WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Get Nginx working with wolfSSL

pull/698/head
Sean Parkinson 2016-12-22 12:53:29 +10:00
parent b86dfd582f
commit e6434f380b
28 changed files with 3691 additions and 551 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
configure.ac
View File

@ -190,6 +190,7 @@ then
enable_jni=yes
enable_lighty=yes
enable_stunnel=yes
enable_nginx=yes
enable_pwdbased=yes
fi
AM_CONDITIONAL([BUILD_DISTRO], [test "x$ENABLED_DISTRO" = "xyes"])
@ -268,6 +269,12 @@ AC_ARG_ENABLE([openssh],
[ENABLED_OPENSSH=$enableval],
[ENABLED_OPENSSH=no])
# nginx compatibility build
AC_ARG_ENABLE([nginx],
[ --enable-nginx Enable nginx (default: disabled)],
[ ENABLED_NGINX=$enableval ],
[ ENABLED_NGINX=no ]
)
# OPENSSL Extra Compatibility
AC_ARG_ENABLE([opensslextra],
@ -275,7 +282,7 @@ AC_ARG_ENABLE([opensslextra],
[ ENABLED_OPENSSLEXTRA=$enableval ],
[ ENABLED_OPENSSLEXTRA=no ]
)
if test "$ENABLED_OPENSSH" = "yes"
if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes"
then
ENABLED_OPENSSLEXTRA="yes"
fi
@ -761,6 +768,11 @@ AC_ARG_ENABLE([sessioncerts],
[ ENABLED_SESSIONCERTS=no ]
)
if test "x$ENABLED_NGINX" = "xyes"
then
ENABLED_SESSIONCERTS=yes
fi
if test "$ENABLED_SESSIONCERTS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DSESSION_CERTS"
@ -870,7 +882,7 @@ AC_ARG_ENABLE([dsa],
[ ENABLED_DSA=no ]
)
if test "$ENABLED_OPENSSH" = "yes"
if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes"
then
ENABLED_DSA="yes"
fi
@ -912,7 +924,7 @@ then
ENABLED_ECC=no
fi
if test "$ENABLED_OPENSSH" = "yes"
if test "$ENABLED_OPENSSH" = "yes" || test "$ENABLED_NGINX" = "yes"
then
ENABLED_ECC="yes"
fi
@ -1689,6 +1701,11 @@ AC_ARG_ENABLE([ocsp],
[ ENABLED_OCSP=no ],
)
if test "x$ENABLED_NGINX" = "xyes"
then
ENABLED_OCSP=yes
fi
if test "$ENABLED_OCSP" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP"
@ -1718,6 +1735,11 @@ AC_ARG_ENABLE([ocspstapling],
[ ENABLED_CERTIFICATE_STATUS_REQUEST=no ]
)
if test "x$ENABLED_NGINX" = "xyes"
then
ENABLED_CERTIFICATE_STATUS_REQUEST=yes
fi
if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST"
@ -1740,6 +1762,11 @@ AC_ARG_ENABLE([ocspstapling2],
[ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=no ]
)
if test "x$ENABLED_NGINX" = "xyes"
then
ENABLED_CERTIFICATE_STATUS_REQUEST_V2=yes
fi
if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST_V2"
@ -1762,6 +1789,12 @@ AC_ARG_ENABLE([crl],
[ ENABLED_CRL=no ],
)
if test "x$ENABLED_NGINX" = "xyes"
then
ENABLED_CRL=yes
fi
if test "$ENABLED_CRL" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
@ -2034,6 +2067,11 @@ AC_ARG_ENABLE([session-ticket],
[ ENABLED_SESSION_TICKET=no ]
)
if test "x$ENABLED_NGINX" = "xyes"
then
ENABLED_SESSION_TICKET=yes
fi
if test "x$ENABLED_SESSION_TICKET" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SESSION_TICKET"
@ -2058,6 +2096,11 @@ AC_ARG_ENABLE([tlsx],
[ ENABLED_TLSX=no ]
)
if test "x$ENABLED_NGINX" = "xyes"
then
ENABLED_TLSX=yes
fi
if test "x$ENABLED_TLSX" = "xyes"
then
ENABLED_SNI=yes
@ -2302,6 +2345,16 @@ then
AM_CFLAGS="$AM_CFLAGS -DHAVE_LIGHTY -DHAVE_WOLFSSL_SSL_H=1"
fi
if test "$ENABLED_NGINX" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NGINX"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_VERIFY_CB"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
AM_CFLAGS="$AM_CFLAGS -DKEEP_OUR_CERT -DKEEP_PEER_CERT"
AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE -DOPENSSL_ERR_ONE -DHAVE_EX_DATA"
fi
# stunnel Support
AC_ARG_ENABLE([stunnel],
[ --enable-stunnel Enable stunnel (default: disabled)],
@ -2374,7 +2427,7 @@ then
fi
AM_CFLAGS="$AM_CFLAGS -DHAVE_STUNNEL -DWOLFSSL_ALWAYS_VERIFY_CB"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI -DHAVE_EX_DATA"
fi
if test "$ENABLED_PSK" = "no" && test "$ENABLED_LEANPSK" = "no" \
@ -3352,6 +3405,7 @@ echo " * MEMORY: $ENABLED_MEMORY"
echo " * I/O POOL: $ENABLED_IOPOOL"
echo " * LIGHTY: $ENABLED_LIGHTY"
echo " * STUNNEL: $ENABLED_STUNNEL"
echo " * NGINX: $ENABLED_NGINX"
echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
echo " * DTLS: $ENABLED_DTLS"
echo " * SCTP: $ENABLED_SCTP"

48
examples/server/server.c
View File

@ -74,7 +74,19 @@
int myHsDoneCb(WOLFSSL* ssl, void* user_ctx);
#endif
static const char webServerMsg[] =
"HTTP/1.1 200 OK\n"
"Content-Type: text/html\n"
"Connection: close\n"
"\n"
"<html>\n"
"<head>\n"
"<title>Welcome to wolfSSL!</title>\n"
"</head>\n"
"<body>\n"
"<p>wolfSSL has successfully performed handshake!</p>\n"
"</body>\n"
"</html>\n";
static int NonBlockingSSL_Accept(SSL* ssl)
{
@ -253,6 +265,8 @@ static void Usage(void)
#ifdef HAVE_WNR
printf("-q <file> Whitewood config file, default %s\n", wnrConfig);
#endif
printf("-g Return basic HTML web page\n");
printf("-C <num> The number of connections to accept, default: 1\n");
}
THREAD_RETURN CYASSL_THREAD server_test(void* args)
@ -269,6 +283,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#else
const char msg[] = "I hear you fa shizzle!\n";
#endif
int useWebServerMsg = 0;
char input[80];
int ch;
int version = SERVER_DEFAULT_VERSION;
@ -290,7 +305,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
int wc_shutdown = 0;
int resume = 0;
int resumeCount = 0;
int loopIndefinitely = 0;
int loops = 1;
int echoData = 0;
int throughput = 0;
int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
@ -376,7 +391,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
useAnyAddr = 1;
#else
while ((ch = mygetopt(argc, argv,
"?jdbstnNuGfrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:")) != -1) {
"?jdbstnNuGfrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:E:q:gC:")) != -1) {
switch (ch) {
case '?' :
Usage();
@ -541,7 +556,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
break;
case 'i' :
loopIndefinitely = 1;
loops = -1;
break;
case 'C' :
loops = atoi(myoptarg);
if (loops <= 0) {
Usage();
exit(MY_EX_USAGE);
}
break;
case 'e' :
@ -568,6 +591,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif
break;
case 'g' :
useWebServerMsg = 1;
break;
default:
Usage();
exit(MY_EX_USAGE);
@ -1096,8 +1123,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
err_sys("SSL_read failed");
}
if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
err_sys("SSL_write failed");
if (!useWebServerMsg) {
if (SSL_write(ssl, msg, sizeof(msg)) != sizeof(msg))
err_sys("SSL_write failed");
}
else {
if (SSL_write(ssl, webServerMsg, sizeof(webServerMsg))
!= sizeof(webServerMsg))
err_sys("SSL_write failed");
}
}
else {
ServerEchoData(ssl, clientfd, echoData, throughput);
@ -1139,7 +1173,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
}
resumeCount = 0;
if(!loopIndefinitely) {
if (loops > 0 && --loops == 0) {
break; /* out of while loop, done with normal and resume option */
}
} /* while(1) */

