From 3444d5c526df7fffa4ade75a2a71396c1eff72c0 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 21 Nov 2024 12:06:29 -0800 Subject: [PATCH] Fixes from compatibility header decoupling PR #8182. Fixes issue with wolfEngine and wolfProvider. Change behavior for openssl compatibility headers to be installed unless `--enable-opensslextra=noinstall` is used. Removed dependency on X509 small with SESSION_CERTS, KEEP_PEER_CERTS and KEEP_OUR_CERT. --- configure.ac | 4 +- src/x509.c | 19 ++++--- src/x509_str.c | 2 + wolfssl/ssl.h | 97 ++++++++++++++++++++++-------------- wolfssl/wolfcrypt/settings.h | 7 --- 5 files changed, 74 insertions(+), 55 deletions(-) diff --git a/configure.ac b/configure.ac index a35d87e8ba..4985c20b4c 100644 --- a/configure.ac +++ b/configure.ac @@ -2298,7 +2298,7 @@ fi # OPENSSL Extra Compatibility AC_ARG_ENABLE([opensslextra], - [AS_HELP_STRING([--enable-opensslextra],[Enable extra OpenSSL API, size+ (default: disabled)])], + [AS_HELP_STRING([--enable-opensslextra],[Enable extra OpenSSL API, size+ (default: disabled). Skip compat header install using "noinstall"])], [ ENABLED_OPENSSLEXTRA=$enableval ], [ ENABLED_OPENSSLEXTRA=no ] ) @@ -9859,7 +9859,7 @@ fi # Some of these affect build targets and objects, some trigger different # test scripts for make check. AM_CONDITIONAL([BUILD_DISTRO],[test "x$ENABLED_DISTRO" = "xyes"]) -AM_CONDITIONAL([BUILD_OPENSSL_COMPAT],[test "x$ENABLED_OPENSSLEXTRA" != "xno" && test "x$ENABLED_OPENSSLCOEXIST" = "xno"]) +AM_CONDITIONAL([BUILD_OPENSSL_COMPAT],[test "x$ENABLED_OPENSSLEXTRA" != "xnoinstall"]) AM_CONDITIONAL([BUILD_ALL],[test "x$ENABLED_ALL" = "xyes"]) AM_CONDITIONAL([BUILD_TLS13],[test "x$ENABLED_TLS13" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) AM_CONDITIONAL([BUILD_RNG],[test "x$ENABLED_RNG" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"]) diff --git a/src/x509.c b/src/x509.c index aa46164b97..2f000131e6 100644 --- a/src/x509.c +++ b/src/x509.c @@ -3295,6 +3295,7 @@ int wolfSSL_X509_pubkey_digest(const WOLFSSL_X509 *x509, #endif /* OPENSSL_EXTRA */ #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \ + defined(KEEP_OUR_CERT) || \ defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) /* user externally called free X509, if dynamic go ahead with free, otherwise @@ -3317,9 +3318,6 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) if (ret != 0) { WOLFSSL_MSG("Couldn't lock x509 mutex"); } - #endif /* OPENSSL_EXTRA_X509_SMALL || OPENSSL_EXTRA */ - - #if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA) if (doFree) #endif /* OPENSSL_EXTRA_X509_SMALL || OPENSSL_EXTRA */ { @@ -3337,10 +3335,13 @@ static void ExternalFreeX509(WOLFSSL_X509* x509) WOLFSSL_ABI void wolfSSL_X509_free(WOLFSSL_X509* x509) { - WOLFSSL_ENTER("wolfSSL_FreeX509"); + WOLFSSL_ENTER("wolfSSL_X509_free"); ExternalFreeX509(x509); } +#endif +#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \ + defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) /* copy name into in buffer, at most sz bytes, if buffer is null will malloc buffer, call responsible for freeing */ @@ -3766,7 +3767,7 @@ int wolfSSL_X509_NAME_entry_count(WOLFSSL_X509_NAME* name) #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #if defined(OPENSSL_EXTRA) || \ - defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) + defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) /* return the next, if any, altname