From 3fba5d17c361fd2867e1d3cc38d3efcf059472a0 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 17 Mar 2022 14:00:55 -0700 Subject: [PATCH] Various portability improvements: * Change DTLS epoch size word16. * Allow override of the `RECORD_SIZE` and `STATIC_BUFFER_LEN`. * Remove endianness force from game build. * Add `gmtime_s` option. * Fix for macro conflict with `MAX_KEY_SIZE`. * Expose functions `wolfSSL_X509_notBefore`, `wolfSSL_X509_notAfter`, `wolfSSL_X509_version` without `OPENSSL_EXTRA`. --- configure.ac | 6 ++--- cyassl/ctaocrypt/settings.h | 3 --- src/internal.c | 12 +++++----- src/ssl.c | 43 ++++++++++++++++++++---------------- wolfcrypt/src/pkcs12.c | 2 +- wolfcrypt/src/wc_encrypt.c | 26 +++++++++++----------- wolfssl/internal.h | 38 ++++++++++++++++++++++--------- wolfssl/wolfcrypt/asn.h | 8 +++++-- wolfssl/wolfcrypt/settings.h | 3 --- wolfssl/wolfcrypt/wc_port.h | 6 ++++- 10 files changed, 85 insertions(+), 62 deletions(-) diff --git a/configure.ac b/configure.ac index 534e0295a..07b32559b 100644 --- a/configure.ac +++ b/configure.ac @@ -86,15 +86,15 @@ else fi -AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netdb.h netinet/in.h stddef.h time.h sys/ioctl.h sys/socket.h sys/time.h errno.h]) +AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netdb.h netinet/in.h stddef.h time.h sys/ioctl.h sys/socket.h sys/time.h errno.h sys/un.h]) AC_CHECK_LIB([network],[socket]) AC_C_BIGENDIAN # check if functions of interest are linkable, but also check if # they're declared by the expected headers, and if not, supersede the # unusable positive from AC_CHECK_FUNCS(). -AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r inet_ntoa memset socket strftime atexit]) -AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, inet_ntoa, memset, socket, strftime], [], [ +AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit]) +AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime], [], [ if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes" then AC_MSG_NOTICE([ note: earlier check for $(eval 'echo ${as_decl_name}') superseded.]) diff --git a/cyassl/ctaocrypt/settings.h b/cyassl/ctaocrypt/settings.h index ef3e03099..26487433f 100644 --- a/cyassl/ctaocrypt/settings.h +++ b/cyassl/ctaocrypt/settings.h @@ -350,9 +350,6 @@ #ifdef CYASSL_GAME_BUILD #define SIZEOF_LONG_LONG 8 - #if defined(__PPU) || defined(__XENON) - #define BIG_ENDIAN_ORDER - #endif #endif #ifdef CYASSL_LSR diff --git a/src/internal.c b/src/internal.c index f8a9afb14..109b256a9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6734,7 +6734,7 @@ void FreeKey(WOLFSSL* ssl, int type, void** pKey) wc_curve448_free((curve448_key*)*pKey); break; #endif /* HAVE_CURVE448 */ - #if defined(HAVE_PQC) && defined(HAVE_FALCON) + #if defined(HAVE_PQC) && defined(HAVE_FALCON) case DYNAMIC_TYPE_FALCON: wc_falcon_free((falcon_key*)*pKey); break; @@ -6801,7 +6801,7 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey) sz = sizeof(curve448_key); break; #endif /* HAVE_CURVE448 */ - #if defined(HAVE_PQC) && defined(HAVE_FALCON) + #if defined(HAVE_PQC) && defined(HAVE_FALCON) case DYNAMIC_TYPE_FALCON: sz = sizeof(falcon_key); break; @@ -6851,7 +6851,7 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey) ret = 0; break; #endif /* HAVE_CURVE448 */ - #if defined(HAVE_PQC) && defined(HAVE_FALCON) + #if defined(HAVE_PQC) && defined(HAVE_FALCON) case DYNAMIC_TYPE_FALCON: wc_falcon_init((falcon_key*)*pKey); ret = 0; @@ -7878,7 +7878,7 @@ int DtlsMsgSet(DtlsMsg* msg, word32 seq, word16 epoch, const byte* data, byte ty } -DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 epoch, word32 seq) +DtlsMsg* DtlsMsgFind(DtlsMsg* head, word16 epoch, word32 seq) { WOLFSSL_ENTER("DtlsMsgFind()"); while (head != NULL && !