wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3308 from julek-wolfssl/thread-safety

Browse Source 
Introduce thread safety to unsafe functions in wolfSSL
This commit is contained in:
toddouska
2020-10-20 14:56:04 -07:00
committed by GitHub
parent 7c89d10e53 147cb8e60c
commit c863ca54a3
2 changed files with 91 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

152
src/ssl.c
View File

@ -145,13 +145,13 @@
#define WOLFSSL_EVP_INCLUDED #define WOLFSSL_EVP_INCLUDED
#include "wolfcrypt/src/evp.c" #include "wolfcrypt/src/evp.c"
#ifndef WOLFCRYPT_ONLY
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
/* Global pointer to constant BN on */ /* Global pointer to constant BN on */
static WOLFSSL_BIGNUM* bn_one = NULL; static WOLFSSL_BIGNUM* bn_one = NULL;
#endif #endif
#ifndef WOLFCRYPT_ONLY
#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
const WOLF_EC_NIST_NAME kNistCurves[] = { const WOLF_EC_NIST_NAME kNistCurves[] = {
{XSTR_SIZEOF("P-192"), "P-192", NID_X9_62_prime192v1}, {XSTR_SIZEOF("P-192"), "P-192", NID_X9_62_prime192v1},
@ -4786,6 +4786,13 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
#endif /* NO_SESSION_CACHE */ #endif /* NO_SESSION_CACHE */
#if defined(OPENSSL_EXTRA) || \
(defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA))
static WC_RNG globalRNG;
static int initGlobalRNG = 0;
static wolfSSL_Mutex globalRNGMutex;
#endif
WOLFSSL_ABI WOLFSSL_ABI
int wolfSSL_Init(void) int wolfSSL_Init(void)
{ {
@ -4798,6 +4805,14 @@ int wolfSSL_Init(void)
return WC_INIT_E; return WC_INIT_E;
} }
#if defined(OPENSSL_EXTRA) || \
(defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA))
if (wc_InitMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Init Mutex rng");
return BAD_MUTEX_E;
}
#endif
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
if (wolfSSL_RAND_seed(NULL, 0) != WOLFSSL_SUCCESS) { if (wolfSSL_RAND_seed(NULL, 0) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("wolfSSL_RAND_Seed failed"); WOLFSSL_MSG("wolfSSL_RAND_Seed failed");
@ -17829,43 +17844,40 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
/* used by JSSE (not a standard compatibility function) */ /* used by JSSE (not a standard compatibility function) */
/* this is not thread safe */
WOLFSSL_ABI WOLFSSL_ABI
const byte* wolfSSL_X509_notBefore(WOLFSSL_X509* x509) const byte* wolfSSL_X509_notBefore(WOLFSSL_X509* x509)
{ {
static byte notBeforeData[CTC_DATE_SIZE]; /* temp buffer for date */
WOLFSSL_ENTER("wolfSSL_X509_notBefore"); WOLFSSL_ENTER("wolfSSL_X509_notBefore");
if (x509 == NULL) if (x509 == NULL)
return NULL; return NULL;
XMEMSET(notBeforeData, 0, sizeof(notBeforeData)); XMEMSET(x509->notBeforeData, 0, sizeof(x509->notBeforeData));
notBeforeData[0] = (byte)x509->notBefore.type; x509->notBeforeData[0] = (byte)x509->notBefore.type;
notBeforeData[1] = (byte)x509->notBefore.length; x509->notBeforeData[1] = (byte)x509->notBefore.length;
XMEMCPY(&notBeforeData[2], x509->notBefore.data, x509->notBefore.length); XMEMCPY(&x509->notBeforeData[2], x509->notBefore.data, x509->notBefore.length);
return notBeforeData; return x509->notBeforeData;
} }
/* used by JSSE (not a standard compatibility function) */ /* used by JSSE (not a standard compatibility function) */
/* this is not thread safe */
WOLFSSL_ABI WOLFSSL_ABI
const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509) const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509)
{ {
