diff options
| author | auth12 <[email protected]> | 2020-07-22 08:40:38 -0700 |
|---|---|---|
| committer | auth12 <[email protected]> | 2020-07-22 08:40:38 -0700 |
| commit | 4ff89e85e74884e8f04edb5c31a94b4323e895e9 (patch) | |
| tree | 65f98ebf9af0d0947e44bf397b1fac0f107d7a2f /client/wolfssl/src/ssl.c | |
| parent | Client injection. (diff) | |
| download | loader-4ff89e85e74884e8f04edb5c31a94b4323e895e9.tar.xz loader-4ff89e85e74884e8f04edb5c31a94b4323e895e9.zip | |
Removed wolfssl
Diffstat (limited to 'client/wolfssl/src/ssl.c')
| -rw-r--r-- | client/wolfssl/src/ssl.c | 47707 |
1 files changed, 0 insertions, 47707 deletions
diff --git a/client/wolfssl/src/ssl.c b/client/wolfssl/src/ssl.c deleted file mode 100644 index 58569f3..0000000 --- a/client/wolfssl/src/ssl.c +++ /dev/null @@ -1,47707 +0,0 @@ -/* ssl.c - * - * Copyright (C) 2006-2020 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - - -#ifdef HAVE_CONFIG_H - #include <config.h> -#endif - -#include <wolfssl/wolfcrypt/settings.h> -#if defined(OPENSSL_EXTRA) && !defined(_WIN32) - /* turn on GNU extensions for XVASPRINTF with wolfSSL_BIO_printf */ - #undef _GNU_SOURCE - #define _GNU_SOURCE -#endif - -#if !defined(WOLFCRYPT_ONLY) || defined(OPENSSL_EXTRA) || \ - defined(OPENSSL_EXTRA_X509_SMALL) - -#ifdef HAVE_ERRNO_H - #include <errno.h> -#endif - -#include <wolfssl/internal.h> -#include <wolfssl/error-ssl.h> -#include <wolfssl/wolfcrypt/coding.h> -#ifdef NO_INLINE - #include <wolfssl/wolfcrypt/misc.h> -#else - #define WOLFSSL_MISC_INCLUDED - #include <wolfcrypt/src/misc.c> -#endif - - -#if !defined(WOLFSSL_ALLOW_NO_SUITES) && !defined(WOLFCRYPT_ONLY) - #if defined(NO_DH) && !defined(HAVE_ECC) && !defined(WOLFSSL_STATIC_RSA) \ - && !defined(WOLFSSL_STATIC_DH) && !defined(WOLFSSL_STATIC_PSK) \ - && !defined(HAVE_ED25519) && !defined(HAVE_ED448) - #error "No cipher suites defined because DH disabled, ECC disabled, and no static suites defined. Please see top of README" - #endif - #ifdef WOLFSSL_CERT_GEN - /* need access to Cert struct for creating certificate */ - #include <wolfssl/wolfcrypt/asn_public.h> - #endif -#endif - -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \ - defined(HAVE_WEBSERVER) || defined(WOLFSSL_KEY_GEN) - #include <wolfssl/openssl/evp.h> - /* openssl headers end, wolfssl internal headers next */ -#endif - -#include <wolfssl/wolfcrypt/wc_encrypt.h> - -#ifndef NO_RSA - #include <wolfssl/wolfcrypt/rsa.h> -#endif - -#ifdef OPENSSL_EXTRA - /* openssl headers begin */ - #include <wolfssl/openssl/aes.h> - #include <wolfssl/openssl/hmac.h> - #include <wolfssl/openssl/crypto.h> - #include <wolfssl/openssl/des.h> - #include <wolfssl/openssl/bn.h> - #include <wolfssl/openssl/buffer.h> - #include <wolfssl/openssl/dh.h> - #include <wolfssl/openssl/rsa.h> - #include <wolfssl/openssl/pem.h> - #include <wolfssl/openssl/ec.h> - #include <wolfssl/openssl/ec25519.h> - #include <wolfssl/openssl/ed25519.h> - #include <wolfssl/openssl/ec448.h> - #include <wolfssl/openssl/ed448.h> - #include <wolfssl/openssl/ecdsa.h> - #include <wolfssl/openssl/ecdh.h> - #include <wolfssl/openssl/err.h> - #include <wolfssl/openssl/opensslv.h> - #include <wolfssl/openssl/rc4.h> - #include <wolfssl/openssl/stack.h> - #include <wolfssl/openssl/x509v3.h> - #include <wolfssl/openssl/x509_vfy.h> - /* openssl headers end, wolfssl internal headers next */ - #include <wolfssl/wolfcrypt/hmac.h> - #include <wolfssl/wolfcrypt/random.h> - #include <wolfssl/wolfcrypt/des3.h> - #include <wolfssl/wolfcrypt/md4.h> - #include <wolfssl/wolfcrypt/md5.h> - #include <wolfssl/wolfcrypt/arc4.h> - #include <wolfssl/wolfcrypt/idea.h> - #include <wolfssl/wolfcrypt/curve25519.h> - #include <wolfssl/wolfcrypt/ed25519.h> - #include <wolfssl/wolfcrypt/curve448.h> - #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) - #include <wolfssl/openssl/ocsp.h> - #endif /* WITH_STUNNEL */ - #if defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384) - #include <wolfssl/wolfcrypt/sha512.h> - #endif - #if defined(WOLFCRYPT_HAVE_SRP) && !defined(NO_SHA256) \ - && !defined(WC_NO_RNG) - #include <wolfssl/wolfcrypt/srp.h> - #endif - #if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) - #include <wolfssl/wolfcrypt/pkcs7.h> - #endif - #if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) - #include <wolfssl/openssl/pkcs7.h> - #endif /* OPENSSL_ALL && HAVE_PKCS7 */ -#endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) - int SetIndividualInternal(WOLFSSL_BIGNUM* bn, mp_int* mpi); - int SetIndividualExternal(WOLFSSL_BIGNUM** bn, mp_int* mpi); - int oid2nid(word32 oid, int grp); -#endif - -#if defined(WOLFSSL_QT) - #include <wolfssl/wolfcrypt/sha.h> -#endif - -#ifdef NO_ASN - #include <wolfssl/wolfcrypt/dh.h> -#endif -#endif /* !WOLFCRYPT_ONLY || OPENSSL_EXTRA */ - -#define WOLFSSL_EVP_INCLUDED -#include "wolfcrypt/src/evp.c" - -#ifdef OPENSSL_EXTRA -/* Global pointer to constant BN on */ -static WOLFSSL_BIGNUM* bn_one = NULL; -#endif - -#ifndef WOLFCRYPT_ONLY - -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -const WOLF_EC_NIST_NAME kNistCurves[] = { - {XSTR_SIZEOF("P-192"), "P-192", NID_X9_62_prime192v1}, - {XSTR_SIZEOF("P-256"), "P-256", NID_X9_62_prime256v1}, - {XSTR_SIZEOF("P-112"), "P-112", NID_secp112r1}, - {XSTR_SIZEOF("P-112-2"), "P-112-2", NID_secp112r2}, - {XSTR_SIZEOF("P-128"), "P-128", NID_secp128r1}, - {XSTR_SIZEOF("P-128-2"), "P-128-2", NID_secp128r2}, - {XSTR_SIZEOF("P-160"), "P-160", NID_secp160r1}, - {XSTR_SIZEOF("P-160-2"), "P-160-2", NID_secp160r2}, - {XSTR_SIZEOF("P-224"), "P-224", NID_secp224r1}, - {XSTR_SIZEOF("P-384"), "P-384", NID_secp384r1}, - {XSTR_SIZEOF("P-521"), "P-521", NID_secp521r1}, - {XSTR_SIZEOF("K-160"), "K-160", NID_secp160k1}, - {XSTR_SIZEOF("K-192"), "K-192", NID_secp192k1}, - {XSTR_SIZEOF("K-224"), "K-224", NID_secp224k1}, - {XSTR_SIZEOF("K-256"), "K-256", NID_secp256k1}, - {XSTR_SIZEOF("B-160"), "B-160", NID_brainpoolP160r1}, - {XSTR_SIZEOF("B-192"), "B-192", NID_brainpoolP192r1}, - {XSTR_SIZEOF("B-224"), "B-224", NID_brainpoolP224r1}, - {XSTR_SIZEOF("B-256"), "B-256", NID_brainpoolP256r1}, - {XSTR_SIZEOF("B-320"), "B-320", NID_brainpoolP320r1}, - {XSTR_SIZEOF("B-384"), "B-384", NID_brainpoolP384r1}, - {XSTR_SIZEOF("B-512"), "B-512", NID_brainpoolP512r1}, - {0, NULL, 0}, -}; -#endif - -#if defined(WOLFSSL_RENESAS_TSIP_TLS) - /* for root ca verification */ -int tsip_tls_RootCertVerify(const byte *cert, word32 cert_len, - word32 key_n_start, word32 key_n_len, - word32 key_e_start, word32 key_e_len, - word32 cm_row); -byte tsip_rootCAverified( ); -#endif - -#ifdef WOLFSSL_SESSION_EXPORT -#ifdef WOLFSSL_DTLS -int wolfSSL_dtls_import(WOLFSSL* ssl, unsigned char* buf, unsigned int sz) -{ - WOLFSSL_ENTER("wolfSSL_session_import"); - - if (ssl == NULL || buf == NULL) { - return BAD_FUNC_ARG; - } - - /* sanity checks on buffer and protocol are done in internal function */ - return wolfSSL_dtls_import_internal(ssl, buf, sz); -} - - -/* Sets the function to call for serializing the session. This function is - * called right after the handshake is completed. */ -int wolfSSL_CTX_dtls_set_export(WOLFSSL_CTX* ctx, wc_dtls_export func) -{ - - WOLFSSL_ENTER("wolfSSL_CTX_dtls_set_export"); - - /* purposefully allow func to be NULL */ - if (ctx == NULL) { - return BAD_FUNC_ARG; - } - - ctx->dtls_export = func; - - return WOLFSSL_SUCCESS; -} - - -/* Sets the function in WOLFSSL struct to call for serializing the session. This - * function is called right after the handshake is completed. */ -int wolfSSL_dtls_set_export(WOLFSSL* ssl, wc_dtls_export func) -{ - - WOLFSSL_ENTER("wolfSSL_dtls_set_export"); - - /* purposefully allow func to be NULL */ - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - ssl->dtls_export = func; - - return WOLFSSL_SUCCESS; -} - - -/* This function allows for directly serializing a session rather than using - * callbacks. It has less overhead by removing a temporary buffer and gives - * control over when the session gets serialized. When using callbacks the - * session is always serialized immediately after the handshake is finished. - * - * buf is the argument to contain the serialized session - * sz is the size of the buffer passed in - * ssl is the WOLFSSL struct to serialize - * returns the size of serialized session on success, 0 on no action, and - * negative value on error */ -int wolfSSL_dtls_export(WOLFSSL* ssl, unsigned char* buf, unsigned int* sz) -{ - WOLFSSL_ENTER("wolfSSL_dtls_export"); - - if (ssl == NULL || sz == NULL) { - return BAD_FUNC_ARG; - } - - if (buf == NULL) { - *sz = MAX_EXPORT_BUFFER; - return 0; - } - - /* if not DTLS do nothing */ - if (!ssl->options.dtls) { - WOLFSSL_MSG("Currently only DTLS export is supported"); - return 0; - } - - /* copy over keys, options, and dtls state struct */ - return wolfSSL_dtls_export_internal(ssl, buf, *sz); -} - - -/* This function is similar to wolfSSL_dtls_export but only exports the portion - * of the WOLFSSL structure related to the state of the connection, i.e. peer - * sequence number, epoch, AEAD state etc. - * - * buf is the argument to contain the serialized state, if null then set "sz" to - * buffer size required - * sz is the size of the buffer passed in - * ssl is the WOLFSSL struct to serialize - * returns the size of serialized session on success, 0 on no action, and - * negative value on error */ -int wolfSSL_dtls_export_state_only(WOLFSSL* ssl, unsigned char* buf, - unsigned int* sz) -{ - WOLFSSL_ENTER("wolfSSL_dtls_export_state_only"); - - if (ssl == NULL || sz == NULL) { - return BAD_FUNC_ARG; - } - - if (buf == NULL) { - *sz = MAX_EXPORT_STATE_BUFFER; - return 0; - } - - /* if not DTLS do nothing */ - if (!ssl->options.dtls) { - WOLFSSL_MSG("Currently only DTLS export state is supported"); - return 0; - } - - /* copy over keys, options, and dtls state struct */ - return wolfSSL_dtls_export_state_internal(ssl, buf, *sz); -} - - -/* returns 0 on success */ -int wolfSSL_send_session(WOLFSSL* ssl) -{ - int ret; - byte* buf; - word16 bufSz = MAX_EXPORT_BUFFER; - - WOLFSSL_ENTER("wolfSSL_send_session"); - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - buf = (byte*)XMALLOC(bufSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (buf == NULL) { - return MEMORY_E; - } - - /* if not DTLS do nothing */ - if (!ssl->options.dtls) { - XFREE(buf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - WOLFSSL_MSG("Currently only DTLS export is supported"); - return 0; - } - - /* copy over keys, options, and dtls state struct */ - ret = wolfSSL_dtls_export_internal(ssl, buf, bufSz); - if (ret < 0) { - XFREE(buf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - return ret; - } - - /* if no error ret has size of buffer */ - ret = ssl->dtls_export(ssl, buf, ret, NULL); - if (ret != WOLFSSL_SUCCESS) { - XFREE(buf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - return ret; - } - - XFREE(buf, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - return 0; -} -#endif /* WOLFSSL_DTLS */ -#endif /* WOLFSSL_SESSION_EXPORT */ - -/* prevent multiple mutex initializations */ -static volatile WOLFSSL_GLOBAL int initRefCount = 0; -static WOLFSSL_GLOBAL wolfSSL_Mutex count_mutex; /* init ref count mutex */ - -/* Create a new WOLFSSL_CTX struct and return the pointer to created struct. - WOLFSSL_METHOD pointer passed in is given to ctx to manage. - This function frees the passed in WOLFSSL_METHOD struct on failure and on - success is freed when ctx is freed. - */ -WOLFSSL_CTX* wolfSSL_CTX_new_ex(WOLFSSL_METHOD* method, void* heap) -{ - WOLFSSL_CTX* ctx = NULL; - - WOLFSSL_ENTER("wolfSSL_CTX_new_ex"); - - if (initRefCount == 0) { - /* user no longer forced to call Init themselves */ - int ret = wolfSSL_Init(); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("wolfSSL_Init failed"); - WOLFSSL_LEAVE("WOLFSSL_CTX_new", 0); - if (method != NULL) { - XFREE(method, heap, DYNAMIC_TYPE_METHOD); - } - return NULL; - } - } - - if (method == NULL) - return ctx; - - ctx = (WOLFSSL_CTX*) XMALLOC(sizeof(WOLFSSL_CTX), heap, DYNAMIC_TYPE_CTX); - if (ctx) { - int ret; - - ret = InitSSL_Ctx(ctx, method, heap); - #ifdef WOLFSSL_STATIC_MEMORY - if (heap != NULL) { - ctx->onHeap = 1; /* free the memory back to heap when done */ - } - #endif - if (ret < 0) { - WOLFSSL_MSG("Init CTX failed"); - wolfSSL_CTX_free(ctx); - ctx = NULL; - } -#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) \ - && !defined(NO_SHA256) && !defined(WC_NO_RNG) - else { - ctx->srp = (Srp*) XMALLOC(sizeof(Srp), heap, DYNAMIC_TYPE_SRP); - if (ctx->srp == NULL){ - WOLFSSL_MSG("Init CTX failed"); - wolfSSL_CTX_free(ctx); - return NULL; - } - XMEMSET(ctx->srp, 0, sizeof(Srp)); - } -#endif - } - else { - WOLFSSL_MSG("Alloc CTX failed, method freed"); - XFREE(method, heap, DYNAMIC_TYPE_METHOD); - } - - - WOLFSSL_LEAVE("WOLFSSL_CTX_new", 0); - return ctx; -} - - -WOLFSSL_ABI -WOLFSSL_CTX* wolfSSL_CTX_new(WOLFSSL_METHOD* method) -{ -#ifdef WOLFSSL_HEAP_TEST - /* if testing the heap hint then set top level CTX to have test value */ - return wolfSSL_CTX_new_ex(method, (void*)WOLFSSL_HEAP_TEST); -#else - return wolfSSL_CTX_new_ex(method, NULL); -#endif -} - -#ifdef OPENSSL_EXTRA -/* increases CTX reference count to track proper time to "free" */ -int wolfSSL_CTX_up_ref(WOLFSSL_CTX* ctx) -{ - int refCount = SSL_CTX_RefCount(ctx, 1); - return ((refCount > 1) ? 1 : 0); -} -#endif - -WOLFSSL_ABI -void wolfSSL_CTX_free(WOLFSSL_CTX* ctx) -{ - WOLFSSL_ENTER("SSL_CTX_free"); - if (ctx) { -#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) \ -&& !defined(NO_SHA256) && !defined(WC_NO_RNG) - if (ctx->srp != NULL){ - if (ctx->srp_password != NULL){ - XFREE(ctx->srp_password, ctx->heap, DYNAMIC_TYPE_SRP); - ctx->srp_password = NULL; - } - wc_SrpTerm(ctx->srp); - XFREE(ctx->srp, ctx->heap, DYNAMIC_TYPE_SRP); - ctx->srp = NULL; - } -#endif - FreeSSL_Ctx(ctx); - } - - WOLFSSL_LEAVE("SSL_CTX_free", 0); -} - - -#ifdef HAVE_ENCRYPT_THEN_MAC -/** - * Sets whether Encrypt-Then-MAC extension can be negotiated against context. - * The default value: enabled. - * - * ctx SSL/TLS context. - * set Whether to allow or not: 1 is allow and 0 is disallow. - * returns WOLFSSL_SUCCESS - */ -int wolfSSL_CTX_AllowEncryptThenMac(WOLFSSL_CTX *ctx, int set) -{ - ctx->disallowEncThenMac = !set; - return WOLFSSL_SUCCESS; -} - -/** - * Sets whether Encrypt-Then-MAC extension can be negotiated against context. - * The default value comes from context. - * - * ctx SSL/TLS context. - * set Whether to allow or not: 1 is allow and 0 is disallow. - * returns WOLFSSL_SUCCESS - */ -int wolfSSL_AllowEncryptThenMac(WOLFSSL *ssl, int set) -{ - ssl->options.disallowEncThenMac = !set; - return WOLFSSL_SUCCESS; -} -#endif - -#ifdef SINGLE_THREADED -/* no locking in single threaded mode, allow a CTX level rng to be shared with - * WOLFSSL objects, WOLFSSL_SUCCESS on ok */ -int wolfSSL_CTX_new_rng(WOLFSSL_CTX* ctx) -{ - WC_RNG* rng; - int ret; - - if (ctx == NULL) { - return BAD_FUNC_ARG; - } - - rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), ctx->heap, DYNAMIC_TYPE_RNG); - if (rng == NULL) { - return MEMORY_E; - } - -#ifndef HAVE_FIPS - ret = wc_InitRng_ex(rng, ctx->heap, ctx->devId); -#else - ret = wc_InitRng(rng); -#endif - if (ret != 0) { - XFREE(rng, ctx->heap, DYNAMIC_TYPE_RNG); - return ret; - } - - ctx->rng = rng; - return WOLFSSL_SUCCESS; -} -#endif - - -WOLFSSL_ABI -WOLFSSL* wolfSSL_new(WOLFSSL_CTX* ctx) -{ - WOLFSSL* ssl = NULL; - int ret = 0; - - (void)ret; - WOLFSSL_ENTER("SSL_new"); - - if (ctx == NULL) - return ssl; - - ssl = (WOLFSSL*) XMALLOC(sizeof(WOLFSSL), ctx->heap, DYNAMIC_TYPE_SSL); - if (ssl) - if ( (ret = InitSSL(ssl, ctx, 0)) < 0) { - FreeSSL(ssl, ctx->heap); - ssl = 0; - } - - WOLFSSL_LEAVE("SSL_new", ret); - return ssl; -} - - -WOLFSSL_ABI -void wolfSSL_free(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("SSL_free"); - if (ssl) - FreeSSL(ssl, ssl->ctx->heap); - WOLFSSL_LEAVE("SSL_free", 0); -} - - -int wolfSSL_is_server(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - return ssl->options.side == WOLFSSL_SERVER_END; -} - -#ifdef HAVE_WRITE_DUP - -/* - * Release resources around WriteDup object - * - * ssl WOLFSSL object - * - * no return, destruction so make best attempt -*/ -void FreeWriteDup(WOLFSSL* ssl) -{ - int doFree = 0; - - WOLFSSL_ENTER("FreeWriteDup"); - - if (ssl->dupWrite) { - if (wc_LockMutex(&ssl->dupWrite->dupMutex) == 0) { - ssl->dupWrite->dupCount--; - if (ssl->dupWrite->dupCount == 0) { - doFree = 1; - } else { - WOLFSSL_MSG("WriteDup count not zero, no full free"); - } - wc_UnLockMutex(&ssl->dupWrite->dupMutex); - } - } - - if (doFree) { - WOLFSSL_MSG("Doing WriteDup full free, count to zero"); - wc_FreeMutex(&ssl->dupWrite->dupMutex); - XFREE(ssl->dupWrite, ssl->heap, DYNAMIC_TYPE_WRITEDUP); - } -} - - -/* - * duplicate existing ssl members into dup needed for writing - * - * dup write only WOLFSSL - * ssl existing WOLFSSL - * - * 0 on success -*/ -static int DupSSL(WOLFSSL* dup, WOLFSSL* ssl) -{ - /* shared dupWrite setup */ - ssl->dupWrite = (WriteDup*)XMALLOC(sizeof(WriteDup), ssl->heap, - DYNAMIC_TYPE_WRITEDUP); - if (ssl->dupWrite == NULL) { - return MEMORY_E; - } - XMEMSET(ssl->dupWrite, 0, sizeof(WriteDup)); - - if (wc_InitMutex(&ssl->dupWrite->dupMutex) != 0) { - XFREE(ssl->dupWrite, ssl->heap, DYNAMIC_TYPE_WRITEDUP); - ssl->dupWrite = NULL; - return BAD_MUTEX_E; - } - ssl->dupWrite->dupCount = 2; /* both sides have a count to start */ - dup->dupWrite = ssl->dupWrite; /* each side uses */ - - /* copy write parts over to dup writer */ - XMEMCPY(&dup->specs, &ssl->specs, sizeof(CipherSpecs)); - XMEMCPY(&dup->options, &ssl->options, sizeof(Options)); - XMEMCPY(&dup->keys, &ssl->keys, sizeof(Keys)); - XMEMCPY(&dup->encrypt, &ssl->encrypt, sizeof(Ciphers)); - /* dup side now owns encrypt/write ciphers */ - XMEMSET(&ssl->encrypt, 0, sizeof(Ciphers)); - - dup->IOCB_WriteCtx = ssl->IOCB_WriteCtx; - dup->wfd = ssl->wfd; - dup->wflags = ssl->wflags; - dup->hmac = ssl->hmac; -#ifdef HAVE_TRUNCATED_HMAC - dup->truncated_hmac = ssl->truncated_hmac; -#endif - - /* unique side dup setup */ - dup->dupSide = WRITE_DUP_SIDE; - ssl->dupSide = READ_DUP_SIDE; - - return 0; -} - - -/* - * duplicate a WOLFSSL object post handshake for writing only - * turn existing object into read only. Allows concurrent access from two - * different threads. - * - * ssl existing WOLFSSL object - * - * return dup'd WOLFSSL object on success -*/ -WOLFSSL* wolfSSL_write_dup(WOLFSSL* ssl) -{ - WOLFSSL* dup = NULL; - int ret = 0; - - (void)ret; - WOLFSSL_ENTER("wolfSSL_write_dup"); - - if (ssl == NULL) { - return ssl; - } - - if (ssl->options.handShakeDone == 0) { - WOLFSSL_MSG("wolfSSL_write_dup called before handshake complete"); - return NULL; - } - - if (ssl->dupWrite) { - WOLFSSL_MSG("wolfSSL_write_dup already called once"); - return NULL; - } - - dup = (WOLFSSL*) XMALLOC(sizeof(WOLFSSL), ssl->ctx->heap, DYNAMIC_TYPE_SSL); - if (dup) { - if ( (ret = InitSSL(dup, ssl->ctx, 1)) < 0) { - FreeSSL(dup, ssl->ctx->heap); - dup = NULL; - } else if ( (ret = DupSSL(dup, ssl)) < 0) { - FreeSSL(dup, ssl->ctx->heap); - dup = NULL; - } - } - - WOLFSSL_LEAVE("wolfSSL_write_dup", ret); - - return dup; -} - - -/* - * Notify write dup side of fatal error or close notify - * - * ssl WOLFSSL object - * err Notify err - * - * 0 on success -*/ -int NotifyWriteSide(WOLFSSL* ssl, int err) -{ - int ret; - - WOLFSSL_ENTER("NotifyWriteSide"); - - ret = wc_LockMutex(&ssl->dupWrite->dupMutex); - if (ret == 0) { - ssl->dupWrite->dupErr = err; - ret = wc_UnLockMutex(&ssl->dupWrite->dupMutex); - } - - return ret; -} - - -#endif /* HAVE_WRITE_DUP */ - - -#ifdef HAVE_POLY1305 -/* set if to use old poly 1 for yes 0 to use new poly */ -int wolfSSL_use_old_poly(WOLFSSL* ssl, int value) -{ - (void)ssl; - (void)value; - -#ifndef WOLFSSL_NO_TLS12 - WOLFSSL_ENTER("SSL_use_old_poly"); - WOLFSSL_MSG("Warning SSL connection auto detects old/new and this function" - "is depreciated"); - ssl->options.oldPoly = (word16)value; - WOLFSSL_LEAVE("SSL_use_old_poly", 0); -#endif - return 0; -} -#endif - - -WOLFSSL_ABI -int wolfSSL_set_fd(WOLFSSL* ssl, int fd) -{ - int ret; - - WOLFSSL_ENTER("SSL_set_fd"); - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - ret = wolfSSL_set_read_fd(ssl, fd); - if (ret == WOLFSSL_SUCCESS) { - ret = wolfSSL_set_write_fd(ssl, fd); - } - - return ret; -} - - -int wolfSSL_set_read_fd(WOLFSSL* ssl, int fd) -{ - WOLFSSL_ENTER("SSL_set_read_fd"); - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - ssl->rfd = fd; /* not used directly to allow IO callbacks */ - ssl->IOCB_ReadCtx = &ssl->rfd; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - ssl->IOCB_ReadCtx = &ssl->buffers.dtlsCtx; - ssl->buffers.dtlsCtx.rfd = fd; - } - #endif - - WOLFSSL_LEAVE("SSL_set_read_fd", WOLFSSL_SUCCESS); - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_set_write_fd(WOLFSSL* ssl, int fd) -{ - WOLFSSL_ENTER("SSL_set_write_fd"); - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - ssl->wfd = fd; /* not used directly to allow IO callbacks */ - ssl->IOCB_WriteCtx = &ssl->wfd; - - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - ssl->IOCB_WriteCtx = &ssl->buffers.dtlsCtx; - ssl->buffers.dtlsCtx.wfd = fd; - } - #endif - - WOLFSSL_LEAVE("SSL_set_write_fd", WOLFSSL_SUCCESS); - return WOLFSSL_SUCCESS; -} - - -/** - * Get the name of cipher at priority level passed in. - */ -char* wolfSSL_get_cipher_list(int priority) -{ - const CipherSuiteInfo* ciphers = GetCipherNames(); - - if (priority >= GetCipherNamesSize() || priority < 0) { - return 0; - } - - return (char*)ciphers[priority].name; -} - - -/** - * Get the name of cipher at priority level passed in. - */ -char* wolfSSL_get_cipher_list_ex(WOLFSSL* ssl, int priority) -{ - - if (ssl == NULL) { - return NULL; - } - else { - const char* cipher; - - if ((cipher = wolfSSL_get_cipher_name_internal(ssl)) != NULL) { - if (priority == 0) { - return (char*)cipher; - } - else { - return NULL; - } - } - else { - return wolfSSL_get_cipher_list(priority); - } - } -} - - -int wolfSSL_get_ciphers(char* buf, int len) -{ - const CipherSuiteInfo* ciphers = GetCipherNames(); - int ciphersSz = GetCipherNamesSize(); - int i; - int cipherNameSz; - - if (buf == NULL || len <= 0) - return BAD_FUNC_ARG; - - /* Add each member to the buffer delimited by a : */ - for (i = 0; i < ciphersSz; i++) { - cipherNameSz = (int)XSTRLEN(ciphers[i].name); - if (cipherNameSz + 1 < len) { - XSTRNCPY(buf, ciphers[i].name, len); - buf += cipherNameSz; - - if (i < ciphersSz - 1) - *buf++ = ':'; - *buf = 0; - - len -= cipherNameSz + 1; - } - else - return BUFFER_E; - } - return WOLFSSL_SUCCESS; -} - - -#ifndef NO_ERROR_STRINGS -/* places a list of all supported cipher suites in TLS_* format into "buf" - * return WOLFSSL_SUCCESS on success */ -int wolfSSL_get_ciphers_iana(char* buf, int len) -{ - const CipherSuiteInfo* ciphers = GetCipherNames(); - int ciphersSz = GetCipherNamesSize(); - int i; - int cipherNameSz; - - if (buf == NULL || len <= 0) - return BAD_FUNC_ARG; - - /* Add each member to the buffer delimited by a : */ - for (i = 0; i < ciphersSz; i++) { - cipherNameSz = (int)XSTRLEN(ciphers[i].name_iana); - if (cipherNameSz + 1 < len) { - XSTRNCPY(buf, ciphers[i].name_iana, len); - buf += cipherNameSz; - - if (i < ciphersSz - 1) - *buf++ = ':'; - *buf = 0; - - len -= cipherNameSz + 1; - } - else - return BUFFER_E; - } - return WOLFSSL_SUCCESS; -} -#endif /* NO_ERROR_STRINGS */ - - -const char* wolfSSL_get_shared_ciphers(WOLFSSL* ssl, char* buf, int len) -{ - const char* cipher; - - if (ssl == NULL) - return NULL; - - cipher = wolfSSL_get_cipher_name_iana(ssl); - len = min(len, (int)(XSTRLEN(cipher) + 1)); - XMEMCPY(buf, cipher, len); - return buf; -} - -int wolfSSL_get_fd(const WOLFSSL* ssl) -{ - int fd = -1; - WOLFSSL_ENTER("SSL_get_fd"); - if (ssl) { - fd = ssl->rfd; - } - WOLFSSL_LEAVE("SSL_get_fd", fd); - return fd; -} - - -int wolfSSL_dtls(WOLFSSL* ssl) -{ - int dtlsOpt = 0; - if (ssl) - dtlsOpt = ssl->options.dtls; - return dtlsOpt; -} - -#if !defined(NO_CERTS) -/* Set whether mutual authentication is required for connections. - * Server side only. - * - * ctx The SSL/TLS CTX object. - * req 1 to indicate required and 0 when not. - * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and - * 0 on success. - */ -int wolfSSL_CTX_mutual_auth(WOLFSSL_CTX* ctx, int req) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - if (ctx->method->side == WOLFSSL_CLIENT_END) - return SIDE_ERROR; - - ctx->mutualAuth = (byte)req; - - return 0; -} - -/* Set whether mutual authentication is required for the connection. - * Server side only. - * - * ssl The SSL/TLS object. - * req 1 to indicate required and 0 when not. - * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, - * SIDE_ERROR when not a client and 0 on success. - */ -int wolfSSL_mutual_auth(WOLFSSL* ssl, int req) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - if (ssl->options.side == WOLFSSL_SERVER_END) - return SIDE_ERROR; - - ssl->options.mutualAuth = (word16)req; - - return 0; -} -#endif /* NO_CERTS */ - -#ifndef WOLFSSL_LEANPSK -int wolfSSL_dtls_set_peer(WOLFSSL* ssl, void* peer, unsigned int peerSz) -{ -#ifdef WOLFSSL_DTLS - void* sa; - - if (ssl == NULL) - return WOLFSSL_FAILURE; - - sa = (void*)XMALLOC(peerSz, ssl->heap, DYNAMIC_TYPE_SOCKADDR); - if (sa != NULL) { - if (ssl->buffers.dtlsCtx.peer.sa != NULL) { - XFREE(ssl->buffers.dtlsCtx.peer.sa,ssl->heap,DYNAMIC_TYPE_SOCKADDR); - ssl->buffers.dtlsCtx.peer.sa = NULL; - } - XMEMCPY(sa, peer, peerSz); - ssl->buffers.dtlsCtx.peer.sa = sa; - ssl->buffers.dtlsCtx.peer.sz = peerSz; - return WOLFSSL_SUCCESS; - } - return WOLFSSL_FAILURE; -#else - (void)ssl; - (void)peer; - (void)peerSz; - return WOLFSSL_NOT_IMPLEMENTED; -#endif -} - -int wolfSSL_dtls_get_peer(WOLFSSL* ssl, void* peer, unsigned int* peerSz) -{ -#ifdef WOLFSSL_DTLS - if (ssl == NULL) { - return WOLFSSL_FAILURE; - } - - if (peer != NULL && peerSz != NULL - && *peerSz >= ssl->buffers.dtlsCtx.peer.sz - && ssl->buffers.dtlsCtx.peer.sa != NULL) { - *peerSz = ssl->buffers.dtlsCtx.peer.sz; - XMEMCPY(peer, ssl->buffers.dtlsCtx.peer.sa, *peerSz); - return WOLFSSL_SUCCESS; - } - return WOLFSSL_FAILURE; -#else - (void)ssl; - (void)peer; - (void)peerSz; - return WOLFSSL_NOT_IMPLEMENTED; -#endif -} - - -#if defined(WOLFSSL_SCTP) && defined(WOLFSSL_DTLS) - -int wolfSSL_CTX_dtls_set_sctp(WOLFSSL_CTX* ctx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_dtls_set_sctp()"); - - if (ctx == NULL) - return BAD_FUNC_ARG; - - ctx->dtlsSctp = 1; - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_dtls_set_sctp(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_dtls_set_sctp()"); - - if (ssl == NULL) - return BAD_FUNC_ARG; - - ssl->options.dtlsSctp = 1; - return WOLFSSL_SUCCESS; -} - -#endif /* WOLFSSL_DTLS && WOLFSSL_SCTP */ - -#if (defined(WOLFSSL_SCTP) || defined(WOLFSSL_DTLS_MTU)) && \ - defined(WOLFSSL_DTLS) - -int wolfSSL_CTX_dtls_set_mtu(WOLFSSL_CTX* ctx, word16 newMtu) -{ - if (ctx == NULL || newMtu > MAX_RECORD_SIZE) - return BAD_FUNC_ARG; - - ctx->dtlsMtuSz = newMtu; - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_dtls_set_mtu(WOLFSSL* ssl, word16 newMtu) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - if (newMtu > MAX_RECORD_SIZE) { - ssl->error = BAD_FUNC_ARG; - return WOLFSSL_FAILURE; - } - - ssl->dtlsMtuSz = newMtu; - return WOLFSSL_SUCCESS; -} - -#endif /* WOLFSSL_DTLS && (WOLFSSL_SCTP || WOLFSSL_DTLS_MTU) */ - - -#ifdef WOLFSSL_DTLS_DROP_STATS - -int wolfSSL_dtls_get_drop_stats(WOLFSSL* ssl, - word32* macDropCount, word32* replayDropCount) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_dtls_get_drop_stats()"); - - if (ssl == NULL) - ret = BAD_FUNC_ARG; - else { - ret = WOLFSSL_SUCCESS; - if (macDropCount != NULL) - *macDropCount = ssl->macDropCount; - if (replayDropCount != NULL) - *replayDropCount = ssl->replayDropCount; - } - - WOLFSSL_LEAVE("wolfSSL_dtls_get_drop_stats()", ret); - return ret; -} - -#endif /* WOLFSSL_DTLS_DROP_STATS */ - - -#if defined(WOLFSSL_MULTICAST) - -int wolfSSL_CTX_mcast_set_member_id(WOLFSSL_CTX* ctx, word16 id) -{ - int ret = 0; - - WOLFSSL_ENTER("wolfSSL_CTX_mcast_set_member_id()"); - - if (ctx == NULL || id > 255) - ret = BAD_FUNC_ARG; - - if (ret == 0) { - ctx->haveEMS = 0; - ctx->haveMcast = 1; - ctx->mcastID = (byte)id; -#ifndef WOLFSSL_USER_IO - ctx->CBIORecv = EmbedReceiveFromMcast; -#endif /* WOLFSSL_USER_IO */ - - ret = WOLFSSL_SUCCESS; - } - WOLFSSL_LEAVE("wolfSSL_CTX_mcast_set_member_id()", ret); - return ret; -} - -int wolfSSL_mcast_get_max_peers(void) -{ - return WOLFSSL_MULTICAST_PEERS; -} - -#ifdef WOLFSSL_DTLS -static WC_INLINE word32 UpdateHighwaterMark(word32 cur, word32 first, - word32 second, word32 max) -{ - word32 newCur = 0; - - if (cur < first) - newCur = first; - else if (cur < second) - newCur = second; - else if (cur < max) - newCur = max; - - return newCur; -} -#endif /* WOLFSSL_DTLS */ - - -int wolfSSL_set_secret(WOLFSSL* ssl, word16 epoch, - const byte* preMasterSecret, word32 preMasterSz, - const byte* clientRandom, const byte* serverRandom, - const byte* suite) -{ - int ret = 0; - - WOLFSSL_ENTER("wolfSSL_set_secret()"); - - if (ssl == NULL || preMasterSecret == NULL || - preMasterSz == 0 || preMasterSz > ENCRYPT_LEN || - clientRandom == NULL || serverRandom == NULL || suite == NULL) { - - ret = BAD_FUNC_ARG; - } - - if (ret == 0) { - XMEMCPY(ssl->arrays->preMasterSecret, preMasterSecret, preMasterSz); - ssl->arrays->preMasterSz = preMasterSz; - XMEMCPY(ssl->arrays->clientRandom, clientRandom, RAN_LEN); - XMEMCPY(ssl->arrays->serverRandom, serverRandom, RAN_LEN); - ssl->options.cipherSuite0 = suite[0]; - ssl->options.cipherSuite = suite[1]; - - ret = SetCipherSpecs(ssl); - } - - if (ret == 0) - ret = MakeTlsMasterSecret(ssl); - - if (ret == 0) { - ssl->keys.encryptionOn = 1; - ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE); - } - - if (ret == 0) { - if (ssl->options.dtls) { - #ifdef WOLFSSL_DTLS - WOLFSSL_DTLS_PEERSEQ* peerSeq; - int i; - - ssl->keys.dtls_epoch = epoch; - for (i = 0, peerSeq = ssl->keys.peerSeq; - i < WOLFSSL_DTLS_PEERSEQ_SZ; - i++, peerSeq++) { - - peerSeq->nextEpoch = epoch; - peerSeq->prevSeq_lo = peerSeq->nextSeq_lo; - peerSeq->prevSeq_hi = peerSeq->nextSeq_hi; - peerSeq->nextSeq_lo = 0; - peerSeq->nextSeq_hi = 0; - XMEMCPY(peerSeq->prevWindow, peerSeq->window, DTLS_SEQ_SZ); - XMEMSET(peerSeq->window, 0, DTLS_SEQ_SZ); - peerSeq->highwaterMark = UpdateHighwaterMark(0, - ssl->ctx->mcastFirstSeq, - ssl->ctx->mcastSecondSeq, - ssl->ctx->mcastMaxSeq); - } - #else - (void)epoch; - #endif - } - FreeHandshakeResources(ssl); - ret = WOLFSSL_SUCCESS; - } - else { - if (ssl) - ssl->error = ret; - ret = WOLFSSL_FATAL_ERROR; - } - WOLFSSL_LEAVE("wolfSSL_set_secret()", ret); - return ret; -} - - -#ifdef WOLFSSL_DTLS - -int wolfSSL_mcast_peer_add(WOLFSSL* ssl, word16 peerId, int remove) -{ - WOLFSSL_DTLS_PEERSEQ* p = NULL; - int ret = WOLFSSL_SUCCESS; - int i; - - WOLFSSL_ENTER("wolfSSL_mcast_peer_add()"); - if (ssl == NULL || peerId > 255) - return BAD_FUNC_ARG; - - if (!remove) { - /* Make sure it isn't already present, while keeping the first - * open spot. */ - for (i = 0; i < WOLFSSL_DTLS_PEERSEQ_SZ; i++) { - if (ssl->keys.peerSeq[i].peerId == INVALID_PEER_ID) - p = &ssl->keys.peerSeq[i]; - if (ssl->keys.peerSeq[i].peerId == peerId) { - WOLFSSL_MSG("Peer ID already in multicast peer list."); - p = NULL; - } - } - - if (p != NULL) { - XMEMSET(p, 0, sizeof(WOLFSSL_DTLS_PEERSEQ)); - p->peerId = peerId; - p->highwaterMark = UpdateHighwaterMark(0, - ssl->ctx->mcastFirstSeq, - ssl->ctx->mcastSecondSeq, - ssl->ctx->mcastMaxSeq); - } - else { - WOLFSSL_MSG("No room in peer list."); - ret = -1; - } - } - else { - for (i = 0; i < WOLFSSL_DTLS_PEERSEQ_SZ; i++) { - if (ssl->keys.peerSeq[i].peerId == peerId) - p = &ssl->keys.peerSeq[i]; - } - - if (p != NULL) { - p->peerId = INVALID_PEER_ID; - } - else { - WOLFSSL_MSG("Peer not found in list."); - } - } - - WOLFSSL_LEAVE("wolfSSL_mcast_peer_add()", ret); - return ret; -} - - -/* If peerId is in the list of peers and its last sequence number is non-zero, - * return 1, otherwise return 0. */ -int wolfSSL_mcast_peer_known(WOLFSSL* ssl, unsigned short peerId) -{ - int known = 0; - int i; - - WOLFSSL_ENTER("wolfSSL_mcast_peer_known()"); - - if (ssl == NULL || peerId > 255) { - return BAD_FUNC_ARG; - } - - for (i = 0; i < WOLFSSL_DTLS_PEERSEQ_SZ; i++) { - if (ssl->keys.peerSeq[i].peerId == peerId) { - if (ssl->keys.peerSeq[i].nextSeq_hi || - ssl->keys.peerSeq[i].nextSeq_lo) { - - known = 1; - } - break; - } - } - - WOLFSSL_LEAVE("wolfSSL_mcast_peer_known()", known); - return known; -} - - -int wolfSSL_CTX_mcast_set_highwater_cb(WOLFSSL_CTX* ctx, word32 maxSeq, - word32 first, word32 second, - CallbackMcastHighwater cb) -{ - if (ctx == NULL || (second && first > second) || - first > maxSeq || second > maxSeq || cb == NULL) { - - return BAD_FUNC_ARG; - } - - ctx->mcastHwCb = cb; - ctx->mcastFirstSeq = first; - ctx->mcastSecondSeq = second; - ctx->mcastMaxSeq = maxSeq; - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_mcast_set_highwater_ctx(WOLFSSL* ssl, void* ctx) -{ - if (ssl == NULL || ctx == NULL) - return BAD_FUNC_ARG; - - ssl->mcastHwCbCtx = ctx; - - return WOLFSSL_SUCCESS; -} - -#endif /* WOLFSSL_DTLS */ - -#endif /* WOLFSSL_MULTICAST */ - - -#endif /* WOLFSSL_LEANPSK */ - - -/* return underlying connect or accept, WOLFSSL_SUCCESS on ok */ -int wolfSSL_negotiate(WOLFSSL* ssl) -{ - int err = WOLFSSL_FATAL_ERROR; - - WOLFSSL_ENTER("wolfSSL_negotiate"); -#ifndef NO_WOLFSSL_SERVER - if (ssl->options.side == WOLFSSL_SERVER_END) { -#ifdef WOLFSSL_TLS13 - if (IsAtLeastTLSv1_3(ssl->version)) - err = wolfSSL_accept_TLSv13(ssl); - else -#endif - err = wolfSSL_accept(ssl); - } -#endif - -#ifndef NO_WOLFSSL_CLIENT - if (ssl->options.side == WOLFSSL_CLIENT_END) { -#ifdef WOLFSSL_TLS13 - if (IsAtLeastTLSv1_3(ssl->version)) - err = wolfSSL_connect_TLSv13(ssl); - else -#endif - err = wolfSSL_connect(ssl); - } -#endif - - (void)ssl; - - WOLFSSL_LEAVE("wolfSSL_negotiate", err); - - return err; -} - - -WOLFSSL_ABI -WC_RNG* wolfSSL_GetRNG(WOLFSSL* ssl) -{ - if (ssl) { - return ssl->rng; - } - - return NULL; -} - - -#ifndef WOLFSSL_LEANPSK -/* object size based on build */ -int wolfSSL_GetObjectSize(void) -{ -#ifdef SHOW_SIZES - printf("sizeof suites = %lu\n", (unsigned long)sizeof(Suites)); - printf("sizeof ciphers(2) = %lu\n", (unsigned long)sizeof(Ciphers)); -#ifndef NO_RC4 - printf("\tsizeof arc4 = %lu\n", (unsigned long)sizeof(Arc4)); -#endif - printf("\tsizeof aes = %lu\n", (unsigned long)sizeof(Aes)); -#ifndef NO_DES3 - printf("\tsizeof des3 = %lu\n", (unsigned long)sizeof(Des3)); -#endif -#ifndef NO_RABBIT - printf("\tsizeof rabbit = %lu\n", (unsigned long)sizeof(Rabbit)); -#endif -#ifdef HAVE_CHACHA - printf("\tsizeof chacha = %lu\n", (unsigned long)sizeof(ChaCha)); -#endif - printf("sizeof cipher specs = %lu\n", (unsigned long)sizeof(CipherSpecs)); - printf("sizeof keys = %lu\n", (unsigned long)sizeof(Keys)); - printf("sizeof Hashes(2) = %lu\n", (unsigned long)sizeof(Hashes)); -#ifndef NO_MD5 - printf("\tsizeof MD5 = %lu\n", (unsigned long)sizeof(wc_Md5)); -#endif -#ifndef NO_SHA - printf("\tsizeof SHA = %lu\n", (unsigned long)sizeof(wc_Sha)); -#endif -#ifdef WOLFSSL_SHA224 - printf("\tsizeof SHA224 = %lu\n", (unsigned long)sizeof(wc_Sha224)); -#endif -#ifndef NO_SHA256 - printf("\tsizeof SHA256 = %lu\n", (unsigned long)sizeof(wc_Sha256)); -#endif -#ifdef WOLFSSL_SHA384 - printf("\tsizeof SHA384 = %lu\n", (unsigned long)sizeof(wc_Sha384)); -#endif -#ifdef WOLFSSL_SHA384 - printf("\tsizeof SHA512 = %lu\n", (unsigned long)sizeof(wc_Sha512)); -#endif - printf("sizeof Buffers = %lu\n", (unsigned long)sizeof(Buffers)); - printf("sizeof Options = %lu\n", (unsigned long)sizeof(Options)); - printf("sizeof Arrays = %lu\n", (unsigned long)sizeof(Arrays)); -#ifndef NO_RSA - printf("sizeof RsaKey = %lu\n", (unsigned long)sizeof(RsaKey)); -#endif -#ifdef HAVE_ECC - printf("sizeof ecc_key = %lu\n", (unsigned long)sizeof(ecc_key)); -#endif - printf("sizeof WOLFSSL_CIPHER = %lu\n", (unsigned long)sizeof(WOLFSSL_CIPHER)); - printf("sizeof WOLFSSL_SESSION = %lu\n", (unsigned long)sizeof(WOLFSSL_SESSION)); - printf("sizeof WOLFSSL = %lu\n", (unsigned long)sizeof(WOLFSSL)); - printf("sizeof WOLFSSL_CTX = %lu\n", (unsigned long)sizeof(WOLFSSL_CTX)); -#endif - - return sizeof(WOLFSSL); -} - -int wolfSSL_CTX_GetObjectSize(void) -{ - return sizeof(WOLFSSL_CTX); -} - -int wolfSSL_METHOD_GetObjectSize(void) -{ - return sizeof(WOLFSSL_METHOD); -} -#endif - - -#ifdef WOLFSSL_STATIC_MEMORY - -int wolfSSL_CTX_load_static_memory(WOLFSSL_CTX** ctx, wolfSSL_method_func method, - unsigned char* buf, unsigned int sz, - int flag, int max) -{ - WOLFSSL_HEAP* heap; - WOLFSSL_HEAP_HINT* hint; - word32 idx = 0; - - if (ctx == NULL || buf == NULL) { - return BAD_FUNC_ARG; - } - - if (*ctx == NULL && method == NULL) { - return BAD_FUNC_ARG; - } - - if (*ctx == NULL || (*ctx)->heap == NULL) { - if (sizeof(WOLFSSL_HEAP) + sizeof(WOLFSSL_HEAP_HINT) > sz - idx) { - return BUFFER_E; /* not enough memory for structures */ - } - heap = (WOLFSSL_HEAP*)buf; - idx += sizeof(WOLFSSL_HEAP); - if (wolfSSL_init_memory_heap(heap) != 0) { - return WOLFSSL_FAILURE; - } - hint = (WOLFSSL_HEAP_HINT*)(buf + idx); - idx += sizeof(WOLFSSL_HEAP_HINT); - XMEMSET(hint, 0, sizeof(WOLFSSL_HEAP_HINT)); - hint->memory = heap; - - if (*ctx && (*ctx)->heap == NULL) { - (*ctx)->heap = (void*)hint; - } - } - else { -#ifdef WOLFSSL_HEAP_TEST - /* do not load in memory if test has been set */ - if ((*ctx)->heap == (void*)WOLFSSL_HEAP_TEST) { - return WOLFSSL_SUCCESS; - } -#endif - hint = (WOLFSSL_HEAP_HINT*)((*ctx)->heap); - heap = hint->memory; - } - - if (wolfSSL_load_static_memory(buf + idx, sz - idx, flag, heap) != 1) { - WOLFSSL_MSG("Error partitioning memory"); - return WOLFSSL_FAILURE; - } - - /* create ctx if needed */ - if (*ctx == NULL) { - *ctx = wolfSSL_CTX_new_ex(method(hint), hint); - if (*ctx == NULL) { - WOLFSSL_MSG("Error creating ctx"); - return WOLFSSL_FAILURE; - } - } - - /* determine what max applies too */ - if (flag & WOLFMEM_IO_POOL || flag & WOLFMEM_IO_POOL_FIXED) { - heap->maxIO = max; - } - else { /* general memory used in handshakes */ - heap->maxHa = max; - } - - heap->flag |= flag; - - (void)max; - (void)method; - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_is_static_memory(WOLFSSL* ssl, WOLFSSL_MEM_CONN_STATS* mem_stats) -{ - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - WOLFSSL_ENTER("wolfSSL_is_static_memory"); - - /* fill out statistics if wanted and WOLFMEM_TRACK_STATS flag */ - if (mem_stats != NULL && ssl->heap != NULL) { - WOLFSSL_HEAP_HINT* hint = ((WOLFSSL_HEAP_HINT*)(ssl->heap)); - WOLFSSL_HEAP* heap = hint->memory; - if (heap->flag & WOLFMEM_TRACK_STATS && hint->stats != NULL) { - XMEMCPY(mem_stats, hint->stats, sizeof(WOLFSSL_MEM_CONN_STATS)); - } - } - - return (ssl->heap) ? 1 : 0; -} - - -int wolfSSL_CTX_is_static_memory(WOLFSSL_CTX* ctx, WOLFSSL_MEM_STATS* mem_stats) -{ - if (ctx == NULL) { - return BAD_FUNC_ARG; - } - WOLFSSL_ENTER("wolfSSL_CTX_is_static_memory"); - - /* fill out statistics if wanted */ - if (mem_stats != NULL && ctx->heap != NULL) { - WOLFSSL_HEAP* heap = ((WOLFSSL_HEAP_HINT*)(ctx->heap))->memory; - if (wolfSSL_GetMemStats(heap, mem_stats) != 1) { - return MEMORY_E; - } - } - - return (ctx->heap) ? 1 : 0; -} - -#endif /* WOLFSSL_STATIC_MEMORY */ - - -/* return max record layer size plaintext input size */ -int wolfSSL_GetMaxOutputSize(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_GetMaxOutputSize"); - - if (ssl == NULL) - return BAD_FUNC_ARG; - - if (ssl->options.handShakeState != HANDSHAKE_DONE) { - WOLFSSL_MSG("Handshake not complete yet"); - return BAD_FUNC_ARG; - } - - return wolfSSL_GetMaxRecordSize(ssl, OUTPUT_RECORD_SIZE); -} - - -/* return record layer size of plaintext input size */ -int wolfSSL_GetOutputSize(WOLFSSL* ssl, int inSz) -{ - int maxSize; - - WOLFSSL_ENTER("wolfSSL_GetOutputSize"); - - if (inSz < 0) - return BAD_FUNC_ARG; - - maxSize = wolfSSL_GetMaxOutputSize(ssl); - if (maxSize < 0) - return maxSize; /* error */ - if (inSz > maxSize) - return INPUT_SIZE_E; - - return BuildMessage(ssl, NULL, 0, NULL, inSz, application_data, 0, 1, 0); -} - - -#ifdef HAVE_ECC -int wolfSSL_CTX_SetMinEccKey_Sz(WOLFSSL_CTX* ctx, short keySz) -{ - if (ctx == NULL || keySz < 0 || keySz % 8 != 0) { - WOLFSSL_MSG("Key size must be divisible by 8 or ctx was null"); - return BAD_FUNC_ARG; - } - - ctx->minEccKeySz = keySz / 8; -#ifndef NO_CERTS - ctx->cm->minEccKeySz = keySz / 8; -#endif - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_SetMinEccKey_Sz(WOLFSSL* ssl, short keySz) -{ - if (ssl == NULL || keySz < 0 || keySz % 8 != 0) { - WOLFSSL_MSG("Key size must be divisible by 8 or ssl was null"); - return BAD_FUNC_ARG; - } - - ssl->options.minEccKeySz = keySz / 8; - return WOLFSSL_SUCCESS; -} - -#endif /* !NO_RSA */ - -#ifndef NO_RSA -int wolfSSL_CTX_SetMinRsaKey_Sz(WOLFSSL_CTX* ctx, short keySz) -{ - if (ctx == NULL || keySz < 0 || keySz % 8 != 0) { - WOLFSSL_MSG("Key size must be divisible by 8 or ctx was null"); - return BAD_FUNC_ARG; - } - - ctx->minRsaKeySz = keySz / 8; - ctx->cm->minRsaKeySz = keySz / 8; - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_SetMinRsaKey_Sz(WOLFSSL* ssl, short keySz) -{ - if (ssl == NULL || keySz < 0 || keySz % 8 != 0) { - WOLFSSL_MSG("Key size must be divisible by 8 or ssl was null"); - return BAD_FUNC_ARG; - } - - ssl->options.minRsaKeySz = keySz / 8; - return WOLFSSL_SUCCESS; -} -#endif /* !NO_RSA */ - -#ifndef NO_DH -/* server Diffie-Hellman parameters, WOLFSSL_SUCCESS on ok */ -int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, - const unsigned char* g, int gSz) -{ - WOLFSSL_ENTER("wolfSSL_SetTmpDH"); - - if (ssl == NULL || p == NULL || g == NULL) - return BAD_FUNC_ARG; - - if ((word16)pSz < ssl->options.minDhKeySz) - return DH_KEY_SIZE_E; - if ((word16)pSz > ssl->options.maxDhKeySz) - return DH_KEY_SIZE_E; - - /* this function is for server only */ - if (ssl->options.side == WOLFSSL_CLIENT_END) - return SIDE_ERROR; - - #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST) - ssl->options.dhKeyTested = 0; - ssl->options.dhDoKeyTest = 1; - #endif - - if (ssl->buffers.serverDH_P.buffer && ssl->buffers.weOwnDH) { - XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - ssl->buffers.serverDH_P.buffer = NULL; - } - if (ssl->buffers.serverDH_G.buffer && ssl->buffers.weOwnDH) { - XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - ssl->buffers.serverDH_G.buffer = NULL; - } - - ssl->buffers.weOwnDH = 1; /* SSL owns now */ - ssl->buffers.serverDH_P.buffer = (byte*)XMALLOC(pSz, ssl->heap, - DYNAMIC_TYPE_PUBLIC_KEY); - if (ssl->buffers.serverDH_P.buffer == NULL) - return MEMORY_E; - - ssl->buffers.serverDH_G.buffer = (byte*)XMALLOC(gSz, ssl->heap, - DYNAMIC_TYPE_PUBLIC_KEY); - if (ssl->buffers.serverDH_G.buffer == NULL) { - XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - ssl->buffers.serverDH_P.buffer = NULL; - return MEMORY_E; - } - - ssl->buffers.serverDH_P.length = pSz; - ssl->buffers.serverDH_G.length = gSz; - - XMEMCPY(ssl->buffers.serverDH_P.buffer, p, pSz); - XMEMCPY(ssl->buffers.serverDH_G.buffer, g, gSz); - - ssl->options.haveDH = 1; - - if (ssl->options.side != WOLFSSL_NEITHER_END) { - word16 havePSK; - word16 haveRSA; - int keySz = 0; - - #ifndef NO_PSK - havePSK = ssl->options.havePSK; - #else - havePSK = 0; - #endif - #ifdef NO_RSA - haveRSA = 0; - #else - haveRSA = 1; - #endif - #ifndef NO_CERTS - keySz = ssl->buffers.keySz; - #endif - InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - } - - WOLFSSL_LEAVE("wolfSSL_SetTmpDH", 0); - - return WOLFSSL_SUCCESS; -} - - -#if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST) -/* Enables or disables the session's DH key prime test. */ -int wolfSSL_SetEnableDhKeyTest(WOLFSSL* ssl, int enable) -{ - WOLFSSL_ENTER("wolfSSL_SetEnableDhKeyTest"); - - if (ssl == NULL) - return BAD_FUNC_ARG; - - if (!enable) - ssl->options.dhDoKeyTest = 0; - else - ssl->options.dhDoKeyTest = 1; - - WOLFSSL_LEAVE("wolfSSL_SetEnableDhKeyTest", WOLFSSL_SUCCESS); - return WOLFSSL_SUCCESS; -} -#endif - - -/* server ctx Diffie-Hellman parameters, WOLFSSL_SUCCESS on ok */ -int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz, - const unsigned char* g, int gSz) -{ - WOLFSSL_ENTER("wolfSSL_CTX_SetTmpDH"); - if (ctx == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG; - - if ((word16)pSz < ctx->minDhKeySz) - return DH_KEY_SIZE_E; - if ((word16)pSz > ctx->maxDhKeySz) - return DH_KEY_SIZE_E; - - #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \ - !defined(HAVE_SELFTEST) - { - DhKey checkKey; - WC_RNG rng; - int error, freeKey = 0; - - error = wc_InitRng(&rng); - if (!error) - error = wc_InitDhKey(&checkKey); - if (!error) { - freeKey = 1; - error = wc_DhSetCheckKey(&checkKey, - p, pSz, g, gSz, NULL, 0, 0, &rng); - } - if (freeKey) - wc_FreeDhKey(&checkKey); - wc_FreeRng(&rng); - if (error) - return error; - - ctx->dhKeyTested = 1; - } - #endif - - XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY); - ctx->serverDH_P.buffer = NULL; - XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY); - ctx->serverDH_G.buffer = NULL; - - ctx->serverDH_P.buffer = (byte*)XMALLOC(pSz, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if (ctx->serverDH_P.buffer == NULL) - return MEMORY_E; - - ctx->serverDH_G.buffer = (byte*)XMALLOC(gSz, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if (ctx->serverDH_G.buffer == NULL) { - XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY); - ctx->serverDH_P.buffer = NULL; - return MEMORY_E; - } - - ctx->serverDH_P.length = pSz; - ctx->serverDH_G.length = gSz; - - XMEMCPY(ctx->serverDH_P.buffer, p, pSz); - XMEMCPY(ctx->serverDH_G.buffer, g, gSz); - - ctx->haveDH = 1; - - WOLFSSL_LEAVE("wolfSSL_CTX_SetTmpDH", 0); - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_CTX_SetMinDhKey_Sz(WOLFSSL_CTX* ctx, word16 keySz) -{ - if (ctx == NULL || keySz > 16000 || keySz % 8 != 0) - return BAD_FUNC_ARG; - - ctx->minDhKeySz = keySz / 8; - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_SetMinDhKey_Sz(WOLFSSL* ssl, word16 keySz) -{ - if (ssl == NULL || keySz > 16000 || keySz % 8 != 0) - return BAD_FUNC_ARG; - - ssl->options.minDhKeySz = keySz / 8; - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_CTX_SetMaxDhKey_Sz(WOLFSSL_CTX* ctx, word16 keySz) -{ - if (ctx == NULL || keySz > 16000 || keySz % 8 != 0) - return BAD_FUNC_ARG; - - ctx->maxDhKeySz = keySz / 8; - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_SetMaxDhKey_Sz(WOLFSSL* ssl, word16 keySz) -{ - if (ssl == NULL || keySz > 16000 || keySz % 8 != 0) - return BAD_FUNC_ARG; - - ssl->options.maxDhKeySz = keySz / 8; - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_GetDhKey_Sz(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return (ssl->options.dhKeySz * 8); -} - -#endif /* !NO_DH */ - - -WOLFSSL_ABI -int wolfSSL_write(WOLFSSL* ssl, const void* data, int sz) -{ - int ret; - - WOLFSSL_ENTER("SSL_write()"); - - if (ssl == NULL || data == NULL || sz < 0) - return BAD_FUNC_ARG; - -#ifdef WOLFSSL_EARLY_DATA - if (ssl->earlyData != no_early_data && (ret = wolfSSL_negotiate(ssl)) < 0) { - ssl->error = ret; - return WOLFSSL_FATAL_ERROR; - } - ssl->earlyData = no_early_data; -#endif - -#ifdef HAVE_WRITE_DUP - { /* local variable scope */ - int dupErr = 0; /* local copy */ - - ret = 0; - - if (ssl->dupWrite && ssl->dupSide == READ_DUP_SIDE) { - WOLFSSL_MSG("Read dup side cannot write"); - return WRITE_DUP_WRITE_E; - } - if (ssl->dupWrite) { - if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0) { - return BAD_MUTEX_E; - } - dupErr = ssl->dupWrite->dupErr; - ret = wc_UnLockMutex(&ssl->dupWrite->dupMutex); - } - - if (ret != 0) { - ssl->error = ret; /* high priority fatal error */ - return WOLFSSL_FATAL_ERROR; - } - if (dupErr != 0) { - WOLFSSL_MSG("Write dup error from other side"); - ssl->error = dupErr; - return WOLFSSL_FATAL_ERROR; - } - } -#endif - -#ifdef HAVE_ERRNO_H - errno = 0; -#endif - - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_WRITE, SSL_SUCCESS); - ssl->cbmode = SSL_CB_WRITE; - } - #endif - ret = SendData(ssl, data, sz); - - WOLFSSL_LEAVE("SSL_write()", ret); - - if (ret < 0) - return WOLFSSL_FATAL_ERROR; - else - return ret; -} - -static int wolfSSL_read_internal(WOLFSSL* ssl, void* data, int sz, int peek) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_read_internal()"); - - if (ssl == NULL || data == NULL || sz < 0) - return BAD_FUNC_ARG; - -#ifdef HAVE_WRITE_DUP - if (ssl->dupWrite && ssl->dupSide == WRITE_DUP_SIDE) { - WOLFSSL_MSG("Write dup side cannot read"); - return WRITE_DUP_READ_E; - } -#endif - -#ifdef HAVE_ERRNO_H - errno = 0; -#endif - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - ssl->dtls_expected_rx = max(sz + 100, MAX_MTU); -#ifdef WOLFSSL_SCTP - if (ssl->options.dtlsSctp) -#endif -#if defined(WOLLSSL_SCTP) || defined(WOLFSSL_DTLS_MTU) - ssl->dtls_expected_rx = max(ssl->dtls_expected_rx, ssl->dtlsMtuSz); -#endif - } -#endif - - sz = wolfSSL_GetMaxRecordSize(ssl, sz); - - ret = ReceiveData(ssl, (byte*)data, sz, peek); - -#ifdef HAVE_WRITE_DUP - if (ssl->dupWrite) { - if (ssl->error != 0 && ssl->error != WANT_READ - #ifdef WOLFSSL_ASYNC_CRYPT - && ssl->error != WC_PENDING_E - #endif - ) { - int notifyErr; - - WOLFSSL_MSG("Notifying write side of fatal read error"); - notifyErr = NotifyWriteSide(ssl, ssl->error); - if (notifyErr < 0) { - ret = ssl->error = notifyErr; - } - } - } -#endif - - WOLFSSL_LEAVE("wolfSSL_read_internal()", ret); - - if (ret < 0) - return WOLFSSL_FATAL_ERROR; - else - return ret; -} - - -int wolfSSL_peek(WOLFSSL* ssl, void* data, int sz) -{ - WOLFSSL_ENTER("wolfSSL_peek()"); - - return wolfSSL_read_internal(ssl, data, sz, TRUE); -} - - -WOLFSSL_ABI -int wolfSSL_read(WOLFSSL* ssl, void* data, int sz) -{ - WOLFSSL_ENTER("wolfSSL_read()"); - - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_CB_READ, SSL_SUCCESS); - ssl->cbmode = SSL_CB_READ; - } - #endif - return wolfSSL_read_internal(ssl, data, sz, FALSE); -} - - -#ifdef WOLFSSL_MULTICAST - -int wolfSSL_mcast_read(WOLFSSL* ssl, word16* id, void* data, int sz) -{ - int ret = 0; - - WOLFSSL_ENTER("wolfSSL_mcast_read()"); - - if (ssl == NULL) - return BAD_FUNC_ARG; - - ret = wolfSSL_read_internal(ssl, data, sz, FALSE); - if (ssl->options.dtls && ssl->options.haveMcast && id != NULL) - *id = ssl->keys.curPeerId; - return ret; -} - -#endif /* WOLFSSL_MULTICAST */ - - -/* helpers to set the device id, WOLFSSL_SUCCESS on ok */ -WOLFSSL_ABI -int wolfSSL_SetDevId(WOLFSSL* ssl, int devId) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - ssl->devId = devId; - - return WOLFSSL_SUCCESS; -} - -WOLFSSL_ABI -int wolfSSL_CTX_SetDevId(WOLFSSL_CTX* ctx, int devId) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - ctx->devId = devId; - - return WOLFSSL_SUCCESS; -} - -/* helpers to get device id and heap */ -WOLFSSL_ABI -int wolfSSL_CTX_GetDevId(WOLFSSL_CTX* ctx, WOLFSSL* ssl) -{ - int devId = INVALID_DEVID; - if (ctx != NULL) - devId = ctx->devId; - else if (ssl != NULL) - devId = ssl->devId; - return devId; -} -void* wolfSSL_CTX_GetHeap(WOLFSSL_CTX* ctx, WOLFSSL* ssl) -{ - void* heap = NULL; - if (ctx != NULL) - heap = ctx->heap; - else if (ssl != NULL) - heap = ssl->heap; - return heap; -} - - -#ifdef HAVE_SNI - -WOLFSSL_ABI -int wolfSSL_UseSNI(WOLFSSL* ssl, byte type, const void* data, word16 size) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return TLSX_UseSNI(&ssl->extensions, type, data, size, ssl->heap); -} - - -WOLFSSL_ABI -int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type, const void* data, - word16 size) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - return TLSX_UseSNI(&ctx->extensions, type, data, size, ctx->heap); -} - -#ifndef NO_WOLFSSL_SERVER - -void wolfSSL_SNI_SetOptions(WOLFSSL* ssl, byte type, byte options) -{ - if (ssl && ssl->extensions) - TLSX_SNI_SetOptions(ssl->extensions, type, options); -} - - -void wolfSSL_CTX_SNI_SetOptions(WOLFSSL_CTX* ctx, byte type, byte options) -{ - if (ctx && ctx->extensions) - TLSX_SNI_SetOptions(ctx->extensions, type, options); -} - - -byte wolfSSL_SNI_Status(WOLFSSL* ssl, byte type) -{ - return TLSX_SNI_Status(ssl ? ssl->extensions : NULL, type); -} - - -word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data) -{ - if (data) - *data = NULL; - - if (ssl && ssl->extensions) - return TLSX_SNI_GetRequest(ssl->extensions, type, data); - - return 0; -} - - -int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, - byte type, byte* sni, word32* inOutSz) -{ - if (clientHello && helloSz > 0 && sni && inOutSz && *inOutSz > 0) - return TLSX_SNI_GetFromBuffer(clientHello, helloSz, type, sni, inOutSz); - - return BAD_FUNC_ARG; -} - -#endif /* NO_WOLFSSL_SERVER */ - -#endif /* HAVE_SNI */ - - -#ifdef HAVE_TRUSTED_CA - -WOLFSSL_API int wolfSSL_UseTrustedCA(WOLFSSL* ssl, byte type, - const byte* certId, word32 certIdSz) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - if (type == WOLFSSL_TRUSTED_CA_PRE_AGREED) { - if (certId != NULL || certIdSz != 0) - return BAD_FUNC_ARG; - } - else if (type == WOLFSSL_TRUSTED_CA_X509_NAME) { - if (certId == NULL || certIdSz == 0) - return BAD_FUNC_ARG; - } - #ifndef NO_SHA - else if (type == WOLFSSL_TRUSTED_CA_KEY_SHA1 || - type == WOLFSSL_TRUSTED_CA_CERT_SHA1) { - if (certId == NULL || certIdSz != WC_SHA_DIGEST_SIZE) - return BAD_FUNC_ARG; - } - #endif - else - return BAD_FUNC_ARG; - - return TLSX_UseTrustedCA(&ssl->extensions, - type, certId, certIdSz, ssl->heap); -} - -#endif /* HAVE_TRUSTED_CA */ - - -#ifdef HAVE_MAX_FRAGMENT -#ifndef NO_WOLFSSL_CLIENT - -int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - -#ifdef WOLFSSL_ALLOW_MAX_FRAGMENT_ADJUST - /* The following is a non-standard way to reconfigure the max packet size - post-handshake for wolfSSL_write/woflSSL_read */ - if (ssl->options.handShakeState == HANDSHAKE_DONE) { - switch (mfl) { - case WOLFSSL_MFL_2_8 : ssl->max_fragment = 256; break; - case WOLFSSL_MFL_2_9 : ssl->max_fragment = 512; break; - case WOLFSSL_MFL_2_10: ssl->max_fragment = 1024; break; - case WOLFSSL_MFL_2_11: ssl->max_fragment = 2048; break; - case WOLFSSL_MFL_2_12: ssl->max_fragment = 4096; break; - case WOLFSSL_MFL_2_13: ssl->max_fragment = 8192; break; - default: ssl->max_fragment = MAX_RECORD_SIZE; break; - } - return WOLFSSL_SUCCESS; - } -#endif /* WOLFSSL_MAX_FRAGMENT_ADJUST */ - - /* This call sets the max fragment TLS extension, which gets sent to server. - The server_hello response is what sets the `ssl->max_fragment` in - TLSX_MFL_Parse */ - return TLSX_UseMaxFragment(&ssl->extensions, mfl, ssl->heap); -} - - -int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - return TLSX_UseMaxFragment(&ctx->extensions, mfl, ctx->heap); -} - -#endif /* NO_WOLFSSL_CLIENT */ -#endif /* HAVE_MAX_FRAGMENT */ - -#ifdef HAVE_TRUNCATED_HMAC -#ifndef NO_WOLFSSL_CLIENT - -int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return TLSX_UseTruncatedHMAC(&ssl->extensions, ssl->heap); -} - - -int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - return TLSX_UseTruncatedHMAC(&ctx->extensions, ctx->heap); -} - -#endif /* NO_WOLFSSL_CLIENT */ -#endif /* HAVE_TRUNCATED_HMAC */ - -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST - -int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, byte status_type, byte options) -{ - if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) - return BAD_FUNC_ARG; - - return TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type, - options, NULL, ssl->heap, ssl->devId); -} - - -int wolfSSL_CTX_UseOCSPStapling(WOLFSSL_CTX* ctx, byte status_type, - byte options) -{ - if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) - return BAD_FUNC_ARG; - - return TLSX_UseCertificateStatusRequest(&ctx->extensions, status_type, - options, NULL, ctx->heap, ctx->devId); -} - -#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ - -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - -int wolfSSL_UseOCSPStaplingV2(WOLFSSL* ssl, byte status_type, byte options) -{ - if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) - return BAD_FUNC_ARG; - - return TLSX_UseCertificateStatusRequestV2(&ssl->extensions, status_type, - options, ssl->heap, ssl->devId); -} - - -int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx, byte status_type, - byte options) -{ - if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) - return BAD_FUNC_ARG; - - return TLSX_UseCertificateStatusRequestV2(&ctx->extensions, status_type, - options, ctx->heap, ctx->devId); -} - -#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ - -/* Elliptic Curves */ -#if defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT) - -int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - switch (name) { - case WOLFSSL_ECC_SECP160K1: - case WOLFSSL_ECC_SECP160R1: - case WOLFSSL_ECC_SECP160R2: - case WOLFSSL_ECC_SECP192K1: - case WOLFSSL_ECC_SECP192R1: - case WOLFSSL_ECC_SECP224K1: - case WOLFSSL_ECC_SECP224R1: - case WOLFSSL_ECC_SECP256K1: - case WOLFSSL_ECC_SECP256R1: - case WOLFSSL_ECC_SECP384R1: - case WOLFSSL_ECC_SECP521R1: - case WOLFSSL_ECC_BRAINPOOLP256R1: - case WOLFSSL_ECC_BRAINPOOLP384R1: - case WOLFSSL_ECC_BRAINPOOLP512R1: - case WOLFSSL_ECC_X25519: - case WOLFSSL_ECC_X448: - - case WOLFSSL_FFDHE_2048: - case WOLFSSL_FFDHE_3072: - case WOLFSSL_FFDHE_4096: - case WOLFSSL_FFDHE_6144: - case WOLFSSL_FFDHE_8192: - break; - - default: - return BAD_FUNC_ARG; - } - - ssl->options.userCurves = 1; - - return TLSX_UseSupportedCurve(&ssl->extensions, name, ssl->heap); -} - - -int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - switch (name) { - case WOLFSSL_ECC_SECP160K1: - case WOLFSSL_ECC_SECP160R1: - case WOLFSSL_ECC_SECP160R2: - case WOLFSSL_ECC_SECP192K1: - case WOLFSSL_ECC_SECP192R1: - case WOLFSSL_ECC_SECP224K1: - case WOLFSSL_ECC_SECP224R1: - case WOLFSSL_ECC_SECP256K1: - case WOLFSSL_ECC_SECP256R1: - case WOLFSSL_ECC_SECP384R1: - case WOLFSSL_ECC_SECP521R1: - case WOLFSSL_ECC_BRAINPOOLP256R1: - case WOLFSSL_ECC_BRAINPOOLP384R1: - case WOLFSSL_ECC_BRAINPOOLP512R1: - case WOLFSSL_ECC_X25519: - case WOLFSSL_ECC_X448: - case WOLFSSL_FFDHE_2048: - case WOLFSSL_FFDHE_3072: - case WOLFSSL_FFDHE_4096: - case WOLFSSL_FFDHE_6144: - case WOLFSSL_FFDHE_8192: - break; - - default: - return BAD_FUNC_ARG; - } - - ctx->userCurves = 1; - - return TLSX_UseSupportedCurve(&ctx->extensions, name, ctx->heap); -} - -#endif /* HAVE_SUPPORTED_CURVES && !NO_WOLFSSL_CLIENT */ - -/* QSH quantum safe handshake */ -#ifdef HAVE_QSH -/* returns 1 if QSH has been used 0 otherwise */ -int wolfSSL_isQSH(WOLFSSL* ssl) -{ - /* if no ssl struct than QSH was not used */ - if (ssl == NULL) - return 0; - - return ssl->isQSH; -} - - -int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, word16 name) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - switch (name) { - #ifdef HAVE_NTRU - case WOLFSSL_NTRU_EESS439: - case WOLFSSL_NTRU_EESS593: - case WOLFSSL_NTRU_EESS743: - break; - #endif - default: - return BAD_FUNC_ARG; - } - - ssl->user_set_QSHSchemes = 1; - - return TLSX_UseQSHScheme(&ssl->extensions, name, NULL, 0, ssl->heap); -} - -#ifndef NO_WOLFSSL_CLIENT - /* user control over sending client public key in hello - when flag = 1 will send keys if flag is 0 or function is not called - then will not send keys in the hello extension - return 0 on success - */ - int wolfSSL_UseClientQSHKeys(WOLFSSL* ssl, unsigned char flag) - { - if (ssl == NULL) - return BAD_FUNC_ARG; - - ssl->sendQSHKeys = flag; - - return 0; - } -#endif /* NO_WOLFSSL_CLIENT */ -#endif /* HAVE_QSH */ - -/* Application-Layer Protocol Negotiation */ -#ifdef HAVE_ALPN - -WOLFSSL_ABI -int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list, - word32 protocol_name_listSz, byte options) -{ - char *list, *ptr, *token[WOLFSSL_MAX_ALPN_NUMBER]={NULL}; - word16 len; - int idx = 0; - int ret = WOLFSSL_FAILURE; - - WOLFSSL_ENTER("wolfSSL_UseALPN"); - - if (ssl == NULL || protocol_name_list == NULL) - return BAD_FUNC_ARG; - - if (protocol_name_listSz > (WOLFSSL_MAX_ALPN_NUMBER * - WOLFSSL_MAX_ALPN_PROTO_NAME_LEN + - WOLFSSL_MAX_ALPN_NUMBER)) { - WOLFSSL_MSG("Invalid arguments, protocol name list too long"); - return BAD_FUNC_ARG; - } - - if (!(options & WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) && - !(options & WOLFSSL_ALPN_FAILED_ON_MISMATCH)) { - WOLFSSL_MSG("Invalid arguments, options not supported"); - return BAD_FUNC_ARG; - } - - - list = (char *)XMALLOC(protocol_name_listSz+1, ssl->heap, - DYNAMIC_TYPE_ALPN); - if (list == NULL) { - WOLFSSL_MSG("Memory failure"); - return MEMORY_ERROR; - } - - XSTRNCPY(list, protocol_name_list, protocol_name_listSz); - list[protocol_name_listSz] = '\0'; - - /* read all protocol name from the list */ - token[idx] = XSTRTOK(list, ",", &ptr); - while (idx < WOLFSSL_MAX_ALPN_NUMBER && token[idx] != NULL) - token[++idx] = XSTRTOK(NULL, ",", &ptr); - - /* add protocol name list in the TLS extension in reverse order */ - while ((idx--) > 0) { - len = (word16)XSTRLEN(token[idx]); - - ret = TLSX_UseALPN(&ssl->extensions, token[idx], len, options, - ssl->heap); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("TLSX_UseALPN failure"); - break; - } - } - - XFREE(list, ssl->heap, DYNAMIC_TYPE_ALPN); - - return ret; -} - -int wolfSSL_ALPN_GetProtocol(WOLFSSL* ssl, char **protocol_name, word16 *size) -{ - return TLSX_ALPN_GetRequest(ssl ? ssl->extensions : NULL, - (void **)protocol_name, size); -} - -int wolfSSL_ALPN_GetPeerProtocol(WOLFSSL* ssl, char **list, word16 *listSz) -{ - if (list == NULL || listSz == NULL) - return BAD_FUNC_ARG; - - if (ssl->alpn_client_list == NULL) - return BUFFER_ERROR; - - *listSz = (word16)XSTRLEN(ssl->alpn_client_list); - if (*listSz == 0) - return BUFFER_ERROR; - - *list = (char *)XMALLOC((*listSz)+1, ssl->heap, DYNAMIC_TYPE_TLSX); - if (*list == NULL) - return MEMORY_ERROR; - - XSTRNCPY(*list, ssl->alpn_client_list, (*listSz)+1); - (*list)[*listSz] = 0; - - return WOLFSSL_SUCCESS; -} - - -/* used to free memory allocated by wolfSSL_ALPN_GetPeerProtocol */ -int wolfSSL_ALPN_FreePeerProtocol(WOLFSSL* ssl, char **list) -{ - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - XFREE(*list, ssl->heap, DYNAMIC_TYPE_TLSX); - *list = NULL; - - return WOLFSSL_SUCCESS; -} - -#endif /* HAVE_ALPN */ - -/* Secure Renegotiation */ -#ifdef HAVE_SECURE_RENEGOTIATION - -/* user is forcing ability to use secure renegotiation, we discourage it */ -int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl) -{ - int ret = BAD_FUNC_ARG; - - if (ssl) - ret = TLSX_UseSecureRenegotiation(&ssl->extensions, ssl->heap); - - if (ret == WOLFSSL_SUCCESS) { - TLSX* extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO); - - if (extension) - ssl->secure_renegotiation = (SecureRenegotiation*)extension->data; - } - - return ret; -} - -int wolfSSL_CTX_UseSecureRenegotiation(WOLFSSL_CTX* ctx) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - ctx->useSecureReneg = 1; - return WOLFSSL_SUCCESS; -} - - -/* do a secure renegotiation handshake, user forced, we discourage */ -static int _Rehandshake(WOLFSSL* ssl) -{ - int ret; - - if (ssl == NULL) - return BAD_FUNC_ARG; - - if (ssl->secure_renegotiation == NULL) { - WOLFSSL_MSG("Secure Renegotiation not forced on by user"); - return SECURE_RENEGOTIATION_E; - } - - if (ssl->secure_renegotiation->enabled == 0) { - WOLFSSL_MSG("Secure Renegotiation not enabled at extension level"); - return SECURE_RENEGOTIATION_E; - } - - /* If the client started the renegotiation, the server will already - * have processed the client's hello. */ - if (ssl->options.side != WOLFSSL_SERVER_END || - ssl->options.acceptState != ACCEPT_FIRST_REPLY_DONE) { - - if (ssl->options.handShakeState != HANDSHAKE_DONE) { - WOLFSSL_MSG("Can't renegotiate until previous handshake complete"); - return SECURE_RENEGOTIATION_E; - } - -#ifndef NO_FORCE_SCR_SAME_SUITE - /* force same suite */ - if (ssl->suites) { - ssl->suites->suiteSz = SUITE_LEN; - ssl->suites->suites[0] = ssl->options.cipherSuite0; - ssl->suites->suites[1] = ssl->options.cipherSuite; - } -#endif - - /* reset handshake states */ - ssl->options.sendVerify = 0; - ssl->options.serverState = NULL_STATE; - ssl->options.clientState = NULL_STATE; - ssl->options.connectState = CONNECT_BEGIN; - ssl->options.acceptState = ACCEPT_BEGIN_RENEG; - ssl->options.handShakeState = NULL_STATE; - ssl->options.processReply = 0; /* TODO, move states in internal.h */ - - XMEMSET(&ssl->msgsReceived, 0, sizeof(ssl->msgsReceived)); - - ssl->secure_renegotiation->cache_status = SCR_CACHE_NEEDED; - -#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SERVER_RENEGOTIATION_INFO) - if (ssl->options.side == WOLFSSL_SERVER_END) { - ret = SendHelloRequest(ssl); - if (ret != 0) { - ssl->error = ret; - return WOLFSSL_FATAL_ERROR; - } - } -#endif /* NO_WOLFSSL_SERVER && HAVE_SERVER_RENEGOTIATION_INFO */ - - ret = InitHandshakeHashes(ssl); - if (ret != 0) { - ssl->error = ret; - return WOLFSSL_FATAL_ERROR; - } - } - ret = wolfSSL_negotiate(ssl); - ssl->secure_rene_count++; - return ret; -} - - -/* do a secure renegotiation handshake, user forced, we discourage */ -int wolfSSL_Rehandshake(WOLFSSL* ssl) -{ - int ret = WOLFSSL_SUCCESS; - WOLFSSL_ENTER("wolfSSL_Rehandshake"); - - if (ssl->options.side == WOLFSSL_SERVER_END) { - /* Reset option to send certificate verify. */ - ssl->options.sendVerify = 0; - } - else { - /* Reset resuming flag to do full secure handshake. */ - ssl->options.resuming = 0; - #ifdef HAVE_SESSION_TICKET - /* Clearing the ticket. */ - ret = wolfSSL_UseSessionTicket(ssl); - #endif - } - - if (ret == WOLFSSL_SUCCESS) - ret = _Rehandshake(ssl); - - return ret; -} - - -#ifndef NO_WOLFSSL_CLIENT - -/* do a secure resumption handshake, user forced, we discourage */ -int wolfSSL_SecureResume(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_SecureResume"); - - if (ssl == NULL) - return BAD_FUNC_ARG; - - if (ssl->options.side == WOLFSSL_SERVER_END) { - ssl->error = SIDE_ERROR; - return SSL_FATAL_ERROR; - } - - return _Rehandshake(ssl); -} - -#endif /* NO_WOLFSSL_CLIENT */ - -long wolfSSL_SSL_get_secure_renegotiation_support(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_SSL_get_secure_renegotiation_support"); - - if (!ssl || !ssl->secure_renegotiation) - return WOLFSSL_FAILURE; - return ssl->secure_renegotiation->enabled; -} - -#endif /* HAVE_SECURE_RENEGOTIATION */ - -/* Session Ticket */ -#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SESSION_TICKET) -/* WOLFSSL_SUCCESS on ok */ -int wolfSSL_CTX_set_TicketEncCb(WOLFSSL_CTX* ctx, SessionTicketEncCb cb) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - ctx->ticketEncCb = cb; - - return WOLFSSL_SUCCESS; -} - -/* set hint interval, WOLFSSL_SUCCESS on ok */ -int wolfSSL_CTX_set_TicketHint(WOLFSSL_CTX* ctx, int hint) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - ctx->ticketHint = hint; - - return WOLFSSL_SUCCESS; -} - -/* set user context, WOLFSSL_SUCCESS on ok */ -int wolfSSL_CTX_set_TicketEncCtx(WOLFSSL_CTX* ctx, void* userCtx) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - ctx->ticketEncCtx = userCtx; - - return WOLFSSL_SUCCESS; -} - -#endif /* !defined(NO_WOLFSSL_CLIENT) && defined(HAVE_SESSION_TICKET) */ - -/* Session Ticket */ -#if !defined(NO_WOLFSSL_CLIENT) && defined(HAVE_SESSION_TICKET) -int wolfSSL_UseSessionTicket(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap); -} - -int wolfSSL_CTX_UseSessionTicket(WOLFSSL_CTX* ctx) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - return TLSX_UseSessionTicket(&ctx->extensions, NULL, ctx->heap); -} - -WOLFSSL_API int wolfSSL_get_SessionTicket(WOLFSSL* ssl, - byte* buf, word32* bufSz) -{ - if (ssl == NULL || buf == NULL || bufSz == NULL || *bufSz == 0) - return BAD_FUNC_ARG; - - if (ssl->session.ticketLen <= *bufSz) { - XMEMCPY(buf, ssl->session.ticket, ssl->session.ticketLen); - *bufSz = ssl->session.ticketLen; - } - else - *bufSz = 0; - - return WOLFSSL_SUCCESS; -} - -WOLFSSL_API int wolfSSL_set_SessionTicket(WOLFSSL* ssl, const byte* buf, - word32 bufSz) -{ - if (ssl == NULL || (buf == NULL && bufSz > 0)) - return BAD_FUNC_ARG; - - if (bufSz > 0) { - /* Ticket will fit into static ticket */ - if(bufSz <= SESSION_TICKET_LEN) { - if (ssl->session.isDynamic) { - XFREE(ssl->session.ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - ssl->session.isDynamic = 0; - ssl->session.ticket = ssl->session.staticTicket; - } - } else { /* Ticket requires dynamic ticket storage */ - if (ssl->session.ticketLen < bufSz) { /* is dyn buffer big enough */ - if(ssl->session.isDynamic) - XFREE(ssl->session.ticket, ssl->heap, - DYNAMIC_TYPE_SESSION_TICK); - ssl->session.ticket = (byte*)XMALLOC(bufSz, ssl->heap, - DYNAMIC_TYPE_SESSION_TICK); - if(!ssl->session.ticket) { - ssl->session.ticket = ssl->session.staticTicket; - ssl->session.isDynamic = 0; - return MEMORY_ERROR; - } - ssl->session.isDynamic = 1; - } - } - XMEMCPY(ssl->session.ticket, buf, bufSz); - } - ssl->session.ticketLen = (word16)bufSz; - - return WOLFSSL_SUCCESS; -} - - -WOLFSSL_API int wolfSSL_set_SessionTicket_cb(WOLFSSL* ssl, - CallbackSessionTicket cb, void* ctx) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - ssl->session_ticket_cb = cb; - ssl->session_ticket_ctx = ctx; - - return WOLFSSL_SUCCESS; -} -#endif - - -#ifdef HAVE_EXTENDED_MASTER -#ifndef NO_WOLFSSL_CLIENT - -int wolfSSL_CTX_DisableExtendedMasterSecret(WOLFSSL_CTX* ctx) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - ctx->haveEMS = 0; - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_DisableExtendedMasterSecret(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - ssl->options.haveEMS = 0; - - return WOLFSSL_SUCCESS; -} - -#endif -#endif - - -#ifndef WOLFSSL_LEANPSK - -int wolfSSL_send(WOLFSSL* ssl, const void* data, int sz, int flags) -{ - int ret; - int oldFlags; - - WOLFSSL_ENTER("wolfSSL_send()"); - - if (ssl == NULL || data == NULL || sz < 0) - return BAD_FUNC_ARG; - - oldFlags = ssl->wflags; - - ssl->wflags = flags; - ret = wolfSSL_write(ssl, data, sz); - ssl->wflags = oldFlags; - - WOLFSSL_LEAVE("wolfSSL_send()", ret); - - return ret; -} - - -int wolfSSL_recv(WOLFSSL* ssl, void* data, int sz, int flags) -{ - int ret; - int oldFlags; - - WOLFSSL_ENTER("wolfSSL_recv()"); - - if (ssl == NULL || data == NULL || sz < 0) - return BAD_FUNC_ARG; - - oldFlags = ssl->rflags; - - ssl->rflags = flags; - ret = wolfSSL_read(ssl, data, sz); - ssl->rflags = oldFlags; - - WOLFSSL_LEAVE("wolfSSL_recv()", ret); - - return ret; -} -#endif - - -/* WOLFSSL_SUCCESS on ok */ -WOLFSSL_ABI -int wolfSSL_shutdown(WOLFSSL* ssl) -{ - int ret = WOLFSSL_FATAL_ERROR; - WOLFSSL_ENTER("SSL_shutdown()"); - - if (ssl == NULL) - return WOLFSSL_FATAL_ERROR; - - if (ssl->options.quietShutdown) { - WOLFSSL_MSG("quiet shutdown, no close notify sent"); - ret = WOLFSSL_SUCCESS; - } - else { - /* try to send close notify, not an error if can't */ - if (!ssl->options.isClosed && !ssl->options.connReset && - !ssl->options.sentNotify) { - ssl->error = SendAlert(ssl, alert_warning, close_notify); - if (ssl->error < 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - ssl->options.sentNotify = 1; /* don't send close_notify twice */ - if (ssl->options.closeNotify) - ret = WOLFSSL_SUCCESS; - else { - ret = WOLFSSL_SHUTDOWN_NOT_DONE; - WOLFSSL_LEAVE("SSL_shutdown()", ret); - return ret; - } - } - -#ifdef WOLFSSL_SHUTDOWNONCE - if (ssl->options.isClosed || ssl->options.connReset) { - /* Shutdown has already occurred. - * Caller is free to ignore this error. */ - return SSL_SHUTDOWN_ALREADY_DONE_E; - } -#endif - - /* call wolfSSL_shutdown again for bidirectional shutdown */ - if (ssl->options.sentNotify && !ssl->options.closeNotify) { - ret = ProcessReply(ssl); - if (ret == ZERO_RETURN) { - /* simulate OpenSSL behavior */ - ssl->error = WOLFSSL_ERROR_SYSCALL; - ret = WOLFSSL_SUCCESS; - } else if (ssl->error == WOLFSSL_ERROR_NONE) { - ret = WOLFSSL_SHUTDOWN_NOT_DONE; - } else { - WOLFSSL_ERROR(ssl->error); - ret = WOLFSSL_FATAL_ERROR; - } - } - } - -#ifdef OPENSSL_EXTRA - /* reset WOLFSSL structure state for possible re-use */ - if (ret == WOLFSSL_SUCCESS) { - if (wolfSSL_clear(ssl) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("could not clear WOLFSSL"); - ret = WOLFSSL_FATAL_ERROR; - } - } -#endif - - WOLFSSL_LEAVE("SSL_shutdown()", ret); - - return ret; -} - - -/* get current error state value */ -int wolfSSL_state(WOLFSSL* ssl) -{ - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - return ssl->error; -} - - -WOLFSSL_ABI -int wolfSSL_get_error(WOLFSSL* ssl, int ret) -{ - WOLFSSL_ENTER("SSL_get_error"); - - if (ret > 0) - return WOLFSSL_ERROR_NONE; - if (ssl == NULL) - return BAD_FUNC_ARG; - - WOLFSSL_LEAVE("SSL_get_error", ssl->error); - - /* make sure converted types are handled in SetErrorString() too */ - if (ssl->error == WANT_READ) - return WOLFSSL_ERROR_WANT_READ; /* convert to OpenSSL type */ - else if (ssl->error == WANT_WRITE) - return WOLFSSL_ERROR_WANT_WRITE; /* convert to OpenSSL type */ - else if (ssl->error == ZERO_RETURN) - return WOLFSSL_ERROR_ZERO_RETURN; /* convert to OpenSSL type */ - return ssl->error; -} - - -/* retrieve alert history, WOLFSSL_SUCCESS on ok */ -int wolfSSL_get_alert_history(WOLFSSL* ssl, WOLFSSL_ALERT_HISTORY *h) -{ - if (ssl && h) { - *h = ssl->alert_history; - } - return WOLFSSL_SUCCESS; -} - -#ifdef OPENSSL_EXTRA -/* returns SSL_WRITING, SSL_READING or SSL_NOTHING */ -int wolfSSL_want(WOLFSSL* ssl) -{ - int rw_state = SSL_NOTHING; - if (ssl) { - if (ssl->error == WANT_READ) - rw_state = SSL_READING; - else if (ssl->error == WANT_WRITE) - rw_state = SSL_WRITING; - } - return rw_state; -} -#endif - -/* return TRUE if current error is want read */ -int wolfSSL_want_read(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("SSL_want_read"); - if (ssl->error == WANT_READ) - return 1; - - return 0; -} - - -/* return TRUE if current error is want write */ -int wolfSSL_want_write(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("SSL_want_write"); - if (ssl->error == WANT_WRITE) - return 1; - - return 0; -} - - -char* wolfSSL_ERR_error_string(unsigned long errNumber, char* data) -{ - static wcchar msg = "Please supply a buffer for error string"; - - WOLFSSL_ENTER("ERR_error_string"); - if (data) { - SetErrorString((int)errNumber, data); - return data; - } - - return (char*)msg; -} - - -void wolfSSL_ERR_error_string_n(unsigned long e, char* buf, unsigned long len) -{ - WOLFSSL_ENTER("wolfSSL_ERR_error_string_n"); - if (len >= WOLFSSL_MAX_ERROR_SZ) - wolfSSL_ERR_error_string(e, buf); - else { - char tmp[WOLFSSL_MAX_ERROR_SZ]; - - WOLFSSL_MSG("Error buffer too short, truncating"); - if (len) { - wolfSSL_ERR_error_string(e, tmp); - XMEMCPY(buf, tmp, len-1); - buf[len-1] = '\0'; - } - } -} - - -/* don't free temporary arrays at end of handshake */ -void wolfSSL_KeepArrays(WOLFSSL* ssl) -{ - if (ssl) - ssl->options.saveArrays = 1; -} - - -/* user doesn't need temporary arrays anymore, Free */ -void wolfSSL_FreeArrays(WOLFSSL* ssl) -{ - if (ssl && ssl->options.handShakeState == HANDSHAKE_DONE) { - ssl->options.saveArrays = 0; - FreeArrays(ssl, 1); - } -} - -/* Set option to indicate that the resources are not to be freed after - * handshake. - * - * ssl The SSL/TLS object. - * returns BAD_FUNC_ARG when ssl is NULL and 0 on success. - */ -int wolfSSL_KeepHandshakeResources(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - ssl->options.keepResources = 1; - - return 0; -} - -/* Free the handshake resources after handshake. - * - * ssl The SSL/TLS object. - * returns BAD_FUNC_ARG when ssl is NULL and 0 on success. - */ -int wolfSSL_FreeHandshakeResources(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - FreeHandshakeResources(ssl); - - return 0; -} - -/* Use the client's order of preference when matching cipher suites. - * - * ssl The SSL/TLS context object. - * returns BAD_FUNC_ARG when ssl is NULL and 0 on success. - */ -int wolfSSL_CTX_UseClientSuites(WOLFSSL_CTX* ctx) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - ctx->useClientOrder = 1; - - return 0; -} - -/* Use the client's order of preference when matching cipher suites. - * - * ssl The SSL/TLS object. - * returns BAD_FUNC_ARG when ssl is NULL and 0 on success. - */ -int wolfSSL_UseClientSuites(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - ssl->options.useClientOrder = 1; - - return 0; -} - -const byte* wolfSSL_GetMacSecret(WOLFSSL* ssl, int verify) -{ -#ifndef WOLFSSL_AEAD_ONLY - if (ssl == NULL) - return NULL; - - if ( (ssl->options.side == WOLFSSL_CLIENT_END && !verify) || - (ssl->options.side == WOLFSSL_SERVER_END && verify) ) - return ssl->keys.client_write_MAC_secret; - else - return ssl->keys.server_write_MAC_secret; -#else - (void)ssl; - (void)verify; - - return NULL; -#endif -} - - -#ifdef ATOMIC_USER - -void wolfSSL_CTX_SetMacEncryptCb(WOLFSSL_CTX* ctx, CallbackMacEncrypt cb) -{ - if (ctx) - ctx->MacEncryptCb = cb; -} - - -void wolfSSL_SetMacEncryptCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->MacEncryptCtx = ctx; -} - - -void* wolfSSL_GetMacEncryptCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->MacEncryptCtx; - - return NULL; -} - - -void wolfSSL_CTX_SetDecryptVerifyCb(WOLFSSL_CTX* ctx, CallbackDecryptVerify cb) -{ - if (ctx) - ctx->DecryptVerifyCb = cb; -} - - -void wolfSSL_SetDecryptVerifyCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->DecryptVerifyCtx = ctx; -} - - -void* wolfSSL_GetDecryptVerifyCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->DecryptVerifyCtx; - - return NULL; -} - -#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) -/** - * Set the callback, against the context, that encrypts then MACs. - * - * ctx SSL/TLS context. - * cb Callback function to use with Encrypt-Then-MAC. - */ -void wolfSSL_CTX_SetEncryptMacCb(WOLFSSL_CTX* ctx, CallbackEncryptMac cb) -{ - if (ctx) - ctx->EncryptMacCb = cb; -} - -/** - * Set the context to use with callback that encrypts then MACs. - * - * ssl SSL/TLS object. - * ctx Callback function's context. - */ -void wolfSSL_SetEncryptMacCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->EncryptMacCtx = ctx; -} - -/** - * Get the context being used with callback that encrypts then MACs. - * - * ssl SSL/TLS object. - * returns callback function's context or NULL if SSL/TLS object is NULL. - */ -void* wolfSSL_GetEncryptMacCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->EncryptMacCtx; - - return NULL; -} - - -/** - * Set the callback, against the context, that MAC verifies then decrypts. - * - * ctx SSL/TLS context. - * cb Callback function to use with Encrypt-Then-MAC. - */ -void wolfSSL_CTX_SetVerifyDecryptCb(WOLFSSL_CTX* ctx, CallbackVerifyDecrypt cb) -{ - if (ctx) - ctx->VerifyDecryptCb = cb; -} - -/** - * Set the context to use with callback that MAC verifies then decrypts. - * - * ssl SSL/TLS object. - * ctx Callback function's context. - */ -void wolfSSL_SetVerifyDecryptCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->VerifyDecryptCtx = ctx; -} - -/** - * Get the context being used with callback that MAC verifies then decrypts. - * - * ssl SSL/TLS object. - * returns callback function's context or NULL if SSL/TLS object is NULL. - */ -void* wolfSSL_GetVerifyDecryptCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->VerifyDecryptCtx; - - return NULL; -} -#endif /* HAVE_ENCRYPT_THEN_MAC !WOLFSSL_AEAD_ONLY */ - - - -const byte* wolfSSL_GetClientWriteKey(WOLFSSL* ssl) -{ - if (ssl) - return ssl->keys.client_write_key; - - return NULL; -} - - -const byte* wolfSSL_GetClientWriteIV(WOLFSSL* ssl) -{ - if (ssl) - return ssl->keys.client_write_IV; - - return NULL; -} - - -const byte* wolfSSL_GetServerWriteKey(WOLFSSL* ssl) -{ - if (ssl) - return ssl->keys.server_write_key; - - return NULL; -} - - -const byte* wolfSSL_GetServerWriteIV(WOLFSSL* ssl) -{ - if (ssl) - return ssl->keys.server_write_IV; - - return NULL; -} - -int wolfSSL_GetKeySize(WOLFSSL* ssl) -{ - if (ssl) - return ssl->specs.key_size; - - return BAD_FUNC_ARG; -} - - -int wolfSSL_GetIVSize(WOLFSSL* ssl) -{ - if (ssl) - return ssl->specs.iv_size; - - return BAD_FUNC_ARG; -} - - -int wolfSSL_GetBulkCipher(WOLFSSL* ssl) -{ - if (ssl) - return ssl->specs.bulk_cipher_algorithm; - - return BAD_FUNC_ARG; -} - - -int wolfSSL_GetCipherType(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - -#ifndef WOLFSSL_AEAD_ONLY - if (ssl->specs.cipher_type == block) - return WOLFSSL_BLOCK_TYPE; - if (ssl->specs.cipher_type == stream) - return WOLFSSL_STREAM_TYPE; -#endif - if (ssl->specs.cipher_type == aead) - return WOLFSSL_AEAD_TYPE; - - return -1; -} - - -int wolfSSL_GetCipherBlockSize(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return ssl->specs.block_size; -} - - -int wolfSSL_GetAeadMacSize(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return ssl->specs.aead_mac_size; -} - - -int wolfSSL_IsTLSv1_1(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - if (ssl->options.tls1_1) - return 1; - - return 0; -} - - -int wolfSSL_GetSide(WOLFSSL* ssl) -{ - if (ssl) - return ssl->options.side; - - return BAD_FUNC_ARG; -} - - -int wolfSSL_GetHmacSize(WOLFSSL* ssl) -{ - /* AEAD ciphers don't have HMAC keys */ - if (ssl) - return (ssl->specs.cipher_type != aead) ? ssl->specs.hash_size : 0; - - return BAD_FUNC_ARG; -} - -#endif /* ATOMIC_USER */ - -#ifndef NO_CERTS - -WOLFSSL_CERT_MANAGER* wolfSSL_CTX_GetCertManager(WOLFSSL_CTX* ctx) -{ - WOLFSSL_CERT_MANAGER* cm = NULL; - if (ctx) - cm = ctx->cm; - return cm; -} - -WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew_ex(void* heap) -{ - WOLFSSL_CERT_MANAGER* cm; - - WOLFSSL_ENTER("wolfSSL_CertManagerNew"); - - cm = (WOLFSSL_CERT_MANAGER*) XMALLOC(sizeof(WOLFSSL_CERT_MANAGER), heap, - DYNAMIC_TYPE_CERT_MANAGER); - if (cm) { - XMEMSET(cm, 0, sizeof(WOLFSSL_CERT_MANAGER)); - - if (wc_InitMutex(&cm->caLock) != 0) { - WOLFSSL_MSG("Bad mutex init"); - wolfSSL_CertManagerFree(cm); - return NULL; - } - - #ifdef WOLFSSL_TRUST_PEER_CERT - if (wc_InitMutex(&cm->tpLock) != 0) { - WOLFSSL_MSG("Bad mutex init"); - wolfSSL_CertManagerFree(cm); - return NULL; - } - #endif - - /* set default minimum key size allowed */ - #ifndef NO_RSA - cm->minRsaKeySz = MIN_RSAKEY_SZ; - #endif - #ifdef HAVE_ECC - cm->minEccKeySz = MIN_ECCKEY_SZ; - #endif - cm->heap = heap; - } - - return cm; -} - - -WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew(void) -{ - return wolfSSL_CertManagerNew_ex(NULL); -} - - -void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerFree"); - - if (cm) { - #ifdef HAVE_CRL - if (cm->crl) - FreeCRL(cm->crl, 1); - #endif - #ifdef HAVE_OCSP - if (cm->ocsp) - FreeOCSP(cm->ocsp, 1); - XFREE(cm->ocspOverrideURL, cm->heap, DYNAMIC_TYPE_URL); - #if !defined(NO_WOLFSSL_SERVER) && \ - (defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \ - defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) - if (cm->ocsp_stapling) - FreeOCSP(cm->ocsp_stapling, 1); - #endif - #endif - FreeSignerTable(cm->caTable, CA_TABLE_SIZE, cm->heap); - wc_FreeMutex(&cm->caLock); - - #ifdef WOLFSSL_TRUST_PEER_CERT - FreeTrustedPeerTable(cm->tpTable, TP_TABLE_SIZE, cm->heap); - wc_FreeMutex(&cm->tpLock); - #endif - - XFREE(cm, cm->heap, DYNAMIC_TYPE_CERT_MANAGER); - } - -} - -#if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) -#if defined(WOLFSSL_SIGNER_DER_CERT) -/****************************************************************************** -* wolfSSL_CertManagerGetCerts - retrieve stack of X509 certificates in a -* certificate manager (CM). -* -* RETURNS: -* returns stack of X509 certs on success, otherwise returns a NULL. -*/ -WOLFSSL_STACK* wolfSSL_CertManagerGetCerts(WOLFSSL_CERT_MANAGER* cm) -{ - WOLFSSL_STACK* sk = NULL; - Signer* signers = NULL; - word32 row = 0; - DecodedCert* dCert = NULL; - WOLFSSL_X509* x509 = NULL; - int found = 0; - - if (cm == NULL) - return NULL; - - sk = wolfSSL_sk_X509_new(); - - if (sk == NULL) { - return NULL; - } - - if (wc_LockMutex(&cm->caLock) != 0) { - goto error_init; - } - - for (row = 0; row < CA_TABLE_SIZE; row++) { - signers = cm->caTable[row]; - while (signers && signers->derCert && signers->derCert->buffer) { - - dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap, - DYNAMIC_TYPE_DCERT); - if (dCert == NULL) { - goto error; - } - - XMEMSET(dCert, 0, sizeof(DecodedCert)); - - InitDecodedCert(dCert, signers->derCert->buffer, - signers->derCert->length, cm->heap); - - /* Parse Certificate */ - if (ParseCert(dCert, CERT_TYPE, NO_VERIFY, cm)) { - goto error; - } - - x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), cm->heap, - DYNAMIC_TYPE_X509); - - if (x509 == NULL) { - goto error; - } - - InitX509(x509, 1, NULL); - - if (CopyDecodedToX509(x509, dCert) == 0) { - - if (wolfSSL_sk_X509_push(sk, x509) != SSL_SUCCESS) { - WOLFSSL_MSG("Unable to load x509 into stack"); - FreeX509(x509); - XFREE(x509, cm->heap, DYNAMIC_TYPE_X509); - goto error; - } - } - else { - goto error; - } - - found = 1; - - signers = signers->next; - - FreeDecodedCert(dCert); - XFREE(dCert, cm->heap, DYNAMIC_TYPE_DCERT); - dCert = NULL; - } - } - wc_UnLockMutex(&cm->caLock); - - if (!found) { - goto error_init; - } - - return sk; - -error: - wc_UnLockMutex(&cm->caLock); - -error_init: - - if (dCert) { - FreeDecodedCert(dCert); - XFREE(dCert, cm->heap, DYNAMIC_TYPE_DCERT); - } - - if (sk) - wolfSSL_sk_X509_free(sk); - - return NULL; -} -#endif /* WOLFSSL_SIGNER_DER_CERT */ - -/****************************************************************************** -* wolfSSL_X509_STORE_GetCerts - retrieve stack of X509 in a certificate store ctx -* -* This API can be used in SSL verify callback function to view cert chain -* See examples/client/client.c and myVerify() function in test.h -* -* RETURNS: -* returns stack of X509 certs on success, otherwise returns a NULL. -*/ -WOLFSSL_STACK* wolfSSL_X509_STORE_GetCerts(WOLFSSL_X509_STORE_CTX* s) -{ - int certIdx = 0; - WOLFSSL_BUFFER_INFO* cert = NULL; - DecodedCert* dCert = NULL; - WOLFSSL_X509* x509 = NULL; - WOLFSSL_STACK* sk = NULL; - int found = 0; - - if (s == NULL) { - return NULL; - } - - sk = wolfSSL_sk_X509_new(); - - if (sk == NULL) { - return NULL; - } - - for (certIdx = s->totalCerts - 1; certIdx >= 0; certIdx--) { - /* get certificate buffer */ - cert = &s->certs[certIdx]; - - dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); - - if (dCert == NULL) { - goto error; - } - XMEMSET(dCert, 0, sizeof(DecodedCert)); - - InitDecodedCert(dCert, cert->buffer, cert->length, NULL); - - /* Parse Certificate */ - if (ParseCert(dCert, CERT_TYPE, NO_VERIFY, NULL)){ - goto error; - } - x509 = wolfSSL_X509_new(); - - if (x509 == NULL) { - goto error; - } - InitX509(x509, 1, NULL); - - if (CopyDecodedToX509(x509, dCert) == 0) { - - if (wolfSSL_sk_X509_push(sk, x509) != SSL_SUCCESS) { - WOLFSSL_MSG("Unable to load x509 into stack"); - wolfSSL_X509_free(x509); - goto error; - } - } - else { - goto error; - } - found = 1; - - FreeDecodedCert(dCert); - XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT); - dCert = NULL; - } - - if (!found) { - wolfSSL_sk_X509_free(sk); - sk = NULL; - } - return sk; - -error: - if (dCert) { - FreeDecodedCert(dCert); - XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT); - } - - if (sk) - wolfSSL_sk_X509_free(sk); - - return NULL; -} -#endif /* OPENSSL_EXTRA && !NO_FILESYSTEM */ - -/* Unload the CA signer list */ -int wolfSSL_CertManagerUnloadCAs(WOLFSSL_CERT_MANAGER* cm) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerUnloadCAs"); - - if (cm == NULL) - return BAD_FUNC_ARG; - - if (wc_LockMutex(&cm->caLock) != 0) - return BAD_MUTEX_E; - - FreeSignerTable(cm->caTable, CA_TABLE_SIZE, cm->heap); - - wc_UnLockMutex(&cm->caLock); - - - return WOLFSSL_SUCCESS; -} - - -#ifdef WOLFSSL_TRUST_PEER_CERT -int wolfSSL_CertManagerUnload_trust_peers(WOLFSSL_CERT_MANAGER* cm) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerUnload_trust_peers"); - - if (cm == NULL) - return BAD_FUNC_ARG; - - if (wc_LockMutex(&cm->tpLock) != 0) - return BAD_MUTEX_E; - - FreeTrustedPeerTable(cm->tpTable, TP_TABLE_SIZE, cm->heap); - - wc_UnLockMutex(&cm->tpLock); - - - return WOLFSSL_SUCCESS; -} -#endif /* WOLFSSL_TRUST_PEER_CERT */ - -#endif /* NO_CERTS */ - -#if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) - -void wolfSSL_ERR_print_errors_fp(XFILE fp, int err) -{ - char data[WOLFSSL_MAX_ERROR_SZ + 1]; - - WOLFSSL_ENTER("wolfSSL_ERR_print_errors_fp"); - SetErrorString(err, data); - fprintf(fp, "%s", data); -} - -#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) -void wolfSSL_ERR_dump_errors_fp(XFILE fp) -{ - wc_ERR_print_errors_fp(fp); -} - -void wolfSSL_ERR_print_errors_cb (int (*cb)(const char *str, size_t len, - void *u), void *u) -{ - wc_ERR_print_errors_cb(cb, u); -} -#endif -#endif - -WOLFSSL_ABI -int wolfSSL_pending(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("SSL_pending"); - return ssl->buffers.clearOutputBuffer.length; -} - - -#ifndef WOLFSSL_LEANPSK -/* turn on handshake group messages for context */ -int wolfSSL_CTX_set_group_messages(WOLFSSL_CTX* ctx) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - ctx->groupMessages = 1; - - return WOLFSSL_SUCCESS; -} -#endif - - -#ifndef NO_WOLFSSL_CLIENT -/* connect enough to get peer cert chain */ -int wolfSSL_connect_cert(WOLFSSL* ssl) -{ - int ret; - - if (ssl == NULL) - return WOLFSSL_FAILURE; - - ssl->options.certOnly = 1; - ret = wolfSSL_connect(ssl); - ssl->options.certOnly = 0; - - return ret; -} -#endif - - -#ifndef WOLFSSL_LEANPSK -/* turn on handshake group messages for ssl object */ -int wolfSSL_set_group_messages(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - ssl->options.groupMessages = 1; - - return WOLFSSL_SUCCESS; -} - - -/* make minVersion the internal equivalent SSL version */ -static int SetMinVersionHelper(byte* minVersion, int version) -{ -#ifdef NO_TLS - (void)minVersion; -#endif - - switch (version) { -#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) - case WOLFSSL_SSLV3: - *minVersion = SSLv3_MINOR; - break; -#endif - -#ifndef NO_TLS - #ifndef NO_OLD_TLS - #ifdef WOLFSSL_ALLOW_TLSV10 - case WOLFSSL_TLSV1: - *minVersion = TLSv1_MINOR; - break; - #endif - - case WOLFSSL_TLSV1_1: - *minVersion = TLSv1_1_MINOR; - break; - #endif - #ifndef WOLFSSL_NO_TLS12 - case WOLFSSL_TLSV1_2: - *minVersion = TLSv1_2_MINOR; - break; - #endif -#endif - #ifdef WOLFSSL_TLS13 - case WOLFSSL_TLSV1_3: - *minVersion = TLSv1_3_MINOR; - break; - #endif - - default: - WOLFSSL_MSG("Bad function argument"); - return BAD_FUNC_ARG; - } - - return WOLFSSL_SUCCESS; -} - - -/* Set minimum downgrade version allowed, WOLFSSL_SUCCESS on ok */ -WOLFSSL_ABI -int wolfSSL_CTX_SetMinVersion(WOLFSSL_CTX* ctx, int version) -{ - WOLFSSL_ENTER("wolfSSL_CTX_SetMinVersion"); - - if (ctx == NULL) { - WOLFSSL_MSG("Bad function argument"); - return BAD_FUNC_ARG; - } - - return SetMinVersionHelper(&ctx->minDowngrade, version); -} - - -/* Set minimum downgrade version allowed, WOLFSSL_SUCCESS on ok */ -int wolfSSL_SetMinVersion(WOLFSSL* ssl, int version) -{ - WOLFSSL_ENTER("wolfSSL_SetMinVersion"); - - if (ssl == NULL) { - WOLFSSL_MSG("Bad function argument"); - return BAD_FUNC_ARG; - } - - return SetMinVersionHelper(&ssl->options.minDowngrade, version); -} - - -/* Function to get version as WOLFSSL_ enum value for wolfSSL_SetVersion */ -int wolfSSL_GetVersion(WOLFSSL* ssl) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - if (ssl->version.major == SSLv3_MAJOR) { - switch (ssl->version.minor) { - case SSLv3_MINOR : - return WOLFSSL_SSLV3; - case TLSv1_MINOR : - return WOLFSSL_TLSV1; - case TLSv1_1_MINOR : - return WOLFSSL_TLSV1_1; - case TLSv1_2_MINOR : - return WOLFSSL_TLSV1_2; - case TLSv1_3_MINOR : - return WOLFSSL_TLSV1_3; - default: - break; - } - } - - return VERSION_ERROR; -} - -int wolfSSL_SetVersion(WOLFSSL* ssl, int version) -{ - word16 haveRSA = 1; - word16 havePSK = 0; - int keySz = 0; - - WOLFSSL_ENTER("wolfSSL_SetVersion"); - - if (ssl == NULL) { - WOLFSSL_MSG("Bad function argument"); - return BAD_FUNC_ARG; - } - - switch (version) { -#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) - case WOLFSSL_SSLV3: - ssl->version = MakeSSLv3(); - break; -#endif - -#ifndef NO_TLS - #ifndef NO_OLD_TLS - #ifdef WOLFSSL_ALLOW_TLSV10 - case WOLFSSL_TLSV1: - ssl->version = MakeTLSv1(); - break; - #endif - - case WOLFSSL_TLSV1_1: - ssl->version = MakeTLSv1_1(); - break; - #endif - #ifndef WOLFSSL_NO_TLS12 - case WOLFSSL_TLSV1_2: - ssl->version = MakeTLSv1_2(); - break; - #endif -#endif -#ifdef WOLFSSL_TLS13 - case WOLFSSL_TLSV1_3: - ssl->version = MakeTLSv1_3(); - break; - -#endif - - default: - WOLFSSL_MSG("Bad function argument"); - return BAD_FUNC_ARG; - } - - #ifdef NO_RSA - haveRSA = 0; - #endif - #ifndef NO_PSK - havePSK = ssl->options.havePSK; - #endif - #ifndef NO_CERTS - keySz = ssl->buffers.keySz; - #endif - - InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - - return WOLFSSL_SUCCESS; -} -#endif /* !leanpsk */ - - -#if !defined(NO_CERTS) || !defined(NO_SESSION_CACHE) - -/* Make a work from the front of random hash */ -static WC_INLINE word32 MakeWordFromHash(const byte* hashID) -{ - return ((word32)hashID[0] << 24) | ((word32)hashID[1] << 16) | - (hashID[2] << 8) | hashID[3]; -} - -#endif /* !NO_CERTS || !NO_SESSION_CACHE */ - - -#ifndef NO_CERTS - -/* hash is the SHA digest of name, just use first 32 bits as hash */ -static WC_INLINE word32 HashSigner(const byte* hash) -{ - return MakeWordFromHash(hash) % CA_TABLE_SIZE; -} - - -/* does CA already exist on signer list */ -int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash) -{ - Signer* signers; - int ret = 0; - word32 row; - - if (cm == NULL || hash == NULL) { - return ret; - } - - row = HashSigner(hash); - - if (wc_LockMutex(&cm->caLock) != 0) { - return ret; - } - signers = cm->caTable[row]; - while (signers) { - byte* subjectHash; - - #ifndef NO_SKID - subjectHash = signers->subjectKeyIdHash; - #else - subjectHash = signers->subjectNameHash; - #endif - - if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) { - ret = 1; /* success */ - break; - } - signers = signers->next; - } - wc_UnLockMutex(&cm->caLock); - - return ret; -} - - -#ifdef WOLFSSL_TRUST_PEER_CERT -/* hash is the SHA digest of name, just use first 32 bits as hash */ -static WC_INLINE word32 TrustedPeerHashSigner(const byte* hash) -{ - return MakeWordFromHash(hash) % TP_TABLE_SIZE; -} - -/* does trusted peer already exist on signer list */ -int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash) -{ - TrustedPeerCert* tp; - int ret = 0; - word32 row = TrustedPeerHashSigner(hash); - - if (wc_LockMutex(&cm->tpLock) != 0) - return ret; - tp = cm->tpTable[row]; - while (tp) { - byte* subjectHash; - #ifndef NO_SKID - subjectHash = tp->subjectKeyIdHash; - #else - subjectHash = tp->subjectNameHash; - #endif - if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) { - ret = 1; - break; - } - tp = tp->next; - } - wc_UnLockMutex(&cm->tpLock); - - return ret; -} - - -/* return Trusted Peer if found, otherwise NULL - type is what to match on - */ -TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash, int type) -{ - WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp; - TrustedPeerCert* ret = NULL; - TrustedPeerCert* tp = NULL; - word32 row; - - if (cm == NULL || hash == NULL) - return NULL; - - row = TrustedPeerHashSigner(hash); - - if (wc_LockMutex(&cm->tpLock) != 0) - return ret; - - tp = cm->tpTable[row]; - while (tp) { - byte* subjectHash; - switch (type) { - #ifndef NO_SKID - case WC_MATCH_SKID: - subjectHash = tp->subjectKeyIdHash; - break; - #endif - case WC_MATCH_NAME: - subjectHash = tp->subjectNameHash; - break; - default: - WOLFSSL_MSG("Unknown search type"); - wc_UnLockMutex(&cm->tpLock); - return NULL; - } - if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) { - ret = tp; - break; - } - tp = tp->next; - } - wc_UnLockMutex(&cm->tpLock); - - return ret; -} - - -int MatchTrustedPeer(TrustedPeerCert* tp, DecodedCert* cert) -{ - if (tp == NULL || cert == NULL) - return BAD_FUNC_ARG; - - /* subject key id or subject hash has been compared when searching - tpTable for the cert from function GetTrustedPeer */ - - /* compare signatures */ - if (tp->sigLen == cert->sigLength) { - if (XMEMCMP(tp->sig, cert->signature, cert->sigLength)) { - return WOLFSSL_FAILURE; - } - } - else { - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} -#endif /* WOLFSSL_TRUST_PEER_CERT */ - - -/* return CA if found, otherwise NULL */ -Signer* GetCA(void* vp, byte* hash) -{ - WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp; - Signer* ret = NULL; - Signer* signers; - word32 row = HashSigner(hash); - - if (cm == NULL) - return NULL; - - if (wc_LockMutex(&cm->caLock) != 0) - return ret; - - signers = cm->caTable[row]; - while (signers) { - byte* subjectHash; - #ifndef NO_SKID - subjectHash = signers->subjectKeyIdHash; - #else - subjectHash = signers->subjectNameHash; - #endif - if (XMEMCMP(hash, subjectHash, SIGNER_DIGEST_SIZE) == 0) { - ret = signers; - break; - } - signers = signers->next; - } - wc_UnLockMutex(&cm->caLock); - - return ret; -} - - -#ifndef NO_SKID -/* return CA if found, otherwise NULL. Walk through hash table. */ -Signer* GetCAByName(void* vp, byte* hash) -{ - WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp; - Signer* ret = NULL; - Signer* signers; - word32 row; - - if (cm == NULL) - return NULL; - - if (wc_LockMutex(&cm->caLock) != 0) - return ret; - - for (row = 0; row < CA_TABLE_SIZE && ret == NULL; row++) { - signers = cm->caTable[row]; - while (signers && ret == NULL) { - if (XMEMCMP(hash, signers->subjectNameHash, - SIGNER_DIGEST_SIZE) == 0) { - ret = signers; - } - signers = signers->next; - } - } - wc_UnLockMutex(&cm->caLock); - - return ret; -} -#endif - - -#ifdef WOLFSSL_TRUST_PEER_CERT -/* add a trusted peer cert to linked list */ -int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int verify) -{ - int ret, row; - TrustedPeerCert* peerCert; - DecodedCert* cert; - DerBuffer* der = *pDer; - byte* subjectHash = NULL; - - WOLFSSL_MSG("Adding a Trusted Peer Cert"); - - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap, - DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return MEMORY_E; - - InitDecodedCert(cert, der->buffer, der->length, cm->heap); - if ((ret = ParseCert(cert, TRUSTED_PEER_TYPE, verify, cm)) != 0) { - FreeDecodedCert(cert); - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); - return ret; - } - WOLFSSL_MSG("\tParsed new trusted peer cert"); - - peerCert = (TrustedPeerCert*)XMALLOC(sizeof(TrustedPeerCert), cm->heap, - DYNAMIC_TYPE_CERT); - if (peerCert == NULL) { - FreeDecodedCert(cert); - XFREE(cert, cm->heap, DYNAMIC_TYPE_DCERT); - return MEMORY_E; - } - XMEMSET(peerCert, 0, sizeof(TrustedPeerCert)); - -#ifndef NO_SKID - if (cert->extAuthKeyIdSet) { - subjectHash = cert->extSubjKeyId; - } - else { - subjectHash = cert->subjectHash; - } -#else - subjectHash = cert->subjectHash; -#endif - - #ifndef IGNORE_NAME_CONSTRAINTS - if (peerCert->permittedNames) - FreeNameSubtrees(peerCert->permittedNames, cm->heap); - if (peerCert->excludedNames) - FreeNameSubtrees(peerCert->excludedNames, cm->heap); - #endif - - if (AlreadyTrustedPeer(cm, subjectHash)) { - WOLFSSL_MSG("\tAlready have this CA, not adding again"); - FreeTrustedPeer(peerCert, cm->heap); - (void)ret; - } - else { - /* add trusted peer signature */ - peerCert->sigLen = cert->sigLength; - peerCert->sig = XMALLOC(cert->sigLength, cm->heap, - DYNAMIC_TYPE_SIGNATURE); - if (peerCert->sig == NULL) { - FreeDecodedCert(cert); - XFREE(cert, cm->heap, DYNAMIC_TYPE_DCERT); - FreeTrustedPeer(peerCert, cm->heap); - return MEMORY_E; - } - XMEMCPY(peerCert->sig, cert->signature, cert->sigLength); - - /* add trusted peer name */ - peerCert->nameLen = cert->subjectCNLen; - peerCert->name = cert->subjectCN; - #ifndef IGNORE_NAME_CONSTRAINTS - peerCert->permittedNames = cert->permittedNames; - peerCert->excludedNames = cert->excludedNames; - #endif - - /* add SKID when available and hash of name */ - #ifndef NO_SKID - XMEMCPY(peerCert->subjectKeyIdHash, cert->extSubjKeyId, - SIGNER_DIGEST_SIZE); - #endif - XMEMCPY(peerCert->subjectNameHash, cert->subjectHash, - SIGNER_DIGEST_SIZE); - peerCert->next = NULL; /* If Key Usage not set, all uses valid. */ - cert->subjectCN = 0; - #ifndef IGNORE_NAME_CONSTRAINTS - cert->permittedNames = NULL; - cert->excludedNames = NULL; - #endif - - #ifndef NO_SKID - if (cert->extAuthKeyIdSet) { - row = TrustedPeerHashSigner(peerCert->subjectKeyIdHash); - } - else { - row = TrustedPeerHashSigner(peerCert->subjectNameHash); - } - #else - row = TrustedPeerHashSigner(peerCert->subjectNameHash); - #endif - - if (wc_LockMutex(&cm->tpLock) == 0) { - peerCert->next = cm->tpTable[row]; - cm->tpTable[row] = peerCert; /* takes ownership */ - wc_UnLockMutex(&cm->tpLock); - } - else { - WOLFSSL_MSG("\tTrusted Peer Cert Mutex Lock failed"); - FreeDecodedCert(cert); - XFREE(cert, cm->heap, DYNAMIC_TYPE_DCERT); - FreeTrustedPeer(peerCert, cm->heap); - return BAD_MUTEX_E; - } - } - - WOLFSSL_MSG("\tFreeing parsed trusted peer cert"); - FreeDecodedCert(cert); - XFREE(cert, cm->heap, DYNAMIC_TYPE_DCERT); - WOLFSSL_MSG("\tFreeing der trusted peer cert"); - FreeDer(&der); - WOLFSSL_MSG("\t\tOK Freeing der trusted peer cert"); - WOLFSSL_LEAVE("AddTrustedPeer", ret); - - return WOLFSSL_SUCCESS; -} -#endif /* WOLFSSL_TRUST_PEER_CERT */ - - -/* owns der, internal now uses too */ -/* type flag ids from user or from chain received during verify - don't allow chain ones to be added w/o isCA extension */ -int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) -{ - int ret; - Signer* signer = NULL; - word32 row; - byte* subjectHash; -#ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; -#else - DecodedCert cert[1]; -#endif - DerBuffer* der = *pDer; - - WOLFSSL_MSG("Adding a CA"); - - if (cm == NULL) { - FreeDer(pDer); - return BAD_FUNC_ARG; - } - -#ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, - DYNAMIC_TYPE_DCERT); - if (cert == NULL) { - FreeDer(pDer); - return MEMORY_E; - } -#endif - - InitDecodedCert(cert, der->buffer, der->length, cm->heap); - ret = ParseCert(cert, CA_TYPE, verify, cm); - WOLFSSL_MSG("\tParsed new CA"); - -#ifndef NO_SKID - subjectHash = cert->extSubjKeyId; -#else - subjectHash = cert->subjectHash; -#endif - - /* check CA key size */ - if (verify) { - switch (cert->keyOID) { - #ifndef NO_RSA - case RSAk: - if (cm->minRsaKeySz < 0 || - cert->pubKeySize < (word16)cm->minRsaKeySz) { - ret = RSA_KEY_SIZE_E; - WOLFSSL_MSG("\tCA RSA key size error"); - } - break; - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - case ECDSAk: - if (cm->minEccKeySz < 0 || - cert->pubKeySize < (word16)cm->minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("\tCA ECC key size error"); - } - break; - #endif /* HAVE_ECC */ - #ifdef HAVE_ED25519 - case ED25519k: - if (cm->minEccKeySz < 0 || - ED25519_KEY_SIZE < (word16)cm->minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("\tCA ECC key size error"); - } - break; - #endif /* HAVE_ED25519 */ - #ifdef HAVE_ED448 - case ED448k: - if (cm->minEccKeySz < 0 || - ED448_KEY_SIZE < (word16)cm->minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("\tCA ECC key size error"); - } - break; - #endif /* HAVE_ED448 */ - - default: - WOLFSSL_MSG("\tNo key size check done on CA"); - break; /* no size check if key type is not in switch */ - } - } - - if (ret == 0 && cert->isCA == 0 && type != WOLFSSL_USER_CA) { - WOLFSSL_MSG("\tCan't add as CA if not actually one"); - ret = NOT_CA_ERROR; - } -#ifndef ALLOW_INVALID_CERTSIGN - else if (ret == 0 && cert->isCA == 1 && type != WOLFSSL_USER_CA && - !cert->selfSigned && (cert->extKeyUsage & KEYUSE_KEY_CERT_SIGN) == 0) { - /* Intermediate CA certs are required to have the keyCertSign - * extension set. User loaded root certs are not. */ - WOLFSSL_MSG("\tDoesn't have key usage certificate signing"); - ret = NOT_CA_ERROR; - } -#endif - else if (ret == 0 && AlreadySigner(cm, subjectHash)) { - WOLFSSL_MSG("\tAlready have this CA, not adding again"); - (void)ret; - } - else if (ret == 0) { - /* take over signer parts */ - signer = MakeSigner(cm->heap); - if (!signer) - ret = MEMORY_ERROR; - } - if (ret == 0 && signer != NULL) { - #ifdef WOLFSSL_SIGNER_DER_CERT - ret = AllocDer(&signer->derCert, der->length, der->type, NULL); - } - if (ret == 0 && signer != NULL) { - XMEMCPY(signer->derCert->buffer, der->buffer, der->length); - #endif - signer->keyOID = cert->keyOID; - if (cert->pubKeyStored) { - signer->publicKey = cert->publicKey; - signer->pubKeySize = cert->pubKeySize; - } - if (cert->subjectCNStored) { - signer->nameLen = cert->subjectCNLen; - signer->name = cert->subjectCN; - } - signer->pathLength = cert->pathLength; - signer->maxPathLen = cert->maxPathLen; - signer->pathLengthSet = cert->pathLengthSet; - signer->selfSigned = cert->selfSigned; - #ifndef IGNORE_NAME_CONSTRAINTS - signer->permittedNames = cert->permittedNames; - signer->excludedNames = cert->excludedNames; - #endif - #ifndef NO_SKID - XMEMCPY(signer->subjectKeyIdHash, cert->extSubjKeyId, - SIGNER_DIGEST_SIZE); - #endif - XMEMCPY(signer->subjectNameHash, cert->subjectHash, - SIGNER_DIGEST_SIZE); - #ifdef HAVE_OCSP - XMEMCPY(signer->subjectKeyHash, cert->subjectKeyHash, - KEYID_SIZE); - #endif - signer->keyUsage = cert->extKeyUsageSet ? cert->extKeyUsage - : 0xFFFF; - signer->next = NULL; /* If Key Usage not set, all uses valid. */ - cert->publicKey = 0; /* in case lock fails don't free here. */ - cert->subjectCN = 0; - #ifndef IGNORE_NAME_CONSTRAINTS - cert->permittedNames = NULL; - cert->excludedNames = NULL; - #endif - - #ifndef NO_SKID - row = HashSigner(signer->subjectKeyIdHash); - #else - row = HashSigner(signer->subjectNameHash); - #endif - - if (wc_LockMutex(&cm->caLock) == 0) { - signer->next = cm->caTable[row]; - cm->caTable[row] = signer; /* takes ownership */ - wc_UnLockMutex(&cm->caLock); - if (cm->caCacheCallback) - cm->caCacheCallback(der->buffer, (int)der->length, type); - } - else { - WOLFSSL_MSG("\tCA Mutex Lock failed"); - ret = BAD_MUTEX_E; - FreeSigner(signer, cm->heap); - } - } -#if defined(WOLFSSL_RENESAS_TSIP_TLS) - /* Verify CA by TSIP so that generated tsip key is going to be able to */ - /* be used for peer's cert verification */ - /* TSIP is only able to handle USER CA, and only one CA. */ - /* Therefore, it doesn't need to call TSIP again if there is already */ - /* verified CA. */ - if ( ret == 0 && signer != NULL ) { - signer->cm_idx = row; - if (type == WOLFSSL_USER_CA && tsip_rootCAverified() == 0 ) { - if ((ret = tsip_tls_RootCertVerify(cert->source, cert->maxIdx, - cert->sigCtx.pubkey_n_start, cert->sigCtx.pubkey_n_len - 1, - cert->sigCtx.pubkey_e_start, cert->sigCtx.pubkey_e_len - 1, - row/* cm index */)) - != 0) - WOLFSSL_MSG("tsip_tls_RootCertVerify() failed"); - else - WOLFSSL_MSG("tsip_tls_RootCertVerify() succeed"); - } - } -#endif - WOLFSSL_MSG("\tFreeing Parsed CA"); - FreeDecodedCert(cert); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); -#endif - WOLFSSL_MSG("\tFreeing der CA"); - FreeDer(pDer); - WOLFSSL_MSG("\t\tOK Freeing der CA"); - - WOLFSSL_LEAVE("AddCA", ret); - - return ret == 0 ? WOLFSSL_SUCCESS : ret; -} - -#endif /* !NO_CERTS */ - - -#ifndef NO_SESSION_CACHE - - /* basic config gives a cache with 33 sessions, adequate for clients and - embedded servers - - TITAN_SESSION_CACHE allows just over 2 million sessions, for servers - with titanic amounts of memory with long session ID timeouts and high - levels of traffic. - - HUGE_SESSION_CACHE yields 65,791 sessions, for servers under heavy load, - allows over 13,000 new sessions per minute or over 200 new sessions per - second - - BIG_SESSION_CACHE yields 20,027 sessions - - MEDIUM_SESSION_CACHE allows 1055 sessions, adequate for servers that - aren't under heavy load, basically allows 200 new sessions per minute - - SMALL_SESSION_CACHE only stores 6 sessions, good for embedded clients - or systems where the default of nearly 3kB is too much RAM, this define - uses less than 500 bytes RAM - - default SESSION_CACHE stores 33 sessions (no XXX_SESSION_CACHE defined) - */ - #if defined(TITAN_SESSION_CACHE) - #define SESSIONS_PER_ROW 31 - #define SESSION_ROWS 64937 - #elif defined(HUGE_SESSION_CACHE) - #define SESSIONS_PER_ROW 11 - #define SESSION_ROWS 5981 - #elif defined(BIG_SESSION_CACHE) - #define SESSIONS_PER_ROW 7 - #define SESSION_ROWS 2861 - #elif defined(MEDIUM_SESSION_CACHE) - #define SESSIONS_PER_ROW 5 - #define SESSION_ROWS 211 - #elif defined(SMALL_SESSION_CACHE) - #define SESSIONS_PER_ROW 2 - #define SESSION_ROWS 3 - #else - #define SESSIONS_PER_ROW 3 - #define SESSION_ROWS 11 - #endif - - typedef struct SessionRow { - int nextIdx; /* where to place next one */ - int totalCount; /* sessions ever on this row */ - WOLFSSL_SESSION Sessions[SESSIONS_PER_ROW]; - } SessionRow; - - static WOLFSSL_GLOBAL SessionRow SessionCache[SESSION_ROWS]; - - #if defined(WOLFSSL_SESSION_STATS) && defined(WOLFSSL_PEAK_SESSIONS) - static WOLFSSL_GLOBAL word32 PeakSessions; - #endif - - static WOLFSSL_GLOBAL wolfSSL_Mutex session_mutex; /* SessionCache mutex */ - - #ifndef NO_CLIENT_CACHE - - typedef struct ClientSession { - word16 serverRow; /* SessionCache Row id */ - word16 serverIdx; /* SessionCache Idx (column) */ - } ClientSession; - - typedef struct ClientRow { - int nextIdx; /* where to place next one */ - int totalCount; /* sessions ever on this row */ - ClientSession Clients[SESSIONS_PER_ROW]; - } ClientRow; - - static WOLFSSL_GLOBAL ClientRow ClientCache[SESSION_ROWS]; - /* Client Cache */ - /* uses session mutex */ - #endif /* NO_CLIENT_CACHE */ - -#endif /* NO_SESSION_CACHE */ - -WOLFSSL_ABI -int wolfSSL_Init(void) -{ - WOLFSSL_ENTER("wolfSSL_Init"); - - if (initRefCount == 0) { - /* Initialize crypto for use with TLS connection */ - if (wolfCrypt_Init() != 0) { - WOLFSSL_MSG("Bad wolfCrypt Init"); - return WC_INIT_E; - } - -#ifdef OPENSSL_EXTRA - if (wolfSSL_RAND_seed(NULL, 0) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("wolfSSL_RAND_Seed failed"); - return WC_INIT_E; - } -#endif - -#ifndef NO_SESSION_CACHE - if (wc_InitMutex(&session_mutex) != 0) { - WOLFSSL_MSG("Bad Init Mutex session"); - return BAD_MUTEX_E; - } -#endif - if (wc_InitMutex(&count_mutex) != 0) { - WOLFSSL_MSG("Bad Init Mutex count"); - return BAD_MUTEX_E; - } - } - - if (wc_LockMutex(&count_mutex) != 0) { - WOLFSSL_MSG("Bad Lock Mutex count"); - return BAD_MUTEX_E; - } - - initRefCount++; - wc_UnLockMutex(&count_mutex); - - return WOLFSSL_SUCCESS; -} - - - -#ifndef NO_CERTS - -/* process user cert chain to pass during the handshake */ -static int ProcessUserChain(WOLFSSL_CTX* ctx, const unsigned char* buff, - long sz, int format, int type, WOLFSSL* ssl, - long* used, EncryptedInfo* info, int verify) -{ - int ret = 0; - void* heap = wolfSSL_CTX_GetHeap(ctx, ssl); -#ifdef WOLFSSL_TLS13 - int cnt = 0; -#endif - - if ((type == CA_TYPE) && (ctx == NULL)) { - WOLFSSL_MSG("Need context for CA load"); - return BAD_FUNC_ARG; - } - - /* we may have a user cert chain, try to consume */ - if ((type == CERT_TYPE || type == CA_TYPE) && (info->consumed < sz)) { - #ifdef WOLFSSL_SMALL_STACK - byte staticBuffer[1]; /* force heap usage */ - #else - byte staticBuffer[FILE_BUFFER_SIZE]; /* tmp chain buffer */ - #endif - byte* chainBuffer = staticBuffer; - int dynamicBuffer = 0; - word32 bufferSz; - long consumed = info->consumed; - word32 idx = 0; - int gotOne = 0; - - /* Calculate max possible size, including max headers */ - bufferSz = (word32)(sz - consumed) + (CERT_HEADER_SZ * MAX_CHAIN_DEPTH); - if (bufferSz > sizeof(staticBuffer)) { - WOLFSSL_MSG("Growing Tmp Chain Buffer"); - /* will shrink to actual size */ - chainBuffer = (byte*)XMALLOC(bufferSz, heap, DYNAMIC_TYPE_FILE); - if (chainBuffer == NULL) { - return MEMORY_E; - } - dynamicBuffer = 1; - } - - WOLFSSL_MSG("Processing Cert Chain"); - while (consumed < sz) { - DerBuffer* part = NULL; - word32 remain = (word32)(sz - consumed); - info->consumed = 0; - - if (format == WOLFSSL_FILETYPE_PEM) { - #ifdef WOLFSSL_PEM_TO_DER - ret = PemToDer(buff + consumed, remain, type, &part, - heap, info, NULL); - #else - ret = NOT_COMPILED_IN; - #endif - } - else { - int length = remain; - if (format == WOLFSSL_FILETYPE_ASN1) { - /* get length of der (read sequence) */ - word32 inOutIdx = 0; - if (GetSequence(buff + consumed, &inOutIdx, &length, - remain) < 0) { - ret = ASN_NO_PEM_HEADER; - } - length += inOutIdx; /* include leading sequence */ - } - info->consumed = length; - if (ret == 0) { - ret = AllocDer(&part, length, type, heap); - if (ret == 0) { - XMEMCPY(part->buffer, buff + consumed, length); - } - } - } - if (ret == 0) { - gotOne = 1; -#ifdef WOLFSSL_TLS13 - cnt++; -#endif - if ((idx + part->length + CERT_HEADER_SZ) > bufferSz) { - WOLFSSL_MSG(" Cert Chain bigger than buffer"); - ret = BUFFER_E; - } - else { - c32to24(part->length, &chainBuffer[idx]); - idx += CERT_HEADER_SZ; - XMEMCPY(&chainBuffer[idx], part->buffer, part->length); - idx += part->length; - consumed += info->consumed; - if (used) - *used += info->consumed; - } - - /* add CA's to certificate manager */ - if (type == CA_TYPE) { - /* verify CA unless user set to no verify */ - ret = AddCA(ctx->cm, &part, WOLFSSL_USER_CA, verify); - gotOne = 0; /* don't exit loop for CA type */ - } - } - - FreeDer(&part); - - if (ret == ASN_NO_PEM_HEADER && gotOne) { - WOLFSSL_MSG("We got one good cert, so stuff at end ok"); - break; - } - - if (ret < 0) { - WOLFSSL_MSG(" Error in Cert in Chain"); - if (dynamicBuffer) - XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE); - return ret; - } - WOLFSSL_MSG(" Consumed another Cert in Chain"); - } - WOLFSSL_MSG("Finished Processing Cert Chain"); - - /* only retain actual size used */ - ret = 0; - if (idx > 0) { - if (ssl) { - if (ssl->buffers.weOwnCertChain) { - FreeDer(&ssl->buffers.certChain); - } - ret = AllocDer(&ssl->buffers.certChain, idx, type, heap); - if (ret == 0) { - XMEMCPY(ssl->buffers.certChain->buffer, chainBuffer, - idx); - ssl->buffers.weOwnCertChain = 1; - } - #ifdef WOLFSSL_TLS13 - ssl->buffers.certChainCnt = cnt; - #endif - } else if (ctx) { - FreeDer(&ctx->certChain); - ret = AllocDer(&ctx->certChain, idx, type, heap); - if (ret == 0) { - XMEMCPY(ctx->certChain->buffer, chainBuffer, idx); - } - #ifdef WOLFSSL_TLS13 - ctx->certChainCnt = cnt; - #endif - } - } - - if (dynamicBuffer) - XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE); - } - - return ret; -} - -static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der, - int* keySz, word32* idx, int* resetSuites, int* keyFormat, void* heap, int devId) -{ - int ret = 0; - - (void)heap; - (void)devId; - - if (ctx == NULL && ssl == NULL) - ret = BAD_FUNC_ARG; - if (!der || !keySz || !idx || !resetSuites || !keyFormat) - ret = BAD_FUNC_ARG; - -#ifndef NO_RSA - if (ret == 0 && (*keyFormat == 0 || *keyFormat == RSAk)) { - /* make sure RSA key can be used */ - #ifdef WOLFSSL_SMALL_STACK - RsaKey* key; - #else - RsaKey key[1]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - key = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA); - if (key == NULL) - return MEMORY_E; - #endif - - ret = wc_InitRsaKey_ex(key, heap, devId); - if (ret == 0) { - *idx = 0; - if (wc_RsaPrivateKeyDecode(der->buffer, idx, key, der->length) - != 0) { - #if !defined(HAVE_ECC) && !defined(HAVE_ED25519) && \ - !defined(HAVE_ED448) - WOLFSSL_MSG("RSA decode failed and ECC/ED25519/ED448 not " - "enabled to try"); - ret = WOLFSSL_BAD_FILE; - #endif - } - else { - /* check that the size of the RSA key is enough */ - int minRsaSz = ssl ? ssl->options.minRsaKeySz : - ctx->minRsaKeySz; - *keySz = wc_RsaEncryptSize((RsaKey*)key); - if (*keySz < minRsaSz) { - ret = RSA_KEY_SIZE_E; - WOLFSSL_MSG("Private Key size too small"); - } - - if (ssl) { - ssl->buffers.keyType = rsa_sa_algo; - ssl->buffers.keySz = *keySz; - } - else { - ctx->privateKeyType = rsa_sa_algo; - ctx->privateKeySz = *keySz; - } - - *keyFormat = RSAk; - - if (ssl && ssl->options.side == WOLFSSL_SERVER_END) { - ssl->options.haveStaticECC = 0; - *resetSuites = 1; - } - } - - wc_FreeRsaKey(key); - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(key, heap, DYNAMIC_TYPE_RSA); - #endif - } -#endif -#ifdef HAVE_ECC - if (ret == 0 && (*keyFormat == 0 || *keyFormat == ECDSAk)) { - /* make sure ECC key can be used */ - #ifdef WOLFSSL_SMALL_STACK - ecc_key* key; - #else - ecc_key key[1]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - key = (ecc_key*)XMALLOC(sizeof(ecc_key), heap, DYNAMIC_TYPE_ECC); - if (key == NULL) - return MEMORY_E; - #endif - - if (wc_ecc_init_ex(key, heap, devId) == 0) { - *idx = 0; - if (wc_EccPrivateKeyDecode(der->buffer, idx, key, - der->length) == 0) { - /* check for minimum ECC key size and then free */ - int minKeySz = ssl ? ssl->options.minEccKeySz : - ctx->minEccKeySz; - *keySz = wc_ecc_size(key); - if (*keySz < minKeySz) { - WOLFSSL_MSG("ECC private key too small"); - ret = ECC_KEY_SIZE_E; - } - - *keyFormat = ECDSAk; - if (ssl) { - ssl->options.haveStaticECC = 1; - ssl->buffers.keyType = ecc_dsa_sa_algo; - ssl->buffers.keySz = *keySz; - } - else { - ctx->haveStaticECC = 1; - ctx->privateKeyType = ecc_dsa_sa_algo; - ctx->privateKeySz = *keySz; - } - - if (ssl && ssl->options.side == WOLFSSL_SERVER_END) { - *resetSuites = 1; - } - } - - wc_ecc_free(key); - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(key, heap, DYNAMIC_TYPE_ECC); - #endif - } -#endif /* HAVE_ECC */ -#ifdef HAVE_ED25519 - if (ret == 0 && (*keyFormat == 0 || *keyFormat == ED25519k)) { - /* make sure Ed25519 key can be used */ - #ifdef WOLFSSL_SMALL_STACK - ed25519_key* key; - #else - ed25519_key key[1]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - key = (ed25519_key*)XMALLOC(sizeof(ed25519_key), heap, - DYNAMIC_TYPE_ED25519); - if (key == NULL) - return MEMORY_E; - #endif - - ret = wc_ed25519_init(key); - if (ret == 0) { - *idx = 0; - if (wc_Ed25519PrivateKeyDecode(der->buffer, idx, key, - der->length) == 0) { - /* check for minimum key size and then free */ - int minKeySz = ssl ? ssl->options.minEccKeySz : - ctx->minEccKeySz; - *keySz = ED25519_KEY_SIZE; - if (*keySz < minKeySz) { - WOLFSSL_MSG("ED25519 private key too small"); - ret = ECC_KEY_SIZE_E; - } - if (ret == 0) { - if (ssl) { - ssl->buffers.keyType = ed25519_sa_algo; - ssl->buffers.keySz = *keySz; - } - else if (ctx) { - ctx->privateKeyType = ed25519_sa_algo; - ctx->privateKeySz = *keySz; - } - - *keyFormat = ED25519k; - if (ssl && ssl->options.side == WOLFSSL_SERVER_END) { - *resetSuites = 1; - } - } - } - - wc_ed25519_free(key); - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(key, heap, DYNAMIC_TYPE_ED25519); - #endif - } -#endif /* HAVE_ED25519 */ -#ifdef HAVE_ED448 - if (ret == 0 && (*keyFormat == 0 || *keyFormat == ED448k)) { - /* make sure Ed448 key can be used */ - #ifdef WOLFSSL_SMALL_STACK - ed448_key* key = NULL; - #else - ed448_key key[1]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - key = (ed448_key*)XMALLOC(sizeof(ed448_key), heap, DYNAMIC_TYPE_ED448); - if (key == NULL) - return MEMORY_E; - #endif - - ret = wc_ed448_init(key); - if (ret == 0) { - *idx = 0; - if (wc_Ed448PrivateKeyDecode(der->buffer, idx, key, - der->length) != 0) { - ret = WOLFSSL_BAD_FILE; - } - - if (ret == 0) { - /* check for minimum key size and then free */ - int minKeySz = ssl ? ssl->options.minEccKeySz : - ctx->minEccKeySz; - *keySz = ED448_KEY_SIZE; - if (*keySz < minKeySz) { - WOLFSSL_MSG("ED448 private key too small"); - ret = ECC_KEY_SIZE_E; - } - } - if (ret == 0) { - if (ssl) { - ssl->buffers.keyType = ed448_sa_algo; - ssl->buffers.keySz = *keySz; - } - else if (ctx) { - ctx->privateKeyType = ed448_sa_algo; - ctx->privateKeySz = *keySz; - } - - *keyFormat = ED448k; - if (ssl && ssl->options.side == WOLFSSL_SERVER_END) { - *resetSuites = 1; - } - } - - wc_ed448_free(key); - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(key, heap, DYNAMIC_TYPE_ED448); - #endif - } -#endif /* HAVE_ED448 */ - return ret; -} - -/* process the buffer buff, length sz, into ctx of format and type - used tracks bytes consumed, userChain specifies a user cert chain - to pass during the handshake */ -int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, - long sz, int format, int type, WOLFSSL* ssl, - long* used, int userChain, int verify) -{ - DerBuffer* der = NULL; /* holds DER or RAW (for NTRU) */ - int ret = 0; - int done = 0; - int keyFormat = 0; - int resetSuites = 0; - void* heap = wolfSSL_CTX_GetHeap(ctx, ssl); - int devId = wolfSSL_CTX_GetDevId(ctx, ssl); - word32 idx = 0; - int keySz = 0; -#if (defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)) || \ - defined(HAVE_PKCS8) - word32 algId = 0; -#endif -#ifdef WOLFSSL_SMALL_STACK - EncryptedInfo* info = NULL; -#else - EncryptedInfo info[1]; -#endif - - (void)devId; - (void)idx; - (void)keySz; - - if (used) - *used = sz; /* used bytes default to sz, PEM chain may shorten*/ - - /* check args */ - if (format != WOLFSSL_FILETYPE_ASN1 && format != WOLFSSL_FILETYPE_PEM - && format != WOLFSSL_FILETYPE_RAW) - return WOLFSSL_BAD_FILETYPE; - - if (ctx == NULL && ssl == NULL) - return BAD_FUNC_ARG; - -#ifdef WOLFSSL_SMALL_STACK - info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), heap, - DYNAMIC_TYPE_ENCRYPTEDINFO); - if (info == NULL) - return MEMORY_E; -#endif - - XMEMSET(info, 0, sizeof(EncryptedInfo)); -#if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED) - if (ctx) { - info->passwd_cb = ctx->passwd_cb; - info->passwd_userdata = ctx->passwd_userdata; - } -#endif - - if (format == WOLFSSL_FILETYPE_PEM) { - #ifdef WOLFSSL_PEM_TO_DER - ret = PemToDer(buff, sz, type, &der, heap, info, &keyFormat); - #else - ret = NOT_COMPILED_IN; - #endif - } - else { - /* ASN1 (DER) or RAW (NTRU) */ - int length = (int)sz; - if (format == WOLFSSL_FILETYPE_ASN1) { - /* get length of der (read sequence or octet string) */ - word32 inOutIdx = 0; - if (GetSequence(buff, &inOutIdx, &length, (word32)sz) >= 0) { - length += inOutIdx; /* include leading sequence */ - } - /* get length using octect string (allowed for private key types) */ - else if (type == PRIVATEKEY_TYPE && - GetOctetString(buff, &inOutIdx, &length, (word32)sz) >= 0) { - length += inOutIdx; /* include leading oct string */ - } - else { - ret = ASN_PARSE_E; - } - } - - info->consumed = length; - - if (ret == 0) { - ret = AllocDer(&der, (word32)length, type, heap); - if (ret == 0) { - XMEMCPY(der->buffer, buff, length); - } - - #ifdef HAVE_PKCS8 - /* if private key try and remove PKCS8 header */ - if (type == PRIVATEKEY_TYPE) { - if ((ret = ToTraditional_ex(der->buffer, der->length, &algId)) > 0) { - /* Found PKCS8 header */ - /* ToTraditional_ex moves buff and returns adjusted length */ - der->length = ret; - } - ret = 0; /* failures should be ignored */ - } - #endif - } - } - - if (used) { - *used = info->consumed; - } - - /* process user chain */ - if (ret >= 0) { - /* Chain should have server cert first, then intermediates, then root. - * First certificate in chain is processed below after ProcessUserChain - * and is loaded into ssl->buffers.certificate. - * Remainder are processed using ProcessUserChain and are loaded into - * ssl->buffers.certChain. */ - if (userChain) { - ret = ProcessUserChain(ctx, buff, sz, format, type, ssl, used, info, - verify); - } - } - - /* info is only used for private key with DER or PEM, so free now */ - if (ret < 0 || type != PRIVATEKEY_TYPE || format == WOLFSSL_FILETYPE_RAW) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO); - #endif - } - - /* check for error */ - if (ret < 0) { - FreeDer(&der); - done = 1; - } - - if (done == 1) { - /* No operation, just skip the next section */ - } - /* Handle DER owner */ - else if (type == CA_TYPE) { - if (ctx == NULL) { - WOLFSSL_MSG("Need context for CA load"); - FreeDer(&der); - return BAD_FUNC_ARG; - } - /* verify CA unless user set to no verify */ - ret = AddCA(ctx->cm, &der, WOLFSSL_USER_CA, verify); - done = 1; - } -#ifdef WOLFSSL_TRUST_PEER_CERT - else if (type == TRUSTED_PEER_TYPE) { - if (ctx == NULL) { - WOLFSSL_MSG("Need context for trusted peer cert load"); - FreeDer(&der); - return BAD_FUNC_ARG; - } - /* add trusted peer cert */ - ret = AddTrustedPeer(ctx->cm, &der, !ctx->verifyNone); - done = 1; - } -#endif /* WOLFSSL_TRUST_PEER_CERT */ - else if (type == CERT_TYPE) { - if (ssl) { - /* Make sure previous is free'd */ - if (ssl->buffers.weOwnCert) { - FreeDer(&ssl->buffers.certificate); - #ifdef KEEP_OUR_CERT - FreeX509(ssl->ourCert); - if (ssl->ourCert) { - XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509); - ssl->ourCert = NULL; - } - #endif - } - ssl->buffers.certificate = der; - #ifdef KEEP_OUR_CERT - ssl->keepCert = 1; /* hold cert for ssl lifetime */ - #endif - ssl->buffers.weOwnCert = 1; - } - else if (ctx) { - FreeDer(&ctx->certificate); /* Make sure previous is free'd */ - #ifdef KEEP_OUR_CERT - if (ctx->ourCert) { - if (ctx->ownOurCert) { - FreeX509(ctx->ourCert); - XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); - } - ctx->ourCert = NULL; - } - #endif - ctx->certificate = der; - } - } - else if (type == PRIVATEKEY_TYPE) { - if (ssl) { - /* Make sure previous is free'd */ - if (ssl->buffers.weOwnKey) { - FreeDer(&ssl->buffers.key); - } - ssl->buffers.key = der; - ssl->buffers.weOwnKey = 1; - } - else if (ctx) { - FreeDer(&ctx->privateKey); - ctx->privateKey = der; - } - } - else { - FreeDer(&der); - return WOLFSSL_BAD_CERTTYPE; - } - - if (done == 1) { - /* No operation, just skip the next section */ - } - else if (type == PRIVATEKEY_TYPE && format != WOLFSSL_FILETYPE_RAW) { - #if defined(WOLFSSL_ENCRYPTED_KEYS) || defined(HAVE_PKCS8) - keyFormat = algId; - #endif - - ret = ProcessBufferTryDecode(ctx, ssl, der, &keySz, &idx, &resetSuites, - &keyFormat, heap, devId); - - #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED) - /* for WOLFSSL_FILETYPE_PEM, PemToDer manages the decryption */ - /* If private key type PKCS8 header wasn't already removed (algoId == 0) */ - if ((ret != 0 || keyFormat == 0) - && format != WOLFSSL_FILETYPE_PEM && info->passwd_cb && algId == 0) - { - int passwordSz = NAME_SZ; - #ifndef WOLFSSL_SMALL_STACK - char password[NAME_SZ]; - #else - char* password = (char*)XMALLOC(passwordSz, heap, DYNAMIC_TYPE_STRING); - if (password == NULL) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO); - #endif - FreeDer(&der); - return MEMORY_E; - } - #endif - /* get password */ - ret = info->passwd_cb(password, passwordSz, PEM_PASS_READ, - info->passwd_userdata); - if (ret >= 0) { - passwordSz = ret; - - /* PKCS8 decrypt */ - ret = ToTraditionalEnc(der->buffer, der->length, - password, passwordSz, &algId); - if (ret >= 0) { - der->length = ret; - } - /* ignore failures and try parsing as unencrypted */ - - ForceZero(password, passwordSz); - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(password, heap, DYNAMIC_TYPE_STRING); - #endif - ret = ProcessBufferTryDecode(ctx, ssl, der, &keySz, &idx, - &resetSuites, &keyFormat, heap, devId); - } - #endif /* WOLFSSL_ENCRYPTED_KEYS && !NO_PWDBASED */ - - #ifdef WOLFSSL_SMALL_STACK - XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO); - #endif - - if (ret != 0) - return ret; - if (keyFormat == 0) - return WOLFSSL_BAD_FILE; - - (void)devId; - } - else if (type == CERT_TYPE) { - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert; - #else - DecodedCert cert[1]; - #endif - #ifdef HAVE_PK_CALLBACKS - int keyType = 0; - #endif - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), heap, - DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return MEMORY_E; - #endif - - WOLFSSL_MSG("Checking cert signature type"); - InitDecodedCert(cert, der->buffer, der->length, heap); - - if (DecodeToKey(cert, 0) < 0) { - WOLFSSL_MSG("Decode to key failed"); - FreeDecodedCert(cert); - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, heap, DYNAMIC_TYPE_DCERT); - #endif - return WOLFSSL_BAD_FILE; - } - - if (ssl && ssl->options.side == WOLFSSL_SERVER_END) { - resetSuites = 1; - } - if (ssl && ssl->ctx->haveECDSAsig) { - WOLFSSL_MSG("SSL layer setting cert, CTX had ECDSA, turning off"); - ssl->options.haveECDSAsig = 0; /* may turn back on next */ - } - - switch (cert->signatureOID) { - case CTC_SHAwECDSA: - case CTC_SHA256wECDSA: - case CTC_SHA384wECDSA: - case CTC_SHA512wECDSA: - WOLFSSL_MSG("ECDSA cert signature"); - if (ssl) - ssl->options.haveECDSAsig = 1; - else if (ctx) - ctx->haveECDSAsig = 1; - break; - case CTC_ED25519: - WOLFSSL_MSG("ED25519 cert signature"); - if (ssl) - ssl->options.haveECDSAsig = 1; - else if (ctx) - ctx->haveECDSAsig = 1; - break; - case CTC_ED448: - WOLFSSL_MSG("ED448 cert signature"); - if (ssl) - ssl->options.haveECDSAsig = 1; - else if (ctx) - ctx->haveECDSAsig = 1; - break; - default: - WOLFSSL_MSG("Not ECDSA cert signature"); - break; - } - - #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) - if (ssl) { - ssl->pkCurveOID = cert->pkCurveOID; - #ifndef WC_STRICT_SIG - if (cert->keyOID == ECDSAk) { - ssl->options.haveECC = 1; - } - #ifdef HAVE_ED25519 - else if (cert->keyOID == ED25519k) { - ssl->options.haveECC = 1; - } - #endif - #ifdef HAVE_ED448 - else if (cert->keyOID == ED448k) { - ssl->options.haveECC = 1; - } - #endif - #else - ssl->options.haveECC = ssl->options.haveECDSAsig; - #endif - } - else if (ctx) { - ctx->pkCurveOID = cert->pkCurveOID; - #ifndef WC_STRICT_SIG - if (cert->keyOID == ECDSAk) { - ctx->haveECC = 1; - } - #ifdef HAVE_ED25519 - else if (cert->keyOID == ED25519k) { - ctx->haveECC = 1; - } - #endif - #ifdef HAVE_ED448 - else if (cert->keyOID == ED448k) { - ctx->haveECC = 1; - } - #endif - #else - ctx->haveECC = ctx->haveECDSAsig; - #endif - } - #endif - - /* check key size of cert unless specified not to */ - switch (cert->keyOID) { - #ifndef NO_RSA - case RSAk: - #ifdef HAVE_PK_CALLBACKS - keyType = rsa_sa_algo; - #endif - #ifdef HAVE_PKCS11 - if (ctx) { - ctx->privateKeyType = rsa_sa_algo; - } - else { - ssl->buffers.keyType = rsa_sa_algo; - } - #endif - /* Determine RSA key size by parsing public key */ - idx = 0; - ret = wc_RsaPublicKeyDecode_ex(cert->publicKey, &idx, - cert->pubKeySize, NULL, (word32*)&keySz, NULL, NULL); - if (ret < 0) - break; - - if (ssl && !ssl->options.verifyNone) { - if (ssl->options.minRsaKeySz < 0 || - keySz < (int)ssl->options.minRsaKeySz) { - ret = RSA_KEY_SIZE_E; - WOLFSSL_MSG("Certificate RSA key size too small"); - } - } - else if (ctx && !ctx->verifyNone) { - if (ctx->minRsaKeySz < 0 || - keySz < (int)ctx->minRsaKeySz) { - ret = RSA_KEY_SIZE_E; - WOLFSSL_MSG("Certificate RSA key size too small"); - } - } - break; - #endif /* !NO_RSA */ - #ifdef HAVE_ECC - case ECDSAk: - #ifdef HAVE_PK_CALLBACKS - keyType = ecc_dsa_sa_algo; - #endif - #ifdef HAVE_PKCS11 - if (ctx) { - ctx->privateKeyType = ecc_dsa_sa_algo; - } - else { - ssl->buffers.keyType = ecc_dsa_sa_algo; - } - #endif - /* Determine ECC key size based on curve */ - keySz = wc_ecc_get_curve_size_from_id( - wc_ecc_get_oid(cert->pkCurveOID, NULL, NULL)); - - if (ssl && !ssl->options.verifyNone) { - if (ssl->options.minEccKeySz < 0 || - keySz < (int)ssl->options.minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("Certificate ECC key size error"); - } - } - else if (ctx && !ctx->verifyNone) { - if (ctx->minEccKeySz < 0 || - keySz < (int)ctx->minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("Certificate ECC key size error"); - } - } - break; - #endif /* HAVE_ECC */ - #ifdef HAVE_ED25519 - case ED25519k: - #ifdef HAVE_PK_CALLBACKS - keyType = ed25519_sa_algo; - #endif - #ifdef HAVE_PKCS11 - if (ctx) { - ctx->privateKeyType = ed25519_sa_algo; - } - else { - ssl->buffers.keyType = ed25519_sa_algo; - } - #endif - /* ED25519 is fixed key size */ - keySz = ED25519_KEY_SIZE; - if (ssl && !ssl->options.verifyNone) { - if (ssl->options.minEccKeySz < 0 || - keySz < (int)ssl->options.minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("Certificate Ed key size error"); - } - } - else if (ctx && !ctx->verifyNone) { - if (ctx->minEccKeySz < 0 || - keySz < (int)ctx->minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("Certificate ECC key size error"); - } - } - break; - #endif /* HAVE_ED25519 */ - #ifdef HAVE_ED448 - case ED448k: - #ifdef HAVE_PK_CALLBACKS - keyType = ed448_sa_algo; - #endif - #ifdef HAVE_PKCS11 - if (ctx) { - ctx->privateKeyType = ed448_sa_algo; - } - else { - ssl->buffers.keyType = ed448_sa_algo; - } - #endif - /* ED448 is fixed key size */ - keySz = ED448_KEY_SIZE; - if (ssl && !ssl->options.verifyNone) { - if (ssl->options.minEccKeySz < 0 || - keySz < (int)ssl->options.minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("Certificate Ed key size error"); - } - } - else if (ctx && !ctx->verifyNone) { - if (ctx->minEccKeySz < 0 || - keySz < (int)ctx->minEccKeySz) { - ret = ECC_KEY_SIZE_E; - WOLFSSL_MSG("Certificate ECC key size error"); - } - } - break; - #endif /* HAVE_ED448 */ - - default: - WOLFSSL_MSG("No key size check done on certificate"); - break; /* do no check if not a case for the key */ - } - - #ifdef HAVE_PK_CALLBACKS - if (ssl && ssl->buffers.keyType == 0) { - ssl->buffers.keyType = keyType; - ssl->buffers.keySz = keySz; - } - else if (ctx && ctx->privateKeyType == 0) { - ctx->privateKeyType = keyType; - ctx->privateKeySz = keySz; - } - #endif - - FreeDecodedCert(cert); - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, heap, DYNAMIC_TYPE_DCERT); - #endif - - if (ret != 0) { - done = 1; - } - } - - if (done == 1) { - #ifndef NO_WOLFSSL_CM_VERIFY - if ((type == CA_TYPE) || (type == CERT_TYPE)) { - /* Call to over-ride status */ - if ((ctx != NULL) && (ctx->cm != NULL) && - (ctx->cm->verifyCallback != NULL)) { - ret = CM_VerifyBuffer_ex(ctx->cm, buff, - sz, format, (ret == WOLFSSL_SUCCESS ? 0 : ret)); - } - } - #endif /* NO_WOLFSSL_CM_VERIFY */ - - return ret; - } - - - if (ssl && resetSuites) { - word16 havePSK = 0; - word16 haveRSA = 0; - - #ifndef NO_PSK - if (ssl->options.havePSK) { - havePSK = 1; - } - #endif - #ifndef NO_RSA - haveRSA = 1; - #endif - #ifndef NO_CERTS - keySz = ssl->buffers.keySz; - #endif - - /* let's reset suites */ - InitSuites(ssl->suites, ssl->version, keySz, haveRSA, - havePSK, ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - } - - return WOLFSSL_SUCCESS; -} - - -/* CA PEM file for verification, may have multiple/chain certs to process */ -static int ProcessChainBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, - long sz, int format, int type, WOLFSSL* ssl, int verify) -{ - long used = 0; - int ret = 0; - int gotOne = 0; - - WOLFSSL_MSG("Processing CA PEM file"); - while (used < sz) { - long consumed = 0; - - ret = ProcessBuffer(ctx, buff + used, sz - used, format, type, ssl, - &consumed, 0, verify); - - if (ret < 0) { -#if defined(WOLFSSL_WPAS) && defined(HAVE_CRL) - DerBuffer* der = NULL; - EncryptedInfo info; - - WOLFSSL_MSG("Trying a CRL"); - if (PemToDer(buff + used, sz - used, CRL_TYPE, &der, NULL, &info, - NULL) == 0) { - WOLFSSL_MSG(" Processed a CRL"); - wolfSSL_CertManagerLoadCRLBuffer(ctx->cm, der->buffer, - der->length, WOLFSSL_FILETYPE_ASN1); - FreeDer(&der); - used += info.consumed; - continue; - } -#endif - - if (consumed > 0) { /* Made progress in file */ - WOLFSSL_ERROR(ret); - WOLFSSL_MSG("CA Parse failed, with progress in file."); - WOLFSSL_MSG("Search for other certs in file"); - } - else { - WOLFSSL_MSG("CA Parse failed, no progress in file."); - WOLFSSL_MSG("Do not continue search for other certs in file"); - break; - } - } - else { - WOLFSSL_MSG(" Processed a CA"); - gotOne = 1; - } - used += consumed; - } - - if (gotOne) { - WOLFSSL_MSG("Processed at least one valid CA. Other stuff OK"); - return WOLFSSL_SUCCESS; - } - return ret; -} - - -static WC_INLINE WOLFSSL_METHOD* cm_pick_method(void) -{ - #ifndef NO_WOLFSSL_CLIENT - #if !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_SSLV3) - return wolfSSLv3_client_method(); - #elif !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_TLSV10) - return wolfTLSv1_client_method(); - #elif !defined(NO_OLD_TLS) - return wolfTLSv1_1_client_method(); - #elif !defined(WOLFSSL_NO_TLS12) - return wolfTLSv1_2_client_method(); - #elif defined(WOLFSSL_TLS13) - return wolfTLSv1_3_client_method(); - #else - return NULL; - #endif - #elif !defined(NO_WOLFSSL_SERVER) - #if !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_SSLV3) - return wolfSSLv3_server_method(); - #elif !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_TLSV10) - return wolfTLSv1_server_method(); - #elif !defined(NO_OLD_TLS) - return wolfTLSv1_1_server_method(); - #elif !defined(WOLFSSL_NO_TLS12) - return wolfTLSv1_2_server_method(); - #elif defined(WOLFSSL_TLS13) - return wolfTLSv1_3_server_method(); - #else - return NULL; - #endif - #else - return NULL; - #endif -} - - -/* like load verify locations, 1 for success, < 0 for error */ -int wolfSSL_CertManagerLoadCABuffer(WOLFSSL_CERT_MANAGER* cm, - const unsigned char* in, long sz, int format) -{ - int ret = WOLFSSL_FATAL_ERROR; - WOLFSSL_CTX* tmp; - - WOLFSSL_ENTER("wolfSSL_CertManagerLoadCABuffer"); - - if (cm == NULL) { - WOLFSSL_MSG("No CertManager error"); - return ret; - } - tmp = wolfSSL_CTX_new(cm_pick_method()); - - if (tmp == NULL) { - WOLFSSL_MSG("CTX new failed"); - return ret; - } - - /* for tmp use */ - wolfSSL_CertManagerFree(tmp->cm); - tmp->cm = cm; - - ret = wolfSSL_CTX_load_verify_buffer(tmp, in, sz, format); - - /* don't loose our good one */ - tmp->cm = NULL; - wolfSSL_CTX_free(tmp); - - return ret; -} - -#ifdef HAVE_CRL - -int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm, - const unsigned char* buff, long sz, int type) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerLoadCRLBuffer"); - if (cm == NULL) - return BAD_FUNC_ARG; - - if (cm->crl == NULL) { - if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Enable CRL failed"); - return WOLFSSL_FATAL_ERROR; - } - } - - return BufferLoadCRL(cm->crl, buff, sz, type, VERIFY); -} - -int wolfSSL_CertManagerFreeCRL(WOLFSSL_CERT_MANAGER* cm) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerFreeCRL"); - if (cm == NULL) - return BAD_FUNC_ARG; - if (cm->crl != NULL){ - FreeCRL(cm->crl, 1); - cm->crl = NULL; - } - return WOLFSSL_SUCCESS; -} - -int wolfSSL_CTX_LoadCRLBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, - long sz, int type) -{ - WOLFSSL_ENTER("wolfSSL_CTX_LoadCRLBuffer"); - - if (ctx == NULL) - return BAD_FUNC_ARG; - - return wolfSSL_CertManagerLoadCRLBuffer(ctx->cm, buff, sz, type); -} - - -int wolfSSL_LoadCRLBuffer(WOLFSSL* ssl, const unsigned char* buff, - long sz, int type) -{ - WOLFSSL_ENTER("wolfSSL_LoadCRLBuffer"); - - if (ssl == NULL || ssl->ctx == NULL) - return BAD_FUNC_ARG; - - return wolfSSL_CertManagerLoadCRLBuffer(ssl->ctx->cm, buff, sz, type); -} - - -#endif /* HAVE_CRL */ - -/* turn on CRL if off and compiled in, set options */ -int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options) -{ - int ret = WOLFSSL_SUCCESS; - - (void)options; - - WOLFSSL_ENTER("wolfSSL_CertManagerEnableCRL"); - if (cm == NULL) - return BAD_FUNC_ARG; - - #ifdef HAVE_CRL - if (cm->crl == NULL) { - cm->crl = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), cm->heap, - DYNAMIC_TYPE_CRL); - if (cm->crl == NULL) - return MEMORY_E; - - if (InitCRL(cm->crl, cm) != 0) { - WOLFSSL_MSG("Init CRL failed"); - FreeCRL(cm->crl, 1); - cm->crl = NULL; - return WOLFSSL_FAILURE; - } - - #ifdef HAVE_CRL_IO - cm->crl->crlIOCb = EmbedCrlLookup; - #endif - } - - cm->crlEnabled = 1; - if (options & WOLFSSL_CRL_CHECKALL) - cm->crlCheckAll = 1; - #else - ret = NOT_COMPILED_IN; - #endif - - return ret; -} - - -int wolfSSL_CertManagerDisableCRL(WOLFSSL_CERT_MANAGER* cm) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerDisableCRL"); - if (cm == NULL) - return BAD_FUNC_ARG; - - cm->crlEnabled = 0; - - return WOLFSSL_SUCCESS; -} - -#ifndef NO_WOLFSSL_CM_VERIFY -void wolfSSL_CertManagerSetVerify(WOLFSSL_CERT_MANAGER* cm, VerifyCallback vc) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerSetVerify"); - if (cm == NULL) - return; - - cm->verifyCallback = vc; -} -#endif /* NO_WOLFSSL_CM_VERIFY */ - -/* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */ -int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const byte* buff, - long sz, int format, int err_val) -{ - int ret = 0; - DerBuffer* der = NULL; -#ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert; -#else - DecodedCert cert[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_CertManagerVerifyBuffer"); - -#ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap, - DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return MEMORY_E; -#endif - - if (format == WOLFSSL_FILETYPE_PEM) { -#ifdef WOLFSSL_PEM_TO_DER - ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, NULL, NULL); - if (ret != 0) { - FreeDer(&der); - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, cm->heap, DYNAMIC_TYPE_DCERT); - #endif - return ret; - } - InitDecodedCert(cert, der->buffer, der->length, cm->heap); -#else - ret = NOT_COMPILED_IN; -#endif - } - else { - InitDecodedCert(cert, (byte*)buff, (word32)sz, cm->heap); - } - - if (ret == 0) - ret = ParseCertRelative(cert, CERT_TYPE, 1, cm); - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - /* ret needs to be self-singer error for Qt compat */ - if (ret == ASN_NO_SIGNER_E && cert->selfSigned) - ret = ASN_SELF_SIGNED_E; -#endif - -#ifdef HAVE_CRL - if (ret == 0 && cm->crlEnabled) - ret = CheckCertCRL(cm->crl, cert); -#endif - -#ifndef NO_WOLFSSL_CM_VERIFY - /* if verify callback has been set */ - if (cm->verifyCallback) { - buffer certBuf; - #ifdef WOLFSSL_SMALL_STACK - ProcPeerCertArgs* args; - args = (ProcPeerCertArgs*)XMALLOC( - sizeof(ProcPeerCertArgs), cm->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (args == NULL) { - XFREE(cert, cm->heap, DYNAMIC_TYPE_DCERT); - return MEMORY_E; - } - #else - ProcPeerCertArgs args[1]; - #endif - - certBuf.buffer = (byte*)buff; - certBuf.length = (unsigned int)sz; - XMEMSET(args, 0, sizeof(ProcPeerCertArgs)); - - args->totalCerts = 1; - args->certs = &certBuf; - args->dCert = cert; - args->dCertInit = 1; - - if (err_val != 0) { - ret = err_val; - } - ret = DoVerifyCallback(cm, NULL, ret, args); - #ifdef WOLFSSL_SMALL_STACK - XFREE(args, cm->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } -#else - (void)err_val; -#endif - - FreeDecodedCert(cert); - FreeDer(&der); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, cm->heap, DYNAMIC_TYPE_DCERT); -#endif - - return ret == 0 ? WOLFSSL_SUCCESS : ret; -} - -/* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */ -int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff, - long sz, int format) -{ - return CM_VerifyBuffer_ex(cm, buff, sz, format, 0); -} -/* turn on OCSP if off and compiled in, set options */ -int wolfSSL_CertManagerEnableOCSP(WOLFSSL_CERT_MANAGER* cm, int options) -{ - int ret = WOLFSSL_SUCCESS; - - (void)options; - - WOLFSSL_ENTER("wolfSSL_CertManagerEnableOCSP"); - if (cm == NULL) - return BAD_FUNC_ARG; - - #ifdef HAVE_OCSP - if (cm->ocsp == NULL) { - cm->ocsp = (WOLFSSL_OCSP*)XMALLOC(sizeof(WOLFSSL_OCSP), cm->heap, - DYNAMIC_TYPE_OCSP); - if (cm->ocsp == NULL) - return MEMORY_E; - - if (InitOCSP(cm->ocsp, cm) != 0) { - WOLFSSL_MSG("Init OCSP failed"); - FreeOCSP(cm->ocsp, 1); - cm->ocsp = NULL; - return WOLFSSL_FAILURE; - } - } - cm->ocspEnabled = 1; - if (options & WOLFSSL_OCSP_URL_OVERRIDE) - cm->ocspUseOverrideURL = 1; - if (options & WOLFSSL_OCSP_NO_NONCE) - cm->ocspSendNonce = 0; - else - cm->ocspSendNonce = 1; - if (options & WOLFSSL_OCSP_CHECKALL) - cm->ocspCheckAll = 1; - #ifndef WOLFSSL_USER_IO - cm->ocspIOCb = EmbedOcspLookup; - cm->ocspRespFreeCb = EmbedOcspRespFree; - cm->ocspIOCtx = cm->heap; - #endif /* WOLFSSL_USER_IO */ - #else - ret = NOT_COMPILED_IN; - #endif - - return ret; -} - - -int wolfSSL_CertManagerDisableOCSP(WOLFSSL_CERT_MANAGER* cm) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerDisableOCSP"); - if (cm == NULL) - return BAD_FUNC_ARG; - - cm->ocspEnabled = 0; - - return WOLFSSL_SUCCESS; -} - -/* turn on OCSP Stapling if off and compiled in, set options */ -int wolfSSL_CertManagerEnableOCSPStapling(WOLFSSL_CERT_MANAGER* cm) -{ - int ret = WOLFSSL_SUCCESS; - - WOLFSSL_ENTER("wolfSSL_CertManagerEnableOCSPStapling"); - - if (cm == NULL) - return BAD_FUNC_ARG; - -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - #ifndef NO_WOLFSSL_SERVER - if (cm->ocsp_stapling == NULL) { - cm->ocsp_stapling = (WOLFSSL_OCSP*)XMALLOC(sizeof(WOLFSSL_OCSP), - cm->heap, DYNAMIC_TYPE_OCSP); - if (cm->ocsp_stapling == NULL) - return MEMORY_E; - - if (InitOCSP(cm->ocsp_stapling, cm) != 0) { - WOLFSSL_MSG("Init OCSP failed"); - FreeOCSP(cm->ocsp_stapling, 1); - cm->ocsp_stapling = NULL; - return WOLFSSL_FAILURE; - } - } - - #ifndef WOLFSSL_USER_IO - cm->ocspIOCb = EmbedOcspLookup; - cm->ocspRespFreeCb = EmbedOcspRespFree; - cm->ocspIOCtx = cm->heap; - #endif /* WOLFSSL_USER_IO */ - #endif /* NO_WOLFSSL_SERVER */ - cm->ocspStaplingEnabled = 1; -#else - ret = NOT_COMPILED_IN; -#endif - - return ret; -} - -int wolfSSL_CertManagerDisableOCSPStapling(WOLFSSL_CERT_MANAGER* cm) -{ - int ret = WOLFSSL_SUCCESS; - - WOLFSSL_ENTER("wolfSSL_CertManagerDisableOCSPStapling"); - - if (cm == NULL) - return BAD_FUNC_ARG; - -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - cm->ocspStaplingEnabled = 0; -#else - ret = NOT_COMPILED_IN; -#endif - return ret; -} - -#ifdef HAVE_OCSP -/* check CRL if enabled, WOLFSSL_SUCCESS */ -int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz) -{ - int ret; -#ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; -#else - DecodedCert cert[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP"); - - if (cm == NULL) - return BAD_FUNC_ARG; - - if (cm->ocspEnabled == 0) - return WOLFSSL_SUCCESS; - -#ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return MEMORY_E; -#endif - - InitDecodedCert(cert, der, sz, NULL); - - if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm)) != 0) { - WOLFSSL_MSG("ParseCert failed"); - } - else if ((ret = CheckCertOCSP(cm->ocsp, cert, NULL)) != 0) { - WOLFSSL_MSG("CheckCertOCSP failed"); - } - - FreeDecodedCert(cert); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); -#endif - - return ret == 0 ? WOLFSSL_SUCCESS : ret; -} - -WOLFSSL_API int wolfSSL_CertManagerCheckOCSPResponse(WOLFSSL_CERT_MANAGER *cm, - byte *response, int responseSz, buffer *responseBuffer, - CertStatus *status, OcspEntry *entry, OcspRequest *ocspRequest) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_CertManagerCheckOCSP_Staple"); - if (cm == NULL || response == NULL) - return BAD_FUNC_ARG; - if (cm->ocspEnabled == 0) - return WOLFSSL_SUCCESS; - - ret = CheckOcspResponse(cm->ocsp, response, responseSz, responseBuffer, status, - entry, ocspRequest); - - return ret == 0 ? WOLFSSL_SUCCESS : ret; -} - -int wolfSSL_CertManagerSetOCSPOverrideURL(WOLFSSL_CERT_MANAGER* cm, - const char* url) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerSetOCSPOverrideURL"); - if (cm == NULL) - return BAD_FUNC_ARG; - - XFREE(cm->ocspOverrideURL, cm->heap, DYNAMIC_TYPE_URL); - if (url != NULL) { - int urlSz = (int)XSTRLEN(url) + 1; - cm->ocspOverrideURL = (char*)XMALLOC(urlSz, cm->heap, DYNAMIC_TYPE_URL); - if (cm->ocspOverrideURL != NULL) { - XMEMCPY(cm->ocspOverrideURL, url, urlSz); - } - else - return MEMORY_E; - } - else - cm->ocspOverrideURL = NULL; - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_CertManagerSetOCSP_Cb(WOLFSSL_CERT_MANAGER* cm, - CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerSetOCSP_Cb"); - if (cm == NULL) - return BAD_FUNC_ARG; - - cm->ocspIOCb = ioCb; - cm->ocspRespFreeCb = respFreeCb; - cm->ocspIOCtx = ioCbCtx; - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_EnableOCSP(WOLFSSL* ssl, int options) -{ - WOLFSSL_ENTER("wolfSSL_EnableOCSP"); - if (ssl) - return wolfSSL_CertManagerEnableOCSP(ssl->ctx->cm, options); - else - return BAD_FUNC_ARG; -} - -int wolfSSL_DisableOCSP(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_DisableOCSP"); - if (ssl) - return wolfSSL_CertManagerDisableOCSP(ssl->ctx->cm); - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_EnableOCSPStapling(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_EnableOCSPStapling"); - if (ssl) - return wolfSSL_CertManagerEnableOCSPStapling(ssl->ctx->cm); - else - return BAD_FUNC_ARG; -} - -int wolfSSL_DisableOCSPStapling(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_DisableOCSPStapling"); - if (ssl) - return wolfSSL_CertManagerDisableOCSPStapling(ssl->ctx->cm); - else - return BAD_FUNC_ARG; -} - -int wolfSSL_SetOCSP_OverrideURL(WOLFSSL* ssl, const char* url) -{ - WOLFSSL_ENTER("wolfSSL_SetOCSP_OverrideURL"); - if (ssl) - return wolfSSL_CertManagerSetOCSPOverrideURL(ssl->ctx->cm, url); - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_SetOCSP_Cb(WOLFSSL* ssl, - CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx) -{ - WOLFSSL_ENTER("wolfSSL_SetOCSP_Cb"); - if (ssl) { - ssl->ocspIOCtx = ioCbCtx; /* use SSL specific ioCbCtx */ - return wolfSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm, - ioCb, respFreeCb, NULL); - } - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_CTX_EnableOCSP(WOLFSSL_CTX* ctx, int options) -{ - WOLFSSL_ENTER("wolfSSL_CTX_EnableOCSP"); - if (ctx) - return wolfSSL_CertManagerEnableOCSP(ctx->cm, options); - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_CTX_DisableOCSP(WOLFSSL_CTX* ctx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_DisableOCSP"); - if (ctx) - return wolfSSL_CertManagerDisableOCSP(ctx->cm); - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_CTX_SetOCSP_OverrideURL(WOLFSSL_CTX* ctx, const char* url) -{ - WOLFSSL_ENTER("wolfSSL_SetOCSP_OverrideURL"); - if (ctx) - return wolfSSL_CertManagerSetOCSPOverrideURL(ctx->cm, url); - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_CTX_SetOCSP_Cb(WOLFSSL_CTX* ctx, CbOCSPIO ioCb, - CbOCSPRespFree respFreeCb, void* ioCbCtx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_SetOCSP_Cb"); - if (ctx) - return wolfSSL_CertManagerSetOCSP_Cb(ctx->cm, ioCb, - respFreeCb, ioCbCtx); - else - return BAD_FUNC_ARG; -} - -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) -int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX* ctx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_EnableOCSPStapling"); - if (ctx) - return wolfSSL_CertManagerEnableOCSPStapling(ctx->cm); - else - return BAD_FUNC_ARG; -} - -int wolfSSL_CTX_DisableOCSPStapling(WOLFSSL_CTX* ctx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_DisableOCSPStapling"); - if (ctx) - return wolfSSL_CertManagerDisableOCSPStapling(ctx->cm); - else - return BAD_FUNC_ARG; -} -#endif /* HAVE_CERTIFICATE_STATUS_REQUEST || HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ - -#endif /* HAVE_OCSP */ - -/* macro to get verify settings for AddCA */ -#define GET_VERIFY_SETTING_CTX(ctx) \ - (ctx && ctx->verifyNone ? NO_VERIFY : VERIFY) -#define GET_VERIFY_SETTING_SSL(ssl) \ - (ssl && ssl->options.verifyNone ? NO_VERIFY : VERIFY) - -#ifndef NO_FILESYSTEM - -/* process a file with name fname into ctx of format and type - userChain specifies a user certificate chain to pass during handshake */ -int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, - WOLFSSL* ssl, int userChain, WOLFSSL_CRL* crl, int verify) -{ -#ifdef WOLFSSL_SMALL_STACK - byte staticBuffer[1]; /* force heap usage */ -#else - byte staticBuffer[FILE_BUFFER_SIZE]; -#endif - byte* myBuffer = staticBuffer; - int dynamic = 0; - int ret; - long sz = 0; - XFILE file; - void* heapHint = wolfSSL_CTX_GetHeap(ctx, ssl); - const char* header = NULL; - const char* footer = NULL; - - (void)crl; - (void)heapHint; - - if (fname == NULL) return WOLFSSL_BAD_FILE; - - file = XFOPEN(fname, "rb"); - if (file == XBADFILE) return WOLFSSL_BAD_FILE; - if (XFSEEK(file, 0, XSEEK_END) != 0) { - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - sz = XFTELL(file); - XREWIND(file); - - if (sz > MAX_WOLFSSL_FILE_SIZE || sz <= 0) { - WOLFSSL_MSG("ProcessFile file size error"); - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - - if (sz > (long)sizeof(staticBuffer)) { - WOLFSSL_MSG("Getting dynamic buffer"); - myBuffer = (byte*)XMALLOC(sz, heapHint, DYNAMIC_TYPE_FILE); - if (myBuffer == NULL) { - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - dynamic = 1; - } - - if ( (ret = (int)XFREAD(myBuffer, 1, sz, file)) != sz) - ret = WOLFSSL_BAD_FILE; - else { - /* Try to detect type by parsing cert header and footer */ - if (type == DETECT_CERT_TYPE) { - if (wc_PemGetHeaderFooter(CA_TYPE, &header, &footer) == 0 && - (XSTRNSTR((char*)myBuffer, header, (int)sz) != NULL)) { - type = CA_TYPE; - } -#ifdef HAVE_CRL - else if (wc_PemGetHeaderFooter(CRL_TYPE, &header, &footer) == 0 && - (XSTRNSTR((char*)myBuffer, header, (int)sz) != NULL)) { - type = CRL_TYPE; - } -#endif - else if (wc_PemGetHeaderFooter(CERT_TYPE, &header, &footer) == 0 && - (XSTRNSTR((char*)myBuffer, header, (int)sz) != NULL)) { - type = CERT_TYPE; - } - else { - WOLFSSL_MSG("Failed to detect certificate type"); - if (dynamic) - XFREE(myBuffer, heapHint, DYNAMIC_TYPE_FILE); - XFCLOSE(file); - return WOLFSSL_BAD_CERTTYPE; - } - } - if ((type == CA_TYPE || type == TRUSTED_PEER_TYPE) - && format == WOLFSSL_FILETYPE_PEM) { - ret = ProcessChainBuffer(ctx, myBuffer, sz, format, type, ssl, - verify); - } -#ifdef HAVE_CRL - else if (type == CRL_TYPE) - ret = BufferLoadCRL(crl, myBuffer, sz, format, verify); -#endif - else - ret = ProcessBuffer(ctx, myBuffer, sz, format, type, ssl, NULL, - userChain, verify); - } - - XFCLOSE(file); - if (dynamic) - XFREE(myBuffer, heapHint, DYNAMIC_TYPE_FILE); - - return ret; -} - -/* loads file then loads each file in path, no c_rehash */ -int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file, - const char* path, word32 flags) -{ - int ret = WOLFSSL_SUCCESS; -#ifndef NO_WOLFSSL_DIR - int fileRet; - int successCount = 0; - int failCount = 0; -#endif - int verify; - - WOLFSSL_MSG("wolfSSL_CTX_load_verify_locations_ex"); - - if (ctx == NULL || (file == NULL && path == NULL)) { - return WOLFSSL_FAILURE; - } - - verify = GET_VERIFY_SETTING_CTX(ctx); - if (flags & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) - verify = VERIFY_SKIP_DATE; - - if (file) { - ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0, - NULL, verify); -#ifndef NO_WOLFSSL_DIR - if (ret == WOLFSSL_SUCCESS) - successCount++; -#endif - } - - if (ret == WOLFSSL_SUCCESS && path) { -#ifndef NO_WOLFSSL_DIR - char* name = NULL; - #ifdef WOLFSSL_SMALL_STACK - ReadDirCtx* readCtx; - readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), ctx->heap, - DYNAMIC_TYPE_DIRCTX); - if (readCtx == NULL) - return MEMORY_E; - #else - ReadDirCtx readCtx[1]; - #endif - - /* try to load each regular file in path */ - fileRet = wc_ReadDirFirst(readCtx, path, &name); - while (fileRet == 0 && name) { - WOLFSSL_MSG(name); /* log file name */ - ret = ProcessFile(ctx, name, WOLFSSL_FILETYPE_PEM, CA_TYPE, - NULL, 0, NULL, verify); - if (ret != WOLFSSL_SUCCESS) { - /* handle flags for ignoring errors, skipping expired certs or - by PEM certificate header error */ - if ( (flags & WOLFSSL_LOAD_FLAG_IGNORE_ERR) || - ((flags & WOLFSSL_LOAD_FLAG_PEM_CA_ONLY) && - (ret == ASN_NO_PEM_HEADER))) { - /* Do not fail here if a certificate fails to load, - continue to next file */ - ret = WOLFSSL_SUCCESS; - } - else { - WOLFSSL_ERROR(ret); - WOLFSSL_MSG("Load CA file failed, continuing"); - failCount++; - } - } - else { - successCount++; - } - fileRet = wc_ReadDirNext(readCtx, path, &name); - } - wc_ReadDirClose(readCtx); - - /* pass directory read failure to response code */ - if (fileRet != WC_READDIR_NOFILE) { - ret = fileRet; - } - /* report failure if no files were loaded or there were failures */ - else if (successCount == 0 || failCount > 0) { - /* use existing error code if exists */ - if (ret == WOLFSSL_SUCCESS) - ret = WOLFSSL_FAILURE; - } - else { - ret = WOLFSSL_SUCCESS; - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(readCtx, ctx->heap, DYNAMIC_TYPE_DIRCTX); - #endif -#else - ret = NOT_COMPILED_IN; - (void)flags; -#endif - } - - return ret; -} - -WOLFSSL_ABI -int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file, - const char* path) -{ - return wolfSSL_CTX_load_verify_locations_ex(ctx, file, path, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS); -} - - -#ifdef WOLFSSL_TRUST_PEER_CERT -/* Used to specify a peer cert to match when connecting - ctx : the ctx structure to load in peer cert - file: the string name of cert file - type: type of format such as PEM/DER - */ -int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int type) -{ - WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_cert"); - - if (ctx == NULL || file == NULL) { - return WOLFSSL_FAILURE; - } - - return ProcessFile(ctx, file, type, TRUSTED_PEER_TYPE, NULL, 0, NULL, - GET_VERIFY_SETTING_CTX(ctx)); -} -#endif /* WOLFSSL_TRUST_PEER_CERT */ - - -/* Verify the certificate, WOLFSSL_SUCCESS for ok, < 0 for error */ -int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname, - int format) -{ - int ret = WOLFSSL_FATAL_ERROR; -#ifdef WOLFSSL_SMALL_STACK - byte staticBuffer[1]; /* force heap usage */ -#else - byte staticBuffer[FILE_BUFFER_SIZE]; -#endif - byte* myBuffer = staticBuffer; - int dynamic = 0; - long sz = 0; - XFILE file = XFOPEN(fname, "rb"); - - WOLFSSL_ENTER("wolfSSL_CertManagerVerify"); - - if (file == XBADFILE) return WOLFSSL_BAD_FILE; - if(XFSEEK(file, 0, XSEEK_END) != 0) { - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - sz = XFTELL(file); - XREWIND(file); - - if (sz > MAX_WOLFSSL_FILE_SIZE || sz <= 0) { - WOLFSSL_MSG("CertManagerVerify file size error"); - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - - if (sz > (long)sizeof(staticBuffer)) { - WOLFSSL_MSG("Getting dynamic buffer"); - myBuffer = (byte*) XMALLOC(sz, cm->heap, DYNAMIC_TYPE_FILE); - if (myBuffer == NULL) { - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - dynamic = 1; - } - - if ( (ret = (int)XFREAD(myBuffer, 1, sz, file)) != sz) - ret = WOLFSSL_BAD_FILE; - else - ret = wolfSSL_CertManagerVerifyBuffer(cm, myBuffer, sz, format); - - XFCLOSE(file); - if (dynamic) - XFREE(myBuffer, cm->heap, DYNAMIC_TYPE_FILE); - - return ret; -} - - -/* like load verify locations, 1 for success, < 0 for error */ -int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file, - const char* path) -{ - int ret = WOLFSSL_FATAL_ERROR; - WOLFSSL_CTX* tmp; - - WOLFSSL_ENTER("wolfSSL_CertManagerLoadCA"); - - if (cm == NULL) { - WOLFSSL_MSG("No CertManager error"); - return ret; - } - tmp = wolfSSL_CTX_new(cm_pick_method()); - - if (tmp == NULL) { - WOLFSSL_MSG("CTX new failed"); - return ret; - } - - /* for tmp use */ - wolfSSL_CertManagerFree(tmp->cm); - tmp->cm = cm; - - ret = wolfSSL_CTX_load_verify_locations(tmp, file, path); - - /* don't lose our good one */ - tmp->cm = NULL; - wolfSSL_CTX_free(tmp); - - return ret; -} - -#ifndef NO_CHECK_PRIVATE_KEY -/* Check private against public in certificate for match - * - * ctx WOLFSSL_CTX structure to check private key in - * - * Returns SSL_SUCCESS on good private key and SSL_FAILURE if miss matched. */ -int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) -{ -#ifdef WOLFSSL_SMALL_STACK - DecodedCert* der = NULL; -#else - DecodedCert der[1]; -#endif - word32 size; - byte* buff; - int ret; - - WOLFSSL_ENTER("wolfSSL_CTX_check_private_key"); - - if (ctx == NULL) { - return WOLFSSL_FAILURE; - } - -#ifndef NO_CERTS -#ifdef WOLFSSL_SMALL_STACK - der = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); - if (der == NULL) - return MEMORY_E; -#endif - - size = ctx->certificate->length; - buff = ctx->certificate->buffer; - InitDecodedCert(der, buff, size, ctx->heap); - if (ParseCertRelative(der, CERT_TYPE, NO_VERIFY, NULL) != 0) { - FreeDecodedCert(der); - #ifdef WOLFSSL_SMALL_STACK - XFREE(der, NULL, DYNAMIC_TYPE_DCERT); - #endif - return WOLFSSL_FAILURE; - } - - size = ctx->privateKey->length; - buff = ctx->privateKey->buffer; - ret = wc_CheckPrivateKey(buff, size, der); - FreeDecodedCert(der); -#ifdef WOLFSSL_SMALL_STACK - XFREE(der, NULL, DYNAMIC_TYPE_DCERT); -#endif - - if (ret == 1) { - return WOLFSSL_SUCCESS; - } - else { - return WOLFSSL_FAILURE; - } -#else - WOLFSSL_MSG("NO_CERTS is defined, can not check private key"); - return WOLFSSL_FAILURE; -#endif -} -#endif /* !NO_CHECK_PRIVATE_KEY */ - - -#ifdef HAVE_CRL - -/* check CRL if enabled, WOLFSSL_SUCCESS */ -int wolfSSL_CertManagerCheckCRL(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz) -{ - int ret = 0; -#ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; -#else - DecodedCert cert[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_CertManagerCheckCRL"); - - if (cm == NULL) - return BAD_FUNC_ARG; - - if (cm->crlEnabled == 0) - return WOLFSSL_SUCCESS; - -#ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return MEMORY_E; -#endif - - InitDecodedCert(cert, der, sz, NULL); - - if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_CRL, cm)) != 0) { - WOLFSSL_MSG("ParseCert failed"); - } - else if ((ret = CheckCertCRL(cm->crl, cert)) != 0) { - WOLFSSL_MSG("CheckCertCRL failed"); - } - - FreeDecodedCert(cert); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); -#endif - - return ret == 0 ? WOLFSSL_SUCCESS : ret; -} - - -int wolfSSL_CertManagerSetCRL_Cb(WOLFSSL_CERT_MANAGER* cm, CbMissingCRL cb) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerSetCRL_Cb"); - if (cm == NULL) - return BAD_FUNC_ARG; - - cm->cbMissingCRL = cb; - - return WOLFSSL_SUCCESS; -} - -#ifdef HAVE_CRL_IO -int wolfSSL_CertManagerSetCRL_IOCb(WOLFSSL_CERT_MANAGER* cm, CbCrlIO cb) -{ - if (cm == NULL) - return BAD_FUNC_ARG; - - cm->crl->crlIOCb = cb; - - return WOLFSSL_SUCCESS; -} -#endif - -int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm, const char* path, - int type, int monitor) -{ - WOLFSSL_ENTER("wolfSSL_CertManagerLoadCRL"); - if (cm == NULL) - return BAD_FUNC_ARG; - - if (cm->crl == NULL) { - if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Enable CRL failed"); - return WOLFSSL_FATAL_ERROR; - } - } - - return LoadCRL(cm->crl, path, type, monitor); -} - -int wolfSSL_EnableCRL(WOLFSSL* ssl, int options) -{ - WOLFSSL_ENTER("wolfSSL_EnableCRL"); - if (ssl) - return wolfSSL_CertManagerEnableCRL(ssl->ctx->cm, options); - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_DisableCRL(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_DisableCRL"); - if (ssl) - return wolfSSL_CertManagerDisableCRL(ssl->ctx->cm); - else - return BAD_FUNC_ARG; -} - -int wolfSSL_LoadCRL(WOLFSSL* ssl, const char* path, int type, int monitor) -{ - WOLFSSL_ENTER("wolfSSL_LoadCRL"); - if (ssl) - return wolfSSL_CertManagerLoadCRL(ssl->ctx->cm, path, type, monitor); - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_SetCRL_Cb(WOLFSSL* ssl, CbMissingCRL cb) -{ - WOLFSSL_ENTER("wolfSSL_SetCRL_Cb"); - if (ssl) - return wolfSSL_CertManagerSetCRL_Cb(ssl->ctx->cm, cb); - else - return BAD_FUNC_ARG; -} - -#ifdef HAVE_CRL_IO -int wolfSSL_SetCRL_IOCb(WOLFSSL* ssl, CbCrlIO cb) -{ - WOLFSSL_ENTER("wolfSSL_SetCRL_Cb"); - if (ssl) - return wolfSSL_CertManagerSetCRL_IOCb(ssl->ctx->cm, cb); - else - return BAD_FUNC_ARG; -} -#endif - -int wolfSSL_CTX_EnableCRL(WOLFSSL_CTX* ctx, int options) -{ - WOLFSSL_ENTER("wolfSSL_CTX_EnableCRL"); - if (ctx) - return wolfSSL_CertManagerEnableCRL(ctx->cm, options); - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_CTX_DisableCRL(WOLFSSL_CTX* ctx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_DisableCRL"); - if (ctx) - return wolfSSL_CertManagerDisableCRL(ctx->cm); - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_CTX_LoadCRL(WOLFSSL_CTX* ctx, const char* path, - int type, int monitor) -{ - WOLFSSL_ENTER("wolfSSL_CTX_LoadCRL"); - if (ctx) - return wolfSSL_CertManagerLoadCRL(ctx->cm, path, type, monitor); - else - return BAD_FUNC_ARG; -} - - -int wolfSSL_CTX_SetCRL_Cb(WOLFSSL_CTX* ctx, CbMissingCRL cb) -{ - WOLFSSL_ENTER("wolfSSL_CTX_SetCRL_Cb"); - if (ctx) - return wolfSSL_CertManagerSetCRL_Cb(ctx->cm, cb); - else - return BAD_FUNC_ARG; -} - -#ifdef HAVE_CRL_IO -int wolfSSL_CTX_SetCRL_IOCb(WOLFSSL_CTX* ctx, CbCrlIO cb) -{ - WOLFSSL_ENTER("wolfSSL_CTX_SetCRL_IOCb"); - if (ctx) - return wolfSSL_CertManagerSetCRL_IOCb(ctx->cm, cb); - else - return BAD_FUNC_ARG; -} -#endif - - -#endif /* HAVE_CRL */ - - -#ifdef WOLFSSL_DER_LOAD - -/* Add format parameter to allow DER load of CA files */ -int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX* ctx, const char* file, - int format) -{ - WOLFSSL_ENTER("wolfSSL_CTX_der_load_verify_locations"); - if (ctx == NULL || file == NULL) - return WOLFSSL_FAILURE; - - if (ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL, - GET_VERIFY_SETTING_CTX(ctx)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - - return WOLFSSL_FAILURE; -} - -#endif /* WOLFSSL_DER_LOAD */ - - - -WOLFSSL_ABI -int wolfSSL_CTX_use_certificate_file(WOLFSSL_CTX* ctx, const char* file, - int format) -{ - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_file"); - - if (ProcessFile(ctx, file, format, CERT_TYPE, NULL, 0, NULL, - GET_VERIFY_SETTING_CTX(ctx)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - - return WOLFSSL_FAILURE; -} - - -WOLFSSL_ABI -int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX* ctx, const char* file, - int format) -{ - WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_file"); - - if (ProcessFile(ctx, file, format, PRIVATEKEY_TYPE, NULL, 0, NULL, - GET_VERIFY_SETTING_CTX(ctx)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - - return WOLFSSL_FAILURE; -} - - -/* Sets the max chain depth when verifying a certificate chain. Default depth - * is set to MAX_CHAIN_DEPTH. - * - * ctx WOLFSSL_CTX structure to set depth in - * depth max depth - */ -void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx, int depth) { - WOLFSSL_ENTER("wolfSSL_CTX_set_verify_depth"); - - if (ctx == NULL || depth < 0 || depth > MAX_CHAIN_DEPTH) { - WOLFSSL_MSG("Bad depth argument, too large or less than 0"); - return; - } - - ctx->verifyDepth = (byte)depth; -} - - -/* get cert chaining depth using ssl struct */ -long wolfSSL_get_verify_depth(WOLFSSL* ssl) -{ - if(ssl == NULL) { - return BAD_FUNC_ARG; - } -#ifndef OPENSSL_EXTRA - return MAX_CHAIN_DEPTH; -#else - return ssl->options.verifyDepth; -#endif -} - - -/* get cert chaining depth using ctx struct */ -long wolfSSL_CTX_get_verify_depth(WOLFSSL_CTX* ctx) -{ - if (ctx == NULL) { - return BAD_FUNC_ARG; - } -#ifndef OPENSSL_EXTRA - return MAX_CHAIN_DEPTH; -#else - return ctx->verifyDepth; -#endif -} - - -WOLFSSL_ABI -int wolfSSL_CTX_use_certificate_chain_file(WOLFSSL_CTX* ctx, const char* file) -{ - /* process up to MAX_CHAIN_DEPTH plus subject cert */ - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_file"); - - if (ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CERT_TYPE, NULL, 1, NULL, - GET_VERIFY_SETTING_CTX(ctx)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - - return WOLFSSL_FAILURE; -} - - -int wolfSSL_CTX_use_certificate_chain_file_format(WOLFSSL_CTX* ctx, - const char* file, int format) -{ - /* process up to MAX_CHAIN_DEPTH plus subject cert */ - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_file_format"); - - if (ProcessFile(ctx, file, format, CERT_TYPE, NULL, 1, NULL, - GET_VERIFY_SETTING_CTX(ctx)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - - return WOLFSSL_FAILURE; -} - - -#ifndef NO_DH - -/* server Diffie-Hellman parameters */ -static int wolfSSL_SetTmpDH_file_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl, - const char* fname, int format) -{ -#ifdef WOLFSSL_SMALL_STACK - byte staticBuffer[1]; /* force heap usage */ -#else - byte staticBuffer[FILE_BUFFER_SIZE]; -#endif - byte* myBuffer = staticBuffer; - int dynamic = 0; - int ret; - long sz = 0; - XFILE file; - - if (ctx == NULL || fname == NULL) - return BAD_FUNC_ARG; - - file = XFOPEN(fname, "rb"); - if (file == XBADFILE) return WOLFSSL_BAD_FILE; - if(XFSEEK(file, 0, XSEEK_END) != 0) { - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - sz = XFTELL(file); - XREWIND(file); - - if (sz > MAX_WOLFSSL_FILE_SIZE || sz <= 0) { - WOLFSSL_MSG("SetTmpDH file size error"); - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - - if (sz > (long)sizeof(staticBuffer)) { - WOLFSSL_MSG("Getting dynamic buffer"); - myBuffer = (byte*) XMALLOC(sz, ctx->heap, DYNAMIC_TYPE_FILE); - if (myBuffer == NULL) { - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - dynamic = 1; - } - - if ( (ret = (int)XFREAD(myBuffer, 1, sz, file)) != sz) - ret = WOLFSSL_BAD_FILE; - else { - if (ssl) - ret = wolfSSL_SetTmpDH_buffer(ssl, myBuffer, sz, format); - else - ret = wolfSSL_CTX_SetTmpDH_buffer(ctx, myBuffer, sz, format); - } - - XFCLOSE(file); - if (dynamic) - XFREE(myBuffer, ctx->heap, DYNAMIC_TYPE_FILE); - - return ret; -} - -/* server Diffie-Hellman parameters */ -int wolfSSL_SetTmpDH_file(WOLFSSL* ssl, const char* fname, int format) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - return wolfSSL_SetTmpDH_file_wrapper(ssl->ctx, ssl, fname, format); -} - - -/* server Diffie-Hellman parameters */ -int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format) -{ - return wolfSSL_SetTmpDH_file_wrapper(ctx, NULL, fname, format); -} - -#endif /* NO_DH */ - -#endif /* NO_FILESYSTEM */ - -#ifdef OPENSSL_EXTRA -/* put SSL type in extra for now, not very common */ - -/* Converts a DER format key read from "bio" to a PKCS8 structure. - * - * bio input bio to read DER from - * pkey If not NULL then this pointer will be overwritten with a new PKCS8 - * structure. - * - * returns a WOLFSSL_PKCS8_PRIV_KEY_INFO pointer on success and NULL in fail - * case. - */ -WOLFSSL_PKCS8_PRIV_KEY_INFO* wolfSSL_d2i_PKCS8_PKEY_bio(WOLFSSL_BIO* bio, - WOLFSSL_PKCS8_PRIV_KEY_INFO** pkey) -{ - WOLFSSL_PKCS8_PRIV_KEY_INFO* pkcs8 = NULL; -#ifdef WOLFSSL_PEM_TO_DER - unsigned char* mem = NULL; - int memSz; - int keySz; - word32 algId; - - WOLFSSL_MSG("wolfSSL_d2i_PKCS8_PKEY_bio()"); - - if (bio == NULL) { - return NULL; - } - - if ((memSz = wolfSSL_BIO_get_mem_data(bio, &mem)) < 0) { - return NULL; - } - - if ((keySz = wc_KeyPemToDer(mem, memSz, mem, memSz, NULL)) < 0) { - WOLFSSL_MSG("Not PEM format"); - keySz = memSz; - if ((keySz = ToTraditional_ex((byte*)mem, (word32)keySz, &algId)) < 0) { - return NULL; - } - } - - pkcs8 = wolfSSL_EVP_PKEY_new(); - if (pkcs8 == NULL) { - return NULL; - } - - pkcs8->pkey.ptr = (char*)XMALLOC(keySz, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - if (pkcs8->pkey.ptr == NULL) { - wolfSSL_EVP_PKEY_free(pkcs8); - return NULL; - } - XMEMCPY(pkcs8->pkey.ptr, mem, keySz); - pkcs8->pkey_sz = keySz; - - if (pkey != NULL) { - *pkey = pkcs8; - } -#else - (void)bio; - (void)pkey; -#endif /* WOLFSSL_PEM_TO_DER */ - - return pkcs8; -} - - -/* expecting DER format public key - * - * bio input bio to read DER from - * out If not NULL then this pointer will be overwritten with a new - * WOLFSSL_EVP_PKEY pointer - * - * returns a WOLFSSL_EVP_PKEY pointer on success and NULL in fail case. - */ -WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY_bio(WOLFSSL_BIO* bio, - WOLFSSL_EVP_PKEY** out) -{ - unsigned char* mem; - long memSz; - WOLFSSL_EVP_PKEY* pkey = NULL; - - WOLFSSL_ENTER("wolfSSL_d2i_PUBKEY_bio()"); - - if (bio == NULL) { - return NULL; - } - (void)out; - - memSz = wolfSSL_BIO_pending(bio); - if (memSz <= 0) { - return NULL; - } - - mem = (unsigned char*)XMALLOC(memSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (mem == NULL) { - return NULL; - } - - if (wolfSSL_BIO_read(bio, mem, (int)memSz) == memSz) { - pkey = wolfSSL_d2i_PUBKEY(NULL, (const unsigned char**)&mem, memSz); - if (out != NULL && pkey != NULL) { - *out = pkey; - } - } - - XFREE(mem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - return pkey; -} - - - -/* Converts a DER encoded public key to a WOLFSSL_EVP_PKEY structure. - * - * out pointer to new WOLFSSL_EVP_PKEY structure. Can be NULL - * in DER buffer to convert - * inSz size of in buffer - * - * returns a pointer to a new WOLFSSL_EVP_PKEY structure on success and NULL - * on fail - */ -WOLFSSL_EVP_PKEY* wolfSSL_d2i_PUBKEY(WOLFSSL_EVP_PKEY** out, - const unsigned char** in, long inSz) -{ - WOLFSSL_EVP_PKEY* pkey = NULL; - const unsigned char* mem; - long memSz = inSz; - - WOLFSSL_ENTER("wolfSSL_d2i_PUBKEY"); - - if (in == NULL || inSz < 0) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - mem = *in; - - #if !defined(NO_RSA) - { - RsaKey rsa; - word32 keyIdx = 0; - - /* test if RSA key */ - if (wc_InitRsaKey(&rsa, NULL) == 0 && - wc_RsaPublicKeyDecode(mem, &keyIdx, &rsa, (word32)memSz) == 0) { - wc_FreeRsaKey(&rsa); - pkey = wolfSSL_EVP_PKEY_new(); - if (pkey != NULL) { - pkey->pkey_sz = keyIdx; - pkey->pkey.ptr = (char*)XMALLOC(memSz, NULL, - DYNAMIC_TYPE_PUBLIC_KEY); - if (pkey->pkey.ptr == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - XMEMCPY(pkey->pkey.ptr, mem, keyIdx); - pkey->type = EVP_PKEY_RSA; - if (out != NULL) { - *out = pkey; - } - - pkey->ownRsa = 1; - pkey->rsa = wolfSSL_RSA_new(); - if (pkey->rsa == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - - if (wolfSSL_RSA_LoadDer_ex(pkey->rsa, - (const unsigned char*)pkey->pkey.ptr, - pkey->pkey_sz, WOLFSSL_RSA_LOAD_PUBLIC) != 1) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - - return pkey; - } - } - wc_FreeRsaKey(&rsa); - } - #endif /* NO_RSA */ - - #ifdef HAVE_ECC - { - word32 keyIdx = 0; - ecc_key ecc; - - if (wc_ecc_init(&ecc) == 0 && - wc_EccPublicKeyDecode(mem, &keyIdx, &ecc, (word32)memSz) == 0) { - wc_ecc_free(&ecc); - pkey = wolfSSL_EVP_PKEY_new(); - if (pkey != NULL) { - pkey->pkey_sz = keyIdx; - pkey->pkey.ptr = (char*)XMALLOC(keyIdx, NULL, - DYNAMIC_TYPE_PUBLIC_KEY); - if (pkey->pkey.ptr == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - XMEMCPY(pkey->pkey.ptr, mem, keyIdx); - pkey->type = EVP_PKEY_EC; - if (out != NULL) { - *out = pkey; - } - - pkey->ownEcc = 1; - pkey->ecc = wolfSSL_EC_KEY_new(); - if (pkey->ecc == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - - if (wolfSSL_EC_KEY_LoadDer_ex(pkey->ecc, - (const unsigned char*)pkey->pkey.ptr, - pkey->pkey_sz, WOLFSSL_EC_KEY_LOAD_PUBLIC) != 1) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - - return pkey; - } - } - wc_ecc_free(&ecc); - } - #endif /* HAVE_ECC */ - - #if !defined(NO_DSA) - { - DsaKey dsa; - word32 keyIdx = 0; - - /* test if DSA key */ - if (wc_InitDsaKey(&dsa) == 0 && - wc_DsaPublicKeyDecode(mem, &keyIdx, &dsa, (word32)memSz) == 0) { - wc_FreeDsaKey(&dsa); - pkey = wolfSSL_EVP_PKEY_new(); - - if (pkey != NULL) { - pkey->pkey_sz = keyIdx; - pkey->pkey.ptr = (char*)XMALLOC(memSz, NULL, - DYNAMIC_TYPE_PUBLIC_KEY); - if (pkey->pkey.ptr == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - XMEMCPY(pkey->pkey.ptr, mem, keyIdx); - pkey->type = EVP_PKEY_DSA; - if (out != NULL) { - *out = pkey; - } - - pkey->ownDsa = 1; - pkey->dsa = wolfSSL_DSA_new(); - if (pkey->dsa == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - - - if (wolfSSL_DSA_LoadDer_ex(pkey->dsa, - (const unsigned char*)pkey->pkey.ptr, - pkey->pkey_sz, WOLFSSL_DSA_LOAD_PUBLIC) != 1) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - - return pkey; - } - } - wc_FreeDsaKey(&dsa); - } - #endif /* NO_DSA */ - - #if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) - { - DhKey dh; - word32 keyIdx = 0; - - /* test if DH key */ - if (wc_InitDhKey(&dh) == 0 && - wc_DhKeyDecode(mem, &keyIdx, &dh, (word32)memSz) == 0) { - wc_FreeDhKey(&dh); - pkey = wolfSSL_EVP_PKEY_new(); - - if (pkey != NULL) { - pkey->pkey_sz = (int)memSz; - pkey->pkey.ptr = (char*)XMALLOC(memSz, NULL, - DYNAMIC_TYPE_PUBLIC_KEY); - if (pkey->pkey.ptr == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - XMEMCPY(pkey->pkey.ptr, mem, memSz); - pkey->type = EVP_PKEY_DH; - if (out != NULL) { - *out = pkey; - } - - pkey->ownDh = 1; - pkey->dh = wolfSSL_DH_new(); - if (pkey->dh == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - - if (wolfSSL_DH_LoadDer(pkey->dh, - (const unsigned char*)pkey->pkey.ptr, - pkey->pkey_sz) != WOLFSSL_SUCCESS) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - - return pkey; - } - } - wc_FreeDhKey(&dh); - } - #endif /* !NO_DH && (WOLFSSL_QT || OPENSSL_ALL) */ - - return pkey; -} - - -/* Reads in a DER format key. If PKCS8 headers are found they are stripped off. - * - * type type of key - * out newly created WOLFSSL_EVP_PKEY structure - * in pointer to input key DER - * inSz size of in buffer - * - * On success a non null pointer is returned and the pointer in is advanced the - * same number of bytes read. - */ -WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey(int type, WOLFSSL_EVP_PKEY** out, - const unsigned char **in, long inSz) -{ - WOLFSSL_EVP_PKEY* local; - word32 idx = 0; - int ret; - word32 algId; - - WOLFSSL_ENTER("wolfSSL_d2i_PrivateKey"); - - if (in == NULL || inSz < 0) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - - /* Check if input buffer has PKCS8 header. In the case that it does not - * have a PKCS8 header then do not error out. */ - if ((ret = ToTraditionalInline_ex((const byte*)(*in), &idx, (word32)inSz, - &algId)) > 0) { - WOLFSSL_MSG("Found and removed PKCS8 header"); - } - else { - if (ret != ASN_PARSE_E) { - WOLFSSL_MSG("Unexpected error with trying to remove PKCS8 header"); - return NULL; - } - } - - if (out != NULL && *out != NULL) { - wolfSSL_EVP_PKEY_free(*out); - *out = NULL; - } - local = wolfSSL_EVP_PKEY_new(); - if (local == NULL) { - return NULL; - } - - /* sanity check on idx before use */ - if ((int)idx > inSz) { - WOLFSSL_MSG("Issue with index pointer"); - wolfSSL_EVP_PKEY_free(local); - local = NULL; - return NULL; - } - - local->type = type; - local->pkey_sz = (int)inSz - idx; - local->pkey.ptr = (char*)XMALLOC(inSz - idx, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - if (local->pkey.ptr == NULL) { - wolfSSL_EVP_PKEY_free(local); - local = NULL; - return NULL; - } - else { - XMEMCPY(local->pkey.ptr, *in + idx, inSz - idx); - } - - switch (type) { -#ifndef NO_RSA - case EVP_PKEY_RSA: - local->ownRsa = 1; - local->rsa = wolfSSL_RSA_new(); - if (local->rsa == NULL) { - wolfSSL_EVP_PKEY_free(local); - return NULL; - } - if (wolfSSL_RSA_LoadDer_ex(local->rsa, - (const unsigned char*)local->pkey.ptr, local->pkey_sz, - WOLFSSL_RSA_LOAD_PRIVATE) != SSL_SUCCESS) { - wolfSSL_EVP_PKEY_free(local); - return NULL; - } - break; -#endif /* NO_RSA */ -#ifdef HAVE_ECC - case EVP_PKEY_EC: - local->ownEcc = 1; - local->ecc = wolfSSL_EC_KEY_new(); - if (local->ecc == NULL) { - wolfSSL_EVP_PKEY_free(local); - return NULL; - } - if (wolfSSL_EC_KEY_LoadDer(local->ecc, - (const unsigned char*)local->pkey.ptr, local->pkey_sz) - != SSL_SUCCESS) { - wolfSSL_EVP_PKEY_free(local); - return NULL; - } - break; -#endif /* HAVE_ECC */ -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) -#ifndef NO_DSA - case EVP_PKEY_DSA: - local->ownDsa = 1; - local->dsa = wolfSSL_DSA_new(); - if (local->dsa == NULL) { - wolfSSL_EVP_PKEY_free(local); - return NULL; - } - if (wolfSSL_DSA_LoadDer(local->dsa, - (const unsigned char*)local->pkey.ptr, local->pkey_sz) - != SSL_SUCCESS) { - wolfSSL_EVP_PKEY_free(local); - return NULL; - } - break; -#endif /* NO_DSA */ -#ifndef NO_DH - case EVP_PKEY_DH: - local->ownDh = 1; - local->dh = wolfSSL_DH_new(); - if (local->dh == NULL) { - wolfSSL_EVP_PKEY_free(local); - return NULL; - } - if (wolfSSL_DH_LoadDer(local->dh, - (const unsigned char*)local->pkey.ptr, local->pkey_sz) - != SSL_SUCCESS) { - wolfSSL_EVP_PKEY_free(local); - return NULL; - } - break; -#endif /* HAVE_DH */ -#endif /* WOLFSSL_QT || OPENSSL_ALL */ - default: - WOLFSSL_MSG("Unsupported key type"); - wolfSSL_EVP_PKEY_free(local); - return NULL; - } - - /* advance pointer with success */ - if (local != NULL) { - if ((idx + local->pkey_sz) <= (word32)inSz) { - *in = *in + idx + local->pkey_sz; - } - - if (out != NULL) { - *out = local; - } - } - - return local; -} - -#ifndef NO_CERTS - -int wolfSSL_check_private_key(const WOLFSSL* ssl) -{ - DecodedCert der; - word32 size; - byte* buff; - int ret; - - if (ssl == NULL) { - return WOLFSSL_FAILURE; - } - - size = ssl->buffers.certificate->length; - buff = ssl->buffers.certificate->buffer; - InitDecodedCert(&der, buff, size, ssl->heap); -#ifdef HAVE_PK_CALLBACKS - ret = InitSigPkCb((WOLFSSL*)ssl, &der.sigCtx); - if (ret != 0) { - FreeDecodedCert(&der); - return ret; - } -#endif - - if (ParseCertRelative(&der, CERT_TYPE, NO_VERIFY, NULL) != 0) { - FreeDecodedCert(&der); - return WOLFSSL_FAILURE; - } - - size = ssl->buffers.key->length; - buff = ssl->buffers.key->buffer; - ret = wc_CheckPrivateKey(buff, size, &der); - FreeDecodedCert(&der); - return ret; -} - -#if defined(OPENSSL_ALL) -/* Returns the number of X509V3 extensions in X509 object, or 0 on failure */ -int wolfSSL_X509_get_ext_count(const WOLFSSL_X509* passedCert) -{ - int extCount = 0; - int length = 0; - int outSz = 0; - const byte* rawCert; - int sz = 0; - word32 idx = 0; - DecodedCert cert; - const byte* input; - - WOLFSSL_ENTER("wolfSSL_X509_get_ext_count()"); - if (passedCert == NULL) { - WOLFSSL_MSG("\tNot passed a certificate"); - return WOLFSSL_FAILURE; - } - - rawCert = wolfSSL_X509_get_der((WOLFSSL_X509*)passedCert, &outSz); - if (rawCert == NULL) { - WOLFSSL_MSG("\tpassedCert has no internal DerBuffer set."); - return WOLFSSL_FAILURE; - } - InitDecodedCert(&cert, rawCert, (word32)outSz, 0); - - if (ParseCert(&cert, CA_TYPE, NO_VERIFY, NULL) < 0) { - WOLFSSL_MSG("\tCertificate parsing failed"); - return WOLFSSL_FAILURE; - } - - input = cert.extensions; - sz = cert.extensionsSz; - - if (input == NULL || sz == 0) { - WOLFSSL_MSG("\tsz or input NULL error"); - FreeDecodedCert(&cert); - return WOLFSSL_FAILURE; - } - - if (input[idx++] != ASN_EXTENSIONS) { - WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); - FreeDecodedCert(&cert); - return WOLFSSL_FAILURE; - } - - if (GetLength(input, &idx, &length, sz) < 0) { - WOLFSSL_MSG("\tfail: invalid length"); - FreeDecodedCert(&cert); - return WOLFSSL_FAILURE; - } - - if (GetSequence(input, &idx, &length, sz) < 0) { - WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)"); - FreeDecodedCert(&cert); - return WOLFSSL_FAILURE; - } - - while (idx < (word32)sz) { - if (GetSequence(input, &idx, &length, sz) < 0) { - WOLFSSL_MSG("\tfail: should be a SEQUENCE"); - FreeDecodedCert(&cert); - return WOLFSSL_FAILURE; - } - idx += length; - extCount++; - } - FreeDecodedCert(&cert); - return extCount; -} - -/* Creates and returns pointer to a new X509_EXTENSION object in memory */ -WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_new(void) -{ - WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_new"); - - WOLFSSL_X509_EXTENSION* newExt; - newExt = (WOLFSSL_X509_EXTENSION*)XMALLOC(sizeof(WOLFSSL_X509_EXTENSION), - NULL, DYNAMIC_TYPE_X509_EXT); - if (newExt == NULL) - return NULL; - XMEMSET(newExt, 0, sizeof(WOLFSSL_X509_EXTENSION)); - - return newExt; -} - -void wolfSSL_X509_EXTENSION_free(WOLFSSL_X509_EXTENSION* x) -{ - WOLFSSL_ASN1_STRING asn1; - WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_free"); - if (x == NULL) - return; - - if (x->obj != NULL) - wolfSSL_ASN1_OBJECT_free(x->obj); - - asn1 = x->value; - if (asn1.length > 0 && asn1.data != NULL && asn1.isDynamic) - XFREE(asn1.data, NULL, DYNAMIC_TYPE_OPENSSL); - - wolfSSL_sk_free(x->ext_sk); - - XFREE(x, NULL, DYNAMIC_TYPE_X509_EXT); -} - -/* Creates and returns a new WOLFSSL_X509_EXTENSION stack. */ -WOLFSSL_STACK* wolfSSL_sk_new_x509_ext(void) -{ - WOLFSSL_STACK* sk; - WOLFSSL_ENTER("wolfSSL_sk_new_x509_ext"); - - sk = wolfSSL_sk_new_null(); - if (sk) { - sk->type = STACK_TYPE_X509_EXT; - } - return sk; -} - -/* return 1 on success 0 on fail */ -int wolfSSL_sk_X509_EXTENSION_push(WOLFSSL_STACK* sk,WOLFSSL_X509_EXTENSION* ext) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_X509_EXTENSION_push"); - - if (sk == NULL || ext == NULL) { - return WOLFSSL_FAILURE; - } - - /* no previous values in stack */ - if (sk->data.ext == NULL) { - sk->data.ext = ext; - sk->num += 1; - return WOLFSSL_SUCCESS; - } - - /* stack already has value(s) create a new node and add more */ - node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_X509); - if (node == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - XMEMSET(node, 0, sizeof(WOLFSSL_STACK)); - - /* push new obj onto head of stack */ - node->data.ext = sk->data.ext; - node->next = sk->next; - node->type = sk->type; - sk->next = node; - sk->data.ext = ext; - sk->num += 1; - - return WOLFSSL_SUCCESS; -} - -/* Free the structure for X509_EXTENSION stack - * - * sk stack to free nodes in - */ -void wolfSSL_sk_X509_EXTENSION_free(WOLFSSL_STACK* sk) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_X509_EXTENSION_free"); - - if (sk == NULL) { - return; - } - - /* parse through stack freeing each node */ - node = sk->next; - while ((node != NULL) && (sk->num > 1)) { - WOLFSSL_STACK* tmp = node; - node = node->next; - - wolfSSL_X509_EXTENSION_free(tmp->data.ext); - XFREE(tmp, NULL, DYNAMIC_TYPE_X509); - sk->num -= 1; - } - - /* free head of stack */ - if (sk->num == 1) { - wolfSSL_X509_EXTENSION_free(sk->data.ext); - } - XFREE(sk, NULL, DYNAMIC_TYPE_X509); -} - -int wolfSSL_ASN1_BIT_STRING_set_bit(WOLFSSL_ASN1_BIT_STRING* str, int pos, - int val) -{ - int bytes_cnt, bit; - byte* temp; - - if (!str || (val != 0 && val != 1) || pos < 0) { - return WOLFSSL_FAILURE; - } - - bytes_cnt = pos/8; - bit = 1<<(7-(pos%8)); - - if (bytes_cnt+1 > str->length) { - if (!