Skip to content

Commit

Permalink
Fixes from compatibility header decoupling PR wolfSSL#8182. Fixes iss…
Browse files Browse the repository at this point in the history
…ue with wolfEngine and wolfProvider. Change behavior for openssl compatibility headers to be installed unless `--enable-opensslextra=noinstall` is used. Removed dependency on X509 small with SESSION_CERTS, KEEP_PEER_CERTS and KEEP_OUR_CERT.
  • Loading branch information
dgarske committed Nov 21, 2024
1 parent 39d4832 commit 3444d5c
Show file tree
Hide file tree
Showing 5 changed files with 74 additions and 55 deletions.
4 changes: 2 additions & 2 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -2298,7 +2298,7 @@ fi

# OPENSSL Extra Compatibility
AC_ARG_ENABLE([opensslextra],
[AS_HELP_STRING([--enable-opensslextra],[Enable extra OpenSSL API, size+ (default: disabled)])],
[AS_HELP_STRING([--enable-opensslextra],[Enable extra OpenSSL API, size+ (default: disabled). Skip compat header install using "noinstall"])],
[ ENABLED_OPENSSLEXTRA=$enableval ],
[ ENABLED_OPENSSLEXTRA=no ]
)
Expand Down Expand Up @@ -9859,7 +9859,7 @@ fi
# Some of these affect build targets and objects, some trigger different
# test scripts for make check.
AM_CONDITIONAL([BUILD_DISTRO],[test "x$ENABLED_DISTRO" = "xyes"])
AM_CONDITIONAL([BUILD_OPENSSL_COMPAT],[test "x$ENABLED_OPENSSLEXTRA" != "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"])
AM_CONDITIONAL([BUILD_OPENSSL_COMPAT],[test "x$ENABLED_OPENSSLEXTRA" != "xnoinstall"])
AM_CONDITIONAL([BUILD_ALL],[test "x$ENABLED_ALL" = "xyes"])
AM_CONDITIONAL([BUILD_TLS13],[test "x$ENABLED_TLS13" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_RNG],[test "x$ENABLED_RNG" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
Expand Down
19 changes: 11 additions & 8 deletions src/x509.c
Original file line number Diff line number Diff line change
Expand Up @@ -3295,6 +3295,7 @@ int wolfSSL_X509_pubkey_digest(const WOLFSSL_X509 *x509,
#endif /* OPENSSL_EXTRA */

#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
defined(KEEP_OUR_CERT) || \
defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)

/* user externally called free X509, if dynamic go ahead with free, otherwise
Expand All @@ -3317,9 +3318,6 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
if (ret != 0) {
WOLFSSL_MSG("Couldn't lock x509 mutex");
}
#endif /* OPENSSL_EXTRA_X509_SMALL || OPENSSL_EXTRA */

#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
if (doFree)
#endif /* OPENSSL_EXTRA_X509_SMALL || OPENSSL_EXTRA */
{
Expand All @@ -3337,10 +3335,13 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
WOLFSSL_ABI
void wolfSSL_X509_free(WOLFSSL_X509* x509)
{
WOLFSSL_ENTER("wolfSSL_FreeX509");
WOLFSSL_ENTER("wolfSSL_X509_free");
ExternalFreeX509(x509);
}
#endif

#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)

/* copy name into in buffer, at most sz bytes, if buffer is null will
malloc buffer, call responsible for freeing */
Expand Down Expand Up @@ -3766,7 +3767,7 @@ int wolfSSL_X509_NAME_entry_count(WOLFSSL_X509_NAME* name)
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */

#if defined(OPENSSL_EXTRA) || \
defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT)

/* return the next, if any, altname from the peer cert */
WOLFSSL_ABI
Expand Down Expand Up @@ -5354,7 +5355,8 @@ WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer(
}
#endif

#endif /* KEEP_PEER_CERT || SESSION_CERTS */
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_PEER_CERT || \
SESSION_CERTS */

