diff --git a/configure.ac b/configure.ac index 36fcc6d19..b5115d440 100644 --- a/configure.ac +++ b/configure.ac @@ -2501,6 +2501,77 @@ then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STACK_LOG -finstrument-functions" fi + +ENABLED_WOLFSENTRY=no + +AC_ARG_WITH([wolfsentry], + [AS_HELP_STRING([--with-wolfsentry=PATH],[PATH to directory with wolfSentry installation])], + [WOLFSENTRY_INSTALLDIR=$withval], + [WOLFSENTRY_INSTALLDIR=""]) + +AC_ARG_WITH([wolfsentry-lib], + [AS_HELP_STRING([--with-wolfsentry-lib=PATH],[PATH to directory with wolfSentry library])], + [WOLFSENTRY_LIB=$withval], + [WOLFSENTRY_LIB=""]) + +AC_ARG_WITH([wolfsentry-include], + [AS_HELP_STRING([--with-wolfsentry-include=PATH],[PATH to directory with wolfSentry header files])], + [WOLFSENTRY_INCLUDE=$withval], + [WOLFSENTRY_INCLUDE=""]) + +if test -n "$WOLFSENTRY_INSTALLDIR" || test -n "$WOLFSENTRY_LIB" || test -n "$WOLFSENTRY_INCLUDE" +then + ENABLED_WOLFSENTRY=yes +fi + +AC_ARG_ENABLE([wolfsentry], + [AS_HELP_STRING([--enable-wolfsentry],[Enable wolfSentry hooks and plugins (default: disabled)])], + [ ENABLED_WOLFSENTRY=$enableval ], + [ ] + ) + +if test "$WOLFSENTRY_LIB" = "" && test -n "$WOLFSENTRY_INSTALLDIR" +then + WOLFSENTRY_LIB="${WOLFSENTRY_INSTALLDIR}/lib" +fi + +if test "$WOLFSENTRY_INCLUDE" = "" && test -n "$WOLFSENTRY_INSTALLDIR" +then + WOLFSENTRY_INCLUDE="${WOLFSENTRY_INSTALLDIR}/include" +fi + +if test -n "$WOLFSENTRY_LIB" +then + AC_MSG_CHECKING([for $WOLFSENTRY_LIB]) + if ! test -d "$WOLFSENTRY_LIB" + then + AC_MSG_ERROR([wolfSentry lib dir $WOLFSENTRY_LIB not found.]) + fi + AC_MSG_RESULT([yes]) + WOLFSENTRY_LIB="-L$WOLFSENTRY_LIB" +fi + +if test -n "$WOLFSENTRY_INCLUDE" +then + AC_MSG_CHECKING([for $WOLFSENTRY_INCLUDE]) + if ! test -d "$WOLFSENTRY_INCLUDE" + then + AC_MSG_ERROR([wolfSentry include dir $WOLFSENTRY_INCLUDE not found.]) + fi + AC_MSG_RESULT([yes]) + WOLFSENTRY_INCLUDE="-I$WOLFSENTRY_INCLUDE" +fi + +if test "$ENABLED_WOLFSENTRY" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS -DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS" + WOLFSENTRY_LIB="$WOLFSENTRY_LIB -lwolfsentry" +fi + +AC_SUBST([WOLFSENTRY_LIB]) +AC_SUBST([WOLFSENTRY_INCLUDE]) + + if test "$ENABLED_QT" = "yes" then # Requires opensslextra and opensslall @@ -6567,8 +6638,8 @@ echo " * DSA: $ENABLED_DSA" echo " * DH: $ENABLED_DH" echo " * DH Default Parameters: $ENABLED_DHDEFAULTPARAMS" echo " * ECC: $ENABLED_ECC" -echo " * ECC Custom Curves $ENABLED_ECCCUSTCURVES" -echo " * ECC Minimum Bits $ENABLED_ECCMINSZ" +echo " * ECC Custom Curves: $ENABLED_ECCCUSTCURVES" +echo " * ECC Minimum Bits: $ENABLED_ECCMINSZ" echo " * CURVE25519: $ENABLED_CURVE25519" echo " * ED25519: $ENABLED_ED25519" echo " * CURVE448: $ENABLED_CURVE448" @@ -6582,6 +6653,7 @@ echo " * Anonymous cipher: $ENABLED_ANON" echo " * CODING: $ENABLED_CODING" echo " * MEMORY: $ENABLED_MEMORY" echo " * I/O POOL: $ENABLED_IOPOOL" +echo " * wolfSentry: $ENABLED_WOLFSENTRY" echo " * LIGHTY: $ENABLED_LIGHTY" echo " * HAPROXY: $ENABLED_HAPROXY" echo " * STUNNEL: $ENABLED_STUNNEL" @@ -6589,8 +6661,8 @@ echo " * Apache httpd: $ENABLED_APACHE_HTTPD" echo " * NGINX: $ENABLED_NGINX" echo " * ASIO: $ENABLED_ASIO" echo " * LIBWEBSOCKETS: $ENABLED_LIBWEBSOCKETS" -echo " * Qt $ENABLED_QT" -echo " * Qt Unit Testing $ENABLED_QT_TEST" +echo " * Qt: $ENABLED_QT" +echo " * Qt Unit Testing: $ENABLED_QT_TEST" echo " * SIGNAL: $ENABLED_SIGNAL" echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" echo " * DTLS: $ENABLED_DTLS" @@ -6631,12 +6703,12 @@ echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION" echo " * Fallback SCSV: $ENABLED_FALLBACK_SCSV" echo " * Keying Material Exporter: $ENABLED_KEYING_MATERIAL" echo " * All TLS Extensions: $ENABLED_TLSX" -echo " * PKCS#7 $ENABLED_PKCS7" -echo " * S/MIME $ENABLED_SMIME" -echo " * wolfSSH $ENABLED_WOLFSSH" -echo " * wolfTPM $ENABLED_WOLFTPM" -echo " * wolfSCEP $ENABLED_WOLFSCEP" -echo " * Secure Remote Password $ENABLED_SRP" +echo " * PKCS#7: $ENABLED_PKCS7" +echo " * S/MIME: $ENABLED_SMIME" +echo " * wolfSSH: $ENABLED_WOLFSSH" +echo " * wolfTPM: $ENABLED_WOLFTPM" +echo " * wolfSCEP: $ENABLED_WOLFSCEP" +echo " * Secure Remote Password: $ENABLED_SRP" echo " * Small Stack: $ENABLED_SMALL_STACK" echo " * Linux Kernel Module: $ENABLED_LINUXKM" echo " * valgrind unit tests: $ENABLED_VALGRIND" diff --git a/examples/server/include.am b/examples/server/include.am index 8a3d75119..4de1e2837 100644 --- a/examples/server/include.am +++ b/examples/server/include.am @@ -7,8 +7,9 @@ if BUILD_EXAMPLE_SERVERS noinst_PROGRAMS += examples/server/server noinst_HEADERS += examples/server/server.h examples_server_server_SOURCES = examples/server/server.c -examples_server_server_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) +examples_server_server_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB) examples_server_server_DEPENDENCIES = src/libwolfssl.la +examples_server_server_CFLAGS = $(WOLFSENTRY_INCLUDE) endif EXTRA_DIST += examples/server/server.sln EXTRA_DIST += examples/server/server-ntru.vcproj diff --git a/examples/server/server.c b/examples/server/server.c index 6a12e2cd2..c00de430c 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -35,6 +35,10 @@ #include /* wc_ecc_fp_free */ #endif +#ifdef WOLFSSL_WOLFSENTRY_HOOKS +# include +#endif + #if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) #include #include @@ -276,6 +280,136 @@ static int TestEmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx) #endif /* WOLFSSL_DTLS */ +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + +struct wolfsentry_data { + struct wolfsentry_sockaddr remote; + byte remote_addrbuf[16]; + struct wolfsentry_sockaddr local; + byte local_addrbuf[16]; + wolfsentry_route_flags_t flags; + void *heap; + int alloctype; +}; + +static void free_wolfsentry_data(struct wolfsentry_data *data) { + XFREE(data, data->heap, data->alloctype); +} + +static int wolfsentry_data_index = -1; + +static int wolfsentry_store_endpoints( + WOLFSSL *ssl, + SOCKADDR_IN_T *remote, + SOCKADDR_IN_T *local, + int proto, + wolfsentry_route_flags_t flags) +{ + struct wolfsentry_data *data = (struct wolfsentry_data *)XMALLOC( + sizeof *data, NULL, DYNAMIC_TYPE_SOCKADDR); + if (data == NULL) + return WOLFSSL_FAILURE; + + data->heap = NULL; + data->alloctype = DYNAMIC_TYPE_SOCKADDR; + +#ifdef TEST_IPV6 + if ((sizeof data->remote_addrbuf < sizeof remote->sin6_addr) || + (sizeof data->local_addrbuf < sizeof local->sin6_addr)) + return WOLFSSL_FAILURE; + data->remote.sa_family = data->local.sa_family = remote->sin6_family; + data->remote.sa_port = ntohs(remote->sin6_port); + data->local.sa_port = ntohs(local->sin6_port); + data->remote.addr_len = sizeof remote->sin6_addr * BITS_PER_BYTE; + XMEMCPY(data->remote.addr, &remote->sin6_addr, sizeof remote->sin6_addr); + data->local.addr_len = sizeof local->sin6_addr * BITS_PER_BYTE; + XMEMCPY(data->local.addr, &local->sin6_addr, sizeof local->sin6_addr); +#else + if ((sizeof data->remote_addrbuf < sizeof remote->sin_addr) || + (sizeof data->local_addrbuf < sizeof local->sin_addr)) + return WOLFSSL_FAILURE; + data->remote.sa_family = data->local.sa_family = remote->sin_family; + data->remote.sa_port = ntohs(remote->sin_port); + data->local.sa_port = ntohs(local->sin_port); + data->remote.addr_len = sizeof remote->sin_addr * BITS_PER_BYTE; + XMEMCPY(data->remote.addr, &remote->sin_addr, sizeof remote->sin_addr); + data->local.addr_len = sizeof local->sin_addr * BITS_PER_BYTE; + XMEMCPY(data->local.addr, &local->sin_addr, sizeof local->sin_addr); +#endif + data->remote.sa_proto = data->local.sa_proto = proto; + data->remote.interface = data->local.interface = 0; + data->flags = flags; + + if (wolfSSL_set_ex_data_with_cleanup( + ssl, wolfsentry_data_index, data, + (wolfSSL_ex_data_cleanup_routine_t)free_wolfsentry_data) != + WOLFSSL_SUCCESS) { + free_wolfsentry_data(data); + return WOLFSSL_FAILURE; + } + + return WOLFSSL_SUCCESS; +} + +static int wolfSentry_NetworkFilterCallback( + WOLFSSL *ssl, + struct wolfsentry_context *wolfsentry, + wolfSSL_netfilter_decision_t *decision) +{ + struct wolfsentry_data *data; + char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; + wolfsentry_errcode_t ret; + wolfsentry_action_res_t action_results; + + if ((data = wolfSSL_get_ex_data(ssl, wolfsentry_data_index)) == NULL) + return WOLFSSL_FAILURE; + + ret = wolfsentry_route_event_dispatch( + wolfsentry, + &data->remote, + &data->local, + data->flags, + NULL /* event_label */, + 0 /* event_label_len */, + NULL /* caller_context */, + NULL /* id */, + NULL /* inexact_matches */, + &action_results); + + if (ret >= 0) { + if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT)) + *decision = WOLFSSL_NETFILTER_REJECT; + else if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_ACCEPT)) + *decision = WOLFSSL_NETFILTER_ACCEPT; + else + *decision = WOLFSSL_NETFILTER_PASS; + } else { + printf("wolfsentry_route_event_dispatch error " + WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); + *decision = WOLFSSL_NETFILTER_PASS; + } + + printf("wolfSentry got network filter callback: family=%d proto=%d rport=%d" + "lport=%d raddr=%s laddr=%s interface=%d; decision=%d (%s)\n", + data->remote.sa_family, + data->remote.sa_proto, + data->remote.sa_port, + data->local.sa_port, + inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf, + sizeof inet_ntop_buf), + inet_ntop(data->local.sa_family, data->local.addr, inet_ntop_buf2, + sizeof inet_ntop_buf2), + data->remote.interface, + *decision, + *decision == WOLFSSL_NETFILTER_REJECT ? "REJECT" : + *decision == WOLFSSL_NETFILTER_ACCEPT ? "ACCEPT" : + *decision == WOLFSSL_NETFILTER_PASS ? "PASS" : + "???"); + + return WOLFSSL_SUCCESS; +} + +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ static int NonBlockingSSL_Accept(SSL* ssl) { @@ -1001,10 +1135,16 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) { SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID; SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID; + SOCKADDR_IN_T client_addr; + socklen_t client_len; wolfSSL_method_func method = NULL; SSL_CTX* ctx = 0; SSL* ssl = 0; +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + struct wolfsentry_context *wolfsentry = NULL; + wolfsentry_errcode_t wolfsentry_ret; +#endif int useWebServerMsg = 0; char input[SRV_READ_SZ]; @@ -1840,6 +1980,89 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (ctx == NULL) err_sys_ex(catastrophic, "unable to get ctx"); +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + wolfsentry_ret = wolfsentry_init(NULL /* hpi */, NULL /* default config */, + &wolfsentry); + if (wolfsentry_ret < 0) { + fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n", + WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); + err_sys_ex(catastrophic, "unable to initialize wolfSentry"); + } + + if (wolfsentry_data_index < 0) + wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL, + NULL); + + { + struct wolfsentry_route_table *table; + + if ((wolfsentry_ret = wolfsentry_route_get_table_static(wolfsentry, + &table)) < 0) + fprintf(stderr, "wolfsentry_route_get_table_static() returned " + WOLFSENTRY_ERROR_FMT "\n", + WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); + if (wolfsentry_ret >= 0) { + if ((wolfsentry_ret = wolfsentry_route_table_default_policy_set( + wolfsentry, table, + WOLFSENTRY_ACTION_RES_REJECT|WOLFSENTRY_ACTION_RES_STOP)) + < 0) + fprintf(stderr, + "wolfsentry_route_table_default_policy_set() returned " + WOLFSENTRY_ERROR_FMT "\n", + WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); + } + + if (wolfsentry_ret >= 0) { + struct { + struct wolfsentry_sockaddr sa; + byte buf[16]; + } remote, local; + wolfsentry_ent_id_t id; + wolfsentry_action_res_t action_results; + + memset(&remote, 0, sizeof remote); + memset(&local, 0, sizeof local); +#ifdef TEST_IPV6 + remote.sa.sa_family = local.sa.sa_family = AF_INET6; + remote.sa.addr_len = 128; + memcpy(remote.sa.addr, "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\001", 16); +#else + remote.sa.sa_family = local.sa.sa_family = AF_INET; + remote.sa.addr_len = 32; + memcpy(remote.sa.addr, "\177\000\000\001", 4); +#endif + + if ((wolfsentry_ret = wolfsentry_route_insert_static + (wolfsentry, NULL /* caller_context */, &remote.sa, &local.sa, + WOLFSENTRY_ROUTE_FLAG_GREENLISTED | + WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN | + WOLFSENTRY_ROUTE_FLAG_TRIGGER_WILDCARD | + WOLFSENTRY_ROUTE_FLAG_REMOTE_INTERFACE_WILDCARD| + WOLFSENTRY_ROUTE_FLAG_LOCAL_INTERFACE_WILDCARD | + WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_ADDR_WILDCARD | + WOLFSENTRY_ROUTE_FLAG_SA_PROTO_WILDCARD | + WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_PORT_WILDCARD | + WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_PORT_WILDCARD, + 0 /* event_label_len */, 0 /* event_label */, &id, + &action_results)) < 0) + fprintf(stderr, "wolfsentry_route_insert_static() returned " + WOLFSENTRY_ERROR_FMT "\n", + WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); + } + + if (wolfsentry_ret < 0) + err_sys_ex(catastrophic, "unable to configure route table"); + } + + + if (wolfSSL_CTX_set_AcceptFilter( + ctx, + (NetworkFilterCallback_t)wolfSentry_NetworkFilterCallback, + wolfsentry) < 0) + err_sys_ex(catastrophic, + "unable to install wolfSentry_NetworkFilterCallback"); +#endif + if (simulateWantWrite) { wolfSSL_CTX_SetIOSend(ctx, SimulateWantWriteIOSendCb); @@ -2157,9 +2380,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) /* allow resume option */ if (resumeCount > 1) { if (dtlsUDP == 0) { - SOCKADDR_IN_T client; - socklen_t client_len = sizeof(client); - clientfd = accept(sockfd, (struct sockaddr*)&client, + client_len = sizeof client_addr; + clientfd = accept(sockfd, (struct sockaddr*)&client_addr, (ACCEPT_THIRD_T)&client_len); } else { @@ -2468,8 +2690,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (readySignal) { readySignal->srfName = serverReadyFile; } + + client_len = sizeof client_addr; tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr, - dtlsUDP, dtlsSCTP, serverReadyFile ? 1 : 0, doListen); + dtlsUDP, dtlsSCTP, serverReadyFile ? 1 : 0, doListen, + &client_addr, &client_len); + doListen = 0; /* Don't listen next time */ if (port == 0) { @@ -2498,32 +2724,54 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #ifdef WOLFSSL_DTLS if (doDTLS && dtlsUDP) { - SOCKADDR_IN_T cliaddr; byte b[1500]; int n; - socklen_t len = sizeof(cliaddr); + + client_len = sizeof client_addr; /* For DTLS, peek at the next datagram so we can get the client's * address and set it into the ssl object later to generate the * cookie. */ n = (int)recvfrom(clientfd, (char*)b, sizeof(b), MSG_PEEK, - (struct sockaddr*)&cliaddr, &len); + (struct sockaddr*)&client_addr, &client_len); if (n <= 0) err_sys_ex(runWithErrors, "recvfrom failed"); if (doBlockSeq) { - XMEMCPY(&dtlsCtx.peer.sa, &cliaddr, len); - dtlsCtx.peer.sz = len; + XMEMCPY(&dtlsCtx.peer.sa, &client_addr, client_len); + dtlsCtx.peer.sz = client_len; dtlsCtx.wfd = clientfd; dtlsCtx.failOnce = 1; wolfSSL_SetIOWriteCtx(ssl, &dtlsCtx); } else { - wolfSSL_dtls_set_peer(ssl, &cliaddr, len); + wolfSSL_dtls_set_peer(ssl, &client_addr, client_len); } } #endif + +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + { + SOCKADDR_IN_T local_addr; + socklen_t local_len = sizeof(local_addr); + getsockname(clientfd, (struct sockaddr *)&local_addr, + (socklen_t *)&local_len); + + if (((struct sockaddr *)&client_addr)->sa_family != + ((struct sockaddr *)&local_addr)->sa_family) + err_sys_ex(catastrophic, + "client_addr.sa_family != local_addr.sa_family"); + + if (wolfsentry_store_endpoints( + ssl, &client_addr, &local_addr, + dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP, + WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) != WOLFSSL_SUCCESS) + err_sys_ex(catastrophic, + "error in wolfsentry_store_endpoints()"); + } +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ + if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL || needDH == 1) { #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN) @@ -2905,6 +3153,15 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) exit: +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + wolfsentry_ret = wolfsentry_shutdown(&wolfsentry); + if (wolfsentry_ret < 0) { + fprintf(stderr, + "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT "\n", + WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); + } +#endif + #if defined(HAVE_ECC) && defined(FP_ECC) && defined(HAVE_THREAD_LS) \ && (defined(NO_MAIN_DRIVER) || defined(HAVE_STACK_SIZE)) wc_ecc_fp_free(); /* free per thread cache */ diff --git a/src/internal.c b/src/internal.c index a07ec266c..fcf5a49f3 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1883,6 +1883,17 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) return ret; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data) +{ + int n_ex_data = (int)(sizeof ex_data->ex_data / sizeof ex_data->ex_data[0]); + for (--n_ex_data; n_ex_data >= 0; --n_ex_data) { + if (ex_data->ex_data[n_ex_data] != NULL) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(ex_data, n_ex_data, + NULL, NULL); + } +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ /* In case contexts are held in array and don't want to free actual ctx */ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) @@ -1892,6 +1903,10 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) int i; #endif +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data); +#endif + #ifdef HAVE_WOLF_EVENT wolfEventQueue_Free(&ctx->event_queue); #endif /* HAVE_WOLF_EVENT */ @@ -5581,6 +5596,11 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #endif #endif +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + ssl->AcceptFilter = ctx->AcceptFilter; + ssl->AcceptFilter_arg = ctx->AcceptFilter_arg; +#endif + ssl->CBIORecv = ctx->CBIORecv; ssl->CBIOSend = ctx->CBIOSend; #ifdef OPENSSL_EXTRA @@ -6418,6 +6438,10 @@ void SSL_ResourceFree(WOLFSSL* ssl) * example with the RNG, it isn't used beyond the handshake except when * using stream ciphers where it is retained. */ +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_CRYPTO_cleanup_ex_data(&ssl->ex_data); +#endif + FreeCiphers(ssl); FreeArrays(ssl, 0); FreeKeyExchange(ssl); @@ -19438,7 +19462,10 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case TOO_MUCH_EARLY_DATA: return "Too much early data"; - + + case SOCKET_FILTERED_E: + return "Session stopped by network filter"; + default : return "unknown error number"; } diff --git a/src/ssl.c b/src/ssl.c index e859db143..4f557898f 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1013,6 +1013,34 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req) } #endif /* NO_CERTS */ +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + +int wolfSSL_CTX_set_AcceptFilter( + WOLFSSL_CTX *ctx, + NetworkFilterCallback_t AcceptFilter, + void *AcceptFilter_arg) +{ + if (ctx == NULL) + return BAD_FUNC_ARG; + ctx->AcceptFilter = AcceptFilter; + ctx->AcceptFilter_arg = AcceptFilter_arg; + return WOLFSSL_SUCCESS; +} + +int wolfSSL_set_AcceptFilter( + WOLFSSL *ssl, + NetworkFilterCallback_t AcceptFilter, + void *AcceptFilter_arg) +{ + if (ssl == NULL) + return BAD_FUNC_ARG; + ssl->AcceptFilter = AcceptFilter; + ssl->AcceptFilter_arg = AcceptFilter_arg; + return WOLFSSL_SUCCESS; +} + +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ + #ifndef WOLFSSL_LEANPSK int wolfSSL_dtls_set_peer(WOLFSSL* ssl, void* peer, unsigned int peerSz) { @@ -12898,6 +12926,18 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, } #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */ +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + if (ssl->AcceptFilter) { + wolfSSL_netfilter_decision_t res; + if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == + WOLFSSL_SUCCESS) && + (res == WOLFSSL_NETFILTER_REJECT)) { + WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); + return WOLFSSL_FATAL_ERROR; + } + } +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ + #if defined(WOLFSSL_NO_TLS12) && defined(NO_OLD_TLS) && defined(WOLFSSL_TLS13) return wolfSSL_accept_TLSv13(ssl); #else @@ -16276,7 +16316,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) /* unchain?, doesn't matter in goahead since from free all */ WOLFSSL_ENTER("wolfSSL_BIO_free"); if (bio) { - +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_CRYPTO_cleanup_ex_data(&bio->ex_data); +#endif if (bio->infoCb) { /* info callback is called before free */ ret = (int)bio->infoCb(bio, WOLFSSL_BIO_CB_FREE, NULL, 0, 0, 1); @@ -18721,6 +18763,9 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) WOLFSSL_ENTER("ExternalFreeX509"); if (x509) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_CRYPTO_cleanup_ex_data(&x509->ex_data); +#endif if (x509->dynamicMemory) { #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) if (wc_LockMutex(&x509->refMutex) != 0) { @@ -21921,6 +21966,10 @@ void FreeSession(WOLFSSL_SESSION* session, int isAlloced) if (session == NULL) return; +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_CRYPTO_cleanup_ex_data(&session->ex_data); +#endif + #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) if (session->peer) { wolfSSL_X509_free(session->peer); @@ -24698,6 +24747,31 @@ int wolfSSL_BIO_set_ex_data(WOLFSSL_BIO *bio, int idx, void *data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +/* Set ex_data for WOLFSSL_BIO + * + * bio : BIO structure to set ex_data in + * idx : Index of ex_data to set + * data : Data to set in ex_data + * cleanup_routine : Function pointer to clean up data + * + * Returns WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE on failure + */ +int