wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-29 18:27:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3646 from julek-wolfssl/nginx-1.19.6

Browse Source 
Add support for Nginx 1.19.6
This commit is contained in:
toddouska
2021-02-24 12:21:51 -08:00
committed by GitHub
parent d8a053ac35 d074e7443f
commit 94a23c1d48
10 changed files with 434 additions and 217 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
configure.ac
View File

@ -2597,7 +2597,7 @@ AC_ARG_ENABLE([anon],
[ ENABLED_ANON=no ]
)
if test "x$ENABLED_WPAS" = "xyes"
if test "x$ENABLED_WPAS" = "xyes" || test "$ENABLED_NGINX" = "yes"
then
ENABLED_ANON=yes
fi

45
src/internal.c
View File

@ -1828,7 +1828,8 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
#endif
#ifdef HAVE_WOLF_EVENT
ret = wolfEventQueue_Init(&ctx->event_queue);
if (ret == 0)
ret = wolfEventQueue_Init(&ctx->event_queue);
#endif /* HAVE_WOLF_EVENT */
#ifdef WOLFSSL_EARLY_DATA
@ -2291,7 +2292,7 @@ void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig,
void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
word16 havePSK, word16 haveDH, word16 haveNTRU,
word16 haveECDSAsig, word16 haveECC,
word16 haveStaticECC, int side)
word16 haveStaticECC, word16 haveAnon, int side)
{
word16 idx = 0;
int tls = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
@ -2313,6 +2314,7 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
(void)side;
(void)haveRSA; /* some builds won't read */
(void)haveRSAsig; /* non ecc builds won't read */
(void)haveAnon; /* anon ciphers optional */
if (suites == NULL) {
WOLFSSL_MSG("InitSuites pointer error");
@ -2532,14 +2534,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
if (tls1_2 && haveDH) {
if (tls1_2 && haveDH && haveAnon) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
}
#endif
#ifdef BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384
if (tls1_2 && haveDH) {
if (tls1_2 && haveDH && haveAnon) {
suites->suites[idx++] = CIPHER_BYTE;
suites->suites[idx++] = TLS_DH_anon_WITH_AES_256_GCM_SHA384;
}
@ -3393,15 +3395,9 @@ void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag, void* heap)
(void)heap;
if (name != NULL) {
XMEMSET(name, 0, sizeof(WOLFSSL_X509_NAME));
name->name = name->staticName;
name->dynamicName = 0;
name->sz = 0;
name->heap = heap;
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
XMEMSET(name->entry, 0, sizeof(name->entry));
name->x509 = NULL;
name->entrySz = 0;
#endif /* OPENSSL_EXTRA */
}
}
@ -5209,13 +5205,15 @@ int InitSSL_Suites(WOLFSSL* ssl)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
else {
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
TRUE, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
@ -27529,7 +27527,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
/* suite size */
@ -27859,7 +27858,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
#ifdef OPENSSL_EXTRA
@ -27921,7 +27921,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
}
#endif
@ -31122,16 +31123,22 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
#ifdef HAVE_SNI
int SNI_Callback(WOLFSSL* ssl)
{
int ad = 0;
int sniRet = 0;
/* Stunnel supports a custom sni callback to switch an SSL's ctx
* when SNI is received. Call it now if exists */
if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) {
WOLFSSL_MSG("Calling custom sni callback");
if(ssl->ctx->sniRecvCb(ssl, NULL, ssl->ctx->sniRecvCbArg)
== alert_fatal) {
sniRet = ssl->ctx->sniRecvCb(ssl, &ad, ssl->ctx->sniRecvCbArg);
if (sniRet == alert_fatal) {
WOLFSSL_MSG("Error in custom sni callback. Fatal alert");
SendAlert(ssl, alert_fatal, unrecognized_name);
SendAlert(ssl, alert_fatal, ad);
return FATAL_ERROR;
}
else if (sniRet == alert_warning) {
WOLFSSL_MSG("Error in custom sni callback. Warning alert");
SendAlert(ssl, alert_warning, ad);
}
}
return 0;
}

20
src/ocsp.c
View File

@ -75,7 +75,7 @@ static void FreeOcspEntry(OcspEntry* entry, void* heap)
{
CertStatus *status, *next;
if (entry == NULL)
if (entry == NULL || !entry->ownStatus)
return;
WOLFSSL_ENTER("FreeOcspEntry");
@ -371,6 +371,7 @@ WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int resp
XMEMCPY(status, newSingle->status, sizeof(CertStatus));
status->next = entry->status;
entry->status = status;
entry->ownStatus = 1;
entry->totalStatus++;
}
}
@ -598,7 +599,9 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
(void)dgst;
cm = wolfSSL_CertManagerNew();
if (cm == NULL)
if (cm == NULL
|| subject == NULL || subject->derCert == NULL
|| issuer == NULL || issuer->derCert == NULL)
return NULL;
ret = AllocDer(&derCert, issuer->derCert->length,
@ -628,6 +631,7 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
XMEMSET(certStatus, 0, sizeof(CertStatus));
certId->status = certStatus;
certId->ownStatus = 1;
InitDecodedCert(&cert, subject->derCert->buffer,
subject->derCert->length, NULL);
@ -797,6 +801,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
XMEMSET(resp->single, 0, sizeof(OcspEntry));
resp->single->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_OCSP_STATUS);
resp->single->ownStatus = 1;
if (resp->single->status == NULL) {
XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(resp, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
@ -876,6 +881,7 @@ WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response)
else {
XMEMCPY(bs->single, response->single, sizeof(OcspEntry));
XMEMCPY(bs->source, response->source, response->maxIdx);
bs->single->ownStatus = 0;
}
return bs;
}
@ -912,11 +918,19 @@ int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request, unsigned char** data)
WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req,
WOLFSSL_OCSP_CERTID *cid)
{
if (req == NULL || cid == NULL)
if (req == NULL || cid == NULL || cid->status == NULL)
return NULL;
XMEMCPY(req->issuerHash, cid->issuerHash, KEYID_SIZE);
XMEMCPY(req->issuerKeyHash, cid->issuerKeyHash, KEYID_SIZE);
if (cid->status->serialSz > req->serialSz) {
if (req->serial != NULL)
XFREE(req->serial, req->heap, DYNAMIC_TYPE_OCSP);
req->serial = (byte*)XMALLOC(cid->status->serialSz,
req->heap, DYNAMIC_TYPE_OCSP_REQUEST);
if (req->serial == NULL)
return NULL;
}
XMEMCPY(req->serial, cid->status->serial, cid->status->serialSz);
req->serialSz = cid->status->serialSz;

