSL* ssl, byte type) +{ + void * serverName = NULL; + if (ssl == NULL) + return NULL; + TLSX_SNI_GetRequest(ssl->extensions, type, &serverName); + return (const char *)serverName; +} + + +WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) +{ + if (ssl && ctx && SetSSL_CTX(ssl, ctx) == SSL_SUCCESS) + return ssl->ctx; + return NULL; +} + + +VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX* ctx) +{ + WOLFSSL_ENTER("wolfSSL_CTX_get_verify_callback"); + if(ctx) + return ctx->verifyCallback; + return NULL; +} + + +int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx) +{ + (void)ctx; + WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode"); + WOLFSSL_STUB("wolfSSL_CTX_get_verify_mode"); + WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode",0); + return 0; +} + + +void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX* ctx, CallbackSniRecv cb) +{ + WOLFSSL_ENTER("wolfSSL_CTX_set_servername_callback"); + if (ctx) + ctx->sniRecvCb = cb; +} + + +void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX* ctx, void* arg) +{ + WOLFSSL_ENTER("wolfSSL_CTX_set_servername_arg"); + if (ctx) + ctx->sniRecvCbArg = arg; +} #endif /* OPENSSL_EXTRA and HAVE_STUNNEL */ #if defined(OPENSSL_EXTRA) && defined(HAVE_CURVE25519) diff --git a/src/tls.c b/src/tls.c index 59bafa0ed..8c8e14181 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1003,6 +1003,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, #ifndef NO_WOLFSSL_SERVER word16 size = 0; word16 offset = 0; + byte forceKeep = 0; #endif TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION); @@ -1010,9 +1011,17 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, if (!extension) extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION); - if (!extension || !extension->data) + + + if (!extension || !extension->data) { +#if defined(WOLFSSL_ALWAYS_KEEP_SNI) && !defined(NO_WOLFSSL_SERVER) + forceKeep = 1; + WOLFSSL_MSG("Forcing SSL object to store SNI parameter"); +#else return isRequest ? 0 /* not using SNI. */ : BUFFER_ERROR; /* unexpected SNI response. */ +#endif + } if (!isRequest) return length ? BUFFER_ERROR /* SNI response MUST be empty. */ @@ -1043,14 +1052,16 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, if (offset + size > length) return BUFFER_ERROR; - if (!(sni = TLSX_SNI_Find((SNI*)extension->data, type))) + if (!forceKeep && !(sni = TLSX_SNI_Find((SNI*)extension->data, type))) continue; /* not using this type of SNI. */ switch(type) { case WOLFSSL_SNI_HOST_NAME: { - byte matched = (XSTRLEN(sni->data.host_name) == size) + int matchStat; + byte matched = forceKeep || + ((XSTRLEN(sni->data.host_name) == size) && (XSTRNCMP(sni->data.host_name, - (const char*)input + offset, size) == 0); + (const char*)input + offset, size) == 0)); if (matched || sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH) { int r = TLSX_UseSNI(&ssl->extensions, @@ -1059,12 +1070,21 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, if (r != SSL_SUCCESS) return r; /* throws error. */ - TLSX_SNI_SetStatus(ssl->extensions, type, - matched ? WOLFSSL_SNI_REAL_MATCH - : WOLFSSL_SNI_FAKE_MATCH); + if(forceKeep) { + WOLFSSL_MSG("Forcing storage of SNI, Fake match"); + matchStat = WOLFSSL_SNI_FORCE_KEEP; + } else if(matched) { + WOLFSSL_MSG("SNI did match!"); + matchStat = WOLFSSL_SNI_REAL_MATCH; + } else { + WOLFSSL_MSG("fake SNI match from ANSWER_ON_MISMATCH"); + matchStat = WOLFSSL_SNI_FAKE_MATCH; + } - TLSX_SetResponse(ssl, SERVER_NAME_INDICATION); - WOLFSSL_MSG("SNI did match!"); + TLSX_SNI_SetStatus(ssl->extensions, type, matchStat); + + if(!forceKeep) + TLSX_SetResponse(ssl, SERVER_NAME_INDICATION); } else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) { SendAlert(ssl, alert_fatal, unrecognized_name); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 18617e20f..5b690d1cd 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1668,6 +1668,8 @@ struct WOLFSSL_CTX { #endif /* OPENSSL_EXTRA */ #ifdef HAVE_STUNNEL void* ex_data[MAX_EX_DATA]; + CallbackSniRecv sniRecvCb; + void* sniRecvCbArg; #endif #ifdef HAVE_OCSP WOLFSSL_OCSP ocsp; @@ -2418,6 +2420,8 @@ struct WOLFSSL { }; +WOLFSSL_LOCAL +int SetSSL_CTX(WOLFSSL*, WOLFSSL_CTX*); WOLFSSL_LOCAL int InitSSL(WOLFSSL*, WOLFSSL_CTX*); WOLFSSL_LOCAL diff --git a/wolfssl/openssl/ocsp.h b/wolfssl/openssl/ocsp.h index 7463eec96..768674601 100644 --- a/wolfssl/openssl/ocsp.h +++ b/wolfssl/openssl/ocsp.h @@ -1 +1,68 @@ -/* ocsp.h for libcurl */ +/* ocsp.h + * + * Copyright (C) 2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + + +#ifndef WOLFSSL_OCSP_H_ +#define WOLFSSL_OCSP_H_ + +#include +#include + +#ifdef __cplusplus + extern "C" { +#endif + +#ifdef HAVE_STUNNEL + #define X509_get1_ocsp wolfSSL_X509_get1_ocsp + #define OCSP_CERTID_free wolfSSL_OCSP_CERTID_free + #define OCSP_cert_to_id wolfSSL_OCSP_cert_to_id + #define OCSP_REQUEST_free wolfSSL_OCSP_REQUEST_free + + #define OPENSSL_STRING WOLFSSL_STRING + #define sk_OPENSSL_STRING_value wolfSSL_sk_WOLFSSL_STRING_value + #define sk_OPENSSL_STRING_num wolfSSL_sk_WOLFSSL_STRING_num + + typedef WOLFSSL_OCSP_CERTID OCSP_CERTID; + typedef char* WOLFSSL_STRING; + typedef