diff --git a/src/crl.c b/src/crl.c index 51316d5bc..54a5253f7 100644 --- a/src/crl.c +++ b/src/crl.c @@ -1176,7 +1176,7 @@ static int StartMonitorCRL(WOLFSSL_CRL* crl) #else /* HAVE_CRL_MONITOR */ -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) static int StartMonitorCRL(WOLFSSL_CRL* crl) { @@ -1188,7 +1188,7 @@ static int StartMonitorCRL(WOLFSSL_CRL* crl) return NOT_COMPILED_IN; } -#endif /* NO_FILESYSTEM */ +#endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */ #endif /* HAVE_CRL_MONITOR */ diff --git a/src/internal.c b/src/internal.c index 3aaeb836f..36eed125f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -9397,7 +9397,6 @@ int CheckAltNames(DecodedCert* dCert, char* domain) return match; } -#ifdef OPENSSL_EXTRA /* Check that alternative names, if they exists, match the domain. * Fail if there are wild patterns and they didn't match. * Check the common name if no alternative names matched. @@ -9405,9 +9404,11 @@ int CheckAltNames(DecodedCert* dCert, char* domain) * dCert Decoded cert to get the alternative names from. * domain Domain name to compare against. * checkCN Whether to check the common name. - * returns whether there was a problem in matching. + * returns 1 : match was found. + * 0 : no match found. + * -1 : No matches and wild pattern match failed. */ -static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN) +static int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) { int match; DNS_entry* altName = NULL; @@ -9425,20 +9426,23 @@ static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN) if (MatchDomainName(altName->name, altName->len, domain)) { match = 1; *checkCN = 0; + WOLFSSL_MSG("\tmatch found"); break; } /* No matches and wild pattern match failed. */ else if (altName->name && altName->len >=1 && altName->name[0] == '*' && match == 0) { match = -1; + WOLFSSL_MSG("\twildcard match failed"); } altName = altName->next; } - return match != -1; + return match; } + /* Check the domain name matches the subject alternative name or the subject * name. * @@ -9447,14 +9451,14 @@ static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN) * domainNameLen The length of the domain name. * returns DOMAIN_NAME_MISMATCH when no match found and 0 on success. */ -int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen) +int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen) { int checkCN; /* Assume name is NUL terminated. */ (void)domainNameLen; - if (CheckForAltNames(dCert, domainName, &checkCN) == 0) { + if (CheckForAltNames(dCert, domainName, &checkCN) != 1) { WOLFSSL_MSG("DomainName match on alt names failed too"); return DOMAIN_NAME_MISMATCH; } @@ -9469,13 +9473,13 @@ int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen) return 0; } -int CheckIPAddr(DecodedCert* dCert, char* ipasc) +int CheckIPAddr(DecodedCert* dCert, const char* ipasc) { WOLFSSL_MSG("Checking IPAddr"); return CheckHostName(dCert, ipasc, (size_t)XSTRLEN(ipasc)); } -#endif + #ifdef SESSION_CERTS static void AddSessionCertToChain(WOLFSSL_X509_CHAIN* chain, diff --git a/src/ssl.c b/src/ssl.c index 959f0547d..66fba61a5 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -14657,8 +14657,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - static long wolf_set_options(long old_op, long op); long wolfSSL_CTX_set_options(WOLFSSL_CTX* ctx, long opt) { @@ -14672,8 +14670,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ctx->mask; } -#endif - #ifdef OPENSSL_EXTRA long wolfSSL_CTX_clear_options(WOLFSSL_CTX* ctx, long opt) @@ -24731,7 +24727,6 @@ int wolfSSL_PEM_def_callback(char* name, int num, int w, void* key) #endif /* OPENSSL_EXTRA */ -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL) static long wolf_set_options(long old_op, long op) { /* if