191
src/internal.c
View File

@ -105,7 +105,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
#if !defined(NO_RSA) || defined(HAVE_ECC)
static int DoCertificateVerify(WOLFSSL* ssl, byte*, word32*, word32);
#endif
#ifdef HAVE_STUNNEL
#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)
static int SNI_Callback(WOLFSSL* ssl);
#endif
#ifdef WOLFSSL_DTLS
@ -1452,13 +1452,30 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
FreeDer(&ctx->privateKey);
FreeDer(&ctx->certificate);
#ifdef KEEP_OUR_CERT
FreeX509(ctx->ourCert);
if (ctx->ourCert) {
if (ctx->ourCert && ctx->ownOurCert) {
FreeX509(ctx->ourCert);
XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509);
}
#endif /* KEEP_OUR_CERT */
FreeDer(&ctx->certChain);
wolfSSL_CertManagerFree(ctx->cm);
#ifdef OPENSSL_EXTRA
while (ctx->ca_names != NULL) {
WOLFSSL_STACK *next = ctx->ca_names->next;
wolfSSL_X509_NAME_free(ctx->ca_names->data.name);
XFREE(ctx->ca_names->data.name, NULL, DYNAMIC_TYPE_OPENSSL);
XFREE(ctx->ca_names, NULL, DYNAMIC_TYPE_OPENSSL);
ctx->ca_names = next;
}
#endif
#ifdef WOLFSSL_NGINX
while (ctx->x509Chain != NULL) {
WOLFSSL_STACK *next = ctx->x509Chain->next;
wolfSSL_X509_free(ctx->x509Chain->data.x509);
XFREE(ctx->x509Chain, NULL, DYNAMIC_TYPE_OPENSSL);
ctx->x509Chain = next;
}
#endif
#endif /* !NO_CERTS */
#ifdef HAVE_TLS_EXTENSIONS
@ -3079,8 +3096,15 @@ int EccMakeKey(WOLFSSL* ssl, ecc_key* key, ecc_key* peer)
keySz = peer->dp->size;
}
/* TODO: Implement _ex version here */
ret = wc_ecc_make_key(ssl->rng, keySz, key);
if (ssl->ecdhCurveOID > 0) {
ret = wc_ecc_make_key_ex(ssl->rng, keySz, key,
wc_ecc_get_oid(ssl->ecdhCurveOID, NULL, NULL));
}
else {
ret = wc_ecc_make_key(ssl->rng, keySz, key);
if (ret == 0)
ssl->ecdhCurveOID = key->dp->oidSum;
}
/* Handle async pending response */
#if defined(WOLFSSL_ASYNC_CRYPT)
@ -3212,17 +3236,19 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
#ifdef HAVE_ECC
ssl->eccTempKeySz = ctx->eccTempKeySz;
ssl->pkCurveOID = ctx->pkCurveOID;
ssl->ecdhCurveOID = ctx->ecdhCurveOID;
#endif
#ifdef OPENSSL_EXTRA
ssl->options.mask = ctx->mask;
#endif
ssl->timeout = ctx->timeout;
ssl->verifyCallback = ctx->verifyCallback;
ssl->options.side = ctx->method->side;
ssl->options.downgrade = ctx->method->downgrade;
ssl->options.minDowngrade = ctx->minDowngrade;
if (ssl->options.side == WOLFSSL_SERVER_END)
ssl->options.haveDH = ctx->haveDH;
ssl->options.haveDH = ctx->haveDH;
ssl->options.haveNTRU = ctx->haveNTRU;
ssl->options.haveECDSAsig = ctx->haveECDSAsig;
ssl->options.haveECC = ctx->haveECC;
@ -3249,6 +3275,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
ssl->options.sessionCacheOff = ctx->sessionCacheOff;
ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
#ifdef HAVE_EXT_CACHE
ssl->options.internalCacheOff = ctx->internalCacheOff;
#endif
ssl->options.verifyPeer = ctx->verifyPeer;
ssl->options.verifyNone = ctx->verifyNone;
@ -3261,10 +3290,8 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
ssl->options.groupMessages = ctx->groupMessages;
#ifndef NO_DH
if (ssl->options.side == WOLFSSL_SERVER_END) {
ssl->buffers.serverDH_P = ctx->serverDH_P;
ssl->buffers.serverDH_G = ctx->serverDH_G;
}
ssl->buffers.serverDH_P = ctx->serverDH_P;
ssl->buffers.serverDH_G = ctx->serverDH_G;
#endif
#ifndef NO_CERTS
@ -3491,6 +3518,10 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
#endif
#ifdef HAVE_ALPN
ssl->alpn_client_list = NULL;
#ifdef WOLFSSL_NGINX
ssl->alpnSelect = ctx->alpnSelect;
ssl->alpnSelectArg = ctx->alpnSelectArg;
#endif
#endif
#ifdef HAVE_SUPPORTED_CURVES
ssl->options.userCurves = ctx->userCurves;
@ -3805,6 +3836,9 @@ void SSL_ResourceFree(WOLFSSL* ssl)
ssl->session.ticketLen = 0;
}
#endif
#ifdef HAVE_EXT_CACHE
wolfSSL_SESSION_free(ssl->extSession);
#endif
#ifdef WOLFSSL_STATIC_MEMORY
/* check if using fixed io buffers and free them */
@ -6234,6 +6268,78 @@ static int CheckAltNames(DecodedCert* dCert, char* domain)
}
#ifdef OPENSSL_EXTRA
/* Check that alternative names, if they exists, match the domain.
* Fail if there are wild patterns and they didn't match.
* Check the common name if no alternative names matched.
*
* dCert Decoded cert to get the alternative names from.
* domain Domain name to compare against.
* checkCN Whether to check the common name.
* returns whether there was a problem in matching.
*/
static int CheckForAltNames(DecodedCert* dCert, char* domain, int* checkCN)
{
int match;
DNS_entry* altName = NULL;
WOLFSSL_MSG("Checking AltNames");
if (dCert)
altName = dCert->altNames;
*checkCN = altName == NULL;
match = 0;
while (altName) {
WOLFSSL_MSG("\tindividual AltName check");
if (MatchDomainName(altName->name, (int)XSTRLEN(altName->name),
domain)) {
match = 1;
*checkCN = 0;
break;
}
/* No matches and wild pattern match failed. */
else if (altName->name[0] == '*' && match == 0)
match = -1;
altName = altName->next;
}
return match != -1;
}
/* Check the domain name matches the subject alternative name or the subject
* name.
*
* dcert Decoded certificate.
* domainName The domain name.
* domainNameLen The length of the domain name.
* returns DOMAIN_NAME_MISMATCH when no match found and 0 on success.
*/
int CheckHostName(DecodedCert* dCert, char *domainName, size_t domainNameLen)
{
int checkCN;
/* Assume name is NUL terminated. */
(void)domainNameLen;
if (CheckForAltNames(dCert, domainName, &checkCN) == 0) {
WOLFSSL_MSG("DomainName match on alt names failed too");
return DOMAIN_NAME_MISMATCH;
}
if (checkCN == 1) {
if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
domainName) == 0) {
WOLFSSL_MSG("DomainName match on common name failed");
return DOMAIN_NAME_MISMATCH;
}
}
return 0;
}
#endif
#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
/* Copy parts X509 needs from Decoded cert, 0 on success */
@ -6662,6 +6768,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
else if (ret != 0) {
WOLFSSL_MSG("Failed to verify CA from chain");
#ifdef OPENSSL_EXTRA
ssl->peerVerifyRet = X509_V_ERR_INVALID_CA;
#endif
}
else {
WOLFSSL_MSG("Verified CA from chain and already had it");
@ -6746,6 +6855,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
else {
WOLFSSL_MSG("Failed to verify Peer's cert");
#ifdef OPENSSL_EXTRA
ssl->peerVerifyRet = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
#endif
if (ssl->verifyCallback) {
WOLFSSL_MSG("\tCallback override available, will continue");
fatal = 0;
@ -6808,6 +6920,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (ret != 0) {
WOLFSSL_MSG("\tOCSP Lookup not ok");
fatal = 0;
#ifdef OPENSSL_EXTRA
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
#endif
}
}
#endif /* HAVE_OCSP */
@ -6819,6 +6934,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (ret != 0) {
WOLFSSL_MSG("\tCRL check not ok");
fatal = 0;
#ifdef OPENSSL_EXTRA
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
#endif
}
}
#endif /* HAVE_CRL */
@ -7086,7 +7204,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#else
store->current_cert = NULL;
#endif
#if defined(HAVE_FORTRESS) || defined(HAVE_STUNNEL)
#if defined(HAVE_EX_DATA) || defined(HAVE_FORTRESS)
store->ex_data = ssl;
#endif
ok = ssl->verifyCallback(0, store);
@ -7242,10 +7360,15 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
InitOcspResponse(response, status, input +*inOutIdx, status_length);
if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap) != 0)
|| (response->responseStatus != OCSP_SUCCESSFUL)
|| (response->status->status != CERT_GOOD)
|| (CompareOcspReqResp(request, response) != 0))
if (OcspResponseDecode(response, ssl->ctx->cm, ssl->heap) != 0)
ret = BAD_CERTIFICATE_STATUS_ERROR;
else if (CompareOcspReqResp(request, response) != 0)
ret = BAD_CERTIFICATE_STATUS_ERROR;
else if (response->responseStatus != OCSP_SUCCESSFUL)
ret = BAD_CERTIFICATE_STATUS_ERROR;
else if (response->status->status == CERT_REVOKED)
ret = OCSP_CERT_REVOKED;
else if (response->status->status != CERT_GOOD)
ret = BAD_CERTIFICATE_STATUS_ERROR;
*inOutIdx += status_length;
@ -10990,6 +11113,9 @@ int SendCertificateStatus(WOLFSSL* ssl)
}
if (ret == 0) {
#ifdef WOLFSSL_NGINX
request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
&response);
@ -11088,6 +11214,9 @@ int SendCertificateStatus(WOLFSSL* ssl)
}
if (ret == 0) {
#ifdef WOLFSSL_NGINX
request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
&responses[0]);
@ -11160,6 +11289,9 @@ int SendCertificateStatus(WOLFSSL* ssl)
&ssl->ctx->cm->ocsp_stapling->ocspLock);
}
#ifdef WOLFSSL_NGINX
request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling,
request, &responses[i + 1]);
@ -11185,6 +11317,9 @@ int SendCertificateStatus(WOLFSSL* ssl)
else {
while (ret == 0 &&
NULL != (request = ssl->ctx->chainOcspRequest[i])) {
#ifdef WOLFSSL_NGINX
request->ssl = ssl;
#endif
ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling,
request, &responses[++i]);
@ -13276,7 +13411,8 @@ int SetCipherList(Suites* suites, const char* list)
return 0;
}
if (next[0] == 0 || XSTRNCMP(next, "ALL", 3) == 0)
if (next[0] == 0 || XSTRNCMP(next, "ALL", 3) == 0 ||
XSTRNCMP(next, "DEFAULT", 7) == 0)
return 1; /* wolfSSL defualt */
do {
@ -14458,6 +14594,7 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
if ((curveOid = CheckCurveId(b)) < 0) {
ERROR_OUT(ECC_CURVE_ERROR, exit_dske);
}
ssl->ecdhCurveOID = curveOid;
length = input[idx++];
if ((idx - begin) + length > size) {
@ -17029,6 +17166,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
idx += RAN_LEN;
output[idx++] = sessIdSz;
XMEMCPY(ssl->arrays->sessionID, output + idx, sessIdSz);
ssl->arrays->sessionIDSz = sessIdSz;
}
else {
/* If resuming, use info from SSL */
@ -17344,6 +17482,9 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
}
ssl->options.dhKeySz =
(word16)ssl->buffers.serverDH_P.length;
ret = DhGenKeyPair(ssl,
ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
@ -18844,6 +18985,9 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
WOLFSSL_MSG("Session lookup for resume failed");
ssl->options.resuming = 0;
} else {
#ifdef HAVE_EXT_CACHE
wolfSSL_SESSION_free(session);
#endif
if (MatchSuite(ssl, &clSuites) < 0) {
WOLFSSL_MSG("Unsupported cipher suite, OldClientHello");
return UNSUPPORTED_SUITE;
@ -19207,9 +19351,10 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if ((ret = TLSX_Parse(ssl, (byte *) input + i,
totalExtSz, 1, &clSuites)))
return ret;
#ifdef HAVE_STUNNEL
#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)
if((ret=SNI_Callback(ssl)))
return ret;
ssl->options.side = WOLFSSL_SERVER_END;
#endif /*HAVE_STUNNEL*/
i += totalExtSz;
@ -19294,8 +19439,14 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
"using EMS");
return EXT_MASTER_SECRET_NEEDED_E;
}
#ifdef HAVE_EXT_CACHE
wolfSSL_SESSION_free(session);
#endif
}
else {
#ifdef HAVE_EXT_CACHE
wolfSSL_SESSION_free(session);
#endif
if (MatchSuite(ssl, &clSuites) < 0) {
WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
return UNSUPPORTED_SUITE;
@ -20893,7 +21044,7 @@ int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
#ifdef HAVE_STUNNEL
#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)
static int SNI_Callback(WOLFSSL* ssl)
{
/* Stunnel supports a custom sni callback to switch an SSL's ctx

