From 9a1e54cfd50baf486302c1d87fab40f8b1780e11 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 19 Jan 2021 16:25:00 +0100 Subject: [PATCH] Nginx 1.19.6 Fixes --- configure.ac | 2 +- src/internal.c | 12 +++++++++--- src/ocsp.c | 4 +++- src/ssl.c | 36 +++++++++++++----------------------- tests/api.c | 4 ++-- wolfssl/internal.h | 2 +- wolfssl/openssl/ssl.h | 3 +++ wolfssl/ssl.h | 2 +- 8 files changed, 33 insertions(+), 32 deletions(-) diff --git a/configure.ac b/configure.ac index dd8a6ac74..052569e58 100644 --- a/configure.ac +++ b/configure.ac @@ -2530,7 +2530,7 @@ AC_ARG_ENABLE([anon], [ ENABLED_ANON=no ] ) -if test "x$ENABLED_WPAS" = "xyes" +if test "x$ENABLED_WPAS" = "xyes" || test "$ENABLED_NGINX" = "yes" then ENABLED_ANON=yes fi diff --git a/src/internal.c b/src/internal.c index 2d8ad5687..1b8eec9b9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -31113,16 +31113,22 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], #ifdef HAVE_SNI int SNI_Callback(WOLFSSL* ssl) { + int ad = 0; + int sniRet = 0; /* Stunnel supports a custom sni callback to switch an SSL's ctx * when SNI is received. Call it now if exists */ if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) { WOLFSSL_MSG("Calling custom sni callback"); - if(ssl->ctx->sniRecvCb(ssl, NULL, ssl->ctx->sniRecvCbArg) - == alert_fatal) { + sniRet = ssl->ctx->sniRecvCb(ssl, &ad, ssl->ctx->sniRecvCbArg); + if (sniRet == alert_fatal) { WOLFSSL_MSG("Error in custom sni callback. Fatal alert"); - SendAlert(ssl, alert_fatal, unrecognized_name); + SendAlert(ssl, alert_fatal, ad); return FATAL_ERROR; } + else if (sniRet == alert_warning) { + WOLFSSL_MSG("Error in custom sni callback. Warning alert"); + SendAlert(ssl, alert_warning, ad); + } } return 0; } diff --git a/src/ocsp.c b/src/ocsp.c index 4862cf939..216ed23bc 100644 --- a/src/ocsp.c +++ b/src/ocsp.c 
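Review bot: The new clause turns on anonymous (aNULL) cipher suites in every `--enable-nginx` build without saying why, and the test `"$ENABLED_NGINX" = "yes"` drops the `x` prefix that the same line uses for ENABLED_WPAS; write it `|| test "x$ENABLED_NGINX" = "xyes"` for consistency. Anonymous suites authenticate nobody, so compiling them in widens what a careless `ssl_ciphers` setting can negotiate; presumably nginx's cipher handling or its test suite needs them, but nothing here says so. A comment above the test would carry that reasoning, e.g. `# nginx builds need anonymous suites compiled in (used by its cipher handling); confirm the default cipher list still excludes them`.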
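Review bot: `int ad = 0;` means a callback that returns SSL_TLSEXT_ERR_ALERT_FATAL (or the new alert_warning value) without writing `*al` makes `SendAlert(ssl, alert_fatal, ad)` emit alert description 0, which is close_notify in TLS, instead of the unrecognized_name the old code always sent. OpenSSL pre-seeds the servername callback's `al` with SSL_AD_UNRECOGNIZED_NAME for exactly this reason, so initialise it the same way: `int ad = unrecognized_name; /* default if the callback leaves *al untouched */`. The SendAlert return value is ignored on both branches; that is harmless on the fatal path, which returns FATAL_ERROR regardless, but on the warning path a failed send is silently dropped, so either `(void)` it deliberately or check it. SNI_Callback is fully inside the hunk.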
@@ -598,7 +598,9 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( (void)dgst; cm = wolfSSL_CertManagerNew(); - if (cm == NULL) + if (cm == NULL + || subject == NULL || subject->derCert == NULL + || issuer == NULL || issuer->derCert == NULL) return NULL; ret = AllocDer(&derCert, issuer->derCert->length, diff --git a/src/ssl.c b/src/ssl.c index ef1f645da..ebccbeb7e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -18260,37 +18260,22 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, #endif /* KEEP_PEER_CERT */ -#if defined(SESSION_CERTS) -/* Return stack of peer certs. - * If Qt or OPENSSL_ALL is defined then return ssl->peerCertChain. - * All other cases return &ssl->session.chain - * ssl->peerCertChain is type WOLFSSL_STACK* - * ssl->session.chain is type WOLFSSL_X509_CHAIN +#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) +/* Return stack of peer certs. * Caller does not need to free return. The stack is Free'd when WOLFSSL* ssl is. */ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL* ssl) { - WOLFSSL_STACK* sk; WOLFSSL_ENTER("wolfSSL_get_peer_cert_chain"); if (ssl == NULL) return NULL; - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - if (ssl->peerCertChain == NULL) - wolfSSL_set_peer_cert_chain((WOLFSSL*) ssl); - sk = ssl->peerCertChain; - #else - sk = (WOLF_STACK_OF(WOLFSSL_X509)* )&ssl->session.chain; - #endif - - if (sk == NULL) { - WOLFSSL_MSG("Error: Null Peer Cert Chain"); - } - return sk; + if (ssl->peerCertChain == NULL) + wolfSSL_set_peer_cert_chain((WOLFSSL*) ssl); + return ssl->peerCertChain; } -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) /* Builds up and creates a stack of peer certificates for ssl->peerCertChain based off of the ssl session chain. Returns stack of WOLFSSL_X509 certs or NULL on failure */ 
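Review bot: The new argument checks run after `wolfSSL_CertManagerNew()` has already succeeded, so when `subject`, `issuer` or either `derCert` is NULL the function returns NULL with `cm` still allocated — a leak on every rejected call, reachable by any compat caller that passes a certificate with no DER. Validate the arguments before taking the resource and keep the allocation check separate, as below. The rest of wolfSSL_OCSP_cert_to_id, including any shared cleanup exit, is outside the hunk; if one exists further down that frees `cm`, jumping to it would also do.
```c
    (void)dgst;

    /* validate inputs before allocating anything so nothing needs cleanup */
    if (subject == NULL || subject->derCert == NULL
        || issuer == NULL || issuer->derCert == NULL)
        return NULL;

    cm = wolfSSL_CertManagerNew();
    if (cm == NULL)
        return NULL;

    ret = AllocDer(&derCert, issuer->derCert->length,
    /* … unchanged: remainder of wolfSSL_OCSP_cert_to_id … */
```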
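Review bot: The rewritten wolfSSL_get_peer_cert_chain drops the `WOLFSSL_MSG("Error: Null Peer Cert Chain")` the old body logged, so when the lazy `wolfSSL_set_peer_cert_chain()` call fails (its own comment says it returns NULL on failure) the caller now gets NULL with nothing in the debug log; keeping `if (ssl->peerCertChain == NULL) WOLFSSL_MSG("Error: Null Peer Cert Chain");` before the return costs nothing. The `(WOLFSSL*) ssl` cast still writes through a pointer the signature declares `const`, which the header comment should admit: `/* Lazily builds and caches ssl->peerCertChain, so it mutates ssl despite the const parameter. */`. Note also that the function and its WOLFSSL_X509_CHAIN-returning fallback are now compiled only under OPENSSL_EXTRA, so a SESSION_CERTS-only build loses the symbol — an API change worth a line in the release notes. The `#if` opened at the top of this hunk is closed in a later hunk.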
@@ -18335,8 +18320,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl) ssl->peerCertChain = sk; return sk; } -#endif /* OPENSSL_ALL || WOLFSSL_QT */ -#endif /* SESSION_CERTS */ +#endif /* SESSION_CERTS && OPENSSL_EXTRA */ #ifndef NO_CERTS #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \ @@ -29759,6 +29743,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk) switch (sk->type) { case STACK_TYPE_X509: + if (!sk->data.x509) + break; cur->data.x509 = wolfSSL_X509_dup(sk->data.x509); if (!cur->data.x509) { WOLFSSL_MSG("wolfSSL_X509_dup error"); @@ -29769,6 +29755,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk) wolfSSL_CIPHER_copy(&sk->data.cipher, &cur->data.cipher); break; case STACK_TYPE_GEN_NAME: + if (!sk->data.gn) + break; cur->data.gn = wolfSSL_GENERAL_NAME_dup(sk->data.gn); if (!cur->data.gn) { WOLFSSL_MSG("wolfSSL_GENERAL_NAME_new error"); @@ -29776,6 +29764,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk) } break; case STACK_TYPE_OBJ: + if (!sk->data.obj) + break; cur->data.obj = wolfSSL_ASN1_OBJECT_dup(sk->data.obj); if (!cur->data.obj) { WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_dup error"); @@ -48010,7 +48000,7 @@ WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x) WOLFSSL_STACK* list = NULL; char* url; - if (x->authInfoSz == 0) + if (x == NULL || x->authInfoSz == 0) return NULL; list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + x->authInfoSz + 1, diff --git a/tests/api.c b/tests/api.c index 6b3af3092..cde3746e4 100644 --- a/tests/api.c +++ b/tests/api.c @@ -28547,7 +28547,7 @@ static int msgCb(SSL_CTX *ctx, SSL *ssl) { (void) ctx; (void) ssl; - #ifdef WOLFSSL_QT + #ifdef OPENSSL_EXTRA STACK_OF(X509)* sk; X509* x509; int i, num; 
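Review bot: In the three wolfSSL_sk_dup hunks the new `if (!sk->data.x509) break;` (and its gn/obj twins) leaves `cur->data` untouched when the source node is empty, so the change is only safe if `cur` was zero-initialised when allocated — that allocation is above the hunk and not visible here, and if it is a bare XMALLOC the duplicate carries an uninitialised pointer that is presumably freed later. Either assign explicitly, `cur->data.x509 = NULL; break;` (likewise for gn and obj), or confirm the allocation zeroes and record it: `/* cur is zeroed at allocation, so an empty source node stays NULL */`. wolfSSL_sk_dup starts and ends outside these hunks.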
@@ -28559,7 +28559,7 @@ static int msgCb(SSL_CTX *ctx, SSL *ssl) AssertIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 1); #endif - #ifdef WOLFSSL_QT + #ifdef OPENSSL_EXTRA bio = BIO_new(BIO_s_file()); BIO_set_fp(bio, stdout, BIO_NOCLOSE); sk = SSL_get_peer_cert_chain(ssl); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d4f68a815..2cbc325a0 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4369,7 +4369,7 @@ struct WOLFSSL { #ifdef OPENSSL_ALL long verifyCallbackResult; #endif -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) +#if defined(OPENSSL_EXTRA) WOLFSSL_STACK* supportedCiphers; /* Used in wolfSSL_get_ciphers_compat */ WOLFSSL_STACK* peerCertChain; /* Used in wolfSSL_get_peer_cert_chain */ #endif diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 05296b582..ae5869ea4 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -1128,6 +1128,8 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL3_AD_BAD_CERTIFICATE bad_certificate #define SSL_AD_BAD_CERTIFICATE SSL3_AD_BAD_CERTIFICATE #define SSL_AD_UNRECOGNIZED_NAME unrecognized_name +#define SSL_AD_NO_RENEGOTIATION no_renegotiation +#define SSL_AD_INTERNAL_ERROR 80 #define ASN1_STRFLGS_ESC_MSB 4 @@ -1168,6 +1170,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define SSL3_AL_FATAL 2 #define SSL_TLSEXT_ERR_OK 0 #define SSL_TLSEXT_ERR_ALERT_FATAL alert_fatal +#define SSL_TLSEXT_ERR_ALERT_WARNING alert_warning #define SSL_TLSEXT_ERR_NOACK alert_warning #define TLSEXT_NAMETYPE_host_name WOLFSSL_SNI_HOST_NAME diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 5c412cab5..9a5496918 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
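Review bot: peerCertChain and supportedCiphers now exist in every OPENSSL_EXTRA build, but nothing in this patch touches the code that frees them when the WOLFSSL is destroyed (the only src/internal.c change is the SNI callback, per the diffstat), so if that release path is still gated on `OPENSSL_ALL || WOLFSSL_QT` an OPENSSL_EXTRA-only build allocates the stack in wolfSSL_set_peer_cert_chain and never frees it — the get_peer_cert_chain comment promises it is freed with the ssl. The free site is outside this patch, so this is inferred; please check its `#if` matches this one. A comment on the field would help keep the two in step: `/* built lazily by wolfSSL_set_peer_cert_chain; the free path must use the same #if as this declaration */`.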
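Review bot: `#define SSL_AD_INTERNAL_ERROR 80` hard-codes the alert number while every neighbouring SSL_AD_* macro in this hunk expands to an AlertDescription enumerator (`unrecognized_name`, `no_renegotiation`). If the enum already has an internal_error member, use it — `#define SSL_AD_INTERNAL_ERROR internal_error` — so the value cannot drift from what SendAlert actually emits; if it does not, add the enumerator rather than a bare literal here.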
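Review bot: `SSL_TLSEXT_ERR_ALERT_WARNING` and the pre-existing `SSL_TLSEXT_ERR_NOACK` both expand to `alert_warning`, so SNI_Callback in src/internal.c cannot tell them apart; in OpenSSL NOACK means "do not acknowledge the extension, send no alert", but with this patch a servername callback returning NOACK now triggers `SendAlert(ssl, alert_warning, ad)`, and with `ad` left at 0 that is a warning-level close_notify, which peers may treat as end of connection. Give NOACK its own value distinct from alert_warning and alert_fatal (OpenSSL uses 3) and have SNI_Callback send alerts only for ALERT_FATAL and ALERT_WARNING, e.g. `#define SSL_TLSEXT_ERR_NOACK 3 /* distinct from alert_* so SNI_Callback sends nothing */`. Whether nginx's servername callback returns NOACK on a miss is not visible here, so this is worth confirming against its source.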
@@ -2114,8 +2114,8 @@ WOLFSSL_API int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX*); WOLFSSL_API int wolfSSL_CTX_set_session_id_context(WOLFSSL_CTX*, const unsigned char*, unsigned int); WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509* wolfSSL_get_peer_certificate(WOLFSSL*); +#ifdef OPENSSL_EXTRA WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL*); -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl); #endif