static byte notAfterData[CTC_DATE_SIZE]; /* temp buffer for date */
WOLFSSL_ENTER("wolfSSL_X509_notAfter"); WOLFSSL_ENTER("wolfSSL_X509_notAfter");
if (x509 == NULL) if (x509 == NULL)
return NULL; return NULL;
XMEMSET(notAfterData, 0, sizeof(notAfterData)); XMEMSET(x509->notAfterData, 0, sizeof(x509->notAfterData));
notAfterData[0] = (byte)x509->notAfter.type; x509->notAfterData[0] = (byte)x509->notAfter.type;
notAfterData[1] = (byte)x509->notAfter.length; x509->notAfterData[1] = (byte)x509->notAfter.length;
XMEMCPY(&notAfterData[2], x509->notAfter.data, x509->notAfter.length); XMEMCPY(&x509->notAfterData[2], x509->notAfter.data, x509->notAfter.length);
return notAfterData; return x509->notAfterData;
} }
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB)
WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj) WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj)
{ {
@ -28018,7 +28030,6 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
} }
#endif #endif
#endif /* OPENSSL_EXTRA */ #endif /* OPENSSL_EXTRA */
#endif /* !WOLFCRYPT_ONLY */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
const WOLFSSL_ObjectInfo wolfssl_object_info[] = { const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
#ifndef NO_CERTS #ifndef NO_CERTS
@ -28327,11 +28338,6 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = {
(sizeof(wolfssl_object_info) / sizeof(*wolfssl_object_info)) (sizeof(wolfssl_object_info) / sizeof(*wolfssl_object_info))
const size_t wolfssl_object_info_sz = WOLFSSL_OBJECT_INFO_SZ; const size_t wolfssl_object_info_sz = WOLFSSL_OBJECT_INFO_SZ;
#endif #endif
#if defined(OPENSSL_EXTRA) || \
(defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA))
static WC_RNG globalRNG;
static int initGlobalRNG = 0;
#endif
#if defined(OPENSSL_EXTRA) && \ #if defined(OPENSSL_EXTRA) && \
!defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) !defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)
WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng) WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng)
@ -28379,25 +28385,29 @@ WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng)
return rng; return rng;
} }
#endif #endif
#ifndef WOLFCRYPT_ONLY
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
/* Not thread safe! Can be called multiple times. /* Checks if the global RNG has been created. If not then one is created.
* Checks if the global RNG has been created. If not then one is created.
* *
* Returns SSL_SUCCESS when no error is encountered. * Returns SSL_SUCCESS when no error is encountered.
*/ */
static int wolfSSL_RAND_Init(void) static int wolfSSL_RAND_Init(void)
{ {
if (wc_LockMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Lock Mutex rng");
return 0;
}
if (initGlobalRNG == 0) { if (initGlobalRNG == 0) {
if (wc_InitRng(&globalRNG) < 0) { if (wc_InitRng(&globalRNG) < 0) {
WOLFSSL_MSG("wolfSSL Init Global RNG failed"); WOLFSSL_MSG("wolfSSL Init Global RNG failed");
wc_UnLockMutex(&globalRNGMutex);
return 0; return 0;
} }
initGlobalRNG = 1; initGlobalRNG = 1;
} }
wc_UnLockMutex(&globalRNGMutex);
return SSL_SUCCESS; return SSL_SUCCESS;
} }
@ -28555,7 +28565,6 @@ int wolfSSL_RAND_write_file(const char* fname)
#endif #endif
/* This collects entropy from the path nm and seeds the global PRNG with it. /* This collects entropy from the path nm and seeds the global PRNG with it.
* Makes a call to wolfSSL_RAND_Init which is not thread safe.