wolfSSL_BIO_set_ex_data_with_cleanup( + WOLFSSL_BIO *bio, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_BIO_set_ex_data_with_cleanup"); + if (bio != NULL && idx < MAX_EX_DATA) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&bio->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + /* Get ex_data in WOLFSSL_BIO at given index * * bio : BIO structure to get ex_data from @@ -26017,7 +26091,14 @@ err_exit: void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) { - if (store != NULL && store->isDynamic) { + if (store == NULL) + return; + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_CRYPTO_cleanup_ex_data(&store->ex_data); +#endif + + if (store->isDynamic) { if (store->cm != NULL) { wolfSSL_CertManagerFree(store->cm); store->cm = NULL; @@ -26042,6 +26123,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE); } } + /** * Get ex_data in WOLFSSL_STORE at given index * @param store a pointer to WOLFSSL_X509_STORE structure @@ -26061,6 +26143,7 @@ void* wolfSSL_X509_STORE_get_ex_data(WOLFSSL_X509_STORE* store, int idx) #endif return NULL; } + /** * Set ex_data for WOLFSSL_STORE * @param store a pointer to WOLFSSL_X509_STORE structure @@ -26083,6 +26166,31 @@ int wolfSSL_X509_STORE_set_ex_data(WOLFSSL_X509_STORE* store, int idx, #endif return WOLFSSL_FAILURE; } + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +/** + * Set ex_data for WOLFSSL_STORE + * @param store a pointer to WOLFSSL_X509_STORE structure + * @param idx Index of ex data to set + * @param data Data to set in ex data + * @return WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE on failure + */ +int wolfSSL_X509_STORE_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE* store, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_X509_STORE_set_ex_data_with_cleanup"); + if (store != NULL && idx < MAX_EX_DATA) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&store->ex_data, idx, + data, cleanup_routine); + } + return WOLFSSL_FAILURE; +} + +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ #ifdef OPENSSL_EXTRA @@ -26204,6 +26312,9 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx) { WOLFSSL_ENTER("X509_STORE_CTX_free"); if (ctx != NULL) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data); +#endif #ifdef OPENSSL_EXTRA if (ctx->param != NULL){ XFREE(ctx->param,NULL,DYNAMIC_TYPE_OPENSSL); @@ -27562,6 +27673,25 @@ int wolfSSL_X509_STORE_CTX_set_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx, return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +/* set X509_STORE_CTX ex_data, max idx is MAX_EX_DATA. Return WOLFSSL_SUCCESS + * on success, WOLFSSL_FAILURE on error. */ +int wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE_CTX* ctx, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup"); + if (ctx != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) void wolfSSL_X509_STORE_CTX_set_depth(WOLFSSL_X509_STORE_CTX* ctx, int depth) { @@ -40286,6 +40416,22 @@ int wolfSSL_RSA_set_ex_data(WOLFSSL_RSA *rsa, int idx, void *data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_RSA_set_ex_data_with_cleanup( + WOLFSSL_RSA *rsa, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_RSA_set_ex_data_with_cleanup"); + if (rsa) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&rsa->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + int wolfSSL_RSA_set0_key(WOLFSSL_RSA *r, WOLFSSL_BIGNUM *n, WOLFSSL_BIGNUM *e, WOLFSSL_BIGNUM *d) { @@ -44669,9 +44815,7 @@ int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) #endif /* OPENSSL_EXTRA */ -#if ((defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && defined(HAVE_EX_DATA)) || \ - defined(FORTRESS) || \ - defined(WOLFSSL_WPAS_SMALL) +#if defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL) void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) { WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); @@ -44739,7 +44883,24 @@ int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data) return WOLFSSL_FAILURE; } -#endif /* ((OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) && HAVE_EX_DATA) || FORTRESS || WOLFSSL_WPAS_SMALL */ +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_CTX_set_ex_data_with_cleanup( + WOLFSSL_CTX* ctx, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_CTX_set_ex_data_with_cleanup"); + if (ctx != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + +#endif /* defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL) */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) @@ -44771,8 +44932,8 @@ int wolfSSL_set_app_data(WOLFSSL *ssl, void* arg) { #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(WOLFSSL_WPAS_SMALL) +#if defined(HAVE_EX_DATA) || defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL) int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) { @@ -44791,6 +44952,23 @@ int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_set_ex_data_with_cleanup( + WOLFSSL* ssl, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_set_ex_data_with_cleanup"); + if (ssl != