Add hitch support to wolfSSL.

Add support for cipher aliases DHE, EDH and EECDH.

Add define SSL_CTRL_GET_CHAIN_CERTS to help hitch and other programs detect that SSL_CTX_get0_chain_certs is supported.

Add wolfSSL_get_locking_callback.

Allow using ECDHE+RSA cipher suites when ECDHE alias is used while in OpenSSL compatibility mode.

Add more alerts for hitch.

SSL_CM should use the CTX's x509_store_pt if available.

Add support for SSL_CERT_FILE and SSL_CERT_DIR.  Load default OpenSSL TLS 1.3 ciphers when using OPENSSL_COMPATIBLE_DEFAULTS.

Use wolfSSL_sk_X509_new_null to allocate WOLFSSL_STACK in wolfSSL_CTX_get_extra_chain_certs.  Previous approach of malloc'ing without setting type/memsetting was leading to a segfault.

Add --enable-hitch.

hitch: Add unit tests for new APIs, fix a couple of issues uncovered by unit testing.

Correct behavior of wolfSSL_BIO_set_mem_buf for BIO_CLOSE/NOCLOSE and update unit test accordingly.

Add Github action test for hitch.
This commit is contained in:
Kareem 2023-06-22 16:43:10 -07:00
parent 9d18648dfb
commit e871b1c04d
14 changed files with 463 additions and 24 deletions

71
.github/workflows/hitch.yml vendored Normal file

@ -0,0 +1,71 @@
name: hitch Tests
on:
workflow_call:
jobs:
build_wolfssl:
name: Build wolfSSL
# Just to keep it the same as the testing target
runs-on: ubuntu-latest
steps:
- name: Build wolfSSL
uses: wolfSSL/actions-build-autotools-project@v1
with:
path: wolfssl
configure: --enable-hitch
install: true
- name: Upload built lib
uses: actions/upload-artifact@v3
with:
name: wolf-install-hitch
path: build-dir
retention-days: 1
hitch_check:
strategy:
fail-fast: false
matrix:
# List of releases to test
ref: [ 1.7.3 ]
name: ${{ matrix.ref }}
runs-on: ubuntu-latest
needs: build_wolfssl
steps:
- name: Download lib
uses: actions/download-artifact@v3
with:
name: wolf-install-hitch
path: build-dir
- name: Checkout OSP
uses: actions/checkout@v3
with:
# TODO: change to wolfssl repo once merged
repository: kareem-wolfssl/osp
ref: hitch
path: osp
- name: Build hitch
uses: wolfSSL/actions-build-autotools-project@v1
with:
repository: varnish/hitch
ref: ${{ matrix.ref }}
path: hitch
patch-file: $GITHUB_WORKSPACE/osp/hitch/hitch_${{ matrix.ref }}.patch
run: |
autoreconf -i
configure: --with-wolfssl --enable-warnings
- name: Confirm hitch built with wolfSSL
working-directory: ./hitch
run: ldd src/hitch | grep wolfssl
- name: Run hitch tests, skipping 13, 15 and 39
run: |
for test in ./test*.sh; do
if ! [[ "$test" = ./test13* ]] && ! [[ "$test" = ./test15* ]] && ! [[ "$test" = ./test39* ]]; then
$test
fi
done
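Review bot: The "Run hitch tests" step at the end of the file has no `working-directory:`, unlike the preceding "Confirm hitch built with wolfSSL" step, so `./test*.sh` is globbed relative to the workspace root; if the scripts live inside the hitch checkout the unmatched pattern is passed through literally and the step fails on the first iteration. Add a `working-directory:` pointing at the directory that holds the test scripts (the same way the ldd step uses `./hitch`). Separately, the OSP checkout pulls a mutable branch (`ref: hitch`) from a personal fork and the patch it supplies is applied to the hitch build; until the TODO is resolved, pin `ref:` to a commit SHA so the patched source cannot change underneath the CI run, and consider pinning the third-party actions by SHA rather than `@v3`/`@v1` for the same reason.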


@ -30,6 +30,8 @@ jobs:
uses: ./.github/workflows/nginx.yml
zephyr:
uses: ./.github/workflows/zephyr.yml
hitch:
uses: ./.github/workflows/hitch.yml
# TODO: Currently this test fails. Enable it once it becomes passing.
# haproxy:
# uses: ./.github/workflows/haproxy.yml


@ -1377,6 +1377,7 @@ AC_ARG_ENABLE([mcast],
# FFmpeg (--enable-ffmpeg) WOLFSSL_FFMPEG
# strongSwan (--enable-strongswan)
# OpenLDAP (--enable-openldap)
# hitch (--enable-hitch)
# Bind DNS compatibility Build
AC_ARG_ENABLE([bind],
@ -1580,6 +1581,13 @@ AC_ARG_ENABLE([strongswan],
[ ENABLED_STRONGSWAN=no ]
)
# hitch support
AC_ARG_ENABLE([hitch],
[AS_HELP_STRING([--enable-hitch],[Enable hitch support (default: disabled)])],
[ ENABLED_HITCH=$enableval ],
[ ENABLED_HITCH=no ]
)
# OpenSSL Coexist
AC_ARG_ENABLE([opensslcoexist],
[AS_HELP_STRING([--enable-opensslcoexist],[Enable coexistence of wolfssl/openssl (default: disabled)])],
@ -1691,7 +1699,7 @@ if test "$ENABLED_LIBWEBSOCKETS" = "yes" || test "$ENABLED_OPENVPN" = "yes" || \
test "$ENABLED_OPENRESTY" = "yes" || test "$ENABLED_RSYSLOG" = "yes" || \
test "$ENABLED_KRB" = "yes" || test "$ENABLED_CHRONY" = "yes" || \
test "$ENABLED_FFMPEG" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \
test "$ENABLED_OPENLDAP" = "yes"
test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes"
then
ENABLED_OPENSSLALL="yes"
fi
@ -3109,7 +3117,7 @@ AC_ARG_ENABLE([sessioncerts],
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" || \
test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes" || \
test "x$ENABLED_STRONGSWAN" = "xyes"
test "x$ENABLED_STRONGSWAN" = "xyes" || test "x$ENABLED_HITCH" = "xyes"
then
ENABLED_SESSIONCERTS=yes
fi
@ -3149,7 +3157,7 @@ AC_ARG_ENABLE([certgen],
if test "$ENABLED_OPENVPN" = "yes" || test "$ENABLED_OPENSSH" = "yes" || \
test "$ENABLED_BIND" = "yes" || test "$ENABLED_NTP" = "yes" || \
test "$ENABLED_CHRONY" = "yes" || test "$ENABLED_STRONGSWAN" = "yes" || \
test "$ENABLED_OPENLDAP" = "yes"
test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes"
then
ENABLED_CERTGEN=yes
fi
@ -5961,6 +5969,45 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB -DHAVE_EX_DATA -DWOLFSSL_KEY_GEN"
fi
if test "$ENABLED_HITCH" = "yes"
then
# Requires opensslextra make sure on
if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"
then
ENABLED_OPENSSLEXTRA="yes"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA"
fi
# Requires OCSP make sure on
if test "x$ENABLED_OCSP" = "xno"
then
ENABLED_OCSP="yes"
fi
# Requires ALPN
if test "x$ENABLED_ALPN" = "xno"
then
ENABLED_ALPN="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ALPN"
fi
if test "x$ENABLED_KEYGEN" = "xno"
then
ENABLED_KEYGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
fi
# Requires sessioncerts make sure on
if test "x$ENABLED_SESSIONCERTS" = "xno"
then
ENABLED_SESSIONCERTS="yes"
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HITCH -DHAVE_EX_DATA -DWOLFSSL_SIGNER_DER_CERT"
AM_CFLAGS="$AM_CFLAGS -DOPENSSL_COMPATIBLE_DEFAULTS -DWOLFSSL_CIPHER_INTERNALNAME"
fi
if test "$ENABLED_NGINX" = "yes"|| test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_LIGHTY" = "xyes"
then
@ -8003,7 +8050,7 @@ if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes" || \
test "$ENABLED_LIBWEBSOCKETS" = "yes" || \
test "x$ENABLED_LIGHTY" = "xyes" || test "$ENABLED_LIBSSH2" = "yes" || \
test "x$ENABLED_NTP" = "xyes" || test "$ENABLED_RSYSLOG" = "yes" || \
test "$ENABLED_OPENLDAP" = "yes"
test "$ENABLED_OPENLDAP" = "yes" || test "$ENABLED_HITCH" = "yes"
then
ENABLED_OPENSSLEXTRA="yes"
fi
@ -9189,6 +9236,7 @@ echo " * SIGNAL: $ENABLED_SIGNAL"
echo " * chrony: $ENABLED_CHRONY"
echo " * strongSwan: $ENABLED_STRONGSWAN"
echo " * OpenLDAP: $ENABLED_OPENLDAP"
echo " * hitch: $ENABLED_HITCH"
echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
echo " * DTLS: $ENABLED_DTLS"
echo " * DTLS v1.3: $ENABLED_DTLS13"
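Review bot: In the new hitch block, `ENABLED_OCSP="yes"` is set without appending anything to AM_CFLAGS, whereas the sibling ALPN, KEYGEN and SESSIONCERTS branches each add their `-D` define alongside the variable; whether the OCSP flags still get added depends on where the OCSP handling runs relative to this block, which is outside the hunk, so either add `-DHAVE_OCSP` here for symmetry or leave a comment saying the later OCSP section picks the variable up. The OPENSSLEXTRA branch at the top of the block also looks redundant with the aggregate test further down in this file that now includes `$ENABLED_HITCH`; keeping only one of them avoids two places drifting apart. A short comment above the block naming which hitch features need each option would help the next person touching it.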


@ -1155,6 +1155,32 @@ long wolfSSL_BIO_get_mem_ptr(WOLFSSL_BIO *bio, WOLFSSL_BUF_MEM **ptr)
return ret;
}
#ifdef OPENSSL_ALL
int wolfSSL_BIO_set_mem_buf(WOLFSSL_BIO* bio, WOLFSSL_BUF_MEM* bufMem,
int closeFlag)
{
if (!bio || !bufMem ||
(closeFlag != BIO_NOCLOSE && closeFlag != BIO_CLOSE))
return BAD_FUNC_ARG;
if (bio->mem_buf)
if (closeFlag == BIO_CLOSE)
wolfSSL_BUF_MEM_free(bio->mem_buf);
bio->mem_buf = bufMem;
bio->shutdown = closeFlag;
bio->wrSz = (int)bio->mem_buf->length;
bio->wrSzReset = bio->wrSz;
bio->num = (int)bio->mem_buf->max;
bio->ptr = bio->mem_buf->data;
bio->wrIdx = 0;
bio->rdIdx = 0;
return WOLFSSL_SUCCESS;
}
#endif
WOLFSSL_API long wolfSSL_BIO_int_ctrl(WOLFSSL_BIO *bp, int cmd, long larg, int iarg)
{
(void) bp;
@ -2334,6 +2360,55 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
return WOLFSSL_SUCCESS;
}
#ifdef OPENSSL_ALL
WOLFSSL_BIO* wolfSSL_BIO_new_ssl(WOLFSSL_CTX* ctx, int client)
{
WOLFSSL* ssl = NULL;
WOLFSSL_BIO* sslBio = NULL;
int err = 0;
WOLFSSL_ENTER("wolfSSL_BIO_new_ssl");
if (ctx == NULL) {
WOLFSSL_MSG("ctx is NULL.");
err = 1;
}
if (err == 0) {
ssl = wolfSSL_new(ctx);
if (ssl == NULL) {
WOLFSSL_MSG("Failed to create SSL object from ctx.");
err = 1;
}
}
if (err == 0) {
sslBio = wolfSSL_BIO_new(wolfSSL_BIO_f_ssl());
if (sslBio == NULL) {
WOLFSSL_MSG("Failed to create SSL BIO.");
err = 1;
}
}
if (err == 0) {
if (!client)
wolfSSL_set_accept_state(ssl);
else
wolfSSL_set_connect_state(ssl);
}
if (err == 0 && wolfSSL_BIO_set_ssl(sslBio, ssl, BIO_CLOSE) !=
WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Failed to set SSL pointer in BIO.");
err = 1;
}
if (err) {
wolfSSL_free(ssl);
wolfSSL_BIO_free(sslBio);
}
return sslBio;
}
#endif
WOLFSSL_BIO* wolfSSL_BIO_new_ssl_connect(WOLFSSL_CTX* ctx)
{
WOLFSSL* ssl = NULL;
@ -3219,6 +3294,26 @@ int wolfSSL_BIO_should_retry(WOLFSSL_BIO *bio)
return ret;
}
int wolfSSL_BIO_should_read(WOLFSSL_BIO *bio)
{
int ret = 0;
if (bio != NULL) {
ret = (int)(bio->flags & WOLFSSL_BIO_FLAG_READ);
}
return ret;
}
int wolfSSL_BIO_should_write(WOLFSSL_BIO *bio)
{
int ret = 0;
if (bio != NULL) {
ret = (int)(bio->flags & WOLFSSL_BIO_FLAG_WRITE);
}
return ret;
}
#endif /* OPENSSL_ALL */
#endif /* WOLFSSL_BIO_INCLUDED */
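Review bot: wolfSSL_BIO_new_ssl returns a dangling pointer on its last failure path: when wolfSSL_BIO_set_ssl fails, the `if (err)` block frees sslBio and the function then returns the freed pointer as non-NULL, so every caller that checks for NULL proceeds into a use-after-free. Null it after the free, `wolfSSL_BIO_free(sslBio); sslBio = NULL;` (ssl needs no such treatment because it is not returned). Separately, in wolfSSL_BIO_set_mem_buf the decision to free the previously attached buffer is taken from the incoming closeFlag rather than from the ownership recorded when that buffer was attached, so a caller-owned buffer attached with BIO_NOCLOSE is freed if the next call passes BIO_CLOSE, and a BIO-owned one leaks in the opposite case; if I read OpenSSL's BIO_C_SET_BUF_MEM correctly it frees according to the old shutdown flag, i.e. `if (bio->mem_buf != NULL && bio->shutdown == BIO_CLOSE) wolfSSL_BUF_MEM_free(bio->mem_buf);` — and the nested unbraced ifs should get braces either way. That semantic choice also shapes the matching test in test.c, which frees emp_bm by hand after replacing it, so both would change together.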


@ -3286,14 +3286,23 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
/* OpenSSL enables ECDHE when using ECDHE aliases without RSA */
#ifdef OPENSSL_EXTRA
if ((tls1_2 && haveRSA) || (tls1_2 && haveECDSAsig)) {
#else
if (tls1_2 && haveRSA) {
#endif
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
}
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
#ifdef OPENSSL_EXTRA
if ((tls1_2 && haveRSA) || (tls1_2 && haveECDSAsig)) {
#else
if (tls1_2 && haveRSA) {
#endif
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
}
@ -3405,7 +3414,11 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#ifdef OPENSSL_EXTRA
if ((tls1_2 && haveRSA) || (tls1_2 && haveECDSAsig)) {
#else
if (tls1_2 && haveRSA) {
#endif
suites->suites[idx++] = CHACHA_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
}
@ -3429,7 +3442,11 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
#ifdef OPENSSL_EXTRA
if ((tls1_2 && haveRSA) || (tls1_2 && haveECDSAsig)) {
#else
if (tls1_2 && haveRSA) {
#endif
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
}
@ -3457,7 +3474,11 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
#ifdef OPENSSL_EXTRA
if ((tls1_2 && haveRSA) || (tls1_2 && haveECDSAsig)) {
#else
if (tls1_2 && haveRSA) {
#endif
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384;
}
@ -3541,7 +3562,11 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
#ifdef OPENSSL_EXTRA
if ((tls && haveRSA) || (tls && haveECDSAsig)) {
#else
if (tls && haveRSA) {
#endif
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;
}
@ -3555,7 +3580,11 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
#ifdef OPENSSL_EXTRA
if ((tls && haveRSA) || (tls && haveECDSAsig)) {
#else
if (tls && haveRSA) {
#endif
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
}
@ -3583,7 +3612,11 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
#ifdef OPENSSL_EXTRA
if ((tls && haveRSA) || (tls && haveECDSAsig)) {
#else
if (tls && haveRSA) {
#endif
suites->suites[idx++] = ECC_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA;
}
@ -3726,14 +3759,22 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
#ifdef OPENSSL_EXTRA
if ((tls1_2 && haveRSA) || (tls1_2 && haveECDSAsig)) {
#else
if (tls1_2 && haveRSA) {
#endif
suites->suites[idx++] = CHACHA_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256;
}
#endif
#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
#ifdef OPENSSL_EXTRA
if ((tls1_2 && haveRSA) || (tls1_2 && haveECDSAsig)) {
#else
if (tls1_2 && haveRSA) {
#endif
suites->suites[idx++] = CHACHA_BYTE;
suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256;
}
@ -25410,17 +25451,24 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
}
if (XSTRCMP(name, "kDH") == 0) {
haveStaticECC = allowing;
if (allowing) {
haveECC = 1;
haveSig |= SIG_ECDSA;
haveDH = 1;
callInitSuites = 1;
ret = 1;
}
continue;
}
if (XSTRCMP(name, "ECDHE") == 0) {
if (XSTRCMP(name, "DHE") == 0 || XSTRCMP(name, "EDH") == 0) {
if (allowing) {
haveDH = 1;
callInitSuites = 1;
ret = 1;
}
continue;
}
if (XSTRCMP(name, "ECDHE") == 0 || XSTRCMP(name, "EECDH") == 0) {
if (allowing) {
haveECC = 1;
haveSig |= SIG_ECDSA;
@ -34470,6 +34518,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
WOLFSSL_OP_NO_SSLv3) {
WOLFSSL_MSG("\tError, option set to not allow SSLv3");
ret = VERSION_ERROR;
#ifdef WOLFSSL_EXTRA_ALERTS
SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
#endif
goto out;
}
@ -38304,6 +38355,13 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
int ad = 0;
int sniRet = 0;
int ret = 0;
/* OpenSSL defaults alert to SSL_AD_UNRECOGNIZED_NAME, use this if
WOLFSSL_EXTRA_ALERTS is defined, indicating user is OK with
potential information disclosure from alerts. */
#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_EXTRA_ALERTS)
ad = SSL_AD_UNRECOGNIZED_NAME;
#endif
/* Stunnel supports a custom sni callback to switch an SSL's ctx
* when SNI is received. Call it now if exists */
if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) {
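Review bot: The relaxed condition `(tls1_2 && haveRSA) || (tls1_2 && haveECDSAsig)` is also applied to TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 (second suite in the `@ -3726` hunk), which is a DHE suite and not covered by the comment about ECDHE aliases; that reads like copy-through and the original `if (tls1_2 && haveRSA) {` should stay for it. More generally haveECDSAsig is also set from the loaded key type, not only from the ECDHE/EECDH alias, so under OPENSSL_EXTRA a server holding only an ECDSA key now lists ECDHE_RSA suites it cannot complete; that is harmless only if suite selection re-checks haveRSA later, which is outside these hunks, so a comment stating that assumption would help. Stylistically the repeated condition reads better factored, `if (tls1_2 && (haveRSA || haveECDSAsig)) {`, in all eleven places. InitSuites starts and ends outside these hunks.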


@ -16149,17 +16149,50 @@ cleanup:
/*
* This is an OpenSSL compatibility layer function, but it doesn't mirror
* the exact functionality of its OpenSSL counterpart. We don't support the
* notion of an "OpenSSL directory," nor do we support the environment
* variables SSL_CERT_DIR or SSL_CERT_FILE. This function is simply a
* wrapper around our native wolfSSL_CTX_load_system_CA_certs function. This
* function does conform to OpenSSL's return value conventions, though.
* notion of an "OpenSSL directory". This function will attempt to load the
* environment variables SSL_CERT_DIR and SSL_CERT_FILE, if either are found,
* they will be loaded. Otherwise, it will act as a wrapper around our
* native wolfSSL_CTX_load_system_CA_certs function. This function does
* conform to OpenSSL's return value conventions.
*/
int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX* ctx)
{
int ret;
#ifdef XGETENV
char* certDir;
char* certFile;
word32 flags;
#endif
WOLFSSL_ENTER("wolfSSL_CTX_set_default_verify_paths");
#ifdef XGETENV
certDir = XGETENV("SSL_CERT_DIR");
certFile = XGETENV("SSL_CERT_FILE");
flags = WOLFSSL_LOAD_FLAG_PEM_CA_ONLY;
if (certDir || certFile) {
if (certDir) {
/*
* We want to keep trying to load more CAs even if one cert in
* the directory is bad and can't be used (e.g. if one is expired),
* so we use WOLFSSL_LOAD_FLAG_IGNORE_ERR.
*/
flags |= WOLFSSL_LOAD_FLAG_IGNORE_ERR;
}
ret = wolfSSL_CTX_load_verify_locations_ex(ctx, certFile, certDir,
flags);
if (ret != WOLFSSL_SUCCESS) {
WOLFSSL_MSG_EX("Failed to load CA certs from SSL_CERT_FILE: %s"
" SSL_CERT_DIR: %s. Error: %d", certFile,
certDir, ret);
return WOLFSSL_FAILURE;
}
return ret;
}
#endif
ret = wolfSSL_CTX_load_system_CA_certs(ctx);
if (ret == WOLFSSL_BAD_PATH) {
/*
@ -16649,6 +16682,32 @@ cleanup:
and free it with CTX free*/
}
#ifdef OPENSSL_ALL
int wolfSSL_CTX_set1_verify_cert_store(WOLFSSL_CTX* ctx, WOLFSSL_X509_STORE* str)
{
WOLFSSL_ENTER("wolfSSL_CTX_set1_verify_cert_store");
if (ctx == NULL || str == NULL) {
WOLFSSL_MSG("Bad parameter");
return WOLFSSL_FAILURE;
}
/* NO-OP when setting existing store */
if (str == CTX_STORE(ctx))
return WOLFSSL_SUCCESS;
if (wolfSSL_X509_STORE_up_ref(str) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("wolfSSL_X509_STORE_up_ref error");
return WOLFSSL_FAILURE;
}
/* free existing store if it exists */
wolfSSL_X509_STORE_free(ctx->x509_store_pt);
ctx->x509_store_pt = str; /* take ownership of store and free it
with CTX free */
return WOLFSSL_SUCCESS;
}
#endif
int wolfSSL_set0_verify_cert_store(WOLFSSL *ssl, WOLFSSL_X509_STORE* str)
{
@ -16761,6 +16820,13 @@ cleanup:
}
}
void (*wolfSSL_get_locking_callback(void))(int, int, const char*, int)
{
WOLFSSL_ENTER("wolfSSL_get_locking_callback");
return wc_GetMutexCb();
}
typedef unsigned long (idCb)(void);
static idCb* inner_idCb = NULL;
@ -31977,8 +32043,7 @@ int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx, WOLF_STACK_OF(X509)** ch
/* Create a new stack of WOLFSSL_X509 object from chain buffer. */
for (idx = 0; idx < ctx->certChain->length; ) {
node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL,
DYNAMIC_TYPE_OPENSSL);
node = wolfSSL_sk_X509_new_null();
if (node == NULL)
return WOLFSSL_FAILURE;
node->next = NULL;
@ -32065,8 +32130,11 @@ int wolfSSL_CTX_get0_chain_certs(WOLFSSL_CTX *ctx,
WOLFSSL_MSG("Bad parameter");
return WOLFSSL_FAILURE;
}
*sk = ctx->x509Chain;
return WOLFSSL_SUCCESS;
/* This function should return ctx->x509Chain if it is populated, otherwise
it should be populated from ctx->certChain. This matches the behavior of
wolfSSL_CTX_get_extra_chain_certs, so it is used directly. */
return wolfSSL_CTX_get_extra_chain_certs(ctx, sk);
}
#ifdef KEEP_OUR_CERT
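Review bot: In wolfSSL_CTX_set_default_verify_paths the failure log passes certFile and certDir straight to `%s`, but the branch is entered when only one of them is set, so the other is NULL — undefined behavior for printf-family formatting; use `certFile ? certFile : "(unset)"` and the same for certDir. The environment lookup is also unconditional: a setuid/setgid process would adopt a caller-supplied SSL_CERT_FILE/SSL_CERT_DIR as its trust anchors, which as far as I recall OpenSSL avoids by reading these variables through a secure-getenv style helper; if XGETENV maps to plain getenv, either route it through `secure_getenv` where available or document in the function comment that privileged processes must not rely on this path. The function continues past the hunk.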


@ -35198,8 +35198,10 @@ static int test_wolfSSL_X509_STORE(void)
SSL_SUCCESS);
}
else {
ExpectIntEQ(SSL_set1_verify_cert_store(ssl, store),
SSL_SUCCESS);
ExpectIntEQ(SSL_set1_verify_cert_store(ssl, store), SSL_SUCCESS);
#ifdef OPENSSL_ALL
ExpectIntEQ(SSL_CTX_set1_verify_cert_store(ctx, store), SSL_SUCCESS);
#endif
}
if (EXPECT_FAIL() || (i == 1)) {
X509_STORE_free(store);
@ -40189,9 +40191,16 @@ static int test_wolfSSL_BIO_gets(void)
char emp[] = "";
char bio_buffer[20];
int bufferSz = 20;
#ifdef OPENSSL_ALL
BUF_MEM* emp_bm = NULL;
BUF_MEM* msg_bm = NULL;
#endif
/* try with bad args */
ExpectNull(bio = BIO_new_mem_buf(NULL, sizeof(msg)));
#ifdef OPENSSL_ALL
ExpectIntEQ(BIO_set_mem_buf(bio, NULL, BIO_NOCLOSE), BAD_FUNC_ARG);
#endif
/* try with real msg */
ExpectNotNull(bio = BIO_new_mem_buf((void*)msg, -1));
@ -40213,6 +40222,42 @@ static int test_wolfSSL_BIO_gets(void)
ExpectIntEQ(BIO_gets(bio, bio_buffer, bufferSz), 8);
ExpectIntEQ(BIO_gets(bio, bio_buffer, -1), 0);
#ifdef OPENSSL_ALL
/* test setting the mem_buf manually */
BIO_free(bio);
ExpectNotNull(bio = BIO_new_mem_buf((void*)msg, -1));
ExpectNotNull(emp_bm = BUF_MEM_new());
ExpectNotNull(msg_bm = BUF_MEM_new());
ExpectIntEQ(BUF_MEM_grow(msg_bm, sizeof(msg)), sizeof(msg));
XFREE(msg_bm->data, NULL, DYNAMIC_TYPE_OPENSSL);
/* emp size is 1 for terminator */
ExpectIntEQ(BUF_MEM_grow(emp_bm, sizeof(emp)), sizeof(emp));
XFREE(emp_bm->data, NULL, DYNAMIC_TYPE_OPENSSL);
emp_bm->data = emp;
msg_bm->data = msg;
ExpectIntEQ(BIO_set_mem_buf(bio, emp_bm, BIO_CLOSE), WOLFSSL_SUCCESS);
/* check reading an empty string */
ExpectIntEQ(BIO_gets(bio, bio_buffer, bufferSz), 1); /* just terminator */
ExpectStrEQ(emp, bio_buffer);
ExpectIntEQ(BIO_gets(bio, bio_buffer, bufferSz), 0); /* Nothing to read */
/* BIO_gets reads a line of data */
ExpectIntEQ(BIO_set_mem_buf(bio, msg_bm, BIO_NOCLOSE), WOLFSSL_SUCCESS);
ExpectIntEQ(BIO_gets(bio, bio_buffer, -3), 0);
ExpectIntEQ(BIO_gets(bio, bio_buffer, bufferSz), 1);
ExpectIntEQ(BIO_gets(bio, bio_buffer, bufferSz), 14);
ExpectStrEQ(bio_buffer, "hello wolfSSL\n");
ExpectIntEQ(BIO_gets(bio, bio_buffer, bufferSz), 19);
ExpectIntEQ(BIO_gets(bio, bio_buffer, bufferSz), 8);
ExpectIntEQ(BIO_gets(bio, bio_buffer, -1), 0);
emp_bm->data = NULL;
BUF_MEM_free(emp_bm);
msg_bm->data = NULL;
BUF_MEM_free(msg_bm);
#endif
/* check not null terminated string */
BIO_free(bio);
bio = NULL;
@ -40468,12 +40513,11 @@ static int test_wolfSSL_BIO_should_retry(void)
tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 0, 0, NULL);
/* force retry */
ExpectNotNull(ssl = wolfSSL_new(ctx));
ExpectNotNull(bio = wolfSSL_BIO_new_ssl(ctx, 1));
ExpectIntEQ(BIO_get_ssl(bio, &ssl), 1);
ExpectNotNull(ssl);
ExpectIntEQ(wolfSSL_set_fd(ssl, sockfd), WOLFSSL_SUCCESS);
wolfSSL_SSLSetIORecv(ssl, forceWantRead);
ExpectNotNull(bio = BIO_new(BIO_f_ssl()));
ExpectIntEQ(BIO_set_ssl(bio, ssl, BIO_CLOSE), 1);
if (EXPECT_FAIL()) {
wolfSSL_free(ssl);
ssl = NULL;
@ -40481,6 +40525,8 @@ static int test_wolfSSL_BIO_should_retry(void)
ExpectIntLE(BIO_write(bio, msg, msgSz), 0);
ExpectIntNE(BIO_should_retry(bio), 0);
ExpectIntEQ(BIO_should_read(bio), 0);
ExpectIntEQ(BIO_should_write(bio), 0);
/* now perform successful connection */
@ -40490,9 +40536,21 @@ static int test_wolfSSL_BIO_should_retry(void)
ret = wolfSSL_get_error(ssl, -1);
if (ret == WOLFSSL_ERROR_WANT_READ || ret == WOLFSSL_ERROR_WANT_WRITE) {
ExpectIntNE(BIO_should_retry(bio), 0);
if (ret == WOLFSSL_ERROR_WANT_READ)
ExpectIntEQ(BIO_should_read(bio), 1);
else
ExpectIntEQ(BIO_should_read(bio), 0);
if (ret == WOLFSSL_ERROR_WANT_WRITE)
ExpectIntEQ(BIO_should_write(bio), 1);
else
ExpectIntEQ(BIO_should_write(bio), 0);
}
else {
ExpectIntEQ(BIO_should_retry(bio), 0);
ExpectIntEQ(BIO_should_read(bio), 0);
ExpectIntEQ(BIO_should_write(bio), 0);
}
ExpectIntEQ(XMEMCMP(reply, "I hear you fa shizzle!",
XSTRLEN("I hear you fa shizzle!")), 0);
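Review bot: In test_wolfSSL_BIO_should_retry, after the new `bio = wolfSSL_BIO_new_ssl(ctx, 1)` the WOLFSSL object is owned by the BIO (wolfSSL_BIO_new_ssl attaches it with BIO_CLOSE), yet the `EXPECT_FAIL()` cleanup that follows still calls `wolfSSL_free(ssl)` on the pointer obtained from BIO_get_ssl; if the bio is also freed later on that path, that is a double free. Set `ssl = NULL;` there without freeing and let BIO_free release it. Whether `ssl = wolfSSL_new(ctx)` at the top of that hunk is removed or retained cannot be told from the rendering; if it survives as context, that object is overwritten by BIO_get_ssl and leaked.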


@ -1342,6 +1342,14 @@ int wolfSSL_CryptHwMutexUnLock(void)
compat_mutex_cb = cb;
return 0;
}
/* Gets the current callback function in use for locking/unlocking mutex
*
*/
mutex_cb* wc_GetMutexCb(void)
{
return compat_mutex_cb;
}
#endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) */
#ifdef SINGLE_THREADED


@ -5804,10 +5804,14 @@ struct WOLFSSL {
* Always use SSL specific objects when available and revert to CTX otherwise.
*/
#ifdef WOLFSSL_LOCAL_X509_STORE
#define SSL_CM(ssl) ((ssl)->x509_store_pt ? (ssl)->x509_store_pt->cm : (ssl)->ctx->cm)
#define SSL_CM(ssl) ((ssl)->x509_store_pt ? (ssl)->x509_store_pt->cm : \
((ssl)->ctx->x509_store_pt ? (ssl)->ctx->x509_store_pt->cm : \
(ssl)->ctx->cm))
#define SSL_STORE(ssl) ((ssl)->x509_store_pt ? (ssl)->x509_store_pt : \
((ssl)->ctx->x509_store_pt ? (ssl)->ctx->x509_store_pt : \
&(ssl)->ctx->x509_store))
#define CTX_STORE(ssl) ((ctx)->x509_store_pt ? (ctx)->x509_store_pt : \
&(ctx)->x509_store)
#else
#define SSL_CM(ssl) (ssl)->ctx->cm
#endif
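Review bot: CTX_STORE is declared with parameter `ssl` but its body references `ctx`, so the macro ignores its argument and only expands correctly where the caller's variable happens to be named ctx (as in wolfSSL_CTX_set1_verify_cert_store); it should read `#define CTX_STORE(ctx) ((ctx)->x509_store_pt ? (ctx)->x509_store_pt : &(ctx)->x509_store)`. Note also that the new SSL_STORE/CTX_STORE macros live under WOLFSSL_LOCAL_X509_STORE while their only visible user in this commit is guarded by OPENSSL_ALL; if those two guards can differ in some configuration, the `#else` branch needs fallbacks for them as it already has for SSL_CM.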


@ -52,6 +52,9 @@
#define BIO_ctrl_pending wolfSSL_BIO_ctrl_pending
#define BIO_wpending wolfSSL_BIO_wpending
#define BIO_get_mem_ptr wolfSSL_BIO_get_mem_ptr
#ifdef OPENSSL_ALL
#define BIO_set_mem_buf wolfSSL_BIO_set_mem_buf
#endif
#define BIO_int_ctrl wolfSSL_BIO_int_ctrl
#define BIO_reset wolfSSL_BIO_reset
#define BIO_s_file wolfSSL_BIO_s_file
@ -79,6 +82,8 @@
#define BIO_puts wolfSSL_BIO_puts
#define BIO_should_retry wolfSSL_BIO_should_retry
#define BIO_should_read wolfSSL_BIO_should_read
#define BIO_should_write wolfSSL_BIO_should_write
#define BIO_TYPE_FILE WOLFSSL_BIO_FILE
#define BIO_TYPE_BIO WOLFSSL_BIO_BIO


@ -97,7 +97,7 @@ WOLFSSL_API int wolfSSL_OPENSSL_init_crypto(word64 opts, const OPENSSL_INIT_SETT
#define SSLeay wolfSSLeay
#define OpenSSL_version_num wolfSSL_OpenSSL_version_num
#ifdef WOLFSSL_QT
#if defined(WOLFSSL_QT) || defined(WOLFSSL_HITCH)
#define SSLEAY_VERSION 0x10001000L
#else
#define SSLEAY_VERSION 0x0090600fL


@ -165,6 +165,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
#define CRYPTO_WRITE 0x08
#define CRYPTO_set_locking_callback wolfSSL_set_locking_callback
#define CRYPTO_get_locking_callback wolfSSL_get_locking_callback
#define CRYPTO_set_dynlock_create_callback wolfSSL_set_dynlock_create_callback
#define CRYPTO_set_dynlock_lock_callback wolfSSL_set_dynlock_lock_callback
#define CRYPTO_set_dynlock_destroy_callback wolfSSL_set_dynlock_destroy_callback
@ -783,6 +784,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define BIO_method_type wolfSSL_BIO_method_type
#define BIO_set_ssl wolfSSL_BIO_set_ssl
#define BIO_get_ssl wolfSSL_BIO_get_ssl
#define BIO_new_ssl wolfSSL_BIO_new_ssl
#define BIO_new_ssl_connect wolfSSL_BIO_new_ssl_connect
#define BIO_set_conn_hostname wolfSSL_BIO_set_conn_hostname
#define BIO_eof wolfSSL_BIO_eof
@ -899,6 +901,9 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
#define SSL_CTX_set_client_CA_list wolfSSL_CTX_set_client_CA_list
#define SSL_CTX_set_client_cert_cb wolfSSL_CTX_set_client_cert_cb
#define SSL_CTX_set_cert_store wolfSSL_CTX_set_cert_store
#ifdef OPENSSL_ALL
#define SSL_CTX_set1_verify_cert_store wolfSSL_CTX_set1_verify_cert_store
#endif
#define SSL_set0_verify_cert_store wolfSSL_set0_verify_cert_store
#define SSL_set1_verify_cert_store wolfSSL_set1_verify_cert_store
#define SSL_CTX_get_cert_store(x) wolfSSL_CTX_get_cert_store ((WOLFSSL_CTX*) (x))
@ -1269,6 +1274,7 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE;
#define SSL_CTRL_SET_GROUPS 91
#define SSL_CTRL_GET_PEER_TMP_KEY 109
#define SSL_CTRL_GET_SERVER_TMP_KEY SSL_CTRL_GET_PEER_TMP_KEY
#define SSL_CTRL_GET_CHAIN_CERTS 115
#define SSL_CTRL_SET_MIN_PROTO_VERSION 123
#define SSL_CTRL_SET_MAX_PROTO_VERSION 124
#define SSL_CTRL_GET_MIN_PROTO_VERSION 125


@ -1740,6 +1740,8 @@ WOLFSSL_API void wolfSSL_BIO_set_shutdown(WOLFSSL_BIO* bio, int shut);
WOLFSSL_API int wolfSSL_BIO_get_shutdown(WOLFSSL_BIO* bio);
WOLFSSL_API void wolfSSL_BIO_clear_retry_flags(WOLFSSL_BIO* bio);
WOLFSSL_API int wolfSSL_BIO_should_retry(WOLFSSL_BIO *bio);
WOLFSSL_API int wolfSSL_BIO_should_read(WOLFSSL_BIO *bio);
WOLFSSL_API int wolfSSL_BIO_should_write(WOLFSSL_BIO *bio);
WOLFSSL_API WOLFSSL_BIO_METHOD *wolfSSL_BIO_meth_new(int type, const char* name);
WOLFSSL_API void wolfSSL_BIO_meth_free(WOLFSSL_BIO_METHOD* biom);
@ -1775,6 +1777,9 @@ WOLFSSL_API long wolfSSL_BIO_set_conn_hostname(WOLFSSL_BIO* b, char* name);
WOLFSSL_API long wolfSSL_BIO_set_conn_port(WOLFSSL_BIO *b, char* port);
WOLFSSL_API long wolfSSL_BIO_do_connect(WOLFSSL_BIO *b);
WOLFSSL_API int wolfSSL_BIO_do_accept(WOLFSSL_BIO *b);
#ifdef OPENSSL_ALL
WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_ssl(WOLFSSL_CTX* ctx, int client);
#endif
WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_ssl_connect(WOLFSSL_CTX* ctx);
WOLFSSL_API long wolfSSL_BIO_do_handshake(WOLFSSL_BIO *b);
@ -1797,6 +1802,10 @@ WOLFSSL_API int wolfSSL_BIO_tell(WOLFSSL_BIO* bio);
WOLFSSL_API int wolfSSL_BIO_write_filename(WOLFSSL_BIO *bio, char *name);
WOLFSSL_API long wolfSSL_BIO_set_mem_eof_return(WOLFSSL_BIO *bio, int v);
WOLFSSL_API long wolfSSL_BIO_get_mem_ptr(WOLFSSL_BIO *bio, WOLFSSL_BUF_MEM **m);
#ifdef OPENSSL_ALL
WOLFSSL_API int wolfSSL_BIO_set_mem_buf(WOLFSSL_BIO* bio, WOLFSSL_BUF_MEM* bufMem,
int closeFlag);
#endif
WOLFSSL_API int wolfSSL_BIO_get_len(WOLFSSL_BIO *bio);
#endif
@ -1818,6 +1827,8 @@ WOLFSSL_API unsigned long wolfSSL_thread_id(void);
WOLFSSL_API void wolfSSL_set_id_callback(unsigned long (*f)(void));
WOLFSSL_API void wolfSSL_set_locking_callback(void (*f)(int, int, const char*,
int));
WOLFSSL_API void (*wolfSSL_get_locking_callback(void))(int, int, const char*,
int);
WOLFSSL_API void wolfSSL_set_dynlock_create_callback(WOLFSSL_dynlock_value* (*f)
(const char*, int));
WOLFSSL_API void wolfSSL_set_dynlock_lock_callback(void (*f)(int,
@ -4349,6 +4360,10 @@ WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509) *wolfSSL_get0_verified_chain(
const WOLFSSL *ssl);
WOLFSSL_API void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx,
WOLFSSL_X509_STORE* str);
#ifdef OPENSSL_ALL
WOLFSSL_API int wolfSSL_CTX_set1_verify_cert_store(WOLFSSL_CTX* ctx,
WOLFSSL_X509_STORE* str);
#endif
WOLFSSL_API int wolfSSL_set0_verify_cert_store(WOLFSSL *ssl,
WOLFSSL_X509_STORE* str);
WOLFSSL_API int wolfSSL_set1_verify_cert_store(WOLFSSL *ssl,


@ -447,6 +447,7 @@ typedef void (mutex_cb)(int flag, int type, const char* file, int line);
WOLFSSL_API int wc_LockMutex_ex(int flag, int type, const char* file, int line);
WOLFSSL_API int wc_SetMutexCb(mutex_cb* cb);
WOLFSSL_API mutex_cb* wc_GetMutexCb(void);
#endif
/* main crypto initialization function */