WOLFSSL_OCSP_RESPONSE OCSP_RESPONSE; + + + WOLFSSL_API WOLFSSL_STRING *wolfSSL_X509_get1_ocsp(WOLFSSL_X509*); + WOLFSSL_API void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* cert); + WOLFSSL_API + WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(const WOLFSSL_EVP_MD*, + WOLFSSL_X509*, WOLFSSL_X509*); + + WOLFSSL_API + int wolfSSL_sk_WOLFSSL_STRING_num(const STACK_OF(WOLFSSL_STRING)*); + WOLFSSL_API WOLFSSL_STRING wolfSSL_sk_WOLFSSL_STRING_value( + const STACK_OF(WOLFSSL_STRING)*, int); + + + WOLFSSL_API void wolfSSL_OCSP_REQUEST_free(WOLFSSL_OCSP_REQUEST*); +#endif /* HAVE_STUNNEL */ + +#ifdef __cplusplus + } /* extern "C" */ +#endif + + +#endif /* WOLFSSL_EVP_H_ */ diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index cae159e55..1d6058b20 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -96,7 +96,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_get_verify_result(ctx) X509_V_OK #define SSL_get_verify_mode wolfSSL_SSL_get_mode #define SSL_get_verify_depth wolfSSL_get_verify_depth -#define SSL_CTX_get_verify_mode wolfSSL_CTX_get_mode +#define SSL_CTX_get_verify_mode wolfSSL_CTX_get_verify_mode #define SSL_CTX_get_verify_depth wolfSSL_CTX_get_verify_depth #define SSL_get_certificate(ctx) 0 /* used to pass to get_privatekey */ @@ -477,8 +477,56 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define SSL_SESSION_get_id wolfSSL_SESSION_get_id #define CRYPTO_dynlock_value WOLFSSL_dynlock_value typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; +typedef WOLFSSL_OCSP_REQUEST OCSP_REQUEST; +typedef WOLFSSL_OCSP_BASICRESP OCSP_BASICRESP; +typedef WOLFSSL_OCSP_REQ_CTX OCSP_REQ_CTX; +typedef WOLFSSL_OCSP_ONEREQ OCSP_ONEREQ; +#define V_OCSP_CERTSTATUS_UNKNOWN 2 +#define X509_V_ERR_APPLICATION_VERIFICATION 50 +#define V_OCSP_CERTSTATUS_GOOD 0 +#define V_OCSP_CERTSTATUS_REVOKED 1 +#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 +#define SSL_TLSEXT_ERR_OK 0 +#define SSL_TLSEXT_ERR_ALERT_FATAL alert_fatal +#define SSL_TLSEXT_ERR_NOACK alert_warning +#define TLSEXT_NAMETYPE_host_name WOLFSSL_SNI_HOST_NAME + +#define ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME +#define X509_NAME_cmp wolfSSL_X509_NAME_cmp +#define X509_email_free wolfSSL_X509_email_free +#define OCSP_REQUEST_new wolfSSL_OCSP_REQUEST_new +#define BIO_should_write wolfSSL_BIO_should_write +#define BIO_should_read wolfSSL_BIO_should_read + +#define OCSP_check_nonce wolfSSL_OCSP_check_nonce +#define OCSP_cert_status_str wolfSSL_OCSP_cert_status_str +#define OCSP_basic_verify wolfSSL_OCSP_basic_verify +#define OCSP_REQ_CTX_free wolfSSL_OCSP_REQ_CTX_free +#define OCSP_RESPONSE_free wolfSSL_OCSP_RESPONSE_free +#define OCSP_BASICRESP_free wolfSSL_OCSP_BASICRESP_free + +#define OCSP_response_get1_basic wolfSSL_OCSP_response_get1_basic +#define OCSP_resp_find_status wolfSSL_OCSP_resp_find_status +#define OCSP_request_add1_nonce wolfSSL_OCSP_request_add1_nonce +#define OCSP_request_add0_id wolfSSL_OCSP_request_add0_id +#define OCSP_crl_reason_str wolfSSL_OCSP_crl_reason_str +#define OCSP_check_validity wolfSSL_OCSP_check_validity + +#define X509_STORE_CTX_get_chain wolfSSL_X509_STORE_CTX_get_chain +#define OCSP_sendreq_new wolfSSL_OCSP_sendreq_new +#define OCSP_sendreq_nbio wolfSSL_OCSP_sendreq_nbio +#define OCSP_cert_status_str wolfSSL_OCSP_cert_status_str +#define OCSP_response_status wolfSSL_OCSP_response_status + +#define OCSP_response_status_str wolfSSL_OCSP_response_status_str +#define SSL_set_tlsext_host_name wolfSSL_set_tlsext_host_name +#define SSL_get_servername wolfSSL_get_servername +#define SSL_set_SSL_CTX wolfSSL_set_SSL_CTX +#define SSL_CTX_get_verify_callback wolfSSL_CTX_get_verify_callback +#define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_servername_callback +#define SSL_CTX_set_tlsext_servername_arg wolfSSL_CTX_set_servername_arg #endif /* HAVE_STUNNEL */ #ifdef __cplusplus diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index f1c492afa..edec77555 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -573,12 +573,12 @@ enum { OCSP_TRUSTOTHER = 512, OCSP_RESPID_KEY = 1024, OCSP_NOTIME = 2048, - +#ifndef HAVE_STUNNEL OCSP_CERTID = 2, OCSP_REQUEST = 4, OCSP_RESPONSE = 8, OCSP_BASICRESP = 16, - +#endif WOLFSSL_OCSP_URL_OVERRIDE = 1, WOLFSSL_OCSP_NO_NONCE = 2, WOLFSSL_OCSP_CHECKALL = 4, @@ -1315,7 +1315,8 @@ WOLFSSL_API void wolfSSL_CTX_SNI_SetOptions(WOLFSSL_CTX* ctx, enum { WOLFSSL_SNI_NO_MATCH = 0, WOLFSSL_SNI_FAKE_MATCH = 1, /**< @see WOLFSSL_SNI_ANSWER_ON_MISMATCH */ - WOLFSSL_SNI_REAL_MATCH = 2 + WOLFSSL_SNI_REAL_MATCH = 2, + WOLFSSL_SNI_FORCE_KEEP = 3 /** Used with -DWOLFSSL_ALWAYS_KEEP_SNI */ }; WOLFSSL_API unsigned char wolfSSL_SNI_Status(WOLFSSL* ssl, unsigned char type); @@ -1559,6 +1560,16 @@ WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x); #include +/* SNI received callback type */ +typedef int (*CallbackSniRecv)(WOLFSSL *ssl, int *ret, void* exArg); + +typedef struct WOLFSSL_OCSP_CERTID WOLFSSL_OCSP_CERTID; +typedef struct WOLFSSL_OCSP_RESPONSE WOLFSSL_OCSP_RESPONSE; +typedef struct WOLFSSL_OCSP_REQUEST WOLFSSL_OCSP_REQUEST; +typedef struct WOLFSSL_OCSP_BASICRESP WOLFSSL_OCSP_BASICRESP; +typedef