diff --git a/.codespellexcludelines b/.codespellexcludelines new file mode 100644 index 0000000000..f55aca32cc --- /dev/null +++ b/.codespellexcludelines @@ -0,0 +1,18 @@ +############################################################################### +# In this file, you should add the line of the file that needs to be ignored. +# The line should be exactly as it appears in the file. +############################################################################### + 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, /* .Enginee */ + 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, /* fo@wolfs */ + 0x0a, 0x8b, 0x98, 0xf3, 0xe3, 0xff, 0x4e, 0x44, /* ......ND */ +ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd\n\ +static const byte plaintext[] = "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras lacus odio, pretium vel sagittis ac, facilisis quis diam. Vivamus condimentum velit sed dolor consequat interdum. Etiam eleifend ornare felis, eleifend egestas odio vulputate eu. Sed nec orci nunc. Etiam quis mi augue. Donec ullamcorper suscipit lorem, vel luctus augue cursus fermentum. Etiam a porta arcu, in convallis sem. Integer efficitur elementum diam, vel scelerisque felis posuere placerat. Donec vestibulum sit amet leo sit amet tincidunt. Etiam et vehicula turpis. Phasellus quis finibus sapien. Sed et tristique turpis. Nullam vitae sagittis tortor, et aliquet lorem. Cras a leo scelerisque, convallis lacus ut, fermentum urna. Mauris quis urna diam. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Nam aliquam vehicula orci id pulvinar. Proin mollis, libero sollicitudin tempor ultrices, massa augue tincidunt turpis, sit amet aliquam neque nibh nec dui. Fusce finibus massa quis rutrum suscipit cras amet"; +rsource "Kconfig.tls-generic" + /* Loop over authenticated associated data AD1..ADn */ + /* no easy answer [c'est la vie]. Just division */ + const uint8_t* hashIn, int hashSz) + XMEMCPY(hash + (curveSz - hashSz), hashIn, hashSz); + 0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f, 0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69, /* creen would be i */ +\pagenumbering{alph} + DES3_KEY_SIZE = 24, /* 3 des ede */ +/* functions added to support above needed, removed TOOM and KARATSUBA */ diff --git a/.github/workflows/async.yml b/.github/workflows/async.yml index 07a2b5088c..3ad8e86860 100644 --- a/.github/workflows/async.yml +++ b/.github/workflows/async.yml @@ -24,7 +24,7 @@ jobs: ] name: make check if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 6 steps: diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml new file mode 100644 index 0000000000..328b1ffe62 --- /dev/null +++ b/.github/workflows/codespell.yml @@ -0,0 +1,30 @@ +name: Codespell test + +on: + push: + branches: [ 'master', 'main', 'release/**' ] + pull_request: + branches: [ '*' ] + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true +# END OF COMMON SECTION + +jobs: + codespell: + if: github.repository_owner == 'wolfssl' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: codespell-project/actions-codespell@v2.1 + with: + check_filenames: true + check_hidden: true + # Add comma separated list of words that occur multiple times that should be ignored (sorted alphabetically, case sensitive) + ignore_words_list: adin,aNULL,carryIn,chainG,ciph,cLen,cliKs,dout,haveA,inCreated,inOut,inout,larg,LEAPYEAR,Merget,optionA,parm,parms,repid,rIn,userA,ser,siz,te,Te + # The exclude_file contains lines of code that should be ignored. This is useful for individual lines which have non-words that can safely be ignored. + exclude_file: '.codespellexcludelines' + # To skip files entirely from being processed, add it to the following list: + skip: '*.cproject,*.der,*.mtpj,*.pem,*.vcxproj,.git,*.launch,*.scfg' diff --git a/.github/workflows/coverity-scan-fixes.yml b/.github/workflows/coverity-scan-fixes.yml index 5034e884f4..6d63f3bf11 100644 --- a/.github/workflows/coverity-scan-fixes.yml +++ b/.github/workflows/coverity-scan-fixes.yml @@ -1,24 +1,39 @@ -name: Coverity Scan master branch on a daily basis +name: Coverity Scan master branch on: workflow_dispatch: schedule: - - cron: "0 0 * * *" + - cron: '0 0 * * 1-5' + - cron: '0 0 * * 0' + - cron: '0 12 * * 0' jobs: coverity: if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: ref: master - - name: Configure wolfSSL + - name: Configure wolfSSL with enable-all M-F + if: github.event.schedule == '0 0 * * 1-5' run: | ./autogen.sh ./configure --enable-all + - name: Configure wolfSSL with enable-all enable-smallstack Sun at 00:00 + if: github.event.schedule == '0 0 * * 0' + run: | + ./autogen.sh + ./configure --enable-all --enable-smallstack + + - name: Configure wolfSSL with bigendian Sun at 12:00 + if: github.event.schedule == '0 12 * * 0' + run: | + ./autogen.sh + ./configure --enable-all CFLAGS="-DBIG_ENDIAN_ORDER" + - name: Check secrets env: token_var: ${{ secrets.COVERITY_SCAN_TOKEN }} diff --git a/.github/workflows/curl.yml b/.github/workflows/curl.yml index 43ae746057..b6fe4cc2d3 100644 --- a/.github/workflows/curl.yml +++ b/.github/workflows/curl.yml @@ -16,7 +16,7 @@ jobs: build_wolfssl: name: Build wolfSSL if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -40,7 +40,7 @@ jobs: test_curl: name: ${{ matrix.curl_ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 15 needs: build_wolfssl @@ -52,8 +52,7 @@ jobs: - name: Install test dependencies run: | sudo apt-get update - sudo apt-get install nghttp2 libpsl5 libpsl-dev - sudo pip install impacket + sudo apt-get install nghttp2 libpsl5 libpsl-dev python3-impacket - name: Download lib uses: actions/download-artifact@v4 diff --git a/.github/workflows/cyrus-sasl.yml b/.github/workflows/cyrus-sasl.yml index 910c871224..790d8886a7 100644 --- a/.github/workflows/cyrus-sasl.yml +++ b/.github/workflows/cyrus-sasl.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -48,7 +48,7 @@ jobs: ref: [ 2.1.28 ] name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 needs: build_wolfssl diff --git a/.github/workflows/disabled/haproxy.yml b/.github/workflows/disabled/haproxy.yml index c7a927a947..0a92dac0c8 100644 --- a/.github/workflows/disabled/haproxy.yml +++ b/.github/workflows/disabled/haproxy.yml @@ -21,7 +21,7 @@ jobs: ref: [ master ] name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest steps: - name: Build wolfSSL uses: wolfSSL/actions-build-autotools-project@v1 diff --git a/.github/workflows/docker-Espressif.yml b/.github/workflows/docker-Espressif.yml index 70f1dea276..699981f350 100644 --- a/.github/workflows/docker-Espressif.yml +++ b/.github/workflows/docker-Espressif.yml @@ -15,7 +15,7 @@ jobs: espressif_latest: name: latest Docker container if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 12 container: @@ -27,7 +27,7 @@ jobs: espressif_v4_4: name: v4.4 Docker container if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest container: image: espressif/idf:release-v4.4 steps: @@ -37,7 +37,7 @@ jobs: espressif_v5_0: name: v5.0 Docker container if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest container: image: espressif/idf:release-v5.0 steps: diff --git a/.github/workflows/docker-OpenWrt.yml b/.github/workflows/docker-OpenWrt.yml index 05890ffaed..0a3768d613 100644 --- a/.github/workflows/docker-OpenWrt.yml +++ b/.github/workflows/docker-OpenWrt.yml @@ -18,7 +18,7 @@ jobs: build_library: name: Compile libwolfssl.so if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 container: @@ -42,7 +42,7 @@ jobs: compile_container: name: Compile container if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 2 needs: build_library diff --git a/.github/workflows/grpc.yml b/.github/workflows/grpc.yml index 2804756eb6..e8d549b7a4 100644 --- a/.github/workflows/grpc.yml +++ b/.github/workflows/grpc.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 steps: @@ -52,7 +52,7 @@ jobs: h2_ssl_cert_test h2_ssl_session_reuse_test name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 30 needs: build_wolfssl diff --git a/.github/workflows/hitch.yml b/.github/workflows/hitch.yml index 54eee9c6fc..5f0b58986b 100644 --- a/.github/workflows/hitch.yml +++ b/.github/workflows/hitch.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -49,7 +49,7 @@ jobs: test13-r82.sh test15-proxy-v2-npn.sh test39-client-cert-proxy.sh name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 needs: build_wolfssl diff --git a/.github/workflows/hostap-vm.yml b/.github/workflows/hostap-vm.yml index 80075d0303..4c52175d46 100644 --- a/.github/workflows/hostap-vm.yml +++ b/.github/workflows/hostap-vm.yml @@ -28,7 +28,7 @@ jobs: --enable-tlsv10 --enable-oldtls name: Build wolfSSL if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 steps: @@ -66,7 +66,7 @@ jobs: build_uml_linux: name: Build UML (UserMode Linux) if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 steps: @@ -143,7 +143,7 @@ jobs: name: hwsim test # For openssl 1.1 if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 45 needs: [build_wolfssl, build_uml_linux] @@ -196,8 +196,7 @@ jobs: # hostap dependencies sudo apt-get install -y libpcap0.8 libpcap-dev curl libcurl4-openssl-dev \ libnl-3-dev binutils-dev libssl-dev libiberty-dev libnl-genl-3-dev \ - libnl-route-3-dev libdbus-1-dev bridge-utils tshark - sudo pip3 install pycryptodome + libnl-route-3-dev libdbus-1-dev bridge-utils tshark python3-pycryptodome - name: Checkout hostap uses: actions/checkout@v4 diff --git a/.github/workflows/ipmitool.yml b/.github/workflows/ipmitool.yml index 3fcc04428d..1dc2c18e58 100644 --- a/.github/workflows/ipmitool.yml +++ b/.github/workflows/ipmitool.yml @@ -17,7 +17,7 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest if: github.repository_owner == 'wolfssl' # This should be a safe limit for the tests to run. timeout-minutes: 4 @@ -48,9 +48,11 @@ jobs: git_ref: [ c3939dac2c060651361fc71516806f9ab8c38901 ] name: ${{ matrix.git_ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest needs: build_wolfssl steps: + - name: Install dependencies + run: export DEBIAN_FRONTEND=noninteractive && sudo apt-get update && sudo apt-get install -y libreadline8 - name: Download lib uses: actions/download-artifact@v4 with: diff --git a/.github/workflows/jwt-cpp.yml b/.github/workflows/jwt-cpp.yml index fa7bc9c1cb..3b8348ad77 100644 --- a/.github/workflows/jwt-cpp.yml +++ b/.github/workflows/jwt-cpp.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL # Just to keep it the same as the testing target if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -41,13 +41,17 @@ jobs: retention-days: 5 build_pam-ipmi: + if: github.repository_owner == 'wolfssl' strategy: fail-fast: false matrix: - ref: [ 0.6.0 ] - name: ${{ matrix.ref }} - if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + config: + - ref: 0.7.0 + runner: ubuntu-latest + - ref: 0.6.0 + runner: ubuntu-22.04 + name: ${{ matrix.config.ref }} + runs-on: ${{ matrix.config.runner }} needs: build_wolfssl steps: - name: Install dependencies @@ -76,12 +80,12 @@ jobs: with: repository: Thalhammer/jwt-cpp path: jwt-cpp - ref: v${{ matrix.ref }} + ref: v${{ matrix.config.ref }} - name: Build pam-ipmi working-directory: jwt-cpp run: | - patch -p1 < ../osp/jwt-cpp/${{ matrix.ref }}.patch + patch -p1 < ../osp/jwt-cpp/${{ matrix.config.ref }}.patch PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \ cmake -B build -DJWT_SSL_LIBRARY:STRING=wolfSSL -DJWT_BUILD_TESTS=ON . make -j -C build diff --git a/.github/workflows/krb5.yml b/.github/workflows/krb5.yml index af6f9e7953..2b69761d2d 100644 --- a/.github/workflows/krb5.yml +++ b/.github/workflows/krb5.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL # Just to keep it the same as the testing target if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 5 steps: @@ -50,7 +50,7 @@ jobs: ref: [ 1.21.1 ] name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 8 needs: build_wolfssl diff --git a/.github/workflows/libssh2.yml b/.github/workflows/libssh2.yml index 1658cbbbb8..121595954f 100644 --- a/.github/workflows/libssh2.yml +++ b/.github/workflows/libssh2.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL # Just to keep it the same as the testing target if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -47,7 +47,7 @@ jobs: ref: [ 1.11.0 ] name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 8 needs: build_wolfssl diff --git a/.github/workflows/libvncserver.yml b/.github/workflows/libvncserver.yml index 371ba2a56b..942b7aa3ff 100644 --- a/.github/workflows/libvncserver.yml +++ b/.github/workflows/libvncserver.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL # Just to keep it the same as the testing target if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -47,7 +47,7 @@ jobs: ref: [ 0.9.13 ] name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest needs: build_wolfssl steps: - name: Download lib diff --git a/.github/workflows/memcached.yml b/.github/workflows/memcached.yml index bdd0c0593e..a111e30027 100644 --- a/.github/workflows/memcached.yml +++ b/.github/workflows/memcached.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL # Just to keep it the same as the testing target if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest steps: - name: Build wolfSSL uses: wolfSSL/actions-build-autotools-project@v1 @@ -48,7 +48,7 @@ jobs: - ref: 1.6.22 name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest needs: build_wolfssl steps: - name: Download lib diff --git a/.github/workflows/mosquitto.yml b/.github/workflows/mosquitto.yml index e95169e1a0..6d9961cc9e 100644 --- a/.github/workflows/mosquitto.yml +++ b/.github/workflows/mosquitto.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL # Just to keep it the same as the testing target if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -45,7 +45,7 @@ jobs: ref: [ 2.0.18 ] name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 needs: build_wolfssl @@ -68,8 +68,7 @@ jobs: run: | export DEBIAN_FRONTEND=noninteractive sudo apt-get update - sudo apt-get install -y build-essential libev-dev libssl-dev automake python3-docutils libcunit1 libcunit1-doc libcunit1-dev pkg-config make - sudo pip install --upgrade psutil + sudo apt-get install -y build-essential libev-dev libssl-dev automake python3-docutils libcunit1 libcunit1-doc libcunit1-dev pkg-config make python3-psutil - name: Checkout mosquitto uses: actions/checkout@v4 diff --git a/.github/workflows/multi-arch.yml b/.github/workflows/multi-arch.yml index 729048a6cf..33ea970ae5 100644 --- a/.github/workflows/multi-arch.yml +++ b/.github/workflows/multi-arch.yml @@ -37,7 +37,7 @@ jobs: ARCH: armel EXTRA_OPTS: --enable-sp-asm if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 steps: diff --git a/.github/workflows/multi-compiler.yml b/.github/workflows/multi-compiler.yml index d2ede71aaa..0606833025 100644 --- a/.github/workflows/multi-compiler.yml +++ b/.github/workflows/multi-compiler.yml @@ -21,16 +21,16 @@ jobs: include: - CC: gcc-9 CXX: g++-9 - OS: ubuntu-22.04 + OS: ubuntu-latest - CC: gcc-10 CXX: g++-10 - OS: ubuntu-22.04 + OS: ubuntu-latest - CC: gcc-11 CXX: g++-11 - OS: ubuntu-22.04 + OS: ubuntu-latest - CC: gcc-12 CXX: g++-12 - OS: ubuntu-22.04 + OS: ubuntu-latest - CC: clang-10 CXX: clang++-10 OS: ubuntu-20.04 @@ -42,15 +42,17 @@ jobs: OS: ubuntu-20.04 - CC: clang-13 CXX: clang++-13 - OS: ubuntu-22.04 + OS: ubuntu-latest - CC: clang-14 CXX: clang++-14 - OS: ubuntu-22.04 + OS: ubuntu-latest if: github.repository_owner == 'wolfssl' runs-on: ${{ matrix.OS }} # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: + - name: Install dependencies + run: export DEBIAN_FRONTEND=noninteractive && sudo apt-get update && sudo apt-get install -y ${{ matrix.CC }} - uses: actions/checkout@v4 - name: Build env: diff --git a/.github/workflows/net-snmp.yml b/.github/workflows/net-snmp.yml index 7ce030b80c..0275e0f12c 100644 --- a/.github/workflows/net-snmp.yml +++ b/.github/workflows/net-snmp.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -48,7 +48,7 @@ jobs: test_opts: -e 'agentxperl' name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 needs: build_wolfssl diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 868a02abaf..e6729f11ea 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -107,7 +107,7 @@ jobs: stream_proxy_ssl_verify.t name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 6 needs: build_wolfssl diff --git a/.github/workflows/no-malloc.yml b/.github/workflows/no-malloc.yml index 25c9c82887..a5888caa47 100644 --- a/.github/workflows/no-malloc.yml +++ b/.github/workflows/no-malloc.yml @@ -22,7 +22,7 @@ jobs: ] name: make check if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 6 steps: diff --git a/.github/workflows/ntp.yml b/.github/workflows/ntp.yml index 56e405f089..89f330f9a9 100644 --- a/.github/workflows/ntp.yml +++ b/.github/workflows/ntp.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -47,7 +47,7 @@ jobs: ref: [ 4.2.8p15 ] name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 needs: build_wolfssl diff --git a/.github/workflows/ocsp.yml b/.github/workflows/ocsp.yml index b7c8f8ef5f..fab41650ab 100644 --- a/.github/workflows/ocsp.yml +++ b/.github/workflows/ocsp.yml @@ -16,7 +16,7 @@ jobs: ocsp_stapling: name: ocsp stapling if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest timeout-minutes: 10 steps: - name: Checkout wolfSSL diff --git a/.github/workflows/openldap.yml b/.github/workflows/openldap.yml index e20743118e..950435b5cc 100644 --- a/.github/workflows/openldap.yml +++ b/.github/workflows/openldap.yml @@ -16,7 +16,7 @@ jobs: build_wolfssl: name: Build wolfSSL # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -47,7 +47,7 @@ jobs: - osp_ref: 2.5.13 git_ref: OPENLDAP_REL_ENG_2_5_13 name: ${{ matrix.osp_ref }} - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 20 needs: build_wolfssl diff --git a/.github/workflows/openssh.yml b/.github/workflows/openssh.yml index 83b122773c..586d21edfa 100644 --- a/.github/workflows/openssh.yml +++ b/.github/workflows/openssh.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -49,7 +49,7 @@ jobs: osp_ver: '9.6' name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest needs: build_wolfssl steps: - name: Download lib diff --git a/.github/workflows/openvpn.yml b/.github/workflows/openvpn.yml index 9746301451..b9ae65114e 100644 --- a/.github/workflows/openvpn.yml +++ b/.github/workflows/openvpn.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -46,7 +46,7 @@ jobs: ref: [ release/2.6, master ] name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 needs: build_wolfssl diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml index 223ac8c300..d4c1a8bc22 100644 --- a/.github/workflows/os-check.yml +++ b/.github/workflows/os-check.yml @@ -17,7 +17,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ ubuntu-22.04, macos-latest ] + os: [ ubuntu-latest, macos-latest ] config: [ # Add new configs here '', @@ -57,7 +57,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ ubuntu-22.04, macos-latest ] + os: [ ubuntu-latest, macos-latest ] user-settings: [ # Add new user_settings.h here 'examples/configs/user_settings_all.h', @@ -79,7 +79,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ ubuntu-22.04, macos-latest ] + os: [ ubuntu-latest, macos-latest ] user-settings: [ # Add new user_settings.h here 'examples/configs/user_settings_min_ecc.h', @@ -109,7 +109,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ ubuntu-22.04, macos-latest ] + os: [ ubuntu-latest, macos-latest ] name: make user_setting.h (with sed) if: github.repository_owner == 'wolfssl' runs-on: ${{ matrix.os }} diff --git a/.github/workflows/packaging.yml b/.github/workflows/packaging.yml index e498e33af9..83eff907a7 100644 --- a/.github/workflows/packaging.yml +++ b/.github/workflows/packaging.yml @@ -16,7 +16,7 @@ jobs: build_wolfssl: name: Package wolfSSL if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 10 steps: diff --git a/.github/workflows/pam-ipmi.yml b/.github/workflows/pam-ipmi.yml index 9a22aac8cc..ec254d6f3d 100644 --- a/.github/workflows/pam-ipmi.yml +++ b/.github/workflows/pam-ipmi.yml @@ -18,7 +18,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -48,7 +48,7 @@ jobs: git_ref: [ e4b13e6725abb178f62ee897fe1c0e81b06a9431 ] name: ${{ matrix.git_ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest needs: build_wolfssl steps: - name: Install dependencies @@ -56,8 +56,7 @@ jobs: # Don't prompt for anything export DEBIAN_FRONTEND=noninteractive sudo apt-get update - sudo apt-get install libpam-dev ninja-build - sudo pip3 install meson + sudo apt-get install libpam-dev ninja-build meson - name: Download lib uses: actions/download-artifact@v4 diff --git a/.github/workflows/rng-tools.yml b/.github/workflows/rng-tools.yml index 44d3a20e20..859c6e6bdd 100644 --- a/.github/workflows/rng-tools.yml +++ b/.github/workflows/rng-tools.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -47,7 +47,7 @@ jobs: ref: [ 6.16 ] name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 needs: build_wolfssl diff --git a/.github/workflows/socat.yml b/.github/workflows/socat.yml index ba7bba3715..fe3da235b5 100644 --- a/.github/workflows/socat.yml +++ b/.github/workflows/socat.yml @@ -16,7 +16,7 @@ jobs: build_wolfssl: name: Build wolfSSL if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest timeout-minutes: 4 steps: - name: Build wolfSSL @@ -39,7 +39,7 @@ jobs: socat_check: if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 30 needs: build_wolfssl @@ -70,7 +70,7 @@ jobs: run: | patch -p1 < ../osp/socat/1.8.0.0/socat-1.8.0.0.patch autoreconf -vfi - ./configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir + ./configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --enable-default-ipv=4 make - name: Run socat tests @@ -78,4 +78,4 @@ jobs: run: | export LD_LIBRARY_PATH=$GITHUB_WORKSPACE/build-dir/lib:$LD_LIBRARY_PATH export SHELL=/bin/bash - SOCAT=$GITHUB_WORKSPACE/socat-1.8.0.0/socat ./test.sh -t 0.5 --expect-fail 146,216,309,310,386,399,402,459,460,467,468,478,492,528,530 + SOCAT=$GITHUB_WORKSPACE/socat-1.8.0.0/socat ./test.sh -t 0.5 --expect-fail 36,64,146,214,216,217,309,310,386,399,402,403,459,460,467,468,478,492,528,530 diff --git a/.github/workflows/sssd.yml b/.github/workflows/sssd.yml index 22f3c315e1..7ab859133a 100644 --- a/.github/workflows/sssd.yml +++ b/.github/workflows/sssd.yml @@ -14,9 +14,10 @@ concurrency: jobs: build_wolfssl: + if: github.repository_owner == 'wolfssl' name: Build wolfSSL # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -39,13 +40,14 @@ jobs: retention-days: 5 sssd_check: + if: github.repository_owner == 'wolfssl' strategy: fail-fast: false matrix: # List of releases to test ref: [ 2.9.1 ] name: ${{ matrix.ref }} - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest container: image: quay.io/sssd/ci-client-devel:ubuntu-latest env: diff --git a/.github/workflows/stunnel.yml b/.github/workflows/stunnel.yml index 701a4e51b0..0bef67a8f6 100644 --- a/.github/workflows/stunnel.yml +++ b/.github/workflows/stunnel.yml @@ -17,7 +17,7 @@ jobs: name: Build wolfSSL if: github.repository_owner == 'wolfssl' # Just to keep it the same as the testing target - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 steps: @@ -46,7 +46,7 @@ jobs: ref: [ 5.67 ] name: ${{ matrix.ref }} if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 4 needs: build_wolfssl diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml index 68a488ebad..0582154c8f 100644 --- a/.github/workflows/zephyr.yml +++ b/.github/workflows/zephyr.yml @@ -26,7 +26,7 @@ jobs: - zephyr-ref: v2.7.4 zephyr-sdk: 0.16.3 if: github.repository_owner == 'wolfssl' - runs-on: ubuntu-22.04 + runs-on: ubuntu-latest # This should be a safe limit for the tests to run. timeout-minutes: 25 steps: @@ -46,7 +46,7 @@ jobs: libglib2.0-dev libgtk2.0-0 liblocale-gettext-perl libncurses5-dev libpcap-dev \ libpopt0 libsdl1.2-dev libsdl2-dev libssl-dev libtool libtool-bin locales make \ net-tools ninja-build openssh-client parallel pkg-config python3-dev python3-pip \ - python3-ply python3-setuptools python-is-python3 qemu rsync socat srecord sudo \ + python3-ply python3-setuptools python-is-python3 qemu-kvm rsync socat srecord sudo \ texinfo unzip wget ovmf xz-utils - name: Install west diff --git a/.gitignore b/.gitignore index 9986ac406e..060dd4800e 100644 --- a/.gitignore +++ b/.gitignore @@ -461,7 +461,9 @@ wrapper/Ada/obj/ /**/.vscode/ipch /**/sdkconfig.esp32dev - +# Autogenerated debug trace headers +wolfssl/debug-trace-error-codes.h +wolfssl/debug-untrace-error-codes.h ## My excludes (includes dupes, see above) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras new file mode 100644 index 0000000000..e691433d8f --- /dev/null +++ b/.wolfssl_known_macro_extras @@ -0,0 +1,982 @@ +AES_GCM_GMULT_NCT +AFX_RESOURCE_DLL +AFX_TARG_ENU +ALLOW_BINARY_MISMATCH_INTROSPECTION +ALLOW_V1_EXTENSIONS +ANDROID +APP_ESP_HTTP_CLIENT +APP_ESP_HTTP_CLIENT_EXAMPLE +APSTUDIO_INVOKED +ARCH_sim +ARDUINO +ARDUINO_ARCH_RP2040 +ARDUINO_SAMD_NANO_33_IOT +ARDUINO_SAM_DUE +ASN_DUMP_OID +ASN_TEMPLATE_SKIP_ISCA_CHECK +ATCAPRINTF +ATCA_ENABLE_DEPRECATED +AVR +BASE64_NO_TABLE +BLAKE2B_SELFTEST +BLAKE2S_SELFTEST +BLOCKING +BSP_DEFAULT_IO_CHANNEL_DEFINED +BSP_LED_0 +BSP_LED_1 +BSP_SDCARD_ESDHC_CHANNEL +BSP_SDCARD_SDHC_CHANNEL +BSP_SDCARD_SPI_CHANNEL +CAAM_OUT_INVALIDATE +CIOCASYMFEAT +CIOCGSESSINFO +CMSIS_OS2_H_ +COMPONENT_WOLFSSL +CONFIG_ARCH_CHIP_STM32F746ZG +CONFIG_ARCH_CHIP_STM32H743ZI +CONFIG_ARCH_CHIP_STM32L552ZE +CONFIG_ARCH_POSIX +CONFIG_ARM +CONFIG_ARM64 +CONFIG_BOARD_NATIVE_POSIX +CONFIG_COMPILER_OPTIMIZATION_DEFAULT +CONFIG_COMPILER_OPTIMIZATION_NONE +CONFIG_COMPILER_OPTIMIZATION_PERF +CONFIG_COMPILER_OPTIMIZATION_SIZE +CONFIG_CRYPTO_FIPS +CONFIG_CRYPTO_MANAGER +CONFIG_CSPRNG_ENABLED +CONFIG_ESP32C2_DEFAULT_CPU_FREQ_MHZ +CONFIG_ESP32C3_DEFAULT_CPU_FREQ_MHZ +CONFIG_ESP32H2_DEFAULT_CPU_FREQ_MHZ +CONFIG_ESP32S2_DEFAULT_CPU_FREQ_MHZ +CONFIG_ESP32S3_DEFAULT_CPU_FREQ_MHZ +CONFIG_ESP32_DEFAULT_CPU_FREQ_MHZ +CONFIG_ESP8266_XTAL_FREQ_26 +CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_160 +CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240 +CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_80 +CONFIG_ESP_ENABLE_WOLFSSH +CONFIG_ESP_MAIN_TASK_STACK_SIZE +CONFIG_ESP_TLS_USING_WOLFSSL +CONFIG_ESP_WIFI_PASSWORD +CONFIG_ESP_WIFI_SSID +CONFIG_ESP_WOLFSSL_ENABLE_KYBER +CONFIG_ESP_WOLFSSL_ENABLE_WOLFSSH +CONFIG_ESP_WOLFSSL_NO_ESP32_CRYPT +CONFIG_ESP_WOLFSSL_NO_HW_AES +CONFIG_ESP_WOLFSSL_NO_HW_HASH +CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI +CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_EXPTMOD +CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_MP_MUL +CONFIG_ESP_WOLFSSL_NO_HW_RSA_PRI_MULMOD +CONFIG_FREERTOS_HZ +CONFIG_FREERTOS_UNICORE +CONFIG_IDF_TARGET +CONFIG_IDF_TARGET_ARCH_RISCV +CONFIG_IDF_TARGET_ARCH_XTENSA +CONFIG_IDF_TARGET_ESP32 +CONFIG_IDF_TARGET_ESP32C2 +CONFIG_IDF_TARGET_ESP32C3 +CONFIG_IDF_TARGET_ESP32C6 +CONFIG_IDF_TARGET_ESP32H2 +CONFIG_IDF_TARGET_ESP32S2 +CONFIG_IDF_TARGET_ESP32S3 +CONFIG_IDF_TARGET_ESP8266 +CONFIG_IDF_TARGET_ESP8684 +CONFIG_MAIN_TASK_STACK_SIZE +CONFIG_MBEDTLS_CERTIFICATE_BUNDLE +CONFIG_MBEDTLS_PSA_CRYPTO_C +CONFIG_MIPS +CONFIG_MODULE_SIG +CONFIG_NET_SOCKETS_SOCKOPT_TLS +CONFIG_NEWLIB_LIBC +CONFIG_NEWLIB_NANO_FORMAT +CONFIG_PICOLIBC +CONFIG_POSIX_API +CONFIG_POSIX_THREADS +CONFIG_PREEMPT_COUNT +CONFIG_PTHREAD_IPC +CONFIG_SMP +CONFIG_SNTP_TIME_SYNC_METHOD_SMOOTH +CONFIG_TIMER_TASK_STACK_DEPTH +CONFIG_TIMER_TASK_STACK_SIZE +CONFIG_TLS_STACK_WOLFSSL +CONFIG_USE_WOLFSSL_ESP_SDK_TIME +CONFIG_USE_WOLFSSL_ESP_SDK_WIFI +CONFIG_WOLFCRYPT_ARMASM +CONFIG_WOLFCRYPT_FIPS +CONFIG_WOLFCRYPT_INTELASM +CONFIG_WOLFSSL +CONFIG_WOLFSSL_ALLOW_TLS13 +CONFIG_WOLFSSL_ALPN +CONFIG_WOLFSSL_ALT_CERT_CHAINS +CONFIG_WOLFSSL_APPLE_HOMEKIT +CONFIG_WOLFSSL_ASN_ALLOW_0_SERIAL +CONFIG_WOLFSSL_CERTIFICATE_BUNDLE +CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE +CONFIG_WOLFSSL_DTLS +CONFIG_WOLFSSL_ENABLE_KYBER +CONFIG_WOLFSSL_EXAMPLE_NAME_ESP32_SSH_SERVER +CONFIG_WOLFSSL_EXAMPLE_NAME_ESP8266_SSH_SERVER +CONFIG_WOLFSSL_EXAMPLE_NAME_NONE +CONFIG_WOLFSSL_EXAMPLE_NAME_TEMPLATE +CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_CLIENT +CONFIG_WOLFSSL_EXAMPLE_NAME_TLS_SERVER +CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFMQTT_AWS_IOT_MQTT +CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFMQTT_TEMPLATE +CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_ECHOSERVER +CONFIG_WOLFSSL_EXAMPLE_NAME_WOLFSSH_TEMPLATE +CONFIG_WOLFSSL_HKDF +CONFIG_WOLFSSL_MAX_FRAGMENT_LEN +CONFIG_WOLFSSL_NO_ASN_STRICT +CONFIG_WOLFSSL_PSK +CONFIG_WOLFSSL_RSA_PSS +CONFIG_WOLFSSL_TARGET_HOST +CONFIG_WOLFSSL_TARGET_PORT +CONFIG_WOLFSSL_TLS13_ENABLED +CONFIG_WOLFSSL_TLS_VERSION_1_2 +CONFIG_WOLFSSL_TLS_VERSION_1_3 +CONFIG_WOLFTPM_EXAMPLE_NAME_ESPRESSIF +CONFIG_X86 +CONV_WITH_DIV +CPA_CY_API_VERSION_NUM_MAJOR +CPU_MIMXRT1176DVMAA_cm7 +CPU_MK82FN256VLL15 +CRLDP_VALIDATE_DATA +CRL_REPORT_LOAD_ERRORS +CRL_STATIC_REVOKED_LIST +CRYPTOCELL_KEY_SIZE +CRYP_HEADERWIDTHUNIT_BYTE +CRYP_KEYIVCONFIG_ONCE +CRYP_KEYSIZE_192B +CSM_UNSUPPORTED_ALGS +CTYPE_USER +CURVED448_SMALL +CY_USING_HAL +DCP_USE_DCACHE +DILITHIUM_MUL_11_SLOW +DILITHIUM_MUL_44_SLOW +DILITHIUM_MUL_QINV_SLOW +DILITHIUM_MUL_Q_SLOW +DILITHIUM_MUL_SLOW +DILITHIUM_USE_HINT_CT +DTLS_RECEIVEFROM_NO_TIMEOUT_ON_INVALID_PEER +ECCSI_ORDER_MORE_BITS_THAN_PRIME +ECC_DUMP_OID +ECDHE_SIZE +ENABLE_SECURE_SOCKETS_LOGS +ESP32 +ESP8266 +ESP_ENABLE_WOLFSSH +ESP_IDF_VERSION_MAJOR +ESP_IDF_VERSION_MINOR +ESP_PLATFORM +ESP_TASK_MAIN_STACK +EV_TRIGGER +FP_ECC_CONTROL +FREERTOS_TCP_WINSIM +FREESCALE +FREESCALE_RNGB +FREESCALE_USE_MMCAU_CLASSIC +FSL_FEATURE_HAS_L1CACHE +FSL_FEATURE_LTC_HAS_DES +FSL_FEATURE_LTC_HAS_GCM +FSL_FEATURE_LTC_HAS_PKHA +FSL_FEATURE_LTC_HAS_SHA +FSL_FEATURE_SOC_LTC_COUNT +FSL_FEATURE_SOC_MMCAU_COUNT +FSL_FEATURE_SOC_RNG_COUNT +FSL_FEATURE_SOC_TRNG_COUNT +FUSION_RTOS +GENERATE_MACHINE_PARSEABLE_REPORT +GE_P3_TOBYTES_IMPL +GOAHEAD_WS +HAL_RTC_MODULE_ENABLED +HARDWARE_CACHE_COHERENCY +HASH_AlgoMode_HASH +HASH_BYTE_SWAP +HASH_CR_LKEY +HASH_DIGEST +HASH_DataType_8b +HASH_IMR_DCIE +HASH_IMR_DINIE +HAVE_AESGCM_DECRYPT +HAVE_BYTEREVERSE64 +HAVE_CERTIFICATE_STATUS_V2 +HAVE_COLDFIRE_SEC +HAVE_CRL_UPDATE_CB +HAVE_CSHARP +HAVE_CURL +HAVE_CURVE22519 +HAVE_DANE +HAVE_ECC239 +HAVE_ECC320 +HAVE_ECC512 +HAVE_ECC_CDH_CAST +HAVE_ECC_SM2 +HAVE_ESP_CLK +HAVE_EX_DATA_CRYPTO +HAVE_EX_DATA_CLEANUP_HOOKS +HAVE_FACON +HAVE_FIPS_VERSION_PORT +HAVE_FUZZER +HAVE_INTEL_MULX +HAVE_INTEL_QAT_SYNC +HAVE_INTEL_SPEEDUP +HAVE_MDK_RTX +HAVE_NETX_BSD +HAVE_PKCS7_RSA_RAW_SIGN_CALLBACK +HAVE_POCO_LIB +HAVE_RTP_SYS +HAVE_SECURE_GETENV +HAVE_STACK_SIZE_VERBOSE_LOG +HAVE_THREADX +HAVE_TM_TYPE +HAVE_VALIDATE_DATE +HAVE_VA_COPY +HAVE_X448 +HONOR_MATH_USED_LENGTH +HSM_KEY_TYPE_HMAC_224 +HSM_KEY_TYPE_HMAC_256 +HSM_KEY_TYPE_HMAC_384 +HSM_KEY_TYPE_HMAC_512 +HSM_OP_KEY_GENERATION_FLAGS_CREATE +HSM_OP_KEY_GENERATION_FLAGS_UPDATE +HSM_SVC_KEY_STORE_FLAGS_UPDATE +IDIRECT_DEV_RANDOM +IDIRECT_DEV_TIME +ID_TRNG +IGNORE_KEY_EXTENSIONS +IGNORE_NETSCAPE_CERT_TYPE +INCLUDE_uxTaskGetStackHighWaterMark +INTEGRITY +INTIMEVER +IOTSAFE_NO_GETDATA +IOTSAFE_SIG_8BIT_LENGTH +KCAPI_USE_XMALLOC +KYBER_NONDETERMINISTIC +K_SERIES +LIBWOLFSSL_VERSION_GIT_BRANCH +LIBWOLFSSL_VERSION_GIT_HASH +LIBWOLFSSL_VERSION_GIT_HASH_DATE +LIBWOLFSSL_VERSION_GIT_ORIGIN +LIBWOLFSSL_VERSION_GIT_SHORT_HASH +LIBWOLFSSL_VERSION_GIT_TAG +LINUXKM_FPU_STATES_FOLLOW_THREADS +LINUXKM_LKCAPI_PRIORITY_ALLOW_MASKING +LINUX_CYCLE_COUNT +LINUX_RUSAGE_UTIME +LP64 +MAX3266X_AESGCM +MAX3266X_RSA +MAXQ10XX_PRODUCTION_KEY +MAXQ_EXPORT_TLS_KEYS +MAXQ_SHA1 +MAXSEG_64K +MAX_WOLFSSL_FILE_SIZE +MDK_CONF_BARE_METAL +MDK_CONF_FS +MDK_CONF_RTX_TCP_FS +MDK_CONF_TCP_FS +MDK_WOLFLIB +MICRIUM_MALLOC +MICROCHIP_MPLAB_HARMONY +MICROCHIP_MPLAB_HARMONY_3 +MICRO_SESSION_CACHEx +MODULE_SOCK_TCP +MP_31BIT +MP_8BIT +MQX_USE_IO_OLD +MULTI_VALUE_STATISTICS +MUTEX_DURING_INIT +NEED_THREADX_TYPES +NETX_DUO +NET_SECURE_MODULE_EN +NOTE_TRIGGER +NO_AES_DECRYPT +NO_ARDUINO_DEFAULT +NO_ASM +NO_ASN_OLD_TYPE_NAMES +NO_CAMELLIA_CBC +NO_CERT +NO_CIPHER_SUITE_ALIASES +NO_CLIENT_CACHE +NO_CLOCK_SPEEDUP +NO_CURVE25519_KEY_EXPORT +NO_CURVE25519_KEY_IMPORT +NO_CURVE25519_SHARED_SECRET +NO_CURVE448_KEY_EXPORT +NO_CURVE448_KEY_IMPORT +NO_CURVE448_SHARED_SECRET +NO_DEV_URANDOM +NO_ECC384 +NO_ECC521 +NO_ECC_CACHE_CURVE +NO_ECC_CHECK_KEY +NO_ECC_KEY_IMPORT +NO_ECC_MAKE_PUB +NO_ED25519_CLIENT_AUTH +NO_ED25519_KEY_EXPORT +NO_ED25519_KEY_IMPORT +NO_ED25519_MAKE_KEY +NO_ED25519_SIGN +NO_ED25519_VERIFY +NO_ED448_CLIENT_AUTH +NO_ED448_KEY_EXPORT +NO_ED448_KEY_IMPORT +NO_ED448_SIGN +NO_ED448_VERIFY +NO_ESP_MP_MUL_EVEN_ALT_CALC +NO_FORCE_SCR_SAME_SUITE +NO_GCM_ENCRYPT_EXTRA +NO_GETENV +NO_HANDSHAKE_DONE_CB +NO_IMX6_CAAM_AES +NO_IMX6_CAAM_HASH +NO_OLD_NAMES +NO_OLD_POLY1305 +NO_OLD_TIMEVAL_NAME +NO_PBKDF1 +NO_PIC32MZ_CRYPT +NO_PIC32MZ_HASH +NO_PIC32MZ_RNG +NO_PKCS11_AES +NO_PKCS11_AESCBC +NO_PKCS11_AESGCM +NO_PKCS11_ECC +NO_PKCS11_ECDH +NO_PKCS11_EC_KEYGEN +NO_PKCS11_HMAC +NO_PKCS11_RNG +NO_PKCS11_RSA +NO_PKCS11_RSA_PKCS +NO_PKCS7 +NO_PKCS7_COMPRESSED_DATA +NO_PKCS7_ENCRYPTED_DATA +NO_PKCS7_STREAM +NO_POLY1305_ASM +NO_PUBLIC_CCM_SET_NONCE +NO_PUBLIC_GCM_SET_IV +NO_RESUME_SUITE_CHECK +NO_RNG +NO_RNG_MUTEX +NO_SESSION_CACHE_ROW_LOCK +NO_SKID +NO_SKIP_PREVIEW +NO_STDIO_FGETS_REMAP +NO_TKERNEL_MEM_POOL +NO_TLSX_PSKKEM_PLAIN_ANNOUNCE +NO_VERIFY_OID +NO_WC_SSIZE_TYPE +NO_WOLFSSL_ALLOC_ALIGN +NO_WOLFSSL_AUTOSAR_CRYIF +NO_WOLFSSL_AUTOSAR_CRYPTO +NO_WOLFSSL_AUTOSAR_CSM +NO_WOLFSSL_BASE64_DECODE +NO_WOLFSSL_MSG_EX +NO_WOLFSSL_RENESAS_FSPSM_AES +NO_WOLFSSL_RENESAS_FSPSM_HASH +NO_WOLFSSL_RENESAS_TSIP_CRYPT_AES +NO_WOLFSSL_SHA256 +NO_WOLFSSL_SHA256_INTERLEAVE +NO_WOLFSSL_SHA512_INTERLEAVE +NO_WOLFSSL_SKIP_TRAILING_PAD +NO_WOLFSSL_SMALL_STACK_STATIC +NO_WOLFSSL_XILINX_TAG_MALLOC +NRF52 +NRF52_SERIES +NRF_ERROR_MODULE_ALREADY_INITIALIZED +OLD_HELLO_ALLOWED +OPENSSL_EXTRA_BSD +OPENSSL_EXTRA_NO_ASN1 +OPENSSL_EXTRA_NO_BN +OPENSSL_NO_PK +OS_WINDOWS +OTHERBOARD +OTHER_BOARD +PEER_INFO +PKA_ECC_SCALAR_MUL_IN_B_COEFF +PLATFORMIO +PLUTON_CRYPTO_ECC +PRINT_SESSION_STATS +PTHREAD_STACK_MIN +QAT_ENABLE_HASH +QAT_ENABLE_RNG +QAT_USE_POLLING_CHECK +RC_NO_RNG +REDIRECTION_IN3_KEYELMID +REDIRECTION_IN3_KEYID +REDIRECTION_OUT1_KEYELMID +REDIRECTION_OUT1_KEYID +REDIRECTION_OUT2_KEYELMID +REDIRECTION_OUT2_KEYID +RENESAS_T4_USE +RTC_ALARMSUBSECONDMASK_ALL +RTE_CMSIS_RTOS_RTX +RTOS_MODULE_NET_AVAIL +RTPLATFORM +SA_INTERRUPT +SCEKEY_INSTALLED +SHA256_MANY_REGISTERS +SHA3_BY_SPEC +SHOW_CERTS +SHOW_GEN +SHOW_SIZES +SHOW_SSID_AND_PASSWORD +SIM_SCGC3_RNGA_MASK +SIM_SCGC5_PORTC_MASK +SIM_SCGC5_PORTD_MASK +SIM_SCGC5_PORTE_MASK +SIM_SCGC6_RNGA_MASK +SL_SE_KEY_TYPE_ECC_P384 +SL_SE_KEY_TYPE_ECC_P521 +SL_SE_KEY_TYPE_ECC_X25519 +SL_SE_KEY_TYPE_ECC_X448 +SL_SE_PRF_HMAC_SHA1 +SOFTDEVICE_PRESENT +SO_NOSIGPIPE +SO_REUSEPORT +SP_INT_NO_ASM +SP_MATH_NEED_ADD_OFF +SP_USE_DIVTI3 +SQRTMOD_USE_MOD_EXP +SSL_SNIFFER_EXPORTS +SSN_BUILDING_LIBYASSL +STATIC_CHUNKS_ONLY +STM32F107xC +STM32F207xx +STM32F217xx +STM32F401xE +STM32F407xx +STM32F437xx +STM32F756xx +STM32F777xx +STM32G071xx +STM32G491xx +STM32H563xx +STM32H723xx +STM32H725xx +STM32H743xx +STM32H753xx +STM32L475xx +STM32L4A6xx +STM32L552xx +STM32L562xx +STM32MP135Fxx +STM32U575xx +STM32U585xx +STM32U5A9xx +STM32WB55xx +STM32WL55xx +STM32_AESGCM_PARTIAL +STM32_HW_CLOCK_AUTO +STM32_NUTTX_RNG +TASK_EXTRA_STACK_SIZE +TCP_NODELAY +TFM_ALREADY_SET +TFM_SMALL_MONT_SET +THREADED_SNIFFTEST +TIME_T_NOT_LONG +TI_DUMMY_BUILD +TLS13_RSA_PSS_SIGN_CB_NO_PREHASH +UNICODE +USER_CA_CB +USER_CUSTOM_SNIFFX +USER_MATH_LIB +USE_ALT_MPRIME +USE_ANY_ADDR +USE_CERT_BUFFERS_25519 +USE_CERT_BUFFERS_3072 +USE_ECDSA_KEYSZ_HASH_ALGO +USE_FULL_ASSERT +USE_HAL_DRIVER +USE_NXP_LTC +USE_NXP_MMCAU +USE_QAE_THREAD_LS +USE_SECRET_CALLBACK +USE_STSAFE_RNG_SEED +USE_STSAFE_VERBOSE +USE_TLSV13 +USE_WOLF_STRNSTR +USS_API +WC_AESXTS_STREAM_NO_REQUEST_ACCOUNTING +WC_AES_BS_WORD_SIZE +WC_AES_GCM_DEC_AUTH_EARLY +WC_ASN_HASH_SHA256 +WC_ASYNC_ENABLE_3DES +WC_ASYNC_ENABLE_AES +WC_ASYNC_ENABLE_ARC4 +WC_ASYNC_ENABLE_DH +WC_ASYNC_ENABLE_ECC +WC_ASYNC_ENABLE_ECC_KEYGEN +WC_ASYNC_ENABLE_HMAC +WC_ASYNC_ENABLE_MD5 +WC_ASYNC_ENABLE_RSA +WC_ASYNC_ENABLE_RSA_KEYGEN +WC_ASYNC_ENABLE_SHA +WC_ASYNC_ENABLE_SHA224 +WC_ASYNC_ENABLE_SHA256 +WC_ASYNC_ENABLE_SHA3 +WC_ASYNC_ENABLE_SHA384 +WC_ASYNC_ENABLE_SHA512 +WC_ASYNC_NO_CRYPT +WC_ASYNC_NO_HASH +WC_DILITHIUM_CACHE_PRIV_VECTORS +WC_DILITHIUM_CACHE_PUB_VECTORS +WC_DILITHIUM_FIXED_ARRAY +WC_DISABLE_RADIX_ZERO_PAD +WC_ECC_NONBLOCK_ONLY +WC_KDF_NIST_SP_800_56C +WC_LMS_FULL_HASH +WC_NO_RNG_SIMPLE +WC_NO_STATIC_ASSERT +WC_PKCS11_FIND_WITH_ID_ONLY +WC_PROTECT_ENCRYPTED_MEM +WC_RNG_BLOCKING +WC_RSA_DIRECT +WC_RSA_NONBLOCK +WC_RSA_NONBLOCK_TIME +WC_RSA_NO_FERMAT_CHECK +WC_SHA384 +WC_SHA384_DIGEST_SIZE +WC_SHA512 +WC_SHA512_DIGEST_SIZE +WC_SSIZE_TYPE +WC_STRICT_SIG +WC_XMSS_FULL_HASH +WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE +WOLFSENTRY_H +WOLFSENTRY_NO_JSON +WOLFSSL_32BIT_MILLI_TIME +WOLFSSL_AESNI_BY4 +WOLFSSL_AESNI_BY6 +WOLFSSL_AFTER_DATE_CLOCK_SKEW +WOLFSSL_ALGO_HW_MUTEX +WOLFSSL_ALLOW_CRIT_AIA +WOLFSSL_ALLOW_CRIT_AKID +WOLFSSL_ALLOW_CRIT_SKID +WOLFSSL_ALLOW_ENCODING_CA_FALSE +WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST +WOLFSSL_ALLOW_NO_CN_IN_SAN +WOLFSSL_ALLOW_NO_SUITES +WOLFSSL_ALLOW_SERVER_SC_EXT +WOLFSSL_ALLOW_TLS_SHA1 +WOLFSSL_ALTERNATIVE_DOWNGRADE +WOLFSSL_ALT_NAMES_NO_REV +WOLFSSL_ARM_ARCH_NEON_64BIT +WOLFSSL_ASNC_CRYPT +WOLFSSL_ASN_EXTRA +WOLFSSL_ASN_INT_LEAD_0_ANY +WOLFSSL_ASN_TEMPLATE_NEED_SET_INT32 +WOLFSSL_ASN_TEMPLATE_TYPE_CHECK +WOLFSSL_ATECC508 +WOLFSSL_ATECC508A_NOIDLE +WOLFSSL_ATECC508A_NOSOFTECC +WOLFSSL_ATECC508A_TLS +WOLFSSL_ATECC_ECDH_IOENC +WOLFSSL_ATECC_NO_ECDH_ENC +WOLFSSL_ATECC_RNG +WOLFSSL_ATECC_TFLXTLS +WOLFSSL_ATECC_TNGTLS +WOLFSSL_ATMEL +WOLFSSL_ATMEL_TIME +WOLFSSL_BEFORE_DATE_CLOCK_SKEW +WOLFSSL_BIGINT_TYPES +WOLFSSL_BIO_NO_FLOW_STATS +WOLFSSL_BLAKE2B_INIT_EACH_FIELD +WOLFSSL_BLAKE2S_INIT_EACH_FIELD +WOLFSSL_BLIND_PRIVATE_KEY +WOLFSSL_BYTESWAP32_ASM +WOLFSSL_CAAM_BLACK_KEY_AESCCM +WOLFSSL_CAAM_BLACK_KEY_SM +WOLFSSL_CAAM_NO_BLACK_KEY +WOLFSSL_CALLBACKS +WOLFSSL_CHECK_DESKEY +WOLFSSL_CHECK_MEM_ZERO +WOLFSSL_CHIBIOS +WOLFSSL_CLANG_TIDY +WOLFSSL_COMMERCIAL_LICENSE +WOLFSSL_CONTIKI +WOLFSSL_CRL_ALLOW_MISSING_CDP +WOLFSSL_DILITHIUM_ASSIGN_KEY +WOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM +WOLFSSL_DILITHIUM_NO_ASN1 +WOLFSSL_DILITHIUM_NO_CHECK_KEY +WOLFSSL_DILITHIUM_NO_LARGE_CODE +WOLFSSL_DILITHIUM_NO_MAKE +WOLFSSL_DILITHIUM_REVERSE_HASH_OID +WOLFSSL_DILITHIUM_SIGN_CHECK_W0 +WOLFSSL_DILITHIUM_SIGN_CHECK_Y +WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC +WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC_A +WOLFSSL_DILITHIUM_SMALL_MEM_POLY64 +WOLFSSL_DILITHIUM_VERIFY_NO_MALLOC +WOLFSSL_DILITHIUM_VERIFY_SMALL_MEM +WOLFSSL_DISABLE_EARLY_SANITY_CHECKS +WOLFSSL_DTLS_DISALLOW_FUTURE +WOLFSSL_DTLS_DROP_STATS +WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT +WOLFSSL_DUMP_MEMIO_STREAM +WOLFSSL_DUP_CERTPOL +WOLFSSL_ECC_BLIND_K +WOLFSSL_ECC_GEN_REJECT_SAMPLING +WOLFSSL_ECC_NO_SMALL_STACK +WOLFSSL_ECC_SIGALG_PARAMS_NULL_ALLOWED +WOLFSSL_ECDHX_SHARED_NOT_ZERO +WOLFSSL_ECDSA_MATCH_HASH +WOLFSSL_ECDSA_SET_K_ONE_LOOP +WOLFSSL_EC_POINT_CMP_JACOBIAN +WOLFSSL_EDDSA_CHECK_PRIV_ON_SIGN +WOLFSSL_EMNET +WOLFSSL_ESPWROOM32 +WOLFSSL_EVP_PRINT +WOLFSSL_EXPORT_INT +WOLFSSL_EXPORT_SPC_SZ +WOLFSSL_EXTRA +WOLFSSL_FORCE_OCSP_NONCE_CHECK +WOLFSSL_FRDM_K64 +WOLFSSL_FRDM_K64_JENKINS +WOLFSSL_FUNC_TIME +WOLFSSL_FUNC_TIME_LOG +WOLFSSL_GEN_CERT +WOLFSSL_GETRANDOM +WOLFSSL_GNRC +WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES +WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS +WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC +WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK +WOLFSSL_HARDEN_TLS_NO_SCR_CHECK +WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY +WOLFSSL_I2D_ECDSA_SIG_ALLOC +WOLFSSL_IAR_ARM_TIME +WOLFSSL_IGNORE_BAD_CERT_PATH +WOLFSSL_IMX6 +WOLFSSL_IMX6_CAAM +WOLFSSL_IMX6_CAAM_BLOB +WOLFSSL_IMX6_CAAM_RNG +WOLFSSL_IMXRT_DCP +WOLFSSL_ISOTP +WOLFSSL_KEIL +WOLFSSL_KEIL_NET +WOLFSSL_KYBER_INVNTT_UNROLL +WOLFSSL_KYBER_NO_LARGE_CODE +WOLFSSL_KYBER_NTT_UNROLL +WOLFSSL_LIB +WOLFSSL_LMS_CACHE_BITS +WOLFSSL_LMS_FULL_HASH +WOLFSSL_LMS_LARGE_CACHES +WOLFSSL_LMS_MAX_HEIGHT +WOLFSSL_LMS_MAX_LEVELS +WOLFSSL_LMS_NO_SIG_CACHE +WOLFSSL_LMS_ROOT_LEVELS +WOLFSSL_LPC43xx +WOLFSSL_MAKE_SYSTEM_NAME_LINUX +WOLFSSL_MAKE_SYSTEM_NAME_WSL +WOLFSSL_MDK5 +WOLFSSL_MEM_FAIL_COUNT +WOLFSSL_MONT_RED_CT +WOLFSSL_MP_COND_COPY +WOLFSSL_MP_INVMOD_CONSTANT_TIME +WOLFSSL_MULTICIRCULATE_ALTNAMELIST +WOLFSSL_NONBLOCK_OCSP +WOLFSSL_NOSHA3_384 +WOLFSSL_NOT_WINDOWS_API +WOLFSSL_NO_BIO_ADDR_IN +WOLFSSL_NO_CLIENT +WOLFSSL_NO_CLIENT_CERT_ERROR +WOLFSSL_NO_COPY_CERT +WOLFSSL_NO_COPY_KEY +WOLFSSL_NO_CRL_DATE_CHECK +WOLFSSL_NO_CRL_NEXT_DATE +WOLFSSL_NO_DECODE_EXTRA +WOLFSSL_NO_DER_TO_PEM +WOLFSSL_NO_DH186 +WOLFSSL_NO_DTLS_SIZE_CHECK +WOLFSSL_NO_ETM_ALERT +WOLFSSL_NO_FENCE +WOLFSSL_NO_FSEEK +WOLFSSL_NO_INIT_CTX_KEY +WOLFSSL_NO_ISSUERHASH_TDPEER +WOLFSSL_NO_KCAPI_AES_CBC +WOLFSSL_NO_KCAPI_HMAC_SHA1 +WOLFSSL_NO_KCAPI_HMAC_SHA224 +WOLFSSL_NO_KCAPI_HMAC_SHA256 +WOLFSSL_NO_KCAPI_HMAC_SHA384 +WOLFSSL_NO_KCAPI_HMAC_SHA512 +WOLFSSL_NO_KCAPI_SHA224 +WOLFSSL_NO_OCSP_DATE_CHECK +WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK +WOLFSSL_NO_OCSP_OPTIONAL_CERTS +WOLFSSL_NO_PUBLIC_FFDHE +WOLFSSL_NO_RSA_KEY_CHECK +WOLFSSL_NO_SERVER_GROUPS_EXT +WOLFSSL_NO_SESSION_STATS +WOLFSSL_NO_SIGALG +WOLFSSL_NO_SOCKADDR_UN +WOLFSSL_NO_SPHINCS +WOLFSSL_NO_STRICT_CIPHER_SUITE +WOLFSSL_NO_TICKET_EXPIRE +WOLFSSL_NO_TRUSTED_CERTS_VERIFY +WOLFSSL_NO_XOR_OPS +WOLFSSL_NRF51_AES +WOLFSSL_OLDTLS_AEAD_CIPHERSUITES +WOLFSSL_OLDTLS_SHA2_CIPHERSUITES +WOLFSSL_OLD_SET_CURVES_LIST +WOLFSSL_OLD_UNSUPPORTED_EXTENSION +WOLFSSL_OPTIONS_IGNORE_SYS +WOLFSSL_PASSTHRU_ERR +WOLFSSL_PB +WOLFSSL_PEER_ADDRESS_CHANGES +WOLFSSL_PKCS11_RW_TOKENS +WOLFSSL_PRCONNECT_PRO +WOLFSSL_PREFIX +WOLFSSL_PSA_NO_AES +WOLFSSL_PSA_NO_HASH +WOLFSSL_PSA_NO_PKCB +WOLFSSL_PSA_NO_PKCBS +WOLFSSL_PSA_NO_RNG +WOLFSSL_PSK_IDENTITY_ALERT +WOLFSSL_PSK_ID_PROTECTION +WOLFSSL_PSK_MULTI_ID_PER_CS +WOLFSSL_PSK_TLS13_CB +WOLFSSL_PSOC6_CRYPTO +WOLFSSL_PYTHON +WOLFSSL_RENESAS_FSPSM_CRYPT_ONLY +WOLFSSL_RENESAS_RA6M3 +WOLFSSL_RENESAS_RA6M3G +WOLFSSL_RENESAS_RSIP +WOLFSSL_RENESAS_RZN2L +WOLFSSL_RENESAS_TLS +WOLFSSL_RENESAS_TSIP_CRYPTONLY +WOLFSSL_RENESAS_TSIP_IAREWRX +WOLFSSL_RSA_CHECK_D_ON_DECRYPT +WOLFSSL_RSA_DECRYPT_TO_0_LEN +WOLFSSL_RW_THREADED +WOLFSSL_SAKKE_SMALL +WOLFSSL_SAKKE_SMALL_MODEXP +WOLFSSL_SE050_CRYPT +WOLFSSL_SE050_HASH +WOLFSSL_SE050_INIT +WOLFSSL_SE050_NO_TRNG +WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT +WOLFSSL_SETTINGS_FILE +WOLFSSL_SH224 +WOLFSSL_SHA256_ALT_CH_MAJ +WOLFSSL_SHUTDOWNONCE +WOLFSSL_SILABS_TRNG +WOLFSSL_SM4_EBC +WOLFSSL_SNIFFER_NO_RECOVERY +WOLFSSL_SP_ARM32_UDIV +WOLFSSL_SP_DH +WOLFSSL_SP_FAST_NCT_EXPTMOD +WOLFSSL_SP_INT_SQR_VOLATILE +WOLFSSL_STACK_CHECK +WOLFSSL_STM32F427_RNG +WOLFSSL_STM32_RNG_NOLIB +WOLFSSL_STRONGEST_HASH_SIG +WOLFSSL_STSAFE_TAKES_SLOT +WOLFSSL_TELIT_M2MB +WOLFSSL_THREADED_CRYPT +WOLFSSL_TICKET_DECRYPT_NO_CREATE +WOLFSSL_TICKET_ENC_AES128_GCM +WOLFSSL_TICKET_ENC_AES256_CBC +WOLFSSL_TICKET_ENC_AES256_GCM +WOLFSSL_TICKET_ENC_CBC_HMAC +WOLFSSL_TICKET_ENC_CHACHA20_POLY1305 +WOLFSSL_TICKET_ENC_HMAC_SHA384 +WOLFSSL_TICKET_ENC_HMAC_SHA512 +WOLFSSL_TI_CURRTIME +WOLFSSL_TLS13_DRAFT +WOLFSSL_TLS13_IGNORE_AEAD_LIMITS +WOLFSSL_TLS13_MIDDLEBOX_COMPAT +WOLFSSL_TLS13_SHA512 +WOLFSSL_TLS13_TICKET_BEFORE_FINISHED +WOLFSSL_TRACK_MEMORY_FULL +WOLFSSL_TRAP_MALLOC_SZ +WOLFSSL_UNALIGNED_64BIT_ACCESS +WOLFSSL_USER_FILESYSTEM +WOLFSSL_USER_LOG +WOLFSSL_USER_MUTEX +WOLFSSL_USER_THREADING +WOLFSSL_USE_ESP32C3_CRYPT_HASH_HW +WOLFSSL_USE_FLASHMEM +WOLFSSL_USE_OPTIONS_H +WOLFSSL_USE_POPEN_HOST +WOLFSSL_VALIDATE_DH_KEYGEN +WOLFSSL_WC_XMSS_NO_SHA256 +WOLFSSL_WC_XMSS_NO_SHAKE256 +WOLFSSL_WICED_PSEUDO_UNIX_EPOCH_TIME +WOLFSSL_X509_STORE_CERTS +WOLFSSL_X509_TRUSTED_CERTIFICATE_CALLBACK +WOLFSSL_XFREE_NO_NULLNESS_CHECK +WOLFSSL_XILINX_CRYPTO_OLD +WOLFSSL_XILINX_PATCH +WOLFSSL_XIL_MSG_NO_SLEEP +WOLFSSL_XMSS_LARGE_SECRET_KEY +WOLFSSL_ZEPHYR +WOLFSS_SP_MATH_ALL +WOLF_ALLOW_BUILTIN +WOLF_CONF_IO +WOLF_CONF_KYBER +WOLF_CONF_PK +WOLF_CONF_RESUMPTION +WOLF_CONF_TPM +WOLF_CRYPTO_CB_CMD +WOLF_CRYPTO_CB_FIND +WOLF_CRYPTO_CB_ONLY_ECC +WOLF_CRYPTO_CB_ONLY_RSA +WOLF_CRYPTO_CB_RSA_PAD +WOLF_CRYPTO_DEV +WOLF_NO_TRAILING_ENUM_COMMAS +WOLSSL_OLD_TIMINGPADVERIFY +XGETPASSWD +XMSS_CALL_PRF_KEYGEN +XPAR_VERSAL_CIPS_0_PSPMC_0_PSV_CORTEXA72_0_TIMESTAMP_CLK_FREQ +XSECURE_CACHE_DISABLE +_ABI64 +_ABIO64 +_ARCH_PPC64 +_COMPILER_VERSION +_INTPTR_T_DECLARED +_LP64 +_MSC_VER +_MSVC_LANG +_M_ARM64 +_M_X64 +_NETOS +_POSIX_C_SOURCE +_SDCC_VERSION_PATCHLEVEL +_SH3 +_SILICON_LABS_SECURITY_FEATURE +_SOCKLEN_T +_SYS_DEVCON_LOCAL_H +_TIME_HELPER_H +_UINTPTR_T_DECLARED +_WIN32 +_WIN32_WCE +_WIN64 +__32MZ2048ECH144__ +__32MZ2048ECM144__ +__32MZ2048EFM144__ +__ANDROID__ +__APPLE__ +__ARCH_STRCASECMP_NO_REDIRECT +__ARCH_STRCMP_NO_REDIRECT +__ARCH_STRNCASECMP_NO_REDIRECT +__ARCH_STRNCAT_NO_REDIRECT +__ARCH_STRNCMP_NO_REDIRECT +__ARCH_STRNCPY_NO_REDIRECT +__ARCH_STRSTR_NO_REDIRECT +__ARM_ARCH_7M__ +__ARM_FEATURE_CRYPTO +__ASSEMBLER__ +__ATOMIC_RELAXED +__AVR__ +__BCPLUSPLUS__ +__BIG_ENDIAN__ +__BORLANDC__ +__CCRX__ +__COMPILER_VER__ +__CYGWIN__ +__DATE__ +__DCACHE_PRESENT +__DCC__ +__DECC_VER +__ELF__ +__EMSCRIPTEN__ +__FPU_PRESENT +__FreeBSD__ +__GLIBC__ +__GNUC_MINOR__ +__GNUC__ +__HP_cc +__IAR_SYSTEMS_ICC__ +__ICCARM__ +__ILP32__ +__INCLUDE_NUTTX_CONFIG_H +__INTEGRITY +__INTEL_COMPILER +__KEIL__ +__KEY_DATA_H__ +__LP64 +__LP64__ +__MACH__ +__MICROBLAZE__ +__MINGW32__ +__MINGW64_VERSION_MAJOR +__MINGW64__ +__MWERKS__ +__PIE__ +__POWERPC__ +__PPC__ +__PPU +__QNXNTO__ +__QNX__ +__ROPI__ +__SAM3A4C__ +__SAM3A8C__ +__SAM3A8H__ +__SAM3X4C__ +__SAM3X4E__ +__SAM3X8C__ +__SAM3X8E__ +__SANITIZE_ADDRESS__ +__SDCC_VERSION_MAJOR +__SDCC_VERSION_MINOR +__SDCC_VERSION_PATCH +__SIZEOF_INT128__ +__SIZEOF_LONG_LONG__ +__STDC_VERSION__ +__STDC__ +__STM32__ +__STRICT_ANSI__ +__SUNPRO_C +__SUNPRO_CC +__SVR4 +__TI_COMPILER_VERSION__ +__TURBOC__ +__USE_GNU +__USE_MISC +__USE_XOPEN2K +__WATCOMC__ +__WATCOM_INT64__ +__XC32 +__XTENSA__ +__aarch64__ +__alpha__ +__arch64__ +__arm__ +__clang__ +__clang_major__ +__cplusplus +__ghc__ +__ghs__ +__hpux__ +__i386 +__i386__ +__ia64__ +__linux__ +__llvm__ +__mips +__mips64 +__must_check +__ppc64__ +__ppc__ +__riscv +__riscv_xlen +__s390x__ +__sparc64__ +__sun +__svr4__ +__thumb__ +__ti__ +__x86_64__ +byte +configTICK_RATE_HZ +fallthrough +noinline +ssize_t +sun +versal +wc_Tls13_HKDF_Expand_Label diff --git a/CMakeLists.txt b/CMakeLists.txt index a581df8146..72e6550b5c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -34,7 +34,7 @@ if("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_BINARY_DIR}") You must delete them, or cmake will refuse to work.") endif() -project(wolfssl VERSION 5.7.2 LANGUAGES C ASM) +project(wolfssl VERSION 5.7.4 LANGUAGES C ASM) # Set WOLFSSL_ROOT if not already defined if ("${WOLFSSL_ROOT}" STREQUAL "") @@ -53,7 +53,7 @@ set(WOLFSSL_LIBRARY_VERSION_FIRST 42) # increment if interfaces have been added # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented -set(WOLFSSL_LIBRARY_VERSION_SECOND 2) +set(WOLFSSL_LIBRARY_VERSION_SECOND 3) # increment if source code has changed # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented or diff --git a/ChangeLog.md b/ChangeLog.md index bee6e614ee..a0585b3c26 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,196 @@ +# wolfSSL Release 5.7.4 (Oct 24, 2024) + +Release 5.7.4 has been developed according to wolfSSL's development and QA +process (see link below) and successfully passed the quality criteria. +https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance + +NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024 + +PR stands for Pull Request, and PR references a GitHub pull request + number where the code change was added. + + +## Vulnerabilities +* [Low] When the OpenSSL compatibility layer is enabled, certificate + verification behaved differently in wolfSSL than OpenSSL, in the + X509_STORE_add_cert() and X509_STORE_load_locations() implementations. + Previously, in cases where an application explicitly loaded an intermediate + certificate, wolfSSL was verifying only up to that intermediate certificate, + rather than verifying up to the root CA. This only affects use cases where the + API is called directly, and does not affect TLS connections. Users that call + the API X509_STORE_add_cert() or X509_STORE_load_locations() directly in their + applications are recommended to update the version of wolfSSL used or to have + additional sanity checks on certificates loaded into the X509_STORE when + verifying a certificate. (https://github.com/wolfSSL/wolfssl/pull/8087) + + +## PQC TLS Experimental Build Fix +* When using TLS with post quantum algorithms enabled, the connection uses a + smaller EC curve than agreed on. Users building with --enable-experimental and + enabling PQC cipher suites with TLS connections are recommended to update the + version of wolfSSL used. Thanks to Daniel Correa for the report. + (https://github.com/wolfSSL/wolfssl/pull/8084) + + +## New Feature Additions +* RISC-V 64 new assembly optimizations added for SHA-256, SHA-512, ChaCha20, + Poly1305, and SHA-3 (PR 7758,7833,7818,7873,7916) +* Implement support for Connection ID (CID) with DTLS 1.2 (PR 7995) +* Add support for (DevkitPro)libnds (PR 7990) +* Add port for Mosquitto OSP (Open Source Project) (PR 6460) +* Add port for init sssd (PR 7781) +* Add port for eXosip2 (PR 7648) +* Add support for STM32G4 (PR 7997) +* Add support for MAX32665 and MAX32666 TPU HW and ARM ASM Crypto Callback + Support (PR 7777) +* Add support for building wolfSSL to be used in libspdm (PR 7869) +* Add port for use with Nucleus Plus 2.3 (PR 7732) +* Initial support for RFC5755 x509 attribute certificates (acerts). Enabled with + --enable-acert (PR 7926) +* PKCS#11 RSA Padding offload allows tokens to perform CKM_RSA_PKCS + (sign/encrypt), CKM_RSA_PKCS_PSS (sign), and CKM_RSA_PKCS_OAEP (encrypt). + (PR 7750) +* Added “new” and “delete” style functions for heap/pool allocation and freeing + of low level crypto structures (PR 3166 and 8089) + + +## Enhancements and Optimizations +* Increase default max alt. names from 128 to 1024 (PR 7762) +* Added new constant time DH agree function wc_DhAgree_ct (PR 7802) +* Expanded compatibility layer with the API EVP_PKEY_is_a (PR 7804) +* Add option to disable cryptocb test software test using + --disable-cryptocb-sw-test (PR 7862) +* Add a call to certificate verify callback before checking certificate dates + (PR 7895) +* Expanded algorithms supported with the wolfCrypt CSharp wrapper. Adding + support for RNG, ECC(ECIES and ECDHE), RSA, ED25519/Curve25519, AES-GCM, and + Hashing (PR 3166) +* Expand MMCAU support for use with DES ECB (PR 7960) +* Update AES SIV to handle multiple associated data inputs (PR 7911) +* Remove HAVE_NULL_CIPHER from --enable-openssh (PR 7811) +* Removed duplicate if(NULL) checks when calling XFREE (macro does) (PR 7839) +* Set RSA_MIN_SIZE default to 2048 bits (PR 7923) +* Added support for wolfSSL to be used as the default TLS in the zephyr kernel + (PR 7731) +* Add enable provider build using --enable-wolfprovider with autotools (PR 7550) +* Renesas RX TSIP ECDSA support (PR 7685) +* Support DTLS1.3 downgrade when the server supports CID (PR 7841) +* Server-side checks OCSP even if it uses v2 multi (PR 7828) +* Add handling of absent hash params in PKCS7 bundle parsing and creation + (PR 7845) +* Add the use of w64wrapper for Poly1305, enabling Poly1305 to be used in + environments that do not have a word64 type (PR 7759) +* Update to the maxq10xx support (PR 7824) +* Add support for parsing over optional PKCS8 attributes (PR 7944) +* Add support for either side method with DTLS 1.3 (PR 8012) +* Added PKCS7 PEM support for parsing PEM data with BEGIN/END PKCS7 (PR 7704) +* Add CMake support for WOLFSSL_CUSTOM_CURVES (PR 7962) +* Add left-most wildcard matching support to X509_check_host() (PR 7966) +* Add option to set custom SKID with PKCS7 bundle creation (PR 7954) +* Building wolfSSL as a library with Ada and corrections to Alire manifest + (PR 7303,7940) +* Renesas RX72N support updated (PR 7849) +* New option WOLFSSL_COPY_KEY added to always copy the key to the SSL object + (PR 8005) +* Add the new option WOLFSSL_COPY_CERT to always copy the cert buffer for each + SSL object (PR 7867) +* Add an option to use AES-CBC with HMAC for default session ticket enc/dec. + Defaults to AES-128-CBC with HMAC-SHA256 (PR 7703) +* Memory usage improvements in wc_PRF, sha256 (for small code when many + registers are available) and sp_int objects (PR 7901) +* Change in the configure script to work around ">>" with no command. In older + /bin/sh it can be ambiguous, as used in OS’s such as FreeBSD 9.2 (PR 7876) +* Don't attempt to include system headers when not required (PR 7813) +* Certificates: DER encoding of ECC signature algorithm parameter is now + allowed to be NULL with a define (PR 7903) +* SP x86_64 asm: check for AVX2 support for VMs (PR 7979) +* Update rx64n support on gr-rose (PR 7889) +* Update FSP version to v5.4.0 for RA6M4 (PR 7994) +* Update TSIP driver version to v1.21 for RX65N RSK (PR 7993) +* Add a new crypto callback for RSA with padding (PR 7907) +* Replaced the use of pqm4 with wolfSSL implementations of Kyber/MLDSA + (PR 7924) +* Modernized memory fence support for C11 and clang (PR 7938) +* Add a CRL error override callback (PR 7986) +* Extend the X509 unknown extension callback for use with a user context + (PR 7730) +* Additional debug error tracing added with TLS (PR 7917) +* Added runtime support for library call stack traces with + –enable-debug-trace-errcodes=backtrace, using libbacktrace (PR 7846) +* Expanded C89 conformance (PR 8077) +* Expanded support for WOLFSSL_NO_MALLOC (PR 8065) +* Added support for cross-compilation of Linux kernel module (PR 7746) +* Updated Linux kernel module with support for kernel 6.11 and 6.12 (PR 7826) +* Introduce WOLFSSL_ASN_ALLOW_0_SERIAL to allow parsing of certificates with a + serial number of 0 (PR 7893) +* Add conditional repository_owner to all wolfSSL GitHub workflows (PR 7871) + +### Espressif / Arduino Updates +* Update wolfcrypt settings.h for Espressif ESP-IDF, template update (PR 7953) +* Update Espressif sha, util, mem, time helpers (PR 7955) +* Espressif _thread_local_start and _thread_local_end fix (PR 8030) +* Improve benchmark for Espressif devices (PR 8037) +* Introduce Espressif common CONFIG_WOLFSSL_EXAMPLE_NAME, Kconfig (PR 7866) +* Add wolfSSL esp-tls and Certificate Bundle Support for Espressif ESP-IDF + (PR 7936) +* Update wolfssl Release for Arduino (PR 7775) + +### Post Quantum Crypto Updates +* Dilithium: support fixed size arrays in dilithium_key (PR 7727) +* Dilithium: add option to use precalc with small sign (PR 7744) +* Allow Kyber to be built with FIPS (PR 7788) +* Allow Kyber asm to be used in the Linux kernel module (PR 7872) +* Dilithium, Kyber: Update to final specification (PR 7877) +* Dilithium: Support FIPS 204 Draft and Final Draft (PR 7909,8016) + +### ARM Assembly Optimizations +* ARM32 assembly optimizations added for ChaCha20 and Poly1305 (PR 8020) +* Poly1305 assembly optimizations improvements for Aarch64 (PR 7859) +* Poly1305 assembly optimizations added for Thumb-2 (PR 7939) +* Adding ARM ASM build option to STM32CubePack (PR 7747) +* Add ARM64 to Visual Studio Project (PR 8010) +* Kyber assembly optimizations for ARM32 and Aarch64 (PR 8040,7998) +* Kyber assembly optimizations for ARMv7E-M/ARMv7-M (PR 7706) + + +## Fixes +* ECC key load: fixes for certificates with parameters that are not default for + size (PR 7751) +* Fixes for building x86 in Visual Studio for non-windows OS (PR 7884) +* Fix for TLS v1.2 secret callback, incorrectly detecting bad master secret + (PR 7812) +* Fixes for PowerPC assembly use with Darwin and SP math all (PR 7931) +* Fix for detecting older versions of Mac OS when trying to link with + libdispatch (PR 7932) +* Fix for DTLS1.3 downgrade to DTLS1.2 when the server sends multiple handshake + packets combined into a single transmission. (PR 7840) +* Fix for OCSP to save the request if it was stored in ssl->ctx->certOcspRequest + (PR 7779) +* Fix to OCSP for searching for CA by key hash instead of ext. key id (PR 7934) +* Fix for staticmemory and singlethreaded build (PR 7737) +* Fix to not allow Shake128/256 with Xilinx AFALG (PR 7708) +* Fix to support PKCS11 without RSA key generation (PR 7738) +* Fix not calling the signing callback when using PK callbacks + TLS 1.3 + (PR 7761) +* Cortex-M/Thumb2 ASM fix label for IAR compiler (PR 7753) +* Fix with PKCS11 to iterate correctly over slotId (PR 7736) +* Stop stripping out the sequence header on the AltSigAlg extension (PR 7710) +* Fix ParseCRL_AuthKeyIdExt with ASN template to set extAuthKeyIdSet value + (PR 7742) +* Use max key length for PSK encrypt buffer size (PR 7707) +* DTLS 1.3 fix for size check to include headers and CID fixes (PR 7912,7951) +* Fix STM32 Hash FIFO and add support for STM32U5A9xx (PR 7787) +* Fix CMake build error for curl builds (PR 8021) +* SP Maths: PowerPC ASM fix to use XOR instead of LI (PR 8038) +* SSL loading of keys/certs: testing and fixes (PR 7789) +* Misc. fixes for Dilithium and Kyber (PR 7721,7765,7803,8027,7904) +* Fixes for building wolfBoot sources for PQ LMS/XMSS (PR 7868) +* Fixes for building with Kyber enabled using CMake and zephyr port (PR 7773) +* Fix for edge cases with session resumption with TLS 1.2 (PR 8097) +* Fix issue with ARM ASM with AES CFB/OFB not initializing the "left" member + (PR 8099) + + # wolfSSL Release 5.7.2 (July 08, 2024) Release 5.7.2 has been developed according to wolfSSL's development and QA diff --git a/Docker/Dockerfile b/Docker/Dockerfile index 1d17aae4ea..d2c01b05d3 100644 --- a/Docker/Dockerfile +++ b/Docker/Dockerfile @@ -10,7 +10,7 @@ ARG DEPS_WOLFSSL="build-essential autoconf libtool clang clang-tools zlib1g-dev ARG DEPS_LIBOQS="astyle cmake gcc ninja-build libssl-dev python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind git" ARG DEPS_UDP_PROXY="wget libevent-dev" ARG DEPS_TESTS="abi-dumper libcurl4-openssl-dev tcpdump libpsl-dev python3-pandas python3-tabulate libnl-genl-3-dev libcap-ng-dev python3-virtualenv curl jq" -ARG DEPS_TOOLS="ccache clang-tidy maven libfile-util-perl" +ARG DEPS_TOOLS="ccache clang-tidy maven libfile-util-perl android-tools-adb usbutils shellcheck" RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y apt-utils \ && apt install -y ${DEPS_WOLFSSL} ${DEPS_LIBOQS} ${DEPS_UDP_PROXY} ${DEPS_TESTS} ${DEPS_TOOLS} \ && apt clean -y && rm -rf /var/lib/apt/lists/* diff --git a/Docker/wolfCLU/Dockerfile b/Docker/wolfCLU/Dockerfile index da10d73dd6..1e9099df4a 100644 --- a/Docker/wolfCLU/Dockerfile +++ b/Docker/wolfCLU/Dockerfile @@ -1,5 +1,5 @@ ARG DOCKER_BASE_IMAGE=ubuntu -FROM ubuntu as BUILDER +FROM ubuntu AS builder ARG DEPS_WOLFSSL="build-essential autoconf libtool zlib1g-dev libuv1-dev libpam0g-dev git libpcap-dev libcurl4-openssl-dev bsdmainutils netcat-traditional iputils-ping bubblewrap" RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y apt-utils \ @@ -18,8 +18,8 @@ RUN git clone --depth=1 --single-branch --branch=main http://github.com/wolfssl/ FROM ${DOCKER_BASE_IMAGE} USER root -COPY --from=BUILDER /usr/local/lib/libwolfssl.so /usr/local/lib/ -COPY --from=BUILDER /usr/local/bin/wolfssl* /usr/local/bin/ +COPY --from=builder /usr/local/lib/libwolfssl.so /usr/local/lib/ +COPY --from=builder /usr/local/bin/wolfssl* /usr/local/bin/ RUN ldconfig ENTRYPOINT ["/usr/local/bin/wolfssl"] LABEL org.opencontainers.image.source=https://github.com/wolfssl/wolfssl diff --git a/IDE/Espressif/ESP-IDF/setup.sh b/IDE/Espressif/ESP-IDF/setup.sh old mode 100755 new mode 100644 index 908580b712..495b629219 --- a/IDE/Espressif/ESP-IDF/setup.sh +++ b/IDE/Espressif/ESP-IDF/setup.sh @@ -158,3 +158,4 @@ popd > /dev/null # if [ "${WOLFSSL_SETUP_VERBOSE}" == "true" ]; then echo "Copy complete!" fi + diff --git a/IDE/IAR-EWARM/Projects/benchmark/wolfCrypt-benchmark.ewp b/IDE/IAR-EWARM/Projects/benchmark/wolfCrypt-benchmark.ewp index 43d316fb94..18aa7462f8 100644 --- a/IDE/IAR-EWARM/Projects/benchmark/wolfCrypt-benchmark.ewp +++ b/IDE/IAR-EWARM/Projects/benchmark/wolfCrypt-benchmark.ewp @@ -937,7 +937,7 @@ diff --git a/IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp b/IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp index e3e4d78363..685c9f6fd8 100644 --- a/IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp +++ b/IDE/IAR-EWARM/Projects/lib/wolfSSL-Lib.ewp @@ -1593,7 +1593,7 @@ diff --git a/IDE/IAR-EWARM/Projects/test/wolfCrypt-test.ewp b/IDE/IAR-EWARM/Projects/test/wolfCrypt-test.ewp index ca0a950672..e48aba5f07 100644 --- a/IDE/IAR-EWARM/Projects/test/wolfCrypt-test.ewp +++ b/IDE/IAR-EWARM/Projects/test/wolfCrypt-test.ewp @@ -937,7 +937,7 @@ diff --git a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_benchmark_SAMV71_XULT/wolfcrypt_benchmark.ewp b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_benchmark_SAMV71_XULT/wolfcrypt_benchmark.ewp index 979e366374..b927b650c0 100644 --- a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_benchmark_SAMV71_XULT/wolfcrypt_benchmark.ewp +++ b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_benchmark_SAMV71_XULT/wolfcrypt_benchmark.ewp @@ -958,7 +958,7 @@ @@ -1627,7 +1627,7 @@ diff --git a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_lib_SAMV71_XULT/wolfcrypt_lib.ewp b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_lib_SAMV71_XULT/wolfcrypt_lib.ewp index 1f00a1fb39..bb7170c66d 100644 --- a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_lib_SAMV71_XULT/wolfcrypt_lib.ewp +++ b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_lib_SAMV71_XULT/wolfcrypt_lib.ewp @@ -1624,7 +1624,7 @@ diff --git a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_test_SAMV71_XULT/wolfcrypt_test.ewp b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_test_SAMV71_XULT/wolfcrypt_test.ewp index 9ed45e93af..f871fcef91 100644 --- a/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_test_SAMV71_XULT/wolfcrypt_test.ewp +++ b/IDE/IAR-EWARM/embOS/SAMV71_XULT/embOS_wolfcrypt_test_SAMV71_XULT/wolfcrypt_test.ewp @@ -958,7 +958,7 @@ @@ -1627,7 +1627,7 @@ diff --git a/IDE/MPLABX16/README.md b/IDE/MPLABX16/README.md index a35b6dec27..4402639561 100644 --- a/IDE/MPLABX16/README.md +++ b/IDE/MPLABX16/README.md @@ -38,7 +38,7 @@ steps below to generate that code. 2. Set the Project path to the wolfSSL/IDE/MPLABX16 and enter your PIC device into the interface. -3. Select MCC Clasic as the content type and click `Finish`. +3. Select MCC Classic as the content type and click `Finish`. 4. Under the Device Resources section, find the UART entry and add the UART1 peripheral. diff --git a/IDE/MPLABX16/wolfcrypt_test.X/Makefile b/IDE/MPLABX16/wolfcrypt_test.X/Makefile index fca8e2ccd1..3b52a8ba8d 100644 --- a/IDE/MPLABX16/wolfcrypt_test.X/Makefile +++ b/IDE/MPLABX16/wolfcrypt_test.X/Makefile @@ -22,7 +22,7 @@ # clean remove built files from a configuration # clobber remove all built files # all build all configurations -# help print help mesage +# help print help message # # Targets .build-impl, .clean-impl, .clobber-impl, .all-impl, and # .help-impl are implemented in nbproject/makefile-impl.mk. diff --git a/IDE/MPLABX16/wolfssl.X/Makefile b/IDE/MPLABX16/wolfssl.X/Makefile index fca8e2ccd1..3b52a8ba8d 100644 --- a/IDE/MPLABX16/wolfssl.X/Makefile +++ b/IDE/MPLABX16/wolfssl.X/Makefile @@ -22,7 +22,7 @@ # clean remove built files from a configuration # clobber remove all built files # all build all configurations -# help print help mesage +# help print help message # # Targets .build-impl, .clean-impl, .clobber-impl, .all-impl, and # .help-impl are implemented in nbproject/makefile-impl.mk. diff --git a/IDE/NDS/README.md b/IDE/NDS/README.md index 3a846d5871..4bacccb980 100644 --- a/IDE/NDS/README.md +++ b/IDE/NDS/README.md @@ -2,11 +2,34 @@ ## Requirements -[Devkitpro](https://devkitpro.org/wiki/Getting_Started) with libnds. +[Devkitpro](https://devkitpro.org/wiki/Getting_Started) with libnds, nds-tool and nds-dev. ## Building +For MelonDS +``` +$ ./configure \ + --host=arm-none-eabi \ + CC=$DEVKITARM/bin/arm-none-eabi-g++ \ + AR=$DEVKITARM/bin/arm-none-eabi-ar \ + STRIP=$DEVKITARM/bin/arm-none-eabi-strip \ + RANLIB=$DEVKITARM/bin/arm-none-eabi-ranlib \ + LIBS="-lfat -lnds9" \ + LDFLAGS="-L/opt/devkitpro/libnds/lib" \ + --prefix=$DEVKITPRO/portlibs/nds \ + CFLAGS="-march=armv5te -mtune=arm946e-s \ + --specs=ds_arm9.specs -DARM9 -DWOLFSSL_NDS \ + -DWOLFSSL_MELONDS \ + -DWOLFSSL_USER_IO \ + -I$DEVKITPRO/libnds/include" \ + --enable-fastmath --disable-benchmark \ + --disable-shared --disable-examples --disable-ecc +$ make +$ sudo make install +``` + +For Hardware ``` $ ./configure \ --host=arm-none-eabi \ @@ -30,7 +53,58 @@ $ sudo make install ## Run the Tests To run the Crypttests type the following. -1. Run `$ ndstool -9 ./wolfcrypt/test/testwolfcrypt -c ./wolfcrypt/test/testwolfcrypt.nds` -2. copy `./certs` to `your_nds_sd_card/_nds/certs` +Run `$ ndstool -9 ./wolfcrypt/test/testwolfcrypt -c ./wolfcrypt/test/testwolfcrypt.nds` + +copy `./certs` to `your_nds_sd_card/_nds/certs` (Follow Virtual SD card steps below for Emulator) + +Run the Rom (located in ./wolfcrypt/test/testwolfcrypt.nds) in an Emulator or real Hardware. -3. Run the Rom (located in ./wolfcrypt/test/testwolfcrypt.nds) in an Emulator or real Hardware. +If running on MelonDS it must be using the DSi mode in order to use certs from an SD card. + +## Making a virtual SD card (MacOS) + +``` +Create Virtual SD card image + +$ dd if=/dev/zero of=~/my_sd_card.img bs=1M count=64 + +Format image to FAT32 + +$ hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount ~/my_sd_card.img +$ diskutil eraseDisk FAT32 MYSDCARD MBRFormat /dev/diskX +$ hdiutil detach /dev/diskX + +Mount to Create Folder Structure and Copy Certs + +$ mkdir -p /Volumes/MYSDCARD/_nds +$ cp -r ~/wolfssl/certs /Volumes/MYSDCARD/_nds/ + +Unmount + +hdiutil detach /dev/diskX +``` + +## Making a virtual SD card (Linux) + +``` +Create Virtual SD card image + +$ dd if=/dev/zero of=~/my_sd_card.img bs=1M count=64 + +Format image to FAT32 + +$ sudo losetup -fP ~/my_sd_card.img +$ sudo losetup -l +$ sudo mkfs.vfat -F 32 /dev/loop0 +$ sudo losetup -d /dev/loop0 + +Mount to Create Folder Structure and Copy Certs + +$ sudo mount ~/my_sd_card.img /mnt +$ sudo mkdir -p /mnt/_nds +$ sudo cp -r ~/wolfssl/certs /mnt/_nds/ + +Unmount + +hdiutil detach /dev/diskX +``` diff --git a/IDE/Renesas/cs+/Projects/t4_demo/README_jp.txt b/IDE/Renesas/cs+/Projects/t4_demo/README_jp.txt index d03d443714..deeec5c618 100644 --- a/IDE/Renesas/cs+/Projects/t4_demo/README_jp.txt +++ b/IDE/Renesas/cs+/Projects/t4_demo/README_jp.txt @@ -1,71 +1,71 @@ -wolfSSL/AlphaProject{[hf@ZbgAbvKCh +wolfSSL/AlphaProjectボードデモ セットアップガイド -̃f͈ȉ̊‹ŃeXgĂ܂B +このデモは以下の環境でテストしています。 Renesas : CS+ v6.01, v8.01 Board : AP-RX71M-0A wolfSSL : 3.15.3, 4.0.0 -ZbgAbv菇F +セットアップ手順: -PD\tgEFA̓ -@- AP{[ht̃\tgEFAꎮKȃtH_[ɉ𓀂܂B -@- tH_[wolfsslꎮ𓀂܂B +1.ソフトウェアの入手 + - APボード付属のソフトウェア一式を適当なフォルダー下に解凍します。 + - 同じフォルダー下にwolfssl一式を解凍します。 -QDwolfSSL̃ZbgAbv -@- CS+ɂwolfssl\IDE\Renesas\cs+\Projectwolfssl\wolfssl_lib.mtpjJ -@@wolfSSLCu[̃rh܂B -@- tH_̉t4_demo.mtpjJAfvÕrh܂B -@̃vOCu[`Ńrh܂B +2.wolfSSLのセットアップ + - CS+にてwolfssl¥IDE¥Renesas¥cs+¥Project下のwolfssl¥wolfssl_lib.mtpjを開き +  wolfSSLライブラリーのビルドをします。 + - 同じフォルダの下のt4_demo.mtpjを開き、デモプログラムのビルドをします。 + このプログラムもライブラリー形式でビルドされます。 -RDAlphaProject̃ZbgAbv +3.AlphaProject側のセットアップ - !!** TvvO v2.0 gpꍇ́A_ether_ => _usbfunc_ **!! - !!** ƒuĂ **!! + !!** サンプルプログラム v2.0 を使用する場合は、_ether_ => _usbfunc_ **!! + !!** と置き換えてください **!! -@fap_rx71m_0a_sample_cs\Sample\ap_rx71m_0a_ether_sample_cstH_ -@ap_rx71m_0a_ether_sample_cs.mtpjvWFNg𗘗p܂B -@ -@- ap_rx71m_0a_sample_cs\Sample\ap_rx71m_0a_ether_sample_cs\srctH_ -@AP_RX71M_0A.ct@CJA -@XVsڂecho_srv_init()̉wolfSSL_init()}܂B + デモはap_rx71m_0a_sample_cs¥Sample¥ap_rx71m_0a_ether_sample_csフォルダ下の + ap_rx71m_0a_ether_sample_cs.mtpjプロジェクトを利用します。 +  + - ap_rx71m_0a_sample_cs¥Sample¥ap_rx71m_0a_ether_sample_cs¥srcフォルダ下の + AP_RX71M_0A.cファイルを開き、 + 97行目のecho_srv_init()の下にwolfSSL_init()を挿入します。 === sci_init(); can_init(); echo_srv_init(); - wolfSSL_init(); <- ̍s} + wolfSSL_init(); <- この行を挿入 === -!!** TvvO v2.0 gpꍇ́AL **!! +!!** サンプルプログラム v2.0 を使用する場合は、下記 **!! === CanInit(); SciInit(); EthernetAppInit(); UsbfInit(); - wolfSSL_init(); <- ̍s} + wolfSSL_init(); <- この行を挿入 === !!**********************************************************************!! -@- ap_rx71m_0a_sample_cs\Sample\ap_rx71m_0a_ether_sample_cs\src\smc_gen\r_bsp_config.h -@JAX^bNTCYƃq[vTCYȉ̂悤ɐݒ肵܂B -@ -@120s #pragma stacksize su=0x2000 -@139s #define BSP_CFG_HEAP_BYTES (0xa000) - -!!** TvvO v2.0 gpꍇ́AL **!! -@- ap_rx71m_0a_sample_cs\Sample\ap_rx71m_0a_usbfunc_sample_cs\src\smc_gen\r_bsp_config.h -@JAX^bNTCYƃq[vTCYȉ̂悤ɐݒ肵܂B -@154s #pragma stacksize su=0x2000 -@175s #define BSP_CFG_HEAP_BYTES (0xa000) + - ap_rx71m_0a_sample_cs¥Sample¥ap_rx71m_0a_ether_sample_cs¥src¥smc_gen¥r_bsp_config.h + を開き、スタックサイズとヒープサイズを以下のように設定します。 +  + 120行目 #pragma stacksize su=0x2000 + 139行目 #define BSP_CFG_HEAP_BYTES (0xa000) + +!!** サンプルプログラム v2.0 を使用する場合は、下記 **!! + - ap_rx71m_0a_sample_cs¥Sample¥ap_rx71m_0a_usbfunc_sample_cs¥src¥smc_gen¥r_bsp_config.h + を開き、スタックサイズとヒープサイズを以下のように設定します。 + 154行目 #pragma stacksize su=0x2000 + 175行目 #define BSP_CFG_HEAP_BYTES (0xa000) !!**********************************************************************!! -@- IPAhX̃ftHgl͈ȉ̂悤ɂȂĂ܂B -@Kv΁ASample\ap_rx71m_0a_ether_sample_cs\src\r_t4_rx\src\config_tcpudp.c -@139sڂ̒`ύX܂B -@!!** TvvO v2.0 gpꍇ́AL **!! - Sample\ap_rx71m_0a_usbfunc_sample_cs\src\tcp_sample\src\config_tcpudp.c - 166sڂ̒`ύX܂B + - IPアドレスのデフォルト値は以下のようになっています。 + 必要があれば、Sample¥ap_rx71m_0a_ether_sample_cs¥src¥r_t4_rx¥src¥config_tcpudp.c + 内の139行目からの定義を変更します。 + !!** サンプルプログラム v2.0 を使用する場合は、下記 **!! + Sample¥ap_rx71m_0a_usbfunc_sample_cs¥src¥tcp_sample¥src¥config_tcpudp.c + 内の166行目からの定義を変更します。 !!**********************************************************************!! === @@ -75,74 +75,74 @@ wolfSSL/AlphaProject === -@- CS+ap_rx71m_0a_ether_sample_cs.mtpjvWFNgJAwolfSSLƃfCu -@o^܂BCC-RX(rhc[)->NEIvV^u->gp郉Cu -@ȉ̓‚̃t@Co^܂B -@wolfssl\IDE\Renesas\cs+\Projects\wolfssl_lib\DefaultBuild\wolfssl_lib.lib -@wolfssl\IDE\Renesas\cs+\Projects\t4_demo\DefaultBuild\t4_demo.lib + - CS+でap_rx71m_0a_ether_sample_cs.mtpjプロジェクトを開き、wolfSSLとデモライブラリを + 登録します。CC-RX(ビルドツール)->リンク・オプションタブ->使用するライブラリに + 以下の二つのファイルを登録します。 + wolfssl¥IDE¥Renesas¥cs+¥Projects¥wolfssl_lib¥DefaultBuild¥wolfssl_lib.lib + wolfssl¥IDE¥Renesas¥cs+¥Projects¥t4_demo¥DefaultBuild¥t4_demo.lib -- CC-RX(rhc[)->Cu[WFl[V^u->Cu[\uC99vɁA -ctype.hLɂu͂vɐݒ肵܂B +- CC-RX(ビルドツール)->ライブラリージェネレーションタブ->ライブラリー構成を「C99」に、 +ctype.hを有効にするを「はい」に設定します。 -@- vWFNg̃rhA^[Qbgւ̃_E[ĥA\->fobOER\[ -@R\[\܂BsJnƃR\[Ɉȉ̕\o͂܂B -@ + - プロジェクトのビルド、ターゲットへのダウンロードをしたのち、表示->デバッグ・コンソール + からコンソールを表示させます。実行を開始するとコンソールに以下の表示が出力されます。 +  === -@wolfSSL Demo + wolfSSL Demo t: test, b: benchmark, s: server, or c : client $ === -tR}hFeÍASY̊ȒPȃeXgs܂BṽASY -@gݍ܂Ă邩mF邱Ƃł܂BgݍރASY̓rhIvV -@ŕύX邱Ƃł܂Bڂ̓[U}jAQƂĂB -bR}hFeÍASYƂ̊ȒPȃx`}[Ns܂B -sR}hFȒPTLST[oN܂BNƃrhIPAhXA -@|[g50000ɂTLSڑ҂܂B -cR}hFȒPTLSNCAgN܂BNƑA[MgŎw肳ꂽ -@IPAhXAA[MgŎw肳ꂽ|[gɑ΂TLSڑ܂B - -̃R}hP̂ݎs܂BJԂsꍇ́AMPUZbg -ċN܂B - -SDΌeXg -@f̂AR}hgāA̋@ƊȒPȑΌeXg邱Ƃł܂B -@UbuntuȂǂGCC, make‹AWindowsVisual StudioȂǂ -@ΌeXgp̃T[oANCAgrh邱Ƃł܂B - -@GCC,makeR}h‹ł́A_E[h𓀂wolfssl̃fBNgňȉ -@R}h𔭍sƁACuAeXgp̃NCAgAT[oȂLjꎮrh -@܂B -@ -@$ ./configure -@$ make check -@ -@̌Aȉ̂悤ȎwŃNCAg܂̓T[oNāA{[h -@fƑΌeXg邱Ƃł܂B -@ -@PCF -@$ ./examples/server/server -b -d -@{[hF -@@> c 11111 - -@{[hF -@@> s -@PCF@ -@$ ./examples/client/client -h -p 50000 -@ -@ -@WindowsVisual Studioł́A_E[h𓀂wolfssltH_wolfssl64.sln -@JA\[Vrh܂BDebugtH_Ƀrhclient.exe -@server.exe𗘗p܂B -@ - PCF -@Debug> .\server -b -d -@{[hF -@@> c 11111 - -@{[hF -@@> s -@PCF -@Debug> .\client -h -p 50000 - -ȏA \ No newline at end of file +tコマンド:各暗号化アルゴリズムの簡単なテストを実行します。所要のアルゴリズムが + 組み込まれているか確認することができます。組み込むアルゴリズムはビルドオプション + で変更することができます。詳しくはユーザマニュアルを参照してください。 +bコマンド:各暗号アルゴリズムごとの簡単なベンチマークを実行します。 +sコマンド:簡単なTLSサーバを起動します。起動するとビルド時のIPアドレス、 + ポート50000にてTLS接続を待ちます。 +cコマンド:簡単なTLSクライアントを起動します。起動すると第一アーギュメントで指定された + IPアドレス、第二アーギュメントで指定されたポートに対してTLS接続します。 + +いずれのコマンドも1回のみ実行します。繰り返し実行したい場合は、MPUをリセットして +再起動します。 + +4.対向テスト + デモのs、cコマンドを使って、他の機器と簡単な対向テストをすることができます。 + UbuntuなどのGCC, make環境、WindowsのVisual Studioなどで + 対向テスト用のサーバ、クライアントをビルドすることができます。 + + GCC,makeコマンド環境では、ダウンロード解凍したwolfsslのディレクトリ下で以下の + コマンドを発行すると、ライブラリ、テスト用のクライアント、サーバなど一式がビルド + されます。 +  + $ ./configure + $ make check +  + その後、以下のような指定でクライアントまたはサーバを起動して、ボード上の + デモと対向テストすることができます。 +  + PC側: + $ ./examples/server/server -b -d + ボード側: +  > c 11111 + + ボード側: +  > s + PC側:  + $ ./examples/client/client -h -p 50000 +  +  + WindowsのVisual Studioでは、ダウンロード解凍したwolfsslフォルダ下のwolfssl64.sln + を開き、ソリューションをビルドします。Debugフォルダ下にビルドされるclient.exeと + server.exeを利用します。 +  + PC側: + Debug> .¥server -b -d + ボード側: +  > c 11111 + + ボード側: +  > s + PC側: + Debug> .¥client -h -p 50000 + +以上、 \ No newline at end of file diff --git a/IDE/Renesas/e2studio/RA6M3/README.md b/IDE/Renesas/e2studio/RA6M3/README.md index a1cc8b9e62..285d897992 100644 --- a/IDE/Renesas/e2studio/RA6M3/README.md +++ b/IDE/Renesas/e2studio/RA6M3/README.md @@ -67,7 +67,7 @@ The following steps explain how to generate the missing files and where to place |Thread Symbol|wolfssl_tst_thread| |Thread Name|wolf_tst_thread| |Thread Stack size|increase depending on your environment
e.g. 0xA000| -|Thread MemoryAllocation|Dyamic| +|Thread MemoryAllocation|Dynamic| |Common General Use Mutexes|Enabled| |Common General Enable Backward Compatibility|Enabled| |Common Memory Allocation Support Dynamic Allocation|Enabled| diff --git a/IDE/Renesas/e2studio/RA6M4/README.md b/IDE/Renesas/e2studio/RA6M4/README.md index b93879d986..5afae29841 100644 --- a/IDE/Renesas/e2studio/RA6M4/README.md +++ b/IDE/Renesas/e2studio/RA6M4/README.md @@ -74,7 +74,7 @@ The wolfssl Project Summary is listed below and is relevant for every project. |Thread Symbol|sce_tst_thread| |Thread Name|sce_tst_thread| |Thread Stack size|increase depending on your environment
e.g. 0xA000| -|Thread MemoryAllocation|Dyamic| +|Thread MemoryAllocation|Dynamic| |Common General Use Mutexes|Enabled| |Common General Enable Backward Compatibility|Enabled| |Common Memory Allocation Support Dynamic Allocation|Enabled| diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c b/IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c index eb025be711..f5f5375128 100644 --- a/IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c +++ b/IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c @@ -18,6 +18,8 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ + +#include #include "SEGGER_RTT.h" #define SEGGER_INDEX (0) diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c b/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c index 19c523f6c9..67dc25983c 100644 --- a/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c +++ b/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c @@ -23,6 +23,7 @@ #include #include +#include /* var_arg */ #include #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/ssl.h" diff --git a/IDE/Renesas/e2studio/RA6M4/tools/README.md b/IDE/Renesas/e2studio/RA6M4/tools/README.md index dcb17b70ab..0658c03a12 100644 --- a/IDE/Renesas/e2studio/RA6M4/tools/README.md +++ b/IDE/Renesas/e2studio/RA6M4/tools/README.md @@ -1,7 +1,7 @@ # Create/Update Signed CA This document describes how to create/update Signed CA data that is used at an example program. -## Signed CA Creatation +## Signed CA Creation ### Generate RSA Key pair ``` 2048 bit RSA key pair @@ -35,5 +35,5 @@ There are multiple example keys for testing in the `example_keys` folder. | +----+ rsa_private.pem an example 2048-bit rsa private key for signing CA cert + rsa_public.pem an example 2048-bit rsa public key for verifying CA cert - + generate_signCA.sh an example script to genearte signed-certificate data for the example program + + generate_signCA.sh an example script to generate signed-certificate data for the example program ``` diff --git a/IDE/Renesas/e2studio/RA6M4/tools/example_keys/generate_SignedCA.sh b/IDE/Renesas/e2studio/RA6M4/tools/example_keys/generate_SignedCA.sh index 772f5ddfa1..ad73a5edcc 100755 --- a/IDE/Renesas/e2studio/RA6M4/tools/example_keys/generate_SignedCA.sh +++ b/IDE/Renesas/e2studio/RA6M4/tools/example_keys/generate_SignedCA.sh @@ -37,7 +37,7 @@ openssl dgst -sha256 -sign $1 -sigopt $SIGOPT -sigopt $SIGOPT2 -out ${CURRENT}/$ echo Verify by private key openssl dgst -sha256 -prverify $1 -sigopt $SIGOPT -sigopt $SIGOPT2 -signature ${CURRENT}/${signed_file}.sign $3 -echo Verifiy by public key +echo Verify by public key openssl dgst -sha256 -verify $2 -sigopt $SIGOPT -sigopt $SIGOPT2 -signature ${CURRENT}/${signed_file}.sign $3 # Convert Signed CA to c source diff --git a/IDE/Renesas/e2studio/RX65N/GR-ROSE/tools/README.md b/IDE/Renesas/e2studio/RX65N/GR-ROSE/tools/README.md index dcb17b70ab..0658c03a12 100644 --- a/IDE/Renesas/e2studio/RX65N/GR-ROSE/tools/README.md +++ b/IDE/Renesas/e2studio/RX65N/GR-ROSE/tools/README.md @@ -1,7 +1,7 @@ # Create/Update Signed CA This document describes how to create/update Signed CA data that is used at an example program. -## Signed CA Creatation +## Signed CA Creation ### Generate RSA Key pair ``` 2048 bit RSA key pair @@ -35,5 +35,5 @@ There are multiple example keys for testing in the `example_keys` folder. | +----+ rsa_private.pem an example 2048-bit rsa private key for signing CA cert + rsa_public.pem an example 2048-bit rsa public key for verifying CA cert - + generate_signCA.sh an example script to genearte signed-certificate data for the example program + + generate_signCA.sh an example script to generate signed-certificate data for the example program ``` diff --git a/IDE/Renesas/e2studio/RX65N/GR-ROSE/tools/example_keys/generate_SignedCA.sh b/IDE/Renesas/e2studio/RX65N/GR-ROSE/tools/example_keys/generate_SignedCA.sh index dd56430ae2..c5b3fa91e5 100755 --- a/IDE/Renesas/e2studio/RX65N/GR-ROSE/tools/example_keys/generate_SignedCA.sh +++ b/IDE/Renesas/e2studio/RX65N/GR-ROSE/tools/example_keys/generate_SignedCA.sh @@ -37,7 +37,7 @@ openssl dgst -sha256 -sign $1 -sigopt $SIGOPT -sigopt $SIGOPT2 -out ${CURRENT}/$ echo Verify by private key openssl dgst -sha256 -prverify $1 -sigopt $SIGOPT -sigopt $SIGOPT2 -signature ${CURRENT}/${signed_file}.sign $3 -echo Verifiy by public key +echo Verify by public key openssl dgst -sha256 -verify $2 -sigopt $SIGOPT -sigopt $SIGOPT2 -signature ${CURRENT}/${signed_file}.sign $3 # Convert Signed CA to c source diff --git a/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/common/wolfssl_dummy.c b/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/common/wolfssl_dummy.c index 3e4c1e56ea..987436d93a 100644 --- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/common/wolfssl_dummy.c +++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/common/wolfssl_dummy.c @@ -21,15 +21,32 @@ #include -#define YEAR 2024 -#define MON 7 - static int tick = 0; +#define YEAR ( \ + ((__DATE__)[7] - '0') * 1000 + \ + ((__DATE__)[8] - '0') * 100 + \ + ((__DATE__)[9] - '0') * 10 + \ + ((__DATE__)[10] - '0') * 1 \ +) + +#define MONTH ( \ + __DATE__[2] == 'n' ? (__DATE__[1] == 'a' ? 1 : 6) \ + : __DATE__[2] == 'b' ? 2 \ + : __DATE__[2] == 'r' ? (__DATE__[0] == 'M' ? 3 : 4) \ + : __DATE__[2] == 'y' ? 5 \ + : __DATE__[2] == 'l' ? 7 \ + : __DATE__[2] == 'g' ? 8 \ + : __DATE__[2] == 'p' ? 9 \ + : __DATE__[2] == 't' ? 10 \ + : __DATE__[2] == 'v' ? 11 \ + : 12 \ + ) + time_t time(time_t *t) { (void)t; - return ((YEAR-1970)*365+30*MON)*24*60*60 + tick++; + return ((YEAR-1970)*365+30*MONTH)*24*60*60 + tick++; } #include diff --git a/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/test/src/test_main.c b/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/test/src/test_main.c index 276ab79a7f..e9869f7db2 100644 --- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/test/src/test_main.c +++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/Simple/test/src/test_main.c @@ -65,6 +65,7 @@ extern "C" { static long tick; static void timeTick(void *pdata) { + (void)pdata; tick++; } diff --git a/IDE/Renesas/e2studio/RX72N/EnvisionKit/tools/README.md b/IDE/Renesas/e2studio/RX72N/EnvisionKit/tools/README.md index 6a4ea144ee..58f5d6f552 100644 --- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/tools/README.md +++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/tools/README.md @@ -1,7 +1,7 @@ # Create/Update Signed CA This document describes how to create/update Signed CA data that is used at an example program. -## Signed CA Creatation +## Signed CA Creation ### Generate RSA Key pair ``` 2048 bit RSA key pair @@ -35,5 +35,5 @@ There are multiple example keys for testing in the `example_keys` folder. | +----+ rsa_private.pem an example 2048-bit rsa private key for signing CA cert + rsa_public.pem an example 2048-bit rsa public key for verifying CA cert - + generate_signCA.sh an example script to genearte signed-certificate data for the example program + + generate_signCA.sh an example script to generate signed-certificate data for the example program ``` diff --git a/IDE/Renesas/e2studio/RX72N/EnvisionKit/tools/example_keys/generate_SignedCA.sh b/IDE/Renesas/e2studio/RX72N/EnvisionKit/tools/example_keys/generate_SignedCA.sh index d603f2c6e7..aeb994f8a9 100755 --- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/tools/example_keys/generate_SignedCA.sh +++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/tools/example_keys/generate_SignedCA.sh @@ -37,7 +37,7 @@ openssl dgst -sha256 -sign $1 -sigopt $SIGOPT -sigopt $SIGOPT2 -out ${CURRENT}/$ echo Verify by private key openssl dgst -sha256 -prverify $1 -sigopt $SIGOPT -sigopt $SIGOPT2 -signature ${CURRENT}/${signed_file}.sign $3 -echo Verifiy by public key +echo Verify by public key openssl dgst -sha256 -verify $2 -sigopt $SIGOPT -sigopt $SIGOPT2 -signature ${CURRENT}/${signed_file}.sign $3 # Convert Signed CA to c source diff --git a/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/user_settings.h b/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/user_settings.h index 06841e3191..7c03487e22 100644 --- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/user_settings.h +++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/user_settings.h @@ -240,12 +240,17 @@ #if defined(WOLFSSL_RENESAS_TSIP) /*-- TSIP TLS and/or CRYPTONLY Definition --------------------------------*/ /* Enable TSIP TLS (default) - * TSIP CRYPTONLY is also enabled. + * TSIP CRYPT is also enabled. * Disable TSIP TLS + * TSIP CRYPT is also disabled * TSIP CRYPTONLY is only enabled. */ #define WOLFSSL_RENESAS_TSIP_TLS + /* #define WOLFSSL_RENESAS_TSIP_CRYPTONLY */ + /* #define WOLFSSL_KEY_GEN */ + /* #define RSA_MIN_SIZE 1024 */ + #if !defined(NO_RENESAS_TSIP_CRYPT) #define HAVE_PK_CALLBACKS #define WOLF_CRYPTO_CB @@ -267,13 +272,13 @@ * directly. Comment out the macro will generate random number by * wolfSSL Hash DRBG by using a seed which is generated by TSIP API. *-----------------------------------------------------------------------*/ - #define CUSTOM_RAND_GENERATE_BLOCK wc_tsip_GenerateRandBlock + #define CUSTOM_RAND_GENERATE_BLOCK wc_tsip_GenerateRandBlock #else #define OPENSSL_EXTRA #define WOLFSSL_GENSEED_FORTEST /* Warning: define your own seed gen */ - #if !defined(min) - #define min(data1, data2) _builtin_min(data1, data2) - #endif + #if !defined(min) + #define min(data1, data2) _builtin_min(data1, data2) + #endif #endif diff --git a/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/wolfssl_demo.c b/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/wolfssl_demo.c index 73c001457b..b5771d4b42 100644 --- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/wolfssl_demo.c +++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/wolfssl_demo.c @@ -23,9 +23,7 @@ #include #include #include - - - +#include #include #include "wolfssl/ssl.h" diff --git a/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/wolfssl_tsip_unit_test.c b/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/wolfssl_tsip_unit_test.c index 1b84878d3c..b7f9df1383 100644 --- a/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/wolfssl_tsip_unit_test.c +++ b/IDE/Renesas/e2studio/RX72N/EnvisionKit/wolfssl_demo/wolfssl_tsip_unit_test.c @@ -56,11 +56,11 @@ #endif #ifndef NO_SHA - int sha_test(); + int sha_test(void); #endif #ifndef NO_SHA256 - int sha256_test(); + int sha256_test(void); #endif #define SMALL_STACK_SIZE (1 * 1024) @@ -408,10 +408,10 @@ static int tsip_aesgcm256_test(int prnt, tsip_aes_key_index_t* aes256_key) printf(" tsip_aes256_gcm_test() "); } - ForceZero(resultT, sizeof(resultT)); - ForceZero(resultC, sizeof(resultC)); - ForceZero(resultP, sizeof(resultP)); - ForceZero(&userContext, sizeof(TsipUserCtx)); + XMEMSET(resultT, 0, sizeof(resultT)); + XMEMSET(resultC, 0, sizeof(resultC)); + XMEMSET(resultP, 0, sizeof(resultP)); + XMEMSET(&userContext, 0, sizeof(TsipUserCtx)); if (wc_AesInit(enc, NULL, INVALID_DEVID) != 0) { ret = -1; @@ -434,10 +434,11 @@ static int tsip_aesgcm256_test(int prnt, tsip_aes_key_index_t* aes256_key) } /* AES-GCM encrypt and decrypt both use AES encrypt internally */ - result = wc_tsip_AesGcmEncrypt(enc, resultC, p, sizeof(p), - (byte*)iv1, sizeof(iv1), resultT, sizeof(resultT), - a, sizeof(a), &userContext); - + result = wc_tsip_AesGcmEncrypt(enc, + resultC, p, sizeof(p), + (byte*)iv1, sizeof(iv1), resultT, sizeof(resultT), + a, sizeof(a), &userContext + ); if (result != 0) { ret = -4; goto out; @@ -451,9 +452,11 @@ static int tsip_aesgcm256_test(int prnt, tsip_aes_key_index_t* aes256_key) dec->ctx.keySize = enc->keylen; } - result = wc_tsip_AesGcmDecrypt(dec, resultP, resultC, sizeof(c1), - iv1, sizeof(iv1), resultT, sizeof(resultT), - a, sizeof(a), &userContext); + result = wc_tsip_AesGcmDecrypt(dec, + resultP, resultC, sizeof(c1), + iv1, sizeof(iv1), resultT, sizeof(resultT), + a, sizeof(a), &userContext + ); if (result != 0){ ret = -8; goto out; @@ -469,18 +472,21 @@ static int tsip_aesgcm256_test(int prnt, tsip_aes_key_index_t* aes256_key) wc_AesGcmSetKey(enc, k1, sizeof(k1)); /* AES-GCM encrypt and decrypt both use AES encrypt internally */ - result = wc_tsip_AesGcmEncrypt(enc, resultC, p, sizeof(p), iv1, sizeof(iv1), - resultT + 1, sizeof(resultT) - 1, - a, sizeof(a), &userContext); + result = wc_tsip_AesGcmEncrypt(enc, + resultC, p, sizeof(p), iv1, sizeof(iv1), + resultT + 1, sizeof(resultT) - 1, + a, sizeof(a), &userContext + ); if (result != 0) { ret = -10; goto out; } - result = wc_tsip_AesGcmDecrypt(enc, resultP, resultC, sizeof(p), - iv1, sizeof(iv1), resultT + 1, sizeof(resultT) - 1, - a, sizeof(a), &userContext); - + result = wc_tsip_AesGcmDecrypt(enc, + resultP, resultC, sizeof(p), + iv1, sizeof(iv1), resultT + 1, sizeof(resultT) - 1, + a, sizeof(a), &userContext + ); if (result != 0) { ret = -11; goto out; @@ -523,7 +529,7 @@ static void tskAes256_Gcm_Test(void *pvParam) #endif /* FREERTOS */ #endif -#if defined(WOLFSSL_AES_128) +#if defined(WOLFSSL_AES_128) && defined(HAVE_AESGCM) static int tsip_aesgcm128_test(int prnt, tsip_aes_key_index_t* aes128_key) { @@ -568,9 +574,9 @@ static int tsip_aesgcm128_test(int prnt, tsip_aes_key_index_t* aes128_key) 0x31, 0x2e, 0x2a, 0xf9, 0x57, 0x7a, 0x1e, 0xa6 }; - byte resultT[16]; - byte resultP[60 + AES_BLOCK_SIZE]; - byte resultC[60 + AES_BLOCK_SIZE]; + byte resultT[sizeof(t3)]; + byte resultP[sizeof(p3) + AES_BLOCK_SIZE]; + byte resultC[sizeof(p3) + AES_BLOCK_SIZE]; int result = 0; int ret; @@ -581,10 +587,10 @@ static int tsip_aesgcm128_test(int prnt, tsip_aes_key_index_t* aes128_key) printf(" tsip_aes128_gcm_test() "); } - ForceZero(resultT, sizeof(resultT)); - ForceZero(resultC, sizeof(resultC)); - ForceZero(resultP, sizeof(resultP)); - ForceZero(&userContext, sizeof(TsipUserCtx)); + XMEMSET(resultT, 0, sizeof(resultT)); + XMEMSET(resultC, 0, sizeof(resultC)); + XMEMSET(resultP, 0, sizeof(resultP)); + XMEMSET(&userContext, 0, sizeof(TsipUserCtx)); if (wc_AesInit(enc, NULL, INVALID_DEVID) != 0) { ret = -1; @@ -607,21 +613,27 @@ static int tsip_aesgcm128_test(int prnt, tsip_aes_key_index_t* aes128_key) enc->ctx.keySize = enc->keylen; } /* AES-GCM encrypt and decrypt both use AES encrypt internally */ - result = wc_tsip_AesGcmEncrypt(enc, resultC, p3, sizeof(p3), - iv3, sizeof(iv3), - resultT, sizeof(t3), - a3, sizeof(a3), &userContext); + result = wc_tsip_AesGcmEncrypt(enc, + resultC, p3, sizeof(p3), + iv3, sizeof(iv3), + resultT, sizeof(t3), + a3, sizeof(a3), &userContext + ); if (result != 0) { ret = -4; goto out; } - result = wc_tsip_AesGcmDecrypt(enc, resultP, resultC, sizeof(c3), - iv3, sizeof(iv3), resultT, sizeof(resultT), - a3, sizeof(a3), &userContext); + + result = wc_tsip_AesGcmDecrypt(enc, + resultP, resultC, sizeof(c3), + iv3, sizeof(iv3), resultT, sizeof(resultT), + a3, sizeof(a3), &userContext + ); if (result != 0) { ret = -5; goto out; } + if (XMEMCMP(p3, resultP, sizeof(p3))) { ret = -6; goto out; @@ -711,41 +723,128 @@ static void tskSha256_Test(void *pvParam) #define TEST_STRING_SZ 25 #define RSA_TEST_BYTES 256 /* up to 2048-bit key */ +static int tsip_rsa_test(int prnt, int keySize) +{ + int ret = 0; + + RsaKey *key = NULL; + WC_RNG rng; + const char inStr [] = TEST_STRING; + const word32 inLen = (word32)TEST_STRING_SZ; + const word32 outSz = RSA_TEST_BYTES; + word32 out_actual_len = 0; + byte *in = NULL; + byte *out= NULL; + byte *outplain = NULL; + int initRsa = 0; + int devId = 7890; /* fixed devid for TSIP/SCE */ + + XMEMSET(&rng, 0, sizeof(rng)); + + key = (RsaKey *)XMALLOC(sizeof(*key), NULL, DYNAMIC_TYPE_TMP_BUFFER); + in = (byte*)XMALLOC(inLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); + out = (byte*)XMALLOC(outSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + outplain = (byte*)XMALLOC(outSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + if (key == NULL || in == NULL || out == NULL || outplain == NULL) { + ret = -1; + goto out; + } + + XMEMSET(key, 0, sizeof(*key)); + XMEMCPY(in, inStr, inLen); + XMEMSET(out, 0, outSz); + XMEMSET(outplain, 0, outSz); + + ret = wc_InitRsaKey_ex(key, NULL, devId); + if (ret != 0) { + goto out; + } + initRsa = 1; + + if ((ret = wc_InitRng(&rng)) != 0) + goto out; + + if ((ret = wc_RsaSetRNG(key, &rng)) != 0) + goto out; + + /* Generate a new RSA key to use with TSIP/SCE */ + if ((ret = wc_MakeRsaKey(key, keySize, 65537, &rng)) != 0) { + goto out; + } + + ret = wc_RsaPublicEncrypt(in, inLen, out, outSz, key, &rng); + if (ret < 0) { + goto out; + } + + ret = wc_RsaPrivateDecrypt(out, (word32)(keySize/8), outplain, outSz, key); + if (ret < 0) { + ret = -1; + goto out; + } + + if (XMEMCMP(in, outplain, inLen) != 0) { + ret = -2; + goto out; + } + + ret = 0; +out: + + wc_FreeRng(&rng); + if (key != NULL) { + if (initRsa) + wc_FreeRsaKey(key); + XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + XFREE(in, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(outplain, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + (void)prnt; + return ret; +} + + static int tsip_rsa_SignVerify_test(int prnt, int keySize) { int ret = 0; - RsaKey *key = (RsaKey *)XMALLOC(sizeof *key, NULL, DYNAMIC_TYPE_TMP_BUFFER); + RsaKey *key = NULL; WC_RNG rng; const char inStr [] = TEST_STRING; const char inStr2[] = TEST_STRING2; const word32 inLen = (word32)TEST_STRING_SZ; const word32 outSz = RSA_TEST_BYTES; - + word32 signSz = 0; byte *in = NULL; byte *in2 = NULL; byte *out= NULL; + int initRsa = 0; + int devId = 7890; /* fixed devid for TSIP/SCE */ + + XMEMSET(&rng, 0, sizeof(rng)); + key = (RsaKey *)XMALLOC(sizeof(*key), NULL, DYNAMIC_TYPE_TMP_BUFFER); in = (byte*)XMALLOC(inLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); in2 = (byte*)XMALLOC(inLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); - out= (byte*)XMALLOC(outSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - (void) prnt; + out = (byte*)XMALLOC(outSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (key == NULL || in == NULL || out == NULL) { ret = -1; goto out; } - XMEMSET(&rng, 0, sizeof(rng)); - XMEMSET(key, 0, sizeof *key); + XMEMSET(key, 0, sizeof(*key)); XMEMCPY(in, inStr, inLen); XMEMCPY(in2, inStr2, inLen); - ret = wc_InitRsaKey_ex(key, NULL, 7890/* fixed devid for TSIP/SCE*/); + ret = wc_InitRsaKey_ex(key, NULL, devId); if (ret != 0) { goto out; } + initRsa = 1; if ((ret = wc_InitRng(&rng)) != 0) goto out; @@ -753,7 +852,7 @@ static int tsip_rsa_SignVerify_test(int prnt, int keySize) if ((ret = wc_RsaSetRNG(key, &rng)) != 0) goto out; - /* make rsa key by SCE */ + /* Generate a new RSA key to use with TSIP/SCE */ if ((ret = wc_MakeRsaKey(key, keySize, 65537, &rng)) != 0) { goto out; } @@ -762,36 +861,42 @@ static int tsip_rsa_SignVerify_test(int prnt, int keySize) if (ret < 0) { goto out; } + signSz = ret; /* this should fail */ - ret = wc_RsaSSL_Verify(in2, inLen, out, keySize/8, key); + ret = wc_RsaSSL_Verify(out, signSz, in2, inLen, key); if (ret != SIG_VERIFY_E) { ret = -1; goto out; } /* this should succeed */ - ret = wc_RsaSSL_Verify(in, inLen, out, keySize/8, key); + ret = wc_RsaSSL_Verify(out, signSz, in, inLen, key); if (ret < 0) { ret = -1; goto out; } ret = 0; + out: + + wc_FreeRng(&rng); if (key != NULL) { - wc_FreeRsaKey(key); + if (initRsa) + wc_FreeRsaKey(key); XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); } XFREE(in, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(in2, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + (void)prnt; return ret; } #endif /* NO_RSA */ #ifdef TSIP_MULTIUNIT_TEST -int tsip_crypt_sha_multitest() +int tsip_crypt_sha_multitest(void) { int ret = 0; int num = 0; @@ -849,7 +954,7 @@ int tsip_crypt_sha_multitest() } -int tsip_crypt_AesCbc_multitest() +int tsip_crypt_AesCbc_multitest(void) { int ret = 0; int num = 0; @@ -930,7 +1035,7 @@ int tsip_crypt_AesCbc_multitest() } -int tsip_crypt_AesGcm_multitest() +int tsip_crypt_AesGcm_multitest(void) { int ret = 0; int num = 0; @@ -1009,7 +1114,7 @@ int tsip_crypt_AesGcm_multitest() return ret; } -int tsip_crypt_Sha_AesCbcGcm_multitest() +int tsip_crypt_Sha_AesCbcGcm_multitest(void) { int ret = 0; int num = 0; @@ -1089,7 +1194,7 @@ int tsip_crypt_Sha_AesCbcGcm_multitest() #endif -int tsip_crypt_test() +int tsip_crypt_test(void) { int ret = 0; e_tsip_err_t tsip_error_code; @@ -1132,6 +1237,7 @@ int tsip_crypt_test() } +#ifdef HAVE_AESGCM if (ret == 0) { ret = tsip_aesgcm128_test(1, &g_user_aes128_key_index1); @@ -1143,8 +1249,10 @@ int tsip_crypt_test() ret = tsip_aesgcm256_test(1, &g_user_aes256_key_index1); } - #if defined(WOLFSSL_KEY_GEN) && \ - defined(WOLFSSL_RENESAS_TSIP_CRYPTONLY) +#endif + +#if defined(WOLFSSL_KEY_GEN) && \ + defined(WOLFSSL_RENESAS_TSIP_CRYPTONLY) if (ret == 0) { Clr_CallbackCtx(&userContext); @@ -1155,6 +1263,23 @@ int tsip_crypt_test() ret = 0; } +#if RSA_MIN_SIZE <= 1024 + if (ret == 0) { + userContext.wrappedKeyType = TSIP_KEY_TYPE_RSA1024; + printf(" tsip_rsa_test(1024)"); + ret = tsip_rsa_test(1, 1024); + RESULT_STR(ret) + } +#endif + if (ret == 0) { + userContext.wrappedKeyType = TSIP_KEY_TYPE_RSA2048; + printf(" tsip_rsa_test(2048)"); + ret = tsip_rsa_test(1, 2048); + RESULT_STR(ret) + } + + +#if RSA_MIN_SIZE <= 1024 if (ret == 0) { printf(" tsip_rsa_SignVerify_test(1024)"); @@ -1167,6 +1292,7 @@ int tsip_crypt_test() } Clr_CallbackCtx(&userContext); +#endif if (ret == 0) { printf(" tsip_rsa_SignVerify_test(2048)"); @@ -1180,12 +1306,11 @@ int tsip_crypt_test() } Clr_CallbackCtx(&userContext); - #endif +#endif /* WOLFSSL_KEY_GEN && WOLFSSL_RENESAS_TSIP_CRYPTONLY */ } - else + else { ret = -1; - - + } return ret; } diff --git a/IDE/STM32Cube/README.md b/IDE/STM32Cube/README.md index 7268d81f82..7a7125cd6f 100644 --- a/IDE/STM32Cube/README.md +++ b/IDE/STM32Cube/README.md @@ -37,6 +37,9 @@ You need both the STM32 IDE and the STM32 initialization code generator (STM32Cu 8. The Benchmark example uses float. To enable go to "Project Properties" -> "C/C++ Build" -> "Settings" -> "Tool Settings" -> "MCU Settings" -> Check "Use float with printf". 9. To enable printf make the `main.c` changes below in the [STM32 Printf](#stm32-printf) section. + +**Note:** The STM32MP13 will likely require you to use DDR RAM, as well as enabling MMU and caches for optimum performance. Please see the `STM32MP13.md` file in `wolfcrypt/src/port/st` for more information on how to do this. + ### Creating your own STM32CubeMX configuration If none of the examples fit your STM32 type then you can create your own in STM32CubeMX by doing the following: @@ -90,10 +93,11 @@ The section for "Hardware platform" may need to be adjusted depending on your pr * To enable STM32WL support define `WOLFSSL_STM32WL`. * To enable STM32U5 support define `WOLFSSL_STM32U5`. * To enable STM32H5 support define `WOLFSSL_STM32H5`. +* To enable STM32MP13 support define `WOLFSSL_STM32MP13`. To use the STM32 Cube HAL support make sure `WOLFSSL_STM32_CUBEMX` is defined. -The PKA acceleration for ECC is available on some U5, L5 and WB55 chips. +The PKA acceleration for ECC is available on some U5, L5, WB55 and MP13 chips. This is enabled with `WOLFSSL_STM32_PKA`. You can see some of the benchmarks [here](STM32_Benchmarks.md). To disable hardware crypto acceleration you can define: diff --git a/IDE/STM32Cube/default_conf.ftl b/IDE/STM32Cube/default_conf.ftl index 6041dc90a1..73ddbd2dd3 100644 --- a/IDE/STM32Cube/default_conf.ftl +++ b/IDE/STM32Cube/default_conf.ftl @@ -165,14 +165,22 @@ extern ${variable.value} ${variable.name}; #define HAL_CONSOLE_UART huart3 #define STM32_HAL_V2 #undef NO_STM32_HASH - +#elif defined(STM32MP135Fxx) + #define WOLFSSL_STM32MP13 + #define HAL_CONSOLE_UART huart4 + #define STM32_HAL_V2 + #undef NO_STM32_HASH + #undef NO_STM32_CRYPTO + #define WOLFSSL_STM32_PKA + #define WOLFSSL_STM32_PKA_V2 #else #warning Please define a hardware platform! /* This means there is not a pre-defined platform for your board/CPU */ /* You need to define a CPU type, HW crypto and debug UART */ /* CPU Type: WOLFSSL_STM32F1, WOLFSSL_STM32F2, WOLFSSL_STM32F4, WOLFSSL_STM32F7, WOLFSSL_STM32H7, WOLFSSL_STM32L4, WOLFSSL_STM32L5, - WOLFSSL_STM32G0, WOLFSSL_STM32G4, WOLFSSL_STM32WB and WOLFSSL_STM32U5 */ + WOLFSSL_STM32G0, WOLFSSL_STM32G4, WOLFSSL_STM32WB, WOLFSSL_STM32U5 and + WOLFSSL_STM32MP13 */ #define WOLFSSL_STM32F4 /* Debug UART used for printf */ @@ -539,7 +547,7 @@ extern ${variable.value} ${variable.name}; //#define USE_SLOW_SHA512 #define WOLFSSL_SHA512 - #define HAVE_SHA512 /* freeRTOS settings.h requires this */ + #define HAVE_SHA512 /* old freeRTOS settings.h requires this */ #endif /* Sha2-384 */ diff --git a/IDE/STM32Cube/wolfssl_example.c b/IDE/STM32Cube/wolfssl_example.c index 342e8ee9d0..b6d76b3a7e 100644 --- a/IDE/STM32Cube/wolfssl_example.c +++ b/IDE/STM32Cube/wolfssl_example.c @@ -1751,9 +1751,15 @@ static int tls13_uart_client(void) wolfSSL_SetIOReadCtx(ssl, tbuf); #ifdef WOLFSSL_HAVE_KYBER +#ifndef WOLFSSL_NO_ML_KEM + if (wolfSSL_UseKeyShare(ssl, WOLFSSL_ML_KEM_512) != WOLFSSL_SUCCESS) { + printf("wolfSSL_UseKeyShare Error!!"); + } +#else if (wolfSSL_UseKeyShare(ssl, WOLFSSL_KYBER_LEVEL1) != WOLFSSL_SUCCESS) { printf("wolfSSL_UseKeyShare Error!!"); } +#endif #endif do { diff --git a/IDE/WIN-SRTP-KDF-140-3/wolfssl-fips.rc b/IDE/WIN-SRTP-KDF-140-3/wolfssl-fips.rc index 956269fb67..b85f44bb9a 100644 --- a/IDE/WIN-SRTP-KDF-140-3/wolfssl-fips.rc +++ b/IDE/WIN-SRTP-KDF-140-3/wolfssl-fips.rc @@ -51,8 +51,8 @@ END // VS_VERSION_INFO VERSIONINFO - FILEVERSION 5,7,0,0 - PRODUCTVERSION 5,7,0,0 + FILEVERSION 5,7,4,0 + PRODUCTVERSION 5,7,4,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -69,12 +69,12 @@ BEGIN BEGIN VALUE "CompanyName", "wolfSSL Inc." VALUE "FileDescription", "The wolfSSL FIPS embedded SSL library is a lightweight, portable, C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments primarily because of its size, speed, and feature set." - VALUE "FileVersion", "5.7.0.0" + VALUE "FileVersion", "5.7.4.0" VALUE "InternalName", "wolfssl-fips" VALUE "LegalCopyright", "Copyright (C) 2023" VALUE "OriginalFilename", "wolfssl-fips.dll" VALUE "ProductName", "wolfSSL FIPS" - VALUE "ProductVersion", "5.7.0.0" + VALUE "ProductVersion", "5.7.4.0" END END BLOCK "VarFileInfo" diff --git a/IDE/WIN10/wolfssl-fips.rc b/IDE/WIN10/wolfssl-fips.rc index aa46cb8a9b..86fe62d976 100644 --- a/IDE/WIN10/wolfssl-fips.rc +++ b/IDE/WIN10/wolfssl-fips.rc @@ -51,8 +51,8 @@ END // VS_VERSION_INFO VERSIONINFO - FILEVERSION 5,7,2,0 - PRODUCTVERSION 5,7,2,0 + FILEVERSION 5,7,4,0 + PRODUCTVERSION 5,7,4,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -69,12 +69,12 @@ BEGIN BEGIN VALUE "CompanyName", "wolfSSL Inc." VALUE "FileDescription", "The wolfSSL FIPS embedded SSL library is a lightweight, portable, C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments primarily because of its size, speed, and feature set." - VALUE "FileVersion", "5.7.2.0" + VALUE "FileVersion", "5.7.4.0" VALUE "InternalName", "wolfssl-fips" VALUE "LegalCopyright", "Copyright (C) 2024" VALUE "OriginalFilename", "wolfssl-fips.dll" VALUE "ProductName", "wolfSSL FIPS" - VALUE "ProductVersion", "5.7.2.0" + VALUE "ProductVersion", "5.7.4.0" END END BLOCK "VarFileInfo" diff --git a/IDE/apple-universal/wolfssl-multiplatform/wolfssl-multiplatform/simple_client_example.h b/IDE/apple-universal/wolfssl-multiplatform/wolfssl-multiplatform/simple_client_example.h index 915f7cc2e5..ebce3eee61 100644 --- a/IDE/apple-universal/wolfssl-multiplatform/wolfssl-multiplatform/simple_client_example.h +++ b/IDE/apple-universal/wolfssl-multiplatform/wolfssl-multiplatform/simple_client_example.h @@ -19,9 +19,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#ifndef simple_client_example_h -#define simple_client_example_h +#ifndef SIMPLE_CLIENT_EXAMPLE_H +#define SIMPLE_CLIENT_EXAMPLE_H int simple_client_example(void); -#endif /* simple_client_example_h */ +#endif /* SIMPLE_CLIENT_EXAMPLE_H */ diff --git a/IDE/apple-universal/wolfssl-multiplatform/wolfssl-multiplatform/wolfssl_test_driver.h b/IDE/apple-universal/wolfssl-multiplatform/wolfssl-multiplatform/wolfssl_test_driver.h index 768518554e..9d9c09d7a3 100644 --- a/IDE/apple-universal/wolfssl-multiplatform/wolfssl-multiplatform/wolfssl_test_driver.h +++ b/IDE/apple-universal/wolfssl-multiplatform/wolfssl-multiplatform/wolfssl_test_driver.h @@ -19,9 +19,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#ifndef wolfssl_test_driver_h -#define wolfssl_test_driver_h +#ifndef WOLFSSL_TEST_DRIVER_H +#define WOLFSSL_TEST_DRIVER_H void wolfssl_test(void); -#endif /* wolfssl_test_driver_h */ +#endif /* WOLFSSL_TEST_DRIVER_H */ diff --git a/IDE/iotsafe/user_settings.h b/IDE/iotsafe/user_settings.h index 368a76ed43..a03361a008 100644 --- a/IDE/iotsafe/user_settings.h +++ b/IDE/iotsafe/user_settings.h @@ -150,8 +150,10 @@ static inline long XTIME(long *x) { return jiffies;} #define WOLFSSL_AES_DIRECT /* Hashing */ -#define HAVE_SHA384 -#define HAVE_SHA512 +#define WOLFSSL_SHA384 +#define HAVE_SHA384 /* old freeRTOS settings.h requires this */ +#define WOLFSSL_SHA512 +#define HAVE_SHA512 /* old freeRTOS settings.h requires this */ #define HAVE_HKDF /* TLS */ diff --git a/README b/README index 261eb200d6..2b462bc517 100644 --- a/README +++ b/README @@ -70,112 +70,197 @@ should be used for the enum name. *** end Notes *** -# wolfSSL Release 5.7.2 (July 08, 2024) +# wolfSSL Release 5.7.4 (Oct 24, 2024) -Release 5.7.2 has been developed according to wolfSSL's development and QA +Release 5.7.4 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria. https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024 -## Vulnerabilities -* [Medium] CVE-2024-1544 -Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls. Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Analyzing the division through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. Thanks to Luca Wilke, Florian Sieck and Thomas Eisenbarth (University of Lübeck) for reporting the vulnerability. Details will appear in the proceedings of CCS 24. -Fixed https://github.com/wolfSSL/wolfssl/pull/7020 - - -* [Medium] CVE-2024-5288 -A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations. If performing ECC private key operations in an environment where a malicious user could gain fine control over the device and perform row hammer style attacks it is recommended to update the version of wolfSSL used and to build with WOLFSSL_BLIND_PRIVATE_KEY defined. Thanks to Kemal Derya, M. Caner Tol, Berk Sunar for the report (Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute) -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7416 - - -* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS. There are existing sanity checks during a TLS handshake with wolfSSL which mitigate this issue. Thanks to Bing Shi for the report. -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7597 +PR stands for Pull Request, and PR references a GitHub pull request + number where the code change was added. -* [Low] CVE-2024-5991 -In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the Openssl compatibility function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. While calling without a NULL terminated string is very uncommon, it is still technically allowed. If a caller was attempting to do a name check on a non*NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator. -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7604 -* [Medium] CVE-2024-5814 -A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello when downgrading from TLS 1.3. -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7619 - -* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received. Found with internal testing. -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7702 - -* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt. A revoked CA certificate could incorrectly be loaded into the trusted signers list and used in a repeat connection attempt. Found with internal testing. -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7702 +## Vulnerabilities +* [Low] When the OpenSSL compatibility layer is enabled, certificate + verification behaved differently in wolfSSL than OpenSSL, in the + X509_STORE_add_cert() and X509_STORE_load_locations() implementations. + Previously, in cases where an application explicitly loaded an intermediate + certificate, wolfSSL was verifying only up to that intermediate certificate, + rather than verifying up to the root CA. This only affects use cases where the + API is called directly, and does not affect TLS connections. Users that call + the API X509_STORE_add_cert() or X509_STORE_load_locations() directly in their + applications are recommended to update the version of wolfSSL used or to have + additional sanity checks on certificates loaded into the X509_STORE when + verifying a certificate. (https://github.com/wolfSSL/wolfssl/pull/8087) + + +## PQC TLS Experimental Build Fix +* When using TLS with post quantum algorithms enabled, the connection uses a + smaller EC curve than agreed on. Users building with --enable-experimental and + enabling PQC cipher suites with TLS connections are recommended to update the + version of wolfSSL used. Thanks to Daniel Correa for the report. + (https://github.com/wolfSSL/wolfssl/pull/8084) ## New Feature Additions -* Added Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87 (PR 7622) -* AES RISC-V 64-bit ASM: ECB/CBC/CTR/GCM/CCM (PR 7569) -* Added CUDA support for AES encryption (PR 7436) -* Added support for gRPC (PR 7445) -* Added function wc_RsaPrivateKeyDecodeRaw to import raw RSA private keys (PR 7608) -* Added crypto callback for SHA-3 (PR 7670) -* Support for Infineon Modus Toolbox with wolfSSL (PR 7369) -* Allow user to send a user_canceled alert by calling wolfSSL_SendUserCanceled (PR 7590) -* C# wrapper SNI support added (PR 7610) -* Quantum-safe algorithm support added to the Linux kernel module (PR 7574) -* Support for NIST 800-56C Option 1 KDF, using the macro WC_KDF_NIST_SP_800_56C added (PR 7589) -* AES-XTS streaming mode added, along with hardware acceleration and kernel module use (PR 7522, 7560, 7424) -* PlatformIO FreeRTOS with ESP build and addition of benchmark and test example applications (PR 7528, 7413, 7559, 7542) +* RISC-V 64 new assembly optimizations added for SHA-256, SHA-512, ChaCha20, + Poly1305, and SHA-3 (PR 7758,7833,7818,7873,7916) +* Implement support for Connection ID (CID) with DTLS 1.2 (PR 7995) +* Add support for (DevkitPro)libnds (PR 7990) +* Add port for Mosquitto OSP (Open Source Project) (PR 6460) +* Add port for init sssd (PR 7781) +* Add port for eXosip2 (PR 7648) +* Add support for STM32G4 (PR 7997) +* Add support for MAX32665 and MAX32666 TPU HW and ARM ASM Crypto Callback + Support (PR 7777) +* Add support for building wolfSSL to be used in libspdm (PR 7869) +* Add port for use with Nucleus Plus 2.3 (PR 7732) +* Initial support for RFC5755 x509 attribute certificates (acerts). Enabled with + --enable-acert (PR 7926) +* PKCS#11 RSA Padding offload allows tokens to perform CKM_RSA_PKCS + (sign/encrypt), CKM_RSA_PKCS_PSS (sign), and CKM_RSA_PKCS_OAEP (encrypt). + (PR 7750) +* Added “new” and “delete” style functions for heap/pool allocation and freeing + of low level crypto structures (PR 3166 and 8089) ## Enhancements and Optimizations -* Expanded STM32 AES hardware acceleration support for use with STM32H5 (PR 7578) -* Adjusted wc_xmss and wc_lms settings to support use with wolfBoot (PR 7393) -* Added the --enable-rpk option to autotools build for using raw public key support (PR 7379) -* SHA-3 Thumb2, ARM32 assembly implementation added (PR 7667) -* Improvements to RSA padding to expose Pad/Unpad APIs (PR 7612) -* Updates and API additions for supporting socat version 1.8.0.0 (PR 7594) -* cmake build improvements, expanding build options with SINGLE_THREADED and post-quantum algorithms, adjusting the generation of options.h file and using “yes;no” boolean instead of strings (PR 7611, 7546, 7479, 7480, 7380) -* Improvements for Renesas RZ support (PR 7474) -* Improvements to dual algorithm certificates for post-quantum keys (PR 7286) -* Added wolfSSL_SessionIsSetup so the user can check if a session ticket has been sent by the server (PR 7430) -* hostap updates: Implement PACs for EAP-FAST and filter cipher list on TLS version change (PR 7446) -* Changed subject name comparison to match different upper and lower cases (PR 7420) -* Support for DTLS 1.3 downgrade when using PSK (PR 7367) -* Update to static memory build for more generic memory pools used (PR 7418) -* Improved performance of Kyber C implementation (PR 7654) -* Support for ECC_CACHE_CURVE with no malloc (PR 7490) -* Added the configure option --enable-debug-trace-errcodes (macro WOLFSSL_DEBUG_TRACE_ERROR_CODES) which enables more debug tracking of error code values (PR 7634) -* Enhanced wc_MakeRsaKey and wc_RsaKeyToDer to work with WOLFSSL_NO_MALLOC (PR 7362) -* Improvements to assembly implementations of ChaCha20 and Poly1305 ASM for use with MSVC (PR 7319) -* Cortex-M inline assembly labels with unique number appended (PR 7649) -* Added secret logging callback to TLS <= 1.2, enabled with the macro HAVE_SECRET_CALLBACK (PR 7372) -* Made wc_RNG_DRBG_Reseed() a public wolfCrypt API (PR 7386) -* Enabled DES3 support without the DES3 ciphers. To re-enable DES3 cipher suites, use the configure flag --enable-des3-tls-suites (PR 7315) -* Added stubs required for latest nginx (1.25.5) (PR 7449) -* Added option for using a custom salt with the function wc_ecc_ctx_set_own_salt (PR 7552) -* Added PQ files for Windows (PR 7419) -* Enhancements to static memory feature, adding the option for a global heap hint (PR 7478) and build options for a lean or debug setting, enabled with --enable-staticmemory=small or --enable-staticmemory=debug (PR 7597) -* Updated --enable-jni to define SESSION_CERTS for wolfJSSE (PR 7557) -* Exposed DTLS in Ada wrapper and updated examples (PR 7397) -* Added additional minimum TLS extension size sanity checks (PR 7602) -* ESP improvements: updating the examples and libraries, updates for Apple HomeKit SHA/SRP, and fix for endianness with SHA512 software fallback (PR 7607, 7392, 7505, 7535) -* Made the wc_CheckCertSigPubKey API publicly available with the define of the macro WOLFSSL_SMALL_CERT_VERIFY (PR 7599) -* Added an alpha/preview of additional FIPS 140-3 full submission, bringing additional algorithms such as SRTP-KDF, AES-XTS, GCM streaming, AES-CFB, ED25519, and ED448 into the FIPS module boundary (PR 7295) -* XCODE support for v5.2.3 of the FIPS module (PR 7140) -* Expanded OpenSSL compatibility layer and added EC_POINT_hex2point (PR 7191) +* Increase default max alt. names from 128 to 1024 (PR 7762) +* Added new constant time DH agree function wc_DhAgree_ct (PR 7802) +* Expanded compatibility layer with the API EVP_PKEY_is_a (PR 7804) +* Add option to disable cryptocb test software test using + --disable-cryptocb-sw-test (PR 7862) +* Add a call to certificate verify callback before checking certificate dates + (PR 7895) +* Expanded algorithms supported with the wolfCrypt CSharp wrapper. Adding + support for RNG, ECC(ECIES and ECDHE), RSA, ED25519/Curve25519, AES-GCM, and + Hashing (PR 3166) +* Expand MMCAU support for use with DES ECB (PR 7960) +* Update AES SIV to handle multiple associated data inputs (PR 7911) +* Remove HAVE_NULL_CIPHER from --enable-openssh (PR 7811) +* Removed duplicate if(NULL) checks when calling XFREE (macro does) (PR 7839) +* Set RSA_MIN_SIZE default to 2048 bits (PR 7923) +* Added support for wolfSSL to be used as the default TLS in the zephyr kernel + (PR 7731) +* Add enable provider build using --enable-wolfprovider with autotools (PR 7550) +* Renesas RX TSIP ECDSA support (PR 7685) +* Support DTLS1.3 downgrade when the server supports CID (PR 7841) +* Server-side checks OCSP even if it uses v2 multi (PR 7828) +* Add handling of absent hash params in PKCS7 bundle parsing and creation + (PR 7845) +* Add the use of w64wrapper for Poly1305, enabling Poly1305 to be used in + environments that do not have a word64 type (PR 7759) +* Update to the maxq10xx support (PR 7824) +* Add support for parsing over optional PKCS8 attributes (PR 7944) +* Add support for either side method with DTLS 1.3 (PR 8012) +* Added PKCS7 PEM support for parsing PEM data with BEGIN/END PKCS7 (PR 7704) +* Add CMake support for WOLFSSL_CUSTOM_CURVES (PR 7962) +* Add left-most wildcard matching support to X509_check_host() (PR 7966) +* Add option to set custom SKID with PKCS7 bundle creation (PR 7954) +* Building wolfSSL as a library with Ada and corrections to Alire manifest + (PR 7303,7940) +* Renesas RX72N support updated (PR 7849) +* New option WOLFSSL_COPY_KEY added to always copy the key to the SSL object + (PR 8005) +* Add the new option WOLFSSL_COPY_CERT to always copy the cert buffer for each + SSL object (PR 7867) +* Add an option to use AES-CBC with HMAC for default session ticket enc/dec. + Defaults to AES-128-CBC with HMAC-SHA256 (PR 7703) +* Memory usage improvements in wc_PRF, sha256 (for small code when many + registers are available) and sp_int objects (PR 7901) +* Change in the configure script to work around ">>" with no command. In older + /bin/sh it can be ambiguous, as used in OS’s such as FreeBSD 9.2 (PR 7876) +* Don't attempt to include system headers when not required (PR 7813) +* Certificates: DER encoding of ECC signature algorithm parameter is now + allowed to be NULL with a define (PR 7903) +* SP x86_64 asm: check for AVX2 support for VMs (PR 7979) +* Update rx64n support on gr-rose (PR 7889) +* Update FSP version to v5.4.0 for RA6M4 (PR 7994) +* Update TSIP driver version to v1.21 for RX65N RSK (PR 7993) +* Add a new crypto callback for RSA with padding (PR 7907) +* Replaced the use of pqm4 with wolfSSL implementations of Kyber/MLDSA + (PR 7924) +* Modernized memory fence support for C11 and clang (PR 7938) +* Add a CRL error override callback (PR 7986) +* Extend the X509 unknown extension callback for use with a user context + (PR 7730) +* Additional debug error tracing added with TLS (PR 7917) +* Added runtime support for library call stack traces with + –enable-debug-trace-errcodes=backtrace, using libbacktrace (PR 7846) +* Expanded C89 conformance (PR 8077) +* Expanded support for WOLFSSL_NO_MALLOC (PR 8065) +* Added support for cross-compilation of Linux kernel module (PR 7746) +* Updated Linux kernel module with support for kernel 6.11 and 6.12 (PR 7826) +* Introduce WOLFSSL_ASN_ALLOW_0_SERIAL to allow parsing of certificates with a + serial number of 0 (PR 7893) +* Add conditional repository_owner to all wolfSSL GitHub workflows (PR 7871) + +### Espressif / Arduino Updates +* Update wolfcrypt settings.h for Espressif ESP-IDF, template update (PR 7953) +* Update Espressif sha, util, mem, time helpers (PR 7955) +* Espressif _thread_local_start and _thread_local_end fix (PR 8030) +* Improve benchmark for Espressif devices (PR 8037) +* Introduce Espressif common CONFIG_WOLFSSL_EXAMPLE_NAME, Kconfig (PR 7866) +* Add wolfSSL esp-tls and Certificate Bundle Support for Espressif ESP-IDF + (PR 7936) +* Update wolfssl Release for Arduino (PR 7775) + +### Post Quantum Crypto Updates +* Dilithium: support fixed size arrays in dilithium_key (PR 7727) +* Dilithium: add option to use precalc with small sign (PR 7744) +* Allow Kyber to be built with FIPS (PR 7788) +* Allow Kyber asm to be used in the Linux kernel module (PR 7872) +* Dilithium, Kyber: Update to final specification (PR 7877) +* Dilithium: Support FIPS 204 Draft and Final Draft (PR 7909,8016) + +### ARM Assembly Optimizations +* ARM32 assembly optimizations added for ChaCha20 and Poly1305 (PR 8020) +* Poly1305 assembly optimizations improvements for Aarch64 (PR 7859) +* Poly1305 assembly optimizations added for Thumb-2 (PR 7939) +* Adding ARM ASM build option to STM32CubePack (PR 7747) +* Add ARM64 to Visual Studio Project (PR 8010) +* Kyber assembly optimizations for ARM32 and Aarch64 (PR 8040,7998) +* Kyber assembly optimizations for ARMv7E-M/ARMv7-M (PR 7706) + ## Fixes -* Fixed Kyber control-flow timing leak. Thanks to Antoon Purnal from PQShield for the report -* Fixed the NXP MMCAU HW acceleration for SHA-256 (PR 7389) -* Fixed AES-CFB1 encrypt/decrypt on size (8*x-1) bits (PR 7431) -* Fixed use of %rip with SHA-256 x64 assembly (PR 7409) -* Fixed OCSP response message build for DTLS (PR 7671) -* Handled edge case in wc_ecc_mulmod() with zero (PR 7532) -* Fixed RPK (Raw Public Key) to follow certificate use correctly (PR 7375) -* Added sanity check on record header with QUIC use (PR 7638) -* Added sanity check for empty directory strings in X.509 when parsing (PR 7669) -* Added sanity check on non-conforming serial number of 0 in certificates being parsed (PR 7625) -* Fixed wolfSSL_CTX_set1_sigalgs_list() to make the TLS connection conform to the selected sig hash algorithm (PR 7693) -* Various fixes for dual algorithm certificates including small stack use and support for Certificate Signing Requests (PR 7577) -* Added sanity check for critical policy extension when wolfSSL is built without policy extension support enabled (PR 7388) -* Added sanity check that the ed25519 signature is smaller than the order (PR 7513) -* Fixed Segger emNet to handle non-blocking want read/want write (PR 7581) +* ECC key load: fixes for certificates with parameters that are not default for + size (PR 7751) +* Fixes for building x86 in Visual Studio for non-windows OS (PR 7884) +* Fix for TLS v1.2 secret callback, incorrectly detecting bad master secret + (PR 7812) +* Fixes for PowerPC assembly use with Darwin and SP math all (PR 7931) +* Fix for detecting older versions of Mac OS when trying to link with + libdispatch (PR 7932) +* Fix for DTLS1.3 downgrade to DTLS1.2 when the server sends multiple handshake + packets combined into a single transmission. (PR 7840) +* Fix for OCSP to save the request if it was stored in ssl->ctx->certOcspRequest + (PR 7779) +* Fix to OCSP for searching for CA by key hash instead of ext. key id (PR 7934) +* Fix for staticmemory and singlethreaded build (PR 7737) +* Fix to not allow Shake128/256 with Xilinx AFALG (PR 7708) +* Fix to support PKCS11 without RSA key generation (PR 7738) +* Fix not calling the signing callback when using PK callbacks + TLS 1.3 + (PR 7761) +* Cortex-M/Thumb2 ASM fix label for IAR compiler (PR 7753) +* Fix with PKCS11 to iterate correctly over slotId (PR 7736) +* Stop stripping out the sequence header on the AltSigAlg extension (PR 7710) +* Fix ParseCRL_AuthKeyIdExt with ASN template to set extAuthKeyIdSet value + (PR 7742) +* Use max key length for PSK encrypt buffer size (PR 7707) +* DTLS 1.3 fix for size check to include headers and CID fixes (PR 7912,7951) +* Fix STM32 Hash FIFO and add support for STM32U5A9xx (PR 7787) +* Fix CMake build error for curl builds (PR 8021) +* SP Maths: PowerPC ASM fix to use XOR instead of LI (PR 8038) +* SSL loading of keys/certs: testing and fixes (PR 7789) +* Misc. fixes for Dilithium and Kyber (PR 7721,7765,7803,8027,7904) +* Fixes for building wolfBoot sources for PQ LMS/XMSS (PR 7868) +* Fixes for building with Kyber enabled using CMake and zephyr port (PR 7773) +* Fix for edge cases with session resumption with TLS 1.2 (PR 8097) +* Fix issue with ARM ASM with AES CFB/OFB not initializing the "left" member + (PR 8099) diff --git a/README.md b/README.md index 28aac26695..11f82fb357 100644 --- a/README.md +++ b/README.md @@ -75,112 +75,197 @@ single call hash function. Instead the name `WC_SHA`, `WC_SHA256`, `WC_SHA384` a `WC_SHA512` should be used for the enum name. -# wolfSSL Release 5.7.2 (July 08, 2024) +# wolfSSL Release 5.7.4 (Oct 24, 2024) -Release 5.7.2 has been developed according to wolfSSL's development and QA +Release 5.7.4 has been developed according to wolfSSL's development and QA process (see link below) and successfully passed the quality criteria. https://www.wolfssl.com/about/wolfssl-software-development-process-quality-assurance NOTE: * --enable-heapmath is being deprecated and will be removed by end of 2024 -## Vulnerabilities -* [Medium] CVE-2024-1544 -Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls. Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Analyzing the division through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. Thanks to Luca Wilke, Florian Sieck and Thomas Eisenbarth (University of Lübeck) for reporting the vulnerability. Details will appear in the proceedings of CCS 24. -Fixed https://github.com/wolfSSL/wolfssl/pull/7020 - - -* [Medium] CVE-2024-5288 -A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations. If performing ECC private key operations in an environment where a malicious user could gain fine control over the device and perform row hammer style attacks it is recommended to update the version of wolfSSL used and to build with WOLFSSL_BLIND_PRIVATE_KEY defined. Thanks to Kemal Derya, M. Caner Tol, Berk Sunar for the report (Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute) -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7416 - - -* [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS. There are existing sanity checks during a TLS handshake with wolfSSL which mitigate this issue. Thanks to Bing Shi for the report. -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7597 +PR stands for Pull Request, and PR references a GitHub pull request + number where the code change was added. -* [Low] CVE-2024-5991 -In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the Openssl compatibility function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. While calling without a NULL terminated string is very uncommon, it is still technically allowed. If a caller was attempting to do a name check on a non*NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator. -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7604 -* [Medium] CVE-2024-5814 -A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello when downgrading from TLS 1.3. -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7619 - -* [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received. Found with internal testing. -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7702 - -* [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt. A revoked CA certificate could incorrectly be loaded into the trusted signers list and used in a repeat connection attempt. Found with internal testing. -Fixed in github pull request https://github.com/wolfSSL/wolfssl/pull/7702 +## Vulnerabilities +* [Low] When the OpenSSL compatibility layer is enabled, certificate + verification behaved differently in wolfSSL than OpenSSL, in the + X509_STORE_add_cert() and X509_STORE_load_locations() implementations. + Previously, in cases where an application explicitly loaded an intermediate + certificate, wolfSSL was verifying only up to that intermediate certificate, + rather than verifying up to the root CA. This only affects use cases where the + API is called directly, and does not affect TLS connections. Users that call + the API X509_STORE_add_cert() or X509_STORE_load_locations() directly in their + applications are recommended to update the version of wolfSSL used or to have + additional sanity checks on certificates loaded into the X509_STORE when + verifying a certificate. (https://github.com/wolfSSL/wolfssl/pull/8087) + + +## PQC TLS Experimental Build Fix +* When using TLS with post quantum algorithms enabled, the connection uses a + smaller EC curve than agreed on. Users building with --enable-experimental and + enabling PQC cipher suites with TLS connections are recommended to update the + version of wolfSSL used. Thanks to Daniel Correa for the report. + (https://github.com/wolfSSL/wolfssl/pull/8084) ## New Feature Additions -* Added Dilithium/ML-DSA: Implementation of ML-DSA-44/65/87 (PR 7622) -* AES RISC-V 64-bit ASM: ECB/CBC/CTR/GCM/CCM (PR 7569) -* Added CUDA support for AES encryption (PR 7436) -* Added support for gRPC (PR 7445) -* Added function wc_RsaPrivateKeyDecodeRaw to import raw RSA private keys (PR 7608) -* Added crypto callback for SHA-3 (PR 7670) -* Support for Infineon Modus Toolbox with wolfSSL (PR 7369) -* Allow user to send a user_canceled alert by calling wolfSSL_SendUserCanceled (PR 7590) -* C# wrapper SNI support added (PR 7610) -* Quantum-safe algorithm support added to the Linux kernel module (PR 7574) -* Support for NIST 800-56C Option 1 KDF, using the macro WC_KDF_NIST_SP_800_56C added (PR 7589) -* AES-XTS streaming mode added, along with hardware acceleration and kernel module use (PR 7522, 7560, 7424) -* PlatformIO FreeRTOS with ESP build and addition of benchmark and test example applications (PR 7528, 7413, 7559, 7542) +* RISC-V 64 new assembly optimizations added for SHA-256, SHA-512, ChaCha20, + Poly1305, and SHA-3 (PR 7758,7833,7818,7873,7916) +* Implement support for Connection ID (CID) with DTLS 1.2 (PR 7995) +* Add support for (DevkitPro)libnds (PR 7990) +* Add port for Mosquitto OSP (Open Source Project) (PR 6460) +* Add port for init sssd (PR 7781) +* Add port for eXosip2 (PR 7648) +* Add support for STM32G4 (PR 7997) +* Add support for MAX32665 and MAX32666 TPU HW and ARM ASM Crypto Callback + Support (PR 7777) +* Add support for building wolfSSL to be used in libspdm (PR 7869) +* Add port for use with Nucleus Plus 2.3 (PR 7732) +* Initial support for RFC5755 x509 attribute certificates (acerts). Enabled with + --enable-acert (PR 7926) +* PKCS#11 RSA Padding offload allows tokens to perform CKM_RSA_PKCS + (sign/encrypt), CKM_RSA_PKCS_PSS (sign), and CKM_RSA_PKCS_OAEP (encrypt). + (PR 7750) +* Added “new” and “delete” style functions for heap/pool allocation and freeing + of low level crypto structures (PR 3166 and 8089) ## Enhancements and Optimizations -* Expanded STM32 AES hardware acceleration support for use with STM32H5 (PR 7578) -* Adjusted wc_xmss and wc_lms settings to support use with wolfBoot (PR 7393) -* Added the --enable-rpk option to autotools build for using raw public key support (PR 7379) -* SHA-3 Thumb2, ARM32 assembly implementation added (PR 7667) -* Improvements to RSA padding to expose Pad/Unpad APIs (PR 7612) -* Updates and API additions for supporting socat version 1.8.0.0 (PR 7594) -* cmake build improvements, expanding build options with SINGLE_THREADED and post-quantum algorithms, adjusting the generation of options.h file and using “yes;no” boolean instead of strings (PR 7611, 7546, 7479, 7480, 7380) -* Improvements for Renesas RZ support (PR 7474) -* Improvements to dual algorithm certificates for post-quantum keys (PR 7286) -* Added wolfSSL_SessionIsSetup so the user can check if a session ticket has been sent by the server (PR 7430) -* hostap updates: Implement PACs for EAP-FAST and filter cipher list on TLS version change (PR 7446) -* Changed subject name comparison to match different upper and lower cases (PR 7420) -* Support for DTLS 1.3 downgrade when using PSK (PR 7367) -* Update to static memory build for more generic memory pools used (PR 7418) -* Improved performance of Kyber C implementation (PR 7654) -* Support for ECC_CACHE_CURVE with no malloc (PR 7490) -* Added the configure option --enable-debug-trace-errcodes (macro WOLFSSL_DEBUG_TRACE_ERROR_CODES) which enables more debug tracking of error code values (PR 7634) -* Enhanced wc_MakeRsaKey and wc_RsaKeyToDer to work with WOLFSSL_NO_MALLOC (PR 7362) -* Improvements to assembly implementations of ChaCha20 and Poly1305 ASM for use with MSVC (PR 7319) -* Cortex-M inline assembly labels with unique number appended (PR 7649) -* Added secret logging callback to TLS <= 1.2, enabled with the macro HAVE_SECRET_CALLBACK (PR 7372) -* Made wc_RNG_DRBG_Reseed() a public wolfCrypt API (PR 7386) -* Enabled DES3 support without the DES3 ciphers. To re-enable DES3 cipher suites, use the configure flag --enable-des3-tls-suites (PR 7315) -* Added stubs required for latest nginx (1.25.5) (PR 7449) -* Added option for using a custom salt with the function wc_ecc_ctx_set_own_salt (PR 7552) -* Added PQ files for Windows (PR 7419) -* Enhancements to static memory feature, adding the option for a global heap hint (PR 7478) and build options for a lean or debug setting, enabled with --enable-staticmemory=small or --enable-staticmemory=debug (PR 7597) -* Updated --enable-jni to define SESSION_CERTS for wolfJSSE (PR 7557) -* Exposed DTLS in Ada wrapper and updated examples (PR 7397) -* Added additional minimum TLS extension size sanity checks (PR 7602) -* ESP improvements: updating the examples and libraries, updates for Apple HomeKit SHA/SRP, and fix for endianness with SHA512 software fallback (PR 7607, 7392, 7505, 7535) -* Made the wc_CheckCertSigPubKey API publicly available with the define of the macro WOLFSSL_SMALL_CERT_VERIFY (PR 7599) -* Added an alpha/preview of additional FIPS 140-3 full submission, bringing additional algorithms such as SRTP-KDF, AES-XTS, GCM streaming, AES-CFB, ED25519, and ED448 into the FIPS module boundary (PR 7295) -* XCODE support for v5.2.3 of the FIPS module (PR 7140) -* Expanded OpenSSL compatibility layer and added EC_POINT_hex2point (PR 7191) +* Increase default max alt. names from 128 to 1024 (PR 7762) +* Added new constant time DH agree function wc_DhAgree_ct (PR 7802) +* Expanded compatibility layer with the API EVP_PKEY_is_a (PR 7804) +* Add option to disable cryptocb test software test using + --disable-cryptocb-sw-test (PR 7862) +* Add a call to certificate verify callback before checking certificate dates + (PR 7895) +* Expanded algorithms supported with the wolfCrypt CSharp wrapper. Adding + support for RNG, ECC(ECIES and ECDHE), RSA, ED25519/Curve25519, AES-GCM, and + Hashing (PR 3166) +* Expand MMCAU support for use with DES ECB (PR 7960) +* Update AES SIV to handle multiple associated data inputs (PR 7911) +* Remove HAVE_NULL_CIPHER from --enable-openssh (PR 7811) +* Removed duplicate if(NULL) checks when calling XFREE (macro does) (PR 7839) +* Set RSA_MIN_SIZE default to 2048 bits (PR 7923) +* Added support for wolfSSL to be used as the default TLS in the zephyr kernel + (PR 7731) +* Add enable provider build using --enable-wolfprovider with autotools (PR 7550) +* Renesas RX TSIP ECDSA support (PR 7685) +* Support DTLS1.3 downgrade when the server supports CID (PR 7841) +* Server-side checks OCSP even if it uses v2 multi (PR 7828) +* Add handling of absent hash params in PKCS7 bundle parsing and creation + (PR 7845) +* Add the use of w64wrapper for Poly1305, enabling Poly1305 to be used in + environments that do not have a word64 type (PR 7759) +* Update to the maxq10xx support (PR 7824) +* Add support for parsing over optional PKCS8 attributes (PR 7944) +* Add support for either side method with DTLS 1.3 (PR 8012) +* Added PKCS7 PEM support for parsing PEM data with BEGIN/END PKCS7 (PR 7704) +* Add CMake support for WOLFSSL_CUSTOM_CURVES (PR 7962) +* Add left-most wildcard matching support to X509_check_host() (PR 7966) +* Add option to set custom SKID with PKCS7 bundle creation (PR 7954) +* Building wolfSSL as a library with Ada and corrections to Alire manifest + (PR 7303,7940) +* Renesas RX72N support updated (PR 7849) +* New option WOLFSSL_COPY_KEY added to always copy the key to the SSL object + (PR 8005) +* Add the new option WOLFSSL_COPY_CERT to always copy the cert buffer for each + SSL object (PR 7867) +* Add an option to use AES-CBC with HMAC for default session ticket enc/dec. + Defaults to AES-128-CBC with HMAC-SHA256 (PR 7703) +* Memory usage improvements in wc_PRF, sha256 (for small code when many + registers are available) and sp_int objects (PR 7901) +* Change in the configure script to work around ">>" with no command. In older + /bin/sh it can be ambiguous, as used in OS’s such as FreeBSD 9.2 (PR 7876) +* Don't attempt to include system headers when not required (PR 7813) +* Certificates: DER encoding of ECC signature algorithm parameter is now + allowed to be NULL with a define (PR 7903) +* SP x86_64 asm: check for AVX2 support for VMs (PR 7979) +* Update rx64n support on gr-rose (PR 7889) +* Update FSP version to v5.4.0 for RA6M4 (PR 7994) +* Update TSIP driver version to v1.21 for RX65N RSK (PR 7993) +* Add a new crypto callback for RSA with padding (PR 7907) +* Replaced the use of pqm4 with wolfSSL implementations of Kyber/MLDSA + (PR 7924) +* Modernized memory fence support for C11 and clang (PR 7938) +* Add a CRL error override callback (PR 7986) +* Extend the X509 unknown extension callback for use with a user context + (PR 7730) +* Additional debug error tracing added with TLS (PR 7917) +* Added runtime support for library call stack traces with + –enable-debug-trace-errcodes=backtrace, using libbacktrace (PR 7846) +* Expanded C89 conformance (PR 8077) +* Expanded support for WOLFSSL_NO_MALLOC (PR 8065) +* Added support for cross-compilation of Linux kernel module (PR 7746) +* Updated Linux kernel module with support for kernel 6.11 and 6.12 (PR 7826) +* Introduce WOLFSSL_ASN_ALLOW_0_SERIAL to allow parsing of certificates with a + serial number of 0 (PR 7893) +* Add conditional repository_owner to all wolfSSL GitHub workflows (PR 7871) + +### Espressif / Arduino Updates +* Update wolfcrypt settings.h for Espressif ESP-IDF, template update (PR 7953) +* Update Espressif sha, util, mem, time helpers (PR 7955) +* Espressif _thread_local_start and _thread_local_end fix (PR 8030) +* Improve benchmark for Espressif devices (PR 8037) +* Introduce Espressif common CONFIG_WOLFSSL_EXAMPLE_NAME, Kconfig (PR 7866) +* Add wolfSSL esp-tls and Certificate Bundle Support for Espressif ESP-IDF + (PR 7936) +* Update wolfssl Release for Arduino (PR 7775) + +### Post Quantum Crypto Updates +* Dilithium: support fixed size arrays in dilithium_key (PR 7727) +* Dilithium: add option to use precalc with small sign (PR 7744) +* Allow Kyber to be built with FIPS (PR 7788) +* Allow Kyber asm to be used in the Linux kernel module (PR 7872) +* Dilithium, Kyber: Update to final specification (PR 7877) +* Dilithium: Support FIPS 204 Draft and Final Draft (PR 7909,8016) + +### ARM Assembly Optimizations +* ARM32 assembly optimizations added for ChaCha20 and Poly1305 (PR 8020) +* Poly1305 assembly optimizations improvements for Aarch64 (PR 7859) +* Poly1305 assembly optimizations added for Thumb-2 (PR 7939) +* Adding ARM ASM build option to STM32CubePack (PR 7747) +* Add ARM64 to Visual Studio Project (PR 8010) +* Kyber assembly optimizations for ARM32 and Aarch64 (PR 8040,7998) +* Kyber assembly optimizations for ARMv7E-M/ARMv7-M (PR 7706) + ## Fixes -* Fixed Kyber control-flow timing leak. Thanks to Antoon Purnal from PQShield for the report -* Fixed the NXP MMCAU HW acceleration for SHA-256 (PR 7389) -* Fixed AES-CFB1 encrypt/decrypt on size (8*x-1) bits (PR 7431) -* Fixed use of %rip with SHA-256 x64 assembly (PR 7409) -* Fixed OCSP response message build for DTLS (PR 7671) -* Handled edge case in wc_ecc_mulmod() with zero (PR 7532) -* Fixed RPK (Raw Public Key) to follow certificate use correctly (PR 7375) -* Added sanity check on record header with QUIC use (PR 7638) -* Added sanity check for empty directory strings in X.509 when parsing (PR 7669) -* Added sanity check on non-conforming serial number of 0 in certificates being parsed (PR 7625) -* Fixed wolfSSL_CTX_set1_sigalgs_list() to make the TLS connection conform to the selected sig hash algorithm (PR 7693) -* Various fixes for dual algorithm certificates including small stack use and support for Certificate Signing Requests (PR 7577) -* Added sanity check for critical policy extension when wolfSSL is built without policy extension support enabled (PR 7388) -* Added sanity check that the ed25519 signature is smaller than the order (PR 7513) -* Fixed Segger emNet to handle non-blocking want read/want write (PR 7581) +* ECC key load: fixes for certificates with parameters that are not default for + size (PR 7751) +* Fixes for building x86 in Visual Studio for non-windows OS (PR 7884) +* Fix for TLS v1.2 secret callback, incorrectly detecting bad master secret + (PR 7812) +* Fixes for PowerPC assembly use with Darwin and SP math all (PR 7931) +* Fix for detecting older versions of Mac OS when trying to link with + libdispatch (PR 7932) +* Fix for DTLS1.3 downgrade to DTLS1.2 when the server sends multiple handshake + packets combined into a single transmission. (PR 7840) +* Fix for OCSP to save the request if it was stored in ssl->ctx->certOcspRequest + (PR 7779) +* Fix to OCSP for searching for CA by key hash instead of ext. key id (PR 7934) +* Fix for staticmemory and singlethreaded build (PR 7737) +* Fix to not allow Shake128/256 with Xilinx AFALG (PR 7708) +* Fix to support PKCS11 without RSA key generation (PR 7738) +* Fix not calling the signing callback when using PK callbacks + TLS 1.3 + (PR 7761) +* Cortex-M/Thumb2 ASM fix label for IAR compiler (PR 7753) +* Fix with PKCS11 to iterate correctly over slotId (PR 7736) +* Stop stripping out the sequence header on the AltSigAlg extension (PR 7710) +* Fix ParseCRL_AuthKeyIdExt with ASN template to set extAuthKeyIdSet value + (PR 7742) +* Use max key length for PSK encrypt buffer size (PR 7707) +* DTLS 1.3 fix for size check to include headers and CID fixes (PR 7912,7951) +* Fix STM32 Hash FIFO and add support for STM32U5A9xx (PR 7787) +* Fix CMake build error for curl builds (PR 8021) +* SP Maths: PowerPC ASM fix to use XOR instead of LI (PR 8038) +* SSL loading of keys/certs: testing and fixes (PR 7789) +* Misc. fixes for Dilithium and Kyber (PR 7721,7765,7803,8027,7904) +* Fixes for building wolfBoot sources for PQ LMS/XMSS (PR 7868) +* Fixes for building with Kyber enabled using CMake and zephyr port (PR 7773) +* Fix for edge cases with session resumption with TLS 1.2 (PR 8097) +* Fix issue with ARM ASM with AES CFB/OFB not initializing the "left" member + (PR 8099) For additional vulnerability information visit the vulnerability page at: https://www.wolfssl.com/docs/security-vulnerabilities/ diff --git a/certs/intermediate/ca_false_intermediate/gentestcert.sh b/certs/intermediate/ca_false_intermediate/gentestcert.sh new file mode 100755 index 0000000000..d10f593565 --- /dev/null +++ b/certs/intermediate/ca_false_intermediate/gentestcert.sh @@ -0,0 +1,161 @@ +#!/bin/bash + +# Script for generating RSA CA and server certs based on it. +# +SERVER_PEM='test_sign_bynoca_srv.pem' +INTCA_PEM='test_int_not_cacert.pem' +CA_PEM='test_ca.pem' + +CURRENT=$(cd $(dirname $0);pwd) +# OpenSSL configuration files +OPENSSL_BASE_CA_CONF='wolfssl_base.conf' +OPENSSL_CA_CONF='wolfssl_ca.conf' +OPENSSL_INTCA_CONF='wolfssl_int_ca.conf' +OPENSSL_SRV_CONF='wolfssl_srv.conf' +# SEt ver +CA_NAME="test_ca" +INTCA_NAME="int_ca" +SRVCERT_NAME="server_ext" +CRT_HOSTNAME="WOLFSSL" +CRT_DN="${CRT_HOSTNAME%% *}" +CRT_ALT_NAME="$(echo $CRT_HOSTNAME | sed -e "s/^/DNS:/" -e "s/ /,DNS:/g")" + +CA_HOME=$(cd $(dirname $0);pwd)/pki/$CA_NAME +INT_CA_HOME="$CA_HOME/gen_int/$CRT_DN" +SRV_CRT_HOME="$CA_HOME/gen_srv/$CRT_DN" + +Prepare_folder_file(){ + mkdir -m 700 pki + + # Create folders for CA + mkdir "$CA_HOME"/{,certs,db,gen_srv,gen_int} + mkdir -m 700 "$CA_HOME/private" + # Create folders for Intermediate CA + mkdir "$INT_CA_HOME" + mkdir "$INT_CA_HOME"/{,certs,db} + mkdir -m 700 "$INT_CA_HOME/private" + # Create folders for Server + mkdir "$SRV_CRT_HOME" + mkdir -m 700 "$SRV_CRT_HOME/private" + + # Create and populate openssl CA files + touch "$CA_HOME"/db/index + openssl rand -hex 16 > "$CA_HOME"/db/serial + + touch "$INT_CA_HOME"/db/index + openssl rand -hex 16 > "$INT_CA_HOME"/db/serial + + # Copy openssl config and private key + cp "$OPENSSL_CA_CONF" "$CA_HOME" + cp ./"$CA_NAME".key ./pki/$CA_NAME/private/"$CA_NAME".key + + cp "$OPENSSL_INTCA_CONF" "$INT_CA_HOME" + cp ./"$INTCA_NAME".key "$INT_CA_HOME"/private/"$INTCA_NAME".key + + cp "$OPENSSL_SRV_CONF" "$SRV_CRT_HOME" + cp ./server.key "$SRV_CRT_HOME"/private/server.key +} + +Generate_conf(){ + # copy conf from base + cp $OPENSSL_BASE_CA_CONF $OPENSSL_CA_CONF + cp $OPENSSL_BASE_CA_CONF $OPENSSL_INTCA_CONF + # Replace contents + # For CA + sed -i "s/_CA_NAME_/$CA_NAME/" "$OPENSSL_CA_CONF" + sed -i "s/_CERT_NAME_/$INTCA_NAME/" "$OPENSSL_CA_CONF" + sed -i "s/_CA_DEPART_/Development/" "$OPENSSL_CA_CONF" + # For Intermediate CA + sed -i "s/_CA_NAME_/$INTCA_NAME/" "$OPENSSL_INTCA_CONF" + sed -i "s/_CERT_NAME_/$SRVCERT_NAME/" "$OPENSSL_INTCA_CONF" + sed -i "s/_CA_DEPART_/Product_Support/" "$OPENSSL_INTCA_CONF" +} + +cleanup_files(){ + rm -f wolfssl_ca.conf + rm -f wolfssl_int_ca.conf + rm -rf pki/ +} + +# clean up +if [ "$1" = "clean" ]; then + echo "Cleaning temp files" + cleanup_files + exit 0 +fi +if [ "$1" = "cleanall" ]; then + echo "Cleaning all files" + rm -f ./"$SERVER_PEM" + rm -f ./"$INTCA_PEM" + rm -f ./"$CA_PEM" + cleanup_files + exit 0 +fi +# Generate OpenSSL Conf files +Generate_conf +# Prepare folders and files +Prepare_folder_file +########################################## +## Create CA, Intermediate and Server Cert +########################################## +# Generate CA +cd "$CA_HOME" + +# Generate CA private key and csr - use config file info +openssl req -new -config "$OPENSSL_CA_CONF" \ + -out "$CA_NAME.csr" -key "private/$CA_NAME.key" + +# Self-sign CA certificate - use config file info +# Note: Use extension from config "ca_ext" section +openssl ca -selfsign -config "$OPENSSL_CA_CONF" \ + -notext -in "$CA_NAME.csr" -out "$CA_NAME.crt" -extensions ca_ext -batch + +# Generate Intermediate CA +# cd into Cert generation folder +cd "$INT_CA_HOME" + +# Create private key and csr +openssl req -new -config "$OPENSSL_INTCA_CONF" \ + -out "$INTCA_NAME.csr" -key "private/$INTCA_NAME.key" + +cd "$CA_HOME" +# Sign certificate with CA +openssl ca -config "$OPENSSL_CA_CONF" -notext \ + -in "$INT_CA_HOME/$INTCA_NAME.csr" -out "$INT_CA_HOME/$INTCA_NAME.crt" \ + -extensions "$INTCA_NAME" -batch + +# cd into Cert generation folder +cd "$SRV_CRT_HOME" +# Create private key and csr +openssl req -new -config "$OPENSSL_SRV_CONF" \ + -out server.csr -key private/server.key + +# cd into intermediate CA home +cd "$CA_HOME/gen_int/WOLFSSL/" + +# Sign certificate with CA +openssl ca -config "$OPENSSL_INTCA_CONF" -notext \ + -in "$SRV_CRT_HOME/server.csr" -out "$SRV_CRT_HOME/server.crt" \ + -extensions server_ext -batch + + +# cp generate certificates +cd $CURRENT +# CA +openssl x509 -in ./pki/$CA_NAME/$CA_NAME.crt -inform PEM -noout -text > ./pki/$CA_NAME/$CA_NAME.pem +cat ./pki/$CA_NAME/$CA_NAME.crt >> ./pki/$CA_NAME/$CA_NAME.pem +mv ./pki/$CA_NAME/$CA_NAME.pem $CA_PEM + +# Intermediate CA +openssl x509 -in $INT_CA_HOME/$INTCA_NAME.crt -inform PEM -noout -text > $INT_CA_HOME/$INTCA_NAME.pem +cat $INT_CA_HOME/$INTCA_NAME.crt >> $INT_CA_HOME/$INTCA_NAME.pem +mv $INT_CA_HOME/$INTCA_NAME.pem $INTCA_PEM +# Server +openssl x509 -in $SRV_CRT_HOME/server.crt -inform PEM -noout -text > $SRV_CRT_HOME/server.pem +cat $SRV_CRT_HOME/server.crt >> $SRV_CRT_HOME/server.pem +mv $SRV_CRT_HOME/server.pem $SERVER_PEM + +# clean up +cleanup_files + +echo "Completed" diff --git a/certs/intermediate/ca_false_intermediate/int_ca.key b/certs/intermediate/ca_false_intermediate/int_ca.key new file mode 100644 index 0000000000..558acd2ff1 --- /dev/null +++ b/certs/intermediate/ca_false_intermediate/int_ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC4VOnmv/SyU9w8 +kloGnogOLqerpp0HNI8/fOU3+CYr4M0mETKuBvI7PkXBV0VLNpupt5MmAgi/H1QX +bejxNiBsQOLo278NgFYPoNm1OdazQ5PeX8+lNFJ7OEq8TBHSriwfJuJRyNaU5Mr+ +qxcTDZx4+Mvr8cZbmVoSK8s5S6DT7CJmYjSdV52aB8ZFOj3psoLnEsavPKi5Wk+O +BRvQnWNy0yxjZ9k+Md39gZiEbezfQyy3UzHi7aUc6MrfUDOpmAwmuaE6I/caztFP +HpgZqT7sva20RPvOKtBhuVyxd27h9dzHr+ZD7rc8FohFRg5tVtccDq41/oRvy9CN +1uM99eyHAgMBAAECggEADBW/wq8caIHy/c2iiq3jbE/xZ4w5iKVmLDAQtHCtH/yn +C93eHWa7Lth6/kgDH6vph2D6YWg0u+2z4lgEXlFsIsIbnk9PNqAOrwuepQZbuyOt +Esvj8zLQ+DR37IxthrXV6Aeb7ZIQmhu960sQQjbcPATOacj6IOXsRSYLNtXB1OLu +Xo4UbjLX3uOrAg5uMsi/Z/2s9jy3eDBf8FWmM6fBDsejRl18MzY2Y7bYS1yL3762 +4ydB4yHJEEkiFurtjgdX2pscF+ftivYrVqZDUWhM7htFLJz6bS4sRpgjfQegYs4f +RLTuef/+ozFVhpH/HuPrV2jH67T90Z5lHgZ6Nm5qwQKBgQDybcwCKcFFWKac84ln +JDJuqPHyyRgH09cia6C7Y/t1/caSJvJP6KR4c7TuEvIYpc6hSsO1Pd1k6ajFkDdN +IWYfOF3R6K3vR956LPWPdxkYWdONjmwBvVaKozWmxR01RHeGXk+VxFb7PBudAvEu +cGOzDEaTuE5RC1RxNHjZYxZ98QKBgQDCpoljVMR+/7+pwKoIEmw1FmH+DEEgL+so +U1pBcaPU1poBRYKH+1yah7M+eFhTEzV4XbJCjMYeynSCWMSqGXrHwWq0AmA3jhSM +OyDuwboTXVHCkqIuAs/Q/8A9dcyTejsgLuU6mLU1eXzNeWm0/0VjfvPgOziM7SHt +14tip/P59wKBgQDTY74yXKp0h3qw/QLg9wUqzRI8O/FCUgwTrXm4LNSF7EWMB33f +A+L2TR6FQevsZhgpOIIytcEpTz2lF73A+dCMhJ/6e0O/lBGAw1dUQ+uT+i+oDXpM +ggbGWM5dnx965Tq75dzLoSqfY6hIXtpjPgkRhTC9ekaAELsPA0wlcmuYYQKBgDVT +Llw6AsLQCY/Vqj8f3OkGQr44WTcaKZAYladMHJfYWsRyaHocUJg9CMvaaEgKASIC +eS1mJ3iT+isjam03Ib3LrRG3fOh7UgHAyRrfk7xuWlG1nhyAxLH6/o1X0j2sxLni +XwYYg7wslhYsZtsg+79wLhuF3c4twJfJ7vOOE3atAoGBAKiH+9h5SdQ2L4gjM+dl +0dr1fTZpJta+l0FIEiOdQcbGp7ia9G9WglV5HkzyhETG+wTNNuG8GD/jTlg23AVE +vVf2vPq7La3juAT7oOoEkm13vQ//2VUJum4g34dP4V9FpWP5FLiAAu9H8op5P9Hp +LqbpMcrAkbexh41ZEZlmzSx5 +-----END PRIVATE KEY----- diff --git a/certs/intermediate/ca_false_intermediate/server.key b/certs/intermediate/ca_false_intermediate/server.key new file mode 100644 index 0000000000..156364df15 --- /dev/null +++ b/certs/intermediate/ca_false_intermediate/server.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC6IGIrgaxYzvMi +XZ9GkLfppLP84bdp07YUh8u7MR67YPI/jGoNY1WiyANKjdajY937KO8xlXDMKJUf +8JyJ9PZWHgCBUxt4G/mf4xBljMZANiHNV1WyFHGaVznu2pgbr4ngwyv5oZM/TWVB +K2YdZpyVld8Z3I14RvQV62Rclxbs4uzK6+IDuEGBxfTKpOSr3u0a2qONAjmNACxd +fu+RsdeWumXBQ//UajX6F1DNdj4dvqRp9u5Hw3pJmoBv5puD4OhYcfvNbcG0FtI3 +ZKa8sPT++/Rypjx5MnrAtTAhsTXf2UV/xPbFHJhtU9b/NsE4GLd2ExDIRWpSc2V+ +ublm1DwnAgMBAAECggEAA92CTGb//kQl9nO9SAjfWOHLvxes6Gy2Hk0HpRaLDdcg +kMNIvIhwkdXXg6fYakI7rOiXtw7kbcj199jWV2MX7ofm+MiSDHeAQprDj2hSAale +IFaM+ArGpS7kjBpMCF8n3NwQwLljRnBEBwtwrnGgFNcs7+uNoI7QqNffmLCmkDrJ +BCK3kXXbjENOuzlddgxsb1mipsXot3uwDaByB8Tl2OtI7ezZvhCraeYZMyRXuq2o +JDPk3FZ9O/mPgULZrqnlvxyJmog2ajgyED4M0mqM29L4YB3MOOz8Wgeksp20VEQJ +lHJtpHK+zcodnT3rXGMj2A1Qu4HHoYEdKvAb8XzuUQKBgQD/nP7ZFOCJGR+q/Wu1 +CSLYwO9YM8sn7gMy3R1C1Ps7UKvjVWDv9cjsgId7XnYSQQ/52kV8HbIMqr9EOlwS +pHkHmAbqDNhLY++hhqf9nPHo6e0AiMY4uF/JcfYb8A4PE8/x8Iv5HVjH9WYJFwcL +UNDgm0ULrSbRR7ULtaSpZjyXfwKBgQC6aHlpNIvqa3+KmFmZFI4Xx5EB6fHBy02R +PJKk/B2SVsW+kq0kAwsYdnS6rbkYS8ZmfyJKzvacXpDYvUfFV93s+ewoT5J2a4Ab +WmELmWABqqCwvyT7h2oO+hqLljGNIJxygR0iu9F/fHVYp8G/oHZBeDZEJt+PNR0G +cuG7/6zvWQKBgF/dforl1Iw2evUDFFkSMxp9yYYX7rJsBpEV8np1LEADsmORSsjU +MmXYkndHZxrTge1f2j2BWZx8kT1CcfOf8bBSaQ1wgdJMibvXp7trGCMVUIipw0XU +iEAh2H6D2pH3CT8gyy5Dvl9H/tub4k1xItWKBiwp5WwJ67GXj0jlCgZ7AoGARYmz +wQtZJpnzekBbLD/+weAwuAYNqb2tsgBmtCVY4r58Bhuxez2nZfjKktk7s1SRLqs+ +n6mVVb/xSOlTXMrqfvy8nE0S1hpEL/AHQ8xzhCuixkyH/00Ew5GJVYkx8vO3aP/B +XrOx81z6aZgrLtEtTD8L/2CBBWtK6JzymK9IVAECgYAfoFaqRVl0JJlQJttfQtc+ +cYyVzZEBzckIH3BriHuNwDpnPOq6iSx5JUp6mh03G3/3mHx4G45tD6GvsK53WIAH +TCrHQv6vRjrA2oay/AlO2x/ElBOkdOVo8x20YGAAhIRAh65rwFrdTREnfUwChwSV +QVeI7CdToIyIiZGhYmmO/g== +-----END PRIVATE KEY----- diff --git a/certs/intermediate/ca_false_intermediate/test_ca.key b/certs/intermediate/ca_false_intermediate/test_ca.key new file mode 100644 index 0000000000..b40399f05a --- /dev/null +++ b/certs/intermediate/ca_false_intermediate/test_ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8QEMO8Y4eCzs2 +9n6qVnfSp9tVSxQQUtgkAVgmIJX+5g3MZef9vR2ZOSeXVXibOluq2SBjRlzrorJQ +AXY8r07l1+PNFpf4UQr70yaI1xO8VAlC/zmFqmE5zI8OjqbH4Ck8r6yaM+ZPNM20 +VClvkoIAzlGnVe6vziHpNuGnDXXfMtYOFeNmeCFBe87VnOjFCZR+hHtZKmRrkUtL +9w30UJKP9QMNcyBMTnugjcpflM82HObhuxRBkBZoAkFTksbEbNOtVgUiSq6aKt78 +6tiZolplL/5DrivplHCuNdyPE3Jhv7r8SLeh7VysXJxLxU1J2oZldzS7uq5uTPl9 +9sKCkJzhAgMBAAECggEABxk4Ph3DMWRUhwnL9HHewlGEjoaOeuAY2OC5GXT0mwBD +SHAWS6XgMhkq4kS9j8LnVn2qADxUwCjqJuSrN/YXWEjoBOGDeQBbVOwdIZ9Ule8o +Sz+zBFSMpoCNa2vbI6HTBEAOluD6oAV6dUCQMG4am1usTg5KOhRgiHoCj8lM5s3j +/f0KWkJReql92o//bLDXDjeGGDtIzaWfIKpsW7gwPe6nHsR7n854sbkdRT9b6BMa +EZPg17XD8Dg1ZkvUemShrvgPrGFPMH/JFcvpX1s4/l2kM88xQEL+s45E4IyTT2gh +FlDFC3QXrFI7M7emid3rwXIVEkEIO4Aw4xW34OAVnQKBgQD5cJE/WojeHI3Pyo3L +sMDaWabzWWAAsev5EpDo41BalPDpBig29qO31afkIwIgCQyLNMXn9VqxoxILOg5d +uopBaPWHihmME5qgLp6F6nDeOYril1b1LU1/7G2Ehu9lGYLJd6hdQ6tC/iKMfrIz +fnsHEH/FC4woWmXdFMozujyZNQKBgQDBM7jeBtdIOOZhcwc98y9mQUr+ttlUODC6 +BNI2xAcV6ZJg/y0JXby84jM0fP5MuCkGHdNvufpvT68Dn9NRhrOBz8JyhCy5m4Rz +/dIr3JUT5Y0r4+2l5MgfZMlcYCWESNcJPwchSstzAthLhtrgP2ZFGfzzZUZGAMxR +f6sZK7pWfQKBgQCYpp4NAm/eVeUndBNAw4PSXKlCJcENy9TYkdci3vHu7VVdlgoI +UPoyZ8ueXxpO1prZmks/QDTnnx9MxZPDIoS3sO8JqqclxV2Mh9s1oxq9tMNdFjb+ +RmI2Vk9TmmxpF6qldtgPc3kcv4APMP4Ha3EJCrzWrtFwZJoQKUfxThkFvQKBgQCI +Scs0XJELMpBZ2AIY0m7ybEbSDfyba5P79SCxX3E8JOuMnxWPEN/uQocqlK3zQso1 +tV6M5x3h3c0w+lLgpOwGO6AIlnLScAFsrXXQWSeUxI7kkkH3j78YXkmpb22ntpZy +wFJwSsngFPatuLC4FiE3x9Bnhl6fTTrUlwIEnJMzJQKBgFc5ej1NXuPWDlLKjC7w +0N4YPs5BJRuhoUxyajYC3FxiWvr5bTz7zqc5DAPcH0nGAH/UVWZzWXMUw+Je3dej +chkmVUuKjfTZTZHOBAqJDCNRfZcfzWnzAcXkcmsAHr53UKYnH8XGuHsPVHujQVu/ +0Hx7AKuJK48fZeo8LTZufg1l +-----END PRIVATE KEY----- diff --git a/certs/intermediate/ca_false_intermediate/test_ca.pem b/certs/intermediate/ca_false_intermediate/test_ca.pem new file mode 100644 index 0000000000..c40c1467d6 --- /dev/null +++ b/certs/intermediate/ca_false_intermediate/test_ca.pem @@ -0,0 +1,80 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3b:1d:6e:96:2e:32:85:de:99:5a:63:dd:49:1c:eb:cc + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = Wahington, O = Seattle, OU = Development, CN = www.wolfssl.com + Validity + Not Before: Oct 10 03:44:23 2024 GMT + Not After : Oct 8 03:44:23 2034 GMT + Subject: C = US, ST = Wahington, O = Seattle, OU = Development, CN = www.wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bc:40:43:0e:f1:8e:1e:0b:3b:36:f6:7e:aa:56: + 77:d2:a7:db:55:4b:14:10:52:d8:24:01:58:26:20: + 95:fe:e6:0d:cc:65:e7:fd:bd:1d:99:39:27:97:55: + 78:9b:3a:5b:aa:d9:20:63:46:5c:eb:a2:b2:50:01: + 76:3c:af:4e:e5:d7:e3:cd:16:97:f8:51:0a:fb:d3: + 26:88:d7:13:bc:54:09:42:ff:39:85:aa:61:39:cc: + 8f:0e:8e:a6:c7:e0:29:3c:af:ac:9a:33:e6:4f:34: + cd:b4:54:29:6f:92:82:00:ce:51:a7:55:ee:af:ce: + 21:e9:36:e1:a7:0d:75:df:32:d6:0e:15:e3:66:78: + 21:41:7b:ce:d5:9c:e8:c5:09:94:7e:84:7b:59:2a: + 64:6b:91:4b:4b:f7:0d:f4:50:92:8f:f5:03:0d:73: + 20:4c:4e:7b:a0:8d:ca:5f:94:cf:36:1c:e6:e1:bb: + 14:41:90:16:68:02:41:53:92:c6:c4:6c:d3:ad:56: + 05:22:4a:ae:9a:2a:de:fc:ea:d8:99:a2:5a:65:2f: + fe:43:ae:2b:e9:94:70:ae:35:dc:8f:13:72:61:bf: + ba:fc:48:b7:a1:ed:5c:ac:5c:9c:4b:c5:4d:49:da: + 86:65:77:34:bb:ba:ae:6e:4c:f9:7d:f6:c2:82:90: + 9c:e1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 49:CB:00:BF:AC:AD:4B:18:2C:DB:69:21:1E:60:EF:00:4E:FC:69:52 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 24:1c:cf:b6:3e:20:6e:99:e8:36:b3:7e:2d:67:0d:cb:b5:1c: + 69:ff:5a:bb:0b:2f:52:fd:d6:3e:73:5c:a2:47:8e:8d:1d:fc: + 96:e7:e0:ca:e6:b6:3d:af:fa:f1:77:77:e6:2e:67:e6:44:d7: + 84:36:ce:dc:cb:3e:3d:bf:bc:8b:48:53:30:fa:bf:43:81:5b: + e0:a3:a7:db:44:c2:29:cd:4c:8a:68:e8:b9:3e:5d:eb:e4:06: + 17:6d:de:cf:76:e9:5a:6a:16:27:f8:6f:96:43:8a:4f:65:be: + 3a:f2:7e:fd:ad:55:93:ad:ac:00:b4:b5:f3:85:b0:d7:83:6d: + ab:d0:8f:1a:23:36:e1:1f:c4:9d:54:e8:ee:20:cd:b9:da:56: + a7:92:5a:a5:bd:36:c5:a2:ea:ac:06:24:98:e5:32:0a:e0:00: + 64:63:9c:7d:01:18:66:5a:7a:b1:d5:b4:24:9b:5e:8a:6b:a0: + 25:eb:39:52:cd:12:61:d0:62:6c:19:e7:f5:ae:32:a3:aa:d5: + 2f:05:fe:6f:cb:47:20:a0:32:1d:cb:88:96:59:ed:8e:69:dd: + cf:f0:6f:83:85:ff:0a:59:ef:80:94:16:99:a6:35:ee:a7:b8: + d4:e9:3c:4f:56:5b:77:0e:b5:bd:61:21:b9:93:ad:be:2c:55: + 9b:bf:01:19 +-----BEGIN CERTIFICATE----- +MIIDkjCCAnqgAwIBAgIQOx1uli4yhd6ZWmPdSRzrzDANBgkqhkiG9w0BAQsFADBj +MQswCQYDVQQGEwJVUzESMBAGA1UECAwJV2FoaW5ndG9uMRAwDgYDVQQKDAdTZWF0 +dGxlMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZzc2wu +Y29tMB4XDTI0MTAxMDAzNDQyM1oXDTM0MTAwODAzNDQyM1owYzELMAkGA1UEBhMC +VVMxEjAQBgNVBAgMCVdhaGluZ3RvbjEQMA4GA1UECgwHU2VhdHRsZTEUMBIGA1UE +CwwLRGV2ZWxvcG1lbnQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBALxAQw7xjh4LOzb2fqpWd9Kn21VLFBBS +2CQBWCYglf7mDcxl5/29HZk5J5dVeJs6W6rZIGNGXOuislABdjyvTuXX480Wl/hR +CvvTJojXE7xUCUL/OYWqYTnMjw6OpsfgKTyvrJoz5k80zbRUKW+SggDOUadV7q/O +Iek24acNdd8y1g4V42Z4IUF7ztWc6MUJlH6Ee1kqZGuRS0v3DfRQko/1Aw1zIExO +e6CNyl+UzzYc5uG7FEGQFmgCQVOSxsRs061WBSJKrpoq3vzq2JmiWmUv/kOuK+mU +cK413I8TcmG/uvxIt6HtXKxcnEvFTUnahmV3NLu6rm5M+X32woKQnOECAwEAAaNC +MEAwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEnL +AL+srUsYLNtpIR5g7wBO/GlSMA0GCSqGSIb3DQEBCwUAA4IBAQAkHM+2PiBumeg2 +s34tZw3LtRxp/1q7Cy9S/dY+c1yiR46NHfyW5+DK5rY9r/rxd3fmLmfmRNeENs7c +yz49v7yLSFMw+r9DgVvgo6fbRMIpzUyKaOi5Pl3r5AYXbd7PdulaahYn+G+WQ4pP +Zb468n79rVWTrawAtLXzhbDXg22r0I8aIzbhH8SdVOjuIM252lanklqlvTbFouqs +BiSY5TIK4ABkY5x9ARhmWnqx1bQkm16Ka6Al6zlSzRJh0GJsGef1rjKjqtUvBf5v +y0cgoDIdy4iWWe2Oad3P8G+Dhf8KWe+AlBaZpjXup7jU6TxPVlt3DrW9YSG5k62+ +LFWbvwEZ +-----END CERTIFICATE----- diff --git a/certs/intermediate/ca_false_intermediate/test_int_not_cacert.pem b/certs/intermediate/ca_false_intermediate/test_int_not_cacert.pem new file mode 100644 index 0000000000..bcfef819ea --- /dev/null +++ b/certs/intermediate/ca_false_intermediate/test_int_not_cacert.pem @@ -0,0 +1,87 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 3b:1d:6e:96:2e:32:85:de:99:5a:63:dd:49:1c:eb:cd + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = Wahington, O = Seattle, OU = Development, CN = www.wolfssl.com + Validity + Not Before: Oct 10 03:44:23 2024 GMT + Not After : Oct 8 03:44:23 2034 GMT + Subject: C = US, ST = Wahington, O = Seattle, OU = Product_Support, CN = www.wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b8:54:e9:e6:bf:f4:b2:53:dc:3c:92:5a:06:9e: + 88:0e:2e:a7:ab:a6:9d:07:34:8f:3f:7c:e5:37:f8: + 26:2b:e0:cd:26:11:32:ae:06:f2:3b:3e:45:c1:57: + 45:4b:36:9b:a9:b7:93:26:02:08:bf:1f:54:17:6d: + e8:f1:36:20:6c:40:e2:e8:db:bf:0d:80:56:0f:a0: + d9:b5:39:d6:b3:43:93:de:5f:cf:a5:34:52:7b:38: + 4a:bc:4c:11:d2:ae:2c:1f:26:e2:51:c8:d6:94:e4: + ca:fe:ab:17:13:0d:9c:78:f8:cb:eb:f1:c6:5b:99: + 5a:12:2b:cb:39:4b:a0:d3:ec:22:66:62:34:9d:57: + 9d:9a:07:c6:45:3a:3d:e9:b2:82:e7:12:c6:af:3c: + a8:b9:5a:4f:8e:05:1b:d0:9d:63:72:d3:2c:63:67: + d9:3e:31:dd:fd:81:98:84:6d:ec:df:43:2c:b7:53: + 31:e2:ed:a5:1c:e8:ca:df:50:33:a9:98:0c:26:b9: + a1:3a:23:f7:1a:ce:d1:4f:1e:98:19:a9:3e:ec:bd: + ad:b4:44:fb:ce:2a:d0:61:b9:5c:b1:77:6e:e1:f5: + dc:c7:af:e6:43:ee:b7:3c:16:88:45:46:0e:6d:56: + d7:1c:0e:ae:35:fe:84:6f:cb:d0:8d:d6:e3:3d:f5: + ec:87 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + Netscape Cert Type: + SSL Server + X509v3 Subject Key Identifier: + D9:9F:9A:2E:FE:80:7F:EB:6C:92:A1:91:60:9B:65:7B:36:2A:F4:35 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Authority Key Identifier: + 49:CB:00:BF:AC:AD:4B:18:2C:DB:69:21:1E:60:EF:00:4E:FC:69:52 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 87:de:e3:93:74:f5:56:64:e7:d9:43:14:20:2e:69:8a:e7:c4: + aa:38:c7:61:49:f5:b6:aa:43:46:c3:a0:b7:91:9f:4d:b9:c1: + 94:5c:89:5d:21:cb:b7:16:9b:d2:fb:d1:ea:bf:0d:9d:c5:2e: + f1:1d:4c:a3:14:22:1b:46:7c:f7:9f:cc:02:97:88:73:e0:12: + 8e:14:59:ae:ac:39:59:2a:79:65:a7:65:19:8e:a8:d1:00:a3: + 62:80:bb:4c:fc:d9:7e:46:e4:cc:fb:0b:81:91:52:8e:1d:7f: + fb:31:51:25:02:7d:5d:a3:c5:d9:9b:1a:94:4e:68:04:56:17: + 04:8d:ba:ed:75:76:b2:f9:ef:d8:60:af:7a:6b:24:57:b9:02: + 38:83:66:a5:97:dc:af:64:b7:33:3e:43:04:46:7f:79:83:7f: + c7:55:a5:78:1e:9d:b0:75:8c:6b:09:db:5f:0a:e7:0c:61:95: + 70:9c:6a:6f:a7:8c:4d:bf:74:dd:ee:55:94:21:ba:63:d4:f1: + fb:af:fc:8f:76:8d:29:e7:0f:6e:ff:54:81:59:ac:10:0a:e5: + 65:1c:bb:de:83:85:1c:5a:23:26:9c:e0:c9:50:8c:ac:cd:09: + 9c:50:ed:e9:1d:c9:c3:a0:a3:da:00:b1:9b:03:b6:97:cc:eb: + 02:a9:e2:41 +-----BEGIN CERTIFICATE----- +MIID6DCCAtCgAwIBAgIQOx1uli4yhd6ZWmPdSRzrzTANBgkqhkiG9w0BAQsFADBj +MQswCQYDVQQGEwJVUzESMBAGA1UECAwJV2FoaW5ndG9uMRAwDgYDVQQKDAdTZWF0 +dGxlMRQwEgYDVQQLDAtEZXZlbG9wbWVudDEYMBYGA1UEAwwPd3d3LndvbGZzc2wu +Y29tMB4XDTI0MTAxMDAzNDQyM1oXDTM0MTAwODAzNDQyM1owZzELMAkGA1UEBhMC +VVMxEjAQBgNVBAgMCVdhaGluZ3RvbjEQMA4GA1UECgwHU2VhdHRsZTEYMBYGA1UE +CwwPUHJvZHVjdF9TdXBwb3J0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20wggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4VOnmv/SyU9w8kloGnogOLqer +pp0HNI8/fOU3+CYr4M0mETKuBvI7PkXBV0VLNpupt5MmAgi/H1QXbejxNiBsQOLo +278NgFYPoNm1OdazQ5PeX8+lNFJ7OEq8TBHSriwfJuJRyNaU5Mr+qxcTDZx4+Mvr +8cZbmVoSK8s5S6DT7CJmYjSdV52aB8ZFOj3psoLnEsavPKi5Wk+OBRvQnWNy0yxj +Z9k+Md39gZiEbezfQyy3UzHi7aUc6MrfUDOpmAwmuaE6I/caztFPHpgZqT7sva20 +RPvOKtBhuVyxd27h9dzHr+ZD7rc8FohFRg5tVtccDq41/oRvy9CN1uM99eyHAgMB +AAGjgZMwgZAwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBkAwHQYDVR0O +BBYEFNmfmi7+gH/rbJKhkWCbZXs2KvQ1MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE +FjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHwYDVR0jBBgwFoAUScsAv6ytSxgs22kh +HmDvAE78aVIwDQYJKoZIhvcNAQELBQADggEBAIfe45N09VZk59lDFCAuaYrnxKo4 +x2FJ9baqQ0bDoLeRn025wZRciV0hy7cWm9L70eq/DZ3FLvEdTKMUIhtGfPefzAKX +iHPgEo4UWa6sOVkqeWWnZRmOqNEAo2KAu0z82X5G5Mz7C4GRUo4df/sxUSUCfV2j +xdmbGpROaARWFwSNuu11drL579hgr3prJFe5AjiDZqWX3K9ktzM+QwRGf3mDf8dV +pXgenbB1jGsJ218K5wxhlXCcam+njE2/dN3uVZQhumPU8fuv/I92jSnnD27/VIFZ +rBAK5WUcu96DhRxaIyac4MlQjKzNCZxQ7ekdycOgo9oAsZsDtpfM6wKp4kE= +-----END CERTIFICATE----- diff --git a/certs/intermediate/ca_false_intermediate/test_sign_bynoca_srv.pem b/certs/intermediate/ca_false_intermediate/test_sign_bynoca_srv.pem new file mode 100644 index 0000000000..4cf39cf70f --- /dev/null +++ b/certs/intermediate/ca_false_intermediate/test_sign_bynoca_srv.pem @@ -0,0 +1,90 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + df:0d:6c:4b:d6:db:eb:35:5f:41:a1:3a:7a:56:16:93 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = US, ST = Wahington, O = Seattle, OU = Product_Support, CN = www.wolfssl.com + Validity + Not Before: Oct 10 03:44:23 2024 GMT + Not After : Oct 8 03:44:23 2034 GMT + Subject: C = US, ST = Wahington, O = Seattle, OU = Support, CN = www.wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ba:20:62:2b:81:ac:58:ce:f3:22:5d:9f:46:90: + b7:e9:a4:b3:fc:e1:b7:69:d3:b6:14:87:cb:bb:31: + 1e:bb:60:f2:3f:8c:6a:0d:63:55:a2:c8:03:4a:8d: + d6:a3:63:dd:fb:28:ef:31:95:70:cc:28:95:1f:f0: + 9c:89:f4:f6:56:1e:00:81:53:1b:78:1b:f9:9f:e3: + 10:65:8c:c6:40:36:21:cd:57:55:b2:14:71:9a:57: + 39:ee:da:98:1b:af:89:e0:c3:2b:f9:a1:93:3f:4d: + 65:41:2b:66:1d:66:9c:95:95:df:19:dc:8d:78:46: + f4:15:eb:64:5c:97:16:ec:e2:ec:ca:eb:e2:03:b8: + 41:81:c5:f4:ca:a4:e4:ab:de:ed:1a:da:a3:8d:02: + 39:8d:00:2c:5d:7e:ef:91:b1:d7:96:ba:65:c1:43: + ff:d4:6a:35:fa:17:50:cd:76:3e:1d:be:a4:69:f6: + ee:47:c3:7a:49:9a:80:6f:e6:9b:83:e0:e8:58:71: + fb:cd:6d:c1:b4:16:d2:37:64:a6:bc:b0:f4:fe:fb: + f4:72:a6:3c:79:32:7a:c0:b5:30:21:b1:35:df:d9: + 45:7f:c4:f6:c5:1c:98:6d:53:d6:ff:36:c1:38:18: + b7:76:13:10:c8:45:6a:52:73:65:7e:b9:b9:66:d4: + 3c:27 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + Netscape Cert Type: + SSL Server + X509v3 Subject Key Identifier: + 10:71:71:98:BD:C2:B2:97:DD:6F:B6:CD:28:EA:23:0E:51:AE:44:34 + X509v3 Key Usage: critical + Digital Signature, Key Encipherment + X509v3 Extended Key Usage: + TLS Web Client Authentication, TLS Web Server Authentication + X509v3 Subject Alternative Name: + DNS:www.wolfssl.com, DNS:wolfssl.jp + X509v3 Authority Key Identifier: + D9:9F:9A:2E:FE:80:7F:EB:6C:92:A1:91:60:9B:65:7B:36:2A:F4:35 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 54:7d:68:93:69:e0:3b:ea:3d:d8:68:ae:b1:97:97:2b:17:5d: + 76:7c:0d:0b:70:c5:a4:ec:3c:23:55:a5:bc:d7:dd:42:57:32: + dd:7e:9b:c9:b0:9c:8a:30:de:b6:7c:f9:ff:93:46:29:82:cf: + 8a:05:bb:b2:64:cf:22:db:15:bd:8e:56:14:2e:a4:5c:44:c2: + 3c:9d:3c:a0:dd:bd:a1:40:df:c3:8d:ff:71:73:6f:88:d6:57: + f2:c8:6c:20:18:ad:48:b8:2f:4c:41:ba:2a:f6:36:21:97:1b: + ee:7c:83:a8:43:80:08:8b:ac:a8:ed:df:dd:9c:7a:64:c9:6a: + 16:09:3b:57:1d:fc:f3:db:82:8f:c1:0e:e3:48:b7:d1:e8:19: + 1c:90:f0:b8:e6:ad:17:c5:82:b3:d5:15:bf:a3:c0:a6:4b:a7: + 97:98:86:93:4b:b0:1b:0e:62:61:16:d0:68:c2:e2:22:8a:f5: + 89:c7:bd:9d:38:65:0f:df:b1:38:9a:c7:e9:df:76:f4:5a:9f: + f5:2b:17:aa:9b:32:37:0a:72:93:8a:db:1d:b2:81:ff:0e:12: + b6:0a:31:46:7e:86:5e:0b:03:0d:7f:d0:bf:60:f2:f5:93:94: + f2:78:4f:80:34:b9:f7:66:ee:d6:b9:80:ca:bb:52:d0:e2:2f: + 1a:ac:99:a7 +-----BEGIN CERTIFICATE----- +MIIEDTCCAvWgAwIBAgIRAN8NbEvW2+s1X0GhOnpWFpMwDQYJKoZIhvcNAQELBQAw +ZzELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVdhaGluZ3RvbjEQMA4GA1UECgwHU2Vh +dHRsZTEYMBYGA1UECwwPUHJvZHVjdF9TdXBwb3J0MRgwFgYDVQQDDA93d3cud29s +ZnNzbC5jb20wHhcNMjQxMDEwMDM0NDIzWhcNMzQxMDA4MDM0NDIzWjBfMQswCQYD +VQQGEwJVUzESMBAGA1UECAwJV2FoaW5ndG9uMRAwDgYDVQQKDAdTZWF0dGxlMRAw +DgYDVQQLDAdTdXBwb3J0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20wggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6IGIrgaxYzvMiXZ9GkLfppLP84bdp +07YUh8u7MR67YPI/jGoNY1WiyANKjdajY937KO8xlXDMKJUf8JyJ9PZWHgCBUxt4 +G/mf4xBljMZANiHNV1WyFHGaVznu2pgbr4ngwyv5oZM/TWVBK2YdZpyVld8Z3I14 +RvQV62Rclxbs4uzK6+IDuEGBxfTKpOSr3u0a2qONAjmNACxdfu+RsdeWumXBQ//U +ajX6F1DNdj4dvqRp9u5Hw3pJmoBv5puD4OhYcfvNbcG0FtI3ZKa8sPT++/Rypjx5 +MnrAtTAhsTXf2UV/xPbFHJhtU9b/NsE4GLd2ExDIRWpSc2V+ublm1DwnAgMBAAGj +gbswgbgwDAYDVR0TAQH/BAIwADARBglghkgBhvhCAQEEBAMCBkAwHQYDVR0OBBYE +FBBxcZi9wrKX3W+2zSjqIw5RrkQ0MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU +BggrBgEFBQcDAgYIKwYBBQUHAwEwJgYDVR0RBB8wHYIPd3d3LndvbGZzc2wuY29t +ggp3b2xmc3NsLmpwMB8GA1UdIwQYMBaAFNmfmi7+gH/rbJKhkWCbZXs2KvQ1MA0G +CSqGSIb3DQEBCwUAA4IBAQBUfWiTaeA76j3YaK6xl5crF112fA0LcMWk7DwjVaW8 +191CVzLdfpvJsJyKMN62fPn/k0Ypgs+KBbuyZM8i2xW9jlYULqRcRMI8nTyg3b2h +QN/Djf9xc2+I1lfyyGwgGK1IuC9MQboq9jYhlxvufIOoQ4AIi6yo7d/dnHpkyWoW +CTtXHfzz24KPwQ7jSLfR6BkckPC45q0XxYKz1RW/o8CmS6eXmIaTS7AbDmJhFtBo +wuIiivWJx72dOGUP37E4msfp33b0Wp/1KxeqmzI3CnKTitsdsoH/DhK2CjFGfoZe +CwMNf9C/YPL1k5TyeE+ANLn3Zu7WuYDKu1LQ4i8arJmn +-----END CERTIFICATE----- diff --git a/certs/intermediate/ca_false_intermediate/wolfssl_base.conf b/certs/intermediate/ca_false_intermediate/wolfssl_base.conf new file mode 100644 index 0000000000..3d5ca1d1db --- /dev/null +++ b/certs/intermediate/ca_false_intermediate/wolfssl_base.conf @@ -0,0 +1,72 @@ +# OpenSSL config: certificate authority (CA) +# Default value +[ default ] +ca_name = _CA_NAME_ # CA name +home = . # Top dir +default_ca = ca # Default CA section +name_opt = utf8,esc_ctrl,multiline,lname,align # Display UTF-8 characters + +# Certificate request +[ req ] +default_bits = 2048 # RSA key size +encrypt_key = yes # Encrypted CA private key +default_md = sha256 # Message Digest to use +utf8 = yes # Input is UTF-8 +string_mask = utf8only # Emit UTF-8 strings +prompt = no # Don't prompt for DN +distinguished_name = ca_dn # DN section +req_extensions = ca_ext # Desired extensions + +# CA certificate info +[ ca_dn ] +countryName = "US" # CA cert info +stateOrProvinceName = "Wahington" # CA cert info +organizationName = "Seattle" # CA cert info +localityName = "WOLFSSL" # CA cert info +organizationalUnitName = "_CA_DEPART_" # CA cert info +commonName = "www.wolfssl.com" # Replaced during build proceduce + +# Extensions for signing CA certificate +[ ca_ext ] +keyUsage = critical,keyCertSign,cRLSign,digitalSignature # Limit key usage +basicConstraints = critical,CA:true # Dont allow intermediary CA +subjectKeyIdentifier = hash # SKI validation + +# CA operational settings +[ ca ] +default_ca = _CA_NAME_ # Default CA section + +# CA Section +[ _CA_NAME_ ] +certificate = $home/$ca_name.crt # CA certificate +private_key = $home/private/$ca_name.key # CA private key +new_certs_dir = $home/certs # Generated certificates +database = $home/db/index # Index file of generated crt +serial = $home/db/serial # Serial number file +RANDFILE = $home/ca/private/random # Random file +unique_subject = no # Dont require unique subject +default_days = 3650 # How long to certify for +default_md = sha256 # Message Digest to use +policy = match_pol # Default naming policy +email_in_dn = no # Dont add email to cert DN +copy_extensions = copy # Copy extensions from CSR (!) +x509_extensions = server_ext # Default cert extensions + +# Matching policy +# Enforce that all cert issued by the CA match criteria +# Useful for CA used internally with limited scope +[ match_pol ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# Extension used when signing server cert +[ _CERT_NAME_ ] +basicConstraints = critical,CA:false # Dont allow intermediary CA +nsCertType = server # Certificate type +subjectKeyIdentifier = hash # SKI validation +keyUsage = critical,digitalSignature,keyEncipherment # Define key usage +extendedKeyUsage = clientAuth,serverAuth # key usage continued diff --git a/certs/intermediate/ca_false_intermediate/wolfssl_srv.conf b/certs/intermediate/ca_false_intermediate/wolfssl_srv.conf new file mode 100644 index 0000000000..3498f64d28 --- /dev/null +++ b/certs/intermediate/ca_false_intermediate/wolfssl_srv.conf @@ -0,0 +1,26 @@ +############################################ +# OpenSSL config: generate server key/csr +############################################ +# Certificate request +[ req ] +default_bits = 2048 # RSA key size +encrypt_key = no # Encrypted CA private key +default_md = sha256 # Message Digest to use +utf8 = yes # Input is UTF-8 +string_mask = utf8only # Emit UTF-8 strings +prompt = no # Don't prompt for DN +distinguished_name = server_dn # DN section +req_extensions = server_ext # Desired extensions + +# Server certificate info +[ server_dn ] +countryName = "US" +stateOrProvinceName = "Wahington" +organizationName = "Seattle" +localityName = "wolfSSL" +organizationalUnitName = "Support" +commonName = "www.wolfssl.com" + +# Extension - add alternative name to cert +[ server_ext ] +subjectAltName = "DNS:www.wolfssl.com,DNS:wolfssl.jp" diff --git a/certs/intermediate/include.am b/certs/intermediate/include.am index f480880da2..ad3a66b217 100644 --- a/certs/intermediate/include.am +++ b/certs/intermediate/include.am @@ -40,4 +40,12 @@ EXTRA_DIST += \ certs/intermediate/server-int-cert.der \ certs/intermediate/server-int-cert.pem \ certs/intermediate/server-int-ecc-cert.der \ - certs/intermediate/server-int-ecc-cert.pem + certs/intermediate/ca_false_intermediate/gentestcert.sh \ + certs/intermediate/ca_false_intermediate/int_ca.key \ + certs/intermediate/ca_false_intermediate/server.key \ + certs/intermediate/ca_false_intermediate/test_ca.key \ + certs/intermediate/ca_false_intermediate/test_ca.pem \ + certs/intermediate/ca_false_intermediate/test_int_not_cacert.pem \ + certs/intermediate/ca_false_intermediate/test_sign_bynoca_srv.pem \ + certs/intermediate/ca_false_intermediate/wolfssl_base.conf \ + certs/intermediate/ca_false_intermediate/wolfssl_srv.conf diff --git a/certs/taoCert.txt b/certs/taoCert.txt index 0973defb26..a34b517a03 100644 --- a/certs/taoCert.txt +++ b/certs/taoCert.txt @@ -95,7 +95,7 @@ to use PKCS#5 v2 instead of v1.5 which is default add -v2 des3 # file Pkcs8Enc2 -to use PKCS#12 instead use -v1 witch a 12 algo like +to use PKCS#12 instead use -v1 which a 12 algo like -v1 PBE-SHA1-3DES # file Pkcs8Enc12 , see man pkcs8 for more info -v1 PBE-SHA1-RC4-128 # no longer file Pkcs8Enc12, arc4 now off by default diff --git a/cmake/options.h.in b/cmake/options.h.in index f63953627b..797d180fbd 100644 --- a/cmake/options.h.in +++ b/cmake/options.h.in @@ -65,7 +65,7 @@ extern "C" { #undef GCM_WORD32 #cmakedefine GCM_WORD32 #undef HAVE___UINT128_T -#cmakedefine HAVE___UINT128_T +#cmakedefine HAVE___UINT128_T 1 #undef HAVE_AES_KEYWRAP #cmakedefine HAVE_AES_KEYWRAP #undef HAVE_AESCCM @@ -131,7 +131,7 @@ extern "C" { #undef HAVE_POLY1305 #cmakedefine HAVE_POLY1305 #undef HAVE_PTHREAD -#cmakedefine HAVE_PTHREAD +#cmakedefine HAVE_PTHREAD 1 #undef HAVE_REPRODUCIBLE_BUILD #cmakedefine HAVE_REPRODUCIBLE_BUILD #undef HAVE_SESSION_TICKET diff --git a/configure.ac b/configure.ac index cc0217b441..218b1659b2 100644 --- a/configure.ac +++ b/configure.ac @@ -7,9 +7,12 @@ # AC_COPYRIGHT([Copyright (C) 2006-2024 wolfSSL Inc.]) AC_PREREQ([2.69]) -AC_INIT([wolfssl],[5.7.2],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com]) +AC_INIT([wolfssl],[5.7.4],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) +# Inhibit unwanted regeneration of autotools artifacts by Makefile. +AM_MAINTAINER_MODE([disable]) + # The following sets CFLAGS to empty if unset on command line. We do not # want the default "-g -O2" that AC_PROG_CC sets automatically. : ${CFLAGS=""} @@ -51,7 +54,7 @@ WOLFSSL_LIBRARY_VERSION_FIRST=42 # increment if interfaces have been added # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented -WOLFSSL_LIBRARY_VERSION_SECOND=2 +WOLFSSL_LIBRARY_VERSION_SECOND=3 # increment if source code has changed # set to zero if WOLFSSL_LIBRARY_VERSION_FIRST is incremented or @@ -573,16 +576,15 @@ then AM_CFLAGS="$AM_CFLAGS -ffile-prefix-map=\$(abs_top_srcdir)/= -ffile-prefix-map=\$(top_srcdir)/=" fi - # opportunistically use linker option --build-id=none - - if "$CC" -Wl,--build-id=none -x c - -o /dev/null >/dev/null 2>&1 <<' EOF' + # opportunistically force linker option --build-id=sha1 (usually the default) + if "$CC" -Wl,--build-id=sha1 -x c - -o /dev/null >/dev/null 2>&1 <<' EOF' #include int main(int argc, char **argv) { (void)argc; (void)argv; return 0; } EOF then - AM_LDFLAGS="$AM_LDFLAGS -Wl,--build-id=none" + AM_LDFLAGS="$AM_LDFLAGS -Wl,--build-id=sha1" fi fi @@ -894,8 +896,7 @@ then fi - -# ALL FEATURES +# All features, except conflicting or experimental: AC_ARG_ENABLE([all], [AS_HELP_STRING([--enable-all],[Enable all wolfSSL features, except SSLv3 (default: disabled)])], [ ENABLED_ALL=$enableval ], @@ -903,13 +904,14 @@ AC_ARG_ENABLE([all], ) if test "$ENABLED_ALL" = "yes" then - enable_all_crypto=yes + test "$enable_all_crypto" = "" && enable_all_crypto=yes + + test "$enable_all_osp" = "" && test "$ENABLED_LINUXKM_DEFAULTS" != "yes" && enable_all_osp=yes test "$enable_dtls" = "" && enable_dtls=yes if test "x$FIPS_VERSION" != "xv1" then test "$enable_tls13" = "" && enable_tls13=yes - test "$enable_rsapss" = "" && enable_rsapss=yes fi test "$enable_savesession" = "" && enable_savesession=yes @@ -917,13 +919,12 @@ then test "$enable_postauth" = "" && enable_postauth=yes test "$enable_hrrcookie" = "" && enable_hrrcookie=yes test "$enable_fallback_scsv" = "" && enable_fallback_scsv=yes - test "$enable_webserver" = "" && enable_webserver=yes test "$enable_crl_monitor" = "" && enable_crl_monitor=yes test "$enable_sni" = "" && enable_sni=yes test "$enable_maxfragment" = "" && enable_maxfragment=yes test "$enable_alpn" = "" && enable_alpn=yes test "$enable_truncatedhmac" = "" && enable_truncatedhmac=yes - test "$enable_trusted_ca" = "" && enable_trusted_ca=yes + test "$enable_trustedca" = "" && enable_trustedca=yes test "$enable_session_ticket" = "" && enable_session_ticket=yes test "$enable_earlydata" = "" && enable_earlydata=yes test "$enable_ech" = "" && enable_ech=yes @@ -940,26 +941,9 @@ then # linuxkm is incompatible with opensslextra and its dependents. if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" then - if test "$ENABLED_FIPS" = "no" - then - if test "$ENABLED_32BIT" != "yes" - then - test "$enable_openssh" = "" && enable_openssh=yes - fi - # S/MIME support requires PKCS7, which requires no FIPS. - test "$enable_smime" = "" && enable_smime=yes - fi test "$enable_opensslextra" = "" && enable_opensslextra=yes test "$enable_opensslall" = "" && enable_opensslall=yes test "$enable_certservice" = "" && enable_certservice=yes - test "$enable_lighty" = "" && enable_lighty=yes - test "$enable_nginx" = "" && enable_nginx=yes - test "$enable_openvpn" = "" && enable_openvpn=yes - test "$enable_asio" = "" && enable_asio=yes - test "$enable_libwebsockets" = "" && enable_libwebsockets=yes - if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then - test "$enable_qt" = "" && enable_qt=yes - fi fi fi @@ -967,14 +951,6 @@ then then test "$enable_scep" = "" && enable_scep=yes test "$enable_mcast" = "" && enable_mcast=yes - - if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" - then - # these use DES3: - test "$enable_stunnel" = "" && enable_stunnel=yes - test "$enable_curl" = "" && enable_curl=yes - test "$enable_tcpdump" = "" && enable_tcpdump=yes - fi fi if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6 @@ -995,6 +971,57 @@ then fi +# All OSP meta-features: +AC_ARG_ENABLE([all-osp], + [AS_HELP_STRING([--enable-all-osp],[Enable all OSP meta feature sets (default: disabled)])], + [ ENABLED_ALL_OSP=$enableval ], + [ ENABLED_ALL_OSP=no] + ) + +if test "$ENABLED_ALL_OSP" = "yes" +then + if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" + then + AC_MSG_ERROR([--enable-all-osp is incompatible with --enable-linuxkm-defaults]) + fi + + test "$enable_webserver" = "" && enable_webserver=yes + + if test "$ENABLED_SP_MATH" = "no" + then + if test "$ENABLED_FIPS" = "no" + then + # S/MIME support requires PKCS7, which requires no FIPS. + test "$enable_smime" = "" && enable_smime=yes + if test "$ENABLED_32BIT" != "yes" + then + test "$enable_openssh" = "" && enable_openssh=yes + fi + fi + + if test "$ENABLED_ALL_OSP" != "no" + then + test "$enable_lighty" = "" && enable_lighty=yes + test "$enable_nginx" = "" && enable_nginx=yes + test "$enable_openvpn" = "" && enable_openvpn=yes + test "$enable_asio" = "" && enable_asio=yes + test "$enable_libwebsockets" = "" && enable_libwebsockets=yes + if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then + test "$enable_qt" = "" && enable_qt=yes + fi + fi + fi + + if test "$ENABLED_FIPS" = "no" + then + # these use DES3: + test "$enable_stunnel" = "" && enable_stunnel=yes + test "$enable_curl" = "" && enable_curl=yes + test "$enable_tcpdump" = "" && enable_tcpdump=yes + fi +fi + + # Auto-selected activation of all applicable asm accelerations # Enable asm automatically only if the compiler advertises itself as full Gnu C. @@ -1091,7 +1118,7 @@ then fi -# ALL CRYPTO FEATURES +# All wolfCrypt features: AC_ARG_ENABLE([all-crypto], [AS_HELP_STRING([--enable-all-crypto],[Enable all wolfcrypt algorithms (default: disabled)])], [ ENABLED_ALL_CRYPT=$enableval ], @@ -1150,13 +1177,19 @@ then test "$enable_anon" = "" && enable_anon=yes test "$enable_ssh" = "" && test "$enable_hmac" != "no" && enable_ssh=yes + if test "x$FIPS_VERSION" != "xv1" + then + test "$enable_rsapss" = "" && enable_rsapss=yes + fi + # sp-math is incompatible with opensslextra, ECC custom curves, and DSA. if test "$ENABLED_SP_MATH" = "no" then test "$enable_dsa" = "" && test "$enable_sha" != "no" && enable_dsa=yes if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then test "$enable_ecccustcurves" = "" && enable_ecccustcurves=yes - test "$enable_brainpool" = "" && enable_brainpool=yes + test "$enable_ecccustcurves" != "no" && test "$enable_brainpool" = "" && enable_brainpool=yes + test "$enable_ecccustcurves" != "no" && AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC_CDH -DHAVE_ECC_KOBLITZ -DHAVE_ECC_SECPR2 -DHAVE_ECC_SECPR3" fi test "$enable_srp" = "" && enable_srp=yes fi @@ -1195,6 +1228,7 @@ then if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then test "$enable_des3" = "" && enable_des3=yes + test "$enable_des3" != "no" && AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DES_ECB" fi AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES" @@ -1275,6 +1309,7 @@ AC_ARG_ENABLE([kyber], ) ENABLED_WC_KYBER=no +ENABLED_ML_KEM=unset for v in `echo $ENABLED_KYBER | tr "," " "` do case $v in @@ -1300,6 +1335,9 @@ do original) ENABLED_ORIGINAL=yes ;; + ml-kem) + ENABLED_ML_KEM=yes + ;; *) AC_MSG_ERROR([Invalid choice for KYBER []: $ENABLED_KYBER.]) break;; @@ -1316,17 +1354,36 @@ then AM_CCASFLAGS="$AM_CCASFLAGS -DWOLFSSL_WC_KYBER" fi - if test "$ENABLED_KYBER512" = ""; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER512" - fi - if test "$ENABLED_KYBER768" = ""; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER768" - fi - if test "$ENABLED_KYBER1024" = ""; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER1024" - fi if test "$ENABLED_ORIGINAL" = "yes"; then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KYBER_ORIGINAL" + if test "$ENABLED_KYBER512" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER512" + fi + if test "$ENABLED_KYBER768" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER768" + fi + if test "$ENABLED_KYBER1024" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_KYBER1024" + fi + if test "$ENABLED_ML_KEM" = "unset"; then + ENABLED_ML_KEM=no + fi + fi + if test "$ENABLED_ML_KEM" = "unset"; then + ENABLED_ML_KEM=yes + fi + if test "$ENABLED_ML_KEM" = "yes"; then + if test "$ENABLED_KYBER512" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_512" + fi + if test "$ENABLED_KYBER768" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_768" + fi + if test "$ENABLED_KYBER1024" = ""; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM_1024" + fi + else + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_ML_KEM" fi if test "$ENABLED_WC_KYBER" = "yes" @@ -2241,7 +2298,7 @@ fi # OPENSSL Extra Compatibility AC_ARG_ENABLE([opensslextra], - [AS_HELP_STRING([--enable-opensslextra],[Enable extra OpenSSL API, size+ (default: disabled)])], + [AS_HELP_STRING([--enable-opensslextra],[Enable extra OpenSSL API, size+ (default: disabled). Skip compat header install using "noinstall"])], [ ENABLED_OPENSSLEXTRA=$enableval ], [ ENABLED_OPENSSLEXTRA=no ] ) @@ -4605,6 +4662,11 @@ fi if test "$ENABLED_WOLFSENTRY" = "yes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_WOLFSENTRY_HOOKS -DHAVE_EX_DATA -DHAVE_EX_DATA_CLEANUP_HOOKS" + if test "$ENABLED_OPENSSLEXTRA" = "no" + then + ENABLED_OPENSSLEXTRA="yes" + AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA" + fi WOLFSENTRY_LIB="$WOLFSENTRY_LIB -lwolfsentry" fi @@ -5966,6 +6028,19 @@ else fi +# C89 build +AC_ARG_ENABLE([c89], + [AS_HELP_STRING([--enable-c89],[Build with C89 toolchain (default: disabled)])], + [ ENABLED_C89=$enableval ], + [ ENABLED_C89=no ] + ) + +if test "$ENABLED_C89" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLF_C89" + test "$enable_inline" = "" && enable_inline=no +fi + # inline Build AC_ARG_ENABLE([inline], [AS_HELP_STRING([--enable-inline],[Enable inline functions (default: enabled)])], @@ -7354,7 +7429,7 @@ then ENABLED_WOLFSSH="yes" fi - if test "x$ENABLED_OPENSSLEXTRA" = "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" + if test "x$ENABLED_OPENSSLEXTRA" = "xno" then ENABLED_OPENSSLEXTRA="yes" fi @@ -8186,10 +8261,12 @@ if test "$ENABLED_SP_RSA" = "yes" || test "$ENABLED_SP_DH" = "yes"; then case $host_cpu in *x86_64* | *aarch64* | *amd64*) - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_LARGE_CODE" - ;; + if test "$ENABLED_SP_SMALL" = "no"; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SP_LARGE_CODE" + fi + ;; *) - ;; + ;; esac fi if test "$ENABLED_ECC" != "no" && test "$ENABLED_SP_ECC" = "yes"; then @@ -8901,6 +8978,8 @@ AC_ARG_ENABLE([dual-alg-certs], AS_IF([ test "$ENABLED_DUAL_ALG_CERTS" != "no" && test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([dual-alg-certs requires --enable-experimental.]) ]) +AS_IF([ test "$ENABLED_DUAL_ALG_CERTS" != "no" && test "$ENABLED_CRYPTONLY" = "yes" ],[ AC_MSG_ERROR([dual-alg-certs is incompatible with --enable-cryptonly.]) ]) + # Adds functionality to support Raw Public Key (RPK) RFC7250 AC_ARG_ENABLE([rpk], [AS_HELP_STRING([--enable-rpk],[Enable support for Raw Public Key (RPK) RFC7250 (default: disabled)])], @@ -9092,6 +9171,12 @@ then ENABLED_DES3="yes" fi + # Has support for PKCS7 + if test "$ENABLED_PKCS7" = "no" + then + ENABLED_PKCS7=yes + fi + # Uses alt name ENABLED_ALTNAMES="yes" @@ -9348,7 +9433,7 @@ then AM_CFLAGS="$AM_CFLAGS -DNO_HMAC" fi -if test "$ENABLED_OPENSSLEXTRA" = "yes" && test "x$ENABLED_OPENSSLCOEXIST" = "xno" +if test "$ENABLED_OPENSSLEXTRA" = "yes" then AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA" fi @@ -9569,9 +9654,6 @@ if test "x$ENABLED_OPENSSLCOEXIST" = "xyes"; then if test "x$ENABLED_OPENSSLALL" = "xyes"; then AC_MSG_ERROR([Cannot use --enable-opensslcoexist with --enable-opensslall]) fi - if test "x$ENABLED_OPENSSLEXTRA" = "xyes"; then - AC_MSG_ERROR([Cannot use --enable-opensslcoexist with --enable-opensslextra]) - fi fi if test "$ENABLED_WOLFSSH" = "yes" && test "$ENABLED_HMAC" = "no" @@ -9611,7 +9693,7 @@ if test "$ENABLED_DH" != "no" && test "$ENABLED_DH" != "const"; then LT_LIB_M fi -# mulitple OCSP stapling for TLS 1.3 Certificate extension +# multiple OCSP stapling for TLS 1.3 Certificate extension if test "$ENABLED_CERTIFICATE_STATUS_REQUEST" = "yes" then if test "$ENABLED_TLS13" = "yes" @@ -9724,8 +9806,8 @@ if test "x$ENABLED_LINUXKM" = "xyes"; then AC_SUBST([ASFLAGS_FPUSIMD_DISABLE]) AC_SUBST([ASFLAGS_FPUSIMD_ENABLE]) - if test "$ENABLED_OPENSSLEXTRA" != "no" && test "$ENABLED_CRYPTONLY" = "no"; then - AC_MSG_ERROR([--enable-opensslextra without --enable-cryptonly is incompatible with --enable-linuxkm.]) + if test "$ENABLED_OPENSSLEXTRA" != "no" && test "$ENABLED_LINUXKM_PIE" = "yes" && test "$ENABLED_CRYPTONLY" = "no"; then + AC_MSG_ERROR([--enable-opensslextra with --enable-linuxkm-pie and without --enable-cryptonly is incompatible with --enable-linuxkm.]) fi if test "$ENABLED_FILESYSTEM" = "yes"; then AC_MSG_ERROR([--enable-filesystem is incompatible with --enable-linuxkm.]) @@ -9784,6 +9866,7 @@ fi # Some of these affect build targets and objects, some trigger different # test scripts for make check. AM_CONDITIONAL([BUILD_DISTRO],[test "x$ENABLED_DISTRO" = "xyes"]) +AM_CONDITIONAL([BUILD_OPENSSL_COMPAT],[test "x$ENABLED_OPENSSLEXTRA" != "xnoinstall"]) AM_CONDITIONAL([BUILD_ALL],[test "x$ENABLED_ALL" = "xyes"]) AM_CONDITIONAL([BUILD_TLS13],[test "x$ENABLED_TLS13" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_RNG],[test "x$ENABLED_RNG" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) @@ -9889,7 +9972,7 @@ AM_CONDITIONAL([USE_VALGRIND],[test "x$ENABLED_VALGRIND" = "xyes"]) AM_CONDITIONAL([BUILD_MD4],[test "x$ENABLED_MD4" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_PWDBASED],[test "x$ENABLED_PWDBASED" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_SCRYPT],[test "x$ENABLED_SCRYPT" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) -AM_CONDITIONAL([BUILD_CRYPTONLY],[test "x$ENABLED_CRYPTONLY" = "xyes" && test "x$ENABLED_OPENSSLEXTRA" = "xno"]) +AM_CONDITIONAL([BUILD_CRYPTONLY],[test "x$ENABLED_CRYPTONLY" = "xyes"]) AM_CONDITIONAL([BUILD_FASTMATH],[test "x$ENABLED_FASTMATH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_HEAPMATH],[test "x$ENABLED_HEAPMATH" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_EXAMPLE_SERVERS],[test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"]) @@ -10458,6 +10541,7 @@ echo " * ARM ASM SM3/SM4 Crypto $ENABLED_ARMASM_CRYPTO_SM4" echo " * RISC-V ASM $ENABLED_RISCV_ASM" echo " * Write duplicate: $ENABLED_WRITEDUP" echo " * Xilinx Hardware Acc.: $ENABLED_XILINX" +echo " * C89: $ENABLED_C89" echo " * Inline Code: $ENABLED_INLINE" echo " * Linux AF_ALG: $ENABLED_AFALG" echo " * Linux KCAPI: $ENABLED_KCAPI" diff --git a/doc/dox_comments/header_files/asn_public.h b/doc/dox_comments/header_files/asn_public.h index 30ea784b00..3b9cc72826 100644 --- a/doc/dox_comments/header_files/asn_public.h +++ b/doc/dox_comments/header_files/asn_public.h @@ -1557,6 +1557,219 @@ int wc_EccPublicKeyToDer(ecc_key* key, byte* output, int wc_EccPublicKeyToDer_ex(ecc_key* key, byte* output, word32 inLen, int with_AlgCurve, int comp); + +/*! + \ingroup ASN + + \brief This function decodes a Curve25519 private key (only) from a DER + encoded buffer + + \return 0 Success + \return BAD_FUNC_ARG Returns if input, inOutIdx or key is null + \return ASN_PARSE_E Returns if there is an error parsing the DER encoded + data + \return ECC_BAD_ARG_E Returns if the key length is not CURVE25519_KEYSIZE or + the DER key contains other issues despite being properly formatted. + \return BUFFER_E Returns if the input buffer is too small to contain a + valid DER encoded key. + + \param input Pointer to buffer containing DER encoded private key + \param inOutIdx Index to start reading input buffer from. On output, + index is set to last position parsed of input buffer. + \param key Pointer to curve25519_key structure to store decoded key + \param inSz Size of input DER buffer + + \sa wc_Curve25519KeyDecode + \sa wc_Curve25519PublicKeyDecode + + _Example_ + \code + byte der[] = { // DER encoded key }; + word32 idx = 0; + curve25519_key key; + wc_curve25519_init(&key); + + if (wc_Curve25519PrivateKeyDecode(der, &idx, &key, sizeof(der)) != 0) { + // Error decoding private key + } + \endcode +*/ +int wc_Curve25519PrivateKeyDecode(const byte* input, word32* inOutIdx, + curve25519_key* key, word32 inSz); + +/*! + \ingroup ASN + + \brief This function decodes a Curve25519 public key (only) from a DER + encoded buffer. + + \return 0 Success + \return BAD_FUNC_ARG Returns if input, inOutIdx or key is null + \return ASN_PARSE_E Returns if there is an error parsing the DER encoded + data + \return ECC_BAD_ARG_E Returns if the key length is not CURVE25519_KEYSIZE or + the DER key contains other issues despite being properly formatted. + \return BUFFER_E Returns if the input buffer is too small to contain a + valid DER encoded key. + + \param input Pointer to buffer containing DER encoded public key + \param inOutIdx Index to start reading input buffer from. On output, + index is set to last position parsed of input buffer. + \param key Pointer to curve25519_key structure to store decoded key + \param inSz Size of input DER buffer + + \sa wc_Curve25519KeyDecode + \sa wc_Curve25519PrivateKeyDecode + + _Example_ + \code + byte der[] = { // DER encoded key }; + word32 idx = 0; + curve25519_key key; + wc_curve25519_init(&key); + if (wc_Curve25519PublicKeyDecode(der, &idx, &key, sizeof(der)) != 0) { + // Error decoding public key + } + \endcode +*/ +int wc_Curve25519PublicKeyDecode(const byte* input, word32* inOutIdx, + curve25519_key* key, word32 inSz); + +/*! + \ingroup ASN + + \brief This function decodes a Curve25519 key from a DER encoded buffer. It + can decode either a private key, a public key, or both. + + \return 0 Success + \return BAD_FUNC_ARG Returns if input, inOutIdx or key is null + \return ASN_PARSE_E Returns if there is an error parsing the DER encoded + data + \return ECC_BAD_ARG_E Returns if the key length is not CURVE25519_KEYSIZE or + the DER key contains other issues despite being properly formatted. + \return BUFFER_E Returns if the input buffer is too small to contain a + valid DER encoded key. + + \param input Pointer to buffer containing DER encoded key + \param inOutIdx Index to start reading input buffer from. On output, + index is set to last position parsed of input buffer. + \param key Pointer to curve25519_key structure to store decoded key + \param inSz Size of input DER buffer + + \sa wc_Curve25519PrivateKeyDecode + \sa wc_Curve25519PublicKeyDecode + + _Example_ + \code + byte der[] = { // DER encoded key }; + word32 idx = 0; + curve25519_key key; + wc_curve25519_init(&key); + if (wc_Curve25519KeyDecode(der, &idx, &key, sizeof(der)) != 0) { + // Error decoding key + } + \endcode +*/ +int wc_Curve25519KeyDecode(const byte* input, word32* inOutIdx, + curve25519_key* key, word32 inSz); + +/*! + \ingroup ASN + + \brief This function encodes a Curve25519 private key to DER format. If the + input key structure contains a public key, it will be ignored. + + \return >0 Success, length of DER encoding + \return BAD_FUNC_ARG Returns if key or output is null + \return MEMORY_E Returns if there is an allocation failure + \return BUFFER_E Returns if output buffer is too small + + \param key Pointer to curve25519_key structure containing private key to + encode + \param output Buffer to hold DER encoding + \param inLen Size of output buffer + + \sa wc_Curve25519KeyToDer + \sa wc_Curve25519PublicKeyToDer + + _Example_ + \code + curve25519_key key; + wc_curve25519_init(&key); + ... + int derSz = 128; // Some appropriate size for output DER + byte der[derSz]; + wc_Curve25519PrivateKeyToDer(&key, der, derSz); + \endcode +*/ +int wc_Curve25519PrivateKeyToDer(curve25519_key* key, byte* output, + word32 inLen); + +/*! + \ingroup ASN + + \brief This function encodes a Curve25519 public key to DER format. If the + input key structure contains a private key, it will be ignored. + + \return >0 Success, length of DER encoding + \return BAD_FUNC_ARG Returns if key or output is null + \return MEMORY_E Returns if there is an allocation failure + \return BUFFER_E Returns if output buffer is too small + + \param key Pointer to curve25519_key structure containing public key to + encode + \param output Buffer to hold DER encoding + \param inLen Size of output buffer + \param withAlg Whether to include algorithm identifier in the DER encoding + + \sa wc_Curve25519KeyToDer + \sa wc_Curve25519PrivateKeyToDer + + _Example_ + \code + curve25519_key key; + wc_curve25519_init(&key); + ... + int derSz = 128; // Some appropriate size for output DER + byte der[derSz]; + wc_Curve25519PublicKeyToDer(&key, der, derSz, 1); + \endcode +*/ +int wc_Curve25519PublicKeyToDer(curve25519_key* key, byte* output, word32 inLen, + int withAlg); + +/*! + \ingroup ASN + + \brief This function encodes a Curve25519 key to DER format. It can encode + either a private key, a public key, or both. + + \return >0 Success, length of DER encoding + \return BAD_FUNC_ARG Returns if key or output is null + \return MEMORY_E Returns if there is an allocation failure + \return BUFFER_E Returns if output buffer is too small + + \param key Pointer to curve25519_key structure containing key to encode + \param output Buffer to hold DER encoding + \param inLen Size of output buffer + \param withAlg Whether to include algorithm identifier in the DER encoding + + \sa wc_Curve25519PrivateKeyToDer + \sa wc_Curve25519PublicKeyToDer + + _Example_ + \code + curve25519_key key; + wc_curve25519_init(&key); + ... + int derSz = 128; // Some appropriate size for output DER + byte der[derSz]; + wc_Curve25519KeyToDer(&key, der, derSz, 1); + \endcode +*/ +int wc_Curve25519KeyToDer(curve25519_key* key, byte* output, word32 inLen, + int withAlg); + /*! \ingroup ASN diff --git a/doc/dox_comments/header_files/ecc.h b/doc/dox_comments/header_files/ecc.h index bad010751e..20bd89ccd5 100644 --- a/doc/dox_comments/header_files/ecc.h +++ b/doc/dox_comments/header_files/ecc.h @@ -2006,3 +2006,29 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg, \endcode */ int wc_ecc_set_nonblock(ecc_key *key, ecc_nb_ctx_t* ctx); + +/*! + \ingroup ECC + + \brief Compare a curve which has larger key than specified size or the curve matched curve ID, + set a curve with smaller key size to the key. + + \return 0 Returned upon successfully setting the key + + \param keysize Key size in bytes + \param curve_id Curve ID + + _Example_ + \code int ret; + ecc_key ecc; + + ret = wc_ecc_init(&ecc); + if (ret != 0) + return ret; + ret = wc_ecc_set_curve(&ecc, 32, ECC_SECP256R1)); + if (ret != 0) + return ret; + + \endcode +*/ +int wc_ecc_set_curve(ecc_key *key, int keysize, int curve_id); diff --git a/doc/dox_comments/header_files/ed25519.h b/doc/dox_comments/header_files/ed25519.h index 41705ce33a..9ab61de62c 100644 --- a/doc/dox_comments/header_files/ed25519.h +++ b/doc/dox_comments/header_files/ed25519.h @@ -188,8 +188,7 @@ int wc_ed25519ctx_sign_msg(const byte* in, word32 inlen, byte* out, \brief This function signs a message digest using an ed25519_key object to guarantee authenticity. The context is included as part of the data - signed. The message is pre-hashed before signature calculation. The hash - algorithm used to create message digest must be SHAKE-256. + signed. The message is pre-hashed before signature calculation. \return 0 Returned upon successfully generating a signature for the message digest. diff --git a/doc/dox_comments/header_files/ed448.h b/doc/dox_comments/header_files/ed448.h index a3ea82088a..2f186b56b1 100644 --- a/doc/dox_comments/header_files/ed448.h +++ b/doc/dox_comments/header_files/ed448.h @@ -133,7 +133,6 @@ int wc_ed448_sign_msg(const byte* in, word32 inlen, byte* out, \brief This function signs a message digest using an ed448_key object to guarantee authenticity. The context is included as part of the data signed. The hash is the pre-hashed message before signature calculation. - The hash algorithm used to create message digest must be SHAKE-256. \return 0 Returned upon successfully generating a signature for the message digest. @@ -162,7 +161,7 @@ int wc_ed448_sign_msg(const byte* in, word32 inlen, byte* out, byte sig[114]; // will hold generated signature sigSz = sizeof(sig); - byte hash[] = { initialize with SHAKE-256 hash of message }; + byte hash[] = { initialize hash of message }; byte context[] = { initialize with context of signing }; wc_InitRng(&rng); // initialize rng @@ -297,7 +296,6 @@ int wc_ed448_verify_msg(const byte* sig, word32 siglen, const byte* msg, \brief This function verifies the Ed448 signature of the digest of a message to ensure authenticity. The context is included as part of the data verified. The hash is the pre-hashed message before signature calculation. - The hash algorithm used to create message digest must be SHAKE-256. The answer is returned through res, with 1 corresponding to a valid signature, and 0 corresponding to an invalid signature. @@ -325,7 +323,7 @@ int wc_ed448_verify_msg(const byte* sig, word32 siglen, const byte* msg, int ret, verified = 0; byte sig[] { initialize with received signature }; - byte hash[] = { initialize with SHAKE-256 hash of message }; + byte hash[] = { initialize hash of message }; byte context[] = { initialize with context of signature }; // initialize key with received public key ret = wc_ed448ph_verify_hash(sig, sizeof(sig), hash, sizeof(hash), diff --git a/doc/dox_comments/header_files/ssl.h b/doc/dox_comments/header_files/ssl.h index bdf1d49f02..04407dfd9f 100644 --- a/doc/dox_comments/header_files/ssl.h +++ b/doc/dox_comments/header_files/ssl.h @@ -2088,7 +2088,7 @@ int wolfSSL_get_using_nonblock(WOLFSSL*); session if the handshake has not already been performed yet by wolfSSL_connect() or wolfSSL_accept(). When using (D)TLSv1.3 and early data feature is compiled in, this function progresses the handshake only up to - the point when it is possible to send data. Next invokations of + the point when it is possible to send data. Next invocations of wolfSSL_Connect()/wolfSSL_Accept()/wolfSSL_read() will complete the handshake. wolfSSL_write() works with both blocking and non-blocking I/O. When the underlying I/O is non-blocking, wolfSSL_write() will return when @@ -7756,9 +7756,9 @@ int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx, const unsigned char* in, _Example_ \code int ret = 0; - int sz = 0; WOLFSSL_CTX* ctx; byte certBuff[...]; + long sz = sizeof(certBuff); ... ret = wolfSSL_CTX_load_verify_buffer(ctx, certBuff, sz, SSL_FILETYPE_PEM); @@ -7813,9 +7813,9 @@ int wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, const unsigned char* in, _Example_ \code int ret = 0; - int sz = 0; WOLFSSL_CTX* ctx; byte certBuff[...]; + long sz = sizeof(certBuff); ... // Example for force loading an expired certificate @@ -7869,9 +7869,9 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, _Example_ \code int ret = 0; - int sz = 0; WOLFSSL_CTX* ctx; byte certBuff[...]; + long sz = sizeof(certBuff); ... ret = wolfSSL_CTX_load_verify_chain_buffer_format(ctx, @@ -7920,9 +7920,9 @@ int wolfSSL_CTX_load_verify_chain_buffer_format(WOLFSSL_CTX* ctx, _Example_ \code int ret = 0; - int sz = 0; WOLFSSL_CTX* ctx; byte certBuff[...]; + long sz = sizeof(certBuff); ... ret = wolfSSL_CTX_use_certificate_buffer(ctx, certBuff, sz, SSL_FILETYPE_PEM); if (ret != SSL_SUCCESS) { @@ -7970,9 +7970,9 @@ int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx, _Example_ \code int ret = 0; - int sz = 0; WOLFSSL_CTX* ctx; byte keyBuff[...]; + long sz = sizeof(certBuff); ... ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, keyBuff, sz, SSL_FILETYPE_PEM); if (ret != SSL_SUCCESS) { @@ -8019,9 +8019,9 @@ int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, _Example_ \code int ret = 0; - int sz = 0; WOLFSSL_CTX* ctx; byte certChainBuff[...]; + long sz = sizeof(certBuff); ... ret = wolfSSL_CTX_use_certificate_chain_buffer(ctx, certChainBuff, sz); if (ret != SSL_SUCCESS) { @@ -8065,10 +8065,10 @@ int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX* ctx, _Example_ \code - int buffSz; int ret; byte certBuff[...]; WOLFSSL* ssl = 0; + long buffSz = sizeof(certBuff); ... ret = wolfSSL_use_certificate_buffer(ssl, certBuff, buffSz, SSL_FILETYPE_PEM); @@ -8114,10 +8114,10 @@ int wolfSSL_use_certificate_buffer(WOLFSSL* ssl, const unsigned char* in, _Example_ \code - int buffSz; int ret; byte keyBuff[...]; WOLFSSL* ssl = 0; + long buffSz = sizeof(certBuff); ... ret = wolfSSL_use_PrivateKey_buffer(ssl, keyBuff, buffSz, SSL_FILETYPE_PEM); if (ret != SSL_SUCCESS) { @@ -8161,10 +8161,10 @@ int wolfSSL_use_PrivateKey_buffer(WOLFSSL* ssl, const unsigned char* in, _Example_ \code - int buffSz; int ret; byte certChainBuff[...]; WOLFSSL* ssl = 0; + long buffSz = sizeof(certBuff); ... ret = wolfSSL_use_certificate_chain_buffer(ssl, certChainBuff, buffSz); if (ret != SSL_SUCCESS) { @@ -10012,6 +10012,85 @@ int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm, int wolfSSL_CertManagerSetCRL_Cb(WOLFSSL_CERT_MANAGER* cm, CbMissingCRL cb); +/*! + \ingroup CertManager + \brief This function sets the CRL Update callback. If + HAVE_CRL and HAVE_CRL_UPDATE_CB is defined , and an entry with the same + issuer and a lower CRL number exists when a CRL is added, then the + CbUpdateCRL is called with the details of the existing entry and the + new one replacing it. + + \return SSL_SUCCESS returned upon successful execution of the function and + subroutines. + \return BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER structure is NULL. + + \param cm the WOLFSSL_CERT_MANAGER structure holding the information for + the certificate. + \param cb a function pointer to (*CbUpdateCRL) that is set to the + cbUpdateCRL member of the WOLFSSL_CERT_MANAGER. + Signature requirement: + void (*CbUpdateCRL)(CrlInfo *old, CrlInfo *new); + + _Example_ + \code + #include + + WOLFSSL_CTX* ctx = wolfSSL_CTX_new(protocol method); + WOLFSSL* ssl = wolfSSL_new(ctx); + … + void cb(CrlInfo *old, CrlInfo *new){ + Function body. + } + … + CbUpdateCRL cb = CbUpdateCRL; + … + if(ctx){ + return wolfSSL_CertManagerSetCRLUpdate_Cb(SSL_CM(ssl), cb); + } + \endcode + + \sa CbUpdateCRL +*/ +int wolfSSL_CertManagerSetCRLUpdate_Cb(WOLFSSL_CERT_MANAGER* cm, + CbUpdateCRL cb); + +/*! + \ingroup CertManager + \brief This function yields a structure with parsed CRL information from + an encoded CRL buffer. + + \return SSL_SUCCESS returned upon successful execution of the function and + subroutines. + \return BAD_FUNC_ARG returned if the WOLFSSL_CERT_MANAGER structure is NULL. + + \param cm the WOLFSSL_CERT_MANAGER structure.. + \param info pointer to caller managed CrlInfo structure that will receive + the CRL information. + \param buff input buffer containing encoded CRL. + \param sz the length in bytes of the input CRL data in buff. + \param type WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_DER + + _Example_ + \code + #include + + CrlInfo info; + WOLFSSL_CERT_MANAGER* cm = NULL; + + cm = wolfSSL_CertManagerNew(); + + // Read crl data from file into buffer + + wolfSSL_CertManagerGetCRLInfo(cm, &info, crlData, crlDataLen, + WOLFSSL_FILETYPE_PEM); + \endcode + + \sa CbUpdateCRL + \sa wolfSSL_SetCRL_Cb +*/ +int wolfSSL_CertManagerGetCRLInfo(WOLFSSL_CERT_MANAGER* cm, CrlInfo* info, + const byte* buff, long sz, int type) + /*! \ingroup CertManager \brief This function frees the CRL stored in the Cert Manager. An @@ -11251,7 +11330,7 @@ int wolfSSL_ALPN_GetPeerProtocol(WOLFSSL* ssl, char **list, \return MEMORY_E is the error returned when there is not enough memory. \param ssl pointer to a SSL object, created with wolfSSL_new(). - \param mfl indicates witch is the Maximum Fragment Length requested for the + \param mfl indicates which is the Maximum Fragment Length requested for the session. The available options are: enum { WOLFSSL_MFL_2_9 = 1, 512 bytes WOLFSSL_MFL_2_10 = 2, 1024 bytes WOLFSSL_MFL_2_11 = 3, 2048 bytes WOLFSSL_MFL_2_12 = 4, 4096 bytes WOLFSSL_MFL_2_13 = 5, 8192 @@ -14015,7 +14094,7 @@ int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, Call this function instead of wolfSSL_accept() or wolfSSL_accept_TLSv13() to accept a client and read any early data in the handshake. The function should be invoked until wolfSSL_is_init_finished() returns true. Early data - may be sent by the client in multiple messsages. If there is no early data + may be sent by the client in multiple messages. If there is no early data then the handshake will be processed as normal. This function is only used with servers. @@ -15014,7 +15093,7 @@ WOLFSSL_CIPHERSUITE_INFO wolfSSL_get_ciphersuite_info(byte first, \param [out] sigAlgo The enum Key_Sum of the authentication algorithm \return 0 when info was correctly set - \return BAD_FUNC_ARG when either input paramters are NULL or the bytes + \return BAD_FUNC_ARG when either input parameters are NULL or the bytes are not a recognized sigalg suite _Example_ diff --git a/examples/asn1/asn1.c b/examples/asn1/asn1.c index 92a0a19528..654b6f1613 100644 --- a/examples/asn1/asn1.c +++ b/examples/asn1/asn1.c @@ -66,7 +66,7 @@ static int asn1App_ReadFile(FILE* fp, unsigned char** pdata, word32* plen) word32 len = 0; size_t read_len; /* Allocate a minimum amount. */ - unsigned char* data = (unsigned char*)malloc(DATA_INC_LEN); + unsigned char* data = (unsigned char*)XMALLOC(DATA_INC_LEN, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (data != NULL) { /* Read more data. */ @@ -74,7 +74,7 @@ static int asn1App_ReadFile(FILE* fp, unsigned char** pdata, word32* plen) unsigned char* p; if (ferror(fp)) { - free(data); + XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); return IO_FAILED_E; } @@ -87,10 +87,10 @@ static int asn1App_ReadFile(FILE* fp, unsigned char** pdata, word32* plen) } /* Make space for more data to be added to buffer. */ - p = (unsigned char*)realloc(data, len + DATA_INC_LEN); + p = (unsigned char*)XREALLOC(data, len + DATA_INC_LEN, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (p == NULL) { /* Reallocation failed - free current buffer. */ - free(data); + XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); data = NULL; break; } @@ -132,7 +132,7 @@ static int PrintDer(FILE* fp) /* Print DER/BER. */ ret = wc_Asn1_PrintAll(&asn1, &opts, data, len); /* Dispose of buffer. */ - free(data); + XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); } return ret; @@ -168,7 +168,7 @@ static int PrintBase64(FILE* fp) ret = wc_Asn1_PrintAll(&asn1, &opts, data, len); } /* Dispose of buffer. */ - free(data); + XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); } return ret; @@ -280,7 +280,7 @@ static int PrintPem(FILE* fp, int pem_skip) ret = wc_Asn1_PrintAll(&asn1, &opts, data, len); } /* Dispose of buffer. */ - free(data); + XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); } return ret; diff --git a/examples/benchmark/tls_bench.c b/examples/benchmark/tls_bench.c index 609481a3e0..e969e155a5 100644 --- a/examples/benchmark/tls_bench.c +++ b/examples/benchmark/tls_bench.c @@ -32,7 +32,6 @@ Or bench_tls(args); */ - #ifdef HAVE_CONFIG_H #include #endif @@ -40,6 +39,10 @@ Or #include #endif #include + +#undef TEST_OPENSSL_COEXIST /* can't use this option with this example */ +#undef OPENSSL_COEXIST /* can't use this option with this example */ + #include #include #include @@ -288,12 +291,22 @@ static struct group_info groups[] = { { WOLFSSL_FFDHE_6144, "FFDHE_6144" }, { WOLFSSL_FFDHE_8192, "FFDHE_8192" }, #ifdef HAVE_PQC +#ifndef WOLFSSL_NO_ML_KEM + { WOLFSSL_ML_KEM_512, "ML_KEM_512" }, + { WOLFSSL_ML_KEM_768, "ML_KEM_768" }, + { WOLFSSL_ML_KEM_1024, "ML_KEM_1024" }, + { WOLFSSL_P256_ML_KEM_512, "P256_ML_KEM_512" }, + { WOLFSSL_P384_ML_KEM_768, "P384_ML_KEM_768" }, + { WOLFSSL_P521_ML_KEM_1024, "P521_ML_KEM_1024" }, +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL { WOLFSSL_KYBER_LEVEL1, "KYBER_LEVEL1" }, { WOLFSSL_KYBER_LEVEL3, "KYBER_LEVEL3" }, { WOLFSSL_KYBER_LEVEL5, "KYBER_LEVEL5" }, { WOLFSSL_P256_KYBER_LEVEL1, "P256_KYBER_LEVEL1" }, { WOLFSSL_P384_KYBER_LEVEL3, "P384_KYBER_LEVEL3" }, { WOLFSSL_P521_KYBER_LEVEL5, "P521_KYBER_LEVEL5" }, +#endif #endif { 0, NULL } }; diff --git a/examples/client/client.c b/examples/client/client.c index bbe826d4ae..d5fb2ae6f6 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -32,6 +32,9 @@ #endif #include +#undef TEST_OPENSSL_COEXIST /* can't use this option with this example */ +#undef OPENSSL_COEXIST /* can't use this option with this example */ + #include #ifdef WOLFSSL_WOLFSENTRY_HOOKS @@ -398,6 +401,45 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, if (usePqc) { int group = 0; + #ifndef WOLFSSL_NO_ML_KEM + #ifndef WOLFSSL_NO_ML_KEM_512 + if (XSTRCMP(pqcAlg, "ML_KEM_512") == 0) { + group = WOLFSSL_ML_KEM_512; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + if (XSTRCMP(pqcAlg, "ML_KEM_768") == 0) { + group = WOLFSSL_ML_KEM_768; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + if (XSTRCMP(pqcAlg, "ML_KEM_1024") == 0) { + group = WOLFSSL_ML_KEM_1024; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_512 + if (XSTRCMP(pqcAlg, "P256_ML_KEM_512") == 0) { + group = WOLFSSL_P256_ML_KEM_512; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + if (XSTRCMP(pqcAlg, "P384_ML_KEM_768") == 0) { + group = WOLFSSL_P384_ML_KEM_768; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + if (XSTRCMP(pqcAlg, "P521_ML_KEM_1024") == 0) { + group = WOLFSSL_P521_ML_KEM_1024; + } + else + #endif + #endif /* WOLFSSL_NO_ML_KEM */ + #ifdef WOLFSSL_KYBER_ORIGINAL #ifndef WOLFSSL_NO_KYBER512 if (XSTRCMP(pqcAlg, "KYBER_LEVEL1") == 0) { group = WOLFSSL_KYBER_LEVEL1; @@ -434,6 +476,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, } else #endif + #endif /* WOLFSSL_KYBER_ORIGINAL */ { err_sys("invalid post-quantum KEM specified"); } @@ -786,9 +829,9 @@ static int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, /* Compare TX and RX buffers */ if (XMEMCMP(tx_buffer, rx_buffer, (size_t)len) != 0) { - free(tx_buffer); + XFREE(tx_buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); tx_buffer = NULL; - free(rx_buffer); + XFREE(rx_buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); rx_buffer = NULL; err_sys("Compare TX and RX buffers failed"); } @@ -1330,8 +1373,19 @@ static const char* client_usage_msg[][77] = { " SSLv3(0) - TLS1.3(4)\n", /* 68 */ #endif #ifdef HAVE_PQC - "--pqc Key Share with specified post-quantum algorithm only [KYBER_LEVEL1, KYBER_LEVEL3,\n" - " KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5]\n", /* 69 */ + "--pqc Key Share with specified post-quantum algorithm only:\n" +#ifndef WOLFSSL_NO_ML_KEM + " ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512," + "\n" + " P384_ML_KEM_768, P521_ML_KEM_1024\n" +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL + " KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, " + "P256_KYBER_LEVEL1,\n" + " P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n" +#endif + "", + /* 69 */ #endif #ifdef WOLFSSL_SRTP "--srtp (default is SRTP_AES128_CM_SHA1_80)\n", /* 70 */ @@ -1564,8 +1618,19 @@ static const char* client_usage_msg[][77] = { " SSLv3(0) - TLS1.3(4)\n", /* 68 */ #endif #ifdef HAVE_PQC - "--pqc post-quantum 名前付きグループとの鍵共有のみ [KYBER_LEVEL1, KYBER_LEVEL3,\n" - " KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5]\n", /* 69 */ + "--pqc post-quantum 名前付きグループとの鍵共有のみ:\n" +#ifndef WOLFSSL_NO_ML_KEM + " ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512," + "\n" + " P384_ML_KEM_768, P521_ML_KEM_1024\n" +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL + " KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, " + "P256_KYBER_LEVEL1,\n" + " P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n" +#endif + "", + /* 69 */ #endif #ifdef WOLFSSL_SRTP "--srtp (デフォルトは SRTP_AES128_CM_SHA1_80)\n", /* 70 */ @@ -3728,7 +3793,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef NO_PSK if (usePsk) { - #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && defined(TEST_PSK_USE_SESSION) + #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13) && \ + defined(TEST_PSK_USE_SESSION) SSL_set_psk_use_session_callback(ssl, my_psk_use_session_cb); #endif } diff --git a/examples/configs/user_settings_stm32.h b/examples/configs/user_settings_stm32.h index b0182ae447..eb7822f27d 100644 --- a/examples/configs/user_settings_stm32.h +++ b/examples/configs/user_settings_stm32.h @@ -602,7 +602,7 @@ extern "C" { //#define USE_SLOW_SHA512 #define WOLFSSL_SHA512 - #define HAVE_SHA512 /* freeRTOS settings.h requires this */ + #define HAVE_SHA512 /* old freeRTOS settings.h requires this */ #endif /* Sha2-384 */ diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index ec01e756be..a7dd0ad2f9 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -25,11 +25,19 @@ #endif #include -/* let's use cyassl layer AND cyassl openssl layer */ -#undef TEST_OPENSSL_COEXIST /* can't use this option with this example */ -#include +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif /* Force enable the compatibility macros for this example */ +#undef TEST_OPENSSL_COEXIST +#undef OPENSSL_COEXIST +#ifndef OPENSSL_EXTRA_X509_SMALL +#define OPENSSL_EXTRA_X509_SMALL +#endif + +#include + #ifdef WOLFSSL_DTLS #include #endif @@ -45,9 +53,6 @@ #include -#ifndef OPENSSL_EXTRA_X509_SMALL -#define OPENSSL_EXTRA_X509_SMALL -#endif #include #include diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 2f4d004cbf..bf649ab52b 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -24,6 +24,14 @@ #include #endif +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif +#include + +#undef TEST_OPENSSL_COEXIST /* can't use this option with this example */ +#undef OPENSSL_COEXIST /* can't use this option with this example */ + #include /* name change portability layer */ #include #ifdef HAVE_ECC diff --git a/examples/pem/pem.c b/examples/pem/pem.c index 75ea0222d3..f4e2d91ae0 100644 --- a/examples/pem/pem.c +++ b/examples/pem/pem.c @@ -100,7 +100,7 @@ static int pemApp_ReadFile(FILE* fp, unsigned char** pdata, word32* plen) word32 len = 0; size_t read_len; /* Allocate a minimum amount. */ - unsigned char* data = (unsigned char*)malloc(DATA_INC_LEN + BLOCK_SIZE_MAX); + unsigned char* data = (unsigned char*)XMALLOC(DATA_INC_LEN + BLOCK_SIZE_MAX, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (data != NULL) { /* Read more data. */ @@ -116,11 +116,11 @@ static int pemApp_ReadFile(FILE* fp, unsigned char** pdata, word32* plen) } /* Make space for more data to be added to buffer. */ - p = (unsigned char*)realloc(data, len + DATA_INC_LEN + - BLOCK_SIZE_MAX); + p = (unsigned char*)XREALLOC(data, len + DATA_INC_LEN + + BLOCK_SIZE_MAX, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (p == NULL) { /* Reallocation failed - free current buffer. */ - free(data); + XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); data = NULL; break; } @@ -560,7 +560,7 @@ static int EncryptDer(unsigned char* in, word32 in_len, char* password, } if (ret == 0) { /* Allocate memory for encrypted DER data. */ - *enc = (unsigned char*)malloc(*enc_len); + *enc = (unsigned char*)XMALLOC(*enc_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (*enc == NULL) { ret = 1; } @@ -613,7 +613,7 @@ static int ConvDerToPem(unsigned char* in, word32 offset, word32 len, } if ((ret == 0) && (pem_len > 0)) { /* Allocate memory to hold PEM encoding. */ - pem = (unsigned char*)malloc(pem_len); + pem = (unsigned char*)XMALLOC(pem_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (pem == NULL) { ret = 1; } @@ -624,7 +624,7 @@ static int ConvDerToPem(unsigned char* in, word32 offset, word32 len, type); if (ret <= 0) { fprintf(stderr, "Could not convert DER to PEM\n"); - free(pem); + XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); } if (ret > 0) { *out = pem; @@ -1025,16 +1025,16 @@ int main(int argc, char* argv[]) wc_FreeDer(&der); } else if (out != NULL) { - free(out); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); } #if defined(WOLFSSL_DER_TO_PEM) && defined(WOLFSSL_ENCRYPTED_KEYS) && \ !defined(NO_PWDBASED) if (enc != NULL) { - free(enc); + XFREE(enc, NULL, DYNAMIC_TYPE_TMP_BUFFER); } #endif if (in != NULL) { - free(in); + XFREE(in, NULL, DYNAMIC_TYPE_TMP_BUFFER); } if (ret < 0) { fprintf(stderr, "%s\n", wc_GetErrorString(ret)); diff --git a/examples/server/server.c b/examples/server/server.c index 8c90b1f82b..f43da6ee85 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -33,6 +33,15 @@ #include #undef TEST_OPENSSL_COEXIST /* can't use this option with this example */ +#undef OPENSSL_COEXIST /* can't use this option with this example */ + +/* Force enable the compatibility macros for this example */ +#ifndef OPENSSL_EXTRA_X509_SMALL +#define OPENSSL_EXTRA_X509_SMALL +#endif +#include + +#undef OPENSSL_EXTRA_X509_SMALL #include /* name change portability layer */ #ifdef HAVE_ECC @@ -64,12 +73,6 @@ static const char *wolfsentry_config_path = NULL; #include #include -/* Force enable the compatibility macros for this example */ -#ifndef OPENSSL_EXTRA_X509_SMALL -#define OPENSSL_EXTRA_X509_SMALL -#endif -#include - #include "examples/server/server.h" #ifndef NO_WOLFSSL_SERVER @@ -420,7 +423,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block, size_t xfer_bytes = 0; char* buffer; - buffer = (char*)malloc((size_t)block); + buffer = (char*)XMALLOC((size_t)block, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (!buffer) { err_sys_ex(runWithErrors, "Server buffer malloc failed"); } @@ -463,7 +466,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block, break; } if (err == WOLFSSL_ERROR_ZERO_RETURN) { - free(buffer); + XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); return WOLFSSL_ERROR_ZERO_RETURN; } } @@ -505,7 +508,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int block, } } - free(buffer); + XFREE(buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (throughput) { #ifdef __MINGW32__ @@ -712,6 +715,45 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, else if (usePqc == 1) { #ifdef HAVE_PQC groups[count] = 0; + #ifndef WOLFSSL_NO_ML_KEM + #ifndef WOLFSSL_NO_ML_KEM_512 + if (XSTRCMP(pqcAlg, "ML_KEM_512") == 0) { + groups[count] = WOLFSSL_ML_KEM_512; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + if (XSTRCMP(pqcAlg, "ML_KEM_768") == 0) { + groups[count] = WOLFSSL_ML_KEM_768; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + if (XSTRCMP(pqcAlg, "ML_KEM_1024") == 0) { + groups[count] = WOLFSSL_ML_KEM_1024; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_512 + if (XSTRCMP(pqcAlg, "P256_ML_KEM_512") == 0) { + groups[count] = WOLFSSL_P256_ML_KEM_512; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + if (XSTRCMP(pqcAlg, "P384_ML_KEM_768") == 0) { + groups[count] = WOLFSSL_P384_ML_KEM_768; + } + else + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + if (XSTRCMP(pqcAlg, "P521_ML_KEM_1024") == 0) { + groups[count] = WOLFSSL_P521_ML_KEM_1024; + } + else + #endif + #endif /* WOLFSSL_NO_ML_KEM */ + #ifdef WOLFSSL_KYBER_ORIGINAL #ifndef WOLFSSL_NO_KYBER512 if (XSTRCMP(pqcAlg, "KYBER_LEVEL1") == 0) { groups[count] = WOLFSSL_KYBER_LEVEL1; @@ -748,6 +790,7 @@ static void SetKeyShare(WOLFSSL* ssl, int onlyKeyShare, int useX25519, } else #endif + #endif { err_sys("invalid post-quantum KEM specified"); } @@ -980,8 +1023,19 @@ static const char* server_usage_msg[][65] = { " SSLv3(0) - TLS1.3(4)\n", /* 59 */ #endif #ifdef HAVE_PQC - "--pqc Key Share with specified post-quantum algorithm only [KYBER_LEVEL1, KYBER_LEVEL3,\n" - " KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5] \n", /* 60 */ + "--pqc Key Share with specified post-quantum algorithm only:\n" +#ifndef WOLFSSL_NO_ML_KEM + " ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512," + "\n" + " P384_ML_KEM_768, P521_ML_KEM_1024\n" +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL + " KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, " + "P256_KYBER_LEVEL1,\n" + " P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n" +#endif + "", + /* 60 */ #endif #ifdef WOLFSSL_SRTP "--srtp (default is SRTP_AES128_CM_SHA1_80)\n", /* 61 */ @@ -1172,8 +1226,19 @@ static const char* server_usage_msg[][65] = { " SSLv3(0) - TLS1.3(4)\n", /* 59 */ #endif #ifdef HAVE_PQC - "--pqc post-quantum 名前付きグループとの鍵共有のみ [KYBER_LEVEL1, KYBER_LEVEL3,\n" - " KYBER_LEVEL5, P256_KYBER_LEVEL1, P384_KYBER_LEVEL3, P521_KYBER_LEVEL5]\n", /* 60 */ + "--pqc post-quantum 名前付きグループとの鍵共有のみ:\n" +#ifndef WOLFSSL_NO_ML_KEM + " ML_KEM_512, ML_KEM_768, ML_KEM_1024, P256_ML_KEM_512," + "\n" + " P384_ML_KEM_768, P521_ML_KEM_1024\n" +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL + " KYBER_LEVEL1, KYBER_LEVEL3, KYBER_LEVEL5, " + "P256_KYBER_LEVEL1,\n" + " P384_KYBER_LEVEL3, P521_KYBER_LEVEL5\n" +#endif + "", + /* 60 */ #endif #ifdef WOLFSSL_SRTP "--srtp (デフォルトはSRTP_AES128_CM_SHA1_80)\n", /* 61 */ @@ -3636,7 +3701,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) else printf("Get list of client's protocol name failed\n"); - free(list); + (void)wolfSSL_ALPN_FreePeerProtocol(ssl, &list); } #endif diff --git a/fips-check.sh b/fips-check.sh index 806c8a1426..5ee63a7045 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -17,6 +17,7 @@ TEST_DIR="${TEST_DIR:-XXX-fips-test}" FLAVOR="${FLAVOR:-linux}" KEEP="${KEEP:-no}" MAKECHECK=${MAKECHECK:-yes} +DOCONFIGURE=${DOCONFIGURE:-yes} FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}" Usage() { @@ -33,6 +34,7 @@ Flavor is one of: fips-dev (dev FIPS 140-3) wolfrand wolfentropy + v6.0.0 Keep (default off) retains the temp dir $TEST_DIR for inspection. Example: @@ -43,6 +45,7 @@ usageText while [ "$1" ]; do if [ "$1" = 'keep' ]; then KEEP='yes'; elif [ "$1" = 'nomakecheck' ]; then MAKECHECK='no'; + elif [ "$1" = 'nodoconfigure' ]; then DOCONFIGURE='no'; else FLAVOR="$1"; fi shift done @@ -190,7 +193,7 @@ linuxv5.2.1) 'wolfcrypt/src/fips_test.c:v5.2.1-stable' 'wolfcrypt/src/wolfcrypt_first.c:v5.2.1-stable' 'wolfcrypt/src/wolfcrypt_last.c:v5.2.1-stable' - 'wolfssl/wolfcrypt/fips.h:v5.2.1-stable' + 'wolfssl/wolfcrypt/fips.h:v5.2.1-stable-OS_Seed-HdrOnly' ) WOLFCRYPT_FILES=( 'wolfcrypt/src/aes.c:v5.2.1-stable' @@ -217,7 +220,7 @@ linuxv5.2.1) 'wolfssl/wolfcrypt/fips_test.h:v5.2.1-stable' 'wolfssl/wolfcrypt/hmac.h:v5.2.1-stable' 'wolfssl/wolfcrypt/kdf.h:v5.2.1-stable' - 'wolfssl/wolfcrypt/random.h:v5.2.1-stable' + 'wolfssl/wolfcrypt/random.h:v5.2.1-stable-OS_Seed-HdrOnly' 'wolfssl/wolfcrypt/rsa.h:v5.2.1-stable' 'wolfssl/wolfcrypt/sha.h:v5.2.1-stable' 'wolfssl/wolfcrypt/sha256.h:v5.2.1-stable' @@ -225,6 +228,98 @@ linuxv5.2.1) 'wolfssl/wolfcrypt/sha512.h:v5.2.1-stable' ) ;; +v6.0.0) + WOLF_REPO_TAG='WCv6.0.0-RC1' + FIPS_REPO_TAG='WCv6.0.0-RC1' + ASM_PICKUPS_TAG='WCv6.0.0-RC2' + FIPS_OPTION='v6' + FIPS_FILES=( + "wolfcrypt/src/fips.c:${FIPS_REPO_TAG}" + "wolfcrypt/src/fips_test.c:${FIPS_REPO_TAG}" + "wolfcrypt/src/wolfcrypt_first.c:${FIPS_REPO_TAG}" + "wolfcrypt/src/wolfcrypt_last.c:${FIPS_REPO_TAG}" + "wolfssl/wolfcrypt/fips.h:${FIPS_REPO_TAG}" + ) + WOLFCRYPT_FILES=( + "wolfcrypt/src/aes_asm.asm:${WOLF_REPO_TAG}" + "wolfcrypt/src/aes_asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/aes_gcm_asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/aes_gcm_x86_asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/aes_xts_asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/aes.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/armv8-32-aes-asm_c.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/port/arm/armv8-32-aes-asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/armv8-32-curve25519_c.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/port/arm/armv8-32-curve25519.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/armv8-32-sha256-asm_c.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/port/arm/armv8-32-sha256-asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/armv8-32-sha512-asm_c.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/port/arm/armv8-32-sha512-asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/armv8-aes.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/port/arm/armv8-curve25519_c.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/port/arm/armv8-curve25519.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/armv8-sha256.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/armv8-sha3-asm_c.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/port/arm/armv8-sha3-asm.S:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/port/arm/armv8-sha512-asm_c.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/port/arm/armv8-sha512-asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/armv8-sha512.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/cmac.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/curve25519.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/curve448.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/dh.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/ecc.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/ed25519.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/ed448.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/hmac.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/kdf.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/pwdbased.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/random.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/rsa.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/sha.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/sha256_asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/sha256.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/sha3.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/sha3_asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/sha512_asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/sha512.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/sp_arm32.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/sp_arm64.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/sp_armthumb.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/sp_c32.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/sp_c64.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/sp_cortexm.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/sp_x86_64_asm.asm:${WOLF_REPO_TAG}" + "wolfcrypt/src/sp_x86_64_asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/sp_x86_64.c:${ASM_PICKUPS_TAG}" + "wolfcrypt/src/port/arm/thumb2-aes-asm_c.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/thumb2-aes-asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/thumb2-curve25519_c.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/thumb2-curve25519.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/thumb2-sha256-asm_c.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/thumb2-sha256-asm.S:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/thumb2-sha512-asm_c.c:${WOLF_REPO_TAG}" + "wolfcrypt/src/port/arm/thumb2-sha512-asm.S:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/aes.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/cmac.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/curve25519.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/curve448.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/dh.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/ecc.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/ed25519.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/ed448.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/fips_test.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/hmac.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/kdf.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/pwdbased.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/random.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/rsa.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/sha.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/sha256.