(temp = (byte*)XREALLOC(str->data, bytes_cnt+1, NULL, - DYNAMIC_TYPE_OPENSSL))) { - return WOLFSSL_FAILURE; - } - XMEMSET(temp+str->length, 0, bytes_cnt+1 - str->length); - str->data = temp; - str->length = bytes_cnt+1; - } - - str->data[bytes_cnt] &= ~bit; - str->data[bytes_cnt] |= val ? bit : 0; - - return WOLFSSL_SUCCESS; -} - -/* Gets the X509_EXTENSION* ext based on it's location in WOLFSSL_X509* x509. - * - * x509 : The X509 structure to look for the extension. - * loc : Location of the extension. If the extension is found at the given - * location, a new X509_EXTENSION structure is populated with extension-specific - * data based on the extension type. - - * Returns NULL on error or pointer to X509_EXTENSION structure containing the - * extension. The returned X509_EXTENSION should not be free'd by caller. - * The returned X509_EXTENSION is pushed onto a stack inside the x509 argument. - * This is later free'd when x509 is free'd. - * - * NOTE: for unknown extension NIDs, a X509_EXTENSION is populated with the - * extension oid as the ASN1_OBJECT (QT compatibility) - */ -WOLFSSL_X509_EXTENSION* wolfSSL_X509_get_ext(const WOLFSSL_X509* x509, int loc) -{ - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ENTER("wolfSSL_X509_get_ext"); - if (x509 == NULL) - return NULL; - - ext = wolfSSL_X509_set_ext((WOLFSSL_X509*) x509, loc); - return ext; -} - -/* Pushes a new X509_EXTENSION* ext onto the stack inside WOLFSSL_X509* x509. - * This is currently a helper function for wolfSSL_X509_get_ext - * Caller does not free the returned WOLFSSL_X509_EXTENSION* - */ -WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) -{ - int extCount = 0, length = 0, outSz = 0, sz = 0, ret = 0; - int objSz = 0, isSet = 0; - const byte* rawCert; - const byte* input; - byte* oidBuf; - word32 oid, idx = 0, tmpIdx = 0; - WOLFSSL_X509_EXTENSION* ext = NULL; - WOLFSSL_ASN1_INTEGER* a; - WOLFSSL_STACK* sk; - DecodedCert cert; - - WOLFSSL_ENTER("wolfSSL_X509_set_ext"); - - if(x509 == NULL){ - WOLFSSL_MSG("\tNot passed a certificate"); - return NULL; - } - - if(loc <0 || (loc > wolfSSL_X509_get_ext_count(x509))){ - WOLFSSL_MSG("\tBad location argument"); - return NULL; - } - - ext = wolfSSL_X509_EXTENSION_new(); - if (ext == NULL) { - WOLFSSL_MSG("\tX509_EXTENSION_new() failed"); - return NULL; - } - - rawCert = wolfSSL_X509_get_der((WOLFSSL_X509*)x509, &outSz); - if (rawCert == NULL) { - WOLFSSL_MSG("\tX509_get_der() failed"); - wolfSSL_X509_EXTENSION_free(ext); - return NULL; - } - - InitDecodedCert( &cert, rawCert, (word32)outSz, 0); - - if (ParseCert(&cert, CA_TYPE, NO_VERIFY, NULL) < 0) { - WOLFSSL_MSG("\tCertificate parsing failed"); - wolfSSL_X509_EXTENSION_free(ext); - return NULL; - } - - input = cert.extensions; - sz = cert.extensionsSz; - - if (input == NULL || sz == 0) { - WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - - if (input[idx++] != ASN_EXTENSIONS) { - WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - - if (GetLength(input, &idx, &length, sz) < 0) { - WOLFSSL_MSG("\tfail: invalid length"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - - if (GetSequence(input, &idx, &length, sz) < 0) { - WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - - while (idx < (word32)sz) { - oid = 0; - - if (GetSequence(input, &idx, &length, sz) < 0) { - WOLFSSL_MSG("\tfail: should be a SEQUENCE"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - - tmpIdx = idx; - ret = GetObjectId(input, &idx, &oid, oidCertExtType, sz); - if (ret < 0) { - WOLFSSL_MSG("\tfail: OBJECT ID"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - idx = tmpIdx; - - /* Continue while loop until extCount == loc or idx > sz */ - if (extCount != loc) { - idx += length; - extCount++; - continue; - } - /* extCount == loc. Now get the extension. */ - /* Check if extension has been set */ - isSet = wolfSSL_X509_ext_isSet_by_NID((WOLFSSL_X509*)x509, oid); - ext->obj = wolfSSL_OBJ_nid2obj(oid); - if (ext->obj == NULL) { - WOLFSSL_MSG("\tfail: Invalid OBJECT"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - ext->obj->nid = oid; - - switch (oid) { - case BASIC_CA_OID: - if (!isSet) - break; - /* Set pathlength */ - a = wolfSSL_ASN1_INTEGER_new(); - if (a == NULL) { - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - a->length = x509->pathLength; - - /* Save ASN1_INTEGER in x509 extension */ - ext->obj->pathlen = a; - - ext->obj->ca = x509->isCa; - ext->crit = x509->basicConstCrit; - break; - - case AUTH_INFO_OID: - if (!isSet) - break; - - /* Create a stack to hold both the caIssuer and ocsp objects - in X509_EXTENSION structure */ - sk = (WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)*)XMALLOC( - sizeof(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)), - NULL, DYNAMIC_TYPE_ASN1); - if (sk == NULL) { - WOLFSSL_MSG("Failed to malloc stack"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - XMEMSET(sk, 0, sizeof(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT))); - sk->type = STACK_TYPE_OBJ; - - /* Add CaIssuers object to stack */ - if (x509->authInfoCaIssuer != NULL && - x509->authInfoCaIssuerSz > 0) - { - WOLFSSL_ASN1_OBJECT* obj; - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Error creating ASN1 object"); - wolfSSL_sk_ASN1_OBJECT_free(sk); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - obj->obj = (byte*)x509->authInfoCaIssuer; - obj->objSz = x509->authInfoCaIssuerSz; - obj->grp = oidCertAuthInfoType; - obj->nid = AIA_CA_ISSUER_OID; - - ret = wolfSSL_sk_ASN1_OBJECT_push(sk, obj); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error pushing ASN1 object onto stack"); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_sk_ASN1_OBJECT_free(sk); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - } - - /* Add OCSP object to stack */ - if (x509->authInfo != NULL && - x509->authInfoSz > 0) - { - WOLFSSL_ASN1_OBJECT* obj; - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Error creating ASN1 object"); - wolfSSL_sk_ASN1_OBJECT_free(sk); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - obj->obj = x509->authInfo; - obj->objSz = x509->authInfoSz; - obj->grp = oidCertAuthInfoType; - obj->nid = AIA_OCSP_OID; - - ret = wolfSSL_sk_ASN1_OBJECT_push(sk, obj); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error pushing ASN1 object onto stack"); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_sk_ASN1_OBJECT_free(sk); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - } - ext->ext_sk = sk; - ext->crit = x509->authInfoCrit; - break; - - case AUTH_KEY_OID: - if (!isSet) - break; - - ret = wolfSSL_ASN1_STRING_set(&ext->value, x509->authKeyId, - x509->authKeyIdSz); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set() failed"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - ext->crit = x509->authKeyIdCrit; - break; - - case SUBJ_KEY_OID: - if (!isSet) - break; - - ret = wolfSSL_ASN1_STRING_set(&ext->value, x509->subjKeyId, - x509->subjKeyIdSz); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set() failed"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - ext->crit = x509->subjKeyIdCrit; - break; - - case CERT_POLICY_OID: - if (!isSet) - break; - ext->crit = x509->certPolicyCrit; - break; - - case KEY_USAGE_OID: - if (!isSet) - break; - - ret = wolfSSL_ASN1_STRING_set(&ext->value, - (byte*)&(x509->keyUsage), sizeof(word16)); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set() failed"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - ext->crit = x509->keyUsageCrit; - break; - - case EXT_KEY_USAGE_OID: - if (!isSet) - break; - ext->crit = x509->keyUsageCrit; - break; - - case CRL_DIST_OID: - if (!isSet) - break; - ext->crit = x509->CRLdistCrit; - break; - - case ALT_NAMES_OID: - { - WOLFSSL_GENERAL_NAME* gn = NULL; - DNS_entry* dns = NULL; - if (!isSet) - break; - - sk = (WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)*)XMALLOC( - sizeof(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)), NULL, - DYNAMIC_TYPE_ASN1); - if (sk == NULL) { - return NULL; - } - XMEMSET(sk, 0, sizeof(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME))); - sk->type = STACK_TYPE_GEN_NAME; - - if (x509->subjAltNameSet && x509->altNames != NULL) { - /* alt names are DNS_entry structs */ - dns = x509->altNames; - /* Currently only support GEN_DNS type */ - while (dns != NULL) { - gn = wolfSSL_GENERAL_NAME_new(); - if (gn == NULL) { - WOLFSSL_MSG("Error creating GENERAL_NAME"); - wolfSSL_sk_free(sk); - return NULL; - } - - gn->type = dns->type; - gn->d.ia5->length = dns->len; - if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, - gn->d.ia5->length) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set failed"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_free(sk); - return NULL; - } - - dns = dns->next; - /* last dns in list add at end of function */ - if (dns != NULL) { - if (wolfSSL_sk_GENERAL_NAME_push(sk, gn) != - WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error pushing onto stack"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_free(sk); - sk = NULL; - } - } - } - if (wolfSSL_sk_GENERAL_NAME_push(sk,gn) != - WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error pushing onto stack"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_free(sk); - sk = NULL; - } - } - ext->ext_sk = sk; - ext->crit = x509->subjAltNameCrit; - break; - } - - default: - WOLFSSL_MSG("Unknown extension type found, parsing OID"); - /* If the extension type is not recognized/supported, - set the ASN1_OBJECT in the extension with the - parsed oid for access in later function calls */ - - /* Get OID from input */ - if (GetASNObjectId(input, &idx, &length, sz) != 0) { - WOLFSSL_MSG("Failed to Get ASN Object Id"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - oidBuf = (byte*)XMALLOC(length+1+MAX_LENGTH_SZ, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (oidBuf == NULL) { - WOLFSSL_MSG("Failed to malloc tmp buffer"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - oidBuf[0] = ASN_OBJECT_ID; - objSz++; - objSz += SetLength(length, oidBuf + 1); - objSz += length; - - /* Set object size and reallocate space in object buffer */ - ext->obj->objSz = objSz; - if(((ext->obj->dynamic & WOLFSSL_ASN1_DYNAMIC_DATA) != 0) || - (ext->obj->obj == NULL)) { - ext->obj->obj =(byte*)XREALLOC((byte*)ext->obj->obj, - ext->obj->objSz, - NULL,DYNAMIC_TYPE_ASN1); - if (ext->obj->obj == NULL) { - wolfSSL_ASN1_OBJECT_free(ext->obj); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - ext->obj->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA; - } else { - ext->obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC_DATA; - } - /* Get OID from input and copy to ASN1_OBJECT buffer */ - XMEMCPY(oidBuf+2, input+idx, length); - XMEMCPY((byte*)ext->obj->obj, oidBuf, ext->obj->objSz); - XFREE(oidBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - oidBuf = NULL; - ext->obj->grp = oidCertExtType; - ext->crit = 0; - - /* Get extension data and copy as ASN1_STRING */ - tmpIdx = idx + length; - if ((tmpIdx >= (word32)sz) || (input[tmpIdx++] != ASN_OCTET_STRING)) { - WOLFSSL_MSG("Error decoding unknown extension data"); - wolfSSL_ASN1_OBJECT_free(ext->obj); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - - if (GetLength(input, &tmpIdx, &length, sz) <= 0) { - WOLFSSL_MSG("Error: Invalid Input Length."); - wolfSSL_ASN1_OBJECT_free(ext->obj); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - ext->value.data = (char*)XMALLOC(length, NULL, DYNAMIC_TYPE_ASN1); - ext->value.isDynamic = 1; - if (ext->value.data == NULL) { - WOLFSSL_MSG("Failed to malloc ASN1_STRING data"); - wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); - return NULL; - } - XMEMCPY(ext->value.data,input+tmpIdx,length); - ext->value.length = length; - } /* switch(oid) */ - - break; /* Got the Extension. Now exit while loop. */ - - } /* while(idx < sz) */ - - /* Store the new extension in a stack inside x509 - * The extensions on the stack are free'd internally when FreeX509 is called - */ - if (x509->ext_sk == NULL) - x509->ext_sk = wolfSSL_sk_new_x509_ext(); - if (x509->ext_sk != NULL) - wolfSSL_sk_X509_EXTENSION_push(x509->ext_sk, ext); - - FreeDecodedCert(&cert); - return ext; -} - -/* Return 0 on success and 1 on failure. Copies ext data to bio, using indent - * to pad the output. flag is ignored. */ -int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, - unsigned long flag, int indent) -{ - ASN1_OBJECT* obj; - ASN1_STRING* str; - int nid; - const int sz = CTC_NAME_SIZE*2; - int rc = WOLFSSL_FAILURE; - char tmp[CTC_NAME_SIZE*2]; - WOLFSSL_ENTER("wolfSSL_X509V3_EXT_print"); - - if ((out == NULL) || (ext == NULL)) { - WOLFSSL_MSG("NULL parameter error"); - return rc; - } - - obj = wolfSSL_X509_EXTENSION_get_object(ext); - if (obj == NULL) { - WOLFSSL_MSG("Error getting ASN1_OBJECT from X509_EXTENSION"); - return rc; - } - - str = wolfSSL_X509_EXTENSION_get_data(ext); - if (obj == NULL) { - WOLFSSL_MSG("Error getting ASN1_STRING from X509_EXTENSION"); - return rc; - } - - /* Print extension based on the type */ - nid = wolfSSL_OBJ_obj2nid(obj); - switch (nid) { - case BASIC_CA_OID: - { - char isCa[] = "TRUE"; - char notCa[] = "FALSE"; - XSNPRINTF(tmp, sz, "%*sCA:%s", indent, "", - obj->ca ? isCa : notCa); - break; - } - case ALT_NAMES_OID: - { - WOLFSSL_STACK* sk; - char* val; - int len; - tmp[0] = '\0'; /* Make sure tmp is null-terminated */ - - sk = ext->ext_sk; - while (sk != NULL) { - if (sk->type == STACK_TYPE_GEN_NAME && sk->data.gn) { - /* str is GENERAL_NAME for subject alternative name ext */ - str = sk->data.gn->d.ia5; - len = str->length + 2; /* + 2 for NULL char and "," */ - if (len > sz) { - WOLFSSL_MSG("len greater than buffer size"); - return rc; - } - - val = (char*)XMALLOC(len + indent, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (val == NULL) { - WOLFSSL_MSG("Memory error"); - return rc; - } - if (sk->next) - XSNPRINTF(val, len, "%*s%s, ", indent, "", str->strData); - else - XSNPRINTF(val, len, "%*s%s", indent, "", str->strData); - - XSTRNCAT(tmp, val, len); - XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); - } - sk = sk->next; - } - break; - } - case AUTH_KEY_OID: - case SUBJ_KEY_OID: - { - char* asn1str; - asn1str = wolfSSL_i2s_ASN1_STRING(NULL, str); - XSNPRINTF(tmp, sz, "%*s%s", indent, "", asn1str); - XFREE(asn1str, NULL, DYNAMIC_TYPE_TMP_BUFFER); - break; - } - case AUTH_INFO_OID: - case CERT_POLICY_OID: - case CRL_DIST_OID: - case KEY_USAGE_OID: - WOLFSSL_MSG("X509V3_EXT_print not yet implemented for ext type"); - break; - - default: - XSNPRINTF(tmp, sz, "%*s%s", indent, "", str->strData); - } - - if (wolfSSL_BIO_write(out, tmp, (int)XSTRLEN(tmp)) == (int)XSTRLEN(tmp)) { - rc = WOLFSSL_SUCCESS; - } - (void) flag; - - return rc; -} - -/* Returns crit flag in X509_EXTENSION object */ -int wolfSSL_X509_EXTENSION_get_critical(const WOLFSSL_X509_EXTENSION* ex) -{ - WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_get_critical"); - if (ex == NULL) - return BAD_FUNC_ARG; - return ex->crit; -} - -/* Creates v3_ext_method for a given X509v3 extension - * - * ex : The X509_EXTENSION used to create v3_ext_method. If the extension is - * not NULL, get the NID of the extension object and populate the - * extension type-specific X509V3_EXT_* function(s) in v3_ext_method. - * - * Returns NULL on error or pointer to the v3_ext_method populated with extension - * type-specific X509V3_EXT_* function(s). - * - * NOTE: NID_subject_key_identifier is currently the only extension implementing - * the X509V3_EXT_* functions, as it is the only type called directly by QT. The - * other extension types return a pointer to a v3_ext_method struct that contains - * only the NID. - */ -const WOLFSSL_v3_ext_method* wolfSSL_X509V3_EXT_get(WOLFSSL_X509_EXTENSION* ex) -{ - int nid; - WOLFSSL_v3_ext_method method; - - WOLFSSL_ENTER("wolfSSL_X509V3_EXT_get"); - if ((ex == NULL) || (ex->obj == NULL)) { - WOLFSSL_MSG("Passed an invalid X509_EXTENSION*"); - return NULL; - } - /* Initialize all methods to NULL */ - method.d2i = NULL; - method.i2v = NULL; - method.i2s = NULL; - method.i2r = NULL; - - nid = ex->obj->nid; - if (nid <= 0) { - WOLFSSL_MSG("Failed to get nid from passed extension object"); - return NULL; - } - - switch (nid) { - case NID_basic_constraints: - break; - case NID_subject_key_identifier: - method.i2s = (X509V3_EXT_I2S)wolfSSL_i2s_ASN1_STRING; - break; - case NID_key_usage: - WOLFSSL_MSG("i2v function not yet implemented for Key Usage"); - break; - case NID_authority_key_identifier: - WOLFSSL_MSG("i2v function not yet implemented for Auth Key Id"); - break; - case NID_info_access: - WOLFSSL_MSG("i2v function not yet implemented for Info Access"); - break; - case NID_ext_key_usage: - WOLFSSL_MSG("i2v function not yet implemented for Ext Key Usage"); - break; - case NID_certificate_policies: - WOLFSSL_MSG("r2i function not yet implemented for Cert Policies"); - break; - case NID_crl_distribution_points: - WOLFSSL_MSG("r2i function not yet implemented for CRL Dist Points"); - break; - default: - /* If extension type is unknown, return NULL -- QT makes call to - X509_EXTENSION_get_data() if there is no v3_ext_method */ - WOLFSSL_MSG("X509V3_EXT_get(): Unknown extension type found"); - return NULL; - } - - method.ext_nid = nid; - ex->ext_method = method; - - return (const WOLFSSL_v3_ext_method*)&ex->ext_method; -} - -/* Parses and returns an x509v3 extension internal structure. - * - * ext : The X509_EXTENSION for parsing internal structure. If extension is - * not NULL, get the NID of the extension object and create a new - * extension-specific internal structure based on the extension type. - * - * Returns NULL on error or if NID is not found, otherwise returns a pointer to - * the extension type-specific X509_EXTENSION internal structure. - * Return is expected to be free'd by caller. - */ -void* wolfSSL_X509V3_EXT_d2i(WOLFSSL_X509_EXTENSION* ext) -{ - const WOLFSSL_v3_ext_method* method; - int ret; - WOLFSSL_ASN1_OBJECT* object; - WOLFSSL_BASIC_CONSTRAINTS* bc; - WOLFSSL_AUTHORITY_KEYID* akey; - WOLFSSL_ASN1_STRING* asn1String, *newString; - WOLFSSL_AUTHORITY_INFO_ACCESS* aia; - WOLFSSL_STACK* sk; - - WOLFSSL_ENTER("wolfSSL_X509V3_EXT_d2i"); - - if(ext == NULL) { - WOLFSSL_MSG("Bad function Argument"); - return NULL; - } - - /* extract extension info */ - method = wolfSSL_X509V3_EXT_get(ext); - if (method == NULL) { - WOLFSSL_MSG("wolfSSL_X509V3_EXT_get error"); - return NULL; - } - object = wolfSSL_X509_EXTENSION_get_object(ext); - if (object == NULL) { - WOLFSSL_MSG("X509_EXTENSION_get_object failed"); - return NULL; - } - - /* Return pointer to proper internal structure based on NID */ - switch (object->type) { - /* basicConstraints */ - case (NID_basic_constraints): - WOLFSSL_MSG("basicConstraints"); - /* Allocate new BASIC_CONSTRAINTS structure */ - bc = (WOLFSSL_BASIC_CONSTRAINTS*) - XMALLOC(sizeof(WOLFSSL_BASIC_CONSTRAINTS), NULL, - DYNAMIC_TYPE_X509_EXT); - if (bc == NULL) { - WOLFSSL_MSG("Failed to malloc basic constraints"); - return NULL; - } - /* Copy pathlen and CA into BASIC_CONSTRAINTS from object */ - bc->ca = object->ca; - if (object->pathlen->length > 0) { - bc->pathlen = wolfSSL_ASN1_INTEGER_dup(object->pathlen); - if (bc->pathlen == NULL) { - WOLFSSL_MSG("Failed to duplicate ASN1_INTEGER"); - XFREE(bc, NULL, DYNAMIC_TYPE_X509_EXT); - return NULL; - } - } - else - bc->pathlen = NULL; - return bc; - - /* subjectKeyIdentifier */ - case (NID_subject_key_identifier): - WOLFSSL_MSG("subjectKeyIdentifier"); - asn1String = wolfSSL_X509_EXTENSION_get_data(ext); - if (asn1String == NULL) { - WOLFSSL_MSG("X509_EXTENSION_get_data() failed"); - return NULL; - } - newString = wolfSSL_ASN1_STRING_new(); - if (newString == NULL) { - WOLFSSL_MSG("Failed to malloc ASN1_STRING"); - return NULL; - } - ret = wolfSSL_ASN1_STRING_set(newString, asn1String->data, - asn1String->length); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set() failed"); - wolfSSL_ASN1_STRING_free(newString); - return NULL; - }; - newString->type = asn1String->type; - return newString; - - /* authorityKeyIdentifier */ - case (NID_authority_key_identifier): - WOLFSSL_MSG("AuthorityKeyIdentifier"); - - akey = (WOLFSSL_AUTHORITY_KEYID*) - XMALLOC(sizeof(WOLFSSL_AUTHORITY_KEYID), NULL, - DYNAMIC_TYPE_X509_EXT); - if (akey == NULL) { - WOLFSSL_MSG("Failed to malloc authority key id"); - return NULL; - } - - akey->keyid = wolfSSL_ASN1_STRING_new(); - if (akey->keyid == NULL) { - WOLFSSL_MSG("ASN1_STRING_new() failed"); - wolfSSL_AUTHORITY_KEYID_free(akey); - return NULL; - } - - asn1String = wolfSSL_X509_EXTENSION_get_data(ext); - if (asn1String == NULL) { - WOLFSSL_MSG("X509_EXTENSION_get_data() failed"); - wolfSSL_AUTHORITY_KEYID_free(akey); - return NULL; - } - - ret = wolfSSL_ASN1_STRING_set(akey->keyid, asn1String->data, - asn1String->length); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set() failed"); - wolfSSL_AUTHORITY_KEYID_free(akey); - return NULL; - }; - akey->keyid->type = asn1String->type; - - /* For now, set issuer and serial to NULL. This may need to be - updated for future use */ - akey->issuer = NULL; - akey->serial = NULL; - return akey; - - /* keyUsage */ - case (NID_key_usage): - WOLFSSL_MSG("keyUsage"); - /* This may need to be updated for future use. The i2v method for - keyUsage is not currently set. For now, return the ASN1_STRING - representation of KeyUsage bit string */ - asn1String = wolfSSL_X509_EXTENSION_get_data(ext); - if (asn1String == NULL) { - WOLFSSL_MSG("X509_EXTENSION_get_data() failed"); - return NULL; - } - newString = wolfSSL_ASN1_STRING_new(); - if (newString == NULL) { - WOLFSSL_MSG("Failed to malloc ASN1_STRING"); - return NULL; - } - ret = wolfSSL_ASN1_STRING_set(newString, asn1String->data, - asn1String->length); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set() failed"); - wolfSSL_ASN1_STRING_free(newString); - return NULL; - }; - newString->type = asn1String->type; - return newString; - - /* extKeyUsage */ - case (NID_ext_key_usage): - WOLFSSL_MSG("extKeyUsage not supported yet"); - return NULL; - - /* certificatePolicies */ - case (NID_certificate_policies): - WOLFSSL_MSG("certificatePolicies not supported yet"); - return NULL; - - /* cRLDistributionPoints */ - case (NID_crl_distribution_points): - WOLFSSL_MSG("cRLDistributionPoints not supported yet"); - return NULL; - - /* authorityInfoAccess */ - case (NID_info_access): - WOLFSSL_MSG("AuthorityInfoAccess"); - - sk = ext->ext_sk; - if (sk == NULL) { - WOLFSSL_MSG("ACCESS_DESCRIPTION stack NULL"); - return NULL; - } - - /* AUTHORITY_INFO_ACCESS is a stack of ACCESS_DESCRIPTION entries */ - aia = wolfSSL_sk_new_null(); - if (aia == NULL) { - WOLFSSL_MSG("Failed to malloc AUTHORITY_INFO_ACCESS"); - return NULL; - } - aia->type = STACK_TYPE_ACCESS_DESCRIPTION; - - while (sk) { - WOLFSSL_ACCESS_DESCRIPTION* ad; - WOLFSSL_ASN1_OBJECT* aiaEntry; - - if (sk->type != STACK_TYPE_OBJ) { - sk = sk->next; - continue; - } - - aiaEntry = sk->data.obj; - - /* ACCESS_DESCRIPTION has two members, method and location. - Method: ASN1_OBJECT as either AIA_OCSP_OID or AIA_CA_ISSUER_OID - Location: GENERAL_NAME structure containing the URI. */ - - ad = (WOLFSSL_ACCESS_DESCRIPTION*) - XMALLOC(sizeof(WOLFSSL_ACCESS_DESCRIPTION), NULL, - DYNAMIC_TYPE_X509_EXT); - if (ad == NULL) { - WOLFSSL_MSG("Failed to malloc ACCESS_DESCRIPTION"); - XFREE(aia, NULL, DYNAMIC_TYPE_X509_EXT); - return NULL; - } - XMEMSET(ad, 0, sizeof(WOLFSSL_ACCESS_DESCRIPTION)); - - /* Create new ASN1_OBJECT from oid */ - ad->method = wolfSSL_OBJ_nid2obj(aiaEntry->nid); - if (ad->method == NULL) { - WOLFSSL_MSG("OBJ_nid2obj() failed"); - XFREE(aia, NULL, DYNAMIC_TYPE_X509_EXT); - XFREE(ad, NULL, DYNAMIC_TYPE_X509_EXT); - return NULL; - } - - /* Allocate memory for GENERAL NAME */ - ad->location = (WOLFSSL_GENERAL_NAME*) - XMALLOC(sizeof(WOLFSSL_GENERAL_NAME), NULL, - DYNAMIC_TYPE_OPENSSL); - if (ad->location == NULL) { - WOLFSSL_MSG("Failed to malloc GENERAL_NAME"); - wolfSSL_ASN1_OBJECT_free(ad->method); - XFREE(aia, NULL, DYNAMIC_TYPE_X509_EXT); - XFREE(ad, NULL, DYNAMIC_TYPE_X509_EXT); - return NULL; - } - XMEMSET(ad->location, 0, sizeof(WOLFSSL_GENERAL_NAME)); - ad->location->type = GEN_URI; - ad->location->d.uniformResourceIdentifier = - wolfSSL_ASN1_STRING_new(); - /* Set the URI in GENERAL_NAME */ - ret = wolfSSL_ASN1_STRING_set( - ad->location->d.uniformResourceIdentifier, - aiaEntry->obj, aiaEntry->objSz); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set() failed"); - wolfSSL_ASN1_OBJECT_free(ad->method); - XFREE(aia, NULL, DYNAMIC_TYPE_X509_EXT); - XFREE(ad, NULL, DYNAMIC_TYPE_X509_EXT); - return NULL; - } - /* Push to AUTHORITY_INFO_ACCESS stack */ - ret = wolfSSL_sk_ACCESS_DESCRIPTION_push(aia, ad); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error pushing ASN1 AD onto stack"); - wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(aia, NULL); - wolfSSL_ASN1_OBJECT_free(ad->method); - XFREE(aia, NULL, DYNAMIC_TYPE_X509_EXT); - XFREE(ad, NULL, DYNAMIC_TYPE_X509_EXT); - return NULL; - } - - sk = sk->next; - } - return aia; - - default: - WOLFSSL_MSG("Extension NID not in table, returning NULL"); - break; - } - return NULL; -} - -/* Looks for the extension matching the passed in nid - * - * x509 : certificate to get parse through for extension. - * nid : Extension OID to be found. - * lastPos : Start search from extension after lastPos. - * Set to -1 to search from index 0. - * return >= 0 If successful the extension index is returned. - * return -1 If extension is not found or error is encountered. - */ -int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos) -{ - int extCount = 0, length = 0, outSz = 0, sz = 0, ret = 0; - int isSet = 0, found = 0, loc; - const byte* rawCert; - const byte* input; - word32 oid, idx = 0, tmpIdx = 0; - DecodedCert cert; - - WOLFSSL_ENTER("wolfSSL_X509_get_ext_by_NID"); - - if(x509 == NULL){ - WOLFSSL_MSG("\tNot passed a certificate"); - return WOLFSSL_FATAL_ERROR; - } - - if(lastPos < -1 || (lastPos > (wolfSSL_X509_get_ext_count(x509) - 1))){ - WOLFSSL_MSG("\tBad location argument"); - return WOLFSSL_FATAL_ERROR; - } - - loc = lastPos + 1; - - rawCert = wolfSSL_X509_get_der((WOLFSSL_X509*)x509, &outSz); - if (rawCert == NULL) { - WOLFSSL_MSG("\tX509_get_der() failed"); - return WOLFSSL_FATAL_ERROR; - } - - InitDecodedCert( &cert, rawCert, (word32)outSz, 0); - - if (ParseCert(&cert, CA_TYPE, NO_VERIFY, NULL) < 0) { - WOLFSSL_MSG("\tCertificate parsing failed"); - return WOLFSSL_FATAL_ERROR; - } - - input = cert.extensions; - sz = cert.extensionsSz; - - if (input == NULL || sz == 0) { - WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; - } - - if (input[idx++] != ASN_EXTENSIONS) { - WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; - } - - if (GetLength(input, &idx, &length, sz) < 0) { - WOLFSSL_MSG("\tfail: invalid length"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; - } - - if (GetSequence(input, &idx, &length, sz) < 0) { - WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; - } - - while (idx < (word32)sz) { - oid = 0; - - if (GetSequence(input, &idx, &length, sz) < 0) { - WOLFSSL_MSG("\tfail: should be a SEQUENCE"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; - } - - tmpIdx = idx; - ret = GetObjectId(input, &idx, &oid, oidCertExtType, sz); - if (ret < 0) { - WOLFSSL_MSG("\tfail: OBJECT ID"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; - } - idx = tmpIdx; - - if (extCount >= loc) { - /* extCount >= loc. Now check if extension has been set */ - isSet = wolfSSL_X509_ext_isSet_by_NID((WOLFSSL_X509*)x509, oid); - - if (isSet && ((word32)nid == oid)) { - found = 1; - break; - } - } - - idx += length; - extCount++; - } /* while(idx < sz) */ - - FreeDecodedCert(&cert); - - return found ? extCount : WOLFSSL_FATAL_ERROR; -} - - -#endif /* OPENSSL_ALL */ - -WOLFSSL_ASN1_BIT_STRING* wolfSSL_ASN1_BIT_STRING_new(void) -{ - WOLFSSL_ASN1_BIT_STRING* str; - - str = (WOLFSSL_ASN1_BIT_STRING*)XMALLOC(sizeof(WOLFSSL_ASN1_BIT_STRING), - NULL, DYNAMIC_TYPE_OPENSSL); - if (str) { - XMEMSET(str, 0, sizeof(WOLFSSL_ASN1_BIT_STRING)); - } - return str; -} - -void wolfSSL_ASN1_BIT_STRING_free(WOLFSSL_ASN1_BIT_STRING* str) -{ - if (str) { - if (str->data) { - XFREE(str->data, NULL, DYNAMIC_TYPE_OPENSSL); - str->data = NULL; - } - XFREE(str, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - -int wolfSSL_ASN1_BIT_STRING_get_bit(const WOLFSSL_ASN1_BIT_STRING* str, int i) -{ - if (!str || !str->data || str->length <= (i/8) || i < 0) { - return WOLFSSL_FAILURE; - } - - return (str->data[i/8] & (1<<(7-(i%8)))) ? 1 : 0; -} - -/* Looks for the extension matching the passed in nid - * - * c : if not null then is set to status value -2 if multiple occurrences - * of the extension are found, -1 if not found, 0 if found and not - * critical, and 1 if found and critical. - * nid : Extension OID to be found. - * idx : if NULL return first extension found match, otherwise start search at - * idx location and set idx to the location of extension returned. - * returns NULL or a pointer to an WOLFSSL_ASN1_BIT_STRING (for KEY_USAGE_OID) - * or WOLFSSL_STACK (for other) - * holding extension structure - * - * NOTE code for decoding extensions is in asn.c DecodeCertExtensions -- - * use already decoded extension in this function to avoid decoding twice. - * Currently we do not make use of idx since getting pre decoded extensions. - */ -void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, - int* idx) -{ - void* ret = NULL; - WOLFSSL_STACK* sk = NULL; - WOLFSSL_ASN1_OBJECT* obj = NULL; - WOLFSSL_GENERAL_NAME* gn = NULL; - - WOLFSSL_ENTER("wolfSSL_X509_get_ext_d2i"); - - if (x509 == NULL) { - return NULL; - } - - if (c != NULL) { - *c = -1; /* default to not found */ - } - - switch (nid) { - case BASIC_CA_OID: - if (x509->basicConstSet) { - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); - return NULL; - } - if (c != NULL) { - *c = x509->basicConstCrit; - } - obj->type = BASIC_CA_OID; - obj->grp = oidCertExtType; - obj->nid = nid; - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \ - defined(WOLFSSL_APACHE_HTTPD) - obj->ca = x509->isCa; - #endif - } - else { - WOLFSSL_MSG("No Basic Constraint set"); - } - return obj; - - case ALT_NAMES_OID: - { - DNS_entry* dns = NULL; - /* Malloc GENERAL_NAME stack */ - sk = (WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)*)XMALLOC( - sizeof(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)), NULL, - DYNAMIC_TYPE_ASN1); - if (sk == NULL) { - return NULL; - } - XMEMSET(sk, 0, sizeof(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME))); - sk->type = STACK_TYPE_GEN_NAME; - - if (x509->subjAltNameSet && x509->altNames != NULL) { - /* alt names are DNS_entry structs */ - if (c != NULL) { - if (x509->altNames->next != NULL) { - *c = -2; /* more then one found */ - } - else { - *c = x509->subjAltNameCrit; - } - } - - dns = x509->altNames; - /* Currently only support GEN_DNS type */ - while (dns != NULL) { - gn = wolfSSL_GENERAL_NAME_new(); - if (gn == NULL) { - WOLFSSL_MSG("Error creating GENERAL_NAME"); - wolfSSL_sk_free(sk); - return NULL; - } - - gn->type = dns->type; - gn->d.ia5->length = dns->len; - if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, - gn->d.ia5->length) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set failed"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_free(sk); - return NULL; - } - - dns = dns->next; - /* last dns in list add at end of function */ - if (dns != NULL) { - if (wolfSSL_sk_GENERAL_NAME_push(sk, gn) != - WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error pushing ASN1 object onto stack"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_free(sk); - sk = NULL; - } - } - } - } - else { - WOLFSSL_MSG("No Alt Names set"); - } - - break; - } - - case CRL_DIST_OID: - if (x509->CRLdistSet && x509->CRLInfo != NULL) { - if (c != NULL) { - *c = x509->CRLdistCrit; - } - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); - return NULL; - } - obj->type = CRL_DIST_OID; - obj->grp = oidCertExtType; - obj->obj = x509->CRLInfo; - obj->objSz = x509->CRLInfoSz; - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC_DATA ; - } - else { - WOLFSSL_MSG("No CRL dist set"); - } - break; - - case AUTH_INFO_OID: - if (x509->authInfoSet && x509->authInfo != NULL) { - if (c != NULL) { - *c = x509->authInfoCrit; - } - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); - return NULL; - } - obj->type = AUTH_INFO_OID; - obj->grp = oidCertExtType; - obj->obj = x509->authInfo; - obj->objSz = x509->authInfoSz; - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC_DATA; - } - else { - WOLFSSL_MSG("No Auth Info set"); - } - break; - - case AUTH_KEY_OID: - if (x509->authKeyIdSet) { - if (c != NULL) { - *c = x509->authKeyIdCrit; - } - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); - return NULL; - } - obj->type = AUTH_KEY_OID; - obj->grp = oidCertExtType; - obj->obj = x509->authKeyId; - obj->objSz = x509->authKeyIdSz; - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC_DATA; - } - else { - WOLFSSL_MSG("No Auth Key set"); - } - break; - - case SUBJ_KEY_OID: - if (x509->subjKeyIdSet) { - if (c != NULL) { - *c = x509->subjKeyIdCrit; - } - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); - return NULL; - } - obj->type = SUBJ_KEY_OID; - obj->grp = oidCertExtType; - obj->obj = x509->subjKeyId; - obj->objSz = x509->subjKeyIdSz; - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC_DATA; - } - else { - WOLFSSL_MSG("No Subject Key set"); - } - break; - - case CERT_POLICY_OID: - { - #ifdef WOLFSSL_CERT_EXT - int i; - - if (x509->certPoliciesNb > 0) { - if (c != NULL) { - if (x509->certPoliciesNb > 1) { - *c = -2; - } - else { - *c = 0; - } - } - - sk = wolfSSL_sk_new_asn1_obj(); - if (sk == NULL) { - return NULL; - } - - for (i = 0; i < x509->certPoliciesNb - 1; i++) { - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); - wolfSSL_sk_ASN1_OBJECT_free(sk); - return NULL; - } - obj->type = CERT_POLICY_OID; - obj->grp = oidCertExtType; - obj->obj = (byte*)(x509->certPolicies[i]); - obj->objSz = MAX_CERTPOL_SZ; - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC_DATA; - if (wolfSSL_sk_ASN1_OBJECT_push(sk, obj) - != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error pushing ASN1 object onto stack"); - wolfSSL_ASN1_OBJECT_free(obj); - wolfSSL_sk_ASN1_OBJECT_free(sk); - sk = NULL; - } - } - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); - wolfSSL_sk_ASN1_OBJECT_free(sk); - return NULL; - } - obj->type = CERT_POLICY_OID; - obj->grp = oidCertExtType; - obj->obj = (byte*)(x509->certPolicies[i]); - obj->objSz = MAX_CERTPOL_SZ; - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC_DATA; - } - else { - WOLFSSL_MSG("No Cert Policy set"); - } - #elif defined(WOLFSSL_SEP) - if (x509->certPolicySet) { - if (c != NULL) { - *c = x509->certPolicyCrit; - } - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); - return NULL; - } - obj->type = CERT_POLICY_OID; - obj->grp = oidCertExtType; - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - } - else { - WOLFSSL_MSG("No Cert Policy set"); - } - #else - WOLFSSL_MSG("wolfSSL not built with WOLFSSL_SEP or WOLFSSL_CERT_EXT"); - #endif - break; - } - case KEY_USAGE_OID: - { - WOLFSSL_ASN1_BIT_STRING* bit_str = NULL; - if (x509->keyUsageSet) { - if (c != NULL) { - *c = x509->keyUsageCrit; - } - - bit_str = wolfSSL_ASN1_BIT_STRING_new(); - if (bit_str == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_BIT_STRING struct"); - return NULL; - } - - bit_str->type = KEY_USAGE_OID; - bit_str->flags = 0; - bit_str->length = sizeof(word16); - bit_str->data = (byte*)XMALLOC(bit_str->length, NULL, DYNAMIC_TYPE_OPENSSL); - if (bit_str->data == NULL) { - wolfSSL_ASN1_BIT_STRING_free(bit_str); - return NULL; - } - XMEMCPY(bit_str->data, &x509->keyUsage, bit_str->length); - } - else { - WOLFSSL_MSG("No Key Usage set"); - } - /* don't add stack of and return bit string directly */ - return bit_str; - } - case INHIBIT_ANY_OID: - WOLFSSL_MSG("INHIBIT ANY extension not supported"); - break; - - case EXT_KEY_USAGE_OID: - if (x509->extKeyUsageSrc != NULL) { - if (c != NULL) { - if (x509->extKeyUsageCount > 1) { - *c = -2; - } - else { - *c = x509->extKeyUsageCrit; - } - } - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); - return NULL; - } - obj->type = EXT_KEY_USAGE_OID; - obj->grp = oidCertExtType; - obj->obj = x509->extKeyUsageSrc; - obj->objSz = x509->extKeyUsageSz; - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC_DATA; - } - else { - WOLFSSL_MSG("No Extended Key Usage set"); - } - break; - - case NAME_CONS_OID: - WOLFSSL_MSG("Name Constraint OID extension not supported"); - break; - - case PRIV_KEY_USAGE_PERIOD_OID: - WOLFSSL_MSG("Private Key Usage Period extension not supported"); - break; - - case SUBJECT_INFO_ACCESS: - WOLFSSL_MSG("Subject Info Access extension not supported"); - break; - - case POLICY_MAP_OID: - WOLFSSL_MSG("Policy Map extension not supported"); - break; - - case POLICY_CONST_OID: - WOLFSSL_MSG("Policy Constraint extension not supported"); - break; - - case ISSUE_ALT_NAMES_OID: - WOLFSSL_MSG("Issue Alt Names extension not supported"); - break; - - case TLS_FEATURE_OID: - WOLFSSL_MSG("TLS Feature extension not supported"); - break; - - default: - WOLFSSL_MSG("Unsupported/Unknown extension OID"); - } - - /* make sure stack of is allocated */ - if ((obj || gn) && sk == NULL) { - sk = wolfSSL_sk_new_asn1_obj(); - if (sk == NULL) { - goto err; - } - } - if (obj && wolfSSL_sk_ASN1_OBJECT_push(sk, obj) == WOLFSSL_SUCCESS) { - /* obj pushed successfully on stack */ - } - else if (gn && wolfSSL_sk_GENERAL_NAME_push(sk, gn) == WOLFSSL_SUCCESS) { - /* gn pushed successfully on stack */ - } - else { - /* Nothing to push or push failed */ - WOLFSSL_MSG("Error pushing ASN1_OBJECT or GENERAL_NAME object onto stack " - "or nothing to push."); - goto err; - } - ret = sk; - - (void)idx; - - return ret; - -err: - if (obj) { - wolfSSL_ASN1_OBJECT_free(obj); - } - if (gn) { - wolfSSL_GENERAL_NAME_free(gn); - } - if (sk) { - wolfSSL_sk_ASN1_OBJECT_free(sk); - } - return NULL; -} - - -int wolfSSL_X509_add_altname(WOLFSSL_X509* x509, const char* name, int type) -{ - DNS_entry* newAltName = NULL; - char* nameCopy = NULL; - word32 nameSz; - - if (x509 == NULL) - return WOLFSSL_FAILURE; - - if (name == NULL) - return WOLFSSL_SUCCESS; - - nameSz = (word32)XSTRLEN(name); - if (nameSz == 0) - return WOLFSSL_SUCCESS; - - newAltName = (DNS_entry*)XMALLOC(sizeof(DNS_entry), - x509->heap, DYNAMIC_TYPE_ALTNAME); - if (newAltName == NULL) - return WOLFSSL_FAILURE; - - nameCopy = (char*)XMALLOC(nameSz + 1, x509->heap, DYNAMIC_TYPE_ALTNAME); - if (nameCopy == NULL) { - XFREE(newAltName, x509->heap, DYNAMIC_TYPE_ALTNAME); - return WOLFSSL_FAILURE; - } - - XMEMCPY(nameCopy, name, nameSz + 1); - - newAltName->next = x509->altNames; - newAltName->type = type; - newAltName->len = nameSz; - newAltName->name = nameCopy; - x509->altNames = newAltName; - - return WOLFSSL_SUCCESS; -} - - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_X509_add_ext(WOLFSSL_X509 *x509, WOLFSSL_X509_EXTENSION *ext, int loc) -{ - WOLFSSL_STUB("wolfSSL_X509_add_ext"); - (void)x509; - (void)ext; - (void)loc; - return WOLFSSL_FAILURE; -} - -/* currently LHASH is not implemented (and not needed for Apache port) */ -WOLFSSL_X509_EXTENSION* wolfSSL_X509V3_EXT_conf_nid( - WOLF_LHASH_OF(CONF_VALUE)* conf, WOLFSSL_X509V3_CTX* ctx, int nid, - char* value) -{ - WOLFSSL_STUB("wolfSSL_X509V3_EXT_conf_nid"); - - if (conf != NULL) { - WOLFSSL_MSG("Handling LHASH not implemented yet"); - return NULL; - } - - (void)conf; - (void)ctx; - (void)nid; - (void)value; - return NULL; -} - -void wolfSSL_X509V3_set_ctx_nodb(WOLFSSL_X509V3_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_X509V3_set_ctx_nodb"); - (void)ctx; -} -#endif /* !NO_WOLFSSL_STUB */ - -/* Returns pointer to ASN1_OBJECT from an X509_EXTENSION object */ -WOLFSSL_ASN1_OBJECT* wolfSSL_X509_EXTENSION_get_object \ - (WOLFSSL_X509_EXTENSION* ext) -{ - WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_get_object"); - if(ext == NULL) - return NULL; - return ext->obj; -} - -/* Returns pointer to ASN1_STRING in X509_EXTENSION object */ -WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data(WOLFSSL_X509_EXTENSION* ext) -{ - WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_get_data"); - if (ext == NULL) - return NULL; - return &ext->value; -} - -#if !defined(NO_PWDBASED) -int wolfSSL_X509_digest(const WOLFSSL_X509* x509, const WOLFSSL_EVP_MD* digest, - unsigned char* buf, unsigned int* len) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_X509_digest"); - - if (x509 == NULL || digest == NULL) { - WOLFSSL_MSG("Null argument found"); - return WOLFSSL_FAILURE; - } - - if (x509->derCert == NULL) { - WOLFSSL_MSG("No DER certificate stored in X509"); - return WOLFSSL_FAILURE; - } - - ret = wolfSSL_EVP_Digest(x509->derCert->buffer, x509->derCert->length, buf, - len, digest, NULL); - WOLFSSL_LEAVE("wolfSSL_X509_digest", ret); - return ret; -} -#endif - -int wolfSSL_use_PrivateKey(WOLFSSL* ssl, WOLFSSL_EVP_PKEY* pkey) -{ - WOLFSSL_ENTER("wolfSSL_use_PrivateKey"); - if (ssl == NULL || pkey == NULL ) { - return WOLFSSL_FAILURE; - } - - return wolfSSL_use_PrivateKey_buffer(ssl, (unsigned char*)pkey->pkey.ptr, - pkey->pkey_sz, WOLFSSL_FILETYPE_ASN1); -} - - -int wolfSSL_use_PrivateKey_ASN1(int pri, WOLFSSL* ssl, const unsigned char* der, - long derSz) -{ - WOLFSSL_ENTER("wolfSSL_use_PrivateKey_ASN1"); - if (ssl == NULL || der == NULL ) { - return WOLFSSL_FAILURE; - } - - (void)pri; /* type of private key */ - return wolfSSL_use_PrivateKey_buffer(ssl, der, derSz, WOLFSSL_FILETYPE_ASN1); -} -/****************************************************************************** -* wolfSSL_CTX_use_PrivateKey_ASN1 - loads a private key buffer into the SSL ctx -* -* RETURNS: -* returns WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE -*/ - -int wolfSSL_CTX_use_PrivateKey_ASN1(int pri, WOLFSSL_CTX* ctx, - unsigned char* der, long derSz) -{ - WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_ASN1"); - if (ctx == NULL || der == NULL ) { - return WOLFSSL_FAILURE; - } - - (void)pri; /* type of private key */ - return wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz, WOLFSSL_FILETYPE_ASN1); -} - - -#ifndef NO_RSA -int wolfSSL_use_RSAPrivateKey_ASN1(WOLFSSL* ssl, unsigned char* der, long derSz) -{ - WOLFSSL_ENTER("wolfSSL_use_RSAPrivateKey_ASN1"); - if (ssl == NULL || der == NULL ) { - return WOLFSSL_FAILURE; - } - - return wolfSSL_use_PrivateKey_buffer(ssl, der, derSz, WOLFSSL_FILETYPE_ASN1); -} -#endif - -int wolfSSL_use_certificate(WOLFSSL* ssl, WOLFSSL_X509* x509) -{ - long idx; - - WOLFSSL_ENTER("wolfSSL_use_certificate"); - if (x509 != NULL && ssl != NULL && x509->derCert != NULL) { - if (ProcessBuffer(NULL, x509->derCert->buffer, x509->derCert->length, - WOLFSSL_FILETYPE_ASN1, CERT_TYPE, ssl, &idx, 0, - GET_VERIFY_SETTING_SSL(ssl)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - } - - (void)idx; - return WOLFSSL_FAILURE; -} - -#endif /* NO_CERTS */ - -#endif /* OPENSSL_EXTRA */ - -#ifndef NO_CERTS -int wolfSSL_use_certificate_ASN1(WOLFSSL* ssl, const unsigned char* der, - int derSz) -{ - long idx; - - WOLFSSL_ENTER("wolfSSL_use_certificate_ASN1"); - if (der != NULL && ssl != NULL) { - if (ProcessBuffer(NULL, der, derSz, WOLFSSL_FILETYPE_ASN1, CERT_TYPE, - ssl, &idx, 0, GET_VERIFY_SETTING_SSL(ssl)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - } - - (void)idx; - return WOLFSSL_FAILURE; -} - -#ifndef NO_FILESYSTEM - -WOLFSSL_ABI -int wolfSSL_use_certificate_file(WOLFSSL* ssl, const char* file, int format) -{ - WOLFSSL_ENTER("wolfSSL_use_certificate_file"); - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - if (ProcessFile(ssl->ctx, file, format, CERT_TYPE, - ssl, 0, NULL, GET_VERIFY_SETTING_SSL(ssl)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - - return WOLFSSL_FAILURE; -} - - -WOLFSSL_ABI -int wolfSSL_use_PrivateKey_file(WOLFSSL* ssl, const char* file, int format) -{ - WOLFSSL_ENTER("wolfSSL_use_PrivateKey_file"); - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, - ssl, 0, NULL, GET_VERIFY_SETTING_SSL(ssl)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - - return WOLFSSL_FAILURE; -} - - -WOLFSSL_ABI -int wolfSSL_use_certificate_chain_file(WOLFSSL* ssl, const char* file) -{ - /* process up to MAX_CHAIN_DEPTH plus subject cert */ - WOLFSSL_ENTER("wolfSSL_use_certificate_chain_file"); - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - if (ProcessFile(ssl->ctx, file, WOLFSSL_FILETYPE_PEM, CERT_TYPE, - ssl, 1, NULL, GET_VERIFY_SETTING_SSL(ssl)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - - return WOLFSSL_FAILURE; -} - -int wolfSSL_use_certificate_chain_file_format(WOLFSSL* ssl, const char* file, - int format) -{ - /* process up to MAX_CHAIN_DEPTH plus subject cert */ - WOLFSSL_ENTER("wolfSSL_use_certificate_chain_file_format"); - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - if (ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 1, - NULL, GET_VERIFY_SETTING_SSL(ssl)) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - return WOLFSSL_FAILURE; -} - -#endif /* !NO_FILESYSTEM */ -#endif /* !NO_CERTS */ - -#ifdef HAVE_ECC - -/* Set Temp CTX EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */ -int wolfSSL_CTX_SetTmpEC_DHE_Sz(WOLFSSL_CTX* ctx, word16 sz) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - if (sz == 0) { - /* applies only to ECDSA */ - if (ctx->privateKeyType != ecc_dsa_sa_algo) - return WOLFSSL_SUCCESS; - - if (ctx->privateKeySz == 0) { - WOLFSSL_MSG("Must set private key/cert first"); - return BAD_FUNC_ARG; - } - - sz = (word16)ctx->privateKeySz; - } - - /* check size */ - if (sz < ECC_MINSIZE || sz > ECC_MAXSIZE) - return BAD_FUNC_ARG; - - ctx->eccTempKeySz = sz; - - return WOLFSSL_SUCCESS; -} - - -/* Set Temp SSL EC-DHE size in octets, should be 20 - 66 for 160 - 521 bit */ -int wolfSSL_SetTmpEC_DHE_Sz(WOLFSSL* ssl, word16 sz) -{ - if (ssl == NULL || sz < ECC_MINSIZE || sz > ECC_MAXSIZE) - return BAD_FUNC_ARG; - - ssl->eccTempKeySz = sz; - - return WOLFSSL_SUCCESS; -} - -#endif /* HAVE_ECC */ - - -#ifdef OPENSSL_EXTRA - -#ifndef NO_FILESYSTEM -int wolfSSL_CTX_use_RSAPrivateKey_file(WOLFSSL_CTX* ctx,const char* file, - int format) -{ - WOLFSSL_ENTER("SSL_CTX_use_RSAPrivateKey_file"); - - return wolfSSL_CTX_use_PrivateKey_file(ctx, file, format); -} - - -int wolfSSL_use_RSAPrivateKey_file(WOLFSSL* ssl, const char* file, int format) -{ - WOLFSSL_ENTER("wolfSSL_use_RSAPrivateKey_file"); - - return wolfSSL_use_PrivateKey_file(ssl, file, format); -} -#endif /* NO_FILESYSTEM */ - - -/* Copies the master secret over to out buffer. If outSz is 0 returns the size - * of master secret. - * - * ses : a session from completed TLS/SSL handshake - * out : buffer to hold copy of master secret - * outSz : size of out buffer - * returns : number of bytes copied into out buffer on success - * less then or equal to 0 is considered a failure case - */ -int wolfSSL_SESSION_get_master_key(const WOLFSSL_SESSION* ses, - unsigned char* out, int outSz) -{ - int size; - - if (outSz == 0) { - return SECRET_LEN; - } - - if (ses == NULL || out == NULL || outSz < 0) { - return 0; - } - - if (outSz > SECRET_LEN) { - size = SECRET_LEN; - } - else { - size = outSz; - } - - XMEMCPY(out, ses->masterSecret, size); - return size; -} - - -int wolfSSL_SESSION_get_master_key_length(const WOLFSSL_SESSION* ses) -{ - (void)ses; - return SECRET_LEN; -} - -#endif /* OPENSSL_EXTRA */ - -#ifndef NO_FILESYSTEM -#ifdef HAVE_NTRU - -int wolfSSL_CTX_use_NTRUPrivateKey_file(WOLFSSL_CTX* ctx, const char* file) -{ - WOLFSSL_ENTER("wolfSSL_CTX_use_NTRUPrivateKey_file"); - - if (ctx == NULL) - return WOLFSSL_FAILURE; - - if (ProcessFile(ctx, file, WOLFSSL_FILETYPE_RAW, PRIVATEKEY_TYPE, NULL, 0, - NULL, GET_VERIFY_SETTING_CTX(ctx)) == WOLFSSL_SUCCESS) { - ctx->haveNTRU = 1; - return WOLFSSL_SUCCESS; - } - - return WOLFSSL_FAILURE; -} - -#endif /* HAVE_NTRU */ - - -#endif /* NO_FILESYSTEM */ - - -void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc) -{ - WOLFSSL_ENTER("wolfSSL_CTX_set_verify"); - if (ctx == NULL) - return; - - if (mode & WOLFSSL_VERIFY_PEER) { - ctx->verifyPeer = 1; - ctx->verifyNone = 0; /* in case previously set */ - } - - if (mode == WOLFSSL_VERIFY_NONE) { - ctx->verifyNone = 1; - ctx->verifyPeer = 0; /* in case previously set */ - } - - if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) { - ctx->failNoCert = 1; - } - - if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) { - ctx->failNoCert = 0; /* fail on all is set to fail on PSK */ - ctx->failNoCertxPSK = 1; - } - - ctx->verifyCallback = vc; -} - -#ifdef OPENSSL_ALL -void wolfSSL_CTX_set_cert_verify_callback(WOLFSSL_CTX* ctx, - CertVerifyCallback cb, void* arg) -{ - WOLFSSL_ENTER("SSL_CTX_set_cert_verify_callback"); - if (ctx == NULL) - return; - - ctx->verifyCertCb = cb; - ctx->verifyCertCbArg = arg; -} -#endif - - -void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc) -{ - WOLFSSL_ENTER("wolfSSL_set_verify"); - if (ssl == NULL) - return; - - if (mode & WOLFSSL_VERIFY_PEER) { - ssl->options.verifyPeer = 1; - ssl->options.verifyNone = 0; /* in case previously set */ - } - - if (mode == WOLFSSL_VERIFY_NONE) { - ssl->options.verifyNone = 1; - ssl->options.verifyPeer = 0; /* in case previously set */ - } - - if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) - ssl->options.failNoCert = 1; - - if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) { - ssl->options.failNoCert = 0; /* fail on all is set to fail on PSK */ - ssl->options.failNoCertxPSK = 1; - } - - ssl->verifyCallback = vc; -} - -void wolfSSL_set_verify_result(WOLFSSL *ssl, long v) -{ - WOLFSSL_ENTER("wolfSSL_set_verify_result"); - - if (ssl == NULL) - return; - -#ifdef OPENSSL_ALL - ssl->verifyCallbackResult = v; -#else - (void)v; - WOLFSSL_STUB("wolfSSL_set_verify_result"); -#endif -} - -/* store user ctx for verify callback */ -void wolfSSL_SetCertCbCtx(WOLFSSL* ssl, void* ctx) -{ - WOLFSSL_ENTER("wolfSSL_SetCertCbCtx"); - if (ssl) - ssl->verifyCbCtx = ctx; -} - - -/* store context CA Cache addition callback */ -void wolfSSL_CTX_SetCACb(WOLFSSL_CTX* ctx, CallbackCACache cb) -{ - if (ctx && ctx->cm) - ctx->cm->caCacheCallback = cb; -} - - -#if defined(PERSIST_CERT_CACHE) - -#if !defined(NO_FILESYSTEM) - -/* Persist cert cache to file */ -int wolfSSL_CTX_save_cert_cache(WOLFSSL_CTX* ctx, const char* fname) -{ - WOLFSSL_ENTER("wolfSSL_CTX_save_cert_cache"); - - if (ctx == NULL || fname == NULL) - return BAD_FUNC_ARG; - - return CM_SaveCertCache(ctx->cm, fname); -} - - -/* Persist cert cache from file */ -int wolfSSL_CTX_restore_cert_cache(WOLFSSL_CTX* ctx, const char* fname) -{ - WOLFSSL_ENTER("wolfSSL_CTX_restore_cert_cache"); - - if (ctx == NULL || fname == NULL) - return BAD_FUNC_ARG; - - return CM_RestoreCertCache(ctx->cm, fname); -} - -#endif /* NO_FILESYSTEM */ - -/* Persist cert cache to memory */ -int wolfSSL_CTX_memsave_cert_cache(WOLFSSL_CTX* ctx, void* mem, - int sz, int* used) -{ - WOLFSSL_ENTER("wolfSSL_CTX_memsave_cert_cache"); - - if (ctx == NULL || mem == NULL || used == NULL || sz <= 0) - return BAD_FUNC_ARG; - - return CM_MemSaveCertCache(ctx->cm, mem, sz, used); -} - - -/* Restore cert cache from memory */ -int wolfSSL_CTX_memrestore_cert_cache(WOLFSSL_CTX* ctx, const void* mem, int sz) -{ - WOLFSSL_ENTER("wolfSSL_CTX_memrestore_cert_cache"); - - if (ctx == NULL || mem == NULL || sz <= 0) - return BAD_FUNC_ARG; - - return CM_MemRestoreCertCache(ctx->cm, mem, sz); -} - - -/* get how big the the cert cache save buffer needs to be */ -int wolfSSL_CTX_get_cert_cache_memsize(WOLFSSL_CTX* ctx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_get_cert_cache_memsize"); - - if (ctx == NULL) - return BAD_FUNC_ARG; - - return CM_GetCertCacheMemSize(ctx->cm); -} - -#endif /* PERSIST_CERT_CACHE */ -#endif /* !NO_CERTS */ - - -#ifndef NO_SESSION_CACHE - -WOLFSSL_ABI -WOLFSSL_SESSION* wolfSSL_get_session(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("SSL_get_session"); - if (ssl) - return GetSession(ssl, 0, 1); - - return NULL; -} - - -WOLFSSL_ABI -int wolfSSL_set_session(WOLFSSL* ssl, WOLFSSL_SESSION* session) -{ - WOLFSSL_ENTER("SSL_set_session"); - if (session) - return SetSession(ssl, session); - - return WOLFSSL_FAILURE; -} - - -#ifndef NO_CLIENT_CACHE - -/* Associate client session with serverID, find existing or store for saving - if newSession flag on, don't reuse existing session - WOLFSSL_SUCCESS on ok */ -int wolfSSL_SetServerID(WOLFSSL* ssl, const byte* id, int len, int newSession) -{ - WOLFSSL_SESSION* session = NULL; - - WOLFSSL_ENTER("wolfSSL_SetServerID"); - - if (ssl == NULL || id == NULL || len <= 0) - return BAD_FUNC_ARG; - - if (newSession == 0) { - session = GetSessionClient(ssl, id, len); - if (session) { - if (SetSession(ssl, session) != WOLFSSL_SUCCESS) { - #ifdef HAVE_EXT_CACHE - wolfSSL_SESSION_free(session); - #endif - WOLFSSL_MSG("SetSession failed"); - session = NULL; - } - } - } - - if (session == NULL) { - WOLFSSL_MSG("Valid ServerID not cached already"); - - ssl->session.idLen = (word16)min(SERVER_ID_LEN, (word32)len); - XMEMCPY(ssl->session.serverID, id, ssl->session.idLen); - } - #ifdef HAVE_EXT_CACHE - else - wolfSSL_SESSION_free(session); - #endif - - return WOLFSSL_SUCCESS; -} - -#endif /* NO_CLIENT_CACHE */ - -#if defined(PERSIST_SESSION_CACHE) - -/* for persistence, if changes to layout need to increment and modify - save_session_cache() and restore_session_cache and memory versions too */ -#define WOLFSSL_CACHE_VERSION 2 - -/* Session Cache Header information */ -typedef struct { - int version; /* cache layout version id */ - int rows; /* session rows */ - int columns; /* session columns */ - int sessionSz; /* sizeof WOLFSSL_SESSION */ -} cache_header_t; - -/* current persistence layout is: - - 1) cache_header_t - 2) SessionCache - 3) ClientCache - - update WOLFSSL_CACHE_VERSION if change layout for the following - PERSISTENT_SESSION_CACHE functions -*/ - - -/* get how big the the session cache save buffer needs to be */ -int wolfSSL_get_session_cache_memsize(void) -{ - int sz = (int)(sizeof(SessionCache) + sizeof(cache_header_t)); - - #ifndef NO_CLIENT_CACHE - sz += (int)(sizeof(ClientCache)); - #endif - - return sz; -} - - -/* Persist session cache to memory */ -int wolfSSL_memsave_session_cache(void* mem, int sz) -{ - int i; - cache_header_t cache_header; - SessionRow* row = (SessionRow*)((byte*)mem + sizeof(cache_header)); -#ifndef NO_CLIENT_CACHE - ClientRow* clRow; -#endif - - WOLFSSL_ENTER("wolfSSL_memsave_session_cache"); - - if (sz < wolfSSL_get_session_cache_memsize()) { - WOLFSSL_MSG("Memory buffer too small"); - return BUFFER_E; - } - - cache_header.version = WOLFSSL_CACHE_VERSION; - cache_header.rows = SESSION_ROWS; - cache_header.columns = SESSIONS_PER_ROW; - cache_header.sessionSz = (int)sizeof(WOLFSSL_SESSION); - XMEMCPY(mem, &cache_header, sizeof(cache_header)); - - if (wc_LockMutex(&session_mutex) != 0) { - WOLFSSL_MSG("Session cache mutex lock failed"); - return BAD_MUTEX_E; - } - - for (i = 0; i < cache_header.rows; ++i) - XMEMCPY(row++, SessionCache + i, sizeof(SessionRow)); - -#ifndef NO_CLIENT_CACHE - clRow = (ClientRow*)row; - for (i = 0; i < cache_header.rows; ++i) - XMEMCPY(clRow++, ClientCache + i, sizeof(ClientRow)); -#endif - - wc_UnLockMutex(&session_mutex); - - WOLFSSL_LEAVE("wolfSSL_memsave_session_cache", WOLFSSL_SUCCESS); - - return WOLFSSL_SUCCESS; -} - - -/* Restore the persistent session cache from memory */ -int wolfSSL_memrestore_session_cache(const void* mem, int sz) -{ - int i; - cache_header_t cache_header; - SessionRow* row = (SessionRow*)((byte*)mem + sizeof(cache_header)); -#ifndef NO_CLIENT_CACHE - ClientRow* clRow; -#endif - - WOLFSSL_ENTER("wolfSSL_memrestore_session_cache"); - - if (sz < wolfSSL_get_session_cache_memsize()) { - WOLFSSL_MSG("Memory buffer too small"); - return BUFFER_E; - } - - XMEMCPY(&cache_header, mem, sizeof(cache_header)); - if (cache_header.version != WOLFSSL_CACHE_VERSION || - cache_header.rows != SESSION_ROWS || - cache_header.columns != SESSIONS_PER_ROW || - cache_header.sessionSz != (int)sizeof(WOLFSSL_SESSION)) { - - WOLFSSL_MSG("Session cache header match failed"); - return CACHE_MATCH_ERROR; - } - - if (wc_LockMutex(&session_mutex) != 0) { - WOLFSSL_MSG("Session cache mutex lock failed"); - return BAD_MUTEX_E; - } - - for (i = 0; i < cache_header.rows; ++i) - XMEMCPY(SessionCache + i, row++, sizeof(SessionRow)); - -#ifndef NO_CLIENT_CACHE - clRow = (ClientRow*)row; - for (i = 0; i < cache_header.rows; ++i) - XMEMCPY(ClientCache + i, clRow++, sizeof(ClientRow)); -#endif - - wc_UnLockMutex(&session_mutex); - - WOLFSSL_LEAVE("wolfSSL_memrestore_session_cache", WOLFSSL_SUCCESS); - - return WOLFSSL_SUCCESS; -} - -#if !defined(NO_FILESYSTEM) - -/* Persist session cache to file */ -/* doesn't use memsave because of additional memory use */ -int wolfSSL_save_session_cache(const char *fname) -{ - XFILE file; - int ret; - int rc = WOLFSSL_SUCCESS; - int i; - cache_header_t cache_header; - - WOLFSSL_ENTER("wolfSSL_save_session_cache"); - - file = XFOPEN(fname, "w+b"); - if (file == XBADFILE) { - WOLFSSL_MSG("Couldn't open session cache save file"); - return WOLFSSL_BAD_FILE; - } - cache_header.version = WOLFSSL_CACHE_VERSION; - cache_header.rows = SESSION_ROWS; - cache_header.columns = SESSIONS_PER_ROW; - cache_header.sessionSz = (int)sizeof(WOLFSSL_SESSION); - - /* cache header */ - ret = (int)XFWRITE(&cache_header, sizeof cache_header, 1, file); - if (ret != 1) { - WOLFSSL_MSG("Session cache header file write failed"); - XFCLOSE(file); - return FWRITE_ERROR; - } - - if (wc_LockMutex(&session_mutex) != 0) { - WOLFSSL_MSG("Session cache mutex lock failed"); - XFCLOSE(file); - return BAD_MUTEX_E; - } - - /* session cache */ - for (i = 0; i < cache_header.rows; ++i) { - ret = (int)XFWRITE(SessionCache + i, sizeof(SessionRow), 1, file); - if (ret != 1) { - WOLFSSL_MSG("Session cache member file write failed"); - rc = FWRITE_ERROR; - break; - } - } - -#ifndef NO_CLIENT_CACHE - /* client cache */ - for (i = 0; i < cache_header.rows; ++i) { - ret = (int)XFWRITE(ClientCache + i, sizeof(ClientRow), 1, file); - if (ret != 1) { - WOLFSSL_MSG("Client cache member file write failed"); - rc = FWRITE_ERROR; - break; - } - } -#endif /* NO_CLIENT_CACHE */ - - wc_UnLockMutex(&session_mutex); - - XFCLOSE(file); - WOLFSSL_LEAVE("wolfSSL_save_session_cache", rc); - - return rc; -} - - -/* Restore the persistent session cache from file */ -/* doesn't use memstore because of additional memory use */ -int wolfSSL_restore_session_cache(const char *fname) -{ - XFILE file; - int rc = WOLFSSL_SUCCESS; - int ret; - int i; - cache_header_t cache_header; - - WOLFSSL_ENTER("wolfSSL_restore_session_cache"); - - file = XFOPEN(fname, "rb"); - if (file == XBADFILE) { - WOLFSSL_MSG("Couldn't open session cache save file"); - return WOLFSSL_BAD_FILE; - } - /* cache header */ - ret = (int)XFREAD(&cache_header, sizeof cache_header, 1, file); - if (ret != 1) { - WOLFSSL_MSG("Session cache header file read failed"); - XFCLOSE(file); - return FREAD_ERROR; - } - if (cache_header.version != WOLFSSL_CACHE_VERSION || - cache_header.rows != SESSION_ROWS || - cache_header.columns != SESSIONS_PER_ROW || - cache_header.sessionSz != (int)sizeof(WOLFSSL_SESSION)) { - - WOLFSSL_MSG("Session cache header match failed"); - XFCLOSE(file); - return CACHE_MATCH_ERROR; - } - - if (wc_LockMutex(&session_mutex) != 0) { - WOLFSSL_MSG("Session cache mutex lock failed"); - XFCLOSE(file); - return BAD_MUTEX_E; - } - - /* session cache */ - for (i = 0; i < cache_header.rows; ++i) { - ret = (int)XFREAD(SessionCache + i, sizeof(SessionRow), 1, file); - if (ret != 1) { - WOLFSSL_MSG("Session cache member file read failed"); - XMEMSET(SessionCache, 0, sizeof SessionCache); - rc = FREAD_ERROR; - break; - } - } - -#ifndef NO_CLIENT_CACHE - /* client cache */ - for (i = 0; i < cache_header.rows; ++i) { - ret = (int)XFREAD(ClientCache + i, sizeof(ClientRow), 1, file); - if (ret != 1) { - WOLFSSL_MSG("Client cache member file read failed"); - XMEMSET(ClientCache, 0, sizeof ClientCache); - rc = FREAD_ERROR; - break; - } - } - -#endif /* NO_CLIENT_CACHE */ - - wc_UnLockMutex(&session_mutex); - - XFCLOSE(file); - WOLFSSL_LEAVE("wolfSSL_restore_session_cache", rc); - - return rc; -} - -#endif /* !NO_FILESYSTEM */ -#endif /* PERSIST_SESSION_CACHE */ -#endif /* NO_SESSION_CACHE */ - - -void wolfSSL_load_error_strings(void) /* compatibility only */ -{} - - -int wolfSSL_library_init(void) -{ - WOLFSSL_ENTER("SSL_library_init"); - if (wolfSSL_Init() == WOLFSSL_SUCCESS) - return WOLFSSL_SUCCESS; - else - return WOLFSSL_FATAL_ERROR; -} - - -#ifdef HAVE_SECRET_CALLBACK - -int wolfSSL_set_session_secret_cb(WOLFSSL* ssl, SessionSecretCb cb, void* ctx) -{ - WOLFSSL_ENTER("wolfSSL_set_session_secret_cb"); - if (ssl == NULL) - return WOLFSSL_FATAL_ERROR; - - ssl->sessionSecretCb = cb; - ssl->sessionSecretCtx = ctx; - /* If using a pre-set key, assume session resumption. */ - ssl->session.sessionIDSz = 0; - ssl->options.resuming = 1; - - return WOLFSSL_SUCCESS; -} - -#endif - - -#ifndef NO_SESSION_CACHE - -/* on by default if built in but allow user to turn off */ -WOLFSSL_ABI -long wolfSSL_CTX_set_session_cache_mode(WOLFSSL_CTX* ctx, long mode) -{ - WOLFSSL_ENTER("SSL_CTX_set_session_cache_mode"); - if (mode == WOLFSSL_SESS_CACHE_OFF) - ctx->sessionCacheOff = 1; - - if ((mode & WOLFSSL_SESS_CACHE_NO_AUTO_CLEAR) != 0) - ctx->sessionCacheFlushOff = 1; - -#ifdef HAVE_EXT_CACHE - if ((mode & WOLFSSL_SESS_CACHE_NO_INTERNAL_STORE) != 0) - ctx->internalCacheOff = 1; -#endif - - return WOLFSSL_SUCCESS; -} - -#endif /* NO_SESSION_CACHE */ - - -#if !defined(NO_CERTS) -#if defined(PERSIST_CERT_CACHE) - - -#define WOLFSSL_CACHE_CERT_VERSION 1 - -typedef struct { - int version; /* cache cert layout version id */ - int rows; /* hash table rows, CA_TABLE_SIZE */ - int columns[CA_TABLE_SIZE]; /* columns per row on list */ - int signerSz; /* sizeof Signer object */ -} CertCacheHeader; - -/* current cert persistence layout is: - - 1) CertCacheHeader - 2) caTable - - update WOLFSSL_CERT_CACHE_VERSION if change layout for the following - PERSIST_CERT_CACHE functions -*/ - - -/* Return memory needed to persist this signer, have lock */ -static WC_INLINE int GetSignerMemory(Signer* signer) -{ - int sz = sizeof(signer->pubKeySize) + sizeof(signer->keyOID) - + sizeof(signer->nameLen) + sizeof(signer->subjectNameHash); - -#if !defined(NO_SKID) - sz += (int)sizeof(signer->subjectKeyIdHash); -#endif - - /* add dynamic bytes needed */ - sz += signer->pubKeySize; - sz += signer->nameLen; - - return sz; -} - - -/* Return memory needed to persist this row, have lock */ -static WC_INLINE int GetCertCacheRowMemory(Signer* row) -{ - int sz = 0; - - while (row) { - sz += GetSignerMemory(row); - row = row->next; - } - - return sz; -} - - -/* get the size of persist cert cache, have lock */ -static WC_INLINE int GetCertCacheMemSize(WOLFSSL_CERT_MANAGER* cm) -{ - int sz; - int i; - - sz = sizeof(CertCacheHeader); - - for (i = 0; i < CA_TABLE_SIZE; i++) - sz += GetCertCacheRowMemory(cm->caTable[i]); - - return sz; -} - - -/* Store cert cache header columns with number of items per list, have lock */ -static WC_INLINE void SetCertHeaderColumns(WOLFSSL_CERT_MANAGER* cm, int* columns) -{ - int i; - Signer* row; - - for (i = 0; i < CA_TABLE_SIZE; i++) { - int count = 0; - row = cm->caTable[i]; - - while (row) { - ++count; - row = row->next; - } - columns[i] = count; - } -} - - -/* Restore whole cert row from memory, have lock, return bytes consumed, - < 0 on error, have lock */ -static WC_INLINE int RestoreCertRow(WOLFSSL_CERT_MANAGER* cm, byte* current, - int row, int listSz, const byte* end) -{ - int idx = 0; - - if (listSz < 0) { - WOLFSSL_MSG("Row header corrupted, negative value"); - return PARSE_ERROR; - } - - while (listSz) { - Signer* signer; - byte* publicKey; - byte* start = current + idx; /* for end checks on this signer */ - int minSz = sizeof(signer->pubKeySize) + sizeof(signer->keyOID) + - sizeof(signer->nameLen) + sizeof(signer->subjectNameHash); - #ifndef NO_SKID - minSz += (int)sizeof(signer->subjectKeyIdHash); - #endif - - if (start + minSz > end) { - WOLFSSL_MSG("Would overread restore buffer"); - return BUFFER_E; - } - signer = MakeSigner(cm->heap); - if (signer == NULL) - return MEMORY_E; - - /* pubKeySize */ - XMEMCPY(&signer->pubKeySize, current + idx, sizeof(signer->pubKeySize)); - idx += (int)sizeof(signer->pubKeySize); - - /* keyOID */ - XMEMCPY(&signer->keyOID, current + idx, sizeof(signer->keyOID)); - idx += (int)sizeof(signer->keyOID); - - /* pulicKey */ - if (start + minSz + signer->pubKeySize > end) { - WOLFSSL_MSG("Would overread restore buffer"); - FreeSigner(signer, cm->heap); - return BUFFER_E; - } - publicKey = (byte*)XMALLOC(signer->pubKeySize, cm->heap, - DYNAMIC_TYPE_KEY); - if (publicKey == NULL) { - FreeSigner(signer, cm->heap); - return MEMORY_E; - } - - XMEMCPY(publicKey, current + idx, signer->pubKeySize); - signer->publicKey = publicKey; - idx += signer->pubKeySize; - - /* nameLen */ - XMEMCPY(&signer->nameLen, current + idx, sizeof(signer->nameLen)); - idx += (int)sizeof(signer->nameLen); - - /* name */ - if (start + minSz + signer->pubKeySize + signer->nameLen > end) { - WOLFSSL_MSG("Would overread restore buffer"); - FreeSigner(signer, cm->heap); - return BUFFER_E; - } - signer->name = (char*)XMALLOC(signer->nameLen, cm->heap, - DYNAMIC_TYPE_SUBJECT_CN); - if (signer->name == NULL) { - FreeSigner(signer, cm->heap); - return MEMORY_E; - } - - XMEMCPY(signer->name, current + idx, signer->nameLen); - idx += signer->nameLen; - - /* subjectNameHash */ - XMEMCPY(signer->subjectNameHash, current + idx, SIGNER_DIGEST_SIZE); - idx += SIGNER_DIGEST_SIZE; - - #ifndef NO_SKID - /* subjectKeyIdHash */ - XMEMCPY(signer->subjectKeyIdHash, current + idx,SIGNER_DIGEST_SIZE); - idx += SIGNER_DIGEST_SIZE; - #endif - - signer->next = cm->caTable[row]; - cm->caTable[row] = signer; - - --listSz; - } - - return idx; -} - - -/* Store whole cert row into memory, have lock, return bytes added */ -static WC_INLINE int StoreCertRow(WOLFSSL_CERT_MANAGER* cm, byte* current, int row) -{ - int added = 0; - Signer* list = cm->caTable[row]; - - while (list) { - XMEMCPY(current + added, &list->pubKeySize, sizeof(list->pubKeySize)); - added += (int)sizeof(list->pubKeySize); - - XMEMCPY(current + added, &list->keyOID, sizeof(list->keyOID)); - added += (int)sizeof(list->keyOID); - - XMEMCPY(current + added, list->publicKey, list->pubKeySize); - added += list->pubKeySize; - - XMEMCPY(current + added, &list->nameLen, sizeof(list->nameLen)); - added += (int)sizeof(list->nameLen); - - XMEMCPY(current + added, list->name, list->nameLen); - added += list->nameLen; - - XMEMCPY(current + added, list->subjectNameHash, SIGNER_DIGEST_SIZE); - added += SIGNER_DIGEST_SIZE; - - #ifndef NO_SKID - XMEMCPY(current + added, list->subjectKeyIdHash,SIGNER_DIGEST_SIZE); - added += SIGNER_DIGEST_SIZE; - #endif - - list = list->next; - } - - return added; -} - - -/* Persist cert cache to memory, have lock */ -static WC_INLINE int DoMemSaveCertCache(WOLFSSL_CERT_MANAGER* cm, - void* mem, int sz) -{ - int realSz; - int ret = WOLFSSL_SUCCESS; - int i; - - WOLFSSL_ENTER("DoMemSaveCertCache"); - - realSz = GetCertCacheMemSize(cm); - if (realSz > sz) { - WOLFSSL_MSG("Mem output buffer too small"); - ret = BUFFER_E; - } - else { - byte* current; - CertCacheHeader hdr; - - hdr.version = WOLFSSL_CACHE_CERT_VERSION; - hdr.rows = CA_TABLE_SIZE; - SetCertHeaderColumns(cm, hdr.columns); - hdr.signerSz = (int)sizeof(Signer); - - XMEMCPY(mem, &hdr, sizeof(CertCacheHeader)); - current = (byte*)mem + sizeof(CertCacheHeader); - - for (i = 0; i < CA_TABLE_SIZE; ++i) - current += StoreCertRow(cm, current, i); - } - - return ret; -} - - -#if !defined(NO_FILESYSTEM) - -/* Persist cert cache to file */ -int CM_SaveCertCache(WOLFSSL_CERT_MANAGER* cm, const char* fname) -{ - XFILE file; - int rc = WOLFSSL_SUCCESS; - int memSz; - byte* mem; - - WOLFSSL_ENTER("CM_SaveCertCache"); - - file = XFOPEN(fname, "w+b"); - if (file == XBADFILE) { - WOLFSSL_MSG("Couldn't open cert cache save file"); - return WOLFSSL_BAD_FILE; - } - - if (wc_LockMutex(&cm->caLock) != 0) { - WOLFSSL_MSG("wc_LockMutex on caLock failed"); - XFCLOSE(file); - return BAD_MUTEX_E; - } - - memSz = GetCertCacheMemSize(cm); - mem = (byte*)XMALLOC(memSz, cm->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (mem == NULL) { - WOLFSSL_MSG("Alloc for tmp buffer failed"); - rc = MEMORY_E; - } else { - rc = DoMemSaveCertCache(cm, mem, memSz); - if (rc == WOLFSSL_SUCCESS) { - int ret = (int)XFWRITE(mem, memSz, 1, file); - if (ret != 1) { - WOLFSSL_MSG("Cert cache file write failed"); - rc = FWRITE_ERROR; - } - } - XFREE(mem, cm->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - - wc_UnLockMutex(&cm->caLock); - XFCLOSE(file); - - return rc; -} - - -/* Restore cert cache from file */ -int CM_RestoreCertCache(WOLFSSL_CERT_MANAGER* cm, const char* fname) -{ - XFILE file; - int rc = WOLFSSL_SUCCESS; - int ret; - int memSz; - byte* mem; - - WOLFSSL_ENTER("CM_RestoreCertCache"); - - file = XFOPEN(fname, "rb"); - if (file == XBADFILE) { - WOLFSSL_MSG("Couldn't open cert cache save file"); - return WOLFSSL_BAD_FILE; - } - - if(XFSEEK(file, 0, XSEEK_END) != 0) { - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - memSz = (int)XFTELL(file); - XREWIND(file); - - if (memSz > MAX_WOLFSSL_FILE_SIZE || memSz <= 0) { - WOLFSSL_MSG("CM_RestoreCertCache file size error"); - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - - mem = (byte*)XMALLOC(memSz, cm->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (mem == NULL) { - WOLFSSL_MSG("Alloc for tmp buffer failed"); - XFCLOSE(file); - return MEMORY_E; - } - - ret = (int)XFREAD(mem, memSz, 1, file); - if (ret != 1) { - WOLFSSL_MSG("Cert file read error"); - rc = FREAD_ERROR; - } else { - rc = CM_MemRestoreCertCache(cm, mem, memSz); - if (rc != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Mem restore cert cache failed"); - } - } - - XFREE(mem, cm->heap, DYNAMIC_TYPE_TMP_BUFFER); - XFCLOSE(file); - - return rc; -} - -#endif /* NO_FILESYSTEM */ - - -/* Persist cert cache to memory */ -int CM_MemSaveCertCache(WOLFSSL_CERT_MANAGER* cm, void* mem, int sz, int* used) -{ - int ret = WOLFSSL_SUCCESS; - - WOLFSSL_ENTER("CM_MemSaveCertCache"); - - if (wc_LockMutex(&cm->caLock) != 0) { - WOLFSSL_MSG("wc_LockMutex on caLock failed"); - return BAD_MUTEX_E; - } - - ret = DoMemSaveCertCache(cm, mem, sz); - if (ret == WOLFSSL_SUCCESS) - *used = GetCertCacheMemSize(cm); - - wc_UnLockMutex(&cm->caLock); - - return ret; -} - - -/* Restore cert cache from memory */ -int CM_MemRestoreCertCache(WOLFSSL_CERT_MANAGER* cm, const void* mem, int sz) -{ - int ret = WOLFSSL_SUCCESS; - int i; - CertCacheHeader* hdr = (CertCacheHeader*)mem; - byte* current = (byte*)mem + sizeof(CertCacheHeader); - byte* end = (byte*)mem + sz; /* don't go over */ - - WOLFSSL_ENTER("CM_MemRestoreCertCache"); - - if (current > end) { - WOLFSSL_MSG("Cert Cache Memory buffer too small"); - return BUFFER_E; - } - - if (hdr->version != WOLFSSL_CACHE_CERT_VERSION || - hdr->rows != CA_TABLE_SIZE || - hdr->signerSz != (int)sizeof(Signer)) { - - WOLFSSL_MSG("Cert Cache Memory header mismatch"); - return CACHE_MATCH_ERROR; - } - - if (wc_LockMutex(&cm->caLock) != 0) { - WOLFSSL_MSG("wc_LockMutex on caLock failed"); - return BAD_MUTEX_E; - } - - FreeSignerTable(cm->caTable, CA_TABLE_SIZE, cm->heap); - - for (i = 0; i < CA_TABLE_SIZE; ++i) { - int added = RestoreCertRow(cm, current, i, hdr->columns[i], end); - if (added < 0) { - WOLFSSL_MSG("RestoreCertRow error"); - ret = added; - break; - } - current += added; - } - - wc_UnLockMutex(&cm->caLock); - - return ret; -} - - -/* get how big the the cert cache save buffer needs to be */ -int CM_GetCertCacheMemSize(WOLFSSL_CERT_MANAGER* cm) -{ - int sz; - - WOLFSSL_ENTER("CM_GetCertCacheMemSize"); - - if (wc_LockMutex(&cm->caLock) != 0) { - WOLFSSL_MSG("wc_LockMutex on caLock failed"); - return BAD_MUTEX_E; - } - - sz = GetCertCacheMemSize(cm); - - wc_UnLockMutex(&cm->caLock); - - return sz; -} - -#endif /* PERSIST_CERT_CACHE */ -#endif /* NO_CERTS */ - -#ifdef OPENSSL_EXTRA - - -/* removes all cipher suites from the list that contain "toRemove" - * returns the new list size on success - */ -static int wolfSSL_remove_ciphers(char* list, int sz, const char* toRemove) -{ - int idx = 0; - char* next = (char*)list; - int totalSz = sz; - - if (list == NULL) { - return 0; - } - - do { - char* current = next; - char name[MAX_SUITE_NAME + 1]; - word32 length; - - next = XSTRSTR(next, ":"); - length = min(sizeof(name), !next ? (word32)XSTRLEN(current) /* last */ - : (word32)(next - current)); - - XSTRNCPY(name, current, length); - name[(length == sizeof(name)) ? length - 1 : length] = 0; - - if (XSTRSTR(name, toRemove)) { - XMEMMOVE(list + idx, list + idx + length, totalSz - (idx + length)); - totalSz -= length; - list[totalSz] = '\0'; - next = current; - } - else { - idx += length; - } - } while (next++); /* ++ needed to skip ':' */ - - return totalSz; -} - -/* parse some bulk lists like !eNULL / !aNULL - * - * returns WOLFSSL_SUCCESS on success and sets the cipher suite list - */ -static int wolfSSL_parse_cipher_list(WOLFSSL_CTX* ctx, Suites* suites, - const char* list) -{ - int ret = 0; - const int suiteSz = GetCipherNamesSize(); - char* next = (char*)list; - const CipherSuiteInfo* names = GetCipherNames(); - char* localList = NULL; - int sz = 0; - - if (suites == NULL || list == NULL) { - WOLFSSL_MSG("NULL argument"); - return WOLFSSL_FAILURE; - } - - /* does list contain eNULL or aNULL? */ - if (XSTRSTR(list, "aNULL") || XSTRSTR(list, "eNULL")) { - do { - char* current = next; - char name[MAX_SUITE_NAME + 1]; - int i; - word32 length; - - next = XSTRSTR(next, ":"); - length = min(sizeof(name), !next ? (word32)XSTRLEN(current) /*last*/ - : (word32)(next - current)); - - XSTRNCPY(name, current, length); - name[(length == sizeof(name)) ? length - 1 : length] = 0; - - /* check for "not" case */ - if (name[0] == '!' && suiteSz > 0) { - /* populate list with all suites if not already created */ - if (localList == NULL) { - for (i = 0; i < suiteSz; i++) { - sz += (int)XSTRLEN(names[i].name) + 2; - } - localList = (char*)XMALLOC(sz, ctx->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (localList == NULL) { - return WOLFSSL_FAILURE; - } - wolfSSL_get_ciphers(localList, sz); - sz = (int)XSTRLEN(localList); - } - - if (XSTRSTR(name, "eNULL")) { - wolfSSL_remove_ciphers(localList, sz, "-NULL"); - } - } - } - while (next++); /* ++ needed to skip ':' */ - - ret = SetCipherList(ctx, suites, localList); - XFREE(localList, ctx->heap, DYNAMIC_TYPE_TMP_BUFFER); - return (ret)? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; - } - else { - return (SetCipherList(ctx, suites, list)) ? WOLFSSL_SUCCESS : - WOLFSSL_FAILURE; - } -} - -#endif - - -int wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX* ctx, const char* list) -{ - WOLFSSL_ENTER("wolfSSL_CTX_set_cipher_list"); - - if (ctx == NULL) - return WOLFSSL_FAILURE; - - /* alloc/init on demand only */ - if (ctx->suites == NULL) { - ctx->suites = (Suites*)XMALLOC(sizeof(Suites), ctx->heap, - DYNAMIC_TYPE_SUITES); - if (ctx->suites == NULL) { - WOLFSSL_MSG("Memory alloc for Suites failed"); - return WOLFSSL_FAILURE; - } - XMEMSET(ctx->suites, 0, sizeof(Suites)); - } - -#ifdef OPENSSL_EXTRA - return wolfSSL_parse_cipher_list(ctx, ctx->suites, list); -#else - return (SetCipherList(ctx, ctx->suites, list)) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; -#endif -} - - -int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list) -{ - WOLFSSL_ENTER("wolfSSL_set_cipher_list"); -#ifdef SINGLE_THREADED - if (ssl->ctx->suites == ssl->suites) { - ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, - DYNAMIC_TYPE_SUITES); - if (ssl->suites == NULL) { - WOLFSSL_MSG("Suites Memory error"); - return MEMORY_E; - } - ssl->options.ownSuites = 1; - } -#endif - -#ifdef OPENSSL_EXTRA - return wolfSSL_parse_cipher_list(ssl->ctx, ssl->suites, list); -#else - return (SetCipherList(ssl->ctx, ssl->suites, list)) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; -#endif -} - - -int wolfSSL_dtls_get_using_nonblock(WOLFSSL* ssl) -{ - int useNb = 0; - - if (ssl == NULL) - return WOLFSSL_FAILURE; - - WOLFSSL_ENTER("wolfSSL_dtls_get_using_nonblock"); - if (ssl->options.dtls) { -#ifdef WOLFSSL_DTLS - useNb = ssl->options.dtlsUseNonblock; -#endif - } - else { - WOLFSSL_MSG("wolfSSL_dtls_get_using_nonblock() is " - "DEPRECATED for non-DTLS use."); - } - return useNb; -} - - -#ifndef WOLFSSL_LEANPSK - -void wolfSSL_dtls_set_using_nonblock(WOLFSSL* ssl, int nonblock) -{ - (void)nonblock; - - WOLFSSL_ENTER("wolfSSL_dtls_set_using_nonblock"); - - if (ssl == NULL) - return; - - if (ssl->options.dtls) { -#ifdef WOLFSSL_DTLS - ssl->options.dtlsUseNonblock = (nonblock != 0); -#endif - } - else { - WOLFSSL_MSG("wolfSSL_dtls_set_using_nonblock() is " - "DEPRECATED for non-DTLS use."); - } -} - - -#ifdef WOLFSSL_DTLS - -int wolfSSL_dtls_get_current_timeout(WOLFSSL* ssl) -{ - int timeout = 0; - if (ssl) - timeout = ssl->dtls_timeout; - - WOLFSSL_LEAVE("wolfSSL_dtls_get_current_timeout()", timeout); - return timeout; -} - -int wolfSSL_DTLSv1_get_timeout(WOLFSSL* ssl, WOLFSSL_TIMEVAL* timeleft) -{ - if (ssl && timeleft) { - XMEMSET(timeleft, 0, sizeof(WOLFSSL_TIMEVAL)); - timeleft->tv_sec = ssl->dtls_timeout; - } - return 0; -} - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_DTLSv1_handle_timeout(WOLFSSL* ssl) -{ - WOLFSSL_STUB("SSL_DTLSv1_handle_timeout"); - (void)ssl; - return 0; -} -#endif - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_DTLSv1_set_initial_timeout_duration(WOLFSSL* ssl, word32 duration_ms) -{ - WOLFSSL_STUB("SSL_DTLSv1_set_initial_timeout_duration"); - (void)ssl; - (void)duration_ms; -} -#endif - -/* user may need to alter init dtls recv timeout, WOLFSSL_SUCCESS on ok */ -int wolfSSL_dtls_set_timeout_init(WOLFSSL* ssl, int timeout) -{ - if (ssl == NULL || timeout < 0) - return BAD_FUNC_ARG; - - if (timeout > ssl->dtls_timeout_max) { - WOLFSSL_MSG("Can't set dtls timeout init greater than dtls timeout max"); - return BAD_FUNC_ARG; - } - - ssl->dtls_timeout_init = timeout; - ssl->dtls_timeout = timeout; - - return WOLFSSL_SUCCESS; -} - - -/* user may need to alter max dtls recv timeout, WOLFSSL_SUCCESS on ok */ -int wolfSSL_dtls_set_timeout_max(WOLFSSL* ssl, int timeout) -{ - if (ssl == NULL || timeout < 0) - return BAD_FUNC_ARG; - - if (timeout < ssl->dtls_timeout_init) { - WOLFSSL_MSG("Can't set dtls timeout max less than dtls timeout init"); - return BAD_FUNC_ARG; - } - - ssl->dtls_timeout_max = timeout; - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_dtls_got_timeout(WOLFSSL* ssl) -{ - int result = WOLFSSL_SUCCESS; - WOLFSSL_ENTER("wolfSSL_dtls_got_timeout()"); - - if (ssl == NULL) - return WOLFSSL_FATAL_ERROR; - - if (!ssl->options.handShakeDone && - (DtlsMsgPoolTimeout(ssl) < 0 || DtlsMsgPoolSend(ssl, 0) < 0)) { - - result = WOLFSSL_FATAL_ERROR; - } - - WOLFSSL_LEAVE("wolfSSL_dtls_got_timeout()", result); - return result; -} - - -/* retransmit all the saves messages, WOLFSSL_SUCCESS on ok */ -int wolfSSL_dtls_retransmit(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_dtls_retransmit()"); - - if (ssl == NULL) - return WOLFSSL_FATAL_ERROR; - - if (!ssl->options.handShakeDone) { - int result = DtlsMsgPoolSend(ssl, 0); - if (result < 0) { - ssl->error = result; - WOLFSSL_ERROR(result); - return WOLFSSL_FATAL_ERROR; - } - } - - return 0; -} - -#endif /* DTLS */ -#endif /* LEANPSK */ - - -#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER) - -/* Not an SSL function, return 0 for success, error code otherwise */ -/* Prereq: ssl's RNG needs to be initialized. */ -int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, - const byte* secret, word32 secretSz) -{ - int ret = 0; - - WOLFSSL_ENTER("wolfSSL_DTLS_SetCookieSecret"); - - if (ssl == NULL) { - WOLFSSL_MSG("need a SSL object"); - return BAD_FUNC_ARG; - } - - if (secret != NULL && secretSz == 0) { - WOLFSSL_MSG("can't have a new secret without a size"); - return BAD_FUNC_ARG; - } - - /* If secretSz is 0, use the default size. */ - if (secretSz == 0) - secretSz = COOKIE_SECRET_SZ; - - if (secretSz != ssl->buffers.dtlsCookieSecret.length) { - byte* newSecret; - - if (ssl->buffers.dtlsCookieSecret.buffer != NULL) { - ForceZero(ssl->buffers.dtlsCookieSecret.buffer, - ssl->buffers.dtlsCookieSecret.length); - XFREE(ssl->buffers.dtlsCookieSecret.buffer, - ssl->heap, DYNAMIC_TYPE_NONE); - } - - newSecret = (byte*)XMALLOC(secretSz, ssl->heap,DYNAMIC_TYPE_COOKIE_PWD); - if (newSecret == NULL) { - ssl->buffers.dtlsCookieSecret.buffer = NULL; - ssl->buffers.dtlsCookieSecret.length = 0; - WOLFSSL_MSG("couldn't allocate new cookie secret"); - return MEMORY_ERROR; - } - ssl->buffers.dtlsCookieSecret.buffer = newSecret; - ssl->buffers.dtlsCookieSecret.length = secretSz; - } - - /* If the supplied secret is NULL, randomly generate a new secret. */ - if (secret == NULL) { - ret = wc_RNG_GenerateBlock(ssl->rng, - ssl->buffers.dtlsCookieSecret.buffer, secretSz); - } - else - XMEMCPY(ssl->buffers.dtlsCookieSecret.buffer, secret, secretSz); - - WOLFSSL_LEAVE("wolfSSL_DTLS_SetCookieSecret", 0); - return ret; -} - -#endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */ - - -/* EITHER SIDE METHODS */ -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - WOLFSSL_METHOD* wolfSSLv23_method(void) - { - return wolfSSLv23_method_ex(NULL); - } - WOLFSSL_METHOD* wolfSSLv23_method_ex(void* heap) - { - WOLFSSL_METHOD* m = NULL; - WOLFSSL_ENTER("SSLv23_method"); - #if !defined(NO_WOLFSSL_CLIENT) - m = wolfSSLv23_client_method_ex(heap); - #elif !defined(NO_WOLFSSL_SERVER) - m = wolfSSLv23_server_method_ex(heap); - #endif - if (m != NULL) { - m->side = WOLFSSL_NEITHER_END; - } - - return m; - } - - #ifdef WOLFSSL_ALLOW_SSLV3 - WOLFSSL_METHOD* wolfSSLv3_method(void) - { - return wolfSSLv3_method_ex(NULL); - } - WOLFSSL_METHOD* wolfSSLv3_method_ex(void* heap) - { - WOLFSSL_METHOD* m = NULL; - WOLFSSL_ENTER("SSLv3_method"); - #if !defined(NO_WOLFSSL_CLIENT) - m = wolfSSLv3_client_method_ex(heap); - #elif !defined(NO_WOLFSSL_SERVER) - m = wolfSSLv3_server_method_ex(heap); - #endif - if (m != NULL) { - m->side = WOLFSSL_NEITHER_END; - } - - return m; - } - #endif -#endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */ - -/* client only parts */ -#ifndef NO_WOLFSSL_CLIENT - - #ifdef OPENSSL_EXTRA - WOLFSSL_METHOD* wolfSSLv2_client_method(void) - { - WOLFSSL_STUB("wolfSSLv2_client_method"); - return NULL; - } - #endif - - #ifdef WOLFSSL_ALLOW_SSLV3 - WOLFSSL_METHOD* wolfSSLv3_client_method(void) - { - return wolfSSLv3_client_method_ex(NULL); - } - WOLFSSL_METHOD* wolfSSLv3_client_method_ex(void* heap) - { - WOLFSSL_METHOD* method = - (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), - heap, DYNAMIC_TYPE_METHOD); - (void)heap; - WOLFSSL_ENTER("SSLv3_client_method_ex"); - if (method) - InitSSL_Method(method, MakeSSLv3()); - return method; - } - #endif /* WOLFSSL_ALLOW_SSLV3 */ - - - WOLFSSL_METHOD* wolfSSLv23_client_method(void) - { - return wolfSSLv23_client_method_ex(NULL); - } - WOLFSSL_METHOD* wolfSSLv23_client_method_ex(void* heap) - { - WOLFSSL_METHOD* method = - (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), - heap, DYNAMIC_TYPE_METHOD); - (void)heap; - WOLFSSL_ENTER("SSLv23_client_method_ex"); - if (method) { - #if !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512) - #if defined(WOLFSSL_TLS13) - InitSSL_Method(method, MakeTLSv1_3()); - #elif !defined(WOLFSSL_NO_TLS12) - InitSSL_Method(method, MakeTLSv1_2()); - #elif !defined(NO_OLD_TLS) - InitSSL_Method(method, MakeTLSv1_1()); - #endif - #else - #ifndef NO_OLD_TLS - InitSSL_Method(method, MakeTLSv1_1()); - #endif - #endif - #if !defined(NO_OLD_TLS) || defined(WOLFSSL_TLS13) - method->downgrade = 1; - #endif - } - return method; - } - - - #if defined(WOLFSSL_DTLS) || !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) || \ - defined(WOLFSSL_ALLOW_SSLV3) - /* If SCTP is not enabled returns the state of the dtls option. - * If SCTP is enabled returns dtls && !sctp. */ - static WC_INLINE int IsDtlsNotSctpMode(WOLFSSL* ssl) - { - int result = ssl->options.dtls; - - if (result) { - #ifdef WOLFSSL_SCTP - result = !ssl->options.dtlsSctp; - #endif - } - - return result; - } - #endif /* WOLFSSL_DTLS || !WOLFSSL_NO_TLS12 || !NO_OLD_TLS */ - - - /* please see note at top of README if you get an error from connect */ - WOLFSSL_ABI - int wolfSSL_connect(WOLFSSL* ssl) - { - #if !(defined(WOLFSSL_NO_TLS12) && defined(NO_OLD_TLS) && defined(WOLFSSL_TLS13)) - int neededState; - #endif - - WOLFSSL_ENTER("SSL_connect()"); - - #ifdef HAVE_ERRNO_H - errno = 0; - #endif - - if (ssl == NULL) - return BAD_FUNC_ARG; - - #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (ssl->options.side == WOLFSSL_NEITHER_END) { - ssl->error = InitSSL_Side(ssl, WOLFSSL_CLIENT_END); - if (ssl->error != WOLFSSL_SUCCESS) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - ssl->error = 0; /* expected to be zero here */ - } - - #ifdef OPENSSL_EXTRA - if (ssl->CBIS != NULL) { - ssl->CBIS(ssl, SSL_ST_CONNECT, SSL_SUCCESS); - ssl->cbmode = SSL_CB_WRITE; - } - #endif - #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */ - - #if defined(WOLFSSL_NO_TLS12) && defined(NO_OLD_TLS) && defined(WOLFSSL_TLS13) - return wolfSSL_connect_TLSv13(ssl); - #else - #ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) - return wolfSSL_connect_TLSv13(ssl); - #endif - - if (ssl->options.side != WOLFSSL_CLIENT_END) { - WOLFSSL_ERROR(ssl->error = SIDE_ERROR); - return WOLFSSL_FATAL_ERROR; - } - - #ifdef WOLFSSL_DTLS - if (ssl->version.major == DTLS_MAJOR) { - ssl->options.dtls = 1; - ssl->options.tls = 1; - ssl->options.tls1_1 = 1; - } - #endif - - if (ssl->buffers.outputBuffer.length > 0 - #ifdef WOLFSSL_ASYNC_CRYPT - /* do not send buffered or advance state if last error was an - async pending operation */ - && ssl->error != WC_PENDING_E - #endif - ) { - if ( (ssl->error = SendBuffered(ssl)) == 0) { - /* fragOffset is non-zero when sending fragments. On the last - * fragment, fragOffset is zero again, and the state can be - * advanced. */ - if (ssl->fragOffset == 0) { - ssl->options.connectState++; - WOLFSSL_MSG("connect state: " - "Advanced from last buffered fragment send"); - } - else { - WOLFSSL_MSG("connect state: " - "Not advanced, more fragments to send"); - } - } - else { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - } - - switch (ssl->options.connectState) { - - case CONNECT_BEGIN : - /* always send client hello first */ - if ( (ssl->error = SendClientHello(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - ssl->options.connectState = CLIENT_HELLO_SENT; - WOLFSSL_MSG("connect state: CLIENT_HELLO_SENT"); - FALL_THROUGH; - - case CLIENT_HELLO_SENT : - neededState = ssl->options.resuming ? SERVER_FINISHED_COMPLETE : - SERVER_HELLODONE_COMPLETE; - #ifdef WOLFSSL_DTLS - /* In DTLS, when resuming, we can go straight to FINISHED, - * or do a cookie exchange and then skip to FINISHED, assume - * we need the cookie exchange first. */ - if (IsDtlsNotSctpMode(ssl)) - neededState = SERVER_HELLOVERIFYREQUEST_COMPLETE; - #endif - /* get response */ - while (ssl->options.serverState < neededState) { - #ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) - return wolfSSL_connect_TLSv13(ssl); - #endif - if ( (ssl->error = ProcessReply(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - /* if resumption failed, reset needed state */ - else if (neededState == SERVER_FINISHED_COMPLETE) - if (!ssl->options.resuming) { - if (!IsDtlsNotSctpMode(ssl)) - neededState = SERVER_HELLODONE_COMPLETE; - else - neededState = SERVER_HELLOVERIFYREQUEST_COMPLETE; - } - } - - ssl->options.connectState = HELLO_AGAIN; - WOLFSSL_MSG("connect state: HELLO_AGAIN"); - FALL_THROUGH; - - case HELLO_AGAIN : - if (ssl->options.certOnly) - return WOLFSSL_SUCCESS; - - #ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) - return wolfSSL_connect_TLSv13(ssl); - #endif - - #ifdef WOLFSSL_DTLS - if (ssl->options.serverState == - SERVER_HELLOVERIFYREQUEST_COMPLETE) { - if (IsDtlsNotSctpMode(ssl)) { - /* re-init hashes, exclude first hello and verify request */ - if ((ssl->error = InitHandshakeHashes(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - if ( (ssl->error = SendClientHello(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - } - } - #endif - - ssl->options.connectState = HELLO_AGAIN_REPLY; - WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY"); - FALL_THROUGH; - - case HELLO_AGAIN_REPLY : - #ifdef WOLFSSL_DTLS - if (IsDtlsNotSctpMode(ssl)) { - neededState = ssl->options.resuming ? - SERVER_FINISHED_COMPLETE : SERVER_HELLODONE_COMPLETE; - - /* get response */ - while (ssl->options.serverState < neededState) { - if ( (ssl->error = ProcessReply(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - /* if resumption failed, reset needed state */ - if (neededState == SERVER_FINISHED_COMPLETE) { - if (!ssl->options.resuming) - neededState = SERVER_HELLODONE_COMPLETE; - } - } - } - #endif - - ssl->options.connectState = FIRST_REPLY_DONE; - WOLFSSL_MSG("connect state: FIRST_REPLY_DONE"); - FALL_THROUGH; - - case FIRST_REPLY_DONE : - #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) - #ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) - return wolfSSL_connect_TLSv13(ssl); - #endif - if (ssl->options.sendVerify) { - if ( (ssl->error = SendCertificate(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - WOLFSSL_MSG("sent: certificate"); - } - - #endif - ssl->options.connectState = FIRST_REPLY_FIRST; - WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST"); - FALL_THROUGH; - - case FIRST_REPLY_FIRST : - #ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) - return wolfSSL_connect_TLSv13(ssl); - #endif - if (!ssl->options.resuming) { - if ( (ssl->error = SendClientKeyExchange(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - WOLFSSL_MSG("sent: client key exchange"); - } - - ssl->options.connectState = FIRST_REPLY_SECOND; - WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND"); - FALL_THROUGH; - - case FIRST_REPLY_SECOND : - #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) - if (ssl->options.sendVerify) { - if ( (ssl->error = SendCertificateVerify(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - WOLFSSL_MSG("sent: certificate verify"); - } - #endif /* !NO_CERTS && !WOLFSSL_NO_CLIENT_AUTH */ - ssl->options.connectState = FIRST_REPLY_THIRD; - WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD"); - FALL_THROUGH; - - case FIRST_REPLY_THIRD : - if ( (ssl->error = SendChangeCipher(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - WOLFSSL_MSG("sent: change cipher spec"); - ssl->options.connectState = FIRST_REPLY_FOURTH; - WOLFSSL_MSG("connect state: FIRST_REPLY_FOURTH"); - FALL_THROUGH; - - case FIRST_REPLY_FOURTH : - if ( (ssl->error = SendFinished(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - WOLFSSL_MSG("sent: finished"); - ssl->options.connectState = FINISHED_DONE; - WOLFSSL_MSG("connect state: FINISHED_DONE"); - FALL_THROUGH; - - case FINISHED_DONE : - /* get response */ - while (ssl->options.serverState < SERVER_FINISHED_COMPLETE) - if ( (ssl->error = ProcessReply(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - - ssl->options.connectState = SECOND_REPLY_DONE; - WOLFSSL_MSG("connect state: SECOND_REPLY_DONE"); - FALL_THROUGH; - - case SECOND_REPLY_DONE: -#ifndef NO_HANDSHAKE_DONE_CB - if (ssl->hsDoneCb) { - int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx); - if (cbret < 0) { - ssl->error = cbret; - WOLFSSL_MSG("HandShake Done Cb don't continue error"); - return WOLFSSL_FATAL_ERROR; - } - } -#endif /* NO_HANDSHAKE_DONE_CB */ - - if (!ssl->options.dtls) { - if (!ssl->options.keepResources) { - FreeHandshakeResources(ssl); - } - } -#ifdef WOLFSSL_DTLS - else { - ssl->options.dtlsHsRetain = 1; - } -#endif /* WOLFSSL_DTLS */ - - WOLFSSL_LEAVE("SSL_connect()", WOLFSSL_SUCCESS); - return WOLFSSL_SUCCESS; - - default: - WOLFSSL_MSG("Unknown connect state ERROR"); - return WOLFSSL_FATAL_ERROR; /* unknown connect state */ - } - #endif /* !WOLFSSL_NO_TLS12 */ - } - -#endif /* NO_WOLFSSL_CLIENT */ - - -/* server only parts */ -#ifndef NO_WOLFSSL_SERVER - - #ifdef OPENSSL_EXTRA - WOLFSSL_METHOD* wolfSSLv2_server_method(void) - { - WOLFSSL_STUB("wolfSSLv2_server_method"); - return 0; - } - #endif - - #ifdef WOLFSSL_ALLOW_SSLV3 - WOLFSSL_METHOD* wolfSSLv3_server_method(void) - { - return wolfSSLv3_server_method_ex(NULL); - } - WOLFSSL_METHOD* wolfSSLv3_server_method_ex(void* heap) - { - WOLFSSL_METHOD* method = - (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), - heap, DYNAMIC_TYPE_METHOD); - (void)heap; - WOLFSSL_ENTER("SSLv3_server_method_ex"); - if (method) { - InitSSL_Method(method, MakeSSLv3()); - method->side = WOLFSSL_SERVER_END; - } - return method; - } - #endif /* WOLFSSL_ALLOW_SSLV3 */ - - WOLFSSL_METHOD* wolfSSLv23_server_method(void) - { - return wolfSSLv23_server_method_ex(NULL); - } - - WOLFSSL_METHOD* wolfSSLv23_server_method_ex(void* heap) - { - WOLFSSL_METHOD* method = - (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), - heap, DYNAMIC_TYPE_METHOD); - (void)heap; - WOLFSSL_ENTER("SSLv23_server_method_ex"); - if (method) { - #if !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512) - #ifdef WOLFSSL_TLS13 - InitSSL_Method(method, MakeTLSv1_3()); - #elif !defined(WOLFSSL_NO_TLS12) - InitSSL_Method(method, MakeTLSv1_2()); - #elif !defined(NO_OLD_TLS) - InitSSL_Method(method, MakeTLSv1_1()); - #endif - #else - #ifndef NO_OLD_TLS - InitSSL_Method(method, MakeTLSv1_1()); - #else - #error Must have SHA256, SHA384 or SHA512 enabled for TLS 1.2 - #endif - #endif - #if !defined(NO_OLD_TLS) || defined(WOLFSSL_TLS13) - method->downgrade = 1; - #endif - method->side = WOLFSSL_SERVER_END; - } - return method; - } - - - int wolfSSL_accept(WOLFSSL* ssl) - { -#if !