312
src/ssl.c
View File

@ -1792,7 +1792,8 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0);
@ -4260,7 +4261,8 @@ int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
return WOLFSSL_SUCCESS;
}
@ -5939,7 +5941,8 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA,
havePSK, ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
return WOLFSSL_SUCCESS;
@ -10408,6 +10411,29 @@ int wolfSSL_X509_digest(const WOLFSSL_X509* x509, const WOLFSSL_EVP_MD* digest,
WOLFSSL_LEAVE("wolfSSL_X509_digest", ret);
return ret;
}
int wolfSSL_X509_pubkey_digest(const WOLFSSL_X509 *x509,
const WOLFSSL_EVP_MD *digest, unsigned char* buf, unsigned int* len)
{
int ret;
WOLFSSL_ENTER("wolfSSL_X509_pubkey_digest");
if (x509 == NULL || digest == NULL) {
WOLFSSL_MSG("Null argument found");
return WOLFSSL_FAILURE;
}
if (x509->pubKey.buffer == NULL || x509->pubKey.length == 0) {
WOLFSSL_MSG("No DER public key stored in X509");
return WOLFSSL_FAILURE;
}
ret = wolfSSL_EVP_Digest(x509->pubKey.buffer, x509->pubKey.length, buf,
len, digest, NULL);
WOLFSSL_LEAVE("wolfSSL_X509_pubkey_digest", ret);
return ret;
}
#endif
int wolfSSL_use_PrivateKey(WOLFSSL* ssl, WOLFSSL_EVP_PKEY* pkey)
@ -14467,7 +14493,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX* ctx,
@ -14501,7 +14528,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl)
@ -15689,6 +15717,15 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ctx->mask = wolf_set_options(ctx->mask, opt);
#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \
defined(OPENSSL_EXTRA)
if (ctx->mask & SSL_OP_NO_TICKET) {
ctx->ticketEncCb = NULL;
ctx->ticketEncCtx = NULL;
WOLFSSL_MSG("\tSSL_OP_NO_TICKET");
}
#endif
return ctx->mask;
}
@ -18248,39 +18285,68 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
#endif /* KEEP_PEER_CERT */
#if defined(SESSION_CERTS)
/* Return stack of peer certs.
* If Qt or OPENSSL_ALL is defined then return ssl->peerCertChain.
* All other cases return &ssl->session.chain
* ssl->peerCertChain is type WOLFSSL_STACK*
* ssl->session.chain is type WOLFSSL_X509_CHAIN
#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
/* Return stack of peer certs.
* Caller does not need to free return. The stack is Free'd when WOLFSSL* ssl is.
*/
WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL* ssl)
{
WOLFSSL_STACK* sk;
WOLFSSL_ENTER("wolfSSL_get_peer_cert_chain");
if (ssl == NULL)
return NULL;
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
if (ssl->peerCertChain == NULL)
wolfSSL_set_peer_cert_chain((WOLFSSL*) ssl);
sk = ssl->peerCertChain;
#else
sk = (WOLF_STACK_OF(WOLFSSL_X509)* )&ssl->session.chain;
#endif
if (sk == NULL) {
WOLFSSL_MSG("Error: Null Peer Cert Chain");
}
return sk;
if (ssl->peerCertChain == NULL)
wolfSSL_set_peer_cert_chain((WOLFSSL*) ssl);
return ssl->peerCertChain;
}
static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm,
WOLFSSL_X509 *x);
/**
* Recursively push the issuer CA chain onto the stack
* @param cm The cert manager that is queried for the issuer
* @param x This cert's issuer will be queried in cm
* @param sk The issuer is pushed onto this stack
* @return WOLFSSL_SUCCESS on success
* WOLFSSL_FAILURE on no issuer found
* WOLFSSL_FATAL_ERROR on a fatal error
*/
static int pushCAx509Chain(WOLFSSL_CERT_MANAGER* cm,
WOLFSSL_X509 *x, WOLFSSL_STACK* sk)
{
WOLFSSL_X509* issuer[MAX_CHAIN_DEPTH];
int i;
int push = 1;
int ret = WOLFSSL_SUCCESS;
for (i = 0; i < MAX_CHAIN_DEPTH; i++) {
if (x509GetIssuerFromCM(&issuer[i], cm, x)
!= WOLFSSL_SUCCESS)
break;
x = issuer[i];
}
if (i == 0) /* No further chain found */
return WOLFSSL_FAILURE;
i--;
for (; i >= 0; i--) {
if (push) {
if (wolfSSL_sk_X509_push(sk, issuer[i]) != WOLFSSL_SUCCESS) {
wolfSSL_X509_free(issuer[i]);
ret = WOLFSSL_FATAL_ERROR;
push = 0; /* Free the rest of the unpushed certs */
}
}
else {
wolfSSL_X509_free(issuer[i]);
}
}
return ret;
}
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
/* Builds up and creates a stack of peer certificates for ssl->peerCertChain
based off of the ssl session chain. Returns stack of WOLFSSL_X509 certs or
based off of the ssl session chain. Attempts to place CA certificates
at the bottom of the stack. Returns stack of WOLFSSL_X509 certs or
NULL on failure */
WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl)
{
@ -18296,10 +18362,6 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl)
sk = wolfSSL_sk_X509_new();
i = ssl->session.chain.count-1;
for (; i >= 0; i--) {
/* For servers, the peer certificate chain does not include the peer
certificate, so do not add it to the stack */
if (ssl->options.side == WOLFSSL_SERVER_END && i == 0)
