From ba2cc00e5d515e73fe9a3990c846bf7b181c3380 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 17 Mar 2021 22:49:07 -0500 Subject: [PATCH 01/16] initial implementation of WOLFSSL_NETWORK_INTROSPECTION: --enable-network-introspection, struct wolfSSL_network_connection, wolfSSL_*_endpoints*(), NetworkFilterCallback_t, wolfSSL_*set_AcceptFilter(). --- configure.ac | 36 ++++-- examples/server/server.c | 78 ++++++++++++- src/internal.c | 11 ++ src/ssl.c | 247 +++++++++++++++++++++++++++++++++++++++ src/tls13.c | 19 +++ tests/api.c | 8 +- wolfssl/internal.h | 25 ++++ wolfssl/ssl.h | 78 +++++++++++++ wolfssl/test.h | 9 +- 9 files changed, 490 insertions(+), 21 deletions(-) diff --git a/configure.ac b/configure.ac index 36fcc6d19..8b58d18cb 100644 --- a/configure.ac +++ b/configure.ac @@ -413,6 +413,7 @@ then test "$enable_fallback_scsv" = "" && enable_fallback_scsv=yes test "$enable_anon" = "" && enable_anon=yes test "$enable_mcast" = "" && enable_mcast=yes + test "$enable_network_introspection" = "" && enable_network_introspection=yes if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" then @@ -2501,6 +2502,20 @@ then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_STACK_LOG -finstrument-functions" fi + +# API for tracking network connection attributes +AC_ARG_ENABLE([network-introspection], + [AS_HELP_STRING([--enable-network-introspection],[Enable network connection attribute tracking and callbacks (default: disabled)])], + [ ENABLED_NETWORK_INTROSPECTION=$enableval ], + [ ENABLED_NETWORK_INTROSPECTION=no ] + ) + +if test "$ENABLED_NETWORK_INTROSPECTION" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NETWORK_INTROSPECTION" +fi + + if test "$ENABLED_QT" = "yes" then # Requires opensslextra and opensslall 
@@ -6567,8 +6582,8 @@ echo " * DSA: $ENABLED_DSA"
 echo " * DH: $ENABLED_DH"
 echo " * DH Default Parameters: $ENABLED_DHDEFAULTPARAMS"
 echo " * ECC: $ENABLED_ECC"
-echo " * ECC Custom Curves $ENABLED_ECCCUSTCURVES"
-echo " * ECC Minimum Bits $ENABLED_ECCMINSZ"
+echo " * ECC Custom Curves: $ENABLED_ECCCUSTCURVES"
+echo " * ECC Minimum Bits: $ENABLED_ECCMINSZ"
 echo " * CURVE25519: $ENABLED_CURVE25519"
 echo " * ED25519: $ENABLED_ED25519"
 echo " * CURVE448: $ENABLED_CURVE448"
@@ -6582,6 +6597,7 @@ echo " * Anonymous cipher: $ENABLED_ANON"
 echo " * CODING: $ENABLED_CODING"
 echo " * MEMORY: $ENABLED_MEMORY"
 echo " * I/O POOL: $ENABLED_IOPOOL"
+echo " * Connection tracking: $ENABLED_NETWORK_INTROSPECTION"
 echo " * LIGHTY: $ENABLED_LIGHTY"
 echo " * HAPROXY: $ENABLED_HAPROXY"
 echo " * STUNNEL: $ENABLED_STUNNEL"
@@ -6589,8 +6605,8 @@ echo " * Apache httpd: $ENABLED_APACHE_HTTPD"
 echo " * NGINX: $ENABLED_NGINX"
 echo " * ASIO: $ENABLED_ASIO"
 echo " * LIBWEBSOCKETS: $ENABLED_LIBWEBSOCKETS"
-echo " * Qt $ENABLED_QT"
-echo " * Qt Unit Testing $ENABLED_QT_TEST"
+echo " * Qt: $ENABLED_QT"
+echo " * Qt Unit Testing: $ENABLED_QT_TEST"
 echo " * SIGNAL: $ENABLED_SIGNAL"
 echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
 echo " * DTLS: $ENABLED_DTLS"
@@ -6631,12 +6647,12 @@ echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION"
 echo " * Fallback SCSV: $ENABLED_FALLBACK_SCSV"
 echo " * Keying Material Exporter: $ENABLED_KEYING_MATERIAL"
 echo " * All TLS Extensions: $ENABLED_TLSX"
-echo " * PKCS#7 $ENABLED_PKCS7"
-echo " * S/MIME $ENABLED_SMIME"
-echo " * wolfSSH $ENABLED_WOLFSSH"
-echo " * wolfTPM $ENABLED_WOLFTPM"
-echo " * wolfSCEP $ENABLED_WOLFSCEP"
-echo " * Secure Remote Password $ENABLED_SRP"
+echo " * PKCS#7: $ENABLED_PKCS7"
+echo " * S/MIME: $ENABLED_SMIME"
+echo " * wolfSSH: $ENABLED_WOLFSSH"
+echo " * wolfTPM: $ENABLED_WOLFTPM"
+echo " * wolfSCEP: $ENABLED_WOLFSCEP"
+echo " * Secure Remote Password: $ENABLED_SRP"
 echo " * Small Stack: $ENABLED_SMALL_STACK"
 echo " * Linux Kernel Module: $ENABLED_LINUXKM"
 echo " * valgrind unit tests: $ENABLED_VALGRIND"
diff --git a/examples/server/server.c b/examples/server/server.c
index 6a12e2cd2..214e96ad2 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -2468,8 +2468,82 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (readySignal) { readySignal->srfName = serverReadyFile; } - tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr, - dtlsUDP, dtlsSCTP, serverReadyFile ? 1 : 0, doListen); + + { + SOCKADDR_IN_T client_addr; + socklen_t client_len = sizeof(client_addr); + + tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr, + dtlsUDP, dtlsSCTP, serverReadyFile ? 1 : 0, doListen, + &client_addr, &client_len); + +#ifdef WOLFSSL_NETWORK_INTROSPECTION + + SOCKADDR_IN_T local_addr; + socklen_t local_len = sizeof(local_addr); + getsockname(clientfd, (struct sockaddr *)&local_addr, (socklen_t *)&local_len); + + if (((struct sockaddr *)&client_addr)->sa_family != ((struct sockaddr *)&local_addr)->sa_family) + err_sys_ex(catastrophic, "client_addr.sa_family != local_addr.sa_family"); + +#ifdef TEST_IPV6 + + if ((ret = wolfSSL_set_endpoints( + ssl, + 0 /* interface_id */, + client_addr.sin6_family, + IPPROTO_TCP, + sizeof(client_addr.sin6_addr), + (byte *)&client_addr.sin6_addr, + (byte *)&local_addr.sin6_addr, + client_addr.sin6_port, + local_addr.sin6_port) != WOLFSSL_SUCCESS)) { + printf("wolfSSL_set_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); + err_sys_ex(catastrophic, "error in wolfSSL_set_endpoints()"); + } + +#else /* !TEST_IPV6 */ + + if ((ret = wolfSSL_set_endpoints( + ssl, + 0 /* interface_id */, + client_addr.sin_family, + IPPROTO_TCP, + sizeof(struct in_addr), + (byte *)&client_addr.sin_addr, + (byte *)&local_addr.sin_addr, + client_addr.sin_port, + local_addr.sin_port) != WOLFSSL_SUCCESS)) { + printf("wolfSSL_set_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); + err_sys_ex(catastrophic, "error in wolfSSL_set_endpoints()"); + } + +#endif /* TEST_IPV6 */ + + { + const struct wolfSSL_network_connection *nc; + const void *remote_addr2; + const void *local_addr2; + char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; + + if ((ret = 
wolfSSL_get_endpoints(ssl, &nc, &remote_addr2, &local_addr2)) != WOLFSSL_SUCCESS) { + printf("wolfSSL_get_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); + err_sys_ex(catastrophic, "error in wolfSSL_get_endpoints()"); + } + + printf("stored: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d\n", + nc->family, + nc->proto, + nc->remote_port, + nc->local_port, + inet_ntop(nc->family, remote_addr2, inet_ntop_buf, sizeof inet_ntop_buf), + inet_ntop(nc->family, local_addr2, inet_ntop_buf2, sizeof inet_ntop_buf2), + nc->interface); + } + +#endif /* WOLFSSL_NETWORK_INTROSPECTION */ + } + doListen = 0; /* Don't listen next time */ if (port == 0) { diff --git a/src/internal.c b/src/internal.c index a07ec266c..9337b90b6 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5581,6 +5581,11 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #endif #endif +#ifdef WOLFSSL_NETWORK_INTROSPECTION + ssl->AcceptFilter = ctx->AcceptFilter; + ssl->AcceptFilter_arg = ctx->AcceptFilter_arg; +#endif + ssl->CBIORecv = ctx->CBIORecv; ssl->CBIOSend = ctx->CBIOSend; #ifdef OPENSSL_EXTRA @@ -6460,6 +6465,12 @@ void SSL_ResourceFree(WOLFSSL* ssl) FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey); ssl->peerRsaKeyPresent = 0; #endif +#ifdef WOLFSSL_NETWORK_INTROSPECTION + if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(ssl->buffers.network_connection)) + XFREE(ssl->buffers.network_connection_addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); + if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(ssl->buffers.network_connection_layer2)) + XFREE(ssl->buffers.network_connection_layer2_addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); +#endif /* WOLFSSL_NETWORK_INTROSPECTION */ #ifdef WOLFSSL_RENESAS_TSIP_TLS XFREE(ssl->peerTsipEncRsaKeyIndex, ssl->heap, DYNAMIC_TYPE_RSA); #endif diff --git a/src/ssl.c b/src/ssl.c index ffc1e2ca4..ee8d010c6 100644 --- a/src/ssl.c +++ b/src/ssl.c 
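Review bot: The `getsockname(clientfd, ...)` call in the new WOLFSSL_NETWORK_INTROSPECTION block ignores its return value, so on failure `local_addr` is read uninitialized by the `sa_family` comparison and then copied into the connection record; guard it with `if (getsockname(clientfd, (struct sockaddr *)&local_addr, &local_len) != 0) err_sys_ex(catastrophic, "getsockname() failed");`. The ports are handed to `wolfSSL_set_endpoints()` straight from `sin_port`/`sin6_port`, which are network byte order, while the implementation's own comment says ints are host byte order — pass `ntohs(client_addr.sin_port)` (and the three others) so the stored `rport`/`lport` values, and any filter comparing them, are not byte-swapped. `inet_ntop()` can return NULL, which the `%s` conversions in the `stored:` printf do not tolerate. server_test() begins and ends outside the hunk.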
@@ -1013,6 +1013,234 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req) } #endif /* NO_CERTS */ +#ifdef WOLFSSL_NETWORK_INTROSPECTION + +/* all ints in host byte order, addresses in network order (big endian). */ +static WC_INLINE int wolfSSL_set_endpoints_1( + WOLFSSL* ssl, + struct wolfSSL_network_connection *nc, + byte **nc_addr_buffer_dynamic, + unsigned int interface_id, + unsigned int family, + unsigned int proto, + unsigned int remote_addr_len, + const byte *remote_addr, + unsigned int local_addr_len, + const byte *local_addr, + unsigned int remote_port, + unsigned int local_port) +{ + size_t current_dynamic_alloc, needed_dynamic_alloc; + + if ((ssl == NULL) || (nc == NULL) || (remote_addr_len == 0) || (local_addr_len == 0)) + return BAD_FUNC_ARG; + + if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc)) + current_dynamic_alloc = nc->local_addr_len + nc->remote_addr_len; + else + current_dynamic_alloc = 0; + + if (local_addr_len + remote_addr_len > WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES) + needed_dynamic_alloc = local_addr_len + remote_addr_len; + else + needed_dynamic_alloc = 0; + + nc->local_addr_len = nc->remote_addr_len = 0; + + if (current_dynamic_alloc != needed_dynamic_alloc) { + if (current_dynamic_alloc > 0) + XFREE(*nc_addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); + if (needed_dynamic_alloc > 0) { + *nc_addr_buffer_dynamic = (byte *)XMALLOC + (needed_dynamic_alloc, + ssl->heap, + DYNAMIC_TYPE_SOCKADDR); + if (*nc_addr_buffer_dynamic == NULL) + return MEMORY_E; + } + } + + nc->family = family; + nc->proto = proto; + nc->remote_addr_len = remote_addr_len; + nc->local_addr_len = local_addr_len; + nc->interface = interface_id; + nc->remote_port = remote_port; + nc->local_port = local_port; + + if (needed_dynamic_alloc == 0) { + XMEMCPY(nc->addr_buffer, remote_addr, remote_addr_len); + XMEMCPY(nc->addr_buffer + remote_addr_len, local_addr, local_addr_len); + } else { + XMEMCPY(*nc_addr_buffer_dynamic, remote_addr, 
remote_addr_len); + XMEMCPY((*nc_addr_buffer_dynamic) + remote_addr_len, local_addr, local_addr_len); + } + nc->remote_addr_len = remote_addr_len; + nc->local_addr_len = local_addr_len; + + return WOLFSSL_SUCCESS; +} + +int wolfSSL_set_endpoints( + WOLFSSL* ssl, + unsigned int interface_id, + unsigned int family, + unsigned int proto, + unsigned int addr_len, + const byte *remote_addr, + const byte *local_addr, + unsigned int remote_port, + unsigned int local_port) +{ + return wolfSSL_set_endpoints_1( + ssl, + &ssl->buffers.network_connection, + &ssl->buffers.network_connection_addr_buffer_dynamic, + interface_id, + family, + proto, + addr_len, + remote_addr, + addr_len, + local_addr, + remote_port, + local_port); +} + +int wolfSSL_set_endpoints_layer2( + WOLFSSL* ssl, + unsigned int interface_id, + unsigned int family, + unsigned int addr_len, + const byte *remote_addr, + const byte *local_addr) +{ + return wolfSSL_set_endpoints_1( + ssl, + &ssl->buffers.network_connection_layer2, + &ssl->buffers.network_connection_layer2_addr_buffer_dynamic, + interface_id, + family, + 0 /* proto */, + addr_len, + remote_addr, + addr_len, + local_addr, + 0 /* remote_port */, + 0 /* local_port */); +} + +static WC_INLINE int wolfSSL_get_endpoints_1( + const struct wolfSSL_network_connection *nc, + byte *nc_addr_buffer_dynamic, + const void **remote_addr, + const void **local_addr) +{ + if ((remote_addr == NULL) || (local_addr == NULL)) + return BAD_FUNC_ARG; + if (nc->remote_addr_len == 0) + return INCOMPLETE_DATA; + + if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc)) { + *remote_addr = nc_addr_buffer_dynamic; + *local_addr = nc_addr_buffer_dynamic + nc->remote_addr_len; + } else { + *remote_addr = nc->addr_buffer; + *local_addr = nc->addr_buffer + nc->remote_addr_len; + } + + return WOLFSSL_SUCCESS; +} + +WOLFSSL_API int wolfSSL_get_endpoints( + WOLFSSL *ssl, + const struct wolfSSL_network_connection **nc, + const void **remote_addr, + const void **local_addr) +{ + 
*nc = &ssl->buffers.network_connection; + return wolfSSL_get_endpoints_1(*nc, ssl->buffers.network_connection_addr_buffer_dynamic, remote_addr, local_addr); +} + +WOLFSSL_API int wolfSSL_get_endpoints_layer2( + WOLFSSL *ssl, + const struct wolfSSL_network_connection **nc, + const void **remote_addr, + const void **local_addr) +{ + *nc = &ssl->buffers.network_connection_layer2; + return wolfSSL_get_endpoints_1(*nc, ssl->buffers.network_connection_layer2_addr_buffer_dynamic, remote_addr, local_addr); +} + +static WC_INLINE int wolfSSL_copy_endpoints_1( + struct wolfSSL_network_connection *nc_src, + byte *nc_addr_buffer_dynamic, + struct wolfSSL_network_connection *nc_dst, + size_t nc_dst_size, + const void **remote_addr, + const void **local_addr) +{ + size_t nc_bufsiz; + + if ((nc_dst == NULL) || (remote_addr == NULL) || (local_addr == NULL)) + return BAD_FUNC_ARG; + if (nc_src->remote_addr_len == 0) + return INCOMPLETE_DATA; + + nc_bufsiz = WOLFSSL_NETWORK_CONNECTION_BUFSIZ(nc_src->remote_addr_len, nc_src->local_addr_len); + if (nc_dst_size < nc_bufsiz) + return BUFFER_E; + XMEMCPY(nc_dst, nc_src, ((unsigned int)(unsigned long int)(&((struct wolfSSL_network_connection *)0)->addr_buffer[0]))); + if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc_src)) + XMEMCPY(nc_dst->addr_buffer, nc_addr_buffer_dynamic, nc_src->remote_addr_len + nc_src->local_addr_len); + else + XMEMCPY(nc_dst->addr_buffer, nc_src->addr_buffer, nc_src->remote_addr_len + nc_src->local_addr_len); + *remote_addr = nc_dst->addr_buffer; + *local_addr = nc_dst->addr_buffer + nc_dst->remote_addr_len; + + return WOLFSSL_SUCCESS; +} + +WOLFSSL_API int wolfSSL_copy_endpoints( + WOLFSSL *ssl, + struct wolfSSL_network_connection *nc, + size_t nc_size, + const void **remote_addr, + const void **local_addr) +{ + if (ssl == NULL) + return BAD_FUNC_ARG; + + return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection, ssl->buffers.network_connection_addr_buffer_dynamic, nc, nc_size, remote_addr, 
local_addr); +} + +WOLFSSL_API int wolfSSL_copy_endpoints_layer2( + WOLFSSL *ssl, + struct wolfSSL_network_connection *nc, + size_t nc_size, + const void **remote_addr, + const void **local_addr) +{ + if (ssl == NULL) + return BAD_FUNC_ARG; + + return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection_layer2, ssl->buffers.network_connection_layer2_addr_buffer_dynamic, nc, nc_size, remote_addr, local_addr); +} + +WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { + ctx->AcceptFilter = AcceptFilter; + ctx->AcceptFilter_arg = AcceptFilter_arg; + return WOLFSSL_SUCCESS; +} + +WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { + ssl->AcceptFilter = AcceptFilter; + ssl->AcceptFilter_arg = AcceptFilter_arg; + return WOLFSSL_SUCCESS; +} + +#endif /* WOLFSSL_NETWORK_INTROSPECTION */ + #ifndef WOLFSSL_LEANPSK int wolfSSL_dtls_set_peer(WOLFSSL* ssl, void* peer, unsigned int peerSz) { 
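Review bot: The `ssl == NULL` test inside `wolfSSL_set_endpoints_1()` cannot protect the public entry points, because `wolfSSL_set_endpoints()` and `wolfSSL_set_endpoints_layer2()` evaluate `&ssl->buffers.network_connection` before the call; put `if (ssl == NULL) return BAD_FUNC_ARG;` in each wrapper, and give `wolfSSL_get_endpoints()`, `wolfSSL_get_endpoints_layer2()`, `wolfSSL_CTX_set_AcceptFilter()` and `wolfSSL_set_AcceptFilter()` the same guard that `wolfSSL_copy_endpoints()` already has. The helper also stores `unsigned int` lengths, ports and `interface_id` into `word16`/`byte` record fields without range checks, so an oversized `addr_len` is truncated in the record but used in full by the XMALLOC and XMEMCPY calls, after which `WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC` can disagree with where the bytes were actually written; `remote_addr`/`local_addr` are not NULL-checked either. Rejecting anything that would be truncated up front keeps the record self-consistent.
```c
static WC_INLINE int wolfSSL_set_endpoints_1(
    /* … unchanged: parameter list … */)
{
    size_t current_dynamic_alloc, needed_dynamic_alloc;

    if ((ssl == NULL) || (nc == NULL) || (remote_addr == NULL) || (local_addr == NULL))
        return BAD_FUNC_ARG;
    /* The record holds word16 lengths/ports and a byte interface id;
     * refuse values that would be silently truncated on store. */
    if ((remote_addr_len == 0) || (remote_addr_len > 0xFFFFU) ||
        (local_addr_len == 0) || (local_addr_len > 0xFFFFU) ||
        (remote_port > 0xFFFFU) || (local_port > 0xFFFFU) ||
        (interface_id > 0xFFU))
        return BAD_FUNC_ARG;
    /* … unchanged: allocation, field assignment and address copy … */
}
```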
@@ -12898,6 +13126,25 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, } #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */ +#ifdef WOLFSSL_NETWORK_INTROSPECTION + if (ssl->AcceptFilter && (ssl->buffers.network_connection.remote_addr_len > 0)) { + wolfSSL_netfilter_decision_t res; + if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && + (res == WOLFSSL_NETFILTER_REJECT)) { + WOLFSSL_ERROR(ssl->error = SOCKET_ERROR_E); + return WOLFSSL_FATAL_ERROR; + } + } + if (ssl->AcceptFilter && (ssl->buffers.network_connection_layer2.remote_addr_len > 0)) { + wolfSSL_netfilter_decision_t res; + if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection_layer2, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && + (res == WOLFSSL_NETFILTER_REJECT)) { + WOLFSSL_ERROR(ssl->error = SOCKET_ERROR_E); + return WOLFSSL_FATAL_ERROR; + } + } +#endif /* WOLFSSL_NETWORK_INTROSPECTION */ + #if defined(WOLFSSL_NO_TLS12) && defined(NO_OLD_TLS) && defined(WOLFSSL_TLS13) return wolfSSL_accept_TLSv13(ssl); #else diff --git a/src/tls13.c b/src/tls13.c index 1097cf385..cbc891458 100644 --- a/src/tls13.c +++ b/src/tls13.c 
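Review bot: The filter runs at the top of `wolfSSL_accept()` on every call, so with non-blocking I/O each WANT_READ/WANT_WRITE re-entry invokes the callback again, and when this function then returns `wolfSSL_accept_TLSv13(ssl)` the identical block added in src/tls13.c runs it a second time for the same connection (the same double invocation presumably applies once a TLS 1.3 ClientHello is detected in the regular build — please confirm). Both copies, and the layer-2 repetition inside each, would be better as one helper in internal.c with a prototype in internal.h, called once per record and only while the handshake is at its initial state (`ssl->options.acceptState == ACCEPT_BEGIN`, if that is the right field here). The check is also fail-open: a callback that returns anything other than WOLFSSL_SUCCESS, or leaves `res` at a value outside the enum, lets the handshake proceed, which should at least be stated in the callback's documentation and deserves a second look for a security filter. wolfSSL_accept() begins outside the hunk.
```c
#ifdef WOLFSSL_NETWORK_INTROSPECTION
/* Consult the accept filter for one endpoint record. Returns 0 to continue
 * and WOLFSSL_FATAL_ERROR (with ssl->error set) when the filter rejects;
 * an unset filter, an empty record or a callback failure continue, as the
 * inline code did. */
static int RunAcceptFilter(WOLFSSL* ssl, struct wolfSSL_network_connection *nc)
{
    wolfSSL_netfilter_decision_t res;

    if ((ssl->AcceptFilter == NULL) || (nc->remote_addr_len == 0))
        return 0;
    if ((ssl->AcceptFilter(ssl, nc, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) &&
        (res == WOLFSSL_NETFILTER_REJECT)) {
        WOLFSSL_ERROR(ssl->error = SOCKET_ERROR_E);
        return WOLFSSL_FATAL_ERROR;
    }
    return 0;
}
#endif /* WOLFSSL_NETWORK_INTROSPECTION */

/* … unchanged: in wolfSSL_accept(), replacing the two inline blocks … */
    if ((RunAcceptFilter(ssl, &ssl->buffers.network_connection) != 0) ||
        (RunAcceptFilter(ssl, &ssl->buffers.network_connection_layer2) != 0))
        return WOLFSSL_FATAL_ERROR;
```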
@@ -8356,6 +8356,25 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) return WOLFSSL_FATAL_ERROR; } +#ifdef WOLFSSL_NETWORK_INTROSPECTION + if (ssl->AcceptFilter && (ssl->buffers.network_connection.remote_addr_len > 0)) { + wolfSSL_netfilter_decision_t res; + if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && + (res == WOLFSSL_NETFILTER_REJECT)) { + WOLFSSL_ERROR(ssl->error = SOCKET_ERROR_E); + return WOLFSSL_FATAL_ERROR; + } + } + if (ssl->AcceptFilter && (ssl->buffers.network_connection_layer2.remote_addr_len > 0)) { + wolfSSL_netfilter_decision_t res; + if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection_layer2, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && + (res == WOLFSSL_NETFILTER_REJECT)) { + WOLFSSL_ERROR(ssl->error = SOCKET_ERROR_E); + return WOLFSSL_FATAL_ERROR; + } + } +#endif /* WOLFSSL_NETWORK_INTROSPECTION */ + #ifndef NO_CERTS /* allow no private key if using PK callbacks and CB is set */ if (!havePSK) { diff --git a/tests/api.c b/tests/api.c index 8af9d0bb1..60bc08a53 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2777,7 +2777,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) #endif /* do it here to detect failure */ - tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1); + tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0); CloseSocket(sockfd); wolfSSL_CTX_set_verify(ctx, @@ -3072,7 +3072,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_loop(void* args) cbf->ssl_ready(ssl); } /* do it here to detect failure */ - tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1); + tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0); CloseSocket(sockfd); if (wolfSSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS) { /*err_sys("SSL_set_fd failed");*/ 
@@ -3641,14 +3641,14 @@ static THREAD_RETURN WOLFSSL_THREAD run_wolfssl_server(void* args) socklen_t cliLen; cliLen = sizeof(cliAddr); - tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 1, 0, 0, 0); + tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 1, 0, 0, 0, 0, 0); idx = (int)recvfrom(sfd, input, sizeof(input), MSG_PEEK, (struct sockaddr*)&cliAddr, &cliLen); AssertIntGT(idx, 0); wolfSSL_dtls_set_peer(ssl, &cliAddr, cliLen); } else { - tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1); + tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0, 0, 0, 1, 0, 0); CloseSocket(sfd); } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d3ca6c584..6222c58e3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2860,6 +2860,10 @@ struct WOLFSSL_CTX { CallbackInfoState* CBIS; /* used to get info about SSL state */ WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/ #endif +#ifdef WOLFSSL_NETWORK_INTROSPECTION + NetworkFilterCallback_t AcceptFilter; + void *AcceptFilter_arg; +#endif /* WOLFSSL_NETWORK_INTROSPECTION */ CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; #ifdef WOLFSSL_DTLS 
@@ -3445,6 +3449,23 @@ typedef struct Buffers { #ifdef WOLFSSL_SEND_HRR_COOKIE buffer tls13CookieSecret; /* HRR cookie secret */ #endif +#ifdef WOLFSSL_NETWORK_INTROSPECTION + struct { + struct wolfSSL_network_connection network_connection; + union { + byte network_connection_addr_buffer_static[WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES]; + byte *network_connection_addr_buffer_dynamic; + }; + }; + struct { + struct wolfSSL_network_connection network_connection_layer2; + union { + byte network_connection_layer2_addr_buffer_static[WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES]; + byte *network_connection_layer2_addr_buffer_dynamic; + }; + }; + #define WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(x) ((x).remote_addr_len + (x).local_addr_len > WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES) +#endif #ifdef WOLFSSL_DTLS WOLFSSL_DTLS_CTX dtlsCtx; /* DTLS connection context */ #ifndef NO_WOLFSSL_SERVER @@ -4075,6 +4096,10 @@ struct WOLFSSL { #ifdef OPENSSL_EXTRA byte cbioFlag; /* WOLFSSL_CBIO_RECV/SEND: CBIORecv/Send is set */ #endif +#ifdef WOLFSSL_NETWORK_INTROSPECTION + NetworkFilterCallback_t AcceptFilter; + void *AcceptFilter_arg; +#endif /* WOLFSSL_NETWORK_INTROSPECTION */ CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; #ifdef WOLFSSL_STATIC_MEMORY diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index ff31dd662..56d6954f7 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
@@ -1141,6 +1141,84 @@ WOLFSSL_API int wolfSSL_export_keying_material(WOLFSSL *ssl, int use_context); #endif /* HAVE_KEYING_MATERIAL */ +#ifdef WOLFSSL_NETWORK_INTROSPECTION + +#ifndef WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES +#define WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES 32 /* enough for 2 IPv6 addresses. */ +#endif + +struct wolfSSL_network_connection { + word16 family; + word16 proto; + word16 remote_port; + word16 local_port; + word16 remote_addr_len; + word16 local_addr_len; + byte interface; + byte addr_buffer[0]; +}; + +#define WOLFSSL_NETWORK_CONNECTION_BUFSIZ(remote_addr_len, local_addr_len) \ + ((unsigned int)(unsigned long int)(&((struct wolfSSL_network_connection *)0)->addr_buffer[0]) + \ + (remote_addr_len) + (local_addr_len)); + +WOLFSSL_API int wolfSSL_set_endpoints( + WOLFSSL *ssl, + unsigned int interface_id, + unsigned int family, + unsigned int proto, + unsigned int addr_len, + const byte *remote_addr, + const byte *local_addr, + unsigned int remote_port, + unsigned int local_port); + +WOLFSSL_API int wolfSSL_get_endpoints( + WOLFSSL *ssl, + const struct wolfSSL_network_connection **nc, + const void **remote_addr, + const void **local_addr); + +WOLFSSL_API int wolfSSL_copy_endpoints( + WOLFSSL *ssl, + struct wolfSSL_network_connection *nc, + size_t nc_size, + const void **remote_addr, + const void **local_addr); + +WOLFSSL_API int wolfSSL_set_endpoints_layer2( + WOLFSSL *ssl, + unsigned int interface_id, + unsigned int family, + unsigned int addr_len, + const byte *remote_addr, + const byte *local_addr); + +WOLFSSL_API int wolfSSL_get_endpoints_layer2( + WOLFSSL *ssl, + const struct wolfSSL_network_connection **nc, + const void **remote_addr, + const void **local_addr); + +WOLFSSL_API int wolfSSL_copy_endpoints_layer2( + WOLFSSL *ssl, + struct wolfSSL_network_connection *nc, + size_t nc_size, + const void **remote_addr, + const void **local_addr); + +typedef enum { + WOLFSSL_NETFILTER_PASS = 0, + WOLFSSL_NETFILTER_ACCEPT = 1, + 
WOLFSSL_NETFILTER_REJECT = 2 +} wolfSSL_netfilter_decision_t; + +typedef int (*NetworkFilterCallback_t)(WOLFSSL *ssl, struct wolfSSL_network_connection *nc, void *ctx, wolfSSL_netfilter_decision_t *decision); +WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg); +WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg); + +#endif /* WOLFSSL_NETWORK_INTROSPECTION */ + /* Nonblocking DTLS helper functions */ WOLFSSL_API void wolfSSL_dtls_set_using_nonblock(WOLFSSL*, int); WOLFSSL_API int wolfSSL_dtls_get_using_nonblock(WOLFSSL*); diff --git a/wolfssl/test.h b/wolfssl/test.h index a85871923..1d4cb9cf2 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1297,10 +1297,9 @@ static WC_INLINE void udp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, static WC_INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, func_args* args, word16 port, int useAnyAddr, - int udp, int sctp, int ready_file, int do_listen) + int udp, int sctp, int ready_file, int do_listen, + SOCKADDR_IN_T *client_addr, socklen_t *client_len) { - SOCKADDR_IN_T client_addr; - socklen_t client_len = sizeof(client_addr); tcp_ready* ready = NULL; (void) ready; /* Account for case when "ready" is not used */ @@ -1357,8 +1356,8 @@ static WC_INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, } } - *clientfd = accept(*sockfd, (struct sockaddr*)&client_addr, - (ACCEPT_THIRD_T)&client_len); + *clientfd = accept(*sockfd, (struct sockaddr*)client_addr, + (ACCEPT_THIRD_T)client_len); if(WOLFSSL_SOCKET_IS_INVALID(*clientfd)) { err_sys_with_errno("tcp accept failed"); } From 734860f535c147ec9470ede9a7252cad6a6cc2bf Mon Sep 17 00:00:00 2001 
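Review bot: `WOLFSSL_NETWORK_CONNECTION_BUFSIZ()` ends its expansion with a `;`, so it only works as a complete statement — `if (n < WOLFSSL_NETWORK_CONNECTION_BUFSIZ(a, b))` will not compile; drop the trailing semicolon and prefer `offsetof(struct wolfSSL_network_connection, addr_buffer)` to the null-pointer cast, which `wolfSSL_copy_endpoints_1()` repeats by hand. The member name `interface` collides with the `interface` macro that the Windows SDK headers (objbase.h) define as `struct`, so any application including this public header after windows.h will fail to compile; a name such as `interface_id` avoids that, and as a `byte` it cannot hold interface indexes or IPv6 scope ids above 255 even though `wolfSSL_set_endpoints()` accepts an `unsigned int interface_id`. `NetworkFilterCallback_t` hands the filter a non-const `struct wolfSSL_network_connection *`, so a callback can rewrite the record the library later reports through `wolfSSL_get_endpoints()`; `const` there would match `wolfSSL_get_endpoint_addrs()` in patch 02. The difference between `WOLFSSL_NETFILTER_PASS` and `WOLFSSL_NETFILTER_ACCEPT` is undocumented while only REJECT has an effect in wolfSSL_accept(); a one-line comment on the enum saying so would save callers guessing.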
From: Daniel Pouzzner Date: Fri, 26 Mar 2021 12:55:13 -0500 Subject: [PATCH 02/16] WOLFSSL_NETWORK_INTROSPECTION WIP --- examples/server/server.c | 35 +++++++++++++++++++++++++++++++++++ src/internal.c | 4 ++-- src/ssl.c | 31 +++++++++++++------------------ wolfssl/internal.h | 16 ++-------------- wolfssl/ssl.h | 10 +++++++++- 5 files changed, 61 insertions(+), 35 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index 214e96ad2..e8542fdb3 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -276,6 +276,36 @@ static int TestEmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx) #endif /* WOLFSSL_DTLS */ +#ifdef WOLFSSL_NETWORK_INTROSPECTION + +static int test_NetworkFilterCallback(WOLFSSL *ssl, struct wolfSSL_network_connection *nc, void *ctx, wolfSSL_netfilter_decision_t *decision) { + const void *remote_addr2; + const void *local_addr2; + char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; + int ret; + + (void)ssl; + (void)ctx; + + if ((ret = wolfSSL_get_endpoint_addrs(nc, &remote_addr2, &local_addr2)) != WOLFSSL_SUCCESS) { + printf("wolfSSL_get_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); + err_sys_ex(catastrophic, "error in wolfSSL_get_endpoints()"); + } + + printf("got network filter callback: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d\n", + nc->family, + nc->proto, + nc->remote_port, + nc->local_port, + inet_ntop(nc->family, remote_addr2, inet_ntop_buf, sizeof inet_ntop_buf), + inet_ntop(nc->family, local_addr2, inet_ntop_buf2, sizeof inet_ntop_buf2), + nc->interface); + + *decision = WOLFSSL_NETFILTER_ACCEPT; + return 0; +} + +#endif /* WOLFSSL_NETWORK_INTROSPECTION */ static int NonBlockingSSL_Accept(SSL* ssl) { 
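Review bot: `test_NetworkFilterCallback()` returns `0` after setting `*decision`, but the library only honours the decision when the callback returns WOLFSSL_SUCCESS (the `== WOLFSSL_SUCCESS` test in wolfSSL_accept()), so a demo that set `WOLFSSL_NETFILTER_REJECT` here would be silently ignored; `return WOLFSSL_SUCCESS;` is the contract the library actually checks. The failure message names `wolfSSL_get_endpoints()` although the call is `wolfSSL_get_endpoint_addrs()`. `inet_ntop()` can return NULL, which the `%s` conversions in the printf do not tolerate.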
@@ -1840,6 +1870,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (ctx == NULL) err_sys_ex(catastrophic, "unable to get ctx"); +#ifdef WOLFSSL_NETWORK_INTROSPECTION + if (wolfSSL_CTX_set_AcceptFilter(ctx, test_NetworkFilterCallback, NULL /* AcceptFilter_arg */) < 0) + err_sys_ex(catastrophic, "unable to install test_NetworkFilterCallback"); +#endif + if (simulateWantWrite) { wolfSSL_CTX_SetIOSend(ctx, SimulateWantWriteIOSendCb); diff --git a/src/internal.c b/src/internal.c index 9337b90b6..a86ca0a61 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6467,9 +6467,9 @@ void SSL_ResourceFree(WOLFSSL* ssl) #endif #ifdef WOLFSSL_NETWORK_INTROSPECTION if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(ssl->buffers.network_connection)) - XFREE(ssl->buffers.network_connection_addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); + XFREE(ssl->buffers.network_connection.addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(ssl->buffers.network_connection_layer2)) - XFREE(ssl->buffers.network_connection_layer2_addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); + XFREE(ssl->buffers.network_connection_layer2.addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); #endif /* WOLFSSL_NETWORK_INTROSPECTION */ #ifdef WOLFSSL_RENESAS_TSIP_TLS XFREE(ssl->peerTsipEncRsaKeyIndex, ssl->heap, DYNAMIC_TYPE_RSA); diff --git a/src/ssl.c b/src/ssl.c index ee8d010c6..8dd44bffc 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1019,7 +1019,6 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req) static WC_INLINE int wolfSSL_set_endpoints_1( WOLFSSL* ssl, struct wolfSSL_network_connection *nc, - byte **nc_addr_buffer_dynamic, unsigned int interface_id, unsigned int family, unsigned int proto, 
@@ -1049,13 +1048,13 @@ static WC_INLINE int wolfSSL_set_endpoints_1( if (current_dynamic_alloc != needed_dynamic_alloc) { if (current_dynamic_alloc > 0) - XFREE(*nc_addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); + XFREE(nc->addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); if (needed_dynamic_alloc > 0) { - *nc_addr_buffer_dynamic = (byte *)XMALLOC + nc->addr_buffer_dynamic = (byte *)XMALLOC (needed_dynamic_alloc, ssl->heap, DYNAMIC_TYPE_SOCKADDR); - if (*nc_addr_buffer_dynamic == NULL) + if (nc->addr_buffer_dynamic == NULL) return MEMORY_E; } } @@ -1072,8 +1071,8 @@ static WC_INLINE int wolfSSL_set_endpoints_1( XMEMCPY(nc->addr_buffer, remote_addr, remote_addr_len); XMEMCPY(nc->addr_buffer + remote_addr_len, local_addr, local_addr_len); } else { - XMEMCPY(*nc_addr_buffer_dynamic, remote_addr, remote_addr_len); - XMEMCPY((*nc_addr_buffer_dynamic) + remote_addr_len, local_addr, local_addr_len); + XMEMCPY(nc->addr_buffer_dynamic, remote_addr, remote_addr_len); + XMEMCPY((nc->addr_buffer_dynamic) + remote_addr_len, local_addr, local_addr_len); } nc->remote_addr_len = remote_addr_len; nc->local_addr_len = local_addr_len; @@ -1095,7 +1094,6 @@ int wolfSSL_set_endpoints( return wolfSSL_set_endpoints_1( ssl, &ssl->buffers.network_connection, - &ssl->buffers.network_connection_addr_buffer_dynamic, interface_id, family, proto, @@ -1118,7 +1116,6 @@ int wolfSSL_set_endpoints_layer2( return wolfSSL_set_endpoints_1( ssl, &ssl->buffers.network_connection_layer2, - &ssl->buffers.network_connection_layer2_addr_buffer_dynamic, interface_id, family, 0 /* proto */, @@ -1130,9 +1127,8 @@ int wolfSSL_set_endpoints_layer2( 0 /* local_port */); } -static WC_INLINE int wolfSSL_get_endpoints_1( +WOLFSSL_API int wolfSSL_get_endpoint_addrs( const struct wolfSSL_network_connection *nc, - byte *nc_addr_buffer_dynamic, const void **remote_addr, const void **local_addr) { 
@@ -1142,8 +1138,8 @@ static WC_INLINE int wolfSSL_get_endpoints_1( return INCOMPLETE_DATA; if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc)) { - *remote_addr = nc_addr_buffer_dynamic; - *local_addr = nc_addr_buffer_dynamic + nc->remote_addr_len; + *remote_addr = nc->addr_buffer_dynamic; + *local_addr = nc->addr_buffer_dynamic + nc->remote_addr_len; } else { *remote_addr = nc->addr_buffer; *local_addr = nc->addr_buffer + nc->remote_addr_len; @@ -1159,7 +1155,7 @@ WOLFSSL_API int wolfSSL_get_endpoints( const void **local_addr) { *nc = &ssl->buffers.network_connection; - return wolfSSL_get_endpoints_1(*nc, ssl->buffers.network_connection_addr_buffer_dynamic, remote_addr, local_addr); + return wolfSSL_get_endpoint_addrs(*nc, remote_addr, local_addr); } WOLFSSL_API int wolfSSL_get_endpoints_layer2( @@ -1169,12 +1165,11 @@ WOLFSSL_API int wolfSSL_get_endpoints_layer2( const void **local_addr) { *nc = &ssl->buffers.network_connection_layer2; - return wolfSSL_get_endpoints_1(*nc, ssl->buffers.network_connection_layer2_addr_buffer_dynamic, remote_addr, local_addr); + return wolfSSL_get_endpoint_addrs(*nc, remote_addr, local_addr); } static WC_INLINE int wolfSSL_copy_endpoints_1( struct wolfSSL_network_connection *nc_src, - byte *nc_addr_buffer_dynamic, struct wolfSSL_network_connection *nc_dst, size_t nc_dst_size, const void **remote_addr, @@ -1192,7 +1187,7 @@ static WC_INLINE int wolfSSL_copy_endpoints_1( return BUFFER_E; XMEMCPY(nc_dst, nc_src, ((unsigned int)(unsigned long int)(&((struct wolfSSL_network_connection *)0)->addr_buffer[0]))); if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc_src)) - XMEMCPY(nc_dst->addr_buffer, nc_addr_buffer_dynamic, nc_src->remote_addr_len + nc_src->local_addr_len); + XMEMCPY(nc_dst->addr_buffer, nc_src->addr_buffer_dynamic, nc_src->remote_addr_len + nc_src->local_addr_len); else XMEMCPY(nc_dst->addr_buffer, nc_src->addr_buffer, nc_src->remote_addr_len + nc_src->local_addr_len); *remote_addr = nc_dst->addr_buffer; 
@@ -1211,7 +1206,7 @@ WOLFSSL_API int wolfSSL_copy_endpoints( if (ssl == NULL) return BAD_FUNC_ARG; - return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection, ssl->buffers.network_connection_addr_buffer_dynamic, nc, nc_size, remote_addr, local_addr); + return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection, nc, nc_size, remote_addr, local_addr); } WOLFSSL_API int wolfSSL_copy_endpoints_layer2( @@ -1224,7 +1219,7 @@ WOLFSSL_API int wolfSSL_copy_endpoints_layer2( if (ssl == NULL) return BAD_FUNC_ARG; - return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection_layer2, ssl->buffers.network_connection_layer2_addr_buffer_dynamic, nc, nc_size, remote_addr, local_addr); + return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection_layer2, nc, nc_size, remote_addr, local_addr); } WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 6222c58e3..c16fbc2ff 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h 
@@ -3450,20 +3450,8 @@ typedef struct Buffers {
 buffer tls13CookieSecret; /* HRR cookie secret */
 #endif
 #ifdef WOLFSSL_NETWORK_INTROSPECTION
- struct {
- struct wolfSSL_network_connection network_connection;
- union {
- byte network_connection_addr_buffer_static[WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES];
- byte *network_connection_addr_buffer_dynamic;
- };
- };
- struct {
- struct wolfSSL_network_connection network_connection_layer2;
- union {
- byte network_connection_layer2_addr_buffer_static[WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES];
- byte *network_connection_layer2_addr_buffer_dynamic;
- };
- };
+ struct wolfSSL_network_connection network_connection;
+ struct wolfSSL_network_connection network_connection_layer2;
 #define WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(x) ((x).remote_addr_len + (x).local_addr_len > WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES)
 #endif
 #ifdef WOLFSSL_DTLS
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 56d6954f7..935a6b820 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1155,7 +1155,10 @@ struct wolfSSL_network_connection {
 word16 remote_addr_len;
 word16 local_addr_len;
 byte interface;
- byte addr_buffer[0];
+ union {
+ byte addr_buffer[WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES];
+ byte *addr_buffer_dynamic;
+ };
 };
 
 #define WOLFSSL_NETWORK_CONNECTION_BUFSIZ(remote_addr_len, local_addr_len) \
@@ -1173,6 +1176,11 @@ WOLFSSL_API int wolfSSL_set_endpoints(
 unsigned int remote_port,
 unsigned int local_port);
 
+WOLFSSL_API int wolfSSL_get_endpoint_addrs(
+ const struct wolfSSL_network_connection *nc,
+ const void **remote_addr,
+ const void **local_addr);
+
 WOLFSSL_API int wolfSSL_get_endpoints(
 WOLFSSL *ssl,
 const struct wolfSSL_network_connection **nc,
From 1cbe6967163da6544494b41046e35a6c0ad444f6 Mon Sep 17 00:00:00 2001
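Review bot: The new union in `struct wolfSSL_network_connection` (ssl.h `@@ -1155` hunk) says nothing about who owns the storage behind `addr_buffer_dynamic` or how long it stays valid, and because `wolfSSL_get_endpoints()` hands this struct to callers that contract belongs in the public header. I would add above the union: `/* Address bytes live inline in addr_buffer unless remote_addr_len + local_addr_len exceeds WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES, in which case addr_buffer_dynamic points at a separate allocation; read them via wolfSSL_get_endpoint_addrs(), never the union directly. */` and a sentence naming the owner of that allocation. The owner is not visible in this hunk (the per-connection storage moved out of `Buffers` in the internal.h hunk, which suggests the WOLFSSL object), so confirm against wolfSSL_set_endpoints() before fixing the wording.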
From: Daniel Pouzzner Date: Thu, 1 Apr 2021 13:08:41 -0500 Subject: [PATCH 03/16] checkpoint: fully functioning demo via examples/server/ and unit.test (which produces a "filtered" error on a subtest when built --enable-wolfsentry). --- configure.ac | 42 ++++++++++++- examples/server/include.am | 3 +- examples/server/server.c | 122 ++++++++++++++++++++++++++++++++++--- src/internal.c | 5 +- src/ssl.c | 8 ++- src/tls13.c | 8 +-- tests/include.am | 4 +- testsuite/include.am | 4 +- wolfssl/error-ssl.h | 4 +- wolfssl/internal.h | 8 +-- wolfssl/ssl.h | 2 + 11 files changed, 182 insertions(+), 28 deletions(-) diff --git a/configure.ac b/configure.ac index 8b58d18cb..1b961bb42 100644 --- a/configure.ac +++ b/configure.ac 
@@ -2503,11 +2503,44 @@ then fi +AC_ARG_ENABLE([wolfsentry], + [AS_HELP_STRING([--enable-wolfsentry],[Enable wolfSentry hooks and plugins (default: disabled)])], + [ ENABLED_WOLFSENTRY=$enableval ], + [ ENABLED_WOLFSENTRY=no ] + ) + +if test "$ENABLED_WOLFSENTRY" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS" + ENABLED_NETWORK_INTROSPECTION_DEFAULT=yes +else + ENABLED_NETWORK_INTROSPECTION_DEFAULT=no +fi + +AC_ARG_WITH([wolfsentry-lib], + [AS_HELP_STRING([--with-wolfsentry-lib=PATH],[PATH to directory with wolfSentry library])], + [WOLFSENTRY_LIB=-L$withval], + [WOLFSENTRY_LIB=""]) + +if test "$ENABLED_WOLFSENTRY" = "yes" +then + WOLFSENTRY_LIB="$WOLFSENTRY_LIB -lwolfsentry" +fi + +AC_ARG_WITH([wolfsentry-include], + [AS_HELP_STRING([--with-wolfsentry-include=PATH],[PATH to directory with wolfSentry header files])], + [WOLFSENTRY_INCLUDE=-I$withval], + [WOLFSENTRY_INCLUDE=""]) + +AC_SUBST([WOLFSENTRY_LIB]) +AC_SUBST([WOLFSENTRY_INCLUDE]) + + # API for tracking network connection attributes AC_ARG_ENABLE([network-introspection], [AS_HELP_STRING([--enable-network-introspection],[Enable network connection attribute tracking and callbacks (default: disabled)])], [ ENABLED_NETWORK_INTROSPECTION=$enableval ], - [ ENABLED_NETWORK_INTROSPECTION=no ] + [ ENABLED_NETWORK_INTROSPECTION=$ENABLED_NETWORK_INTROSPECTION_DEFAULT ] ) if test "$ENABLED_NETWORK_INTROSPECTION" = "yes" @@ -2516,6 +2549,12 @@ then fi +if test "$ENABLED_WOLFSENTRY" = "yes" && test "$ENABLED_NETWORK_INTROSPECTION" != "yes" +then + AC_MSG_ERROR([--enable-wolfsentry requires --enable-network-introspection]) +fi + + if test "$ENABLED_QT" = "yes" then # Requires opensslextra and opensslall 
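Review bot: The help string for `--enable-network-introspection` still says `(default: disabled)`, but the default now follows `$ENABLED_NETWORK_INTROSPECTION_DEFAULT`, which is `yes` whenever `--enable-wolfsentry` is given; the text should match, e.g. `[Enable network connection attribute tracking and callbacks (default: disabled; enabled by --enable-wolfsentry)]`. The new `AC_MSG_ERROR` can only fire when the user combines `--enable-wolfsentry` with an explicit `--disable-network-introspection`, which is reasonable but worth a one-line comment above the check so the next reader does not think the default path is affected.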
@@ -6598,6 +6637,7 @@ echo " * CODING: $ENABLED_CODING" echo " * MEMORY: $ENABLED_MEMORY" echo " * I/O POOL: $ENABLED_IOPOOL" echo " * Connection tracking: $ENABLED_NETWORK_INTROSPECTION" +echo " * wolfSentry: $ENABLED_WOLFSENTRY" echo " * LIGHTY: $ENABLED_LIGHTY" echo " * HAPROXY: $ENABLED_HAPROXY" echo " * STUNNEL: $ENABLED_STUNNEL" diff --git a/examples/server/include.am b/examples/server/include.am index 8a3d75119..4de1e2837 100644 --- a/examples/server/include.am +++ b/examples/server/include.am @@ -7,8 +7,9 @@ if BUILD_EXAMPLE_SERVERS noinst_PROGRAMS += examples/server/server noinst_HEADERS += examples/server/server.h examples_server_server_SOURCES = examples/server/server.c -examples_server_server_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) +examples_server_server_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB) examples_server_server_DEPENDENCIES = src/libwolfssl.la +examples_server_server_CFLAGS = $(WOLFSENTRY_INCLUDE) endif EXTRA_DIST += examples/server/server.sln EXTRA_DIST += examples/server/server-ntru.vcproj diff --git a/examples/server/server.c b/examples/server/server.c index e8542fdb3..3264fc3f7 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -35,6 +35,11 @@ #include /* wc_ecc_fp_free */ #endif +#ifdef WOLFSSL_WOLFSENTRY_HOOKS +# include +# include +#endif + #if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) #include #include 
@@ -276,16 +281,20 @@ static int TestEmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx) #endif /* WOLFSSL_DTLS */ -#ifdef WOLFSSL_NETWORK_INTROSPECTION +#ifdef WOLFSSL_WOLFSENTRY_HOOKS -static int test_NetworkFilterCallback(WOLFSSL *ssl, struct wolfSSL_network_connection *nc, void *ctx, wolfSSL_netfilter_decision_t *decision) { +static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfSSL_network_connection *nc, struct wolfsentry_context *wolfsentry, wolfSSL_netfilter_decision_t *decision) { const void *remote_addr2; const void *local_addr2; char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; int ret; + struct { + struct wolfsentry_sockaddr s; + byte buf[16]; + } remote, local; + wolfsentry_action_res_t action_results; (void)ssl; - (void)ctx; if ((ret = wolfSSL_get_endpoint_addrs(nc, &remote_addr2, &local_addr2)) != WOLFSSL_SUCCESS) { printf("wolfSSL_get_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); 
@@ -301,11 +310,36 @@ static int test_NetworkFilterCallback(WOLFSSL *ssl, struct wolfSSL_network_conne inet_ntop(nc->family, local_addr2, inet_ntop_buf2, sizeof inet_ntop_buf2), nc->interface); - *decision = WOLFSSL_NETFILTER_ACCEPT; - return 0; + remote.s.sa_family = nc->family; + remote.s.sa_proto = nc->proto; + remote.s.sa_port = nc->remote_port; + remote.s.addr_len = nc->remote_addr_len; + remote.s.interface = nc->interface; + memcpy(remote.s.addr, remote_addr2, nc->remote_addr_len); + + local.s.sa_family = nc->family; + local.s.sa_proto = nc->proto; + local.s.sa_port = nc->local_port; + local.s.addr_len = nc->local_addr_len; + local.s.interface = nc->interface; + memcpy(local.s.addr, local_addr2, nc->local_addr_len); + + ret = wolfsentry_route_event_dispatch(wolfsentry, &remote.s, &local.s, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN, NULL /* event_label */, 0 /* event_label_len */, NULL /* caller_context */, NULL /* id */, NULL /* inexact_matches */, &action_results); + + if (ret == 0) { + if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT)) + *decision = WOLFSSL_NETFILTER_REJECT; + else if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_ACCEPT)) + *decision = WOLFSSL_NETFILTER_ACCEPT; + else + *decision = WOLFSSL_NETFILTER_PASS; + } else + *decision = WOLFSSL_NETFILTER_PASS; + + return WOLFSSL_SUCCESS; } -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ static int NonBlockingSSL_Accept(SSL* ssl) { @@ -1035,6 +1069,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) wolfSSL_method_func method = NULL; SSL_CTX* ctx = 0; SSL* ssl = 0; +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + struct wolfsentry_context *wolfsentry = NULL; +#endif int useWebServerMsg = 0; char input[SRV_READ_SZ]; 
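Review bot: The two `memcpy()` calls into `remote.s.addr` and `local.s.addr` use `nc->remote_addr_len` / `nc->local_addr_len` as the length, but nothing checks those against the 16 bytes of `buf` that back each sockaddr, so an address longer than that would overrun the stack frame. Because the call sites in src/ssl.c only honour `*decision` when the callback returns `WOLFSSL_SUCCESS`, the guard should fail closed: `if (nc->remote_addr_len > sizeof remote.buf || nc->local_addr_len > sizeof local.buf) { *decision = WOLFSSL_NETFILTER_REJECT; return WOLFSSL_SUCCESS; }`. The `addr_len` fields are assigned a byte count here, while the later commit in this series fills them in bits (`* BITS_PER_BYTE`), so confirm which unit wolfSentry expects. `wolfSentry_NetworkFilterCallback` starts in the previous hunk.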
@@ -1870,9 +1907,67 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (ctx == NULL) err_sys_ex(catastrophic, "unable to get ctx"); -#ifdef WOLFSSL_NETWORK_INTROSPECTION - if (wolfSSL_CTX_set_AcceptFilter(ctx, test_NetworkFilterCallback, NULL /* AcceptFilter_arg */) < 0) - err_sys_ex(catastrophic, "unable to install test_NetworkFilterCallback"); +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + ret = wolfsentry_init(NULL /* allocator */, NULL /* timecbs */, 0 /* route_private_data_size */, 0 /* route_private_data_alignment */, &wolfsentry); + if (ret != 0) { + fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); + err_sys_ex(catastrophic, "unable to initialize wolfSentry"); + } + + { + struct wolfsentry_route_table *table; + + if ((ret = wolfsentry_route_get_table_static(wolfsentry, &table)) != 0) + fprintf(stderr, "wolfsentry_route_get_table_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); + if (ret == 0) { + if ((ret = wolfsentry_route_table_default_policy_set(wolfsentry, table, WOLFSENTRY_ACTION_RES_REJECT|WOLFSENTRY_ACTION_RES_STOP)) != 0) + fprintf(stderr, "wolfsentry_route_table_default_policy_set(WOLFSENTRY_ACTION_RES_REJECT) returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); + } + + if (ret == 0) { + struct { + struct wolfsentry_sockaddr sa; + byte buf[16]; + } remote, local; + wolfsentry_ent_id_t id; + wolfsentry_action_res_t action_results; + + memset(&remote, 0, sizeof remote); + memset(&local, 0, sizeof local); +#ifdef TEST_IPV6 + remote.sa.sa_family = local.sa.sa_family = AF_INET6; + remote.sa.addr_len = 128; +#else + remote.sa.sa_family = local.sa.sa_family = AF_INET; + remote.sa.addr_len = 32; + memcpy(remote.sa.addr, "\177\000\000\001", 4); +#endif +// remote.sa.sa_proto = local.sa.sa_proto = IPPROTO_TCP; + + if ((ret = wolfsentry_route_insert_static + (wolfsentry, NULL /* caller_context */, &remote.sa, &local.sa, + WOLFSENTRY_ROUTE_FLAG_GREENLISTED | + 
WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN | + WOLFSENTRY_ROUTE_FLAG_TRIGGER_WILDCARD | + WOLFSENTRY_ROUTE_FLAG_REMOTE_INTERFACE_WILDCARD| + WOLFSENTRY_ROUTE_FLAG_LOCAL_INTERFACE_WILDCARD | + WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_ADDR_WILDCARD | + WOLFSENTRY_ROUTE_FLAG_SA_PROTO_WILDCARD | + WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_PORT_WILDCARD | + WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_PORT_WILDCARD, + 0 /* event_label_len */, 0 /* event_label */, &id, &action_results)) < 0) + fprintf(stderr, "wolfsentry_route_insert_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); +// else +// fprintf(stderr, "wolfsentry static greenlist rule for localhost has ID %u.\n",id); + } + + if (ret != 0) + err_sys_ex(catastrophic, "unable to configure route table"); + } + + + if (wolfSSL_CTX_set_AcceptFilter(ctx, (NetworkFilterCallback_t)wolfSentry_NetworkFilterCallback, wolfsentry) < 0) + err_sys_ex(catastrophic, "unable to install wolfSentry_NetworkFilterCallback"); #endif if (simulateWantWrite) @@ -2566,7 +2661,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) err_sys_ex(catastrophic, "error in wolfSSL_get_endpoints()"); } - printf("stored: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d\n", + printf("stored connection attrs: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d\n", nc->family, nc->proto, nc->remote_port, @@ -3014,6 +3109,13 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) exit: +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + ret = wolfsentry_shutdown(&wolfsentry); + if (ret != 0) { + fprintf(stderr, "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT, WOLFSENTRY_ERROR_FMT_ARGS(ret)); + } +#endif + #if defined(HAVE_ECC) && defined(FP_ECC) && defined(HAVE_THREAD_LS) \ && (defined(NO_MAIN_DRIVER) || defined(HAVE_STACK_SIZE)) wc_ecc_fp_free(); /* free per thread cache */ diff --git a/src/internal.c b/src/internal.c index a86ca0a61..4a43752cc 100644 --- a/src/internal.c +++ b/src/internal.c 
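Review bot: In the `TEST_IPV6` branch the greenlist rule sets `remote.sa.addr_len = 128` but leaves the address as the zeros from `memset()`, so unless wolfSentry treats an all-zero address specially the rule matches `::` rather than the loopback `::1`, and with the default policy set to `WOLFSENTRY_ACTION_RES_REJECT|WOLFSENTRY_ACTION_RES_STOP` an IPv6 localhost test would be rejected; the IPv4 branch does copy `127.0.0.1`, so the IPv6 one should do the same, e.g. `memcpy(remote.sa.addr, &in6addr_loopback, sizeof in6addr_loopback);`. The `(NetworkFilterCallback_t)` cast on the `wolfSSL_CTX_set_AcceptFilter()` line papers over the mismatch between `struct wolfsentry_context *` and the typedef's `void *ctx`; calling through an incompatible function-pointer type is undefined behaviour, so take `void *` in the callback and cast inside it. The two `//`-commented lines (`remote.sa.sa_proto` and the rule-ID message) should be removed or made real code before merge. The enclosing `server_test()` starts before and ends after this hunk.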
@@ -19449,7 +19449,10 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case TOO_MUCH_EARLY_DATA: return "Too much early data"; - + + case SOCKET_FILTERED_E: + return "Session stopped by network filter"; + default : return "unknown error number"; } diff --git a/src/ssl.c b/src/ssl.c index 8dd44bffc..f10827580 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1222,6 +1222,8 @@ WOLFSSL_API int wolfSSL_copy_endpoints_layer2( return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection_layer2, nc, nc_size, remote_addr, local_addr); } +#ifdef WOLFSSL_WOLFSENTRY_HOOKS + WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { ctx->AcceptFilter = AcceptFilter; ctx->AcceptFilter_arg = AcceptFilter_arg; @@ -1234,6 +1236,8 @@ WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t A return WOLFSSL_SUCCESS; } +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ + #endif /* WOLFSSL_NETWORK_INTROSPECTION */ #ifndef WOLFSSL_LEANPSK @@ -13126,7 +13130,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, wolfSSL_netfilter_decision_t res; if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && (res == WOLFSSL_NETFILTER_REJECT)) { - WOLFSSL_ERROR(ssl->error = SOCKET_ERROR_E); + WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); return WOLFSSL_FATAL_ERROR; } } @@ -13134,7 +13138,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, wolfSSL_netfilter_decision_t res; if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection_layer2, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && (res == WOLFSSL_NETFILTER_REJECT)) { - WOLFSSL_ERROR(ssl->error = SOCKET_ERROR_E); + WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); return WOLFSSL_FATAL_ERROR; } } diff --git a/src/tls13.c b/src/tls13.c index cbc891458..ec0c303c7 100644 --- a/src/tls13.c +++ b/src/tls13.c 
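Review bot: In the `@@ -13126` and `@@ -13134` hunks the session is stopped only when the callback returns `WOLFSSL_SUCCESS` and also reports `WOLFSSL_NETFILTER_REJECT`, so a callback that fails (allocation error, missing ex_data, policy-engine error) lets the handshake proceed — the filter fails open; the two tls13.c hunks repeat the same pattern. For an admission-control hook I would treat a failed callback as a rejection: `if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection, ssl->AcceptFilter_arg, &res) != WOLFSSL_SUCCESS) || (res == WOLFSSL_NETFILTER_REJECT)) {`. It is also worth a comment that sessions with `remote_addr_len == 0` (no endpoints recorded) skip the filter entirely, since that is a deliberate policy choice a reader would otherwise miss. The enclosing function starts and ends outside these hunks; the `@@` label naming `wolfSSL_DTLS_SetCookieSecret` appears to be just the nearest preceding definition.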
@@ -8356,12 +8356,12 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) return WOLFSSL_FATAL_ERROR; } -#ifdef WOLFSSL_NETWORK_INTROSPECTION +#ifdef WOLFSSL_WOLFSENTRY_HOOKS if (ssl->AcceptFilter && (ssl->buffers.network_connection.remote_addr_len > 0)) { wolfSSL_netfilter_decision_t res; if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && (res == WOLFSSL_NETFILTER_REJECT)) { - WOLFSSL_ERROR(ssl->error = SOCKET_ERROR_E); + WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); return WOLFSSL_FATAL_ERROR; } } @@ -8369,11 +8369,11 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) wolfSSL_netfilter_decision_t res; if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection_layer2, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && (res == WOLFSSL_NETFILTER_REJECT)) { - WOLFSSL_ERROR(ssl->error = SOCKET_ERROR_E); + WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); return WOLFSSL_FATAL_ERROR; } } -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ #ifndef NO_CERTS /* allow no private key if using PK callbacks and CB is set */ diff --git a/tests/include.am b/tests/include.am index 0601a0a6e..6a49cac42 100644 --- a/tests/include.am +++ b/tests/include.am @@ -13,8 +13,8 @@ tests_unit_test_SOURCES = \ tests/srp.c \ examples/client/client.c \ examples/server/server.c -tests_unit_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) -tests_unit_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) +tests_unit_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) $(WOLFSENTRY_INCLUDE) +tests_unit_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB) tests_unit_test_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += tests/unit.h diff --git a/testsuite/include.am b/testsuite/include.am index ed2604427..a3eea3978 100644 --- a/testsuite/include.am +++ b/testsuite/include.am 
@@ -13,8 +13,8 @@ testsuite_testsuite_test_SOURCES = \ examples/echoserver/echoserver.c \ examples/server/server.c \ testsuite/testsuite.c -testsuite_testsuite_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) -testsuite_testsuite_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) +testsuite_testsuite_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) $(WOLFSENTRY_INCLUDE) +testsuite_testsuite_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) $(WOLFSENTRY_LIB) testsuite_testsuite_test_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += testsuite/testsuite.sln diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 4e2ab6e38..0c3399d3e 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -171,7 +171,9 @@ enum wolfSSL_ErrorCodes { NO_CERT_ERROR = -440, /* TLS1.3 - no cert set error */ APP_DATA_READY = -441, /* DTLS1.2 application data ready for read */ TOO_MUCH_EARLY_DATA = -442, /* Too much Early data */ - + + SOCKET_FILTERED_E = -443, /* Session stopped by network filter */ + /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */ /* begin negotiation parameter errors */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c16fbc2ff..b36d7f9a4 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2860,10 +2860,10 @@ struct WOLFSSL_CTX { CallbackInfoState* CBIS; /* used to get info about SSL state */ WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/ #endif -#ifdef WOLFSSL_NETWORK_INTROSPECTION +#ifdef WOLFSSL_WOLFSENTRY_HOOKS NetworkFilterCallback_t AcceptFilter; void *AcceptFilter_arg; -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; #ifdef WOLFSSL_DTLS 
@@ -4084,10 +4084,10 @@ struct WOLFSSL { #ifdef OPENSSL_EXTRA byte cbioFlag; /* WOLFSSL_CBIO_RECV/SEND: CBIORecv/Send is set */ #endif -#ifdef WOLFSSL_NETWORK_INTROSPECTION +#ifdef WOLFSSL_WOLFSENTRY_HOOKS NetworkFilterCallback_t AcceptFilter; void *AcceptFilter_arg; -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ CallbackIORecv CBIORecv; CallbackIOSend CBIOSend; #ifdef WOLFSSL_STATIC_MEMORY diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 935a6b820..a754e6db9 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1221,9 +1221,11 @@ typedef enum { WOLFSSL_NETFILTER_REJECT = 2 } wolfSSL_netfilter_decision_t; +#ifdef WOLFSSL_WOLFSENTRY_HOOKS typedef int (*NetworkFilterCallback_t)(WOLFSSL *ssl, struct wolfSSL_network_connection *nc, void *ctx, wolfSSL_netfilter_decision_t *decision); WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg); WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg); +#endif #endif /* WOLFSSL_NETWORK_INTROSPECTION */ From 2a05fcb59a0ad3d30e5726b1b52cf4f85220be26 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 2 Apr 2021 01:13:25 -0500 Subject: [PATCH 04/16] examples/server: fix wolfSentry integration to handle DTLS correctly. --- examples/server/server.c | 133 +++++++++++++++++++-------------------- 1 file changed, 65 insertions(+), 68 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index 3264fc3f7..8ebd03c8f 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -36,8 +36,7 @@ #endif #ifdef WOLFSSL_WOLFSENTRY_HOOKS -# include -# include +# include #endif #if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) 
@@ -1065,6 +1064,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) { SOCKET_T sockfd = WOLFSSL_SOCKET_INVALID; SOCKET_T clientfd = WOLFSSL_SOCKET_INVALID; + SOCKADDR_IN_T client_addr; + socklen_t client_len; wolfSSL_method_func method = NULL; SSL_CTX* ctx = 0; @@ -2287,9 +2288,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) /* allow resume option */ if (resumeCount > 1) { if (dtlsUDP == 0) { - SOCKADDR_IN_T client; - socklen_t client_len = sizeof(client); - clientfd = accept(sockfd, (struct sockaddr*)&client, + client_len = sizeof client_addr; + clientfd = accept(sockfd, (struct sockaddr*)&client_addr, (ACCEPT_THIRD_T)&client_len); } else { 
@@ -2599,16 +2599,68 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) readySignal->srfName = serverReadyFile; } - { - SOCKADDR_IN_T client_addr; - socklen_t client_len = sizeof(client_addr); + client_len = sizeof client_addr; + tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr, + dtlsUDP, dtlsSCTP, serverReadyFile ? 1 : 0, doListen, + &client_addr, &client_len); - tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr, - dtlsUDP, dtlsSCTP, serverReadyFile ? 1 : 0, doListen, - &client_addr, &client_len); + doListen = 0; /* Don't listen next time */ + + if (port == 0) { + port = readySignal->port; + } + + if (SSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS) { + err_sys_ex(catastrophic, "error in setting fd"); + } + +#ifdef HAVE_TRUSTED_CA + if (trustedCaKeyId) { + if (wolfSSL_UseTrustedCA(ssl, WOLFSSL_TRUSTED_CA_PRE_AGREED, + NULL, 0) != WOLFSSL_SUCCESS) { + err_sys_ex(runWithErrors, "UseTrustedCA failed"); + } + } +#endif /* HAVE_TRUSTED_CA */ + +#ifdef HAVE_ALPN + if (alpnList != NULL) { + printf("ALPN accepted protocols list : %s\n", alpnList); + wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt); + } +#endif + +#ifdef WOLFSSL_DTLS + if (doDTLS && dtlsUDP) { + byte b[1500]; + int n; + + client_len = sizeof client_addr; + + /* For DTLS, peek at the next datagram so we can get the client's + * address and set it into the ssl object later to generate the + * cookie. 
*/ + n = (int)recvfrom(clientfd, (char*)b, sizeof(b), MSG_PEEK, + (struct sockaddr*)&client_addr, &client_len); + if (n <= 0) + err_sys_ex(runWithErrors, "recvfrom failed"); + + if (doBlockSeq) { + XMEMCPY(&dtlsCtx.peer.sa, &client_addr, client_len); + dtlsCtx.peer.sz = client_len; + dtlsCtx.wfd = clientfd; + dtlsCtx.failOnce = 1; + + wolfSSL_SetIOWriteCtx(ssl, &dtlsCtx); + } + else { + wolfSSL_dtls_set_peer(ssl, &client_addr, client_len); + } + } +#endif #ifdef WOLFSSL_NETWORK_INTROSPECTION - + { SOCKADDR_IN_T local_addr; socklen_t local_len = sizeof(local_addr); getsockname(clientfd, (struct sockaddr *)&local_addr, (socklen_t *)&local_len); 
@@ -2670,64 +2722,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) inet_ntop(nc->family, local_addr2, inet_ntop_buf2, sizeof inet_ntop_buf2), nc->interface); } - + } #endif /* WOLFSSL_NETWORK_INTROSPECTION */ - } - doListen = 0; /* Don't listen next time */ - - if (port == 0) { - port = readySignal->port; - } - - if (SSL_set_fd(ssl, clientfd) != WOLFSSL_SUCCESS) { - err_sys_ex(catastrophic, "error in setting fd"); - } - -#ifdef HAVE_TRUSTED_CA - if (trustedCaKeyId) { - if (wolfSSL_UseTrustedCA(ssl, WOLFSSL_TRUSTED_CA_PRE_AGREED, - NULL, 0) != WOLFSSL_SUCCESS) { - err_sys_ex(runWithErrors, "UseTrustedCA failed"); - } - } -#endif /* HAVE_TRUSTED_CA */ - -#ifdef HAVE_ALPN - if (alpnList != NULL) { - printf("ALPN accepted protocols list : %s\n", alpnList); - wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt); - } -#endif - -#ifdef WOLFSSL_DTLS - if (doDTLS && dtlsUDP) { - SOCKADDR_IN_T cliaddr; - byte b[1500]; - int n; - socklen_t len = sizeof(cliaddr); - - /* For DTLS, peek at the next datagram so we can get the client's - * address and set it into the ssl object later to generate the - * cookie. */ - n = (int)recvfrom(clientfd, (char*)b, sizeof(b), MSG_PEEK, - (struct sockaddr*)&cliaddr, &len); - if (n <= 0) - err_sys_ex(runWithErrors, "recvfrom failed"); - - if (doBlockSeq) { - XMEMCPY(&dtlsCtx.peer.sa, &cliaddr, len); - dtlsCtx.peer.sz = len; - dtlsCtx.wfd = clientfd; - dtlsCtx.failOnce = 1; - - wolfSSL_SetIOWriteCtx(ssl, &dtlsCtx); - } - else { - wolfSSL_dtls_set_peer(ssl, &cliaddr, len); - } - } -#endif if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL || needDH == 1) { #if !defined(NO_FILESYSTEM) && !defined(NO_DH) && !defined(NO_ASN) From 4458ed37c189bd47bc7437bddccad8051810e05b Mon Sep 17 00:00:00 2001 
From: Daniel Pouzzner Date: Fri, 2 Apr 2021 11:34:31 -0500 Subject: [PATCH 05/16] fix a couple stray WOLFSSL_NETWORK_INTROSPECTION gates that needed to be WOLFSSL_WOLFSENTRY_HOOKS. --- src/internal.c | 2 +- src/ssl.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index 4a43752cc..43e8515c9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5581,7 +5581,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #endif #endif -#ifdef WOLFSSL_NETWORK_INTROSPECTION +#ifdef WOLFSSL_WOLFSENTRY_HOOKS ssl->AcceptFilter = ctx->AcceptFilter; ssl->AcceptFilter_arg = ctx->AcceptFilter_arg; #endif diff --git a/src/ssl.c b/src/ssl.c index f10827580..1f3c0f6c2 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -13125,7 +13125,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, } #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */ -#ifdef WOLFSSL_NETWORK_INTROSPECTION +#ifdef WOLFSSL_WOLFSENTRY_HOOKS if (ssl->AcceptFilter && (ssl->buffers.network_connection.remote_addr_len > 0)) { wolfSSL_netfilter_decision_t res; if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && @@ -13142,7 +13142,7 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, return WOLFSSL_FATAL_ERROR; } } -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ #if defined(WOLFSSL_NO_TLS12) && defined(NO_OLD_TLS) && defined(WOLFSSL_TLS13) return wolfSSL_accept_TLSv13(ssl); From 23d8df720e709a45b92ea910e29d898a4f97b5b5 Mon Sep 17 00:00:00 2001 
From: Daniel Pouzzner Date: Fri, 9 Apr 2021 11:29:13 -0500 Subject: [PATCH 06/16] remove WOLFSSL_NETWORK_INTROSPECTION code; add wolfSSL_X509_STORE_set_ex_data_with_cleanup(); refactor WOLFSSL_WOLFSENTRY_HOOKS code in server.c to use HAVE_EX_DATA/HAVE_EX_DATA_CLEANUP_HOOKS. --- configure.ac | 25 +- examples/server/server.c | 185 +++++++-------- src/internal.c | 22 +- src/ssl.c | 468 +++++++++++++++++++------------------- src/tls13.c | 12 +- wolfssl/internal.h | 5 - wolfssl/openssl/rsa.h | 8 +- wolfssl/ssl.h | 140 +++++------- wolfssl/wolfcrypt/types.h | 6 + 9 files changed, 424 insertions(+), 447 deletions(-) diff --git a/configure.ac b/configure.ac index 1b961bb42..56b0beeeb 100644 --- a/configure.ac +++ b/configure.ac @@ -2511,10 +2511,7 @@ AC_ARG_ENABLE([wolfsentry], if test "$ENABLED_WOLFSENTRY" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS" - ENABLED_NETWORK_INTROSPECTION_DEFAULT=yes -else - ENABLED_NETWORK_INTROSPECTION_DEFAULT=no + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS -DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS" fi AC_ARG_WITH([wolfsentry-lib], @@ -2536,25 +2533,6 @@ AC_SUBST([WOLFSENTRY_LIB]) AC_SUBST([WOLFSENTRY_INCLUDE]) -# API for tracking network connection attributes -AC_ARG_ENABLE([network-introspection], - [AS_HELP_STRING([--enable-network-introspection],[Enable network connection attribute tracking and callbacks (default: disabled)])], - [ ENABLED_NETWORK_INTROSPECTION=$enableval ], - [ ENABLED_NETWORK_INTROSPECTION=$ENABLED_NETWORK_INTROSPECTION_DEFAULT ] - ) - -if test "$ENABLED_NETWORK_INTROSPECTION" = "yes" -then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NETWORK_INTROSPECTION" -fi - - -if test "$ENABLED_WOLFSENTRY" = "yes" && test "$ENABLED_NETWORK_INTROSPECTION" != "yes" -then - AC_MSG_ERROR([--enable-wolfsentry requires --enable-network-introspection]) -fi - - if test "$ENABLED_QT" = "yes" then # Requires opensslextra and opensslall 
@@ -6636,7 +6614,6 @@ echo " * Anonymous cipher: $ENABLED_ANON" echo " * CODING: $ENABLED_CODING" echo " * MEMORY: $ENABLED_MEMORY" echo " * I/O POOL: $ENABLED_IOPOOL" -echo " * Connection tracking: $ENABLED_NETWORK_INTROSPECTION" echo " * wolfSentry: $ENABLED_WOLFSENTRY" echo " * LIGHTY: $ENABLED_LIGHTY" echo " * HAPROXY: $ENABLED_HAPROXY" diff --git a/examples/server/server.c b/examples/server/server.c index 8ebd03c8f..9f7bff9a2 100644 --- a/examples/server/server.c +++ b/examples/server/server.c 
@@ -282,48 +282,83 @@ static int TestEmbedSendTo(WOLFSSL* ssl, char *buf, int sz, void *ctx) #ifdef WOLFSSL_WOLFSENTRY_HOOKS -static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfSSL_network_connection *nc, struct wolfsentry_context *wolfsentry, wolfSSL_netfilter_decision_t *decision) { - const void *remote_addr2; - const void *local_addr2; - char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; - int ret; - struct { - struct wolfsentry_sockaddr s; - byte buf[16]; - } remote, local; - wolfsentry_action_res_t action_results; +struct wolfsentry_data { + struct wolfsentry_sockaddr remote; + byte remote_addrbuf[16]; + struct wolfsentry_sockaddr local; + byte local_addrbuf[16]; + wolfsentry_route_flags_t flags; + void *heap; + int alloctype; +}; - (void)ssl; +static void free_wolfsentry_data(struct wolfsentry_data *data) { + char inet_ntop_buf[INET6_ADDRSTRLEN]; + fprintf(stderr, "free_wolfsentry_data() for remote %s:%d\n", inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf, sizeof inet_ntop_buf), data->remote.sa_port); + XFREE(data, data->heap, data->alloctype); +} - if ((ret = wolfSSL_get_endpoint_addrs(nc, &remote_addr2, &local_addr2)) != WOLFSSL_SUCCESS) { - printf("wolfSSL_get_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); - err_sys_ex(catastrophic, "error in wolfSSL_get_endpoints()"); +static int wolfsentry_data_index = -1; + +static int wolfsentry_store_endpoints( + WOLFSSL *ssl, + SOCKADDR_IN_T *remote, + SOCKADDR_IN_T *local, + int proto, + wolfsentry_route_flags_t flags) +{ + struct wolfsentry_data *data = (struct wolfsentry_data *)XMALLOC(sizeof *data, NULL, DYNAMIC_TYPE_SOCKADDR); + if (data == NULL) + return WOLFSSL_FAILURE; + + data->heap = NULL; + data->alloctype = DYNAMIC_TYPE_SOCKADDR; + +#ifdef TEST_IPV6 + if ((sizeof data->remote_addrbuf < sizeof remote->sin6_addr) || + (sizeof data->local_addrbuf < sizeof local->sin6_addr)) + return WOLFSSL_FAILURE; + data->remote.sa_family = 
data->local.sa_family = remote->sin6_family; + data->remote.sa_port = ntohs(remote->sin6_port); + data->local.sa_port = ntohs(local->sin6_port); + data->remote.addr_len = sizeof remote->sin6_addr * BITS_PER_BYTE; + XMEMCPY(data->remote.addr, &remote->sin6_addr, sizeof remote->sin6_addr); + data->local.addr_len = sizeof local->sin6_addr * BITS_PER_BYTE; + XMEMCPY(data->local.addr, &local->sin6_addr, sizeof local->sin6_addr); +#else + if ((sizeof data->remote_addrbuf < sizeof remote->sin_addr) || + (sizeof data->local_addrbuf < sizeof local->sin_addr)) + return WOLFSSL_FAILURE; + data->remote.sa_family = data->local.sa_family = remote->sin_family; + data->remote.sa_port = ntohs(remote->sin_port); + data->local.sa_port = ntohs(local->sin_port); + data->remote.addr_len = sizeof remote->sin_addr * BITS_PER_BYTE; + XMEMCPY(data->remote.addr, &remote->sin_addr, sizeof remote->sin_addr); + data->local.addr_len = sizeof local->sin_addr * BITS_PER_BYTE; + XMEMCPY(data->local.addr, &local->sin_addr, sizeof local->sin_addr); +#endif + data->remote.sa_proto = data->local.sa_proto = proto; + data->remote.interface = data->local.interface = 0; + data->flags = flags; + + if (wolfSSL_set_ex_data_with_cleanup(ssl, wolfsentry_data_index, data, (wolfSSL_ex_data_cleanup_routine_t)free_wolfsentry_data) != WOLFSSL_SUCCESS) { + free_wolfsentry_data(data); + return WOLFSSL_FAILURE; } - printf("got network filter callback: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d\n", - nc->family, - nc->proto, - nc->remote_port, - nc->local_port, - inet_ntop(nc->family, remote_addr2, inet_ntop_buf, sizeof inet_ntop_buf), - inet_ntop(nc->family, local_addr2, inet_ntop_buf2, sizeof inet_ntop_buf2), - nc->interface); + return WOLFSSL_SUCCESS; +} - remote.s.sa_family = nc->family; - remote.s.sa_proto = nc->proto; - remote.s.sa_port = nc->remote_port; - remote.s.addr_len = nc->remote_addr_len; - remote.s.interface = nc->interface; - memcpy(remote.s.addr, remote_addr2, 
nc->remote_addr_len); +static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_context *wolfsentry, wolfSSL_netfilter_decision_t *decision) { + struct wolfsentry_data *data; + char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; + int ret; + wolfsentry_action_res_t action_results; - local.s.sa_family = nc->family; - local.s.sa_proto = nc->proto; - local.s.sa_port = nc->local_port; - local.s.addr_len = nc->local_addr_len; - local.s.interface = nc->interface; - memcpy(local.s.addr, local_addr2, nc->local_addr_len); + if ((data = wolfSSL_get_ex_data(ssl, wolfsentry_data_index)) == NULL) + return WOLFSSL_FAILURE; - ret = wolfsentry_route_event_dispatch(wolfsentry, &remote.s, &local.s, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN, NULL /* event_label */, 0 /* event_label_len */, NULL /* caller_context */, NULL /* id */, NULL /* inexact_matches */, &action_results); + ret = wolfsentry_route_event_dispatch(wolfsentry, &data->remote, &data->local, data->flags, NULL /* event_label */, 0 /* event_label_len */, NULL /* caller_context */, NULL /* id */, NULL /* inexact_matches */, &action_results); if (ret == 0) { if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT)) 
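Review bot: In `wolfsentry_store_endpoints()` the `sizeof` guards in both the `TEST_IPV6` and the default branch `return WOLFSSL_FAILURE` after `data` has already been obtained from `XMALLOC()`, leaking it on every such failure; `free_wolfsentry_data()` cannot be used there because it calls `inet_ntop()` on the still-uninitialised `data->remote`. Simplest is to move the two size checks above the allocation; otherwise each path needs `XFREE(data, NULL, DYNAMIC_TYPE_SOCKADDR);` before the return. Separately, `struct wolfsentry_data` places a 16-byte array right after each `struct wolfsentry_sockaddr` and writes through `remote.addr` into it; if `wolfsentry_sockaddr` ends in a flexible array member this relies on there being no padding between the two members and on the compiler accepting a flexible-array struct as a non-final member, which C11 does not guarantee, so a `_Static_assert` on the offsets or a wolfSentry-provided sized variant would make the layout explicit. The hunk ends inside `wolfSentry_NetworkFilterCallback()`.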
@@ -332,8 +367,20 @@ static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfSSL_network *decision = WOLFSSL_NETFILTER_ACCEPT; else *decision = WOLFSSL_NETFILTER_PASS; - } else + } else { + printf("wolfsentry_route_event_dispatch error " WOLFSENTRY_ERROR_FMT, WOLFSENTRY_ERROR_FMT_ARGS(ret)); *decision = WOLFSSL_NETFILTER_PASS; + } + + printf("got network filter callback: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d; decision=%d\n", + data->remote.sa_family, + data->remote.sa_proto, + data->remote.sa_port, + data->local.sa_port, + inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf, sizeof inet_ntop_buf), + inet_ntop(data->local.sa_family, data->local.addr, inet_ntop_buf2, sizeof inet_ntop_buf2), + data->remote.interface, + *decision); return WOLFSSL_SUCCESS; } @@ -1909,12 +1956,15 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) err_sys_ex(catastrophic, "unable to get ctx"); #ifdef WOLFSSL_WOLFSENTRY_HOOKS - ret = wolfsentry_init(NULL /* allocator */, NULL /* timecbs */, 0 /* route_private_data_size */, 0 /* route_private_data_alignment */, &wolfsentry); + ret = wolfsentry_init(NULL /* allocator */, NULL /* timecbs */, NULL /* default config */, &wolfsentry); if (ret != 0) { fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); err_sys_ex(catastrophic, "unable to initialize wolfSentry"); } + if (wolfsentry_data_index < 0) + wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + { struct wolfsentry_route_table *table; @@ -2333,6 +2383,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) ssl = SSL_new(ctx); if (ssl == NULL) err_sys_ex(catastrophic, "unable to create an SSL object"); + #ifdef OPENSSL_EXTRA wolfSSL_KeepArrays(ssl); #endif 
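Review bot: The new error branch in wolfSentry_NetworkFilterCallback prints `"wolfsentry_route_event_dispatch error " WOLFSENTRY_ERROR_FMT` to stdout with no trailing newline, while the wolfsentry_init() failure path in server_test writes to stderr with "\n"; I would make it `fprintf(stderr, "wolfsentry_route_event_dispatch error " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret));`. The same branch sets `*decision = WOLFSSL_NETFILTER_PASS`, so a failing policy lookup admits the connection; if fail-open is the intended example behaviour, a one-line comment saying so would stop readers copying it as a default. In the trace printf, inet_ntop() returns NULL on an unsupported family and `%s` with a NULL argument is undefined, so the two conversions should be done before the printf and their results checked. The function's signature and the start of its body are in the preceding hunk.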
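Review bot: `wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);` stores the result without checking it, so if index allocation fails the variable presumably stays negative and every later `wolfSSL_set_ex_data_with_cleanup(ssl, wolfsentry_data_index, ...)` in wolfsentry_store_endpoints fails with only the generic message at its call site. I would add `if (wolfsentry_data_index < 0) err_sys_ex(catastrophic, "unable to allocate ex_data index for wolfSentry");` directly after the assignment. The declaration of wolfsentry_data_index and the rest of server_test are outside this hunk.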
@@ -2659,7 +2710,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) } #endif -#ifdef WOLFSSL_NETWORK_INTROSPECTION +#ifdef WOLFSSL_WOLFSENTRY_HOOKS { SOCKADDR_IN_T local_addr; socklen_t local_len = sizeof(local_addr); 
@@ -2668,62 +2719,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (((struct sockaddr *)&client_addr)->sa_family != ((struct sockaddr *)&local_addr)->sa_family) err_sys_ex(catastrophic, "client_addr.sa_family != local_addr.sa_family"); -#ifdef TEST_IPV6 - - if ((ret = wolfSSL_set_endpoints( - ssl, - 0 /* interface_id */, - client_addr.sin6_family, - IPPROTO_TCP, - sizeof(client_addr.sin6_addr), - (byte *)&client_addr.sin6_addr, - (byte *)&local_addr.sin6_addr, - client_addr.sin6_port, - local_addr.sin6_port) != WOLFSSL_SUCCESS)) { - printf("wolfSSL_set_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); - err_sys_ex(catastrophic, "error in wolfSSL_set_endpoints()"); - } - -#else /* !TEST_IPV6 */ - - if ((ret = wolfSSL_set_endpoints( - ssl, - 0 /* interface_id */, - client_addr.sin_family, - IPPROTO_TCP, - sizeof(struct in_addr), - (byte *)&client_addr.sin_addr, - (byte *)&local_addr.sin_addr, - client_addr.sin_port, - local_addr.sin_port) != WOLFSSL_SUCCESS)) { - printf("wolfSSL_set_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); - err_sys_ex(catastrophic, "error in wolfSSL_set_endpoints()"); - } - -#endif /* TEST_IPV6 */ - - { - const struct wolfSSL_network_connection *nc; - const void *remote_addr2; - const void *local_addr2; - char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; - - if ((ret = wolfSSL_get_endpoints(ssl, &nc, &remote_addr2, &local_addr2)) != WOLFSSL_SUCCESS) { - printf("wolfSSL_get_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); - err_sys_ex(catastrophic, "error in wolfSSL_get_endpoints()"); - } - - printf("stored connection attrs: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d\n", - nc->family, - nc->proto, - nc->remote_port, - nc->local_port, - inet_ntop(nc->family, remote_addr2, inet_ntop_buf, sizeof inet_ntop_buf), - inet_ntop(nc->family, local_addr2, inet_ntop_buf2, sizeof inet_ntop_buf2), - nc->interface); + if (wolfsentry_store_endpoints(ssl, &client_addr, 
&local_addr, dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) != WOLFSSL_SUCCESS) { + printf("wolfsentry_store_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); + err_sys_ex(catastrophic, "error in wolfsentry_store_endpoints()"); } } -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ if ((usePsk == 0 || usePskPlus) || useAnon == 1 || cipherList != NULL || needDH == 1) { diff --git a/src/internal.c b/src/internal.c index 43e8515c9..8e601caf9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1892,6 +1892,14 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) int i; #endif +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, NULL, NULL); + } +#endif + #ifdef HAVE_WOLF_EVENT wolfEventQueue_Free(&ctx->event_queue); #endif /* HAVE_WOLF_EVENT */ @@ -6423,6 +6431,14 @@ void SSL_ResourceFree(WOLFSSL* ssl) * example with the RNG, it isn't used beyond the handshake except when * using stream ciphers where it is retained. */ +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ssl->ex_data, idx, NULL, NULL); + } +#endif + FreeCiphers(ssl); FreeArrays(ssl, 0); FreeKeyExchange(ssl); 
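Review bot: In the new wolfsentry_store_endpoints() call, `ret` is never assigned — the result is compared with WOLFSSL_SUCCESS directly — so the failure message formats whatever `ret` held from an earlier call. Write it as `if ((ret = wolfsentry_store_endpoints(ssl, &client_addr, &local_addr, dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN)) != WOLFSSL_SUCCESS) {`. Note also that the helper returns WOLFSSL_FAILURE rather than a wolfSSL error code, so wolfSSL_ERR_error_string(ret, NULL) will not describe the cause; either have the helper propagate the underlying error from its size checks and the wolfSSL_set_ex_data_with_cleanup() call, or drop the lookup from the message. server_test continues outside this hunk.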
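Review bot: The `for (idx = 0; idx < MAX_EX_DATA; ++idx) (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, NULL, NULL);` loop in SSL_CtxResourceFree is repeated verbatim in SSL_ResourceFree below and in wolfSSL_BIO_free, ExternalFreeX509, FreeSession, wolfSSL_X509_STORE_free, wolfSSL_X509_STORE_CTX_free and wolfSSL_RSA_free in src/ssl.c. A single helper beside wolfSSL_CRYPTO_set_ex_data_with_cleanup — say `void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA *ex_data)` holding that loop — would reduce each free path to one line and give one place for the `#ifdef HAVE_EX_DATA_CLEANUP_HOOKS` guard and for a comment that the hooks run before the owning object's own fields are released. The enclosing free functions start and end outside these hunks.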
@@ -6465,12 +6481,6 @@ void SSL_ResourceFree(WOLFSSL* ssl) FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey); ssl->peerRsaKeyPresent = 0; #endif -#ifdef WOLFSSL_NETWORK_INTROSPECTION - if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(ssl->buffers.network_connection)) - XFREE(ssl->buffers.network_connection.addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); - if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(ssl->buffers.network_connection_layer2)) - XFREE(ssl->buffers.network_connection_layer2.addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ #ifdef WOLFSSL_RENESAS_TSIP_TLS XFREE(ssl->peerTsipEncRsaKeyIndex, ssl->heap, DYNAMIC_TYPE_RSA); #endif diff --git a/src/ssl.c b/src/ssl.c index 1f3c0f6c2..0aa7c22f2 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -1013,215 +1013,6 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req) } #endif /* NO_CERTS */ -#ifdef WOLFSSL_NETWORK_INTROSPECTION - -/* all ints in host byte order, addresses in network order (big endian). */ -static WC_INLINE int wolfSSL_set_endpoints_1( - WOLFSSL* ssl, - struct wolfSSL_network_connection *nc, - unsigned int interface_id, - unsigned int family, - unsigned int proto, - unsigned int remote_addr_len, - const byte *remote_addr, - unsigned int local_addr_len, - const byte *local_addr, - unsigned int remote_port, - unsigned int local_port) -{ - size_t current_dynamic_alloc, needed_dynamic_alloc; - - if ((ssl == NULL) || (nc == NULL) || (remote_addr_len == 0) || (local_addr_len == 0)) - return BAD_FUNC_ARG; - - if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc)) - current_dynamic_alloc = nc->local_addr_len + nc->remote_addr_len; - else - current_dynamic_alloc = 0; - - if (local_addr_len + remote_addr_len > WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES) - needed_dynamic_alloc = local_addr_len + remote_addr_len; - else - needed_dynamic_alloc = 0; - - nc->local_addr_len = nc->remote_addr_len = 0; - - if (current_dynamic_alloc != needed_dynamic_alloc) { - if (current_dynamic_alloc > 0) - XFREE(nc->addr_buffer_dynamic, ssl->heap, DYNAMIC_TYPE_SOCKADDR); - if (needed_dynamic_alloc > 0) { - nc->addr_buffer_dynamic = (byte *)XMALLOC - (needed_dynamic_alloc, - ssl->heap, - DYNAMIC_TYPE_SOCKADDR); - if (nc->addr_buffer_dynamic == NULL) - return MEMORY_E; - } - } - - nc->family = family; - nc->proto = proto; - nc->remote_addr_len = remote_addr_len; - nc->local_addr_len = local_addr_len; - nc->interface = interface_id; - nc->remote_port = remote_port; - nc->local_port = local_port; - - if (needed_dynamic_alloc == 0) { - XMEMCPY(nc->addr_buffer, remote_addr, remote_addr_len); - XMEMCPY(nc->addr_buffer + remote_addr_len, local_addr, local_addr_len); - } else { - XMEMCPY(nc->addr_buffer_dynamic, remote_addr, remote_addr_len); - 
XMEMCPY((nc->addr_buffer_dynamic) + remote_addr_len, local_addr, local_addr_len); - } - nc->remote_addr_len = remote_addr_len; - nc->local_addr_len = local_addr_len; - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_set_endpoints( - WOLFSSL* ssl, - unsigned int interface_id, - unsigned int family, - unsigned int proto, - unsigned int addr_len, - const byte *remote_addr, - const byte *local_addr, - unsigned int remote_port, - unsigned int local_port) -{ - return wolfSSL_set_endpoints_1( - ssl, - &ssl->buffers.network_connection, - interface_id, - family, - proto, - addr_len, - remote_addr, - addr_len, - local_addr, - remote_port, - local_port); -} - -int wolfSSL_set_endpoints_layer2( - WOLFSSL* ssl, - unsigned int interface_id, - unsigned int family, - unsigned int addr_len, - const byte *remote_addr, - const byte *local_addr) -{ - return wolfSSL_set_endpoints_1( - ssl, - &ssl->buffers.network_connection_layer2, - interface_id, - family, - 0 /* proto */, - addr_len, - remote_addr, - addr_len, - local_addr, - 0 /* remote_port */, - 0 /* local_port */); -} - -WOLFSSL_API int wolfSSL_get_endpoint_addrs( - const struct wolfSSL_network_connection *nc, - const void **remote_addr, - const void **local_addr) -{ - if ((remote_addr == NULL) || (local_addr == NULL)) - return BAD_FUNC_ARG; - if (nc->remote_addr_len == 0) - return INCOMPLETE_DATA; - - if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc)) { - *remote_addr = nc->addr_buffer_dynamic; - *local_addr = nc->addr_buffer_dynamic + nc->remote_addr_len; - } else { - *remote_addr = nc->addr_buffer; - *local_addr = nc->addr_buffer + nc->remote_addr_len; - } - - return WOLFSSL_SUCCESS; -} - -WOLFSSL_API int wolfSSL_get_endpoints( - WOLFSSL *ssl, - const struct wolfSSL_network_connection **nc, - const void **remote_addr, - const void **local_addr) -{ - *nc = &ssl->buffers.network_connection; - return wolfSSL_get_endpoint_addrs(*nc, remote_addr, local_addr); -} - -WOLFSSL_API int wolfSSL_get_endpoints_layer2( - WOLFSSL 
*ssl, - const struct wolfSSL_network_connection **nc, - const void **remote_addr, - const void **local_addr) -{ - *nc = &ssl->buffers.network_connection_layer2; - return wolfSSL_get_endpoint_addrs(*nc, remote_addr, local_addr); -} - -static WC_INLINE int wolfSSL_copy_endpoints_1( - struct wolfSSL_network_connection *nc_src, - struct wolfSSL_network_connection *nc_dst, - size_t nc_dst_size, - const void **remote_addr, - const void **local_addr) -{ - size_t nc_bufsiz; - - if ((nc_dst == NULL) || (remote_addr == NULL) || (local_addr == NULL)) - return BAD_FUNC_ARG; - if (nc_src->remote_addr_len == 0) - return INCOMPLETE_DATA; - - nc_bufsiz = WOLFSSL_NETWORK_CONNECTION_BUFSIZ(nc_src->remote_addr_len, nc_src->local_addr_len); - if (nc_dst_size < nc_bufsiz) - return BUFFER_E; - XMEMCPY(nc_dst, nc_src, ((unsigned int)(unsigned long int)(&((struct wolfSSL_network_connection *)0)->addr_buffer[0]))); - if (WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(*nc_src)) - XMEMCPY(nc_dst->addr_buffer, nc_src->addr_buffer_dynamic, nc_src->remote_addr_len + nc_src->local_addr_len); - else - XMEMCPY(nc_dst->addr_buffer, nc_src->addr_buffer, nc_src->remote_addr_len + nc_src->local_addr_len); - *remote_addr = nc_dst->addr_buffer; - *local_addr = nc_dst->addr_buffer + nc_dst->remote_addr_len; - - return WOLFSSL_SUCCESS; -} - -WOLFSSL_API int wolfSSL_copy_endpoints( - WOLFSSL *ssl, - struct wolfSSL_network_connection *nc, - size_t nc_size, - const void **remote_addr, - const void **local_addr) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection, nc, nc_size, remote_addr, local_addr); -} - -WOLFSSL_API int wolfSSL_copy_endpoints_layer2( - WOLFSSL *ssl, - struct wolfSSL_network_connection *nc, - size_t nc_size, - const void **remote_addr, - const void **local_addr) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return wolfSSL_copy_endpoints_1(&ssl->buffers.network_connection_layer2, nc, nc_size, remote_addr, local_addr); -} 
- #ifdef WOLFSSL_WOLFSENTRY_HOOKS WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { @@ -1238,8 +1029,6 @@ WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t A #endif /* WOLFSSL_WOLFSENTRY_HOOKS */ -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ - #ifndef WOLFSSL_LEANPSK int wolfSSL_dtls_set_peer(WOLFSSL* ssl, void* peer, unsigned int peerSz) { @@ -13126,17 +12915,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */ #ifdef WOLFSSL_WOLFSENTRY_HOOKS - if (ssl->AcceptFilter && (ssl->buffers.network_connection.remote_addr_len > 0)) { + if (ssl->AcceptFilter) { wolfSSL_netfilter_decision_t res; - if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && - (res == WOLFSSL_NETFILTER_REJECT)) { - WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); - return WOLFSSL_FATAL_ERROR; - } - } - if (ssl->AcceptFilter && (ssl->buffers.network_connection_layer2.remote_addr_len > 0)) { - wolfSSL_netfilter_decision_t res; - if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection_layer2, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && + if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && (res == WOLFSSL_NETFILTER_REJECT)) { WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); return WOLFSSL_FATAL_ERROR; @@ -16522,6 +16303,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl) /* unchain?, doesn't matter in goahead since from free all */ WOLFSSL_ENTER("wolfSSL_BIO_free"); if (bio) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&bio->ex_data, idx, NULL, NULL); + } +#endif if (bio->infoCb) { /* info callback is called before free */ 
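Review bot: With the `remote_addr_len > 0` precondition removed, the filter in wolfSSL_accept now runs whenever AcceptFilter is set, and only `== WOLFSSL_SUCCESS && res == WOLFSSL_NETFILTER_REJECT` rejects, so a callback that returns failure — as the example callback does when its endpoint ex_data is missing — lets the handshake continue unfiltered. If the filter is meant to be a gate, treat an error as a rejection: `if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) != WOLFSSL_SUCCESS) || (res == WOLFSSL_NETFILTER_REJECT)) {`; otherwise the NetworkFilterCallback_t documentation in ssl.h should state that callback errors are ignored. The identical check in wolfSSL_accept_TLSv13 in src/tls13.c needs the same decision. wolfSSL_accept starts and ends outside this hunk.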
@@ -18967,6 +18755,13 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) WOLFSSL_ENTER("ExternalFreeX509"); if (x509) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&x509->ex_data, idx, NULL, NULL); + } +#endif if (x509->dynamicMemory) { #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) if (wc_LockMutex(&x509->refMutex) != 0) { @@ -22167,6 +21962,14 @@ void FreeSession(WOLFSSL_SESSION* session, int isAlloced) if (session == NULL) return; +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&session->ex_data, idx, NULL, NULL); + } +#endif + #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) if (session->peer) { wolfSSL_X509_free(session->peer); @@ -24944,6 +24747,31 @@ int wolfSSL_BIO_set_ex_data(WOLFSSL_BIO *bio, int idx, void *data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +/* Set ex_data for WOLFSSL_BIO + * + * bio : BIO structure to set ex_data in + * idx : Index of ex_data to set + * data : Data to set in ex_data + * cleanup_routine : Function pointer to clean up data + * + * Returns WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE on failure + */ +int wolfSSL_BIO_set_ex_data_with_cleanup( + WOLFSSL_BIO *bio, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_BIO_set_ex_data_with_cleanup"); + if (bio != NULL && idx < MAX_EX_DATA) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&bio->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + /* Get ex_data in WOLFSSL_BIO at given index * * bio : BIO structure to get ex_data from 
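Review bot: wolfSSL_BIO_set_ex_data_with_cleanup guards `idx < MAX_EX_DATA` but not `idx >= 0`, while the X509_STORE_CTX, CTX, SSL and X509 wrappers in this patch check only the object pointer; since wolfSSL_CRYPTO_set_ex_data_with_cleanup validates both bounds itself, the wrappers could uniformly reduce to `if (bio != NULL)`. The header comment should also say when `cleanup_routine` runs: on the previous value whenever the slot is overwritten by either setter, and on the value in place when wolfSSL_BIO_free() runs the loop added above, so callers know the BIO takes ownership of `data`.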
@@ -26263,7 +26091,18 @@ err_exit: void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) { - if (store != NULL && store->isDynamic) { + if (store == NULL) + return; + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&store->ex_data, idx, NULL, NULL); + } +#endif + + if (store->isDynamic) { if (store->cm != NULL) { wolfSSL_CertManagerFree(store->cm); store->cm = NULL; @@ -26288,6 +26127,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE); } } + /** * Get ex_data in WOLFSSL_STORE at given index * @param store a pointer to WOLFSSL_X509_STORE structure @@ -26307,6 +26147,7 @@ void* wolfSSL_X509_STORE_get_ex_data(WOLFSSL_X509_STORE* store, int idx) #endif return NULL; } + /** * Set ex_data for WOLFSSL_STORE * @param store a pointer to WOLFSSL_X509_STORE structure @@ -26329,6 +26170,31 @@ int wolfSSL_X509_STORE_set_ex_data(WOLFSSL_X509_STORE* store, int idx, #endif return WOLFSSL_FAILURE; } + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +/** + * Set ex_data for WOLFSSL_STORE + * @param store a pointer to WOLFSSL_X509_STORE structure + * @param idx Index of ex data to set + * @param data Data to set in ex data + * @return WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE on failure + */ +int wolfSSL_X509_STORE_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE* store, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_X509_STORE_set_ex_data_with_cleanup"); + if (store != NULL && idx < MAX_EX_DATA) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&store->ex_data, idx, + data, cleanup_routine); + } + return WOLFSSL_FAILURE; +} + +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ #ifdef OPENSSL_EXTRA 
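Review bot: The doxygen block on wolfSSL_X509_STORE_set_ex_data_with_cleanup documents store, idx and data but omits the new parameter; add `@param cleanup_routine Called on the stored data when the slot is overwritten or the store is freed (NULL for none)` — the free case is the loop this patch adds to wolfSSL_X509_STORE_free above. The title line "Set ex_data for WOLFSSL_STORE" is copied verbatim from the plain setter and could mention the cleanup hook so the two entries are distinguishable in generated docs.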
@@ -26450,6 +26316,13 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx) { WOLFSSL_ENTER("X509_STORE_CTX_free"); if (ctx != NULL) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, NULL, NULL); + } +#endif #ifdef OPENSSL_EXTRA if (ctx->param != NULL){ XFREE(ctx->param,NULL,DYNAMIC_TYPE_OPENSSL); @@ -27808,6 +27681,25 @@ int wolfSSL_X509_STORE_CTX_set_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx, return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +/* set X509_STORE_CTX ex_data, max idx is MAX_EX_DATA. Return WOLFSSL_SUCCESS + * on success, WOLFSSL_FAILURE on error. */ +int wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE_CTX* ctx, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup"); + if (ctx != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) void wolfSSL_X509_STORE_CTX_set_depth(WOLFSSL_X509_STORE_CTX* ctx, int depth) { @@ -40532,6 +40424,22 @@ int wolfSSL_RSA_set_ex_data(WOLFSSL_RSA *rsa, int idx, void *data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_RSA_set_ex_data_with_cleanup( + WOLFSSL_RSA *rsa, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_RSA_set_ex_data_with_cleanup"); + if (rsa) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&rsa->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + int wolfSSL_RSA_set0_key(WOLFSSL_RSA *r, WOLFSSL_BIGNUM *n, WOLFSSL_BIGNUM *e, WOLFSSL_BIGNUM *d) { 
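Review bot: wolfSSL_RSA_set_ex_data_with_cleanup is the only new setter in this file without a header comment, unlike the BIO and X509_STORE variants in this patch; a block such as `/* Set ex_data on an RSA object; cleanup_routine is invoked on the previous value when the slot is overwritten and on the stored value when wolfSSL_RSA_free() runs. Returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE. */` would match them. The X509_STORE_CTX variant in the hunk above also puts the brace of `if (ctx != NULL)` on its own line while the RSA one uses `if (rsa) {`; the file mixes both, but the functions added together could at least agree with each other.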
@@ -44915,9 +44823,7 @@ int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) #endif /* OPENSSL_EXTRA */ -#if ((defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && defined(HAVE_EX_DATA)) || \ - defined(FORTRESS) || \ - defined(WOLFSSL_WPAS_SMALL) +#if defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL) void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) { WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); @@ -44985,7 +44891,24 @@ int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data) return WOLFSSL_FAILURE; } -#endif /* ((OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) && HAVE_EX_DATA) || FORTRESS || WOLFSSL_WPAS_SMALL */ +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_CTX_set_ex_data_with_cleanup( + WOLFSSL_CTX* ctx, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_CTX_set_ex_data_with_cleanup"); + if (ctx != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + +#endif /* defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL) */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) @@ -45037,6 +44960,23 @@ int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_set_ex_data_with_cleanup( + WOLFSSL* ssl, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_set_ex_data_with_cleanup"); + if (ssl != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ssl->ex_data, idx, data, + cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) { WOLFSSL_ENTER("wolfSSL_get_ex_data"); 
@@ -46663,6 +46603,22 @@ int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data) return WOLFSSL_FAILURE; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_SESSION_set_ex_data_with_cleanup( + WOLFSSL_SESSION* session, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_SESSION_set_ex_data_with_cleanup"); + if(session != NULL) { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&session->ex_data, idx, + data, cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION* session, int idx) { WOLFSSL_ENTER("wolfSSL_SESSION_get_ex_data"); @@ -48869,8 +48825,8 @@ void wolfSSL_OPENSSL_config(char *config_name) #endif /* !NO_WOLFSSL_STUB */ #endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) +#if defined(HAVE_EX_DATA) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c) { @@ -48887,8 +48843,6 @@ int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c) } #endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(WOLFSSL_WPAS_SMALL) #if defined(HAVE_EX_DATA) || defined(FORTRESS) void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx) { 
@@ -48909,6 +48863,13 @@ int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *d WOLFSSL_ENTER("wolfSSL_CRYPTO_set_ex_data"); #ifdef MAX_EX_DATA if (ex_data && idx < MAX_EX_DATA && idx >= 0) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + if (ex_data->ex_data_cleanup_routines[idx]) { + if (ex_data->ex_data[idx]) + ex_data->ex_data_cleanup_routines[idx](ex_data->ex_data[idx]); + ex_data->ex_data_cleanup_routines[idx] = NULL; + } +#endif ex_data->ex_data[idx] = data; return WOLFSSL_SUCCESS; } @@ -48919,8 +48880,30 @@ int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *d #endif return WOLFSSL_FAILURE; } + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_CRYPTO_set_ex_data_with_cleanup( + WOLFSSL_CRYPTO_EX_DATA* ex_data, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_CRYPTO_set_ex_data_with_cleanup"); + if (ex_data && idx < MAX_EX_DATA && idx >= 0) { + if (ex_data->ex_data_cleanup_routines[idx] && ex_data->ex_data[idx]) + ex_data->ex_data_cleanup_routines[idx](ex_data->ex_data[idx]); + ex_data->ex_data[idx] = data; + ex_data->ex_data_cleanup_routines[idx] = cleanup_routine; + return WOLFSSL_SUCCESS; + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #endif /* HAVE_EX_DATA || FORTRESS */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(WOLFSSL_WPAS_SMALL) void *wolfSSL_X509_get_ex_data(X509 *x509, int idx) { WOLFSSL_ENTER("wolfSSL_X509_get_ex_data"); 
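Review bot: Both setters in these hunks run the registered cleanup on the old value before storing `data`, so re-installing the same pointer (`data == ex_data->ex_data[idx]`) destroys the object and then stores a dangling pointer; guard the cleanup with `&& ex_data->ex_data[idx] != data` in wolfSSL_CRYPTO_set_ex_data_with_cleanup and in the new branch of wolfSSL_CRYPTO_set_ex_data. It also deserves a comment that the legacy wolfSSL_CRYPTO_set_ex_data now destroys a hooked value and drops its hook, since a caller that did get_ex_data() and later set_ex_data() with the same pointer would hit exactly this. The code additionally assumes `ex_data_cleanup_routines[]` is zero when the owning object is created — presumably true wherever the existing `ex_data[]` is already zeroed, but worth confirming for every owner that gained the field.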
@@ -48950,6 +48933,24 @@ int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data) #endif return WOLFSSL_FAILURE; } + +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +int wolfSSL_X509_set_ex_data_with_cleanup( + X509 *x509, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine) +{ + WOLFSSL_ENTER("wolfSSL_X509_set_ex_data_with_cleanup"); + if (x509 != NULL) + { + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&x509->ex_data, idx, + data, cleanup_routine); + } + return WOLFSSL_FAILURE; +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ + #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ @@ -53457,6 +53458,13 @@ void wolfSSL_RSA_free(WOLFSSL_RSA* rsa) WOLFSSL_ENTER("wolfSSL_RSA_free"); if (rsa) { +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS + { + int idx; + for (idx = 0; idx < MAX_EX_DATA; ++idx) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&rsa->ex_data, idx, NULL, NULL); + } +#endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) int doFree = 0; if (wc_LockMutex(&rsa->refMutex) != 0) { diff --git a/src/tls13.c b/src/tls13.c index ec0c303c7..3290dd2c6 100644 --- a/src/tls13.c +++ b/src/tls13.c 
@@ -8357,17 +8357,9 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) } #ifdef WOLFSSL_WOLFSENTRY_HOOKS - if (ssl->AcceptFilter && (ssl->buffers.network_connection.remote_addr_len > 0)) { + if (ssl->AcceptFilter) { wolfSSL_netfilter_decision_t res; - if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && - (res == WOLFSSL_NETFILTER_REJECT)) { - WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); - return WOLFSSL_FATAL_ERROR; - } - } - if (ssl->AcceptFilter && (ssl->buffers.network_connection_layer2.remote_addr_len > 0)) { - wolfSSL_netfilter_decision_t res; - if ((ssl->AcceptFilter(ssl, &ssl->buffers.network_connection_layer2, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && + if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && (res == WOLFSSL_NETFILTER_REJECT)) { WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E); return WOLFSSL_FATAL_ERROR; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index b36d7f9a4..ed98f041b 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3449,11 +3449,6 @@ typedef struct Buffers { #ifdef WOLFSSL_SEND_HRR_COOKIE buffer tls13CookieSecret; /* HRR cookie secret */ #endif -#ifdef WOLFSSL_NETWORK_INTROSPECTION - struct wolfSSL_network_connection network_connection; - struct wolfSSL_network_connection network_connection_layer2; - #define WOLFSSL_NETWORK_INTROSPECTION_ADDR_BUFFER_IS_DYNAMIC(x) ((x).remote_addr_len + (x).local_addr_len > WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES) -#endif #ifdef WOLFSSL_DTLS WOLFSSL_DTLS_CTX dtlsCtx; /* DTLS connection context */ #ifndef NO_WOLFSSL_SERVER diff --git a/wolfssl/openssl/rsa.h b/wolfssl/openssl/rsa.h index dd07fd49e..af9d3ca5e 100644 --- a/wolfssl/openssl/rsa.h +++ b/wolfssl/openssl/rsa.h 
@@ -152,7 +152,13 @@ WOLFSSL_API WOLFSSL_RSA* wolfSSL_RSAPublicKey_dup(WOLFSSL_RSA *rsa); WOLFSSL_API void* wolfSSL_RSA_get_ex_data(const WOLFSSL_RSA *rsa, int idx); WOLFSSL_API int wolfSSL_RSA_set_ex_data(WOLFSSL_RSA *rsa, int idx, void *data); - +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_RSA_set_ex_data_with_cleanup( + WOLFSSL_RSA *rsa, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif #define WOLFSSL_RSA_LOAD_PRIVATE 1 #define WOLFSSL_RSA_LOAD_PUBLIC 2 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index a754e6db9..786f14b20 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
@@ -1141,79 +1141,7 @@ WOLFSSL_API int wolfSSL_export_keying_material(WOLFSSL *ssl, int use_context); #endif /* HAVE_KEYING_MATERIAL */ -#ifdef WOLFSSL_NETWORK_INTROSPECTION - -#ifndef WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES -#define WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES 32 /* enough for 2 IPv6 addresses. */ -#endif - -struct wolfSSL_network_connection { - word16 family; - word16 proto; - word16 remote_port; - word16 local_port; - word16 remote_addr_len; - word16 local_addr_len; - byte interface; - union { - byte addr_buffer[WOLFSSL_NETWORK_INTROSPECTION_STATIC_ADDR_BYTES]; - byte *addr_buffer_dynamic; - }; -}; - -#define WOLFSSL_NETWORK_CONNECTION_BUFSIZ(remote_addr_len, local_addr_len) \ - ((unsigned int)(unsigned long int)(&((struct wolfSSL_network_connection *)0)->addr_buffer[0]) + \ - (remote_addr_len) + (local_addr_len)); - -WOLFSSL_API int wolfSSL_set_endpoints( - WOLFSSL *ssl, - unsigned int interface_id, - unsigned int family, - unsigned int proto, - unsigned int addr_len, - const byte *remote_addr, - const byte *local_addr, - unsigned int remote_port, - unsigned int local_port); - -WOLFSSL_API int wolfSSL_get_endpoint_addrs( - const struct wolfSSL_network_connection *nc, - const void **remote_addr, - const void **local_addr); - -WOLFSSL_API int wolfSSL_get_endpoints( - WOLFSSL *ssl, - const struct wolfSSL_network_connection **nc, - const void **remote_addr, - const void **local_addr); - -WOLFSSL_API int wolfSSL_copy_endpoints( - WOLFSSL *ssl, - struct wolfSSL_network_connection *nc, - size_t nc_size, - const void **remote_addr, - const void **local_addr); - -WOLFSSL_API int wolfSSL_set_endpoints_layer2( - WOLFSSL *ssl, - unsigned int interface_id, - unsigned int family, - unsigned int addr_len, - const byte *remote_addr, - const byte *local_addr); - -WOLFSSL_API int wolfSSL_get_endpoints_layer2( - WOLFSSL *ssl, - const struct wolfSSL_network_connection **nc, - const void **remote_addr, - const void **local_addr); - -WOLFSSL_API int 
wolfSSL_copy_endpoints_layer2( - WOLFSSL *ssl, - struct wolfSSL_network_connection *nc, - size_t nc_size, - const void **remote_addr, - const void **local_addr); +#ifdef WOLFSSL_WOLFSENTRY_HOOKS typedef enum { WOLFSSL_NETFILTER_PASS = 0, @@ -1221,13 +1149,11 @@ typedef enum { WOLFSSL_NETFILTER_REJECT = 2 } wolfSSL_netfilter_decision_t; -#ifdef WOLFSSL_WOLFSENTRY_HOOKS -typedef int (*NetworkFilterCallback_t)(WOLFSSL *ssl, struct wolfSSL_network_connection *nc, void *ctx, wolfSSL_netfilter_decision_t *decision); +typedef int (*NetworkFilterCallback_t)(WOLFSSL *ssl, void *AcceptFilter_arg, wolfSSL_netfilter_decision_t *decision); WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg); WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg); -#endif -#endif /* WOLFSSL_NETWORK_INTROSPECTION */ +#endif /* WOLFSSL_WOLFSENTRY_HOOKS */ /* Nonblocking DTLS helper functions */ WOLFSSL_API void wolfSSL_dtls_set_using_nonblock(WOLFSSL*, int); @@ -1355,6 +1281,13 @@ WOLFSSL_API int wolfSSL_sk_X509_EXTENSION_num(WOLF_STACK_OF(WOLFSSL_X509_EXTENSI WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_sk_X509_EXTENSION_value( WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk, int idx); WOLFSSL_API int wolfSSL_set_ex_data(WOLFSSL*, int, void*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_set_ex_data_with_cleanup( + WOLFSSL* ssl, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API int wolfSSL_get_shutdown(const WOLFSSL*); WOLFSSL_API int wolfSSL_set_rfd(WOLFSSL*, int); WOLFSSL_API int wolfSSL_set_wfd(WOLFSSL*, int); 
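Review bot: The new `NetworkFilterCallback_t` signature carries no comment describing the contract it is called under, and it silently drops the connection-endpoint argument that the previous signature passed. From the callers in wolfSSL_accept() and wolfSSL_accept_TLSv13(), a comment above the typedef such as `/* Called before the server handshake when installed via wolfSSL_[CTX_]set_AcceptFilter(). Return WOLFSSL_SUCCESS and set *decision: WOLFSSL_NETFILTER_REJECT aborts the accept with SOCKET_FILTERED_E; any other decision, or a non-success return, lets the handshake proceed. */` would tell users both that endpoint data is now their responsibility (e.g. via ex_data) and that an error does not reject.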
@@ -1437,6 +1370,13 @@ WOLFSSL_API WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_base64(void); WOLFSSL_API void wolfSSL_BIO_set_flags(WOLFSSL_BIO*, int); WOLFSSL_API void wolfSSL_BIO_clear_flags(WOLFSSL_BIO *bio, int flags); WOLFSSL_API int wolfSSL_BIO_set_ex_data(WOLFSSL_BIO *bio, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_BIO_set_ex_data_with_cleanup( + WOLFSSL_BIO *bio, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void *wolfSSL_BIO_get_ex_data(WOLFSSL_BIO *bio, int idx); WOLFSSL_API long wolfSSL_BIO_set_nbio(WOLFSSL_BIO*, long); @@ -1761,10 +1701,24 @@ WOLFSSL_API void* wolfSSL_X509_STORE_CTX_get_ex_data( WOLFSSL_X509_STORE_CTX* ctx, int idx); WOLFSSL_API int wolfSSL_X509_STORE_CTX_set_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE_CTX* ctx, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void* wolfSSL_X509_STORE_get_ex_data( WOLFSSL_X509_STORE* store, int idx); WOLFSSL_API int wolfSSL_X509_STORE_set_ex_data(WOLFSSL_X509_STORE* store, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_X509_STORE_set_ex_data_with_cleanup( + WOLFSSL_X509_STORE* store, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_depth(WOLFSSL_X509_STORE_CTX* ctx, int depth); WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get0_current_issuer( 
@@ -2323,10 +2277,17 @@ WOLFSSL_API int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *s, const char *s WOLFSSL_API int wolfSSL_sk_num(const WOLFSSL_STACK* sk); WOLFSSL_API void* wolfSSL_sk_value(const WOLFSSL_STACK* sk, int i); -#if (defined(HAVE_EX_DATA) || defined(FORTRESS)) && \ - (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL)) +#if defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL) + WOLFSSL_API void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data_with_cleanup( + WOLFSSL_CRYPTO_EX_DATA* ex_data, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *data); #endif @@ -2334,6 +2295,13 @@ WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int /* stunnel 4.28 needs */ WOLFSSL_API void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX*, int); WOLFSSL_API int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX*, int, void*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_CTX_set_ex_data_with_cleanup( + WOLFSSL_CTX* ctx, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif WOLFSSL_API void wolfSSL_CTX_sess_set_get_cb(WOLFSSL_CTX*, WOLFSSL_SESSION*(*f)(WOLFSSL*, unsigned char*, int, int*)); WOLFSSL_API void wolfSSL_CTX_sess_set_new_cb(WOLFSSL_CTX*, 
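Review bot: The relaxed guard `#if defined(HAVE_EX_DATA) || defined(FORTRESS) || defined(WOLFSSL_WPAS_SMALL)` now exposes the `wolfSSL_CRYPTO_get_ex_data()`/`wolfSSL_CRYPTO_set_ex_data()` prototypes when only WOLFSSL_WPAS_SMALL is defined, but the `WOLFSSL_CRYPTO_EX_DATA` type they take is declared in the types.h hunk of this same patch under `#if defined(HAVE_EX_DATA) || defined(FORTRESS)` only. If a WPAS_SMALL build can be configured without HAVE_EX_DATA, these prototypes then name an undeclared type and the header fails to compile. Either keep the type and the prototypes under one condition, or add `|| defined(WOLFSSL_WPAS_SMALL)` to the types.h guard as well.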
@@ -3992,6 +3960,13 @@ WOLFSSL_API void* wolfSSL_sk_X509_OBJECT_value(WOLF_STACK_OF(WOLFSSL_X509_OBJECT WOLFSSL_API void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION*, int); WOLFSSL_API int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION*, int, void*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_SESSION_set_ex_data_with_cleanup( + WOLFSSL_SESSION* session, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \ @@ -4141,6 +4116,13 @@ WOLFSSL_API int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url); WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx); WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_X509_set_ex_data_with_cleanup( + X509 *x509, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 0032884a0..c6cf1f9b0 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -48,8 +48,14 @@ decouple library dependencies with standard string, memory and so on. * (with minimal depencencies). */ #if defined(HAVE_EX_DATA) || defined(FORTRESS) + #ifdef HAVE_EX_DATA_CLEANUP_HOOKS + typedef void (*wolfSSL_ex_data_cleanup_routine_t)(void *data); + #endif typedef struct WOLFSSL_CRYPTO_EX_DATA { void* ex_data[MAX_EX_DATA]; + #ifdef HAVE_EX_DATA_CLEANUP_HOOKS + wolfSSL_ex_data_cleanup_routine_t ex_data_cleanup_routines[MAX_EX_DATA]; + #endif } WOLFSSL_CRYPTO_EX_DATA; #endif From 6175e111560aa7b9e68a31ae0cc393908000122e Mon Sep 17 00:00:00 2001 
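Review bot: The new prototype `wolfSSL_X509_set_ex_data_with_cleanup(X509 *x509, ...)` in the `@@ -4141` hunk uses the OpenSSL-compat name `X509` while every neighbouring declaration, including `wolfSSL_X509_set_ex_data()` just above it, uses `WOLFSSL_X509`. `X509` is presumably only a typedef supplied by the OpenSSL compatibility headers, so a translation unit that includes wolfssl/ssl.h with HAVE_EX_DATA_CLEANUP_HOOKS set and without those headers first would fail on this line. Change it to `WOLFSSL_X509 *x509,`.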
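Review bot: In the types.h hunk the `wolfSSL_ex_data_cleanup_routine_t` typedef is nested inside `#if defined(HAVE_EX_DATA) || defined(FORTRESS)`, but the ssl.h prototypes added in this patch use that type under `#ifdef HAVE_EX_DATA_CLEANUP_HOOKS` alone. The configure.ac change later in this series adds `-DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS` together, but a user_settings.h that defines only the latter would get an unknown-type error at each prototype rather than a clear message. Add a guard next to the typedef: `#if defined(HAVE_EX_DATA_CLEANUP_HOOKS) && !defined(HAVE_EX_DATA) && !defined(FORTRESS)` / `#error HAVE_EX_DATA_CLEANUP_HOOKS requires HAVE_EX_DATA` / `#endif`.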
From: Daniel Pouzzner Date: Tue, 13 Apr 2021 12:54:43 -0500 Subject: [PATCH 07/16] server.c: update wolfsentry_init() usage (hpi pointer). --- examples/server/server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/server/server.c b/examples/server/server.c index 9f7bff9a2..f11986869 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -1956,7 +1956,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) err_sys_ex(catastrophic, "unable to get ctx"); #ifdef WOLFSSL_WOLFSENTRY_HOOKS - ret = wolfsentry_init(NULL /* allocator */, NULL /* timecbs */, NULL /* default config */, &wolfsentry); + ret = wolfsentry_init(NULL /* hpi */, NULL /* default config */, &wolfsentry); if (ret != 0) { fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); err_sys_ex(catastrophic, "unable to initialize wolfSentry"); From cb976db02b1dc1ce0501a27d6310f045055f4863 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 15 Apr 2021 01:36:48 -0500 Subject: [PATCH 08/16] server.c: update for wolfSentry API changes. --- examples/server/server.c | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index f11986869..364b231c3 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -352,7 +352,7 @@ static int wolfsentry_store_endpoints( static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_context *wolfsentry, wolfSSL_netfilter_decision_t *decision) { struct wolfsentry_data *data; char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; - int ret; + wolfsentry_errcode_t ret; wolfsentry_action_res_t action_results; if ((data = wolfSSL_get_ex_data(ssl, wolfsentry_data_index)) == NULL) 
@@ -360,7 +360,7 @@ static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_cont ret = wolfsentry_route_event_dispatch(wolfsentry, &data->remote, &data->local, data->flags, NULL /* event_label */, 0 /* event_label_len */, NULL /* caller_context */, NULL /* id */, NULL /* inexact_matches */, &action_results); - if (ret == 0) { + if (ret >= 0) { if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT)) *decision = WOLFSSL_NETFILTER_REJECT; else if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_ACCEPT)) @@ -1119,6 +1119,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) SSL* ssl = 0; #ifdef WOLFSSL_WOLFSENTRY_HOOKS struct wolfsentry_context *wolfsentry = NULL; + wolfsentry_errcode_t wolfsentry_ret; #endif int useWebServerMsg = 0; @@ -1956,9 +1957,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) err_sys_ex(catastrophic, "unable to get ctx"); #ifdef WOLFSSL_WOLFSENTRY_HOOKS - ret = wolfsentry_init(NULL /* hpi */, NULL /* default config */, &wolfsentry); - if (ret != 0) { - fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); + wolfsentry_ret = wolfsentry_init(NULL /* hpi */, NULL /* default config */, &wolfsentry); + if (wolfsentry_ret < 0) { + fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); err_sys_ex(catastrophic, "unable to initialize wolfSentry"); } 
@@ -1968,14 +1969,14 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) { struct wolfsentry_route_table *table; - if ((ret = wolfsentry_route_get_table_static(wolfsentry, &table)) != 0) - fprintf(stderr, "wolfsentry_route_get_table_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); - if (ret == 0) { - if ((ret = wolfsentry_route_table_default_policy_set(wolfsentry, table, WOLFSENTRY_ACTION_RES_REJECT|WOLFSENTRY_ACTION_RES_STOP)) != 0) - fprintf(stderr, "wolfsentry_route_table_default_policy_set(WOLFSENTRY_ACTION_RES_REJECT) returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); + if ((wolfsentry_ret = wolfsentry_route_get_table_static(wolfsentry, &table)) < 0) + fprintf(stderr, "wolfsentry_route_get_table_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); + if (wolfsentry_ret >= 0) { + if ((wolfsentry_ret = wolfsentry_route_table_default_policy_set(wolfsentry, table, WOLFSENTRY_ACTION_RES_REJECT|WOLFSENTRY_ACTION_RES_STOP)) < 0) + fprintf(stderr, "wolfsentry_route_table_default_policy_set(WOLFSENTRY_ACTION_RES_REJECT) returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); } - if (ret == 0) { + if (wolfsentry_ret >= 0) { struct { struct wolfsentry_sockaddr sa; byte buf[16]; @@ -1995,7 +1996,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) #endif // remote.sa.sa_proto = local.sa.sa_proto = IPPROTO_TCP; - if ((ret = wolfsentry_route_insert_static + if ((wolfsentry_ret = wolfsentry_route_insert_static (wolfsentry, NULL /* caller_context */, &remote.sa, &local.sa, WOLFSENTRY_ROUTE_FLAG_GREENLISTED | WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN | 
@@ -2007,12 +2008,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_PORT_WILDCARD | WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_PORT_WILDCARD, 0 /* event_label_len */, 0 /* event_label */, &id, &action_results)) < 0) - fprintf(stderr, "wolfsentry_route_insert_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); + fprintf(stderr, "wolfsentry_route_insert_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); // else // fprintf(stderr, "wolfsentry static greenlist rule for localhost has ID %u.\n",id); } - if (ret != 0) + if (wolfsentry_ret < 0) err_sys_ex(catastrophic, "unable to configure route table"); } @@ -2719,10 +2720,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) if (((struct sockaddr *)&client_addr)->sa_family != ((struct sockaddr *)&local_addr)->sa_family) err_sys_ex(catastrophic, "client_addr.sa_family != local_addr.sa_family"); - if (wolfsentry_store_endpoints(ssl, &client_addr, &local_addr, dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) != WOLFSSL_SUCCESS) { - printf("wolfsentry_store_endpoints(): %s\n", wolfSSL_ERR_error_string(ret, NULL)); + if (wolfsentry_store_endpoints(ssl, &client_addr, &local_addr, dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) != WOLFSSL_SUCCESS) err_sys_ex(catastrophic, "error in wolfsentry_store_endpoints()"); - } } #endif /* WOLFSSL_WOLFSENTRY_HOOKS */ @@ -3108,9 +3107,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) exit: #ifdef WOLFSSL_WOLFSENTRY_HOOKS - ret = wolfsentry_shutdown(&wolfsentry); - if (ret != 0) { - fprintf(stderr, "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT, WOLFSENTRY_ERROR_FMT_ARGS(ret)); + wolfsentry_ret = wolfsentry_shutdown(&wolfsentry); + if (wolfsentry_ret < 0) { + fprintf(stderr, "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT, WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); } #endif 
From c874d9259c777d0584d6cd66e226e86058c51256 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 21 Apr 2021 03:19:35 -0500 Subject: [PATCH 09/16] configure.ac: add --with-wolfsentry option. --- configure.ac | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 56b0beeeb..e2678f8e7 100644 --- a/configure.ac +++ b/configure.ac @@ -413,7 +413,6 @@ then test "$enable_fallback_scsv" = "" && enable_fallback_scsv=yes test "$enable_anon" = "" && enable_anon=yes test "$enable_mcast" = "" && enable_mcast=yes - test "$enable_network_introspection" = "" && enable_network_introspection=yes if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" then @@ -2514,14 +2513,26 @@ then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS -DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS" fi +AC_ARG_WITH([wolfsentry], + [AS_HELP_STRING([--with-wolfsentry=PATH],[PATH to directory with wolfSentry installation])], + [WOLFSENTRY_INSTALLDIR=$withval], + [WOLFSENTRY_INSTALLDIR=""]) + AC_ARG_WITH([wolfsentry-lib], [AS_HELP_STRING([--with-wolfsentry-lib=PATH],[PATH to directory with wolfSentry library])], [WOLFSENTRY_LIB=-L$withval], [WOLFSENTRY_LIB=""]) +if test "$WOLFSENTRY_LIB" = "" && test "$WOLFSENTRY_INSTALLDIR" != "" +then + WOLFSENTRY_LIB="-L${WOLFSENTRY_INSTALLDIR}/lib" +fi + if test "$ENABLED_WOLFSENTRY" = "yes" then WOLFSENTRY_LIB="$WOLFSENTRY_LIB -lwolfsentry" +else + WOLFSENTRY_LIB="" fi AC_ARG_WITH([wolfsentry-include], @@ -2529,6 +2540,16 @@ AC_ARG_WITH([wolfsentry-include], [WOLFSENTRY_INCLUDE=-I$withval], [WOLFSENTRY_INCLUDE=""]) +if test "$WOLFSENTRY_INCLUDE" = "" && test "$WOLFSENTRY_INSTALLDIR" != "" +then + WOLFSENTRY_INCLUDE="-I${WOLFSENTRY_INSTALLDIR}/include" +fi + +if test "$ENABLED_WOLFSENTRY" != "yes" +then + WOLFSENTRY_INCLUDE="" +fi + AC_SUBST([WOLFSENTRY_LIB]) AC_SUBST([WOLFSENTRY_INCLUDE]) From 660e64cdff642a33aec6b70a517fcfcafb584742 Mon Sep 17 00:00:00 2001 
From: Daniel Pouzzner Date: Wed, 21 Apr 2021 03:19:55 -0500 Subject: [PATCH 10/16] examples/server/server.c: clean up wolfsentry printfs. --- examples/server/server.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index 364b231c3..e587b3f27 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -293,8 +293,6 @@ struct wolfsentry_data { }; static void free_wolfsentry_data(struct wolfsentry_data *data) { - char inet_ntop_buf[INET6_ADDRSTRLEN]; - fprintf(stderr, "free_wolfsentry_data() for remote %s:%d\n", inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf, sizeof inet_ntop_buf), data->remote.sa_port); XFREE(data, data->heap, data->alloctype); } @@ -368,11 +366,11 @@ static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_cont else *decision = WOLFSSL_NETFILTER_PASS; } else { - printf("wolfsentry_route_event_dispatch error " WOLFSENTRY_ERROR_FMT, WOLFSENTRY_ERROR_FMT_ARGS(ret)); + printf("wolfsentry_route_event_dispatch error " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); *decision = WOLFSSL_NETFILTER_PASS; } - printf("got network filter callback: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d; decision=%d\n", + printf("wolfSentry got network filter callback: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d; decision=%d (%s)\n", data->remote.sa_family, data->remote.sa_proto, data->remote.sa_port, 
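Review bot: In the `@@ -368` hunk the error branch of wolfSentry_NetworkFilterCallback logs the wolfsentry_route_event_dispatch() failure and then leaves `*decision = WOLFSSL_NETFILTER_PASS;`, so an internal policy-engine error (an allocation failure inside dispatch, for instance) produces a PASS rather than the REJECT that the example installs as its route-table default policy. For an accept-time filter that is a fail-open default; unless PASS is documented to mean "apply the library default" and that default is to reject, which is not visible here, the branch should set `*decision = WOLFSSL_NETFILTER_REJECT;` and return an error rather than WOLFSSL_SUCCESS. The diagnostic also goes to stdout via printf while the rest of this file reports wolfSentry errors on stderr. The function's body starts and ends outside this hunk.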
@@ -380,7 +378,11 @@ static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_cont inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf, sizeof inet_ntop_buf), inet_ntop(data->local.sa_family, data->local.addr, inet_ntop_buf2, sizeof inet_ntop_buf2), data->remote.interface, - *decision); + *decision, + *decision == WOLFSSL_NETFILTER_REJECT ? "REJECT" : + *decision == WOLFSSL_NETFILTER_ACCEPT ? "ACCEPT" : + *decision == WOLFSSL_NETFILTER_PASS ? "PASS" : + "???"); return WOLFSSL_SUCCESS; } @@ -1994,7 +1996,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) remote.sa.addr_len = 32; memcpy(remote.sa.addr, "\177\000\000\001", 4); #endif -// remote.sa.sa_proto = local.sa.sa_proto = IPPROTO_TCP; if ((wolfsentry_ret = wolfsentry_route_insert_static (wolfsentry, NULL /* caller_context */, &remote.sa, &local.sa, @@ -2009,8 +2010,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_PORT_WILDCARD, 0 /* event_label_len */, 0 /* event_label */, &id, &action_results)) < 0) fprintf(stderr, "wolfsentry_route_insert_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); -// else -// fprintf(stderr, "wolfsentry static greenlist rule for localhost has ID %u.\n",id); } if (wolfsentry_ret < 0) @@ -2384,7 +2383,6 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) ssl = SSL_new(ctx); if (ssl == NULL) err_sys_ex(catastrophic, "unable to create an SSL object"); - #ifdef OPENSSL_EXTRA wolfSSL_KeepArrays(ssl); #endif @@ -3109,7 +3107,7 @@ exit: #ifdef WOLFSSL_WOLFSENTRY_HOOKS wolfsentry_ret = wolfsentry_shutdown(&wolfsentry); if (wolfsentry_ret < 0) { - fprintf(stderr, "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT, WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); + fprintf(stderr, "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret)); } #endif From 89d7f4faf32ad62026ab0499309072b555dcd515 Mon Sep 17 00:00:00 2001 
From: Daniel Pouzzner Date: Wed, 21 Apr 2021 03:22:10 -0500 Subject: [PATCH 11/16] tests/api.c: add missing void arglists. --- tests/api.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/api.c b/tests/api.c index 60bc08a53..e15781105 100644 --- a/tests/api.c +++ b/tests/api.c @@ -42324,7 +42324,7 @@ static void test_wolfSSL_CTX_get_min_proto_version(void) #endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) */ } -static void test_wolfSSL_security_level() +static void test_wolfSSL_security_level(void) { #if defined(OPENSSL_EXTRA) printf(testingFmt, "test_wolfSSL_security_level()"); @@ -42351,7 +42351,7 @@ static void test_wolfSSL_security_level() #endif } -static void test_wolfSSL_SSL_in_init() +static void test_wolfSSL_SSL_in_init(void) { #if defined(OPENSSL_ALL) && !defined(NO_BIO) printf(testingFmt, "test_wolfSSL_SSL_in_init()"); @@ -42398,7 +42398,7 @@ static void test_wolfSSL_SSL_in_init() #endif } -static void test_wolfSSL_EC_curve() +static void test_wolfSSL_EC_curve(void) { #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) printf(testingFmt, "test_wolfSSL_EC_curve()"); @@ -42414,7 +42414,7 @@ static void test_wolfSSL_EC_curve() #endif } -static void test_wolfSSL_OpenSSL_version() +static void test_wolfSSL_OpenSSL_version(void) { #if defined(OPENSSL_EXTRA) printf(testingFmt, "test_wolfSSL_OpenSSL_version()"); @@ -42432,7 +42432,7 @@ static void test_wolfSSL_OpenSSL_version() #endif } -static void test_wolfSSL_set_psk_use_session_callback() +static void test_wolfSSL_set_psk_use_session_callback(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_PSK) printf(testingFmt, "test_wolfSSL_set_psk_use_session_callback()"); From 0afcd4227b86112796a4f9fe3c123a5c5e2338db Mon Sep 17 00:00:00 2001 
From: Daniel Pouzzner Date: Wed, 21 Apr 2021 12:20:56 -0500 Subject: [PATCH 12/16] ssl.c/internal.c: refactor _EX_DATA_CLEANUP_HOOKS cleanup in _free() routines to use a common wolfSSL_CRYPTO_cleanup_ex_data() routine; remove superfluous WOLFSSL_API qualifiers in ssl.c. --- src/internal.c | 21 +++++++++++---------- src/ssl.c | 45 ++++++++++++--------------------------------- wolfssl/internal.h | 4 ++++ 3 files changed, 27 insertions(+), 43 deletions(-) diff --git a/src/internal.c b/src/internal.c index 8e601caf9..eb977bac1 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1883,6 +1883,15 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) return ret; } +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int n_ex_data) +{ + for (--n_ex_data; n_ex_data >= 0; --n_ex_data) { + if (ex_data->ex_data[n_ex_data] != NULL) + (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(ex_data, n_ex_data, NULL, NULL); + } +} +#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ /* In case contexts are held in array and don't want to free actual ctx */ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) @@ -1893,11 +1902,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) #endif #ifdef HAVE_EX_DATA_CLEANUP_HOOKS - { - int idx; - for (idx = 0; idx < MAX_EX_DATA; ++idx) - (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, NULL, NULL); - } + wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data, MAX_EX_DATA); #endif #ifdef HAVE_WOLF_EVENT @@ -6432,11 +6437,7 @@ void SSL_ResourceFree(WOLFSSL* ssl) * using stream ciphers where it is retained. */ #ifdef HAVE_EX_DATA_CLEANUP_HOOKS - { - int idx; - for (idx = 0; idx < MAX_EX_DATA; ++idx) - (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ssl->ex_data, idx, NULL, NULL); - } + wolfSSL_CRYPTO_cleanup_ex_data(&ssl->ex_data, MAX_EX_DATA); #endif FreeCiphers(ssl); diff --git a/src/ssl.c b/src/ssl.c index 0aa7c22f2..ea8ccfc60 100644 --- a/src/ssl.c +++ b/src/ssl.c 
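Review bot: The new `wolfSSL_CRYPTO_cleanup_ex_data()` in the internal.c `@@ -1883` hunk has no comment and takes an unchecked `n_ex_data`, while the only storage behind it is the `MAX_EX_DATA`-sized arrays declared in types.h; a caller passing a larger count reads past `ex_data[]`. Every caller in this patch passes MAX_EX_DATA, and patch 14 in this series drops the parameter altogether, so the risk is transient, but a clamp `if (n_ex_data > MAX_EX_DATA) n_ex_data = MAX_EX_DATA;` would make this revision safe on its own. Also add a header comment: `/* Run the cleanup routines registered via wolfSSL_CRYPTO_set_ex_data_with_cleanup() for slots 0..n_ex_data-1, highest index first; slots whose data pointer is NULL are skipped, and the ex_data storage itself is not freed. */`.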
@@ -1015,13 +1015,17 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req) #ifdef WOLFSSL_WOLFSENTRY_HOOKS -WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { +int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { + if (ctx == NULL) + return BAD_FUNC_ARG; ctx->AcceptFilter = AcceptFilter; ctx->AcceptFilter_arg = AcceptFilter_arg; return WOLFSSL_SUCCESS; } -WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { +int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) { + if (ssl == NULL) + return BAD_FUNC_ARG; ssl->AcceptFilter = AcceptFilter; ssl->AcceptFilter_arg = AcceptFilter_arg; return WOLFSSL_SUCCESS; @@ -16304,13 +16308,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) WOLFSSL_ENTER("wolfSSL_BIO_free"); if (bio) { #ifdef HAVE_EX_DATA_CLEANUP_HOOKS - { - int idx; - for (idx = 0; idx < MAX_EX_DATA; ++idx) - (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&bio->ex_data, idx, NULL, NULL); - } + wolfSSL_CRYPTO_cleanup_ex_data(&bio->ex_data, MAX_EX_DATA); #endif - if (bio->infoCb) { /* info callback is called before free */ ret = (int)bio->infoCb(bio, WOLFSSL_BIO_CB_FREE, NULL, 0, 0, 1); @@ -18756,11 +18755,7 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) WOLFSSL_ENTER("ExternalFreeX509"); if (x509) { #ifdef HAVE_EX_DATA_CLEANUP_HOOKS - { - int idx; - for (idx = 0; idx < MAX_EX_DATA; ++idx) - (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&x509->ex_data, idx, NULL, NULL); - } + wolfSSL_CRYPTO_cleanup_ex_data(&x509->ex_data, MAX_EX_DATA); #endif if (x509->dynamicMemory) { #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) 
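Review bot: The `@@ -1015` hunk adds the NULL checks to `wolfSSL_CTX_set_AcceptFilter()` and `wolfSSL_set_AcceptFilter()` but neither function says what it returns; the example server later in this series tests the result with `< 0`, which only holds because BAD_FUNC_ARG is negative, while other wolfSSL setters are compared against WOLFSSL_SUCCESS. Write the contract down above each function: `/* Install AcceptFilter and its opaque argument on the ctx; storing NULL presumably disables the hook (confirm at the call site). Returns WOLFSSL_SUCCESS, or BAD_FUNC_ARG when ctx is NULL. */`, with `ssl` in place of `ctx` for the second.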
@@ -21963,11 +21958,7 @@ void FreeSession(WOLFSSL_SESSION* session, int isAlloced) return; #ifdef HAVE_EX_DATA_CLEANUP_HOOKS - { - int idx; - for (idx = 0; idx < MAX_EX_DATA; ++idx) - (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&session->ex_data, idx, NULL, NULL); - } + wolfSSL_CRYPTO_cleanup_ex_data(&session->ex_data, MAX_EX_DATA); #endif #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) @@ -26095,11 +26086,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) return; #ifdef HAVE_EX_DATA_CLEANUP_HOOKS - { - int idx; - for (idx = 0; idx < MAX_EX_DATA; ++idx) - (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&store->ex_data, idx, NULL, NULL); - } + wolfSSL_CRYPTO_cleanup_ex_data(&store->ex_data, MAX_EX_DATA); #endif if (store->isDynamic) { @@ -26317,11 +26304,7 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx) WOLFSSL_ENTER("X509_STORE_CTX_free"); if (ctx != NULL) { #ifdef HAVE_EX_DATA_CLEANUP_HOOKS - { - int idx; - for (idx = 0; idx < MAX_EX_DATA; ++idx) - (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, NULL, NULL); - } + wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data, MAX_EX_DATA); #endif #ifdef OPENSSL_EXTRA if (ctx->param != NULL){ @@ -53459,11 +53442,7 @@ void wolfSSL_RSA_free(WOLFSSL_RSA* rsa) if (rsa) { #ifdef HAVE_EX_DATA_CLEANUP_HOOKS - { - int idx; - for (idx = 0; idx < MAX_EX_DATA; ++idx) - (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(&rsa->ex_data, idx, NULL, NULL); - } + wolfSSL_CRYPTO_cleanup_ex_data(&rsa->ex_data, MAX_EX_DATA); #endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) int doFree = 0; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ed98f041b..266b8589c 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h 
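Review bot: In the `wolfSSL_RSA_free` hunk (`@@ -53459`) the statement `wolfSSL_CRYPTO_cleanup_ex_data(&rsa->ex_data, MAX_EX_DATA);` now precedes the declaration `int doFree = 0;` in the same `if (rsa) {` block, so a build with both HAVE_EX_DATA_CLEANUP_HOOKS and OPENSSL_EXTRA is a declaration-after-statement, which wolfSSL's C89-compatible builds generally reject. The removed brace block was also a statement, so this is pre-existing in the series rather than introduced by this refactor, but the refactor is the right place to fix it. Move `int doFree = 0;` above the `#ifdef HAVE_EX_DATA_CLEANUP_HOOKS` line, or wrap the cleanup call in its own `{ }` scope placed after the declarations.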
@@ -3043,6 +3043,10 @@ void FreeSSL_Ctx(WOLFSSL_CTX*); WOLFSSL_LOCAL void SSL_CtxResourceFree(WOLFSSL_CTX*); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int n_ex_data); +#endif + WOLFSSL_LOCAL int DeriveTlsKeys(WOLFSSL* ssl); WOLFSSL_LOCAL From 40d5aad8feee2876ce0101d643027379c79aace3 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 21 Apr 2021 17:28:27 -0500 Subject: [PATCH 13/16] configure.ac: improve dynamics of --enable-wolfsentry and --with-wolfsentry*, including existence-checking user-supplied paths. --- configure.ac | 78 ++++++++++++++++++++++++++++++++-------------------- 1 file changed, 48 insertions(+), 30 deletions(-) diff --git a/configure.ac b/configure.ac index e2678f8e7..b5115d440 100644 --- a/configure.ac +++ b/configure.ac @@ -2502,16 +2502,7 @@ then fi -AC_ARG_ENABLE([wolfsentry], - [AS_HELP_STRING([--enable-wolfsentry],[Enable wolfSentry hooks and plugins (default: disabled)])], - [ ENABLED_WOLFSENTRY=$enableval ], - [ ENABLED_WOLFSENTRY=no ] - ) - -if test "$ENABLED_WOLFSENTRY" = "yes" -then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS -DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS" -fi +ENABLED_WOLFSENTRY=no AC_ARG_WITH([wolfsentry], [AS_HELP_STRING([--with-wolfsentry=PATH],[PATH to directory with wolfSentry installation])], 
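Review bot: The new prototype `void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int n_ex_data);` lacks the WOLFSSL_LOCAL qualifier that the neighbouring declarations carry (`WOLFSSL_LOCAL void SSL_CtxResourceFree`, `WOLFSSL_LOCAL int DeriveTlsKeys`), so in a visibility-hidden build the helper is exported from the shared library with default visibility although it is only called from the free paths. Declare it `WOLFSSL_LOCAL void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int n_ex_data);`. Patch 14 later changes the argument list; the qualifier applies equally to the new signature.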
@@ -2520,34 +2511,61 @@ AC_ARG_WITH([wolfsentry], AC_ARG_WITH([wolfsentry-lib], [AS_HELP_STRING([--with-wolfsentry-lib=PATH],[PATH to directory with wolfSentry library])], - [WOLFSENTRY_LIB=-L$withval], + [WOLFSENTRY_LIB=$withval], [WOLFSENTRY_LIB=""]) -if test "$WOLFSENTRY_LIB" = "" && test "$WOLFSENTRY_INSTALLDIR" != "" +AC_ARG_WITH([wolfsentry-include], + [AS_HELP_STRING([--with-wolfsentry-include=PATH],[PATH to directory with wolfSentry header files])], + [WOLFSENTRY_INCLUDE=$withval], + [WOLFSENTRY_INCLUDE=""]) + +if test -n "$WOLFSENTRY_INSTALLDIR" || test -n "$WOLFSENTRY_LIB" || test -n "$WOLFSENTRY_INCLUDE" then - WOLFSENTRY_LIB="-L${WOLFSENTRY_INSTALLDIR}/lib" + ENABLED_WOLFSENTRY=yes +fi + +AC_ARG_ENABLE([wolfsentry], + [AS_HELP_STRING([--enable-wolfsentry],[Enable wolfSentry hooks and plugins (default: disabled)])], + [ ENABLED_WOLFSENTRY=$enableval ], + [ ] + ) + +if test "$WOLFSENTRY_LIB" = "" && test -n "$WOLFSENTRY_INSTALLDIR" +then + WOLFSENTRY_LIB="${WOLFSENTRY_INSTALLDIR}/lib" +fi + +if test "$WOLFSENTRY_INCLUDE" = "" && test -n "$WOLFSENTRY_INSTALLDIR" +then + WOLFSENTRY_INCLUDE="${WOLFSENTRY_INSTALLDIR}/include" +fi + +if test -n "$WOLFSENTRY_LIB" +then + AC_MSG_CHECKING([for $WOLFSENTRY_LIB]) + if ! test -d "$WOLFSENTRY_LIB" + then + AC_MSG_ERROR([wolfSentry lib dir $WOLFSENTRY_LIB not found.]) + fi + AC_MSG_RESULT([yes]) + WOLFSENTRY_LIB="-L$WOLFSENTRY_LIB" +fi + +if test -n "$WOLFSENTRY_INCLUDE" +then + AC_MSG_CHECKING([for $WOLFSENTRY_INCLUDE]) + if ! 
test -d "$WOLFSENTRY_INCLUDE" + then + AC_MSG_ERROR([wolfSentry include dir $WOLFSENTRY_INCLUDE not found.]) + fi + AC_MSG_RESULT([yes]) + WOLFSENTRY_INCLUDE="-I$WOLFSENTRY_INCLUDE" fi if test "$ENABLED_WOLFSENTRY" = "yes" then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS -DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS" WOLFSENTRY_LIB="$WOLFSENTRY_LIB -lwolfsentry" -else - WOLFSENTRY_LIB="" -fi - -AC_ARG_WITH([wolfsentry-include], - [AS_HELP_STRING([--with-wolfsentry-include=PATH],[PATH to directory with wolfSentry header files])], - [WOLFSENTRY_INCLUDE=-I$withval], - [WOLFSENTRY_INCLUDE=""]) - -if test "$WOLFSENTRY_INCLUDE" = "" && test "$WOLFSENTRY_INSTALLDIR" != "" -then - WOLFSENTRY_INCLUDE="-I${WOLFSENTRY_INSTALLDIR}/include" -fi - -if test "$ENABLED_WOLFSENTRY" != "yes" -then - WOLFSENTRY_INCLUDE="" fi AC_SUBST([WOLFSENTRY_LIB]) From 0cf9bacf1b542b5d7b5861cb5c9694437414620e Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 21 Apr 2021 17:34:47 -0500 Subject: [PATCH 14/16] WOLFSSL_WOLFSENTRY_HOOKS/HAVE_EX_DATA*: refactor wolfSSL_CRYPTO_cleanup_ex_data() to take only one arg (the WOLFSSL_CRYPTO_EX_DATA *); fix preprocessor gates on wolfSSL_set_ex_data() and wolfSSL_X509_get_ex_new_index(); fix line lengths. --- examples/server/server.c | 100 +++++++++++++++++++++++++++++---------- src/internal.c | 10 ++-- src/ssl.c | 35 +++++++++----- src/tls13.c | 3 +- wolfssl/internal.h | 2 +- wolfssl/ssl.h | 15 ++++-- 6 files changed, 118 insertions(+), 47 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index e587b3f27..8836c55b8 100644 --- a/examples/server/server.c +++ b/examples/server/server.c 
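Review bot: With this rewrite `--disable-wolfsentry --with-wolfsentry=PATH` still leaves `WOLFSENTRY_LIB="-L.../lib"` and `WOLFSENTRY_INCLUDE="-I.../include"` set and AC_SUBST'd, because the final `if test "$ENABLED_WOLFSENTRY" = "yes"` only adds `-lwolfsentry` on the yes branch and the `else` that cleared both variables in patch 09 was dropped. Restore it: `else` / `WOLFSENTRY_LIB=""` / `WOLFSENTRY_INCLUDE=""` before the closing `fi`, so a disabled feature does not inject user-supplied search paths into the build. The `test -d` checks also only prove the directories exist; if the header name is fixed, an `AC_CHECK_HEADER` on it after setting CPPFLAGS would catch a wrong `--with-wolfsentry-include` at configure time rather than at the first compile.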
@@ -305,7 +305,8 @@ static int wolfsentry_store_endpoints( int proto, wolfsentry_route_flags_t flags) { - struct wolfsentry_data *data = (struct wolfsentry_data *)XMALLOC(sizeof *data, NULL, DYNAMIC_TYPE_SOCKADDR); + struct wolfsentry_data *data = (struct wolfsentry_data *)XMALLOC( + sizeof *data, NULL, DYNAMIC_TYPE_SOCKADDR); if (data == NULL) return WOLFSSL_FAILURE; @@ -339,7 +340,10 @@ static int wolfsentry_store_endpoints( data->remote.interface = data->local.interface = 0; data->flags = flags; - if (wolfSSL_set_ex_data_with_cleanup(ssl, wolfsentry_data_index, data, (wolfSSL_ex_data_cleanup_routine_t)free_wolfsentry_data) != WOLFSSL_SUCCESS) { + if (wolfSSL_set_ex_data_with_cleanup( + ssl, wolfsentry_data_index, data, + (wolfSSL_ex_data_cleanup_routine_t)free_wolfsentry_data) != + WOLFSSL_SUCCESS) { free_wolfsentry_data(data); return WOLFSSL_FAILURE; } @@ -347,7 +351,11 @@ static int wolfsentry_store_endpoints( return WOLFSSL_SUCCESS; } -static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_context *wolfsentry, wolfSSL_netfilter_decision_t *decision) { +static int wolfSentry_NetworkFilterCallback( + WOLFSSL *ssl, + struct wolfsentry_context *wolfsentry, + wolfSSL_netfilter_decision_t *decision) +{ struct wolfsentry_data *data; char inet_ntop_buf[INET6_ADDRSTRLEN], inet_ntop_buf2[INET6_ADDRSTRLEN]; wolfsentry_errcode_t ret; 
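Review bot: The reflowed call in the `@@ -339` hunk still passes `(wolfSSL_ex_data_cleanup_routine_t)free_wolfsentry_data`, converting a `void (*)(struct wolfsentry_data *)` to `void (*)(void *)`; the library invokes it through the latter type, which C11 6.3.2.3p8 makes undefined even where the ABI happens to work, and -Wcast-function-type or CFI-hardened builds reject it. Give the routine the exact type and convert inside: `static void free_wolfsentry_data(void *arg) { struct wolfsentry_data *data = (struct wolfsentry_data *)arg; XFREE(data, data->heap, data->alloctype); }`, then drop the cast here. free_wolfsentry_data is defined outside this hunk, and wolfsentry_store_endpoints begins before it.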
@@ -356,7 +364,17 @@ static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_cont if ((data = wolfSSL_get_ex_data(ssl, wolfsentry_data_index)) == NULL) return WOLFSSL_FAILURE; - ret = wolfsentry_route_event_dispatch(wolfsentry, &data->remote, &data->local, data->flags, NULL /* event_label */, 0 /* event_label_len */, NULL /* caller_context */, NULL /* id */, NULL /* inexact_matches */, &action_results); + ret = wolfsentry_route_event_dispatch( + wolfsentry, + &data->remote, + &data->local, + data->flags, + NULL /* event_label */, + 0 /* event_label_len */, + NULL /* caller_context */, + NULL /* id */, + NULL /* inexact_matches */, + &action_results); if (ret >= 0) { if (WOLFSENTRY_CHECK_BITS(action_results, WOLFSENTRY_ACTION_RES_REJECT)) 
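Review bot: The guard at the top of this hunk, `if ((data = wolfSSL_get_ex_data(ssl, wolfsentry_data_index)) == NULL) return WOLFSSL_FAILURE;`, returns without writing `*decision`, so whether a connection with no stored endpoints gets rejected depends on how the library treats a failing callback and on what `*decision` held before the call, neither of which is visible here. Since this is the accept-time policy hook, write `*decision = WOLFSSL_NETFILTER_REJECT;` before that return so the outcome is fail-closed whatever the library does. The guard is context in this hunk; the new lines only reflow the wolfsentry_route_event_dispatch() call, and the function begins before the hunk.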
@@ -366,17 +384,21 @@ static int wolfSentry_NetworkFilterCallback(WOLFSSL *ssl, struct wolfsentry_cont else *decision = WOLFSSL_NETFILTER_PASS; } else { - printf("wolfsentry_route_event_dispatch error " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); + printf("wolfsentry_route_event_dispatch error " + WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(ret)); *decision = WOLFSSL_NETFILTER_PASS; } - printf("wolfSentry got network filter callback: family=%d proto=%d rport=%d lport=%d raddr=%s laddr=%s interface=%d; decision=%d (%s)\n", + printf("wolfSentry got network filter callback: family=%d proto=%d rport=%d" + "lport=%d raddr=%s laddr=%s interface=%d; decision=%d (%s)\n", data->remote.sa_family, data->remote.sa_proto, data->remote.sa_port, data->local.sa_port, - inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf, sizeof inet_ntop_buf), - inet_ntop(data->local.sa_family, data->local.addr, inet_ntop_buf2, sizeof inet_ntop_buf2), + inet_ntop(data->remote.sa_family, data->remote.addr, inet_ntop_buf, + sizeof inet_ntop_buf), + inet_ntop(data->local.sa_family, data->local.addr, inet_ntop_buf2, + sizeof inet_ntop_buf2), data->remote.interface, *decision, *decision == WOLFSSL_NETFILTER_REJECT ? "REJECT" : 
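Review bot: The reflowed format string concatenates `"... rport=%d"` with `"lport=%d raddr=%s ..."` and loses the separating space, so the log line now reads `rport=443lport=...`; restore it with `"... proto=%d rport=%d "` on the first literal. Separately, the two inet_ntop() results are passed straight to `%s`: inet_ntop returns NULL for an address family it does not handle (and `sa_family` here is wolfSentry's copy, not a checked AF_* value), and `%s` with a NULL argument is undefined behaviour even though glibc prints "(null)". Capture each result and substitute a fixed string when it is NULL, e.g. `const char *raddr = inet_ntop(...); if (raddr == NULL) raddr = "?";`. The enclosing function starts outside this hunk.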
@@ -1959,23 +1981,35 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 err_sys_ex(catastrophic, "unable to get ctx");
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
- wolfsentry_ret = wolfsentry_init(NULL /* hpi */, NULL /* default config */, &wolfsentry);
+ wolfsentry_ret = wolfsentry_init(NULL /* hpi */, NULL /* default config */,
+ &wolfsentry);
 if (wolfsentry_ret < 0) {
- fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
+ fprintf(stderr, "wolfsentry_init() returned " WOLFSENTRY_ERROR_FMT "\n",
+ WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
 err_sys_ex(catastrophic, "unable to initialize wolfSentry");
 }
 if (wolfsentry_data_index < 0)
- wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL,
+ NULL);
 {
 struct wolfsentry_route_table *table;
- if ((wolfsentry_ret = wolfsentry_route_get_table_static(wolfsentry, &table)) < 0)
- fprintf(stderr, "wolfsentry_route_get_table_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
+ if ((wolfsentry_ret = wolfsentry_route_get_table_static(wolfsentry,
+ &table)) < 0)
+ fprintf(stderr, "wolfsentry_route_get_table_static() returned "
+ WOLFSENTRY_ERROR_FMT "\n",
+ WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
 if (wolfsentry_ret >= 0) {
- if ((wolfsentry_ret = wolfsentry_route_table_default_policy_set(wolfsentry, table, WOLFSENTRY_ACTION_RES_REJECT|WOLFSENTRY_ACTION_RES_STOP)) < 0)
- fprintf(stderr, "wolfsentry_route_table_default_policy_set(WOLFSENTRY_ACTION_RES_REJECT) returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
+ if ((wolfsentry_ret = wolfsentry_route_table_default_policy_set(
+ wolfsentry, table,
+ WOLFSENTRY_ACTION_RES_REJECT|WOLFSENTRY_ACTION_RES_STOP))
+ < 0)
+ fprintf(stderr,
+ "wolfsentry_route_table_default_policy_set() returned "
+ WOLFSENTRY_ERROR_FMT "\n",
+
WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
 }
 if (wolfsentry_ret >= 0) {
@@ -2008,8 +2042,11 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 WOLFSENTRY_ROUTE_FLAG_SA_PROTO_WILDCARD | WOLFSENTRY_ROUTE_FLAG_SA_REMOTE_PORT_WILDCARD | WOLFSENTRY_ROUTE_FLAG_SA_LOCAL_PORT_WILDCARD,
- 0 /* event_label_len */, 0 /* event_label */, &id, &action_results)) < 0)
- fprintf(stderr, "wolfsentry_route_insert_static() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
+ 0 /* event_label_len */, 0 /* event_label */, &id,
+ &action_results)) < 0)
+ fprintf(stderr, "wolfsentry_route_insert_static() returned "
+ WOLFSENTRY_ERROR_FMT "\n",
+ WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
 }
 if (wolfsentry_ret < 0)
@@ -2017,8 +2054,12 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 }
- if (wolfSSL_CTX_set_AcceptFilter(ctx, (NetworkFilterCallback_t)wolfSentry_NetworkFilterCallback, wolfsentry) < 0)
- err_sys_ex(catastrophic, "unable to install wolfSentry_NetworkFilterCallback");
+ if (wolfSSL_CTX_set_AcceptFilter(
+ ctx,
+ (NetworkFilterCallback_t)wolfSentry_NetworkFilterCallback,
+ wolfsentry) < 0)
+ err_sys_ex(catastrophic,
+ "unable to install wolfSentry_NetworkFilterCallback");
 #endif
 if (simulateWantWrite)
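Review bot: The reflowed `wolfsentry_data_index = wolfSSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);` still leaves its result unchecked; the `if (wolfsentry_data_index < 0)` guard just above implies a negative value means "no index", so a failed allocation would keep the index negative and every later `wolfSSL_get_ex_data(ssl, wolfsentry_data_index)` lookup in the filter callback would come back NULL. The code already aborts when wolfsentry_init() fails, so the consistent treatment is `if (wolfsentry_data_index < 0) err_sys_ex(catastrophic, "unable to allocate wolfSSL ex_data index");` right after the call. I am inferring the failure convention from the guard, not from wolfSSL_get_ex_new_index itself, which is outside this patch. server_test() begins and ends outside the hunk.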
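Review bot: The reflowed call `wolfSSL_CTX_set_AcceptFilter(ctx, (NetworkFilterCallback_t)wolfSentry_NetworkFilterCallback, wolfsentry)` casts a function whose second parameter is `struct wolfsentry_context *` (visible in the earlier hunk headers) to a pointer type whose second parameter is `void *`; calling through an incompatible function-pointer type is undefined behaviour in C even where it works on common ABIs, and the cast also hides any future drift between the two signatures from the compiler. The cleaner shape is to declare the callback with the exact `NetworkFilterCallback_t` signature, `void *AcceptFilter_arg`, convert to `struct wolfsentry_context *` inside its body, and drop the cast at this call site. Only the line wrapping is new here; the cast itself predates this commit.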
@@ -2713,13 +2754,20 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 {
 SOCKADDR_IN_T local_addr;
 socklen_t local_len = sizeof(local_addr);
- getsockname(clientfd, (struct sockaddr *)&local_addr, (socklen_t *)&local_len);
+ getsockname(clientfd, (struct sockaddr *)&local_addr,
+ (socklen_t *)&local_len);
- if (((struct sockaddr *)&client_addr)->sa_family != ((struct sockaddr *)&local_addr)->sa_family)
- err_sys_ex(catastrophic, "client_addr.sa_family != local_addr.sa_family");
+ if (((struct sockaddr *)&client_addr)->sa_family !=
+ ((struct sockaddr *)&local_addr)->sa_family)
+ err_sys_ex(catastrophic,
+ "client_addr.sa_family != local_addr.sa_family");
- if (wolfsentry_store_endpoints(ssl, &client_addr, &local_addr, dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP, WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) != WOLFSSL_SUCCESS)
- err_sys_ex(catastrophic, "error in wolfsentry_store_endpoints()");
+ if (wolfsentry_store_endpoints(
+ ssl, &client_addr, &local_addr,
+ dtlsUDP ? IPPROTO_UDP : IPPROTO_TCP,
+ WOLFSENTRY_ROUTE_FLAG_DIRECTION_IN) != WOLFSSL_SUCCESS)
+ err_sys_ex(catastrophic,
+ "error in wolfsentry_store_endpoints()");
 }
 #endif /* WOLFSSL_WOLFSENTRY_HOOKS */
@@ -3107,7 +3155,9 @@ exit:
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
 wolfsentry_ret = wolfsentry_shutdown(&wolfsentry);
 if (wolfsentry_ret < 0) {
- fprintf(stderr, "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT "\n", WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
+ fprintf(stderr,
+ "wolfsentry_shutdown() returned " WOLFSENTRY_ERROR_FMT "\n",
+ WOLFSENTRY_ERROR_FMT_ARGS(wolfsentry_ret));
 }
 #endif
diff --git a/src/internal.c b/src/internal.c
index eb977bac1..fcf5a49f3 100644
--- a/src/internal.c
+++ b/src/internal.c
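Review bot: The reflowed `getsockname(clientfd, ...)` still discards its return value, so if it fails `local_addr` stays uninitialized and both the `sa_family` comparison and the `wolfsentry_store_endpoints()` call below consume indeterminate bytes; since this block already aborts through err_sys_ex on an address-family mismatch, the same treatment fits here: `if (getsockname(clientfd, (struct sockaddr *)&local_addr, &local_len) < 0) err_sys_ex(catastrophic, "getsockname() failed");`. The `(socklen_t *)&local_len` cast is redundant, as `local_len` is declared `socklen_t` two lines above. server_test() begins and ends outside the hunk.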
@@ -1884,11 +1884,13 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
 }
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
-void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int n_ex_data)
+void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data)
 {
+ int n_ex_data = (int)(sizeof ex_data->ex_data / sizeof ex_data->ex_data[0]);
 for (--n_ex_data; n_ex_data >= 0; --n_ex_data) {
 if (ex_data->ex_data[n_ex_data] != NULL)
- (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(ex_data, n_ex_data, NULL, NULL);
+ (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(ex_data, n_ex_data,
+ NULL, NULL);
 }
 }
 #endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
@@ -1902,7 +1904,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
 #endif
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data);
 #endif
 #ifdef HAVE_WOLF_EVENT
@@ -6437,7 +6439,7 @@ void SSL_ResourceFree(WOLFSSL* ssl)
 * using stream ciphers where it is retained. */
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&ssl->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&ssl->ex_data);
 #endif
 FreeCiphers(ssl);
diff --git a/src/ssl.c b/src/ssl.c
index ea8ccfc60..1dd3f0706 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1015,7 +1015,11 @@ int wolfSSL_mutual_auth(WOLFSSL* ssl, int req)
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
-int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) {
+int wolfSSL_CTX_set_AcceptFilter(
+ WOLFSSL_CTX *ctx,
+ NetworkFilterCallback_t AcceptFilter,
+ void *AcceptFilter_arg)
+{
 if (ctx == NULL) return BAD_FUNC_ARG;
 ctx->AcceptFilter = AcceptFilter;
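Review bot: wolfSSL_CRYPTO_cleanup_ex_data now derives its slot count from the array itself, which removes the `MAX_EX_DATA` coupling at every call site, but the definition still carries no header comment saying what it does or why the count is computed locally. Suggest placing above the function `/* Release every non-NULL ex_data slot by calling wolfSSL_CRYPTO_set_ex_data_with_cleanup() with a NULL value; the slot count comes from the array so callers no longer pass MAX_EX_DATA. */`. Whether that call actually runs a registered cleanup hook when handed NULL is not visible in this hunk, so confirm that part of the wording against its definition.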
@@ -1023,7 +1027,11 @@ int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t Accep
 return WOLFSSL_SUCCESS;
 }
-int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg) {
+int wolfSSL_set_AcceptFilter(
+ WOLFSSL *ssl,
+ NetworkFilterCallback_t AcceptFilter,
+ void *AcceptFilter_arg)
+{
 if (ssl == NULL) return BAD_FUNC_ARG;
 ssl->AcceptFilter = AcceptFilter;
@@ -12921,7 +12929,8 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
 if (ssl->AcceptFilter) {
 wolfSSL_netfilter_decision_t res;
- if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) &&
+ if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
+ WOLFSSL_SUCCESS) &&
 (res == WOLFSSL_NETFILTER_REJECT)) {
 WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E);
 return WOLFSSL_FATAL_ERROR;
@@ -16308,7 +16317,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 WOLFSSL_ENTER("wolfSSL_BIO_free");
 if (bio) {
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&bio->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&bio->ex_data);
 #endif
 if (bio->infoCb) {
 /* info callback is called before free */
@@ -18755,7 +18764,7 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
 WOLFSSL_ENTER("ExternalFreeX509");
 if (x509) {
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&x509->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&x509->ex_data);
 #endif
 if (x509->dynamicMemory) {
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
@@ -21958,7 +21967,7 @@ void FreeSession(WOLFSSL_SESSION* session, int isAlloced)
 return;
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&session->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&session->ex_data);
 #endif
 #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
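Review bot: The reflowed condition `if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) && (res == WOLFSSL_NETFILTER_REJECT))` refuses the connection only when the filter both succeeds and answers REJECT, so a filter that fails (returns anything other than WOLFSSL_SUCCESS, as the example callback does when its ex_data lookup finds nothing) lets the handshake proceed, which for an accept-time access filter is the fail-open choice. If that is intended it deserves a comment at the check, e.g. `/* a filter error is treated as PASS; only an explicit REJECT blocks the accept */`; if not, fail closed with `if (ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) != WOLFSSL_SUCCESS || res == WOLFSSL_NETFILTER_REJECT) {`. The identical condition appears in the wolfSSL_accept_TLSv13 hunk of src/tls13.c further down and should get the same treatment. Only the line wrap is new here; the logic predates this commit, and the enclosing function begins and ends outside the hunk.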
@@ -26086,7 +26095,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store)
 return;
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&store->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&store->ex_data);
 #endif
 if (store->isDynamic) {
@@ -26304,7 +26313,7 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx)
 WOLFSSL_ENTER("X509_STORE_CTX_free");
 if (ctx != NULL) {
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data);
 #endif
 #ifdef OPENSSL_EXTRA
 if (ctx->param != NULL){
@@ -44923,8 +44932,8 @@ int wolfSSL_set_app_data(WOLFSSL *ssl, void* arg) {
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
-#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
- defined(WOLFSSL_WPAS_SMALL)
+#if defined(HAVE_EX_DATA) || defined(OPENSSL_EXTRA) ||
+ defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL)
 int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data)
 {
@@ -48808,8 +48817,8 @@ void wolfSSL_OPENSSL_config(char *config_name)
 #endif /* !NO_WOLFSSL_STUB */
 #endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */
-#if defined(HAVE_EX_DATA) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \
- defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \
+ || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
 int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c)
 {
@@ -53442,7 +53451,7 @@ void wolfSSL_RSA_free(WOLFSSL_RSA* rsa)
 if (rsa) {
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
- wolfSSL_CRYPTO_cleanup_ex_data(&rsa->ex_data, MAX_EX_DATA);
+ wolfSSL_CRYPTO_cleanup_ex_data(&rsa->ex_data);
 #endif
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
 int doFree = 0;
diff --git a/src/tls13.c b/src/tls13.c
index 3290dd2c6..fd686a747 100644
--- a/src/tls13.c
+++ b/src/tls13.c
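Review bot: The new guard `#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \` / `|| defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)` removes `HAVE_EX_DATA` from the conditions under which wolfSSL_X509_get_ex_new_index is compiled, while the wolfSSL_set_ex_data hunk just above adds `HAVE_EX_DATA` to its guard; if that narrowing is deliberate, a one-line comment on the guard saying so would stop the two edits from reading as an accidental swap. As a matter of style, this guard starts the continuation line with `||` whereas every other multi-line `#if` in the patch leaves the operator before the `\`; writing `#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \` with `defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)` on the next line would match them. Whether any HAVE_EX_DATA-only configuration relied on this function is not visible from the hunk.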
@@ -8359,7 +8359,8 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
 #ifdef WOLFSSL_WOLFSENTRY_HOOKS
 if (ssl->AcceptFilter) {
 wolfSSL_netfilter_decision_t res;
- if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == WOLFSSL_SUCCESS) &&
+ if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
+ WOLFSSL_SUCCESS) &&
 (res == WOLFSSL_NETFILTER_REJECT)) {
 WOLFSSL_ERROR(ssl->error = SOCKET_FILTERED_E);
 return WOLFSSL_FATAL_ERROR;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 266b8589c..9ceb7a1fd 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3044,7 +3044,7 @@ WOLFSSL_LOCAL void SSL_CtxResourceFree(WOLFSSL_CTX*);
 #ifdef HAVE_EX_DATA_CLEANUP_HOOKS
-void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int n_ex_data);
+void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data);
 #endif
 WOLFSSL_LOCAL
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 786f14b20..ef2b7143b 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1149,9 +1149,18 @@ typedef enum {
 WOLFSSL_NETFILTER_REJECT = 2
 } wolfSSL_netfilter_decision_t;
-typedef int (*NetworkFilterCallback_t)(WOLFSSL *ssl, void *AcceptFilter_arg, wolfSSL_netfilter_decision_t *decision);
-WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(WOLFSSL_CTX *ctx, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg);
-WOLFSSL_API int wolfSSL_set_AcceptFilter(WOLFSSL *ssl, NetworkFilterCallback_t AcceptFilter, void *AcceptFilter_arg);
+typedef int (*NetworkFilterCallback_t)(
+ WOLFSSL *ssl,
+ void *AcceptFilter_arg,
+ wolfSSL_netfilter_decision_t *decision);
+WOLFSSL_API int wolfSSL_CTX_set_AcceptFilter(
+ WOLFSSL_CTX *ctx,
+ NetworkFilterCallback_t AcceptFilter,
+ void *AcceptFilter_arg);
+WOLFSSL_API int wolfSSL_set_AcceptFilter(
+ WOLFSSL *ssl,
+ NetworkFilterCallback_t AcceptFilter,
+ void *AcceptFilter_arg);
 #endif /* WOLFSSL_WOLFSENTRY_HOOKS */
From 1650e8b88a20cbbf64dfadc3bf94d669d01d1f2c Mon Sep 17 00:00:00 2001
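Review bot: The reflowed prototype `void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data);` sits between two `WOLFSSL_LOCAL` declarations but carries no visibility qualifier of its own, so in a shared-library build with hidden default visibility it is exported from an internal header while its neighbours are not. Unless it is meant to be public API (in which case it belongs in ssl.h with `WOLFSSL_API`), prefix it `WOLFSSL_LOCAL void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data);` to match SSL_CtxResourceFree above it. The prototype predates this commit; only its parameter list changed here.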
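Review bot: `NetworkFilterCallback_t`, `wolfSSL_CTX_set_AcceptFilter` and `wolfSSL_set_AcceptFilter` are exported (`WOLFSSL_API`) declarations with no documentation, and the callback contract is the security-relevant part: from the accept paths in this patch, a connection is refused only when the callback returns `WOLFSSL_SUCCESS` and stores `WOLFSSL_NETFILTER_REJECT` in `*decision`; any other return value lets the accept continue. Suggest a comment block above the typedef stating that the callback runs from wolfSSL_accept()/wolfSSL_accept_TLSv13() before the handshake, that `AcceptFilter_arg` is the opaque pointer registered with the setter, that it must write `*decision` and return WOLFSSL_SUCCESS, and how a non-success return is treated. A one-line comment on each setter noting that a NULL `AcceptFilter` clears the filter would also help; whether a WOLFSSL inherits the CTX-level filter at creation is not visible in this patch, so document that only once confirmed.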
From: Daniel Pouzzner
Date: Wed, 21 Apr 2021 17:45:08 -0500
Subject: [PATCH 15/16] ssl.c: add back missing line continuation backslash.
---
 src/ssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssl.c b/src/ssl.c
index 1dd3f0706..6b1004424 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -44932,7 +44932,7 @@ int wolfSSL_set_app_data(WOLFSSL *ssl, void* arg) {
 #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
-#if defined(HAVE_EX_DATA) || defined(OPENSSL_EXTRA) ||
+#if defined(HAVE_EX_DATA) || defined(OPENSSL_EXTRA) || \
 defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL)
 int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data)
From 9c7ee3fa64e371e6743448e6de10436df3f3bc8f Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Thu, 22 Apr 2021 00:20:12 -0500
Subject: [PATCH 16/16] examples/server/server.c: when TEST_IPV6, set the remote address to IPv6 localhost for wolfsentry_route_insert_static().
---
 examples/server/server.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/examples/server/server.c b/examples/server/server.c
index 8836c55b8..c00de430c 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -2025,6 +2025,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
 #ifdef TEST_IPV6
 remote.sa.sa_family = local.sa.sa_family = AF_INET6;
 remote.sa.addr_len = 128;
+ memcpy(remote.sa.addr, "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\001", 16);
 #else
 remote.sa.sa_family = local.sa.sa_family = AF_INET;
 remote.sa.addr_len = 32;
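Review bot: The added `memcpy(remote.sa.addr, "\000...\001", 16);` is the one line in this series that runs well past 80 columns, after fourteen patches devoted to wrapping long lines, and a sixteen-byte octal string literal is hard to audit by eye (a reader must count fifteen `\000` escapes to confirm it is `::1`). If `<netinet/in.h>` is in scope under TEST_IPV6, `memcpy(remote.sa.addr, &in6addr_loopback, sizeof in6addr_loopback);` expresses the same value in one readable line; otherwise a named `static const unsigned char` array with a `/* ::1 */` comment would do. I cannot see from the hunk whether the IPv4 branch assigns `remote.sa.addr` at all, so if it relies on `remote` being zero-initialised, a comment saying so would help the next reader. server_test() begins and ends outside the hunk.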