Add Apache 2.4.51 support
- Define `OPENSSL_COMPATIBLE_DEFAULTS` and `WOLFSSL_NO_OCSP_ISSUER_CHECK` for Apache config - Fix `SSL_set_timeout` to match OpenSSL signature - Implement `pkey` in `X509_INFO` - Detect attempt to connect with plain HTTP - Implement `wolfSSL_OCSP_request_add1_nonce` - Set `ssl->cipher.bits` when calling `wolfSSL_get_current_cipher` - Use custom flush method in `wolfSSL_BIO_flush` when set in BIO method - Set the TLS version options in the `ssl->options` at the end of ClientHello parsing - Don't modify the `ssl->version` when in a handshake (`ssl->msgsReceived.got_client_hello` is set) - `wolfSSL_get_shutdown` reports a full bidirectional shutdown when the SSL object is cleared. `wolfSSL_get_shutdown` calls `wolfSSL_clear` on a successful shutdown, so if we detect a cleared SSL object, assume a full shutdown was performed.
+39
-13
@@ -29518,43 +29518,68 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify)
|
||||
WOLFSSL_ENTER("OcspResponseDecode");
|
||||
|
||||
/* peel the outer SEQUENCE wrapper */
|
||||
if (GetSequence(source, &idx, &length, size) < 0)
|
||||
if (GetSequence(source, &idx, &length, size) < 0) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ASN_PARSE_E);
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
/* First get the responseStatus, an ENUMERATED */
|
||||
if (GetEnumerated(source, &idx, &resp->responseStatus, size) < 0)
|
||||
if (GetEnumerated(source, &idx, &resp->responseStatus, size) < 0) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ASN_PARSE_E);
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
if (resp->responseStatus != OCSP_SUCCESSFUL)
|
||||
if (resp->responseStatus != OCSP_SUCCESSFUL) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", 0);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */
|
||||
if (idx >= size)
|
||||
return ASN_INPUT_E;
|
||||
if (GetASNTag(source, &idx, &tag, size) < 0)
|
||||
if (idx >= size) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ASN_PARSE_E);
|
||||
return ASN_PARSE_E;
|
||||
if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
|
||||
}
|
||||
if (GetASNTag(source, &idx, &tag, size) < 0) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ASN_PARSE_E);
|
||||
return ASN_PARSE_E;
|
||||
if (GetLength(source, &idx, &length, size) < 0)
|
||||
}
|
||||
if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ASN_PARSE_E);
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
if (GetLength(source, &idx, &length, size) < 0) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ASN_PARSE_E);
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
/* Get the responseBytes SEQUENCE */
|
||||
if (GetSequence(source, &idx, &length, size) < 0)
|
||||
if (GetSequence(source, &idx, &length, size) < 0) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ASN_PARSE_E);
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
/* Check ObjectID for the resposeBytes */
|
||||
if (GetObjectId(source, &idx, &oid, oidOcspType, size) < 0)
|
||||
if (GetObjectId(source, &idx, &oid, oidOcspType, size) < 0) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ASN_PARSE_E);
|
||||
return ASN_PARSE_E;
|
||||
if (oid != OCSP_BASIC_OID)
|
||||
}
|
||||
if (oid != OCSP_BASIC_OID) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ASN_PARSE_E);
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
ret = GetOctetString(source, &idx, &length, size);
|
||||
if (ret < 0)
|
||||
if (ret < 0) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerify);
|
||||
if (ret < 0)
|
||||
if (ret < 0) {
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", 0);
|
||||
return 0;
|
||||
#else
|
||||
DECL_ASNGETDATA(dataASN, ocspResponseASN_Length);
|
||||
@@ -29595,6 +29620,7 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify)
|
||||
}
|
||||
|
||||
FREE_ASNGETDATA(dataASN, resp->heap);
|
||||
WOLFSSL_LEAVE("OcspResponseDecode", ret);
|
||||
return ret;
|
||||
#endif /* WOLFSSL_ASN_TEMPLATE */
|
||||
}
|
||||
|
||||
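Review bot: The out-of-range guard `if (idx >= size)` now returns `ASN_PARSE_E` where the old branch returned `ASN_INPUT_E`, a change in the error code callers see that the commit description does not mention (the rendered diff has lost its +/- markers, but the old `return ASN_INPUT_E;` line has no counterpart in the new lines). If the intent was only to add the trace, the branch should keep `WOLFSSL_LEAVE("OcspResponseDecode", ASN_INPUT_E);` and `return ASN_INPUT_E;`, since a truncated response and a malformed one are otherwise indistinguishable to the caller. The non-success `responseStatus` path still returns 0 with the rest of `resp` left untouched, which deserves a comment such as `/* not OCSP_SUCCESSFUL: caller must inspect resp->responseStatus, no further fields are decoded */`. OcspResponseDecode begins before this hunk and its `#else` template branch continues past it; the second hunk in this section only adds a matching `WOLFSSL_LEAVE` before that branch's return.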
+56
-1
@@ -1420,6 +1420,9 @@ WOLFSSL_EVP_PKEY_CTX *wolfSSL_EVP_PKEY_CTX_new(WOLFSSL_EVP_PKEY *pkey, WOLFSSL_E
|
||||
ctx->pkey = pkey;
|
||||
#if !defined(NO_RSA) && !defined(HAVE_USER_RSA)
|
||||
ctx->padding = RSA_PKCS1_PADDING;
|
||||
#endif
|
||||
#ifdef HAVE_ECC
|
||||
ctx->curveNID = ECC_CURVE_DEF;
|
||||
#endif
|
||||
if (wolfSSL_EVP_PKEY_up_ref(pkey) != WOLFSSL_SUCCESS) {
|
||||
WOLFSSL_MSG("Couldn't increase key reference count");
|
||||
@@ -1920,6 +1923,49 @@ int wolfSSL_EVP_PKEY_bits(const WOLFSSL_EVP_PKEY *pkey)
|
||||
}
|
||||
|
||||
|
||||
int wolfSSL_EVP_PKEY_paramgen_init(WOLFSSL_EVP_PKEY_CTX *ctx)
|
||||
{
|
||||
(void)ctx;
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
|
||||
int wolfSSL_EVP_PKEY_CTX_set_ec_paramgen_curve_nid(WOLFSSL_EVP_PKEY_CTX *ctx,
|
||||
int nid)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_EVP_PKEY_CTX_set_ec_paramgen_curve_nid");
|
||||
#ifdef HAVE_ECC
|
||||
if (ctx != NULL && ctx->pkey != NULL && ctx->pkey->type == EVP_PKEY_EC) {
|
||||
ctx->curveNID = nid;
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
else
|
||||
#endif
|
||||
{
|
||||
#ifndef HAVE_ECC
|
||||
(void)ctx;
|
||||
(void)nid;
|
||||
WOLFSSL_MSG("Support not compiled in");
|
||||
#else
|
||||
WOLFSSL_MSG("Bad parameter");
|
||||
#endif
|
||||
return WOLFSSL_FAILURE;
|
||||
}
|
||||
}
|
||||
|
||||
/* wolfSSL only supports writing out named curves so no need to store the flag.
|
||||
* In short, it is preferred to write out the name of the curve chosen instead
|
||||
* of the explicit parameters.
|
||||
* The difference is nicely explained and illustrated in section
|
||||
* "ECDH and Named Curves" of
|
||||
* https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman */
|
||||
int EVP_PKEY_CTX_set_ec_param_enc(WOLFSSL_EVP_PKEY_CTX *ctx,
|
||||
int flag)
|
||||
{
|
||||
(void)ctx;
|
||||
(void)flag;
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
|
||||
int wolfSSL_EVP_PKEY_keygen_init(WOLFSSL_EVP_PKEY_CTX *ctx)
|
||||
{
|
||||
(void)ctx;
|
||||
@@ -1933,14 +1979,23 @@ int wolfSSL_EVP_PKEY_keygen(WOLFSSL_EVP_PKEY_CTX *ctx,
|
||||
int ownPkey = 0;
|
||||
WOLFSSL_EVP_PKEY* pkey;
|
||||
|
||||
WOLFSSL_ENTER("wolfSSL_EVP_PKEY_keygen");
|
||||
|
||||
if (ctx == NULL || ppkey == NULL) {
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
pkey = *ppkey;
|
||||
if (pkey == NULL) {
|
||||
if (ctx->pkey == NULL ||
|
||||
(ctx->pkey->type != EVP_PKEY_EC &&
|
||||
ctx->pkey->type != EVP_PKEY_RSA)) {
|
||||
WOLFSSL_MSG("Key not set or key type not supported");
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
ownPkey = 1;
|
||||
pkey = wolfSSL_EVP_PKEY_new();
|
||||
pkey->type = ctx->pkey->type;
|
||||
|
||||
if (pkey == NULL)
|
||||
return ret;
|
||||
@@ -1962,7 +2017,7 @@ int wolfSSL_EVP_PKEY_keygen(WOLFSSL_EVP_PKEY_CTX *ctx,
|
||||
#endif
|
||||
#ifdef HAVE_ECC
|
||||
case EVP_PKEY_EC:
|
||||
pkey->ecc = wolfSSL_EC_KEY_new();
|
||||
pkey->ecc = wolfSSL_EC_KEY_new_by_curve_name(ctx->curveNID);
|
||||
if (pkey->ecc) {
|
||||
ret = wolfSSL_EC_KEY_generate_key(pkey->ecc);
|
||||
if (ret == WOLFSSL_SUCCESS) {
|
||||
|
||||
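Review bot: In `wolfSSL_EVP_PKEY_keygen`, the new line `pkey->type = ctx->pkey->type;` dereferences the freshly allocated `pkey` before the `if (pkey == NULL) return ret;` guard that follows it, so an allocation failure in `wolfSSL_EVP_PKEY_new()` becomes a NULL dereference instead of the early return. Move the assignment below the guard: `if (pkey == NULL) return ret;` then `pkey->type = ctx->pkey->type;`. Separately, `EVP_PKEY_CTX_set_ec_param_enc` is the only definition in this hunk without the `wolfSSL_` prefix its neighbours `wolfSSL_EVP_PKEY_paramgen_init` and `wolfSSL_EVP_PKEY_CTX_set_ec_paramgen_curve_nid` carry, which risks a symbol clash with a genuine OpenSSL library in the same process; naming it `wolfSSL_EVP_PKEY_CTX_set_ec_param_enc` and mapping the compat name in the header would match the rest of the file. The keygen function starts before its hunk and the `switch` on key type continues past the last hunk.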