603
src/ocsp.c
View File

@ -244,6 +244,135 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
return ret;
}
/* Check that the response for validity. Store result in status.
*
* ocsp Context object for OCSP status.
* response OCSP response message data.
* responseSz Length of OCSP response message data.
* reponseBuffer Buffer object to return the response with.
* status The certificate status object.
* entry The OCSP entry for this certificate.
* returns OCSP_LOOKUP_FAIL when the response is bad and 0 otherwise.
*/
static int CheckResponse(WOLFSSL_OCSP* ocsp, byte* response, int responseSz,
buffer* responseBuffer, CertStatus* status,
OcspEntry* entry, OcspRequest* ocspRequest)
{
#ifdef WOLFSSL_SMALL_STACK
CertStatus* newStatus;
OcspResponse* ocspResponse;
#else
CertStatus newStatus[1];
OcspResponse ocspResponse[1];
#endif
int ret;
int validated = 0; /* ocsp validation flag */
#ifdef WOLFSSL_SMALL_STACK
newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (newStatus == NULL || ocspResponse == NULL) {
if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(request, NULL, DYNAMIC_TYPE_OCSP);
WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
return MEMORY_E;
}
#endif
XMEMSET(newStatus, 0, sizeof(CertStatus));
InitOcspResponse(ocspResponse, newStatus, response, responseSz);
ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap);
if (ret != 0) {
WOLFSSL_MSG("OcspResponseDecode failed");
goto end;
}
if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) {
WOLFSSL_MSG("OcspResponse status bad");
goto end;
}
if (ocspRequest != NULL) {
ret = CompareOcspReqResp(ocspRequest, ocspResponse);
if (ret != 0) {
goto end;
}
}
if (responseBuffer) {
responseBuffer->buffer = (byte*)XMALLOC(responseSz, ocsp->cm->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (responseBuffer->buffer) {
responseBuffer->length = responseSz;
XMEMCPY(responseBuffer->buffer, response, responseSz);
}
}
ret = xstat2err(ocspResponse->status->status);
if (ret == 0) {
validated = 1;
}
if (wc_LockMutex(&ocsp->ocspLock) != 0) {
ret = BAD_MUTEX_E;
goto end;
}
if (status != NULL) {
if (status->rawOcspResponse) {
XFREE(status->rawOcspResponse, ocsp->cm->heap,
DYNAMIC_TYPE_OCSP_STATUS);
}
/* Replace existing certificate entry with updated */
XMEMCPY(status, newStatus, sizeof(CertStatus));
}
else {
/* Save new certificate entry */
status = (CertStatus*)XMALLOC(sizeof(CertStatus),
ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS);
if (status != NULL) {
XMEMCPY(status, newStatus, sizeof(CertStatus));
status->next = entry->status;
entry->status = status;
entry->totalStatus++;
}
}
if (status && responseBuffer && responseBuffer->buffer) {
status->rawOcspResponse = (byte*)XMALLOC(responseBuffer->length,
ocsp->cm->heap,
DYNAMIC_TYPE_OCSP_STATUS);
if (status->rawOcspResponse) {
status->rawOcspResponseSz = responseBuffer->length;
XMEMCPY(status->rawOcspResponse, responseBuffer->buffer,
responseBuffer->length);
}
}
wc_UnLockMutex(&ocsp->ocspLock);
end:
if (ret == 0 && validated == 1) {
WOLFSSL_MSG("New OcspResponse validated");
} else if (ret != OCSP_CERT_REVOKED) {
ret = OCSP_LOOKUP_FAIL;
}
#ifdef WOLFSSL_SMALL_STACK
XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return ret;
}
/* 0 on success */
int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
buffer* responseBuffer)
@ -257,15 +386,6 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
const char* url = NULL;
int urlSz = 0;
int ret = -1;
int validated = 0; /* ocsp validation flag */
#ifdef WOLFSSL_SMALL_STACK
CertStatus* newStatus;
OcspResponse* ocspResponse;
#else
CertStatus newStatus[1];
OcspResponse ocspResponse[1];
#endif
WOLFSSL_ENTER("CheckOcspRequest");
@ -282,6 +402,22 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
if (ret != OCSP_INVALID_STATUS)
return ret;
#ifdef WOLFSSL_NGINX
if (ocsp->statusCb != NULL && ocspRequest->ssl != NULL) {
ret = ocsp->statusCb((WOLFSSL*)ocspRequest->ssl, NULL);
if (ret == 0) {
ret = wolfSSL_get_ocsp_response((WOLFSSL*)ocspRequest->ssl,
&response);
ret = CheckResponse(ocsp, response, ret, responseBuffer, status,
entry, NULL);
if (response != NULL)
XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL);
return ret;
}
return OCSP_LOOKUP_FAIL;
}
#endif
if (ocsp->cm->ocspUseOverrideURL) {
url = ocsp->cm->ocspOverrideURL;
if (url != NULL && url[0] != '\0')
@ -304,120 +440,373 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
return MEMORY_ERROR;
}
#ifdef WOLFSSL_SMALL_STACK
newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (newStatus == NULL || ocspResponse == NULL) {
if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(request, NULL, DYNAMIC_TYPE_OCSP);
WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
return MEMORY_E;
}
#endif
requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
if (requestSz > 0 && ocsp->cm->ocspIOCb) {
responseSz = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
request, requestSz, &response);
}
XFREE(request, ocsp->cm->heap, DYNAMIC_TYPE_OCSP);
if (responseSz >= 0 && response) {
XMEMSET(newStatus, 0, sizeof(CertStatus));
InitOcspResponse(ocspResponse, newStatus, response, responseSz);
if (OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap) != 0) {
WOLFSSL_MSG("OcspResponseDecode failed");
}
else if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) {
WOLFSSL_MSG("OcspResponse status bad");
}
else {
if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) {
if (responseBuffer) {
responseBuffer->buffer = (byte*)XMALLOC(responseSz,
ocsp->cm->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (responseBuffer->buffer) {
responseBuffer->length = responseSz;
XMEMCPY(responseBuffer->buffer, response, responseSz);
}
}
/* only way to get to good state */
ret = xstat2err(ocspResponse->status->status);
if (ret == 0) {
validated = 1;
}
if (wc_LockMutex(&ocsp->ocspLock) != 0)
ret = BAD_MUTEX_E;
else {
if (status != NULL) {
if (status->rawOcspResponse)
XFREE(status->rawOcspResponse, ocsp->cm->heap,
DYNAMIC_TYPE_OCSP_STATUS);
/* Replace existing certificate entry with updated */
XMEMCPY(status, newStatus, sizeof(CertStatus));
}
else {
/* Save new certificate entry */
status = (CertStatus*)XMALLOC(sizeof(CertStatus),
ocsp->cm->heap, DYNAMIC_TYPE_OCSP_STATUS);
if (status != NULL) {
XMEMCPY(status, newStatus, sizeof(CertStatus));
status->next = entry->status;
entry->status = status;
entry->totalStatus++;
}
}
if (status && responseBuffer && responseBuffer->buffer) {
status->rawOcspResponse = (byte*)XMALLOC(
responseBuffer->length,
ocsp->cm->heap,
DYNAMIC_TYPE_OCSP_STATUS);
if (status->rawOcspResponse) {
status->rawOcspResponseSz = responseBuffer->length;
XMEMCPY(status->rawOcspResponse,
responseBuffer->buffer,
responseBuffer->length);
}
}
wc_UnLockMutex(&ocsp->ocspLock);
}
}
}
ret = CheckResponse(ocsp, response, responseSz, responseBuffer, status,
entry, ocspRequest);
}
#ifdef WOLFSSL_SMALL_STACK
XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
XFREE(request, NULL, DYNAMIC_TYPE_OCSP);
if (response != NULL && ocsp->cm->ocspRespFreeCb)
ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response);
if (ret == 0 && validated == 1) {
WOLFSSL_MSG("New OcspResponse validated");
} else {
ret = OCSP_LOOKUP_FAIL;
}
WOLFSSL_LEAVE("CheckOcspRequest", ret);
return ret;
}
#ifdef WOLFSSL_NGINX
int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
WOLFSSL_OCSP_CERTID* id, int* status, int* reason,
WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd,
WOLFSSL_ASN1_TIME** nextupd)
{
if (bs == NULL || id == NULL)
return SSL_FAILURE;
/* Only supporting one certificate status in asn.c. */
if (CompareOcspReqResp(id, bs) != 0)
return SSL_FAILURE;
if (status != NULL)
*status = bs->status->status;
if (thisupd != NULL)
*thisupd = (WOLFSSL_ASN1_TIME*)bs->status->thisDateAsn;
if (nextupd != NULL)
*nextupd = (WOLFSSL_ASN1_TIME*)bs->status->nextDateAsn;
/* TODO: Not needed for Nginx. */
if (reason != NULL)
*reason = 0;
if (revtime != NULL)
*revtime = NULL;
return SSL_SUCCESS;
}
const char *wolfSSL_OCSP_cert_status_str(long s)
{
switch (s) {
case CERT_GOOD:
return "good";
case CERT_REVOKED:
return "revoked";
case CERT_UNKNOWN:
return "unknown";
default:
return "(UNKNOWN)";
}
}
int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd,
WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec)
{
(void)thisupd;
(void)nextupd;
(void)sec;
(void)maxsec;
/* Dates validated in DecodeSingleResponse. */
return SSL_SUCCESS;
}
void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId)
{
FreeOcspRequest(certId);
XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
}
WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
const WOLFSSL_EVP_MD *dgst, const WOLFSSL_X509 *subject,
const WOLFSSL_X509 *issuer)
{
WOLFSSL_OCSP_CERTID* certId;
DecodedCert cert;
WOLFSSL_CERT_MANAGER* cm;
int ret;
DerBuffer* derCert = NULL;
(void)dgst;
cm = wolfSSL_CertManagerNew();
if (cm == NULL)
return NULL;
ret = AllocDer(&derCert, issuer->derCert->length,
issuer->derCert->type, NULL);
if (ret == 0) {
/* AddCA() frees the buffer. */
XMEMCPY(derCert->buffer, issuer->derCert->buffer,
issuer->derCert->length);
AddCA(cm, &derCert, WOLFSSL_USER_CA, 1);
}
certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), NULL,
DYNAMIC_TYPE_OPENSSL);
if (certId != NULL) {
InitDecodedCert(&cert, subject->derCert->buffer,
subject->derCert->length, NULL);
if (ParseCertRelative(&cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) {
XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
certId = NULL;
}
else
InitOcspRequest(certId, &cert, 0, NULL);
FreeDecodedCert(&cert);
}
wolfSSL_CertManagerFree(cm);
return certId;
}
void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse)
{
wolfSSL_OCSP_RESPONSE_free(basicResponse);
}
/* Signature verified in DecodeBasicOcspResponse.
* But no store available to verify certificate. */
int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs,
STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags)
{
DecodedCert cert;
int ret = SSL_SUCCESS;
(void)certs;
if (flags & OCSP_NOVERIFY)
return SSL_SUCCESS;
InitDecodedCert(&cert, bs->cert, bs->certSz, NULL);
if (ParseCertRelative(&cert, CERT_TYPE, VERIFY, st->cm) < 0)
ret = SSL_FAILURE;
FreeDecodedCert(&cert);
return ret;
}
void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response)
{
if (response->status != NULL)
XFREE(response->status, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (response->source != NULL)
XFREE(response->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(response, NULL, DYNAMIC_TYPE_OPENSSL);
}
OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio,
OcspResponse** response)
{
byte* data;
byte* p;
int len;
int dataAlloced = 0;
OcspResponse* ret;
if (bio == NULL)
return NULL;
if (bio->type == BIO_MEMORY) {
len = wolfSSL_BIO_get_mem_data(bio, &data);
if (len <= 0 || data == NULL) {
return NULL;
}
}
else if (bio->type == BIO_FILE) {
long i;
long l;
i = XFTELL(bio->file);
XFSEEK(bio->file, 0, SEEK_END);
l = XFTELL(bio->file);
XFSEEK(bio->file, i, SEEK_SET);
data = (byte*)XMALLOC(l - i, 0, DYNAMIC_TYPE_TMP_BUFFER);
if (data == NULL)
return NULL;
dataAlloced = 1;
len = wolfSSL_BIO_read(bio, (char *)data, (int)l);
}
else
return NULL;
p = data;
ret = wolfSSL_d2i_OCSP_RESPONSE(response, (const unsigned char **)&p, len);
if (dataAlloced)
XFREE(data, 0, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
const unsigned char** data, int len)
{
OcspResponse *resp = NULL;
word32 idx = 0;
int length = 0;
if (data == NULL)
return NULL;
if (response != NULL)
resp = *response;
if (resp == NULL) {
resp = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
DYNAMIC_TYPE_OPENSSL);
if (resp == NULL)
return NULL;
XMEMSET(resp, 0, sizeof(OcspResponse));
}
resp->source = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (resp->source == NULL) {
XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL);
return NULL;
}
resp->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (resp->status == NULL) {
XFREE(resp->source, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(resp, NULL, DYNAMIC_TYPE_OPENSSL);
return NULL;
}
XMEMCPY(resp->source, *data, len);
resp->maxIdx = len;
if (OcspResponseDecode(resp, NULL, NULL) != 0) {
wolfSSL_OCSP_RESPONSE_free(resp);
return NULL;
}
GetSequence(*data, &idx, &length, len);
(*data) += idx + length;
return resp;
}
int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response,
unsigned char** data)
{
if (data == NULL)
return response->maxIdx;
XMEMCPY(*data, response->source, response->maxIdx);
return response->maxIdx;
}
int wolfSSL_OCSP_response_status(OcspResponse *response)
{
return response->responseStatus;
}
const char *wolfSSL_OCSP_response_status_str(long s)
{
switch (s) {
case OCSP_SUCCESSFUL:
return "successful";
case OCSP_MALFORMED_REQUEST:
return "malformedrequest";
case OCSP_INTERNAL_ERROR:
return "internalerror";
case OCSP_TRY_LATER:
return "trylater";
case OCSP_SIG_REQUIRED:
return "sigrequired";
case OCSP_UNAUTHROIZED:
return "unauthorized";
default:
return "(UNKNOWN)";
}
}
WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(OcspResponse* response)
{
WOLFSSL_OCSP_BASICRESP* bs;
bs = (WOLFSSL_OCSP_BASICRESP*)XMALLOC(sizeof(WOLFSSL_OCSP_BASICRESP), NULL,
DYNAMIC_TYPE_OPENSSL);
if (bs == NULL)
return NULL;
XMEMCPY(bs, response, sizeof(OcspResponse));
bs->status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
bs->source = (byte*)XMALLOC(bs->maxIdx, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (bs->status == NULL || bs->source == NULL) {
wolfSSL_OCSP_RESPONSE_free(bs);
bs = NULL;
}
XMEMCPY(bs->status, response->status, sizeof(CertStatus));
XMEMCPY(bs->source, response->source, response->maxIdx);
return bs;
}
OcspRequest* wolfSSL_OCSP_REQUEST_new(void)
{
OcspRequest* request;
request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
DYNAMIC_TYPE_OPENSSL);
if (request != NULL)
XMEMSET(request, 0, sizeof(OcspRequest));
return request;
}
void wolfSSL_OCSP_REQUEST_free(OcspRequest* request)
{
FreeOcspRequest(request);
XFREE(request, 0, DYNAMIC_TYPE_OPENSSL);
}
int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request, unsigned char** data)
{
word32 size;
size = EncodeOcspRequest(request, NULL, 0);
if (size <= 0 || data == NULL)
return size;
return EncodeOcspRequest(request, *data, size);
}
WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req,
WOLFSSL_OCSP_CERTID *cid)
{
if (req == NULL || cid == NULL)
return NULL;
FreeOcspRequest(req);
XMEMCPY(req, cid, sizeof(OcspRequest));
if (cid->serial != NULL) {
req->serial = (byte*)XMALLOC(cid->serialSz, NULL,
DYNAMIC_TYPE_OCSP_REQUEST);
req->url = (byte*)XMALLOC(cid->urlSz, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
if (req->serial == NULL || req->url == NULL) {
FreeOcspRequest(req);
return NULL;
}
XMEMCPY(req->serial, cid->serial, cid->serialSz);
XMEMCPY(req->url, cid->url, cid->urlSz);
}
wolfSSL_OCSP_REQUEST_free(cid);
return req;
}
#endif
#else /* HAVE_OCSP */

2472
src/ssl.c
View File

File diff suppressed because it is too large Load Diff

86
src/tls.c
View File

@ -1095,23 +1095,42 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length,
TLSX *extension;
ALPN *alpn = NULL, *list;
if (OPAQUE16_LEN > length)
return BUFFER_ERROR;
ato16(input, &size);
offset += OPAQUE16_LEN;
extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
if (extension == NULL)
extension = TLSX_Find(ssl->ctx->extensions,
TLSX_APPLICATION_LAYER_PROTOCOL);
#ifdef WOLFSSL_NGINX
if (ssl->alpnSelect != NULL) {
const byte* out;
unsigned char outLen;
if (ssl->alpnSelect(ssl, &out, &outLen, input + offset, size,
ssl->alpnSelectArg) == 0) {
WOLFSSL_MSG("ALPN protocol match");
if (TLSX_UseALPN(&ssl->extensions, (char*)out, outLen, 0, ssl->heap)
== SSL_SUCCESS) {
if (extension == NULL) {
extension = TLSX_Find(ssl->extensions,
TLSX_APPLICATION_LAYER_PROTOCOL);
}
}
}
}
#endif
if (extension == NULL || extension->data == NULL) {
WOLFSSL_MSG("No ALPN extensions not used or bad");
return isRequest ? 0 /* not using ALPN */
: BUFFER_ERROR; /* unexpected ALPN response */
}
if (OPAQUE16_LEN > length)
return BUFFER_ERROR;
ato16(input, &size);
offset += OPAQUE16_LEN;
/* validating alpn list length */
if (length != OPAQUE16_LEN + size)
return BUFFER_ERROR;
@ -2232,9 +2251,13 @@ int TLSX_CSR_ForceRequest(WOLFSSL* ssl)
if (csr) {
switch (csr->status_type) {
case WOLFSSL_CSR_OCSP:
if (ssl->ctx->cm->ocspEnabled)
if (ssl->ctx->cm->ocspEnabled) {
#ifdef WOLFSSL_NGINX
csr->request.ocsp.ssl = ssl;
#endif
return CheckOcspRequest(ssl->ctx->cm->ocsp,
&csr->request.ocsp, NULL);
}
else
return OCSP_LOOKUP_FAIL;
}
@ -2640,9 +2663,13 @@ int TLSX_CSR2_ForceRequest(WOLFSSL* ssl)
/* followed by */
case WOLFSSL_CSR2_OCSP_MULTI:
if (ssl->ctx->cm->ocspEnabled)
if (ssl->ctx->cm->ocspEnabled) {
#ifdef WOLFSSL_NGINX
csr2->request.ocsp[0].ssl = ssl;
#endif
return CheckOcspRequest(ssl->ctx->cm->ocsp,
&csr2->request.ocsp[0], NULL);
}
else
return OCSP_LOOKUP_FAIL;
}
@ -2861,12 +2888,10 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
: NULL;
EllipticCurve* curve = NULL;
word32 oid = 0;
word16 octets = 0; /* according to 'ecc_set_type ecc_sets[];' */
int sig = 0; /* validate signature */
int key = 0; /* validate key */
(void)oid;
(void)octets;
if (!extension)
return 1; /* no suite restriction */
@ -2879,63 +2904,66 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
switch (curve->name) {
#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP160R1: oid = ECC_SECP160R1_OID; octets = 20; break;
case WOLFSSL_ECC_SECP160R1: oid = ECC_SECP160R1_OID; break;
#endif /* !NO_ECC_SECP */
#ifdef HAVE_ECC_SECPR2
case WOLFSSL_ECC_SECP160R2: oid = ECC_SECP160R2_OID; octets = 20; break;
case WOLFSSL_ECC_SECP160R2: oid = ECC_SECP160R2_OID; break;
#endif /* HAVE_ECC_SECPR2 */
#ifdef HAVE_ECC_KOBLITZ
case WOLFSSL_ECC_SECP160K1: oid = ECC_SECP160K1_OID; octets = 20; break;
case WOLFSSL_ECC_SECP160K1: oid = ECC_SECP160K1_OID; break;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP192R1: oid = ECC_SECP192R1_OID; octets = 24; break;
case WOLFSSL_ECC_SECP192R1: oid = ECC_SECP192R1_OID; break;
#endif /* !NO_ECC_SECP */
#ifdef HAVE_ECC_KOBLITZ
case WOLFSSL_ECC_SECP192K1: oid = ECC_SECP192K1_OID; octets = 24; break;
case WOLFSSL_ECC_SECP192K1: oid = ECC_SECP192K1_OID; break;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP224R1: oid = ECC_SECP224R1_OID; octets = 28; break;
case WOLFSSL_ECC_SECP224R1: oid = ECC_SECP224R1_OID; break;
#endif /* !NO_ECC_SECP */
#ifdef HAVE_ECC_KOBLITZ
case WOLFSSL_ECC_SECP224K1: oid = ECC_SECP224K1_OID; octets = 28; break;
case WOLFSSL_ECC_SECP224K1: oid = ECC_SECP224K1_OID; break;
#endif /* HAVE_ECC_KOBLITZ */
#endif
#if !defined(NO_ECC256) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP256R1: oid = ECC_SECP256R1_OID; octets = 32; break;
case WOLFSSL_ECC_SECP256R1: oid = ECC_SECP256R1_OID; break;
#endif /* !NO_ECC_SECP */
#ifdef HAVE_ECC_KOBLITZ
case WOLFSSL_ECC_SECP256K1: oid = ECC_SECP256K1_OID; octets = 32; break;
case WOLFSSL_ECC_SECP256K1: oid = ECC_SECP256K1_OID; break;
#endif /* HAVE_ECC_KOBLITZ */
#ifdef HAVE_ECC_BRAINPOOL
case WOLFSSL_ECC_BRAINPOOLP256R1: oid = ECC_BRAINPOOLP256R1_OID; octets = 32; break;
case WOLFSSL_ECC_BRAINPOOLP256R1: oid = ECC_BRAINPOOLP256R1_OID; break;
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#if defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP384R1: oid = ECC_SECP384R1_OID; octets = 48; break;
case WOLFSSL_ECC_SECP384R1: oid = ECC_SECP384R1_OID; break;
#endif /* !NO_ECC_SECP */
#ifdef HAVE_ECC_BRAINPOOL
case WOLFSSL_ECC_BRAINPOOLP384R1: oid = ECC_BRAINPOOLP384R1_OID; octets = 48; break;
case WOLFSSL_ECC_BRAINPOOLP384R1: oid = ECC_BRAINPOOLP384R1_OID; break;
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#if defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)
#ifdef HAVE_ECC_BRAINPOOL
case WOLFSSL_ECC_BRAINPOOLP512R1: oid = ECC_BRAINPOOLP512R1_OID; octets = 64; break;
case WOLFSSL_ECC_BRAINPOOLP512R1: oid = ECC_BRAINPOOLP512R1_OID; break;
#endif /* HAVE_ECC_BRAINPOOL */
#endif
#if defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
case WOLFSSL_ECC_SECP521R1: oid = ECC_SECP521R1_OID; octets = 66; break;
case WOLFSSL_ECC_SECP521R1: oid = ECC_SECP521R1_OID; break;
#endif /* !NO_ECC_SECP */
#endif
default: continue; /* unsupported curve */
}
if (ssl->ecdhCurveOID == 0)
ssl->ecdhCurveOID = oid;
if (first == ECC_BYTE) {
switch (second) {
/* ECDHE_ECDSA */
@ -2950,7 +2978,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
sig |= ssl->pkCurveOID == oid;
key |= ssl->eccTempKeySz == octets;
key |= ssl->ecdhCurveOID == oid;
break;
#ifdef WOLFSSL_STATIC_DH
@ -2978,7 +3006,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
sig = 1;
key |= ssl->eccTempKeySz == octets;
key |= ssl->ecdhCurveOID == oid;
break;
#ifdef WOLFSSL_STATIC_DH
@ -3010,14 +3038,14 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
sig |= ssl->pkCurveOID == oid;
key |= ssl->eccTempKeySz == octets;
key |= ssl->ecdhCurveOID == oid;
break;
#ifndef NO_RSA
/* ECDHE_RSA */
case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
sig = 1;
key |= ssl->eccTempKeySz == octets;
key |= ssl->ecdhCurveOID == oid;
break;
#endif
default:
@ -4568,6 +4596,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
if (!ssl->options.userCurves && !ssl->ctx->userCurves) {
#ifndef HAVE_FIPS
#if defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP160R1, ssl->heap);
@ -4592,6 +4621,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
if (ret != SSL_SUCCESS) return ret;
#endif
#endif
#endif
#if defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)
#ifndef NO_ECC_SECP
ret = TLSX_UseSupportedCurve(&ssl->extensions, WOLFSSL_ECC_SECP224R1, ssl->heap);