#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(KEEP_PEER_CERT) || \
defined(SESSION_CERTS)
Expand Down Expand Up @@ -14405,7 +14407,7 @@ int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject)
#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */

#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \
defined(KEEP_PEER_CERT)
defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x)
{
WOLFSSL_ENTER("wolfSSL_X509_dup");
Expand All @@ -14423,7 +14425,8 @@ WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x)
return wolfSSL_X509_d2i_ex(NULL, x->derCert->buffer, x->derCert->length,
x->heap);
}
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_PEER_CERT || \
SESSION_CERTS */

#if defined(OPENSSL_EXTRA)
int wolfSSL_X509_check_ca(WOLFSSL_X509 *x509)
Expand Down
2 changes: 2 additions & 0 deletions src/x509_str.c
Original file line number Diff line number Diff line change
Expand Up @@ -221,7 +221,9 @@ int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx,
wolfSSL_sk_X509_free(ctx->chain);
ctx->chain = NULL;
}
#ifdef SESSION_CERTS
ctx->sesChain = NULL;
#endif
ctx->domain = NULL;
#ifdef HAVE_EX_DATA
XMEMSET(&ctx->ex_data, 0, sizeof(ctx->ex_data));
Expand Down
97 changes: 59 additions & 38 deletions wolfssl/ssl.h
Original file line number Diff line number Diff line change
Expand Up @@ -553,14 +553,16 @@ struct WOLFSSL_X509_STORE_CTX {
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
WOLFSSL_X509_STORE* store; /* Store full of a CA cert chain */
WOLFSSL_X509* current_cert; /* current X509 (OPENSSL_EXTRA) */
#if defined(WOLFSSL_ASIO) || defined(OPENSSL_EXTRA)
#if defined(WOLFSSL_ASIO) || defined(OPENSSL_EXTRA)
WOLFSSL_X509* current_issuer; /* asio dereference */
#endif
#endif
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
WOLFSSL_X509_CHAIN* sesChain; /* pointer to WOLFSSL_SESSION peer chain */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
WOLFSSL_STACK* chain;
#ifdef OPENSSL_EXTRA
#ifdef OPENSSL_EXTRA
WOLFSSL_X509_VERIFY_PARAM* param; /* certificate validation parameter */
#endif
#endif
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */

char* domain; /* subject CN domain name */
Expand Down Expand Up @@ -1408,11 +1410,6 @@ WOLFSSL_API int wolfSSL_GetSessionIndex(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_GetSessionAtIndex(int index, WOLFSSL_SESSION* session);
#endif /* SESSION_INDEX */

#ifdef SESSION_CERTS
WOLFSSL_API
WOLFSSL_X509_CHAIN* wolfSSL_SESSION_get_peer_chain(WOLFSSL_SESSION* session);
WOLFSSL_API WOLFSSL_X509* wolfSSL_SESSION_get0_peer(WOLFSSL_SESSION* session);
#endif /* SESSION_CERTS */

#ifdef OPENSSL_EXTRA
/* compatibility callback for TLS state */
Expand Down Expand Up @@ -1864,9 +1861,6 @@ WOLFSSL_API int wolfSSL_sk_X509_EXTENSION_num(WOLF_STACK_OF(WOLFSSL_X509_EXTENSI
WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_sk_X509_EXTENSION_value(
const WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk, int idx);

WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new_ex(void* heap);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x);
#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
WOLFSSL_API int wolfSSL_RSA_up_ref(WOLFSSL_RSA* rsa);
WOLFSSL_API int wolfSSL_X509_up_ref(WOLFSSL_X509* x509);
Expand Down Expand Up @@ -2101,7 +2095,6 @@ WOLFSSL_API unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x5
WOLFSSL_API int wolfSSL_X509_ext_isSet_by_NID(WOLFSSL_X509* x509, int nid);
WOLFSSL_API int wolfSSL_X509_ext_get_critical_by_NID(WOLFSSL_X509* x509, int nid);
WOLFSSL_API int wolfSSL_X509_EXTENSION_set_critical(WOLFSSL_X509_EXTENSION* ex, int crit);
WOLFSSL_API int wolfSSL_X509_get_isCA(WOLFSSL_X509* x509);
WOLFSSL_API int wolfSSL_X509_get_isSet_pathLength(WOLFSSL_X509* x509);
WOLFSSL_API unsigned int wolfSSL_X509_get_pathLength(WOLFSSL_X509* x509);
WOLFSSL_API unsigned int wolfSSL_X509_get_keyUsage(WOLFSSL_X509* x509);
Expand Down Expand Up @@ -2164,11 +2157,6 @@ WOLFSSL_API int wolfSSL_ASN1_STRING_copy(WOLFSSL_ASN1_STRING* dst,
const WOLFSSL_ASN1_STRING* src);
WOLFSSL_API int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx);
WOLFSSL_API const char* wolfSSL_X509_verify_cert_error_string(long err);
WOLFSSL_API int wolfSSL_X509_get_signature_type(WOLFSSL_X509* x509);
WOLFSSL_API int wolfSSL_X509_get_signature(WOLFSSL_X509* x509, unsigned char* buf, int* bufSz);
WOLFSSL_API int wolfSSL_X509_get_pubkey_buffer(WOLFSSL_X509* x509, unsigned char* buf,
int* bufSz);
WOLFSSL_API int wolfSSL_X509_get_pubkey_type(WOLFSSL_X509* x509);

WOLFSSL_API int wolfSSL_X509_LOOKUP_add_dir(WOLFSSL_X509_LOOKUP* lookup,const char* dir,long type);
WOLFSSL_API int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup, const char* file,
Expand Down Expand Up @@ -2774,10 +2762,6 @@ WOLFSSL_API void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx);
WOLFSSL_API long wolfSSL_set_options(WOLFSSL *s, long op);
WOLFSSL_API long wolfSSL_get_options(const WOLFSSL *s);

WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name(
WOLFSSL_X509* cert);
WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(
WOLFSSL_X509* cert);
WOLFSSL_ABI WOLFSSL_API char* wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME* name,
char* in, int sz);

Expand Down Expand Up @@ -3118,6 +3102,21 @@ WOLFSSL_API unsigned long wolfSSL_SESSION_get_ticket_lifetime_hint(
WOLFSSL_API long wolfSSL_SESSION_get_timeout(const WOLFSSL_SESSION* session);
WOLFSSL_API long wolfSSL_SESSION_get_time(const WOLFSSL_SESSION* session);


#ifdef SESSION_CERTS
#ifdef OPENSSL_EXTRA
WOLFSSL_API const char *wolfSSL_get0_peername(WOLFSSL *ssl);
#endif

WOLFSSL_API
WOLFSSL_X509_CHAIN* wolfSSL_SESSION_get_peer_chain(WOLFSSL_SESSION* session);
WOLFSSL_API WOLFSSL_X509* wolfSSL_SESSION_get0_peer(WOLFSSL_SESSION* session);

WOLFSSL_API int wolfSSL_get_chain_cert_pem(WOLFSSL_X509_CHAIN* chain, int idx,
unsigned char* buf, int inLen, int* outLen);
#endif /* SESSION_CERTS */


/* extra ends */


Expand All @@ -3127,9 +3126,6 @@ WOLFSSL_API long wolfSSL_SESSION_get_time(const WOLFSSL_SESSION* session);
date check and signature check */
WOLFSSL_ABI WOLFSSL_API int wolfSSL_check_domain_name(WOLFSSL* ssl, const char* dn);

#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
WOLFSSL_API const char *wolfSSL_get0_peername(WOLFSSL *ssl);
#endif

/* need to call once to load library (session cache) */
WOLFSSL_ABI WOLFSSL_API int wolfSSL_Init(void);
Expand Down Expand Up @@ -3171,13 +3167,49 @@ WOLFSSL_API int wolfSSL_get_chain_length(WOLFSSL_X509_CHAIN* chain, int idx);
WOLFSSL_API unsigned char* wolfSSL_get_chain_cert(WOLFSSL_X509_CHAIN* chain, int idx);
/* index cert in X509 */
WOLFSSL_API WOLFSSL_X509* wolfSSL_get_chain_X509(WOLFSSL_X509_CHAIN* chain, int idx);


