wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2026-01-29 16:32:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'fix-conversion' of github.com:gasbytes/wolfssl into fix-conversion

Browse Source
This commit is contained in:
Reda Chouk
2024-09-09 16:06:16 +02:00
parent 65db4b15d6 398f8c90e2
commit 884b51151b
268 changed files with 9667 additions and 2656 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/bio.c
View File

@@ -453,8 +453,9 @@ static int wolfSSL_BIO_BASE64_write(WOLFSSL_BIO* bio, const void* data,
}
}
else {
if (Base64_Encode((const byte*)data, inLen, NULL, &sz) !=
LENGTH_ONLY_E) {
if (Base64_Encode((const byte*)data, inLen, NULL, &sz)
!= WC_NO_ERR_TRACE(LENGTH_ONLY_E))
{
WOLFSSL_MSG("Error with base64 get length");
return WOLFSSL_FATAL_ERROR;
}

5
src/include.am
View File

@@ -992,14 +992,13 @@ src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/blake2s.c
endif
if BUILD_CHACHA
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/chacha.c
if BUILD_ARMASM_NEON
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/arm/armv8-chacha.c
else
if BUILD_RISCV_ASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/riscv/riscv-64-chacha.c
else
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/chacha.c
endif !BUILD_RISCV_ASM
endif BUILD_RISCV_ASM
if !BUILD_X86_ASM
if BUILD_INTELASM
src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/chacha_asm.S

28
src/internal.c
View File

@@ -2563,7 +2563,7 @@ void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data)
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
/* free all ech configs in the list */
static void FreeEchConfigs(WOLFSSL_EchConfig* configs, void* heap)
void FreeEchConfigs(WOLFSSL_EchConfig* configs, void* heap)
{
WOLFSSL_EchConfig* working_config = configs;
WOLFSSL_EchConfig* next_config;
@@ -3268,9 +3268,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
int haveRSAsig = 1;
#ifdef WOLFSSL_DTLS
/* If DTLS v1.2 or later than set tls1_2 flag */
if (pv.major == DTLS_MAJOR && pv.minor <= DTLSv1_2_MINOR) {
tls1_2 = 1;
if (pv.major == DTLS_MAJOR) {
dtls = 1;
tls = 1;
/* May be dead assignments dependent upon configuration */
(void) dtls;
(void) tls;
tls1_2 = pv.minor <= DTLSv1_2_MINOR;
}
#endif
@@ -3381,17 +3385,6 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
haveRSAsig = 0; /* can't have RSA sig if don't have RSA */
#endif
#ifdef WOLFSSL_DTLS
if (pv.major == DTLS_MAJOR) {
dtls = 1;
tls = 1;
/* May be dead assignments dependent upon configuration */
(void) dtls;
(void) tls;
tls1_2 = pv.minor <= DTLSv1_2_MINOR;
}
#endif
#ifdef HAVE_RENEGOTIATION_INDICATION
if (side == WOLFSSL_CLIENT_END) {
suites->suites[idx++] = CIPHER_BYTE;
@@ -7512,6 +7505,9 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
ssl->options.disallowEncThenMac = ctx->disallowEncThenMac;
#endif
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
ssl->options.disableECH = ctx->disableECH;
#endif
/* default alert state (none) */
ssl->alert_history.last_rx.code = -1;
@@ -40374,7 +40370,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
lenErrMask = 0 - (SECRET_LEN != args->sigSz);
args->lastErr = (ret & (~lenErrMask)) |
(RSA_PAD_E & lenErrMask);
(WC_NO_ERR_TRACE(RSA_PAD_E) & lenErrMask);
ret = 0;
break;
} /* rsa_kea */

