wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-01 19:54:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Introduce thread safety to unsafe functions in wolfSSL

Browse Source 
Add warnings to one shot hash functions
This commit is contained in:
Juliusz Sosinowicz
2020-09-18 13:54:22 +02:00
parent 679b107044
commit 52be7c94b8
2 changed files with 90 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

135
src/ssl.c
View File

@@ -4815,6 +4815,14 @@ int wolfSSL_Init(void)
WOLFSSL_MSG("Bad Init Mutex count"); WOLFSSL_MSG("Bad Init Mutex count");
return BAD_MUTEX_E; return BAD_MUTEX_E;
} }
#if defined(OPENSSL_EXTRA) || \
(defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA))
if (wc_InitMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Init Mutex rng");
return BAD_MUTEX_E;
}
#endif
} }
if (wc_LockMutex(&count_mutex) != 0) { if (wc_LockMutex(&count_mutex) != 0) {
@@ -17828,43 +17836,40 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
/* used by JSSE (not a standard compatibility function) */ /* used by JSSE (not a standard compatibility function) */
/* this is not thread safe */
WOLFSSL_ABI WOLFSSL_ABI
const byte* wolfSSL_X509_notBefore(WOLFSSL_X509* x509) const byte* wolfSSL_X509_notBefore(WOLFSSL_X509* x509)
{ {
static byte notBeforeData[CTC_DATE_SIZE]; /* temp buffer for date */
WOLFSSL_ENTER("wolfSSL_X509_notBefore"); WOLFSSL_ENTER("wolfSSL_X509_notBefore");
if (x509 == NULL) if (x509 == NULL)
return NULL; return NULL;
XMEMSET(notBeforeData, 0, sizeof(notBeforeData)); XMEMSET(x509->notBeforeData, 0, sizeof(x509->notBeforeData));
notBeforeData[0] = (byte)x509->notBefore.type; x509->notBeforeData[0] = (byte)x509->notBefore.type;
notBeforeData[1] = (byte)x509->notBefore.length; x509->notBeforeData[1] = (byte)x509->notBefore.length;
XMEMCPY(&notBeforeData[2], x509->notBefore.data, x509->notBefore.length); XMEMCPY(&x509->notBeforeData[2], x509->notBefore.data, x509->notBefore.length);
return notBeforeData; return x509->notBeforeData;
} }
/* used by JSSE (not a standard compatibility function) */ /* used by JSSE (not a standard compatibility function) */
/* this is not thread safe */
WOLFSSL_ABI WOLFSSL_ABI
const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509) const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509)
{ {
static byte notAfterData[CTC_DATE_SIZE]; /* temp buffer for date */
WOLFSSL_ENTER("wolfSSL_X509_notAfter"); WOLFSSL_ENTER("wolfSSL_X509_notAfter");
if (x509 == NULL) if (x509 == NULL)
return NULL; return NULL;
XMEMSET(notAfterData, 0, sizeof(notAfterData)); XMEMSET(x509->notAfterData, 0, sizeof(x509->notAfterData));
notAfterData[0] = (byte)x509->notAfter.type; x509->notAfterData[0] = (byte)x509->notAfter.type;
notAfterData[1] = (byte)x509->notAfter.length; x509->notAfterData[1] = (byte)x509->notAfter.length;
XMEMCPY(&notAfterData[2], x509->notAfter.data, x509->notAfter.length); XMEMCPY(&x509->notAfterData[2], x509->notAfter.data, x509->notAfter.length);
return notAfterData; return x509->notAfterData;
} }
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB)
WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj) WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj)
{ {
@@ -28328,8 +28333,9 @@ const size_t wolfssl_object_info_sz = WOLFSSL_OBJECT_INFO_SZ;
#endif #endif
#if defined(OPENSSL_EXTRA) || \ #if defined(OPENSSL_EXTRA) || \
(defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA)) (defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA))
static WC_RNG globalRNG; WC_RNG globalRNG;
static int initGlobalRNG = 0; int initGlobalRNG = 0;
wolfSSL_Mutex globalRNGMutex;
#endif #endif
#if defined(OPENSSL_EXTRA) && \ #if defined(OPENSSL_EXTRA) && \
!defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) !defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)
@@ -28382,21 +28388,26 @@ WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng)
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
/* Not thread safe! Can be called multiple times. /* Checks if the global RNG has been created. If not then one is created.
* Checks if the global RNG has been created. If not then one is created.
* *
* Returns SSL_SUCCESS when no error is encountered. * Returns SSL_SUCCESS when no error is encountered.
*/ */
static int wolfSSL_RAND_Init(void) static int wolfSSL_RAND_Init(void)
{ {
if (wc_LockMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Lock Mutex rng");
return 0;
}
if (initGlobalRNG == 0) { if (initGlobalRNG == 0) {
if (wc_InitRng(&globalRNG) < 0) { if (wc_InitRng(&globalRNG) < 0) {
WOLFSSL_MSG("wolfSSL Init Global RNG failed"); WOLFSSL_MSG("wolfSSL Init Global RNG failed");
wc_UnLockMutex(&globalRNGMutex);
return 0; return 0;
} }
initGlobalRNG = 1; initGlobalRNG = 1;
} }
wc_UnLockMutex(&globalRNGMutex);
return SSL_SUCCESS; return SSL_SUCCESS;
} }
@@ -28554,7 +28565,6 @@ int wolfSSL_RAND_write_file(const char* fname)
#endif #endif
/* This collects entropy from the path nm and seeds the global PRNG with it. /* This collects entropy from the path nm and seeds the global PRNG with it.