(defined(WOLFSSL_NO_TLS12) && defined(NO_OLD_TLS) && defined(WOLFSSL_TLS13)) - word16 havePSK = 0; - word16 haveAnon = 0; - word16 haveMcast = 0; -#endif - - if (ssl == NULL) - return WOLFSSL_FATAL_ERROR; - - #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) - if (ssl->options.side == WOLFSSL_NEITHER_END) { - WOLFSSL_MSG("Setting WOLFSSL_SSL to be server side"); - ssl->error = InitSSL_Side(ssl, WOLFSSL_SERVER_END); - if (ssl->error != WOLFSSL_SUCCESS) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - ssl->error = 0; /* expected to be zero here */ - } - #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */ - -#if defined(WOLFSSL_NO_TLS12) && defined(NO_OLD_TLS) && defined(WOLFSSL_TLS13) - return wolfSSL_accept_TLSv13(ssl); -#else - #ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) - return wolfSSL_accept_TLSv13(ssl); - #endif - WOLFSSL_ENTER("SSL_accept()"); - - #ifdef HAVE_ERRNO_H - errno = 0; - #endif - - #ifndef NO_PSK - havePSK = ssl->options.havePSK; - #endif - (void)havePSK; - - #ifdef HAVE_ANON - haveAnon = ssl->options.haveAnon; - #endif - (void)haveAnon; - - #ifdef WOLFSSL_MULTICAST - haveMcast = ssl->options.haveMcast; - #endif - (void)haveMcast; - - if (ssl->options.side != WOLFSSL_SERVER_END) { - WOLFSSL_ERROR(ssl->error = SIDE_ERROR); - return WOLFSSL_FATAL_ERROR; - } - - #ifndef NO_CERTS - /* in case used set_accept_state after init */ - /* allow no private key if using PK callbacks and CB is set */ - if (!havePSK && !haveAnon && !haveMcast) { - if (!ssl->buffers.certificate || - !ssl->buffers.certificate->buffer) { - - WOLFSSL_MSG("accept error: server cert required"); - WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY); - return WOLFSSL_FATAL_ERROR; - } - - #ifdef HAVE_PK_CALLBACKS - if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) { - WOLFSSL_MSG("Using PK for server private key"); - } - else - #endif - if (!ssl->buffers.key || !ssl->buffers.key->buffer) { - WOLFSSL_MSG("accept error: server key required"); - WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY); - return WOLFSSL_FATAL_ERROR; - } - } - #endif - - #ifdef WOLFSSL_DTLS - if (ssl->version.major == DTLS_MAJOR) { - ssl->options.dtls = 1; - ssl->options.tls = 1; - ssl->options.tls1_1 = 1; - } - #endif - - if (ssl->buffers.outputBuffer.length > 0 - #ifdef WOLFSSL_ASYNC_CRYPT - /* do not send buffered or advance state if last error was an - async pending operation */ - && ssl->error != WC_PENDING_E - #endif - ) { - if ( (ssl->error = SendBuffered(ssl)) == 0) { - /* fragOffset is non-zero when sending fragments. On the last - * fragment, fragOffset is zero again, and the state can be - * advanced. */ - if (ssl->fragOffset == 0) { - ssl->options.acceptState++; - WOLFSSL_MSG("accept state: " - "Advanced from last buffered fragment send"); - } - else { - WOLFSSL_MSG("accept state: " - "Not advanced, more fragments to send"); - } - } - else { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - } - - switch (ssl->options.acceptState) { - - case ACCEPT_BEGIN : -#ifdef HAVE_SECURE_RENEGOTIATION - case ACCEPT_BEGIN_RENEG: -#endif - /* get response */ - while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) - if ( (ssl->error = ProcessReply(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } -#ifdef WOLFSSL_TLS13 - ssl->options.acceptState = ACCEPT_CLIENT_HELLO_DONE; - WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE"); - FALL_THROUGH; - - case ACCEPT_CLIENT_HELLO_DONE : - if (ssl->options.tls1_3) { - return wolfSSL_accept_TLSv13(ssl); - } -#endif - ssl->options.acceptState = ACCEPT_FIRST_REPLY_DONE; - WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE"); - FALL_THROUGH; - - case ACCEPT_FIRST_REPLY_DONE : - if ( (ssl->error = SendServerHello(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - ssl->options.acceptState = SERVER_HELLO_SENT; - WOLFSSL_MSG("accept state SERVER_HELLO_SENT"); - FALL_THROUGH; - - case SERVER_HELLO_SENT : - #ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) { - return wolfSSL_accept_TLSv13(ssl); - } - #endif - #ifndef NO_CERTS - if (!ssl->options.resuming) - if ( (ssl->error = SendCertificate(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - #endif - ssl->options.acceptState = CERT_SENT; - WOLFSSL_MSG("accept state CERT_SENT"); - FALL_THROUGH; - - case CERT_SENT : - #ifndef NO_CERTS - if (!ssl->options.resuming) - if ( (ssl->error = SendCertificateStatus(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - #endif - ssl->options.acceptState = CERT_STATUS_SENT; - WOLFSSL_MSG("accept state CERT_STATUS_SENT"); - FALL_THROUGH; - - case CERT_STATUS_SENT : - #ifdef WOLFSSL_TLS13 - if (ssl->options.tls1_3) { - return wolfSSL_accept_TLSv13(ssl); - } - #endif - if (!ssl->options.resuming) - if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - ssl->options.acceptState = KEY_EXCHANGE_SENT; - WOLFSSL_MSG("accept state KEY_EXCHANGE_SENT"); - FALL_THROUGH; - - case KEY_EXCHANGE_SENT : - #ifndef NO_CERTS - if (!ssl->options.resuming) { - if (ssl->options.verifyPeer) { - if ( (ssl->error = SendCertificateRequest(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - } - } - #endif - ssl->options.acceptState = CERT_REQ_SENT; - WOLFSSL_MSG("accept state CERT_REQ_SENT"); - FALL_THROUGH; - - case CERT_REQ_SENT : - if (!ssl->options.resuming) - if ( (ssl->error = SendServerHelloDone(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - ssl->options.acceptState = SERVER_HELLO_DONE; - WOLFSSL_MSG("accept state SERVER_HELLO_DONE"); - FALL_THROUGH; - - case SERVER_HELLO_DONE : - if (!ssl->options.resuming) { - while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) - if ( (ssl->error = ProcessReply(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - } - ssl->options.acceptState = ACCEPT_SECOND_REPLY_DONE; - WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE"); - FALL_THROUGH; - - case ACCEPT_SECOND_REPLY_DONE : -#ifdef HAVE_SESSION_TICKET - if (ssl->options.createTicket) { - if ( (ssl->error = SendTicket(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - } -#endif /* HAVE_SESSION_TICKET */ - ssl->options.acceptState = TICKET_SENT; - WOLFSSL_MSG("accept state TICKET_SENT"); - FALL_THROUGH; - - case TICKET_SENT: - if ( (ssl->error = SendChangeCipher(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - ssl->options.acceptState = CHANGE_CIPHER_SENT; - WOLFSSL_MSG("accept state CHANGE_CIPHER_SENT"); - FALL_THROUGH; - - case CHANGE_CIPHER_SENT : - if ( (ssl->error = SendFinished(ssl)) != 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - - ssl->options.acceptState = ACCEPT_FINISHED_DONE; - WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE"); - FALL_THROUGH; - - case ACCEPT_FINISHED_DONE : - if (ssl->options.resuming) - while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) - if ( (ssl->error = ProcessReply(ssl)) < 0) { - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - - ssl->options.acceptState = ACCEPT_THIRD_REPLY_DONE; - WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE"); - FALL_THROUGH; - - case ACCEPT_THIRD_REPLY_DONE : -#ifndef NO_HANDSHAKE_DONE_CB - if (ssl->hsDoneCb) { - int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx); - if (cbret < 0) { - ssl->error = cbret; - WOLFSSL_MSG("HandShake Done Cb don't continue error"); - return WOLFSSL_FATAL_ERROR; - } - } -#endif /* NO_HANDSHAKE_DONE_CB */ - - if (!ssl->options.dtls) { - if (!ssl->options.keepResources) { - FreeHandshakeResources(ssl); - } - } -#ifdef WOLFSSL_DTLS - else { - ssl->options.dtlsHsRetain = 1; - } -#endif /* WOLFSSL_DTLS */ - -#ifdef WOLFSSL_SESSION_EXPORT - if (ssl->dtls_export) { - if ((ssl->error = wolfSSL_send_session(ssl)) != 0) { - WOLFSSL_MSG("Export DTLS session error"); - WOLFSSL_ERROR(ssl->error); - return WOLFSSL_FATAL_ERROR; - } - } -#endif - - WOLFSSL_LEAVE("SSL_accept()", WOLFSSL_SUCCESS); - return WOLFSSL_SUCCESS; - - default : - WOLFSSL_MSG("Unknown accept state ERROR"); - return WOLFSSL_FATAL_ERROR; - } -#endif /* !WOLFSSL_NO_TLS12 */ - } - -#endif /* NO_WOLFSSL_SERVER */ - - -#ifndef NO_HANDSHAKE_DONE_CB - -int wolfSSL_SetHsDoneCb(WOLFSSL* ssl, HandShakeDoneCb cb, void* user_ctx) -{ - WOLFSSL_ENTER("wolfSSL_SetHsDoneCb"); - - if (ssl == NULL) - return BAD_FUNC_ARG; - - ssl->hsDoneCb = cb; - ssl->hsDoneCtx = user_ctx; - - - return WOLFSSL_SUCCESS; -} - -#endif /* NO_HANDSHAKE_DONE_CB */ - -WOLFSSL_ABI -int wolfSSL_Cleanup(void) -{ - int ret = WOLFSSL_SUCCESS; - int release = 0; - - WOLFSSL_ENTER("wolfSSL_Cleanup"); - - if (initRefCount == 0) - return ret; /* possibly no init yet, but not failure either way */ - - if (wc_LockMutex(&count_mutex) != 0) { - WOLFSSL_MSG("Bad Lock Mutex count"); - return BAD_MUTEX_E; - } - - release = initRefCount-- == 1; - if (initRefCount < 0) - initRefCount = 0; - - wc_UnLockMutex(&count_mutex); - - if (!release) - return ret; - -#ifdef OPENSSL_EXTRA - if (bn_one) { - wolfSSL_BN_free(bn_one); - bn_one = NULL; - } -#endif - -#ifndef NO_SESSION_CACHE - if (wc_FreeMutex(&session_mutex) != 0) - ret = BAD_MUTEX_E; -#endif - if (wc_FreeMutex(&count_mutex) != 0) - ret = BAD_MUTEX_E; - -#ifdef OPENSSL_EXTRA - wolfSSL_RAND_Cleanup(); -#endif - - if (wolfCrypt_Cleanup() != 0) { - WOLFSSL_MSG("Error with wolfCrypt_Cleanup call"); - ret = WC_CLEANUP_E; - } - - return ret; -} - - -#ifndef NO_SESSION_CACHE - - -/* some session IDs aren't random after all, let's make them random */ -static WC_INLINE word32 HashSession(const byte* sessionID, word32 len, int* error) -{ - byte digest[WC_MAX_DIGEST_SIZE]; - -#ifndef NO_MD5 - *error = wc_Md5Hash(sessionID, len, digest); -#elif !defined(NO_SHA) - *error = wc_ShaHash(sessionID, len, digest); -#elif !defined(NO_SHA256) - *error = wc_Sha256Hash(sessionID, len, digest); -#else - #error "We need a digest to hash the session IDs" -#endif - - return *error == 0 ? MakeWordFromHash(digest) : 0; /* 0 on failure */ -} - - -WOLFSSL_ABI -void wolfSSL_flush_sessions(WOLFSSL_CTX* ctx, long tm) -{ - /* static table now, no flushing needed */ - (void)ctx; - (void)tm; -} - - -/* set ssl session timeout in seconds */ -WOLFSSL_ABI -int wolfSSL_set_timeout(WOLFSSL* ssl, unsigned int to) -{ - if (ssl == NULL) - return BAD_FUNC_ARG; - - if (to == 0) - to = WOLFSSL_SESSION_TIMEOUT; - ssl->timeout = to; - - return WOLFSSL_SUCCESS; -} - - -/* set ctx session timeout in seconds */ -WOLFSSL_ABI -int wolfSSL_CTX_set_timeout(WOLFSSL_CTX* ctx, unsigned int to) -{ - if (ctx == NULL) - return BAD_FUNC_ARG; - - if (to == 0) - to = WOLFSSL_SESSION_TIMEOUT; - ctx->timeout = to; - - return WOLFSSL_SUCCESS; -} - - -#ifndef NO_CLIENT_CACHE - -/* Get Session from Client cache based on id/len, return NULL on failure */ -WOLFSSL_SESSION* GetSessionClient(WOLFSSL* ssl, const byte* id, int len) -{ - WOLFSSL_SESSION* ret = NULL; - word32 row; - int idx; - int count; - int error = 0; - - WOLFSSL_ENTER("GetSessionClient"); - - if (ssl->ctx->sessionCacheOff) - return NULL; - - if (ssl->options.side == WOLFSSL_SERVER_END) - return NULL; - - len = min(SERVER_ID_LEN, (word32)len); - -#ifdef HAVE_EXT_CACHE - if (ssl->ctx->get_sess_cb != NULL) { - int copy = 0; - ret = ssl->ctx->get_sess_cb(ssl, (byte*)id, len, ©); - if (ret != NULL) - return ret; - } - - if (ssl->ctx->internalCacheOff) - return NULL; -#endif - - row = HashSession(id, len, &error) % SESSION_ROWS; - if (error != 0) { - WOLFSSL_MSG("Hash session failed"); - return NULL; - } - - if (wc_LockMutex(&session_mutex) != 0) { - WOLFSSL_MSG("Lock session mutex failed"); - return NULL; - } - - /* start from most recently used */ - count = min((word32)ClientCache[row].totalCount, SESSIONS_PER_ROW); - idx = ClientCache[row].nextIdx - 1; - if (idx < 0) - idx = SESSIONS_PER_ROW - 1; /* if back to front, the previous was end */ - - for (; count > 0; --count, idx = idx ? idx - 1 : SESSIONS_PER_ROW - 1) { - WOLFSSL_SESSION* current; - ClientSession clSess; - - if (idx >= SESSIONS_PER_ROW || idx < 0) { /* sanity check */ - WOLFSSL_MSG("Bad idx"); - break; - } - - clSess = ClientCache[row].Clients[idx]; - - current = &SessionCache[clSess.serverRow].Sessions[clSess.serverIdx]; - if (XMEMCMP(current->serverID, id, len) == 0) { - WOLFSSL_MSG("Found a serverid match for client"); - if (LowResTimer() < (current->bornOn + current->timeout)) { - WOLFSSL_MSG("Session valid"); - ret = current; - break; - } else { - WOLFSSL_MSG("Session timed out"); /* could have more for id */ - } - } else { - WOLFSSL_MSG("ServerID not a match from client table"); - } - } - - wc_UnLockMutex(&session_mutex); - - return ret; -} - -#endif /* NO_CLIENT_CACHE */ - -/* Restore the master secret and session information for certificates. - * - * ssl The SSL/TLS object. - * session The cached session to restore. - * masterSecret The master secret from the cached session. - * restoreSessionCerts Restoring session certificates is required. - */ -static WC_INLINE void RestoreSession(WOLFSSL* ssl, WOLFSSL_SESSION* session, - byte* masterSecret, byte restoreSessionCerts) -{ - (void)ssl; - (void)restoreSessionCerts; - - if (masterSecret) - XMEMCPY(masterSecret, session->masterSecret, SECRET_LEN); -#ifdef SESSION_CERTS - /* If set, we should copy the session certs into the ssl object - * from the session we are returning so we can resume */ - if (restoreSessionCerts) { - ssl->session.chain = session->chain; - ssl->session.version = session->version; - #ifdef NO_RESUME_SUITE_CHECK - ssl->session.cipherSuite0 = session->cipherSuite0; - ssl->session.cipherSuite = session->cipherSuite; - #endif - } -#endif /* SESSION_CERTS */ -#if !defined(NO_RESUME_SUITE_CHECK) || \ - (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) - ssl->session.cipherSuite0 = session->cipherSuite0; - ssl->session.cipherSuite = session->cipherSuite; -#endif -} - -WOLFSSL_SESSION* GetSession(WOLFSSL* ssl, byte* masterSecret, - byte restoreSessionCerts) -{ - WOLFSSL_SESSION* ret = 0; - const byte* id = NULL; - word32 row; - int idx; - int count; - int error = 0; - - (void) restoreSessionCerts; - - if (ssl->options.sessionCacheOff) - return NULL; - - if (ssl->options.haveSessionId == 0) - return NULL; - -#ifdef HAVE_SESSION_TICKET - if (ssl->options.side == WOLFSSL_SERVER_END && ssl->options.useTicket == 1) - return NULL; -#endif - - if (!ssl->options.tls1_3 && ssl->arrays != NULL) - id = ssl->arrays->sessionID; - else - id = ssl->session.sessionID; - -#ifdef HAVE_EXT_CACHE - if (ssl->ctx->get_sess_cb != NULL) { - int copy = 0; - /* Attempt to retrieve the session from the external cache. */ - ret = ssl->ctx->get_sess_cb(ssl, (byte*)id, ID_LEN, ©); - if (ret != NULL) { - RestoreSession(ssl, ret, masterSecret, restoreSessionCerts); - return ret; - } - } - - if (ssl->ctx->internalCacheOff) - return NULL; -#endif - - row = HashSession(id, ID_LEN, &error) % SESSION_ROWS; - if (error != 0) { - WOLFSSL_MSG("Hash session failed"); - return NULL; - } - - if (wc_LockMutex(&session_mutex) != 0) - return 0; - - /* start from most recently used */ - count = min((word32)SessionCache[row].totalCount, SESSIONS_PER_ROW); - idx = SessionCache[row].nextIdx - 1; - if (idx < 0) - idx = SESSIONS_PER_ROW - 1; /* if back to front, the previous was end */ - - for (; count > 0; --count, idx = idx ? idx - 1 : SESSIONS_PER_ROW - 1) { - WOLFSSL_SESSION* current; - - if (idx >= SESSIONS_PER_ROW || idx < 0) { /* sanity check */ - WOLFSSL_MSG("Bad idx"); - break; - } - - current = &SessionCache[row].Sessions[idx]; - if (XMEMCMP(current->sessionID, id, ID_LEN) == 0) { - WOLFSSL_MSG("Found a session match"); - if (LowResTimer() < (current->bornOn + current->timeout)) { - WOLFSSL_MSG("Session valid"); - ret = current; - RestoreSession(ssl, ret, masterSecret, restoreSessionCerts); - } else { - WOLFSSL_MSG("Session timed out"); - } - break; /* no more sessionIDs whether valid or not that match */ - } else { - WOLFSSL_MSG("SessionID not a match at this idx"); - } - } - - wc_UnLockMutex(&session_mutex); - - return ret; -} - - -static int GetDeepCopySession(WOLFSSL* ssl, WOLFSSL_SESSION* copyFrom) -{ - WOLFSSL_SESSION* copyInto = &ssl->session; - void* tmpBuff = NULL; - int ticketLen = 0; - int doDynamicCopy = 0; - int ret = WOLFSSL_SUCCESS; - - (void)ticketLen; - (void)doDynamicCopy; - (void)tmpBuff; - - if (!ssl || !copyFrom) - return BAD_FUNC_ARG; - -#ifdef HAVE_SESSION_TICKET - /* Free old dynamic ticket if we had one to avoid leak */ - if (copyInto->isDynamic) { - XFREE(copyInto->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - copyInto->ticket = copyInto->staticTicket; - copyInto->isDynamic = 0; - } -#endif - - if (wc_LockMutex(&session_mutex) != 0) - return BAD_MUTEX_E; - -#ifdef HAVE_SESSION_TICKET - /* Size of ticket to alloc if needed; Use later for alloc outside lock */ - doDynamicCopy = copyFrom->isDynamic; - ticketLen = copyFrom->ticketLen; -#endif - - *copyInto = *copyFrom; - - /* Default ticket to non dynamic. This will avoid crash if we fail below */ -#ifdef HAVE_SESSION_TICKET - copyInto->ticket = copyInto->staticTicket; - copyInto->isDynamic = 0; -#endif - -#ifndef NO_RESUME_SUITE_CHECK - copyInto->cipherSuite0 = copyFrom->cipherSuite0; - copyInto->cipherSuite = copyFrom->cipherSuite; -#endif - - if (wc_UnLockMutex(&session_mutex) != 0) { - return BAD_MUTEX_E; - } - -#ifdef HAVE_SESSION_TICKET -#ifdef WOLFSSL_TLS13 - if (wc_LockMutex(&session_mutex) != 0) { - XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - return BAD_MUTEX_E; - } - -#ifdef NO_RESUME_SUITE_CHECK - copyInto->cipherSuite0 = copyFrom->cipherSuite0; - copyInto->cipherSuite = copyFrom->cipherSuite; -#endif - copyInto->namedGroup = copyFrom->namedGroup; - copyInto->ticketSeen = copyFrom->ticketSeen; - copyInto->ticketAdd = copyFrom->ticketAdd; -#ifndef WOLFSSL_TLS13_DRAFT_18 - XMEMCPY(©Into->ticketNonce, ©From->ticketNonce, - sizeof(TicketNonce)); -#endif -#ifdef WOLFSSL_EARLY_DATA - copyInto->maxEarlyDataSz = copyFrom->maxEarlyDataSz; -#endif - XMEMCPY(copyInto->masterSecret, copyFrom->masterSecret, SECRET_LEN); - - if (wc_UnLockMutex(&session_mutex) != 0) { - if (ret == WOLFSSL_SUCCESS) - ret = BAD_MUTEX_E; - } -#endif - /* If doing dynamic copy, need to alloc outside lock, then inside a lock - * confirm the size still matches and memcpy */ - if (doDynamicCopy) { - tmpBuff = (byte*)XMALLOC(ticketLen, ssl->heap, - DYNAMIC_TYPE_SESSION_TICK); - if (!tmpBuff) - return MEMORY_ERROR; - - if (wc_LockMutex(&session_mutex) != 0) { - XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - return BAD_MUTEX_E; - } - - if ((word16)ticketLen != copyFrom->ticketLen) { - /* Another thread modified the ssl-> session ticket during alloc. - * Treat as error, since ticket different than when copy requested */ - ret = VAR_STATE_CHANGE_E; - } - - if (ret == WOLFSSL_SUCCESS) { - copyInto->ticket = (byte*)tmpBuff; - copyInto->isDynamic = 1; - XMEMCPY(copyInto->ticket, copyFrom->ticket, ticketLen); - } - } else { - /* Need to ensure ticket pointer gets updated to own buffer - * and is not pointing to buff of session copied from */ - copyInto->ticket = copyInto->staticTicket; - } - - if (doDynamicCopy) { - if (wc_UnLockMutex(&session_mutex) != 0) { - if (ret == WOLFSSL_SUCCESS) - ret = BAD_MUTEX_E; - } - } - - if (ret != WOLFSSL_SUCCESS) { - /* cleanup */ - if (tmpBuff) - XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - copyInto->ticket = copyInto->staticTicket; - copyInto->isDynamic = 0; - } -#endif /* HAVE_SESSION_TICKET */ - return ret; -} - - -int SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session) -{ - if (ssl->options.sessionCacheOff) - return WOLFSSL_FAILURE; - -#ifdef OPENSSL_EXTRA - /* check for application context id */ - if (ssl->sessionCtxSz > 0) { - if (XMEMCMP(ssl->sessionCtx, session->sessionCtx, ssl->sessionCtxSz)) { - /* context id did not match! */ - WOLFSSL_MSG("Session context did not match"); - return SSL_FAILURE; - } - } -#endif /* OPENSSL_EXTRA */ - - if (LowResTimer() < (session->bornOn + session->timeout)) { - int ret = GetDeepCopySession(ssl, session); - if (ret == WOLFSSL_SUCCESS) { - ssl->options.resuming = 1; - -#if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \ - defined(HAVE_SESSION_TICKET)) - ssl->version = session->version; -#endif -#if defined(SESSION_CERTS) || !defined(NO_RESUME_SUITE_CHECK) || \ - (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) - ssl->options.cipherSuite0 = session->cipherSuite0; - ssl->options.cipherSuite = session->cipherSuite; -#endif - } - - return ret; - } - return WOLFSSL_FAILURE; /* session timed out */ -} - - -#ifdef WOLFSSL_SESSION_STATS -static int get_locked_session_stats(word32* active, word32* total, - word32* peak); -#endif - -int AddSession(WOLFSSL* ssl) -{ - word32 row = 0; - word32 idx = 0; - int error = 0; -#ifdef HAVE_SESSION_TICKET - byte* tmpBuff = NULL; - int ticLen = 0; -#endif - WOLFSSL_SESSION* session; - int i; - int overwrite = 0; - - if (ssl->options.sessionCacheOff) - return 0; - - if (ssl->options.haveSessionId == 0) - return 0; - -#ifdef HAVE_SESSION_TICKET - if (ssl->options.side == WOLFSSL_SERVER_END && ssl->options.useTicket == 1) - return 0; -#endif - -#ifdef HAVE_SESSION_TICKET - ticLen = ssl->session.ticketLen; - /* Alloc Memory here so if Malloc fails can exit outside of lock */ - if(ticLen > SESSION_TICKET_LEN) { - tmpBuff = (byte*)XMALLOC(ticLen, ssl->heap, - DYNAMIC_TYPE_SESSION_TICK); - if(!tmpBuff) - return MEMORY_E; - } -#endif - -#ifdef HAVE_EXT_CACHE - if (ssl->options.internalCacheOff) { - /* Create a new session object to be stored. */ - session = (WOLFSSL_SESSION*)XMALLOC(sizeof(WOLFSSL_SESSION), NULL, - DYNAMIC_TYPE_OPENSSL); - if (session == NULL) { -#ifdef HAVE_SESSION_TICKET - XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); -#endif - return MEMORY_E; - } - XMEMSET(session, 0, sizeof(WOLFSSL_SESSION)); - session->isAlloced = 1; - } - else -#endif - { - /* Use the session object in the cache for external cache if required. - */ -#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) - if (ssl->options.tls1_3) { - row = HashSession(ssl->session.sessionID, ID_LEN, &error) % - SESSION_ROWS; - } - else -#endif - { - row = HashSession(ssl->arrays->sessionID, ID_LEN, &error) % - SESSION_ROWS; - } - if (error != 0) { - WOLFSSL_MSG("Hash session failed"); -#ifdef HAVE_SESSION_TICKET - XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); -#endif - return error; - } - - if (wc_LockMutex(&session_mutex) != 0) { -#ifdef HAVE_SESSION_TICKET - XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); -#endif - return BAD_MUTEX_E; - } - - for (i=0; i<SESSIONS_PER_ROW; i++) { - if (ssl->options.tls1_3) { - if (XMEMCMP(ssl->session.sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { - WOLFSSL_MSG("Session already exists. Overwriting."); - overwrite = 1; - idx = i; - break; - } - } - else { - if (XMEMCMP(ssl->arrays->sessionID, SessionCache[row].Sessions[i].sessionID, ID_LEN) == 0) { - WOLFSSL_MSG("Session already exists. Overwriting."); - overwrite = 1; - idx = i; - break; - } - } - } - - if (!overwrite) { - idx = SessionCache[row].nextIdx++; - } -#ifdef SESSION_INDEX - ssl->sessionIndex = (row << SESSIDX_ROW_SHIFT) | idx; -#endif - session = &SessionCache[row].Sessions[idx]; - } - - if (!ssl->options.tls1_3) - XMEMCPY(session->masterSecret, ssl->arrays->masterSecret, SECRET_LEN); - else - XMEMCPY(session->masterSecret, ssl->session.masterSecret, SECRET_LEN); - session->haveEMS = ssl->options.haveEMS; -#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) - if (ssl->options.tls1_3) { - XMEMCPY(session->sessionID, ssl->session.sessionID, ID_LEN); - session->sessionIDSz = ID_LEN; - } - else -#endif - { - XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN); - session->sessionIDSz = ssl->arrays->sessionIDSz; - } - -#ifdef OPENSSL_EXTRA - /* If using compatibility layer then check for and copy over session context - * id. */ - if (ssl->sessionCtxSz > 0 && ssl->sessionCtxSz < ID_LEN) { - XMEMCPY(session->sessionCtx, ssl->sessionCtx, ssl->sessionCtxSz); - } -#endif - - session->timeout = ssl->timeout; - session->bornOn = LowResTimer(); - -#ifdef HAVE_SESSION_TICKET - /* Check if another thread modified ticket since alloc */ - if ((word16)ticLen != ssl->session.ticketLen) { - error = VAR_STATE_CHANGE_E; - } - - if (error == 0) { - /* Cleanup cache row's old Dynamic buff if exists */ - if(session->isDynamic) { - XFREE(session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - session->ticket = NULL; - } - - /* If too large to store in static buffer, use dyn buffer */ - if (ticLen > SESSION_TICKET_LEN) { - session->ticket = tmpBuff; - session->isDynamic = 1; - } else { - session->ticket = session->staticTicket; - session->isDynamic = 0; - } - - session->ticketLen = (word16)ticLen; - XMEMCPY(session->ticket, ssl->session.ticket, ticLen); - } else { /* cleanup, reset state */ - session->ticket = session->staticTicket; - session->isDynamic = 0; - session->ticketLen = 0; - if (tmpBuff) { - XFREE(tmpBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); - tmpBuff = NULL; - } - } -#endif - -#ifdef SESSION_CERTS - if (error == 0) { - if (!overwrite || ssl->session.chain.count > 0) { - /* - * If we are overwriting and no certs present in ssl->session.chain - * then keep the old chain. - */ - session->chain.count = ssl->session.chain.count; - XMEMCPY(session->chain.certs, ssl->session.chain.certs, - sizeof(x509_buffer) * session->chain.count); - } - } -#endif /* SESSION_CERTS */ -#if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \ - defined(HAVE_SESSION_TICKET)) - if (error == 0) { - session->version = ssl->version; - } -#endif /* SESSION_CERTS || (WOLFSSL_TLS13 & HAVE_SESSION_TICKET) */ -#if defined(SESSION_CERTS) || !defined(NO_RESUME_SUITE_CHECK) || \ - (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) - if (error == 0) { - session->cipherSuite0 = ssl->options.cipherSuite0; - session->cipherSuite = ssl->options.cipherSuite; - } -#endif -#if defined(WOLFSSL_TLS13) - if (error == 0) { - session->namedGroup = ssl->session.namedGroup; - } -#endif -#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) - if (error == 0) { - session->ticketSeen = ssl->session.ticketSeen; - session->ticketAdd = ssl->session.ticketAdd; -#ifndef WOLFSSL_TLS13_DRAFT_18 - XMEMCPY(&session->ticketNonce, &ssl->session.ticketNonce, - sizeof(TicketNonce)); -#endif - #ifdef WOLFSSL_EARLY_DATA - session->maxEarlyDataSz = ssl->session.maxEarlyDataSz; - #endif - } -#endif /* WOLFSSL_TLS13 && HAVE_SESSION_TICKET */ -#ifdef HAVE_EXT_CACHE - if (!ssl->options.internalCacheOff) -#endif - { - if (error == 0) { - SessionCache[row].totalCount++; - if (SessionCache[row].nextIdx == SESSIONS_PER_ROW) - SessionCache[row].nextIdx = 0; - } - } -#ifndef NO_CLIENT_CACHE - if (error == 0) { - if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->session.idLen) { - word32 clientRow, clientIdx; - - WOLFSSL_MSG("Adding client cache entry"); - - session->idLen = ssl->session.idLen; - XMEMCPY(session->serverID, ssl->session.serverID, - ssl->session.idLen); - -#ifdef HAVE_EXT_CACHE - if (!ssl->options.internalCacheOff) -#endif - { - clientRow = HashSession(ssl->session.serverID, - ssl->session.idLen, &error) % SESSION_ROWS; - if (error != 0) { - WOLFSSL_MSG("Hash session failed"); - } else { - clientIdx = ClientCache[clientRow].nextIdx++; - - ClientCache[clientRow].Clients[clientIdx].serverRow = - (word16)row; - ClientCache[clientRow].Clients[clientIdx].serverIdx = - (word16)idx; - - ClientCache[clientRow].totalCount++; - if (ClientCache[clientRow].nextIdx == SESSIONS_PER_ROW) - ClientCache[clientRow].nextIdx = 0; - } - } - } - else - session->idLen = 0; - } -#endif /* NO_CLIENT_CACHE */ - -#if defined(WOLFSSL_SESSION_STATS) && defined(WOLFSSL_PEAK_SESSIONS) -#ifdef HAVE_EXT_CACHE - if (!ssl->options.internalCacheOff) -#endif - { - if (error == 0) { - word32 active = 0; - - error = get_locked_session_stats(&active, NULL, NULL); - if (error == WOLFSSL_SUCCESS) { - error = 0; /* back to this function ok */ - - if (active > PeakSessions) - PeakSessions = active; - } - } - } -#endif /* defined(WOLFSSL_SESSION_STATS) && defined(WOLFSSL_PEAK_SESSIONS) */ - -#ifdef HAVE_EXT_CACHE - if (!ssl->options.internalCacheOff) -#endif - { - if (wc_UnLockMutex(&session_mutex) != 0) - return BAD_MUTEX_E; - } - -#ifdef HAVE_EXT_CACHE - if (error == 0 && ssl->ctx->new_sess_cb != NULL) - ssl->ctx->new_sess_cb(ssl, session); - if (ssl->options.internalCacheOff) - wolfSSL_SESSION_free(session); -#endif - - return error; -} - - -#ifdef SESSION_INDEX - -int wolfSSL_GetSessionIndex(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_GetSessionIndex"); - WOLFSSL_LEAVE("wolfSSL_GetSessionIndex", ssl->sessionIndex); - return ssl->sessionIndex; -} - - -int wolfSSL_GetSessionAtIndex(int idx, WOLFSSL_SESSION* session) -{ - int row, col, result = WOLFSSL_FAILURE; - - WOLFSSL_ENTER("wolfSSL_GetSessionAtIndex"); - - row = idx >> SESSIDX_ROW_SHIFT; - col = idx & SESSIDX_IDX_MASK; - - if (wc_LockMutex(&session_mutex) != 0) { - return BAD_MUTEX_E; - } - - if (row < SESSION_ROWS && - col < (int)min(SessionCache[row].totalCount, SESSIONS_PER_ROW)) { - XMEMCPY(session, - &SessionCache[row].Sessions[col], sizeof(WOLFSSL_SESSION)); - result = WOLFSSL_SUCCESS; - } - - if (wc_UnLockMutex(&session_mutex) != 0) - result = BAD_MUTEX_E; - - WOLFSSL_LEAVE("wolfSSL_GetSessionAtIndex", result); - return result; -} - -#endif /* SESSION_INDEX */ - -#if defined(SESSION_CERTS) - -WOLFSSL_X509_CHAIN* wolfSSL_SESSION_get_peer_chain(WOLFSSL_SESSION* session) -{ - WOLFSSL_X509_CHAIN* chain = NULL; - - WOLFSSL_ENTER("wolfSSL_SESSION_get_peer_chain"); - if (session) - chain = &session->chain; - - WOLFSSL_LEAVE("wolfSSL_SESSION_get_peer_chain", chain ? 1 : 0); - return chain; -} - - -#ifdef OPENSSL_EXTRA -/* gets the peer certificate associated with the session passed in - * returns null on failure, the caller should not free the returned pointer */ -WOLFSSL_X509* wolfSSL_SESSION_get0_peer(WOLFSSL_SESSION* session) -{ - WOLFSSL_ENTER("wolfSSL_SESSION_get_peer_chain"); - if (session) { - int count; - - count = wolfSSL_get_chain_count(&session->chain); - if (count < 1 || count >= MAX_CHAIN_DEPTH) { - WOLFSSL_MSG("bad count found"); - return NULL; - } - - if (session->peer == NULL) { - session->peer = wolfSSL_get_chain_X509(&session->chain, 0); - } - return session->peer; - } - WOLFSSL_MSG("No session passed in"); - - return NULL; -} -#endif /* OPENSSL_EXTRA */ -#endif /* SESSION_INDEX && SESSION_CERTS */ - - -#ifdef WOLFSSL_SESSION_STATS - -/* requires session_mutex lock held, WOLFSSL_SUCCESS on ok */ -static int get_locked_session_stats(word32* active, word32* total, word32* peak) -{ - int result = WOLFSSL_SUCCESS; - int i; - int count; - int idx; - word32 now = 0; - word32 seen = 0; - word32 ticks = LowResTimer(); - - (void)peak; - - WOLFSSL_ENTER("get_locked_session_stats"); - - for (i = 0; i < SESSION_ROWS; i++) { - seen += SessionCache[i].totalCount; - - if (active == NULL) - continue; /* no need to calculate what we can't set */ - - count = min((word32)SessionCache[i].totalCount, SESSIONS_PER_ROW); - idx = SessionCache[i].nextIdx - 1; - if (idx < 0) - idx = SESSIONS_PER_ROW - 1; /* if back to front previous was end */ - - for (; count > 0; --count, idx = idx ? idx - 1 : SESSIONS_PER_ROW - 1) { - if (idx >= SESSIONS_PER_ROW || idx < 0) { /* sanity check */ - WOLFSSL_MSG("Bad idx"); - break; - } - - /* if not expired then good */ - if (ticks < (SessionCache[i].Sessions[idx].bornOn + - SessionCache[i].Sessions[idx].timeout) ) { - now++; - } - } - } - - if (active) - *active = now; - - if (total) - *total = seen; - -#ifdef WOLFSSL_PEAK_SESSIONS - if (peak) - *peak = PeakSessions; -#endif - - WOLFSSL_LEAVE("get_locked_session_stats", result); - - return result; -} - - -/* return WOLFSSL_SUCCESS on ok */ -int wolfSSL_get_session_stats(word32* active, word32* total, word32* peak, - word32* maxSessions) -{ - int result = WOLFSSL_SUCCESS; - - WOLFSSL_ENTER("wolfSSL_get_session_stats"); - - if (maxSessions) { - *maxSessions = SESSIONS_PER_ROW * SESSION_ROWS; - - if (active == NULL && total == NULL && peak == NULL) - return result; /* we're done */ - } - - /* user must provide at least one query value */ - if (active == NULL && total == NULL && peak == NULL) - return BAD_FUNC_ARG; - - if (wc_LockMutex(&session_mutex) != 0) { - return BAD_MUTEX_E; - } - - result = get_locked_session_stats(active, total, peak); - - if (wc_UnLockMutex(&session_mutex) != 0) - result = BAD_MUTEX_E; - - WOLFSSL_LEAVE("wolfSSL_get_session_stats", result); - - return result; -} - -#endif /* WOLFSSL_SESSION_STATS */ - - - #ifdef PRINT_SESSION_STATS - - /* WOLFSSL_SUCCESS on ok */ - int wolfSSL_PrintSessionStats(void) - { - word32 totalSessionsSeen = 0; - word32 totalSessionsNow = 0; - word32 peak = 0; - word32 maxSessions = 0; - int i; - int ret; - double E; /* expected freq */ - double chiSquare = 0; - - ret = wolfSSL_get_session_stats(&totalSessionsNow, &totalSessionsSeen, - &peak, &maxSessions); - if (ret != WOLFSSL_SUCCESS) - return ret; - printf("Total Sessions Seen = %d\n", totalSessionsSeen); - printf("Total Sessions Now = %d\n", totalSessionsNow); -#ifdef WOLFSSL_PEAK_SESSIONS - printf("Peak Sessions = %d\n", peak); -#endif - printf("Max Sessions = %d\n", maxSessions); - - E = (double)totalSessionsSeen / SESSION_ROWS; - - for (i = 0; i < SESSION_ROWS; i++) { - double diff = SessionCache[i].totalCount - E; - diff *= diff; /* square */ - diff /= E; /* normalize */ - - chiSquare += diff; - } - printf(" chi-square = %5.1f, d.f. = %d\n", chiSquare, - SESSION_ROWS - 1); - #if (SESSION_ROWS == 11) - printf(" .05 p value = 18.3, chi-square should be less\n"); - #elif (SESSION_ROWS == 211) - printf(".05 p value = 244.8, chi-square should be less\n"); - #elif (SESSION_ROWS == 5981) - printf(".05 p value = 6161.0, chi-square should be less\n"); - #elif (SESSION_ROWS == 3) - printf(".05 p value = 6.0, chi-square should be less\n"); - #elif (SESSION_ROWS == 2861) - printf(".05 p value = 2985.5, chi-square should be less\n"); - #endif - printf("\n"); - - return ret; - } - - #endif /* SESSION_STATS */ - -#else /* NO_SESSION_CACHE */ - -/* No session cache version */ -WOLFSSL_SESSION* GetSession(WOLFSSL* ssl, byte* masterSecret, - byte restoreSessionCerts) -{ - (void)ssl; - (void)masterSecret; - (void)restoreSessionCerts; - - return NULL; -} - -#endif /* NO_SESSION_CACHE */ - - -/* call before SSL_connect, if verifying will add name check to - date check and signature check */ -WOLFSSL_ABI -int wolfSSL_check_domain_name(WOLFSSL* ssl, const char* dn) -{ - WOLFSSL_ENTER("wolfSSL_check_domain_name"); - - if (ssl == NULL || dn == NULL) { - WOLFSSL_MSG("Bad function argument: NULL"); - return WOLFSSL_FAILURE; - } - - if (ssl->buffers.domainName.buffer) - XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); - - ssl->buffers.domainName.length = (word32)XSTRLEN(dn); - ssl->buffers.domainName.buffer = (byte*)XMALLOC( - ssl->buffers.domainName.length + 1, ssl->heap, DYNAMIC_TYPE_DOMAIN); - - if (ssl->buffers.domainName.buffer) { - unsigned char* domainName = ssl->buffers.domainName.buffer; - XMEMCPY(domainName, dn, ssl->buffers.domainName.length); - domainName[ssl->buffers.domainName.length] = '\0'; - return WOLFSSL_SUCCESS; - } - else { - ssl->error = MEMORY_ERROR; - return WOLFSSL_FAILURE; - } -} - - -/* turn on wolfSSL zlib compression - returns WOLFSSL_SUCCESS for success, else error (not built in) -*/ -int wolfSSL_set_compression(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_set_compression"); - (void)ssl; -#ifdef HAVE_LIBZ - ssl->options.usingCompression = 1; - return WOLFSSL_SUCCESS; -#else - return NOT_COMPILED_IN; -#endif -} - - -#ifndef USE_WINDOWS_API - #ifndef NO_WRITEV - - /* simulate writev semantics, doesn't actually do block at a time though - because of SSL_write behavior and because front adds may be small */ - int wolfSSL_writev(WOLFSSL* ssl, const struct iovec* iov, int iovcnt) - { - #ifdef WOLFSSL_SMALL_STACK - byte staticBuffer[1]; /* force heap usage */ - #else - byte staticBuffer[FILE_BUFFER_SIZE]; - #endif - byte* myBuffer = staticBuffer; - int dynamic = 0; - int sending = 0; - int idx = 0; - int i; - int ret; - - WOLFSSL_ENTER("wolfSSL_writev"); - - for (i = 0; i < iovcnt; i++) - sending += (int)iov[i].iov_len; - - if (sending > (int)sizeof(staticBuffer)) { - myBuffer = (byte*)XMALLOC(sending, ssl->heap, - DYNAMIC_TYPE_WRITEV); - if (!myBuffer) - return MEMORY_ERROR; - - dynamic = 1; - } - - for (i = 0; i < iovcnt; i++) { - XMEMCPY(&myBuffer[idx], iov[i].iov_base, iov[i].iov_len); - idx += (int)iov[i].iov_len; - } - - ret = wolfSSL_write(ssl, myBuffer, sending); - - if (dynamic) - XFREE(myBuffer, ssl->heap, DYNAMIC_TYPE_WRITEV); - - return ret; - } - #endif -#endif - - -#ifdef WOLFSSL_CALLBACKS - - typedef struct itimerval Itimerval; - - /* don't keep calling simple functions while setting up timer and signals - if no inlining these are the next best */ - - #define AddTimes(a, b, c) \ - do { \ - c.tv_sec = a.tv_sec + b.tv_sec; \ - c.tv_usec = a.tv_usec + b.tv_usec; \ - if (c.tv_usec >= 1000000) { \ - c.tv_sec++; \ - c.tv_usec -= 1000000; \ - } \ - } while (0) - - - #define SubtractTimes(a, b, c) \ - do { \ - c.tv_sec = a.tv_sec - b.tv_sec; \ - c.tv_usec = a.tv_usec - b.tv_usec; \ - if (c.tv_usec < 0) { \ - c.tv_sec--; \ - c.tv_usec += 1000000; \ - } \ - } while (0) - - #define CmpTimes(a, b, cmp) \ - ((a.tv_sec == b.tv_sec) ? \ - (a.tv_usec cmp b.tv_usec) : \ - (a.tv_sec cmp b.tv_sec)) \ - - - /* do nothing handler */ - static void myHandler(int signo) - { - (void)signo; - return; - } - - - static int wolfSSL_ex_wrapper(WOLFSSL* ssl, HandShakeCallBack hsCb, - TimeoutCallBack toCb, WOLFSSL_TIMEVAL timeout) - { - int ret = WOLFSSL_FATAL_ERROR; - int oldTimerOn = 0; /* was timer already on */ - WOLFSSL_TIMEVAL startTime; - WOLFSSL_TIMEVAL endTime; - WOLFSSL_TIMEVAL totalTime; - Itimerval myTimeout; - Itimerval oldTimeout; /* if old timer adjust from total time to reset */ - struct sigaction act, oact; - - #define ERR_OUT(x) { ssl->hsInfoOn = 0; ssl->toInfoOn = 0; return x; } - - if (hsCb) { - ssl->hsInfoOn = 1; - InitHandShakeInfo(&ssl->handShakeInfo, ssl); - } - if (toCb) { - ssl->toInfoOn = 1; - InitTimeoutInfo(&ssl->timeoutInfo); - - if (gettimeofday(&startTime, 0) < 0) - ERR_OUT(GETTIME_ERROR); - - /* use setitimer to simulate getitimer, init 0 myTimeout */ - myTimeout.it_interval.tv_sec = 0; - myTimeout.it_interval.tv_usec = 0; - myTimeout.it_value.tv_sec = 0; - myTimeout.it_value.tv_usec = 0; - if (setitimer(ITIMER_REAL, &myTimeout, &oldTimeout) < 0) - ERR_OUT(SETITIMER_ERROR); - - if (oldTimeout.it_value.tv_sec || oldTimeout.it_value.tv_usec) { - oldTimerOn = 1; - - /* is old timer going to expire before ours */ - if (CmpTimes(oldTimeout.it_value, timeout, <)) { - timeout.tv_sec = oldTimeout.it_value.tv_sec; - timeout.tv_usec = oldTimeout.it_value.tv_usec; - } - } - myTimeout.it_value.tv_sec = timeout.tv_sec; - myTimeout.it_value.tv_usec = timeout.tv_usec; - - /* set up signal handler, don't restart socket send/recv */ - act.sa_handler = myHandler; - sigemptyset(&act.sa_mask); - act.sa_flags = 0; -#ifdef SA_INTERRUPT - act.sa_flags |= SA_INTERRUPT; -#endif - if (sigaction(SIGALRM, &act, &oact) < 0) - ERR_OUT(SIGACT_ERROR); - - if (setitimer(ITIMER_REAL, &myTimeout, 0) < 0) - ERR_OUT(SETITIMER_ERROR); - } - - /* do main work */ -#ifndef NO_WOLFSSL_CLIENT - if (ssl->options.side == WOLFSSL_CLIENT_END) - ret = wolfSSL_connect(ssl); -#endif -#ifndef NO_WOLFSSL_SERVER - if (ssl->options.side == WOLFSSL_SERVER_END) - ret = wolfSSL_accept(ssl); -#endif - - /* do callbacks */ - if (toCb) { - if (oldTimerOn) { - gettimeofday(&endTime, 0); - SubtractTimes(endTime, startTime, totalTime); - /* adjust old timer for elapsed time */ - if (CmpTimes(totalTime, oldTimeout.it_value, <)) - SubtractTimes(oldTimeout.it_value, totalTime, - oldTimeout.it_value); - else { - /* reset value to interval, may be off */ - oldTimeout.it_value.tv_sec = oldTimeout.it_interval.tv_sec; - oldTimeout.it_value.tv_usec =oldTimeout.it_interval.tv_usec; - } - /* keep iter the same whether there or not */ - } - /* restore old handler */ - if (sigaction(SIGALRM, &oact, 0) < 0) - ret = SIGACT_ERROR; /* more pressing error, stomp */ - else - /* use old settings which may turn off (expired or not there) */ - if (setitimer(ITIMER_REAL, &oldTimeout, 0) < 0) - ret = SETITIMER_ERROR; - - /* if we had a timeout call callback */ - if (ssl->timeoutInfo.timeoutName[0]) { - ssl->timeoutInfo.timeoutValue.tv_sec = timeout.tv_sec; - ssl->timeoutInfo.timeoutValue.tv_usec = timeout.tv_usec; - (toCb)(&ssl->timeoutInfo); - } - /* clean up */ - FreeTimeoutInfo(&ssl->timeoutInfo, ssl->heap); - ssl->toInfoOn = 0; - } - if (hsCb) { - FinishHandShakeInfo(&ssl->handShakeInfo); - (hsCb)(&ssl->handShakeInfo); - ssl->hsInfoOn = 0; - } - return ret; - } - - -#ifndef NO_WOLFSSL_CLIENT - - int wolfSSL_connect_ex(WOLFSSL* ssl, HandShakeCallBack hsCb, - TimeoutCallBack toCb, WOLFSSL_TIMEVAL timeout) - { - WOLFSSL_ENTER("wolfSSL_connect_ex"); - return wolfSSL_ex_wrapper(ssl, hsCb, toCb, timeout); - } - -#endif - - -#ifndef NO_WOLFSSL_SERVER - - int wolfSSL_accept_ex(WOLFSSL* ssl, HandShakeCallBack hsCb, - TimeoutCallBack toCb, WOLFSSL_TIMEVAL timeout) - { - WOLFSSL_ENTER("wolfSSL_accept_ex"); - return wolfSSL_ex_wrapper(ssl, hsCb, toCb, timeout); - } - -#endif - -#endif /* WOLFSSL_CALLBACKS */ - - -#ifndef NO_PSK - - void wolfSSL_CTX_set_psk_client_callback(WOLFSSL_CTX* ctx, - wc_psk_client_callback cb) - { - WOLFSSL_ENTER("SSL_CTX_set_psk_client_callback"); - - if (ctx == NULL) - return; - - ctx->havePSK = 1; - ctx->client_psk_cb = cb; - } - - - void wolfSSL_set_psk_client_callback(WOLFSSL* ssl,wc_psk_client_callback cb) - { - byte haveRSA = 1; - int keySz = 0; - - WOLFSSL_ENTER("SSL_set_psk_client_callback"); - - if (ssl == NULL) - return; - - ssl->options.havePSK = 1; - ssl->options.client_psk_cb = cb; - - #ifdef NO_RSA - haveRSA = 0; - #endif - #ifndef NO_CERTS - keySz = ssl->buffers.keySz; - #endif - InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - } - - - void wolfSSL_CTX_set_psk_server_callback(WOLFSSL_CTX* ctx, - wc_psk_server_callback cb) - { - WOLFSSL_ENTER("SSL_CTX_set_psk_server_callback"); - if (ctx == NULL) - return; - ctx->havePSK = 1; - ctx->server_psk_cb = cb; - } - - - void wolfSSL_set_psk_server_callback(WOLFSSL* ssl,wc_psk_server_callback cb) - { - byte haveRSA = 1; - int keySz = 0; - - WOLFSSL_ENTER("SSL_set_psk_server_callback"); - if (ssl == NULL) - return; - - ssl->options.havePSK = 1; - ssl->options.server_psk_cb = cb; - - #ifdef NO_RSA - haveRSA = 0; - #endif - #ifndef NO_CERTS - keySz = ssl->buffers.keySz; - #endif - InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - } - - - const char* wolfSSL_get_psk_identity_hint(const WOLFSSL* ssl) - { - WOLFSSL_ENTER("SSL_get_psk_identity_hint"); - - if (ssl == NULL || ssl->arrays == NULL) - return NULL; - - return ssl->arrays->server_hint; - } - - - const char* wolfSSL_get_psk_identity(const WOLFSSL* ssl) - { - WOLFSSL_ENTER("SSL_get_psk_identity"); - - if (ssl == NULL || ssl->arrays == NULL) - return NULL; - - return ssl->arrays->client_identity; - } - - - int wolfSSL_CTX_use_psk_identity_hint(WOLFSSL_CTX* ctx, const char* hint) - { - WOLFSSL_ENTER("SSL_CTX_use_psk_identity_hint"); - if (hint == 0) - ctx->server_hint[0] = '\0'; - else { - /* Qt does not call CTX_set_*_psk_callbacks where havePSK is set */ - #ifdef WOLFSSL_QT - ctx->havePSK=1; - #endif - XSTRNCPY(ctx->server_hint, hint, MAX_PSK_ID_LEN); - ctx->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */ - } - return WOLFSSL_SUCCESS; - } - - - int wolfSSL_use_psk_identity_hint(WOLFSSL* ssl, const char* hint) - { - WOLFSSL_ENTER("SSL_use_psk_identity_hint"); - - if (ssl == NULL || ssl->arrays == NULL) - return WOLFSSL_FAILURE; - - if (hint == 0) - ssl->arrays->server_hint[0] = 0; - else { - XSTRNCPY(ssl->arrays->server_hint, hint, - sizeof(ssl->arrays->server_hint)-1); - ssl->arrays->server_hint[sizeof(ssl->arrays->server_hint)-1] = '\0'; - } - return WOLFSSL_SUCCESS; - } - -#endif /* NO_PSK */ - - -#ifdef HAVE_ANON - - int wolfSSL_CTX_allow_anon_cipher(WOLFSSL_CTX* ctx) - { - WOLFSSL_ENTER("wolfSSL_CTX_allow_anon_cipher"); - - if (ctx == NULL) - return WOLFSSL_FAILURE; - - ctx->haveAnon = 1; - - return WOLFSSL_SUCCESS; - } - -#endif /* HAVE_ANON */ - - -#ifndef NO_CERTS -/* used to be defined on NO_FILESYSTEM only, but are generally useful */ - - int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, - const unsigned char* in, - long sz, int format, int userChain, - word32 flags) - { - int verify; - - WOLFSSL_ENTER("wolfSSL_CTX_load_verify_buffer_ex"); - - verify = GET_VERIFY_SETTING_CTX(ctx); - if (flags & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) - verify = VERIFY_SKIP_DATE; - - if (format == WOLFSSL_FILETYPE_PEM) - return ProcessChainBuffer(ctx, in, sz, format, CA_TYPE, NULL, - verify); - else - return ProcessBuffer(ctx, in, sz, format, CA_TYPE, NULL, NULL, - userChain, verify); - } - - /* wolfSSL extension allows DER files to be loaded from buffers as well */ - int wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, - const unsigned char* in, - long sz, int format) - { - return wolfSSL_CTX_load_verify_buffer_ex(ctx, in, sz, format, 0, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS); - } - - int wolfSSL_CTX_load_verify_chain_buffer_format(WOLFSSL_CTX* ctx, - const unsigned char* in, - long sz, int format) - { - return wolfSSL_CTX_load_verify_buffer_ex(ctx, in, sz, format, 1, - WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS); - } - - -#ifdef WOLFSSL_TRUST_PEER_CERT - int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx, - const unsigned char* in, - long sz, int format) - { - WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_buffer"); - - /* sanity check on arguments */ - if (sz < 0 || in == NULL || ctx == NULL) { - return BAD_FUNC_ARG; - } - - if (format == WOLFSSL_FILETYPE_PEM) - return ProcessChainBuffer(ctx, in, sz, format, TRUSTED_PEER_TYPE, - NULL, GET_VERIFY_SETTING_CTX(ctx)); - else - return ProcessBuffer(ctx, in, sz, format, TRUSTED_PEER_TYPE, NULL, - NULL, 0, GET_VERIFY_SETTING_CTX(ctx)); - } -#endif /* WOLFSSL_TRUST_PEER_CERT */ - - - int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx, - const unsigned char* in, long sz, int format) - { - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_buffer"); - return ProcessBuffer(ctx, in, sz, format, CERT_TYPE, NULL, NULL, 0, - GET_VERIFY_SETTING_CTX(ctx)); - } - - - int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, - const unsigned char* in, long sz, int format) - { - WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_buffer"); - return ProcessBuffer(ctx, in, sz, format, PRIVATEKEY_TYPE, NULL, NULL, - 0, GET_VERIFY_SETTING_CTX(ctx)); - } - -#ifdef HAVE_PKCS11 - int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id, - long sz, int devId, long keySz) - { - int ret = WOLFSSL_FAILURE; - - FreeDer(&ctx->privateKey); - if (AllocDer(&ctx->privateKey, (word32)sz, PRIVATEKEY_TYPE, - ctx->heap) == 0) { - XMEMCPY(ctx->privateKey->buffer, id, sz); - ctx->privateKeyId = 1; - ctx->privateKeySz = (word32)keySz; - if (devId != INVALID_DEVID) - ctx->privateKeyDevId = devId; - else - ctx->privateKeyDevId = ctx->devId; - - ret = WOLFSSL_SUCCESS; - } - - return ret; - } -#endif - - int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx, - const unsigned char* in, long sz, int format) - { - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_buffer_format"); - return ProcessBuffer(ctx, in, sz, format, CERT_TYPE, NULL, NULL, 1, - GET_VERIFY_SETTING_CTX(ctx)); - } - - int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX* ctx, - const unsigned char* in, long sz) - { - return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, in, sz, - WOLFSSL_FILETYPE_PEM); - } - - -#ifndef NO_DH - - /* server wrapper for ctx or ssl Diffie-Hellman parameters */ - static int wolfSSL_SetTmpDH_buffer_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl, - const unsigned char* buf, - long sz, int format) - { - DerBuffer* der = NULL; - int ret = 0; - word32 pSz = MAX_DH_SIZE; - word32 gSz = MAX_DH_SIZE; - #ifdef WOLFSSL_SMALL_STACK - byte* p = NULL; - byte* g = NULL; - #else - byte p[MAX_DH_SIZE]; - byte g[MAX_DH_SIZE]; - #endif - - if (ctx == NULL || buf == NULL) - return BAD_FUNC_ARG; - - ret = AllocDer(&der, 0, DH_PARAM_TYPE, ctx->heap); - if (ret != 0) { - return ret; - } - der->buffer = (byte*)buf; - der->length = (word32)sz; - - #ifdef WOLFSSL_SMALL_STACK - p = (byte*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - g = (byte*)XMALLOC(gSz, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - - if (p == NULL || g == NULL) { - XFREE(p, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - XFREE(g, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - return MEMORY_E; - } - #endif - - if (format != WOLFSSL_FILETYPE_ASN1 && format != WOLFSSL_FILETYPE_PEM) - ret = WOLFSSL_BAD_FILETYPE; - else { - if (format == WOLFSSL_FILETYPE_PEM) { -#ifdef WOLFSSL_PEM_TO_DER - FreeDer(&der); - ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap, - NULL, NULL); - #ifdef WOLFSSL_WPAS - #ifndef NO_DSA - if (ret < 0) { - ret = PemToDer(buf, sz, DSA_PARAM_TYPE, &der, ctx->heap, - NULL, NULL); - } - #endif - #endif /* WOLFSSL_WPAS */ -#else - ret = NOT_COMPILED_IN; -#endif /* WOLFSSL_PEM_TO_DER */ - } - - if (ret == 0) { - if (wc_DhParamsLoad(der->buffer, der->length, p, &pSz, g, &gSz) < 0) - ret = WOLFSSL_BAD_FILETYPE; - else if (ssl) - ret = wolfSSL_SetTmpDH(ssl, p, pSz, g, gSz); - else - ret = wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz); - } - } - - FreeDer(&der); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(p, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - XFREE(g, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - #endif - - return ret; - } - - - /* server Diffie-Hellman parameters, WOLFSSL_SUCCESS on ok */ - int wolfSSL_SetTmpDH_buffer(WOLFSSL* ssl, const unsigned char* buf, long sz, - int format) - { - if (ssl == NULL) - return BAD_FUNC_ARG; - - return wolfSSL_SetTmpDH_buffer_wrapper(ssl->ctx, ssl, buf, sz, format); - } - - - /* server ctx Diffie-Hellman parameters, WOLFSSL_SUCCESS on ok */ - int wolfSSL_CTX_SetTmpDH_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf, - long sz, int format) - { - return wolfSSL_SetTmpDH_buffer_wrapper(ctx, NULL, buf, sz, format); - } - -#endif /* NO_DH */ - - - int wolfSSL_use_certificate_buffer(WOLFSSL* ssl, - const unsigned char* in, long sz, int format) - { - WOLFSSL_ENTER("wolfSSL_use_certificate_buffer"); - if (ssl == NULL) - return BAD_FUNC_ARG; - - return ProcessBuffer(ssl->ctx, in, sz, format, CERT_TYPE, ssl, NULL, 0, - GET_VERIFY_SETTING_SSL(ssl)); - } - - - int wolfSSL_use_PrivateKey_buffer(WOLFSSL* ssl, - const unsigned char* in, long sz, int format) - { - WOLFSSL_ENTER("wolfSSL_use_PrivateKey_buffer"); - if (ssl == NULL) - return BAD_FUNC_ARG; - - return ProcessBuffer(ssl->ctx, in, sz, format, PRIVATEKEY_TYPE, - ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl)); - } - -#ifdef HAVE_PKCS11 - int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id, - long sz, int devId, long keySz) - { - int ret = WOLFSSL_FAILURE; - - if (ssl->buffers.weOwnKey) - FreeDer(&ssl->buffers.key); - if (AllocDer(&ssl->buffers.key, (word32)sz, PRIVATEKEY_TYPE, - ssl->heap) == 0) { - XMEMCPY(ssl->buffers.key->buffer, id, sz); - ssl->buffers.weOwnKey = 1; - ssl->buffers.keyId = 1; - ssl->buffers.keySz = (word32)keySz; - if (devId != INVALID_DEVID) - ssl->buffers.keyDevId = devId; - else - ssl->buffers.keyDevId = ssl->devId; - - ret = WOLFSSL_SUCCESS; - } - - return ret; - } -#endif - - int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl, - const unsigned char* in, long sz, int format) - { - WOLFSSL_ENTER("wolfSSL_use_certificate_chain_buffer_format"); - if (ssl == NULL) - return BAD_FUNC_ARG; - - return ProcessBuffer(ssl->ctx, in, sz, format, CERT_TYPE, - ssl, NULL, 1, GET_VERIFY_SETTING_SSL(ssl)); - } - - int wolfSSL_use_certificate_chain_buffer(WOLFSSL* ssl, - const unsigned char* in, long sz) - { - return wolfSSL_use_certificate_chain_buffer_format(ssl, in, sz, - WOLFSSL_FILETYPE_PEM); - } - - - /* unload any certs or keys that SSL owns, leave CTX as is - WOLFSSL_SUCCESS on ok */ - int wolfSSL_UnloadCertsKeys(WOLFSSL* ssl) - { - if (ssl == NULL) { - WOLFSSL_MSG("Null function arg"); - return BAD_FUNC_ARG; - } - - if (ssl->buffers.weOwnCert && !ssl->keepCert) { - WOLFSSL_MSG("Unloading cert"); - FreeDer(&ssl->buffers.certificate); - #ifdef KEEP_OUR_CERT - FreeX509(ssl->ourCert); - if (ssl->ourCert) { - XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509); - ssl->ourCert = NULL; - } - #endif - ssl->buffers.weOwnCert = 0; - } - - if (ssl->buffers.weOwnCertChain) { - WOLFSSL_MSG("Unloading cert chain"); - FreeDer(&ssl->buffers.certChain); - ssl->buffers.weOwnCertChain = 0; - } - - if (ssl->buffers.weOwnKey) { - WOLFSSL_MSG("Unloading key"); - FreeDer(&ssl->buffers.key); - ssl->buffers.weOwnKey = 0; - } - - return WOLFSSL_SUCCESS; - } - - - int wolfSSL_CTX_UnloadCAs(WOLFSSL_CTX* ctx) - { - WOLFSSL_ENTER("wolfSSL_CTX_UnloadCAs"); - - if (ctx == NULL) - return BAD_FUNC_ARG; - - return wolfSSL_CertManagerUnloadCAs(ctx->cm); - } - - -#ifdef WOLFSSL_TRUST_PEER_CERT - int wolfSSL_CTX_Unload_trust_peers(WOLFSSL_CTX* ctx) - { - WOLFSSL_ENTER("wolfSSL_CTX_Unload_trust_peers"); - - if (ctx == NULL) - return BAD_FUNC_ARG; - - return wolfSSL_CertManagerUnload_trust_peers(ctx->cm); - } -#endif /* WOLFSSL_TRUST_PEER_CERT */ -/* old NO_FILESYSTEM end */ -#endif /* !NO_CERTS */ - - -#ifdef OPENSSL_EXTRA - - int wolfSSL_add_all_algorithms(void) - { - WOLFSSL_ENTER("wolfSSL_add_all_algorithms"); - if (wolfSSL_Init() == WOLFSSL_SUCCESS) - return WOLFSSL_SUCCESS; - else - return WOLFSSL_FATAL_ERROR; - } - - int wolfSSL_OpenSSL_add_all_algorithms_noconf(void) - { - WOLFSSL_ENTER("wolfSSL_OpenSSL_add_all_algorithms_noconf"); - - if (wolfSSL_add_all_algorithms() == WOLFSSL_FATAL_ERROR) - return WOLFSSL_FATAL_ERROR; - - return WOLFSSL_SUCCESS; - } - - int wolfSSL_OpenSSL_add_all_algorithms_conf(void) - { - WOLFSSL_ENTER("wolfSSL_OpenSSL_add_all_algorithms_conf"); - /* This function is currently the same as - wolfSSL_OpenSSL_add_all_algorithms_noconf since we do not employ - the use of a wolfssl.cnf type configuration file and is only used for - OpenSSL compatability. */ - - if (wolfSSL_add_all_algorithms() == WOLFSSL_FATAL_ERROR) { - return WOLFSSL_FATAL_ERROR; - } - return WOLFSSL_SUCCESS; - } - - /* returns previous set cache size which stays constant */ - long wolfSSL_CTX_sess_set_cache_size(WOLFSSL_CTX* ctx, long sz) - { - /* cache size fixed at compile time in wolfSSL */ - (void)ctx; - (void)sz; - WOLFSSL_MSG("session cache is set at compile time"); - #ifndef NO_SESSION_CACHE - return (long)(SESSIONS_PER_ROW * SESSION_ROWS); - #else - return 0; - #endif - } - -#endif - -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) - void wolfSSL_CTX_set_quiet_shutdown(WOLFSSL_CTX* ctx, int mode) - { - WOLFSSL_ENTER("wolfSSL_CTX_set_quiet_shutdown"); - if (mode) - ctx->quietShutdown = 1; - } - - - void wolfSSL_set_quiet_shutdown(WOLFSSL* ssl, int mode) - { - WOLFSSL_ENTER("wolfSSL_CTX_set_quiet_shutdown"); - if (mode) - ssl->options.quietShutdown = 1; - } -#endif - -#ifdef OPENSSL_EXTRA - void wolfSSL_set_bio(WOLFSSL* ssl, WOLFSSL_BIO* rd, WOLFSSL_BIO* wr) - { - WOLFSSL_ENTER("wolfSSL_set_bio"); - - if (ssl == NULL) { - WOLFSSL_MSG("Bad argument, ssl was NULL"); - return; - } - - /* if WOLFSSL_BIO is socket type then set WOLFSSL socket to use */ - if (rd != NULL && rd->type == WOLFSSL_BIO_SOCKET) { - wolfSSL_set_rfd(ssl, rd->num); - } - if (wr != NULL && wr->type == WOLFSSL_BIO_SOCKET) { - wolfSSL_set_wfd(ssl, wr->num); - } - - /* free any existing WOLFSSL_BIOs in use */ - if (ssl->biord != NULL) { - if (ssl->biord != ssl->biowr) { - if (ssl->biowr != NULL) { - wolfSSL_BIO_free(ssl->biowr); - ssl->biowr = NULL; - } - } - wolfSSL_BIO_free(ssl->biord); - ssl->biord = NULL; - } - - - ssl->biord = rd; - ssl->biowr = wr; - - /* set SSL to use BIO callbacks instead */ - if (((ssl->cbioFlag & WOLFSSL_CBIO_RECV) == 0) && - (rd != NULL && rd->type != WOLFSSL_BIO_SOCKET)) { - ssl->CBIORecv = BioReceive; - } - if (((ssl->cbioFlag & WOLFSSL_CBIO_SEND) == 0) && - (wr != NULL && wr->type != WOLFSSL_BIO_SOCKET)) { - ssl->CBIOSend = BioSend; - } - - /* User programs should always retry reading from these BIOs */ - if (rd) { - /* User writes to rd */ - BIO_set_retry_write(rd); - } - if (wr) { - /* User reads from wr */ - BIO_set_retry_read(wr); - } - } -#endif - -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_WEBSERVER) - void wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX* ctx, - WOLF_STACK_OF(WOLFSSL_X509_NAME)* names) - { - WOLFSSL_ENTER("wolfSSL_CTX_set_client_CA_list"); - #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) - if (ctx != NULL) - ctx->ca_names = names; - #else - (void)ctx; - (void)names; - #endif - } - - - /* returns the CA's set on server side or the CA's sent from server when - * on client side */ -#if defined(SESSION_CERTS) && defined(OPENSSL_ALL) - WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_get_client_CA_list( - const WOLFSSL* ssl) - { - WOLFSSL_ENTER("wolfSSL_get_client_CA_list"); - - if (ssl == NULL) { - WOLFSSL_MSG("Bad argument passed to wolfSSL_get_client_CA_list"); - return NULL; - } - - /* return list of CAs sent from the server */ - if (ssl->options.side == WOLFSSL_CLIENT_END) { - WOLF_STACK_OF(WOLFSSL_X509)* sk; - - sk = wolfSSL_get_peer_cert_chain(ssl); - if (sk != NULL) { - WOLF_STACK_OF(WOLFSSL_X509_NAME)* ret; - WOLFSSL_X509* x509; - - ret = wolfSSL_sk_X509_NAME_new(NULL); - do { - x509 = wolfSSL_sk_X509_pop(sk); - if (x509 != NULL) { - if (wolfSSL_X509_get_isCA(x509)) { - if (wolfSSL_sk_X509_NAME_push(ret, - wolfSSL_X509_get_subject_name(x509)) != 0) { - WOLFSSL_MSG("Error pushing X509 name to stack"); - /* continue on to try other certificates and - * do not fail out here */ - } - } - wolfSSL_X509_free(x509); - } - } while (x509 != NULL); - wolfSSL_sk_X509_free(sk); - return ret; - } - return NULL; - } - else { - /* currently only can be set in the CTX */ - return ssl->ctx->ca_names; - } - } -#endif /* SESSION_CERTS */ - - - #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \ - defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY) - /* registers client cert callback, called during handshake if server - requests client auth but user has not loaded client cert/key */ - void wolfSSL_CTX_set_client_cert_cb(WOLFSSL_CTX *ctx, client_cert_cb cb) - { - WOLFSSL_ENTER("wolfSSL_CTX_set_client_cert_cb"); - - if (ctx != NULL) { - ctx->CBClientCert = cb; - } - } - #endif /* OPENSSL_ALL || OPENSSL_EXTRA || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ - -#endif /* OPENSSL_EXTRA || WOLFSSL_EXTRA || HAVE_WEBSERVER */ - -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) - WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list( - const WOLFSSL_CTX *s) - { - WOLFSSL_ENTER("wolfSSL_CTX_get_client_CA_list"); - - if (s == NULL) - return NULL; - - return s->ca_names; - } -#endif - -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - #if !defined(NO_RSA) && !defined(NO_CERTS) - WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char* fname) - { - /* The webserver build is using this to load a CA into the server - * for client authentication as an option. Have this return NULL in - * that case. If OPENSSL_EXTRA is enabled, go ahead and include - * the function. */ - #ifdef OPENSSL_EXTRA - WOLFSSL_STACK *list = NULL; - WOLFSSL_STACK *node; - WOLFSSL_BIO* bio; - WOLFSSL_X509 *cert = NULL; - WOLFSSL_X509_NAME *subjectName = NULL; - unsigned long err; - - WOLFSSL_ENTER("wolfSSL_load_client_CA_file"); - - bio = wolfSSL_BIO_new_file(fname, "r"); - if (bio == NULL) - return NULL; - - /* Read each certificate in the chain out of the file. */ - while (wolfSSL_PEM_read_bio_X509(bio, &cert, NULL, NULL) != NULL) { - subjectName = wolfSSL_X509_get_subject_name(cert); - if (subjectName == NULL) - break; - - node = wolfSSL_sk_new_node(NULL); - if (node == NULL) - break; - node->type = STACK_TYPE_X509_NAME; - - /* Need a persistent copy of the subject name. */ - node->data.name = wolfSSL_X509_NAME_dup(subjectName); - /* - * Original cert will be freed so make sure not to try to access - * it in the future. - */ - node->data.name->x509 = NULL; - - /* Put node on the front of the list. */ - node->num = (list == NULL) ? 1 : list->num + 1; - node->next = list; - list = node; - - wolfSSL_X509_free(cert); - cert = NULL; - } - - err = wolfSSL_ERR_peek_last_error(); - - if (ERR_GET_LIB(err) == ERR_LIB_PEM && - ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { - /* - * wolfSSL_PEM_read_bio_X509 pushes an ASN_NO_PEM_HEADER error - * to the error queue on file end. This should not be left - * for the caller to find so we clear the last error. - */ - wc_RemoveErrorNode(-1); - } - - wolfSSL_X509_free(cert); - wolfSSL_BIO_free(bio); - return list; - #else - (void)fname; - return NULL; - #endif - } - #endif -#endif - -#ifdef OPENSSL_EXTRA - #if !defined(NO_RSA) && !defined(NO_CERTS) - int wolfSSL_CTX_add_client_CA(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509) - { - WOLFSSL_STACK *node = NULL; - WOLFSSL_X509_NAME *subjectName = NULL; - - WOLFSSL_ENTER("wolfSSL_CTX_add_client_CA"); - - if (ctx == NULL || x509 == NULL){ - WOLFSSL_MSG("Bad argument"); - return SSL_FAILURE; - } - - subjectName = wolfSSL_X509_get_subject_name(x509); - if (subjectName == NULL){ - WOLFSSL_MSG("invalid x509 data"); - return SSL_FAILURE; - } - - /* Alloc stack struct */ - node = (WOLF_STACK_OF(WOLFSSL_X509_NAME)*)XMALLOC( - sizeof(WOLF_STACK_OF(WOLFSSL_X509_NAME)), - NULL, DYNAMIC_TYPE_OPENSSL); - if (node == NULL){ - WOLFSSL_MSG("memory allocation error"); - return SSL_FAILURE; - } - XMEMSET(node, 0, sizeof(WOLF_STACK_OF(WOLFSSL_X509_NAME))); - - /* Alloc and copy WOLFSSL_X509_NAME */ - node->data.name = (WOLFSSL_X509_NAME*)XMALLOC( - sizeof(WOLFSSL_X509_NAME), - NULL, DYNAMIC_TYPE_OPENSSL); - if (node->data.name == NULL) { - XFREE(node, NULL, DYNAMIC_TYPE_OPENSSL); - WOLFSSL_MSG("memory allocation error"); - return SSL_FAILURE; - } - XMEMCPY(node->data.name, subjectName, sizeof(WOLFSSL_X509_NAME)); - XMEMSET(subjectName, 0, sizeof(WOLFSSL_X509_NAME)); - - /* push new node onto head of stack */ - node->num = (ctx->ca_names == NULL) ? 1 : ctx->ca_names->num + 1; - node->next = ctx->ca_names; - ctx->ca_names = node; - return SSL_SUCCESS; - } - #endif - - #ifndef NO_WOLFSSL_STUB - int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX* ctx) - { - /* TODO:, not needed in goahead */ - (void)ctx; - WOLFSSL_STUB("SSL_CTX_set_default_verify_paths"); - return SSL_NOT_IMPLEMENTED; - } - #endif - - #if defined(WOLFCRYPT_HAVE_SRP) && !defined(NO_SHA256) \ - && !defined(WC_NO_RNG) - static const byte srp_N[] = { - 0xEE, 0xAF, 0x0A, 0xB9, 0xAD, 0xB3, 0x8D, 0xD6, 0x9C, 0x33, 0xF8, - 0x0A, 0xFA, 0x8F, 0xC5, 0xE8, 0x60, 0x72, 0x61, 0x87, 0x75, 0xFF, - 0x3C, 0x0B, 0x9E, 0xA2, 0x31, 0x4C, 0x9C, 0x25, 0x65, 0x76, 0xD6, - 0x74, 0xDF, 0x74, 0x96, 0xEA, 0x81, 0xD3, 0x38, 0x3B, 0x48, 0x13, - 0xD6, 0x92, 0xC6, 0xE0, 0xE0, 0xD5, 0xD8, 0xE2, 0x50, 0xB9, 0x8B, - 0xE4, 0x8E, 0x49, 0x5C, 0x1D, 0x60, 0x89, 0xDA, 0xD1, 0x5D, 0xC7, - 0xD7, 0xB4, 0x61, 0x54, 0xD6, 0xB6, 0xCE, 0x8E, 0xF4, 0xAD, 0x69, - 0xB1, 0x5D, 0x49, 0x82, 0x55, 0x9B, 0x29, 0x7B, 0xCF, 0x18, 0x85, - 0xC5, 0x29, 0xF5, 0x66, 0x66, 0x0E, 0x57, 0xEC, 0x68, 0xED, 0xBC, - 0x3C, 0x05, 0x72, 0x6C, 0xC0, 0x2F, 0xD4, 0xCB, 0xF4, 0x97, 0x6E, - 0xAA, 0x9A, 0xFD, 0x51, 0x38, 0xFE, 0x83, 0x76, 0x43, 0x5B, 0x9F, - 0xC6, 0x1D, 0x2F, 0xC0, 0xEB, 0x06, 0xE3 - }; - static const byte srp_g[] = { - 0x02 - }; - - int wolfSSL_CTX_set_srp_username(WOLFSSL_CTX* ctx, char* username) - { - int r = 0; - SrpSide srp_side = SRP_CLIENT_SIDE; - WC_RNG rng; - byte salt[SRP_SALT_SIZE]; - - WOLFSSL_ENTER("wolfSSL_CTX_set_srp_username"); - if (ctx == NULL || ctx->srp == NULL || username==NULL) - return SSL_FAILURE; - - if (ctx->method->side == WOLFSSL_SERVER_END){ - srp_side = SRP_SERVER_SIDE; - } else if (ctx->method->side == WOLFSSL_CLIENT_END){ - srp_side = SRP_CLIENT_SIDE; - } else { - WOLFSSL_MSG("Init CTX failed"); - return SSL_FAILURE; - } - - if (wc_SrpInit(ctx->srp, SRP_TYPE_SHA256, srp_side) < 0){ - WOLFSSL_MSG("Init CTX failed"); - XFREE(ctx->srp, ctx->heap, DYNAMIC_TYPE_SRP); - wolfSSL_CTX_free(ctx); - return SSL_FAILURE; - } - r = wc_SrpSetUsername(ctx->srp, (const byte*)username, - (word32)XSTRLEN(username)); - if (r < 0) { - WOLFSSL_MSG("fail to set srp username."); - return SSL_FAILURE; - } - - /* if wolfSSL_CTX_set_srp_password has already been called, */ - /* execute wc_SrpSetPassword here */ - if (ctx->srp_password != NULL){ - if (wc_InitRng(&rng) < 0){ - WOLFSSL_MSG("wc_InitRng failed"); - return SSL_FAILURE; - } - XMEMSET(salt, 0, sizeof(salt)/sizeof(salt[0])); - if (wc_RNG_GenerateBlock(&rng, salt, - sizeof(salt)/sizeof(salt[0])) < 0){ - WOLFSSL_MSG("wc_RNG_GenerateBlock failed"); - wc_FreeRng(&rng); - return SSL_FAILURE; - } - if (wc_SrpSetParams(ctx->srp, srp_N, sizeof(srp_N)/sizeof(srp_N[0]), - srp_g, sizeof(srp_g)/sizeof(srp_g[0]), - salt, sizeof(salt)/sizeof(salt[0])) < 0){ - WOLFSSL_MSG("wc_SrpSetParam failed"); - wc_FreeRng(&rng); - return SSL_FAILURE; - } - r = wc_SrpSetPassword(ctx->srp, - (const byte*)ctx->srp_password, - (word32)XSTRLEN((char *)ctx->srp_password)); - if (r < 0) { - WOLFSSL_MSG("fail to set srp password."); - return SSL_FAILURE; - } - wc_FreeRng(&rng); - XFREE(ctx->srp_password, ctx->heap, DYNAMIC_TYPE_SRP); - ctx->srp_password = NULL; - } - - return SSL_SUCCESS; - } - - int wolfSSL_CTX_set_srp_password(WOLFSSL_CTX* ctx, char* password) - { - int r; - WC_RNG rng; - byte salt[SRP_SALT_SIZE]; - - WOLFSSL_ENTER("wolfSSL_CTX_set_srp_password"); - if (ctx == NULL || ctx->srp == NULL || password == NULL) - return SSL_FAILURE; - - if (ctx->srp->user != NULL){ - if (wc_InitRng(&rng) < 0){ - WOLFSSL_MSG("wc_InitRng failed"); - return SSL_FAILURE; - } - XMEMSET(salt, 0, sizeof(salt)/sizeof(salt[0])); - if (wc_RNG_GenerateBlock(&rng, salt, - sizeof(salt)/sizeof(salt[0])) < 0){ - WOLFSSL_MSG("wc_RNG_GenerateBlock failed"); - wc_FreeRng(&rng); - return SSL_FAILURE; - } - if (wc_SrpSetParams(ctx->srp, srp_N, sizeof(srp_N)/sizeof(srp_N[0]), - srp_g, sizeof(srp_g)/sizeof(srp_g[0]), - salt, sizeof(salt)/sizeof(salt[0])) < 0){ - WOLFSSL_MSG("wc_SrpSetParam failed"); - wc_FreeRng(&rng); - return SSL_FAILURE; - } - r = wc_SrpSetPassword(ctx->srp, (const byte*)password, - (word32)XSTRLEN(password)); - if (r < 0) { - WOLFSSL_MSG("wc_SrpSetPassword failed."); - wc_FreeRng(&rng); - return SSL_FAILURE; - } - if (ctx->srp_password != NULL){ - XFREE(ctx->srp_password,NULL, - DYNAMIC_TYPE_SRP); - ctx->srp_password = NULL; - } - wc_FreeRng(&rng); - } else { - /* save password for wolfSSL_set_srp_username */ - if (ctx->srp_password != NULL) - XFREE(ctx->srp_password,ctx->heap, DYNAMIC_TYPE_SRP); - - ctx->srp_password = (byte*)XMALLOC(XSTRLEN(password) + 1, ctx->heap, - DYNAMIC_TYPE_SRP); - if (ctx->srp_password == NULL){ - WOLFSSL_MSG("memory allocation error"); - return SSL_FAILURE; - } - XMEMCPY(ctx->srp_password, password, XSTRLEN(password) + 1); - } - return SSL_SUCCESS; - } - #endif /* WOLFCRYPT_HAVE_SRP && !NO_SHA256 && !WC_NO_RNG */ - - /* keyblock size in bytes or -1 */ - int wolfSSL_get_keyblock_size(WOLFSSL* ssl) - { - if (ssl == NULL) - return WOLFSSL_FATAL_ERROR; - - return 2 * (ssl->specs.key_size + ssl->specs.iv_size + - ssl->specs.hash_size); - } - - - /* store keys returns WOLFSSL_SUCCESS or -1 on error */ - int wolfSSL_get_keys(WOLFSSL* ssl, unsigned char** ms, unsigned int* msLen, - unsigned char** sr, unsigned int* srLen, - unsigned char** cr, unsigned int* crLen) - { - if (ssl == NULL || ssl->arrays == NULL) - return WOLFSSL_FATAL_ERROR; - - *ms = ssl->arrays->masterSecret; - *sr = ssl->arrays->serverRandom; - *cr = ssl->arrays->clientRandom; - - *msLen = SECRET_LEN; - *srLen = RAN_LEN; - *crLen = RAN_LEN; - - return WOLFSSL_SUCCESS; - } - -#endif /* OPENSSL_EXTRA */ - -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) - void wolfSSL_set_accept_state(WOLFSSL* ssl) - { - WOLFSSL_ENTER("wolfSSL_set_accept_state"); - if (ssl->options.side == WOLFSSL_CLIENT_END) { - #ifdef HAVE_ECC - ecc_key key; - word32 idx = 0; - - if (ssl->options.haveStaticECC && ssl->buffers.key != NULL) { - if (wc_ecc_init(&key) >= 0) { - if (wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &key, - ssl->buffers.key->length) != 0) { - ssl->options.haveECDSAsig = 0; - ssl->options.haveECC = 0; - ssl->options.haveStaticECC = 0; - } - wc_ecc_free(&key); - } - } - #endif - - #ifndef NO_DH - if (!ssl->options.haveDH && ssl->ctx->haveDH) { - ssl->buffers.serverDH_P = ssl->ctx->serverDH_P; - ssl->buffers.serverDH_G = ssl->ctx->serverDH_G; - ssl->options.haveDH = 1; - } - #endif - } - - if (InitSSL_Side(ssl, WOLFSSL_SERVER_END) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error initializing server side"); - } - } - -#endif /* OPENSSL_EXTRA || WOLFSSL_EXTRA */ - - /* return true if connection established */ - int wolfSSL_is_init_finished(WOLFSSL* ssl) - { - if (ssl == NULL) - return 0; - - if (ssl->options.handShakeState == HANDSHAKE_DONE) - return 1; - - return 0; - } - -#ifdef OPENSSL_EXTRA - - void wolfSSL_CTX_set_tmp_rsa_callback(WOLFSSL_CTX* ctx, - WOLFSSL_RSA*(*f)(WOLFSSL*, int, int)) - { - /* wolfSSL verifies all these internally */ - (void)ctx; - (void)f; - } - - - void wolfSSL_set_shutdown(WOLFSSL* ssl, int opt) - { - WOLFSSL_ENTER("wolfSSL_set_shutdown"); - if(ssl==NULL) { - WOLFSSL_MSG("Shutdown not set. ssl is null"); - return; - } - - ssl->options.sentNotify = (opt&WOLFSSL_SENT_SHUTDOWN) > 0; - ssl->options.closeNotify = (opt&WOLFSSL_RECEIVED_SHUTDOWN) > 0; - } - - - long wolfSSL_CTX_get_options(WOLFSSL_CTX* ctx) - { - WOLFSSL_ENTER("wolfSSL_CTX_get_options"); - WOLFSSL_MSG("wolfSSL options are set through API calls and macros"); - if(ctx == NULL) - return BAD_FUNC_ARG; - return ctx->mask; - } - -#endif - -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - - static long wolf_set_options(long old_op, long op); - long wolfSSL_CTX_set_options(WOLFSSL_CTX* ctx, long opt) - { - WOLFSSL_ENTER("SSL_CTX_set_options"); - - if (ctx == NULL) - return BAD_FUNC_ARG; - - ctx->mask = wolf_set_options(ctx->mask, opt); - - return ctx->mask; - } - -#endif - -#ifdef OPENSSL_EXTRA - - long wolfSSL_CTX_clear_options(WOLFSSL_CTX* ctx, long opt) - { - WOLFSSL_ENTER("SSL_CTX_clear_options"); - if(ctx == NULL) - return BAD_FUNC_ARG; - ctx->mask &= ~opt; - return ctx->mask; - } - - int wolfSSL_set_rfd(WOLFSSL* ssl, int rfd) - { - WOLFSSL_ENTER("SSL_set_rfd"); - ssl->rfd = rfd; /* not used directly to allow IO callbacks */ - - ssl->IOCB_ReadCtx = &ssl->rfd; - - return WOLFSSL_SUCCESS; - } - - - int wolfSSL_set_wfd(WOLFSSL* ssl, int wfd) - { - WOLFSSL_ENTER("SSL_set_wfd"); - ssl->wfd = wfd; /* not used directly to allow IO callbacks */ - - ssl->IOCB_WriteCtx = &ssl->wfd; - - return WOLFSSL_SUCCESS; - } - -#ifndef NO_CERTS - - WOLFSSL_X509_STORE* wolfSSL_CTX_get_cert_store(WOLFSSL_CTX* ctx) - { - if (ctx == NULL) { - return NULL; - } - - return &ctx->x509_store; - } - - void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx, WOLFSSL_X509_STORE* str) - { - if (ctx == NULL || str == NULL) { - return; - } - - /* free cert manager if have one */ - if (ctx->cm != NULL) { - wolfSSL_CertManagerFree(ctx->cm); - } - ctx->cm = str->cm; - - /* free existing store if it exists */ - if (ctx->x509_store_pt != NULL) { - /* cert manager was free'd a little earlier in this function */ - ctx->x509_store_pt->cm = NULL; - } - wolfSSL_X509_STORE_free(ctx->x509_store_pt); - ctx->x509_store.cache = str->cache; - ctx->x509_store_pt = str; /* take ownership of store and free it - with CTX free */ - } - - - WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert( - WOLFSSL_X509_STORE_CTX* ctx) - { - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert"); - if (ctx) - return ctx->current_cert; - return NULL; - } - - - int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx) - { - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error"); - if (ctx != NULL) - return ctx->error; - return 0; - } - - - int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx) - { - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error_depth"); - if(ctx) - return ctx->error_depth; - return WOLFSSL_FATAL_ERROR; - } - - void wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx, - WOLFSSL_X509_STORE_CTX_verify_cb verify_cb) - { - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_verify_cb"); - if(ctx == NULL) - return; - ctx->verify_cb = verify_cb; - } - -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - void wolfSSL_X509_STORE_set_verify_cb(WOLFSSL_X509_STORE *st, - WOLFSSL_X509_STORE_CTX_verify_cb verify_cb) - { - WOLFSSL_ENTER("WOLFSSL_X509_STORE_set_verify_cb"); - if (st != NULL) { - st->verify_cb = verify_cb; - } - } -#endif - - -#endif /* !NO_CERTS */ - - WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_md(void) - { - static WOLFSSL_BIO_METHOD meth; - - WOLFSSL_ENTER("wolfSSL_BIO_f_md"); - meth.type = WOLFSSL_BIO_MD; - - return &meth; - } - - /* return the context and initialize the BIO state */ - int wolfSSL_BIO_get_md_ctx(WOLFSSL_BIO *bio, WOLFSSL_EVP_MD_CTX **mdcp) - { - int ret = WOLFSSL_FAILURE; - - if ((bio != NULL) && (mdcp != NULL)) { - *mdcp = (WOLFSSL_EVP_MD_CTX*)bio->ptr; - ret = WOLFSSL_SUCCESS; - } - - return ret; - } - - WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_buffer(void) - { - static WOLFSSL_BIO_METHOD meth; - - WOLFSSL_ENTER("BIO_f_buffer"); - meth.type = WOLFSSL_BIO_BUFFER; - - return &meth; - } - - #ifndef NO_WOLFSSL_STUB - long wolfSSL_BIO_set_write_buffer_size(WOLFSSL_BIO* bio, long size) - { - /* wolfSSL has internal buffer, compatibility only */ - WOLFSSL_ENTER("BIO_set_write_buffer_size"); - WOLFSSL_STUB("BIO_set_write_buffer_size"); - (void)bio; - return size; - } - #endif - - WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_bio(void) - { - static WOLFSSL_BIO_METHOD bio_meth; - - WOLFSSL_ENTER("wolfSSL_BIO_s_bio"); - bio_meth.type = WOLFSSL_BIO_BIO; - - return &bio_meth; - } - - -#ifndef NO_FILESYSTEM - WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_file(void) - { - static WOLFSSL_BIO_METHOD file_meth; - - WOLFSSL_ENTER("wolfSSL_BIO_s_file"); - file_meth.type = WOLFSSL_BIO_FILE; - - return &file_meth; - } -#endif - - - WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_ssl(void) - { - static WOLFSSL_BIO_METHOD meth; - - WOLFSSL_ENTER("wolfSSL_BIO_f_ssl"); - meth.type = WOLFSSL_BIO_SSL; - - return &meth; - } - - - WOLFSSL_BIO_METHOD *wolfSSL_BIO_s_socket(void) - { - static WOLFSSL_BIO_METHOD meth; - - WOLFSSL_ENTER("wolfSSL_BIO_s_socket"); - meth.type = WOLFSSL_BIO_SOCKET; - - return &meth; - } - - - WOLFSSL_BIO* wolfSSL_BIO_new_socket(int sfd, int closeF) - { - WOLFSSL_BIO* bio = wolfSSL_BIO_new(wolfSSL_BIO_s_socket()); - - WOLFSSL_ENTER("BIO_new_socket"); - if (bio) { - bio->type = WOLFSSL_BIO_SOCKET; - bio->shutdown = (byte)closeF; - bio->num = sfd; - } - return bio; - } - - - int wolfSSL_BIO_eof(WOLFSSL_BIO* b) - { - WOLFSSL_ENTER("BIO_eof"); - if ((b != NULL) && (b->eof)) - return 1; - - return 0; - } - - - long wolfSSL_BIO_set_ssl(WOLFSSL_BIO* b, WOLFSSL* ssl, int closeF) - { - WOLFSSL_ENTER("wolfSSL_BIO_set_ssl"); - - if (b != NULL) { - b->ptr = ssl; - b->shutdown = (byte)closeF; - /* add to ssl for bio free if SSL_free called before/instead of free_all? */ - } - - return 0; - } - -#ifndef NO_FILESYSTEM - long wolfSSL_BIO_set_fd(WOLFSSL_BIO* b, int fd, int closeF) - { - WOLFSSL_ENTER("wolfSSL_BIO_set_fd"); - - if (b != NULL) { - b->num = fd; - b->shutdown = (byte)closeF; - } - - return WOLFSSL_SUCCESS; - } -#endif - - /* Sets the close flag */ - int wolfSSL_BIO_set_close(WOLFSSL_BIO *b, long flag) - { - WOLFSSL_ENTER("wolfSSL_BIO_set_close"); - if (b != NULL) { - b->shutdown = (byte)flag; - } - - return WOLFSSL_SUCCESS; - } - - - WOLFSSL_BIO* wolfSSL_BIO_new(WOLFSSL_BIO_METHOD* method) - { - WOLFSSL_BIO* bio; - - WOLFSSL_ENTER("wolfSSL_BIO_new"); - if (method == NULL) { - WOLFSSL_MSG("Bad method pointer passed in"); - return NULL; - } - - bio = (WOLFSSL_BIO*) XMALLOC(sizeof(WOLFSSL_BIO), 0, - DYNAMIC_TYPE_OPENSSL); - if (bio) { - XMEMSET(bio, 0, sizeof(WOLFSSL_BIO)); - bio->type = (byte)method->type; - bio->method = method; - bio->shutdown = BIO_CLOSE; /* default to close things */ - bio->init = 1; - if (method->type != WOLFSSL_BIO_FILE && - method->type != WOLFSSL_BIO_SOCKET && - method->type != WOLFSSL_BIO_MD) { - bio->mem_buf =(WOLFSSL_BUF_MEM*)XMALLOC(sizeof(WOLFSSL_BUF_MEM), - 0, DYNAMIC_TYPE_OPENSSL); - if (bio->mem_buf == NULL) { - WOLFSSL_MSG("Memory error"); - wolfSSL_BIO_free(bio); - return NULL; - } - bio->mem_buf->data = (char*)bio->ptr; - } - - if (method->type == WOLFSSL_BIO_MD) { - bio->ptr = wolfSSL_EVP_MD_CTX_new(); - if (bio->ptr == NULL) { - WOLFSSL_MSG("Memory error"); - wolfSSL_BIO_free(bio); - return NULL; - } - } - - /* check if is custom method */ - if (method->createCb) { - method->createCb(bio); - } - } - return bio; - } - - WOLFSSL_BIO* wolfSSL_BIO_new_mem_buf(const void* buf, int len) - { - WOLFSSL_BIO* bio = NULL; - - if (buf == NULL || len < 0) { - return bio; - } - - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); - if (bio == NULL) { - return bio; - } - - bio->num = bio->wrSz = len; - bio->ptr = (byte*)XMALLOC(len, 0, DYNAMIC_TYPE_OPENSSL); - if (bio->ptr == NULL) { - wolfSSL_BIO_free(bio); - return NULL; - } - if (bio->mem_buf != NULL) { - bio->mem_buf->data = (char*)bio->ptr; - bio->mem_buf->length = bio->num; - } - - XMEMCPY(bio->ptr, buf, len); - - return bio; - } - - /* - * Note : If the flag BIO_NOCLOSE is set then freeing memory buffers is up - * to the application. - * Returns 1 on success, 0 on failure - */ - int wolfSSL_BIO_free(WOLFSSL_BIO* bio) - { - int ret; - - /* unchain?, doesn't matter in goahead since from free all */ - WOLFSSL_ENTER("wolfSSL_BIO_free"); - if (bio) { - - if (bio->infoCb) { - /* info callback is called before free */ - ret = (int)bio->infoCb(bio, WOLFSSL_BIO_CB_FREE, NULL, 0, 0, 1); - if (ret <= 0) { - return ret; - } - } - - /* call custom set free callback */ - if (bio->method && bio->method->freeCb) { - bio->method->freeCb(bio); - } - - /* remove from pair by setting the paired bios pair to NULL */ - if (bio->pair != NULL) { - bio->pair->pair = NULL; - } - - if (bio->shutdown) { - if (bio->type == WOLFSSL_BIO_SSL && bio->ptr) - wolfSSL_free((WOLFSSL*)bio->ptr); - #ifdef CloseSocket - if (bio->type == WOLFSSL_BIO_SOCKET && bio->num) - CloseSocket(bio->num); - #endif - } - - #ifndef NO_FILESYSTEM - if (bio->type == WOLFSSL_BIO_FILE && bio->shutdown == BIO_CLOSE) { - if (bio->ptr) { - XFCLOSE((XFILE)bio->ptr); - } - } - #endif - - if (bio->shutdown != BIO_NOCLOSE) { - if (bio->type == WOLFSSL_BIO_MEMORY && bio->ptr != NULL) { - if (bio->mem_buf != NULL) { - if (bio->mem_buf->data != (char*)bio->ptr) { - XFREE(bio->ptr, bio->heap, DYNAMIC_TYPE_OPENSSL); - bio->ptr = NULL; - } - } - else { - XFREE(bio->ptr, bio->heap, DYNAMIC_TYPE_OPENSSL); - bio->ptr = NULL; - } - } - if (bio->mem_buf != NULL) { - wolfSSL_BUF_MEM_free(bio->mem_buf); - bio->mem_buf = NULL; - } - } - - if (bio->type == WOLFSSL_BIO_MD) { - wolfSSL_EVP_MD_CTX_free((WOLFSSL_EVP_MD_CTX*)bio->ptr); - } - - XFREE(bio, 0, DYNAMIC_TYPE_OPENSSL); - } - return 1; - } - - /* like BIO_free, but no return value */ - void wolfSSL_BIO_vfree(WOLFSSL_BIO* bio) - { - wolfSSL_BIO_free(bio); - } - - - int wolfSSL_BIO_free_all(WOLFSSL_BIO* bio) - { - WOLFSSL_ENTER("BIO_free_all"); - while (bio) { - WOLFSSL_BIO* next = bio->next; - wolfSSL_BIO_free(bio); - bio = next; - } - return 0; - } - - - WOLFSSL_BIO* wolfSSL_BIO_push(WOLFSSL_BIO* top, WOLFSSL_BIO* append) - { - WOLFSSL_ENTER("BIO_push"); - top->next = append; - append->prev = top; - - return top; - } -#endif /* OPENSSL_EXTRA */ - -#ifdef WOLFSSL_ENCRYPTED_KEYS - - void wolfSSL_CTX_set_default_passwd_cb_userdata(WOLFSSL_CTX* ctx, - void* userdata) - { - WOLFSSL_ENTER("SSL_CTX_set_default_passwd_cb_userdata"); - if (ctx) - ctx->passwd_userdata = userdata; - } - - - void wolfSSL_CTX_set_default_passwd_cb(WOLFSSL_CTX* ctx,pem_password_cb* cb) - { - WOLFSSL_ENTER("SSL_CTX_set_default_passwd_cb"); - if (ctx) - ctx->passwd_cb = cb; - } - - pem_password_cb* wolfSSL_CTX_get_default_passwd_cb(WOLFSSL_CTX *ctx) - { - if (ctx == NULL || ctx->passwd_cb == NULL) { - return NULL; - } - - return ctx->passwd_cb; - } - - - void* wolfSSL_CTX_get_default_passwd_cb_userdata(WOLFSSL_CTX *ctx) - { - if (ctx == NULL) { - return NULL; - } - - return ctx->passwd_userdata; - } - -#endif /* WOLFSSL_ENCRYPTED_KEYS */ - - -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - int wolfSSL_num_locks(void) - { - return 0; - } - - void wolfSSL_set_locking_callback(void (*f)(int, int, const char*, int)) - { - WOLFSSL_ENTER("wolfSSL_set_locking_callback"); - - if (wc_SetMutexCb(f) != 0) { - WOLFSSL_MSG("Error when setting mutex call back"); - } - } - - - typedef unsigned long (idCb)(void); - static idCb* inner_idCb = NULL; - - unsigned long wolfSSL_thread_id(void) - { - if (inner_idCb != NULL) { - return inner_idCb(); - } - else { - return 0; - } - } - - - void wolfSSL_set_id_callback(unsigned long (*f)(void)) - { - inner_idCb = f; - } - - unsigned long wolfSSL_ERR_get_error(void) - { - WOLFSSL_ENTER("wolfSSL_ERR_get_error"); - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - { - unsigned long ret = wolfSSL_ERR_peek_error_line_data(NULL, NULL, - NULL, NULL); - wc_RemoveErrorNode(-1); - return ret; - } -#elif (defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)) - { - int ret = wc_PullErrorNode(NULL, NULL, NULL); - - if (ret < 0) { - if (ret == BAD_STATE_E) return 0; /* no errors in queue */ - WOLFSSL_MSG("Error with pulling error node!"); - WOLFSSL_LEAVE("wolfSSL_ERR_get_error", ret); - ret = 0 - ret; /* return absolute value of error */ - - /* panic and try to clear out nodes */ - wc_ClearErrorNodes(); - } - - return (unsigned long)ret; - } -#else - return (unsigned long)(0 - NOT_COMPILED_IN); -#endif - } - -#if (defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)) - /* print out and clear all errors */ - void wolfSSL_ERR_print_errors(WOLFSSL_BIO* bio) - { - const char* file = NULL; - const char* reason = NULL; - int ret; - int line = 0; - char buf[WOLFSSL_MAX_ERROR_SZ * 2]; - - WOLFSSL_ENTER("wolfSSL_ERR_print_errors"); - - if (bio == NULL) { - WOLFSSL_MSG("BIO passed in was null"); - return; - } - - do { - ret = wc_PeekErrorNode(0, &file, &reason, &line); - if (ret >= 0) { - const char* r = wolfSSL_ERR_reason_error_string(0 - ret); - XSNPRINTF(buf, sizeof(buf), "error:%d:wolfSSL library:%s:%s:%d\n", - ret, r, file, line); - wolfSSL_BIO_write(bio, buf, (int)XSTRLEN(buf)); - wc_RemoveErrorNode(0); - } - } while (ret >= 0); - } -#endif /* OPENSSL_EXTRA || DEBUG_WOLFSSL_VERBOSE */ - -#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */ - -#ifdef OPENSSL_EXTRA - -#if !defined(NO_WOLFSSL_SERVER) -size_t wolfSSL_get_server_random(const WOLFSSL *ssl, unsigned char *out, - size_t outSz) -{ - size_t size; - - /* return max size of buffer */ - if (outSz == 0) { - return RAN_LEN; - } - - if (ssl == NULL || out == NULL) { - return 0; - } - - if (ssl->options.saveArrays == 0 || ssl->arrays == NULL) { - WOLFSSL_MSG("Arrays struct not saved after handshake"); - return 0; - } - - if (outSz > RAN_LEN) { - size = RAN_LEN; - } - else { - size = outSz; - } - - XMEMCPY(out, ssl->arrays->serverRandom, size); - return size; -} - - -/* Used to get the peer ephemeral public key sent during the connection - * NOTE: currently wolfSSL_KeepHandshakeResources(WOLFSSL* ssl) must be called - * before the ephemeral key is stored. - * return WOLFSSL_SUCCESS on success */ -int wolfSSL_get_server_tmp_key(const WOLFSSL* ssl, WOLFSSL_EVP_PKEY** pkey) -{ - WOLFSSL_EVP_PKEY* ret = NULL; - - WOLFSSL_ENTER("wolfSSL_get_server_tmp_key"); - - if (ssl == NULL || pkey == NULL) { - WOLFSSL_MSG("Bad argument passed in"); - return WOLFSSL_FAILURE; - } - -#ifdef HAVE_ECC - if (ssl->peerEccKey != NULL) { - unsigned char* der; - const unsigned char* pt; - unsigned int derSz = 0; - int sz; - - if (wc_ecc_export_x963(ssl->peerEccKey, NULL, &derSz) != - LENGTH_ONLY_E) { - WOLFSSL_MSG("get ecc der size failed"); - return WOLFSSL_FAILURE; - } - - derSz += MAX_SEQ_SZ + (2 * MAX_ALGO_SZ) + MAX_SEQ_SZ + TRAILING_ZERO; - der = (unsigned char*)XMALLOC(derSz, ssl->heap, DYNAMIC_TYPE_KEY); - if (der == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - - if ((sz = wc_EccPublicKeyToDer(ssl->peerEccKey, der, derSz, 1)) <= 0) { - WOLFSSL_MSG("get ecc der failed"); - XFREE(der, ssl->heap, DYNAMIC_TYPE_KEY); - return WOLFSSL_FAILURE; - } - pt = der; /* in case pointer gets advanced */ - ret = wolfSSL_d2i_PUBKEY(NULL, &pt, sz); - XFREE(der, ssl->heap, DYNAMIC_TYPE_KEY); - } -#endif - - *pkey = ret; - if (ret == NULL) - return WOLFSSL_FAILURE; - else - return WOLFSSL_SUCCESS; -} - -#endif /* !NO_WOLFSSL_SERVER */ - -int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version) -{ - WOLFSSL_ENTER("wolfSSL_CTX_set_min_proto_version"); - - if (ctx == NULL) { - return BAD_FUNC_ARG; - } - - switch (version) { -#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS) - case SSL3_VERSION: - ctx->minDowngrade = SSLv3_MINOR; - break; -#endif -#ifndef NO_TLS - #ifndef NO_OLD_TLS - #ifdef WOLFSSL_ALLOW_TLSV10 - case TLS1_VERSION: - ctx->minDowngrade = TLSv1_MINOR; - break; - #endif - case TLS1_1_VERSION: - ctx->minDowngrade = TLSv1_1_MINOR; - break; - #endif - #ifndef WOLFSSL_NO_TLS12 - case TLS1_2_VERSION: - ctx->minDowngrade = TLSv1_2_MINOR; - break; - #endif - #ifdef WOLFSSL_TLS13 - case TLS1_3_VERSION: - ctx->minDowngrade = TLSv1_3_MINOR; - break; - #endif -#endif -#ifdef WOLFSSL_DTLS - #ifndef NO_OLD_TLS - case DTLS1_VERSION: - ctx->minDowngrade = DTLS_MINOR; - break; - #endif - case DTLS1_2_VERSION: - ctx->minDowngrade = DTLSv1_2_MINOR; - break; -#endif - default: - return BAD_FUNC_ARG; - } - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver) -{ - WOLFSSL_ENTER("wolfSSL_CTX_set_max_proto_version"); - - /* supported only at compile-time only */ - (void)ctx; - (void)ver; - return WOLFSSL_SUCCESS; -} - - -#if !defined(NO_WOLFSSL_CLIENT) -/* Return the amount of random bytes copied over or error case. - * ssl : ssl struct after handshake - * out : buffer to hold random bytes - * outSz : either 0 (return max buffer sz) or size of out buffer - * - * NOTE: wolfSSL_KeepArrays(ssl) must be called to retain handshake information. - */ -size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, - size_t outSz) -{ - size_t size; - - /* return max size of buffer */ - if (outSz == 0) { - return RAN_LEN; - } - - if (ssl == NULL || out == NULL) { - return 0; - } - - if (ssl->options.saveArrays == 0 || ssl->arrays == NULL) { - WOLFSSL_MSG("Arrays struct not saved after handshake"); - return 0; - } - - if (outSz > RAN_LEN) { - size = RAN_LEN; - } - else { - size = outSz; - } - - XMEMCPY(out, ssl->arrays->clientRandom, size); - return size; -} -#endif /* !NO_WOLFSSL_CLIENT */ - - - unsigned long wolfSSLeay(void) - { - return SSLEAY_VERSION_NUMBER; - } - - unsigned long wolfSSL_OpenSSL_version_num(void) - { - return OPENSSL_VERSION_NUMBER; - } - - const char* wolfSSLeay_version(int type) - { - static const char* version = "SSLeay wolfSSL compatibility"; - (void)type; - return version; - } - - -#ifndef NO_MD5 - int wolfSSL_MD5_Init(WOLFSSL_MD5_CTX* md5) - { - int ret; - typedef char md5_test[sizeof(MD5_CTX) >= sizeof(wc_Md5) ? 1 : -1]; - (void)sizeof(md5_test); - - WOLFSSL_ENTER("MD5_Init"); - ret = wc_InitMd5((wc_Md5*)md5); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_MD5_Update(WOLFSSL_MD5_CTX* md5, const void* input, - unsigned long sz) - { - int ret; - - WOLFSSL_ENTER("wolfSSL_MD5_Update"); - ret = wc_Md5Update((wc_Md5*)md5, (const byte*)input, (word32)sz); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_MD5_Final(byte* input, WOLFSSL_MD5_CTX* md5) - { - int ret; - - WOLFSSL_ENTER("MD5_Final"); - ret = wc_Md5Final((wc_Md5*)md5, input); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } -#endif /* !NO_MD5 */ - - -#ifndef NO_SHA - int wolfSSL_SHA_Init(WOLFSSL_SHA_CTX* sha) - { - int ret; - - typedef char sha_test[sizeof(SHA_CTX) >= sizeof(wc_Sha) ? 1 : -1]; - (void)sizeof(sha_test); - - WOLFSSL_ENTER("SHA_Init"); - ret = wc_InitSha((wc_Sha*)sha); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA_Update(WOLFSSL_SHA_CTX* sha, const void* input, - unsigned long sz) - { - int ret; - - WOLFSSL_ENTER("SHA_Update"); - ret = wc_ShaUpdate((wc_Sha*)sha, (const byte*)input, (word32)sz); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA_Final(byte* input, WOLFSSL_SHA_CTX* sha) - { - int ret; - - WOLFSSL_ENTER("SHA_Final"); - ret = wc_ShaFinal((wc_Sha*)sha, input); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA1_Init(WOLFSSL_SHA_CTX* sha) - { - WOLFSSL_ENTER("SHA1_Init"); - return SHA_Init(sha); - } - - - int wolfSSL_SHA1_Update(WOLFSSL_SHA_CTX* sha, const void* input, - unsigned long sz) - { - WOLFSSL_ENTER("SHA1_Update"); - return SHA_Update(sha, input, sz); - } - - - int wolfSSL_SHA1_Final(byte* input, WOLFSSL_SHA_CTX* sha) - { - WOLFSSL_ENTER("SHA1_Final"); - return SHA_Final(input, sha); - } -#endif /* !NO_SHA */ - -#ifdef WOLFSSL_SHA224 - - int wolfSSL_SHA224_Init(WOLFSSL_SHA224_CTX* sha) - { - int ret; - - typedef char sha_test[sizeof(SHA224_CTX) >= sizeof(wc_Sha224) ? 1 : -1]; - (void)sizeof(sha_test); - - WOLFSSL_ENTER("SHA224_Init"); - ret = wc_InitSha224((wc_Sha224*)sha); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA224_Update(WOLFSSL_SHA224_CTX* sha, const void* input, - unsigned long sz) - { - int ret; - - WOLFSSL_ENTER("SHA224_Update"); - ret = wc_Sha224Update((wc_Sha224*)sha, (const byte*)input, (word32)sz); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA224_Final(byte* input, WOLFSSL_SHA224_CTX* sha) - { - int ret; - - WOLFSSL_ENTER("SHA224_Final"); - ret = wc_Sha224Final((wc_Sha224*)sha, input); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - -#endif /* WOLFSSL_SHA224 */ - - - int wolfSSL_SHA256_Init(WOLFSSL_SHA256_CTX* sha256) - { - int ret; - - typedef char sha_test[sizeof(SHA256_CTX) >= sizeof(wc_Sha256) ? 1 : -1]; - (void)sizeof(sha_test); - - WOLFSSL_ENTER("SHA256_Init"); - ret = wc_InitSha256((wc_Sha256*)sha256); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA256_Update(WOLFSSL_SHA256_CTX* sha, const void* input, - unsigned long sz) - { - int ret; - - WOLFSSL_ENTER("SHA256_Update"); - ret = wc_Sha256Update((wc_Sha256*)sha, (const byte*)input, (word32)sz); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA256_Final(byte* input, WOLFSSL_SHA256_CTX* sha) - { - int ret; - - WOLFSSL_ENTER("SHA256_Final"); - ret = wc_Sha256Final((wc_Sha256*)sha, input); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - -#ifdef WOLFSSL_SHA384 - - int wolfSSL_SHA384_Init(WOLFSSL_SHA384_CTX* sha) - { - int ret; - - typedef char sha_test[sizeof(SHA384_CTX) >= sizeof(wc_Sha384) ? 1 : -1]; - (void)sizeof(sha_test); - - WOLFSSL_ENTER("SHA384_Init"); - ret = wc_InitSha384((wc_Sha384*)sha); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA384_Update(WOLFSSL_SHA384_CTX* sha, const void* input, - unsigned long sz) - { - int ret; - - WOLFSSL_ENTER("SHA384_Update"); - ret = wc_Sha384Update((wc_Sha384*)sha, (const byte*)input, (word32)sz); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA384_Final(byte* input, WOLFSSL_SHA384_CTX* sha) - { - int ret; - - WOLFSSL_ENTER("SHA384_Final"); - ret = wc_Sha384Final((wc_Sha384*)sha, input); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - -#endif /* WOLFSSL_SHA384 */ - - -#ifdef WOLFSSL_SHA512 - - int wolfSSL_SHA512_Init(WOLFSSL_SHA512_CTX* sha) - { - int ret; - - typedef char sha_test[sizeof(SHA512_CTX) >= sizeof(wc_Sha512) ? 1 : -1]; - (void)sizeof(sha_test); - - WOLFSSL_ENTER("SHA512_Init"); - ret = wc_InitSha512((wc_Sha512*)sha); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA512_Update(WOLFSSL_SHA512_CTX* sha, const void* input, - unsigned long sz) - { - int ret; - - WOLFSSL_ENTER("SHA512_Update"); - ret = wc_Sha512Update((wc_Sha512*)sha, (const byte*)input, (word32)sz); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA512_Final(byte* input, WOLFSSL_SHA512_CTX* sha) - { - int ret; - - WOLFSSL_ENTER("SHA512_Final"); - ret = wc_Sha512Final((wc_Sha512*)sha, input); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - -#endif /* WOLFSSL_SHA512 */ - -#ifdef WOLFSSL_SHA3 -#ifndef WOLFSSL_NOSHA3_224 - - int wolfSSL_SHA3_224_Init(WOLFSSL_SHA3_224_CTX* sha) - { - int ret; - - typedef char sha_test[sizeof(SHA3_224_CTX) >= sizeof(wc_Sha3) ? 1 : -1]; - (void)sizeof(sha_test); - - WOLFSSL_ENTER("SHA3_224_Init"); - ret = wc_InitSha3_224((wc_Sha3*)sha, NULL, 0); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA3_224_Update(WOLFSSL_SHA3_224_CTX* sha, const void* input, - unsigned long sz) - { - int ret; - - WOLFSSL_ENTER("SHA3_224_Update"); - ret = wc_Sha3_224_Update((wc_Sha3*)sha, (const byte*)input, (word32)sz); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA3_224_Final(byte* input, WOLFSSL_SHA3_224_CTX* sha) - { - int ret; - - WOLFSSL_ENTER("SHA3_224_Final"); - ret = wc_Sha3_224_Final((wc_Sha3*)sha, input); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - -#endif /* WOLFSSL_NOSHA3_224 */ - - -#ifndef WOLFSSL_NOSHA3_256 - int wolfSSL_SHA3_256_Init(WOLFSSL_SHA3_256_CTX* sha3_256) - { - int ret; - - typedef char sha_test[sizeof(SHA3_256_CTX) >= sizeof(wc_Sha3) ? 1 : -1]; - (void)sizeof(sha_test); - - WOLFSSL_ENTER("SHA3_256_Init"); - ret = wc_InitSha3_256((wc_Sha3*)sha3_256, NULL, 0); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA3_256_Update(WOLFSSL_SHA3_256_CTX* sha, const void* input, - unsigned long sz) - { - int ret; - - WOLFSSL_ENTER("SHA3_256_Update"); - ret = wc_Sha3_256_Update((wc_Sha3*)sha, (const byte*)input, (word32)sz); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA3_256_Final(byte* input, WOLFSSL_SHA3_256_CTX* sha) - { - int ret; - - WOLFSSL_ENTER("SHA3_256_Final"); - ret = wc_Sha3_256_Final((wc_Sha3*)sha, input); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } -#endif /* WOLFSSL_NOSHA3_256 */ - - - int wolfSSL_SHA3_384_Init(WOLFSSL_SHA3_384_CTX* sha) - { - int ret; - - typedef char sha_test[sizeof(SHA3_384_CTX) >= sizeof(wc_Sha3) ? 1 : -1]; - (void)sizeof(sha_test); - - WOLFSSL_ENTER("SHA3_384_Init"); - ret = wc_InitSha3_384((wc_Sha3*)sha, NULL, 0); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA3_384_Update(WOLFSSL_SHA3_384_CTX* sha, const void* input, - unsigned long sz) - { - int ret; - - WOLFSSL_ENTER("SHA3_384_Update"); - ret = wc_Sha3_384_Update((wc_Sha3*)sha, (const byte*)input, (word32)sz); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA3_384_Final(byte* input, WOLFSSL_SHA3_384_CTX* sha) - { - int ret; - - WOLFSSL_ENTER("SHA3_384_Final"); - ret = wc_Sha3_384_Final((wc_Sha3*)sha, input); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - -#ifndef WOLFSSL_NOSHA3_512 - - int wolfSSL_SHA3_512_Init(WOLFSSL_SHA3_512_CTX* sha) - { - int ret; - - typedef char sha_test[sizeof(SHA3_512_CTX) >= sizeof(wc_Sha3) ? 