4
src/ocsp.c
View File

@@ -852,7 +852,7 @@ void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse)
int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs,
WOLF_STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags)
{
int ret = WOLFSSL_FAILURE;
int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
#ifdef WOLFSSL_SMALL_STACK
DecodedCert *cert;
#else
@@ -1432,7 +1432,7 @@ WOLFSSL_OCSP_REQ_CTX* wolfSSL_OCSP_REQ_CTX_new(WOLFSSL_BIO *bio, int maxline)
DYNAMIC_TYPE_OPENSSL);
if (ret != NULL) {
XMEMSET(ret, 0, sizeof(*ret));
ret->buf = (byte*)XMALLOC(maxline, NULL, DYNAMIC_TYPE_OPENSSL);
ret->buf = (byte*)XMALLOC((word32)maxline, NULL, DYNAMIC_TYPE_OPENSSL);
if (ret->buf == NULL)
goto error;
ret->reqResp = wolfSSL_BIO_new(wolfSSL_BIO_s_mem());

76
src/pk.c
View File

@@ -2052,6 +2052,32 @@ WOLFSSL_RSA *wolfSSL_PEM_read_bio_RSA_PUBKEY(WOLFSSL_BIO* bio,
}
return rsa;
}
WOLFSSL_RSA *wolfSSL_d2i_RSA_PUBKEY_bio(WOLFSSL_BIO *bio, WOLFSSL_RSA **out)
{
char* data = NULL;
int dataSz = 0;
int memAlloced = 0;
WOLFSSL_RSA* rsa = NULL;
WOLFSSL_ENTER("wolfSSL_d2i_RSA_PUBKEY_bio");
if (bio == NULL)
return NULL;
if (wolfssl_read_bio(bio, &data, &dataSz, &memAlloced) != 0) {
if (memAlloced)
XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return NULL;
}
rsa = wolfssl_rsa_d2i(out, (const unsigned char*)data, dataSz,
WOLFSSL_RSA_LOAD_PUBLIC);
if (memAlloced)
XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return rsa;
}
#endif /* !NO_BIO */
#ifndef NO_FILESYSTEM
@@ -12342,6 +12368,56 @@ int wolfSSL_EC_KEY_LoadDer_ex(WOLFSSL_EC_KEY* key, const unsigned char* derBuf,
return res;
}
#ifndef NO_BIO
WOLFSSL_EC_KEY *wolfSSL_d2i_EC_PUBKEY_bio(WOLFSSL_BIO *bio,
WOLFSSL_EC_KEY **out)
{
char* data = NULL;
int dataSz = 0;
int memAlloced = 0;
WOLFSSL_EC_KEY* ec = NULL;
int err = 0;
WOLFSSL_ENTER("wolfSSL_d2i_EC_PUBKEY_bio");
if (bio == NULL)
return NULL;
if (err == 0 && wolfssl_read_bio(bio, &data, &dataSz, &memAlloced) != 0) {
WOLFSSL_ERROR_MSG("wolfssl_read_bio failed");
err = 1;
}
if (err == 0 && (ec = wolfSSL_EC_KEY_new()) == NULL) {
WOLFSSL_ERROR_MSG("wolfSSL_EC_KEY_new failed");
err = 1;
}
/* Load the EC key with the public key from the DER encoding. */
if (err == 0 && wolfSSL_EC_KEY_LoadDer_ex(ec, (const unsigned char*)data,
dataSz, WOLFSSL_EC_KEY_LOAD_PUBLIC) != 1) {
WOLFSSL_ERROR_MSG("wolfSSL_EC_KEY_LoadDer_ex failed");
err = 1;
}
if (memAlloced)
XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (err) { /* on error */
wolfSSL_EC_KEY_free(ec);
ec = NULL;
}
else { /* on success */
if (out != NULL)
*out = ec;
}
return ec;
}
#endif /* !NO_BIO */
/*
* EC key PEM APIs
*/