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/sha3.h:${WOLF_REPO_TAG}" + "wolfssl/wolfcrypt/sha512.h:${WOLF_REPO_TAG}" + ) + ;; fips-ready|fips-dev) FIPS_OPTION='ready' FIPS_FILES=( @@ -368,36 +463,38 @@ fi # run the make test ./autogen.sh -case "$FIPS_OPTION" in -cavp-selftest) - ./configure --enable-selftest - ;; -cavp-selftest-v2) - ./configure --enable-selftest=v2 - ;; -*) - ./configure --enable-fips=$FIPS_OPTION - ;; -esac +if [ "$DOCONFIGURE" = "yes" ]; then + case "$FIPS_OPTION" in + cavp-selftest) + ./configure --enable-selftest + ;; + cavp-selftest-v2) + ./configure --enable-selftest=v2 + ;; + *) + ./configure --enable-fips=$FIPS_OPTION + ;; + esac -if ! $MAKE; then - echo 'fips-check: Make failed. Debris left for analysis.' - exit 3 -fi + if ! $MAKE; then + echo 'fips-check: Make failed. Debris left for analysis.' + exit 3 + fi -if [ -s wolfcrypt/src/fips_test.c ]; then - NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p') - if [ -n "$NEWHASH" ]; then - cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak - sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak >wolfcrypt/src/fips_test.c - make clean + if [ -s wolfcrypt/src/fips_test.c ]; then + NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p') + if [ -n "$NEWHASH" ]; then + cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak + sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak >wolfcrypt/src/fips_test.c + make clean + fi fi -fi -if [ "$MAKECHECK" = "yes" ]; then - if ! $MAKE check; then - echo 'fips-check: Test failed. Debris left for analysis.' - exit 3 + if [ "$MAKECHECK" = "yes" ]; then + if ! $MAKE check; then + echo 'fips-check: Test failed. Debris left for analysis.' + exit 3 + fi fi fi diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 1d53adc057..5200e942d4 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -118,6 +118,11 @@ _Pragma("GCC diagnostic ignored \"-Wcast-function-type\""); /* needed for kernel 4.14.336 */ #include + + #if defined(__PIE__) && defined(CONFIG_ARM64) + #define alt_cb_patch_nops my__alt_cb_patch_nops + #endif + #include #include @@ -471,6 +476,16 @@ unsigned int serialSz); #endif #endif /* NO_SKID */ + + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + struct WOLFSSL_X509_NAME; + extern int wolfSSL_X509_NAME_add_entry_by_NID(struct WOLFSSL_X509_NAME *name, int nid, + int type, const unsigned char *bytes, + int len, int loc, int set); + extern void wolfSSL_X509_NAME_free(struct WOLFSSL_X509_NAME* name); + extern struct WOLFSSL_X509_NAME* wolfSSL_X509_NAME_new_ex(void *heap); + #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ + #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ #if defined(__PIE__) && !defined(USE_WOLFSSL_LINUXKM_PIE_REDIRECT_TABLE) @@ -645,12 +660,31 @@ #ifdef WOLFSSL_AKID_NAME typeof(GetCAByAKID) *GetCAByAKID; #endif /* WOLFSSL_AKID_NAME */ + + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + typeof(wolfSSL_X509_NAME_add_entry_by_NID) *wolfSSL_X509_NAME_add_entry_by_NID; + typeof(wolfSSL_X509_NAME_free) *wolfSSL_X509_NAME_free; + typeof(wolfSSL_X509_NAME_new_ex) *wolfSSL_X509_NAME_new_ex; + #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ + #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ #ifdef WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES typeof(dump_stack) *dump_stack; #endif + #ifdef CONFIG_ARM64 + #ifdef __PIE__ + /* alt_cb_patch_nops defined early to allow shimming in system + * headers, but now we need the native one. + */ + #undef alt_cb_patch_nops + typeof(my__alt_cb_patch_nops) *alt_cb_patch_nops; + #else + typeof(alt_cb_patch_nops) *alt_cb_patch_nops; + #endif + #endif + const void *_last_slot; }; @@ -800,6 +834,13 @@ #ifdef WOLFSSL_AKID_NAME #define GetCAByAKID (wolfssl_linuxkm_get_pie_redirect_table()->GetCAByAKID) #endif + + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + #define wolfSSL_X509_NAME_add_entry_by_NID (wolfssl_linuxkm_get_pie_redirect_table()->wolfSSL_X509_NAME_add_entry_by_NID) + #define wolfSSL_X509_NAME_free (wolfssl_linuxkm_get_pie_redirect_table()->wolfSSL_X509_NAME_free) + #define wolfSSL_X509_NAME_new_ex (wolfssl_linuxkm_get_pie_redirect_table()->wolfSSL_X509_NAME_new_ex) + #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ + #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ #ifdef WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES @@ -918,6 +959,13 @@ #include + #ifndef INT32_MAX + #define INT32_MAX INT_MAX + #endif + #ifndef UINT32_MAX + #define UINT32_MAX UINT_MAX + #endif + /* Linux headers define these using C expressions, but we need * them to be evaluable by the preprocessor, for use in sp_int.h. */ diff --git a/linuxkm/lkcapi_glue.c b/linuxkm/lkcapi_glue.c index faf88fd56f..94a41bf015 100644 --- a/linuxkm/lkcapi_glue.c +++ b/linuxkm/lkcapi_glue.c @@ -26,6 +26,14 @@ #error lkcapi_glue.c included in non-LINUXKM_LKCAPI_REGISTER project. #endif +/* kernel crypto self-test includes test setups that have different expected + * results FIPS vs non-FIPS. + */ +#if defined(CONFIG_CRYPTO_MANAGER) && \ + (defined(CONFIG_CRYPTO_FIPS) != defined(HAVE_FIPS)) +#error CONFIG_CRYPTO_MANAGER requires that CONFIG_CRYPTO_FIPS match HAVE_FIPS. +#endif + #ifndef WOLFSSL_LINUXKM_LKCAPI_PRIORITY /* Larger number means higher priority. The highest in-tree priority is 4001, * in the Cavium driver. @@ -359,14 +367,14 @@ static struct skcipher_alg cbcAesAlg = { .base.cra_name = WOLFKM_AESCBC_NAME, .base.cra_driver_name = WOLFKM_AESCBC_DRIVER, .base.cra_priority = WOLFSSL_LINUXKM_LKCAPI_PRIORITY, - .base.cra_blocksize = AES_BLOCK_SIZE, + .base.cra_blocksize = WC_AES_BLOCK_SIZE, .base.cra_ctxsize = sizeof(struct km_AesCtx), .base.cra_module = THIS_MODULE, .init = km_AesCbcInit, .exit = km_AesExit, .min_keysize = AES_128_KEY_SIZE, .max_keysize = AES_256_KEY_SIZE, - .ivsize = AES_BLOCK_SIZE, + .ivsize = WC_AES_BLOCK_SIZE, .setkey = km_AesCbcSetKey, .encrypt = km_AesCbcEncrypt, .decrypt = km_AesCbcDecrypt, @@ -498,14 +506,14 @@ static struct skcipher_alg cfbAesAlg = { .base.cra_name = WOLFKM_AESCFB_NAME, .base.cra_driver_name = WOLFKM_AESCFB_DRIVER, .base.cra_priority = WOLFSSL_LINUXKM_LKCAPI_PRIORITY, - .base.cra_blocksize = AES_BLOCK_SIZE, + .base.cra_blocksize = WC_AES_BLOCK_SIZE, .base.cra_ctxsize = sizeof(struct km_AesCtx), .base.cra_module = THIS_MODULE, .init = km_AesCfbInit, .exit = km_AesExit, .min_keysize = AES_128_KEY_SIZE, .max_keysize = AES_256_KEY_SIZE, - .ivsize = AES_BLOCK_SIZE, + .ivsize = WC_AES_BLOCK_SIZE, .setkey = km_AesCfbSetKey, .encrypt = km_AesCfbEncrypt, .decrypt = km_AesCfbDecrypt, @@ -557,7 +565,7 @@ static int km_AesGcmSetKey(struct crypto_aead *tfm, const u8 *in_key, static int km_AesGcmSetAuthsize(struct crypto_aead *tfm, unsigned int authsize) { (void)tfm; - if (authsize > AES_BLOCK_SIZE || + if (authsize > WC_AES_BLOCK_SIZE || authsize < WOLFSSL_MIN_AUTH_TAG_SZ) { pr_err("%s: invalid authsize: %d\n", crypto_tfm_alg_driver_name(crypto_aead_tfm(tfm)), authsize); @@ -567,7 +575,7 @@ static int km_AesGcmSetAuthsize(struct crypto_aead *tfm, unsigned int authsize) } /* - * aead ciphers recieve data in scatterlists in following order: + * aead ciphers receive data in scatterlists in following order: * encrypt * req->src: aad||plaintext * req->dst: aad||ciphertext||tag @@ -583,7 +591,7 @@ static int km_AesGcmEncrypt(struct aead_request *req) struct skcipher_walk walk; struct scatter_walk assocSgWalk; unsigned int nbytes = 0; - u8 authTag[AES_BLOCK_SIZE]; + u8 authTag[WC_AES_BLOCK_SIZE]; int err = 0; unsigned int assocLeft = 0; unsigned int cryptLeft = 0; @@ -604,7 +612,7 @@ static int km_AesGcmEncrypt(struct aead_request *req) } err = wc_AesGcmInit(ctx->aes_encrypt, NULL /*key*/, 0 /*keylen*/, walk.iv, - AES_BLOCK_SIZE); + WC_AES_BLOCK_SIZE); if (unlikely(err)) { pr_err("%s: wc_AesGcmInit failed: %d\n", crypto_tfm_alg_driver_name(crypto_aead_tfm(tfm)), err); @@ -684,7 +692,7 @@ static int km_AesGcmDecrypt(struct aead_request *req) struct skcipher_walk walk; struct scatter_walk assocSgWalk; unsigned int nbytes = 0; - u8 origAuthTag[AES_BLOCK_SIZE]; + u8 origAuthTag[WC_AES_BLOCK_SIZE]; int err = 0; unsigned int assocLeft = 0; unsigned int cryptLeft = 0; @@ -710,7 +718,7 @@ static int km_AesGcmDecrypt(struct aead_request *req) } err = wc_AesGcmInit(ctx->aes_encrypt, NULL /*key*/, 0 /*keylen*/, walk.iv, - AES_BLOCK_SIZE); + WC_AES_BLOCK_SIZE); if (unlikely(err)) { pr_err("%s: wc_AesGcmInit failed: %d\n", crypto_tfm_alg_driver_name(crypto_aead_tfm(tfm)), err); @@ -797,9 +805,9 @@ static struct aead_alg gcmAesAead = { .setauthsize = km_AesGcmSetAuthsize, .encrypt = km_AesGcmEncrypt, .decrypt = km_AesGcmDecrypt, - .ivsize = AES_BLOCK_SIZE, - .maxauthsize = AES_BLOCK_SIZE, - .chunksize = AES_BLOCK_SIZE, + .ivsize = WC_AES_BLOCK_SIZE, + .maxauthsize = WC_AES_BLOCK_SIZE, + .chunksize = WC_AES_BLOCK_SIZE, }; static int gcmAesAead_loaded = 0; @@ -886,7 +894,7 @@ static int km_AesXtsEncrypt(struct skcipher_request *req) tfm = crypto_skcipher_reqtfm(req); ctx = crypto_skcipher_ctx(tfm); - if (req->cryptlen < AES_BLOCK_SIZE) + if (req->cryptlen < WC_AES_BLOCK_SIZE) return -EINVAL; err = skcipher_walk_virt(&walk, req, false); @@ -910,12 +918,12 @@ static int km_AesXtsEncrypt(struct skcipher_request *req) err = skcipher_walk_done(&walk, 0); } else { - int tail = req->cryptlen % AES_BLOCK_SIZE; + int tail = req->cryptlen % WC_AES_BLOCK_SIZE; struct skcipher_request subreq; struct XtsAesStreamData stream; if (tail > 0) { - int blocks = DIV_ROUND_UP(req->cryptlen, AES_BLOCK_SIZE) - 2; + int blocks = DIV_ROUND_UP(req->cryptlen, WC_AES_BLOCK_SIZE) - 2; skcipher_walk_abort(&walk); @@ -924,7 +932,7 @@ static int km_AesXtsEncrypt(struct skcipher_request *req) skcipher_request_flags(req), NULL, NULL); skcipher_request_set_crypt(&subreq, req->src, req->dst, - blocks * AES_BLOCK_SIZE, req->iv); + blocks * WC_AES_BLOCK_SIZE, req->iv); req = &subreq; err = skcipher_walk_virt(&walk, req, false); @@ -947,9 +955,9 @@ static int km_AesXtsEncrypt(struct skcipher_request *req) * end-of-message ciphertext stealing. */ if (nbytes < walk.total) - nbytes &= ~(AES_BLOCK_SIZE - 1); + nbytes &= ~(WC_AES_BLOCK_SIZE - 1); - if (nbytes & ((unsigned int)AES_BLOCK_SIZE - 1U)) + if (nbytes & ((unsigned int)WC_AES_BLOCK_SIZE - 1U)) err = wc_AesXtsEncryptFinal(ctx->aesXts, walk.dst.virt.addr, walk.src.virt.addr, nbytes, &stream); @@ -981,7 +989,7 @@ static int km_AesXtsEncrypt(struct skcipher_request *req) if (req->dst != req->src) dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen); - skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail, + skcipher_request_set_crypt(req, src, dst, WC_AES_BLOCK_SIZE + tail, req->iv); err = skcipher_walk_virt(&walk, &subreq, false); @@ -999,7 +1007,7 @@ static int km_AesXtsEncrypt(struct skcipher_request *req) } err = skcipher_walk_done(&walk, 0); - } else if (! (stream.bytes_crypted_with_this_tweak & ((word32)AES_BLOCK_SIZE - 1U))) { + } else if (! (stream.bytes_crypted_with_this_tweak & ((word32)WC_AES_BLOCK_SIZE - 1U))) { err = wc_AesXtsEncryptFinal(ctx->aesXts, NULL, NULL, 0, &stream); } } @@ -1018,7 +1026,7 @@ static int km_AesXtsDecrypt(struct skcipher_request *req) tfm = crypto_skcipher_reqtfm(req); ctx = crypto_skcipher_ctx(tfm); - if (req->cryptlen < AES_BLOCK_SIZE) + if (req->cryptlen < WC_AES_BLOCK_SIZE) return -EINVAL; err = skcipher_walk_virt(&walk, req, false); @@ -1042,12 +1050,12 @@ static int km_AesXtsDecrypt(struct skcipher_request *req) err = skcipher_walk_done(&walk, 0); } else { - int tail = req->cryptlen % AES_BLOCK_SIZE; + int tail = req->cryptlen % WC_AES_BLOCK_SIZE; struct skcipher_request subreq; struct XtsAesStreamData stream; if (unlikely(tail > 0)) { - int blocks = DIV_ROUND_UP(req->cryptlen, AES_BLOCK_SIZE) - 2; + int blocks = DIV_ROUND_UP(req->cryptlen, WC_AES_BLOCK_SIZE) - 2; skcipher_walk_abort(&walk); @@ -1056,7 +1064,7 @@ static int km_AesXtsDecrypt(struct skcipher_request *req) skcipher_request_flags(req), NULL, NULL); skcipher_request_set_crypt(&subreq, req->src, req->dst, - blocks * AES_BLOCK_SIZE, req->iv); + blocks * WC_AES_BLOCK_SIZE, req->iv); req = &subreq; err = skcipher_walk_virt(&walk, req, false); @@ -1079,9 +1087,9 @@ static int km_AesXtsDecrypt(struct skcipher_request *req) * end-of-message ciphertext stealing. */ if (nbytes < walk.total) - nbytes &= ~(AES_BLOCK_SIZE - 1); + nbytes &= ~(WC_AES_BLOCK_SIZE - 1); - if (nbytes & ((unsigned int)AES_BLOCK_SIZE - 1U)) + if (nbytes & ((unsigned int)WC_AES_BLOCK_SIZE - 1U)) err = wc_AesXtsDecryptFinal(ctx->aesXts, walk.dst.virt.addr, walk.src.virt.addr, nbytes, &stream); @@ -1113,7 +1121,7 @@ static int km_AesXtsDecrypt(struct skcipher_request *req) if (req->dst != req->src) dst = scatterwalk_ffwd(sg_dst, req->dst, req->cryptlen); - skcipher_request_set_crypt(req, src, dst, AES_BLOCK_SIZE + tail, + skcipher_request_set_crypt(req, src, dst, WC_AES_BLOCK_SIZE + tail, req->iv); err = skcipher_walk_virt(&walk, &subreq, false); @@ -1131,7 +1139,7 @@ static int km_AesXtsDecrypt(struct skcipher_request *req) } err = skcipher_walk_done(&walk, 0); - } else if (! (stream.bytes_crypted_with_this_tweak & ((word32)AES_BLOCK_SIZE - 1U))) { + } else if (! (stream.bytes_crypted_with_this_tweak & ((word32)WC_AES_BLOCK_SIZE - 1U))) { err = wc_AesXtsDecryptFinal(ctx->aesXts, NULL, NULL, 0, &stream); } } @@ -1142,14 +1150,14 @@ static struct skcipher_alg xtsAesAlg = { .base.cra_name = WOLFKM_AESXTS_NAME, .base.cra_driver_name = WOLFKM_AESXTS_DRIVER, .base.cra_priority = WOLFSSL_LINUXKM_LKCAPI_PRIORITY, - .base.cra_blocksize = AES_BLOCK_SIZE, + .base.cra_blocksize = WC_AES_BLOCK_SIZE, .base.cra_ctxsize = sizeof(struct km_AesXtsCtx), .base.cra_module = THIS_MODULE, .min_keysize = 2 * AES_128_KEY_SIZE, .max_keysize = 2 * AES_256_KEY_SIZE, - .ivsize = AES_BLOCK_SIZE, - .walksize = 2 * AES_BLOCK_SIZE, + .ivsize = WC_AES_BLOCK_SIZE, + .walksize = 2 * WC_AES_BLOCK_SIZE, .init = km_AesXtsInit, .exit = km_AesXtsExit, .setkey = km_AesXtsSetKey, @@ -1221,7 +1229,7 @@ static int linuxkm_test_aescbc(void) } aes_inited = 1; - ret = wc_AesSetKey(aes, key32, AES_BLOCK_SIZE * 2, iv, AES_ENCRYPTION); + ret = wc_AesSetKey(aes, key32, WC_AES_BLOCK_SIZE * 2, iv, AES_ENCRYPTION); if (ret) { pr_err("wolfcrypt wc_AesSetKey failed with return code %d\n", ret); goto test_cbc_end; @@ -1249,7 +1257,7 @@ static int linuxkm_test_aescbc(void) } aes_inited = 1; - ret = wc_AesSetKey(aes, key32, AES_BLOCK_SIZE * 2, iv, AES_DECRYPTION); + ret = wc_AesSetKey(aes, key32, WC_AES_BLOCK_SIZE * 2, iv, AES_DECRYPTION); if (ret) { pr_err("wolfcrypt wc_AesSetKey failed with return code %d.\n", ret); goto test_cbc_end; @@ -1302,7 +1310,7 @@ static int linuxkm_test_aescbc(void) } #endif - ret = crypto_skcipher_setkey(tfm, key32, AES_BLOCK_SIZE * 2); + ret = crypto_skcipher_setkey(tfm, key32, WC_AES_BLOCK_SIZE * 2); if (ret) { pr_err("error: crypto_skcipher_setkey returned: %d\n", ret); goto test_cbc_end; @@ -1427,7 +1435,7 @@ static int linuxkm_test_aescfb(void) } aes_inited = 1; - ret = wc_AesSetKey(aes, key32, AES_BLOCK_SIZE * 2, iv, AES_ENCRYPTION); + ret = wc_AesSetKey(aes, key32, WC_AES_BLOCK_SIZE * 2, iv, AES_ENCRYPTION); if (ret) { pr_err("wolfcrypt wc_AesSetKey failed with return code %d\n", ret); goto test_cfb_end; @@ -1455,7 +1463,7 @@ static int linuxkm_test_aescfb(void) } aes_inited = 1; - ret = wc_AesSetKey(aes, key32, AES_BLOCK_SIZE * 2, iv, AES_ENCRYPTION); + ret = wc_AesSetKey(aes, key32, WC_AES_BLOCK_SIZE * 2, iv, AES_ENCRYPTION); if (ret) { pr_err("wolfcrypt wc_AesSetKey failed with return code %d.\n", ret); goto test_cfb_end; @@ -1508,7 +1516,7 @@ static int linuxkm_test_aescfb(void) } #endif - ret = crypto_skcipher_setkey(tfm, key32, AES_BLOCK_SIZE * 2); + ret = crypto_skcipher_setkey(tfm, key32, WC_AES_BLOCK_SIZE * 2); if (ret) { pr_err("error: crypto_skcipher_setkey returned: %d\n", ret); goto test_cfb_end; @@ -1624,7 +1632,7 @@ static int linuxkm_test_aesgcm(void) 0xe4,0x28,0x90,0xaa,0x09,0xab,0xf9,0x7c }; byte enc[sizeof(p_vector)]; - byte authTag[AES_BLOCK_SIZE]; + byte authTag[WC_AES_BLOCK_SIZE]; byte dec[sizeof(p_vector)]; u8 * assoc2 = NULL; u8 * enc2 = NULL; @@ -1636,7 +1644,7 @@ static int linuxkm_test_aesgcm(void) /* Init stack variables. */ XMEMSET(enc, 0, sizeof(p_vector)); XMEMSET(dec, 0, sizeof(p_vector)); - XMEMSET(authTag, 0, AES_BLOCK_SIZE); + XMEMSET(authTag, 0, WC_AES_BLOCK_SIZE); aes = (Aes *)malloc(sizeof(*aes)); if (aes == NULL) @@ -1650,7 +1658,7 @@ static int linuxkm_test_aesgcm(void) aes_inited = 1; ret = wc_AesGcmInit(aes, key32, sizeof(key32)/sizeof(byte), ivstr, - AES_BLOCK_SIZE); + WC_AES_BLOCK_SIZE); if (ret) { pr_err("error: wc_AesGcmInit failed with return code %d.\n", ret); goto test_gcm_end; @@ -1676,7 +1684,7 @@ static int linuxkm_test_aesgcm(void) goto test_gcm_end; } - ret = wc_AesGcmEncryptFinal(aes, authTag, AES_BLOCK_SIZE); + ret = wc_AesGcmEncryptFinal(aes, authTag, WC_AES_BLOCK_SIZE); if (ret) { pr_err("error: wc_AesGcmEncryptFinal failed with return code %d\n", ret); @@ -1690,7 +1698,7 @@ static int linuxkm_test_aesgcm(void) } ret = wc_AesGcmInit(aes, key32, sizeof(key32)/sizeof(byte), ivstr, - AES_BLOCK_SIZE); + WC_AES_BLOCK_SIZE); if (ret) { pr_err("error: wc_AesGcmInit failed with return code %d.\n", ret); goto test_gcm_end; @@ -1704,7 +1712,7 @@ static int linuxkm_test_aesgcm(void) goto test_gcm_end; } - ret = wc_AesGcmDecryptFinal(aes, authTag, AES_BLOCK_SIZE); + ret = wc_AesGcmDecryptFinal(aes, authTag, WC_AES_BLOCK_SIZE); if (ret) { pr_err("error: wc_AesGcmEncryptFinal failed with return code %d\n", ret); @@ -1726,13 +1734,13 @@ static int linuxkm_test_aesgcm(void) memset(assoc2, 0, sizeof(assoc)); memcpy(assoc2, assoc, sizeof(assoc)); - iv = malloc(AES_BLOCK_SIZE); + iv = malloc(WC_AES_BLOCK_SIZE); if (IS_ERR(iv)) { pr_err("error: malloc failed\n"); goto test_gcm_end; } - memset(iv, 0, AES_BLOCK_SIZE); - memcpy(iv, ivstr, AES_BLOCK_SIZE); + memset(iv, 0, WC_AES_BLOCK_SIZE); + memcpy(iv, ivstr, WC_AES_BLOCK_SIZE); enc2 = malloc(decryptLen); if (IS_ERR(enc2)) { @@ -1769,7 +1777,7 @@ static int linuxkm_test_aesgcm(void) } #endif - ret = crypto_aead_setkey(tfm, key32, AES_BLOCK_SIZE * 2); + ret = crypto_aead_setkey(tfm, key32, WC_AES_BLOCK_SIZE * 2); if (ret) { pr_err("error: crypto_aead_setkey returned: %d\n", ret); goto test_gcm_end; @@ -1883,7 +1891,7 @@ static int aes_xts_128_test(void) XtsAes *aes = NULL; int aes_inited = 0; int ret = 0; -#define AES_XTS_128_TEST_BUF_SIZ (AES_BLOCK_SIZE * 2 + 8) +#define AES_XTS_128_TEST_BUF_SIZ (WC_AES_BLOCK_SIZE * 2 + 8) unsigned char *buf = NULL; unsigned char *cipher = NULL; u8 * enc2 = NULL; @@ -2041,12 +2049,12 @@ static int aes_xts_128_test(void) ret = wc_AesXtsEncryptInit(aes, i2, sizeof(i2), &stream); if (ret != 0) goto out; - ret = wc_AesXtsEncryptUpdate(aes, buf, p2, AES_BLOCK_SIZE, &stream); + ret = wc_AesXtsEncryptUpdate(aes, buf, p2, WC_AES_BLOCK_SIZE, &stream); if (ret != 0) goto out; - ret = wc_AesXtsEncryptFinal(aes, buf + AES_BLOCK_SIZE, - p2 + AES_BLOCK_SIZE, - sizeof(p2) - AES_BLOCK_SIZE, &stream); + ret = wc_AesXtsEncryptFinal(aes, buf + WC_AES_BLOCK_SIZE, + p2 + WC_AES_BLOCK_SIZE, + sizeof(p2) - WC_AES_BLOCK_SIZE, &stream); if (ret != 0) goto out; if (XMEMCMP(c2, buf, sizeof(c2))) { @@ -2062,7 +2070,7 @@ static int aes_xts_128_test(void) ret = wc_AesXtsEncrypt(aes, buf, p1, sizeof(p1), i1, sizeof(i1)); if (ret != 0) goto out; - if (XMEMCMP(c1, buf, AES_BLOCK_SIZE)) { + if (XMEMCMP(c1, buf, WC_AES_BLOCK_SIZE)) { ret = LINUXKM_LKCAPI_AES_KAT_MISMATCH_E; goto out; } @@ -2073,7 +2081,7 @@ static int aes_xts_128_test(void) WC_DEBUG_SET_VECTOR_REGISTERS_RETVAL(0); if (ret != 0) goto out; - if (XMEMCMP(c1, buf, AES_BLOCK_SIZE)) { + if (XMEMCMP(c1, buf, WC_AES_BLOCK_SIZE)) { ret = LINUXKM_LKCAPI_AES_KAT_MISMATCH_E; goto out; } @@ -2133,7 +2141,7 @@ static int aes_xts_128_test(void) ret = wc_AesXtsDecrypt(aes, buf, c1, sizeof(c1), i1, sizeof(i1)); if (ret != 0) goto out; - if (XMEMCMP(p1, buf, AES_BLOCK_SIZE)) { + if (XMEMCMP(p1, buf, WC_AES_BLOCK_SIZE)) { ret = LINUXKM_LKCAPI_AES_KAT_MISMATCH_E; goto out; } @@ -2145,7 +2153,7 @@ static int aes_xts_128_test(void) WC_DEBUG_SET_VECTOR_REGISTERS_RETVAL(0); if (ret != 0) goto out; - if (XMEMCMP(p1, buf, AES_BLOCK_SIZE)) { + if (XMEMCMP(p1, buf, WC_AES_BLOCK_SIZE)) { ret = LINUXKM_LKCAPI_AES_KAT_MISMATCH_E; goto out; } @@ -2227,14 +2235,14 @@ static int aes_xts_128_test(void) ret = wc_AesXtsEncryptInit(aes, i1, sizeof(i1), &stream); if (ret != 0) goto out; - for (k = 0; k < j; k += AES_BLOCK_SIZE) { - if ((j - k) < AES_BLOCK_SIZE*2) + for (k = 0; k < j; k += WC_AES_BLOCK_SIZE) { + if ((j - k) < WC_AES_BLOCK_SIZE*2) ret = wc_AesXtsEncryptFinal(aes, large_input + k, large_input + k, j - k, &stream); else - ret = wc_AesXtsEncryptUpdate(aes, large_input + k, large_input + k, AES_BLOCK_SIZE, &stream); + ret = wc_AesXtsEncryptUpdate(aes, large_input + k, large_input + k, WC_AES_BLOCK_SIZE, &stream); if (ret != 0) goto out; - if ((j - k) < AES_BLOCK_SIZE*2) + if ((j - k) < WC_AES_BLOCK_SIZE*2) break; } ret = wc_AesXtsSetKeyNoInit(aes, k1, sizeof(k1), AES_DECRYPTION); @@ -2267,14 +2275,14 @@ static int aes_xts_128_test(void) ret = wc_AesXtsDecryptInit(aes, i1, sizeof(i1), &stream); if (ret != 0) goto out; - for (k = 0; k < j; k += AES_BLOCK_SIZE) { - if ((j - k) < AES_BLOCK_SIZE*2) + for (k = 0; k < j; k += WC_AES_BLOCK_SIZE) { + if ((j - k) < WC_AES_BLOCK_SIZE*2) ret = wc_AesXtsDecryptFinal(aes, large_input + k, large_input + k, j - k, &stream); else - ret = wc_AesXtsDecryptUpdate(aes, large_input + k, large_input + k, AES_BLOCK_SIZE, &stream); + ret = wc_AesXtsDecryptUpdate(aes, large_input + k, large_input + k, WC_AES_BLOCK_SIZE, &stream); if (ret != 0) goto out; - if ((j - k) < AES_BLOCK_SIZE*2) + if ((j - k) < WC_AES_BLOCK_SIZE*2) break; } for (i = 0; i < j; i++) { @@ -2483,7 +2491,7 @@ static int aes_xts_256_test(void) XtsAes *aes = NULL; int aes_inited = 0; int ret = 0; -#define AES_XTS_256_TEST_BUF_SIZ (AES_BLOCK_SIZE * 3) +#define AES_XTS_256_TEST_BUF_SIZ (WC_AES_BLOCK_SIZE * 3) unsigned char *buf = NULL; unsigned char *cipher = NULL; u8 * enc2 = NULL; @@ -2617,12 +2625,12 @@ static int aes_xts_256_test(void) ret = wc_AesXtsEncryptInit(aes, i2, sizeof(i2), &stream); if (ret != 0) goto out; - ret = wc_AesXtsEncryptUpdate(aes, buf, p2, AES_BLOCK_SIZE, &stream); + ret = wc_AesXtsEncryptUpdate(aes, buf, p2, WC_AES_BLOCK_SIZE, &stream); if (ret != 0) goto out; - ret = wc_AesXtsEncryptFinal(aes, buf + AES_BLOCK_SIZE, - p2 + AES_BLOCK_SIZE, - sizeof(p2) - AES_BLOCK_SIZE, &stream); + ret = wc_AesXtsEncryptFinal(aes, buf + WC_AES_BLOCK_SIZE, + p2 + WC_AES_BLOCK_SIZE, + sizeof(p2) - WC_AES_BLOCK_SIZE, &stream); if (ret != 0) goto out; if (XMEMCMP(c2, buf, sizeof(c2))) { @@ -2637,7 +2645,7 @@ static int aes_xts_256_test(void) ret = wc_AesXtsEncrypt(aes, buf, p1, sizeof(p1), i1, sizeof(i1)); if (ret != 0) goto out; - if (XMEMCMP(c1, buf, AES_BLOCK_SIZE)) { + if (XMEMCMP(c1, buf, WC_AES_BLOCK_SIZE)) { ret = LINUXKM_LKCAPI_AES_KAT_MISMATCH_E; goto out; } @@ -2666,7 +2674,7 @@ static int aes_xts_256_test(void) ret = wc_AesXtsDecrypt(aes, buf, c1, sizeof(c1), i1, sizeof(i1)); if (ret != 0) goto out; - if (XMEMCMP(p1, buf, AES_BLOCK_SIZE)) { + if (XMEMCMP(p1, buf, WC_AES_BLOCK_SIZE)) { ret = LINUXKM_LKCAPI_AES_KAT_MISMATCH_E; goto out; } @@ -2707,14 +2715,14 @@ static int aes_xts_256_test(void) ret = wc_AesXtsEncryptInit(aes, i1, sizeof(i1), &stream); if (ret != 0) goto out; - for (k = 0; k < j; k += AES_BLOCK_SIZE) { - if ((j - k) < AES_BLOCK_SIZE*2) + for (k = 0; k < j; k += WC_AES_BLOCK_SIZE) { + if ((j - k) < WC_AES_BLOCK_SIZE*2) ret = wc_AesXtsEncryptFinal(aes, large_input + k, large_input + k, j - k, &stream); else - ret = wc_AesXtsEncryptUpdate(aes, large_input + k, large_input + k, AES_BLOCK_SIZE, &stream); + ret = wc_AesXtsEncryptUpdate(aes, large_input + k, large_input + k, WC_AES_BLOCK_SIZE, &stream); if (ret != 0) goto out; - if ((j - k) < AES_BLOCK_SIZE*2) + if ((j - k) < WC_AES_BLOCK_SIZE*2) break; } ret = wc_AesXtsSetKeyNoInit(aes, k1, sizeof(k1), AES_DECRYPTION); @@ -2747,14 +2755,14 @@ static int aes_xts_256_test(void) ret = wc_AesXtsDecryptInit(aes, i1, sizeof(i1), &stream); if (ret != 0) goto out; - for (k = 0; k < j; k += AES_BLOCK_SIZE) { - if ((j - k) < AES_BLOCK_SIZE*2) + for (k = 0; k < j; k += WC_AES_BLOCK_SIZE) { + if ((j - k) < WC_AES_BLOCK_SIZE*2) ret = wc_AesXtsDecryptFinal(aes, large_input + k, large_input + k, j - k, &stream); else - ret = wc_AesXtsDecryptUpdate(aes, large_input + k, large_input + k, AES_BLOCK_SIZE, &stream); + ret = wc_AesXtsDecryptUpdate(aes, large_input + k, large_input + k, WC_AES_BLOCK_SIZE, &stream); if (ret != 0) goto out; - if ((j - k) < AES_BLOCK_SIZE*2) + if ((j - k) < WC_AES_BLOCK_SIZE*2) break; } for (i = 0; i < j; i++) { diff --git a/linuxkm/module_exports.c.template b/linuxkm/module_exports.c.template index 77beef5bd1..76b7131d5c 100644 --- a/linuxkm/module_exports.c.template +++ b/linuxkm/module_exports.c.template @@ -215,3 +215,6 @@ #include #endif +#if defined(OPENSSL_EXTRA) && !defined(WC_NO_RNG) && defined(HAVE_HASHDRBG) +#include +#endif diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index 2972011919..988343e475 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -584,12 +584,21 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { #ifdef WOLFSSL_AKID_NAME wolfssl_linuxkm_pie_redirect_table.GetCAByAKID = GetCAByAKID; #endif /* WOLFSSL_AKID_NAME */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) + wolfssl_linuxkm_pie_redirect_table.wolfSSL_X509_NAME_add_entry_by_NID = wolfSSL_X509_NAME_add_entry_by_NID; + wolfssl_linuxkm_pie_redirect_table.wolfSSL_X509_NAME_free = wolfSSL_X509_NAME_free; + wolfssl_linuxkm_pie_redirect_table.wolfSSL_X509_NAME_new_ex = wolfSSL_X509_NAME_new_ex; +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ #ifdef WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES wolfssl_linuxkm_pie_redirect_table.dump_stack = dump_stack; #endif +#ifdef CONFIG_ARM64 + wolfssl_linuxkm_pie_redirect_table.alt_cb_patch_nops = alt_cb_patch_nops; +#endif + /* runtime assert that the table has no null slots after initialization. */ { unsigned long *i; diff --git a/linuxkm/x86_vector_register_glue.c b/linuxkm/x86_vector_register_glue.c index 8f0ffb4caf..552ac40c97 100644 --- a/linuxkm/x86_vector_register_glue.c +++ b/linuxkm/x86_vector_register_glue.c @@ -305,7 +305,7 @@ static struct wc_thread_fpu_count_ent *wc_linuxkm_fpu_state_assoc_unlikely(int c } } else { /* check for migration. this can happen despite our best efforts if any - * I/O occured while locked, e.g. kernel messages like "uninitialized + * I/O occurred while locked, e.g. kernel messages like "uninitialized * urandom read". since we're locked now, we can safely migrate the * entry in wc_linuxkm_fpu_states[], freeing up the slot on the previous * cpu. diff --git a/src/bio.c b/src/bio.c index ac4eb0332f..df177293d5 100644 --- a/src/bio.c +++ b/src/bio.c @@ -146,7 +146,7 @@ static int wolfSSL_BIO_MEMORY_read(WOLFSSL_BIO* bio, void* buf, int len) bio->rdIdx += sz; if (bio->rdIdx >= bio->wrSz) { - if (bio->flags & BIO_FLAGS_MEM_RDONLY) { + if (bio->flags & WOLFSSL_BIO_FLAG_MEM_RDONLY) { bio->wrSz = bio->wrSzReset; } else { @@ -163,7 +163,7 @@ static int wolfSSL_BIO_MEMORY_read(WOLFSSL_BIO* bio, void* buf, int len) bio->ptr.mem_buf_data = (byte *)bio->mem_buf->data; } else if (bio->rdIdx >= WOLFSSL_BIO_RESIZE_THRESHOLD && - !(bio->flags & BIO_FLAGS_MEM_RDONLY)) { + !(bio->flags & WOLFSSL_BIO_FLAG_MEM_RDONLY)) { /* Resize the memory so we are not taking up more than necessary. * memmove reverts internally to memcpy if areas don't overlap */ XMEMMOVE(bio->mem_buf->data, bio->mem_buf->data + bio->rdIdx, @@ -234,7 +234,7 @@ static int wolfSSL_BIO_SSL_read(WOLFSSL_BIO* bio, void* buf, static int wolfSSL_BIO_MD_read(WOLFSSL_BIO* bio, void* buf, int sz) { - if (wolfSSL_EVP_MD_CTX_type(bio->ptr.md_ctx) == NID_hmac) { + if (wolfSSL_EVP_MD_CTX_type(bio->ptr.md_ctx) == WC_NID_hmac) { if (wolfSSL_EVP_DigestSignUpdate(bio->ptr.md_ctx, buf, (unsigned int)sz) != WOLFSSL_SUCCESS) { @@ -601,7 +601,7 @@ static int wolfSSL_BIO_MEMORY_write(WOLFSSL_BIO* bio, const void* data, WOLFSSL_MSG("one of input parameters is null"); return WOLFSSL_FAILURE; } - if (bio->flags & BIO_FLAGS_MEM_RDONLY) { + if (bio->flags & WOLFSSL_BIO_FLAG_MEM_RDONLY) { return WOLFSSL_FAILURE; } @@ -642,7 +642,7 @@ static int wolfSSL_BIO_MD_write(WOLFSSL_BIO* bio, const void* data, int len) return BAD_FUNC_ARG; } - if (wolfSSL_EVP_MD_CTX_type(bio->ptr.md_ctx) == NID_hmac) { + if (wolfSSL_EVP_MD_CTX_type(bio->ptr.md_ctx) == WC_NID_hmac) { if (wolfSSL_EVP_DigestSignUpdate(bio->ptr.md_ctx, data, (unsigned int)len) != WOLFSSL_SUCCESS) { ret = WOLFSSL_BIO_ERROR; @@ -866,23 +866,23 @@ long wolfSSL_BIO_ctrl(WOLFSSL_BIO *bio, int cmd, long larg, void *parg) } switch(cmd) { - case BIO_CTRL_PENDING: - case BIO_CTRL_WPENDING: + case WOLFSSL_BIO_CTRL_PENDING: + case WOLFSSL_BIO_CTRL_WPENDING: ret = (long)wolfSSL_BIO_ctrl_pending(bio); break; - case BIO_CTRL_INFO: + case WOLFSSL_BIO_CTRL_INFO: ret = (long)wolfSSL_BIO_get_mem_data(bio, parg); break; - case BIO_CTRL_FLUSH: + case WOLFSSL_BIO_CTRL_FLUSH: ret = (long)wolfSSL_BIO_flush(bio); break; - case BIO_CTRL_RESET: + case WOLFSSL_BIO_CTRL_RESET: ret = (long)wolfSSL_BIO_reset(bio); break; #ifdef WOLFSSL_HAVE_BIO_ADDR - case BIO_CTRL_DGRAM_CONNECT: - case BIO_CTRL_DGRAM_SET_PEER: + case WOLFSSL_BIO_CTRL_DGRAM_CONNECT: + case WOLFSSL_BIO_CTRL_DGRAM_SET_PEER: { socklen_t addr_size; if (parg == NULL) { @@ -899,7 +899,7 @@ long wolfSSL_BIO_ctrl(WOLFSSL_BIO *bio, int cmd, long larg, void *parg) break; } - case BIO_CTRL_DGRAM_SET_CONNECTED: + case WOLFSSL_BIO_CTRL_DGRAM_SET_CONNECTED: if (parg == NULL) { wolfSSL_BIO_ADDR_clear(&bio->peer_addr); bio->connected = 0; @@ -916,7 +916,7 @@ long wolfSSL_BIO_ctrl(WOLFSSL_BIO *bio, int cmd, long larg, void *parg) ret = WOLFSSL_SUCCESS; break; - case BIO_CTRL_DGRAM_QUERY_MTU: + case WOLFSSL_BIO_CTRL_DGRAM_QUERY_MTU: ret = 0; /* not implemented */ break; @@ -1717,7 +1717,7 @@ int wolfSSL_BIO_reset(WOLFSSL_BIO *bio) case WOLFSSL_BIO_MEMORY: bio->rdIdx = 0; - if (bio->flags & BIO_FLAGS_MEM_RDONLY) { + if (bio->flags & WOLFSSL_BIO_FLAG_MEM_RDONLY) { bio->wrIdx = bio->wrSzReset; bio->wrSz = bio->wrSzReset; } @@ -1826,7 +1826,7 @@ int wolfSSL_BIO_write_filename(WOLFSSL_BIO *bio, char *name) } if (bio->type == WOLFSSL_BIO_FILE) { - if (bio->ptr.fh != XBADFILE && bio->shutdown == BIO_CLOSE) { + if (bio->ptr.fh != XBADFILE && bio->shutdown == WOLFSSL_BIO_CLOSE) { XFCLOSE(bio->ptr.fh); } @@ -1839,7 +1839,7 @@ int wolfSSL_BIO_write_filename(WOLFSSL_BIO *bio, char *name) if (bio->ptr.fh == XBADFILE) { return WOLFSSL_FAILURE; } - bio->shutdown = BIO_CLOSE; + bio->shutdown = WOLFSSL_BIO_CLOSE; return WOLFSSL_SUCCESS; } @@ -2201,7 +2201,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) if (bio->method != NULL && bio->method->ctrlCb != NULL) { WOLFSSL_MSG("Calling custom BIO flush callback"); - return (int)bio->method->ctrlCb(bio, BIO_CTRL_FLUSH, 0, NULL); + return (int)bio->method->ctrlCb(bio, WOLFSSL_BIO_CTRL_FLUSH, 0, NULL); } else if (bio->type == WOLFSSL_BIO_FILE) { #if !defined(NO_FILESYSTEM) && defined(XFFLUSH) @@ -2387,7 +2387,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) bio->type = WOLFSSL_BIO_SOCKET; } else { - BIO_free(bio); + wolfSSL_BIO_free(bio); bio = NULL; } } @@ -2477,7 +2477,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) } b->num.fd = sfd; - b->shutdown = BIO_CLOSE; + b->shutdown = WOLFSSL_BIO_CLOSE; return WOLFSSL_SUCCESS; } @@ -2506,7 +2506,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) return WOLFSSL_FAILURE; } b->num.fd = sfd; - b->shutdown = BIO_CLOSE; + b->shutdown = WOLFSSL_BIO_CLOSE; } else { WOLFSSL_BIO* new_bio; @@ -2516,7 +2516,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) return WOLFSSL_FAILURE; } /* Create a socket BIO for using the accept'ed connection */ - new_bio = wolfSSL_BIO_new_socket(newfd, BIO_CLOSE); + new_bio = wolfSSL_BIO_new_socket(newfd, WOLFSSL_BIO_CLOSE); if (new_bio == NULL) { WOLFSSL_MSG("wolfSSL_BIO_new_socket error"); CloseSocket(newfd); @@ -2595,7 +2595,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) if (b->ptr.ssl != NULL) { int rc = wolfSSL_shutdown(b->ptr.ssl); - if (rc == SSL_SHUTDOWN_NOT_DONE) { + if (rc == WOLFSSL_SHUTDOWN_NOT_DONE) { /* In this case, call again to give us a chance to read the * close notify alert from the other end. */ wolfSSL_shutdown(b->ptr.ssl); @@ -2682,7 +2682,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) else wolfSSL_set_connect_state(ssl); } - if (err == 0 && wolfSSL_BIO_set_ssl(sslBio, ssl, BIO_CLOSE) != + if (err == 0 && wolfSSL_BIO_set_ssl(sslBio, ssl, WOLFSSL_BIO_CLOSE) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Failed to set SSL pointer in BIO."); err = 1; @@ -2831,13 +2831,20 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) #else bio->method = method; #endif - bio->shutdown = BIO_CLOSE; /* default to close things */ + bio->shutdown = WOLFSSL_BIO_CLOSE; /* default to close things */ if ((bio->type == WOLFSSL_BIO_SOCKET) || (bio->type == WOLFSSL_BIO_DGRAM)) { bio->num.fd = SOCKET_INVALID; - } else { + } + else if (bio->type == WOLFSSL_BIO_FILE) { +#ifndef NO_FILESYSTEM + bio->ptr.fh = XBADFILE; +#endif + bio->num.fd = SOCKET_INVALID; + } + else { bio->num.length = 0; } bio->init = 1; @@ -2916,7 +2923,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) bio->ptr.mem_buf_data = (byte *)bio->mem_buf->data; if (len > 0 && bio->ptr.mem_buf_data != NULL) { XMEMCPY(bio->ptr.mem_buf_data, buf, len); - bio->flags |= BIO_FLAGS_MEM_RDONLY; + bio->flags |= WOLFSSL_BIO_FLAG_MEM_RDONLY; bio->wrSzReset = bio->wrSz; } @@ -2994,7 +3001,9 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) } #ifndef NO_FILESYSTEM - if (bio->type == WOLFSSL_BIO_FILE && bio->shutdown == BIO_CLOSE) { + if (bio->type == WOLFSSL_BIO_FILE && + bio->shutdown == WOLFSSL_BIO_CLOSE) + { if (bio->ptr.fh) { XFCLOSE(bio->ptr.fh); } @@ -3007,7 +3016,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) } #endif - if (bio->shutdown != BIO_NOCLOSE) { + if (bio->shutdown != WOLFSSL_BIO_NOCLOSE) { if (bio->type == WOLFSSL_BIO_MEMORY && bio->ptr.mem_buf_data != NULL) { @@ -3409,7 +3418,7 @@ int wolfSSL_BIO_dump(WOLFSSL_BIO *bio, const char *buf, int length) if (fp == XBADFILE) return WOLFSSL_BAD_FILE; - if (wolfSSL_BIO_set_fp(b, fp, BIO_CLOSE) != WOLFSSL_SUCCESS) { + if (wolfSSL_BIO_set_fp(b, fp, WOLFSSL_BIO_CLOSE) != WOLFSSL_SUCCESS) { XFCLOSE(fp); return WOLFSSL_BAD_FILE; } @@ -3446,7 +3455,7 @@ WOLFSSL_BIO *wolfSSL_BIO_new_file(const char *filename, const char *mode) return bio; } - if (wolfSSL_BIO_set_fp(bio, fp, BIO_CLOSE) != WOLFSSL_SUCCESS) { + if (wolfSSL_BIO_set_fp(bio, fp, WOLFSSL_BIO_CLOSE) != WOLFSSL_SUCCESS) { XFCLOSE(fp); wolfSSL_BIO_free(bio); bio = NULL; diff --git a/src/conf.c b/src/conf.c index c9a35c12d2..8f92fe465e 100644 --- a/src/conf.c +++ b/src/conf.c @@ -603,7 +603,7 @@ char *wolfSSL_NCONF_get_string(const WOLFSSL_CONF *conf, return NULL; } -int wolfSSL_NCONF_get_number(const CONF *conf, const char *group, +int wolfSSL_NCONF_get_number(const WOLFSSL_CONF *conf, const char *group, const char *name, long *result) { char *str; @@ -1582,7 +1582,7 @@ int wolfSSL_CONF_cmd_value_type(WOLFSSL_CONF_CTX *cctx, const char *cmd) confcmd = wolfssl_conf_find_cmd(cctx, cmd); if (confcmd == NULL) - return SSL_CONF_TYPE_UNKNOWN; + return WOLFSSL_CONF_TYPE_UNKNOWN; return (int)confcmd->data_type; } @@ -1594,21 +1594,21 @@ int wolfSSL_CONF_cmd_value_type(WOLFSSL_CONF_CTX *cctx, const char *cmd) ******************************************************************************/ #if defined(OPENSSL_EXTRA) -OPENSSL_INIT_SETTINGS* wolfSSL_OPENSSL_INIT_new(void) +WOLFSSL_INIT_SETTINGS* wolfSSL_OPENSSL_INIT_new(void) { - OPENSSL_INIT_SETTINGS* init = (OPENSSL_INIT_SETTINGS*)XMALLOC( - sizeof(OPENSSL_INIT_SETTINGS), NULL, DYNAMIC_TYPE_OPENSSL); + WOLFSSL_INIT_SETTINGS* init = (WOLFSSL_INIT_SETTINGS*)XMALLOC( + sizeof(WOLFSSL_INIT_SETTINGS), NULL, DYNAMIC_TYPE_OPENSSL); return init; } -void wolfSSL_OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS* init) +void wolfSSL_OPENSSL_INIT_free(WOLFSSL_INIT_SETTINGS* init) { XFREE(init, NULL, DYNAMIC_TYPE_OPENSSL); } #ifndef NO_WOLFSSL_STUB -int wolfSSL_OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS* init, +int wolfSSL_OPENSSL_INIT_set_config_appname(WOLFSSL_INIT_SETTINGS* init, char* appname) { (void)init; diff --git a/src/crl.c b/src/crl.c index 5e359c7ae9..9d2fcb074e 100644 --- a/src/crl.c +++ b/src/crl.c @@ -311,7 +311,6 @@ static int FindRevokedSerial(RevokedCert* rc, byte* serial, int serialSz, #else (void)totalCerts; /* search in the linked list*/ - while (rc) { if (serialHash == NULL) { if (rc->serialSz == serialSz && @@ -560,12 +559,45 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert) NULL, cert->extCrlInfo, cert->extCrlInfoSz, issuerName); } +#ifdef HAVE_CRL_UPDATE_CB +static void SetCrlInfo(CRL_Entry* entry, CrlInfo *info) +{ + info->issuerHash = (byte *)entry->issuerHash; + info->issuerHashLen = CRL_DIGEST_SIZE; + info->lastDate = (byte *)entry->lastDate; + info->lastDateMaxLen = MAX_DATE_SIZE; + info->lastDateFormat = entry->lastDateFormat; + info->nextDate = (byte *)entry->nextDate; + info->nextDateMaxLen = MAX_DATE_SIZE; + info->nextDateFormat = entry->nextDateFormat; + info->crlNumber = (sword32)entry->crlNumber; +} + +static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info) +{ + info->issuerHash = (byte *)entry->issuerHash; + info->issuerHashLen = SIGNER_DIGEST_SIZE; + info->lastDate = (byte *)entry->lastDate; + info->lastDateMaxLen = MAX_DATE_SIZE; + info->lastDateFormat = entry->lastDateFormat; + info->nextDate = (byte *)entry->nextDate; + info->nextDateMaxLen = MAX_DATE_SIZE; + info->nextDateFormat = entry->nextDateFormat; + info->crlNumber = (sword32)entry->crlNumber; +} +#endif /* Add Decoded CRL, 0 on success */ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff, int verified) { CRL_Entry* crle = NULL; + CRL_Entry* curr = NULL; + CRL_Entry* prev = NULL; +#ifdef HAVE_CRL_UPDATE_CB + CrlInfo old; + CrlInfo cnew; +#endif WOLFSSL_ENTER("AddCRL"); @@ -594,8 +626,43 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff, return BAD_MUTEX_E; } - crle->next = crl->crlList; - crl->crlList = crle; + for (curr = crl->crlList; curr != NULL; curr = curr->next) { + if (XMEMCMP(curr->issuerHash, crle->issuerHash, CRL_DIGEST_SIZE) == 0) { + if (crle->crlNumber <= curr->crlNumber) { + WOLFSSL_MSG("Same or newer CRL entry already exists"); + CRL_Entry_free(crle, crl->heap); + wc_UnLockRwLock(&crl->crlLock); + return BAD_FUNC_ARG; + } + + crle->next = curr->next; + if (prev != NULL) { + prev->next = crle; + } + else { + crl->crlList = crle; + } + +#ifdef HAVE_CRL_UPDATE_CB + if (crl->cm && crl->cm->cbUpdateCRL != NULL) { + SetCrlInfo(curr, &old); + SetCrlInfo(crle, &cnew); + crl->cm->cbUpdateCRL(&old, &cnew); + } +#endif + + break; + } + prev = curr; + } + + if (curr != NULL) { + CRL_Entry_free(curr, crl->heap); + } + else { + crle->next = crl->crlList; + crl->crlList = crle; + } wc_UnLockRwLock(&crl->crlLock); /* Avoid heap-use-after-free after crl->crlList is released */ crl->currentEntry = NULL; @@ -686,6 +753,87 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type, return ret ? ret : WOLFSSL_SUCCESS; /* convert 0 to WOLFSSL_SUCCESS */ } +#ifdef HAVE_CRL_UPDATE_CB +/* Fill out CRL info structure, WOLFSSL_SUCCESS on ok */ +int GetCRLInfo(WOLFSSL_CRL* crl, CrlInfo* info, const byte* buff, + long sz, int type) +{ + int ret = WOLFSSL_SUCCESS; + const byte* myBuffer = buff; /* if DER ok, otherwise switch */ + DerBuffer* der = NULL; + CRL_Entry* crle = NULL; +#ifdef WOLFSSL_SMALL_STACK + DecodedCRL* dcrl; +#else + DecodedCRL dcrl[1]; +#endif + + WOLFSSL_ENTER("GetCRLInfo"); + + if (crl == NULL || info == NULL || buff == NULL || sz == 0) + return BAD_FUNC_ARG; + + if (type == WOLFSSL_FILETYPE_PEM) { + #ifdef WOLFSSL_PEM_TO_DER + ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, NULL, NULL); + if (ret == 0) { + myBuffer = der->buffer; + sz = der->length; + } + else { + WOLFSSL_MSG("Pem to Der failed"); + FreeDer(&der); + return -1; + } + #else + ret = NOT_COMPILED_IN; + #endif + } + +#ifdef WOLFSSL_SMALL_STACK + dcrl = (DecodedCRL*)XMALLOC(sizeof(DecodedCRL), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (dcrl == NULL) { + FreeDer(&der); + return MEMORY_E; + } +#endif + + crle = CRL_Entry_new(crl->heap); + if (crle == NULL) { + WOLFSSL_MSG("alloc CRL Entry failed"); + #ifdef WOLFSSL_SMALL_STACK + XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + FreeDer(&der); + return MEMORY_E; + } + + InitDecodedCRL(dcrl, crl->heap); + ret = ParseCRL(crle->certs, dcrl, myBuffer, (word32)sz, + 0, crl->cm); + if (ret != 0 && !(ret == WC_NO_ERR_TRACE(ASN_CRL_NO_SIGNER_E))) { + WOLFSSL_MSG("ParseCRL error"); + CRL_Entry_free(crle, crl->heap); + crle = NULL; + } + else { + SetCrlInfoFromDecoded((DecodedCRL*)dcrl, info); + } + + FreeDecodedCRL(dcrl); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + FreeDer(&der); + CRL_Entry_free(crle, crl->heap); + + return ret ? ret : WOLFSSL_SUCCESS; /* convert 0 to WOLFSSL_SUCCESS */ +} +#endif + #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) /* helper function to create a new dynamic WOLFSSL_X509_CRL structure */ static WOLFSSL_X509_CRL* wolfSSL_X509_crl_new(WOLFSSL_CERT_MANAGER* cm) @@ -784,7 +932,7 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) #endif if (dupl->toBeSigned == NULL || dupl->signature == NULL #ifdef WC_RSA_PSS - /* allow sigParamsSz is zero and malloc(0) to return NULL */ + /* allow sigParamsSz is zero and XMALLOC(0) to return NULL */ || (dupl->sigParams == NULL && dupl->sigParamsSz != 0) #endif ) { diff --git a/src/dtls13.c b/src/dtls13.c index 6f2f014895..5011f7d85b 100644 --- a/src/dtls13.c +++ b/src/dtls13.c @@ -260,7 +260,8 @@ static int Dtls13GetRnMask(WOLFSSL* ssl, const byte* ciphertext, byte* mask, if (c->aes == NULL) return BAD_STATE_E; #if !defined(HAVE_SELFTEST) && \ - (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) + (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) \ + || defined(WOLFSSL_LINUXKM)) return wc_AesEncryptDirect(c->aes, mask, ciphertext); #else wc_AesEncryptDirect(c->aes, mask, ciphertext); diff --git a/src/internal.c b/src/internal.c index 005075f88d..756f2812fc 100644 --- a/src/internal.c +++ b/src/internal.c @@ -796,16 +796,16 @@ static int ExportCipherSpecState(WOLFSSL* ssl, byte* exp, word32 len, byte ver, ssl->specs.bulk_cipher_algorithm == wolfssl_aes) { byte *pt = (byte*)ssl->encrypt.aes->reg; - if ((idx + 2*AES_BLOCK_SIZE) > len) { + if ((idx + 2*WC_AES_BLOCK_SIZE) > len) { WOLFSSL_MSG("Can not fit AES state into buffer"); return BUFFER_E; } - XMEMCPY(exp + idx, pt, AES_BLOCK_SIZE); - idx += AES_BLOCK_SIZE; + XMEMCPY(exp + idx, pt, WC_AES_BLOCK_SIZE); + idx += WC_AES_BLOCK_SIZE; pt = (byte*)ssl->decrypt.aes->reg; - XMEMCPY(exp + idx, pt, AES_BLOCK_SIZE); - idx += AES_BLOCK_SIZE; + XMEMCPY(exp + idx, pt, WC_AES_BLOCK_SIZE); + idx += WC_AES_BLOCK_SIZE; } WOLFSSL_LEAVE("ExportCipherSpecState", idx); @@ -1048,12 +1048,12 @@ static int ImportCipherSpecState(WOLFSSL* ssl, const byte* exp, word32 len, if (type == WOLFSSL_EXPORT_TLS && ssl->specs.bulk_cipher_algorithm == wolfssl_aes) { byte *pt = (byte*)ssl->encrypt.aes->reg; - XMEMCPY(pt, exp + idx, AES_BLOCK_SIZE); - idx += AES_BLOCK_SIZE; + XMEMCPY(pt, exp + idx, WC_AES_BLOCK_SIZE); + idx += WC_AES_BLOCK_SIZE; pt = (byte*)ssl->decrypt.aes->reg; - XMEMCPY(pt, exp + idx, AES_BLOCK_SIZE); - idx += AES_BLOCK_SIZE; + XMEMCPY(pt, exp + idx, WC_AES_BLOCK_SIZE); + idx += WC_AES_BLOCK_SIZE; } WOLFSSL_LEAVE("ImportCipherSpecState", idx); @@ -2108,7 +2108,7 @@ int wolfSSL_session_export_internal(WOLFSSL* ssl, byte* buf, word32* sz, /* possible AES state needed */ if (type == WOLFSSL_EXPORT_TLS) { - *sz += AES_BLOCK_SIZE*2; + *sz += WC_AES_BLOCK_SIZE*2; } ret = WC_NO_ERR_TRACE(LENGTH_ONLY_E); } @@ -2297,7 +2297,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) ctx->minDowngrade = WOLFSSL_MIN_DOWNGRADE; } - wolfSSL_RefInit(&ctx->ref, &ret); + wolfSSL_RefWithMutexInit(&ctx->ref, &ret); #ifdef WOLFSSL_REFCNT_ERROR_RETURN if (ret < 0) { WOLFSSL_MSG("Mutex error on CTX init"); @@ -2769,25 +2769,6 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) (void)heapAtCTXInit; } -#ifdef WOLFSSL_STATIC_MEMORY -static void SSL_CtxResourceFreeStaticMem(void* heap) -{ -#ifndef SINGLE_THREADED - if (heap != NULL - #ifdef WOLFSSL_HEAP_TEST - /* avoid dereferencing a test value */ - && heap != (void*)WOLFSSL_HEAP_TEST - #endif - ) { - WOLFSSL_HEAP_HINT* hint = (WOLFSSL_HEAP_HINT*)heap; - WOLFSSL_HEAP* mem = hint->memory; - wc_FreeMutex(&mem->memory_mutex); - } -#else - (void)heap; -#endif -} -#endif /* WOLFSSL_STATIC_MEMORY */ void FreeSSL_Ctx(WOLFSSL_CTX* ctx) { @@ -2801,7 +2782,7 @@ void FreeSSL_Ctx(WOLFSSL_CTX* ctx) #endif /* decrement CTX reference count */ - wolfSSL_RefDec(&ctx->ref, &isZero, &ret); + wolfSSL_RefWithMutexDec(&ctx->ref, &isZero, &ret); #ifdef WOLFSSL_REFCNT_ERROR_RETURN if (ret < 0) { /* check error state, if mutex error code then mutex init failed but @@ -2809,9 +2790,6 @@ void FreeSSL_Ctx(WOLFSSL_CTX* ctx) if (ctx->err == WC_NO_ERR_TRACE(CTX_INIT_MUTEX_E)) { SSL_CtxResourceFree(ctx); XFREE(ctx, heap, DYNAMIC_TYPE_CTX); - #ifdef WOLFSSL_STATIC_MEMORY - SSL_CtxResourceFreeStaticMem(heap); - #endif } return; } @@ -2829,9 +2807,6 @@ void FreeSSL_Ctx(WOLFSSL_CTX* ctx) #endif wolfSSL_RefFree(&ctx->ref); XFREE(ctx, heap, DYNAMIC_TYPE_CTX); - #ifdef WOLFSSL_STATIC_MEMORY - SSL_CtxResourceFreeStaticMem(heap); - #endif } else { WOLFSSL_MSG("CTX ref count not 0 yet, no free"); @@ -3298,17 +3273,17 @@ void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA, return; /* trust user settings, don't override */ #ifdef WOLFSSL_TLS13 -#ifdef BUILD_TLS_AES_128_GCM_SHA256 +#ifdef BUILD_TLS_AES_256_GCM_SHA384 if (tls1_3) { suites->suites[idx++] = TLS13_BYTE; - suites->suites[idx++] = TLS_AES_128_GCM_SHA256; + suites->suites[idx++] = TLS_AES_256_GCM_SHA384; } #endif -#ifdef BUILD_TLS_AES_256_GCM_SHA384 +#ifdef BUILD_TLS_AES_128_GCM_SHA256 if (tls1_3) { suites->suites[idx++] = TLS13_BYTE; - suites->suites[idx++] = TLS_AES_256_GCM_SHA384; + suites->suites[idx++] = TLS_AES_128_GCM_SHA256; } #endif @@ -6627,7 +6602,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #ifdef OPENSSL_EXTRA #ifdef WOLFSSL_TLS13 if (ssl->version.minor == TLSv1_3_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) { + (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == WOLFSSL_OP_NO_TLSv1_3) { if (!ctx->method->downgrade) { WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.3 set but not " "allowed and downgrading disabled."); @@ -6639,7 +6614,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) } #endif if (ssl->version.minor == TLSv1_2_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { + (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == WOLFSSL_OP_NO_TLSv1_2) { if (!ctx->method->downgrade) { WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.2 set but not " "allowed and downgrading disabled."); @@ -6650,7 +6625,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->version.minor = TLSv1_1_MINOR; } if (ssl->version.minor == TLSv1_1_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { + (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == WOLFSSL_OP_NO_TLSv1_1) { if (!ctx->method->downgrade) { WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.1 set but not " "allowed and downgrading disabled."); @@ -6662,7 +6637,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->version.minor = TLSv1_MINOR; } if (ssl->version.minor == TLSv1_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { + (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == WOLFSSL_OP_NO_TLSv1) { if (!ctx->method->downgrade) { WOLFSSL_MSG("\tInconsistent protocol options. TLS 1 set but not " "allowed and downgrading disabled."); @@ -6675,7 +6650,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->version.minor = SSLv3_MINOR; } if (ssl->version.minor == SSLv3_MINOR && - (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { + (ssl->options.mask & WOLFSSL_OP_NO_SSLv3) == WOLFSSL_OP_NO_SSLv3) { WOLFSSL_MSG("\tError, option set to not allow SSLv3"); WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); return VERSION_ERROR; @@ -8163,7 +8138,7 @@ void FreeSuites(WOLFSSL* ssl) /* In case holding SSL object in array and don't want to free actual ssl */ -void SSL_ResourceFree(WOLFSSL* ssl) +void wolfSSL_ResourceFree(WOLFSSL* ssl) { /* Note: any resources used during the handshake should be released in the * function FreeHandshakeResources(). Be careful with the special cases @@ -8799,7 +8774,7 @@ void FreeHandshakeResources(WOLFSSL* ssl) void FreeSSL(WOLFSSL* ssl, void* heap) { WOLFSSL_CTX* ctx = ssl->ctx; - SSL_ResourceFree(ssl); + wolfSSL_ResourceFree(ssl); XFREE(ssl, heap, DYNAMIC_TYPE_SSL); if (ctx) FreeSSL_Ctx(ctx); /* will decrement and free underlying CTX if 0 */ @@ -12917,7 +12892,7 @@ static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert) x509->challengePw[dCert->cPwdLen] = '\0'; #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) if (wolfSSL_X509_REQ_add1_attr_by_NID(x509, - NID_pkcs9_challengePassword, + WC_NID_pkcs9_challengePassword, MBSTRING_ASC, (const byte*)dCert->cPwd, dCert->cPwdLen) != WOLFSSL_SUCCESS) { @@ -12939,7 +12914,7 @@ static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert) } #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) if (wolfSSL_X509_REQ_add1_attr_by_NID(x509, - NID_pkcs9_contentType, + WC_NID_pkcs9_contentType, MBSTRING_ASC, (const byte*)dCert->contentType, dCert->contentTypeLen) != @@ -12953,7 +12928,7 @@ static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert) #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) if (dCert->sNum) { if (wolfSSL_X509_REQ_add1_attr_by_NID(x509, - NID_serialNumber, + WC_NID_serialNumber, MBSTRING_ASC, (const byte*)dCert->sNum, dCert->sNumLen) != WOLFSSL_SUCCESS) { @@ -12963,7 +12938,7 @@ static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert) } if (dCert->unstructuredName) { if (wolfSSL_X509_REQ_add1_attr_by_NID(x509, - NID_pkcs9_unstructuredName, + WC_NID_pkcs9_unstructuredName, MBSTRING_ASC, (const byte*)dCert->unstructuredName, dCert->unstructuredNameLen) @@ -12974,7 +12949,7 @@ static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert) } if (dCert->surname) { if (wolfSSL_X509_REQ_add1_attr_by_NID(x509, - NID_surname, + WC_NID_surname, MBSTRING_ASC, (const byte*)dCert->surname, dCert->surnameLen) != WOLFSSL_SUCCESS) { @@ -12984,7 +12959,7 @@ static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert) } if (dCert->givenName) { if (wolfSSL_X509_REQ_add1_attr_by_NID(x509, - NID_givenName, + WC_NID_givenName, MBSTRING_ASC, (const byte*)dCert->givenName, dCert->givenNameLen) != WOLFSSL_SUCCESS) { @@ -12994,7 +12969,7 @@ static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert) } if (dCert->dnQualifier) { if (wolfSSL_X509_REQ_add1_attr_by_NID(x509, - NID_dnQualifier, + WC_NID_dnQualifier, MBSTRING_ASC, (const byte*)dCert->dnQualifier, dCert->dnQualifierLen) != WOLFSSL_SUCCESS) { @@ -13004,7 +12979,7 @@ static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert) } if (dCert->initials) { if (wolfSSL_X509_REQ_add1_attr_by_NID(x509, - NID_initials, + WC_NID_initials, MBSTRING_ASC, (const byte*)dCert->initials, dCert->initialsLen) != WOLFSSL_SUCCESS) { @@ -14817,7 +14792,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (ssl->error == WC_NO_ERR_TRACE(OCSP_WANT_READ)) { /* Re-entry after non-blocking OCSP */ #ifdef WOLFSSL_ASYNC_CRYPT - /* if async operationg not pending, reset error code */ + /* if async operations not pending, reset error code */ if (ret == WC_NO_ERR_TRACE(WC_NO_PENDING_E)) ret = 0; #endif @@ -15232,7 +15207,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, else /* skips OCSP and force CRL check */ #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) - if (IsAtLeastTLSv1_3(ssl->version)) { + if (IsAtLeastTLSv1_3(ssl->version) && + ssl->options.side == WOLFSSL_CLIENT_END && + ssl->status_request) { + /* We check CSR in Certificate message sent from + * Server. Server side will check client + * certificates by traditional OCSP if enabled + */ ret = TLSX_CSR_InitRequest_ex(ssl->extensions, args->dCert, ssl->heap, args->certIdx); } @@ -16827,13 +16808,13 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size, if (ssl->options.side == WOLFSSL_CLIENT_END) { ssl->options.serverState = SERVER_FINISHED_COMPLETE; #ifdef OPENSSL_EXTRA - ssl->cbmode = SSL_CB_MODE_WRITE; + ssl->cbmode = WOLFSSL_CB_MODE_WRITE; ssl->options.clientState = CLIENT_FINISHED_COMPLETE; #endif if (!ssl->options.resuming) { #ifdef OPENSSL_EXTRA if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS); + ssl->CBIS(ssl, WOLFSSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS); } #endif ssl->options.handShakeState = HANDSHAKE_DONE; @@ -16846,13 +16827,13 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size, else { ssl->options.clientState = CLIENT_FINISHED_COMPLETE; #ifdef OPENSSL_EXTRA - ssl->cbmode = SSL_CB_MODE_READ; + ssl->cbmode = WOLFSSL_CB_MODE_READ; ssl->options.serverState = SERVER_FINISHED_COMPLETE; #endif if (ssl->options.resuming) { #ifdef OPENSSL_EXTRA if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_ACCEPT_LOOP, WOLFSSL_SUCCESS); + ssl->CBIS(ssl, WOLFSSL_CB_ACCEPT_LOOP, WOLFSSL_SUCCESS); } #endif ssl->options.handShakeState = HANDSHAKE_DONE; @@ -17471,6 +17452,18 @@ int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, case certificate_request: case server_hello_done: if (ssl->options.resuming) { + /* Client requested resumption, but server is doing a + * full handshake */ + + /* The server's decision to resume isn't known until after the + * "server_hello". If subsequent handshake messages like + * "certificate" or "server_key_exchange" are received then we + * are doing a full handshake */ + + /* If the server included a session id then we + * treat this as a fatal error, since the server said it was + * doing resumption, but did not. */ + /* https://www.rfc-editor.org/rfc/rfc5077.html#section-3.4 * Alternatively, the client MAY include an empty Session ID * in the ClientHello. In this case, the client ignores the @@ -17479,7 +17472,7 @@ int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, * messages. */ #ifndef WOLFSSL_WPAS - if (ssl->session->sessionIDSz != 0) { + if (ssl->arrays->sessionIDSz != 0) { /* Fatal error. Only try to send an alert. RFC 5246 does not * allow for reverting back to a full handshake after the * server has indicated the intention to do a resumption. */ @@ -17501,9 +17494,9 @@ int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef OPENSSL_EXTRA if (ssl->CBIS != NULL){ - ssl->cbmode = SSL_CB_MODE_READ; + ssl->cbmode = WOLFSSL_CB_MODE_READ; ssl->cbtype = type; - ssl->CBIS(ssl, SSL_CB_ACCEPT_LOOP, WOLFSSL_SUCCESS); + ssl->CBIS(ssl, WOLFSSL_CB_ACCEPT_LOOP, WOLFSSL_SUCCESS); } #endif @@ -20629,33 +20622,54 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx, int sniff) #ifdef HAVE_LIBZ byte decomp[MAX_RECORD_SIZE + MAX_COMP_EXTRA]; #endif - #ifdef WOLFSSL_EARLY_DATA - if (ssl->options.tls1_3 && ssl->options.handShakeDone == 0) { - int process = 0; + int isEarlyData = ssl->options.tls1_3 && + ssl->options.handShakeDone == 0 && + ssl->options.side == WOLFSSL_SERVER_END; + int acceptEarlyData = ssl->earlyData != no_early_data && + ssl->options.clientState == CLIENT_HELLO_COMPLETE; +#endif - if (ssl->options.side == WOLFSSL_SERVER_END) { - if ((ssl->earlyData != no_early_data) && - (ssl->options.clientState == CLIENT_HELLO_COMPLETE)) { - process = 1; - } - if (!process) { - WOLFSSL_MSG("Ignoring EarlyData!"); - *inOutIdx += ssl->curSize; - if (*inOutIdx > ssl->buffers.inputBuffer.length) - return BUFFER_E; +#if defined(WOLFSSL_EARLY_DATA) && defined(WOLFSSL_DTLS13) + if (ssl->options.tls1_3 && ssl->options.dtls) + isEarlyData = isEarlyData && w64Equal(ssl->keys.curEpoch64, + w64From32(0x0, DTLS13_EPOCH_EARLYDATA)); +#endif - return 0; - } - } - if (!process) { - WOLFSSL_MSG("Received App data before a handshake completed"); - if (sniff == NO_SNIFF) { - SendAlert(ssl, alert_fatal, unexpected_message); - } - WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); - return OUT_OF_ORDER_E; - } +#ifdef WOLFSSL_EARLY_DATA + if (isEarlyData && acceptEarlyData) { + WOLFSSL_MSG("Processing EarlyData"); + } + else if (isEarlyData && !acceptEarlyData) { + WOLFSSL_MSG("Ignoring EarlyData!"); + *inOutIdx += ssl->curSize; + if (*inOutIdx > ssl->buffers.inputBuffer.length) + return BUFFER_E; +#ifdef WOLFSSL_DTLS13 + /* Receiving app data from the traffic epoch before the handshake is + * done means that there was a disruption. */ + if (ssl->options.dtls && !w64Equal(ssl->keys.curEpoch64, + w64From32(0x0, DTLS13_EPOCH_EARLYDATA))) + ssl->dtls13Rtx.sendAcks = 1; +#endif + return 0; + } + else +#endif +#ifdef WOLFSSL_DTLS + if (ssl->options.handShakeDone == 0 && ssl->options.dtls) { + WOLFSSL_MSG("Dropping app data received before handshake complete"); + *inOutIdx += ssl->curSize; + if (*inOutIdx > ssl->buffers.inputBuffer.length) + return BUFFER_E; +#ifdef WOLFSSL_DTLS13 + /* Receiving app data from the traffic epoch before the handshake is + * done means that there was a disruption. */ + if (ssl->options.tls1_3 && !w64Equal(ssl->keys.curEpoch64, + w64From32(0x0, DTLS13_EPOCH_EARLYDATA))) + ssl->dtls13Rtx.sendAcks = 1; +#endif + return 0; } else #endif @@ -22456,17 +22470,17 @@ int SendChangeCipher(WOLFSSL* ssl) int ret; #ifdef OPENSSL_EXTRA - ssl->cbmode = SSL_CB_MODE_WRITE; + ssl->cbmode = WOLFSSL_CB_MODE_WRITE; if (ssl->options.side == WOLFSSL_SERVER_END){ ssl->options.serverState = SERVER_CHANGECIPHERSPEC_COMPLETE; if (ssl->CBIS != NULL) - ssl->CBIS(ssl, SSL_CB_ACCEPT_LOOP, WOLFSSL_SUCCESS); + ssl->CBIS(ssl, WOLFSSL_CB_ACCEPT_LOOP, WOLFSSL_SUCCESS); } - else{ + else { ssl->options.clientState = CLIENT_CHANGECIPHERSPEC_COMPLETE; if (ssl->CBIS != NULL) - ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS); + ssl->CBIS(ssl, WOLFSSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS); } #endif @@ -23545,9 +23559,9 @@ int SendFinished(WOLFSSL* ssl) if (ssl->options.side == WOLFSSL_SERVER_END) { #ifdef OPENSSL_EXTRA ssl->options.serverState = SERVER_FINISHED_COMPLETE; - ssl->cbmode = SSL_CB_MODE_WRITE; + ssl->cbmode = WOLFSSL_CB_MODE_WRITE; if (ssl->CBIS != NULL) - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, WOLFSSL_SUCCESS); + ssl->CBIS(ssl, WOLFSSL_CB_HANDSHAKE_DONE, WOLFSSL_SUCCESS); #endif ssl->options.handShakeState = HANDSHAKE_DONE; ssl->options.handShakeDone = 1; @@ -23560,9 +23574,9 @@ int SendFinished(WOLFSSL* ssl) if (ssl->options.side == WOLFSSL_CLIENT_END) { #ifdef OPENSSL_EXTRA ssl->options.clientState = CLIENT_FINISHED_COMPLETE; - ssl->cbmode = SSL_CB_MODE_WRITE; + ssl->cbmode = WOLFSSL_CB_MODE_WRITE; if (ssl->CBIS != NULL) - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, WOLFSSL_SUCCESS); + ssl->CBIS(ssl, WOLFSSL_CB_HANDSHAKE_DONE, WOLFSSL_SUCCESS); #endif ssl->options.handShakeState = HANDSHAKE_DONE; ssl->options.handShakeDone = 1; @@ -24886,15 +24900,15 @@ int SendData(WOLFSSL* ssl, const void* data, int sz) groupMsgs = 1; #endif } - else if (IsAtLeastTLSv1_3(ssl->version) && + else +#endif + if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.side == WOLFSSL_SERVER_END && ssl->options.acceptState >= TLS13_ACCEPT_FINISHED_SENT) { /* We can send data without waiting on peer finished msg */ WOLFSSL_MSG("server sending data before receiving client finished"); } - else -#endif - if (ssl_in_handshake(ssl, 1)) { + else if (ssl_in_handshake(ssl, 1)) { int err; WOLFSSL_MSG("handshake not complete, trying to finish"); if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) { @@ -25446,7 +25460,7 @@ static int SendAlert_ex(WOLFSSL* ssl, int severity, int type) #ifdef OPENSSL_EXTRA if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_ALERT, type); + ssl->CBIS(ssl, WOLFSSL_CB_ALERT, type); } #endif #ifdef WOLFSSL_DTLS @@ -25654,7 +25668,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) } /* pass to wolfCrypt */ - if (error <= WC_FIRST_E && error >= WC_LAST_E) { + if ((error <= WC_SPAN1_FIRST_E && error >= WC_SPAN1_MIN_CODE_E) || + (error <= WC_SPAN2_FIRST_E && error >= WC_SPAN2_MIN_CODE_E)) + { return wc_GetErrorString(error); } @@ -25666,7 +25682,7 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) #endif } - switch ((enum wolfSSL_ErrorCodes)error) { + switch ((enum wolfSSL_ErrorCodes)error) { /* // NOLINT(clang-analyzer-optin.core.EnumCastOutOfRange) */ case UNSUPPORTED_SUITE : return "unsupported cipher suite"; @@ -26177,6 +26193,33 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case WOLFSSL_FATAL_ERROR: return "fatal error"; + + case WOLFSSL_PEM_R_NO_START_LINE_E: + return "No more matching objects found (PEM)"; + + case WOLFSSL_PEM_R_PROBLEMS_GETTING_PASSWORD_E: + return "Error getting password (PEM)"; + + case WOLFSSL_PEM_R_BAD_PASSWORD_READ_E: + return "Bad password (PEM)"; + + case WOLFSSL_PEM_R_BAD_DECRYPT_E : + return "Decryption failed (PEM)"; + + case WOLFSSL_ASN1_R_HEADER_TOO_LONG_E: + return "ASN header too long (compat)"; + + case WOLFSSL_EVP_R_BAD_DECRYPT_E : + return "Decryption failed (EVP)"; + + case WOLFSSL_EVP_R_BN_DECODE_ERROR: + return "Bignum decode error (EVP)"; + + case WOLFSSL_EVP_R_DECODE_ERROR : + return "Decode error (EVP)"; + + case WOLFSSL_EVP_R_PRIVATE_KEY_DECODE_ERROR: + return "Private key decode error (EVP)"; } #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ @@ -26261,9 +26304,9 @@ const char* wolfSSL_ERR_lib_error_string(unsigned long e) #if defined(OPENSSL_EXTRA) libe = wolfSSL_ERR_GET_LIB(e); switch (libe) { - case ERR_LIB_PEM: + case WOLFSSL_ERR_LIB_PEM: return "wolfSSL PEM routines"; - case ERR_LIB_EVP: + case WOLFSSL_ERR_LIB_EVP: return "wolfSSL digital envelope routines"; default: return ""; @@ -30132,9 +30175,9 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType, ssl->options.clientState = CLIENT_HELLO_COMPLETE; #ifdef OPENSSL_EXTRA - ssl->cbmode = SSL_CB_MODE_WRITE; + ssl->cbmode = WOLFSSL_CB_MODE_WRITE; if (ssl->CBIS != NULL) - ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS); + ssl->CBIS(ssl, WOLFSSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS); #endif #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) @@ -30270,7 +30313,7 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType, #ifdef OPENSSL_EXTRA if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_START, WOLFSSL_SUCCESS); + ssl->CBIS(ssl, WOLFSSL_CB_HANDSHAKE_START, WOLFSSL_SUCCESS); } #endif @@ -32437,9 +32480,9 @@ int SendClientKeyExchange(WOLFSSL* ssl) #ifdef OPENSSL_EXTRA ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - ssl->cbmode = SSL_CB_MODE_WRITE; + ssl->cbmode = WOLFSSL_CB_MODE_WRITE; if (ssl->CBIS != NULL) - ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS); + ssl->CBIS(ssl, WOLFSSL_CB_CONNECT_LOOP, WOLFSSL_SUCCESS); #endif #ifdef WOLFSSL_ASYNC_IO @@ -33763,7 +33806,7 @@ int SendCertificateVerify(WOLFSSL* ssl) return 0; /* sent blank cert, can't verify */ } - args->sendSz = MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA; + args->sendSz = WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA; if (IsEncryptionOn(ssl, 1)) { args->sendSz += MAX_MSG_EXTRA; } @@ -34510,6 +34553,29 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #ifndef WOLFSSL_NO_TLS12 + static int getSessionID(WOLFSSL* ssl) + { + int sessIdSz = 0; + (void)ssl; +#ifndef NO_SESSION_CACHE + /* if no session cache don't send a session ID */ + if (!ssl->options.sessionCacheOff) + sessIdSz = ID_LEN; +#endif +#ifdef HAVE_SESSION_TICKET + /* we may be echoing an ID as part of session tickets */ + if (ssl->options.useTicket) { + /* echo session id sz can be 0,32 or bogus len in between */ + sessIdSz = ssl->arrays->sessionIDSz; + if (sessIdSz > ID_LEN) { + WOLFSSL_MSG("Bad bogus session id len"); + return BUFFER_ERROR; + } + } +#endif /* HAVE_SESSION_TICKET */ + return sessIdSz; + } + /* handle generation of server_hello (2) */ int SendServerHello(WOLFSSL* ssl) { @@ -34518,17 +34584,18 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word16 length; word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; int sendSz; - byte sessIdSz = ID_LEN; - #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SESSION_TICKET) - byte echoId = 0; /* ticket echo id flag */ - #endif - byte cacheOff = 0; /* session cache off flag */ + byte sessIdSz; WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND); WOLFSSL_ENTER("SendServerHello"); + ret = getSessionID(ssl); + if (ret < 0) + return ret; + sessIdSz = (byte)ret; + length = VERSION_SZ + RAN_LEN - + ID_LEN + ENUM_LEN + + ENUM_LEN + sessIdSz + SUITE_LEN + ENUM_LEN; @@ -34536,45 +34603,12 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ret = TLSX_GetResponseSize(ssl, server_hello, &length); if (ret != 0) return ret; - #ifdef HAVE_SESSION_TICKET - if (ssl->options.useTicket) { - /* echo session id sz can be 0,32 or bogus len in between */ - sessIdSz = ssl->arrays->sessionIDSz; - if (sessIdSz > ID_LEN) { - WOLFSSL_MSG("Bad bogus session id len"); - return BUFFER_ERROR; - } - if (!IsAtLeastTLSv1_3(ssl->version)) - length -= (ID_LEN - sessIdSz); /* adjust ID_LEN assumption */ - echoId = 1; - } - #endif /* HAVE_SESSION_TICKET */ #else if (ssl->options.haveEMS) { length += HELLO_EXT_SZ_SZ + HELLO_EXT_SZ; } #endif - /* is the session cache off at build or runtime */ -#ifdef NO_SESSION_CACHE - cacheOff = 1; -#else - if (ssl->options.sessionCacheOff == 1) { - cacheOff = 1; - } -#endif - - /* if no session cache don't send a session ID unless we're echoing - * an ID as part of session tickets */ - if (cacheOff == 1 - #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SESSION_TICKET) - && echoId == 0 - #endif - ) { - length -= ID_LEN; /* adjust ID_LEN assumption */ - sessIdSz = 0; - } - sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; #ifdef WOLFSSL_DTLS if (ssl->options.dtls) { @@ -34605,11 +34639,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* then random and session id */ if (!ssl->options.resuming) { - /* generate random part and session id */ - ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, - RAN_LEN + sizeof(sessIdSz) + sessIdSz); - if (ret != 0) - return ret; + word32 genRanLen = RAN_LEN; #ifdef WOLFSSL_TLS13 if (TLSv1_3_Capable(ssl)) { @@ -34617,6 +34647,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1), tls13Downgrade, TLS13_DOWNGRADE_SZ); output[idx + RAN_LEN - 1] = (byte)IsAtLeastTLSv1_2(ssl); + genRanLen -= TLS13_DOWNGRADE_SZ + 1; } else #endif @@ -34628,12 +34659,21 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1), tls13Downgrade, TLS13_DOWNGRADE_SZ); output[idx + RAN_LEN - 1] = 0; + genRanLen -= TLS13_DOWNGRADE_SZ + 1; } - /* store info in SSL for later */ + /* generate random part */ + ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, genRanLen); + if (ret != 0) + return ret; XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN); idx += RAN_LEN; + + /* generate session id */ output[idx++] = sessIdSz; + ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, sessIdSz); + if (ret != 0) + return ret; XMEMCPY(ssl->arrays->sessionID, output + idx, sessIdSz); ssl->arrays->sessionIDSz = sessIdSz; } @@ -34929,7 +34969,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, goto exit_sske; if (ssl->buffers.serverDH_Pub.buffer == NULL) { - /* Free'd in SSL_ResourceFree and + /* Free'd in wolfSSL_ResourceFree and * FreeHandshakeResources */ ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC( pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); @@ -34943,7 +34983,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, pSz = wc_DhGetNamedKeyMinSize(ssl->namedGroup); if (ssl->buffers.serverDH_Priv.buffer == NULL) { - /* Free'd in SSL_ResourceFree and + /* Free'd in wolfSSL_ResourceFree and * FreeHandshakeResources */ ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC( pSz, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); @@ -35012,7 +35052,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } if (ssl->buffers.serverDH_Pub.buffer == NULL) { - /* Free'd in SSL_ResourceFree and FreeHandshakeResources */ + /* Free'd in wolfSSL_ResourceFree + * and FreeHandshakeResources + */ ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC( ssl->buffers.serverDH_P.length, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); @@ -35024,7 +35066,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } if (ssl->buffers.serverDH_Priv.buffer == NULL) { - /* Free'd in SSL_ResourceFree and FreeHandshakeResources */ + /* Free'd in wolfSSL_ResourceFree + * and FreeHandshakeResources + */ ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC( ssl->buffers.serverDH_P.length, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); @@ -36268,7 +36312,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, goto exit_sske; } } - #if defined(HAVE_E25519) || defined(HAVE_ED448) + #if defined(HAVE_ED25519) || defined(HAVE_ED448) FALL_THROUGH; #endif #endif /* WOLFSSL_CHECK_SIG_FAULTS */ @@ -36861,7 +36905,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->options.usingCompression = 0; /* turn off */ ssl->options.clientState = CLIENT_HELLO_COMPLETE; - ssl->cbmode = SSL_CB_MODE_WRITE; + ssl->cbmode = WOLFSSL_CB_MODE_WRITE; *inOutIdx = idx; ssl->options.haveSessionId = 1; @@ -38459,7 +38503,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (ssl->ctx->ticketEncCb == NULL #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL) || - /* SSL_OP_NO_TICKET turns off tickets in <= 1.2. Forces + /* WOLFSSL_OP_NO_TICKET turns off tickets in <= 1.2. Forces * "stateful" tickets for 1.3 so just use the regular * stateless ones. */ (!IsAtLeastTLSv1_3(ssl->version) && @@ -38583,7 +38627,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (ssl->ctx->ticketEncCb == NULL #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL) || - /* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces + /* WOLFSSL_OP_NO_TICKET turns off tickets in < 1.2. Forces * "stateful" tickets for 1.3 so just use the regular * stateless ones. */ (!IsAtLeastTLSv1_3(ssl->version) && @@ -39510,7 +39554,7 @@ static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz, } if (ret == 0) { ret = wc_AesGcmEncrypt(aes, in, out, inLen, iv, GCM_NONCE_MID_SZ, - tag, AES_BLOCK_SIZE, aad, aadSz); + tag, WC_AES_BLOCK_SIZE, aad, aadSz); } wc_AesFree(aes); } @@ -39521,7 +39565,7 @@ static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz, } if (ret == 0) { ret = wc_AesGcmDecrypt(aes, in, out, inLen, iv, GCM_NONCE_MID_SZ, - tag, AES_BLOCK_SIZE, aad, aadSz); + tag, WC_AES_BLOCK_SIZE, aad, aadSz); } wc_AesFree(aes); } @@ -41294,7 +41338,7 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], WOLFSSL_EXTRA_ALERTS is defined, indicating user is OK with potential information disclosure from alerts. */ #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_EXTRA_ALERTS) - ad = SSL_AD_UNRECOGNIZED_NAME; + ad = WOLFSSL_AD_UNRECOGNIZED_NAME; #endif /* Stunnel supports a custom sni callback to switch an SSL's ctx * when SNI is received. Call it now if exists */ diff --git a/src/keys.c b/src/keys.c index b5b982c1b3..693e6b1333 100644 --- a/src/keys.c +++ b/src/keys.c @@ -341,7 +341,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; specs->iv_size = AES_IV_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; break; #endif @@ -358,7 +358,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; specs->iv_size = AES_IV_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; break; #endif @@ -374,7 +374,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -431,7 +431,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -448,7 +448,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -466,7 +466,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -503,7 +503,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; if (opts != NULL) @@ -530,7 +530,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; specs->iv_size = AES_IV_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; break; #endif @@ -547,7 +547,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; specs->iv_size = AES_IV_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; break; #endif @@ -601,7 +601,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -618,7 +618,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -635,7 +635,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -653,7 +653,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -671,7 +671,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_16_AUTH_SZ; @@ -689,7 +689,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_8_AUTH_SZ; @@ -707,7 +707,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_8_AUTH_SZ; @@ -747,7 +747,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->static_ecdh = 1; specs->key_size = AES_128_KEY_SIZE; specs->iv_size = AES_IV_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; break; #endif @@ -764,7 +764,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->static_ecdh = 1; specs->key_size = AES_128_KEY_SIZE; specs->iv_size = AES_IV_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; break; #endif @@ -781,7 +781,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->static_ecdh = 1; specs->key_size = AES_256_KEY_SIZE; specs->iv_size = AES_IV_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; break; #endif @@ -798,7 +798,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->static_ecdh = 1; specs->key_size = AES_256_KEY_SIZE; specs->iv_size = AES_IV_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; break; #endif @@ -814,7 +814,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 1; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -907,7 +907,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 1; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -924,7 +924,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 1; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -941,7 +941,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 1; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -958,7 +958,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 1; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -976,7 +976,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 1; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -994,7 +994,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 1; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -1012,7 +1012,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 1; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -1068,7 +1068,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_8_AUTH_SZ; @@ -1086,7 +1086,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_8_AUTH_SZ; @@ -1104,7 +1104,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_8_AUTH_SZ; @@ -1124,7 +1124,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_8_AUTH_SZ; @@ -1144,7 +1144,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_16_AUTH_SZ; @@ -1164,7 +1164,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_16_AUTH_SZ; @@ -1184,7 +1184,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_16_AUTH_SZ; @@ -1204,7 +1204,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_IMP_IV_SZ; specs->aead_mac_size = AES_CCM_16_AUTH_SZ; @@ -1273,7 +1273,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_NONCE_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -1291,7 +1291,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_NONCE_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -1329,7 +1329,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_NONCE_SZ; specs->aead_mac_size = AES_CCM_16_AUTH_SZ; @@ -1347,7 +1347,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESCCM_NONCE_SZ; specs->aead_mac_size = AES_CCM_8_AUTH_SZ; @@ -1375,7 +1375,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -1564,7 +1564,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -1581,7 +1581,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -1649,7 +1649,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -1666,7 +1666,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -1683,7 +1683,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -1703,7 +1703,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -1723,7 +1723,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -1743,7 +1743,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -1763,7 +1763,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -1783,7 +1783,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; if (opts != NULL) @@ -1802,7 +1802,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; if (opts != NULL) @@ -1821,7 +1821,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; if (opts != NULL) @@ -1840,7 +1840,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; if (opts != NULL) @@ -1859,7 +1859,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; if (opts != NULL) @@ -1878,7 +1878,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; if (opts != NULL) @@ -1992,7 +1992,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -2026,7 +2026,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -2043,7 +2043,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -2060,7 +2060,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; break; @@ -2077,7 +2077,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -2095,7 +2095,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -2113,7 +2113,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -2131,7 +2131,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_256_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AESGCM_IMP_IV_SZ; specs->aead_mac_size = AES_GCM_AUTH_SZ; @@ -2149,7 +2149,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = CAMELLIA_128_KEY_SIZE; - specs->block_size = CAMELLIA_BLOCK_SIZE; + specs->block_size = WC_CAMELLIA_BLOCK_SIZE; specs->iv_size = CAMELLIA_IV_SIZE; break; @@ -2166,7 +2166,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = CAMELLIA_256_KEY_SIZE; - specs->block_size = CAMELLIA_BLOCK_SIZE; + specs->block_size = WC_CAMELLIA_BLOCK_SIZE; specs->iv_size = CAMELLIA_IV_SIZE; break; @@ -2183,7 +2183,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = CAMELLIA_128_KEY_SIZE; - specs->block_size = CAMELLIA_BLOCK_SIZE; + specs->block_size = WC_CAMELLIA_BLOCK_SIZE; specs->iv_size = CAMELLIA_IV_SIZE; break; @@ -2200,7 +2200,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = CAMELLIA_256_KEY_SIZE; - specs->block_size = CAMELLIA_BLOCK_SIZE; + specs->block_size = WC_CAMELLIA_BLOCK_SIZE; specs->iv_size = CAMELLIA_IV_SIZE; break; @@ -2217,7 +2217,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = CAMELLIA_128_KEY_SIZE; - specs->block_size = CAMELLIA_BLOCK_SIZE; + specs->block_size = WC_CAMELLIA_BLOCK_SIZE; specs->iv_size = CAMELLIA_IV_SIZE; break; @@ -2234,7 +2234,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = CAMELLIA_256_KEY_SIZE; - specs->block_size = CAMELLIA_BLOCK_SIZE; + specs->block_size = WC_CAMELLIA_BLOCK_SIZE; specs->iv_size = CAMELLIA_IV_SIZE; break; @@ -2251,7 +2251,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = CAMELLIA_128_KEY_SIZE; - specs->block_size = CAMELLIA_BLOCK_SIZE; + specs->block_size = WC_CAMELLIA_BLOCK_SIZE; specs->iv_size = CAMELLIA_IV_SIZE; break; @@ -2268,7 +2268,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = CAMELLIA_256_KEY_SIZE; - specs->block_size = CAMELLIA_BLOCK_SIZE; + specs->block_size = WC_CAMELLIA_BLOCK_SIZE; specs->iv_size = CAMELLIA_IV_SIZE; break; @@ -2285,7 +2285,7 @@ int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite, specs->pad_size = PAD_SHA; specs->static_ecdh = 0; specs->key_size = AES_128_KEY_SIZE; - specs->block_size = AES_BLOCK_SIZE; + specs->block_size = WC_AES_BLOCK_SIZE; specs->iv_size = AES_IV_SIZE; if (opts != NULL) @@ -2976,13 +2976,13 @@ int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, if (enc && enc->cam == NULL) enc->cam = - (Camellia*)XMALLOC(sizeof(Camellia), heap, DYNAMIC_TYPE_CIPHER); + (wc_Camellia*)XMALLOC(sizeof(wc_Camellia), heap, DYNAMIC_TYPE_CIPHER); if (enc && enc->cam == NULL) return MEMORY_E; if (dec && dec->cam == NULL) dec->cam = - (Camellia*)XMALLOC(sizeof(Camellia), heap, DYNAMIC_TYPE_CIPHER); + (wc_Camellia*)XMALLOC(sizeof(wc_Camellia), heap, DYNAMIC_TYPE_CIPHER); if (dec && dec->cam == NULL) return MEMORY_E; diff --git a/src/ocsp.c b/src/ocsp.c index 493d8268f7..cf824f698c 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -866,7 +866,7 @@ int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, (void)certs; - if (flags & OCSP_NOVERIFY) + if (flags & WOLFSSL_OCSP_NOVERIFY) return WOLFSSL_SUCCESS; #ifdef WOLFSSL_SMALL_STACK @@ -880,7 +880,7 @@ int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, if (bs->verifyError != OCSP_VERIFY_ERROR_NONE) goto out; - if (flags & OCSP_TRUSTOTHER) { + if (flags & WOLFSSL_OCSP_TRUSTOTHER) { for (idx = 0; idx < wolfSSL_sk_X509_num(certs); idx++) { WOLFSSL_X509* x = wolfSSL_sk_X509_value(certs, idx); int derSz = 0; @@ -898,7 +898,7 @@ int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, if (ParseCertRelative(cert, CERT_TYPE, VERIFY, st->cm, NULL) < 0) goto out; - if (!(flags & OCSP_NOCHECKS)) { + if (!(flags & WOLFSSL_OCSP_NOCHECKS)) { if (CheckOcspResponder(bs, cert, st->cm) != 0) goto out; } @@ -1634,7 +1634,7 @@ int wolfSSL_OCSP_REQ_CTX_nbio(WOLFSSL_OCSP_REQ_CTX *ctx) case ORIOS_WRITE: { const unsigned char *req; - int reqLen = wolfSSL_BIO_get_mem_data(ctx->reqResp, &req); + int reqLen = wolfSSL_BIO_get_mem_data(ctx->reqResp, (void*)&req); if (reqLen <= 0) { WOLFSSL_MSG("wolfSSL_BIO_get_mem_data error"); return WOLFSSL_FAILURE; @@ -1710,7 +1710,7 @@ int wolfSSL_OCSP_sendreq_nbio(OcspResponse **presp, WOLFSSL_OCSP_REQ_CTX *ctx) if (ret != WOLFSSL_SUCCESS) return ret; - len = wolfSSL_BIO_get_mem_data(ctx->reqResp, &resp); + len = wolfSSL_BIO_get_mem_data(ctx->reqResp, (void*)&resp); if (len <= 0) return WOLFSSL_FAILURE; return wolfSSL_d2i_OCSP_RESPONSE(presp, &resp, len) != NULL diff --git a/src/pk.c b/src/pk.c index 42468bfed4..7790d98b79 100644 --- a/src/pk.c +++ b/src/pk.c @@ -165,7 +165,26 @@ static int pem_read_bio_key(WOLFSSL_BIO* bio, wc_pem_password_cb* cb, /* Write left over data back to BIO if not a file BIO */ if ((ret > 0) && ((memSz - ret) > 0) && (bio->type != WOLFSSL_BIO_FILE)) { - int res = wolfSSL_BIO_write(bio, mem + ret, memSz - ret); + int res; + if (!alloced) { + /* If wolfssl_read_bio() points mem at the buffer internal to + * bio, we need to dup it before calling wolfSSL_BIO_write(), + * because the latter may reallocate the bio, invalidating the + * mem pointer before reading from it. + */ + char *mem_dup = (char *)XMALLOC((size_t)(memSz - ret), + NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (mem_dup != NULL) { + XMEMCPY(mem_dup, mem + ret, (size_t)(memSz - ret)); + res = wolfSSL_BIO_write(bio, mem_dup, memSz - ret); + mem = mem_dup; + alloced = 1; + } + else + res = MEMORY_E; + } + else + res = wolfSSL_BIO_write(bio, mem + ret, memSz - ret); if (res != memSz - ret) { WOLFSSL_ERROR_MSG("Unable to write back excess data"); if (res < 0) { @@ -348,7 +367,7 @@ static int der_write_to_file_as_pem(const unsigned char* der, int derSz, * @return 1 on success. * @return 0 on error. */ -int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher, +int EncryptDerKey(byte *der, int *derSz, const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, byte **cipherInfo, int maxDerSz) { int ret = 0; @@ -482,8 +501,8 @@ int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher, * @return 0 on failure. */ static int der_to_enc_pem_alloc(unsigned char* der, int derSz, - const EVP_CIPHER *cipher, unsigned char *passwd, int passwdSz, int type, - void* heap, byte** out, int* outSz) + const WOLFSSL_EVP_CIPHER *cipher, unsigned char *passwd, int passwdSz, + int type, void* heap, byte** out, int* outSz) { int ret = 1; byte* tmp = NULL; @@ -2155,8 +2174,9 @@ WOLFSSL_RSA* wolfSSL_PEM_read_RSAPublicKey(XFILE fp, WOLFSSL_RSA** rsa, * @return 1 on success. * @return 0 on failure. */ -int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, - unsigned char* passwd, int passwdSz, unsigned char **pem, int *pLen) +int wolfSSL_PEM_write_mem_RSAPrivateKey(WOLFSSL_RSA* rsa, + const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, + unsigned char **pem, int *pLen) { int ret = 1; byte* derBuf = NULL; @@ -2261,7 +2281,7 @@ int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, * @return 0 on failure. */ int wolfSSL_PEM_write_RSAPrivateKey(XFILE fp, WOLFSSL_RSA *rsa, - const EVP_CIPHER *cipher, unsigned char *passwd, int passwdSz, + const WOLFSSL_EVP_CIPHER *cipher, unsigned char *passwd, int passwdSz, wc_pem_password_cb *cb, void *arg) { int ret = 1; @@ -3857,15 +3877,15 @@ static int wolfssl_rsa_sig_encode(int hashAlg, const unsigned char* hash, ret = 0; } - if ((ret == 1) && (hashAlg != NID_undef) && - (padding == RSA_PKCS1_PADDING)) { + if ((ret == 1) && (hashAlg != WC_NID_undef) && + (padding == WC_RSA_PKCS1_PADDING)) { /* Convert hash algorithm to hash type for PKCS#1.5 padding. */ hType = (int)nid2oid(hashAlg, oidHashType); if (hType == -1) { ret = 0; } } - if ((ret == 1) && (padding == RSA_PKCS1_PADDING)) { + if ((ret == 1) && (padding == WC_RSA_PKCS1_PADDING)) { /* PKCS#1.5 encoding. */ word32 encSz = wc_EncodeSignature(enc, hash, hLen, hType); if (encSz == 0) { @@ -3877,7 +3897,7 @@ static int wolfssl_rsa_sig_encode(int hashAlg, const unsigned char* hash, } } /* Other padding schemes require the hash as is. */ - if ((ret == 1) && (padding != RSA_PKCS1_PADDING)) { + if ((ret == 1) && (padding != WC_RSA_PKCS1_PADDING)) { XMEMCPY(enc, hash, hLen); *encLen = hLen; } @@ -3905,7 +3925,7 @@ int wolfSSL_RSA_sign(int hashAlg, const unsigned char* hash, unsigned int hLen, } /* flag is 1: output complete signature. */ return wolfSSL_RSA_sign_generic_padding(hashAlg, hash, hLen, sigRet, - sigLen, rsa, 1, RSA_PKCS1_PADDING); + sigLen, rsa, 1, WC_RSA_PKCS1_PADDING); } /* Sign the message hash using hash algorithm and RSA key. @@ -3935,7 +3955,7 @@ int wolfSSL_RSA_sign_ex(int hashAlg, const unsigned char* hash, *sigLen = RSA_MAX_SIZE / CHAR_BIT; } ret = wolfSSL_RSA_sign_generic_padding(hashAlg, hash, hLen, sigRet, - sigLen, rsa, flag, RSA_PKCS1_PADDING); + sigLen, rsa, flag, WC_RSA_PKCS1_PADDING); } return ret; @@ -3957,7 +3977,7 @@ int wolfSSL_RSA_sign_ex(int hashAlg, const unsigned char* hash, * 0: Output the value that the unpadded signature * should be compared to. * @param [in] padding Padding to use. Only RSA_PKCS1_PSS_PADDING and - * RSA_PKCS1_PADDING are currently supported for + * WC_RSA_PKCS1_PADDING are currently supported for * signing. * @return 1 on success. * @return 0 on failure. @@ -4046,7 +4066,7 @@ int wolfSSL_RSA_sign_generic_padding(int hashAlg, const unsigned char* hash, if (ret == 1) { switch (padding) { #if defined(WC_RSA_NO_PADDING) || defined(WC_RSA_DIRECT) - case RSA_NO_PADDING: + case WC_RSA_NO_PAD: if ((signSz = wc_RsaDirect(encodedSig, encSz, sigRet, &outLen, (RsaKey*)rsa->internal, RSA_PRIVATE_ENCRYPT, rng)) <= 0) { WOLFSSL_ERROR_MSG("Bad Rsa Sign no pad"); @@ -4056,7 +4076,7 @@ int wolfSSL_RSA_sign_generic_padding(int hashAlg, const unsigned char* hash, #endif #if defined(WC_RSA_PSS) && !defined(HAVE_SELFTEST) && \ (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,1)) - case RSA_PKCS1_PSS_PADDING: + case WC_RSA_PKCS1_PSS_PADDING: { enum wc_HashType hType = wc_OidGetHash((int)nid2oid(hashAlg, oidHashType)); @@ -4075,14 +4095,14 @@ int wolfSSL_RSA_sign_generic_padding(int hashAlg, const unsigned char* hash, } #endif #ifndef WC_NO_RSA_OAEP - case RSA_PKCS1_OAEP_PADDING: + case WC_RSA_PKCS1_OAEP_PADDING: /* Not a signature padding scheme. */ WOLFSSL_ERROR_MSG("RSA_PKCS1_OAEP_PADDING not supported for " "signing"); ret = 0; break; #endif - case RSA_PKCS1_PADDING: + case WC_RSA_PKCS1_PADDING: { /* Sign (private encrypt) PKCS#1 encoded signature. */ if ((signSz = wc_RsaSSL_Sign(encodedSig, encSz, sigRet, outLen, @@ -4135,7 +4155,7 @@ int wolfSSL_RSA_verify(int hashAlg, const unsigned char* hash, WOLFSSL_RSA* rsa) { return wolfSSL_RSA_verify_ex(hashAlg, hash, hLen, sig, sigLen, rsa, - RSA_PKCS1_PADDING); + WC_RSA_PKCS1_PADDING); } /** @@ -4150,7 +4170,7 @@ int wolfSSL_RSA_verify(int hashAlg, const unsigned char* hash, * @param [in] sigLen Length of signature data. * @param [in] rsa RSA key used to sign the input * @param [in] padding Padding to use. Only RSA_PKCS1_PSS_PADDING and - * RSA_PKCS1_PADDING are currently supported for + * WC_RSA_PKCS1_PADDING are currently supported for * signing. * @return 1 on success. * @return 0 on failure. @@ -4190,7 +4210,7 @@ int wolfSSL_RSA_verify_ex(int hashAlg, const unsigned char* hash, } } #ifdef WOLFSSL_SMALL_STACK - if ((ret == 1) && (padding != RSA_PKCS1_PSS_PADDING)) { + if ((ret == 1) && (padding != WC_RSA_PKCS1_PSS_PADDING)) { /* Allocate memory for encoded signature. */ encodedSig = (unsigned char *)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -4200,7 +4220,7 @@ int wolfSSL_RSA_verify_ex(int hashAlg, const unsigned char* hash, } } #endif - if ((ret == 1) && (padding != RSA_PKCS1_PSS_PADDING)) { + if ((ret == 1) && (padding != WC_RSA_PKCS1_PSS_PADDING)) { /* Make encoded signature to compare with decrypted signature. */ if (wolfssl_rsa_sig_encode(hashAlg, hash, hLen, encodedSig, &len, padding) <= 0) { @@ -4229,7 +4249,7 @@ int wolfSSL_RSA_verify_ex(int hashAlg, const unsigned char* hash, if (ret == 1) { #if defined(WC_RSA_PSS) && !defined(HAVE_SELFTEST) && \ (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5, 1)) - if (padding == RSA_PKCS1_PSS_PADDING) { + if (padding == WC_RSA_PKCS1_PSS_PADDING) { /* Check PSS padding is valid. */ if (wc_RsaPSS_CheckPadding_ex(hash, hLen, sigDec, (word32)verLen, hType, DEF_PSS_SALT_LEN, @@ -4305,15 +4325,15 @@ int wolfSSL_RSA_public_encrypt(int len, const unsigned char* from, #if !defined(HAVE_FIPS) /* Convert to wolfCrypt padding, hash and MGF. */ switch (padding) { - case RSA_PKCS1_PADDING: + case WC_RSA_PKCS1_PADDING: pad_type = WC_RSA_PKCSV15_PAD; break; - case RSA_PKCS1_OAEP_PADDING: + case WC_RSA_PKCS1_OAEP_PADDING: pad_type = WC_RSA_OAEP_PAD; hash = WC_HASH_TYPE_SHA; mgf = WC_MGF1SHA1; break; - case RSA_NO_PADDING: + case WC_RSA_NO_PAD: pad_type = WC_RSA_NO_PAD; break; default: @@ -4324,7 +4344,7 @@ int wolfSSL_RSA_public_encrypt(int len, const unsigned char* from, #else /* Check for supported padding schemes in FIPS. */ /* TODO: Do we support more schemes in later versions of FIPS? */ - if (padding != RSA_PKCS1_PADDING) { + if (padding != WC_RSA_PKCS1_PADDING) { WOLFSSL_ERROR_MSG("RSA_public_encrypt pad type not supported in " "FIPS"); ret = WOLFSSL_FATAL_ERROR; @@ -4417,15 +4437,15 @@ int wolfSSL_RSA_private_decrypt(int len, const unsigned char* from, if (ret == 0) { #if !defined(HAVE_FIPS) switch (padding) { - case RSA_PKCS1_PADDING: + case WC_RSA_PKCS1_PADDING: pad_type = WC_RSA_PKCSV15_PAD; break; - case RSA_PKCS1_OAEP_PADDING: + case WC_RSA_PKCS1_OAEP_PADDING: pad_type = WC_RSA_OAEP_PAD; hash = WC_HASH_TYPE_SHA; mgf = WC_MGF1SHA1; break; - case RSA_NO_PADDING: + case WC_RSA_NO_PAD: pad_type = WC_RSA_NO_PAD; break; default: @@ -4435,7 +4455,7 @@ int wolfSSL_RSA_private_decrypt(int len, const unsigned char* from, #else /* Check for supported padding schemes in FIPS. */ /* TODO: Do we support more schemes in later versions of FIPS? */ - if (padding != RSA_PKCS1_PADDING) { + if (padding != WC_RSA_PKCS1_PADDING) { WOLFSSL_ERROR_MSG("RSA_public_encrypt pad type not supported in " "FIPS"); ret = WOLFSSL_FATAL_ERROR; @@ -4508,10 +4528,10 @@ int wolfSSL_RSA_public_decrypt(int len, const unsigned char* from, if (ret == 0) { #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) switch (padding) { - case RSA_PKCS1_PADDING: + case WC_RSA_PKCS1_PADDING: pad_type = WC_RSA_PKCSV15_PAD; break; - case RSA_NO_PADDING: + case WC_RSA_NO_PAD: pad_type = WC_RSA_NO_PAD; break; /* TODO: RSA_X931_PADDING not supported */ @@ -4520,7 +4540,7 @@ int wolfSSL_RSA_public_decrypt(int len, const unsigned char* from, ret = WOLFSSL_FATAL_ERROR; } #else - if (padding != RSA_PKCS1_PADDING) { + if (padding != WC_RSA_PKCS1_PADDING) { WOLFSSL_ERROR_MSG("RSA_public_decrypt pad type not supported in " "FIPS"); ret = WOLFSSL_FATAL_ERROR; @@ -4599,9 +4619,9 @@ int wolfSSL_RSA_private_encrypt(int len, const unsigned char* from, if (ret == 0) { switch (padding) { - case RSA_PKCS1_PADDING: + case WC_RSA_PKCS1_PADDING: #ifdef WC_RSA_NO_PADDING - case RSA_NO_PADDING: + case WC_RSA_NO_PAD: #endif break; /* TODO: RSA_X931_PADDING not supported */ @@ -4627,12 +4647,12 @@ int wolfSSL_RSA_private_encrypt(int len, const unsigned char* from, if (ret == 0) { /* Use wolfCrypt to private-encrypt with RSA key. * Size of output buffer must be size of RSA key. */ - if (padding == RSA_PKCS1_PADDING) { + if (padding == WC_RSA_PKCS1_PADDING) { ret = wc_RsaSSL_Sign(from, (word32)len, to, (word32)wolfSSL_RSA_size(rsa), (RsaKey*)rsa->internal, rng); } #ifdef WC_RSA_NO_PADDING - else if (padding == RSA_NO_PADDING) { + else if (padding == WC_RSA_NO_PAD) { word32 outLen = (word32)wolfSSL_RSA_size(rsa); ret = wc_RsaFunction(from, (word32)len, to, &outLen, RSA_PRIVATE_ENCRYPT, (RsaKey*)rsa->internal, rng); @@ -5824,7 +5844,7 @@ WOLFSSL_DSA* wolfSSL_d2i_DSAparams(WOLFSSL_DSA** dsa, const unsigned char** der, * Returns 1 or 0 */ int wolfSSL_PEM_write_bio_DSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_DSA* dsa, - const EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, + const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, wc_pem_password_cb* cb, void* arg) { int ret = 1; @@ -5942,7 +5962,7 @@ int wolfSSL_PEM_write_bio_DSA_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_DSA* dsa) * 1 if success, 0 if error */ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, - const EVP_CIPHER* cipher, + const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, unsigned char **pem, int *pLen) { @@ -6062,7 +6082,7 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, * 1 if success, 0 if error */ int wolfSSL_PEM_write_DSAPrivateKey(XFILE fp, WOLFSSL_DSA *dsa, - const EVP_CIPHER *enc, + const WOLFSSL_EVP_CIPHER *enc, unsigned char *kstr, int klen, wc_pem_password_cb *cb, void *u) { @@ -6508,17 +6528,17 @@ static int wolfssl_dh_set_nid(WOLFSSL_DH* dh, int nid) * FIPS v2 module */ switch (nid) { #ifdef HAVE_FFDHE_2048 - case NID_ffdhe2048: + case WC_NID_ffdhe2048: params = wc_Dh_ffdhe2048_Get(); break; #endif /* HAVE_FFDHE_2048 */ #ifdef HAVE_FFDHE_3072 - case NID_ffdhe3072: + case WC_NID_ffdhe3072: params = wc_Dh_ffdhe3072_Get(); break; #endif /* HAVE_FFDHE_3072 */ #ifdef HAVE_FFDHE_4096 - case NID_ffdhe4096: + case WC_NID_ffdhe4096: params = wc_Dh_ffdhe4096_Get(); break; #endif /* HAVE_FFDHE_4096 */ @@ -6604,17 +6624,17 @@ static int wolfssl_dh_set_nid(WOLFSSL_DH* dh, int nid) switch (nid) { #ifdef HAVE_FFDHE_2048 - case NID_ffdhe2048: + case WC_NID_ffdhe2048: name = WC_FFDHE_2048; break; #endif /* HAVE_FFDHE_2048 */ #ifdef HAVE_FFDHE_3072 - case NID_ffdhe3072: + case WC_NID_ffdhe3072: name = WC_FFDHE_3072; break; #endif /* HAVE_FFDHE_3072 */ #ifdef HAVE_FFDHE_4096 - case NID_ffdhe4096: + case WC_NID_ffdhe4096: name = WC_FFDHE_4096; break; #endif /* HAVE_FFDHE_4096 */ @@ -8763,7 +8783,7 @@ static int _DH_compute_key(unsigned char* key, const WOLFSSL_BIGNUM* otherPub, ret = WOLFSSL_FATAL_ERROR; } /* Get the maximum size of computed DH key. */ - if ((ret == 0) && ((keySz = (word32)DH_size(dh)) == 0)) { + if ((ret == 0) && ((keySz = (word32)wolfSSL_DH_size(dh)) == 0)) { WOLFSSL_ERROR_MSG("Bad DH_size"); ret = WOLFSSL_FATAL_ERROR; } @@ -9028,7 +9048,7 @@ int wolfSSL_EC_METHOD_get_field_type(const WOLFSSL_EC_METHOD *meth) if (meth != NULL) { /* Only field type supported by code base. */ - nid = NID_X9_62_prime_field; + nid = WC_NID_X9_62_prime_field; } return nid; @@ -9052,62 +9072,62 @@ int EccEnumToNID(int n) switch(n) { case ECC_SECP192R1: - return NID_X9_62_prime192v1; + return WC_NID_X9_62_prime192v1; case ECC_PRIME192V2: - return NID_X9_62_prime192v2; + return WC_NID_X9_62_prime192v2; case ECC_PRIME192V3: - return NID_X9_62_prime192v3; + return WC_NID_X9_62_prime192v3; case ECC_PRIME239V1: - return NID_X9_62_prime239v1; + return WC_NID_X9_62_prime239v1; case ECC_PRIME239V2: - return NID_X9_62_prime239v2; + return WC_NID_X9_62_prime239v2; case ECC_PRIME239V3: - return NID_X9_62_prime239v3; + return WC_NID_X9_62_prime239v3; case ECC_SECP256R1: - return NID_X9_62_prime256v1; + return WC_NID_X9_62_prime256v1; case ECC_SECP112R1: - return NID_secp112r1; + return WC_NID_secp112r1; case ECC_SECP112R2: - return NID_secp112r2; + return WC_NID_secp112r2; case ECC_SECP128R1: - return NID_secp128r1; + return WC_NID_secp128r1; case ECC_SECP128R2: - return NID_secp128r2; + return WC_NID_secp128r2; case ECC_SECP160R1: - return NID_secp160r1; + return WC_NID_secp160r1; case ECC_SECP160R2: - return NID_secp160r2; + return WC_NID_secp160r2; case ECC_SECP224R1: - return NID_secp224r1; + return WC_NID_secp224r1; case ECC_SECP384R1: - return NID_secp384r1; + return WC_NID_secp384r1; case ECC_SECP521R1: - return NID_secp521r1; + return WC_NID_secp521r1; case ECC_SECP160K1: - return NID_secp160k1; + return WC_NID_secp160k1; case ECC_SECP192K1: - return NID_secp192k1; + return WC_NID_secp192k1; case ECC_SECP224K1: - return NID_secp224k1; + return WC_NID_secp224k1; case ECC_SECP256K1: - return NID_secp256k1; + return WC_NID_secp256k1; case ECC_BRAINPOOLP160R1: - return NID_brainpoolP160r1; + return WC_NID_brainpoolP160r1; case ECC_BRAINPOOLP192R1: - return NID_brainpoolP192r1; + return WC_NID_brainpoolP192r1; case ECC_BRAINPOOLP224R1: - return NID_brainpoolP224r1; + return WC_NID_brainpoolP224r1; case ECC_BRAINPOOLP256R1: - return NID_brainpoolP256r1; + return WC_NID_brainpoolP256r1; case ECC_BRAINPOOLP320R1: - return NID_brainpoolP320r1; + return WC_NID_brainpoolP320r1; case ECC_BRAINPOOLP384R1: - return NID_brainpoolP384r1; + return WC_NID_brainpoolP384r1; case ECC_BRAINPOOLP512R1: - return NID_brainpoolP512r1; + return WC_NID_brainpoolP512r1; #ifdef WOLFSSL_SM2 case ECC_SM2P256V1: - return NID_sm2; + return WC_NID_sm2; #endif default: WOLFSSL_MSG("NID not found"); @@ -9132,85 +9152,85 @@ int NIDToEccEnum(int nid) WOLFSSL_ENTER("NIDToEccEnum"); switch (nid) { - case NID_X9_62_prime192v1: + case WC_NID_X9_62_prime192v1: id = ECC_SECP192R1; break; - case NID_X9_62_prime192v2: + case WC_NID_X9_62_prime192v2: id = ECC_PRIME192V2; break; - case NID_X9_62_prime192v3: + case WC_NID_X9_62_prime192v3: id = ECC_PRIME192V3; break; - case NID_X9_62_prime239v1: + case WC_NID_X9_62_prime239v1: id = ECC_PRIME239V1; break; - case NID_X9_62_prime239v2: + case WC_NID_X9_62_prime239v2: id = ECC_PRIME239V2; break; - case NID_X9_62_prime239v3: + case WC_NID_X9_62_prime239v3: id = ECC_PRIME239V3; break; - case NID_X9_62_prime256v1: + case WC_NID_X9_62_prime256v1: id = ECC_SECP256R1; break; - case NID_secp112r1: + case WC_NID_secp112r1: id = ECC_SECP112R1; break; - case NID_secp112r2: + case WC_NID_secp112r2: id = ECC_SECP112R2; break; - case NID_secp128r1: + case WC_NID_secp128r1: id = ECC_SECP128R1; break; - case NID_secp128r2: + case WC_NID_secp128r2: id = ECC_SECP128R2; break; - case NID_secp160r1: + case WC_NID_secp160r1: id = ECC_SECP160R1; break; - case NID_secp160r2: + case WC_NID_secp160r2: id = ECC_SECP160R2; break; - case NID_secp224r1: + case WC_NID_secp224r1: id = ECC_SECP224R1; break; - case NID_secp384r1: + case WC_NID_secp384r1: id = ECC_SECP384R1; break; - case NID_secp521r1: + case WC_NID_secp521r1: id = ECC_SECP521R1; break; - case NID_secp160k1: + case WC_NID_secp160k1: id = ECC_SECP160K1; break; - case NID_secp192k1: + case WC_NID_secp192k1: id = ECC_SECP192K1; break; - case NID_secp224k1: + case WC_NID_secp224k1: id = ECC_SECP224K1; break; - case NID_secp256k1: + case WC_NID_secp256k1: id = ECC_SECP256K1; break; - case NID_brainpoolP160r1: + case WC_NID_brainpoolP160r1: id = ECC_BRAINPOOLP160R1; break; - case NID_brainpoolP192r1: + case WC_NID_brainpoolP192r1: id = ECC_BRAINPOOLP192R1; break; - case NID_brainpoolP224r1: + case WC_NID_brainpoolP224r1: id = ECC_BRAINPOOLP224R1; break; - case NID_brainpoolP256r1: + case WC_NID_brainpoolP256r1: id = ECC_BRAINPOOLP256R1; break; - case NID_brainpoolP320r1: + case WC_NID_brainpoolP320r1: id = ECC_BRAINPOOLP320R1; break; - case NID_brainpoolP384r1: + case WC_NID_brainpoolP384r1: id = ECC_BRAINPOOLP384R1; break; - case NID_brainpoolP512r1: + case WC_NID_brainpoolP512r1: id = ECC_BRAINPOOLP512R1; break; default: @@ -9622,53 +9642,53 @@ int wolfSSL_EC_GROUP_get_degree(const WOLFSSL_EC_GROUP *group) } else { switch (group->curve_nid) { - case NID_secp112r1: - case NID_secp112r2: + case WC_NID_secp112r1: + case WC_NID_secp112r2: degree = 112; break; - case NID_secp128r1: - case NID_secp128r2: + case WC_NID_secp128r1: + case WC_NID_secp128r2: degree = 128; break; - case NID_secp160k1: - case NID_secp160r1: - case NID_secp160r2: - case NID_brainpoolP160r1: + case WC_NID_secp160k1: + case WC_NID_secp160r1: + case WC_NID_secp160r2: + case WC_NID_brainpoolP160r1: degree = 160; break; - case NID_secp192k1: - case NID_brainpoolP192r1: - case NID_X9_62_prime192v1: - case NID_X9_62_prime192v2: - case NID_X9_62_prime192v3: + case WC_NID_secp192k1: + case WC_NID_brainpoolP192r1: + case WC_NID_X9_62_prime192v1: + case WC_NID_X9_62_prime192v2: + case WC_NID_X9_62_prime192v3: degree = 192; break; - case NID_secp224k1: - case NID_secp224r1: - case NID_brainpoolP224r1: + case WC_NID_secp224k1: + case WC_NID_secp224r1: + case WC_NID_brainpoolP224r1: degree = 224; break; - case NID_X9_62_prime239v1: - case NID_X9_62_prime239v2: - case NID_X9_62_prime239v3: + case WC_NID_X9_62_prime239v1: + case WC_NID_X9_62_prime239v2: + case WC_NID_X9_62_prime239v3: degree = 239; break; - case NID_secp256k1: - case NID_brainpoolP256r1: - case NID_X9_62_prime256v1: + case WC_NID_secp256k1: + case WC_NID_brainpoolP256r1: + case WC_NID_X9_62_prime256v1: degree = 256; break; - case NID_brainpoolP320r1: + case WC_NID_brainpoolP320r1: degree = 320; break; - case NID_secp384r1: - case NID_brainpoolP384r1: + case WC_NID_secp384r1: + case WC_NID_brainpoolP384r1: degree = 384; break; - case NID_brainpoolP512r1: + case WC_NID_brainpoolP512r1: degree = 512; break; - case NID_secp521r1: + case WC_NID_secp521r1: degree = 521; break; } @@ -10139,7 +10159,7 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group, if (!err) { /* [] */ len = sz + 1; - if (form == POINT_CONVERSION_UNCOMPRESSED) { + if (form == WC_POINT_CONVERSION_UNCOMPRESSED) { /* Include y ordinate when uncompressed. */ len += sz; } @@ -10165,7 +10185,7 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group, } } if (!err) { - if (form == POINT_CONVERSION_COMPRESSED) { + if (form == WC_POINT_CONVERSION_COMPRESSED) { /* Compressed format byte value dependent on whether y-ordinate is * odd. */ @@ -10222,13 +10242,13 @@ static size_t hex_to_bytes(const char *hex, unsigned char *output, size_t sz) return sz; } -WOLFSSL_EC_POINT* wolfSSL_EC_POINT_hex2point(const EC_GROUP *group, +WOLFSSL_EC_POINT* wolfSSL_EC_POINT_hex2point(const WOLFSSL_EC_GROUP *group, const char *hex, WOLFSSL_EC_POINT*p, WOLFSSL_BN_CTX *ctx) { /* for uncompressed mode */ size_t str_sz; - BIGNUM *Gx = NULL; - BIGNUM *Gy = NULL; + WOLFSSL_BIGNUM *Gx = NULL; + WOLFSSL_BIGNUM *Gy = NULL; char strGx[MAX_ECC_BYTES * 2 + 1]; /* for compressed mode */ @@ -10295,7 +10315,7 @@ WOLFSSL_EC_POINT* wolfSSL_EC_POINT_hex2point(const EC_GROUP *group, wolfSSL_BN_free(Gx); wolfSSL_BN_free(Gy); if (p_alloc) { - EC_POINT_free(p); + wolfSSL_EC_POINT_free(p); } return NULL; @@ -10473,7 +10493,7 @@ size_t wolfSSL_EC_POINT_point2oct(const WOLFSSL_EC_GROUP *group, int err = 0; word32 enc_len = (word32)len; #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || FIPS_VERSION_GT(2,0)) - int compressed = ((form == POINT_CONVERSION_COMPRESSED) ? 1 : 0); + int compressed = ((form == WC_POINT_CONVERSION_COMPRESSED) ? 1 : 0); #endif /* !HAVE_SELFTEST */ WOLFSSL_ENTER("wolfSSL_EC_POINT_point2oct"); @@ -10498,7 +10518,7 @@ size_t wolfSSL_EC_POINT_point2oct(const WOLFSSL_EC_GROUP *group, if (buf != NULL) { /* Check whether buffer has space. */ if (len < 1) { - ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL); + wolfSSL_ECerr(WOLFSSL_EC_F_EC_GFP_SIMPLE_POINT2OCT, BUFFER_E); err = 1; } else { @@ -10510,9 +10530,9 @@ size_t wolfSSL_EC_POINT_point2oct(const WOLFSSL_EC_GROUP *group, /* Not infinity. */ else if (!err) { /* Validate format. */ - if (form != POINT_CONVERSION_UNCOMPRESSED + if (form != WC_POINT_CONVERSION_UNCOMPRESSED #ifndef HAVE_SELFTEST - && form != POINT_CONVERSION_COMPRESSED + && form != WC_POINT_CONVERSION_COMPRESSED #endif /* !HAVE_SELFTEST */ ) { WOLFSSL_MSG("Unsupported point form"); @@ -10593,8 +10613,8 @@ int wolfSSL_EC_POINT_oct2point(const WOLFSSL_EC_GROUP *group, * @param [in] group EC group. * @param [in] point EC point. * @param [in] form Format of encoding. Valid values: - * POINT_CONVERSION_UNCOMPRESSED, - * POINT_CONVERSION_COMPRESSED. + * WC_POINT_CONVERSION_UNCOMPRESSED, + * WC_POINT_CONVERSION_COMPRESSED. * @param [in, out] bn BN to hold point value. * When NULL a new BN is allocated otherwise this is * returned on success. @@ -10811,10 +10831,10 @@ int wolfSSL_EC_POINT_get_affine_coordinates_GFp(const WOLFSSL_EC_GROUP* group, } /* Copy the externally set x and y ordinates. */ - if ((ret == 1) && (BN_copy(x, point->X) == NULL)) { + if ((ret == 1) && (wolfSSL_BN_copy(x, point->X) == NULL)) { ret = 0; } - if ((ret == 1) && (BN_copy(y, point->Y) == NULL)) { + if ((ret == 1) && (wolfSSL_BN_copy(y, point->Y) == NULL)) { ret = 0; } @@ -11831,7 +11851,7 @@ WOLFSSL_EC_KEY *wolfSSL_EC_KEY_new_ex(void* heap, int devId) /* Cache heap hint. */ key->heap = heap; /* Initialize fields to defaults. */ - key->form = POINT_CONVERSION_UNCOMPRESSED; + key->form = WC_POINT_CONVERSION_UNCOMPRESSED; /* Initialize reference count. */ wolfSSL_RefInit(&key->ref, &err); @@ -11857,7 +11877,7 @@ WOLFSSL_EC_KEY *wolfSSL_EC_KEY_new_ex(void* heap, int devId) if (!err) { /* Group unknown at creation */ - key->group = wolfSSL_EC_GROUP_new_by_curve_name(NID_undef); + key->group = wolfSSL_EC_GROUP_new_by_curve_name(WC_NID_undef); if (key->group == NULL) { WOLFSSL_MSG("wolfSSL_EC_KEY_new malloc WOLFSSL_EC_GROUP failure"); err = 1; @@ -12194,7 +12214,7 @@ int wolfSSL_i2o_ECPublicKey(const WOLFSSL_EC_KEY *key, unsigned char **out) { int ret = 1; size_t len = 0; - int form = POINT_CONVERSION_UNCOMPRESSED; + int form = WC_POINT_CONVERSION_UNCOMPRESSED; WOLFSSL_ENTER("wolfSSL_i2o_ECPublicKey"); @@ -12214,9 +12234,9 @@ int wolfSSL_i2o_ECPublicKey(const WOLFSSL_EC_KEY *key, unsigned char **out) if (ret == 1) { #ifdef HAVE_COMP_KEY /* Default to compressed form if not set */ - form = (key->form != POINT_CONVERSION_UNCOMPRESSED) ? - POINT_CONVERSION_UNCOMPRESSED : - POINT_CONVERSION_COMPRESSED; + form = (key->form != WC_POINT_CONVERSION_UNCOMPRESSED) ? + WC_POINT_CONVERSION_UNCOMPRESSED : + WC_POINT_CONVERSION_COMPRESSED; #endif /* Calculate length of point encoding. */ @@ -12880,7 +12900,7 @@ int wolfSSL_PEM_write_bio_EC_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ec) * @return 0 on error. */ int wolfSSL_PEM_write_bio_ECPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ec, - const EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, + const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, wc_pem_password_cb* cb, void* arg) { int ret = 1; @@ -12928,7 +12948,7 @@ int wolfSSL_PEM_write_bio_ECPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ec, * @return 0 on error. */ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ec, - const EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, + const WOLFSSL_EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, unsigned char **pem, int *pLen) { #if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) @@ -12960,7 +12980,7 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ec, /* Calculate maximum size of DER encoding. * 4 > size of pub, priv + ASN.1 additional information */ der_max_len = 4 * (word32)wc_ecc_size((ecc_key*)ec->internal) + - AES_BLOCK_SIZE; + WC_AES_BLOCK_SIZE; /* Allocate buffer big enough to hold encoding. */ derBuf = (byte*)XMALLOC((size_t)der_max_len, NULL, @@ -13017,7 +13037,7 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ec, * @return 0 on error. */ int wolfSSL_PEM_write_ECPrivateKey(XFILE fp, WOLFSSL_EC_KEY *ec, - const EVP_CIPHER *cipher, unsigned char *passwd, int passwdSz, + const WOLFSSL_EVP_CIPHER *cipher, unsigned char *passwd, int passwdSz, wc_pem_password_cb *cb, void *pass) { int ret = 1; @@ -13120,7 +13140,7 @@ int wolfSSL_EC_KEY_print_fp(XFILE fp, WOLFSSL_EC_KEY* key, int indent) if ((ret == 1) && (key->pub_key != NULL) && (key->pub_key->exSet)) { /* Get the public key point as one BN. */ WOLFSSL_BIGNUM* pubBn = wolfSSL_EC_POINT_point2bn(key->group, - key->pub_key, POINT_CONVERSION_UNCOMPRESSED, NULL, NULL); + key->pub_key, WC_POINT_CONVERSION_UNCOMPRESSED, NULL, NULL); if (pubBn == NULL) { WOLFSSL_MSG("wolfSSL_EC_POINT_point2bn failed."); ret = 0; @@ -13311,7 +13331,8 @@ int SetECKeyInternal(WOLFSSL_EC_KEY* eckey) * @return Point conversion format on success. * @return -1 on error. */ -point_conversion_form_t wolfSSL_EC_KEY_get_conv_form(const WOLFSSL_EC_KEY* key) +wc_point_conversion_form_t wolfSSL_EC_KEY_get_conv_form( + const WOLFSSL_EC_KEY* key) { if (key == NULL) return WOLFSSL_FATAL_ERROR; @@ -13322,17 +13343,17 @@ point_conversion_form_t wolfSSL_EC_KEY_get_conv_form(const WOLFSSL_EC_KEY* key) * * @param [in, out] key EC key to set format into. * @param [in] form Point conversion format. Valid values: - * POINT_CONVERSION_UNCOMPRESSED, - * POINT_CONVERSION_COMPRESSED (when HAVE_COMP_KEY) + * WC_POINT_CONVERSION_UNCOMPRESSED, + * WC_POINT_CONVERSION_COMPRESSED (when HAVE_COMP_KEY) */ void wolfSSL_EC_KEY_set_conv_form(WOLFSSL_EC_KEY *key, int form) { if (key == NULL) { WOLFSSL_MSG("Key passed in NULL"); } - else if (form == POINT_CONVERSION_UNCOMPRESSED + else if (form == WC_POINT_CONVERSION_UNCOMPRESSED #ifdef HAVE_COMP_KEY - || form == POINT_CONVERSION_COMPRESSED + || form == WC_POINT_CONVERSION_COMPRESSED #endif ) { key->form = (unsigned char)form; @@ -14041,7 +14062,7 @@ int wolfSSL_ECDSA_size(const WOLFSSL_EC_KEY *key) { int err = 0; int len = 0; - const EC_GROUP *group = NULL; + const WOLFSSL_EC_GROUP *group = NULL; int bits = 0; /* Validate parameter. */ @@ -15478,24 +15499,24 @@ int wolfSSL_PEM_write_bio_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key) if ((bio != NULL) && (key != NULL)) { switch (key->type) { #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) - case EVP_PKEY_RSA: + case WC_EVP_PKEY_RSA: ret = wolfSSL_PEM_write_bio_RSA_PUBKEY(bio, key->rsa); break; #endif /* WOLFSSL_KEY_GEN && !NO_RSA */ #if !defined(NO_DSA) && !defined(HAVE_SELFTEST) && \ (defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN)) - case EVP_PKEY_DSA: + case WC_EVP_PKEY_DSA: ret = wolfSSL_PEM_write_bio_DSA_PUBKEY(bio, key->dsa); break; #endif /* !NO_DSA && !HAVE_SELFTEST && (WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN) */ #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) && \ defined(WOLFSSL_KEY_GEN) - case EVP_PKEY_EC: + case WC_EVP_PKEY_EC: ret = wolfSSL_PEM_write_bio_EC_PUBKEY(bio, key->ecc); break; #endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */ #if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) - case EVP_PKEY_DH: + case WC_EVP_PKEY_DH: /* DH public key not supported. */ WOLFSSL_MSG("Writing DH PUBKEY not supported!"); break; @@ -15546,21 +15567,21 @@ int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key, #ifdef WOLFSSL_KEY_GEN switch (key->type) { #ifndef NO_RSA - case EVP_PKEY_RSA: + case WC_EVP_PKEY_RSA: /* Write using RSA specific API. */ ret = wolfSSL_PEM_write_bio_RSAPrivateKey(bio, key->rsa, cipher, passwd, len, cb, arg); break; #endif #ifndef NO_DSA - case EVP_PKEY_DSA: + case WC_EVP_PKEY_DSA: /* Write using DSA specific API. */ ret = wolfSSL_PEM_write_bio_DSAPrivateKey(bio, key->dsa, cipher, passwd, len, cb, arg); break; #endif #ifdef HAVE_ECC - case EVP_PKEY_EC: + case WC_EVP_PKEY_EC: #if defined(HAVE_ECC_KEY_EXPORT) /* Write using EC specific API. */ ret = wolfSSL_PEM_write_bio_ECPrivateKey(bio, key->ecc, @@ -15572,7 +15593,7 @@ int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key, break; #endif #ifndef NO_DH - case EVP_PKEY_DH: + case WC_EVP_PKEY_DH: /* Write using generic API with DH type. */ ret = der_write_to_bio_as_pem((byte*)key->pkey.ptr, key->pkey_sz, bio, DH_PRIVATEKEY_TYPE); @@ -15588,22 +15609,22 @@ int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key, switch (key->type) { #ifndef NO_DSA - case EVP_PKEY_DSA: + case WC_EVP_PKEY_DSA: type = DSA_PRIVATEKEY_TYPE; break; #endif #ifdef HAVE_ECC - case EVP_PKEY_EC: + case WC_EVP_PKEY_EC: type = ECC_PRIVATEKEY_TYPE; break; #endif #ifndef NO_DH - case EVP_PKEY_DH: + case WC_EVP_PKEY_DH: type = DH_PRIVATEKEY_TYPE; break; #endif #ifndef NO_RSA - case EVP_PKEY_RSA: + case WC_EVP_PKEY_RSA: type = PRIVATEKEY_TYPE; break; #endif @@ -15719,16 +15740,16 @@ WOLFSSL_EVP_PKEY* wolfSSL_PEM_read_bio_PrivateKey(WOLFSSL_BIO* bio, /* No key format set - default to RSA. */ case 0: case RSAk: - type = EVP_PKEY_RSA; + type = WC_EVP_PKEY_RSA; break; case DSAk: - type = EVP_PKEY_DSA; + type = WC_EVP_PKEY_DSA; break; case ECDSAk: - type = EVP_PKEY_EC; + type = WC_EVP_PKEY_EC; break; case DHk: - type = EVP_PKEY_DH; + type = WC_EVP_PKEY_DH; break; default: type = WOLFSSL_FATAL_ERROR; @@ -15761,8 +15782,9 @@ WOLFSSL_EVP_PKEY* wolfSSL_PEM_read_bio_PrivateKey(WOLFSSL_BIO* bio, } -PKCS8_PRIV_KEY_INFO* wolfSSL_PEM_read_bio_PKCS8_PRIV_KEY_INFO(WOLFSSL_BIO* bio, - PKCS8_PRIV_KEY_INFO** key, wc_pem_password_cb* cb, void* arg) +WOLFSSL_PKCS8_PRIV_KEY_INFO* wolfSSL_PEM_read_bio_PKCS8_PRIV_KEY_INFO( + WOLFSSL_BIO* bio, WOLFSSL_PKCS8_PRIV_KEY_INFO** key, wc_pem_password_cb* cb, + void* arg) { return wolfSSL_PEM_read_bio_PrivateKey(bio, key, cb, arg); } @@ -15865,16 +15887,16 @@ WOLFSSL_EVP_PKEY* wolfSSL_PEM_read_PrivateKey(XFILE fp, WOLFSSL_EVP_PKEY **key, /* No key format set - default to RSA. */ case 0: case RSAk: - type = EVP_PKEY_RSA; + type = WC_EVP_PKEY_RSA; break; case DSAk: - type = EVP_PKEY_DSA; + type = WC_EVP_PKEY_DSA; break; case ECDSAk: - type = EVP_PKEY_EC; + type = WC_EVP_PKEY_EC; break; case DHk: - type = EVP_PKEY_DH; + type = WC_EVP_PKEY_DH; break; default: type = WOLFSSL_FATAL_ERROR; @@ -16478,13 +16500,13 @@ int pkcs8_encrypt(WOLFSSL_EVP_PKEY* pkey, int pkcs8_encode(WOLFSSL_EVP_PKEY* pkey, byte* key, word32* keySz) { int ret = 0; - int algId; + int algId = 0; const byte* curveOid; - word32 oidSz; + word32 oidSz = 0; /* Get the details of the private key. */ #ifdef HAVE_ECC - if (pkey->type == EVP_PKEY_EC) { + if (pkey->type == WC_EVP_PKEY_EC) { /* ECC private and get curve OID information. */ algId = ECDSAk; ret = wc_ecc_get_oid(pkey->ecc->group->curve_oid, &curveOid, @@ -16492,19 +16514,20 @@ int pkcs8_encode(WOLFSSL_EVP_PKEY* pkey, byte* key, word32* keySz) } else #endif - if (pkey->type == EVP_PKEY_RSA) { + if (pkey->type == WC_EVP_PKEY_RSA) { /* RSA private has no curve information. */ algId = RSAk; curveOid = NULL; oidSz = 0; } - else if (pkey->type == EVP_PKEY_DSA) { + else if (pkey->type == WC_EVP_PKEY_DSA) { /* DSA has no curve information. */ algId = DSAk; curveOid = NULL; oidSz = 0; } - else if (pkey->type == EVP_PKEY_DH) { +#ifndef NO_DH + else if (pkey->type == WC_EVP_PKEY_DH) { if (pkey->dh == NULL) return BAD_FUNC_ARG; @@ -16526,6 +16549,7 @@ int pkcs8_encode(WOLFSSL_EVP_PKEY* pkey, byte* key, word32* keySz) curveOid = NULL; oidSz = 0; } +#endif else { ret = NOT_COMPILED_IN; } diff --git a/src/quic.c b/src/quic.c index f709ea6935..64cf14fc86 100644 --- a/src/quic.c +++ b/src/quic.c @@ -1193,7 +1193,7 @@ int wolfSSL_quic_hkdf_extract(uint8_t* dest, const WOLFSSL_EVP_MD* md, WOLFSSL_ENTER("wolfSSL_quic_hkdf_extract"); - pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL); + pctx = wolfSSL_EVP_PKEY_CTX_new_id(WC_NID_hkdf, NULL); if (pctx == NULL) { ret = WOLFSSL_FAILURE; goto cleanup; @@ -1201,7 +1201,7 @@ int wolfSSL_quic_hkdf_extract(uint8_t* dest, const WOLFSSL_EVP_MD* md, if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS || wolfSSL_EVP_PKEY_CTX_hkdf_mode( - pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) != WOLFSSL_SUCCESS + pctx, WOLFSSL_EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) != WOLFSSL_SUCCESS || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt( pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS @@ -1230,7 +1230,7 @@ int wolfSSL_quic_hkdf_expand(uint8_t* dest, size_t destlen, WOLFSSL_ENTER("wolfSSL_quic_hkdf_expand"); - pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL); + pctx = wolfSSL_EVP_PKEY_CTX_new_id(WC_NID_hkdf, NULL); if (pctx == NULL) { ret = WOLFSSL_FAILURE; goto cleanup; @@ -1238,7 +1238,7 @@ int wolfSSL_quic_hkdf_expand(uint8_t* dest, size_t destlen, if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS || wolfSSL_EVP_PKEY_CTX_hkdf_mode( - pctx, EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) != WOLFSSL_SUCCESS + pctx, WOLFSSL_EVP_PKEY_HKDEF_MODE_EXPAND_ONLY) != WOLFSSL_SUCCESS || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt( pctx, (byte*)"", 0) != WOLFSSL_SUCCESS @@ -1253,7 +1253,7 @@ int wolfSSL_quic_hkdf_expand(uint8_t* dest, size_t destlen, cleanup: if (pctx) - EVP_PKEY_CTX_free(pctx); + wolfSSL_EVP_PKEY_CTX_free(pctx); WOLFSSL_LEAVE("wolfSSL_quic_hkdf_expand", ret); return ret; } @@ -1270,7 +1270,7 @@ int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen, WOLFSSL_ENTER("wolfSSL_quic_hkdf"); - pctx = wolfSSL_EVP_PKEY_CTX_new_id(NID_hkdf, NULL); + pctx = wolfSSL_EVP_PKEY_CTX_new_id(WC_NID_hkdf, NULL); if (pctx == NULL) { ret = WOLFSSL_FAILURE; goto cleanup; @@ -1278,7 +1278,7 @@ int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen, if (wolfSSL_EVP_PKEY_derive_init(pctx) != WOLFSSL_SUCCESS || wolfSSL_EVP_PKEY_CTX_hkdf_mode( - pctx, EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) != WOLFSSL_SUCCESS + pctx, WOLFSSL_EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND) != WOLFSSL_SUCCESS || wolfSSL_EVP_PKEY_CTX_set_hkdf_md(pctx, md) != WOLFSSL_SUCCESS || wolfSSL_EVP_PKEY_CTX_set1_hkdf_salt( pctx, (byte*)salt, (int)saltlen) != WOLFSSL_SUCCESS @@ -1293,7 +1293,7 @@ int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen, cleanup: if (pctx) - EVP_PKEY_CTX_free(pctx); + wolfSSL_EVP_PKEY_CTX_free(pctx); WOLFSSL_LEAVE("wolfSSL_quic_hkdf", ret); return ret; } @@ -1346,7 +1346,7 @@ int wolfSSL_quic_aead_encrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx, ctx, dest, &len, plain, (int)plainlen) != WOLFSSL_SUCCESS || wolfSSL_EVP_CipherFinal(ctx, dest + len, &len) != WOLFSSL_SUCCESS || wolfSSL_EVP_CIPHER_CTX_ctrl( - ctx, EVP_CTRL_AEAD_GET_TAG, ctx->authTagSz, dest + plainlen) + ctx, WOLFSSL_EVP_CTRL_AEAD_GET_TAG, ctx->authTagSz, dest + plainlen) != WOLFSSL_SUCCESS) { return WOLFSSL_FAILURE; } @@ -1373,7 +1373,7 @@ int wolfSSL_quic_aead_decrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx, if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 0) != WOLFSSL_SUCCESS || wolfSSL_EVP_CIPHER_CTX_ctrl( - ctx, EVP_CTRL_AEAD_SET_TAG, ctx->authTagSz, (uint8_t*)tag) + ctx, WOLFSSL_EVP_CTRL_AEAD_SET_TAG, ctx->authTagSz, (uint8_t*)tag) != WOLFSSL_SUCCESS || wolfSSL_EVP_CipherUpdate(ctx, NULL, &len, aad, (int)aadlen) != WOLFSSL_SUCCESS diff --git a/src/sniffer.c b/src/sniffer.c index 758e7be74d..a606a6114d 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -227,8 +227,8 @@ BOOL APIENTRY DllMain( HMODULE hModule, #endif /* _WIN32 */ -static WOLFSSL_GLOBAL int TraceOn = 0; /* Trace is off by default */ -static WOLFSSL_GLOBAL XFILE TraceFile = 0; +static WC_THREADSHARED int TraceOn = 0; /* Trace is off by default */ +static WC_THREADSHARED XFILE TraceFile = 0; /* windows uses .rc table for this */ @@ -566,52 +566,52 @@ typedef struct SnifferSession { /* Sniffer Server List and mutex */ -static THREAD_LS_T WOLFSSL_GLOBAL SnifferServer* ServerList = NULL; +static THREAD_LS_T SnifferServer* ServerList = NULL; #ifndef HAVE_C___ATOMIC -static WOLFSSL_GLOBAL wolfSSL_Mutex ServerListMutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(ServerListMutex); +static WC_THREADSHARED wolfSSL_Mutex ServerListMutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(ServerListMutex); #endif /* Session Hash Table, mutex, and count */ -static THREAD_LS_T WOLFSSL_GLOBAL SnifferSession* SessionTable[HASH_SIZE]; +static THREAD_LS_T SnifferSession* SessionTable[HASH_SIZE]; #ifndef HAVE_C___ATOMIC -static WOLFSSL_GLOBAL wolfSSL_Mutex SessionMutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(SessionMutex); +static WC_THREADSHARED wolfSSL_Mutex SessionMutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(SessionMutex); #endif -static THREAD_LS_T WOLFSSL_GLOBAL int SessionCount = 0; +static THREAD_LS_T int SessionCount = 0; -static WOLFSSL_GLOBAL int RecoveryEnabled = 0; /* global switch */ -static WOLFSSL_GLOBAL int MaxRecoveryMemory = -1; +static WC_THREADSHARED int RecoveryEnabled = 0; /* global switch */ +static WC_THREADSHARED int MaxRecoveryMemory = -1; /* per session max recovery memory */ #ifndef WOLFSSL_SNIFFER_NO_RECOVERY /* Recovery of missed data switches and stats */ -static WOLFSSL_GLOBAL wolfSSL_Mutex RecoveryMutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(RecoveryMutex); /* for stats */ +static WC_THREADSHARED wolfSSL_Mutex RecoveryMutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(RecoveryMutex); /* for stats */ /* # of sessions with missed data */ -static WOLFSSL_GLOBAL word32 MissedDataSessions = 0; +static WC_THREADSHARED word32 MissedDataSessions = 0; #endif /* Connection Info Callback */ -static WOLFSSL_GLOBAL SSLConnCb ConnectionCb; -static WOLFSSL_GLOBAL void* ConnectionCbCtx = NULL; +static WC_THREADSHARED SSLConnCb ConnectionCb; +static WC_THREADSHARED void* ConnectionCbCtx = NULL; #ifdef WOLFSSL_SNIFFER_STATS /* Sessions Statistics */ -static WOLFSSL_GLOBAL SSLStats SnifferStats; -static WOLFSSL_GLOBAL wolfSSL_Mutex StatsMutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(StatsMutex); +static WC_THREADSHARED SSLStats SnifferStats; +static WC_THREADSHARED wolfSSL_Mutex StatsMutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(StatsMutex); #endif #ifdef WOLFSSL_SNIFFER_KEY_CALLBACK -static WOLFSSL_GLOBAL SSLKeyCb KeyCb; -static WOLFSSL_GLOBAL void* KeyCbCtx = NULL; +static WC_THREADSHARED SSLKeyCb KeyCb; +static WC_THREADSHARED void* KeyCbCtx = NULL; #endif #ifdef WOLFSSL_SNIFFER_WATCH /* Watch Key Callback */ -static WOLFSSL_GLOBAL SSLWatchCb WatchCb; -static WOLFSSL_GLOBAL void* WatchCbCtx = NULL; +static WC_THREADSHARED SSLWatchCb WatchCb; +static WC_THREADSHARED void* WatchCbCtx = NULL; #endif #ifdef WOLFSSL_SNIFFER_STORE_DATA_CB /* Store Data Callback */ -static WOLFSSL_GLOBAL SSLStoreDataCb StoreDataCb; +static WC_THREADSHARED SSLStoreDataCb StoreDataCb; #endif @@ -656,7 +656,7 @@ static void UpdateMissedDataSessions(void) #if defined(WOLF_CRYPTO_CB) || defined(WOLFSSL_ASYNC_CRYPT) - static WOLFSSL_GLOBAL int CryptoDeviceId = INVALID_DEVID; + static WC_THREADSHARED int CryptoDeviceId = INVALID_DEVID; #endif #if defined(WOLFSSL_SNIFFER_KEYLOGFILE) @@ -4292,8 +4292,8 @@ static int KeyWatchCall(SnifferSession* session, const byte* data, int dataSz, char* error) { int ret; - Sha256 sha; - byte digest[SHA256_DIGEST_SIZE]; + wc_Sha256 sha; + byte digest[WC_SHA256_DIGEST_SIZE]; if (WatchCb == NULL) { SetError(WATCH_CB_MISSING_STR, error, session, FATAL_ERROR_STATE); @@ -6023,8 +6023,7 @@ static int CheckSequence(IpInfo* ipInfo, TcpInfo* tcpInfo, /* returns 0 on success (continue), -1 on error, 1 on success (end) */ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte** sslFrame, SnifferSession** pSession, - int* sslBytes, const byte** end, - void* vChain, word32 chainSz, char* error) + int* sslBytes, const byte** end, char* error) { word32 length; SnifferSession* session = *pSession; @@ -6094,53 +6093,12 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo, return WOLFSSL_FATAL_ERROR; } } - if (vChain == NULL) { - XMEMCPY(&ssl->buffers.inputBuffer.buffer[length], - *sslFrame, *sslBytes); - *sslBytes += length; - ssl->buffers.inputBuffer.length = *sslBytes; - *sslFrame = ssl->buffers.inputBuffer.buffer; - *end = *sslFrame + *sslBytes; - } - else { - #ifdef WOLFSSL_SNIFFER_CHAIN_INPUT - struct iovec* chain = (struct iovec*)vChain; - word32 i, offset, headerSz, qty, remainder; - - Trace(CHAIN_INPUT_STR); - headerSz = (word32)((const byte*)*sslFrame - (const byte*)chain[0].iov_base); - remainder = *sslBytes; - - if ( (*sslBytes + length) > ssl->buffers.inputBuffer.bufferSize) { - if (GrowInputBuffer(ssl, *sslBytes, length) < 0) { - SetError(MEMORY_STR, error, session, FATAL_ERROR_STATE); - return WOLFSSL_FATAL_ERROR; - } - } - - qty = min(*sslBytes, (word32)chain[0].iov_len - headerSz); - XMEMCPY(&ssl->buffers.inputBuffer.buffer[length], - (byte*)chain[0].iov_base + headerSz, qty); - offset = length; - for (i = 1; i < chainSz; i++) { - offset += qty; - remainder -= qty; - - if (chain[i].iov_len > remainder) - qty = remainder; - else - qty = (word32)chain[i].iov_len; - XMEMCPY(ssl->buffers.inputBuffer.buffer + offset, - chain[i].iov_base, qty); - } - - *sslBytes += length; - ssl->buffers.inputBuffer.length = *sslBytes; - *sslFrame = ssl->buffers.inputBuffer.buffer; - *end = *sslFrame + *sslBytes; - #endif - (void)chainSz; - } + XMEMCPY(&ssl->buffers.inputBuffer.buffer[length], + *sslFrame, *sslBytes); + *sslBytes += length; + ssl->buffers.inputBuffer.length = *sslBytes; + *sslFrame = ssl->buffers.inputBuffer.buffer; + *end = *sslFrame + *sslBytes; } if (session->flags.clientHello == 0 && **sslFrame != handshake) { @@ -6616,27 +6574,33 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, int isChain, { TcpInfo tcpInfo; IpInfo ipInfo; + byte* tmpPacket = NULL; /* Assemble the chain */ const byte* sslFrame; const byte* end; int sslBytes; /* ssl bytes unconsumed */ int ret; SnifferSession* session = NULL; - void* vChain = NULL; - word32 chainSz = 0; if (isChain) { #ifdef WOLFSSL_SNIFFER_CHAIN_INPUT struct iovec* chain; word32 i; - vChain = (void*)packet; - chainSz = (word32)length; + word32 chainSz = (word32)length; - chain = (struct iovec*)vChain; + chain = (struct iovec*)packet; length = 0; - for (i = 0; i < chainSz; i++) + for (i = 0; i < chainSz; i++) length += chain[i].iov_len; + + tmpPacket = (byte*)XMALLOC(length, NULL, DYNAMIC_TYPE_SNIFFER_CHAIN_BUFFER); + if (tmpPacket == NULL) return MEMORY_E; + + length = 0; + for (i = 0; i < chainSz; i++) { + XMEMCPY(tmpPacket+length,chain[i].iov_base,chain[i].iov_len); length += chain[i].iov_len; - packet = (const byte*)chain[0].iov_base; + } + packet = (const byte*)tmpPacket; #else SetError(BAD_INPUT_STR, error, session, FATAL_ERROR_STATE); return WOLFSSL_SNIFFER_ERROR; @@ -6645,18 +6609,27 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, int isChain, if (CheckHeaders(&ipInfo, &tcpInfo, packet, length, &sslFrame, &sslBytes, error, 1, 1) != 0) { - return WOLFSSL_SNIFFER_ERROR; + ret = WOLFSSL_SNIFFER_ERROR; + goto exit_decode; } end = sslFrame + sslBytes; ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error); - if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) - return WOLFSSL_SNIFFER_FATAL_ERROR; + if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) { + ret = WOLFSSL_SNIFFER_FATAL_ERROR; + goto exit_decode; + } #ifdef WOLFSSL_ASYNC_CRYPT - else if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) return WC_PENDING_E; + else if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { + ret = WC_PENDING_E; + goto exit_decode; + } #endif - else if (ret == -1) return WOLFSSL_SNIFFER_ERROR; + else if (ret == -1) { + ret = WOLFSSL_SNIFFER_ERROR; + goto exit_decode; + } else if (ret == 1) { #ifdef WOLFSSL_SNIFFER_STATS if (sslBytes > 0) { @@ -6669,7 +6642,8 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, int isChain, INC_STAT(SnifferStats.sslDecryptedPackets); } #endif - return 0; /* done for now */ + ret = 0; + goto exit_decode; /* done for now */ } #ifdef WOLFSSL_ASYNC_CRYPT @@ -6677,30 +6651,41 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, int isChain, #endif ret = CheckSequence(&ipInfo, &tcpInfo, session, &sslBytes, &sslFrame,error); - if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) - return WOLFSSL_SNIFFER_FATAL_ERROR; - else if (ret == -1) return WOLFSSL_SNIFFER_ERROR; + if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) { + ret = WOLFSSL_SNIFFER_FATAL_ERROR; + goto exit_decode; + } + else if (ret == -1) { + ret = WOLFSSL_SNIFFER_ERROR; + goto exit_decode; + } else if (ret == 1) { #ifdef WOLFSSL_SNIFFER_STATS INC_STAT(SnifferStats.sslDecryptedPackets); #endif - return 0; /* done for now */ + ret = 0; + goto exit_decode; /* done for now */ } else if (ret != 0) { - /* return specific error case */ - return ret; + goto exit_decode; /* return specific error case */ } ret = CheckPreRecord(&ipInfo, &tcpInfo, &sslFrame, &session, &sslBytes, - &end, vChain, chainSz, error); - if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) - return WOLFSSL_SNIFFER_FATAL_ERROR; - else if (ret == -1) return WOLFSSL_SNIFFER_ERROR; + &end, error); + if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) { + ret = WOLFSSL_SNIFFER_FATAL_ERROR; + goto exit_decode; + } + else if (ret == -1) { + ret = WOLFSSL_SNIFFER_ERROR; + goto exit_decode; + } else if (ret == 1) { #ifdef WOLFSSL_SNIFFER_STATS INC_STAT(SnifferStats.sslDecryptedPackets); #endif - return 0; /* done for now */ + ret = 0; + goto exit_decode; /* done for now */ } #ifdef WOLFSSL_ASYNC_CRYPT @@ -6708,7 +6693,8 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, int isChain, if (asyncOkay && session->sslServer->error == WC_NO_ERR_TRACE(WC_PENDING_E) && !session->flags.wasPolled) { - return WC_PENDING_E; + ret = WC_PENDING_E; + goto exit_decode; } #endif @@ -6745,7 +6731,7 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, int isChain, wolfSSL_AsyncPoll(session->sslServer, WOLF_POLL_FLAG_CHECK_HW); } else { - return ret; /* return to caller */ + goto exit_decode; /* return to caller */ } } else { @@ -6756,12 +6742,18 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, int isChain, (void)asyncOkay; #endif - if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) - return WOLFSSL_SNIFFER_FATAL_ERROR; + if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) { + ret = WOLFSSL_SNIFFER_FATAL_ERROR; + goto exit_decode; + } if (CheckFinCapture(&ipInfo, &tcpInfo, session) == 0) { CopySessionInfo(session, sslInfo); } +exit_decode: + if (isChain) { + XFREE(tmpPacket, NULL, DYNAMIC_TYPE_SNIFFER_CHAIN_BUFFER); + } return ret; } @@ -6868,11 +6860,15 @@ int ssl_Trace(const char* traceFile, char* error) if (traceFile) { /* Don't try to reopen the file */ if (TraceFile == NULL) { - TraceFile = XFOPEN(traceFile, "a"); - if (!TraceFile) { - SetError(BAD_TRACE_FILE_STR, error, NULL, 0); - return WOLFSSL_FATAL_ERROR; - } + if (XSTRCMP(traceFile, "-") == 0) { + TraceFile = stdout; + } else { + TraceFile = XFOPEN(traceFile, "a"); + if (!TraceFile) { + SetError(BAD_TRACE_FILE_STR, error, NULL, 0); + return WOLFSSL_FATAL_ERROR; + } + } TraceOn = 1; } } @@ -7238,11 +7234,11 @@ typedef struct SecretNode { #define WOLFSSL_SNIFFER_KEYLOGFILE_HASH_TABLE_SIZE HASH_SIZE #endif -static THREAD_LS_T WOLFSSL_GLOBAL +static THREAD_LS_T SecretNode* secretHashTable[WOLFSSL_SNIFFER_KEYLOGFILE_HASH_TABLE_SIZE] = {NULL}; #ifndef HAVE_C___ATOMIC -static WOLFSSL_GLOBAL wolfSSL_Mutex secretListMutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(secretListMutex); +static WC_THREADSHARED wolfSSL_Mutex secretListMutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(secretListMutex); #endif static unsigned int secretHashFunction(unsigned char* clientRandom); diff --git a/src/ssl.c b/src/ssl.c index 1bdcc8be6c..b11ed59a7e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -53,7 +53,7 @@ #if defined(NO_DH) && !defined(HAVE_ECC) && !defined(WOLFSSL_STATIC_RSA) \ && !defined(WOLFSSL_STATIC_DH) && !defined(WOLFSSL_STATIC_PSK) \ && !