SSL_OP_ALL then turn all bug workarounds on */ @@ -24754,19 +24749,19 @@ static long wolf_set_options(long old_op, long op) } #endif - if ((op & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { + if ((op & WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2) { WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_2"); } - if ((op & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { + if ((op & WOLFSSL_OP_NO_TLSv1_1) == WOLFSSL_OP_NO_TLSv1_1) { WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_1"); } - if ((op & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { + if ((op & WOLFSSL_OP_NO_TLSv1) == WOLFSSL_OP_NO_TLSv1) { WOLFSSL_MSG("\tSSL_OP_NO_TLSv1"); } - if ((op & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { + if ((op & WOLFSSL_OP_NO_SSLv3) == WOLFSSL_OP_NO_SSLv3) { WOLFSSL_MSG("\tSSL_OP_NO_SSLv3"); } @@ -24784,7 +24779,6 @@ static long wolf_set_options(long old_op, long op) return old_op | op; } -#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER || WOLFSSL_WPAS_SMALL */ #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) long wolfSSL_set_options(WOLFSSL* ssl, long op) @@ -42915,6 +42909,80 @@ int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data) } #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ + +#ifndef NO_ASN +int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen, + unsigned int flags, char **peername) +{ + int ret; + DecodedCert dCert; + + WOLFSSL_ENTER("wolfSSL_X509_check_host"); + + /* flags and peername not needed for Nginx. */ + (void)flags; + (void)peername; + + if (flags == WOLFSSL_NO_WILDCARDS) { + WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented"); + return WOLFSSL_FAILURE; + } + + InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL); + ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL); + if (ret != 0) { + FreeDecodedCert(&dCert); + return WOLFSSL_FAILURE; + } + + ret = CheckHostName(&dCert, (char *)chk, chklen); + FreeDecodedCert(&dCert); + if (ret != 0) + return WOLFSSL_FAILURE; + return WOLFSSL_SUCCESS; +} + + +int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc, + unsigned int flags) +{ + int ret = WOLFSSL_FAILURE; + DecodedCert dCert; + + WOLFSSL_ENTER("wolfSSL_X509_check_ip_asc"); + + /* flags not yet implemented */ + (void)flags; + + if ((x == NULL) || (x->derCert == NULL) || (ipasc == NULL)) { + WOLFSSL_MSG("Invalid parameter"); + } + else { + ret = WOLFSSL_SUCCESS; + } + + if (ret == WOLFSSL_SUCCESS) { + InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL); + ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL); + if (ret != 0) { + ret = WOLFSSL_FAILURE; + } + else { + ret = CheckIPAddr(&dCert, ipasc); + if (ret != 0) { + ret = WOLFSSL_FAILURE; + } + else { + ret = WOLFSSL_SUCCESS; + } + } + FreeDecodedCert(&dCert); + } + + return ret; +} +#endif + #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) @@ -43095,37 +43163,6 @@ WOLFSSL_SESSION *wolfSSL_SSL_get0_session(const WOLFSSL *ssl) #endif /* NO_SESSION_CACHE */ -int wolfSSL_X509_check_host(X509 *x, const char *chk, size_t chklen, - unsigned int flags, char **peername) -{ - int ret; - DecodedCert dCert; - - WOLFSSL_ENTER("wolfSSL_X509_check_host"); - - /* flags and peername not needed for Nginx. */ - (void)flags; - (void)peername; - - if (flags == WOLFSSL_NO_WILDCARDS) { - WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented"); - return WOLFSSL_FAILURE; - } - - InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL); - ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL); - if (ret != 0) { - FreeDecodedCert(&dCert); - return WOLFSSL_FAILURE; - } - - ret = CheckHostName(&dCert, (char *)chk, chklen); - FreeDecodedCert(&dCert); - if (ret != 0) - return WOLFSSL_FAILURE; - return