91
src/ssl.c
View File

@@ -553,6 +553,18 @@ int wolfSSL_CTX_GetEchConfigs(WOLFSSL_CTX* ctx, byte* output,
return GetEchConfigsEx(ctx->echConfigs, output, outputLen);
}
void wolfSSL_CTX_SetEchEnable(WOLFSSL_CTX* ctx, byte enable)
{
if (ctx != NULL) {
ctx->disableECH = !enable;
if (ctx->disableECH) {
TLSX_Remove(&ctx->extensions, TLSX_ECH, ctx->heap);
FreeEchConfigs(ctx->echConfigs, ctx->heap);
ctx->echConfigs = NULL;
}
}
}
/* set the ech config from base64 for our client ssl object, base64 is the
* format ech configs are sent using dns records */
int wolfSSL_SetEchConfigsBase64(WOLFSSL* ssl, char* echConfigs64,
@@ -942,6 +954,18 @@ int wolfSSL_GetEchConfigs(WOLFSSL* ssl, byte* output, word32* outputLen)
return GetEchConfigsEx(ssl->echConfigs, output, outputLen);
}
void wolfSSL_SetEchEnable(WOLFSSL* ssl, byte enable)
{
if (ssl != NULL) {
ssl->options.disableECH = !enable;
if (ssl->options.disableECH) {
TLSX_Remove(&ssl->extensions, TLSX_ECH, ssl->heap);
FreeEchConfigs(ssl->echConfigs, ssl->heap);
ssl->echConfigs = NULL;
}
}
}
/* get the raw ech configs from our linked list of ech config structs */
int GetEchConfigsEx(WOLFSSL_EchConfig* configs, byte* output, word32* outputLen)
{
@@ -2881,8 +2905,9 @@ static int wolfSSL_read_internal(WOLFSSL* ssl, void* data, int sz, int peek)
/* make sure bidirectional TLS shutdown completes */
if (ssl->error == WOLFSSL_ERROR_SYSCALL || ssl->options.shutdownDone) {
/* ask the underlying transport the connection is closed */
if (ssl->CBIORecv(ssl, (char*)data, 0, ssl->IOCB_ReadCtx) ==
WOLFSSL_CBIO_ERR_CONN_CLOSE) {
if (ssl->CBIORecv(ssl, (char*)data, 0, ssl->IOCB_ReadCtx)
== WC_NO_ERR_TRACE(WOLFSSL_CBIO_ERR_CONN_CLOSE))
{
ssl->options.isClosed = 1;
ssl->error = WOLFSSL_ERROR_ZERO_RETURN;
}
@@ -3400,7 +3425,7 @@ int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list,
char *list, *ptr, **token;
word16 len;
int idx = 0;
int ret = WOLFSSL_FAILURE;
int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
WOLFSSL_ENTER("wolfSSL_UseALPN");
@@ -5102,6 +5127,42 @@ Signer* GetCA(void* vp, byte* hash)
return ret;
}
#if defined(HAVE_OCSP)
Signer* GetCAByKeyHash(void* vp, const byte* keyHash)
{
WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp;
Signer* ret = NULL;
Signer* signers;
int row;
if (cm == NULL || keyHash == NULL)
return NULL;
/* try lookup using keyHash as subjKeyID first */
ret = GetCA(vp, (byte*)keyHash);
if (ret != NULL && XMEMCMP(ret->subjectKeyHash, keyHash, KEYID_SIZE) == 0) {
return ret;
}
/* if we can't find the cert, we have to scan the full table */
if (wc_LockMutex(&cm->caLock) != 0)
return NULL;
/* Unfortunately we need to look through the entire table */
for (row = 0; row < CA_TABLE_SIZE && ret == NULL; row++) {
for (signers = cm->caTable[row]; signers != NULL;
signers = signers->next) {
if (XMEMCMP(signers->subjectKeyHash, keyHash, KEYID_SIZE) == 0) {
ret = signers;
break;
}
}
}
wc_UnLockMutex(&cm->caLock);
return ret;
}
#endif
