Nginx 1.19.6 Fixes

configure.ac

@@ -2530,7 +2530,7 @@ AC_ARG_ENABLE([anon],
     [ ENABLED_ANON=no ]
     )
 
-if test "x$ENABLED_WPAS" = "xyes"
+if test "x$ENABLED_WPAS" = "xyes" || test "$ENABLED_NGINX" = "yes"
 then
     ENABLED_ANON=yes
 fi

src/internal.c

@@ -31113,16 +31113,22 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
 #ifdef HAVE_SNI
     int SNI_Callback(WOLFSSL* ssl)
     {
+        int ad = 0;
+        int sniRet = 0;
         /* Stunnel supports a custom sni callback to switch an SSL's ctx
         * when SNI is received. Call it now if exists */
         if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) {
             WOLFSSL_MSG("Calling custom sni callback");
-            if(ssl->ctx->sniRecvCb(ssl, NULL, ssl->ctx->sniRecvCbArg)
+            sniRet = ssl->ctx->sniRecvCb(ssl, &ad, ssl->ctx->sniRecvCbArg);
-                    == alert_fatal) {
+            if (sniRet == alert_fatal) {
                 WOLFSSL_MSG("Error in custom sni callback. Fatal alert");
-                SendAlert(ssl, alert_fatal, unrecognized_name);
+                SendAlert(ssl, alert_fatal, ad);
                 return FATAL_ERROR;
             }
+            else if (sniRet == alert_warning) {
+                WOLFSSL_MSG("Error in custom sni callback. Warning alert");
+                SendAlert(ssl, alert_warning, ad);
+            }
         }
         return 0;
     }

src/ocsp.c

@@ -598,7 +598,9 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
     (void)dgst;
 
     cm = wolfSSL_CertManagerNew();
-    if (cm == NULL)
+    if (cm == NULL
+            || subject == NULL || subject->derCert == NULL
+            || issuer  == NULL || issuer->derCert  == NULL)
         return NULL;
 
     ret = AllocDer(&derCert, issuer->derCert->length,

src/ssl.c

@@ -18260,37 +18260,22 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
 
 #endif /* KEEP_PEER_CERT */
 
-#if defined(SESSION_CERTS)
+#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
-/*  Return stack of peer certs.
+/* Return stack of peer certs.
- *      If Qt or OPENSSL_ALL is defined then return ssl->peerCertChain.
- *      All other cases return &ssl->session.chain
- * ssl->peerCertChain is type WOLFSSL_STACK*
- * ssl->session.chain is type WOLFSSL_X509_CHAIN
  * Caller does not need to free return. The stack is Free'd when WOLFSSL* ssl is.
  */
 WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL* ssl)
 {
-    WOLFSSL_STACK* sk;
     WOLFSSL_ENTER("wolfSSL_get_peer_cert_chain");
 
     if (ssl == NULL)
         return NULL;
 
-    #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
+    if (ssl->peerCertChain == NULL)
-        if (ssl->peerCertChain == NULL)
+        wolfSSL_set_peer_cert_chain((WOLFSSL*) ssl);
-            wolfSSL_set_peer_cert_chain((WOLFSSL*) ssl);
+    return ssl->peerCertChain;
-        sk = ssl->peerCertChain;
-    #else
-        sk = (WOLF_STACK_OF(WOLFSSL_X509)* )&ssl->session.chain;
-    #endif
-
-    if (sk == NULL) {
-        WOLFSSL_MSG("Error: Null Peer Cert Chain");
-    }
-    return sk;
 }
 
-#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
 /* Builds up and creates a stack of peer certificates for ssl->peerCertChain
     based off of the ssl session chain. Returns stack of WOLFSSL_X509 certs or
     NULL on failure */
@@ -18335,8 +18320,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl)
     ssl->peerCertChain = sk;
     return sk;
 }
-#endif /* OPENSSL_ALL || WOLFSSL_QT */
+#endif /* SESSION_CERTS && OPENSSL_EXTRA */
-#endif /* SESSION_CERTS */
 