1 : -1]; - (void)sizeof(sha_test); - - WOLFSSL_ENTER("SHA3_512_Init"); - ret = wc_InitSha3_512((wc_Sha3*)sha, NULL, 0); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA3_512_Update(WOLFSSL_SHA3_512_CTX* sha, const void* input, - unsigned long sz) - { - int ret; - - WOLFSSL_ENTER("SHA3_512_Update"); - ret = wc_Sha3_512_Update((wc_Sha3*)sha, (const byte*)input, (word32)sz); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - - - int wolfSSL_SHA3_512_Final(byte* input, WOLFSSL_SHA3_512_CTX* sha) - { - int ret; - - WOLFSSL_ENTER("SHA3_512_Final"); - ret = wc_Sha3_512_Final((wc_Sha3*)sha, input); - - /* return 1 on success, 0 otherwise */ - if (ret == 0) - return 1; - - return 0; - } - -#endif /* WOLFSSL_NOSHA3_512 */ -#endif /* WOLFSSL_SHA3 */ - - /* store for external read of iv, WOLFSSL_SUCCESS on success */ - int wolfSSL_StoreExternalIV(WOLFSSL_EVP_CIPHER_CTX* ctx) - { - WOLFSSL_ENTER("wolfSSL_StoreExternalIV"); - - if (ctx == NULL) { - WOLFSSL_MSG("Bad function argument"); - return WOLFSSL_FATAL_ERROR; - } - - switch (ctx->cipherType) { - -#ifndef NO_AES -#ifdef HAVE_AES_CBC - case AES_128_CBC_TYPE : - case AES_192_CBC_TYPE : - case AES_256_CBC_TYPE : - WOLFSSL_MSG("AES CBC"); - XMEMCPY(ctx->iv, &ctx->cipher.aes.reg, AES_BLOCK_SIZE); - break; -#endif -#ifdef HAVE_AESGCM - case AES_128_GCM_TYPE : - case AES_192_GCM_TYPE : - case AES_256_GCM_TYPE : - WOLFSSL_MSG("AES GCM"); - XMEMCPY(ctx->iv, &ctx->cipher.aes.reg, AES_BLOCK_SIZE); - break; -#endif /* HAVE_AESGCM */ -#ifdef HAVE_AES_ECB - case AES_128_ECB_TYPE : - case AES_192_ECB_TYPE : - case AES_256_ECB_TYPE : - WOLFSSL_MSG("AES ECB"); - break; -#endif -#ifdef WOLFSSL_AES_COUNTER - case AES_128_CTR_TYPE : - case AES_192_CTR_TYPE : - case AES_256_CTR_TYPE : - WOLFSSL_MSG("AES CTR"); - XMEMCPY(ctx->iv, &ctx->cipher.aes.reg, AES_BLOCK_SIZE); - break; -#endif /* WOLFSSL_AES_COUNTER */ -#ifdef WOLFSSL_AES_CFB -#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) - case AES_128_CFB1_TYPE: - case AES_192_CFB1_TYPE: - case AES_256_CFB1_TYPE: - WOLFSSL_MSG("AES CFB1"); - break; - case AES_128_CFB8_TYPE: - case AES_192_CFB8_TYPE: - case AES_256_CFB8_TYPE: - WOLFSSL_MSG("AES CFB8"); - break; -#endif /* !HAVE_SELFTEST && !HAVE_FIPS */ - case AES_128_CFB128_TYPE: - case AES_192_CFB128_TYPE: - case AES_256_CFB128_TYPE: - WOLFSSL_MSG("AES CFB128"); - break; -#endif /* WOLFSSL_AES_CFB */ -#if defined(WOLFSSL_AES_OFB) - case AES_128_OFB_TYPE: - case AES_192_OFB_TYPE: - case AES_256_OFB_TYPE: - WOLFSSL_MSG("AES OFB"); - break; -#endif /* WOLFSSL_AES_OFB */ -#ifdef WOLFSSL_AES_XTS - case AES_128_XTS_TYPE: - case AES_256_XTS_TYPE: - WOLFSSL_MSG("AES XTS"); - break; -#endif /* WOLFSSL_AES_XTS */ -#endif /* NO_AES */ - -#ifndef NO_DES3 - case DES_CBC_TYPE : - WOLFSSL_MSG("DES CBC"); - XMEMCPY(ctx->iv, &ctx->cipher.des.reg, DES_BLOCK_SIZE); - break; - - case DES_EDE3_CBC_TYPE : - WOLFSSL_MSG("DES EDE3 CBC"); - XMEMCPY(ctx->iv, &ctx->cipher.des3.reg, DES_BLOCK_SIZE); - break; -#endif -#ifdef WOLFSSL_DES_ECB - case DES_ECB_TYPE : - WOLFSSL_MSG("DES ECB"); - break; - case DES_EDE3_ECB_TYPE : - WOLFSSL_MSG("DES3 ECB"); - break; -#endif - -#ifdef HAVE_IDEA - case IDEA_CBC_TYPE : - WOLFSSL_MSG("IDEA CBC"); - XMEMCPY(ctx->iv, &ctx->cipher.idea.reg, IDEA_BLOCK_SIZE); - break; -#endif - case ARC4_TYPE : - WOLFSSL_MSG("ARC4"); - break; - - case NULL_CIPHER_TYPE : - WOLFSSL_MSG("NULL"); - break; - - default: { - WOLFSSL_MSG("bad type"); - return WOLFSSL_FATAL_ERROR; - } - } - return WOLFSSL_SUCCESS; - } - - /* set internal IV from external, WOLFSSL_SUCCESS on success */ - int wolfSSL_SetInternalIV(WOLFSSL_EVP_CIPHER_CTX* ctx) - { - - WOLFSSL_ENTER("wolfSSL_SetInternalIV"); - - if (ctx == NULL) { - WOLFSSL_MSG("Bad function argument"); - return WOLFSSL_FATAL_ERROR; - } - - switch (ctx->cipherType) { - -#ifndef NO_AES -#ifdef HAVE_AES_CBC - case AES_128_CBC_TYPE : - case AES_192_CBC_TYPE : - case AES_256_CBC_TYPE : - WOLFSSL_MSG("AES CBC"); - XMEMCPY(&ctx->cipher.aes.reg, ctx->iv, AES_BLOCK_SIZE); - break; -#endif -#ifdef HAVE_AESGCM - case AES_128_GCM_TYPE : - case AES_192_GCM_TYPE : - case AES_256_GCM_TYPE : - WOLFSSL_MSG("AES GCM"); - XMEMCPY(&ctx->cipher.aes.reg, ctx->iv, AES_BLOCK_SIZE); - break; -#endif -#ifdef HAVE_AES_ECB - case AES_128_ECB_TYPE : - case AES_192_ECB_TYPE : - case AES_256_ECB_TYPE : - WOLFSSL_MSG("AES ECB"); - break; -#endif -#ifdef WOLFSSL_AES_COUNTER - case AES_128_CTR_TYPE : - case AES_192_CTR_TYPE : - case AES_256_CTR_TYPE : - WOLFSSL_MSG("AES CTR"); - XMEMCPY(&ctx->cipher.aes.reg, ctx->iv, AES_BLOCK_SIZE); - break; -#endif - -#endif /* NO_AES */ - -#ifndef NO_DES3 - case DES_CBC_TYPE : - WOLFSSL_MSG("DES CBC"); - XMEMCPY(&ctx->cipher.des.reg, ctx->iv, DES_BLOCK_SIZE); - break; - - case DES_EDE3_CBC_TYPE : - WOLFSSL_MSG("DES EDE3 CBC"); - XMEMCPY(&ctx->cipher.des3.reg, ctx->iv, DES_BLOCK_SIZE); - break; -#endif -#ifdef WOLFSSL_DES_ECB - case DES_ECB_TYPE : - WOLFSSL_MSG("DES ECB"); - break; - case DES_EDE3_ECB_TYPE : - WOLFSSL_MSG("DES3 ECB"); - break; -#endif - -#ifdef HAVE_IDEA - case IDEA_CBC_TYPE : - WOLFSSL_MSG("IDEA CBC"); - XMEMCPY(&ctx->cipher.idea.reg, ctx->iv, IDEA_BLOCK_SIZE); - break; -#endif - case ARC4_TYPE : - WOLFSSL_MSG("ARC4"); - break; - - case NULL_CIPHER_TYPE : - WOLFSSL_MSG("NULL"); - break; - - default: { - WOLFSSL_MSG("bad type"); - return WOLFSSL_FATAL_ERROR; - } - } - return WOLFSSL_SUCCESS; - } - - unsigned char* wolfSSL_HMAC(const WOLFSSL_EVP_MD* evp_md, const void* key, - int key_len, const unsigned char* d, int n, - unsigned char* md, unsigned int* md_len) - { - int type; - int mdlen; - unsigned char* ret = NULL; -#ifdef WOLFSSL_SMALL_STACK - Hmac* hmac = NULL; -#else - Hmac hmac[1]; -#endif - void* heap = NULL; - - WOLFSSL_ENTER("wolfSSL_HMAC"); - if (!md) { - WOLFSSL_MSG("Static buffer not supported, pass in md buffer"); - return NULL; /* no static buffer support */ - } - -#ifndef NO_MD5 - if (XSTRNCMP(evp_md, "MD5", 3) == 0) { - type = WC_MD5; - mdlen = WC_MD5_DIGEST_SIZE; - } else -#endif -#ifdef WOLFSSL_SHA224 - if (XSTRNCMP(evp_md, "SHA224", 6) == 0) { - type = WC_SHA224; - mdlen = WC_SHA224_DIGEST_SIZE; - } else -#endif -#ifndef NO_SHA256 - if (XSTRNCMP(evp_md, "SHA256", 6) == 0) { - type = WC_SHA256; - mdlen = WC_SHA256_DIGEST_SIZE; - } else -#endif -#ifdef WOLFSSL_SHA384 - if (XSTRNCMP(evp_md, "SHA384", 6) == 0) { - type = WC_SHA384; - mdlen = WC_SHA384_DIGEST_SIZE; - } else -#endif -#ifdef WOLFSSL_SHA512 - if (XSTRNCMP(evp_md, "SHA512", 6) == 0) { - type = WC_SHA512; - mdlen = WC_SHA512_DIGEST_SIZE; - } else -#endif -#ifdef WOLFSSL_SHA3 - #ifndef WOLFSSL_NOSHA3_224 - if (XSTRNCMP(evp_md, "SHA3_224", 8) == 0) { - type = WC_SHA3_224; - mdlen = WC_SHA3_224_DIGEST_SIZE; - } else - #endif - #ifndef WOLFSSL_NOSHA3_256 - if (XSTRNCMP(evp_md, "SHA3_256", 8) == 0) { - type = WC_SHA3_256; - mdlen = WC_SHA3_256_DIGEST_SIZE; - } else - #endif - if (XSTRNCMP(evp_md, "SHA3_384", 8) == 0) { - type = WC_SHA3_384; - mdlen = WC_SHA3_384_DIGEST_SIZE; - } else - #ifndef WOLFSSL_NOSHA3_512 - if (XSTRNCMP(evp_md, "SHA3_512", 8) == 0) { - type = WC_SHA3_512; - mdlen = WC_SHA3_512_DIGEST_SIZE; - } else - #endif -#endif -#ifndef NO_SHA - if (XSTRNCMP(evp_md, "SHA", 3) == 0) { - type = WC_SHA; - mdlen = WC_SHA_DIGEST_SIZE; - } else -#endif - { - return NULL; - } - - #ifdef WOLFSSL_SMALL_STACK - hmac = (Hmac*)XMALLOC(sizeof(Hmac), heap, DYNAMIC_TYPE_HMAC); - if (hmac == NULL) - return NULL; - #endif - - if (wc_HmacInit(hmac, heap, INVALID_DEVID) == 0) { - if (wc_HmacSetKey(hmac, type, (const byte*)key, key_len) == 0) { - if (wc_HmacUpdate(hmac, d, n) == 0) { - if (wc_HmacFinal(hmac, md) == 0) { - if (md_len) - *md_len = mdlen; - ret = md; - } - } - } - wc_HmacFree(hmac); - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(hmac, heap, DYNAMIC_TYPE_HMAC); - #endif - - (void)evp_md; - return ret; - } - - void wolfSSL_ERR_clear_error(void) - { - WOLFSSL_ENTER("wolfSSL_ERR_clear_error"); - -#if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_NGINX) || \ - defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) - wc_ClearErrorNodes(); -#endif - } - - - int wolfSSL_RAND_status(void) - { - return WOLFSSL_SUCCESS; /* wolfCrypt provides enough seed internally */ - } - - - #ifndef NO_WOLFSSL_STUB - void wolfSSL_RAND_add(const void* add, int len, double entropy) - { - (void)add; - (void)len; - (void)entropy; - WOLFSSL_STUB("RAND_add"); - /* wolfSSL seeds/adds internally, use explicit RNG if you want - to take control */ - } - #endif - -#ifndef NO_DES3 - /* 0 on ok */ - int wolfSSL_DES_key_sched(WOLFSSL_const_DES_cblock* key, - WOLFSSL_DES_key_schedule* schedule) - { - WOLFSSL_ENTER("wolfSSL_DES_key_sched"); - - if (key == NULL || schedule == NULL) { - WOLFSSL_MSG("Null argument passed in"); - } - else { - XMEMCPY(schedule, key, sizeof(WOLFSSL_const_DES_cblock)); - } - - return 0; - } - - - /* intended to behave similar to Kerberos mit_des_cbc_cksum - * return the last 4 bytes of cipher text */ - WOLFSSL_DES_LONG wolfSSL_DES_cbc_cksum(const unsigned char* in, - WOLFSSL_DES_cblock* out, long length, WOLFSSL_DES_key_schedule* sc, - WOLFSSL_const_DES_cblock* iv) - { - WOLFSSL_DES_LONG ret; - unsigned char* tmp; - unsigned char* data = (unsigned char*)in; - long dataSz = length; - byte dynamicFlag = 0; /* when padding the buffer created needs free'd */ - - WOLFSSL_ENTER("wolfSSL_DES_cbc_cksum"); - - if (in == NULL || out == NULL || sc == NULL || iv == NULL) { - WOLFSSL_MSG("Bad argument passed in"); - return 0; - } - - /* if input length is not a multiple of DES_BLOCK_SIZE pad with 0s */ - if (dataSz % DES_BLOCK_SIZE) { - dataSz += DES_BLOCK_SIZE - (dataSz % DES_BLOCK_SIZE); - data = (unsigned char*)XMALLOC(dataSz, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (data == NULL) { - WOLFSSL_MSG("Issue creating temporary buffer"); - return 0; - } - dynamicFlag = 1; /* set to free buffer at end */ - XMEMCPY(data, in, length); - XMEMSET(data + length, 0, dataSz - length); /* padding */ - } - - tmp = (unsigned char*)XMALLOC(dataSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (tmp == NULL) { - WOLFSSL_MSG("Issue creating temporary buffer"); - if (dynamicFlag == 1) { - XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); - } - return 0; - } - - wolfSSL_DES_cbc_encrypt(data, tmp, dataSz, sc, - (WOLFSSL_DES_cblock*)iv, 1); - XMEMCPY((unsigned char*)out, tmp + (dataSz - DES_BLOCK_SIZE), - DES_BLOCK_SIZE); - - ret = (((*((unsigned char*)out + 4) & 0xFF) << 24)| - ((*((unsigned char*)out + 5) & 0xFF) << 16)| - ((*((unsigned char*)out + 6) & 0xFF) << 8) | - (*((unsigned char*)out + 7) & 0xFF)); - - XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (dynamicFlag == 1) { - XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); - } - - return ret; - } - - - void wolfSSL_DES_cbc_encrypt(const unsigned char* input, - unsigned char* output, long length, - WOLFSSL_DES_key_schedule* schedule, - WOLFSSL_DES_cblock* ivec, int enc) - { - Des myDes; - byte lastblock[DES_BLOCK_SIZE]; - int lb_sz; - long blk; - - WOLFSSL_ENTER("DES_cbc_encrypt"); - - /* OpenSSL compat, no ret */ - wc_Des_SetKey(&myDes, (const byte*)schedule, (const byte*)ivec, !enc); - lb_sz = length%DES_BLOCK_SIZE; - blk = length/DES_BLOCK_SIZE; - - if (enc){ - wc_Des_CbcEncrypt(&myDes, output, input, (word32)blk*DES_BLOCK_SIZE); - if(lb_sz){ - XMEMSET(lastblock, 0, DES_BLOCK_SIZE); - XMEMCPY(lastblock, input+length-lb_sz, lb_sz); - wc_Des_CbcEncrypt(&myDes, output+blk*DES_BLOCK_SIZE, - lastblock, (word32)DES_BLOCK_SIZE); - } - } - else { - wc_Des_CbcDecrypt(&myDes, output, input, (word32)blk*DES_BLOCK_SIZE); - if(lb_sz){ - wc_Des_CbcDecrypt(&myDes, lastblock, input+length-lb_sz, (word32)DES_BLOCK_SIZE); - XMEMCPY(output+length-lb_sz, lastblock, lb_sz); - } - } - } - - - /* WOLFSSL_DES_key_schedule is a unsigned char array of size 8 */ - void wolfSSL_DES_ede3_cbc_encrypt(const unsigned char* input, - unsigned char* output, long sz, - WOLFSSL_DES_key_schedule* ks1, - WOLFSSL_DES_key_schedule* ks2, - WOLFSSL_DES_key_schedule* ks3, - WOLFSSL_DES_cblock* ivec, int enc) - { - int ret; - Des3 des; - byte key[24];/* EDE uses 24 size key */ - byte lastblock[DES_BLOCK_SIZE]; - int lb_sz; - long blk; - - WOLFSSL_ENTER("wolfSSL_DES_ede3_cbc_encrypt"); - - XMEMSET(key, 0, sizeof(key)); - XMEMCPY(key, *ks1, DES_BLOCK_SIZE); - XMEMCPY(&key[DES_BLOCK_SIZE], *ks2, DES_BLOCK_SIZE); - XMEMCPY(&key[DES_BLOCK_SIZE * 2], *ks3, DES_BLOCK_SIZE); - lb_sz = sz%DES_BLOCK_SIZE; - blk = sz/DES_BLOCK_SIZE; - - /* OpenSSL compat, no ret */ - (void)wc_Des3Init(&des, NULL, INVALID_DEVID); - - if (enc) { - wc_Des3_SetKey(&des, key, (const byte*)ivec, DES_ENCRYPTION); - ret = wc_Des3_CbcEncrypt(&des, output, input, (word32)blk*DES_BLOCK_SIZE); - #if defined(WOLFSSL_ASYNC_CRYPT) - ret = wc_AsyncWait(ret, &des.asyncDev, WC_ASYNC_FLAG_NONE); - #endif - (void)ret; /* ignore return codes for processing */ - if(lb_sz){ - XMEMSET(lastblock, 0, DES_BLOCK_SIZE); - XMEMCPY(lastblock, input+sz-lb_sz, lb_sz); - ret = wc_Des3_CbcEncrypt(&des, output+blk*DES_BLOCK_SIZE, - lastblock, (word32)DES_BLOCK_SIZE); - #if defined(WOLFSSL_ASYNC_CRYPT) - ret = wc_AsyncWait(ret, &des.asyncDev, WC_ASYNC_FLAG_NONE); - #endif - (void)ret; /* ignore return codes for processing */ - } - } - else { - wc_Des3_SetKey(&des, key, (const byte*)ivec, DES_DECRYPTION); - ret = wc_Des3_CbcDecrypt(&des, output, input, (word32)blk*DES_BLOCK_SIZE); - #if defined(WOLFSSL_ASYNC_CRYPT) - ret = wc_AsyncWait(ret, &des.asyncDev, WC_ASYNC_FLAG_NONE); - #endif - (void)ret; /* ignore return codes for processing */ - if(lb_sz){ - ret = wc_Des3_CbcDecrypt(&des, lastblock, input+sz-lb_sz, (word32)DES_BLOCK_SIZE); - #if defined(WOLFSSL_ASYNC_CRYPT) - ret = wc_AsyncWait(ret, &des.asyncDev, WC_ASYNC_FLAG_NONE); - #endif - (void)ret; /* ignore return codes for processing */ - XMEMCPY(output+sz-lb_sz, lastblock, lb_sz); - } - } - wc_Des3Free(&des); - } - - - /* correctly sets ivec for next call */ - void wolfSSL_DES_ncbc_encrypt(const unsigned char* input, - unsigned char* output, long length, - WOLFSSL_DES_key_schedule* schedule, WOLFSSL_DES_cblock* ivec, - int enc) - { - Des myDes; - byte lastblock[DES_BLOCK_SIZE]; - int lb_sz; - long idx = length; - long blk; - - WOLFSSL_ENTER("DES_ncbc_encrypt"); - - /* OpenSSL compat, no ret */ - wc_Des_SetKey(&myDes, (const byte*)schedule, (const byte*)ivec, !enc); - lb_sz = length%DES_BLOCK_SIZE; - blk = length/DES_BLOCK_SIZE; - idx -= sizeof(DES_cblock); - if (lb_sz) { - idx += DES_BLOCK_SIZE - lb_sz; - } - if (enc){ - wc_Des_CbcEncrypt(&myDes, output, input, - (word32)blk * DES_BLOCK_SIZE); - if (lb_sz){ - XMEMSET(lastblock, 0, DES_BLOCK_SIZE); - XMEMCPY(lastblock, input+length-lb_sz, lb_sz); - wc_Des_CbcEncrypt(&myDes, output + blk * DES_BLOCK_SIZE, - lastblock, (word32)DES_BLOCK_SIZE); - } - XMEMCPY(ivec, output + idx, sizeof(DES_cblock)); - } else { - WOLFSSL_DES_cblock tmp; - XMEMCPY(tmp, input + idx, sizeof(DES_cblock)); - wc_Des_CbcDecrypt(&myDes, output, input, - (word32)blk * DES_BLOCK_SIZE); - if (lb_sz){ - wc_Des_CbcDecrypt(&myDes, lastblock, input + length - lb_sz, - (word32)DES_BLOCK_SIZE); - XMEMCPY(output+length-lb_sz, lastblock, lb_sz); - } - XMEMCPY(ivec, tmp, sizeof(WOLFSSL_DES_cblock)); - } - - } - -#endif /* NO_DES3 */ - - void wolfSSL_ERR_free_strings(void) - { - /* handled internally */ - } - - void wolfSSL_cleanup_all_ex_data(void) - { - /* nothing to do here */ - } - - int wolfSSL_clear(WOLFSSL* ssl) - { - if (ssl == NULL) { - return WOLFSSL_FAILURE; - } - - ssl->options.isClosed = 0; - ssl->options.connReset = 0; - ssl->options.sentNotify = 0; - ssl->options.sendVerify = 0; - ssl->options.serverState = NULL_STATE; - ssl->options.clientState = NULL_STATE; - ssl->options.connectState = CONNECT_BEGIN; - ssl->options.acceptState = ACCEPT_BEGIN; - ssl->options.handShakeState = NULL_STATE; - ssl->options.handShakeDone = 0; - /* ssl->options.processReply = doProcessInit; */ - - ssl->keys.encryptionOn = 0; - XMEMSET(&ssl->msgsReceived, 0, sizeof(ssl->msgsReceived)); - - if (ssl->hsHashes != NULL) { -#ifndef NO_OLD_TLS -#ifndef NO_MD5 - if (wc_InitMd5_ex(&ssl->hsHashes->hashMd5, ssl->heap, - ssl->devId) != 0) { - return WOLFSSL_FAILURE; - } - #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB) - wc_Md5SetFlags(&ssl->hsHashes->hashMd5, WC_HASH_FLAG_WILLCOPY); - #endif -#endif -#ifndef NO_SHA - if (wc_InitSha_ex(&ssl->hsHashes->hashSha, ssl->heap, - ssl->devId) != 0) { - return WOLFSSL_FAILURE; - } - #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB) - wc_ShaSetFlags(&ssl->hsHashes->hashSha, WC_HASH_FLAG_WILLCOPY); - #endif -#endif -#endif -#ifndef NO_SHA256 - if (wc_InitSha256_ex(&ssl->hsHashes->hashSha256, ssl->heap, - ssl->devId) != 0) { - return WOLFSSL_FAILURE; - } - #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB) - wc_Sha256SetFlags(&ssl->hsHashes->hashSha256, WC_HASH_FLAG_WILLCOPY); - #endif -#endif -#ifdef WOLFSSL_SHA384 - if (wc_InitSha384_ex(&ssl->hsHashes->hashSha384, ssl->heap, - ssl->devId) != 0) { - return WOLFSSL_FAILURE; - } - #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB) - wc_Sha384SetFlags(&ssl->hsHashes->hashSha384, WC_HASH_FLAG_WILLCOPY); - #endif -#endif -#ifdef WOLFSSL_SHA512 - if (wc_InitSha512_ex(&ssl->hsHashes->hashSha512, ssl->heap, - ssl->devId) != 0) { - return WOLFSSL_FAILURE; - } - #if defined(WOLFSSL_HASH_FLAGS) || defined(WOLF_CRYPTO_CB) - wc_Sha512SetFlags(&ssl->hsHashes->hashSha512, WC_HASH_FLAG_WILLCOPY); - #endif -#endif - } -#ifdef SESSION_CERTS - ssl->session.chain.count = 0; -#endif -#ifdef KEEP_PEER_CERT - FreeX509(&ssl->peerCert); - InitX509(&ssl->peerCert, 0, ssl->heap); -#endif - - return WOLFSSL_SUCCESS; - } - - long wolfSSL_SSL_SESSION_set_timeout(WOLFSSL_SESSION* ses, long t) - { - word32 tmptime; - if (!ses || t < 0) - return BAD_FUNC_ARG; - - tmptime = t & 0xFFFFFFFF; - - ses->timeout = tmptime; - - return WOLFSSL_SUCCESS; - } - -#endif - -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - long wolfSSL_CTX_set_mode(WOLFSSL_CTX* ctx, long mode) - { - /* WOLFSSL_MODE_ACCEPT_MOVING_WRITE_BUFFER is wolfSSL default mode */ - - WOLFSSL_ENTER("SSL_CTX_set_mode"); - switch(mode) { - case SSL_MODE_ENABLE_PARTIAL_WRITE: - ctx->partialWrite = 1; - break; - #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - case SSL_MODE_RELEASE_BUFFERS: - WOLFSSL_MSG("SSL_MODE_RELEASE_BUFFERS not implemented."); - break; - #endif - default: - WOLFSSL_MSG("Mode Not Implemented"); - } - - /* SSL_MODE_AUTO_RETRY - * Should not return -1 with renegotiation on read/write */ - - return mode; - } -#endif - -#ifdef OPENSSL_EXTRA - - #ifndef NO_WOLFSSL_STUB - long wolfSSL_SSL_get_mode(WOLFSSL* ssl) - { - /* TODO: */ - (void)ssl; - WOLFSSL_STUB("SSL_get_mode"); - return 0; - } - #endif - - #ifndef NO_WOLFSSL_STUB - long wolfSSL_CTX_get_mode(WOLFSSL_CTX* ctx) - { - /* TODO: */ - (void)ctx; - WOLFSSL_STUB("SSL_CTX_get_mode"); - return 0; - } - #endif - - #ifndef NO_WOLFSSL_STUB - void wolfSSL_CTX_set_default_read_ahead(WOLFSSL_CTX* ctx, int m) - { - /* TODO: maybe? */ - (void)ctx; - (void)m; - WOLFSSL_STUB("SSL_CTX_set_default_read_ahead"); - } - #endif - - - /* Storing app session context id, this value is inherited by WOLFSSL - * objects created from WOLFSSL_CTX. Any session that is imported with a - * different session context id will be rejected. - * - * ctx structure to set context in - * sid_ctx value of context to set - * sid_ctx_len length of sid_ctx buffer - * - * Returns SSL_SUCCESS in success case and SSL_FAILURE when failing - */ - int wolfSSL_CTX_set_session_id_context(WOLFSSL_CTX* ctx, - const unsigned char* sid_ctx, - unsigned int sid_ctx_len) - { - WOLFSSL_ENTER("SSL_CTX_set_session_id_context"); - - /* No application specific context needed for wolfSSL */ - if (sid_ctx_len > ID_LEN || ctx == NULL || sid_ctx == NULL) { - return SSL_FAILURE; - } - XMEMCPY(ctx->sessionCtx, sid_ctx, sid_ctx_len); - ctx->sessionCtxSz = (byte)sid_ctx_len; - - return SSL_SUCCESS; - } - - - - /* Storing app session context id. Any session that is imported with a - * different session context id will be rejected. - * - * ssl structure to set context in - * id value of context to set - * len length of sid_ctx buffer - * - * Returns SSL_SUCCESS in success case and SSL_FAILURE when failing - */ - int wolfSSL_set_session_id_context(WOLFSSL* ssl, const unsigned char* id, - unsigned int len) - { - WOLFSSL_ENTER("wolfSSL_set_session_id_context"); - - if (len > ID_LEN || ssl == NULL || id == NULL) { - return SSL_FAILURE; - } - XMEMCPY(ssl->sessionCtx, id, len); - ssl->sessionCtxSz = (byte)len; - - return SSL_SUCCESS; - } - - - long wolfSSL_CTX_sess_get_cache_size(WOLFSSL_CTX* ctx) - { - (void)ctx; - #ifndef NO_SESSION_CACHE - return (long)(SESSIONS_PER_ROW * SESSION_ROWS); - #else - return 0; - #endif - } - - - /* returns the unsigned error value and increments the pointer into the - * error queue. - * - * file pointer to file name - * line gets set to line number of error when not NULL - */ - unsigned long wolfSSL_ERR_get_error_line(const char** file, int* line) - { - #ifdef DEBUG_WOLFSSL - int ret = wc_PullErrorNode(file, NULL, line); - if (ret < 0) { - if (ret == BAD_STATE_E) return 0; /* no errors in queue */ - WOLFSSL_MSG("Issue getting error node"); - WOLFSSL_LEAVE("wolfSSL_ERR_get_error_line", ret); - ret = 0 - ret; /* return absolute value of error */ - - /* panic and try to clear out nodes */ - wc_ClearErrorNodes(); - } - return (unsigned long)ret; - #else - (void)file; - (void)line; - - return 0; - #endif - } - - -#if (defined(DEBUG_WOLFSSL) || defined(OPENSSL_EXTRA)) && \ - (!defined(_WIN32) && !defined(NO_ERROR_QUEUE)) - static const char WOLFSSL_SYS_ACCEPT_T[] = "accept"; - static const char WOLFSSL_SYS_BIND_T[] = "bind"; - static const char WOLFSSL_SYS_CONNECT_T[] = "connect"; - static const char WOLFSSL_SYS_FOPEN_T[] = "fopen"; - static const char WOLFSSL_SYS_FREAD_T[] = "fread"; - static const char WOLFSSL_SYS_GETADDRINFO_T[] = "getaddrinfo"; - static const char WOLFSSL_SYS_GETSOCKOPT_T[] = "getsockopt"; - static const char WOLFSSL_SYS_GETSOCKNAME_T[] = "getsockname"; - static const char WOLFSSL_SYS_GETHOSTBYNAME_T[] = "gethostbyname"; - static const char WOLFSSL_SYS_GETNAMEINFO_T[] = "getnameinfo"; - static const char WOLFSSL_SYS_GETSERVBYNAME_T[] = "getservbyname"; - static const char WOLFSSL_SYS_IOCTLSOCKET_T[] = "ioctlsocket"; - static const char WOLFSSL_SYS_LISTEN_T[] = "listen"; - static const char WOLFSSL_SYS_OPENDIR_T[] = "opendir"; - static const char WOLFSSL_SYS_SETSOCKOPT_T[] = "setsockopt"; - static const char WOLFSSL_SYS_SOCKET_T[] = "socket"; - - /* switch with int mapped to function name for compatibility */ - static const char* wolfSSL_ERR_sys_func(int fun) - { - switch (fun) { - case WOLFSSL_SYS_ACCEPT: return WOLFSSL_SYS_ACCEPT_T; - case WOLFSSL_SYS_BIND: return WOLFSSL_SYS_BIND_T; - case WOLFSSL_SYS_CONNECT: return WOLFSSL_SYS_CONNECT_T; - case WOLFSSL_SYS_FOPEN: return WOLFSSL_SYS_FOPEN_T; - case WOLFSSL_SYS_FREAD: return WOLFSSL_SYS_FREAD_T; - case WOLFSSL_SYS_GETADDRINFO: return WOLFSSL_SYS_GETADDRINFO_T; - case WOLFSSL_SYS_GETSOCKOPT: return WOLFSSL_SYS_GETSOCKOPT_T; - case WOLFSSL_SYS_GETSOCKNAME: return WOLFSSL_SYS_GETSOCKNAME_T; - case WOLFSSL_SYS_GETHOSTBYNAME: return WOLFSSL_SYS_GETHOSTBYNAME_T; - case WOLFSSL_SYS_GETNAMEINFO: return WOLFSSL_SYS_GETNAMEINFO_T; - case WOLFSSL_SYS_GETSERVBYNAME: return WOLFSSL_SYS_GETSERVBYNAME_T; - case WOLFSSL_SYS_IOCTLSOCKET: return WOLFSSL_SYS_IOCTLSOCKET_T; - case WOLFSSL_SYS_LISTEN: return WOLFSSL_SYS_LISTEN_T; - case WOLFSSL_SYS_OPENDIR: return WOLFSSL_SYS_OPENDIR_T; - case WOLFSSL_SYS_SETSOCKOPT: return WOLFSSL_SYS_SETSOCKOPT_T; - case WOLFSSL_SYS_SOCKET: return WOLFSSL_SYS_SOCKET_T; - default: - return "NULL"; - } - } -#endif /* DEBUG_WOLFSSL */ - - - /* @TODO when having an error queue this needs to push to the queue */ - void wolfSSL_ERR_put_error(int lib, int fun, int err, const char* file, - int line) - { - WOLFSSL_ENTER("wolfSSL_ERR_put_error"); - - #if !defined(DEBUG_WOLFSSL) && !defined(OPENSSL_EXTRA) - (void)fun; - (void)err; - (void)file; - (void)line; - WOLFSSL_MSG("Not compiled in debug mode"); - #elif defined(OPENSSL_EXTRA) && \ - (defined(_WIN32) || defined(NO_ERROR_QUEUE)) - (void)fun; - (void)file; - (void)line; - WOLFSSL_ERROR(err); - #else - WOLFSSL_ERROR_LINE(err, wolfSSL_ERR_sys_func(fun), (unsigned int)line, - file, NULL); - #endif - (void)lib; - } - - - /* Similar to wolfSSL_ERR_get_error_line but takes in a flags argument for - * more flexibility. - * - * file output pointer to file where error happened - * line output to line number of error - * data output data. Is a string if ERR_TXT_STRING flag is used - * flags bit flag to adjust data output - * - * Returns the error value or 0 if no errors are in the queue - */ - unsigned long wolfSSL_ERR_get_error_line_data(const char** file, int* line, - const char** data, int *flags) - { - int ret; - - WOLFSSL_STUB("wolfSSL_ERR_get_error_line_data"); - - if (flags != NULL) { - if ((*flags & ERR_TXT_STRING) == ERR_TXT_STRING) { - ret = wc_PullErrorNode(file, data, line); - if (ret < 0) { - if (ret == BAD_STATE_E) return 0; /* no errors in queue */ - WOLFSSL_MSG("Error with pulling error node!"); - WOLFSSL_LEAVE("wolfSSL_ERR_get_error_line_data", ret); - ret = 0 - ret; /* return absolute value of error */ - - /* panic and try to clear out nodes */ - wc_ClearErrorNodes(); - } - - return (unsigned long)ret; - } - } - - ret = wc_PullErrorNode(file, NULL, line); - if (ret < 0) { - if (ret == BAD_STATE_E) return 0; /* no errors in queue */ - WOLFSSL_MSG("Error with pulling error node!"); - WOLFSSL_LEAVE("wolfSSL_ERR_get_error_line_data", ret); - ret = 0 - ret; /* return absolute value of error */ - - /* panic and try to clear out nodes */ - wc_ClearErrorNodes(); - } - - return (unsigned long)ret; - } - -#endif /* OPENSSL_EXTRA */ - - -#if (defined(KEEP_PEER_CERT) && defined(SESSION_CERTS)) || \ - (defined(OPENSSL_ALL) && defined(HAVE_PKCS7)) - /* Decode the X509 DER encoded certificate into a WOLFSSL_X509 object. - * - * x509 WOLFSSL_X509 object to decode into. - * in X509 DER data. - * len Length of the X509 DER data. - * returns the new certificate on success, otherwise NULL. - */ - static int DecodeToX509(WOLFSSL_X509* x509, const byte* in, int len) - { - int ret; - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert; - #else - DecodedCert cert[1]; - #endif - if (x509 == NULL || in == NULL || len <= 0) - return BAD_FUNC_ARG; - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, - DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return MEMORY_E; - #endif - - /* Create a DecodedCert object and copy fields into WOLFSSL_X509 object. - */ - InitDecodedCert(cert, (byte*)in, len, NULL); - if ((ret = ParseCertRelative(cert, CERT_TYPE, 0, NULL)) == 0) { - /* Check if x509 was not previously initialized by wolfSSL_X509_new() */ - if (x509->dynamicMemory != TRUE) - InitX509(x509, 0, NULL); - ret = CopyDecodedToX509(x509, cert); - FreeDecodedCert(cert); - } - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); - #endif - - return ret; - } -#endif /* (KEEP_PEER_CERT && SESSION_CERTS) || (OPENSSL_ALL && HAVE_PKCS7) */ - - -#ifdef KEEP_PEER_CERT - WOLFSSL_ABI - WOLFSSL_X509* wolfSSL_get_peer_certificate(WOLFSSL* ssl) - { - WOLFSSL_ENTER("SSL_get_peer_certificate"); - if (ssl == NULL) - return NULL; - - if (ssl->peerCert.issuer.sz) - return &ssl->peerCert; -#ifdef SESSION_CERTS - else if (ssl->session.chain.count > 0) { - if (DecodeToX509(&ssl->peerCert, ssl->session.chain.certs[0].buffer, - ssl->session.chain.certs[0].length) == 0) { - return &ssl->peerCert; - } - } -#endif - return 0; - } - -#endif /* KEEP_PEER_CERT */ - -#if defined(SESSION_CERTS) -/* Return stack of peer certs. - * If Qt or OPENSSL_ALL is defined then return ssl->peerCertChain. - * All other cases return &ssl->session.chain - * ssl->peerCertChain is type WOLFSSL_STACK* - * ssl->session.chain is type WOLFSSL_X509_CHAIN - * Caller does not need to free return. The stack is Free'd when WOLFSSL* ssl is. - */ -WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_get_peer_cert_chain(const WOLFSSL* ssl) -{ - WOLFSSL_STACK* sk; - WOLFSSL_ENTER("wolfSSL_get_peer_cert_chain"); - - if (ssl == NULL) - return NULL; - - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - if (ssl->peerCertChain == NULL) - wolfSSL_set_peer_cert_chain((WOLFSSL*) ssl); - sk = ssl->peerCertChain; - #else - sk = (WOLF_STACK_OF(WOLFSSL_X509)* )&ssl->session.chain; - #endif - - if (sk == NULL) { - WOLFSSL_MSG("Error: Null Peer Cert Chain"); - } - return sk; -} - -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) -/* Builds up and creates a stack of peer certificates for ssl->peerCertChain - based off of the ssl session chain. Returns stack of WOLFSSL_X509 certs or - NULL on failure */ -WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl) -{ - WOLFSSL_STACK* sk; - WOLFSSL_X509* x509; - int i = 0; - int ret; - - WOLFSSL_ENTER("wolfSSL_set_peer_cert_chain"); - if ((ssl == NULL) || (ssl->session.chain.count == 0)) - return NULL; - - sk = wolfSSL_sk_X509_new(); - i = ssl->session.chain.count-1; - for (; i >= 0; i--) { - /* For servers, the peer certificate chain does not include the peer - certificate, so do not add it to the stack */ - if (ssl->options.side == WOLFSSL_SERVER_END && i == 0) - continue; - x509 = wolfSSL_X509_new(); - if (x509 == NULL) { - WOLFSSL_MSG("Error Creating X509"); - return NULL; - } - ret = DecodeToX509(x509, ssl->session.chain.certs[i].buffer, - ssl->session.chain.certs[i].length); - - if (ret != 0 || wolfSSL_sk_X509_push(sk, x509) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error decoding cert"); - wolfSSL_X509_free(x509); - wolfSSL_sk_X509_free(sk); - return NULL; - } - } - - if (sk == NULL) { - WOLFSSL_MSG("Null session chain"); - } - /* This is Free'd when ssl is Free'd */ - ssl->peerCertChain = sk; - return sk; -} -#endif /* OPENSSL_ALL || WOLFSSL_QT */ -#endif /* SESSION_CERTS */ - -#ifndef NO_CERTS -#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \ - defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) - -/* user externally called free X509, if dynamic go ahead with free, otherwise - * don't */ -static void ExternalFreeX509(WOLFSSL_X509* x509) -{ - int doFree = 0; - - WOLFSSL_ENTER("ExternalFreeX509"); - if (x509) { - if (x509->dynamicMemory) { - #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) - if (wc_LockMutex(&x509->refMutex) != 0) { - WOLFSSL_MSG("Couldn't lock x509 mutex"); - } - /* only free if all references to it are done */ - x509->refCount--; - if (x509->refCount == 0) - doFree = 1; - wc_UnLockMutex(&x509->refMutex); - #else - doFree = 1; - #endif /* OPENSSL_EXTRA */ - - if (doFree) { - FreeX509(x509); - XFREE(x509, x509->heap, DYNAMIC_TYPE_X509); - } - } else { - WOLFSSL_MSG("free called on non dynamic object, not freeing"); - } - } -} - -/* Frees an external WOLFSSL_X509 structure */ -WOLFSSL_ABI -void wolfSSL_X509_free(WOLFSSL_X509* x509) -{ - WOLFSSL_ENTER("wolfSSL_FreeX509"); - ExternalFreeX509(x509); -} - - -/* copy name into in buffer, at most sz bytes, if buffer is null will - malloc buffer, call responsible for freeing */ -WOLFSSL_ABI -char* wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME* name, char* in, int sz) -{ - int copySz; - - if (name == NULL) { - WOLFSSL_MSG("WOLFSSL_X509_NAME pointer was NULL"); - return NULL; - } - - copySz = min(sz, name->sz); - - WOLFSSL_ENTER("wolfSSL_X509_NAME_oneline"); - if (!name->sz) return in; - - if (!in) { - #ifdef WOLFSSL_STATIC_MEMORY - WOLFSSL_MSG("Using static memory -- please pass in a buffer"); - return NULL; - #else - in = (char*)XMALLOC(name->sz, NULL, DYNAMIC_TYPE_OPENSSL); - if (!in ) return in; - copySz = name->sz; - #endif - } - - if (copySz <= 0) - return in; - - XMEMCPY(in, name->name, copySz - 1); - in[copySz - 1] = 0; - - return in; -} - -#if defined(OPENSSL_EXTRA) && defined(XSNPRINTF) -/* Copies X509 subject name into a buffer, with comma-separated name entries - * (matching OpenSSL v1.0.0 format) - * Example Output for Issuer: - * - * C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, - * CN=www.wolfssl.com, [email protected] - */ -char* wolfSSL_X509_get_name_oneline(WOLFSSL_X509_NAME* name, char* in, int sz) -{ - WOLFSSL_X509_NAME_ENTRY* entry; - int nameSz, strSz, count, i, idx = 0; - int totalSz = 0; - char *str; - char tmpBuf[256]; - char buf[80]; - const char* sn; - WOLFSSL_ENTER("wolfSSL_X509_get_name_oneline"); - - if (name == NULL) { - WOLFSSL_MSG("wolfSSL_X509_get_subject_name failed"); - return NULL; - } - #ifdef WOLFSSL_STATIC_MEMORY - if (!in) { - WOLFSSL_MSG("Using static memory -- please pass in a buffer"); - return NULL; - } - #endif - - tmpBuf[0] = '\0'; /* Make sure tmpBuf is NULL terminated */ - /* Loop through X509 name entries and copy new format to buffer */ - count = wolfSSL_X509_NAME_entry_count(name); - for (i = 0; i < count; i++) { - - /* Get name entry and size */ - entry = wolfSSL_X509_NAME_get_entry(name, i); - if (entry == NULL) { - WOLFSSL_MSG("X509_NAME_get_entry failed"); - return NULL; - } - nameSz = wolfSSL_X509_NAME_get_text_by_NID(name, entry->nid, buf, - sizeof(buf)); - if (nameSz < 0) { - WOLFSSL_MSG("X509_NAME_get_text_by_NID failed"); - return NULL; - } - - /* Get short name */ - sn = wolfSSL_OBJ_nid2sn(entry->nid); - if (sn == NULL) { - WOLFSSL_MSG("OBJ_nid2sn failed"); - return NULL; - } - - /* Copy sn and name text to buffer - * Add extra strSz for '=', ',', ' ' and '\0' characters in XSNPRINTF. - */ - if (i != count - 1) { - strSz = (int)XSTRLEN(sn) + nameSz + 4; - totalSz+= strSz; - str = (char*)XMALLOC(strSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (str == NULL) { - WOLFSSL_MSG("Memory error"); - return NULL; - } - XSNPRINTF(str, strSz, "%s=%s, ", sn, buf); - } - else { - /* Copy last name entry - * Add extra strSz for '=' and '\0' characters in XSNPRINTF. - */ - strSz = (int)XSTRLEN(sn) + nameSz + 2; - totalSz+= strSz; - str = (char*)XMALLOC(strSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (str == NULL) { - WOLFSSL_MSG("Memory error"); - return NULL; - } - XSNPRINTF(str, strSz, "%s=%s", sn, buf); - } - /* Copy string to tmpBuf */ - XSTRNCAT(tmpBuf, str, strSz); - idx += strSz; - XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER); - } - - /* Allocate space based on total string size if no buffer was provided */ - if (!in) { - in = (char*)XMALLOC(totalSz+1, NULL, DYNAMIC_TYPE_OPENSSL); - if (in == NULL) { - WOLFSSL_MSG("Memory error"); - return in; - } - } - else { - if (totalSz > sz) { - WOLFSSL_MSG("Memory error"); - return NULL; - } - } - - XMEMCPY(in, tmpBuf, totalSz); - in[totalSz] = '\0'; - - return in; -} -#endif - - -/* Wraps wolfSSL_X509_d2i - * - * returns a WOLFSSL_X509 structure pointer on success and NULL on fail - */ -WOLFSSL_X509* wolfSSL_d2i_X509(WOLFSSL_X509** x509, const unsigned char** in, - int len) -{ - WOLFSSL_X509* newX509 = NULL; - - newX509 = wolfSSL_X509_d2i(x509, *in, len); - if (newX509 != NULL) { - *in += newX509->derCert->length; - } - return newX509; -} - - -WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509, const byte* in, int len) -{ - WOLFSSL_X509 *newX509 = NULL; - - WOLFSSL_ENTER("wolfSSL_X509_d2i"); - - if (in != NULL && len != 0) { - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert; - #else - DecodedCert cert[1]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, - DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return NULL; - #endif - - InitDecodedCert(cert, (byte*)in, len, NULL); - if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0) { - newX509 = wolfSSL_X509_new(); - if (newX509 != NULL) { - if (CopyDecodedToX509(newX509, cert) != 0) { - wolfSSL_X509_free(newX509); - newX509 = NULL; - } - } - } - FreeDecodedCert(cert); - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); - #endif - } - - if (x509 != NULL) - *x509 = newX509; - - return newX509; -} -#endif /* KEEP_PEER_CERT || SESSION_CERTS || OPENSSL_EXTRA || - OPENSSL_EXTRA_X509_SMALL */ - - - -#if defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || \ - defined(SESSION_CERTS) - /* return the next, if any, altname from the peer cert */ - WOLFSSL_ABI - char* wolfSSL_X509_get_next_altname(WOLFSSL_X509* cert) - { - char* ret = NULL; - WOLFSSL_ENTER("wolfSSL_X509_get_next_altname"); - - /* don't have any to work with */ - if (cert == NULL || cert->altNames == NULL) - return NULL; - - /* already went through them */ - if (cert->altNamesNext == NULL) - return NULL; - - ret = cert->altNamesNext->name; - cert->altNamesNext = cert->altNamesNext->next; - - return ret; - } - - int wolfSSL_X509_get_isCA(WOLFSSL_X509* x509) - { - int isCA = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_isCA"); - - if (x509 != NULL) - isCA = x509->isCa; - - WOLFSSL_LEAVE("wolfSSL_X509_get_isCA", isCA); - - return isCA; - } - - int wolfSSL_X509_get_signature(WOLFSSL_X509* x509, - unsigned char* buf, int* bufSz) - { - WOLFSSL_ENTER("wolfSSL_X509_get_signature"); - if (x509 == NULL || bufSz == NULL || (*bufSz < (int)x509->sig.length && - buf != NULL)) - return WOLFSSL_FATAL_ERROR; - - if (buf != NULL) - XMEMCPY(buf, x509->sig.buffer, x509->sig.length); - *bufSz = x509->sig.length; - - return WOLFSSL_SUCCESS; - } - - - /* Getter function that copies over the DER public key buffer to "buf" and - * sets the size in bufSz. If "buf" is NULL then just bufSz is set to needed - * buffer size. "bufSz" passed in should initially be set by the user to be - * the size of "buf". This gets checked to make sure the buffer is large - * enough to hold the public key. - * - * Note: this is the X.509 form of key with "header" info. - * return WOLFSSL_SUCCESS on success - */ - int wolfSSL_X509_get_pubkey_buffer(WOLFSSL_X509* x509, - unsigned char* buf, int* bufSz) - { - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert; - #else - DecodedCert cert[1]; - #endif - word32 idx; - const byte* der; - int length = 0; - int ret, derSz = 0; - int badDate = 0; - const byte* pubKeyX509 = NULL; - int pubKeyX509Sz = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_pubkey_buffer"); - if (x509 == NULL || bufSz == NULL) { - WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", BAD_FUNC_ARG); - return WOLFSSL_FATAL_ERROR; - } - - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), - x509->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) { - WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", MEMORY_E); - return WOLFSSL_FATAL_ERROR; - } - #endif - - der = wolfSSL_X509_get_der(x509, &derSz); - InitDecodedCert(cert, der, derSz, NULL); - ret = wc_GetPubX509(cert, 0, &badDate); - if (ret >= 0) { - idx = cert->srcIdx; - pubKeyX509 = cert->source + cert->srcIdx; - ret = GetSequence(cert->source, &cert->srcIdx, &length, - cert->maxIdx); - pubKeyX509Sz = length + (cert->srcIdx - idx); - } - - FreeDecodedCert(cert); - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, x509->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - if (ret < 0) { - WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", ret); - return WOLFSSL_FATAL_ERROR; - } - - if (buf != NULL) { - if (pubKeyX509Sz > *bufSz) { - WOLFSSL_LEAVE("wolfSSL_X509_get_pubkey_buffer", BUFFER_E); - return WOLFSSL_FATAL_ERROR; - } - XMEMCPY(buf, pubKeyX509, pubKeyX509Sz); - } - *bufSz = pubKeyX509Sz; - - return WOLFSSL_SUCCESS; - } - - - /* Getter function for the public key OID value - * return public key OID stored in WOLFSSL_X509 structure */ - int wolfSSL_X509_get_pubkey_type(WOLFSSL_X509* x509) - { - if (x509 == NULL) - return WOLFSSL_FAILURE; - return x509->pubKeyOID; - } - - /* write X509 serial number in unsigned binary to buffer - buffer needs to be at least EXTERNAL_SERIAL_SIZE (32) for all cases - return WOLFSSL_SUCCESS on success */ - int wolfSSL_X509_get_serial_number(WOLFSSL_X509* x509, - byte* in, int* inOutSz) - { - WOLFSSL_ENTER("wolfSSL_X509_get_serial_number"); - if (x509 == NULL || in == NULL || - inOutSz == NULL || *inOutSz < x509->serialSz) - return BAD_FUNC_ARG; - - XMEMCPY(in, x509->serial, x509->serialSz); - *inOutSz = x509->serialSz; - - return WOLFSSL_SUCCESS; - } - - /* not an openssl compatibility function - getting for derCert */ - const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz) - { - WOLFSSL_ENTER("wolfSSL_X509_get_der"); - - if (x509 == NULL || x509->derCert == NULL || outSz == NULL) - return NULL; - - *outSz = (int)x509->derCert->length; - return x509->derCert->buffer; - } - - /* used by JSSE (not a standard compatibility function) */ - /* this is not thread safe */ - WOLFSSL_ABI - const byte* wolfSSL_X509_notBefore(WOLFSSL_X509* x509) - { - static byte notBeforeData[CTC_DATE_SIZE]; /* temp buffer for date */ - WOLFSSL_ENTER("wolfSSL_X509_notBefore"); - - if (x509 == NULL) - return NULL; - - XMEMSET(notBeforeData, 0, sizeof(notBeforeData)); - notBeforeData[0] = (byte)x509->notBefore.type; - notBeforeData[1] = (byte)x509->notBefore.length; - XMEMCPY(¬BeforeData[2], x509->notBefore.data, x509->notBefore.length); - - return notBeforeData; - } - /* used by JSSE (not a standard compatibility function) */ - /* this is not thread safe */ - WOLFSSL_ABI - const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509) - { - static byte notAfterData[CTC_DATE_SIZE]; /* temp buffer for date */ - WOLFSSL_ENTER("wolfSSL_X509_notAfter"); - - if (x509 == NULL) - return NULL; - - XMEMSET(notAfterData, 0, sizeof(notAfterData)); - notAfterData[0] = (byte)x509->notAfter.type; - notAfterData[1] = (byte)x509->notAfter.length; - XMEMCPY(¬AfterData[2], x509->notAfter.data, x509->notAfter.length); - - return notAfterData; - } - - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) && !defined(NO_WOLFSSL_STUB) - WOLFSSL_ASN1_TIME* wolfSSL_X509_gmtime_adj(WOLFSSL_ASN1_TIME *s, long adj) - { - (void) s; - (void) adj; - WOLFSSL_STUB("wolfSSL_X509_gmtime_adj"); - return NULL; - } - #endif - - /* get the buffer to be signed (tbs) from the WOLFSSL_X509 certificate - * - * outSz : gets set to the size of the buffer - * returns a pointer to the internal buffer at the location of TBS on - * on success and NULL on failure. - */ - const unsigned char* wolfSSL_X509_get_tbs(WOLFSSL_X509* x509, int* outSz) - { - int sz = 0, len; - unsigned int idx = 0, tmpIdx; - const unsigned char* der = NULL; - const unsigned char* tbs = NULL; - - if (x509 == NULL || outSz == NULL) { - return NULL; - } - - der = wolfSSL_X509_get_der(x509, &sz); - if (der == NULL) { - return NULL; - } - - if (GetSequence(der, &idx, &len, sz) < 0) { - return NULL; - } - tbs = der + idx; - tmpIdx = idx; - if (GetSequence(der, &idx, &len, sz) < 0) { - return NULL; - } - *outSz = len + (idx - tmpIdx); - return tbs; - } - - int wolfSSL_X509_version(WOLFSSL_X509* x509) - { - WOLFSSL_ENTER("wolfSSL_X509_version"); - - if (x509 == NULL) - return 0; - - return x509->version; - } - -#ifdef WOLFSSL_SEP - -/* copy oid into in buffer, at most *inOutSz bytes, if buffer is null will - malloc buffer, call responsible for freeing. Actual size returned in - *inOutSz. Requires inOutSz be non-null */ -byte* wolfSSL_X509_get_device_type(WOLFSSL_X509* x509, byte* in, int *inOutSz) -{ - int copySz; - - WOLFSSL_ENTER("wolfSSL_X509_get_dev_type"); - if (inOutSz == NULL) return NULL; - if (!x509->deviceTypeSz) return in; - - copySz = min(*inOutSz, x509->deviceTypeSz); - - if (!in) { - #ifdef WOLFSSL_STATIC_MEMORY - WOLFSSL_MSG("Using static memory -- please pass in a buffer"); - return NULL; - #else - in = (byte*)XMALLOC(x509->deviceTypeSz, 0, DYNAMIC_TYPE_OPENSSL); - if (!in) return in; - copySz = x509->deviceTypeSz; - #endif - } - - XMEMCPY(in, x509->deviceType, copySz); - *inOutSz = copySz; - - return in; -} - - -byte* wolfSSL_X509_get_hw_type(WOLFSSL_X509* x509, byte* in, int* inOutSz) -{ - int copySz; - - WOLFSSL_ENTER("wolfSSL_X509_get_hw_type"); - if (inOutSz == NULL) return NULL; - if (!x509->hwTypeSz) return in; - - copySz = min(*inOutSz, x509->hwTypeSz); - - if (!in) { - #ifdef WOLFSSL_STATIC_MEMORY - WOLFSSL_MSG("Using static memory -- please pass in a buffer"); - return NULL; - #else - in = (byte*)XMALLOC(x509->hwTypeSz, 0, DYNAMIC_TYPE_OPENSSL); - if (!in) return in; - copySz = x509->hwTypeSz; - #endif - } - - XMEMCPY(in, x509->hwType, copySz); - *inOutSz = copySz; - - return in; -} - - -byte* wolfSSL_X509_get_hw_serial_number(WOLFSSL_X509* x509,byte* in, - int* inOutSz) -{ - int copySz; - - WOLFSSL_ENTER("wolfSSL_X509_get_hw_serial_number"); - if (inOutSz == NULL) return NULL; - if (!x509->hwTypeSz) return in; - - copySz = min(*inOutSz, x509->hwSerialNumSz); - - if (!in) { - #ifdef WOLFSSL_STATIC_MEMORY - WOLFSSL_MSG("Using static memory -- please pass in a buffer"); - return NULL; - #else - in = (byte*)XMALLOC(x509->hwSerialNumSz, 0, DYNAMIC_TYPE_OPENSSL); - if (!in) return in; - copySz = x509->hwSerialNumSz; - #endif - } - - XMEMCPY(in, x509->hwSerialNum, copySz); - *inOutSz = copySz; - - return in; -} - -#endif /* WOLFSSL_SEP */ - -/* require OPENSSL_EXTRA since wolfSSL_X509_free is wrapped by OPENSSL_EXTRA */ -#if !defined(NO_CERTS) && defined(OPENSSL_EXTRA) - -WOLFSSL_ASN1_TIME* wolfSSL_X509_get_notBefore(const WOLFSSL_X509* x509) -{ - WOLFSSL_ENTER("wolfSSL_X509_get_notBefore"); - - if (x509 == NULL) - return NULL; - - return (WOLFSSL_ASN1_TIME*)&x509->notBefore; -} - - -WOLFSSL_ASN1_TIME* wolfSSL_X509_get_notAfter(const WOLFSSL_X509* x509) -{ - WOLFSSL_ENTER("wolfSSL_X509_get_notAfter"); - - if (x509 == NULL) - return NULL; - - return (WOLFSSL_ASN1_TIME*)&x509->notAfter; -} - - -/* return 1 on success 0 on fail */ -int wolfSSL_sk_X509_push(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk, WOLFSSL_X509* x509) -{ - WOLFSSL_STACK* node; - WOLFSSL_ENTER("wolfSSL_sk_X509_push"); - - if (sk == NULL || x509 == NULL) { - return WOLFSSL_FAILURE; - } - - /* no previous values in stack */ - if (sk->data.x509 == NULL) { - sk->data.x509 = x509; - sk->num += 1; - return WOLFSSL_SUCCESS; - } - - /* stack already has value(s) create a new node and add more */ - node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_X509); - if (node == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - XMEMSET(node, 0, sizeof(WOLFSSL_STACK)); - - /* push new x509 onto head of stack */ - node->data.x509 = sk->data.x509; - node->next = sk->next; - node->type = sk->type; - sk->next = node; - sk->data.x509 = x509; - sk->num += 1; - - return WOLFSSL_SUCCESS; -} - - -WOLFSSL_X509* wolfSSL_sk_X509_pop(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) { - WOLFSSL_STACK* node; - WOLFSSL_X509* x509; - - if (sk == NULL) { - return NULL; - } - - node = sk->next; - x509 = sk->data.x509; - - if (node != NULL) { /* update sk and remove node from stack */ - sk->data.x509 = node->data.x509; - sk->next = node->next; - XFREE(node, NULL, DYNAMIC_TYPE_X509); - } - else { /* last x509 in stack */ - sk->data.x509 = NULL; - } - - if (sk->num > 0) { - sk->num -= 1; - } - - return x509; -} - -/* Getter function for WOLFSSL_X509 pointer - * - * sk is the stack to retrieve pointer from - * i is the index value in stack - * - * returns a pointer to a WOLFSSL_X509 structure on success and NULL on - * fail - */ -WOLFSSL_X509* wolfSSL_sk_X509_value(STACK_OF(WOLFSSL_X509)* sk, int i) -{ - WOLFSSL_ENTER("wolfSSL_sk_X509_value"); - - for (; sk != NULL && i > 0; i--) - sk = sk->next; - - if (i != 0 || sk == NULL) - return NULL; - return sk->data.x509; -} - -WOLFSSL_X509* wolfSSL_sk_X509_shift(WOLF_STACK_OF(WOLFSSL_X509)* sk) -{ - return wolfSSL_sk_X509_pop(sk); -} - -#ifndef NO_WOLFSSL_STUB -void* wolfSSL_sk_X509_OBJECT_value(WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* sk, int x) -{ - (void) sk; - (void) x; - return NULL; -} -#endif - - -/* Free's all nodes in X509 stack. This is different then wolfSSL_sk_X509_free - * in that it allows for choosing the function to use when freeing an X509s. - * - * sk stack to free nodes in - * f X509 free function - */ -void wolfSSL_sk_X509_pop_free(STACK_OF(WOLFSSL_X509)* sk, - void (*f) (WOLFSSL_X509*)) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_X509_pop_free"); - - if (sk == NULL) { - return; - } - - /* parse through stack freeing each node */ - node = sk->next; - while (node && sk->num > 1) { - WOLFSSL_STACK* tmp = node; - node = node->next; - - if (f) - f(tmp->data.x509); - else - wolfSSL_X509_free(tmp->data.x509); - tmp->data.x509 = NULL; - XFREE(tmp, NULL, DYNAMIC_TYPE_X509); - sk->num -= 1; - } - - /* free head of stack */ - if (sk->num == 1) { - if (f) - f(sk->data.x509); - else - wolfSSL_X509_free(sk->data.x509); - sk->data.x509 = NULL; - } - XFREE(sk, NULL, DYNAMIC_TYPE_X509); -} - - -/* free structure for x509 stack */ -void wolfSSL_sk_X509_free(WOLF_STACK_OF(WOLFSSL_X509)* sk) -{ - wolfSSL_sk_X509_pop_free(sk, NULL); -} - -#endif /* NO_CERTS && OPENSSL_EXTRA */ - -#if defined(OPENSSL_ALL) || defined (WOLFSSL_QT) -/* return 1 on success 0 on fail */ -int wolfSSL_sk_ACCESS_DESCRIPTION_push(WOLF_STACK_OF(ACCESS_DESCRIPTION)* sk, - WOLFSSL_ACCESS_DESCRIPTION* access) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_ACCESS_DESCRIPTION_push"); - - if (sk == NULL || access == NULL) { - return WOLFSSL_FAILURE; - } - - /* no previous values in stack */ - if (sk->data.access == NULL) { - sk->data.access = access; - sk->num += 1; - return WOLFSSL_SUCCESS; - } - - /* stack already has value(s) create a new node and add more */ - node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_ASN1); - if (node == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - XMEMSET(node, 0, sizeof(WOLFSSL_STACK)); - - /* push new obj onto head of stack */ - node->data.access = sk->data.access; - node->next = sk->next; - node->type = sk->type; - sk->next = node; - sk->data.access = access; - sk->num += 1; - - return WOLFSSL_SUCCESS; -} - -/* Frees all nodes in ACCESS_DESCRIPTION stack -* -* sk stack of nodes to free -* f free function to use, not called with wolfSSL -*/ -void wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(WOLFSSL_STACK* sk, - void (*f) (WOLFSSL_ACCESS_DESCRIPTION*)) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_ACCESS_DESCRIPTION_pop_free"); - - if (sk == NULL) { - return; - } - - /* parse through stack freeing each node */ - node = sk->next; - while (node && sk->num > 1) { - WOLFSSL_STACK* tmp = node; - node = node->next; - - if (f) - f(tmp->data.access); - else - wolfSSL_ACCESS_DESCRIPTION_free(tmp->data.access); - tmp->data.access = NULL; - XFREE(tmp, NULL, DYNAMIC_TYPE_ASN1); - sk->num -= 1; - } - - /* free head of stack */ - if (sk->num == 1) { - if (f) - f(sk->data.access); - else { - if(sk->data.access->method) { - - wolfSSL_ASN1_OBJECT_free(sk->data.access->method); - } - if(sk->data.access->location) { - wolfSSL_GENERAL_NAME_free(sk->data.access->location); - } - } - sk->data.access = NULL; - } - XFREE(sk, NULL, DYNAMIC_TYPE_ASN1); -} - -void wolfSSL_sk_ACCESS_DESCRIPTION_free(WOLFSSL_STACK* sk) -{ - wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(sk, NULL); -} - -void wolfSSL_ACCESS_DESCRIPTION_free(WOLFSSL_ACCESS_DESCRIPTION* access) -{ - WOLFSSL_ENTER("wolfSSL_ACCESS_DESCRIPTION_free"); - if (access == NULL) - return; - - if (access->method) - wolfSSL_ASN1_OBJECT_free(access->method); - if (access->location) - wolfSSL_GENERAL_NAME_free(access->location); - - /* access = NULL, don't try to access or double free it */ -} -#endif - -#ifdef OPENSSL_EXTRA - -/* create a generic wolfSSL stack node - * returns a new WOLFSSL_STACK structure on success */ -WOLFSSL_STACK* wolfSSL_sk_new_node(void* heap) -{ - WOLFSSL_STACK* sk; - WOLFSSL_ENTER("wolfSSL_sk_new_node"); - - sk = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), heap, - DYNAMIC_TYPE_OPENSSL); - if (sk != NULL) { - XMEMSET(sk, 0, sizeof(*sk)); - sk->heap = heap; - } - - return sk; -} - -/* free's node but does not free internal data such as in->data.x509 */ -void wolfSSL_sk_free_node(WOLFSSL_STACK* in) -{ - if (in != NULL) { - XFREE(in, in->heap, DYNAMIC_TYPE_OPENSSL); - } -} - -/* pushes node "in" onto "stack" and returns pointer to the new stack on success - * also handles internal "num" for number of nodes on stack - * return WOLFSSL_SUCCESS on success - */ -int wolfSSL_sk_push_node(WOLFSSL_STACK** stack, WOLFSSL_STACK* in) -{ - if (stack == NULL || in == NULL) { - return WOLFSSL_FAILURE; - } - - if (*stack == NULL) { - in->num = 1; - *stack = in; - return WOLFSSL_SUCCESS; - } - - in->num = (*stack)->num + 1; - in->next = *stack; - *stack = in; - return WOLFSSL_SUCCESS; -} - -/* return 1 on success 0 on fail */ -int wolfSSL_sk_push(WOLFSSL_STACK* sk, const void *data) -{ - int ret = WOLFSSL_FAILURE; - WOLFSSL_ENTER("wolfSSL_sk_push"); - - switch (sk->type) { - #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - case STACK_TYPE_X509: - ret = wolfSSL_sk_X509_push(sk, (WOLFSSL_X509*) data); - break; - #ifndef NO_WOLFSSL_STUB - case STACK_TYPE_CIPHER: - ret = wolfSSL_sk_CIPHER_push(sk, (WOLFSSL_CIPHER*) data); - break; - #endif - case STACK_TYPE_GEN_NAME: - ret = wolfSSL_sk_ASN1_OBJECT_push(sk, (WOLFSSL_ASN1_OBJECT*) data); - break; - case STACK_TYPE_ACCESS_DESCRIPTION: - ret = wolfSSL_sk_ACCESS_DESCRIPTION_push(sk, - (WOLFSSL_ACCESS_DESCRIPTION*) data); - break; - case STACK_TYPE_NULL: - ret = wolfSSL_sk_GENERIC_push(sk, (void*) data); - break; - case STACK_TYPE_OBJ: - ret = wolfSSL_sk_ASN1_OBJECT_push(sk, (WOLFSSL_ASN1_OBJECT*) data); - break; - #endif - default: - ret = wolfSSL_sk_ASN1_OBJECT_push(sk, (WOLFSSL_ASN1_OBJECT*) data); - break; - } - - return ret; -} - -/* Creates and returns new GENERAL_NAME structure */ -WOLFSSL_GENERAL_NAME* wolfSSL_GENERAL_NAME_new(void) -{ - WOLFSSL_GENERAL_NAME* gn; - WOLFSSL_ENTER("GENERAL_NAME_new"); - - gn = (WOLFSSL_GENERAL_NAME*)XMALLOC(sizeof(WOLFSSL_GENERAL_NAME), NULL, - DYNAMIC_TYPE_ASN1); - if (gn == NULL) { - return NULL; - } - XMEMSET(gn, 0, sizeof(WOLFSSL_GENERAL_NAME)); - - gn->d.ia5 = wolfSSL_ASN1_STRING_new(); - if (gn->d.ia5 == NULL) { - WOLFSSL_MSG("Issue creating ASN1_STRING struct"); - wolfSSL_GENERAL_NAME_free(gn); - return NULL; - } - return gn; -} - -/* return 1 on success 0 on fail */ -int wolfSSL_sk_GENERAL_NAME_push(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)* sk, - WOLFSSL_GENERAL_NAME* gn) -{ - WOLFSSL_STACK* node; - WOLFSSL_ENTER("wolfSSL_sk_GENERAL_NAME_push"); - - if (sk == NULL || gn == NULL) { - return WOLFSSL_FAILURE; - } - - /* no previous values in stack */ - if (sk->data.gn == NULL) { - sk->data.gn = gn; - sk->num += 1; - - return WOLFSSL_SUCCESS; - } - - /* stack already has value(s) create a new node and add more */ - node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_ASN1); - if (node == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - XMEMSET(node, 0, sizeof(WOLFSSL_STACK)); - - /* push new obj onto head of stack */ - node->data.gn = sk->data.gn; - node->next = sk->next; - sk->next = node; - sk->data.gn = gn; - sk->num += 1; - - return WOLFSSL_SUCCESS; -} - -/* Returns the general name at index i from the stack - * - * sk stack to get general name from - * idx index to get - * - * return a pointer to the internal node of the stack - */ -WOLFSSL_GENERAL_NAME* wolfSSL_sk_GENERAL_NAME_value(WOLFSSL_STACK* sk, int idx) -{ - WOLFSSL_STACK* ret; - - if (sk == NULL) { - return NULL; - } - - ret = wolfSSL_sk_get_node(sk, idx); - if (ret != NULL) { - return ret->data.gn; - } - return NULL; -} - -/* Gets the number of nodes in the stack - * - * sk stack to get the number of nodes from - * - * returns the number of nodes, -1 if no nodes - */ -int wolfSSL_sk_GENERAL_NAME_num(WOLFSSL_STACK* sk) -{ - WOLFSSL_ENTER("wolfSSL_sk_GENERAL_NAME_num"); - - if (sk == NULL) { - return -1; - } - - return (int)sk->num; -} - -/* Frees all nodes in a GENERAL NAME stack - * - * sk stack of nodes to free - * f free function to use, not called with wolfSSL - */ -void wolfSSL_sk_GENERAL_NAME_pop_free(WOLFSSL_STACK* sk, - void (*f) (WOLFSSL_GENERAL_NAME*)) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_GENERAL_NAME_pop_free"); - - if (sk == NULL) { - return; - } - - /* parse through stack freeing each node */ - node = sk->next; - while (node && sk->num > 1) { - WOLFSSL_STACK* tmp = node; - node = node->next; - - if (f) - f(tmp->data.gn); - else - wolfSSL_GENERAL_NAME_free(tmp->data.gn); - XFREE(tmp, NULL, DYNAMIC_TYPE_ASN1); - sk->num -= 1; - } - - /* free head of stack */ - if (sk->num == 1) { - if (f) - f(sk->data.gn); - else - wolfSSL_GENERAL_NAME_free(sk->data.gn); - } - XFREE(sk, NULL, DYNAMIC_TYPE_ASN1); -} - -void wolfSSL_sk_GENERAL_NAME_free(WOLFSSL_STACK* sk) -{ - WOLFSSL_ENTER("sk_GENERAL_NAME_free"); - wolfSSL_sk_GENERAL_NAME_pop_free(sk, NULL); -} - - -/* returns the number of nodes in stack on success and WOLFSSL_FATAL_ERROR - * on fail */ -int wolfSSL_sk_ACCESS_DESCRIPTION_num(WOLFSSL_STACK* sk) -{ - if (sk == NULL) { - return WOLFSSL_FATAL_ERROR; - } - - return (int)sk->num; -} - -#ifndef NO_WOLFSSL_STUB -/* similar to call to sk_ACCESS_DESCRIPTION_pop_free */ -void wolfSSL_AUTHORITY_INFO_ACCESS_free( - WOLF_STACK_OF(WOLFSSL_ACCESS_DESCRIPTION)* sk) -{ - WOLFSSL_STUB("wolfSSL_AUTHORITY_INFO_ACCESS_free"); - (void)sk; -} -#endif - -/* returns the node at index "idx", NULL if not found */ -WOLFSSL_STACK* wolfSSL_sk_get_node(WOLFSSL_STACK* sk, int idx) -{ - int i; - WOLFSSL_STACK* ret = NULL; - WOLFSSL_STACK* current; - - current = sk; - for (i = 0; i <= idx && current != NULL; i++) { - if (i == idx) { - ret = current; - break; - } - current = current->next; - } - return ret; -} - -/* returns NULL on fail and pointer to internal data on success */ -WOLFSSL_ACCESS_DESCRIPTION* wolfSSL_sk_ACCESS_DESCRIPTION_value( - WOLFSSL_STACK* sk, int idx) -{ - WOLFSSL_STACK* ret; - - if (sk == NULL) { - return NULL; - } - - ret = wolfSSL_sk_get_node(sk, idx); - if (ret != NULL) { - return ret->data.access; - } - return NULL; -} - -/* Frees GENERAL_NAME objects. -*/ -void wolfSSL_GENERAL_NAME_free(WOLFSSL_GENERAL_NAME* name) -{ - WOLFSSL_ENTER("wolfSSL_GENERAL_NAME_Free"); - if(name != NULL) { - if (name->d.dNSName != NULL) { - wolfSSL_ASN1_STRING_free(name->d.dNSName); - name->d.dNSName = NULL; - } - if (name->d.uniformResourceIdentifier != NULL) { - wolfSSL_ASN1_STRING_free(name->d.uniformResourceIdentifier); - name->d.uniformResourceIdentifier = NULL; - } - if (name->d.iPAddress != NULL) { - wolfSSL_ASN1_STRING_free(name->d.iPAddress); - name->d.iPAddress = NULL; - } - if (name->d.registeredID != NULL) { - wolfSSL_ASN1_OBJECT_free(name->d.registeredID); - name->d.registeredID = NULL; - } - if (name->d.ia5 != NULL) { - wolfSSL_ASN1_STRING_free(name->d.ia5); - name->d.ia5 = NULL; - } - XFREE(name, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - -void wolfSSL_GENERAL_NAMES_free(WOLFSSL_GENERAL_NAMES *gens) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_GENERAL_NAMES_free"); - - if (gens == NULL) { - return; - } - - /* parse through stack freeing each node */ - node = gens->next; - while (gens->num > 1) { - WOLFSSL_STACK* tmp = node; - node = node->next; - - wolfSSL_ASN1_OBJECT_free(tmp->data.obj); - XFREE(tmp, NULL, DYNAMIC_TYPE_ASN1); - gens->num -= 1; - } - - /* free head of stack */ - if (gens->num == 1) { - wolfSSL_ASN1_OBJECT_free(gens->data.obj); - } - XFREE(gens, NULL, DYNAMIC_TYPE_ASN1); -} - -#if defined(OPENSSL_ALL) -WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* wolfSSL_sk_X509_EXTENSION_new_null(void) -{ - WOLFSSL_STACK* sk = wolfSSL_sk_new_node(NULL); - if (sk) { - sk->type = STACK_TYPE_X509_EXT; - } - - return (WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)*)sk;; -} - -/* returns the number of nodes on the stack */ -int wolfSSL_sk_X509_EXTENSION_num(WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk) -{ - if (sk != NULL) { - return (int)sk->num; - } - return WOLFSSL_FATAL_ERROR; -} - - -/* returns null on failure and pointer to internal value on success */ -WOLFSSL_X509_EXTENSION* wolfSSL_sk_X509_EXTENSION_value( - WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk, int idx) -{ - WOLFSSL_STACK* ret; - - if (sk == NULL) { - return NULL; - } - - ret = wolfSSL_sk_get_node(sk, idx); - if (ret != NULL) { - return ret->data.ext; - } - return NULL; -} - -/* frees all of the nodes and the values in stack */ -void wolfSSL_sk_X509_EXTENSION_pop_free( - WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk, - void (*f) (WOLFSSL_X509_EXTENSION*)) -{ - WOLFSSL_STACK* current; - - if (sk == NULL) { - return; - } - - current = sk; - while (current != NULL) { - WOLFSSL_STACK* toFree = current; - current = current->next; - - if (f) - f(toFree->data.ext); - wolfSSL_sk_free_node(toFree); - } -} - -#if defined(HAVE_ECC) -/* Copies ecc_key into new WOLFSSL_EC_KEY object - * - * src : EC_KEY to duplicate. If EC_KEY is not null, create new EC_KEY and copy - * internal ecc_key from src to dup. - * - * Returns pointer to duplicate EC_KEY. - */ -WOLFSSL_EC_KEY *wolfSSL_EC_KEY_dup(const WOLFSSL_EC_KEY *src) -{ - WOLFSSL_EC_KEY *dup; - ecc_key *key, *srcKey; - int ret; - - WOLFSSL_ENTER("wolfSSL_EC_KEY_dup"); - - if (src == NULL || src->internal == NULL || src->group == NULL || \ - src->pub_key == NULL || src->priv_key == NULL) { - - WOLFSSL_MSG("src NULL error"); - return NULL; - } - - dup = wolfSSL_EC_KEY_new(); - if (dup == NULL) { - WOLFSSL_MSG("wolfSSL_EC_KEY_new error"); - return NULL; - } - - key = (ecc_key*)dup->internal; - if (key == NULL) { - WOLFSSL_MSG("ecc_key NULL error"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - srcKey = (ecc_key*)src->internal; - - /* ecc_key */ - /* copy pubkey */ - ret = wc_ecc_copy_point(&srcKey->pubkey, &key->pubkey); - if (ret != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_copy_point error"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - - /* copy private key k */ - ret = mp_copy(&srcKey->k, &key->k); - if (ret != MP_OKAY) { - WOLFSSL_MSG("mp_copy error"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - - /* copy domain parameters */ - if (srcKey->dp) { - ret = wc_ecc_set_curve(key, 0, srcKey->dp->id); - if (ret != 0) { - WOLFSSL_MSG("wc_ecc_set_curve error"); - return NULL; - } - } - - key->type = srcKey->type; - key->idx = srcKey->idx; - key->state = srcKey->state; - key->flags = srcKey->flags; - - /* Copy group */ - if (dup->group == NULL) { - WOLFSSL_MSG("EC_GROUP_new_by_curve_name error"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - - dup->group->curve_idx = src->group->curve_idx; - dup->group->curve_nid = src->group->curve_nid; - dup->group->curve_oid = src->group->curve_oid; - - /* Copy public key */ - if (src->pub_key->internal == NULL || dup->pub_key->internal == NULL) { - WOLFSSL_MSG("NULL pub_key error"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - - /* Copy public key internal */ - ret = wc_ecc_copy_point((ecc_point*)src->pub_key->internal, \ - (ecc_point*)dup->pub_key->internal); - if (ret != MP_OKAY) { - WOLFSSL_MSG("ecc_copy_point error"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - - /* Copy X, Y, Z */ - dup->pub_key->X = wolfSSL_BN_dup(src->pub_key->X); - if (!dup->pub_key->X && src->pub_key->X) { - WOLFSSL_MSG("Error copying EC_POINT"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - dup->pub_key->Y = wolfSSL_BN_dup(src->pub_key->Y); - if (!dup->pub_key->Y && src->pub_key->Y) { - WOLFSSL_MSG("Error copying EC_POINT"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - dup->pub_key->Z = wolfSSL_BN_dup(src->pub_key->Z); - if (!dup->pub_key->Z && src->pub_key->Z) { - WOLFSSL_MSG("Error copying EC_POINT"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - - dup->pub_key->inSet = src->pub_key->inSet; - dup->pub_key->exSet = src->pub_key->exSet; - - /* Copy private key */ - if (src->priv_key->internal == NULL || dup->priv_key->internal == NULL) { - WOLFSSL_MSG("NULL priv_key error"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - - /* Free priv_key before call to dup function */ - wolfSSL_BN_free(dup->priv_key); - dup->priv_key = wolfSSL_BN_dup(src->priv_key); - if (dup->priv_key == NULL) { - WOLFSSL_MSG("BN_dup error"); - wolfSSL_EC_KEY_free(dup); - return NULL; - } - - return dup; - -} -#endif /* HAVE_ECC */ - -#if !defined(NO_DH) -int wolfSSL_DH_check(const WOLFSSL_DH *dh, int *codes) -{ - int isPrime = MP_NO, codeTmp = 0; - WC_RNG rng; - - WOLFSSL_ENTER("wolfSSL_DH_check"); - if (dh == NULL){ - return WOLFSSL_FAILURE; - } - - if (dh->g == NULL || dh->g->internal == NULL){ - codeTmp = DH_NOT_SUITABLE_GENERATOR; - } - - if (dh->p == NULL || dh->p->internal == NULL){ - codeTmp = DH_CHECK_P_NOT_PRIME; - } - else - { - /* test if dh->p has prime */ - if (wc_InitRng(&rng) == 0){ - mp_prime_is_prime_ex((mp_int*)dh->p->internal,8,&isPrime,&rng); - } - else { - WOLFSSL_MSG("Error initializing rng\n"); - return WOLFSSL_FAILURE; - } - wc_FreeRng(&rng); - if (isPrime != MP_YES){ - codeTmp = DH_CHECK_P_NOT_PRIME; - } - } - /* User may choose to enter NULL for codes if they don't want to check it*/ - if (codes != NULL){ - *codes = codeTmp; - } - - /* if codeTmp was set,some check was flagged invalid */ - if (codeTmp){ - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -/* Converts DER encoded DH parameters to a WOLFSSL_DH structure. - * - * dh : structure to copy DH parameters into. - * pp : DER encoded DH parameters - * length : length to copy - * - * Returns pointer to WOLFSSL_DH structure on success, or NULL on failure - */ -WOLFSSL_DH *wolfSSL_d2i_DHparams(WOLFSSL_DH **dh, const unsigned char **pp, - long length) -{ - WOLFSSL_DH *newDH = NULL; - int ret; - word32 idx = 0; - - WOLFSSL_ENTER("wolfSSL_d2i_DHparams"); - - if (pp == NULL || length <= 0) { - WOLFSSL_MSG("bad argument"); - return NULL; - } - - if ((newDH = wolfSSL_DH_new()) == NULL) { - WOLFSSL_MSG("wolfSSL_DH_new() failed"); - return NULL; - } - - ret = wc_DhKeyDecode(*pp, &idx, (DhKey*)newDH->internal, (word32)length); - if (ret != 0) { - WOLFSSL_MSG("DhKeyDecode() failed"); - wolfSSL_DH_free(newDH); - return NULL; - } - newDH->inSet = 1; - - if (SetDhExternal(newDH) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetDhExternal failed"); - wolfSSL_DH_free(newDH); - return NULL; - } - - *pp += length; - if (dh != NULL){ - *dh = newDH; - } - - return newDH; -} - -/* Converts internal WOLFSSL_DH structure to DER encoded DH. - * - * dh : structure to copy DH parameters from. - * out : DER buffer for DH parameters - * - * Returns size of DER on success and WOLFSSL_FAILURE if error - */ -int wolfSSL_i2d_DHparams(const WOLFSSL_DH *dh, unsigned char **out) -{ - word32 len; - int ret = 0; - - WOLFSSL_ENTER("wolfSSL_i2d_DHparams"); - - if (dh == NULL) { - WOLFSSL_MSG("Bad parameters"); - return WOLFSSL_FAILURE; - } - - /* Get total length */ - len = 2 + mp_leading_bit((mp_int*)dh->p->internal) + - mp_unsigned_bin_size((mp_int*)dh->p->internal) + - 2 + mp_leading_bit((mp_int*)dh->g->internal) + - mp_unsigned_bin_size((mp_int*)dh->g->internal); - - /* Two bytes required for length if ASN.1 SEQ data greater than 127 bytes - * and less than 256 bytes. - */ - len = ((len > 127) ? 2 : 1) + len; - - if (out != NULL && *out != NULL) { - ret = StoreDHparams(*out, &len, (mp_int*)dh->p->internal, - (mp_int*)dh->g->internal); - if (ret != MP_OKAY) { - WOLFSSL_MSG("StoreDHparams error"); - len = 0; - } - else{ - *out += len; - } - } - return (int)len; -} -#endif /* !NO_DH */ - -#endif /* OPENSSL_ALL */ - -#endif /* OPENSSL_EXTRA */ - -#ifndef NO_FILESYSTEM - -#ifndef NO_STDIO_FILESYSTEM - -WOLFSSL_X509* wolfSSL_X509_d2i_fp(WOLFSSL_X509** x509, XFILE file) -{ - WOLFSSL_X509* newX509 = NULL; - - WOLFSSL_ENTER("wolfSSL_X509_d2i_fp"); - - if (file != XBADFILE) { - byte* fileBuffer = NULL; - long sz = 0; - - if (XFSEEK(file, 0, XSEEK_END) != 0) - return NULL; - sz = XFTELL(file); - XREWIND(file); - - if (sz > MAX_WOLFSSL_FILE_SIZE || sz < 0) { - WOLFSSL_MSG("X509_d2i file size error"); - return NULL; - } - - fileBuffer = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE); - if (fileBuffer != NULL) { - int ret = (int)XFREAD(fileBuffer, 1, sz, file); - if (ret == sz) { - newX509 = wolfSSL_X509_d2i(NULL, fileBuffer, (int)sz); - } - XFREE(fileBuffer, NULL, DYNAMIC_TYPE_FILE); - } - } - - if (x509 != NULL) - *x509 = newX509; - - return newX509; -} - -#endif /* NO_STDIO_FILESYSTEM */ - -WOLFSSL_ABI -WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) -{ -#ifdef WOLFSSL_SMALL_STACK - byte staticBuffer[1]; /* force heap usage */ -#else - byte staticBuffer[FILE_BUFFER_SIZE]; -#endif - byte* fileBuffer = staticBuffer; - int dynamic = 0; - int ret; - long sz = 0; - XFILE file; - - WOLFSSL_X509* x509 = NULL; - - /* Check the inputs */ - if ((fname == NULL) || - (format != WOLFSSL_FILETYPE_ASN1 && format != WOLFSSL_FILETYPE_PEM)) - return NULL; - - file = XFOPEN(fname, "rb"); - if (file == XBADFILE) - return NULL; - - if (XFSEEK(file, 0, XSEEK_END) != 0){ - XFCLOSE(file); - return NULL; - } - sz = XFTELL(file); - XREWIND(file); - - if (sz > MAX_WOLFSSL_FILE_SIZE || sz < 0) { - WOLFSSL_MSG("X509_load_certificate_file size error"); - XFCLOSE(file); - return NULL; - } - - if (sz > (long)sizeof(staticBuffer)) { - fileBuffer = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE); - if (fileBuffer == NULL) { - XFCLOSE(file); - return NULL; - } - dynamic = 1; - } - - ret = (int)XFREAD(fileBuffer, 1, sz, file); - if (ret != sz) { - XFCLOSE(file); - if (dynamic) - XFREE(fileBuffer, NULL, DYNAMIC_TYPE_FILE); - return NULL; - } - - XFCLOSE(file); - - x509 = wolfSSL_X509_load_certificate_buffer(fileBuffer, (int)sz, format); - - if (dynamic) - XFREE(fileBuffer, NULL, DYNAMIC_TYPE_FILE); - - return x509; -} - -#endif /* NO_FILESYSTEM */ - - -WOLFSSL_X509* wolfSSL_X509_load_certificate_buffer( - const unsigned char* buf, int sz, int format) -{ - int ret; - WOLFSSL_X509* x509 = NULL; - DerBuffer* der = NULL; - - WOLFSSL_ENTER("wolfSSL_X509_load_certificate_ex"); - - if (format == WOLFSSL_FILETYPE_PEM) { - #ifdef WOLFSSL_PEM_TO_DER - if (PemToDer(buf, sz, CERT_TYPE, &der, NULL, NULL, NULL) != 0) { - FreeDer(&der); - } - #else - ret = NOT_COMPILED_IN; - #endif - } - else { - ret = AllocDer(&der, (word32)sz, CERT_TYPE, NULL); - if (ret == 0) { - XMEMCPY(der->buffer, buf, sz); - } - } - - /* At this point we want `der` to have the certificate in DER format */ - /* ready to be decoded. */ - if (der != NULL && der->buffer != NULL) { - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert; - #else - DecodedCert cert[1]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, - DYNAMIC_TYPE_DCERT); - if (cert != NULL) - #endif - { - InitDecodedCert(cert, der->buffer, der->length, NULL); - if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0) { - x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL, - DYNAMIC_TYPE_X509); - if (x509 != NULL) { - InitX509(x509, 1, NULL); - if (CopyDecodedToX509(x509, cert) != 0) { - wolfSSL_X509_free(x509); - x509 = NULL; - } - } - } - - FreeDecodedCert(cert); - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); - #endif - } - - FreeDer(&der); - } - - return x509; -} - -#endif /* KEEP_PEER_CERT || SESSION_CERTS */ - -/* OPENSSL_EXTRA is needed for wolfSSL_X509_d21 function - KEEP_OUR_CERT is to insure ability for returning ssl certificate */ -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ - defined(KEEP_OUR_CERT) -WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) -{ - if (ssl == NULL) { - return NULL; - } - - if (ssl->buffers.weOwnCert) { - if (ssl->ourCert == NULL) { - if (ssl->buffers.certificate == NULL) { - WOLFSSL_MSG("Certificate buffer not set!"); - return NULL; - } - #ifndef WOLFSSL_X509_STORE_CERTS - ssl->ourCert = wolfSSL_X509_d2i(NULL, - ssl->buffers.certificate->buffer, - ssl->buffers.certificate->length); - #endif - } - return ssl->ourCert; - } - else { /* if cert not owned get parent ctx cert or return null */ - if (ssl->ctx) { - if (ssl->ctx->ourCert == NULL) { - if (ssl->ctx->certificate == NULL) { - WOLFSSL_MSG("Ctx Certificate buffer not set!"); - return NULL; - } - #ifndef WOLFSSL_X509_STORE_CERTS - ssl->ctx->ourCert = wolfSSL_X509_d2i(NULL, - ssl->ctx->certificate->buffer, - ssl->ctx->certificate->length); - #endif - ssl->ctx->ownOurCert = 1; - } - return ssl->ctx->ourCert; - } - } - - return NULL; -} -#endif /* OPENSSL_EXTRA && KEEP_OUR_CERT */ -#endif /* NO_CERTS */ - - -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) -#ifndef NO_ASN -void wolfSSL_ASN1_OBJECT_free(WOLFSSL_ASN1_OBJECT* obj) -{ - if (obj == NULL) { - return; - } - if ((obj->obj != NULL) && ((obj->dynamic & WOLFSSL_ASN1_DYNAMIC_DATA) != 0)) { - WOLFSSL_MSG("Freeing ASN1 data"); - XFREE((void*)obj->obj, obj->heap, DYNAMIC_TYPE_ASN1); - obj->obj = NULL; - } - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - if (obj->pathlen != NULL) { - wolfSSL_ASN1_INTEGER_free(obj->pathlen); - obj->pathlen = NULL; - } - #endif - if ((obj->dynamic & WOLFSSL_ASN1_DYNAMIC) != 0) { - WOLFSSL_MSG("Freeing ASN1 OBJECT"); - XFREE(obj, NULL, DYNAMIC_TYPE_ASN1); - } -} -#endif /* NO_ASN */ -#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ - -#ifdef OPENSSL_EXTRA -#ifndef NO_ASN -WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_new(void) -{ - WOLFSSL_ASN1_OBJECT* obj; - - obj = (WOLFSSL_ASN1_OBJECT*)XMALLOC(sizeof(WOLFSSL_ASN1_OBJECT), NULL, - DYNAMIC_TYPE_ASN1); - if (obj == NULL) { - return NULL; - } - - XMEMSET(obj, 0, sizeof(WOLFSSL_ASN1_OBJECT)); - obj->d.ia5 = &(obj->d.ia5_internal); -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - obj->d.iPAddress = &(obj->d.iPAddress_internal); -#endif - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - return obj; -} - -/* Creates and returns a new WOLFSSL_CIPHER stack. */ -WOLFSSL_STACK* wolfSSL_sk_new_asn1_obj(void) -{ - WOLFSSL_STACK* sk; - WOLFSSL_ENTER("wolfSSL_sk_new_asn1_obj"); - - sk = wolfSSL_sk_new_null(); - if (sk == NULL) - return NULL; - sk->type = STACK_TYPE_OBJ; - - return sk; -} - -/* return 1 on success 0 on fail */ -int wolfSSL_sk_ASN1_OBJECT_push(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk, - WOLFSSL_ASN1_OBJECT* obj) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_ASN1_OBJECT_push"); - - if (sk == NULL || obj == NULL) { - return WOLFSSL_FAILURE; - } - - /* no previous values in stack */ - if (sk->data.obj == NULL) { - sk->data.obj = obj; - sk->num += 1; - return WOLFSSL_SUCCESS; - } - - /* stack already has value(s) create a new node and add more */ - node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_ASN1); - if (node == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - XMEMSET(node, 0, sizeof(WOLFSSL_STACK)); - - /* push new obj onto head of stack */ - node->data.obj = sk->data.obj; - node->next = sk->next; - node->type = sk->type; - sk->next = node; - sk->data.obj = obj; - sk->num += 1; - - return WOLFSSL_SUCCESS; -} - - -WOLFSSL_ASN1_OBJECT* wolfSSL_sk_ASN1_OBJECT_pop( - WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk) -{ - WOLFSSL_STACK* node; - WOLFSSL_ASN1_OBJECT* obj; - - if (sk == NULL) { - return NULL; - } - - node = sk->next; - obj = sk->data.obj; - - if (node != NULL) { /* update sk and remove node from stack */ - sk->data.obj = node->data.obj; - sk->next = node->next; - XFREE(node, NULL, DYNAMIC_TYPE_ASN1); - } - else { /* last obj in stack */ - sk->data.obj = NULL; - } - - if (sk->num > 0) { - sk->num -= 1; - } - - return obj; -} - - -/* Free the structure for ASN1_OBJECT stack - * - * sk stack to free nodes in - */ -void wolfSSL_sk_ASN1_OBJECT_free(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk) -{ - wolfSSL_sk_ASN1_OBJECT_pop_free(sk, NULL); -} - -/* Free's all nodes in ASN1_OBJECT stack. - * This is different then wolfSSL_ASN1_OBJECT_free in that it allows for - * choosing the function to use when freeing an ASN1_OBJECT stack. - * - * sk stack to free nodes in - * f X509 free function - */ -void wolfSSL_sk_ASN1_OBJECT_pop_free(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk, - void (*f) (WOLFSSL_ASN1_OBJECT*)) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_ASN1_OBJECT_pop_free"); - - if (sk == NULL) { - WOLFSSL_MSG("Parameter error"); - return; - } - - /* parse through stack freeing each node */ - node = sk->next; - while (node && sk->num > 1) { - WOLFSSL_STACK* tmp = node; - node = node->next; - - if (f) - f(tmp->data.obj); - else - wolfSSL_ASN1_OBJECT_free(tmp->data.obj); - tmp->data.obj = NULL; - XFREE(tmp, NULL, DYNAMIC_TYPE_ASN1); - sk->num -= 1; - } - - /* free head of stack */ - if (sk->num == 1) { - if (f) - f(sk->data.obj); - else - wolfSSL_ASN1_OBJECT_free(sk->data.obj); - sk->data.obj = NULL; - } - XFREE(sk, NULL, DYNAMIC_TYPE_ASN1); -} - -int wolfSSL_ASN1_STRING_to_UTF8(unsigned char **out, WOLFSSL_ASN1_STRING *in) -{ - /* - ASN1_STRING_to_UTF8() converts the string in to UTF8 format, - the converted data is allocated in a buffer in *out. - The length of out is returned or a negative error code. - The buffer *out should be free using OPENSSL_free(). - */ - unsigned char* buf; - unsigned char* inPtr; - int inLen; - - if (!out || !in) { - return -1; - } - - inPtr = wolfSSL_ASN1_STRING_data(in); - inLen = wolfSSL_ASN1_STRING_length(in); - if (!inPtr || inLen < 0) { - return -1; - } - buf = (unsigned char*)XMALLOC(inLen + 1, NULL, DYNAMIC_TYPE_OPENSSL); - if (!buf) { - return -1; - } - XMEMCPY(buf, inPtr, inLen + 1); - *out = buf; - return inLen; -} - -/* Returns string representation of ASN1_STRING */ -char* wolfSSL_i2s_ASN1_STRING(WOLFSSL_v3_ext_method *method, - const WOLFSSL_ASN1_STRING *s) -{ - int i; - int tmpSz = 100; - int valSz = 5; - char* tmp; - char val[5]; - unsigned char* str; - - WOLFSSL_ENTER("wolfSSL_i2s_ASN1_STRING"); - (void)method; - - if(s == NULL || s->data == NULL) { - WOLFSSL_MSG("Bad Function Argument"); - return NULL; - } - str = (unsigned char*)XMALLOC(s->length, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (str == NULL) { - WOLFSSL_MSG("Memory Error"); - return NULL; - } - XMEMCPY(str, (unsigned char*)s->data, s->length); - - tmp = (char*)XMALLOC(tmpSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (tmp == NULL) { - WOLFSSL_MSG("Memory Error"); - XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return NULL; - } - XMEMSET(tmp, 0, tmpSz); - - for (i = 0; i < tmpSz && i < (s->length - 1); i++) { - XSNPRINTF(val, valSz - 1, "%02X:", str[i]); - XSTRNCAT(tmp, val, valSz); - } - XSNPRINTF(val, valSz - 1, "%02X", str[i]); - XSTRNCAT(tmp, val, valSz); - XFREE(str, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - return tmp; -} -#endif /* NO_ASN */ - -void wolfSSL_set_connect_state(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_set_connect_state"); - if (ssl == NULL) { - WOLFSSL_MSG("WOLFSSL struct pointer passed in was null"); - return; - } - - #ifndef NO_DH - /* client creates its own DH parameters on handshake */ - if (ssl->buffers.serverDH_P.buffer && ssl->buffers.weOwnDH) { - XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, - DYNAMIC_TYPE_PUBLIC_KEY); - } - ssl->buffers.serverDH_P.buffer = NULL; - if (ssl->buffers.serverDH_G.buffer && ssl->buffers.weOwnDH) { - XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, - DYNAMIC_TYPE_PUBLIC_KEY); - } - ssl->buffers.serverDH_G.buffer = NULL; - #endif - - if (InitSSL_Side(ssl, WOLFSSL_CLIENT_END) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error initializing client side"); - } -} -#endif /* OPENSSL_EXTRA */ - - -int wolfSSL_get_shutdown(const WOLFSSL* ssl) -{ - int isShutdown = 0; - - WOLFSSL_ENTER("wolfSSL_get_shutdown"); - - if (ssl) { - /* in OpenSSL, WOLFSSL_SENT_SHUTDOWN = 1, when closeNotifySent * - * WOLFSSL_RECEIVED_SHUTDOWN = 2, from close notify or fatal err */ - isShutdown = ((ssl->options.closeNotify||ssl->options.connReset) << 1) - | (ssl->options.sentNotify); - } - return isShutdown; -} - - -int wolfSSL_session_reused(WOLFSSL* ssl) -{ - int resuming = 0; - if (ssl) - resuming = ssl->options.resuming; - return resuming; -} - -#if defined(OPENSSL_EXTRA) || defined(HAVE_EXT_CACHE) -WOLFSSL_SESSION* wolfSSL_SESSION_dup(WOLFSSL_SESSION* session) -{ -#ifdef HAVE_EXT_CACHE - WOLFSSL_SESSION* copy; - - WOLFSSL_ENTER("wolfSSL_SESSION_dup"); - - if (session == NULL) - return NULL; -#ifdef HAVE_SESSION_TICKET - if (session->isDynamic && !session->ticket) { - WOLFSSL_MSG("Session dynamic flag is set but ticket pointer is null"); - return NULL; - } -#endif - - copy = (WOLFSSL_SESSION*)XMALLOC(sizeof(WOLFSSL_SESSION), NULL, - DYNAMIC_TYPE_OPENSSL); - if (copy != NULL) { - XMEMCPY(copy, session, sizeof(WOLFSSL_SESSION)); - copy->isAlloced = 1; -#ifdef HAVE_SESSION_TICKET - if (session->isDynamic) { - copy->ticket = (byte*)XMALLOC(session->ticketLen, NULL, - DYNAMIC_TYPE_SESSION_TICK); - XMEMCPY(copy->ticket, session->ticket, session->ticketLen); - } else { - copy->ticket = copy->staticTicket; - } -#endif -#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) - copy->peer = wolfSSL_X509_dup(session->peer); -#endif - } - return copy; -#else - WOLFSSL_MSG("wolfSSL_SESSION_dup was called " - "but HAVE_EXT_CACHE is not defined"); - (void)session; - return NULL; -#endif /* HAVE_EXT_CACHE */ -} - -void wolfSSL_SESSION_free(WOLFSSL_SESSION* session) -{ - if (session == NULL) - return; - -#if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA) - if (session->peer) { - wolfSSL_X509_free(session->peer); - } -#endif - -#ifdef HAVE_EXT_CACHE - if (session->isAlloced) { - #ifdef HAVE_SESSION_TICKET - if (session->isDynamic) - XFREE(session->ticket, NULL, DYNAMIC_TYPE_SESSION_TICK); - #endif - XFREE(session, NULL, DYNAMIC_TYPE_OPENSSL); - } -#else - /* No need to free since cache is static */ - (void)session; -#endif -} -#endif - - -/* helper function that takes in a protocol version struct and returns string */ -static const char* wolfSSL_internal_get_version(ProtocolVersion* version) -{ - WOLFSSL_ENTER("wolfSSL_get_version"); - - if (version == NULL) { - return "Bad arg"; - } - - if (version->major == SSLv3_MAJOR) { - switch (version->minor) { - #ifndef NO_OLD_TLS - #ifdef WOLFSSL_ALLOW_SSLV3 - case SSLv3_MINOR : - return "SSLv3"; - #endif - #ifdef WOLFSSL_ALLOW_TLSV10 - case TLSv1_MINOR : - return "TLSv1"; - #endif - case TLSv1_1_MINOR : - return "TLSv1.1"; - #endif - case TLSv1_2_MINOR : - return "TLSv1.2"; - #ifdef WOLFSSL_TLS13 - case TLSv1_3_MINOR : - #ifdef WOLFSSL_TLS13_DRAFT - #ifdef WOLFSSL_TLS13_DRAFT_18 - return "TLSv1.3 (Draft 18)"; - #elif defined(WOLFSSL_TLS13_DRAFT_22) - return "TLSv1.3 (Draft 22)"; - #elif defined(WOLFSSL_TLS13_DRAFT_23) - return "TLSv1.3 (Draft 23)"; - #elif defined(WOLFSSL_TLS13_DRAFT_26) - return "TLSv1.3 (Draft 26)"; - #else - return "TLSv1.3 (Draft 28)"; - #endif - #else - return "TLSv1.3"; - #endif - #endif - default: - return "unknown"; - } - } -#ifdef WOLFSSL_DTLS - else if (version->major == DTLS_MAJOR) { - switch (version->minor) { - case DTLS_MINOR : - return "DTLS"; - case DTLSv1_2_MINOR : - return "DTLSv1.2"; - default: - return "unknown"; - } - } -#endif /* WOLFSSL_DTLS */ - return "unknown"; -} - - -const char* wolfSSL_get_version(WOLFSSL* ssl) -{ - if (ssl == NULL) { - WOLFSSL_MSG("Bad argument"); - return "unknown"; - } - - return wolfSSL_internal_get_version(&ssl->version); -} - - -/* current library version */ -const char* wolfSSL_lib_version(void) -{ - return LIBWOLFSSL_VERSION_STRING; -} - - -/* current library version in hex */ -word32 wolfSSL_lib_version_hex(void) -{ - return LIBWOLFSSL_VERSION_HEX; -} - - -int wolfSSL_get_current_cipher_suite(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("SSL_get_current_cipher_suite"); - if (ssl) - return (ssl->options.cipherSuite0 << 8) | ssl->options.cipherSuite; - return 0; -} - -WOLFSSL_CIPHER* wolfSSL_get_current_cipher(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("SSL_get_current_cipher"); - if (ssl) { - ssl->cipher.cipherSuite0 = ssl->options.cipherSuite0; - ssl->cipher.cipherSuite = ssl->options.cipherSuite; - return &ssl->cipher; - } - else - return NULL; -} - - -const char* wolfSSL_CIPHER_get_name(const WOLFSSL_CIPHER* cipher) -{ - WOLFSSL_ENTER("wolfSSL_CIPHER_get_name"); - - if (cipher == NULL) { - return NULL; - } - - #if !defined(WOLFSSL_CIPHER_INTERNALNAME) && !defined(NO_ERROR_STRINGS) && \ - !defined(WOLFSSL_QT) - return GetCipherNameIana(cipher->cipherSuite0, cipher->cipherSuite); - #else - return wolfSSL_get_cipher_name_from_suite(cipher->cipherSuite0, - cipher->cipherSuite); - #endif -} - -const char* wolfSSL_CIPHER_get_version(const WOLFSSL_CIPHER* cipher) -{ - WOLFSSL_ENTER("SSL_CIPHER_get_version"); - - if (cipher == NULL || cipher->ssl == NULL) { - return NULL; - } - - return wolfSSL_get_version(cipher->ssl); -} - -const char* wolfSSL_SESSION_CIPHER_get_name(WOLFSSL_SESSION* session) -{ - if (session == NULL) { - return NULL; - } - -#if defined(SESSION_CERTS) || !defined(NO_RESUME_SUITE_CHECK) || \ - (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) - #if !defined(WOLFSSL_CIPHER_INTERNALNAME) && !defined(NO_ERROR_STRINGS) - return GetCipherNameIana(session->cipherSuite0, session->cipherSuite); - #else - return GetCipherNameInternal(session->cipherSuite0, session->cipherSuite); - #endif -#else - return NULL; -#endif -} - -const char* wolfSSL_get_cipher(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_get_cipher"); - return wolfSSL_CIPHER_get_name(wolfSSL_get_current_cipher(ssl)); -} - -/* gets cipher name in the format DHE-RSA-... rather then TLS_DHE... */ -const char* wolfSSL_get_cipher_name(WOLFSSL* ssl) -{ - /* get access to cipher_name_idx in internal.c */ - return wolfSSL_get_cipher_name_internal(ssl); -} - -const char* wolfSSL_get_cipher_name_from_suite(const byte cipherSuite0, - const byte cipherSuite) -{ - return GetCipherNameInternal(cipherSuite0, cipherSuite); -} - -const char* wolfSSL_get_cipher_name_iana_from_suite(const byte cipherSuite0, - const byte cipherSuite) -{ - return GetCipherNameIana(cipherSuite0, cipherSuite); -} - - -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) -/* Creates and returns a new WOLFSSL_CIPHER stack. */ -WOLFSSL_STACK* wolfSSL_sk_new_cipher(void) -{ - WOLFSSL_STACK* sk; - WOLFSSL_ENTER("wolfSSL_sk_new_cipher"); - - sk = wolfSSL_sk_new_null(); - if (sk == NULL) - return NULL; - sk->type = STACK_TYPE_CIPHER; - - return sk; -} - -#ifndef NO_WOLFSSL_STUB -/* Keep as stubs for now */ -/* return 1 on success 0 on fail */ -int wolfSSL_sk_CIPHER_push(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk, - WOLFSSL_CIPHER* cipher) -{ - WOLFSSL_STUB("wolfSSL_sk_CIPHER_push"); - (void)sk; - (void)cipher; - return 0; -} - - -WOLFSSL_CIPHER* wolfSSL_sk_CIPHER_pop(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk) -{ - WOLFSSL_STUB("wolfSSL_sk_CIPHER_pop"); - (void)sk; - return NULL; -} -#endif /* NO_WOLFSSL_STUB */ -#endif /* WOLFSSL_QT || OPENSSL_ALL */ - -word32 wolfSSL_CIPHER_get_id(const WOLFSSL_CIPHER* cipher) -{ - word16 cipher_id = 0; - - WOLFSSL_ENTER("SSL_CIPHER_get_id"); - - if (cipher && cipher->ssl) { - cipher_id = (cipher->ssl->options.cipherSuite0 << 8) | - cipher->ssl->options.cipherSuite; - } - - return cipher_id; -} - -const WOLFSSL_CIPHER* wolfSSL_get_cipher_by_value(word16 value) -{ - const WOLFSSL_CIPHER* cipher = NULL; - byte cipherSuite0, cipherSuite; - WOLFSSL_ENTER("SSL_get_cipher_by_value"); - - /* extract cipher id information */ - cipherSuite = (value & 0xFF); - cipherSuite0 = ((value >> 8) & 0xFF); - - /* TODO: lookup by cipherSuite0 / cipherSuite */ - (void)cipherSuite0; - (void)cipherSuite; - - return cipher; -} - - -#if defined(OPENSSL_ALL) -/* Free the structure for WOLFSSL_CIPHER stack - * - * sk stack to free nodes in - */ -void wolfSSL_sk_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk) -{ - WOLFSSL_STACK* node; - WOLFSSL_STACK* tmp; - WOLFSSL_ENTER("wolfSSL_sk_CIPHER_free"); - - if (sk == NULL) - return; - - /* parse through stack freeing each node */ - node = sk->next; - while (node) { - tmp = node; - node = node->next; - XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); - } - - /* free head of stack */ - XFREE(sk, NULL, DYNAMIC_TYPE_ASN1); -} -#endif - -#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) || \ - !defined(NO_DH) -#ifdef HAVE_FFDHE -static const char* wolfssl_ffdhe_name(word16 group) -{ - const char* str = NULL; - switch (group) { - case WOLFSSL_FFDHE_2048: - str = "FFDHE_2048"; - break; - case WOLFSSL_FFDHE_3072: - str = "FFDHE_3072"; - break; - case WOLFSSL_FFDHE_4096: - str = "FFDHE_4096"; - break; - case WOLFSSL_FFDHE_6144: - str = "FFDHE_6144"; - break; - case WOLFSSL_FFDHE_8192: - str = "FFDHE_8192"; - break; - } - return str; -} -#endif -/* Return the name of the curve used for key exchange as a printable string. - * - * ssl The SSL/TLS object. - * returns NULL if ECDH was not used, otherwise the name as a string. - */ -const char* wolfSSL_get_curve_name(WOLFSSL* ssl) -{ - const char* cName = NULL; - - if (ssl == NULL) - return NULL; - -#ifdef HAVE_FFDHE - if (ssl->namedGroup != 0) { - cName = wolfssl_ffdhe_name(ssl->namedGroup); - } -#endif - -#ifdef HAVE_CURVE25519 - if (ssl->ecdhCurveOID == ECC_X25519_OID && cName == NULL) { - cName = "X25519"; - } -#endif - -#ifdef HAVE_CURVE448 - if (ssl->ecdhCurveOID == ECC_X448_OID && cName == NULL) { - cName = "X448"; - } -#endif - -#ifdef HAVE_ECC - if (ssl->ecdhCurveOID != 0 && cName == NULL) { - cName = wc_ecc_get_name(wc_ecc_get_oid(ssl->ecdhCurveOID, NULL, - NULL)); - } -#endif - - return cName; -} -#endif - - -#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(KEEP_PEER_CERT) || \ - defined(SESSION_CERTS) -/* Smaller subset of X509 compatibility functions. Avoid increasing the size of - * this subset and its memory usage */ - -#if !defined(NO_CERTS) -/* returns a pointer to a new WOLFSSL_X509 structure on success and NULL on - * fail - */ -WOLFSSL_X509* wolfSSL_X509_new(void) -{ - WOLFSSL_X509* x509; - - x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL, - DYNAMIC_TYPE_X509); - if (x509 != NULL) { - InitX509(x509, 1, NULL); - } - - return x509; -} - -WOLFSSL_ABI -WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert) -{ - WOLFSSL_ENTER("wolfSSL_X509_get_subject_name"); - if (cert && cert->subject.sz != 0) - return &cert->subject; - return NULL; -} - -#if defined(OPENSSL_EXTRA) && !defined(NO_SHA) -/****************************************************************************** -* wolfSSL_X509_subject_name_hash - compute the hash digest of the raw subject name -* -* RETURNS: -* The beginning of the hash digest. Otherwise, returns zero. -* Note: -* Returns a different hash value from OpenSSL's X509_subject_name_hash() API -* depending on the subject name. -*/ -unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509) -{ - word32 ret = 0; - int retHash; - WOLFSSL_X509_NAME *subjectName = NULL; - -#ifdef WOLFSSL_PIC32MZ_HASH - byte digest[PIC32_DIGEST_SIZE]; -#else - byte digest[WC_SHA_DIGEST_SIZE]; -#endif - - if (x509 == NULL){ - return WOLFSSL_FAILURE; - } - - subjectName = wolfSSL_X509_get_subject_name((WOLFSSL_X509*)x509); - - if (subjectName != NULL){ - retHash = wc_ShaHash((const byte*)subjectName->name, - (word32)subjectName->sz, digest); - - if(retHash != 0){ - WOLFSSL_MSG("Hash of X509 subjectName has failed"); - return WOLFSSL_FAILURE; - } - ret = MakeWordFromHash(digest); - } - - return (unsigned long)ret; -} -#endif - -WOLFSSL_ABI -WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name(WOLFSSL_X509* cert) -{ - WOLFSSL_ENTER("X509_get_issuer_name"); - if (cert && cert->issuer.sz != 0) - return &cert->issuer; - return NULL; -} - - -int wolfSSL_X509_get_signature_type(WOLFSSL_X509* x509) -{ - int type = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_signature_type"); - - if (x509 != NULL) - type = x509->sigOID; - - return type; -} - -#if defined(OPENSSL_EXTRA_X509_SMALL) - -/* Used to get a string from the WOLFSSL_X509_NAME structure that - * corresponds with the NID value passed in. - * - * name structure to get string from - * nid NID value to search for - * buf [out] buffer to hold results. If NULL then the buffer size minus the - * null char is returned. - * len size of "buf" passed in - * - * returns the length of string found, not including the NULL terminator. - * It's possible the function could return a negative value in the - * case that len is less than or equal to 0. A negative value is - * considered an error case. - */ -int wolfSSL_X509_NAME_get_text_by_NID(WOLFSSL_X509_NAME* name, - int nid, char* buf, int len) -{ - char *text = NULL; - int textSz = 0; - - WOLFSSL_ENTER("wolfSSL_X509_NAME_get_text_by_NID"); - - switch (nid) { - case ASN_COMMON_NAME: - text = name->fullName.fullName + name->fullName.cnIdx; - textSz = name->fullName.cnLen; - break; - case ASN_SUR_NAME: - text = name->fullName.fullName + name->fullName.snIdx; - textSz = name->fullName.snLen; - break; - case ASN_SERIAL_NUMBER: - text = name->fullName.fullName + name->fullName.serialIdx; - textSz = name->fullName.serialLen; - break; - case ASN_COUNTRY_NAME: - text = name->fullName.fullName + name->fullName.cIdx; - textSz = name->fullName.cLen; - break; - case ASN_LOCALITY_NAME: - text = name->fullName.fullName + name->fullName.lIdx; - textSz = name->fullName.lLen; - break; - case ASN_STATE_NAME: - text = name->fullName.fullName + name->fullName.stIdx; - textSz = name->fullName.stLen; - break; - case ASN_ORG_NAME: - text = name->fullName.fullName + name->fullName.oIdx; - textSz = name->fullName.oLen; - break; - case ASN_ORGUNIT_NAME: - text = name->fullName.fullName + name->fullName.ouIdx; - textSz = name->fullName.ouLen; - break; - case ASN_DOMAIN_COMPONENT: - text = name->fullName.fullName + name->fullName.dcIdx[0]; - textSz = name->fullName.dcLen[0]; - break; - case NID_emailAddress: - text = name->fullName.fullName + name->fullName.emailIdx; - textSz = name->fullName.emailLen; - break; - #ifdef WOLFSSL_CERT_EXT - case ASN_BUS_CAT: - text = name->fullName.fullName + name->fullName.bcIdx; - textSz = name->fullName.bcLen; - break; - #endif - default: - WOLFSSL_MSG("Entry type not found"); - return WOLFSSL_FATAL_ERROR; - } - - /* if buf is NULL return size of buffer needed (minus null char) */ - if (buf == NULL) { - return textSz; - } - - if (buf != NULL && text != NULL) { - textSz = min(textSz + 1, len); /* + 1 to account for null char */ - if (textSz > 0) { - XMEMCPY(buf, text, textSz - 1); - buf[textSz - 1] = '\0'; - } - } - - WOLFSSL_LEAVE("wolfSSL_X509_NAME_get_text_by_NID", textSz); - return (textSz - 1); /* do not include null character in size */ -} - -/* Creates a new WOLFSSL_EVP_PKEY structure that has the public key from x509 - * - * returns a pointer to the created WOLFSSL_EVP_PKEY on success and NULL on fail - */ -WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509) -{ - WOLFSSL_EVP_PKEY* key = NULL; - WOLFSSL_ENTER("X509_get_pubkey"); - if (x509 != NULL) { - key = wolfSSL_EVP_PKEY_new_ex(x509->heap); - if (key != NULL) { - if (x509->pubKeyOID == RSAk) { - key->type = EVP_PKEY_RSA; - } - else if (x509->pubKeyOID == DSAk) { - key->type = EVP_PKEY_DSA; - } - else { - key->type = EVP_PKEY_EC; - } - key->save_type = 0; - key->pkey.ptr = (char*)XMALLOC( - x509->pubKey.length, x509->heap, - DYNAMIC_TYPE_PUBLIC_KEY); - if (key->pkey.ptr == NULL) { - wolfSSL_EVP_PKEY_free(key); - return NULL; - } - XMEMCPY(key->pkey.ptr, x509->pubKey.buffer, x509->pubKey.length); - key->pkey_sz = x509->pubKey.length; - - #ifdef HAVE_ECC - key->pkey_curve = (int)x509->pkCurveOID; - #endif /* HAVE_ECC */ - - /* decode RSA key */ - #ifndef NO_RSA - if (key->type == EVP_PKEY_RSA) { - key->ownRsa = 1; - key->rsa = wolfSSL_RSA_new(); - if (key->rsa == NULL) { - wolfSSL_EVP_PKEY_free(key); - return NULL; - } - - if (wolfSSL_RSA_LoadDer_ex(key->rsa, - (const unsigned char*)key->pkey.ptr, key->pkey_sz, - WOLFSSL_RSA_LOAD_PUBLIC) != SSL_SUCCESS) { - wolfSSL_EVP_PKEY_free(key); - return NULL; - } - } - #endif /* NO_RSA */ - - /* decode ECC key */ - #if defined(HAVE_ECC) && defined(OPENSSL_EXTRA) - if (key->type == EVP_PKEY_EC) { - word32 idx = 0; - - key->ownEcc = 1; - key->ecc = wolfSSL_EC_KEY_new(); - if (key->ecc == NULL || key->ecc->internal == NULL) { - wolfSSL_EVP_PKEY_free(key); - return NULL; - } - - /* not using wolfSSL_EC_KEY_LoadDer because public key in x509 - * is in the format of x963 (no sequence at start of buffer) */ - if (wc_EccPublicKeyDecode((const unsigned char*)key->pkey.ptr, - &idx, (ecc_key*)key->ecc->internal, key->pkey_sz) < 0) { - WOLFSSL_MSG("wc_EccPublicKeyDecode failed"); - wolfSSL_EVP_PKEY_free(key); - return NULL; - } - - if (SetECKeyExternal(key->ecc) != SSL_SUCCESS) { - WOLFSSL_MSG("SetECKeyExternal failed"); - wolfSSL_EVP_PKEY_free(key); - return NULL; - } - - key->ecc->inSet = 1; - } - #endif /* HAVE_ECC */ - - #ifndef NO_DSA - if (key->type == EVP_PKEY_DSA) { - key->ownDsa = 1; - key->dsa = wolfSSL_DSA_new(); - if (key->dsa == NULL) { - wolfSSL_EVP_PKEY_free(key); - return NULL; - } - - if (wolfSSL_DSA_LoadDer_ex(key->dsa, - (const unsigned char*)key->pkey.ptr, key->pkey_sz, \ - WOLFSSL_DSA_LOAD_PUBLIC) != SSL_SUCCESS) { - wolfSSL_DSA_free(key->dsa); - key->dsa = NULL; - wolfSSL_EVP_PKEY_free(key); - return NULL; - } - } - #endif /* NO_DSA */ - } - } - return key; -} -#endif /* OPENSSL_EXTRA_X509_SMALL */ -#endif /* !NO_CERTS */ - -/* End of smaller subset of X509 compatibility functions. Avoid increasing the - * size of this subset and its memory usage */ -#endif /* OPENSSL_EXTRA_X509_SMALL */ - -#if defined(OPENSSL_ALL) -/* Takes two WOLFSSL_X509* certificates and performs a Sha hash of each, if the - * has values are the same, then it will do an XMEMCMP to confirm they are - * identical. Returns a 0 when certificates match, returns a negative number - * when certificates are not a match. -*/ -int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) -{ - const byte* derA; - const byte* derB; - int retHashA; - int retHashB; - int outSzA = 0; - int outSzB = 0; - - #ifdef WOLFSSL_PIC32MZ_HASH - byte digestA[PIC32_DIGEST_SIZE]; - byte digestB[PIC32_DIGEST_SIZE]; - #else - byte digestA[WC_SHA_DIGEST_SIZE]; - byte digestB[WC_SHA_DIGEST_SIZE]; - #endif - - if (a == NULL || b == NULL){ - return BAD_FUNC_ARG; - } - - derA = wolfSSL_X509_get_der((WOLFSSL_X509*)a, &outSzA); - if(derA == NULL){ - WOLFSSL_MSG("wolfSSL_X509_get_der - certificate A has failed"); - return WOLFSSL_FATAL_ERROR; - } - derB = wolfSSL_X509_get_der((WOLFSSL_X509*)b, &outSzB); - if(derB == NULL){ - WOLFSSL_MSG("wolfSSL_X509_get_der - certificate B has failed"); - return WOLFSSL_FATAL_ERROR; - } - - retHashA = wc_ShaHash(derA, (word32)outSzA, digestA); - if(retHashA != 0){ - WOLFSSL_MSG("Hash of certificate A has failed"); - return WOLFSSL_FATAL_ERROR; - } - retHashB = wc_ShaHash(derB, (word32)outSzB, digestB); - if(retHashB != 0){ - WOLFSSL_MSG("Hash of certificate B has failed"); - return WOLFSSL_FATAL_ERROR; - } - - if (outSzA == outSzB){ - #ifdef WOLFSSL_PIC32MZ_HASH - if(XMEMCMP(digestA, digestB, PIC32_DIGEST_SIZE) != 0){ - return WOLFSSL_FATAL_ERROR; - } - #else - if(XMEMCMP(digestA, digestB, WC_SHA_DIGEST_SIZE) != 0){ - return WOLFSSL_FATAL_ERROR; - } - #endif - else{ - WOLFSSL_LEAVE("wolfSSL_X509_cmp", 0); - return 0; - } - } - else{ - WOLFSSL_LEAVE("wolfSSL_X509_cmp", WOLFSSL_FATAL_ERROR); - return WOLFSSL_FATAL_ERROR; - } - } -#endif - -#if defined(OPENSSL_EXTRA) -#if !defined(NO_CERTS) - int wolfSSL_X509_ext_isSet_by_NID(WOLFSSL_X509* x509, int nid) - { - int isSet = 0; - - WOLFSSL_ENTER("wolfSSL_X509_ext_isSet_by_NID"); - - if (x509 != NULL) { - switch (nid) { - case BASIC_CA_OID: isSet = x509->basicConstSet; break; - case ALT_NAMES_OID: isSet = x509->subjAltNameSet; break; - case AUTH_KEY_OID: isSet = x509->authKeyIdSet; break; - case SUBJ_KEY_OID: isSet = x509->subjKeyIdSet; break; - case KEY_USAGE_OID: isSet = x509->keyUsageSet; break; - case CRL_DIST_OID: isSet = x509->CRLdistSet; break; - case EXT_KEY_USAGE_OID: isSet = ((x509->extKeyUsageSrc) ? 