From 8ab00508018dc48c44b304eed62f1844c0293393 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 22 May 2023 15:15:00 +0200 Subject: [PATCH 1/9] Init windows CRL monitor --- IDE/WIN/user_settings.h | 3 + src/crl.c | 189 +++++++++++++++++++++++++++++------- src/pk.c | 2 +- tests/api.c | 68 +++++++------ testsuite/testsuite.c | 8 +- wolfcrypt/src/wc_port.c | 97 ++++++++++++++++++ wolfssl/internal.h | 21 +++- wolfssl/test.h | 8 +- wolfssl/wolfcrypt/types.h | 35 ++++++- wolfssl/wolfcrypt/wc_port.h | 3 + 10 files changed, 353 insertions(+), 81 deletions(-) diff --git a/IDE/WIN/user_settings.h b/IDE/WIN/user_settings.h index 919924e9e..225108946 100644 --- a/IDE/WIN/user_settings.h +++ b/IDE/WIN/user_settings.h @@ -37,6 +37,9 @@ #define WC_RSA_BLINDING #define NO_MULTIBYTE_PRINT + #define HAVE_CRL + #define HAVE_CRL_MONITOR + #if defined(WOLFSSL_LIB) /* The lib */ #define OPENSSL_EXTRA diff --git a/src/crl.c b/src/crl.c index 559e459c1..c7c210ebd 100644 --- a/src/crl.c +++ b/src/crl.c @@ -46,10 +46,11 @@ CRL Options: #endif #ifdef HAVE_CRL_MONITOR - #if (defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__)) - static int StopMonitor(int mfd); + #if defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__) || \ + defined(_MSC_VER) + static int StopMonitor(wolfSSL_CRL_mfd_t mfd); #else - #error "CRL monitor only currently supported on linux or mach" + #error "CRL monitor only currently supported on linux or mach or windows" #endif #endif /* HAVE_CRL_MONITOR */ @@ -68,10 +69,10 @@ int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm) crl->monitors[0].path = NULL; crl->monitors[1].path = NULL; #ifdef HAVE_CRL_MONITOR - crl->tid = 0; - crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */ - crl->setup = 0; /* thread setup done predicate */ - if (pthread_cond_init(&crl->cond, 0) != 0) { + crl->tid = INVALID_THREAD_VAL; + crl->mfd = WOLFSSL_CRL_MFD_INIT_VAL; + crl->setup = 0; /* thread setup done predicate */ + if (wolfSSL_CondInit(&crl->cond) != 0) { WOLFSSL_MSG("Pthread condition init failed"); return BAD_COND_E; } @@ -221,22 +222,18 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic) } #ifdef HAVE_CRL_MONITOR - if (crl->tid != 0) { + if (crl->tid != INVALID_THREAD_VAL) { WOLFSSL_MSG("stopping monitor thread"); if (StopMonitor(crl->mfd) == 0) { - int _pthread_ret = pthread_join(crl->tid, NULL); - if (_pthread_ret != 0) + if (wolfSSL_JoinThread(crl->tid) != 0) WOLFSSL_MSG("stop monitor failed in pthread_join"); } else { WOLFSSL_MSG("stop monitor failed"); } } - { - int _pthread_ret = pthread_cond_destroy(&crl->cond); - if (_pthread_ret != 0) - WOLFSSL_MSG("pthread_cond_destroy failed in FreeCRL"); - } + if (wolfSSL_CondFree(&crl->cond) != 0) + WOLFSSL_MSG("pthread_cond_destroy failed in FreeCRL"); #endif wc_FreeMutex(&crl->crlLock); if (dynamic) /* free self */ @@ -931,15 +928,19 @@ static int SignalSetup(WOLFSSL_CRL* crl, int status) int ret; /* signal to calling thread we're setup */ +#ifndef COND_NO_REQUIRE_LOCKED_MUTEX if (wc_LockMutex(&crl->crlLock) != 0) { WOLFSSL_MSG("wc_LockMutex crlLock failed"); return BAD_MUTEX_E; } +#endif - crl->setup = status; - ret = pthread_cond_signal(&crl->cond); + crl->setup = status; + ret = wolfSSL_CondSignal(&crl->cond); +#ifndef COND_NO_REQUIRE_LOCKED_MUTEX wc_UnLockMutex(&crl->crlLock); +#endif if (ret != 0) return BAD_COND_E; @@ -1047,7 +1048,7 @@ static int SwapLists(WOLFSSL_CRL* crl) /* shutdown monitor thread, 0 on success */ -static int StopMonitor(int mfd) +static int StopMonitor(wolfSSL_CRL_mfd_t mfd) { struct kevent change; @@ -1063,7 +1064,7 @@ static int StopMonitor(int mfd) /* OS X monitoring */ -static void* DoMonitor(void* arg) +static THREAD_RETURN WOLFSSL_THREAD DoMonitor(void* arg) { int fPEM, fDER; struct kevent change; @@ -1180,7 +1181,7 @@ static void* DoMonitor(void* arg) /* shutdown monitor thread, 0 on success */ -static int StopMonitor(int mfd) +static int StopMonitor(wolfSSL_CRL_mfd_t mfd) { word64 w64 = 1; @@ -1195,7 +1196,7 @@ static int StopMonitor(int mfd) /* linux monitoring */ -static void* DoMonitor(void* arg) +static THREAD_RETURN WOLFSSL_THREAD DoMonitor(void* arg) { int notifyFd; int wd = -1; @@ -1326,7 +1327,120 @@ static void* DoMonitor(void* arg) return NULL; } -#endif /* MACH or linux */ +#elif defined(_MSC_VER) + +/* shutdown monitor thread, 0 on success */ +static int StopMonitor(wolfSSL_CRL_mfd_t mfd) +{ + if (SetEvent(mfd) == 0) { + WOLFSSL_MSG("SetEvent custom event trigger failed"); + return -1; + } + return 0; +} + +#define DM_ERROR() do { status = MONITOR_SETUP_E; goto cleanup; } while(0) + +/* windows monitoring + * Tested initially by hand by running + * .\server.exe -A certs/ca-cert.pem + * and connecting to with + * .\client.exe -C -c certs/server-cert.pem -k certs/server-key.pem + * This connection succeeds by default. By deleting all files from certs/crl + * except for crl.revoked we disallow the client to connect. Deleting files + * is done while the server is running to show that the monitor reacts to + * changes in the crl directory. */ +static THREAD_RETURN WOLFSSL_THREAD DoMonitor(void* arg) +{ + WOLFSSL_CRL* crl = (WOLFSSL_CRL*)arg; + int status = 0; + HANDLE handles[WOLFSSL_CRL_MONITORS_LEN + 1]; + DWORD handlesLen = 0; + int i; + + WOLFSSL_ENTER("DoMonitor"); + + handles[0] = crl->mfd = CreateEventA(NULL, FALSE, FALSE, NULL); + if (crl->mfd == NULL) { + WOLFSSL_MSG("CreateEventA failed"); + DM_ERROR(); + } + handlesLen++; + + for (i = 0; i < WOLFSSL_CRL_MONITORS_LEN; i++) { + if (crl->monitors[i].path) { + handles[handlesLen] = FindFirstChangeNotificationA( + crl->monitors[i].path, TRUE, + /* Watch for any changes that may affect what CRL's we load. + * This may trigger on the same file multiple times but this + * way we are certain that we have the most up to date and + * accurate set of CRL's. We don't expect this to trigger + * often enough for it to be a bottleneck. */ + FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_ATTRIBUTES | + FILE_NOTIFY_CHANGE_SIZE | FILE_NOTIFY_CHANGE_LAST_WRITE | + FILE_NOTIFY_CHANGE_SECURITY); + if (handles[handlesLen] == INVALID_HANDLE_VALUE) { + WOLFSSL_MSG("FindFirstChangeNotificationA failed"); + DM_ERROR(); + } + handlesLen++; + } + } + + if (handlesLen == 1) { + WOLFSSL_MSG("Nothing to watch. Only custom event handle set."); + DM_ERROR(); + } + + if (SignalSetup(crl, 1) != 0) { + WOLFSSL_MSG("Call to SignalSetup failed"); + DM_ERROR(); + } + + for (;;) { + DWORD waitRet = WaitForMultipleObjects(handlesLen, handles, FALSE, + INFINITE); + WOLFSSL_MSG("Got notify event"); + + if (waitRet >= WAIT_OBJECT_0 && waitRet < WAIT_OBJECT_0 + handlesLen) { + if (waitRet == WAIT_OBJECT_0) { + WOLFSSL_MSG("got custom shutdown event, breaking out"); + break; + } + else if (SwapLists(crl) < 0) { + WOLFSSL_MSG("SwapLists problem, continue"); + } + } + else { + WOLFSSL_MSG("Unexpected WaitForMultipleObjects return. Continue."); + } + + for (i = 1; i < (int)handlesLen; i++) { + if (FindNextChangeNotification(handles[i]) == 0) { + WOLFSSL_MSG("FindNextChangeNotification failed"); + DM_ERROR(); + } + } + } + +cleanup: + if (status != 0) + SignalSetup(crl, status); + for (i = 0; i < (int)handlesLen; i++) { + BOOL closeRet; + if (i == 0) /* First handle is our custom event */ + closeRet = CloseHandle(handles[i]); + else + closeRet = FindCloseChangeNotification(handles[i]); + if (closeRet == 0) { + WOLFSSL_MSG("Failed to close handle"); + } + } + crl->mfd = INVALID_HANDLE_VALUE; + return 0; +} + +#endif /* MACH or linux or windows */ /* Start Monitoring the CRL path(s) in a thread */ @@ -1339,36 +1453,40 @@ static int StartMonitorCRL(WOLFSSL_CRL* crl) if (crl == NULL) return BAD_FUNC_ARG; - if (crl->tid != 0) { + if (crl->tid != INVALID_THREAD_VAL) { WOLFSSL_MSG("Monitor thread already running"); return ret; /* that's ok, someone already started */ } - if (pthread_create(&crl->tid, NULL, DoMonitor, crl) != 0) { + if (wolfSSL_NewThread(&crl->tid, DoMonitor, crl) != 0) { WOLFSSL_MSG("Thread creation error"); return THREAD_CREATE_E; } +#ifndef COND_NO_REQUIRE_LOCKED_MUTEX /* wait for setup to complete */ if (wc_LockMutex(&crl->crlLock) != 0) { WOLFSSL_MSG("wc_LockMutex crlLock error"); return BAD_MUTEX_E; } +#endif - while (crl->setup == 0) { - if (pthread_cond_wait(&crl->cond, &crl->crlLock) != 0) { - ret = BAD_COND_E; - break; - } + while (crl->setup == 0) { + if (wolfSSL_CondWait(&crl->cond, &crl->crlLock) != 0) { + ret = BAD_COND_E; + break; } - if (crl->setup < 0) - ret = crl->setup; /* store setup error */ + } + if (crl->setup < 0) + ret = crl->setup; /* store setup error */ +#ifndef COND_NO_REQUIRE_LOCKED_MUTEX wc_UnLockMutex(&crl->crlLock); +#endif if (ret < 0) { WOLFSSL_MSG("DoMonitor setup failure"); - crl->tid = 0; /* thread already done */ + crl->tid = INVALID_THREAD_VAL; /* thread already done */ } return ret; @@ -1451,13 +1569,14 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) #endif if (monitor & WOLFSSL_CRL_MONITOR) { +#ifdef HAVE_CRL_MONITOR word32 pathLen; char* pathBuf; WOLFSSL_MSG("monitor path requested"); pathLen = (word32)XSTRLEN(path); - pathBuf = (char*)XMALLOC(pathLen+1, crl->heap,DYNAMIC_TYPE_CRL_MONITOR); + pathBuf = (char*)XMALLOC(pathLen+1, crl->heap, DYNAMIC_TYPE_CRL_MONITOR); if (pathBuf) { XMEMCPY(pathBuf, path, pathLen+1); @@ -1488,6 +1607,10 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor) else { ret = MEMORY_E; } +#else + WOLFSSL_MSG("CRL monitoring requested but not compiled in"); + ret = NOT_COMPILED_IN; +#endif } return ret; diff --git a/src/pk.c b/src/pk.c index 07a8c97c4..05ff40a22 100644 --- a/src/pk.c +++ b/src/pk.c @@ -10209,7 +10209,7 @@ static int ec_point_convert_to_affine(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *point) { int err = 0; - mp_digit mp; + mp_digit mp = 0; #ifdef WOLFSSL_SMALL_STACK mp_int* modulus; #else diff --git a/tests/api.c b/tests/api.c index 6881328e0..779ca74fb 100644 --- a/tests/api.c +++ b/tests/api.c @@ -54588,50 +54588,58 @@ static int test_wolfSSL_CTX_LoadCRL(void) const char* issuerCert = "./certs/client-cert.pem"; int derType = WOLFSSL_FILETYPE_ASN1; int pemType = WOLFSSL_FILETYPE_PEM; +#ifdef HAVE_CRL_MONITOR int monitor = WOLFSSL_CRL_MONITOR; +#else + int monitor = 0; +#endif WOLFSSL_CERT_MANAGER* cm = NULL; - ExpectIntEQ(wolfSSL_CTX_LoadCRL(ctx, validPath, pemType, monitor), - BAD_FUNC_ARG); - + #define FAIL_T1(x, y, z, p, d) AssertIntEQ((int) x(y, z, p, d), \ + BAD_FUNC_ARG) + #define FAIL_T2(x, y, z, p, d) AssertIntEQ((int) x(y, z, p, d), \ + NOT_COMPILED_IN) + #define SUCC_T(x, y, z, p, d) AssertIntEQ((int) x(y, z, p, d), \ + WOLFSSL_SUCCESS) #ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + #define NEW_CTX(ctx) AssertNotNull( \ + ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())) +#elif !defined(NO_WOLFSSL_SERVER) + #define NEW_CTX(ctx) AssertNotNull( \ + ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())) #else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + #define NEW_CTX(ctx) return #endif - ExpectIntEQ(wolfSSL_CTX_LoadCRL(ctx, validPath, pemType, monitor), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_LoadCRL(ctx, badPath, pemType, monitor), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_LoadCRL(ctx, badPath, derType, monitor), - WOLFSSL_SUCCESS); + FAIL_T1(wolfSSL_CTX_LoadCRL, ctx, validPath, pemType, monitor); + + NEW_CTX(ctx); + +#ifndef HAVE_CRL_MONITOR + FAIL_T2(wolfSSL_CTX_LoadCRL, ctx, validPath, pemType, WOLFSSL_CRL_MONITOR); + wolfSSL_CTX_free(ctx); + NEW_CTX(ctx); +#endif + + SUCC_T (wolfSSL_CTX_LoadCRL, ctx, validPath, pemType, monitor); + SUCC_T (wolfSSL_CTX_LoadCRL, ctx, badPath, pemType, monitor); + SUCC_T (wolfSSL_CTX_LoadCRL, ctx, badPath, derType, monitor); wolfSSL_CTX_free(ctx); ctx = NULL; -#ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#endif - ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL), - WOLFSSL_SUCCESS); - ExpectIntEQ(wolfSSL_CTX_LoadCRLFile(ctx, validFilePath, pemType), - WOLFSSL_SUCCESS); + NEW_CTX(ctx); + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL), + WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CTX_LoadCRLFile(ctx, validFilePath, pemType), WOLFSSL_SUCCESS); wolfSSL_CTX_free(ctx); ctx = NULL; -#ifndef NO_WOLFSSL_CLIENT - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); -#else - ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); -#endif - ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL), - WOLFSSL_SUCCESS); - ExpectNotNull(ssl = wolfSSL_new(ctx)); - ExpectIntEQ(wolfSSL_LoadCRLFile(ssl, validFilePath, pemType), - WOLFSSL_SUCCESS); + NEW_CTX(ctx); + AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL), + WOLFSSL_SUCCESS); + AssertNotNull(ssl = wolfSSL_new(ctx)); + AssertIntEQ(wolfSSL_LoadCRLFile(ssl, validFilePath, pemType), WOLFSSL_SUCCESS); wolfSSL_free(ssl); ssl = NULL; wolfSSL_CTX_free(ctx); diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index a4e25a17b..25dd8f0f1 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -469,7 +469,7 @@ void wait_tcp_ready(func_args* args) * @param [in] args Object to send to function in thread. * @param [out] thread Handle to thread. */ -void start_thread(THREAD_FUNC fun, func_args* args, THREAD_TYPE* thread) +void start_thread(THREAD_CB fun, func_args* args, THREAD_TYPE* thread) { #if defined(HAVE_PTHREAD) PTHREAD_CHECK_RET(pthread_create(thread, 0, fun, args)); @@ -529,8 +529,8 @@ void start_thread(THREAD_FUNC fun, func_args* args, THREAD_TYPE* thread) } /* end if NETOS */ #else - /* custom / external thread type */ - *thread = (THREAD_TYPE)_beginthreadex(0, 0, fun, args, 0, 0); + /* windows thread type */ + *thread = (THREAD_TYPE)_beginthreadex(NULL, 0, fun, args, 0, 0); #endif /* thread types */ } @@ -554,7 +554,7 @@ void join_thread(THREAD_TYPE thread) #elif defined(NETOS) /* TODO: */ #else - int res = WaitForSingleObject((HANDLE)thread, INFINITE); + DWORD res = WaitForSingleObject((HANDLE)thread, INFINITE); assert(res == WAIT_OBJECT_0); res = CloseHandle((HANDLE)thread); assert(res); diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 1318e78d9..10d41bb0e 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -3344,3 +3344,100 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) #include /* sha256 */ #endif #endif + + +#ifndef SINGLE_THREADED + +#ifdef _MSC_VER + int wolfSSL_NewThread(THREAD_TYPE* thread, + THREAD_CB cb, void* arg) + { + if (thread == NULL || cb == NULL) + return BAD_FUNC_ARG; + + /* Use _beginthreadex instead of _beginthread because of: + * _beginthreadex is safer to use than _beginthread. If the thread + * that's generated by _beginthread exits quickly, the handle that's + * returned to the caller of _beginthread might be invalid or point + * to another thread. However, the handle that's returned by + * _beginthreadex has to be closed by the caller of _beginthreadex, + * so it's guaranteed to be a valid handle if _beginthreadex didn't + * return an error.*/ + *thread = _beginthreadex(NULL, 0, cb, arg, 0, NULL); + if (*thread == 0) { + *thread = INVALID_THREAD_VAL; + return MEMORY_ERROR; + } + + return 0; + } + + int wolfSSL_JoinThread(THREAD_TYPE thread) + { + if (thread == INVALID_THREAD_VAL) + return BAD_FUNC_ARG; + + if (WaitForSingleObject((HANDLE)thread, INFINITE) == WAIT_FAILED) + return MEMORY_ERROR; + + if (CloseHandle((HANDLE)thread) == 0) + return MEMORY_ERROR; + + return 0; + } + +#ifdef WOLFSSL_COND + int wolfSSL_CondInit(COND_TYPE* cond) + { + if (cond == NULL) + return BAD_FUNC_ARG; + + *cond = CreateEventA(NULL, FALSE, FALSE, NULL); + if (*cond == NULL) + return MEMORY_ERROR; + + return 0; + } + + int wolfSSL_CondFree(COND_TYPE* cond) + { + if (cond == NULL) + return BAD_FUNC_ARG; + + if (CloseHandle(*cond) == 0) + return MEMORY_ERROR; + + return 0; + } + + int wolfSSL_CondSignal(COND_TYPE* cond) + { + if (cond == NULL) + return BAD_FUNC_ARG; + + if (SetEvent(*cond) == 0) + return MEMORY_ERROR; + + return 0; + } + + int wolfSSL_CondWait(COND_TYPE* cond, + wolfSSL_Mutex* mutex) + { + (void)mutex; + + if (cond == NULL) + return BAD_FUNC_ARG; + + if (WaitForSingleObject(*cond, INFINITE) == WAIT_FAILED) + return MEMORY_ERROR; + + return 0; + } +#endif /* WOLFSSL_COND */ + +#else /* pthread */ + +#endif + +#endif /* SINGLE_THREADED */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index fba891061..ec47b4352 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2408,6 +2408,19 @@ struct CRL_Monitor { #undef HAVE_CRL_MONITOR #endif +/* PEM and DER possible */ +#define WOLFSSL_CRL_MONITORS_LEN (2) + +#if defined(__MACH__) || defined(__FreeBSD__) || defined(__linux__) +typedef int wolfSSL_CRL_mfd_t; /* monitor fd, -1 if no init yet */ +/* mfd for bsd is kqueue fd, eventfd for linux */ +#define WOLFSSL_CRL_MFD_INIT_VAL (-1) +#elif defined(_MSC_VER) +typedef HANDLE wolfSSL_CRL_mfd_t; /* monitor fd, INVALID_HANDLE_VALUE if + * no init yet */ +#define WOLFSSL_CRL_MFD_INIT_VAL (INVALID_HANDLE_VALUE) +#endif + /* wolfSSL CRL controller */ struct WOLFSSL_CRL { WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ @@ -2417,11 +2430,11 @@ struct WOLFSSL_CRL { CbCrlIO crlIOCb; #endif wolfSSL_Mutex crlLock; /* CRL list lock */ - CRL_Monitor monitors[2]; /* PEM and DER possible */ + CRL_Monitor monitors[WOLFSSL_CRL_MONITORS_LEN]; #ifdef HAVE_CRL_MONITOR - pthread_cond_t cond; /* condition to signal setup */ - pthread_t tid; /* monitoring thread */ - int mfd; /* monitor fd, -1 if no init yet */ + COND_TYPE cond; /* condition to signal setup */ + THREAD_TYPE tid; /* monitoring thread */ + wolfSSL_CRL_mfd_t mfd; int setup; /* thread is setup predicate */ #endif void* heap; /* heap hint for dynamic memory */ diff --git a/wolfssl/test.h b/wolfssl/test.h index 0b36a5e74..63dfb97c9 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -633,13 +633,7 @@ typedef struct func_args { void wait_tcp_ready(func_args* args); -#ifdef WOLFSSL_ZEPHYR -typedef void THREAD_FUNC(void*, void*, void*); -#else -typedef THREAD_RETURN WOLFSSL_THREAD THREAD_FUNC(void*); -#endif - -void start_thread(THREAD_FUNC fun, func_args* args, THREAD_TYPE* thread); +void start_thread(THREAD_CB fun, func_args* args, THREAD_TYPE* thread); void join_thread(THREAD_TYPE thread); typedef int (*cbType)(WOLFSSL_CTX *ctx, WOLFSSL *ssl); diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 17f774db8..4318174c0 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -1360,18 +1360,49 @@ typedef struct w64wrapper { typedef void* THREAD_RETURN; typedef pthread_t THREAD_TYPE; #define WOLFSSL_THREAD - #define INFINITE (-1) - #define WAIT_OBJECT_0 0L +#error TODO implement threading with pthreads #elif defined(FREERTOS) typedef unsigned int THREAD_RETURN; typedef TaskHandle_t THREAD_TYPE; #define WOLFSSL_THREAD + #elif defined(_MSC_VER) + typedef unsigned THREAD_RETURN; + typedef uintptr_t THREAD_TYPE; + typedef HANDLE COND_TYPE; + #define WOLFSSL_COND + #define INVALID_THREAD_VAL ((THREAD_TYPE)(INVALID_HANDLE_VALUE)) + #define COND_NO_REQUIRE_LOCKED_MUTEX + #define WOLFSSL_THREAD __stdcall #else typedef unsigned int THREAD_RETURN; typedef size_t THREAD_TYPE; #define WOLFSSL_THREAD __stdcall #endif + + #ifndef SINGLE_THREADED + /* Necessary headers should already be included. */ + + /* We don't support returns from threads */ + typedef THREAD_RETURN (WOLFSSL_THREAD *THREAD_CB)(void* arg); + + #ifndef INVALID_THREAD_VAL + #define INVALID_THREAD_VAL (-1) + #endif + + WOLFSSL_LOCAL int wolfSSL_NewThread(THREAD_TYPE* thread, + THREAD_CB cb, void* arg); + WOLFSSL_LOCAL int wolfSSL_JoinThread(THREAD_TYPE thread); + + #ifdef WOLFSSL_COND + WOLFSSL_LOCAL int wolfSSL_CondInit(COND_TYPE* cond); + WOLFSSL_LOCAL int wolfSSL_CondFree(COND_TYPE* cond); + WOLFSSL_LOCAL int wolfSSL_CondSignal(COND_TYPE* cond); + WOLFSSL_LOCAL int wolfSSL_CondWait(COND_TYPE* cond, + wolfSSL_Mutex* mutex); + #endif + #endif /* SINGLE_THREADED */ + #if defined(HAVE_STACK_SIZE) #define EXIT_TEST(ret) return (THREAD_RETURN)((size_t)(ret)) #else diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 01e5ed6d9..975b668d7 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -77,6 +77,9 @@ #endif #endif /* WOLFSSL_SGX */ #endif + #ifndef SINGLE_THREADED + #include + #endif #elif defined(THREADX) #ifndef SINGLE_THREADED #ifdef NEED_THREADX_TYPES From bff2cf569097266b335efdc6dba56d0857eacccb Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 23 May 2023 17:03:18 +0200 Subject: [PATCH 2/9] Add crl monitor unit testing --- examples/server/server.c | 15 +++- src/crl.c | 2 +- testsuite/testsuite.c | 181 +++++++++++++++++++++++++++++++++++++++ wolfssl/test.h | 11 +++ 4 files changed, 206 insertions(+), 3 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index 326f3b28d..bceeca1db 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -1410,6 +1410,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifdef HAVE_SUPPORTED_CURVES {"onlyPskDheKe", 2, 264}, #endif /* HAVE_SUPPORTED_CURVES */ +#ifdef HAVE_CRL + {"crl-dir", 1, 265}, +#endif { 0, 0, 0 } }; #endif @@ -1531,6 +1534,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) int useDtlsCID = 0; char dtlsCID[DTLS_CID_BUFFER_SIZE] = { 0 }; #endif /* WOLFSSL_DTLS_CID */ +#ifdef HAVE_CRL + char* crlDir = NULL; +#endif #ifdef WOLFSSL_STATIC_MEMORY /* Note: Actual memory used is much less, this is the entire buffer buckets, @@ -2279,6 +2285,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifdef WOLFSSL_TLS13 onlyPskDheKe = 1; #endif +#endif + break; + case 265: +#ifdef HAVE_CRL + crlDir = myoptarg; #endif break; @@ -3029,8 +3040,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif if (wolfSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "unable to enable CRL"); - if (wolfSSL_LoadCRL(ssl, crlPemDir, WOLFSSL_FILETYPE_PEM, crlFlags) - != WOLFSSL_SUCCESS) + if (wolfSSL_LoadCRL(ssl, crlDir != NULL ? crlDir : crlPemDir, + WOLFSSL_FILETYPE_PEM, crlFlags) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "unable to load CRL"); if (wolfSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS) err_sys_ex(runWithErrors, "unable to set CRL callback url"); diff --git a/src/crl.c b/src/crl.c index c7c210ebd..02a347360 100644 --- a/src/crl.c +++ b/src/crl.c @@ -1343,7 +1343,7 @@ static int StopMonitor(wolfSSL_CRL_mfd_t mfd) /* windows monitoring * Tested initially by hand by running - * .