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448) - #error "No cipher suites defined because DH disabled, ECC disabled, " + #error "No cipher suites defined because DH disabled, ECC disabled, " \ "and no static suites defined. Please see top of README" #endif #ifdef WOLFSSL_CERT_GEN @@ -208,7 +208,7 @@ * * @param [in] sn Short name of OID. * @return NID corresponding to shortname on success. - * @return NID_undef when not recognized. + * @return WC_NID_undef when not recognized. */ int wc_OBJ_sn2nid(const char *sn) { @@ -217,21 +217,21 @@ int wc_OBJ_sn2nid(const char *sn) int nid; } sn2nid[] = { #ifndef NO_CERTS - {WOLFSSL_COMMON_NAME, NID_commonName}, - {WOLFSSL_COUNTRY_NAME, NID_countryName}, - {WOLFSSL_LOCALITY_NAME, NID_localityName}, - {WOLFSSL_STATE_NAME, NID_stateOrProvinceName}, - {WOLFSSL_ORG_NAME, NID_organizationName}, - {WOLFSSL_ORGUNIT_NAME, NID_organizationalUnitName}, + {WOLFSSL_COMMON_NAME, WC_NID_commonName}, + {WOLFSSL_COUNTRY_NAME, WC_NID_countryName}, + {WOLFSSL_LOCALITY_NAME, WC_NID_localityName}, + {WOLFSSL_STATE_NAME, WC_NID_stateOrProvinceName}, + {WOLFSSL_ORG_NAME, WC_NID_organizationName}, + {WOLFSSL_ORGUNIT_NAME, WC_NID_organizationalUnitName}, #ifdef WOLFSSL_CERT_NAME_ALL - {WOLFSSL_NAME, NID_name}, - {WOLFSSL_INITIALS, NID_initials}, - {WOLFSSL_GIVEN_NAME, NID_givenName}, - {WOLFSSL_DNQUALIFIER, NID_dnQualifier}, + {WOLFSSL_NAME, WC_NID_name}, + {WOLFSSL_INITIALS, WC_NID_initials}, + {WOLFSSL_GIVEN_NAME, WC_NID_givenName}, + {WOLFSSL_DNQUALIFIER, WC_NID_dnQualifier}, #endif - {WOLFSSL_EMAIL_ADDR, NID_emailAddress}, + {WOLFSSL_EMAIL_ADDR, WC_NID_emailAddress}, #endif - {"SHA1", NID_sha1}, + {"SHA1", WC_NID_sha1}, {NULL, -1}}; int i; #ifdef HAVE_ECC @@ -249,7 +249,7 @@ int wc_OBJ_sn2nid(const char *sn) #ifdef HAVE_ECC if (XSTRLEN(sn) > ECC_MAXNAME) - return NID_undef; + return WC_NID_undef; /* Nginx uses this OpenSSL string. */ if (XSTRCMP(sn, "prime256v1") == 0) @@ -275,7 +275,7 @@ int wc_OBJ_sn2nid(const char *sn) } #endif /* HAVE_ECC */ - return NID_undef; + return WC_NID_undef; } #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ @@ -1032,12 +1032,12 @@ int GetEchConfigsEx(WOLFSSL_EchConfig* configs, byte* output, word32* outputLen) #endif /* prevent multiple mutex initializations */ -static volatile WOLFSSL_GLOBAL int initRefCount = 0; +static volatile WC_THREADSHARED int initRefCount = 0; /* init ref count mutex */ -static WOLFSSL_GLOBAL wolfSSL_Mutex inits_count_mutex +static WC_THREADSHARED wolfSSL_Mutex inits_count_mutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(inits_count_mutex); #ifndef WOLFSSL_MUTEX_INITIALIZER -static WOLFSSL_GLOBAL int inits_count_mutex_valid = 0; +static WC_THREADSHARED volatile int inits_count_mutex_valid = 0; #endif /* Create a new WOLFSSL_CTX struct and return the pointer to created struct. @@ -1136,7 +1136,7 @@ WOLFSSL_CTX* wolfSSL_CTX_new(WOLFSSL_METHOD* method) int wolfSSL_CTX_up_ref(WOLFSSL_CTX* ctx) { int ret; - wolfSSL_RefInc(&ctx->ref, &ret); + wolfSSL_RefWithMutexInc(&ctx->ref, &ret); #ifdef WOLFSSL_REFCNT_ERROR_RETURN return ((ret == 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE); #else @@ -1976,9 +1976,9 @@ int wolfSSL_dtls_set_mtu(WOLFSSL* ssl, word16 newMtu) #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) int wolfSSL_set_mtu_compat(WOLFSSL* ssl, unsigned short mtu) { if (wolfSSL_dtls_set_mtu(ssl, mtu) == 0) - return SSL_SUCCESS; + return WOLFSSL_SUCCESS; else - return SSL_FAILURE; + return WOLFSSL_FAILURE; } #endif /* OPENSSL_ALL || OPENSSL_EXTRA */ @@ -2860,8 +2860,8 @@ int wolfSSL_write(WOLFSSL* ssl, const void* data, int sz) #ifdef OPENSSL_EXTRA if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_WRITE, WOLFSSL_SUCCESS); - ssl->cbmode = SSL_CB_WRITE; + ssl->CBIS(ssl, WOLFSSL_CB_WRITE, WOLFSSL_SUCCESS); + ssl->cbmode = WOLFSSL_CB_WRITE; } #endif ret = SendData(ssl, data, sz); @@ -2972,8 +2972,8 @@ int wolfSSL_read(WOLFSSL* ssl, void* data, int sz) return BAD_FUNC_ARG; } if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_READ, WOLFSSL_SUCCESS); - ssl->cbmode = SSL_CB_READ; + ssl->CBIS(ssl, WOLFSSL_CB_READ, WOLFSSL_SUCCESS); + ssl->cbmode = WOLFSSL_CB_READ; } #endif return wolfSSL_read_internal(ssl, data, sz, FALSE); @@ -3297,6 +3297,17 @@ static int isValidCurveGroup(word16 name) case WOLFSSL_FFDHE_8192: #ifdef WOLFSSL_HAVE_KYBER +#ifndef WOLFSSL_NO_ML_KEM + case WOLFSSL_ML_KEM_512: + case WOLFSSL_ML_KEM_768: + case WOLFSSL_ML_KEM_1024: + #if defined(WOLFSSL_WC_KYBER) || defined(HAVE_LIBOQS) + case WOLFSSL_P256_ML_KEM_512: + case WOLFSSL_P384_ML_KEM_768: + case WOLFSSL_P521_ML_KEM_1024: + #endif +#endif /* !WOLFSSL_NO_ML_KEM */ +#ifdef WOLFSSL_KYBER_ORIGINAL case WOLFSSL_KYBER_LEVEL1: case WOLFSSL_KYBER_LEVEL3: case WOLFSSL_KYBER_LEVEL5: @@ -3305,6 +3316,7 @@ static int isValidCurveGroup(word16 name) case WOLFSSL_P384_KYBER_LEVEL3: case WOLFSSL_P521_KYBER_LEVEL5: #endif +#endif /* WOLFSSL_KYBER_ORIGINAL */ #endif return 1; @@ -4156,12 +4168,12 @@ int wolfSSL_get_alert_history(WOLFSSL* ssl, WOLFSSL_ALERT_HISTORY *h) /* returns SSL_WRITING, SSL_READING or SSL_NOTHING */ int wolfSSL_want(WOLFSSL* ssl) { - int rw_state = SSL_NOTHING; + int rw_state = WOLFSSL_NOTHING; if (ssl) { if (ssl->error == WC_NO_ERR_TRACE(WANT_READ)) - rw_state = SSL_READING; + rw_state = WOLFSSL_READING; else if (ssl->error == WC_NO_ERR_TRACE(WANT_WRITE)) - rw_state = SSL_WRITING; + rw_state = WOLFSSL_WRITING; } return rw_state; } @@ -5020,8 +5032,13 @@ int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DecodedCert* cert) return ret; tp = cm->tpTable[row]; while (tp) { - if (XMEMCMP(cert->subjectHash, tp->subjectNameHash, + if ((XMEMCMP(cert->subjectHash, tp->subjectNameHash, SIGNER_DIGEST_SIZE) == 0) + #ifndef WOLFSSL_NO_ISSUERHASH_TDPEER + && (XMEMCMP(cert->issuerHash, tp->issuerHash, + SIGNER_DIGEST_SIZE) == 0) + #endif + ) ret = 1; #ifndef NO_SKID if (cert->extSubjKeyIdSet) { @@ -5061,8 +5078,13 @@ TrustedPeerCert* GetTrustedPeer(void* vp, DecodedCert* cert) tp = cm->tpTable[row]; while (tp) { - if (XMEMCMP(cert->subjectHash, tp->subjectNameHash, + if ((XMEMCMP(cert->subjectHash, tp->subjectNameHash, SIGNER_DIGEST_SIZE) == 0) + #ifndef WOLFSSL_NO_ISSUERHASH_TDPEER + && (XMEMCMP(cert->issuerHash, tp->issuerHash, + SIGNER_DIGEST_SIZE) == 0) + #endif + ) ret = tp; #ifndef NO_SKID if (cert->extSubjKeyIdSet) { @@ -5328,6 +5350,10 @@ int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int verify) #endif XMEMCPY(peerCert->subjectNameHash, cert->subjectHash, SIGNER_DIGEST_SIZE); + #ifndef WOLFSSL_NO_ISSUERHASH_TDPEER + XMEMCPY(peerCert->issuerHash, cert->issuerHash, + SIGNER_DIGEST_SIZE); + #endif /* If Key Usage not set, all uses valid. */ peerCert->next = NULL; cert->subjectCN = 0; @@ -5535,13 +5561,15 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) } } - if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) { + if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA && + type != WOLFSSL_TEMP_CA) { WOLFSSL_MSG("\tCan't add as CA if not actually one"); ret = NOT_CA_ERROR; } #ifndef ALLOW_INVALID_CERTSIGN else if (ret == 0 && cert->isCA == 1 && type != WOLFSSL_USER_CA && - !cert->selfSigned && (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) { + type != WOLFSSL_TEMP_CA && !cert->selfSigned && + (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) { /* Intermediate CA certs are required to have the keyCertSign * extension set. User loaded root certs are not. */ WOLFSSL_MSG("\tDoesn't have key usage certificate signing"); @@ -5567,6 +5595,29 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) row = HashSigner(signer->subjectNameHash); #endif + #if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_FSPSM_TLS) + /* Verify CA by TSIP so that generated tsip key is going to */ + /* be able to be used for peer's cert verification */ + /* TSIP is only able to handle USER CA, and only one CA. */ + /* Therefore, it doesn't need to call TSIP again if there is already */ + /* verified CA. */ + if ( ret == 0 && signer != NULL ) { + signer->cm_idx = row; + if (type == WOLFSSL_USER_CA) { + if ((ret = wc_Renesas_cmn_RootCertVerify(cert->source, + cert->maxIdx, + cert->sigCtx.CertAtt.pubkey_n_start, + cert->sigCtx.CertAtt.pubkey_n_len - 1, + cert->sigCtx.CertAtt.pubkey_e_start, + cert->sigCtx.CertAtt.pubkey_e_len - 1, + row/* cm index */)) + < 0) + WOLFSSL_MSG("Renesas_RootCertVerify() failed"); + else + WOLFSSL_MSG("Renesas_RootCertVerify() succeed or skipped"); + } + } + #endif /* TSIP or SCE */ if (ret == 0 && wc_LockMutex(&cm->caLock) == 0) { signer->next = cm->caTable[row]; @@ -5580,28 +5631,6 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) ret = BAD_MUTEX_E; } } -#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_FSPSM_TLS) - /* Verify CA by TSIP so that generated tsip key is going to be able to */ - /* be used for peer's cert verification */ - /* TSIP is only able to handle USER CA, and only one CA. */ - /* Therefore, it doesn't need to call TSIP again if there is already */ - /* verified CA. */ - if ( ret == 0 && signer != NULL ) { - signer->cm_idx = row; - if (type == WOLFSSL_USER_CA) { - if ((ret = wc_Renesas_cmn_RootCertVerify(cert->source, cert->maxIdx, - cert->sigCtx.CertAtt.pubkey_n_start, - cert->sigCtx.CertAtt.pubkey_n_len - 1, - cert->sigCtx.CertAtt.pubkey_e_start, - cert->sigCtx.CertAtt.pubkey_e_len - 1, - row/* cm index */)) - < 0) - WOLFSSL_MSG("Renesas_RootCertVerify() failed"); - else - WOLFSSL_MSG("Renesas_RootCertVerify() succeed or skipped"); - } - } -#endif /* TSIP or SCE */ WOLFSSL_MSG("\tFreeing Parsed CA"); FreeDecodedCert(cert); @@ -5626,12 +5655,48 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) static int wolfSSL_RAND_InitMutex(void); #endif +/* If we don't have static mutex initializers, but we do have static atomic + * initializers, activate WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS to leverage + * the latter. + * + * See further explanation below in wolfSSL_Init(). + */ +#ifndef WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS + #if !defined(WOLFSSL_MUTEX_INITIALIZER) && !defined(SINGLE_THREADED) && \ + defined(WOLFSSL_ATOMIC_OPS) && defined(WOLFSSL_ATOMIC_INITIALIZER) + #define WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS 1 + #else + #define WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS 0 + #endif +#elif defined(WOLFSSL_MUTEX_INITIALIZER) || defined(SINGLE_THREADED) + #undef WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS + #define WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS 0 +#endif + +#if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS + #ifndef WOLFSSL_ATOMIC_OPS + #error WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS requires WOLFSSL_ATOMIC_OPS + #endif + #ifndef WOLFSSL_ATOMIC_INITIALIZER + #error WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS requires WOLFSSL_ATOMIC_INITIALIZER + #endif + static wolfSSL_Atomic_Int inits_count_mutex_atomic_initing_flag = + WOLFSSL_ATOMIC_INITIALIZER(0); +#endif /* WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS && !WOLFSSL_MUTEX_INITIALIZER */ + #if defined(OPENSSL_EXTRA) && defined(HAVE_ATEXIT) static void AtExitCleanup(void) { if (initRefCount > 0) { initRefCount = 1; (void)wolfSSL_Cleanup(); +#if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS + if (inits_count_mutex_valid == 1) { + (void)wc_FreeMutex(&inits_count_mutex); + inits_count_mutex_valid = 0; + inits_count_mutex_atomic_initing_flag = 0; + } +#endif } } #endif @@ -5648,8 +5713,31 @@ int wolfSSL_Init(void) #ifndef WOLFSSL_MUTEX_INITIALIZER if (inits_count_mutex_valid == 0) { + #if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS + + /* Without this mitigation, if two threads enter wolfSSL_Init() at the + * same time, and both see zero inits_count_mutex_valid, then both will + * run wc_InitMutex(&inits_count_mutex), leading to process corruption + * or (best case) a resource leak. + * + * When WOLFSSL_ATOMIC_INITIALIZER() is available, we can mitigate this + * by use an atomic counting int as a mutex. + */ + + if (wolfSSL_Atomic_Int_FetchAdd(&inits_count_mutex_atomic_initing_flag, + 1) != 0) + { + (void)wolfSSL_Atomic_Int_FetchSub( + &inits_count_mutex_atomic_initing_flag, 1); + return DEADLOCK_AVERTED_E; + } + #endif /* WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS */ if (wc_InitMutex(&inits_count_mutex) != 0) { WOLFSSL_MSG("Bad Init Mutex count"); + #if WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS + (void)wolfSSL_Atomic_Int_FetchSub( + &inits_count_mutex_atomic_initing_flag, 1); + #endif return BAD_MUTEX_E; } else { @@ -6509,17 +6597,17 @@ WOLFSSL_EVP_PKEY* wolfSSL_CTX_get0_privatekey(const WOLFSSL_CTX* ctx) switch (ctx->privateKeyType) { #ifndef NO_RSA case rsa_sa_algo: - type = EVP_PKEY_RSA; + type = WC_EVP_PKEY_RSA; break; #endif #ifdef HAVE_ECC case ecc_dsa_sa_algo: - type = EVP_PKEY_EC; + type = WC_EVP_PKEY_EC; break; #endif #ifdef WOLFSSL_SM2 case sm2_sa_algo: - type = EVP_PKEY_EC; + type = WC_EVP_PKEY_EC; break; #endif default: @@ -6614,7 +6702,7 @@ static int d2iTryRsaKey(WOLFSSL_EVP_PKEY** out, const unsigned char* mem, } if (ret == 1) { XMEMCPY(pkey->pkey.ptr, mem, keyIdx); - pkey->type = EVP_PKEY_RSA; + pkey->type = WC_EVP_PKEY_RSA; pkey->ownRsa = 1; pkey->rsa = wolfssl_rsa_d2i(NULL, mem, memSz, @@ -6698,7 +6786,7 @@ static int d2iTryEccKey(WOLFSSL_EVP_PKEY** out, const unsigned char* mem, } if (ret == 1) { XMEMCPY(pkey->pkey.ptr, mem, keyIdx); - pkey->type = EVP_PKEY_EC; + pkey->type = WC_EVP_PKEY_EC; pkey->ownEcc = 1; pkey->ecc = wolfSSL_EC_KEY_new(); @@ -6786,7 +6874,7 @@ static int d2iTryDsaKey(WOLFSSL_EVP_PKEY** out, const unsigned char* mem, } if (ret == 1) { XMEMCPY(pkey->pkey.ptr, mem, keyIdx); - pkey->type = EVP_PKEY_DSA; + pkey->type = WC_EVP_PKEY_DSA; pkey->ownDsa = 1; pkey->dsa = wolfSSL_DSA_new(); @@ -6870,7 +6958,7 @@ static int d2iTryDhKey(WOLFSSL_EVP_PKEY** out, const unsigned char* mem, } if (ret == 1) { XMEMCPY(pkey->pkey.ptr, mem, memSz); - pkey->type = EVP_PKEY_DH; + pkey->type = WC_EVP_PKEY_DH; pkey->ownDh = 1; pkey->dh = wolfSSL_DH_new(); @@ -6945,7 +7033,7 @@ static int d2iTryAltDhKey(WOLFSSL_EVP_PKEY** out, const unsigned char* mem, } ret = 1; - pkey->type = EVP_PKEY_DH; + pkey->type = WC_EVP_PKEY_DH; pkey->pkey_sz = (int)memSz; pkey->pkey.ptr = (char*)XMALLOC(memSz, NULL, priv ? DYNAMIC_TYPE_PRIVATE_KEY : @@ -7061,7 +7149,7 @@ static int d2iTryFalconKey(WOLFSSL_EVP_PKEY** out, const unsigned char* mem, return 0; } } - pkey->type = EVP_PKEY_FALCON; + pkey->type = WC_EVP_PKEY_FALCON; pkey->pkey.ptr = NULL; pkey->pkey_sz = 0; @@ -7146,7 +7234,7 @@ static int d2iTryDilithiumKey(WOLFSSL_EVP_PKEY** out, const unsigned char* mem, return 0; } } - pkey->type = EVP_PKEY_DILITHIUM; + pkey->type = WC_EVP_PKEY_DILITHIUM; pkey->pkey.ptr = NULL; pkey->pkey_sz = 0; @@ -7540,14 +7628,14 @@ static WOLFSSL_EVP_PKEY* _d2i_PublicKey(int type, WOLFSSL_EVP_PKEY** out, WOLFSSL_MSG("Found PKCS8 header"); pkcs8HeaderSz = (word16)idx; - if ((type == EVP_PKEY_RSA && algId != RSAk + if ((type == WC_EVP_PKEY_RSA && algId != RSAk #ifdef WC_RSA_PSS && algId != RSAPSSk #endif ) || - (type == EVP_PKEY_EC && algId != ECDSAk) || - (type == EVP_PKEY_DSA && algId != DSAk) || - (type == EVP_PKEY_DH && algId != DHk)) { + (type == WC_EVP_PKEY_EC && algId != ECDSAk) || + (type == WC_EVP_PKEY_DSA && algId != DSAk) || + (type == WC_EVP_PKEY_DH && algId != DHk)) { WOLFSSL_MSG("PKCS8 does not match EVP key type"); return NULL; } @@ -7587,7 +7675,7 @@ static WOLFSSL_EVP_PKEY* _d2i_PublicKey(int type, WOLFSSL_EVP_PKEY** out, switch (type) { #ifndef NO_RSA - case EVP_PKEY_RSA: + case WC_EVP_PKEY_RSA: opt = priv ? WOLFSSL_RSA_LOAD_PRIVATE : WOLFSSL_RSA_LOAD_PUBLIC; local->ownRsa = 1; local->rsa = wolfssl_rsa_d2i(NULL, @@ -7599,7 +7687,7 @@ static WOLFSSL_EVP_PKEY* _d2i_PublicKey(int type, WOLFSSL_EVP_PKEY** out, break; #endif /* NO_RSA */ #ifdef HAVE_ECC - case EVP_PKEY_EC: + case WC_EVP_PKEY_EC: local->ownEcc = 1; local->ecc = wolfSSL_EC_KEY_new(); if (local->ecc == NULL) { @@ -7619,7 +7707,7 @@ static WOLFSSL_EVP_PKEY* _d2i_PublicKey(int type, WOLFSSL_EVP_PKEY** out, #endif /* HAVE_ECC */ #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH) #ifndef NO_DSA - case EVP_PKEY_DSA: + case WC_EVP_PKEY_DSA: local->ownDsa = 1; local->dsa = wolfSSL_DSA_new(); if (local->dsa == NULL) { @@ -7638,7 +7726,7 @@ static WOLFSSL_EVP_PKEY* _d2i_PublicKey(int type, WOLFSSL_EVP_PKEY** out, #endif /* NO_DSA */ #ifndef NO_DH #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION>2)) - case EVP_PKEY_DH: + case WC_EVP_PKEY_DH: local->ownDh = 1; local->dh = wolfSSL_DH_new(); if (local->dh == NULL) { @@ -7723,7 +7811,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out, switch (type) { #ifndef NO_RSA - case EVP_PKEY_RSA: + case WC_EVP_PKEY_RSA: { RsaKey* key; local->ownRsa = 1; @@ -7742,7 +7830,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_id(int type, WOLFSSL_EVP_PKEY** out, } #endif /* !NO_RSA */ #ifdef HAVE_ECC - case EVP_PKEY_EC: + case WC_EVP_PKEY_EC: { ecc_key* key; local->ownEcc = 1; @@ -9339,8 +9427,8 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, #ifdef OPENSSL_EXTRA if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_ST_CONNECT, WOLFSSL_SUCCESS); - ssl->cbmode = SSL_CB_WRITE; + ssl->CBIS(ssl, WOLFSSL_ST_CONNECT, WOLFSSL_SUCCESS); + ssl->cbmode = WOLFSSL_CB_WRITE; } #endif #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */ @@ -10407,7 +10495,8 @@ int wolfSSL_Cleanup(void) #endif #endif /* !NO_SESSION_CACHE */ -#ifndef WOLFSSL_MUTEX_INITIALIZER +#if !defined(WOLFSSL_MUTEX_INITIALIZER) && \ + !WOLFSSL_CLEANUP_THREADSAFE_BY_ATOMIC_OPS if ((inits_count_mutex_valid == 1) && (wc_FreeMutex(&inits_count_mutex) != 0)) { if (ret == WOLFSSL_SUCCESS) @@ -10448,11 +10537,7 @@ int wolfSSL_Cleanup(void) #endif #endif -#if defined(HAVE_EX_DATA) && \ - (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || \ - defined(HAVE_LIGHTY)) || defined(HAVE_EX_DATA) || \ - defined(WOLFSSL_WPAS_SMALL) +#ifdef HAVE_EX_DATA_CRYPTO crypto_ex_cb_free(crypto_ex_cb_ctx_session); crypto_ex_cb_ctx_session = NULL; #endif @@ -11029,18 +11114,30 @@ int wolfSSL_set_compression(WOLFSSL* ssl) int wolfSSL_CTX_UnloadIntermediateCerts(WOLFSSL_CTX* ctx) { + int ret; + WOLFSSL_ENTER("wolfSSL_CTX_UnloadIntermediateCerts"); if (ctx == NULL) return BAD_FUNC_ARG; + ret = wolfSSL_RefWithMutexLock(&ctx->ref); + if (ret < 0) + return ret; + if (ctx->ref.count > 1) { WOLFSSL_MSG("ctx object must have a ref count of 1 before " "unloading intermediate certs"); - return BAD_STATE_E; + ret = BAD_STATE_E; + } + else { + ret = wolfSSL_CertManagerUnloadIntermediateCerts(ctx->cm); } - return wolfSSL_CertManagerUnloadIntermediateCerts(ctx->cm); + if (wolfSSL_RefWithMutexUnlock(&ctx->ref) != 0) + WOLFSSL_MSG("Failed to unlock mutex!"); + + return ret; } @@ -11188,11 +11285,11 @@ int wolfSSL_set_compression(WOLFSSL* ssl) /* User programs should always retry reading from these BIOs */ if (rd) { /* User writes to rd */ - BIO_set_retry_write(rd); + wolfSSL_BIO_set_retry_write(rd); } if (wr) { /* User reads from wr */ - BIO_set_retry_read(wr); + wolfSSL_BIO_set_retry_read(wr); } } @@ -13137,7 +13234,11 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, unsigned long wolfSSLeay(void) { +#ifdef SSLEAY_VERSION_NUMBER return SSLEAY_VERSION_NUMBER; +#else + return OPENSSL_VERSION_NUMBER; +#endif } unsigned long wolfSSL_OpenSSL_version_num(void) @@ -13294,7 +13395,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, WOLFSSL_ENTER("wolfSSL_CTX_set_mode"); switch(mode) { - case SSL_MODE_ENABLE_PARTIAL_WRITE: + case WOLFSSL_MODE_ENABLE_PARTIAL_WRITE: ctx->partialWrite = 1; break; #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) @@ -13302,14 +13403,14 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, WOLFSSL_MSG("SSL_MODE_RELEASE_BUFFERS not implemented."); break; #endif - case SSL_MODE_AUTO_RETRY: + case WOLFSSL_MODE_AUTO_RETRY: ctx->autoRetry = 1; break; default: WOLFSSL_MSG("Mode Not Implemented"); } - /* SSL_MODE_AUTO_RETRY + /* WOLFSSL_MODE_AUTO_RETRY * Should not return WOLFSSL_FATAL_ERROR with renegotiation on read/write */ return mode; @@ -13321,7 +13422,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, WOLFSSL_ENTER("wolfSSL_CTX_clear_mode"); switch(mode) { - case SSL_MODE_ENABLE_PARTIAL_WRITE: + case WOLFSSL_MODE_ENABLE_PARTIAL_WRITE: ctx->partialWrite = 0; break; #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) @@ -13329,14 +13430,14 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, WOLFSSL_MSG("SSL_MODE_RELEASE_BUFFERS not implemented."); break; #endif - case SSL_MODE_AUTO_RETRY: + case WOLFSSL_MODE_AUTO_RETRY: ctx->autoRetry = 0; break; default: WOLFSSL_MSG("Mode Not Implemented"); } - /* SSL_MODE_AUTO_RETRY + /* WOLFSSL_MODE_AUTO_RETRY * Should not return WOLFSSL_FATAL_ERROR with renegotiation on read/write */ return 0; @@ -13482,7 +13583,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, * * file output pointer to file where error happened * line output to line number of error - * data output data. Is a string if ERR_TXT_STRING flag is used + * data output data. Is a string if WOLFSSL_ERR_TXT_STRING flag is used * flags output format of output * * Returns the error value or 0 if no errors are in the queue @@ -13496,7 +13597,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, WOLFSSL_ENTER("wolfSSL_ERR_get_error_line_data"); if (flags != NULL) - *flags = ERR_TXT_STRING; /* Clear the flags */ + *flags = WOLFSSL_ERR_TXT_STRING; /* Clear the flags */ ret = wc_PullErrorNode(file, data, line); if (ret < 0) { @@ -14538,6 +14639,42 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl) * check to override this result in the case of a hybrid. */ if (IsAtLeastTLSv1_3(ssl->version)) { switch (ssl->namedGroup) { +#ifndef WOLFSSL_NO_ML_KEM +#ifdef HAVE_LIBOQS + case WOLFSSL_ML_KEM_512: + return "ML_KEM_512"; + case WOLFSSL_ML_KEM_768: + return "ML_KEM_768"; + case WOLFSSL_ML_KEM_1024: + return "ML_KEM_1024"; + case WOLFSSL_P256_ML_KEM_512: + return "P256_ML_KEM_512"; + case WOLFSSL_P384_ML_KEM_768: + return "P384_ML_KEM_768"; + case WOLFSSL_P521_ML_KEM_1024: + return "P521_ML_KEM_1024"; +#elif defined(WOLFSSL_WC_KYBER) + #ifndef WOLFSSL_NO_ML_KEM_512 + case WOLFSSL_ML_KEM_512: + return "ML_KEM_512"; + case WOLFSSL_P256_ML_KEM_512: + return "P256_ML_KEM_512"; + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + case WOLFSSL_ML_KEM_768: + return "ML_KEM_768"; + case WOLFSSL_P384_ML_KEM_768: + return "P384_ML_KEM_768"; + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + case WOLFSSL_ML_KEM_1024: + return "ML_KEM_1024"; + case WOLFSSL_P521_ML_KEM_1024: + return "P521_ML_KEM_1024"; + #endif +#endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef HAVE_LIBOQS case WOLFSSL_KYBER_LEVEL1: return "KYBER_LEVEL1"; @@ -14552,24 +14689,25 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl) case WOLFSSL_P521_KYBER_LEVEL5: return "P521_KYBER_LEVEL5"; #elif defined(WOLFSSL_WC_KYBER) - #ifdef WOLFSSL_KYBER512 + #ifndef WOLFSSL_NO_KYBER512 case WOLFSSL_KYBER_LEVEL1: return "KYBER_LEVEL1"; case WOLFSSL_P256_KYBER_LEVEL1: return "P256_KYBER_LEVEL1"; #endif - #ifdef WOLFSSL_KYBER768 + #ifndef WOLFSSL_NO_KYBER768 case WOLFSSL_KYBER_LEVEL3: return "KYBER_LEVEL3"; case WOLFSSL_P384_KYBER_LEVEL3: return "P384_KYBER_LEVEL3"; #endif - #ifdef WOLFSSL_KYBER1024 + #ifndef WOLFSSL_NO_KYBER1024 case WOLFSSL_KYBER_LEVEL5: return "KYBER_LEVEL5"; case WOLFSSL_P521_KYBER_LEVEL5: return "P521_KYBER_LEVEL5"; #endif +#endif #endif } } @@ -14608,7 +14746,7 @@ const char* wolfSSL_get_curve_name(WOLFSSL* ssl) #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) /* return authentication NID corresponding to cipher suite * @param cipher a pointer to WOLFSSL_CIPHER - * return NID if found, NID_undef if not found + * return NID if found, WC_NID_undef if not found */ int wolfSSL_CIPHER_get_auth_nid(const WOLFSSL_CIPHER* cipher) { @@ -14616,12 +14754,12 @@ int wolfSSL_CIPHER_get_auth_nid(const WOLFSSL_CIPHER* cipher) const char* alg_name; const int nid; } authnid_tbl[] = { - {"RSA", NID_auth_rsa}, - {"PSK", NID_auth_psk}, - {"SRP", NID_auth_srp}, - {"ECDSA", NID_auth_ecdsa}, - {"None", NID_auth_null}, - {NULL, NID_undef} + {"RSA", WC_NID_auth_rsa}, + {"PSK", WC_NID_auth_psk}, + {"SRP", WC_NID_auth_srp}, + {"ECDSA", WC_NID_auth_ecdsa}, + {"None", WC_NID_auth_null}, + {NULL, WC_NID_undef} }; const char* authStr; @@ -14629,7 +14767,7 @@ int wolfSSL_CIPHER_get_auth_nid(const WOLFSSL_CIPHER* cipher) if (GetCipherSegment(cipher, n) == NULL) { WOLFSSL_MSG("no suitable cipher name found"); - return NID_undef; + return WC_NID_undef; } authStr = GetCipherAuthStr(n); @@ -14643,11 +14781,11 @@ int wolfSSL_CIPHER_get_auth_nid(const WOLFSSL_CIPHER* cipher) } } - return NID_undef; + return WC_NID_undef; } /* return cipher NID corresponding to cipher suite * @param cipher a pointer to WOLFSSL_CIPHER - * return NID if found, NID_undef if not found + * return NID if found, WC_NID_undef if not found */ int wolfSSL_CIPHER_get_cipher_nid(const WOLFSSL_CIPHER* cipher) { @@ -14655,18 +14793,18 @@ int wolfSSL_CIPHER_get_cipher_nid(const WOLFSSL_CIPHER* cipher) const char* alg_name; const int nid; } ciphernid_tbl[] = { - {"AESGCM(256)", NID_aes_256_gcm}, - {"AESGCM(128)", NID_aes_128_gcm}, - {"AESCCM(128)", NID_aes_128_ccm}, - {"AES(128)", NID_aes_128_cbc}, - {"AES(256)", NID_aes_256_cbc}, - {"CAMELLIA(256)", NID_camellia_256_cbc}, - {"CAMELLIA(128)", NID_camellia_128_cbc}, - {"RC4", NID_rc4}, - {"3DES", NID_des_ede3_cbc}, - {"CHACHA20/POLY1305(256)", NID_chacha20_poly1305}, - {"None", NID_undef}, - {NULL, NID_undef} + {"AESGCM(256)", WC_NID_aes_256_gcm}, + {"AESGCM(128)", WC_NID_aes_128_gcm}, + {"AESCCM(128)", WC_NID_aes_128_ccm}, + {"AES(128)", WC_NID_aes_128_cbc}, + {"AES(256)", WC_NID_aes_256_cbc}, + {"CAMELLIA(256)", WC_NID_camellia_256_cbc}, + {"CAMELLIA(128)", WC_NID_camellia_128_cbc}, + {"RC4", WC_NID_rc4}, + {"3DES", WC_NID_des_ede3_cbc}, + {"CHACHA20/POLY1305(256)", WC_NID_chacha20_poly1305}, + {"None", WC_NID_undef}, + {NULL, WC_NID_undef} }; const char* encStr; @@ -14676,7 +14814,7 @@ int wolfSSL_CIPHER_get_cipher_nid(const WOLFSSL_CIPHER* cipher) if (GetCipherSegment(cipher, n) == NULL) { WOLFSSL_MSG("no suitable cipher name found"); - return NID_undef; + return WC_NID_undef; } encStr = GetCipherEncStr(n); @@ -14690,11 +14828,11 @@ int wolfSSL_CIPHER_get_cipher_nid(const WOLFSSL_CIPHER* cipher) } } - return NID_undef; + return WC_NID_undef; } /* return digest NID corresponding to cipher suite * @param cipher a pointer to WOLFSSL_CIPHER - * return NID if found, NID_undef if not found + * return NID if found, WC_NID_undef if not found */ int wolfSSL_CIPHER_get_digest_nid(const WOLFSSL_CIPHER* cipher) { @@ -14702,10 +14840,10 @@ int wolfSSL_CIPHER_get_digest_nid(const WOLFSSL_CIPHER* cipher) const char* alg_name; const int nid; } macnid_tbl[] = { - {"SHA1", NID_sha1}, - {"SHA256", NID_sha256}, - {"SHA384", NID_sha384}, - {NULL, NID_undef} + {"SHA1", WC_NID_sha1}, + {"SHA256", WC_NID_sha256}, + {"SHA384", WC_NID_sha384}, + {NULL, WC_NID_undef} }; const char* name; @@ -14717,12 +14855,12 @@ int wolfSSL_CIPHER_get_digest_nid(const WOLFSSL_CIPHER* cipher) if ((name = GetCipherSegment(cipher, n)) == NULL) { WOLFSSL_MSG("no suitable cipher name found"); - return NID_undef; + return WC_NID_undef; } - /* in MD5 case, NID will be NID_md5 */ + /* in MD5 case, NID will be WC_NID_md5 */ if (XSTRSTR(name, "MD5") != NULL) { - return NID_md5; + return WC_NID_md5; } macStr = GetCipherMacStr(n); @@ -14736,11 +14874,11 @@ int wolfSSL_CIPHER_get_digest_nid(const WOLFSSL_CIPHER* cipher) } } - return NID_undef; + return WC_NID_undef; } /* return key exchange NID corresponding to cipher suite * @param cipher a pointer to WOLFSSL_CIPHER - * return NID if found, NID_undef if not found + * return NID if found, WC_NID_undef if not found */ int wolfSSL_CIPHER_get_kx_nid(const WOLFSSL_CIPHER* cipher) { @@ -14748,15 +14886,15 @@ int wolfSSL_CIPHER_get_kx_nid(const WOLFSSL_CIPHER* cipher) const char* name; const int nid; } kxnid_table[] = { - {"ECDHEPSK", NID_kx_ecdhe_psk}, - {"ECDH", NID_kx_ecdhe}, - {"DHEPSK", NID_kx_dhe_psk}, - {"DH", NID_kx_dhe}, - {"RSAPSK", NID_kx_rsa_psk}, - {"SRP", NID_kx_srp}, - {"EDH", NID_kx_dhe}, - {"RSA", NID_kx_rsa}, - {NULL, NID_undef} + {"ECDHEPSK", WC_NID_kx_ecdhe_psk}, + {"ECDH", WC_NID_kx_ecdhe}, + {"DHEPSK", WC_NID_kx_dhe_psk}, + {"DH", WC_NID_kx_dhe}, + {"RSAPSK", WC_NID_kx_rsa_psk}, + {"SRP", WC_NID_kx_srp}, + {"EDH", WC_NID_kx_dhe}, + {"RSA", WC_NID_kx_rsa}, + {NULL, WC_NID_undef} }; const char* keaStr; @@ -14766,12 +14904,12 @@ int wolfSSL_CIPHER_get_kx_nid(const WOLFSSL_CIPHER* cipher) if (GetCipherSegment(cipher, n) == NULL) { WOLFSSL_MSG("no suitable cipher name found"); - return NID_undef; + return WC_NID_undef; } - /* in TLS 1.3 case, NID will be NID_kx_any */ + /* in TLS 1.3 case, NID will be WC_NID_kx_any */ if (XSTRCMP(n[0], "TLS13") == 0) { - return NID_kx_any; + return WC_NID_kx_any; } keaStr = GetCipherKeaStr(n); @@ -14785,7 +14923,7 @@ int wolfSSL_CIPHER_get_kx_nid(const WOLFSSL_CIPHER* cipher) } } - return NID_undef; + return WC_NID_undef; } /* check if cipher suite is AEAD * @param cipher a pointer to WOLFSSL_CIPHER @@ -14799,7 +14937,7 @@ int wolfSSL_CIPHER_is_aead(const WOLFSSL_CIPHER* cipher) if (GetCipherSegment(cipher, n) == NULL) { WOLFSSL_MSG("no suitable cipher name found"); - return NID_undef; + return WC_NID_undef; } return IsCipherAEAD(n); @@ -15108,7 +15246,7 @@ static WC_INLINE const char* wolfssl_mac_to_string(int mac) macStr = "SHA1"; break; #endif -#ifdef HAVE_SHA224 +#ifdef WOLFSSL_SHA224 case sha224_mac: macStr = "SHA224"; break; @@ -15118,12 +15256,12 @@ static WC_INLINE const char* wolfssl_mac_to_string(int mac) macStr = "SHA256"; break; #endif -#ifdef HAVE_SHA384 +#ifdef WOLFSSL_SHA384 case sha384_mac: macStr = "SHA384"; break; #endif -#ifdef HAVE_SHA512 +#ifdef WOLFSSL_SHA512 case sha512_mac: macStr = "SHA512"; break; @@ -15384,12 +15522,12 @@ int wolfSSL_i2d_PublicKey(const WOLFSSL_EVP_PKEY *key, unsigned char **der) } key_type = key->type; - if ((key_type != EVP_PKEY_EC) && (key_type != EVP_PKEY_RSA)) { + if ((key_type != WC_EVP_PKEY_EC) && (key_type != WC_EVP_PKEY_RSA)) { return WOLFSSL_FATAL_ERROR; } #ifndef NO_RSA - if (key_type == EVP_PKEY_RSA) { + if (key_type == WC_EVP_PKEY_RSA) { return wolfSSL_i2d_RSAPublicKey(key->rsa, der); } #endif @@ -15611,32 +15749,40 @@ unsigned long wolfSSL_ERR_peek_error(void) return wolfSSL_ERR_peek_error_line_data(NULL, NULL, NULL, NULL); } +#ifdef WOLFSSL_DEBUG_TRACE_ERROR_CODES_H +#include +#endif + int wolfSSL_ERR_GET_LIB(unsigned long err) { unsigned long value; value = (err & 0xFFFFFFL); switch (value) { - case -WC_NO_ERR_TRACE(PARSE_ERROR): - return ERR_LIB_SSL; - case -WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER): - case PEM_R_NO_START_LINE: - case PEM_R_PROBLEMS_GETTING_PASSWORD: - case PEM_R_BAD_PASSWORD_READ: - case PEM_R_BAD_DECRYPT: - return ERR_LIB_PEM; - case EVP_R_BAD_DECRYPT: - case EVP_R_BN_DECODE_ERROR: - case EVP_R_DECODE_ERROR: - case EVP_R_PRIVATE_KEY_DECODE_ERROR: - return ERR_LIB_EVP; - case ASN1_R_HEADER_TOO_LONG: - return ERR_LIB_ASN1; + case -PARSE_ERROR: + return WOLFSSL_ERR_LIB_SSL; + case -ASN_NO_PEM_HEADER: + case -WOLFSSL_PEM_R_NO_START_LINE_E: + case -WOLFSSL_PEM_R_PROBLEMS_GETTING_PASSWORD_E: + case -WOLFSSL_PEM_R_BAD_PASSWORD_READ_E: + case -WOLFSSL_PEM_R_BAD_DECRYPT_E: + return WOLFSSL_ERR_LIB_PEM; + case -WOLFSSL_EVP_R_BAD_DECRYPT_E: + case -WOLFSSL_EVP_R_BN_DECODE_ERROR: + case -WOLFSSL_EVP_R_DECODE_ERROR: + case -WOLFSSL_EVP_R_PRIVATE_KEY_DECODE_ERROR: + return WOLFSSL_ERR_LIB_EVP; + case -WOLFSSL_ASN1_R_HEADER_TOO_LONG_E: + return WOLFSSL_ERR_LIB_ASN1; default: return 0; } } +#ifdef WOLFSSL_DEBUG_TRACE_ERROR_CODES +#include +#endif + /* This function is to find global error values that are the same through out * all library version. With wolfSSL having only one set of error codes the * return value is pretty straight forward. The only thing needed is all wolfSSL @@ -15665,11 +15811,11 @@ int wolfSSL_ERR_GET_REASON(unsigned long err) return ASN1_R_HEADER_TOO_LONG; #endif - /* check if error value is in range of wolfSSL errors */ + /* check if error value is in range of wolfCrypt or wolfSSL errors */ ret = 0 - ret; /* setting as negative value */ - /* wolfCrypt range is less than MAX (-100) - wolfSSL range is MIN (-300) and lower */ - if ((ret <= WC_FIRST_E && ret >= WC_LAST_E) || + + if ((ret <= WC_SPAN1_FIRST_E && ret >= WC_SPAN1_LAST_E) || + (ret <= WC_SPAN2_FIRST_E && ret >= WC_SPAN2_LAST_E) || (ret <= WOLFSSL_FIRST_E && ret >= WOLFSSL_LAST_E)) { return ret; @@ -15848,10 +15994,10 @@ const char* wolfSSL_state_string_long(const WOLFSSL* ssl) } /* Get state of callback */ - if (ssl->cbmode == SSL_CB_MODE_WRITE) { + if (ssl->cbmode == WOLFSSL_CB_MODE_WRITE) { cbmode = SS_WRITE; } - else if (ssl->cbmode == SSL_CB_MODE_READ) { + else if (ssl->cbmode == WOLFSSL_CB_MODE_READ) { cbmode = SS_READ; } else { @@ -15901,7 +16047,7 @@ const char* wolfSSL_state_string_long(const WOLFSSL* ssl) } /* accept process */ - if (ssl->cbmode == SSL_CB_MODE_READ) { + if (ssl->cbmode == WOLFSSL_CB_MODE_READ) { state = ssl->cbtype; switch (state) { case hello_request: @@ -16349,7 +16495,7 @@ long wolfSSL_set_tlsext_status_type(WOLFSSL *s, int type) return BAD_FUNC_ARG; } - if (type == TLSEXT_STATUSTYPE_ocsp){ + if (type == WOLFSSL_TLSEXT_STATUSTYPE_ocsp){ int r = TLSX_UseCertificateStatusRequest(&s->extensions, (byte)type, 0, s, s->heap, s->devId); return (long)r; @@ -16368,7 +16514,7 @@ long wolfSSL_get_tlsext_status_type(WOLFSSL *s) if (s == NULL) return WOLFSSL_FATAL_ERROR; extension = TLSX_Find(s->extensions, TLSX_STATUS_REQUEST); - return extension != NULL ? TLSEXT_STATUSTYPE_ocsp : WOLFSSL_FATAL_ERROR; + return extension != NULL ? WOLFSSL_TLSEXT_STATUSTYPE_ocsp : WOLFSSL_FATAL_ERROR; } #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ @@ -16427,20 +16573,20 @@ WOLFSSL_EVP_PKEY *wolfSSL_get_privatekey(const WOLFSSL *ssl) #ifndef NO_WOLFSSL_STUB /*** TBD ***/ -void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, +void WOLFSSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, WOLFSSL_DH *(*dh) (WOLFSSL *ssl, int is_export, int keylength)) { (void)ctx; (void)dh; - WOLFSSL_STUB("SSL_CTX_set_tmp_dh_callback"); + WOLFSSL_STUB("WOLFSSL_CTX_set_tmp_dh_callback"); } #endif #ifndef NO_WOLFSSL_STUB /*** TBD ***/ -WOLF_STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) +WOLF_STACK_OF(WOLFSSL_COMP) *WOLFSSL_COMP_get_compression_methods(void) { - WOLFSSL_STUB("SSL_COMP_get_compression_methods"); + WOLFSSL_STUB("WOLFSSL_COMP_get_compression_methods"); return NULL; } #endif @@ -16462,7 +16608,7 @@ WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(WOLFSSL_STACK* sk, int i) } #if !defined(NETOS) -void ERR_load_SSL_strings(void) +void wolfSSL_ERR_load_SSL_strings(void) { } @@ -17285,48 +17431,49 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname) } #endif #endif /* OPENSSL_EXTRA */ + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) const WOLFSSL_ObjectInfo wolfssl_object_info[] = { #ifndef NO_CERTS /* oidCertExtType */ - { NID_basic_constraints, BASIC_CA_OID, oidCertExtType, "basicConstraints", + { WC_NID_basic_constraints, BASIC_CA_OID, oidCertExtType, "basicConstraints", "X509v3 Basic Constraints"}, - { NID_subject_alt_name, ALT_NAMES_OID, oidCertExtType, "subjectAltName", + { WC_NID_subject_alt_name, ALT_NAMES_OID, oidCertExtType, "subjectAltName", "X509v3 Subject Alternative Name"}, - { NID_crl_distribution_points, CRL_DIST_OID, oidCertExtType, + { WC_NID_crl_distribution_points, CRL_DIST_OID, oidCertExtType, "crlDistributionPoints", "X509v3 CRL Distribution Points"}, - { NID_info_access, AUTH_INFO_OID, oidCertExtType, "authorityInfoAccess", + { WC_NID_info_access, AUTH_INFO_OID, oidCertExtType, "authorityInfoAccess", "Authority Information Access"}, - { NID_authority_key_identifier, AUTH_KEY_OID, oidCertExtType, + { WC_NID_authority_key_identifier, AUTH_KEY_OID, oidCertExtType, "authorityKeyIdentifier", "X509v3 Authority Key Identifier"}, - { NID_subject_key_identifier, SUBJ_KEY_OID, oidCertExtType, + { WC_NID_subject_key_identifier, SUBJ_KEY_OID, oidCertExtType, "subjectKeyIdentifier", "X509v3 Subject Key Identifier"}, - { NID_key_usage, KEY_USAGE_OID, oidCertExtType, "keyUsage", + { WC_NID_key_usage, KEY_USAGE_OID, oidCertExtType, "keyUsage", "X509v3 Key Usage"}, - { NID_inhibit_any_policy, INHIBIT_ANY_OID, oidCertExtType, + { WC_NID_inhibit_any_policy, INHIBIT_ANY_OID, oidCertExtType, "inhibitAnyPolicy", "X509v3 Inhibit Any Policy"}, - { NID_ext_key_usage, EXT_KEY_USAGE_OID, oidCertExtType, + { WC_NID_ext_key_usage, EXT_KEY_USAGE_OID, oidCertExtType, "extendedKeyUsage", "X509v3 Extended Key Usage"}, - { NID_name_constraints, NAME_CONS_OID, oidCertExtType, + { WC_NID_name_constraints, NAME_CONS_OID, oidCertExtType, "nameConstraints", "X509v3 Name Constraints"}, - { NID_certificate_policies, CERT_POLICY_OID, oidCertExtType, + { WC_NID_certificate_policies, CERT_POLICY_OID, oidCertExtType, "certificatePolicies", "X509v3 Certificate Policies"}, /* oidCertAuthInfoType */ - { NID_ad_OCSP, AIA_OCSP_OID, oidCertAuthInfoType, "OCSP", + { WC_NID_ad_OCSP, AIA_OCSP_OID, oidCertAuthInfoType, "OCSP", "OCSP"}, - { NID_ad_ca_issuers, AIA_CA_ISSUER_OID, oidCertAuthInfoType, + { WC_NID_ad_ca_issuers, AIA_CA_ISSUER_OID, oidCertAuthInfoType, "caIssuers", "CA Issuers"}, /* oidCertPolicyType */ - { NID_any_policy, CP_ANY_OID, oidCertPolicyType, "anyPolicy", + { WC_NID_any_policy, CP_ANY_OID, oidCertPolicyType, "anyPolicy", "X509v3 Any Policy"}, /* oidCertAltNameType */ - { NID_hw_name_oid, HW_NAME_OID, oidCertAltNameType, "Hardware name",""}, + { WC_NID_hw_name_oid, HW_NAME_OID, oidCertAltNameType, "Hardware name",""}, /* oidCertKeyUseType */ - { NID_anyExtendedKeyUsage, EKU_ANY_OID, oidCertKeyUseType, + { WC_NID_anyExtendedKeyUsage, EKU_ANY_OID, oidCertKeyUseType, "anyExtendedKeyUsage", "Any Extended Key Usage"}, { EKU_SERVER_AUTH_OID, EKU_SERVER_AUTH_OID, oidCertKeyUseType, "serverAuth", "TLS Web Server Authentication"}, @@ -17336,192 +17483,192 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { "OCSPSigning", "OCSP Signing"}, /* oidCertNameType */ - { NID_commonName, NID_commonName, oidCertNameType, "CN", "commonName"}, + { WC_NID_commonName, WC_NID_commonName, oidCertNameType, "CN", "commonName"}, #if !defined(WOLFSSL_CERT_REQ) - { NID_surname, NID_surname, oidCertNameType, "SN", "surname"}, + { WC_NID_surname, WC_NID_surname, oidCertNameType, "SN", "surname"}, #endif - { NID_serialNumber, NID_serialNumber, oidCertNameType, "serialNumber", + { WC_NID_serialNumber, WC_NID_serialNumber, oidCertNameType, "serialNumber", "serialNumber"}, - { NID_userId, NID_userId, oidCertNameType, "UID", "userid"}, - { NID_countryName, NID_countryName, oidCertNameType, "C", "countryName"}, - { NID_localityName, NID_localityName, oidCertNameType, "L", "localityName"}, - { NID_stateOrProvinceName, NID_stateOrProvinceName, oidCertNameType, "ST", + { WC_NID_userId, WC_NID_userId, oidCertNameType, "UID", "userid"}, + { WC_NID_countryName, WC_NID_countryName, oidCertNameType, "C", "countryName"}, + { WC_NID_localityName, WC_NID_localityName, oidCertNameType, "L", "localityName"}, + { WC_NID_stateOrProvinceName, WC_NID_stateOrProvinceName, oidCertNameType, "ST", "stateOrProvinceName"}, - { NID_streetAddress, NID_streetAddress, oidCertNameType, "street", + { WC_NID_streetAddress, WC_NID_streetAddress, oidCertNameType, "street", "streetAddress"}, - { NID_organizationName, NID_organizationName, oidCertNameType, "O", + { WC_NID_organizationName, WC_NID_organizationName, oidCertNameType, "O", "organizationName"}, - { NID_organizationalUnitName, NID_organizationalUnitName, oidCertNameType, + { WC_NID_organizationalUnitName, WC_NID_organizationalUnitName, oidCertNameType, "OU", "organizationalUnitName"}, - { NID_emailAddress, NID_emailAddress, oidCertNameType, "emailAddress", + { WC_NID_emailAddress, WC_NID_emailAddress, oidCertNameType, "emailAddress", "emailAddress"}, - { NID_domainComponent, NID_domainComponent, oidCertNameType, "DC", + { WC_NID_domainComponent, WC_NID_domainComponent, oidCertNameType, "DC", "domainComponent"}, - { NID_favouriteDrink, NID_favouriteDrink, oidCertNameType, "favouriteDrink", + { WC_NID_favouriteDrink, WC_NID_favouriteDrink, oidCertNameType, "favouriteDrink", "favouriteDrink"}, - { NID_businessCategory, NID_businessCategory, oidCertNameType, + { WC_NID_businessCategory, WC_NID_businessCategory, oidCertNameType, "businessCategory", "businessCategory"}, - { NID_jurisdictionCountryName, NID_jurisdictionCountryName, oidCertNameType, + { WC_NID_jurisdictionCountryName, WC_NID_jurisdictionCountryName, oidCertNameType, "jurisdictionC", "jurisdictionCountryName"}, - { NID_jurisdictionStateOrProvinceName, NID_jurisdictionStateOrProvinceName, + { WC_NID_jurisdictionStateOrProvinceName, WC_NID_jurisdictionStateOrProvinceName, oidCertNameType, "jurisdictionST", "jurisdictionStateOrProvinceName"}, - { NID_postalCode, NID_postalCode, oidCertNameType, "postalCode", + { WC_NID_postalCode, WC_NID_postalCode, oidCertNameType, "postalCode", "postalCode"}, - { NID_userId, NID_userId, oidCertNameType, "UID", "userId"}, + { WC_NID_userId, WC_NID_userId, oidCertNameType, "UID", "userId"}, #if defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_NAME_ALL) - { NID_pkcs9_challengePassword, CHALLENGE_PASSWORD_OID, + { WC_NID_pkcs9_challengePassword, CHALLENGE_PASSWORD_OID, oidCsrAttrType, "challengePassword", "challengePassword"}, - { NID_pkcs9_contentType, PKCS9_CONTENT_TYPE_OID, + { WC_NID_pkcs9_contentType, PKCS9_CONTENT_TYPE_OID, oidCsrAttrType, "contentType", "contentType" }, - { NID_pkcs9_unstructuredName, UNSTRUCTURED_NAME_OID, + { WC_NID_pkcs9_unstructuredName, UNSTRUCTURED_NAME_OID, oidCsrAttrType, "unstructuredName", "unstructuredName" }, - { NID_name, NAME_OID, oidCsrAttrType, "name", "name" }, - { NID_surname, SURNAME_OID, + { WC_NID_name, NAME_OID, oidCsrAttrType, "name", "name" }, + { WC_NID_surname, SURNAME_OID, oidCsrAttrType, "surname", "surname" }, - { NID_givenName, GIVEN_NAME_OID, + { WC_NID_givenName, GIVEN_NAME_OID, oidCsrAttrType, "givenName", "givenName" }, - { NID_initials, INITIALS_OID, + { WC_NID_initials, INITIALS_OID, oidCsrAttrType, "initials", "initials" }, - { NID_dnQualifier, DNQUALIFIER_OID, + { WC_NID_dnQualifier, DNQUALIFIER_OID, oidCsrAttrType, "dnQualifer", "dnQualifier" }, #endif #endif #ifdef OPENSSL_EXTRA /* OPENSSL_EXTRA_X509_SMALL only needs the above */ /* oidHashType */ #ifdef WOLFSSL_MD2 - { NID_md2, MD2h, oidHashType, "MD2", "md2"}, + { WC_NID_md2, MD2h, oidHashType, "MD2", "md2"}, #endif - #ifdef WOLFSSL_MD5 - { NID_md5, MD5h, oidHashType, "MD5", "md5"}, + #ifndef NO_MD5 + { WC_NID_md5, MD5h, oidHashType, "MD5", "md5"}, #endif #ifndef NO_SHA - { NID_sha1, SHAh, oidHashType, "SHA1", "sha1"}, + { WC_NID_sha1, SHAh, oidHashType, "SHA1", "sha1"}, #endif #ifdef WOLFSSL_SHA224 - { NID_sha224, SHA224h, oidHashType, "SHA224", "sha224"}, + { WC_NID_sha224, SHA224h, oidHashType, "SHA224", "sha224"}, #endif #ifndef NO_SHA256 - { NID_sha256, SHA256h, oidHashType, "SHA256", "sha256"}, + { WC_NID_sha256, SHA256h, oidHashType, "SHA256", "sha256"}, #endif #ifdef WOLFSSL_SHA384 - { NID_sha384, SHA384h, oidHashType, "SHA384", "sha384"}, + { WC_NID_sha384, SHA384h, oidHashType, "SHA384", "sha384"}, #endif #ifdef WOLFSSL_SHA512 - { NID_sha512, SHA512h, oidHashType, "SHA512", "sha512"}, + { WC_NID_sha512, SHA512h, oidHashType, "SHA512", "sha512"}, #endif #ifdef WOLFSSL_SHA3 #ifndef WOLFSSL_NOSHA3_224 - { NID_sha3_224, SHA3_224h, oidHashType, "SHA3-224", "sha3-224"}, + { WC_NID_sha3_224, SHA3_224h, oidHashType, "SHA3-224", "sha3-224"}, #endif #ifndef WOLFSSL_NOSHA3_256 - { NID_sha3_256, SHA3_256h, oidHashType, "SHA3-256", "sha3-256"}, + { WC_NID_sha3_256, SHA3_256h, oidHashType, "SHA3-256", "sha3-256"}, #endif #ifndef WOLFSSL_NOSHA3_384 - { NID_sha3_384, SHA3_384h, oidHashType, "SHA3-384", "sha3-384"}, + { WC_NID_sha3_384, SHA3_384h, oidHashType, "SHA3-384", "sha3-384"}, #endif #ifndef WOLFSSL_NOSHA3_512 - { NID_sha3_512, SHA3_512h, oidHashType, "SHA3-512", "sha3-512"}, + { WC_NID_sha3_512, SHA3_512h, oidHashType, "SHA3-512", "sha3-512"}, #endif #endif /* WOLFSSL_SHA3 */ #ifdef WOLFSSL_SM3 - { NID_sm3, SM3h, oidHashType, "SM3", "sm3"}, + { WC_NID_sm3, SM3h, oidHashType, "SM3", "sm3"}, #endif /* oidSigType */ #ifndef NO_DSA #ifndef NO_SHA - { NID_dsaWithSHA1, CTC_SHAwDSA, oidSigType, "DSA-SHA1", "dsaWithSHA1"}, - { NID_dsa_with_SHA256, CTC_SHA256wDSA, oidSigType, "dsa_with_SHA256", + { WC_NID_dsaWithSHA1, CTC_SHAwDSA, oidSigType, "DSA-SHA1", "dsaWithSHA1"}, + { WC_NID_dsa_with_SHA256, CTC_SHA256wDSA, oidSigType, "dsa_with_SHA256", "dsa_with_SHA256"}, #endif #endif /* NO_DSA */ #ifndef NO_RSA #ifdef WOLFSSL_MD2 - { NID_md2WithRSAEncryption, CTC_MD2wRSA, oidSigType, "RSA-MD2", + { WC_NID_md2WithRSAEncryption, CTC_MD2wRSA, oidSigType, "RSA-MD2", "md2WithRSAEncryption"}, #endif #ifndef NO_MD5 - { NID_md5WithRSAEncryption, CTC_MD5wRSA, oidSigType, "RSA-MD5", + { WC_NID_md5WithRSAEncryption, CTC_MD5wRSA, oidSigType, "RSA-MD5", "md5WithRSAEncryption"}, #endif #ifndef NO_SHA - { NID_sha1WithRSAEncryption, CTC_SHAwRSA, oidSigType, "RSA-SHA1", + { WC_NID_sha1WithRSAEncryption, CTC_SHAwRSA, oidSigType, "RSA-SHA1", "sha1WithRSAEncryption"}, #endif #ifdef WOLFSSL_SHA224 - { NID_sha224WithRSAEncryption, CTC_SHA224wRSA, oidSigType, "RSA-SHA224", + { WC_NID_sha224WithRSAEncryption, CTC_SHA224wRSA, oidSigType, "RSA-SHA224", "sha224WithRSAEncryption"}, #endif #ifndef NO_SHA256 - { NID_sha256WithRSAEncryption, CTC_SHA256wRSA, oidSigType, "RSA-SHA256", + { WC_NID_sha256WithRSAEncryption, CTC_SHA256wRSA, oidSigType, "RSA-SHA256", "sha256WithRSAEncryption"}, #endif #ifdef WOLFSSL_SHA384 - { NID_sha384WithRSAEncryption, CTC_SHA384wRSA, oidSigType, "RSA-SHA384", + { WC_NID_sha384WithRSAEncryption, CTC_SHA384wRSA, oidSigType, "RSA-SHA384", "sha384WithRSAEncryption"}, #endif #ifdef WOLFSSL_SHA512 - { NID_sha512WithRSAEncryption, CTC_SHA512wRSA, oidSigType, "RSA-SHA512", + { WC_NID_sha512WithRSAEncryption, CTC_SHA512wRSA, oidSigType, "RSA-SHA512", "sha512WithRSAEncryption"}, #endif #ifdef WOLFSSL_SHA3 #ifndef WOLFSSL_NOSHA3_224 - { NID_RSA_SHA3_224, CTC_SHA3_224wRSA, oidSigType, "RSA-SHA3-224", + { WC_NID_RSA_SHA3_224, CTC_SHA3_224wRSA, oidSigType, "RSA-SHA3-224", "sha3-224WithRSAEncryption"}, #endif #ifndef WOLFSSL_NOSHA3_256 - { NID_RSA_SHA3_256, CTC_SHA3_256wRSA, oidSigType, "RSA-SHA3-256", + { WC_NID_RSA_SHA3_256, CTC_SHA3_256wRSA, oidSigType, "RSA-SHA3-256", "sha3-256WithRSAEncryption"}, #endif #ifndef WOLFSSL_NOSHA3_384 - { NID_RSA_SHA3_384, CTC_SHA3_384wRSA, oidSigType, "RSA-SHA3-384", + { WC_NID_RSA_SHA3_384, CTC_SHA3_384wRSA, oidSigType, "RSA-SHA3-384", "sha3-384WithRSAEncryption"}, #endif #ifndef WOLFSSL_NOSHA3_512 - { NID_RSA_SHA3_512, CTC_SHA3_512wRSA, oidSigType, "RSA-SHA3-512", + { WC_NID_RSA_SHA3_512, CTC_SHA3_512wRSA, oidSigType, "RSA-SHA3-512", "sha3-512WithRSAEncryption"}, #endif #endif #ifdef WC_RSA_PSS - { NID_rsassaPss, CTC_RSASSAPSS, oidSigType, "RSASSA-PSS", "rsassaPss" }, + { WC_NID_rsassaPss, CTC_RSASSAPSS, oidSigType, "RSASSA-PSS", "rsassaPss" }, #endif #endif /* NO_RSA */ #ifdef HAVE_ECC #ifndef NO_SHA - { NID_ecdsa_with_SHA1, CTC_SHAwECDSA, oidSigType, "ecdsa-with-SHA1", + { WC_NID_ecdsa_with_SHA1, CTC_SHAwECDSA, oidSigType, "ecdsa-with-SHA1", "shaWithECDSA"}, #endif #ifdef WOLFSSL_SHA224 - { NID_ecdsa_with_SHA224, CTC_SHA224wECDSA, oidSigType, + { WC_NID_ecdsa_with_SHA224, CTC_SHA224wECDSA, oidSigType, "ecdsa-with-SHA224","sha224WithECDSA"}, #endif #ifndef NO_SHA256 - { NID_ecdsa_with_SHA256, CTC_SHA256wECDSA, oidSigType, + { WC_NID_ecdsa_with_SHA256, CTC_SHA256wECDSA, oidSigType, "ecdsa-with-SHA256","sha256WithECDSA"}, #endif #ifdef WOLFSSL_SHA384 - { NID_ecdsa_with_SHA384, CTC_SHA384wECDSA, oidSigType, + { WC_NID_ecdsa_with_SHA384, CTC_SHA384wECDSA, oidSigType, "ecdsa-with-SHA384","sha384WithECDSA"}, #endif #ifdef WOLFSSL_SHA512 - { NID_ecdsa_with_SHA512, CTC_SHA512wECDSA, oidSigType, + { WC_NID_ecdsa_with_SHA512, CTC_SHA512wECDSA, oidSigType, "ecdsa-with-SHA512","sha512WithECDSA"}, #endif #ifdef WOLFSSL_SHA3 #ifndef WOLFSSL_NOSHA3_224 - { NID_ecdsa_with_SHA3_224, CTC_SHA3_224wECDSA, oidSigType, + { WC_NID_ecdsa_with_SHA3_224, CTC_SHA3_224wECDSA, oidSigType, "id-ecdsa-with-SHA3-224", "ecdsa_with_SHA3-224"}, #endif #ifndef WOLFSSL_NOSHA3_256 - { NID_ecdsa_with_SHA3_256, CTC_SHA3_256wECDSA, oidSigType, + { WC_NID_ecdsa_with_SHA3_256, CTC_SHA3_256wECDSA, oidSigType, "id-ecdsa-with-SHA3-256", "ecdsa_with_SHA3-256"}, #endif #ifndef WOLFSSL_NOSHA3_384 - { NID_ecdsa_with_SHA3_384, CTC_SHA3_384wECDSA, oidSigType, + { WC_NID_ecdsa_with_SHA3_384, CTC_SHA3_384wECDSA, oidSigType, "id-ecdsa-with-SHA3-384", "ecdsa_with_SHA3-384"}, #endif #ifndef WOLFSSL_NOSHA3_512 - { NID_ecdsa_with_SHA3_512, CTC_SHA3_512wECDSA, oidSigType, + { WC_NID_ecdsa_with_SHA3_512, CTC_SHA3_512wECDSA, oidSigType, "id-ecdsa-with-SHA3-512", "ecdsa_with_SHA3-512"}, #endif #endif @@ -17529,28 +17676,28 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { /* oidKeyType */ #ifndef NO_DSA - { NID_dsa, DSAk, oidKeyType, "DSA", "dsaEncryption"}, + { WC_NID_dsa, DSAk, oidKeyType, "DSA", "dsaEncryption"}, #endif /* NO_DSA */ #ifndef NO_RSA - { NID_rsaEncryption, RSAk, oidKeyType, "rsaEncryption", + { WC_NID_rsaEncryption, RSAk, oidKeyType, "rsaEncryption", "rsaEncryption"}, #ifdef WC_RSA_PSS - { NID_rsassaPss, RSAPSSk, oidKeyType, "RSASSA-PSS", "rsassaPss"}, + { WC_NID_rsassaPss, RSAPSSk, oidKeyType, "RSASSA-PSS", "rsassaPss"}, #endif #endif /* NO_RSA */ #ifdef HAVE_ECC - { NID_X9_62_id_ecPublicKey, ECDSAk, oidKeyType, "id-ecPublicKey", + { WC_NID_X9_62_id_ecPublicKey, ECDSAk, oidKeyType, "id-ecPublicKey", "id-ecPublicKey"}, #endif /* HAVE_ECC */ #ifndef NO_DH - { NID_dhKeyAgreement, DHk, oidKeyType, "dhKeyAgreement", + { WC_NID_dhKeyAgreement, DHk, oidKeyType, "dhKeyAgreement", "dhKeyAgreement"}, #endif #ifdef HAVE_ED448 - { NID_ED448, ED448k, oidKeyType, "ED448", "ED448"}, + { WC_NID_ED448, ED448k, oidKeyType, "ED448", "ED448"}, #endif #ifdef HAVE_ED25519 - { NID_ED25519, ED25519k, oidKeyType, "ED25519", "ED25519"}, + { WC_NID_ED25519, ED25519k, oidKeyType, "ED25519", "ED25519"}, #endif #ifdef HAVE_FALCON { CTC_FALCON_LEVEL1, FALCON_LEVEL1k, oidKeyType, "Falcon Level 1", @@ -17569,71 +17716,71 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { /* oidCurveType */ #ifdef HAVE_ECC - { NID_X9_62_prime192v1, ECC_SECP192R1_OID, oidCurveType, "prime192v1", + { WC_NID_X9_62_prime192v1, ECC_SECP192R1_OID, oidCurveType, "prime192v1", "prime192v1"}, - { NID_X9_62_prime192v2, ECC_PRIME192V2_OID, oidCurveType, "prime192v2", + { WC_NID_X9_62_prime192v2, ECC_PRIME192V2_OID, oidCurveType, "prime192v2", "prime192v2"}, - { NID_X9_62_prime192v3, ECC_PRIME192V3_OID, oidCurveType, "prime192v3", + { WC_NID_X9_62_prime192v3, ECC_PRIME192V3_OID, oidCurveType, "prime192v3", "prime192v3"}, - { NID_X9_62_prime239v1, ECC_PRIME239V1_OID, oidCurveType, "prime239v1", + { WC_NID_X9_62_prime239v1, ECC_PRIME239V1_OID, oidCurveType, "prime239v1", "prime239v1"}, - { NID_X9_62_prime239v2, ECC_PRIME239V2_OID, oidCurveType, "prime239v2", + { WC_NID_X9_62_prime239v2, ECC_PRIME239V2_OID, oidCurveType, "prime239v2", "prime239v2"}, - { NID_X9_62_prime239v3, ECC_PRIME239V3_OID, oidCurveType, "prime239v3", + { WC_NID_X9_62_prime239v3, ECC_PRIME239V3_OID, oidCurveType, "prime239v3", "prime239v3"}, - { NID_X9_62_prime256v1, ECC_SECP256R1_OID, oidCurveType, "prime256v1", + { WC_NID_X9_62_prime256v1, ECC_SECP256R1_OID, oidCurveType, "prime256v1", "prime256v1"}, - { NID_secp112r1, ECC_SECP112R1_OID, oidCurveType, "secp112r1", + { WC_NID_secp112r1, ECC_SECP112R1_OID, oidCurveType, "secp112r1", "secp112r1"}, - { NID_secp112r2, ECC_SECP112R2_OID, oidCurveType, "secp112r2", + { WC_NID_secp112r2, ECC_SECP112R2_OID, oidCurveType, "secp112r2", "secp112r2"}, - { NID_secp128r1, ECC_SECP128R1_OID, oidCurveType, "secp128r1", + { WC_NID_secp128r1, ECC_SECP128R1_OID, oidCurveType, "secp128r1", "secp128r1"}, - { NID_secp128r2, ECC_SECP128R2_OID, oidCurveType, "secp128r2", + { WC_NID_secp128r2, ECC_SECP128R2_OID, oidCurveType, "secp128r2", "secp128r2"}, - { NID_secp160r1, ECC_SECP160R1_OID, oidCurveType, "secp160r1", + { WC_NID_secp160r1, ECC_SECP160R1_OID, oidCurveType, "secp160r1", "secp160r1"}, - { NID_secp160r2, ECC_SECP160R2_OID, oidCurveType, "secp160r2", + { WC_NID_secp160r2, ECC_SECP160R2_OID, oidCurveType, "secp160r2", "secp160r2"}, - { NID_secp224r1, ECC_SECP224R1_OID, oidCurveType, "secp224r1", + { WC_NID_secp224r1, ECC_SECP224R1_OID, oidCurveType, "secp224r1", "secp224r1"}, - { NID_secp384r1, ECC_SECP384R1_OID, oidCurveType, "secp384r1", + { WC_NID_secp384r1, ECC_SECP384R1_OID, oidCurveType, "secp384r1", "secp384r1"}, - { NID_secp521r1, ECC_SECP521R1_OID, oidCurveType, "secp521r1", + { WC_NID_secp521r1, ECC_SECP521R1_OID, oidCurveType, "secp521r1", "secp521r1"}, - { NID_secp160k1, ECC_SECP160K1_OID, oidCurveType, "secp160k1", + { WC_NID_secp160k1, ECC_SECP160K1_OID, oidCurveType, "secp160k1", "secp160k1"}, - { NID_secp192k1, ECC_SECP192K1_OID, oidCurveType, "secp192k1", + { WC_NID_secp192k1, ECC_SECP192K1_OID, oidCurveType, "secp192k1", "secp192k1"}, - { NID_secp224k1, ECC_SECP224K1_OID, oidCurveType, "secp224k1", + { WC_NID_secp224k1, ECC_SECP224K1_OID, oidCurveType, "secp224k1", "secp224k1"}, - { NID_secp256k1, ECC_SECP256K1_OID, oidCurveType, "secp256k1", + { WC_NID_secp256k1, ECC_SECP256K1_OID, oidCurveType, "secp256k1", "secp256k1"}, - { NID_brainpoolP160r1, ECC_BRAINPOOLP160R1_OID, oidCurveType, + { WC_NID_brainpoolP160r1, ECC_BRAINPOOLP160R1_OID, oidCurveType, "brainpoolP160r1", "brainpoolP160r1"}, - { NID_brainpoolP192r1, ECC_BRAINPOOLP192R1_OID, oidCurveType, + { WC_NID_brainpoolP192r1, ECC_BRAINPOOLP192R1_OID, oidCurveType, "brainpoolP192r1", "brainpoolP192r1"}, - { NID_brainpoolP224r1, ECC_BRAINPOOLP224R1_OID, oidCurveType, + { WC_NID_brainpoolP224r1, ECC_BRAINPOOLP224R1_OID, oidCurveType, "brainpoolP224r1", "brainpoolP224r1"}, - { NID_brainpoolP256r1, ECC_BRAINPOOLP256R1_OID, oidCurveType, + { WC_NID_brainpoolP256r1, ECC_BRAINPOOLP256R1_OID, oidCurveType, "brainpoolP256r1", "brainpoolP256r1"}, - { NID_brainpoolP320r1, ECC_BRAINPOOLP320R1_OID, oidCurveType, + { WC_NID_brainpoolP320r1, ECC_BRAINPOOLP320R1_OID, oidCurveType, "brainpoolP320r1", "brainpoolP320r1"}, - { NID_brainpoolP384r1, ECC_BRAINPOOLP384R1_OID, oidCurveType, + { WC_NID_brainpoolP384r1, ECC_BRAINPOOLP384R1_OID, oidCurveType, "brainpoolP384r1", "brainpoolP384r1"}, - { NID_brainpoolP512r1, ECC_BRAINPOOLP512R1_OID, oidCurveType, + { WC_NID_brainpoolP512r1, ECC_BRAINPOOLP512R1_OID, oidCurveType, "brainpoolP512r1", "brainpoolP512r1"}, #ifdef WOLFSSL_SM2 - { NID_sm2, ECC_SM2P256V1_OID, oidCurveType, "sm2", "sm2"}, + { WC_NID_sm2, ECC_SM2P256V1_OID, oidCurveType, "sm2", "sm2"}, #endif #endif /* HAVE_ECC */ @@ -17648,17 +17795,17 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { { AES256CBCb, AES256CBCb, oidBlkType, "AES-256-CBC", "aes-256-cbc"}, #endif #ifndef NO_DES3 - { NID_des, DESb, oidBlkType, "DES-CBC", "des-cbc"}, - { NID_des3, DES3b, oidBlkType, "DES-EDE3-CBC", "des-ede3-cbc"}, + { WC_NID_des, DESb, oidBlkType, "DES-CBC", "des-cbc"}, + { WC_NID_des3, DES3b, oidBlkType, "DES-EDE3-CBC", "des-ede3-cbc"}, #endif /* !NO_DES3 */ #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - { NID_chacha20_poly1305, NID_chacha20_poly1305, oidBlkType, + { WC_NID_chacha20_poly1305, WC_NID_chacha20_poly1305, oidBlkType, "ChaCha20-Poly1305", "chacha20-poly1305"}, #endif /* oidOcspType */ #ifdef HAVE_OCSP - { NID_id_pkix_OCSP_basic, OCSP_BASIC_OID, oidOcspType, + { WC_NID_id_pkix_OCSP_basic, OCSP_BASIC_OID, oidOcspType, "basicOCSPResponse", "Basic OCSP Response"}, { OCSP_NONCE_OID, OCSP_NONCE_OID, oidOcspType, "Nonce", "OCSP Nonce"}, #endif /* HAVE_OCSP */ @@ -17726,15 +17873,15 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { #endif #if defined(WOLFSSL_APACHE_HTTPD) /* "1.3.6.1.5.5.7.8.7" */ - { NID_id_on_dnsSRV, NID_id_on_dnsSRV, oidCertNameType, + { WC_NID_id_on_dnsSRV, WC_NID_id_on_dnsSRV, oidCertNameType, WOLFSSL_SN_DNS_SRV, WOLFSSL_LN_DNS_SRV }, /* "1.3.6.1.4.1.311.20.2.3" */ - { NID_ms_upn, WOLFSSL_MS_UPN_SUM, oidCertExtType, WOLFSSL_SN_MS_UPN, + { WC_NID_ms_upn, WOLFSSL_MS_UPN_SUM, oidCertExtType, WOLFSSL_SN_MS_UPN, WOLFSSL_LN_MS_UPN }, /* "1.3.6.1.5.5.7.1.24" */ - { NID_tlsfeature, WOLFSSL_TLS_FEATURE_SUM, oidTlsExtType, + { WC_NID_tlsfeature, WOLFSSL_TLS_FEATURE_SUM, oidTlsExtType, WOLFSSL_SN_TLS_FEATURE, WOLFSSL_LN_TLS_FEATURE }, #endif #endif /* OPENSSL_EXTRA */ @@ -17743,7 +17890,7 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { #define WOLFSSL_OBJECT_INFO_SZ \ (sizeof(wolfssl_object_info) / sizeof(*wolfssl_object_info)) const size_t wolfssl_object_info_sz = WOLFSSL_OBJECT_INFO_SZ; -#endif +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) /* Free the dynamically allocated data. @@ -17810,7 +17957,7 @@ unsigned char *wolfSSL_OPENSSL_hexstr2buf(const char *str, long *len) return targetBuf; } -int wolfSSL_OPENSSL_init_ssl(word64 opts, const OPENSSL_INIT_SETTINGS *settings) +int wolfSSL_OPENSSL_init_ssl(word64 opts, const WOLFSSL_INIT_SETTINGS *settings) { (void)opts; (void)settings; @@ -17818,7 +17965,7 @@ int wolfSSL_OPENSSL_init_ssl(word64 opts, const OPENSSL_INIT_SETTINGS *settings) } int wolfSSL_OPENSSL_init_crypto(word64 opts, - const OPENSSL_INIT_SETTINGS* settings) + const WOLFSSL_INIT_SETTINGS* settings) { (void)opts; (void)settings; @@ -17869,31 +18016,31 @@ static int HashToNid(byte hashAlgo, int* nid) switch ((enum wc_MACAlgorithm)hashAlgo) { case no_mac: case rmd_mac: - *nid = NID_undef; + *nid = WC_NID_undef; break; case md5_mac: - *nid = NID_md5; + *nid = WC_NID_md5; break; case sha_mac: - *nid = NID_sha1; + *nid = WC_NID_sha1; break; case sha224_mac: - *nid = NID_sha224; + *nid = WC_NID_sha224; break; case sha256_mac: - *nid = NID_sha256; + *nid = WC_NID_sha256; break; case sha384_mac: - *nid = NID_sha384; + *nid = WC_NID_sha384; break; case sha512_mac: - *nid = NID_sha512; + *nid = WC_NID_sha512; break; case blake2b_mac: - *nid = NID_blake2b512; + *nid = WC_NID_blake2b512; break; case sm3_mac: - *nid = NID_sm3; + *nid = WC_NID_sm3; break; default: ret = WOLFSSL_FAILURE; @@ -17909,33 +18056,33 @@ static int SaToNid(byte sa, int* nid) /* Cast for compiler to check everything is implemented */ switch ((enum SignatureAlgorithm)sa) { case anonymous_sa_algo: - *nid = NID_undef; + *nid = WC_NID_undef; break; case rsa_sa_algo: - *nid = NID_rsaEncryption; + *nid = WC_NID_rsaEncryption; break; case dsa_sa_algo: - *nid = NID_dsa; + *nid = WC_NID_dsa; break; case ecc_dsa_sa_algo: - *nid = NID_X9_62_id_ecPublicKey; + *nid = WC_NID_X9_62_id_ecPublicKey; break; case rsa_pss_sa_algo: - *nid = NID_rsassaPss; + *nid = WC_NID_rsassaPss; break; case ed25519_sa_algo: #ifdef HAVE_ED25519 - *nid = NID_ED25519; + *nid = WC_NID_ED25519; #else ret = WOLFSSL_FAILURE; #endif break; case rsa_pss_pss_algo: - *nid = NID_rsassaPss; + *nid = WC_NID_rsassaPss; break; case ed448_sa_algo: #ifdef HAVE_ED448 - *nid = NID_ED448; + *nid = WC_NID_ED448; #else ret = WOLFSSL_FAILURE; #endif @@ -17956,7 +18103,7 @@ static int SaToNid(byte sa, int* nid) *nid = CTC_DILITHIUM_LEVEL5; break; case sm2_sa_algo: - *nid = NID_sm2; + *nid = WC_NID_sm2; break; case invalid_sa_algo: default: @@ -19058,8 +19205,8 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) if (bufSz) { XMEMCPY(buf, name, bufSz); } - else if (a->type == GEN_DNS || a->type == GEN_EMAIL || - a->type == GEN_URI) { + else if (a->type == WOLFSSL_GEN_DNS || a->type == WOLFSSL_GEN_EMAIL || + a->type == WOLFSSL_GEN_URI) { bufSz = (int)XSTRLEN((const char*)a->obj); XMEMCPY(buf, a->obj, min((word32)bufSz, (word32)bufLen)); } @@ -19114,10 +19261,10 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) size_t i; WOLFSSL_ENTER("wolfSSL_OBJ_nid2sn"); - if (n == NID_md5) { - /* NID_surname == NID_md5 and NID_surname comes before NID_md5 in + if (n == WC_NID_md5) { + /* WC_NID_surname == WC_NID_md5 and WC_NID_surname comes before WC_NID_md5 in * wolfssl_object_info. As a result, the loop below will incorrectly - * return "SN" instead of "MD5." NID_surname isn't the true OpenSSL + * return "SN" instead of "MD5." WC_NID_surname isn't the true OpenSSL * NID, but other functions rely on this table and modifying it to * conform with OpenSSL's NIDs isn't trivial. */ return "MD5"; @@ -19135,7 +19282,7 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) int wolfSSL_OBJ_sn2nid(const char *sn) { WOLFSSL_ENTER("wolfSSL_OBJ_sn2nid"); if (sn == NULL) - return NID_undef; + return WC_NID_undef; return wc_OBJ_sn2nid(sn); } #endif @@ -19215,9 +19362,9 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) #ifdef WOLFSSL_QT if (o->grp == oidCertExtType) { - /* If nid is an unknown extension, return NID_undef */ + /* If nid is an unknown extension, return WC_NID_undef */ if (wolfSSL_OBJ_nid2sn(o->nid) == NULL) - return NID_undef; + return WC_NID_undef; } #endif @@ -19252,7 +19399,7 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) } /* Return the corresponding NID for the long name - * or NID_undef if NID can't be found. + * or WC_NID_undef if NID can't be found. */ int wolfSSL_OBJ_ln2nid(const char *ln) { @@ -19279,7 +19426,7 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) } } } - return NID_undef; + return WC_NID_undef; } /* compares two objects, return 0 if equal */ @@ -19331,7 +19478,7 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) /* Gets the NID value that is related to the OID string passed in. Example * string would be "2.5.29.14" for subject key ID. * - * returns NID value on success and NID_undef on error + * returns NID value on success and WC_NID_undef on error */ int wolfSSL_OBJ_txt2nid(const char* s) { @@ -19346,7 +19493,7 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) WOLFSSL_ENTER("wolfSSL_OBJ_txt2nid"); if (s == NULL) { - return NID_undef; + return WC_NID_undef; } #ifdef WOLFSSL_CERT_EXT @@ -19385,7 +19532,7 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) } } - return NID_undef; + return WC_NID_undef; } #endif #if defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) || \ @@ -19404,7 +19551,7 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) WOLFSSL_ASN1_OBJECT* wolfSSL_OBJ_txt2obj(const char* s, int no_name) { int i, ret; - int nid = NID_undef; + int nid = WC_NID_undef; unsigned int outSz = MAX_OID_SZ; unsigned char out[MAX_OID_SZ]; WOLFSSL_ASN1_OBJECT* obj; @@ -19451,7 +19598,7 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) } } - if (nid != NID_undef) + if (nid != WC_NID_undef) return wolfSSL_OBJ_nid2obj(nid); return NULL; @@ -19526,11 +19673,7 @@ unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line) #endif /* OPENSSL_EXTRA */ -#if defined(HAVE_EX_DATA) && \ - (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || \ - defined(HAVE_LIGHTY)) || defined(HAVE_EX_DATA) || \ - defined(WOLFSSL_WPAS_SMALL) +#ifdef HAVE_EX_DATA_CRYPTO CRYPTO_EX_cb_ctx* crypto_ex_cb_ctx_session = NULL; static int crypto_ex_cb_new(CRYPTO_EX_cb_ctx** dst, long ctx_l, void* ctx_ptr, @@ -19668,23 +19811,9 @@ int wolfssl_get_ex_new_index(int class_index, long ctx_l, void* ctx_ptr, return WOLFSSL_FATAL_ERROR; return idx; } -#endif /* HAVE_EX_DATA || WOLFSSL_WPAS_SMALL */ - -#if defined(HAVE_EX_DATA) || defined(WOLFSSL_WPAS_SMALL) -void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); -#ifdef HAVE_EX_DATA - if(ctx != NULL) { - return wolfSSL_CRYPTO_get_ex_data(&ctx->ex_data, idx); - } -#else - (void)ctx; - (void)idx; -#endif - return NULL; -} +#endif /* HAVE_EX_DATA_CRYPTO */ +#ifdef HAVE_EX_DATA_CRYPTO int wolfSSL_CTX_get_ex_new_index(long idx, void* arg, WOLFSSL_CRYPTO_EX_new* new_func, WOLFSSL_CRYPTO_EX_dup* dup_func, @@ -19710,21 +19839,35 @@ int wolfSSL_get_ex_new_index(long argValue, void* arg, return wolfssl_get_ex_new_index(WOLF_CRYPTO_EX_INDEX_SSL, argValue, arg, cb1, cb2, cb3); } +#endif /* HAVE_EX_DATA_CRYPTO */ +#ifdef OPENSSL_EXTRA +void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) +{ + WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); +#ifdef HAVE_EX_DATA + if (ctx != NULL) { + return wolfSSL_CRYPTO_get_ex_data(&ctx->ex_data, idx); + } +#else + (void)ctx; + (void)idx; +#endif + return NULL; +} int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data) { WOLFSSL_ENTER("wolfSSL_CTX_set_ex_data"); - #ifdef HAVE_EX_DATA - if (ctx != NULL) - { +#ifdef HAVE_EX_DATA + if (ctx != NULL) { return wolfSSL_CRYPTO_set_ex_data(&ctx->ex_data, idx, data); } - #else +#else (void)ctx; (void)idx; (void)data; - #endif +#endif return WOLFSSL_FAILURE; } @@ -19736,16 +19879,14 @@ int wolfSSL_CTX_set_ex_data_with_cleanup( wolfSSL_ex_data_cleanup_routine_t cleanup_routine) { WOLFSSL_ENTER("wolfSSL_CTX_set_ex_data_with_cleanup"); - if (ctx != NULL) - { + if (ctx != NULL) { return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, data, cleanup_routine); } return WOLFSSL_FAILURE; } #endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ - -#endif /* defined(HAVE_EX_DATA) || defined(WOLFSSL_WPAS_SMALL) */ +#endif /* OPENSSL_EXTRA */ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) @@ -19777,15 +19918,11 @@ int wolfSSL_set_app_data(WOLFSSL *ssl, void* arg) { #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ -#if defined(HAVE_EX_DATA) || defined(OPENSSL_EXTRA) || \ - defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL) - int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) { WOLFSSL_ENTER("wolfSSL_set_ex_data"); #ifdef HAVE_EX_DATA - if (ssl != NULL) - { + if (ssl != NULL) { return wolfSSL_CRYPTO_set_ex_data(&ssl->ex_data, idx, data); } #else @@ -19829,8 +19966,6 @@ void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) return 0; } -#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ - #if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) \ || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA) @@ -20010,10 +20145,10 @@ long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt) if ((ctrl_opt & WOLFSSL_OP_CIPHER_SERVER_PREFERENCE) == WOLFSSL_OP_CIPHER_SERVER_PREFERENCE) { WOLFSSL_MSG("Using Server's Cipher Preference."); - ctx->useClientOrder = FALSE; + ctx->useClientOrder = 0; } else { WOLFSSL_MSG("Using Client's Cipher Preference."); - ctx->useClientOrder = TRUE; + ctx->useClientOrder = 1; } #endif /* WOLFSSL_QT */ @@ -20455,7 +20590,7 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) InitSSL_CTX_Suites(ctx); } - wolfSSL_RefInc(&ctx->ref, &ret); + wolfSSL_RefWithMutexInc(&ctx->ref, &ret); #ifdef WOLFSSL_REFCNT_ERROR_RETURN if (ret != 0) { /* can only fail on serious stuff, like mutex not working @@ -20699,10 +20834,10 @@ unsigned long wolfSSL_ERR_peek_last_error(void) return 0; } if (ret == -WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)) - return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; + return (WOLFSSL_ERR_LIB_PEM << 24) | -WC_NO_ERR_TRACE(WOLFSSL_PEM_R_NO_START_LINE_E); #if defined(WOLFSSL_PYTHON) if (ret == WC_NO_ERR_TRACE(ASN1_R_HEADER_TOO_LONG)) - return (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG; + return (WOLFSSL_ERR_LIB_ASN1 << 24) | -WC_NO_ERR_TRACE(WOLFSSL_ASN1_R_HEADER_TOO_LONG_E); #endif return (unsigned long)ret; } @@ -20905,15 +21040,15 @@ unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line, err = wc_PeekErrorNodeLineData(file, line, data, flags, peek_ignore_err); if (err == -WC_NO_ERR_TRACE(ASN_NO_PEM_HEADER)) - return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; + return (WOLFSSL_ERR_LIB_PEM << 24) | -WC_NO_ERR_TRACE(WOLFSSL_PEM_R_NO_START_LINE_E); #ifdef OPENSSL_ALL /* PARSE_ERROR is returned if an HTTP request is detected. */ else if (err == -WC_NO_ERR_TRACE(PARSE_ERROR)) - return (ERR_LIB_SSL << 24) | -SSL_R_HTTP_REQUEST; + return (WOLFSSL_ERR_LIB_SSL << 24) | -WC_NO_ERR_TRACE(PARSE_ERROR) /* SSL_R_HTTP_REQUEST */; #endif #if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON) else if (err == WC_NO_ERR_TRACE(ASN1_R_HEADER_TOO_LONG)) - return (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG; + return (WOLFSSL_ERR_LIB_ASN1 << 24) | -WC_NO_ERR_TRACE(WOLFSSL_ASN1_R_HEADER_TOO_LONG_E); #endif return err; } @@ -21089,9 +21224,7 @@ WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl) } #endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || \ - defined(HAVE_LIGHTY) || defined(HAVE_SECRET_CALLBACK) +#if defined(OPENSSL_EXTRA) || defined(HAVE_SECRET_CALLBACK) long wolfSSL_SSL_CTX_get_timeout(const WOLFSSL_CTX *ctx) { WOLFSSL_ENTER("wolfSSL_SSL_CTX_get_timeout"); @@ -21131,7 +21264,7 @@ int wolfSSL_SSL_CTX_set_tmp_ecdh(WOLFSSL_CTX *ctx, WOLFSSL_EC_KEY *ecdh) } #endif #ifndef NO_BIO -BIO *wolfSSL_SSL_get_rbio(const WOLFSSL *s) +WOLFSSL_BIO *wolfSSL_SSL_get_rbio(const WOLFSSL *s) { WOLFSSL_ENTER("wolfSSL_SSL_get_rbio"); /* Nginx sets the buffer size if the read BIO is different to write BIO. @@ -21142,7 +21275,7 @@ BIO *wolfSSL_SSL_get_rbio(const WOLFSSL *s) return s->biord; } -BIO *wolfSSL_SSL_get_wbio(const WOLFSSL *s) +WOLFSSL_BIO *wolfSSL_SSL_get_wbio(const WOLFSSL *s) { WOLFSSL_ENTER("wolfSSL_SSL_get_wbio"); (void)s; @@ -21750,7 +21883,7 @@ int wolfSSL_select_next_proto(unsigned char **out, unsigned char *outLen, byte lenIn, lenClient; if (out == NULL || outLen == NULL || in == NULL || clientNames == NULL) - return OPENSSL_NPN_UNSUPPORTED; + return WOLFSSL_NPN_UNSUPPORTED; for (i = 0; i < inLen; i += lenIn) { lenIn = in[i++]; @@ -21763,14 +21896,14 @@ int wolfSSL_select_next_proto(unsigned char **out, unsigned char *outLen, if (XMEMCMP(in + i, clientNames + j, lenIn) == 0) { *out = (unsigned char *)(in + i); *outLen = lenIn; - return OPENSSL_NPN_NEGOTIATED; + return WOLFSSL_NPN_NEGOTIATED; } } } *out = (unsigned char *)clientNames + 1; *outLen = clientNames[0]; - return OPENSSL_NPN_NO_OVERLAP; + return WOLFSSL_NPN_NO_OVERLAP; } void wolfSSL_set_alpn_select_cb(WOLFSSL *ssl, @@ -21874,28 +22007,42 @@ int wolfSSL_curve_is_disabled(const WOLFSSL* ssl, word16 curve_id) const WOLF_EC_NIST_NAME kNistCurves[] = { #ifdef HAVE_ECC - {CURVE_NAME("P-160"), NID_secp160r1, WOLFSSL_ECC_SECP160R1}, - {CURVE_NAME("P-160-2"), NID_secp160r2, WOLFSSL_ECC_SECP160R2}, - {CURVE_NAME("P-192"), NID_X9_62_prime192v1, WOLFSSL_ECC_SECP192R1}, - {CURVE_NAME("P-224"), NID_secp224r1, WOLFSSL_ECC_SECP224R1}, - {CURVE_NAME("P-256"), NID_X9_62_prime256v1, WOLFSSL_ECC_SECP256R1}, - {CURVE_NAME("P-384"), NID_secp384r1, WOLFSSL_ECC_SECP384R1}, - {CURVE_NAME("P-521"), NID_secp521r1, WOLFSSL_ECC_SECP521R1}, - {CURVE_NAME("K-160"), NID_secp160k1, WOLFSSL_ECC_SECP160K1}, - {CURVE_NAME("K-192"), NID_secp192k1, WOLFSSL_ECC_SECP192K1}, - {CURVE_NAME("K-224"), NID_secp224k1, WOLFSSL_ECC_SECP224R1}, - {CURVE_NAME("K-256"), NID_secp256k1, WOLFSSL_ECC_SECP256K1}, - {CURVE_NAME("B-256"), NID_brainpoolP256r1, WOLFSSL_ECC_BRAINPOOLP256R1}, - {CURVE_NAME("B-384"), NID_brainpoolP384r1, WOLFSSL_ECC_BRAINPOOLP384R1}, - {CURVE_NAME("B-512"), NID_brainpoolP512r1, WOLFSSL_ECC_BRAINPOOLP512R1}, + {CURVE_NAME("P-160"), WC_NID_secp160r1, WOLFSSL_ECC_SECP160R1}, + {CURVE_NAME("P-160-2"), WC_NID_secp160r2, WOLFSSL_ECC_SECP160R2}, + {CURVE_NAME("P-192"), WC_NID_X9_62_prime192v1, WOLFSSL_ECC_SECP192R1}, + {CURVE_NAME("P-224"), WC_NID_secp224r1, WOLFSSL_ECC_SECP224R1}, + {CURVE_NAME("P-256"), WC_NID_X9_62_prime256v1, WOLFSSL_ECC_SECP256R1}, + {CURVE_NAME("P-384"), WC_NID_secp384r1, WOLFSSL_ECC_SECP384R1}, + {CURVE_NAME("P-521"), WC_NID_secp521r1, WOLFSSL_ECC_SECP521R1}, + {CURVE_NAME("K-160"), WC_NID_secp160k1, WOLFSSL_ECC_SECP160K1}, + {CURVE_NAME("K-192"), WC_NID_secp192k1, WOLFSSL_ECC_SECP192K1}, + {CURVE_NAME("K-224"), WC_NID_secp224k1, WOLFSSL_ECC_SECP224R1}, + {CURVE_NAME("K-256"), WC_NID_secp256k1, WOLFSSL_ECC_SECP256K1}, + {CURVE_NAME("B-256"), WC_NID_brainpoolP256r1, WOLFSSL_ECC_BRAINPOOLP256R1}, + {CURVE_NAME("B-384"), WC_NID_brainpoolP384r1, WOLFSSL_ECC_BRAINPOOLP384R1}, + {CURVE_NAME("B-512"), WC_NID_brainpoolP512r1, WOLFSSL_ECC_BRAINPOOLP512R1}, #endif #ifdef HAVE_CURVE25519 - {CURVE_NAME("X25519"), NID_X25519, WOLFSSL_ECC_X25519}, + {CURVE_NAME("X25519"), WC_NID_X25519, WOLFSSL_ECC_X25519}, #endif #ifdef HAVE_CURVE448 - {CURVE_NAME("X448"), NID_X448, WOLFSSL_ECC_X448}, + {CURVE_NAME("X448"), WC_NID_X448, WOLFSSL_ECC_X448}, #endif #ifdef WOLFSSL_HAVE_KYBER +#ifndef WOLFSSL_NO_ML_KEM + {CURVE_NAME("ML_KEM_512"), WOLFSSL_ML_KEM_512, WOLFSSL_ML_KEM_512}, + {CURVE_NAME("ML_KEM_768"), WOLFSSL_ML_KEM_768, WOLFSSL_ML_KEM_768}, + {CURVE_NAME("ML_KEM_1024"), WOLFSSL_ML_KEM_1024, WOLFSSL_ML_KEM_1024}, +#if (defined(WOLFSSL_WC_KYBER) || defined(HAVE_LIBOQS)) && defined(HAVE_ECC) + {CURVE_NAME("P256_ML_KEM_512"), WOLFSSL_P256_ML_KEM_512, + WOLFSSL_P256_ML_KEM_512}, + {CURVE_NAME("P384_ML_KEM_768"), WOLFSSL_P384_ML_KEM_768, + WOLFSSL_P384_ML_KEM_768}, + {CURVE_NAME("P521_ML_KEM_1024"), WOLFSSL_P521_ML_KEM_1024, + WOLFSSL_P521_ML_KEM_1024}, +#endif +#endif /* !WOLFSSL_NO_ML_KEM */ +#ifdef WOLFSSL_KYBER_ORIGINAL {CURVE_NAME("KYBER_LEVEL1"), WOLFSSL_KYBER_LEVEL1, WOLFSSL_KYBER_LEVEL1}, {CURVE_NAME("KYBER_LEVEL3"), WOLFSSL_KYBER_LEVEL3, WOLFSSL_KYBER_LEVEL3}, {CURVE_NAME("KYBER_LEVEL5"), WOLFSSL_KYBER_LEVEL5, WOLFSSL_KYBER_LEVEL5}, @@ -21904,19 +22051,20 @@ const WOLF_EC_NIST_NAME kNistCurves[] = { {CURVE_NAME("P384_KYBER_LEVEL3"), WOLFSSL_P384_KYBER_LEVEL3, WOLFSSL_P384_KYBER_LEVEL3}, {CURVE_NAME("P521_KYBER_LEVEL5"), WOLFSSL_P521_KYBER_LEVEL5, WOLFSSL_P521_KYBER_LEVEL5}, #endif -#endif +#endif /* WOLFSSL_KYBER_ORIGINAL */ +#endif /* WOLFSSL_HAVE_KYBER */ #ifdef WOLFSSL_SM2 - {CURVE_NAME("SM2"), NID_sm2, WOLFSSL_ECC_SM2P256V1}, + {CURVE_NAME("SM2"), WC_NID_sm2, WOLFSSL_ECC_SM2P256V1}, #endif #ifdef HAVE_ECC /* Alternative curve names */ - {CURVE_NAME("prime256v1"), NID_X9_62_prime256v1, WOLFSSL_ECC_SECP256R1}, - {CURVE_NAME("secp256r1"), NID_X9_62_prime256v1, WOLFSSL_ECC_SECP256R1}, - {CURVE_NAME("secp384r1"), NID_secp384r1, WOLFSSL_ECC_SECP384R1}, - {CURVE_NAME("secp521r1"), NID_secp521r1, WOLFSSL_ECC_SECP521R1}, + {CURVE_NAME("prime256v1"), WC_NID_X9_62_prime256v1, WOLFSSL_ECC_SECP256R1}, + {CURVE_NAME("secp256r1"), WC_NID_X9_62_prime256v1, WOLFSSL_ECC_SECP256R1}, + {CURVE_NAME("secp384r1"), WC_NID_secp384r1, WOLFSSL_ECC_SECP384R1}, + {CURVE_NAME("secp521r1"), WC_NID_secp521r1, WOLFSSL_ECC_SECP521R1}, #endif #ifdef WOLFSSL_SM2 - {CURVE_NAME("sm2p256v1"), NID_sm2, WOLFSSL_ECC_SM2P256V1}, + {CURVE_NAME("sm2p256v1"), WC_NID_sm2, WOLFSSL_ECC_SM2P256V1}, #endif {0, NULL, 0, 0}, }; @@ -22172,7 +22320,7 @@ void *wolfSSL_OPENSSL_memdup(const void *data, size_t siz, const char* file, if (data == NULL || siz >= INT_MAX) return NULL; - ret = OPENSSL_malloc(siz); + ret = wolfSSL_OPENSSL_malloc(siz); if (ret == NULL) { return NULL; } @@ -22327,45 +22475,45 @@ word32 nid2oid(int nid, int grp) case oidHashType: switch (nid) { #ifdef WOLFSSL_MD2 - case NID_md2: + case WC_NID_md2: return MD2h; #endif #ifndef NO_MD5 - case NID_md5: + case WC_NID_md5: return MD5h; #endif #ifndef NO_SHA - case NID_sha1: + case WC_NID_sha1: return SHAh; #endif - case NID_sha224: + case WC_NID_sha224: return SHA224h; #ifndef NO_SHA256 - case NID_sha256: + case WC_NID_sha256: return SHA256h; #endif #ifdef WOLFSSL_SHA384 - case NID_sha384: + case WC_NID_sha384: return SHA384h; #endif #ifdef WOLFSSL_SHA512 - case NID_sha512: + case WC_NID_sha512: return SHA512h; #endif #ifndef WOLFSSL_NOSHA3_224 - case NID_sha3_224: + case WC_NID_sha3_224: return SHA3_224h; #endif #ifndef WOLFSSL_NOSHA3_256 - case NID_sha3_256: + case WC_NID_sha3_256: return SHA3_256h; #endif #ifndef WOLFSSL_NOSHA3_384 - case NID_sha3_384: + case WC_NID_sha3_384: return SHA3_384h; #endif #ifndef WOLFSSL_NOSHA3_512 - case NID_sha3_512: + case WC_NID_sha3_512: return SHA3_512h; #endif } @@ -22375,56 +22523,56 @@ word32 nid2oid(int nid, int grp) case oidSigType: switch (nid) { #ifndef NO_DSA - case NID_dsaWithSHA1: + case WC_NID_dsaWithSHA1: return CTC_SHAwDSA; - case NID_dsa_with_SHA256: + case WC_NID_dsa_with_SHA256: return CTC_SHA256wDSA; #endif /* NO_DSA */ #ifndef NO_RSA - case NID_md2WithRSAEncryption: + case WC_NID_md2WithRSAEncryption: return CTC_MD2wRSA; - case NID_md5WithRSAEncryption: + case WC_NID_md5WithRSAEncryption: return CTC_MD5wRSA; - case NID_sha1WithRSAEncryption: + case WC_NID_sha1WithRSAEncryption: return CTC_SHAwRSA; - case NID_sha224WithRSAEncryption: + case WC_NID_sha224WithRSAEncryption: return CTC_SHA224wRSA; - case NID_sha256WithRSAEncryption: + case WC_NID_sha256WithRSAEncryption: return CTC_SHA256wRSA; - case NID_sha384WithRSAEncryption: + case WC_NID_sha384WithRSAEncryption: return CTC_SHA384wRSA; - case NID_sha512WithRSAEncryption: + case WC_NID_sha512WithRSAEncryption: return CTC_SHA512wRSA; #ifdef WOLFSSL_SHA3 - case NID_RSA_SHA3_224: + case WC_NID_RSA_SHA3_224: return CTC_SHA3_224wRSA; - case NID_RSA_SHA3_256: + case WC_NID_RSA_SHA3_256: return CTC_SHA3_256wRSA; - case NID_RSA_SHA3_384: + case WC_NID_RSA_SHA3_384: return CTC_SHA3_384wRSA; - case NID_RSA_SHA3_512: + case WC_NID_RSA_SHA3_512: return CTC_SHA3_512wRSA; #endif #endif /* NO_RSA */ #ifdef HAVE_ECC - case NID_ecdsa_with_SHA1: + case WC_NID_ecdsa_with_SHA1: return CTC_SHAwECDSA; - case NID_ecdsa_with_SHA224: + case WC_NID_ecdsa_with_SHA224: return CTC_SHA224wECDSA; - case NID_ecdsa_with_SHA256: + case WC_NID_ecdsa_with_SHA256: return CTC_SHA256wECDSA; - case NID_ecdsa_with_SHA384: + case WC_NID_ecdsa_with_SHA384: return CTC_SHA384wECDSA; - case NID_ecdsa_with_SHA512: + case WC_NID_ecdsa_with_SHA512: return CTC_SHA512wECDSA; #ifdef WOLFSSL_SHA3 - case NID_ecdsa_with_SHA3_224: + case WC_NID_ecdsa_with_SHA3_224: return CTC_SHA3_224wECDSA; - case NID_ecdsa_with_SHA3_256: + case WC_NID_ecdsa_with_SHA3_256: return CTC_SHA3_256wECDSA; - case NID_ecdsa_with_SHA3_384: + case WC_NID_ecdsa_with_SHA3_384: return CTC_SHA3_384wECDSA; - case NID_ecdsa_with_SHA3_512: + case WC_NID_ecdsa_with_SHA3_512: return CTC_SHA3_512wECDSA; #endif #endif /* HAVE_ECC */ @@ -22435,15 +22583,15 @@ word32 nid2oid(int nid, int grp) case oidKeyType: switch (nid) { #ifndef NO_DSA - case NID_dsa: + case WC_NID_dsa: return DSAk; #endif /* NO_DSA */ #ifndef NO_RSA - case NID_rsaEncryption: + case WC_NID_rsaEncryption: return RSAk; #endif /* NO_RSA */ #ifdef HAVE_ECC - case NID_X9_62_id_ecPublicKey: + case WC_NID_X9_62_id_ecPublicKey: return ECDSAk; #endif /* HAVE_ECC */ } @@ -22453,59 +22601,59 @@ word32 nid2oid(int nid, int grp) #ifdef HAVE_ECC case oidCurveType: switch (nid) { - case NID_X9_62_prime192v1: + case WC_NID_X9_62_prime192v1: return ECC_SECP192R1_OID; - case NID_X9_62_prime192v2: + case WC_NID_X9_62_prime192v2: return ECC_PRIME192V2_OID; - case NID_X9_62_prime192v3: + case WC_NID_X9_62_prime192v3: return ECC_PRIME192V3_OID; - case NID_X9_62_prime239v1: + case WC_NID_X9_62_prime239v1: return ECC_PRIME239V1_OID; - case NID_X9_62_prime239v2: + case WC_NID_X9_62_prime239v2: return ECC_PRIME239V2_OID; - case NID_X9_62_prime239v3: + case WC_NID_X9_62_prime239v3: return ECC_PRIME239V3_OID; - case NID_X9_62_prime256v1: + case WC_NID_X9_62_prime256v1: return ECC_SECP256R1_OID; - case NID_secp112r1: + case WC_NID_secp112r1: return ECC_SECP112R1_OID; - case NID_secp112r2: + case WC_NID_secp112r2: return ECC_SECP112R2_OID; - case NID_secp128r1: + case WC_NID_secp128r1: return ECC_SECP128R1_OID; - case NID_secp128r2: + case WC_NID_secp128r2: return ECC_SECP128R2_OID; - case NID_secp160r1: + case WC_NID_secp160r1: return ECC_SECP160R1_OID; - case NID_secp160r2: + case WC_NID_secp160r2: return ECC_SECP160R2_OID; - case NID_secp224r1: + case WC_NID_secp224r1: return ECC_SECP224R1_OID; - case NID_secp384r1: + case WC_NID_secp384r1: return ECC_SECP384R1_OID; - case NID_secp521r1: + case WC_NID_secp521r1: return ECC_SECP521R1_OID; - case NID_secp160k1: + case WC_NID_secp160k1: return ECC_SECP160K1_OID; - case NID_secp192k1: + case WC_NID_secp192k1: return ECC_SECP192K1_OID; - case NID_secp224k1: + case WC_NID_secp224k1: return ECC_SECP224K1_OID; - case NID_secp256k1: + case WC_NID_secp256k1: return ECC_SECP256K1_OID; - case NID_brainpoolP160r1: + case WC_NID_brainpoolP160r1: return ECC_BRAINPOOLP160R1_OID; - case NID_brainpoolP192r1: + case WC_NID_brainpoolP192r1: return ECC_BRAINPOOLP192R1_OID; - case NID_brainpoolP224r1: + case WC_NID_brainpoolP224r1: return ECC_BRAINPOOLP224R1_OID; - case NID_brainpoolP256r1: + case WC_NID_brainpoolP256r1: return ECC_BRAINPOOLP256R1_OID; - case NID_brainpoolP320r1: + case WC_NID_brainpoolP320r1: return ECC_BRAINPOOLP320R1_OID; - case NID_brainpoolP384r1: + case WC_NID_brainpoolP384r1: return ECC_BRAINPOOLP384R1_OID; - case NID_brainpoolP512r1: + case WC_NID_brainpoolP512r1: return ECC_BRAINPOOLP512R1_OID; } break; @@ -22527,9 +22675,9 @@ word32 nid2oid(int nid, int grp) return AES256CBCb; #endif #ifndef NO_DES3 - case NID_des: + case WC_NID_des: return DESb; - case NID_des3: + case WC_NID_des3: return DES3b; #endif } @@ -22538,7 +22686,7 @@ word32 nid2oid(int nid, int grp) #ifdef HAVE_OCSP case oidOcspType: switch (nid) { - case NID_id_pkix_OCSP_basic: + case WC_NID_id_pkix_OCSP_basic: return OCSP_BASIC_OID; case OCSP_NONCE_OID: return OCSP_NONCE_OID; @@ -22549,27 +22697,27 @@ word32 nid2oid(int nid, int grp) /* oidCertExtType */ case oidCertExtType: switch (nid) { - case NID_basic_constraints: + case WC_NID_basic_constraints: return BASIC_CA_OID; - case NID_subject_alt_name: + case WC_NID_subject_alt_name: return ALT_NAMES_OID; - case NID_crl_distribution_points: + case WC_NID_crl_distribution_points: return CRL_DIST_OID; - case NID_info_access: + case WC_NID_info_access: return AUTH_INFO_OID; - case NID_authority_key_identifier: + case WC_NID_authority_key_identifier: return AUTH_KEY_OID; - case NID_subject_key_identifier: + case WC_NID_subject_key_identifier: return SUBJ_KEY_OID; - case NID_inhibit_any_policy: + case WC_NID_inhibit_any_policy: return INHIBIT_ANY_OID; - case NID_key_usage: + case WC_NID_key_usage: return KEY_USAGE_OID; - case NID_name_constraints: + case WC_NID_name_constraints: return NAME_CONS_OID; - case NID_certificate_policies: + case WC_NID_certificate_policies: return CERT_POLICY_OID; - case NID_ext_key_usage: + case WC_NID_ext_key_usage: return EXT_KEY_USAGE_OID; } break; @@ -22577,9 +22725,9 @@ word32 nid2oid(int nid, int grp) /* oidCertAuthInfoType */ case oidCertAuthInfoType: switch (nid) { - case NID_ad_OCSP: + case WC_NID_ad_OCSP: return AIA_OCSP_OID; - case NID_ad_ca_issuers: + case WC_NID_ad_ca_issuers: return AIA_CA_ISSUER_OID; } break; @@ -22587,7 +22735,7 @@ word32 nid2oid(int nid, int grp) /* oidCertPolicyType */ case oidCertPolicyType: switch (nid) { - case NID_any_policy: + case WC_NID_any_policy: return CP_ANY_OID; } break; @@ -22595,7 +22743,7 @@ word32 nid2oid(int nid, int grp) /* oidCertAltNameType */ case oidCertAltNameType: switch (nid) { - case NID_hw_name_oid: + case WC_NID_hw_name_oid: return HW_NAME_OID; } break; @@ -22603,7 +22751,7 @@ word32 nid2oid(int nid, int grp) /* oidCertKeyUseType */ case oidCertKeyUseType: switch (nid) { - case NID_anyExtendedKeyUsage: + case WC_NID_anyExtendedKeyUsage: return EKU_ANY_OID; case EKU_SERVER_AUTH_OID: return EKU_SERVER_AUTH_OID; @@ -22682,15 +22830,15 @@ word32 nid2oid(int nid, int grp) #ifdef WOLFSSL_CERT_REQ case oidCsrAttrType: switch (nid) { - case NID_pkcs9_contentType: + case WC_NID_pkcs9_contentType: return PKCS9_CONTENT_TYPE_OID; - case NID_pkcs9_challengePassword: + case WC_NID_pkcs9_challengePassword: return CHALLENGE_PASSWORD_OID; - case NID_serialNumber: + case WC_NID_serialNumber: return SERIAL_NUMBER_OID; - case NID_userId: + case WC_NID_userId: return USER_ID_OID; - case NID_surname: + case WC_NID_surname: return SURNAME_OID; } break; @@ -22716,29 +22864,29 @@ int oid2nid(word32 oid, int grp) switch (oid) { #ifdef WOLFSSL_MD2 case MD2h: - return NID_md2; + return WC_NID_md2; #endif #ifndef NO_MD5 case MD5h: - return NID_md5; + return WC_NID_md5; #endif #ifndef NO_SHA case SHAh: - return NID_sha1; + return WC_NID_sha1; #endif case SHA224h: - return NID_sha224; + return WC_NID_sha224; #ifndef NO_SHA256 case SHA256h: - return NID_sha256; + return WC_NID_sha256; #endif #ifdef WOLFSSL_SHA384 case SHA384h: - return NID_sha384; + return WC_NID_sha384; #endif #ifdef WOLFSSL_SHA512 case SHA512h: - return NID_sha512; + return WC_NID_sha512; #endif } break; @@ -22748,60 +22896,60 @@ int oid2nid(word32 oid, int grp) switch (oid) { #ifndef NO_DSA case CTC_SHAwDSA: - return NID_dsaWithSHA1; + return WC_NID_dsaWithSHA1; case CTC_SHA256wDSA: - return NID_dsa_with_SHA256; + return WC_NID_dsa_with_SHA256; #endif /* NO_DSA */ #ifndef NO_RSA case CTC_MD2wRSA: - return NID_md2WithRSAEncryption; + return WC_NID_md2WithRSAEncryption; case CTC_MD5wRSA: - return NID_md5WithRSAEncryption; + return WC_NID_md5WithRSAEncryption; case CTC_SHAwRSA: - return NID_sha1WithRSAEncryption; + return WC_NID_sha1WithRSAEncryption; case CTC_SHA224wRSA: - return NID_sha224WithRSAEncryption; + return WC_NID_sha224WithRSAEncryption; case CTC_SHA256wRSA: - return NID_sha256WithRSAEncryption; + return WC_NID_sha256WithRSAEncryption; case CTC_SHA384wRSA: - return NID_sha384WithRSAEncryption; + return WC_NID_sha384WithRSAEncryption; case CTC_SHA512wRSA: - return NID_sha512WithRSAEncryption; + return WC_NID_sha512WithRSAEncryption; #ifdef WOLFSSL_SHA3 case CTC_SHA3_224wRSA: - return NID_RSA_SHA3_224; + return WC_NID_RSA_SHA3_224; case CTC_SHA3_256wRSA: - return NID_RSA_SHA3_256; + return WC_NID_RSA_SHA3_256; case CTC_SHA3_384wRSA: - return NID_RSA_SHA3_384; + return WC_NID_RSA_SHA3_384; case CTC_SHA3_512wRSA: - return NID_RSA_SHA3_512; + return WC_NID_RSA_SHA3_512; #endif #ifdef WC_RSA_PSS case CTC_RSASSAPSS: - return NID_rsassaPss; + return WC_NID_rsassaPss; #endif #endif /* NO_RSA */ #ifdef HAVE_ECC case CTC_SHAwECDSA: - return NID_ecdsa_with_SHA1; + return WC_NID_ecdsa_with_SHA1; case CTC_SHA224wECDSA: - return NID_ecdsa_with_SHA224; + return WC_NID_ecdsa_with_SHA224; case CTC_SHA256wECDSA: - return NID_ecdsa_with_SHA256; + return WC_NID_ecdsa_with_SHA256; case CTC_SHA384wECDSA: - return NID_ecdsa_with_SHA384; + return WC_NID_ecdsa_with_SHA384; case CTC_SHA512wECDSA: - return NID_ecdsa_with_SHA512; + return WC_NID_ecdsa_with_SHA512; #ifdef WOLFSSL_SHA3 case CTC_SHA3_224wECDSA: - return NID_ecdsa_with_SHA3_224; + return WC_NID_ecdsa_with_SHA3_224; case CTC_SHA3_256wECDSA: - return NID_ecdsa_with_SHA3_256; + return WC_NID_ecdsa_with_SHA3_256; case CTC_SHA3_384wECDSA: - return NID_ecdsa_with_SHA3_384; + return WC_NID_ecdsa_with_SHA3_384; case CTC_SHA3_512wECDSA: - return NID_ecdsa_with_SHA3_512; + return WC_NID_ecdsa_with_SHA3_512; #endif #endif /* HAVE_ECC */ } @@ -22812,19 +22960,19 @@ int oid2nid(word32 oid, int grp) switch (oid) { #ifndef NO_DSA case DSAk: - return NID_dsa; + return WC_NID_dsa; #endif /* NO_DSA */ #ifndef NO_RSA case RSAk: - return NID_rsaEncryption; + return WC_NID_rsaEncryption; #ifdef WC_RSA_PSS case RSAPSSk: - return NID_rsassaPss; + return WC_NID_rsassaPss; #endif #endif /* NO_RSA */ #ifdef HAVE_ECC case ECDSAk: - return NID_X9_62_id_ecPublicKey; + return WC_NID_X9_62_id_ecPublicKey; #endif /* HAVE_ECC */ } break; @@ -22834,59 +22982,59 @@ int oid2nid(word32 oid, int grp) case oidCurveType: switch (oid) { case ECC_SECP192R1_OID: - return NID_X9_62_prime192v1; + return WC_NID_X9_62_prime192v1; case ECC_PRIME192V2_OID: - return NID_X9_62_prime192v2; + return WC_NID_X9_62_prime192v2; case ECC_PRIME192V3_OID: - return NID_X9_62_prime192v3; + return WC_NID_X9_62_prime192v3; case ECC_PRIME239V1_OID: - return NID_X9_62_prime239v1; + return WC_NID_X9_62_prime239v1; case ECC_PRIME239V2_OID: - return NID_X9_62_prime239v2; + return WC_NID_X9_62_prime239v2; case ECC_PRIME239V3_OID: - return NID_X9_62_prime239v3; + return WC_NID_X9_62_prime239v3; case ECC_SECP256R1_OID: - return NID_X9_62_prime256v1; + return WC_NID_X9_62_prime256v1; case ECC_SECP112R1_OID: - return NID_secp112r1; + return WC_NID_secp112r1; case ECC_SECP112R2_OID: - return NID_secp112r2; + return WC_NID_secp112r2; case ECC_SECP128R1_OID: - return NID_secp128r1; + return WC_NID_secp128r1; case ECC_SECP128R2_OID: - return NID_secp128r2; + return WC_NID_secp128r2; case ECC_SECP160R1_OID: - return NID_secp160r1; + return WC_NID_secp160r1; case ECC_SECP160R2_OID: - return NID_secp160r2; + return WC_NID_secp160r2; case ECC_SECP224R1_OID: - return NID_secp224r1; + return WC_NID_secp224r1; case ECC_SECP384R1_OID: - return NID_secp384r1; + return WC_NID_secp384r1; case ECC_SECP521R1_OID: - return NID_secp521r1; + return WC_NID_secp521r1; case ECC_SECP160K1_OID: - return NID_secp160k1; + return WC_NID_secp160k1; case ECC_SECP192K1_OID: - return NID_secp192k1; + return WC_NID_secp192k1; case ECC_SECP224K1_OID: - return NID_secp224k1; + return WC_NID_secp224k1; case ECC_SECP256K1_OID: - return NID_secp256k1; + return WC_NID_secp256k1; case ECC_BRAINPOOLP160R1_OID: - return NID_brainpoolP160r1; + return WC_NID_brainpoolP160r1; case ECC_BRAINPOOLP192R1_OID: - return NID_brainpoolP192r1; + return WC_NID_brainpoolP192r1; case ECC_BRAINPOOLP224R1_OID: - return NID_brainpoolP224r1; + return WC_NID_brainpoolP224r1; case ECC_BRAINPOOLP256R1_OID: - return NID_brainpoolP256r1; + return WC_NID_brainpoolP256r1; case ECC_BRAINPOOLP320R1_OID: - return NID_brainpoolP320r1; + return WC_NID_brainpoolP320r1; case ECC_BRAINPOOLP384R1_OID: - return NID_brainpoolP384r1; + return WC_NID_brainpoolP384r1; case ECC_BRAINPOOLP512R1_OID: - return NID_brainpoolP512r1; + return WC_NID_brainpoolP512r1; } break; #endif /* HAVE_ECC */ @@ -22908,9 +23056,9 @@ int oid2nid(word32 oid, int grp) #endif #ifndef NO_DES3 case DESb: - return NID_des; + return WC_NID_des; case DES3b: - return NID_des3; + return WC_NID_des3; #endif } break; @@ -22919,7 +23067,7 @@ int oid2nid(word32 oid, int grp) case oidOcspType: switch (oid) { case OCSP_BASIC_OID: - return NID_id_pkix_OCSP_basic; + return WC_NID_id_pkix_OCSP_basic; case OCSP_NONCE_OID: return OCSP_NONCE_OID; } @@ -22930,27 +23078,27 @@ int oid2nid(word32 oid, int grp) case oidCertExtType: switch (oid) { case BASIC_CA_OID: - return NID_basic_constraints; + return WC_NID_basic_constraints; case ALT_NAMES_OID: - return NID_subject_alt_name; + return WC_NID_subject_alt_name; case CRL_DIST_OID: - return NID_crl_distribution_points; + return WC_NID_crl_distribution_points; case AUTH_INFO_OID: - return NID_info_access; + return WC_NID_info_access; case AUTH_KEY_OID: - return NID_authority_key_identifier; + return WC_NID_authority_key_identifier; case SUBJ_KEY_OID: - return NID_subject_key_identifier; + return WC_NID_subject_key_identifier; case INHIBIT_ANY_OID: - return NID_inhibit_any_policy; + return WC_NID_inhibit_any_policy; case KEY_USAGE_OID: - return NID_key_usage; + return WC_NID_key_usage; case NAME_CONS_OID: - return NID_name_constraints; + return WC_NID_name_constraints; case CERT_POLICY_OID: - return NID_certificate_policies; + return WC_NID_certificate_policies; case EXT_KEY_USAGE_OID: - return NID_ext_key_usage; + return WC_NID_ext_key_usage; } break; @@ -22958,9 +23106,9 @@ int oid2nid(word32 oid, int grp) case oidCertAuthInfoType: switch (oid) { case AIA_OCSP_OID: - return NID_ad_OCSP; + return WC_NID_ad_OCSP; case AIA_CA_ISSUER_OID: - return NID_ad_ca_issuers; + return WC_NID_ad_ca_issuers; } break; @@ -22968,7 +23116,7 @@ int oid2nid(word32 oid, int grp) case oidCertPolicyType: switch (oid) { case CP_ANY_OID: - return NID_any_policy; + return WC_NID_any_policy; } break; @@ -22976,7 +23124,7 @@ int oid2nid(word32 oid, int grp) case oidCertAltNameType: switch (oid) { case HW_NAME_OID: - return NID_hw_name_oid; + return WC_NID_hw_name_oid; } break; @@ -22984,7 +23132,7 @@ int oid2nid(word32 oid, int grp) case oidCertKeyUseType: switch (oid) { case EKU_ANY_OID: - return NID_anyExtendedKeyUsage; + return WC_NID_anyExtendedKeyUsage; case EKU_SERVER_AUTH_OID: return EKU_SERVER_AUTH_OID; case EKU_CLIENT_AUTH_OID: @@ -23062,13 +23210,13 @@ int oid2nid(word32 oid, int grp) case oidCsrAttrType: switch (oid) { case PKCS9_CONTENT_TYPE_OID: - return NID_pkcs9_contentType; + return WC_NID_pkcs9_contentType; case CHALLENGE_PASSWORD_OID: - return NID_pkcs9_challengePassword; + return WC_NID_pkcs9_challengePassword; case SERIAL_NUMBER_OID: - return NID_serialNumber; + return WC_NID_serialNumber; case USER_ID_OID: - return NID_userId; + return WC_NID_userId; } break; #endif @@ -23228,9 +23376,9 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_AutoPrivateKey(WOLFSSL_EVP_PKEY** pkey, int type; /* ECC includes version, private[, curve][, public key] */ if (cnt >= 2 && cnt <= 4) - type = EVP_PKEY_EC; + type = WC_EVP_PKEY_EC; else - type = EVP_PKEY_RSA; + type = WC_EVP_PKEY_RSA; key = wolfSSL_d2i_PrivateKey(type, pkey, &der, keyLen); *pp = der; @@ -23883,21 +24031,17 @@ void *wolfSSL_CRYPTO_malloc(size_t num, const char *file, int line) /******************************************************************************* * START OF EX_DATA APIs ******************************************************************************/ -#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \ - (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_OPENSSH))) -void wolfSSL_CRYPTO_cleanup_all_ex_data(void){ - WOLFSSL_ENTER("CRYPTO_cleanup_all_ex_data"); +#ifdef HAVE_EX_DATA +void wolfSSL_CRYPTO_cleanup_all_ex_data(void) +{ + WOLFSSL_ENTER("wolfSSL_CRYPTO_cleanup_all_ex_data"); } -#endif -#ifdef HAVE_EX_DATA void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx) { - WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); + WOLFSSL_ENTER("wolfSSL_CRYPTO_get_ex_data"); #ifdef MAX_EX_DATA - if(ex_data && idx < MAX_EX_DATA && idx >= 0) { + if (ex_data && idx < MAX_EX_DATA && idx >= 0) { return ex_data->ex_data[idx]; } #else @@ -23915,6 +24059,8 @@ int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, if (ex_data && idx < MAX_EX_DATA && idx >= 0) { #ifdef HAVE_EX_DATA_CLEANUP_HOOKS if (ex_data->ex_data_cleanup_routines[idx]) { + /* call cleanup then remove cleanup callback, + * since different value is being set */ if (ex_data->ex_data[idx]) ex_data->ex_data_cleanup_routines[idx](ex_data->ex_data[idx]); ex_data->ex_data_cleanup_routines[idx] = NULL; @@ -23949,7 +24095,9 @@ int wolfSSL_CRYPTO_set_ex_data_with_cleanup( return WOLFSSL_FAILURE; } #endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ +#endif /* HAVE_EX_DATA */ +#ifdef HAVE_EX_DATA_CRYPTO /** * Issues unique index for the class specified by class_index. * Other parameter except class_index are ignored. @@ -23975,7 +24123,7 @@ int wolfSSL_CRYPTO_get_ex_new_index(int class_index, long argl, void *argp, return wolfssl_get_ex_new_index(class_index, argl, argp, new_func, dup_func, free_func); } -#endif /* HAVE_EX_DATA */ +#endif /* HAVE_EX_DATA_CRYPTO */ /******************************************************************************* * END OF EX_DATA APIs @@ -24799,150 +24947,150 @@ int wolfSSL_RAND_load_file(const char* fname, long len) switch (ctx->cipherType) { #ifndef NO_AES #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) - case AES_128_CBC_TYPE : - case AES_192_CBC_TYPE : - case AES_256_CBC_TYPE : + case WC_AES_128_CBC_TYPE : + case WC_AES_192_CBC_TYPE : + case WC_AES_256_CBC_TYPE : WOLFSSL_MSG("AES CBC"); XMEMCPY(ctx->iv, &ctx->cipher.aes.reg, ctx->ivSz); break; #endif #ifdef HAVE_AESGCM - case AES_128_GCM_TYPE : - case AES_192_GCM_TYPE : - case AES_256_GCM_TYPE : + case WC_AES_128_GCM_TYPE : + case WC_AES_192_GCM_TYPE : + case WC_AES_256_GCM_TYPE : WOLFSSL_MSG("AES GCM"); XMEMCPY(ctx->iv, &ctx->cipher.aes.reg, ctx->ivSz); break; #endif /* HAVE_AESGCM */ #ifdef HAVE_AESCCM - case AES_128_CCM_TYPE : - case AES_192_CCM_TYPE : - case AES_256_CCM_TYPE : + case WC_AES_128_CCM_TYPE : + case WC_AES_192_CCM_TYPE : + case WC_AES_256_CCM_TYPE : WOLFSSL_MSG("AES CCM"); XMEMCPY(ctx->iv, &ctx->cipher.aes.reg, ctx->ivSz); break; #endif /* HAVE_AESCCM */ #ifdef HAVE_AES_ECB - case AES_128_ECB_TYPE : - case AES_192_ECB_TYPE : - case AES_256_ECB_TYPE : + case WC_AES_128_ECB_TYPE : + case WC_AES_192_ECB_TYPE : + case WC_AES_256_ECB_TYPE : WOLFSSL_MSG("AES ECB"); break; #endif #ifdef WOLFSSL_AES_COUNTER - case AES_128_CTR_TYPE : - case AES_192_CTR_TYPE : - case AES_256_CTR_TYPE : + case WC_AES_128_CTR_TYPE : + case WC_AES_192_CTR_TYPE : + case WC_AES_256_CTR_TYPE : WOLFSSL_MSG("AES CTR"); - XMEMCPY(ctx->iv, &ctx->cipher.aes.reg, AES_BLOCK_SIZE); + XMEMCPY(ctx->iv, &ctx->cipher.aes.reg, WC_AES_BLOCK_SIZE); break; #endif /* WOLFSSL_AES_COUNTER */ #ifdef WOLFSSL_AES_CFB #if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) - case AES_128_CFB1_TYPE: - case AES_192_CFB1_TYPE: - case AES_256_CFB1_TYPE: + case WC_AES_128_CFB1_TYPE: + case WC_AES_192_CFB1_TYPE: + case WC_AES_256_CFB1_TYPE: WOLFSSL_MSG("AES CFB1"); break; - case AES_128_CFB8_TYPE: - case AES_192_CFB8_TYPE: - case AES_256_CFB8_TYPE: + case WC_AES_128_CFB8_TYPE: + case WC_AES_192_CFB8_TYPE: + case WC_AES_256_CFB8_TYPE: WOLFSSL_MSG("AES CFB8"); break; #endif /* !HAVE_SELFTEST && !HAVE_FIPS */ - case AES_128_CFB128_TYPE: - case AES_192_CFB128_TYPE: - case AES_256_CFB128_TYPE: + case WC_AES_128_CFB128_TYPE: + case WC_AES_192_CFB128_TYPE: + case WC_AES_256_CFB128_TYPE: WOLFSSL_MSG("AES CFB128"); break; #endif /* WOLFSSL_AES_CFB */ #if defined(WOLFSSL_AES_OFB) - case AES_128_OFB_TYPE: - case AES_192_OFB_TYPE: - case AES_256_OFB_TYPE: + case WC_AES_128_OFB_TYPE: + case WC_AES_192_OFB_TYPE: + case WC_AES_256_OFB_TYPE: WOLFSSL_MSG("AES OFB"); break; #endif /* WOLFSSL_AES_OFB */ #ifdef WOLFSSL_AES_XTS - case AES_128_XTS_TYPE: - case AES_256_XTS_TYPE: + case WC_AES_128_XTS_TYPE: + case WC_AES_256_XTS_TYPE: WOLFSSL_MSG("AES XTS"); break; #endif /* WOLFSSL_AES_XTS */ #endif /* NO_AES */ #ifdef HAVE_ARIA - case ARIA_128_GCM_TYPE : - case ARIA_192_GCM_TYPE : - case ARIA_256_GCM_TYPE : + case WC_ARIA_128_GCM_TYPE : + case WC_ARIA_192_GCM_TYPE : + case WC_ARIA_256_GCM_TYPE : WOLFSSL_MSG("ARIA GCM"); XMEMCPY(ctx->iv, &ctx->cipher.aria.nonce, ARIA_BLOCK_SIZE); break; #endif /* HAVE_ARIA */ #ifndef NO_DES3 - case DES_CBC_TYPE : + case WC_DES_CBC_TYPE : WOLFSSL_MSG("DES CBC"); XMEMCPY(ctx->iv, &ctx->cipher.des.reg, DES_BLOCK_SIZE); break; - case DES_EDE3_CBC_TYPE : + case WC_DES_EDE3_CBC_TYPE : WOLFSSL_MSG("DES EDE3 CBC"); XMEMCPY(ctx->iv, &ctx->cipher.des3.reg, DES_BLOCK_SIZE); break; #endif #ifdef WOLFSSL_DES_ECB - case DES_ECB_TYPE : + case WC_DES_ECB_TYPE : WOLFSSL_MSG("DES ECB"); break; - case DES_EDE3_ECB_TYPE : + case WC_DES_EDE3_ECB_TYPE : WOLFSSL_MSG("DES3 ECB"); break; #endif - case ARC4_TYPE : + case WC_ARC4_TYPE : WOLFSSL_MSG("ARC4"); break; #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - case CHACHA20_POLY1305_TYPE: + case WC_CHACHA20_POLY1305_TYPE: break; #endif #ifdef HAVE_CHACHA - case CHACHA20_TYPE: + case WC_CHACHA20_TYPE: break; #endif #ifdef WOLFSSL_SM4_ECB - case SM4_ECB_TYPE: + case WC_SM4_ECB_TYPE: break; #endif #ifdef WOLFSSL_SM4_CBC - case SM4_CBC_TYPE: + case WC_SM4_CBC_TYPE: WOLFSSL_MSG("SM4 CBC"); XMEMCPY(&ctx->cipher.sm4.iv, ctx->iv, SM4_BLOCK_SIZE); break; #endif #ifdef WOLFSSL_SM4_CTR - case SM4_CTR_TYPE: + case WC_SM4_CTR_TYPE: WOLFSSL_MSG("SM4 CTR"); XMEMCPY(&ctx->cipher.sm4.iv, ctx->iv, SM4_BLOCK_SIZE); break; #endif #ifdef WOLFSSL_SM4_GCM - case SM4_GCM_TYPE: + case WC_SM4_GCM_TYPE: WOLFSSL_MSG("SM4 GCM"); XMEMCPY(&ctx->cipher.sm4.iv, ctx->iv, SM4_BLOCK_SIZE); break; #endif #ifdef WOLFSSL_SM4_CCM - case SM4_CCM_TYPE: + case WC_SM4_CCM_TYPE: WOLFSSL_MSG("SM4 CCM"); XMEMCPY(&ctx->cipher.sm4.iv, ctx->iv, SM4_BLOCK_SIZE); break; #endif - case NULL_CIPHER_TYPE : + case WC_NULL_CIPHER_TYPE : WOLFSSL_MSG("NULL"); break; @@ -24969,112 +25117,112 @@ int wolfSSL_RAND_load_file(const char* fname, long len) #ifndef NO_AES #if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) - case AES_128_CBC_TYPE : - case AES_192_CBC_TYPE : - case AES_256_CBC_TYPE : + case WC_AES_128_CBC_TYPE : + case WC_AES_192_CBC_TYPE : + case WC_AES_256_CBC_TYPE : WOLFSSL_MSG("AES CBC"); - XMEMCPY(&ctx->cipher.aes.reg, ctx->iv, AES_BLOCK_SIZE); + XMEMCPY(&ctx->cipher.aes.reg, ctx->iv, WC_AES_BLOCK_SIZE); break; #endif #ifdef HAVE_AESGCM - case AES_128_GCM_TYPE : - case AES_192_GCM_TYPE : - case AES_256_GCM_TYPE : + case WC_AES_128_GCM_TYPE : + case WC_AES_192_GCM_TYPE : + case WC_AES_256_GCM_TYPE : WOLFSSL_MSG("AES GCM"); - XMEMCPY(&ctx->cipher.aes.reg, ctx->iv, AES_BLOCK_SIZE); + XMEMCPY(&ctx->cipher.aes.reg, ctx->iv, WC_AES_BLOCK_SIZE); break; #endif #ifdef HAVE_AES_ECB - case AES_128_ECB_TYPE : - case AES_192_ECB_TYPE : - case AES_256_ECB_TYPE : + case WC_AES_128_ECB_TYPE : + case WC_AES_192_ECB_TYPE : + case WC_AES_256_ECB_TYPE : WOLFSSL_MSG("AES ECB"); break; #endif #ifdef WOLFSSL_AES_COUNTER - case AES_128_CTR_TYPE : - case AES_192_CTR_TYPE : - case AES_256_CTR_TYPE : + case WC_AES_128_CTR_TYPE : + case WC_AES_192_CTR_TYPE : + case WC_AES_256_CTR_TYPE : WOLFSSL_MSG("AES CTR"); - XMEMCPY(&ctx->cipher.aes.reg, ctx->iv, AES_BLOCK_SIZE); + XMEMCPY(&ctx->cipher.aes.reg, ctx->iv, WC_AES_BLOCK_SIZE); break; #endif #endif /* NO_AES */ #ifdef HAVE_ARIA - case ARIA_128_GCM_TYPE : - case ARIA_192_GCM_TYPE : - case ARIA_256_GCM_TYPE : + case WC_ARIA_128_GCM_TYPE : + case WC_ARIA_192_GCM_TYPE : + case WC_ARIA_256_GCM_TYPE : WOLFSSL_MSG("ARIA GCM"); XMEMCPY(&ctx->cipher.aria.nonce, ctx->iv, ARIA_BLOCK_SIZE); break; #endif /* HAVE_ARIA */ #ifndef NO_DES3 - case DES_CBC_TYPE : + case WC_DES_CBC_TYPE : WOLFSSL_MSG("DES CBC"); XMEMCPY(&ctx->cipher.des.reg, ctx->iv, DES_BLOCK_SIZE); break; - case DES_EDE3_CBC_TYPE : + case WC_DES_EDE3_CBC_TYPE : WOLFSSL_MSG("DES EDE3 CBC"); XMEMCPY(&ctx->cipher.des3.reg, ctx->iv, DES_BLOCK_SIZE); break; #endif #ifdef WOLFSSL_DES_ECB - case DES_ECB_TYPE : + case WC_DES_ECB_TYPE : WOLFSSL_MSG("DES ECB"); break; - case DES_EDE3_ECB_TYPE : + case WC_DES_EDE3_ECB_TYPE : WOLFSSL_MSG("DES3 ECB"); break; #endif - case ARC4_TYPE : + case WC_ARC4_TYPE : WOLFSSL_MSG("ARC4"); break; #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) - case