From 23d8df720e709a45b92ea910e29d898a4f97b5b5 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 9 Apr 2021 11:29:13 -0500 Subject: [PATCH] remove WOLFSSL_NETWORK_INTROSPECTION code; add wolfSSL_X509_STORE_set_ex_data_with_cleanup(); refactor WOLFSSL_WOLFSENTRY_HOOKS code in server.c to use HAVE_EX_DATA/HAVE_EX_DATA_CLEANUP_HOOKS. --- configure.ac | 25 +- examples/server/server.c | 185 +++++++-------- src/internal.c | 22 +- src/ssl.c | 468 +++++++++++++++++++------------------- src/tls13.c | 12 +- wolfssl/internal.h | 5 - wolfssl/openssl/rsa.h | 8 +- wolfssl/ssl.h | 140 +++++------- wolfssl/wolfcrypt/types.h | 6 + 9 files changed, 424 insertions(+), 447 deletions(-) diff --git a/configure.ac b/configure.ac index 1b961bb42..56b0beeeb 100644 --- a/configure.ac +++ b/configure.ac @@ -2511,10 +2511,7 @@ AC_ARG_ENABLE([wolfsentry], if test "$ENABLED_WOLFSENTRY" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS" - ENABLED_NETWORK_INTROSPECTION_DEFAULT=yes -else - ENABLED_NETWORK_INTROSPECTION_DEFAULT=no + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS -DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS" fi AC_ARG_WITH([wolfsentry-lib], @@ -2536,25 +2533,6 @@ AC_SUBST([WOLFSENTRY_LIB]) AC_SUBST([WOLFSENTRY_INCLUDE]) -# API for tracking network connection attributes -AC_ARG_ENABLE([network-introspection], - [AS_HELP_STRING([--enable-network-introspection],[Enable network connection attribute tracking and callbacks (default: disabled)])], - [ ENABLED_NETWORK_INTROSPECTION=$enableval ], - [ ENABLED_NETWORK_INTROSPECTION=$ENABLED_NETWORK_INTROSPECTION_DEFAULT ] - ) - -if test "$ENABLED_NETWORK_INTROSPECTION" = "yes" -then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NETWORK_INTROSPECTION" -fi - - -if test "$ENABLED_WOLFSENTRY" = "yes" && test "$ENABLED_NETWORK_INTROSPECTION" != "yes" -then - AC_MSG_ERROR([--enable-wolfsentry requires --enable-network-introspection]) -fi - - if test "$ENABLED_QT" = "yes" then # Requires opensslextra and opensslall 
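Review bot: Deleting the `--enable-network-introspection` option outright means a build script that still passes it gets only autoconf's "unrecognized option" warning and proceeds, silently dropping the feature the user asked for; keeping a stub for one release, `AC_ARG_ENABLE([network-introspection], [], [AC_MSG_ERROR([--enable-network-introspection has been removed; use --enable-wolfsentry])])`, turns that into a hard failure with a pointer to the replacement. The first hunk injects `-DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS` only through the wolfsentry branch, so a user_settings.h build that defines `WOLFSSL_WOLFSENTRY_HOOKS` by hand does not get that coupling; presumably settings.h or types.h (touched by this patch but not shown here) enforces it, which is worth confirming.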
@@ -6636,7 +6614,6 @@ echo " * Anonymous cipher: $ENABLED_ANON"
 echo " * CODING: $ENABLED_CODING"
 echo " * MEMORY: $ENABLED_MEMORY"
 echo " * I/O POOL: $ENABLED_IOPOOL"
-echo " * Connection tracking: $ENABLED_NETWORK_INTROSPECTION"
 echo " * wolfSentry: $ENABLED_WOLFSENTRY"
 echo " * LIGHTY: $ENABLED_LIGHTY"
 echo " * HAPROXY: $ENABLED_HAPROXY"
diff --git a/examples/server/server.c b/examples/server/server.c
index 8ebd03c8f..9f7bff9a2 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -282,48 +282,83 @@ static int TestEmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx) #ifdef WOLFSSL_WOLFSENTRY_HOOKS -static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfSSL_network_connection *nc, struct wolfsentry_context *wolfsentry, wolfSSL_netfilter_decision_t *decision) { - const void *remote_addr2; - const void *local_addr2; - char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; - int ret; - struct { - struct wolfsentry_sockaddr s; - byte buf[16]; - } remote, local; - wolfsentry_action_res_t action_results; +struct wolfsentry_data { + struct wolfsentry_sockaddr remote; + byte remote_addrbuf[16]; + struct wolfsentry_sockaddr local; + byte local_addrbuf[16]; + wolfsentry_route_flags_t flags; + void *heap; + int alloctype; +}; - (void)ssl; +static void free_wolfsentry_data(struct wolfsentry_data *data) { + char inet_ntop_buf[INET6_ADDRSTRLEN]; + fprintf(stderr, "free_wolfsentry_data() for remote %s:%d\n", inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf, sizeof inet_ntop_buf), data->remote.sa_port); + XFREE(data, data->heap, data->alloctype); +} - if ((ret = wolfSSL_get_endpoint_addrs(nc, &remote_addr2, &local_addr2)) != WOLFSSL_SUCCESS) { - printf("wolfSSL_get_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); - err_sys_ex(catastrophic, "error in wolfSSL_get_endpoints()"); +static int wolfsentry_data_index = -1; + +static int wolfsentry_store_endpoints( + WOLFSSL *ssl, + SOCKADDR_IN_T *remote, + SOCKADDR_IN_T *local, + int proto, + wolfsentry_route_flags_t flags) +{ + struct wolfsentry_data *data = (struct wolfsentry_data *)XMALLOC(sizeof *data, NULL, DYNAMIC_TYPE_SOCKADDR); + if (data == NULL) + return WOLFSSL_FAILURE; + + data->heap = NULL; + data->alloctype = DYNAMIC_TYPE_SOCKADDR; + +#ifdef TEST_IPV6 + if ((sizeof data->remote_addrbuf < sizeof remote->sin6_addr) || + (sizeof data->local_addrbuf < sizeof local->sin6_addr)) + return WOLFSSL_FAILURE; + data->remote.sa_family = 
data->local.sa_family = remote->sin6_family; + data->remote.sa_port = ntohs(remote->sin6_port); + data->local.sa_port = ntohs(local->sin6_port); + data->remote.addr_len = sizeof remote->sin6_addr * BITS_PER_BYTE; + XMEMCPY(data->remote.addr, &remote->sin6_addr, sizeof remote->sin6_addr); + data->local.addr_len = sizeof local->sin6_addr * BITS_PER_BYTE; + XMEMCPY(data->local.addr, &local->sin6_addr, sizeof local->sin6_addr); +#else + if ((sizeof data->remote_addrbuf < sizeof remote->sin_addr) || + (sizeof data->local_addrbuf < sizeof local->sin_addr)) + return WOLFSSL_FAILURE; + data->remote.sa_family = data->local.sa_family = remote->sin_family; + data->remote.sa_port = ntohs(remote->sin_port); + data->local.sa_port = ntohs(local->sin_port); + data->remote.addr_len = sizeof remote->sin_addr * BITS_PER_BYTE; + XMEMCPY(data->remote.addr, &remote->sin_addr, sizeof remote->sin_addr); + data->local.addr_len = sizeof local->sin_addr * BITS_PER_BYTE; + XMEMCPY(data->local.addr, &local->sin_addr, sizeof local->sin_addr); +#endif + data->remote.sa_proto = data->local.sa_proto = proto; + data->remote.interface = data->local.interface = 0; + data->flags = flags; + + if (wolfSSL_set_ex_data_with_cleanup(ssl, wolfsentry_data_index, data, (wolfSSL_ex_data_cleanup_routine_t)free_wolfsentry_data) != WOLFSSL_SUCCESS) { + free_wolfsentry_data(data); + return WOLFSSL_FAILURE; } - printf("got network filter callback: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d\n", - nc->family, - nc->proto, - nc->remote_port, - nc->local_port, - inet_ntop(nc->family, remote_addr2, inet_ntop_buf, sizeof inet_ntop_buf), - inet_ntop(nc->family, local_addr2, inet_ntop_buf2, sizeof inet_ntop_buf2), - nc->interface); + return WOLFSSL_SUCCESS; +} - remote.s.sa_family = nc->family; - remote.s.sa_proto = nc->proto; - remote.s.sa_port = nc->remote_port; - remote.s.addr_len = nc->remote_addr_len; - remote.s.interface = nc->interface; - memcpy(remote.s.addr, remote_addr2, 
nc->remote_addr_len); +static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_context *wolfsentry, wolfSSL_netfilter_decision_t *decision) { + struct wolfsentry_data *data; + char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; + int ret; + wolfsentry_action_res_t action_results; - local.s.sa_family = nc->family; - local.s.sa_proto = nc->proto; - local.s.sa_port = nc->local_port; - local.s.addr_len = nc->local_addr_len; - local.s.interface = nc->interface; - memcpy(local.s.addr, local_addr2, nc->local_addr_len); + if ((data = wolfSSL_get_ex_data(ssl, wolfsentry_data_index)) == NULL) + return WOLFSSL_FAILURE; - ret = wolfsentry_route_event_dispatch(wolfsentry, &remote.s, &local.s, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN, NULL /* event_label */, 0 /* event_label_len */, NULL /* caller_context */, NULL /* id */, NULL /* inexact_matches */, &action_results); + ret = wolfsentry_route_event_dispatch(wolfsentry, &data->remote, &data->local, data->flags, NULL /* event_label */, 0 /* event_label_len */, NULL /* caller_context */, NULL /* id */, NULL /* inexact_matches */, &action_results); if (ret == 0) { if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT)) 
@@ -332,8 +367,20 @@ static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfSSL_network *decision = WOLFSSL_NETFILTER_ACCEPT; else *decision = WOLFSSL_NETFILTER_PASS; - } else + } else { + printf("wolfsentry_route_event_dispatch error " WOLFSENTRY_ERROR_FMT, WOLFSENTRY_ERROR_FMT_ARGS(ret)); *decision = WOLFSSL_NETFILTER_PASS; + } + + printf("got network filter callback: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d; decision=%d\n", + data->remote.sa_family, + data->remote.sa_proto, + data->remote.sa_port, + data->local.sa_port, + inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf, sizeof inet_ntop_buf), + inet_ntop(data->local.sa_family, data->local.addr, inet_ntop_buf2, sizeof inet_ntop_buf2), + data->remote.interface, + *decision); return WOLFSSL_SUCCESS; } @@ -1909,12 +1956,15 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) err_sys_ex(catastrophic, "unable to get ctx"); #ifdef WOLFSSL_WOLFSENTRY_HOOKS - ret = wolfsentry_init(NULL /* allocator */, NULL /* timecbs */, 0 /* route_private_data_size */, 0 /* route_private_data_alignment */, &wolfsentry); + ret = wolfsentry_init(NULL /* allocator */, NULL /* timecbs */, NULL /* default config */, &wolfsentry); if (ret != 0) { fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); err_sys_ex(catastrophic, "unable to initialize wolfSentry"); } + if (wolfsentry_data_index < 0) + wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + { struct wolfsentry_route_table *table; @@ -2333,6 +2383,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) ssl = SSL_new(ctx); if (ssl == NULL) err_sys_ex(catastrophic, "unable to create an SSL object"); + #ifdef OPENSSL_EXTRA wolfSSL_KeepArrays(ssl); #endif 
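Review bot: In `wolfsentry_store_endpoints()` the two address-buffer size checks return `WOLFSSL_FAILURE` after `data` has been allocated but without releasing it, so both early-return paths leak the `struct wolfsentry_data`; `free_wolfsentry_data(data); return WOLFSSL_FAILURE;` mirrors the handling already used for the `wolfSSL_set_ex_data_with_cleanup()` failure at the end of the function. Since both `sizeof` comparisons are compile-time constants, the checks could instead move ahead of the `XMALLOC` (or become static assertions), which removes the leak path entirely. The cast of `free_wolfsentry_data` to `wolfSSL_ex_data_cleanup_routine_t` calls the function through an incompatible pointer type; declaring it `static void free_wolfsentry_data(void *p)` and casting inside avoids that undefined behaviour. This hunk begins on an earlier line.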
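Review bot: When `wolfsentry_route_event_dispatch()` fails, the new `else` branch logs the error and sets `*decision = WOLFSSL_NETFILTER_PASS`, so a fault in the policy engine lets the connection through (fail-open); for a filter whose job is to reject peers, `WOLFSSL_NETFILTER_REJECT` on error is the safer default, or at minimum the choice deserves a comment such as `/* policy lookup failed: deliberately fail open so a wolfSentry fault does not take the server down */`. The error `printf` also lacks a trailing `"\n"`, so the following "got network filter callback" line is glued onto it. The enclosing callback begins in the previous hunk.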
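Review bot: `wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);` stores the result without checking it; if index allocation fails the static keeps a negative value and the fault only surfaces later, when `wolfSSL_CRYPTO_set_ex_data_with_cleanup()` rejects the index and `wolfsentry_store_endpoints()` reports a misleading error. Check it at the source: `if (wolfsentry_data_index < 0) err_sys_ex(catastrophic, "wolfSSL_get_ex_new_index() failed");`. Because `wolfsentry_data_index` is a file-scope static written lazily from `server_test()`, a thread entry point, concurrent instances would race on this initialisation — presumably the example only ever runs one server thread, which is worth a comment. `server_test()` starts and ends outside this hunk.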
@@ -2659,7 +2710,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) } #endif -#ifdef WOLFSSL_NETWORK_INTROSPECTION +#ifdef WOLFSSL_WOLFSENTRY_HOOKS { SOCKADDR_IN_T local_addr; socklen_t local_len = sizeof(local_addr); 
@@ -2668,62 +2719,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (((struct sockaddr *)&client_addr)->sa_family != ((struct sockaddr *)&local_addr)->sa_family) err_sys_ex(catastrophic, "client_addr.sa_family != local_addr.sa_family"); -#ifdef TEST_IPV6 - - if ((ret = wolfSSL_set_endpoints( - ssl, - 0 /* interface_id */, - client_addr.sin6_family, - IPPROTO_TCP, - sizeof(client_addr.sin6_addr), - (byte *)&client_addr.sin6_addr, - (byte *)&local_addr.sin6_addr, - client_addr.sin6_port, - local_addr.sin6_port) != WOLFSSL_SUCCESS)) { - printf("wolfSSL_set_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); - err_sys_ex(catastrophic, "error in wolfSSL_set_endpoints()"); - } - -#else /* !TEST_IPV6 */ - - if ((ret = wolfSSL_set_endpoints( - ssl, - 0 /* interface_id */, - client_addr.sin_family, - IPPROTO_TCP, - sizeof(struct in_addr), - (byte *)&client_addr.sin_addr, - (byte *)&local_addr.sin_addr, - client_addr.sin_port, - local_addr.sin_port) != WOLFSSL_SUCCESS)) { - printf("wolfSSL_set_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); - err_sys_ex(catastrophic, "error in wolfSSL_set_endpoints()"); - } - -#endif /* TEST_IPV6 */ - - { - const struct wolfSSL_network_connection *nc; - const void *remote_addr2; - const void *local_addr2; - char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; - - if ((ret = wolfSSL_get_endpoints(ssl, &nc, &remote_addr2, &local_addr2)) != WOLFSSL_SUCCESS) { - printf("wolfSSL_get_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); - err_sys_ex(catastrophic, "error in wolfSSL_get_endpoints()"); - } - - printf("stored connection attrs: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d\n", - nc->family, - nc->proto, - nc->remote_port, - nc->local_port, - inet_ntop(nc->family, remote_addr2, inet_ntop_buf, sizeof inet_ntop_buf), - inet_ntop(nc->family, local_addr2, inet_ntop_buf2, sizeof inet_ntop_buf2), - nc->interface); + if (wolfsentry_store_endpoints(ssl, &client_addr, 
&local_addr, dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) != WOLFSSL_SUCCESS) { + printf("wolfsentry_store_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); + err_sys_ex(catastrophic, "error in wolfsentry_store_endpoints()"); } } -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL || needDH == 1) { diff --git a/src/internal.c b/src/internal.c index 43e8515c9..8e601caf9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1892,6 +1892,14 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) int i; #endif +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, NULL, NULL); + } +#endif + #ifdef HAVE_WOLF_EVENT wolfEventQueue_Free(&ctx->event_queue); #endif /* HAVE_WOLF_EVENT */ @@ -6423,6 +6431,14 @@ void SSL_ResourceFree(WOLFSSL* ssl) * example with the RNG, it isn't used beyond the handshake except when * using stream ciphers where it is retained. */ +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ssl->ex_data, idx, NULL, NULL); + } +#endif + FreeCiphers(ssl); FreeArrays(ssl, 0); FreeKeyExchange(ssl); 
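Review bot: On the failure path `printf("wolfsentry_store_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL))` prints `ret`, but `ret` is not assigned by the `wolfsentry_store_endpoints()` call on the line above, so the message shows whatever an earlier call left in it; the helper only returns `WOLFSSL_SUCCESS`/`WOLFSSL_FAILURE` and sets no wolfSSL error code, so a plain `printf("wolfsentry_store_endpoints() failed\n");` is the honest message. Keeping the `sa_family` comparison above is good, since `wolfsentry_store_endpoints()` copies the remote family into both endpoints and relies on the two matching. The enclosing `server_test()` starts and ends outside this hunk.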
@@ -6465,12 +6481,6 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
 ssl->peerRsaKeyPresent = 0;
 #endif
-#ifdef WOLFSSL_NETWORK_INTROSPECTION
- if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(ssl->buffers.network_connection))
- XFREE(ssl->buffers.network_connection.addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR);
- if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(ssl->buffers.network_connection_layer2))
- XFREE(ssl->buffers.network_connection_layer2.addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR);
-#endif /* WOLFSSL_NETWORK_INTROSPECTION */
 #ifdef WOLFSSL_RENESAS_TSIP_TLS
 XFREE(ssl->peerTsipEncRsaKeyIndex, ssl->heap, DYNAMIC_TYPE_RSA);
 #endif
diff --git a/src/ssl.c b/src/ssl.c
index 1f3c0f6c2..0aa7c22f2 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1013,215 +1013,6 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req) } #endif /* NO_CERTS */ -#ifdef WOLFSSL_NETWORK_INTROSPECTION - -/* all ints in host byte order, addresses in network order (big endian). */ -static WC_INLINE int wolfSSL_set_endpoints_1( - WOLFSSL* ssl, - struct wolfSSL_network_connection *nc, - unsigned int interface_id, - unsigned int family, - unsigned int proto, - unsigned int remote_addr_len, - const byte *remote_addr, - unsigned int local_addr_len, - const byte *local_addr, - unsigned int remote_port, - unsigned int local_port) -{ - size_t current_dynamic_alloc, needed_dynamic_alloc; - - if ((ssl == NULL) || (nc == NULL) || (remote_addr_len == 0) || (local_addr_len == 0)) - return BAD_FUNC_ARG; - - if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc)) - current_dynamic_alloc = nc->local_addr_len + nc->remote_addr_len; - else - current_dynamic_alloc = 0; - - if (local_addr_len + remote_addr_len > WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES) - needed_dynamic_alloc = local_addr_len + remote_addr_len; - else - needed_dynamic_alloc = 0; - - nc->local_addr_len = nc->remote_addr_len = 0; - - if (current_dynamic_alloc != needed_dynamic_alloc) { - if (current_dynamic_alloc > 0) - XFREE(nc->addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); - if (needed_dynamic_alloc > 0) { - nc->addr_buffer_dynamic = (byte *)XMALLOC - (needed_dynamic_alloc, - ssl->heap, - DYNAMIC_TYPE_SOCKADDR); - if (nc->addr_buffer_dynamic == NULL) - return MEMORY_E; - } - } - - nc->family = family; - nc->proto = proto; - nc->remote_addr_len = remote_addr_len; - nc->local_addr_len = local_addr_len; - nc->interface = interface_id; - nc->remote_port = remote_port; - nc->local_port = local_port; - - if (needed_dynamic_alloc == 0) { - XMEMCPY(nc->addr_buffer, remote_addr, remote_addr_len); - XMEMCPY(nc->addr_buffer + remote_addr_len, local_addr, local_addr_len); - } else { - XMEMCPY(nc->addr_buffer_dynamic, remote_addr, remote_addr_len); - 
XMEMCPY((nc->addr_buffer_dynamic) + remote_addr_len, local_addr, local_addr_len); - } - nc->remote_addr_len = remote_addr_len; - nc->local_addr_len = local_addr_len; - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_set_endpoints( - WOLFSSL* ssl, - unsigned int interface_id, - unsigned int family, - unsigned int proto, - unsigned int addr_len, - const byte *remote_addr, - const byte *local_addr, - unsigned int remote_port, - unsigned int local_port) -{ - return wolfSSL_set_endpoints_1( - ssl, - &ssl->buffers.network_connection, - interface_id, - family, - proto, - addr_len, - remote_addr, - addr_len, - local_addr, - remote_port, - local_port); -} - -int wolfSSL_set_endpoints_layer2( - WOLFSSL* ssl, - unsigned int interface_id, - unsigned int family, - unsigned int addr_len, - const byte *remote_addr, - const byte *local_addr) -{ - return wolfSSL_set_endpoints_1( - ssl, - &ssl->buffers.network_connection_layer2, - interface_id, - family, - 0 /* proto */, - addr_len, - remote_addr, - addr_len, - local_addr, - 0 /* remote_port */, - 0 /* local_port */); -} - -WOLFSSL_API int wolfSSL_get_endpoint_addrs( - const struct wolfSSL_network_connection *nc, - const void **remote_addr, - const void **local_addr) -{ - if ((remote_addr == NULL) || (local_addr == NULL)) - return BAD_FUNC_ARG; - if (nc->remote_addr_len == 0) - return INCOMPLETE_DATA; - - if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc)) { - *remote_addr = nc->addr_buffer_dynamic; - *local_addr = nc->addr_buffer_dynamic + nc->remote_addr_len; - } else { - *remote_addr = nc->addr_buffer; - *local_addr = nc->addr_buffer + nc->remote_addr_len; - } - - return WOLFSSL_SUCCESS; -} - -WOLFSSL_API int wolfSSL_get_endpoints( - WOLFSSL *ssl, - const struct wolfSSL_network_connection **nc, - const void **remote_addr, - const void **local_addr) -{ - *nc = &ssl->buffers.network_connection; - return wolfSSL_get_endpoint_addrs(*nc, remote_addr, local_addr); -} - -WOLFSSL_API int wolfSSL_get_endpoints_layer2( - WOLFSSL 
*ssl, - const struct wolfSSL_network_connection **nc, - const void **remote_addr, - const void **local_addr) -{ - *nc = &ssl->buffers.network_connection_layer2; - return wolfSSL_get_endpoint_addrs(*nc, remote_addr, local_addr); -} - -static WC_INLINE int wolfSSL_copy_endpoints_1( - struct wolfSSL_network_connection *nc_src, - struct wolfSSL_network_connection *nc_dst, - size_t nc_dst_size, - const void **remote_addr, - const void **local_addr) -{ - size_t nc_bufsiz; - - if ((nc_dst == NULL) || (remote_addr == NULL) || (local_addr == NULL)) - return BAD_FUNC_ARG; - if (nc_src->remote_addr_len == 0) - return INCOMPLETE_DATA; - - nc_bufsiz = WOLFSSL_NETWORK_CONNECTION_BUFSIZ(nc_src->remote_addr_len, nc_src->local_addr_len); - if (nc_dst_size < nc_bufsiz) - return BUFFER_E; - XMEMCPY(nc_dst, nc_src, ((unsigned int)(unsigned long int)(&((struct wolfSSL_network_connection *)0)->addr_buffer[0]))); - if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc_src)) - XMEMCPY(nc_dst->addr_buffer, nc_src->addr_buffer_dynamic, nc_src->remote_addr_len + nc_src->local_addr_len); - else - XMEMCPY(nc_dst->addr_buffer, nc_src->addr_buffer, nc_src->remote_addr_len + nc_src->local_addr_len); - *remote_addr = nc_dst->addr_buffer; - *local_addr = nc_dst->addr_buffer + nc_dst->remote_addr_len; - - return WOLFSSL_SUCCESS; -} - -WOLFSSL_API int wolfSSL_copy_endpoints( - WOLFSSL *ssl, - struct wolfSSL_network_connection *nc, - size_t nc_size, - const void **remote_addr, - const void **local_addr) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection, nc, nc_size, remote_addr, local_addr); -} - -WOLFSSL_API int wolfSSL_copy_endpoints_layer2( - WOLFSSL *ssl, - struct wolfSSL_network_connection *nc, - size_t nc_size, - const void **remote_addr, - const void **local_addr) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection_layer2, nc, nc_size, remote_addr, local_addr); -} 
- #ifdef WOLFSSL_WOLFSENTRY_HOOKS WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { @@ -1238,8 +1029,6 @@ WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t A #endif /* WOLFSSL_WOLFSENTRY_HOOKS */ -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ - #ifndef WOLFSSL_LEANPSK int wolfSSL_dtls_set_peer(WOLFSSL* ssl, void* peer, unsigned int peerSz) { @@ -13126,17 +12915,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */ #ifdef WOLFSSL_WOLFSENTRY_HOOKS - if (ssl->AcceptFilter && (ssl->buffers.network_connection.remote_addr_len > 0)) { + if (ssl->AcceptFilter) { wolfSSL_netfilter_decision_t res; - if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && - (res == WOLFSSL_NETFILTER_REJECT)) { - WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); - return WOLFSSL_FATAL_ERROR; - } - } - if (ssl->AcceptFilter && (ssl->buffers.network_connection_layer2.remote_addr_len > 0)) { - wolfSSL_netfilter_decision_t res; - if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection_layer2, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && + if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && (res == WOLFSSL_NETFILTER_REJECT)) { WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); return WOLFSSL_FATAL_ERROR; @@ -16522,6 +16303,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl) /* unchain?, doesn't matter in goahead since from free all */ WOLFSSL_ENTER("wolfSSL_BIO_free"); if (bio) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&bio->ex_data, idx, NULL, NULL); + } +#endif if (bio->infoCb) { /* info callback is called before free */ 
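Review bot: With the `remote_addr_len > 0` precondition gone, `ssl->AcceptFilter` is now invoked whenever it is set, but a callback that returns anything other than `WOLFSSL_SUCCESS` (the example callback does so when no endpoint data was stored) is treated as "not rejected" and the handshake continues — the filter fails open. For an accept-time policy hook, rejecting on callback failure is the safer contract: `if (ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) != WOLFSSL_SUCCESS || res == WOLFSSL_NETFILTER_REJECT) {`; if fail-open is intentional it should be documented at the `NetworkFilterCallback_t` typedef. `res` is only defined when the callback succeeds, which this ordering preserves. The enclosing `wolfSSL_accept()` starts and ends outside this hunk.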
@@ -18967,6 +18755,13 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) WOLFSSL_ENTER("ExternalFreeX509"); if (x509) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&x509->ex_data, idx, NULL, NULL); + } +#endif if (x509->dynamicMemory) { #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) if (wc_LockMutex(&x509->refMutex) != 0) { @@ -22167,6 +21962,14 @@ void FreeSession(WOLFSSL_SESSION* session, int isAlloced) if (session == NULL) return; +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&session->ex_data, idx, NULL, NULL); + } +#endif + #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) if (session->peer) { wolfSSL_X509_free(session->peer); @@ -24944,6 +24747,31 @@ int wolfSSL_BIO_set_ex_data(WOLFSSL_BIO *bio, int idx, void *data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +/* Set ex_data for WOLFSSL_BIO + * + * bio : BIO structure to set ex_data in + * idx : Index of ex_data to set + * data : Data to set in ex_data + * cleanup_routine : Function pointer to clean up data + * + * Returns WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE on failure + */ +int wolfSSL_BIO_set_ex_data_with_cleanup( + WOLFSSL_BIO *bio, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_BIO_set_ex_data_with_cleanup"); + if (bio != NULL && idx < MAX_EX_DATA) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&bio->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + /* Get ex_data in WOLFSSL_BIO at given index * * bio : BIO structure to get ex_data from 
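Review bot: In `ExternalFreeX509()` the new ex_data cleanup loop runs before the `dynamicMemory` test and the `refMutex`-guarded logic that follows, which looks like reference counting; if so, every call — including one that merely drops a reference while other holders remain — fires the registered cleanup routines and leaves the survivors with dangling `ex_data` pointers. Move the loop into the branch that actually releases the object, next to the rest of the teardown. The function body continues outside this hunk.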
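Review bot: `FreeSession()` now runs the ex_data cleanup loop for every session regardless of `isAlloced`; if `WOLFSSL_SESSION` objects are ever shallow-copied (session cache, duplication), both copies carry the same `ex_data_cleanup_routines`, and the second free would double-free the user data — presumably the copy paths should clear the routine slots, which is worth confirming. A comment at the loop, `/* cleanup routines own the stored pointers; copies of this struct must not inherit them */`, would record the contract. The function body continues outside this hunk.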
@@ -26263,7 +26091,18 @@ err_exit: void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) { - if (store != NULL && store->isDynamic) { + if (store == NULL) + return; + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&store->ex_data, idx, NULL, NULL); + } +#endif + + if (store->isDynamic) { if (store->cm != NULL) { wolfSSL_CertManagerFree(store->cm); store->cm = NULL; @@ -26288,6 +26127,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE); } } + /** * Get ex_data in WOLFSSL_STORE at given index * @param store a pointer to WOLFSSL_X509_STORE structure @@ -26307,6 +26147,7 @@ void* wolfSSL_X509_STORE_get_ex_data(WOLFSSL_X509_STORE* store, int idx) #endif return NULL; } + /** * Set ex_data for WOLFSSL_STORE * @param store a pointer to WOLFSSL_X509_STORE structure @@ -26329,6 +26170,31 @@ int wolfSSL_X509_STORE_set_ex_data(WOLFSSL_X509_STORE* store, int idx, #endif return WOLFSSL_FAILURE; } + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +/** + * Set ex_data for WOLFSSL_STORE + * @param store a pointer to WOLFSSL_X509_STORE structure + * @param idx Index of ex data to set + * @param data Data to set in ex data + * @return WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE on failure + */ +int wolfSSL_X509_STORE_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE* store, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_X509_STORE_set_ex_data_with_cleanup"); + if (store != NULL && idx < MAX_EX_DATA) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&store->ex_data, idx, + data, cleanup_routine); + } + return WOLFSSL_FAILURE; +} + +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ #ifdef OPENSSL_EXTRA 
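Review bot: The doc comment on `wolfSSL_X509_STORE_set_ex_data_with_cleanup()` omits the new parameter and its ownership contract; add `@param cleanup_routine Invoked on the stored pointer when the slot is overwritten or the store is freed; NULL disables cleanup` and state that the store takes ownership of `data` from this point. The `for (idx = 0; idx < MAX_EX_DATA; ++idx) (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(...)` loop added to `wolfSSL_X509_STORE_free()` is one of eight verbatim copies of the same teardown in this patch; a single `void wolfSSL_CRYPTO_cleanup_all_ex_data(WOLFSSL_CRYPTO_EX_DATA *ex_data)` helper would keep the semantics in one place.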
@@ -26450,6 +26316,13 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx) { WOLFSSL_ENTER("X509_STORE_CTX_free"); if (ctx != NULL) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, NULL, NULL); + } +#endif #ifdef OPENSSL_EXTRA if (ctx->param != NULL){ XFREE(ctx->param,NULL,DYNAMIC_TYPE_OPENSSL); @@ -27808,6 +27681,25 @@ int wolfSSL_X509_STORE_CTX_set_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx, return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +/* set X509_STORE_CTX ex_data, max idx is MAX_EX_DATA. Return WOLFSSL_SUCCESS + * on success, WOLFSSL_FAILURE on error. */ +int wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE_CTX* ctx, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup"); + if (ctx != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) void wolfSSL_X509_STORE_CTX_set_depth(WOLFSSL_X509_STORE_CTX* ctx, int depth) { @@ -40532,6 +40424,22 @@ int wolfSSL_RSA_set_ex_data(WOLFSSL_RSA *rsa, int idx, void *data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_RSA_set_ex_data_with_cleanup( + WOLFSSL_RSA *rsa, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_RSA_set_ex_data_with_cleanup"); + if (rsa) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&rsa->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + int wolfSSL_RSA_set0_key(WOLFSSL_RSA *r, WOLFSSL_BIGNUM *n, WOLFSSL_BIGNUM *e, WOLFSSL_BIGNUM *d) { 
@@ -44915,9 +44823,7 @@ int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) #endif /* OPENSSL_EXTRA */ -#if ((defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && defined(HAVE_EX_DATA)) || \ - defined(FORTRESS) || \ - defined(WOLFSSL_WPAS_SMALL) +#if defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL) void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) { WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); @@ -44985,7 +44891,24 @@ int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data) return WOLFSSL_FAILURE; } -#endif /* ((OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) && HAVE_EX_DATA) || FORTRESS || WOLFSSL_WPAS_SMALL */ +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_CTX_set_ex_data_with_cleanup( + WOLFSSL_CTX* ctx, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_CTX_set_ex_data_with_cleanup"); + if (ctx != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + +#endif /* defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL) */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) @@ -45037,6 +44960,23 @@ int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_set_ex_data_with_cleanup( + WOLFSSL* ssl, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_set_ex_data_with_cleanup"); + if (ssl != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ssl->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) { WOLFSSL_ENTER("wolfSSL_get_ex_data"); 
@@ -46663,6 +46603,22 @@ int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_SESSION_set_ex_data_with_cleanup( + WOLFSSL_SESSION* session, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_SESSION_set_ex_data_with_cleanup"); + if(session != NULL) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&session->ex_data, idx, + data, cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION* session, int idx) { WOLFSSL_ENTER("wolfSSL_SESSION_get_ex_data"); @@ -48869,8 +48825,8 @@ void wolfSSL_OPENSSL_config(char *config_name) #endif /* !NO_WOLFSSL_STUB */ #endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) +#if defined(HAVE_EX_DATA) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c) { @@ -48887,8 +48843,6 @@ int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c) } #endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(WOLFSSL_WPAS_SMALL) #if defined(HAVE_EX_DATA) || defined(FORTRESS) void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx) { 
@@ -48909,6 +48863,13 @@ int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *d WOLFSSL_ENTER("wolfSSL_CRYPTO_set_ex_data"); #ifdef MAX_EX_DATA if (ex_data && idx < MAX_EX_DATA && idx >= 0) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + if (ex_data->ex_data_cleanup_routines[idx]) { + if (ex_data->ex_data[idx]) + ex_data->ex_data_cleanup_routines[idx](ex_data->ex_data[idx]); + ex_data->ex_data_cleanup_routines[idx] = NULL; + } +#endif ex_data->ex_data[idx] = data; return WOLFSSL_SUCCESS; } @@ -48919,8 +48880,30 @@ int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *d #endif return WOLFSSL_FAILURE; } + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_CRYPTO_set_ex_data_with_cleanup( + WOLFSSL_CRYPTO_EX_DATA* ex_data, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_CRYPTO_set_ex_data_with_cleanup"); + if (ex_data && idx < MAX_EX_DATA && idx >= 0) { + if (ex_data->ex_data_cleanup_routines[idx] && ex_data->ex_data[idx]) + ex_data->ex_data_cleanup_routines[idx](ex_data->ex_data[idx]); + ex_data->ex_data[idx] = data; + ex_data->ex_data_cleanup_routines[idx] = cleanup_routine; + return WOLFSSL_SUCCESS; + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #endif /* HAVE_EX_DATA || FORTRESS */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(WOLFSSL_WPAS_SMALL) void *wolfSSL_X509_get_ex_data(X509 *x509, int idx) { WOLFSSL_ENTER("wolfSSL_X509_get_ex_data"); 
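Review bot: `wolfSSL_CRYPTO_set_ex_data_with_cleanup()` runs the old slot's cleanup routine whenever the slot is non-NULL, including when the caller re-registers the very same pointer, so calling it twice with the same `data` frees it and then stores the dangling pointer — a use-after-free on the next access or the final free. Skip the cleanup when the pointer is unchanged, `if (ex_data->ex_data_cleanup_routines[idx] && ex_data->ex_data[idx] && ex_data->ex_data[idx] != data)`, apply the same guard to the hook added to `wolfSSL_CRYPTO_set_ex_data()` above, and document that the slot takes ownership of `data`. The new body also uses `MAX_EX_DATA` and `ex_data_cleanup_routines` unconditionally while the sibling setter keeps its `#ifdef MAX_EX_DATA` guard; either drop the stale guard or make both consistent.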
@@ -48950,6 +48933,24 @@ int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data) #endif return WOLFSSL_FAILURE; } + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_X509_set_ex_data_with_cleanup( + X509 *x509, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_X509_set_ex_data_with_cleanup"); + if (x509 != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&x509->ex_data, idx, + data, cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ @@ -53457,6 +53458,13 @@ void wolfSSL_RSA_free(WOLFSSL_RSA* rsa) WOLFSSL_ENTER("wolfSSL_RSA_free"); if (rsa) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&rsa->ex_data, idx, NULL, NULL); + } +#endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) int doFree = 0; if (wc_LockMutex(&rsa->refMutex) != 0) { diff --git a/src/tls13.c b/src/tls13.c index ec0c303c7..3290dd2c6 100644 --- a/src/tls13.c +++ b/src/tls13.c 
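Review bot: The new cleanup loop in wolfSSL_RSA_free runs before the reference count is examined, so on an OPENSSL_EXTRA / OPENSSL_ALL build the first wolfSSL_RSA_free call on a shared WOLFSSL_RSA tears down every ex_data slot even when doFree stays 0 and other holders keep using the key; anything they later fetch with wolfSSL_RSA_get_ex_data is already released. The loop belongs on the doFree path, after the refcount check that begins at the end of this hunk and continues outside it. Separately, the added compound statement now precedes `int doFree = 0;`, a declaration after a statement that a C89-mode or -Wdeclaration-after-statement build of this file would flag; if the block stays in this position, hoist `int idx;` to the top of the `if (rsa)` body. The loop also assumes `rsa->ex_data` exists whenever HAVE_EX_DATA_CLEANUP_HOOKS is set, which holds for the configure.ac flags but not for a manual -D build without HAVE_EX_DATA.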
@@ -8357,17 +8357,9 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
     }
 
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
-    if (ssl->AcceptFilter && (ssl->buffers.network_connection.remote_addr_len > 0)) {
+    if (ssl->AcceptFilter) {
         wolfSSL_netfilter_decision_t res;
-        if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) &&
-            (res == WOLFSSL_NETFILTER_REJECT)) {
-            WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E);
-            return WOLFSSL_FATAL_ERROR;
-        }
-    }
-    if (ssl->AcceptFilter && (ssl->buffers.network_connection_layer2.remote_addr_len > 0)) {
-        wolfSSL_netfilter_decision_t res;
-        if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection_layer2, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) &&
+        if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) &&
             (res == WOLFSSL_NETFILTER_REJECT)) {
             WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E);
             return WOLFSSL_FATAL_ERROR;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index b36d7f9a4..ed98f041b 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3449,11 +3449,6 @@ typedef struct Buffers {
 #ifdef WOLFSSL_SEND_HRR_COOKIE
     buffer tls13CookieSecret; /* HRR cookie secret */
 #endif
-#ifdef WOLFSSL_NETWORK_INTROSPECTION
-    struct wolfSSL_network_connection network_connection;
-    struct wolfSSL_network_connection network_connection_layer2;
-    #define WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(x) ((x).remote_addr_len + (x).local_addr_len > WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES)
-#endif
 #ifdef WOLFSSL_DTLS
     WOLFSSL_DTLS_CTX dtlsCtx; /* DTLS connection context */
 #ifndef NO_WOLFSSL_SERVER
diff --git a/wolfssl/openssl/rsa.h b/wolfssl/openssl/rsa.h
index dd07fd49e..af9d3ca5e 100644
--- a/wolfssl/openssl/rsa.h
+++ b/wolfssl/openssl/rsa.h
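Review bot: The accept filter in wolfSSL_accept_TLSv13 still fails open: when the callback returns anything other than WOLFSSL_SUCCESS the `&&` short-circuits and the handshake proceeds as if the peer had been passed, and `res` is never initialised, so a callback that reports success without writing it makes the decision from an indeterminate value. If a failing or silent filter is meant to block the connection, `wolfSSL_netfilter_decision_t res = WOLFSSL_NETFILTER_REJECT;` together with `if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) != WOLFSSL_SUCCESS) || (res == WOLFSSL_NETFILTER_REJECT)) {` gives the safe default; if fail-open is intentional, a comment saying so next to the call would stop the next reader from "fixing" it. The same pattern presumably exists in the TLS 1.2 accept path in src/internal.c, which this patch also touches but which is not in view. wolfSSL_accept_TLSv13 starts and ends outside this hunk.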
@@ -152,7 +152,13 @@ WOLFSSL_API WOLFSSL_RSA* wolfSSL_RSAPublicKey_dup(WOLFSSL_RSA *rsa); WOLFSSL_API void* wolfSSL_RSA_get_ex_data(const WOLFSSL_RSA *rsa, int idx); WOLFSSL_API int wolfSSL_RSA_set_ex_data(WOLFSSL_RSA *rsa, int idx, void *data); - +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_RSA_set_ex_data_with_cleanup( + WOLFSSL_RSA *rsa, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif #define WOLFSSL_RSA_LOAD_PRIVATE 1 #define WOLFSSL_RSA_LOAD_PUBLIC 2 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index a754e6db9..786f14b20 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
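Review bot: None of the new `*_set_ex_data_with_cleanup` prototypes — wolfSSL_RSA_set_ex_data_with_cleanup here, and the wolfSSL_set_ex_data_with_cleanup, wolfSSL_BIO_, wolfSSL_X509_STORE_CTX_, wolfSSL_X509_STORE_, wolfSSL_CRYPTO_, wolfSSL_CTX_, wolfSSL_SESSION_ and wolfSSL_X509_ variants added to wolfssl/ssl.h in this patch — document when cleanup_routine is invoked, which is the one thing a caller handing over ownership needs to know. From the ssl.c hunks it fires on the previous non-NULL pointer whenever the slot is overwritten by either set_ex_data variant, and wolfSSL_RSA_free fires it on the current pointer by storing NULL/NULL; a Doxygen block on the WOLFSSL_CRYPTO variant stating exactly that, plus `/* see wolfSSL_CRYPTO_set_ex_data_with_cleanup for cleanup semantics */` on each wrapper, would make the ownership transfer explicit. Whether objects other than WOLFSSL_RSA run the hooks on free is not visible in this patch and should be stated either way.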
@@ -1141,79 +1141,7 @@ WOLFSSL_API int wolfSSL_export_keying_material(WOLFSSL *ssl, int use_context); #endif /* HAVE_KEYING_MATERIAL */ -#ifdef WOLFSSL_NETWORK_INTROSPECTION - -#ifndef WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES -#define WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES 32 /* enough for 2 IPv6 addresses. */ -#endif - -struct wolfSSL_network_connection { - word16 family; - word16 proto; - word16 remote_port; - word16 local_port; - word16 remote_addr_len; - word16 local_addr_len; - byte interface; - union { - byte addr_buffer[WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES]; - byte *addr_buffer_dynamic; - }; -}; - -#define WOLFSSL_NETWORK_CONNECTION_BUFSIZ(remote_addr_len, local_addr_len) \ - ((unsigned int)(unsigned long int)(&((struct wolfSSL_network_connection *)0)->addr_buffer[0]) + \ - (remote_addr_len) + (local_addr_len)); - -WOLFSSL_API int wolfSSL_set_endpoints( - WOLFSSL *ssl, - unsigned int interface_id, - unsigned int family, - unsigned int proto, - unsigned int addr_len, - const byte *remote_addr, - const byte *local_addr, - unsigned int remote_port, - unsigned int local_port); - -WOLFSSL_API int wolfSSL_get_endpoint_addrs( - const struct wolfSSL_network_connection *nc, - const void **remote_addr, - const void **local_addr); - -WOLFSSL_API int wolfSSL_get_endpoints( - WOLFSSL *ssl, - const struct wolfSSL_network_connection **nc, - const void **remote_addr, - const void **local_addr); - -WOLFSSL_API int wolfSSL_copy_endpoints( - WOLFSSL *ssl, - struct wolfSSL_network_connection *nc, - size_t nc_size, - const void **remote_addr, - const void **local_addr); - -WOLFSSL_API int wolfSSL_set_endpoints_layer2( - WOLFSSL *ssl, - unsigned int interface_id, - unsigned int family, - unsigned int addr_len, - const byte *remote_addr, - const byte *local_addr); - -WOLFSSL_API int wolfSSL_get_endpoints_layer2( - WOLFSSL *ssl, - const struct wolfSSL_network_connection **nc, - const void **remote_addr, - const void **local_addr); - -WOLFSSL_API int 
wolfSSL_copy_endpoints_layer2( - WOLFSSL *ssl, - struct wolfSSL_network_connection *nc, - size_t nc_size, - const void **remote_addr, - const void **local_addr); +#ifdef WOLFSSL_WOLFSENTRY_HOOKS typedef enum { WOLFSSL_NETFILTER_PASS = 0, @@ -1221,13 +1149,11 @@ typedef enum { WOLFSSL_NETFILTER_REJECT = 2 } wolfSSL_netfilter_decision_t; -#ifdef WOLFSSL_WOLFSENTRY_HOOKS -typedef int (*NetworkFilterCallback_t)(WOLFSSL *ssl, struct wolfSSL_network_connection *nc, void *ctx, wolfSSL_netfilter_decision_t *decision); +typedef int (*NetworkFilterCallback_t)(WOLFSSL *ssl, void *AcceptFilter_arg, wolfSSL_netfilter_decision_t *decision); WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg); WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg); -#endif -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ /* Nonblocking DTLS helper functions */ WOLFSSL_API void wolfSSL_dtls_set_using_nonblock(WOLFSSL*, int); @@ -1355,6 +1281,13 @@ WOLFSSL_API int wolfSSL_sk_X509_EXTENSION_num(WOLF_STACK_OF(WOLFSSL_X509_EXTENSI WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_sk_X509_EXTENSION_value( WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk, int idx); WOLFSSL_API int wolfSSL_set_ex_data(WOLFSSL*, int, void*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_set_ex_data_with_cleanup( + WOLFSSL* ssl, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API int wolfSSL_get_shutdown(const WOLFSSL*); WOLFSSL_API int wolfSSL_set_rfd(WOLFSSL*, int); WOLFSSL_API int wolfSSL_set_wfd(WOLFSSL*, int); 
@@ -1437,6 +1370,13 @@ WOLFSSL_API WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_base64(void); WOLFSSL_API void wolfSSL_BIO_set_flags(WOLFSSL_BIO*, int); WOLFSSL_API void wolfSSL_BIO_clear_flags(WOLFSSL_BIO *bio, int flags); WOLFSSL_API int wolfSSL_BIO_set_ex_data(WOLFSSL_BIO *bio, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_BIO_set_ex_data_with_cleanup( + WOLFSSL_BIO *bio, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void *wolfSSL_BIO_get_ex_data(WOLFSSL_BIO *bio, int idx); WOLFSSL_API long wolfSSL_BIO_set_nbio(WOLFSSL_BIO*, long); @@ -1761,10 +1701,24 @@ WOLFSSL_API void* wolfSSL_X509_STORE_CTX_get_ex_data( WOLFSSL_X509_STORE_CTX* ctx, int idx); WOLFSSL_API int wolfSSL_X509_STORE_CTX_set_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE_CTX* ctx, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void* wolfSSL_X509_STORE_get_ex_data( WOLFSSL_X509_STORE* store, int idx); WOLFSSL_API int wolfSSL_X509_STORE_set_ex_data(WOLFSSL_X509_STORE* store, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_X509_STORE_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE* store, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_depth(WOLFSSL_X509_STORE_CTX* ctx, int depth); WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get0_current_issuer( 
@@ -2323,10 +2277,17 @@ WOLFSSL_API int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *s, const char *s WOLFSSL_API int wolfSSL_sk_num(const WOLFSSL_STACK* sk); WOLFSSL_API void* wolfSSL_sk_value(const WOLFSSL_STACK* sk, int i); -#if (defined(HAVE_EX_DATA) || defined(FORTRESS)) && \ - (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL)) +#if defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL) + WOLFSSL_API void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data_with_cleanup( + WOLFSSL_CRYPTO_EX_DATA* ex_data, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *data); #endif @@ -2334,6 +2295,13 @@ WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int /* stunnel 4.28 needs */ WOLFSSL_API void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX*, int); WOLFSSL_API int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX*, int, void*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_CTX_set_ex_data_with_cleanup( + WOLFSSL_CTX* ctx, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void wolfSSL_CTX_sess_set_get_cb(WOLFSSL_CTX*, WOLFSSL_SESSION*(*f)(WOLFSSL*, unsigned char*, int, int*)); WOLFSSL_API void wolfSSL_CTX_sess_set_new_cb(WOLFSSL_CTX*, 
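Review bot: The widened guard `#if defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL)` declares wolfSSL_CRYPTO_get_ex_data and wolfSSL_CRYPTO_set_ex_data for WOLFSSL_WPAS_SMALL builds that define neither HAVE_EX_DATA nor FORTRESS, but the WOLFSSL_CRYPTO_EX_DATA type (wolfcrypt/types.h in this patch) and the definitions in ssl.c stay gated on HAVE_EX_DATA || FORTRESS alone, so such a build would see prototypes naming an undeclared type and no matching definitions. Unless WOLFSSL_WPAS_SMALL implies HAVE_EX_DATA in settings.h, which is not in view, `#if defined(HAVE_EX_DATA) || defined(FORTRESS)` matching the ssl.c guard is the consistent choice. The old guard also required one of the OPENSSL_EXTRA family; dropping that is presumably deliberate, since the ssl.c definitions were moved out from under the same condition.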
@@ -3992,6 +3960,13 @@ WOLFSSL_API void* wolfSSL_sk_X509_OBJECT_value(WOLF_STACK_OF(WOLFSSL_X509_OBJECT WOLFSSL_API void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION*, int); WOLFSSL_API int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION*, int, void*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_SESSION_set_ex_data_with_cleanup( + WOLFSSL_SESSION* session, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \ @@ -4141,6 +4116,13 @@ WOLFSSL_API int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url); WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx); WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_X509_set_ex_data_with_cleanup( + X509 *x509, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 0032884a0..c6cf1f9b0 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -48,8 +48,14 @@ decouple library dependencies with standard string, memory and so on. * (with minimal depencencies). */ #if defined(HAVE_EX_DATA) || defined(FORTRESS) + #ifdef HAVE_EX_DATA_CLEANUP_HOOKS + typedef void (*wolfSSL_ex_data_cleanup_routine_t)(void *data); + #endif typedef struct WOLFSSL_CRYPTO_EX_DATA { void* ex_data[MAX_EX_DATA]; + #ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_ex_data_cleanup_routine_t ex_data_cleanup_routines[MAX_EX_DATA]; + #endif } WOLFSSL_CRYPTO_EX_DATA; #endif
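Review bot: The new wolfSSL_X509_set_ex_data_with_cleanup prototype in wolfssl/ssl.h takes `X509 *x509` while the wolfSSL_X509_set_ex_data declaration directly above it takes `WOLFSSL_X509 *x509`; X509 is the compatibility alias, and a translation unit that includes ssl.h without the OpenSSL compatibility headers may not have it in scope at this point. `WOLFSSL_X509 *x509,` keeps the public header self-consistent and leaves the ssl.c definition, which already uses `X509` like its neighbour, unaffected.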
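Review bot: wolfSSL_ex_data_cleanup_routine_t is only typedef'd inside `#if defined(HAVE_EX_DATA) || defined(FORTRESS)`, yet every `*_set_ex_data_with_cleanup` prototype in this patch is gated on HAVE_EX_DATA_CLEANUP_HOOKS alone, so a build that defines the hooks macro by hand without HAVE_EX_DATA fails with an undeclared type in the headers rather than a clear message. configure.ac (in this patch) always sets the two together, so a guard such as `#if defined(HAVE_EX_DATA_CLEANUP_HOOKS) && !defined(HAVE_EX_DATA) && !defined(FORTRESS)` / `#error "HAVE_EX_DATA_CLEANUP_HOOKS requires HAVE_EX_DATA"` / `#endif` here would turn the misconfiguration into a diagnostic. The new ex_data_cleanup_routines array is read on every set call in ssl.c, so a comment on the struct noting that owning objects must zero-fill it before first use, and a note that the typedef'd routine receives the stored pointer and must not re-enter the same slot, would record the contract the ssl.c code relies on.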