* *
* nm is the file path to the egd server * nm is the file path to the egd server
* *
@ -28668,14 +28677,18 @@ int wolfSSL_RAND_egd(const char* nm)
} }
if (bytes > 0 && ret == WOLFSSL_SUCCESS) { if (bytes > 0 && ret == WOLFSSL_SUCCESS) {
wolfSSL_RAND_Init(); /* call to check global RNG is created */ /* call to check global RNG is created */
if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes) if (wolfSSL_RAND_Init() != SSL_SUCCESS) {
WOLFSSL_MSG("Error with initializing global RNG structure");
ret = WOLFSSL_FATAL_ERROR;
}
else if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes)
!= 0) { != 0) {
WOLFSSL_MSG("Error with reseeding DRBG structure"); WOLFSSL_MSG("Error with reseeding DRBG structure");
ret = WOLFSSL_FATAL_ERROR; ret = WOLFSSL_FATAL_ERROR;
} }
#ifdef SHOW_SECRETS #ifdef SHOW_SECRETS
{ /* print out entropy found */ else { /* print out entropy found only when no error occured */
word32 i; word32 i;
printf("EGD Entropy = "); printf("EGD Entropy = ");
for (i = 0; i < bytes; i++) { for (i = 0; i < bytes; i++) {
@ -28713,10 +28726,15 @@ void wolfSSL_RAND_Cleanup(void)
{ {
WOLFSSL_ENTER("wolfSSL_RAND_Cleanup()"); WOLFSSL_ENTER("wolfSSL_RAND_Cleanup()");
if (wc_LockMutex(&globalRNGMutex) != 0) {
WOLFSSL_MSG("Bad Lock Mutex rng");
return;
}
if (initGlobalRNG != 0) { if (initGlobalRNG != 0) {
wc_FreeRng(&globalRNG); wc_FreeRng(&globalRNG);
initGlobalRNG = 0; initGlobalRNG = 0;
} }
wc_UnLockMutex(&globalRNGMutex);
} }
@ -39183,6 +39201,7 @@ err:
unsigned char *md) unsigned char *md)
{ {
static byte dig[WC_SHA_DIGEST_SIZE]; static byte dig[WC_SHA_DIGEST_SIZE];
byte* ret = md;
wc_Sha sha; wc_Sha sha;
WOLFSSL_ENTER("wolfSSL_SHA1"); WOLFSSL_ENTER("wolfSSL_SHA1");
@ -39197,20 +39216,19 @@ err:
return NULL; return NULL;
} }
if (wc_ShaFinal(&sha, dig) != 0) { if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA1 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_ShaFinal(&sha, ret) != 0) {
WOLFSSL_MSG("SHA1 Final failed"); WOLFSSL_MSG("SHA1 Final failed");
wc_ShaFree(&sha);
return NULL; return NULL;
} }
wc_ShaFree(&sha); wc_ShaFree(&sha);
if (md != NULL) { return ret;
XMEMCPY(md, dig, WC_SHA_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
} }
#endif /* ! NO_SHA */ #endif /* ! NO_SHA */
@ -39230,6 +39248,7 @@ err:
unsigned char *md) unsigned char *md)
{ {
static byte dig[WC_SHA256_DIGEST_SIZE]; static byte dig[WC_SHA256_DIGEST_SIZE];
byte* ret = md;
wc_Sha256 sha; wc_Sha256 sha;
WOLFSSL_ENTER("wolfSSL_SHA256"); WOLFSSL_ENTER("wolfSSL_SHA256");
@ -39244,20 +39263,19 @@ err:
return NULL; return NULL;
} }
if (wc_Sha256Final(&sha, dig) != 0) { if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA256 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_Sha256Final(&sha, ret) != 0) {
WOLFSSL_MSG("SHA256 Final failed"); WOLFSSL_MSG("SHA256 Final failed");
wc_Sha256Free(&sha);
return NULL; return NULL;
} }
wc_Sha256Free(&sha); wc_Sha256Free(&sha);
if (md != NULL) { return ret;
XMEMCPY(md, dig, WC_SHA256_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
} }
#endif /* ! NO_SHA256 */ #endif /* ! NO_SHA256 */
