OpenVPN additions and fixes

- `SSL_CTX_set_min_proto_version` now allows setting protocols that are not compiled in, but checks that the constraints leave at least one compiled-in protocol available
- wolfSSL_HmacCopy already returns `WOLFSSL_SUCCESS` or `WOLFSSL_FAILURE`
This commit is contained in:
Juliusz Sosinowicz
2021-03-12 15:49:51 +01:00
parent e247161b2e
commit ddbd26305f
4 changed files with 65 additions and 26 deletions


@ -16756,12 +16756,45 @@ int wolfSSL_get_server_tmp_key(const WOLFSSL* ssl, WOLFSSL_EVP_PKEY** pkey)
static int sanityCheckProtoVersion(WOLFSSL_CTX* ctx) static int sanityCheckProtoVersion(WOLFSSL_CTX* ctx)
{ {
if ((ctx->mask & WOLFSSL_OP_NO_SSLv3) && int sanityConfirmed = 0;
(ctx->mask & WOLFSSL_OP_NO_TLSv1) &&
(ctx->mask & WOLFSSL_OP_NO_TLSv1_1) && #ifndef NO_TLS
(ctx->mask & WOLFSSL_OP_NO_TLSv1_2) && if (ctx->method->version.major == SSLv3_MAJOR) {
(ctx->mask & WOLFSSL_OP_NO_TLSv1_3)) { #ifdef WOLFSSL_ALLOW_SSLV3
WOLFSSL_MSG("All TLS versions disabled"); if (!(ctx->mask & WOLFSSL_OP_NO_SSLv3)) {
sanityConfirmed = 1;
}
#endif
#ifndef NO_OLD_TLS
if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1)) {
sanityConfirmed = 1;
}
if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1_1)) {
sanityConfirmed = 1;
}
#endif
#ifndef WOLFSSL_NO_TLS12
if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1_2)) {
sanityConfirmed = 1;
}
#endif
#ifdef WOLFSSL_TLS13
if (!(ctx->mask & WOLFSSL_OP_NO_TLSv1_3)) {
sanityConfirmed = 1;
}
#endif
}
#endif
#ifdef WOLFSSL_DTLS
if (ctx->method->version.major == DTLS_MAJOR) {
if (!sanityConfirmed) {
WOLFSSL_MSG("Only DTLS enabled");
sanityConfirmed = 1;
}
}
#endif
if (!sanityConfirmed) {
WOLFSSL_MSG("All compiled in TLS versions disabled");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
@ -16776,36 +16809,36 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
} }
switch (version) { switch (version) {
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
case SSL3_VERSION: case SSL3_VERSION:
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
ctx->minDowngrade = SSLv3_MINOR; ctx->minDowngrade = SSLv3_MINOR;
break; break;
#endif #endif
#ifndef NO_TLS #ifndef NO_TLS
#ifndef NO_OLD_TLS
#ifdef WOLFSSL_ALLOW_TLSV10
case TLS1_VERSION: case TLS1_VERSION:
#ifdef WOLFSSL_ALLOW_TLSV10
ctx->minDowngrade = TLSv1_MINOR; ctx->minDowngrade = TLSv1_MINOR;
break; break;
#endif #endif
case TLS1_1_VERSION: case TLS1_1_VERSION:
#ifndef NO_OLD_TLS
ctx->minDowngrade = TLSv1_1_MINOR; ctx->minDowngrade = TLSv1_1_MINOR;
break; break;
#endif #endif
#ifndef WOLFSSL_NO_TLS12
case TLS1_2_VERSION: case TLS1_2_VERSION:
#ifndef WOLFSSL_NO_TLS12
ctx->minDowngrade = TLSv1_2_MINOR; ctx->minDowngrade = TLSv1_2_MINOR;
break; break;
#endif #endif
#ifdef WOLFSSL_TLS13
case TLS1_3_VERSION: case TLS1_3_VERSION:
#ifdef WOLFSSL_TLS13
ctx->minDowngrade = TLSv1_3_MINOR; ctx->minDowngrade = TLSv1_3_MINOR;
break; break;
#endif #endif
#endif #endif
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION: case DTLS1_VERSION:
#ifndef NO_OLD_TLS
ctx->minDowngrade = DTLS_MINOR; ctx->minDowngrade = DTLS_MINOR;
break; break;
#endif #endif
@ -16832,17 +16865,13 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
case TLS1_VERSION: case TLS1_VERSION:
wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_SSLv3); wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_SSLv3);
break; break;
#endif
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
case SSL3_VERSION: case SSL3_VERSION:
case SSL2_VERSION: case SSL2_VERSION:
/* Nothing to do here */ /* Nothing to do here */
#endif
break; break;
#ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION:
#endif #endif
#ifdef WOLFSSL_DTLS
case DTLS1_VERSION:
case DTLS1_2_VERSION: case DTLS1_2_VERSION:
break; break;
#endif #endif
@ -16867,7 +16896,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
case SSL2_VERSION: case SSL2_VERSION:
WOLFSSL_MSG("wolfSSL does not support SSLv2"); WOLFSSL_MSG("wolfSSL does not support SSLv2");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
#if (defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)) || !defined(NO_TLS) #ifndef NO_TLS
case SSL3_VERSION: case SSL3_VERSION:
wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1); wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1);
FALL_THROUGH; FALL_THROUGH;
@ -16885,9 +16914,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
break; break;
#endif #endif
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
#ifndef NO_OLD_TLS
case DTLS1_VERSION: case DTLS1_VERSION:
#endif
case DTLS1_2_VERSION: case DTLS1_2_VERSION:
break; break;
#endif #endif
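Review bot: The new DTLS branch near the end of sanityCheckProtoVersion confirms sanity without looking at ctx->mask, so for a DTLS method the check can no longer fail however the min/max constraints are set; and because a DTLS method does not take the SSLv3_MAJOR path above it, its inner `if (!sanityConfirmed)` is always true and "Only DTLS enabled" is logged on every DTLS call rather than only when something is off. The compiled-in guards also disagree with the ones wolfSSL_CTX_set_min_proto_version uses in the next hunk: SSLv3 counts under `#ifdef WOLFSSL_ALLOW_SSLV3` alone where the switch needs `defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)`, and TLS 1.0 under `#ifndef NO_OLD_TLS` alone where the switch also needs `WOLFSSL_ALLOW_TLSV10`, so the check can report a usable version that the setter treats as unavailable. Mirroring the switch's guards and testing the mask bits the DTLS paths actually set (not visible in this hunk) would restore the "at least one compiled-in version left" intent stated in the commit message. The function's closing brace is below the hunk.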


@ -3724,7 +3724,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
{ {
int ret; int ret;
if (src->isHMAC) { if (src->isHMAC) {
ret = wolfSSL_HmacCopy(&des->hash.hmac, (Hmac*)&src->hash.hmac); return wolfSSL_HmacCopy(&des->hash.hmac, (Hmac*)&src->hash.hmac);
} }
else { else {
switch (src->macType) { switch (src->macType) {
@ -3818,8 +3818,8 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md)
ret = BAD_FUNC_ARG; ret = BAD_FUNC_ARG;
break; break;
} }
return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
} }
return ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
} }
/* copies structure in to the structure out /* copies structure in to the structure out
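Review bot: With the HMAC branch now returning directly, `int ret;` declared right after the opening brace is set and read only inside the else branch, so it can move to first use (`int ret;` as the first line after `else {`), which also makes it obvious that the HMAC path never touches it. The `(Hmac*)` cast on the wolfSSL_HmacCopy argument strips a qualifier from `src`'s hash state if `src` is const-qualified (the signature is above the hunk); if the copy does not write to its source, a `const Hmac*` parameter on wolfSSL_HmacCopy would let the cast go away instead of hiding the mismatch. The enclosing function's signature is outside the hunk.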


@ -87,6 +87,15 @@ typedef struct crypto_threadid_st CRYPTO_THREADID;
#define OPENSSL_init_crypto wolfSSL_OPENSSL_init_crypto #define OPENSSL_init_crypto wolfSSL_OPENSSL_init_crypto
#ifdef WOLFSSL_OPENVPN
# define OPENSSL_assert(e) \
if (!(e)) { \
fprintf(stderr, "%s:%d wolfSSL internal error: assertion failed: " #e, \
__FILE__, __LINE__); \
raise(SIGABRT); \
_exit(3); \
}
#endif
#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \
defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_EX_DATA) defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_EX_DATA)
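Review bot: The new OPENSSL_assert expands to a bare `if` block, so `if (c) OPENSSL_assert(x); else ...` fails to compile at the stray `;` and a following `else` can bind to the macro's own `if`; the usual `do { ... } while (0)` wrapper is missing. The stringified condition is also pasted into the format string itself (`"... assertion failed: " #e`), so any `%` in an asserted expression is read as a conversion specifier and fprintf is handed too few arguments; passing `#e` through `%s` avoids that, and a trailing `\n` keeps the message on its own line. The macro further relies on `<stdio.h>`, `<signal.h>` and `<unistd.h>` being visible in every translation unit that uses it; whether this header includes them is not shown here.
```c
# define OPENSSL_assert(e) \
    do { \
        if (!(e)) { \
            fprintf(stderr, "%s:%d wolfSSL internal error: assertion failed: %s\n", \
                    __FILE__, __LINE__, #e); \
            raise(SIGABRT); \
            _exit(3); \
        } \
    } while (0)
```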


@ -742,6 +742,9 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX;
#define EVP_MD_CTX_size wolfSSL_EVP_MD_CTX_size #define EVP_MD_CTX_size wolfSSL_EVP_MD_CTX_size
#define EVP_MD_CTX_block_size wolfSSL_EVP_MD_CTX_block_size #define EVP_MD_CTX_block_size wolfSSL_EVP_MD_CTX_block_size
#define EVP_MD_type wolfSSL_EVP_MD_type #define EVP_MD_type wolfSSL_EVP_MD_type
#ifndef NO_WOLFSSL_STUB
#define EVP_MD_CTX_set_flags(...)
#endif
#define EVP_Digest wolfSSL_EVP_Digest #define EVP_Digest wolfSSL_EVP_Digest
#define EVP_DigestInit wolfSSL_EVP_DigestInit #define EVP_DigestInit wolfSSL_EVP_DigestInit
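Review bot: `EVP_MD_CTX_set_flags(...)` expanding to nothing discards the caller's flags with no compile-time or runtime trace that the request was ignored, and the variadic form also accepts any argument count, so a misuse is not caught either. Expanding to a statement-safe expression such as `((void)0)`, or to the project's stub-logging macro under the same `NO_WOLFSSL_STUB` convention, would keep `(void)EVP_MD_CTX_set_flags(ctx, flags)` compiling and leave a log entry where one is available. A one-line comment next to the define, `/* no-op stub: digest-context flags are ignored here */`, would document the intent for the next reader.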