from the peer cert */ WOLFSSL_ABI @@ -5354,7 +5355,8 @@ WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer( } #endif -#endif /* KEEP_PEER_CERT || SESSION_CERTS */ +#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_PEER_CERT || \ + SESSION_CERTS */ #if defined(OPENSSL_EXTRA_X509_SMALL) || defined(KEEP_PEER_CERT) || \ defined(SESSION_CERTS) @@ -14405,7 +14407,7 @@ int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject) #endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */ #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \ - defined(KEEP_PEER_CERT) + defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x) { WOLFSSL_ENTER("wolfSSL_X509_dup"); @@ -14423,7 +14425,8 @@ WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x) return wolfSSL_X509_d2i_ex(NULL, x->derCert->buffer, x->derCert->length, x->heap); } -#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ +#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_PEER_CERT || \ + SESSION_CERTS */ #if defined(OPENSSL_EXTRA) int wolfSSL_X509_check_ca(WOLFSSL_X509 *x509) diff --git a/src/x509_str.c b/src/x509_str.c index 2d92a3844f..70ecbac3bf 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -221,7 +221,9 @@ int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, wolfSSL_sk_X509_free(ctx->chain); ctx->chain = NULL; } +#ifdef SESSION_CERTS ctx->sesChain = NULL; +#endif ctx->domain = NULL; #ifdef HAVE_EX_DATA XMEMSET(&ctx->ex_data, 0, sizeof(ctx->ex_data)); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index d72af51ab3..ee9b2fbf3c 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -553,14 +553,16 @@ struct WOLFSSL_X509_STORE_CTX { #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_X509_STORE* store; /* Store full of a CA cert chain */ WOLFSSL_X509* current_cert; /* current X509 (OPENSSL_EXTRA) */ -#if defined(WOLFSSL_ASIO) || defined(OPENSSL_EXTRA) + #if defined(WOLFSSL_ASIO) || defined(OPENSSL_EXTRA) WOLFSSL_X509* current_issuer; /* asio dereference */ -#endif + #endif +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ WOLFSSL_X509_CHAIN* sesChain; /* pointer to WOLFSSL_SESSION peer chain */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_STACK* chain; -#ifdef OPENSSL_EXTRA + #ifdef OPENSSL_EXTRA WOLFSSL_X509_VERIFY_PARAM* param; /* certificate validation parameter */ -#endif + #endif #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ char* domain; /* subject CN domain name */ @@ -1408,11 +1410,6 @@ WOLFSSL_API int wolfSSL_GetSessionIndex(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_GetSessionAtIndex(int index, WOLFSSL_SESSION* session); #endif /* SESSION_INDEX */ -#ifdef SESSION_CERTS -WOLFSSL_API - WOLFSSL_X509_CHAIN* wolfSSL_SESSION_get_peer_chain(WOLFSSL_SESSION* session); -WOLFSSL_API WOLFSSL_X509* wolfSSL_SESSION_get0_peer(WOLFSSL_SESSION* session); -#endif /* SESSION_CERTS */ #ifdef OPENSSL_EXTRA /* compatibility callback for TLS state */ @@ -1864,9 +1861,6 @@ WOLFSSL_API int wolfSSL_sk_X509_EXTENSION_num(WOLF_STACK_OF(WOLFSSL_X509_EXTENSI WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_sk_X509_EXTENSION_value( const WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk, int idx); -WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void); -WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new_ex(void* heap); -WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x); #if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA) WOLFSSL_API