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ssl->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) { WOLFSSL_ENTER("wolfSSL_get_ex_data"); @@ -46417,6 +46595,22 @@ int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_SESSION_set_ex_data_with_cleanup( + WOLFSSL_SESSION* session, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_SESSION_set_ex_data_with_cleanup"); + if(session != NULL) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&session->ex_data, idx, + data, cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION* session, int idx) { WOLFSSL_ENTER("wolfSSL_SESSION_get_ex_data"); @@ -48641,8 +48835,6 @@ int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c) } #endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(WOLFSSL_WPAS_SMALL) #if defined(HAVE_EX_DATA) || defined(FORTRESS) void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx) { @@ -48663,6 +48855,13 @@ int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *d WOLFSSL_ENTER("wolfSSL_CRYPTO_set_ex_data"); #ifdef MAX_EX_DATA if (ex_data && idx < MAX_EX_DATA && idx >= 0) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + if (ex_data->ex_data_cleanup_routines[idx]) { + if (ex_data->ex_data[idx]) + ex_data->ex_data_cleanup_routines[idx](ex_data->ex_data[idx]); + ex_data->ex_data_cleanup_routines[idx] = NULL; + } +#endif ex_data->ex_data[idx] = data; return WOLFSSL_SUCCESS; } @@ -48673,8 +48872,30 @@ int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *d #endif return WOLFSSL_FAILURE; } + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_CRYPTO_set_ex_data_with_cleanup( + WOLFSSL_CRYPTO_EX_DATA* ex_data, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_CRYPTO_set_ex_data_with_cleanup"); + if (ex_data && idx < MAX_EX_DATA && idx >= 0) { + if (ex_data->ex_data_cleanup_routines[idx] && ex_data->ex_data[idx]) + ex_data->ex_data_cleanup_routines[idx](ex_data->ex_data[idx]); + ex_data->ex_data[idx] = data; + ex_data->ex_data_cleanup_routines[idx] = cleanup_routine; + return WOLFSSL_SUCCESS; + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #endif /* HAVE_EX_DATA || FORTRESS */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(WOLFSSL_WPAS_SMALL) void *wolfSSL_X509_get_ex_data(X509 *x509, int idx) { WOLFSSL_ENTER("wolfSSL_X509_get_ex_data"); @@ -48704,6 +48925,24 @@ int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data) #endif return WOLFSSL_FAILURE; } + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_X509_set_ex_data_with_cleanup( + X509 *x509, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_X509_set_ex_data_with_cleanup"); + if (x509 != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&x509->ex_data, idx, + data, cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ @@ -53211,6 +53450,9 @@ void wolfSSL_RSA_free(WOLFSSL_RSA* rsa) WOLFSSL_ENTER("wolfSSL_RSA_free"); if (rsa) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_CRYPTO_cleanup_ex_data(&rsa->ex_data); +#endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) int doFree = 0; if (wc_LockMutex(&rsa->refMutex) != 0) { diff --git a/src/tls13.c b/src/tls13.c index 1097cf385..fd686a747 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -8356,6 +8356,18 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) return WOLFSSL_FATAL_ERROR; } +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + if (ssl->AcceptFilter) { + wolfSSL_netfilter_decision_t res; + if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == + WOLFSSL_SUCCESS) && + (res == WOLFSSL_NETFILTER_REJECT)) { + WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); + return WOLFSSL_FATAL_ERROR; + } + } +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ + #ifndef NO_CERTS /* allow no private key if using PK callbacks and CB is set */ if (!havePSK) { diff --git a/tests/api.c b/tests/api.c index a7b0acfe1..cf2fea238 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2777,7 +2777,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) #endif /* do it here to detect failure */ - tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1); + tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0); CloseSocket(sockfd); wolfSSL_CTX_set_verify(ctx, @@ -3072,7 +3072,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_loop(void* args) cbf->ssl_ready(ssl); } /* do it here to detect failure */ - tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1); + tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0); CloseSocket(sockfd); if (wolfSSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS) { /*err_sys("SSL_set_fd failed");*/ @@ -3641,14 +3641,14 @@ static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args) socklen_t cliLen; cliLen = sizeof(cliAddr); - tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 1, 0, 0, 0); + tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 1, 0, 0, 0, 0, 0); idx = (int)recvfrom(sfd, input, sizeof(input), MSG_PEEK, (struct sockaddr*)&cliAddr, &cliLen); AssertIntGT(idx, 0); wolfSSL_dtls_set_peer(ssl, &cliAddr, cliLen); } else { - tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1); + tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0); CloseSocket(sfd); } @@ -42358,7 +42358,7 @@ static void test_wolfSSL_CTX_get_min_proto_version(void) #endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) */ } -static void test_wolfSSL_security_level() +static void test_wolfSSL_security_level(void) { #if defined(OPENSSL_EXTRA) printf(testingFmt, "test_wolfSSL_security_level()"); @@ -42385,7 +42385,7 @@ static void test_wolfSSL_security_level() #endif } -static void test_wolfSSL_SSL_in_init() +static void test_wolfSSL_SSL_in_init(void) { #if defined(OPENSSL_ALL) && !defined(NO_BIO) printf(testingFmt, "test_wolfSSL_SSL_in_init()"); @@ -42432,7 +42432,7 @@ static void test_wolfSSL_SSL_in_init() #endif } -static void test_wolfSSL_EC_curve() +static void