struct WOLFSSL_OCSP_REQ_CTX WOLFSSL_OCSP_REQ_CTX; +typedef struct WOLFSSL_OCSP_ONEREQ WOLFSSL_OCSP_ONEREQ; + WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int), void *(*r) (void *, size_t, const char *, int), void (*f) (void *)); @@ -1581,7 +1592,8 @@ WOLFSSL_API int wolfSSL_sk_X509_NAME_num(const STACK_OF(WOLFSSL_X509_NAME) *s); WOLFSSL_API int wolfSSL_sk_X509_num(const STACK_OF(WOLFSSL_X509) *s); -WOLFSSL_API int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO*,WOLFSSL_X509_NAME*,int,unsigned long); +WOLFSSL_API int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO*,WOLFSSL_X509_NAME*,int, + unsigned long); WOLFSSL_API WOLFSSL_ASN1_BIT_STRING* wolfSSL_X509_get0_pubkey_bitstr( const WOLFSSL_X509*); @@ -1612,7 +1624,79 @@ WOLFSSL_API int wolfSSL_SESSION_get_ex_new_index(long,void*,void*,void*, WOLFSSL_API int wolfSSL_X509_NAME_get_sz(WOLFSSL_X509_NAME*); -WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(WOLFSSL_SESSION*, unsigned int*); +WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(WOLFSSL_SESSION*, + unsigned int*); + +WOLFSSL_API int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME *, + const WOLFSSL_X509_NAME *); + +WOLFSSL_API void wolfSSL_X509_email_free(void *); + +WOLFSSL_API WOLFSSL_OCSP_REQUEST* wolfSSL_OCSP_REQUEST_new(void); + +WOLFSSL_API int wolfSSL_BIO_should_write(WOLFSSL_BIO *); + +WOLFSSL_API int wolfSSL_BIO_should_read(WOLFSSL_BIO *); + +WOLFSSL_API int wolfSSL_OCSP_check_nonce(WOLFSSL_OCSP_REQUEST*, + WOLFSSL_OCSP_BASICRESP*); + +WOLFSSL_API int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP*, + STACK_OF(WOLFSSL_X509)*, WOLFSSL_X509_STORE*,unsigned long); + +WOLFSSL_API void wolfSSL_OCSP_REQ_CTX_free(WOLFSSL_OCSP_REQ_CTX *); + +WOLFSSL_API int wolfSSL_OCSP_RESPONSE_free( WOLFSSL_OCSP_RESPONSE*); + +WOLFSSL_API int wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP*); + +WOLFSSL_API +WOLFSSL_OCSP_BASICRESP *wolfSSL_OCSP_response_get1_basic(WOLFSSL_OCSP_RESPONSE*); + +WOLFSSL_API int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP*, + WOLFSSL_OCSP_CERTID *, int *, int *, + WOLFSSL_ASN1_TIME**, WOLFSSL_ASN1_TIME**, WOLFSSL_ASN1_TIME**); + +WOLFSSL_API int wolfSSL_OCSP_request_add1_nonce(WOLFSSL_OCSP_REQUEST *, + unsigned char *, int ); + +WOLFSSL_API +WOLFSSL_OCSP_ONEREQ *wolfSSL_OCSP_request_add0_id(WOLFSSL_OCSP_REQUEST *, + WOLFSSL_OCSP_CERTID *); + +WOLFSSL_API const char *wolfSSL_OCSP_crl_reason_str(long ); + +WOLFSSL_API int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME *, + WOLFSSL_ASN1_TIME*, long, long); +WOLFSSL_API +STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX *); + +WOLFSSL_API WOLFSSL_OCSP_REQ_CTX *wolfSSL_OCSP_sendreq_new(WOLFSSL_BIO *io, + const char *path, WOLFSSL_OCSP_REQUEST *req, int maxline); + +WOLFSSL_API int wolfSSL_OCSP_sendreq_nbio(WOLFSSL_OCSP_RESPONSE**, + WOLFSSL_OCSP_REQ_CTX *); + +WOLFSSL_API const char *wolfSSL_OCSP_cert_status_str(long); + +WOLFSSL_API int wolfSSL_OCSP_response_status(WOLFSSL_OCSP_RESPONSE *); + +WOLFSSL_API const char *wolfSSL_OCSP_response_status_str(long); + +WOLFSSL_API int wolfSSL_set_tlsext_host_name(WOLFSSL *, const char *); + +WOLFSSL_API const char* wolfSSL_get_servername(WOLFSSL *, unsigned char); + +WOLFSSL_API WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL*,WOLFSSL_CTX*); + +WOLFSSL_API VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX*); + +WOLFSSL_API int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx); + +WOLFSSL_API void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX *, + CallbackSniRecv); + +WOLFSSL_API void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX *, void*); #endif /* HAVE_STUNNEL */ #ifdef __cplusplus From 90ad5336fc9a20a95cfe04be5547264ab9d1af4e Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Wed, 12 Aug 2015 14:22:23 -0600 Subject: [PATCH 2/9] Fix uninitialized warning --- src/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tls.c b/src/tls.c index 8c8e14181..83d962529 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1040,7 +1040,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, return BUFFER_ERROR; for (size = 0; offset < length; offset += size) { - SNI *sni; + SNI *sni = NULL; byte type = input[offset++]; if (offset + OPAQUE16_LEN > length) From 1787e04b23a2558b30316a94a51b6b81525745ac Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Wed, 12 Aug 2015 15:48:30 -0600 Subject: [PATCH 3/9] Enum should be int, not byte --- src/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tls.c b/src/tls.c index 83d962529..9c3e33903 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1003,7 +1003,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, #ifndef NO_WOLFSSL_SERVER word16 size = 0; word16 offset = 0; - byte forceKeep = 0; + int forceKeep = 0; #endif TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION); From 122b94ea6e572d30c3d99c15ca625d1f024c48ab Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Wed, 12 Aug 2015 20:38:51 -0600 Subject: [PATCH 4/9] Stunnel needs sni and tlsext --- configure.ac | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/configure.ac b/configure.ac index 27184b1d6..d373d1d16 100644 --- a/configure.ac +++ b/configure.ac @@ -1843,6 +1843,14 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL" AM_CONDITIONAL([BUILD_CRL], [test "x$ENABLED_CRL" = "xyes"]) fi + + # Requires tlsx, make sure on + if test "x$ENABLED_TLSX" = "xno" + then + ENABLED_TLSX="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES" + fi + AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL -DWOLFSSL_ALWAYS_VERIFY_CB" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI" fi From 0b72b28b13ece2e1d58d723044580e94f15b402e Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Thu, 13 Aug 2015 15:32:22 -0600 Subject: [PATCH 5/9] reorganize InitSSL. Rename forcekeep->cacheOnly. Free instead of decrement --- src/internal.c | 54 +++++++++++++++++++++++--------------------------- src/tls.c | 15 ++++++++------ 2 files changed, 34 insertions(+), 35 deletions(-) diff --git a/src/internal.c b/src/internal.c index ec49495fa..dedd2c4d8 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1587,13 +1587,8 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) /* decrement previous CTX reference count if exists. * This should only happen if switching ctxs!*/ if (!newSSL) { - if(LockMutex(&ssl->ctx->countMutex) != 0) { - WOLFSSL_MSG("Couldn't lock on previous CTX count mutex"); - return BAD_MUTEX_E; - } - WOLFSSL_MSG("Decrementing previous ctx reference count. Switching ctx."); - ssl->ctx->refCount--; - UnLockMutex(&ssl->ctx->countMutex); + WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx."); + wolfSSL_CTX_free(ssl->ctx); } /* increment CTX reference count */ @@ -1713,27 +1708,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) XMEMSET(ssl, 0, sizeof(WOLFSSL)); - /* arrays */ - ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap, - DYNAMIC_TYPE_ARRAYS); - if (ssl->arrays == NULL) { - WOLFSSL_MSG("Arrays Memory error"); - return MEMORY_E; - } - XMEMSET(ssl->arrays, 0, sizeof(Arrays)); - - /* suites */ - ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, - DYNAMIC_TYPE_SUITES); - if (ssl->suites == NULL) { - WOLFSSL_MSG("Suites Memory error"); - return MEMORY_E; - } - - /* Initialize SSL with the appropriate fields from it's ctx */ - if((ret = SetSSL_CTX(ssl, ctx)) != SSL_SUCCESS) - return ret; - ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer; ssl->buffers.inputBuffer.bufferSize = STATIC_BUFFER_LEN; @@ -1777,7 +1751,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) ssl->hmac = TLS_hmac; #endif - ssl->options.dtls = ssl->version.major == DTLS_MAJOR; #ifdef WOLFSSL_DTLS ssl->buffers.dtlsCtx.fd = -1; @@ -1802,6 +1775,29 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx) /* all done with init, now can return errors, call other stuff */ + /* arrays */ + ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap, + DYNAMIC_TYPE_ARRAYS); + if (ssl->arrays == NULL) { + WOLFSSL_MSG("Arrays Memory error"); + return MEMORY_E; + } + XMEMSET(ssl->arrays, 0, sizeof(Arrays)); + + /* suites */ + ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, + DYNAMIC_TYPE_SUITES); + if (ssl->suites == NULL) { + WOLFSSL_MSG("Suites Memory error"); + return MEMORY_E; + } + + /* Initialize SSL with the appropriate fields from it's ctx */ + if((ret = SetSSL_CTX(ssl, ctx)) != SSL_SUCCESS) + return ret; + + ssl->options.dtls = ssl->version.major == DTLS_MAJOR; + /* hsHashes */ ssl->hsHashes = (HS_Hashes*)XMALLOC(sizeof(HS_Hashes), ssl->heap, DYNAMIC_TYPE_HASHES); diff --git a/src/tls.c b/src/tls.c index 9c3e33903..c0bdcd305 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1003,7 +1003,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, #ifndef NO_WOLFSSL_SERVER word16 size = 0; word16 offset = 0; - int forceKeep = 0; + int cacheOnly = 0; #endif TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION); @@ -1015,7 +1015,10 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, if (!extension || !extension->data) { #if defined(WOLFSSL_ALWAYS_KEEP_SNI) && !defined(NO_WOLFSSL_SERVER) - forceKeep = 1; + /* This will keep SNI even though TLSX_UseSNI has not been called. + * Enable it so that the received sni is available to functions + * that use a custom callback when SNI is received */ + cacheOnly = 1; WOLFSSL_MSG("Forcing SSL object to store SNI parameter"); #else return isRequest ? 0 /* not using SNI. */ @@ -1052,13 +1055,13 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, if (offset + size > length) return BUFFER_ERROR; - if (!forceKeep && !(sni = TLSX_SNI_Find((SNI*)extension->data, type))) + if (!cacheOnly && !(sni = TLSX_SNI_Find((SNI*)extension->data, type))) continue; /* not using this type of SNI. */ switch(type) { case WOLFSSL_SNI_HOST_NAME: { int matchStat; - byte matched = forceKeep || + byte matched = cacheOnly || ((XSTRLEN(sni->data.host_name) == size) && (XSTRNCMP(sni->data.host_name, (const char*)input + offset, size) == 0)); @@ -1070,7 +1073,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, if (r != SSL_SUCCESS) return r; /* throws error. */ - if(forceKeep) { + if(cacheOnly) { WOLFSSL_MSG("Forcing storage of SNI, Fake match"); matchStat = WOLFSSL_SNI_FORCE_KEEP; } else if(matched) { @@ -1083,7 +1086,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, TLSX_SNI_SetStatus(ssl->extensions, type, matchStat); - if(!forceKeep) + if(!cacheOnly) TLSX_SetResponse(ssl, SERVER_NAME_INDICATION); } else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) { From 565f2ce1d773cdb84b14c5af3dac114e6b09b8fa Mon Sep 17 00:00:00 2001 From: Ada Lovelace Date: Fri, 14 Aug 2015 10:19:09 -0600 Subject: [PATCH 6/9] Stunnel with psk compiles against --- wolfssl/openssl/ssl.