CHACHA20_POLY1305_TYPE: + case WC_CHACHA20_POLY1305_TYPE: break; #endif #ifdef HAVE_CHACHA - case CHACHA20_TYPE: + case WC_CHACHA20_TYPE: break; #endif #ifdef WOLFSSL_SM4_ECB - case SM4_ECB_TYPE: + case WC_SM4_ECB_TYPE: break; #endif #ifdef WOLFSSL_SM4_CBC - case SM4_CBC_TYPE: + case WC_SM4_CBC_TYPE: WOLFSSL_MSG("SM4 CBC"); XMEMCPY(ctx->iv, &ctx->cipher.sm4.iv, ctx->ivSz); break; #endif #ifdef WOLFSSL_SM4_CTR - case SM4_CTR_TYPE: + case WC_SM4_CTR_TYPE: WOLFSSL_MSG("SM4 CTR"); XMEMCPY(ctx->iv, &ctx->cipher.sm4.iv, ctx->ivSz); break; #endif #ifdef WOLFSSL_SM4_GCM - case SM4_GCM_TYPE: + case WC_SM4_GCM_TYPE: WOLFSSL_MSG("SM4 GCM"); XMEMCPY(ctx->iv, &ctx->cipher.sm4.iv, ctx->ivSz); break; #endif #ifdef WOLFSSL_SM4_CCM - case SM4_CCM_TYPE: + case WC_SM4_CCM_TYPE: WOLFSSL_MSG("SM4 CCM"); XMEMCPY(ctx->iv, &ctx->cipher.sm4.iv, ctx->ivSz); break; #endif - case NULL_CIPHER_TYPE : + case WC_NULL_CIPHER_TYPE : WOLFSSL_MSG("NULL"); break; @@ -25126,7 +25274,7 @@ void wolfSSL_aes_ctr_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, int doset, if (doset) (void)wc_AesSetIV(&ctx->cipher.aes, iv); /* OpenSSL compat, no ret */ else - XMEMCPY(iv, &ctx->cipher.aes.reg, AES_BLOCK_SIZE); + XMEMCPY(iv, &ctx->cipher.aes.reg, WC_AES_BLOCK_SIZE); } #endif /* NO_AES */ diff --git a/src/ssl_asn1.c b/src/ssl_asn1.c index 95f9cca156..402fcf7a4b 100644 --- a/src/ssl_asn1.c +++ b/src/ssl_asn1.c @@ -456,7 +456,7 @@ static void* d2i_obj(const WOLFSSL_ASN1_TEMPLATE* mem, const byte** src, mem->free_func(ret); /* never a stack so we can call this directly */ return NULL; } - *len -= (tmp - *src); + *len -= (long)(tmp - *src); *src = tmp; return ret; } @@ -586,7 +586,7 @@ static void* d2i_generic(const WOLFSSL_ASN1_TEMPLATE* mem, WOLFSSL_MSG("ptr not advanced enough"); goto error; } - *len -= tmp - *src; + *len -= (long)(tmp - *src); *src = tmp; return ret; error: @@ -1019,7 +1019,7 @@ static void wolfssl_asn1_integer_reset_data(WOLFSSL_ASN1_INTEGER* a) /* No data, not negative. */ a->negative = 0; /* Set type to positive INTEGER. */ - a->type = V_ASN1_INTEGER; + a->type = WOLFSSL_V_ASN1_INTEGER; } #endif /* OPENSSL_EXTRA */ @@ -1318,7 +1318,7 @@ WOLFSSL_ASN1_INTEGER* wolfSSL_d2i_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER** a, } if (!err) { /* Set type. */ - ret->type = V_ASN1_INTEGER; + ret->type = WOLFSSL_V_ASN1_INTEGER; /* Copy DER encoding and length. */ XMEMCPY(ret->data, *in, (size_t)(idx + (word32)len)); @@ -1331,7 +1331,7 @@ WOLFSSL_ASN1_INTEGER* wolfSSL_d2i_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER** a, } if ((!err) && ret->negative) { /* Update type if number was negative. */ - ret->type |= V_ASN1_NEG_INTEGER; + ret->type |= WOLFSSL_V_ASN1_NEG_INTEGER; } if (err) { @@ -1490,7 +1490,7 @@ int wolfSSL_a2i_ASN1_INTEGER(WOLFSSL_BIO *bio, WOLFSSL_ASN1_INTEGER *asn1, * @return 0 when bp or a is NULL. * @return 0 DER header in data is invalid. */ -int wolfSSL_i2a_ASN1_INTEGER(BIO *bp, const WOLFSSL_ASN1_INTEGER *a) +int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp, const WOLFSSL_ASN1_INTEGER *a) { int err = 0; word32 idx = 1; /* Skip ASN.1 INTEGER tag byte. */ @@ -1751,10 +1751,10 @@ WOLFSSL_ASN1_INTEGER* wolfSSL_BN_to_ASN1_INTEGER(const WOLFSSL_BIGNUM *bn, int length; /* Set type and negative. */ - a->type = V_ASN1_INTEGER; + a->type = WOLFSSL_V_ASN1_INTEGER; if (wolfSSL_BN_is_negative(bn) && !wolfSSL_BN_is_zero(bn)) { a->negative = 1; - a->type |= V_ASN1_NEG_INTEGER; + a->type |= WOLFSSL_V_ASN1_NEG_INTEGER; } /* Get length in bytes of encoded number. */ @@ -1883,7 +1883,7 @@ int wolfSSL_ASN1_INTEGER_set(WOLFSSL_ASN1_INTEGER *a, long v) if (v < 0) { /* Set negative and 2's complement the value. */ a->negative = 1; - a->type |= V_ASN1_NEG; + a->type |= WOLFSSL_V_ASN1_NEG; v = -v; } @@ -2345,7 +2345,7 @@ int wolfSSL_i2a_ASN1_OBJECT(WOLFSSL_BIO *bp, WOLFSSL_ASN1_OBJECT *a) length = wolfSSL_BIO_write(bp, null_str, (int)XSTRLEN(null_str)); } /* Try getting text version and write it out. */ - else if ((length = i2t_ASN1_OBJECT(buf, sizeof(buf), a)) > 0) { + else if ((length = wolfSSL_i2t_ASN1_OBJECT(buf, sizeof(buf), a)) > 0) { length = wolfSSL_BIO_write(bp, buf, length); } /* Look for DER header. */ @@ -2651,7 +2651,7 @@ int wolfSSL_ASN1_UNIVERSALSTRING_to_string(WOLFSSL_ASN1_STRING *s) } /* Check type of ASN.1 STRING. */ - if ((ret == 1) && (s->type != V_ASN1_UNIVERSALSTRING)) { + if ((ret == 1) && (s->type != WOLFSSL_V_ASN1_UNIVERSALSTRING)) { WOLFSSL_MSG("Input is not a universal string"); ret = 0; } @@ -2685,7 +2685,7 @@ int wolfSSL_ASN1_UNIVERSALSTRING_to_string(WOLFSSL_ASN1_STRING *s) *copy = '\0'; /* Update length and type. */ s->length /= 4; - s->type = V_ASN1_PRINTABLESTRING; + s->type = WOLFSSL_V_ASN1_PRINTABLESTRING; } return ret; @@ -2912,7 +2912,7 @@ static WOLFSSL_ASN1_STRING* d2i_ASN1_STRING(WOLFSSL_ASN1_STRING** out, byte tag = 0; int length = 0; - WOLFSSL_ENTER("d2i_ASN1_GENERALSTRING"); + WOLFSSL_ENTER("d2i_ASN1_STRING"); if (src == NULL || *src == NULL || len == 0) return NULL; @@ -3207,10 +3207,10 @@ int wolfSSL_ASN1_STRING_canon(WOLFSSL_ASN1_STRING* asn_out, if (ret == 1) { switch (asn_in->type) { - case MBSTRING_UTF8: - case V_ASN1_PRINTABLESTRING: + case WOLFSSL_MBSTRING_UTF8: + case WOLFSSL_V_ASN1_PRINTABLESTRING: /* Set type to UTF8. */ - asn_out->type = MBSTRING_UTF8; + asn_out->type = WOLFSSL_MBSTRING_UTF8; /* Dispose of any dynamic data already in asn_out. */ if (asn_out->isDynamic) { XFREE(asn_out->data, NULL, DYNAMIC_TYPE_OPENSSL); @@ -3327,8 +3327,8 @@ const char* wolfSSL_ASN1_tag2str(int tag) const char* str = "(unknown)"; /* Clear negative flag. */ - if ((tag == V_ASN1_NEG_INTEGER) || (tag == V_ASN1_NEG_ENUMERATED)) { - tag &= ~V_ASN1_NEG; + if ((tag == WOLFSSL_V_ASN1_NEG_INTEGER) || (tag == WOLFSSL_V_ASN1_NEG_ENUMERATED)) { + tag &= ~WOLFSSL_V_ASN1_NEG; } /* Check for known basic types. */ if ((tag >= 0) && (tag <= 30)) { @@ -3514,7 +3514,7 @@ int wolfSSL_ASN1_STRING_print_ex(WOLFSSL_BIO *bio, WOLFSSL_ASN1_STRING *str, err = 1; } /* Check if ASN.1 type is to be printed. */ - if ((!err) && (flags & ASN1_STRFLGS_SHOW_TYPE)) { + if ((!err) && (flags & WOLFSSL_ASN1_STRFLGS_SHOW_TYPE)) { /* Print type and colon to BIO. */ type_len = wolfssl_string_print_type(bio, str); if (type_len == 0) { @@ -3523,12 +3523,12 @@ int wolfSSL_ASN1_STRING_print_ex(WOLFSSL_BIO *bio, WOLFSSL_ASN1_STRING *str, } if (!err) { - if (flags & ASN1_STRFLGS_DUMP_ALL) { + if (flags & WOLFSSL_ASN1_STRFLGS_DUMP_ALL) { /* Dump hex. */ str_len = wolfssl_asn1_string_dump_hex(bio, str, - flags & ASN1_STRFLGS_DUMP_DER); + flags & WOLFSSL_ASN1_STRFLGS_DUMP_DER); } - else if (flags & ASN1_STRFLGS_ESC_2253) { + else if (flags & WOLFSSL_ASN1_STRFLGS_ESC_2253) { /* Print out string with escaping. */ str_len = wolfssl_asn1_string_print_esc_2253(bio, str); } @@ -3621,7 +3621,7 @@ int wolfSSL_ASN1_GENERALIZEDTIME_print(WOLFSSL_BIO* bio, ret = BAD_FUNC_ARG; } /* Check type is GENERALIZED TIME. */ - if ((ret == 1) && (asnTime->type != V_ASN1_GENERALIZEDTIME)) { + if ((ret == 1) && (asnTime->type != WOLFSSL_V_ASN1_GENERALIZEDTIME)) { WOLFSSL_MSG("Error, not GENERALIZED_TIME"); ret = 0; } @@ -4036,8 +4036,8 @@ int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *t, const char *str) /* Do not include NUL terminator in length. */ t->length = slen - 1; /* Set ASN.1 type based on string length. */ - t->type = ((slen == ASN_UTC_TIME_SIZE) ? V_ASN1_UTCTIME : - V_ASN1_GENERALIZEDTIME); + t->type = ((slen == ASN_UTC_TIME_SIZE) ? WOLFSSL_V_ASN1_UTCTIME : + WOLFSSL_V_ASN1_GENERALIZEDTIME); } return ret; @@ -4078,8 +4078,8 @@ WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_to_generalizedtime(WOLFSSL_ASN1_TIME *t, WOLFSSL_MSG("Invalid ASN_TIME value"); } /* Ensure ASN.1 type is one that is supported. */ - else if ((t->type != V_ASN1_UTCTIME) && - (t->type != V_ASN1_GENERALIZEDTIME)) { + else if ((t->type != WOLFSSL_V_ASN1_UTCTIME) && + (t->type != WOLFSSL_V_ASN1_GENERALIZEDTIME)) { WOLFSSL_MSG("Invalid ASN_TIME type."); } /* Check for ASN.1 GENERALIZED TIME object being passed in. */ @@ -4097,9 +4097,9 @@ WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_to_generalizedtime(WOLFSSL_ASN1_TIME *t, if (ret != NULL) { /* Set the ASN.1 type and length of string. */ - ret->type = V_ASN1_GENERALIZEDTIME; + ret->type = WOLFSSL_V_ASN1_GENERALIZEDTIME; - if (t->type == V_ASN1_GENERALIZEDTIME) { + if (t->type == WOLFSSL_V_ASN1_GENERALIZEDTIME) { ret->length = ASN_GENERALIZED_TIME_SIZE; /* Just copy as data already appropriately formatted. */ @@ -4151,7 +4151,7 @@ WOLFSSL_ASN1_TIME* wolfSSL_ASN1_UTCTIME_set(WOLFSSL_ASN1_TIME *s, time_t t) ret = NULL; } else { - ret->type = V_ASN1_UTCTIME; + ret->type = WOLFSSL_V_ASN1_UTCTIME; } return ret; @@ -4311,7 +4311,7 @@ static int wolfssl_asn1_time_to_tm(const WOLFSSL_ASN1_TIME* asnTime, /* Zero out values in broken-down time. */ XMEMSET(tm, 0, sizeof(struct tm)); - if (asnTime->type == V_ASN1_UTCTIME) { + if (asnTime->type == WOLFSSL_V_ASN1_UTCTIME) { /* Get year from UTC TIME string. */ int tm_year; if ((ret = wolfssl_utctime_year(asn1TimeBuf, asn1TimeBufLen, @@ -4321,7 +4321,7 @@ static int wolfssl_asn1_time_to_tm(const WOLFSSL_ASN1_TIME* asnTime, i = 2; } } - else if (asnTime->type == V_ASN1_GENERALIZEDTIME) { + else if (asnTime->type == WOLFSSL_V_ASN1_GENERALIZEDTIME) { /* Get year from GENERALIZED TIME string. */ int tm_year; if ((ret = wolfssl_gentime_year(asn1TimeBuf, asn1TimeBufLen, @@ -4522,7 +4522,7 @@ int wolfSSL_ASN1_UTCTIME_print(WOLFSSL_BIO* bio, const WOLFSSL_ASN1_UTCTIME* a) ret = 0; } /* Validate ASN.1 UTC TIME object is of type UTC_TIME. */ - if ((ret == 1) && (a->type != V_ASN1_UTCTIME)) { + if ((ret == 1) && (a->type != WOLFSSL_V_ASN1_UTCTIME)) { WOLFSSL_MSG("Error, not UTC_TIME"); ret = 0; } @@ -4574,28 +4574,28 @@ WOLFSSL_ASN1_TYPE* wolfSSL_ASN1_TYPE_new(void) static void wolfssl_asn1_type_free_value(WOLFSSL_ASN1_TYPE* at) { switch (at->type) { - case V_ASN1_NULL: + case WOLFSSL_V_ASN1_NULL: break; - case V_ASN1_OBJECT: + case WOLFSSL_V_ASN1_OBJECT: wolfSSL_ASN1_OBJECT_free(at->value.object); break; - case V_ASN1_UTCTIME: + case WOLFSSL_V_ASN1_UTCTIME: #if !defined(NO_ASN_TIME) && defined(OPENSSL_EXTRA) wolfSSL_ASN1_TIME_free(at->value.utctime); #endif break; - case V_ASN1_GENERALIZEDTIME: + case WOLFSSL_V_ASN1_GENERALIZEDTIME: #if !defined(NO_ASN_TIME) && defined(OPENSSL_EXTRA) wolfSSL_ASN1_TIME_free(at->value.generalizedtime); #endif break; - case V_ASN1_UTF8STRING: - case V_ASN1_OCTET_STRING: - case V_ASN1_PRINTABLESTRING: - case V_ASN1_T61STRING: - case V_ASN1_IA5STRING: - case V_ASN1_UNIVERSALSTRING: - case V_ASN1_SEQUENCE: + case WOLFSSL_V_ASN1_UTF8STRING: + case WOLFSSL_V_ASN1_OCTET_STRING: + case WOLFSSL_V_ASN1_PRINTABLESTRING: + case WOLFSSL_V_ASN1_T61STRING: + case WOLFSSL_V_ASN1_IA5STRING: + case WOLFSSL_V_ASN1_UNIVERSALSTRING: + case WOLFSSL_V_ASN1_SEQUENCE: wolfSSL_ASN1_STRING_free(at->value.asn1_string); break; default: @@ -4626,25 +4626,25 @@ int wolfSSL_i2d_ASN1_TYPE(WOLFSSL_ASN1_TYPE* at, unsigned char** pp) return WOLFSSL_FATAL_ERROR; switch (at->type) { - case V_ASN1_NULL: + case WOLFSSL_V_ASN1_NULL: break; - case V_ASN1_OBJECT: + case WOLFSSL_V_ASN1_OBJECT: ret = wolfSSL_i2d_ASN1_OBJECT(at->value.object, pp); break; - case V_ASN1_UTF8STRING: + case WOLFSSL_V_ASN1_UTF8STRING: ret = wolfSSL_i2d_ASN1_UTF8STRING(at->value.utf8string, pp); break; - case V_ASN1_GENERALIZEDTIME: + case WOLFSSL_V_ASN1_GENERALIZEDTIME: ret = wolfSSL_i2d_ASN1_GENERALSTRING(at->value.utf8string, pp); break; - case V_ASN1_SEQUENCE: + case WOLFSSL_V_ASN1_SEQUENCE: ret = wolfSSL_i2d_ASN1_SEQUENCE(at->value.sequence, pp); break; - case V_ASN1_UTCTIME: - case V_ASN1_PRINTABLESTRING: - case V_ASN1_T61STRING: - case V_ASN1_IA5STRING: - case V_ASN1_UNIVERSALSTRING: + case WOLFSSL_V_ASN1_UTCTIME: + case WOLFSSL_V_ASN1_PRINTABLESTRING: + case WOLFSSL_V_ASN1_T61STRING: + case WOLFSSL_V_ASN1_IA5STRING: + case WOLFSSL_V_ASN1_UNIVERSALSTRING: default: WOLFSSL_MSG("asn1 i2d type not supported"); break; @@ -4661,16 +4661,16 @@ int wolfSSL_i2d_ASN1_TYPE(WOLFSSL_ASN1_TYPE* at, unsigned char** pp) * Set ASN.1 TYPE object with a type and value. * * Type of value for different types: - * V_ASN1_NULL : Value should be NULL. - * V_ASN1_OBJECT : WOLFSSL_ASN1_OBJECT. - * V_ASN1_UTCTIME : WOLFSSL_ASN1_TIME. - * V_ASN1_GENERALIZEDTIME : WOLFSSL_ASN1_TIME. - * V_ASN1_UTF8STRING : WOLFSSL_ASN1_STRING. - * V_ASN1_PRINTABLESTRING : WOLFSSL_ASN1_STRING. - * V_ASN1_T61STRING : WOLFSSL_ASN1_STRING. - * V_ASN1_IA5STRING : WOLFSSL_ASN1_STRING. - * V_ASN1_UNINVERSALSTRING: WOLFSSL_ASN1_STRING. - * V_ASN1_SEQUENCE : WOLFSSL_ASN1_STRING. + * WOLFSSL_V_ASN1_NULL : Value should be NULL. + * WOLFSSL_V_ASN1_OBJECT : WOLFSSL_ASN1_OBJECT. + * WOLFSSL_V_ASN1_UTCTIME : WOLFSSL_ASN1_TIME. + * WOLFSSL_V_ASN1_GENERALIZEDTIME : WOLFSSL_ASN1_TIME. + * WOLFSSL_V_ASN1_UTF8STRING : WOLFSSL_ASN1_STRING. + * WOLFSSL_V_ASN1_PRINTABLESTRING : WOLFSSL_ASN1_STRING. + * WOLFSSL_V_ASN1_T61STRING : WOLFSSL_ASN1_STRING. + * WOLFSSL_V_ASN1_IA5STRING : WOLFSSL_ASN1_STRING. + * WOLFSSL_V_ASN1_UNINVERSALSTRING: WOLFSSL_ASN1_STRING. + * WOLFSSL_V_ASN1_SEQUENCE : WOLFSSL_ASN1_STRING. * * @param [in, out] a ASN.1 TYPE object to set. * @param [in] type ASN.1 type of value. @@ -4680,22 +4680,22 @@ void wolfSSL_ASN1_TYPE_set(WOLFSSL_ASN1_TYPE *a, int type, void *value) { if (a != NULL) { switch (type) { - case V_ASN1_NULL: + case WOLFSSL_V_ASN1_NULL: if (value != NULL) { WOLFSSL_MSG("NULL tag meant to be always empty!"); /* No way to return error - value will not be used. */ } FALL_THROUGH; - case V_ASN1_OBJECT: - case V_ASN1_UTCTIME: - case V_ASN1_GENERALIZEDTIME: - case V_ASN1_UTF8STRING: - case V_ASN1_OCTET_STRING: - case V_ASN1_PRINTABLESTRING: - case V_ASN1_T61STRING: - case V_ASN1_IA5STRING: - case V_ASN1_UNIVERSALSTRING: - case V_ASN1_SEQUENCE: + case WOLFSSL_V_ASN1_OBJECT: + case WOLFSSL_V_ASN1_UTCTIME: + case WOLFSSL_V_ASN1_GENERALIZEDTIME: + case WOLFSSL_V_ASN1_UTF8STRING: + case WOLFSSL_V_ASN1_OCTET_STRING: + case WOLFSSL_V_ASN1_PRINTABLESTRING: + case WOLFSSL_V_ASN1_T61STRING: + case WOLFSSL_V_ASN1_IA5STRING: + case WOLFSSL_V_ASN1_UNIVERSALSTRING: + case WOLFSSL_V_ASN1_SEQUENCE: /* Dispose of any value currently set. */ wolfssl_asn1_type_free_value(a); /* Assign anonymously typed input to anonymously typed field. */ @@ -4712,7 +4712,7 @@ void wolfSSL_ASN1_TYPE_set(WOLFSSL_ASN1_TYPE *a, int type, void *value) int wolfSSL_ASN1_TYPE_get(const WOLFSSL_ASN1_TYPE *a) { - if (a != NULL && (a->type == V_ASN1_BOOLEAN || a->type == V_ASN1_NULL + if (a != NULL && (a->type == WOLFSSL_V_ASN1_BOOLEAN || a->type == WOLFSSL_V_ASN1_NULL || a->value.ptr != NULL)) return a->type; return 0; diff --git a/src/ssl_bn.c b/src/ssl_bn.c index 227fc71606..1c05b14799 100644 --- a/src/ssl_bn.c +++ b/src/ssl_bn.c @@ -166,7 +166,7 @@ int wolfssl_bn_set_value(WOLFSSL_BIGNUM** bn, mp_int* mpi) /* Dispose of any allocated big number on error. */ if ((ret == -1) && (a != NULL)) { - BN_free(a); + wolfSSL_BN_free(a); *bn = NULL; } return ret; diff --git a/src/ssl_certman.c b/src/ssl_certman.c index a5b622dede..55f3c7be49 100644 --- a/src/ssl_certman.c +++ b/src/ssl_certman.c @@ -455,11 +455,12 @@ int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm) return ret; } -int wolfSSL_CertManagerUnloadIntermediateCerts(WOLFSSL_CERT_MANAGER* cm) +static int wolfSSL_CertManagerUnloadIntermediateCertsEx( + WOLFSSL_CERT_MANAGER* cm, byte type) { int ret = WOLFSSL_SUCCESS; - WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCerts"); + WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCertsEx"); /* Validate parameter. */ if (cm == NULL) { @@ -471,7 +472,7 @@ int wolfSSL_CertManagerUnloadIntermediateCerts(WOLFSSL_CERT_MANAGER* cm) } if (ret == WOLFSSL_SUCCESS) { /* Dispose of CA table. */ - FreeSignerTableType(cm->caTable, CA_TABLE_SIZE, WOLFSSL_CHAIN_CA, + FreeSignerTableType(cm->caTable, CA_TABLE_SIZE, type, cm->heap); /* Unlock CA table. */ @@ -481,6 +482,22 @@ int wolfSSL_CertManagerUnloadIntermediateCerts(WOLFSSL_CERT_MANAGER* cm) return ret; } +#if defined(OPENSSL_EXTRA) +static int wolfSSL_CertManagerUnloadTempIntermediateCerts( + WOLFSSL_CERT_MANAGER* cm) +{ + WOLFSSL_ENTER("wolfSSL_CertManagerUnloadTempIntermediateCerts"); + return wolfSSL_CertManagerUnloadIntermediateCertsEx(cm, WOLFSSL_TEMP_CA); +} +#endif + +int wolfSSL_CertManagerUnloadIntermediateCerts( + WOLFSSL_CERT_MANAGER* cm) +{ + WOLFSSL_ENTER("wolfSSL_CertManagerUnloadIntermediateCerts"); + return wolfSSL_CertManagerUnloadIntermediateCertsEx(cm, WOLFSSL_CHAIN_CA); +} + #ifdef WOLFSSL_TRUST_PEER_CERT /* Unload the trusted peers table. * @@ -607,7 +624,7 @@ void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc) cm->verifyCallback = vc; } } -#endif /* NO_WOLFSSL_CM_VERIFY */ +#endif /* !NO_WOLFSSL_CM_VERIFY */ #ifdef WC_ASN_UNKNOWN_EXT_CB void wolfSSL_CertManagerSetUnknownExtCallback(WOLFSSL_CERT_MANAGER* cm, @@ -1878,6 +1895,41 @@ int wolfSSL_CertManagerSetCRL_ErrorCb(WOLFSSL_CERT_MANAGER* cm, crlErrorCb cb, return ret; } +#ifdef HAVE_CRL_UPDATE_CB +int wolfSSL_CertManagerGetCRLInfo(WOLFSSL_CERT_MANAGER* cm, CrlInfo* info, + const byte* buff, long sz, int type) +{ + return GetCRLInfo(cm->crl, info, buff, sz, type); +} + +/* Set the callback to be called when a CRL entry has + * been updated (new entry had the same issuer hash and + * a newer CRL number). + * + * @param [in] cm Certificate manager. + * @param [in] cb CRL update callback. + * @return WOLFSSL_SUCCESS on success. + * @return BAD_FUNC_ARG when cm is NULL. + */ +int wolfSSL_CertManagerSetCRLUpdate_Cb(WOLFSSL_CERT_MANAGER* cm, CbUpdateCRL cb) +{ + int ret = WOLFSSL_SUCCESS; + + WOLFSSL_ENTER("wolfSSL_CertManagerSetCRLUpdate_Cb"); + + /* Validate parameters. */ + if (cm == NULL) { + ret = BAD_FUNC_ARG; + } + if (ret == WOLFSSL_SUCCESS) { + /* Store callback. */ + cm->cbUpdateCRL = cb; + } + + return ret; +} +#endif + #ifdef HAVE_CRL_IO /* Set the CRL I/O callback. * diff --git a/src/ssl_crypto.c b/src/ssl_crypto.c index 0730c45218..6907822a64 100644 --- a/src/ssl_crypto.c +++ b/src/ssl_crypto.c @@ -45,12 +45,12 @@ void wolfSSL_MD4_Init(WOLFSSL_MD4_CTX* md4) { /* Ensure WOLFSSL_MD4_CTX is big enough for wolfCrypt Md4. */ - WOLFSSL_ASSERT_SIZEOF_GE(md4->buffer, Md4); + WOLFSSL_ASSERT_SIZEOF_GE(md4->buffer, wc_Md4); WOLFSSL_ENTER("MD4_Init"); /* Initialize wolfCrypt MD4 object. */ - wc_InitMd4((Md4*)md4); + wc_InitMd4((wc_Md4*)md4); } /* Update MD4 hash with data. @@ -65,7 +65,7 @@ void wolfSSL_MD4_Update(WOLFSSL_MD4_CTX* md4, const void* data, WOLFSSL_ENTER("MD4_Update"); /* Update wolfCrypt MD4 object with data. */ - wc_Md4Update((Md4*)md4, (const byte*)data, (word32)len); + wc_Md4Update((wc_Md4*)md4, (const byte*)data, (word32)len); } /* Finalize MD4 hash and return output. @@ -79,7 +79,7 @@ void wolfSSL_MD4_Final(unsigned char* digest, WOLFSSL_MD4_CTX* md4) WOLFSSL_ENTER("MD4_Final"); /* Finalize wolfCrypt MD4 hash into digest. */ - wc_Md4Final((Md4*)md4, digest); + wc_Md4Final((wc_Md4*)md4, digest); } #endif /* NO_MD4 */ @@ -293,7 +293,7 @@ int wolfSSL_SHA1_Init(WOLFSSL_SHA_CTX* sha) { WOLFSSL_ENTER("SHA1_Init"); - return SHA_Init(sha); + return wolfSSL_SHA_Init(sha); } @@ -310,7 +310,7 @@ int wolfSSL_SHA1_Update(WOLFSSL_SHA_CTX* sha, const void* input, { WOLFSSL_ENTER("SHA1_Update"); - return SHA_Update(sha, input, sz); + return wolfSSL_SHA_Update(sha, input, sz); } /* Finalize SHA-1 hash and return output. @@ -325,7 +325,7 @@ int wolfSSL_SHA1_Final(byte* output, WOLFSSL_SHA_CTX* sha) { WOLFSSL_ENTER("SHA1_Final"); - return SHA_Final(output, sha); + return wolfSSL_SHA_Final(output, sha); } #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ @@ -359,7 +359,7 @@ int wolfSSL_SHA1_Transform(WOLFSSL_SHA_CTX* sha, const unsigned char* data) int wolfSSL_SHA224_Init(WOLFSSL_SHA224_CTX* sha224) { /* Ensure WOLFSSL_SHA224_CTX is big enough for wolfCrypt wc_Sha224. */ - WOLFSSL_ASSERT_SIZEOF_GE(SHA224_CTX, wc_Sha224); + WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA224_CTX, wc_Sha224); WOLFSSL_ENTER("SHA224_Init"); @@ -418,7 +418,7 @@ int wolfSSL_SHA224_Final(byte* output, WOLFSSL_SHA224_CTX* sha224) int wolfSSL_SHA256_Init(WOLFSSL_SHA256_CTX* sha256) { /* Ensure WOLFSSL_SHA256_CTX is big enough for wolfCrypt wc_Sha256. */ - WOLFSSL_ASSERT_SIZEOF_GE(SHA256_CTX, wc_Sha256); + WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA256_CTX, wc_Sha256); WOLFSSL_ENTER("SHA256_Init"); @@ -507,7 +507,7 @@ int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX* sha256, int wolfSSL_SHA384_Init(WOLFSSL_SHA384_CTX* sha384) { /* Ensure WOLFSSL_SHA384_CTX is big enough for wolfCrypt wc_Sha384. */ - WOLFSSL_ASSERT_SIZEOF_GE(SHA384_CTX, wc_Sha384); + WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA384_CTX, wc_Sha384); WOLFSSL_ENTER("SHA384_Init"); @@ -566,7 +566,7 @@ int wolfSSL_SHA384_Final(byte* output, WOLFSSL_SHA384_CTX* sha384) int wolfSSL_SHA512_Init(WOLFSSL_SHA512_CTX* sha512) { /* Ensure WOLFSSL_SHA512_CTX is big enough for wolfCrypt wc_Sha512. */ - WOLFSSL_ASSERT_SIZEOF_GE(SHA512_CTX, wc_Sha512); + WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA512_CTX, wc_Sha512); WOLFSSL_ENTER("SHA512_Init"); @@ -802,7 +802,7 @@ int wolfSSL_SHA512_256_Transform(WOLFSSL_SHA512_CTX* sha512, int wolfSSL_SHA3_224_Init(WOLFSSL_SHA3_224_CTX* sha3_224) { /* Ensure WOLFSSL_SHA3_224_CTX is big enough for wolfCrypt wc_Sha3. */ - WOLFSSL_ASSERT_SIZEOF_GE(SHA3_224_CTX, wc_Sha3); + WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA3_224_CTX, wc_Sha3); WOLFSSL_ENTER("SHA3_224_Init"); @@ -861,7 +861,7 @@ int wolfSSL_SHA3_224_Final(byte* output, WOLFSSL_SHA3_224_CTX* sha3) int wolfSSL_SHA3_256_Init(WOLFSSL_SHA3_256_CTX* sha3_256) { /* Ensure WOLFSSL_SHA3_256_CTX is big enough for wolfCrypt wc_Sha3. */ - WOLFSSL_ASSERT_SIZEOF_GE(SHA3_256_CTX, wc_Sha3); + WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA3_256_CTX, wc_Sha3); WOLFSSL_ENTER("SHA3_256_Init"); @@ -920,7 +920,7 @@ int wolfSSL_SHA3_256_Final(byte* output, WOLFSSL_SHA3_256_CTX* sha3) int wolfSSL_SHA3_384_Init(WOLFSSL_SHA3_384_CTX* sha3_384) { /* Ensure WOLFSSL_SHA3_384_CTX is big enough for wolfCrypt wc_Sha3. */ - WOLFSSL_ASSERT_SIZEOF_GE(SHA3_384_CTX, wc_Sha3); + WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA3_384_CTX, wc_Sha3); WOLFSSL_ENTER("SHA3_384_Init"); @@ -979,7 +979,7 @@ int wolfSSL_SHA3_384_Final(byte* output, WOLFSSL_SHA3_384_CTX* sha3) int wolfSSL_SHA3_512_Init(WOLFSSL_SHA3_512_CTX* sha3_512) { /* Ensure WOLFSSL_SHA3_512_CTX is big enough for wolfCrypt wc_Sha3. */ - WOLFSSL_ASSERT_SIZEOF_GE(SHA3_512_CTX, wc_Sha3); + WOLFSSL_ASSERT_SIZEOF_GE(WOLFSSL_SHA3_512_CTX, wc_Sha3); WOLFSSL_ENTER("SHA3_512_Init"); @@ -1722,7 +1722,7 @@ const WOLFSSL_EVP_MD* wolfSSL_HMAC_CTX_get_md(const WOLFSSL_HMAC_CTX* ctx) * @return 0 on failure. */ int wolfSSL_HMAC_Init_ex(WOLFSSL_HMAC_CTX* ctx, const void* key, int keySz, - const EVP_MD* type, WOLFSSL_ENGINE* e) + const WOLFSSL_EVP_MD* type, WOLFSSL_ENGINE* e) { WOLFSSL_ENTER("wolfSSL_HMAC_Init_ex"); @@ -1746,7 +1746,7 @@ int wolfSSL_HMAC_Init_ex(WOLFSSL_HMAC_CTX* ctx, const void* key, int keySz, * @return 0 on failure. */ int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen, - const EVP_MD* type) + const WOLFSSL_EVP_MD* type) { int ret = 1; void* heap = NULL; @@ -2228,7 +2228,7 @@ int wolfSSL_CMAC_Update(WOLFSSL_CMAC_CTX* ctx, const void* data, size_t len) * * @param [in, out] ctx CMAC context object. * @param [out] out Buffer to place CMAC result into. - * Must be able to hold AES_BLOCK_SIZE bytes. + * Must be able to hold WC_AES_BLOCK_SIZE bytes. * @param [out] len Length of CMAC result. May be NULL. * @return 1 on success. * @return 0 when ctx is NULL. @@ -2248,7 +2248,7 @@ int wolfSSL_CMAC_Final(WOLFSSL_CMAC_CTX* ctx, unsigned char* out, size_t* len) if (ret == 1) { /* Get the expected output size. */ - blockSize = EVP_CIPHER_CTX_block_size(ctx->cctx); + blockSize = wolfSSL_EVP_CIPHER_CTX_block_size(ctx->cctx); /* Check value is valid. */ if (blockSize <= 0) { ret = 0; @@ -2567,7 +2567,7 @@ WOLFSSL_DES_LONG wolfSSL_DES_cbc_cksum(const unsigned char* in, if (!err) { /* Encrypt data into temporary. */ wolfSSL_DES_cbc_encrypt(data, tmp, dataSz, sc, (WOLFSSL_DES_cblock*)iv, - DES_ENCRYPT); + WC_DES_ENCRYPT); /* Copy out last block. */ XMEMCPY((unsigned char*)out, tmp + (dataSz - DES_BLOCK_SIZE), DES_BLOCK_SIZE); @@ -2614,7 +2614,7 @@ void wolfSSL_DES_cbc_encrypt(const unsigned char* input, unsigned char* output, WOLFSSL_ENTER("wolfSSL_DES_cbc_encrypt"); #ifdef WOLFSSL_SMALL_STACK - des = XMALLOC(sizeof(Des3), NULL, DYNAMIC_TYPE_CIPHER); + des = (Des*)XMALLOC(sizeof(Des3), NULL, DYNAMIC_TYPE_CIPHER); if (des == NULL) { WOLFSSL_MSG("Failed to allocate memory for Des object"); } @@ -2631,7 +2631,7 @@ void wolfSSL_DES_cbc_encrypt(const unsigned char* input, unsigned char* output, /* Length of data that is a multiple of a block. */ word32 len = (word32)(length - lb_sz); - if (enc == DES_ENCRYPT) { + if (enc == WC_DES_ENCRYPT) { /* Encrypt full blocks into output. */ wc_Des_CbcEncrypt(des, output, input, len); if (lb_sz != 0) { @@ -2687,7 +2687,7 @@ void wolfSSL_DES_ncbc_encrypt(const unsigned char* input, unsigned char* output, offset = (offset + DES_BLOCK_SIZE - 1) / DES_BLOCK_SIZE; offset *= DES_BLOCK_SIZE; offset -= DES_BLOCK_SIZE; - if (enc == DES_ENCRYPT) { + if (enc == WC_DES_ENCRYPT) { /* Encrypt data. */ wolfSSL_DES_cbc_encrypt(input, output, length, schedule, ivec, enc); /* Use last encrypted block as new IV. */ @@ -2732,7 +2732,7 @@ void wolfSSL_DES_ede3_cbc_encrypt(const unsigned char* input, WOLFSSL_ENTER("wolfSSL_DES_ede3_cbc_encrypt"); #ifdef WOLFSSL_SMALL_STACK - des3 = XMALLOC(sizeof(Des3), NULL, DYNAMIC_TYPE_CIPHER); + des3 = (Des3*)XMALLOC(sizeof(Des3), NULL, DYNAMIC_TYPE_CIPHER); if (des3 == NULL) { WOLFSSL_MSG("Failed to allocate memory for Des3 object"); sz = 0; @@ -2761,7 +2761,7 @@ void wolfSSL_DES_ede3_cbc_encrypt(const unsigned char* input, ret = wc_Des3Init(des3, NULL, INVALID_DEVID); (void)ret; - if (enc == DES_ENCRYPT) { + if (enc == WC_DES_ENCRYPT) { /* Initialize wolfCrypt DES3 object. */ if (wc_Des3_SetKey(des3, key, (const byte*)ivec, DES_ENCRYPTION) == 0) { @@ -2858,22 +2858,24 @@ void wolfSSL_DES_ecb_encrypt(WOLFSSL_DES_cblock* in, WOLFSSL_DES_cblock* out, /* Validate parameters. */ if ((in == NULL) || (out == NULL) || (key == NULL) || - ((enc != DES_ENCRYPT) && (enc != DES_DECRYPT))) { + ((enc != WC_DES_ENCRYPT) && (enc != WC_DES_DECRYPT))) { WOLFSSL_MSG("Bad argument passed to wolfSSL_DES_ecb_encrypt"); } #ifdef WOLFSSL_SMALL_STACK - else if ((des = XMALLOC(sizeof(Des), NULL, DYNAMIC_TYPE_CIPHER)) == NULL) { + else if ((des = (Des*)XMALLOC(sizeof(Des), NULL, DYNAMIC_TYPE_CIPHER)) + == NULL) + { WOLFSSL_MSG("Failed to allocate memory for Des object"); } #endif /* Set key in wolfCrypt DES object for encryption or decryption. - * DES_ENCRYPT = 1, wolfSSL DES_ENCRYPTION = 0. - * DES_DECRYPT = 0, wolfSSL DES_DECRYPTION = 1. + * WC_DES_ENCRYPT = 1, wolfSSL DES_ENCRYPTION = 0. + * WC_DES_DECRYPT = 0, wolfSSL DES_DECRYPTION = 1. */ else if (wc_Des_SetKey(des, (const byte*)key, NULL, !enc) != 0) { WOLFSSL_MSG("wc_Des_SetKey return error."); } - else if (enc == DES_ENCRYPT) { + else if (enc == WC_DES_ENCRYPT) { /* Encrypt a block with wolfCrypt DES object. */ if (wc_Des_EcbEncrypt(des, (byte*)out, (const byte*)in, DES_KEY_SIZE) != 0) { @@ -2915,15 +2917,15 @@ void wolfSSL_DES_ecb_encrypt(WOLFSSL_DES_cblock* in, WOLFSSL_DES_cblock* out, * @param [in] key Key data. * @param [in] bits Number of bits in key. * @param [out] aes AES key object. - * @param [in] enc Whether to encrypt. AES_ENCRYPT or AES_DECRYPT. + * @param [in] enc Whether to encrypt. AES_ENCRYPTION or AES_DECRYPTION. * @return 0 on success. * @return -1 when key or aes is NULL. * @return -1 when setting key with wolfCrypt fails. */ static int wolfssl_aes_set_key(const unsigned char *key, const int bits, - AES_KEY *aes, int enc) + WOLFSSL_AES_KEY *aes, int enc) { - wc_static_assert(sizeof(AES_KEY) >= sizeof(Aes)); + wc_static_assert(sizeof(WOLFSSL_AES_KEY) >= sizeof(Aes)); /* Validate parameters. */ if ((key == NULL) || (aes == NULL)) { @@ -2931,7 +2933,7 @@ static int wolfssl_aes_set_key(const unsigned char *key, const int bits, return WOLFSSL_FATAL_ERROR; } - XMEMSET(aes, 0, sizeof(AES_KEY)); + XMEMSET(aes, 0, sizeof(WOLFSSL_AES_KEY)); if (wc_AesInit((Aes*)aes, NULL, INVALID_DEVID) != 0) { WOLFSSL_MSG("Error in initting AES key"); @@ -2955,11 +2957,11 @@ static int wolfssl_aes_set_key(const unsigned char *key, const int bits, * @return -1 when setting key with wolfCrypt fails. */ int wolfSSL_AES_set_encrypt_key(const unsigned char *key, const int bits, - AES_KEY *aes) + WOLFSSL_AES_KEY *aes) { WOLFSSL_ENTER("wolfSSL_AES_set_encrypt_key"); - return wolfssl_aes_set_key(key, bits, aes, AES_ENCRYPT); + return wolfssl_aes_set_key(key, bits, aes, AES_ENCRYPTION); } /* Sets the key into the AES key object for decryption. @@ -2972,11 +2974,11 @@ int wolfSSL_AES_set_encrypt_key(const unsigned char *key, const int bits, * @return -1 when setting key with wolfCrypt fails. */ int wolfSSL_AES_set_decrypt_key(const unsigned char *key, const int bits, - AES_KEY *aes) + WOLFSSL_AES_KEY *aes) { WOLFSSL_ENTER("wolfSSL_AES_set_decrypt_key"); - return wolfssl_aes_set_key(key, bits, aes, AES_DECRYPT); + return wolfssl_aes_set_key(key, bits, aes, AES_DECRYPTION); } #ifdef WOLFSSL_AES_DIRECT @@ -2984,15 +2986,15 @@ int wolfSSL_AES_set_decrypt_key(const unsigned char *key, const int bits, * * wolfSSL_AES_set_encrypt_key() must have been called. * - * #input must contain AES_BLOCK_SIZE bytes of data. - * #output must be a buffer at least AES_BLOCK_SIZE bytes in length. + * #input must contain WC_AES_BLOCK_SIZE bytes of data. + * #output must be a buffer at least WC_AES_BLOCK_SIZE bytes in length. * * @param [in] input Data to encrypt. * @param [out] output Encrypted data. * @param [in] key AES key to use for encryption. */ void wolfSSL_AES_encrypt(const unsigned char* input, unsigned char* output, - AES_KEY *key) + WOLFSSL_AES_KEY *key) { WOLFSSL_ENTER("wolfSSL_AES_encrypt"); @@ -3002,7 +3004,8 @@ void wolfSSL_AES_encrypt(const unsigned char* input, unsigned char* output, } else #if !defined(HAVE_SELFTEST) && \ - (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) + (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) \ + || defined(WOLFSSL_LINUXKM)) /* Encrypt a block with wolfCrypt AES. */ if (wc_AesEncryptDirect((Aes*)key, output, input) != 0) { WOLFSSL_MSG("wc_AesEncryptDirect failed"); @@ -3020,15 +3023,15 @@ void wolfSSL_AES_encrypt(const unsigned char* input, unsigned char* output, * * wolfSSL_AES_set_decrypt_key() must have been called. * - * #input must contain AES_BLOCK_SIZE bytes of data. - * #output must be a buffer at least AES_BLOCK_SIZE bytes in length. + * #input must contain WC_AES_BLOCK_SIZE bytes of data. + * #output must be a buffer at least WC_AES_BLOCK_SIZE bytes in length. * * @param [in] input Data to decrypt. * @param [out] output Decrypted data. * @param [in] key AES key to use for encryption. */ void wolfSSL_AES_decrypt(const unsigned char* input, unsigned char* output, - AES_KEY *key) + WOLFSSL_AES_KEY *key) { WOLFSSL_ENTER("wolfSSL_AES_decrypt"); @@ -3038,7 +3041,7 @@ void wolfSSL_AES_decrypt(const unsigned char* input, unsigned char* output, } else #if !defined(HAVE_SELFTEST) && \ - (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) + (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION3_GE(5,2,1))) /* Decrypt a block with wolfCrypt AES. */ if (wc_AesDecryptDirect((Aes*)key, output, input) != 0) { WOLFSSL_MSG("wc_AesDecryptDirect failed"); @@ -3060,17 +3063,17 @@ void wolfSSL_AES_decrypt(const unsigned char* input, unsigned char* output, * wolfSSL_AES_set_encrypt_key() or wolfSSL_AES_set_decrypt_key ()must have been * called. * - * #input must contain AES_BLOCK_SIZE bytes of data. - * #output must be a buffer at least AES_BLOCK_SIZE bytes in length. + * #input must contain WC_AES_BLOCK_SIZE bytes of data. + * #output must be a buffer at least WC_AES_BLOCK_SIZE bytes in length. * * @param [in] in Data to encipher. * @param [out] out Enciphered data. * @param [in] key AES key to use for encryption/decryption. * @param [in] enc Whether to encrypt. - * AES_ENCRPT for encryption, AES_DECRYPT for decryption. + * AES_ENCRPT for encryption, AES_DECRYPTION for decryption. */ void wolfSSL_AES_ecb_encrypt(const unsigned char *in, unsigned char* out, - AES_KEY *key, const int enc) + WOLFSSL_AES_KEY *key, const int enc) { WOLFSSL_ENTER("wolfSSL_AES_ecb_encrypt"); @@ -3078,16 +3081,16 @@ void wolfSSL_AES_ecb_encrypt(const unsigned char *in, unsigned char* out, if ((key == NULL) || (in == NULL) || (out == NULL)) { WOLFSSL_MSG("Error, Null argument passed in"); } - else if (enc == AES_ENCRYPT) { + else if (enc == AES_ENCRYPTION) { /* Encrypt block. */ - if (wc_AesEcbEncrypt((Aes*)key, out, in, AES_BLOCK_SIZE) != 0) { + if (wc_AesEcbEncrypt((Aes*)key, out, in, WC_AES_BLOCK_SIZE) != 0) { WOLFSSL_MSG("Error with AES CBC encrypt"); } } else { #ifdef HAVE_AES_DECRYPT /* Decrypt block. */ - if (wc_AesEcbDecrypt((Aes*)key, out, in, AES_BLOCK_SIZE) != 0) { + if (wc_AesEcbDecrypt((Aes*)key, out, in, WC_AES_BLOCK_SIZE) != 0) { WOLFSSL_MSG("Error with AES CBC decrypt"); } #else @@ -3111,10 +3114,10 @@ void wolfSSL_AES_ecb_encrypt(const unsigned char *in, unsigned char* out, * On in, used with first block. * On out, IV for further operations. * @param [in] enc Whether to encrypt. - * AES_ENCRPT for encryption, AES_DECRYPT for decryption. + * AES_ENCRPT for encryption, AES_DECRYPTION for decryption. */ void wolfSSL_AES_cbc_encrypt(const unsigned char *in, unsigned char* out, - size_t len, AES_KEY *key, unsigned char* iv, const int enc) + size_t len, WOLFSSL_AES_KEY *key, unsigned char* iv, const int enc) { WOLFSSL_ENTER("wolfSSL_AES_cbc_encrypt"); @@ -3131,7 +3134,7 @@ void wolfSSL_AES_cbc_encrypt(const unsigned char *in, unsigned char* out, if ((ret = wc_AesSetIV(aes, (const byte*)iv)) != 0) { WOLFSSL_MSG("Error with setting iv"); } - else if (enc == AES_ENCRYPT) { + else if (enc == AES_ENCRYPTION) { /* Encrypt with wolfCrypt AES object. */ if ((ret = wc_AesCbcEncrypt(aes, out, in, (word32)len)) != 0) { WOLFSSL_MSG("Error with AES CBC encrypt"); @@ -3146,7 +3149,7 @@ void wolfSSL_AES_cbc_encrypt(const unsigned char *in, unsigned char* out, if (ret == 0) { /* Get IV for next operation. */ - XMEMCPY(iv, (byte*)(aes->reg), AES_BLOCK_SIZE); + XMEMCPY(iv, (byte*)(aes->reg), WC_AES_BLOCK_SIZE); } } } @@ -3166,10 +3169,10 @@ void wolfSSL_AES_cbc_encrypt(const unsigned char *in, unsigned char* out, * On out, IV for further operations. * @param [out] num Number of bytes used from last incomplete block. * @param [in] enc Whether to encrypt. - * AES_ENCRPT for encryption, AES_DECRYPT for decryption. + * AES_ENCRPT for encryption, AES_DECRYPTION for decryption. */ void wolfSSL_AES_cfb128_encrypt(const unsigned char *in, unsigned char* out, - size_t len, AES_KEY *key, unsigned char* iv, int* num, const int enc) + size_t len, WOLFSSL_AES_KEY *key, unsigned char* iv, int* num, const int enc) { #ifndef WOLFSSL_AES_CFB WOLFSSL_MSG("CFB mode not enabled please use macro WOLFSSL_AES_CFB"); @@ -3196,9 +3199,9 @@ void wolfSSL_AES_cfb128_encrypt(const unsigned char *in, unsigned char* out, * leftover bytes field "left", and this function relies on the leftover * bytes being preserved between calls. */ - XMEMCPY(aes->reg, iv, AES_BLOCK_SIZE); + XMEMCPY(aes->reg, iv, WC_AES_BLOCK_SIZE); - if (enc == AES_ENCRYPT) { + if (enc == AES_ENCRYPTION) { /* Encrypt data with AES-CFB. */ if ((ret = wc_AesCfbEncrypt(aes, out, in, (word32)len)) != 0) { WOLFSSL_MSG("Error with AES CBC encrypt"); @@ -3213,11 +3216,11 @@ void wolfSSL_AES_cfb128_encrypt(const unsigned char *in, unsigned char* out, if (ret == 0) { /* Copy IV out after operation. */ - XMEMCPY(iv, (byte*)(aes->reg), AES_BLOCK_SIZE); + XMEMCPY(iv, (byte*)(aes->reg), WC_AES_BLOCK_SIZE); /* Store number of left over bytes to num. */ if (num != NULL) { - *num = (AES_BLOCK_SIZE - aes->left) % AES_BLOCK_SIZE; + *num = (WC_AES_BLOCK_SIZE - aes->left) % WC_AES_BLOCK_SIZE; } } } @@ -3237,7 +3240,7 @@ void wolfSSL_AES_cfb128_encrypt(const unsigned char *in, unsigned char* out, * @return 0 when key, iv, out or in is NULL. * @return 0 when key length is not valid. */ -int wolfSSL_AES_wrap_key(AES_KEY *key, const unsigned char *iv, +int wolfSSL_AES_wrap_key(WOLFSSL_AES_KEY *key, const unsigned char *iv, unsigned char *out, const unsigned char *in, unsigned int inSz) { int ret = 0; @@ -3272,7 +3275,7 @@ int wolfSSL_AES_wrap_key(AES_KEY *key, const unsigned char *iv, * @return 0 when key, iv, out or in is NULL. * @return 0 when wrapped key data length is not valid. */ -int wolfSSL_AES_unwrap_key(AES_KEY *key, const unsigned char *iv, +int wolfSSL_AES_unwrap_key(WOLFSSL_AES_KEY *key, const unsigned char *iv, unsigned char *out, const unsigned char *in, unsigned int inSz) { int ret = 0; @@ -3333,7 +3336,7 @@ size_t wolfSSL_CRYPTO_cts128_encrypt(const unsigned char *in, } /* Encrypt data up to last block */ - (*cbc)(in, out, len - lastBlkLen, key, iv, AES_ENCRYPT); + (*cbc)(in, out, len - lastBlkLen, key, iv, AES_ENCRYPTION); /* Move to last block */ in += len - lastBlkLen; @@ -3346,7 +3349,7 @@ size_t wolfSSL_CRYPTO_cts128_encrypt(const unsigned char *in, XMEMCPY(out, out - WOLFSSL_CTS128_BLOCK_SZ, lastBlkLen); /* Encrypt last block. */ (*cbc)(lastBlk, out - WOLFSSL_CTS128_BLOCK_SZ, WOLFSSL_CTS128_BLOCK_SZ, - key, iv, AES_ENCRYPT); + key, iv, AES_ENCRYPTION); } return len; @@ -3401,13 +3404,13 @@ size_t wolfSSL_CRYPTO_cts128_decrypt(const unsigned char *in, * Use 0 buffer as IV to do straight decryption. * This places the Cn-1 block at lastBlk */ XMEMSET(lastBlk, 0, WOLFSSL_CTS128_BLOCK_SZ); - (*cbc)(in, prevBlk, WOLFSSL_CTS128_BLOCK_SZ, key, lastBlk, AES_DECRYPT); + (*cbc)(in, prevBlk, WOLFSSL_CTS128_BLOCK_SZ, key, lastBlk, AES_DECRYPTION); /* RFC2040: Append the tail (BB minus Ln) bytes of Xn to Cn * to create En. */ XMEMCPY(prevBlk, in + WOLFSSL_CTS128_BLOCK_SZ, lastBlkLen); /* Cn and Cn-1 can now be decrypted */ - (*cbc)(prevBlk, out, WOLFSSL_CTS128_BLOCK_SZ, key, iv, AES_DECRYPT); - (*cbc)(lastBlk, lastBlk, WOLFSSL_CTS128_BLOCK_SZ, key, iv, AES_DECRYPT); + (*cbc)(prevBlk, out, WOLFSSL_CTS128_BLOCK_SZ, key, iv, AES_DECRYPTION); + (*cbc)(lastBlk, lastBlk, WOLFSSL_CTS128_BLOCK_SZ, key, iv, AES_DECRYPTION); XMEMCPY(out + WOLFSSL_CTS128_BLOCK_SZ, lastBlk, lastBlkLen); } diff --git a/src/ssl_load.c b/src/ssl_load.c index 0361edbdf5..a15274b23f 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c @@ -1397,7 +1397,7 @@ static int ProcessBufferPrivateKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl, #ifdef OPENSSL_EXTRA /* Decryption password is probably wrong. */ if (info->passwd_cb) { - EVPerr(0, EVP_R_BAD_DECRYPT); + WOLFSSL_EVPerr(0, -WOLFSSL_EVP_R_BAD_DECRYPT_E); } #endif WOLFSSL_ERROR(WOLFSSL_BAD_FILE); @@ -2332,7 +2332,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz, #endif } else if (ret == 0) { - /* Processing a cerificate. */ + /* Processing a certificate. */ if (userChain) { /* Take original buffer and add to user chain to send in TLS * handshake. */ @@ -2707,7 +2707,7 @@ static int wolfssl_ctx_load_path(WOLFSSL_CTX* ctx, const char* path, /* Load file. */ ret = wolfssl_ctx_load_path_file(ctx, name, verify, (int)flags, &failCount, &successCount); - /* Get next filenmae. */ + /* Get next filename. */ fileRet = wc_ReadDirNext(readCtx, path, &name); } /* Cleanup directory reading context. */ @@ -4791,7 +4791,7 @@ int wolfSSL_CTX_add1_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509) /* Use the certificate. */ ret = wolfSSL_CTX_use_certificate(ctx, x509); } - /* Increate reference count as we will store it. */ + /* Increase reference count as we will store it. */ else if ((ret == 1) && ((ret = wolfSSL_X509_up_ref(x509)) == 1)) { /* Load the DER encoding. */ ret = wolfSSL_CTX_load_verify_buffer(ctx, x509->derCert->buffer, @@ -4946,19 +4946,19 @@ int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) if (ret == 1) { switch (pkey->type) { #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) - case EVP_PKEY_RSA: + case WC_EVP_PKEY_RSA: WOLFSSL_MSG("populating RSA key"); ret = PopulateRSAEvpPkeyDer(pkey); break; #endif /* (WOLFSSL_KEY_GEN || OPENSSL_EXTRA) && !NO_RSA */ #if !defined(HAVE_SELFTEST) && (defined(WOLFSSL_KEY_GEN) || \ defined(WOLFSSL_CERT_GEN)) && !defined(NO_DSA) - case EVP_PKEY_DSA: + case WC_EVP_PKEY_DSA: break; #endif /* !HAVE_SELFTEST && (WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN) && * !NO_DSA */ #ifdef HAVE_ECC - case EVP_PKEY_EC: + case WC_EVP_PKEY_EC: WOLFSSL_MSG("populating ECC key"); ret = ECC_populate_EVP_PKEY(pkey, pkey->ecc); break; @@ -4972,7 +4972,7 @@ int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) /* ptr for WOLFSSL_EVP_PKEY struct is expected to be DER format */ ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, (const unsigned char*)pkey->pkey.ptr, pkey->pkey_sz, - SSL_FILETYPE_ASN1); + WOLFSSL_FILETYPE_ASN1); } return ret; @@ -5001,7 +5001,7 @@ int wolfSSL_CTX_use_certificate_ASN1(WOLFSSL_CTX *ctx, int derSz, if ((ctx == NULL) || (der == NULL)) { ret = 0; } - /* Load DER encoded cerificate into SSL context. */ + /* Load DER encoded certificate into SSL context. */ if ((ret == 1) && (wolfSSL_CTX_use_certificate_buffer(ctx, der, derSz, WOLFSSL_FILETYPE_ASN1) != 1)) { ret = 0; @@ -5060,7 +5060,7 @@ int wolfSSL_CTX_use_RSAPrivateKey(WOLFSSL_CTX* ctx, WOLFSSL_RSA* rsa) } if (ret == 1) { - /* Load DER encoded cerificate into SSL context. */ + /* Load DER encoded certificate into SSL context. */ ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSize, SSL_FILETYPE_ASN1); if (ret != WOLFSSL_SUCCESS) { diff --git a/src/ssl_p7p12.c b/src/ssl_p7p12.c index fba27676db..9f51fa84f5 100644 --- a/src/ssl_p7p12.c +++ b/src/ssl_p7p12.c @@ -2012,7 +2012,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, #ifndef NO_RSA { const unsigned char* pt = pk; - if (wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, pkey, &pt, pkSz) != + if (wolfSSL_d2i_PrivateKey(WC_EVP_PKEY_RSA, pkey, &pt, pkSz) != NULL) { ret = 0; } @@ -2022,7 +2022,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, #ifdef HAVE_ECC if (ret != 0) { /* if is in fail state check if ECC key */ const unsigned char* pt = pk; - if (wolfSSL_d2i_PrivateKey(EVP_PKEY_EC, pkey, &pt, pkSz) != + if (wolfSSL_d2i_PrivateKey(WC_EVP_PKEY_EC, pkey, &pt, pkSz) != NULL) { ret = 0; } diff --git a/src/ssl_sess.c b/src/ssl_sess.c index 91f2c8473f..d55633bba1 100644 --- a/src/ssl_sess.c +++ b/src/ssl_sess.c @@ -113,10 +113,10 @@ } SessionRow; #define SIZEOF_SESSION_ROW (sizeof(WOLFSSL_SESSION) + (sizeof(int) * 2)) - static WOLFSSL_GLOBAL SessionRow SessionCache[SESSION_ROWS]; + static WC_THREADSHARED SessionRow SessionCache[SESSION_ROWS]; #if defined(WOLFSSL_SESSION_STATS) && defined(WOLFSSL_PEAK_SESSIONS) - static WOLFSSL_GLOBAL word32 PeakSessions; + static WC_THREADSHARED word32 PeakSessions; #endif #ifdef ENABLE_SESSION_CACHE_ROW_LOCK @@ -124,8 +124,8 @@ #define SESSION_ROW_WR_LOCK(row) wc_LockRwLock_Wr(&(row)->row_lock) #define SESSION_ROW_UNLOCK(row) wc_UnLockRwLock(&(row)->row_lock); #else - static WOLFSSL_GLOBAL wolfSSL_RwLock session_lock; /* SessionCache lock */ - static WOLFSSL_GLOBAL int session_lock_valid = 0; + static WC_THREADSHARED wolfSSL_RwLock session_lock; /* SessionCache lock */ + static WC_THREADSHARED int session_lock_valid = 0; #define SESSION_ROW_RD_LOCK(row) wc_LockRwLock_Rd(&session_lock) #define SESSION_ROW_WR_LOCK(row) wc_LockRwLock_Wr(&session_lock) #define SESSION_ROW_UNLOCK(row) wc_UnLockRwLock(&session_lock); @@ -176,22 +176,22 @@ ClientSession Clients[CLIENT_SESSIONS_PER_ROW]; } ClientRow; - static WOLFSSL_GLOBAL ClientRow ClientCache[CLIENT_SESSION_ROWS]; + static WC_THREADSHARED ClientRow ClientCache[CLIENT_SESSION_ROWS]; /* Client Cache */ /* uses session mutex */ /* ClientCache mutex */ - static WOLFSSL_GLOBAL wolfSSL_Mutex clisession_mutex + static WC_THREADSHARED wolfSSL_Mutex clisession_mutex WOLFSSL_MUTEX_INITIALIZER_CLAUSE(clisession_mutex); #ifndef WOLFSSL_MUTEX_INITIALIZER - static WOLFSSL_GLOBAL int clisession_mutex_valid = 0; + static WC_THREADSHARED int clisession_mutex_valid = 0; #endif #endif /* !NO_CLIENT_CACHE */ void EvictSessionFromCache(WOLFSSL_SESSION* session) { #ifdef HAVE_EX_DATA - int save_ownExData = session->ownExData; + byte save_ownExData = session->ownExData; session->ownExData = 1; /* Make sure ex_data access doesn't lead back * into the cache. */ #endif @@ -843,6 +843,7 @@ void wolfSSL_CTX_flush_sessions(WOLFSSL_CTX* ctx, long tm) #ifdef SESSION_CACHE_DYNAMIC_MEM s != NULL && #endif + s->sessionIDSz == ID_LEN && XMEMCMP(s->sessionID, id, ID_LEN) != 0 && s->bornOn + s->timeout < (word32)tm ) @@ -1120,7 +1121,9 @@ static int TlsSessionCacheGetAndLock(const byte *id, #else s = &sessRow->Sessions[idx]; #endif - if (s && XMEMCMP(s->sessionID, id, ID_LEN) == 0 && s->side == side) { + /* match session ID value and length */ + if (s && s->sessionIDSz == ID_LEN && s->side == side && + XMEMCMP(s->sessionID, id, ID_LEN) == 0) { *sess = s; break; } @@ -1839,7 +1842,7 @@ int AddSessionToCache(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* addSession, } preallocNonceLen = addSession->ticketNonce.len; } -#endif /* WOLFSSL_TLS13 && WOLFSL_TICKET_NONCE_MALLOC && FIPS_VERSION_GE(5,3) */ +#endif /* WOLFSSL_TLS13 && WOLFSSL_TICKET_NONCE_MALLOC && FIPS_VERSION_GE(5,3)*/ #endif /* HAVE_SESSION_TICKET */ /* Find a position for the new session in cache and use that */ @@ -1916,7 +1919,7 @@ int AddSessionToCache(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* addSession, cacheSession = &sessRow->Sessions[idx]; #endif -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO if (overwrite) { /* Figure out who owns the ex_data */ if (cacheSession->ownExData) { @@ -3108,7 +3111,7 @@ long wolfSSL_SESSION_set_time(WOLFSSL_SESSION *ses, long t) return t; } -#endif /* !NO_SESSION_CACHE && OPENSSL_EXTRA || HAVE_EXT_CACHE */ +#endif /* !NO_SESSION_CACHE && (OPENSSL_EXTRA || HAVE_EXT_CACHE) */ #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \ defined(HAVE_EX_DATA) @@ -3682,10 +3685,12 @@ WOLFSSL_SESSION* wolfSSL_NewSession(void* heap) #endif #ifdef HAVE_EX_DATA ret->ownExData = 1; + #ifdef HAVE_EX_DATA_CRYPTO if (crypto_ex_cb_ctx_session != NULL) { crypto_ex_cb_setup_new_data(ret, crypto_ex_cb_ctx_session, &ret->ex_data); } + #endif #endif } return ret; @@ -3739,7 +3744,7 @@ int wolfSSL_SESSION_up_ref(WOLFSSL_SESSION* session) * @param ticketNonceBuf If not null and @avoidSysCalls is true, the copy of the * ticketNonce will happen in this pre allocated buffer * @param ticketNonceLen @ticketNonceBuf len as input, used length on output - * @param ticketNonceUsed if @ticketNonceBuf was used to copy the ticket noncet + * @param ticketNonceUsed if @ticketNonceBuf was used to copy the ticket nonce * @return WOLFSSL_SUCCESS on success * WOLFSSL_FAILURE on failure */ @@ -3964,7 +3969,7 @@ static int wolfSSL_DupSessionEx(const WOLFSSL_SESSION* input, #endif /* HAVE_SESSION_TICKET */ -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO if (input->type != WOLFSSL_SESSION_TYPE_CACHE && output->type != WOLFSSL_SESSION_TYPE_CACHE) { /* Not called with cache as that passes ownership of ex_data */ @@ -4044,7 +4049,7 @@ void wolfSSL_FreeSession(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session) WOLFSSL_MSG("wolfSSL_FreeSession full free"); -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO if (session->ownExData) { crypto_ex_cb_free_data(session, crypto_ex_cb_ctx_session, &session->ex_data); @@ -4230,8 +4235,7 @@ const byte* wolfSSL_get_sessionID(const WOLFSSL_SESSION* session) #endif -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \ - defined(HAVE_EX_DATA) +#ifdef HAVE_EX_DATA int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data) { @@ -4301,13 +4305,8 @@ void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION* session, int idx) #endif return ret; } -#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || HAVE_EX_DATA */ -#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \ - (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB))) -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO int wolfSSL_SESSION_get_ex_new_index(long ctx_l,void* ctx_ptr, WOLFSSL_CRYPTO_EX_new* new_func, WOLFSSL_CRYPTO_EX_dup* dup_func, WOLFSSL_CRYPTO_EX_free* free_func) @@ -4316,9 +4315,8 @@ int wolfSSL_SESSION_get_ex_new_index(long ctx_l,void* ctx_ptr, return wolfssl_get_ex_new_index(WOLF_CRYPTO_EX_INDEX_SSL_SESSION, ctx_l, ctx_ptr, new_func, dup_func, free_func); } -#endif -#endif - +#endif /* HAVE_EX_DATA_CRYPTO */ +#endif /* HAVE_EX_DATA */ #if defined(OPENSSL_ALL) || \ defined(OPENSSL_EXTRA) || defined(HAVE_STUNNEL) || \ diff --git a/src/tls.c b/src/tls.c index 48161c6da8..7618c696b6 100644 --- a/src/tls.c +++ b/src/tls.c @@ -3649,7 +3649,7 @@ int TLSX_CSR_InitRequest_ex(TLSX* extensions, DecodedCert* cert, request = &csr->request.ocsp[req_cnt]; if (request->serial != NULL) { - /* clear request contents before re-use */ + /* clear request contents before reuse */ FreeOcspRequest(request); if (csr->requests > 0) csr->requests--; @@ -5905,14 +5905,25 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, const byte* input, /* SERVER: ticket is peer auth. */ ssl->options.peerAuthGood = 1; } - } else if (ret == WOLFSSL_TICKET_RET_REJECT) { + } else if (ret == WOLFSSL_TICKET_RET_REJECT || + ret == WC_NO_ERR_TRACE(VERSION_ERROR)) { WOLFSSL_MSG("Process client ticket rejected, not using"); - ssl->options.rejectTicket = 1; + if (ret == WC_NO_ERR_TRACE(VERSION_ERROR)) + WOLFSSL_MSG("\tbad TLS version"); ret = 0; /* not fatal */ - } else if (ret == WC_NO_ERR_TRACE(VERSION_ERROR)) { - WOLFSSL_MSG("Process client ticket rejected, bad TLS version"); + ssl->options.rejectTicket = 1; - ret = 0; /* not fatal */ + /* If we have session tickets enabled then send a new ticket */ + if (!TLSX_CheckUnsupportedExtension(ssl, TLSX_SESSION_TICKET)) { + ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) { + ret = 0; + TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); + ssl->options.createTicket = 1; + ssl->options.useTicket = 1; + } + } } else if (ret == WOLFSSL_TICKET_RET_FATAL) { WOLFSSL_MSG("Process client ticket fatal error, not using"); } else if (ret < 0) { @@ -6439,7 +6450,7 @@ static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz) if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls13Minor) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ defined(WOLFSSL_WPAS_SMALL) - && (ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0 + && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == 0 #endif ) { cnt++; @@ -6451,7 +6462,7 @@ static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz) isDtls, ssl->options.minDowngrade, tls12Minor) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ defined(WOLFSSL_WPAS_SMALL) - && (ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0 + && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == 0 #endif ) { cnt++; @@ -6462,7 +6473,7 @@ static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz) isDtls, ssl->options.minDowngrade, tls11Minor) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ defined(WOLFSSL_WPAS_SMALL) - && (ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0 + && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == 0 #endif ) { cnt++; @@ -6471,7 +6482,7 @@ static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz) if (!ssl->options.dtls && (ssl->options.minDowngrade <= TLSv1_MINOR) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ defined(WOLFSSL_WPAS_SMALL) - && (ssl->options.mask & SSL_OP_NO_TLSv1) == 0 + && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == 0 #endif ) { cnt++; @@ -6536,7 +6547,7 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output, if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls13minor) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ defined(WOLFSSL_WPAS_SMALL) - && (ssl->options.mask & SSL_OP_NO_TLSv1_3) == 0 + && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == 0 #endif ) { *cnt += OPAQUE16_LEN; @@ -6556,7 +6567,7 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output, if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls12minor) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ defined(WOLFSSL_WPAS_SMALL) - && (ssl->options.mask & SSL_OP_NO_TLSv1_2) == 0 + && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == 0 #endif ) { *cnt += OPAQUE16_LEN; @@ -6569,7 +6580,7 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output, if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls11minor) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ defined(WOLFSSL_WPAS_SMALL) - && (ssl->options.mask & SSL_OP_NO_TLSv1_1) == 0 + && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == 0 #endif ) { *cnt += OPAQUE16_LEN; @@ -6580,7 +6591,7 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output, if (!ssl->options.dtls && (ssl->options.minDowngrade <= TLSv1_MINOR) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ defined(WOLFSSL_WPAS_SMALL) - && (ssl->options.mask & SSL_OP_NO_TLSv1) == 0 + && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == 0 #endif ) { *cnt += OPAQUE16_LEN; @@ -7157,15 +7168,16 @@ static int TLSX_CA_Names_Parse(WOLFSSL *ssl, const byte* input, return 0; } -#define CAN_GET_SIZE TLSX_CA_Names_GetSize -#define CAN_WRITE TLSX_CA_Names_Write -#define CAN_PARSE TLSX_CA_Names_Parse +#define CAN_GET_SIZE(data) TLSX_CA_Names_GetSize(data) +#define CAN_WRITE(data, output) TLSX_CA_Names_Write(data, output) +#define CAN_PARSE(ssl, input, length, isRequest) \ + TLSX_CA_Names_Parse(ssl, input, length, isRequest) #else -#define CAN_GET_SIZE(...) 0 -#define CAN_WRITE(...) 0 -#define CAN_PARSE(...) 0 +#define CAN_GET_SIZE(data) 0 +#define CAN_WRITE(data, output) 0 +#define CAN_PARSE(ssl, input, length, isRequest) 0 #endif @@ -7971,6 +7983,24 @@ static int kyber_id2type(int id, int *type) int ret = 0; switch (id) { +#ifndef WOLFSSL_NO_ML_KEM + #ifndef WOLFSSL_NO_ML_KEM_512 + case WOLFSSL_ML_KEM_512: + *type = WC_ML_KEM_512; + break; + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + case WOLFSSL_ML_KEM_768: + *type = WC_ML_KEM_768; + break; + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + case WOLFSSL_ML_KEM_1024: + *type = WC_ML_KEM_1024; + break; + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case WOLFSSL_KYBER_LEVEL1: *type = KYBER512; @@ -7986,6 +8016,7 @@ static int kyber_id2type(int id, int *type) *type = KYBER1024; break; #endif +#endif default: ret = NOT_COMPILED_IN; break; @@ -8001,12 +8032,22 @@ typedef struct PqcHybridMapping { } PqcHybridMapping; static const PqcHybridMapping pqc_hybrid_mapping[] = { +#ifndef WOLFSSL_NO_ML_KEM + {.hybrid = WOLFSSL_P256_ML_KEM_512, .ecc = WOLFSSL_ECC_SECP256R1, + .pqc = WOLFSSL_ML_KEM_512}, + {.hybrid = WOLFSSL_P384_ML_KEM_768, .ecc = WOLFSSL_ECC_SECP384R1, + .pqc = WOLFSSL_ML_KEM_768}, + {.hybrid = WOLFSSL_P521_ML_KEM_1024, .ecc = WOLFSSL_ECC_SECP521R1, + .pqc = WOLFSSL_ML_KEM_1024}, +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL {.hybrid = WOLFSSL_P256_KYBER_LEVEL1, .ecc = WOLFSSL_ECC_SECP256R1, .pqc = WOLFSSL_KYBER_LEVEL1}, {.hybrid = WOLFSSL_P384_KYBER_LEVEL3, .ecc = WOLFSSL_ECC_SECP384R1, .pqc = WOLFSSL_KYBER_LEVEL3}, {.hybrid = WOLFSSL_P521_KYBER_LEVEL5, .ecc = WOLFSSL_ECC_SECP521R1, .pqc = WOLFSSL_KYBER_LEVEL5}, +#endif {.hybrid = 0, .ecc = 0, .pqc = 0} }; @@ -9651,6 +9692,45 @@ static int TLSX_KeyShare_IsSupported(int namedGroup) #endif #endif #ifdef WOLFSSL_HAVE_KYBER +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_WC_KYBER + #ifndef WOLFSSL_NO_ML_KEM_512 + case WOLFSSL_ML_KEM_512: + case WOLFSSL_P256_ML_KEM_512: + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + case WOLFSSL_ML_KEM_768: + case WOLFSSL_P384_ML_KEM_768: + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + case WOLFSSL_ML_KEM_1024: + case WOLFSSL_P521_ML_KEM_1024: + #endif + break; + #elif defined(HAVE_LIBOQS) + case WOLFSSL_ML_KEM_512: + case WOLFSSL_ML_KEM_768: + case WOLFSSL_ML_KEM_1024: + case WOLFSSL_P256_ML_KEM_512: + case WOLFSSL_P384_ML_KEM_768: + case WOLFSSL_P521_ML_KEM_1024: + { + int ret; + int id; + findEccPqc(NULL, &namedGroup, namedGroup); + ret = kyber_id2type(namedGroup, &id); + if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) { + return 0; + } + + if (! ext_kyber_enabled(id)) { + return 0; + } + break; + } + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_WC_KYBER #ifdef WOLFSSL_KYBER512 case WOLFSSL_KYBER_LEVEL1: @@ -9688,6 +9768,7 @@ static int TLSX_KeyShare_IsSupported(int namedGroup) } #endif #endif +#endif /* WOLFSSL_HAVE_KYBER */ default: return 0; } @@ -9733,6 +9814,31 @@ static const word16 preferredGroup[] = { #if defined(HAVE_FFDHE_8192) WOLFSSL_FFDHE_8192, #endif +#ifndef WOLFSSL_NO_ML_KEM +#ifdef WOLFSSL_WC_KYBER + #ifndef WOLFSSL_NO_ML_KEM_512 + WOLFSSL_ML_KEM_512, + WOLFSSL_P256_ML_KEM_512, + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + WOLFSSL_ML_KEM_768, + WOLFSSL_P384_ML_KEM_768, + #endif + #ifndef WOLFSSL_NO_ML_KEM_1024 + WOLFSSL_ML_KEM_1024, + WOLFSSL_P521_ML_KEM_1024, + #endif +#elif defined(HAVE_LIBOQS) + /* These require a runtime call to TLSX_KeyShare_IsSupported to use */ + WOLFSSL_ML_KEM_512, + WOLFSSL_ML_KEM_768, + WOLFSSL_ML_KEM_1024, + WOLFSSL_P256_ML_KEM_512, + WOLFSSL_P384_ML_KEM_768, + WOLFSSL_P521_ML_KEM_1024, +#endif +#endif /* !WOLFSSL_NO_ML_KEM */ +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_WC_KYBER #ifdef WOLFSSL_KYBER512 WOLFSSL_KYBER_LEVEL1, @@ -9755,6 +9861,7 @@ static const word16 preferredGroup[] = { WOLFSSL_P384_KYBER_LEVEL3, WOLFSSL_P521_KYBER_LEVEL5, #endif +#endif /* WOLFSSL_KYBER_ORIGINAL */ WOLFSSL_NAMED_GROUP_INVALID }; @@ -9946,6 +10053,16 @@ int TLSX_CKS_Parse(WOLFSSL* ssl, byte* input, word16 length, } } + /* This could be a situation where the client tried to start with TLS 1.3 + * when it sent ClientHello and the server down-graded to TLS 1.2. In that + * case, erroring out because it is TLS 1.2 is not a reasonable thing to do. + * In the case of TLS 1.2, the CKS values will be ignored. */ + if (!IsAtLeastTLSv1_3(ssl->version)) { + ssl->sigSpec = NULL; + ssl->sigSpecSz = 0; + return 0; + } + /* Extension data is valid, but if we are the server and we don't have an * alt private key, do not respond with CKS extension. */ if (wolfSSL_is_server(ssl) && ssl->buffers.altKey == NULL) { @@ -12357,7 +12474,7 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size, readBuf_p += ech->encLen; ato16(readBuf_p, &ech->innerClientHelloLen); - ech->innerClientHelloLen -= AES_BLOCK_SIZE; + ech->innerClientHelloLen -= WC_AES_BLOCK_SIZE; readBuf_p += 2; ech->outerClientPayload = readBuf_p; @@ -12373,7 +12490,7 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size, /* set the ech payload of the copy to zeros */ XMEMSET(aadCopy + (readBuf_p - ech->aad), 0, - ech->innerClientHelloLen + AES_BLOCK_SIZE); + ech->innerClientHelloLen + WC_AES_BLOCK_SIZE); /* allocate the inner payload buffer */ ech->innerClientHello = @@ -13365,6 +13482,52 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions) #endif #ifdef WOLFSSL_HAVE_KYBER +#ifndef WOLFSSL_NO_ML_KEM +#ifdef WOLFSSL_WC_KYBER +#ifndef WOLFSSL_NO_ML_KEM_512 + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_512, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_ML_KEM_512, + ssl->heap); +#endif +#ifndef WOLFSSL_NO_ML_KEM_768 + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_768, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_ML_KEM_768, + ssl->heap); +#endif +#ifndef WOLFSSL_NO_ML_KEM_1024 + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_1024, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_ML_KEM_1024, + ssl->heap); +#endif +#elif defined(HAVE_LIBOQS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_512, ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_768, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_1024, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_ML_KEM_512, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_ML_KEM_768, + ssl->heap); + if (ret == WOLFSSL_SUCCESS) + ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_ML_KEM_1024, + ssl->heap); +#endif /* HAVE_LIBOQS */ +#endif /* !WOLFSSL_NO_ML_KEM */ +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_WC_KYBER #ifdef WOLFSSL_KYBER512 if (ret == WOLFSSL_SUCCESS) @@ -13408,6 +13571,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions) ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_KYBER_LEVEL5, ssl->heap); #endif /* HAVE_LIBOQS */ +#endif /* WOLFSSL_KYBER_ORIGINAL */ #endif /* WOLFSSL_HAVE_KYBER */ (void)ssl; @@ -14751,9 +14915,9 @@ static word16 TLSX_GetMinSize_Client(word16* type) return 0; } } - #define TLSX_GET_MIN_SIZE_CLIENT TLSX_GetMinSize_Client + #define TLSX_GET_MIN_SIZE_CLIENT(type) TLSX_GetMinSize_Client(type) #else - #define TLSX_GET_MIN_SIZE_CLIENT(...) 0 + #define TLSX_GET_MIN_SIZE_CLIENT(type) 0 #endif @@ -14820,9 +14984,9 @@ static word16 TLSX_GetMinSize_Server(const word16 *type) return 0; } } - #define TLSX_GET_MIN_SIZE_SERVER TLSX_GetMinSize_Server + #define TLSX_GET_MIN_SIZE_SERVER(type) TLSX_GetMinSize_Server(type) #else - #define TLSX_GET_MIN_SIZE_SERVER(...) 0 + #define TLSX_GET_MIN_SIZE_SERVER(type) 0 #endif @@ -15027,9 +15191,8 @@ int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, byte msgType, #ifdef WOLFSSL_DUAL_ALG_CERTS case TLSX_CKS: WOLFSSL_MSG("CKS extension received"); - if (!IsAtLeastTLSv1_3(ssl->version) || - (msgType != client_hello && - msgType != encrypted_extensions)) { + if (msgType != client_hello && + msgType != encrypted_extensions) { WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); return EXT_NOT_ALLOWED; } diff --git a/src/tls13.c b/src/tls13.c index e8268939ba..0d5a8b9365 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -5285,7 +5285,9 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, defined(WOLFSSL_WPAS_SMALL) /* Check if client has disabled TLS 1.2 */ if (args->pv.minor == TLSv1_2_MINOR && - (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { + (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) + == WOLFSSL_OP_NO_TLSv1_2) + { WOLFSSL_MSG("\tOption set to not allow TLSv1.2"); WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); return VERSION_ERROR; @@ -8998,7 +9000,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl) return 0; /* sent blank cert, can't verify */ } - args->sendSz = MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA; + args->sendSz = WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA; /* Always encrypted. */ args->sendSz += MAX_MSG_EXTRA; @@ -9655,7 +9657,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl) if (ssl->options.dtls) { ssl->options.buildingMsg = 0; ret = Dtls13HandshakeSend(ssl, args->output, - MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA + MAX_MSG_EXTRA, + WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA + MAX_MSG_EXTRA, (word16)args->sendSz, certificate_verify, 1); if (ret != 0) goto exit_scv; @@ -9666,7 +9668,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl) /* This message is always encrypted. */ ret = BuildTls13Message(ssl, args->output, - MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA, + WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA, args->output + RECORD_HEADER_SZ, args->sendSz - RECORD_HEADER_SZ, handshake, 1, 0, 0); @@ -12797,7 +12799,7 @@ int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef WOLFSSL_QUIC if (WOLFSSL_IS_QUIC(ssl) && ssl->earlyData != no_early_data) { /* QUIC never sends/receives EndOfEarlyData, but having - * early data means the last encrpytion keys had not been + * early data means the last encryption keys had not been * set yet. */ if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) return ret; @@ -13033,7 +13035,7 @@ int wolfSSL_connect_TLSv13(WOLFSSL* ssl) } /* make sure this wolfSSL object has arrays and rng setup. Protects - * case where the WOLFSSL object is re-used via wolfSSL_clear() */ + * case where the WOLFSSL object is reused via wolfSSL_clear() */ if ((ret = ReinitSSL(ssl, ssl->ctx, 0)) != 0) { return ret; } @@ -14134,7 +14136,7 @@ int wolfSSL_accept_TLSv13(WOLFSSL* ssl) } /* make sure this wolfSSL object has arrays and rng setup. Protects - * case where the WOLFSSL object is re-used via wolfSSL_clear() */ + * case where the WOLFSSL object is reused via wolfSSL_clear() */ if ((ret = ReinitSSL(ssl, ssl->ctx, 0)) != 0) { return ret; } diff --git a/src/wolfio.c b/src/wolfio.c index a632ff8431..8d0b2f089b 100644 --- a/src/wolfio.c +++ b/src/wolfio.c @@ -32,6 +32,15 @@ #ifndef WOLFCRYPT_ONLY +#if defined(HAVE_ERRNO_H) && defined(WOLFSSL_NO_SOCK) && \ + (defined(USE_WOLFSSL_IO) || defined(HAVE_HTTP_CLIENT)) + /* error codes are needed for TranslateIoReturnCode() and + * wolfIO_TcpConnect() even if defined(WOLFSSL_NO_SOCK), which inhibits + * inclusion of errno.h by wolfio.h. + */ + #include +#endif + #ifdef _WIN32_WCE /* On WinCE winsock2.h must be included before windows.h for socket stuff */ #include @@ -116,7 +125,7 @@ Possible IO enable options: * * DTLS_RECEIVEFROM_NO_TIMEOUT_ON_INVALID_PEER: This flag has effect only if * ASN_NO_TIME is enabled. If enabled invalid peers messages are ignored - * indefinetely. If not enabled EmbedReceiveFrom will return timeout after + * indefinitely. If not enabled EmbedReceiveFrom will return timeout after * DTLS_RECEIVEFROM_MAX_INVALID_PEER number of packets from invalid peers. When * enabled, without a timer, EmbedReceivefrom can't check if the timeout is * expired and it may never return under a continuous flow of invalid packets. @@ -251,7 +260,7 @@ static int TranslateIoReturnCode(int err, SOCKET_T sd, int direction) NULL); WOLFSSL_MSG(errstr); #else - WOLFSSL_MSG("\tGeneral error"); + WOLFSSL_MSG_EX("\tGeneral error: %d", err); #endif return WOLFSSL_CBIO_ERR_GENERAL; } @@ -260,12 +269,12 @@ static int TranslateIoReturnCode(int err, SOCKET_T sd, int direction) #ifdef OPENSSL_EXTRA #ifndef NO_BIO -int BioSend(WOLFSSL* ssl, char *buf, int sz, void *ctx) +int wolfSSL_BioSend(WOLFSSL* ssl, char *buf, int sz, void *ctx) { return SslBioSend(ssl, buf, sz, ctx); } -int BioReceive(WOLFSSL* ssl, char* buf, int sz, void* ctx) +int wolfSSL_BioReceive(WOLFSSL* ssl, char* buf, int sz, void* ctx) { return SslBioReceive(ssl, buf, sz, ctx); } @@ -1032,7 +1041,7 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) } ((SOCKADDR_IN*)&addr)->sin_port = XHTONS(port); - /* peer sa is free'd in SSL_ResourceFree */ + /* peer sa is free'd in wolfSSL_ResourceFree */ if ((ret = wolfSSL_dtls_set_peer(ssl, (SOCKADDR_IN*)&addr, sizeof(SOCKADDR_IN)))!= WOLFSSL_SUCCESS) { WOLFSSL_MSG("Import DTLS peer info error"); @@ -1049,7 +1058,7 @@ int EmbedGenerateCookie(WOLFSSL* ssl, byte *buf, int sz, void *ctx) } ((SOCKADDR_IN6*)&addr)->sin6_port = XHTONS(port); - /* peer sa is free'd in SSL_ResourceFree */ + /* peer sa is free'd in wolfSSL_ResourceFree */ if ((ret = wolfSSL_dtls_set_peer(ssl, (SOCKADDR_IN6*)&addr, sizeof(SOCKADDR_IN6)))!= WOLFSSL_SUCCESS) { WOLFSSL_MSG("Import DTLS peer info error"); diff --git a/src/x509.c b/src/x509.c index bb6a1b9eea..415cfe754d 100644 --- a/src/x509.c +++ b/src/x509.c @@ -49,10 +49,10 @@ unsigned int wolfSSL_X509_get_extension_flags(WOLFSSL_X509* x509) if (x509 != NULL) { if (x509->keyUsageSet) { - flags |= EXFLAG_KUSAGE; + flags |= WOLFSSL_EXFLAG_KUSAGE; } if (x509->extKeyUsageSrc != NULL) { - flags |= EXFLAG_XKUSAGE; + flags |= WOLFSSL_EXFLAG_XKUSAGE; } } @@ -92,19 +92,19 @@ unsigned int wolfSSL_X509_get_extended_key_usage(WOLFSSL_X509* x509) if (x509 != NULL) { if (x509->extKeyUsage & EXTKEYUSE_OCSP_SIGN) - ret |= XKU_OCSP_SIGN; + ret |= WOLFSSL_XKU_OCSP_SIGN; if (x509->extKeyUsage & EXTKEYUSE_TIMESTAMP) - ret |= XKU_TIMESTAMP; + ret |= WOLFSSL_XKU_TIMESTAMP; if (x509->extKeyUsage & EXTKEYUSE_EMAILPROT) - ret |= XKU_SMIME; + ret |= WOLFSSL_XKU_SMIME; if (x509->extKeyUsage & EXTKEYUSE_CODESIGN) - ret |= XKU_CODE_SIGN; + ret |= WOLFSSL_XKU_CODE_SIGN; if (x509->extKeyUsage & EXTKEYUSE_CLIENT_AUTH) - ret |= XKU_SSL_CLIENT; + ret |= WOLFSSL_XKU_SSL_CLIENT; if (x509->extKeyUsage & EXTKEYUSE_SERVER_AUTH) - ret |= XKU_SSL_SERVER; + ret |= WOLFSSL_XKU_SSL_SERVER; if (x509->extKeyUsage & EXTKEYUSE_ANY) - ret |= XKU_ANYEKU; + ret |= WOLFSSL_XKU_ANYEKU; } WOLFSSL_LEAVE("wolfSSL_X509_get_extended_key_usage", ret); @@ -314,7 +314,8 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_create_by_OBJ( if (ret == NULL) { err = 1; } - } else { + } + else { /* Prevent potential memory leaks and dangling pointers. */ wolfSSL_ASN1_OBJECT_free(ret->obj); ret->obj = NULL; @@ -360,7 +361,8 @@ WOLFSSL_STACK* wolfSSL_sk_new_x509_ext(void) /* This function does NOT return 1 on success. It returns 0 on fail, and the * number of items in the stack upon success. This is for compatibility with * OpenSSL. */ -int wolfSSL_sk_X509_EXTENSION_push(WOLFSSL_STACK* sk,WOLFSSL_X509_EXTENSION* ext) +int wolfSSL_sk_X509_EXTENSION_push(WOLFSSL_STACK* sk, + WOLFSSL_X509_EXTENSION* ext) { WOLFSSL_ENTER("wolfSSL_sk_X509_EXTENSION_push"); @@ -532,7 +534,7 @@ static int wolfssl_dns_entry_othername_to_gn(DNS_entry* dns, goto err; } - tag = V_ASN1_UTF8STRING; + tag = WOLFSSL_V_ASN1_UTF8STRING; } else #endif @@ -555,7 +557,7 @@ static int wolfssl_dns_entry_othername_to_gn(DNS_entry* dns, len -= idx; /* Set the tag to object so that it gets output in raw form */ - tag = V_ASN1_SEQUENCE; + tag = WOLFSSL_V_ASN1_SEQUENCE; } @@ -587,6 +589,76 @@ static int wolfssl_dns_entry_othername_to_gn(DNS_entry* dns, #endif /* OPENSSL_ALL || WOLFSSL_WPAS_SMALL */ #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) +static int DNS_to_GENERAL_NAME(WOLFSSL_GENERAL_NAME* gn, DNS_entry* dns) +{ + gn->type = dns->type; + switch (gn->type) { + case WOLFSSL_GEN_OTHERNAME: + if (!wolfssl_dns_entry_othername_to_gn(dns, gn)) { + WOLFSSL_MSG("OTHERNAME set failed"); + return WOLFSSL_FAILURE; + } + break; + + case WOLFSSL_GEN_EMAIL: + case WOLFSSL_GEN_DNS: + case WOLFSSL_GEN_URI: + case WOLFSSL_GEN_IPADD: + case WOLFSSL_GEN_IA5: + gn->d.ia5->length = dns->len; + if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, + gn->d.ia5->length) != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("ASN1_STRING_set failed"); + return WOLFSSL_FAILURE; + } + break; + + + case WOLFSSL_GEN_DIRNAME: + /* wolfSSL_GENERAL_NAME_new() mallocs this by default */ + wolfSSL_ASN1_STRING_free(gn->d.ia5); + gn->d.ia5 = NULL; + + gn->d.dirn = wolfSSL_X509_NAME_new();; + /* @TODO extract dir name info from DNS_entry */ + break; + +#ifdef WOLFSSL_RID_ALT_NAME + case WOLFSSL_GEN_RID: + /* wolfSSL_GENERAL_NAME_new() mallocs this by default */ + wolfSSL_ASN1_STRING_free(gn->d.ia5); + gn->d.ia5 = NULL; + + gn->d.registeredID = wolfSSL_ASN1_OBJECT_new(); + if (gn->d.registeredID == NULL) { + return WOLFSSL_FAILURE; + } + gn->d.registeredID->obj = (const unsigned char*)XMALLOC(dns->len, + gn->d.registeredID->heap, DYNAMIC_TYPE_ASN1); + if (gn->d.registeredID->obj == NULL) { + /* registeredID gets free'd up by caller after failure */ + return WOLFSSL_FAILURE; + } + gn->d.registeredID->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA; + XMEMCPY((byte*)gn->d.registeredID->obj, dns->ridString, dns->len); + gn->d.registeredID->objSz = dns->len; + gn->d.registeredID->grp = oidCertExtType; + gn->d.registeredID->nid = WC_NID_registeredAddress; + break; +#endif + + case WOLFSSL_GEN_X400: + /* Unsupported: fall through */ + case WOLFSSL_GEN_EDIPARTY: + /* Unsupported: fall through */ + default: + WOLFSSL_MSG("Unsupported type conversion"); + return WOLFSSL_FAILURE; + } + return WOLFSSL_SUCCESS; +} + + static int wolfssl_x509_alt_names_to_gn(WOLFSSL_X509* x509, WOLFSSL_X509_EXTENSION* ext) { @@ -624,24 +696,10 @@ static int wolfssl_x509_alt_names_to_gn(WOLFSSL_X509* x509, goto err; } - gn->type = dns->type; - if (gn->type == GEN_OTHERNAME) { - if (!wolfssl_dns_entry_othername_to_gn(dns, gn)) { - WOLFSSL_MSG("OTHERNAME set failed"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_pop_free(sk, NULL); - goto err; - } - } - else { - gn->d.ia5->length = dns->len; - if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, - gn->d.ia5->length) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set failed"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_pop_free(sk, NULL); - goto err; - } + if (DNS_to_GENERAL_NAME(gn, dns) != WOLFSSL_SUCCESS) { + wolfSSL_GENERAL_NAME_free(gn); + wolfSSL_sk_pop_free(sk, NULL); + goto err; } if (wolfSSL_sk_GENERAL_NAME_push(sk, gn) <= 0) { @@ -685,12 +743,12 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_ENTER("wolfSSL_X509_set_ext"); - if(x509 == NULL){ + if (x509 == NULL) { WOLFSSL_MSG("\tNot passed a certificate"); return NULL; } - if(loc <0 || (loc > wolfSSL_X509_get_ext_count(x509))){ + if (loc < 0 || (loc > wolfSSL_X509_get_ext_count(x509))) { WOLFSSL_MSG("\tBad location argument"); return NULL; } @@ -922,7 +980,7 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) obj->obj = (byte*)x509->authInfoCaIssuer; obj->objSz = (unsigned int)x509->authInfoCaIssuerSz; obj->grp = oidCertAuthInfoType; - obj->nid = NID_ad_ca_issuers; + obj->nid = WC_NID_ad_ca_issuers; ret = wolfSSL_sk_ASN1_OBJECT_push(sk, obj) > 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; @@ -958,7 +1016,7 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) obj->obj = x509->authInfo; obj->objSz = (unsigned int)x509->authInfoSz; obj->grp = oidCertAuthInfoType; - obj->nid = NID_ad_OCSP; + obj->nid = WC_NID_ad_OCSP; ret = wolfSSL_sk_ASN1_OBJECT_push(sk, obj) > 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; @@ -1124,8 +1182,8 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) } ext->obj->objSz = (unsigned int)objSz; - if(((ext->obj->dynamic & WOLFSSL_ASN1_DYNAMIC_DATA) != 0) || - (ext->obj->obj == NULL)) { + if (((ext->obj->dynamic & WOLFSSL_ASN1_DYNAMIC_DATA) != 0) || + (ext->obj->obj == NULL)) { ext->obj->obj =(byte*)XREALLOC((byte*)ext->obj->obj, ext->obj->objSz, NULL,DYNAMIC_TYPE_ASN1); @@ -1139,7 +1197,8 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) return NULL; } ext->obj->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA; - } else { + } + else { ext->obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC_DATA; } /* Get OID from input and copy to ASN1_OBJECT buffer */ @@ -1177,7 +1236,8 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) #endif return NULL; } - ext->value.data = (char*)XMALLOC(length, NULL, DYNAMIC_TYPE_ASN1); + ext->value.data = (char*)XMALLOC(length, NULL, + DYNAMIC_TYPE_ASN1); ext->value.isDynamic = 1; if (ext->value.data == NULL) { WOLFSSL_MSG("Failed to malloc ASN1_STRING data"); @@ -1221,16 +1281,13 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) * @return WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on error */ static int asn1_string_copy_to_buffer(WOLFSSL_ASN1_STRING* str, byte** buf, - word32* len, void* heap) { - if (!str || !buf || !len) { - return WOLFSSL_FAILURE; - } + word32* len, void* heap) +{ if (str->data && str->length > 0) { if (*buf) XFREE(*buf, heap, DYNAMIC_TYPE_X509_EXT); *len = 0; - *buf = (byte*)XMALLOC(str->length, heap, - DYNAMIC_TYPE_X509_EXT); + *buf = (byte*)XMALLOC(str->length, heap, DYNAMIC_TYPE_X509_EXT); if (!*buf) { WOLFSSL_MSG("malloc error"); return WOLFSSL_FAILURE; @@ -1243,7 +1300,8 @@ static int asn1_string_copy_to_buffer(WOLFSSL_ASN1_STRING* str, byte** buf, return WOLFSSL_SUCCESS; } -int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int loc) +int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, + int loc) { int nid; @@ -1256,7 +1314,7 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo nid = (ext->obj != NULL) ? ext->obj->type : ext->value.nid; switch (nid) { - case NID_authority_key_identifier: + case WC_NID_authority_key_identifier: if (x509->authKeyIdSrc != NULL) { /* If authKeyId points into authKeyIdSrc then free it and * revert to old functionality */ @@ -1271,7 +1329,7 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo } x509->authKeyIdCrit = (byte)ext->crit; break; - case NID_subject_key_identifier: + case WC_NID_subject_key_identifier: if (asn1_string_copy_to_buffer(&ext->value, &x509->subjKeyId, &x509->subjKeyIdSz, x509->heap) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("asn1_string_copy_to_buffer error"); @@ -1279,7 +1337,7 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo } x509->subjKeyIdCrit = (byte)ext->crit; break; - case NID_subject_alt_name: + case WC_NID_subject_alt_name: { WOLFSSL_GENERAL_NAMES* gns = ext->ext_sk; while (gns) { @@ -1323,11 +1381,14 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo x509->subjAltNameCrit = (byte)ext->crit; break; } - case NID_key_usage: + case WC_NID_key_usage: if (ext && ext->value.data) { if (ext->value.length == sizeof(word16)) { /* if ext->value is already word16, set directly */ x509->keyUsage = *(word16*)ext->value.data; +#ifdef BIG_ENDIAN_ORDER + x509->keyUsage = rotlFixed16(x509->keyUsage, 8U); +#endif x509->keyUsageCrit = (byte)ext->crit; x509->keyUsageSet = 1; } @@ -1345,10 +1406,10 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo } } break; - case NID_ext_key_usage: + case WC_NID_ext_key_usage: if (ext && ext->value.data) { if (ext->value.length == sizeof(byte)) { - /* if ext->value is already word16, set directly */ + /* if ext->value is already 1 byte, set directly */ x509->extKeyUsage = *(byte*)ext->value.data; x509->extKeyUsageCrit = (byte)ext->crit; } @@ -1365,12 +1426,14 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo } } break; - case NID_basic_constraints: + case WC_NID_basic_constraints: if (ext->obj) { x509->isCa = (byte)ext->obj->ca; x509->basicConstCrit = (byte)ext->crit; - if (ext->obj->pathlen) + if (ext->obj->pathlen) { x509->pathLength = (word32)ext->obj->pathlen->length; + x509->basicConstPlSet = 1; + } x509->basicConstSet = 1; } break; @@ -1438,8 +1501,8 @@ int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int lo int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, unsigned long flag, int indent) { - ASN1_OBJECT* obj; - ASN1_STRING* str; + WOLFSSL_ASN1_OBJECT* obj; + WOLFSSL_ASN1_STRING* str; int nid; int rc = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); char tmp[CTC_NAME_SIZE*2 + 1]; @@ -1590,13 +1653,13 @@ int wolfSSL_X509_EXTENSION_set_critical(WOLFSSL_X509_EXTENSION* ex, int crit) * not NULL, get the NID of the extension object and populate the * extension type-specific X509V3_EXT_* function(s) in v3_ext_method. * - * Returns NULL on error or pointer to the v3_ext_method populated with extension - * type-specific X509V3_EXT_* function(s). + * Returns NULL on error or pointer to the v3_ext_method populated with + * extension type-specific X509V3_EXT_* function(s). * - * NOTE: NID_subject_key_identifier is currently the only extension implementing + * NOTE: WC_NID_subject_key_identifier is currently the only extension implementing * the X509V3_EXT_* functions, as it is the only type called directly by QT. The - * other extension types return a pointer to a v3_ext_method struct that contains - * only the NID. + * other extension types return a pointer to a v3_ext_method struct that + * contains only the NID. */ #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L const WOLFSSL_v3_ext_method* wolfSSL_X509V3_EXT_get(WOLFSSL_X509_EXTENSION* ex) @@ -1622,30 +1685,31 @@ WOLFSSL_v3_ext_method* wolfSSL_X509V3_EXT_get(WOLFSSL_X509_EXTENSION* ex) } XMEMSET(&method, 0, sizeof(WOLFSSL_v3_ext_method)); switch (nid) { - case NID_basic_constraints: + case WC_NID_basic_constraints: break; - case NID_subject_key_identifier: - method.i2s = (X509V3_EXT_I2S)wolfSSL_i2s_ASN1_STRING; + case WC_NID_subject_key_identifier: + method.i2s = (WOLFSSL_X509V3_EXT_I2S)wolfSSL_i2s_ASN1_STRING; break; - case NID_subject_alt_name: - WOLFSSL_MSG("i2v function not yet implemented for Subject Alternative Name"); + case WC_NID_subject_alt_name: + WOLFSSL_MSG("i2v function not yet implemented for Subject " + "Alternative Name"); break; - case NID_key_usage: + case WC_NID_key_usage: WOLFSSL_MSG("i2v function not yet implemented for Key Usage"); break; - case NID_authority_key_identifier: + case WC_NID_authority_key_identifier: WOLFSSL_MSG("i2v function not yet implemented for Auth Key Id"); break; - case NID_info_access: + case WC_NID_info_access: WOLFSSL_MSG("i2v function not yet implemented for Info Access"); break; - case NID_ext_key_usage: + case WC_NID_ext_key_usage: WOLFSSL_MSG("i2v function not yet implemented for Ext Key Usage"); break; - case NID_certificate_policies: + case WC_NID_certificate_policies: WOLFSSL_MSG("r2i function not yet implemented for Cert Policies"); break; - case NID_crl_distribution_points: + case WC_NID_crl_distribution_points: WOLFSSL_MSG("r2i function not yet implemented for CRL Dist Points"); break; default: @@ -1748,7 +1812,7 @@ static WOLFSSL_AUTHORITY_INFO_ACCESS* wolfssl_x509v3_ext_aia_d2i( } /* Set the type of general name to URI (only type supported). */ - ret = wolfSSL_GENERAL_NAME_set_type(ad->location, GEN_URI); + ret = wolfSSL_GENERAL_NAME_set_type(ad->location, WOLFSSL_GEN_URI); if (ret != WOLFSSL_SUCCESS) { err = 1; break; @@ -1812,27 +1876,27 @@ void* wolfSSL_X509V3_EXT_d2i(WOLFSSL_X509_EXTENSION* ext) WOLFSSL_ENTER("wolfSSL_X509V3_EXT_d2i"); - if(ext == NULL) { + if (ext == NULL) { WOLFSSL_MSG("Bad function Argument"); return NULL; } + object = wolfSSL_X509_EXTENSION_get_object(ext); + if (object == NULL) { + WOLFSSL_MSG("X509_EXTENSION_get_object failed"); + return NULL; + } /* extract extension info */ method = wolfSSL_X509V3_EXT_get(ext); if (method == NULL) { WOLFSSL_MSG("wolfSSL_X509V3_EXT_get error"); return NULL; } - object = wolfSSL_X509_EXTENSION_get_object(ext); - if (object == NULL) { - WOLFSSL_MSG("X509_EXTENSION_get_object failed"); - return NULL; - } /* Return pointer to proper internal structure based on NID */ switch (object->type) { /* basicConstraints */ - case (NID_basic_constraints): + case WC_NID_basic_constraints: WOLFSSL_MSG("basicConstraints"); /* Allocate new BASIC_CONSTRAINTS structure */ bc = wolfSSL_BASIC_CONSTRAINTS_new(); @@ -1842,7 +1906,7 @@ void* wolfSSL_X509V3_EXT_d2i(WOLFSSL_X509_EXTENSION* ext) } /* Copy pathlen and CA into BASIC_CONSTRAINTS from object */ bc->ca = object->ca; - if (object->pathlen->length > 0) { + if (object->pathlen != NULL && object->pathlen->length > 0) { bc->pathlen = wolfSSL_ASN1_INTEGER_dup(object->pathlen); if (bc->pathlen == NULL) { WOLFSSL_MSG("Failed to duplicate ASN1_INTEGER"); @@ -1855,7 +1919,7 @@ void* wolfSSL_X509V3_EXT_d2i(WOLFSSL_X509_EXTENSION* ext) return bc; /* subjectKeyIdentifier */ - case (NID_subject_key_identifier): + case WC_NID_subject_key_identifier: WOLFSSL_MSG("subjectKeyIdentifier"); asn1String = wolfSSL_X509_EXTENSION_get_data(ext); if (asn1String == NULL) { @@ -1878,7 +1942,7 @@ void* wolfSSL_X509V3_EXT_d2i(WOLFSSL_X509_EXTENSION* ext) return newString; /* authorityKeyIdentifier */ - case (NID_authority_key_identifier): + case WC_NID_authority_key_identifier: WOLFSSL_MSG("AuthorityKeyIdentifier"); akey = (WOLFSSL_AUTHORITY_KEYID*) @@ -1921,7 +1985,7 @@ void* wolfSSL_X509V3_EXT_d2i(WOLFSSL_X509_EXTENSION* ext) return akey; /* keyUsage */ - case (NID_key_usage): + case WC_NID_key_usage: WOLFSSL_MSG("keyUsage"); /* This may need to be updated for future use. The i2v method for keyUsage is not currently set. For now, return the ASN1_STRING @@ -1947,21 +2011,21 @@ void* wolfSSL_X509V3_EXT_d2i(WOLFSSL_X509_EXTENSION* ext) return newString; /* extKeyUsage */ - case (NID_ext_key_usage): + case WC_NID_ext_key_usage: WOLFSSL_MSG("extKeyUsage not supported yet"); return NULL; /* certificatePolicies */ - case (NID_certificate_policies): + case WC_NID_certificate_policies: WOLFSSL_MSG("certificatePolicies not supported yet"); return NULL; /* cRLDistributionPoints */ - case (NID_crl_distribution_points): + case WC_NID_crl_distribution_points: WOLFSSL_MSG("cRLDistributionPoints not supported yet"); return NULL; - case NID_subject_alt_name: + case WC_NID_subject_alt_name: if (ext->ext_sk == NULL) { WOLFSSL_MSG("Subject alt name stack NULL"); return NULL; @@ -1974,7 +2038,7 @@ void* wolfSSL_X509V3_EXT_d2i(WOLFSSL_X509_EXTENSION* ext) return sk; /* authorityInfoAccess */ - case NID_info_access: + case WC_NID_info_access: WOLFSSL_MSG("AuthorityInfoAccess"); return wolfssl_x509v3_ext_aia_d2i(ext); @@ -2009,12 +2073,12 @@ int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos) WOLFSSL_ENTER("wolfSSL_X509_get_ext_by_NID"); - if(x509 == NULL){ + if (x509 == NULL) { WOLFSSL_MSG("\tNot passed a certificate"); return WOLFSSL_FATAL_ERROR; } - if(lastPos < -1 || (lastPos > (wolfSSL_X509_get_ext_count(x509) - 1))){ + if (lastPos < -1 || (lastPos > (wolfSSL_X509_get_ext_count(x509) - 1))) { WOLFSSL_MSG("\tBad location argument"); return WOLFSSL_FATAL_ERROR; } @@ -2095,8 +2159,8 @@ int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos) if (extCount >= loc) { /* extCount >= loc. Now check if extension has been set */ - isSet = wolfSSL_X509_ext_isSet_by_NID((WOLFSSL_X509*)x509, (int)foundNID); - + isSet = wolfSSL_X509_ext_isSet_by_NID((WOLFSSL_X509*)x509, + (int)foundNID); if (isSet && ((word32)nid == foundNID)) { found = 1; break; @@ -2258,7 +2322,7 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, WOLFSSL_MSG("ASN1_STRING_set failed"); goto err; } - gn->d.dNSName->type = V_ASN1_IA5STRING; + gn->d.dNSName->type = WOLFSSL_V_ASN1_IA5STRING; } dns = dns->next; @@ -2296,7 +2360,7 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, goto err; } - if (wolfSSL_GENERAL_NAME_set_type(gn, GEN_URI) != + if (wolfSSL_GENERAL_NAME_set_type(gn, WOLFSSL_GEN_URI) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error setting GENERAL_NAME type"); goto err; @@ -2362,7 +2426,8 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, if (x509->authKeyIdSet) { WOLFSSL_AUTHORITY_KEYID* akey = wolfSSL_AUTHORITY_KEYID_new(); if (!akey) { - WOLFSSL_MSG("Issue creating WOLFSSL_AUTHORITY_KEYID struct"); + WOLFSSL_MSG( + "Issue creating WOLFSSL_AUTHORITY_KEYID struct"); return NULL; } @@ -2430,7 +2495,8 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, for (i = 0; i < x509->certPoliciesNb - 1; i++) { obj = wolfSSL_ASN1_OBJECT_new(); if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); + WOLFSSL_MSG( + "Issue creating WOLFSSL_ASN1_OBJECT struct"); wolfSSL_sk_ASN1_OBJECT_pop_free(sk, NULL); return NULL; } @@ -2743,9 +2809,6 @@ static WOLFSSL_X509_EXTENSION* createExtFromStr(int nid, const char *value) { WOLFSSL_X509_EXTENSION* ext; - if (value == NULL) - return NULL; - ext = wolfSSL_X509_EXTENSION_new(); if (ext == NULL) { WOLFSSL_MSG("memory error"); @@ -2754,8 +2817,8 @@ static WOLFSSL_X509_EXTENSION* createExtFromStr(int nid, const char *value) ext->value.nid = nid; switch (nid) { - case NID_subject_key_identifier: - case NID_authority_key_identifier: + case WC_NID_subject_key_identifier: + case WC_NID_authority_key_identifier: if (wolfSSL_ASN1_STRING_set(&ext->value, value, -1) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("wolfSSL_ASN1_STRING_set error"); @@ -2763,7 +2826,7 @@ static WOLFSSL_X509_EXTENSION* createExtFromStr(int nid, const char *value) } ext->value.type = CTC_UTF8; break; - case NID_subject_alt_name: + case WC_NID_subject_alt_name: { WOLFSSL_GENERAL_NAMES* gns; WOLFSSL_GENERAL_NAME* gn; @@ -2802,7 +2865,7 @@ static WOLFSSL_X509_EXTENSION* createExtFromStr(int nid, const char *value) gn->type = ASN_DNS_TYPE; break; } - case NID_key_usage: + case WC_NID_key_usage: if (wolfSSL_ASN1_STRING_set(&ext->value, value, -1) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("wolfSSL_ASN1_STRING_set error"); @@ -2810,7 +2873,7 @@ static WOLFSSL_X509_EXTENSION* createExtFromStr(int nid, const char *value) } ext->value.type = KEY_USAGE_OID; break; - case NID_ext_key_usage: + case WC_NID_ext_key_usage: if (wolfSSL_ASN1_STRING_set(&ext->value, value, -1) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("wolfSSL_ASN1_STRING_set error"); @@ -2901,22 +2964,22 @@ static void wolfSSL_X509V3_EXT_METHOD_populate(WOLFSSL_v3_ext_method *method, WOLFSSL_ENTER("wolfSSL_X509V3_EXT_METHOD_populate"); switch (nid) { - case NID_subject_key_identifier: - method->i2s = (X509V3_EXT_I2S)wolfSSL_i2s_ASN1_STRING; + case WC_NID_subject_key_identifier: + method->i2s = (WOLFSSL_X509V3_EXT_I2S)wolfSSL_i2s_ASN1_STRING; FALL_THROUGH; - case NID_authority_key_identifier: - case NID_key_usage: - case NID_certificate_policies: - case NID_policy_mappings: - case NID_subject_alt_name: - case NID_issuer_alt_name: - case NID_basic_constraints: - case NID_name_constraints: - case NID_policy_constraints: - case NID_ext_key_usage: - case NID_crl_distribution_points: - case NID_inhibit_any_policy: - case NID_info_access: + case WC_NID_authority_key_identifier: + case WC_NID_key_usage: + case WC_NID_certificate_policies: + case WC_NID_policy_mappings: + case WC_NID_subject_alt_name: + case WC_NID_issuer_alt_name: + case WC_NID_basic_constraints: + case WC_NID_name_constraints: + case WC_NID_policy_constraints: + case WC_NID_ext_key_usage: + case WC_NID_crl_distribution_points: + case WC_NID_inhibit_any_policy: + case WC_NID_info_access: WOLFSSL_MSG("Nothing to populate for current NID"); break; default: @@ -2928,7 +2991,7 @@ static void wolfSSL_X509V3_EXT_METHOD_populate(WOLFSSL_v3_ext_method *method, } /** - * @param nid One of the NID_* constants defined in asn.h + * @param nid One of the WC_NID_* constants defined in asn.h * @param crit * @param data This data is copied to the returned extension. * @return @@ -2952,9 +3015,9 @@ WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit, wolfSSL_X509V3_EXT_METHOD_populate(&ext->ext_method, nid); switch (nid) { - case NID_subject_key_identifier: + case WC_NID_subject_key_identifier: /* WOLFSSL_ASN1_STRING */ - case NID_key_usage: + case WC_NID_key_usage: /* WOLFSSL_ASN1_STRING */ { asn1str = (WOLFSSL_ASN1_STRING*)data; @@ -2981,13 +3044,13 @@ WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit, break; } - case NID_subject_alt_name: + case WC_NID_subject_alt_name: /* typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES */ - case NID_issuer_alt_name: + case WC_NID_issuer_alt_name: /* typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES */ - case NID_ext_key_usage: + case WC_NID_ext_key_usage: /* typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE */ - case NID_info_access: + case WC_NID_info_access: /* typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS */ { WOLFSSL_STACK* sk = (WOLFSSL_STACK*)data; @@ -3008,7 +3071,7 @@ WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit, break; } - case NID_basic_constraints: + case WC_NID_basic_constraints: { /* WOLFSSL_BASIC_CONSTRAINTS */ WOLFSSL_BASIC_CONSTRAINTS* bc = (WOLFSSL_BASIC_CONSTRAINTS*)data; @@ -3028,7 +3091,7 @@ WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit, } break; } - case NID_authority_key_identifier: + case WC_NID_authority_key_identifier: { /* AUTHORITY_KEYID */ WOLFSSL_AUTHORITY_KEYID* akey = (WOLFSSL_AUTHORITY_KEYID*)data; @@ -3055,22 +3118,22 @@ WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit, } } else { - WOLFSSL_MSG("NID_authority_key_identifier empty data"); + WOLFSSL_MSG("WC_NID_authority_key_identifier empty data"); goto err_cleanup; } break; } - case NID_inhibit_any_policy: + case WC_NID_inhibit_any_policy: /* ASN1_INTEGER */ - case NID_certificate_policies: + case WC_NID_certificate_policies: /* STACK_OF(POLICYINFO) */ - case NID_policy_mappings: + case WC_NID_policy_mappings: /* STACK_OF(POLICY_MAPPING) */ - case NID_name_constraints: + case WC_NID_name_constraints: /* NAME_CONSTRAINTS */ - case NID_policy_constraints: + case WC_NID_policy_constraints: /* POLICY_CONSTRAINTS */ - case NID_crl_distribution_points: + case WC_NID_crl_distribution_points: /* typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS */ default: WOLFSSL_MSG("Unknown or unsupported NID"); @@ -3088,11 +3151,11 @@ WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit, } /* Returns pointer to ASN1_OBJECT from an X509_EXTENSION object */ -WOLFSSL_ASN1_OBJECT* wolfSSL_X509_EXTENSION_get_object \ - (WOLFSSL_X509_EXTENSION* ext) +WOLFSSL_ASN1_OBJECT* wolfSSL_X509_EXTENSION_get_object( + WOLFSSL_X509_EXTENSION* ext) { WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_get_object"); - if(ext == NULL) + if (ext == NULL) return NULL; return ext->obj; } @@ -3121,7 +3184,8 @@ int wolfSSL_X509_EXTENSION_set_object(WOLFSSL_X509_EXTENSION* ext, #endif /* OPENSSL_ALL */ /* Returns pointer to ASN1_STRING in X509_EXTENSION object */ -WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data(WOLFSSL_X509_EXTENSION* ext) +WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data( + WOLFSSL_X509_EXTENSION* ext) { WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_get_data"); if (ext == NULL) @@ -3231,6 +3295,7 @@ int wolfSSL_X509_pubkey_digest(const WOLFSSL_X509 *x509, #endif /* OPENSSL_EXTRA */ #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \ + defined(KEEP_OUR_CERT) || \ defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) /* user externally called free X509, if dynamic go ahead with free, otherwise @@ -3253,16 +3318,14 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) if (ret != 0) { WOLFSSL_MSG("Couldn't lock x509 mutex"); } - #endif /* OPENSSL_EXTRA_X509_SMALL || OPENSSL_EXTRA */ - - #if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA) if (doFree) #endif /* OPENSSL_EXTRA_X509_SMALL || OPENSSL_EXTRA */ { FreeX509(x509); XFREE(x509, x509->heap, DYNAMIC_TYPE_X509); } - } else { + } + else { WOLFSSL_MSG("free called on non dynamic object, not freeing"); } } @@ -3272,10 +3335,13 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) WOLFSSL_ABI void wolfSSL_X509_free(WOLFSSL_X509* x509) { - WOLFSSL_ENTER("wolfSSL_FreeX509"); + WOLFSSL_ENTER("wolfSSL_X509_free"); ExternalFreeX509(x509); } +#endif +#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \ + defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) /* copy name into in buffer, at most sz bytes, if buffer is null will malloc buffer, call responsible for freeing */ @@ -3284,15 +3350,15 @@ char* wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME* name, char* in, int sz) { int copySz; + WOLFSSL_ENTER("wolfSSL_X509_NAME_oneline"); + if (name == NULL) { WOLFSSL_MSG("WOLFSSL_X509_NAME pointer was NULL"); return NULL; } - copySz = (int)min((word32)sz, (word32)name->sz); - - WOLFSSL_ENTER("wolfSSL_X509_NAME_oneline"); - if (!name->sz) return in; + if (name->sz == 0) + return in; if (!in) { #ifdef WOLFSSL_STATIC_MEMORY @@ -3300,13 +3366,16 @@ char* wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME* name, char* in, int sz) return NULL; #else in = (char*)XMALLOC(name->sz, NULL, DYNAMIC_TYPE_OPENSSL); - if (!in ) return in; + if (!in) + return in; copySz = name->sz; #endif } - - if (copySz <= 0) - return in; + else { + copySz = (int)min((word32)sz, (word32)name->sz); + if (copySz <= 0) + return in; + } XMEMCPY(in, name->name, copySz - 1); in[copySz - 1] = 0; @@ -3346,7 +3415,7 @@ static unsigned long X509NameHash(WOLFSSL_X509_NAME* name, return 0; } - rc = wc_Hash(hashType, (const byte*)canonName,(word32)size, digest, + rc = wc_Hash(hashType, (const byte*)canonName, (word32)size, digest, sizeof(digest)); if (rc == 0) { @@ -3511,7 +3580,8 @@ char* wolfSSL_X509_get_name_oneline(WOLFSSL_X509_NAME* name, char* in, int sz) WOLFSSL_MSG("Memory error"); return NULL; } - if ((strLen = XSNPRINTF(str, (size_t)strSz, "%s=%s", sn, buf)) >= strSz) { + if ((strLen = XSNPRINTF(str, (size_t)strSz, "%s=%s", sn, + buf)) >= strSz) { WOLFSSL_MSG("buffer overrun"); XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER); return NULL; @@ -3697,7 +3767,7 @@ int wolfSSL_X509_NAME_entry_count(WOLFSSL_X509_NAME* name) #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #if defined(OPENSSL_EXTRA) || \ - defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) + defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) /* return the next, if any, altname from the peer cert */ WOLFSSL_ABI @@ -3874,7 +3944,8 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz) return x509->derCert->buffer; } -#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_OUR_CERT || KEEP_PEER_CERT || SESSION_CERTS */ +#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_OUR_CERT || + * KEEP_PEER_CERT || SESSION_CERTS */ #if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA) || \ defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || \ @@ -3892,7 +3963,8 @@ const byte* wolfSSL_X509_notBefore(WOLFSSL_X509* x509) XMEMSET(x509->notBeforeData, 0, sizeof(x509->notBeforeData)); x509->notBeforeData[0] = (byte)x509->notBefore.type; x509->notBeforeData[1] = (byte)x509->notBefore.length; - XMEMCPY(&x509->notBeforeData[2], x509->notBefore.data, x509->notBefore.length); + XMEMCPY(&x509->notBeforeData[2], x509->notBefore.data, + x509->notBefore.length); return x509->notBeforeData; } @@ -3971,6 +4043,7 @@ byte* wolfSSL_X509_get_device_type(WOLFSSL_X509* x509, byte* in, int *inOutSz) int copySz; WOLFSSL_ENTER("wolfSSL_X509_get_dev_type"); + if (x509 == NULL) return NULL; if (inOutSz == NULL) return NULL; if (!x509->deviceTypeSz) return in; @@ -3999,6 +4072,7 @@ byte* wolfSSL_X509_get_hw_type(WOLFSSL_X509* x509, byte* in, int* inOutSz) int copySz; WOLFSSL_ENTER("wolfSSL_X509_get_hw_type"); + if (x509 == NULL) return NULL; if (inOutSz == NULL) return NULL; if (!x509->hwTypeSz) return in; @@ -4028,6 +4102,7 @@ byte* wolfSSL_X509_get_hw_serial_number(WOLFSSL_X509* x509,byte* in, int copySz; WOLFSSL_ENTER("wolfSSL_X509_get_hw_serial_number"); + if (x509 == NULL) return NULL; if (inOutSz == NULL) return NULL; if (!x509->hwTypeSz) return in; @@ -4079,7 +4154,8 @@ WOLFSSL_ASN1_TIME* wolfSSL_X509_get_notAfter(const WOLFSSL_X509* x509) /* return 1 on success 0 on fail */ -int wolfSSL_sk_X509_push(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk, WOLFSSL_X509* x509) +int wolfSSL_sk_X509_push(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk, + WOLFSSL_X509* x509) { WOLFSSL_ENTER("wolfSSL_sk_X509_push"); @@ -4114,7 +4190,7 @@ WOLFSSL_X509* wolfSSL_sk_X509_pop(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) } if (sk->num > 0) { - sk->num -= 1; + sk->num--; } return x509; @@ -4128,7 +4204,7 @@ WOLFSSL_X509* wolfSSL_sk_X509_pop(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) * returns a pointer to a WOLFSSL_X509 structure on success and NULL on * fail */ -WOLFSSL_X509* wolfSSL_sk_X509_value(STACK_OF(WOLFSSL_X509)* sk, int i) +WOLFSSL_X509* wolfSSL_sk_X509_value(WOLF_STACK_OF(WOLFSSL_X509)* sk, int i) { WOLFSSL_ENTER("wolfSSL_sk_X509_value"); @@ -4187,7 +4263,7 @@ WOLFSSL_X509* wolfSSL_sk_X509_shift(WOLF_STACK_OF(WOLFSSL_X509)* sk) * sk stack to free nodes in * f X509 free function */ -void wolfSSL_sk_X509_pop_free(STACK_OF(WOLFSSL_X509)* sk, +void wolfSSL_sk_X509_pop_free(WOLF_STACK_OF(WOLFSSL_X509)* sk, void (*f) (WOLFSSL_X509*)) { WOLFSSL_ENTER("wolfSSL_sk_X509_pop_free"); @@ -4223,7 +4299,8 @@ void wolfSSL_sk_X509_CRL_free(WOLF_STACK_OF(WOLFSSL_X509_CRL)* sk) } /* return 1 on success 0 on fail */ -int wolfSSL_sk_X509_CRL_push(WOLF_STACK_OF(WOLFSSL_X509_CRL)* sk, WOLFSSL_X509_CRL* crl) +int wolfSSL_sk_X509_CRL_push(WOLF_STACK_OF(WOLFSSL_X509_CRL)* sk, + WOLFSSL_X509_CRL* crl) { WOLFSSL_ENTER("wolfSSL_sk_X509_CRL_push"); @@ -4338,7 +4415,7 @@ WOLFSSL_GENERAL_NAME* wolfSSL_GENERAL_NAME_new(void) wolfSSL_GENERAL_NAME_free(gn); return NULL; } - gn->type = GEN_IA5; + gn->type = WOLFSSL_GEN_IA5; return gn; } @@ -4362,33 +4439,33 @@ WOLFSSL_GENERAL_NAME* wolfSSL_GENERAL_NAME_dup(WOLFSSL_GENERAL_NAME* gn) dupl->d.ia5 = NULL; switch (gn->type) { /* WOLFSSL_ASN1_STRING types */ - case GEN_DNS: + case WOLFSSL_GEN_DNS: if (!(dupl->d.dNSName = wolfSSL_ASN1_STRING_dup(gn->d.dNSName))) { WOLFSSL_MSG("wolfSSL_ASN1_STRING_dup error"); goto error; } break; - case GEN_IPADD: + case WOLFSSL_GEN_IPADD: if (!(dupl->d.iPAddress = wolfSSL_ASN1_STRING_dup(gn->d.iPAddress))) { WOLFSSL_MSG("wolfSSL_ASN1_STRING_dup error"); goto error; } break; - case GEN_EMAIL: + case WOLFSSL_GEN_EMAIL: if (!(dupl->d.rfc822Name = wolfSSL_ASN1_STRING_dup(gn->d.rfc822Name))) { WOLFSSL_MSG("wolfSSL_ASN1_STRING_dup error"); goto error; } break; - case GEN_URI: + case WOLFSSL_GEN_URI: if (!(dupl->d.uniformResourceIdentifier = wolfSSL_ASN1_STRING_dup(gn->d.uniformResourceIdentifier))) { WOLFSSL_MSG("wolfSSL_ASN1_STRING_dup error"); goto error; } break; - case GEN_OTHERNAME: - if (gn->d.otherName->value->type != V_ASN1_UTF8STRING) { + case WOLFSSL_GEN_OTHERNAME: + if (gn->d.otherName->value->type != WOLFSSL_V_ASN1_UTF8STRING) { WOLFSSL_MSG("Unsupported othername value type"); goto error; } @@ -4419,10 +4496,10 @@ WOLFSSL_GENERAL_NAME* wolfSSL_GENERAL_NAME_dup(WOLFSSL_GENERAL_NAME* gn) goto error; } break; - case GEN_X400: - case GEN_DIRNAME: - case GEN_EDIPARTY: - case GEN_RID: + case WOLFSSL_GEN_X400: + case WOLFSSL_GEN_DIRNAME: + case WOLFSSL_GEN_EDIPARTY: + case WOLFSSL_GEN_RID: default: WOLFSSL_MSG("Unrecognized or unsupported GENERAL_NAME type"); goto error; @@ -4431,9 +4508,7 @@ WOLFSSL_GENERAL_NAME* wolfSSL_GENERAL_NAME_dup(WOLFSSL_GENERAL_NAME* gn) return dupl; error: - if (dupl) { - wolfSSL_GENERAL_NAME_free(dupl); - } + wolfSSL_GENERAL_NAME_free(dupl); return NULL; } @@ -4446,7 +4521,7 @@ WOLFSSL_GENERAL_NAME* wolfSSL_GENERAL_NAME_dup(WOLFSSL_GENERAL_NAME* gn) * WOLFSSL_SUCCESS otherwise. */ int wolfSSL_GENERAL_NAME_set0_othername(WOLFSSL_GENERAL_NAME* gen, - ASN1_OBJECT* oid, ASN1_TYPE* value) + WOLFSSL_ASN1_OBJECT* oid, WOLFSSL_ASN1_TYPE* value) { WOLFSSL_ASN1_OBJECT *x = NULL; @@ -4460,7 +4535,7 @@ int wolfSSL_GENERAL_NAME_set0_othername(WOLFSSL_GENERAL_NAME* gen, return WOLFSSL_FAILURE; } - gen->type = GEN_OTHERNAME; + gen->type = WOLFSSL_GEN_OTHERNAME; gen->d.otherName->type_id = x; gen->d.otherName->value = value; return WOLFSSL_SUCCESS; @@ -4742,35 +4817,35 @@ static void wolfSSL_GENERAL_NAME_type_free(WOLFSSL_GENERAL_NAME* name) { if (name != NULL) { switch (name->type) { - case GEN_IA5: + case WOLFSSL_GEN_IA5: wolfSSL_ASN1_STRING_free(name->d.ia5); name->d.ia5 = NULL; break; - case GEN_EMAIL: + case WOLFSSL_GEN_EMAIL: wolfSSL_ASN1_STRING_free(name->d.rfc822Name); name->d.rfc822Name = NULL; break; - case GEN_DNS: + case WOLFSSL_GEN_DNS: wolfSSL_ASN1_STRING_free(name->d.dNSName); name->d.dNSName = NULL; break; - case GEN_DIRNAME: + case WOLFSSL_GEN_DIRNAME: wolfSSL_X509_NAME_free(name->d.dirn); name->d.dirn = NULL; break; - case GEN_URI: + case WOLFSSL_GEN_URI: wolfSSL_ASN1_STRING_free(name->d.uniformResourceIdentifier); name->d.uniformResourceIdentifier = NULL; break; - case GEN_IPADD: + case WOLFSSL_GEN_IPADD: wolfSSL_ASN1_STRING_free(name->d.iPAddress); name->d.iPAddress = NULL; break; - case GEN_RID: + case WOLFSSL_GEN_RID: wolfSSL_ASN1_OBJECT_free(name->d.registeredID); name->d.registeredID = NULL; break; - case GEN_OTHERNAME: + case WOLFSSL_GEN_OTHERNAME: if (name->d.otherName != NULL) { wolfSSL_ASN1_OBJECT_free(name->d.otherName->type_id); wolfSSL_ASN1_TYPE_free(name->d.otherName->value); @@ -4778,9 +4853,9 @@ static void wolfSSL_GENERAL_NAME_type_free(WOLFSSL_GENERAL_NAME* name) name->d.otherName = NULL; } break; - case GEN_X400: + case WOLFSSL_GEN_X400: /* Unsupported: fall through */ - case GEN_EDIPARTY: + case WOLFSSL_GEN_EDIPARTY: /* Unsupported: fall through */ default: WOLFSSL_MSG("wolfSSL_GENERAL_NAME_type_free: possible leak"); @@ -4801,13 +4876,13 @@ int wolfSSL_GENERAL_NAME_set_type(WOLFSSL_GENERAL_NAME* name, int typ) name->type = typ; switch (typ) { - case GEN_URI: + case WOLFSSL_GEN_URI: name->d.uniformResourceIdentifier = wolfSSL_ASN1_STRING_new(); if (name->d.uniformResourceIdentifier == NULL) ret = MEMORY_E; break; default: - name->type = GEN_IA5; + name->type = WOLFSSL_GEN_IA5; name->d.ia5 = wolfSSL_ASN1_STRING_new(); if (name->d.ia5 == NULL) ret = MEMORY_E; @@ -4842,16 +4917,15 @@ void wolfSSL_GENERAL_NAME_set0_value(WOLFSSL_GENERAL_NAME *a, int type, return; } - if (type != GEN_DNS) { - WOLFSSL_MSG("Only GEN_DNS is supported"); + if (type != WOLFSSL_GEN_DNS) { + WOLFSSL_MSG("Only WOLFSSL_GEN_DNS is supported"); return; } wolfSSL_GENERAL_NAME_type_free(a); a->type = type; - if (type == GEN_DNS) { - a->d.dNSName = val; - } + /* Only when WOLFSSL_GEN_DNS. */ + a->d.dNSName = val; } /* Frees GENERAL_NAME objects. @@ -5011,6 +5085,7 @@ int wolfSSL_GENERAL_NAME_print(WOLFSSL_BIO* out, WOLFSSL_GENERAL_NAME* gen) case GEN_RID: ret = wolfSSL_BIO_printf(out, "Registered ID:"); + ret = (ret > 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; if (ret == WOLFSSL_SUCCESS) { ret = wolfSSL_i2a_ASN1_OBJECT(out, gen->d.registeredID); } @@ -5070,7 +5145,8 @@ void wolfSSL_sk_X509_EXTENSION_free(WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk) #endif /* OPENSSL_EXTRA */ -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) +#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && \ + !defined(NO_STDIO_FILESYSTEM) WOLFSSL_X509* wolfSSL_X509_d2i_fp(WOLFSSL_X509** x509, XFILE file) { @@ -5140,12 +5216,12 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) if (file == XBADFILE) return NULL; - if (XFSEEK(file, 0, XSEEK_END) != 0){ + if (XFSEEK(file, 0, XSEEK_END) != 0) { XFCLOSE(file); return NULL; } sz = XFTELL(file); - if (XFSEEK(file, 0, XSEEK_SET) != 0){ + if (XFSEEK(file, 0, XSEEK_SET) != 0) { XFCLOSE(file); return NULL; } @@ -5279,7 +5355,8 @@ WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer( } #endif -#endif /* KEEP_PEER_CERT || SESSION_CERTS */ +#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_PEER_CERT || \ + SESSION_CERTS */ #if defined(OPENSSL_EXTRA_X509_SMALL) || defined(KEEP_PEER_CERT) || \ defined(SESSION_CERTS) @@ -5358,11 +5435,6 @@ static WOLFSSL_X509_NAME_ENTRY* GetEntryByNID(WOLFSSL_X509_NAME* name, int nid, int i; WOLFSSL_X509_NAME_ENTRY* ret = NULL; - /* and index of less than 0 is assumed to be starting from 0 */ - if (*idx < 0) { - *idx = 0; - } - for (i = *idx; i < MAX_NAME_ENTRIES; i++) { if (name->entry[i].nid == nid) { ret = &name->entry[i]; @@ -5424,14 +5496,15 @@ int wolfSSL_X509_NAME_get_text_by_NID(WOLFSSL_X509_NAME* name, WOLFSSL_MSG("Buffer is NULL, returning buffer size only"); return textSz; } + if (len <= 0) { + return 0; + } - /* buf is not NULL from above */ - if (text != NULL) { - textSz = (int)min((word32)textSz + 1, (word32)len); /* + 1 to account for null char */ - if (textSz > 0) { - XMEMCPY(buf, text, textSz - 1); - buf[textSz - 1] = '\0'; - } + /* + 1 to account for null char */ + textSz = (int)min((word32)textSz + 1, (word32)len); + if (textSz > 0) { + XMEMCPY(buf, text, textSz - 1); + buf[textSz - 1] = '\0'; } WOLFSSL_LEAVE("wolfSSL_X509_NAME_get_text_by_NID", textSz); @@ -5454,13 +5527,13 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509) key = wolfSSL_EVP_PKEY_new_ex(x509->heap); if (key != NULL) { if (x509->pubKeyOID == RSAk) { - key->type = EVP_PKEY_RSA; + key->type = WC_EVP_PKEY_RSA; } else if (x509->pubKeyOID == DSAk) { - key->type = EVP_PKEY_DSA; + key->type = WC_EVP_PKEY_DSA; } else { - key->type = EVP_PKEY_EC; + key->type = WC_EVP_PKEY_EC; } key->save_type = 0; key->pkey.ptr = (char*)XMALLOC( @@ -5479,7 +5552,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509) /* decode RSA key */ #ifndef NO_RSA - if (key->type == EVP_PKEY_RSA) { + if (key->type == WC_EVP_PKEY_RSA) { key->ownRsa = 1; key->rsa = wolfSSL_RSA_new(); if (key->rsa == NULL) { @@ -5498,7 +5571,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509) /* decode ECC key */ #if defined(HAVE_ECC) && defined(OPENSSL_EXTRA) - if (key->type == EVP_PKEY_EC) { + if (key->type == WC_EVP_PKEY_EC) { word32 idx = 0; key->ownEcc = 1; @@ -5531,7 +5604,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509) #endif /* HAVE_ECC && OPENSSL_EXTRA */ #ifndef NO_DSA - if (key->type == EVP_PKEY_DSA) { + if (key->type == WC_EVP_PKEY_DSA) { key->ownDsa = 1; key->dsa = wolfSSL_DSA_new(); if (key->dsa == NULL) { @@ -5559,7 +5632,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509) * size of this subset and its memory usage */ #endif /* OPENSSL_EXTRA_X509_SMALL || KEEP_PEER_CERT || SESSION_CERTS */ -#if defined(OPENSSL_ALL) +#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) /* * Converts a and b to DER and then does an XMEMCMP to check if they match. * Returns 0 when certificates match and WOLFSSL_FATAL_ERROR when they don't. @@ -5571,17 +5644,17 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) int outSzA = 0; int outSzB = 0; - if (a == NULL || b == NULL){ + if (a == NULL || b == NULL) { return BAD_FUNC_ARG; } derA = wolfSSL_X509_get_der((WOLFSSL_X509*)a, &outSzA); - if (derA == NULL){ + if (derA == NULL) { WOLFSSL_MSG("wolfSSL_X509_get_der - certificate A has failed"); return WOLFSSL_FATAL_ERROR; } derB = wolfSSL_X509_get_der((WOLFSSL_X509*)b, &outSzB); - if (derB == NULL){ + if (derB == NULL) { WOLFSSL_MSG("wolfSSL_X509_get_der - certificate B has failed"); return WOLFSSL_FATAL_ERROR; } @@ -5606,18 +5679,26 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) if (x509 != NULL) { switch (nid) { - case NID_basic_constraints: isSet = x509->basicConstSet; break; - case NID_subject_alt_name: isSet = x509->subjAltNameSet; break; - case NID_authority_key_identifier: isSet = x509->authKeyIdSet; break; - case NID_subject_key_identifier: isSet = x509->subjKeyIdSet; break; - case NID_key_usage: isSet = x509->keyUsageSet; break; - case NID_crl_distribution_points: isSet = x509->CRLdistSet; break; - case NID_ext_key_usage: isSet = ((x509->extKeyUsageSrc) ? 1 : 0); - break; - case NID_info_access: isSet = x509->authInfoSet; break; - #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) - case NID_certificate_policies: isSet = x509->certPolicySet; break; - #endif /* WOLFSSL_SEP || WOLFSSL_QT */ + case WC_NID_basic_constraints: + isSet = x509->basicConstSet; break; + case WC_NID_subject_alt_name: + isSet = x509->subjAltNameSet; break; + case WC_NID_authority_key_identifier: + isSet = x509->authKeyIdSet; break; + case WC_NID_subject_key_identifier: + isSet = x509->subjKeyIdSet; break; + case WC_NID_key_usage: + isSet = x509->keyUsageSet; break; + case WC_NID_crl_distribution_points: + isSet = x509->CRLdistSet; break; + case WC_NID_ext_key_usage: + isSet = ((x509->extKeyUsageSrc) ? 