continue;
x509 = wolfSSL_X509_new();
if (x509 == NULL) {
WOLFSSL_MSG("Error Creating X509");
@ -18307,6 +18369,14 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl)
}
ret = DecodeToX509(x509, ssl->session.chain.certs[i].buffer,
ssl->session.chain.certs[i].length);
if (ret == 0 && i == ssl->session.chain.count-1) {
/* On the last element in the chain try to add the CA chain
* first if we have one for this cert */
if (pushCAx509Chain(ssl->ctx->cm, x509, sk)
== WOLFSSL_FATAL_ERROR) {
ret = WOLFSSL_FATAL_ERROR;
}
}
if (ret != 0 || wolfSSL_sk_X509_push(sk, x509) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Error decoding cert");
@ -18323,8 +18393,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl)
ssl->peerCertChain = sk;
return sk;
}
#endif /* OPENSSL_ALL || WOLFSSL_QT */
#endif /* SESSION_CERTS */
#endif /* SESSION_CERTS && OPENSSL_EXTRA */
#ifndef NO_CERTS
#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
@ -27542,9 +27611,10 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END)
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
return ssl->options.mask;
}
@ -29754,6 +29824,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk)
switch (sk->type) {
case STACK_TYPE_X509:
if (!sk->data.x509)
break;
cur->data.x509 = wolfSSL_X509_dup(sk->data.x509);
if (!cur->data.x509) {
WOLFSSL_MSG("wolfSSL_X509_dup error");
@ -29764,6 +29836,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk)
wolfSSL_CIPHER_copy(&sk->data.cipher, &cur->data.cipher);
break;
case STACK_TYPE_GEN_NAME:
if (!sk->data.gn)
break;
cur->data.gn = wolfSSL_GENERAL_NAME_dup(sk->data.gn);
if (!cur->data.gn) {
WOLFSSL_MSG("wolfSSL_GENERAL_NAME_new error");
@ -29771,6 +29845,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk)
}
break;
case STACK_TYPE_OBJ:
if (!sk->data.obj)
break;
cur->data.obj = wolfSSL_ASN1_OBJECT_dup(sk->data.obj);
if (!cur->data.obj) {
WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_dup error");
@ -47579,10 +47655,6 @@ int wolfSSL_i2a_ASN1_INTEGER(BIO *bp, const WOLFSSL_ASN1_INTEGER *a)
#define TICKET_KEY_CB_RET_OK 1
#define TICKET_KEY_CB_RET_RENEW 2
/* The ticket key callback as used in OpenSSL is stored here. */
static int (*ticketKeyCb)(WOLFSSL *ssl, unsigned char *name, unsigned char *iv,
WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc) = NULL;
/* Implementation of session ticket encryption/decryption using OpenSSL
* callback to initialize the cipher and HMAC.
*
@ -47600,11 +47672,11 @@ static int (*ticketKeyCb)(WOLFSSL *ssl, unsigned char *name, unsigned char *iv,
* WOLFSSL_TICKET_RET_FATAL on error.
*/
static int wolfSSL_TicketKeyCb(WOLFSSL* ssl,
unsigned char keyName[WOLFSSL_TICKET_NAME_SZ],
unsigned char iv[WOLFSSL_TICKET_IV_SZ],
unsigned char mac[WOLFSSL_TICKET_MAC_SZ],
int enc, unsigned char* encTicket,
int encTicketLen, int* encLen, void* ctx)
unsigned char keyName[WOLFSSL_TICKET_NAME_SZ],
unsigned char iv[WOLFSSL_TICKET_IV_SZ],
unsigned char mac[WOLFSSL_TICKET_MAC_SZ],
int enc, unsigned char* encTicket,
int encTicketLen, int* encLen, void* ctx)
{
byte digest[WC_MAX_DIGEST_SIZE];
WOLFSSL_EVP_CIPHER_CTX evpCtx;
@ -47616,14 +47688,25 @@ static int wolfSSL_TicketKeyCb(WOLFSSL* ssl,
(void)ctx;
if (ticketKeyCb == NULL)
return WOLFSSL_TICKET_RET_FATAL;
WOLFSSL_ENTER("wolfSSL_TicketKeyCb");
wolfSSL_EVP_CIPHER_CTX_init(&evpCtx);
/* Initialize the cipher and HMAC. */
res = ticketKeyCb(ssl, keyName, iv, &evpCtx, &hmacCtx, enc);
if (res != TICKET_KEY_CB_RET_OK && res != TICKET_KEY_CB_RET_RENEW)
if (ssl == NULL || ssl->ctx == NULL || ssl->ctx->ticketEncCtx == NULL) {
WOLFSSL_MSG("Bad parameter");
return WOLFSSL_TICKET_RET_FATAL;
}
/* Initialize the cipher and HMAC. */
wolfSSL_EVP_CIPHER_CTX_init(&evpCtx);
if (wolfSSL_HMAC_CTX_Init(&hmacCtx) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("wolfSSL_HMAC_CTX_Init error");
return WOLFSSL_TICKET_RET_FATAL;
}
res = ((ticketCompatCb)ssl->ctx->ticketEncCtx)(ssl, keyName,
iv, &evpCtx, &hmacCtx, enc);
if (res != TICKET_KEY_CB_RET_OK && res != TICKET_KEY_CB_RET_RENEW) {
WOLFSSL_MSG("Ticket callback error");
return WOLFSSL_TICKET_RET_FATAL;
}
if (enc)
{
@ -47682,16 +47765,13 @@ end:
* cb The OpenSSL session ticket callback.
* returns WOLFSSL_SUCCESS to indicate success.
*/
int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *ctx, int (*cb)(
WOLFSSL *ssl, unsigned char *name, unsigned char *iv,
WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc))
int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *ctx, ticketCompatCb cb)
{
/* Store callback in a global. */
ticketKeyCb = cb;