WOLFSSL_SUCCESS; -} - int wolfSSL_i2a_ASN1_INTEGER(BIO *bp, const WOLFSSL_ASN1_INTEGER *a) { static char num[16] = { '0', '1', '2', '3', '4', '5', '6', '7', diff --git a/tests/api.c b/tests/api.c index f35f58041..0a8c7f9d5 100644 --- a/tests/api.c +++ b/tests/api.c @@ -4290,8 +4290,8 @@ static void test_wolfSSL_UseMaxFragment(void) #if defined(HAVE_MAX_FRAGMENT) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) #ifndef NO_WOLFSSL_SERVER WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); - AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); + AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); #else WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); #endif @@ -4332,8 +4332,8 @@ static void test_wolfSSL_UseTruncatedHMAC(void) #if defined(HAVE_TRUNCATED_HMAC) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) #ifndef NO_WOLFSSL_SERVER WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()); - AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); + AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); #else WOLFSSL_CTX* ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()); #endif @@ -10767,7 +10767,7 @@ static int test_wc_InitCmac (void) if (ret == BAD_FUNC_ARG) { ret = 0; } else { - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } } @@ -10828,7 +10828,7 @@ static int test_wc_CmacUpdate (void) if (ret == BAD_FUNC_ARG) { ret = 0; } else if (ret == 0) { - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } } @@ -10891,7 +10891,7 @@ static int test_wc_CmacFinal (void) if (ret == 0) { ret = wc_CmacFinal(&cmac, mac, &macSz); if (ret == 0 && XMEMCMP(mac, expMac, expMacSz) != 0) { - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } /* Pass in bad args. */ if (ret == 0) { @@ -10905,7 +10905,7 @@ static int test_wc_CmacFinal (void) ret = 0; } } else if (ret == 0) { - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } } } @@ -10957,7 +10957,7 @@ static int test_wc_AesCmacGenerate (void) ret = wc_AesCmacGenerate(mac, &macSz, msg, msgSz, key, keySz); if (ret == 0 && XMEMCMP(mac, expMac, expMacSz) != 0) { - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } /* Pass in bad args. */ if (ret == 0) { @@ -10974,7 +10974,7 @@ static int test_wc_AesCmacGenerate (void) if (ret == BAD_FUNC_ARG) { ret = 0; } else if (ret == 0) { - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } } printf(resultFmt, ret == 0 ? passed : failed); @@ -11001,7 +11001,7 @@ static int test_wc_AesCmacGenerate (void) if (ret == BAD_FUNC_ARG) { ret = 0; } else if (ret == 0) { - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } } @@ -29524,6 +29524,25 @@ static void test_wolfSSL_X509_check_ca(void){ #endif } +static void test_wolfSSL_X509_check_ip_asc(void){ +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) + WOLFSSL_X509 *x509; + + printf(testingFmt, "wolfSSL_X509_check_ip_asc()"); + + x509 = wolfSSL_X509_load_certificate_file(cliCertFile, WOLFSSL_FILETYPE_PEM); +#if 0 + /* TODO: add cert gen for testing positive case */ + AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.0.0.1", 0), 1); +#endif + AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, "0.0.0.0", 0), 0); + AssertIntEQ(wolfSSL_X509_check_ip_asc(x509, NULL, 0), 0); + wolfSSL_X509_free(x509); + + printf(resultFmt, passed); +#endif +} + static void test_wolfSSL_DC_cert(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \ @@ -34943,6 +34962,7 @@ void ApiTest(void) test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS(); test_wolfSSL_i2c_ASN1_INTEGER(); test_wolfSSL_X509_check_ca(); + test_wolfSSL_X509_check_ip_asc(); test_wolfSSL_DC_cert(); test_wolfSSL_DES_ncbc(); test_wolfSSL_AES_cbc_encrypt(); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 1f88df1f5..a7ad54fc0 