1 : 0); break; + case WC_NID_info_access: + isSet = x509->authInfoSet; break; + #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) + case WC_NID_certificate_policies: + isSet = x509->certPolicySet; break; + #endif /* WOLFSSL_SEP || WOLFSSL_QT */ default: WOLFSSL_MSG("NID not in table"); } @@ -5637,15 +5718,23 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) if (x509 != NULL) { switch (nid) { - case NID_basic_constraints: crit = x509->basicConstCrit; break; - case NID_subject_alt_name: crit = x509->subjAltNameCrit; break; - case NID_authority_key_identifier: crit = x509->authKeyIdCrit; break; - case NID_subject_key_identifier: crit = x509->subjKeyIdCrit; break; - case NID_key_usage: crit = x509->keyUsageCrit; break; - case NID_crl_distribution_points: crit= x509->CRLdistCrit; break; - case NID_ext_key_usage: crit= x509->extKeyUsageCrit; break; + case WC_NID_basic_constraints: + crit = x509->basicConstCrit; break; + case WC_NID_subject_alt_name: + crit = x509->subjAltNameCrit; break; + case WC_NID_authority_key_identifier: + crit = x509->authKeyIdCrit; break; + case WC_NID_subject_key_identifier: + crit = x509->subjKeyIdCrit; break; + case WC_NID_key_usage: + crit = x509->keyUsageCrit; break; + case WC_NID_crl_distribution_points: + crit= x509->CRLdistCrit; break; + case WC_NID_ext_key_usage: + crit= x509->extKeyUsageCrit; break; #ifdef WOLFSSL_SEP - case NID_certificate_policies: crit = x509->certPolicyCrit; break; + case WC_NID_certificate_policies: + crit = x509->certPolicyCrit; break; #endif /* WOLFSSL_SEP */ } } @@ -5768,7 +5857,6 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) if (x509->subjKeyIdStr != NULL) { if (wolfSSL_ASN1_STRING_set(x509->subjKeyIdStr, x509->subjKeyId, x509->subjKeyIdSz) == 1) { - ret = x509->subjKeyIdStr; } else { wolfSSL_ASN1_STRING_free(x509->subjKeyIdStr); @@ -5776,9 +5864,7 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) } } } - else { - ret = x509->subjKeyIdStr; - } + ret = x509->subjKeyIdStr; } WOLFSSL_LEAVE("wolfSSL_X509_get0_subject_key_id", ret != NULL); @@ -5926,8 +6012,8 @@ static int X509PrintDirType(char * dst, int max_len, const DNS_entry * entry) /* Copy it in, decrement available space. */ XSTRNCPY(dst, pfx, bytes_left); dst += XSTRLEN(pfx); - total_len += XSTRLEN(pfx); - bytes_left -= XSTRLEN(pfx); + total_len += (int)XSTRLEN(pfx); + bytes_left -= (int)XSTRLEN(pfx); if (fld_len > bytes_left) { /* Not enough space left. */ @@ -6534,11 +6620,11 @@ static int X509PrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) } nid = wolfSSL_OBJ_obj2nid(obj); switch (nid) { - case NID_subject_alt_name: + case WC_NID_subject_alt_name: ret = X509PrintSubjAltName(bio, x509, indent + 8); break; - case NID_subject_key_identifier: + case WC_NID_subject_key_identifier: if (!x509->subjKeyIdSet || x509->subjKeyId == NULL || x509->subjKeyIdSz == 0) { @@ -6583,7 +6669,7 @@ static int X509PrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) } break; - case NID_authority_key_identifier: + case WC_NID_authority_key_identifier: if (!x509->authKeyIdSet || x509->authKeyId == NULL || x509->authKeyIdSz == 0) { ret = WOLFSSL_FAILURE; @@ -6632,7 +6718,7 @@ static int X509PrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) } break; - case NID_basic_constraints: + case WC_NID_basic_constraints: if (!x509->basicConstSet) { ret = WOLFSSL_FAILURE; break; @@ -6653,11 +6739,11 @@ static int X509PrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) } break; - case NID_key_usage: + case WC_NID_key_usage: ret = X509PrintKeyUsage(bio, x509, indent + 8); break; - case NID_ext_key_usage: + case WC_NID_ext_key_usage: ret = X509PrintExtendedKeyUsage(bio, x509, indent + 8); break; @@ -6882,7 +6968,8 @@ static int X509PrintPubKey(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) if (bio == NULL || x509 == NULL) return BAD_FUNC_ARG; - len = XSNPRINTF(scratch, MAX_WIDTH, "%*sSubject Public Key Info:\n", indent, ""); + len = XSNPRINTF(scratch, MAX_WIDTH, "%*sSubject Public Key Info:\n", indent, + ""); if (len >= MAX_WIDTH) return WOLFSSL_FAILURE; if (wolfSSL_BIO_write(bio, scratch, len) <= 0) @@ -7067,8 +7154,10 @@ int wolfSSL_X509_REQ_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509) return WOLFSSL_FAILURE; } - /* print version of cert */ - if (X509PrintVersion(bio, wolfSSL_X509_version(x509), 8) + /* print version of cert. Note that we increment by 1 because for REQs, + * the value stored in x509->version is the actual value of the field; not + * the version. */ + if (X509PrintVersion(bio, (int)wolfSSL_X509_REQ_get_version(x509) + 1, 8) != WOLFSSL_SUCCESS) { return WOLFSSL_FAILURE; } @@ -7423,7 +7512,7 @@ int wolfSSL_X509_print_fp(XFILE fp, WOLFSSL_X509 *x509) return WOLFSSL_FAILURE; } - if (wolfSSL_BIO_set_fp(bio, fp, BIO_NOCLOSE) != WOLFSSL_SUCCESS) { + if (wolfSSL_BIO_set_fp(bio, fp, WOLFSSL_BIO_NOCLOSE) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("wolfSSL_BIO_set_fp error"); wolfSSL_BIO_free(bio); return WOLFSSL_FAILURE; @@ -7536,7 +7625,6 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup, byte* pem = NULL; byte* curr = NULL; byte* prev = NULL; - WOLFSSL_X509* x509; const char* header = NULL; const char* footer = NULL; @@ -7547,12 +7635,12 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup, if (fp == XBADFILE) return WS_RETURN_CODE(BAD_FUNC_ARG, (int)WOLFSSL_FAILURE); - if(XFSEEK(fp, 0, XSEEK_END) != 0) { + if (XFSEEK(fp, 0, XSEEK_END) != 0) { XFCLOSE(fp); return WS_RETURN_CODE(WOLFSSL_BAD_FILE,WOLFSSL_FAILURE); } sz = XFTELL(fp); - if(XFSEEK(fp, 0, XSEEK_SET) != 0) { + if (XFSEEK(fp, 0, XSEEK_SET) != 0) { XFCLOSE(fp); return WS_RETURN_CODE(WOLFSSL_BAD_FILE,WOLFSSL_FAILURE); } @@ -7597,12 +7685,8 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup, } else if (wc_PemGetHeaderFooter(CERT_TYPE, &header, &footer) == 0 && XSTRNSTR((char*)curr, header, (unsigned int)sz) != NULL) { - x509 = wolfSSL_X509_load_certificate_buffer(curr, (int)sz, - WOLFSSL_FILETYPE_PEM); - if (x509 == NULL) - goto end; - ret = wolfSSL_X509_STORE_add_cert(lookup->store, x509); - wolfSSL_X509_free(x509); + ret = X509StoreLoadCertBuffer(lookup->store, curr, + (word32)sz, WOLFSSL_FILETYPE_PEM); if (ret != WOLFSSL_SUCCESS) goto end; curr = (byte*)XSTRNSTR((char*)curr, footer, (unsigned int)sz); @@ -7841,7 +7925,8 @@ static int wolfssl_x509_make_der(WOLFSSL_X509* x509, int req, * * returns WOLFSSL_SUCCESS on success */ -static int loadX509orX509REQFromBio(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int req) +static int loadX509orX509REQFromBio(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, + int req) { int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); /* Get large buffer to hold cert der */ @@ -8018,7 +8103,7 @@ static WOLFSSL_X509* d2i_X509orX509REQ_bio(WOLFSSL_BIO* bio, size = wolfSSL_BIO_get_len(bio); if (size <= 0) { WOLFSSL_MSG("wolfSSL_BIO_get_len error. Possibly no pending data."); - WOLFSSL_ERROR(ASN1_R_HEADER_TOO_LONG); + WOLFSSL_ERROR(WOLFSSL_ASN1_R_HEADER_TOO_LONG_E); return NULL; } @@ -8076,7 +8161,8 @@ WOLFSSL_X509* wolfSSL_d2i_X509_REQ_bio(WOLFSSL_BIO* bio, WOLFSSL_X509** x509) /* Use the public key to verify the signature. Note: this only verifies * the certificate signature. * returns WOLFSSL_SUCCESS on successful signature verification */ -static int verifyX509orX509REQ(WOLFSSL_X509* x509, WOLFSSL_EVP_PKEY* pkey, int req) +static int verifyX509orX509REQ(WOLFSSL_X509* x509, WOLFSSL_EVP_PKEY* pkey, + int req) { int ret; const byte* der; @@ -8096,15 +8182,15 @@ static int verifyX509orX509REQ(WOLFSSL_X509* x509, WOLFSSL_EVP_PKEY* pkey, int r } switch (pkey->type) { - case EVP_PKEY_RSA: + case WC_EVP_PKEY_RSA: type = RSAk; break; - case EVP_PKEY_EC: + case WC_EVP_PKEY_EC: type = ECDSAk; break; - case EVP_PKEY_DSA: + case WC_EVP_PKEY_DSA: type = DSAk; break; @@ -8193,7 +8279,8 @@ static void *wolfSSL_d2i_X509_fp_ex(XFILE file, void **x509, int type) if ((newx509 = wc_PKCS12_new()) == NULL) { goto err_exit; } - if (wc_d2i_PKCS12(fileBuffer, (word32)sz, (WC_PKCS12*)newx509) < 0) { + if (wc_d2i_PKCS12(fileBuffer, (word32)sz, + (WC_PKCS12*)newx509) < 0) { goto err_exit; } } @@ -8265,16 +8352,19 @@ WOLFSSL_API int wolfSSL_X509_load_cert_crl_file(WOLFSSL_X509_LOOKUP *ctx, if (wolfSSL_X509_STORE_add_cert(ctx->store, x509) == WOLFSSL_SUCCESS) { cnt++; - } else { + } + else { WOLFSSL_MSG("wolfSSL_X509_STORE_add_cert error"); } wolfSSL_X509_free(x509); x509 = NULL; - } else { + } + else { WOLFSSL_MSG("wolfSSL_X509_load_certificate_file error"); } - } else { + } + else { #if defined(OPENSSL_ALL) #if !defined(NO_BIO) STACK_OF(WOLFSSL_X509_INFO) *info; @@ -8282,7 +8372,7 @@ WOLFSSL_API int wolfSSL_X509_load_cert_crl_file(WOLFSSL_X509_LOOKUP *ctx, int i; int num = 0; WOLFSSL_BIO *bio = wolfSSL_BIO_new_file(file, "rb"); - if(!bio) { + if (!bio) { WOLFSSL_MSG("wolfSSL_BIO_new error"); return cnt; } @@ -8300,19 +8390,21 @@ WOLFSSL_API int wolfSSL_X509_load_cert_crl_file(WOLFSSL_X509_LOOKUP *ctx, info_tmp = wolfSSL_sk_X509_INFO_value(info, i); if (info_tmp->x509) { - if(wolfSSL_X509_STORE_add_cert(ctx->store, info_tmp->x509) == + if (wolfSSL_X509_STORE_add_cert(ctx->store, info_tmp->x509) == WOLFSSL_SUCCESS) { cnt ++; - } else { + } + else { WOLFSSL_MSG("wolfSSL_X509_STORE_add_cert failed"); } } #ifdef HAVE_CRL if (info_tmp->crl) { - if(wolfSSL_X509_STORE_add_crl(ctx->store, info_tmp->crl) == + if (wolfSSL_X509_STORE_add_crl(ctx->store, info_tmp->crl) == WOLFSSL_SUCCESS) { cnt ++; - } else { + } + else { WOLFSSL_MSG("wolfSSL_X509_STORE_add_crl failed"); } } @@ -8405,7 +8497,8 @@ WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_bio(WOLFSSL_BIO *bp, WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE fp, WOLFSSL_X509_CRL **crl) { WOLFSSL_ENTER("wolfSSL_d2i_X509_CRL_fp"); - return (WOLFSSL_X509_CRL *)wolfSSL_d2i_X509_fp_ex(fp, (void **)crl, CRL_TYPE); + return (WOLFSSL_X509_CRL *)wolfSSL_d2i_X509_fp_ex(fp, (void **)crl, + CRL_TYPE); } /* Read CRL file, and add it to store and corresponding cert manager */ @@ -8466,15 +8559,18 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, crl = wolfSSL_d2i_X509_CRL_bio(bio, NULL); if (crl == NULL) { WOLFSSL_MSG("Load crl failed"); - } else { + } + else { ret = wolfSSL_X509_STORE_add_crl(ctx->store, crl); if (ret == WC_NO_ERR_TRACE(WOLFSSL_FAILURE)) { WOLFSSL_MSG("Adding crl failed"); - } else { + } + else { ret = 1;/* handled a file */ } } - } else { + } + else { WOLFSSL_MSG("Invalid file type"); } @@ -8559,21 +8655,25 @@ WOLFSSL_X509_CRL* wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL** crl, if (in == NULL) { WOLFSSL_MSG("Bad argument value"); - } else { + } + else { newcrl =(WOLFSSL_X509_CRL*)XMALLOC(sizeof(WOLFSSL_X509_CRL), NULL, DYNAMIC_TYPE_CRL); - if (newcrl == NULL){ + if (newcrl == NULL) { WOLFSSL_MSG("New CRL allocation failed"); - } else { + } + else { ret = InitCRL(newcrl, NULL); if (ret < 0) { WOLFSSL_MSG("Init tmp CRL failed"); - } else { + } + else { ret = BufferLoadCRL(newcrl, in, len, WOLFSSL_FILETYPE_ASN1, NO_VERIFY); if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Buffer Load CRL failed"); - } else { + } + else { if (crl) { *crl = newcrl; } @@ -8582,7 +8682,7 @@ WOLFSSL_X509_CRL* wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL** crl, } } - if((ret != WOLFSSL_SUCCESS) && (newcrl != NULL)) { + if ((ret != WOLFSSL_SUCCESS) && (newcrl != NULL)) { wolfSSL_X509_CRL_free(newcrl); newcrl = NULL; } @@ -8650,8 +8750,15 @@ int wolfSSL_X509_CRL_get_signature(WOLFSSL_X509_CRL* crl, crl->crlList->signature == NULL || bufSz == NULL) return BAD_FUNC_ARG; - if (buf != NULL) - XMEMCPY(buf, crl->crlList->signature, *bufSz); + if (buf != NULL) { + if (*bufSz < (int)crl->crlList->signatureSz) { + WOLFSSL_MSG("Signature buffer too small"); + return BUFFER_E; + } + else { + XMEMCPY(buf, crl->crlList->signature, crl->crlList->signatureSz); + } + } *bufSz = (int)crl->crlList->signatureSz; return WOLFSSL_SUCCESS; @@ -8836,8 +8943,8 @@ static int X509CRLPrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, } tmp[0] = '\0'; } - if (XSNPRINTF(val, (size_t)valSz, ":%02X", crl->crlList->extAuthKeyId[i]) - >= valSz) + if (XSNPRINTF(val, (size_t)valSz, ":%02X", + crl->crlList->extAuthKeyId[i]) >= valSz) { WOLFSSL_MSG("buffer overrun"); return WOLFSSL_FAILURE; @@ -9200,10 +9307,16 @@ static const WOLFSSL_X509_VERIFY_PARAM x509_verify_param_builtins[] = { } }; -const WOLFSSL_X509_VERIFY_PARAM *wolfSSL_X509_VERIFY_PARAM_lookup(const char *name) +const WOLFSSL_X509_VERIFY_PARAM *wolfSSL_X509_VERIFY_PARAM_lookup( + const char *name) { const WOLFSSL_X509_VERIFY_PARAM *param = &x509_verify_param_builtins[0], - *param_end = &x509_verify_param_builtins[XELEM_CNT(x509_verify_param_builtins)]; + *param_end = &x509_verify_param_builtins[ + XELEM_CNT(x509_verify_param_builtins)]; + + if (name == NULL) { + return NULL; + } while (param < param_end) { if (XSTRCMP(name, param->name) == 0) return param; @@ -9408,6 +9521,10 @@ int wolfSSL_X509_VERIFY_PARAM_set1_ip(WOLFSSL_X509_VERIFY_PARAM* param, WOLFSSL_MSG("bad function arg"); return ret; } + if (ip == NULL && iplen != 0) { + WOLFSSL_MSG("bad function arg"); + return ret; + } #ifndef NO_FILESYSTEM if (iplen == 4) { /* ipv4 www.xxx.yyy.zzz max 15 length + Null termination */ @@ -9454,7 +9571,7 @@ int wolfSSL_X509_VERIFY_PARAM_set1_ip(WOLFSSL_X509_VERIFY_PARAM* param, p = buf; for (i = 0; i < 16; i += 2) { val = (((word32)(ip[i]<<8)) | (ip[i+1])) & 0xFFFF; - if (val == 0){ + if (val == 0) { if (!write_zero) { *p = ':'; } @@ -9524,7 +9641,8 @@ int wolfSSL_X509_cmp_current_time(const WOLFSSL_ASN1_TIME* asnTime) return wolfSSL_X509_cmp_time(asnTime, NULL); } -/* return WOLFSSL_FATAL_ERROR if asnTime is earlier than or equal to cmpTime, and 1 otherwise +/* return WOLFSSL_FATAL_ERROR if asnTime is earlier than or equal to cmpTime, + * and 1 otherwise * return 0 on error */ int wolfSSL_X509_cmp_time(const WOLFSSL_ASN1_TIME* asnTime, time_t* cmpTime) @@ -9609,7 +9727,7 @@ WOLFSSL_X509_REVOKED* wolfSSL_X509_CRL_get_REVOKED(WOLFSSL_X509_CRL* crl) { (void)crl; WOLFSSL_STUB("X509_CRL_get_REVOKED"); - return 0; + return NULL; } #endif @@ -9620,7 +9738,7 @@ WOLFSSL_X509_REVOKED* wolfSSL_sk_X509_REVOKED_value( (void)revoked; (void)value; WOLFSSL_STUB("sk_X509_REVOKED_value"); - return 0; + return NULL; } #endif @@ -9658,7 +9776,8 @@ WOLFSSL_ASN1_INTEGER* wolfSSL_X509_get_serialNumber(WOLFSSL_X509* x509) } a->dataMax = (unsigned int)x509->serialSz + 2; a->isDynamic = 1; - } else { + } + else { /* Use array instead of dynamic memory */ a->data = a->intData; a->dataMax = WOLFSSL_ASN1_INTEGER_MAX; @@ -9738,8 +9857,8 @@ void wolfSSL_X509_ALGOR_get0(const WOLFSSL_ASN1_OBJECT **paobj, int *pptype, *pptype = algor->parameter->type; } else { - /* Default to V_ASN1_OBJECT */ - *pptype = V_ASN1_OBJECT; + /* Default to WOLFSSL_V_ASN1_OBJECT */ + *pptype = WOLFSSL_V_ASN1_OBJECT; } } } @@ -9754,8 +9873,8 @@ void wolfSSL_X509_ALGOR_get0(const WOLFSSL_ASN1_OBJECT **paobj, int *pptype, * @return WOLFSSL_SUCCESS on success * WOLFSSL_FAILURE on missing parameters or bad malloc */ -int wolfSSL_X509_ALGOR_set0(WOLFSSL_X509_ALGOR *algor, WOLFSSL_ASN1_OBJECT *aobj, - int ptype, void *pval) +int wolfSSL_X509_ALGOR_set0(WOLFSSL_X509_ALGOR *algor, + WOLFSSL_ASN1_OBJECT *aobj, int ptype, void *pval) { if (!algor) { return WOLFSSL_FAILURE; @@ -10011,14 +10130,14 @@ int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key) switch (key->type) { #ifndef NO_RSA - case EVP_PKEY_RSA: + case WC_EVP_PKEY_RSA: pval = NULL; - ptype = V_ASN1_NULL; + ptype = WOLFSSL_V_ASN1_NULL; pk->pubKeyOID = RSAk; break; #endif #ifndef NO_DSA - case EVP_PKEY_DSA: + case WC_EVP_PKEY_DSA: if (!key->dsa->p || !key->dsa->q || !key->dsa->g) goto error; @@ -10035,12 +10154,12 @@ int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key) str->isDynamic = 1; pval = str; - ptype = V_ASN1_SEQUENCE; + ptype = WOLFSSL_V_ASN1_SEQUENCE; pk->pubKeyOID = DSAk; break; #endif #ifdef HAVE_ECC - case EVP_PKEY_EC: + case WC_EVP_PKEY_EC: group = wolfSSL_EC_KEY_get0_group(key->ecc); if (!group) goto error; @@ -10056,7 +10175,7 @@ int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key) if (!pval) goto error; - ptype = V_ASN1_OBJECT; + ptype = WOLFSSL_V_ASN1_OBJECT; pk->pubKeyOID = ECDSAk; break; #endif @@ -10067,7 +10186,7 @@ int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key) keyTypeObj = wolfSSL_OBJ_nid2obj(key->type); if (keyTypeObj == NULL) { - if (ptype == V_ASN1_OBJECT) + if (ptype == WOLFSSL_V_ASN1_OBJECT) ASN1_OBJECT_free((WOLFSSL_ASN1_OBJECT *)pval); else ASN1_STRING_free((WOLFSSL_ASN1_STRING *)pval); @@ -10076,7 +10195,7 @@ int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key) if (!wolfSSL_X509_ALGOR_set0(pk->algor, keyTypeObj, ptype, pval)) { WOLFSSL_MSG("Failed to create algorithm object"); ASN1_OBJECT_free(keyTypeObj); - if (ptype == V_ASN1_OBJECT) + if (ptype == WOLFSSL_V_ASN1_OBJECT) ASN1_OBJECT_free((WOLFSSL_ASN1_OBJECT *)pval); else ASN1_STRING_free((WOLFSSL_ASN1_STRING *)pval); @@ -10099,11 +10218,13 @@ int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key) return WOLFSSL_FAILURE; } -#endif /* OPENSSL_ALL || WOLFSSL_APACHE_HTTPD || WOLFSSL_HAPROXY || WOLFSSL_WPAS */ +#endif /* OPENSSL_ALL || WOLFSSL_APACHE_HTTPD || WOLFSSL_HAPROXY || + * WOLFSSL_WPAS */ #if !defined(NO_CERTS) && !defined(NO_ASN) && !defined(NO_PWDBASED) -int wolfSSL_i2d_X509_PUBKEY(WOLFSSL_X509_PUBKEY* x509_PubKey, unsigned char** der) +int wolfSSL_i2d_X509_PUBKEY(WOLFSSL_X509_PUBKEY* x509_PubKey, + unsigned char** der) { if (x509_PubKey == NULL) return WOLFSSL_FATAL_ERROR; @@ -10159,7 +10280,7 @@ WOLFSSL_AUTHORITY_KEYID* wolfSSL_AUTHORITY_KEYID_new(void) void wolfSSL_AUTHORITY_KEYID_free(WOLFSSL_AUTHORITY_KEYID *id) { WOLFSSL_ENTER("wolfSSL_AUTHORITY_KEYID_free"); - if(id == NULL) { + if (id == NULL) { WOLFSSL_MSG("Argument is NULL"); return; } @@ -10277,7 +10398,8 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref( #ifdef WOLFSSL_CERT_GEN -#if defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) +#if defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \ + defined(OPENSSL_EXTRA) /* Helper function to copy cert name from a WOLFSSL_X509_NAME structure to * a Cert structure. * @@ -10352,7 +10474,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref( #if defined(OPENSSL_ALL) idx = wolfSSL_X509_REQ_get_attr_by_NID(req, - NID_pkcs9_unstructuredName, -1); + WC_NID_pkcs9_unstructuredName, -1); if (idx != WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)) { WOLFSSL_X509_ATTRIBUTE *attr; attr = wolfSSL_X509_REQ_get_attr(req, idx); @@ -10410,221 +10532,221 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref( } #endif /* WOLFSSL_CERT_REQ */ - /* converts WOLFSSL_AN1_TIME to Cert form, returns positive size on - * success */ - static int CertDateFromX509(byte* out, int outSz, WOLFSSL_ASN1_TIME* t) - { - int sz, i; +/* converts WOLFSSL_AN1_TIME to Cert form, returns positive size on + * success */ +static int CertDateFromX509(byte* out, int outSz, WOLFSSL_ASN1_TIME* t) +{ + int sz, i; - if (t->length + 1 >= outSz) { - return BUFFER_E; - } + if (t->length + 1 >= outSz) { + return BUFFER_E; + } - out[0] = (byte) t->type; - sz = (int)SetLength((word32)t->length, out + 1) + 1; /* gen tag */ - for (i = 0; i < t->length; i++) { - out[sz + i] = t->data[i]; - } - return t->length + sz; + out[0] = (byte) t->type; + sz = (int)SetLength((word32)t->length, out + 1) + 1; /* gen tag */ + for (i = 0; i < t->length; i++) { + out[sz + i] = t->data[i]; } + return t->length + sz; +} - /* convert a WOLFSSL_X509 to a Cert structure for writing out */ - static int CertFromX509(Cert* cert, WOLFSSL_X509* x509) - { - int ret; - #ifdef WOLFSSL_CERT_EXT - int i; - #endif +/* convert a WOLFSSL_X509 to a Cert structure for writing out */ +static int CertFromX509(Cert* cert, WOLFSSL_X509* x509) +{ + int ret; +#ifdef WOLFSSL_CERT_EXT + int i; +#endif - WOLFSSL_ENTER("wolfSSL_X509_to_Cert"); + WOLFSSL_ENTER("wolfSSL_X509_to_Cert"); - if (x509 == NULL || cert == NULL) { - return BAD_FUNC_ARG; - } + if (x509 == NULL || cert == NULL) { + return BAD_FUNC_ARG; + } - wc_InitCert(cert); + wc_InitCert(cert); - cert->version = (int)wolfSSL_X509_get_version(x509); + cert->version = (int)wolfSSL_X509_get_version(x509); - if (x509->notBefore.length > 0) { - cert->beforeDateSz = CertDateFromX509(cert->beforeDate, - CTC_DATE_SIZE, &x509->notBefore); - if (cert->beforeDateSz <= 0){ - WOLFSSL_MSG("Error converting WOLFSSL_X509 not before date"); - return WOLFSSL_FAILURE; - } - } - else { - cert->beforeDateSz = 0; + if (x509->notBefore.length > 0) { + cert->beforeDateSz = CertDateFromX509(cert->beforeDate, + CTC_DATE_SIZE, &x509->notBefore); + if (cert->beforeDateSz <= 0) { + WOLFSSL_MSG("Error converting WOLFSSL_X509 not before date"); + return WOLFSSL_FAILURE; } + } + else { + cert->beforeDateSz = 0; + } - if (x509->notAfter.length > 0) { - cert->afterDateSz = CertDateFromX509(cert->afterDate, - CTC_DATE_SIZE, &x509->notAfter); - if (cert->afterDateSz <= 0){ - WOLFSSL_MSG("Error converting WOLFSSL_X509 not after date"); - return WOLFSSL_FAILURE; - } - } - else { - cert->afterDateSz = 0; + if (x509->notAfter.length > 0) { + cert->afterDateSz = CertDateFromX509(cert->afterDate, + CTC_DATE_SIZE, &x509->notAfter); + if (cert->afterDateSz <= 0) { + WOLFSSL_MSG("Error converting WOLFSSL_X509 not after date"); + return WOLFSSL_FAILURE; } + } + else { + cert->afterDateSz = 0; + } - #ifdef WOLFSSL_ALT_NAMES - cert->altNamesSz = FlattenAltNames(cert->altNames, - sizeof(cert->altNames), x509->altNames); - #endif /* WOLFSSL_ALT_NAMES */ +#ifdef WOLFSSL_ALT_NAMES + cert->altNamesSz = FlattenAltNames(cert->altNames, + sizeof(cert->altNames), x509->altNames); +#endif /* WOLFSSL_ALT_NAMES */ - cert->sigType = wolfSSL_X509_get_signature_type(x509); - cert->keyType = x509->pubKeyOID; - cert->isCA = wolfSSL_X509_get_isCA(x509); - cert->basicConstSet = x509->basicConstSet; + cert->sigType = wolfSSL_X509_get_signature_type(x509); + cert->keyType = x509->pubKeyOID; + cert->isCA = wolfSSL_X509_get_isCA(x509); + cert->basicConstSet = x509->basicConstSet; - #ifdef WOLFSSL_CERT_EXT - if (x509->subjKeyIdSz <= CTC_MAX_SKID_SIZE) { - if (x509->subjKeyId) { - XMEMCPY(cert->skid, x509->subjKeyId, x509->subjKeyIdSz); - } - cert->skidSz = (int)x509->subjKeyIdSz; +#ifdef WOLFSSL_CERT_EXT + if (x509->subjKeyIdSz <= CTC_MAX_SKID_SIZE) { + if (x509->subjKeyId) { + XMEMCPY(cert->skid, x509->subjKeyId, x509->subjKeyIdSz); } - else { - WOLFSSL_MSG("Subject Key ID too large"); - WOLFSSL_ERROR_VERBOSE(BUFFER_E); - return WOLFSSL_FAILURE; + cert->skidSz = (int)x509->subjKeyIdSz; + } + else { + WOLFSSL_MSG("Subject Key ID too large"); + WOLFSSL_ERROR_VERBOSE(BUFFER_E); + return WOLFSSL_FAILURE; + } + + if (x509->authKeyIdSz < sizeof(cert->akid)) { + #ifdef WOLFSSL_AKID_NAME + cert->rawAkid = 0; + if (x509->authKeyIdSrc) { + XMEMCPY(cert->akid, x509->authKeyIdSrc, x509->authKeyIdSrcSz); + cert->akidSz = (int)x509->authKeyIdSrcSz; + cert->rawAkid = 1; + } + else + #endif + if (x509->authKeyId) { + XMEMCPY(cert->akid, x509->authKeyId, x509->authKeyIdSz); + cert->akidSz = (int)x509->authKeyIdSz; } + } + else { + WOLFSSL_MSG("Auth Key ID too large"); + WOLFSSL_ERROR_VERBOSE(BUFFER_E); + return WOLFSSL_FAILURE; + } - if (x509->authKeyIdSz < sizeof(cert->akid)) { - #ifdef WOLFSSL_AKID_NAME - cert->rawAkid = 0; - if (x509->authKeyIdSrc) { - XMEMCPY(cert->akid, x509->authKeyIdSrc, x509->authKeyIdSrcSz); - cert->akidSz = (int)x509->authKeyIdSrcSz; - cert->rawAkid = 1; - } - else - #endif - if (x509->authKeyId) { - XMEMCPY(cert->akid, x509->authKeyId, x509->authKeyIdSz); - cert->akidSz = (int)x509->authKeyIdSz; - } + for (i = 0; i < x509->certPoliciesNb; i++) { + /* copy the smaller of MAX macros, by default they are currently equal*/ + if ((int)CTC_MAX_CERTPOL_SZ <= (int)MAX_CERTPOL_SZ) { + XMEMCPY(cert->certPolicies[i], x509->certPolicies[i], + CTC_MAX_CERTPOL_SZ); } else { - WOLFSSL_MSG("Auth Key ID too large"); + XMEMCPY(cert->certPolicies[i], x509->certPolicies[i], + MAX_CERTPOL_SZ); + } + } + cert->certPoliciesNb = (word16)x509->certPoliciesNb; + + cert->keyUsage = x509->keyUsage; + cert->extKeyUsage = x509->extKeyUsage; + cert->nsCertType = x509->nsCertType; + + if (x509->rawCRLInfo != NULL) { + if (x509->rawCRLInfoSz > CTC_MAX_CRLINFO_SZ) { + WOLFSSL_MSG("CRL Info too large"); WOLFSSL_ERROR_VERBOSE(BUFFER_E); return WOLFSSL_FAILURE; } + XMEMCPY(cert->crlInfo, x509->rawCRLInfo, x509->rawCRLInfoSz); + cert->crlInfoSz = x509->rawCRLInfoSz; + } - for (i = 0; i < x509->certPoliciesNb; i++) { - /* copy the smaller of MAX macros, by default they are currently equal*/ - if ((int)CTC_MAX_CERTPOL_SZ <= (int)MAX_CERTPOL_SZ) { - XMEMCPY(cert->certPolicies[i], x509->certPolicies[i], - CTC_MAX_CERTPOL_SZ); - } - else { - XMEMCPY(cert->certPolicies[i], x509->certPolicies[i], - MAX_CERTPOL_SZ); - } - } - cert->certPoliciesNb = (word16)x509->certPoliciesNb; +#ifdef WOLFSSL_DUAL_ALG_CERTS + /* We point to instance in x509 so DON'T need to be free'd. */ + cert->sapkiDer = x509->sapkiDer; + cert->sapkiLen = x509->sapkiLen; + cert->altSigAlgDer = x509->altSigAlgDer; + cert->altSigAlgLen = x509->altSigAlgLen; + cert->altSigValDer = x509->altSigValDer; + cert->altSigValLen = x509->altSigValLen; +#endif /* WOLFSSL_DUAL_ALG_CERTS */ +#endif /* WOLFSSL_CERT_EXT */ - cert->keyUsage = x509->keyUsage; - cert->extKeyUsage = x509->extKeyUsage; - cert->nsCertType = x509->nsCertType; +#ifdef WOLFSSL_CERT_REQ + /* copy over challenge password for REQ certs */ + XMEMCPY(cert->challengePw, x509->challengePw, CTC_NAME_SIZE); +#endif - if (x509->rawCRLInfo != NULL) { - if (x509->rawCRLInfoSz > CTC_MAX_CRLINFO_SZ) { - WOLFSSL_MSG("CRL Info too large"); - WOLFSSL_ERROR_VERBOSE(BUFFER_E); - return WOLFSSL_FAILURE; - } - XMEMCPY(cert->crlInfo, x509->rawCRLInfo, x509->rawCRLInfoSz); - cert->crlInfoSz = x509->rawCRLInfoSz; + /* Only makes sense to do this for OPENSSL_EXTRA because without + * this define the function will error out below */ + #ifdef OPENSSL_EXTRA + if (x509->serialSz == 0 && x509->serialNumber != NULL && + /* Check if the buffer contains more than just the + * ASN tag and length */ + x509->serialNumber->length > 2) { + if (wolfSSL_X509_set_serialNumber(x509, x509->serialNumber) + != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Failed to set serial number"); + return WOLFSSL_FAILURE; } + } + #endif - #ifdef WOLFSSL_DUAL_ALG_CERTS - /* We point to instance in x509 so DON'T need to be free'd. */ - cert->sapkiDer = x509->sapkiDer; - cert->sapkiLen = x509->sapkiLen; - cert->altSigAlgDer = x509->altSigAlgDer; - cert->altSigAlgLen = x509->altSigAlgLen; - cert->altSigValDer = x509->altSigValDer; - cert->altSigValLen = x509->altSigValLen; - #endif /* WOLFSSL_DUAL_ALG_CERTS */ - #endif /* WOLFSSL_CERT_EXT */ - - #ifdef WOLFSSL_CERT_REQ - /* copy over challenge password for REQ certs */ - XMEMCPY(cert->challengePw, x509->challengePw, CTC_NAME_SIZE); - #endif + /* set serial number */ + if (x509->serialSz > 0) { + #if defined(OPENSSL_EXTRA) + byte serial[EXTERNAL_SERIAL_SIZE]; + int serialSz = EXTERNAL_SERIAL_SIZE; - /* Only makes sense to do this for OPENSSL_EXTRA because without - * this define the function will error out below */ - #ifdef OPENSSL_EXTRA - if (x509->serialSz == 0 && x509->serialNumber != NULL && - /* Check if the buffer contains more than just the - * ASN tag and length */ - x509->serialNumber->length > 2) { - if (wolfSSL_X509_set_serialNumber(x509, x509->serialNumber) - != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Failed to set serial number"); - return WOLFSSL_FAILURE; - } + ret = wolfSSL_X509_get_serial_number(x509, serial, &serialSz); + if (ret != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Serial size error"); + return WOLFSSL_FAILURE; } - #endif - /* set serial number */ - if (x509->serialSz > 0) { - #if defined(OPENSSL_EXTRA) - byte serial[EXTERNAL_SERIAL_SIZE]; - int serialSz = EXTERNAL_SERIAL_SIZE; - - ret = wolfSSL_X509_get_serial_number(x509, serial, &serialSz); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Serial size error"); - return WOLFSSL_FAILURE; - } - - if (serialSz > EXTERNAL_SERIAL_SIZE || - serialSz > CTC_SERIAL_SIZE) { - WOLFSSL_MSG("Serial size too large error"); - WOLFSSL_ERROR_VERBOSE(BUFFER_E); - return WOLFSSL_FAILURE; - } - XMEMCPY(cert->serial, serial, serialSz); - cert->serialSz = serialSz; - #else - WOLFSSL_MSG("Getting X509 serial number not supported"); + if (serialSz > EXTERNAL_SERIAL_SIZE || + serialSz > CTC_SERIAL_SIZE) { + WOLFSSL_MSG("Serial size too large error"); + WOLFSSL_ERROR_VERBOSE(BUFFER_E); return WOLFSSL_FAILURE; - #endif } + XMEMCPY(cert->serial, serial, serialSz); + cert->serialSz = serialSz; + #else + WOLFSSL_MSG("Getting X509 serial number not supported"); + return WOLFSSL_FAILURE; + #endif + } - /* copy over Name structures */ - if (x509->issuerSet) - cert->selfSigned = 0; + /* copy over Name structures */ + if (x509->issuerSet) + cert->selfSigned = 0; - #if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) - ret = CopyX509NameToCert(&x509->subject, cert->sbjRaw); +#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) + ret = CopyX509NameToCert(&x509->subject, cert->sbjRaw); + if (ret < 0) { + WOLFSSL_MSG("Subject conversion error"); + return MEMORY_E; + } + if (cert->selfSigned) { + XMEMCPY(cert->issRaw, cert->sbjRaw, sizeof(CertName)); + } + else { + ret = CopyX509NameToCert(&x509->issuer, cert->issRaw); if (ret < 0) { - WOLFSSL_MSG("Subject conversion error"); + WOLFSSL_MSG("Issuer conversion error"); return MEMORY_E; } - if (cert->selfSigned) { - XMEMCPY(cert->issRaw, cert->sbjRaw, sizeof(CertName)); - } - else { - ret = CopyX509NameToCert(&x509->issuer, cert->issRaw); - if (ret < 0) { - WOLFSSL_MSG("Issuer conversion error"); - return MEMORY_E; - } - } - #endif + } +#endif - cert->heap = x509->heap; + cert->heap = x509->heap; - (void)ret; - return WOLFSSL_SUCCESS; - } + (void)ret; + return WOLFSSL_SUCCESS; +} /* returns the sig type to use on success i.e CTC_SHAwRSA and WOLFSSL_FALURE @@ -10643,7 +10765,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref( return WOLFSSL_FAILURE; } - if (pkey->type == EVP_PKEY_RSA) { + if (pkey->type == WC_EVP_PKEY_RSA) { switch (hashType) { case WC_HASH_TYPE_SHA: sigType = CTC_SHAwRSA; @@ -10678,7 +10800,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref( return WOLFSSL_FAILURE; } } - else if (pkey->type == EVP_PKEY_EC) { + else if (pkey->type == WC_EVP_PKEY_EC) { switch (hashType) { case WC_HASH_TYPE_SHA: sigType = CTC_SHAwECDSA; @@ -11186,13 +11308,13 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref( /* Get the private key object and type from pkey. */ #ifndef NO_RSA - if (pkey->type == EVP_PKEY_RSA) { + if (pkey->type == WC_EVP_PKEY_RSA) { type = RSA_TYPE; key = pkey->rsa->internal; } #endif #ifdef HAVE_ECC - if (pkey->type == EVP_PKEY_EC) { + if (pkey->type == WC_EVP_PKEY_EC) { type = ECC_TYPE; key = pkey->ecc->internal; } @@ -11202,7 +11324,8 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref( ret = wc_InitRng(&rng); if (ret != 0) return ret; - ret = wc_SignCert_ex(certBodySz, sigType, der, (word32)derSz, type, key, &rng); + ret = wc_SignCert_ex(certBodySz, sigType, der, (word32)derSz, type, key, + &rng); wc_FreeRng(&rng); if (ret < 0) { WOLFSSL_LEAVE("wolfSSL_X509_resign_cert", ret); @@ -11268,70 +11391,71 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref( } - #ifndef WC_MAX_X509_GEN - /* able to override max size until dynamic buffer created */ - #define WC_MAX_X509_GEN 4096 - #endif +#ifndef WC_MAX_X509_GEN + /* able to override max size until dynamic buffer created */ + #define WC_MAX_X509_GEN 4096 +#endif - /* returns the size of signature on success */ - int wolfSSL_X509_sign(WOLFSSL_X509* x509, WOLFSSL_EVP_PKEY* pkey, - const WOLFSSL_EVP_MD* md) - { - int ret; - /* @TODO dynamic set based on expected cert size */ - byte *der = (byte *)XMALLOC(WC_MAX_X509_GEN, NULL, DYNAMIC_TYPE_TMP_BUFFER); - int derSz = WC_MAX_X509_GEN; +/* returns the size of signature on success */ +int wolfSSL_X509_sign(WOLFSSL_X509* x509, WOLFSSL_EVP_PKEY* pkey, + const WOLFSSL_EVP_MD* md) +{ + int ret; + /* @TODO dynamic set based on expected cert size */ + byte *der = (byte *)XMALLOC(WC_MAX_X509_GEN, NULL, DYNAMIC_TYPE_TMP_BUFFER); + int derSz = WC_MAX_X509_GEN; - WOLFSSL_ENTER("wolfSSL_X509_sign"); + WOLFSSL_ENTER("wolfSSL_X509_sign"); - if (x509 == NULL || pkey == NULL || md == NULL) { - ret = WOLFSSL_FAILURE; - goto out; - } + if (x509 == NULL || pkey == NULL || md == NULL) { + ret = WOLFSSL_FAILURE; + goto out; + } - x509->sigOID = wolfSSL_sigTypeFromPKEY((WOLFSSL_EVP_MD*)md, pkey); - if ((ret = wolfssl_x509_make_der(x509, 0, der, &derSz, 0)) != - WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Unable to make DER for X509"); - WOLFSSL_LEAVE("wolfSSL_X509_sign", ret); - (void)ret; - ret = WOLFSSL_FAILURE; - goto out; - } + x509->sigOID = wolfSSL_sigTypeFromPKEY((WOLFSSL_EVP_MD*)md, pkey); + if ((ret = wolfssl_x509_make_der(x509, 0, der, &derSz, 0)) != + WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Unable to make DER for X509"); + WOLFSSL_LEAVE("wolfSSL_X509_sign", ret); + (void)ret; + ret = WOLFSSL_FAILURE; + goto out; + } - ret = wolfSSL_X509_resign_cert(x509, 0, der, WC_MAX_X509_GEN, derSz, - (WOLFSSL_EVP_MD*)md, pkey); - if (ret <= 0) { - WOLFSSL_LEAVE("wolfSSL_X509_sign", ret); - ret = WOLFSSL_FAILURE; - goto out; - } + ret = wolfSSL_X509_resign_cert(x509, 0, der, WC_MAX_X509_GEN, derSz, + (WOLFSSL_EVP_MD*)md, pkey); + if (ret <= 0) { + WOLFSSL_LEAVE("wolfSSL_X509_sign", ret); + ret = WOLFSSL_FAILURE; + goto out; + } - out: - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); +out: + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return ret; - } + return ret; +} #if defined(OPENSSL_EXTRA) - int wolfSSL_X509_sign_ctx(WOLFSSL_X509 *x509, WOLFSSL_EVP_MD_CTX *ctx) - { - WOLFSSL_ENTER("wolfSSL_X509_sign_ctx"); - - if (!x509 || !ctx || !ctx->pctx || !ctx->pctx->pkey) { - WOLFSSL_MSG("Bad parameter"); - return WOLFSSL_FAILURE; - } +int wolfSSL_X509_sign_ctx(WOLFSSL_X509 *x509, WOLFSSL_EVP_MD_CTX *ctx) +{ + WOLFSSL_ENTER("wolfSSL_X509_sign_ctx"); - return wolfSSL_X509_sign(x509, ctx->pctx->pkey, wolfSSL_EVP_MD_CTX_md(ctx)); + if (!x509 || !ctx || !ctx->pctx || !ctx->pctx->pkey) { + WOLFSSL_MSG("Bad parameter"); + return WOLFSSL_FAILURE; } + + return wolfSSL_X509_sign(x509, ctx->pctx->pkey, + wolfSSL_EVP_MD_CTX_md(ctx)); +} #endif /* OPENSSL_EXTRA */ #endif /* WOLFSSL_CERT_GEN */ #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \ defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL) -/* Converts from NID_* value to wolfSSL value if needed. +/* Converts from WC_NID_* value to wolfSSL value if needed. * * @param [in] nid Numeric Id of a domain name component. * @return Domain name tag values - wolfSSL internal values. @@ -11340,28 +11464,28 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_chain_up_ref( static int ConvertNIDToWolfSSL(int nid) { switch (nid) { - case NID_commonName : return ASN_COMMON_NAME; + case WC_NID_commonName : return ASN_COMMON_NAME; #ifdef WOLFSSL_CERT_NAME_ALL - case NID_name : return ASN_NAME; - case NID_givenName: return ASN_GIVEN_NAME; - case NID_dnQualifier : return ASN_DNQUALIFIER; - case NID_initials: return ASN_INITIALS; + case WC_NID_name : return ASN_NAME; + case WC_NID_givenName: return ASN_GIVEN_NAME; + case WC_NID_dnQualifier : return ASN_DNQUALIFIER; + case WC_NID_initials: return ASN_INITIALS; #endif /* WOLFSSL_CERT_NAME_ALL */ - case NID_surname : return ASN_SUR_NAME; - case NID_countryName: return ASN_COUNTRY_NAME; - case NID_localityName: return ASN_LOCALITY_NAME; - case NID_stateOrProvinceName: return ASN_STATE_NAME; - case NID_streetAddress: return ASN_STREET_ADDR; - case NID_organizationName: return ASN_ORG_NAME; - case NID_organizationalUnitName: return ASN_ORGUNIT_NAME; - case NID_emailAddress: return ASN_EMAIL_NAME; - case NID_pkcs9_contentType: return ASN_CONTENT_TYPE; - case NID_serialNumber: return ASN_SERIAL_NUMBER; - case NID_userId: return ASN_USER_ID; - case NID_businessCategory: return ASN_BUS_CAT; - case NID_domainComponent: return ASN_DOMAIN_COMPONENT; - case NID_postalCode: return ASN_POSTAL_CODE; - case NID_favouriteDrink: return ASN_FAVOURITE_DRINK; + case WC_NID_surname : return ASN_SUR_NAME; + case WC_NID_countryName: return ASN_COUNTRY_NAME; + case WC_NID_localityName: return ASN_LOCALITY_NAME; + case WC_NID_stateOrProvinceName: return ASN_STATE_NAME; + case WC_NID_streetAddress: return ASN_STREET_ADDR; + case WC_NID_organizationName: return ASN_ORG_NAME; + case WC_NID_organizationalUnitName: return ASN_ORGUNIT_NAME; + case WC_NID_emailAddress: return ASN_EMAIL_NAME; + case WC_NID_pkcs9_contentType: return ASN_CONTENT_TYPE; + case WC_NID_serialNumber: return ASN_SERIAL_NUMBER; + case WC_NID_userId: return ASN_USER_ID; + case WC_NID_businessCategory: return ASN_BUS_CAT; + case WC_NID_domainComponent: return ASN_DOMAIN_COMPONENT; + case WC_NID_postalCode: return ASN_POSTAL_CODE; + case WC_NID_favouriteDrink: return ASN_FAVOURITE_DRINK; default: WOLFSSL_MSG("Attribute NID not found"); return WOLFSSL_FATAL_ERROR; @@ -11370,7 +11494,8 @@ static int ConvertNIDToWolfSSL(int nid) #endif /* OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL*/ -#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \ + defined(OPENSSL_EXTRA_X509_SMALL) /* This is to convert the x509 name structure into canonical DER format */ /* , which has the following rules: */ /* convert to UTF8 */ @@ -11560,15 +11685,16 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) type = wolfSSL_ASN1_STRING_type(data); switch (type) { - case MBSTRING_UTF8: + case WOLFSSL_MBSTRING_UTF8: type = CTC_UTF8; break; - case MBSTRING_ASC: - case V_ASN1_PRINTABLESTRING: + case WOLFSSL_MBSTRING_ASC: + case WOLFSSL_V_ASN1_PRINTABLESTRING: type = CTC_PRINTABLE; break; default: - WOLFSSL_MSG("Unknown encoding type conversion UTF8 by default"); + WOLFSSL_MSG( + "Unknown encoding type conversion UTF8 by default"); type = CTC_UTF8; } ret = wc_EncodeName(&names[i], nameStr, (char)type, @@ -11739,96 +11865,96 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) #ifndef NO_BIO - static WOLFSSL_X509 *loadX509orX509REQFromPemBio(WOLFSSL_BIO *bp, - WOLFSSL_X509 **x, wc_pem_password_cb *cb, void *u, int type) - { - WOLFSSL_X509* x509 = NULL; +static WOLFSSL_X509 *loadX509orX509REQFromPemBio(WOLFSSL_BIO *bp, + WOLFSSL_X509 **x, wc_pem_password_cb *cb, void *u, int type) +{ + WOLFSSL_X509* x509 = NULL; #if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) - unsigned char* pem = NULL; - int pemSz; - long i = 0, l, footerSz; - const char* footer = NULL; + unsigned char* pem = NULL; + int pemSz; + long i = 0, l, footerSz; + const char* footer = NULL; - WOLFSSL_ENTER("loadX509orX509REQFromPemBio"); + WOLFSSL_ENTER("loadX509orX509REQFromPemBio"); - if (bp == NULL || (type != CERT_TYPE && type != CERTREQ_TYPE)) { - WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_X509", BAD_FUNC_ARG); - return NULL; - } + if (bp == NULL || (type != CERT_TYPE && type != CERTREQ_TYPE)) { + WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_X509", BAD_FUNC_ARG); + return NULL; + } - if ((l = wolfSSL_BIO_get_len(bp)) <= 0) { - /* No certificate in buffer */ + if ((l = wolfSSL_BIO_get_len(bp)) <= 0) { + /* No certificate in buffer */ #if defined (WOLFSSL_HAPROXY) - WOLFSSL_ERROR(PEM_R_NO_START_LINE); + WOLFSSL_ERROR(PEM_R_NO_START_LINE); #else - WOLFSSL_ERROR(ASN_NO_PEM_HEADER); + WOLFSSL_ERROR(ASN_NO_PEM_HEADER); #endif - return NULL; - } + return NULL; + } - pemSz = (int)l; - pem = (unsigned char*)XMALLOC(pemSz, 0, DYNAMIC_TYPE_PEM); - if (pem == NULL) - return NULL; - XMEMSET(pem, 0, pemSz); + pemSz = (int)l; + pem = (unsigned char*)XMALLOC(pemSz, 0, DYNAMIC_TYPE_PEM); + if (pem == NULL) + return NULL; + XMEMSET(pem, 0, pemSz); - i = 0; - if (wc_PemGetHeaderFooter(type, NULL, &footer) != 0) { - XFREE(pem, 0, DYNAMIC_TYPE_PEM); - return NULL; - } - footerSz = (long)XSTRLEN(footer); + i = 0; + if (wc_PemGetHeaderFooter(type, NULL, &footer) != 0) { + XFREE(pem, 0, DYNAMIC_TYPE_PEM); + return NULL; + } + footerSz = (long)XSTRLEN(footer); - /* TODO: Inefficient - * reading in one byte at a time until see the footer - */ - while ((l = wolfSSL_BIO_read(bp, (char *)&pem[i], 1)) == 1) { - i++; - if (i > footerSz && XMEMCMP((char *)&pem[i-footerSz], footer, - footerSz) == 0) { - if (wolfSSL_BIO_read(bp, (char *)&pem[i], 1) == 1) { - /* attempt to read newline following footer */ - i++; - if (pem[i-1] == '\r') { - /* found \r , Windows line ending is \r\n so try to read one - * more byte for \n, ignoring return value */ - (void)wolfSSL_BIO_read(bp, (char *)&pem[i++], 1); - } + /* TODO: Inefficient + * reading in one byte at a time until see the footer + */ + while ((l = wolfSSL_BIO_read(bp, (char *)&pem[i], 1)) == 1) { + i++; + if (i > footerSz && XMEMCMP((char *)&pem[i-footerSz], footer, + footerSz) == 0) { + if (wolfSSL_BIO_read(bp, (char *)&pem[i], 1) == 1) { + /* attempt to read newline following footer */ + i++; + if (pem[i-1] == '\r') { + /* found \r , Windows line ending is \r\n so try to read one + * more byte for \n, ignoring return value */ + (void)wolfSSL_BIO_read(bp, (char *)&pem[i++], 1); } - break; } + break; } - if (l == 0) - WOLFSSL_ERROR(ASN_NO_PEM_HEADER); - if (i > pemSz) { - WOLFSSL_MSG("Error parsing PEM"); - } - else { - pemSz = (int)i; - #ifdef WOLFSSL_CERT_REQ - if (type == CERTREQ_TYPE) - x509 = wolfSSL_X509_REQ_load_certificate_buffer(pem, pemSz, - WOLFSSL_FILETYPE_PEM); - else - #endif - x509 = wolfSSL_X509_load_certificate_buffer(pem, pemSz, - WOLFSSL_FILETYPE_PEM); - } + } + if (l == 0) + WOLFSSL_ERROR(ASN_NO_PEM_HEADER); + if (i > pemSz) { + WOLFSSL_MSG("Error parsing PEM"); + } + else { + pemSz = (int)i; + #ifdef WOLFSSL_CERT_REQ + if (type == CERTREQ_TYPE) + x509 = wolfSSL_X509_REQ_load_certificate_buffer(pem, pemSz, + WOLFSSL_FILETYPE_PEM); + else + #endif + x509 = wolfSSL_X509_load_certificate_buffer(pem, pemSz, + WOLFSSL_FILETYPE_PEM); + } - if (x != NULL) { - *x = x509; - } + if (x != NULL) { + *x = x509; + } - XFREE(pem, NULL, DYNAMIC_TYPE_PEM); + XFREE(pem, NULL, DYNAMIC_TYPE_PEM); #endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */ - (void)bp; - (void)x; - (void)cb; - (void)u; + (void)bp; + (void)x; + (void)cb; + (void)u; - return x509; - } + return x509; +} #if defined(WOLFSSL_ACERT) @@ -11916,11 +12042,11 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) } #ifdef WOLFSSL_CERT_REQ - WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509_REQ(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, +WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509_REQ(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, wc_pem_password_cb *cb, void *u) - { - return loadX509orX509REQFromPemBio(bp, x, cb, u, CERTREQ_TYPE); - } +{ + return loadX509orX509REQFromPemBio(bp, x, cb, u, CERTREQ_TYPE); +} #ifndef NO_FILESYSTEM WOLFSSL_X509* wolfSSL_PEM_read_X509_REQ(XFILE fp, WOLFSSL_X509** x, @@ -11944,7 +12070,7 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) err = 1; } } - if (err == 0 && wolfSSL_BIO_set_fp(bio, fp, BIO_CLOSE) + if (err == 0 && wolfSSL_BIO_set_fp(bio, fp, WOLFSSL_BIO_CLOSE) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Failed to set BIO file pointer."); err = 1; @@ -11953,9 +12079,7 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) ret = wolfSSL_PEM_read_bio_X509_REQ(bio, x, cb, u); } - if (bio != NULL) { - wolfSSL_BIO_free(bio); - } + wolfSSL_BIO_free(bio); return ret; } @@ -11985,17 +12109,17 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) goto err; } - if((PemToDer(pem, pemSz, CRL_TYPE, &der, NULL, NULL, NULL)) < 0) { + if ((PemToDer(pem, pemSz, CRL_TYPE, &der, NULL, NULL, NULL)) < 0) { goto err; } derSz = (int)der->length; - if((crl = wolfSSL_d2i_X509_CRL(x, der->buffer, derSz)) == NULL) { + if ((crl = wolfSSL_d2i_X509_CRL(x, der->buffer, derSz)) == NULL) { goto err; } err: XFREE(pem, 0, DYNAMIC_TYPE_PEM); - if(der != NULL) { + if (der != NULL) { FreeDer(&der); } @@ -12016,106 +12140,107 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) #endif /* !NO_BIO */ #if !defined(NO_FILESYSTEM) - static void* wolfSSL_PEM_read_X509_ex(XFILE fp, void **x, - wc_pem_password_cb *cb, void *u, int type) - { - unsigned char* pem = NULL; - int pemSz; - long i = 0, l; - void *newx509; - int derSz; - DerBuffer* der = NULL; - - WOLFSSL_ENTER("wolfSSL_PEM_read_X509"); +static void* wolfSSL_PEM_read_X509_ex(XFILE fp, void **x, + wc_pem_password_cb *cb, void *u, int type) +{ + unsigned char* pem = NULL; + int pemSz; + long i = 0, l; + void *newx509; + int derSz; + DerBuffer* der = NULL; - if (fp == XBADFILE) { - WOLFSSL_LEAVE("wolfSSL_PEM_read_X509", BAD_FUNC_ARG); - return NULL; - } - /* Read cert from file */ - i = XFTELL(fp); - if (i < 0) { - WOLFSSL_LEAVE("wolfSSL_PEM_read_X509", BAD_FUNC_ARG); - return NULL; - } + WOLFSSL_ENTER("wolfSSL_PEM_read_X509"); - if (XFSEEK(fp, 0, XSEEK_END) != 0) - return NULL; - l = XFTELL(fp); - if (l < 0) - return NULL; - if (XFSEEK(fp, i, SEEK_SET) != 0) - return NULL; - pemSz = (int)(l - i); + if (fp == XBADFILE) { + WOLFSSL_LEAVE("wolfSSL_PEM_read_X509", BAD_FUNC_ARG); + return NULL; + } + /* Read cert from file */ + i = XFTELL(fp); + if (i < 0) { + WOLFSSL_LEAVE("wolfSSL_PEM_read_X509", BAD_FUNC_ARG); + return NULL; + } - /* check calculated length */ - if (pemSz > MAX_WOLFSSL_FILE_SIZE || pemSz <= 0) { - WOLFSSL_MSG("PEM_read_X509_ex file size error"); - return NULL; - } + if (XFSEEK(fp, 0, XSEEK_END) != 0) + return NULL; + l = XFTELL(fp); + if (l < 0) + return NULL; + if (XFSEEK(fp, i, SEEK_SET) != 0) + return NULL; + pemSz = (int)(l - i); - /* allocate pem buffer */ - pem = (unsigned char*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_PEM); - if (pem == NULL) - return NULL; + /* check calculated length */ + if (pemSz > MAX_WOLFSSL_FILE_SIZE || pemSz <= 0) { + WOLFSSL_MSG("PEM_read_X509_ex file size error"); + return NULL; + } - if ((int)XFREAD((char *)pem, 1, (size_t)pemSz, fp) != pemSz) - goto err_exit; + /* allocate pem buffer */ + pem = (unsigned char*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_PEM); + if (pem == NULL) + return NULL; - switch (type) { - case CERT_TYPE: - newx509 = (void *)wolfSSL_X509_load_certificate_buffer(pem, - pemSz, WOLFSSL_FILETYPE_PEM); - break; + if ((int)XFREAD((char *)pem, 1, (size_t)pemSz, fp) != pemSz) + goto err_exit; - #ifdef HAVE_CRL - case CRL_TYPE: - if ((PemToDer(pem, pemSz, CRL_TYPE, &der, NULL, NULL, NULL)) < 0) - goto err_exit; - derSz = (int)der->length; - newx509 = (void*)wolfSSL_d2i_X509_CRL((WOLFSSL_X509_CRL **)x, - (const unsigned char *)der->buffer, derSz); - if (newx509 == NULL) - goto err_exit; - FreeDer(&der); - break; - #endif + switch (type) { + case CERT_TYPE: + newx509 = (void *)wolfSSL_X509_load_certificate_buffer(pem, + pemSz, WOLFSSL_FILETYPE_PEM); + break; - default: + #ifdef HAVE_CRL + case CRL_TYPE: + if ((PemToDer(pem, pemSz, CRL_TYPE, &der, NULL, NULL, NULL)) < 0) + goto err_exit; + derSz = (int)der->length; + newx509 = (void*)wolfSSL_d2i_X509_CRL((WOLFSSL_X509_CRL **)x, + (const unsigned char *)der->buffer, derSz); + if (newx509 == NULL) goto err_exit; - } - if (x != NULL) { - *x = newx509; - } - XFREE(pem, NULL, DYNAMIC_TYPE_PEM); - return newx509; - - err_exit: - XFREE(pem, NULL, DYNAMIC_TYPE_PEM); - if (der != NULL) FreeDer(&der); + break; + #endif - /* unused */ - (void)cb; - (void)u; - (void)derSz; - - return NULL; + default: + goto err_exit; } - - WOLFSSL_API WOLFSSL_X509* wolfSSL_PEM_read_X509(XFILE fp, WOLFSSL_X509 **x, - wc_pem_password_cb *cb, - void *u) - { - return (WOLFSSL_X509* )wolfSSL_PEM_read_X509_ex(fp, (void **)x, cb, u, CERT_TYPE); + if (x != NULL) { + *x = newx509; } + XFREE(pem, NULL, DYNAMIC_TYPE_PEM); + return newx509; + +err_exit: + XFREE(pem, NULL, DYNAMIC_TYPE_PEM); + if (der != NULL) + FreeDer(&der); + + /* unused */ + (void)cb; + (void)u; + (void)derSz; + + return NULL; +} + +WOLFSSL_API WOLFSSL_X509* wolfSSL_PEM_read_X509(XFILE fp, WOLFSSL_X509 **x, + wc_pem_password_cb *cb, void *u) +{ + return (WOLFSSL_X509* )wolfSSL_PEM_read_X509_ex(fp, (void **)x, cb, u, + CERT_TYPE); +} #if defined(HAVE_CRL) - WOLFSSL_API WOLFSSL_X509_CRL* wolfSSL_PEM_read_X509_CRL(XFILE fp, WOLFSSL_X509_CRL **crl, - wc_pem_password_cb *cb, void *u) - { - return (WOLFSSL_X509_CRL* )wolfSSL_PEM_read_X509_ex(fp, (void **)crl, cb, u, CRL_TYPE); - } +WOLFSSL_API WOLFSSL_X509_CRL* wolfSSL_PEM_read_X509_CRL(XFILE fp, + WOLFSSL_X509_CRL **crl, wc_pem_password_cb *cb, void *u) +{ + return (WOLFSSL_X509_CRL* )wolfSSL_PEM_read_X509_ex(fp, (void **)crl, cb, u, + CRL_TYPE); +} #endif #ifdef WOLFSSL_CERT_GEN @@ -12125,14 +12250,14 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) int ret; WOLFSSL_BIO* bio; - if (x == NULL) + if (x == NULL || fp == XBADFILE) return 0; bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); if (bio == NULL) return 0; - if (wolfSSL_BIO_set_fp(bio, fp, BIO_NOCLOSE) != WOLFSSL_SUCCESS) { + if (wolfSSL_BIO_set_fp(bio, fp, WOLFSSL_BIO_NOCLOSE) != WOLFSSL_SUCCESS) { wolfSSL_BIO_free(bio); bio = NULL; } @@ -12307,7 +12432,7 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) "-----BEGIN X509 CRL-----")) { /* We have a crl */ WOLFSSL_MSG("Parsing crl"); - if((PemToDer((const unsigned char*) header, + if ((PemToDer((const unsigned char*) header, (long)(footerEnd - header), CRL_TYPE, &der, NULL, NULL, NULL)) < 0) { WOLFSSL_MSG("PemToDer error"); @@ -12378,7 +12503,7 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) XFILE fp, WOLF_STACK_OF(WOLFSSL_X509_INFO)* sk, pem_password_cb* cb, void* u) { - WOLFSSL_BIO* fileBio = wolfSSL_BIO_new_fp(fp, BIO_NOCLOSE); + WOLFSSL_BIO* fileBio = wolfSSL_BIO_new_fp(fp, WOLFSSL_BIO_NOCLOSE); WOLF_STACK_OF(WOLFSSL_X509_INFO)* ret = NULL; WOLFSSL_ENTER("wolfSSL_PEM_X509_INFO_read"); @@ -12550,7 +12675,9 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) /* Set the object when no error. */ ne->object = object; } - ne->value = wolfSSL_ASN1_STRING_type_new(type); + if (ne->value == NULL) { + ne->value = wolfSSL_ASN1_STRING_type_new(type); + } if (ne->value != NULL) { if (wolfSSL_ASN1_STRING_set(ne->value, (const void*)data, dataSz) == WOLFSSL_SUCCESS) { @@ -12584,7 +12711,7 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) } nid = wolfSSL_OBJ_txt2nid(txt); - if (nid == NID_undef) { + if (nid == WC_NID_undef) { WOLFSSL_MSG("Unable to find text"); ne = NULL; } @@ -12861,7 +12988,7 @@ WOLFSSL_ASN1_OBJECT* wolfSSL_X509_NAME_ENTRY_get_object( if (name == NULL || field == NULL) return WOLFSSL_FAILURE; - if ((nid = wolfSSL_OBJ_txt2nid(field)) == NID_undef) { + if ((nid = wolfSSL_OBJ_txt2nid(field)) == WC_NID_undef) { WOLFSSL_MSG("Unable convert text to NID"); return WOLFSSL_FAILURE; } @@ -12931,7 +13058,8 @@ WOLFSSL_ASN1_OBJECT* wolfSSL_X509_NAME_ENTRY_get_object( for (idx++; idx < MAX_NAME_ENTRIES; idx++) { /* Find index of desired name */ if (name->entry[idx].set) { - if (XSTRLEN(obj->sName) == XSTRLEN(name->entry[idx].object->sName) && + if (XSTRLEN(obj->sName) == + XSTRLEN(name->entry[idx].object->sName) && XSTRNCMP((const char*) obj->sName, name->entry[idx].object->sName, obj->objSz - 1) == 0) { return idx; @@ -12982,26 +13110,26 @@ WOLFSSL_ASN1_OBJECT* wolfSSL_X509_NAME_ENTRY_get_object( #ifdef OPENSSL_EXTRA - int wolfSSL_X509_check_private_key(WOLFSSL_X509 *x509, WOLFSSL_EVP_PKEY *key) - { - WOLFSSL_ENTER("wolfSSL_X509_check_private_key"); - - if (!x509 || !key) { - WOLFSSL_MSG("Bad parameter"); - return WOLFSSL_FAILURE; - } +int wolfSSL_X509_check_private_key(WOLFSSL_X509 *x509, WOLFSSL_EVP_PKEY *key) +{ + WOLFSSL_ENTER("wolfSSL_X509_check_private_key"); - #ifndef NO_CHECK_PRIVATE_KEY - return wc_CheckPrivateKey((byte*)key->pkey.ptr, key->pkey_sz, - x509->pubKey.buffer, x509->pubKey.length, - (enum Key_Sum)x509->pubKeyOID, key->heap) == 1 ? - WOLFSSL_SUCCESS : WOLFSSL_FAILURE; - #else - /* not compiled in */ - return WOLFSSL_SUCCESS; - #endif + if (!x509 || !key) { + WOLFSSL_MSG("Bad parameter"); + return WOLFSSL_FAILURE; } +#ifndef NO_CHECK_PRIVATE_KEY + return wc_CheckPrivateKey((byte*)key->pkey.ptr, key->pkey_sz, + x509->pubKey.buffer, x509->pubKey.length, + (enum Key_Sum)x509->pubKeyOID, key->heap) == 1 ? + WOLFSSL_SUCCESS : WOLFSSL_FAILURE; +#else + /* not compiled in */ + return WOLFSSL_SUCCESS; +#endif +} + #endif /* OPENSSL_EXTRA */ #if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) \ @@ -13163,9 +13291,10 @@ int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bio, WOLFSSL_X509 *cert) #endif /* !NO_BIO */ #endif /* HAVE_LIGHTY || HAVE_STUNNEL || WOLFSSL_MYSQL_COMPATIBLE */ -#if defined(OPENSSL_EXTRA) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB) +#if defined(OPENSSL_EXTRA) || defined(HAVE_STUNNEL) || \ + defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) || \ + defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_OPENSSH) || \ + defined(HAVE_SBLIM_SFCB) WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_sk_X509_NAME_new( WOLF_SK_COMPARE_CB(WOLFSSL_X509_NAME, cb)) @@ -13201,14 +13330,15 @@ int wolfSSL_sk_X509_NAME_num(const WOLF_STACK_OF(WOLFSSL_X509_NAME) *sk) * returns a pointer to a WOLFSSL_X509_NAME structure on success and NULL on * fail */ -WOLFSSL_X509_NAME* wolfSSL_sk_X509_NAME_value(const STACK_OF(WOLFSSL_X509_NAME)* sk, - int i) +WOLFSSL_X509_NAME* wolfSSL_sk_X509_NAME_value( + const WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk, int i) { WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_value"); return (WOLFSSL_X509_NAME*)wolfSSL_sk_value(sk, i); } -WOLFSSL_X509_NAME* wolfSSL_sk_X509_NAME_pop(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) +WOLFSSL_X509_NAME* wolfSSL_sk_X509_NAME_pop( + WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) { WOLFSSL_STACK* node; WOLFSSL_X509_NAME* name; @@ -13301,7 +13431,8 @@ WOLFSSL_X509_NAME_ENTRY* wolfSSL_sk_X509_NAME_ENTRY_value( return (WOLFSSL_X509_NAME_ENTRY*)wolfSSL_sk_value(sk, i); } -int wolfSSL_sk_X509_NAME_ENTRY_num(const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk) +int wolfSSL_sk_X509_NAME_ENTRY_num( + const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk) { if (sk == NULL) return BAD_FUNC_ARG; @@ -13465,7 +13596,8 @@ WOLF_STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list( return copy; } -void* wolfSSL_sk_X509_OBJECT_value(WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* sk, int i) +void* wolfSSL_sk_X509_OBJECT_value(WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* sk, + int i) { WOLFSSL_ENTER("wolfSSL_sk_X509_OBJECT_value"); for (; sk != NULL && i > 0; i--) @@ -13481,7 +13613,8 @@ int wolfSSL_sk_X509_OBJECT_num(const WOLF_STACK_OF(WOLFSSL_X509_OBJECT) *s) WOLFSSL_ENTER("wolfSSL_sk_X509_OBJECT_num"); if (s) { return (int)s->num; - } else { + } + else { return 0; } } @@ -13511,79 +13644,79 @@ static int get_dn_attr_by_nid(int n, const char** buf) switch(n) { - case NID_commonName : + case WC_NID_commonName : str = "CN"; len = 2; break; - case NID_countryName: + case WC_NID_countryName: str = "C"; len = 1; break; - case NID_localityName: + case WC_NID_localityName: str = "L"; len = 1; break; - case NID_stateOrProvinceName: + case WC_NID_stateOrProvinceName: str = "ST"; len = 2; break; - case NID_streetAddress: + case WC_NID_streetAddress: str = "street"; len = 6; break; - case NID_organizationName: + case WC_NID_organizationName: str = "O"; len = 1; break; - case NID_organizationalUnitName: + case WC_NID_organizationalUnitName: str = "OU"; len = 2; break; - case NID_postalCode: + case WC_NID_postalCode: str = "postalCode"; len = 10; break; - case NID_emailAddress: + case WC_NID_emailAddress: str = "emailAddress"; len = 12; break; - case NID_surname: + case WC_NID_surname: str = "SN"; len = 2; break; - case NID_givenName: + case WC_NID_givenName: str = "GN"; len = 2; break; - case NID_dnQualifier: + case WC_NID_dnQualifier: str = "dnQualifier"; len = 11; break; - case NID_name: + case WC_NID_name: str = "name"; len = 4; break; - case NID_initials: + case WC_NID_initials: str = "initials"; len = 8; break; - case NID_domainComponent: + case WC_NID_domainComponent: str = "DC"; len = 2; break; - case NID_pkcs9_contentType: + case WC_NID_pkcs9_contentType: str = "contentType"; len = 11; break; - case NID_userId: + case WC_NID_userId: str = "UID"; len = 3; break; - case NID_serialNumber: + case WC_NID_serialNumber: str = "serialNumber"; len = 12; break; - case NID_title: + case WC_NID_title: str = "title"; len = 5; break; @@ -13689,7 +13822,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, return WOLFSSL_FAILURE; XMEMSET(eqStr, 0, sizeof(eqStr)); - if (flags & XN_FLAG_SPC_EQ) { + if (flags & WOLFSSL_XN_FLAG_SPC_EQ) { eqSpace = 2; XSTRNCPY(eqStr, " = ", 4); } @@ -13709,9 +13842,10 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, int tmpSz; /* reverse name order for RFC2253 and DN_REV */ - if ((flags & XN_FLAG_RFC2253) || (flags & XN_FLAG_DN_REV)) { + if ((flags & WOLFSSL_XN_FLAG_RFC2253) || (flags & WOLFSSL_XN_FLAG_DN_REV)) { ne = wolfSSL_X509_NAME_get_entry(name, count - i - 1); - } else { + } + else { ne = wolfSSL_X509_NAME_get_entry(name, i); } if (ne == NULL) @@ -13721,7 +13855,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, if (str == NULL) return WOLFSSL_FAILURE; - if (flags & XN_FLAG_RFC2253) { + if (flags & WOLFSSL_XN_FLAG_RFC2253) { /* escape string for RFC 2253, ret sz not counting null term */ escapeSz = wolfSSL_EscapeString_RFC2253(str->data, str->length, escaped, sizeof(escaped)); @@ -13768,10 +13902,12 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, return WOLFSSL_FAILURE; } tmpSz = len + nameStrSz + 1 + eqSpace; /* 1 for '=' */ - if (bio->type != WOLFSSL_BIO_FILE && bio->type != WOLFSSL_BIO_MEMORY) + if (bio->type != WOLFSSL_BIO_FILE && + bio->type != WOLFSSL_BIO_MEMORY) { ++tmpSz; /* include the terminating null when not writing to a * file. */ + } } if (wolfSSL_BIO_write(bio, tmp, tmpSz) != tmpSz) { @@ -13794,7 +13930,7 @@ int wolfSSL_X509_NAME_print_ex_fp(XFILE file, WOLFSSL_X509_NAME* name, WOLFSSL_ENTER("wolfSSL_X509_NAME_print_ex_fp"); - if (!(bio = wolfSSL_BIO_new_fp(file, BIO_NOCLOSE))) { + if (!(bio = wolfSSL_BIO_new_fp(file, WOLFSSL_BIO_NOCLOSE))) { WOLFSSL_MSG("wolfSSL_BIO_new_fp error"); return WOLFSSL_FAILURE; } @@ -13866,7 +14002,8 @@ WOLFSSL_X509_OBJECT *wolfSSL_X509_OBJECT_retrieve_by_subject( return NULL; for (i = 0; i < wolfSSL_sk_X509_OBJECT_num(sk); i++) { - WOLFSSL_X509_OBJECT* obj = (WOLFSSL_X509_OBJECT *)wolfSSL_sk_X509_OBJECT_value(sk, i); + WOLFSSL_X509_OBJECT* obj = (WOLFSSL_X509_OBJECT *) + wolfSSL_sk_X509_OBJECT_value(sk, i); if (obj != NULL && obj->type == type && wolfSSL_X509_NAME_cmp( wolfSSL_X509_get_subject_name(obj->data.x509), name) == 0) @@ -13920,10 +14057,7 @@ int wolfSSL_sk_X509_num(const WOLF_STACK_OF(WOLFSSL_X509) *s) #endif /* OPENSSL_EXTRA */ -#if defined(HAVE_EX_DATA) && (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) \ - || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) \ - || defined(HAVE_LIGHTY)) - +#ifdef HAVE_EX_DATA_CRYPTO int wolfSSL_X509_get_ex_new_index(int idx, void *arg, WOLFSSL_CRYPTO_EX_new* new_func, WOLFSSL_CRYPTO_EX_dup* dup_func, @@ -13931,14 +14065,13 @@ int wolfSSL_X509_get_ex_new_index(int idx, void *arg, { WOLFSSL_ENTER("wolfSSL_X509_get_ex_new_index"); - return wolfssl_get_ex_new_index(CRYPTO_EX_INDEX_X509, idx, arg, + return wolfssl_get_ex_new_index(WOLF_CRYPTO_EX_INDEX_X509, idx, arg, new_func, dup_func, free_func); } #endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(WOLFSSL_WPAS_SMALL) -void *wolfSSL_X509_get_ex_data(X509 *x509, int idx) +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +void *wolfSSL_X509_get_ex_data(WOLFSSL_X509 *x509, int idx) { WOLFSSL_ENTER("wolfSSL_X509_get_ex_data"); #ifdef HAVE_EX_DATA @@ -13952,12 +14085,11 @@ void *wolfSSL_X509_get_ex_data(X509 *x509, int idx) return NULL; } -int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data) +int wolfSSL_X509_set_ex_data(WOLFSSL_X509 *x509, int idx, void *data) { WOLFSSL_ENTER("wolfSSL_X509_set_ex_data"); #ifdef HAVE_EX_DATA - if (x509 != NULL) - { + if (x509 != NULL) { return wolfSSL_CRYPTO_set_ex_data(&x509->ex_data, idx, data); } #else @@ -13970,7 +14102,7 @@ int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data) #ifdef HAVE_EX_DATA_CLEANUP_HOOKS int wolfSSL_X509_set_ex_data_with_cleanup( - X509 *x509, + WOLFSSL_X509 *x509, int idx, void *data, wolfSSL_ex_data_cleanup_routine_t cleanup_routine) @@ -13984,8 +14116,7 @@ int wolfSSL_X509_set_ex_data_with_cleanup( return WOLFSSL_FAILURE; } #endif /* HAVE_EX_DATA_CLEANUP_HOOKS */ - -#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || WOLFSSL_WPAS_SMALL */ +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #ifndef NO_ASN @@ -14121,7 +14252,9 @@ int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc, } #ifdef WOLFSSL_SMALL_STACK - XFREE(dCert, x->heap, DYNAMIC_TYPE_DCERT); + if (x != NULL) { + XFREE(dCert, x->heap, DYNAMIC_TYPE_DCERT); + } #endif return ret; @@ -14150,7 +14283,7 @@ int wolfSSL_X509_check_email(WOLFSSL_X509 *x, const char *chk, size_t chkLen, return WOLFSSL_FAILURE; /* Call with NULL buffer to get required length. */ - emailLen = wolfSSL_X509_NAME_get_text_by_NID(subjName, NID_emailAddress, + emailLen = wolfSSL_X509_NAME_get_text_by_NID(subjName, WC_NID_emailAddress, NULL, 0); if (emailLen < 0) return WOLFSSL_FAILURE; @@ -14161,7 +14294,7 @@ int wolfSSL_X509_check_email(WOLFSSL_X509 *x, const char *chk, size_t chkLen, if (emailBuf == NULL) return WOLFSSL_FAILURE; - emailLen = wolfSSL_X509_NAME_get_text_by_NID(subjName, NID_emailAddress, + emailLen = wolfSSL_X509_NAME_get_text_by_NID(subjName, WC_NID_emailAddress, emailBuf, emailLen); if (emailLen < 0) { XFREE(emailBuf, x->heap, DYNAMIC_TYPE_OPENSSL); @@ -14209,76 +14342,6 @@ int wolfSSL_X509_NAME_digest(const WOLFSSL_X509_NAME *name, #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) -/** - * Find the issuing cert of the input cert. On a self-signed cert this - * function will return an error. - * @param issuer The issuer x509 struct is returned here - * @param cm The cert manager that is queried for the issuer - * @param x This cert's issuer will be queried in cm - * @return WOLFSSL_SUCCESS on success - * WOLFSSL_FAILURE on error - */ -static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm, - WOLFSSL_X509 *x) -{ - Signer* ca = NULL; -#ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; -#else - DecodedCert cert[1]; -#endif - - if (cm == NULL || x == NULL || x->derCert == NULL) { - WOLFSSL_MSG("No cert DER buffer or NULL cm. Defining " - "WOLFSSL_SIGNER_DER_CERT could solve the issue"); - return WOLFSSL_FAILURE; - } - -#ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return WOLFSSL_FAILURE; -#endif - - /* Use existing CA retrieval APIs that use DecodedCert. */ - InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, cm->heap); - if (ParseCertRelative(cert, CERT_TYPE, 0, NULL, NULL) == 0 - && !cert->selfSigned) { - #ifndef NO_SKID - if (cert->extAuthKeyIdSet) - ca = GetCA(cm, cert->extAuthKeyId); - if (ca == NULL) - ca = GetCAByName(cm, cert->issuerHash); - #else /* NO_SKID */ - ca = GetCA(cm, cert->issuerHash); - #endif /* NO SKID */ - } - FreeDecodedCert(cert); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); -#endif - - if (ca == NULL) - return WOLFSSL_FAILURE; - -#ifdef WOLFSSL_SIGNER_DER_CERT - /* populate issuer with Signer DER */ - if (wolfSSL_X509_d2i_ex(issuer, ca->derCert->buffer, - ca->derCert->length, cm->heap) == NULL) - return WOLFSSL_FAILURE; -#else - /* Create an empty certificate as CA doesn't have a certificate. */ - *issuer = (WOLFSSL_X509 *)XMALLOC(sizeof(WOLFSSL_X509), 0, - DYNAMIC_TYPE_OPENSSL); - if (*issuer == NULL) - return WOLFSSL_FAILURE; - - InitX509((*issuer), 1, NULL); -#endif - - return WOLFSSL_SUCCESS; -} - void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk) { WOLFSSL_STACK *curr; @@ -14344,7 +14407,7 @@ int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject) #endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */ #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \ - defined(KEEP_PEER_CERT) + defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x) { WOLFSSL_ENTER("wolfSSL_X509_dup"); @@ -14362,7 +14425,8 @@ WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x) return wolfSSL_X509_d2i_ex(NULL, x->derCert->buffer, x->derCert->length, x->heap); } -#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ +#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_PEER_CERT || \ + SESSION_CERTS */ #if defined(OPENSSL_EXTRA) int wolfSSL_X509_check_ca(WOLFSSL_X509 *x509) @@ -14387,7 +14451,7 @@ long wolfSSL_X509_get_version(const WOLFSSL_X509 *x509) WOLFSSL_ENTER("wolfSSL_X509_get_version"); - if (x509 == NULL){ + if (x509 == NULL) { WOLFSSL_MSG("invalid parameter"); return 0L; } @@ -14631,7 +14695,7 @@ int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey) /* Regenerate since pkey->pkey.ptr may contain private key */ switch (pkey->type) { #if (defined(WOLFSSL_KEY_GEN) || defined(OPENSSL_EXTRA)) && !defined(NO_RSA) - case EVP_PKEY_RSA: + case WC_EVP_PKEY_RSA: { RsaKey* rsa; @@ -14657,7 +14721,7 @@ int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey) #endif /* (WOLFSSL_KEY_GEN || OPENSSL_EXTRA) && !NO_RSA */ #if !defined(HAVE_SELFTEST) && (defined(WOLFSSL_KEY_GEN) || \ defined(WOLFSSL_CERT_GEN)) && !defined(NO_DSA) - case EVP_PKEY_DSA: + case WC_EVP_PKEY_DSA: { DsaKey* dsa; @@ -14675,12 +14739,12 @@ int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey) XFREE(p, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); return WOLFSSL_FAILURE; } - cert->pubKeyOID = RSAk; + cert->pubKeyOID = DSAk; } break; #endif /* !HAVE_SELFTEST && (WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN) && !NO_DSA */ #ifdef HAVE_ECC - case EVP_PKEY_EC: + case WC_EVP_PKEY_EC: { ecc_key* ecc; @@ -14707,6 +14771,7 @@ int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey) default: return WOLFSSL_FAILURE; } + XFREE(cert->pubKey.buffer, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); cert->pubKey.buffer = p; cert->pubKey.length = (unsigned int)derSz; @@ -14761,10 +14826,10 @@ void wolfSSL_X509V3_set_ctx(WOLFSSL_X509V3_CTX* ctx, WOLFSSL_X509* issuer, /* Set parameters in ctx as long as ret == WOLFSSL_SUCCESS */ if (ret == WOLFSSL_SUCCESS && issuer) - ret = wolfSSL_X509_set_issuer_name(ctx->x509,&issuer->issuer); + ret = wolfSSL_X509_set_issuer_name(ctx->x509, &issuer->issuer); if (ret == WOLFSSL_SUCCESS && subject) - ret = wolfSSL_X509_set_subject_name(ctx->x509,&subject->subject); + ret = wolfSSL_X509_set_subject_name(ctx->x509, &subject->subject); if (ret == WOLFSSL_SUCCESS && req) { WOLFSSL_MSG("req not implemented."); @@ -14838,6 +14903,25 @@ void wolfSSL_X509_REQ_free(WOLFSSL_X509* req) wolfSSL_X509_free(req); } +int wolfSSL_X509_REQ_set_version(WOLFSSL_X509 *x, long version) +{ + WOLFSSL_ENTER("wolfSSL_X509_REQ_set_version"); + if ((x == NULL) || (version < 0) || (version >= INT_MAX)) { + return WOLFSSL_FAILURE; + } + x->version = (int)version; + return WOLFSSL_SUCCESS; +} + +long wolfSSL_X509_REQ_get_version(const WOLFSSL_X509 *req) +{ + WOLFSSL_ENTER("wolfSSL_X509_REQ_get_version"); + if (req == NULL) { + return 0; /* invalid arg */ + } + return (long)req->version; +} + int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, const WOLFSSL_EVP_MD *md) { @@ -14900,20 +14984,22 @@ static int regenX509REQDerBuffer(WOLFSSL_X509* x509) { int derSz = X509_BUFFER_SZ; int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); -#ifdef WOLFSSL_SMALL_STACK +#ifndef WOLFSSL_SMALL_STACK + byte der[X509_BUFFER_SZ]; +#else byte* der; + der = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (!der) { WOLFSSL_MSG("malloc failed"); return WOLFSSL_FAILURE; } -#else - byte der[X509_BUFFER_SZ]; #endif if (wolfssl_x509_make_der(x509, 1, der, &derSz, 0) == WOLFSSL_SUCCESS) { FreeDer(&x509->derCert); - if (AllocDer(&x509->derCert, (word32)derSz, CERT_TYPE, x509->heap) == 0) { + if (AllocDer(&x509->derCert, (word32)derSz, CERT_TYPE, + x509->heap) == 0) { XMEMCPY(x509->derCert->buffer, der, derSz); ret = WOLFSSL_SUCCESS; } @@ -15039,13 +15125,13 @@ int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req, WOLFSSL_ENTER("wolfSSL_X509_REQ_add1_attr_by_NID"); - if (!req || !bytes || type != MBSTRING_ASC) { + if (!req || !bytes || type != WOLFSSL_MBSTRING_ASC) { WOLFSSL_MSG("Bad parameter"); return WOLFSSL_FAILURE; } switch (nid) { - case NID_pkcs9_challengePassword: + case WC_NID_pkcs9_challengePassword: if (len < 0) len = (int)XSTRLEN((char*)bytes); if (len < CTC_NAME_SIZE) { @@ -15058,7 +15144,7 @@ int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req, return WOLFSSL_FAILURE; } break; - case NID_serialNumber: + case WC_NID_serialNumber: if (len < 0) len = (int)XSTRLEN((char*)bytes); if (len + 1 > EXTERNAL_SERIAL_SIZE) { @@ -15070,12 +15156,12 @@ int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req, req->serialSz = len; break; - case NID_pkcs9_unstructuredName: - case NID_pkcs9_contentType: - case NID_surname: - case NID_initials: - case NID_givenName: - case NID_dnQualifier: + case WC_NID_pkcs9_unstructuredName: + case WC_NID_pkcs9_contentType: + case WC_NID_surname: + case WC_NID_initials: + case WC_NID_givenName: + case WC_NID_dnQualifier: break; default: @@ -15085,7 +15171,7 @@ int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req, attr = wolfSSL_X509_ATTRIBUTE_new(); ret = wolfSSL_X509_ATTRIBUTE_set(attr, (const char*)bytes, len, - V_ASN1_PRINTABLESTRING, nid); + WOLFSSL_V_ASN1_PRINTABLESTRING, nid); if (ret != WOLFSSL_SUCCESS) { wolfSSL_X509_ATTRIBUTE_free(attr); } @@ -15270,7 +15356,9 @@ void wolfSSL_X509_ATTRIBUTE_free(WOLFSSL_X509_ATTRIBUTE* attr) * */ WOLFSSL_X509_ACERT * wolfSSL_X509_ACERT_new_ex(void* heap) { - WOLFSSL_X509_ACERT* x509; + WOLFSSL_X509_ACERT * x509 = NULL; + + WOLFSSL_ENTER("wolfSSL_X509_ACERT_new"); x509 = (WOLFSSL_X509_ACERT*) XMALLOC(sizeof(WOLFSSL_X509_ACERT), heap, DYNAMIC_TYPE_X509_ACERT); @@ -15300,6 +15388,8 @@ WOLFSSL_X509_ACERT * wolfSSL_X509_ACERT_new(void) * */ void wolfSSL_X509_ACERT_init(WOLFSSL_X509_ACERT * x509, int dynamic, void* heap) { + WOLFSSL_ENTER("wolfSSL_X509_ACERT_init"); + if (x509 == NULL) { WOLFSSL_MSG("error: InitX509Acert: null parameter"); return; @@ -15325,6 +15415,8 @@ void wolfSSL_X509_ACERT_free(WOLFSSL_X509_ACERT * x509) int dynamic = 0; void * heap = NULL; + WOLFSSL_ENTER("wolfSSL_X509_ACERT_free"); + if (x509 == NULL) { WOLFSSL_MSG("error: wolfSSL_X509_ACERT_free: null parameter"); return; @@ -15339,6 +15431,11 @@ void wolfSSL_X509_ACERT_free(WOLFSSL_X509_ACERT * x509) x509->holderIssuerName = NULL; } + if (x509->holderEntityName) { + FreeAltNames(x509->holderEntityName, heap); + x509->holderEntityName = NULL; + } + if (x509->AttCertIssuerName) { FreeAltNames(x509->AttCertIssuerName, heap); x509->AttCertIssuerName = NULL; @@ -15510,15 +15607,15 @@ int wolfSSL_X509_ACERT_verify(WOLFSSL_X509_ACERT* x509, WOLFSSL_EVP_PKEY* pkey) } switch (pkey->type) { - case EVP_PKEY_RSA: + case WC_EVP_PKEY_RSA: pkey_type = RSAk; break; - case EVP_PKEY_EC: + case WC_EVP_PKEY_EC: pkey_type = ECDSAk; break; - case EVP_PKEY_DSA: + case WC_EVP_PKEY_DSA: pkey_type = DSAk; break; diff --git a/src/x509_str.c b/src/x509_str.c index dfb11fb026..b7134f079c 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -36,9 +36,21 @@ #ifndef NO_CERTS -/******************************************************************************* +#ifdef OPENSSL_EXTRA +static int X509StoreGetIssuerEx(WOLFSSL_X509 **issuer, + WOLFSSL_STACK *certs, WOLFSSL_X509 *x); +static int X509StoreAddCa(WOLFSSL_X509_STORE* store, + WOLFSSL_X509* x509, int type); +#endif + +/* Based on OpenSSL default max depth */ +#ifndef WOLFSSL_X509_STORE_DEFAULT_MAX_DEPTH +#define WOLFSSL_X509_STORE_DEFAULT_MAX_DEPTH 100 +#endif + +/****************************************************************************** * START OF X509_STORE_CTX APIs - ******************************************************************************/ + *****************************************************************************/ /* This API is necessary outside of OPENSSL_EXTRA because it is used in * SetupStoreCtxCallback */ @@ -53,11 +65,16 @@ WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new_ex(void* heap) XMEMSET(ctx, 0, sizeof(WOLFSSL_X509_STORE_CTX)); ctx->heap = heap; #ifdef OPENSSL_EXTRA - if (wolfSSL_X509_STORE_CTX_init(ctx, NULL, NULL, NULL) != - WOLFSSL_SUCCESS) { + if ((ctx->owned = wolfSSL_sk_X509_new_null()) == NULL) { XFREE(ctx, heap, DYNAMIC_TYPE_X509_CTX); ctx = NULL; } + if (ctx != NULL && + wolfSSL_X509_STORE_CTX_init(ctx, NULL, NULL, NULL) != + WOLFSSL_SUCCESS) { + wolfSSL_X509_STORE_CTX_free(ctx); + ctx = NULL; + } #endif } @@ -78,6 +95,17 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx) #ifdef OPENSSL_EXTRA XFREE(ctx->param, ctx->heap, DYNAMIC_TYPE_OPENSSL); ctx->param = NULL; + + if (ctx->chain != NULL) { + wolfSSL_sk_X509_free(ctx->chain); + } + if (ctx->owned != NULL) { + wolfSSL_sk_X509_pop_free(ctx->owned, NULL); + } + + if (ctx->current_issuer != NULL) { + wolfSSL_X509_free(ctx->current_issuer); + } #endif XFREE(ctx, ctx->heap, DYNAMIC_TYPE_X509_CTX); @@ -86,6 +114,80 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx) #ifdef OPENSSL_EXTRA +#if ((defined(SESSION_CERTS) && !defined(WOLFSSL_QT)) || \ + defined(WOLFSSL_SIGNER_DER_CERT)) + +/** + * Find the issuing cert of the input cert. On a self-signed cert this + * function will return an error. + * @param issuer The issuer x509 struct is returned here + * @param cm The cert manager that is queried for the issuer + * @param x This cert's issuer will be queried in cm + * @return WOLFSSL_SUCCESS on success + * WOLFSSL_FAILURE on error + */ +static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm, + WOLFSSL_X509 *x) +{ + Signer* ca = NULL; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; +#else + DecodedCert cert[1]; +#endif + + if (cm == NULL || x == NULL || x->derCert == NULL) { + WOLFSSL_MSG("No cert DER buffer or NULL cm. Defining " + "WOLFSSL_SIGNER_DER_CERT could solve the issue"); + return WOLFSSL_FAILURE; + } + +#ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); + if (cert == NULL) + return WOLFSSL_FAILURE; +#endif + + /* Use existing CA retrieval APIs that use DecodedCert. */ + InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, cm->heap); + if (ParseCertRelative(cert, CERT_TYPE, 0, NULL, NULL) == 0 + && !cert->selfSigned) { + #ifndef NO_SKID + if (cert->extAuthKeyIdSet) + ca = GetCA(cm, cert->extAuthKeyId); + if (ca == NULL) + ca = GetCAByName(cm, cert->issuerHash); + #else /* NO_SKID */ + ca = GetCA(cm, cert->issuerHash); + #endif /* NO SKID */ + } + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); +#endif + + if (ca == NULL) + return WOLFSSL_FAILURE; + +#ifdef WOLFSSL_SIGNER_DER_CERT + /* populate issuer with Signer DER */ + if (wolfSSL_X509_d2i_ex(issuer, ca->derCert->buffer, + ca->derCert->length, cm->heap) == NULL) + return WOLFSSL_FAILURE; +#else + /* Create an empty certificate as CA doesn't have a certificate. */ + *issuer = (WOLFSSL_X509 *)XMALLOC(sizeof(WOLFSSL_X509), 0, + DYNAMIC_TYPE_OPENSSL); + if (*issuer == NULL) + return WOLFSSL_FAILURE; + + InitX509((*issuer), 1, NULL); +#endif + + return WOLFSSL_SUCCESS; +} +#endif /* SESSION_CERTS || WOLFSSL_SIGNER_DER_CERT */ + WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new(void) { WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_new"); @@ -96,8 +198,6 @@ int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509, WOLF_STACK_OF(WOLFSSL_X509)* sk) { - int ret = 0; - (void)sk; WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_init"); if (ctx != NULL) { @@ -106,52 +206,24 @@ int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, ctx->current_cert = x509; #else if(x509 != NULL){ - ctx->current_cert = wolfSSL_X509_d2i_ex(NULL, x509->derCert->buffer, - x509->derCert->length, x509->heap); + ctx->current_cert = wolfSSL_X509_d2i_ex(NULL, + x509->derCert->buffer, + x509->derCert->length, + x509->heap); if(ctx->current_cert == NULL) return WOLFSSL_FAILURE; } else ctx->current_cert = NULL; #endif - ctx->chain = sk; - /* Add intermediate certs, that verify to a loaded CA, to the store */ - if (sk != NULL) { - byte addedAtLeastOne = 1; - WOLF_STACK_OF(WOLFSSL_X509)* head = wolfSSL_shallow_sk_dup(sk); - if (head == NULL) - return WOLFSSL_FAILURE; - while (addedAtLeastOne) { - WOLF_STACK_OF(WOLFSSL_X509)* cur = head; - WOLF_STACK_OF(WOLFSSL_X509)** prev = &head; - addedAtLeastOne = 0; - while (cur) { - WOLFSSL_X509* cert = cur->data.x509; - if (cert != NULL && cert->derCert != NULL && - wolfSSL_CertManagerVerifyBuffer(store->cm, - cert->derCert->buffer, - cert->derCert->length, - WOLFSSL_FILETYPE_ASN1) == WOLFSSL_SUCCESS) { - ret = wolfSSL_X509_STORE_add_cert(store, cert); - if (ret < 0) { - wolfSSL_sk_free(head); - return WOLFSSL_FAILURE; - } - addedAtLeastOne = 1; - *prev = cur->next; - wolfSSL_sk_free_node(cur); - cur = *prev; - } - else { - prev = &cur->next; - cur = cur->next; - } - } - } - wolfSSL_sk_free(head); + ctx->ctxIntermediates = sk; + if (ctx->chain != NULL) { + wolfSSL_sk_X509_free(ctx->chain); + ctx->chain = NULL; } - +#ifdef SESSION_CERTS ctx->sesChain = NULL; +#endif ctx->domain = NULL; #ifdef HAVE_EX_DATA XMEMSET(&ctx->ex_data, 0, sizeof(ctx->ex_data)); @@ -192,10 +264,11 @@ void wolfSSL_X509_STORE_CTX_cleanup(WOLFSSL_X509_STORE_CTX* ctx) } -void wolfSSL_X509_STORE_CTX_trusted_stack(WOLFSSL_X509_STORE_CTX *ctx, WOLF_STACK_OF(WOLFSSL_X509) *sk) +void wolfSSL_X509_STORE_CTX_trusted_stack(WOLFSSL_X509_STORE_CTX *ctx, + WOLF_STACK_OF(WOLFSSL_X509) *sk) { if (ctx != NULL) { - ctx->chain = sk; + ctx->setTrustedSk = sk; } } @@ -224,11 +297,11 @@ int GetX509Error(int e) /* We can't disambiguate if its the before or after date that caused * the error. Assume expired. */ case WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR): - return X509_V_ERR_CRL_HAS_EXPIRED; + return WOLFSSL_X509_V_ERR_CRL_HAS_EXPIRED; case WC_NO_ERR_TRACE(CRL_CERT_REVOKED): return WOLFSSL_X509_V_ERR_CERT_REVOKED; case WC_NO_ERR_TRACE(CRL_MISSING): - return X509_V_ERR_UNABLE_TO_GET_CRL; + return WOLFSSL_X509_V_ERR_UNABLE_TO_GET_CRL; case 0: case 1: return 0; @@ -242,45 +315,50 @@ int GetX509Error(int e) } } +static void SetupStoreCtxError_ex(WOLFSSL_X509_STORE_CTX* ctx, int ret, + int depth) +{ + int error = GetX509Error(ret); + + wolfSSL_X509_STORE_CTX_set_error(ctx, error); + wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth); +} + static void SetupStoreCtxError(WOLFSSL_X509_STORE_CTX* ctx, int ret) { int depth = 0; - int error = GetX509Error(ret); /* Set error depth */ if (ctx->chain) depth = (int)ctx->chain->num; - wolfSSL_X509_STORE_CTX_set_error(ctx, error); - wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth); + SetupStoreCtxError_ex(ctx, ret, depth); } -/* Verifies certificate chain using WOLFSSL_X509_STORE_CTX - * returns 0 on success or < 0 on failure. - */ -int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) +static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) { - WOLFSSL_ENTER("wolfSSL_X509_verify_cert"); - - if (ctx != NULL && ctx->store != NULL && ctx->store->cm != NULL - && ctx->current_cert != NULL && ctx->current_cert->derCert != NULL) { - int ret = wolfSSL_CertManagerVerifyBuffer(ctx->store->cm, - ctx->current_cert->derCert->buffer, - ctx->current_cert->derCert->length, - WOLFSSL_FILETYPE_ASN1); + int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); + WOLFSSL_ENTER("X509StoreVerifyCert"); + + if (ctx->current_cert != NULL && ctx->current_cert->derCert != NULL) { + ret = wolfSSL_CertManagerVerifyBuffer(ctx->store->cm, + ctx->current_cert->derCert->buffer, + ctx->current_cert->derCert->length, + WOLFSSL_FILETYPE_ASN1); SetupStoreCtxError(ctx, ret); #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - if (ctx->store && ctx->store->verify_cb) - ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1 ? 0 : ret; + if (ctx->store->verify_cb) + ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1 ? + WOLFSSL_SUCCESS : ret; #endif #ifndef NO_ASN_TIME if (ret != WC_NO_ERR_TRACE(ASN_BEFORE_DATE_E) && ret != WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)) { /* wolfSSL_CertManagerVerifyBuffer only returns ASN_AFTER_DATE_E or - ASN_BEFORE_DATE_E if there are no additional errors found in the - cert. Therefore, check if the cert is expired or not yet valid - in order to return the correct expected error. */ + * ASN_BEFORE_DATE_E if there are no additional errors found in the + * cert. Therefore, check if the cert is expired or not yet valid + * in order to return the correct expected error. */ byte *afterDate = ctx->current_cert->notAfter.data; byte *beforeDate = ctx->current_cert->notBefore.data; @@ -294,23 +372,219 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) } SetupStoreCtxError(ctx, ret); #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - if (ctx->store && ctx->store->verify_cb) + if (ctx->store->verify_cb) ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, - ctx) == 1 ? 0 : -1; + ctx) == 1 ? WOLFSSL_SUCCESS : -1; + #endif + } + #endif + } + + return ret; +} + +static int addAllButSelfSigned(WOLF_STACK_OF(WOLFSSL_X509)*to, + WOLF_STACK_OF(WOLFSSL_X509)*from, int *numAdded) +{ + int ret = WOLFSSL_SUCCESS; + int i = 0; + int cnt = 0; + WOLFSSL_X509 *x = NULL; + + for (i = 0; i < wolfSSL_sk_X509_num(from); i++) { + x = wolfSSL_sk_X509_value(from, i); + if (wolfSSL_X509_NAME_cmp(&x->issuer, &x->subject) != 0) { + if (wolfSSL_sk_X509_push(to, x) <= 0) { + ret = WOLFSSL_FAILURE; + goto exit; + } + cnt++; + } + } + +exit: + if (numAdded != NULL) { + *numAdded = cnt; + } + return ret; +} + +/* Verifies certificate chain using WOLFSSL_X509_STORE_CTX + * returns 0 on success or < 0 on failure. + */ +int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) +{ + int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); + int done = 0; + int added = 0; + int i = 0; + int numInterAdd = 0; + int depth = 0; + WOLFSSL_X509 *issuer = NULL; + WOLFSSL_X509 *orig = NULL; + WOLF_STACK_OF(WOLFSSL_X509)* certs = NULL; + WOLF_STACK_OF(WOLFSSL_X509)* certsToUse = NULL; + WOLFSSL_ENTER("wolfSSL_X509_verify_cert"); + + if (ctx == NULL || ctx->store == NULL || ctx->store->cm == NULL + || ctx->current_cert == NULL || ctx->current_cert->derCert == NULL) { + return WOLFSSL_FATAL_ERROR; + } + + certs = ctx->store->certs; + if (ctx->setTrustedSk != NULL) { + certs = ctx->setTrustedSk; + } + + if (certs == NULL && + wolfSSL_sk_X509_num(ctx->ctxIntermediates) > 0) { + certsToUse = wolfSSL_sk_X509_new_null(); + ret = addAllButSelfSigned(certsToUse, ctx->ctxIntermediates, NULL); + } + else { + /* Add the intermediates provided on init to the list of untrusted + * intermediates to be used */ + ret = addAllButSelfSigned(certs, ctx->ctxIntermediates, &numInterAdd); + } + if (ret != WOLFSSL_SUCCESS) { + goto exit; + } + + if (ctx->chain != NULL) { + wolfSSL_sk_X509_free(ctx->chain); + } + ctx->chain = wolfSSL_sk_X509_new_null(); + + if (ctx->depth > 0) { + depth = ctx->depth + 1; + } + else { + depth = WOLFSSL_X509_STORE_DEFAULT_MAX_DEPTH + 1; + } + + orig = ctx->current_cert; + while(done == 0 && depth > 0) { + issuer = NULL; + + /* Try to find an untrusted issuer first */ + ret = X509StoreGetIssuerEx(&issuer, certs, + ctx->current_cert); + if (ret == WOLFSSL_SUCCESS) { + if (ctx->current_cert == issuer) { + wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert); + break; + } + + /* We found our issuer in the non-trusted cert list, add it + * to the CM and verify the current cert against it */ + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + /* OpenSSL doesn't allow the cert as CA if it is not CA:TRUE for + * intermediate certs. + */ + if (!issuer->isCa) { + /* error depth is current depth + 1 */ + SetupStoreCtxError_ex(ctx, X509_V_ERR_INVALID_CA, + (ctx->chain) ? (int)(ctx->chain->num + 1) : 1); + if (ctx->store->verify_cb) { + ret = ctx->store->verify_cb(0, ctx); + if (ret != WOLFSSL_SUCCESS) { + goto exit; + } + } + } else { #endif + ret = X509StoreAddCa(ctx->store, issuer, + WOLFSSL_TEMP_CA); + if (ret != WOLFSSL_SUCCESS) { + goto exit; + } + added = 1; + ret = X509StoreVerifyCert(ctx); + if (ret != WOLFSSL_SUCCESS) { + goto exit; + } + /* Add it to the current chain and look at the issuer cert next */ + wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert); + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + } + #endif + ctx->current_cert = issuer; } + else if (ret == WC_NO_ERR_TRACE(WOLFSSL_FAILURE)) { + /* Could not find in untrusted list, only place left is + * a trusted CA in the CM */ + ret = X509StoreVerifyCert(ctx); + if (ret != WOLFSSL_SUCCESS) { + if (((ctx->flags & WOLFSSL_PARTIAL_CHAIN) || + (ctx->store->param->flags & WOLFSSL_PARTIAL_CHAIN)) && + (added == 1)) { + wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert); + ret = WOLFSSL_SUCCESS; + } + goto exit; + } + + /* Cert verified, finish building the chain */ + wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert); + issuer = NULL; + #ifdef WOLFSSL_SIGNER_DER_CERT + x509GetIssuerFromCM(&issuer, ctx->store->cm, ctx->current_cert); + if (issuer != NULL && ctx->owned != NULL) { + wolfSSL_sk_X509_push(ctx->owned, issuer); + } + #else + if (ctx->setTrustedSk == NULL) { + X509StoreGetIssuerEx(&issuer, + ctx->store->trusted, ctx->current_cert); + } + else { + X509StoreGetIssuerEx(&issuer, + ctx->setTrustedSk, ctx->current_cert); + } #endif + if (issuer != NULL) { + wolfSSL_sk_X509_push(ctx->chain, issuer); + } + + done = 1; + } + else { + goto exit; + } - return ret >= 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; + depth--; + } + +exit: + /* Remove additional intermediates from init from the store */ + if (ctx != NULL && numInterAdd > 0) { + for (i = 0; i < numInterAdd; i++) { + wolfSSL_sk_X509_pop(ctx->store->certs); + } } - return WOLFSSL_FATAL_ERROR; + /* Remove intermediates that were added to CM */ + if (ctx != NULL) { + if (ctx->store != NULL) { + if (added == 1) { + wolfSSL_CertManagerUnloadTempIntermediateCerts(ctx->store->cm); + } + } + if (orig != NULL) { + ctx->current_cert = orig; + } + } + if (certsToUse != NULL) { + wolfSSL_sk_X509_free(certsToUse); + } + + return ret == WOLFSSL_SUCCESS ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; } #endif /* OPENSSL_EXTRA */ #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert( - WOLFSSL_X509_STORE_CTX* ctx) + WOLFSSL_X509_STORE_CTX* ctx) { WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert"); if (ctx) @@ -408,14 +682,6 @@ int wolfSSL_X509_STORE_CTX_set_purpose(WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_STUB("wolfSSL_X509_STORE_CTX_set_purpose (not implemented)"); return 0; } - -void wolfSSL_X509_STORE_CTX_set_flags(WOLFSSL_X509_STORE_CTX *ctx, - unsigned long flags) -{ - (void)ctx; - (void)flags; - WOLFSSL_STUB("wolfSSL_X509_STORE_CTX_set_flags (not implemented)"); -} #endif /* !NO_WOLFSSL_STUB */ #endif /* WOLFSSL_QT || OPENSSL_ALL */ @@ -423,6 +689,14 @@ void wolfSSL_X509_STORE_CTX_set_flags(WOLFSSL_X509_STORE_CTX *ctx, #ifdef OPENSSL_EXTRA +void wolfSSL_X509_STORE_CTX_set_flags(WOLFSSL_X509_STORE_CTX *ctx, + unsigned long flags) +{ + if ((ctx != NULL) && (flags & WOLFSSL_PARTIAL_CHAIN)){ + ctx->flags |= WOLFSSL_PARTIAL_CHAIN; + } +} + /* set X509_STORE_CTX ex_data, max idx is MAX_EX_DATA. Return WOLFSSL_SUCCESS * on success, WOLFSSL_FAILURE on error. */ int wolfSSL_X509_STORE_CTX_set_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx, @@ -454,8 +728,8 @@ int wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup( WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_ex_data_with_cleanup"); if (ctx != NULL) { - return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, data, - cleanup_routine); + return wolfSSL_CRYPTO_set_ex_data_with_cleanup(&ctx->ex_data, idx, + data, cleanup_routine); } return WOLFSSL_FAILURE; } @@ -470,22 +744,24 @@ void wolfSSL_X509_STORE_CTX_set_depth(WOLFSSL_X509_STORE_CTX* ctx, int depth) } #endif - WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get0_current_issuer( WOLFSSL_X509_STORE_CTX* ctx) { - int ret; - WOLFSSL_X509* issuer; - + WOLFSSL_STACK* node; WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get0_current_issuer"); - if (ctx == NULL) { + if (ctx == NULL) return NULL; - } - ret = wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, ctx->current_cert); - if (ret == WOLFSSL_SUCCESS) { - return issuer; + /* get0 only checks currently built chain */ + if (ctx->chain != NULL) { + for (node = ctx->chain; node != NULL; node = node->next) { + if (wolfSSL_X509_check_issued(node->data.x509, + ctx->current_cert) == + WOLFSSL_X509_V_OK) { + return node->data.x509; + } + } } return NULL; @@ -505,7 +781,7 @@ void wolfSSL_X509_STORE_CTX_set_error(WOLFSSL_X509_STORE_CTX* ctx, int er) /* Set the error depth in the X509 STORE CTX */ void wolfSSL_X509_STORE_CTX_set_error_depth(WOLFSSL_X509_STORE_CTX* ctx, - int depth) + int depth) { WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_error_depth"); @@ -533,7 +809,8 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx) if (sk == NULL) return NULL; -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) +#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ + defined(OPENSSL_EXTRA) /* add CA used to verify top of chain to the list */ if (c->count > 0) { WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1); @@ -734,34 +1011,63 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs( int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_X509 *x) { - WOLFSSL_STACK* node; + int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); + WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get1_issuer"); if (issuer == NULL || ctx == NULL || x == NULL) return WOLFSSL_FATAL_ERROR; - if (ctx->chain != NULL) { - for (node = ctx->chain; node != NULL; node = node->next) { - if (wolfSSL_X509_check_issued(node->data.x509, x) == - WOLFSSL_X509_V_OK) { - *issuer = x; + ret = X509StoreGetIssuerEx(issuer, ctx->store->certs, x); + if ((ret == WOLFSSL_SUCCESS) && (*issuer != NULL)) { + return wolfSSL_X509_up_ref(*issuer); + } + +#ifdef WOLFSSL_SIGNER_DER_CERT + ret = x509GetIssuerFromCM(issuer, ctx->store->cm, x); +#else + ret = X509StoreGetIssuerEx(issuer, ctx->store->trusted, x); + if ((ret == WOLFSSL_SUCCESS) && (*issuer != NULL)) { + return wolfSSL_X509_up_ref(*issuer); + } +#endif + + return ret; +} +#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */ + +#ifdef OPENSSL_EXTRA + +static int X509StoreGetIssuerEx(WOLFSSL_X509 **issuer, + WOLFSSL_STACK * certs, WOLFSSL_X509 *x) +{ + int i; + + if (issuer == NULL || x == NULL) + return WOLFSSL_FATAL_ERROR; + + if (certs != NULL) { + for (i = 0; i < wolfSSL_sk_X509_num(certs); i++) { + if (wolfSSL_X509_check_issued( + wolfSSL_sk_X509_value(certs, i), x) == + WOLFSSL_X509_V_OK) { + *issuer = wolfSSL_sk_X509_value(certs, i); return WOLFSSL_SUCCESS; } } } - /* Result is ignored when passed to wolfSSL_OCSP_cert_to_id(). */ - - return x509GetIssuerFromCM(issuer, ctx->store->cm, x); + return WOLFSSL_FAILURE; } -#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */ -/******************************************************************************* +#endif + +/****************************************************************************** * END OF X509_STORE_CTX APIs - ******************************************************************************/ + *****************************************************************************/ -/******************************************************************************* +/****************************************************************************** * START OF X509_STORE APIs - ******************************************************************************/ + *****************************************************************************/ #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ defined(WOLFSSL_WPAS_SMALL) @@ -789,10 +1095,25 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void) if ((store->cm = wolfSSL_CertManagerNew()) == NULL) goto err_exit; +#ifdef OPENSSL_EXTRA + if ((store->certs = wolfSSL_sk_X509_new_null()) == NULL) + goto err_exit; + + if ((store->owned = wolfSSL_sk_X509_new_null()) == NULL) + goto err_exit; + +#if !defined(WOLFSSL_SIGNER_DER_CERT) + if ((store->trusted = wolfSSL_sk_X509_new_null()) == NULL) + goto err_exit; +#endif +#endif + #ifdef HAVE_CRL store->crl = store->cm->crl; #endif + store->numAdded = 0; + #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) /* Link store's new Certificate Manager to self by default */ @@ -827,6 +1148,30 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void) return NULL; } +#ifdef OPENSSL_ALL +static void X509StoreFreeObjList(WOLFSSL_X509_STORE* store, + WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* objs) +{ + int i; + WOLFSSL_X509_OBJECT *obj = NULL; + int cnt = store->numAdded; + + i = wolfSSL_sk_X509_OBJECT_num(objs) - 1; + while (cnt > 0 && i > 0) { + /* The inner X509 is owned by somebody else, NULL out the reference */ + obj = (WOLFSSL_X509_OBJECT *)wolfSSL_sk_X509_OBJECT_value(objs, i); + if (obj != NULL) { + obj->type = (WOLFSSL_X509_LOOKUP_TYPE)0; + obj->data.ptr = NULL; + } + cnt--; + i--; + } + + wolfSSL_sk_X509_OBJECT_pop_free(objs, NULL); +} +#endif + void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) { int doFree = 0; @@ -849,9 +1194,25 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) wolfSSL_CertManagerFree(store->cm); store->cm = NULL; } +#if defined(OPENSSL_EXTRA) + if (store->certs != NULL) { + wolfSSL_sk_X509_free(store->certs); + store->certs = NULL; + } + if (store->owned != NULL) { + wolfSSL_sk_X509_pop_free(store->owned, wolfSSL_X509_free); + store->owned = NULL; + } +#if !defined(WOLFSSL_SIGNER_DER_CERT) + if (store->trusted != NULL) { + wolfSSL_sk_X509_free(store->trusted); + store->trusted = NULL; + } +#endif +#endif #ifdef OPENSSL_ALL if (store->objs != NULL) { - wolfSSL_sk_X509_OBJECT_pop_free(store->objs, NULL); + X509StoreFreeObjList(store, store->objs); } #endif #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) @@ -861,7 +1222,8 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) if (store->lookup.dirs != NULL) { #if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) if (store->lookup.dirs->dir_entry) { - wolfSSL_sk_BY_DIR_entry_free(store->lookup.dirs->dir_entry); + wolfSSL_sk_BY_DIR_entry_free( + store->lookup.dirs->dir_entry); } #endif wc_FreeMutex(&store->lookup.dirs->lock); @@ -923,7 +1285,7 @@ int wolfSSL_X509_STORE_up_ref(WOLFSSL_X509_STORE* store) * @return WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE on failure */ int wolfSSL_X509_STORE_set_ex_data(WOLFSSL_X509_STORE* store, int idx, - void *data) + void *data) { WOLFSSL_ENTER("wolfSSL_X509_STORE_set_ex_data"); #ifdef HAVE_EX_DATA @@ -1010,22 +1372,68 @@ WOLFSSL_X509_LOOKUP* wolfSSL_X509_STORE_add_lookup(WOLFSSL_X509_STORE* store, return &store->lookup; } -int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509) +static int X509StoreAddCa(WOLFSSL_X509_STORE* store, + WOLFSSL_X509* x509, int type) { int result = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR); + DerBuffer* derCert = NULL; - WOLFSSL_ENTER("wolfSSL_X509_STORE_add_cert"); - if (store != NULL && store->cm != NULL && x509 != NULL - && x509->derCert != NULL) { - DerBuffer* derCert = NULL; - + WOLFSSL_ENTER("X509StoreAddCa"); + if (store != NULL && x509 != NULL && x509->derCert != NULL) { result = AllocDer(&derCert, x509->derCert->length, x509->derCert->type, NULL); if (result == 0) { /* AddCA() frees the buffer. */ XMEMCPY(derCert->buffer, x509->derCert->buffer, x509->derCert->length); - result = AddCA(store->cm, &derCert, WOLFSSL_USER_CA, VERIFY); + result = AddCA(store->cm, &derCert, type, VERIFY); + } + } + + return result; +} + + +int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509) +{ + int result = WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR); + + WOLFSSL_ENTER("wolfSSL_X509_STORE_add_cert"); + if (store != NULL && store->cm != NULL && x509 != NULL + && x509->derCert != NULL) { + /* Mimic the openssl behavior, must be self signed to be considered + * trusted, addCA() internals will do additional checks for + * CA=TRUE */ + if (wolfSSL_X509_NAME_cmp(&x509->issuer, &x509->subject) == 0) { + result = X509StoreAddCa(store, x509, WOLFSSL_USER_CA); + #if !defined(WOLFSSL_SIGNER_DER_CERT) + if (result == WOLFSSL_SUCCESS && store->trusted != NULL) { + result = wolfSSL_sk_X509_push(store->trusted, x509); + if (result > 0) { + result = WOLFSSL_SUCCESS; + } + else { + result = WOLFSSL_FATAL_ERROR; + } + } + #endif + } + else { + if (store->certs != NULL) { + result = wolfSSL_sk_X509_push(store->certs, x509); + if (result > 0) { + result = WOLFSSL_SUCCESS; + } + else { + result = WOLFSSL_FATAL_ERROR; + } + } + else { + /* If store->certs is NULL, this is an X509_STORE managed by an + * SSL_CTX, preserve behavior and always add as USER_CA */ + result = X509StoreAddCa( + store, x509, WOLFSSL_USER_CA); + } } } @@ -1055,6 +1463,9 @@ int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store, unsigned long flag) ret = wolfSSL_CertManagerDisableCRL(store->cm); } #endif + if (flag & WOLFSSL_PARTIAL_CHAIN) { + store->param->flags |= WOLFSSL_PARTIAL_CHAIN; + } return ret; } @@ -1065,13 +1476,112 @@ int wolfSSL_X509_STORE_set_default_paths(WOLFSSL_X509_STORE* store) return WOLFSSL_SUCCESS; } +int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE *str, + byte *buf, word32 bufLen, int type) +{ + int ret = WOLFSSL_SUCCESS; + + WOLFSSL_X509 *x509 = NULL; + + if (str == NULL || buf == NULL) { + return WOLFSSL_FAILURE; + } + + /* OpenSSL X509_STORE_load_file fails on DER file, we will as well */ + x509 = wolfSSL_X509_load_certificate_buffer(buf, bufLen, type); + if (str->owned != NULL) { + if (wolfSSL_sk_X509_push(str->owned, x509) <= 0) { + ret = WOLFSSL_FAILURE; + } + } + if (ret == WOLFSSL_SUCCESS) { + ret = wolfSSL_X509_STORE_add_cert(str, x509); + } + if (ret != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Failed to load file"); + ret = WOLFSSL_FAILURE; + } + if (ret != WOLFSSL_SUCCESS || str->owned == NULL) { + wolfSSL_X509_free(x509); + } + + return ret; +} + #if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) + +static int X509StoreReadFile(const char *fname, + StaticBuffer *content, word32 *bytesRead, int *type) +{ + int ret = -1; + long sz = 0; +#ifdef HAVE_CRL + const char* header = NULL; + const char* footer = NULL; +#endif + + ret = wolfssl_read_file_static(fname, content, NULL, DYNAMIC_TYPE_FILE, + &sz); + if (ret == 0) { + *type = CERT_TYPE; + *bytesRead = (word32)sz; +#ifdef HAVE_CRL + /* Look for CRL header and footer. */ + if (wc_PemGetHeaderFooter(CRL_TYPE, &header, &footer) == 0 && + (XSTRNSTR((char*)content->buffer, header, (word32)sz) != + NULL)) { + *type = CRL_TYPE; + } +#endif + } + + return (ret == 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE); +} + +static int X509StoreLoadFile(WOLFSSL_X509_STORE *str, + const char *fname) +{ + int ret = WOLFSSL_SUCCESS; + int type = 0; +#ifndef WOLFSSL_SMALL_STACK + byte stackBuffer[FILE_BUFFER_SIZE]; +#endif + StaticBuffer content; + word32 contentLen = 0; + +#ifdef WOLFSSL_SMALL_STACK + static_buffer_init(&content); +#else + static_buffer_init(&content, stackBuffer, FILE_BUFFER_SIZE); +#endif + + ret = X509StoreReadFile(fname, &content, &contentLen, &type); + if (ret != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Failed to load file"); + ret = WOLFSSL_FAILURE; + } + + if ((ret == WOLFSSL_SUCCESS) && (type == CERT_TYPE)) { + ret = X509StoreLoadCertBuffer(str, content.buffer, + contentLen, WOLFSSL_FILETYPE_PEM); + } +#ifdef HAVE_CRL + else if ((ret == WOLFSSL_SUCCESS) && (type == CRL_TYPE)) { + ret = BufferLoadCRL(str->cm->crl, content.buffer, contentLen, + WOLFSSL_FILETYPE_PEM, 0); + } +#endif + + static_buffer_free(&content, NULL, DYNAMIC_TYPE_FILE); + return ret; +} + /* Loads certificate(s) files in pem format into X509_STORE struct from either * a file or directory. * Returns WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE if an error occurs. */ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, - const char *file, const char *dir) + const char *file, const char *dir) { WOLFSSL_CTX* ctx; char *name = NULL; @@ -1111,10 +1621,7 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, /* Load individual file */ if (file) { - /* Try to process file with type DETECT_CERT_TYPE to parse the - correct certificate header and footer type */ - ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, DETECT_CERT_TYPE, - NULL, 0, str->cm->crl, 0); + ret = X509StoreLoadFile(str, file); if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Failed to load file"); ret = WOLFSSL_FAILURE; @@ -1127,7 +1634,7 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, #ifdef WOLFSSL_SMALL_STACK readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), ctx->heap, - DYNAMIC_TYPE_TMP_BUFFER); + DYNAMIC_TYPE_TMP_BUFFER); if (readCtx == NULL) { WOLFSSL_MSG("Memory error"); wolfSSL_CTX_free(ctx); @@ -1139,10 +1646,8 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, ret = wc_ReadDirFirst(readCtx, dir, &name); while (ret == 0 && name) { WOLFSSL_MSG(name); - /* Try to process file with type DETECT_CERT_TYPE to parse the - correct certificate header and footer type */ - ret = ProcessFile(ctx, name, WOLFSSL_FILETYPE_PEM, DETECT_CERT_TYPE, - NULL, 0, str->cm->crl, 0); + + ret = X509StoreLoadFile(str, name); /* Not failing on load errors */ if (ret != WOLFSSL_SUCCESS) WOLFSSL_MSG("Failed to load file in path, continuing"); @@ -1185,17 +1690,23 @@ int wolfSSL_X509_CA_num(WOLFSSL_X509_STORE* store) } table = store->cm->caTable; - if (table){ + if (table || (store->certs != NULL)){ if (wc_LockMutex(&store->cm->caLock) == 0){ - int i = 0; - for (i = 0; i < CA_TABLE_SIZE; i++) { - Signer* signer = table[i]; - while (signer) { - Signer* next = signer->next; - cnt_ret++; - signer = next; + if (table) { + int i = 0; + for (i = 0; i < CA_TABLE_SIZE; i++) { + Signer* signer = table[i]; + while (signer) { + Signer* next = signer->next; + cnt_ret++; + signer = next; + } } } + + if (store->certs != NULL) { + cnt_ret += wolfSSL_sk_X509_num(store->certs); + } wc_UnLockMutex(&store->cm->caLock); } } @@ -1204,7 +1715,8 @@ int wolfSSL_X509_CA_num(WOLFSSL_X509_STORE* store) } /****************************************************************************** -* wolfSSL_X509_STORE_GetCerts - retrieve stack of X509 in a certificate store ctx +* wolfSSL_X509_STORE_GetCerts - retrieve stack of X509 in a certificate +* store ctx * * This API can be used in SSL verify callback function to view cert chain * See examples/client/client.c and myVerify() function in test.h @@ -1235,7 +1747,8 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_GetCerts(WOLFSSL_X509_STORE_CTX* s) /* get certificate buffer */ cert = &s->certs[certIdx]; - dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); + dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_DCERT); if (dCert == NULL) { goto error; @@ -1298,7 +1811,14 @@ WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* wolfSSL_X509_STORE_get0_objects( { WOLFSSL_STACK* ret = NULL; WOLFSSL_STACK* cert_stack = NULL; +#if ((defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM)) || \ + (defined(HAVE_CRL))) + WOLFSSL_X509_OBJECT* obj = NULL; +#endif +#if defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) WOLFSSL_X509* x509 = NULL; + int i = 0; +#endif WOLFSSL_ENTER("wolfSSL_X509_STORE_get0_objects"); if (store == NULL || store->cm == NULL) { @@ -1309,7 +1829,7 @@ WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* wolfSSL_X509_STORE_get0_objects( if (store->objs != NULL) { #if defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) /* want to update objs stack by cm stack again before returning it*/ - wolfSSL_sk_X509_OBJECT_pop_free(store->objs, NULL); + X509StoreFreeObjList(store, store->objs); store->objs = NULL; #else if (wolfSSL_sk_X509_OBJECT_num(store->objs) == 0) { @@ -1329,9 +1849,25 @@ WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* wolfSSL_X509_STORE_get0_objects( #if defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) cert_stack = wolfSSL_CertManagerGetCerts(store->cm); - /* wolfSSL_sk_X509_pop checks for NULL */ - while ((x509 = wolfSSL_sk_X509_pop(cert_stack)) != NULL) { - WOLFSSL_X509_OBJECT* obj = wolfSSL_X509_OBJECT_new(); + store->numAdded = 0; + if (cert_stack == NULL && wolfSSL_sk_X509_num(store->certs) > 0) { + cert_stack = wolfSSL_sk_X509_new_null(); + if (cert_stack == NULL) { + WOLFSSL_MSG("wolfSSL_sk_X509_OBJECT_new error"); + goto err_cleanup; + } + } + for (i = 0; i < wolfSSL_sk_X509_num(store->certs); i++) { + if (wolfSSL_sk_X509_push(cert_stack, + wolfSSL_sk_X509_value(store->certs, i)) > 0) { + store->numAdded++; + } + } + /* Do not modify stack until after we guarantee success to + * simplify cleanup logic handling cert merging above */ + for (i = 0; i < wolfSSL_sk_X509_num(cert_stack); i++) { + x509 = (WOLFSSL_X509 *)wolfSSL_sk_value(cert_stack, i); + obj = wolfSSL_X509_OBJECT_new(); if (obj == NULL) { WOLFSSL_MSG("wolfSSL_X509_OBJECT_new error"); goto err_cleanup; @@ -1343,13 +1879,16 @@ WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* wolfSSL_X509_STORE_get0_objects( } obj->type = WOLFSSL_X509_LU_X509; obj->data.x509 = x509; - x509 = NULL; + } + + while (wolfSSL_sk_X509_num(cert_stack) > 0) { + wolfSSL_sk_X509_pop(cert_stack); } #endif #ifdef HAVE_CRL if (store->cm->crl != NULL) { - WOLFSSL_X509_OBJECT* obj = wolfSSL_X509_OBJECT_new(); + obj = wolfSSL_X509_OBJECT_new(); if (obj == NULL) { WOLFSSL_MSG("wolfSSL_X509_OBJECT_new error"); goto err_cleanup; @@ -1370,11 +1909,14 @@ WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* wolfSSL_X509_STORE_get0_objects( return ret; err_cleanup: if (ret != NULL) - wolfSSL_sk_X509_OBJECT_pop_free(ret, NULL); - if (cert_stack != NULL) + X509StoreFreeObjList(store, ret); + if (cert_stack != NULL) { + while (store->numAdded > 0) { + wolfSSL_sk_X509_pop(cert_stack); + store->numAdded--; + } wolfSSL_sk_X509_pop_free(cert_stack, NULL); - if (x509 != NULL) - wolfSSL_X509_free(x509); + } return NULL; } #endif /* OPENSSL_ALL */ @@ -1400,9 +1942,9 @@ int wolfSSL_X509_STORE_set1_param(WOLFSSL_X509_STORE *ctx, #endif #endif -/******************************************************************************* +/****************************************************************************** * END OF X509_STORE APIs - ******************************************************************************/ + *****************************************************************************/ #endif /* NO_CERTS */ diff --git a/sslSniffer/README.md b/sslSniffer/README.md index 27a6f52781..dbf68955ed 100644 --- a/sslSniffer/README.md +++ b/sslSniffer/README.md @@ -197,7 +197,7 @@ Frees all resources consumed by the wolfSSL sniffer and should be called when us int ssl_Trace(const char* traceFile, char* error); ``` -Enables Tracing when a file is passed in. Disables Tracing if previously on and a NULL value is passed in for the file. +Enables Tracing when a file is passed in. When `traceFile` is "-", then the trace will be printed to STDOUT. Disables Tracing if previously on and a NULL value is passed in for the file. Returns Values: diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index 0cfb388597..de586f9595 100644 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -145,7 +145,7 @@ enum { #endif #define DEFAULT_SERVER_IP "127.0.0.1" -#define DEFAULT_SERVER_PORT (443) +#define DEFAULT_SERVER_PORT (11111) #ifdef WOLFSSL_SNIFFER_WATCH static const byte rsaHash[] = { @@ -166,6 +166,7 @@ static const byte eccHash[] = { static pcap_t* pcap = NULL; static pcap_if_t* alldevs = NULL; static struct bpf_program pcap_fp; +static const char *traceFile = "./tracefile.txt"; static void FreeAll(void) { @@ -377,7 +378,6 @@ static int load_key(const char* name, const char* server, int port, if (loadCount == 0) { printf("Failed loading private key %s: ret %d\n", keyFile, ret); - printf("Please run directly from wolfSSL root dir\n"); ret = -1; } else { @@ -843,7 +843,7 @@ static void* snifferWorker(void* arg) char err[PCAP_ERRBUF_SIZE]; ssl_InitSniffer_ex2(worker->id); - ssl_Trace("./tracefile.txt", err); + ssl_Trace(traceFile, err); ssl_EnableRecovery(1, -1, err); #ifdef WOLFSSL_SNIFFER_WATCH ssl_SetWatchKeyCallback(myWatchCb, err); @@ -951,39 +951,90 @@ int main(int argc, char** argv) int i = 0, defDev = 0; int packetNumber = 0; int frame = ETHER_IF_FRAME_LEN; + char cmdLineArg[128]; + char *pcapFile = NULL; + char *deviceName = NULL; char err[PCAP_ERRBUF_SIZE]; - char filter[32]; + char filter[128]; const char *keyFilesSrc = NULL; #ifdef WOLFSSL_SNIFFER_KEYLOGFILE const char *sslKeyLogFile = NULL; #endif /* WOLFSSL_SNIFFER_KEYLOGFILE */ char keyFilesBuf[MAX_FILENAME_SZ]; char keyFilesUser[MAX_FILENAME_SZ]; - const char *server = DEFAULT_SERVER_IP; - int port = DEFAULT_SERVER_PORT; + const char *server = NULL; + int port = -1; const char *sniName = NULL; const char *passwd = NULL; pcap_if_t *d; pcap_addr_t *a; #ifdef THREADED_SNIFFTEST int workerThreadCount; -#ifdef HAVE_SESSION_TICKET - /* Multiple threads on resume not yet supported */ - workerThreadCount = 1; -#else - workerThreadCount = 5; #endif + +#ifdef DEBUG_WOLFSSL + wolfSSL_Debugging_ON(); #endif show_appinfo(); signal(SIGINT, sig_handler); + for (i = 1; i < argc; i++) { + if (strcmp(argv[i], "-pcap") == 0 && i + 1 < argc) { + pcapFile = argv[++i]; + } + else if (strcmp(argv[i], "-deviceName") == 0 && i + 1 < argc) { + deviceName = argv[++i]; + } + else if (strcmp(argv[i], "-key") == 0 && i + 1 < argc) { + keyFilesSrc = argv[++i]; + } + else if (strcmp(argv[i], "-server") == 0 && i + 1 < argc) { + server = argv[++i]; + } + else if (strcmp(argv[i], "-port") == 0 && i + 1 < argc) { + port = XATOI(argv[++i]); + } + else if (strcmp(argv[i], "-password") == 0 && i + 1 < argc) { + passwd = argv[++i]; + } + else if (strcmp(argv[i], "-tracefile") == 0 && i + 1 < argc) { + traceFile = argv[++i]; + } +#if defined(WOLFSSL_SNIFFER_KEYLOGFILE) + else if (strcmp(argv[i], "-keylogfile") == 0 && i + 1 < argc) { + sslKeyLogFile = argv[++i]; + } +#endif /* WOLFSSL_SNIFFER_KEYLOGFILE */ +#if defined(THREADED_SNIFFTEST) + else if (strcmp(argv[i], "-threads") == 0 && i + 1 < argc) { + workerThreadCount = XATOI(argv[++i]); + } +#endif /* THREADED_SNIFFTEST */ + else { + fprintf(stderr, "Error parsing: %s\n", argv[i]); + fprintf(stderr, "Usage: %s -pcap pcap_arg -key key_arg" + " [-deviceName deviceName_arg]" + " [-password password_arg] [-server server_arg]" + " [-port port_arg]" + " [-tracefile tracefile_arg]" +#if defined(WOLFSSL_SNIFFER_KEYLOGFILE) + " [-keylogfile keylogfile_arg]" +#endif /* WOLFSSL_SNIFFER_KEYLOGFILE */ +#if defined(THREADED_SNIFFTEST) + " [-threads threads_arg]" +#endif /* THREADED_SNIFFTEST */ + "\n", argv[0]); + exit(EXIT_FAILURE); + } + } + #ifndef THREADED_SNIFFTEST #ifndef _WIN32 ssl_InitSniffer(); /* dll load on Windows */ #endif - ssl_Trace("./tracefile.txt", err); + ssl_Trace(traceFile, err); ssl_EnableRecovery(1, -1, err); #ifdef WOLFSSL_SNIFFER_WATCH ssl_SetWatchKeyCallback(myWatchCb, err); @@ -991,101 +1042,175 @@ int main(int argc, char** argv) #ifdef WOLFSSL_SNIFFER_STORE_DATA_CB ssl_SetStoreDataCallback(myStoreDataCb); #endif +#else +#ifdef HAVE_SESSION_TICKET + /* Multiple threads on resume not yet supported */ + workerThreadCount = 1; +#else + workerThreadCount = 5; #endif +#endif + SNPRINTF(filter, sizeof(filter), "(ip6 or ip) and tcp"); + - if (argc == 1) { - char cmdLineArg[128]; + if (pcapFile == NULL) { /* normal case, user chooses device and port */ if (pcap_findalldevs(&alldevs, err) == -1) err_sys("Error in pcap_findalldevs"); - for (d = alldevs; d; d=d->next) { - printf("%d. %s", ++i, d->name); - if (strcmp(d->name, "lo0") == 0) { - defDev = i; + if (deviceName == NULL) { + for (d = alldevs, i = 0; d; d=d->next) { + printf("%d. %s", ++i, d->name); + if (strcmp(d->name, "lo0") == 0) { + defDev = i; + } + if (d->description) + printf(" (%s)\n", d->description); + else + printf(" (No description available)\n"); } - if (d->description) - printf(" (%s)\n", d->description); - else - printf(" (No description available)\n"); - } - if (i == 0) - err_sys("No interfaces found! Make sure pcap or WinPcap is" - " installed correctly and you have sufficient permissions"); - - printf("Enter the interface number (1-%d) [default: %d]: ", i, defDev); - XMEMSET(cmdLineArg, 0, sizeof(cmdLineArg)); - if (XFGETS(cmdLineArg, sizeof(cmdLineArg), stdin)) - inum = XATOI(cmdLineArg); - if (inum == 0) - inum = defDev; - else if (inum < 1 || inum > i) - err_sys("Interface number out of range"); - - /* Jump to the selected adapter */ - for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++); + if (i == 0) + err_sys("No interfaces found! Make sure pcap or WinPcap is" + " installed correctly and you have sufficient permissions"); + + printf("Enter the interface number (1-%d) [default: %d]: ", i, defDev); + XMEMSET(cmdLineArg, 0, sizeof(cmdLineArg)); + if (XFGETS(cmdLineArg, sizeof(cmdLineArg), stdin)) + inum = XATOI(cmdLineArg); + if (inum == 0) + inum = defDev; + else if (inum < 1 || inum > i) + err_sys("Interface number out of range"); + + /* Jump to the selected adapter */ + for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++); + } else { + int deviceNameSz = (int)XSTRLEN(deviceName); + for (d = alldevs; d; d = d->next) { + if (XSTRNCMP(d->name,deviceName,deviceNameSz) == 0) { + fprintf(stderr, "%s == %s\n", d->name, deviceName); + break; + } + } + if (d == NULL) { + err_sys("Can't find the device you're looking for"); + } + } + printf("Selected %s\n", d->name); pcap = pcap_create(d->name, err); - - if (pcap == NULL) printf("pcap_create failed %s\n", err); - - /* print out addresses for selected interface */ - for (a = d->addresses; a; a = a->next) { - if (a->addr->sa_family == AF_INET) { - server = - iptos(&((struct sockaddr_in *)a->addr)->sin_addr); - printf("server = %s\n", server); - } - else if (a->addr->sa_family == AF_INET6) { - server = - ip6tos(&((struct sockaddr_in6 *)a->addr)->sin6_addr); - printf("server = %s\n", server); + if (pcap == NULL) fprintf(stderr, "pcap_create failed %s\n", err); + + if (server == NULL) { + /* print out addresses for selected interface */ + for (a = d->addresses; a; a = a->next) { + if (a->addr->sa_family == AF_INET) { + server = + iptos(&((struct sockaddr_in *)a->addr)->sin_addr); + printf("server = %s\n", server); + } + else if (a->addr->sa_family == AF_INET6) { + server = + ip6tos(&((struct sockaddr_in6 *)a->addr)->sin6_addr); + printf("server = %s\n", server); + } } } - if (server == NULL) - err_sys("Unable to get device IPv4 or IPv6 address"); ret = pcap_set_snaplen(pcap, 65536); - if (ret != 0) printf("pcap_set_snaplen failed %s\n", pcap_geterr(pcap)); + if (ret != 0) + fprintf(stderr, "pcap_set_snaplen failed %s\n", pcap_geterr(pcap)); ret = pcap_set_timeout(pcap, 1000); - if (ret != 0) printf("pcap_set_timeout failed %s\n", pcap_geterr(pcap)); + if (ret != 0) + fprintf(stderr, "pcap_set_timeout failed %s\n", pcap_geterr(pcap)); ret = pcap_set_buffer_size(pcap, 1000000); if (ret != 0) - printf("pcap_set_buffer_size failed %s\n", pcap_geterr(pcap)); + fprintf(stderr, "pcap_set_buffer_size failed %s\n", + pcap_geterr(pcap)); ret = pcap_set_promisc(pcap, 1); - if (ret != 0) printf("pcap_set_promisc failed %s\n", pcap_geterr(pcap)); + if (ret != 0) + fprintf(stderr,"pcap_set_promisc failed %s\n", pcap_geterr(pcap)); ret = pcap_activate(pcap); - if (ret != 0) printf("pcap_activate failed %s\n", pcap_geterr(pcap)); + if (ret != 0) + fprintf(stderr, "pcap_activate failed %s\n", pcap_geterr(pcap)); + + } + else { + saveFile = 1; + pcap = pcap_open_offline(pcapFile , err); + if (pcap == NULL) { + fprintf(stderr, "pcap_open_offline failed %s\n", err); + err_sys(err); + } + } - printf("Enter the port to scan [default: 11111]: "); + if (server == NULL) { + server = DEFAULT_SERVER_IP; + } + + if (port < 0) { + printf("Enter the port to scan [default: %d, '0' for all]: ", + DEFAULT_SERVER_PORT); XMEMSET(cmdLineArg, 0, sizeof(cmdLineArg)); if (XFGETS(cmdLineArg, sizeof(cmdLineArg), stdin)) { port = XATOI(cmdLineArg); } - if (port <= 0) - port = 11111; + if ((port < 0) || (cmdLineArg[0] == '\n')) + port = DEFAULT_SERVER_PORT; - SNPRINTF(filter, sizeof(filter), "tcp and port %d", port); + } + if (port > 0) { + SNPRINTF(cmdLineArg, sizeof(filter), " and port %d", port); + XSTRLCAT(filter, cmdLineArg, sizeof(filter)); + } - ret = pcap_compile(pcap, &pcap_fp, filter, 0, 0); - if (ret != 0) printf("pcap_compile failed %s\n", pcap_geterr(pcap)); +#if defined(WOLFSSL_SNIFFER_KEYLOGFILE) + /* If we offer keylog support, then user must provide EITHER a pubkey + * OR a keylog file but NOT both */ + if (keyFilesSrc && sslKeyLogFile) { + fprintf(stderr, + "Error: either -key OR -keylogfile option but NOT both.\n"); + exit(EXIT_FAILURE); + } - ret = pcap_setfilter(pcap, &pcap_fp); - if (ret != 0) printf("pcap_setfilter failed %s\n", pcap_geterr(pcap)); + if (sslKeyLogFile != NULL) { + ret = ssl_LoadSecretsFromKeyLogFile(sslKeyLogFile, err); + if (ret != 0) { + fprintf(stderr, + "ERROR=%d, unable to load secrets from keylog file\n",ret); + err_sys(err); + } + ret = ssl_CreateKeyLogSnifferServer(server, port, err); + if (ret != 0) { + fprintf(stderr, + "ERROR=%d, unable to create keylog sniffer server\n",ret); + err_sys(err); + } + } + else +#endif /* WOLFSSL_SNIFFER_KEYLOGFILE */ + if (keyFilesSrc) { + ret = load_key(NULL, server, port, keyFilesSrc, passwd, err); + if (ret != 0) { + fprintf(stderr, "Failed to load key\n"); + err_sys(err); + } + } + else { /* optionally enter the private key to use */ - #if defined(WOLFSSL_STATIC_EPHEMERAL) && defined(DEFAULT_SERVER_EPH_KEY) +#if defined(WOLFSSL_STATIC_EPHEMERAL) && defined(DEFAULT_SERVER_EPH_KEY) keyFilesSrc = DEFAULT_SERVER_EPH_KEY; - #else +#else keyFilesSrc = DEFAULT_SERVER_KEY; - #endif +#endif printf("Enter the server key [default: %s]: ", keyFilesSrc); XMEMSET(keyFilesBuf, 0, sizeof(keyFilesBuf)); XMEMSET(keyFilesUser, 0, sizeof(keyFilesUser)); @@ -1109,137 +1234,24 @@ int main(int argc, char** argv) } #endif /* !WOLFSSL_SNIFFER_WATCH && HAVE_SNI */ - /* get IPv4 or IPv6 addresses for selected interface */ - for (a = d->addresses; a; a = a->next) { - server = NULL; - if (a->addr->sa_family == AF_INET) { - server = - iptos(&((struct sockaddr_in *)a->addr)->sin_addr); - } - else if (a->addr->sa_family == AF_INET6) { - server = - ip6tos(&((struct sockaddr_in6 *)a->addr)->sin6_addr); - } - - if (server) { - XSTRNCPY(keyFilesBuf, keyFilesSrc, sizeof(keyFilesBuf)); - ret = load_key(sniName, server, port, keyFilesBuf, NULL, err); - if (ret != 0) { - exit(EXIT_FAILURE); - } - } - } - } - else { - char *pcapFile = NULL; - - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "-pcap") == 0 && i + 1 < argc) { - pcapFile = argv[++i]; - } - else if (strcmp(argv[i], "-key") == 0 && i + 1 < argc) { - keyFilesSrc = argv[++i]; - } - else if (strcmp(argv[i], "-server") == 0 && i + 1 < argc) { - server = argv[++i]; - } - else if (strcmp(argv[i], "-port") == 0 && i + 1 < argc) { - port = XATOI(argv[++i]); - } - else if (strcmp(argv[i], "-password") == 0 && i + 1 < argc) { - passwd = argv[++i]; - } -#if defined(WOLFSSL_SNIFFER_KEYLOGFILE) - else if (strcmp(argv[i], "-keylogfile") == 0 && i + 1 < argc) { - sslKeyLogFile = argv[++i]; - } -#endif /* WOLFSSL_SNIFFER_KEYLOGFILE */ -#if defined(THREADED_SNIFFTEST) - else if (strcmp(argv[i], "-threads") == 0 && i + 1 < argc) { - workerThreadCount = XATOI(argv[++i]); - } -#endif /* THREADED_SNIFFTEST */ - else { - fprintf(stderr, "Invalid option or missing argument: %s\n", argv[i]); - fprintf(stderr, "Usage: %s -pcap pcap_arg -key key_arg" - " [-password password_arg] [-server server_arg] [-port port_arg]" -#if defined(WOLFSSL_SNIFFER_KEYLOGFILE) - " [-keylogfile keylogfile_arg]" -#endif /* WOLFSSL_SNIFFER_KEYLOGFILE */ -#if defined(THREADED_SNIFFTEST) - " [-threads threads_arg]" -#endif /* THREADED_SNIFFTEST */ - "\n", argv[0]); - exit(EXIT_FAILURE); - } - } - - if (!pcapFile) { - fprintf(stderr, "Error: -pcap option is required.