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 1d6058b20..0bcd77a63 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -527,6 +527,12 @@ typedef WOLFSSL_OCSP_ONEREQ OCSP_ONEREQ; #define SSL_CTX_get_verify_callback wolfSSL_CTX_get_verify_callback #define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_servername_callback #define SSL_CTX_set_tlsext_servername_arg wolfSSL_CTX_set_servername_arg + +/*changes for PSK*/ +#define PSK_MAX_PSK_LEN 256 +#define PSK_MAX_IDENTITY_LEN 128 + + #endif /* HAVE_STUNNEL */ #ifdef __cplusplus From d336268caa94c1aa55f636803675c4664daaa5c5 Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Thu, 27 Aug 2015 11:05:29 -0600 Subject: [PATCH 7/9] Turns on PSK when compiling for stunnel --- configure.ac | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/configure.ac b/configure.ac index d373d1d16..a4453f573 100644 --- a/configure.ac +++ b/configure.ac @@ -836,16 +836,6 @@ AC_ARG_ENABLE([psk], [ ENABLED_PSK=no ] ) -if test "$ENABLED_PSK" = "no" && test "$ENABLED_LEANPSK" = "no" -then - AM_CFLAGS="$AM_CFLAGS -DNO_PSK" -fi - -if test "$ENABLED_PSK" = "no" && test "$ENABLED_LEANPSK" = "yes" -then - ENABLED_PSK=yes -fi - # ERROR STRINGS AC_ARG_ENABLE([errorstrings], @@ -1855,6 +1845,20 @@ then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI" fi +if test "$ENABLED_PSK" = "no" && test "$ENABLED_LEANPSK" = "no" \ + && test "x$ENABLED_STUNNEL" = "xno" +then + echo "Defining NO PSK" + echo "ENABLED_STUNNEL = $ENABLED_STUNNEL" + echo "ENABLED_LEANPSK = $ENABLED_LEANPSK" + AM_CFLAGS="$AM_CFLAGS -DNO_PSK" +fi + +if test "$ENABLED_PSK" = "no" && \ + (test "$ENABLED_LEANPSK" = "yes" || test "x$ENABLED_STUNNEL" = "xyes") +then + ENABLED_PSK=yes +fi # MD4 AC_ARG_ENABLE([md4], From 42428f10ad3d95bf65136fadca682299453fe69c Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Thu, 27 Aug 2015 13:27:33 -0600 Subject: [PATCH 8/9] Remove uneccessary defines from compat. layer --- src/ssl.c | 304 ++--------------------------------------- wolfssl/openssl/ocsp.h | 69 +--------- wolfssl/openssl/ssl.h | 39 ------ wolfssl/ssl.h | 67 +-------- 4 files changed, 18 insertions(+), 461 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 9fc826450..8980aff21 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16347,291 +16347,6 @@ const byte* wolfSSL_SESSION_get_id(WOLFSSL_SESSION* sess, unsigned int* idLen) return sess->sessionID; } -int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME *a, const WOLFSSL_X509_NAME *b) -{ - (void) a; - (void) b; - WOLFSSL_ENTER("wolfSSL_X509_NAME_cmp"); - WOLFSSL_STUB("wolfSSL_X509_NAME_cmp"); - WOLFSSL_LEAVE("wolfSSL_X509_NAME_cmp",0); - return SSL_SUCCESS; -} - -void wolfSSL_X509_email_free(void *sk) -{ - (void)sk; - WOLFSSL_ENTER("wolfSSL_X509_email_free"); - WOLFSSL_STUB("wolfSSL_X509_email_free"); - WOLFSSL_LEAVE("wolfSSL_X509_email_free",0); -} - -WOLFSSL_STRING* wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *cert) -{ - WOLFSSL_ENTER("wolfSSL_X509_get1_ocsp"); - WOLFSSL_STUB("wolfSSL_X509_get1_ocsp"); - WOLFSSL_LEAVE("wolfSSL_X509_get1_ocsp",0); - (void)cert; - return NULL; -} - -void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* ocsp) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_CERTID_free"); - WOLFSSL_STUB("wolfSSL_OCSP_CERTID_free"); - WOLFSSL_LEAVE("wolfSSL_OCSP_CERTID_free",0); - (void)ocsp; - return; -} - -WOLFSSL_OCSP_REQUEST* wolfSSL_OCSP_REQUEST_new(void){ - WOLFSSL_ENTER("wolfSSL_OCSP_REQUEST_new"); - WOLFSSL_STUB("wolfSSL_OCSP_REQUEST_new"); - WOLFSSL_OCSP_REQUEST *or = NULL; - return or; -} - -WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(const WOLFSSL_EVP_MD* dgst, - WOLFSSL_X509* subject, WOLFSSL_X509* issuer) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_CERTID_free"); - WOLFSSL_STUB("wolfSSL_OCSP_CERTID_free"); - WOLFSSL_LEAVE("wolfSSL_OCSP_CERTID_free",0); - (void)dgst; - (void)subject; - (void)issuer; - return NULL; -} - - -void wolfSSL_OCSP_REQUEST_free(WOLFSSL_OCSP_REQUEST* request) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_REQUEST_free"); - WOLFSSL_STUB("wolfSSL_OCSP_REQUEST_free"); - WOLFSSL_LEAVE("wolfSSL_OCSP_REQUEST_free",0); - (void)request; - return; -} - -int wolfSSL_BIO_should_write(WOLFSSL_BIO *bio) -{ - WOLFSSL_ENTER("wolfSSL_BIO_should_write"); - WOLFSSL_STUB("wolfSSL_BIO_should_write"); - WOLFSSL_LEAVE("wolfSSL_BIO_should_write",0); - (void) bio; - return SSL_SUCCESS; -} - -int BIO_should_read(WOLFSSL_BIO *bio) -{ - WOLFSSL_ENTER("BIO_should_read"); - WOLFSSL_STUB("BIO_should_read"); - WOLFSSL_LEAVE("BIO_should_read",0); - (void) bio; - return SSL_SUCCESS; -} - -int wolfSSL_OCSP_check_nonce(WOLFSSL_OCSP_REQUEST *req, WOLFSSL_OCSP_BASICRESP *bs) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_check_nonce"); - WOLFSSL_STUB("wolfSSL_OCSP_check_nonce"); - WOLFSSL_LEAVE("wolfSSL_OCSP_check_nonce",0); - (void) req; - (void) bs; - return SSL_SUCCESS; -} - -int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, STACK_OF(WOLFSSL_X509) *certs, - WOLFSSL_X509_STORE *st, unsigned long flags) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_basic_verify"); - WOLFSSL_STUB("wolfSSL_OCSP_basic_verify"); - WOLFSSL_LEAVE("wolfSSL_OCSP_basic_verify",0); - (void) bs; - (void) certs; - (void) st; - (void) flags; - return SSL_SUCCESS; -} - -void wolfSSL_OCSP_REQ_CTX_free(WOLFSSL_OCSP_REQ_CTX *rctx) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_REQ_CTX_free"); - WOLFSSL_STUB("wolfSSL_OCSP_REQ_CTX_free"); - WOLFSSL_LEAVE("wolfSSL_OCSP_REQ_CTX_free",0); - (void) rctx; -} - -int wolfSSL_OCSP_RESPONSE_free( WOLFSSL_OCSP_RESPONSE* r) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_RESPONSE_free"); - WOLFSSL_STUB("wolfSSL_OCSP_RESPONSE_free"); - WOLFSSL_LEAVE("wolfSSL_OCSP_RESPONSE_free",0); - (void) r; - return SSL_SUCCESS; -} - -int wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP *basic_response) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_BASICRESP_free"); - WOLFSSL_STUB("wolfSSL_OCSP_BASICRESP_free"); - WOLFSSL_LEAVE("wolfSSL_OCSP_BASICRESP_free",0); - (void) basic_response; - return SSL_SUCCESS; -} - - -WOLFSSL_OCSP_BASICRESP *wolfSSL_OCSP_response_get1_basic(WOLFSSL_OCSP_RESPONSE *resp) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_response_get1_basic"); - WOLFSSL_STUB("wolfSSL_OCSP_response_get1_basic"); - WOLFSSL_LEAVE("wolfSSL_OCSP_response_get1_basic",0); - (void) resp; - return NULL; -} - -int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs, - WOLFSSL_OCSP_CERTID *id, int *status, - int *reason, WOLFSSL_ASN1_TIME**revtime, - WOLFSSL_ASN1_TIME**thisupd, WOLFSSL_ASN1_TIME**nextupd) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_resp_find_status"); - WOLFSSL_STUB("wolfSSL_OCSP_resp_find_status"); - WOLFSSL_LEAVE("wolfSSL_OCSP_resp_find_status",0); - (void) bs; - (void) id; - (void) status; - (void) reason; - (void) revtime; - (void) thisupd; - (void) nextupd; - return SSL_SUCCESS; -} - -int wolfSSL_OCSP_request_add1_nonce(WOLFSSL_OCSP_REQUEST *req, unsigned char *val, int len) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_request_add1_nonce"); - WOLFSSL_STUB("wolfSSL_OCSP_request_add1_nonce"); - WOLFSSL_LEAVE("wolfSSL_OCSP_request_add1_nonce",0); - (void) req; - (void) val; - (void) len; - return SSL_SUCCESS; -} - -WOLFSSL_OCSP_ONEREQ *wolfSSL_OCSP_request_add0_id(WOLFSSL_OCSP_REQUEST *req, WOLFSSL_OCSP_CERTID *cid) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_request_add0_id"); - WOLFSSL_STUB("wolfSSL_OCSP_request_add0_id"); - WOLFSSL_LEAVE("wolfSSL_OCSP_request_add0_id",0); - (void) req; - (void) cid; - return NULL; -} - -const char *wolfSSL_OCSP_crl_reason_str(long s) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_crl_reason_str"); - WOLFSSL_STUB("wolfSSL_OCSP_crl_reason_str"); - WOLFSSL_LEAVE("wolfSSL_OCSP_crl_reason_str",0); - (void) s; - return NULL; -} - -int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME*thisupd, - WOLFSSL_ASN1_TIME*nextupd, long sec, long maxsec) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_check_validity"); - WOLFSSL_STUB("wolfSSL_OCSP_check_validity"); - WOLFSSL_LEAVE("wolfSSL_OCSP_check_validity",0); - (void) thisupd; - (void) nextupd; - (void) sec; - (void) maxsec; - return SSL_SUCCESS; -} - -STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX *ctx) -{ - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_chain"); - WOLFSSL_STUB("wolfSSL_X509_STORE_CTX_get_chain"); - WOLFSSL_LEAVE("wolfSSL_X509_STORE_CTX_get_chain",0); - (void) ctx; - return NULL; -} - -WOLFSSL_OCSP_REQ_CTX *wolfSSL_OCSP_sendreq_new(WOLFSSL_BIO *io, const char *path, WOLFSSL_OCSP_REQUEST *req, int maxline) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_sendreq_new"); - WOLFSSL_STUB("wolfSSL_OCSP_sendreq_new"); - WOLFSSL_LEAVE("wolfSSL_OCSP_sendreq_new",0); - (void) io; - (void) path; - (void) req; - (void) maxline; - return NULL; -} - -int wolfSSL_OCSP_sendreq_nbio(WOLFSSL_OCSP_RESPONSE **presp, WOLFSSL_OCSP_REQ_CTX *rctx) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_sendreq_nbio"); - WOLFSSL_STUB("wolfSSL_OCSP_sendreq_nbio"); - WOLFSSL_LEAVE("wolfSSL_OCSP_sendreq_nbio",0); - (void) presp; - (void) rctx; - return SSL_SUCCESS; -} - - -const char *wolfSSL_OCSP_cert_status_str(long s) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_cert_status_str"); - WOLFSSL_STUB("wolfSSL_OCSP_cert_status_str"); - WOLFSSL_LEAVE("wolfSSL_OCSP_cert_status_str",0); - (void) s; - return NULL; -} - -int wolfSSL_OCSP_response_status(WOLFSSL_OCSP_RESPONSE *resp) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_response_status"); - WOLFSSL_STUB("wolfSSL_OCSP_response_status"); - WOLFSSL_LEAVE("wolfSSL_OCSP_response_status",0); - (void) resp; - return SSL_SUCCESS; -} - - -const char *wolfSSL_OCSP_response_status_str(long s) -{ - WOLFSSL_ENTER("wolfSSL_OCSP_response_status_str"); - WOLFSSL_STUB("wolfSSL_OCSP_response_status_str"); - WOLFSSL_LEAVE("wolfSSL_OCSP_response_status_str",0); - (void) s; - return