40
wolfcrypt/src/asn.c
View File

@ -3418,7 +3418,7 @@ static INLINE int DateLessThan(const struct tm* a, const struct tm* b)
}
#if defined(WOLFSSL_MYSQL_COMPATIBLE)
#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
int GetTimeString(byte* date, int format, char* buf, int len)
{
struct tm t;
@ -5808,7 +5808,7 @@ const char* END_DSA_PRIV = "-----END DSA PRIVATE KEY-----";
const char* BEGIN_PUB_KEY = "-----BEGIN PUBLIC KEY-----";
const char* END_PUB_KEY = "-----END PUBLIC KEY-----";
#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN)
#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA)
/* Used for compatibility API */
int wc_DerToPem(const byte* der, word32 derSz,
@ -9498,6 +9498,9 @@ static int DecodeSingleResponse(byte* source,
return ASN_PARSE_E;
}
#ifdef WOLFSSL_NGINX
cs->thisDateAsn = source + idx;
#endif
if (GetBasicDate(source, &idx, cs->thisDate,
&cs->thisDateFormat, size) < 0)
return ASN_PARSE_E;
@ -9513,6 +9516,9 @@ static int DecodeSingleResponse(byte* source,
idx++;
if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
#ifdef WOLFSSL_NGINX
cs->nextDateAsn = source + idx;
#endif
if (GetBasicDate(source, &idx, cs->nextDate,
&cs->nextDateFormat, size) < 0)
return ASN_PARSE_E;
@ -9759,7 +9765,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
return ASN_PARSE_E;
InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm);
/* Don't verify if we don't have access to Cert Manager. */
ret = ParseCertRelative(&cert, CERT_TYPE,
cm == NULL ? NO_VERIFY : VERIFY, cm);
if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
FreeDecodedCert(&cert);
@ -9818,6 +9826,7 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status,
int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap)
{
int ret;
int length = 0;
word32 idx = 0;
byte* source = resp->source;
@ -9860,8 +9869,9 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap)
if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
if (DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap) < 0)
return ASN_PARSE_E;
ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap);
if (ret < 0)
return ret;
return 0;
}
@ -9871,8 +9881,8 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
{
static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
0x30, 0x01, 0x02 };
byte seqArray[6][MAX_SEQ_SZ];
word32 seqSz[6], totalSz = (word32)sizeof(NonceObjId);
byte seqArray[5][MAX_SEQ_SZ];
word32 seqSz[5], totalSz = (word32)sizeof(NonceObjId);
WOLFSSL_ENTER("SetOcspReqExtensions");
@ -9886,16 +9896,12 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
totalSz += seqSz[2] = 1 + SetLength(sizeof(NonceObjId), &seqArray[2][1]);
totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]);
totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]);
totalSz += seqSz[5] = SetExplicit(2, totalSz, seqArray[5]);
if (totalSz > size)
return 0;
totalSz = 0;
XMEMCPY(output + totalSz, seqArray[5], seqSz[5]);
totalSz += seqSz[5];
XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
totalSz += seqSz[4];
@ -9946,8 +9952,14 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
snSz = SetSerialNumber(req->serial, req->serialSz, snArray);
extSz = 0;
if (req->nonceSz)
extSz = EncodeOcspRequestExtensions(req, extArray, OCSP_NONCE_EXT_SZ);
if (req->nonceSz) {
/* TLS Extensions use this function too - put extensions after
* ASN.1: Context Specific [2].
*/
extSz = EncodeOcspRequestExtensions(req, extArray + 2,
OCSP_NONCE_EXT_SZ);
extSz += SetExplicit(2, extSz, extArray);
}
totalSz = algoSz + issuerSz + issuerKeySz + snSz;
for (i = 4; i >= 0; i--) {
@ -9956,6 +9968,8 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
if (i == 2) totalSz += extSz;
}
if (output == NULL)
return totalSz;
if (totalSz > size)
return BUFFER_E;

16
wolfcrypt/src/ecc.c
View File

@ -1195,6 +1195,22 @@ void wc_ecc_curve_cache_free(void)
#endif /* WOLFSSL_ATECC508A */
/* Retrieve the curve name for the ECC curve id.
*
* curve_id The id of the curve.
* returns the name stored from the curve if available, otherwise NULL.
*/
const char* wc_ecc_get_name(int curve_id)
{
int x;
for (x = 0; ecc_sets[x].size != 0; x++) {
if (curve_id == ecc_sets[x].id)
return ecc_sets[x].name;
}
return NULL;
}
static int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id)
{

2
wolfcrypt/src/evp.c
View File

@ -277,7 +277,7 @@ WOLFSSL_API int wolfSSL_EVP_CipherUpdate(WOLFSSL_EVP_CIPHER_CTX *ctx,
blocks = inl / ctx->block_size;
if (blocks > 0) {
/* process blocks */
if (evpCipherBlock(ctx, out, ctx->buf, blocks) == 0)
if (evpCipherBlock(ctx, out, in, blocks*ctx->block_size) == 0)
return 0;
PRINT_BUF(ctx->buf, ctx->block_size);
PRINT_BUF(out, ctx->block_size);

109
wolfssl/internal.h
View File

@ -1058,8 +1058,8 @@ enum Misc {
MAX_WOLFSSL_FILE_SIZE = 1024 * 1024 * 4, /* 4 mb file size alloc limit */
#if defined(FORTRESS) || defined (HAVE_STUNNEL)
MAX_EX_DATA = 3, /* allow for three items of ex_data */
#if defined(HAVE_EX_DATA) || defined(FORTRESS)
MAX_EX_DATA = 4, /* allow for four items of ex_data */
#endif
MAX_X509_SIZE = 2048, /* max static x509 buffer size */
@ -1463,6 +1463,9 @@ struct WOLFSSL_OCSP {
WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */
OcspEntry* ocspList; /* OCSP response list */
wolfSSL_Mutex ocspLock; /* OCSP list lock */
#ifdef WOLFSSL_NGINX
int(*statusCb)(WOLFSSL*, void*);
#endif
};
#ifndef MAX_DATE_SIZE
@ -1944,11 +1947,18 @@ struct WOLFSSL_CTX {
DerBuffer* certificate;
DerBuffer* certChain;
/* chain after self, in DER, with leading size for each cert */
#ifdef OPENSSL_EXTRA
STACK_OF(WOLFSSL_X509_NAME)* ca_names;
#endif
#ifdef WOLFSSL_NGINX
STACK_OF(WOLFSSL_X509)* x509Chain;
#endif
DerBuffer* privateKey;
WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */
#endif
#ifdef KEEP_OUR_CERT
WOLFSSL_X509* ourCert; /* keep alive a X509 struct of cert */
int ownOurCert; /* Dispose of certificate if we own */
#endif
Suites* suites; /* make dynamic, user may not need/set */
void* heap; /* for user memory overrides */
@ -1958,6 +1968,9 @@ struct WOLFSSL_CTX {
byte failNoCertxPSK; /* fail if no cert with the exception of PSK*/
byte sessionCacheOff;
byte sessionCacheFlushOff;
#ifdef HAVE_EXT_CACHE
byte internalCacheOff;
#endif
byte sendVerify; /* for client side */
byte haveRSA; /* RSA available */
byte haveECC; /* ECC available */
@ -1982,6 +1995,9 @@ struct WOLFSSL_CTX {
#endif
#ifdef HAVE_ECC
short minEccKeySz; /* minimum ECC key size */
#endif
#ifdef OPENSSL_EXTRA
unsigned long mask; /* store SSL_OP_ flags */
#endif
CallbackIORecv CBIORecv;
CallbackIOSend CBIOSend;
@ -1997,6 +2013,7 @@ struct WOLFSSL_CTX {
word32 timeout; /* session timeout */
#ifdef HAVE_ECC
word16 eccTempKeySz; /* in octets 20 - 66 */
word32 ecdhCurveOID; /* curve Ecc_Sum */
word32 pkCurveOID; /* curve Ecc_Sum */
#endif
#ifndef NO_PSK
@ -2015,8 +2032,14 @@ struct WOLFSSL_CTX {
byte readAhead;
void* userPRFArg; /* passed to prf callback */
#endif /* OPENSSL_EXTRA */
#ifdef HAVE_STUNNEL
#ifdef HAVE_EX_DATA
void* ex_data[MAX_EX_DATA];
#endif
#if defined(HAVE_ALPN) && defined(WOLFSSL_NGINX)
CallbackALPNSelect alpnSelect;
void* alpnSelectArg;
#endif
#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)
CallbackSniRecv sniRecvCb;
void* sniRecvCbArg;
#endif
@ -2064,6 +2087,11 @@ struct WOLFSSL_CTX {
#ifdef HAVE_WOLF_EVENT
WOLF_EVENT_QUEUE event_queue;
#endif /* HAVE_WOLF_EVENT */
#ifdef HAVE_EXT_CACHE
WOLFSSL_SESSION*(*get_sess_cb)(WOLFSSL*, unsigned char*, int, int*);
int (*new_sess_cb)(WOLFSSL*, WOLFSSL_SESSION*);
void (*rem_sess_cb)(WOLFSSL_CTX*, WOLFSSL_SESSION*);
#endif
};
@ -2261,30 +2289,33 @@ struct WOLFSSL_X509_CHAIN {
/* wolfSSL session type */
struct WOLFSSL_SESSION {
word32 bornOn; /* create time in seconds */
word32 timeout; /* timeout in seconds */
byte sessionID[ID_LEN]; /* id for protocol */
byte sessionIDSz;
byte masterSecret[SECRET_LEN]; /* stored secret */
word16 haveEMS; /* ext master secret flag */
word32 bornOn; /* create time in seconds */
word32 timeout; /* timeout in seconds */
byte sessionID[ID_LEN]; /* id for protocol */
byte sessionIDSz;
byte masterSecret[SECRET_LEN]; /* stored secret */
word16 haveEMS; /* ext master secret flag */
#ifdef SESSION_CERTS
WOLFSSL_X509_CHAIN chain; /* peer cert chain, static */
ProtocolVersion version; /* which version was used */
byte cipherSuite0; /* first byte, normally 0 */
byte cipherSuite; /* 2nd byte, actual suite */
WOLFSSL_X509_CHAIN chain; /* peer cert chain, static */
ProtocolVersion version; /* which version was used */
byte cipherSuite0; /* first byte, normally 0 */
byte cipherSuite; /* 2nd byte, actual suite */
#endif
#ifndef NO_CLIENT_CACHE
word16 idLen; /* serverID length */
byte serverID[SERVER_ID_LEN]; /* for easier client lookup */
word16 idLen; /* serverID length */
byte serverID[SERVER_ID_LEN]; /* for easier client lookup */
#endif
#ifdef HAVE_SESSION_TICKET
byte* ticket;
word16 ticketLen;
byte staticTicket[SESSION_TICKET_LEN];
byte isDynamic;
byte* ticket;
word16 ticketLen;
byte staticTicket[SESSION_TICKET_LEN];
byte isDynamic;
#endif
#ifdef HAVE_STUNNEL
void* ex_data[MAX_EX_DATA];
#ifdef HAVE_EXT_CACHE
byte isAlloced;
#endif
#ifdef HAVE_EX_DATA
void* ex_data[MAX_EX_DATA];
#endif
};
@ -2402,6 +2433,9 @@ typedef struct Options {
word16 sendVerify:2; /* false = 0, true = 1, sendBlank = 2 */
word16 sessionCacheOff:1;
word16 sessionCacheFlushOff:1;
#ifdef HAVE_EXT_CACHE
word16 internalCacheOff:1;
#endif
word16 side:1; /* client or server end */
word16 verifyPeer:1;
word16 verifyNone:1;
@ -2522,9 +2556,11 @@ struct WOLFSSL_STACK {
unsigned long num; /* number of nodes in stack
* (saftey measure for freeing and shortcut for count) */
union {
WOLFSSL_X509* x509;
WOLFSSL_BIO* bio;
WOLFSSL_X509* x509;
WOLFSSL_X509_NAME* name;
WOLFSSL_BIO* bio;
WOLFSSL_ASN1_OBJECT* obj;
char* string;
} data;
WOLFSSL_STACK* next;
};
@ -2593,6 +2629,9 @@ struct WOLFSSL_X509 {
int certPoliciesNb;
#endif /* WOLFSSL_CERT_EXT */
#ifdef OPENSSL_EXTRA
#ifdef HAVE_EX_DATA
void* ex_data[MAX_EX_DATA];
#endif
word32 pathLength;
word16 keyUsage;
byte CRLdistSet;
@ -2752,6 +2791,9 @@ struct WOLFSSL {
Ciphers decrypt;
Buffers buffers;
WOLFSSL_SESSION session;
#ifdef HAVE_EXT_CACHE
WOLFSSL_SESSION* extSession;
#endif
WOLFSSL_ALERT_HISTORY alert_history;
int error;
int rfd; /* read file descriptor */
@ -2803,6 +2845,7 @@ struct WOLFSSL {
ecc_key* peerEccDsaKey; /* peer's ECDSA key */
ecc_key* eccTempKey; /* private ECDHE key */
word32 pkCurveOID; /* curve Ecc_Sum */
word32 ecdhCurveOID; /* curve Ecc_Sum */
word16 eccTempKeySz; /* in octets 20 - 66 */
byte peerEccKeyPresent;
byte peerEccDsaKeyPresent;
@ -2847,8 +2890,8 @@ struct WOLFSSL {
flag found in buffers.weOwnCert) */
#endif
byte keepCert; /* keep certificate after handshake */
#if defined(FORTRESS) || defined(HAVE_STUNNEL)
void* ex_data[MAX_EX_DATA]; /* external data, for Fortress */
#if defined(HAVE_EX_DATA) || defined(FORTRESS)
void* ex_data[MAX_EX_DATA]; /* external data, for Fortress */
#endif
int devId; /* async device id to use */
#ifdef HAVE_ONE_TIME_AUTH
@ -2874,6 +2917,10 @@ struct WOLFSSL {
#endif /* user turned on */
#ifdef HAVE_ALPN
char* alpn_client_list; /* keep the client's list */
#ifdef WOLFSSL_NGINX
CallbackALPNSelect alpnSelect;
void* alpnSelectArg;
#endif
#endif /* of accepted protocols */
#if !defined(NO_WOLFSSL_CLIENT) && defined(HAVE_SESSION_TICKET)
CallbackSessionTicket session_ticket_cb;
@ -2881,6 +2928,13 @@ struct WOLFSSL {
byte expect_session_ticket;
#endif
#endif /* HAVE_TLS_EXTENSIONS */
#ifdef OPENSSL_EXTRA
byte* ocspResp;
int ocspRespSz;
#ifdef WOLFSSL_NGINX
char* url;
#endif
#endif
#ifdef HAVE_NETX
NetX_Ctx nxCtx; /* NetX IO Context */
#endif
@ -2957,6 +3011,11 @@ typedef struct EncryptedInfo {
WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format,
int type, WOLFSSL* ssl, int userChain,
WOLFSSL_CRL* crl);
#ifdef OPENSSL_EXTRA
WOLFSSL_LOCAL int CheckHostName(DecodedCert* dCert, char *domainName,
size_t domainNameLen);
#endif
#endif