 #ifndef NO_CERTS
 #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
@@ -29759,6 +29743,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk)
 
         switch (sk->type) {
             case STACK_TYPE_X509:
+                if (!sk->data.x509)
+                    break;
                 cur->data.x509 = wolfSSL_X509_dup(sk->data.x509);
                 if (!cur->data.x509) {
                     WOLFSSL_MSG("wolfSSL_X509_dup error");
@@ -29769,6 +29755,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk)
                 wolfSSL_CIPHER_copy(&sk->data.cipher, &cur->data.cipher);
                 break;
             case STACK_TYPE_GEN_NAME:
+                if (!sk->data.gn)
+                    break;
                 cur->data.gn = wolfSSL_GENERAL_NAME_dup(sk->data.gn);
                 if (!cur->data.gn) {
                     WOLFSSL_MSG("wolfSSL_GENERAL_NAME_new error");
@@ -29776,6 +29764,8 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk)
                 }
                 break;
             case STACK_TYPE_OBJ:
+                if (!sk->data.obj)
+                    break;
                 cur->data.obj = wolfSSL_ASN1_OBJECT_dup(sk->data.obj);
                 if (!cur->data.obj) {
                     WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_dup error");
@@ -48010,7 +48000,7 @@ WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x)
     WOLFSSL_STACK* list = NULL;
     char*          url;
 
-    if (x->authInfoSz == 0)
+    if (x == NULL || x->authInfoSz == 0)
         return NULL;
 
     list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + x->authInfoSz + 1,

tests/api.c

@@ -28547,7 +28547,7 @@ static int msgCb(SSL_CTX *ctx, SSL *ssl)
 {
     (void) ctx;
     (void) ssl;
-    #ifdef WOLFSSL_QT
+    #ifdef OPENSSL_EXTRA
         STACK_OF(X509)* sk;
         X509* x509;
         int i, num;
@@ -28559,7 +28559,7 @@ static int msgCb(SSL_CTX *ctx, SSL *ssl)
     AssertIntEQ(((WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl))->count, 1);
     #endif
 
-    #ifdef WOLFSSL_QT
+    #ifdef OPENSSL_EXTRA
     bio = BIO_new(BIO_s_file());
     BIO_set_fp(bio, stdout, BIO_NOCLOSE);
     sk = SSL_get_peer_cert_chain(ssl);

wolfssl/internal.h

@@ -4369,7 +4369,7 @@ struct WOLFSSL {
 #ifdef OPENSSL_ALL
     long verifyCallbackResult;
 #endif
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
+#if defined(OPENSSL_EXTRA)
     WOLFSSL_STACK* supportedCiphers; /* Used in wolfSSL_get_ciphers_compat */
     WOLFSSL_STACK* peerCertChain;    /* Used in wolfSSL_get_peer_cert_chain */
 #endif

wolfssl/openssl/ssl.h

@@ -1128,6 +1128,8 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define SSL3_AD_BAD_CERTIFICATE          bad_certificate
 #define SSL_AD_BAD_CERTIFICATE           SSL3_AD_BAD_CERTIFICATE
 #define SSL_AD_UNRECOGNIZED_NAME         unrecognized_name
+#define SSL_AD_NO_RENEGOTIATION          no_renegotiation
+#define SSL_AD_INTERNAL_ERROR            80
 
 #define ASN1_STRFLGS_ESC_MSB             4
 
@@ -1168,6 +1170,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define SSL3_AL_FATAL                   2
 #define SSL_TLSEXT_ERR_OK               0
 #define SSL_TLSEXT_ERR_ALERT_FATAL      alert_fatal
+#define SSL_TLSEXT_ERR_ALERT_WARNING    alert_warning
 #define SSL_TLSEXT_ERR_NOACK            alert_warning
 #define TLSEXT_NAMETYPE_host_name       WOLFSSL_SNI_HOST_NAME
 

wolfssl/ssl.h

@@ -2114,8 +2114,8 @@ WOLFSSL_API int  wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX*);
 WOLFSSL_API int  wolfSSL_CTX_set_session_id_context(WOLFSSL_CTX*,
                                             const unsigned char*, unsigned int);
 WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509* wolfSSL_get_peer_certificate(WOLFSSL*);
+#ifdef OPENSSL_EXTRA
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL*);
-#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl);
 #endif