NULL; -} - - -int wolfSSL_sk_WOLFSSL_STRING_num(const STACK_OF(WOLFSSL_STRING)* string) -{ - WOLFSSL_ENTER("wolfSSL_sk_WOLFSSL_STRING_num"); - WOLFSSL_STUB("wolfSSL_sk_WOLFSSL_STRING_num"); - WOLFSSL_LEAVE("wolfSSL_sk_WOLFSSL_STRING_num",0); - (void) string; - return 0; -} - - -WOLFSSL_STRING wolfSSL_sk_WOLFSSL_STRING_value( - const STACK_OF(WOLFSSL_STRING)* string, int idx) -{ - WOLFSSL_ENTER("wolfSSL_sk_WOLFSSL_STRING_value"); - WOLFSSL_STUB("wolfSSL_sk_WOLFSSL_STRING_value"); - WOLFSSL_LEAVE("wolfSSL_sk_WOLFSSL_STRING_value",0); - (void) string; - (void) idx; - return 0; -} - int wolfSSL_set_tlsext_host_name(WOLFSSL* ssl, const char* host_name) { @@ -16673,11 +16388,22 @@ VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX* ctx) int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx) { - (void)ctx; WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode"); - WOLFSSL_STUB("wolfSSL_CTX_get_verify_mode"); - WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode",0); - return 0; + int mode = 0; + + if(!ctx) + return SSL_FATAL_ERROR; + + if (ctx->verifyPeer) + mode |= SSL_VERIFY_PEER; + else if (ctx->verifyNone) + mode |= SSL_VERIFY_NONE; + + if (ctx->failNoCert) + mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; + + WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode); + return mode; } diff --git a/wolfssl/openssl/ocsp.h b/wolfssl/openssl/ocsp.h index 768674601..7463eec96 100644 --- a/wolfssl/openssl/ocsp.h +++ b/wolfssl/openssl/ocsp.h @@ -1,68 +1 @@ -/* ocsp.h - * - * Copyright (C) 2015 wolfSSL Inc. - * - * This file is part of wolfSSL. (formerly known as CyaSSL) - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - */ - - -#ifndef WOLFSSL_OCSP_H_ -#define WOLFSSL_OCSP_H_ - -#include -#include - -#ifdef __cplusplus - extern "C" { -#endif - -#ifdef HAVE_STUNNEL - #define X509_get1_ocsp wolfSSL_X509_get1_ocsp - #define OCSP_CERTID_free wolfSSL_OCSP_CERTID_free - #define OCSP_cert_to_id wolfSSL_OCSP_cert_to_id - #define OCSP_REQUEST_free wolfSSL_OCSP_REQUEST_free - - #define OPENSSL_STRING WOLFSSL_STRING - #define sk_OPENSSL_STRING_value wolfSSL_sk_WOLFSSL_STRING_value - #define sk_OPENSSL_STRING_num wolfSSL_sk_WOLFSSL_STRING_num - - typedef WOLFSSL_OCSP_CERTID OCSP_CERTID; - typedef char* WOLFSSL_STRING; - typedef WOLFSSL_OCSP_RESPONSE OCSP_RESPONSE; - - - WOLFSSL_API WOLFSSL_STRING *wolfSSL_X509_get1_ocsp(WOLFSSL_X509*); - WOLFSSL_API void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* cert); - WOLFSSL_API - WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(const WOLFSSL_EVP_MD*, - WOLFSSL_X509*, WOLFSSL_X509*); - - WOLFSSL_API - int wolfSSL_sk_WOLFSSL_STRING_num(const STACK_OF(WOLFSSL_STRING)*); - WOLFSSL_API WOLFSSL_STRING wolfSSL_sk_WOLFSSL_STRING_value( - const STACK_OF(WOLFSSL_STRING)*, int); - - - WOLFSSL_API void wolfSSL_OCSP_REQUEST_free(WOLFSSL_OCSP_REQUEST*); -#endif /* HAVE_STUNNEL */ - -#ifdef __cplusplus - } /* extern "C" */ -#endif - - -#endif /* WOLFSSL_EVP_H_ */ +/* ocsp.h for libcurl */ diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 0bcd77a63..05b77a7ea 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -477,50 +477,12 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define SSL_SESSION_get_id wolfSSL_SESSION_get_id #define CRYPTO_dynlock_value WOLFSSL_dynlock_value typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; -typedef WOLFSSL_OCSP_REQUEST OCSP_REQUEST; -typedef WOLFSSL_OCSP_BASICRESP OCSP_BASICRESP; -typedef WOLFSSL_OCSP_REQ_CTX OCSP_REQ_CTX; -typedef WOLFSSL_OCSP_ONEREQ OCSP_ONEREQ; - -#define V_OCSP_CERTSTATUS_UNKNOWN 2 -#define X509_V_ERR_APPLICATION_VERIFICATION 50 -#define V_OCSP_CERTSTATUS_GOOD 0 -#define V_OCSP_CERTSTATUS_REVOKED 1 -#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 #define SSL_TLSEXT_ERR_OK 0 #define SSL_TLSEXT_ERR_ALERT_FATAL alert_fatal #define SSL_TLSEXT_ERR_NOACK alert_warning #define TLSEXT_NAMETYPE_host_name WOLFSSL_SNI_HOST_NAME -#define ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME -#define X509_NAME_cmp wolfSSL_X509_NAME_cmp -#define X509_email_free wolfSSL_X509_email_free -#define OCSP_REQUEST_new wolfSSL_OCSP_REQUEST_new -#define BIO_should_write wolfSSL_BIO_should_write -#define BIO_should_read wolfSSL_BIO_should_read - -#define OCSP_check_nonce wolfSSL_OCSP_check_nonce -#define OCSP_cert_status_str wolfSSL_OCSP_cert_status_str -#define OCSP_basic_verify wolfSSL_OCSP_basic_verify -#define OCSP_REQ_CTX_free wolfSSL_OCSP_REQ_CTX_free -#define OCSP_RESPONSE_free wolfSSL_OCSP_RESPONSE_free -#define OCSP_BASICRESP_free wolfSSL_OCSP_BASICRESP_free - -#define OCSP_response_get1_basic wolfSSL_OCSP_response_get1_basic -#define OCSP_resp_find_status wolfSSL_OCSP_resp_find_status -#define OCSP_request_add1_nonce wolfSSL_OCSP_request_add1_nonce -#define OCSP_request_add0_id wolfSSL_OCSP_request_add0_id -#define OCSP_crl_reason_str wolfSSL_OCSP_crl_reason_str -#define OCSP_check_validity wolfSSL_OCSP_check_validity - -#define X509_STORE_CTX_get_chain wolfSSL_X509_STORE_CTX_get_chain -#define OCSP_sendreq_new wolfSSL_OCSP_sendreq_new -#define