\server.exe -A certs/ca-cert.pem + * .\server.exe -A certs/ca-cert.pem -i -x * and connecting to with * .\client.exe -C -c certs/server-cert.pem -k certs/server-key.pem * This connection succeeds by default. By deleting all files from certs/crl diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 25dd8f0f1..910e19730 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -57,6 +57,7 @@ static THREAD_RETURN simple_test(func_args *args); static void simple_test(func_args *args); #endif static int test_tls(func_args* server_args); +static int test_crl_monitor(void); static void show_ciphers(void); static void cleanup_output(void); static int validate_cleanup_output(void); @@ -214,6 +215,15 @@ int testsuite_test(int argc, char** argv) cleanup_output(); return server_args.return_code; } + +#ifdef HAVE_CRL_MONITOR + ret = test_crl_monitor(); + if (ret != 0) { + cleanup_output(); + return ret; + } +#endif + #endif /* !NETOS */ show_ciphers(); @@ -246,6 +256,109 @@ int testsuite_test(int argc, char** argv) return EXIT_SUCCESS; } +#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) && \ + defined(HAVE_CRL_MONITOR) +#define CRL_MONITOR_TEST_ROUNDS 6 + +static int test_crl_monitor(void) +{ + func_args server_args; + func_args client_args; + THREAD_TYPE serverThread; + tcp_ready ready; + char buf[128]; + char tmpDir[16]; + char rounds[4]; + char* serverArgv[] = { + "testsuite", + "-A", "certs/ca-cert.pem", + "--crl-dir", tmpDir, + "-C", rounds, + "-x" + }; + char* clientArgv[] = { + "testsuite", + "-C", + "-c", "certs/server-cert.pem", + "-k", "certs/server-key.pem", + "-H", "exitWithRet" + }; + int ret = -1; + int i; + + sprintf(rounds, "%d", CRL_MONITOR_TEST_ROUNDS); + + XMEMSET(&server_args, 0, sizeof(func_args)); + XMEMSET(&client_args, 0, sizeof(func_args)); + + /* Create temp dir */ + if (create_tmp_dir(tmpDir, sizeof(tmpDir) - 1) == NULL) { + fprintf(stderr, "Failed to create tmp dir"); + goto cleanup; + } + + server_args.argv = serverArgv; + server_args.argc = sizeof(serverArgv) / sizeof(*serverArgv); + client_args.signal = server_args.signal = &ready; + client_args.argv = clientArgv; + client_args.argc = sizeof(clientArgv) / sizeof(*clientArgv); + + InitTcpReady(&ready); + start_thread(server_test, &server_args, &serverThread); + wait_tcp_ready(&server_args); + + for (i = 0; i < CRL_MONITOR_TEST_ROUNDS; i++) { + int expectFail; + if (i % 2 == 0) { + /* succeed on even rounds */ + sprintf(buf, "%s/%s", tmpDir, "crl.pem"); + copy_file("certs/crl/crl.pem", buf); + sprintf(buf, "%s/%s", tmpDir, "crl.revoked"); + /* The monitor can be holding the file handle and this will cause + * the remove call to fail. Let's give the monitor a second to + * finish up. */ + XSLEEP_MS(1000); + rem_file(buf); + expectFail = 0; + } + else { + /* fail on odd rounds */ + sprintf(buf, "%s/%s", tmpDir, "crl.revoked"); + copy_file("certs/crl/crl.revoked", buf); + sprintf(buf, "%s/%s", tmpDir, "crl.pem"); + /* The monitor can be holding the file handle and this will cause + * the remove call to fail. Let's give the monitor a second to + * finish up. */ + XSLEEP_MS(1000); + rem_file(buf); + expectFail = 1; + } + + client_args.return_code = 0; + client_test(&client_args); + + if (!expectFail) { + if (client_args.return_code != 0) + goto cleanup; + } + else { + if (client_args.return_code == 0) + goto cleanup; + } + } + + join_thread(serverThread); + ret = 0; +cleanup: + sprintf(buf, "%s/%s", tmpDir, "crl.pem"); + rem_file(buf); + sprintf(buf, "%s/%s", tmpDir, "crl.revoked"); + rem_file(buf); + (void)rem_dir(tmpDir); + return ret; +} +#endif + #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) && \ (!defined(WOLF_CRYPTO_CB_ONLY_RSA) && !defined(WOLF_CRYPTO_CB_ONLY_ECC)) /* Perform a basic TLS handshake. @@ -562,6 +675,74 @@ void join_thread(THREAD_TYPE thread) #endif } +#include + +#define TMP_DIR_PREFIX "tmpDir-" +/* len is length of tmpDir name, assuming + * len does not include null terminating character */ +char* create_tmp_dir(char *tmpDir, int len) +{ + if (len < XSTR_SIZEOF(TMP_DIR_PREFIX)) + return NULL; + + XMEMCPY(tmpDir, TMP_DIR_PREFIX, XSTR_SIZEOF(TMP_DIR_PREFIX)); + + if (mymktemp(tmpDir, len, len - XSTR_SIZEOF(TMP_DIR_PREFIX)) == NULL) + return NULL; + + if (_mkdir(tmpDir) != 0) + return NULL; + + return tmpDir; +} + +int rem_dir(const char* dirName) +{ + if (_rmdir(dirName) != 0) + return -1; + return 0; +} + +int rem_file(const char* fileName) +{ + if (_unlink(fileName) != 0) + return -1; + return 0; +} + +int copy_file(const char* in, const char* out) +{ + byte buf[2500]; + XFILE inFile = XBADFILE; + XFILE outFile = XBADFILE; + size_t sz; + int ret = -1; + + inFile = XFOPEN(in, "rb"); + if (inFile == XBADFILE) + goto cleanup; + + outFile = XFOPEN(out, "wb"); + if (outFile == XBADFILE) + goto cleanup; + + sz = XFREAD(buf, 1, sizeof(buf), inFile); + /* 2500 bytes should be more than enough to read the entire files. + * Error out if we can't read the file all at once. */ + if (sz == sizeof(buf) || sz == 0) + goto cleanup; + + if (XFWRITE(buf, 1, sz, outFile) != sz) + goto cleanup; + + ret = 0; +cleanup: + if (inFile != XBADFILE) + XFCLOSE(inFile); + if (outFile != XBADFILE) + XFCLOSE(outFile); + return ret; +} #ifndef NO_SHA256 /* Create SHA-256 hash of the file based on filename. diff --git a/wolfssl/test.h b/wolfssl/test.h index 63dfb97c9..c15aa09ac 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -643,6 +643,17 @@ void test_wolfSSL_client_server_nofail_ex(callback_functions* client_cb, void test_wolfSSL_client_server_nofail(callback_functions* client_cb, callback_functions* server_cb); +/* Return + * tmpDir on success + * NULL on failure */ +char* create_tmp_dir(char* tmpDir, int len); +/* Remaining functions return + * 0 on success + * -1 on failure */ +int rem_dir(const char* dirName); +int rem_file(const char* fileName); +int copy_file(const char* in, const char* out); + /* wolfSSL */ #ifndef TEST_IPV6 static const char* const wolfSSLIP = "127.0.0.1"; From ca77da92e5aff57990241e9d9c0c8283d827eda2 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 24 May 2023 11:53:57 +0200 Subject: [PATCH 3/9] Implement pthreads threading --- tests/unit.c | 2 +- testsuite/testsuite.c | 30 +++++-- wolfcrypt/src/wc_port.c | 82 ++++++++++++++++++- wolfssl/wolfcrypt/types.h | 5 +- .../samples/wolfssl_tls_sock/src/tls_sock.c | 2 +- .../wolfssl_tls_thread/src/tls_threaded.c | 2 +- 6 files changed, 110 insertions(+), 13 deletions(-) diff --git a/tests/unit.c b/tests/unit.c index 1f1bfd327..825c5550f 100644 --- a/tests/unit.c +++ b/tests/unit.c @@ -291,7 +291,7 @@ void wait_tcp_ready(func_args* args) } -void start_thread(THREAD_FUNC fun, func_args* args, THREAD_TYPE* thread) +void start_thread(THREAD_CB fun, func_args* args, THREAD_TYPE* thread) { #if defined(SINGLE_THREADED) (void)fun; diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 910e19730..7b227531a 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -269,14 +269,14 @@ static int test_crl_monitor(void) char buf[128]; char tmpDir[16]; char rounds[4]; - char* serverArgv[] = { + const char* serverArgv[] = { "testsuite", "-A", "certs/ca-cert.pem", "--crl-dir", tmpDir, "-C", rounds, "-x" }; - char* clientArgv[] = { + const char* clientArgv[] = { "testsuite", "-C", "-c", "certs/server-cert.pem", @@ -297,10 +297,10 @@ static int test_crl_monitor(void) goto cleanup; } - server_args.argv = serverArgv; + server_args.argv = (char**)serverArgv; server_args.argc = sizeof(serverArgv) / sizeof(*serverArgv); client_args.signal = server_args.signal = &ready; - client_args.argv = clientArgv; + client_args.argv = (char**)clientArgv; client_args.argc = sizeof(clientArgv) / sizeof(*clientArgv); InitTcpReady(&ready); @@ -675,14 +675,18 @@ void join_thread(THREAD_TYPE thread) #endif } +#ifndef NO_FILESYSTEM + +#ifdef _MSC_VER #include +#endif #define TMP_DIR_PREFIX "tmpDir-" /* len is length of tmpDir name, assuming * len does not include null terminating character */ char* create_tmp_dir(char *tmpDir, int len) { - if (len < XSTR_SIZEOF(TMP_DIR_PREFIX)) + if (len < (int)XSTR_SIZEOF(TMP_DIR_PREFIX)) return NULL; XMEMCPY(tmpDir, TMP_DIR_PREFIX, XSTR_SIZEOF(TMP_DIR_PREFIX)); @@ -690,23 +694,38 @@ char* create_tmp_dir(char *tmpDir, int len) if (mymktemp(tmpDir, len, len - XSTR_SIZEOF(TMP_DIR_PREFIX)) == NULL) return NULL; +#ifdef _MSC_VER if (_mkdir(tmpDir) != 0) return NULL; +#else + if (mkdir(tmpDir, 0700) != 0) + return NULL; +#endif return tmpDir; } int rem_dir(const char* dirName) { +#ifdef _MSC_VER if (_rmdir(dirName) != 0) return -1; +#else + if (rmdir(dirName) != 0) + return -1; +#endif return 0; } int rem_file(const char* fileName) { +#ifdef _MSC_VER if (_unlink(fileName) != 0) return -1; +#else + if (unlink(fileName) != 0) + return -1; +#endif return 0; } @@ -743,6 +762,7 @@ cleanup: XFCLOSE(outFile); return ret; } +#endif /* !NO_FILESYSTEM */ #ifndef NO_SHA256 /* Create SHA-256 hash of the file based on filename. diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 10d41bb0e..84c96af4f 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -3374,16 +3374,19 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) int wolfSSL_JoinThread(THREAD_TYPE thread) { + int ret = 0; + if (thread == INVALID_THREAD_VAL) return BAD_FUNC_ARG; + /* We still want to attempt to close the thread handle even on error */ if (WaitForSingleObject((HANDLE)thread, INFINITE) == WAIT_FAILED) - return MEMORY_ERROR; + ret = MEMORY_ERROR; if (CloseHandle((HANDLE)thread) == 0) - return MEMORY_ERROR; + ret = MEMORY_ERROR; - return 0; + return ret; } #ifdef WOLFSSL_COND @@ -3438,6 +3441,79 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) #else /* pthread */ + int wolfSSL_NewThread(THREAD_TYPE* thread, + THREAD_CB