50
wolfssl/ocsp.h
View File

@ -37,6 +37,14 @@
typedef struct WOLFSSL_OCSP WOLFSSL_OCSP;
#ifdef WOLFSSL_NGINX
typedef struct OcspResponse WOLFSSL_OCSP_BASICRESP;
typedef struct OcspRequest WOLFSSL_OCSP_CERTID;
typedef struct OcspRequest WOLFSSL_OCSP_ONEREQ;
#endif
WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*);
WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic);
@ -45,6 +53,48 @@ WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*,
WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp,
OcspRequest* ocspRequest, WOLFSSL_BUFFER_INFO* responseBuffer);
#ifdef WOLFSSL_NGINX
WOLFSSL_API int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
WOLFSSL_OCSP_CERTID* id, int* status, int* reason,
WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd,
WOLFSSL_ASN1_TIME** nextupd);
WOLFSSL_API const char *wolfSSL_OCSP_cert_status_str(long s);
WOLFSSL_API int wolfSSL_OCSP_check_validity(WOLFSSL_ASN1_TIME* thisupd,
WOLFSSL_ASN1_TIME* nextupd, long sec, long maxsec);
WOLFSSL_API void wolfSSL_OCSP_CERTID_free(WOLFSSL_OCSP_CERTID* certId);
WOLFSSL_API WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
const WOLFSSL_EVP_MD *dgst, const WOLFSSL_X509 *subject,
const WOLFSSL_X509 *issuer);
WOLFSSL_API void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse);
WOLFSSL_API int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs,
STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags);
WOLFSSL_API void wolfSSL_OCSP_RESPONSE_free(OcspResponse* response);
WOLFSSL_API OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio,
OcspResponse** response);
WOLFSSL_API OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
const unsigned char** data, int len);
WOLFSSL_API int wolfSSL_i2d_OCSP_RESPONSE(OcspResponse* response,
unsigned char** data);
WOLFSSL_API int wolfSSL_OCSP_response_status(OcspResponse *response);
WOLFSSL_API const char *wolfSSL_OCSP_response_status_str(long s);
WOLFSSL_API WOLFSSL_OCSP_BASICRESP* wolfSSL_OCSP_response_get1_basic(
OcspResponse* response);
WOLFSSL_API OcspRequest* wolfSSL_OCSP_REQUEST_new(void);
WOLFSSL_API void wolfSSL_OCSP_REQUEST_free(OcspRequest* request);
WOLFSSL_API int wolfSSL_i2d_OCSP_REQUEST(OcspRequest* request,
unsigned char** data);
WOLFSSL_API WOLFSSL_OCSP_ONEREQ* wolfSSL_OCSP_request_add0_id(OcspRequest *req,
WOLFSSL_OCSP_CERTID *cid);
#endif
#ifdef __cplusplus
} /* extern "C" */
#endif

7
wolfssl/openssl/crypto.h
View File

@ -3,6 +3,7 @@
#ifndef WOLFSSL_CRYPTO_H_
#define WOLFSSL_CRYPTO_H_
#include <wolfssl/openssl/opensslv.h>
#include <wolfssl/wolfcrypt/settings.h>
@ -23,7 +24,7 @@ WOLFSSL_API unsigned long wolfSSLeay(void);
#define SSLEAY_VERSION 0x0090600fL
#define SSLEAY_VERSION_NUMBER SSLEAY_VERSION
#ifdef HAVE_STUNNEL
#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)
#define CRYPTO_set_mem_ex_functions wolfSSL_CRYPTO_set_mem_ex_functions
#define FIPS_mode wolfSSL_FIPS_mode
#define FIPS_mode_set wolfSSL_FIPS_mode_set
@ -41,7 +42,9 @@ typedef void (CRYPTO_free_func)(void*parent, void*ptr, CRYPTO_EX_DATA *ad, int i
#define CRYPTO_THREAD_r_lock wc_LockMutex
#define CRYPTO_THREAD_unlock wc_UnLockMutex
#endif /* HAVE_STUNNEL */
#define OPENSSL_malloc(a) XMALLOC(a, NULL, DYNAMIC_TYPE_OPENSSL)
#endif /* HAVE_STUNNEL || WOLFSSL_NGINX */
#endif /* header */

8
wolfssl/openssl/dsa.h
View File

@ -4,13 +4,19 @@
#ifndef WOLFSSL_DSA_H_
#define WOLFSSL_DSA_H_
#include <wolfssl/openssl/ssl.h>
#include <wolfssl/openssl/bn.h>
#ifdef __cplusplus
extern "C" {
#endif
#ifndef WOLFSSL_DSA_TYPE_DEFINED /* guard on redeclaration */
typedef struct WOLFSSL_DSA WOLFSSL_DSA;
#define WOLFSSL_DSA_TYPE_DEFINED
#endif
typedef WOLFSSL_DSA DSA;
struct WOLFSSL_DSA {
WOLFSSL_BIGNUM* p;
WOLFSSL_BIGNUM* q;

13
wolfssl/openssl/ec.h
View File

@ -3,7 +3,6 @@
#ifndef WOLFSSL_EC_H_
#define WOLFSSL_EC_H_
#include <wolfssl/openssl/ssl.h>
#include <wolfssl/openssl/bn.h>
#include <wolfssl/wolfcrypt/ecc.h>
@ -44,6 +43,17 @@ enum {
OPENSSL_EC_NAMED_CURVE = 0x001
};
#ifndef WOLFSSL_EC_TYPE_DEFINED /* guard on redeclaration */
typedef struct WOLFSSL_EC_KEY WOLFSSL_EC_KEY;
typedef struct WOLFSSL_EC_POINT WOLFSSL_EC_POINT;
typedef struct WOLFSSL_EC_GROUP WOLFSSL_EC_GROUP;
#define WOLFSSL_EC_TYPE_DEFINED
#endif
typedef WOLFSSL_EC_KEY EC_KEY;
typedef WOLFSSL_EC_GROUP EC_GROUP;
typedef WOLFSSL_EC_POINT EC_POINT;
struct WOLFSSL_EC_POINT {
WOLFSSL_BIGNUM *X;
WOLFSSL_BIGNUM *Y;
@ -57,6 +67,7 @@ struct WOLFSSL_EC_POINT {
struct WOLFSSL_EC_GROUP {
int curve_idx; /* index of curve, used by WolfSSL as reference */
int curve_nid; /* NID of curve, used by OpenSSL/OpenSSH as reference */
int curve_oid; /* OID of curve, used by OpenSSL/OpenSSH as reference */
};
struct WOLFSSL_EC_KEY {

8
wolfssl/openssl/ecdsa.h
View File

@ -3,7 +3,6 @@
#ifndef WOLFSSL_ECDSA_H_
#define WOLFSSL_ECDSA_H_
#include <wolfssl/openssl/ssl.h>
#include <wolfssl/openssl/bn.h>
@ -11,6 +10,13 @@
extern "C" {
#endif
#ifndef WOLFSSL_ECDSA_TYPE_DEFINED /* guard on redeclaration */
typedef struct WOLFSSL_ECDSA_SIG WOLFSSL_ECDSA_SIG;
#define WOLFSSL_ECDSA_TYPE_DEFINED
#endif
typedef WOLFSSL_ECDSA_SIG ECDSA_SIG;
struct WOLFSSL_ECDSA_SIG {
WOLFSSL_BIGNUM *r;
WOLFSSL_BIGNUM *s;

22
wolfssl/openssl/evp.h
View File

@ -56,6 +56,7 @@
#endif
typedef char WOLFSSL_EVP_CIPHER;
typedef char WOLFSSL_EVP_MD;
#ifndef NO_MD5
WOLFSSL_API const WOLFSSL_EVP_MD* wolfSSL_EVP_md5(void);
@ -173,6 +174,24 @@ typedef struct WOLFSSL_EVP_CIPHER_CTX {
int lastUsed;
} WOLFSSL_EVP_CIPHER_CTX;
#ifndef WOLFSSL_EVP_PKEY_TYPE_DEFINED /* guard on redeclaration */
typedef struct WOLFSSL_EVP_PKEY WOLFSSL_EVP_PKEY;
#define WOLFSSL_EVP_PKEY_TYPE_DEFINED
#endif
struct WOLFSSL_EVP_PKEY {
int type; /* openssh dereference */
int save_type; /* openssh dereference */
int pkey_sz;
union {
char* ptr; /* der format of key / or raw for NTRU */
} pkey;
#ifdef HAVE_ECC
int pkey_curve;
#endif
};
typedef int WOLFSSL_ENGINE ;
typedef WOLFSSL_ENGINE ENGINE;
@ -210,6 +229,7 @@ WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_init(WOLFSSL_EVP_CIPHER_CTX* ctx);
WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_cleanup(WOLFSSL_EVP_CIPHER_CTX* ctx);
WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_iv_length(const WOLFSSL_EVP_CIPHER_CTX*);
WOLFSSL_API int wolfSSL_EVP_CIPHER_iv_length(const WOLFSSL_EVP_CIPHER*);
WOLFSSL_API int wolfSSL_EVP_CipherInit(WOLFSSL_EVP_CIPHER_CTX* ctx,
@ -370,6 +390,8 @@ typedef WOLFSSL_EVP_CIPHER_CTX EVP_CIPHER_CTX;
#define EVP_CIPHER_CTX_set_key_length wolfSSL_EVP_CIPHER_CTX_set_key_length
#define EVP_CIPHER_CTX_mode wolfSSL_EVP_CIPHER_CTX_mode
#define EVP_CIPHER_iv_length wolfSSL_EVP_CIPHER_iv_length
#define EVP_CipherInit wolfSSL_EVP_CipherInit
#define EVP_CipherInit_ex wolfSSL_EVP_CipherInit_ex
#define EVP_EncryptInit wolfSSL_EVP_EncryptInit