1 : 0); - break; - case AUTH_INFO_OID: isSet = x509->authInfoSet; break; - #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) - case CERT_POLICY_OID: isSet = x509->certPolicySet; break; - #endif /* WOLFSSL_SEP || WOLFSSL_QT */ - default: - WOLFSSL_MSG("NID not in table"); - } - } - - WOLFSSL_LEAVE("wolfSSL_X509_ext_isSet_by_NID", isSet); - - return isSet; - } - - - int wolfSSL_X509_ext_get_critical_by_NID(WOLFSSL_X509* x509, int nid) - { - int crit = 0; - - WOLFSSL_ENTER("wolfSSL_X509_ext_get_critical_by_NID"); - - if (x509 != NULL) { - switch (nid) { - case BASIC_CA_OID: crit = x509->basicConstCrit; break; - case ALT_NAMES_OID: crit = x509->subjAltNameCrit; break; - case AUTH_KEY_OID: crit = x509->authKeyIdCrit; break; - case SUBJ_KEY_OID: crit = x509->subjKeyIdCrit; break; - case KEY_USAGE_OID: crit = x509->keyUsageCrit; break; - case CRL_DIST_OID: crit= x509->CRLdistCrit; break; - #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) - case CERT_POLICY_OID: crit = x509->certPolicyCrit; break; - #endif /* WOLFSSL_SEP || WOLFSSL_QT */ - } - } - - WOLFSSL_LEAVE("wolfSSL_X509_ext_get_critical_by_NID", crit); - - return crit; - } - - - int wolfSSL_X509_get_isSet_pathLength(WOLFSSL_X509* x509) - { - int isSet = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_isSet_pathLength"); - - if (x509 != NULL) - isSet = x509->basicConstPlSet; - - WOLFSSL_LEAVE("wolfSSL_X509_get_isSet_pathLength", isSet); - - return isSet; - } - - - word32 wolfSSL_X509_get_pathLength(WOLFSSL_X509* x509) - { - word32 pathLength = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_pathLength"); - - if (x509 != NULL) - pathLength = x509->pathLength; - - WOLFSSL_LEAVE("wolfSSL_X509_get_pathLength", pathLength); - - return pathLength; - } - - - unsigned int wolfSSL_X509_get_keyUsage(WOLFSSL_X509* x509) - { - word16 usage = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_keyUsage"); - - if (x509 != NULL) - usage = x509->keyUsage; - - WOLFSSL_LEAVE("wolfSSL_X509_get_keyUsage", usage); - - return usage; - } - - - byte* wolfSSL_X509_get_authorityKeyID(WOLFSSL_X509* x509, - byte* dst, int* dstLen) - { - byte *id = NULL; - int copySz = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_authorityKeyID"); - - if (x509 != NULL) { - if (x509->authKeyIdSet) { - copySz = min(dstLen != NULL ? *dstLen : 0, - (int)x509->authKeyIdSz); - id = x509->authKeyId; - } - - if (dst != NULL && dstLen != NULL && id != NULL && copySz > 0) { - XMEMCPY(dst, id, copySz); - id = dst; - *dstLen = copySz; - } - } - - WOLFSSL_LEAVE("wolfSSL_X509_get_authorityKeyID", copySz); - - return id; - } - - - byte* wolfSSL_X509_get_subjectKeyID(WOLFSSL_X509* x509, - byte* dst, int* dstLen) - { - byte *id = NULL; - int copySz = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_subjectKeyID"); - - if (x509 != NULL) { - if (x509->subjKeyIdSet) { - copySz = min(dstLen != NULL ? *dstLen : 0, - (int)x509->subjKeyIdSz); - id = x509->subjKeyId; - } - - if (dst != NULL && dstLen != NULL && id != NULL && copySz > 0) { - XMEMCPY(dst, id, copySz); - id = dst; - *dstLen = copySz; - } - } - - WOLFSSL_LEAVE("wolfSSL_X509_get_subjectKeyID", copySz); - - return id; - } - - - int wolfSSL_X509_NAME_entry_count(WOLFSSL_X509_NAME* name) - { - int count = 0; - - WOLFSSL_ENTER("wolfSSL_X509_NAME_entry_count"); - - if (name != NULL) - count = name->fullName.locSz; - - WOLFSSL_LEAVE("wolfSSL_X509_NAME_entry_count", count); - return count; - } - - - - int wolfSSL_X509_NAME_get_index_by_NID(WOLFSSL_X509_NAME* name, - int nid, int pos) - { - int value = nid, i; - - WOLFSSL_ENTER("wolfSSL_X509_NAME_get_index_by_NID"); - - if (name == NULL || pos >= DN_NAMES_MAX + DOMAIN_COMPONENT_MAX) { - return BAD_FUNC_ARG; - } - - if (value == NID_emailAddress) { - value = ASN_EMAIL_NAME; - } - - i = pos + 1; /* start search after index passed in */ - if (i < 0) { - i = 0; - } - - for (;i < name->fullName.locSz && - i < DN_NAMES_MAX + DOMAIN_COMPONENT_MAX; i++) { - if (name->fullName.loc[i] == value) { - return i; - } - } - return WOLFSSL_FATAL_ERROR; - } - - - WOLFSSL_ASN1_STRING* wolfSSL_X509_NAME_ENTRY_get_data( - WOLFSSL_X509_NAME_ENTRY* in) - { - WOLFSSL_ENTER("wolfSSL_X509_NAME_ENTRY_get_data"); - if (in == NULL) - return NULL; - - return in->value; - } - - - /* Creates a new WOLFSSL_ASN1_STRING structure. - * - * returns a pointer to the new structure created on success or NULL if fail - */ - WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_new(void) - { - WOLFSSL_ASN1_STRING* asn1; - - WOLFSSL_ENTER("wolfSSL_ASN1_STRING_new"); - - asn1 = (WOLFSSL_ASN1_STRING*)XMALLOC(sizeof(WOLFSSL_ASN1_STRING), NULL, - DYNAMIC_TYPE_OPENSSL); - if (asn1 != NULL) { - XMEMSET(asn1, 0, sizeof(WOLFSSL_ASN1_STRING)); - } - - return asn1; /* no check for null because error case is returning null*/ - } - - - /* used to free a WOLFSSL_ASN1_STRING structure */ - void wolfSSL_ASN1_STRING_free(WOLFSSL_ASN1_STRING* asn1) - { - WOLFSSL_ENTER("wolfSSL_ASN1_STRING_free"); - - if (asn1 != NULL) { - if (asn1->length > 0 && asn1->data != NULL && asn1->isDynamic) { - XFREE(asn1->data, NULL, DYNAMIC_TYPE_OPENSSL); - } - XFREE(asn1, NULL, DYNAMIC_TYPE_OPENSSL); - } - } - - - /* Creates a new WOLFSSL_ASN1_STRING structure given the input type. - * - * type is the type of set when WOLFSSL_ASN1_STRING is created - * - * returns a pointer to the new structure created on success or NULL if fail - */ - WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_type_new(int type) - { - WOLFSSL_ASN1_STRING* asn1; - - WOLFSSL_ENTER("wolfSSL_ASN1_STRING_type_new"); - - asn1 = wolfSSL_ASN1_STRING_new(); - if (asn1 == NULL) { - return NULL; - } - asn1->type = type; - - return asn1; - } - - -/****************************************************************************** -* wolfSSL_ASN1_STRING_type - returns the type of <asn1> -* -* RETURNS: -* returns the type set for <asn1>. Otherwise, returns WOLFSSL_FAILURE. -*/ - int wolfSSL_ASN1_STRING_type(const WOLFSSL_ASN1_STRING* asn1) - { - - WOLFSSL_ENTER("wolfSSL_ASN1_STRING_type"); - - if (asn1 == NULL) { - return WOLFSSL_FAILURE; - } - - return asn1->type; - } - - /* if dataSz is negative then use XSTRLEN to find length of data - * return WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure */ - /* `data` can be NULL and only buffer will be allocated */ - int wolfSSL_ASN1_STRING_set(WOLFSSL_ASN1_STRING* asn1, const void* data, - int dataSz) - { - int sz; - - WOLFSSL_ENTER("wolfSSL_ASN1_STRING_set"); - - if (asn1 == NULL || (data == NULL && dataSz < 0)) { - return WOLFSSL_FAILURE; - } - - if (dataSz < 0) { - sz = (int)XSTRLEN((const char*)data) + 1; /* +1 for null */ - } - else { - sz = dataSz; - } - - if (sz < 0) { - return WOLFSSL_FAILURE; - } - - /* free any existing data before copying */ - if (asn1->data != NULL && asn1->isDynamic) { - XFREE(asn1->data, NULL, DYNAMIC_TYPE_OPENSSL); - asn1->data = NULL; - } - - if (sz > CTC_NAME_SIZE) { - /* create new data buffer and copy over */ - asn1->data = (char*)XMALLOC(sz, NULL, DYNAMIC_TYPE_OPENSSL); - if (asn1->data == NULL) { - return WOLFSSL_FAILURE; - } - asn1->isDynamic = 1; - } - else { - XMEMSET(asn1->strData, 0, CTC_NAME_SIZE); - asn1->data = asn1->strData; - asn1->isDynamic = 0; - } - if (data != NULL) { - XMEMCPY(asn1->data, data, sz); - asn1->data[sz] = '\0'; - } - asn1->length = sz; - - return WOLFSSL_SUCCESS; - } - - - unsigned char* wolfSSL_ASN1_STRING_data(WOLFSSL_ASN1_STRING* asn) - { - WOLFSSL_ENTER("wolfSSL_ASN1_STRING_data"); - - if (asn) { - return (unsigned char*)asn->data; - } - else { - return NULL; - } - } - - - int wolfSSL_ASN1_STRING_length(WOLFSSL_ASN1_STRING* asn) - { - WOLFSSL_ENTER("wolfSSL_ASN1_STRING_length"); - - if (asn) { - return asn->length; - } - else { - return 0; - } - } - -#ifndef NO_WOLFSSL_STUB - WOLFSSL_ASN1_STRING* wolfSSL_d2i_DISPLAYTEXT(WOLFSSL_ASN1_STRING **asn, - const unsigned char **in, long len) - { - WOLFSSL_STUB("d2i_DISPLAYTEXT"); - (void)asn; - (void)in; - (void)len; - return NULL; - } -#endif - -#ifdef XSNPRINTF /* a snprintf function needs to be available */ - /* Writes the human readable form of x509 to bio. - * - * bio WOLFSSL_BIO to write to. - * x509 Certificate to write. - * - * returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on failure - */ - int wolfSSL_X509_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, - unsigned long nmflags, unsigned long cflag) - { - WOLFSSL_ENTER("wolfSSL_X509_print_ex"); - - #ifndef NO_WOLFSSL_STUB - /* flags currently not supported */ - (void)nmflags; - (void)cflag; - #endif - - if (bio == NULL || x509 == NULL) { - return WOLFSSL_FAILURE; - } - - if (wolfSSL_BIO_write(bio, "Certificate:\n", - (int)XSTRLEN("Certificate:\n")) <= 0) { - return WOLFSSL_FAILURE; - } - - if (wolfSSL_BIO_write(bio, " Data:\n", - (int)XSTRLEN(" Data:\n")) <= 0) { - return WOLFSSL_FAILURE; - } - - /* print version of cert */ - { - int version; - char tmp[20]; - - if ((version = wolfSSL_X509_version(x509)) < 0) { - WOLFSSL_MSG("Error getting X509 version"); - return WOLFSSL_FAILURE; - } - if (wolfSSL_BIO_write(bio, " Version:", - (int)XSTRLEN(" Version:")) <= 0) { - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp), " %d (0x%x)\n", version, (byte)version-1); - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - } - - /* print serial number out */ - { - unsigned char serial[32]; - int sz = sizeof(serial); - - XMEMSET(serial, 0, sz); - if (wolfSSL_X509_get_serial_number(x509, serial, &sz) - != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error getting x509 serial number"); - return WOLFSSL_FAILURE; - } - if (wolfSSL_BIO_write(bio, " Serial Number:", - (int)XSTRLEN(" Serial Number:")) <= 0) { - return WOLFSSL_FAILURE; - } - - /* if serial can fit into byte than print on the same line */ - if (sz <= (int)sizeof(byte)) { - char tmp[17]; - XSNPRINTF(tmp, sizeof(tmp), " %d (0x%x)\n", serial[0],serial[0]); - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - } - else { - int i; - char tmp[100]; - int tmpSz = 100; - char val[5]; - int valSz = 5; - - /* serial is larger than int size so print off hex values */ - if (wolfSSL_BIO_write(bio, "\n ", - (int)XSTRLEN("\n ")) <= 0) { - return WOLFSSL_FAILURE; - } - tmp[0] = '\0'; - for (i = 0; i < sz - 1 && (3 * i) < tmpSz - valSz; i++) { - XSNPRINTF(val, sizeof(val) - 1, "%02x:", serial[i]); - val[3] = '\0'; /* make sure is null terminated */ - XSTRNCAT(tmp, val, valSz); - } - XSNPRINTF(val, sizeof(val) - 1, "%02x\n", serial[i]); - val[3] = '\0'; /* make sure is null terminated */ - XSTRNCAT(tmp, val, valSz); - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - } - } - - /* print signature algo */ - { - int oid; - const char* sig; - - if ((oid = wolfSSL_X509_get_signature_type(x509)) <= 0) { - WOLFSSL_MSG("Error getting x509 signature type"); - return WOLFSSL_FAILURE; - } - if (wolfSSL_BIO_write(bio, " Signature Algorithm: ", - (int)XSTRLEN(" Signature Algorithm: ")) <= 0) { - return WOLFSSL_FAILURE; - } - sig = GetSigName(oid); - if (wolfSSL_BIO_write(bio, sig, (int)XSTRLEN(sig)) <= 0) { - return WOLFSSL_FAILURE; - } - if (wolfSSL_BIO_write(bio, "\n", (int)XSTRLEN("\n")) <= 0) { - return WOLFSSL_FAILURE; - } - } - - /* print issuer */ - { - char* issuer; - #ifdef WOLFSSL_SMALL_STACK - char* buff = NULL; - int issSz = 0; - #else - char buff[256]; - int issSz = 256; - #endif - - #if defined(WOLFSSL_QT) - issuer = wolfSSL_X509_get_name_oneline( - wolfSSL_X509_get_issuer_name(x509), buff, issSz); - #else - issuer = wolfSSL_X509_NAME_oneline( - wolfSSL_X509_get_issuer_name(x509), buff, issSz); - #endif - - if (wolfSSL_BIO_write(bio, " Issuer: ", - (int)XSTRLEN(" Issuer: ")) <= 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(issuer, NULL, DYNAMIC_TYPE_OPENSSL); - #endif - return WOLFSSL_FAILURE; - } - if (issuer != NULL) { - if (wolfSSL_BIO_write(bio, issuer, (int)XSTRLEN(issuer)) <= 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(issuer, NULL, DYNAMIC_TYPE_OPENSSL); - #endif - return WOLFSSL_FAILURE; - } - } - #ifdef WOLFSSL_SMALL_STACK - XFREE(issuer, NULL, DYNAMIC_TYPE_OPENSSL); - #endif - if (wolfSSL_BIO_write(bio, "\n", (int)XSTRLEN("\n")) <= 0) { - return WOLFSSL_FAILURE; - } - } - - #ifndef NO_ASN_TIME - /* print validity */ - { - char tmp[80]; - - if (wolfSSL_BIO_write(bio, " Validity\n", - (int)XSTRLEN(" Validity\n")) <= 0) { - return WOLFSSL_FAILURE; - } - - if (wolfSSL_BIO_write(bio, " Not Before: ", - (int)XSTRLEN(" Not Before: ")) <= 0) { - return WOLFSSL_FAILURE; - } - if (x509->notBefore.length > 0) { - if (GetTimeString(x509->notBefore.data, ASN_UTC_TIME, - tmp, sizeof(tmp)) != WOLFSSL_SUCCESS) { - if (GetTimeString(x509->notBefore.data, ASN_GENERALIZED_TIME, - tmp, sizeof(tmp)) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error getting not before date"); - return WOLFSSL_FAILURE; - } - } - } - else { - XSTRNCPY(tmp, "Not Set", sizeof(tmp)-1); - } - tmp[sizeof(tmp) - 1] = '\0'; /* make sure null terminated */ - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - - if (wolfSSL_BIO_write(bio, "\n Not After : ", - (int)XSTRLEN("\n Not After : ")) <= 0) { - return WOLFSSL_FAILURE; - } - if (x509->notAfter.length > 0) { - if (GetTimeString(x509->notAfter.data, ASN_UTC_TIME, - tmp, sizeof(tmp)) != WOLFSSL_SUCCESS) { - if (GetTimeString(x509->notAfter.data, ASN_GENERALIZED_TIME, - tmp, sizeof(tmp)) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error getting not after date"); - return WOLFSSL_FAILURE; - } - } - } - else { - XSTRNCPY(tmp, "Not Set", sizeof(tmp)-1); - } - tmp[sizeof(tmp) - 1] = '\0'; /* make sure null terminated */ - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - } - #endif - - /* print subject */ - { - char* subject; - #ifdef WOLFSSL_SMALL_STACK - char* buff = NULL; - int subSz = 0; - #else - char buff[256]; - int subSz = 256; - #endif - - #if defined(WOLFSSL_QT) - subject = wolfSSL_X509_get_name_oneline( - wolfSSL_X509_get_subject_name(x509), buff, subSz); - #else - subject = wolfSSL_X509_NAME_oneline( - wolfSSL_X509_get_subject_name(x509), buff, subSz); - #endif - - if (wolfSSL_BIO_write(bio, "\n Subject: ", - (int)XSTRLEN("\n Subject: ")) <= 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(subject, NULL, DYNAMIC_TYPE_OPENSSL); - #endif - return WOLFSSL_FAILURE; - } - if (subject != NULL) { - if (wolfSSL_BIO_write(bio, subject, (int)XSTRLEN(subject)) <= 0) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(subject, NULL, DYNAMIC_TYPE_OPENSSL); - #endif - return WOLFSSL_FAILURE; - } - } - #ifdef WOLFSSL_SMALL_STACK - XFREE(subject, NULL, DYNAMIC_TYPE_OPENSSL); - #endif - } - - /* get and print public key */ - if (wolfSSL_BIO_write(bio, "\n Subject Public Key Info:\n", - (int)XSTRLEN("\n Subject Public Key Info:\n")) <= 0) { - return WOLFSSL_FAILURE; - } - { - #if (!defined(NO_RSA) && !defined(HAVE_USER_RSA)) || defined(HAVE_ECC) - char tmp[100]; - #endif - - switch (x509->pubKeyOID) { - #ifndef NO_RSA - case RSAk: - if (wolfSSL_BIO_write(bio, - " Public Key Algorithm: rsaEncryption\n", - (int)XSTRLEN(" Public Key Algorithm: rsaEncryption\n")) <= 0) { - return WOLFSSL_FAILURE; - } - #ifdef HAVE_USER_RSA - if (wolfSSL_BIO_write(bio, - " Build without user RSA to print key\n", - (int)XSTRLEN(" Build without user RSA to print key\n")) - <= 0) { - return WOLFSSL_FAILURE; - } - #else - { - RsaKey rsa; - word32 idx = 0; - int sz; - byte lbit = 0; - int rawLen; - unsigned char* rawKey; - - if (wc_InitRsaKey(&rsa, NULL) != 0) { - WOLFSSL_MSG("wc_InitRsaKey failure"); - return WOLFSSL_FAILURE; - } - if (wc_RsaPublicKeyDecode(x509->pubKey.buffer, - &idx, &rsa, x509->pubKey.length) != 0) { - WOLFSSL_MSG("Error decoding RSA key"); - wc_FreeRsaKey(&rsa); - return WOLFSSL_FAILURE; - } - if ((sz = wc_RsaEncryptSize(&rsa)) < 0) { - WOLFSSL_MSG("Error getting RSA key size"); - wc_FreeRsaKey(&rsa); - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp) - 1, "%s%s: (%d bit)\n%s\n", - " ", "Public-Key", 8 * sz, - " Modulus:"); - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, - (int)XSTRLEN(tmp)) <= 0) { - wc_FreeRsaKey(&rsa); - return WOLFSSL_FAILURE; - } - - /* print out modulus */ - XSNPRINTF(tmp, sizeof(tmp) - 1," "); - tmp[sizeof(tmp) - 1] = '\0'; - if (mp_leading_bit(&rsa.n)) { - lbit = 1; - XSTRNCAT(tmp, "00", 3); - } - - rawLen = mp_unsigned_bin_size(&rsa.n); - rawKey = (unsigned char*)XMALLOC(rawLen, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (rawKey == NULL) { - WOLFSSL_MSG("Memory error"); - wc_FreeRsaKey(&rsa); - return WOLFSSL_FAILURE; - } - mp_to_unsigned_bin(&rsa.n, rawKey); - for (idx = 0; idx < (word32)rawLen; idx++) { - char val[5]; - int valSz = 5; - - if ((idx == 0) && !lbit) { - XSNPRINTF(val, valSz - 1, "%02x", rawKey[idx]); - } - else if ((idx != 0) && (((idx + lbit) % 15) == 0)) { - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, - (int)XSTRLEN(tmp)) <= 0) { - XFREE(rawKey, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRsaKey(&rsa); - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp) - 1, - ":\n "); - XSNPRINTF(val, valSz - 1, "%02x", rawKey[idx]); - } - else { - XSNPRINTF(val, valSz - 1, ":%02x", rawKey[idx]); - } - XSTRNCAT(tmp, val, valSz); - } - XFREE(rawKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - /* print out remaining modulus values */ - if ((idx > 0) && (((idx - 1 + lbit) % 15) != 0)) { - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, - (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - } - - /* print out exponent values */ - rawLen = mp_unsigned_bin_size(&rsa.e); - if (rawLen < 0) { - WOLFSSL_MSG("Error getting exponent size"); - wc_FreeRsaKey(&rsa); - return WOLFSSL_FAILURE; - } - - if ((word32)rawLen < sizeof(word32)) { - rawLen = sizeof(word32); - } - rawKey = (unsigned char*)XMALLOC(rawLen, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (rawKey == NULL) { - WOLFSSL_MSG("Memory error"); - wc_FreeRsaKey(&rsa); - return WOLFSSL_FAILURE; - } - XMEMSET(rawKey, 0, rawLen); - mp_to_unsigned_bin(&rsa.e, rawKey); - if ((word32)rawLen <= sizeof(word32)) { - idx = *(word32*)rawKey; - #ifdef BIG_ENDIAN_ORDER - idx = ByteReverseWord32(idx); - #endif - } - XSNPRINTF(tmp, sizeof(tmp) - 1, - "\n Exponent: %d (0x%x)\n",idx, idx); - if (wolfSSL_BIO_write(bio, tmp, - (int)XSTRLEN(tmp)) <= 0) { - XFREE(rawKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRsaKey(&rsa); - return WOLFSSL_FAILURE; - } - XFREE(rawKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - wc_FreeRsaKey(&rsa); - } - #endif /* HAVE_USER_RSA */ - break; - #endif /* NO_RSA */ - - #ifdef HAVE_ECC - case ECDSAk: - { - word32 i; - ecc_key ecc; - - if (wolfSSL_BIO_write(bio, - " Public Key Algorithm: EC\n", - (int)XSTRLEN(" Public Key Algorithm: EC\n")) <= 0) { - return WOLFSSL_FAILURE; - } - if (wc_ecc_init_ex(&ecc, x509->heap, INVALID_DEVID) - != 0) { - return WOLFSSL_FAILURE; - } - - i = 0; - if (wc_EccPublicKeyDecode(x509->pubKey.buffer, &i, - &ecc, x509->pubKey.length) != 0) { - wc_ecc_free(&ecc); - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp) - 1, "%s%s: (%d bit)\n%s\n", - " ", "Public-Key", - 8 * wc_ecc_size(&ecc), - " pub:"); - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, - (int)XSTRLEN(tmp)) <= 0) { - wc_ecc_free(&ecc); - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp) - 1," "); - { - word32 derSz; - byte* der; - - derSz = wc_ecc_size(&ecc) * WOLFSSL_BIT_SIZE; - der = (byte*)XMALLOC(derSz, x509->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (der == NULL) { - wc_ecc_free(&ecc); - return WOLFSSL_FAILURE; - } - - if (wc_ecc_export_x963(&ecc, der, &derSz) != 0) { - wc_ecc_free(&ecc); - XFREE(der, x509->heap, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - for (i = 0; i < derSz; i++) { - char val[5]; - int valSz = 5; - - if (i == 0) { - XSNPRINTF(val, valSz - 1, "%02x", der[i]); - } - else if ((i % 15) == 0) { - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, - (int)XSTRLEN(tmp)) <= 0) { - wc_ecc_free(&ecc); - XFREE(der, x509->heap, - DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp) - 1, - ":\n "); - XSNPRINTF(val, valSz - 1, "%02x", der[i]); - } - else { - XSNPRINTF(val, valSz - 1, ":%02x", der[i]); - } - XSTRNCAT(tmp, val, valSz); - } - - /* print out remaining modulus values */ - if ((i > 0) && (((i - 1) % 15) != 0)) { - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, - (int)XSTRLEN(tmp)) <= 0) { - wc_ecc_free(&ecc); - XFREE(der, x509->heap, - DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - } - - XFREE(der, x509->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - XSNPRINTF(tmp, sizeof(tmp) - 1, "\n%s%s: %s\n", - " ", "ASN1 OID", - ecc.dp->name); - if (wolfSSL_BIO_write(bio, tmp, - (int)XSTRLEN(tmp)) <= 0) { - wc_ecc_free(&ecc); - return WOLFSSL_FAILURE; - } - wc_ecc_free(&ecc); - } - break; - #endif /* HAVE_ECC */ - default: - WOLFSSL_MSG("Unknown key type"); - return WOLFSSL_FAILURE; - } - } - - /* print out extensions */ - if (wolfSSL_BIO_write(bio, " X509v3 extensions:\n", - (int)XSTRLEN(" X509v3 extensions:\n")) <= 0) { - return WOLFSSL_FAILURE; - } - - /* print subject key id */ - if (x509->subjKeyIdSet && x509->subjKeyId != NULL && - x509->subjKeyIdSz > 0) { - char tmp[100]; - word32 i; - char val[5]; - int valSz = 5; - - - if (wolfSSL_BIO_write(bio, - " X509v3 Subject Key Identifier: \n", - (int)XSTRLEN(" X509v3 Subject Key Identifier: \n")) - <= 0) { - return WOLFSSL_FAILURE; - } - - XSNPRINTF(tmp, sizeof(tmp) - 1, " "); - for (i = 0; i < sizeof(tmp) && i < (x509->subjKeyIdSz - 1); i++) { - XSNPRINTF(val, valSz - 1, "%02X:", x509->subjKeyId[i]); - XSTRNCAT(tmp, val, valSz); - } - XSNPRINTF(val, valSz - 1, "%02X\n", x509->subjKeyId[i]); - XSTRNCAT(tmp, val, valSz); - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - } - - /* printf out authority key id */ - if (x509->authKeyIdSet && x509->authKeyId != NULL && - x509->authKeyIdSz > 0) { - char tmp[100]; - word32 i; - char val[5]; - int valSz = 5; - int len = 0; - - if (wolfSSL_BIO_write(bio, - " X509v3 Authority Key Identifier: \n", - (int)XSTRLEN(" X509v3 Authority Key Identifier: \n")) - <= 0) { - return WOLFSSL_FAILURE; - } - - XSNPRINTF(tmp, sizeof(tmp) - 1, " keyid"); - for (i = 0; i < x509->authKeyIdSz; i++) { - /* check if buffer is almost full */ - if (XSTRLEN(tmp) >= sizeof(tmp) - valSz) { - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - tmp[0] = '\0'; - } - XSNPRINTF(val, valSz - 1, ":%02X", x509->authKeyId[i]); - XSTRNCAT(tmp, val, valSz); - } - len = (int)XSTRLEN("\n"); - XSTRNCAT(tmp, "\n", len + 1); - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - } - - /* print basic constraint */ - if (x509->basicConstSet) { - char tmp[100]; - - if (wolfSSL_BIO_write(bio, - "\n X509v3 Basic Constraints: \n", - (int)XSTRLEN("\n X509v3 Basic Constraints: \n")) - <= 0) { - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp), - " CA:%s\n", - (x509->isCa)? "TRUE": "FALSE"); - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - } - - /* print out signature */ - if (x509->sig.length > 0) { - unsigned char* sig; - int sigSz; - int i; - char tmp[100]; - int sigOid = wolfSSL_X509_get_signature_type(x509); - - if (wolfSSL_BIO_write(bio, - " Signature Algorithm: ", - (int)XSTRLEN(" Signature Algorithm: ")) <= 0) { - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp) - 1,"%s\n", GetSigName(sigOid)); - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - - sigSz = (int)x509->sig.length; - sig = (unsigned char*)XMALLOC(sigSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sig == NULL) { - return WOLFSSL_FAILURE; - } - - if (wolfSSL_X509_get_signature(x509, sig, &sigSz) <= 0) { - XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp) - 1," "); - tmp[sizeof(tmp) - 1] = '\0'; - for (i = 0; i < sigSz; i++) { - char val[5]; - int valSz = 5; - - if (i == 0) { - XSNPRINTF(val, valSz - 1, "%02x", sig[i]); - } - else if (((i % 18) == 0)) { - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) - <= 0) { - XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp) - 1, - ":\n "); - XSNPRINTF(val, valSz - 1, "%02x", sig[i]); - } - else { - XSNPRINTF(val, valSz - 1, ":%02x", sig[i]); - } - XSTRNCAT(tmp, val, valSz); - } - XFREE(sig, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - /* print out remaining sig values */ - if ((i > 0) && (((i - 1) % 18) != 0)) { - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) - <= 0) { - return WOLFSSL_FAILURE; - } - } - } - - /* done with print out */ - if (wolfSSL_BIO_write(bio, "\n\0", (int)XSTRLEN("\n\0")) <= 0) { - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; - } - int wolfSSL_X509_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509) - { - return wolfSSL_X509_print_ex(bio, x509, 0, 0); - } - -#endif /* XSNPRINTF */ - -#endif /* NO_CERTS */ - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) -/* Creates cipher->description based on cipher->offset - * cipher->offset is set in wolfSSL_get_ciphers_compat when it is added - * to a stack of ciphers. - * @param [in] cipher: A cipher from a stack of ciphers. - * return WOLFSSL_SUCCESS if cipher->description is set, else WOLFSSL_FAILURE - */ -int wolfSSL_sk_CIPHER_description(WOLFSSL_CIPHER* cipher) -{ - int ret = WOLFSSL_FAILURE; - int i,j,k; - int strLen; - unsigned long offset; - char* dp; - const char* name; - const char *keaStr, *authStr, *encStr, *macStr, *protocol; - char n[MAX_SEGMENTS][MAX_SEGMENT_SZ] = {{0}}; - unsigned char len = MAX_DESCRIPTION_SZ-1; - const CipherSuiteInfo* cipher_names; - ProtocolVersion pv; - WOLFSSL_ENTER("wolfSSL_sk_CIPHER_description"); - - if (cipher == NULL) - return WOLFSSL_FAILURE; - - dp = cipher->description; - if (dp == NULL) - return WOLFSSL_FAILURE; - - cipher_names = GetCipherNames(); - - offset = cipher->offset; - pv.major = cipher_names[offset].major; - pv.minor = cipher_names[offset].minor; - protocol = wolfSSL_internal_get_version(&pv); - - name = cipher_names[offset].name; - - if (name == NULL) - return ret; - - /* Segment cipher name into n[n0,n1,n2,n4] - * These are used later for comparisons to create: - * keaStr, authStr, encStr, macStr - * - * If cipher_name = ECDHE-ECDSA-AES256-SHA - * then n0 = "ECDHE", n1 = "ECDSA", n2 = "AES256", n3 = "SHA" - * and n = [n0,n1,n2,n3,0] - */ - strLen = (int)XSTRLEN(name); - - for (i = 0, j = 0, k = 0; i <= strLen; i++) { - if (k > MAX_SEGMENTS || j > MAX_SEGMENT_SZ) - break; - - if (name[i] != '-' && name[i] != '\0') { - n[k][j] = name[i]; /* Fill kth segment string until '-' */ - j++; - } - else { - n[k][j] = '\0'; - j = 0; - k++; - } - } - /* keaStr */ - keaStr = GetCipherKeaStr(n); - /* authStr */ - authStr = GetCipherAuthStr(n); - /* encStr */ - encStr = GetCipherEncStr(n); - if ((cipher->bits = SetCipherBits(encStr)) == WOLFSSL_FAILURE) { - WOLFSSL_MSG("Cipher Bits Not Set."); - } - /* macStr */ - macStr = GetCipherMacStr(n); - - - /* Build up the string by copying onto the end. */ - XSTRNCPY(dp, name, len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - - XSTRNCPY(dp, " ", len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - XSTRNCPY(dp, protocol, len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - - XSTRNCPY(dp, " Kx=", len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - XSTRNCPY(dp, keaStr, len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - - XSTRNCPY(dp, " Au=", len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - XSTRNCPY(dp, authStr, len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - - XSTRNCPY(dp, " Enc=", len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - XSTRNCPY(dp, encStr, len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - - XSTRNCPY(dp, " Mac=", len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - XSTRNCPY(dp, macStr, len); - dp[len-1] = '\0'; - - return WOLFSSL_SUCCESS; -} -#endif - -char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER* cipher, char* in, - int len) -{ - char *ret = in; - const char *keaStr, *authStr, *encStr, *macStr; - size_t strLen; - WOLFSSL_ENTER("wolfSSL_CIPHER_description"); - - if (cipher == NULL || in == NULL) - return NULL; - -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - /* if cipher is in the stack from wolfSSL_get_ciphers_compat then - * Return the description based on cipher_names[cipher->offset] - */ - if (cipher->in_stack == TRUE) { - wolfSSL_sk_CIPHER_description((WOLFSSL_CIPHER*)cipher); - XSTRNCPY(in,cipher->description,len); - return ret; - } -#endif - - /* Get the cipher description based on the SSL session cipher */ - switch (cipher->ssl->specs.kea) { - case no_kea: - keaStr = "None"; - break; -#ifndef NO_RSA - case rsa_kea: - keaStr = "RSA"; - break; -#endif -#ifndef NO_DH - case diffie_hellman_kea: - keaStr = "DHE"; - break; -#endif - case fortezza_kea: - keaStr = "FZ"; - break; -#ifndef NO_PSK - case psk_kea: - keaStr = "PSK"; - break; - #ifndef NO_DH - case dhe_psk_kea: - keaStr = "DHEPSK"; - break; - #endif - #ifdef HAVE_ECC - case ecdhe_psk_kea: - keaStr = "ECDHEPSK"; - break; - #endif -#endif -#ifdef HAVE_NTRU - case ntru_kea: - keaStr = "NTRU"; - break; -#endif -#ifdef HAVE_ECC - case ecc_diffie_hellman_kea: - keaStr = "ECDHE"; - break; - case ecc_static_diffie_hellman_kea: - keaStr = "ECDH"; - break; -#endif - default: - keaStr = "unknown"; - break; - } - - switch (cipher->ssl->specs.sig_algo) { - case anonymous_sa_algo: - authStr = "None"; - break; -#ifndef NO_RSA - case rsa_sa_algo: - authStr = "RSA"; - break; -#endif -#ifndef NO_DSA - case dsa_sa_algo: - authStr = "DSA"; - break; -#endif -#ifdef HAVE_ECC - case ecc_dsa_sa_algo: - authStr = "ECDSA"; - break; -#endif - default: - authStr = "unknown"; - break; - } - - switch (cipher->ssl->specs.bulk_cipher_algorithm) { - case wolfssl_cipher_null: - encStr = "None"; - break; -#ifndef NO_RC4 - case wolfssl_rc4: - encStr = "RC4(128)"; - break; -#endif -#ifndef NO_DES3 - case wolfssl_triple_des: - encStr = "3DES(168)"; - break; -#endif -#ifdef HAVE_IDEA - case wolfssl_idea: - encStr = "IDEA(128)"; - break; -#endif -#ifndef NO_AES - case wolfssl_aes: - if (cipher->ssl->specs.key_size == 128) - encStr = "AES(128)"; - else if (cipher->ssl->specs.key_size == 256) - encStr = "AES(256)"; - else - encStr = "AES(?)"; - break; - #ifdef HAVE_AESGCM - case wolfssl_aes_gcm: - if (cipher->ssl->specs.key_size == 128) - encStr = "AESGCM(128)"; - else if (cipher->ssl->specs.key_size == 256) - encStr = "AESGCM(256)"; - else - encStr = "AESGCM(?)"; - break; - #endif - #ifdef HAVE_AESCCM - case wolfssl_aes_ccm: - if (cipher->ssl->specs.key_size == 128) - encStr = "AESCCM(128)"; - else if (cipher->ssl->specs.key_size == 256) - encStr = "AESCCM(256)"; - else - encStr = "AESCCM(?)"; - break; - #endif -#endif -#ifdef HAVE_CHACHA - case wolfssl_chacha: - encStr = "CHACHA20/POLY1305(256)"; - break; -#endif -#ifdef HAVE_CAMELLIA - case wolfssl_camellia: - if (cipher->ssl->specs.key_size == 128) - encStr = "Camellia(128)"; - else if (cipher->ssl->specs.key_size == 256) - encStr = "Camellia(256)"; - else - encStr = "Camellia(?)"; - break; -#endif -#if defined(HAVE_HC128) && !defined(NO_HC128) - case wolfssl_hc128: - encStr = "HC128(128)"; - break; -#endif -#if defined(HAVE_RABBIT) && !defined(NO_RABBIT) - case wolfssl_rabbit: - encStr = "RABBIT(128)"; - break; -#endif - default: - encStr = "unknown"; - break; - } - - switch (cipher->ssl->specs.mac_algorithm) { - case no_mac: - macStr = "None"; - break; -#ifndef NO_MD5 - case md5_mac: - macStr = "MD5"; - break; -#endif -#ifndef NO_SHA - case sha_mac: - macStr = "SHA1"; - break; -#endif -#ifdef HAVE_SHA224 - case sha224_mac: - macStr = "SHA224"; - break; -#endif -#ifndef NO_SHA256 - case sha256_mac: - macStr = "SHA256"; - break; -#endif -#ifdef HAVE_SHA384 - case sha384_mac: - macStr = "SHA384"; - break; -#endif -#ifdef HAVE_SHA512 - case sha512_mac: - macStr = "SHA512"; - break; -#endif - default: - macStr = "unknown"; - break; - } - - /* Build up the string by copying onto the end. */ - XSTRNCPY(in, wolfSSL_CIPHER_get_name(cipher), len); - in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; - - XSTRNCPY(in, " ", len); - in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; - XSTRNCPY(in, wolfSSL_get_version(cipher->ssl), len); - in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; - - XSTRNCPY(in, " Kx=", len); - in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; - XSTRNCPY(in, keaStr, len); - in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; - - XSTRNCPY(in, " Au=", len); - in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; - XSTRNCPY(in, authStr, len); - in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; - - XSTRNCPY(in, " Enc=", len); - in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; - XSTRNCPY(in, encStr, len); - in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; - - XSTRNCPY(in, " Mac=", len); - in[len-1] = '\0'; strLen = XSTRLEN(in); len -= (int)strLen; in += strLen; - XSTRNCPY(in, macStr, len); - in[len-1] = '\0'; - - return ret; -} - - -#ifndef NO_SESSION_CACHE - -WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl) -{ - if (ssl == NULL) { - return NULL; - } - - /* sessions are stored statically, no need for reference count */ - return wolfSSL_get_session(ssl); -} - -#endif /* NO_SESSION_CACHE */ - - - -/* was do nothing */ -/* -void OPENSSL_free(void* buf) -{ - (void)buf; -} -*/ - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_OCSP_parse_url(char* url, char** host, char** port, char** path, - int* ssl) -{ - (void)url; - (void)host; - (void)port; - (void)path; - (void)ssl; - WOLFSSL_STUB("OCSP_parse_url"); - return 0; -} -#endif - -#ifndef NO_MD4 - -void wolfSSL_MD4_Init(WOLFSSL_MD4_CTX* md4) -{ - /* make sure we have a big enough buffer */ - typedef char ok[sizeof(md4->buffer) >= sizeof(Md4) ? 1 : -1]; - (void) sizeof(ok); - - WOLFSSL_ENTER("MD4_Init"); - wc_InitMd4((Md4*)md4); -} - - -void wolfSSL_MD4_Update(WOLFSSL_MD4_CTX* md4, const void* data, - unsigned long len) -{ - WOLFSSL_ENTER("MD4_Update"); - wc_Md4Update((Md4*)md4, (const byte*)data, (word32)len); -} - - -void wolfSSL_MD4_Final(unsigned char* digest, WOLFSSL_MD4_CTX* md4) -{ - WOLFSSL_ENTER("MD4_Final"); - wc_Md4Final((Md4*)md4, digest); -} - -#endif /* NO_MD4 */ - - -/* Removes a WOLFSSL_BIO struct from the WOLFSSL_BIO linked list. - * - * bio is the WOLFSSL_BIO struct in the list and removed. - * - * The return WOLFSSL_BIO struct is the next WOLFSSL_BIO in the list or NULL if - * there is none. - */ -WOLFSSL_BIO* wolfSSL_BIO_pop(WOLFSSL_BIO* bio) -{ - if (bio == NULL) { - WOLFSSL_MSG("Bad argument passed in"); - return NULL; - } - - if (bio->prev != NULL) { - bio->prev->next = bio->next; - } - - if (bio->next != NULL) { - bio->next->prev = bio->prev; - } - - return bio->next; -} - - - -WOLFSSL_BIO_METHOD* wolfSSL_BIO_s_mem(void) -{ - static WOLFSSL_BIO_METHOD meth; - - WOLFSSL_ENTER("wolfSSL_BIO_s_mem"); - meth.type = WOLFSSL_BIO_MEMORY; - - return &meth; -} - - -WOLFSSL_BIO_METHOD* wolfSSL_BIO_f_base64(void) -{ - static WOLFSSL_BIO_METHOD meth; - - WOLFSSL_ENTER("wolfSSL_BIO_f_base64"); - meth.type = WOLFSSL_BIO_BASE64; - - return &meth; -} - - -/* Set the flag for the bio. - * - * bio the structure to set the flag in - * flags the flag to use - */ -void wolfSSL_BIO_set_flags(WOLFSSL_BIO* bio, int flags) -{ - WOLFSSL_ENTER("wolfSSL_BIO_set_flags"); - - if (bio != NULL) { - bio->flags |= flags; - } -} - -void wolfSSL_BIO_clear_flags(WOLFSSL_BIO *bio, int flags) -{ - WOLFSSL_ENTER("wolfSSL_BIO_clear_flags"); - if (bio != NULL) { - bio->flags &= ~flags; - } -} - -/* Set ex_data for WOLFSSL_BIO - * - * bio : BIO structure to set ex_data in - * idx : Index of ex_data to set - * data : Data to set in ex_data - * - * Returns WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE on failure - */ -int wolfSSL_BIO_set_ex_data(WOLFSSL_BIO *bio, int idx, void *data) -{ - WOLFSSL_ENTER("wolfSSL_BIO_set_ex_data"); - #ifdef HAVE_EX_DATA - if (bio != NULL && idx < MAX_EX_DATA) { - return wolfSSL_CRYPTO_set_ex_data(&bio->ex_data, idx, data); - } - #else - (void)bio; - (void)idx; - (void)data; - #endif - return WOLFSSL_FAILURE; -} - -/* Get ex_data in WOLFSSL_BIO at given index - * - * bio : BIO structure to get ex_data from - * idx : Index of ex_data to get data from - * - * Returns void pointer to ex_data on success or NULL on failure - */ -void *wolfSSL_BIO_get_ex_data(WOLFSSL_BIO *bio, int idx) -{ - WOLFSSL_ENTER("wolfSSL_BIO_get_ex_data"); - #ifdef HAVE_EX_DATA - if (bio != NULL && idx < MAX_EX_DATA && idx >= 0) { - return wolfSSL_CRYPTO_get_ex_data(&bio->ex_data, idx); - } - #else - (void)bio; - (void)idx; - #endif - return NULL; -} - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_RAND_screen(void) -{ - WOLFSSL_STUB("RAND_screen"); -} -#endif - - - -int wolfSSL_RAND_load_file(const char* fname, long len) -{ - (void)fname; - /* wolfCrypt provides enough entropy internally or will report error */ - if (len == -1) - return 1024; - else - return (int)len; -} - - -#ifndef NO_WOLFSSL_STUB -WOLFSSL_COMP_METHOD* wolfSSL_COMP_zlib(void) -{ - WOLFSSL_STUB("COMP_zlib"); - return 0; -} -#endif - -#ifndef NO_WOLFSSL_STUB -WOLFSSL_COMP_METHOD* wolfSSL_COMP_rle(void) -{ - WOLFSSL_STUB("COMP_rle"); - return 0; -} -#endif - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_COMP_add_compression_method(int method, void* data) -{ - (void)method; - (void)data; - WOLFSSL_STUB("COMP_add_compression_method"); - return 0; -} -#endif - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_set_dynlock_create_callback(WOLFSSL_dynlock_value* (*f)( - const char*, int)) -{ - WOLFSSL_STUB("CRYPTO_set_dynlock_create_callback"); - (void)f; -} -#endif - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_set_dynlock_lock_callback( - void (*f)(int, WOLFSSL_dynlock_value*, const char*, int)) -{ - WOLFSSL_STUB("CRYPTO_set_set_dynlock_lock_callback"); - (void)f; -} -#endif - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_set_dynlock_destroy_callback( - void (*f)(WOLFSSL_dynlock_value*, const char*, int)) -{ - WOLFSSL_STUB("CRYPTO_set_set_dynlock_destroy_callback"); - (void)f; -} -#endif - - -const char* wolfSSL_X509_verify_cert_error_string(long err) -{ - return wolfSSL_ERR_reason_error_string(err); -} - - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_X509_LOOKUP_add_dir(WOLFSSL_X509_LOOKUP* lookup, const char* dir, - long len) -{ - (void)lookup; - (void)dir; - (void)len; - WOLFSSL_STUB("X509_LOOKUP_add_dir"); - return 0; -} -#endif - -int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup, - const char* file, long type) -{ -#if !defined(NO_FILESYSTEM) && \ - (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) - int ret = WOLFSSL_FAILURE; - XFILE fp; - long sz; - byte* pem = NULL; - byte* curr = NULL; - byte* prev = NULL; - WOLFSSL_X509* x509; - const char* header = NULL; - const char* footer = NULL; - - if (type != X509_FILETYPE_PEM) - return BAD_FUNC_ARG; - - fp = XFOPEN(file, "r"); - if (fp == XBADFILE) - return BAD_FUNC_ARG; - - if(XFSEEK(fp, 0, XSEEK_END) != 0) { - XFCLOSE(fp); - return WOLFSSL_BAD_FILE; - } - sz = XFTELL(fp); - XREWIND(fp); - - if (sz > MAX_WOLFSSL_FILE_SIZE || sz <= 0) { - WOLFSSL_MSG("X509_LOOKUP_load_file size error"); - goto end; - } - - pem = (byte*)XMALLOC(sz, 0, DYNAMIC_TYPE_PEM); - if (pem == NULL) { - ret = MEMORY_ERROR; - goto end; - } - - /* Read in file which may be CRLs or certificates. */ - if (XFREAD(pem, (size_t)sz, 1, fp) != 1) - goto end; - - prev = curr = pem; - do { - /* get PEM header and footer based on type */ - if (wc_PemGetHeaderFooter(CRL_TYPE, &header, &footer) == 0 && - XSTRNSTR((char*)curr, header, (unsigned int)sz) != NULL) { -#ifdef HAVE_CRL - WOLFSSL_CERT_MANAGER* cm = lookup->store->cm; - - if (cm->crl == NULL) { - if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Enable CRL failed"); - goto end; - } - } - - ret = BufferLoadCRL(cm->crl, curr, sz, WOLFSSL_FILETYPE_PEM, - NO_VERIFY); - if (ret != WOLFSSL_SUCCESS) - goto end; -#endif - curr = (byte*)XSTRNSTR((char*)curr, footer, (unsigned int)sz); - } - else if (wc_PemGetHeaderFooter(CERT_TYPE, &header, &footer) == 0 && - XSTRNSTR((char*)curr, header, (unsigned int)sz) != NULL) { - x509 = wolfSSL_X509_load_certificate_buffer(curr, (int)sz, - WOLFSSL_FILETYPE_PEM); - if (x509 == NULL) - goto end; - ret = wolfSSL_X509_STORE_add_cert(lookup->store, x509); - wolfSSL_X509_free(x509); - if (ret != WOLFSSL_SUCCESS) - goto end; - curr = (byte*)XSTRNSTR((char*)curr, footer, (unsigned int)sz); - } - else - goto end; - - if (curr == NULL) - goto end; - - curr++; - sz -= (long)(curr - prev); - prev = curr; - } - while (ret == WOLFSSL_SUCCESS); - -end: - if (pem != NULL) - XFREE(pem, 0, DYNAMIC_TYPE_PEM); - XFCLOSE(fp); - return ret; -#else - (void)lookup; - (void)file; - (void)type; - return WOLFSSL_FAILURE; -#endif -} - -WOLFSSL_X509_LOOKUP_METHOD* wolfSSL_X509_LOOKUP_hash_dir(void) -{ - /* Method implementation in functions. */ - static WOLFSSL_X509_LOOKUP_METHOD meth = { 1 }; - return &meth; -} - -WOLFSSL_X509_LOOKUP_METHOD* wolfSSL_X509_LOOKUP_file(void) -{ - /* Method implementation in functions. */ - static WOLFSSL_X509_LOOKUP_METHOD meth = { 0 }; - return &meth; -} - - -WOLFSSL_X509_LOOKUP* wolfSSL_X509_STORE_add_lookup(WOLFSSL_X509_STORE* store, - WOLFSSL_X509_LOOKUP_METHOD* m) -{ - WOLFSSL_ENTER("SSL_X509_STORE_add_lookup"); - if (store == NULL) - return NULL; - - /* Method is a dummy value and is not needed. */ - (void)m; - /* Make sure the lookup has a back reference to the store. */ - store->lookup.store = store; - return &store->lookup; -} - - -#ifndef NO_CERTS -/* Converts the X509 to DER format and outputs it into bio. - * - * bio is the structure to hold output DER - * x509 certificate to create DER from - * - * returns WOLFSSL_SUCCESS on success - */ -int wolfSSL_i2d_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509* x509) -{ - WOLFSSL_ENTER("wolfSSL_i2d_X509_bio"); - - if (bio == NULL || x509 == NULL) { - return WOLFSSL_FAILURE; - } - - if (x509->derCert != NULL) { - word32 len = x509->derCert->length; - byte* der = x509->derCert->buffer; - - if (wolfSSL_BIO_write(bio, der, len) == (int)len) { - return SSL_SUCCESS; - } - } - - return WOLFSSL_FAILURE; -} - - -/* Converts an internal structure to a DER buffer - * - * x509 structure to get DER buffer from - * out buffer to hold result. If NULL then *out is NULL then a new buffer is - * created. - * - * returns the size of the DER result on success - */ -int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out) -{ - const unsigned char* der; - int derSz = 0; - - WOLFSSL_ENTER("wolfSSL_i2d_X509"); - - if (x509 == NULL) { - WOLFSSL_LEAVE("wolfSSL_i2d_X509", BAD_FUNC_ARG); - return BAD_FUNC_ARG; - } - - der = wolfSSL_X509_get_der(x509, &derSz); - if (der == NULL) { - WOLFSSL_LEAVE("wolfSSL_i2d_X509", MEMORY_E); - return MEMORY_E; - } - - if (out != NULL && *out == NULL) { - *out = (unsigned char*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_OPENSSL); - if (*out == NULL) { - WOLFSSL_LEAVE("wolfSSL_i2d_X509", MEMORY_E); - return MEMORY_E; - } - } - - if (out != NULL) - XMEMCPY(*out, der, derSz); - - WOLFSSL_LEAVE("wolfSSL_i2d_X509", derSz); - return derSz; -} - - -/* Converts the DER from bio and creates a WOLFSSL_X509 structure from it. - * - * bio is the structure holding DER - * x509 certificate to create from DER. Can be NULL - * - * returns pointer to WOLFSSL_X509 structure on success and NULL on fail - */ -WOLFSSL_X509* wolfSSL_d2i_X509_bio(WOLFSSL_BIO* bio, WOLFSSL_X509** x509) -{ - WOLFSSL_X509* localX509 = NULL; - unsigned char* mem = NULL; - int ret; - word32 size; - - WOLFSSL_ENTER("wolfSSL_d2i_X509_bio"); - - if (bio == NULL) { - WOLFSSL_MSG("Bad Function Argument bio is NULL"); - return NULL; - } - - ret = wolfSSL_BIO_get_mem_data(bio, &mem); - if (mem == NULL || ret <= 0) { - WOLFSSL_MSG("Failed to get data from bio struct"); - return NULL; - } - size = ret; - - localX509 = wolfSSL_X509_d2i(NULL, mem, size); - if (localX509 == NULL) { - return NULL; - } - - if (x509 != NULL) { - *x509 = localX509; - } - - return localX509; -} - - -#if !defined(NO_ASN) && !defined(NO_PWDBASED) -WC_PKCS12* wolfSSL_d2i_PKCS12_bio(WOLFSSL_BIO* bio, WC_PKCS12** pkcs12) -{ - WC_PKCS12* localPkcs12 = NULL; - unsigned char* mem = NULL; - int ret; - word32 size; - - WOLFSSL_ENTER("wolfSSL_d2i_PKCS12_bio"); - - if (bio == NULL) { - WOLFSSL_MSG("Bad Function Argument bio is NULL"); - return NULL; - } - - localPkcs12 = wc_PKCS12_new(); - if (localPkcs12 == NULL) { - WOLFSSL_MSG("Memory error"); - return NULL; - } - - if (pkcs12 != NULL) { - *pkcs12 = localPkcs12; - } - - ret = wolfSSL_BIO_get_mem_data(bio, &mem); - if (mem == NULL || ret <= 0) { - WOLFSSL_MSG("Failed to get data from bio struct"); - wc_PKCS12_free(localPkcs12); - if (pkcs12 != NULL) { - *pkcs12 = NULL; - } - return NULL; - } - size = ret; - - ret = wc_d2i_PKCS12(mem, size, localPkcs12); - if (ret < 0) { - WOLFSSL_MSG("Failed to get PKCS12 sequence"); - wc_PKCS12_free(localPkcs12); - if (pkcs12 != NULL) { - *pkcs12 = NULL; - } - return NULL; - } - - return localPkcs12; -} - -/* Converts the PKCS12 to DER format and outputs it into bio. - * - * bio is the structure to hold output DER - * pkcs12 structure to create DER from - * - * return 1 for success or 0 if an error occurs - */ -int wolfSSL_i2d_PKCS12_bio(WOLFSSL_BIO *bio, WC_PKCS12 *pkcs12) -{ - int ret = WOLFSSL_FAILURE; - - WOLFSSL_ENTER("wolfSSL_i2d_PKCS12_bio"); - - if ((bio != NULL) && (pkcs12 != NULL)) { - word32 certSz = 0; - byte *certDer = NULL; - - certSz = wc_i2d_PKCS12(pkcs12, &certDer, NULL); - if ((certSz > 0) && (certDer != NULL)) { - if (wolfSSL_BIO_write(bio, certDer, certSz) == (int)certSz) { - ret = SSL_SUCCESS; - } - } - - if (certDer != NULL) { - XFREE(certDer, NULL, DYNAMIC_TYPE_PKCS); - } - } - - return ret; -} - -/* helper function to get raw pointer to DER buffer from WOLFSSL_EVP_PKEY */ -static int wolfSSL_EVP_PKEY_get_der(WOLFSSL_EVP_PKEY* key, unsigned char** der) -{ - if (!key) - return WOLFSSL_FAILURE; - if (der) - *der = (unsigned char*)key->pkey.ptr; - return key->pkey_sz; -} - -/* Copies unencrypted DER key buffer into "der". If "der" is null then the size - * of buffer needed is returned - * NOTE: This also advances the "der" pointer to be at the end of buffer. - * - * Returns size of key buffer on success - */ -int wolfSSL_i2d_PrivateKey(WOLFSSL_EVP_PKEY* key, unsigned char** der) -{ - if (key == NULL) { - return WOLFSSL_FATAL_ERROR; - } - - if (key->pkey_sz <= 0 || !key->pkey.ptr) { - return WOLFSSL_FATAL_ERROR; - } - - if (der != NULL) { - /* since this function signature has no size value passed in it is - * assumed that the user has allocated a large enough buffer */ - XMEMCPY(*der, key->pkey.ptr, key->pkey_sz); - *der += key->pkey_sz; - } - return key->pkey_sz; -} - -/* Creates a new WC_PKCS12 structure - * - * pass password to use - * name friendlyName to use - * pkey private key to go into PKCS12 bundle - * cert certificate to go into PKCS12 bundle - * ca extra certificates that can be added to bundle. Can be NULL - * keyNID type of encryption to use on the key (-1 means no encryption) - * certNID type of encryption to use on the certificate - * itt number of iterations with encryption - * macItt number of iterations with mac creation - * keyType flag for signature and/or encryption key - * - * returns a pointer to a new WC_PKCS12 structure on success and NULL on fail - */ -WC_PKCS12* wolfSSL_PKCS12_create(char* pass, char* name, - WOLFSSL_EVP_PKEY* pkey, WOLFSSL_X509* cert, - WOLF_STACK_OF(WOLFSSL_X509)* ca, - int keyNID, int certNID, int itt, int macItt, int keyType) -{ - WC_PKCS12* pkcs12; - WC_DerCertList* list = NULL; - word32 passSz; - byte* keyDer; - word32 keyDerSz; - byte* certDer; - int certDerSz; - - int ret; - - WOLFSSL_ENTER("wolfSSL_PKCS12_create()"); - - if (pass == NULL || pkey == NULL || cert == NULL) { - WOLFSSL_LEAVE("wolfSSL_PKCS12_create()", BAD_FUNC_ARG); - return NULL; - } - passSz = (word32)XSTRLEN(pass); - - if ((ret = wolfSSL_EVP_PKEY_get_der(pkey, &keyDer)) < 0) { - WOLFSSL_LEAVE("wolfSSL_PKCS12_create", ret); - return NULL; - } - keyDerSz = ret; - - certDer = (byte*)wolfSSL_X509_get_der(cert, &certDerSz); - if (certDer == NULL) { - return NULL; - } - - if (ca != NULL) { - WC_DerCertList* cur; - unsigned long numCerts = ca->num; - byte* curDer; - int curDerSz = 0; - WOLFSSL_STACK* sk = ca; - - while (numCerts > 0 && sk != NULL) { - cur = (WC_DerCertList*)XMALLOC(sizeof(WC_DerCertList), NULL, - DYNAMIC_TYPE_PKCS); - if (cur == NULL) { - wc_FreeCertList(list, NULL); - return NULL; - } - - curDer = (byte*)wolfSSL_X509_get_der(sk->data.x509, &curDerSz); - if (curDer == NULL || curDerSz < 0) { - XFREE(cur, NULL, DYNAMIC_TYPE_PKCS); - wc_FreeCertList(list, NULL); - return NULL; - } - - cur->buffer = (byte*)XMALLOC(curDerSz, NULL, DYNAMIC_TYPE_PKCS); - if (cur->buffer == NULL) { - XFREE(cur, NULL, DYNAMIC_TYPE_PKCS); - wc_FreeCertList(list, NULL); - return NULL; - } - XMEMCPY(cur->buffer, curDer, curDerSz); - cur->bufferSz = curDerSz; - cur->next = list; - list = cur; - - sk = sk->next; - numCerts--; - } - } - - pkcs12 = wc_PKCS12_create(pass, passSz, name, keyDer, keyDerSz, - certDer, certDerSz, list, keyNID, certNID, itt, macItt, - keyType, NULL); - - if (ca != NULL) { - wc_FreeCertList(list, NULL); - } - - return pkcs12; -} - - -/* return WOLFSSL_SUCCESS on success, WOLFSSL_FAILURE on failure */ -int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, - WOLFSSL_EVP_PKEY** pkey, WOLFSSL_X509** cert, WOLF_STACK_OF(WOLFSSL_X509)** ca) -{ - DecodedCert DeCert; - void* heap = NULL; - int ret; - byte* certData = NULL; - word32 certDataSz; - byte* pk = NULL; - word32 pkSz; - WC_DerCertList* certList = NULL; - - WOLFSSL_ENTER("wolfSSL_PKCS12_parse"); - - /* make sure we init return args */ - if (pkey) *pkey = NULL; - if (cert) *cert = NULL; - if (ca) *ca = NULL; - - if (pkcs12 == NULL || psw == NULL || pkey == NULL || cert == NULL) { - WOLFSSL_MSG("Bad argument value"); - return WOLFSSL_FAILURE; - } - - heap = wc_PKCS12_GetHeap(pkcs12); - - if (ca == NULL) { - ret = wc_PKCS12_parse(pkcs12, psw, &pk, &pkSz, &certData, &certDataSz, - NULL); - } - else { - ret = wc_PKCS12_parse(pkcs12, psw, &pk, &pkSz, &certData, &certDataSz, - &certList); - } - if (ret < 0) { - WOLFSSL_LEAVE("wolfSSL_PKCS12_parse", ret); - return WOLFSSL_FAILURE; - } - - /* Decode cert and place in X509 stack struct */ - if (certList != NULL) { - WC_DerCertList* current = certList; - - *ca = (WOLF_STACK_OF(WOLFSSL_X509)*)XMALLOC(sizeof(WOLF_STACK_OF(WOLFSSL_X509)), - heap, DYNAMIC_TYPE_X509); - if (*ca == NULL) { - if (pk != NULL) { - XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY); - } - if (certData != NULL) { - XFREE(*cert, heap, DYNAMIC_TYPE_PKCS); *cert = NULL; - } - /* Free up WC_DerCertList and move on */ - while (current != NULL) { - WC_DerCertList* next = current->next; - - XFREE(current->buffer, heap, DYNAMIC_TYPE_PKCS); - XFREE(current, heap, DYNAMIC_TYPE_PKCS); - current = next; - } - return WOLFSSL_FAILURE; - } - XMEMSET(*ca, 0, sizeof(WOLF_STACK_OF(WOLFSSL_X509))); - - /* add list of DER certs as X509's to stack */ - while (current != NULL) { - WC_DerCertList* toFree = current; - WOLFSSL_X509* x509; - - x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap, - DYNAMIC_TYPE_X509); - InitX509(x509, 1, heap); - InitDecodedCert(&DeCert, current->buffer, current->bufferSz, heap); - if (ParseCertRelative(&DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) { - WOLFSSL_MSG("Issue with parsing certificate"); - FreeDecodedCert(&DeCert); - wolfSSL_X509_free(x509); - } - else { - if ((ret = CopyDecodedToX509(x509, &DeCert)) != 0) { - WOLFSSL_MSG("Failed to copy decoded cert"); - FreeDecodedCert(&DeCert); - wolfSSL_X509_free(x509); - wolfSSL_sk_X509_free(*ca); *ca = NULL; - if (pk != NULL) { - XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY); - } - if (certData != NULL) { - XFREE(certData, heap, DYNAMIC_TYPE_PKCS); - } - /* Free up WC_DerCertList */ - while (current != NULL) { - WC_DerCertList* next = current->next; - - XFREE(current->buffer, heap, DYNAMIC_TYPE_PKCS); - XFREE(current, heap, DYNAMIC_TYPE_PKCS); - current = next; - } - return WOLFSSL_FAILURE; - } - FreeDecodedCert(&DeCert); - - if (wolfSSL_sk_X509_push(*ca, x509) != 1) { - WOLFSSL_MSG("Failed to push x509 onto stack"); - wolfSSL_X509_free(x509); - wolfSSL_sk_X509_free(*ca); *ca = NULL; - if (pk != NULL) { - XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY); - } - if (certData != NULL) { - XFREE(certData, heap, DYNAMIC_TYPE_PKCS); - } - - /* Free up WC_DerCertList */ - while (current != NULL) { - WC_DerCertList* next = current->next; - - XFREE(current->buffer, heap, DYNAMIC_TYPE_PKCS); - XFREE(current, heap, DYNAMIC_TYPE_PKCS); - current = next; - } - return WOLFSSL_FAILURE; - } - } - current = current->next; - XFREE(toFree->buffer, heap, DYNAMIC_TYPE_PKCS); - XFREE(toFree, heap, DYNAMIC_TYPE_PKCS); - } - } - - - /* Decode cert and place in X509 struct */ - if (certData != NULL) { - *cert = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap, - DYNAMIC_TYPE_X509); - if (*cert == NULL) { - if (pk != NULL) { - XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY); - } - if (ca != NULL) { - wolfSSL_sk_X509_free(*ca); *ca = NULL; - } - XFREE(certData, heap, DYNAMIC_TYPE_PKCS); - return WOLFSSL_FAILURE; - } - InitX509(*cert, 1, heap); - InitDecodedCert(&DeCert, certData, certDataSz, heap); - if (ParseCertRelative(&DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) { - WOLFSSL_MSG("Issue with parsing certificate"); - } - if ((ret = CopyDecodedToX509(*cert, &DeCert)) != 0) { - WOLFSSL_MSG("Failed to copy decoded cert"); - FreeDecodedCert(&DeCert); - if (pk != NULL) { - XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY); - } - if (ca != NULL) { - wolfSSL_sk_X509_free(*ca); *ca = NULL; - } - wolfSSL_X509_free(*cert); *cert = NULL; - return WOLFSSL_FAILURE; - } - FreeDecodedCert(&DeCert); - XFREE(certData, heap, DYNAMIC_TYPE_PKCS); - } - - - /* get key type */ - ret = BAD_STATE_E; - if (pk != NULL) { /* decode key if present */ - *pkey = wolfSSL_EVP_PKEY_new_ex(heap); - if (*pkey == NULL) { - wolfSSL_X509_free(*cert); *cert = NULL; - if (ca != NULL) { - wolfSSL_sk_X509_free(*ca); *ca = NULL; - } - XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY); - return WOLFSSL_FAILURE; - } - #ifndef NO_RSA - { - word32 keyIdx = 0; - RsaKey key; - - if (wc_InitRsaKey(&key, heap) != 0) { - ret = BAD_STATE_E; - } - else { - if ((ret = wc_RsaPrivateKeyDecode(pk, &keyIdx, &key, pkSz)) - == 0) { - (*pkey)->type = EVP_PKEY_RSA; - (*pkey)->rsa = wolfSSL_RSA_new(); - (*pkey)->ownRsa = 1; /* we own RSA */ - if ((*pkey)->rsa == NULL) { - WOLFSSL_MSG("issue creating EVP RSA key"); - wolfSSL_X509_free(*cert); *cert = NULL; - if (ca != NULL) { - wolfSSL_sk_X509_free(*ca); *ca = NULL; - } - wolfSSL_EVP_PKEY_free(*pkey); *pkey = NULL; - XFREE(pk, heap, DYNAMIC_TYPE_PKCS); - return WOLFSSL_FAILURE; - } - if ((ret = wolfSSL_RSA_LoadDer_ex((*pkey)->rsa, pk, pkSz, - WOLFSSL_RSA_LOAD_PRIVATE)) != SSL_SUCCESS) { - WOLFSSL_MSG("issue loading RSA key"); - wolfSSL_X509_free(*cert); *cert = NULL; - if (ca != NULL) { - wolfSSL_sk_X509_free(*ca); *ca = NULL; - } - wolfSSL_EVP_PKEY_free(*pkey); *pkey = NULL; - XFREE(pk, heap, DYNAMIC_TYPE_PKCS); - return WOLFSSL_FAILURE; - } - - WOLFSSL_MSG("Found PKCS12 RSA key"); - ret = 0; /* set in success state for upcoming ECC check */ - } - wc_FreeRsaKey(&key); - } - } - #endif /* NO_RSA */ - - #ifdef HAVE_ECC - { - word32 keyIdx = 0; - ecc_key key; - - if (ret != 0) { /* if is in fail state check if ECC key */ - if (wc_ecc_init(&key) != 0) { - wolfSSL_X509_free(*cert); *cert = NULL; - if (ca != NULL) { - wolfSSL_sk_X509_free(*ca); *ca = NULL; - } - wolfSSL_EVP_PKEY_free(*pkey); *pkey = NULL; - XFREE(pk, heap, DYNAMIC_TYPE_PKCS); - return WOLFSSL_FAILURE; - } - - if ((ret = wc_EccPrivateKeyDecode(pk, &keyIdx, &key, pkSz)) - != 0) { - wolfSSL_X509_free(*cert); *cert = NULL; - if (ca != NULL) { - wolfSSL_sk_X509_free(*ca); *ca = NULL; - } - wolfSSL_EVP_PKEY_free(*pkey); *pkey = NULL; - XFREE(pk, heap, DYNAMIC_TYPE_PKCS); - WOLFSSL_MSG("Bad PKCS12 key format"); - return WOLFSSL_FAILURE; - } - (*pkey)->type = EVP_PKEY_EC; - (*pkey)->pkey_curve = key.dp->oidSum; - wc_ecc_free(&key); - WOLFSSL_MSG("Found PKCS12 ECC key"); - } - } - #else - if (ret != 0) { /* if is in fail state and no ECC then fail */ - wolfSSL_X509_free(*cert); *cert = NULL; - if (ca != NULL) { - wolfSSL_sk_X509_free(*ca); *ca = NULL; - } - wolfSSL_EVP_PKEY_free(*pkey); *pkey = NULL; - XFREE(pk, heap, DYNAMIC_TYPE_PKCS); - WOLFSSL_MSG("Bad PKCS12 key format"); - return WOLFSSL_FAILURE; - } - #endif /* HAVE_ECC */ - - (*pkey)->save_type = 0; - (*pkey)->pkey_sz = pkSz; - (*pkey)->pkey.ptr = (char*)pk; - } - - (void)ret; - (void)ca; - - return WOLFSSL_SUCCESS; -} -#endif /* !defined(NO_ASN) && !defined(NO_PWDBASED) */ - - -/* no-op function. Was initially used for adding encryption algorithms available - * for PKCS12 */ -void wolfSSL_PKCS12_PBE_add(void) -{ - WOLFSSL_ENTER("wolfSSL_PKCS12_PBE_add"); -} - - - -WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx) -{ - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_chain"); - - if (ctx == NULL) { - return NULL; - } - -#ifdef SESSION_CERTS - /* if chain is null but sesChain is available then populate stack */ - if (ctx->chain == NULL && ctx->sesChain != NULL) { - int i; - WOLFSSL_X509_CHAIN* c = ctx->sesChain; - WOLFSSL_STACK* sk = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), - NULL, DYNAMIC_TYPE_X509); - - if (sk == NULL) { - return NULL; - } - - XMEMSET(sk, 0, sizeof(WOLFSSL_STACK)); - ctx->chain = sk; - - for (i = 0; i < c->count && i < MAX_CHAIN_DEPTH; i++) { - WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, i); - - if (x509 == NULL) { - WOLFSSL_MSG("Unable to get x509 from chain"); - wolfSSL_sk_X509_free(sk); - return NULL; - } - - if (wolfSSL_sk_X509_push(sk, x509) != SSL_SUCCESS) { - WOLFSSL_MSG("Unable to load x509 into stack"); - wolfSSL_sk_X509_free(sk); - wolfSSL_X509_free(x509); - return NULL; - } - } - -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) - /* add CA used to verify top of chain to the list */ - if (c->count > 0) { - WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1); - if (x509 != NULL) { - WOLFSSL_X509* issuer = NULL; - if (wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, x509) - == WOLFSSL_SUCCESS) { - /* check that the certificate being looked up is not self - * signed and that a issuer was found */ - if (issuer != NULL && wolfSSL_X509_NAME_cmp(&x509->issuer, - &x509->subject) != 0) { - if (wolfSSL_sk_X509_push(sk, issuer) != SSL_SUCCESS) { - WOLFSSL_MSG("Unable to load CA x509 into stack"); - wolfSSL_sk_X509_free(sk); - wolfSSL_X509_free(issuer); - return NULL; - } - } - else { - WOLFSSL_MSG("Certificate is self signed"); - if (issuer != NULL) - wolfSSL_X509_free(issuer); - } - } - else { - WOLFSSL_MSG("Could not find CA for certificate"); - } - } - } -#endif - - } -#endif /* SESSION_CERTS */ - - return ctx->chain; -} - -/* make shallow copy of the stack, data pointers are copied by reference */ -WOLFSSL_STACK* wolfSSL_sk_X509_dup(WOLFSSL_STACK* sk) -{ - unsigned long i; - WOLFSSL_STACK* dup = NULL; - WOLFSSL_STACK* node = NULL; - WOLFSSL_STACK *dIdx = NULL, *sIdx = sk; - - if (sk == NULL) { - return NULL; - } - - for (i = 0; i < sk->num; i++) { - - node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_X509); - if (node == NULL) { - if (i != 0) { - wolfSSL_sk_free(dup); - } - WOLFSSL_MSG("Memory error"); - return NULL; - } - XMEMSET(node, 0, sizeof(WOLFSSL_STACK)); - - /* copy sk node to new node, data by reference */ - node->data.x509 = sIdx->data.x509; - node->num = sIdx->num; - - /* insert node into list, progress idx */ - if (i == 0) { - dup = node; - } else { - dIdx->next = node; - } - - dIdx = node; - sIdx = sIdx->next; - } - - return dup; -} - - -/* like X509_STORE_CTX_get_chain(), but return a copy with data reference - counts increased */ -WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get1_chain(WOLFSSL_X509_STORE_CTX* ctx) -{ - unsigned long i; - WOLFSSL_STACK* ref; - WOLFSSL_STACK* dup; - - if (ctx == NULL) { - return NULL; - } - - /* get chain in ctx */ - ref = wolfSSL_X509_STORE_CTX_get_chain(ctx); - if (ref == NULL) { - return ref; - } - - /* create duplicate of ctx chain */ - dup = wolfSSL_sk_X509_dup(ref); - if (dup == NULL) { - return NULL; - } - - /* increase ref counts of inner data X509 */ - ref = dup; - for (i = 0; i < dup->num && ref != NULL; i++) { - if (wc_LockMutex(&ref->data.x509->refMutex) != 0) { - WOLFSSL_MSG("Failed to lock x509 mutex"); - } - ref->data.x509->refCount++; - wc_UnLockMutex(&ref->data.x509->refMutex); - ref = ref->next; - } - - return dup; -} - - -int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509) -{ - int result = WOLFSSL_FATAL_ERROR; - - WOLFSSL_ENTER("wolfSSL_X509_STORE_add_cert"); - if (store != NULL && store->cm != NULL && x509 != NULL - && x509->derCert != NULL) { - DerBuffer* derCert = NULL; - - result = AllocDer(&derCert, x509->derCert->length, - x509->derCert->type, NULL); - if (result == 0) { - /* AddCA() frees the buffer. */ - XMEMCPY(derCert->buffer, - x509->derCert->buffer, x509->derCert->length); - result = AddCA(store->cm, &derCert, WOLFSSL_USER_CA, VERIFY); - } - } - - WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_cert", result); - - if (result != WOLFSSL_SUCCESS) { - result = WOLFSSL_FATAL_ERROR; - } - - return result; -} - -WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void) -{ - WOLFSSL_X509_STORE* store = NULL; - WOLFSSL_ENTER("SSL_X509_STORE_new"); - - if ((store = (WOLFSSL_X509_STORE*)XMALLOC(sizeof(WOLFSSL_X509_STORE), NULL, - DYNAMIC_TYPE_X509_STORE)) == NULL) - goto err_exit; - - XMEMSET(store, 0, sizeof(WOLFSSL_X509_STORE)); - store->isDynamic = 1; - - if ((store->cm = wolfSSL_CertManagerNew()) == NULL) - goto err_exit; - -#ifdef HAVE_CRL - store->crl = NULL; - if ((store->crl = (WOLFSSL_X509_CRL *)XMALLOC(sizeof(WOLFSSL_X509_CRL), - NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL) - goto err_exit; - if (InitCRL(store->crl, NULL) < 0) - goto err_exit; -#endif - -#ifdef OPENSSL_EXTRA - if ((store->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( - sizeof(WOLFSSL_X509_VERIFY_PARAM), - NULL,DYNAMIC_TYPE_OPENSSL)) == NULL) - goto err_exit; - -#endif - - return store; - -err_exit: - if (store == NULL) - return NULL; - - wolfSSL_X509_STORE_free(store); - - return NULL; -} - - -void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) -{ - if (store != NULL && store->isDynamic) { - if (store->cm != NULL) - wolfSSL_CertManagerFree(store->cm); -#ifdef HAVE_CRL - if (store->crl != NULL) - wolfSSL_X509_CRL_free(store->crl); -#endif -#ifdef OPENSSL_EXTRA - if (store->param != NULL) - XFREE(store->param, NULL, DYNAMIC_TYPE_OPENSSL); -#endif - XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE); - } -} - - -int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store, unsigned long flag) -{ - int ret = WOLFSSL_SUCCESS; - - WOLFSSL_ENTER("wolfSSL_X509_STORE_set_flags"); - - if (store == NULL) - return WOLFSSL_FAILURE; - - if ((flag & WOLFSSL_CRL_CHECKALL) || (flag & WOLFSSL_CRL_CHECK)) { - ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag); - } - - (void)store; - (void)flag; - - return ret; -} - - -int wolfSSL_X509_STORE_set_default_paths(WOLFSSL_X509_STORE* store) -{ - (void)store; - return WOLFSSL_SUCCESS; -} - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_X509_STORE_get_by_subject(WOLFSSL_X509_STORE_CTX* ctx, int idx, - WOLFSSL_X509_NAME* name, WOLFSSL_X509_OBJECT* obj) -{ - (void)ctx; - (void)idx; - (void)name; - (void)obj; - WOLFSSL_STUB("X509_STORE_get_by_subject"); - return 0; -} -#endif - -WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new(void) -{ - WOLFSSL_X509_STORE_CTX* ctx; - WOLFSSL_ENTER("X509_STORE_CTX_new"); - - ctx = (WOLFSSL_X509_STORE_CTX*)XMALLOC(sizeof(WOLFSSL_X509_STORE_CTX), NULL, - DYNAMIC_TYPE_X509_CTX); - if (ctx != NULL) { - ctx->param = NULL; - wolfSSL_X509_STORE_CTX_init(ctx, NULL, NULL, NULL); - } - - return ctx; -} - - -int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, - WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509, WOLF_STACK_OF(WOLFSSL_X509)* sk) -{ - WOLFSSL_X509* x509_cert; - int ret = 0; - (void)sk; - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_init"); - - if (ctx != NULL) { - ctx->store = store; - #ifndef WOLFSSL_X509_STORE_CERTS - ctx->current_cert = x509; - #else - if(x509 != NULL){ - ctx->current_cert = wolfSSL_X509_d2i(NULL, x509->derCert->buffer,x509->derCert->length); - if(ctx->current_cert == NULL) - return WOLFSSL_FATAL_ERROR; - } else - ctx->current_cert = NULL; - #endif - - ctx->chain = sk; - /* Add intermediate certificates from stack to store */ - while (sk != NULL) { - x509_cert = sk->data.x509; - if (x509_cert != NULL && x509_cert->isCa) { - ret = wolfSSL_X509_STORE_add_cert(store, x509_cert); - if (ret < 0) { - return WOLFSSL_FATAL_ERROR; - } - } - sk = sk->next; - } - - ctx->sesChain = NULL; - ctx->domain = NULL; -#if defined(HAVE_EX_DATA) || defined(FORTRESS) - XMEMSET(&ctx->ex_data, 0, sizeof(ctx->ex_data)); -#endif - ctx->userCtx = NULL; - ctx->error = 0; - ctx->error_depth = 0; - ctx->discardSessionCerts = 0; -#ifdef OPENSSL_EXTRA - if (ctx->param == NULL) { - ctx->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( - sizeof(WOLFSSL_X509_VERIFY_PARAM), - NULL,DYNAMIC_TYPE_OPENSSL); - if (ctx->param == NULL){ - WOLFSSL_MSG("wolfSSL_X509_STORE_CTX_init failed"); - return SSL_FATAL_ERROR; - } - } -#endif - return SSL_SUCCESS; - } - return WOLFSSL_FATAL_ERROR; -} - - -void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx) -{ - WOLFSSL_ENTER("X509_STORE_CTX_free"); - if (ctx != NULL) { - #if !defined(OPENSSL_ALL) && !defined(WOLFSSL_QT) - if (ctx->store != NULL) - wolfSSL_X509_STORE_free(ctx->store); - #ifndef WOLFSSL_KEEP_STORE_CERTS - if (ctx->current_cert != NULL) - wolfSSL_FreeX509(ctx->current_cert); - #endif - #endif /* !OPENSSL_ALL && !WOLFSSL_QT */ -#ifdef OPENSSL_EXTRA - if (ctx->param != NULL){ - XFREE(ctx->param,NULL,DYNAMIC_TYPE_OPENSSL); - } -#endif - XFREE(ctx, NULL, DYNAMIC_TYPE_X509_CTX); - } -} - - -void wolfSSL_X509_STORE_CTX_cleanup(WOLFSSL_X509_STORE_CTX* ctx) -{ - (void)ctx; - /* Do nothing */ -} - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) -/* Returns corresponding X509 error from internal ASN error <e> */ -static int GetX509Error(int e) -{ - switch (e) { - case ASN_BEFORE_DATE_E: - return X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; - case ASN_AFTER_DATE_E: - return X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; - case ASN_NO_SIGNER_E: - return X509_V_ERR_INVALID_CA; - case ASN_SELF_SIGNED_E: - return X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; - case ASN_PATHLEN_INV_E: - case ASN_PATHLEN_SIZE_E: - return X509_V_ERR_PATH_LENGTH_EXCEEDED; - case ASN_SIG_OID_E: - case ASN_SIG_CONFIRM_E: - case ASN_SIG_HASH_E: - case ASN_SIG_KEY_E: - return X509_V_ERR_CERT_SIGNATURE_FAILURE; - default: - WOLFSSL_MSG("Error not configured or implemented yet"); - return e; - } -} -#endif - -/* Verifies certificate chain using WOLFSSL_X509_STORE_CTX - * returns 0 on success or < 0 on failure. - */ -int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) -{ - int ret = 0; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - int depth = 0; - int error; - byte *afterDate, *beforeDate; -#endif - WOLFSSL_ENTER("wolfSSL_X509_verify_cert"); - - if (ctx != NULL && ctx->store != NULL && ctx->store->cm != NULL - && ctx->current_cert != NULL && ctx->current_cert->derCert != NULL) { - ret = wolfSSL_CertManagerVerifyBuffer(ctx->store->cm, - ctx->current_cert->derCert->buffer, - ctx->current_cert->derCert->length, - WOLFSSL_FILETYPE_ASN1); - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - /* If there was an error, process it and add it to CTX */ - if (ret < 0) { - /* Get corresponding X509 error */ - error = GetX509Error(ret); - /* Set error depth */ - if (ctx->chain) - depth = (int)ctx->chain->num; - - wolfSSL_X509_STORE_CTX_set_error(ctx, error); - wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth); - ctx->store->verify_cb(0, ctx); - } - - error = 0; - /* wolfSSL_CertManagerVerifyBuffer only returns ASN_AFTER_DATE_E or - ASN_BEFORE_DATE_E if there are no additional errors found in the - cert. Therefore, check if the cert is expired or not yet valid - in order to return the correct expected error. */ - afterDate = ctx->current_cert->notAfter.data; - beforeDate = ctx->current_cert->notBefore.data; - - if (ValidateDate(afterDate, ctx->current_cert->notAfter.type, - AFTER) < 1) { - error = X509_V_ERR_CERT_HAS_EXPIRED; - } - else if (ValidateDate(beforeDate, ctx->current_cert->notBefore.type, - BEFORE) < 1) { - error = X509_V_ERR_CERT_NOT_YET_VALID; - } - - if (error != 0 ) { - wolfSSL_X509_STORE_CTX_set_error(ctx, error); - wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth); - if (ctx->store && ctx->store->verify_cb) - ctx->store->verify_cb(0, ctx); - } -#endif /* OPENSSL_ALL || WOLFSSL_QT */ - return ret; - } - return WOLFSSL_FATAL_ERROR; -} - - -/* Use the public key to verify the signature. Note: this only verifies - * the certificate signature. - * returns WOLFSSL_SUCCESS on successful signature verification */ -int wolfSSL_X509_verify(WOLFSSL_X509* x509, WOLFSSL_EVP_PKEY* pkey) -{ - int ret; - const byte* der; - int derSz = 0; - int type; - - if (x509 == NULL || pkey == NULL) { - return WOLFSSL_FATAL_ERROR; - } - - der = wolfSSL_X509_get_der(x509, &derSz); - if (der == NULL) { - WOLFSSL_MSG("Error getting WOLFSSL_X509 DER"); - return WOLFSSL_FATAL_ERROR; - } - - switch (pkey->type) { - case EVP_PKEY_RSA: - type = RSAk; - break; - - case EVP_PKEY_EC: - type = ECDSAk; - break; - - case EVP_PKEY_DSA: - type = DSAk; - break; - - default: - WOLFSSL_MSG("Unknown pkey key type"); - return WOLFSSL_FATAL_ERROR; - } - - ret = CheckCertSignaturePubKey(der, derSz, x509->heap, - (unsigned char*)pkey->pkey.ptr, pkey->pkey_sz, type); - if (ret == 0) { - return WOLFSSL_SUCCESS; - } - return WOLFSSL_FAILURE; -} -#endif /* NO_CERTS */ - -#if !defined(NO_FILESYSTEM) -static void *wolfSSL_d2i_X509_fp_ex(XFILE file, void **x509, int type) -{ - void *newx509 = NULL; - byte *fileBuffer = NULL; - long sz = 0; - - /* init variable */ - if (x509) - *x509 = NULL; - - /* argument check */ - if (file == XBADFILE) { - return NULL; - } - - /* determine file size */ - if (XFSEEK(file, 0, XSEEK_END) != 0) { - return NULL; - } - sz = XFTELL(file); - XREWIND(file); - - if (sz > MAX_WOLFSSL_FILE_SIZE || sz <= 0) { - WOLFSSL_MSG("d2i_X509_fp_ex file size error"); - return NULL; - } - - fileBuffer = (byte *)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE); - if (fileBuffer != NULL) { - if ((long)XFREAD(fileBuffer, 1, sz, file) != sz) { - WOLFSSL_MSG("File read failed"); - goto err_exit; - } - if (type == CERT_TYPE) { - newx509 = (void *)wolfSSL_X509_d2i(NULL, fileBuffer, (int)sz); - } - #ifdef HAVE_CRL - else if (type == CRL_TYPE) { - newx509 = (void *)wolfSSL_d2i_X509_CRL(NULL, fileBuffer, (int)sz); - } - #endif - #if !defined(NO_ASN) && !defined(NO_PWDBASED) - else if (type == PKCS12_TYPE) { - if ((newx509 = wc_PKCS12_new()) == NULL) { - goto err_exit; - } - if (wc_d2i_PKCS12(fileBuffer, (int)sz, (WC_PKCS12*)newx509) < 0) { - goto err_exit; - } - } - #endif - else { - goto err_exit; - } - if (newx509 == NULL) { - WOLFSSL_MSG("X509 failed"); - goto err_exit; - } - } - - if (x509) - *x509 = newx509; - - goto _exit; - -err_exit: -#if !defined(NO_ASN) && !defined(NO_PWDBASED) - if ((newx509 != NULL) && (type == PKCS12_TYPE)) { - wc_PKCS12_free((WC_PKCS12*)newx509); - newx509 = NULL; - } -#endif -_exit: - if (fileBuffer != NULL) - XFREE(fileBuffer, NULL, DYNAMIC_TYPE_FILE); - - return newx509; -} - -WOLFSSL_X509_PKCS12 *wolfSSL_d2i_PKCS12_fp(XFILE fp, WOLFSSL_X509_PKCS12 **pkcs12) -{ - WOLFSSL_ENTER("wolfSSL_d2i_PKCS12_fp"); - return (WOLFSSL_X509_PKCS12 *)wolfSSL_d2i_X509_fp_ex(fp, (void **)pkcs12, PKCS12_TYPE); -} - -WOLFSSL_X509 *wolfSSL_d2i_X509_fp(XFILE fp, WOLFSSL_X509 **x509) -{ - WOLFSSL_ENTER("wolfSSL_d2i_X509_fp"); - return (WOLFSSL_X509 *)wolfSSL_d2i_X509_fp_ex(fp, (void **)x509, CERT_TYPE); -} -#endif /* !NO_FILESYSTEM */ - - -#ifdef HAVE_CRL -#ifndef NO_FILESYSTEM -WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE fp, WOLFSSL_X509_CRL **crl) -{ - WOLFSSL_ENTER("wolfSSL_d2i_X509_CRL_fp"); - return (WOLFSSL_X509_CRL *)wolfSSL_d2i_X509_fp_ex(fp, (void **)crl, CRL_TYPE); -} -#endif /* !NO_FILESYSTEM */ - - -WOLFSSL_X509_CRL* wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL** crl, - const unsigned char* in, int len) -{ - WOLFSSL_X509_CRL *newcrl = NULL; - int ret = WOLFSSL_SUCCESS; - - WOLFSSL_ENTER("wolfSSL_d2i_X509_CRL"); - - if (in == NULL) { - WOLFSSL_MSG("Bad argument value"); - } else { - newcrl = (WOLFSSL_X509_CRL*)XMALLOC(sizeof(WOLFSSL_X509_CRL), NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (newcrl == NULL){ - WOLFSSL_MSG("New CRL allocation failed"); - } else { - ret = InitCRL(newcrl, NULL); - if (ret < 0) { - WOLFSSL_MSG("Init tmp CRL failed"); - } else { - ret = BufferLoadCRL(newcrl, in, len, WOLFSSL_FILETYPE_ASN1, - NO_VERIFY); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Buffer Load CRL failed"); - } else { - if (crl) { - *crl = newcrl; - } - } - } - } - } - - if((ret != WOLFSSL_SUCCESS) && (newcrl != NULL)) { - wolfSSL_X509_CRL_free(newcrl); - newcrl = NULL; - } - - return newcrl; -} - -void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl) -{ - WOLFSSL_ENTER("wolfSSL_X509_CRL_free"); - - FreeCRL(crl, 1); - return; -} -#endif /* HAVE_CRL */ - -#ifndef NO_WOLFSSL_STUB -WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) -{ - (void)crl; - WOLFSSL_STUB("X509_CRL_get_lastUpdate"); - return 0; -} -#endif -#ifndef NO_WOLFSSL_STUB -WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_nextUpdate(WOLFSSL_X509_CRL* crl) -{ - (void)crl; - WOLFSSL_STUB("X509_CRL_get_nextUpdate"); - return 0; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_X509_CRL_verify(WOLFSSL_X509_CRL* crl, WOLFSSL_EVP_PKEY* key) -{ - (void)crl; - (void)key; - WOLFSSL_STUB("X509_CRL_verify"); - return 0; -} -#endif -#endif /* OPENSSL_EXTRA */ - -#ifdef OPENSSL_EXTRA - -/* Gets pointer to X509_STORE that was used to create context. - * - * Return valid pointer on success, NULL if ctx was NULL or not initialized - */ -WOLFSSL_X509_STORE* wolfSSL_X509_STORE_CTX_get0_store( - WOLFSSL_X509_STORE_CTX* ctx) -{ - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get0_store"); - - if (ctx == NULL) - return NULL; - - return ctx->store; -} - -WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get0_cert(WOLFSSL_X509_STORE_CTX* ctx) -{ - if (ctx == NULL) - return NULL; - - return ctx->current_cert; -} - -void wolfSSL_X509_STORE_CTX_set_time(WOLFSSL_X509_STORE_CTX* ctx, - unsigned long flags, - time_t t) -{ - (void)flags; - - if (ctx == NULL || ctx->param == NULL) - return; - - ctx->param->check_time = t; - ctx->param->flags |= WOLFSSL_USE_CHECK_TIME; -} - -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) -#ifndef NO_WOLFSSL_STUB -int wolfSSL_X509_STORE_CTX_set_purpose(WOLFSSL_X509_STORE_CTX *ctx, - int purpose) -{ - (void)ctx; - (void)purpose; - WOLFSSL_STUB("wolfSSL_X509_STORE_CTX_set_purpose"); - return 0; -} -#endif -#endif /* WOLFSSL_QT || OPENSSL_ALL */ - -#ifndef NO_WOLFSSL_STUB -/* Returns default file name and path of config file. However - a wolfssl.cnf file is not currently supported */ -char* wolfSSL_CONF_get1_default_config_file(void) -{ - WOLFSSL_ENTER("wolfSSL_CONF_get1_default_config_file"); - WOLFSSL_STUB("CONF_get1_default_config_file"); - return NULL; -} -#endif -/****************************************************************************** -* wolfSSL_X509_VERIFY_PARAM_set1_host - sets the DNS hostname to name -* hostnames is cleared if name is NULL or empty. -* -* RETURNS: -* -*/ -int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, - const char* name, - unsigned int nameSz) -{ - unsigned int sz = 0; - - if (pParam == NULL) - return WOLFSSL_FAILURE; - - XMEMSET(pParam->hostName, 0, WOLFSSL_HOST_NAME_MAX); - - if (name == NULL) - return WOLFSSL_SUCCESS; - - sz = (unsigned int)XSTRLEN(name); - - /* If name is NUL-terminated, namelen can be set to zero. */ - if(nameSz == 0 || nameSz > sz) - nameSz = sz; - - if (nameSz > 0 && name[nameSz - 1] == '\0') - nameSz--; - - if (nameSz > WOLFSSL_HOST_NAME_MAX-1) - nameSz = WOLFSSL_HOST_NAME_MAX-1; - - if (nameSz > 0) - XMEMCPY(pParam->hostName, name, nameSz); - - pParam->hostName[nameSz] = '\0'; - - return WOLFSSL_SUCCESS; -} -/****************************************************************************** -* wolfSSL_get0_param - return a pointer to the SSL verification parameters -* -* RETURNS: -* returns pointer to the SSL verification parameters on success, -* otherwise returns NULL -*/ -WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl) -{ - if (ssl == NULL) { - return NULL; - } - return ssl->param; -} - -/* Set the host flag in the X509_VERIFY_PARAM structure */ -void wolfSSL_X509_VERIFY_PARAM_set_hostflags(WOLFSSL_X509_VERIFY_PARAM* param, - unsigned int flags) -{ - if (param != NULL) { - param->hostFlags = flags; - } -} - -/* Sets the expected IP address to ipasc. - * - * param is a pointer to the X509_VERIFY_PARAM structure - * ipasc is a NULL-terminated string with N.N.N.N for IPv4 and - * HH:HH ... HH:HH for IPv6. There is no validation performed on the - * parameter, and it must be an exact match with the IP in the cert. - * - * return 1 for success and 0 for failure*/ -int wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(WOLFSSL_X509_VERIFY_PARAM *param, - const char *ipasc) -{ - int ret = WOLFSSL_FAILURE; - - if (param != NULL) { - if (ipasc == NULL) { - param->ipasc[0] = '\0'; - } - else { - XSTRNCPY(param->ipasc, ipasc, WOLFSSL_MAX_IPSTR-1); - param->ipasc[WOLFSSL_MAX_IPSTR-1] = '\0'; - } - ret = WOLFSSL_SUCCESS; - } - - return ret; -} - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_X509_OBJECT_free_contents(WOLFSSL_X509_OBJECT* obj) -{ - (void)obj; - WOLFSSL_STUB("X509_OBJECT_free_contents"); -} -#endif - -#ifndef NO_ASN_TIME -int wolfSSL_X509_cmp_current_time(const WOLFSSL_ASN1_TIME* asnTime) -{ - return wolfSSL_X509_cmp_time(asnTime, NULL); -} - -/* return -1 if asnTime is earlier than or equal to cmpTime, and 1 otherwise - * return 0 on error - */ -int wolfSSL_X509_cmp_time(const WOLFSSL_ASN1_TIME* asnTime, time_t* cmpTime) -{ - int ret = WOLFSSL_FAILURE, i = 0; - time_t tmpTime, *pTime = &tmpTime; - byte data_ptr[MAX_TIME_STRING_SZ], inv = 0; - struct tm ts, *tmpTs, *ct; -#if defined(NEED_TMP_TIME) - /* for use with gmtime_r */ - struct tm tmpTimeStorage; - - tmpTs = &tmpTimeStorage; -#else - tmpTs = NULL; -#endif - (void)tmpTs; - - if (asnTime == NULL) { - return WOLFSSL_FAILURE; - } - - if (cmpTime == NULL) { - /* Use current time */ - *pTime = XTIME(0); - } - else { - pTime = cmpTime; - } - - /* Convert ASN1_time to time_t */ - XMEMSET(&ts, 0, sizeof(struct tm)); - - /* Check type */ - if (asnTime->type == ASN_UTC_TIME) { - /* 2-digit year */ - XMEMCPY(data_ptr, &asnTime->data[i], ASN_UTC_TIME_SIZE); - ts.tm_year = (data_ptr[i] - '0') * 10; i++; - ts.tm_year += data_ptr[i] - '0'; i++; - if (ts.tm_year < 70) { - ts.tm_year += 100; - } - } - else if (asnTime->type == ASN_GENERALIZED_TIME) { - /* 4-digit year */ - XMEMCPY(data_ptr, &asnTime->data[i], ASN_GENERALIZED_TIME_SIZE); - ts.tm_year = (data_ptr[i] - '0') * 1000; i++; - ts.tm_year += (data_ptr[i] - '0') * 100; i++; - ts.tm_year += (data_ptr[i] - '0') * 10; i++; - ts.tm_year += data_ptr[i] - '0'; i++; - ts.tm_year -= 1900; - } - else { - /* Invalid type */ - inv = 1; - } - - if (inv != 1) { - ts.tm_mon = (data_ptr[i] - '0') * 10; i++; - ts.tm_mon += (data_ptr[i] - '0') - 1; i++; /* January is 0 not 1 */ - ts.tm_mday = (data_ptr[i] - '0') * 10; i++; - ts.tm_mday += (data_ptr[i] - '0'); i++; - ts.tm_hour = (data_ptr[i] - '0') * 10; i++; - ts.tm_hour += (data_ptr[i] - '0'); i++; - ts.tm_min = (data_ptr[i] - '0') * 10; i++; - ts.tm_min += (data_ptr[i] - '0'); i++; - ts.tm_sec = (data_ptr[i] - '0') * 10; i++; - ts.tm_sec += (data_ptr[i] - '0'); - - /* Convert to time struct*/ - ct = XGMTIME(pTime, tmpTs); - - if (ct == NULL) - return GETTIME_ERROR; - - /* DateGreaterThan returns 1 for >; 0 for <= */ - ret = DateGreaterThan(&ts, ct) ? 1 : -1; - } - - return ret; -} -#endif /* !NO_ASN_TIME */ - -#if defined(OPENSSL_EXTRA) && !defined(NO_ASN_TIME) && !defined(USER_TIME) && \ - !defined(TIME_OVERRIDES) -WOLFSSL_ASN1_TIME *wolfSSL_X509_time_adj_ex(WOLFSSL_ASN1_TIME *asnTime, - int offset_day, long offset_sec, time_t *in_tm) -{ - /* get current time if in_tm is null */ - time_t t = in_tm ? *in_tm : XTIME(0); - return wolfSSL_ASN1_TIME_adj(asnTime, t, offset_day, offset_sec); -} - -WOLFSSL_ASN1_TIME *wolfSSL_X509_time_adj(WOLFSSL_ASN1_TIME *asnTime, - long offset_sec, time_t *in_tm) -{ - return wolfSSL_X509_time_adj_ex(asnTime, 0, offset_sec, in_tm); -} -#endif - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_sk_X509_REVOKED_num(WOLFSSL_X509_REVOKED* revoked) -{ - (void)revoked; - WOLFSSL_STUB("sk_X509_REVOKED_num"); - return 0; -} -#endif - -#ifndef NO_WOLFSSL_STUB -WOLFSSL_X509_REVOKED* wolfSSL_X509_CRL_get_REVOKED(WOLFSSL_X509_CRL* crl) -{ - (void)crl; - WOLFSSL_STUB("X509_CRL_get_REVOKED"); - return 0; -} -#endif - -#ifndef NO_WOLFSSL_STUB -WOLFSSL_X509_REVOKED* wolfSSL_sk_X509_REVOKED_value( - WOLFSSL_X509_REVOKED* revoked, int value) -{ - (void)revoked; - (void)value; - WOLFSSL_STUB("sk_X509_REVOKED_value"); - return 0; -} -#endif - -/* Used to create a new WOLFSSL_ASN1_INTEGER structure. - * returns a pointer to new structure on success and NULL on failure - */ -WOLFSSL_ASN1_INTEGER* wolfSSL_ASN1_INTEGER_new(void) -{ - WOLFSSL_ASN1_INTEGER* a; - - a = (WOLFSSL_ASN1_INTEGER*)XMALLOC(sizeof(WOLFSSL_ASN1_INTEGER), NULL, - DYNAMIC_TYPE_OPENSSL); - if (a == NULL) { - return NULL; - } - - XMEMSET(a, 0, sizeof(WOLFSSL_ASN1_INTEGER)); - a->data = a->intData; - a->dataMax = WOLFSSL_ASN1_INTEGER_MAX; - a->length = 0; - return a; -} - - -/* free's internal elements of WOLFSSL_ASN1_INTEGER and free's "in" itself */ -void wolfSSL_ASN1_INTEGER_free(WOLFSSL_ASN1_INTEGER* in) -{ - if (in != NULL) { - if (in->isDynamic) { - XFREE(in->data, NULL, DYNAMIC_TYPE_OPENSSL); - } - XFREE(in, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - - -/* Duplicate all WOLFSSL_ASN1_INTEGER members from src to dup - * src : WOLFSSL_ASN1_INTEGER to duplicate - * Returns pointer to duplicate WOLFSSL_ASN1_INTEGER - */ -WOLFSSL_ASN1_INTEGER* wolfSSL_ASN1_INTEGER_dup(const WOLFSSL_ASN1_INTEGER* src) -{ - WOLFSSL_ASN1_INTEGER* dup; - WOLFSSL_ENTER("wolfSSL_ASN1_INTEGER_dup"); - if (!src) - return NULL; - - dup = wolfSSL_ASN1_INTEGER_new(); - - if (dup == NULL) - return NULL; - - dup->negative = src->negative; - dup->dataMax = src->dataMax; - dup->isDynamic = src->isDynamic; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - dup->length = src->length; -#endif - XSTRNCPY((char*)dup->intData,(const char*)src->intData,WOLFSSL_ASN1_INTEGER_MAX); - - if (dup->isDynamic && src->data && dup->dataMax) { - dup->data = (unsigned char*) - XMALLOC(src->dataMax,NULL,DYNAMIC_TYPE_OPENSSL); - if (dup->data == NULL) { - wolfSSL_ASN1_INTEGER_free(dup); - return NULL; - } - XMEMCPY(dup->data,src->data,dup->dataMax); - } - return dup; -} - - -/* sets the value of WOLFSSL_ASN1_INTEGER a to the long value v. */ -int wolfSSL_ASN1_INTEGER_set(WOLFSSL_ASN1_INTEGER *a, long v) -{ - int ret = WOLFSSL_SUCCESS; /* return 1 for success and 0 for failure */ - int j; - unsigned int i = 0; - unsigned char tmp[sizeof(long)+1] = {0}; - - if (a != NULL) { - /* dynamically create data buffer, +2 for type and length */ - a->data = (unsigned char*)XMALLOC((sizeof(long)+1) + 2, NULL, - DYNAMIC_TYPE_OPENSSL); - if (a->data == NULL) { - wolfSSL_ASN1_INTEGER_free(a); - ret = WOLFSSL_FAILURE; - } - else { - a->dataMax = (int)(sizeof(long)+1) + 2; - a->isDynamic = 1; - } - } - else { - /* Invalid parameter */ - ret = WOLFSSL_FAILURE; - } - - - if (ret != WOLFSSL_FAILURE) { - /* Set type */ - a->data[i++] = ASN_INTEGER; - - /* Check for negative */ - if (v < 0) { - a->negative = 1; - v *= -1; - } - - /* Create char buffer */ - for (j = 0; j < (int)sizeof(long); j++) { - if (v == 0) { - break; - } - tmp[j] = (unsigned char)(v & 0xff); - v >>= 8; - } - - /* Set length */ - a->data[i++] = (unsigned char)((j == 0) ? ++j : j); - /* +2 for type and length */ - a->length = j + 2; - - /* Copy to data */ - for (; j > 0; j--) { - a->data[i++] = tmp[j-1]; - } - } - - return ret; -} - - -WOLFSSL_ASN1_INTEGER* wolfSSL_X509_get_serialNumber(WOLFSSL_X509* x509) -{ - WOLFSSL_ASN1_INTEGER* a; - int i = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_serialNumber"); - - a = wolfSSL_ASN1_INTEGER_new(); - if (a == NULL) - return NULL; - - /* Make sure there is space for the data, ASN.1 type and length. */ - if (x509->serialSz > (WOLFSSL_ASN1_INTEGER_MAX - 2)) { - /* dynamically create data buffer, +2 for type and length */ - a->data = (unsigned char*)XMALLOC(x509->serialSz + 2, NULL, - DYNAMIC_TYPE_OPENSSL); - if (a->data == NULL) { - wolfSSL_ASN1_INTEGER_free(a); - return NULL; - } - a->dataMax = x509->serialSz + 2; - a->isDynamic = 1; - } else { - /* Use array instead of dynamic memory */ - a->data = a->intData; - a->dataMax = WOLFSSL_ASN1_INTEGER_MAX; - } - - #ifdef WOLFSSL_QT - XMEMCPY(&a->data[i], x509->serial, x509->serialSz); - a->length = x509->serialSz; - #else - a->data[i++] = ASN_INTEGER; - i += SetLength(x509->serialSz, a->data + i); - XMEMCPY(&a->data[i], x509->serial, x509->serialSz); - a->length = x509->serialSz + 2; - #endif - - x509->serialNumber = a; - - return a; -} - -#endif /* OPENSSL_EXTRA */ - -#if defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) -#ifndef NO_ASN_TIME -int wolfSSL_ASN1_TIME_print(WOLFSSL_BIO* bio, const WOLFSSL_ASN1_TIME* asnTime) -{ - char buf[MAX_TIME_STRING_SZ]; - int ret = WOLFSSL_SUCCESS; - - WOLFSSL_ENTER("wolfSSL_ASN1_TIME_print"); - - if (bio == NULL || asnTime == NULL) { - WOLFSSL_MSG("NULL function argument"); - return WOLFSSL_FAILURE; - } - - if (wolfSSL_ASN1_TIME_to_string((WOLFSSL_ASN1_TIME*)asnTime, buf, - sizeof(buf)) == NULL) { - XMEMSET(buf, 0, MAX_TIME_STRING_SZ); - XMEMCPY(buf, "Bad time value", 14); - ret = WOLFSSL_FAILURE; - } - - if (wolfSSL_BIO_write(bio, buf, (int)XSTRLEN(buf)) <= 0) { - WOLFSSL_MSG("Unable to write to bio"); - return WOLFSSL_FAILURE; - } - - return ret; -} - -char* wolfSSL_ASN1_TIME_to_string(WOLFSSL_ASN1_TIME* t, char* buf, int len) -{ - WOLFSSL_ENTER("wolfSSL_ASN1_TIME_to_string"); - - if (t == NULL || buf == NULL || len < 5) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - - if (t->length > len) { - WOLFSSL_MSG("Length of date is longer then buffer"); - return NULL; - } - - if (!GetTimeString(t->data, t->type, buf, len)) { - return NULL; - } - - return buf; -} -#endif /* !NO_ASN_TIME */ -#endif /* WOLFSSL_MYSQL_COMPATIBLE || WOLFSSL_NGINX || WOLFSSL_HAPROXY || - OPENSSL_EXTRA*/ - - -#ifdef OPENSSL_EXTRA - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_ASN1_INTEGER_cmp(const WOLFSSL_ASN1_INTEGER* a, - const WOLFSSL_ASN1_INTEGER* b) -{ - (void)a; - (void)b; - WOLFSSL_STUB("ASN1_INTEGER_cmp"); - return 0; -} -#endif - -#ifndef NO_WOLFSSL_STUB -long wolfSSL_ASN1_INTEGER_get(const WOLFSSL_ASN1_INTEGER* i) -{ - (void)i; - WOLFSSL_STUB("ASN1_INTEGER_get"); - return 0; -} -#endif - -/* get X509_STORE_CTX ex_data, max idx is MAX_EX_DATA */ -void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx) -{ - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_ex_data"); - #if defined(HAVE_EX_DATA) || defined(FORTRESS) - if (ctx != NULL) { - return wolfSSL_CRYPTO_get_ex_data(&ctx->ex_data, idx); - } - #else - (void)ctx; - (void)idx; - #endif - return NULL; -} - - -/* set X509_STORE_CTX ex_data, max idx is MAX_EX_DATA. Return WOLFSSL_SUCCESS - * on success, WOLFSSL_FAILURE on error. */ -int wolfSSL_X509_STORE_CTX_set_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx, - void *data) -{ - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_ex_data"); - #if defined(HAVE_EX_DATA) || defined(FORTRESS) - if (ctx != NULL) - { - return wolfSSL_CRYPTO_set_ex_data(&ctx->ex_data, idx, data); - } - #else - (void)ctx; - (void)idx; - (void)data; - #endif - return WOLFSSL_FAILURE; -} - -#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) -void wolfSSL_X509_STORE_CTX_set_depth(WOLFSSL_X509_STORE_CTX* ctx, int depth) -{ - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_depth"); - if (ctx) - ctx->depth = depth; -} -#endif - - -WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get0_current_issuer( - WOLFSSL_X509_STORE_CTX* ctx) -{ - int ret; - WOLFSSL_X509* issuer; - - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get0_current_issuer"); - - if (ctx == NULL) { - return NULL; - } - - ret = wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, ctx->current_cert); - if (ret == WOLFSSL_SUCCESS) { - return issuer; - } - - return NULL; -} - - -/* Gets an index to store SSL structure at. - * - * Returns positive index on success and negative values on failure - */ -int wolfSSL_get_ex_data_X509_STORE_CTX_idx(void) -{ - WOLFSSL_ENTER("wolfSSL_get_ex_data_X509_STORE_CTX_idx"); - - /* store SSL at index 0 */ - return 0; -} - - -/* Set an error stat in the X509 STORE CTX - * - */ -void wolfSSL_X509_STORE_CTX_set_error(WOLFSSL_X509_STORE_CTX* ctx, int er) -{ - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_error"); - - if (ctx != NULL) { - ctx->error = er; - } -} - -/* Set the error depth in the X509 STORE CTX */ -void wolfSSL_X509_STORE_CTX_set_error_depth(WOLFSSL_X509_STORE_CTX* ctx, - int depth) -{ - WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_set_error_depth"); - - if (ctx != NULL) { - ctx->error_depth = depth; - } -} - -/* Sets a function callback that will send information about the state of all - * WOLFSSL objects that have been created by the WOLFSSL_CTX structure passed - * in. - * - * ctx WOLFSSL_CTX structure to set callback function in - * f callback function to use - */ -void wolfSSL_CTX_set_info_callback(WOLFSSL_CTX* ctx, - void (*f)(const WOLFSSL* ssl, int type, int val)) -{ - WOLFSSL_ENTER("wolfSSL_CTX_set_info_callback"); - if (ctx == NULL) { - WOLFSSL_MSG("Bad function argument"); - } - else { - ctx->CBIS = f; - } -} - - -unsigned long wolfSSL_ERR_peek_error(void) -{ - WOLFSSL_ENTER("wolfSSL_ERR_peek_error"); - - return wolfSSL_ERR_peek_error_line_data(NULL, NULL, NULL, NULL); -} - -int wolfSSL_ERR_GET_LIB(unsigned long err) -{ - switch (err) { - case PEM_R_NO_START_LINE: - case PEM_R_PROBLEMS_GETTING_PASSWORD: - case PEM_R_BAD_PASSWORD_READ: - case PEM_R_BAD_DECRYPT: - return ERR_LIB_PEM; - case EVP_R_BAD_DECRYPT: - case EVP_R_BN_DECODE_ERROR: - case EVP_R_DECODE_ERROR: - case EVP_R_PRIVATE_KEY_DECODE_ERROR: - return ERR_LIB_EVP; - default: - return 0; - } -} - -/* This function is to find global error values that are the same through out - * all library version. With wolfSSL having only one set of error codes the - * return value is pretty straight forward. The only thing needed is all wolfSSL - * error values are typically negative. - * - * Returns the error reason - */ -int wolfSSL_ERR_GET_REASON(unsigned long err) -{ - int ret = (int)err; - - WOLFSSL_ENTER("wolfSSL_ERR_GET_REASON"); - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - /* Nginx looks for this error to know to stop parsing certificates. */ - if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE)) - return PEM_R_NO_START_LINE; -#endif - - /* check if error value is in range of wolfSSL errors */ - ret = 0 - ret; /* setting as negative value */ - /* wolfCrypt range is less than MAX (-100) - wolfSSL range is MIN (-300) and lower */ - if (ret < MAX_CODE_E && ret > MIN_CODE_E) { - return ret; - } - else { - WOLFSSL_MSG("Not in range of typical error values"); - ret = (int)err; - } - - return ret; -} - - -/* returns a string that describes the alert - * - * alertID the alert value to look up - */ -const char* wolfSSL_alert_type_string_long(int alertID) -{ - WOLFSSL_ENTER("wolfSSL_alert_type_string_long"); - - switch (alertID) { - case close_notify: - { - static const char close_notify_str[] = - "close_notify"; - return close_notify_str; - } - - case unexpected_message: - { - static const char unexpected_message_str[] = - "unexpected_message"; - return unexpected_message_str; - } - - case bad_record_mac: - { - static const char bad_record_mac_str[] = - "bad_record_mac"; - return bad_record_mac_str; - } - - case record_overflow: - { - static const char record_overflow_str[] = - "record_overflow"; - return record_overflow_str; - } - - case decompression_failure: - { - static const char decompression_failure_str[] = - "decompression_failure"; - return decompression_failure_str; - } - - case handshake_failure: - { - static const char handshake_failure_str[] = - "handshake_failure"; - return handshake_failure_str; - } - - case no_certificate: - { - static const char no_certificate_str[] = - "no_certificate"; - return no_certificate_str; - } - - case bad_certificate: - { - static const char bad_certificate_str[] = - "bad_certificate"; - return bad_certificate_str; - } - - case unsupported_certificate: - { - static const char unsupported_certificate_str[] = - "unsupported_certificate"; - return unsupported_certificate_str; - } - - case certificate_revoked: - { - static const char certificate_revoked_str[] = - "certificate_revoked"; - return certificate_revoked_str; - } - - case certificate_expired: - { - static const char certificate_expired_str[] = - "certificate_expired"; - return certificate_expired_str; - } - - case certificate_unknown: - { - static const char certificate_unknown_str[] = - "certificate_unknown"; - return certificate_unknown_str; - } - - case illegal_parameter: - { - static const char illegal_parameter_str[] = - "illegal_parameter"; - return illegal_parameter_str; - } - - case unknown_ca: - { - static const char unknown_ca_str[] = - "unknown_ca"; - return unknown_ca_str; - } - - case decode_error: - { - static const char decode_error_str[] = - "decode_error"; - return decode_error_str; - } - - case decrypt_error: - { - static const char decrypt_error_str[] = - "decrypt_error"; - return decrypt_error_str; - } - - #ifdef WOLFSSL_MYSQL_COMPATIBLE - /* catch name conflict for enum protocol with MYSQL build */ - case wc_protocol_version: - { - static const char wc_protocol_version_str[] = - "wc_protocol_version"; - return wc_protocol_version_str; - } - - #else - case protocol_version: - { - static const char protocol_version_str[] = - "protocol_version"; - return protocol_version_str; - } - - #endif - case no_renegotiation: - { - static const char no_renegotiation_str[] = - "no_renegotiation"; - return no_renegotiation_str; - } - - case unrecognized_name: - { - static const char unrecognized_name_str[] = - "unrecognized_name"; - return unrecognized_name_str; - } - - case bad_certificate_status_response: - { - static const char bad_certificate_status_response_str[] = - "bad_certificate_status_response"; - return bad_certificate_status_response_str; - } - - case no_application_protocol: - { - static const char no_application_protocol_str[] = - "no_application_protocol"; - return no_application_protocol_str; - } - - default: - WOLFSSL_MSG("Unknown Alert"); - return NULL; - } -} - - -const char* wolfSSL_alert_desc_string_long(int alertID) -{ - WOLFSSL_ENTER("wolfSSL_alert_desc_string_long"); - return wolfSSL_alert_type_string_long(alertID); -} - - -/* Gets the current state of the WOLFSSL structure - * - * ssl WOLFSSL structure to get state of - * - * Returns a human readable string of the WOLFSSL structure state - */ -const char* wolfSSL_state_string_long(const WOLFSSL* ssl) -{ - - static const char* OUTPUT_STR[14][6][3] = { - { - {"SSLv3 Initialization","SSLv3 Initialization","SSLv3 Initialization"}, - {"TLSv1 Initialization","TLSv2 Initialization","TLSv2 Initialization"}, - {"TLSv1_1 Initialization","TLSv1_1 Initialization","TLSv1_1 Initialization"}, - {"TLSv1_2 Initialization","TLSv1_2 Initialization","TLSv1_2 Initialization"}, - {"DTLSv1 Initialization","DTLSv1 Initialization","DTLSv1 Initialization"}, - {"DTLSv1_2 Initialization","DTLSv1_2 Initialization","DTLSv1_2 Initialization"}, - }, - { - {"SSLv3 read Server Hello Verify Request", - "SSLv3 write Server Hello Verify Request", - "SSLv3 Server Hello Verify Request"}, - {"TLSv1 read Server Hello Verify Request", - "TLSv1 write Server Hello Verify Request", - "TLSv1 Server Hello Verify Request"}, - {"TLSv1_1 read Server Hello Verify Request", - "TLSv1_1 write Server Hello Verify Request", - "TLSv1_1 Server Hello Verify Request"}, - {"TLSv1_2 read Server Hello Verify Request", - "TLSv1_2 write Server Hello Verify Request", - "TLSv1_2 Server Hello Verify Request"}, - {"DTLSv1 read Server Hello Verify Request", - "DTLSv1 write Server Hello Verify Request", - "DTLSv1 Server Hello Verify Request"}, - {"DTLSv1_2 read Server Hello Verify Request", - "DTLSv1_2 write Server Hello Verify Request", - "DTLSv1_2 Server Hello Verify Request"}, - }, - { - {"SSLv3 read Server Hello", - "SSLv3 write Server Hello", - "SSLv3 Server Hello"}, - {"TLSv1 read Server Hello", - "TLSv1 write Server Hello", - "TLSv1 Server Hello"}, - {"TLSv1_1 read Server Hello", - "TLSv1_1 write Server Hello", - "TLSv1_1 Server Hello"}, - {"TLSv1_2 read Server Hello", - "TLSv1_2 write Server Hello", - "TLSv1_2 Server Hello"}, - {"DTLSv1 read Server Hello", - "DTLSv1 write Server Hello", - "DTLSv1 Server Hello"}, - {"DTLSv1_2 read Server Hello" - "DTLSv1_2 