cb, void* arg) + { + if (thread == NULL || cb == NULL) + return BAD_FUNC_ARG; + + if (pthread_create(thread, NULL, cb, arg) != 0) + return MEMORY_ERROR; + + return 0; + } + + int wolfSSL_JoinThread(THREAD_TYPE thread) + { + if (thread == INVALID_THREAD_VAL) + return BAD_FUNC_ARG; + + if (pthread_join(thread, NULL) != 0) + return MEMORY_ERROR; + + return 0; + } + +#ifdef WOLFSSL_COND + int wolfSSL_CondInit(COND_TYPE* cond) + { + if (cond == NULL) + return BAD_FUNC_ARG; + + if (pthread_cond_init(cond, NULL) != 0) + return MEMORY_ERROR; + + return 0; + } + + int wolfSSL_CondFree(COND_TYPE* cond) + { + if (cond == NULL) + return BAD_FUNC_ARG; + + if (pthread_cond_destroy(cond) != 0) + return MEMORY_ERROR; + + return 0; + } + + int wolfSSL_CondSignal(COND_TYPE* cond) + { + if (cond == NULL) + return BAD_FUNC_ARG; + + if (pthread_cond_signal(cond) != 0) + return MEMORY_ERROR; + + return 0; + } + + int wolfSSL_CondWait(COND_TYPE* cond, + wolfSSL_Mutex* mutex) + { + if (cond == NULL || mutex == NULL) + return BAD_FUNC_ARG; + + /* mutex has to be locked on entry so we can't touch */ + + if (pthread_cond_wait(cond, mutex) != 0) + return MEMORY_ERROR; + + return 0; + } + +#endif /* WOLFSSL_COND */ + #endif #endif /* SINGLE_THREADED */ diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 4318174c0..6354dd763 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -1359,8 +1359,9 @@ typedef struct w64wrapper { !defined(__MINGW32__) typedef void* THREAD_RETURN; typedef pthread_t THREAD_TYPE; + typedef pthread_cond_t COND_TYPE; + #define WOLFSSL_COND #define WOLFSSL_THREAD -#error TODO implement threading with pthreads #elif defined(FREERTOS) typedef unsigned int THREAD_RETURN; typedef TaskHandle_t THREAD_TYPE; @@ -1387,7 +1388,7 @@ typedef struct w64wrapper { typedef THREAD_RETURN (WOLFSSL_THREAD *THREAD_CB)(void* arg); #ifndef INVALID_THREAD_VAL - #define INVALID_THREAD_VAL (-1) + #define INVALID_THREAD_VAL ((THREAD_TYPE)(-1)) #endif WOLFSSL_LOCAL int wolfSSL_NewThread(THREAD_TYPE* thread, diff --git a/zephyr/samples/wolfssl_tls_sock/src/tls_sock.c b/zephyr/samples/wolfssl_tls_sock/src/tls_sock.c index 8e71527db..d821f1edd 100644 --- a/zephyr/samples/wolfssl_tls_sock/src/tls_sock.c +++ b/zephyr/samples/wolfssl_tls_sock/src/tls_sock.c @@ -294,7 +294,7 @@ static void wolfssl_memstats(WOLFSSL* ssl) /* Start the server thread. */ -void start_thread(THREAD_FUNC func, func_args* args, THREAD_TYPE* thread) +void start_thread(THREAD_CB func, func_args* args, THREAD_TYPE* thread) { k_thread_create(thread, server_stack, K_THREAD_STACK_SIZEOF(server_stack), func, args, NULL, NULL, 5, 0, K_NO_WAIT); diff --git a/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c b/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c index 57990ab99..3a59669f8 100644 --- a/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c +++ b/zephyr/samples/wolfssl_tls_thread/src/tls_threaded.c @@ -517,7 +517,7 @@ static void wolfssl_memstats(WOLFSSL* ssl) /* Start the server thread. */ -void start_thread(THREAD_FUNC func, func_args* args, THREAD_TYPE* thread) +void start_thread(THREAD_CB func, func_args* args, THREAD_TYPE* thread) { k_thread_create(thread, server_stack, K_THREAD_STACK_SIZEOF(server_stack), func, args, NULL, NULL, 5, 0, K_NO_WAIT); From 3d68bcd6f7e6660dac96abb847639f66e59774c8 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 24 May 2023 11:58:41 +0200 Subject: [PATCH 4/9] Jenkins fixes --- configure.ac | 2 +- examples/client/client.c | 85 +++++++++++++++----------- examples/server/server.c | 112 +++++++++++++++++++++-------------- src/crl.c | 19 +----- src/internal.c | 1 + src/ssl.c | 19 +++++- tests/api.c | 16 ++--- tests/suites.c | 6 +- tests/unit.c | 3 + testsuite/testsuite.c | 24 ++++++-- wolfcrypt/src/wc_port.c | 30 +++++----- wolfssl/internal.h | 7 +++ wolfssl/test.h | 4 +- wolfssl/wolfcrypt/settings.h | 17 ------ wolfssl/wolfcrypt/types.h | 2 +- wolfssl/wolfcrypt/wc_port.h | 17 ++++++ 16 files changed, 216 insertions(+), 148 deletions(-) diff --git a/configure.ac b/configure.ac index fd3e5fa9b..e193038f5 100644 --- a/configure.ac +++ b/configure.ac @@ -8816,7 +8816,7 @@ rm cyassl/options.h.bak if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "$ENABLED_LINUXKM" = "no" then SAVE_CFLAGS=$CFLAGS - CFLAGS="$CFLAGS -I. -I$srcdir" + CFLAGS="$CFLAGS $DEFS -I. -I$srcdir" if test "$ENABLED_INTEL_QA" = "yes" then CFLAGS="$CFLAGS $QAT_FLAGS" diff --git a/examples/client/client.c b/examples/client/client.c index 2eb36b9d7..bd2b14873 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -138,6 +138,15 @@ static int lng_index = 0; #endif +static int quieter = 0; /* Print fewer messages. This is helpful with overly + * ambitious log parsers. */ + +#define LOG_ERROR(...) \ + do { \ + if (!quieter) \ + fprintf(stderr, __VA_ARGS__); \ + } while(0) + #ifdef HAVE_SESSION_TICKET #ifndef SESSION_TICKET_LEN @@ -435,7 +444,7 @@ static void EarlyData(WOLFSSL_CTX* ctx, WOLFSSL* ssl, const char* msg, } } while (err == WC_PENDING_E); if (ret != msgSz) { - fprintf(stderr, "SSL_write_early_data msg error %d, %s\n", err, + LOG_ERROR("SSL_write_early_data msg error %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); wolfSSL_free(ssl); ssl = NULL; wolfSSL_CTX_free(ctx); ctx = NULL; @@ -455,7 +464,7 @@ static void EarlyData(WOLFSSL_CTX* ctx, WOLFSSL* ssl, const char* msg, } } while (err == WC_PENDING_E); if (ret != msgSz) { - fprintf(stderr, "SSL_write_early_data msg error %d, %s\n", err, + LOG_ERROR("SSL_write_early_data msg error %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); @@ -723,7 +732,7 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, } } while (err == WC_PENDING_E); if (ret != len) { - fprintf(stderr, "SSL_write bench error %d!\n", err); + LOG_ERROR("SSL_write bench error %d!\n", err); if (!exitWithRet) err_sys("SSL_write failed"); goto doExit; @@ -749,7 +758,7 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, #endif if (err != WOLFSSL_ERROR_WANT_READ && err != WOLFSSL_ERROR_WANT_WRITE) { - fprintf(stderr, "SSL_read bench error %d\n", err); + LOG_ERROR("SSL_read bench error %d\n", err); err_sys("SSL_read failed"); } } @@ -943,7 +952,7 @@ static int SMTP_Shutdown(WOLFSSL* ssl, int wc_shutdown) printf("Bidirectional shutdown complete\n"); } if (ret != WOLFSSL_SUCCESS) - fprintf(stderr, "Bidirectional shutdown failed\n"); + LOG_ERROR("Bidirectional shutdown failed\n"); } return WOLFSSL_SUCCESS; @@ -974,7 +983,7 @@ static int ClientWrite(WOLFSSL* ssl, const char* msg, int msgSz, const char* str ); if (ret != msgSz) { char buffer[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "SSL_write%s msg error %d, %s\n", str, err, + LOG_ERROR("SSL_write%s msg error %d, %s\n", str, err, wolfSSL_ERR_error_string(err, buffer)); if (!exitWithRet) { err_sys("SSL_write failed"); @@ -1005,7 +1014,7 @@ static int ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead, #endif if (err != WOLFSSL_ERROR_WANT_READ && err != WOLFSSL_ERROR_WANT_WRITE && err != APP_DATA_READY) { - fprintf(stderr, "SSL_read reply error %d, %s\n", err, + LOG_ERROR("SSL_read reply error %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); if (!exitWithRet) { err_sys("SSL_read failed"); @@ -1021,7 +1030,7 @@ static int ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead, || err == WOLFSSL_ERROR_WANT_WRITE)) { elapsed = current_time(0) - start; if (elapsed > MAX_NON_BLOCK_SEC) { - fprintf(stderr, "Nonblocking read timeout\n"); + LOG_ERROR("Nonblocking read timeout\n"); ret = WOLFSSL_FATAL_ERROR; break; } @@ -1505,12 +1514,12 @@ static void showPeerPEM(WOLFSSL* ssl) if (peer) { WOLFSSL_BIO* bioOut = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); if (bioOut == NULL) { - fprintf(stderr, "failed to get bio on stdout\n"); + LOG_ERROR("failed to get bio on stdout\n"); } else { if (wolfSSL_BIO_set_fp(bioOut, stdout, BIO_NOCLOSE) != WOLFSSL_SUCCESS) { - fprintf(stderr, "failed to set stdout to bio output\n"); + LOG_ERROR("failed to set stdout to bio output\n"); wolfSSL_BIO_free(bioOut); bioOut = NULL; } @@ -1751,7 +1760,7 @@ static int client_srtp_test(WOLFSSL *ssl, func_args *args) ret = wolfSSL_export_dtls_srtp_keying_material(ssl, NULL, &srtp_secret_length); if (ret != LENGTH_ONLY_E) { - fprintf(stderr, "DTLS SRTP: Error getting keying material length\n"); + LOG_ERROR("DTLS SRTP: Error getting keying material length\n"); return ret; } @@ -1765,7 +1774,7 @@ static int client_srtp_test(WOLFSSL *ssl, func_args *args) &srtp_secret_length); if (ret != WOLFSSL_SUCCESS) { XFREE(srtp_secret, NULL, DYNAMIC_TYPE_TMP_BUFFER); - fprintf(stderr, "DTLS SRTP: Error getting keying material\n"); + LOG_ERROR("DTLS SRTP: Error getting keying material\n"); return ret; } @@ -1862,6 +1871,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef NO_PSK { "openssl-psk", 0, 265 }, #endif + { "quieter", 0, 266 }, { 0, 0, 0 } }; #endif @@ -2597,7 +2607,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) nonBlocking = 1; simulateWantWrite = 1; #else - fprintf(stderr, "Ignoring -6 since async I/O support not " + LOG_ERROR("Ignoring -6 since async I/O support not " "compiled in.\n"); #endif break; @@ -2696,6 +2706,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) opensslPsk = 1; #endif break; + case 266: + quieter = 1; + break; default: Usage(); XEXIT_T(MY_EX_USAGE); @@ -2780,7 +2793,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif if (done) { - fprintf(stderr, "external test can't be run in this mode\n"); + LOG_ERROR("external test can't be run in this mode\n"); ((func_args*)args)->return_code = 0; XEXIT_T(EXIT_SUCCESS); @@ -2818,7 +2831,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef HAVE_SESSION_TICKET if ((version >= 4) && resumeSession) { - fprintf(stderr, "Can't do TLS 1.3 resumption; need session tickets!\n"); + LOG_ERROR("Can't do TLS 1.3 resumption; need session tickets!\n"); } #endif @@ -2831,7 +2844,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (usePqc) { if (version == CLIENT_DOWNGRADE_VERSION || version == EITHER_DOWNGRADE_VERSION) - fprintf(stderr, + LOG_ERROR( "WARNING: If a TLS 1.3 connection is not negotiated, you " "will not be using a post-quantum group.