* Makes a call to wolfSSL_RAND_Init which is not thread safe.
* *
* nm is the file path to the egd server * nm is the file path to the egd server
* *
@@ -28667,14 +28677,18 @@ int wolfSSL_RAND_egd(const char* nm)
} }
if (bytes > 0 && ret == WOLFSSL_SUCCESS) { if (bytes > 0 && ret == WOLFSSL_SUCCESS) {
wolfSSL_RAND_Init(); /* call to check global RNG is created */ /* call to check global RNG is created */
if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes) if (wolfSSL_RAND_Init() != SSL_SUCCESS) {
WOLFSSL_MSG("Error with initializing global RNG structure");
ret = WOLFSSL_FATAL_ERROR;
}
else if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes)
!= 0) { != 0) {
WOLFSSL_MSG("Error with reseeding DRBG structure"); WOLFSSL_MSG("Error with reseeding DRBG structure");
ret = WOLFSSL_FATAL_ERROR; ret = WOLFSSL_FATAL_ERROR;
} }
#ifdef SHOW_SECRETS #ifdef SHOW_SECRETS
{ /* print out entropy found */ else { /* print out entropy found only when no error occured */
word32 i; word32 i;
printf("EGD Entropy = "); printf("EGD Entropy = ");
for (i = 0; i < bytes; i++) { for (i = 0; i < bytes; i++) {
@@ -28712,10 +28726,15 @@ void wolfSSL_RAND_Cleanup(void)
{ {
WOLFSSL_ENTER("wolfSSL_RAND_Cleanup()"); WOLFSSL_ENTER("wolfSSL_RAND_Cleanup()");
if (wc_LockMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Lock Mutex rng");
return;
}
if (initGlobalRNG != 0) { if (initGlobalRNG != 0) {
wc_FreeRng(&globalRNG); wc_FreeRng(&globalRNG);
initGlobalRNG = 0; initGlobalRNG = 0;
} }
wc_UnLockMutex(&globalRNGMutex);
} }
@@ -39100,6 +39119,7 @@ err:
unsigned char *md) unsigned char *md)
{ {
static byte dig[WC_SHA_DIGEST_SIZE]; static byte dig[WC_SHA_DIGEST_SIZE];
byte* ret = md;
wc_Sha sha; wc_Sha sha;
WOLFSSL_ENTER("wolfSSL_SHA1"); WOLFSSL_ENTER("wolfSSL_SHA1");
@@ -39114,20 +39134,19 @@ err:
return NULL; return NULL;
} }
if (wc_ShaFinal(&sha, dig) != 0) { if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA1 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_ShaFinal(&sha, ret) != 0) {
WOLFSSL_MSG("SHA1 Final failed"); WOLFSSL_MSG("SHA1 Final failed");
wc_ShaFree(&sha);
return NULL; return NULL;
} }
wc_ShaFree(&sha); wc_ShaFree(&sha);
if (md != NULL) { return ret;
XMEMCPY(md, dig, WC_SHA_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
} }
#endif /* ! NO_SHA */ #endif /* ! NO_SHA */
@@ -39147,6 +39166,7 @@ err:
unsigned char *md) unsigned char *md)
{ {
static byte dig[WC_SHA256_DIGEST_SIZE]; static byte dig[WC_SHA256_DIGEST_SIZE];
byte* ret = md;
wc_Sha256 sha; wc_Sha256 sha;
WOLFSSL_ENTER("wolfSSL_SHA256"); WOLFSSL_ENTER("wolfSSL_SHA256");
@@ -39161,20 +39181,19 @@ err:
return NULL; return NULL;
} }
if (wc_Sha256Final(&sha, dig) != 0) { if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA256 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_Sha256Final(&sha, ret) != 0) {
WOLFSSL_MSG("SHA256 Final failed"); WOLFSSL_MSG("SHA256 Final failed");
wc_Sha256Free(&sha);
return NULL; return NULL;
} }
wc_Sha256Free(&sha); wc_Sha256Free(&sha);
if (md != NULL) { return ret;
XMEMCPY(md, dig, WC_SHA256_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
} }
#endif /* ! NO_SHA256 */ #endif /* ! NO_SHA256 */
@@ -39194,6 +39213,7 @@ err:
unsigned char *md) unsigned char *md)
{ {
static byte dig[WC_SHA384_DIGEST_SIZE]; static byte dig[WC_SHA384_DIGEST_SIZE];
byte* ret = md;
wc_Sha384 sha; wc_Sha384 sha;
WOLFSSL_ENTER("wolfSSL_SHA384"); WOLFSSL_ENTER("wolfSSL_SHA384");
@@ -39208,20 +39228,19 @@ err:
return NULL; return NULL;
} }
if (wc_Sha384Final(&sha, dig) != 0) { if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA384 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_Sha384Final(&sha, ret) != 0) {
WOLFSSL_MSG("SHA384 Final failed"); WOLFSSL_MSG("SHA384 Final failed");
wc_Sha384Free(&sha);
return NULL; return NULL;
} }
wc_Sha384Free(&sha); wc_Sha384Free(&sha);
if (md != NULL) { return ret;
XMEMCPY(md, dig, WC_SHA384_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
} }
#endif /* WOLFSSL_SHA384 */ #endif /* WOLFSSL_SHA384 */
@@ -39242,6 +39261,7 @@ err:
unsigned char *md) unsigned char *md)
{ {
static byte dig[WC_SHA512_DIGEST_SIZE]; static byte dig[WC_SHA512_DIGEST_SIZE];
byte* ret = md;
wc_Sha512 sha; wc_Sha512 sha;
WOLFSSL_ENTER("wolfSSL_SHA512"); WOLFSSL_ENTER("wolfSSL_SHA512");
@@ -39256,20 +39276,19 @@ err:
return NULL; return NULL;
} }
if (wc_Sha512Final(&sha, dig) != 0) { if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA512 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_Sha512Final(&sha, ret) != 0) {
WOLFSSL_MSG("SHA512 Final failed"); WOLFSSL_MSG("SHA512 Final failed");
wc_Sha512Free(&sha);
return NULL; return NULL;
} }
wc_Sha512Free(&sha); wc_Sha512Free(&sha);
if (md != NULL) { return ret;
XMEMCPY(md, dig, WC_SHA512_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
} }
#endif /* WOLFSSL_SHA512 */ #endif /* WOLFSSL_SHA512 */
#endif /* OPENSSL_EXTRA */ #endif /* OPENSSL_EXTRA */