#ifdef WOLFSSL_AKID_NAME
Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz,
const byte* serial, word32 serialSz)
@@ -6209,7 +6270,7 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, DerBuffer* altKey,
#endif
word32 size;
byte* buff;
int ret = WOLFSSL_FAILURE;
int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
WOLFSSL_ENTER("check_cert_key");
@@ -8480,10 +8541,6 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
}
/* list contains ciphers either only for TLS 1.3 or <= TLS 1.2 */
if (suites->suiteSz == 0) {
WOLFSSL_MSG("Warning suites->suiteSz = 0 set to WOLFSSL_MAX_SUITE_SZ");
suites->suiteSz = WOLFSSL_MAX_SUITE_SZ;
}
#ifdef WOLFSSL_SMALL_STACK
if (suites->suiteSz > 0) {
suitesCpy = (byte*)XMALLOC(suites->suiteSz, NULL,
@@ -8510,6 +8567,12 @@ static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
return WOLFSSL_FAILURE;
}
/* The idea in this section is that OpenSSL has two API to set ciphersuites.
* - SSL_CTX_set_cipher_list for setting TLS <= 1.2 suites
* - SSL_CTX_set_ciphersuites for setting TLS 1.3 suites
* Since we direct both API here we attempt to provide API compatibility. If
* we only get suites from <= 1.2 or == 1.3 then we will only update those
* suites and keep the suites from the other group. */
for (i = 0; i < suitesCpySz &&
suites->suiteSz <= (WOLFSSL_MAX_SUITE_SZ - SUITE_LEN); i += 2) {
/* Check for duplicates */
@@ -10466,7 +10529,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
static int wolfSSL_ex_wrapper(WOLFSSL* ssl, HandShakeCallBack hsCb,
TimeoutCallBack toCb, WOLFSSL_TIMEVAL timeout)
{
int ret = WOLFSSL_FATAL_ERROR;
int ret = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR);
int oldTimerOn = 0; /* was timer already on */
WOLFSSL_TIMEVAL startTime;
WOLFSSL_TIMEVAL endTime;
@@ -12190,8 +12253,9 @@ int wolfSSL_get_peer_tmp_key(const WOLFSSL* ssl, WOLFSSL_EVP_PKEY** pkey)
int sz;
PRIVATE_KEY_UNLOCK();
if (wc_ecc_export_x963(ssl->peerEccKey, NULL, &derSz) !=
LENGTH_ONLY_E) {
if (wc_ecc_export_x963(ssl->peerEccKey, NULL, &derSz)
!= WC_NO_ERR_TRACE(LENGTH_ONLY_E))
{
WOLFSSL_MSG("get ecc der size failed");
PRIVATE_KEY_LOCK();
return WOLFSSL_FAILURE;
@@ -14375,9 +14439,6 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl)
return "P384_KYBER_LEVEL3";
case WOLFSSL_P521_KYBER_LEVEL5:
return "P521_KYBER_LEVEL5";
#elif defined(HAVE_PQM4)
case WOLFSSL_KYBER_LEVEL1:
return "KYBER_LEVEL1";
#elif defined(WOLFSSL_WC_KYBER)
#ifdef WOLFSSL_KYBER512
case WOLFSSL_KYBER_LEVEL1:
@@ -15481,7 +15542,7 @@ int wolfSSL_ERR_GET_REASON(unsigned long err)
/* Nginx looks for this error to know to stop parsing certificates.
* Same for HAProxy. */
if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE) ||
((err & 0xFFFFFFL) == -ASN_NO_PEM_HEADER) ||
((err & 0xFFFFFFL) == -WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)) ||
((err & 0xFFFL) == PEM_R_NO_START_LINE ))
return PEM_R_NO_START_LINE;
if (err == ((ERR_LIB_SSL << 24) | -SSL_R_HTTP_REQUEST))