OCSP_sendreq_nbio wolfSSL_OCSP_sendreq_nbio -#define OCSP_cert_status_str wolfSSL_OCSP_cert_status_str -#define OCSP_response_status wolfSSL_OCSP_response_status - -#define OCSP_response_status_str wolfSSL_OCSP_response_status_str #define SSL_set_tlsext_host_name wolfSSL_set_tlsext_host_name #define SSL_get_servername wolfSSL_get_servername #define SSL_set_SSL_CTX wolfSSL_set_SSL_CTX @@ -528,7 +490,6 @@ typedef WOLFSSL_OCSP_ONEREQ OCSP_ONEREQ; #define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_servername_callback #define SSL_CTX_set_tlsext_servername_arg wolfSSL_CTX_set_servername_arg -/*changes for PSK*/ #define PSK_MAX_PSK_LEN 256 #define PSK_MAX_IDENTITY_LEN 128 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index edec77555..a9d350d50 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -573,12 +573,12 @@ enum { OCSP_TRUSTOTHER = 512, OCSP_RESPID_KEY = 1024, OCSP_NOTIME = 2048, -#ifndef HAVE_STUNNEL + OCSP_CERTID = 2, OCSP_REQUEST = 4, OCSP_RESPONSE = 8, OCSP_BASICRESP = 16, -#endif + WOLFSSL_OCSP_URL_OVERRIDE = 1, WOLFSSL_OCSP_NO_NONCE = 2, WOLFSSL_OCSP_CHECKALL = 4, @@ -1563,13 +1563,6 @@ WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x); /* SNI received callback type */ typedef int (*CallbackSniRecv)(WOLFSSL *ssl, int *ret, void* exArg); -typedef struct WOLFSSL_OCSP_CERTID WOLFSSL_OCSP_CERTID; -typedef struct WOLFSSL_OCSP_RESPONSE WOLFSSL_OCSP_RESPONSE; -typedef struct WOLFSSL_OCSP_REQUEST WOLFSSL_OCSP_REQUEST; -typedef struct WOLFSSL_OCSP_BASICRESP WOLFSSL_OCSP_BASICRESP; -typedef struct WOLFSSL_OCSP_REQ_CTX WOLFSSL_OCSP_REQ_CTX; -typedef struct WOLFSSL_OCSP_ONEREQ WOLFSSL_OCSP_ONEREQ; - WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int), void *(*r) (void *, size_t, const char *, int), void (*f) (void *)); @@ -1627,62 +1620,6 @@ WOLFSSL_API int wolfSSL_X509_NAME_get_sz(WOLFSSL_X509_NAME*); WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id(WOLFSSL_SESSION*, unsigned int*); -WOLFSSL_API int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME *, - const WOLFSSL_X509_NAME *); - -WOLFSSL_API void wolfSSL_X509_email_free(void *); - -WOLFSSL_API WOLFSSL_OCSP_REQUEST* wolfSSL_OCSP_REQUEST_new(void); - -WOLFSSL_API int wolfSSL_BIO_should_write(WOLFSSL_BIO *); - -WOLFSSL_API int wolfSSL_BIO_should_read(WOLFSSL_BIO *); - -WOLFSSL_API int wolfSSL_OCSP_check_nonce(WOLFSSL_OCSP_REQUEST*, - WOLFSSL_OCSP_BASICRESP*); - -WOLFSSL_API int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP*, - STACK_OF(WOLFSSL_X509)*, WOLFSSL_X509_STORE*,unsigned long); - -WOLFSSL_API void wolfSSL_OCSP_REQ_CTX_free(WOLFSSL_OCSP_REQ_CTX *); - -WOLFSSL_API int wolfSSL_OCSP_RESPONSE_free( WOLFSSL_OCSP_RESPONSE*); - -WOLFSSL_API int wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP*); - -WOLFSSL_API -WOLFSSL_OCSP_BASICRESP *wolfSSL_OCSP_response_get1_basic(WOLFSSL_OCSP_RESPONSE*); - -WOLFSSL_API int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP*, - WOLFSSL_OCSP_CERTID *, int *, int *, - WOLFSSL_ASN1_TIME**, WOLFSSL_ASN1_TIME**, WOLFSSL_ASN1_TIME**); - -WOLFSSL_API int wolfSSL_OCSP_request_add1_nonce(WOLFSSL_OCSP_REQUEST *, - unsigned char *, int ); - -WOLFSSL_API -WOLFSSL_OCSP_ONEREQ *wolfSSL_OCSP_request_add0_id(WOLFSSL_OCSP_REQUEST *, - WOLFSSL_OCSP_CERTID *); - -WOLFSSL_API const char *wolfSSL_OCSP_crl_reason_str(long ); - -WOLFSSL_API int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME *, - WOLFSSL_ASN1_TIME*, long, long); -WOLFSSL_API -STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX *); - -WOLFSSL_API WOLFSSL_OCSP_REQ_CTX *wolfSSL_OCSP_sendreq_new(WOLFSSL_BIO *io, - const char *path, WOLFSSL_OCSP_REQUEST *req, int maxline); - -WOLFSSL_API int wolfSSL_OCSP_sendreq_nbio(WOLFSSL_OCSP_RESPONSE**, - WOLFSSL_OCSP_REQ_CTX *); - -WOLFSSL_API const char *wolfSSL_OCSP_cert_status_str(long); - -WOLFSSL_API int wolfSSL_OCSP_response_status(WOLFSSL_OCSP_RESPONSE *); - -WOLFSSL_API const char *wolfSSL_OCSP_response_status_str(long); - WOLFSSL_API int wolfSSL_set_tlsext_host_name(WOLFSSL *, const char *); WOLFSSL_API const char* wolfSSL_get_servername(WOLFSSL *, unsigned char); From 10b2cf4f2fff422c580e67d8d8de1f75d4add59a Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Thu, 27 Aug 2015 17:44:55 -0600 Subject: [PATCH 9/9] turn on ecc with Stunnel --- configure.ac | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index a4453f573..1aa47db10 100644 --- a/configure.ac +++ b/configure.ac @@ -1841,6 +1841,14 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_SUPPORTED_CURVES" fi + # Requires ecc make sure on + if test "x$ENABLED_ECC" = "xno" + then + ENABLED_OPENSSLEXTRA="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR" + AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) + fi + AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL -DWOLFSSL_ALWAYS_VERIFY_CB" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI" fi @@ -1848,9 +1856,6 @@ fi if test "$ENABLED_PSK" = "no" && test "$ENABLED_LEANPSK" = "no" \ && test "x$ENABLED_STUNNEL" = "xno" then - echo "Defining NO PSK" - echo "ENABLED_STUNNEL = $ENABLED_STUNNEL" - echo "ENABLED_LEANPSK = $ENABLED_LEANPSK" AM_CFLAGS="$AM_CFLAGS -DNO_PSK" fi