write Server Hello", - "DTLSv1_2 Server Hello", - }, - }, - { - {"SSLv3 read Server Session Ticket", - "SSLv3 write Server Session Ticket", - "SSLv3 Server Session Ticket"}, - {"TLSv1 read Server Session Ticket", - "TLSv1 write Server Session Ticket", - "TLSv1 Server Session Ticket"}, - {"TLSv1_1 read Server Session Ticket", - "TLSv1_1 write Server Session Ticket", - "TLSv1_1 Server Session Ticket"}, - {"TLSv1_2 read Server Session Ticket", - "TLSv1_2 write Server Session Ticket", - "TLSv1_2 Server Session Ticket"}, - {"DTLSv1 read Server Session Ticket", - "DTLSv1 write Server Session Ticket", - "DTLSv1 Server Session Ticket"}, - {"DTLSv1_2 read Server Session Ticket", - "DTLSv1_2 write Server Session Ticket", - "DTLSv1_2 Server Session Ticket"}, - }, - { - {"SSLv3 read Server Cert", - "SSLv3 write Server Cert", - "SSLv3 Server Cert"}, - {"TLSv1 read Server Cert", - "TLSv1 write Server Cert", - "TLSv1 Server Cert"}, - {"TLSv1_1 read Server Cert", - "TLSv1_1 write Server Cert", - "TLSv1_1 Server Cert"}, - {"TLSv1_2 read Server Cert", - "TLSv1_2 write Server Cert", - "TLSv1_2 Server Cert"}, - {"DTLSv1 read Server Cert", - "DTLSv1 write Server Cert", - "DTLSv1 Server Cert"}, - {"DTLSv1_2 read Server Cert", - "DTLSv1_2 write Server Cert", - "DTLSv1_2 Server Cert"}, - }, - { - {"SSLv3 read Server Key Exchange", - "SSLv3 write Server Key Exchange", - "SSLv3 Server Key Exchange"}, - {"TLSv1 read Server Key Exchange", - "TLSv1 write Server Key Exchange", - "TLSv1 Server Key Exchange"}, - {"TLSv1_1 read Server Key Exchange", - "TLSv1_1 write Server Key Exchange", - "TLSv1_1 Server Key Exchange"}, - {"TLSv1_2 read Server Key Exchange", - "TLSv1_2 write Server Key Exchange", - "TLSv1_2 Server Key Exchange"}, - {"DTLSv1 read Server Key Exchange", - "DTLSv1 write Server Key Exchange", - "DTLSv1 Server Key Exchange"}, - {"DTLSv1_2 read Server Key Exchange", - "DTLSv1_2 write Server Key Exchange", - "DTLSv1_2 Server Key Exchange"}, - }, - { - {"SSLv3 read Server Hello Done", - "SSLv3 write Server Hello Done", - "SSLv3 Server Hello Done"}, - {"TLSv1 read Server Hello Done", - "TLSv1 write Server Hello Done", - "TLSv1 Server Hello Done"}, - {"TLSv1_1 read Server Hello Done", - "TLSv1_1 write Server Hello Done", - "TLSv1_1 Server Hello Done"}, - {"TLSv1_2 read Server Hello Done", - "TLSv1_2 write Server Hello Done", - "TLSv1_2 Server Hello Done"}, - {"DTLSv1 read Server Hello Done", - "DTLSv1 write Server Hello Done", - "DTLSv1 Server Hello Done"}, - {"DTLSv1_2 read Server Hello Done", - "DTLSv1_2 write Server Hello Done", - "DTLSv1_2 Server Hello Done"}, - }, - { - {"SSLv3 read Server Change CipherSpec", - "SSLv3 write Server Change CipherSpec", - "SSLv3 Server Change CipherSpec"}, - {"TLSv1 read Server Change CipherSpec", - "TLSv1 write Server Change CipherSpec", - "TLSv1 Server Change CipherSpec"}, - {"TLSv1_1 read Server Change CipherSpec", - "TLSv1_1 write Server Change CipherSpec", - "TLSv1_1 Server Change CipherSpec"}, - {"TLSv1_2 read Server Change CipherSpec", - "TLSv1_2 write Server Change CipherSpec", - "TLSv1_2 Server Change CipherSpec"}, - {"DTLSv1 read Server Change CipherSpec", - "DTLSv1 write Server Change CipherSpec", - "DTLSv1 Server Change CipherSpec"}, - {"DTLSv1_2 read Server Change CipherSpec", - "DTLSv1_2 write Server Change CipherSpec", - "DTLSv1_2 Server Change CipherSpec"}, - }, - { - {"SSLv3 read Server Finished", - "SSLv3 write Server Finished", - "SSLv3 Server Finished"}, - {"TLSv1 read Server Finished", - "TLSv1 write Server Finished", - "TLSv1 Server Finished"}, - {"TLSv1_1 read Server Finished", - "TLSv1_1 write Server Finished", - "TLSv1_1 Server Finished"}, - {"TLSv1_2 read Server Finished", - "TLSv1_2 write Server Finished", - "TLSv1_2 Server Finished"}, - {"DTLSv1 read Server Finished", - "DTLSv1 write Server Finished", - "DTLSv1 Server Finished"}, - {"DTLSv1_2 read Server Finished", - "DTLSv1_2 write Server Finished", - "DTLSv1_2 Server Finished"}, - }, - { - {"SSLv3 read Client Hello", - "SSLv3 write Client Hello", - "SSLv3 Client Hello"}, - {"TLSv1 read Client Hello", - "TLSv1 write Client Hello", - "TLSv1 Client Hello"}, - {"TLSv1_1 read Client Hello", - "TLSv1_1 write Client Hello", - "TLSv1_1 Client Hello"}, - {"TLSv1_2 read Client Hello", - "TLSv1_2 write Client Hello", - "TLSv1_2 Client Hello"}, - {"DTLSv1 read Client Hello", - "DTLSv1 write Client Hello", - "DTLSv1 Client Hello"}, - {"DTLSv1_2 read Client Hello", - "DTLSv1_2 write Client Hello", - "DTLSv1_2 Client Hello"}, - }, - { - {"SSLv3 read Client Key Exchange", - "SSLv3 write Client Key Exchange", - "SSLv3 Client Key Exchange"}, - {"TLSv1 read Client Key Exchange", - "TLSv1 write Client Key Exchange", - "TLSv1 Client Key Exchange"}, - {"TLSv1_1 read Client Key Exchange", - "TLSv1_1 write Client Key Exchange", - "TLSv1_1 Client Key Exchange"}, - {"TLSv1_2 read Client Key Exchange", - "TLSv1_2 write Client Key Exchange", - "TLSv1_2 Client Key Exchange"}, - {"DTLSv1 read Client Key Exchange", - "DTLSv1 write Client Key Exchange", - "DTLSv1 Client Key Exchange"}, - {"DTLSv1_2 read Client Key Exchange", - "DTLSv1_2 write Client Key Exchange", - "DTLSv1_2 Client Key Exchange"}, - }, - { - {"SSLv3 read Client Change CipherSpec", - "SSLv3 write Client Change CipherSpec", - "SSLv3 Client Change CipherSpec"}, - {"TLSv1 read Client Change CipherSpec", - "TLSv1 write Client Change CipherSpec", - "TLSv1 Client Change CipherSpec"}, - {"TLSv1_1 read Client Change CipherSpec", - "TLSv1_1 write Client Change CipherSpec", - "TLSv1_1 Client Change CipherSpec"}, - {"TLSv1_2 read Client Change CipherSpec", - "TLSv1_2 write Client Change CipherSpec", - "TLSv1_2 Client Change CipherSpec"}, - {"DTLSv1 read Client Change CipherSpec", - "DTLSv1 write Client Change CipherSpec", - "DTLSv1 Client Change CipherSpec"}, - {"DTLSv1_2 read Client Change CipherSpec", - "DTLSv1_2 write Client Change CipherSpec", - "DTLSv1_2 Client Change CipherSpec"}, - }, - { - {"SSLv3 read Client Finished", - "SSLv3 write Client Finished", - "SSLv3 Client Finished"}, - {"TLSv1 read Client Finished", - "TLSv1 write Client Finished", - "TLSv1 Client Finished"}, - {"TLSv1_1 read Client Finished", - "TLSv1_1 write Client Finished", - "TLSv1_1 Client Finished"}, - {"TLSv1_2 read Client Finished", - "TLSv1_2 write Client Finished", - "TLSv1_2 Client Finished"}, - {"DTLSv1 read Client Finished", - "DTLSv1 write Client Finished", - "DTLSv1 Client Finished"}, - {"DTLSv1_2 read Client Finished", - "DTLSv1_2 write Client Finished", - "DTLSv1_2 Client Finished"}, - }, - { - {"SSLv3 Handshake Done", - "SSLv3 Handshake Done", - "SSLv3 Handshake Done"}, - {"TLSv1 Handshake Done", - "TLSv1 Handshake Done", - "TLSv1 Handshake Done"}, - {"TLSv1_1 Handshake Done", - "TLSv1_1 Handshake Done", - "TLSv1_1 Handshake Done"}, - {"TLSv1_2 Handshake Done", - "TLSv1_2 Handshake Done", - "TLSv1_2 Handshake Done"}, - {"DTLSv1 Handshake Done", - "DTLSv1 Handshake Done", - "DTLSv1 Handshake Done"}, - {"DTLSv1_2 Handshake Done" - "DTLSv1_2 Handshake Done" - "DTLSv1_2 Handshake Done"} - } - }; - enum ProtocolVer { - SSL_V3 = 0, - TLS_V1, - TLS_V1_1, - TLS_V1_2, - DTLS_V1, - DTLS_V1_2, - UNKNOWN = 100 - }; - - enum IOMode { - SS_READ = 0, - SS_WRITE, - SS_NEITHER - }; - - enum SslState { - ss_null_state = 0, - ss_server_helloverify, - ss_server_hello, - ss_sessionticket, - ss_server_cert, - ss_server_keyexchange, - ss_server_hellodone, - ss_server_changecipherspec, - ss_server_finished, - ss_client_hello, - ss_client_keyexchange, - ss_client_changecipherspec, - ss_client_finished, - ss_handshake_done - }; - - int protocol = 0; - int cbmode = 0; - int state = 0; - - WOLFSSL_ENTER("wolfSSL_state_string_long"); - if (ssl == NULL) { - WOLFSSL_MSG("Null argument passed in"); - return NULL; - } - - /* Get state of callback */ - if (ssl->cbmode == SSL_CB_MODE_WRITE){ - cbmode = SS_WRITE; - } else if (ssl->cbmode == SSL_CB_MODE_READ){ - cbmode = SS_READ; - } else { - cbmode = SS_NEITHER; - } - - /* Get protocol version */ - switch (ssl->version.major){ - case SSLv3_MAJOR: - switch (ssl->version.minor){ - case TLSv1_MINOR: - protocol = TLS_V1; - break; - case TLSv1_1_MINOR: - protocol = TLS_V1_1; - break; - case TLSv1_2_MINOR: - protocol = TLS_V1_2; - break; - case SSLv3_MINOR: - protocol = SSL_V3; - break; - default: - protocol = UNKNOWN; - } - break; - case DTLS_MAJOR: - switch (ssl->version.minor){ - case DTLS_MINOR: - protocol = DTLS_V1; - break; - case DTLSv1_2_MINOR: - protocol = DTLS_V1_2; - break; - default: - protocol = UNKNOWN; - } - break; - default: - protocol = UNKNOWN; - } - - /* accept process */ - if (ssl->cbmode == SSL_CB_MODE_READ){ - state = ssl->cbtype; - switch (state) { - case hello_verify_request: - state = ss_server_helloverify; - break; - case session_ticket: - state = ss_sessionticket; - break; - case server_hello: - state = ss_server_hello; - break; - case server_hello_done: - state = ss_server_hellodone; - break; - case certificate: - state = ss_server_cert; - break; - case server_key_exchange: - state = ss_server_keyexchange; - break; - case client_hello: - state = ss_client_hello; - break; - case client_key_exchange: - state = ss_client_keyexchange; - break; - case finished: - if (ssl->options.side == WOLFSSL_SERVER_END) - state = ss_client_finished; - else if (ssl->options.side == WOLFSSL_CLIENT_END) - state = ss_server_finished; - else { - WOLFSSL_MSG("Unknown State"); - state = ss_null_state; - } - break; - default: - WOLFSSL_MSG("Unknown State"); - state = ss_null_state; - } - } else { - /* Send process */ - if (ssl->options.side == WOLFSSL_SERVER_END) - state = ssl->options.serverState; - else - state = ssl->options.clientState; - - switch(state){ - case SERVER_HELLOVERIFYREQUEST_COMPLETE: - state = ss_server_helloverify; - break; - case SERVER_HELLO_COMPLETE: - state = ss_server_hello; - break; - case SERVER_CERT_COMPLETE: - state = ss_server_cert; - break; - case SERVER_KEYEXCHANGE_COMPLETE: - state = ss_server_keyexchange; - break; - case SERVER_HELLODONE_COMPLETE: - state = ss_server_hellodone; - break; - case SERVER_CHANGECIPHERSPEC_COMPLETE: - state = ss_server_changecipherspec; - break; - case SERVER_FINISHED_COMPLETE: - state = ss_server_finished; - break; - case CLIENT_HELLO_COMPLETE: - state = ss_client_hello; - break; - case CLIENT_KEYEXCHANGE_COMPLETE: - state = ss_client_keyexchange; - break; - case CLIENT_CHANGECIPHERSPEC_COMPLETE: - state = ss_client_changecipherspec; - break; - case CLIENT_FINISHED_COMPLETE: - state = ss_client_finished; - break; - case HANDSHAKE_DONE: - state = ss_handshake_done; - break; - default: - WOLFSSL_MSG("Unknown State"); - state = ss_null_state; - } - } - - if (protocol == UNKNOWN) - return NULL; - else - return OUTPUT_STR[state][protocol][cbmode]; -} - -/* - * Sets default PEM callback password if null is passed into - * the callback parameter of a PEM_read_bio_* function. - * - * Returns callback phrase size on success or WOLFSSL_FAILURE otherwise. - */ -int wolfSSL_PEM_def_callback(char* name, int num, int w, void* key) -{ - int sz; - (void)w; - WOLFSSL_ENTER("wolfSSL_PEM_def_callback"); - - /* We assume that the user passes a default password as userdata */ - if (key) { - sz = (int)XSTRLEN((const char*)key); - sz = (sz > num) ? num : sz; - XMEMCPY(name, key, sz); - return sz; - } else { - WOLFSSL_MSG("Error, default password cannot be created."); - return WOLFSSL_FAILURE; - } -} - -#endif /* OPENSSL_EXTRA */ - -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) -static long wolf_set_options(long old_op, long op) -{ - /* if SSL_OP_ALL then turn all bug workarounds on */ - if ((op & SSL_OP_ALL) == SSL_OP_ALL) { - WOLFSSL_MSG("\tSSL_OP_ALL"); - } - - /* by default cookie exchange is on with DTLS */ - if ((op & SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE) { - WOLFSSL_MSG("\tSSL_OP_COOKIE_EXCHANGE : on by default"); - } - - if ((op & WOLFSSL_OP_NO_SSLv2) == WOLFSSL_OP_NO_SSLv2) { - WOLFSSL_MSG("\tWOLFSSL_OP_NO_SSLv2 : wolfSSL does not support SSLv2"); - } - -#ifdef SSL_OP_NO_TLSv1_3 - if ((op & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) { - WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_3"); - } -#endif - - if ((op & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { - WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_2"); - } - - if ((op & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { - WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_1"); - } - - if ((op & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { - WOLFSSL_MSG("\tSSL_OP_NO_TLSv1"); - } - - if ((op & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { - WOLFSSL_MSG("\tSSL_OP_NO_SSLv3"); - } - - if ((op & SSL_OP_CIPHER_SERVER_PREFERENCE) == SSL_OP_CIPHER_SERVER_PREFERENCE) { - WOLFSSL_MSG("\tSSL_OP_CIPHER_SERVER_PREFERENCE"); - } - - if ((op & SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION) { - #ifdef HAVE_LIBZ - WOLFSSL_MSG("SSL_OP_NO_COMPRESSION"); - #else - WOLFSSL_MSG("SSL_OP_NO_COMPRESSION: compression not compiled in"); - #endif - } - - return old_op | op; -} -#endif - -#ifdef OPENSSL_EXTRA -long wolfSSL_set_options(WOLFSSL* ssl, long op) -{ - word16 haveRSA = 1; - word16 havePSK = 0; - int keySz = 0; - - WOLFSSL_ENTER("wolfSSL_set_options"); - - if (ssl == NULL) { - return 0; - } - - ssl->options.mask = wolf_set_options(ssl->options.mask, op); - -#ifdef SSL_OP_NO_TLSv1_3 - if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) { - if (ssl->version.minor == TLSv1_3_MINOR) - ssl->version.minor = TLSv1_2_MINOR; - } -#endif - - if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { - if (ssl->version.minor == TLSv1_2_MINOR) - ssl->version.minor = TLSv1_1_MINOR; - } - - if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { - if (ssl->version.minor == TLSv1_1_MINOR) - ssl->version.minor = TLSv1_MINOR; - } - - if ((ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { - if (ssl->version.minor == TLSv1_MINOR) - ssl->version.minor = SSLv3_MINOR; - } - - if ((ssl->options.mask & SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION) { - #ifdef HAVE_LIBZ - ssl->options.usingCompression = 0; - #endif - } - - /* in the case of a version change the cipher suites should be reset */ -#ifndef NO_PSK - havePSK = ssl->options.havePSK; -#endif -#ifdef NO_RSA - haveRSA = 0; -#endif -#ifndef NO_CERTS - keySz = ssl->buffers.keySz; -#endif - - InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, - ssl->options.haveDH, ssl->options.haveNTRU, - ssl->options.haveECDSAsig, ssl->options.haveECC, - ssl->options.haveStaticECC, ssl->options.side); - - return ssl->options.mask; -} - - -long wolfSSL_get_options(const WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_get_options"); - if(ssl == NULL) - return WOLFSSL_FAILURE; - return ssl->options.mask; -} - -long wolfSSL_clear_options(WOLFSSL* ssl, long opt) -{ - WOLFSSL_ENTER("SSL_clear_options"); - if(ssl == NULL) - return WOLFSSL_FAILURE; - ssl->options.mask &= ~opt; - return ssl->options.mask; -} - - -#if defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SERVER_RENEGOTIATION_INFO) -/* clears the counter for number of renegotiations done - * returns the current count before it is cleared */ -long wolfSSL_clear_num_renegotiations(WOLFSSL *s) -{ - long total; - - WOLFSSL_ENTER("wolfSSL_clear_num_renegotiations"); - if (s == NULL) - return 0; - - total = s->secure_rene_count; - s->secure_rene_count = 0; - return total; -} - - -/* return the number of renegotiations since wolfSSL_new */ -long wolfSSL_total_renegotiations(WOLFSSL *s) -{ - WOLFSSL_ENTER("wolfSSL_total_renegotiations"); - return wolfSSL_num_renegotiations(s); -} - - -/* return the number of renegotiations since wolfSSL_new */ -long wolfSSL_num_renegotiations(WOLFSSL* s) -{ - if (s == NULL) { - return 0; - } - - return s->secure_rene_count; -} -#endif /* HAVE_SECURE_RENEGOTIATION || HAVE_SERVER_RENEGOTIATION_INFO */ - -#ifndef NO_DH -long wolfSSL_set_tmp_dh(WOLFSSL *ssl, WOLFSSL_DH *dh) -{ - int pSz, gSz; - byte *p, *g; - int ret = 0; - - WOLFSSL_ENTER("wolfSSL_set_tmp_dh"); - - if (!ssl || !dh) - return BAD_FUNC_ARG; - - /* Get needed size for p and g */ - pSz = wolfSSL_BN_bn2bin(dh->p, NULL); - gSz = wolfSSL_BN_bn2bin(dh->g, NULL); - - if (pSz <= 0 || gSz <= 0) - return WOLFSSL_FATAL_ERROR; - - p = (byte*)XMALLOC(pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if (!p) - return MEMORY_E; - - g = (byte*)XMALLOC(gSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if (!g) { - XFREE(p, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - return MEMORY_E; - } - - pSz = wolfSSL_BN_bn2bin(dh->p, p); - gSz = wolfSSL_BN_bn2bin(dh->g, g); - - if (pSz >= 0 && gSz >= 0) /* Conversion successful */ - ret = wolfSSL_SetTmpDH(ssl, p, pSz, g, gSz); - - XFREE(p, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - XFREE(g, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); - - return pSz > 0 && gSz > 0 ? ret : WOLFSSL_FATAL_ERROR; -} -#endif /* !NO_DH */ - - -#ifdef HAVE_PK_CALLBACKS -long wolfSSL_set_tlsext_debug_arg(WOLFSSL* ssl, void *arg) -{ - if (ssl == NULL) { - return WOLFSSL_FAILURE; - } - - ssl->loggingCtx = arg; - return WOLFSSL_SUCCESS; -} -#endif /* HAVE_PK_CALLBACKS */ - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY) -const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *sess, unsigned int *sid_ctx_length) -{ - const byte *c = wolfSSL_SESSION_get_id((SSL_SESSION *)sess, sid_ctx_length); - return c; -} -#endif - -/*** TBD ***/ -#ifndef NO_WOLFSSL_STUB -WOLFSSL_API int wolfSSL_sk_SSL_COMP_zero(WOLFSSL_STACK* st) -{ - (void)st; - WOLFSSL_STUB("wolfSSL_sk_SSL_COMP_zero"); - /* wolfSSL_set_options(ssl, SSL_OP_NO_COMPRESSION); */ - return WOLFSSL_FAILURE; -} -#endif - -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST -long wolfSSL_set_tlsext_status_type(WOLFSSL *s, int type) -{ - WOLFSSL_ENTER("wolfSSL_set_tlsext_status_type"); - - if (s == NULL){ - return BAD_FUNC_ARG; - } - - if (type == TLSEXT_STATUSTYPE_ocsp){ - int r = 0; - r = TLSX_UseCertificateStatusRequest(&s->extensions, type, 0, s, - s->heap, s->devId); - return (long)r; - } else { - WOLFSSL_MSG( - "SSL_set_tlsext_status_type only supports TLSEXT_STATUSTYPE_ocsp type."); - return SSL_FAILURE; - } - -} -#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ - -#ifndef NO_WOLFSSL_STUB -WOLFSSL_API long wolfSSL_get_tlsext_status_exts(WOLFSSL *s, void *arg) -{ - (void)s; - (void)arg; - WOLFSSL_STUB("wolfSSL_get_tlsext_status_exts"); - return WOLFSSL_FAILURE; -} -#endif - -/*** TBD ***/ -#ifndef NO_WOLFSSL_STUB -WOLFSSL_API long wolfSSL_set_tlsext_status_exts(WOLFSSL *s, void *arg) -{ - (void)s; - (void)arg; - WOLFSSL_STUB("wolfSSL_set_tlsext_status_exts"); - return WOLFSSL_FAILURE; -} -#endif - -/*** TBD ***/ -#ifndef NO_WOLFSSL_STUB -WOLFSSL_API long wolfSSL_get_tlsext_status_ids(WOLFSSL *s, void *arg) -{ - (void)s; - (void)arg; - WOLFSSL_STUB("wolfSSL_get_tlsext_status_ids"); - return WOLFSSL_FAILURE; -} -#endif - -/*** TBD ***/ -#ifndef NO_WOLFSSL_STUB -WOLFSSL_API long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg) -{ - (void)s; - (void)arg; - WOLFSSL_STUB("wolfSSL_set_tlsext_status_ids"); - return WOLFSSL_FAILURE; -} -#endif - -/*** TBD ***/ -#ifndef NO_WOLFSSL_STUB -WOLFSSL_API int SSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, unsigned int sid_len) -{ - (void)s; - (void)sid; - (void)sid_len; - WOLFSSL_STUB("SSL_SESSION_set1_id"); - return WOLFSSL_FAILURE; -} -#endif - -#ifndef NO_WOLFSSL_STUB -/*** TBD ***/ -WOLFSSL_API int SSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len) -{ - (void)s; - (void)sid_ctx; - (void)sid_ctx_len; - WOLFSSL_STUB("SSL_SESSION_set1_id_context"); - return WOLFSSL_FAILURE; -} -#endif - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD) \ - || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS) -WOLFSSL_X509_ALGOR* wolfSSL_X509_ALGOR_new(void) -{ - WOLFSSL_X509_ALGOR* ret; - ret = (WOLFSSL_X509_ALGOR*)XMALLOC(sizeof(WOLFSSL_X509_ALGOR), NULL, - DYNAMIC_TYPE_OPENSSL); - if (ret) { - XMEMSET(ret, 0, sizeof(WOLFSSL_X509_ALGOR)); - } - return ret; -} - -void wolfSSL_X509_ALGOR_free(WOLFSSL_X509_ALGOR *alg) -{ - if (alg) { - wolfSSL_ASN1_OBJECT_free(alg->algorithm); - wolfSSL_ASN1_TYPE_free(alg->parameter); - XFREE(alg, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - -/* Returns X509_ALGOR struct with signature algorithm */ -const WOLFSSL_X509_ALGOR* wolfSSL_X509_get0_tbs_sigalg(const WOLFSSL_X509 *x509) -{ - WOLFSSL_ENTER("X509_get0_tbs_sigalg"); - - if (x509 == NULL) { - WOLFSSL_MSG("x509 struct NULL error"); - return NULL; - } - - return &x509->algor; -} - -/* Sets paobj pointer to X509_ALGOR signature algorithm */ -void wolfSSL_X509_ALGOR_get0(const WOLFSSL_ASN1_OBJECT **paobj, int *pptype, - const void **ppval, const WOLFSSL_X509_ALGOR *algor) -{ - WOLFSSL_ENTER("X509_ALGOR_get0"); - - if (!algor) { - WOLFSSL_MSG("algor object is NULL"); - return; - } - - if (paobj) - *paobj = algor->algorithm; - if (ppval) - *ppval = algor->algorithm; - if (pptype) { - if (algor->parameter) { - *pptype = algor->parameter->type; - } - else { - /* Default to V_ASN1_OBJECT */ - *pptype = V_ASN1_OBJECT; - } - } -} - -/** - * Populate algor members. - * - * @param algor The object to be set - * @param aobj The value to be set in algor->algorithm - * @param ptype The type of algor->parameter - * @param pval The value of algor->parameter - * @return WOLFSSL_SUCCESS on success - * WOLFSSL_FAILURE on missing parameters or bad malloc - */ -int wolfSSL_X509_ALGOR_set0(WOLFSSL_X509_ALGOR *algor, WOLFSSL_ASN1_OBJECT *aobj, - int ptype, void *pval) -{ - if (!algor) { - return WOLFSSL_FAILURE; - } - if (aobj) { - algor->algorithm = aobj; - } - if (pval) { - if (!algor->parameter) { - algor->parameter = wolfSSL_ASN1_TYPE_new(); - if (!algor->parameter) { - return WOLFSSL_FAILURE; - } - } - wolfSSL_ASN1_TYPE_set(algor->parameter, ptype, pval); - } - return WOLFSSL_SUCCESS; -} - -/** - * Set `a` in a smart way. - * - * @param a Object to set - * @param type The type of object in value - * @param value Object to set - */ -void wolfSSL_ASN1_TYPE_set(WOLFSSL_ASN1_TYPE *a, int type, void *value) -{ - if (!a || !value) { - return; - } - switch (type) { - case V_ASN1_OBJECT: - a->value.object = value; - break; - case V_ASN1_UTCTIME: - a->value.utctime = value; - break; - case V_ASN1_GENERALIZEDTIME: - a->value.generalizedtime = value; - break; - default: - WOLFSSL_MSG("Unknown or unsupported ASN1_TYPE"); - return; - } - a->type = type; -} - -/** - * Allocate a new WOLFSSL_ASN1_TYPE object. - * - * @return New zero'ed WOLFSSL_ASN1_TYPE object - */ -WOLFSSL_ASN1_TYPE* wolfSSL_ASN1_TYPE_new(void) -{ - WOLFSSL_ASN1_TYPE* ret = (WOLFSSL_ASN1_TYPE*)XMALLOC(sizeof(WOLFSSL_ASN1_TYPE), - NULL, DYNAMIC_TYPE_OPENSSL); - if (!ret) - return NULL; - XMEMSET(ret, 0, sizeof(WOLFSSL_ASN1_TYPE)); - return ret; -} - -/** - * Free WOLFSSL_ASN1_TYPE and all its members. - * - * @param at Object to free - */ -void wolfSSL_ASN1_TYPE_free(WOLFSSL_ASN1_TYPE* at) -{ - if (at) { - switch (at->type) { - case V_ASN1_OBJECT: - wolfSSL_ASN1_OBJECT_free(at->value.object); - break; - case V_ASN1_UTCTIME: - wolfSSL_ASN1_TIME_free(at->value.utctime); - break; - case V_ASN1_GENERALIZEDTIME: - wolfSSL_ASN1_TIME_free(at->value.generalizedtime); - break; - default: - WOLFSSL_MSG("Unknown or unsupported ASN1_TYPE"); - break; - } - XFREE(at, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - -/** - * Allocate a new WOLFSSL_X509_PUBKEY object. - * - * @return New zero'ed WOLFSSL_X509_PUBKEY object - */ -WOLFSSL_X509_PUBKEY *wolfSSL_X509_PUBKEY_new(void) -{ - WOLFSSL_X509_PUBKEY *ret; - ret = (WOLFSSL_X509_PUBKEY*)XMALLOC(sizeof(WOLFSSL_X509_PUBKEY), NULL, - DYNAMIC_TYPE_OPENSSL); - if (!ret) { - return NULL; - } - XMEMSET(ret, 0, sizeof(WOLFSSL_X509_PUBKEY)); - ret->algor = wolfSSL_X509_ALGOR_new(); - if (!ret->algor) { - wolfSSL_X509_PUBKEY_free(ret); - return NULL; - } - return ret; -} - -/** - * Free WOLFSSL_X509_PUBKEY and all its members. - * - * @param at Object to free - */ -void wolfSSL_X509_PUBKEY_free(WOLFSSL_X509_PUBKEY *x) -{ - if (x) { - if (x->algor) { - wolfSSL_X509_ALGOR_free(x->algor); - } - if (x->pkey) { - wolfSSL_EVP_PKEY_free(x->pkey); - } - XFREE(x, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - -/* Returns X509_PUBKEY structure containing X509_ALGOR and EVP_PKEY */ -WOLFSSL_X509_PUBKEY* wolfSSL_X509_get_X509_PUBKEY(const WOLFSSL_X509* x509) -{ - WOLFSSL_ENTER("X509_get_X509_PUBKEY"); - - if (x509 == NULL) { - WOLFSSL_MSG("x509 struct NULL error"); - return NULL; - } - - return (WOLFSSL_X509_PUBKEY*)&x509->key; -} - -/* Sets ppkalg pointer to X509_PUBKEY algorithm. Returns WOLFSSL_SUCCESS on - success or WOLFSSL_FAILURE on error. */ -int wolfSSL_X509_PUBKEY_get0_param(WOLFSSL_ASN1_OBJECT **ppkalg, - const unsigned char **pk, int *ppklen, WOLFSSL_X509_ALGOR **pa, - WOLFSSL_X509_PUBKEY *pub) -{ - WOLFSSL_ENTER("X509_PUBKEY_get0_param"); - - if (!pub || !pub->pubKeyOID) { - WOLFSSL_MSG("X509_PUBKEY struct not populated"); - return WOLFSSL_FAILURE; - } - - if (!pub->algor) { - if (!(pub->algor = wolfSSL_X509_ALGOR_new())) { - return WOLFSSL_FAILURE; - } - pub->algor->algorithm = wolfSSL_OBJ_nid2obj(pub->pubKeyOID); - if (pub->algor->algorithm == NULL) { - WOLFSSL_MSG("Failed to create object from NID"); - return WOLFSSL_FAILURE; - } - } - - if (pa) - *pa = pub->algor; - if (ppkalg) - *ppkalg = pub->algor->algorithm; - if (pk) - wolfSSL_EVP_PKEY_get_der(pub->pkey, (unsigned char **)pk); - if (ppklen) - *ppklen = wolfSSL_EVP_PKEY_get_der(pub->pkey, NULL); - - return WOLFSSL_SUCCESS; -} - -/* Returns a pointer to the pkey when passed a key */ -WOLFSSL_EVP_PKEY* wolfSSL_X509_PUBKEY_get(WOLFSSL_X509_PUBKEY* key) -{ - WOLFSSL_ENTER("wolfSSL_X509_PUBKEY_get"); - if(key == NULL || key->pkey == NULL){ - WOLFSSL_LEAVE("wolfSSL_X509_PUBKEY_get", BAD_FUNC_ARG); - return NULL; - } - WOLFSSL_LEAVE("wolfSSL_X509_PUBKEY_get", WOLFSSL_SUCCESS); - return key->pkey; -} - -int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key) -{ - WOLFSSL_X509_PUBKEY *pk = NULL; - - WOLFSSL_ENTER("wolfSSL_X509_PUBKEY_set"); - - if (!x || !key) { - return WOLFSSL_FAILURE; - } - - if (!(pk = wolfSSL_X509_PUBKEY_new())) { - return WOLFSSL_FAILURE; - } - - switch (key->type) { -#ifndef NO_RSA - case EVP_PKEY_RSA: - pk->algor->algorithm= wolfSSL_OBJ_nid2obj(RSAk); - break; -#endif -#ifndef NO_DSA - case EVP_PKEY_DSA: - pk->algor->algorithm = wolfSSL_OBJ_nid2obj(DSAk); - break; -#endif -#ifdef HAVE_ECC - case EVP_PKEY_EC: - pk->algor->algorithm = wolfSSL_OBJ_nid2obj(ECDSAk); - break; -#endif - default: - WOLFSSL_MSG("Unknown key type"); - goto error; - } - - if (!pk->algor->algorithm) { - WOLFSSL_MSG("Failed to create algorithm object"); - goto error; - } - - if (!wolfSSL_EVP_PKEY_up_ref(key)) { - WOLFSSL_MSG("Failed to up key reference"); - goto error; - } - pk->pkey = key; - - wolfSSL_X509_PUBKEY_free(*x); - *x = pk; - return WOLFSSL_SUCCESS; -error: - if (pk) { - wolfSSL_X509_PUBKEY_free(pk); - } - return WOLFSSL_FAILURE; -} - -#endif /* OPENSSL_ALL || WOLFSSL_APACHE_HTTPD || WOLFSSL_HAPROXY*/ - -#ifndef NO_WOLFSSL_STUB -/*** TBD ***/ -WOLFSSL_API WOLFSSL_EVP_PKEY *wolfSSL_get_privatekey(const WOLFSSL *ssl) -{ - (void)ssl; - WOLFSSL_STUB("SSL_get_privatekey"); - return NULL; -} -#endif - -#ifndef NO_WOLFSSL_STUB -/*** TBD ***/ -WOLFSSL_API int i2t_ASN1_OBJECT(char *buf, int buf_len, WOLFSSL_ASN1_OBJECT *a) -{ - (void)buf; - (void)buf_len; - (void)a; - WOLFSSL_STUB("i2t_ASN1_OBJECT"); - return -1; -} -#endif - -/* Return number of bytes written to BIO on success. 0 on failure. */ -WOLFSSL_API int wolfSSL_i2a_ASN1_OBJECT(WOLFSSL_BIO *bp, - WOLFSSL_ASN1_OBJECT *a) -{ - int length = 0; - word32 idx = 0; - const char null_str[] = "NULL"; - - WOLFSSL_ENTER("wolfSSL_i2a_ASN1_OBJECT"); - - if (bp == NULL) - return WOLFSSL_FAILURE; - - if (a == NULL) { - /* Write "NULL" */ - if (wolfSSL_BIO_write(bp, null_str, (int)XSTRLEN(null_str)) == - (int)XSTRLEN(null_str)) { - return (int)XSTRLEN(null_str); - } - else { - return WOLFSSL_FAILURE; - } - } - - - if ((a->obj == NULL) || (a->obj[idx++] != ASN_OBJECT_ID)) { - WOLFSSL_MSG("Bad ASN1 Object"); - return WOLFSSL_FAILURE; - } - - if (GetLength((const byte*)a->obj, &idx, &length, - a->objSz) < 0 || length < 0) { - return WOLFSSL_FAILURE; - } - - if (wolfSSL_BIO_write(bp, a->obj + idx, length) == (int)length) { - return length; - } - - return WOLFSSL_FAILURE; -} - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY) -#ifndef NO_WOLFSSL_STUB -/*** TBD ***/ -WOLFSSL_API size_t SSL_get_finished(const WOLFSSL *s, void *buf, size_t count) -{ - (void)s; - (void)buf; - (void)count; - WOLFSSL_STUB("SSL_get_finished"); - return WOLFSSL_FAILURE; -} -#endif - -#ifndef NO_WOLFSSL_STUB -/*** TBD ***/ -WOLFSSL_API size_t SSL_get_peer_finished(const WOLFSSL *s, void *buf, size_t count) -{ - (void)s; - (void)buf; - (void)count; - WOLFSSL_STUB("SSL_get_peer_finished"); - return WOLFSSL_FAILURE; -} -#endif -#endif /* WOLFSSL_HAPROXY */ - -#ifndef NO_WOLFSSL_STUB -/*** TBD ***/ -WOLFSSL_API void SSL_CTX_set_tmp_dh_callback(WOLFSSL_CTX *ctx, WOLFSSL_DH *(*dh) (WOLFSSL *ssl, int is_export, int keylength)) -{ - (void)ctx; - (void)dh; - WOLFSSL_STUB("SSL_CTX_set_tmp_dh_callback"); -} -#endif - -#ifndef NO_WOLFSSL_STUB -/*** TBD ***/ -WOLFSSL_API WOLF_STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void) -{ - WOLFSSL_STUB("SSL_COMP_get_compression_methods"); - return NULL; -} -#endif - - -int wolfSSL_sk_SSL_CIPHER_num(const WOLF_STACK_OF(WOLFSSL_CIPHER)* p) -{ - WOLFSSL_ENTER("wolfSSL_sk_SSL_CIPHER_num"); - if (p == NULL) { - return WOLFSSL_FATAL_ERROR; - } - return (int)p->num; -} - -#if !defined(NO_FILESYSTEM) -#ifndef NO_WOLFSSL_STUB -/*** TBD ***/ -WOLFSSL_API WOLFSSL_EVP_PKEY *wolfSSL_PEM_read_PrivateKey(XFILE fp, WOLFSSL_EVP_PKEY **x, pem_password_cb *cb, void *u) -{ - (void)fp; - (void)x; - (void)cb; - (void)u; - WOLFSSL_STUB("PEM_read_PrivateKey"); - return NULL; -} -#endif -#endif - -#if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) -/* Loads certificate(s) files in pem format into X509_STORE struct from either - * a file or directory. - * Returns WOLFSSL_SUCCESS on success or WOLFSSL_FAILURE if an error occurs. - */ -WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, - const char *file, const char *dir) -{ - WOLFSSL_CTX* ctx; - char *name = NULL; - int ret = WOLFSSL_SUCCESS; - int successes = 0; -#ifdef WOLFSSL_SMALL_STACK - ReadDirCtx* readCtx = NULL; -#else - ReadDirCtx readCtx[1]; -#endif - - WOLFSSL_ENTER("X509_STORE_load_locations"); - - if (str == NULL || str->cm == NULL || (file == NULL && dir == NULL)) - return WOLFSSL_FAILURE; - - /* tmp ctx for setting our cert manager */ - ctx = wolfSSL_CTX_new(cm_pick_method()); - if (ctx == NULL) - return WOLFSSL_FAILURE; - - wolfSSL_CertManagerFree(ctx->cm); - ctx->cm = str->cm; - -#ifdef HAVE_CRL - if (str->cm->crl == NULL) { - if (wolfSSL_CertManagerEnableCRL(str->cm, 0) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Enable CRL failed"); - wolfSSL_CTX_free(ctx); - return WOLFSSL_FAILURE; - } - } -#endif - - /* Load individual file */ - if (file) { - /* Try to process file with type DETECT_CERT_TYPE to parse the - correct certificate header and footer type */ - ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, DETECT_CERT_TYPE, - NULL, 0, str->cm->crl, 0); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Failed to load file"); - ret = WOLFSSL_FAILURE; - } - } - - /* Load files in dir */ - if (dir && ret == WOLFSSL_SUCCESS) { - #ifdef WOLFSSL_SMALL_STACK - readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), ctx->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (readCtx == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - #endif - - /* try to load each regular file in dir */ - ret = wc_ReadDirFirst(readCtx, dir, &name); - while (ret == 0 && name) { - WOLFSSL_MSG(name); - /* Try to process file with type DETECT_CERT_TYPE to parse the - correct certificate header and footer type */ - ret = ProcessFile(ctx, name, WOLFSSL_FILETYPE_PEM, DETECT_CERT_TYPE, - NULL, 0, str->cm->crl, 0); - /* Not failing on load errors */ - if (ret != WOLFSSL_SUCCESS) - WOLFSSL_MSG("Failed to load file in path, continuing"); - else - successes++; - - ret = wc_ReadDirNext(readCtx, dir, &name); - } - wc_ReadDirClose(readCtx); - - /* Success if at least one file in dir was loaded */ - if (successes > 0) - ret = WOLFSSL_SUCCESS; - else { - WOLFSSL_ERROR(ret); - ret = WOLFSSL_FAILURE; - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(readCtx, ctx->heap, DYNAMIC_TYPE_DIRCTX); - #endif - } - - ctx->cm = NULL; - wolfSSL_CTX_free(ctx); - - return ret; -} -#endif /* !NO_FILESYSTEM && !NO_WOLFSSL_DIR */ - -#ifndef NO_WOLFSSL_STUB -/*** TBD ***/ -WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(void *ciphers, int idx) -{ - (void)ciphers; - (void)idx; - WOLFSSL_STUB("wolfSSL_sk_SSL_CIPHER_value"); - return NULL; -} -#endif - -WOLFSSL_API void ERR_load_SSL_strings(void) -{ - -} - -#ifdef HAVE_OCSP -WOLFSSL_API long wolfSSL_get_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char **resp) -{ - if (s == NULL || resp == NULL) - return 0; - - *resp = s->ocspResp; - return s->ocspRespSz; -} - -WOLFSSL_API long wolfSSL_set_tlsext_status_ocsp_resp(WOLFSSL *s, unsigned char *resp, int len) -{ - if (s == NULL) - return WOLFSSL_FAILURE; - - s->ocspResp = resp; - s->ocspRespSz = len; - - return WOLFSSL_SUCCESS; -} -#endif /* HAVE_OCSP */ - -#endif /* OPENSSL_EXTRA */ - -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) -long wolfSSL_get_verify_result(const WOLFSSL *ssl) -{ - if (ssl == NULL) { - return WOLFSSL_FAILURE; - } - - return ssl->peerVerifyRet; -} -#endif - -#ifdef OPENSSL_EXTRA - -#ifndef NO_WOLFSSL_STUB -/* shows the number of accepts attempted by CTX in it's lifetime */ -long wolfSSL_CTX_sess_accept(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_accept"); - (void)ctx; - return 0; -} -#endif - -#ifndef NO_WOLFSSL_STUB -/* shows the number of connects attempted CTX in it's lifetime */ -long wolfSSL_CTX_sess_connect(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_connect"); - (void)ctx; - return 0; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -/* shows the number of accepts completed by CTX in it's lifetime */ -long wolfSSL_CTX_sess_accept_good(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_accept_good"); - (void)ctx; - return 0; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -/* shows the number of connects completed by CTX in it's lifetime */ -long wolfSSL_CTX_sess_connect_good(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_connect_good"); - (void)ctx; - return 0; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -/* shows the number of renegotiation accepts attempted by CTX */ -long wolfSSL_CTX_sess_accept_renegotiate(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_accept_renegotiate"); - (void)ctx; - return 0; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -/* shows the number of renegotiation accepts attempted by CTX */ -long wolfSSL_CTX_sess_connect_renegotiate(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_connect_renegotiate"); - (void)ctx; - return 0; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -long wolfSSL_CTX_sess_hits(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_hits"); - (void)ctx; - return 0; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -long wolfSSL_CTX_sess_cb_hits(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_cb_hits"); - (void)ctx; - return 0; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -long wolfSSL_CTX_sess_cache_full(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_cache_full"); - (void)ctx; - return 0; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -long wolfSSL_CTX_sess_misses(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_misses"); - (void)ctx; - return 0; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -long wolfSSL_CTX_sess_timeouts(WOLFSSL_CTX* ctx) -{ - WOLFSSL_STUB("wolfSSL_CTX_sess_timeouts"); - (void)ctx; - return 0; -} -#endif - - -/* Return the total number of sessions */ -long wolfSSL_CTX_sess_number(WOLFSSL_CTX* ctx) -{ - word32 total = 0; - - WOLFSSL_ENTER("wolfSSL_CTX_sess_number"); - (void)ctx; - -#ifdef WOLFSSL_SESSION_STATS - if (wolfSSL_get_session_stats(NULL, &total, NULL, NULL) != SSL_SUCCESS) { - WOLFSSL_MSG("Error getting session stats"); - } -#else - WOLFSSL_MSG("Please use macro WOLFSSL_SESSION_STATS for session stats"); -#endif - - return (long)total; -} - - -#ifndef NO_CERTS -long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509) -{ - byte* chain = NULL; - long chainSz = 0; - int derSz; - const byte* der; - int ret; - int idx = 0; - DerBuffer *derBuffer = NULL; - - WOLFSSL_ENTER("wolfSSL_CTX_add_extra_chain_cert"); - - if (ctx == NULL || x509 == NULL) { - WOLFSSL_MSG("Bad Argument"); - return WOLFSSL_FAILURE; - } - - der = wolfSSL_X509_get_der(x509, &derSz); - if (der == NULL || derSz <= 0) { - WOLFSSL_MSG("Error getting X509 DER"); - return WOLFSSL_FAILURE; - } - - if (ctx->certificate == NULL) { - WOLFSSL_ENTER("wolfSSL_use_certificate_chain_buffer_format"); - - /* Process buffer makes first certificate the leaf. */ - ret = ProcessBuffer(ctx, der, derSz, WOLFSSL_FILETYPE_ASN1, CERT_TYPE, - NULL, NULL, 1, GET_VERIFY_SETTING_CTX(ctx)); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_LEAVE("wolfSSL_CTX_add_extra_chain_cert", ret); - return WOLFSSL_FAILURE; - } - } - else { - /* TODO: Do this elsewhere. */ - ret = AllocDer(&derBuffer, derSz, CERT_TYPE, ctx->heap); - if (ret != 0) { - WOLFSSL_MSG("Memory Error"); - return WOLFSSL_FAILURE; - } - XMEMCPY(derBuffer->buffer, der, derSz); - ret = AddCA(ctx->cm, &derBuffer, WOLFSSL_USER_CA, - GET_VERIFY_SETTING_CTX(ctx)); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_LEAVE("wolfSSL_CTX_add_extra_chain_cert", ret); - return WOLFSSL_FAILURE; - } - - /* adding cert to existing chain */ - if (ctx->certChain != NULL && ctx->certChain->length > 0) { - chainSz += ctx->certChain->length; - } - chainSz += OPAQUE24_LEN + derSz; - - chain = (byte*)XMALLOC(chainSz, ctx->heap, DYNAMIC_TYPE_DER); - if (chain == NULL) { - WOLFSSL_MSG("Memory Error"); - return WOLFSSL_FAILURE; - } - - if (ctx->certChain != NULL && ctx->certChain->length > 0) { - XMEMCPY(chain, ctx->certChain->buffer, ctx->certChain->length); - idx = ctx->certChain->length; - } - c32to24(derSz, chain + idx); - idx += OPAQUE24_LEN, - XMEMCPY(chain + idx, der, derSz); - idx += derSz; -#ifdef WOLFSSL_TLS13 - ctx->certChainCnt++; -#endif - - FreeDer(&ctx->certChain); - ret = AllocDer(&ctx->certChain, idx, CERT_TYPE, ctx->heap); - if (ret == 0) { - XMEMCPY(ctx->certChain->buffer, chain, idx); - } - } - - /* on success WOLFSSL_X509 memory is responsibility of ctx */ - wolfSSL_X509_free(x509); - if (chain != NULL) - XFREE(chain, ctx->heap, DYNAMIC_TYPE_DER); - - return WOLFSSL_SUCCESS; -} - - -long wolfSSL_CTX_set_tlsext_status_arg(WOLFSSL_CTX* ctx, void* arg) -{ - if (ctx == NULL || ctx->cm == NULL) { - return WOLFSSL_FAILURE; - } - - ctx->cm->ocspIOCtx = arg; - return WOLFSSL_SUCCESS; -} - -#endif /* NO_CERTS */ - - -/* Get the session cache mode for CTX - * - * ctx WOLFSSL_CTX struct to get cache mode from - * - * Returns a bit mask that has the session cache mode */ -WOLFSSL_API long wolfSSL_CTX_get_session_cache_mode(WOLFSSL_CTX* ctx) -{ - long m = 0; - - WOLFSSL_ENTER("SSL_CTX_set_session_cache_mode"); - - if (ctx == NULL) { - return m; - } - - if (ctx->sessionCacheOff != 1) { - m |= SSL_SESS_CACHE_SERVER; - } - - if (ctx->sessionCacheFlushOff == 1) { - m |= SSL_SESS_CACHE_NO_AUTO_CLEAR; - } - -#ifdef HAVE_EXT_CACHE - if (ctx->internalCacheOff == 1) { - m |= SSL_SESS_CACHE_NO_INTERNAL_STORE; - } -#endif - - return m; -} - - -int wolfSSL_CTX_get_read_ahead(WOLFSSL_CTX* ctx) -{ - if (ctx == NULL) { - return WOLFSSL_FAILURE; - } - - return ctx->readAhead; -} - - -int wolfSSL_CTX_set_read_ahead(WOLFSSL_CTX* ctx, int v) -{ - if (ctx == NULL) { - return WOLFSSL_FAILURE; - } - - ctx->readAhead = (byte)v; - - return WOLFSSL_SUCCESS; -} - - -long wolfSSL_CTX_set_tlsext_opaque_prf_input_callback_arg(WOLFSSL_CTX* ctx, - void* arg) -{ - if (ctx == NULL) { - return WOLFSSL_FAILURE; - } - - ctx->userPRFArg = arg; - return WOLFSSL_SUCCESS; -} - - -#ifndef NO_DES3 -/* 0 on success */ -int wolfSSL_DES_set_key(WOLFSSL_const_DES_cblock* myDes, - WOLFSSL_DES_key_schedule* key) -{ -#ifdef WOLFSSL_CHECK_DESKEY - return wolfSSL_DES_set_key_checked(myDes, key); -#else - wolfSSL_DES_set_key_unchecked(myDes, key); - return 0; -#endif -} - - - -/* return true in fail case (1) */ -static int DES_check(word32 mask, word32 mask2, unsigned char* key) -{ - word32 value[2]; - - /* sanity check on length made in wolfSSL_DES_set_key_checked */ - value[0] = mask; - value[1] = mask2; - return (XMEMCMP(value, key, sizeof(value)) == 0)? 1: 0; -} - - -/* check that the key is odd parity and is not a weak key - * returns -1 if parity is wrong, -2 if weak/null key and 0 on success */ -int wolfSSL_DES_set_key_checked(WOLFSSL_const_DES_cblock* myDes, - WOLFSSL_DES_key_schedule* key) -{ - if (myDes == NULL || key == NULL) { - WOLFSSL_MSG("Bad argument passed to wolfSSL_DES_set_key_checked"); - return -2; - } - else { - word32 sz = sizeof(WOLFSSL_DES_key_schedule); - - /* sanity check before call to DES_check */ - if (sz != (sizeof(word32) * 2)) { - WOLFSSL_MSG("Unexpected WOLFSSL_DES_key_schedule size"); - return -2; - } - - /* check odd parity */ - if (wolfSSL_DES_check_key_parity(myDes) != 1) { - WOLFSSL_MSG("Odd parity test fail"); - return -1; - } - - if (wolfSSL_DES_is_weak_key(myDes) == 1) { - WOLFSSL_MSG("Weak key found"); - return -2; - } - - /* passed tests, now copy over key */ - XMEMCPY(key, myDes, sizeof(WOLFSSL_const_DES_cblock)); - - return 0; - } -} - - -/* check is not weak. Weak key list from Nist "Recommendation for the Triple - * Data Encryption Algorithm (TDEA) Block Cipher" - * - * returns 1 if is weak 0 if not - */ -int wolfSSL_DES_is_weak_key(WOLFSSL_const_DES_cblock* key) -{ - word32 mask, mask2; - - WOLFSSL_ENTER("wolfSSL_DES_is_weak_key"); - - if (key == NULL) { - WOLFSSL_MSG("NULL key passed in"); - return 1; - } - - mask = 0x01010101; mask2 = 0x01010101; - if (DES_check(mask, mask2, *key)) { - WOLFSSL_MSG("Weak key found"); - return 1; - } - - mask = 0xFEFEFEFE; mask2 = 0xFEFEFEFE; - if (DES_check(mask, mask2, *key)) { - WOLFSSL_MSG("Weak key found"); - return 1; - } - - mask = 0xE0E0E0E0; mask2 = 0xF1F1F1F1; - if (DES_check(mask, mask2, *key)) { - WOLFSSL_MSG("Weak key found"); - return 1; - } - - mask = 0x1F1F1F1F; mask2 = 0x0E0E0E0E; - if (DES_check(mask, mask2, *key)) { - WOLFSSL_MSG("Weak key found"); - return 1; - } - - /* semi-weak *key check (list from same Nist paper) */ - mask = 0x011F011F; mask2 = 0x010E010E; - if (DES_check(mask, mask2, *key) || - DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) { - WOLFSSL_MSG("Weak key found"); - return 1; - } - - mask = 0x01E001E0; mask2 = 0x01F101F1; - if (DES_check(mask, mask2, *key) || - DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) { - WOLFSSL_MSG("Weak key found"); - return 1; - } - - mask = 0x01FE01FE; mask2 = 0x01FE01FE; - if (DES_check(mask, mask2, *key) || - DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) { - WOLFSSL_MSG("Weak key found"); - return 1; - } - - mask = 0x1FE01FE0; mask2 = 0x0EF10EF1; - if (DES_check(mask, mask2, *key) || - DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) { - WOLFSSL_MSG("Weak key found"); - return 1; - } - - mask = 0x1FFE1FFE; mask2 = 0x0EFE0EFE; - if (DES_check(mask, mask2, *key) || - DES_check(ByteReverseWord32(mask), ByteReverseWord32(mask2), *key)) { - WOLFSSL_MSG("Weak key found"); - return 1; - } - - return 0; -} - - -void wolfSSL_DES_set_key_unchecked(WOLFSSL_const_DES_cblock* myDes, - WOLFSSL_DES_key_schedule* key) -{ - if (myDes != NULL && key != NULL) { - XMEMCPY(key, myDes, sizeof(WOLFSSL_const_DES_cblock)); - } -} - - -/* Sets the parity of the DES key for use */ -void wolfSSL_DES_set_odd_parity(WOLFSSL_DES_cblock* myDes) -{ - word32 i; - word32 sz = sizeof(WOLFSSL_DES_cblock); - - WOLFSSL_ENTER("wolfSSL_DES_set_odd_parity"); - - for (i = 0; i < sz; i++) { - unsigned char c = (*myDes)[i]; - if (( - ((c >> 1) & 0x01) ^ - ((c >> 2) & 0x01) ^ - ((c >> 3) & 0x01) ^ - ((c >> 4) & 0x01) ^ - ((c >> 5) & 0x01) ^ - ((c >> 6) & 0x01) ^ - ((c >> 7) & 0x01)) == (c & 0x01)) { - WOLFSSL_MSG("Flipping parity bit"); - (*myDes)[i] = c ^ 0x01; - } - } -} - -int wolfSSL_DES_check_key_parity(WOLFSSL_DES_cblock *myDes) -{ - word32 i; - word32 sz = sizeof(WOLFSSL_DES_cblock); - - WOLFSSL_ENTER("wolfSSL_DES_check_key_parity"); - - for (i = 0; i < sz; i++) { - unsigned char c = (*myDes)[i]; - if (( - ((c >> 1) & 0x01) ^ - ((c >> 2) & 0x01) ^ - ((c >> 3) & 0x01) ^ - ((c >> 4) & 0x01) ^ - ((c >> 5) & 0x01) ^ - ((c >> 6) & 0x01) ^ - ((c >> 7) & 0x01)) == (c & 0x01)) { - return 0; - } - } - return 1; -} - -#ifdef WOLFSSL_DES_ECB -/* Encrypt or decrypt input message desa with key and get output in desb. - * if enc is DES_ENCRYPT,input message is encrypted or - * if enc is DES_DECRYPT,input message is decrypted. - * */ -void wolfSSL_DES_ecb_encrypt(WOLFSSL_DES_cblock* desa, - WOLFSSL_DES_cblock* desb, WOLFSSL_DES_key_schedule* key, int enc) -{ - Des myDes; - - WOLFSSL_ENTER("wolfSSL_DES_ecb_encrypt"); - - if (desa == NULL || key == NULL || desb == NULL || - (enc != DES_ENCRYPT && enc != DES_DECRYPT)) { - WOLFSSL_MSG("Bad argument passed to wolfSSL_DES_ecb_encrypt"); - } else { - if (wc_Des_SetKey(&myDes, (const byte*) key, - (const byte*) NULL, !enc) != 0) { - WOLFSSL_MSG("wc_Des_SetKey return error."); - return; - } - if (enc){ - if (wc_Des_EcbEncrypt(&myDes, (byte*) desb, (const byte*) desa, - sizeof(WOLFSSL_DES_cblock)) != 0){ - WOLFSSL_MSG("wc_Des_EcbEncrypt return error."); - } - } else { - if (wc_Des_EcbDecrypt(&myDes, (byte*) desb, (const byte*) desa, - sizeof(WOLFSSL_DES_cblock)) != 0){ - WOLFSSL_MSG("wc_Des_EcbDecrpyt return error."); - } - } - } -} -#endif -#endif /* NO_DES3 */ - -#ifndef NO_RC4 -/* Set the key state for Arc4 structure. - * - * key Arc4 structure to use - * len length of data buffer - * data initial state to set Arc4 structure - */ -void wolfSSL_RC4_set_key(WOLFSSL_RC4_KEY* key, int len, - const unsigned char* data) -{ - typedef char rc4_test[sizeof(WOLFSSL_RC4_KEY) >= sizeof(Arc4) ? 1 : -1]; - (void)sizeof(rc4_test); - - WOLFSSL_ENTER("wolfSSL_RC4_set_key"); - - if (key == NULL || len < 0) { - WOLFSSL_MSG("bad argument passed in"); - return; - } - - XMEMSET(key, 0, sizeof(WOLFSSL_RC4_KEY)); - wc_Arc4SetKey((Arc4*)key, data, (word32)len); -} - - -/* Encrypt/decrypt with Arc4 structure. - * - * len length of buffer to encrypt/decrypt (in/out) - * in buffer to encrypt/decrypt - * out results of encryption/decryption - */ -void wolfSSL_RC4(WOLFSSL_RC4_KEY* key, size_t len, - const unsigned char* in, unsigned char* out) -{ - WOLFSSL_ENTER("wolfSSL_RC4"); - - if (key == NULL || in == NULL || out == NULL) { - WOLFSSL_MSG("Bad argument passed in"); - return; - } - - wc_Arc4Process((Arc4*)key, out, in, (word32)len); -} -#endif /* NO_RC4 */ - -#ifndef NO_AES - -#ifdef WOLFSSL_AES_DIRECT -/* AES encrypt direct, it is expected to be blocks of AES_BLOCK_SIZE for input. - * - * input Data to encrypt - * output Encrypted data after done - * key AES key to use for encryption - */ -void wolfSSL_AES_encrypt(const unsigned char* input, unsigned char* output, - AES_KEY *key) -{ - WOLFSSL_ENTER("wolfSSL_AES_encrypt"); - - if (input == NULL || output == NULL || key == NULL) { - WOLFSSL_MSG("Null argument passed in"); - return; - } - - wc_AesEncryptDirect((Aes*)key, output, input); -} - - -/* AES decrypt direct, it is expected to be blocks of AES_BLOCK_SIZE for input. - * - * input Data to decrypt - * output Decrypted data after done - * key AES key to use for encryption - */ -void wolfSSL_AES_decrypt(const unsigned char* input, unsigned char* output, - AES_KEY *key) -{ - WOLFSSL_ENTER("wolfSSL_AES_decrypt"); - - if (input == NULL || output == NULL || key == NULL) { - WOLFSSL_MSG("Null argument passed in"); - return; - } - - wc_AesDecryptDirect((Aes*)key, output, input); -} -#endif /* WOLFSSL_AES_DIRECT */ - -/* Setup of an AES key to use for encryption. - * - * key key in bytes to use for encryption - * bits size of key in bits - * aes AES structure to initialize - */ -int wolfSSL_AES_set_encrypt_key(const unsigned char *key, const int bits, - AES_KEY *aes) -{ - typedef char aes_test[sizeof(AES_KEY) >= sizeof(Aes) ? 1 : -1]; - (void)sizeof(aes_test); - - WOLFSSL_ENTER("wolfSSL_AES_set_encrypt_key"); - - if (key == NULL || aes == NULL) { - WOLFSSL_MSG("Null argument passed in"); - return -1; - } - - XMEMSET(aes, 0, sizeof(AES_KEY)); - if (wc_AesSetKey((Aes*)aes, key, ((bits)/8), NULL, AES_ENCRYPTION) != 0) { - WOLFSSL_MSG("Error in setting AES key"); - return -1; - } - return 0; -} - - -/* Setup of an AES key to use for decryption. - * - * key key in bytes to use for decryption - * bits size of key in bits - * aes AES structure to initialize - */ -int wolfSSL_AES_set_decrypt_key(const unsigned char *key, const int bits, - AES_KEY *aes) -{ - typedef char aes_test[sizeof(AES_KEY) >= sizeof(Aes) ? 1 : -1]; - (void)sizeof(aes_test); - - WOLFSSL_ENTER("wolfSSL_AES_set_decrypt_key"); - - if (key == NULL || aes == NULL) { - WOLFSSL_MSG("Null argument passed in"); - return -1; - } - - XMEMSET(aes, 0, sizeof(AES_KEY)); - if (wc_AesSetKey((Aes*)aes, key, ((bits)/8), NULL, AES_DECRYPTION) != 0) { - WOLFSSL_MSG("Error in setting AES key"); - return -1; - } - return 0; -} - - -#ifdef HAVE_AES_ECB -/* Encrypt/decrypt a 16 byte block of data using the key passed in. - * - * in buffer to encrypt/decrypt - * out buffer to hold result of encryption/decryption - * key AES structure to use with encryption/decryption - * enc AES_ENCRPT for encryption and AES_DECRYPT for decryption - */ -void wolfSSL_AES_ecb_encrypt(const unsigned char *in, unsigned char* out, - AES_KEY *key, const int enc) -{ - Aes* aes; - - WOLFSSL_ENTER("wolfSSL_AES_ecb_encrypt"); - - if (key == NULL || in == NULL || out == NULL) { - WOLFSSL_MSG("Error, Null argument passed in"); - return; - } - - aes = (Aes*)key; - if (enc == AES_ENCRYPT) { - if (wc_AesEcbEncrypt(aes, out, in, AES_BLOCK_SIZE) != 0) { - WOLFSSL_MSG("Error with AES CBC encrypt"); - } - } - else { - #ifdef HAVE_AES_DECRYPT - if (wc_AesEcbDecrypt(aes, out, in, AES_BLOCK_SIZE) != 0) { - WOLFSSL_MSG("Error with AES CBC decrypt"); - } - #else - WOLFSSL_MSG("AES decryption not compiled in"); - #endif - } -} -#endif /* HAVE_AES_ECB */ - -#ifdef HAVE_AES_CBC -/* Encrypt data using key and iv passed in. iv gets updated to most recent iv - * state after encryption/decryption. - * - * in buffer to encrypt/decrypt - * out buffer to hold result of encryption/decryption - * len length of input buffer - * key AES structure to use with encryption/decryption - * iv iv to use with operation - * enc AES_ENCRPT for encryption and AES_DECRYPT for decryption - */ -void wolfSSL_AES_cbc_encrypt(const unsigned char *in, unsigned char* out, - size_t len, AES_KEY *key, unsigned char* iv, const int enc) -{ - Aes* aes; - - WOLFSSL_ENTER("wolfSSL_AES_cbc_encrypt"); - - if (key == NULL || in == NULL || out == NULL || iv == NULL || len == 0) { - WOLFSSL_MSG("Error, Null argument passed in"); - return; - } - - aes = (Aes*)key; - if (wc_AesSetIV(aes, (const byte*)iv) != 0) { - WOLFSSL_MSG("Error with setting iv"); - return; - } - - if (enc == AES_ENCRYPT) { - if (wc_AesCbcEncrypt(aes, out, in, (word32)len) != 0) { - WOLFSSL_MSG("Error with AES CBC encrypt"); - } - } - else { - if (wc_AesCbcDecrypt(aes, out, in, (word32)len) != 0) { - WOLFSSL_MSG("Error with AES CBC decrypt"); - } - } - - /* to be compatible copy iv to iv buffer after completing operation */ - XMEMCPY(iv, (byte*)(aes->reg), AES_BLOCK_SIZE); -} -#endif /* HAVE_AES_CBC */ - - -/* Encrypt data using CFB mode with key and iv passed in. iv gets updated to - * most recent iv state after encryption/decryption. - * - * in buffer to encrypt/decrypt - * out buffer to hold result of encryption/decryption - * len length of input buffer - * key AES structure to use with encryption/decryption - * iv iv to use with operation - * num contains the amount of block used - * enc AES_ENCRPT for encryption and AES_DECRYPT for decryption - */ -void wolfSSL_AES_cfb128_encrypt(const unsigned char *in, unsigned char* out, - size_t len, AES_KEY *key, unsigned char* iv, int* num, - const int enc) -{ -#ifndef WOLFSSL_AES_CFB - WOLFSSL_MSG("CFB mode not enabled please use macro WOLFSSL_AES_CFB"); - (void)in; - (void)out; - (void)len; - (void)key; - (void)iv; - (void)num; - (void)enc; - - return; -#else - Aes* aes; - - WOLFSSL_ENTER("wolfSSL_AES_cbc_encrypt"); - if (key == NULL || in == NULL || out == NULL || iv == NULL) { - WOLFSSL_MSG("Error, Null argument passed in"); - return; - } - - aes = (Aes*)key; - if (wc_AesSetIV(aes, (const byte*)iv) != 0) { - WOLFSSL_MSG("Error with setting iv"); - return; - } - - if (enc == AES_ENCRYPT) { - if (wc_AesCfbEncrypt(aes, out, in, (word32)len) != 0) { - WOLFSSL_MSG("Error with AES CBC encrypt"); - } - } - else { - if (wc_AesCfbDecrypt(aes, out, in, (word32)len) != 0) { - WOLFSSL_MSG("Error with AES CBC decrypt"); - } - } - - /* to be compatible copy iv to iv buffer after completing operation */ - XMEMCPY(iv, (byte*)(aes->reg), AES_BLOCK_SIZE); - - /* store number of left over bytes to num */ - *num = (aes->left)? AES_BLOCK_SIZE - aes->left : 0; -#endif /* WOLFSSL_AES_CFB */ -} -#endif /* NO_AES */ - -#ifndef NO_FILESYSTEM - #ifdef __clang__ - #pragma clang diagnostic push - #pragma clang diagnostic ignored "-Wformat-nonliteral" - #endif -#endif - -#if !defined(NO_FILESYSTEM) && defined (OPENSSL_EXTRA) -/* returns amount printed on success, negative in fail case */ -int wolfSSL_BIO_vprintf(WOLFSSL_BIO* bio, const char* format, va_list args) -{ - int ret = -1; - - if (bio == NULL) - return WOLFSSL_FATAL_ERROR; - - switch (bio->type) { - case WOLFSSL_BIO_FILE: - if (bio->ptr == NULL) { - va_end(args); - return -1; - } - ret = vfprintf((XFILE)bio->ptr, format, args); - break; - - case WOLFSSL_BIO_MEMORY: - #if defined(OPENSSL_EXTRA) && !defined(_WIN32) - case WOLFSSL_BIO_SSL: - { - int count; - char* pt = NULL; - va_list copy; - - va_copy(copy, args); - count = vsnprintf(NULL, 0, format, args); - if (count >= 0) - { - pt = (char*)XMALLOC(count + 1, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (pt != NULL) - { - count = vsnprintf(pt, count + 1, format, copy); - if (count >= 0) - { - ret = wolfSSL_BIO_write(bio, pt, count); - } - XFREE(pt, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - } - va_end(copy); - } - break; - #endif - - default: - WOLFSSL_MSG("Unsupported WOLFSSL_BIO type for wolfSSL_BIO_printf"); - break; - } - - return ret; -} - -/* returns amount printed on success, negative in fail case */ -int wolfSSL_BIO_printf(WOLFSSL_BIO* bio, const char* format, ...) -{ - int ret; - va_list args; - va_start(args, format); - - ret = wolfSSL_BIO_vprintf(bio, format, args); - - va_end(args); - - return ret; -} - -#endif /* !defined(NO_FILESYSTEM) && defined (OPENSSL_EXTRA) */ - -#if !defined(NO_FILESYSTEM) && defined(__clang__) -#pragma clang diagnostic pop -#endif - -#undef LINE_LEN -#define LINE_LEN 16 -int wolfSSL_BIO_dump(WOLFSSL_BIO *bio, const char *buf, int length) -{ - int ret = 0; - - if (bio == NULL) - return 0; - -#ifndef NO_FILESYSTEM - if (bio->type == WOLFSSL_BIO_FILE) { - int i; - char line[80]; - - if (!buf) { - return fputs("\tNULL", (XFILE)bio->ptr); - } - - sprintf(line, "\t"); - for (i = 0; i < LINE_LEN; i++) { - if (i < length) - sprintf(line + 1 + i * 3,"%02x ", buf[i]); - else - sprintf(line + 1 + i * 3, " "); - } - sprintf(line + 1 + LINE_LEN * 3, "| "); - for (i = 0; i < LINE_LEN; i++) { - if (i < length) { - sprintf(line + 3 + LINE_LEN * 3 + i, - "%c", 31 < buf[i] && buf[i] < 127 ? buf[i] : '.'); - } - } - ret += fputs(line, (XFILE)bio->ptr); - - if (length > LINE_LEN) - ret += wolfSSL_BIO_dump(bio, buf + LINE_LEN, length - LINE_LEN); - } -#else - (void)buf; - (void)length; -#endif - - return ret; -} - -#ifndef NO_ASN_TIME -int wolfSSL_ASN1_UTCTIME_print(WOLFSSL_BIO* bio, const WOLFSSL_ASN1_UTCTIME* a) -{ - WOLFSSL_ENTER("ASN1_UTCTIME_print"); - if (bio == NULL || a == NULL) { - return WOLFSSL_FAILURE; - } - if (a->type != ASN_UTC_TIME) { - WOLFSSL_MSG("Error, not UTC_TIME"); - return WOLFSSL_FAILURE; - } - - return wolfSSL_ASN1_TIME_print(bio, a); -} - -/* Checks the ASN1 syntax of "a" - * returns WOLFSSL_SUCCESS (1) if correct otherwise WOLFSSL_FAILURE (0) */ -int wolfSSL_ASN1_TIME_check(const WOLFSSL_ASN1_TIME* a) -{ - char buf[MAX_TIME_STRING_SZ]; - - WOLFSSL_ENTER("wolfSSL_ASN1_TIME_check"); - - /* if can parse the WOLFSSL_ASN1_TIME passed in then consider syntax good */ - if (wolfSSL_ASN1_TIME_to_string((WOLFSSL_ASN1_TIME*)a, buf, - MAX_TIME_STRING_SZ) == NULL) { - return WOLFSSL_FAILURE; - } - return WOLFSSL_SUCCESS; -} -#endif /* !NO_ASN_TIME */ - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_ASN1_TIME_diff(int *pday, int *psec, - const WOLFSSL_ASN1_TIME *from, const WOLFSSL_ASN1_TIME *to) -{ - WOLFSSL_STUB("wolfSSL_ASN1_TIME_diff"); - (void)pday; - (void)psec; - (void)from; - (void)to; - return 0; -} - -WOLFSSL_API WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_set(WOLFSSL_ASN1_TIME *s, time_t t) -{ - WOLFSSL_STUB("wolfSSL_ASN1_TIME_set"); - (void)s; - (void)t; - return s; -} -#endif /* !NO_WOLFSSL_STUB */ - -/* Return the month as a string. - * - * n The number of the month as a two characters (1 based). - * returns the month as a string. - */ -static WC_INLINE const char* MonthStr(const char* n) -{ - static const char monthStr[12][4] = { - "Jan", "Feb", "Mar", "Apr", "May", "Jun", - "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" }; - return monthStr[(n[0] - '0') * 10 + (n[1] - '0') - 1]; -} - -int wolfSSL_ASN1_GENERALIZEDTIME_print(WOLFSSL_BIO* bio, - const WOLFSSL_ASN1_GENERALIZEDTIME* asnTime) -{ - const char* p; - WOLFSSL_ENTER("wolfSSL_ASN1_GENERALIZEDTIME_print"); - - if (bio == NULL || asnTime == NULL) - return BAD_FUNC_ARG; - - if (asnTime->type != ASN_GENERALIZED_TIME) { - WOLFSSL_MSG("Error, not GENERALIZED_TIME"); - return WOLFSSL_FAILURE; - } - p = (const char *)(asnTime->data); - /* GetTimeString not always available. */ - wolfSSL_BIO_write(bio, MonthStr(p + 4), 3); - wolfSSL_BIO_write(bio, " ", 1); - /* Day */ - wolfSSL_BIO_write(bio, p + 6, 2); - wolfSSL_BIO_write(bio, " ", 1); - /* Hour */ - wolfSSL_BIO_write(bio, p + 8, 2); - wolfSSL_BIO_write(bio, ":", 1); - /* Min */ - wolfSSL_BIO_write(bio, p + 10, 2); - wolfSSL_BIO_write(bio, ":", 1); - /* Secs */ - wolfSSL_BIO_write(bio, p + 12, 2); - wolfSSL_BIO_write(bio, " ", 1); - wolfSSL_BIO_write(bio, p, 4); - - return 0; -} - -void wolfSSL_ASN1_GENERALIZEDTIME_free(WOLFSSL_ASN1_TIME* asn1Time) -{ - WOLFSSL_ENTER("wolfSSL_ASN1_GENERALIZEDTIME_free"); - if (asn1Time == NULL) - return; - XMEMSET(asn1Time->data, 0, sizeof(asn1Time->data)); -} - -int wolfSSL_sk_num(WOLFSSL_STACK* sk) -{ - WOLFSSL_ENTER("wolfSSL_sk_num"); - if (sk == NULL) - return 0; - return (int)sk->num; -} - -void* wolfSSL_sk_value(WOLFSSL_STACK* sk, int i) -{ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - int offset = i; -#endif - WOLFSSL_ENTER("wolfSSL_sk_value"); - - for (; sk != NULL && i > 0; i--) - sk = sk->next; - if (sk == NULL) - return NULL; - - switch (sk->type) { - case STACK_TYPE_X509: - return (void*)sk->data.x509; - case STACK_TYPE_CIPHER: - #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - sk->data.cipher.offset = offset; - #endif - return (void*)&sk->data.cipher; - case STACK_TYPE_GEN_NAME: - return (void*)sk->data.gn; - case STACK_TYPE_ACCESS_DESCRIPTION: - return (void*)sk->data.access; - case STACK_TYPE_OBJ: - return (void*)sk->data.obj; - case STACK_TYPE_X509_EXT: - return (void*)sk->data.ext; - case STACK_TYPE_CONF_VALUE: - return (void*)sk->data.conf->value; - case STACK_TYPE_NULL: - default: - return (void*)sk->data.generic; - } -} - -/* Free the structure for ASN1_OBJECT stack */ -void wolfSSL_sk_free(WOLFSSL_STACK* sk) -{ - WOLFSSL_ENTER("wolfSSL_sk_free"); - - if (sk == NULL) { - WOLFSSL_MSG("Error, BAD_FUNC_ARG"); - return; - } - - switch (sk->type) { - case STACK_TYPE_X509: - wolfSSL_sk_X509_free(sk); - break; - #if defined(OPENSSL_ALL) - case STACK_TYPE_CIPHER: - wolfSSL_sk_CIPHER_free(sk); - break; - #endif - case STACK_TYPE_GEN_NAME: - wolfSSL_sk_GENERAL_NAME_free(sk); - break; - #if defined(OPENSSL_ALL) || defined (WOLFSSL_QT) - case STACK_TYPE_ACCESS_DESCRIPTION: - wolfSSL_sk_ACCESS_DESCRIPTION_free(sk); - break; - #endif - case STACK_TYPE_OBJ: - wolfSSL_sk_ASN1_OBJECT_free(sk); - break; - #ifdef OPENSSL_ALL - case STACK_TYPE_X509_INFO: - wolfSSL_sk_X509_INFO_free(sk); - break; - case STACK_TYPE_X509_NAME: - wolfSSL_sk_X509_NAME_free(sk); - break; - case STACK_TYPE_CONF_VALUE: - wolfSSL_sk_CONF_VALUE_free(sk); - break; - #endif - case STACK_TYPE_NULL: - default: - wolfSSL_sk_GENERIC_free(sk); - } -} -/* Frees each node in the stack and frees the stack. - * Does not free any internal members of the stack nodes. - */ -void wolfSSL_sk_GENERIC_pop_free(WOLFSSL_STACK* sk, - void (*f) (void*)) -{ - WOLFSSL_STACK* node; - WOLFSSL_STACK* tmp; - WOLFSSL_ENTER("wolfSSL_sk_GENERIC_pop_free"); - - if (sk == NULL) - return; - - /* parse through stack freeing each node */ - node = sk->next; - while (node) { - tmp = node; - node = node->next; - if (f) - f(tmp->data.generic); - tmp->data.generic = NULL; - XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); - } - - /* free head of stack */ - XFREE(sk, NULL, DYNAMIC_TYPE_ASN1); -} - -/* return 1 on success 0 on fail */ -int wolfSSL_sk_GENERIC_push(WOLFSSL_STACK* sk, void* generic) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_GENERIC_push"); - - if (sk == NULL || generic == NULL) { - return WOLFSSL_FAILURE; - } - - /* no previous values in stack */ - if (sk->data.generic == NULL) { - sk->data.generic = generic; - sk->num += 1; - return WOLFSSL_SUCCESS; - } - - /* stack already has value(s) create a new node and add more */ - node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK),NULL,DYNAMIC_TYPE_SSL); - if (node == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - XMEMSET(node, 0, sizeof(WOLFSSL_STACK)); - - /* push new node onto head of stack */ - node->type = sk->type; - node->data.generic = sk->data.generic; - node->next = sk->next; - sk->next = node; - sk->data.generic = generic; - sk->num += 1; - - return WOLFSSL_SUCCESS; -} -void wolfSSL_sk_GENERIC_free(WOLFSSL_STACK* sk) -{ - wolfSSL_sk_GENERIC_pop_free(sk, NULL); -} - - -/* Free all nodes in a stack */ -void wolfSSL_sk_pop_free(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk, - wolfSSL_sk_freefunc func) -{ - WOLFSSL_ENTER("wolfSSL_sk_pop_free"); - - if (sk == NULL) { - WOLFSSL_MSG("Error, BAD_FUNC_ARG"); - return; - } - - switch(sk->type) { - #if defined(OPENSSL_ALL) || defined (WOLFSSL_QT) - case STACK_TYPE_ACCESS_DESCRIPTION: - wolfSSL_sk_ACCESS_DESCRIPTION_pop_free(sk, - wolfSSL_ACCESS_DESCRIPTION_free); - break; - #endif - case STACK_TYPE_X509: - wolfSSL_sk_X509_pop_free(sk,(void (*)(WOLFSSL_X509*))func); - break; - case STACK_TYPE_OBJ: - wolfSSL_sk_ASN1_OBJECT_pop_free(sk, - (void (*)(WOLFSSL_ASN1_OBJECT*))func); - break; - case STACK_TYPE_GEN_NAME: - wolfSSL_sk_GENERAL_NAME_pop_free(sk, - (void (*)(WOLFSSL_GENERAL_NAME*))func); - break; - #ifdef OPENSSL_ALL - case STACK_TYPE_X509_NAME: - wolfSSL_sk_X509_NAME_pop_free(sk, - (void (*)(WOLFSSL_X509_NAME*))func); - break; - case STACK_TYPE_X509_EXT: - wolfSSL_sk_X509_EXTENSION_pop_free(sk, - (void (*)(WOLFSSL_X509_EXTENSION*))func); - break; - #endif - #if defined(OPENSSL_ALL) - case STACK_TYPE_X509_INFO: - wolfSSL_sk_X509_INFO_pop_free(sk, - (void (*)(WOLFSSL_X509_INFO*))func); - break; - #endif - default: - wolfSSL_sk_GENERIC_pop_free(sk, - (void (*)(void*))func); - break; - } -} - -#if defined(OPENSSL_ALL) -/* Free the structure for WOLFSSL_CONF_VALUE stack - * - * sk stack to free nodes in - */ -void wolfSSL_sk_CONF_VALUE_free(WOLF_STACK_OF(WOLFSSL_CONF_VALUE)* sk) -{ - WOLFSSL_STACK* node; - WOLFSSL_STACK* tmp; - WOLFSSL_ENTER("wolfSSL_sk_CONF_VALUE_free"); - - if (sk == NULL) - return; - - /* parse through stack freeing each node */ - node = sk->next; - while (node) { - tmp = node; - node = node->next; - XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); - } - - /* free head of stack */ - XFREE(sk, NULL, DYNAMIC_TYPE_ASN1); -} -#endif - -/* Creates and returns a new null stack. */ -WOLFSSL_STACK* wolfSSL_sk_new_null(void) -{ - WOLFSSL_STACK* sk; - WOLFSSL_ENTER("wolfSSL_sk_new_null"); - - sk = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_OPENSSL); - if (sk == NULL) { - WOLFSSL_MSG("WOLFSSL_STACK memory error"); - return NULL; - } - - XMEMSET(sk, 0, sizeof(WOLFSSL_STACK)); - sk->type = STACK_TYPE_NULL; - - return sk; -} - -/* frees the wolfSSL_BASIC_CONSTRAINTS object */ -void wolfSSL_BASIC_CONSTRAINTS_free(WOLFSSL_BASIC_CONSTRAINTS *bc) -{ - WOLFSSL_ENTER("wolfSSL_BASIC_CONSTRAINTS_free"); - if (bc == NULL) { - WOLFSSL_MSG("Argument is NULL"); - return; - } - if (bc->pathlen) { - wolfSSL_ASN1_INTEGER_free(bc->pathlen); - } - XFREE(bc, NULL, DYNAMIC_TYPE_OPENSSL); -} - -/* frees the wolfSSL_AUTHORITY_KEYID object */ -void wolfSSL_AUTHORITY_KEYID_free(WOLFSSL_AUTHORITY_KEYID *id) -{ - WOLFSSL_ENTER("wolfSSL_AUTHORITY_KEYID_free"); - if(id == NULL) { - WOLFSSL_MSG("Argument is NULL"); - return; - } - if (id->keyid) { - wolfSSL_ASN1_STRING_free(id->keyid); - } - if (id->issuer) { - wolfSSL_ASN1_OBJECT_free(id->issuer); - } - if (id->serial) { - wolfSSL_ASN1_INTEGER_free(id->serial); - } - XFREE(id, NULL, DYNAMIC_TYPE_OPENSSL); -} - -int wolfSSL_sk_SSL_COMP_num(WOLF_STACK_OF(WOLFSSL_COMP)* sk) -{ - if (sk == NULL) - return 0; - return (int)sk->num; -} - -#endif /* OPENSSL_EXTRA */ - -#if defined(OPENSSL_EXTRA) || defined(HAVE_EXT_CACHE) -/* stunnel 4.28 needs - * - * Callback that is called if a session tries to resume but could not find - * the session to resume it. - */ -void wolfSSL_CTX_sess_set_get_cb(WOLFSSL_CTX* ctx, - WOLFSSL_SESSION*(*f)(WOLFSSL*, unsigned char*, int, int*)) -{ - if (ctx == NULL) - return; - -#ifdef HAVE_EXT_CACHE - ctx->get_sess_cb = f; -#else - (void)f; -#endif -} - -void wolfSSL_CTX_sess_set_new_cb(WOLFSSL_CTX* ctx, - int (*f)(WOLFSSL*, WOLFSSL_SESSION*)) -{ - if (ctx == NULL) - return; - -#ifdef HAVE_EXT_CACHE - ctx->new_sess_cb = f; -#else - (void)f; -#endif -} - -void wolfSSL_CTX_sess_set_remove_cb(WOLFSSL_CTX* ctx, void (*f)(WOLFSSL_CTX*, - WOLFSSL_SESSION*)) -{ - if (ctx == NULL) - return; - -#ifdef HAVE_EXT_CACHE - ctx->rem_sess_cb = f; -#else - (void)f; -#endif -} -#endif /* OPENSSL_EXTRA || HAVE_EXT_CACHE */ - -#ifdef OPENSSL_EXTRA - -/* - * - * Note: It is expected that the importing and exporting function have been - * built with the same settings. For example if session tickets was - * enabled with the wolfSSL library exporting a session then it is - * expected to be turned on with the wolfSSL library importing the session. - */ -int wolfSSL_i2d_SSL_SESSION(WOLFSSL_SESSION* sess, unsigned char** p) -{ - int size = 0; -#ifdef HAVE_EXT_CACHE - int idx = 0; -#ifdef SESSION_CERTS - int i; -#endif - unsigned char *data; - - if (sess == NULL) { - return BAD_FUNC_ARG; - } - - /* bornOn | timeout | sessionID len | sessionID | masterSecret | haveEMS */ - size += OPAQUE32_LEN + OPAQUE32_LEN + OPAQUE8_LEN + sess->sessionIDSz + - SECRET_LEN + OPAQUE8_LEN; -#ifdef SESSION_CERTS - /* Peer chain */ - size += OPAQUE8_LEN; - for (i = 0; i < sess->chain.count; i++) - size += OPAQUE16_LEN + sess->chain.certs[i].length; -#endif -#if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \ - defined(HAVE_SESSION_TICKET)) - /* Protocol version */ - size += OPAQUE16_LEN; -#endif -#if defined(SESSION_CERTS) || !defined(NO_RESUME_SUITE_CHECK) || \ - (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) - /* cipher suite */ - size += OPAQUE16_LEN; -#endif -#ifndef NO_CLIENT_CACHE - /* ServerID len | ServerID */ - size += OPAQUE16_LEN + sess->idLen; -#endif -#ifdef OPENSSL_EXTRA - /* session context ID len | session context ID */ - size += OPAQUE8_LEN + sess->sessionCtxSz; -#endif -#ifdef WOLFSSL_TLS13 - /* namedGroup */ - size += OPAQUE16_LEN; -#endif -#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) -#ifdef WOLFSSL_TLS13 - /* ticketSeen | ticketAdd */ - size += OPAQUE32_LEN + OPAQUE32_LEN; -#ifndef WOLFSSL_TLS13_DRAFT_18 - /* ticketNonce */ - size += OPAQUE8_LEN + sess->ticketNonce.len; -#endif -#endif -#ifdef WOLFSSL_EARLY_DATA - size += OPAQUE32_LEN; -#endif -#endif -#ifdef HAVE_SESSION_TICKET - /* ticket len | ticket */ - size += OPAQUE16_LEN + sess->ticketLen; -#endif - - if (p != NULL) { - if (*p == NULL) - *p = (unsigned char*)XMALLOC(size, NULL, DYNAMIC_TYPE_OPENSSL); - if (*p == NULL) - return 0; - data = *p; - - c32toa(sess->bornOn, data + idx); idx += OPAQUE32_LEN; - c32toa(sess->timeout, data + idx); idx += OPAQUE32_LEN; - data[idx++] = sess->sessionIDSz; - XMEMCPY(data + idx, sess->sessionID, sess->sessionIDSz); - idx += sess->sessionIDSz; - XMEMCPY(data + idx, sess->masterSecret, SECRET_LEN); idx += SECRET_LEN; - data[idx++] = (byte)sess->haveEMS; -#ifdef SESSION_CERTS - data[idx++] = (byte)sess->chain.count; - for (i = 0; i < sess->chain.count; i++) { - c16toa((word16)sess->chain.certs[i].length, data + idx); - idx += OPAQUE16_LEN; - XMEMCPY(data + idx, sess->chain.certs[i].buffer, - sess->chain.certs[i].length); - idx += sess->chain.certs[i].length; - } -#endif -#if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \ - defined(HAVE_SESSION_TICKET)) - data[idx++] = sess->version.major; - data[idx++] = sess->version.minor; -#endif -#if defined(SESSION_CERTS) || !defined(NO_RESUME_SUITE_CHECK) || \ - (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) - data[idx++] = sess->cipherSuite0; - data[idx++] = sess->cipherSuite; -#endif -#ifndef NO_CLIENT_CACHE - c16toa(sess->idLen, data + idx); idx += OPAQUE16_LEN; - XMEMCPY(data + idx, sess->serverID, sess->idLen); - idx += sess->idLen; -#endif -#ifdef OPENSSL_EXTRA - data[idx++] = sess->sessionCtxSz; - XMEMCPY(data + idx, sess->sessionCtx, sess->sessionCtxSz); - idx += sess->sessionCtxSz; -#endif -#ifdef WOLFSSL_TLS13 - c16toa(sess->namedGroup, data + idx); - idx += OPAQUE16_LEN; -#endif -#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) -#ifdef WOLFSSL_TLS13 - c32toa(sess->ticketSeen, data + idx); - idx += OPAQUE32_LEN; - c32toa(sess->ticketAdd, data + idx); - idx += OPAQUE32_LEN; -#ifndef WOLFSSL_TLS13_DRAFT_18 - data[idx++] = sess->ticketNonce.len; - XMEMCPY(data + idx, sess->ticketNonce.data, sess->ticketNonce.len); - idx += sess->ticketNonce.len; -#endif -#endif -#ifdef WOLFSSL_EARLY_DATA - c32toa(sess->maxEarlyDataSz, data + idx); - idx += OPAQUE32_LEN; -#endif -#endif -#ifdef HAVE_SESSION_TICKET - c16toa(sess->ticketLen, data + idx); idx += OPAQUE16_LEN; - XMEMCPY(data + idx, sess->ticket, sess->ticketLen); - idx += sess->ticketLen; -#endif - } -#endif - - (void)sess; - (void)p; -#ifdef HAVE_EXT_CACHE - (void)idx; -#endif - - return size; -} - - -/* TODO: no function to free new session. - * - * Note: It is expected that the importing and exporting function have been - * built with the same settings. For example if session tickets was - * enabled with the wolfSSL library exporting a session then it is - * expected to be turned on with the wolfSSL library importing the session. - */ -WOLFSSL_SESSION* wolfSSL_d2i_SSL_SESSION(WOLFSSL_SESSION** sess, - const unsigned char** p, long i) -{ - WOLFSSL_SESSION* s = NULL; - int ret = 0; -#if defined(HAVE_EXT_CACHE) - int idx; - byte* data; -#ifdef SESSION_CERTS - int j; - word16 length; -#endif -#endif - - (void)p; - (void)i; - (void)ret; - - if (sess != NULL) - s = *sess; - -#ifdef HAVE_EXT_CACHE - if (p == NULL || *p == NULL) - return NULL; - - if (s == NULL) { - s = (WOLFSSL_SESSION*)XMALLOC(sizeof(WOLFSSL_SESSION), NULL, - DYNAMIC_TYPE_OPENSSL); - if (s == NULL) - return NULL; - XMEMSET(s, 0, sizeof(WOLFSSL_SESSION)); - s->isAlloced = 1; -#ifdef HAVE_SESSION_TICKET - s->isDynamic = 0; -#endif - } - - idx = 0; - data = (byte*)*p; - - /* bornOn | timeout | sessionID len */ - if (i < OPAQUE32_LEN + OPAQUE32_LEN + OPAQUE8_LEN) { - ret = BUFFER_ERROR; - goto end; - } - ato32(data + idx, &s->bornOn); idx += OPAQUE32_LEN; - ato32(data + idx, &s->timeout); idx += OPAQUE32_LEN; - s->sessionIDSz = data[idx++]; - - /* sessionID | secret | haveEMS */ - if (i - idx < s->sessionIDSz + SECRET_LEN + OPAQUE8_LEN) { - ret = BUFFER_ERROR; - goto end; - } - XMEMCPY(s->sessionID, data + idx, s->sessionIDSz); - idx += s->sessionIDSz; - XMEMCPY(s->masterSecret, data + idx, SECRET_LEN); idx += SECRET_LEN; - s->haveEMS = data[idx++]; - -#ifdef SESSION_CERTS - /* Certificate chain */ - if (i - idx == 0) { - ret = BUFFER_ERROR; - goto end; - } - s->chain.count = data[idx++]; - for (j = 0; j < s->chain.count; j++) { - if (i - idx < OPAQUE16_LEN) { - ret = BUFFER_ERROR; - goto end; - } - ato16(data + idx, &length); idx += OPAQUE16_LEN; - s->chain.certs[j].length = length; - if (i - idx < length) { - ret = BUFFER_ERROR; - goto end; - } - XMEMCPY(s->chain.certs[j].buffer, data + idx, length); - idx += length; - } -#endif -#if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \ - defined(HAVE_SESSION_TICKET)) - /* Protocol Version */ - if (i - idx < OPAQUE16_LEN) { - ret = BUFFER_ERROR; - goto end; - } - s->version.major = data[idx++]; - s->version.minor = data[idx++]; -#endif -#if defined(SESSION_CERTS) || !defined(NO_RESUME_SUITE_CHECK) || \ - (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) - /* Cipher suite */ - if (i - idx < OPAQUE16_LEN) { - ret = BUFFER_ERROR; - goto end; - } - s->cipherSuite0 = data[idx++]; - s->cipherSuite = data[idx++]; -#endif -#ifndef NO_CLIENT_CACHE - /* ServerID len */ - if (i - idx < OPAQUE16_LEN) { - ret = BUFFER_ERROR; - goto end; - } - ato16(data + idx, &s->idLen); idx += OPAQUE16_LEN; - - /* ServerID */ - if (i - idx < s->idLen) { - ret = BUFFER_ERROR; - goto end; - } - XMEMCPY(s->serverID, data + idx, s->idLen); idx += s->idLen; -#endif -#ifdef OPENSSL_EXTRA - /* byte for length of session context ID */ - if (i - idx < OPAQUE8_LEN) { - ret = BUFFER_ERROR; - goto end; - } - s->sessionCtxSz = data[idx++]; - - /* app session context ID */ - if (i - idx < s->sessionCtxSz) { - ret = BUFFER_ERROR; - goto end; - } - XMEMCPY(s->sessionCtx, data + idx, s->sessionCtxSz); idx += s->sessionCtxSz; -#endif -#ifdef WOLFSSL_TLS13 - if (i - idx < OPAQUE16_LEN) { - ret = BUFFER_ERROR; - goto end; - } - ato16(data + idx, &s->namedGroup); - idx += OPAQUE16_LEN; -#endif -#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) -#ifdef WOLFSSL_TLS13 - if (i - idx < (OPAQUE32_LEN * 2)) { - ret = BUFFER_ERROR; - goto end; - } - ato32(data + idx, &s->ticketSeen); - idx += OPAQUE32_LEN; - ato32(data + idx, &s->ticketAdd); - idx += OPAQUE32_LEN; -#ifndef WOLFSSL_TLS13_DRAFT_18 - if (i - idx < OPAQUE8_LEN) { - ret = BUFFER_ERROR; - goto end; - } - s->ticketNonce.len = data[idx++]; - - if (i - idx < s->ticketNonce.len) { - ret = BUFFER_ERROR; - goto end; - } - XMEMCPY(s->ticketNonce.data, data + idx, s->ticketNonce.len); - idx += s->ticketNonce.len; -#endif -#endif -#ifdef WOLFSSL_EARLY_DATA - if (i - idx < OPAQUE32_LEN) { - ret = BUFFER_ERROR; - goto end; - } - ato32(data + idx, &s->maxEarlyDataSz); - idx += OPAQUE32_LEN; -#endif -#endif -#ifdef HAVE_SESSION_TICKET - /* ticket len */ - if (i - idx < OPAQUE16_LEN) { - ret = BUFFER_ERROR; - goto end; - } - ato16(data + idx, &s->ticketLen); idx += OPAQUE16_LEN; - - /* Dispose of ol dynamic ticket and ensure space for new ticket. */ - if (s->isDynamic) - XFREE(s->ticket, NULL, DYNAMIC_TYPE_SESSION_TICK); - if (s->ticketLen <= SESSION_TICKET_LEN) - s->ticket = s->staticTicket; - else { - s->ticket = (byte*)XMALLOC(s->ticketLen, NULL, - DYNAMIC_TYPE_SESSION_TICK); - if (s->ticket == NULL) { - ret = MEMORY_ERROR; - goto end; - } - s->isDynamic = 1; - } - - /* ticket */ - if (i - idx < s->ticketLen) { - ret = BUFFER_ERROR; - goto end; - } - XMEMCPY(s->ticket, data + idx, s->ticketLen); idx += s->ticketLen; -#endif - (void)idx; - - if (sess != NULL) - *sess = s; - - *p += idx; - -end: - if (ret != 0 && (sess == NULL || *sess != s)) - wolfSSL_SESSION_free(s); -#endif - return s; -} - - -long wolfSSL_SESSION_get_timeout(const WOLFSSL_SESSION* sess) -{ - long timeout = 0; - WOLFSSL_ENTER("wolfSSL_SESSION_get_timeout"); - if (sess) - timeout = sess->timeout; - return timeout; -} - - -long wolfSSL_SESSION_get_time(const WOLFSSL_SESSION* sess) -{ - long bornOn = 0; - WOLFSSL_ENTER("wolfSSL_SESSION_get_time"); - if (sess) - bornOn = sess->bornOn; - return bornOn; -} - - -#endif /* OPENSSL_EXTRA */ - - -#ifdef KEEP_PEER_CERT -char* wolfSSL_X509_get_subjectCN(WOLFSSL_X509* x509) -{ - if (x509 == NULL) - return NULL; - - return x509->subjectCN; -} -#endif /* KEEP_PEER_CERT */ - -#ifdef OPENSSL_EXTRA - -#if defined(FORTRESS) && !defined(NO_FILESYSTEM) -int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname) -{ - int ret = WOLFSSL_FATAL_ERROR; - - WOLFSSL_ENTER("wolfSSL_cmp_peer_cert_to_file"); - if (ssl != NULL && fname != NULL) - { - #ifdef WOLFSSL_SMALL_STACK - byte staticBuffer[1]; /* force heap usage */ - #else - byte staticBuffer[FILE_BUFFER_SIZE]; - #endif - byte* myBuffer = staticBuffer; - int dynamic = 0; - XFILE file; - long sz = 0; - WOLFSSL_CTX* ctx = ssl->ctx; - WOLFSSL_X509* peer_cert = &ssl->peerCert; - DerBuffer* fileDer = NULL; - - file = XFOPEN(fname, "rb"); - if (file == XBADFILE) - return WOLFSSL_BAD_FILE; - - if (XFSEEK(file, 0, XSEEK_END) != 0) { - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - sz = XFTELL(file); - XREWIND(file); - - if (sz > MAX_WOLFSSL_FILE_SIZE || sz < 0) { - WOLFSSL_MSG("cmp_peer_cert_to_file size error"); - XFCLOSE(file); - return WOLFSSL_BAD_FILE; - } - - if (sz > (long)sizeof(staticBuffer)) { - WOLFSSL_MSG("Getting dynamic buffer"); - myBuffer = (byte*)XMALLOC(sz, ctx->heap, DYNAMIC_TYPE_FILE); - dynamic = 1; - } - - if ((myBuffer != NULL) && - (sz > 0) && - (XFREAD(myBuffer, 1, sz, file) == (size_t)sz) && - (PemToDer(myBuffer, (long)sz, CERT_TYPE, - &fileDer, ctx->heap, NULL, NULL) == 0) && - (fileDer->length != 0) && - (fileDer->length == peer_cert->derCert->length) && - (XMEMCMP(peer_cert->derCert->buffer, fileDer->buffer, - fileDer->length) == 0)) - { - ret = 0; - } - - FreeDer(&fileDer); - - if (dynamic) - XFREE(myBuffer, ctx->heap, DYNAMIC_TYPE_FILE); - - XFCLOSE(file); - } - - return ret; -} -#endif -#endif /* OPENSSL_EXTRA */ -#endif /* !WOLFCRYPT_ONLY */ -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) -const WOLFSSL_ObjectInfo wolfssl_object_info[] = { -#ifndef NO_CERTS - /* oidCertExtType */ - { NID_basic_constraints, BASIC_CA_OID, oidCertExtType, "basicConstraints", - "X509v3 Basic Constraints"}, - { NID_subject_alt_name, ALT_NAMES_OID, oidCertExtType, "subjectAltName", - "X509v3 Subject Alternative Name"}, - { CRL_DIST_OID, CRL_DIST_OID, oidCertExtType, "crlDistributionPoints", - "X509v3 CRL Distribution Points"}, - { NID_info_access, AUTH_INFO_OID, oidCertExtType, "authorityInfoAccess", - "Authority Information Access"}, - { NID_authority_key_identifier, AUTH_KEY_OID, oidCertExtType, - "authorityKeyIdentifier", "X509v3 Authority Key Identifier"}, - { NID_subject_key_identifier, SUBJ_KEY_OID, oidCertExtType, - "subjectKeyIdentifier", "X509v3 Subject Key Identifier"}, - { NID_key_usage, KEY_USAGE_OID, oidCertExtType, "keyUsage", - "X509v3 Key Usage"}, - { NID_inhibit_any_policy, INHIBIT_ANY_OID, oidCertExtType, - "inhibitAnyPolicy", "X509v3 Inhibit Any Policy"}, - { NID_ext_key_usage, KEY_USAGE_OID, oidCertExtType, - "extendedKeyUsage", "X509v3 Extended Key Usage"}, - { NID_name_constraints, NAME_CONS_OID, oidCertExtType, - "nameConstraints", "X509v3 Name Constraints"}, - { NID_certificate_policies, CERT_POLICY_OID, oidCertExtType, - "certificatePolicies", "X509v3 Certificate Policies"}, - - /* oidCertAuthInfoType */ - { AIA_OCSP_OID, AIA_OCSP_OID, oidCertAuthInfoType, "authorityInfoAccess", - "Authority Information Access"}, - { AIA_CA_ISSUER_OID, AIA_CA_ISSUER_OID, oidCertAuthInfoType, - "caIssuers", "CA Issuers"}, - - /* oidCertPolicyType */ - { NID_any_policy, CP_ANY_OID, oidCertPolicyType, "anyPolicy", - "X509v3 Any Policy"}, - - /* oidCertAltNameType */ - { NID_hw_name_oid, HW_NAME_OID, oidCertAltNameType, "Hardware name",""}, - - /* oidCertKeyUseType */ - { NID_anyExtendedKeyUsage, EKU_ANY_OID, oidCertKeyUseType, - "anyExtendedKeyUsage", "Any Extended Key Usage"}, - { EKU_SERVER_AUTH_OID, EKU_SERVER_AUTH_OID, oidCertKeyUseType, - "serverAuth", "TLS Web Server Authentication"}, - { EKU_CLIENT_AUTH_OID, EKU_CLIENT_AUTH_OID, oidCertKeyUseType, - "clientAuth", "TLS Web Client Authentication"}, - { EKU_OCSP_SIGN_OID, EKU_OCSP_SIGN_OID, oidCertKeyUseType, - "OCSPSigning", "OCSP Signing"}, - - /* oidCertNameType */ - { NID_commonName, NID_commonName, oidCertNameType, "CN", "commonName"}, - { NID_surname, NID_surname, oidCertNameType, "SN", "surname"}, - { NID_serialNumber, NID_serialNumber, oidCertNameType, "serialNumber", - "serialNumber"}, - { NID_countryName, NID_countryName, oidCertNameType, "C", "countryName"}, - { NID_localityName, NID_localityName, oidCertNameType, "L", "localityName"}, - { NID_stateOrProvinceName, NID_stateOrProvinceName, oidCertNameType, "ST", - "stateOrProvinceName"}, - { NID_organizationName, NID_organizationName, oidCertNameType, "O", - "organizationName"}, - { NID_organizationalUnitName, NID_organizationalUnitName, oidCertNameType, - "OU", "organizationalUnitName"}, - { NID_emailAddress, NID_emailAddress, oidCertNameType, "emailAddress", - "emailAddress"}, - { NID_domainComponent, NID_domainComponent, oidCertNameType, "DC", - "domainComponent"}, - { NID_businessCategory, NID_businessCategory, oidCertNameType, "businessCategory", - "businessCategory"}, - { NID_jurisdictionCountryName, NID_jurisdictionCountryName, oidCertNameType, "jurisdictionC", - "jurisdictionCountryName"}, - { NID_jurisdictionStateOrProvinceName, NID_jurisdictionStateOrProvinceName, - oidCertNameType, "jurisdictionST", "jurisdictionStateOrProvinceName"}, -#endif -#ifdef OPENSSL_EXTRA /* OPENSSL_EXTRA_X509_SMALL only needs the above */ - /* oidHashType */ - #ifdef WOLFSSL_MD2 - { NID_md2, MD2h, oidHashType, "MD2", "md2"}, - #endif - #ifdef WOLFSSL_MD5 - { NID_md5, MD5h, oidHashType, "MD5", "md5"}, - #endif - #ifndef NO_SHA - { NID_sha1, SHAh, oidHashType, "SHA1", "sha1"}, - #endif - #ifdef WOLFSSL_SHA224 - { NID_sha224, SHA224h, oidHashType, "SHA224", "sha224"}, - #endif - #ifndef NO_SHA256 - { NID_sha256, SHA256h, oidHashType, "SHA256", "sha256"}, - #endif - #ifdef WOLFSSL_SHA384 - { NID_sha384, SHA384h, oidHashType, "SHA384", "sha384"}, - #endif - #ifdef WOLFSSL_SHA512 - { NID_sha512, SHA512h, oidHashType, "SHA512", "sha512"}, - #endif - - /* oidSigType */ - #ifndef NO_DSA - #ifndef NO_SHA - { CTC_SHAwDSA, CTC_SHAwDSA, oidSigType, "DSA-SHA1", "dsaWithSHA1"}, - #endif - #endif /* NO_DSA */ - #ifndef NO_RSA - #ifdef WOLFSSL_MD2 - { CTC_MD2wRSA, CTC_MD2wRSA, oidSigType, "RSA-MD2", - "md2WithRSAEncryption"}, - #endif - #ifndef NO_MD5 - { CTC_MD5wRSA, CTC_MD5wRSA, oidSigType, "RSA-MD5", - "md5WithRSAEncryption"}, - #endif - #ifndef NO_SHA - { CTC_SHAwRSA, CTC_SHAwRSA, oidSigType, "RSA-SHA1", - "sha1WithRSAEncryption"}, - #endif - #ifdef WOLFSSL_SHA224 - { CTC_SHA224wRSA, CTC_SHA224wRSA, oidSigType, "RSA-SHA224", - "sha224WithRSAEncryption"}, - #endif - #ifndef NO_SHA256 - { CTC_SHA256wRSA, CTC_SHA256wRSA, oidSigType, "RSA-SHA256", - "sha256WithRSAEncryption"}, - #endif - #ifdef WOLFSSL_SHA384 - { CTC_SHA384wRSA, CTC_SHA384wRSA, oidSigType, "RSA-SHA384", - "sha384WithRSAEncryption"}, - #endif - #ifdef WOLFSSL_SHA512 - { CTC_SHA512wRSA, CTC_SHA512wRSA, oidSigType, "RSA-SHA512", - "sha512WithRSAEncryption"}, - #endif - #endif /* NO_RSA */ - #ifdef HAVE_ECC - #ifndef NO_SHA - { CTC_SHAwECDSA, CTC_SHAwECDSA, oidSigType, "ecdsa-with-SHA1", "shaWithECDSA"}, - #endif - #ifdef WOLFSSL_SHA224 - { CTC_SHA224wECDSA, CTC_SHA224wECDSA, oidSigType, "ecdsa-with-SHA224","sha224WithECDSA"}, - #endif - #ifndef NO_SHA256 - { CTC_SHA256wECDSA, CTC_SHA256wECDSA, oidSigType, "ecdsa-with-SHA256","sha256WithECDSA"}, - #endif - #ifdef WOLFSSL_SHA384 - { CTC_SHA384wECDSA, CTC_SHA384wECDSA, oidSigType, "ecdsa-with-SHA384","sha384WithECDSA"}, - #endif - #ifdef WOLFSSL_SHA512 - { CTC_SHA512wECDSA, CTC_SHA512wECDSA, oidSigType, "ecdsa-with-SHA512","sha512WithECDSA"}, - #endif - #endif /* HAVE_ECC */ - - /* oidKeyType */ - #ifndef NO_DSA - { DSAk, DSAk, oidKeyType, "DSA", "dsaEncryption"}, - { NID_dsa, DSAk, oidKeyType, "DSA", "dsaEncryption"}, - #endif /* NO_DSA */ - #ifndef NO_RSA - { RSAk, RSAk, oidKeyType, "RSA", "rsaEncryption"}, - { NID_rsaEncryption, RSAk, oidKeyType, "RSA", "rsaEncryption"}, - #endif /* NO_RSA */ - #ifdef HAVE_NTRU - { NTRUk, NTRUk, oidKeyType, "NTRU", "ntruEncryption"}, - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - { ECDSAk, ECDSAk, oidKeyType, "ECDSA", "ecdsaEncryption"}, - { NID_X9_62_id_ecPublicKey, ECDSAk, oidKeyType, "id-ecPublicKey", - "id-ecPublicKey"}, - #endif /* HAVE_ECC */ - #ifndef NO_DH - { NID_dhKeyAgreement, DHk, oidKeyType, "dhKeyAgreement", "dhKeyAgreement"}, - #endif - - /* oidCurveType */ - #ifdef HAVE_ECC - { NID_X9_62_prime192v1, ECC_SECP192R1_OID, oidCurveType, "prime192v1", "prime192v1"}, - { NID_X9_62_prime192v2, ECC_PRIME192V2_OID, oidCurveType, "prime192v2", "prime192v2"}, - { NID_X9_62_prime192v3, ECC_PRIME192V3_OID, oidCurveType, "prime192v3", "prime192v3"}, - - { NID_X9_62_prime239v1, ECC_PRIME239V1_OID, oidCurveType, "prime239v1", "prime239v1"}, - { NID_X9_62_prime239v2, ECC_PRIME239V2_OID, oidCurveType, "prime239v2", "prime239v2"}, - { NID_X9_62_prime239v3, ECC_PRIME239V3_OID, oidCurveType, "prime239v3", "prime239v3"}, - - { NID_X9_62_prime256v1, ECC_SECP256R1_OID, oidCurveType, "prime256v1", "prime256v1"}, - - { NID_secp112r1, ECC_SECP112R1_OID, oidCurveType, "secp112r1", "secp112r1"}, - { NID_secp112r2, ECC_SECP112R2_OID, oidCurveType, "secp112r2", "secp112r2"}, - - { NID_secp128r1, ECC_SECP128R1_OID, oidCurveType, "secp128r1", "secp128r1"}, - { NID_secp128r2, ECC_SECP128R2_OID, oidCurveType, "secp128r2", "secp128r2"}, - - { NID_secp160r1, ECC_SECP160R1_OID, oidCurveType, "secp160r1", "secp160r1"}, - { NID_secp160r2, ECC_SECP160R2_OID, oidCurveType, "secp160r2", "secp160r2"}, - - { NID_secp224r1, ECC_SECP224R1_OID, oidCurveType, "secp224r1", "secp224r1"}, - { NID_secp384r1, ECC_SECP384R1_OID, oidCurveType, "secp384r1", "secp384r1"}, - { NID_secp521r1, ECC_SECP521R1_OID, oidCurveType, "secp521r1", "secp521r1"}, - - { NID_secp160k1, ECC_SECP160K1_OID, oidCurveType, "secp160k1", "secp160k1"}, - { NID_secp192k1, ECC_SECP192K1_OID, oidCurveType, "secp192k1", "secp192k1"}, - { NID_secp224k1, ECC_SECP224K1_OID, oidCurveType, "secp224k1", "secp224k1"}, - { NID_secp256k1, ECC_SECP256K1_OID, oidCurveType, "secp256k1", "secp256k1"}, - - { NID_brainpoolP160r1, ECC_BRAINPOOLP160R1_OID, oidCurveType, "brainpoolP160r1", "brainpoolP160r1"}, - { NID_brainpoolP192r1, ECC_BRAINPOOLP192R1_OID, oidCurveType, "brainpoolP192r1", "brainpoolP192r1"}, - { NID_brainpoolP224r1, ECC_BRAINPOOLP224R1_OID, oidCurveType, "brainpoolP224r1", "brainpoolP224r1"}, - { NID_brainpoolP256r1, ECC_BRAINPOOLP256R1_OID, oidCurveType, "brainpoolP256r1", "brainpoolP256r1"}, - { NID_brainpoolP320r1, ECC_BRAINPOOLP320R1_OID, oidCurveType, "brainpoolP320r1", "brainpoolP320r1"}, - { NID_brainpoolP384r1, ECC_BRAINPOOLP384R1_OID, oidCurveType, "brainpoolP384r1", "brainpoolP384r1"}, - { NID_brainpoolP512r1, ECC_BRAINPOOLP512R1_OID, oidCurveType, "brainpoolP512r1", "brainpoolP512r1"}, - #endif /* HAVE_ECC */ - - /* oidBlkType */ - #ifdef WOLFSSL_AES_128 - { AES128CBCb, AES128CBCb, oidBlkType, "AES-128-CBC", "aes-128-cbc"}, - #endif - #ifdef WOLFSSL_AES_192 - { AES192CBCb, AES192CBCb, oidBlkType, "AES-192-CBC", "aes-192-cbc"}, - #endif - #ifdef WOLFSSL_AES_256 - { AES256CBCb, AES256CBCb, oidBlkType, "AES-256-CBC", "aes-256-cbc"}, - #endif - #ifndef NO_DES3 - { NID_des, DESb, oidBlkType, "DES-CBC", "des-cbc"}, - { NID_des3, DES3b, oidBlkType, "DES-EDE3-CBC", "des-ede3-cbc"}, - #endif /* !NO_DES3 */ - - /* oidOcspType */ - #ifdef HAVE_OCSP - { NID_id_pkix_OCSP_basic, OCSP_BASIC_OID, oidOcspType, "basicOCSPResponse", - "Basic OCSP Response"}, - { OCSP_NONCE_OID, OCSP_NONCE_OID, oidOcspType, "Nonce", - "OCSP Nonce"}, - #endif /* HAVE_OCSP */ - - #ifndef NO_PWDBASED - /* oidKdfType */ - { PBKDF2_OID, PBKDF2_OID, oidKdfType, "PBKDFv2", "PBKDF2"}, - - /* oidPBEType */ - { PBE_SHA1_RC4_128, PBE_SHA1_RC4_128, oidPBEType, - "PBE-SHA1-RC4-128", "pbeWithSHA1And128BitRC4"}, - { PBE_SHA1_DES, PBE_SHA1_DES, oidPBEType, "PBE-SHA1-DES", - "pbeWithSHA1AndDES-CBC"}, - { PBE_SHA1_DES3, PBE_SHA1_DES3, oidPBEType, "PBE-SHA1-3DES", - "pbeWithSHA1And3-KeyTripleDES-CBC"}, - #endif - - /* oidKeyWrapType */ - #ifdef WOLFSSL_AES_128 - { AES128_WRAP, AES128_WRAP, oidKeyWrapType, "AES-128 wrap", "aes128-wrap"}, - #endif - #ifdef WOLFSSL_AES_192 - { AES192_WRAP, AES192_WRAP, oidKeyWrapType, "AES-192 wrap", "aes192-wrap"}, - #endif - #ifdef WOLFSSL_AES_256 - { AES256_WRAP, AES256_WRAP, oidKeyWrapType, "AES-256 wrap", "aes256-wrap"}, - #endif - - #ifndef NO_PKCS7 - #ifndef NO_DH - /* oidCmsKeyAgreeType */ - #ifndef NO_SHA - { dhSinglePass_stdDH_sha1kdf_scheme, dhSinglePass_stdDH_sha1kdf_scheme, - oidCmsKeyAgreeType, "dhSinglePass-stdDH-sha1kdf-scheme", "dhSinglePass-stdDH-sha1kdf-scheme"}, - #endif - #ifdef WOLFSSL_SHA224 - { dhSinglePass_stdDH_sha224kdf_scheme, - dhSinglePass_stdDH_sha224kdf_scheme, oidCmsKeyAgreeType, - "dhSinglePass-stdDH-sha224kdf-scheme", "dhSinglePass-stdDH-sha224kdf-scheme"}, - #endif - #ifndef NO_SHA256 - { dhSinglePass_stdDH_sha256kdf_scheme, - dhSinglePass_stdDH_sha256kdf_scheme, oidCmsKeyAgreeType, - "dhSinglePass-stdDH-sha256kdf-scheme", "dhSinglePass-stdDH-sha256kdf-scheme"}, - #endif - #ifdef WOLFSSL_SHA384 - { dhSinglePass_stdDH_sha384kdf_scheme, - dhSinglePass_stdDH_sha384kdf_scheme, oidCmsKeyAgreeType, - "dhSinglePass-stdDH-sha384kdf-scheme", "dhSinglePass-stdDH-sha384kdf-scheme"}, - #endif - #ifdef WOLFSSL_SHA512 - { dhSinglePass_stdDH_sha512kdf_scheme, - dhSinglePass_stdDH_sha512kdf_scheme, oidCmsKeyAgreeType, - "dhSinglePass-stdDH-sha512kdf-scheme", "dhSinglePass-stdDH-sha512kdf-scheme"}, - #endif - #endif - #endif - #if defined(WOLFSSL_APACHE_HTTPD) - /* "1.3.6.1.5.5.7.8.7" */ - { NID_id_on_dnsSRV, NID_id_on_dnsSRV, oidCertNameType, - WOLFSSL_SN_DNS_SRV, WOLFSSL_LN_DNS_SRV }, - - /* "1.3.6.1.4.1.311.20.2.3" */ - { NID_ms_upn, WOLFSSL_MS_UPN_SUM, oidCertExtType, WOLFSSL_SN_MS_UPN, - WOLFSSL_LN_MS_UPN }, - - /* "1.3.6.1.5.5.7.1.24" */ - { NID_tlsfeature, WOLFSSL_TLS_FEATURE_SUM, oidTlsExtType, - WOLFSSL_SN_TLS_FEATURE, WOLFSSL_LN_TLS_FEATURE }, - #endif -#endif /* OPENSSL_EXTRA */ -}; - -#define WOLFSSL_OBJECT_INFO_SZ \ - (sizeof(wolfssl_object_info) / sizeof(*wolfssl_object_info)) -const size_t wolfssl_object_info_sz = WOLFSSL_OBJECT_INFO_SZ; -#endif -#if defined(OPENSSL_EXTRA) || \ - (defined(OPENSSL_EXTRA_X509_SMALL) && !defined(NO_RSA)) -static WC_RNG globalRNG; -static int initGlobalRNG = 0; -#endif -#if defined(OPENSSL_EXTRA) && \ - !defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) -WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, int *initTmpRng) -{ - WC_RNG* rng = NULL; - - if (!rsa || !initTmpRng) { - return NULL; - } - *initTmpRng = 0; - -#if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && \ - !defined(HAVE_FAST_RSA) && defined(WC_RSA_BLINDING) - rng = ((RsaKey*)rsa->internal)->rng; -#endif - if (rng == NULL && tmpRNG) { - if (!