\n"); else if (version != 4 && version != -4) @@ -2928,11 +2941,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef DEBUG_WOLFSSL /* print off helper buffer sizes for use with static memory * printing to stderr in case of debug mode turned on */ - fprintf(stderr, "static memory management size = %d\n", + LOG_ERROR("static memory management size = %d\n", wolfSSL_MemoryPaddingSz()); - fprintf(stderr, "calculated optimum general buffer size = %d\n", + LOG_ERROR("calculated optimum general buffer size = %d\n", wolfSSL_StaticBufferSz(memory, sizeof(memory), 0)); - fprintf(stderr, "calculated optimum IO buffer size = %d\n", + LOG_ERROR("calculated optimum IO buffer size = %d\n", wolfSSL_StaticBufferSz(memoryIO, sizeof(memoryIO), WOLFMEM_IO_POOL_FIXED)); #endif /* DEBUG_WOLFSSL */ @@ -3331,7 +3344,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef WOLFSSL_ASYNC_CRYPT ret = wolfAsync_DevOpen(&devId); if (ret < 0) { - fprintf(stderr, "Async device open failed\nRunning without async\n"); + LOG_ERROR("Async device open failed\nRunning without async\n"); } wolfSSL_CTX_SetDevId(ctx, devId); #endif /* WOLFSSL_ASYNC_CRYPT */ @@ -3469,7 +3482,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif #if defined(WOLFSSL_STATIC_MEMORY) && defined(DEBUG_WOLFSSL) - fprintf(stderr, "Before creating SSL\n"); + LOG_ERROR("Before creating SSL\n"); if (wolfSSL_CTX_is_static_memory(ctx, &mem_stats) != 1) err_sys("ctx not using static memory"); if (wolfSSL_PrintStats(&mem_stats) != 1) /* function in test.h */ @@ -3560,7 +3573,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif #if defined(WOLFSSL_STATIC_MEMORY) && defined(DEBUG_WOLFSSL) - fprintf(stderr, "After creating SSL\n"); + LOG_ERROR("After creating SSL\n"); if (wolfSSL_CTX_is_static_memory(ctx, &mem_stats) != 1) err_sys("ctx not using static memory"); if (wolfSSL_PrintStats(&mem_stats) != 1) /* function in test.h */ @@ -3796,7 +3809,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif if (ret != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(ssl, 0); - fprintf(stderr, "wolfSSL_connect error %d, %s\n", err, + LOG_ERROR("wolfSSL_connect error %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); /* cleanup */ @@ -4052,7 +4065,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } if (ret != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(ssl, 0); - fprintf(stderr, "wolfSSL_Rehandshake error %d, %s\n", err, + LOG_ERROR("wolfSSL_Rehandshake error %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); wolfSSL_free(ssl); ssl = NULL; wolfSSL_CTX_free(ctx); ctx = NULL; @@ -4061,7 +4074,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } } else { - fprintf(stderr, "not doing secure resumption with non-blocking"); + LOG_ERROR("not doing secure resumption with non-blocking"); } } else { if (!resumeScr) { @@ -4243,12 +4256,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) break; } else if (ret != WOLFSSL_SHUTDOWN_NOT_DONE) { - fprintf(stderr, "Bidirectional shutdown failed\n"); + LOG_ERROR("Bidirectional shutdown failed\n"); break; } } if (ret != WOLFSSL_SUCCESS) - fprintf(stderr, "Bidirectional shutdown failed\n"); + LOG_ERROR("Bidirectional shutdown failed\n"); } #if defined(ATOMIC_USER) && !defined(WOLFSSL_AEAD_ONLY) if (atomicUser) @@ -4260,8 +4273,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (wolfSSL_is_static_memory(ssl, &ssl_stats) != 1) err_sys("static memory was not used with ssl"); - fprintf(stderr, "\nprint off SSL memory stats\n"); - fprintf(stderr, "*** This is memory state before wolfSSL_free is called\n"); + LOG_ERROR("\nprint off SSL memory stats\n"); + LOG_ERROR("*** This is memory state before wolfSSL_free is called\n"); wolfSSL_PrintStatsConn(&ssl_stats); #endif @@ -4384,7 +4397,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) ret = NonBlockingSSL_Connect(sslResume); /* will keep retrying on timeout */ #endif if (ret != WOLFSSL_SUCCESS) { - fprintf(stderr, "wolfSSL_connect resume error %d, %s\n", err, + LOG_ERROR("wolfSSL_connect resume error %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); wolfSSL_free(sslResume); sslResume = NULL; wolfSSL_CTX_free(ctx); ctx = NULL; @@ -4397,7 +4410,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (wolfSSL_session_reused(sslResume)) printf("reused session id\n"); else - fprintf(stderr, "didn't reuse session id!!!\n"); + LOG_ERROR("didn't reuse session id!!!\n"); #ifdef HAVE_ALPN if (alpnList != NULL) { @@ -4432,7 +4445,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) printf("Beginning secure renegotiation.\n"); if (wolfSSL_Rehandshake(sslResume) != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(sslResume, 0); - fprintf(stderr, "err = %d, %s\n", err, + LOG_ERROR("err = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); wolfSSL_free(sslResume); sslResume = NULL; wolfSSL_CTX_free(ctx); ctx = NULL; @@ -4446,7 +4459,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) printf("Beginning secure resumption.\n"); if (wolfSSL_SecureResume(sslResume) != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(sslResume, 0); - fprintf(stderr, "err = %d, %s\n", err, + LOG_ERROR("err = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); wolfSSL_free(sslResume); sslResume = NULL; wolfSSL_CTX_free(ctx); ctx = NULL; @@ -4483,8 +4496,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (wolfSSL_is_static_memory(sslResume, &ssl_stats) != 1) err_sys("static memory was not used with ssl"); - fprintf(stderr, "\nprint off SSLresume memory stats\n"); - fprintf(stderr, "*** This is memory state before wolfSSL_free is called\n"); + LOG_ERROR("\nprint off SSLresume memory stats\n"); + LOG_ERROR("*** This is memory state before wolfSSL_free is called\n"); wolfSSL_PrintStatsConn(&ssl_stats); #endif @@ -4503,7 +4516,7 @@ exit: wolfsentry_ret = wolfsentry_shutdown(WOLFSENTRY_CONTEXT_ARGS_OUT_EX4(&wolfsentry, NULL)); if (wolfsentry_ret < 0) { - fprintf(stderr, + LOG_ERROR( "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); } diff --git a/examples/server/server.c b/examples/server/server.c index bceeca1db..6d05e4779 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -148,8 +148,16 @@ int catastrophic = 0; /* Use with -x flag to still exit when an error is * cert to send to clients attempting to connect. The * server should error out completely in that case */ +static int quieter = 0; /* Print fewer messages. This is helpful with overly + * ambitious log parsers. */ static int lng_index = 0; +#define LOG_ERROR(...) \ + do { \ + if (!quieter) \ + fprintf(stderr, __VA_ARGS__); \ + } while(0) + #ifdef WOLFSSL_CALLBACKS #if !defined(NO_OLD_TIMEVAL_NAME) Timeval srvTo; @@ -186,8 +194,8 @@ static int lng_index = 0; static void err_sys_ex(int out, const char* msg) { if (out == 1) { /* if server is running w/ -x flag, print error w/o exit */ - fprintf(stderr, "wolfSSL error: %s\n", msg); - fprintf(stderr, "Continuing server execution...\n\n"); + LOG_ERROR("wolfSSL error: %s\n", msg); + LOG_ERROR("Continuing server execution...\n\n"); } else { err_sys(msg); } @@ -448,7 +456,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block, err != WOLFSSL_ERROR_WANT_WRITE && err != WOLFSSL_ERROR_ZERO_RETURN && err != APP_DATA_READY) { - fprintf(stderr, "SSL_read echo error %d\n", err); + LOG_ERROR("SSL_read echo error %d\n", err); err_sys_ex(runWithErrors, "SSL_read failed"); break; } @@ -483,7 +491,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block, } } while (err == WC_PENDING_E); if (ret != (int)min(len, rx_pos)) { - fprintf(stderr, "SSL_write echo error %d\n", err); + LOG_ERROR("SSL_write echo error %d\n", err); err_sys_ex(runWithErrors, "SSL_write failed"); } @@ -557,7 +565,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen) #endif #ifdef WOLFSSL_DTLS if (wolfSSL_dtls(ssl) && err == DECRYPT_ERROR) { - fprintf(stderr, "Dropped client's message due to a bad MAC\n"); + LOG_ERROR("Dropped client's message due to a bad MAC\n"); } else #endif @@ -568,7 +576,7 @@ static void ServerRead(WOLFSSL* ssl, char* input, int inputLen) && err != APP_DATA_READY #endif ) { - fprintf(stderr, "SSL_read input error %d, %s\n", err, + LOG_ERROR("SSL_read input error %d, %s\n", err, ERR_error_string(err, buffer)); err_sys_ex(runWithErrors, "SSL_read failed"); } @@ -641,7 +649,7 @@ static void ServerWrite(WOLFSSL* ssl, const char* output, int outputLen) } while (err == WC_PENDING_E || err == WOLFSSL_ERROR_WANT_WRITE); if (ret != outputLen) { char buffer[WOLFSSL_MAX_ERROR_SZ]; - fprintf(stderr, "SSL_write msg error %d, %s\n", err, + LOG_ERROR("SSL_write msg error %d, %s\n", err, ERR_error_string(err, buffer)); err_sys_ex(runWithErrors, "SSL_write failed"); } @@ -1328,7 +1336,7 @@ static int server_srtp_test(WOLFSSL *ssl, func_args *args) ret = wolfSSL_export_dtls_srtp_keying_material(ssl, NULL, &srtp_secret_length); if (ret != LENGTH_ONLY_E) { - fprintf(stderr, "DTLS SRTP: Error getting key material length\n"); + LOG_ERROR("DTLS SRTP: Error getting key material length\n"); return ret; } @@ -1342,7 +1350,7 @@ static int server_srtp_test(WOLFSSL *ssl, func_args *args) &srtp_secret_length); if (ret != WOLFSSL_SUCCESS) { XFREE(srtp_secret, NULL, DYNAMIC_TYPE_TMP_BUFFER); - fprintf(stderr, "DTLS SRTP: Error getting key material\n"); + LOG_ERROR("DTLS SRTP: Error getting key material\n"); return ret; } @@ -1413,6 +1421,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifdef HAVE_CRL {"crl-dir", 1, 265}, #endif + {"quieter", 0, 266}, { 0, 0, 0 } }; #endif @@ -2113,7 +2122,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) nonBlocking = 1; simulateWantWrite = 1; #else - fprintf(stderr, "Ignoring -6 since async I/O support not " + LOG_ERROR("Ignoring -6 since async I/O support not " "compiled in.\n"); #endif break; @@ -2258,9 +2267,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (force_curve_group_id <= 0) { if (lng_index == 1) { /* TODO: Need Japanese translation */ - fprintf(stderr, "Invalid curve '%s'\n", myoptarg); + LOG_ERROR("Invalid curve '%s'\n", myoptarg); } else { - fprintf(stderr, "Invalid curve '%s'\n", myoptarg); + LOG_ERROR("Invalid curve '%s'\n", myoptarg); } XEXIT_T(EXIT_FAILURE); } @@ -2293,6 +2302,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif break; + case 266: + quieter = 1; + break; + + case -1: default: Usage(); XEXIT_T(MY_EX_USAGE); @@ -2338,7 +2352,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifndef HAVE_SESSION_TICKET if ((version >= 4) && resume) { - fprintf(stderr, "Can't do TLS 1.3 resumption; need session tickets!\n"); + LOG_ERROR("Can't do TLS 1.3 resumption; need session tickets!\n"); } #endif @@ -2352,7 +2366,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (usePqc) { if (version == SERVER_DOWNGRADE_VERSION || version == EITHER_DOWNGRADE_VERSION) { - fprintf(stderr, + LOG_ERROR( "WARNING: If a TLS 1.3 connection is not negotiated, you " "will not be using a post-quantum group.