/* Set the ticket encryption callback to be a wrapper around OpenSSL
* callback.
*/
ctx->ticketEncCb = wolfSSL_TicketKeyCb;
ctx->ticketEncCtx = cb;
return WOLFSSL_SUCCESS;
}
@ -47924,10 +48004,18 @@ int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx,
return WOLFSSL_SUCCESS;
}
int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer,
WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_X509 *x)
/**
* Find the issuing cert of the input cert. On a self-signed cert this
* function will return an error.
* @param issuer The issuer x509 struct is returned here
* @param cm The cert manager that is queried for the issuer
* @param x This cert's issuer will be queried in cm
* @return WOLFSSL_SUCCESS on success
* WOLFSSL_FAILURE on error
*/
static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm,
WOLFSSL_X509 *x)
{
WOLFSSL_STACK* node;
Signer* ca = NULL;
#ifdef WOLFSSL_SMALL_STACK
DecodedCert* cert = NULL;
@ -47935,6 +48023,56 @@ int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer,
DecodedCert cert[1];
#endif
#ifdef WOLFSSL_SMALL_STACK
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT);
if (cert == NULL)
return WOLFSSL_FAILURE;
#endif
/* Use existing CA retrieval APIs that use DecodedCert. */
InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, NULL);
if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0
&& !cert->selfSigned) {
#ifndef NO_SKID
if (cert->extAuthKeyIdSet)
ca = GetCA(cm, cert->extAuthKeyId);
if (ca == NULL)
ca = GetCAByName(cm, cert->issuerHash);
#else /* NO_SKID */
ca = GetCA(cm, cert->issuerHash);
#endif /* NO SKID */
}
FreeDecodedCert(cert);
#ifdef WOLFSSL_SMALL_STACK
XFREE(cert, NULL, DYNAMIC_TYPE_DCERT);
#endif
if (ca == NULL)
return WOLFSSL_FAILURE;
#ifdef WOLFSSL_SIGNER_DER_CERT
/* populate issuer with Signer DER */
if (wolfSSL_X509_d2i(issuer, ca->derCert->buffer,
ca->derCert->length) == NULL)
return WOLFSSL_FAILURE;
#else
/* Create an empty certificate as CA doesn't have a certificate. */
*issuer = (WOLFSSL_X509 *)XMALLOC(sizeof(WOLFSSL_X509), 0,
DYNAMIC_TYPE_OPENSSL);
if (*issuer == NULL)
return WOLFSSL_FAILURE;
InitX509((*issuer), 1, NULL);
#endif
return WOLFSSL_SUCCESS;
}
int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer,
WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_X509 *x)
{
WOLFSSL_STACK* node;
if (issuer == NULL || ctx == NULL || x == NULL)
return WOLFSSL_FATAL_ERROR;
@ -47947,52 +48085,9 @@ int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer,
}
}
#ifdef WOLFSSL_SMALL_STACK
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT);
if (cert == NULL)
return WOLFSSL_FAILURE;
#endif
/* Use existing CA retrieval APIs that use DecodedCert. */
InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, NULL);
if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0) {
#ifndef NO_SKID
if (cert->extAuthKeyIdSet)
ca = GetCA(ctx->store->cm, cert->extAuthKeyId);
if (ca == NULL)
ca = GetCAByName(ctx->store->cm, cert->issuerHash);
#else /* NO_SKID */
ca = GetCA(ctx->store->cm, cert->issuerHash);
#endif /* NO SKID */
}
FreeDecodedCert(cert);
#ifdef WOLFSSL_SMALL_STACK
XFREE(cert, NULL, DYNAMIC_TYPE_DCERT);
#endif
if (ca == NULL)
return WOLFSSL_FAILURE;
#ifdef WOLFSSL_SIGNER_DER_CERT
/* populate issuer with Signer DER */
*issuer = wolfSSL_X509_d2i(issuer, ca->derCert->buffer,
ca->derCert->length);
if (*issuer == NULL)
return WOLFSSL_FAILURE;
#else
/* Create an empty certificate as CA doesn't have a certificate. */
*issuer = (WOLFSSL_X509 *)XMALLOC(sizeof(WOLFSSL_X509), 0,
DYNAMIC_TYPE_OPENSSL);
if (*issuer == NULL)
return WOLFSSL_FAILURE;
InitX509((*issuer), 1, NULL);
#endif
/* Result is ignored when passed to wolfSSL_OCSP_cert_to_id(). */
return WOLFSSL_SUCCESS;
return x509GetIssuerFromCM(issuer, ctx->store->cm, x);
}
void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk)
@ -48012,7 +48107,7 @@ WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x)
WOLFSSL_STACK* list = NULL;
char* url;
if (x->authInfoSz == 0)
if (x == NULL || x->authInfoSz == 0)
return NULL;
list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + x->authInfoSz + 1,
@ -52921,6 +53016,17 @@ int wolfSSL_X509_NAME_copy(WOLFSSL_X509_NAME* from, WOLFSSL_X509_NAME* to)
return BAD_FUNC_ARG;
}
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
if (from->rawLen > 0) {
if (from->rawLen > ASN_NAME_MAX) {
WOLFSSL_MSG("Bad raw size");
return BAD_FUNC_ARG;
}
XMEMCPY(to->raw, from->raw, from->rawLen);
to->rawLen = from->rawLen;
}
#endif
if (from->dynamicName) {
to->name = (char*)XMALLOC(from->sz, to->heap, DYNAMIC_TYPE_SUBJECT_CN);
if (to->name == NULL)