\n"); + ret = load_key(sniName, server, port, keyFilesBuf, NULL, err); + if (ret != 0) { exit(EXIT_FAILURE); } + } -#if defined(WOLFSSL_SNIFFER_KEYLOGFILE) - /* If we offer keylog support, then user must provide EITHER a pubkey - * OR a keylog file but NOT both */ - if ((!keyFilesSrc && !sslKeyLogFile) || (keyFilesSrc && sslKeyLogFile)) { - fprintf(stderr, "Error: either -key OR -keylogfile option required but NOT both.\n"); - exit(EXIT_FAILURE); - } -#else - if (!keyFilesSrc) { - fprintf(stderr, "Error: -key option is required.\n"); - exit(EXIT_FAILURE); - } -#endif - - saveFile = 1; - pcap = pcap_open_offline(pcapFile , err); - if (pcap == NULL) { - fprintf(stderr, "pcap_open_offline failed %s\n", err); - err_sys(err); - } - else { -#if defined(WOLFSSL_SNIFFER_KEYLOGFILE) - if (sslKeyLogFile != NULL) { - ret = ssl_LoadSecretsFromKeyLogFile(sslKeyLogFile, err); - if (ret != 0) { - fprintf(stderr, "ERROR=%d, unable to load secrets from keylog file\n",ret); - err_sys(err); - } - - ret = ssl_CreateKeyLogSnifferServer(server, port, err); - if (ret != 0) { - fprintf(stderr, "ERROR=%d, unable to create keylog sniffer server\n",ret); - err_sys(err); - } - } - else -#endif /* WOLFSSL_SNIFFER_KEYLOGFILE */ - { - ret = load_key(NULL, server, port, keyFilesSrc, passwd, err); - if (ret != 0) { - fprintf(stderr, "Failed to load key\n"); - err_sys(err); - } - } - - - /* Only let through TCP/IP packets */ - ret = pcap_compile(pcap, &pcap_fp, "(ip6 or ip) and tcp", 0, 0); - if (ret != 0) { - fprintf(stderr, "pcap_compile failed %s\n", pcap_geterr(pcap)); - exit(EXIT_FAILURE); - } - - ret = pcap_setfilter(pcap, &pcap_fp); - if (ret != 0) { - fprintf(stderr, "pcap_setfilter failed %s\n", pcap_geterr(pcap)); - exit(EXIT_FAILURE); - } - + /* Only let through TCP/IP packets */ + printf("Using packet filter: %s\n", filter); + ret = pcap_compile(pcap, &pcap_fp, filter, 0, 0); + if (ret != 0) { + fprintf(stderr, "pcap_compile failed %s\n", pcap_geterr(pcap)); + exit(EXIT_FAILURE); + } - } + ret = pcap_setfilter(pcap, &pcap_fp); + if (ret != 0) { + fprintf(stderr, "pcap_setfilter failed %s\n", pcap_geterr(pcap)); + exit(EXIT_FAILURE); } if (ret != 0) @@ -1263,7 +1275,7 @@ int main(int argc, char** argv) #endif while (1) { - struct pcap_pkthdr header; + struct pcap_pkthdr *header; const unsigned char* packet = NULL; byte* data = NULL; /* pointer to decrypted data */ #ifdef THREADED_SNIFFTEST @@ -1290,22 +1302,28 @@ int main(int argc, char** argv) if (data == NULL) { /* grab next pcap packet */ packetNumber++; - packet = pcap_next(pcap, &header); + if(pcap_next_ex(pcap, &header, &packet) < 0) { + break; + } } if (packet) { - if (header.caplen > 40) { /* min ip(20) + min tcp(20) */ + if (header->caplen > 40) { /* min ip(20) + min tcp(20) */ packet += frame; - header.caplen -= frame; + header->caplen -= frame; } else { /* packet doesn't contain minimum ip/tcp header */ continue; } + if (pcap_datalink(pcap) == DLT_LINUX_SLL) { + packet += 2; + header->caplen -= 2; + } #ifdef THREADED_SNIFFTEST XMEMSET(&info, 0, sizeof(SnifferStreamInfo)); - ret = ssl_DecodePacket_GetStream(&info, packet, header.caplen, err); + ret = ssl_DecodePacket_GetStream(&info, packet, header->caplen, err); /* calculate SnifferStreamInfo checksum */ infoSum = 0; @@ -1328,7 +1346,7 @@ int main(int argc, char** argv) /* add the packet to the worker's linked list */ if (SnifferWorkerPacketAdd(&workers[threadNum], ret, (byte*)packet, - header.caplen, packetNumber)) { + header->caplen, packetNumber)) { printf("Unable to add packet %d to worker", packetNumber); break; } @@ -1337,7 +1355,7 @@ int main(int argc, char** argv) #else /* Decode Packet, ret value will indicate whether a * bad packet was encountered */ - hadBadPacket = DecodePacket((byte*)packet, header.caplen, + hadBadPacket = DecodePacket((byte*)packet, header->caplen, packetNumber,err); #endif } diff --git a/support/gen-debug-trace-error-codes.sh b/support/gen-debug-trace-error-codes.sh index 0b181ae38e..540a95273b 100755 --- a/support/gen-debug-trace-error-codes.sh +++ b/support/gen-debug-trace-error-codes.sh @@ -20,10 +20,12 @@ BEGIN { if ((errcode_a[1] == "MIN_CODE_E") || (errcode_a[1] == "MAX_CODE_E") || - (errcode_a[1] == "WC_FIRST_E") || - (errcode_a[1] == "WC_LAST_E") || - (errcode_a[1] == "WOLFSSL_FIRST_E") || - (errcode_a[1] == "WOLFSSL_LAST_E")) + (errcode_a[1] ~ "WC.*MIN_CODE_E") || + (errcode_a[1] ~ "WC.*MAX_CODE_E") || + (errcode_a[1] ~ "WC.*_FIRST_E") || + (errcode_a[1] ~ "WC.*_LAST_E") || + (errcode_a[1] ~ "WOLFSSL.*_FIRST_E") || + (errcode_a[1] ~ "WOLFSSL.*_LAST_E")) { next; } diff --git a/tests/api.c b/tests/api.c index b334a1c7f0..e7b64124a6 100644 --- a/tests/api.c +++ b/tests/api.c @@ -29,12 +29,7 @@ | Includes *----------------------------------------------------------------------------*/ -#ifdef HAVE_CONFIG_H - #include -#endif - -#include -#undef TEST_OPENSSL_COEXIST /* can't use this option with this example */ +#include #include #include @@ -60,7 +55,6 @@ #include #include -#include #include /* for testing compatibility layer callbacks */ @@ -225,6 +219,7 @@ #include #include #include + #include #ifdef OPENSSL_ALL #include #include @@ -1030,6 +1025,47 @@ static int test_wc_LoadStaticMemory_ex(void) } +static int test_wc_LoadStaticMemory_CTX(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_STATIC_MEMORY) && !defined(NO_WOLFSSL_CLIENT) + byte staticMemory[TEST_LSM_STATIC_SIZE]; + word32 sizeList[TEST_LSM_DEF_BUCKETS] = { TEST_LSM_BUCKETS }; + word32 distList[TEST_LSM_DEF_BUCKETS] = { TEST_LSM_DIST }; + WOLFSSL_HEAP_HINT* heap; + WOLFSSL_CTX *ctx1 = NULL, *ctx2 = NULL; + + + /* Set the size of the static buffer to exactly the minimum size. */ + heap = NULL; + ExpectIntEQ(wc_LoadStaticMemory_ex(&heap, + WOLFMEM_DEF_BUCKETS, sizeList, distList, + staticMemory, sizeof(staticMemory), 0, 1), + 0); + + /* Creating two WOLFSSL_CTX objects from the same heap hint and free'ing + * them should not cause issues. */ + ExpectNotNull((ctx1 = wolfSSL_CTX_new_ex(wolfSSLv23_client_method_ex(heap), + heap))); + wolfSSL_CTX_free(ctx1); + ExpectNotNull((ctx2 = wolfSSL_CTX_new_ex(wolfSSLv23_client_method_ex(heap), + heap))); + wolfSSL_CTX_free(ctx2); + + /* two CTX's at once */ + ExpectNotNull((ctx1 = wolfSSL_CTX_new_ex(wolfSSLv23_client_method_ex(heap), + heap))); + ExpectNotNull((ctx2 = wolfSSL_CTX_new_ex(wolfSSLv23_client_method_ex(heap), + heap))); + wolfSSL_CTX_free(ctx1); + wolfSSL_CTX_free(ctx2); + + wc_UnloadStaticMemory(heap); +#endif /* WOLFSSL_STATIC_MEMORY */ + return EXPECT_RESULT(); +} + + /*----------------------------------------------------------------------------* | Platform dependent function test *----------------------------------------------------------------------------*/ @@ -3408,6 +3444,15 @@ static int test_wolfSSL_CertManagerNameConstraint2(void) ExpectIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz, WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + /* Test no name case. */ + ExpectIntEQ(wolfSSL_X509_add_altname_ex(x509, NULL, 0, ASN_DIR_TYPE), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_altname(x509, "", ASN_DIR_TYPE), + WOLFSSL_SUCCESS); + /* IP not supported. */ + ExpectIntEQ(wolfSSL_X509_add_altname(x509, "127.0.0.1", ASN_IP_TYPE), + WOLFSSL_FAILURE); + /* add in matching DIR alt name and resign */ wolfSSL_X509_add_altname_ex(x509, altName, sizeof(altName), ASN_DIR_TYPE); #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) @@ -7127,15 +7172,10 @@ static int test_wolfSSL_EVP_CIPHER_CTX(void) #if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) || \ defined(HAVE_IO_TESTS_DEPENDENCIES) #ifdef WOLFSSL_HAVE_TLS_UNIQUE - #ifdef WC_SHA512_DIGEST_SIZE - #define MD_MAX_SIZE WC_SHA512_DIGEST_SIZE - #else - #define MD_MAX_SIZE WC_SHA256_DIGEST_SIZE - #endif - byte server_side_msg1[MD_MAX_SIZE] = {0};/* msg sent by server */ - byte server_side_msg2[MD_MAX_SIZE] = {0};/* msg received from client */ - byte client_side_msg1[MD_MAX_SIZE] = {0};/* msg sent by client */ - byte client_side_msg2[MD_MAX_SIZE] = {0};/* msg received from server */ + byte server_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by server */ + byte server_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from client */ + byte client_side_msg1[WC_MAX_DIGEST_SIZE]; /* msg sent by client */ + byte client_side_msg2[WC_MAX_DIGEST_SIZE]; /* msg received from server */ #endif /* WOLFSSL_HAVE_TLS_UNIQUE */ /* TODO: Expand and enable this when EVP_chacha20_poly1305 is supported */ @@ -7688,14 +7728,14 @@ int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb, TEST_SUCCESS); } #ifdef WOLFSSL_HAVE_TLS_UNIQUE - XMEMSET(server_side_msg2, 0, MD_MAX_SIZE); + XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE); msg_len = wolfSSL_get_peer_finished(test_ctx.s_ssl, server_side_msg2, - MD_MAX_SIZE); + WC_MAX_DIGEST_SIZE); ExpectIntGE(msg_len, 0); - XMEMSET(server_side_msg1, 0, MD_MAX_SIZE); + XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE); msg_len = wolfSSL_get_finished(test_ctx.s_ssl, server_side_msg1, - MD_MAX_SIZE); + WC_MAX_DIGEST_SIZE); ExpectIntGE(msg_len, 0); #endif /* WOLFSSL_HAVE_TLS_UNIQUE */ @@ -8059,12 +8099,12 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) } #ifdef WOLFSSL_HAVE_TLS_UNIQUE - XMEMSET(server_side_msg2, 0, MD_MAX_SIZE); - msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, MD_MAX_SIZE); + XMEMSET(server_side_msg2, 0, WC_MAX_DIGEST_SIZE); + msg_len = wolfSSL_get_peer_finished(ssl, server_side_msg2, WC_MAX_DIGEST_SIZE); AssertIntGE(msg_len, 0); - XMEMSET(server_side_msg1, 0, MD_MAX_SIZE); - msg_len = wolfSSL_get_finished(ssl, server_side_msg1, MD_MAX_SIZE); + XMEMSET(server_side_msg1, 0, WC_MAX_DIGEST_SIZE); + msg_len = wolfSSL_get_finished(ssl, server_side_msg1, WC_MAX_DIGEST_SIZE); AssertIntGE(msg_len, 0); #endif /* WOLFSSL_HAVE_TLS_UNIQUE */ @@ -9683,12 +9723,12 @@ static int test_wolfSSL_get_finished_client_on_handshake(WOLFSSL_CTX* ctx, /* get_finished test */ /* 1. get own sent message */ - XMEMSET(client_side_msg1, 0, MD_MAX_SIZE); - msg_len = wolfSSL_get_finished(ssl, client_side_msg1, MD_MAX_SIZE); + XMEMSET(client_side_msg1, 0, WC_MAX_DIGEST_SIZE); + msg_len = wolfSSL_get_finished(ssl, client_side_msg1, WC_MAX_DIGEST_SIZE); ExpectIntGE(msg_len, 0); /* 2. get peer message */ - XMEMSET(client_side_msg2, 0, MD_MAX_SIZE); - msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, MD_MAX_SIZE); + XMEMSET(client_side_msg2, 0, WC_MAX_DIGEST_SIZE); + msg_len = wolfSSL_get_peer_finished(ssl, client_side_msg2, WC_MAX_DIGEST_SIZE); ExpectIntGE(msg_len, 0); return EXPECT_RESULT(); @@ -9711,8 +9751,8 @@ static int test_wolfSSL_get_finished(void) TEST_SUCCESS); /* test received msg vs sent msg */ - ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, MD_MAX_SIZE)); - ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, MD_MAX_SIZE)); + ExpectIntEQ(0, XMEMCMP(client_side_msg1, server_side_msg2, WC_MAX_DIGEST_SIZE)); + ExpectIntEQ(0, XMEMCMP(client_side_msg2, server_side_msg1, WC_MAX_DIGEST_SIZE)); #endif /* HAVE_SSL_MEMIO_TESTS_DEPENDENCIES && WOLFSSL_HAVE_TLS_UNIQUE */ return EXPECT_RESULT(); @@ -10754,9 +10794,9 @@ static int test_wolfSSL_dtls_export(void) ExpectIntGE(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0); /* test importing bad length and bad version */ - version_3[2] += 1; + version_3[2]++; ExpectIntLT(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0); - version_3[2] -= 1; version_3[1] = 0XA0; + version_3[2]--; version_3[1] = 0XA0; ExpectIntLT(wolfSSL_dtls_import(ssl, version_3, sizeof(version_3)), 0); wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); @@ -12774,6 +12814,7 @@ static int test_wolfSSL_X509_NAME_get_entry(void) ExpectNotNull(name = X509_get_subject_name(x509)); ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0); ExpectNotNull(ne = X509_NAME_get_entry(name, idx)); + ExpectNull(X509_NAME_ENTRY_get_data(NULL)); ExpectNotNull(asn = X509_NAME_ENTRY_get_data(ne)); ExpectNotNull(subCN = (char*)ASN1_STRING_data(asn)); wolfSSL_FreeX509(x509); @@ -12791,6 +12832,8 @@ static int test_wolfSSL_X509_NAME_get_entry(void) ExpectNotNull(bio = BIO_new(BIO_s_mem())); ExpectIntEQ(X509_NAME_print_ex(bio, name, 4, (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_NAME_print_ex_fp(XBADFILE, name, 4, + (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_FAILURE); ExpectIntEQ(X509_NAME_print_ex_fp(stderr, name, 4, (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)), WOLFSSL_SUCCESS); BIO_free(bio); @@ -13665,6 +13708,11 @@ static int test_wolfSSL_TBS(void) const unsigned char* tbs; int tbsSz; + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectNull(tbs = wolfSSL_X509_get_tbs(x509, &tbsSz)); + wolfSSL_X509_free(x509); + x509 = NULL; + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(caCertFile, WOLFSSL_FILETYPE_PEM)); @@ -13688,17 +13736,22 @@ static int test_wolfSSL_X509_verify(void) WOLFSSL_EVP_PKEY* pkey = NULL; unsigned char buf[2048]; const unsigned char* pt = NULL; - int bufSz; + int bufSz = 0; ExpectNotNull(ca = wolfSSL_X509_load_certificate_file(caCertFile, WOLFSSL_FILETYPE_PEM)); + ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(NULL, buf, NULL), + WOLFSSL_SUCCESS); ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(NULL, buf, &bufSz), WOLFSSL_SUCCESS); ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(ca, NULL, &bufSz), WOLFSSL_SUCCESS); ExpectIntEQ(bufSz, 294); + bufSz--; + ExpectIntNE(wolfSSL_X509_get_pubkey_buffer(ca, buf, &bufSz), + WOLFSSL_SUCCESS); bufSz = 2048; ExpectIntEQ(wolfSSL_X509_get_pubkey_buffer(ca, buf, &bufSz), WOLFSSL_SUCCESS); @@ -13729,6 +13782,12 @@ static int test_wolfSSL_X509_verify(void) ExpectIntEQ(wolfSSL_X509_verify(NULL, pkey), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); ExpectIntEQ(wolfSSL_X509_verify(serv, NULL), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + +#ifndef NO_WOLFSSL_STUB + ExpectNull(wolfSSL_X509_get0_pubkey_bitstr(NULL)); + ExpectNull(wolfSSL_X509_get0_pubkey_bitstr(serv)); +#endif + wolfSSL_EVP_PKEY_free(pkey); wolfSSL_FreeX509(ca); @@ -13738,7 +13797,7 @@ static int test_wolfSSL_X509_verify(void) } #if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && !defined(NO_RSA) && \ - !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) + defined(WC_RSA_PSS) && !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) /* Given acert file and its pubkey file, read them and then * attempt to verify signed acert. * @@ -14066,13 +14125,59 @@ static int test_wolfSSL_X509_ACERT_buffer(void) return EXPECT_RESULT(); } +/* note: when ACERT generation and signing are implemented, + * this test will be filled out appropriately. + * */ +static int test_wolfSSL_X509_ACERT_new_and_sign(void) +{ + EXPECT_DECLS; +#if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) && \ + !defined(NO_RSA) && defined(WC_RSA_PSS) && \ + (defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)) + X509_ACERT * x509 = NULL; + int rc = 0; + + x509 = X509_ACERT_new(); + ExpectNotNull(x509); + + if (x509 != NULL) { + wolfSSL_X509_ACERT_free(x509); + x509 = NULL; + } + + /* Same but with static memory hint. */ + x509 = wolfSSL_X509_ACERT_new_ex(HEAP_HINT); + ExpectNotNull(x509); + + #ifndef NO_WOLFSSL_STUB + /* ACERT sign not implemented yet. */ + if (x509 != NULL) { + rc = wolfSSL_X509_ACERT_sign(x509, NULL, NULL); + ExpectIntEQ(rc, WOLFSSL_NOT_IMPLEMENTED); + } + #else + (void) rc; + #endif /* NO_WOLFSSL_STUB */ + + if (x509 != NULL) { + wolfSSL_X509_ACERT_free(x509); + x509 = NULL; + } + +#endif + return EXPECT_RESULT(); +} + /* Test ACERT support, but with ASN functions only. + * + * This example acert_ietf has both Holder IssuerSerial + * and Holder entityName fields. * */ static int test_wolfSSL_X509_ACERT_asn(void) { EXPECT_DECLS; #if defined(WOLFSSL_ACERT) && !defined(NO_CERTS) - const byte acert_ietf[] = \ + const byte acert_ietf[] = \ "-----BEGIN ATTRIBUTE CERTIFICATE-----\n" "MIICPTCCASUCAQEwN6AWMBGkDzANMQswCQYDVQQDDAJDQQIBAqEdpBswGTEXMBUG\n" "A1UEAwwOc2VydmVyLmV4YW1wbGWgLTArpCkwJzElMCMGA1UEAwwcQXR0cmlidXRl\n" @@ -14089,16 +14194,25 @@ static int test_wolfSSL_X509_ACERT_asn(void) "Bw==\n" "-----END ATTRIBUTE CERTIFICATE-----\n"; int rc = 0; - byte ietf_serial[] = {0x03, 0xb5, 0x90, 0x59, 0x02, - 0xa2, 0xaa, 0xb5, 0x40, 0x21, - 0x44, 0xb8, 0x2c, 0x4f, 0xd9, - 0x80, 0x1b, 0x5f, 0x57, 0xc2}; + int n_diff = 0; + byte ietf_serial[] = {0x03, 0xb5, 0x90, 0x59, 0x02, + 0xa2, 0xaa, 0xb5, 0x40, 0x21, + 0x44, 0xb8, 0x2c, 0x4f, 0xd9, + 0x80, 0x1b, 0x5f, 0x57, 0xc2}; + byte holderIssuerName[] = {0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x02, 0x43, 0x41}; + byte holderEntityName[] = {0x31, 0x17, 0x30, 0x15, 0x06, + 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x0e, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x2e, 0x65, 0x78, + 0x61, 0x6d, 0x70, 0x6c, 0x65}; DerBuffer * der = NULL; - #ifdef WOLFSSL_SMALL_STACK +#ifdef WOLFSSL_SMALL_STACK DecodedAcert * acert = NULL; - #else +#else DecodedAcert acert[1]; - #endif +#endif rc = wc_PemToDer(acert_ietf, sizeof(acert_ietf), ACERT_TYPE, &der, HEAP_HINT, NULL, NULL); @@ -14110,21 +14224,22 @@ static int test_wolfSSL_X509_ACERT_asn(void) ExpectNotNull(der->buffer); } - #ifdef WOLFSSL_SMALL_STACK +#ifdef WOLFSSL_SMALL_STACK acert = (DecodedAcert*)XMALLOC(sizeof(DecodedAcert), HEAP_HINT, DYNAMIC_TYPE_DCERT); ExpectNotNull(acert); - #endif +#else + XMEMSET(acert, 0, sizeof(DecodedAcert)); +#endif - #ifdef WOLFSSL_SMALL_STACK - if (acert != NULL) - #endif - { - if (der != NULL && der->buffer != NULL) { - wc_InitDecodedAcert(acert, der->buffer, der->length, HEAP_HINT); - rc = wc_ParseX509Acert(acert, VERIFY_SKIP_DATE); - ExpectIntEQ(rc, 0); - } + if (der != NULL && der->buffer != NULL +#ifdef WOLFSSL_SMALL_STACK + && acert != NULL +#endif + ) { + wc_InitDecodedAcert(acert, der->buffer, der->length, HEAP_HINT); + rc = wc_ParseX509Acert(acert, VERIFY_SKIP_DATE); + ExpectIntEQ(rc, 0); ExpectIntEQ(acert->serialSz, 20); ExpectIntEQ(XMEMCMP(acert->serial, ietf_serial, sizeof(ietf_serial)), @@ -14134,18 +14249,49 @@ static int test_wolfSSL_X509_ACERT_asn(void) ExpectNotNull(acert->rawAttr); ExpectIntEQ(acert->rawAttrLen, 65); + ExpectNotNull(acert->holderIssuerName); + ExpectNotNull(acert->holderEntityName); + + if ((acert->holderIssuerName != NULL) && + (acert->holderEntityName != NULL)) { + ExpectNotNull(acert->holderEntityName->name); + ExpectNotNull(acert->holderIssuerName->name); + } + + if ((acert->holderIssuerName != NULL) && + (acert->holderEntityName != NULL) && + (acert->holderIssuerName->name != NULL) && + (acert->holderEntityName->name != NULL)) { + ExpectIntEQ(acert->holderIssuerName->len, + sizeof(holderIssuerName)); + ExpectIntEQ(acert->holderEntityName->len, + sizeof(holderEntityName)); + + ExpectIntEQ(acert->holderIssuerName->type, ASN_DIR_TYPE); + ExpectIntEQ(acert->holderEntityName->type, ASN_DIR_TYPE); + + n_diff = XMEMCMP(acert->holderIssuerName->name, holderIssuerName, + sizeof(holderIssuerName)); + ExpectIntEQ(n_diff, 0); + + n_diff = XMEMCMP(acert->holderEntityName->name, holderEntityName, + sizeof(holderEntityName)); + ExpectIntEQ(n_diff, 0); + } + wc_FreeDecodedAcert(acert); } - #ifdef WOLFSSL_SMALL_STACK +#ifdef WOLFSSL_SMALL_STACK if (acert != NULL) { XFREE(acert, HEAP_HINT, DYNAMIC_TYPE_DCERT); acert = NULL; } - #endif +#endif if (der != NULL) { wc_FreeDer(&der); + der = NULL; } #endif @@ -20149,7 +20295,7 @@ static int test_wc_AesGcmEncryptDecrypt(void) } /* END test_wc_AesGcmEncryptDecrypt */ /* - * test function for mixed (one-shot encrpytion + stream decryption) AES GCM + * test function for mixed (one-shot encryption + stream decryption) AES GCM * using a long IV (older FIPS does NOT support long IVs). Relates to zd15423 */ static int test_wc_AesGcmMixedEncDecLongIV(void) @@ -24048,7 +24194,7 @@ static int test_wc_ed25519_sign_msg(void) ExpectIntEQ(wc_ed25519_sign_msg(msg, msglen, sig, &badSigLen, &key), WC_NO_ERR_TRACE(BUFFER_E)); ExpectIntEQ(badSigLen, ED25519_SIG_SIZE); - badSigLen -= 1; + badSigLen--; #ifdef HAVE_ED25519_VERIFY ExpectIntEQ(wc_ed25519_verify_msg(sig+1, siglen, msg, msglen, &verify_ok, @@ -25007,7 +25153,7 @@ static int test_wc_ed448_sign_msg(void) ExpectIntEQ(wc_ed448_sign_msg(msg, msglen, sig, &badSigLen, &key, NULL, 0), WC_NO_ERR_TRACE(BUFFER_E)); ExpectIntEQ(badSigLen, ED448_SIG_SIZE); - badSigLen -= 1; + badSigLen--; #ifdef HAVE_ED448_VERIFY ExpectIntEQ(wc_ed448_verify_msg(sig, siglen, msg, msglen, &verify_ok, &key, @@ -28112,10 +28258,10 @@ static int test_wc_kyber_make_key_kats(void) { EXPECT_DECLS; #if defined(WOLFSSL_HAVE_KYBER) && defined(WOLFSSL_WC_KYBER) && \ - !defined(WOLFSSL_KYBER_ORIGINAL) + !defined(WOLFSSL_NO_ML_KEM) KyberKey* key; -#ifndef WOLFSSL_NO_KYBER512 - static const byte seed_512[KYBER_MAKEKEY_RAND_SZ] = { +#ifndef WOLFSSL_NO_ML_KEM_512 + static const byte seed_512[WC_ML_KEM_MAKEKEY_RAND_SZ] = { /* d */ 0x2C, 0xB8, 0x43, 0xA0, 0x2E, 0xF0, 0x2E, 0xE1, 0x09, 0x30, 0x5F, 0x39, 0x11, 0x9F, 0xAB, 0xF4, @@ -28127,7 +28273,7 @@ static int test_wc_kyber_make_key_kats(void) 0x3B, 0xB8, 0x08, 0x43, 0x64, 0x52, 0x06, 0xBD, 0xD9, 0xF2, 0xF6, 0x29, 0xE3, 0xCC, 0x49, 0xB7 }; - static const byte ek_512[KYBER512_PUBLIC_KEY_SIZE] = { + static const byte ek_512[WC_ML_KEM_512_PUBLIC_KEY_SIZE] = { 0xA3, 0x24, 0x39, 0xF8, 0x5A, 0x3C, 0x21, 0xD2, 0x1A, 0x71, 0xB9, 0xB9, 0x2A, 0x9B, 0x64, 0xEA, 0x0A, 0xB8, 0x43, 0x12, 0xC7, 0x70, 0x23, 0x69, @@ -28229,7 +28375,7 @@ static int test_wc_kyber_make_key_kats(void) 0x97, 0x37, 0x33, 0xC3, 0x98, 0xEA, 0xF0, 0x0E, 0x17, 0x02, 0xC6, 0x73, 0x4A, 0xD8, 0xEB, 0x3B }; - static const byte dk_512[KYBER512_PRIVATE_KEY_SIZE] = { + static const byte dk_512[WC_ML_KEM_512_PRIVATE_KEY_SIZE] = { 0x7F, 0xE4, 0x20, 0x6F, 0x26, 0xBE, 0xDB, 0x64, 0xC1, 0xED, 0x00, 0x09, 0x61, 0x52, 0x45, 0xDC, 0x98, 0x48, 0x3F, 0x66, 0x3A, 0xCC, 0x61, 0x7E, @@ -28436,8 +28582,8 @@ static int test_wc_kyber_make_key_kats(void) 0xD9, 0xF2, 0xF6, 0x29, 0xE3, 0xCC, 0x49, 0xB7 }; #endif -#ifndef WOLFSSL_NO_KYBER768 - static const byte seed_768[KYBER_MAKEKEY_RAND_SZ] = { +#ifndef WOLFSSL_NO_ML_KEM_768 + static const byte seed_768[WC_ML_KEM_MAKEKEY_RAND_SZ] = { /* d */ 0xE3, 0x4A, 0x70, 0x1C, 0x4C, 0x87, 0x58, 0x2F, 0x42, 0x26, 0x4E, 0xE4, 0x22, 0xD3, 0xC6, 0x84, @@ -28449,7 +28595,7 @@ static int test_wc_kyber_make_key_kats(void) 0x64, 0x8E, 0xAE, 0x4E, 0x54, 0x48, 0xC3, 0x4C, 0x3E, 0xB8, 0x88, 0x20, 0xB1, 0x59, 0xEE, 0xDD }; - static const byte ek_768[KYBER768_PUBLIC_KEY_SIZE] = { + static const byte ek_768[WC_ML_KEM_768_PUBLIC_KEY_SIZE] = { 0x6D, 0x14, 0xA0, 0x71, 0xF7, 0xCC, 0x45, 0x25, 0x58, 0xD5, 0xE7, 0x1A, 0x7B, 0x08, 0x70, 0x62, 0xEC, 0xB1, 0x38, 0x68, 0x44, 0x58, 0x82, 0x46, @@ -28599,7 +28745,7 @@ static int test_wc_kyber_make_key_kats(void) 0xA6, 0x0D, 0x04, 0xE8, 0xC1, 0x70, 0xD7, 0x41, 0xC7, 0xA2, 0xB0, 0xE1, 0xAB, 0xDA, 0xC9, 0x68 }; - static const byte dk_768[KYBER768_PRIVATE_KEY_SIZE] = { + static const byte dk_768[WC_ML_KEM_768_PRIVATE_KEY_SIZE] = { 0x98, 0xA1, 0xB2, 0xDA, 0x4A, 0x65, 0xCF, 0xB5, 0x84, 0x5E, 0xA7, 0x31, 0x1E, 0x6A, 0x06, 0xDB, 0x73, 0x1F, 0x15, 0x90, 0xC4, 0x1E, 0xE7, 0x4B, @@ -28902,8 +29048,8 @@ static int test_wc_kyber_make_key_kats(void) 0x3E, 0xB8, 0x88, 0x20, 0xB1, 0x59, 0xEE, 0xDD }; #endif -#ifndef WOLFSSL_NO_KYBER1024 - static const byte seed_1024[KYBER_MAKEKEY_RAND_SZ] = { +#ifndef WOLFSSL_NO_ML_KEM_1024 + static const byte seed_1024[WC_ML_KEM_MAKEKEY_RAND_SZ] = { /* d */ 0x49, 0xAC, 0x8B, 0x99, 0xBB, 0x1E, 0x6A, 0x8E, 0xA8, 0x18, 0x26, 0x1F, 0x8B, 0xE6, 0x8B, 0xDE, @@ -28915,7 +29061,7 @@ static int test_wc_kyber_make_key_kats(void) 0x30, 0x22, 0x1F, 0xD6, 0x7D, 0x9B, 0x7D, 0x6E, 0x15, 0x10, 0xB2, 0xDB, 0xAD, 0x87, 0x62, 0xF7 }; - static const byte ek_1024[KYBER1024_PUBLIC_KEY_SIZE] = { + static const byte ek_1024[WC_ML_KEM_1024_PUBLIC_KEY_SIZE] = { 0xA0, 0x41, 0x84, 0xD4, 0xBC, 0x7B, 0x53, 0x2A, 0x0F, 0x70, 0xA5, 0x4D, 0x77, 0x57, 0xCD, 0xE6, 0x17, 0x5A, 0x68, 0x43, 0xB8, 0x61, 0xCB, 0x2B, @@ -29113,7 +29259,7 @@ static int test_wc_kyber_make_key_kats(void) 0x0A, 0x5A, 0x73, 0xC4, 0xDC, 0xFD, 0x75, 0x5E, 0x61, 0x0B, 0x4F, 0xC8, 0x1F, 0xF8, 0x4E, 0x21 }; - static const byte dk_1024[KYBER1024_PRIVATE_KEY_SIZE] = { + static const byte dk_1024[WC_ML_KEM_1024_PRIVATE_KEY_SIZE] = { 0x8C, 0x8B, 0x37, 0x22, 0xA8, 0x2E, 0x55, 0x05, 0x65, 0x52, 0x16, 0x11, 0xEB, 0xBC, 0x63, 0x07, 0x99, 0x44, 0xC9, 0xB1, 0xAB, 0xB3, 0xB0, 0x02, @@ -29512,8 +29658,8 @@ static int test_wc_kyber_make_key_kats(void) 0x15, 0x10, 0xB2, 0xDB, 0xAD, 0x87, 0x62, 0xF7 }; #endif - static byte pubKey[KYBER_MAX_PUBLIC_KEY_SIZE]; - static byte privKey[KYBER_MAX_PRIVATE_KEY_SIZE]; + static byte pubKey[WC_ML_KEM_MAX_PUBLIC_KEY_SIZE]; + static byte privKey[WC_ML_KEM_MAX_PRIVATE_KEY_SIZE]; key = (KyberKey*)XMALLOC(sizeof(KyberKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); ExpectNotNull(key); @@ -29521,40 +29667,40 @@ static int test_wc_kyber_make_key_kats(void) XMEMSET(key, 0, sizeof(KyberKey)); } -#ifndef WOLFSSL_NO_KYBER512 - ExpectIntEQ(wc_KyberKey_Init(KYBER512, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_512 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_512, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_MakeKeyWithRandom(key, seed_512, sizeof(seed_512)), 0); ExpectIntEQ(wc_KyberKey_EncodePublicKey(key, pubKey, - KYBER512_PUBLIC_KEY_SIZE), 0); + WC_ML_KEM_512_PUBLIC_KEY_SIZE), 0); ExpectIntEQ(wc_KyberKey_EncodePrivateKey(key, privKey, - KYBER512_PRIVATE_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(pubKey, ek_512, KYBER512_PUBLIC_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(privKey, dk_512, KYBER512_PRIVATE_KEY_SIZE), 0); + WC_ML_KEM_512_PRIVATE_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(pubKey, ek_512, WC_ML_KEM_512_PUBLIC_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(privKey, dk_512, WC_ML_KEM_512_PRIVATE_KEY_SIZE), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER768 - ExpectIntEQ(wc_KyberKey_Init(KYBER768, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_768 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_768, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_MakeKeyWithRandom(key, seed_768, sizeof(seed_768)), 0); ExpectIntEQ(wc_KyberKey_EncodePublicKey(key, pubKey, - KYBER768_PUBLIC_KEY_SIZE), 0); + WC_ML_KEM_768_PUBLIC_KEY_SIZE), 0); ExpectIntEQ(wc_KyberKey_EncodePrivateKey(key, privKey, - KYBER768_PRIVATE_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(pubKey, ek_768, KYBER768_PUBLIC_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(privKey, dk_768, KYBER768_PRIVATE_KEY_SIZE), 0); + WC_ML_KEM_768_PRIVATE_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(pubKey, ek_768, WC_ML_KEM_768_PUBLIC_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(privKey, dk_768, WC_ML_KEM_768_PRIVATE_KEY_SIZE), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER1024 - ExpectIntEQ(wc_KyberKey_Init(KYBER1024, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_1024 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_1024, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_MakeKeyWithRandom(key, seed_1024, sizeof(seed_1024)), 0); ExpectIntEQ(wc_KyberKey_EncodePublicKey(key, pubKey, - KYBER1024_PUBLIC_KEY_SIZE), 0); + WC_ML_KEM_1024_PUBLIC_KEY_SIZE), 0); ExpectIntEQ(wc_KyberKey_EncodePrivateKey(key, privKey, - KYBER1024_PRIVATE_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(pubKey, ek_1024, KYBER1024_PUBLIC_KEY_SIZE), 0); - ExpectIntEQ(XMEMCMP(privKey, dk_1024, KYBER1024_PRIVATE_KEY_SIZE), 0); + WC_ML_KEM_1024_PRIVATE_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(pubKey, ek_1024, WC_ML_KEM_1024_PUBLIC_KEY_SIZE), 0); + ExpectIntEQ(XMEMCMP(privKey, dk_1024, WC_ML_KEM_1024_PRIVATE_KEY_SIZE), 0); wc_KyberKey_Free(key); #endif @@ -29567,10 +29713,10 @@ static int test_wc_kyber_encapsulate_kats(void) { EXPECT_DECLS; #if defined(WOLFSSL_HAVE_KYBER) && defined(WOLFSSL_WC_KYBER) && \ - !defined(WOLFSSL_KYBER_ORIGINAL) + !defined(WOLFSSL_NO_ML_KEM) KyberKey* key; -#ifndef WOLFSSL_NO_KYBER512 - static const byte ek_512[KYBER512_PUBLIC_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_512 + static const byte ek_512[WC_ML_KEM_512_PUBLIC_KEY_SIZE] = { 0xDD, 0x19, 0x24, 0x93, 0x5A, 0xA8, 0xE6, 0x17, 0xAF, 0x18, 0xB5, 0xA0, 0x65, 0xAC, 0x45, 0x72, 0x77, 0x67, 0xEE, 0x89, 0x7C, 0xF4, 0xF9, 0x44, @@ -29672,13 +29818,13 @@ static int test_wc_kyber_encapsulate_kats(void) 0xA4, 0xD0, 0x31, 0xA0, 0x8A, 0xBF, 0x4F, 0x2E, 0x74, 0xF1, 0xA0, 0xBB, 0x8A, 0x0F, 0xD3, 0xCB }; - static const byte seed_512[KYBER_ENC_RAND_SZ] = { + static const byte seed_512[WC_ML_KEM_ENC_RAND_SZ] = { 0x6F, 0xF0, 0x2E, 0x1D, 0xC7, 0xFD, 0x91, 0x1B, 0xEE, 0xE0, 0xC6, 0x92, 0xC8, 0xBD, 0x10, 0x0C, 0x3E, 0x5C, 0x48, 0x96, 0x4D, 0x31, 0xDF, 0x92, 0x99, 0x42, 0x18, 0xE8, 0x06, 0x64, 0xA6, 0xCA }; - static const byte c_512[KYBER512_CIPHER_TEXT_SIZE] = { + static const byte c_512[WC_ML_KEM_512_CIPHER_TEXT_SIZE] = { 0x19, 0xC5, 0x92, 0x50, 0x59, 0x07, 0xC2, 0x4C, 0x5F, 0xA2, 0xEB, 0xFA, 0x93, 0x2D, 0x2C, 0xBB, 0x48, 0xF3, 0xE4, 0x34, 0x0A, 0x28, 0xF7, 0xEB, @@ -29776,15 +29922,15 @@ static int test_wc_kyber_encapsulate_kats(void) 0xD1, 0x8C, 0x8C, 0xD9, 0x12, 0xF9, 0xA7, 0x7F, 0x8E, 0x6B, 0xF0, 0x20, 0x53, 0x74, 0xB4, 0x62 }; - static const byte k_512[KYBER_SS_SZ] = { + static const byte k_512[WC_ML_KEM_SS_SZ] = { 0x0B, 0xF3, 0x23, 0x33, 0x8D, 0x6F, 0x0A, 0x21, 0xD5, 0x51, 0x4B, 0x67, 0x3C, 0xD1, 0x0B, 0x71, 0x4C, 0xE6, 0xE3, 0x6F, 0x35, 0xBC, 0xD1, 0xBF, 0x54, 0x41, 0x96, 0x36, 0x8E, 0xE5, 0x1A, 0x13 }; #endif -#ifndef WOLFSSL_NO_KYBER768 - static const byte ek_768[KYBER768_PUBLIC_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_768 + static const byte ek_768[WC_ML_KEM_768_PUBLIC_KEY_SIZE] = { 0x89, 0xD2, 0xCB, 0x65, 0xF9, 0x4D, 0xCB, 0xFC, 0x89, 0x0E, 0xFC, 0x7D, 0x0E, 0x5A, 0x7A, 0x38, 0x34, 0x4D, 0x16, 0x41, 0xA3, 0xD0, 0xB0, 0x24, @@ -29934,13 +30080,13 @@ static int test_wc_kyber_encapsulate_kats(void) 0xFE, 0xD3, 0xC3, 0x9C, 0x1B, 0xBD, 0xDB, 0x08, 0x37, 0xD0, 0xD4, 0x70, 0x6B, 0x09, 0x22, 0xC4 }; - static const byte seed_768[KYBER_ENC_RAND_SZ] = { + static const byte seed_768[WC_ML_KEM_ENC_RAND_SZ] = { 0x2C, 0xE7, 0x4A, 0xD2, 0x91, 0x13, 0x35, 0x18, 0xFE, 0x60, 0xC7, 0xDF, 0x5D, 0x25, 0x1B, 0x9D, 0x82, 0xAD, 0xD4, 0x84, 0x62, 0xFF, 0x50, 0x5C, 0x6E, 0x54, 0x7E, 0x94, 0x9E, 0x6B, 0x6B, 0xF7 }; - static const byte c_768[KYBER768_CIPHER_TEXT_SIZE] = { + static const byte c_768[WC_ML_KEM_768_CIPHER_TEXT_SIZE] = { 0x56, 0xB4, 0x2D, 0x59, 0x3A, 0xAB, 0x8E, 0x87, 0x73, 0xBD, 0x92, 0xD7, 0x6E, 0xAB, 0xDD, 0xF3, 0xB1, 0x54, 0x6F, 0x83, 0x26, 0xF5, 0x7A, 0x7B, @@ -30078,15 +30224,15 @@ static int test_wc_kyber_encapsulate_kats(void) 0xA2, 0x30, 0x19, 0x81, 0xA6, 0x41, 0x8F, 0x8B, 0xA7, 0xD7, 0xB0, 0xD7, 0xCA, 0x58, 0x75, 0xC6 }; - static const byte k_768[KYBER_SS_SZ] = { + static const byte k_768[WC_ML_KEM_SS_SZ] = { 0x26, 0x96, 0xD2, 0x8E, 0x9C, 0x61, 0xC2, 0xA0, 0x1C, 0xE9, 0xB1, 0x60, 0x8D, 0xCB, 0x9D, 0x29, 0x27, 0x85, 0xA0, 0xCD, 0x58, 0xEF, 0xB7, 0xFE, 0x13, 0xB1, 0xDE, 0x95, 0xF0, 0xDB, 0x55, 0xB3 }; #endif -#ifndef WOLFSSL_NO_KYBER1024 - static const byte ek_1024[KYBER1024_PUBLIC_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_1024 + static const byte ek_1024[WC_ML_KEM_1024_PUBLIC_KEY_SIZE] = { 0x30, 0x7A, 0x4C, 0xEA, 0x41, 0x48, 0x21, 0x9B, 0x95, 0x8E, 0xA0, 0xB7, 0x88, 0x66, 0x59, 0x23, 0x5A, 0x4D, 0x19, 0x80, 0xB1, 0x92, 0x61, 0x08, @@ -30284,13 +30430,13 @@ static int test_wc_kyber_encapsulate_kats(void) 0x3E, 0x30, 0x41, 0xE0, 0x5D, 0x90, 0x67, 0xAF, 0xF3, 0xB1, 0x24, 0x4F, 0x76, 0x3E, 0x79, 0x83 }; - static const byte seed_1024[KYBER_ENC_RAND_SZ] = { + static const byte seed_1024[WC_ML_KEM_ENC_RAND_SZ] = { 0x59, 0xC5, 0x15, 0x4C, 0x04, 0xAE, 0x43, 0xAA, 0xFF, 0x32, 0x70, 0x0F, 0x08, 0x17, 0x00, 0x38, 0x9D, 0x54, 0xBE, 0xC4, 0xC3, 0x7C, 0x08, 0x8B, 0x1C, 0x53, 0xF6, 0x62, 0x12, 0xB1, 0x2C, 0x72 }; - static const byte c_1024[KYBER1024_CIPHER_TEXT_SIZE] = { + static const byte c_1024[WC_ML_KEM_1024_CIPHER_TEXT_SIZE] = { 0xE2, 0xD5, 0xFD, 0x4C, 0x13, 0xCE, 0xA0, 0xB5, 0x2D, 0x87, 0x4F, 0xEA, 0x90, 0x12, 0xF3, 0xA5, 0x17, 0x43, 0xA1, 0x09, 0x37, 0x10, 0xBB, 0xF2, @@ -30488,15 +30634,15 @@ static int test_wc_kyber_encapsulate_kats(void) 0x52, 0x35, 0xD6, 0x36, 0xC6, 0x5C, 0xD1, 0x02, 0xB0, 0x1E, 0x22, 0x78, 0x1A, 0x72, 0x91, 0x8C }; - static const byte k_1024[KYBER_SS_SZ] = { + static const byte k_1024[WC_ML_KEM_SS_SZ] = { 0x72, 0x64, 0xBD, 0xE5, 0xC6, 0xCE, 0xC1, 0x48, 0x49, 0x69, 0x3E, 0x2C, 0x3C, 0x86, 0xE4, 0x8F, 0x80, 0x95, 0x8A, 0x4F, 0x61, 0x86, 0xFC, 0x69, 0x33, 0x3A, 0x41, 0x48, 0xE6, 0xE4, 0x97, 0xF3 }; #endif - static byte ct[KYBER_MAX_CIPHER_TEXT_SIZE]; - static byte ss[KYBER_SS_SZ]; + static byte ct[WC_ML_KEM_MAX_CIPHER_TEXT_SIZE]; + static byte ss[WC_ML_KEM_SS_SZ]; key = (KyberKey*)XMALLOC(sizeof(KyberKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); ExpectNotNull(key); @@ -30504,31 +30650,31 @@ static int test_wc_kyber_encapsulate_kats(void) XMEMSET(key, 0, sizeof(KyberKey)); } -#ifndef WOLFSSL_NO_KYBER512 - ExpectIntEQ(wc_KyberKey_Init(KYBER512, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_512 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_512, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePublicKey(key, ek_512, sizeof(ek_512)), 0); ExpectIntEQ(wc_KyberKey_EncapsulateWithRandom(key, ct, ss, seed_512, sizeof(seed_512)), 0); - ExpectIntEQ(XMEMCMP(ct, c_512, KYBER512_CIPHER_TEXT_SIZE), 0); - ExpectIntEQ(XMEMCMP(ss, k_512, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ct, c_512, WC_ML_KEM_512_CIPHER_TEXT_SIZE), 0); + ExpectIntEQ(XMEMCMP(ss, k_512, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER768 - ExpectIntEQ(wc_KyberKey_Init(KYBER768, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_768 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_768, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePublicKey(key, ek_768, sizeof(ek_768)), 0); ExpectIntEQ(wc_KyberKey_EncapsulateWithRandom(key, ct, ss, seed_768, sizeof(seed_768)), 0); - ExpectIntEQ(XMEMCMP(ct, c_768, KYBER768_CIPHER_TEXT_SIZE), 0); - ExpectIntEQ(XMEMCMP(ss, k_768, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ct, c_768, WC_ML_KEM_768_CIPHER_TEXT_SIZE), 0); + ExpectIntEQ(XMEMCMP(ss, k_768, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER1024 - ExpectIntEQ(wc_KyberKey_Init(KYBER1024, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_1024 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_1024, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePublicKey(key, ek_1024, sizeof(ek_1024)), 0); ExpectIntEQ(wc_KyberKey_EncapsulateWithRandom(key, ct, ss, seed_1024, sizeof(seed_1024)), 0); - ExpectIntEQ(XMEMCMP(ct, c_1024, KYBER1024_CIPHER_TEXT_SIZE), 0); - ExpectIntEQ(XMEMCMP(ss, k_1024, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ct, c_1024, WC_ML_KEM_1024_CIPHER_TEXT_SIZE), 0); + ExpectIntEQ(XMEMCMP(ss, k_1024, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif @@ -30541,10 +30687,10 @@ static int test_wc_kyber_decapsulate_kats(void) { EXPECT_DECLS; #if defined(WOLFSSL_HAVE_KYBER) && defined(WOLFSSL_WC_KYBER) && \ - !defined(WOLFSSL_KYBER_ORIGINAL) + !defined(WOLFSSL_NO_ML_KEM) KyberKey* key; -#ifndef WOLFSSL_NO_KYBER512 - static const byte dk_512[KYBER512_PRIVATE_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_512 + static const byte dk_512[WC_ML_KEM_512_PRIVATE_KEY_SIZE] = { 0x69, 0xF9, 0xCB, 0xFD, 0x12, 0x37, 0xBA, 0x16, 0x1C, 0xF6, 0xE6, 0xC1, 0x8F, 0x48, 0x8F, 0xC6, 0xE3, 0x9A, 0xB4, 0xA5, 0xC9, 0xE6, 0xC2, 0x2E, @@ -30750,7 +30896,7 @@ static int test_wc_kyber_decapsulate_kats(void) 0x09, 0x8A, 0x3F, 0x35, 0x17, 0x78, 0xB0, 0x88, 0x8C, 0x95, 0x90, 0xA9, 0x09, 0x0C, 0xD4, 0x04 }; - static const byte c_512[KYBER512_CIPHER_TEXT_SIZE] = { + static const byte c_512[WC_ML_KEM_512_CIPHER_TEXT_SIZE] = { 0x16, 0x1C, 0xD2, 0x59, 0xFE, 0xAA, 0x7E, 0xC6, 0xB2, 0x86, 0x49, 0x8A, 0x9A, 0x6F, 0x69, 0xF8, 0xB2, 0x62, 0xA2, 0xE2, 0x09, 0x3D, 0x0F, 0xBD, @@ -30848,15 +30994,15 @@ static int test_wc_kyber_decapsulate_kats(void) 0x34, 0x6B, 0xAF, 0xCD, 0xD0, 0x6D, 0x40, 0x2F, 0xF2, 0x4D, 0x6C, 0x1E, 0x5F, 0x61, 0xA8, 0x5D }; - static const byte kprime_512[KYBER_SS_SZ] = { + static const byte kprime_512[WC_ML_KEM_SS_SZ] = { 0xDF, 0x46, 0x2A, 0xD6, 0x8F, 0x1E, 0xC8, 0x97, 0x2E, 0xD9, 0xB0, 0x2D, 0x6D, 0xE0, 0x60, 0x4B, 0xDE, 0xC7, 0x57, 0x20, 0xE0, 0x50, 0x49, 0x73, 0x51, 0xE6, 0xEC, 0x93, 0x3E, 0x71, 0xF8, 0x82 }; #endif -#ifndef WOLFSSL_NO_KYBER768 - static const byte dk_768[KYBER768_PRIVATE_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_768 + static const byte dk_768[WC_ML_KEM_768_PRIVATE_KEY_SIZE] = { 0x1E, 0x4A, 0xC8, 0x7B, 0x1A, 0x69, 0x2A, 0x52, 0x9F, 0xDB, 0xBA, 0xB9, 0x33, 0x74, 0xC5, 0x7D, 0x11, 0x0B, 0x10, 0xF2, 0xB1, 0xDD, 0xEB, 0xAC, @@ -31158,7 +31304,7 @@ static int test_wc_kyber_decapsulate_kats(void) 0xB4, 0xAB, 0x82, 0xE5, 0xFC, 0xA1, 0x35, 0xE8, 0xD2, 0x6A, 0x6B, 0x3A, 0x89, 0xFA, 0x5B, 0x6F }; - static const byte c_768[KYBER768_CIPHER_TEXT_SIZE] = { + static const byte c_768[WC_ML_KEM_768_CIPHER_TEXT_SIZE] = { 0xA5, 0xC8, 0x1C, 0x76, 0xC2, 0x43, 0x05, 0xE1, 0xCE, 0x5D, 0x81, 0x35, 0xD4, 0x15, 0x23, 0x68, 0x2E, 0x9E, 0xE6, 0xD7, 0xB4, 0x0A, 0xD4, 0x1D, @@ -31296,15 +31442,15 @@ static int test_wc_kyber_decapsulate_kats(void) 0xA5, 0x9A, 0x1F, 0xD2, 0x8A, 0xF3, 0x5C, 0x00, 0xD1, 0x8A, 0x40, 0x6A, 0x28, 0xFC, 0x79, 0xBA }; - static const byte kprime_768[KYBER_SS_SZ] = { + static const byte kprime_768[WC_ML_KEM_SS_SZ] = { 0xDC, 0x5B, 0x88, 0x88, 0xBC, 0x1E, 0xBA, 0x5C, 0x19, 0x69, 0xC2, 0x11, 0x64, 0xEA, 0x43, 0xE2, 0x2E, 0x7A, 0xC0, 0xCD, 0x01, 0x2A, 0x2F, 0x26, 0xCB, 0x8C, 0x48, 0x7E, 0x69, 0xEF, 0x7C, 0xE4 }; #endif -#ifndef WOLFSSL_NO_KYBER1024 - static const byte dk_1024[KYBER1024_PRIVATE_KEY_SIZE] = { +#ifndef WOLFSSL_NO_ML_KEM_1024 + static const byte dk_1024[WC_ML_KEM_1024_PRIVATE_KEY_SIZE] = { 0x84, 0x45, 0xC3, 0x36, 0xF3, 0x51, 0x8B, 0x29, 0x81, 0x63, 0xDC, 0xBB, 0x63, 0x57, 0x59, 0x79, 0x83, 0xCA, 0x2E, 0x87, 0x3D, 0xCB, 0x49, 0x61, @@ -31702,7 +31848,7 @@ static int test_wc_kyber_decapsulate_kats(void) 0x0D, 0xE1, 0xB7, 0xA4, 0x81, 0xB8, 0x3E, 0x58, 0x3B, 0x6A, 0xF1, 0x6F, 0x63, 0xCB, 0x00, 0xC6 }; - static const byte c_1024[KYBER1024_CIPHER_TEXT_SIZE] = { + static const byte c_1024[WC_ML_KEM_1024_CIPHER_TEXT_SIZE] = { 0x0C, 0x68, 0x1B, 0x4A, 0xA8, 0x1F, 0x26, 0xAD, 0xFB, 0x64, 0x5E, 0xC2, 0x4B, 0x37, 0x52, 0xF6, 0xB3, 0x2C, 0x68, 0x64, 0x5A, 0xA5, 0xE7, 0xA9, @@ -31900,14 +32046,14 @@ static int test_wc_kyber_decapsulate_kats(void) 0x7B, 0x12, 0x43, 0x33, 0x43, 0xA6, 0x58, 0xF1, 0x98, 0x0C, 0x81, 0x24, 0xEA, 0x6D, 0xD8, 0x1F }; - static const byte kprime_1024[KYBER_SS_SZ] = { + static const byte kprime_1024[WC_ML_KEM_SS_SZ] = { 0x8F, 0x33, 0x6E, 0x9C, 0x28, 0xDF, 0x34, 0x9E, 0x03, 0x22, 0x0A, 0xF0, 0x1C, 0x42, 0x83, 0x2F, 0xEF, 0xAB, 0x1F, 0x2A, 0x74, 0xC1, 0x6F, 0xAF, 0x6F, 0x64, 0xAD, 0x07, 0x1C, 0x1A, 0x33, 0x94 }; #endif - static byte ss[KYBER_SS_SZ]; + static byte ss[WC_ML_KEM_SS_SZ]; key = (KyberKey*)XMALLOC(sizeof(KyberKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); ExpectNotNull(key); @@ -31915,25 +32061,25 @@ static int test_wc_kyber_decapsulate_kats(void) XMEMSET(key, 0, sizeof(KyberKey)); } -#ifndef WOLFSSL_NO_KYBER512 - ExpectIntEQ(wc_KyberKey_Init(KYBER512, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_512 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_512, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePrivateKey(key, dk_512, sizeof(dk_512)), 0); ExpectIntEQ(wc_KyberKey_Decapsulate(key, ss, c_512, sizeof(c_512)), 0); - ExpectIntEQ(XMEMCMP(ss, kprime_512, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ss, kprime_512, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER768 - ExpectIntEQ(wc_KyberKey_Init(KYBER768, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_768 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_768, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePrivateKey(key, dk_768, sizeof(dk_768)), 0); ExpectIntEQ(wc_KyberKey_Decapsulate(key, ss, c_768, sizeof(c_768)), 0); - ExpectIntEQ(XMEMCMP(ss, kprime_768, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ss, kprime_768, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif -#ifndef WOLFSSL_NO_KYBER1024 - ExpectIntEQ(wc_KyberKey_Init(KYBER1024, key, NULL, INVALID_DEVID), 0); +#ifndef WOLFSSL_NO_ML_KEM_1024 + ExpectIntEQ(wc_KyberKey_Init(WC_ML_KEM_1024, key, NULL, INVALID_DEVID), 0); ExpectIntEQ(wc_KyberKey_DecodePrivateKey(key, dk_1024, sizeof(dk_1024)), 0); ExpectIntEQ(wc_KyberKey_Decapsulate(key, ss, c_1024, sizeof(c_1024)), 0); - ExpectIntEQ(XMEMCMP(ss, kprime_1024, KYBER_SS_SZ), 0); + ExpectIntEQ(XMEMCMP(ss, kprime_1024, WC_ML_KEM_SS_SZ), 0); wc_KyberKey_Free(key); #endif @@ -33007,7 +33153,7 @@ static int test_wc_dilithium_verify(void) ExpectIntEQ(res, 0); sig[100] ^= 0x80; - /* Set all indeces to 0. */ + /* Set all indices to 0. */ XMEMSET(sig + sigLen - 4, 0, 4); ExpectIntEQ(wc_dilithium_verify_msg(sig, sigLen, msg, 32, &res, key), WC_NO_ERR_TRACE(SIG_VERIFY_E)); @@ -34811,7 +34957,7 @@ static int test_wc_dilithium_der(void) int pubDerLen; int privDerLen; int keyDerLen; - word32 idx; + word32 idx = 0; #ifndef WOLFSSL_NO_ML_DSA_44 pubLen = DILITHIUM_LEVEL2_PUB_KEY_SIZE; @@ -34838,6 +34984,9 @@ static int test_wc_dilithium_der(void) if (key != NULL) { XMEMSET(key, 0, sizeof(*key)); } + if (der != NULL) { + XMEMSET(der, 0, sizeof(*der)); + } XMEMSET(&rng, 0, sizeof(WC_RNG)); ExpectIntEQ(wc_InitRng(&rng), 0); ExpectIntEQ(wc_dilithium_init(key), 0); @@ -34848,10 +34997,24 @@ static int test_wc_dilithium_der(void) 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(wc_Dilithium_PrivateKeyToDer(key, der, DILITHIUM_MAX_DER_SIZE), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + /* When security level is not set, we attempt to parse it from DER. Since + * the supplied DER is invalid, this should fail with ASN parsing error */ + idx = 0; +#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT ExpectIntEQ(wc_Dilithium_PublicKeyDecode(der, &idx, key, pubDerLen), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#else + ExpectIntEQ(wc_Dilithium_PublicKeyDecode(der, &idx, key, pubDerLen), + WC_NO_ERR_TRACE(ASN_PARSE_E)); +#endif + idx = 0; +#ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT ExpectIntEQ(wc_Dilithium_PrivateKeyDecode(der, &idx, key, privDerLen), - WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#else + ExpectIntEQ(wc_Dilithium_PrivateKeyDecode(der, &idx, key, privDerLen), + WC_NO_ERR_TRACE(ASN_PARSE_E)); +#endif #ifndef WOLFSSL_NO_ML_DSA_44 ExpectIntEQ(wc_dilithium_set_level(key, WC_ML_DSA_44), 0); @@ -54939,6 +55102,10 @@ static int test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS(void) ec_obj = OBJ_nid2obj(EVP_PKEY_EC); group_obj = OBJ_nid2obj(nid); if ((ec_obj != NULL) && (group_obj != NULL)) { + ExpectIntEQ(X509_ALGOR_set0(NULL, ec_obj, V_ASN1_OBJECT, + group_obj), 0); + ExpectIntEQ(X509_ALGOR_set0(bootstrap->alg, NULL, V_ASN1_OBJECT, + NULL), 1); ExpectIntEQ(X509_ALGOR_set0(bootstrap->alg, ec_obj, V_ASN1_OBJECT, group_obj), 1); if (EXPECT_SUCCESS()) { @@ -55308,9 +55475,11 @@ static int test_wolfSSL_X509_NAME(void) (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \ defined(OPENSSL_EXTRA)) X509* x509 = NULL; +#ifndef OPENSSL_EXTRA const unsigned char* c = NULL; - unsigned char buf[4096]; int bytes = 0; +#endif + unsigned char buf[4096]; XFILE f = XBADFILE; const X509_NAME* a = NULL; const X509_NAME* b = NULL; @@ -55327,6 +55496,10 @@ static int test_wolfSSL_X509_NAME(void) 0x01, 0x16, 0x00 }; #endif +#if defined(OPENSSL_EXTRA) && !defined(NO_PWDBASED) + byte digest[64]; /* max digest size */ + word32 digestSz; +#endif #ifndef OPENSSL_EXTRA_X509_SMALL /* test compile of deprecated function, returns 0 */ @@ -55334,24 +55507,80 @@ static int test_wolfSSL_X509_NAME(void) #endif ExpectNotNull(a = X509_NAME_new()); + ExpectNotNull(b = X509_NAME_new()); +#ifndef OPENSSL_EXTRA_X509_SMALL + ExpectIntEQ(X509_NAME_cmp(a, b), 0); +#endif + X509_NAME_free((X509_NAME*)b); X509_NAME_free((X509_NAME*)a); a = NULL; ExpectTrue((f = XFOPEN(file, "rb")) != XBADFILE); +#ifndef OPENSSL_EXTRA ExpectIntGT(bytes = (int)XFREAD(buf, 1, sizeof(buf), f), 0); if (f != XBADFILE) XFCLOSE(f); c = buf; ExpectNotNull(x509 = wolfSSL_X509_d2i_ex(NULL, c, bytes, HEAP_HINT)); +#else + ExpectNull(wolfSSL_X509_d2i_fp(NULL, XBADFILE)); + ExpectNotNull(wolfSSL_X509_d2i_fp(&x509, f)); + if (f != XBADFILE) + XFCLOSE(f); +#endif /* test cmp function */ + ExpectNull(X509_get_issuer_name(NULL)); ExpectNotNull(a = X509_get_issuer_name(x509)); + ExpectNull(X509_get_subject_name(NULL)); ExpectNotNull(b = X509_get_subject_name(x509)); +#ifdef KEEP_PEER_CERT + ExpectNull(wolfSSL_X509_get_subjectCN(NULL)); + ExpectNotNull(wolfSSL_X509_get_subjectCN(x509)); +#endif -#ifndef OPENSSL_EXTRA_X509_SMALL +#if defined(OPENSSL_EXTRA) + ExpectIntEQ(X509_check_issued(NULL, NULL), + WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH); + ExpectIntEQ(X509_check_issued(x509, NULL), + WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH); + ExpectIntEQ(X509_check_issued(NULL, x509), + WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH); + ExpectIntEQ(X509_check_issued(x509, x509), WOLFSSL_X509_V_OK); + + ExpectIntEQ(X509_NAME_cmp(NULL, NULL), -2); + ExpectIntEQ(X509_NAME_cmp(NULL, b), -2); + ExpectIntEQ(X509_NAME_cmp(a, NULL), -2); ExpectIntEQ(X509_NAME_cmp(a, b), 0); /* self signed should be 0 */ + +#if !defined(NO_PWDBASED) + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, NULL), 0); + ExpectIntEQ(wolfSSL_X509_NAME_digest(a, NULL, NULL, NULL), 0); +#ifndef NO_SHA256 + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, wolfSSL_EVP_sha256(), NULL, + NULL), 0); +#endif + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, digest, NULL), 0); + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, &digestSz), 0); + ExpectIntEQ(wolfSSL_X509_NAME_digest(a, NULL, digest, + &digestSz), 0); +#ifndef NO_SHA256 + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, wolfSSL_EVP_sha256(), digest, + &digestSz), 0); + ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), NULL, + &digestSz), 0); + ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), digest, + NULL), 1); + ExpectIntEQ(wolfSSL_X509_NAME_digest(a, wolfSSL_EVP_sha256(), digest, + &digestSz), 1); + ExpectTrue(digestSz == 32); +#endif +#else + ExpectIntEQ(wolfSSL_X509_NAME_digest(NULL, NULL, NULL, NULL), + NOT_COMPILED_IN); #endif +#endif /* OPENSSL_EXTRA */ tmp = buf; ExpectIntGT((sz = i2d_X509_NAME((X509_NAME*)a, &tmp)), 0); @@ -55379,17 +55608,34 @@ static int test_wolfSSL_X509_NAME(void) /* test for givenName and name */ { WOLFSSL_X509_NAME_ENTRY* entry = NULL; + WOLFSSL_X509_NAME_ENTRY empty; const byte gName[] = "test-given-name"; const byte name[] = "test-name"; + XMEMSET(&empty, 0, sizeof(empty)); + + ExpectNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL, + NID_givenName, ASN_UTF8STRING, NULL, sizeof(gName))); ExpectNotNull(entry = wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL, NID_givenName, ASN_UTF8STRING, gName, sizeof(gName))); - ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry, -1, 0), + ExpectNotNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(&entry, + NID_givenName, ASN_UTF8STRING, gName, sizeof(gName))); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry(NULL , NULL , -1, 0), + 0); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, NULL , -1, 0), + 0); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry(NULL , entry , -1, 0), + 0); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, &empty, -1, 0), + 0); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry , 99, 0), + 0); + ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry , -1, 0), 1); wolfSSL_X509_NAME_ENTRY_free(entry); entry = NULL; - ExpectNotNull(entry = wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL, + ExpectNotNull(wolfSSL_X509_NAME_ENTRY_create_by_NID(&entry, NID_name, ASN_UTF8STRING, name, sizeof(name))); ExpectIntEQ(wolfSSL_X509_NAME_add_entry((X509_NAME*)b, entry, -1, 0), 1); @@ -55402,10 +55648,21 @@ static int test_wolfSSL_X509_NAME(void) #endif b = NULL; + ExpectNull(X509_NAME_dup(NULL)); ExpectNotNull(b = X509_NAME_dup((X509_NAME*)a)); #ifndef OPENSSL_EXTRA_X509_SMALL ExpectIntEQ(X509_NAME_cmp(a, b), 0); #endif + ExpectIntEQ(X509_NAME_entry_count(NULL), 0); + ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 7); + X509_NAME_free((X509_NAME*)b); + ExpectNotNull(b = wolfSSL_X509_NAME_new()); + ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 0); + ExpectIntEQ(wolfSSL_X509_NAME_copy(NULL, NULL), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_NAME_copy((X509_NAME*)a, NULL), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_NAME_copy(NULL, (X509_NAME*)b), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_NAME_copy((X509_NAME*)a, (X509_NAME*)b), 1); + ExpectIntEQ(X509_NAME_entry_count((X509_NAME*)b), 7); X509_NAME_free((X509_NAME*)b); X509_NAME_free(d2i_name); d2i_name = NULL; @@ -55440,6 +55697,12 @@ static int test_wolfSSL_X509_NAME_hash(void) !defined(NO_RSA) && !defined(NO_SHA) && !defined(NO_BIO) BIO* bio = NULL; X509* x509 = NULL; + X509_NAME* name = NULL; + + ExpectIntEQ(X509_NAME_hash(NULL), 0); + ExpectNotNull(name = wolfSSL_X509_NAME_new_ex(NULL)); + ExpectIntEQ(X509_NAME_hash(name), 0); + X509_NAME_free(name); ExpectNotNull(bio = BIO_new(BIO_s_file())); ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); @@ -55466,6 +55729,7 @@ static int test_wolfSSL_X509_NAME_print_ex(void) BIO* membio = NULL; X509* x509 = NULL; X509_NAME* name = NULL; + X509_NAME* empty = NULL; const char* expNormal = "C=US, CN=wolfssl.com"; const char* expEqSpace = "C = US, CN = wolfssl.com"; @@ -55484,7 +55748,13 @@ static int test_wolfSSL_X509_NAME_print_ex(void) /* Test without flags */ ExpectNotNull(membio = BIO_new(BIO_s_mem())); + ExpectNotNull(empty = wolfSSL_X509_NAME_new()); + ExpectIntEQ(X509_NAME_print_ex(NULL, NULL, 0, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_print_ex(membio, NULL, 0, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_print_ex(NULL, name, 0, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_print_ex(membio, empty, 0, 0), WOLFSSL_FAILURE); ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS); + wolfSSL_X509_NAME_free(empty); BIO_free(membio); membio = NULL; @@ -55752,6 +56022,12 @@ static int test_wolfSSL_X509_subject_name_hash(void) unsigned long ret1 = 0; unsigned long ret2 = 0; + ExpectNotNull(x509 = X509_new()); + ExpectIntEQ(X509_subject_name_hash(NULL), 0); + ExpectIntEQ(X509_subject_name_hash(x509), 0); + X509_free(x509); + x509 = NULL; + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); ExpectNotNull(subjectName = wolfSSL_X509_get_subject_name(x509)); @@ -55788,6 +56064,12 @@ static int test_wolfSSL_X509_issuer_name_hash(void) unsigned long ret1 = 0; unsigned long ret2 = 0; + ExpectNotNull(x509 = X509_new()); + ExpectIntEQ(X509_issuer_name_hash(NULL), 0); + ExpectIntEQ(X509_issuer_name_hash(x509), 0); + X509_free(x509); + x509 = NULL; + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); ExpectNotNull(issuertName = wolfSSL_X509_get_issuer_name(x509)); @@ -55823,6 +56105,9 @@ static int test_wolfSSL_X509_check_host(void) const char altName[] = "example.com"; const char badAltName[] = "a.example.com"; + ExpectIntEQ(X509_check_host(NULL, NULL, XSTRLEN(altName), 0, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + /* cliCertFile has subjectAltName set to 'example.com', '127.0.0.1' */ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); @@ -55848,6 +56133,13 @@ static int test_wolfSSL_X509_check_host(void) WOLFSSL_LEFT_MOST_WILDCARD_ONLY, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_check_host(x509, altName, XSTRLEN(altName), + WOLFSSL_NO_WILDCARDS, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_check_host(x509, altName, XSTRLEN(altName), + WOLFSSL_NO_PARTIAL_WILDCARDS, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_check_host(x509, altName, XSTRLEN(altName), + WOLFSSL_MULTI_LABEL_WILDCARDS, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + X509_free(x509); ExpectIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName), 0, NULL), @@ -55866,11 +56158,20 @@ static int test_wolfSSL_X509_check_email(void) EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && !defined(NO_RSA) X509* x509 = NULL; + X509* empty = NULL; const char goodEmail[] = "info@wolfssl.com"; const char badEmail[] = "disinfo@wolfssl.com"; ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); + ExpectNotNull(empty = wolfSSL_X509_new()); + + ExpectIntEQ(wolfSSL_X509_check_email(NULL, NULL, 0, 0), 0); + ExpectIntEQ(wolfSSL_X509_check_email(x509, NULL, 0, 0), 0); + ExpectIntEQ(wolfSSL_X509_check_email(NULL, goodEmail, XSTRLEN(goodEmail), + 0), 0); + ExpectIntEQ(wolfSSL_X509_check_email(empty, goodEmail, XSTRLEN(goodEmail), + 0), 0); /* Should fail on non-matching email address */ ExpectIntEQ(wolfSSL_X509_check_email(x509, badEmail, XSTRLEN(badEmail), 0), @@ -55885,6 +56186,7 @@ static int test_wolfSSL_X509_check_email(void) ExpectIntEQ(wolfSSL_X509_check_email(x509, NULL, 0, 0), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + X509_free(empty); X509_free(x509); /* Should fail when x509 is NULL */ @@ -56357,6 +56659,41 @@ static int test_wc_CheckCertSigPubKey(void) return EXPECT_RESULT(); } +static int test_wolfSSL_X509_ext_d2i(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) + X509* x509 = NULL; + + ExpectNotNull(x509 = wolfSSL_X509_new()); + + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_basic_constraints, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_subject_alt_name, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_authority_key_identifier, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_subject_key_identifier, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_key_usage, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_crl_distribution_points, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_ext_key_usage, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_info_access, + NULL, NULL)); + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_certificate_policies, + NULL, NULL)); + /* Invalid NID for an extension. */ + ExpectNull(wolfSSL_X509_get_ext_d2i(x509, NID_description, + NULL, NULL)); + + wolfSSL_X509_free(x509); +#endif + return EXPECT_RESULT(); +} + static int test_wolfSSL_certs(void) { EXPECT_DECLS; @@ -56373,6 +56710,7 @@ static int test_wolfSSL_certs(void) STACK_OF(ASN1_OBJECT)* sk = NULL; ASN1_STRING* asn1_str = NULL; AUTHORITY_KEYID* akey = NULL; + WOLFSSL_STACK* skid = NULL; BASIC_CONSTRAINTS* bc = NULL; int crit = 0; @@ -56420,6 +56758,12 @@ static int test_wolfSSL_certs(void) x509 = NULL; /* create and use x509 */ + ExpectNull(wolfSSL_X509_load_certificate_file(cliCertFileExt, -1)); + ExpectNull(wolfSSL_X509_load_certificate_file("/tmp/badfile", + WOLFSSL_FILETYPE_PEM)); + ExpectNull(wolfSSL_X509_load_certificate_file(NULL, WOLFSSL_FILETYPE_PEM)); + ExpectNull(wolfSSL_X509_load_certificate_file(cliCertFileExt, + WOLFSSL_FILETYPE_ASN1)); #ifdef OPENSSL_ALL ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, WOLFSSL_FILETYPE_PEM)); @@ -56454,31 +56798,101 @@ static int test_wolfSSL_certs(void) { byte digest[64]; /* max digest size */ word32 digestSz; + X509* x509Empty = NULL; XMEMSET(digest, 0, sizeof(digest)); - ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha1(), digest, &digestSz), + ExpectIntEQ(X509_digest(NULL, wolfSSL_EVP_sha1(), digest, &digestSz), + WOLFSSL_FAILURE); + ExpectIntEQ(X509_digest(x509ext, NULL, digest, &digestSz), + WOLFSSL_FAILURE); + ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha1(), NULL, &digestSz), + WOLFSSL_FAILURE); + ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha1(), digest, NULL), WOLFSSL_SUCCESS); - ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha256(), digest, &digestSz), + ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha1(), digest, &digestSz), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_digest(x509ext, wolfSSL_EVP_sha256(), digest, + &digestSz), WOLFSSL_SUCCESS); - ExpectIntEQ(X509_digest(NULL, wolfSSL_EVP_sha1(), digest, &digestSz), - WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(x509Empty = wolfSSL_X509_new()); + ExpectIntEQ(X509_digest(x509Empty, wolfSSL_EVP_sha256(), digest, + &digestSz), WOLFSSL_FAILURE); + wolfSSL_X509_free(x509Empty); + } + #endif /* !NO_SHA && !NO_SHA256 && !NO_PWDBASED */ + + #if !defined(NO_SHA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) + /************* Get Digest of Certificate ******************/ + { + byte digest[64]; /* max digest size */ + word32 digestSz; + X509* x509Empty = NULL; + + XMEMSET(digest, 0, sizeof(digest)); + ExpectIntEQ(X509_pubkey_digest(NULL, wolfSSL_EVP_sha1(), digest, + &digestSz), WOLFSSL_FAILURE); + ExpectIntEQ(X509_pubkey_digest(x509ext, NULL, digest, &digestSz), + WOLFSSL_FAILURE); + ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha1(), NULL, + &digestSz), WOLFSSL_FAILURE); + ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha1(), digest, + NULL), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha1(), digest, + &digestSz), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_pubkey_digest(x509ext, wolfSSL_EVP_sha256(), digest, + &digestSz), WOLFSSL_SUCCESS); + + ExpectNotNull(x509Empty = wolfSSL_X509_new()); + ExpectIntEQ(X509_pubkey_digest(x509Empty, wolfSSL_EVP_sha256(), digest, + &digestSz), WOLFSSL_FAILURE); + wolfSSL_X509_free(x509Empty); } #endif /* !NO_SHA && !NO_SHA256 && !NO_PWDBASED */ /* test and checkout X509 extensions */ + ExpectNotNull(bc = (BASIC_CONSTRAINTS*)X509_get_ext_d2i(x509ext, + NID_basic_constraints, NULL, NULL)); + BASIC_CONSTRAINTS_free(bc); + bc = NULL; ExpectNotNull(bc = (BASIC_CONSTRAINTS*)X509_get_ext_d2i(x509ext, NID_basic_constraints, &crit, NULL)); ExpectIntEQ(crit, 0); #ifdef OPENSSL_ALL + ExpectNull(X509V3_EXT_i2d(NID_basic_constraints, crit, NULL)); + { + int i; + int unsupportedNid[] = { + 0, + NID_inhibit_any_policy, + NID_certificate_policies, + NID_policy_mappings, + NID_name_constraints, + NID_policy_constraints, + NID_crl_distribution_points + }; + int unsupportedNidCnt = (int)(sizeof(unsupportedNid) / + sizeof(*unsupportedNid)); + + for (i = 0; i < unsupportedNidCnt; i++) { + ExpectNotNull(ext = X509V3_EXT_i2d(unsupportedNid[i], crit, bc)); + X509_EXTENSION_free(ext); + ext = NULL; + } + } ExpectNotNull(ext = X509V3_EXT_i2d(NID_basic_constraints, crit, bc)); X509_EXTENSION_free(ext); ext = NULL; ExpectNotNull(ext = X509_EXTENSION_new()); - X509_EXTENSION_set_critical(ext, 1); + ExpectIntEQ(X509_EXTENSION_set_critical(NULL, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_EXTENSION_set_critical(ext, 1), WOLFSSL_SUCCESS); ExpectNotNull(obj = OBJ_nid2obj(NID_basic_constraints)); + ExpectIntEQ(X509_EXTENSION_set_object(NULL, NULL), SSL_FAILURE); + ExpectIntEQ(X509_EXTENSION_set_object(NULL, obj), SSL_FAILURE); + ExpectIntEQ(X509_EXTENSION_set_object(ext, NULL), SSL_SUCCESS); + ExpectIntEQ(X509_EXTENSION_set_object(ext, obj), SSL_SUCCESS); + /* Check old object is being freed. */ ExpectIntEQ(X509_EXTENSION_set_object(ext, obj), SSL_SUCCESS); ASN1_OBJECT_free(obj); obj = NULL; @@ -56486,10 +56900,16 @@ static int test_wolfSSL_certs(void) ext = NULL; ExpectNotNull(ext = X509_EXTENSION_new()); - X509_EXTENSION_set_critical(ext, 0); - ExpectIntEQ(X509_EXTENSION_set_data(ext, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, NID_key_usage, &crit, - NULL); + ExpectIntEQ(X509_EXTENSION_set_critical(ext, 0), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_EXTENSION_set_data(ext, NULL), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, + NID_key_usage, NULL, NULL)); + ASN1_STRING_free(asn1_str); + asn1_str = NULL; + ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, + NID_key_usage, &crit, NULL)); + ExpectIntEQ(X509_EXTENSION_set_data(ext, asn1_str), SSL_SUCCESS); ExpectIntEQ(X509_EXTENSION_set_data(ext, asn1_str), SSL_SUCCESS); ASN1_STRING_free(asn1_str); /* X509_EXTENSION_set_data has made a copy * and X509_get_ext_d2i has created new */ @@ -56498,9 +56918,14 @@ static int test_wolfSSL_certs(void) ext = NULL; #endif + BASIC_CONSTRAINTS_free(NULL); BASIC_CONSTRAINTS_free(bc); bc = NULL; + ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, + NID_key_usage, NULL, NULL)); + ASN1_STRING_free(asn1_str); + asn1_str = NULL; ExpectNotNull(asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, NID_key_usage, &crit, NULL)); ExpectIntEQ(crit, 1); @@ -56514,6 +56939,11 @@ static int test_wolfSSL_certs(void) asn1_str = NULL; #ifdef OPENSSL_ALL + ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, + NID_ext_key_usage, NULL, NULL)); + EXTENDED_KEY_USAGE_free(NULL); + EXTENDED_KEY_USAGE_free(sk); + sk = NULL; ExpectNotNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509, NID_ext_key_usage, &crit, NULL)); ExpectNotNull(ext = X509V3_EXT_i2d(NID_ext_key_usage, crit, sk)); @@ -56527,6 +56957,11 @@ static int test_wolfSSL_certs(void) ExpectNull(sk); #endif + ExpectNotNull(akey = (AUTHORITY_KEYID*)X509_get_ext_d2i(x509ext, + NID_authority_key_identifier, NULL, NULL)); + wolfSSL_AUTHORITY_KEYID_free(NULL); + wolfSSL_AUTHORITY_KEYID_free(akey); + akey = NULL; ExpectNotNull(akey = (AUTHORITY_KEYID*)X509_get_ext_d2i(x509ext, NID_authority_key_identifier, &crit, NULL)); #ifdef OPENSSL_ALL @@ -56538,6 +56973,21 @@ static int test_wolfSSL_certs(void) wolfSSL_AUTHORITY_KEYID_free(akey); akey = NULL; + ExpectNotNull(skid = (WOLFSSL_STACK*)X509_get_ext_d2i(x509ext, + NID_subject_key_identifier, NULL, NULL)); + wolfSSL_sk_ASN1_OBJECT_pop_free(skid, wolfSSL_ASN1_OBJECT_free); + skid = NULL; + ExpectNotNull(skid = (WOLFSSL_STACK*)X509_get_ext_d2i(x509ext, + NID_subject_key_identifier, &crit, NULL)); +#ifdef OPENSSL_ALL + ExpectNotNull(ext = X509V3_EXT_i2d(NID_subject_key_identifier, crit, + skid)); + X509_EXTENSION_free(ext); + ext = NULL; +#endif + wolfSSL_sk_ASN1_OBJECT_pop_free(skid, wolfSSL_ASN1_OBJECT_free); + skid = NULL; + /* NID not yet supported */ ExpectNull(sk = (STACK_OF(ASN1_OBJECT)*)X509_get_ext_d2i(x509ext, NID_private_key_usage_period, &crit, NULL)); @@ -56545,6 +56995,10 @@ static int test_wolfSSL_certs(void) sk_ASN1_OBJECT_free(sk); sk = NULL; + ExpectNotNull(sk = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x509ext, + NID_subject_alt_name, NULL, NULL)); + sk_GENERAL_NAME_free(sk); + sk = NULL; ExpectNotNull(sk = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x509ext, NID_subject_alt_name, &crit, NULL)); { @@ -57683,7 +58137,7 @@ static int test_wolfSSL_PEM_file_RSAPrivateKey(void) RSA* rsa = NULL; XFILE f = NULL; - ExpectTrue((f = XFOPEN(svrKeyFile, "r")) != XBADFILE); + ExpectTrue((f = XFOPEN(svrKeyFile, "rb")) != XBADFILE); ExpectNotNull((rsa = PEM_read_RSAPrivateKey(f, NULL, NULL, NULL))); ExpectIntEQ(RSA_size(rsa), 256); if (f != XBADFILE) { @@ -57701,7 +58155,7 @@ static int test_wolfSSL_PEM_file_RSAPrivateKey(void) RSA_free(rsa); #ifdef HAVE_ECC - ExpectTrue((f = XFOPEN(eccKeyFile, "r")) != XBADFILE); + ExpectTrue((f = XFOPEN(eccKeyFile, "rb")) != XBADFILE); ExpectNull((rsa = PEM_read_RSAPrivateKey(f, NULL, NULL, NULL))); if (f != XBADFILE) XFCLOSE(f); @@ -59380,6 +59834,7 @@ static int test_wolfSSL_X509_Name_canon(void) /* When output buffer is NULL, should return necessary output buffer * length.*/ + ExpectIntEQ(wolfSSL_i2d_X509_NAME_canon(NULL, NULL), BAD_FUNC_ARG); ExpectIntGT(wolfSSL_i2d_X509_NAME_canon(name, NULL), 0); ExpectIntGT((len = (word32)wolfSSL_i2d_X509_NAME_canon(name, &pbuf)), 0); ExpectIntEQ(wc_ShaHash((const byte*)pbuf, (word32)len, digest), 0); @@ -59448,7 +59903,13 @@ static int test_wolfSSL_X509_LOOKUP_ctrl_hash_dir(void) ExpectNotNull((str = wolfSSL_X509_STORE_new())); ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_DIR, "", - SSL_FILETYPE_PEM,NULL), 0); + SSL_FILETYPE_PEM, NULL), 0); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_ADD_STORE, "", + SSL_FILETYPE_PEM, NULL), WOLFSSL_NOT_IMPLEMENTED); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_LOAD_STORE, "", + SSL_FILETYPE_PEM, NULL), WOLFSSL_NOT_IMPLEMENTED); + ExpectIntEQ(X509_LOOKUP_ctrl(lookup, 0, "", + SSL_FILETYPE_PEM, NULL), WOLFSSL_FAILURE); /* free store */ X509_STORE_free(str); @@ -59537,6 +59998,14 @@ static int test_wolfSSL_X509_LOOKUP_ctrl_file(void) ExpectNotNull(ctx = X509_STORE_CTX_new()); ExpectNotNull((str = wolfSSL_X509_STORE_new())); ExpectNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); + ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, NULL, + WOLFSSL_FILETYPE_PEM), 0); + ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(lookup, NULL, + WOLFSSL_FILETYPE_PEM), 0); + ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, caCertFile, + WOLFSSL_FILETYPE_PEM), 0); + ExpectIntEQ(wolfSSL_X509_load_cert_crl_file(NULL, der , + WOLFSSL_FILETYPE_PEM), 0); ExpectIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, caCertFile, SSL_FILETYPE_PEM,NULL), 1); ExpectNotNull(sk = wolfSSL_CertManagerGetCerts(str->cm)); @@ -59555,8 +60024,12 @@ static int test_wolfSSL_X509_LOOKUP_ctrl_file(void) ExpectNull(X509_STORE_CTX_get0_current_issuer(NULL)); issuer = X509_STORE_CTX_get0_current_issuer(ctx); - ExpectNotNull(issuer); + ExpectNull(issuer); + ExpectIntEQ(X509_verify_cert(ctx), 1); + + issuer = X509_STORE_CTX_get0_current_issuer(ctx); + ExpectNotNull(issuer); caName = X509_get_subject_name(x509Ca); ExpectNotNull(caName); issuerName = X509_get_subject_name(issuer); @@ -59565,7 +60038,6 @@ static int test_wolfSSL_X509_LOOKUP_ctrl_file(void) ExpectIntEQ(cmp, 0); /* load der format */ - X509_free(issuer); issuer = NULL; X509_STORE_CTX_free(ctx); ctx = NULL; @@ -59643,7 +60115,7 @@ static int test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup(void) return res; } -static int test_wolfSSL_X509_STORE_CTX_get0_current_issuer(void) +static int test_wolfSSL_X509_STORE_CTX_get_issuer(void) { EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) @@ -59665,16 +60137,23 @@ static int test_wolfSSL_X509_STORE_CTX_get0_current_issuer(void) ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x509Svr, NULL), SSL_SUCCESS); + /* Issuer0 is not set until chain is built for verification */ ExpectNull(X509_STORE_CTX_get0_current_issuer(NULL)); - ExpectNotNull(issuer = X509_STORE_CTX_get0_current_issuer(ctx)); + ExpectNull(issuer = X509_STORE_CTX_get0_current_issuer(ctx)); + + /* Issuer1 will use the store to make a new issuer */ + ExpectIntEQ(X509_STORE_CTX_get1_issuer(&issuer, ctx, x509Svr), 1); + ExpectNotNull(issuer); + X509_free(issuer); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(issuer = X509_STORE_CTX_get0_current_issuer(ctx)); ExpectNotNull(caName = X509_get_subject_name(x509Ca)); ExpectNotNull(issuerName = X509_get_subject_name(issuer)); #ifdef WOLFSSL_SIGNER_DER_CERT ExpectIntEQ(X509_NAME_cmp(caName, issuerName), 0); #endif - X509_free(issuer); X509_STORE_CTX_free(ctx); X509_free(x509Svr); X509_STORE_free(str); @@ -59821,11 +60300,9 @@ static int test_wolfSSL_X509_STORE_CTX(void) ExpectNotNull((ctx = X509_STORE_CTX_new())); ExpectIntEQ(X509_STORE_CTX_init(ctx, str, x5092, sk), 1); ExpectNull((sk2 = X509_STORE_CTX_get_chain(NULL))); - ExpectNotNull((sk2 = X509_STORE_CTX_get_chain(ctx))); - ExpectIntEQ(sk_num(sk2), 1); /* sanity, make sure chain has 1 cert */ + ExpectNull((sk2 = X509_STORE_CTX_get_chain(ctx))); ExpectNull((sk3 = X509_STORE_CTX_get1_chain(NULL))); - ExpectNotNull((sk3 = X509_STORE_CTX_get1_chain(ctx))); - ExpectIntEQ(sk_num(sk3), 1); /* sanity, make sure chain has 1 cert */ + ExpectNull((sk3 = X509_STORE_CTX_get1_chain(ctx))); X509_STORE_CTX_free(ctx); ctx = NULL; X509_STORE_free(str); @@ -59892,6 +60369,424 @@ static int test_wolfSSL_X509_STORE_CTX(void) return EXPECT_RESULT(); } +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + +typedef struct { + const char *caFile; + const char *caIntFile; + const char *caInt2File; + const char *leafFile; + X509 *x509Ca; + X509 *x509CaInt; + X509 *x509CaInt2; + X509 *x509Leaf; + STACK_OF(X509)* expectedChain; +} X509_STORE_test_data; + +static X509 * test_wolfSSL_X509_STORE_CTX_ex_helper(const char *file) +{ + XFILE fp = XBADFILE; + X509 *x = NULL; + + fp = XFOPEN(file, "rb"); + if (fp == NULL) { + return NULL; + } + x = PEM_read_X509(fp, 0, 0, 0); + XFCLOSE(fp); + + return x; +} + +static int test_wolfSSL_X509_STORE_CTX_ex1(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + int i = 0; + + /* Test case 1, add X509 certs to store and verify */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex2(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + int i = 0; + + /* Test case 2, add certs by filename to store and verify */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_load_locations( + store, testData->caFile, NULL), 1); + ExpectIntEQ(X509_STORE_load_locations( + store, testData->caIntFile, NULL), 1); + ExpectIntEQ(X509_STORE_load_locations( + store, testData->caInt2File, NULL), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex3(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + int i = 0; + + /* Test case 3, mix and match X509 with files */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectIntEQ(X509_STORE_load_locations( + store, testData->caFile, NULL), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex4(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + STACK_OF(X509)* inter = NULL; + int i = 0; + + /* Test case 4, CA loaded by file, intermediates passed on init */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_load_locations( + store, testData->caFile, NULL), 1); + ExpectNotNull(inter = sk_X509_new_null()); + ExpectIntGE(sk_X509_push(inter, testData->x509CaInt), 1); + ExpectIntGE(sk_X509_push(inter, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, inter), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + sk_X509_free(inter); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex5(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + STACK_OF(X509)* trusted = NULL; + int i = 0; + + /* Test case 5, manually set trusted stack */ + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(trusted = sk_X509_new_null()); + ExpectIntGE(sk_X509_push(trusted, testData->x509Ca), 1); + ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt), 1); + ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + X509_STORE_CTX_trusted_stack(ctx, trusted); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + sk_X509_free(trusted); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex6(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + STACK_OF(X509)* trusted = NULL; + STACK_OF(X509)* inter = NULL; + int i = 0; + + /* Test case 6, manually set trusted stack will be unified with + * any intermediates provided on init */ + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(trusted = sk_X509_new_null()); + ExpectNotNull(inter = sk_X509_new_null()); + ExpectIntGE(sk_X509_push(trusted, testData->x509Ca), 1); + ExpectIntGE(sk_X509_push(inter, testData->x509CaInt), 1); + ExpectIntGE(sk_X509_push(inter, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, inter), 1); + X509_STORE_CTX_trusted_stack(ctx, trusted); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + sk_X509_free(trusted); + sk_X509_free(inter); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex7(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + int i = 0; + + /* Test case 7, certs added to store after ctx init are still used */ + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex8(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + int i = 0; + + /* Test case 8, Only full chain verifies */ + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + ExpectIntEQ(sk_X509_num(chain), sk_X509_num(testData->expectedChain)); + for (i = 0; i < sk_X509_num(chain); i++) { + ExpectIntEQ(X509_cmp(sk_X509_value(chain, i), + sk_X509_value(testData->expectedChain, i)), 0); + } + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex9(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + X509_STORE_CTX* ctx2 = NULL; + STACK_OF(X509)* trusted = NULL; + + /* Test case 9, certs added to store should not be reflected in ctx that + * has been manually set with a trusted stack, but are reflected in ctx + * that has not set trusted stack */ + ExpectNotNull(store = X509_STORE_new()); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull(ctx2 = X509_STORE_CTX_new()); + ExpectNotNull(trusted = sk_X509_new_null()); + ExpectIntGE(sk_X509_push(trusted, testData->x509Ca), 1); + ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt), 1); + ExpectIntGE(sk_X509_push(trusted, testData->x509CaInt2), 1); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + ExpectIntEQ(X509_STORE_CTX_init(ctx2, store, testData->x509Leaf, NULL), 1); + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntNE(X509_verify_cert(ctx2), 1); + X509_STORE_CTX_trusted_stack(ctx, trusted); + /* CTX1 should now verify */ + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectIntNE(X509_verify_cert(ctx2), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509Ca), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + /* CTX2 should now verify */ + ExpectIntEQ(X509_verify_cert(ctx2), 1); + X509_STORE_CTX_free(ctx); + X509_STORE_CTX_free(ctx2); + X509_STORE_free(store); + sk_X509_free(trusted); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex10(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + + /* Test case 10, ensure partial chain flag works */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + /* Fails because chain is incomplete */ + ExpectIntNE(X509_verify_cert(ctx), 1); + ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN), 1); + /* Partial chain now OK */ + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_STORE_CTX_ex11(X509_STORE_test_data *testData) +{ + EXPECT_DECLS; + X509_STORE* store = NULL; + X509_STORE_CTX* ctx = NULL; + STACK_OF(X509)* chain = NULL; + + /* Test case 11, test partial chain flag on ctx itself */ + ExpectNotNull(store = X509_STORE_new()); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1); + ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1); + /* Fails because chain is incomplete */ + ExpectIntNE(X509_verify_cert(ctx), 1); + X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_PARTIAL_CHAIN); + /* Partial chain now OK */ + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx)); + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return EXPECT_RESULT(); +} +#endif + +static int test_wolfSSL_X509_STORE_CTX_ex(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + !defined(NO_FILESYSTEM) && !defined(NO_RSA) + X509_STORE_test_data testData; + XMEMSET((void *)&testData, 0, sizeof(X509_STORE_test_data)); + testData.caFile = "./certs/ca-cert.pem"; + testData.caIntFile = "./certs/intermediate/ca-int-cert.pem"; + testData.caInt2File = "./certs/intermediate/ca-int2-cert.pem"; + testData.leafFile = "./certs/intermediate/server-chain.pem"; + + ExpectNotNull(testData.x509Ca = \ + test_wolfSSL_X509_STORE_CTX_ex_helper(testData.caFile)); + ExpectNotNull(testData.x509CaInt = \ + test_wolfSSL_X509_STORE_CTX_ex_helper(testData.caIntFile)); + ExpectNotNull(testData.x509CaInt2 = \ + test_wolfSSL_X509_STORE_CTX_ex_helper(testData.caInt2File)); + ExpectNotNull(testData.x509Leaf = \ + test_wolfSSL_X509_STORE_CTX_ex_helper(testData.leafFile)); + ExpectNotNull(testData.expectedChain = sk_X509_new_null()); + ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509Leaf), 1); + ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509CaInt2), 1); + ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509CaInt), 1); + ExpectIntGE(sk_X509_push(testData.expectedChain, testData.x509Ca), 1); + + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex1(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex2(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex3(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex4(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex5(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex6(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex7(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex8(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex9(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex10(&testData), 1); + ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex11(&testData), 1); + + if(testData.x509Ca) { + X509_free(testData.x509Ca); + } + if(testData.x509CaInt) { + X509_free(testData.x509CaInt); + } + if(testData.x509CaInt2) { + X509_free(testData.x509CaInt2); + } + if(testData.x509Leaf) { + X509_free(testData.x509Leaf); + } + if (testData.expectedChain) { + sk_X509_free(testData.expectedChain); + } + +#endif /* defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + * !defined(NO_FILESYSTEM) && !defined(NO_RSA) */ + + return EXPECT_RESULT(); +} + + #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) static int test_X509_STORE_untrusted_load_cert_to_stack(const char* filename, STACK_OF(X509)* chain) @@ -59914,6 +60809,75 @@ static int test_X509_STORE_untrusted_load_cert_to_stack(const char* filename, return EXPECT_RESULT(); } +#if defined(OPENSSL_ALL) + +static int last_errcode; +static int last_errdepth; + +static int X509Callback(int ok, X509_STORE_CTX *ctx) +{ + + if (!ok) { + last_errcode = X509_STORE_CTX_get_error(ctx); + last_errdepth = X509_STORE_CTX_get_error_depth(ctx); + } + /* Always return OK to allow verification to continue.*/ + return 1; +} + +static int test_X509_STORE_InvalidCa(void) +{ + EXPECT_DECLS; + const char* filename = "./certs/intermediate/ca_false_intermediate/" + "test_int_not_cacert.pem"; + const char* srvfile = "./certs/intermediate/ca_false_intermediate/" + "test_sign_bynoca_srv.pem"; + X509_STORE_CTX* ctx = NULL; + X509_STORE* str = NULL; + XFILE fp = XBADFILE; + X509* cert = NULL; + STACK_OF(X509)* untrusted = NULL; + + last_errcode = 0; + last_errdepth = 0; + + ExpectTrue((fp = XFOPEN(srvfile, "rb")) + != XBADFILE); + ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + + ExpectNotNull(str = X509_STORE_new()); + ExpectNotNull(ctx = X509_STORE_CTX_new()); + ExpectNotNull(untrusted = sk_X509_new_null()); + + /* create cert chain stack */ + ExpectIntEQ(test_X509_STORE_untrusted_load_cert_to_stack(filename, + untrusted), TEST_SUCCESS); + + X509_STORE_set_verify_cb(str, X509Callback); + + ExpectIntEQ(X509_STORE_load_locations(str, + "./certs/intermediate/ca_false_intermediate/test_ca.pem", + NULL), 1); + + ExpectIntEQ(X509_STORE_CTX_init(ctx, str, cert, untrusted), 1); + ExpectIntEQ(X509_verify_cert(ctx), 1); + ExpectIntEQ(last_errcode, X509_V_ERR_INVALID_CA); + + X509_free(cert); + X509_STORE_free(str); + X509_STORE_CTX_free(ctx); + sk_X509_pop_free(untrusted, NULL); + + return EXPECT_RESULT(); +} +#endif /* OPENSSL_ALL */ + + + static int test_X509_STORE_untrusted_certs(const char** filenames, int ret, int err, int loadCA) { @@ -59994,9 +60958,15 @@ static int test_X509_STORE_untrusted(void) /* Succeeds because path to loaded CA is available. */ ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted2, 1, 0, 1), TEST_SUCCESS); - /* Fails because root CA is in the untrusted stack */ + /* Root CA in untrusted chain is OK so long as CA has been loaded + * properly */ + ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 1), + TEST_SUCCESS); + /* Still needs properly loaded CA, while including it in untrusted + * list is not an error, it also doesn't count for verify */ ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 0, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 0), TEST_SUCCESS); + X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 0), + TEST_SUCCESS); /* Succeeds because path to loaded CA is available. */ ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted4, 1, 0, 1), TEST_SUCCESS); @@ -60173,6 +61143,9 @@ static int test_wolfSSL_X509_VERIFY_PARAM_set1_host(void) if (pParam != NULL) { XMEMSET(pParam, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + ExpectIntEQ(X509_VERIFY_PARAM_set1_host(NULL, host, sizeof(host)), + WOLFSSL_FAILURE); + X509_VERIFY_PARAM_set1_host(pParam, host, sizeof(host)); ExpectIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); @@ -60242,6 +61215,21 @@ static int test_wolfSSL_X509_VERIFY_PARAM_set1_ip(void) ExpectNotNull(param = X509_VERIFY_PARAM_new()); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 16), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 4), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, NULL, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, buf, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 16), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 4), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 16), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 4), WOLFSSL_FAILURE); + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(NULL, buf, 0), WOLFSSL_FAILURE); + + ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, NULL, 0), WOLFSSL_SUCCESS); + /* test 127.0.0.1 */ buf[0] =0x7f; buf[1] = 0; buf[2] = 0; buf[3] = 1; ExpectIntEQ(X509_VERIFY_PARAM_set1_ip(param, &buf[0], 4), SSL_SUCCESS); @@ -60354,6 +61342,8 @@ static int test_wolfSSL_CTX_set_client_CA_list(void) ExpectNotNull(ca_list = SSL_CTX_get_client_CA_list(ctx)); ExpectIntEQ(sk_X509_NAME_num(ca_list), sk_X509_NAME_num(names)); + ExpectIntEQ(sk_X509_NAME_find(NULL, name), BAD_FUNC_ARG); + ExpectIntEQ(sk_X509_NAME_find(names, NULL), WOLFSSL_FATAL_ERROR); ExpectIntGT((names_len = sk_X509_NAME_num(names)), 0); for (i = 0; i < names_len; i++) { ExpectNotNull(name = sk_X509_NAME_value(names, i)); @@ -60654,7 +61644,7 @@ static int test_wolfSSL_Tls12_Key_Logging_test(void) &server_cbf, NULL), TEST_SUCCESS); /* check if the keylog file exists */ - ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "r")) != XBADFILE); + ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "rb")) != XBADFILE); XFFLUSH(fp); /* Just to make sure any buffers get flushed */ XMEMSET(buff, 0, sizeof(buff)); @@ -60719,7 +61709,7 @@ static int test_wolfSSL_Tls13_Key_Logging_test(void) int numfnd = 0; int i; - ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "r")) != XBADFILE); + ExpectTrue((fp = XFOPEN("./MyKeyLog.txt", "rb")) != XBADFILE); while (EXPECT_SUCCESS() && XFGETS(buff, (int)sizeof(buff), fp) != NULL) { @@ -61009,7 +61999,7 @@ static int test_wolfSSL_X509_NID(void) #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ !defined(NO_RSA) && defined(USE_CERT_BUFFERS_2048) && !defined(NO_ASN) int sigType; - int nameSz; + int nameSz = 0; X509* cert = NULL; EVP_PKEY* pubKeyTmp = NULL; @@ -61034,11 +62024,15 @@ static int test_wolfSSL_X509_NID(void) ExpectNotNull(pubKeyTmp = X509_get_pubkey(cert)); /* extract signatureType */ + ExpectIntEQ(wolfSSL_X509_get_signature_type(NULL), 0); ExpectIntNE((sigType = wolfSSL_X509_get_signature_type(cert)), 0); /* extract subjectName info */ ExpectNotNull(name = X509_get_subject_name(cert)); ExpectIntEQ(X509_NAME_get_text_by_NID(name, -1, NULL, 0), -1); + ExpectIntEQ(X509_NAME_get_text_by_NID(NULL, NID_commonName, NULL, 0), -1); + ExpectIntEQ(X509_NAME_get_text_by_NID(name, NID_commonName, + commonName, -2), 0); ExpectIntGT((nameSz = X509_NAME_get_text_by_NID(name, NID_commonName, NULL, 0)), 0); ExpectIntEQ(nameSz, 15); @@ -61368,6 +62362,14 @@ static int test_X509_STORE_get0_objects(void) #else ExpectIntEQ(sk_X509_OBJECT_num(objs), 0); #endif +#endif + ExpectIntEQ(sk_X509_OBJECT_num(NULL), 0); + ExpectNull(sk_X509_OBJECT_value(NULL, 0)); + ExpectNull(sk_X509_OBJECT_value(NULL, 1)); + ExpectNull(sk_X509_OBJECT_value(objs, sk_X509_OBJECT_num(objs))); + ExpectNull(sk_X509_OBJECT_value(objs, sk_X509_OBJECT_num(objs) + 1)); +#ifndef NO_WOLFSSL_STUB + ExpectNull(sk_X509_OBJECT_delete(objs, 0)); #endif for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { obj = (X509_OBJECT*)sk_X509_OBJECT_value(objs, i); @@ -61376,6 +62378,8 @@ static int test_X509_STORE_get0_objects(void) { X509* x509 = NULL; X509_NAME *subj_name = NULL; + ExpectNull(X509_OBJECT_get0_X509_CRL(NULL)); + ExpectNull(X509_OBJECT_get0_X509_CRL(obj)); ExpectNotNull(x509 = X509_OBJECT_get0_X509(obj)); ExpectIntEQ(X509_STORE_add_cert(store_cpy, x509), WOLFSSL_SUCCESS); ExpectNotNull(subj_name = X509_get_subject_name(x509)); @@ -61387,6 +62391,8 @@ static int test_X509_STORE_get0_objects(void) #ifdef HAVE_CRL { X509_CRL* crl = NULL; + ExpectNull(X509_OBJECT_get0_X509(NULL)); + ExpectNull(X509_OBJECT_get0_X509(obj)); ExpectNotNull(crl = X509_OBJECT_get0_X509_CRL(obj)); ExpectIntEQ(X509_STORE_add_crl(store_cpy, crl), WOLFSSL_SUCCESS); break; @@ -61402,6 +62408,14 @@ static int test_X509_STORE_get0_objects(void) X509_STORE_free(store_cpy); SSL_CTX_free(ctx); + + wolfSSL_sk_X509_OBJECT_free(NULL); + objs = NULL; + ExpectNotNull(objs = wolfSSL_sk_X509_OBJECT_new()); + ExpectIntEQ(wolfSSL_sk_X509_OBJECT_push(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_sk_X509_OBJECT_push(objs, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_sk_X509_OBJECT_push(NULL, obj), WOLFSSL_FAILURE); + wolfSSL_sk_X509_OBJECT_free(objs); #endif return EXPECT_RESULT(); } @@ -63452,6 +64466,7 @@ static int test_wolfSSL_X509_cmp_time(void) ExpectIntEQ(ASN1_TIME_set_string(&asn_time, "000222211515Z"), 1); ExpectIntEQ(-1, wolfSSL_X509_cmp_time(&asn_time, NULL)); + ExpectIntEQ(-1, wolfSSL_X509_cmp_current_time(&asn_time)); #endif return EXPECT_RESULT(); } @@ -64068,8 +65083,18 @@ static int test_wolfSSL_X509(void) #endif char der[] = "certs/ca-cert.der"; XFILE fp = XBADFILE; + int derSz = 0; + +#ifndef NO_BIO + ExpectNotNull(bio = BIO_new(BIO_s_mem())); +#endif ExpectNotNull(x509 = X509_new()); + ExpectNull(wolfSSL_X509_get_der(x509, &derSz)); +#if !defined(NO_BIO) && defined(WOLFSSL_CERT_GEN) + ExpectIntEQ(i2d_X509_bio(bio, x509), WOLFSSL_FAILURE); +#endif + ExpectNull(wolfSSL_X509_dup(x509)); X509_free(x509); x509 = NULL; @@ -64077,33 +65102,65 @@ static int test_wolfSSL_X509(void) ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); - ExpectNotNull(bio = BIO_new(BIO_s_mem())); - #ifdef WOLFSSL_CERT_GEN + ExpectIntEQ(i2d_X509_bio(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(i2d_X509_bio(bio, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(i2d_X509_bio(NULL, x509), WOLFSSL_FAILURE); ExpectIntEQ(i2d_X509_bio(bio, x509), SSL_SUCCESS); #endif ExpectNotNull(ctx = X509_STORE_CTX_new()); ExpectIntEQ(X509_verify_cert(ctx), WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectNotNull(wolfSSL_X509_verify_cert_error_string(CRL_MISSING)); ExpectNotNull(store = X509_STORE_new()); ExpectIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS); ExpectIntEQ(X509_STORE_CTX_init(ctx, store, x509, NULL), SSL_SUCCESS); ExpectIntEQ(X509_verify_cert(ctx), SSL_SUCCESS); +#ifndef NO_WOLFSSL_STUB + ExpectNull(X509_get_default_cert_file_env()); + ExpectNull(X509_get_default_cert_file()); + ExpectNull(X509_get_default_cert_dir_env()); + ExpectNull(X509_get_default_cert_dir()); +#endif + + ExpectNull(wolfSSL_X509_get_der(NULL, NULL)); + ExpectNull(wolfSSL_X509_get_der(x509, NULL)); + ExpectNull(wolfSSL_X509_get_der(NULL, &derSz)); + + ExpectIntEQ(wolfSSL_X509_version(NULL), 0); + ExpectIntEQ(wolfSSL_X509_version(x509), 3); X509_STORE_CTX_free(ctx); X509_STORE_free(store); X509_free(x509); x509 = NULL; BIO_free(bio); + bio = NULL; #endif /** d2i_X509_fp test **/ ExpectTrue((fp = XFOPEN(der, "rb")) != XBADFILE); ExpectNotNull(x509 = (X509 *)d2i_X509_fp(fp, (X509 **)NULL)); ExpectNotNull(x509); + +#ifdef HAVE_EX_DATA_CRYPTO + ExpectIntEQ(wolfSSL_X509_get_ex_new_index(1, NULL, NULL, NULL, NULL), 0); +#endif + ExpectNull(wolfSSL_X509_get_ex_data(NULL, 1)); + ExpectNull(wolfSSL_X509_get_ex_data(x509, 1)); +#ifdef HAVE_EX_DATA + ExpectIntEQ(wolfSSL_X509_set_ex_data(NULL, 1, der), 0); + ExpectIntEQ(wolfSSL_X509_set_ex_data(x509, 1, der), 1); + ExpectPtrEq(wolfSSL_X509_get_ex_data(x509, 1), der); +#else + ExpectIntEQ(wolfSSL_X509_set_ex_data(NULL, 1, der), 0); + ExpectIntEQ(wolfSSL_X509_set_ex_data(x509, 1, der), 0); + ExpectNull(wolfSSL_X509_get_ex_data(x509, 1)); +#endif + X509_free(x509); x509 = NULL; if (fp != XBADFILE) { @@ -64111,12 +65168,24 @@ static int test_wolfSSL_X509(void) fp = XBADFILE; } ExpectTrue((fp = XFOPEN(der, "rb")) != XBADFILE); + ExpectNull((X509 *)d2i_X509_fp(XBADFILE, (X509 **)&x509)); ExpectNotNull((X509 *)d2i_X509_fp(fp, (X509 **)&x509)); ExpectNotNull(x509); X509_free(x509); + x509 = NULL; if (fp != XBADFILE) XFCLOSE(fp); +#ifndef NO_BIO + ExpectNotNull(bio = BIO_new_file(der, "rb")); + ExpectNull(d2i_X509_bio(NULL, &x509)); + ExpectNotNull(x509 = d2i_X509_bio(bio, NULL)); + ExpectNotNull(x509); + X509_free(x509); + BIO_free(bio); + bio = NULL; +#endif + /* X509_up_ref test */ ExpectIntEQ(X509_up_ref(NULL), 0); ExpectNotNull(x509 = X509_new()); /* refCount = 1 */ @@ -64125,6 +65194,7 @@ static int test_wolfSSL_X509(void) X509_free(x509); /* refCount = 2 */ X509_free(x509); /* refCount = 1 */ X509_free(x509); /* refCount = 0, free */ + #endif return EXPECT_RESULT(); } @@ -64141,6 +65211,10 @@ static int test_wolfSSL_X509_get_ext_count(void) /* NULL parameter check */ ExpectIntEQ(X509_get_ext_count(NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectIntEQ(X509_get_ext_count(x509), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + wolfSSL_X509_free(x509); + x509 = NULL; ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM)); @@ -64160,9 +65234,6 @@ static int test_wolfSSL_X509_get_ext_count(void) /* wolfSSL_X509_get_ext_count() valid input */ ExpectIntEQ((ret = wolfSSL_X509_get_ext_count(x509)), 5); - /* wolfSSL_X509_get_ext_count() NULL argument */ - ExpectIntEQ((ret = wolfSSL_X509_get_ext_count(NULL)), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); - wolfSSL_X509_free(x509); #endif return EXPECT_RESULT(); @@ -64327,9 +65398,16 @@ static int test_wolfSSL_X509_sign2(void) ExpectIntEQ(notAfter->length, 13); ExpectTrue(wolfSSL_X509_set_notBefore(x509, notBefore)); + ExpectTrue(wolfSSL_X509_set1_notBefore(x509, notBefore)); ExpectTrue(wolfSSL_X509_set_notAfter(x509, notAfter)); + ExpectTrue(wolfSSL_X509_set1_notAfter(x509, notAfter)); #endif + ExpectNull(wolfSSL_X509_notBefore(NULL)); + ExpectNotNull(wolfSSL_X509_notBefore(x509)); + ExpectNull(wolfSSL_X509_notAfter(NULL)); + ExpectNotNull(wolfSSL_X509_notAfter(x509)); + ExpectIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0); ExpectNotNull((der = wolfSSL_X509_get_der(x509, &derSz))); @@ -64359,6 +65437,7 @@ static int test_wolfSSL_X509_sign(void) char *cn = NULL; word32 cnSz = 0; X509_NAME *name = NULL; + X509_NAME *emptyName = NULL; X509 *x509 = NULL; X509 *ca = NULL; DecodedCert dCert; @@ -64382,6 +65461,11 @@ static int test_wolfSSL_X509_sign(void) #endif byte sn[16]; int snSz = sizeof(sn); + int sigSz = 0; +#ifndef NO_WOLFSSL_STUB + const WOLFSSL_ASN1_BIT_STRING* sig = NULL; + const WOLFSSL_X509_ALGOR* alg = NULL; +#endif /* Set X509_NAME fields */ ExpectNotNull(name = X509_NAME_new()); @@ -64397,6 +65481,7 @@ static int test_wolfSSL_X509_sign(void) clientKeySz)); ExpectNotNull(pub = wolfSSL_d2i_PUBKEY(NULL, &rsaPub, clientPubKeySz)); ExpectNotNull(x509 = X509_new()); + ExpectIntEQ(X509_sign(x509, priv, EVP_sha256()), 0); /* Set version 3 */ ExpectIntNE(X509_set_version(x509, 2L), 0); /* Set subject name, add pubkey, and sign certificate */ @@ -64405,6 +65490,9 @@ static int test_wolfSSL_X509_sign(void) name = NULL; ExpectIntEQ(X509_set_pubkey(x509, pub), SSL_SUCCESS); #ifdef WOLFSSL_ALT_NAMES + ExpectNull(wolfSSL_X509_get_next_altname(NULL)); + ExpectNull(wolfSSL_X509_get_next_altname(x509)); + /* Add some subject alt names */ ExpectIntNE(wolfSSL_X509_add_altname(NULL, "ipsum", ASN_DNS_TYPE), SSL_SUCCESS); @@ -64432,6 +65520,26 @@ static int test_wolfSSL_X509_sign(void) sizeof(ip6_type), ASN_IP_TYPE), SSL_SUCCESS); } #endif + + { + int i; + + if (x509 != NULL) { + x509->altNamesNext = x509->altNames; + } +#ifdef WOLFSSL_IP_ALT_NAME + /* No names in IP address. */ + ExpectNull(wolfSSL_X509_get_next_altname(x509)); + ExpectNull(wolfSSL_X509_get_next_altname(x509)); +#endif + for (i = 0; i < 3; i++) { + ExpectNotNull(wolfSSL_X509_get_next_altname(x509)); + } + ExpectNull(wolfSSL_X509_get_next_altname(x509)); +#ifdef WOLFSSL_MULTICIRCULATE_ALTNAMELIST + ExpectNotNull(wolfSSL_X509_get_next_altname(x509)); +#endif + } #endif /* WOLFSSL_ALT_NAMES */ { @@ -64443,6 +65551,22 @@ static int test_wolfSSL_X509_sign(void) /* test valid sign case */ ExpectIntGT(ret = X509_sign(x509, priv, EVP_sha256()), 0); + /* test getting signature */ +#ifndef NO_WOLFSSL_STUB + wolfSSL_X509_get0_signature(&sig, &alg, x509); +#endif + ExpectIntEQ(wolfSSL_X509_get_signature(x509, NULL, &sigSz), + WOLFSSL_SUCCESS); + ExpectIntGT(sigSz, 0); + ExpectIntEQ(wolfSSL_X509_get_signature(NULL, NULL, NULL), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(wolfSSL_X509_get_signature(x509, NULL, NULL), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(wolfSSL_X509_get_signature(NULL, NULL, &sigSz), + WOLFSSL_FATAL_ERROR); + sigSz = 0; + ExpectIntEQ(wolfSSL_X509_get_signature(x509, sn, &sigSz), + WOLFSSL_FATAL_ERROR); /* test valid X509_sign_ctx case */ ExpectNotNull(mctx = EVP_MD_CTX_new()); @@ -64491,15 +65615,37 @@ static int test_wolfSSL_X509_sign(void) InitDecodedCert(&dCert, certIssuer, (word32)certIssuerSz, 0); ExpectIntEQ(ParseCert(&dCert, CERT_TYPE, NO_VERIFY, NULL), 0); + ExpectNotNull(emptyName = X509_NAME_new()); ExpectNotNull(ca = d2i_X509(NULL, &certIssuer, (int)certIssuerSz)); + ExpectIntEQ(wolfSSL_X509_get_isCA(NULL), 0); + ExpectIntEQ(wolfSSL_X509_get_isCA(ca), 1); ExpectNotNull(name = X509_get_subject_name(ca)); - cnSz = X509_NAME_get_sz(name); + ExpectIntEQ(X509_NAME_get_sz(NULL), WOLFSSL_FATAL_ERROR); + ExpectIntGT(cnSz = X509_NAME_get_sz(name), 0); ExpectNotNull(cn = (char*)XMALLOC(cnSz, HEAP_HINT, DYNAMIC_TYPE_OPENSSL)); - ExpectNotNull(cn = X509_NAME_oneline(name, cn, (int)cnSz)); + ExpectNull(X509_NAME_oneline(NULL, cn, (int)cnSz)); + ExpectPtrEq(X509_NAME_oneline(name, cn, 0), cn); + ExpectPtrEq(X509_NAME_oneline(emptyName, cn, (int)cnSz), cn); + ExpectNull(X509_NAME_oneline(emptyName, NULL, 0)); + ExpectPtrEq(X509_NAME_oneline(name, cn, (int)cnSz), cn); ExpectIntEQ(0, XSTRNCMP(cn, dCert.subject, XSTRLEN(cn))); XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); cn = NULL; +#if defined(XSNPRINTF) + ExpectNull(wolfSSL_X509_get_name_oneline(NULL, NULL, 0)); + ExpectNotNull(cn = wolfSSL_X509_get_name_oneline(name, NULL, 0)); + ExpectIntGT((int)(cnSz = (word32)XSTRLEN(cn) + 1), 0); + ExpectPtrEq(wolfSSL_X509_get_name_oneline(name, cn, (int)cnSz), cn); + ExpectNull(wolfSSL_X509_get_name_oneline(NULL, cn, (int)cnSz)); + ExpectNull(wolfSSL_X509_get_name_oneline(name, cn, cnSz - 1)); + ExpectPtrEq(wolfSSL_X509_get_name_oneline(name, cn, (int)cnSz), cn); + ExpectPtrEq(wolfSSL_X509_get_name_oneline(emptyName, cn, (int)cnSz), cn); + XFREE(cn, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); + cn = NULL; +#endif + X509_NAME_free(emptyName); + #ifdef WOLFSSL_MULTI_ATTRIB /* test adding multiple OU's to the signer */ ExpectNotNull(name = X509_get_subject_name(ca)); @@ -64585,6 +65731,7 @@ static int test_wolfSSL_X509_ALGOR_get0(void) const void *ppval = NULL; byte* der = NULL; const byte* tmp = NULL; + const byte badObj[] = { 0x06, 0x00 }; ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); @@ -64595,6 +65742,7 @@ static int test_wolfSSL_X509_ALGOR_get0(void) ExpectNull(obj); /* Valid case */ + X509_ALGOR_get0(NULL, NULL, NULL, alg); X509_ALGOR_get0(&obj, &pptype, &ppval, alg); ExpectNotNull(obj); ExpectNull(ppval); @@ -64602,13 +65750,24 @@ static int test_wolfSSL_X509_ALGOR_get0(void) /* Make sure NID of X509_ALGOR is Sha256 with RSA */ ExpectIntEQ(OBJ_obj2nid(obj), NID_sha256WithRSAEncryption); + ExpectIntEQ(i2d_X509_ALGOR(NULL, NULL), WOLFSSL_FATAL_ERROR); ExpectIntEQ(i2d_X509_ALGOR(alg, &der), 15); + ExpectNull(d2i_X509_ALGOR(NULL, NULL, 0)); + /* tmp is NULL. */ + ExpectNull(d2i_X509_ALGOR(NULL, &tmp, 0)); + tmp = badObj; + ExpectNull(d2i_X509_ALGOR(NULL, &tmp, (long)sizeof(badObj))); + tmp = der; + ExpectNull(d2i_X509_ALGOR(NULL, &tmp, 0)); + ExpectNotNull(d2i_X509_ALGOR(&alg2, &tmp, 15)); tmp = der; ExpectNotNull(d2i_X509_ALGOR(&alg2, &tmp, 15)); XFREE(der, NULL, DYNAMIC_TYPE_ASN1); X509_free(x509); + X509_ALGOR_free(NULL); X509_ALGOR_free(alg2); + alg2 = NULL; #endif return EXPECT_RESULT(); } @@ -64724,14 +65883,22 @@ static int test_wolfSSL_X509_VERIFY_PARAM(void) ExpectIntEQ(X509_VERIFY_PARAM_set_flags(paramTo, X509_V_FLAG_CRL_CHECK_ALL), 1); + ExpectIntEQ(X509_VERIFY_PARAM_get_flags(NULL), 0); ExpectIntEQ(X509_VERIFY_PARAM_get_flags(paramTo), X509_V_FLAG_CRL_CHECK_ALL); + ExpectIntEQ(X509_VERIFY_PARAM_clear_flags(NULL, X509_V_FLAG_CRL_CHECK_ALL), + WOLFSSL_FAILURE); ExpectIntEQ(X509_VERIFY_PARAM_clear_flags(paramTo, X509_V_FLAG_CRL_CHECK_ALL), 1); ExpectIntEQ(X509_VERIFY_PARAM_get_flags(paramTo), 0); + ExpectNull(wolfSSL_X509_VERIFY_PARAM_lookup(NULL)); + ExpectNull(wolfSSL_X509_VERIFY_PARAM_lookup("")); + ExpectNotNull(wolfSSL_X509_VERIFY_PARAM_lookup("ssl_client")); + ExpectNotNull(wolfSSL_X509_VERIFY_PARAM_lookup("ssl_server")); + X509_VERIFY_PARAM_free(paramTo); X509_VERIFY_PARAM_free(paramFrom); X509_VERIFY_PARAM_free(NULL); /* to confirm NULL parameter gives no harm */ @@ -64843,6 +66010,8 @@ static int test_wolfSSL_X509_PUBKEY_RSA(void) X509_PUBKEY* pubKey = NULL; X509_PUBKEY* pubKey2 = NULL; EVP_PKEY* evpKey = NULL; + byte buf[1024]; + byte* tmp; const unsigned char *pk = NULL; int ppklen; @@ -64860,11 +66029,23 @@ static int test_wolfSSL_X509_PUBKEY_RSA(void) ExpectNotNull(pubKey); ExpectIntGT(ppklen, 0); + tmp = buf; + ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(NULL, NULL), WOLFSSL_FATAL_ERROR); + ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(NULL, &tmp), WOLFSSL_FATAL_ERROR); + ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(pubKey, NULL), 294); + ExpectIntEQ(wolfSSL_i2d_X509_PUBKEY(pubKey, &tmp), 294); + ExpectIntEQ(OBJ_obj2nid(obj), NID_rsaEncryption); ExpectNotNull(evpKey = X509_PUBKEY_get(pubKey)); ExpectNotNull(pubKey2 = X509_PUBKEY_new()); + ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, NULL), 0); + ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 0); + ExpectIntEQ(X509_PUBKEY_set(NULL, NULL), 0); + ExpectIntEQ(X509_PUBKEY_set(&pubKey2, NULL), 0); + ExpectIntEQ(X509_PUBKEY_set(NULL, evpKey), 0); ExpectIntEQ(X509_PUBKEY_set(&pubKey2, evpKey), 1); + ExpectIntEQ(X509_PUBKEY_get0_param(NULL, NULL, NULL, NULL, pubKey2), 1); ExpectIntEQ(X509_PUBKEY_get0_param(&obj, &pk, &ppklen, &pa, pubKey2), 1); ExpectNotNull(pk); ExpectNotNull(pa); @@ -64875,6 +66056,7 @@ static int test_wolfSSL_X509_PUBKEY_RSA(void) ExpectIntEQ(pptype, V_ASN1_NULL); ExpectIntEQ(OBJ_obj2nid(pa_oid), EVP_PKEY_RSA); + X509_PUBKEY_free(NULL); X509_PUBKEY_free(pubKey2); X509_free(x509); EVP_PKEY_free(evpKey); @@ -68026,6 +69208,16 @@ static int test_wolfSSL_OBJ(void) /* Get the Common Name by using OBJ_txt2obj */ ExpectNotNull(field_name_obj = OBJ_txt2obj("CN", 0)); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, NULL, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(NULL, field_name_obj, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, field_name_obj, 99), + WOLFSSL_FATAL_ERROR); + ExpectIntEQ(X509_NAME_get_index_by_OBJ(x509Name, NULL, 0), + WOLFSSL_FATAL_ERROR); do { lastpos = tmp; @@ -68262,6 +69454,7 @@ static int test_wolfSSL_PEM_write_bio_X509(void) BIO* output = NULL; X509* x509a = NULL; X509* x509b = NULL; + X509* empty = NULL; ASN1_TIME* notBeforeA = NULL; ASN1_TIME* notAfterA = NULL; @@ -68289,10 +69482,16 @@ static int test_wolfSSL_PEM_write_bio_X509(void) /* write X509 back to PEM BIO; no need to sign as nothing changed. */ ExpectNotNull(output = BIO_new(wolfSSL_BIO_s_mem())); + ExpectNotNull(empty = wolfSSL_X509_new()); + ExpectIntEQ(PEM_write_bio_X509(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509(output, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509(NULL, x509a), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509(output, empty), WOLFSSL_FAILURE); ExpectIntEQ(PEM_write_bio_X509(output, x509a), WOLFSSL_SUCCESS); /* compare length against expected */ expectedLen = 2000; ExpectIntEQ(wolfSSL_BIO_get_len(output), expectedLen); + wolfSSL_X509_free(empty); #ifndef NO_ASN_TIME /* read exported X509 PEM back into struct, sanity check on export, @@ -68402,10 +69601,12 @@ static int test_wolfSSL_X509_NAME_ENTRY(void) !defined(NO_RSA) && defined(WOLFSSL_CERT_GEN) X509* x509 = NULL; #ifndef NO_BIO + X509* empty = NULL; BIO* bio = NULL; #endif X509_NAME* nm = NULL; X509_NAME_ENTRY* entry = NULL; + WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* entries = NULL; unsigned char cn[] = "another name to add"; #ifdef OPENSSL_ALL int i; @@ -68415,24 +69616,37 @@ static int test_wolfSSL_X509_NAME_ENTRY(void) ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); #ifndef NO_BIO + ExpectNotNull(empty = wolfSSL_X509_new()); ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_X509_AUX(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_AUX(bio, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_AUX(NULL, x509), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_AUX(bio, empty), WOLFSSL_FAILURE); ExpectIntEQ(PEM_write_bio_X509_AUX(bio, x509), SSL_SUCCESS); + wolfSSL_X509_free(empty); #endif #ifdef WOLFSSL_CERT_REQ { X509_REQ* req = NULL; #ifndef NO_BIO + X509_REQ* emptyReq = NULL; BIO* bReq = NULL; #endif ExpectNotNull(req = wolfSSL_X509_load_certificate_file(cliCertFile, SSL_FILETYPE_PEM)); #ifndef NO_BIO + ExpectNotNull(emptyReq = wolfSSL_X509_REQ_new()); ExpectNotNull(bReq = BIO_new(BIO_s_mem())); + ExpectIntEQ(PEM_write_bio_X509_REQ(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_REQ(NULL, req), WOLFSSL_FAILURE); + ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, emptyReq), WOLFSSL_FAILURE); ExpectIntEQ(PEM_write_bio_X509_REQ(bReq, req), SSL_SUCCESS); BIO_free(bReq); + X509_REQ_free(emptyReq); #endif X509_free(req); } @@ -68446,9 +69660,19 @@ static int test_wolfSSL_X509_NAME_ENTRY(void) ExpectIntEQ(X509_NAME_add_entry(nm, entry, -1, 0), SSL_SUCCESS); #ifdef WOLFSSL_CERT_EXT + ExpectIntEQ(X509_NAME_add_entry_by_txt(NULL, NULL, MBSTRING_UTF8, + (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, NULL, MBSTRING_UTF8, + (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE); + ExpectIntEQ(X509_NAME_add_entry_by_txt(NULL, "emailAddress", MBSTRING_UTF8, + (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_FAILURE); ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, "emailAddress", MBSTRING_UTF8, - (byte*)"support@wolfssl.com", 19, -1, - 1), WOLFSSL_SUCCESS); + (byte*)"support@wolfssl.com", 19, -1, 1), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_NAME_add_entry_by_txt(nm, "commonName", MBSTRING_UTF8, + (byte*)"wolfssl.com", 11, 0, 1), WOLFSSL_SUCCESS); + ExpectNull(wolfSSL_X509_NAME_delete_entry(NULL, -1)); + ExpectNull(wolfSSL_X509_NAME_delete_entry(nm, -1)); + ExpectNotNull(wolfSSL_X509_NAME_delete_entry(nm, 0)); #endif X509_NAME_ENTRY_free(entry); entry = NULL; @@ -68459,16 +69683,18 @@ static int test_wolfSSL_X509_NAME_ENTRY(void) unsigned char fvrtDrnk[] = "tequila"; unsigned char* der = NULL; char* subject = NULL; + ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_pkcs9_contentType, MBSTRING_ASC, srv_pkcs9p, -1, -1, 0), SSL_SUCCESS); ExpectIntEQ(X509_NAME_add_entry_by_NID(nm, NID_favouriteDrink, MBSTRING_ASC, fvrtDrnk, -1, -1, 0), SSL_SUCCESS); + ExpectIntEQ(wolfSSL_i2d_X509_NAME(NULL, &der), BAD_FUNC_ARG); ExpectIntGT(wolfSSL_i2d_X509_NAME(nm, &der), 0); ExpectNotNull(der); - ExpectNotNull(subject = X509_NAME_oneline(nm, 0, 0)); + ExpectNotNull(subject = X509_NAME_oneline(nm, NULL, 0)); ExpectNotNull(XSTRSTR(subject, "favouriteDrink=tequila")); ExpectNotNull(XSTRSTR(subject, "contentType=Server")); #ifdef DEBUG_WOLFSSL @@ -68481,9 +69707,13 @@ static int test_wolfSSL_X509_NAME_ENTRY(void) } #endif + ExpectNull(entry = X509_NAME_ENTRY_create_by_txt(NULL, NULL, 0x0c, cn, + (int)sizeof(cn))); /* Test add entry by text */ ExpectNotNull(entry = X509_NAME_ENTRY_create_by_txt(NULL, "commonName", 0x0c, cn, (int)sizeof(cn))); + ExpectPtrEq(X509_NAME_ENTRY_create_by_txt(&entry, "commonName", + 0x0c, cn, (int)sizeof(cn)), entry); #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) \ || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX) ExpectNull(X509_NAME_ENTRY_create_by_txt(&entry, "unknown", @@ -68505,6 +69735,13 @@ static int test_wolfSSL_X509_NAME_ENTRY(void) } #endif + ExpectNotNull(entries = wolfSSL_sk_X509_NAME_ENTRY_new(NULL)); + ExpectIntEQ(sk_X509_NAME_ENTRY_num(NULL), BAD_FUNC_ARG); + ExpectIntEQ(sk_X509_NAME_ENTRY_num(entries), 0); + ExpectNull(sk_X509_NAME_ENTRY_value(NULL, 0)); + ExpectNull(sk_X509_NAME_ENTRY_value(entries, 0)); + wolfSSL_sk_X509_NAME_ENTRY_free(entries); + #ifndef NO_BIO BIO_free(bio); #endif @@ -68514,7 +69751,8 @@ static int test_wolfSSL_X509_NAME_ENTRY(void) } /* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */ -static int test_GENERAL_NAME_set0_othername(void) { +static int test_GENERAL_NAME_set0_othername(void) +{ EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ @@ -68555,6 +69793,20 @@ static int test_GENERAL_NAME_set0_othername(void) { if ((value == NULL) || (value->value.ptr != (char*)utf8str)) { wolfSSL_ASN1_STRING_free(utf8str); } + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, NULL , NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn , NULL , NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, upn_oid, NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, NULL , value), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn , upn_oid, NULL ), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(gn , NULL , value), + WOLFSSL_FAILURE); + ExpectIntEQ(GENERAL_NAME_set0_othername(NULL, upn_oid, value ), + WOLFSSL_FAILURE); ExpectIntEQ(GENERAL_NAME_set0_othername(gn, upn_oid, value), 1); if (EXPECT_FAIL()) { ASN1_TYPE_free(value); @@ -68582,8 +69834,11 @@ static int test_GENERAL_NAME_set0_othername(void) { ExpectNotNull(gns = (GENERAL_NAMES*)X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL)); + ExpectIntEQ(sk_GENERAL_NAME_num(NULL), WOLFSSL_FATAL_ERROR); ExpectIntEQ(sk_GENERAL_NAME_num(gns), 3); + ExpectNull(sk_GENERAL_NAME_value(NULL, 0)); + ExpectNull(sk_GENERAL_NAME_value(gns, 20)); ExpectNotNull(gn = sk_GENERAL_NAME_value(gns, 2)); ExpectIntEQ(gn->type, 0); @@ -68598,9 +69853,10 @@ static int test_GENERAL_NAME_set0_othername(void) { } /* Note the lack of wolfSSL_ prefix...this is a compatibility layer test. */ -static int test_othername_and_SID_ext(void) { +static int test_othername_and_SID_ext(void) +{ EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ALT_NAMES) && \ defined(WOLFSSL_CERT_EXT) && !defined(NO_FILESYSTEM) && \ @@ -68613,6 +69869,7 @@ static int test_othername_and_SID_ext(void) { byte der[4096]; int derSz = 0; + byte badDer[2] = { 0x30, 0x00 }; X509_REQ* x509 = NULL; STACK_OF(X509_EXTENSION) *exts = NULL; @@ -68685,7 +69942,13 @@ static int test_othername_and_SID_ext(void) { ExpectNotNull(sid_ext = X509_EXTENSION_create_by_OBJ(NULL, sid_oid, 0, sid_data)); ExpectNotNull(exts = sk_X509_EXTENSION_new_null()); + wolfSSL_sk_X509_EXTENSION_free(exts); + exts = NULL; + ExpectNotNull(exts = sk_X509_EXTENSION_new_null()); /* Ensure an empty stack doesn't raise an error. */ + ExpectIntEQ(X509_REQ_add_extensions(NULL, NULL), 0); + ExpectIntEQ(X509_REQ_add_extensions(x509, NULL), 0); + ExpectIntEQ(X509_REQ_add_extensions(NULL, exts), 0); ExpectIntEQ(X509_REQ_add_extensions(x509, exts), 1); ExpectIntEQ(sk_X509_EXTENSION_push(exts, san_ext), 1); if (EXPECT_FAIL()) { @@ -68708,6 +69971,10 @@ static int test_othername_and_SID_ext(void) { ExpectIntGT(derSz = i2d_X509_REQ(x509, &pt), 0); X509_REQ_free(x509); x509 = NULL; + ExpectNull(d2i_X509_REQ_INFO(&x509, NULL, derSz)); + pt = badDer; + ExpectNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, + sizeof(badDer))); pt = der; ExpectNotNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, derSz)); sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); @@ -68733,6 +70000,7 @@ static int test_othername_and_SID_ext(void) { BIO_free(bio); ExpectNotNull(exts = (STACK_OF(X509_EXTENSION)*)X509_REQ_get_extensions( x509)); + ExpectIntEQ(sk_X509_EXTENSION_num(NULL), WOLFSSL_FATAL_ERROR); ExpectIntEQ(sk_X509_EXTENSION_num(exts), 2); /* Check the SID extension. */ @@ -68913,6 +70181,9 @@ static int test_wolfSSL_X509_set_notBefore(void) ExpectFalse(wolfSSL_X509_set_notBefore(x, NULL)); ExpectFalse(wolfSSL_X509_set_notBefore(NULL, asn_time)); + ExpectNull(X509_get_notBefore(NULL)); + ExpectNull(X509_get_notAfter(NULL)); + /* * Cleanup */ @@ -68935,13 +70206,16 @@ static int test_wolfSSL_X509_set_version(void) ExpectNotNull(x509 = X509_new()); /* These should pass. */ ExpectTrue(wolfSSL_X509_set_version(x509, v)); + ExpectIntEQ(0, wolfSSL_X509_get_version(NULL)); ExpectIntEQ(v, wolfSSL_X509_get_version(x509)); /* Fail Case: When v(long) is greater than x509->version(int). */ v = maxInt+1; ExpectFalse(wolfSSL_X509_set_version(x509, v)); - ExpectFalse(wolfSSL_X509_set_version(NULL, 2L)); - ExpectFalse(wolfSSL_X509_set_version(NULL, maxInt+1)); + ExpectIntEQ(wolfSSL_X509_set_version(NULL, -1), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_set_version(NULL, 1), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_set_version(x509, -1), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_set_version(NULL, maxInt+1), WOLFSSL_FAILURE); /* Cleanup */ X509_free(x509); @@ -70594,10 +71868,10 @@ static int test_wolfSSL_SESSION(void) char buf[64] = {0}; word32 bufSz = (word32)sizeof(buf); - ExpectIntEQ(SSL_SUCCESS, + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_set_SessionTicket(ssl, (byte *)ticket, (word32)XSTRLEN(ticket))); - ExpectIntEQ(SSL_SUCCESS, + ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_get_SessionTicket(ssl, (byte *)buf, &bufSz)); ExpectStrEQ(ticket, buf); } @@ -70716,15 +71990,12 @@ static int test_wolfSSL_SESSION_expire_downgrade(void) !defined(NO_RSA) && defined(HAVE_IO_TESTS_DEPENDENCIES) && \ !defined(NO_SESSION_CACHE) && defined(OPENSSL_EXTRA) && \ !defined(WOLFSSL_NO_TLS12) - - WOLFSSL_CTX* ctx = NULL; callback_functions server_cbf, client_cbf; XMEMSET(&server_cbf, 0, sizeof(callback_functions)); XMEMSET(&client_cbf, 0, sizeof(callback_functions)); /* force server side to use TLS 1.2 */ - server_cbf.ctx = ctx; server_cbf.method = wolfTLSv1_2_server_method; client_cbf.method = wolfSSLv23_client_method; @@ -70736,9 +72007,6 @@ static int test_wolfSSL_SESSION_expire_downgrade(void) ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); - /* set the previously created session and wait till expired */ - server_cbf.ctx = ctx; - client_cbf.method = wolfSSLv23_client_method; server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_wait; @@ -70749,9 +72017,6 @@ static int test_wolfSSL_SESSION_expire_downgrade(void) ExpectIntEQ(client_cbf.return_code, TEST_SUCCESS); ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); - /* set the previously created expired session */ - server_cbf.ctx = ctx; - client_cbf.method = wolfSSLv23_client_method; server_cbf.ctx_ready = test_wolfSSL_SESSION_expire_downgrade_ctx_ready; client_cbf.ssl_ready = test_wolfSSL_SESSION_expire_downgrade_ssl_ready_set; @@ -70763,8 +72028,6 @@ static int test_wolfSSL_SESSION_expire_downgrade(void) ExpectIntEQ(server_cbf.return_code, TEST_SUCCESS); wolfSSL_SESSION_free(test_wolfSSL_SESSION_expire_sess); - wolfSSL_CTX_free(ctx); - #endif return EXPECT_RESULT(); } @@ -70848,8 +72111,8 @@ static int SessRemSslSetupCb(WOLFSSL* ssl) else { side = &sessRemCtx_Client; (void)wolfSSL_Atomic_Int_FetchAdd(&clientSessRemCountMalloc, 1); - #if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ - !defined(NO_SESSION_CACHE_REF) +#if (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) || \ + !defined(NO_SESSION_CACHE_REF) ExpectNotNull(clientSess = SSL_get1_session(ssl)); ExpectIntEQ(SSL_CTX_up_ref(clientSessCtx = SSL_get_SSL_CTX(ssl)), SSL_SUCCESS); @@ -71190,6 +72453,7 @@ static int test_wolfSSL_sk_GENERAL_NAME(void) !defined(NO_RSA) X509* x509 = NULL; GENERAL_NAME* gn = NULL; + GENERAL_NAME* dup_gn = NULL; unsigned char buf[4096]; const unsigned char* bufPt = NULL; int bytes = 0; @@ -71227,6 +72491,10 @@ static int test_wolfSSL_sk_GENERAL_NAME(void) break; } } + + ExpectNotNull(dup_gn = wolfSSL_GENERAL_NAME_dup(gn)); + wolfSSL_GENERAL_NAME_free(dup_gn); + dup_gn = NULL; } X509_free(x509); x509 = NULL; @@ -71242,6 +72510,11 @@ static int test_wolfSSL_sk_GENERAL_NAME(void) } sk = NULL; } + + ExpectNull(wolfSSL_GENERAL_NAME_dup(NULL)); + ExpectIntEQ(wolfSSL_GENERAL_NAME_set_type(NULL, WOLFSSL_GEN_IA5), + BAD_FUNC_ARG); + wolfSSL_GENERAL_NAMES_free(NULL); #endif return EXPECT_RESULT(); } @@ -71252,6 +72525,7 @@ static int test_wolfSSL_GENERAL_NAME_print(void) #if defined(OPENSSL_ALL) && !defined(NO_BIO) && !defined(NO_RSA) X509* x509 = NULL; GENERAL_NAME* gn = NULL; + GENERAL_NAME* dup_gn = NULL; unsigned char buf[4096]; const unsigned char* bufPt = NULL; int bytes = 0; @@ -71264,6 +72538,7 @@ static int test_wolfSSL_GENERAL_NAME_print(void) AUTHORITY_INFO_ACCESS* aia = NULL; ACCESS_DESCRIPTION* ad = NULL; ASN1_IA5STRING *dnsname = NULL; + ASN1_OBJECT* ridObj = NULL; const unsigned char v4Addr[] = {192,168,53,1}; const unsigned char v6Addr[] = @@ -71272,15 +72547,20 @@ static int test_wolfSSL_GENERAL_NAME_print(void) const unsigned char email[] = {'i', 'n', 'f', 'o', '@', 'w', 'o', 'l', 'f', 's', 's', 'l', '.', 'c', 'o', 'm'}; - - const char* dnsStr = "DNS:example.com"; - const char* uriStr = "URI:http://127.0.0.1:22220"; - const char* v4addStr = "IP Address:192.168.53.1"; - const char* v6addStr = "IP Address:2021:DB8:0:0:0:FF00:42:7777"; - const char* emailStr = "email:info@wolfssl.com"; - const char* othrStr = "othername:"; - const char* x400Str = "X400Name:"; - const char* ediStr = "EdiPartyName:"; + const unsigned char ridData[] = { 0x06, 0x04, 0x2a, 0x03, 0x04, 0x05 }; + const unsigned char* p; + unsigned long len; + + const char* dnsStr = "DNS:example.com"; + const char* uriStr = "URI:http://127.0.0.1:22220"; + const char* v4addStr = "IP Address:192.168.53.1"; + const char* v6addStr = "IP Address:2021:DB8:0:0:0:FF00:42:7777"; + const char* emailStr = "email:info@wolfssl.com"; + const char* othrStr = "othername:"; + const char* x400Str = "X400Name:"; + const char* ediStr = "EdiPartyName:"; + const char* dirNameStr = "DirName:"; + const char* ridStr = "Registered ID:1.2.3.4.5"; /* BIO to output */ ExpectNotNull(out = BIO_new(BIO_s_mem())); @@ -71329,6 +72609,16 @@ static