From 64a3333870215d740d5234db22b9223388f88830 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 2 Dec 2016 11:22:53 -0700 Subject: [PATCH] adjust wolfSSL_set_options and test case --- src/internal.c | 26 ++++++++++++++++ src/ssl.c | 77 ++++++++++++++++++++++++++++++++++++++-------- tests/api.c | 41 ++++++++++++++++++++++-- wolfssl/internal.h | 3 ++ wolfssl/ssl.h | 63 ++++++++++++++++++++----------------- 5 files changed, 168 insertions(+), 42 deletions(-) diff --git a/src/internal.c b/src/internal.c index 287e683ff..53d2be619 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5328,6 +5328,32 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } #endif +#ifdef OPENSSL_EXTRA + /* case where specific protocols are turned off */ + if (!ssl->options.dtls && ssl->options.mask > 0) { + if (rh->pvMinor == SSLv3_MINOR && + (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { + WOLFSSL_MSG("Option set to not allow SSLv3"); + return VERSION_ERROR; + } + if (rh->pvMinor == TLSv1_MINOR && + (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { + WOLFSSL_MSG("Option set to not allow TLSv1"); + return VERSION_ERROR; + } + if (rh->pvMinor == TLSv1_1_MINOR && + (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { + WOLFSSL_MSG("Option set to not allow TLSv1.1"); + return VERSION_ERROR; + } + if (rh->pvMinor == TLSv1_2_MINOR && + (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { + WOLFSSL_MSG("Option set to not allow TLSv1.2"); + return VERSION_ERROR; + } + } +#endif /* OPENSSL_EXTRA */ + /* catch version mismatch */ if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor){ if (ssl->options.side == WOLFSSL_SERVER_END && diff --git a/src/ssl.c b/src/ssl.c index 8d9b77c3d..20f3fc257 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -14086,24 +14086,77 @@ int wolfSSL_PEM_def_callback(char* name, int num, int w, void* key) } -/* wolfSSL options are set through API calls and macros. - * return 0 for no options set */ unsigned long wolfSSL_set_options(WOLFSSL* ssl, unsigned long op) { - (void)ssl; - (void)op; - WOLFSSL_MSG("Set options in wolfSSL through API and macros"); - return 0; + WOLFSSL_ENTER("wolfSSL_set_options"); + + if (ssl == NULL) { + return 0; + } + + /* if SSL_OP_ALL then turn all bug workarounds one */ + if ((op & SSL_OP_ALL) == SSL_OP_ALL) { + WOLFSSL_MSG("\tSSL_OP_ALL"); + + op |= SSL_OP_MICROSOFT_SESS_ID_BUG; + op |= SSL_OP_NETSCAPE_CHALLENGE_BUG; + op |= SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; + op |= SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG; + op |= SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER; + op |= SSL_OP_MSIE_SSLV2_RSA_PADDING; + op |= SSL_OP_SSLEAY_080_CLIENT_DH_BUG; + op |= SSL_OP_TLS_D5_BUG; + op |= SSL_OP_TLS_BLOCK_PADDING_BUG; + op |= SSL_OP_TLS_ROLLBACK_BUG; + op |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + } + + + /* by default cookie exchange is on with DTLS */ + if ((op & SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE) { + WOLFSSL_MSG("\tSSL_OP_COOKIE_EXCHANGE : on by default"); + } + + if ((op & SSL_OP_NO_SSLv2) == SSL_OP_NO_SSLv2) { + WOLFSSL_MSG("\tSSL_OP_NO_SSLv2 : wolfSSL does not support SSLv2"); + } + + if ((op & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { + WOLFSSL_MSG("\tSSL_OP_NO_SSLv3"); + } + + if ((op & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { + WOLFSSL_MSG("\tSSL_OP_NO_TLSv1"); + } + + if ((op & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { + WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_1"); + } + + if ((op & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { + WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_2"); + } + + if ((op & SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION) { + #ifdef HAVE_LIBZ + WOLFSSL_MSG("SSL_OP_NO_COMPRESSION"); + ssl->options.usingCompression = 0; + #else + WOLFSSL_MSG("SSL_OP_NO_COMPRESSION: compression not compiled in"); + #endif + } + + ssl->options.mask |= op; + + return ssl->options.mask; } -/* wolfSSL options are set through API calls and macros. - * return 0 for no options set */ -WOLFSSL_API unsigned long wolfSSL_get_options(const WOLFSSL* ssl) +unsigned long wolfSSL_get_options(const WOLFSSL* ssl) { - (void)ssl; - WOLFSSL_MSG("Set options in wolfSSL through API and macros"); - return 0; + WOLFSSL_ENTER("wolfSSL_get_options"); + + return ssl->options.mask; } /*** TBD ***/ diff --git a/tests/api.c b/tests/api.c index de22ba030..a7ef652c6 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2690,7 +2690,7 @@ static void test_wolfSSL_ERR_peek_last_error_line(void) static void test_wolfSSL_X509_STORE_set_flags(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) + !defined(NO_FILESYSTEM) && !defined(NO_RSA) X509_STORE* store; X509* x509; @@ -2713,7 +2713,7 @@ static void test_wolfSSL_X509_STORE_set_flags(void) printf(resultFmt, passed); #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) */ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ } @@ -2760,6 +2760,42 @@ static void test_wolfSSL_BN(void) #endif /* defined(OPENSSL_EXTRA) */ } + +static void test_wolfSSL_set_options(void) +{ + #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + SSL* ssl; + SSL_CTX* ctx; + + printf(testingFmt, "wolfSSL_set_options()"); + + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM)); + AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_PEM)); + AssertNotNull(ssl = SSL_new(ctx)); + + AssertTrue(SSL_set_options(ssl, SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1); + AssertTrue(SSL_get_options(ssl) == SSL_OP_NO_TLSv1); + + AssertIntGT((int)SSL_set_options(ssl, (SSL_OP_COOKIE_EXCHANGE | + SSL_OP_NO_SSLv2)), 0); + AssertTrue((SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE) & + SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE); + AssertTrue((SSL_set_options(ssl, SSL_OP_NO_TLSv1_2) & + SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2); + AssertTrue((SSL_set_options(ssl, SSL_OP_NO_COMPRESSION) & + SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION); + + SSL_free(ssl); + SSL_CTX_free(ctx); + + printf(resultFmt, passed); + #endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ +} + + /*----------------------------------------------------------------------------* | Main *----------------------------------------------------------------------------*/ @@ -2815,6 +2851,7 @@ void ApiTest(void) test_wolfSSL_ERR_peek_last_error_line(); test_wolfSSL_X509_STORE_set_flags(); test_wolfSSL_BN(); + test_wolfSSL_set_options(); AssertIntEQ(test_wolfSSL_Cleanup(), SSL_SUCCESS); printf(" End API Tests\n"); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 9c35e020c..e4be17b18 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2379,6 +2379,9 @@ typedef struct Options { wc_psk_server_callback server_psk_cb; word16 havePSK:1; /* psk key set by user */ #endif /* NO_PSK */ +#ifdef OPENSSL_EXTRA + unsigned long mask; /* store SSL_OP_ flags */ +#endif /* on/off or small bit flags, optimize layout */ word16 sendVerify:2; /* false = 0, true = 1, sendBlank = 2 */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 0950aeef7..6823d4587 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -728,6 +728,41 @@ WOLFSSL_API unsigned long wolfSSL_get_verify_result(const WOLFSSL *ssl); #define WOLFSSL_DEFAULT_CIPHER_LIST "" /* default all */ #define WOLFSSL_RSA_F4 0x10001L +/* seperated out from other enums because of size */ +enum { + /* bit flags (ie 0001 vs 0010) : each is 2 times previous value */ + SSL_OP_MICROSOFT_SESS_ID_BUG = 1, + SSL_OP_NETSCAPE_CHALLENGE_BUG = 2, + SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 4, + SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 8, + SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 16, + SSL_OP_MSIE_SSLV2_RSA_PADDING = 32, + SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 64, + SSL_OP_TLS_D5_BUG = 128, + SSL_OP_TLS_BLOCK_PADDING_BUG = 256, + SSL_OP_TLS_ROLLBACK_BUG = 512, + SSL_OP_ALL = 1024, + SSL_OP_EPHEMERAL_RSA = 2048, + SSL_OP_NO_SSLv3 = 4096, + SSL_OP_NO_TLSv1 = 8192, + SSL_OP_PKCS1_CHECK_1 = 16384, + SSL_OP_PKCS1_CHECK_2 = 32768, + SSL_OP_NETSCAPE_CA_DN_BUG = 65536, + SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 131072, + SSL_OP_SINGLE_DH_USE = 262144, + SSL_OP_NO_TICKET = 524288, + SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 1048576, + SSL_OP_NO_QUERY_MTU = 2097152, + SSL_OP_COOKIE_EXCHANGE = 4194304, + SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 8388608, + SSL_OP_SINGLE_ECDH_USE = 16777216, + SSL_OP_CIPHER_SERVER_PREFERENCE = 33554432, + SSL_OP_NO_TLSv1_1 = 67108864, + SSL_OP_NO_TLSv1_2 = 134217728, + SSL_OP_NO_COMPRESSION = 268435456, +}; + + enum { OCSP_NOCERTS = 1, OCSP_NOINTERN = 2, @@ -755,34 +790,6 @@ enum { WOLFSSL_CRL_CHECK = 27, ASN1_GENERALIZEDTIME = 4, - - SSL_OP_MICROSOFT_SESS_ID_BUG = 1, - SSL_OP_NETSCAPE_CHALLENGE_BUG = 2, - SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 3, - SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 4, - SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 5, - SSL_OP_MSIE_SSLV2_RSA_PADDING = 6, - SSL_OP_SSLEAY_080_CLIENT_DH_BUG = 7, - SSL_OP_TLS_D5_BUG = 8, - SSL_OP_TLS_BLOCK_PADDING_BUG = 9, - SSL_OP_TLS_ROLLBACK_BUG = 10, - SSL_OP_ALL = 11, - SSL_OP_EPHEMERAL_RSA = 12, - SSL_OP_NO_SSLv3 = 13, - SSL_OP_NO_TLSv1 = 14, - SSL_OP_PKCS1_CHECK_1 = 15, - SSL_OP_PKCS1_CHECK_2 = 16, - SSL_OP_NETSCAPE_CA_DN_BUG = 17, - SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 18, - SSL_OP_SINGLE_DH_USE = 19, - SSL_OP_NO_TICKET = 20, - SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 21, - SSL_OP_NO_QUERY_MTU = 22, - SSL_OP_COOKIE_EXCHANGE = 23, - SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 24, - SSL_OP_SINGLE_ECDH_USE = 25, - SSL_OP_CIPHER_SERVER_PREFERENCE = 26, - SSL_MAX_SSL_SESSION_ID_LENGTH = 32, EVP_R_BAD_DECRYPT = 2,