27
src/ssl_asn1.c
View File

@@ -3986,7 +3986,7 @@ unsigned char* wolfSSL_ASN1_TIME_get_data(const WOLFSSL_ASN1_TIME *t)
*/
int wolfSSL_ASN1_TIME_check(const WOLFSSL_ASN1_TIME* a)
{
int ret = 1;
int ret = WOLFSSL_SUCCESS;
char buf[MAX_TIME_STRING_SZ];
WOLFSSL_ENTER("wolfSSL_ASN1_TIME_check");
@@ -3994,7 +3994,7 @@ int wolfSSL_ASN1_TIME_check(const WOLFSSL_ASN1_TIME* a)
/* If can convert to human readable then format good. */
if (wolfSSL_ASN1_TIME_to_string((WOLFSSL_ASN1_TIME*)a, buf,
MAX_TIME_STRING_SZ) == NULL) {
ret = 0;
ret = WOLFSSL_FAILURE;
}
return ret;
@@ -4012,7 +4012,7 @@ int wolfSSL_ASN1_TIME_check(const WOLFSSL_ASN1_TIME* a)
*/
int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *t, const char *str)
{
int ret = 1;
int ret = WOLFSSL_SUCCESS;
int slen = 0;
WOLFSSL_ENTER("wolfSSL_ASN1_TIME_set_string");
@@ -4021,15 +4021,15 @@ int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *t, const char *str)
WOLFSSL_MSG("Bad parameter");
ret = 0;
}
if (ret == 1) {
if (ret == WOLFSSL_SUCCESS) {
/* Get length of string including NUL terminator. */
slen = (int)XSTRLEN(str) + 1;
if (slen > CTC_DATE_SIZE) {
WOLFSSL_MSG("Date string too long");
ret = 0;
ret = WOLFSSL_FAILURE;
}
}
if ((ret == 1) && (t != NULL)) {
if ((ret == WOLFSSL_SUCCESS) && (t != NULL)) {
/* Copy in string including NUL terminator. */
XMEMCPY(t->data, str, (size_t)slen);
/* Do not include NUL terminator in length. */
@@ -4042,6 +4042,21 @@ int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *t, const char *str)
return ret;
}
int wolfSSL_ASN1_TIME_set_string_X509(WOLFSSL_ASN1_TIME *t, const char *str)
{
int ret = WOLFSSL_SUCCESS;
WOLFSSL_ENTER("wolfSSL_ASN1_TIME_set_string_X509");
if (t == NULL)
ret = WOLFSSL_FAILURE;
if (ret == WOLFSSL_SUCCESS)
ret = wolfSSL_ASN1_TIME_set_string(t, str);
if (ret == WOLFSSL_SUCCESS)
ret = wolfSSL_ASN1_TIME_check(t);
return ret;
}
/* Convert ASN.1 TIME object to ASN.1 GENERALIZED TIME object.
*
* @param [in] t ASN.1 TIME object.

7
src/ssl_bn.c
View File

@@ -492,7 +492,7 @@ WOLFSSL_BIGNUM* wolfSSL_BN_bin2bn(const unsigned char* data, int len,
WOLFSSL_ENTER("wolfSSL_BN_bin2bn");
/* Validate parameters. */
if ((data == NULL) || (len < 0)) {
if (len < 0) {
ret = NULL;
}
/* Allocate a new big number when ret is NULL. */
@@ -507,7 +507,7 @@ WOLFSSL_BIGNUM* wolfSSL_BN_bin2bn(const unsigned char* data, int len,
if (ret->internal == NULL) {
ret = NULL;
}
else {
else if (data != NULL) {
/* Decode into big number. */
if (mp_read_unsigned_bin((mp_int*)ret->internal, data, (word32)len)
!= 0) {
@@ -520,6 +520,9 @@ WOLFSSL_BIGNUM* wolfSSL_BN_bin2bn(const unsigned char* data, int len,
bn = NULL;
}
}
else if (data == NULL) {
wolfSSL_BN_zero(ret);
}
}
/* Dispose of allocated BN not being returned. */