6
src/tls13.c
View File

@ -8217,7 +8217,8 @@ void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
@ -8254,7 +8255,8 @@ void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
ssl->options.haveDH, ssl->options.haveNTRU,
ssl->options.haveECDSAsig, ssl->options.haveECC,
ssl->options.haveStaticECC, ssl->options.side);
ssl->options.haveStaticECC, ssl->options.haveAnon,
ssl->options.side);
}
#endif

238
tests/api.c
View File

@ -2625,6 +2625,75 @@ static int nonblocking_accept_read(void* args, WOLFSSL* ssl, SOCKET_T* sockfd)
}
#endif /* WOLFSSL_SESSION_EXPORT */
#if defined(HAVE_SESSION_TICKET) && \
((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) && \
defined(OPENSSL_EXTRA)
typedef struct openssl_key_ctx {
byte name[WOLFSSL_TICKET_NAME_SZ]; /* server name */
byte key[AES_256_KEY_SIZE]; /* cipher key */
byte hmacKey[WOLFSSL_TICKET_NAME_SZ]; /* hmac key */
byte iv[WOLFSSL_TICKET_IV_SZ]; /* cipher iv */
} openssl_key_ctx;
static THREAD_LS_T openssl_key_ctx myOpenSSLKey_ctx;
static THREAD_LS_T WC_RNG myOpenSSLKey_rng;
static WC_INLINE int OpenSSLTicketInit(void)
{
int ret = wc_InitRng(&myOpenSSLKey_rng);
if (ret != 0) return ret;
ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.name,
sizeof(myOpenSSLKey_ctx.name));
if (ret != 0) return ret;
ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.key,
sizeof(myOpenSSLKey_ctx.key));
if (ret != 0) return ret;
ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.hmacKey,
sizeof(myOpenSSLKey_ctx.hmacKey));
if (ret != 0) return ret;
ret = wc_RNG_GenerateBlock(&myOpenSSLKey_rng, myOpenSSLKey_ctx.iv,
sizeof(myOpenSSLKey_ctx.iv));
if (ret != 0) return ret;
return 0;
}
static WC_INLINE int myTicketEncCbOpenSSL(WOLFSSL* ssl,
byte name[WOLFSSL_TICKET_NAME_SZ],
byte iv[WOLFSSL_TICKET_IV_SZ],
WOLFSSL_EVP_CIPHER_CTX *ectx,
WOLFSSL_HMAC_CTX *hctx, int enc) {
(void)ssl;
if (enc) {
XMEMCPY(name, myOpenSSLKey_ctx.name, sizeof(myOpenSSLKey_ctx.name));
XMEMCPY(iv, myOpenSSLKey_ctx.iv, sizeof(myOpenSSLKey_ctx.iv));
}
else if (XMEMCMP(name, myOpenSSLKey_ctx.name,
sizeof(myOpenSSLKey_ctx.name)) != 0 ||
XMEMCMP(iv, myOpenSSLKey_ctx.iv,
sizeof(myOpenSSLKey_ctx.iv)) != 0) {
return 0;
}
HMAC_Init_ex(hctx, myOpenSSLKey_ctx.hmacKey, WOLFSSL_TICKET_NAME_SZ, EVP_sha256(), NULL);
if (enc)
EVP_EncryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, myOpenSSLKey_ctx.key, iv);
else
EVP_DecryptInit_ex(ectx, EVP_aes_256_cbc(), NULL, myOpenSSLKey_ctx.key, iv);
return 1;
}
static WC_INLINE void OpenSSLTicketCleanup(void)
{
wc_FreeRng(&myOpenSSLKey_rng);
}
#endif
static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
{
SOCKET_T sockfd = 0;
@ -2666,11 +2735,16 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args)
ctx = wolfSSL_CTX_new(method);
}
#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \
#if defined(HAVE_SESSION_TICKET) && \
((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM))
#ifdef OPENSSL_EXTRA
OpenSSLTicketInit();
wolfSSL_CTX_set_tlsext_ticket_key_cb(ctx, myTicketEncCbOpenSSL);
#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
TicketInit();
wolfSSL_CTX_set_TicketEncCb(ctx, myTicketEncCb);
#endif
#endif
#if defined(USE_WINDOWS_API)
port = ((func_args*)args)->signal->port;
@ -2853,10 +2927,14 @@ done:
wc_ecc_fp_free(); /* free per thread cache */
#endif
#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) && \
#if defined(HAVE_SESSION_TICKET) && \
((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM))
#ifdef OPENSSL_EXTRA
OpenSSLTicketCleanup();
#elif defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
TicketCleanup();
#endif
#endif
#ifndef WOLFSSL_TIRTOS
return 0;
@ -4287,7 +4365,7 @@ static void test_wolfSSL_UseSNI_connection(void)
static void test_wolfSSL_SNI_GetFromBuffer(void)
{
byte buffer[] = { /* www.paypal.com */
byte buff[] = { /* www.paypal.com */
0x00, 0x00, 0x00, 0x00, 0xff, 0x01, 0x00, 0x00, 0x60, 0x03, 0x03, 0x5c,
0xc4, 0xb3, 0x8c, 0x87, 0xef, 0xa4, 0x09, 0xe0, 0x02, 0xab, 0x86, 0xca,
0x76, 0xf0, 0x9e, 0x01, 0x65, 0xf6, 0xa6, 0x06, 0x13, 0x1d, 0x0f, 0xa5,
@ -4299,7 +4377,7 @@ static void test_wolfSSL_SNI_GetFromBuffer(void)
0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01
};
byte buffer2[] = { /* api.textmate.org */
byte buff2[] = { /* api.textmate.org */
0x16, 0x03, 0x01, 0x00, 0xc6, 0x01, 0x00, 0x00, 0xc2, 0x03, 0x03, 0x52,
0x8b, 0x7b, 0xca, 0x69, 0xec, 0x97, 0xd5, 0x08, 0x03, 0x50, 0xfe, 0x3b,
0x99, 0xc3, 0x20, 0xce, 0xa5, 0xf6, 0x99, 0xa5, 0x71, 0xf9, 0x57, 0x7f,
@ -4319,7 +4397,7 @@ static void test_wolfSSL_SNI_GetFromBuffer(void)
0x0a, 0x05, 0x01, 0x04, 0x01, 0x02, 0x01, 0x04, 0x03, 0x02, 0x03
};
byte buffer3[] = { /* no sni extension */
byte buff3[] = { /* no sni extension */
0x16, 0x03, 0x03, 0x00, 0x4d, 0x01, 0x00, 0x00, 0x49, 0x03, 0x03, 0xea,
0xa1, 0x9f, 0x60, 0xdd, 0x52, 0x12, 0x13, 0xbd, 0x84, 0x34, 0xd5, 0x1c,
0x38, 0x25, 0xa8, 0x97, 0xd2, 0xd5, 0xc6, 0x45, 0xaf, 0x1b, 0x08, 0xe4,
@ -4329,7 +4407,7 @@ static void test_wolfSSL_SNI_GetFromBuffer(void)
0x00, 0x0d, 0x00, 0x06, 0x00, 0x04, 0x04, 0x01, 0x02, 0x01
};
byte buffer4[] = { /* last extension has zero size */
byte buff4[] = { /* last extension has zero size */
0x16, 0x03, 0x01, 0x00, 0xba, 0x01, 0x00, 0x00,
0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45,
0x15, 0xbd, 0x64, 0xa9, 0xb6, 0x07, 0xb4, 0x50, 0xc6, 0xdd, 0xff, 0xc2,
@ -4349,7 +4427,7 @@ static void test_wolfSSL_SNI_GetFromBuffer(void)
0x12, 0x00, 0x00
};
byte buffer5[] = { /* SSL v2.0 client hello */
byte buff5[] = { /* SSL v2.0 client hello */
0x00, 0x2b, 0x01, 0x03, 0x01, 0x00, 0x09, 0x00, 0x00,
/* dummy bytes bellow, just to pass size check */
0xb6, 0x03, 0x03, 0x83, 0xa3, 0xe6, 0xdc, 0x16, 0xa1, 0x43, 0xe9, 0x45,
@ -4360,58 +4438,58 @@ static void test_wolfSSL_SNI_GetFromBuffer(void)
