From a892f2a95a507908a65630c34e41c51682413428 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 21 Oct 2019 22:59:07 +0200 Subject: [PATCH 01/22] Changes for nginx 1.15 - ssl.c: add to check to overwrite existing session ID if found - evp.c: wolfSSL_EVP_DecryptFinal* was checking for wrong value --- src/ssl.c | 37 ++++++++++++++++++++++++++++++++----- wolfcrypt/src/evp.c | 4 ++-- 2 files changed, 34 insertions(+), 7 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 090561b1f..814872906 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10095,7 +10095,7 @@ WOLFSSL_SESSION* wolfSSL_get_session(WOLFSSL* ssl) { WOLFSSL_ENTER("SSL_get_session"); if (ssl) - return GetSession(ssl, 0, 0); + return GetSession(ssl, 0, 1); return NULL; } @@ -12618,6 +12618,7 @@ int AddSession(WOLFSSL* ssl) int ticLen = 0; #endif WOLFSSL_SESSION* session; + int overwrite = 0; if (ssl->options.sessionCacheOff) return 0; @@ -12686,7 +12687,27 @@ int AddSession(WOLFSSL* ssl) return BAD_MUTEX_E; } - idx = SessionCache[row].nextIdx++; + for (int i=0; ioptions.tls1_3) { + if (XMEMCMP(ssl->session.sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { + WOLFSSL_MSG("Session already exists. Overwriting."); + overwrite = 1; + idx = i; + break; + } + } else { + if (XMEMCMP(ssl->arrays->sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { + WOLFSSL_MSG("Session already exists. Overwriting."); + overwrite = 1; + idx = i; + break; + } + } + } + + if (!overwrite) { + idx = SessionCache[row].nextIdx++; + } #ifdef SESSION_INDEX ssl->sessionIndex = (row << SESSIDX_ROW_SHIFT) | idx; #endif 
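Review bot: The third argument to GetSession changes from 0 to 1 without a comment, and GetSession's prototype is not on this page, so the reader cannot tell what the flag requests; presumably it asks GetSession to also restore the session certificates into the returned session — confirm against its declaration. A one-line comment at the call site, `return GetSession(ssl, 0, 1); /* 1: also restore session certs */` (adjusted to the parameter's real name), would make the intent survive the next refactor.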
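Review bot: The two branches of the new overwrite scan in AddSession differ only in which session ID they compare, so the loop reads better with the ID chosen once and a single XMEMCMP; the loop bound is lost in this copy of the patch (the text after `i=0;` is garbled), so the rewrite below assumes the original uses SESSIONS_PER_ROW and needs `i` and a `const byte* id` declared at the start of the function. Separately, the scan compares against every slot in the row, including slots that have never been filled; if the candidate ID can be all zeros, or `ssl->arrays` can be NULL on the non-TLS 1.3 path, an unused slot would be matched — worth confirming, since the ID an unused slot carries is not visible here. AddSession starts and ends outside this hunk.

```c
    /* Compare against the ID this session will be stored under */
    id = ssl->options.tls1_3 ? ssl->session.sessionID : ssl->arrays->sessionID;
    for (i = 0; i < SESSIONS_PER_ROW; i++) {
        if (XMEMCMP(id, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) {
            WOLFSSL_MSG("Session already exists. Overwriting.");
            overwrite = 1;
            idx = i;
            break;
        }
    }
    /* … unchanged: nextIdx fallback and SESSION_INDEX handling … */
```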
@@ -12760,9 +12781,15 @@ int AddSession(WOLFSSL* ssl) #ifdef SESSION_CERTS if (error == 0) { - session->chain.count = ssl->session.chain.count; - XMEMCPY(session->chain.certs, ssl->session.chain.certs, - sizeof(x509_buffer) * MAX_CHAIN_DEPTH); + if (!overwrite || (overwrite && ssl->session.chain.count > 0)) { + /* + * If we are overwriting and no certs present in ssl->session.chain + * then keep the old chain. + */ + session->chain.count = ssl->session.chain.count; + XMEMCPY(session->chain.certs, ssl->session.chain.certs, + sizeof(x509_buffer) * session->chain.count); + } } #endif /* SESSION_CERTS */ #if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \ diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 9ff2ff59d..1a2d3780f 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -184,7 +184,7 @@ int wolfSSL_EVP_EncryptFinal_ex(WOLFSSL_EVP_CIPHER_CTX *ctx, int wolfSSL_EVP_DecryptFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { - if (ctx && ctx->enc) { + if (ctx && !ctx->enc) { WOLFSSL_ENTER("wolfSSL_EVP_DecryptFinal"); return wolfSSL_EVP_CipherFinal(ctx, out, outl); } @@ -196,7 +196,7 @@ int wolfSSL_EVP_DecryptFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, int wolfSSL_EVP_DecryptFinal_ex(WOLFSSL_EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { - if (ctx && ctx->enc) { + if (ctx && !ctx->enc) { WOLFSSL_ENTER("wolfSSL_EVP_DecryptFinal_ex"); return wolfSSL_EVP_CipherFinal(ctx, out, outl); } From de3c11d55c306992849947fb7c84d1f4c5bbde16 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 22 Oct 2019 16:14:22 +0200 Subject: [PATCH 02/22] opensslall required --- configure.ac | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 9de62ae66..86b6e08c7 100644 --- a/configure.ac +++ b/configure.ac 
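Review bot: `!overwrite || (overwrite && ssl->session.chain.count > 0)` simplifies to `!overwrite || ssl->session.chain.count > 0`, which states the comment's intent directly. The XMEMCPY is now sized by `session->chain.count`, so it is bounded only by that field; unless earlier parsing guarantees `chain.count <= MAX_CHAIN_DEPTH` (not visible here), a check such as `if (ssl->session.chain.count > MAX_CHAIN_DEPTH) return BAD_FUNC_ARG;` ahead of the copy keeps a bad count from writing past `certs`. AddSession continues outside this hunk.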
@@ -553,7 +553,10 @@ if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || test "$EN then ENABLED_OPENSSLEXTRA="yes" fi - +if test "$ENABLED_NGINX" = "yes" +then + ENABLED_OPENSSLALL="yes" +fi if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" then AM_CFLAGS="-DOPENSSL_EXTRA -DWOLFSSL_ALWAYS_VERIFY_CB $AM_CFLAGS" From 31c0abd610a91df77234e916e7417e50c60616cb Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 23 Oct 2019 12:20:35 +0200 Subject: [PATCH 03/22] wolfSSL_X509_NAME_print_ex should not put the null terminator in the BIO --- configure.ac | 8 ++++---- src/ssl.c | 11 ++++++++--- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index 86b6e08c7..c0d84e739 100644 --- a/configure.ac +++ b/configure.ac @@ -538,6 +538,10 @@ then ENABLED_OPENSSLALL="yes" fi +if test "$ENABLED_NGINX" = "yes" +then + ENABLED_OPENSSLALL="yes" +fi if test "$ENABLED_OPENSSLALL" = "yes" then AM_CFLAGS="-DOPENSSL_ALL -DWOLFSSL_EITHER_SIDE $AM_CFLAGS" @@ -553,10 +557,6 @@ if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || test "$EN then ENABLED_OPENSSLEXTRA="yes" fi -if test "$ENABLED_NGINX" = "yes" -then - ENABLED_OPENSSLALL="yes" -fi if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" then AM_CFLAGS="-DOPENSSL_EXTRA -DWOLFSSL_ALWAYS_VERIFY_CB $AM_CFLAGS" diff --git a/src/ssl.c b/src/ssl.c index 814872906..193ae1d63 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -39497,6 +39497,9 @@ static int get_dn_attr_by_nid(int n, const char** buf) } #endif +/* + * The BIO output of wolfSSL_X509_NAME_print_ex does NOT include the null terminator + */ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, int indent, unsigned long flags) { 
@@ -39519,7 +39522,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, /* If XN_FLAG_DN_REV is present, print X509_NAME in reverse order */ if (flags == (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)) { -#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) fullName[0] = '\0'; count = wolfSSL_X509_NAME_entry_count(name); for (i = 0; i < count; i++) { @@ -39551,17 +39554,19 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, } totalSz += tmpSz; } + if (fullName[totalSz-1] == '\0') + totalSz--; if (wolfSSL_BIO_write(bio, fullName, totalSz) != totalSz) return WOLFSSL_FAILURE; return WOLFSSL_SUCCESS; -#endif /* WOLFSSL_APACHE_HTTPD || OPENSSL_ALL */ +#endif /* WOLFSSL_APACHE_HTTPD || OPENSSL_ALL || WOLFSSL_NGINX */ } else if (flags == XN_FLAG_RFC2253) { if (wolfSSL_BIO_write(bio, name->name + 1, name->sz - 2) != name->sz - 2) return WOLFSSL_FAILURE; } - else if (wolfSSL_BIO_write(bio, name->name, name->sz) != name->sz) + else if (wolfSSL_BIO_write(bio, name->name, name->sz - 1) != name->sz - 1) return WOLFSSL_FAILURE; return WOLFSSL_SUCCESS; From 9064de1e755905b390ee855386e483be496cad2f Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 24 Oct 2019 14:20:09 +0200 Subject: [PATCH 04/22] Set proper WOLFSSL_ASN1_TIME in thisupd and nextupd in wolfSSL_OCSP_resp_find_status --- src/ocsp.c | 4 ++-- src/ssl.c | 12 ++++++------ wolfcrypt/src/asn.c | 16 ++++++++++++++++ wolfssl/ssl.h | 7 ------- wolfssl/wolfcrypt/asn.h | 2 ++ wolfssl/wolfcrypt/asn_public.h | 6 ++++++ 6 files changed, 32 insertions(+), 15 deletions(-) diff --git a/src/ocsp.c b/src/ocsp.c index f8ae8bb62..81dae7b00 100644 --- a/src/ocsp.c +++ b/src/ocsp.c 
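Review bot: `name->sz - 1` in the default branch and `name->sz - 2` in the `XN_FLAG_RFC2253` branch are passed unguarded to wolfSSL_BIO_write, so a name with `sz` of 0 or 1 turns into a negative length instead of an error. A guard ahead of the flag checks, e.g. `if (name->sz < 2) return WOLFSSL_FAILURE;` for the RFC2253 branch (and `< 1` for the default one), closes that; a NULL check on `name` may already exist earlier, since the function starts outside this hunk. The `#endif` comment now matches the condition, which is good.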
@@ -509,9 +509,9 @@ int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs, if (status != NULL) *status = bs->status->status; if (thisupd != NULL) - *thisupd = (WOLFSSL_ASN1_TIME*)bs->status->thisDateAsn; + *thisupd = &bs->status->thisDateParsed; if (nextupd != NULL) - *nextupd = (WOLFSSL_ASN1_TIME*)bs->status->nextDateAsn; + *nextupd = &bs->status->nextDateParsed; /* TODO: Not needed for Nginx. */ if (reason != NULL) diff --git a/src/ssl.c b/src/ssl.c index 193ae1d63..4964cb514 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -26510,19 +26510,19 @@ int wolfSSL_ASN1_GENERALIZEDTIME_print(WOLFSSL_BIO* bio, } p = (const char *)(asnTime->data); /* GetTimeString not always available. */ - wolfSSL_BIO_write(bio, MonthStr(p + 2), 3); + wolfSSL_BIO_write(bio, MonthStr(p + 4), 3); wolfSSL_BIO_write(bio, " ", 1); /* Day */ - wolfSSL_BIO_write(bio, p + 4, 2); + wolfSSL_BIO_write(bio, p + 6, 2); wolfSSL_BIO_write(bio, " ", 1); /* Hour */ - wolfSSL_BIO_write(bio, p + 6, 2); - wolfSSL_BIO_write(bio, ":", 1); - /* Min */ wolfSSL_BIO_write(bio, p + 8, 2); wolfSSL_BIO_write(bio, ":", 1); - /* Secs */ + /* Min */ wolfSSL_BIO_write(bio, p + 10, 2); + wolfSSL_BIO_write(bio, ":", 1); + /* Secs */ + wolfSSL_BIO_write(bio, p + 12, 2); wolfSSL_BIO_write(bio, " ", 1); wolfSSL_BIO_write(bio, p, 4); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 5668b5fb1..fc6187a08 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -14878,6 +14878,14 @@ static int DecodeSingleResponse(byte* source, #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) cs->thisDateAsn = source + idx; + localIdx = 0; + if (GetDateInfo(cs->thisDateAsn, &localIdx, NULL, + (byte*)&cs->thisDateParsed.type, + &cs->thisDateParsed.length, size) < 0) + return ASN_PARSE_E; + XMEMCPY(cs->thisDateParsed.data, + cs->thisDateAsn + localIdx - cs->thisDateParsed.length, + cs->thisDateParsed.length); #endif if (GetBasicDate(source, &idx, cs->thisDate, &cs->thisDateFormat, size) < 0) 
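Review bot: `*thisupd` and `*nextupd` now point into `bs->status`, so their lifetime is that of the basic response and the caller must not free them; a comment at these lines, `/* points into bs; valid only while bs is alive, do not free */`, records the contract OpenSSL callers of OCSP_resp_find_status already expect. nextUpdate is optional in an OCSP single response; if it is absent, `nextDateParsed` is presumably left zeroed and `*nextupd` becomes a non-NULL pointer to an empty time, whereas a NULL would let callers detect the absence — confirm how DecodeSingleResponse handles the missing field.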
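Review bot: The corrected offsets read up to `p + 13`, so wolfSSL_ASN1_GENERALIZEDTIME_print now depends on `asnTime->length` being at least 14 bytes and on the value actually being a GeneralizedTime; neither check is visible in this hunk, and the function starts above it. Unless one exists earlier, a guard such as `if (asnTime->length < 14) return WOLFSSL_FAILURE;` before the writes keeps a short or UTCTime value from reading past `data`. The Hour/Min/Secs comments now line up with the offsets, which is good.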
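Review bot: GetDateInfo is handed `cs->thisDateAsn`, which already sits at `source + idx`, but the bound passed is the whole `size` rather than `size - idx`, so a truncated response can make it read past the end of `source`. The `(byte*)&cs->thisDateParsed.type` cast stores one byte into an `int`: on little-endian hosts the other three bytes keep whatever the struct held, and on big-endian the value lands in the wrong byte; store into a `byte` local (`dateType`, declared at the top of DecodeSingleResponse) and assign. The XMEMCPY into `thisDateParsed.data` copies `length` bytes without comparing it to the array size, which is cheap to check. The same three points apply to the nextUpdate hunk that follows.

```c
    localIdx = 0;
    dateType = 0;
    if (GetDateInfo(cs->thisDateAsn, &localIdx, NULL, &dateType,
                    &cs->thisDateParsed.length, size - idx) < 0)
        return ASN_PARSE_E;
    if (cs->thisDateParsed.length < 0 ||
        cs->thisDateParsed.length > (int)sizeof(cs->thisDateParsed.data))
        return ASN_PARSE_E;
    cs->thisDateParsed.type = dateType;
    XMEMCPY(cs->thisDateParsed.data,
            cs->thisDateAsn + localIdx - cs->thisDateParsed.length,
            cs->thisDateParsed.length);
```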
@@ -14903,6 +14911,14 @@ static int DecodeSingleResponse(byte* source, return ASN_PARSE_E; #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) cs->nextDateAsn = source + idx; + localIdx = 0; + if (GetDateInfo(cs->nextDateAsn, &localIdx, NULL, + (byte*)&cs->nextDateParsed.type, + &cs->nextDateParsed.length, size) < 0) + return ASN_PARSE_E; + XMEMCPY(cs->nextDateParsed.data, + cs->nextDateAsn + localIdx - cs->nextDateParsed.length, + cs->nextDateParsed.length); #endif if (GetBasicDate(source, &idx, cs->nextDate, &cs->nextDateFormat, size) < 0) diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index e06bbee1d..06eda54e3 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -202,13 +202,6 @@ struct WOLFSSL_BASIC_CONSTRAINTS { #define WOLFSSL_ASN1_UTCTIME WOLFSSL_ASN1_TIME #define WOLFSSL_ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME - -struct WOLFSSL_ASN1_TIME { - unsigned char data[CTC_DATE_SIZE]; /* date bytes */ - int length; - int type; -}; - struct WOLFSSL_ASN1_STRING { char strData[CTC_NAME_SIZE]; int length; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 1d70fd7e4..2baa991c0 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1226,6 +1226,8 @@ struct CertStatus { byte thisDateFormat; byte nextDateFormat; #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) + WOLFSSL_ASN1_TIME thisDateParsed; + WOLFSSL_ASN1_TIME nextDateParsed; byte* thisDateAsn; byte* nextDateAsn; #endif diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index 45597cb3e..d38aa2caf 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -166,6 +166,12 @@ typedef struct DerBuffer { int dynType; /* DYNAMIC_TYPE_* */ } DerBuffer; +typedef struct WOLFSSL_ASN1_TIME { + unsigned char data[CTC_DATE_SIZE]; /* date bytes */ + int length; + int type; +} WOLFSSL_ASN1_TIME; + enum { IV_SZ = 32, /* max iv sz */ NAME_SZ = 80, /* max one line */ 
From f0abd4ea82095912186abe6210dc820604885eac Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Fri, 25 Oct 2019 10:46:22 +0200 Subject: [PATCH 05/22] WIP --- configure.ac | 4 ---- src/ssl.c | 4 ++-- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index c0d84e739..90c1bc32e 100644 --- a/configure.ac +++ b/configure.ac @@ -538,10 +538,6 @@ then ENABLED_OPENSSLALL="yes" fi -if test "$ENABLED_NGINX" = "yes" -then - ENABLED_OPENSSLALL="yes" -fi if test "$ENABLED_OPENSSLALL" = "yes" then AM_CFLAGS="-DOPENSSL_ALL -DWOLFSSL_EITHER_SIDE $AM_CFLAGS" diff --git a/src/ssl.c b/src/ssl.c index 4964cb514..f487741bc 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -39448,7 +39448,7 @@ void wolfSSL_sk_X509_NAME_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) wolfSSL_sk_X509_NAME_pop_free(sk, NULL); } -#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) /* Helper function for X509_NAME_print_ex. Sets *buf to string for domain name attribute based on NID. Returns size of buf */ static int get_dn_attr_by_nid(int n, const char** buf) @@ -39503,7 +39503,7 @@ static int get_dn_attr_by_nid(int n, const char** buf) int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, int indent, unsigned long flags) { -#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) int count = 0, len = 0, totalSz = 0, tmpSz = 0; char tmp[ASN_NAME_MAX]; char fullName[ASN_NAME_MAX]; From ea5ac675ed71bcd701a4d0e200b233fa33e385b8 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 29 Oct 2019 08:59:55 +0100 Subject: [PATCH 06/22] WIP --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 90c1bc32e..9de62ae66 100644 --- a/configure.ac +++ b/configure.ac 
@@ -553,6 +553,7 @@ if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || test "$EN then ENABLED_OPENSSLEXTRA="yes" fi + if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" then AM_CFLAGS="-DOPENSSL_EXTRA -DWOLFSSL_ALWAYS_VERIFY_CB $AM_CFLAGS" From d9ab0c4bcbad725de23bc45312884b856a3a6681 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 29 Oct 2019 12:08:47 +0100 Subject: [PATCH 07/22] Check bounds --- src/ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index f487741bc..f4984536b 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -39554,7 +39554,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, } totalSz += tmpSz; } - if (fullName[totalSz-1] == '\0') + if (totalSz > 0 && fullName[totalSz-1] == '\0') totalSz--; if (wolfSSL_BIO_write(bio, fullName, totalSz) != totalSz) return WOLFSSL_FAILURE; From 9fbc167d0c85bd48842ba6315b1e9dc355810654 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 29 Oct 2019 12:11:52 +0100 Subject: [PATCH 08/22] Declare at start of scope --- src/ssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index f4984536b..126a53b28 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -12618,6 +12618,7 @@ int AddSession(WOLFSSL* ssl) int ticLen = 0; #endif WOLFSSL_SESSION* session; + int i; int overwrite = 0; if (ssl->options.sessionCacheOff) @@ -12687,7 +12688,7 @@ int AddSession(WOLFSSL* ssl) return BAD_MUTEX_E; } - for (int i=0; ioptions.tls1_3) { if (XMEMCMP(ssl->session.sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { WOLFSSL_MSG("Session already exists. Overwriting."); From b7913116c048582e418aac871f48a10d3dab6856 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 29 Oct 2019 12:45:56 +0100 Subject: [PATCH 09/22] Remove redeclaration --- wolfssl/ssl.h | 1 - 1 file changed, 1 deletion(-) 
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 06eda54e3..0f4f8ce51 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -167,7 +167,6 @@ typedef struct WOLFSSL_BIO WOLFSSL_BIO; typedef struct WOLFSSL_BIO_METHOD WOLFSSL_BIO_METHOD; typedef struct WOLFSSL_X509_EXTENSION WOLFSSL_X509_EXTENSION; typedef struct WOLFSSL_CONF_VALUE WOLFSSL_CONF_VALUE; -typedef struct WOLFSSL_ASN1_TIME WOLFSSL_ASN1_TIME; typedef struct WOLFSSL_ASN1_OBJECT WOLFSSL_ASN1_OBJECT; typedef struct WOLFSSL_ASN1_OTHERNAME WOLFSSL_ASN1_OTHERNAME; typedef struct WOLFSSL_X509V3_CTX WOLFSSL_X509V3_CTX; From b71758895e8710d7df38db5c1741bbc255607a38 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 30 Oct 2019 18:24:36 +0100 Subject: [PATCH 10/22] Add support for SSL_CTX_set0_chain --- src/ssl.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++---- tests/api.c | 21 ++++++++++++++++++- 2 files changed, 76 insertions(+), 5 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 126a53b28..93743896b 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -22095,27 +22095,32 @@ int wolfSSL_i2d_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509* x509) */ int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out) { + WOLFSSL_ENTER("wolfSSL_i2d_X509"); const unsigned char* der; int derSz = 0; if (x509 == NULL || out == NULL) { + WOLFSSL_LEAVE("wolfSSL_i2d_X509", BAD_FUNC_ARG); return BAD_FUNC_ARG; } der = wolfSSL_X509_get_der(x509, &derSz); if (der == NULL) { + WOLFSSL_LEAVE("wolfSSL_i2d_X509", MEMORY_E); return MEMORY_E; } if (*out == NULL) { *out = (unsigned char*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_OPENSSL); if (*out == NULL) { + WOLFSSL_LEAVE("wolfSSL_i2d_X509", MEMORY_E); return MEMORY_E; } } XMEMCPY(*out, der, derSz); + WOLFSSL_LEAVE("wolfSSL_i2d_X509", derSz); return derSz; } 
@@ -38419,17 +38424,64 @@ long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt) } #endif -#ifndef NO_WOLFSSL_STUB long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt) { - WOLFSSL_STUB("SSL_CTX_ctrl"); + WOLFSSL_ENTER("SSL_CTX_ctrl"); + long ret = WOLFSSL_SUCCESS; + + switch (cmd) { + case SSL_CTRL_CHAIN: +#ifdef SESSION_CERTS + { + /* + * We don't care about opt here because a copy of the certificate is + * stored anyway so increasing the reference counter is not necessary. + * Just check to make sure that it is set to one of the correct values. + */ + WOLF_STACK_OF(WOLFSSL_X509)* sk = (WOLF_STACK_OF(WOLFSSL_X509)*) pt; + WOLFSSL_X509* x509; + int i; + if (!ctx || (opt != 0 && opt != 1)) { + ret = WOLFSSL_FAILURE; + break; + } + if (pt) { + for (i = 0; i < wolfSSL_sk_X509_num(sk); i++) { + x509 = wolfSSL_sk_X509_value(sk, i); + /* Prevent wolfSSL_CTX_add_extra_chain_cert from freeing cert */ + if (wolfSSL_X509_up_ref(x509) != 1) { + WOLFSSL_MSG("Error increasing reference count"); + continue; + } + if (wolfSSL_CTX_add_extra_chain_cert(ctx, x509) != + WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Error adding certificate to context"); + /* Decrease reference count on failure */ + wolfSSL_X509_free(x509); + } + } + } else { + /* Clear certificate chain */ + FreeDer(&ctx->certChain); + } + } +#else + WOLFSSL_MSG("Session certificates not compiled in"); + ret = WOLFSSL_FAILURE; +#endif + break; + default: + ret = WOLFSSL_FAILURE; + break; + } + (void)ctx; (void)cmd; (void)opt; (void)pt; - return WOLFSSL_FAILURE; + WOLFSSL_LEAVE("SSL_CTX_ctrl", ret); + return ret; } -#endif #ifndef NO_WOLFSSL_STUB long wolfSSL_CTX_clear_extra_chain_certs(WOLFSSL_CTX* ctx) diff --git a/tests/api.c b/tests/api.c index 91b2e9346..c02e980ca 100644 --- a/tests/api.c +++ b/tests/api.c 
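Review bot: Both failure paths inside the loop `continue`, so a chain in which one certificate could not be ref-counted or added is installed silently truncated while the function still returns WOLFSSL_SUCCESS, and callers of SSL_CTX_set0_chain cannot notice. Set the result and leave the loop instead, `ret = WOLFSSL_FAILURE; break;` after the WOLFSSL_MSG in both branches; the `break` leaves the for loop and the case's own `break` then returns the failure. The `(void)ctx; (void)cmd; (void)opt; (void)pt;` lines were there for the stub and are now dead. The case also neither stores nor frees `sk`, so ownership of a stack handed over through a set0-style call stays with the caller — confirm that is the intended contract.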
@@ -4409,7 +4409,10 @@ static void test_wolfSSL_PKCS12(void) WOLFSSL_X509 *cert; WOLFSSL_X509 *x509; WOLFSSL_X509 *tmp; - STACK_OF(WOLFSSL_X509) *ca; + WOLFSSL_CTX *ctx; + WOLFSSL *ssl; + WOLF_STACK_OF(WOLFSSL_X509) *ca; + WOLF_STACK_OF(WOLFSSL_X509) *tmp_ca = NULL; printf(testingFmt, "wolfSSL_PKCS12()"); @@ -4450,6 +4453,22 @@ static void test_wolfSSL_PKCS12(void) AssertNotNull(cert); AssertNotNull(ca); + /* Check that SSL_CTX_set0_chain correctly sets the certChain buffer */ +#ifndef NO_WOLFSSL_CLIENT + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); +#else + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); +#endif + AssertIntEQ(SSL_CTX_set0_chain(ctx, ca), 1); + AssertIntEQ(wolfSSL_CTX_get_extra_chain_certs(ctx, &tmp_ca), 1); + AssertNotNull(tmp_ca); + /* First cert becomes the main certificate of the context */ + AssertIntEQ(sk_X509_num(tmp_ca), 1); + /* Check that the main cert is also set */ + AssertNotNull(ssl = SSL_new(ctx)); + AssertNotNull(SSL_get_certificate(ssl)); + SSL_free(ssl); + SSL_CTX_free(ctx); /* should be 2 other certs on stack */ tmp = sk_X509_pop(ca); From 1962159d8955bb7f554d61399beded205e168e4d Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 31 Oct 2019 11:12:35 +0100 Subject: [PATCH 11/22] more NGINX defines --- src/ssl.c | 3 ++- wolfssl/openssl/ssl.h | 3 ++- wolfssl/ssl.h | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 93743896b..74c8b787d 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -38410,7 +38410,8 @@ int wolfSSL_get_state(const WOLFSSL* ssl) } #endif /* HAVE_LIGHTY || HAVE_STUNNEL || WOLFSSL_MYSQL_COMPATIBLE */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX) #ifndef NO_WOLFSSL_STUB long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt) 
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 73fe39ef3..7eb3fb797 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -850,7 +850,8 @@ enum { #define sk_SSL_CIPHER_free wolfSSL_sk_SSL_CIPHER_free #define sk_SSL_CIPHER_find wolfSSL_sk_SSL_CIPHER_find -#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX) #include #define SSL_CTRL_CHAIN 88 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 0f4f8ce51..773a35a2c 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -864,7 +864,8 @@ WOLFSSL_ABI WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get_session(WOLFSSL*); WOLFSSL_ABI WOLFSSL_API void wolfSSL_flush_sessions(WOLFSSL_CTX*, long); WOLFSSL_API int wolfSSL_SetServerID(WOLFSSL*, const unsigned char*, int, int); -#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX) WOLFSSL_API int wolfSSL_BIO_new_bio_pair(WOLFSSL_BIO**, size_t, WOLFSSL_BIO**, size_t); From 3c9d191a5b9d8c245810dc021bad19f3c96ce286 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 4 Nov 2019 22:30:14 +0100 Subject: [PATCH 12/22] Don't propogate ASN_NO_PEM_HEADER from wolfSSL_load_client_CA_file --- src/ssl.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index 74c8b787d..b9f57905e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -14121,6 +14121,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) WOLFSSL_BIO* bio; WOLFSSL_X509 *cert = NULL; WOLFSSL_X509_NAME *subjectName = NULL; + unsigned long err; WOLFSSL_ENTER("wolfSSL_load_client_CA_file"); 
@@ -14156,6 +14157,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl) cert = NULL; } + err = wolfSSL_ERR_peek_last_error(); + + if (ERR_GET_LIB(err) == ERR_LIB_PEM && + ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { + /* + * wolfSSL_PEM_read_bio_X509 pushes an ASN_NO_PEM_HEADER error + * to the error queue on file end. This should not be left + * for the caller to find so we clear the last error. + */ + wc_RemoveErrorNode(-1); + } + wolfSSL_X509_free(cert); wolfSSL_BIO_free(bio); return list; From dd0734449945f81bb9bc0d29c7b6ed8127d4f94d Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 5 Nov 2019 22:46:11 +0100 Subject: [PATCH 13/22] SSL_SESSION_dup --- src/ssl.c | 40 ++++++++++++++++++++++++++++++++++++---- tests/api.c | 4 ++++ wolfssl/openssl/ssl.h | 1 + wolfssl/ssl.h | 1 + 4 files changed, 42 insertions(+), 4 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index b9f57905e..4a639a864 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -19724,6 +19724,36 @@ int wolfSSL_session_reused(WOLFSSL* ssl) } #if defined(OPENSSL_EXTRA) || defined(HAVE_EXT_CACHE) +WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session) +{ + WOLFSSL_SESSION* copy; + WOLFSSL_ENTER("wolfSSL_SESSION_dup"); + + if (session == NULL) + return NULL; + if (session->isDynamic && !session->ticket) { + WOLFSSL_MSG("Session dynamic flag is set but ticket pointer is null"); + return NULL; + } + + copy = XMALLOC(sizeof(WOLFSSL_SESSION), NULL, DYNAMIC_TYPE_OPENSSL); + if (copy != NULL) { + XMEMCPY(copy, session, sizeof(WOLFSSL_SESSION)); + copy->isAlloced = 1; + #ifdef HAVE_SESSION_TICKET + if (session->isDynamic) { + copy->ticket = XMALLOC(session->ticketLen, NULL, + DYNAMIC_TYPE_SESSION_TICK); + XMEMCPY(copy->ticket, session->ticket, session->ticketLen); + } else { + copy->ticket = copy->staticTicket; + } + #endif + } + + return copy; +} + void wolfSSL_SESSION_free(WOLFSSL_SESSION* session) { if (session == NULL) 
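Review bot: The XMALLOC for the dynamic ticket in wolfSSL_SESSION_dup is not checked, so an allocation failure makes the following XMEMCPY write through a NULL `copy->ticket`, and on that path the half-built `copy` also has to be released. Because the struct is copied with a single XMEMCPY, any other heap pointer a WOLFSSL_SESSION may own besides `ticket` (a peer certificate, for instance) would be shared by both copies and freed twice — confirm against the struct definition, which is not on this page. The file casts XMALLOC results elsewhere (see wolfSSL_i2d_X509 in this series), so the casts below keep the style consistent.

```c
    copy = (WOLFSSL_SESSION*)XMALLOC(sizeof(WOLFSSL_SESSION), NULL,
                                     DYNAMIC_TYPE_OPENSSL);
    if (copy != NULL) {
        XMEMCPY(copy, session, sizeof(WOLFSSL_SESSION));
        copy->isAlloced = 1;
    #ifdef HAVE_SESSION_TICKET
        if (session->isDynamic) {
            copy->ticket = (byte*)XMALLOC(session->ticketLen, NULL,
                                          DYNAMIC_TYPE_SESSION_TICK);
            if (copy->ticket == NULL) {
                XFREE(copy, NULL, DYNAMIC_TYPE_OPENSSL);
                return NULL;
            }
            XMEMCPY(copy->ticket, session->ticket, session->ticketLen);
        } else {
            copy->ticket = copy->staticTicket;
        }
    #endif
    }
```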
@@ -38459,7 +38489,9 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt) ret = WOLFSSL_FAILURE; break; } - if (pt) { + /* Clear certificate chain */ + FreeDer(&ctx->certChain); + if (sk) { for (i = 0; i < wolfSSL_sk_X509_num(sk); i++) { x509 = wolfSSL_sk_X509_value(sk, i); /* Prevent wolfSSL_CTX_add_extra_chain_cert from freeing cert */ @@ -38474,10 +38506,10 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt) wolfSSL_X509_free(x509); } } - } else { - /* Clear certificate chain */ - FreeDer(&ctx->certChain); } + /* Free previous chain */ + wolfSSL_sk_X509_free(ctx->x509Chain); + ctx->x509Chain = sk; } #else WOLFSSL_MSG("Session certificates not compiled in"); diff --git a/tests/api.c b/tests/api.c index c02e980ca..36b5e2f90 100644 --- a/tests/api.c +++ b/tests/api.c @@ -23340,6 +23340,7 @@ static void test_wolfSSL_SESSION(void) WOLFSSL* ssl; WOLFSSL_CTX* ctx; WOLFSSL_SESSION* sess; + WOLFSSL_SESSION* sess_copy; const unsigned char context[] = "user app context"; unsigned char* sessDer = NULL; unsigned char* ptr = NULL; @@ -23413,6 +23414,9 @@ static void test_wolfSSL_SESSION(void) fdOpenSession(Task_self()); #endif + AssertNotNull(sess_copy = wolfSSL_SESSION_dup(sess)); + wolfSSL_SESSION_free(sess_copy); + /* get session from DER and update the timeout */ AssertIntEQ(wolfSSL_i2d_SSL_SESSION(NULL, &sessDer), BAD_FUNC_ARG); AssertIntGT((sz = wolfSSL_i2d_SSL_SESSION(sess, &sessDer)), 0); diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 7eb3fb797..d7dbfcf3c 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -274,6 +274,7 @@ typedef WOLFSSL_X509_VERIFY_PARAM X509_VERIFY_PARAM; #define SSL_set_connect_state wolfSSL_set_connect_state #define SSL_set_accept_state wolfSSL_set_accept_state #define SSL_session_reused wolfSSL_session_reused +#define SSL_SESSION_dup wolfSSL_SESSION_dup #define SSL_SESSION_free wolfSSL_SESSION_free #define SSL_is_init_finished wolfSSL_is_init_finished 
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 773a35a2c..f9232768e 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1092,6 +1092,7 @@ WOLFSSL_API int wolfSSL_set_session_id_context(WOLFSSL*, const unsigned char*, WOLFSSL_API void wolfSSL_set_connect_state(WOLFSSL*); WOLFSSL_API void wolfSSL_set_accept_state(WOLFSSL*); WOLFSSL_API int wolfSSL_session_reused(WOLFSSL*); +WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session); WOLFSSL_API void wolfSSL_SESSION_free(WOLFSSL_SESSION* session); WOLFSSL_API int wolfSSL_is_init_finished(WOLFSSL*); From 8dde06bbca45d3b09af7596a912e264420c3b5c2 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 6 Nov 2019 14:35:16 +0100 Subject: [PATCH 14/22] Fix compile errors --- src/ssl.c | 16 ++++++++++++---- tests/api.c | 8 +++++++- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 4a639a864..f43b6d0c6 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -19726,32 +19726,40 @@ int wolfSSL_session_reused(WOLFSSL* ssl) #if defined(OPENSSL_EXTRA) || defined(HAVE_EXT_CACHE) WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session) { +#ifdef HAVE_EXT_CACHE WOLFSSL_SESSION* copy; WOLFSSL_ENTER("wolfSSL_SESSION_dup"); if (session == NULL) return NULL; +#ifdef HAVE_SESSION_TICKET if (session->isDynamic && !session->ticket) { WOLFSSL_MSG("Session dynamic flag is set but ticket pointer is null"); return NULL; } +#endif copy = XMALLOC(sizeof(WOLFSSL_SESSION), NULL, DYNAMIC_TYPE_OPENSSL); if (copy != NULL) { XMEMCPY(copy, session, sizeof(WOLFSSL_SESSION)); copy->isAlloced = 1; - #ifdef HAVE_SESSION_TICKET +#ifdef HAVE_SESSION_TICKET if (session->isDynamic) { copy->ticket = XMALLOC(session->ticketLen, NULL, - DYNAMIC_TYPE_SESSION_TICK); + DYNAMIC_TYPE_SESSION_TICK); XMEMCPY(copy->ticket, session->ticket, session->ticketLen); } else { copy->ticket = copy->staticTicket; } - #endif +#endif } - return copy; +#else + WOLFSSL_MSG("wolfSSL_SESSION_dup was called " + "but HAVE_EXT_CACHE is not defined"); + (void)session; + return NULL; +#endif /* HAVE_EXT_CACHE */ } void wolfSSL_SESSION_free(WOLFSSL_SESSION* session) diff --git a/tests/api.c b/tests/api.c index 36b5e2f90..d335814d7 100644 --- a/tests/api.c +++ b/tests/api.c @@ -4410,9 +4410,12 @@ static void test_wolfSSL_PKCS12(void) WOLFSSL_X509 *x509; WOLFSSL_X509 *tmp; WOLFSSL_CTX *ctx; - WOLFSSL *ssl; WOLF_STACK_OF(WOLFSSL_X509) *ca; +#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX) + WOLFSSL *ssl; WOLF_STACK_OF(WOLFSSL_X509) *tmp_ca = NULL; +#endif printf(testingFmt, "wolfSSL_PKCS12()"); 
@@ -4459,6 +4462,8 @@ static void test_wolfSSL_PKCS12(void) #else AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); #endif +#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ + || defined(WOLFSSL_NGINX) AssertIntEQ(SSL_CTX_set0_chain(ctx, ca), 1); AssertIntEQ(wolfSSL_CTX_get_extra_chain_certs(ctx, &tmp_ca), 1); AssertNotNull(tmp_ca); @@ -4469,6 +4474,7 @@ static void test_wolfSSL_PKCS12(void) AssertNotNull(SSL_get_certificate(ssl)); SSL_free(ssl); SSL_CTX_free(ctx); +#endif /* should be 2 other certs on stack */ tmp = sk_X509_pop(ca); From 5f39e12b2161ed489e8e372eff2e3c3accd378bc Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 6 Nov 2019 20:32:25 +0100 Subject: [PATCH 15/22] Fix leak in SSL_CTX_set0_chain --- src/ssl.c | 10 ++++++++++ tests/api.c | 9 ++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index f43b6d0c6..078b12ccf 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -38518,6 +38518,16 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt) /* Free previous chain */ wolfSSL_sk_X509_free(ctx->x509Chain); ctx->x509Chain = sk; + if (sk) { + for (i = 0; i < wolfSSL_sk_X509_num(sk); i++) { + x509 = wolfSSL_sk_X509_value(sk, i); + /* On successful setting of new chain up all refs */ + if (wolfSSL_X509_up_ref(x509) != 1) { + WOLFSSL_MSG("Error increasing reference count"); + continue; + } + } + } } #else WOLFSSL_MSG("Session certificates not compiled in"); diff --git a/tests/api.c b/tests/api.c index d335814d7..ddfc2df0f 100644 --- a/tests/api.c +++ b/tests/api.c 
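Review bot: After `ctx->x509Chain = sk` the loop ups every certificate's reference count, but on an up_ref failure it only logs and continues, leaving a certificate in the stored stack that the context holds no reference to; when `ctx->x509Chain` is later freed that certificate's count is decremented once too often. On failure the function should release the references taken so far, drop the stack from the context and report WOLFSSL_FAILURE rather than continue. Taking the references before assigning `ctx->x509Chain`, and assigning only on success, makes that unwind simpler. wolfSSL_CTX_ctrl continues outside this hunk.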
@@ -4464,11 +4464,14 @@ static void test_wolfSSL_PKCS12(void) #endif #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ || defined(WOLFSSL_NGINX) - AssertIntEQ(SSL_CTX_set0_chain(ctx, ca), 1); + /* Copy stack structure */ + AssertNotNull(tmp_ca = sk_X509_dup(ca)); + AssertIntEQ(SSL_CTX_set0_chain(ctx, tmp_ca), 1); + /* CTX now owns the tmp_ca stack structure */ + tmp_ca = NULL; AssertIntEQ(wolfSSL_CTX_get_extra_chain_certs(ctx, &tmp_ca), 1); AssertNotNull(tmp_ca); - /* First cert becomes the main certificate of the context */ - AssertIntEQ(sk_X509_num(tmp_ca), 1); + AssertIntEQ(sk_X509_num(tmp_ca), sk_X509_num(ca)); /* Check that the main cert is also set */ AssertNotNull(ssl = SSL_new(ctx)); AssertNotNull(SSL_get_certificate(ssl)); From 308c5f3370c35edb7353c558bb4ff03fba6bcf16 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 6 Nov 2019 22:33:04 +0100 Subject: [PATCH 16/22] Fix implicit cast --- src/ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 078b12ccf..912437b55 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -38543,7 +38543,7 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt) (void)cmd; (void)opt; (void)pt; - WOLFSSL_LEAVE("SSL_CTX_ctrl", ret); + WOLFSSL_LEAVE("SSL_CTX_ctrl", (int)ret); return ret; } From 7c1a1dfd1ffee59bde83af812a8d8b6bab45d8ed Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 7 Nov 2019 00:32:03 +0100 Subject: [PATCH 17/22] Variable declaration at start of scope --- src/ssl.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 912437b55..33559f7f3 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -19728,6 +19728,7 @@ WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session) { #ifdef HAVE_EXT_CACHE WOLFSSL_SESSION* copy; + WOLFSSL_ENTER("wolfSSL_SESSION_dup"); if (session == NULL) 
@@ -22146,10 +22147,11 @@ int wolfSSL_i2d_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509* x509) */ int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out) { - WOLFSSL_ENTER("wolfSSL_i2d_X509"); const unsigned char* der; int derSz = 0; + WOLFSSL_ENTER("wolfSSL_i2d_X509"); + if (x509 == NULL || out == NULL) { WOLFSSL_LEAVE("wolfSSL_i2d_X509", BAD_FUNC_ARG); return BAD_FUNC_ARG; @@ -38478,9 +38480,10 @@ long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt) long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt) { - WOLFSSL_ENTER("SSL_CTX_ctrl"); long ret = WOLFSSL_SUCCESS; + WOLFSSL_ENTER("SSL_CTX_ctrl"); + switch (cmd) { case SSL_CTRL_CHAIN: #ifdef SESSION_CERTS From 944d5e10454a74984664d51c94b56c61857d6a96 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 7 Nov 2019 11:41:46 +0100 Subject: [PATCH 18/22] Don't count null char in better way --- src/ssl.c | 6 +++--- tests/api.c | 6 ++++++ 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 33559f7f3..e23abee1c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -39658,24 +39658,24 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, if (len == 0 || buf == NULL) return WOLFSSL_FAILURE; - tmpSz = str->length + len + 2; /* + 2 for '=' and null char */ + tmpSz = str->length + len + 2; /* + 2 for '=' and comma */ if (tmpSz > ASN_NAME_MAX) { WOLFSSL_MSG("Size greater than ASN_NAME_MAX"); return WOLFSSL_FAILURE; } if (i < count - 1) { + /* tmpSz+1 for last null char */ XSNPRINTF(tmp, tmpSz+1, "%s=%s,", buf, str->data); XSTRNCAT(fullName, tmp, tmpSz); } else { XSNPRINTF(tmp, tmpSz, "%s=%s", buf, str->data); XSTRNCAT(fullName, tmp, tmpSz-1); + tmpSz--; /* Don't include null char in tmpSz */ } totalSz += tmpSz; } - if (totalSz > 0 && fullName[totalSz-1] == '\0') - totalSz--; if (wolfSSL_BIO_write(bio, fullName, totalSz) != totalSz) return WOLFSSL_FAILURE; return WOLFSSL_SUCCESS; 
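Review bot: In the wolfSSL_X509_NAME_print_ex hunk (@@ -39658) nothing bounds `fullName` as entries are appended: `tmpSz > ASN_NAME_MAX` limits a single `buf=data,` piece, but `XSTRNCAT(fullName, tmp, tmpSz)` only limits the source, and `totalSz` is accumulated without ever being compared with the destination's capacity, so a subject or issuer name with several long RDN entries — data that normally arrives in a peer's certificate — can run past the end of `fullName` if it is a fixed-size buffer (its declaration is above the hunk, so I cannot confirm the size). Add a check before each concatenation, e.g. `if (totalSz + tmpSz + 1 > sizeof(fullName)) return WOLFSSL_FAILURE;` (or the equivalent against the buffer's declared size). The `tmpSz+1` passed to `XSNPRINTF` in the non-last branch also lets `tmpSz == ASN_NAME_MAX` through the existing check, one byte more than an `ASN_NAME_MAX`-sized `tmp` can hold if that is how `tmp` is declared; `>=` would close that gap.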
diff --git a/tests/api.c b/tests/api.c index ddfc2df0f..ad21169ec 100644 --- a/tests/api.c +++ b/tests/api.c @@ -4351,6 +4351,7 @@ static void test_wolfSSL_X509_NAME_get_entry(void) ASN1_STRING* asn; int idx; ASN1_OBJECT *object = NULL; + BIO* bio; #ifndef NO_FILESYSTEM x509 = wolfSSL_X509_load_certificate_file(cliCertFile, WOLFSSL_FILETYPE_PEM); @@ -4373,6 +4374,11 @@ static void test_wolfSSL_X509_NAME_get_entry(void) idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1); AssertIntGE(idx, 0); + AssertNotNull(bio = BIO_new(BIO_s_mem())); + AssertIntEQ(X509_NAME_print_ex(bio, name, 4, + (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_SUCCESS); + BIO_free(bio); + ne = X509_NAME_get_entry(name, idx); AssertNotNull(ne); AssertNotNull(object = X509_NAME_ENTRY_get_object(ne)); From 9be1b4cfd8a1914c98dcf03f74bd11787c77c4fd Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 7 Nov 2019 11:48:02 +0100 Subject: [PATCH 19/22] Remove tabs --- src/ssl.c | 36 ++++++++++++++++++------------------ wolfcrypt/src/asn.c | 16 ++++++++-------- 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index e23abee1c..0c9e5f094 100644 --- a/src/ssl.c +++ b/src/ssl.c 
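Review bot: The new X509_NAME_print_ex assertions in test_wolfSSL_X509_NAME_get_entry (@@ -4374) only check the return code; the ssl.c change in the same commit is about which bytes land in the BIO (no trailing NUL in the written length), and these assertions would not catch that regressing. Read the memory BIO back after the call — for example `BIO_get_mem_data(bio, &p)` or `BIO_read` into a local buffer — and assert the length and that the last byte is not `'\0'`, comparing against the expected RFC 2253 string for the client certificate's subject.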
@@ -12690,19 +12690,19 @@ int AddSession(WOLFSSL* ssl) for (i=0; ioptions.tls1_3) { - if (XMEMCMP(ssl->session.sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { - WOLFSSL_MSG("Session already exists. Overwriting."); - overwrite = 1; - idx = i; - break; - } + if (XMEMCMP(ssl->session.sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { + WOLFSSL_MSG("Session already exists. Overwriting."); + overwrite = 1; + idx = i; + break; + } } else { - if (XMEMCMP(ssl->arrays->sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { - WOLFSSL_MSG("Session already exists. Overwriting."); - overwrite = 1; - idx = i; - break; - } + if (XMEMCMP(ssl->arrays->sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { + WOLFSSL_MSG("Session already exists. Overwriting."); + overwrite = 1; + idx = i; + break; + } } } @@ -12782,15 +12782,15 @@ int AddSession(WOLFSSL* ssl) #ifdef SESSION_CERTS if (error == 0) { - if (!overwrite || (overwrite && ssl->session.chain.count > 0)) { - /* - * If we are overwriting and no certs present in ssl->session.chain - * then keep the old chain. - */ + if (!overwrite || (overwrite && ssl->session.chain.count > 0)) { + /* + * If we are overwriting and no certs present in ssl->session.chain + * then keep the old chain. + */ session->chain.count = ssl->session.chain.count; XMEMCPY(session->chain.certs, ssl->session.chain.certs, sizeof(x509_buffer) * session->chain.count); - } + } } #endif /* SESSION_CERTS */ #if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index fc6187a08..a924cc534 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c 
@@ -14880,12 +14880,12 @@ static int DecodeSingleResponse(byte* source, cs->thisDateAsn = source + idx; localIdx = 0; if (GetDateInfo(cs->thisDateAsn, &localIdx, NULL, - (byte*)&cs->thisDateParsed.type, - &cs->thisDateParsed.length, size) < 0) + (byte*)&cs->thisDateParsed.type, + &cs->thisDateParsed.length, size) < 0) return ASN_PARSE_E; XMEMCPY(cs->thisDateParsed.data, - cs->thisDateAsn + localIdx - cs->thisDateParsed.length, - cs->thisDateParsed.length); + cs->thisDateAsn + localIdx - cs->thisDateParsed.length, + cs->thisDateParsed.length); #endif if (GetBasicDate(source, &idx, cs->thisDate, &cs->thisDateFormat, size) < 0) @@ -14913,12 +14913,12 @@ static int DecodeSingleResponse(byte* source, cs->nextDateAsn = source + idx; localIdx = 0; if (GetDateInfo(cs->nextDateAsn, &localIdx, NULL, - (byte*)&cs->nextDateParsed.type, - &cs->nextDateParsed.length, size) < 0) + (byte*)&cs->nextDateParsed.type, + &cs->nextDateParsed.length, size) < 0) return ASN_PARSE_E; XMEMCPY(cs->nextDateParsed.data, - cs->nextDateAsn + localIdx - cs->nextDateParsed.length, - cs->nextDateParsed.length); + cs->nextDateAsn + localIdx - cs->nextDateParsed.length, + cs->nextDateParsed.length); #endif if (GetBasicDate(source, &idx, cs->nextDate, &cs->nextDateFormat, size) < 0) From 0f4a002f4f13920c3350252937e2f02540187967 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 7 Nov 2019 11:50:57 +0100 Subject: [PATCH 20/22] Formatting --- src/ssl.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 0c9e5f094..a739561d4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -12696,7 +12696,8 @@ int AddSession(WOLFSSL* ssl) idx = i; break; } - } else { + } + else { if (XMEMCMP(ssl->arrays->sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { WOLFSSL_MSG("Session already exists. Overwriting."); overwrite = 1; 
@@ -38533,8 +38534,8 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt) } } #else - WOLFSSL_MSG("Session certificates not compiled in"); - ret = WOLFSSL_FAILURE; + WOLFSSL_MSG("Session certificates not compiled in"); + ret = WOLFSSL_FAILURE; #endif break; default: From 29a8262ea41160eff8b74a20f75c8271ab940e8c Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 7 Nov 2019 13:51:30 +0100 Subject: [PATCH 21/22] Only test X509_NAME_print_ex when defines enabled --- tests/api.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/api.c b/tests/api.c index ad21169ec..a2ed490a5 100644 --- a/tests/api.c +++ b/tests/api.c @@ -4351,7 +4351,9 @@ static void test_wolfSSL_X509_NAME_get_entry(void) ASN1_STRING* asn; int idx; ASN1_OBJECT *object = NULL; +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) BIO* bio; +#endif #ifndef NO_FILESYSTEM x509 = wolfSSL_X509_load_certificate_file(cliCertFile, WOLFSSL_FILETYPE_PEM); @@ -4374,10 +4376,12 @@ static void test_wolfSSL_X509_NAME_get_entry(void) idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1); AssertIntGE(idx, 0); +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) AssertNotNull(bio = BIO_new(BIO_s_mem())); AssertIntEQ(X509_NAME_print_ex(bio, name, 4, (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_SUCCESS); BIO_free(bio); +#endif ne = X509_NAME_get_entry(name, idx); AssertNotNull(ne); From b06cee333c7d6b786a19cffa77ca749d59654f96 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 27 Nov 2019 17:37:19 +0100 Subject: [PATCH 22/22] Add error on EOF --- src/ssl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index a739561d4..6c06c594d 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -35182,6 +35182,9 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) } if ((l = wolfSSL_BIO_get_len(bp)) <= 0) { + #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) + WOLFSSL_ERROR(ASN_NO_PEM_HEADER); + #endif return NULL; }
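Review bot: The error pushed here does not match every path that reaches it: the branch runs both when the BIO is empty (`l == 0`) and when `wolfSSL_BIO_get_len` reported a failure (`l < 0`), and only the first is a "no PEM header" condition, so a genuinely failed length query would be reported to the caller as a malformed-PEM problem. Splitting the two, e.g. `if (l < 0) return NULL;` ahead of the existing check (or a distinct error for it), keeps the diagnostic honest. Since the `WOLFSSL_ERROR` call is also compiled in only under `OPENSSL_ALL`/`WOLFSSL_NGINX`, builds without those flags still return NULL with nothing on the error queue; a short comment explaining why the report is configuration-dependent (presumably to match what nginx expects from the compatibility error queue) would help the next reader. The enclosing function starts and ends outside the hunk, and the `@@` label names wolfSSL_GetDhAgreeCtx although the body is reading PEM from a BIO.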