10
src/ssl_misc.c
View File

@@ -165,7 +165,15 @@ static int wolfssl_read_bio(WOLFSSL_BIO* bio, char** data, int* dataSz,
if (bio->type == WOLFSSL_BIO_MEMORY) {
ret = wolfSSL_BIO_get_mem_data(bio, data);
if (ret > 0) {
bio->rdIdx += ret;
/* Advance the write index in the memory bio */
WOLFSSL_BIO* mem_bio = bio;
for (; mem_bio != NULL; mem_bio = mem_bio->next) {
if (mem_bio->type == WOLFSSL_BIO_MEMORY)
break;
}
if (mem_bio == NULL)
mem_bio = bio; /* Default to input */
mem_bio->rdIdx += ret;
}
*memAlloced = 0;
}

39
src/tls.c
View File

@@ -52,7 +52,7 @@
#include <wolfssl/wolfcrypt/kyber.h>
#ifdef WOLFSSL_WC_KYBER
#include <wolfssl/wolfcrypt/wc_kyber.h>
#elif defined(HAVE_LIBOQS) || defined(HAVE_PQM4)
#elif defined(HAVE_LIBOQS)
#include <wolfssl/wolfcrypt/ext_kyber.h>
#endif
#endif
@@ -1830,7 +1830,7 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, const byte *input, word16 length,
byte isRequest)
{
word16 size = 0, offset = 0, wlen;
int r = BUFFER_ERROR;
int r = WC_NO_ERR_TRACE(BUFFER_ERROR);
const byte *s;
if (OPAQUE16_LEN > length)
@@ -9458,9 +9458,6 @@ static int TLSX_KeyShare_IsSupported(int namedGroup)
}
break;
}
#elif defined(HAVE_PQM4)
case WOLFSSL_KYBER_LEVEL1:
break;
#endif
#endif
default:
@@ -9529,8 +9526,6 @@ static const word16 preferredGroup[] = {
WOLFSSL_P256_KYBER_LEVEL1,
WOLFSSL_P384_KYBER_LEVEL3,
WOLFSSL_P521_KYBER_LEVEL5,
#elif defined(HAVE_PQM4)
WOLFSSL_KYBER_LEVEL1,
#endif
WOLFSSL_NAMED_GROUP_INVALID
};
@@ -12083,6 +12078,11 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
if (size == 0)
return BAD_FUNC_ARG;
if (ssl->options.disableECH) {
WOLFSSL_MSG("TLSX_ECH_Parse: ECH disabled. Ignoring.");
return 0;
}
if (msgType == encrypted_extensions) {
ret = wolfSSL_SetEchConfigs(ssl, readBuf, size);
@@ -13166,8 +13166,6 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
if (ret == WOLFSSL_SUCCESS)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_KYBER_LEVEL5,
ssl->heap);
#elif defined(HAVE_PQM4)
ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL1, ssl->heap);
#endif /* HAVE_LIBOQS */
#endif /* WOLFSSL_HAVE_KYBER */
@@ -13588,18 +13586,21 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
#endif
#if defined(HAVE_ECH)
/* GREASE ECH */
if (ssl->echConfigs == NULL) {
ret = GREASE_ECH_USE(&(ssl->extensions), ssl->heap, ssl->rng);
}
else if (ssl->echConfigs != NULL) {
ret = ECH_USE(ssl->echConfigs, &(ssl->extensions), ssl->heap,
ssl->rng);
if (!ssl->options.disableECH) {
if (ssl->echConfigs == NULL) {
ret = GREASE_ECH_USE(&(ssl->extensions), ssl->heap,
ssl->rng);
}
else if (ssl->echConfigs != NULL) {
ret = ECH_USE(ssl->echConfigs, &(ssl->extensions),
ssl->heap, ssl->rng);
}
}
#endif
}
#if defined(HAVE_ECH)
else if (IsAtLeastTLSv1_3(ssl->version)) {
if (ssl->ctx->echConfigs != NULL) {
if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) {
ret = SERVER_ECH_USE(&(ssl->extensions), ssl->heap,
ssl->ctx->echConfigs);
@@ -13789,7 +13790,8 @@ int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word32* pLength)
}
#endif
#if defined(HAVE_ECH)
if (ssl->options.useEch == 1 && msgType == client_hello) {
if (ssl->options.useEch == 1 && !ssl->options.disableECH
&& msgType == client_hello) {
ret = TLSX_GetSizeWithEch(ssl, semaphore, msgType, &length);
if (ret != 0)
return ret;
@@ -14034,7 +14036,8 @@ int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word32* pOffset)
#endif
#endif
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
if (ssl->options.useEch == 1 && msgType == client_hello) {
if (ssl->options.useEch == 1 && !ssl->options.disableECH
&& msgType == client_hello) {
ret = TLSX_WriteWithEch(ssl, output, semaphore,
msgType, &offset);
if (ret != 0)