3
wolfssl/openssl/hmac.h
View File

@ -57,6 +57,8 @@ typedef struct WOLFSSL_HMAC_CTX {
WOLFSSL_API void wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key,
int keylen, const EVP_MD* type);
WOLFSSL_API int wolfSSL_HMAC_Init_ex(WOLFSSL_HMAC_CTX* ctx, const void* key,
int len, const EVP_MD* md, void* impl);
WOLFSSL_API void wolfSSL_HMAC_Update(WOLFSSL_HMAC_CTX* ctx,
const unsigned char* data, int len);
WOLFSSL_API void wolfSSL_HMAC_Final(WOLFSSL_HMAC_CTX* ctx, unsigned char* hash,
@ -69,6 +71,7 @@ typedef struct WOLFSSL_HMAC_CTX HMAC_CTX;
#define HMAC(a,b,c,d,e,f,g) wolfSSL_HMAC((a),(b),(c),(d),(e),(f),(g))
#define HMAC_Init wolfSSL_HMAC_Init
#define HMAC_Init_ex wolfSSL_HMAC_Init_ex
#define HMAC_Update wolfSSL_HMAC_Update
#define HMAC_Final wolfSSL_HMAC_Final
#define HMAC_cleanup wolfSSL_HMAC_cleanup

43
wolfssl/openssl/ocsp.h
View File

@ -1 +1,44 @@
/* ocsp.h for libcurl */
#ifndef WOLFSSL_OCSP_H_
#define WOLFSSL_OCSP_H_
#ifdef HAVE_OCSP
#include <wolfssl/ocsp.h>
#define OCSP_REQUEST OcspRequest
#define OCSP_RESPONSE OcspResponse
#define OCSP_BASICRESP WOLFSSL_OCSP_BASICRESP
#define OCSP_CERTID WOLFSSL_OCSP_CERTID
#define OCSP_ONEREQ WOLFSSL_OCSP_ONEREQ
#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
#define V_OCSP_CERTSTATUS_GOOD 0
#define OCSP_resp_find_status wolfSSL_OCSP_resp_find_status
#define OCSP_cert_status_str wolfSSL_OCSP_cert_status_str
#define OCSP_check_validity wolfSSL_OCSP_check_validity
#define OCSP_CERTID_free wolfSSL_OCSP_CERTID_free
#define OCSP_cert_to_id wolfSSL_OCSP_cert_to_id
#define OCSP_BASICRESP_free wolfSSL_OCSP_BASICRESP_free
#define OCSP_basic_verify wolfSSL_OCSP_basic_verify
#define OCSP_RESPONSE_free wolfSSL_OCSP_RESPONSE_free
#define d2i_OCSP_RESPONSE_bio wolfSSL_d2i_OCSP_RESPONSE_bio
#define d2i_OCSP_RESPONSE wolfSSL_d2i_OCSP_RESPONSE
#define i2d_OCSP_RESPONSE wolfSSL_i2d_OCSP_RESPONSE
#define OCSP_response_status wolfSSL_OCSP_response_status
#define OCSP_response_status_str wolfSSL_OCSP_response_status_str
#define OCSP_response_get1_basic wolfSSL_OCSP_response_get1_basic
#define OCSP_REQUEST_new wolfSSL_OCSP_REQUEST_new
#define OCSP_REQUEST_free wolfSSL_OCSP_REQUEST_free
#define i2d_OCSP_REQUEST wolfSSL_i2d_OCSP_REQUEST
#define OCSP_request_add0_id wolfSSL_OCSP_request_add0_id
#endif /* HAVE_OCSP */
#endif /* WOLFSSL_OCSP_H_ */

2
wolfssl/openssl/opensslv.h
View File

@ -5,7 +5,7 @@
/* api version compatibility */
#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY)
#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) || defined(WOLFSSL_NGINX)
/* version number can be increased for Lighty after compatibility for ECDH
is added */
#define OPENSSL_VERSION_NUMBER 0x10001000L

8
wolfssl/openssl/rsa.h
View File

@ -4,7 +4,6 @@
#ifndef WOLFSSL_RSA_H_
#define WOLFSSL_RSA_H_
#include <wolfssl/openssl/ssl.h>
#include <wolfssl/openssl/bn.h>
@ -24,6 +23,13 @@ enum {
NID_sha512 = 674
};
#ifndef WOLFSSL_RSA_TYPE_DEFINED /* guard on redeclaration */
typedef struct WOLFSSL_RSA WOLFSSL_RSA;
#define WOLFSSL_RSA_TYPE_DEFINED
#endif
typedef WOLFSSL_RSA RSA;
struct WOLFSSL_RSA {
WOLFSSL_BIGNUM* n;
WOLFSSL_BIGNUM* e;

162
wolfssl/openssl/ssl.h
View File

@ -32,6 +32,8 @@
/* wolfssl_openssl compatibility layer */
#include <wolfssl/ssl.h>
#include <wolfssl/openssl/evp.h>
#ifdef __cplusplus
extern "C" {
#endif
@ -61,39 +63,34 @@ typedef WOLFSSL_X509_CHAIN X509_CHAIN;
#define WOLFSSL_TYPES_DEFINED
typedef WOLFSSL_EVP_PKEY EVP_PKEY;
typedef WOLFSSL_RSA RSA;
typedef WOLFSSL_DSA DSA;
typedef WOLFSSL_EC_KEY EC_KEY;
typedef WOLFSSL_EC_GROUP EC_GROUP;
typedef WOLFSSL_EC_POINT EC_POINT;
typedef WOLFSSL_ECDSA_SIG ECDSA_SIG;
typedef WOLFSSL_BIO BIO;
typedef WOLFSSL_BIO_METHOD BIO_METHOD;
typedef WOLFSSL_CIPHER SSL_CIPHER;
typedef WOLFSSL_X509_LOOKUP X509_LOOKUP;
typedef WOLFSSL_X509_LOOKUP_METHOD X509_LOOKUP_METHOD;
typedef WOLFSSL_X509_CRL X509_CRL;
typedef WOLFSSL_X509_EXTENSION X509_EXTENSION;
typedef WOLFSSL_ASN1_TIME ASN1_TIME;
typedef WOLFSSL_ASN1_INTEGER ASN1_INTEGER;
typedef WOLFSSL_ASN1_OBJECT ASN1_OBJECT;
typedef WOLFSSL_ASN1_STRING ASN1_STRING;
typedef WOLFSSL_dynlock_value CRYPTO_dynlock_value;
typedef WOLFSSL_BUF_MEM BUF_MEM;
typedef WOLFSSL_EVP_PKEY EVP_PKEY;
typedef WOLFSSL_BIO BIO;
typedef WOLFSSL_BIO_METHOD BIO_METHOD;
typedef WOLFSSL_CIPHER SSL_CIPHER;
typedef WOLFSSL_X509_LOOKUP X509_LOOKUP;
typedef WOLFSSL_X509_LOOKUP_METHOD X509_LOOKUP_METHOD;
typedef WOLFSSL_X509_CRL X509_CRL;
typedef WOLFSSL_X509_EXTENSION X509_EXTENSION;
typedef WOLFSSL_ASN1_TIME ASN1_TIME;
typedef WOLFSSL_ASN1_INTEGER ASN1_INTEGER;
typedef WOLFSSL_ASN1_OBJECT ASN1_OBJECT;
typedef WOLFSSL_ASN1_STRING ASN1_STRING;
typedef WOLFSSL_dynlock_value CRYPTO_dynlock_value;
typedef WOLFSSL_BUF_MEM BUF_MEM;
/* GENERAL_NAME and BASIC_CONSTRAINTS structs may need implemented as
* compatibility layer expands. For now treating them as an ASN1_OBJECT */
typedef WOLFSSL_ASN1_OBJECT GENERAL_NAME;
typedef WOLFSSL_ASN1_OBJECT BASIC_CONSTRAINTS;
#define ASN1_UTCTIME WOLFSSL_ASN1_TIME
#define ASN1_UTCTIME WOLFSSL_ASN1_TIME
#define ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME
typedef WOLFSSL_MD4_CTX MD4_CTX;
typedef WOLFSSL_COMP_METHOD COMP_METHOD;
typedef WOLFSSL_X509_STORE X509_STORE;
typedef WOLFSSL_X509_REVOKED X509_REVOKED;
typedef WOLFSSL_X509_OBJECT X509_OBJECT;
typedef WOLFSSL_X509_STORE X509_STORE;
typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
#define CRYPTO_free XFREE
@ -104,7 +101,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
#define SSL_get_cipher_list(ctx,i) wolfSSL_get_cipher_list((i))
#define SSL_get_cipher_name(ctx) wolfSSL_get_cipher((ctx))
#define SSL_get_shared_ciphers(ctx,buf,len) \
strncpy(buf, "Not Implemented, SSLv2 only", len)
wolfSSL_get_shared_ciphers((ctx),(buf),(len))
#define ERR_print_errors_fp(file) wolfSSL_ERR_dump_errors_fp((file))
@ -335,7 +332,8 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
#define X509_get_serialNumber wolfSSL_X509_get_serialNumber
#define ASN1_TIME_print wolfSSL_ASN1_TIME_print
#define ASN1_TIME_print wolfSSL_ASN1_TIME_print
#define ASN1_GENERALIZEDTIME_print wolfSSL_ASN1_GENERALIZEDTIME_print
#define ASN1_INTEGER_cmp wolfSSL_ASN1_INTEGER_cmp
#define ASN1_INTEGER_get wolfSSL_ASN1_INTEGER_get
@ -343,6 +341,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
#define SSL_load_client_CA_file wolfSSL_load_client_CA_file
#define SSL_CTX_get_client_CA_list wolfSSL_SSL_CTX_get_client_CA_list
#define SSL_CTX_set_client_CA_list wolfSSL_CTX_set_client_CA_list
#define SSL_CTX_set_cert_store wolfSSL_CTX_set_cert_store
#define SSL_CTX_get_cert_store wolfSSL_CTX_get_cert_store
@ -472,7 +471,9 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX;
/* Lighthttp compatibility */
#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL)
#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) \
|| defined(HAVE_STUNNEL) \
|| defined(WOLFSSL_NGINX)
typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
#define X509_NAME_free wolfSSL_X509_NAME_free
@ -484,6 +485,7 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
#define OBJ_obj2nid wolfSSL_OBJ_obj2nid
#define OBJ_sn2nid wolfSSL_OBJ_sn2nid
#define SSL_CTX_set_verify_depth wolfSSL_CTX_set_verify_depth
#define SSL_set_verify_depth wolfSSL_set_verify_depth
#define SSL_get_app_data wolfSSL_get_app_data
#define SSL_set_app_data wolfSSL_set_app_data
#define X509_NAME_entry_count wolfSSL_X509_NAME_entry_count
@ -501,16 +503,17 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
#define NID_commonName 0x03 /* matchs ASN_COMMON_NAME in asn.h */
#endif
#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) \
|| defined(WOLFSSL_MYSQL_COMPATIBLE)
#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) \
|| defined(HAVE_STUNNEL) \
|| defined(WOLFSSL_NGINX)
#define OBJ_nid2ln wolfSSL_OBJ_nid2ln
#define OBJ_txt2nid wolfSSL_OBJ_txt2nid
#define PEM_read_bio_DHparams wolfSSL_PEM_read_bio_DHparams
#define PEM_read_bio_DSAparams wolfSSL_PEM_read_bio_DSAparams
#define PEM_write_bio_X509 PEM_write_bio_WOLFSSL_X509
#define PEM_write_bio_X509 wolfSSL_PEM_write_bio_X509
#endif /* HAVE_STUNNEL || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE */
#endif /* HAVE_STUNNEL || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE || WOLFSSL_NGINX */
#define SSL_CTX_set_tmp_dh wolfSSL_CTX_set_tmp_dh
#define BIO_new_file wolfSSL_BIO_new_file
@ -590,15 +593,18 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
#define SSL_CTRL_GET_READ_AHEAD 40
#define SSL_CTRL_SET_READ_AHEAD 41
#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB 63
#define SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG 64
#define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
#define SSL_ctrl wolfSSL_ctrl
#define SSL_CTX_ctrl wolfSSL_CTX_ctrl
#define X509_V_FLAG_CRL_CHECK WOLFSSL_CRL_CHECK
#define X509_V_FLAG_CRL_CHECK_ALL WOLFSSL_CRL_CHECKALL
#ifdef HAVE_STUNNEL
#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)
#include <wolfssl/openssl/asn1.h>
#define SSL2_VERSION 0x0002
@ -646,7 +652,7 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
#define SSL_get_servername wolfSSL_get_servername
#define SSL_set_SSL_CTX wolfSSL_set_SSL_CTX
#define SSL_CTX_get_verify_callback wolfSSL_CTX_get_verify_callback
#define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_servername_callback
#define SSL_CTX_set_tlsext_servername_callback wolfSSL_CTX_set_tlsext_servername_callback
#define SSL_CTX_set_tlsext_servername_arg wolfSSL_CTX_set_servername_arg
#define PSK_MAX_PSK_LEN 256
@ -655,7 +661,7 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
#define SSL_CTX_clear_options wolfSSL_CTX_clear_options
#endif /* HAVE_STUNNEL */
#endif /* HAVE_STUNNEL || WOLFSSL_NGINX */
#define SSL_CTX_get_default_passwd_cb wolfSSL_CTX_get_default_passwd_cb
#define SSL_CTX_get_default_passwd_cb_userdata wolfSSL_CTX_get_default_passwd_cb_userdata
@ -683,6 +689,98 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
#define SSL_CTX_set_msg_callback_arg wolfSSL_CTX_set_msg_callback_arg
#define SSL_set_msg_callback_arg wolfSSL_set_msg_callback_arg
/* certificate extension NIDs */
#define NID_basic_constraints 133
#define NID_key_usage 129 /* 2.5.29.15 */
#define NID_ext_key_usage 151 /* 2.5.29.37 */
#define NID_subject_key_identifier 128
#define NID_authority_key_identifier 149
#define NID_private_key_usage_period 130 /* 2.5.29.16 */
#define NID_subject_alt_name 131
#define NID_issuer_alt_name 132
#define NID_info_access 69
#define NID_sinfo_access 79 /* id-pe 11 */
#define NID_name_constraints 144 /* 2.5.29.30 */
#define NID_certificate_policies 146
#define NID_policy_mappings 147
#define NID_policy_constraints 150
#define NID_inhibit_any_policy 168 /* 2.5.29.54 */
#define NID_tlsfeature 92 /* id-pe 24 */
#ifdef WOLFSSL_NGINX
#include <wolfssl/error-ssl.h>
#define OPENSSL_STRING WOLFSSL_STRING
#define TLSEXT_TYPE_application_layer_protocol_negotiation 16
#define OPENSSL_NPN_UNSUPPORTED 0
#define OPENSSL_NPN_NEGOTIATED 1
#define OPENSSL_NPN_NO_OVERLAP 2
/* Nginx checks these to see if the error was a handshake error. */
#define SSL_R_BAD_CHANGE_CIPHER_SPEC LENGTH_ERROR
#define SSL_R_BLOCK_CIPHER_PAD_IS_WRONG BUFFER_E
#define SSL_R_DIGEST_CHECK_FAILED VERIFY_MAC_ERROR
#define SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST SUITES_ERROR
#define SSL_R_EXCESSIVE_MESSAGE_SIZE BUFFER_ERROR
#define SSL_R_LENGTH_MISMATCH LENGTH_ERROR
#define SSL_R_NO_CIPHERS_SPECIFIED SUITES_ERROR
#define SSL_R_NO_COMPRESSION_SPECIFIED COMPRESSION_ERROR
#define SSL_R_NO_SHARED_CIPHER MATCH_SUITE_ERROR
#define SSL_R_RECORD_LENGTH_MISMATCH HANDSHAKE_SIZE_ERROR
#define SSL_R_UNEXPECTED_MESSAGE OUT_OF_ORDER_E
#define SSL_R_UNEXPECTED_RECORD SANITY_MSG_E
#define SSL_R_UNKNOWN_ALERT_TYPE BUFFER_ERROR
#define SSL_R_UNKNOWN_PROTOCOL VERSION_ERROR
#define SSL_R_WRONG_VERSION_NUMBER VERSION_ERROR
#define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC ENCRYPT_ERROR
/* Nginx uses this to determine if reached end of certs in file.
* PEM_read_bio_X509 is called and the return error is lost.
* The error that needs to be detected is: SSL_NO_PEM_HEADER.
*/
#define ERR_GET_LIB(l) (int)((((unsigned long)l)>>24L)&0xffL)
#define PEM_R_NO_START_LINE 108
#define ERR_LIB_PEM 9
#ifdef HAVE_SESSION_TICKET
#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
#endif
#define OPENSSL_config wolfSSL_OPENSSL_config
#define X509_get_ex_new_index wolfSSL_X509_get_ex_new_index
#define X509_get_ex_data wolfSSL_X509_get_ex_data
#define X509_set_ex_data wolfSSL_X509_set_ex_data
#define X509_NAME_digest wolfSSL_X509_NAME_digest
#define SSL_CTX_get_timeout wolfSSL_SSL_CTX_get_timeout
#define SSL_CTX_set_tmp_ecdh wolfSSL_SSL_CTX_set_tmp_ecdh
#define SSL_CTX_remove_session wolfSSL_SSL_CTX_remove_session
#define SSL_get_rbio wolfSSL_SSL_get_rbio
#define SSL_get_wbio wolfSSL_SSL_get_wbio
#define SSL_do_handshake wolfSSL_SSL_do_handshake
#define SSL_in_init wolfSSL_SSL_in_init
#define SSL_get0_session wolfSSL_SSL_get0_session
#define X509_check_host wolfSSL_X509_check_host
#define i2a_ASN1_INTEGER wolfSSL_i2a_ASN1_INTEGER
#define ERR_peek_error_line_data wolfSSL_ERR_peek_error_line_data
#define SSL_CTX_set_tlsext_ticket_key_cb wolfSSL_CTX_set_tlsext_ticket_key_cb
#define X509_email_free wolfSSL_X509_email_free
#define X509_get1_ocsp wolfSSL_X509_get1_ocsp
#define SSL_CTX_set_tlsext_status_cb wolfSSL_CTX_set_tlsext_status_cb
#define X509_check_issued wolfSSL_X509_check_issued
#define X509_dup wolfSSL_X509_dup
#define X509_STORE_CTX_new wolfSSL_X509_STORE_CTX_new
#define X509_STORE_CTX_free wolfSSL_X509_STORE_CTX_free
#define SSL_CTX_get_extra_chain_certs wolfSSL_CTX_get_extra_chain_certs
#define X509_STORE_CTX_get1_issuer wolfSSL_X509_STORE_CTX_get1_issuer
#define sk_OPENSSL_STRING_value wolfSSL_sk_WOLFSSL_STRING_value
#define SSL_get0_alpn_selected wolfSSL_get0_alpn_selected
#define SSL_select_next_proto wolfSSL_select_next_proto
#define SSL_CTX_set_alpn_select_cb wolfSSL_CTX_set_alpn_select_cb
#endif
#ifdef __cplusplus
} /* extern "C" */