int wolfSSL_RSA_up_ref(WOLFSSL_RSA* rsa); WOLFSSL_API int wolfSSL_X509_up_ref(WOLFSSL_X509* x509); @@ -2101,7 +2095,6 @@ WOLFSSL_API unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x5 WOLFSSL_API int wolfSSL_X509_ext_isSet_by_NID(WOLFSSL_X509* x509, int nid); WOLFSSL_API int wolfSSL_X509_ext_get_critical_by_NID(WOLFSSL_X509* x509, int nid); WOLFSSL_API int wolfSSL_X509_EXTENSION_set_critical(WOLFSSL_X509_EXTENSION* ex, int crit); -WOLFSSL_API int wolfSSL_X509_get_isCA(WOLFSSL_X509* x509); WOLFSSL_API int wolfSSL_X509_get_isSet_pathLength(WOLFSSL_X509* x509); WOLFSSL_API unsigned int wolfSSL_X509_get_pathLength(WOLFSSL_X509* x509); WOLFSSL_API unsigned int wolfSSL_X509_get_keyUsage(WOLFSSL_X509* x509); @@ -2164,11 +2157,6 @@ WOLFSSL_API int wolfSSL_ASN1_STRING_copy(WOLFSSL_ASN1_STRING* dst, const WOLFSSL_ASN1_STRING* src); WOLFSSL_API int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx); WOLFSSL_API const char* wolfSSL_X509_verify_cert_error_string(long err); -WOLFSSL_API int wolfSSL_X509_get_signature_type(WOLFSSL_X509* x509); -WOLFSSL_API int wolfSSL_X509_get_signature(WOLFSSL_X509* x509, unsigned char* buf, int* bufSz); -WOLFSSL_API int wolfSSL_X509_get_pubkey_buffer(WOLFSSL_X509* x509, unsigned char* buf, - int* bufSz); -WOLFSSL_API int wolfSSL_X509_get_pubkey_type(WOLFSSL_X509* x509); WOLFSSL_API int wolfSSL_X509_LOOKUP_add_dir(WOLFSSL_X509_LOOKUP* lookup,const char* dir,long type); WOLFSSL_API int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup, const char* file, @@ -2774,10 +2762,6 @@ WOLFSSL_API void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx); WOLFSSL_API long wolfSSL_set_options(WOLFSSL *s, long op); WOLFSSL_API long wolfSSL_get_options(const WOLFSSL *s); -WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name( - WOLFSSL_X509* cert); -WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name( - WOLFSSL_X509* cert); WOLFSSL_ABI WOLFSSL_API char* wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME* name, char* in, int sz); @@ -3118,6 +3102,21 @@ WOLFSSL_API unsigned long wolfSSL_SESSION_get_ticket_lifetime_hint( WOLFSSL_API long wolfSSL_SESSION_get_timeout(const WOLFSSL_SESSION* session); WOLFSSL_API long wolfSSL_SESSION_get_time(const WOLFSSL_SESSION* session); + +#ifdef SESSION_CERTS +#ifdef OPENSSL_EXTRA +WOLFSSL_API const char *wolfSSL_get0_peername(WOLFSSL *ssl); +#endif + +WOLFSSL_API + WOLFSSL_X509_CHAIN* wolfSSL_SESSION_get_peer_chain(WOLFSSL_SESSION* session); +WOLFSSL_API WOLFSSL_X509* wolfSSL_SESSION_get0_peer(WOLFSSL_SESSION* session); + +WOLFSSL_API int wolfSSL_get_chain_cert_pem(WOLFSSL_X509_CHAIN* chain, int idx, + unsigned char* buf, int inLen, int* outLen); +#endif /* SESSION_CERTS */ + + /* extra ends */ @@ -3127,9 +3126,6 @@ WOLFSSL_API long wolfSSL_SESSION_get_time(const WOLFSSL_SESSION* session); date check and signature check */ WOLFSSL_ABI WOLFSSL_API int wolfSSL_check_domain_name(WOLFSSL* ssl, const char* dn); -#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) -WOLFSSL_API const char *wolfSSL_get0_peername(WOLFSSL *ssl); -#endif /* need to call once to load library (session cache) */ WOLFSSL_ABI WOLFSSL_API int wolfSSL_Init(void); @@ -3171,13 +3167,49 @@ WOLFSSL_API int wolfSSL_get_chain_length(WOLFSSL_X509_CHAIN* chain, int idx); WOLFSSL_API unsigned char* wolfSSL_get_chain_cert(WOLFSSL_X509_CHAIN* chain, int idx); /* index cert