16
src/tls13.c
View File

@@ -4415,7 +4415,7 @@ int SendTls13ClientHello(WOLFSSL* ssl)
/* find length of outer and inner */
#if defined(HAVE_ECH)
if (ssl->options.useEch == 1) {
if (ssl->options.useEch == 1 && !ssl->options.disableECH) {
TLSX* echX = TLSX_Find(ssl->extensions, TLSX_ECH);
if (echX == NULL)
return -1;
@@ -4566,7 +4566,7 @@ int SendTls13ClientHello(WOLFSSL* ssl)
#if defined(HAVE_ECH)
/* write inner then outer */
if (ssl->options.useEch == 1) {
if (ssl->options.useEch == 1 && !ssl->options.disableECH) {
/* set the type to inner */
args->ech->type = ECH_TYPE_INNER;
@@ -4626,7 +4626,7 @@ int SendTls13ClientHello(WOLFSSL* ssl)
#if defined(HAVE_ECH)
/* encrypt and pack the ech innerClientHello */
if (ssl->options.useEch == 1) {
if (ssl->options.useEch == 1 && !ssl->options.disableECH) {
ret = TLSX_FinalizeEch(args->ech,
args->output + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ,
(word32)(args->sendSz - (RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ)));
@@ -4656,11 +4656,9 @@ int SendTls13ClientHello(WOLFSSL* ssl)
{
#if defined(HAVE_ECH)
/* compute the inner hash */
if (ssl->options.useEch == 1) {
if (ssl->options.useEch == 1 && !ssl->options.disableECH)
ret = EchHashHelloInner(ssl, args->ech);
}
#endif
/* compute the outer hash */
if (ret == 0)
ret = HashOutput(ssl, args->output, (int)args->idx, 0);
@@ -5475,7 +5473,7 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#if defined(HAVE_ECH)
/* check for acceptConfirmation and HashInput with 8 0 bytes */
if (ssl->options.useEch == 1) {
if (ssl->options.useEch == 1 && !ssl->options.disableECH) {
ret = EchCheckAcceptance(ssl, input, args->serverRandomOffset, (int)helloSz);
if (ret != 0)
return ret;
@@ -6935,7 +6933,7 @@ int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
goto exit_dch;
#if defined(HAVE_ECH)
if (ssl->ctx->echConfigs != NULL) {
if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) {
/* save the start of the buffer so we can use it when parsing ech */
echX = TLSX_Find(ssl->extensions, TLSX_ECH);
@@ -7407,7 +7405,7 @@ int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
#endif /* WOLFSSL_DTLS13 */
{
#if defined(HAVE_ECH)
if (ssl->ctx->echConfigs != NULL) {
if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) {
echX = TLSX_Find(ssl->extensions, TLSX_ECH);
if (echX == NULL)