byte result[32] = {0};
word32 length = 32;
AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buffer4, sizeof(buffer4),
AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff4, sizeof(buff4),
0, result, &length));
AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buffer3, sizeof(buffer3),
AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff3, sizeof(buff3),
0, result, &length));
AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2),
AssertIntEQ(0, wolfSSL_SNI_GetFromBuffer(buff2, sizeof(buff2),
1, result, &length));
AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer, sizeof(buffer),
AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff),
0, result, &length));
buffer[0] = 0x16;
buff[0] = 0x16;
AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer, sizeof(buffer),
AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff),
0, result, &length));
buffer[1] = 0x03;
buff[1] = 0x03;
AssertIntEQ(SNI_UNSUPPORTED, wolfSSL_SNI_GetFromBuffer(buffer,
sizeof(buffer), 0, result, &length));
buffer[2] = 0x03;
AssertIntEQ(SNI_UNSUPPORTED, wolfSSL_SNI_GetFromBuffer(buff,
sizeof(buff), 0, result, &length));
buff[2] = 0x03;
AssertIntEQ(INCOMPLETE_DATA, wolfSSL_SNI_GetFromBuffer(buffer,
sizeof(buffer), 0, result, &length));
buffer[4] = 0x64;
AssertIntEQ(INCOMPLETE_DATA, wolfSSL_SNI_GetFromBuffer(buff,
sizeof(buff), 0, result, &length));
buff[4] = 0x64;
AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buffer, sizeof(buffer),
AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buff, sizeof(buff),
0, result, &length));
result[length] = 0;
AssertStrEQ("www.paypal.com", (const char*) result);
length = 32;
AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2),
AssertIntEQ(WOLFSSL_SUCCESS, wolfSSL_SNI_GetFromBuffer(buff2, sizeof(buff2),
0, result, &length));
result[length] = 0;
AssertStrEQ("api.textmate.org", (const char*) result);
/* SSL v2.0 tests */
AssertIntEQ(SNI_UNSUPPORTED, wolfSSL_SNI_GetFromBuffer(buffer5,
sizeof(buffer5), 0, result, &length));
AssertIntEQ(SNI_UNSUPPORTED, wolfSSL_SNI_GetFromBuffer(buff5,
sizeof(buff5), 0, result, &length));
buffer5[2] = 0x02;
AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer5,
sizeof(buffer5), 0, result, &length));
buff5[2] = 0x02;
AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buff5,
sizeof(buff5), 0, result, &length));
buffer5[2] = 0x01; buffer5[6] = 0x08;
AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer5,
sizeof(buffer5), 0, result, &length));
buff5[2] = 0x01; buff5[6] = 0x08;
AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buff5,
sizeof(buff5), 0, result, &length));
buffer5[6] = 0x09; buffer5[8] = 0x01;
AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buffer5,
sizeof(buffer5), 0, result, &length));
buff5[6] = 0x09; buff5[8] = 0x01;
AssertIntEQ(BUFFER_ERROR, wolfSSL_SNI_GetFromBuffer(buff5,
sizeof(buff5), 0, result, &length));
}
#endif /* HAVE_SNI */
@ -5312,7 +5390,7 @@ static void test_wolfSSL_no_password_cb(void)
#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8) \
&& defined(HAVE_ECC) && defined(WOLFSSL_ENCRYPTED_KEYS)
WOLFSSL_CTX* ctx;
byte buffer[FOURK_BUF];
byte buff[FOURK_BUF];
const char eccPkcs8PrivKeyDerFile[] = "./certs/ecc-privkeyPkcs8.der";
const char eccPkcs8PrivKeyPemFile[] = "./certs/ecc-privkeyPkcs8.pem";
XFILE f;
@ -5328,17 +5406,17 @@ static void test_wolfSSL_no_password_cb(void)
wolfSSL_CTX_set_default_passwd_cb(ctx, FailTestCallBack);
AssertTrue((f = XFOPEN(eccPkcs8PrivKeyDerFile, "rb")) != XBADFILE);
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
AssertIntLE(bytes, sizeof(buffer));
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntLE(bytes, sizeof(buff));
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
AssertTrue((f = XFOPEN(eccPkcs8PrivKeyPemFile, "rb")) != XBADFILE);
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
AssertIntLE(bytes, sizeof(buffer));
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntLE(bytes, sizeof(buff));
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
wolfSSL_CTX_free(ctx);
@ -5381,7 +5459,7 @@ static int PKCS8TestCallBack(char* passwd, int sz, int rw, void* userdata)
static void test_wolfSSL_PKCS8(void)
{
#if !defined(NO_FILESYSTEM) && !defined(NO_ASN) && defined(HAVE_PKCS8)
byte buffer[FOURK_BUF];
byte buff[FOURK_BUF];
byte der[FOURK_BUF];
#ifndef NO_RSA
const char serverKeyPkcs8PemFile[] = "./certs/server-keyPkcs8.pem";
@ -5436,36 +5514,36 @@ static void test_wolfSSL_PKCS8(void)
/* test loading PEM PKCS8 encrypted file */
f = XFOPEN(serverKeyPkcs8EncPemFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* this next case should fail because of password callback return code */
flag = 0; /* used by password callback as return code */
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */
AssertIntGT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der),
AssertIntGT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der),
"yassl123"), 0);
/* test that error value is returned with a bad password */
AssertIntLT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der),
AssertIntLT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der),
"bad"), 0);
/* test loading PEM PKCS8 encrypted file */
f = XFOPEN(serverKeyPkcs8EncDerFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
flag = 1; /* used by password callback as return code */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* this next case should fail because of password callback return code */
flag = 0; /* used by password callback as return code */
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#endif /* !NO_RSA && !NO_SHA */
@ -5473,37 +5551,37 @@ static void test_wolfSSL_PKCS8(void)
/* test loading PEM PKCS8 encrypted ECC Key file */