\n"); } else if (version != 4 && version != -4) { @@ -2449,11 +2463,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifdef DEBUG_WOLFSSL /* print off helper buffer sizes for use with static memory * printing to stderr in case of debug mode turned on */ - fprintf(stderr, "static memory management size = %d\n", + LOG_ERROR("static memory management size = %d\n", wolfSSL_MemoryPaddingSz()); - fprintf(stderr, "calculated optimum general buffer size = %d\n", + LOG_ERROR("calculated optimum general buffer size = %d\n", wolfSSL_StaticBufferSz(memory, sizeof(memory), 0)); - fprintf(stderr, "calculated optimum IO buffer size = %d\n", + LOG_ERROR("calculated optimum IO buffer size = %d\n", wolfSSL_StaticBufferSz(memoryIO, sizeof(memoryIO), WOLFMEM_IO_POOL_FIXED)); #endif /* DEBUG_WOLFSSL */ @@ -2834,7 +2848,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifdef WOLFSSL_ASYNC_CRYPT ret = wolfAsync_DevOpen(&devId); if (ret < 0) { - fprintf(stderr, "Async device open failed\nRunning without async\n"); + LOG_ERROR("Async device open failed\nRunning without async\n"); } wolfSSL_CTX_SetDevId(ctx, devId); #endif /* WOLFSSL_ASYNC_CRYPT */ @@ -2857,6 +2871,30 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) wolfSSL_CTX_NoTicketTLSv12(ctx); #endif #endif +#if defined(HAVE_CRL) && !defined(NO_FILESYSTEM) + if (!disableCRL) { + /* Need to load CA's to confirm CRL signatures */ + unsigned int verify_flags = 0; +#ifdef TEST_BEFORE_DATE + verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY; +#endif + if (wolfSSL_CTX_load_verify_locations_ex(ctx, verifyCert, 0, + verify_flags) != WOLFSSL_SUCCESS) { + err_sys_ex(catastrophic, + "can't load ca file, Please run from wolfSSL home dir"); + } +#ifdef HAVE_CRL_MONITOR + crlFlags = WOLFSSL_CRL_MONITOR | WOLFSSL_CRL_START_MON; +#endif + if (wolfSSL_CTX_EnableCRL(ctx, 0) != WOLFSSL_SUCCESS) + err_sys_ex(runWithErrors, "unable to enable CRL"); + if (wolfSSL_CTX_LoadCRL(ctx, crlDir != NULL ? crlDir : crlPemDir, + WOLFSSL_FILETYPE_PEM, crlFlags) != WOLFSSL_SUCCESS) + err_sys_ex(runWithErrors, "unable to load CRL"); + if (wolfSSL_CTX_SetCRL_Cb(ctx, CRL_CallBack) != WOLFSSL_SUCCESS) + err_sys_ex(runWithErrors, "unable to set CRL callback url"); + } +#endif while (1) { @@ -2876,7 +2914,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) } } #if defined(WOLFSSL_STATIC_MEMORY) && defined(DEBUG_WOLFSSL) - fprintf(stderr, "Before creating SSL\n"); + LOG_ERROR("Before creating SSL\n"); if (wolfSSL_CTX_is_static_memory(ctx, &mem_stats) != 1) err_sys_ex(runWithErrors, "ctx not using static memory"); if (wolfSSL_PrintStats(&mem_stats) != 1) /* function in test.h */ @@ -2965,7 +3003,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif #if defined(WOLFSSL_STATIC_MEMORY) && defined(DEBUG_WOLFSSL) - fprintf(stderr, "After creating SSL\n"); + LOG_ERROR("After creating SSL\n"); if (wolfSSL_CTX_is_static_memory(ctx, &mem_stats) != 1) err_sys_ex(runWithErrors, "ctx not using static memory"); if (wolfSSL_PrintStats(&mem_stats) != 1) /* function in test.h */ @@ -3033,20 +3071,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifndef NO_HANDSHAKE_DONE_CB wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL); #endif -#if defined(HAVE_CRL) && !defined(NO_FILESYSTEM) - if (!disableCRL) { -#ifdef HAVE_CRL_MONITOR - crlFlags = WOLFSSL_CRL_MONITOR | WOLFSSL_CRL_START_MON; -#endif - if (wolfSSL_EnableCRL(ssl, 0) != WOLFSSL_SUCCESS) - err_sys_ex(runWithErrors, "unable to enable CRL"); - if (wolfSSL_LoadCRL(ssl, crlDir != NULL ? crlDir : crlPemDir, - WOLFSSL_FILETYPE_PEM, crlFlags) != WOLFSSL_SUCCESS) - err_sys_ex(runWithErrors, "unable to load CRL"); - if (wolfSSL_SetCRL_Cb(ssl, CRL_CallBack) != WOLFSSL_SUCCESS) - err_sys_ex(runWithErrors, "unable to set CRL callback url"); - } -#endif #ifdef HAVE_OCSP if (useOcsp) { if (ocspUrl != NULL) { @@ -3357,8 +3381,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif if (ret != WOLFSSL_SUCCESS) { err = SSL_get_error(ssl, 0); - fprintf(stderr, "SSL_accept error %d, %s\n", err, - ERR_error_string(err, buffer)); + LOG_ERROR("SSL_accept error %d, %s\n", err, + ERR_error_string(err, buffer)); if (!exitWithRet) { err_sys_ex(runWithErrors, "SSL_accept failed"); } else { @@ -3571,7 +3595,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) } if (ret != WOLFSSL_SUCCESS) { err = wolfSSL_get_error(ssl, 0); - fprintf(stderr, + LOG_ERROR( "wolfSSL_Rehandshake error %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); wolfSSL_free(ssl); ssl = NULL; @@ -3631,10 +3655,10 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) if (sendTicket) { if (wolfSSL_send_SessionTicket(ssl) != WOLFSSL_SUCCESS) { - fprintf(stderr, "Sending new session ticket failed\n"); + LOG_ERROR("Sending new session ticket failed\n"); } else { - fprintf(stderr, "New session ticket sent\n"); + LOG_ERROR("New session ticket sent\n"); } } #endif @@ -3703,12 +3727,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) break; } else if (ret != WOLFSSL_SHUTDOWN_NOT_DONE) { - fprintf(stderr, "Bidirectional shutdown failed\n"); + LOG_ERROR("Bidirectional shutdown failed\n"); break; } } if (ret != WOLFSSL_SUCCESS) - fprintf(stderr, "Bidirectional shutdown failed\n"); + LOG_ERROR("Bidirectional shutdown failed\n"); } /* display collected statistics */ @@ -3716,8 +3740,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (wolfSSL_is_static_memory(ssl, &ssl_stats) != 1) err_sys_ex(runWithErrors, "static memory was not used with ssl"); - fprintf(stderr, "\nprint off SSL memory stats\n"); - fprintf(stderr, "*** This is memory state before wolfSSL_free is " + LOG_ERROR("\nprint off SSL memory stats\n"); + LOG_ERROR("*** This is memory state before wolfSSL_free is " "called\n"); wolfSSL_PrintStatsConn(&ssl_stats); @@ -3757,7 +3781,7 @@ exit: wolfsentry_ret = wolfsentry_shutdown(WOLFSENTRY_CONTEXT_ARGS_OUT_EX4(&wolfsentry, NULL)); if (wolfsentry_ret < 0) { - fprintf(stderr, + LOG_ERROR( "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); } diff --git a/src/crl.c b/src/crl.c index 02a347360..6fd82c986 100644 --- a/src/crl.c +++ b/src/crl.c @@ -1342,7 +1342,7 @@ static int StopMonitor(wolfSSL_CRL_mfd_t mfd) #define DM_ERROR() do { status = MONITOR_SETUP_E; goto cleanup; } while(0) /* windows monitoring - * Tested initially by hand by running + * Tested initially by hand by running * .\server.exe -A certs/ca-cert.pem -i -x * and connecting to with * .\client.exe -C -c certs/server-cert.pem -k certs/server-key.pem @@ -1492,23 +1492,6 @@ static int StartMonitorCRL(WOLFSSL_CRL* crl) return ret; } - -#else /* HAVE_CRL_MONITOR */ - -#if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) - -static int StartMonitorCRL(WOLFSSL_CRL* crl) -{ - (void)crl; - - WOLFSSL_ENTER("StartMonitorCRL"); - WOLFSSL_MSG("Not compiled in"); - - return NOT_COMPILED_IN; -} - -#endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */ - #endif /* HAVE_CRL_MONITOR */ #if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) diff --git a/src/internal.c b/src/internal.c index 9d3cf0117..fdb381798 100644 --- a/src/internal.c +++ b/src/internal.c @@ -13805,6 +13805,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* CA already verified above in ParseCertRelative */ WOLFSSL_MSG("Adding CA from chain"); + SSL_CM_WARNING(ssl); ret = AddCA(SSL_CM(ssl), &add, WOLFSSL_CHAIN_CA, NO_VERIFY); if (ret == WOLFSSL_SUCCESS) { diff --git a/src/ssl.c b/src/ssl.c index bf2bd820f..55827657a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -7441,8 +7441,10 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, /* add trusted peer cert. der is freed within */ if (ctx != NULL) ret = AddTrustedPeer(ctx->cm, &der, !ctx->verifyNone); - else + else { + SSL_CM_WARNING(ssl); ret = AddTrustedPeer(SSL_CM(ssl), &der, !ssl->options.verifyNone); + } if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error adding trusted peer"); } @@ -8198,6 +8200,7 @@ int wolfSSL_LoadCRLBuffer(WOLFSSL* ssl, const unsigned char* buff, if (ssl == NULL || ssl->ctx == NULL) return BAD_FUNC_ARG; + SSL_CM_WARNING(ssl); return wolfSSL_CertManagerLoadCRLBuffer(SSL_CM(ssl), buff, sz, type); } @@ -8648,6 +8651,7 @@ int wolfSSL_CertManagerSetOCSP_Cb(WOLFSSL_CERT_MANAGER* cm, int wolfSSL_EnableOCSP(WOLFSSL* ssl, int options) { WOLFSSL_ENTER("wolfSSL_EnableOCSP"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerEnableOCSP(SSL_CM(ssl), options); else @@ -8657,6 +8661,7 @@ int wolfSSL_EnableOCSP(WOLFSSL* ssl, int options) int wolfSSL_DisableOCSP(WOLFSSL* ssl) { WOLFSSL_ENTER("wolfSSL_DisableOCSP"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerDisableOCSP(SSL_CM(ssl)); else @@ -8667,6 +8672,7 @@ int wolfSSL_DisableOCSP(WOLFSSL* ssl) int wolfSSL_EnableOCSPStapling(WOLFSSL* ssl) { WOLFSSL_ENTER("wolfSSL_EnableOCSPStapling"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerEnableOCSPStapling(SSL_CM(ssl)); else @@ -8676,6 +8682,7 @@ int wolfSSL_EnableOCSPStapling(WOLFSSL* ssl) int wolfSSL_DisableOCSPStapling(WOLFSSL* ssl) { WOLFSSL_ENTER("wolfSSL_DisableOCSPStapling"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerDisableOCSPStapling(SSL_CM(ssl)); else @@ -8685,6 +8692,7 @@ int wolfSSL_DisableOCSPStapling(WOLFSSL* ssl) int wolfSSL_SetOCSP_OverrideURL(WOLFSSL* ssl, const char* url) { WOLFSSL_ENTER("wolfSSL_SetOCSP_OverrideURL"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerSetOCSPOverrideURL(SSL_CM(ssl), url); else @@ -8696,6 +8704,7 @@ int wolfSSL_SetOCSP_Cb(WOLFSSL* ssl, CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx) { WOLFSSL_ENTER("wolfSSL_SetOCSP_Cb"); + SSL_CM_WARNING(ssl); if (ssl) { ssl->ocspIOCtx = ioCbCtx; /* use SSL specific ioCbCtx */ return wolfSSL_CertManagerSetOCSP_Cb(SSL_CM(ssl), @@ -9484,6 +9493,7 @@ int wolfSSL_CertManagerLoadCRLFile(WOLFSSL_CERT_MANAGER* cm, const char* file, int wolfSSL_EnableCRL(WOLFSSL* ssl, int options) { WOLFSSL_ENTER("wolfSSL_EnableCRL"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerEnableCRL(SSL_CM(ssl), options); else @@ -9494,6 +9504,7 @@ int wolfSSL_EnableCRL(WOLFSSL* ssl, int options) int wolfSSL_DisableCRL(WOLFSSL* ssl) { WOLFSSL_ENTER("wolfSSL_DisableCRL"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerDisableCRL(SSL_CM(ssl)); else @@ -9504,6 +9515,7 @@ int wolfSSL_DisableCRL(WOLFSSL* ssl) int wolfSSL_LoadCRL(WOLFSSL* ssl, const char* path, int type, int monitor) { WOLFSSL_ENTER("wolfSSL_LoadCRL"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerLoadCRL(SSL_CM(ssl), path, type, monitor); else @@ -9513,6 +9525,7 @@ int wolfSSL_LoadCRL(WOLFSSL* ssl, const char* path, int type, int monitor) int wolfSSL_LoadCRLFile(WOLFSSL* ssl, const char* file, int type) { WOLFSSL_ENTER("wolfSSL_LoadCRL"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerLoadCRLFile(SSL_CM(ssl), file, type); else @@ -9524,6 +9537,7 @@ int wolfSSL_LoadCRLFile(WOLFSSL* ssl, const char* file, int type) int wolfSSL_SetCRL_Cb(WOLFSSL* ssl, CbMissingCRL cb) { WOLFSSL_ENTER("wolfSSL_SetCRL_Cb"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerSetCRL_Cb(SSL_CM(ssl), cb); else @@ -9534,6 +9548,7 @@ int wolfSSL_SetCRL_Cb(WOLFSSL* ssl, CbMissingCRL cb) int wolfSSL_SetCRL_IOCb(WOLFSSL* ssl, CbCrlIO cb) { WOLFSSL_ENTER("wolfSSL_SetCRL_Cb"); + SSL_CM_WARNING(ssl); if (ssl) return wolfSSL_CertManagerSetCRL_IOCb(SSL_CM(ssl), cb); else @@ -17117,6 +17132,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (ssl == NULL) return BAD_FUNC_ARG; + SSL_CM_WARNING(ssl); return wolfSSL_CertManagerUnload_trust_peers(SSL_CM(ssl)); } #endif /* WOLFSSL_LOCAL_X509_STORE */ @@ -20773,6 +20789,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl) if (ret == 0 && i == ssl->session->chain.count-1) { /* On the last element in the chain try to add the CA chain * first if we have one for this cert */ + SSL_CM_WARNING(ssl); if (PushCAx509Chain(SSL_CM(ssl), x509, sk) == WOLFSSL_FATAL_ERROR) { ret = WOLFSSL_FATAL_ERROR; diff --git a/tests/api.c b/tests/api.c index 779ca74fb..81455591c 100644 --- a/tests/api.c +++ b/tests/api.c @@ -54595,11 +54595,11 @@ static int test_wolfSSL_CTX_LoadCRL(void) #endif WOLFSSL_CERT_MANAGER* cm = NULL; - #define FAIL_T1(x, y, z, p, d) AssertIntEQ((int) x(y, z, p, d), \ + #define FAIL_T1(x, y, z, p, d) ExpectIntEQ((int) x(y, z, p, d), \ BAD_FUNC_ARG) - #define FAIL_T2(x, y, z, p, d) AssertIntEQ((int) x(y, z, p, d), \ + #define FAIL_T2(x, y, z, p, d) ExpectIntEQ((int) x(y, z, p, d), \ NOT_COMPILED_IN) - #define SUCC_T(x, y, z, p, d) AssertIntEQ((int) x(y, z, p, d), \ + #define SUCC_T(x, y, z, p, d) ExpectIntEQ((int) x(y, z, p, d), \ WOLFSSL_SUCCESS) #ifndef NO_WOLFSSL_CLIENT #define NEW_CTX(ctx) AssertNotNull( \ @@ -54629,17 +54629,17 @@ static int test_wolfSSL_CTX_LoadCRL(void) ctx = NULL; NEW_CTX(ctx); - AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL), + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL), WOLFSSL_SUCCESS); - AssertIntEQ(wolfSSL_CTX_LoadCRLFile(ctx, validFilePath, pemType), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CTX_LoadCRLFile(ctx, validFilePath, pemType), WOLFSSL_SUCCESS); wolfSSL_CTX_free(ctx); ctx = NULL; NEW_CTX(ctx); - AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL), + ExpectIntEQ(wolfSSL_CTX_load_verify_locations(ctx, issuerCert, NULL), WOLFSSL_SUCCESS); - AssertNotNull(ssl = wolfSSL_new(ctx)); - AssertIntEQ(wolfSSL_LoadCRLFile(ssl, validFilePath, pemType), WOLFSSL_SUCCESS); + ExpectNotNull(ssl = wolfSSL_new(ctx)); + ExpectIntEQ(wolfSSL_LoadCRLFile(ssl, validFilePath, pemType), WOLFSSL_SUCCESS); wolfSSL_free(ssl); ssl = NULL; wolfSSL_CTX_free(ctx); diff --git a/tests/suites.c b/tests/suites.c index b8049a54c..d5d17eebb 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -61,7 +61,8 @@ #include "examples/client/client.h" #include "examples/server/server.h" -#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) +#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) && \ + !defined(SINGLE_THREADED) static WOLFSSL_CTX* cipherSuiteCtx = NULL; static char nonblockFlag[] = "-N"; static char noVerifyFlag[] = "-d"; @@ -791,7 +792,8 @@ static void test_harness(void* vargs) int SuiteTest(int argc, char** argv) { #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) && \ - !defined(WOLF_CRYPTO_CB_ONLY_RSA) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) + !defined(WOLF_CRYPTO_CB_ONLY_RSA) && !defined(WOLF_CRYPTO_CB_ONLY_ECC) && \ + !defined(SINGLE_THREADED) func_args args; char argv0[3][80]; char* myArgv[3]; diff --git a/tests/unit.c b/tests/unit.c index 825c5550f..d537929fb 100644 --- a/tests/unit.c +++ b/tests/unit.c @@ -27,6 +27,7 @@ #endif #include +#include #include #include @@ -290,6 +291,7 @@ void wait_tcp_ready(func_args* args) #endif } +#ifndef SINGLE_THREADED void start_thread(THREAD_CB fun, func_args* args, THREAD_TYPE* thread) { @@ -341,4 +343,5 @@ void join_thread(THREAD_TYPE thread) #endif } +#endif /* SINGLE_THREADED */ diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 7b227531a..62e4598ae 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -25,6 +25,7 @@ #endif #include +#include #include #include @@ -57,7 +58,10 @@ static THREAD_RETURN simple_test(func_args *args); static void simple_test(func_args *args); #endif static int test_tls(func_args* server_args); +#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) && \ + defined(HAVE_CRL) && defined(HAVE_CRL_MONITOR) static int test_crl_monitor(void); +#endif static void show_ciphers(void); static void cleanup_output(void); static int validate_cleanup_output(void); @@ -216,7 +220,8 @@ int testsuite_test(int argc, char** argv) return server_args.return_code; } -#ifdef HAVE_CRL_MONITOR +#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) && \ + defined(HAVE_CRL) && defined(HAVE_CRL_MONITOR) ret = test_crl_monitor(); if (ret != 0) { cleanup_output(); @@ -257,7 +262,7 @@ int testsuite_test(int argc, char** argv) } #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) && \ - defined(HAVE_CRL_MONITOR) + defined(HAVE_CRL) && defined(HAVE_CRL_MONITOR) #define CRL_MONITOR_TEST_ROUNDS 6 static int test_crl_monitor(void) @@ -274,6 +279,7 @@ static int test_crl_monitor(void) "-A", "certs/ca-cert.pem", "--crl-dir", tmpDir, "-C", rounds, + "--quieter", "-x" }; const char* clientArgv[] = { @@ -281,11 +287,14 @@ static int test_crl_monitor(void) "-C", "-c", "certs/server-cert.pem", "-k", "certs/server-key.pem", + "--quieter", "-H", "exitWithRet" }; int ret = -1; int i; + printf("\nRunning CRL monitor test\n"); + sprintf(rounds, "%d", CRL_MONITOR_TEST_ROUNDS); XMEMSET(&server_args, 0, sizeof(func_args)); @@ -333,7 +342,7 @@ static int test_crl_monitor(void) rem_file(buf); expectFail = 1; } - + client_args.return_code = 0; client_test(&client_args); @@ -376,6 +385,8 @@ static int test_tls(func_args* server_args) char* myArgv[NUMARGS]; char arg[3][128]; + printf("\nRunning TLS test\n"); + /* Set up command line arguments for echoclient to send input file * and write echoed data to temporary output file. */ myArgv[0] = arg[0]; @@ -487,6 +498,8 @@ static void simple_test(func_args* args) char *cliArgv[NUMARGS]; char argvc[3][32]; + printf("\nRunning simple test\n"); + for (i = 0; i < 9; i++) svrArgv[i] = argvs[i]; for (i = 0; i < 3; i++) @@ -575,6 +588,7 @@ void wait_tcp_ready(func_args* args) #endif /* thread checks */ } +#ifndef SINGLE_THREADED /* Start a thread. * @@ -675,6 +689,8 @@ void join_thread(THREAD_TYPE thread) #endif } +#endif /* SINGLE_THREADED */ + #ifndef NO_FILESYSTEM #ifdef _MSC_VER @@ -753,7 +769,7 @@ int copy_file(const char* in, const char* out) if (XFWRITE(buf, 1, sz, outFile) != sz) goto cleanup; - + ret = 0; cleanup: if (inFile != XBADFILE) diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 84c96af4f..a8c14b166 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -3366,7 +3366,7 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) *thread = _beginthreadex(NULL, 0, cb, arg, 0, NULL); if (*thread == 0) { *thread = INVALID_THREAD_VAL; - return MEMORY_ERROR; + return MEMORY_E; } return 0; @@ -3381,10 +3381,10 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) /* We still want to attempt to close the thread handle even on error */ if (WaitForSingleObject((HANDLE)thread, INFINITE) == WAIT_FAILED) - ret = MEMORY_ERROR; + ret = MEMORY_E; if (CloseHandle((HANDLE)thread) == 0) - ret = MEMORY_ERROR; + ret = MEMORY_E; return ret; } @@ -3394,10 +3394,10 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) { if (cond == NULL) return BAD_FUNC_ARG; - + *cond = CreateEventA(NULL, FALSE, FALSE, NULL); if (*cond == NULL) - return MEMORY_ERROR; + return MEMORY_E; return 0; } @@ -3408,7 +3408,7 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) return BAD_FUNC_ARG; if (CloseHandle(*cond) == 0) - return MEMORY_ERROR; + return MEMORY_E; return 0; } @@ -3419,7 +3419,7 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) return BAD_FUNC_ARG; if (SetEvent(*cond) == 0) - return MEMORY_ERROR; + return MEMORY_E; return 0; } @@ -3433,13 +3433,13 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) return BAD_FUNC_ARG; if (WaitForSingleObject(*cond, INFINITE) == WAIT_FAILED) - return MEMORY_ERROR; + return MEMORY_E; return 0; } #endif /* WOLFSSL_COND */ -#else /* pthread */ +#elif defined(WOLFSSL_PTHREADS) int wolfSSL_NewThread(THREAD_TYPE* thread, THREAD_CB cb, void* arg) @@ -3448,7 +3448,7 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) return BAD_FUNC_ARG; if (pthread_create(thread, NULL, cb, arg) != 0) - return MEMORY_ERROR; + return MEMORY_E; return 0; } @@ -3459,7 +3459,7 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) return BAD_FUNC_ARG; if (pthread_join(thread, NULL) != 0) - return MEMORY_ERROR; + return MEMORY_E; return 0; } @@ -3471,7 +3471,7 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) return BAD_FUNC_ARG; if (pthread_cond_init(cond, NULL) != 0) - return MEMORY_ERROR; + return MEMORY_E; return 0; } @@ -3482,7 +3482,7 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) return BAD_FUNC_ARG; if (pthread_cond_destroy(cond) != 0) - return MEMORY_ERROR; + return MEMORY_E; return 0; } @@ -3493,7 +3493,7 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) return BAD_FUNC_ARG; if (pthread_cond_signal(cond) != 0) - return MEMORY_ERROR; + return MEMORY_E; return 0; } @@ -3507,7 +3507,7 @@ char* mystrnstr(const char* s1, const char* s2, unsigned int n) /* mutex has to be locked on entry so we can't touch */ if (pthread_cond_wait(cond, mutex) != 0) - return MEMORY_ERROR; + return MEMORY_E; return 0; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ec47b4352..ca7047529 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -5683,6 +5683,13 @@ struct WOLFSSL { #else #define SSL_CM(ssl) (ssl)->ctx->cm #endif +/* Issue warning when we are modifying the overall context CM */ +#define SSL_CM_WARNING(ssl) \ + do { \ + if (SSL_CM( (ssl) ) == (ssl)->ctx->cm) { \ + WOLFSSL_MSG("Modifying SSL_CTX CM not SSL specific CM"); \ + } \ + } while (0) #define SSL_CA_NAMES(ssl) ((ssl)->ca_names != NULL ? (ssl)->ca_names : \ (ssl)->ctx->ca_names) diff --git a/wolfssl/test.h b/wolfssl/test.h index c15aa09ac..89661674b 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -633,8 +633,10 @@ typedef struct func_args { void wait_tcp_ready(func_args* args); +#ifndef SINGLE_THREADED void start_thread(THREAD_CB fun, func_args* args, THREAD_TYPE* thread); void join_thread(THREAD_TYPE thread); +#endif typedef int (*cbType)(WOLFSSL_CTX *ctx, WOLFSSL *ssl); @@ -643,7 +645,7 @@ void test_wolfSSL_client_server_nofail_ex(callback_functions* client_cb, void test_wolfSSL_client_server_nofail(callback_functions* client_cb, callback_functions* server_cb); -/* Return +/* Return * tmpDir on success * NULL on failure */ char* create_tmp_dir(char* tmpDir, int len); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 9017c9357..a14364d4d 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -275,23 +275,6 @@ #include -/* AFTER user_settings.h is loaded, -** determine if POSIX multi-threaded: HAVE_PTHREAD */ -#if defined(SINGLE_THREADED) || defined(__MINGW32__) - /* Never HAVE_PTHREAD in single thread, or non-POSIX mode. - ** Reminder: MING32 is win32 threads, not POSIX threads */ - #undef HAVE_PTHREAD -#else - #ifdef _POSIX_THREADS - /* HAVE_PTHREAD == POSIX threads capable and enabled. */ - #undef HAVE_PTHREAD - #define HAVE_PTHREAD 1 - #else - /* Not manually disabled, but POSIX threads not found. */ - #undef HAVE_PTHREAD - #endif -#endif - #define WOLFSSL_MAKE_FIPS_VERSION(major, minor) (((major) * 256) + (minor)) #if !defined(HAVE_FIPS) #define WOLFSSL_FIPS_VERSION_CODE WOLFSSL_MAKE_FIPS_VERSION(0,0) diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 6354dd763..dc0eff721 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -1383,7 +1383,7 @@ typedef struct w64wrapper { #ifndef SINGLE_THREADED /* Necessary headers should already be included. */ - + /* We don't support returns from threads */ typedef THREAD_RETURN (WOLFSSL_THREAD *THREAD_CB)(void* arg); diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 975b668d7..6a6bf87bc 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -1160,6 +1160,23 @@ WOLFSSL_ABI WOLFSSL_API int wolfCrypt_Cleanup(void); #endif #endif + + /* AFTER user_settings.h is loaded, + ** determine if POSIX multi-threaded: HAVE_PTHREAD */ + #if defined(SINGLE_THREADED) || defined(__MINGW32__) + /* Never HAVE_PTHREAD in single thread, or non-POSIX mode. + ** Reminder: MING32 is win32 threads, not POSIX threads */ + #undef HAVE_PTHREAD + #else + /* _POSIX_THREADS is defined by unistd.h so this check needs to happen + * after we include all the platform relevant libs. */ + #ifdef _POSIX_THREADS + /* HAVE_PTHREAD == POSIX threads capable and enabled. */ + #undef HAVE_PTHREAD + #define HAVE_PTHREAD 1 + #endif + #endif + #ifdef __cplusplus } /* extern "C" */ #endif From 3d2db844c18ac9557d4b7e6baa0b32388ba63af5 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 3 Jul 2023 14:21:27 +0200 Subject: [PATCH 5/9] Speed up waiting for file removal --- testsuite/testsuite.c | 53 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 42 insertions(+), 11 deletions(-) diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 62e4598ae..bdcac6b50 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -264,6 +264,7 @@ int testsuite_test(int argc, char** argv) #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_WOLFSSL_CLIENT) && \ defined(HAVE_CRL) && defined(HAVE_CRL_MONITOR) #define CRL_MONITOR_TEST_ROUNDS 6 +#define CRL_MONITOR_REM_FILE_ATTEMPTS 20 static int test_crl_monitor(void) { @@ -291,7 +292,7 @@ static int test_crl_monitor(void) "-H", "exitWithRet" }; int ret = -1; - int i; + int i = -1, j; printf("\nRunning CRL monitor test\n"); @@ -321,44 +322,74 @@ static int test_crl_monitor(void) if (i % 2 == 0) { /* succeed on even rounds */ sprintf(buf, "%s/%s", tmpDir, "crl.pem"); - copy_file("certs/crl/crl.pem", buf); + if (copy_file("certs/crl/crl.pem", buf) != 0) { + fprintf(stderr, "[%d] Failed to copy file to %s\n", i, buf); + goto cleanup; + } sprintf(buf, "%s/%s", tmpDir, "crl.revoked"); /* The monitor can be holding the file handle and this will cause - * the remove call to fail. Let's give the monitor a second to + * the remove call to fail. Let's give the monitor a some time to * finish up. */ - XSLEEP_MS(1000); - rem_file(buf); + for (j = 0; j < CRL_MONITOR_REM_FILE_ATTEMPTS; j++) { + /* i == 0 since there is nothing to delete in the first round */ + if (i == 0 || rem_file(buf) == 0) + break; + XSLEEP_MS(100); + } + if (j == CRL_MONITOR_REM_FILE_ATTEMPTS) { + fprintf(stderr, "[%d] Failed to remove file %s\n", i, buf); + goto cleanup; + } expectFail = 0; } else { /* fail on odd rounds */ sprintf(buf, "%s/%s", tmpDir, "crl.revoked"); - copy_file("certs/crl/crl.revoked", buf); + if (copy_file("certs/crl/crl.revoked", buf) != 0) { + fprintf(stderr, "[%d] Failed to copy file to %s\n", i, buf); + goto cleanup; + } sprintf(buf, "%s/%s", tmpDir, "crl.pem"); /* The monitor can be holding the file handle and this will cause - * the remove call to fail. Let's give the monitor a second to + * the remove call to fail. Let's give the monitor a some time to * finish up. */ - XSLEEP_MS(1000); - rem_file(buf); + for (j = 0; j < CRL_MONITOR_REM_FILE_ATTEMPTS; j++) { + if (rem_file(buf) == 0) + break; + XSLEEP_MS(100); + } + if (j == CRL_MONITOR_REM_FILE_ATTEMPTS) { + fprintf(stderr, "[%d] Failed to remove file %s\n", i, buf); + goto cleanup; + } expectFail = 1; } + /* Give server a moment to register the file change */ + XSLEEP_MS(100); client_args.return_code = 0; client_test(&client_args); if (!expectFail) { - if (client_args.return_code != 0) + if (client_args.return_code != 0) { + fprintf(stderr, "[%d] Incorrect return %d\n", i, + client_args.return_code); goto cleanup; + } } else { - if (client_args.return_code == 0) + if (client_args.return_code == 0) { + fprintf(stderr, "[%d] Expected failure\n", i); goto cleanup; + } } } join_thread(serverThread); ret = 0; cleanup: + if (ret != 0 && i >= 0) + fprintf(stderr, "test_crl_monitor failed on iteration %d\n", i); sprintf(buf, "%s/%s", tmpDir, "crl.pem"); rem_file(buf); sprintf(buf, "%s/%s", tmpDir, "crl.revoked"); From 713670dcc7f412cca2400163d3c8e83e7dfcf182 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 3 Jul 2023 14:30:06 +0200 Subject: [PATCH 6/9] Use smaller buffer for copying --- testsuite/testsuite.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index bdcac6b50..3a5434eaa 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -778,7 +778,7 @@ int rem_file(const char* fileName) int copy_file(const char* in, const char* out) { - byte buf[2500]; + byte buf[100]; XFILE inFile = XBADFILE; XFILE outFile = XBADFILE; size_t sz; @@ -792,14 +792,10 @@ int copy_file(const char* in, const char* out) if (outFile == XBADFILE) goto cleanup; - sz = XFREAD(buf, 1, sizeof(buf), inFile); - /* 2500 bytes should be more than enough to read the entire files. - * Error out if we can't read the file all at once. */ - if (sz == sizeof(buf) || sz == 0) - goto cleanup; - - if (XFWRITE(buf, 1, sz, outFile) != sz) - goto cleanup; + while ((sz = XFREAD(buf, 1, sizeof(buf), inFile)) != 0) { + if (XFWRITE(buf, 1, sz, outFile) != sz) + goto cleanup; + } ret = 0; cleanup: From 2feec887027e119256ba5e3b6042d4e697411f93 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 3 Jul 2023 14:40:48 +0200 Subject: [PATCH 7/9] Add comment explaining threading usage --- wolfssl/wolfcrypt/types.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index dc0eff721..8deca1b89 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -1391,6 +1391,12 @@ typedef struct w64wrapper { #define INVALID_THREAD_VAL ((THREAD_TYPE)(-1)) #endif + /* Internal wolfSSL threading interface. It does NOT need to be ported + * during initial porting efforts. + * + * It is currently used for: + * - CRL monitor */ + WOLFSSL_LOCAL int wolfSSL_NewThread(THREAD_TYPE* thread, THREAD_CB cb, void* arg); WOLFSSL_LOCAL int wolfSSL_JoinThread(THREAD_TYPE thread); From f58539581d4e52fec8252bd51119ef08a6e3b42a Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 4 Jul 2023 13:24:00 +0200 Subject: [PATCH 8/9] Fix DoMonitor for Mac/BSD --- src/crl.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/crl.c b/src/crl.c index 6fd82c986..0bb061b7a 100644 --- a/src/crl.c +++ b/src/crl.c @@ -1036,7 +1036,7 @@ static int SwapLists(WOLFSSL_CRL* crl) #ifdef __MACH__ #define XEVENT_MODE O_EVTONLY #elif defined(__FreeBSD__) - #define XEVENT_MODE EVFILT_VNODE + #define XEVENT_MODE O_RDONLY #endif @@ -1115,11 +1115,11 @@ static THREAD_RETURN WOLFSSL_THREAD DoMonitor(void* arg) } if (fPEM != -1) - EV_SET(&change, fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, + EV_SET(&change, fPEM, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_CLEAR, NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0); if (fDER != -1) - EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, + EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_CLEAR, NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0); /* signal to calling thread we're setup */ From 7af1f0cf05604f5d30d3a451863181bc9b88dee5 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 4 Jul 2023 13:44:04 +0200 Subject: [PATCH 9/9] Add additional windows logging for DoMonitor --- src/crl.c | 27 ++++++++++++++++++++++++++- wolfcrypt/src/logging.c | 2 +- wolfssl/wolfcrypt/logging.h | 2 +- 3 files changed, 28 insertions(+), 3 deletions(-) diff --git a/src/crl.c b/src/crl.c index 0bb061b7a..b32eae19e 100644 --- a/src/crl.c +++ b/src/crl.c @@ -1339,7 +1339,32 @@ static int StopMonitor(wolfSSL_CRL_mfd_t mfd) return 0; } -#define DM_ERROR() do { status = MONITOR_SETUP_E; goto cleanup; } while(0) +#ifdef DEBUG_WOLFSSL +#define SHOW_WINDOWS_ERROR() do { \ + LPVOID lpMsgBuf; \ + DWORD dw = GetLastError(); \ + FormatMessageA( \ + FORMAT_MESSAGE_ALLOCATE_BUFFER | \ + FORMAT_MESSAGE_FROM_SYSTEM | \ + FORMAT_MESSAGE_IGNORE_INSERTS, \ + NULL, \ + dw, \ + MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), \ + (LPSTR) &lpMsgBuf, \ + 0, NULL ); \ + WOLFSSL_MSG_EX("DoMonitor failed with error %d: %s\n", \ + dw, lpMsgBuf); \ + LocalFree(lpMsgBuf); \ +} while(0) +#else +#define SHOW_WINDOWS_ERROR() +#endif + +#define DM_ERROR() do { \ + SHOW_WINDOWS_ERROR(); \ + status = MONITOR_SETUP_E; \ + goto cleanup; \ +} while(0) /* windows monitoring * Tested initially by hand by running diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index 04d218d17..88d019d06 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -323,7 +323,7 @@ static void wolfssl_log(const int logLevel, const char *const logMessage) #ifndef WOLFSSL_DEBUG_ERRORS_ONLY -#if !defined(_WIN32) && defined(XVSNPRINTF) && !defined(NO_WOLFSSL_MSG_EX) +#if defined(XVSNPRINTF) && !defined(NO_WOLFSSL_MSG_EX) #include /* for var args */ #ifndef WOLFSSL_MSG_EX_BUF_SZ #define WOLFSSL_MSG_EX_BUF_SZ 100 diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h index d47abec87..8100b8b10 100644 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -166,7 +166,7 @@ WOLFSSL_API void wolfSSL_Debugging_OFF(void); #define WOLFSSL_STUB(m) \ WOLFSSL_MSG(WOLFSSL_LOG_CAT(wolfSSL Stub, m, not implemented)) WOLFSSL_API int WOLFSSL_IS_DEBUG_ON(void); -#if !defined(_WIN32) && defined(XVSNPRINTF) +#if defined(XVSNPRINTF) WOLFSSL_API void WOLFSSL_MSG_EX(const char* fmt, ...); #define HAVE_WOLFSSL_MSG_EX #else