#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
defined(KEEP_PEER_CERT) || defined(KEEP_OUR_CERT) || defined(SESSION_CERTS)

WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new_ex(void* heap);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x);

WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name(
WOLFSSL_X509* cert);
WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(
WOLFSSL_X509* cert);

WOLFSSL_API int wolfSSL_X509_get_signature_type(WOLFSSL_X509* x509);
WOLFSSL_API int wolfSSL_X509_get_isCA(WOLFSSL_X509* x509);
WOLFSSL_API int wolfSSL_X509_get_signature(WOLFSSL_X509* x509,
unsigned char* buf, int* bufSz);
WOLFSSL_API int wolfSSL_X509_get_pubkey_buffer(WOLFSSL_X509* x509,
unsigned char* buf, int* bufSz);
WOLFSSL_API int wolfSSL_X509_get_pubkey_type(WOLFSSL_X509* x509);

#ifndef NO_FILESYSTEM
WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509*
wolfSSL_X509_load_certificate_file(const char* fname, int format);
#endif
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer(
const unsigned char* buf, int sz, int format);
#ifdef WOLFSSL_CERT_REQ
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer(
const unsigned char* buf, int sz, int format);
#endif

/* free X509 */
#define wolfSSL_FreeX509(x509) wolfSSL_X509_free((x509))
WOLFSSL_ABI WOLFSSL_API void wolfSSL_X509_free(WOLFSSL_X509* x509);

#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || KEEP_PEER_CERT || \
KEEP_OUR_CERT || SESSION_CERTS */


/* get index cert in PEM */
WOLFSSL_API int wolfSSL_get_chain_cert_pem(WOLFSSL_X509_CHAIN* chain, int idx,
unsigned char* buf, int inLen, int* outLen);

WOLFSSL_ABI WOLFSSL_API const unsigned char* wolfSSL_get_sessionID(
const WOLFSSL_SESSION* s);
WOLFSSL_API int wolfSSL_X509_get_serial_number(WOLFSSL_X509* x509,unsigned char* in,int* inOutSz);
Expand Down Expand Up @@ -3302,17 +3334,6 @@ const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const
/* connect enough to get peer cert */
WOLFSSL_API int wolfSSL_connect_cert(WOLFSSL* ssl);

#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509*
wolfSSL_X509_load_certificate_file(const char* fname, int format);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer(
const unsigned char* buf, int sz, int format);
#ifdef WOLFSSL_CERT_REQ
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer(
const unsigned char* buf, int sz, int format);
#endif
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */


#ifdef OPENSSL_EXTRA
/* PKCS12 compatibility */
Expand Down
7 changes: 0 additions & 7 deletions wolfssl/wolfcrypt/settings.h
Original file line number Diff line number Diff line change
Expand Up @@ -3721,13 +3721,6 @@ extern void uITRON4_free(void *p) ;
#define WOLFSSL_HAVE_TLS_UNIQUE
#endif

/* Keep peer cert, keep our cert and session certs requires WOLFSSL_X509 */
#if (defined(KEEP_PEER_CERT) || defined(KEEP_OUR_CERT) || \
defined(SESSION_CERTS)) && \
!defined(OPENSSL_EXTRA) && !defined(OPENSSL_EXTRA_X509_SMALL)
#define OPENSSL_EXTRA_X509_SMALL
#endif

/* WPAS Small option requires OPENSSL_EXTRA_X509_SMALL */
#if defined(WOLFSSL_WPAS_SMALL) && !defined(OPENSSL_EXTRA_X509_SMALL)
#define OPENSSL_EXTRA_X509_SMALL
Expand Down

0 comments on commit 3444d5c

Please sign in to comment.