f = XFOPEN(eccPkcs8EncPrivKeyPemFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
flag = 1; /* used by password callback as return code */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* this next case should fail because of password callback return code */
flag = 0; /* used by password callback as return code */
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* decrypt PKCS8 PEM to key in DER format with not using WOLFSSL_CTX */
AssertIntGT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der),
AssertIntGT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der),
"yassl123"), 0);
/* test that error value is returned with a bad password */
AssertIntLT(wc_KeyPemToDer(buffer, bytes, der, (word32)sizeof(der),
AssertIntLT(wc_KeyPemToDer(buff, bytes, der, (word32)sizeof(der),
"bad"), 0);
/* test loading DER PKCS8 encrypted ECC Key file */
f = XFOPEN(eccPkcs8EncPrivKeyDerFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
flag = 1; /* used by password callback as return code */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* this next case should fail because of password callback return code */
flag = 0; /* used by password callback as return code */
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntNE(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* leave flag as "okay" */
@ -5516,32 +5594,32 @@ static void test_wolfSSL_PKCS8(void)
/* test loading ASN.1 (DER) PKCS8 private key file (not encrypted) */
f = XFOPEN(serverKeyPkcs8DerFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
/* test loading PEM PKCS8 private key file (not encrypted) */
f = XFOPEN(serverKeyPkcs8PemFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
#endif /* !NO_RSA */
/* Test PKCS8 PEM ECC key no crypt */
f = XFOPEN(eccPkcs8PrivKeyPemFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
#ifdef HAVE_ECC
/* Test PKCS8 PEM ECC key no crypt */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
/* decrypt PKCS8 PEM to key in DER format */
AssertIntGT((bytes = wc_KeyPemToDer(buffer, bytes, der,
AssertIntGT((bytes = wc_KeyPemToDer(buff, bytes, der,
(word32)sizeof(der), NULL)), 0);
ret = wc_ecc_init(&key);
if (ret == 0) {
@ -5553,15 +5631,15 @@ static void test_wolfSSL_PKCS8(void)
/* Test PKCS8 DER ECC key no crypt */
f = XFOPEN(eccPkcs8PrivKeyDerFile, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
/* Test using a PKCS8 ECC PEM */
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buffer, bytes,
AssertIntEQ(wolfSSL_CTX_use_PrivateKey_buffer(ctx, buff, bytes,
WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
#else
/* if HAVE_ECC is not defined then BEGIN EC PRIVATE KEY is not found */
AssertIntEQ((bytes = wc_KeyPemToDer(buffer, bytes, der,
AssertIntEQ((bytes = wc_KeyPemToDer(buff, bytes, der,
(word32)sizeof(der), NULL)), ASN_NO_PEM_HEADER);
#endif /* HAVE_ECC */
@ -5722,7 +5800,7 @@ static void test_wolfSSL_X509_verify(void)
#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) \
&& defined(OPENSSL_EXTRA)
WOLFSSL_X509* ca;
WOLFSSL_X509* server;
WOLFSSL_X509* serv;
WOLFSSL_EVP_PKEY* pkey;
unsigned char buf[2048];
const unsigned char* pt = NULL;
@ -5746,7 +5824,7 @@ static void test_wolfSSL_X509_verify(void)
AssertIntEQ(wolfSSL_X509_get_pubkey_type(ca), RSAk);
AssertNotNull(server =
AssertNotNull(serv =
wolfSSL_X509_load_certificate_file(svrCertFile, WOLFSSL_FILETYPE_PEM));
/* success case */
@ -5755,23 +5833,23 @@ static void test_wolfSSL_X509_verify(void)
AssertIntEQ(i2d_PUBKEY(pkey, NULL), bufSz);
AssertIntEQ(wolfSSL_X509_verify(server, pkey), WOLFSSL_SUCCESS);
AssertIntEQ(wolfSSL_X509_verify(serv, pkey), WOLFSSL_SUCCESS);
wolfSSL_EVP_PKEY_free(pkey);
/* fail case */
bufSz = 2048;
AssertIntEQ(wolfSSL_X509_get_pubkey_buffer(server, buf, &bufSz),
AssertIntEQ(wolfSSL_X509_get_pubkey_buffer(serv, buf, &bufSz),
WOLFSSL_SUCCESS);
pt = buf;
AssertNotNull(pkey = wolfSSL_d2i_PUBKEY(NULL, &pt, bufSz));
AssertIntEQ(wolfSSL_X509_verify(server, pkey), WOLFSSL_FAILURE);
AssertIntEQ(wolfSSL_X509_verify(serv, pkey), WOLFSSL_FAILURE);
AssertIntEQ(wolfSSL_X509_verify(NULL, pkey), WOLFSSL_FATAL_ERROR);
AssertIntEQ(wolfSSL_X509_verify(server, NULL), WOLFSSL_FATAL_ERROR);
AssertIntEQ(wolfSSL_X509_verify(serv, NULL), WOLFSSL_FATAL_ERROR);
wolfSSL_EVP_PKEY_free(pkey);
wolfSSL_FreeX509(ca);
wolfSSL_FreeX509(server);
wolfSSL_FreeX509(serv);
printf(resultFmt, passed);
#endif
@ -26865,7 +26943,7 @@ static void test_wolfSSL_tmp_dh(void)
{
#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) && \
!defined(NO_DSA) && !defined(NO_RSA) && !defined(NO_DH) && !defined(NO_BIO)
byte buffer[6000];
byte buff[6000];
char file[] = "./certs/dsaparams.pem";
XFILE f;
int bytes;
@ -26891,10 +26969,10 @@ static void test_wolfSSL_tmp_dh(void)
f = XFOPEN(file, "rb");
AssertTrue((f != XBADFILE));
bytes = (int)XFREAD(buffer, 1, sizeof(buffer), f);
bytes = (int)XFREAD(buff, 1, sizeof(buff), f);
XFCLOSE(f);
bio = BIO_new_mem_buf((void*)buffer, bytes);
bio = BIO_new_mem_buf((void*)buff, bytes);
AssertNotNull(bio);
dsa = wolfSSL_PEM_read_bio_DSAparams(bio, NULL, NULL, NULL);
@ -28567,7 +28645,7 @@ static int msgCb(SSL_CTX *ctx, SSL *ssl)
{
(void) ctx;
(void) ssl;
#ifdef WOLFSSL_QT
#ifdef OPENSSL_ALL
STACK_OF(X509)* sk;
X509* x509;
int i, num;
@ -28576,10 +28654,10 @@ static int msgCb(SSL_CTX *ctx, SSL *ssl)
printf("\n===== msgcb called ====\n");
#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN)
AssertTrue(SSL_get_peer_cert_chain(ssl) != NULL);
AssertIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 1);
AssertIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 2);
#endif
#ifdef WOLFSSL_QT
#ifdef OPENSSL_ALL
bio = BIO_new(BIO_s_file());
BIO_set_fp(bio, stdout, BIO_NOCLOSE);
sk = SSL_get_peer_cert_chain(ssl);