int test_wolfSSL_GENERAL_NAME_print(void) XMEMSET(outbuf, 0, sizeof(outbuf)); ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); ExpectIntEQ(XSTRNCMP((const char*)outbuf, dnsStr, XSTRLEN(dnsStr)), 0); + ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); + wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_IA5, NULL); + wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_IA5, NULL); + wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_DNS, NULL); + wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_IA5, outbuf); + wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_DNS, NULL); + wolfSSL_GENERAL_NAME_set0_value(dup_gn, WOLFSSL_GEN_IA5, outbuf); + wolfSSL_GENERAL_NAME_set0_value(NULL, WOLFSSL_GEN_DNS, outbuf); + GENERAL_NAME_free(dup_gn); + dup_gn = NULL; GENERAL_NAME_free(gn); /* test for GEN_URI */ @@ -71348,6 +72638,9 @@ static int test_wolfSSL_GENERAL_NAME_print(void) if (ad != NULL) { gn = ad->location; } + ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(dup_gn); + dup_gn = NULL; ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); gn = NULL; @@ -71382,6 +72675,10 @@ static int test_wolfSSL_GENERAL_NAME_print(void) ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); ExpectIntEQ(XSTRNCMP((const char*)outbuf, v4addStr, XSTRLEN(v4addStr)), 0); + ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(dup_gn); + dup_gn = NULL; + GENERAL_NAME_free(gn); gn = NULL; @@ -71402,6 +72699,10 @@ static int test_wolfSSL_GENERAL_NAME_print(void) ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); ExpectIntEQ(XSTRNCMP((const char*)outbuf, v6addStr, XSTRLEN(v6addStr)), 0); + ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(dup_gn); + dup_gn = NULL; + GENERAL_NAME_free(gn); gn = NULL; @@ -71422,6 +72723,10 @@ static int test_wolfSSL_GENERAL_NAME_print(void) ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); ExpectIntEQ(XSTRNCMP((const char*)outbuf, emailStr, XSTRLEN(emailStr)), 0); + ExpectNotNull(dup_gn = GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(dup_gn); + dup_gn = NULL; + GENERAL_NAME_free(gn); gn = NULL; @@ -71456,6 +72761,10 @@ static int test_wolfSSL_GENERAL_NAME_print(void) if (gn != NULL) { gn->type = GEN_IA5; } + + /* Duplicating GEN_X400 not supported. */ + ExpectNull(GENERAL_NAME_dup(gn)); + GENERAL_NAME_free(gn); gn = NULL; @@ -71475,6 +72784,48 @@ static int test_wolfSSL_GENERAL_NAME_print(void) if (gn != NULL) { gn->type = GEN_IA5; } + + /* Duplicating GEN_EDIPARTY not supported. */ + ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); + + GENERAL_NAME_free(gn); + gn = NULL; + + /* test for GEN_DIRNAME */ + ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); + if (gn != NULL) { + gn->type = GEN_DIRNAME; + } + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, dirNameStr, XSTRLEN(dirNameStr)), + 0); + /* Duplicating GEN_DIRNAME not supported. */ + ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); + /* Restore to GEN_IA5 (default) to avoid memory leak. */ + if (gn != NULL) { + gn->type = GEN_IA5; + } + GENERAL_NAME_free(gn); + gn = NULL; + + /* test for GEN_RID */ + p = ridData; + len = sizeof(ridData); + ExpectNotNull(ridObj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, len)); + ExpectNotNull(gn = wolfSSL_GENERAL_NAME_new()); + if (gn != NULL) { + gn->type = GEN_RID; + wolfSSL_ASN1_STRING_free(gn->d.ia5); + gn->d.registeredID = ridObj; + } + ExpectIntEQ(GENERAL_NAME_print(out, gn), 1); + XMEMSET(outbuf,0,sizeof(outbuf)); + ExpectIntGT(BIO_read(out, outbuf, sizeof(outbuf)), 0); + ExpectIntEQ(XSTRNCMP((const char*)outbuf, ridStr, XSTRLEN(ridStr)), 0); + /* Duplicating GEN_DIRNAME not supported. */ + ExpectNull(dup_gn = GENERAL_NAME_dup(gn)); GENERAL_NAME_free(gn); gn = NULL; @@ -71534,8 +72885,20 @@ static int test_wolfSSL_sk_DIST_POINT(void) } } + ExpectNotNull(dp = wolfSSL_DIST_POINT_new()); + wolfSSL_DIST_POINT_free(NULL); + wolfSSL_DIST_POINTS_free(NULL); + wolfSSL_sk_DIST_POINT_free(NULL); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(dps, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_push(NULL, dp), WOLFSSL_FAILURE); + ExpectNull(wolfSSL_sk_DIST_POINT_value(NULL, 0)); + ExpectIntEQ(wolfSSL_sk_DIST_POINT_num(NULL), WOLFSSL_FATAL_ERROR); + wolfSSL_DIST_POINT_free(dp); + X509_free(x509); CRL_DIST_POINTS_free(dps); + #endif return EXPECT_RESULT(); } @@ -72003,12 +73366,16 @@ static int test_wolfSSL_X509_get_serialNumber(void) ASN1_INTEGER* a = NULL; BIGNUM* bn = NULL; X509* x509 = NULL; + X509* empty = NULL; char *serialHex = NULL; byte serial[3]; int serialSz; + ExpectNotNull(empty = wolfSSL_X509_new()); ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM)); + ExpectNull(X509_get_serialNumber(NULL)); + ExpectNotNull(X509_get_serialNumber(empty)); ExpectNotNull(a = X509_get_serialNumber(x509)); /* check on value of ASN1 Integer */ @@ -72018,7 +73385,22 @@ static int test_wolfSSL_X509_get_serialNumber(void) /* test setting serial number and then retrieving it */ ExpectNotNull(a = ASN1_INTEGER_new()); ExpectIntEQ(ASN1_INTEGER_set(a, 3), 1); + ExpectIntEQ(X509_set_serialNumber(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(X509_set_serialNumber(x509, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(X509_set_serialNumber(NULL, a), WOLFSSL_FAILURE); ExpectIntEQ(X509_set_serialNumber(x509, a), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_get_serial_number(NULL, serial, NULL), + BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_get_serial_number(NULL, serial, &serialSz), + BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, NULL), + BAD_FUNC_ARG); + serialSz = 0; + ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, &serialSz), + BUFFER_E); + ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, NULL, &serialSz), + WOLFSSL_SUCCESS); + ExpectIntEQ(serialSz, 1); serialSz = sizeof(serial); ExpectIntEQ(wolfSSL_X509_get_serial_number(x509, serial, &serialSz), WOLFSSL_SUCCESS); @@ -72053,6 +73435,7 @@ static int test_wolfSSL_X509_get_serialNumber(void) a = NULL; X509_free(x509); /* free's a */ + X509_free(empty); ExpectNotNull(serialHex = BN_bn2hex(bn)); #ifndef WC_DISABLE_RADIX_ZERO_PAD @@ -72076,6 +73459,126 @@ static int test_wolfSSL_X509_get_serialNumber(void) return EXPECT_RESULT(); } +static int test_wolfSSL_X509_ext_get_critical_by_NID(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) + WOLFSSL_X509* x509 = NULL; + + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(NULL, + WC_NID_basic_constraints), 0); + ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509, + WC_NID_basic_constraints), 0); + ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509, + WC_NID_subject_alt_name), 0); + ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509, + WC_NID_authority_key_identifier), 0); + ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509, + WC_NID_subject_key_identifier), 0); + ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509, + WC_NID_key_usage), 0); + ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509, + WC_NID_crl_distribution_points), 0); + ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509, + WC_NID_ext_key_usage), 0); +#ifdef WOLFSSL_SEP + ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509, + WC_NID_certificate_policies), 0); +#endif + ExpectIntEQ(wolfSSL_X509_ext_get_critical_by_NID(x509, + WC_NID_info_access), 0); + wolfSSL_X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_CRL_distribution_points(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_RSA) + WOLFSSL_X509* x509 = NULL; + const char* file = "./certs/client-crl-dist.pem"; + + ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(NULL, + WC_NID_crl_distribution_points), 0); + + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509, + WC_NID_crl_distribution_points), 0); + wolfSSL_X509_free(x509); + x509 = NULL; + + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(file, + WOLFSSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509, + WC_NID_crl_distribution_points), 1); + wolfSSL_X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_SEP(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(WOLFSSL_SEP) + WOLFSSL_X509* x509 = NULL; +#if 0 + byte* out; +#endif + int outSz; + + ExpectNotNull(x509 = wolfSSL_X509_new()); + + outSz = 0; + ExpectNull(wolfSSL_X509_get_device_type(NULL, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_device_type(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_device_type(NULL, NULL, &outSz)); + ExpectNull(wolfSSL_X509_get_device_type(x509, NULL, &outSz)); + + outSz = 0; + ExpectNull(wolfSSL_X509_get_hw_type(NULL, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_type(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_type(NULL, NULL, &outSz)); + ExpectNull(wolfSSL_X509_get_hw_type(x509, NULL, &outSz)); + + outSz = 0; + ExpectNull(wolfSSL_X509_get_hw_serial_number(NULL, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_serial_number(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_hw_serial_number(NULL, NULL, &outSz)); + ExpectNull(wolfSSL_X509_get_hw_serial_number(x509, NULL, &outSz)); + + ExpectIntEQ(wolfSSL_X509_ext_isSet_by_NID(x509, + WC_NID_certificate_policies), 0); + + wolfSSL_X509_free(x509); + x509 = NULL; + +#if 0 + /* Use certificate with the extension here. */ + ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, + SSL_FILETYPE_PEM)); + + outSz = 0; + ExpectNotNull(out = wolfSSL_X509_get_device_type(x509, NULL, &outSz)); + ExpectIntGT(outSz, 0); + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + + outSz = 0; + ExpectNotNull(out = wolfSSL_X509_get_hw_type(x509, NULL, &outSz)); + ExpectIntGT(outSz, 0); + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + + outSz = 0; + ExpectNotNull(out = wolfSSL_X509_get_hw_serial_number(x509, NULL, &outSz)); + ExpectIntGT(outSz, 0); + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + + wolfSSL_X509_free(x509); +#endif +#endif + return EXPECT_RESULT(); +} static int test_wolfSSL_OpenSSL_add_all_algorithms(void) { @@ -72175,8 +73678,17 @@ static int test_wolfSSL_X509_check_ca(void) ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, WOLFSSL_FILETYPE_PEM)); + ExpectIntEQ(wolfSSL_X509_check_ca(NULL), 0); ExpectIntEQ(wolfSSL_X509_check_ca(x509), 1); wolfSSL_X509_free(x509); + + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectIntEQ(wolfSSL_X509_check_ca(x509), 0); + if (x509 != NULL) { + x509->extKeyUsageCrit = 1; + } + ExpectIntEQ(wolfSSL_X509_check_ca(x509), 4); + wolfSSL_X509_free(x509); #endif return EXPECT_RESULT(); } @@ -72186,15 +73698,23 @@ static int test_wolfSSL_X509_check_ip_asc(void) EXPECT_DECLS; #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) WOLFSSL_X509 *x509 = NULL; + WOLFSSL_X509 *empty = NULL; ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(empty = wolfSSL_X509_new()); + #if 0 /* TODO: add cert gen for testing positive case */ ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.0.0.1", 0), 1); #endif ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "0.0.0.0", 0), 0); ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, NULL, 0), 0); + ExpectIntEQ(wolfSSL_X509_check_ip_asc(NULL, NULL, 0), 0); + ExpectIntEQ(wolfSSL_X509_check_ip_asc(NULL, "0.0.0.0", 0), 0); + ExpectIntEQ(wolfSSL_X509_check_ip_asc(empty, "127.128.0.255", 0), 0); + + wolfSSL_X509_free(empty); wolfSSL_X509_free(x509); #endif return EXPECT_RESULT(); @@ -72359,9 +73879,10 @@ static int test_wolfSSL_make_cert(void) ExpectStrEQ((const char *)ASN1_STRING_data(entryValue), "wolfssl"); #endif /* WOLFSSL_MULTI_ATTRIB */ + ExpectNull(X509_NAME_get_entry(NULL, 0)); /* try invalid index locations for regression test and sanity check */ - ExpectNull(entry = X509_NAME_get_entry(x509name, 11)); - ExpectNull(entry = X509_NAME_get_entry(x509name, 20)); + ExpectNull(X509_NAME_get_entry(x509name, 11)); + ExpectNull(X509_NAME_get_entry(x509name, 20)); X509_free(x509); #endif /* OPENSSL_EXTRA */ @@ -72379,13 +73900,47 @@ static int test_x509_get_key_id(void) X509 *x509 = NULL; const ASN1_STRING* str = NULL; byte* keyId = NULL; + byte keyIdData[32]; + int len; + + ExpectNotNull(x509 = wolfSSL_X509_new()); + len = (int)sizeof(keyIdData); + ExpectNull(wolfSSL_X509_get_subjectKeyID(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_subjectKeyID(x509, keyIdData, &len)); + ExpectNull(wolfSSL_X509_get_authorityKeyID(x509, NULL, NULL)); + ExpectNull(wolfSSL_X509_get_authorityKeyID(x509, keyIdData, &len)); + wolfSSL_X509_free(x509); + x509 = NULL; ExpectNotNull(x509 = X509_load_certificate_file(cliCertFile, WOLFSSL_FILETYPE_PEM)); + ExpectNotNull(str = X509_get0_subject_key_id(x509)); + ExpectNull(wolfSSL_X509_get_subjectKeyID(NULL, NULL, NULL)); ExpectNotNull(keyId = wolfSSL_X509_get_subjectKeyID(x509, NULL, NULL)); ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), ASN1_STRING_length(str)); + ExpectNotNull(keyId = wolfSSL_X509_get_subjectKeyID(x509, keyIdData, NULL)); + ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), + ASN1_STRING_length(str)); + len = (int)sizeof(keyIdData); + ExpectNotNull(keyId = wolfSSL_X509_get_subjectKeyID(x509, NULL, &len)); + ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), + ASN1_STRING_length(str)); + ExpectNotNull(wolfSSL_X509_get_subjectKeyID(x509, keyIdData, &len)); + ExpectIntEQ(len, ASN1_STRING_length(str)); + ExpectBufEQ(keyIdData, ASN1_STRING_data((ASN1_STRING*)str), + ASN1_STRING_length(str)); + ExpectBufEQ(keyId, ASN1_STRING_data((ASN1_STRING*)str), + ASN1_STRING_length(str)); + + ExpectNull(wolfSSL_X509_get_authorityKeyID(NULL, NULL, NULL)); + ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, NULL, NULL)); + ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, keyIdData, NULL)); + len = (int)sizeof(keyIdData); + ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, NULL, &len)); + ExpectNotNull(wolfSSL_X509_get_authorityKeyID(x509, keyIdData, &len)); + ExpectIntEQ(len, 20); X509_free(x509); #endif @@ -72533,6 +74088,91 @@ static int test_wolfSSL_X509_PUBKEY_get(void) return EXPECT_RESULT(); } +static int test_wolfSSL_X509_set_pubkey(void) +{ + EXPECT_DECLS; + WOLFSSL_X509* x509 = NULL; + WOLFSSL_EVP_PKEY* pkey = NULL; + + ExpectNotNull(x509 = wolfSSL_X509_new()); + +#if !defined(NO_RSA) + { + WOLFSSL_RSA* rsa = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + if (pkey != NULL) { + pkey->type = WC_EVP_PKEY_RSA; + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); + ExpectNotNull(rsa = wolfSSL_RSA_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_RSA, rsa), + WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_RSA_free(rsa); + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_SUCCESS); + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + } +#endif +#if !defined(HAVE_SELFTEST) && (defined(WOLFSSL_KEY_GEN) || \ + defined(WOLFSSL_CERT_GEN)) && !defined(NO_DSA) + { + WOLFSSL_DSA* dsa = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + if (pkey != NULL) { + pkey->type = WC_EVP_PKEY_DSA; + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); + ExpectNotNull(dsa = wolfSSL_DSA_new()); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_DSA, dsa), + WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_DSA_free(dsa); + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + } +#endif +#if defined(HAVE_ECC) + { + WOLFSSL_EC_KEY* ec = NULL; + + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + if (pkey != NULL) { + pkey->type = WC_EVP_PKEY_EC; + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); + ExpectNotNull(ec = wolfSSL_EC_KEY_new()); + ExpectIntEQ(wolfSSL_EC_KEY_generate_key(ec), 1); + ExpectIntEQ(wolfSSL_EVP_PKEY_assign(pkey, EVP_PKEY_EC, ec), + WOLFSSL_SUCCESS); + if (EXPECT_FAIL()) { + wolfSSL_EC_KEY_free(ec); + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_SUCCESS); + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + } +#endif +#if !defined(NO_DH) + ExpectNotNull(pkey = wolfSSL_EVP_PKEY_new()); + if (pkey != NULL) { + pkey->type = WC_EVP_PKEY_DH; + } + ExpectIntEQ(wolfSSL_X509_set_pubkey(x509, pkey), WOLFSSL_FAILURE); + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; +#endif + + wolfSSL_X509_free(x509); + + return EXPECT_RESULT(); +} + static int test_wolfSSL_EVP_PKEY_set1_get1_DSA(void) { EXPECT_DECLS; @@ -74534,7 +76174,53 @@ static int test_wolfSSL_NCONF(void) } #endif /* OPENSSL_ALL */ -static int test_wolfSSL_X509V3_EXT_get(void) { +static int test_wolfSSL_X509V3_set_ctx(void) +{ + EXPECT_DECLS; +#if (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && \ + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) + WOLFSSL_X509V3_CTX ctx; + WOLFSSL_X509* issuer = NULL; + WOLFSSL_X509* subject = NULL; + WOLFSSL_X509 req; + WOLFSSL_X509_CRL crl; + + XMEMSET(&ctx, 0, sizeof(ctx)); + ExpectNotNull(issuer = wolfSSL_X509_new()); + ExpectNotNull(subject = wolfSSL_X509_new()); + XMEMSET(&req, 0, sizeof(req)); + XMEMSET(&crl, 0, sizeof(crl)); + + wolfSSL_X509V3_set_ctx(NULL, NULL, NULL, NULL, NULL, 0); + wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 0); + wolfSSL_X509_free(ctx.x509); + ctx.x509 = NULL; + wolfSSL_X509V3_set_ctx(&ctx, issuer, NULL, NULL, NULL, 0); + wolfSSL_X509_free(ctx.x509); + ctx.x509 = NULL; + wolfSSL_X509V3_set_ctx(&ctx, NULL, subject, NULL, NULL, 0); + wolfSSL_X509_free(ctx.x509); + ctx.x509 = NULL; + wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, &req, NULL, 0); + wolfSSL_X509_free(ctx.x509); + ctx.x509 = NULL; + wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, &crl, 0); + wolfSSL_X509_free(ctx.x509); + ctx.x509 = NULL; + wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 1); + /* X509 allocated in context results in 'failure' (but not return). */ + wolfSSL_X509V3_set_ctx(&ctx, NULL, NULL, NULL, NULL, 0); + wolfSSL_X509_free(ctx.x509); + ctx.x509 = NULL; + + wolfSSL_X509_free(subject); + wolfSSL_X509_free(issuer); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509V3_EXT_get(void) +{ EXPECT_DECLS; #if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) XFILE f = XBADFILE; @@ -74544,6 +76230,36 @@ static int test_wolfSSL_X509V3_EXT_get(void) { WOLFSSL_X509* x509 = NULL; WOLFSSL_X509_EXTENSION* ext = NULL; const WOLFSSL_v3_ext_method* method = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + /* No object in extension. */ + ExpectNull(wolfSSL_X509V3_EXT_get(ext)); + ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + /* NID is zero. */ + ExpectNull(wolfSSL_X509V3_EXT_get(ext)); + /* NID is not known. */ + if (ext != NULL && ext->obj != NULL) { + ext->obj->nid = 1; + } + ExpectNull(wolfSSL_X509V3_EXT_get(ext)); + + /* NIDs not in certificate. */ + if (ext != NULL && ext->obj != NULL) { + ext->obj->nid = NID_certificate_policies; + } + ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext)); + ExpectIntEQ(method->ext_nid, NID_certificate_policies); + if (ext != NULL && ext->obj != NULL) { + ext->obj->nid = NID_crl_distribution_points; + } + ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext)); + ExpectIntEQ(method->ext_nid, NID_crl_distribution_points); + + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); + ext = NULL; ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); @@ -74557,6 +76273,9 @@ static int test_wolfSSL_X509V3_EXT_get(void) { ExpectIntNE((extNid = ext->obj->nid), NID_undef); ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext)); ExpectIntEQ(method->ext_nid, extNid); + if (method->ext_nid == NID_subject_key_identifier) { + ExpectNotNull(method->i2s); + } } /* wolfSSL_X509V3_EXT_get() NULL argument test */ @@ -74601,8 +76320,22 @@ static int test_wolfSSL_X509V3_EXT_nconf(void) X509* x509 = NULL; unsigned int keyUsageFlags; unsigned int extKeyUsageFlags; + WOLFSSL_CONF conf; + WOLFSSL_X509V3_CTX ctx; +#ifndef NO_WOLFSSL_STUB + WOLFSSL_LHASH lhash; +#endif ExpectNotNull(x509 = X509_new()); + ExpectNull(X509V3_EXT_nconf(NULL, NULL, ext_names[0], NULL)); + ExpectNull(X509V3_EXT_nconf_nid(NULL, NULL, ext_nids[0], NULL)); + ExpectNull(X509V3_EXT_nconf(NULL, NULL, "", ext_values[0])); + ExpectNull(X509V3_EXT_nconf_nid(NULL, NULL, 0, ext_values[0])); + + /* conf and ctx ignored. */ + ExpectNull(X509V3_EXT_nconf_nid(&conf, NULL, 0, ext_values[0])); + ExpectNull(X509V3_EXT_nconf_nid(NULL , &ctx, 0, ext_values[0])); + ExpectNull(X509V3_EXT_nconf_nid(&conf, &ctx, 0, ext_values[0])); /* keyUsage / extKeyUsage should match string above */ keyUsageFlags = KU_DIGITAL_SIGNATURE @@ -74651,11 +76384,159 @@ static int test_wolfSSL_X509V3_EXT_nconf(void) ext = NULL; } X509_free(x509); + +#ifndef NO_WOLFSSL_STUB + ExpectIntEQ(wolfSSL_X509V3_EXT_add_nconf(NULL, NULL, NULL, NULL), + WOLFSSL_SUCCESS); + ExpectNull(wolfSSL_X509V3_EXT_conf_nid(NULL, NULL, 0, NULL)); + ExpectNull(wolfSSL_X509V3_EXT_conf_nid(&lhash, NULL, 0, NULL)); + wolfSSL_X509V3_set_ctx_nodb(NULL); +#endif +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509V3_EXT_bc(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + WOLFSSL_BASIC_CONSTRAINTS* bc = NULL; + WOLFSSL_ASN1_INTEGER* pathLen = NULL; + + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); + ExpectNotNull(pathLen = wolfSSL_ASN1_INTEGER_new()); + if (pathLen != NULL) { + pathLen->length = 2; + } + + if (obj != NULL) { + obj->type = NID_basic_constraints; + obj->nid = NID_basic_constraints; + } + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + ExpectNotNull(wolfSSL_X509V3_EXT_get(ext)); + /* No pathlen set. */ + ExpectNotNull(bc = (WOLFSSL_BASIC_CONSTRAINTS*)wolfSSL_X509V3_EXT_d2i(ext)); + wolfSSL_BASIC_CONSTRAINTS_free(bc); + bc = NULL; + + if ((ext != NULL) && (ext->obj != NULL)) { + ext->obj->pathlen = pathLen; + pathLen = NULL; + } + /* pathlen set. */ + ExpectNotNull(bc = (WOLFSSL_BASIC_CONSTRAINTS*)wolfSSL_X509V3_EXT_d2i(ext)); + + wolfSSL_ASN1_INTEGER_free(pathLen); + wolfSSL_BASIC_CONSTRAINTS_free(bc); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); #endif return EXPECT_RESULT(); } -static int test_wolfSSL_X509V3_EXT(void) { +static int test_wolfSSL_X509V3_EXT_san(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + WOLFSSL_STACK* sk = NULL; + + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); + + if (obj != NULL) { + obj->type = NID_subject_alt_name; + obj->nid = NID_subject_alt_name; + } + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + ExpectNotNull(wolfSSL_X509V3_EXT_get(ext)); + /* No extension stack set. */ + ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + + ExpectNotNull(sk = wolfSSL_sk_new_null()); + if (ext != NULL) { + ext->ext_sk = sk; + sk = NULL; + } + /* Extension stack set. */ + ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + + wolfSSL_sk_free(sk); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509V3_EXT_aia(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + WOLFSSL_STACK* sk = NULL; + WOLFSSL_STACK* node = NULL; + WOLFSSL_AUTHORITY_INFO_ACCESS* aia = NULL; + WOLFSSL_ASN1_OBJECT* entry = NULL; + + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); + + if (obj != NULL) { + obj->type = NID_info_access; + obj->nid = NID_info_access; + } + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + ExpectNotNull(wolfSSL_X509V3_EXT_get(ext)); + /* No extension stack set. */ + ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + + ExpectNotNull(sk = wolfSSL_sk_new_null()); + if (ext != NULL) { + ext->ext_sk = sk; + sk = NULL; + } + /* Extension stack set but empty. */ + ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS *)wolfSSL_X509V3_EXT_d2i(ext)); + wolfSSL_AUTHORITY_INFO_ACCESS_free(aia); + aia = NULL; + + ExpectNotNull(entry = wolfSSL_ASN1_OBJECT_new()); + if (entry != NULL) { + entry->nid = WC_NID_ad_OCSP; + entry->obj = (const unsigned char*)"http://127.0.0.1"; + entry->objSz = 16; + } + ExpectNotNull(node = wolfSSL_sk_new_node(NULL)); + if ((node != NULL) && (ext != NULL)) { + node->type = STACK_TYPE_OBJ; + node->data.obj = entry; + entry = NULL; + ExpectIntEQ(wolfSSL_sk_push_node(&ext->ext_sk, node), WOLFSSL_SUCCESS); + if (EXPECT_SUCCESS()) { + node = NULL; + } + } + ExpectNotNull(aia = (WOLFSSL_AUTHORITY_INFO_ACCESS *)wolfSSL_X509V3_EXT_d2i(ext)); + wolfSSL_ACCESS_DESCRIPTION_free(NULL); + + wolfSSL_AUTHORITY_INFO_ACCESS_pop_free(aia, + wolfSSL_ACCESS_DESCRIPTION_free); + wolfSSL_ASN1_OBJECT_free(entry); + wolfSSL_sk_free(node); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509V3_EXT(void) +{ EXPECT_DECLS; #if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) XFILE f = XBADFILE; @@ -74678,6 +76559,34 @@ static int test_wolfSSL_X509V3_EXT(void) { /* Check NULL argument */ ExpectNull(wolfSSL_X509V3_EXT_d2i(NULL)); + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); + + ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + if (ext != NULL && ext->obj != NULL) { + ext->obj->nid = ext->obj->type = NID_ext_key_usage; + } + ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + if (ext != NULL && ext->obj != NULL) { + ext->obj->nid = ext->obj->type = NID_certificate_policies; + } + ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + if (ext != NULL && ext->obj != NULL) { + ext->obj->nid = ext->obj->type = NID_crl_distribution_points; + } + ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + if (ext != NULL && ext->obj != NULL) { + ext->obj->nid = ext->obj->type = NID_subject_alt_name; + } + ExpectNull(wolfSSL_X509V3_EXT_d2i(ext)); + + wolfSSL_ASN1_OBJECT_free(obj); + obj = NULL; + wolfSSL_X509_EXTENSION_free(ext); + ext = NULL; + /* Using OCSP cert with X509V3 extensions */ ExpectTrue((f = XFOPEN("./certs/ocsp/root-ca-cert.pem", "rb")) != XBADFILE); ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); @@ -74751,11 +76660,11 @@ static int test_wolfSSL_X509V3_EXT(void) { ExpectIntEQ((nid = wolfSSL_OBJ_obj2nid(obj)), NID_key_usage); ExpectNotNull(asn1str = (WOLFSSL_ASN1_STRING*)wolfSSL_X509V3_EXT_d2i(ext)); - #if defined(WOLFSSL_QT) +#if defined(WOLFSSL_QT) ExpectNotNull(data = (unsigned char*)ASN1_STRING_get0_data(asn1str)); - #else +#else ExpectNotNull(data = wolfSSL_ASN1_STRING_data(asn1str)); - #endif +#endif expected = KEYUSE_KEY_CERT_SIGN | KEYUSE_CRL_SIGN; if (data != NULL) { #ifdef BIG_ENDIAN_ORDER @@ -74767,7 +76676,8 @@ static int test_wolfSSL_X509V3_EXT(void) { ExpectIntEQ(actual, expected); wolfSSL_ASN1_STRING_free(asn1str); asn1str = NULL; -#if 1 + ExpectIntEQ(wolfSSL_X509_get_keyUsage(NULL), 0); + ExpectIntEQ(wolfSSL_X509_get_keyUsage(x509), expected); i++; /* Authority Info Access */ @@ -74806,11 +76716,18 @@ static int test_wolfSSL_X509V3_EXT(void) { } ExpectIntEQ(actual, 0); + ExpectIntEQ(wolfSSL_sk_ACCESS_DESCRIPTION_num(NULL), WOLFSSL_FATAL_ERROR); + ExpectIntEQ(wolfSSL_sk_ACCESS_DESCRIPTION_num(aia), 1); + ExpectNull(wolfSSL_sk_ACCESS_DESCRIPTION_value(NULL, 0)); + ExpectNull(wolfSSL_sk_ACCESS_DESCRIPTION_value(aia, 1)); + ExpectNotNull(wolfSSL_sk_ACCESS_DESCRIPTION_value(aia, 0)); wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(aia, NULL); aia = NULL; -#else - (void) aia; (void) ad; (void) adObj; (void) gn; + +#ifndef NO_WOLFSSL_STUB + ExpectNull(wolfSSL_X509_delete_ext(x509, 0)); #endif + wolfSSL_X509_free(x509); #endif return EXPECT_RESULT(); @@ -74826,6 +76743,16 @@ static int test_wolfSSL_X509_get_extension_flags(void) unsigned int keyUsageFlags; unsigned int extKeyUsageFlags; + ExpectIntEQ(X509_get_extension_flags(NULL), 0); + ExpectIntEQ(X509_get_key_usage(NULL), 0); + ExpectIntEQ(X509_get_extended_key_usage(NULL), 0); + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectIntEQ(X509_get_extension_flags(x509), 0); + ExpectIntEQ(X509_get_key_usage(x509), -1); + ExpectIntEQ(X509_get_extended_key_usage(x509), 0); + wolfSSL_X509_free(x509); + x509 = NULL; + /* client-int-cert.pem has the following extension flags. */ extFlags = EXFLAG_KUSAGE | EXFLAG_XKUSAGE; /* and the following key usage flags. */ @@ -74895,6 +76822,8 @@ static int test_wolfSSL_X509_get_ext(void) /* wolfSSL_X509_get_ext() NULL x509, valid idx */ ExpectNull(foundExtension = wolfSSL_X509_get_ext(NULL, 0)); + ExpectNull(wolfSSL_X509_get0_extensions(NULL)); + wolfSSL_X509_free(x509); #endif return EXPECT_RESULT(); @@ -74909,6 +76838,12 @@ static int test_wolfSSL_X509_get_ext_by_NID(void) WOLFSSL_X509* x509 = NULL; ASN1_OBJECT* obj = NULL; + ExpectNotNull(x509 = wolfSSL_X509_new()); + ExpectIntEQ(wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, -1), + WOLFSSL_FATAL_ERROR); + wolfSSL_X509_free(x509); + x509 = NULL; + ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); ExpectNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); if (f != XBADFILE) @@ -74916,6 +76851,8 @@ static int test_wolfSSL_X509_get_ext_by_NID(void) ExpectIntGE(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, -1), 0); + ExpectIntGE(wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, 20), + -1); /* Start search from last location (should fail) */ ExpectIntGE(rc = wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, @@ -74974,6 +76911,381 @@ static int test_wolfSSL_X509_get_ext_subj_alt_name(void) return EXPECT_RESULT(); } +static int test_wolfSSL_X509_set_ext(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_RSA) + WOLFSSL_X509* x509 = NULL; + XFILE f = XBADFILE; + int loc; + + ExpectNull(wolfSSL_X509_set_ext(NULL, 0)); + + ExpectNotNull(x509 = wolfSSL_X509_new()); + /* Location too small. */ + ExpectNull(wolfSSL_X509_set_ext(x509, -1)); + /* Location too big. */ + ExpectNull(wolfSSL_X509_set_ext(x509, 1)); + /* No DER encoding. */ + ExpectNull(wolfSSL_X509_set_ext(x509, 0)); + wolfSSL_X509_free(x509); + x509 = NULL; + + ExpectTrue((f = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); + ExpectNotNull(x509 = PEM_read_X509(f, NULL, NULL, NULL)); + if (f != XBADFILE) { + XFCLOSE(f); + } + for (loc = 0; loc < wolfSSL_X509_get_ext_count(x509); loc++) { + ExpectNotNull(wolfSSL_X509_set_ext(x509, loc)); + } + + wolfSSL_X509_free(x509); +#endif + return EXPECT_RESULT(); +} + +#if defined(OPENSSL_ALL) +static int test_X509_add_basic_constraints(WOLFSSL_X509* x509) +{ + EXPECT_DECLS; + const byte basicConsObj[] = { 0x06, 0x03, 0x55, 0x1d, 0x13 }; + const byte* p; + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + ASN1_INTEGER* pathLen = NULL; + + p = basicConsObj; + ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, + sizeof(basicConsObj))); + if (obj != NULL) { + obj->type = NID_basic_constraints; + } + ExpectNotNull(pathLen = wolfSSL_ASN1_INTEGER_new()); + if (pathLen != NULL) { + pathLen->length = 2; + } + if (obj != NULL) { + obj->ca = 0; + } + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + if (ext != NULL && ext->obj != NULL) { + ext->obj->ca = 0; + ext->obj->pathlen = pathLen; + } + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + ExpectIntEQ(x509->isCa, 0); + ExpectIntEQ(x509->pathLength, 2); + if (ext != NULL && ext->obj != NULL) { + /* Add second time to without path length. */ + ext->obj->ca = 1; + ext->obj->pathlen = NULL; + } + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + ExpectIntEQ(x509->isCa, 1); + ExpectIntEQ(x509->pathLength, 2); + ExpectIntEQ(wolfSSL_X509_get_isSet_pathLength(NULL), 0); + ExpectIntEQ(wolfSSL_X509_get_isSet_pathLength(x509), 1); + ExpectIntEQ(wolfSSL_X509_get_pathLength(NULL), 0); + ExpectIntEQ(wolfSSL_X509_get_pathLength(x509), 2); + + wolfSSL_ASN1_INTEGER_free(pathLen); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); + + return EXPECT_RESULT(); +} + +static int test_X509_add_key_usage(WOLFSSL_X509* x509) +{ + EXPECT_DECLS; + const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x0f }; + const byte data[] = { 0x04, 0x02, 0x01, 0x80 }; + const byte emptyData[] = { 0x04, 0x00 }; + const char* strData = "digitalSignature,keyCertSign"; + const byte* p; + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + WOLFSSL_ASN1_STRING* str = NULL; + + p = objData; + ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData))); + if (obj != NULL) { + obj->type = NID_key_usage; + } + p = data; + ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data))); + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + /* No Data - no change. */ + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + ExpectIntEQ(x509->keyUsage, KEYUSE_DECIPHER_ONLY | KEYUSE_ENCIPHER_ONLY); + + /* Add second time with string to interpret. */ + wolfSSL_ASN1_STRING_free(str); + str = NULL; + ExpectNotNull(str = wolfSSL_ASN1_STRING_new()); + ExpectIntEQ(ASN1_STRING_set(str, strData, (word32)XSTRLEN(strData) + 1), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + ExpectIntEQ(x509->keyUsage, KEYUSE_DIGITAL_SIG | KEYUSE_KEY_CERT_SIGN); + + /* Empty data. */ + wolfSSL_ASN1_STRING_free(str); + str = NULL; + p = emptyData; + ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, + (long)sizeof(emptyData))); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE); + + /* Invalid string to parse. */ + wolfSSL_ASN1_STRING_free(str); + str = NULL; + ExpectNotNull(str = wolfSSL_ASN1_STRING_new()); + ExpectIntEQ(ASN1_STRING_set(str, "bad", 4), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE); + + wolfSSL_ASN1_STRING_free(str); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); + + return EXPECT_RESULT(); +} + +static int test_X509_add_ext_key_usage(WOLFSSL_X509* x509) +{ + EXPECT_DECLS; + const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x25 }; + const byte data[] = { 0x04, 0x01, 0x01 }; + const byte emptyData[] = { 0x04, 0x00 }; + const char* strData = "serverAuth,codeSigning"; + const byte* p; + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + WOLFSSL_ASN1_STRING* str = NULL; + + p = objData; + ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData))); + if (obj != NULL) { + obj->type = NID_ext_key_usage; + } + p = data; + ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data))); + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + /* No Data - no change. */ + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + ExpectIntEQ(x509->extKeyUsage, EXTKEYUSE_ANY); + + /* Add second time with string to interpret. */ + wolfSSL_ASN1_STRING_free(str); + str = NULL; + ExpectNotNull(str = wolfSSL_ASN1_STRING_new()); + ExpectIntEQ(ASN1_STRING_set(str, strData, (word32)XSTRLEN(strData) + 1), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + ExpectIntEQ(x509->extKeyUsage, EXTKEYUSE_SERVER_AUTH | EXTKEYUSE_CODESIGN); + + /* Empty data. */ + wolfSSL_ASN1_STRING_free(str); + str = NULL; + p = emptyData; + ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, + (long)sizeof(emptyData))); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE); + + /* Invalid string to parse. */ + wolfSSL_ASN1_STRING_free(str); + str = NULL; + ExpectNotNull(str = wolfSSL_ASN1_STRING_new()); + ExpectIntEQ(ASN1_STRING_set(str, "bad", 4), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_FAILURE); + + wolfSSL_ASN1_STRING_free(str); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); + + return EXPECT_RESULT(); +} + +static int test_x509_add_auth_key_id(WOLFSSL_X509* x509) +{ + EXPECT_DECLS; + const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x23 }; + const byte data[] = { + 0x04, 0x81, 0xcc, 0x30, 0x81, 0xc9, 0x80, 0x14, + 0x27, 0x8e, 0x67, 0x11, 0x74, 0xc3, 0x26, 0x1d, + 0x3f, 0xed, 0x33, 0x63, 0xb3, 0xa4, 0xd8, 0x1d, + 0x30, 0xe5, 0xe8, 0xd5, 0xa1, 0x81, 0x9a, 0xa4, + 0x81, 0x97, 0x30, 0x81, 0x94, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0c, 0x07, 0x4d, 0x6f, 0x6e, + 0x74, 0x61, 0x6e, 0x61, 0x31, 0x10, 0x30, 0x0e, + 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x42, + 0x6f, 0x7a, 0x65, 0x6d, 0x61, 0x6e, 0x31, 0x11, + 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x08, 0x53, 0x61, 0x77, 0x74, 0x6f, 0x6f, 0x74, + 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, + 0x04, 0x0b, 0x0c, 0x0a, 0x43, 0x6f, 0x6e, 0x73, + 0x75, 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, + 0x0f, 0x77, 0x77, 0x77, 0x2e, 0x77, 0x6f, 0x6c, + 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, + 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, + 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, + 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, + 0x6d, 0x82, 0x14, 0x33, 0x44, 0x1a, 0xa8, 0x6c, + 0x01, 0xec, 0xf6, 0x60, 0xf2, 0x70, 0x51, 0x0a, + 0x4c, 0xd1, 0x14, 0xfa, 0xbc, 0xe9, 0x44 + }; + const byte* p; + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + WOLFSSL_ASN1_STRING* str = NULL; + + p = objData; + ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData))); + if (obj != NULL) { + obj->type = NID_authority_key_identifier; + } + p = data; + ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data))); + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + + /* Add second time with string to interpret. */ + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + + wolfSSL_ASN1_STRING_free(str); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); + + return EXPECT_RESULT(); +} + +static int test_x509_add_subj_key_id(WOLFSSL_X509* x509) +{ + EXPECT_DECLS; + const byte objData[] = { 0x06, 0x03, 0x55, 0x1d, 0x0e }; + const byte data[] = { + 0x04, 0x16, 0x04, 0x14, 0xb3, 0x11, 0x32, 0xc9, + 0x92, 0x98, 0x84, 0xe2, 0xc9, 0xf8, 0xd0, 0x3b, + 0x6e, 0x03, 0x42, 0xca, 0x1f, 0x0e, 0x8e, 0x3c + }; + const byte* p; + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + WOLFSSL_ASN1_STRING* str = NULL; + + p = objData; + ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, sizeof(objData))); + if (obj != NULL) { + obj->type = NID_subject_key_identifier; + } + p = data; + ExpectNotNull(str = d2i_ASN1_OCTET_STRING(NULL, &p, (long)sizeof(data))); + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, str), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + /* Add second time with string to interpret. */ + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + + wolfSSL_ASN1_STRING_free(str); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_X509_EXTENSION_free(ext); + + return EXPECT_RESULT(); +} +#endif + +static int test_wolfSSL_X509_add_ext(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) + WOLFSSL_X509* x509 = NULL; + WOLFSSL_X509_EXTENSION* ext_empty = NULL; + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + WOLFSSL_ASN1_STRING* data = NULL; + const byte* p; + const byte subjAltNameObj[] = { 0x06, 0x03, 0x55, 0x1d, 0x11 }; + const byte subjAltName[] = { + 0x04, 0x15, 0x30, 0x13, 0x82, 0x0b, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, + 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01 + }; + + ExpectNotNull(x509 = wolfSSL_X509_new()); + + /* Create extension: Subject Alternative Name */ + ExpectNotNull(ext_empty = wolfSSL_X509_EXTENSION_new()); + p = subjAltName; + ExpectNotNull(data = d2i_ASN1_OCTET_STRING(NULL, &p, + (long)sizeof(subjAltName))); + p = subjAltNameObj; + ExpectNotNull(obj = wolfSSL_d2i_ASN1_OBJECT(NULL, &p, + sizeof(subjAltNameObj))); + if (obj != NULL) { + obj->type = NID_subject_alt_name; + } + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_data(ext, data), WOLFSSL_SUCCESS); + + /* Failure cases. */ + ExpectIntEQ(wolfSSL_X509_add_ext(NULL, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, NULL, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(NULL, ext, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(NULL, NULL, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(NULL, ext, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, NULL, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, 0), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext_empty, -1), + WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); + + /* Add: Subject Alternative Name */ + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + /* Add second time to ensure no memory leaks. */ + ExpectIntEQ(wolfSSL_X509_add_ext(x509, ext, -1), WOLFSSL_SUCCESS); + + wolfSSL_X509_EXTENSION_free(ext); + wolfSSL_ASN1_OBJECT_free(obj); + wolfSSL_ASN1_STRING_free(data); + wolfSSL_X509_EXTENSION_free(ext_empty); + + EXPECT_TEST(test_X509_add_basic_constraints(x509)); + EXPECT_TEST(test_X509_add_key_usage(x509)); + EXPECT_TEST(test_X509_add_ext_key_usage(x509)); + EXPECT_TEST(test_x509_add_auth_key_id(x509)); + EXPECT_TEST(test_x509_add_subj_key_id(x509)); + + wolfSSL_X509_free(x509); +#endif + return EXPECT_RESULT(); +} + static int test_wolfSSL_X509_EXTENSION_new(void) { EXPECT_DECLS; @@ -74983,6 +77295,24 @@ static int test_wolfSSL_X509_EXTENSION_new(void) ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); ExpectNotNull(ext->obj = wolfSSL_ASN1_OBJECT_new()); + wolfSSL_X509_EXTENSION_free(NULL); + wolfSSL_X509_EXTENSION_free(ext); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_EXTENSION_dup(void) +{ + EXPECT_DECLS; +#if defined (OPENSSL_ALL) + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_X509_EXTENSION* dup = NULL; + + ExpectNull(wolfSSL_X509_EXTENSION_dup(NULL)); + ExpectNotNull(ext = wolfSSL_X509_EXTENSION_new()); + ExpectNotNull(dup = wolfSSL_X509_EXTENSION_dup(ext)); + + wolfSSL_X509_EXTENSION_free(dup); wolfSSL_X509_EXTENSION_free(ext); #endif return EXPECT_RESULT(); @@ -74994,6 +77324,7 @@ static int test_wolfSSL_X509_EXTENSION_get_object(void) #if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) WOLFSSL_X509* x509 = NULL; WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_X509_EXTENSION* dup = NULL; WOLFSSL_ASN1_OBJECT* o = NULL; XFILE file = XBADFILE; @@ -75007,6 +77338,8 @@ static int test_wolfSSL_X509_EXTENSION_get_object(void) ExpectNull(wolfSSL_X509_EXTENSION_get_object(NULL)); ExpectNotNull(o = wolfSSL_X509_EXTENSION_get_object(ext)); ExpectIntEQ(o->nid, 128); + ExpectNotNull(dup = wolfSSL_X509_EXTENSION_dup(ext)); + wolfSSL_X509_EXTENSION_free(dup); /* wolfSSL_X509_EXTENSION_get_object() NULL argument */ ExpectNull(o = wolfSSL_X509_EXTENSION_get_object(NULL)); @@ -75062,6 +77395,62 @@ static int test_wolfSSL_X509_EXTENSION_get_critical(void) return EXPECT_RESULT(); } +static int test_wolfSSL_X509_EXTENSION_create_by_OBJ(void) +{ + EXPECT_DECLS; +#if !defined(NO_FILESYSTEM) && defined(OPENSSL_ALL) && !defined(NO_RSA) + XFILE file = XBADFILE; + WOLFSSL_X509* x509 = NULL; + WOLFSSL_X509* empty = NULL; + WOLFSSL_X509_EXTENSION* ext = NULL; + WOLFSSL_X509_EXTENSION* ext2 = NULL; + WOLFSSL_X509_EXTENSION* ext3 = NULL; + WOLFSSL_ASN1_OBJECT* o = NULL; + int crit = 0; + WOLFSSL_ASN1_STRING* str = NULL; + + ExpectTrue((file = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); + ExpectNotNull(x509 = wolfSSL_PEM_read_X509(file, NULL, NULL, NULL)); + if (file != XBADFILE) + XFCLOSE(file); + ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, 0)); + + ExpectNotNull(o = wolfSSL_X509_EXTENSION_get_object(ext)); + ExpectIntEQ(crit = wolfSSL_X509_EXTENSION_get_critical(ext), 0); + ExpectNotNull(str = wolfSSL_X509_EXTENSION_get_data(ext)); + + ExpectNull(wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, NULL, 0, NULL)); + ExpectNull(wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, o, 0, NULL)); + ExpectNull(wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, NULL, 0, str)); + ExpectNotNull(ext2 = wolfSSL_X509_EXTENSION_create_by_OBJ(NULL, o, crit, + str)); + ExpectNotNull(ext3 = wolfSSL_X509_EXTENSION_create_by_OBJ(ext2, o, crit, + str)); + if (ext3 == NULL) { + wolfSSL_X509_EXTENSION_free(ext2); + } + wolfSSL_X509_EXTENSION_free(ext3); + + ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(NULL, NULL, -1), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(NULL, o, -1), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectNotNull(empty = wolfSSL_X509_new()); + ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(empty, NULL, -1), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(empty, o, -1), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + wolfSSL_X509_free(empty); + empty = NULL; + ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(x509, o, -2), 0); + ExpectIntEQ(wolfSSL_X509_get_ext_by_OBJ(x509, o, 0), + WC_NO_ERR_TRACE(WOLFSSL_FATAL_ERROR)); + + wolfSSL_X509_free(x509); +#endif + return EXPECT_RESULT(); +} + static int test_wolfSSL_X509V3_EXT_print(void) { EXPECT_DECLS; @@ -75085,6 +77474,15 @@ static int test_wolfSSL_X509V3_EXT_print(void) ExpectIntGT(loc = wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, -1), -1); ExpectNotNull(ext = wolfSSL_X509_get_ext(x509, loc)); + + /* Failure cases. */ + ExpectIntEQ(wolfSSL_X509V3_EXT_print(NULL, NULL, 0, 0), + WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio , NULL, 0, 0), + WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509V3_EXT_print(NULL, ext , 0, 0), + WOLFSSL_FAILURE); + /* Good case. */ ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_SUCCESS); ExpectIntGT(loc = wolfSSL_X509_get_ext_by_NID(x509, @@ -75135,6 +77533,46 @@ static int test_wolfSSL_X509V3_EXT_print(void) BIO_free(bio); X509_free(x509); } + + { + BIO* bio = NULL; + X509_EXTENSION* ext = NULL; + WOLFSSL_ASN1_OBJECT* obj = NULL; + + ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); + ExpectNotNull(ext = X509_EXTENSION_new()); + + /* No object. */ + ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_FAILURE); + + ExpectNotNull(obj = wolfSSL_ASN1_OBJECT_new()); + ExpectIntEQ(wolfSSL_X509_EXTENSION_set_object(ext, obj), + WOLFSSL_SUCCESS); + + /* NID not supported yet - just doesn't write anything. */ + if (ext != NULL && ext->obj != NULL) { + ext->obj->nid = AUTH_INFO_OID; + ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), + WOLFSSL_SUCCESS); + ext->obj->nid = CERT_POLICY_OID; + ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), + WOLFSSL_SUCCESS); + ext->obj->nid = CRL_DIST_OID; + ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), + WOLFSSL_SUCCESS); + ext->obj->nid = KEY_USAGE_OID; + ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), + WOLFSSL_SUCCESS); + + ext->obj->nid = EXT_KEY_USAGE_OID; + ExpectIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), + WOLFSSL_SUCCESS); + } + + wolfSSL_ASN1_OBJECT_free(obj); + X509_EXTENSION_free(ext); + BIO_free(bio); + } #endif return EXPECT_RESULT(); } @@ -75147,6 +77585,7 @@ static int test_wolfSSL_X509_cmp(void) XFILE file2 = XBADFILE; WOLFSSL_X509* cert1 = NULL; WOLFSSL_X509* cert2 = NULL; + WOLFSSL_X509* empty = NULL; ExpectTrue((file1 = XFOPEN("./certs/server-cert.pem", "rb")) != XBADFILE); ExpectTrue((file2 = XFOPEN("./certs/3072/client-cert.pem", "rb")) != @@ -75159,6 +77598,8 @@ static int test_wolfSSL_X509_cmp(void) if (file2 != XBADFILE) fclose(file2); + ExpectNotNull(empty = wolfSSL_X509_new()); + /* wolfSSL_X509_cmp() testing matching certs */ ExpectIntEQ(0, wolfSSL_X509_cmp(cert1, cert1)); @@ -75174,8 +77615,13 @@ static int test_wolfSSL_X509_cmp(void) /* wolfSSL_X509_cmp() testing NULL, NULL args */ ExpectIntEQ(WC_NO_ERR_TRACE(BAD_FUNC_ARG), wolfSSL_X509_cmp(NULL, NULL)); - wolfSSL_X509_free(cert1); + /* wolfSSL_X509_cmp() testing empty cert */ + ExpectIntEQ(WOLFSSL_FATAL_ERROR, wolfSSL_X509_cmp(empty, cert2)); + ExpectIntEQ(WOLFSSL_FATAL_ERROR, wolfSSL_X509_cmp(cert1, empty)); + + wolfSSL_X509_free(empty); wolfSSL_X509_free(cert2); + wolfSSL_X509_free(cert1); #endif return EXPECT_RESULT(); } @@ -75438,6 +77884,7 @@ static int test_wolfSSL_OCSP_id_get0_info(void) ExpectNotNull(x509Int = X509_get_serialNumber(cert)); ExpectIntEQ(x509Int->length, serial->length); ExpectIntEQ(XMEMCMP(x509Int->data, serial->data, serial->length), 0); + ExpectNotNull(x509Int = X509_get_serialNumber(cert)); /* test OCSP_id_cmp */ ExpectIntNE(OCSP_id_cmp(NULL, NULL), 0); @@ -75919,11 +78366,13 @@ static int test_wolfSSL_OCSP_REQ_CTX(void) BIO* bio1 = NULL; BIO* bio2 = NULL; X509* cert = NULL; + X509* empty = NULL; X509 *issuer = NULL; X509_LOOKUP *lookup = NULL; X509_STORE *store = NULL; STACK_OF(X509_OBJECT) *str_objs = NULL; X509_OBJECT *x509_obj = NULL; + STACK_OF(WOLFSSL_STRING) *skStr = NULL; ExpectNotNull(bio1 = BIO_new(BIO_s_bio())); ExpectNotNull(bio2 = BIO_new(BIO_s_bio())); @@ -75932,15 +78381,34 @@ static int test_wolfSSL_OCSP_REQ_CTX(void) /* Load the leaf cert */ ExpectNotNull(cert = wolfSSL_X509_load_certificate_file( "certs/ocsp/server1-cert.pem", WOLFSSL_FILETYPE_PEM)); + ExpectNull(wolfSSL_X509_get1_ocsp(NULL)); + ExpectNotNull(skStr = wolfSSL_X509_get1_ocsp(cert)); + wolfSSL_X509_email_free(NULL); + wolfSSL_X509_email_free(skStr); + ExpectNotNull(empty = wolfSSL_X509_new()); + ExpectNull(wolfSSL_X509_get1_ocsp(empty)); + wolfSSL_X509_free(empty); ExpectNotNull(store = X509_STORE_new()); ExpectNotNull(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())); ExpectIntEQ(X509_LOOKUP_load_file(lookup, "certs/ocsp/server1-cert.pem", X509_FILETYPE_PEM), 1); ExpectNotNull(str_objs = X509_STORE_get0_objects(store)); + ExpectNull(X509_OBJECT_retrieve_by_subject(NULL, X509_LU_X509, NULL)); + ExpectNull(X509_OBJECT_retrieve_by_subject(str_objs, X509_LU_X509, NULL)); + ExpectNull(X509_OBJECT_retrieve_by_subject(NULL, X509_LU_X509, + X509_get_issuer_name(cert))); + ExpectNull(X509_OBJECT_retrieve_by_subject(str_objs, + X509_LU_CRL, X509_get_issuer_name(cert))); ExpectNotNull(x509_obj = X509_OBJECT_retrieve_by_subject(str_objs, X509_LU_X509, X509_get_issuer_name(cert))); ExpectNotNull(issuer = X509_OBJECT_get0_X509(x509_obj)); + ExpectTrue(wolfSSL_X509_OBJECT_get_type(NULL) == WOLFSSL_X509_LU_NONE); +#ifndef NO_WOLFSSL_STUB + /* Not implemented and not in OpenSSL 1.1.0+ */ + wolfSSL_X509_OBJECT_free_contents(x509_obj); +#endif + wolfSSL_X509_OBJECT_free(NULL); ExpectNotNull(req = OCSP_REQUEST_new()); ExpectNotNull(cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer)); @@ -77397,9 +79865,11 @@ static int test_ERR_load_crypto_strings(void) } #if defined(OPENSSL_ALL) && !defined(NO_CERTS) +static WOLFSSL_X509 x1; +static WOLFSSL_X509 x2; static void free_x509(X509* x) { - AssertIntEQ((x == (X509*)1 || x == (X509*)2), 1); + AssertIntEQ((x == &x1 || x == &x2), 1); } #endif @@ -77410,7 +79880,7 @@ static int test_sk_X509(void) { STACK_OF(X509)* s = NULL; - ExpectNotNull(s = sk_X509_new_null()); + ExpectNotNull(s = wolfSSL_sk_X509_new(NULL)); ExpectIntEQ(sk_X509_num(s), 0); sk_X509_pop_free(s, NULL); @@ -77419,14 +79889,25 @@ static int test_sk_X509(void) sk_X509_pop_free(s, NULL); ExpectNotNull(s = sk_X509_new_null()); - sk_X509_push(s, (X509*)1); + + /* Test invalid parameters. */ + ExpectIntEQ(sk_X509_push(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(sk_X509_push(s, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(sk_X509_push(NULL, (X509*)1), WOLFSSL_FAILURE); + ExpectNull(sk_X509_pop(NULL)); + ExpectNull(sk_X509_value(NULL, 0)); + ExpectNull(sk_X509_value(NULL, 1)); + + sk_X509_push(s, &x1); ExpectIntEQ(sk_X509_num(s), 1); - ExpectIntEQ((sk_X509_value(s, 0) == (X509*)1), 1); - sk_X509_push(s, (X509*)2); + ExpectIntEQ((sk_X509_value(s, 0) == &x1), 1); + sk_X509_push(s, &x2); ExpectIntEQ(sk_X509_num(s), 2); - ExpectIntEQ((sk_X509_value(s, 0) == (X509*)2), 1); - ExpectIntEQ((sk_X509_value(s, 1) == (X509*)1), 1); - sk_X509_push(s, (X509*)2); + ExpectNull(sk_X509_value(s, 2)); + ExpectIntEQ((sk_X509_value(s, 0) == &x2), 1); + ExpectIntEQ((sk_X509_value(s, 1) == &x1), 1); + sk_X509_push(s, &x2); + sk_X509_pop_free(s, free_x509); } @@ -77489,6 +79970,8 @@ static int test_sk_X509(void) ExpectIntEQ((x == z), 1); ExpectIntEQ(sk_X509_num(s), len - 1 - i); } + ExpectNull(sk_X509_shift(NULL)); + ExpectNull(sk_X509_shift(s)); sk_free(s); @@ -77506,6 +79989,148 @@ static int test_sk_X509_CRL(void) X509_CRL* crl = NULL; XFILE fp = XBADFILE; STACK_OF(X509_CRL)* s = NULL; +#ifndef NO_BIO + BIO* bio = NULL; +#endif +#if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) + RevokedCert* rev = NULL; + byte buff[1024]; + int len = 0; +#endif +#if (!defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)) || \ + !defined(NO_BIO) + X509_CRL empty; +#endif + WOLFSSL_X509_REVOKED revoked; + WOLFSSL_ASN1_INTEGER* asnInt = NULL; + const WOLFSSL_ASN1_INTEGER* sn; + +#if (!defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)) || \ + !defined(NO_BIO) + XMEMSET(&empty, 0, sizeof(X509_CRL)); +#endif + +#ifndef NO_BIO + ExpectNotNull(bio = BIO_new_file("./certs/crl/crl.der", "rb")); + ExpectNull(wolfSSL_d2i_X509_CRL_bio(NULL, NULL)); + ExpectNotNull(crl = wolfSSL_d2i_X509_CRL_bio(bio, NULL)); + BIO_free(bio); + bio = NULL; + + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(wolfSSL_X509_CRL_print(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_CRL_print(bio, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_CRL_print(NULL, crl), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_CRL_print(bio, &empty), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_CRL_print(bio, crl), WOLFSSL_SUCCESS); +#ifndef NO_ASN_TIME + ExpectIntEQ(BIO_get_mem_data(bio, NULL), 1466); +#else + ExpectIntEQ(BIO_get_mem_data(bio, NULL), 1324); +#endif + BIO_free(bio); + + wolfSSL_X509_CRL_free(crl); + crl = NULL; +#endif + +#if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) + ExpectTrue((fp = XFOPEN("./certs/crl/crl.der", "rb")) != XBADFILE); + ExpectNotNull(crl = d2i_X509_CRL_fp(fp, (X509_CRL **)NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + wolfSSL_X509_CRL_free(crl); + crl = NULL; + + ExpectTrue((fp = XFOPEN("./certs/crl/crl.der", "rb")) != XBADFILE); + ExpectIntEQ(len = (int)XFREAD(buff, 1, sizeof(buff), fp), 520); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + ExpectNull(crl = d2i_X509_CRL((X509_CRL **)NULL, NULL, len)); + ExpectNotNull(crl = d2i_X509_CRL((X509_CRL **)NULL, buff, len)); + ExpectNotNull(rev = crl->crlList->certs); + + ExpectNull(wolfSSL_X509_CRL_get_issuer_name(NULL)); + ExpectNull(wolfSSL_X509_CRL_get_issuer_name(&empty)); + ExpectIntEQ(wolfSSL_X509_CRL_version(NULL), 0); + ExpectIntEQ(wolfSSL_X509_CRL_version(&empty), 0); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature_type(NULL), 0); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature_type(&empty), 0); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature_nid(NULL), 0); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature_nid(&empty), 0); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature(NULL, NULL, NULL), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature(crl , NULL, NULL), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature(NULL, NULL, &len), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature(&empty, NULL, &len), + BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_REVOKED_get_serial_number(NULL, NULL, NULL), + BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_REVOKED_get_serial_number(rev , NULL, NULL), + BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_X509_REVOKED_get_serial_number(NULL, NULL, &len), + BAD_FUNC_ARG); + ExpectNull(wolfSSL_X509_CRL_get_lastUpdate(NULL)); + ExpectNull(wolfSSL_X509_CRL_get_lastUpdate(&empty)); + ExpectNull(wolfSSL_X509_CRL_get_nextUpdate(NULL)); + ExpectNull(wolfSSL_X509_CRL_get_nextUpdate(&empty)); + + ExpectNotNull(wolfSSL_X509_CRL_get_issuer_name(crl)); + ExpectIntEQ(wolfSSL_X509_CRL_version(crl), 2); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature_type(crl), CTC_SHA256wRSA); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature_nid(crl), + WC_NID_sha256WithRSAEncryption); + ExpectIntEQ(wolfSSL_X509_CRL_get_signature(crl, NULL, &len), + WOLFSSL_SUCCESS); + ExpectIntEQ(len, 256); + len--; + ExpectIntEQ(wolfSSL_X509_CRL_get_signature(crl, buff, &len), BUFFER_E); + len += 2; + ExpectIntEQ(wolfSSL_X509_CRL_get_signature(crl, buff, &len), + WOLFSSL_SUCCESS); + ExpectIntEQ(len, 256); + ExpectNotNull(wolfSSL_X509_CRL_get_lastUpdate(crl)); + ExpectNotNull(wolfSSL_X509_CRL_get_nextUpdate(crl)); + + ExpectIntEQ(wolfSSL_X509_REVOKED_get_serial_number(rev, NULL, &len), + WOLFSSL_SUCCESS); + ExpectIntEQ(len, 1); + len--; + ExpectIntEQ(wolfSSL_X509_REVOKED_get_serial_number(rev, buff, &len), + BUFFER_E); + len += 2; + ExpectIntEQ(wolfSSL_X509_REVOKED_get_serial_number(rev, buff, &len), + WOLFSSL_SUCCESS); + ExpectIntEQ(len, 1); + +#ifndef NO_WOLFSSL_STUB + ExpectIntEQ(wolfSSL_sk_X509_REVOKED_num(NULL), 0); + ExpectIntEQ(wolfSSL_sk_X509_REVOKED_num(&revoked), 0); + ExpectNull(wolfSSL_X509_CRL_get_REVOKED(NULL)); + ExpectNull(wolfSSL_X509_CRL_get_REVOKED(crl)); + ExpectNull(wolfSSL_sk_X509_REVOKED_value(NULL, 0)); + ExpectNull(wolfSSL_sk_X509_REVOKED_value(&revoked, 0)); + ExpectIntEQ(wolfSSL_X509_CRL_verify(NULL, NULL), 0); +#endif + + wolfSSL_X509_CRL_free(crl); + crl = NULL; +#endif + + ExpectNotNull(asnInt = wolfSSL_ASN1_INTEGER_new()); + ExpectIntEQ(wolfSSL_ASN1_INTEGER_set(asnInt, 1), 1); + revoked.serialNumber = asnInt; + ExpectNull(wolfSSL_X509_REVOKED_get0_serial_number(NULL)); + ExpectNotNull(sn = wolfSSL_X509_REVOKED_get0_serial_number(&revoked)); + ExpectPtrEq(sn, asnInt); +#ifndef NO_WOLFSSL_STUB + ExpectNull(wolfSSL_X509_REVOKED_get0_revocation_date(NULL)); + ExpectNull(wolfSSL_X509_REVOKED_get0_revocation_date(&revoked)); +#endif + wolfSSL_ASN1_INTEGER_free(asnInt); ExpectTrue((fp = XFOPEN("./certs/crl/crl.pem", "rb")) != XBADFILE); ExpectNotNull(crl = (X509_CRL*)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, @@ -77514,6 +80139,13 @@ static int test_sk_X509_CRL(void) XFCLOSE(fp); ExpectNotNull(s = sk_X509_CRL_new()); + + ExpectIntEQ(sk_X509_CRL_push(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(sk_X509_CRL_push(NULL, crl), WOLFSSL_FAILURE); + ExpectIntEQ(sk_X509_CRL_push(s, NULL), WOLFSSL_FAILURE); + ExpectNull(sk_X509_CRL_value(NULL, 0)); + ExpectIntEQ(sk_X509_CRL_num(NULL), 0); + ExpectIntEQ(sk_X509_CRL_num(s), 0); ExpectIntEQ(sk_X509_CRL_push(s, crl), 1); if (EXPECT_FAIL()) { @@ -77521,6 +80153,7 @@ static int test_sk_X509_CRL(void) } ExpectIntEQ(sk_X509_CRL_num(s), 1); ExpectPtrEq(sk_X509_CRL_value(s, 0), crl); + sk_X509_CRL_free(s); #endif return EXPECT_RESULT(); @@ -77571,7 +80204,11 @@ static int test_X509_REQ(void) #ifdef HAVE_ECC const unsigned char* ecPriv = (const unsigned char*)ecc_clikey_der_256; const unsigned char* ecPub = (unsigned char*)ecc_clikeypub_der_256; + BIO* bio = NULL; #endif + unsigned char tooLongPassword[WC_CTC_NAME_SIZE + 1]; + + XMEMSET(tooLongPassword, 0, sizeof(tooLongPassword)); ExpectNotNull(name = X509_NAME_new()); ExpectIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8, @@ -77595,6 +80232,9 @@ static int test_X509_REQ(void) ExpectIntEQ(X509_REQ_sign(req, NULL, EVP_sha256()), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); ExpectIntEQ(X509_REQ_sign(req, priv, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); ExpectIntEQ(X509_REQ_sign(req, priv, EVP_sha256()), WOLFSSL_SUCCESS); + ExpectIntEQ(i2d_X509_REQ(NULL, NULL), BAD_FUNC_ARG); + ExpectIntEQ(i2d_X509_REQ(req, NULL), BAD_FUNC_ARG); + ExpectIntEQ(i2d_X509_REQ(NULL, &der), BAD_FUNC_ARG); len = i2d_X509_REQ(req, &der); DEBUG_WRITE_DER(der, len, "req.der"); #ifdef USE_CERT_BUFFERS_1024 @@ -77608,6 +80248,9 @@ static int test_X509_REQ(void) mctx = EVP_MD_CTX_new(); ExpectIntEQ(EVP_DigestSignInit(mctx, &pkctx, EVP_sha256(), NULL, priv), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_REQ_sign_ctx(NULL, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_sign_ctx(req, NULL), WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_sign_ctx(NULL, mctx), WOLFSSL_FAILURE); ExpectIntEQ(X509_REQ_sign_ctx(req, mctx), WOLFSSL_SUCCESS); EVP_MD_CTX_free(mctx); @@ -77662,8 +80305,13 @@ static int test_X509_REQ(void) /* Signature is random and may be shorter or longer. */ ExpectIntGE((len = i2d_X509_REQ(req, &der)), 245); ExpectIntLE(len, 253); + ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE)); + ExpectIntEQ(X509_REQ_print(bio, req), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_REQ_print(bio, NULL), WOLFSSL_FAILURE); + BIO_free(bio); XFREE(der, NULL, DYNAMIC_TYPE_OPENSSL); X509_REQ_free(req); + req = NULL; EVP_PKEY_free(pub); EVP_PKEY_free(priv); @@ -77673,6 +80321,140 @@ static int test_X509_REQ(void) #endif /* HAVE_ECC */ X509_NAME_free(name); + + ExpectNull(wolfSSL_X509_REQ_get_extensions(NULL)); + /* Stub function. */ + ExpectNull(wolfSSL_X509_to_X509_REQ(NULL, NULL, NULL)); + + ExpectNotNull(req = X509_REQ_new()); +#ifdef HAVE_LIBEST + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(NULL, NULL, + WOLFSSL_MBSTRING_UTF8, NULL, 0), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(req, NULL, + WOLFSSL_MBSTRING_UTF8, NULL, 0), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(NULL, "name", + WOLFSSL_MBSTRING_UTF8, NULL, 0), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(NULL, NULL, + WOLFSSL_MBSTRING_ASC, NULL, 0), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(NULL, NULL, + WOLFSSL_MBSTRING_UTF8, (byte*)"1.3.6.1.1.1.1.22", 16), WOLFSSL_FAILURE); + + + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(NULL, "name", + WOLFSSL_MBSTRING_ASC, (byte*)"1.3.6.1.1.1.1.22", 16), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(req, NULL, + WOLFSSL_MBSTRING_ASC, (byte*)"1.3.6.1.1.1.1.22", 16), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(req, "name", + WOLFSSL_MBSTRING_UTF8, (byte*)"1.3.6.1.1.1.1.22", 16), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(req, "name", + WOLFSSL_MBSTRING_ASC, NULL, 0), WOLFSSL_FAILURE); + + /* Unsupported bytes. */ + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(req, "name", + WOLFSSL_MBSTRING_ASC, (byte*)"1.3.6.1.1.1.1.23", 16), WOLFSSL_FAILURE); + + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(req, "MAC Address", + WOLFSSL_MBSTRING_ASC, (byte*)"1.3.6.1.1.1.1.22", 16), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(req, "ecpublicKey", + WOLFSSL_MBSTRING_ASC, (byte*)"1.2.840.10045.2.1", -1), WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(req, "ecdsa-with-SHA384", + WOLFSSL_MBSTRING_ASC, (byte*)"1.2.840.10045.4.3.3", -1), + WOLFSSL_SUCCESS); +#else + /* Stub function. */ + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(NULL, NULL, + WOLFSSL_MBSTRING_UTF8, NULL, 0), WOLFSSL_FAILURE); + ExpectIntEQ(wolfSSL_X509_REQ_add1_attr_by_txt(req, "MAC Address", + WOLFSSL_MBSTRING_ASC, (byte*)"1.3.6.1.1.1.1.22", 16), WOLFSSL_FAILURE); +#endif + + ExpectIntEQ(X509_REQ_add1_attr_by_NID(NULL, WC_NID_subject_alt_name, + WOLFSSL_MBSTRING_UTF8, NULL, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_subject_alt_name, + WOLFSSL_MBSTRING_UTF8, NULL, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(NULL, WC_NID_subject_alt_name, + WOLFSSL_MBSTRING_ASC, NULL, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(NULL, WC_NID_pkcs9_challengePassword, + WOLFSSL_MBSTRING_UTF8, NULL, 0), WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(NULL, WC_NID_subject_alt_name, + WOLFSSL_MBSTRING_UTF8, (byte*)"password", 8), WOLFSSL_FAILURE); + + ExpectIntEQ(X509_REQ_add1_attr_by_NID(NULL, WC_NID_pkcs9_challengePassword, + WOLFSSL_MBSTRING_ASC, (byte*)"password", 8), WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_subject_alt_name, + WOLFSSL_MBSTRING_ASC, (byte*)"password", 8), WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_pkcs9_challengePassword, + WOLFSSL_MBSTRING_UTF8, (byte*)"password", 8), WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_pkcs9_challengePassword, + WOLFSSL_MBSTRING_ASC, NULL, -1), WOLFSSL_FAILURE); + + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_pkcs9_challengePassword, + WOLFSSL_MBSTRING_ASC, (byte*)"password", -1), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_pkcs9_challengePassword, + WOLFSSL_MBSTRING_ASC, tooLongPassword, sizeof(tooLongPassword)), + WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_serialNumber, + WOLFSSL_MBSTRING_ASC, (byte*)"123456", -1), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_serialNumber, + WOLFSSL_MBSTRING_ASC, tooLongPassword, sizeof(tooLongPassword)), + WOLFSSL_FAILURE); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_pkcs9_unstructuredName, + WOLFSSL_MBSTRING_ASC, (byte*)"name", 4), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_pkcs9_contentType, + WOLFSSL_MBSTRING_ASC, (byte*)"type", 4), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_surname, + WOLFSSL_MBSTRING_ASC, (byte*)"surname", 7), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_initials, + WOLFSSL_MBSTRING_ASC, (byte*)"s.g", 3), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_givenName, + WOLFSSL_MBSTRING_ASC, (byte*)"givenname", 9), WOLFSSL_SUCCESS); + ExpectIntEQ(X509_REQ_add1_attr_by_NID(req, WC_NID_dnQualifier, + WOLFSSL_MBSTRING_ASC, (byte*)"dnQualifier", 11), WOLFSSL_SUCCESS); + + wolfSSL_X509_REQ_free(req); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_X509_REQ_print(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \ + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && !defined(NO_BIO) + WOLFSSL_X509* req = NULL; + XFILE fp = XBADFILE; + const char* csrFileName = "certs/csr.attr.der"; + const char* csrExtFileName = "certs/csr.ext.der"; + BIO* bio = NULL; + + ExpectTrue((fp = XFOPEN(csrFileName, "rb")) != XBADFILE); + ExpectNotNull(req = d2i_X509_REQ_fp(fp, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + fp = XBADFILE; + } + + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(wolfSSL_X509_REQ_print(bio, req), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_get_mem_data(bio, NULL), 2681); + + BIO_free(bio); + bio = NULL; + wolfSSL_X509_REQ_free(req); + req = NULL; + + ExpectTrue((fp = XFOPEN(csrExtFileName, "rb")) != XBADFILE); + ExpectNotNull(req = d2i_X509_REQ_fp(fp, NULL)); + if (fp != XBADFILE) { + XFCLOSE(fp); + } + + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntEQ(wolfSSL_X509_REQ_print(bio, req), WOLFSSL_SUCCESS); + ExpectIntEQ(BIO_get_mem_data(bio, NULL), 1889); + + BIO_free(bio); + wolfSSL_X509_REQ_free(req); #endif return EXPECT_RESULT(); } @@ -78177,7 +80959,7 @@ static int test_wolfSSL_SMIME_read_PKCS7(void) static const char contTypeText[] = "Content-Type: text/plain\r\n\r\n"; XFILE smimeTestFile = XBADFILE; - ExpectTrue((smimeTestFile = XFOPEN("./certs/test/smime-test.p7s", "r")) != + ExpectTrue((smimeTestFile = XFOPEN("./certs/test/smime-test.p7s", "rb")) != XBADFILE); /* smime-test.p7s */ @@ -78198,7 +80980,7 @@ static int test_wolfSSL_SMIME_read_PKCS7(void) pkcs7 = NULL; /* smime-test-multipart.p7s */ - smimeTestFile = XFOPEN("./certs/test/smime-test-multipart.p7s", "r"); + smimeTestFile = XFOPEN("./certs/test/smime-test-multipart.p7s", "rb"); ExpectFalse(smimeTestFile == XBADFILE); ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); @@ -78215,7 +80997,8 @@ static int test_wolfSSL_SMIME_read_PKCS7(void) pkcs7 = NULL; /* smime-test-multipart-badsig.p7s */ - smimeTestFile = XFOPEN("./certs/test/smime-test-multipart-badsig.p7s", "r"); + smimeTestFile = XFOPEN("./certs/test/smime-test-multipart-badsig.p7s", + "rb"); ExpectFalse(smimeTestFile == XBADFILE); ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); @@ -78232,7 +81015,7 @@ static int test_wolfSSL_SMIME_read_PKCS7(void) pkcs7 = NULL; /* smime-test-canon.p7s */ - smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "r"); + smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "rb"); ExpectFalse(smimeTestFile == XBADFILE); ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); @@ -78249,7 +81032,7 @@ static int test_wolfSSL_SMIME_read_PKCS7(void) pkcs7 = NULL; /* Test PKCS7_TEXT, PKCS7_verify() should remove Content-Type: text/plain */ - smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "r"); + smimeTestFile = XFOPEN("./certs/test/smime-test-canon.p7s", "rb"); ExpectFalse(smimeTestFile == XBADFILE); ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); @@ -78803,6 +81586,7 @@ static int test_tls13_apis(void) #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) int groups[2] = { WOLFSSL_ECC_SECP256R1, #ifdef WOLFSSL_HAVE_KYBER +#ifdef WOLFSSL_KYBER_ORIGINAL #ifndef WOLFSSL_NO_KYBER512 WOLFSSL_KYBER_LEVEL1 #elif !defined(WOLFSSL_NO_KYBER768) @@ -78810,6 +81594,15 @@ static int test_tls13_apis(void) #else WOLFSSL_KYBER_LEVEL5 #endif +#else + #ifndef WOLFSSL_NO_ML_KEM_512 + WOLFSSL_ML_KEM_512 + #elif !defined(WOLFSSL_NO_ML_KEM_768) + WOLFSSL_ML_KEM_768 + #else + WOLFSSL_ML_KEM_1024 + #endif +#endif #else WOLFSSL_ECC_SECP256R1 #endif @@ -78837,6 +81630,7 @@ static int test_tls13_apis(void) #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 "P-256:secp256r1" #if defined(WOLFSSL_HAVE_KYBER) +#ifdef WOLFSSL_KYBER_ORIGINAL #ifndef WOLFSSL_NO_KYBER512 ":P256_KYBER_LEVEL1" #elif !defined(WOLFSSL_NO_KYBER768) @@ -78844,10 +81638,20 @@ static int test_tls13_apis(void) #else ":P256_KYBER_LEVEL5" #endif +#else + #ifndef WOLFSSL_NO_KYBER512 + ":P256_ML_KEM_512" + #elif !defined(WOLFSSL_NO_KYBER768) + ":P256_ML_KEM_768" + #else + ":P256_ML_KEM_1024" + #endif +#endif #endif #endif #endif /* !defined(NO_ECC_SECP) */ #if defined(WOLFSSL_HAVE_KYBER) +#ifdef WOLFSSL_KYBER_ORIGINAL #ifndef WOLFSSL_NO_KYBER512 ":KYBER_LEVEL1" #elif !defined(WOLFSSL_NO_KYBER768) @@ -78855,6 +81659,15 @@ static int test_tls13_apis(void) #else ":KYBER_LEVEL5" #endif +#else + #ifndef WOLFSSL_NO_KYBER512 + ":ML_KEM_512" + #elif !defined(WOLFSSL_NO_KYBER768) + ":ML_KEM_768" + #else + ":ML_KEM_1024" + #endif +#endif #endif ""; #endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */ @@ -78990,12 +81803,22 @@ static int test_tls13_apis(void) #endif #if defined(WOLFSSL_HAVE_KYBER) +#ifndef WOLFSSL_NO_ML_KEM +#ifndef WOLFSSL_NO_ML_KEM_768 + kyberLevel = WOLFSSL_ML_KEM_768; +#elif !defined(WOLFSSL_NO_ML_KEM_1024) + kyberLevel = WOLFSSL_ML_KEM_1024; +#else + kyberLevel = WOLFSSL_ML_KEM_512; +#endif +#else #ifndef WOLFSSL_NO_KYBER768 kyberLevel = WOLFSSL_KYBER_LEVEL3; #elif !defined(WOLFSSL_NO_KYBER1024) kyberLevel = WOLFSSL_KYBER_LEVEL5; #else kyberLevel = WOLFSSL_KYBER_LEVEL1; +#endif #endif ExpectIntEQ(wolfSSL_UseKeyShare(NULL, kyberLevel), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); #ifndef NO_WOLFSSL_SERVER @@ -80134,6 +82957,7 @@ static int test_wolfSSL_X509_load_crl_file(void) "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM), 1); } + ExpectIntEQ(X509_load_crl_file(lookup, pem[0], 0), 0); for (i = 0; pem[i][0] != '\0'; i++) { ExpectIntEQ(X509_load_crl_file(lookup, pem[i], WOLFSSL_FILETYPE_PEM), 1); @@ -80147,7 +82971,7 @@ static int test_wolfSSL_X509_load_crl_file(void) #ifdef WC_RSA_PSS ExpectIntEQ(wolfSSL_CertManagerVerify(store->cm, "certs/rsapss/server-rsapss-cert.pem", WOLFSSL_FILETYPE_PEM), - WC_NO_ERR_TRACE(CRL_CERT_REVOKED)); + WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)); #endif } /* once feeing store */ @@ -80199,8 +83023,15 @@ static int test_wolfSSL_i2d_X509(void) const unsigned char* cert_buf = server_cert_der_2048; unsigned char* out = NULL; unsigned char* tmp = NULL; + const unsigned char* nullPtr = NULL; + const unsigned char notCert[2] = { 0x30, 0x00 }; + const unsigned char* notCertPtr = notCert; X509* cert = NULL; + ExpectNull(d2i_X509(NULL, NULL, sizeof_server_cert_der_2048)); + ExpectNull(d2i_X509(NULL, &nullPtr, sizeof_server_cert_der_2048)); + ExpectNull(d2i_X509(NULL, &cert_buf, 0)); + ExpectNull(d2i_X509(NULL, ¬CertPtr, sizeof(notCert))); ExpectNotNull(d2i_X509(&cert, &cert_buf, sizeof_server_cert_der_2048)); /* Pointer should be advanced */ ExpectPtrGT(cert_buf, server_cert_der_2048); @@ -80209,9 +83040,13 @@ static int test_wolfSSL_i2d_X509(void) tmp = out; ExpectIntGT(i2d_X509(cert, &tmp), 0); ExpectPtrGT(tmp, out); +#if defined(WOLFSSL_CERT_GEN) && !defined(NO_BIO) && !defined(NO_FILESYSTEM) + ExpectIntEQ(wolfSSL_PEM_write_X509(XBADFILE, NULL), 0); + ExpectIntEQ(wolfSSL_PEM_write_X509(XBADFILE, cert), 0); + ExpectIntEQ(wolfSSL_PEM_write_X509(stderr, cert), 1); +#endif - if (out != NULL) - XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); + XFREE(out, NULL, DYNAMIC_TYPE_OPENSSL); X509_free(cert); #endif return EXPECT_RESULT(); @@ -80266,10 +83101,13 @@ static int test_wolfSSL_d2i_X509_REQ(void) pub_key = NULL; } { + X509_REQ* empty = NULL; #ifdef OPENSSL_ALL X509_ATTRIBUTE* attr = NULL; ASN1_TYPE *at = NULL; #endif + + ExpectNotNull(empty = wolfSSL_X509_REQ_new()); ExpectNotNull(bio = BIO_new_file(csrPopFile, "rb")); ExpectNotNull(d2i_X509_REQ_bio(bio, &req)); @@ -80283,13 +83121,29 @@ static int test_wolfSSL_d2i_X509_REQ(void) */ ExpectIntEQ(X509_REQ_verify(req, pub_key), 1); + ExpectIntEQ(wolfSSL_X509_REQ_get_attr_count(NULL), 0); + ExpectIntEQ(wolfSSL_X509_REQ_get_attr_count(empty), 0); +#ifdef OPENSSL_ALL + ExpectIntEQ(wolfSSL_X509_REQ_get_attr_count(req), 2); +#else + ExpectIntEQ(wolfSSL_X509_REQ_get_attr_count(req), 0); +#endif #ifdef OPENSSL_ALL /* * Obtain the challenge password from the CSR */ + ExpectIntEQ(X509_REQ_get_attr_by_NID(NULL, NID_pkcs9_challengePassword, + -1), -1); ExpectIntEQ(X509_REQ_get_attr_by_NID(req, NID_pkcs9_challengePassword, -1), 1); + ExpectNull(X509_REQ_get_attr(NULL, 3)); + ExpectNull(X509_REQ_get_attr(req, 3)); + ExpectNull(X509_REQ_get_attr(NULL, 0)); + ExpectNull(X509_REQ_get_attr(empty, 0)); ExpectNotNull(attr = X509_REQ_get_attr(req, 1)); + ExpectNull(X509_ATTRIBUTE_get0_type(NULL, 1)); + ExpectNull(X509_ATTRIBUTE_get0_type(attr, 1)); + ExpectNull(X509_ATTRIBUTE_get0_type(NULL, 0)); ExpectNotNull(at = X509_ATTRIBUTE_get0_type(attr, 0)); ExpectNotNull(at->value.asn1_string); ExpectStrEQ((char*)ASN1_STRING_data(at->value.asn1_string), @@ -80303,6 +83157,7 @@ static int test_wolfSSL_d2i_X509_REQ(void) bio = NULL; EVP_PKEY_free(pub_key); pub_key = NULL; + wolfSSL_X509_REQ_free(empty); } { #ifdef OPENSSL_ALL @@ -80372,7 +83227,11 @@ static int test_wolfSSL_d2i_X509_REQ(void) /* Run the same test, but with a file pointer instead of a BIO. * (PEM_read_X509_REQ)*/ ExpectTrue((f = XFOPEN(csrDsaFile, "rb")) != XBADFILE); - ExpectNotNull(PEM_read_X509_REQ(f, &req, NULL, NULL)); + ExpectNull(PEM_read_X509_REQ(XBADFILE, &req, NULL, NULL)); + if (EXPECT_SUCCESS()) + ExpectNotNull(PEM_read_X509_REQ(f, &req, NULL, NULL)); + else if (f != XBADFILE) + XFCLOSE(f); ExpectIntEQ(X509_REQ_verify(req, pub_key), 1); X509_free(req); @@ -81999,6 +84858,7 @@ static int test_wolfSSL_PEM_X509_INFO_read_bio(void) BIO* bio = NULL; X509_INFO* info = NULL; STACK_OF(X509_INFO)* sk = NULL; + STACK_OF(X509_INFO)* sk2 = NULL; char* subject = NULL; char exp1[] = "/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/" "CN=www.wolfssl.com/emailAddress=info@wolfssl.com"; @@ -82011,6 +84871,7 @@ static int test_wolfSSL_PEM_X509_INFO_read_bio(void) ExpectIntEQ(sk_X509_INFO_num(sk), 2); /* using dereference to maintain testing for Apache port*/ + ExpectNull(sk_X509_INFO_pop(NULL)); ExpectNotNull(info = sk_X509_INFO_pop(sk)); ExpectNotNull(subject = X509_NAME_oneline(X509_get_subject_name(info->x509), 0, 0)); @@ -82030,7 +84891,42 @@ static int test_wolfSSL_PEM_X509_INFO_read_bio(void) ExpectNull(info = sk_X509_INFO_pop(sk)); sk_X509_INFO_pop_free(sk, X509_INFO_free); + sk = NULL; BIO_free(bio); + bio = NULL; + + ExpectNotNull(sk = wolfSSL_sk_X509_INFO_new_null()); + ExpectNotNull(bio = BIO_new(BIO_s_file())); + ExpectIntGT(BIO_read_filename(bio, svrCertFile), 0); + ExpectNotNull(sk2 = PEM_X509_INFO_read_bio(bio, sk, NULL, NULL)); + ExpectPtrEq(sk, sk2); + if (sk2 != sk) { + sk_X509_INFO_pop_free(sk, X509_INFO_free); + } + sk = NULL; + BIO_free(bio); + sk_X509_INFO_pop_free(sk2, X509_INFO_free); + + ExpectNotNull(sk = wolfSSL_sk_X509_INFO_new_null()); + sk_X509_INFO_free(sk); +#endif + return EXPECT_RESULT(); +} + +static int test_wolfSSL_PEM_X509_INFO_read(void) +{ + EXPECT_DECLS; +#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) + XFILE fp = XBADFILE; + STACK_OF(X509_INFO)* sk = NULL; + + ExpectTrue((fp = XFOPEN(svrCertFile, "rb")) != XBADFILE); + ExpectNull(wolfSSL_PEM_X509_INFO_read(XBADFILE, NULL, NULL, NULL)); + ExpectNotNull(sk = wolfSSL_PEM_X509_INFO_read(fp, NULL, NULL, NULL)); + + sk_X509_INFO_pop_free(sk, X509_INFO_free); + if (fp != XBADFILE) + XFCLOSE(fp); #endif return EXPECT_RESULT(); } @@ -82049,9 +84945,13 @@ static int test_wolfSSL_X509_NAME_ENTRY_get_object(void) ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, WOLFSSL_FILETYPE_PEM)); ExpectNotNull(name = X509_get_subject_name(x509)); + ExpectIntGE(X509_NAME_get_index_by_NID(NULL, NID_commonName, -1), + BAD_FUNC_ARG); ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1), 0); + ExpectIntGE(idx = X509_NAME_get_index_by_NID(name, NID_commonName, -2), 0); ExpectNotNull(ne = X509_NAME_get_entry(name, idx)); + ExpectNull(X509_NAME_ENTRY_get_object(NULL)); ExpectNotNull(object = X509_NAME_ENTRY_get_object(ne)); X509_free(x509); @@ -82222,6 +85122,10 @@ static int test_wolfSSL_X509_STORE_set_get_crl_ctx_ready2(WOLFSSL_CTX* ctx) test_wolfSSL_X509_STORE_set_get_crl_verify); ExpectNotNull(X509_STORE_get0_param(cert_store)); ExpectNotNull(param = X509_VERIFY_PARAM_new()); + ExpectIntEQ(X509_VERIFY_PARAM_inherit(NULL, NULL) , WOLFSSL_SUCCESS); + ExpectIntEQ(X509_VERIFY_PARAM_inherit(param, NULL) , WOLFSSL_SUCCESS); + ExpectIntEQ(X509_VERIFY_PARAM_inherit(param, + X509_STORE_get0_param(cert_store)), WOLFSSL_SUCCESS); ExpectIntEQ(X509_VERIFY_PARAM_inherit(param, X509_STORE_get0_param(cert_store)), 1); ExpectIntEQ(X509_VERIFY_PARAM_set_flags( @@ -82292,6 +85196,7 @@ static int test_wolfSSL_dup_CA_list(void) copyStack = SSL_dup_CA_list(originalStack); ExpectNotNull(copyStack); + ExpectIntEQ(sk_X509_NAME_num(NULL), BAD_FUNC_ARG); originalCount = sk_X509_NAME_num(originalStack); copyCount = sk_X509_NAME_num(copyStack); @@ -82302,6 +85207,24 @@ static int test_wolfSSL_dup_CA_list(void) originalStack = NULL; copyStack = NULL; + originalStack = sk_X509_NAME_new_null(); + ExpectNull(sk_X509_NAME_pop(NULL)); + ExpectNull(sk_X509_NAME_pop(originalStack)); + for (i = 0; i < 3; i++) { + name = X509_NAME_new(); + ExpectNotNull(name); + ExpectIntEQ(sk_X509_NAME_push(originalStack, name), i+1); + if (EXPECT_FAIL()) { + X509_NAME_free(name); + } + name = NULL; + } + ExpectNotNull(name = sk_X509_NAME_pop(originalStack)); + X509_NAME_free(name); + wolfSSL_sk_X509_NAME_set_cmp_func(NULL, NULL); + wolfSSL_sk_X509_NAME_set_cmp_func(originalStack, NULL); + wolfSSL_sk_X509_NAME_pop_free(originalStack, X509_NAME_free); + res = EXPECT_RESULT(); #endif /* OPENSSL_ALL */ return res; @@ -82402,8 +85325,8 @@ static int test_wolfSSL_X509_print(void) static int test_wolfSSL_X509_CRL_print(void) { EXPECT_DECLS; -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(HAVE_CRL)\ - && !defined(NO_FILESYSTEM) && defined(XSNPRINTF) +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(HAVE_CRL) && \ + !defined(NO_RSA) && !defined(NO_FILESYSTEM) && defined(XSNPRINTF) X509_CRL* crl = NULL; BIO *bio = NULL; XFILE fp = XBADFILE; @@ -83149,6 +86072,7 @@ static int test_wolfSSL_RSA_verify(void) ExpectNotNull(cert = PEM_read_X509(fp, 0, 0, 0 )); if (fp != XBADFILE) XFCLOSE(fp); + ExpectNull(X509_get_pubkey(NULL)); ExpectNotNull(evpPubkey = X509_get_pubkey(cert)); ExpectNotNull(pubKey = EVP_PKEY_get1_RSA(evpPubkey)); ExpectIntEQ(RSA_verify(NID_sha256, hash, SHA256_DIGEST_LENGTH, signature, @@ -85713,9 +88637,9 @@ static int test_wolfSSL_EC_POINT(void) ExpectIntEQ(ECPoint_i2d(group, Gxy, NULL, &blen), 1); ExpectIntEQ(blen, sizeof(binUncompG)); ExpectNotNull(buf = (unsigned char*)XMALLOC(blen, NULL, DYNAMIC_TYPE_ECC)); - blen -= 1; + blen--; ExpectIntEQ(ECPoint_i2d(group, Gxy, buf, &blen), 0); - blen += 1; + blen++; ExpectIntEQ(ECPoint_i2d(group, Gxy, buf, &blen), 1); ExpectIntEQ(XMEMCMP(buf, binUncompG, sizeof(binUncompG)), 0); XFREE(buf, NULL, DYNAMIC_TYPE_ECC); @@ -86994,46 +89918,130 @@ static int test_wolfSSL_CTX_LoadCRL(void) return EXPECT_RESULT(); } -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(HAVE_CRL) && \ - !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP) -static int test_multiple_crls_same_issuer_ctx_ready(WOLFSSL_CTX* ctx) -{ - EXPECT_DECLS; - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); - ExpectIntEQ(wolfSSL_CTX_LoadCRLFile(ctx, "./certs/crl/crl.pem", - WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); - return EXPECT_RESULT(); -} -#endif - -static int test_multiple_crls_same_issuer(void) -{ - EXPECT_DECLS; -#if defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && defined(HAVE_CRL) && \ - !defined(WOLFSSL_CRL_ALLOW_MISSING_CDP) - test_ssl_cbf client_cbs, server_cbs; - struct { - const char* server_cert; - const char* server_key; - } test_params[] = { - { "./certs/server-cert.pem", "./certs/server-key.pem" }, - { "./certs/server-revoked-cert.pem", "./certs/server-revoked-key.pem" } - }; - size_t i; +#if defined(HAVE_CRL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \ + defined(HAVE_CRL_UPDATE_CB) +int crlUpdateTestStatus = 0; +WOLFSSL_CERT_MANAGER* updateCrlTestCm = NULL; +static void updateCrlCb(CrlInfo* old, CrlInfo* cnew) +{ + const char* crl1 = "./certs/crl/crl.pem"; + const char* crlRevoked = "./certs/crl/crl.revoked"; + byte *crl1Buff = NULL; + word32 crl1Sz; + byte *crlRevBuff = NULL; + word32 crlRevSz; + WOLFSSL_CERT_MANAGER* cm = updateCrlTestCm; + XFILE f; + word32 sz; + CrlInfo crl1Info; + CrlInfo crlRevInfo; + + crlUpdateTestStatus = 0; + if (old == NULL || cnew == NULL) { + return; + } - for (i = 0; i < (sizeof(test_params)/sizeof(*test_params)); i++) { - XMEMSET(&client_cbs, 0, sizeof(client_cbs)); - XMEMSET(&server_cbs, 0, sizeof(server_cbs)); + AssertTrue((f = XFOPEN(crl1, "rb")) != XBADFILE); + AssertTrue(XFSEEK(f, 0, XSEEK_END) == 0); + AssertIntGE(sz = (size_t) XFTELL(f), 1); + AssertTrue(XFSEEK(f, 0, XSEEK_SET) == 0); + AssertTrue( \ + (crl1Buff = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)) != NULL); + AssertTrue(XFREAD(crl1Buff, 1, sz, f) == sz); + XFCLOSE(f); + crl1Sz = sz; + + AssertTrue((f = XFOPEN(crlRevoked, "rb")) != XBADFILE); + AssertTrue(XFSEEK(f, 0, XSEEK_END) == 0); + AssertIntGE(sz = (size_t) XFTELL(f), 1); + AssertTrue(XFSEEK(f, 0, XSEEK_SET) == 0); + AssertTrue( \ + (crlRevBuff = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)) != NULL); + AssertTrue(XFREAD(crlRevBuff, 1, sz, f) == sz); + XFCLOSE(f); + crlRevSz = sz; - server_cbs.certPemFile = test_params[i].server_cert; - server_cbs.keyPemFile = test_params[i].server_key; - client_cbs.crlPemFile = "./certs/crl/extra-crls/general-server-crl.pem"; + AssertIntEQ(wolfSSL_CertManagerGetCRLInfo( + cm, &crl1Info, crl1Buff, crl1Sz, WOLFSSL_FILETYPE_PEM), + WOLFSSL_SUCCESS); + AssertIntEQ(wolfSSL_CertManagerGetCRLInfo( + cm, &crlRevInfo, crlRevBuff, crlRevSz, WOLFSSL_FILETYPE_PEM), + WOLFSSL_SUCCESS); - client_cbs.ctx_ready = test_multiple_crls_same_issuer_ctx_ready; + /* Old entry being replaced should match crl1 */ + AssertIntEQ(crl1Info.issuerHashLen, old->issuerHashLen); + AssertIntEQ(crl1Info.lastDateMaxLen, old->lastDateMaxLen); + AssertIntEQ(crl1Info.lastDateFormat, old->lastDateFormat); + AssertIntEQ(crl1Info.nextDateMaxLen, old->nextDateMaxLen); + AssertIntEQ(crl1Info.nextDateFormat, old->nextDateFormat); + AssertIntEQ(crl1Info.crlNumber, old->crlNumber); + AssertIntEQ(XMEMCMP( + crl1Info.issuerHash, old->issuerHash, old->issuerHashLen), 0); + AssertIntEQ(XMEMCMP( + crl1Info.lastDate, old->lastDate, old->lastDateMaxLen), 0); + AssertIntEQ(XMEMCMP( + crl1Info.nextDate, old->nextDate, old->nextDateMaxLen), 0); + + /* Newer entry should match crl revoked */ + AssertIntEQ(crlRevInfo.issuerHashLen, cnew->issuerHashLen); + AssertIntEQ(crlRevInfo.lastDateMaxLen, cnew->lastDateMaxLen); + AssertIntEQ(crlRevInfo.lastDateFormat, cnew->lastDateFormat); + AssertIntEQ(crlRevInfo.nextDateMaxLen, cnew->nextDateMaxLen); + AssertIntEQ(crlRevInfo.nextDateFormat, cnew->nextDateFormat); + AssertIntEQ(crlRevInfo.crlNumber, cnew->crlNumber); + AssertIntEQ(XMEMCMP( + crlRevInfo.issuerHash, cnew->issuerHash, cnew->issuerHashLen), 0); + AssertIntEQ(XMEMCMP( + crlRevInfo.lastDate, cnew->lastDate, cnew->lastDateMaxLen), 0); + AssertIntEQ(XMEMCMP( + crlRevInfo.nextDate, cnew->nextDate, cnew->nextDateMaxLen), 0); + + XFREE(crl1Buff, NULL, DYNAMIC_TYPE_FILE); + XFREE(crlRevBuff, NULL, DYNAMIC_TYPE_FILE); + crlUpdateTestStatus = 1; +} +#endif + +static int test_wolfSSL_crl_update_cb(void) +{ + EXPECT_DECLS; +#if defined(HAVE_CRL) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \ + defined(HAVE_CRL_UPDATE_CB) + const char* crl1 = "./certs/crl/crl.pem"; + const char* crlRevoked = "./certs/crl/crl.revoked"; + const char* issuerCert = "./certs/client-cert.pem"; + const char* caCert = "./certs/ca-cert.pem"; + const char* goodCert = "./certs/server-cert.pem"; + const char* revokedCert = "./certs/server-revoked-cert.pem"; + int pemType = WOLFSSL_FILETYPE_PEM; + WOLFSSL_CERT_MANAGER* cm = NULL; - ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cbs, - &server_cbs, NULL), -1001); - } + updateCrlTestCm = wolfSSL_CertManagerNew(); + ExpectNotNull(updateCrlTestCm); + cm = updateCrlTestCm; + ExpectIntEQ(wolfSSL_CertManagerSetCRLUpdate_Cb(cm, updateCrlCb), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, caCert, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCA(cm, issuerCert, NULL), + WOLFSSL_SUCCESS); + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crl1, pemType), + WOLFSSL_SUCCESS); + /* CRL1 does not have good cert revoked */ + ExpectIntEQ(wolfSSL_CertManagerVerify(cm, goodCert, pemType), + WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerify(cm, revokedCert, pemType), + WOLFSSL_SUCCESS); + /* Load newer CRL from same issuer, callback verifies CRL entry details */ + ExpectIntEQ(wolfSSL_CertManagerLoadCRLFile(cm, crlRevoked, pemType), + WOLFSSL_SUCCESS); + /* CRL callback verified entry info was as expected */ + ExpectIntEQ(crlUpdateTestStatus, 1); + /* Ensure that both certs fail with newer CRL */ + ExpectIntNE(wolfSSL_CertManagerVerify(cm, goodCert, pemType), + WOLFSSL_SUCCESS); + ExpectIntNE(wolfSSL_CertManagerVerify(cm, revokedCert, pemType), + WOLFSSL_SUCCESS); #endif return EXPECT_RESULT(); } @@ -87250,7 +90258,8 @@ static int test_wolfSSL_dtls_plaintext(void) return TEST_RES_CHECK(1); } #else -static int test_wolfSSL_dtls_plaintext(void) { +static int test_wolfSSL_dtls_plaintext(void) +{ return TEST_SKIPPED; } #endif @@ -87562,13 +90571,16 @@ static int test_wolfSSL_dtls_bad_record(void) } #else -static int test_wolfSSL_dtls_fragments(void) { +static int test_wolfSSL_dtls_fragments(void) +{ return TEST_SKIPPED; } -static int test_wolfSSL_ignore_alert_before_cookie(void) { +static int test_wolfSSL_ignore_alert_before_cookie(void) +{ return TEST_SKIPPED; } -static int test_wolfSSL_dtls_bad_record(void) { +static int test_wolfSSL_dtls_bad_record(void) +{ return TEST_SKIPPED; } #endif @@ -89151,7 +92163,7 @@ static int test_CONF_CTX_FILE(void) static int test_wolfSSL_CRYPTO_get_ex_new_index(void) { EXPECT_DECLS; -#ifdef HAVE_EX_DATA +#ifdef HAVE_EX_DATA_CRYPTO int idx1, idx2; /* test for unsupported class index */ @@ -89216,15 +92228,11 @@ static int test_wolfSSL_CRYPTO_get_ex_new_index(void) ExpectIntNE(idx1, -1); ExpectIntNE(idx2, -1); ExpectIntNE(idx1, idx2); -#endif /* HAVE_EX_DATA */ +#endif /* HAVE_EX_DATA_CRYPTO */ return EXPECT_RESULT(); } -#if defined(HAVE_EX_DATA) && defined(HAVE_EXT_CACHE) && \ - (defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \ - (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB)))) +#if defined(HAVE_EX_DATA_CRYPTO) && defined(OPENSSL_EXTRA) #define SESSION_NEW_IDX_LONG 0xDEADBEEF #define SESSION_NEW_IDX_VAL ((void*)0xAEADAEAD) @@ -89394,9 +92402,9 @@ static int error_test(void) { -15, -17 }, { -19, -19 }, { -26, -27 }, - { -30, WC_FIRST_E+1 }, + { -30, WC_SPAN1_FIRST_E + 1 }, #else - { -9, WC_FIRST_E+1 }, + { -9, WC_SPAN1_FIRST_E + 1 }, #endif { -124, -124 }, { -166, -169 }, @@ -89407,14 +92415,15 @@ static int error_test(void) { -358, -358 }, { -384, -384 }, { -466, -499 }, - { WOLFSSL_LAST_E-1, WOLFSSL_LAST_E-1 } + { WOLFSSL_LAST_E - 1, WC_SPAN2_FIRST_E + 1 }, + { WC_SPAN2_LAST_E - 1, MIN_CODE_E } }; /* Check that all errors have a string and it's the same through the two * APIs. Check that the values that are not errors map to the unknown * string. */ - for (i = 0; i >= WOLFSSL_LAST_E-1; i--) { + for (i = 0; i >= MIN_CODE_E; i--) { int this_missing = 0; for (j = 0; j < (int)XELEM_CNT(missing); ++j) { if ((i <= missing[j].first) && (i >= missing[j].last)) { @@ -89476,8 +92485,7 @@ static int test_wolfSSL_ERR_strings(void) ExpectNotNull(err = wolfSSL_ERR_func_error_string(WC_NO_ERR_TRACE((word32)UNSUPPORTED_SUITE))); ExpectIntEQ((*err == '\0'), 1); - /* The value -MIN_CODE_E+2 is PEM_R_PROBLEMS_GETTING_PASSWORD. */ - ExpectNotNull(err = wolfSSL_ERR_lib_error_string(-MIN_CODE_E+2)); + ExpectNotNull(err = wolfSSL_ERR_lib_error_string(-WOLFSSL_PEM_R_PROBLEMS_GETTING_PASSWORD_E)); ExpectIntEQ((*err == '\0'), 1); #endif #endif @@ -95040,7 +98048,11 @@ static int test_dtls13_frag_ch_pq(void) const char *test_str = "test"; int test_str_size; byte buf[255]; +#ifdef WOLFSSL_KYBER_ORIGINAL int group = WOLFSSL_KYBER_LEVEL5; +#else + int group = WOLFSSL_ML_KEM_1024; +#endif XMEMSET(&test_ctx, 0, sizeof(test_ctx)); ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, @@ -95050,8 +98062,13 @@ static int test_dtls13_frag_ch_pq(void) ExpectIntEQ(wolfSSL_UseKeyShare(ssl_c, group), WOLFSSL_SUCCESS); ExpectIntEQ(wolfSSL_dtls13_allow_ch_frag(ssl_s, 1), WOLFSSL_SUCCESS); ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0); +#ifdef WOLFSSL_KYBER_ORIGINAL ExpectStrEQ(wolfSSL_get_curve_name(ssl_c), "KYBER_LEVEL5"); ExpectStrEQ(wolfSSL_get_curve_name(ssl_s), "KYBER_LEVEL5"); +#else + ExpectStrEQ(wolfSSL_get_curve_name(ssl_c), "ML_KEM_1024"); + ExpectStrEQ(wolfSSL_get_curve_name(ssl_s), "ML_KEM_1024"); +#endif test_str_size = XSTRLEN("test") + 1; ExpectIntEQ(wolfSSL_write(ssl_c, test_str, test_str_size), test_str_size); ExpectIntEQ(wolfSSL_read(ssl_s, buf, sizeof(buf)), test_str_size); @@ -95849,17 +98866,208 @@ static int test_dtls13_basic_connection_id(void) return EXPECT_RESULT(); } +static int test_dtls12_missing_finished(void) +{ + EXPECT_DECLS; +#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS) + WOLFSSL_CTX *ctx_c = NULL; + WOLFSSL_CTX *ctx_s = NULL; + WOLFSSL *ssl_c = NULL; + WOLFSSL *ssl_s = NULL; + struct test_memio_ctx test_ctx; + const char test_str[] = "test string"; + char test_buf[sizeof(test_str)]; + + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, + wolfDTLSv1_2_client_method, wolfDTLSv1_2_server_method), 0); + + /* CH1 */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* HVR */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); + /* CH2 */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* Server first flight */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); + /* Client second flight with finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* Server second flight with finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), 1); + /* Let's clear the output */ + test_ctx.c_len = 0; + /* Let's send some app data */ + ExpectIntEQ(wolfSSL_write(ssl_s, test_str, sizeof(test_str)), + sizeof(test_str)); + /* Client should not error out on a missing finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* Server rtx second flight with finished */ + ExpectIntEQ(wolfSSL_dtls_got_timeout(ssl_s), 1); + /* Client process rest of handshake */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), 1); + + /* Let's send some app data */ + ExpectIntEQ(wolfSSL_write(ssl_s, test_str, sizeof(test_str)), + sizeof(test_str)); + ExpectIntEQ(wolfSSL_read(ssl_c, test_buf, sizeof(test_buf)), + sizeof(test_str)); + ExpectBufEQ(test_buf, test_str, sizeof(test_str)); + + wolfSSL_free(ssl_c); + wolfSSL_free(ssl_s); + wolfSSL_CTX_free(ctx_c); + wolfSSL_CTX_free(ctx_s); +#endif + return EXPECT_RESULT(); +} + +static int test_dtls13_missing_finished_client(void) +{ + EXPECT_DECLS; +#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS13) + WOLFSSL_CTX *ctx_c = NULL; + WOLFSSL_CTX *ctx_s = NULL; + WOLFSSL *ssl_c = NULL; + WOLFSSL *ssl_s = NULL; + struct test_memio_ctx test_ctx; + const char test_str[] = "test string"; + char test_buf[sizeof(test_str)]; + + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, + wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method), 0); + + /* CH1 */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* HRR */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); + /* CH2 */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* Server first flight with finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); + /* Let's clear the output */ + test_ctx.c_len = 0; + /* Let's send some app data */ + ExpectIntEQ(wolfSSL_write(ssl_s, test_str, sizeof(test_str)), + sizeof(test_str)); + /* Client second flight with finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* Server should not error out on a missing finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); + /* Client rtx second flight with finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* Server */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), 1); + /* Client */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), 1); + /* Let's send some app data */ + ExpectIntEQ(wolfSSL_write(ssl_s, test_str, sizeof(test_str)), + sizeof(test_str)); + ExpectIntEQ(wolfSSL_read(ssl_c, test_buf, sizeof(test_buf)), + sizeof(test_str)); + ExpectBufEQ(test_buf, test_str, sizeof(test_str)); + + wolfSSL_free(ssl_c); + wolfSSL_free(ssl_s); + wolfSSL_CTX_free(ctx_c); + wolfSSL_CTX_free(ctx_s); +#endif + return EXPECT_RESULT(); +} + +static int test_dtls13_missing_finished_server(void) +{ + EXPECT_DECLS; +#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && defined(WOLFSSL_DTLS13) + WOLFSSL_CTX *ctx_c = NULL; + WOLFSSL_CTX *ctx_s = NULL; + WOLFSSL *ssl_c = NULL; + WOLFSSL *ssl_s = NULL; + struct test_memio_ctx test_ctx; + const char test_str[] = "test string"; + char test_buf[sizeof(test_str)]; + + XMEMSET(&test_ctx, 0, sizeof(test_ctx)); + ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c, &ssl_s, + wolfDTLSv1_3_client_method, wolfDTLSv1_3_server_method), 0); + + /* CH1 */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* HRR */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); + /* CH2 */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* Server first flight with finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); + /* Client second flight with finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* Let's clear the output */ + test_ctx.s_len = 0; + /* We should signal that the handshake is done */ + ExpectTrue(wolfSSL_is_init_finished(ssl_c)); + /* Let's send some app data */ + ExpectIntEQ(wolfSSL_write(ssl_c, test_str, sizeof(test_str)), + sizeof(test_str)); + /* Server should not error out on a missing finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); + /* Client rtx second flight with finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_c), -1); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); + /* Server first flight with finished */ + ExpectIntEQ(wolfSSL_negotiate(ssl_s), 1); + /* Let's send some app data */ + ExpectIntEQ(wolfSSL_write(ssl_c, test_str, sizeof(test_str)), + sizeof(test_str)); + ExpectIntEQ(wolfSSL_read(ssl_s, test_buf, sizeof(test_buf)), + sizeof(test_str)); + ExpectBufEQ(test_buf, test_str, sizeof(test_str)); + + wolfSSL_free(ssl_c); + wolfSSL_free(ssl_s); + wolfSSL_CTX_free(ctx_c); + wolfSSL_CTX_free(ctx_s); +#endif + return EXPECT_RESULT(); +} + #if defined(HAVE_IO_TESTS_DEPENDENCIES) && defined(WOLFSSL_TLS13) && \ defined(HAVE_LIBOQS) static void test_tls13_pq_groups_ctx_ready(WOLFSSL_CTX* ctx) { +#ifdef WOLFSSL_KYBER_ORIGINAL int group = WOLFSSL_KYBER_LEVEL5; +#else + int group = WOLFSSL_ML_KEM_1024; +#endif AssertIntEQ(wolfSSL_CTX_set_groups(ctx, &group, 1), WOLFSSL_SUCCESS); } static void test_tls13_pq_groups_on_result(WOLFSSL* ssl) { +#ifdef WOLFSSL_KYBER_ORIGINAL AssertStrEQ(wolfSSL_get_curve_name(ssl), "KYBER_LEVEL5"); +#else + AssertStrEQ(wolfSSL_get_curve_name(ssl), "ML_KEM_1024"); +#endif } #endif @@ -96915,6 +100123,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfCrypt_Init), TEST_DECL(test_wc_LoadStaticMemory_ex), + TEST_DECL(test_wc_LoadStaticMemory_CTX), /* Locking with Compat Mutex */ TEST_DECL(test_wc_SetMutexCb), @@ -97384,6 +100593,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_lhash), TEST_DECL(test_wolfSSL_certs), + TEST_DECL(test_wolfSSL_X509_ext_d2i), TEST_DECL(test_wolfSSL_private_keys), TEST_DECL(test_wolfSSL_PEM_def_callback), @@ -97559,9 +100769,13 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_TBS), TEST_DECL(test_wolfSSL_X509_STORE_CTX), + TEST_DECL(test_wolfSSL_X509_STORE_CTX_ex), TEST_DECL(test_X509_STORE_untrusted), +#if defined(OPENSSL_ALL) + TEST_DECL(test_X509_STORE_InvalidCa), +#endif TEST_DECL(test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup), - TEST_DECL(test_wolfSSL_X509_STORE_CTX_get0_current_issuer), + TEST_DECL(test_wolfSSL_X509_STORE_CTX_get_issuer), TEST_DECL(test_wolfSSL_X509_STORE_set_flags), TEST_DECL(test_wolfSSL_X509_LOOKUP_load_file), TEST_DECL(test_wolfSSL_X509_Name_canon), @@ -97612,9 +100826,11 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_X509_set_notBefore), TEST_DECL(test_wolfSSL_X509_set_version), TEST_DECL(test_wolfSSL_X509_get_serialNumber), + TEST_DECL(test_wolfSSL_X509_ext_get_critical_by_NID), + TEST_DECL(test_wolfSSL_X509_CRL_distribution_points), + TEST_DECL(test_wolfSSL_X509_SEP), TEST_DECL(test_wolfSSL_X509_CRL), TEST_DECL(test_wolfSSL_i2d_X509), - TEST_DECL(test_wolfSSL_d2i_X509_REQ), TEST_DECL(test_wolfSSL_PEM_read_X509), TEST_DECL(test_wolfSSL_X509_check_ca), TEST_DECL(test_wolfSSL_X509_check_ip_asc), @@ -97630,16 +100846,19 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_X509_ACERT_verify), TEST_DECL(test_wolfSSL_X509_ACERT_misc_api), TEST_DECL(test_wolfSSL_X509_ACERT_buffer), + TEST_DECL(test_wolfSSL_X509_ACERT_new_and_sign), TEST_DECL(test_wolfSSL_X509_ACERT_asn), #ifndef NO_BIO TEST_DECL(test_wolfSSL_X509_INFO_multiple_info), TEST_DECL(test_wolfSSL_X509_INFO), TEST_DECL(test_wolfSSL_PEM_X509_INFO_read_bio), + TEST_DECL(test_wolfSSL_PEM_X509_INFO_read), #endif #ifdef OPENSSL_ALL TEST_DECL(test_wolfSSL_X509_PUBKEY_get), + TEST_DECL(test_wolfSSL_X509_set_pubkey), #endif TEST_DECL(test_wolfSSL_X509_CA_num), @@ -97656,13 +100875,21 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_X509_get_ext_by_NID), TEST_DECL(test_wolfSSL_X509_get_ext_subj_alt_name), TEST_DECL(test_wolfSSL_X509_get_ext_count), + TEST_DECL(test_wolfSSL_X509_set_ext), + TEST_DECL(test_wolfSSL_X509_add_ext), TEST_DECL(test_wolfSSL_X509_EXTENSION_new), + TEST_DECL(test_wolfSSL_X509_EXTENSION_dup), TEST_DECL(test_wolfSSL_X509_EXTENSION_get_object), TEST_DECL(test_wolfSSL_X509_EXTENSION_get_data), TEST_DECL(test_wolfSSL_X509_EXTENSION_get_critical), + TEST_DECL(test_wolfSSL_X509_EXTENSION_create_by_OBJ), + TEST_DECL(test_wolfSSL_X509V3_set_ctx), TEST_DECL(test_wolfSSL_X509V3_EXT_get), TEST_DECL(test_wolfSSL_X509V3_EXT_nconf), TEST_DECL(test_wolfSSL_X509V3_EXT), + TEST_DECL(test_wolfSSL_X509V3_EXT_bc), + TEST_DECL(test_wolfSSL_X509V3_EXT_san), + TEST_DECL(test_wolfSSL_X509V3_EXT_aia), TEST_DECL(test_wolfSSL_X509V3_EXT_print), TEST_DECL(test_wolfSSL_X509_cmp), @@ -97675,7 +100902,9 @@ TEST_CASE testCases[] = { TEST_DECL(test_sk_X509_CRL), /* OpenSSL X509 REQ API test */ + TEST_DECL(test_wolfSSL_d2i_X509_REQ), TEST_DECL(test_X509_REQ), + TEST_DECL(test_wolfSSL_X509_REQ_print), /* OpenSSL compatibility outside SSL context w/ CRL lookup directory */ TEST_DECL(test_X509_STORE_No_SSL_CTX), @@ -98041,7 +101270,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_use_certificate_chain_file), TEST_DECL(test_wolfSSL_CTX_trust_peer_cert), TEST_DECL(test_wolfSSL_CTX_LoadCRL), - TEST_DECL(test_multiple_crls_same_issuer), + TEST_DECL(test_wolfSSL_crl_update_cb), TEST_DECL(test_wolfSSL_CTX_SetTmpDH_file), TEST_DECL(test_wolfSSL_CTX_SetTmpDH_buffer), TEST_DECL(test_wolfSSL_CTX_SetMinMaxDhKey_Sz), @@ -98255,6 +101484,9 @@ TEST_CASE testCases[] = { TEST_DECL(test_dtls_old_seq_number), TEST_DECL(test_dtls12_basic_connection_id), TEST_DECL(test_dtls13_basic_connection_id), + TEST_DECL(test_dtls12_missing_finished), + TEST_DECL(test_dtls13_missing_finished_client), + TEST_DECL(test_dtls13_missing_finished_server), TEST_DECL(test_tls13_pq_groups), TEST_DECL(test_tls13_early_data), TEST_DECL(test_tls_multi_handshakes_one_record), diff --git a/tests/hash.c b/tests/hash.c index 1ebbc61998..75c8011aae 100644 --- a/tests/hash.c +++ b/tests/hash.c @@ -20,11 +20,7 @@ */ -#ifdef HAVE_CONFIG_H - #include -#endif - -#include +#include #include @@ -36,8 +32,6 @@ #include #include -#include - typedef struct testVector { const char* input; const char* output; diff --git a/tests/quic.c b/tests/quic.c index 77533c87a5..c58625db48 100644 --- a/tests/quic.c +++ b/tests/quic.c @@ -19,11 +19,12 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ - #ifdef HAVE_CONFIG_H #include #endif - +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif #include #include @@ -41,6 +42,11 @@ #include #include +#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_AES_256) + #define DEFAULT_TLS_DIGEST_SZ WC_SHA384_DIGEST_SIZE +#else + #define DEFAULT_TLS_DIGEST_SZ WC_SHA256_DIGEST_SIZE +#endif #define testingFmt " %s:" #define resultFmt " %s\n" @@ -1126,13 +1132,16 @@ static int test_quic_server_hello(int verbose) { QuicConversation_step(&conv, 0); /* check established/missing secrets */ check_secrets(&tserver, wolfssl_encryption_initial, 0, 0); - check_secrets(&tserver, wolfssl_encryption_handshake, 32, 32); - check_secrets(&tserver, wolfssl_encryption_application, 32, 32); + check_secrets(&tserver, wolfssl_encryption_handshake, + DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ); + check_secrets(&tserver, wolfssl_encryption_application, + DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ); check_secrets(&tclient, wolfssl_encryption_handshake, 0, 0); /* feed the server data to the client */ QuicConversation_step(&conv, 0); /* client has generated handshake secret */ - check_secrets(&tclient, wolfssl_encryption_handshake, 32, 32); + check_secrets(&tclient, wolfssl_encryption_handshake, + DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ); /* continue the handshake till done */ conv.started = 1; /* run till end */ @@ -1155,8 +1164,10 @@ static int test_quic_server_hello(int verbose) { /* the last client write (FINISHED) was at handshake level */ AssertTrue(tclient.output.level == wolfssl_encryption_handshake); /* we have the app secrets */ - check_secrets(&tclient, wolfssl_encryption_application, 32, 32); - check_secrets(&tserver, wolfssl_encryption_application, 32, 32); + check_secrets(&tclient, wolfssl_encryption_application, + DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ); + check_secrets(&tserver, wolfssl_encryption_application, + DEFAULT_TLS_DIGEST_SZ, DEFAULT_TLS_DIGEST_SZ); /* verify client and server have the same secrets established */ assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_handshake); assert_secrets_EQ(&tclient, &tserver, wolfssl_encryption_application); diff --git a/tests/suites.c b/tests/suites.c index 7328789f46..9155cc5552 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -20,11 +20,7 @@ */ -#ifdef HAVE_CONFIG_H - #include -#endif - -#include +#include #ifdef NO_INLINE #include @@ -37,7 +33,7 @@ #include #include #include -#include + #if defined(HAVE_ECC) && defined(FP_ECC) && defined(HAVE_THREAD_LS) \ && (defined(NO_MAIN_DRIVER) || defined(HAVE_STACK_SIZE)) #include @@ -184,6 +180,28 @@ static int IsKyberLevelAvailable(const char* line) begin += 6; end = XSTRSTR(begin, " "); + #ifndef WOLFSSL_NO_ML_KEM + if ((size_t)end - (size_t)begin == 10) { + #ifndef WOLFSSL_NO_ML_KEM_512 + if (XSTRNCMP(begin, "ML_KEM_512", 10) == 0) { + available = 1; + } + #endif + #ifndef WOLFSSL_NO_ML_KEM_768 + if (XSTRNCMP(begin, "ML_KEM_768", 10) == 0) { + available = 1; + } + #endif + } + #ifndef WOLFSSL_NO_ML_KEM_1024 + if ((size_t)end - (size_t)begin == 11) { + if (XSTRNCMP(begin, "ML_KEM_1024", 11) == 0) { + available = 1; + } + } + #endif + #endif + #ifdef WOLFSSL_KYBER_ORIGINAL if ((size_t)end - (size_t)begin == 12) { #ifndef WOLFSSL_NO_KYBER512 if (XSTRNCMP(begin, "KYBER_LEVEL1", 12) == 0) { @@ -201,6 +219,7 @@ static int IsKyberLevelAvailable(const char* line) } #endif } + #endif } return (begin == NULL) || available; diff --git a/tests/test-dtls13-pq-2.conf b/tests/test-dtls13-pq-2.conf index 6a4bfac084..bd5e32697d 100644 --- a/tests/test-dtls13-pq-2.conf +++ b/tests/test-dtls13-pq-2.conf @@ -1,3 +1,17 @@ +# server DTLSv1.3 with post-quantum group +-u +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P256_ML_KEM_512 + +# client DTLSv1.3 with post-quantum group +-u +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P256_ML_KEM_512 + +# P384_ML_KEM_768 and P521_ML_KEM_1024 would fragment the ClientHello. + # server DTLSv1.3 with post-quantum group -u -v 4 diff --git a/tests/test-dtls13-pq.conf b/tests/test-dtls13-pq.conf index c84ab819dd..37abf2c77a 100644 --- a/tests/test-dtls13-pq.conf +++ b/tests/test-dtls13-pq.conf @@ -2,12 +2,26 @@ -u -v 4 -l TLS13-AES256-GCM-SHA384 ---pqc KYBER_LEVEL1 +--pqc ML_KEM_512 # client DTLSv1.3 with post-quantum group -u -v 4 -l TLS13-AES256-GCM-SHA384 ---pqc KYBER_LEVEL1 +--pqc ML_KEM_512 + +# ML_KEM_768 and ML_KEM_1024 would fragment the ClientHello. + +# server DTLSv1.3 with post-quantum group +-u +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_512 + +# client DTLSv1.3 with post-quantum group +-u +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_512 # KYBER_LEVEL3 and KYBER_LEVEL5 would fragment the ClientHello. diff --git a/tests/test-tls13-pq-2.conf b/tests/test-tls13-pq-2.conf index ff09d72a71..26f5f525d8 100644 --- a/tests/test-tls13-pq-2.conf +++ b/tests/test-tls13-pq-2.conf @@ -1,3 +1,33 @@ +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P256_ML_KEM_512 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P256_ML_KEM_512 + +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P384_ML_KEM_768 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P384_ML_KEM_768 + +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P521_ML_KEM1024 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc P521_ML_KEM1024 + # server TLSv1.3 with post-quantum group -v 4 -l TLS13-AES256-GCM-SHA384 diff --git a/tests/test-tls13-pq.conf b/tests/test-tls13-pq.conf index 9d2b218deb..ac8164e995 100644 --- a/tests/test-tls13-pq.conf +++ b/tests/test-tls13-pq.conf @@ -1,3 +1,33 @@ +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_512 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_512 + +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_768 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_768 + +# server TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_1024 + +# client TLSv1.3 with post-quantum group +-v 4 +-l TLS13-AES256-GCM-SHA384 +--pqc ML_KEM_1024 + # server TLSv1.3 with post-quantum group -v 4 -l TLS13-AES256-GCM-SHA384 diff --git a/tests/unit.c b/tests/unit.c index 870be9875c..2028768d5b 100644 --- a/tests/unit.c +++ b/tests/unit.c @@ -22,15 +22,11 @@ /* Name change compatibility layer no longer need to be included here */ -#ifdef HAVE_CONFIG_H - #include -#endif +#include -#include #include #include -#include #include diff --git a/tests/unit.h b/tests/unit.h index 87e80ce847..f07549ea7f 100644 --- a/tests/unit.h +++ b/tests/unit.h @@ -23,6 +23,18 @@ #ifndef TESTS_UNIT_H #define TESTS_UNIT_H +#ifdef HAVE_CONFIG_H + #include +#endif + +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif +#include + +#undef TEST_OPENSSL_COEXIST /* can't use this option with unit tests */ +#undef OPENSSL_COEXIST /* can't use this option with unit tests */ + #include #include /* thread and tcp stuff */ @@ -146,6 +158,12 @@ #define EXPECT_FAIL() \ (! EXPECT_SUCCESS()) +#define EXPECT_TEST(ret) do { \ + if (EXPECT_SUCCESS()) { \ + _ret = (ret); \ + } \ +} while (0) + #define ExpFail(description, result) do { \ if ((_ret == TEST_SUCCESS_NO_MSGS) || (_ret == TEST_SKIPPED_NO_MSGS)) \ _ret = _fail_codepoint_id; \ diff --git a/tests/w64wrapper.c b/tests/w64wrapper.c index ffaa57cad8..caf50f0011 100644 --- a/tests/w64wrapper.c +++ b/tests/w64wrapper.c @@ -18,11 +18,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ -#ifdef HAVE_CONFIG_H - #include -#endif -#include #include #ifdef WOLFSSL_W64_WRAPPER diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 3e0986e155..186a4f9e50 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -25,6 +25,13 @@ #endif #include +#ifndef WOLFSSL_USER_SETTINGS + #include +#endif + +#undef TEST_OPENSSL_COEXIST /* can't use this option with this example */ +#undef OPENSSL_COEXIST /* can't use this option with this example */ + #include #include diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 2cab9c8fff..ba1df31670 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -476,6 +476,7 @@ #endif #elif defined(WOLFSSL_ZEPHYR) #include + #include #define BENCH_EMBEDDED #define printf printfk static int printfk(const char *fmt, ...) @@ -1991,6 +1992,11 @@ static const char* bench_result_words2[][5] = { #endif + +#if defined(WOLFSSL_DEVCRYPTO) && defined(WOLFSSL_AUTHSZ_BENCH) + #warning Large/Unalligned AuthSz could result in errors with /dev/crypto +#endif + /* use kB instead of mB for embedded benchmarking */ #ifdef BENCH_EMBEDDED #ifndef BENCH_NTIMES @@ -2483,7 +2489,7 @@ static void bench_multi_value_stats(double max, double min, double sum, #endif /* countSz is number of bytes that 1 count represents. Normally bench_size, - * except for AES direct that operates on AES_BLOCK_SIZE blocks */ + * except for AES direct that operates on WC_AES_BLOCK_SIZE blocks */ static void bench_stats_sym_finish(const char* desc, int useDeviceID, int count, word32 countSz, double start, int ret) @@ -3066,8 +3072,8 @@ static void* benchmarks_do(void* args) bench_buf_size += 16 - (bench_buf_size % 16); #ifdef WOLFSSL_AFALG_XILINX_AES - bench_plain = (byte*)aligned_alloc(64, (size_t)bench_buf_size + 16); - bench_cipher = (byte*)aligned_alloc(64, (size_t)bench_buf_size + 16); + bench_plain = (byte*)aligned_alloc(64, (size_t)bench_buf_size + 16); /* native heap */ + bench_cipher = (byte*)aligned_alloc(64, (size_t)bench_buf_size + 16); /* native heap */ #else bench_plain = (byte*)XMALLOC((size_t)bench_buf_size + 16, HEAP_HINT, DYNAMIC_TYPE_WOLF_BIGINT); @@ -3651,6 +3657,24 @@ static void* benchmarks_do(void* args) #ifdef WOLFSSL_HAVE_KYBER if (bench_all || (bench_pq_asym_algs & BENCH_KYBER)) { +#ifndef WOLFSSL_NO_ML_KEM + #ifdef WOLFSSL_KYBER512 + if (bench_all || (bench_pq_asym_algs & BENCH_KYBER512)) { + bench_kyber(WC_ML_KEM_512); + } + #endif + #ifdef WOLFSSL_KYBER768 + if (bench_all || (bench_pq_asym_algs & BENCH_KYBER768)) { + bench_kyber(WC_ML_KEM_768); + } + #endif + #ifdef WOLFSSL_KYBER1024 + if (bench_all || (bench_pq_asym_algs & BENCH_KYBER1024)) { + bench_kyber(WC_ML_KEM_1024); + } + #endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 if (bench_all || (bench_pq_asym_algs & BENCH_KYBER512)) { bench_kyber(KYBER512); @@ -3666,6 +3690,7 @@ static void* benchmarks_do(void* args) bench_kyber(KYBER1024); } #endif +#endif } #endif @@ -4778,6 +4803,14 @@ void bench_gmac(int useDeviceID) const char* gmacStr = "GMAC Default"; #endif +/* Implementations of /Dev/Crypto will error out if the size of Auth in is */ +/* greater than the system's page size */ +#if defined(WOLFSSL_DEVCRYPTO) && defined(WOLFSSL_AUTHSZ_BENCH) + bench_size = WOLFSSL_AUTHSZ_BENCH; +#elif defined(WOLFSSL_DEVCRYPTO) + bench_size = sysconf(_SC_PAGESIZE); +#endif + /* init keys */ XMEMSET(bench_plain, 0, bench_size); XMEMSET(tag, 0, sizeof(tag)); @@ -4808,7 +4841,13 @@ void bench_gmac(int useDeviceID) #ifdef MULTI_VALUE_STATISTICS bench_multi_value_stats(max, min, sum, squareSum, runs); #endif - +#if defined(WOLFSSL_DEVCRYPTO) + if (ret != 0 && (bench_size > sysconf(_SC_PAGESIZE))) { + printf("authIn Buffer Size[%d] greater than System Page Size[%ld]\n", + bench_size, sysconf(_SC_PAGESIZE)); + } + bench_size = BENCH_SIZE; +#endif } #endif /* HAVE_AESGCM */ @@ -4825,7 +4864,7 @@ static void bench_aesecb_internal(int useDeviceID, double start; DECLARE_MULTI_VALUE_STATS_VARS() #ifdef HAVE_FIPS - const word32 benchSz = AES_BLOCK_SIZE; + const word32 benchSz = WC_AES_BLOCK_SIZE; #else const word32 benchSz = bench_size; #endif @@ -5352,9 +5391,9 @@ static void bench_aessiv_internal(const byte* key, word32 keySz, const char* { int i; int ret = 0; - byte assoc[AES_BLOCK_SIZE]; - byte nonce[AES_BLOCK_SIZE]; - byte siv[AES_BLOCK_SIZE]; + byte assoc[WC_AES_BLOCK_SIZE]; + byte nonce[WC_AES_BLOCK_SIZE]; + byte siv[WC_AES_BLOCK_SIZE]; int count = 0; double start; DECLARE_MULTI_VALUE_STATS_VARS() @@ -5362,8 +5401,8 @@ static void bench_aessiv_internal(const byte* key, word32 keySz, const char* bench_stats_start(&count, &start); do { for (i = 0; i < numBlocks; i++) { - ret = wc_AesSivEncrypt(key, keySz, assoc, AES_BLOCK_SIZE, nonce, - AES_BLOCK_SIZE, bench_plain, bench_size, + ret = wc_AesSivEncrypt(key, keySz, assoc, WC_AES_BLOCK_SIZE, nonce, + WC_AES_BLOCK_SIZE, bench_plain, bench_size, siv, bench_cipher); if (ret != 0) { printf("wc_AesSivEncrypt failed (%d)\n", ret); @@ -5388,8 +5427,8 @@ static void bench_aessiv_internal(const byte* key, word32 keySz, const char* bench_stats_start(&count, &start); do { for (i = 0; i < numBlocks; i++) { - ret = wc_AesSivDecrypt(key, keySz, assoc, AES_BLOCK_SIZE, nonce, - AES_BLOCK_SIZE, bench_cipher, bench_size, + ret = wc_AesSivDecrypt(key, keySz, assoc, WC_AES_BLOCK_SIZE, nonce, + WC_AES_BLOCK_SIZE, bench_cipher, bench_size, siv, bench_plain); if (ret != 0) { printf("wc_AesSivDecrypt failed (%d)\n", ret); @@ -5489,7 +5528,7 @@ void bench_poly1305(void) #ifdef HAVE_CAMELLIA void bench_camellia(void) { - Camellia cam; + wc_Camellia cam; double start; int ret, i, count; DECLARE_MULTI_VALUE_STATS_VARS() @@ -7905,7 +7944,7 @@ void bench_blake2s(void) static void bench_cmac_helper(word32 keySz, const char* outMsg, int useDeviceID) { Cmac cmac; - byte digest[AES_BLOCK_SIZE]; + byte digest[WC_AES_BLOCK_SIZE]; word32 digestSz = sizeof(digest); double start; int ret, i, count; @@ -9470,6 +9509,27 @@ void bench_kyber(int type) int keySize = 0; switch (type) { +#ifndef WOLFSSL_NO_ML_KEM +#ifdef WOLFSSL_WC_ML_KEM_512 + case WC_ML_KEM_512: + name = "ML-KEM 512 "; + keySize = 128; + break; +#endif +#ifdef WOLFSSL_WC_ML_KEM_768 + case WC_ML_KEM_768: + name = "ML-KEM 768 "; + keySize = 192; + break; +#endif +#ifdef WOLFSSL_WC_ML_KEM_1024 + case WC_ML_KEM_1024: + name = "ML-KEM 1024 "; + keySize = 256; + break; +#endif +#endif +#ifdef WOLFSSL_KYBER_ORIGINAL #ifdef WOLFSSL_KYBER512 case KYBER512: name = "KYBER512 "; @@ -9487,6 +9547,7 @@ void bench_kyber(int type) name = "KYBER1024"; keySize = 256; break; +#endif #endif } @@ -14496,7 +14557,15 @@ void bench_sphincsKeySign(byte level, byte optim) return (double) ticks/TICKS_PER_SECOND; } +#elif defined(WOLFSSL_RPIPICO) + #include "pico/stdlib.h" + double current_time(int reset) + { + (void)reset; + + return (double) time_us_64() / 1000000; + } #elif defined(THREADX) #include "tx_api.h" double current_time(int reset) diff --git a/wolfcrypt/src/ASN_TEMPLATE.md b/wolfcrypt/src/ASN_TEMPLATE.md new file mode 100644 index 0000000000..5fa3fce320 --- /dev/null +++ b/wolfcrypt/src/ASN_TEMPLATE.md @@ -0,0 +1,162 @@ +# Writing an ASN Template + +## Template + +A template that describes the ASN.1 items that are expected is required. + +Each ASN.1 item should have a named index to make it easier to choose the item +when assigning variables or getting data. + +The number of items in the template is needed too. Use a define using sizeof to +allow for modification. + +```c +/* ASN template for . + * + */ +static const ASNItem