@ -39277,6 +39295,7 @@ err:
unsigned char *md) unsigned char *md)
{ {
static byte dig[WC_SHA384_DIGEST_SIZE]; static byte dig[WC_SHA384_DIGEST_SIZE];
byte* ret = md;
wc_Sha384 sha; wc_Sha384 sha;
WOLFSSL_ENTER("wolfSSL_SHA384"); WOLFSSL_ENTER("wolfSSL_SHA384");
@ -39291,20 +39310,19 @@ err:
return NULL; return NULL;
} }
if (wc_Sha384Final(&sha, dig) != 0) { if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA384 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_Sha384Final(&sha, ret) != 0) {
WOLFSSL_MSG("SHA384 Final failed"); WOLFSSL_MSG("SHA384 Final failed");
wc_Sha384Free(&sha);
return NULL; return NULL;
} }
wc_Sha384Free(&sha); wc_Sha384Free(&sha);
if (md != NULL) { return ret;
XMEMCPY(md, dig, WC_SHA384_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
} }
#endif /* WOLFSSL_SHA384 */ #endif /* WOLFSSL_SHA384 */
@ -39325,6 +39343,7 @@ err:
unsigned char *md) unsigned char *md)
{ {
static byte dig[WC_SHA512_DIGEST_SIZE]; static byte dig[WC_SHA512_DIGEST_SIZE];
byte* ret = md;
wc_Sha512 sha; wc_Sha512 sha;
WOLFSSL_ENTER("wolfSSL_SHA512"); WOLFSSL_ENTER("wolfSSL_SHA512");
@ -39339,20 +39358,19 @@ err:
return NULL; return NULL;
} }
if (wc_Sha512Final(&sha, dig) != 0) { if (md == NULL) {
WOLFSSL_MSG("STATIC BUFFER BEING USED. wolfSSL_SHA512 IS NOT "
"THREAD SAFE WHEN md == NULL");
ret = dig;
}
if (wc_Sha512Final(&sha, ret) != 0) {
WOLFSSL_MSG("SHA512 Final failed"); WOLFSSL_MSG("SHA512 Final failed");
wc_Sha512Free(&sha);
return NULL; return NULL;
} }
wc_Sha512Free(&sha); wc_Sha512Free(&sha);
if (md != NULL) { return ret;
XMEMCPY(md, dig, WC_SHA512_DIGEST_SIZE);
return md;
}
else {
return (unsigned char*)dig;
}
} }
#endif /* WOLFSSL_SHA512 */ #endif /* WOLFSSL_SHA512 */
#endif /* OPENSSL_EXTRA */ #endif /* OPENSSL_EXTRA */
@ -44793,8 +44811,6 @@ int wolfSSL_set_alpn_protos(WOLFSSL* ssl,
#endif /* HAVE_ALPN */ #endif /* HAVE_ALPN */
#endif #endif
#endif /* WOLFCRYPT_ONLY */
#if defined(OPENSSL_EXTRA) #if defined(OPENSSL_EXTRA)
#define WOLFSSL_BIO_INCLUDED #define WOLFSSL_BIO_INCLUDED
@ -48672,3 +48688,5 @@ int wolfSSL_set_ephemeral_key(WOLFSSL* ssl, int keyAlgo,
} }
#endif /* WOLFSSL_STATIC_EPHEMERAL */ #endif /* WOLFSSL_STATIC_EPHEMERAL */
#endif /* WOLFCRYPT_ONLY */

7
wolfssl/internal.h
View File

@ -3731,6 +3731,7 @@ struct WOLFSSL_X509 {
byte subjAltNameCrit:1; byte subjAltNameCrit:1;
byte authKeyIdSet:1; byte authKeyIdSet:1;
byte authKeyIdCrit:1; byte authKeyIdCrit:1;
byte issuerSet:1;
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
byte serial[EXTERNAL_SERIAL_SIZE]; byte serial[EXTERNAL_SERIAL_SIZE];
char subjectCN[ASN_NAME_MAX]; /* common name short cut */ char subjectCN[ASN_NAME_MAX]; /* common name short cut */
@ -3743,7 +3744,11 @@ struct WOLFSSL_X509 {
WOLFSSL_X509_ALGOR algor; WOLFSSL_X509_ALGOR algor;
WOLFSSL_X509_PUBKEY key; WOLFSSL_X509_PUBKEY key;
#endif #endif
byte issuerSet:1; #if defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || \
defined(SESSION_CERTS)
byte notBeforeData[CTC_DATE_SIZE];
byte notAfterData[CTC_DATE_SIZE];
#endif
}; };