11
wolfssl/internal.h
View File

@ -59,6 +59,9 @@
#ifdef HAVE_POLY1305
#include <wolfssl/wolfcrypt/poly1305.h>
#endif
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && defined(OPENSSL_EXTRA)
#include <wolfssl/wolfcrypt/chacha20_poly1305.h>
#endif
#ifdef HAVE_CAMELLIA
#include <wolfssl/wolfcrypt/camellia.h>
#endif
@ -1870,7 +1873,7 @@ WOLFSSL_LOCAL void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig,
int haveRSAsig, int haveAnon,
int tls1_2, int keySz);
WOLFSSL_LOCAL void InitSuites(Suites*, ProtocolVersion, int, word16, word16,
word16, word16, word16, word16, word16, int);
word16, word16, word16, word16, word16, word16, int);
WOLFSSL_LOCAL int MatchSuite(WOLFSSL* ssl, Suites* peerSuites);
WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list);
@ -2931,10 +2934,10 @@ struct WOLFSSL_CTX {
TicketEncCbCtx ticketKeyCtx;
#endif
#endif
#endif
#ifdef HAVE_SUPPORTED_CURVES
byte userCurves; /* indicates user called wolfSSL_CTX_UseSupportedCurve */
#endif
#endif
#ifdef ATOMIC_USER
CallbackMacEncrypt MacEncryptCb; /* Atomic User Mac/Encrypt Cb */
CallbackDecryptVerify DecryptVerifyCb; /* Atomic User Decrypt/Verify Cb */
@ -3534,9 +3537,7 @@ typedef struct Options {
#ifdef HAVE_POLY1305
word16 oldPoly:1; /* set when to use old rfc way of poly*/
#endif
#ifdef HAVE_ANON
word16 haveAnon:1; /* User wants to allow Anon suites */
#endif
#ifdef HAVE_SESSION_TICKET
word16 createTicket:1; /* Server to create new Ticket */
word16 useTicket:1; /* Use Ticket not session cache */
@ -4369,7 +4370,7 @@ struct WOLFSSL {
#ifdef OPENSSL_ALL
long verifyCallbackResult;
#endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
#if defined(OPENSSL_EXTRA)
WOLFSSL_STACK* supportedCiphers; /* Used in wolfSSL_get_ciphers_compat */
WOLFSSL_STACK* peerCertChain; /* Used in wolfSSL_get_peer_cert_chain */
#endif

5
wolfssl/openssl/ssl.h
View File

@ -409,6 +409,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
#define X509_free wolfSSL_X509_free
#define X509_load_certificate_file wolfSSL_X509_load_certificate_file
#define X509_digest wolfSSL_X509_digest
#define X509_pubkey_digest wolfSSL_X509_pubkey_digest
#define X509_get_ext_count wolfSSL_X509_get_ext_count
#define X509_get_ext_d2i wolfSSL_X509_get_ext_d2i
#define X509V3_EXT_i2d wolfSSL_X509V3_EXT_i2d
@ -1126,6 +1127,9 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define SSL3_AD_BAD_CERTIFICATE bad_certificate
#define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE
#define SSL_AD_UNRECOGNIZED_NAME unrecognized_name
#define SSL_AD_NO_RENEGOTIATION no_renegotiation
#define SSL_AD_INTERNAL_ERROR 80
#define ASN1_STRFLGS_ESC_MSB 4
@ -1166,6 +1170,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define SSL3_AL_FATAL 2
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_ALERT_FATAL alert_fatal
#define SSL_TLSEXT_ERR_ALERT_WARNING alert_warning
#define SSL_TLSEXT_ERR_NOACK alert_warning
#define TLSEXT_NAMETYPE_host_name WOLFSSL_SNI_HOST_NAME

10
wolfssl/ssl.h
View File

@ -2115,8 +2115,8 @@ WOLFSSL_API int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX*);
WOLFSSL_API int wolfSSL_CTX_set_session_id_context(WOLFSSL_CTX*,
const unsigned char*, unsigned int);
WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509* wolfSSL_get_peer_certificate(WOLFSSL*);
#ifdef OPENSSL_EXTRA
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL*);
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl);
#endif
@ -3479,6 +3479,8 @@ WOLFSSL_API void wolfSSL_X509V3_set_ctx(WOLFSSL_X509V3_CTX* ctx,
WOLFSSL_API void wolfSSL_X509V3_set_ctx_nodb(WOLFSSL_X509V3_CTX* ctx);
WOLFSSL_API int wolfSSL_X509_digest(const WOLFSSL_X509* x509,
const WOLFSSL_EVP_MD* digest, unsigned char* buf, unsigned int* len);
WOLFSSL_API int wolfSSL_X509_pubkey_digest(const WOLFSSL_X509 *x509,
const WOLFSSL_EVP_MD *digest, unsigned char* buf, unsigned int* len);
WOLFSSL_API int wolfSSL_use_certificate(WOLFSSL* ssl, WOLFSSL_X509* x509);
WOLFSSL_API int wolfSSL_use_PrivateKey(WOLFSSL* ssl, WOLFSSL_EVP_PKEY* pkey);
WOLFSSL_API int wolfSSL_use_PrivateKey_ASN1(int pri, WOLFSSL* ssl,
@ -3986,9 +3988,9 @@ WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp,
const WOLFSSL_ASN1_INTEGER *a);
#ifdef HAVE_SESSION_TICKET
WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, int (*)(
WOLFSSL *ssl, unsigned char *name, unsigned char *iv,
WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc));
typedef int (*ticketCompatCb)(WOLFSSL *ssl, unsigned char *name, unsigned char *iv,
WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc);
WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, ticketCompatCb);
#endif
#if defined(HAVE_OCSP) || defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \

2
wolfssl/wolfcrypt/asn.h
View File

@ -1390,6 +1390,8 @@ struct OcspEntry
byte* rawCertId; /* raw bytes of the CertID */
int rawCertIdSize; /* num bytes in raw CertID */
/* option bits - using 32-bit for alignment */
word32 ownStatus:1; /* do we need to free the status
* response list */
word32 isDynamic:1; /* was dynamically allocated */
};