(head->epoch == epoch && head->seq == seq)) { @@ -7888,7 +7888,7 @@ DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 epoch, word32 seq) } -void DtlsMsgStore(WOLFSSL* ssl, word32 epoch, word32 seq, const byte* data, +void DtlsMsgStore(WOLFSSL* ssl, word16 epoch, word32 seq, const byte* data, word32 dataSz, byte type, word32 fragOffset, word32 fragSz, void* heap) { /* See if seq exists in the list. If it isn't in the list, make @@ -13091,7 +13091,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, break; } #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */ - #if defined(HAVE_PQC) && defined(HAVE_FALCON) + #if defined(HAVE_PQC) && defined(HAVE_FALCON) case FALCON_LEVEL1k: case FALCON_LEVEL5k: { diff --git a/src/ssl.c b/src/ssl.c index d92f81313..d75990251 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2411,7 +2411,7 @@ static int wolfSSL_read_internal(WOLFSSL* ssl, void* data, int sz, int peek) /* Add some bytes so that we can operate with slight difference * in set MTU size on each peer */ ssl->dtls_expected_rx = max(ssl->dtls_expected_rx, - ssl->dtlsMtuSz + DTLS_MTU_ADDITIONAL_READ_BUFFER); + ssl->dtlsMtuSz + (word32)DTLS_MTU_ADDITIONAL_READ_BUFFER); #endif } #endif @@ -5070,7 +5070,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) } break; #endif /* HAVE_ED448 */ - #if defined(HAVE_PQC) && defined(HAVE_FALCON) + #if defined(HAVE_PQC) && defined(HAVE_FALCON) case FALCON_LEVEL1k: if (cm->minFalconKeySz < 0 || FALCON_LEVEL1_KEY_SIZE < (word16)cm->minFalconKeySz) { @@ -5396,7 +5396,7 @@ int wolfSSL_Init(void) WOLFSSL_ENTER("wolfSSL_Init"); - #if defined(HAVE_FIPS_VERSION) && ((HAVE_FIPS_VERSION > 5) || ((HAVE_FIPS_VERSION == 5) && (HAVE_FIPS_VERSION_MINOR >= 1))) + #if FIPS_VERSION_GE(5,1) ret = wolfCrypt_SetPrivateKeyReadEnable_fips(1, WC_KEYTYPE_ALL); if (ret != 0) return ret; @@ -15275,7 +15275,7 @@ int wolfSSL_Cleanup(void) ret = WC_CLEANUP_E; } -#if defined(HAVE_FIPS_VERSION) && ((HAVE_FIPS_VERSION > 5) || ((HAVE_FIPS_VERSION == 5) && (HAVE_FIPS_VERSION_MINOR >= 1))) +#if FIPS_VERSION_GE(5,1) if (wolfCrypt_SetPrivateKeyReadEnable_fips(0, WC_KEYTYPE_ALL) < 0) { if (ret == WOLFSSL_SUCCESS) ret = WC_CLEANUP_E; @@ -21701,7 +21701,9 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz) #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_OUR_CERT || KEEP_PEER_CERT || SESSION_CERTS */ -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || \ + defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) /* used by JSSE (not a standard compatibility function) */ WOLFSSL_ABI @@ -21737,6 +21739,19 @@ const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509) return x509->notAfterData; } +int wolfSSL_X509_version(WOLFSSL_X509* x509) +{ + WOLFSSL_ENTER("wolfSSL_X509_version"); + + if (x509 == NULL) + return 0; + + return x509->version; +} +#endif + +#ifdef OPENSSL_EXTRA + /* get the buffer to be signed (tbs) from the WOLFSSL_X509 certificate * * outSz : gets set to the size of the buffer @@ -21771,16 +21786,6 @@ const unsigned char* wolfSSL_X509_get_tbs(WOLFSSL_X509* x509, int* outSz) return tbs; } -int wolfSSL_X509_version(WOLFSSL_X509* x509) -{ - WOLFSSL_ENTER("wolfSSL_X509_version"); - - if (x509 == NULL) - return 0; - - return x509->version; -} - #ifdef WOLFSSL_SEP /* copy oid into in buffer, at most *inOutSz bytes, if buffer is null will @@ -58576,7 +58581,8 @@ int wolfSSL_RAND_write_file(const char* fname) #ifndef FREERTOS_TCP /* These constant values are protocol values made by egd */ -#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(NETOS) +#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(HAVE_FIPS) && \ + defined(HAVE_HASHDRBG) && !defined(NETOS) && defined(HAVE_SYS_UN_H) #define WOLFSSL_EGD_NBLOCK 0x01 #include #endif @@ -58589,8 +58595,7 @@ int wolfSSL_RAND_write_file(const char* fname) */ int wolfSSL_RAND_egd(const char* nm) { -#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(HAVE_FIPS) && \ - defined(HAVE_HASHDRBG) +#ifdef WOLFSSL_EGD_NBLOCK struct sockaddr_un rem; int fd; int ret = WOLFSSL_SUCCESS; @@ -58728,7 +58733,7 @@ int wolfSSL_RAND_egd(const char* nm) (void)nm; return WOLFSSL_FATAL_ERROR; -#endif /* USE_WOLFSSL_IO && !USE_WINDOWS_API && !HAVE_FIPS && HAVE_HASHDRBG */ +#endif /* WOLFSSL_EGD_NBLOCK */ } #endif /* !FREERTOS_TCP */ diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index b9825aa57..dad96fe54 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c @@ -512,7 +512,7 @@ static int wc_PKCS12_create_mac(WC_PKCS12* pkcs12, byte* data, word32 dataSz, int id = 3; /* value from RFC 7292 indicating key is used for MAC */ word32 i; byte unicodePasswd[MAX_UNICODE_SZ]; - byte key[MAX_KEY_SIZE]; + byte key[PKCS_MAX_KEY_SIZE]; if (pkcs12 == NULL || pkcs12->signData == NULL || data == NULL || out == NULL) { diff --git a/wolfcrypt/src/wc_encrypt.c b/wolfcrypt/src/wc_encrypt.c index 311140f13..d64920880 100644 --- a/wolfcrypt/src/wc_encrypt.c +++ b/wolfcrypt/src/wc_encrypt.c @@ -381,7 +381,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, #ifdef WOLFSSL_SMALL_STACK byte* key; #else - byte key[MAX_KEY_SIZE]; + byte key[PKCS_MAX_KEY_SIZE]; #endif (void)input; @@ -469,7 +469,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, } #ifdef WOLFSSL_SMALL_STACK - key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); + key = (byte*)XMALLOC(PKCS_MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (key == NULL) return MEMORY_E; #endif @@ -494,7 +494,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, byte unicodePasswd[MAX_UNICODE_SZ]; if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) { - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -519,7 +519,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, } #endif /* HAVE_PKCS12 */ default: - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -528,7 +528,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, } /* switch (version) */ if (ret != 0) { - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -554,7 +554,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, ret = wc_Des_SetKey(&des, key, desIv, DES_DECRYPTION); } if (ret != 0) { - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -582,7 +582,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, ret = wc_Des3Init(&des, NULL, INVALID_DEVID); if (ret != 0) { - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -595,7 +595,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, ret = wc_Des3_SetKey(&des, key, desIv, DES_DECRYPTION); } if (ret != 0) { - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -608,7 +608,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, ret = wc_Des3_CbcDecrypt(&des, input, input, length); } if (ret != 0) { - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -669,7 +669,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, XFREE(aes, NULL, DYNAMIC_TYPE_AES); #endif if (ret != 0) { - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -692,7 +692,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, ret = wc_Rc2CbcDecrypt(&rc2, input, input, length); } if (ret != 0) { - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -704,7 +704,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, #endif default: - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -712,7 +712,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, return ALGO_ID_E; } - ForceZero(key, MAX_KEY_SIZE); + ForceZero(key, PKCS_MAX_KEY_SIZE); #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 22f3f48a3..3832f3aa9 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1805,14 +1805,22 @@ enum { #endif -/* give user option to use 16K static buffers */ -#if defined(LARGE_STATIC_BUFFERS) - #define RECORD_SIZE MAX_RECORD_SIZE +/* determine maximum record size */ +#ifdef RECORD_SIZE + /* user supplied value */ + #if RECORD_SIZE < 128 || RECORD_SIZE > MAX_RECORD_SIZE + #error Invalid record size + #endif #else - #ifdef WOLFSSL_DTLS - #define RECORD_SIZE MAX_MTU + /* give user option to use 16K static buffers */ + #if defined(LARGE_STATIC_BUFFERS) + #define RECORD_SIZE MAX_RECORD_SIZE #else - #define RECORD_SIZE 128 + #ifdef WOLFSSL_DTLS + #define RECORD_SIZE MAX_MTU + #else + #define RECORD_SIZE 128 + #endif #endif #endif @@ -1835,7 +1843,13 @@ enum { The length (in bytes) of the following TLSPlaintext.fragment. The length should not exceed 2^14. */ -#if defined(LARGE_STATIC_BUFFERS) +#ifdef STATIC_BUFFER_LEN + /* user supplied option */ + #if STATIC_BUFFER_LEN < 5 || STATIC_BUFFER_LEN > (RECORD_HEADER_SZ + \ + RECORD_SIZE + COMP_EXTRA + MTU_EXTRA + MAX_MSG_EXTRA)) + #error Invalid static buffer length + #endif +#elif defined(LARGE_STATIC_BUFFERS) #define STATIC_BUFFER_LEN RECORD_HEADER_SZ + RECORD_SIZE + COMP_EXTRA + \ MTU_EXTRA + MAX_MSG_EXTRA #else @@ -4047,8 +4061,9 @@ struct WOLFSSL_X509 { WOLFSSL_X509_ALGOR algor; WOLFSSL_X509_PUBKEY key; #endif -#if defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || \ - defined(SESSION_CERTS) +#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || \ + defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) byte notBeforeData[CTC_DATE_SIZE]; byte notAfterData[CTC_DATE_SIZE]; #endif @@ -4936,8 +4951,9 @@ WOLFSSL_LOCAL void DoCertFatalAlert(WOLFSSL* ssl, int ret); WOLFSSL_LOCAL int DtlsMsgSet(DtlsMsg* msg, word32 seq, word16 epoch, const byte* data, byte type, word32 fragOffset, word32 fragSz, void* heap); - WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 epoch, word32 seq); - WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL* ssl, word32 epoch, word32 seq, + WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg* head, word16 epoch, word32 seq); + + WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL* ssl, word16 epoch, word32 seq, const byte* data, word32 dataSz, byte type, word32 fragOffset, word32 fragSz, void* heap); diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index c97463315..8d0048f73 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2278,8 +2278,12 @@ WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL* dcrl); #if !defined(NO_ASN) || !defined(NO_PWDBASED) -#ifndef MAX_KEY_SIZE - #define MAX_KEY_SIZE 64 /* MAX PKCS Key length */ +#ifndef PKCS_MAX_KEY_SIZE + #define PKCS_MAX_KEY_SIZE 64 /* MAX PKCS Key length */ +#endif +#if !defined(WOLFSSL_GAME_BUILD) && !defined(MAX_KEY_SIZE) + /* for backwards compatibility */ + #define MAX_KEY_SIZE PKCS_MAX_KEY_SIZE #endif #ifndef MAX_UNICODE_SZ #define MAX_UNICODE_SZ 256 diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 724a59ad7..afb7c2ffe 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -915,9 +915,6 @@ extern void uITRON4_free(void *p) ; #ifdef WOLFSSL_GAME_BUILD #define SIZEOF_LONG_LONG 8 - #if defined(__PPU) || defined(__XENON) - #define BIG_ENDIAN_ORDER - #endif #endif #ifdef WOLFSSL_LSR diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 95365c3e2..9c056ba4f 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -882,7 +882,11 @@ WOLFSSL_API int wolfCrypt_Cleanup(void); #endif #if !defined(XGMTIME) && !defined(TIME_OVERRIDES) /* Always use gmtime_r if available. */ - #if defined(HAVE_GMTIME_R) + #if defined(HAVE_GMTIME_S) + /* reentrant version */ + #define XGMTIME(c, t) gmtime_s((c), (t)) + #define NEED_TMP_TIME + #elif defined(HAVE_GMTIME_R) #define XGMTIME(c, t) gmtime_r((c), (t)) #define NEED_TMP_TIME #else