226
wolfssl/ssl.h
View File

@ -61,6 +61,7 @@
#ifdef OPENSSL_EXTRA
#include <wolfssl/openssl/bn.h>
#include <wolfssl/openssl/hmac.h>
#endif
#ifdef __cplusplus
@ -95,15 +96,28 @@ typedef struct WOLFSSL_RSA WOLFSSL_RSA;
#define WC_RNG_TYPE_DEFINED
#endif
#ifndef WOLFSSL_DSA_TYPE_DEFINED /* guard on redeclaration */
typedef struct WOLFSSL_DSA WOLFSSL_DSA;
#define WOLFSSL_DSA_TYPE_DEFINED
#endif
#ifndef WOLFSSL_EC_TYPE_DEFINED /* guard on redeclaration */
typedef struct WOLFSSL_EC_KEY WOLFSSL_EC_KEY;
typedef struct WOLFSSL_EC_POINT WOLFSSL_EC_POINT;
typedef struct WOLFSSL_EC_GROUP WOLFSSL_EC_GROUP;
#define WOLFSSL_EC_TYPE_DEFINED
#endif
#ifndef WOLFSSL_ECDSA_TYPE_DEFINED /* guard on redeclaration */
typedef struct WOLFSSL_ECDSA_SIG WOLFSSL_ECDSA_SIG;
#define WOLFSSL_ECDSA_TYPE_DEFINED
#endif
typedef struct WOLFSSL_CIPHER WOLFSSL_CIPHER;
typedef struct WOLFSSL_X509_LOOKUP WOLFSSL_X509_LOOKUP;
typedef struct WOLFSSL_X509_LOOKUP_METHOD WOLFSSL_X509_LOOKUP_METHOD;
typedef struct WOLFSSL_X509_CRL WOLFSSL_X509_CRL;
typedef struct WOLFSSL_X509_STORE WOLFSSL_X509_STORE;
typedef struct WOLFSSL_BIO WOLFSSL_BIO;
typedef struct WOLFSSL_BIO_METHOD WOLFSSL_BIO_METHOD;
typedef struct WOLFSSL_X509_EXTENSION WOLFSSL_X509_EXTENSION;
@ -117,7 +131,8 @@ typedef struct WOLFSSL_DH WOLFSSL_DH;
typedef struct WOLFSSL_ASN1_BIT_STRING WOLFSSL_ASN1_BIT_STRING;
typedef unsigned char* WOLFSSL_BUF_MEM;
#define WOLFSSL_ASN1_UTCTIME WOLFSSL_ASN1_TIME
#define WOLFSSL_ASN1_UTCTIME WOLFSSL_ASN1_TIME
#define WOLFSSL_ASN1_GENERALIZEDTIME WOLFSSL_ASN1_TIME
struct WOLFSSL_ASN1_INTEGER {
/* size can be increased set at 20 for tag, length then to hold at least 16
@ -126,18 +141,16 @@ struct WOLFSSL_ASN1_INTEGER {
/* ASN_INTEGER | LENGTH | hex of number */
};
typedef char WOLFSSL_EVP_MD;
typedef struct WOLFSSL_EVP_PKEY {
int type; /* openssh dereference */
int save_type; /* openssh dereference */
int pkey_sz;
union {
char* ptr; /* der format of key / or raw for NTRU */
} pkey;
#ifdef HAVE_ECC
int pkey_curve;
#endif
} WOLFSSL_EVP_PKEY;
struct WOLFSSL_ASN1_TIME {
/* MAX_DATA_SIZE is 32 */
unsigned char data[32 + 2];
/* ASN_TIME | LENGTH | date bytes */
};
#ifndef WOLFSSL_EVP_PKEY_TYPE_DEFINED /* guard on redeclaration */
typedef struct WOLFSSL_EVP_PKEY WOLFSSL_EVP_PKEY;
#define WOLFSSL_EVP_PKEY_TYPE_DEFINED
#endif
typedef struct WOLFSSL_MD4_CTX {
int buffer[32]; /* big enough to hold, check size in Init */
@ -148,11 +161,22 @@ typedef struct WOLFSSL_COMP_METHOD {
int type; /* stunnel dereference */
} WOLFSSL_COMP_METHOD;
struct WOLFSSL_X509_LOOKUP_METHOD {
int type;
};
typedef struct WOLFSSL_X509_STORE {
int cache; /* stunnel dereference */
struct WOLFSSL_X509_LOOKUP {
WOLFSSL_X509_STORE *store;
};
struct WOLFSSL_X509_STORE {
int cache; /* stunnel dereference */
WOLFSSL_CERT_MANAGER* cm;
} WOLFSSL_X509_STORE;
WOLFSSL_X509_LOOKUP lookup;
#ifdef OPENSSL_EXTRA
int isDynamic;
#endif
};
typedef struct WOLFSSL_ALERT {
int code;
@ -196,6 +220,7 @@ typedef struct WOLFSSL_X509_STORE_CTX {
WOLFSSL_BUFFER_INFO* certs; /* peer certs */
} WOLFSSL_X509_STORE_CTX;
typedef char* WOLFSSL_STRING;
/* Valid Alert types from page 16/17 */
enum AlertDescription {
@ -347,6 +372,9 @@ WOLFSSL_API int wolfSSL_set_read_fd (WOLFSSL*, int);
WOLFSSL_API char* wolfSSL_get_cipher_list(int priority);
WOLFSSL_API int wolfSSL_get_ciphers(char*, int);
WOLFSSL_API const char* wolfSSL_get_cipher_name(WOLFSSL* ssl);
WOLFSSL_API const char* wolfSSL_get_shared_ciphers(WOLFSSL* ssl, char* buf,
int len);
WOLFSSL_API const char* wolfSSL_get_curve_name(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_get_fd(const WOLFSSL*);
WOLFSSL_API void wolfSSL_set_using_nonblock(WOLFSSL*, int);
WOLFSSL_API int wolfSSL_get_using_nonblock(WOLFSSL*);
@ -475,7 +503,7 @@ WOLFSSL_API int wolfSSL_is_init_finished(WOLFSSL*);
WOLFSSL_API const char* wolfSSL_get_version(WOLFSSL*);
WOLFSSL_API int wolfSSL_get_current_cipher_suite(WOLFSSL* ssl);
WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_get_current_cipher(WOLFSSL*);
WOLFSSL_API char* wolfSSL_CIPHER_description(WOLFSSL_CIPHER*, char*, int);
WOLFSSL_API char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER*, char*, int);
WOLFSSL_API const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher);
WOLFSSL_API const char* wolfSSL_SESSION_CIPHER_get_name(WOLFSSL_SESSION* session);
WOLFSSL_API const char* wolfSSL_get_cipher(WOLFSSL*);
@ -517,7 +545,7 @@ WOLFSSL_API WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_mem(void);
WOLFSSL_API WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_base64(void);
WOLFSSL_API void wolfSSL_BIO_set_flags(WOLFSSL_BIO*, int);
WOLFSSL_API int wolfSSL_BIO_get_mem_data(WOLFSSL_BIO* bio,const unsigned char** p);
WOLFSSL_API int wolfSSL_BIO_get_mem_data(WOLFSSL_BIO* bio,void* p);
WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_mem_buf(void* buf, int len);
@ -662,6 +690,8 @@ WOLFSSL_API WOLFSSL_BIGNUM *wolfSSL_ASN1_INTEGER_to_BN(const WOLFSSL_ASN1_INTEGE
WOLFSSL_API STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char*);
#endif
WOLFSSL_API STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_SSL_CTX_get_client_CA_list(
const WOLFSSL_CTX *s);
WOLFSSL_API void wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX*,
STACK_OF(WOLFSSL_X509_NAME)*);
WOLFSSL_API void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX*, int);
@ -830,18 +860,25 @@ enum {
X509_LU_X509 = 9,
X509_LU_CRL = 12,
X509_V_OK = 0,
X509_V_ERR_CRL_SIGNATURE_FAILURE = 13,
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 14,
X509_V_ERR_CRL_HAS_EXPIRED = 15,
X509_V_ERR_CERT_REVOKED = 16,
X509_V_ERR_CERT_CHAIN_TOO_LONG = 17,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 18,
X509_V_ERR_CERT_NOT_YET_VALID = 19,
X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 20,
X509_V_ERR_CERT_HAS_EXPIRED = 21,
X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 22,
X509_V_ERR_CERT_REJECTED = 23,
X509_V_OK = 0,
X509_V_ERR_CRL_SIGNATURE_FAILURE = 13,
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 14,
X509_V_ERR_CRL_HAS_EXPIRED = 15,
X509_V_ERR_CERT_REVOKED = 16,
X509_V_ERR_CERT_CHAIN_TOO_LONG = 17,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 18,
X509_V_ERR_CERT_NOT_YET_VALID = 19,
X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 20,
X509_V_ERR_CERT_HAS_EXPIRED = 21,
X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 22,
X509_V_ERR_CERT_REJECTED = 23,
/* Required for Nginx */
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 24,
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 25,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 26,
X509_V_ERR_CERT_UNTRUSTED = 27,
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 28,
X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29,
/* additional X509_V_ERR_* enums not used in wolfSSL */
X509_V_ERR_UNABLE_TO_GET_CRL,
X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE,
@ -851,15 +888,9 @@ enum {
X509_V_ERR_CRL_NOT_YET_VALID,
X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD,
X509_V_ERR_OUT_OF_MEM,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
X509_V_ERR_INVALID_CA,
X509_V_ERR_PATH_LENGTH_EXCEEDED,
X509_V_ERR_INVALID_PURPOSE,
X509_V_ERR_CERT_UNTRUSTED,
X509_V_ERR_SUBJECT_ISSUER_MISMATCH,
X509_V_ERR_AKID_SKID_MISMATCH,
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH,
X509_V_ERR_KEYUSAGE_NO_CERTSIGN,
@ -878,6 +909,7 @@ enum {
XN_FLAG_SPC_EQ = (1 << 23),
XN_FLAG_ONELINE = 0,
XN_FLAG_RFC2253 = 1,
CRYPTO_LOCK = 1,
CRYPTO_NUM_LOCKS = 10,
@ -924,12 +956,14 @@ enum { /* ssl Constants */
SSL_VERIFY_CLIENT_ONCE = 4,
SSL_VERIFY_FAIL_EXCEPT_PSK = 8,
SSL_SESS_CACHE_OFF = 30,
SSL_SESS_CACHE_CLIENT = 31,
SSL_SESS_CACHE_SERVER = 32,
SSL_SESS_CACHE_BOTH = 33,
SSL_SESS_CACHE_NO_AUTO_CLEAR = 34,
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP = 35,
SSL_SESS_CACHE_OFF = 0x0000,
SSL_SESS_CACHE_CLIENT = 0x0001,
SSL_SESS_CACHE_SERVER = 0x0002,
SSL_SESS_CACHE_BOTH = 0x0003,
SSL_SESS_CACHE_NO_AUTO_CLEAR = 0x0008,
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP = 0x0100,
SSL_SESS_CACHE_NO_INTERNAL_STORE = 0x0200,
SSL_SESS_CACHE_NO_INTERNAL = 0x0300,
SSL_ERROR_WANT_READ = 2,
SSL_ERROR_WANT_WRITE = 3,
@ -1037,6 +1071,8 @@ WOLFSSL_API int wolfSSL_want_write(WOLFSSL*);
WOLFSSL_API int wolfSSL_BIO_printf(WOLFSSL_BIO*, const char*, ...);
WOLFSSL_API int wolfSSL_ASN1_UTCTIME_print(WOLFSSL_BIO*,
const WOLFSSL_ASN1_UTCTIME*);
WOLFSSL_API int wolfSSL_ASN1_GENERALIZEDTIME_print(WOLFSSL_BIO*,
const WOLFSSL_ASN1_GENERALIZEDTIME*);
WOLFSSL_API int wolfSSL_sk_num(WOLFSSL_X509_REVOKED*);
WOLFSSL_API void* wolfSSL_sk_value(WOLFSSL_X509_REVOKED*, int);
@ -1690,6 +1726,12 @@ enum {
WOLFSSL_MAX_ALPN_NUMBER = 257
};
#ifdef WOLFSSL_NGINX
typedef int (*CallbackALPNSelect)(WOLFSSL* ssl, const unsigned char** out,
unsigned char* outLen, const unsigned char* in, unsigned int inLen,
void *arg);
#endif
WOLFSSL_API int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list,
unsigned int protocol_name_listSz,
unsigned char options);
@ -1960,7 +2002,7 @@ WOLFSSL_API int wolfSSL_accept_ex(WOLFSSL*, HandShakeCallBack, TimeoutCallBack,
WOLFSSL_API void wolfSSL_cert_service(void);
#endif
#if defined(WOLFSSL_MYSQL_COMPATIBLE)
#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
WOLFSSL_API char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* time,
char* buf, int len);
#endif /* WOLFSSL_MYSQL_COMPATIBLE */
@ -2028,7 +2070,10 @@ struct WOLFSSL_X509_NAME_ENTRY {
int size;
};
#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL)
#if defined(HAVE_LIGHTY) || defined(WOLFSSL_MYSQL_COMPATIBLE) \
|| defined(HAVE_STUNNEL) \
|| defined(WOLFSSL_NGINX) \
|| defined(OPENSSL_EXTRA)
WOLFSSL_API void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name);
WOLFSSL_API char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x);
WOLFSSL_API int wolfSSL_BIO_read_filename(WOLFSSL_BIO *b, const char *name);
@ -2037,6 +2082,7 @@ WOLFSSL_API const char * wolfSSL_OBJ_nid2sn(int n);
WOLFSSL_API int wolfSSL_OBJ_obj2nid(const WOLFSSL_ASN1_OBJECT *o);
WOLFSSL_API int wolfSSL_OBJ_sn2nid(const char *sn);
WOLFSSL_API void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx,int depth);
WOLFSSL_API void wolfSSL_set_verify_depth(WOLFSSL *ssl,int depth);
WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl);
WOLFSSL_API void wolfSSL_set_app_data(WOLFSSL *ssl, void *arg);
WOLFSSL_API WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne);
@ -2070,7 +2116,7 @@ WOLFSSL_API long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx);
#endif /* HAVE_STUNNEL || HAVE_LIGHTY */
#ifdef HAVE_STUNNEL
#if defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)
#include <wolfssl/openssl/crypto.h>
@ -2145,6 +2191,8 @@ WOLFSSL_API VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX*);
WOLFSSL_API void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX *,
CallbackSniRecv);
WOLFSSL_API int wolfSSL_CTX_set_tlsext_servername_callback(WOLFSSL_CTX *,
CallbackSniRecv);
WOLFSSL_API void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX *, void*);
@ -2164,9 +2212,10 @@ WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_get1_certs(WOLFSSL_X509_STORE_CTX*,
WOLFSSL_X509_NAME*);
WOLFSSL_API void wolfSSL_sk_X509_pop_free(STACK_OF(WOLFSSL_X509)* sk, void f (WOLFSSL_X509*));
#endif /* HAVE_STUNNEL */
#endif /* HAVE_STUNNEL || WOLFSSL_NGINX */
#if defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE)
#if defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) \
|| defined(WOLFSSL_NGINX)
WOLFSSL_API int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx);
@ -2194,6 +2243,89 @@ WOLFSSL_API int wolfSSL_CTX_set_msg_callback_arg(WOLFSSL_CTX *ctx, void* arg);
WOLFSSL_API int wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg);
#endif
#ifdef WOLFSSL_NGINX
/* Not an OpenSSL API. */
WOLFSSL_LOCAL int wolfSSL_get_ocsp_response(WOLFSSL* ssl, byte** response);
/* Not an OpenSSL API. */
WOLFSSL_LOCAL char* wolfSSL_get_ocsp_url(WOLFSSL* ssl);
/* Not an OpenSSL API. */
WOLFSSL_API int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url);
WOLFSSL_API void wolfSSL_OPENSSL_config(char *config_name);
WOLFSSL_API int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a,
void *b, void *c);
WOLFSSL_API void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx);
WOLFSSL_API int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx,
void *data);
WOLFSSL_API int wolfSSL_X509_NAME_digest(const WOLFSSL_X509_NAME *data,
const WOLFSSL_EVP_MD *type, unsigned char *md, unsigned int *len);
WOLFSSL_API long wolfSSL_SSL_CTX_get_timeout(const WOLFSSL_CTX *ctx);
WOLFSSL_API int wolfSSL_SSL_CTX_set_tmp_ecdh(WOLFSSL_CTX *ctx,
WOLFSSL_EC_KEY *ecdh);
WOLFSSL_API int wolfSSL_SSL_CTX_remove_session(WOLFSSL_CTX *,
WOLFSSL_SESSION *c);
WOLFSSL_API WOLFSSL_BIO *wolfSSL_SSL_get_rbio(const WOLFSSL *s);
WOLFSSL_API WOLFSSL_BIO *wolfSSL_SSL_get_wbio(const WOLFSSL *s);
WOLFSSL_API int wolfSSL_SSL_do_handshake(WOLFSSL *s);
WOLFSSL_API int wolfSSL_SSL_in_init(WOLFSSL *a); /* #define in OpenSSL */
WOLFSSL_API WOLFSSL_SESSION *wolfSSL_SSL_get0_session(const WOLFSSL *s);
WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk,
size_t chklen, unsigned int flags, char **peername);
WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp,
const WOLFSSL_ASN1_INTEGER *a);
WOLFSSL_API unsigned long wolfSSL_ERR_peek_error_line_data(const char **file,
int *line, const char **data, int *flags);
#ifdef HAVE_SESSION_TICKET
WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, int (*)(
WOLFSSL *ssl, unsigned char *name, unsigned char *iv,
WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc));
#endif
#ifdef HAVE_OCSP
WOLFSSL_API int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx,
STACK_OF(X509)** chain);
WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx,
int(*)(WOLFSSL*, void*));
WOLFSSL_API int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer,
WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_X509 *x);
WOLFSSL_API void wolfSSL_X509_email_free(STACK_OF(WOLFSSL_STRING) *sk);
WOLFSSL_API STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x);
WOLFSSL_API int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer,
WOLFSSL_X509 *subject);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x);
WOLFSSL_API char* wolfSSL_sk_WOLFSSL_STRING_value(
STACK_OF(WOLFSSL_STRING)* strings, int idx);
#endif /* HAVE_OCSP */
WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bio,
WOLFSSL_X509 *cert);
#endif /* WOLFSSL_NGINX */
WOLFSSL_API void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl,
const unsigned char **data, unsigned int *len);
WOLFSSL_API int wolfSSL_select_next_proto(unsigned char **out,
unsigned char *outlen,
const unsigned char *in, unsigned int inlen,
const unsigned char *client,
unsigned int client_len);
WOLFSSL_API void wolfSSL_CTX_set_alpn_select_cb(WOLFSSL_CTX *ctx,
int (*cb) (WOLFSSL *ssl,
const unsigned char **out,
unsigned char *outlen,
const unsigned char *in,
unsigned int inlen,
void *arg), void *arg);
#ifdef __cplusplus
} /* extern "C" */