test_wolfSSL_EC_curve(void) { #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) printf(testingFmt, "test_wolfSSL_EC_curve()"); @@ -42448,7 +42448,7 @@ static void test_wolfSSL_EC_curve() #endif } -static void test_wolfSSL_OpenSSL_version() +static void test_wolfSSL_OpenSSL_version(void) { #if defined(OPENSSL_EXTRA) printf(testingFmt, "test_wolfSSL_OpenSSL_version()"); @@ -42522,7 +42522,7 @@ static void test_wolfSSL_CRYPTO_get_ex_new_index(void) #endif } -static void test_wolfSSL_set_psk_use_session_callback() +static void test_wolfSSL_set_psk_use_session_callback(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_PSK) printf(testingFmt, "test_wolfSSL_set_psk_use_session_callback()"); diff --git a/tests/include.am b/tests/include.am index 0601a0a6e..6a49cac42 100644 --- a/tests/include.am +++ b/tests/include.am @@ -13,8 +13,8 @@ tests_unit_test_SOURCES = \ tests/srp.c \ examples/client/client.c \ examples/server/server.c -tests_unit_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) -tests_unit_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) +tests_unit_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) $(WOLFSENTRY_INCLUDE) +tests_unit_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB) tests_unit_test_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += tests/unit.h diff --git a/testsuite/include.am b/testsuite/include.am index ed2604427..a3eea3978 100644 --- a/testsuite/include.am +++ b/testsuite/include.am @@ -13,8 +13,8 @@ testsuite_testsuite_test_SOURCES = \ examples/echoserver/echoserver.c \ examples/server/server.c \ testsuite/testsuite.c -testsuite_testsuite_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) -testsuite_testsuite_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) +testsuite_testsuite_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) $(WOLFSENTRY_INCLUDE) +testsuite_testsuite_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB) testsuite_testsuite_test_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += testsuite/testsuite.sln diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 4e2ab6e38..0c3399d3e 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -171,7 +171,9 @@ enum wolfSSL_ErrorCodes { NO_CERT_ERROR = -440, /* TLS1.3 - no cert set error */ APP_DATA_READY = -441, /* DTLS1.2 application data ready for read */ TOO_MUCH_EARLY_DATA = -442, /* Too much Early data */ - + + SOCKET_FILTERED_E = -443, /* Session stopped by network filter */ + /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */ /* begin negotiation parameter errors */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d3ca6c584..9ceb7a1fd 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2860,6 +2860,10 @@ struct WOLFSSL_CTX { CallbackInfoState* CBIS; /* used to get info about SSL state */ WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/ #endif +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + NetworkFilterCallback_t AcceptFilter; + void *AcceptFilter_arg; +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; #ifdef WOLFSSL_DTLS @@ -3039,6 +3043,10 @@ void FreeSSL_Ctx(WOLFSSL_CTX*); WOLFSSL_LOCAL void SSL_CtxResourceFree(WOLFSSL_CTX*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data); +#endif + WOLFSSL_LOCAL int DeriveTlsKeys(WOLFSSL* ssl); WOLFSSL_LOCAL @@ -4075,6 +4083,10 @@ struct WOLFSSL { #ifdef OPENSSL_EXTRA byte cbioFlag; /* WOLFSSL_CBIO_RECV/SEND: CBIORecv/Send is set */ #endif +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + NetworkFilterCallback_t AcceptFilter; + void *AcceptFilter_arg; +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; #ifdef WOLFSSL_STATIC_MEMORY diff --git a/wolfssl/openssl/rsa.h b/wolfssl/openssl/rsa.h index dd07fd49e..af9d3ca5e 100644 --- a/wolfssl/openssl/rsa.h +++ b/wolfssl/openssl/rsa.h @@ -152,7 +152,13 @@ WOLFSSL_API WOLFSSL_RSA* wolfSSL_RSAPublicKey_dup(WOLFSSL_RSA *rsa); WOLFSSL_API void* wolfSSL_RSA_get_ex_data(const WOLFSSL_RSA *rsa, int idx); WOLFSSL_API int wolfSSL_RSA_set_ex_data(WOLFSSL_RSA *rsa, int idx, void *data); - +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_RSA_set_ex_data_with_cleanup( + WOLFSSL_RSA *rsa, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif #define WOLFSSL_RSA_LOAD_PRIVATE 1 #define WOLFSSL_RSA_LOAD_PUBLIC 2 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index bf0fe1201..bdbc846e1 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1143,6 +1143,29 @@ WOLFSSL_API int wolfSSL_export_keying_material(WOLFSSL *ssl, int use_context); #endif /* HAVE_KEYING_MATERIAL */ +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + +typedef enum { + WOLFSSL_NETFILTER_PASS = 0, + WOLFSSL_NETFILTER_ACCEPT = 1, + WOLFSSL_NETFILTER_REJECT = 2 +} wolfSSL_netfilter_decision_t; + +typedef int (*NetworkFilterCallback_t)( + WOLFSSL *ssl, + void *AcceptFilter_arg, + wolfSSL_netfilter_decision_t *decision); +WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter( + WOLFSSL_CTX *ctx, + NetworkFilterCallback_t AcceptFilter, + void *AcceptFilter_arg); +WOLFSSL_API int wolfSSL_set_AcceptFilter( + WOLFSSL *ssl, + NetworkFilterCallback_t AcceptFilter, + void *AcceptFilter_arg); + +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ + /* Nonblocking DTLS helper functions */ WOLFSSL_API void wolfSSL_dtls_set_using_nonblock(WOLFSSL*, int); WOLFSSL_API int wolfSSL_dtls_get_using_nonblock(WOLFSSL*); @@ -1269,6 +1292,13 @@ WOLFSSL_API int wolfSSL_sk_X509_EXTENSION_num(WOLF_STACK_OF(WOLFSSL_X509_EXTENSI WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_sk_X509_EXTENSION_value( WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk, int idx); WOLFSSL_API int wolfSSL_set_ex_data(WOLFSSL*, int, void*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_set_ex_data_with_cleanup( + WOLFSSL* ssl, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API int wolfSSL_get_shutdown(const WOLFSSL*); WOLFSSL_API int wolfSSL_set_rfd(WOLFSSL*, int); WOLFSSL_API int wolfSSL_set_wfd(WOLFSSL*, int); @@ -1351,6 +1381,13 @@ WOLFSSL_API WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_base64(void); WOLFSSL_API void wolfSSL_BIO_set_flags(WOLFSSL_BIO*, int); WOLFSSL_API void wolfSSL_BIO_clear_flags(WOLFSSL_BIO *bio, int flags); WOLFSSL_API int wolfSSL_BIO_set_ex_data(WOLFSSL_BIO *bio, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_BIO_set_ex_data_with_cleanup( + WOLFSSL_BIO *bio, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void *wolfSSL_BIO_get_ex_data(WOLFSSL_BIO *bio, int idx); WOLFSSL_API long wolfSSL_BIO_set_nbio(WOLFSSL_BIO*, long); @@ -1675,10 +1712,24 @@ WOLFSSL_API void* wolfSSL_X509_STORE_CTX_get_ex_data( WOLFSSL_X509_STORE_CTX* ctx, int idx); WOLFSSL_API int wolfSSL_X509_STORE_CTX_set_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE_CTX* ctx, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void* wolfSSL_X509_STORE_get_ex_data( WOLFSSL_X509_STORE* store, int idx); WOLFSSL_API int wolfSSL_X509_STORE_set_ex_data(WOLFSSL_X509_STORE* store, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_X509_STORE_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE* store, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_depth(WOLFSSL_X509_STORE_CTX* ctx, int depth); WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get0_current_issuer( @@ -2237,10 +2288,17 @@ WOLFSSL_API int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *s, const char *s WOLFSSL_API int wolfSSL_sk_num(const WOLFSSL_STACK* sk); WOLFSSL_API void* wolfSSL_sk_value(const WOLFSSL_STACK* sk, int i); -#if (defined(HAVE_EX_DATA) || defined(FORTRESS)) && \ - (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL)) +#if defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL) + WOLFSSL_API void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data_with_cleanup( + WOLFSSL_CRYPTO_EX_DATA* ex_data, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *data); #endif @@ -2248,6 +2306,13 @@ WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int /* stunnel 4.28 needs */ WOLFSSL_API void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX*, int); WOLFSSL_API int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX*, int, void*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_CTX_set_ex_data_with_cleanup( + WOLFSSL_CTX* ctx, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void wolfSSL_CTX_sess_set_get_cb(WOLFSSL_CTX*, WOLFSSL_SESSION*(*f)(WOLFSSL*, unsigned char*, int, int*)); WOLFSSL_API void wolfSSL_CTX_sess_set_new_cb(WOLFSSL_CTX*, @@ -3912,6 +3977,13 @@ WOLFSSL_API void* wolfSSL_sk_X509_OBJECT_value(WOLF_STACK_OF(WOLFSSL_X509_OBJECT WOLFSSL_API void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION*, int); WOLFSSL_API int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION*, int, void*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_SESSION_set_ex_data_with_cleanup( + WOLFSSL_SESSION* session, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \ @@ -4061,6 +4133,13 @@ WOLFSSL_API int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url); WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx); WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_X509_set_ex_data_with_cleanup( + X509 *x509, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ diff --git a/wolfssl/test.h b/wolfssl/test.h index a85871923..1d4cb9cf2 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1297,10 +1297,9 @@ static WC_INLINE void udp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, static WC_INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, func_args* args, word16 port, int useAnyAddr, - int udp, int sctp, int ready_file, int do_listen) + int udp, int sctp, int ready_file, int do_listen, + SOCKADDR_IN_T *client_addr, socklen_t *client_len) { - SOCKADDR_IN_T client_addr; - socklen_t client_len = sizeof(client_addr); tcp_ready* ready = NULL; (void) ready; /* Account for case when "ready" is not used */ @@ -1357,8 +1356,8 @@ static WC_INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, } } - *clientfd = accept(*sockfd, (struct sockaddr*)&client_addr, - (ACCEPT_THIRD_T)&client_len); + *clientfd = accept(*sockfd, (struct sockaddr*)client_addr, + (ACCEPT_THIRD_T)client_len); if(WOLFSSL_SOCKET_IS_INVALID(*clientfd)) { err_sys_with_errno("tcp accept failed"); } diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 0032884a0..c6cf1f9b0 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -48,8 +48,14 @@ decouple library dependencies with standard string, memory and so on. * (with minimal depencencies). */ #if defined(HAVE_EX_DATA) || defined(FORTRESS) + #ifdef HAVE_EX_DATA_CLEANUP_HOOKS + typedef void (*wolfSSL_ex_data_cleanup_routine_t)(void *data); + #endif typedef struct WOLFSSL_CRYPTO_EX_DATA { void* ex_data[MAX_EX_DATA]; + #ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_ex_data_cleanup_routine_t ex_data_cleanup_routines[MAX_EX_DATA]; + #endif } WOLFSSL_CRYPTO_EX_DATA; #endif