14
wolfssl/internal.h
View File

@@ -3726,6 +3726,7 @@ struct WOLFSSL_X509 {
byte subjAltNameCrit:1; byte subjAltNameCrit:1;
byte authKeyIdSet:1; byte authKeyIdSet:1;
byte authKeyIdCrit:1; byte authKeyIdCrit:1;
byte issuerSet:1;
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
byte serial[EXTERNAL_SERIAL_SIZE]; byte serial[EXTERNAL_SERIAL_SIZE];
char subjectCN[ASN_NAME_MAX]; /* common name short cut */ char subjectCN[ASN_NAME_MAX]; /* common name short cut */
@@ -3738,7 +3739,11 @@ struct WOLFSSL_X509 {
WOLFSSL_X509_ALGOR algor; WOLFSSL_X509_ALGOR algor;
WOLFSSL_X509_PUBKEY key; WOLFSSL_X509_PUBKEY key;
#endif #endif
byte issuerSet:1; #if defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || \
defined(SESSION_CERTS)
byte notBeforeData[CTC_DATE_SIZE];
byte notAfterData[CTC_DATE_SIZE];
#endif
}; };
@@ -4375,6 +4380,13 @@ extern const WOLF_EC_NIST_NAME kNistCurves[];
#define kNistCurves_MAX_NAME_LEN 7 #define kNistCurves_MAX_NAME_LEN 7
#endif #endif
#if defined(OPENSSL_EXTRA) || \
(defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA))
extern WC_RNG globalRNG;
extern int initGlobalRNG;
extern wolfSSL_Mutex globalRNGMutex;
#endif
/* internal functions */ /* internal functions */
WOLFSSL_LOCAL int SendChangeCipher(WOLFSSL*); WOLFSSL_LOCAL int SendChangeCipher(WOLFSSL*);
WOLFSSL_LOCAL int SendTicket(WOLFSSL*); WOLFSSL_LOCAL int SendTicket(WOLFSSL*);