16
wolfssl/test.h
View File

@ -514,6 +514,12 @@ static INLINE void showPeer(WOLFSSL* ssl)
{
WOLFSSL_CIPHER* cipher;
#ifdef HAVE_ECC
const char *name;
#endif
#ifndef NO_DH
int bits;
#endif
#ifdef KEEP_PEER_CERT
WOLFSSL_X509* peer = wolfSSL_get_peer_certificate(ssl);
if (peer)
@ -535,6 +541,16 @@ static INLINE void showPeer(WOLFSSL* ssl)
#else
printf("SSL cipher suite is %s\n", wolfSSL_CIPHER_get_name(cipher));
#endif
#ifdef HAVE_ECC
if ((name = wolfSSL_get_curve_name(ssl)) != NULL)
printf("SSL curve name is %s\n", name);
#endif
#ifndef NO_DH
if ((bits = wolfSSL_GetDhKey_Sz(ssl)) > 0)
printf("SSL DH size is %d bits\n", bits);
#endif
if (wolfSSL_session_reused(ssl))
printf("SSL reused session\n");
#if defined(SESSION_CERTS) && defined(SHOW_CERTS)
{

17
wolfssl/wolfcrypt/asn.h
View File

@ -188,7 +188,7 @@ enum Misc_ASN {
MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ,
#endif
OCSP_NONCE_EXT_SZ = 37, /* OCSP Nonce Extension size */
OCSP_NONCE_EXT_SZ = 35, /* OCSP Nonce Extension size */
MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */
MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */
EIGHTK_BUF = 8192, /* Tmp buffer size */
@ -196,7 +196,10 @@ enum Misc_ASN {
/* use bigger NTRU size */
HEADER_ENCRYPTED_KEY_SIZE = 88,/* Extra header size for encrypted key */
TRAILING_ZERO = 1, /* Used for size of zero pad */
MIN_VERSION_SZ = 3 /* Min bytes needed for GetMyVersion */
MIN_VERSION_SZ = 3, /* Min bytes needed for GetMyVersion */
#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
MAX_TIME_STRING_SZ = 21, /* Max length of formatted time string */
#endif
};
@ -681,7 +684,7 @@ WOLFSSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*,int);
WOLFSSL_LOCAL int DecryptContent(byte* input, word32 sz,const char* psw,int pswSz);
typedef struct tm wolfssl_tm;
#if defined(WOLFSSL_MYSQL_COMPATIBLE)
#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len);
#endif
WOLFSSL_LOCAL int ExtractDate(const unsigned char* date, unsigned char format,
@ -807,6 +810,10 @@ struct CertStatus {
byte nextDate[MAX_DATE_SIZE];
byte thisDateFormat;
byte nextDateFormat;
#ifdef WOLFSSL_NGINX
byte* thisDateAsn;
byte* nextDateAsn;
#endif
byte* rawOcspResponse;
word32 rawOcspResponseSz;
@ -853,6 +860,10 @@ struct OcspRequest {
byte nonce[MAX_OCSP_NONCE_SZ];
int nonceSz;
void* heap;
#ifdef WOLFSSL_NGINX
void* ssl;
#endif
};

3
wolfssl/wolfcrypt/asn_public.h
View File

@ -240,7 +240,8 @@ WOLFSSL_API int wc_SetKeyUsage(Cert *cert, const char *value);
#endif /* WOLFSSL_PEMPUBKEY_TODER_DEFINED */
#endif /* WOLFSSL_CERT_EXT || WOLFSSL_PUB_PEM_TO_DER */
#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || !defined(NO_DSA)
#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) || !defined(NO_DSA) \
|| defined(OPENSSL_EXTRA)
WOLFSSL_API int wc_DerToPem(const byte* der, word32 derSz, byte* output,
word32 outputSz, int type);
WOLFSSL_API int wc_DerToPemEx(const byte* der, word32 derSz, byte* output,

2
wolfssl/wolfcrypt/ecc.h
View File

@ -286,6 +286,8 @@ typedef struct ecc_key {
/* ECC predefined curve sets */
extern const ecc_set_type ecc_sets[];
WOLFSSL_API
const char* wc_ecc_get_name(int curve_id);
WOLFSSL_API
int wc_ecc_make_key(WC_RNG* rng, int keysize, ecc_key* key);

21
wolfssl/wolfcrypt/settings.h
View File

@ -1495,6 +1495,27 @@ static char *fgets(char *buff, int sz, FILE *fp)
#undef HAVE_GMTIME_R /* don't trust macro with windows */
#endif /* WOLFSSL_MYSQL_COMPATIBLE */
#ifdef WOLFSSL_NGINX
#define SSL_OP_NO_COMPRESSION SSL_OP_NO_COMPRESSION
#define OPENSSL_NO_ENGINE
#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT
#ifndef OPENSSL_EXTRA
#define OPENSSL_EXTRA
#endif
#ifndef HAVE_SESSION_TICKET
#define HAVE_SESSION_TICKET
#endif
#ifndef HAVE_OCSP
#define HAVE_OCSP
#endif
#ifndef KEEP_OUR_CERT
#define KEEP_OUR_CERT
#endif
#ifndef HAVE_SNI
#define HAVE_SNI
#endif
#define SSL_CTRL_SET_TLSEXT_HOSTNAME
#endif
#ifdef __cplusplus
} /* extern "C" */

2
wolfssl/wolfcrypt/types.h
View File

@ -242,7 +242,7 @@
#define XSTRNCASECMP(s1,s2,n) _strnicmp((s1),(s2),(n))
#endif
#if defined(WOLFSSL_MYSQL_COMPATIBLE)
#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
#ifndef USE_WINDOWS_API
#define XSNPRINTF snprintf
#else