From ef67b1c06afe5b1c18abafadea6714d2f3d9b5f1 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Wed, 20 Nov 2024 12:32:32 -0800
Subject: [PATCH] Support for building without wolfssl/openssl header files. ZD 18465
* Fix for `TlsSessionCacheGetAndLock` that was not checking the sessionIDSz, so could return a pointer to an invalid session (if 0's). Resolves issue with `test_wolfSSL_CTX_sess_set_remove_cb` test.
* Fix cast warning with `HAVE_EX_DATA` in Windows VS.
* Fix openssl_extra without PKCS12.
* Refactor the EX data crypto and session API's to gate on `HAVE_EX_DATA_CRYPTO`.
* Grouped the EX data API's in ssl.h
* Moved API's in ssl.h to separate the compatibility ones from ours.
---
 .wolfssl_known_macro_extras | 3 +
 configure.ac | 1 +
 examples/client/client.c | 3 +-
 examples/server/server.c | 13 +-
 src/ssl.c | 63 ++--
 src/ssl_certman.c | 2 +-
 src/ssl_sess.c | 35 +-
 src/x509.c | 14 +-
 tests/api.c | 27 +-
 wolfcrypt/src/signature.c | 13 +-
 wolfssl/include.am | 2 +
 wolfssl/internal.h | 25 +-
 wolfssl/openssl/ssl.h | 5 +-
 wolfssl/ssl.h | 687 +++++++++++++++++++----------------
 wolfssl/test.h | 10 +-
 wolfssl/wolfcrypt/asn.h | 21 +-
 wolfssl/wolfcrypt/settings.h | 85 +++--
 wolfssl/wolfio.h | 2 +
 18 files changed, 542 insertions(+), 469 deletions(-)
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
index b98c72e5bc..7f39547e64 100644
--- a/.wolfssl_known_macro_extras
+++ b/.wolfssl_known_macro_extras
@@ -205,6 +205,7 @@ HAVE_AESGCM_DECRYPT
 HAVE_BYTEREVERSE64
 HAVE_CERTIFICATE_STATUS_V2
 HAVE_COLDFIRE_SEC
+HAVE_CRL_UPDATE_CB
 HAVE_CSHARP
 HAVE_CURL
 HAVE_CURVE22519
@@ -215,6 +216,8 @@ HAVE_ECC512
 HAVE_ECC_CDH_CAST
 HAVE_ECC_SM2
 HAVE_ESP_CLK
+HAVE_EX_DATA_CRYPTO
+HAVE_EX_DATA_CLEANUP_HOOKS
 HAVE_FACON
 HAVE_FIPS_VERSION_PORT
 HAVE_FUZZER
diff --git a/configure.ac b/configure.ac
index 4c33e4b0d1..a35d87e8ba 100644
--- a/configure.ac
+++ b/configure.ac
@@ -9859,6 +9859,7 @@ fi # Some of these affect build targets and objects, some trigger different # test scripts for make check. AM_CONDITIONAL([BUILD_DISTRO],[test "x$ENABLED_DISTRO" = "xyes"]) +AM_CONDITIONAL([BUILD_OPENSSL_COMPAT],[test "x$ENABLED_OPENSSLEXTRA" != "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"]) AM_CONDITIONAL([BUILD_ALL],[test "x$ENABLED_ALL" = "xyes"]) AM_CONDITIONAL([BUILD_TLS13],[test "x$ENABLED_TLS13" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_RNG],[test "x$ENABLED_RNG" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) diff --git a/examples/client/client.c b/examples/client/client.c index 5c4b77610e..13f26e20fb 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -3765,7 +3765,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef NO_PSK if (usePsk) { - #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && defined(TEST_PSK_USE_SESSION) + #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ + defined(TEST_PSK_USE_SESSION) SSL_set_psk_use_session_callback(ssl, my_psk_use_session_cb); #endif } diff --git a/examples/server/server.c b/examples/server/server.c index 68647473bf..de1b56318b 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -35,6 +35,13 @@ #undef TEST_OPENSSL_COEXIST /* can't use this option with this example */ #undef OPENSSL_COEXIST /* can't use this option with this example */ +/* Force enable the compatibility macros for this example */ +#ifndef OPENSSL_EXTRA_X509_SMALL +#define OPENSSL_EXTRA_X509_SMALL +#endif +#include + +#undef OPENSSL_EXTRA_X509_SMALL #include /* name change portability layer */ #ifdef HAVE_ECC @@ -66,12 +73,6 @@ static const char *wolfsentry_config_path = NULL; #include #include -/* Force enable the compatibility macros for this example */ -#ifndef OPENSSL_EXTRA_X509_SMALL -#define OPENSSL_EXTRA_X509_SMALL -#endif -#include - #include "examples/server/server.h" #ifndef NO_WOLFSSL_SERVER 
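Review bot: `test "x$ENABLED_OPENSSLEXTRA" != "xno"` in the new BUILD_OPENSSL_COMPAT conditional is also true for an empty or unset value, unlike the neighbouring conditionals that test `= "xyes"`. If ENABLED_OPENSSLEXTRA is always initialised to a non-empty value before this line (likely, but its definition is outside the hunk) that is harmless; otherwise a bare configure run would install the compatibility headers. The negated form is presumably deliberate so that values other than plain yes/no still count as enabled, and a short comment saying so, `# any value other than "no" installs the openssl compatibility headers`, would stop the next reader from "fixing" it to `= "xyes"`.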
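Review bot: The unconditional `#undef OPENSSL_EXTRA_X509_SMALL` placed after the compatibility include in examples/server/server.c also removes the macro in builds where the library configuration already defined it, not only where the `#ifndef` block above added it. Every header included after that point, starting with the one marked "name change portability layer", is then parsed with a different configuration than the library was built with, and wolfssl/ssl.h in this same commit gates WOLFSSL_X509_STORE_CTX members on that macro, so a struct layout mismatch between the example and the library is possible in that configuration (which headers are actually affected cannot be confirmed from the hunk, as the include targets are stripped in this rendering). Only undefine what this file defined, by recording the forced definition in a sentinel macro; the sentinel name below is constructed.

```c
/* Force enable the compatibility macros for this example */
#ifndef OPENSSL_EXTRA_X509_SMALL
#define OPENSSL_EXTRA_X509_SMALL
#define SERVER_EXAMPLE_FORCED_X509_SMALL /* constructed name: we defined it */
#endif
/* … unchanged: the compatibility header #include … */
#ifdef SERVER_EXAMPLE_FORCED_X509_SMALL
#undef OPENSSL_EXTRA_X509_SMALL
#undef SERVER_EXAMPLE_FORCED_X509_SMALL
#endif
```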
diff --git a/src/ssl.c b/src/ssl.c index d7fac0e3f0..b95fb0ab8d 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10537,11 +10537,7 @@ int wolfSSL_Cleanup(void) #endif #endif -#if defined(HAVE_EX_DATA) && \ - (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || \ - defined(HAVE_LIGHTY)) || defined(HAVE_EX_DATA) || \ - defined(WOLFSSL_WPAS_SMALL) +#ifdef HAVE_EX_DATA_CRYPTO crypto_ex_cb_free(crypto_ex_cb_ctx_session); crypto_ex_cb_ctx_session = NULL; #endif @@ -17435,6 +17431,7 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname) } #endif #endif /* OPENSSL_EXTRA */ + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) const WOLFSSL_ObjectInfo wolfssl_object_info[] = { #ifndef NO_CERTS @@ -17893,7 +17890,7 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { #define WOLFSSL_OBJECT_INFO_SZ \ (sizeof(wolfssl_object_info) / sizeof(*wolfssl_object_info)) const size_t wolfssl_object_info_sz = WOLFSSL_OBJECT_INFO_SZ; -#endif +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) /* Free the dynamically allocated data. @@ -19676,11 +19673,7 @@ unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line) #endif /* OPENSSL_EXTRA */ -#if defined(HAVE_EX_DATA) && \ - (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || \ - defined(HAVE_LIGHTY)) || defined(HAVE_EX_DATA) || \ - defined(WOLFSSL_WPAS_SMALL) +#ifdef HAVE_EX_DATA_CRYPTO CRYPTO_EX_cb_ctx* crypto_ex_cb_ctx_session = NULL; static int crypto_ex_cb_new(CRYPTO_EX_cb_ctx** dst, long ctx_l, void* ctx_ptr, 
@@ -19818,14 +19811,13 @@ int wolfssl_get_ex_new_index(int class_index, long ctx_l, void* ctx_ptr, return WOLFSSL_FATAL_ERROR; return idx; } -#endif /* HAVE_EX_DATA || WOLFSSL_WPAS_SMALL */ +#endif /* HAVE_EX_DATA_CRYPTO */ -#if defined(HAVE_EX_DATA) || defined(WOLFSSL_WPAS_SMALL) void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) { WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); #ifdef HAVE_EX_DATA - if(ctx != NULL) { + if (ctx != NULL) { return wolfSSL_CRYPTO_get_ex_data(&ctx->ex_data, idx); } #else @@ -19835,6 +19827,7 @@ void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) return NULL; } +#ifdef HAVE_EX_DATA_CRYPTO int wolfSSL_CTX_get_ex_new_index(long idx, void* arg, WOLFSSL_CRYPTO_EX_new* new_func, WOLFSSL_CRYPTO_EX_dup* dup_func, @@ -19860,21 +19853,20 @@ int wolfSSL_get_ex_new_index(long argValue, void* arg, return wolfssl_get_ex_new_index(WOLF_CRYPTO_EX_INDEX_SSL, argValue, arg, cb1, cb2, cb3); } - +#endif /* HAVE_EX_DATA_CRYPTO */ int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data) { WOLFSSL_ENTER("wolfSSL_CTX_set_ex_data"); - #ifdef HAVE_EX_DATA - if (ctx != NULL) - { +#ifdef HAVE_EX_DATA_CRYPTO + if (ctx != NULL) { return wolfSSL_CRYPTO_set_ex_data(&ctx->ex_data, idx, data); } - #else +#else (void)ctx; (void)idx; (void)data; - #endif +#endif return WOLFSSL_FAILURE; } @@ -19895,7 +19887,6 @@ int wolfSSL_CTX_set_ex_data_with_cleanup( } #endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ -#endif /* defined(HAVE_EX_DATA) || defined(WOLFSSL_WPAS_SMALL) */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) 
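Review bot: wolfSSL_CTX_set_ex_data is now gated on `#ifdef HAVE_EX_DATA_CRYPTO` while wolfSSL_CTX_get_ex_data in the previous hunk, wolfSSL_set_ex_data and wolfSSL_X509_set_ex_data elsewhere in this commit all keep `#ifdef HAVE_EX_DATA`. In a build with HAVE_EX_DATA but without HAVE_EX_DATA_CRYPTO the CTX setter silently returns WOLFSSL_FAILURE while the getter still reads `ctx->ex_data`, so application data set on a context is never stored; conversely, if `ctx->ex_data` is only declared under HAVE_EX_DATA (as the WOLFSSL_X509_STORE_CTX member in wolfssl/ssl.h is), HAVE_EX_DATA_CRYPTO without HAVE_EX_DATA would not compile, unless settings.h makes one imply the other. The index-allocation functions above legitimately depend on the crypto callback machinery, but the plain setter does not; change the guard to `#ifdef HAVE_EX_DATA` to match the getter.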
@@ -19927,15 +19918,11 @@ int wolfSSL_set_app_data(WOLFSSL *ssl, void* arg) { #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ -#if defined(HAVE_EX_DATA) || defined(OPENSSL_EXTRA) || \ - defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL) - int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) { WOLFSSL_ENTER("wolfSSL_set_ex_data"); #ifdef HAVE_EX_DATA - if (ssl != NULL) - { + if (ssl != NULL) { return wolfSSL_CRYPTO_set_ex_data(&ssl->ex_data, idx, data); } #else @@ -19979,8 +19966,6 @@ void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) return 0; } -#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ - #if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) \ || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA) @@ -24048,21 +24033,17 @@ void *wolfSSL_CRYPTO_malloc(size_t num, const char *file, int line) /******************************************************************************* * START OF EX_DATA APIs ******************************************************************************/ -#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \ - (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_OPENSSH))) -void wolfSSL_CRYPTO_cleanup_all_ex_data(void){ - WOLFSSL_ENTER("CRYPTO_cleanup_all_ex_data"); +#ifdef HAVE_EX_DATA +void wolfSSL_CRYPTO_cleanup_all_ex_data(void) +{ + WOLFSSL_ENTER("wolfSSL_CRYPTO_cleanup_all_ex_data"); } -#endif -#ifdef HAVE_EX_DATA void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx) { - WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); + WOLFSSL_ENTER("wolfSSL_CRYPTO_get_ex_data"); #ifdef MAX_EX_DATA - if(ex_data && idx < MAX_EX_DATA && idx >= 0) { + if (ex_data && idx < MAX_EX_DATA && idx >= 0) { return ex_data->ex_data[idx]; } #else 
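Review bot: wolfSSL_CRYPTO_cleanup_all_ex_data, now exposed under HAVE_EX_DATA, is a no-op that only logs its entry, and nothing tells a caller porting from OpenSSL that the global ex_data teardown they expect happens elsewhere. Add a body comment stating the contract, e.g. `/* No-op kept for API compatibility: per-object ex_data is released with its owning object, and the ex_new_index registrations are freed by wolfSSL_Cleanup() under HAVE_EX_DATA_CRYPTO. */`; the wolfSSL_Cleanup part is visible in this commit's first ssl.c hunk, the per-object part should be confirmed against the session and X509 free paths. The WOLFSSL_ENTER string fixes in this hunk are welcome.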
@@ -24080,6 +24061,8 @@ int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, if (ex_data && idx < MAX_EX_DATA && idx >= 0) { #ifdef HAVE_EX_DATA_CLEANUP_HOOKS if (ex_data->ex_data_cleanup_routines[idx]) { + /* call cleanup then remove cleanup callback, + * since different value is being set */ if (ex_data->ex_data[idx]) ex_data->ex_data_cleanup_routines[idx](ex_data->ex_data[idx]); ex_data->ex_data_cleanup_routines[idx] = NULL; @@ -24114,7 +24097,9 @@ int wolfSSL_CRYPTO_set_ex_data_with_cleanup( return WOLFSSL_FAILURE; } #endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ +#endif /* HAVE_EX_DATA */ +#ifdef HAVE_EX_DATA_CRYPTO /** * Issues unique index for the class specified by class_index. * Other parameter except class_index are ignored. @@ -24140,7 +24125,7 @@ int wolfSSL_CRYPTO_get_ex_new_index(int class_index, long argl, void *argp, return wolfssl_get_ex_new_index(class_index, argl, argp, new_func, dup_func, free_func); } -#endif /* HAVE_EX_DATA */ +#endif /* HAVE_EX_DATA_CRYPTO */ /******************************************************************************* * END OF EX_DATA APIs diff --git a/src/ssl_certman.c b/src/ssl_certman.c index 76ad42a2e9..55f3c7be49 100644 --- a/src/ssl_certman.c +++ b/src/ssl_certman.c @@ -624,7 +624,7 @@ void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc) cm->verifyCallback = vc; } } -#endif /* NO_WOLFSSL_CM_VERIFY */ +#endif /* !NO_WOLFSSL_CM_VERIFY */ #ifdef WC_ASN_UNKNOWN_EXT_CB void wolfSSL_CertManagerSetUnknownExtCallback(WOLFSSL_CERT_MANAGER* cm, diff --git a/src/ssl_sess.c b/src/ssl_sess.c index 65f14e0e48..b1e03cbbbe 100644 --- a/src/ssl_sess.c +++ b/src/ssl_sess.c @@ -191,7 +191,7 @@ void EvictSessionFromCache(WOLFSSL_SESSION* session) { #ifdef HAVE_EX_DATA - int save_ownExData = session->ownExData; + byte save_ownExData = session->ownExData; session->ownExData = 1; /* Make sure ex_data access doesn't lead back * into the cache. */ #endif 
@@ -1120,7 +1120,9 @@ static int TlsSessionCacheGetAndLock(const byte *id, #else s = &sessRow->Sessions[idx]; #endif - if (s && XMEMCMP(s->sessionID, id, ID_LEN) == 0 && s->side == side) { + /* match session ID value and length */ + if (s && s->sessionIDSz == ID_LEN && s->side == side && + XMEMCMP(s->sessionID, id, ID_LEN) == 0) { *sess = s; break; } @@ -1839,7 +1841,7 @@ int AddSessionToCache(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* addSession, } preallocNonceLen = addSession->ticketNonce.len; } -#endif /* WOLFSSL_TLS13 && WOLFSL_TICKET_NONCE_MALLOC && FIPS_VERSION_GE(5,3) */ +#endif /* WOLFSSL_TLS13 && WOLFSSL_TICKET_NONCE_MALLOC && FIPS_VERSION_GE(5,3)*/ #endif /* HAVE_SESSION_TICKET */ /* Find a position for the new session in cache and use that */ @@ -1916,7 +1918,7 @@ int AddSessionToCache(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* addSession, cacheSession = &sessRow->Sessions[idx]; #endif -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO if (overwrite) { /* Figure out who owns the ex_data */ if (cacheSession->ownExData) { @@ -3108,7 +3110,7 @@ long wolfSSL_SESSION_set_time(WOLFSSL_SESSION *ses, long t) return t; } -#endif /* !NO_SESSION_CACHE && OPENSSL_EXTRA || HAVE_EXT_CACHE */ +#endif /* !NO_SESSION_CACHE && (OPENSSL_EXTRA || HAVE_EXT_CACHE) */ #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \ defined(HAVE_EX_DATA) @@ -3682,10 +3684,12 @@ WOLFSSL_SESSION* wolfSSL_NewSession(void* heap) #endif #ifdef HAVE_EX_DATA ret->ownExData = 1; + #ifdef HAVE_EX_DATA_CRYPTO if (crypto_ex_cb_ctx_session != NULL) { crypto_ex_cb_setup_new_data(ret, crypto_ex_cb_ctx_session, &ret->ex_data); } + #endif #endif } return ret; 
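Review bot: The new `s->sessionIDSz == ID_LEN` test in TlsSessionCacheGetAndLock fixes the empty-slot match described in the commit message, but it also makes any cached session whose stored ID is shorter than ID_LEN unreachable from this lookup, while `XMEMCMP(s->sessionID, id, ID_LEN)` still reads a full ID_LEN bytes of the caller's `id`. If the cache only ever holds full-length IDs (the function's signature and the rest of its body are outside the hunk, so this cannot be confirmed here) that is correct, and the comment should say why the length is fixed: `/* only full-length IDs are cached; a shorter sessionIDSz marks an empty slot */`. If shorter IDs can be cached, the comparison should use the ID length passed in with `id` rather than the constant, for both the length check and the memcmp.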
@@ -3739,7 +3743,7 @@ int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session) * @param ticketNonceBuf If not null and @avoidSysCalls is true, the copy of the * ticketNonce will happen in this pre allocated buffer * @param ticketNonceLen @ticketNonceBuf len as input, used length on output - * @param ticketNonceUsed if @ticketNonceBuf was used to copy the ticket noncet + * @param ticketNonceUsed if @ticketNonceBuf was used to copy the ticket nonce * @return WOLFSSL_SUCCESS on success * WOLFSSL_FAILURE on failure */ @@ -3964,7 +3968,7 @@ static int wolfSSL_DupSessionEx(const WOLFSSL_SESSION* input, #endif /* HAVE_SESSION_TICKET */ -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO if (input->type != WOLFSSL_SESSION_TYPE_CACHE && output->type != WOLFSSL_SESSION_TYPE_CACHE) { /* Not called with cache as that passes ownership of ex_data */ @@ -4044,7 +4048,7 @@ void wolfSSL_FreeSession(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session) WOLFSSL_MSG("wolfSSL_FreeSession full free"); -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO if (session->ownExData) { crypto_ex_cb_free_data(session, crypto_ex_cb_ctx_session, &session->ex_data); @@ -4230,8 +4234,7 @@ const byte* wolfSSL_get_sessionID(const WOLFSSL_SESSION* session) #endif -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \ - defined(HAVE_EX_DATA) +#ifdef HAVE_EX_DATA int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data) { 
@@ -4301,13 +4304,8 @@ void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION* session, int idx) #endif return ret; } -#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || HAVE_EX_DATA */ -#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \ - (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB))) -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO int wolfSSL_SESSION_get_ex_new_index(long ctx_l,void* ctx_ptr, WOLFSSL_CRYPTO_EX_new* new_func, WOLFSSL_CRYPTO_EX_dup* dup_func, WOLFSSL_CRYPTO_EX_free* free_func) @@ -4316,9 +4314,8 @@ int wolfSSL_SESSION_get_ex_new_index(long ctx_l,void* ctx_ptr, return wolfssl_get_ex_new_index(WOLF_CRYPTO_EX_INDEX_SSL_SESSION, ctx_l, ctx_ptr, new_func, dup_func, free_func); } -#endif -#endif - +#endif /* HAVE_EX_DATA_CRYPTO */ +#endif /* HAVE_EX_DATA */ #if defined(OPENSSL_ALL) || \ defined(OPENSSL_EXTRA) || defined(HAVE_STUNNEL) || \ diff --git a/src/x509.c b/src/x509.c index ff8e7c64ae..aa46164b97 100644 --- a/src/x509.c +++ b/src/x509.c @@ -14055,10 +14055,7 @@ int wolfSSL_sk_X509_num(const WOLF_STACK_OF(WOLFSSL_X509) *s) #endif /* OPENSSL_EXTRA */ -#if defined(HAVE_EX_DATA) && (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) \ - || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) \ - || defined(HAVE_LIGHTY)) - +#ifdef HAVE_EX_DATA_CRYPTO int wolfSSL_X509_get_ex_new_index(int idx, void *arg, WOLFSSL_CRYPTO_EX_new* new_func, WOLFSSL_CRYPTO_EX_dup* dup_func, @@ -14071,8 +14068,7 @@ int wolfSSL_X509_get_ex_new_index(int idx, void *arg, } #endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(WOLFSSL_WPAS_SMALL) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx) { WOLFSSL_ENTER("wolfSSL_X509_get_ex_data"); 
@@ -14091,8 +14087,7 @@ int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx, void *data) { WOLFSSL_ENTER("wolfSSL_X509_set_ex_data"); #ifdef HAVE_EX_DATA - if (x509 != NULL) - { + if (x509 != NULL) { return wolfSSL_CRYPTO_set_ex_data(&x509->ex_data, idx, data); } #else @@ -14119,8 +14114,7 @@ int wolfSSL_X509_set_ex_data_with_cleanup( return WOLFSSL_FAILURE; } #endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ - -#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #ifndef NO_ASN diff --git a/tests/api.c b/tests/api.c index 5e825055f9..451baa7103 100644 --- a/tests/api.c +++ b/tests/api.c @@ -65136,7 +65136,7 @@ static int test_wolfSSL_X509(void) ExpectNotNull(x509 = (X509 *)d2i_X509_fp(fp, (X509 **)NULL)); ExpectNotNull(x509); -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO ExpectIntEQ(wolfSSL_X509_get_ex_new_index(1, NULL, NULL, NULL, NULL), 0); #endif ExpectNull(wolfSSL_X509_get_ex_data(NULL, 1)); @@ -71980,15 +71980,12 @@ static int test_wolfSSL_SESSION_expire_downgrade(void) !defined(NO_RSA) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \ !defined(NO_SESSION_CACHE) && defined(OPENSSL_EXTRA) && \ !defined(WOLFSSL_NO_TLS12) - - WOLFSSL_CTX* ctx = NULL; callback_functions server_cbf, client_cbf; XMEMSET(&server_cbf, 0, sizeof(callback_functions)); XMEMSET(&client_cbf, 0, sizeof(callback_functions)); /* force server side to use TLS 1.2 */ - server_cbf.ctx = ctx; server_cbf.method = wolfTLSv1_2_server_method; client_cbf.method = wolfSSLv23_client_method; 
@@ -72000,9 +71997,6 @@ static int test_wolfSSL_SESSION_expire_downgrade(void) ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); - /* set the previously created session and wait till expired */ - server_cbf.ctx = ctx; - client_cbf.method = wolfSSLv23_client_method; server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_wait; @@ -72013,9 +72007,6 @@ static int test_wolfSSL_SESSION_expire_downgrade(void) ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); - /* set the previously created expired session */ - server_cbf.ctx = ctx; - client_cbf.method = wolfSSLv23_client_method; server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_set; @@ -72027,8 +72018,6 @@ static int test_wolfSSL_SESSION_expire_downgrade(void) ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); wolfSSL_SESSION_free(test_wolfSSL_SESSION_expire_sess); - wolfSSL_CTX_free(ctx); - #endif return EXPECT_RESULT(); } @@ -72112,8 +72101,8 @@ static int SessRemSslSetupCb(WOLFSSL* ssl) else { side = &sessRemCtx_Client; (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountMalloc, 1); - #if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ - !defined(NO_SESSION_CACHE_REF) +#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ + !defined(NO_SESSION_CACHE_REF) ExpectNotNull(clientSess = SSL_get1_session(ssl)); ExpectIntEQ(SSL_CTX_up_ref(clientSessCtx = SSL_get_SSL_CTX(ssl)), SSL_SUCCESS); @@ -92164,7 +92153,7 @@ static int test_CONF_CTX_FILE(void) static int test_wolfSSL_CRYPTO_get_ex_new_index(void) { EXPECT_DECLS; -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO int idx1, idx2; /* test for unsupported class index */ 
@@ -92229,15 +92218,11 @@ static int test_wolfSSL_CRYPTO_get_ex_new_index(void) ExpectIntNE(idx1, -1); ExpectIntNE(idx2, -1); ExpectIntNE(idx1, idx2); -#endif /* HAVE_EX_DATA */ +#endif /* HAVE_EX_DATA_CRYPTO */ return EXPECT_RESULT(); } -#if defined(HAVE_EX_DATA) && defined(HAVE_EXT_CACHE) && \ - (defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \ - (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB)))) +#if defined(HAVE_EX_DATA_CRYPTO) && defined(OPENSSL_EXTRA) #define SESSION_NEW_IDX_LONG 0xDEADBEEF #define SESSION_NEW_IDX_VAL ((void*)0xAEADAEAD) diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c index 09ae526b61..83c92d8156 100644 --- a/wolfcrypt/src/signature.c +++ b/wolfcrypt/src/signature.c @@ -48,6 +48,16 @@ /* Signature wrapper disabled check */ #ifndef NO_SIG_WRAPPER +#if !defined(NO_RSA) && defined(NO_ASN) + #ifndef MAX_DER_DIGEST_ASN_SZ + #define MAX_DER_DIGEST_ASN_SZ 36 + #endif + #ifndef MAX_ENCODED_SIG_SZ + #define MAX_ENCODED_SIG_SZ 1024 /* Supports 8192 bit keys */ + #endif +#endif + + #if !defined(NO_RSA) && defined(WOLFSSL_CRYPTOCELL) extern int cc310_RsaSSL_Verify(const byte* in, word32 inLen, byte* sig, RsaKey* key, CRYS_RSA_HASH_OpMode_t mode); @@ -225,7 +235,8 @@ int wc_SignatureVerifyHash( WC_ASYNC_FLAG_CALL_AGAIN); #endif if (ret >= 0) - ret = wc_RsaSSL_VerifyInline(plain_data, sig_len, &plain_ptr, (RsaKey*)key); + ret = wc_RsaSSL_VerifyInline(plain_data, sig_len, + &plain_ptr, (RsaKey*)key); } while (ret == WC_NO_ERR_TRACE(WC_PENDING_E)); if (ret >= 0 && plain_ptr) { if ((word32)ret == hash_len && diff --git a/wolfssl/include.am b/wolfssl/include.am index 4a77614785..8fba008b8a 100644 --- a/wolfssl/include.am +++ b/wolfssl/include.am @@ -3,7 +3,9 @@ # include wolfssl/wolfcrypt/include.am +if BUILD_OPENSSL_COMPAT include wolfssl/openssl/include.am +endif EXTRA_DIST+= wolfssl/sniffer_error.rc 
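Review bot: The NO_ASN fallbacks `MAX_DER_DIGEST_ASN_SZ 36` and `MAX_ENCODED_SIG_SZ 1024` added at the top of wolfcrypt/src/signature.c duplicate values that presumably live in wolfssl/wolfcrypt/asn.h, and nothing ties the two together, so a later change to the asn.h value would silently size buffers in this file differently in NO_ASN builds. Add a comment naming the source of truth, e.g. `/* fallbacks for NO_ASN builds; keep in sync with wolfssl/wolfcrypt/asn.h */`, and keep the "Supports 8192 bit keys" remark, since 1024 bytes is exactly that modulus size. The hunk also adds two blank lines after the closing `#endif`, leaving a double blank before the WOLFSSL_CRYPTOCELL block.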
diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 33b5b63926..cb070baa31 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2786,6 +2786,7 @@ typedef struct WOLFSSL_DTLS_PEERSEQ { #endif } WOLFSSL_DTLS_PEERSEQ; +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) struct WOLFSSL_BIO { WOLFSSL_BUF_MEM* mem_buf; WOLFSSL_BIO_METHOD* method; @@ -2846,6 +2847,7 @@ struct WOLFSSL_BIO { wolfSSL_Ref ref; #endif }; +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #if defined(WOLFSSL_HAVE_BIO_ADDR) && defined(OPENSSL_EXTRA) WOLFSSL_LOCAL socklen_t wolfSSL_BIO_ADDR_size(const WOLFSSL_BIO_ADDR *addr); @@ -5193,6 +5195,8 @@ typedef enum { STACK_TYPE_X509_REQ_ATTR = 18, } WOLF_STACK_TYPE; +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + struct WOLFSSL_STACK { unsigned long num; /* number of nodes in stack * (safety measure for freeing and shortcut for count) */ @@ -5228,6 +5232,8 @@ struct WOLFSSL_STACK { WOLF_STACK_TYPE type; /* Identifies type of stack. */ }; +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ + struct WOLFSSL_X509_NAME { char *name; int dynamicName; @@ -5318,7 +5324,7 @@ struct WOLFSSL_X509 { byte* rawCRLInfo; byte* CRLInfo; byte* authInfo; -#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(WOLFSSL_QT) +#ifdef WOLFSSL_ASN_CA_ISSUER byte* authInfoCaIssuer; int authInfoCaIssuerSz; #endif @@ -6527,8 +6533,10 @@ static WC_INLINE int wolfSSL_curve_is_disabled(const WOLFSSL* ssl, } #endif +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_LOCAL WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng); +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #ifndef NO_CERTS #ifndef NO_RSA 
@@ -6810,6 +6818,7 @@ WOLFSSL_LOCAL int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, WOLFSSL_LOCAL int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side); /* Set*Internal and Set*External functions */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_LOCAL int SetDsaInternal(WOLFSSL_DSA* dsa); WOLFSSL_LOCAL int SetDsaExternal(WOLFSSL_DSA* dsa); WOLFSSL_LOCAL int SetRsaExternal(WOLFSSL_RSA* rsa); @@ -6825,6 +6834,7 @@ typedef enum elem_set { WOLFSSL_LOCAL int SetDhExternal_ex(WOLFSSL_DH *dh, int elm ); WOLFSSL_LOCAL int SetDhInternal(WOLFSSL_DH* dh); WOLFSSL_LOCAL int SetDhExternal(WOLFSSL_DH *dh); +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #if !defined(NO_DH) && (!defined(NO_CERTS) || !defined(NO_PSK)) WOLFSSL_LOCAL int DhGenKeyPair(WOLFSSL* ssl, DhKey* dhKey, @@ -7005,11 +7015,7 @@ WOLFSSL_LOCAL int GetX509Error(int e); #endif #endif -#if defined(HAVE_EX_DATA) && \ - (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || \ - defined(HAVE_LIGHTY)) || defined(HAVE_EX_DATA) || \ - defined(WOLFSSL_WPAS_SMALL) +#ifdef HAVE_EX_DATA_CRYPTO typedef struct CRYPTO_EX_cb_ctx { long ctx_l; void *ctx_ptr; @@ -7018,6 +7024,7 @@ typedef struct CRYPTO_EX_cb_ctx { WOLFSSL_CRYPTO_EX_dup* dup_func; struct CRYPTO_EX_cb_ctx* next; } CRYPTO_EX_cb_ctx; + /* use wolfSSL_API visibility to be able to clear in tests/api.c */ WOLFSSL_API extern CRYPTO_EX_cb_ctx* crypto_ex_cb_ctx_session; WOLFSSL_API void crypto_ex_cb_free(CRYPTO_EX_cb_ctx* cb_ctx); @@ -7030,7 +7037,7 @@ WOLFSSL_LOCAL int crypto_ex_cb_dup_data(const WOLFSSL_CRYPTO_EX_DATA *in, WOLFSSL_LOCAL int wolfssl_get_ex_new_index(int class_index, long ctx_l, void* ctx_ptr, WOLFSSL_CRYPTO_EX_new* new_func, WOLFSSL_CRYPTO_EX_dup* dup_func, WOLFSSL_CRYPTO_EX_free* free_func); -#endif +#endif /* HAVE_EX_DATA_CRYPTO */ WOLFSSL_LOCAL WC_RNG* wolfssl_get_global_rng(void); WOLFSSL_LOCAL WC_RNG* wolfssl_make_global_rng(void); 
@@ -7042,7 +7049,7 @@ WOLFSSL_LOCAL int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* #endif #endif -#if !defined(NO_RSA) +#if !defined(NO_RSA) && defined(OPENSSL_EXTRA) WOLFSSL_LOCAL int wolfSSL_RSA_To_Der(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey, void* heap); #endif @@ -7108,11 +7115,13 @@ WOLFSSL_LOCAL int wolfssl_asn1_obj_set(WOLFSSL_ASN1_OBJECT* obj, const byte* der, word32 len, int addHdr); #endif +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_LOCAL int pkcs8_encode(WOLFSSL_EVP_PKEY* pkey, byte* key, word32* keySz); WOLFSSL_LOCAL int pkcs8_encrypt(WOLFSSL_EVP_PKEY* pkey, const WOLFSSL_EVP_CIPHER* enc, char* passwd, int passwdSz, byte* key, word32* keySz); +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 543e873821..959d1e6391 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -31,6 +31,8 @@ #include +#include + /* wolfssl_openssl compatibility layer */ #ifndef OPENSSL_EXTRA_SSL_GUARD #define OPENSSL_EXTRA_SSL_GUARD @@ -127,7 +129,8 @@ HAVE_LIGHTY || HAVE_STUNNEL || \ WOLFSSL_WPAS_SMALL */ -#if !defined(OPENSSL_COEXIST) && (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) +#if !defined(OPENSSL_COEXIST) && \ + (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) typedef WOLFSSL SSL; typedef WOLFSSL_SESSION SSL_SESSION; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index ef54647887..8ffd1213f9 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -39,8 +39,16 @@ #include #include +#if defined(HAVE_OCSP) || defined(HAVE_CRL) || (defined(WOLFSSL_CUSTOM_OID) && \ + defined(WOLFSSL_ASN_TEMPLATE) && defined(HAVE_OID_DECODING)) || \ + defined(WC_ASN_UNKNOWN_EXT_CB) +#include "wolfssl/wolfcrypt/asn.h" +#endif + /* For the types */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #include +#endif #ifdef HAVE_WOLF_EVENT #include 
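Review bot: The new `#include "wolfssl/wolfcrypt/asn.h"` in wolfssl/ssl.h uses the quoted include form, whereas the other includes in this header appear to use the angle-bracket form (their targets are stripped in this rendering, so this is inferred from the surviving quotes). The quoted form searches the including file's directory first and can pick up a stray local copy ahead of the configured include path; `#include <wolfssl/wolfcrypt/asn.h>` is the consistent spelling. The guarding expression on HAVE_OCSP, HAVE_CRL, the custom-OID triple and WC_ASN_UNKNOWN_EXT_CB is long enough that a one-line comment above it saying which declarations below need asn.h types would help the next person who has to extend it.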
@@ -184,7 +192,9 @@ typedef struct WOLFSSL_BY_DIR WOLFSSL_BY_DIR; #include /* The WOLFSSL_RSA type is required in all build configurations. */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #include +#endif #ifndef WC_RNG_TYPE_DEFINED /* guard on redeclaration */ typedef struct WC_RNG WC_RNG; @@ -245,7 +255,6 @@ typedef struct WOLFSSL_DIST_POINT WOLFSSL_DIST_POINT; typedef struct WOLFSSL_CONF_CTX WOLFSSL_CONF_CTX; -typedef int (*WOLFSSL_X509_STORE_CTX_verify_cb)(int, WOLFSSL_X509_STORE_CTX *); typedef int (*WOLFSSL_X509_STORE_CTX_get_crl_cb)(WOLFSSL_X509_STORE_CTX *, WOLFSSL_X509_CRL **, WOLFSSL_X509 *); typedef int (*WOLFSSL_X509_STORE_CTX_check_crl_cb)(WOLFSSL_X509_STORE_CTX *, @@ -476,7 +485,7 @@ struct WOLFSSL_EVP_PKEY { union { char* ptr; /* der format of key */ } pkey; -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #ifndef NO_RSA WOLFSSL_RSA* rsa; #endif 
@@ -516,6 +525,74 @@ struct WOLFSSL_EVP_PKEY { WC_BITFIELD ownRsa:1; /* if struct owns RSA and should free it */ }; + +#define WOLFSSL_ALWAYS_CHECK_SUBJECT 0x1 +#define WOLFSSL_NO_WILDCARDS 0x2 +#define WOLFSSL_NO_PARTIAL_WILDCARDS 0x4 +#define WOLFSSL_MULTI_LABEL_WILDCARDS 0x8 +/* Custom to wolfSSL, OpenSSL compat goes up to 0x20 */ +#define WOLFSSL_LEFT_MOST_WILDCARD_ONLY 0x40 + + +typedef struct WOLFSSL_BUFFER_INFO { + unsigned char* buffer; + unsigned int length; +} WOLFSSL_BUFFER_INFO; + +typedef struct WOLFSSL_BUF_MEM { + char* data; /* dereferenced */ + size_t length; /* current length */ + size_t max; /* maximum length */ +} WOLFSSL_BUF_MEM; + + +typedef int (*VerifyCallback)(int, WOLFSSL_X509_STORE_CTX*); +typedef int (*WOLFSSL_X509_STORE_CTX_verify_cb)(int, WOLFSSL_X509_STORE_CTX *); + +struct WOLFSSL_X509_STORE_CTX { +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + WOLFSSL_X509_STORE* store; /* Store full of a CA cert chain */ + WOLFSSL_X509* current_cert; /* current X509 (OPENSSL_EXTRA) */ +#if defined(WOLFSSL_ASIO) || defined(OPENSSL_EXTRA) + WOLFSSL_X509* current_issuer; /* asio dereference */ +#endif + WOLFSSL_X509_CHAIN* sesChain; /* pointer to WOLFSSL_SESSION peer chain */ + WOLFSSL_STACK* chain; +#ifdef OPENSSL_EXTRA + WOLFSSL_X509_VERIFY_PARAM* param; /* certificate validation parameter */ +#endif +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ + + char* domain; /* subject CN domain name */ +#ifdef HAVE_EX_DATA + WOLFSSL_CRYPTO_EX_DATA ex_data; /* external data */ +#endif +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_EXTRA) + int depth; /* used in X509_STORE_CTX_*_depth */ +#endif + void* userCtx; /* user ctx */ + int error; /* current error */ + int error_depth; /* index of cert depth for this error */ + int discardSessionCerts; /* so verify callback can flag for discard */ + int totalCerts; /* number of peer cert buffers */ + WOLFSSL_BUFFER_INFO* certs; /* peer certs */ + WOLFSSL_X509_STORE_CTX_verify_cb 
verify_cb; /* verify callback */ + void* heap; + int flags; + +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + WOLF_STACK_OF(WOLFSSL_X509)* owned; /* Certs owned by this CTX */ + WOLF_STACK_OF(WOLFSSL_X509)* ctxIntermediates; /* Intermediates specified + * on store ctx init */ + WOLF_STACK_OF(WOLFSSL_X509)* setTrustedSk;/* A trusted stack override + * set with + * X509_STORE_CTX_trusted_stack */ +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ +}; + + +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + struct WOLFSSL_X509_PKEY { WOLFSSL_EVP_PKEY* dec_pkey; /* dereferenced by Apache */ void* heap; @@ -582,12 +659,6 @@ enum BIO_CB_OPS { WOLFSSL_BIO_CB_RETURN = 0x80 }; -typedef struct WOLFSSL_BUF_MEM { - char* data; /* dereferenced */ - size_t length; /* current length */ - size_t max; /* maximum length */ -} WOLFSSL_BUF_MEM; - /* custom method with user set callbacks */ typedef int (*wolfSSL_BIO_meth_write_cb)(WOLFSSL_BIO*, const char*, int); typedef int (*wolfSSL_BIO_meth_read_cb)(WOLFSSL_BIO *, char *, int); @@ -679,13 +750,6 @@ struct WOLFSSL_X509_STORE { word32 numAdded; /* Number of objs in objs that are in certs sk */ }; -#define WOLFSSL_ALWAYS_CHECK_SUBJECT 0x1 -#define WOLFSSL_NO_WILDCARDS 0x2 -#define WOLFSSL_NO_PARTIAL_WILDCARDS 0x4 -#define WOLFSSL_MULTI_LABEL_WILDCARDS 0x8 -/* Custom to wolfSSL, OpenSSL compat goes up to 0x20 */ -#define WOLFSSL_LEFT_MOST_WILDCARD_ONLY 0x40 - #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) #define WOLFSSL_USE_CHECK_TIME 0x2 #define WOLFSSL_NO_CHECK_TIME 0x200000 
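Review bot: `VerifyCallback` and `WOLFSSL_X509_STORE_CTX_verify_cb` in the moved WOLFSSL_X509_STORE_CTX hunk are two typedefs with the identical signature `int (*)(int, WOLFSSL_X509_STORE_CTX*)`, placed on consecutive lines; defining the second in terms of the first, `typedef VerifyCallback WOLFSSL_X509_STORE_CTX_verify_cb;`, documents that they are the same type and keeps them from drifting. Since the struct is now defined outside the OPENSSL_EXTRA gate, the `WOLFSSL_CRYPTO_EX_DATA ex_data` member under HAVE_EX_DATA is compiled in plain builds too, so that type must be declared earlier in the header regardless of the compat macros; its declaration is not in view, so worth confirming. A short comment on the struct noting that the members after the first `#endif` are the part visible to all builds would make the gating intent clear.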
@@ -713,16 +777,6 @@ struct WOLFSSL_X509_VERIFY_PARAM { }; #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ -typedef struct WOLFSSL_ALERT { - int code; - int level; -} WOLFSSL_ALERT; - -typedef struct WOLFSSL_ALERT_HISTORY { - WOLFSSL_ALERT last_rx; - WOLFSSL_ALERT last_tx; -} WOLFSSL_ALERT_HISTORY; - typedef struct WOLFSSL_X509_REVOKED { WOLFSSL_ASN1_INTEGER* serialNumber; /* stunnel dereference */ } WOLFSSL_X509_REVOKED; 
@@ -744,46 +798,6 @@ typedef struct WOLFSSL_X509_OBJECT { #define WOLFSSL_ASN1_BOOLEAN int -typedef struct WOLFSSL_BUFFER_INFO { - unsigned char* buffer; - unsigned int length; -} WOLFSSL_BUFFER_INFO; - -struct WOLFSSL_X509_STORE_CTX { - WOLFSSL_X509_STORE* store; /* Store full of a CA cert chain */ - WOLFSSL_X509* current_cert; /* current X509 (OPENSSL_EXTRA) */ -#if defined(WOLFSSL_ASIO) || defined(OPENSSL_EXTRA) - WOLFSSL_X509* current_issuer; /* asio dereference */ -#endif - WOLFSSL_X509_CHAIN* sesChain; /* pointer to WOLFSSL_SESSION peer chain */ - WOLFSSL_STACK* chain; -#ifdef OPENSSL_EXTRA - WOLFSSL_X509_VERIFY_PARAM* param; /* certificate validation parameter */ -#endif - char* domain; /* subject CN domain name */ -#ifdef HAVE_EX_DATA - WOLFSSL_CRYPTO_EX_DATA ex_data; /* external data */ -#endif -#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_EXTRA) - int depth; /* used in X509_STORE_CTX_*_depth */ -#endif - void* userCtx; /* user ctx */ - int error; /* current error */ - int error_depth; /* index of cert depth for this error */ - int discardSessionCerts; /* so verify callback can flag for discard */ - int totalCerts; /* number of peer cert buffers */ - WOLFSSL_BUFFER_INFO* certs; /* peer certs */ - WOLFSSL_X509_STORE_CTX_verify_cb verify_cb; /* verify callback */ - void* heap; - int flags; - WOLF_STACK_OF(WOLFSSL_X509)* owned; /* Certs owned by this CTX */ - WOLF_STACK_OF(WOLFSSL_X509)* ctxIntermediates; /* Intermediates specified - * on store ctx init */ - WOLF_STACK_OF(WOLFSSL_X509)* setTrustedSk;/* A trusted stack override - * set with - * X509_STORE_CTX_trusted_stack*/ -}; - typedef char* WOLFSSL_STRING; typedef struct WOLFSSL_RAND_METHOD { 
@@ -805,6 +819,20 @@ typedef struct WOLFSSL_RAND_METHOD { int (*status)(void); } WOLFSSL_RAND_METHOD; +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ + + +typedef struct WOLFSSL_ALERT { + int code; + int level; +} WOLFSSL_ALERT; + +typedef struct WOLFSSL_ALERT_HISTORY { + WOLFSSL_ALERT last_rx; + WOLFSSL_ALERT last_tx; +} WOLFSSL_ALERT_HISTORY; + + /* Valid Alert types from page 16/17 * Add alert string to the function wolfSSL_alert_type_string_long in src/ssl.c */ @@ -1339,7 +1367,6 @@ WOLFSSL_API void wolfSSL_CTX_set_quiet_shutdown(WOLFSSL_CTX* ctx, int mode); WOLFSSL_API void wolfSSL_set_quiet_shutdown(WOLFSSL* ssl, int mode); WOLFSSL_ABI WOLFSSL_API int wolfSSL_get_error(WOLFSSL* ssl, int ret); -WOLFSSL_API int wolfSSL_get_alert_history(WOLFSSL* ssl, WOLFSSL_ALERT_HISTORY *h); WOLFSSL_ABI WOLFSSL_API int wolfSSL_set_session(WOLFSSL* ssl, WOLFSSL_SESSION* session); WOLFSSL_API long wolfSSL_SSL_SESSION_set_timeout(WOLFSSL_SESSION* ses, long t); 
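Review bot: The relocated `WOLFSSL_ALERT` / `WOLFSSL_ALERT_HISTORY` structs now sit in the unconditional part of the header with no comment on what the fields hold, and the `#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */` that precedes them closes a guard opened outside this hunk. Since this makes them part of the native API surface, a short comment would help a reader who lands here from `wolfSSL_get_alert_history()`, e.g. `/* Most recent alert in each direction: last_rx received from the peer, last_tx sent by us; filled in for wolfSSL_get_alert_history() */`. The rx/tx meaning is read from the field names only, so confirm it against the code that populates the struct before wording it that strongly.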
@@ -1381,15 +1408,43 @@ WOLFSSL_API int wolfSSL_GetSessionIndex(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_GetSessionAtIndex(int index, WOLFSSL_SESSION* session); #endif /* SESSION_INDEX */ -#if defined(SESSION_CERTS) +#ifdef SESSION_CERTS WOLFSSL_API WOLFSSL_X509_CHAIN* wolfSSL_SESSION_get_peer_chain(WOLFSSL_SESSION* session); WOLFSSL_API WOLFSSL_X509* wolfSSL_SESSION_get0_peer(WOLFSSL_SESSION* session); -#endif /* SESSION_INDEX && SESSION_CERTS */ +#endif /* SESSION_CERTS */ -typedef int (*VerifyCallback)(int, WOLFSSL_X509_STORE_CTX*); -typedef void (CallbackInfoState)(const WOLFSSL* ssl, int, int); +#ifdef OPENSSL_EXTRA +/* compatibility callback for TLS state */ +typedef void (CallbackInfoState)(const WOLFSSL* ssl, int state, int err); +#endif + + +/* ----- EX DATA BEGIN ----- */ +WOLFSSL_API void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx); +WOLFSSL_API int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data); + +#ifdef HAVE_EX_DATA +WOLFSSL_API void wolfSSL_CRYPTO_cleanup_all_ex_data(void); +WOLFSSL_API void* wolfSSL_CRYPTO_get_ex_data( + const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx); +WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data( + WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data_with_cleanup( + WOLFSSL_CRYPTO_EX_DATA* ex_data, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +WOLFSSL_API int wolfSSL_set_ex_data_with_cleanup( + WOLFSSL* ssl, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif + +#ifdef HAVE_EX_DATA_CRYPTO /* class index for wolfSSL_CRYPTO_get_ex_new_index */ #define WOLF_CRYPTO_EX_INDEX_SSL 0 #define WOLF_CRYPTO_EX_INDEX_SSL_CTX 1 
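Review bot: The `typedef int (*VerifyCallback)(int, WOLFSSL_X509_STORE_CTX*);` removed here is not re-added anywhere visible in this diff, yet `wolfSSL_CTX_set_verify` and `wolfSSL_CertManagerSetVerify` later in the file still take a `VerifyCallback`; it presumably moved earlier in the header, but that should be checked so the typedef precedes its first use in every configuration, including builds without OPENSSL_EXTRA. `CallbackInfoState` is now declared only under OPENSSL_EXTRA, so any non-compat code that named that type loses it — fine if it was only ever used by the compat layer, which is not visible here. Also `wolfSSL_get_ex_data` / `wolfSSL_set_ex_data` are now declared unconditionally while the `wolfSSL_CRYPTO_*` variants require HAVE_EX_DATA; a one-line comment on the unconditional pair stating what they do when HAVE_EX_DATA is off (what set returns, whether get yields NULL) would save callers a trip to ssl.c.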
@@ -1409,8 +1464,6 @@ typedef void (CallbackInfoState)(const WOLFSSL* ssl, int, int); #define WOLF_CRYPTO_EX_INDEX_DRBG 15 #define WOLF_CRYPTO_EX_INDEX__COUNT 16 -#ifdef HAVE_EX_DATA - /* Helper macro to log that input arguments should not be used */ #define WOLFSSL_CRYPTO_EX_DATA_IGNORE_PARAMS(a1, a2, a3, a4, a5) \ (void)(a1); \ 
@@ -1425,11 +1478,57 @@ typedef void (CallbackInfoState)(const WOLFSSL* ssl, int, int); } \ } while(0) -WOLFSSL_API int wolfSSL_get_ex_new_index(long argValue, void* arg, - WOLFSSL_CRYPTO_EX_new* a, WOLFSSL_CRYPTO_EX_dup* b, - WOLFSSL_CRYPTO_EX_free* c); +WOLFSSL_API int wolfSSL_get_ex_new_index( + long argValue, void* arg, + WOLFSSL_CRYPTO_EX_new* a, WOLFSSL_CRYPTO_EX_dup* b, + WOLFSSL_CRYPTO_EX_free* c); +WOLFSSL_API int wolfSSL_CTX_get_ex_new_index( + long idx, void* arg, + WOLFSSL_CRYPTO_EX_new* new_func, + WOLFSSL_CRYPTO_EX_dup* dup_func, + WOLFSSL_CRYPTO_EX_free* free_func); +WOLFSSL_API int wolfSSL_CRYPTO_get_ex_new_index( + int class_index, long argl, void *argp, + WOLFSSL_CRYPTO_EX_new* new_func, + WOLFSSL_CRYPTO_EX_dup* dup_func, + WOLFSSL_CRYPTO_EX_free* free_func); +WOLFSSL_API int wolfSSL_SESSION_get_ex_new_index(long ctx_l,void* ctx_ptr, + WOLFSSL_CRYPTO_EX_new* new_func, WOLFSSL_CRYPTO_EX_dup* dup_func, + WOLFSSL_CRYPTO_EX_free* free_func); +#endif /* HAVE_EX_DATA_CRYPTO */ +#endif /* HAVE_EX_DATA */ + +/* Exposed EX data API's, guarded internally by HAVE_EX_DATA */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx); +WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx, + void *data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API int wolfSSL_X509_set_ex_data_with_cleanup( + WOLFSSL_X509 *x509, + int idx, + void *data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); +#endif + +#ifdef HAVE_EX_DATA_CRYPTO +WOLFSSL_API int wolfSSL_X509_get_ex_new_index(int idx, void *arg, + WOLFSSL_CRYPTO_EX_new* new_func, + WOLFSSL_CRYPTO_EX_dup* dup_func, + WOLFSSL_CRYPTO_EX_free* free_func); +#endif +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ +WOLFSSL_API void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx); +WOLFSSL_API int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data); +#ifdef HAVE_EX_DATA_CLEANUP_HOOKS +WOLFSSL_API 
int wolfSSL_CTX_set_ex_data_with_cleanup( + WOLFSSL_CTX* ctx, + int idx, + void* data, + wolfSSL_ex_data_cleanup_routine_t cleanup_routine); #endif +/* ----- EX DATA END ----- */ WOLFSSL_ABI WOLFSSL_API void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback verify_callback); @@ -1649,7 +1748,9 @@ WOLFSSL_API const char* wolfSSL_ERR_reason_error_string(unsigned long e); WOLFSSL_API const char* wolfSSL_ERR_func_error_string(unsigned long e); WOLFSSL_API const char* wolfSSL_ERR_lib_error_string(unsigned long e); -/* extras */ +/* -------- EXTRAS BEGIN -------- */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio); WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_new_node(void* heap); WOLFSSL_API void wolfSSL_sk_free(WOLFSSL_STACK* sk); @@ -1661,16 +1762,11 @@ WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_get_node(WOLFSSL_STACK* sk, int idx); WOLFSSL_API int wolfSSL_sk_push(WOLFSSL_STACK *st, const void *data); WOLFSSL_API int wolfSSL_sk_insert(WOLFSSL_STACK *sk, const void *data, int idx); -#if defined(HAVE_OCSP) || defined(HAVE_CRL) || (defined(WOLFSSL_CUSTOM_OID) && \ - defined(WOLFSSL_ASN_TEMPLATE) && defined(HAVE_OID_DECODING)) -#include "wolfssl/wolfcrypt/asn.h" -#endif - #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(WOLFSSL_QT) WOLFSSL_API int wolfSSL_sk_ACCESS_DESCRIPTION_push( WOLF_STACK_OF(ACCESS_DESCRIPTION)* sk, WOLFSSL_ACCESS_DESCRIPTION* a); -#endif /* defined(OPENSSL_ALL) || OPENSSL_EXTRA || defined(WOLFSSL_QT) */ +#endif /* OPENSSL_ALL || OPENSSL_EXTRA || WOLFSSL_QT */ typedef WOLF_STACK_OF(WOLFSSL_GENERAL_NAME) WOLFSSL_GENERAL_NAMES; typedef WOLF_STACK_OF(WOLFSSL_DIST_POINT) WOLFSSL_DIST_POINTS; 
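Review bot: The `*_get_ex_new_index` prototypes now require HAVE_EX_DATA_CRYPTO in addition to HAVE_EX_DATA, so a consumer that enables HAVE_EX_DATA directly in user_settings.h and does not know the new macro silently loses `wolfSSL_CTX_get_ex_new_index`, `wolfSSL_SESSION_get_ex_new_index` and `wolfSSL_X509_get_ex_new_index`, and any compat macro mapping onto them becomes an implicit declaration. Unless settings.h now derives HAVE_EX_DATA_CRYPTO from HAVE_EX_DATA, add a comment at `/* ----- EX DATA BEGIN ----- */` naming the macros a build must define, e.g. `/* HAVE_EX_DATA: get/set ex_data; HAVE_EX_DATA_CRYPTO: *_get_ex_new_index; HAVE_EX_DATA_CLEANUP_HOOKS: *_with_cleanup variants */`. The X509 ex_data declarations here also drop the WOLFSSL_WPAS_SMALL alternative of the guard they replace; confirm that wpa_supplicant builds define OPENSSL_EXTRA_X509_SMALL. Finally, `wolfSSL_X509_get_ex_new_index` keeps `int idx` where its grouped siblings take `long` — pre-existing, but now that they sit together the mismatch is visible and deserves a comment if it is kept for ABI reasons.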
@@ -1765,57 +1861,6 @@ WOLFSSL_API int wolfSSL_ASN1_UNIVERSALSTRING_to_string(WOLFSSL_ASN1_STRING *s); WOLFSSL_API int wolfSSL_sk_X509_EXTENSION_num(WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk); WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_sk_X509_EXTENSION_value( const WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk, int idx); -WOLFSSL_API int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data); -#ifdef HAVE_EX_DATA_CLEANUP_HOOKS -WOLFSSL_API int wolfSSL_set_ex_data_with_cleanup( - WOLFSSL* ssl, - int idx, - void* data, - wolfSSL_ex_data_cleanup_routine_t cleanup_routine); -#endif -WOLFSSL_API int wolfSSL_get_shutdown(const WOLFSSL* ssl); -WOLFSSL_API int wolfSSL_set_rfd(WOLFSSL* ssl, int rfd); -WOLFSSL_API int wolfSSL_set_wfd(WOLFSSL* ssl, int wfd); -WOLFSSL_API void wolfSSL_set_shutdown(WOLFSSL* ssl, int opt); -WOLFSSL_API int wolfSSL_set_session_id_context(WOLFSSL* ssl, const unsigned char* id, - unsigned int len); -WOLFSSL_API void wolfSSL_set_connect_state(WOLFSSL* ssl); -WOLFSSL_API void wolfSSL_set_accept_state(WOLFSSL* ssl); -WOLFSSL_API int wolfSSL_session_reused(WOLFSSL* ssl); -#ifdef OPENSSL_EXTRA -/* using unsigned char instead of uint8_t here to avoid stdint include */ -WOLFSSL_API unsigned char wolfSSL_SESSION_get_max_fragment_length( - WOLFSSL_SESSION* session); -#endif -WOLFSSL_API int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session); -WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session); -WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_new(void); -WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_new_ex(void* heap); -WOLFSSL_API void wolfSSL_SESSION_free(WOLFSSL_SESSION* session); -WOLFSSL_API int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, - WOLFSSL_SESSION* session); -WOLFSSL_API int wolfSSL_SESSION_set_cipher(WOLFSSL_SESSION* session, - const WOLFSSL_CIPHER* cipher); -WOLFSSL_API int wolfSSL_is_init_finished(const WOLFSSL* ssl); - -WOLFSSL_API const char* wolfSSL_get_version(const WOLFSSL* ssl); -WOLFSSL_API int 
wolfSSL_get_current_cipher_suite(WOLFSSL* ssl); -WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_get_current_cipher(WOLFSSL* ssl); -WOLFSSL_API char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER* cipher, char* in, int len); -WOLFSSL_API const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher); -WOLFSSL_API const char* wolfSSL_CIPHER_get_version(const WOLFSSL_CIPHER* cipher); -WOLFSSL_API word32 wolfSSL_CIPHER_get_id(const WOLFSSL_CIPHER* cipher); -WOLFSSL_API int wolfSSL_CIPHER_get_auth_nid(const WOLFSSL_CIPHER* cipher); -WOLFSSL_API int wolfSSL_CIPHER_get_cipher_nid(const WOLFSSL_CIPHER* cipher); -WOLFSSL_API int wolfSSL_CIPHER_get_digest_nid(const WOLFSSL_CIPHER* cipher); -WOLFSSL_API int wolfSSL_CIPHER_get_kx_nid(const WOLFSSL_CIPHER* cipher); -WOLFSSL_API int wolfSSL_CIPHER_is_aead(const WOLFSSL_CIPHER* cipher); -WOLFSSL_API const WOLFSSL_CIPHER* wolfSSL_get_cipher_by_value(word16 value); -WOLFSSL_API const char* wolfSSL_SESSION_CIPHER_get_name(const WOLFSSL_SESSION* session); -WOLFSSL_API const char* wolfSSL_get_cipher(WOLFSSL* ssl); -WOLFSSL_API void wolfSSL_sk_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk); -WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl); -WOLFSSL_API int wolfSSL_SessionIsSetup(WOLFSSL_SESSION* session); WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void); WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new_ex(void* heap); 
@@ -2045,17 +2090,11 @@ WOLFSSL_API void wolfSSL_X509_get0_signature(const WOLFSSL_ASN1_BIT_STRING **psi const WOLFSSL_X509_ALGOR **palg, const WOLFSSL_X509 *x509); WOLFSSL_API int wolfSSL_X509_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509); WOLFSSL_API int wolfSSL_X509_REQ_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509); -WOLFSSL_ABI WOLFSSL_API char* wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME* name, - char* in, int sz); WOLFSSL_API unsigned long wolfSSL_X509_NAME_hash(WOLFSSL_X509_NAME* name); #if defined(OPENSSL_EXTRA) && defined(XSNPRINTF) WOLFSSL_API char* wolfSSL_X509_get_name_oneline(WOLFSSL_X509_NAME* name, char* in, int sz); #endif -WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name( - WOLFSSL_X509* cert); WOLFSSL_API unsigned long wolfSSL_X509_issuer_name_hash(const WOLFSSL_X509* x509); -WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name( - WOLFSSL_X509* cert); WOLFSSL_API unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509); WOLFSSL_API int wolfSSL_X509_ext_isSet_by_NID(WOLFSSL_X509* x509, int nid); WOLFSSL_API int wolfSSL_X509_ext_get_critical_by_NID(WOLFSSL_X509* x509, int nid); @@ -2161,11 +2200,8 @@ WOLFSSL_API int wolfSSL_X509_STORE_get_by_subject(WOLFSSL_X509_STORE_CT int idx, WOLFSSL_X509_NAME* name, WOLFSSL_X509_OBJECT* obj); WOLFSSL_API WOLFSSL_X509_VERIFY_PARAM *wolfSSL_X509_STORE_CTX_get0_param( WOLFSSL_X509_STORE_CTX *ctx); -WOLFSSL_API WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new(void); -WOLFSSL_API WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new_ex(void* heap); WOLFSSL_API int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509, WOLF_STACK_OF(WOLFSSL_X509)*); -WOLFSSL_API void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx); WOLFSSL_API void wolfSSL_X509_STORE_CTX_cleanup(WOLFSSL_X509_STORE_CTX* ctx); WOLFSSL_API void wolfSSL_X509_STORE_CTX_trusted_stack(WOLFSSL_X509_STORE_CTX *ctx, WOLF_STACK_OF(WOLFSSL_X509) *sk); 
@@ -2356,14 +2392,6 @@ WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_error( WOLFSSL_X509_STORE_CTX* ctx, int er); void wolfSSL_X509_STORE_CTX_set_error_depth(WOLFSSL_X509_STORE_CTX* ctx, int depth); -WOLFSSL_API void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx); - -WOLFSSL_API void wolfSSL_CTX_set_default_passwd_cb_userdata(WOLFSSL_CTX* ctx, - void* userdata); -WOLFSSL_API void wolfSSL_CTX_set_default_passwd_cb(WOLFSSL_CTX* ctx, - wc_pem_password_cb* cb); -WOLFSSL_API wc_pem_password_cb* wolfSSL_CTX_get_default_passwd_cb(WOLFSSL_CTX* ctx); -WOLFSSL_API void *wolfSSL_CTX_get_default_passwd_cb_userdata(WOLFSSL_CTX *ctx); WOLFSSL_API void wolfSSL_CTX_set_info_callback(WOLFSSL_CTX* ctx, void (*f)(const WOLFSSL* ssl, int type, int val)); 
@@ -2422,89 +2450,27 @@ WOLFSSL_API int wolfSSL_CTX_set_srp_strength(WOLFSSL_CTX *ctx, int strength); WOLFSSL_API char* wolfSSL_get_srp_username(WOLFSSL *ssl); -WOLFSSL_API long wolfSSL_set_options(WOLFSSL *s, long op); -WOLFSSL_API long wolfSSL_get_options(const WOLFSSL *s); WOLFSSL_API long wolfSSL_clear_options(WOLFSSL *s, long op); -WOLFSSL_API long wolfSSL_clear_num_renegotiations(WOLFSSL *s); -WOLFSSL_API long wolfSSL_total_renegotiations(WOLFSSL *s); -WOLFSSL_API long wolfSSL_num_renegotiations(WOLFSSL* s); -WOLFSSL_API int wolfSSL_SSL_renegotiate_pending(WOLFSSL *s); WOLFSSL_API long wolfSSL_set_tmp_dh(WOLFSSL *s, WOLFSSL_DH *dh); WOLFSSL_API long wolfSSL_set_tlsext_debug_arg(WOLFSSL *s, void *arg); WOLFSSL_API long wolfSSL_set_tlsext_status_type(WOLFSSL *s, int type); WOLFSSL_API long wolfSSL_get_tlsext_status_type(WOLFSSL *s); -WOLFSSL_API long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg); -WOLFSSL_API long wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg); -WOLFSSL_API long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg); -WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp); -WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, int len); -WOLFSSL_API int wolfSSL_set_tlsext_max_fragment_length - (WOLFSSL *s, unsigned char mode); -WOLFSSL_API int wolfSSL_CTX_set_tlsext_max_fragment_length - (WOLFSSL_CTX *c, unsigned char mode); -WOLFSSL_API void wolfSSL_CONF_modules_unload(int all); -WOLFSSL_API char* wolfSSL_CONF_get1_default_config_file(void); -WOLFSSL_API long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg); -WOLFSSL_API long wolfSSL_get_verify_result(const WOLFSSL *ssl); - -#define WOLFSSL_DEFAULT_CIPHER_LIST "" /* default all */ - -/* These are bit-masks */ -enum { - WOLFSSL_OCSP_URL_OVERRIDE = 1, - WOLFSSL_OCSP_NO_NONCE = 2, - WOLFSSL_OCSP_CHECKALL = 4, - - WOLFSSL_CRL_CHECKALL = 1, - WOLFSSL_CRL_CHECK = 2 -}; - -/* Separated out from other enums because of 
size */ -enum { - WOLFSSL_OP_MICROSOFT_SESS_ID_BUG = 0x00000001, - WOLFSSL_OP_NETSCAPE_CHALLENGE_BUG = 0x00000002, - WOLFSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 0x00000004, - WOLFSSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 0x00000008, - WOLFSSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 0x00000010, - WOLFSSL_OP_MSIE_SSLV2_RSA_PADDING = 0x00000020, - WOLFSSL_OP_SSLEAY_080_CLIENT_DH_BUG = 0x00000040, - WOLFSSL_OP_TLS_D5_BUG = 0x00000080, - WOLFSSL_OP_TLS_BLOCK_PADDING_BUG = 0x00000100, - WOLFSSL_OP_TLS_ROLLBACK_BUG = 0x00000200, - WOLFSSL_OP_NO_RENEGOTIATION = 0x00000400, - WOLFSSL_OP_EPHEMERAL_RSA = 0x00000800, - WOLFSSL_OP_NO_SSLv3 = 0x00001000, - WOLFSSL_OP_NO_TLSv1 = 0x00002000, - WOLFSSL_OP_PKCS1_CHECK_1 = 0x00004000, - WOLFSSL_OP_PKCS1_CHECK_2 = 0x00008000, - WOLFSSL_OP_NETSCAPE_CA_DN_BUG = 0x00010000, - WOLFSSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 0x00020000, - WOLFSSL_OP_SINGLE_DH_USE = 0x00040000, - WOLFSSL_OP_NO_TICKET = 0x00080000, - WOLFSSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00100000, - WOLFSSL_OP_NO_QUERY_MTU = 0x00200000, - WOLFSSL_OP_COOKIE_EXCHANGE = 0x00400000, - WOLFSSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00800000, - WOLFSSL_OP_SINGLE_ECDH_USE = 0x01000000, - WOLFSSL_OP_CIPHER_SERVER_PREFERENCE = 0x02000000, - WOLFSSL_OP_NO_TLSv1_1 = 0x04000000, - WOLFSSL_OP_NO_TLSv1_2 = 0x08000000, - WOLFSSL_OP_NO_COMPRESSION = 0x10000000, - WOLFSSL_OP_NO_TLSv1_3 = 0x20000000, - WOLFSSL_OP_NO_SSLv2 = 0x40000000, - WOLFSSL_OP_ALL = - (WOLFSSL_OP_MICROSOFT_SESS_ID_BUG - | WOLFSSL_OP_NETSCAPE_CHALLENGE_BUG - | WOLFSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - | WOLFSSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - | WOLFSSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - | WOLFSSL_OP_MSIE_SSLV2_RSA_PADDING - | WOLFSSL_OP_SSLEAY_080_CLIENT_DH_BUG - | WOLFSSL_OP_TLS_D5_BUG - | WOLFSSL_OP_TLS_BLOCK_PADDING_BUG - | WOLFSSL_OP_DONT_INSERT_EMPTY_FRAGMENTS - | WOLFSSL_OP_TLS_ROLLBACK_BUG) -}; +WOLFSSL_API long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg); +WOLFSSL_API long 
wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg); +WOLFSSL_API long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg); +WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp); +WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, int len); +WOLFSSL_API int wolfSSL_set_tlsext_max_fragment_length + (WOLFSSL *s, unsigned char mode); +WOLFSSL_API int wolfSSL_CTX_set_tlsext_max_fragment_length + (WOLFSSL_CTX *c, unsigned char mode); +WOLFSSL_API void wolfSSL_CONF_modules_unload(int all); +WOLFSSL_API char* wolfSSL_CONF_get1_default_config_file(void); +WOLFSSL_API long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg); +WOLFSSL_API long wolfSSL_get_verify_result(const WOLFSSL *ssl); + +WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl); +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ defined(HAVE_WEBSERVER) || defined(HAVE_MEMCACHED) 
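Review bot: `wolfSSL_get_app_data` lands under `OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL` here, while its counterpart `wolfSSL_set_app_data` stays in the later `OPENSSL_EXTRA || OPENSSL_ALL || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY` block, whose outer OPENSSL_EXTRA guard this commit also removes. A build that sets only HAVE_LIGHTY, HAVE_STUNNEL, WOLFSSL_NGINX, WOLFSSL_HAPROXY or WOLFSSL_MYSQL_COMPATIBLE without OPENSSL_EXTRA would then see the setter but not the getter; if settings.h forces OPENSSL_EXTRA for those ports this is harmless, otherwise keep the pair under one guard by moving `WOLFSSL_API int wolfSSL_set_app_data(WOLFSSL *ssl, void *arg);` next to the getter here.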
@@ -2680,8 +2646,138 @@ enum { #endif /* !OPENSSL_COEXIST */ #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || HAVE_MEMCACHED */ +/* -------- EXTRAS END -------- */ + + +#define WOLFSSL_DEFAULT_CIPHER_LIST "" /* default all */ + +/* These are bit-masks */ +enum { + WOLFSSL_OCSP_URL_OVERRIDE = 1, + WOLFSSL_OCSP_NO_NONCE = 2, + WOLFSSL_OCSP_CHECKALL = 4, + + WOLFSSL_CRL_CHECKALL = 1, + WOLFSSL_CRL_CHECK = 2 +}; + +/* Separated out from other enums because of size */ +enum { + WOLFSSL_OP_MICROSOFT_SESS_ID_BUG = 0x00000001, + WOLFSSL_OP_NETSCAPE_CHALLENGE_BUG = 0x00000002, + WOLFSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 0x00000004, + WOLFSSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG = 0x00000008, + WOLFSSL_OP_MICROSOFT_BIG_SSLV3_BUFFER = 0x00000010, + WOLFSSL_OP_MSIE_SSLV2_RSA_PADDING = 0x00000020, + WOLFSSL_OP_SSLEAY_080_CLIENT_DH_BUG = 0x00000040, + WOLFSSL_OP_TLS_D5_BUG = 0x00000080, + WOLFSSL_OP_TLS_BLOCK_PADDING_BUG = 0x00000100, + WOLFSSL_OP_TLS_ROLLBACK_BUG = 0x00000200, + WOLFSSL_OP_NO_RENEGOTIATION = 0x00000400, + WOLFSSL_OP_EPHEMERAL_RSA = 0x00000800, + WOLFSSL_OP_NO_SSLv3 = 0x00001000, + WOLFSSL_OP_NO_TLSv1 = 0x00002000, + WOLFSSL_OP_PKCS1_CHECK_1 = 0x00004000, + WOLFSSL_OP_PKCS1_CHECK_2 = 0x00008000, + WOLFSSL_OP_NETSCAPE_CA_DN_BUG = 0x00010000, + WOLFSSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 0x00020000, + WOLFSSL_OP_SINGLE_DH_USE = 0x00040000, + WOLFSSL_OP_NO_TICKET = 0x00080000, + WOLFSSL_OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00100000, + WOLFSSL_OP_NO_QUERY_MTU = 0x00200000, + WOLFSSL_OP_COOKIE_EXCHANGE = 0x00400000, + WOLFSSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION = 0x00800000, + WOLFSSL_OP_SINGLE_ECDH_USE = 0x01000000, + WOLFSSL_OP_CIPHER_SERVER_PREFERENCE = 0x02000000, + WOLFSSL_OP_NO_TLSv1_1 = 0x04000000, + WOLFSSL_OP_NO_TLSv1_2 = 0x08000000, + WOLFSSL_OP_NO_COMPRESSION = 0x10000000, + WOLFSSL_OP_NO_TLSv1_3 = 0x20000000, + WOLFSSL_OP_NO_SSLv2 = 0x40000000, + WOLFSSL_OP_ALL = + (WOLFSSL_OP_MICROSOFT_SESS_ID_BUG + | 
WOLFSSL_OP_NETSCAPE_CHALLENGE_BUG + | WOLFSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + | WOLFSSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG + | WOLFSSL_OP_MICROSOFT_BIG_SSLV3_BUFFER + | WOLFSSL_OP_MSIE_SSLV2_RSA_PADDING + | WOLFSSL_OP_SSLEAY_080_CLIENT_DH_BUG + | WOLFSSL_OP_TLS_D5_BUG + | WOLFSSL_OP_TLS_BLOCK_PADDING_BUG + | WOLFSSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + | WOLFSSL_OP_TLS_ROLLBACK_BUG) +}; + +WOLFSSL_API void wolfSSL_CTX_set_default_passwd_cb_userdata(WOLFSSL_CTX* ctx, + void* userdata); +WOLFSSL_API void wolfSSL_CTX_set_default_passwd_cb(WOLFSSL_CTX* ctx, + wc_pem_password_cb* cb); +WOLFSSL_API wc_pem_password_cb* wolfSSL_CTX_get_default_passwd_cb(WOLFSSL_CTX* ctx); +WOLFSSL_API void *wolfSSL_CTX_get_default_passwd_cb_userdata(WOLFSSL_CTX *ctx); + +WOLFSSL_API int wolfSSL_SSL_renegotiate_pending(WOLFSSL *s); +WOLFSSL_API long wolfSSL_total_renegotiations(WOLFSSL *s); +WOLFSSL_API long wolfSSL_num_renegotiations(WOLFSSL* s); +WOLFSSL_API long wolfSSL_clear_num_renegotiations(WOLFSSL *s); +WOLFSSL_API int wolfSSL_get_alert_history(WOLFSSL* ssl, WOLFSSL_ALERT_HISTORY *h); +WOLFSSL_API int wolfSSL_get_shutdown(const WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_set_rfd(WOLFSSL* ssl, int rfd); +WOLFSSL_API int wolfSSL_set_wfd(WOLFSSL* ssl, int wfd); +WOLFSSL_API void wolfSSL_set_shutdown(WOLFSSL* ssl, int opt); +WOLFSSL_API int wolfSSL_set_session_id_context(WOLFSSL* ssl, const unsigned char* id, + unsigned int len); +WOLFSSL_API void wolfSSL_set_connect_state(WOLFSSL* ssl); +WOLFSSL_API void wolfSSL_set_accept_state(WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_session_reused(WOLFSSL* ssl); +#ifdef OPENSSL_EXTRA +/* using unsigned char instead of uint8_t here to avoid stdint include */ +WOLFSSL_API unsigned char wolfSSL_SESSION_get_max_fragment_length( + WOLFSSL_SESSION* session); +#endif +WOLFSSL_API int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session); + +WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session); +WOLFSSL_API WOLFSSL_SESSION* 
wolfSSL_SESSION_new(void); +WOLFSSL_API WOLFSSL_SESSION* wolfSSL_SESSION_new_ex(void* heap); +WOLFSSL_API void wolfSSL_SESSION_free(WOLFSSL_SESSION* session); +WOLFSSL_API int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, + WOLFSSL_SESSION* session); +WOLFSSL_API int wolfSSL_SESSION_set_cipher(WOLFSSL_SESSION* session, + const WOLFSSL_CIPHER* cipher); +WOLFSSL_API int wolfSSL_is_init_finished(const WOLFSSL* ssl); + +WOLFSSL_API const char* wolfSSL_get_version(const WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_get_current_cipher_suite(WOLFSSL* ssl); +WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_get_current_cipher(WOLFSSL* ssl); +WOLFSSL_API char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER* cipher, char* in, int len); +WOLFSSL_API const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher); +WOLFSSL_API const char* wolfSSL_CIPHER_get_version(const WOLFSSL_CIPHER* cipher); +WOLFSSL_API word32 wolfSSL_CIPHER_get_id(const WOLFSSL_CIPHER* cipher); +WOLFSSL_API int wolfSSL_CIPHER_get_auth_nid(const WOLFSSL_CIPHER* cipher); +WOLFSSL_API int wolfSSL_CIPHER_get_cipher_nid(const WOLFSSL_CIPHER* cipher); +WOLFSSL_API int wolfSSL_CIPHER_get_digest_nid(const WOLFSSL_CIPHER* cipher); +WOLFSSL_API int wolfSSL_CIPHER_get_kx_nid(const WOLFSSL_CIPHER* cipher); +WOLFSSL_API int wolfSSL_CIPHER_is_aead(const WOLFSSL_CIPHER* cipher); +WOLFSSL_API const WOLFSSL_CIPHER* wolfSSL_get_cipher_by_value(word16 value); +WOLFSSL_API const char* wolfSSL_SESSION_CIPHER_get_name(const WOLFSSL_SESSION* session); +WOLFSSL_API const char* wolfSSL_get_cipher(WOLFSSL* ssl); +WOLFSSL_API void wolfSSL_sk_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk); +WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl); +WOLFSSL_API int wolfSSL_SessionIsSetup(WOLFSSL_SESSION* session); + +WOLFSSL_API WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new(void); +WOLFSSL_API WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new_ex(void* heap); +WOLFSSL_API void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx); + 
+WOLFSSL_API long wolfSSL_set_options(WOLFSSL *s, long op); +WOLFSSL_API long wolfSSL_get_options(const WOLFSSL *s); -/* extras end */ +WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name( + WOLFSSL_X509* cert); +WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name( + WOLFSSL_X509* cert); +WOLFSSL_ABI WOLFSSL_API char* wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME* name, + char* in, int sz); #if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) /* wolfSSL extension, provide last error from SSL_get_error @@ -2698,8 +2794,6 @@ WOLFSSL_API void wolfSSL_ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u), void *u); #endif #endif -WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio); - #ifndef NO_OLD_SSL_NAMES #define SSL_ERROR_NONE WOLFSSL_ERROR_NONE @@ -2941,7 +3035,6 @@ WOLFSSL_API long wolfSSL_CTX_clear_options(WOLFSSL_CTX* ctx, long opt); #if !defined(NO_CHECK_PRIVATE_KEY) WOLFSSL_API int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx); #endif -WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(const WOLFSSL_CTX* ctx); WOLFSSL_API void wolfSSL_ERR_free_strings(void); WOLFSSL_API void wolfSSL_ERR_remove_state(unsigned long id); @@ -2969,12 +3062,14 @@ WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFS WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl); #endif -#ifdef OPENSSL_EXTRA -WOLFSSL_API int wolfSSL_want(WOLFSSL* ssl); -#endif WOLFSSL_API int wolfSSL_want_read(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_want_write(WOLFSSL* ssl); +#ifdef OPENSSL_EXTRA +WOLFSSL_API int wolfSSL_want(WOLFSSL* ssl); + +WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(const WOLFSSL_CTX* ctx); + #include /* var_arg */ WOLFSSL_API int wolfSSL_BIO_vprintf(WOLFSSL_BIO* bio, const char* format, va_list args); 
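Review bot: The long run of native declarations after `/* -------- EXTRAS END -------- */` (option bitmasks, renegotiation counters, alert history, session and cipher accessors, X509_STORE_CTX lifetime, options getters, X509 name accessors) carries no section heading, so a reader cannot tell that this is the non-compat API without the commit message. A one-line heading before `#define WOLFSSL_DEFAULT_CIPHER_LIST`, such as `/* ----- wolfSSL native API: declared in every build, no OPENSSL_EXTRA required ----- */`, would document the split this commit introduces. Whether every prototype in the run is really compiled unconditionally in ssl.c is not visible here and should be confirmed before wording the heading that strongly.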
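Review bot: The new `#ifdef OPENSSL_EXTRA` opened before `wolfSSL_want` is closed only in the following hunk, and on the way it also covers the va_list `#include`, `wolfSSL_BIO_vprintf`, `wolfSSL_ASN1_TIME_diff` and `wolfSSL_ASN1_TIME_compare`, which on the old side were declared outside any OPENSSL_EXTRA guard (the removed inner `#ifdef OPENSSL_EXTRA` around `wolfSSL_want` alone shows the region was not already so guarded). Unless an enclosing guard outside this hunk already required OPENSSL_EXTRA, a build with only OPENSSL_EXTRA_X509_SMALL that calls `wolfSSL_ASN1_TIME_diff` loses its prototype. If the narrowing is intended, say so in the closing `#endif /* OPENSSL_EXTRA */` comment; otherwise close the guard after `wolfSSL_CTX_get0_privatekey` and reopen it before `wolfSSL_ASN1_TIME_set`, as the old layout did.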
@@ -2990,41 +3085,20 @@ WOLFSSL_API int wolfSSL_ASN1_TIME_diff(int* days, int* secs, const WOLFSSL_ASN1_ const WOLFSSL_ASN1_TIME* to); WOLFSSL_API int wolfSSL_ASN1_TIME_compare(const WOLFSSL_ASN1_TIME *a, const WOLFSSL_ASN1_TIME *b); -#ifdef OPENSSL_EXTRA WOLFSSL_API WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_set(WOLFSSL_ASN1_TIME *s, time_t t); WOLFSSL_API int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *s, const char *str); WOLFSSL_API int wolfSSL_ASN1_TIME_set_string_X509(WOLFSSL_ASN1_TIME *t, const char *str); -#endif +#endif /* OPENSSL_EXTRA */ + +#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) WOLFSSL_API int wolfSSL_sk_num(const WOLFSSL_STACK* sk); WOLFSSL_API void* wolfSSL_sk_value(const WOLFSSL_STACK* sk, int i); - -#if defined(HAVE_EX_DATA) || defined(WOLFSSL_WPAS_SMALL) - -WOLFSSL_API void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, - int idx); -#ifdef HAVE_EX_DATA_CLEANUP_HOOKS -WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data_with_cleanup( - WOLFSSL_CRYPTO_EX_DATA* ex_data, - int idx, - void *data, - wolfSSL_ex_data_cleanup_routine_t cleanup_routine); -#endif -WOLFSSL_API int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, - void *data); #endif + /* stunnel 4.28 needs */ -WOLFSSL_API void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx); -WOLFSSL_API int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data); -#ifdef HAVE_EX_DATA_CLEANUP_HOOKS -WOLFSSL_API int wolfSSL_CTX_set_ex_data_with_cleanup( - WOLFSSL_CTX* ctx, - int idx, - void* data, - wolfSSL_ex_data_cleanup_routine_t cleanup_routine); -#endif WOLFSSL_API void wolfSSL_CTX_sess_set_get_cb(WOLFSSL_CTX* ctx, WOLFSSL_SESSION*(*f)(WOLFSSL* ssl, const unsigned char*, int, int*)); WOLFSSL_API void wolfSSL_CTX_sess_set_new_cb(WOLFSSL_CTX* ctx, 
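Review bot: `wolfSSL_sk_num` and `wolfSSL_sk_value` are now declared under `OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL`, but the rest of the stack API (`wolfSSL_sk_new_node`, `wolfSSL_sk_push`, `wolfSSL_sk_insert`, ...) sits under `OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL` earlier in this file, so an X509_SMALL-only build can push onto a stack it cannot enumerate. Suggest `#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL)` for the two accessors so they match the guard the other sk_ functions use. Likewise the removed `#if defined(HAVE_EX_DATA) || defined(WOLFSSL_WPAS_SMALL)` around `wolfSSL_CRYPTO_get_ex_data` / `wolfSSL_CRYPTO_set_ex_data` is replaced by a plain HAVE_EX_DATA guard in the EX DATA section, dropping the WPAS_SMALL alternative; unless settings.h defines HAVE_EX_DATA for WOLFSSL_WPAS_SMALL, that build loses those prototypes.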
@@ -3041,13 +3115,6 @@ WOLFSSL_API unsigned long wolfSSL_SESSION_get_ticket_lifetime_hint( const WOLFSSL_SESSION* sess); WOLFSSL_API long wolfSSL_SESSION_get_timeout(const WOLFSSL_SESSION* session); WOLFSSL_API long wolfSSL_SESSION_get_time(const WOLFSSL_SESSION* session); -#ifdef HAVE_EX_DATA -WOLFSSL_API int wolfSSL_CTX_get_ex_new_index(long idx, void* arg, - WOLFSSL_CRYPTO_EX_new* new_func, - WOLFSSL_CRYPTO_EX_dup* dup_func, - WOLFSSL_CRYPTO_EX_free* free_func); -#endif - /* extra ends */ @@ -3141,12 +3208,12 @@ WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509_REQ_INFO(WOLFSSL_X509** req, WOLFSSL_API int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out); WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL **crl, const unsigned char *in, int len); -WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_bio(WOLFSSL_BIO *bp, - WOLFSSL_X509_CRL **crl); #if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE file, WOLFSSL_X509_CRL **crl); #endif #if defined(HAVE_CRL) && defined(OPENSSL_EXTRA) +WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_bio(WOLFSSL_BIO *bp, + WOLFSSL_X509_CRL **crl); WOLFSSL_API int wolfSSL_X509_CRL_version(WOLFSSL_X509_CRL *crl); WOLFSSL_API int wolfSSL_X509_CRL_get_signature_type(WOLFSSL_X509_CRL* crl); WOLFSSL_API int wolfSSL_X509_CRL_get_signature_nid( @@ -3204,6 +3271,7 @@ WOLFSSL_API WOLFSSL_X509_ACERT * wolfSSL_X509_ACERT_load_certificate_buffer( const unsigned char* buf, int sz, int format); #endif /* WOLFSSL_ACERT && (OPENSSL_EXTRA_X509_SMALL || OPENSSL_EXTRA) */ +#ifdef OPENSSL_EXTRA WOLFSSL_API const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(const WOLFSSL_X509_REVOKED *rev); 
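Review bot: `wolfSSL_d2i_X509_CRL_bio` moves under `HAVE_CRL && OPENSSL_EXTRA`, but `wolfSSL_d2i_X509_CRL` and `wolfSSL_d2i_X509_CRL_fp` just above it stay outside HAVE_CRL, so the header keeps promising CRL decoders in builds that have no WOLFSSL_X509_CRL implementation; if ssl.c defines those two under HAVE_CRL as well (not visible here), they belong inside the same `#if`, otherwise a caller gets a link error instead of a compile error. The `#ifdef OPENSSL_EXTRA` added before `wolfSSL_X509_REVOKED_get0_serial_number` is closed outside this hunk and its span takes in the file-system `wolfSSL_X509_d2i_fp` and the WOLFSSL_SEP accessors; unless an outer guard already made them OPENSSL_EXTRA-only, note the narrowing in the matching `#endif /* OPENSSL_EXTRA */` comment.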
@@ -3216,14 +3284,6 @@ const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_d2i_fp(WOLFSSL_X509** x509, XFILE file); #endif -WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509* - wolfSSL_X509_load_certificate_file(const char* fname, int format); -#endif -WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer( - const unsigned char* buf, int sz, int format); -#ifdef WOLFSSL_CERT_REQ -WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer( - const unsigned char* buf, int sz, int format); #endif #ifdef WOLFSSL_SEP 
@@ -3235,19 +3295,36 @@ WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer( wolfSSL_X509_get_hw_serial_number(WOLFSSL_X509* x509, unsigned char* in, int* inOutSz); #endif +#endif /* OPENSSL_EXTRA */ + /* connect enough to get peer cert */ WOLFSSL_API int wolfSSL_connect_cert(WOLFSSL* ssl); +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509* + wolfSSL_X509_load_certificate_file(const char* fname, int format); +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer( + const unsigned char* buf, int sz, int format); +#ifdef WOLFSSL_CERT_REQ +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer( + const unsigned char* buf, int sz, int format); +#endif +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ +#ifdef OPENSSL_EXTRA /* PKCS12 compatibility */ -WOLFSSL_API WC_PKCS12* wolfSSL_d2i_PKCS12_bio(WOLFSSL_BIO* bio, - WC_PKCS12** pkcs12); -WOLFSSL_API int wolfSSL_i2d_PKCS12_bio(WOLFSSL_BIO *bio, WC_PKCS12 *pkcs12); +WOLFSSL_API void wolfSSL_PKCS12_PBE_add(void); #if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) WOLFSSL_API WOLFSSL_X509_PKCS12* wolfSSL_d2i_PKCS12_fp(XFILE fp, WOLFSSL_X509_PKCS12** pkcs12); #endif + +#ifdef HAVE_PKCS12 +WOLFSSL_API WC_PKCS12* wolfSSL_d2i_PKCS12_bio(WOLFSSL_BIO* bio, + WC_PKCS12** pkcs12); +WOLFSSL_API int wolfSSL_i2d_PKCS12_bio(WOLFSSL_BIO *bio, WC_PKCS12 *pkcs12); + WOLFSSL_API int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, WOLFSSL_EVP_PKEY** pkey, WOLFSSL_X509** cert, WOLF_STACK_OF(WOLFSSL_X509)** ca); @@ -3257,8 +3334,8 @@ WOLFSSL_API WC_PKCS12* wolfSSL_PKCS12_create(char* pass, char* name, WOLFSSL_EVP_PKEY* pkey, WOLFSSL_X509* cert, WOLF_STACK_OF(WOLFSSL_X509)* ca, int keyNID, int certNID, int itt, int macItt, int keytype); -WOLFSSL_API void wolfSSL_PKCS12_PBE_add(void); - +#endif /* HAVE_PKCS12 */ +#endif /* OPENSSL_EXTRA */ #ifndef NO_DH 
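Review bot: `wolfSSL_d2i_PKCS12_fp` is kept under OPENSSL_EXTRA and the file-system check but outside the new `#ifdef HAVE_PKCS12`, while `wolfSSL_d2i_PKCS12_bio`, `wolfSSL_i2d_PKCS12_bio` and `wolfSSL_PKCS12_parse` move inside it; given that this commit exists to build OPENSSL_EXTRA without PKCS12, the `_fp` prototype should sit inside `#ifdef HAVE_PKCS12` too unless its definition is genuinely compiled without it (it also takes `WOLFSSL_X509_PKCS12**` where the `_bio` variant takes `WC_PKCS12**`, worth a comment if those are the same type). Separately, `wolfSSL_X509_load_certificate_file` is re-declared under `OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL` but no longer under the `!NO_FILESYSTEM` guard the removed declaration had, so NO_FILESYSTEM builds now see a prototype for a function that cannot open files; wrap that one line in `#ifndef NO_FILESYSTEM` / `#endif` to restore the old condition.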
@@ -3956,8 +4033,10 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx, WOLFSSL_API int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options); WOLFSSL_API int wolfSSL_CertManagerDisableCRL(WOLFSSL_CERT_MANAGER* cm); +#ifndef NO_WOLFSSL_CM_VERIFY WOLFSSL_API void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc); +#endif WOLFSSL_API int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm, const char* path, int type, int monitor); WOLFSSL_API int wolfSSL_CertManagerLoadCRLFile(WOLFSSL_CERT_MANAGER* cm, @@ -4900,9 +4979,6 @@ struct WOLFSSL_CONF_CTX { WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NAME *name, int loc); #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)|| \ - defined(OPENSSL_EXTRA_X509_SMALL) - #if defined(OPENSSL_EXTRA) \ || defined(OPENSSL_ALL) \ || defined(HAVE_LIGHTY) \ @@ -4922,7 +4998,6 @@ WOLFSSL_API int wolfSSL_add1_chain_cert(WOLFSSL* ssl, WOLFSSL_X509* x509); WOLFSSL_API int wolfSSL_BIO_read_filename(WOLFSSL_BIO *b, const char *name); /* These are to be merged shortly */ WOLFSSL_API void wolfSSL_set_verify_depth(WOLFSSL *ssl,int depth); -WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl); WOLFSSL_API int wolfSSL_set_app_data(WOLFSSL *ssl, void *arg); WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne); WOLFSSL_API unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, unsigned char *md); 
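Review bot: The new `#ifndef NO_WOLFSSL_CM_VERIFY` around `wolfSSL_CertManagerSetVerify` exposes a build macro in the public header with no comment on what it disables; if the macro is not already in the known-macro list it should be added there, and a line such as `/* NO_WOLFSSL_CM_VERIFY: compile out the CertManager user verify callback */` above the guard would document it. Make sure the definition in ssl_certman.c is gated on the same macro, otherwise the header and the object disagree in one of the two configurations. `VerifyCallback` is still the parameter type here, so this declaration depends on wherever that typedef was moved to in this commit.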
@@ -4939,9 +5014,9 @@ WOLFSSL_API long wolfSSL_BIO_set_fp(WOLFSSL_BIO *bio, XFILE fp, int c); WOLFSSL_API long wolfSSL_BIO_get_fp(WOLFSSL_BIO *bio, XFILE* fp); #endif -#endif /* OPENSSL_EXTRA || OPENSSL_ALL || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ - -#endif /* OPENSSL_EXTRA || OPENSSL_ALL */ +#endif /* OPENSSL_EXTRA || OPENSSL_ALL || HAVE_LIGHTY || \ + WOLFSSL_MYSQL_COMPATIBLE || HAVE_STUNNEL || WOLFSSL_NGINX || \ + WOLFSSL_HAPROXY */ #if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) \ || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA) @@ -5029,8 +5104,6 @@ WOLFSSL_API int wolfSSL_CRYPTO_set_mem_functions( WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int), void *(*r) (void *, size_t, const char *, int), void (*f) (void *)); -WOLFSSL_API void wolfSSL_CRYPTO_cleanup_all_ex_data(void); - WOLFSSL_API int wolfSSL_CRYPTO_memcmp(const void *a, const void *b, size_t size); WOLFSSL_API WOLFSSL_BIGNUM* wolfSSL_DH_768_prime(WOLFSSL_BIGNUM* bn); @@ -5175,12 +5248,6 @@ WOLFSSL_API int wolfSSL_SESSION_set_ex_data_with_cleanup( #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \ || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) -#ifdef HAVE_EX_DATA -WOLFSSL_API int wolfSSL_SESSION_get_ex_new_index(long ctx_l,void* ctx_ptr, - WOLFSSL_CRYPTO_EX_new* new_func, WOLFSSL_CRYPTO_EX_dup* dup_func, - WOLFSSL_CRYPTO_EX_free* free_func); -#endif - WOLFSSL_API const unsigned char* wolfSSL_SESSION_get_id( const WOLFSSL_SESSION* sess, unsigned int* idLen); 
@@ -5347,29 +5414,9 @@ WOLFSSL_LOCAL char* wolfSSL_get_ocsp_url(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url); #endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) \ - || defined(WOLFSSL_WPAS_SMALL) -WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx); -WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx, - void *data); -#ifdef HAVE_EX_DATA_CLEANUP_HOOKS -WOLFSSL_API int wolfSSL_X509_set_ex_data_with_cleanup( - WOLFSSL_X509 *x509, - int idx, - void *data, - wolfSSL_ex_data_cleanup_routine_t cleanup_routine); -#endif -#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ - #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) || defined(HAVE_SECRET_CALLBACK) WOLFSSL_API WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl); -#ifdef HAVE_EX_DATA -WOLFSSL_API int wolfSSL_X509_get_ex_new_index(int idx, void *arg, - WOLFSSL_CRYPTO_EX_new* new_func, - WOLFSSL_CRYPTO_EX_dup* dup_func, - WOLFSSL_CRYPTO_EX_free* free_func); -#endif WOLFSSL_API int wolfSSL_X509_NAME_digest(const WOLFSSL_X509_NAME *data, const WOLFSSL_EVP_MD *type, unsigned char *md, unsigned int *len); @@ -5683,12 +5730,6 @@ WOLFSSL_API int wolfSSL_CONF_CTX_finish(WOLFSSL_CONF_CTX* cctx); WOLFSSL_API int wolfSSL_CONF_cmd(WOLFSSL_CONF_CTX* cctx, const char* cmd, const char* value); WOLFSSL_API int wolfSSL_CONF_cmd_value_type(WOLFSSL_CONF_CTX *cctx, const char *cmd); #endif /* OPENSSL_EXTRA */ -#if defined(HAVE_EX_DATA) || defined(WOLFSSL_WPAS_SMALL) -WOLFSSL_API int wolfSSL_CRYPTO_get_ex_new_index(int class_index, long argl, void *argp, - WOLFSSL_CRYPTO_EX_new* new_func, - WOLFSSL_CRYPTO_EX_dup* dup_func, - WOLFSSL_CRYPTO_EX_free* free_func); -#endif /* HAVE_EX_DATA || WOLFSSL_WPAS_SMALL */ #if defined(WOLFSSL_DTLS_CID) WOLFSSL_API int wolfSSL_dtls_cid_use(WOLFSSL* ssl); 
diff --git a/wolfssl/test.h b/wolfssl/test.h index 12597fb54a..769119a171 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -2011,16 +2011,13 @@ static WC_INLINE unsigned int my_psk_server_tls13_cb(WOLFSSL* ssl, } #endif -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) -static unsigned char local_psk[32]; -#endif +#ifdef OPENSSL_EXTRA static WC_INLINE int my_psk_use_session_cb(WOLFSSL* ssl, const WOLFSSL_EVP_MD* md, const unsigned char **id, size_t* idlen, WOLFSSL_SESSION **sess) { -#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) + static unsigned char local_psk[32]; int i; WOLFSSL_SESSION* lsess; char buf[256]; @@ -2083,6 +2080,7 @@ static WC_INLINE int my_psk_use_session_cb(WOLFSSL* ssl, return 0; #endif } +#endif /* OPENSSL_EXTRA */ static WC_INLINE unsigned int my_psk_client_cs_cb(WOLFSSL* ssl, const char* hint, char* identity, unsigned int id_max_len, diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 6422bbb90c..834e3487cc 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -36,8 +36,7 @@ that can be serialized and deserialized in a cross-platform way. #include -#ifndef NO_ASN - +#if !defined(NO_ASN) || !defined(NO_PWDBASED) #if !defined(NO_ASN_TIME) && defined(NO_TIME_H) #define NO_ASN_TIME /* backwards compatibility with NO_TIME_H */ @@ -71,6 +70,8 @@ that can be serialized and deserialized in a cross-platform way. extern "C" { #endif +#ifndef NO_ASN + #ifndef EXTERNAL_SERIAL_SIZE #define EXTERNAL_SERIAL_SIZE 32 #endif @@ -744,7 +745,7 @@ typedef struct WOLFSSL_ObjectInfo { } WOLFSSL_ObjectInfo; extern const size_t wolfssl_object_info_sz; extern const WOLFSSL_ObjectInfo wolfssl_object_info[]; -#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) */ +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ /* DN Tag Strings */ #define WOLFSSL_COMMON_NAME "/CN=" 
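Review bot: `local_psk` becomes a function-scope `static unsigned char local_psk[32];` inside `my_psk_use_session_cb`, but nothing says why it must outlive the call, so the next cleanup is likely to turn it into an automatic array. A comment such as `/* static: the session handed back via *sess presumably keeps referencing this buffer after return -- confirm against the body */` would record the reason; the function body continues outside the hunk, so the actual use of the buffer is not visible here. The comment should also note that the buffer is shared by every invocation of this callback in the process and holds PSK material that is never cleared, which is acceptable for example code but not something to copy into an application.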
@@ -850,6 +851,7 @@ extern const WOLFSSL_ObjectInfo wolfssl_object_info[]; #endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + /* NIDs */ #define WC_NID_netscape_cert_type WC_NID_undef #define WC_NID_des 66 @@ -2888,12 +2890,6 @@ WOLFSSL_LOCAL int VerifyX509Acert(const byte* cert, word32 certSz, int pubKeyOID, void * heap); #endif /* WOLFSSL_ACERT */ -#ifdef __cplusplus - } /* extern "C" */ -#endif - -#endif /* !NO_ASN */ - #if ((defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)) \ || (defined(HAVE_CURVE25519) && defined(HAVE_CURVE25519_KEY_IMPORT)) \ @@ -2915,6 +2911,7 @@ WOLFSSL_LOCAL int SetAsymKeyDer(const byte* privKey, word32 privKeyLen, int keyType); #endif +#endif /* !NO_ASN */ #if !defined(NO_ASN) || !defined(NO_PWDBASED) @@ -2964,4 +2961,10 @@ enum PKCSTypes { #endif /* !NO_ASN || !NO_PWDBASED */ +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* !NO_ASN || !NO_PWDBASED */ + #endif /* WOLF_CRYPT_ASN_H */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index f72121dac1..3e2d64e33f 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -1299,8 +1299,8 @@ #define XSTRNCMP(s1,s2,n) strncmp((s1),(s2),(n)) #define XSTRNCAT(s1,s2,n) strncat((s1),(s2),(n)) #define XSTRNCASECMP(s1,s2,n) _strnicmp((s1),(s2),(n)) - #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) \ - || defined(HAVE_ALPN) + #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_ALL) || defined(HAVE_ALPN) #define XSTRTOK strtok_r #endif #endif @@ -2653,11 +2653,6 @@ extern void uITRON4_free(void *p) ; #endif #endif -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) - #undef KEEP_PEER_CERT - #define KEEP_PEER_CERT -#endif - /* stream ciphers except arc4 need 32bit alignment, intel ok without */ #ifndef XSTREAM_ALIGN 
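Review bot: After the last hunk the header has two identical `#endif /* !NO_ASN || !NO_PWDBASED */` lines, one closing the inner block opened at the `#if !defined(NO_ASN) || !defined(NO_PWDBASED)` context line of the `@@ -2915` hunk and the new one closing the header-wide gate introduced in the previous asn.h hunk; the inner block is now nested inside an outer block with the same condition and is redundant. Either drop the inner `#if`/`#endif` pair or give the outer closer a distinct comment, e.g. `#endif /* !NO_ASN || !NO_PWDBASED (whole header) */`, so the two can be told apart. Separately, moving `#endif /* !NO_ASN */` below `SetAsymKeyDer` puts the ED25519/CURVE25519 key-import declarations under the NO_ASN gate for the first time; if that is intended (their implementation presumably lives in asn.c), a sentence in the commit message or a comment on the new `#endif` would make it deliberate rather than incidental.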
@@ -2915,7 +2910,7 @@ extern void uITRON4_free(void *p) ; #endif #endif /* HAVE_ECC */ -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) && \ +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && defined(HAVE_ECC) && \ !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \ !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SE050) && \ !defined(WOLF_CRYPTO_CB_ONLY_ECC) && !defined(WOLFSSL_STM32_PKA) @@ -3416,8 +3411,9 @@ extern void uITRON4_free(void *p) ; #endif #endif -#if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \ - defined(OPENSSL_EXTRA) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \ + defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) #undef WOLFSSL_ASN_TIME_STRING #define WOLFSSL_ASN_TIME_STRING #endif @@ -3436,13 +3432,14 @@ extern void uITRON4_free(void *p) ; #define WOLFSSL_OCSP_PARSE_STATUS #endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(WOLFSSL_CERT_GEN) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ + defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_CERT_GEN) #undef WOLFSSL_MULTI_ATTRIB #define WOLFSSL_MULTI_ATTRIB #endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ + defined(OPENSSL_EXTRA_X509_SMALL) #undef WOLFSSL_EKU_OID #define WOLFSSL_EKU_OID #endif 
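Review bot: The three hunks add `defined(OPENSSL_ALL)` beside `defined(OPENSSL_EXTRA)` without saying why, and a later reader is likely to "simplify" it away on the grounds that OPENSSL_ALL implies OPENSSL_EXTRA. Presumably the reason is preprocessor order: the `#define OPENSSL_EXTRA` derived from the compat-layer macros sits further down settings.h (it is visible as context in the `@@ -3563` hunk), so at these lines OPENSSL_EXTRA is not yet defined for an OPENSSL_ALL build. A one-line comment at the first occurrence, e.g. `/* OPENSSL_ALL listed explicitly: OPENSSL_EXTRA is only derived from it later in this file */`, would record that.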
@@ -3531,12 +3528,10 @@ extern void uITRON4_free(void *p) ; #undef HAVE_GMTIME_R /* don't trust macro with windows */ #endif /* WOLFSSL_MYSQL_COMPATIBLE */ -#if (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(HAVE_LIGHTY)) && !defined(NO_TLS) +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ + defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY)) && !defined(NO_TLS) #define OPENSSL_NO_ENGINE - #ifndef OPENSSL_EXTRA - #define OPENSSL_EXTRA - #endif + /* Session Tickets will be enabled when --enable-opensslall is used. * Time is required for ticket expiration checking */ #if !defined(HAVE_SESSION_TICKET) && !defined(NO_ASN_TIME) @@ -3563,6 +3558,13 @@ extern void uITRON4_free(void *p) ; #define OPENSSL_EXTRA #endif + +#if (defined(OPENSSL_EXTRA) || defined(WOLFSSL_QT)) && \ + !defined(WOLFSSL_ASN_CA_ISSUER) + #define WOLFSSL_ASN_CA_ISSUER +#endif + + /* --------------------------------------------------------------------------- * OpenSSL compat layer * --------------------------------------------------------------------------- @@ -3686,8 +3688,9 @@ extern void uITRON4_free(void *p) ; #endif /* Parts of the openssl compatibility layer require peer certs */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(HAVE_LIGHTY) +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ + defined(HAVE_LIGHTY)) && !defined(NO_CERTS) #undef KEEP_PEER_CERT #define KEEP_PEER_CERT #endif 
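Review bot: The first hunk drops `#define OPENSSL_EXTRA` from the `(OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || HAVE_LIGHTY) && !NO_TLS` block, so a user_settings build that defines only `WOLFSSL_NGINX`, `WOLFSSL_HAPROXY` or `HAVE_LIGHTY` no longer gets OPENSSL_EXTRA from here; unless those macros imply OPENSSL_ALL elsewhere in settings.h (not visible in this chunk), that is a behavior change the commit message does not mention. If it is intended, a comment on the block such as `/* OPENSSL_EXTRA is no longer forced here; set OPENSSL_ALL or OPENSSL_EXTRA explicitly */` would stop it from being reported as a regression. The `KEEP_PEER_CERT` block in the third hunk replaces the one removed at `@@ -2653`; note that it now requires `!defined(NO_CERTS)` for the NGINX/HAPROXY/LIGHTY cases too, which is a change in its own right and worth a word in the description.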
@@ -3718,6 +3721,38 @@ extern void uITRON4_free(void *p) ; #define WOLFSSL_HAVE_TLS_UNIQUE #endif +/* Keep peer cert, keep our cert and session certs requires WOLFSSL_X509 */ +#if (defined(KEEP_PEER_CERT) || defined(KEEP_OUR_CERT) || \ + defined(SESSION_CERTS)) && \ + !defined(OPENSSL_EXTRA) && !defined(OPENSSL_EXTRA_X509_SMALL) + #define OPENSSL_EXTRA_X509_SMALL +#endif + +/* WPAS Small option requires OPENSSL_EXTRA_X509_SMALL */ +#if defined(WOLFSSL_WPAS_SMALL) && !defined(OPENSSL_EXTRA_X509_SMALL) + #define OPENSSL_EXTRA_X509_SMALL +#endif + +/* The EX data CRYPTO API's used with compatibility */ +#if !defined(HAVE_EX_DATA_CRYPTO) && \ + (defined(OPENSSL_ALL) || defined(WOLFSSL_WPAS_SMALL) || \ + defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ + defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ + defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB)) + #define HAVE_EX_DATA_CRYPTO +#endif + +#if defined(WOLFSSL_WOLFSENTRY_HOOKS) && !defined(HAVE_EX_DATA_CLEANUP_HOOKS) + #define HAVE_EX_DATA_CLEANUP_HOOKS +#endif + +/* Enable EX Data support if required */ +#if (defined(HAVE_EX_DATA_CRYPTO) || defined(HAVE_EX_DATA_CLEANUP_HOOKS)) && \ + !defined(HAVE_EX_DATA) + #define HAVE_EX_DATA +#endif + + /* RAW hash function APIs are not implemented */ #if defined(WOLFSSL_ARMASM) || defined(WOLFSSL_AFALG_HASH) #undef WOLFSSL_NO_HASH_RAW @@ -3784,15 +3819,17 @@ extern void uITRON4_free(void *p) ; #define WOLFSSL_BASE64_DECODE #endif -#if defined(HAVE_EX_DATA) || defined(FORTRESS) - #if defined(FORTRESS) && !defined(HAVE_EX_DATA) - #define HAVE_EX_DATA - #endif +#if defined(FORTRESS) && !defined(HAVE_EX_DATA) + #define HAVE_EX_DATA +#endif + +#ifdef HAVE_EX_DATA #ifndef MAX_EX_DATA #define MAX_EX_DATA 5 /* allow for five items of ex_data */ #endif #endif + #ifdef NO_WOLFSSL_SMALL_STACK #undef WOLFSSL_SMALL_STACK #endif diff --git a/wolfssl/wolfio.h b/wolfssl/wolfio.h index dd1c1f49f9..934c282010 100644 --- a/wolfssl/wolfio.h +++ b/wolfssl/wolfio.h 
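Review bot: `HAVE_EX_DATA_CRYPTO` is only derived from the compat-layer macros listed in the new block, so a user_settings build that, as before, defines `HAVE_EX_DATA` directly keeps HAVE_EX_DATA but never gets HAVE_EX_DATA_CRYPTO, and the `*_get_ex_new_index` declarations that this commit removes from their `HAVE_EX_DATA` gates in ssl.h (`@@ -5175`, `@@ -5347`, `@@ -5683`) disappear for it. The same holds for the `FORTRESS` path in the second hunk, which still sets only HAVE_EX_DATA. A comment on the block, e.g. `/* HAVE_EX_DATA_CRYPTO: user_settings builds must define it explicitly to keep the *_get_ex_new_index / cleanup_all_ex_data APIs */`, or deriving HAVE_EX_DATA_CRYPTO from HAVE_EX_DATA when the caller set the latter, would keep existing configurations building.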
@@ -529,8 +529,10 @@ WOLFSSL_API int wolfSSL_BioReceive(WOLFSSL* ssl, char* buf, int sz, void* ctx); #endif WOLFSSL_LOCAL int SslBioSend(WOLFSSL* ssl, char *buf, int sz, void *ctx); +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_LOCAL int BioReceiveInternal(WOLFSSL_BIO* biord, WOLFSSL_BIO* biowr, char* buf, int sz); +#endif WOLFSSL_LOCAL int SslBioReceive(WOLFSSL* ssl, char* buf, int sz, void* ctx); #if defined(USE_WOLFSSL_IO) /* default IO callbacks */
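Review bot: `BioReceiveInternal` is now declared only under `OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL`, but `SslBioReceive`, declared unconditionally on the next line, is the obvious caller; if its definition calls `BioReceiveInternal` without the same gate, a build with neither macro fails on an implicit declaration, a hard error since C99. Worth confirming the call site is gated identically and adding `/* only available with the BIO compat layer; callers must carry the same gate */` above the new `#if`.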