87
src/x509.c
View File

@@ -367,38 +367,6 @@ int wolfSSL_sk_X509_EXTENSION_push(WOLFSSL_STACK* sk,WOLFSSL_X509_EXTENSION* ext
return wolfSSL_sk_push(sk, ext);
}
/* Free the structure for X509_EXTENSION stack
*
* sk stack to free nodes in
*/
void wolfSSL_sk_X509_EXTENSION_free(WOLFSSL_STACK* sk)
{
WOLFSSL_STACK* node;
WOLFSSL_ENTER("wolfSSL_sk_X509_EXTENSION_free");
if (sk == NULL) {
return;
}
/* parse through stack freeing each node */
node = sk->next;
while ((node != NULL) && (sk->num > 1)) {
WOLFSSL_STACK* tmp = node;
node = node->next;
wolfSSL_X509_EXTENSION_free(tmp->data.ext);
XFREE(tmp, NULL, DYNAMIC_TYPE_X509);
sk->num -= 1;
}
/* free head of stack */
if (sk->num == 1) {
wolfSSL_X509_EXTENSION_free(sk->data.ext);
}
XFREE(sk, NULL, DYNAMIC_TYPE_X509);
}
static WOLFSSL_STACK* generateExtStack(const WOLFSSL_X509 *x)
{
int numOfExt, i;
@@ -872,11 +840,37 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc)
switch (oid) {
case BASIC_CA_OID:
{
word32 dataIdx = idx;
word32 dummyOid;
int dataLen = 0;
if (!isSet)
break;
/* Set pathlength */
a = wolfSSL_ASN1_INTEGER_new();
if (a == NULL) {
/* Set the data */
ret = GetObjectId(input, &dataIdx, &dummyOid, oidCertExtType,
(word32)sz) == 0;
if (ret && dataIdx < (word32)sz) {
/* Skip the critical information */
if (input[dataIdx] == ASN_BOOLEAN) {
dataIdx++;
ret = GetLength(input, &dataIdx, &dataLen, sz) >= 0;
dataIdx += dataLen;
}
}
if (ret) {
ret = GetOctetString(input, &dataIdx, &dataLen,
(word32)sz) > 0;
}
if (ret) {
ret = wolfSSL_ASN1_STRING_set(&ext->value, input + dataIdx,
dataLen) == 1;
}
if (a == NULL || !ret) {
wolfSSL_X509_EXTENSION_free(ext);
FreeDecodedCert(cert);
#ifdef WOLFSSL_SMALL_STACK
@@ -892,7 +886,7 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc)
ext->obj->ca = x509->isCa;
ext->crit = x509->basicConstCrit;
break;
}
case AUTH_INFO_OID:
if (!isSet)
break;
@@ -3654,6 +3648,24 @@ WOLFSSL_X509* wolfSSL_X509_REQ_d2i(WOLFSSL_X509** x509,
{
return d2i_X509orX509REQ(x509, in, len, 1, NULL);
}
WOLFSSL_X509* wolfSSL_d2i_X509_REQ_INFO(WOLFSSL_X509** req,
const unsigned char** in, int len)
{
WOLFSSL_X509* ret = NULL;
WOLFSSL_ENTER("wolfSSL_d2i_X509_REQ_INFO");
if (in == NULL) {
WOLFSSL_MSG("NULL input for wolfSSL_d2i_X509");
return NULL;
}
ret = wolfSSL_X509_REQ_d2i(req, *in, len);
if (ret != NULL) {
*in += ret->derCert->length;
}
return ret;
}
#endif
#endif /* KEEP_PEER_CERT || SESSION_CERTS || OPENSSL_EXTRA ||
@@ -5042,6 +5054,11 @@ void wolfSSL_sk_X509_EXTENSION_pop_free(
wolfSSL_sk_pop_free(sk, (wolfSSL_sk_freefunc)f);
}
void wolfSSL_sk_X509_EXTENSION_free(WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk)
{
wolfSSL_sk_pop_free(sk, NULL);
}
#endif /* OPENSSL_EXTRA */
#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)
@@ -7073,7 +7090,7 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
{
#if !defined(NO_FILESYSTEM) && \
(defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM))
int ret = WOLFSSL_FAILURE;
int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
XFILE fp;
long sz;
byte* pem = NULL;