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1689,9 +1689,7 @@ WOLFSSL_LOCAL int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_LOCAL int MatchDomainName(const char* pattern, int len, const char* str); #ifndef NO_CERTS WOLFSSL_LOCAL int CheckAltNames(DecodedCert* dCert, char* domain); -#ifdef OPENSSL_EXTRA -WOLFSSL_LOCAL int CheckIPAddr(DecodedCert* dCert, char* ipasc); -#endif +WOLFSSL_LOCAL int CheckIPAddr(DecodedCert* dCert, const char* ipasc); #endif WOLFSSL_LOCAL int CreateTicket(WOLFSSL* ssl); WOLFSSL_LOCAL int HashOutputRaw(WOLFSSL* ssl, const byte* output, int sz); @@ -2705,9 +2703,7 @@ struct WOLFSSL_CTX { #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) short minEccKeySz; /* minimum ECC key size */ #endif -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL) unsigned long mask; /* store SSL_OP_ flags */ -#endif #ifdef OPENSSL_EXTRA byte sessionCtx[ID_LEN]; /* app session context ID */ word32 disabledCurves; /* curves disabled by user */ @@ -4243,10 +4239,8 @@ WOLFSSL_API void SSL_ResourceFree(WOLFSSL*); /* Micrium uses */ int type, WOLFSSL* ssl, int userChain, WOLFSSL_CRL* crl, int verify); - #ifdef OPENSSL_EXTRA - WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, char *domainName, + WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen); - #endif #endif diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 5f0e3c12c..289cb3d98 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -411,6 +411,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define X509_check_private_key wolfSSL_X509_check_private_key #define X509_check_ca wolfSSL_X509_check_ca #define X509_check_host wolfSSL_X509_check_host +#define X509_check_ip_asc wolfSSL_X509_check_ip_asc #define X509_email_free wolfSSL_X509_email_free #define X509_check_issued wolfSSL_X509_check_issued #define X509_dup wolfSSL_X509_dup diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 8b8e7e394..8714786cb 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -521,10 +521,10 @@ struct WOLFSSL_X509_STORE { #endif }; +#define WOLFSSL_NO_WILDCARDS 0x4 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) #define WOLFSSL_USE_CHECK_TIME 0x2 #define WOLFSSL_NO_CHECK_TIME 0x200000 -#define WOLFSSL_NO_WILDCARDS 0x4 #define WOLFSSL_HOST_NAME_MAX 256 #define WOLFSSL_MAX_IPSTR 46 /* max ip size IPv4 mapped IPv6 */ struct WOLFSSL_X509_VERIFY_PARAM { @@ -1603,8 +1603,6 @@ enum { WOLFSSL_CRL_CHECK = 2, }; -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(HAVE_WEBSERVER) /* Separated out from other enums because of size */ enum { SSL_OP_MICROSOFT_SESS_ID_BUG = 0x00000001, @@ -1651,6 +1649,8 @@ enum { | SSL_OP_TLS_ROLLBACK_BUG), }; +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(HAVE_WEBSERVER) /* for compatibility these must be macros */ #define SSL_OP_NO_SSLv2 WOLFSSL_OP_NO_SSLv2 #define SSL_OP_NO_SSLv3 WOLFSSL_OP_NO_SSLv3 @@ -3763,8 +3763,6 @@ WOLFSSL_API int wolfSSL_SSL_in_connect_init(WOLFSSL*); #ifndef NO_SESSION_CACHE WOLFSSL_API WOLFSSL_SESSION *wolfSSL_SSL_get0_session(const WOLFSSL *s); #endif -WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, - size_t chklen, unsigned int flags, char **peername); WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp, const WOLFSSL_ASN1_INTEGER *a); @@ -3830,6 +3828,12 @@ WOLFSSL_API void wolfSSL_CTX_set_next_proto_select_cb(WOLFSSL_CTX *s, WOLFSSL_API void wolfSSL_get0_next_proto_negotiated(const WOLFSSL *s, const unsigned char **data, unsigned *len); +#ifndef NO_ASN +WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, + size_t chklen, unsigned int flags, char **peername); +WOLFSSL_API int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc, + unsigned int flags); +#endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)