in X509 */ WOLFSSL_API WOLFSSL_X509* wolfSSL_get_chain_X509(WOLFSSL_X509_CHAIN* chain, int idx); + + +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ + defined(KEEP_PEER_CERT) || defined(KEEP_OUR_CERT) || defined(SESSION_CERTS) + +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void); +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new_ex(void* heap); +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x); + +WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name( + WOLFSSL_X509* cert); +WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name( + WOLFSSL_X509* cert); + +WOLFSSL_API int wolfSSL_X509_get_signature_type(WOLFSSL_X509* x509); +WOLFSSL_API int wolfSSL_X509_get_isCA(WOLFSSL_X509* x509); +WOLFSSL_API int wolfSSL_X509_get_signature(WOLFSSL_X509* x509, + unsigned char* buf, int* bufSz); +WOLFSSL_API int wolfSSL_X509_get_pubkey_buffer(WOLFSSL_X509* x509, + unsigned char* buf, int* bufSz); +WOLFSSL_API int wolfSSL_X509_get_pubkey_type(WOLFSSL_X509* x509); + +#ifndef NO_FILESYSTEM +WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509* + wolfSSL_X509_load_certificate_file(const char* fname, int format); +#endif +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer( + const unsigned char* buf, int sz, int format); +#ifdef WOLFSSL_CERT_REQ +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer( + const unsigned char* buf, int sz, int format); +#endif + /* free X509 */ #define wolfSSL_FreeX509(x509) wolfSSL_X509_free((x509)) WOLFSSL_ABI WOLFSSL_API void wolfSSL_X509_free(WOLFSSL_X509* x509); +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || KEEP_PEER_CERT || \ + KEEP_OUR_CERT || SESSION_CERTS */ + + /* get index cert in PEM */ -WOLFSSL_API int wolfSSL_get_chain_cert_pem(WOLFSSL_X509_CHAIN* chain, int idx, - unsigned char* buf, int inLen, int* outLen); + WOLFSSL_ABI WOLFSSL_API const unsigned char* wolfSSL_get_sessionID( const WOLFSSL_SESSION* s); WOLFSSL_API int wolfSSL_X509_get_serial_number(WOLFSSL_X509* x509,unsigned char* in,int* inOutSz); @@ -3302,17 +3334,6 @@ const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const /* connect enough to get peer cert */ WOLFSSL_API int wolfSSL_connect_cert(WOLFSSL* ssl); -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) -WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509* - wolfSSL_X509_load_certificate_file(const char* fname, int format); -WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer( - const unsigned char* buf, int sz, int format); -#ifdef WOLFSSL_CERT_REQ -WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer( - const unsigned char* buf, int sz, int format); -#endif -#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ - #ifdef OPENSSL_EXTRA /* PKCS12 compatibility */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index b1b9b06cd7..9efaad22c2 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3721,13 +3721,6 @@ extern void uITRON4_free(void *p) ; #define WOLFSSL_HAVE_TLS_UNIQUE #endif -/* Keep peer cert, keep our cert and session certs requires WOLFSSL_X509 */ -#if (defined(KEEP_PEER_CERT) || defined(KEEP_OUR_CERT) || \ - defined(SESSION_CERTS)) && \ - !defined(OPENSSL_EXTRA) && !defined(OPENSSL_EXTRA_X509_SMALL) - #define OPENSSL_EXTRA_X509_SMALL -#endif - /* WPAS Small option requires OPENSSL_EXTRA_X509_SMALL */ #if defined(WOLFSSL_WPAS_SMALL) && !defined(OPENSSL_EXTRA_X509_SMALL) #define OPENSSL_EXTRA_X509_SMALL