*tmpRNG) { -#ifdef WOLFSSL_SMALL_STACK - *tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (*tmpRNG == NULL) - return NULL; -#else - WOLFSSL_MSG("*tmpRNG is null"); - return NULL; -#endif - } - - if (wc_InitRng(*tmpRNG) == 0) { - rng = *tmpRNG; - *initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; -#ifdef WOLFSSL_SMALL_STACK - if (*tmpRNG) - XFREE(*tmpRNG, NULL, DYNAMIC_TYPE_TMP_BUFFER); - *tmpRNG = NULL; -#endif - } - } - return rng; -} -#endif -#ifndef WOLFCRYPT_ONLY - -#ifdef OPENSSL_EXTRA - -/* Not thread safe! Can be called multiple times. - * Checks if the global RNG has been created. If not then one is created. - * - * Returns SSL_SUCCESS when no error is encountered. - */ -static int wolfSSL_RAND_Init(void) -{ - if (initGlobalRNG == 0) { - if (wc_InitRng(&globalRNG) < 0) { - WOLFSSL_MSG("wolfSSL Init Global RNG failed"); - return 0; - } - initGlobalRNG = 1; - } - - return SSL_SUCCESS; -} - - -/* SSL_SUCCESS on ok */ -int wolfSSL_RAND_seed(const void* seed, int len) -{ - - WOLFSSL_MSG("wolfSSL_RAND_seed"); - - (void)seed; - (void)len; - - return wolfSSL_RAND_Init(); -} - - -/* Returns the path for reading seed data from. - * Uses the env variable $RANDFILE first if set, if not then used $HOME/.rnd - * - * Note uses stdlib by default unless XGETENV macro is overwritten - * - * fname buffer to hold path - * len length of fname buffer - * - * Returns a pointer to fname on success and NULL on failure - */ -const char* wolfSSL_RAND_file_name(char* fname, unsigned long len) -{ -#ifndef NO_FILESYSTEM - char* rt; - char ap[] = "/.rnd"; - - WOLFSSL_ENTER("wolfSSL_RAND_file_name"); - - if (fname == NULL) { - return NULL; - } - - XMEMSET(fname, 0, len); - /* if access to stdlib.h */ - if ((rt = XGETENV("RANDFILE")) != NULL) { - if (len > XSTRLEN(rt)) { - XMEMCPY(fname, rt, XSTRLEN(rt)); - } - else { - WOLFSSL_MSG("RANDFILE too large for buffer"); - rt = NULL; - } - } - - /* $RANDFILE was not set or is too large, check $HOME */ - if (rt == NULL) { - WOLFSSL_MSG("Environment variable RANDFILE not set"); - if ((rt = XGETENV("HOME")) == NULL) { - WOLFSSL_MSG("Environment variable HOME not set"); - return NULL; - } - - if (len > XSTRLEN(rt) + XSTRLEN(ap)) { - fname[0] = '\0'; - XSTRNCAT(fname, rt, len); - XSTRNCAT(fname, ap, len - XSTRLEN(rt)); - return fname; - } - else { - WOLFSSL_MSG("HOME too large for buffer"); - return NULL; - } - } - - return fname; -#else - /* no filesystem defined */ - WOLFSSL_ENTER("wolfSSL_RAND_file_name"); - WOLFSSL_MSG("No filesystem feature enabled, not compiled in"); - (void)fname; - (void)len; - return NULL; -#endif -} - - -/* Writes 1024 bytes from the RNG to the given file name. - * - * fname name of file to write to - * - * Returns the number of bytes written - */ -int wolfSSL_RAND_write_file(const char* fname) -{ - int bytes = 0; - - WOLFSSL_ENTER("RAND_write_file"); - - if (fname == NULL) { - return SSL_FAILURE; - } - -#ifndef NO_FILESYSTEM - { - #ifndef WOLFSSL_SMALL_STACK - unsigned char buf[1024]; - #else - unsigned char* buf = (unsigned char *)XMALLOC(1024, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (buf == NULL) { - WOLFSSL_MSG("malloc failed"); - return SSL_FAILURE; - } - #endif - bytes = 1024; /* default size of buf */ - - if (initGlobalRNG == 0 && wolfSSL_RAND_Init() != SSL_SUCCESS) { - WOLFSSL_MSG("No RNG to use"); - #ifdef WOLFSSL_SMALL_STACK - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return 0; - } - - if (wc_RNG_GenerateBlock(&globalRNG, buf, bytes) != 0) { - WOLFSSL_MSG("Error generating random buffer"); - bytes = 0; - } - else { - XFILE f; - - f = XFOPEN(fname, "wb"); - if (f == XBADFILE) { - WOLFSSL_MSG("Error opening the file"); - bytes = 0; - } - else { - XFWRITE(buf, 1, bytes, f); - XFCLOSE(f); - } - } - ForceZero(buf, bytes); - #ifdef WOLFSSL_SMALL_STACK - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } -#endif - - return bytes; -} - -#ifndef FREERTOS_TCP - -/* These constant values are protocol values made by egd */ -#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) - #define WOLFSSL_EGD_NBLOCK 0x01 - #include <sys/un.h> -#endif - -/* This collects entropy from the path nm and seeds the global PRNG with it. - * Makes a call to wolfSSL_RAND_Init which is not thread safe. - * - * nm is the file path to the egd server - * - * Returns the number of bytes read. - */ -int wolfSSL_RAND_egd(const char* nm) -{ -#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(HAVE_FIPS) && \ - defined(HAVE_HASHDRBG) - struct sockaddr_un rem; - int fd; - int ret = WOLFSSL_SUCCESS; - word32 bytes = 0; - word32 idx = 0; -#ifndef WOLFSSL_SMALL_STACK - unsigned char buf[256]; -#else - unsigned char* buf; - buf = (unsigned char*)XMALLOC(256, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (buf == NULL) { - WOLFSSL_MSG("Not enough memory"); - return WOLFSSL_FATAL_ERROR; - } -#endif - - if (nm == NULL) { - #ifdef WOLFSSL_SMALL_STACK - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return WOLFSSL_FATAL_ERROR; - } - - fd = socket(AF_UNIX, SOCK_STREAM, 0); - if (fd < 0) { - WOLFSSL_MSG("Error creating socket"); - #ifdef WOLFSSL_SMALL_STACK - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - return WOLFSSL_FATAL_ERROR; - } - if (ret == WOLFSSL_SUCCESS) { - rem.sun_family = AF_UNIX; - XSTRNCPY(rem.sun_path, nm, sizeof(rem.sun_path) - 1); - rem.sun_path[sizeof(rem.sun_path)-1] = '\0'; - } - - /* connect to egd server */ - if (ret == WOLFSSL_SUCCESS) { - if (connect(fd, (struct sockaddr*)&rem, sizeof(struct sockaddr_un)) - == -1) { - WOLFSSL_MSG("error connecting to egd server"); - ret = WOLFSSL_FATAL_ERROR; - } - } - - while (ret == WOLFSSL_SUCCESS && bytes < 255 && idx + 2 < 256) { - if (ret == WOLFSSL_SUCCESS) { - buf[idx] = WOLFSSL_EGD_NBLOCK; - buf[idx + 1] = 255 - bytes; /* request 255 bytes from server */ - ret = (int)write(fd, buf + idx, 2); - if (ret <= 0 || ret != 2) { - if (errno == EAGAIN) { - ret = WOLFSSL_SUCCESS; - continue; - } - WOLFSSL_MSG("error requesting entropy from egd server"); - ret = WOLFSSL_FATAL_ERROR; - break; - } - } - - /* attempting to read */ - buf[idx] = 0; - ret = (int)read(fd, buf + idx, 256 - bytes); - if (ret == 0) { - WOLFSSL_MSG("error reading entropy from egd server"); - ret = WOLFSSL_FATAL_ERROR; - break; - } - if (ret > 0 && buf[idx] > 0) { - bytes += buf[idx]; /* egd stores amount sent in first byte */ - if (bytes + idx > 255 || buf[idx] > ret) { - WOLFSSL_MSG("Buffer error"); - ret = WOLFSSL_FATAL_ERROR; - break; - } - XMEMMOVE(buf + idx, buf + idx + 1, buf[idx]); - idx = bytes; - ret = WOLFSSL_SUCCESS; - if (bytes >= 255) { - break; - } - } - else { - if (errno == EAGAIN || errno == EINTR) { - WOLFSSL_MSG("EGD would read"); - ret = WOLFSSL_SUCCESS; /* try again */ - } - else if (buf[idx] == 0) { - /* if egd returned 0 then there is no more entropy to be had. - Do not try more reads. */ - ret = WOLFSSL_SUCCESS; - break; - } - else { - WOLFSSL_MSG("Error with read"); - ret = WOLFSSL_FATAL_ERROR; - } - } - } - - if (bytes > 0 && ret == WOLFSSL_SUCCESS) { - wolfSSL_RAND_Init(); /* call to check global RNG is created */ - if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes) - != 0) { - WOLFSSL_MSG("Error with reseeding DRBG structure"); - ret = WOLFSSL_FATAL_ERROR; - } - #ifdef SHOW_SECRETS - { /* print out entropy found */ - word32 i; - printf("EGD Entropy = "); - for (i = 0; i < bytes; i++) { - printf("%02X", buf[i]); - } - printf("\n"); - } - #endif - } - - ForceZero(buf, bytes); - #ifdef WOLFSSL_SMALL_STACK - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - close(fd); - - if (ret == WOLFSSL_SUCCESS) { - return bytes; - } - else { - return ret; - } -#else - WOLFSSL_MSG("Type of socket needed is not available"); - WOLFSSL_MSG("\tor using mode where DRBG API is not available"); - (void)nm; - - return WOLFSSL_FATAL_ERROR; -#endif /* USE_WOLFSSL_IO && !USE_WINDOWS_API && !HAVE_FIPS && HAVE_HASHDRBG */ -} - -#endif /* !FREERTOS_TCP */ - -void wolfSSL_RAND_Cleanup(void) -{ - WOLFSSL_ENTER("wolfSSL_RAND_Cleanup()"); - - if (initGlobalRNG != 0) { - wc_FreeRng(&globalRNG); - initGlobalRNG = 0; - } -} - - -int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num) -{ - return wolfSSL_RAND_bytes(buf, num); -} - - -/* SSL_SUCCESS on ok */ -int wolfSSL_RAND_bytes(unsigned char* buf, int num) -{ - int ret = 0; - int initTmpRng = 0; - WC_RNG* rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG; -#else - WC_RNG tmpRNG[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_RAND_bytes"); - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return ret; -#endif - - if (initGlobalRNG) - rng = &globalRNG; - else if(wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - if (rng) { - if (wc_RNG_GenerateBlock(rng, buf, num) != 0) - WOLFSSL_MSG("Bad wc_RNG_GenerateBlock"); - else - ret = WOLFSSL_SUCCESS; - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - return ret; -} - - -int wolfSSL_RAND_poll(void) -{ - byte entropy[16]; - int ret = 0; - word32 entropy_sz = 16; - - WOLFSSL_ENTER("wolfSSL_RAND_poll"); - if (initGlobalRNG == 0){ - WOLFSSL_MSG("Global RNG no Init"); - return WOLFSSL_FAILURE; - } - ret = wc_GenerateSeed(&globalRNG.seed, entropy, entropy_sz); - if (ret != 0){ - WOLFSSL_MSG("Bad wc_RNG_GenerateBlock"); - ret = WOLFSSL_FAILURE; - }else - ret = WOLFSSL_SUCCESS; - - return ret; -} -#endif /* OPENSSL_EXTRA */ - - - -#ifdef OPENSSL_EXTRA - -WOLFSSL_ASN1_INTEGER* wolfSSL_BN_to_ASN1_INTEGER(const WOLFSSL_BIGNUM *bn, WOLFSSL_ASN1_INTEGER *ai) -{ - WOLFSSL_ASN1_INTEGER* a; - int len; - WOLFSSL_ENTER("wolfSSL_BN_to_ASN1_INTEGER"); - - if (ai == NULL) { - a = wolfSSL_ASN1_INTEGER_new(); - - if (a == NULL) - return NULL; - - a->type = V_ASN1_INTEGER; - } - else { - a = ai; - } - if (a) { - if (wolfSSL_BN_is_negative(bn) && !wolfSSL_BN_is_zero(bn)) { - a->type |= V_ASN1_NEG_INTEGER; - a->negative = 1; - } - - len = wolfSSL_BN_num_bytes(bn); - if (len == 0) - len = 1; - - /* allocate buffer */ - if (len > (int)sizeof(a->intData)) { - /* create new data buffer and copy over */ - a->data = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_OPENSSL); - if (a->data == NULL) { - if (a != ai) - wolfSSL_ASN1_INTEGER_free(a); - return NULL; - } - a->isDynamic = 1; - } - else { - XMEMSET(a->intData, 0, sizeof(a->intData)); - a->data = a->intData; - } - a->length = len; - - /* populate data */ - if (wolfSSL_BN_is_zero(bn)) { - a->data[0] = 0; - } - else { - len = wolfSSL_BN_bn2bin(bn, a->data); - } - a->length = len; - } - - return a; -} - -#ifdef OPENSSL_ALL -void *wolfSSL_ASN1_item_new(const WOLFSSL_ASN1_ITEM *template) -{ - void *ret = NULL; - const WOLFSSL_ASN1_TEMPLATE *member = NULL; - size_t i; - WOLFSSL_ENTER("wolfSSL_ASN1_item_new"); - if (!template) { - return NULL; - } - if (!(ret = XMALLOC(template->size, NULL, DYNAMIC_TYPE_OPENSSL))) { - return NULL; - } - XMEMSET(ret, 0, template->size); - for (member = template->members, i = 0; i < template->mcount; - member++, i++) { - switch (member->type) { - case WOLFSSL_X509_ALGOR_ASN1: - { - WOLFSSL_X509_ALGOR* algor = wolfSSL_X509_ALGOR_new(); - if (!algor) { - goto error; - } - *(WOLFSSL_X509_ALGOR**)(((byte*)ret) + member->offset) = algor; - break; - } - case WOLFSSL_ASN1_BIT_STRING_ASN1: - { - WOLFSSL_ASN1_BIT_STRING* bit_str = wolfSSL_ASN1_BIT_STRING_new(); - if (!bit_str) { - goto error; - } - *(WOLFSSL_ASN1_BIT_STRING**)(((byte*)ret) + member->offset) = bit_str; - break; - } - default: - WOLFSSL_MSG("Type not supported in wolfSSL_ASN1_item_new"); - goto error; - } - } - return ret; -error: - wolfSSL_ASN1_item_free(ret, template); - return NULL; -} - -void wolfSSL_ASN1_item_free(void *val, const WOLFSSL_ASN1_ITEM *template) -{ - const WOLFSSL_ASN1_TEMPLATE *member = NULL; - size_t i; - WOLFSSL_ENTER("wolfSSL_ASN1_item_free"); - if (val) { - for (member = template->members, i = 0; i < template->mcount; - member++, i++) { - switch (member->type) { - case WOLFSSL_X509_ALGOR_ASN1: - { - WOLFSSL_X509_ALGOR* algor = *(WOLFSSL_X509_ALGOR**) - (((byte*)val) + member->offset); - if (algor) { - wolfSSL_X509_ALGOR_free(algor); - } - break; - } - case WOLFSSL_ASN1_BIT_STRING_ASN1: - { - WOLFSSL_ASN1_BIT_STRING* bit_str = *(WOLFSSL_ASN1_BIT_STRING**) - (((byte*)val) + member->offset); - if (bit_str) { - wolfSSL_ASN1_BIT_STRING_free(bit_str); - } - break; - } - default: - WOLFSSL_MSG("Type not supported in wolfSSL_ASN1_item_free"); - } - } - XFREE(val, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - -#define bufLenOrNull(buf, len) (buf ? buf + len : NULL) - -static int i2dProcessMembers(const void *src, byte *buf, - const WOLFSSL_ASN1_TEMPLATE *members, size_t mcount) -{ - const WOLFSSL_ASN1_TEMPLATE *member = NULL; - int len = 0, ret; - size_t i; - WOLFSSL_ENTER("processMembers"); - for (member = members, i = 0; i < mcount; member++, i++) { - switch (member->type) { - case WOLFSSL_X509_ALGOR_ASN1: - { - word32 oid = 0; - word32 idx = 0; - const WOLFSSL_X509_ALGOR* algor = *(const WOLFSSL_X509_ALGOR**) - (((byte*)src) + member->offset); - if (!algor->algorithm) { - WOLFSSL_LEAVE("processMembers", WOLFSSL_FAILURE); - return WOLFSSL_FAILURE; - } - - if (GetObjectId(algor->algorithm->obj, &idx, &oid, - algor->algorithm->grp, algor->algorithm->objSz) < 0) { - WOLFSSL_MSG("Issue getting OID of object"); - return -1; - } - - ret = SetAlgoID(oid, bufLenOrNull(buf, len), - algor->algorithm->grp, 0); - if (!ret) { - return WOLFSSL_FAILURE; - } - len += ret; - break; - } - case WOLFSSL_ASN1_BIT_STRING_ASN1: - { - const WOLFSSL_ASN1_BIT_STRING* bit_str; - bit_str = *(const WOLFSSL_ASN1_BIT_STRING**) - (((byte*)src) + member->offset); - len += SetBitString(bit_str->length, 0, bufLenOrNull(buf, len)); - if (buf && bit_str->data) { - XMEMCPY(buf + len, bit_str->data, bit_str->length); - } - len += bit_str->length; - break; - } - default: - WOLFSSL_MSG("Type not support in processMembers"); - WOLFSSL_LEAVE("processMembers", WOLFSSL_FAILURE); - return WOLFSSL_FAILURE; - } - } - WOLFSSL_LEAVE("processMembers", len); - return len; -} - -int wolfSSL_ASN1_item_i2d(const void *src, byte **dest, - const WOLFSSL_ASN1_ITEM *template) -{ - int len = 0; - byte *buf = NULL; - - WOLFSSL_ENTER("wolfSSL_ASN1_item_i2d"); - - if (!src || !template) { - WOLFSSL_LEAVE("wolfSSL_ASN1_item_i2d", WOLFSSL_FAILURE); - return WOLFSSL_FAILURE; - } - - if (dest && !*dest) { - len = wolfSSL_ASN1_item_i2d(src, NULL, template); - if (!len) { - goto error; - } - buf = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_ASN1); - if (!buf) { - goto error; - } - len = 0; - } - - switch (template->type) { - case ASN_SEQUENCE: - { - int seq_len = i2dProcessMembers(src, NULL, template->members, - template->mcount); - if (!seq_len) { - goto error; - } - len += SetSequence(seq_len, bufLenOrNull(buf, len)); - if (buf && - i2dProcessMembers(src, bufLenOrNull(buf, len), template->members, - template->mcount) != seq_len) { - WOLFSSL_MSG("Inconsistent sequence length"); - goto error; - } - len += seq_len; - break; - } - default: - WOLFSSL_MSG("Type not supported in wolfSSL_ASN1_item_i2d"); - goto error; - } - - if (dest && !*dest) { - *dest = buf; - } - else if (dest && *dest && buf) { - /* *dest length is not checked because the user is responsible - * for providing a long enough buffer */ - XMEMCPY(*dest, buf, len); - } - - WOLFSSL_LEAVE("wolfSSL_ASN1_item_i2d", len); - return len; -error: - if (buf) { - XFREE(buf, NULL, DYNAMIC_TYPE_ASN1); - } - WOLFSSL_LEAVE("wolfSSL_ASN1_item_i2d", WOLFSSL_FAILURE); - return WOLFSSL_FAILURE; -} -#endif /* OPENSSL_ALL */ - -#ifndef NO_DH - -static void InitwolfSSL_DH(WOLFSSL_DH* dh) -{ - if (dh) { - XMEMSET(dh, 0, sizeof(WOLFSSL_DH)); - } -} - - -WOLFSSL_DH* wolfSSL_DH_new(void) -{ - WOLFSSL_DH* external; - DhKey* key; - - WOLFSSL_MSG("wolfSSL_DH_new"); - - key = (DhKey*) XMALLOC(sizeof(DhKey), NULL, DYNAMIC_TYPE_DH); - if (key == NULL) { - WOLFSSL_MSG("wolfSSL_DH_new malloc DhKey failure"); - return NULL; - } - - external = (WOLFSSL_DH*) XMALLOC(sizeof(WOLFSSL_DH), NULL, - DYNAMIC_TYPE_DH); - if (external == NULL) { - WOLFSSL_MSG("wolfSSL_DH_new malloc WOLFSSL_DH failure"); - XFREE(key, NULL, DYNAMIC_TYPE_DH); - return NULL; - } - - InitwolfSSL_DH(external); - if (wc_InitDhKey(key) != 0) { - WOLFSSL_MSG("wolfSSL_DH_new InitDhKey failure"); - XFREE(key, NULL, DYNAMIC_TYPE_DH); - XFREE(external, NULL, DYNAMIC_TYPE_DH); - return NULL; - } - external->internal = key; - - return external; -} - - -void wolfSSL_DH_free(WOLFSSL_DH* dh) -{ - WOLFSSL_MSG("wolfSSL_DH_free"); - - if (dh) { - if (dh->internal) { - wc_FreeDhKey((DhKey*)dh->internal); - XFREE(dh->internal, NULL, DYNAMIC_TYPE_DH); - dh->internal = NULL; - } - wolfSSL_BN_free(dh->priv_key); - wolfSSL_BN_free(dh->pub_key); - wolfSSL_BN_free(dh->g); - wolfSSL_BN_free(dh->p); - wolfSSL_BN_free(dh->q); - InitwolfSSL_DH(dh); /* set back to NULLs for safety */ - - XFREE(dh, NULL, DYNAMIC_TYPE_DH); - } -} - -int SetDhInternal(WOLFSSL_DH* dh) -{ - int ret = WOLFSSL_FATAL_ERROR; - int pSz = 1024; - int gSz = 1024; -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - int privSz = 256; /* Up to 2048-bit */ - int pubSz = 256; -#endif -#ifdef WOLFSSL_SMALL_STACK - unsigned char* p = NULL; - unsigned char* g = NULL; - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - unsigned char* priv_key = NULL; - unsigned char* pub_key = NULL; - #endif -#else - unsigned char p[1024]; - unsigned char g[1024]; - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - unsigned char priv_key[256]; - unsigned char pub_key[256]; - #endif -#endif - - WOLFSSL_ENTER("SetDhInternal"); - - if (dh == NULL || dh->p == NULL || dh->g == NULL) - WOLFSSL_MSG("Bad function arguments"); - else if (wolfSSL_BN_bn2bin(dh->p, NULL) > pSz) - WOLFSSL_MSG("Bad p internal size"); - else if (wolfSSL_BN_bn2bin(dh->g, NULL) > gSz) - WOLFSSL_MSG("Bad g internal size"); - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - else if (wolfSSL_BN_bn2bin(dh->priv_key, NULL) > privSz) - WOLFSSL_MSG("Bad private key internal size"); - else if (wolfSSL_BN_bn2bin(dh->pub_key, NULL) > privSz) - WOLFSSL_MSG("Bad public key internal size"); - #endif - else { - #ifdef WOLFSSL_SMALL_STACK - p = (unsigned char*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - g = (unsigned char*)XMALLOC(gSz, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - priv_key = (unsigned char*)XMALLOC(privSz,NULL,DYNAMIC_TYPE_PRIVATE_KEY); - pub_key = (unsigned char*)XMALLOC(pubSz,NULL,DYNAMIC_TYPE_PUBLIC_KEY); - #endif - - if (p == NULL || g == NULL) { - XFREE(p, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - XFREE(g, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - return ret; - } - #endif /* WOLFSSL_SMALL_STACK */ - - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - privSz = wolfSSL_BN_bn2bin(dh->priv_key, priv_key); - pubSz = wolfSSL_BN_bn2bin(dh->pub_key, pub_key); - if (privSz <= 0) { - WOLFSSL_MSG("No private key size."); - } - if (pubSz <= 0) { - WOLFSSL_MSG("No public key size."); - } - if (privSz > 0 || pubSz > 0) { - ret = wc_DhSetFullKeys((DhKey*)dh->internal,priv_key,privSz, - pub_key,pubSz); - if (ret == WOLFSSL_FAILURE) { - WOLFSSL_MSG("Failed setting private or public key."); - } - } - #endif /* WOLFSSL_QT || OPENSSL_ALL */ - - pSz = wolfSSL_BN_bn2bin(dh->p, p); - gSz = wolfSSL_BN_bn2bin(dh->g, g); - - if (pSz <= 0 || gSz <= 0) - WOLFSSL_MSG("Bad BN2bin set"); - else if (wc_DhSetKey((DhKey*)dh->internal, p, pSz, g, gSz) < 0) - WOLFSSL_MSG("Bad DH SetKey"); - else { - dh->inSet = 1; - ret = WOLFSSL_SUCCESS; - } - - #ifdef WOLFSSL_SMALL_STACK - XFREE(p, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - XFREE(g, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - XFREE(priv_key, NULL, DYNAMIC_TYPE_PRIVATE_KEY); - XFREE(pub_key, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - #endif - #endif - } - - - return ret; -} - -#if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH)) -/* Set the members of DhKey into WOLFSSL_DH - * DhKey was populated from wc_DhKeyDecode - */ -int SetDhExternal(WOLFSSL_DH *dh) -{ - DhKey *key; - WOLFSSL_MSG("Entering SetDhExternal"); - - if (dh == NULL || dh->internal == NULL) { - WOLFSSL_MSG("dh key NULL error"); - } - - key = (DhKey*)dh->internal; - - if (SetIndividualExternal(&dh->p, &key->p) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dh param p error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&dh->g, &key->g) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dh param g error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&dh->priv_key, &key->priv) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("No DH Private Key"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&dh->pub_key, &key->pub) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("No DH Public Key"); - return WOLFSSL_FATAL_ERROR; - } - - dh->exSet = 1; - - return WOLFSSL_SUCCESS; -} -#endif /* !NO_DH && (WOLFSSL_QT || OPENSSL_ALL) */ - -/* return code compliant with OpenSSL : - * DH prime size in bytes if success, 0 if error - */ -int wolfSSL_DH_size(WOLFSSL_DH* dh) -{ - WOLFSSL_MSG("wolfSSL_DH_size"); - - if (dh == NULL) - return WOLFSSL_FATAL_ERROR; - - return wolfSSL_BN_num_bytes(dh->p); -} - -/* This sets a big number with the 768-bit prime from RFC 2409. - * - * bn if not NULL then the big number structure is used. If NULL then a new - * big number structure is created. - * - * Returns a WOLFSSL_BIGNUM structure on success and NULL with failure. - */ -WOLFSSL_BIGNUM* wolfSSL_DH_768_prime(WOLFSSL_BIGNUM* bn) -{ - const char prm[] = { - "FFFFFFFFFFFFFFFFC90FDAA22168C234" - "C4C6628B80DC1CD129024E088A67CC74" - "020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F1437" - "4FE1356D6D51C245E485B576625E7EC6" - "F44C42E9A63A3620FFFFFFFFFFFFFFFF" - }; - - WOLFSSL_ENTER("wolfSSL_DH_768_prime"); - - if (wolfSSL_BN_hex2bn(&bn, prm) != SSL_SUCCESS) { - WOLFSSL_MSG("Error converting DH 768 prime to big number"); - return NULL; - } - - return bn; -} - -/* This sets a big number with the 1024-bit prime from RFC 2409. - * - * bn if not NULL then the big number structure is used. If NULL then a new - * big number structure is created. - * - * Returns a WOLFSSL_BIGNUM structure on success and NULL with failure. - */ -WOLFSSL_BIGNUM* wolfSSL_DH_1024_prime(WOLFSSL_BIGNUM* bn) -{ - const char prm[] = { - "FFFFFFFFFFFFFFFFC90FDAA22168C234" - "C4C6628B80DC1CD129024E088A67CC74" - "020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F1437" - "4FE1356D6D51C245E485B576625E7EC6" - "F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE6" - "49286651ECE65381FFFFFFFFFFFFFFFF" - }; - - WOLFSSL_ENTER("wolfSSL_DH_1024_prime"); - - if (wolfSSL_BN_hex2bn(&bn, prm) != SSL_SUCCESS) { - WOLFSSL_MSG("Error converting DH 1024 prime to big number"); - return NULL; - } - - return bn; -} - -/* This sets a big number with the 1536-bit prime from RFC 3526. - * - * bn if not NULL then the big number structure is used. If NULL then a new - * big number structure is created. - * - * Returns a WOLFSSL_BIGNUM structure on success and NULL with failure. - */ -WOLFSSL_BIGNUM* wolfSSL_DH_1536_prime(WOLFSSL_BIGNUM* bn) -{ - const char prm[] = { - "FFFFFFFFFFFFFFFFC90FDAA22168C234" - "C4C6628B80DC1CD129024E088A67CC74" - "020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F1437" - "4FE1356D6D51C245E485B576625E7EC6" - "F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE6" - "49286651ECE45B3DC2007CB8A163BF05" - "98DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB" - "9ED529077096966D670C354E4ABC9804" - "F1746C08CA237327FFFFFFFFFFFFFFFF" - }; - - WOLFSSL_ENTER("wolfSSL_DH_1536_prime"); - - if (wolfSSL_BN_hex2bn(&bn, prm) != SSL_SUCCESS) { - WOLFSSL_MSG("Error converting DH 1536 prime to big number"); - return NULL; - } - - return bn; -} - -/* This sets a big number with the 2048-bit prime from RFC 3526. - * - * bn if not NULL then the big number structure is used. If NULL then a new - * big number structure is created. - * - * Returns a WOLFSSL_BIGNUM structure on success and NULL with failure. - */ -WOLFSSL_BIGNUM* wolfSSL_DH_2048_prime(WOLFSSL_BIGNUM* bn) -{ - const char prm[] = { - "FFFFFFFFFFFFFFFFC90FDAA22168C234" - "C4C6628B80DC1CD129024E088A67CC74" - "020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F1437" - "4FE1356D6D51C245E485B576625E7EC6" - "F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE6" - "49286651ECE45B3DC2007CB8A163BF05" - "98DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB" - "9ED529077096966D670C354E4ABC9804" - "F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28F" - "B5C55DF06F4C52C9DE2BCBF695581718" - "3995497CEA956AE515D2261898FA0510" - "15728E5A8AACAA68FFFFFFFFFFFFFFFF" - }; - - WOLFSSL_ENTER("wolfSSL_DH_2048_prime"); - - if (wolfSSL_BN_hex2bn(&bn, prm) != SSL_SUCCESS) { - WOLFSSL_MSG("Error converting DH 2048 prime to big number"); - return NULL; - } - - return bn; -} - -/* This sets a big number with the 3072-bit prime from RFC 3526. - * - * bn if not NULL then the big number structure is used. If NULL then a new - * big number structure is created. - * - * Returns a WOLFSSL_BIGNUM structure on success and NULL with failure. - */ -WOLFSSL_BIGNUM* wolfSSL_DH_3072_prime(WOLFSSL_BIGNUM* bn) -{ - const char prm[] = { - "FFFFFFFFFFFFFFFFC90FDAA22168C234" - "C4C6628B80DC1CD129024E088A67CC74" - "020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F1437" - "4FE1356D6D51C245E485B576625E7EC6" - "F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE6" - "49286651ECE45B3DC2007CB8A163BF05" - "98DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB" - "9ED529077096966D670C354E4ABC9804" - "F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28F" - "B5C55DF06F4C52C9DE2BCBF695581718" - "3995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33" - "A85521ABDF1CBA64ECFB850458DBEF0A" - "8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619D" - "CEE3D2261AD2EE6BF12FFA06D98A0864" - "D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E2" - "08E24FA074E5AB3143DB5BFCE0FD108E" - "4B82D120A93AD2CAFFFFFFFFFFFFFFFF" - }; - - WOLFSSL_ENTER("wolfSSL_DH_3072_prime"); - - if (wolfSSL_BN_hex2bn(&bn, prm) != SSL_SUCCESS) { - WOLFSSL_MSG("Error converting DH 3072 prime to big number"); - return NULL; - } - - return bn; -} - -/* This sets a big number with the 4096-bit prime from RFC 3526. - * - * bn if not NULL then the big number structure is used. If NULL then a new - * big number structure is created. - * - * Returns a WOLFSSL_BIGNUM structure on success and NULL with failure. - */ -WOLFSSL_BIGNUM* wolfSSL_DH_4096_prime(WOLFSSL_BIGNUM* bn) -{ - const char prm[] = { - "FFFFFFFFFFFFFFFFC90FDAA22168C234" - "C4C6628B80DC1CD129024E088A67CC74" - "020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F1437" - "4FE1356D6D51C245E485B576625E7EC6" - "F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE6" - "49286651ECE45B3DC2007CB8A163BF05" - "98DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB" - "9ED529077096966D670C354E4ABC9804" - "F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28F" - "B5C55DF06F4C52C9DE2BCBF695581718" - "3995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33" - "A85521ABDF1CBA64ECFB850458DBEF0A" - "8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619D" - "CEE3D2261AD2EE6BF12FFA06D98A0864" - "D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E2" - "08E24FA074E5AB3143DB5BFCE0FD108E" - "4B82D120A92108011A723C12A787E6D7" - "88719A10BDBA5B2699C327186AF4E23C" - "1A946834B6150BDA2583E9CA2AD44CE8" - "DBBBC2DB04DE8EF92E8EFC141FBECAA6" - "287C59474E6BC05D99B2964FA090C3A2" - "233BA186515BE7ED1F612970CEE2D7AF" - "B81BDD762170481CD0069127D5B05AA9" - "93B4EA988D8FDDC186FFB7DC90A6C08F" - "4DF435C934063199FFFFFFFFFFFFFFFF" - }; - - WOLFSSL_ENTER("wolfSSL_DH_4096_prime"); - - if (wolfSSL_BN_hex2bn(&bn, prm) != SSL_SUCCESS) { - WOLFSSL_MSG("Error converting DH 4096 prime to big number"); - return NULL; - } - - return bn; -} - -/* This sets a big number with the 6144-bit prime from RFC 3526. - * - * bn if not NULL then the big number structure is used. If NULL then a new - * big number structure is created. - * - * Returns a WOLFSSL_BIGNUM structure on success and NULL with failure. - */ -WOLFSSL_BIGNUM* wolfSSL_DH_6144_prime(WOLFSSL_BIGNUM* bn) -{ - const char prm[] = { - "FFFFFFFFFFFFFFFFC90FDAA22168C234" - "C4C6628B80DC1CD129024E088A67CC74" - "020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F1437" - "4FE1356D6D51C245E485B576625E7EC6" - "F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE6" - "49286651ECE45B3DC2007CB8A163BF05" - "98DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB" - "9ED529077096966D670C354E4ABC9804" - "F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28F" - "B5C55DF06F4C52C9DE2BCBF695581718" - "3995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33" - "A85521ABDF1CBA64ECFB850458DBEF0A" - "8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619D" - "CEE3D2261AD2EE6BF12FFA06D98A0864" - "D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E2" - "08E24FA074E5AB3143DB5BFCE0FD108E" - "4B82D120A92108011A723C12A787E6D7" - "88719A10BDBA5B2699C327186AF4E23C" - "1A946834B6150BDA2583E9CA2AD44CE8" - "DBBBC2DB04DE8EF92E8EFC141FBECAA6" - "287C59474E6BC05D99B2964FA090C3A2" - "233BA186515BE7ED1F612970CEE2D7AF" - "B81BDD762170481CD0069127D5B05AA9" - "93B4EA988D8FDDC186FFB7DC90A6C08F" - "4DF435C93402849236C3FAB4D27C7026" - "C1D4DCB2602646DEC9751E763DBA37BD" - "F8FF9406AD9E530EE5DB382F413001AE" - "B06A53ED9027D831179727B0865A8918" - "DA3EDBEBCF9B14ED44CE6CBACED4BB1B" - "DB7F1447E6CC254B332051512BD7AF42" - "6FB8F401378CD2BF5983CA01C64B92EC" - "F032EA15D1721D03F482D7CE6E74FEF6" - "D55E702F46980C82B5A84031900B1C9E" - "59E7C97FBEC7E8F323A97A7E36CC88BE" - "0F1D45B7FF585AC54BD407B22B4154AA" - "CC8F6D7EBF48E1D814CC5ED20F8037E0" - "A79715EEF29BE32806A1D58BB7C5DA76" - "F550AA3D8A1FBFF0EB19CCB1A313D55C" - "DA56C9EC2EF29632387FE8D76E3C0468" - "043E8F663F4860EE12BF2D5B0B7474D6" - "E694F91E6DCC4024FFFFFFFFFFFFFFFF" - }; - - WOLFSSL_ENTER("wolfSSL_DH_6144_prime"); - - if (wolfSSL_BN_hex2bn(&bn, prm) != SSL_SUCCESS) { - WOLFSSL_MSG("Error converting DH 6144 prime to big number"); - return NULL; - } - - return bn; -} - - -/* This sets a big number with the 8192-bit prime from RFC 3526. - * - * bn if not NULL then the big number structure is used. If NULL then a new - * big number structure is created. - * - * Returns a WOLFSSL_BIGNUM structure on success and NULL with failure. - */ -WOLFSSL_BIGNUM* wolfSSL_DH_8192_prime(WOLFSSL_BIGNUM* bn) -{ - const char prm[] = { - "FFFFFFFFFFFFFFFFC90FDAA22168C234" - "C4C6628B80DC1CD129024E088A67CC74" - "020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F1437" - "4FE1356D6D51C245E485B576625E7EC6" - "F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE6" - "49286651ECE45B3DC2007CB8A163BF05" - "98DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB" - "9ED529077096966D670C354E4ABC9804" - "F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28F" - "B5C55DF06F4C52C9DE2BCBF695581718" - "3995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33" - "A85521ABDF1CBA64ECFB850458DBEF0A" - "8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619D" - "CEE3D2261AD2EE6BF12FFA06D98A0864" - "D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E2" - "08E24FA074E5AB3143DB5BFCE0FD108E" - "4B82D120A92108011A723C12A787E6D7" - "88719A10BDBA5B2699C327186AF4E23C" - "1A946834B6150BDA2583E9CA2AD44CE8" - "DBBBC2DB04DE8EF92E8EFC141FBECAA6" - "287C59474E6BC05D99B2964FA090C3A2" - "233BA186515BE7ED1F612970CEE2D7AF" - "B81BDD762170481CD0069127D5B05AA9" - "93B4EA988D8FDDC186FFB7DC90A6C08F" - "4DF435C93402849236C3FAB4D27C7026" - "C1D4DCB2602646DEC9751E763DBA37BD" - "F8FF9406AD9E530EE5DB382F413001AE" - "B06A53ED9027D831179727B0865A8918" - "DA3EDBEBCF9B14ED44CE6CBACED4BB1B" - "DB7F1447E6CC254B332051512BD7AF42" - "6FB8F401378CD2BF5983CA01C64B92EC" - "F032EA15D1721D03F482D7CE6E74FEF6" - "D55E702F46980C82B5A84031900B1C9E" - "59E7C97FBEC7E8F323A97A7E36CC88BE" - "0F1D45B7FF585AC54BD407B22B4154AA" - "CC8F6D7EBF48E1D814CC5ED20F8037E0" - "A79715EEF29BE32806A1D58BB7C5DA76" - "F550AA3D8A1FBFF0EB19CCB1A313D55C" - "DA56C9EC2EF29632387FE8D76E3C0468" - "043E8F663F4860EE12BF2D5B0B7474D6" - "E694F91E6DBE115974A3926F12FEE5E4" - "38777CB6A932DF8CD8BEC4D073B931BA" - "3BC832B68D9DD300741FA7BF8AFC47ED" - "2576F6936BA424663AAB639C5AE4F568" - "3423B4742BF1C978238F16CBE39D652D" - "E3FDB8BEFC848AD922222E04A4037C07" - "13EB57A81A23F0C73473FC646CEA306B" - "4BCBC8862F8385DDFA9D4B7FA2C087E8" - "79683303ED5BDD3A062B3CF5B3A278A6" - "6D2A13F83F44F82DDF310EE074AB6A36" - "4597E899A0255DC164F31CC50846851D" - "F9AB48195DED7EA1B1D510BD7EE74D73" - "FAF36BC31ECFA268359046F4EB879F92" - "4009438B481C6CD7889A002ED5EE382B" - "C9190DA6FC026E479558E4475677E9AA" - "9E3050E2765694DFC81F56E880B96E71" - "60C980DD98EDD3DFFFFFFFFFFFFFFFFF" - }; - - WOLFSSL_ENTER("wolfSSL_DH_8192_prime"); - - if (wolfSSL_BN_hex2bn(&bn, prm) != SSL_SUCCESS) { - WOLFSSL_MSG("Error converting DH 8192 prime to big number"); - return NULL; - } - - return bn; -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_DH_generate_key(WOLFSSL_DH* dh) -{ - int ret = WOLFSSL_FAILURE; - word32 pubSz = 0; - word32 privSz = 0; - int initTmpRng = 0; - WC_RNG* rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG; -#else - WC_RNG tmpRNG[1]; -#endif - unsigned char* pub = NULL; - unsigned char* priv = NULL; - - WOLFSSL_MSG("wolfSSL_DH_generate_key"); - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) { - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); - return ret; - } -#endif - - if (dh == NULL || dh->p == NULL || dh->g == NULL) - WOLFSSL_MSG("Bad function arguments"); - else if (dh->inSet == 0 && SetDhInternal(dh) != WOLFSSL_SUCCESS) - WOLFSSL_MSG("Bad DH set internal"); - else if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng) { - pubSz = wolfSSL_BN_num_bytes(dh->p); - if (dh->length) { - privSz = dh->length/8; /* to bytes */ - } else { - privSz = pubSz; - } - pub = (unsigned char*)XMALLOC(pubSz, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - priv = (unsigned char*)XMALLOC(privSz, NULL, DYNAMIC_TYPE_PRIVATE_KEY); - if (pub == NULL || priv == NULL) { - WOLFSSL_MSG("Unable to malloc memory"); - } - else if (wc_DhGenerateKeyPair((DhKey*)dh->internal, rng, priv, &privSz, - pub, &pubSz) < 0) - WOLFSSL_MSG("Bad wc_DhGenerateKeyPair"); - else { - if (dh->pub_key) - wolfSSL_BN_free(dh->pub_key); - - dh->pub_key = wolfSSL_BN_new(); - if (dh->pub_key == NULL) { - WOLFSSL_MSG("Bad DH new pub"); - } - if (dh->priv_key) - wolfSSL_BN_free(dh->priv_key); - - dh->priv_key = wolfSSL_BN_new(); - - if (dh->priv_key == NULL) { - WOLFSSL_MSG("Bad DH new priv"); - } - - if (dh->pub_key && dh->priv_key) { - if (wolfSSL_BN_bin2bn(pub, pubSz, dh->pub_key) == NULL) - WOLFSSL_MSG("Bad DH bn2bin error pub"); - else if (wolfSSL_BN_bin2bn(priv, privSz, dh->priv_key) == NULL) - WOLFSSL_MSG("Bad DH bn2bin error priv"); - else - ret = WOLFSSL_SUCCESS; - } - } - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - XFREE(pub, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - XFREE(priv, NULL, DYNAMIC_TYPE_PRIVATE_KEY); - - return ret; -} - - -/* return code compliant with OpenSSL : - * size of shared secret if success, -1 if error - */ -int wolfSSL_DH_compute_key(unsigned char* key, WOLFSSL_BIGNUM* otherPub, - WOLFSSL_DH* dh) -{ - int ret = WOLFSSL_FATAL_ERROR; - word32 keySz = 0; - int pubSz = 1024; - int privSz = 1024; -#ifdef WOLFSSL_SMALL_STACK - unsigned char* pub; - unsigned char* priv = NULL; -#else - unsigned char pub [1024]; - unsigned char priv[1024]; -#endif - - WOLFSSL_MSG("wolfSSL_DH_compute_key"); - -#ifdef WOLFSSL_SMALL_STACK - pub = (unsigned char*)XMALLOC(pubSz, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - if (pub == NULL) - return ret; - - priv = (unsigned char*)XMALLOC(privSz, NULL, DYNAMIC_TYPE_PRIVATE_KEY); - if (priv == NULL) { - XFREE(pub, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - return ret; - } -#endif - - if (dh == NULL || dh->priv_key == NULL || otherPub == NULL) - WOLFSSL_MSG("Bad function arguments"); - else if ((keySz = (word32)DH_size(dh)) == 0) - WOLFSSL_MSG("Bad DH_size"); - else if (wolfSSL_BN_bn2bin(dh->priv_key, NULL) > (int)privSz) - WOLFSSL_MSG("Bad priv internal size"); - else if (wolfSSL_BN_bn2bin(otherPub, NULL) > (int)pubSz) - WOLFSSL_MSG("Bad otherPub size"); - else { - privSz = wolfSSL_BN_bn2bin(dh->priv_key, priv); - pubSz = wolfSSL_BN_bn2bin(otherPub, pub); - if (dh->inSet == 0 && SetDhInternal(dh) != SSL_SUCCESS){ - WOLFSSL_MSG("Bad DH set internal"); - } - if (privSz <= 0 || pubSz <= 0) - WOLFSSL_MSG("Bad BN2bin set"); - else if (wc_DhAgree((DhKey*)dh->internal, key, &keySz, - priv, privSz, pub, pubSz) < 0) - WOLFSSL_MSG("wc_DhAgree failed"); - else - ret = (int)keySz; - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(pub, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - XFREE(priv, NULL, DYNAMIC_TYPE_PRIVATE_KEY); -#endif - - return ret; -} - - -#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L -/* ownership of p,q,and g get taken over by "dh" on success and should be free'd - * with a call to wolfSSL_DH_free -- not individually. - * - * returns WOLFSSL_SUCCESS on success - */ -int wolfSSL_DH_set0_pqg(WOLFSSL_DH *dh, WOLFSSL_BIGNUM *p, - WOLFSSL_BIGNUM *q, WOLFSSL_BIGNUM *g) -{ - int ret; - WOLFSSL_ENTER("wolfSSL_DH_set0_pqg"); - - /* q can be NULL */ - if (dh == NULL || p == NULL || g == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FAILURE; - } - - /* free existing internal DH structure and recreate with new p / g */ - if (dh->inSet) { - ret = wc_FreeDhKey((DhKey*)dh->internal); - if (ret != 0) { - WOLFSSL_MSG("Unable to free internal DH key"); - return WOLFSSL_FAILURE; - } - } - - wolfSSL_BN_free(dh->p); - wolfSSL_BN_free(dh->q); - wolfSSL_BN_free(dh->g); - wolfSSL_BN_free(dh->pub_key); - wolfSSL_BN_free(dh->priv_key); - - dh->p = p; - dh->q = q; - dh->g = g; - - ret = SetDhInternal(dh); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Unable to set internal DH key"); - dh->p = NULL; - dh->q = NULL; - dh->g = NULL; - dh->inSet = 0; - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} -#endif /* v1.1.0 or later */ - -#endif /* NO_DH */ - - -#ifndef NO_DSA -static void InitwolfSSL_DSA(WOLFSSL_DSA* dsa) -{ - if (dsa) { - dsa->p = NULL; - dsa->q = NULL; - dsa->g = NULL; - dsa->pub_key = NULL; - dsa->priv_key = NULL; - dsa->internal = NULL; - dsa->inSet = 0; - dsa->exSet = 0; - } -} - - -WOLFSSL_DSA* wolfSSL_DSA_new(void) -{ - WOLFSSL_DSA* external; - DsaKey* key; - - WOLFSSL_MSG("wolfSSL_DSA_new"); - - key = (DsaKey*) XMALLOC(sizeof(DsaKey), NULL, DYNAMIC_TYPE_DSA); - if (key == NULL) { - WOLFSSL_MSG("wolfSSL_DSA_new malloc DsaKey failure"); - return NULL; - } - - external = (WOLFSSL_DSA*) XMALLOC(sizeof(WOLFSSL_DSA), NULL, - DYNAMIC_TYPE_DSA); - if (external == NULL) { - WOLFSSL_MSG("wolfSSL_DSA_new malloc WOLFSSL_DSA failure"); - XFREE(key, NULL, DYNAMIC_TYPE_DSA); - return NULL; - } - - InitwolfSSL_DSA(external); - if (wc_InitDsaKey(key) != 0) { - WOLFSSL_MSG("wolfSSL_DSA_new InitDsaKey failure"); - XFREE(key, NULL, DYNAMIC_TYPE_DSA); - wolfSSL_DSA_free(external); - return NULL; - } - external->internal = key; - - return external; -} - - -void wolfSSL_DSA_free(WOLFSSL_DSA* dsa) -{ - WOLFSSL_MSG("wolfSSL_DSA_free"); - - if (dsa) { - if (dsa->internal) { - FreeDsaKey((DsaKey*)dsa->internal); - XFREE(dsa->internal, NULL, DYNAMIC_TYPE_DSA); - dsa->internal = NULL; - } - wolfSSL_BN_free(dsa->priv_key); - wolfSSL_BN_free(dsa->pub_key); - wolfSSL_BN_free(dsa->g); - wolfSSL_BN_free(dsa->q); - wolfSSL_BN_free(dsa->p); - InitwolfSSL_DSA(dsa); /* set back to NULLs for safety */ - - XFREE(dsa, NULL, DYNAMIC_TYPE_DSA); - - /* dsa = NULL, don't try to access or double free it */ - } -} - -#endif /* NO_DSA */ -#endif /* OPENSSL_EXTRA */ - -#ifdef OPENSSL_EXTRA - -#ifndef NO_DSA -/* wolfSSL -> OpenSSL */ -int SetDsaExternal(WOLFSSL_DSA* dsa) -{ - DsaKey* key; - WOLFSSL_MSG("Entering SetDsaExternal"); - - if (dsa == NULL || dsa->internal == NULL) { - WOLFSSL_MSG("dsa key NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - key = (DsaKey*)dsa->internal; - - if (SetIndividualExternal(&dsa->p, &key->p) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dsa p key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&dsa->q, &key->q) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dsa q key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&dsa->g, &key->g) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dsa g key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&dsa->pub_key, &key->y) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dsa y key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&dsa->priv_key, &key->x) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dsa x key error"); - return WOLFSSL_FATAL_ERROR; - } - - dsa->exSet = 1; - - return WOLFSSL_SUCCESS; -} - -/* Openssl -> WolfSSL */ -int SetDsaInternal(WOLFSSL_DSA* dsa) -{ - DsaKey* key; - WOLFSSL_MSG("Entering SetDsaInternal"); - - if (dsa == NULL || dsa->internal == NULL) { - WOLFSSL_MSG("dsa key NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - key = (DsaKey*)dsa->internal; - - if (dsa->p != NULL && - SetIndividualInternal(dsa->p, &key->p) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa p key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (dsa->q != NULL && - SetIndividualInternal(dsa->q, &key->q) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa q key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (dsa->g != NULL && - SetIndividualInternal(dsa->g, &key->g) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa g key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (dsa->pub_key != NULL) { - if (SetIndividualInternal(dsa->pub_key, &key->y) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa pub_key error"); - return WOLFSSL_FATAL_ERROR; - } - - /* public key */ - key->type = DSA_PUBLIC; - } - - if (dsa->priv_key != NULL) { - if (SetIndividualInternal(dsa->priv_key, &key->x) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa priv_key error"); - return WOLFSSL_FATAL_ERROR; - } - - /* private key */ - key->type = DSA_PRIVATE; - } - - dsa->inSet = 1; - - return WOLFSSL_SUCCESS; -} -#endif /* NO_DSA */ -#endif /* OPENSSL_EXTRA */ - - -#ifdef OPENSSL_EXTRA -#if !defined(NO_RSA) -/* Generates a RSA key of length len - * - * len length of RSA key i.e. 2048 - * e e to use when generating RSA key - * f callback function for generation details - * data user callback argument - * - * Note: Because of wc_MakeRsaKey an RSA key size generated can be slightly - * rounded down. For example generating a key of size 2999 with e = - * 65537 will make a key of size 374 instead of 375. - * Returns a new RSA key on success and NULL on failure - */ -WOLFSSL_RSA* wolfSSL_RSA_generate_key(int len, unsigned long e, - void(*f)(int, int, void*), void* data) -{ - WOLFSSL_RSA* rsa = NULL; - WOLFSSL_BIGNUM* bn = NULL; - - WOLFSSL_ENTER("wolfSSL_RSA_generate_key"); - - (void)f; - (void)data; - - if (len < 0) { - WOLFSSL_MSG("Bad argument: length was less than 0"); - return NULL; - } - - bn = wolfSSL_BN_new(); - if (bn == NULL) { - WOLFSSL_MSG("Error creating big number"); - return NULL; - } - - if (wolfSSL_BN_set_word(bn, (WOLFSSL_BN_ULONG)e) != SSL_SUCCESS) { - WOLFSSL_MSG("Error using e value"); - wolfSSL_BN_free(bn); - return NULL; - } - - rsa = wolfSSL_RSA_new(); - if (rsa == NULL) { - WOLFSSL_MSG("memory error"); - } - else { - if (wolfSSL_RSA_generate_key_ex(rsa, len, bn, NULL) != SSL_SUCCESS){ - wolfSSL_RSA_free(rsa); - rsa = NULL; - } - } - wolfSSL_BN_free(bn); - - return rsa; -} - - -/* return compliant with OpenSSL - * 1 if success, 0 if error - */ -int wolfSSL_RSA_generate_key_ex(WOLFSSL_RSA* rsa, int bits, WOLFSSL_BIGNUM* bn, - void* cb) -{ - int ret = WOLFSSL_FAILURE; - - (void)cb; - (void)bn; - (void)bits; - - WOLFSSL_ENTER("wolfSSL_RSA_generate_key_ex"); - - if (rsa == NULL || rsa->internal == NULL) { - /* bit size checked during make key call */ - WOLFSSL_MSG("bad arguments"); - return WOLFSSL_FAILURE; - } - -#ifdef WOLFSSL_KEY_GEN - { - #ifdef WOLFSSL_SMALL_STACK - WC_RNG* rng; - #else - WC_RNG rng[1]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (rng == NULL) - return WOLFSSL_FAILURE; - #endif - - if (wc_InitRng(rng) < 0) - WOLFSSL_MSG("RNG init failed"); - else if (wc_MakeRsaKey((RsaKey*)rsa->internal, bits, - wolfSSL_BN_get_word(bn), rng) != MP_OKAY) - WOLFSSL_MSG("wc_MakeRsaKey failed"); - else if (SetRsaExternal(rsa) != WOLFSSL_SUCCESS) - WOLFSSL_MSG("SetRsaExternal failed"); - else { - rsa->inSet = 1; - ret = WOLFSSL_SUCCESS; - } - - wc_FreeRng(rng); - #ifdef WOLFSSL_SMALL_STACK - XFREE(rng, NULL, DYNAMIC_TYPE_RNG); - #endif - } -#else - WOLFSSL_MSG("No Key Gen built in"); -#endif - return ret; -} -#endif /* NO_RSA */ - -#ifndef NO_DSA -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_DSA_generate_key(WOLFSSL_DSA* dsa) -{ - int ret = WOLFSSL_FAILURE; - - WOLFSSL_ENTER("wolfSSL_DSA_generate_key"); - - if (dsa == NULL || dsa->internal == NULL) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - - if (dsa->inSet == 0) { - WOLFSSL_MSG("No DSA internal set, do it"); - - if (SetDsaInternal(dsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetDsaInternal failed"); - return ret; - } - } - -#ifdef WOLFSSL_KEY_GEN - { - int initTmpRng = 0; - WC_RNG *rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG *tmpRNG; -#else - WC_RNG tmpRNG[1]; -#endif - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return WOLFSSL_FATAL_ERROR; -#endif - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng) { - if (wc_MakeDsaKey(rng, (DsaKey*)dsa->internal) != MP_OKAY) - WOLFSSL_MSG("wc_MakeDsaKey failed"); - else if (SetDsaExternal(dsa) != WOLFSSL_SUCCESS) - WOLFSSL_MSG("SetDsaExternal failed"); - else - ret = WOLFSSL_SUCCESS; - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - } -#else /* WOLFSSL_KEY_GEN */ - WOLFSSL_MSG("No Key Gen built in"); -#endif - return ret; -} - - -/* Returns a pointer to a new WOLFSSL_DSA structure on success and NULL on fail - */ -WOLFSSL_DSA* wolfSSL_DSA_generate_parameters(int bits, unsigned char* seed, - int seedLen, int* counterRet, unsigned long* hRet, - WOLFSSL_BN_CB cb, void* CBArg) -{ - WOLFSSL_DSA* dsa; - - WOLFSSL_ENTER("wolfSSL_DSA_generate_parameters()"); - - (void)cb; - (void)CBArg; - dsa = wolfSSL_DSA_new(); - if (dsa == NULL) { - return NULL; - } - - if (wolfSSL_DSA_generate_parameters_ex(dsa, bits, seed, seedLen, - counterRet, hRet, NULL) != SSL_SUCCESS) { - wolfSSL_DSA_free(dsa); - return NULL; - } - - return dsa; -} - - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_DSA_generate_parameters_ex(WOLFSSL_DSA* dsa, int bits, - unsigned char* seed, int seedLen, - int* counterRet, - unsigned long* hRet, void* cb) -{ - int ret = WOLFSSL_FAILURE; - - (void)bits; - (void)seed; - (void)seedLen; - (void)counterRet; - (void)hRet; - (void)cb; - - WOLFSSL_ENTER("wolfSSL_DSA_generate_parameters_ex"); - - if (dsa == NULL || dsa->internal == NULL) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - -#ifdef WOLFSSL_KEY_GEN - { - int initTmpRng = 0; - WC_RNG *rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG *tmpRNG; -#else - WC_RNG tmpRNG[1]; -#endif - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return WOLFSSL_FATAL_ERROR; -#endif - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng) { - if (wc_MakeDsaParameters(rng, bits, - (DsaKey*)dsa->internal) != MP_OKAY) - WOLFSSL_MSG("wc_MakeDsaParameters failed"); - else if (SetDsaExternal(dsa) != WOLFSSL_SUCCESS) - WOLFSSL_MSG("SetDsaExternal failed"); - else - ret = WOLFSSL_SUCCESS; - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - } -#else /* WOLFSSL_KEY_GEN */ - WOLFSSL_MSG("No Key Gen built in"); -#endif - - return ret; -} - -WOLFSSL_DSA_SIG* wolfSSL_DSA_SIG_new(void) -{ - WOLFSSL_DSA_SIG* sig; - WOLFSSL_ENTER("wolfSSL_DSA_SIG_new"); - sig = (WOLFSSL_DSA_SIG*)XMALLOC(sizeof(WOLFSSL_DSA_SIG), NULL, DYNAMIC_TYPE_OPENSSL); - if (sig) - XMEMSET(sig, 0, sizeof(WOLFSSL_DSA_SIG)); - return sig; -} - -void wolfSSL_DSA_SIG_free(WOLFSSL_DSA_SIG *sig) -{ - WOLFSSL_ENTER("wolfSSL_DSA_SIG_free"); - if (sig) { - if (sig->r) { - wolfSSL_BN_free(sig->r); - } - if (sig->s) { - wolfSSL_BN_free(sig->s); - } - XFREE(sig, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - -/* return WOLFSSL_SUCCESS on success, < 0 otherwise */ -int wolfSSL_DSA_do_sign(const unsigned char* d, unsigned char* sigRet, - WOLFSSL_DSA* dsa) -{ - int ret = WOLFSSL_FATAL_ERROR; - int initTmpRng = 0; - WC_RNG* rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG = NULL; -#else - WC_RNG tmpRNG[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_DSA_do_sign"); - - if (d == NULL || sigRet == NULL || dsa == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return ret; - } - - if (dsa->inSet == 0) - { - WOLFSSL_MSG("No DSA internal set, do it"); - - if (SetDsaInternal(dsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetDsaInternal failed"); - return ret; - } - } - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return WOLFSSL_FATAL_ERROR; -#endif - - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng) { - if (DsaSign(d, sigRet, (DsaKey*)dsa->internal, rng) < 0) - WOLFSSL_MSG("DsaSign failed"); - else - ret = WOLFSSL_SUCCESS; - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - return ret; -} - -#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) -WOLFSSL_DSA_SIG* wolfSSL_DSA_do_sign_ex(const unsigned char* digest, - int outLen, WOLFSSL_DSA* dsa) -{ - WOLFSSL_DSA_SIG* sig = NULL; - byte sigBin[DSA_SIG_SIZE]; - - WOLFSSL_ENTER("wolfSSL_DSA_do_sign_ex"); - - if (!digest || !dsa || outLen != WC_SHA_DIGEST_SIZE) { - WOLFSSL_MSG("Bad function arguments"); - return NULL; - } - - if (wolfSSL_DSA_do_sign(digest, sigBin, dsa) != WOLFSSL_SUCCESS) { - return NULL; - } - - if (!(sig = wolfSSL_DSA_SIG_new())) { - goto error; - } - - if (!(sig->r = wolfSSL_BN_bin2bn(sigBin, DSA_HALF_SIZE, NULL))) { - goto error; - } - - if (!(sig->s = wolfSSL_BN_bin2bn(sigBin + DSA_HALF_SIZE, DSA_HALF_SIZE, NULL))) { - goto error; - } - - return sig; -error: - if (sig) { - wolfSSL_DSA_SIG_free(sig); - } - return NULL; -} -#endif /* !HAVE_SELFTEST && !HAVE_FIPS */ - -int wolfSSL_DSA_do_verify(const unsigned char* d, unsigned char* sig, - WOLFSSL_DSA* dsa, int *dsacheck) -{ - int ret = WOLFSSL_FATAL_ERROR; - - WOLFSSL_ENTER("wolfSSL_DSA_do_verify"); - - if (d == NULL || sig == NULL || dsa == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FATAL_ERROR; - } - if (dsa->inSet == 0) - { - WOLFSSL_MSG("No DSA internal set, do it"); - - if (SetDsaInternal(dsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetDsaInternal failed"); - return WOLFSSL_FATAL_ERROR; - } - } - - ret = DsaVerify(d, sig, (DsaKey*)dsa->internal, dsacheck); - if (ret != 0 || *dsacheck != 1) { - WOLFSSL_MSG("DsaVerify failed"); - return ret; - } - - return WOLFSSL_SUCCESS; -} - -#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) -int wolfSSL_DSA_do_verify_ex(const unsigned char* digest, int digest_len, - WOLFSSL_DSA_SIG* sig, WOLFSSL_DSA* dsa) -{ - int dsacheck, sz; - byte sigBin[DSA_SIG_SIZE]; - byte* sigBinPtr = sigBin; - - WOLFSSL_ENTER("wolfSSL_DSA_do_verify_ex"); - - if (!digest || !sig || !dsa || digest_len != WC_SHA_DIGEST_SIZE) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FAILURE; - } - - if (!sig->r || !sig->s) { - WOLFSSL_MSG("No signature found in DSA_SIG"); - return WOLFSSL_FAILURE; - } - - /* front pad with zeros */ - if (!(sz = wolfSSL_BN_num_bytes(sig->r))) { - return WOLFSSL_FAILURE; - } - while (sz++ < DSA_HALF_SIZE) { - *sigBinPtr++ = 0; - } - - if (wolfSSL_BN_bn2bin(sig->r, sigBinPtr) == WOLFSSL_FATAL_ERROR) { - return WOLFSSL_FAILURE; - } - - /* Move to s */ - sigBinPtr = sigBin + DSA_HALF_SIZE; - - /* front pad with zeros */ - if (!(sz = wolfSSL_BN_num_bytes(sig->s))) { - return WOLFSSL_FAILURE; - } - while (sz++ < DSA_HALF_SIZE) { - *sigBinPtr++ = 0; - } - - if (wolfSSL_BN_bn2bin(sig->s, sigBinPtr) == WOLFSSL_FATAL_ERROR) { - return WOLFSSL_FAILURE; - } - - if (wolfSSL_DSA_do_verify(digest, sigBin, dsa, &dsacheck) != WOLFSSL_SUCCESS || - dsacheck != 1) { - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} -#endif /* !HAVE_SELFTEST && !HAVE_FIPS */ -#endif /* NO_DSA */ - - -#if !defined(NO_RSA) && !defined(HAVE_USER_RSA) - -#ifdef DEBUG_SIGN -static void show(const char *title, const unsigned char *out, unsigned int outlen) -{ - const unsigned char *pt; - printf("%s[%d] = \n", title, (int)outlen); - outlen = outlen>100?100:outlen; - for (pt = out; pt < out + outlen; - printf("%c", ((*pt)&0x6f)>='A'?((*pt)&0x6f):'.'), pt++); - printf("\n"); -} -#else -#define show(a,b,c) -#endif - -/* return SSL_SUCCESS on ok, 0 otherwise */ -int wolfSSL_RSA_sign(int type, const unsigned char* m, - unsigned int mLen, unsigned char* sigRet, - unsigned int* sigLen, WOLFSSL_RSA* rsa) -{ - return wolfSSL_RSA_sign_ex(type, m, mLen, sigRet, sigLen, rsa, 1); -} - -int wolfSSL_RSA_sign_ex(int type, const unsigned char* m, - unsigned int mLen, unsigned char* sigRet, - unsigned int* sigLen, WOLFSSL_RSA* rsa, int flag) -{ - word32 outLen; - word32 signSz; - int initTmpRng = 0; - WC_RNG* rng = NULL; - int ret = 0; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG = NULL; - byte* encodedSig = NULL; -#else - WC_RNG tmpRNG[1]; - byte encodedSig[MAX_ENCODED_SIG_SZ]; -#endif - - WOLFSSL_ENTER("wolfSSL_RSA_sign"); - - if (m == NULL || sigRet == NULL || sigLen == NULL || rsa == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return 0; - } - show("Message to Sign", m, mLen); - - switch (type) { - #ifdef WOLFSSL_MD2 - case NID_md2: type = MD2h; break; - #endif - #ifndef NO_MD5 - case NID_md5: type = MD5h; break; - #endif - #ifndef NO_SHA - case NID_sha1: type = SHAh; break; - #endif - #ifndef NO_SHA256 - case NID_sha256: type = SHA256h; break; - #endif - #ifdef WOLFSSL_SHA384 - case NID_sha384: type = SHA384h; break; - #endif - #ifdef WOLFSSL_SHA512 - case NID_sha512: type = SHA512h; break; - #endif - #ifndef WOLFSSL_NOSHA3_224 - case NID_sha3_224: type = SHA3_224h; break; - #endif - #ifndef WOLFSSL_NOSHA3_256 - case NID_sha3_256: type = SHA3_256h; break; - #endif - #ifndef WOLFSSL_NOSHA3_384 - case NID_sha3_384: type = SHA3_384h; break; - #endif - #ifndef WOLFSSL_NOSHA3_512 - case NID_sha3_512: type = SHA3_512h; break; - #endif - default: - WOLFSSL_MSG("This NID (md type) not configured or not implemented"); - return 0; - } - - if (rsa->inSet == 0) - { - WOLFSSL_MSG("No RSA internal set, do it"); - - if (SetRsaInternal(rsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetRsaInternal failed"); - return 0; - } - } - - outLen = (word32)wolfSSL_BN_num_bytes(rsa->n); - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return 0; - - encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, - DYNAMIC_TYPE_SIGNATURE); - if (encodedSig == NULL) { - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); - return 0; - } -#endif - - if (outLen == 0) - WOLFSSL_MSG("Bad RSA size"); - else if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng) { - - signSz = wc_EncodeSignature(encodedSig, m, mLen, type); - if (signSz == 0) { - WOLFSSL_MSG("Bad Encode Signature"); - } - else { - show("Encoded Message", encodedSig, signSz); - if (flag != 0) { - ret = wc_RsaSSL_Sign(encodedSig, signSz, sigRet, outLen, - (RsaKey*)rsa->internal, rng); - if (ret <= 0) { - WOLFSSL_MSG("Bad Rsa Sign"); - ret = 0; - } - else { - *sigLen = (unsigned int)ret; - ret = SSL_SUCCESS; - show("Signature", sigRet, *sigLen); - } - } else { - ret = SSL_SUCCESS; - XMEMCPY(sigRet, encodedSig, signSz); - *sigLen = signSz; - } - } - - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); - XFREE(encodedSig, NULL, DYNAMIC_TYPE_SIGNATURE); -#endif - - if (ret == WOLFSSL_SUCCESS) - WOLFSSL_MSG("wolfSSL_RSA_sign success"); - else { - WOLFSSL_MSG("wolfSSL_RSA_sign failed"); - } - return ret; -} - - -/* returns WOLFSSL_SUCCESS on successful verify and WOLFSSL_FAILURE on fail */ -int wolfSSL_RSA_verify(int type, const unsigned char* m, - unsigned int mLen, const unsigned char* sig, - unsigned int sigLen, WOLFSSL_RSA* rsa) -{ - int ret; - unsigned char *sigRet ; - unsigned char *sigDec ; - unsigned int len; - - WOLFSSL_ENTER("wolfSSL_RSA_verify"); - if ((m == NULL) || (sig == NULL)) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FAILURE; - } - - sigRet = (unsigned char *)XMALLOC(sigLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sigRet == NULL) { - WOLFSSL_MSG("Memory failure"); - return WOLFSSL_FAILURE; - } - sigDec = (unsigned char *)XMALLOC(sigLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sigDec == NULL) { - WOLFSSL_MSG("Memory failure"); - XFREE(sigRet, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - /* get non-encrypted signature to be compared with decrypted signature */ - ret = wolfSSL_RSA_sign_ex(type, m, mLen, sigRet, &len, rsa, 0); - if (ret <= 0) { - WOLFSSL_MSG("Message Digest Error"); - XFREE(sigRet, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sigDec, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - show("Encoded Message", sigRet, len); - /* decrypt signature */ - ret = wc_RsaSSL_Verify(sig, sigLen, (unsigned char *)sigDec, sigLen, - (RsaKey*)rsa->internal); - if (ret <= 0) { - WOLFSSL_MSG("RSA Decrypt error"); - XFREE(sigRet, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sigDec, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - show("Decrypted Signature", sigDec, ret); - - if ((int)len == ret && XMEMCMP(sigRet, sigDec, ret) == 0) { - WOLFSSL_MSG("wolfSSL_RSA_verify success"); - XFREE(sigRet, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sigDec, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_SUCCESS; - } - else { - WOLFSSL_MSG("wolfSSL_RSA_verify failed"); - XFREE(sigRet, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(sigDec, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } -} - -void wolfSSL_RSA_get0_key(const WOLFSSL_RSA *r, const WOLFSSL_BIGNUM **n, - const WOLFSSL_BIGNUM **e, const WOLFSSL_BIGNUM **d) -{ - WOLFSSL_ENTER("wolfSSL_RSA_get0_key"); - - if (r != NULL) { - if (n != NULL) - *n = r->n; - if (e != NULL) - *e = r->e; - if (d != NULL) - *d = r->d; - } else { - if (n != NULL) - *n = NULL; - if (e != NULL) - *e = NULL; - if (d != NULL) - *d = NULL; - } -} - -/* generate p-1 and q-1, WOLFSSL_SUCCESS on ok */ -int wolfSSL_RSA_GenAdd(WOLFSSL_RSA* rsa) -{ - int err; - mp_int tmp; - - WOLFSSL_MSG("wolfSSL_RsaGenAdd"); - - if (rsa == NULL || rsa->p == NULL || rsa->q == NULL || rsa->d == NULL || - rsa->dmp1 == NULL || rsa->dmq1 == NULL) { - WOLFSSL_MSG("rsa no init error"); - return WOLFSSL_FATAL_ERROR; - } - - if (mp_init(&tmp) != MP_OKAY) { - WOLFSSL_MSG("mp_init error"); - return WOLFSSL_FATAL_ERROR; - } - - err = mp_sub_d((mp_int*)rsa->p->internal, 1, &tmp); - if (err != MP_OKAY) { - WOLFSSL_MSG("mp_sub_d error"); - } - else - err = mp_mod((mp_int*)rsa->d->internal, &tmp, - (mp_int*)rsa->dmp1->internal); - - if (err != MP_OKAY) { - WOLFSSL_MSG("mp_mod error"); - } - else - err = mp_sub_d((mp_int*)rsa->q->internal, 1, &tmp); - if (err != MP_OKAY) { - WOLFSSL_MSG("mp_sub_d error"); - } - else - err = mp_mod((mp_int*)rsa->d->internal, &tmp, - (mp_int*)rsa->dmq1->internal); - - mp_clear(&tmp); - - if (err == MP_OKAY) - return WOLFSSL_SUCCESS; - else - return WOLFSSL_FATAL_ERROR; -} -#endif /* !NO_RSA && !HAVE_USER_RSA */ - -WOLFSSL_HMAC_CTX* wolfSSL_HMAC_CTX_new(void) -{ - return (WOLFSSL_HMAC_CTX*)XMALLOC(sizeof(WOLFSSL_HMAC_CTX), NULL, - DYNAMIC_TYPE_OPENSSL); -} - -int wolfSSL_HMAC_CTX_Init(WOLFSSL_HMAC_CTX* ctx) -{ - WOLFSSL_MSG("wolfSSL_HMAC_CTX_Init"); - - if (ctx != NULL) { - /* wc_HmacSetKey sets up ctx->hmac */ - XMEMSET(ctx, 0, sizeof(WOLFSSL_HMAC_CTX)); - } - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_HMAC_Init_ex(WOLFSSL_HMAC_CTX* ctx, const void* key, - int keylen, const EVP_MD* type, WOLFSSL_ENGINE* e) -{ - WOLFSSL_ENTER("wolfSSL_HMAC_Init_ex"); - - /* WOLFSSL_ENGINE not used, call wolfSSL_HMAC_Init */ - (void)e; - return wolfSSL_HMAC_Init(ctx, key, keylen, type); -} - - -/* helper function for Deep copy of internal wolfSSL hmac structure - * returns WOLFSSL_SUCCESS on success */ -int wolfSSL_HmacCopy(Hmac* des, Hmac* src) -{ - void* heap; - -#ifndef HAVE_FIPS - heap = src->heap; -#else - heap = NULL; -#endif - if (wc_HmacInit(des, heap, 0) != 0) { - return WOLFSSL_FAILURE; - } - - /* requires that hash structures have no dynamic parts to them */ - switch (src->macType) { - #ifndef NO_MD5 - case WC_MD5: - wc_Md5Copy(&src->hash.md5, &des->hash.md5); - break; - #endif /* !NO_MD5 */ - - #ifndef NO_SHA - case WC_SHA: - wc_ShaCopy(&src->hash.sha, &des->hash.sha); - break; - #endif /* !NO_SHA */ - - #ifdef WOLFSSL_SHA224 - case WC_SHA224: - wc_Sha224Copy(&src->hash.sha224, &des->hash.sha224); - break; - #endif /* WOLFSSL_SHA224 */ - - #ifndef NO_SHA256 - case WC_SHA256: - wc_Sha256Copy(&src->hash.sha256, &des->hash.sha256); - break; - #endif /* !NO_SHA256 */ - - #ifdef WOLFSSL_SHA384 - case WC_SHA384: - wc_Sha384Copy(&src->hash.sha384, &des->hash.sha384); - break; - #endif /* WOLFSSL_SHA384 */ - #ifdef WOLFSSL_SHA512 - case WC_SHA512: - wc_Sha512Copy(&src->hash.sha512, &des->hash.sha512); - break; - #endif /* WOLFSSL_SHA512 */ - - default: - return WOLFSSL_FAILURE; - } - - XMEMCPY((byte*)des->ipad, (byte*)src->ipad, WC_HMAC_BLOCK_SIZE); - XMEMCPY((byte*)des->opad, (byte*)src->opad, WC_HMAC_BLOCK_SIZE); - XMEMCPY((byte*)des->innerHash, (byte*)src->innerHash, WC_MAX_DIGEST_SIZE); -#ifndef HAVE_FIPS - des->heap = heap; -#endif - des->macType = src->macType; - des->innerHashKeyed = src->innerHashKeyed; - -#ifdef WOLFSSL_ASYNC_CRYPT - XMEMCPY(&des->asyncDev, &src->asyncDev, sizeof(WC_ASYNC_DEV)); - des->keyLen = src->keyLen; - #ifdef HAVE_CAVIUM - des->data = (byte*)XMALLOC(src->dataLen, des->heap, - DYNAMIC_TYPE_HMAC); - if (des->data == NULL) { - return BUFFER_E; - } - XMEMCPY(des->data, src->data, src->dataLen); - des->dataLen = src->dataLen; - #endif /* HAVE_CAVIUM */ -#endif /* WOLFSSL_ASYNC_CRYPT */ - return WOLFSSL_SUCCESS; -} - - -/* Deep copy of information from src to des structure - * - * des destination to copy information to - * src structure to get information from - * - * Returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on error - */ -int wolfSSL_HMAC_CTX_copy(WOLFSSL_HMAC_CTX* des, WOLFSSL_HMAC_CTX* src) -{ - WOLFSSL_ENTER("wolfSSL_HMAC_CTX_copy"); - - if (des == NULL || src == NULL) { - return WOLFSSL_FAILURE; - } - - des->type = src->type; - XMEMCPY((byte *)&des->save_ipad, (byte *)&src->hmac.ipad, - WC_HMAC_BLOCK_SIZE); - XMEMCPY((byte *)&des->save_opad, (byte *)&src->hmac.opad, - WC_HMAC_BLOCK_SIZE); - - return wolfSSL_HmacCopy(&des->hmac, &src->hmac); -} - - -#if defined(HAVE_FIPS) && \ - (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) - -static int _HMAC_Init(Hmac* hmac, int type, void* heap) -{ - int ret = 0; - - switch (type) { - #ifndef NO_MD5 - case WC_MD5: - ret = wc_InitMd5(&hmac->hash.md5); - break; - #endif /* !NO_MD5 */ - - #ifndef NO_SHA - case WC_SHA: - ret = wc_InitSha(&hmac->hash.sha); - break; - #endif /* !NO_SHA */ - - #ifdef WOLFSSL_SHA224 - case WC_SHA224: - ret = wc_InitSha224(&hmac->hash.sha224); - break; - #endif /* WOLFSSL_SHA224 */ - - #ifndef NO_SHA256 - case WC_SHA256: - ret = wc_InitSha256(&hmac->hash.sha256); - break; - #endif /* !NO_SHA256 */ - - #ifdef WOLFSSL_SHA384 - case WC_SHA384: - ret = wc_InitSha384(&hmac->hash.sha384); - break; - #endif /* WOLFSSL_SHA384 */ - #ifdef WOLFSSL_SHA512 - case WC_SHA512: - ret = wc_InitSha512(&hmac->hash.sha512); - break; - #endif /* WOLFSSL_SHA512 */ - - #ifdef WOLFSSL_SHA3 - case WC_SHA3_224: - ret = wc_InitSha3_224(&hmac->hash.sha3, heap, INVALID_DEVID); - break; - case WC_SHA3_256: - ret = wc_InitSha3_256(&hmac->hash.sha3, heap, INVALID_DEVID); - break; - case WC_SHA3_384: - ret = wc_InitSha3_384(&hmac->hash.sha3, heap, INVALID_DEVID); - break; - case WC_SHA3_512: - ret = wc_InitSha3_512(&hmac->hash.sha3, heap, INVALID_DEVID); - break; - #endif - - default: - ret = BAD_FUNC_ARG; - break; - } - - (void)heap; - - return ret; -} - -#else - #define _HMAC_Init _InitHmac -#endif - - -int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen, - const EVP_MD* type) -{ - int hmac_error = 0; - void* heap = NULL; - - WOLFSSL_MSG("wolfSSL_HMAC_Init"); - - if (ctx == NULL) { - WOLFSSL_MSG("no ctx on init"); - return WOLFSSL_FAILURE; - } - -#ifndef HAVE_FIPS - heap = ctx->hmac.heap; -#endif - - if (type) { - WOLFSSL_MSG("init has type"); - -#ifndef NO_MD5 - if (XSTRNCMP(type, "MD5", 3) == 0) { - WOLFSSL_MSG("md5 hmac"); - ctx->type = WC_MD5; - } - else -#endif -#ifdef WOLFSSL_SHA224 - if (XSTRNCMP(type, "SHA224", 6) == 0) { - WOLFSSL_MSG("sha224 hmac"); - ctx->type = WC_SHA224; - } - else -#endif -#ifndef NO_SHA256 - if (XSTRNCMP(type, "SHA256", 6) == 0) { - WOLFSSL_MSG("sha256 hmac"); - ctx->type = WC_SHA256; - } - else -#endif -#ifdef WOLFSSL_SHA384 - if (XSTRNCMP(type, "SHA384", 6) == 0) { - WOLFSSL_MSG("sha384 hmac"); - ctx->type = WC_SHA384; - } - else -#endif -#ifdef WOLFSSL_SHA512 - if (XSTRNCMP(type, "SHA512", 6) == 0) { - WOLFSSL_MSG("sha512 hmac"); - ctx->type = WC_SHA512; - } - else -#endif - -#ifndef NO_SHA - /* has to be last since would pick or 256, 384, or 512 too */ - if (XSTRNCMP(type, "SHA", 3) == 0) { - WOLFSSL_MSG("sha hmac"); - ctx->type = WC_SHA; - } - else -#endif - { - WOLFSSL_MSG("bad init type"); - return WOLFSSL_FAILURE; - } - } - - if (key && keylen) { - WOLFSSL_MSG("keying hmac"); - - if (wc_HmacInit(&ctx->hmac, NULL, INVALID_DEVID) == 0) { - hmac_error = wc_HmacSetKey(&ctx->hmac, ctx->type, (const byte*)key, - (word32)keylen); - if (hmac_error < 0){ - wc_HmacFree(&ctx->hmac); - return WOLFSSL_FAILURE; - } - XMEMCPY((byte *)&ctx->save_ipad, (byte *)&ctx->hmac.ipad, - WC_HMAC_BLOCK_SIZE); - XMEMCPY((byte *)&ctx->save_opad, (byte *)&ctx->hmac.opad, - WC_HMAC_BLOCK_SIZE); - } - /* OpenSSL compat, no error */ - } else if(ctx->type >= 0) { /* MD5 == 0 */ - WOLFSSL_MSG("recover hmac"); - wc_HmacFree(&ctx->hmac); - if (wc_HmacInit(&ctx->hmac, NULL, INVALID_DEVID) == 0) { - ctx->hmac.macType = (byte)ctx->type; - ctx->hmac.innerHashKeyed = 0; - XMEMCPY((byte *)&ctx->hmac.ipad, (byte *)&ctx->save_ipad, - WC_HMAC_BLOCK_SIZE); - XMEMCPY((byte *)&ctx->hmac.opad, (byte *)&ctx->save_opad, - WC_HMAC_BLOCK_SIZE); - if ((hmac_error = _HMAC_Init(&ctx->hmac, ctx->hmac.macType, heap)) - !=0) { - return hmac_error; - } - } - } - - (void)hmac_error; - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_HMAC_Update(WOLFSSL_HMAC_CTX* ctx, const unsigned char* data, - int len) -{ - int hmac_error = 0; - - WOLFSSL_MSG("wolfSSL_HMAC_Update"); - - if (ctx == NULL) { - WOLFSSL_MSG("no ctx"); - return WOLFSSL_FAILURE; - } - - if (data) { - WOLFSSL_MSG("updating hmac"); - hmac_error = wc_HmacUpdate(&ctx->hmac, data, (word32)len); - if (hmac_error < 0){ - WOLFSSL_MSG("hmac update error"); - return WOLFSSL_FAILURE; - } - } - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_HMAC_Final(WOLFSSL_HMAC_CTX* ctx, unsigned char* hash, - unsigned int* len) -{ - int hmac_error; - - WOLFSSL_MSG("wolfSSL_HMAC_Final"); - - /* "len" parameter is optional. */ - if (ctx == NULL || hash == NULL) { - WOLFSSL_MSG("invalid parameter"); - return WOLFSSL_FAILURE; - } - - WOLFSSL_MSG("final hmac"); - hmac_error = wc_HmacFinal(&ctx->hmac, hash); - if (hmac_error < 0){ - WOLFSSL_MSG("final hmac error"); - return WOLFSSL_FAILURE; - } - - if (len) { - WOLFSSL_MSG("setting output len"); - switch (ctx->type) { - #ifndef NO_MD5 - case WC_MD5: - *len = WC_MD5_DIGEST_SIZE; - break; - #endif - - #ifndef NO_SHA - case WC_SHA: - *len = WC_SHA_DIGEST_SIZE; - break; - #endif - - #ifdef WOLFSSL_SHA224 - case WC_SHA224: - *len = WC_SHA224_DIGEST_SIZE; - break; - #endif - - #ifndef NO_SHA256 - case WC_SHA256: - *len = WC_SHA256_DIGEST_SIZE; - break; - #endif - - #ifdef WOLFSSL_SHA384 - case WC_SHA384: - *len = WC_SHA384_DIGEST_SIZE; - break; - #endif - - #ifdef WOLFSSL_SHA512 - case WC_SHA512: - *len = WC_SHA512_DIGEST_SIZE; - break; - #endif - - default: - WOLFSSL_MSG("bad hmac type"); - return WOLFSSL_FAILURE; - } - } - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_HMAC_cleanup(WOLFSSL_HMAC_CTX* ctx) -{ - WOLFSSL_MSG("wolfSSL_HMAC_cleanup"); - - if (ctx) - wc_HmacFree(&ctx->hmac); - - return SSL_SUCCESS; -} - - -void wolfSSL_HMAC_CTX_free(WOLFSSL_HMAC_CTX* ctx) -{ - if (!ctx) { - return; - } - wolfSSL_HMAC_cleanup(ctx); - XFREE(ctx, NULL, DYNAMIC_TYPE_OPENSSL); -} - -size_t wolfSSL_HMAC_size(const WOLFSSL_HMAC_CTX *ctx) -{ - if (!ctx) { - return 0; - } - - return (size_t)wc_HashGetDigestSize((enum wc_HashType)ctx->hmac.macType); -} - -#ifndef NO_DES3 - -void wolfSSL_3des_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, int doset, - unsigned char* iv, int len) -{ - (void)len; - - WOLFSSL_MSG("wolfSSL_3des_iv"); - - if (ctx == NULL || iv == NULL) { - WOLFSSL_MSG("Bad function argument"); - return; - } - - if (doset) - wc_Des3_SetIV(&ctx->cipher.des3, iv); /* OpenSSL compat, no ret */ - else - XMEMCPY(iv, &ctx->cipher.des3.reg, DES_BLOCK_SIZE); -} - -#endif /* NO_DES3 */ - - -#ifndef NO_AES - -void wolfSSL_aes_ctr_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, int doset, - unsigned char* iv, int len) -{ - (void)len; - - WOLFSSL_MSG("wolfSSL_aes_ctr_iv"); - - if (ctx == NULL || iv == NULL) { - WOLFSSL_MSG("Bad function argument"); - return; - } - - if (doset) - (void)wc_AesSetIV(&ctx->cipher.aes, iv); /* OpenSSL compat, no ret */ - else - XMEMCPY(iv, &ctx->cipher.aes.reg, AES_BLOCK_SIZE); -} - -#endif /* NO_AES */ - - -/* Free the dynamically allocated data. - * - * p Pointer to dynamically allocated memory. - */ -void wolfSSL_OPENSSL_free(void* p) -{ - WOLFSSL_MSG("wolfSSL_OPENSSL_free"); - - XFREE(p, NULL, DYNAMIC_TYPE_OPENSSL); -} - -void *wolfSSL_OPENSSL_malloc(size_t a) -{ - return XMALLOC(a, NULL, DYNAMIC_TYPE_OPENSSL); -} - -#if defined(WOLFSSL_KEY_GEN) && defined(WOLFSSL_PEM_TO_DER) - -static int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher, - unsigned char* passwd, int passwdSz, byte **cipherInfo) -{ - int ret, paddingSz; - word32 idx, cipherInfoSz; -#ifdef WOLFSSL_SMALL_STACK - EncryptedInfo* info = NULL; -#else - EncryptedInfo info[1]; -#endif - - WOLFSSL_ENTER("EncryptDerKey"); - - if (der == NULL || derSz == NULL || cipher == NULL || - passwd == NULL || cipherInfo == NULL) - return BAD_FUNC_ARG; - -#ifdef WOLFSSL_SMALL_STACK - info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, - DYNAMIC_TYPE_ENCRYPTEDINFO); - if (info == NULL) { - WOLFSSL_MSG("malloc failed"); - return WOLFSSL_FAILURE; - } -#endif - - XMEMSET(info, 0, sizeof(EncryptedInfo)); - - /* set the cipher name on info */ - XSTRNCPY(info->name, cipher, NAME_SZ-1); - info->name[NAME_SZ-1] = '\0'; /* null term */ - - ret = wc_EncryptedInfoGet(info, info->name); - if (ret != 0) { - WOLFSSL_MSG("unsupported cipher"); - #ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_ENCRYPTEDINFO); - #endif - return WOLFSSL_FAILURE; - } - - /* Generate a random salt */ - if (wolfSSL_RAND_bytes(info->iv, info->ivSz) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("generate iv failed"); -#ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_ENCRYPTEDINFO); -#endif - return WOLFSSL_FAILURE; - } - - /* add the padding before encryption */ - paddingSz = ((*derSz)/info->ivSz + 1) * info->ivSz - (*derSz); - if (paddingSz == 0) - paddingSz = info->ivSz; - XMEMSET(der+(*derSz), (byte)paddingSz, paddingSz); - (*derSz) += paddingSz; - - /* encrypt buffer */ - if (wc_BufferKeyEncrypt(info, der, *derSz, passwd, passwdSz, WC_MD5) != 0) { - WOLFSSL_MSG("encrypt key failed"); -#ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_ENCRYPTEDINFO); -#endif - return WOLFSSL_FAILURE; - } - - /* create cipher info : 'cipher_name,Salt(hex)' */ - cipherInfoSz = (word32)(2*info->ivSz + XSTRLEN(info->name) + 2); - *cipherInfo = (byte*)XMALLOC(cipherInfoSz, NULL, - DYNAMIC_TYPE_STRING); - if (*cipherInfo == NULL) { - WOLFSSL_MSG("malloc failed"); -#ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_ENCRYPTEDINFO); -#endif - return WOLFSSL_FAILURE; - } - XSTRNCPY((char*)*cipherInfo, info->name, cipherInfoSz); - XSTRNCAT((char*)*cipherInfo, ",", 2); - - idx = (word32)XSTRLEN((char*)*cipherInfo); - cipherInfoSz -= idx; - ret = Base16_Encode(info->iv, info->ivSz, *cipherInfo+idx, &cipherInfoSz); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_ENCRYPTEDINFO); -#endif - if (ret != 0) { - WOLFSSL_MSG("Base16_Encode failed"); - XFREE(*cipherInfo, NULL, DYNAMIC_TYPE_STRING); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} -#endif /* WOLFSSL_KEY_GEN || WOLFSSL_PEM_TO_DER */ - -#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) -static int wolfSSL_RSA_To_Der(WOLFSSL_RSA* rsa, byte** outBuf, int publicKey) -{ - int derSz = 0; - int ret; - byte* derBuf; - - WOLFSSL_ENTER("wolfSSL_RSA_To_Der"); - - if (!rsa || (publicKey != 0 && publicKey != 1)) { - WOLFSSL_LEAVE("wolfSSL_RSA_To_Der", BAD_FUNC_ARG); - return BAD_FUNC_ARG; - } - - if (rsa->inSet == 0) { - if ((ret = SetRsaInternal(rsa)) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetRsaInternal() Failed"); - WOLFSSL_LEAVE("wolfSSL_RSA_To_Der", ret); - return ret; - } - } - - if (publicKey) { - if ((derSz = wc_RsaPublicKeyDerSize((RsaKey *)rsa->internal, 1)) < 0) { - WOLFSSL_MSG("wc_RsaPublicKeyDerSize failed"); - WOLFSSL_LEAVE("wolfSSL_RSA_To_Der", derSz); - return derSz; - } - } - else { - if ((derSz = wc_RsaKeyToDer((RsaKey*)rsa->internal, NULL, 0)) < 0) { - WOLFSSL_MSG("wc_RsaKeyToDer failed"); - WOLFSSL_LEAVE("wolfSSL_RSA_To_Der", derSz); - return derSz; - } - } - - if (outBuf) { - if (!(derBuf = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER))) { - WOLFSSL_MSG("malloc failed"); - WOLFSSL_LEAVE("wolfSSL_RSA_To_Der", MEMORY_ERROR); - return MEMORY_ERROR; - } - - /* Key to DER */ - if (publicKey) { - derSz = wc_RsaKeyToPublicDer((RsaKey*)rsa->internal, derBuf, derSz); - } - else { - derSz = wc_RsaKeyToDer((RsaKey*)rsa->internal, derBuf, derSz); - } - - if (derSz < 0) { - WOLFSSL_MSG("wc_RsaKeyToPublicDer failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - } - else { - if (*outBuf) { - XMEMCPY(*outBuf, derBuf, derSz); - XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - } - else { - *outBuf = derBuf; - } - } - } - - WOLFSSL_LEAVE("wolfSSL_RSA_To_Der", derSz); - return derSz; -} -#endif - -#if defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && !defined(NO_RSA) - -/* Takes a WOLFSSL_RSA key and writes it out to a WOLFSSL_BIO - * - * bio the WOLFSSL_BIO to write to - * key the WOLFSSL_RSA key to write out - * cipher cipher used - * passwd password string if used - * len length of password string - * cb password callback to use - * arg null terminated string for passphrase - */ -int wolfSSL_PEM_write_bio_RSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_RSA* key, - const WOLFSSL_EVP_CIPHER* cipher, - unsigned char* passwd, int len, - pem_password_cb* cb, void* arg) -{ - int ret; - WOLFSSL_EVP_PKEY* pkey; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_RSAPrivateKey"); - - if (bio == NULL || key == NULL) { - WOLFSSL_MSG("Bad Function Arguments"); - return WOLFSSL_FAILURE; - } - - pkey = wolfSSL_EVP_PKEY_new_ex(bio->heap); - if (pkey == NULL) { - WOLFSSL_MSG("wolfSSL_EVP_PKEY_new_ex failed"); - return WOLFSSL_FAILURE; - } - - pkey->type = EVP_PKEY_RSA; - pkey->rsa = key; - pkey->ownRsa = 0; -#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) - /* similar to how wolfSSL_PEM_write_mem_RSAPrivateKey finds DER of key */ - { - int derSz; - byte* derBuf = NULL; - - if ((derSz = wolfSSL_RSA_To_Der(key, &derBuf, 0)) < 0) { - WOLFSSL_MSG("wolfSSL_RSA_To_Der failed"); - return WOLFSSL_FAILURE; - } - - pkey->pkey.ptr = (char*)XMALLOC(derSz, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (pkey->pkey.ptr == NULL) { - WOLFSSL_MSG("key malloc failed"); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - pkey->pkey_sz = derSz; - XMEMCPY(pkey->pkey.ptr, derBuf, derSz); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - } -#endif - - ret = wolfSSL_PEM_write_bio_PrivateKey(bio, pkey, cipher, passwd, len, - cb, arg); - - wolfSSL_EVP_PKEY_free(pkey); - - return ret; -} - -#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) -/* Takes an RSA public key and writes it out to a WOLFSSL_BIO - * Returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE - */ -int wolfSSL_PEM_write_bio_RSA_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa) -{ - int ret = 0, derSz = 0; - byte *derBuf = NULL; - WOLFSSL_EVP_PKEY* pkey = NULL; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_RSA_PUBKEY"); - - if (bio == NULL || rsa == NULL) { - WOLFSSL_MSG("Bad Function Arguments"); - return WOLFSSL_FAILURE; - } - - /* Initialize pkey structure */ - pkey = wolfSSL_EVP_PKEY_new_ex(bio->heap); - if (pkey == NULL) { - WOLFSSL_MSG("wolfSSL_EVP_PKEY_new_ex failed"); - return WOLFSSL_FAILURE; - } - - pkey->type = EVP_PKEY_RSA; - pkey->rsa = rsa; - pkey->ownRsa = 0; - - if ((derSz = wolfSSL_RSA_To_Der(rsa, &derBuf, 1)) < 0) { - WOLFSSL_MSG("wolfSSL_RSA_To_Der failed"); - return WOLFSSL_FAILURE; - } - - pkey->pkey.ptr = (char*)XMALLOC(derSz, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - if (pkey->pkey.ptr == NULL) { - WOLFSSL_MSG("key malloc failed"); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - pkey->pkey_sz = derSz; - XMEMCPY(pkey->pkey.ptr, derBuf, derSz); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - ret = wolfSSL_PEM_write_bio_PUBKEY(bio, pkey); - wolfSSL_EVP_PKEY_free(pkey); - - return ret; -} -#endif - - -/* Reads an RSA public key from a WOLFSSL_BIO into a WOLFSSL_RSA - * Returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE - */ -WOLFSSL_RSA *wolfSSL_PEM_read_bio_RSA_PUBKEY(WOLFSSL_BIO* bio,WOLFSSL_RSA** rsa, - pem_password_cb* cb, void *pass) -{ - WOLFSSL_EVP_PKEY* pkey; - WOLFSSL_RSA* local; - - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_RSA_PUBKEY"); - - pkey = wolfSSL_PEM_read_bio_PUBKEY(bio, NULL, cb, pass); - if (pkey == NULL) { - return NULL; - } - - /* Since the WOLFSSL_RSA structure is being taken from WOLFSSL_EVP_PKEY the - * flag indicating that the WOLFSSL_RSA structure is owned should be FALSE - * to avoid having it free'd */ - pkey->ownRsa = 0; - local = pkey->rsa; - if (rsa != NULL){ - *rsa = local; - } - - wolfSSL_EVP_PKEY_free(pkey); - return local; -} - -#endif /* defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) && !defined(NO_RSA) */ - -/* Takes a public key and writes it out to a WOLFSSL_BIO - * Returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE - */ -int wolfSSL_PEM_write_bio_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key) -{ - byte* keyDer; - int pemSz; - int ret; - byte* tmp; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_PUBKEY"); - - if (bio == NULL || key == NULL) { - return WOLFSSL_FAILURE; - } - - keyDer = (byte*)key->pkey.ptr; - - pemSz = wc_DerToPem(keyDer, key->pkey_sz, NULL, 0, PUBLICKEY_TYPE); - if (pemSz < 0) { - WOLFSSL_LEAVE("wolfSSL_PEM_write_bio_PUBKEY", pemSz); - return WOLFSSL_FAILURE; - } - tmp = (byte*)XMALLOC(pemSz, bio->heap, DYNAMIC_TYPE_OPENSSL); - if (tmp == NULL) { - return MEMORY_E; - } - - ret = wc_DerToPemEx(keyDer, key->pkey_sz, tmp, pemSz, - NULL, PUBLICKEY_TYPE); - if (ret < 0) { - WOLFSSL_LEAVE("wolfSSL_PEM_write_bio_PUBKEY", ret); - XFREE(tmp, bio->heap, DYNAMIC_TYPE_OPENSSL); - return WOLFSSL_FAILURE; - } - - ret = wolfSSL_BIO_write(bio, tmp, pemSz); - XFREE(tmp, bio->heap, DYNAMIC_TYPE_OPENSSL); - if (ret != pemSz) { - WOLFSSL_MSG("Unable to write full PEM to BIO"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -/* Takes a private key and writes it out to a WOLFSSL_BIO - * Returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE - */ -int wolfSSL_PEM_write_bio_PrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY* key, - const WOLFSSL_EVP_CIPHER* cipher, - unsigned char* passwd, int len, - pem_password_cb* cb, void* arg) -{ - byte* keyDer; - int pemSz; - int type; - int ret; - byte* tmp; - - (void)cipher; - (void)passwd; - (void)len; - (void)cb; - (void)arg; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_PrivateKey"); - - if (bio == NULL || key == NULL) { - WOLFSSL_MSG("Bad Function Arguments"); - return WOLFSSL_FAILURE; - } - - keyDer = (byte*)key->pkey.ptr; - - switch (key->type) { -#ifndef NO_RSA - case EVP_PKEY_RSA: - type = PRIVATEKEY_TYPE; - break; -#endif - -#ifndef NO_DSA - case EVP_PKEY_DSA: - type = DSA_PRIVATEKEY_TYPE; - break; -#endif - -#ifdef HAVE_ECC - case EVP_PKEY_EC: - type = ECC_PRIVATEKEY_TYPE; - break; -#endif - -#if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) - case EVP_PKEY_DH: - type = DH_PRIVATEKEY_TYPE; - break; -#endif - - default: - WOLFSSL_MSG("Unknown Key type!"); - type = PRIVATEKEY_TYPE; - } - - pemSz = wc_DerToPem(keyDer, key->pkey_sz, NULL, 0, type); - if (pemSz < 0) { - WOLFSSL_LEAVE("wolfSSL_PEM_write_bio_PrivateKey", pemSz); - return WOLFSSL_FAILURE; - } - tmp = (byte*)XMALLOC(pemSz, bio->heap, DYNAMIC_TYPE_OPENSSL); - if (tmp == NULL) { - return MEMORY_E; - } - - ret = wc_DerToPemEx(keyDer, key->pkey_sz, tmp, pemSz, - NULL, type); - if (ret < 0) { - WOLFSSL_LEAVE("wolfSSL_PEM_write_bio_PrivateKey", ret); - XFREE(tmp, bio->heap, DYNAMIC_TYPE_OPENSSL); - return WOLFSSL_FAILURE; - } - - ret = wolfSSL_BIO_write(bio, tmp, pemSz); - XFREE(tmp, bio->heap, DYNAMIC_TYPE_OPENSSL); - if (ret != pemSz) { - WOLFSSL_MSG("Unable to write full PEM to BIO"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} -#endif /* defined(WOLFSSL_KEY_GEN) || defined(WOLFSSL_CERT_GEN) */ - -#if (defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA)) && \ - (defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM)) - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, - unsigned char* passwd, int passwdSz, - unsigned char **pem, int *plen) -{ - byte *derBuf = NULL, *tmp, *cipherInfo = NULL; - int derSz = 0; - const int type = PRIVATEKEY_TYPE; - const char* header = NULL; - const char* footer = NULL; - - WOLFSSL_ENTER("wolfSSL_PEM_write_mem_RSAPrivateKey"); - - if (pem == NULL || plen == NULL || rsa == NULL || rsa->internal == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FAILURE; - } - - if (wc_PemGetHeaderFooter(type, &header, &footer) != 0) - return WOLFSSL_FAILURE; - - if (rsa->inSet == 0) { - WOLFSSL_MSG("No RSA internal set, do it"); - - if (SetRsaInternal(rsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetRsaInternal failed"); - return WOLFSSL_FAILURE; - } - } - - if ((derSz = wolfSSL_RSA_To_Der(rsa, &derBuf, 0)) < 0) { - WOLFSSL_MSG("wolfSSL_RSA_To_Der failed"); - return WOLFSSL_FAILURE; - } - - /* encrypt DER buffer if required */ - if (passwd != NULL && passwdSz > 0 && cipher != NULL) { - int ret; - - ret = EncryptDerKey(derBuf, &derSz, cipher, - passwd, passwdSz, &cipherInfo); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("EncryptDerKey failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - return ret; - } - - /* tmp buffer with a max size */ - *plen = (derSz * 2) + (int)XSTRLEN(header) + 1 + - (int)XSTRLEN(footer) + 1 + HEADER_ENCRYPTED_KEY_SIZE; - } - else { - /* tmp buffer with a max size */ - *plen = (derSz * 2) + (int)XSTRLEN(header) + 1 + - (int)XSTRLEN(footer) + 1; - } - - tmp = (byte*)XMALLOC(*plen, NULL, DYNAMIC_TYPE_PEM); - if (tmp == NULL) { - WOLFSSL_MSG("malloc failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - if (cipherInfo != NULL) - XFREE(cipherInfo, NULL, DYNAMIC_TYPE_STRING); - return WOLFSSL_FAILURE; - } - - /* DER to PEM */ - *plen = wc_DerToPemEx(derBuf, derSz, tmp, *plen, cipherInfo, type); - if (*plen <= 0) { - WOLFSSL_MSG("wc_DerToPemEx failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - if (cipherInfo != NULL) - XFREE(cipherInfo, NULL, DYNAMIC_TYPE_STRING); - return WOLFSSL_FAILURE; - } - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - if (cipherInfo != NULL) - XFREE(cipherInfo, NULL, DYNAMIC_TYPE_STRING); - - *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_KEY); - if (*pem == NULL) { - WOLFSSL_MSG("malloc failed"); - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - return WOLFSSL_FAILURE; - } - XMEMSET(*pem, 0, (*plen)+1); - - if (XMEMCPY(*pem, tmp, *plen) == NULL) { - WOLFSSL_MSG("XMEMCPY failed"); - XFREE(pem, NULL, DYNAMIC_TYPE_KEY); - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - return WOLFSSL_FAILURE; - } - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - - return WOLFSSL_SUCCESS; -} - - -#ifndef NO_FILESYSTEM -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_PEM_write_RSAPrivateKey(XFILE fp, WOLFSSL_RSA *rsa, - const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - byte *pem; - int plen, ret; - - (void)cb; - (void)u; - - WOLFSSL_MSG("wolfSSL_PEM_write_RSAPrivateKey"); - - if (fp == XBADFILE || rsa == NULL || rsa->internal == NULL) - { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FAILURE; - } - - ret = wolfSSL_PEM_write_mem_RSAPrivateKey(rsa, enc, kstr, klen, &pem, &plen); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("wolfSSL_PEM_write_mem_RSAPrivateKey failed"); - return WOLFSSL_FAILURE; - } - - ret = (int)XFWRITE(pem, plen, 1, fp); - if (ret != 1) { - WOLFSSL_MSG("RSA private key file write failed"); - return WOLFSSL_FAILURE; - } - - XFREE(pem, NULL, DYNAMIC_TYPE_KEY); - return WOLFSSL_SUCCESS; -} -#endif /* NO_FILESYSTEM */ -#endif /* WOLFSSL_KEY_GEN && !NO_RSA && !HAVE_USER_RSA && WOLFSSL_PEM_TO_DER */ - - -#ifdef HAVE_ECC - -#ifdef ALT_ECC_SIZE -static int SetIndividualInternalEcc(WOLFSSL_BIGNUM* bn, mp_int* mpi) -{ - WOLFSSL_MSG("Entering SetIndividualInternal"); - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - if (mpi == NULL) { - WOLFSSL_MSG("mpi NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - if (mp_copy((mp_int*)bn->internal, mpi) != MP_OKAY) { - WOLFSSL_MSG("mp_copy error"); - return WOLFSSL_FATAL_ERROR; - } - - return WOLFSSL_SUCCESS; -} -#endif /* ALT_ECC_SIZE */ - -/* EC_POINT Openssl -> WolfSSL */ -static int SetECPointInternal(WOLFSSL_EC_POINT *p) -{ - ecc_point* point; - WOLFSSL_ENTER("SetECPointInternal"); - - if (p == NULL || p->internal == NULL) { - WOLFSSL_MSG("ECPoint NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - point = (ecc_point*)p->internal; - -#ifndef ALT_ECC_SIZE - if (p->X != NULL && SetIndividualInternal(p->X, point->x) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ecc point X error"); - return WOLFSSL_FATAL_ERROR; - } - - if (p->Y != NULL && SetIndividualInternal(p->Y, point->y) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ecc point Y error"); - return WOLFSSL_FATAL_ERROR; - } - - if (p->Z != NULL && SetIndividualInternal(p->Z, point->z) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ecc point Z error"); - return WOLFSSL_FATAL_ERROR; - } -#else - if (p->X != NULL && SetIndividualInternalEcc(p->X, point->x) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ecc point X error"); - return WOLFSSL_FATAL_ERROR; - } - - if (p->Y != NULL && SetIndividualInternalEcc(p->Y, point->y) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ecc point Y error"); - return WOLFSSL_FATAL_ERROR; - } - - if (p->Z != NULL && SetIndividualInternalEcc(p->Z, point->z) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ecc point Z error"); - return WOLFSSL_FATAL_ERROR; - } -#endif - - p->inSet = 1; - - return WOLFSSL_SUCCESS; -} - -/* EC_POINT WolfSSL -> OpenSSL */ -static int SetECPointExternal(WOLFSSL_EC_POINT *p) -{ - ecc_point* point; - - WOLFSSL_ENTER("SetECPointExternal"); - - if (p == NULL || p->internal == NULL) { - WOLFSSL_MSG("ECPoint NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - point = (ecc_point*)p->internal; - - if (SetIndividualExternal(&p->X, point->x) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ecc point X error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&p->Y, point->y) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ecc point Y error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&p->Z, point->z) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ecc point Z error"); - return WOLFSSL_FATAL_ERROR; - } - - p->exSet = 1; - - return WOLFSSL_SUCCESS; -} - - -/* EC_KEY wolfSSL -> OpenSSL */ -int SetECKeyExternal(WOLFSSL_EC_KEY* eckey) -{ - ecc_key* key; - - WOLFSSL_ENTER("SetECKeyExternal"); - - if (eckey == NULL || eckey->internal == NULL) { - WOLFSSL_MSG("ec key NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - key = (ecc_key*)eckey->internal; - - /* set group (OID, nid and idx) */ - eckey->group->curve_oid = ecc_sets[key->idx].oidSum; - eckey->group->curve_nid = ecc_sets[key->idx].id; - eckey->group->curve_idx = key->idx; - - if (eckey->pub_key->internal != NULL) { - /* set the internal public key */ - if (wc_ecc_copy_point(&key->pubkey, - (ecc_point*)eckey->pub_key->internal) != MP_OKAY) { - WOLFSSL_MSG("SetECKeyExternal ecc_copy_point failed"); - return WOLFSSL_FATAL_ERROR; - } - - /* set the external pubkey (point) */ - if (SetECPointExternal(eckey->pub_key) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECKeyExternal SetECPointExternal failed"); - return WOLFSSL_FATAL_ERROR; - } - } - - /* set the external privkey */ - if (key->type == ECC_PRIVATEKEY) { - if (SetIndividualExternal(&eckey->priv_key, &key->k) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ec priv key error"); - return WOLFSSL_FATAL_ERROR; - } - } - - eckey->exSet = 1; - - return WOLFSSL_SUCCESS; -} - -/* EC_KEY Openssl -> WolfSSL */ -int SetECKeyInternal(WOLFSSL_EC_KEY* eckey) -{ - ecc_key* key; - - WOLFSSL_ENTER("SetECKeyInternal"); - - if (eckey == NULL || eckey->internal == NULL || eckey->group == NULL) { - WOLFSSL_MSG("ec key NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - key = (ecc_key*)eckey->internal; - - /* validate group */ - if ((eckey->group->curve_idx < 0) || - (wc_ecc_is_valid_idx(eckey->group->curve_idx) == 0)) { - WOLFSSL_MSG("invalid curve idx"); - return WOLFSSL_FATAL_ERROR; - } - - /* set group (idx of curve and corresponding domain parameters) */ - key->idx = eckey->group->curve_idx; - key->dp = &ecc_sets[key->idx]; - - /* set pubkey (point) */ - if (eckey->pub_key != NULL) { - if (SetECPointInternal(eckey->pub_key) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ec key pub error"); - return WOLFSSL_FATAL_ERROR; - } - - /* copy over the public point to key */ - if (wc_ecc_copy_point((ecc_point*)eckey->pub_key->internal, &key->pubkey) != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_copy_point error"); - return WOLFSSL_FATAL_ERROR; - } - - /* public key */ - key->type = ECC_PUBLICKEY; - } - - /* set privkey */ - if (eckey->priv_key != NULL) { - if (SetIndividualInternal(eckey->priv_key, &key->k) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ec key priv error"); - return WOLFSSL_FATAL_ERROR; - } - - /* private key */ - key->type = ECC_PRIVATEKEY; - } - - eckey->inSet = 1; - - return WOLFSSL_SUCCESS; -} - -WOLFSSL_EC_POINT *wolfSSL_EC_KEY_get0_public_key(const WOLFSSL_EC_KEY *key) -{ - WOLFSSL_ENTER("wolfSSL_EC_KEY_get0_public_key"); - - if (key == NULL) { - WOLFSSL_MSG("wolfSSL_EC_KEY_get0_public_key Bad arguments"); - return NULL; - } - - return key->pub_key; -} - -const WOLFSSL_EC_GROUP *wolfSSL_EC_KEY_get0_group(const WOLFSSL_EC_KEY *key) -{ - WOLFSSL_ENTER("wolfSSL_EC_KEY_get0_group"); - - if (key == NULL) { - WOLFSSL_MSG("wolfSSL_EC_KEY_get0_group Bad arguments"); - return NULL; - } - - return key->group; -} - - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_EC_KEY_set_private_key(WOLFSSL_EC_KEY *key, - const WOLFSSL_BIGNUM *priv_key) -{ - WOLFSSL_ENTER("wolfSSL_EC_KEY_set_private_key"); - - if (key == NULL || priv_key == NULL) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - - /* free key if previously set */ - if (key->priv_key != NULL) - wolfSSL_BN_free(key->priv_key); - - key->priv_key = wolfSSL_BN_dup(priv_key); - if (key->priv_key == NULL) { - WOLFSSL_MSG("key ecc priv key NULL"); - return WOLFSSL_FAILURE; - } - - if (SetECKeyInternal(key) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECKeyInternal failed"); - wolfSSL_BN_free(key->priv_key); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - - -WOLFSSL_BIGNUM *wolfSSL_EC_KEY_get0_private_key(const WOLFSSL_EC_KEY *key) -{ - WOLFSSL_ENTER("wolfSSL_EC_KEY_get0_private_key"); - - if (key == NULL) { - WOLFSSL_MSG("wolfSSL_EC_KEY_get0_private_key Bad arguments"); - return NULL; - } - - if (wolfSSL_BN_is_zero(key->priv_key)) { - /* return NULL if not set */ - return NULL; - } - - return key->priv_key; -} - -WOLFSSL_EC_KEY *wolfSSL_EC_KEY_new_by_curve_name(int nid) -{ - WOLFSSL_EC_KEY *key; - int x; - int eccEnum; - - WOLFSSL_ENTER("wolfSSL_EC_KEY_new_by_curve_name"); - - /* If NID passed in is OpenSSL type, convert it to ecc_curve_id enum */ - eccEnum = NIDToEccEnum(nid); - if (eccEnum == -1) - eccEnum = nid; - - key = wolfSSL_EC_KEY_new(); - if (key == NULL) { - WOLFSSL_MSG("wolfSSL_EC_KEY_new failure"); - return NULL; - } - - /* set the nid of the curve */ - key->group->curve_nid = eccEnum; - - /* search and set the corresponding internal curve idx */ - for (x = 0; ecc_sets[x].size != 0; x++) - if (ecc_sets[x].id == key->group->curve_nid) { - key->group->curve_idx = x; - key->group->curve_oid = ecc_sets[x].oidSum; - break; - } - - return key; -} - -const char* wolfSSL_EC_curve_nid2nist(int nid) -{ - const WOLF_EC_NIST_NAME* nist_name; - for (nist_name = kNistCurves; nist_name->name != NULL; nist_name++) { - if (nist_name->nid == nid) { - return kNistCurves->name; - } - } - return NULL; -} - -#ifdef WOLFSSL_TLS13 -static int populate_groups(int* groups, int max_count, char *list) -{ - char *end; - int len; - int count = 0; - const WOLF_EC_NIST_NAME* nist_name; - - if (!groups || !list) { - return -1; - } - - for (end = list; ; list = ++end) { - if (count > max_count) { - WOLFSSL_MSG("Too many curves in list"); - return -1; - } - while (*end != ':' && *end != '\0') end++; - len = (int)(end - list); /* end points to char after end - * of curve name so no need for -1 */ - if ((len < kNistCurves_MIN_NAME_LEN) || - (len > kNistCurves_MAX_NAME_LEN)) { - WOLFSSL_MSG("Unrecognized curve name in list"); - return -1; - } - for (nist_name = kNistCurves; nist_name->name != NULL; nist_name++) { - if (len == nist_name->name_len && - XSTRNCMP(list, nist_name->name, nist_name->name_len) == 0) { - break; - } - } - if (!nist_name->name) { - WOLFSSL_MSG("Unrecognized curve name in list"); - return -1; - } - groups[count++] = nist_name->nid; - if (*end == '\0') break; - } - - return count; -} - -int wolfSSL_CTX_set1_groups_list(WOLFSSL_CTX *ctx, char *list) -{ - int groups[WOLFSSL_MAX_GROUP_COUNT]; - int count; - - if (!ctx || !list) { - return WOLFSSL_FAILURE; - } - - if ((count = populate_groups(groups, - WOLFSSL_MAX_GROUP_COUNT, list)) == -1) { - return WOLFSSL_FAILURE; - } - - return wolfSSL_CTX_set_groups(ctx, groups, count) == WOLFSSL_SUCCESS ? - WOLFSSL_SUCCESS : WOLFSSL_FAILURE; -} - -int wolfSSL_set1_groups_list(WOLFSSL *ssl, char *list) -{ - int groups[WOLFSSL_MAX_GROUP_COUNT]; - int count; - - if (!ssl || !list) { - return WOLFSSL_FAILURE; - } - - if ((count = populate_groups(groups, - WOLFSSL_MAX_GROUP_COUNT, list)) == -1) { - return WOLFSSL_FAILURE; - } - - return wolfSSL_set_groups(ssl, groups, count) == WOLFSSL_SUCCESS ? - WOLFSSL_SUCCESS : WOLFSSL_FAILURE; -} -#endif /* WOLFSSL_TLS13 */ - -static void InitwolfSSL_ECKey(WOLFSSL_EC_KEY* key) -{ - if (key) { - key->group = NULL; - key->pub_key = NULL; - key->priv_key = NULL; - key->internal = NULL; - key->inSet = 0; - key->exSet = 0; - } -} - -WOLFSSL_EC_KEY *wolfSSL_EC_KEY_new(void) -{ - WOLFSSL_EC_KEY *external; - WOLFSSL_ENTER("wolfSSL_EC_KEY_new"); - - external = (WOLFSSL_EC_KEY*)XMALLOC(sizeof(WOLFSSL_EC_KEY), NULL, - DYNAMIC_TYPE_ECC); - if (external == NULL) { - WOLFSSL_MSG("wolfSSL_EC_KEY_new malloc WOLFSSL_EC_KEY failure"); - return NULL; - } - XMEMSET(external, 0, sizeof(WOLFSSL_EC_KEY)); - - InitwolfSSL_ECKey(external); - - external->internal = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, - DYNAMIC_TYPE_ECC); - if (external->internal == NULL) { - WOLFSSL_MSG("wolfSSL_EC_KEY_new malloc ecc key failure"); - goto error; - } - XMEMSET(external->internal, 0, sizeof(ecc_key)); - - if (wc_ecc_init((ecc_key*)external->internal) != 0) { - WOLFSSL_MSG("wolfSSL_EC_KEY_new init ecc key failure"); - goto error; - } - - /* curve group */ - external->group = wolfSSL_EC_GROUP_new_by_curve_name(ECC_CURVE_DEF); - if (external->group == NULL) { - WOLFSSL_MSG("wolfSSL_EC_KEY_new malloc WOLFSSL_EC_GROUP failure"); - goto error; - } - - /* public key */ - external->pub_key = wolfSSL_EC_POINT_new(external->group); - if (external->pub_key == NULL) { - WOLFSSL_MSG("wolfSSL_EC_POINT_new failure"); - goto error; - } - - /* private key */ - external->priv_key = wolfSSL_BN_new(); - if (external->priv_key == NULL) { - WOLFSSL_MSG("wolfSSL_BN_new failure"); - goto error; - } - - return external; -error: - wolfSSL_EC_KEY_free(external); - return NULL; -} - -void wolfSSL_EC_KEY_free(WOLFSSL_EC_KEY *key) -{ - WOLFSSL_ENTER("wolfSSL_EC_KEY_free"); - - if (key != NULL) { - if (key->internal != NULL) { - wc_ecc_free((ecc_key*)key->internal); - XFREE(key->internal, NULL, DYNAMIC_TYPE_ECC); - } - wolfSSL_BN_free(key->priv_key); - wolfSSL_EC_POINT_free(key->pub_key); - wolfSSL_EC_GROUP_free(key->group); - InitwolfSSL_ECKey(key); /* set back to NULLs for safety */ - - XFREE(key, NULL, DYNAMIC_TYPE_ECC); - /* key = NULL, don't try to access or double free it */ - } -} - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_EC_KEY_set_group(WOLFSSL_EC_KEY *key, WOLFSSL_EC_GROUP *group) -{ - (void)key; - (void)group; - - WOLFSSL_ENTER("wolfSSL_EC_KEY_set_group"); - WOLFSSL_STUB("EC_KEY_set_group"); - - return -1; -} -#endif - -int wolfSSL_EC_KEY_generate_key(WOLFSSL_EC_KEY *key) -{ - int initTmpRng = 0; - WC_RNG* rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG = NULL; -#else - WC_RNG tmpRNG[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_EC_KEY_generate_key"); - - if (key == NULL || key->internal == NULL || - key->group == NULL || key->group->curve_idx < 0) { - WOLFSSL_MSG("wolfSSL_EC_KEY_generate_key Bad arguments"); - return 0; - } - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return 0; -#endif - - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng == NULL) { - WOLFSSL_MSG("wolfSSL_EC_KEY_generate_key failed to set RNG"); -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - return 0; - } - - if (wc_ecc_make_key_ex(rng, 0, (ecc_key*)key->internal, - key->group->curve_nid) != MP_OKAY) { - WOLFSSL_MSG("wolfSSL_EC_KEY_generate_key wc_ecc_make_key failed"); -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - return 0; - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - if (SetECKeyExternal(key) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("wolfSSL_EC_KEY_generate_key SetECKeyExternal failed"); - return 0; - } - - return 1; -} - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_EC_KEY_set_asn1_flag(WOLFSSL_EC_KEY *key, int asn1_flag) -{ - (void)key; - (void)asn1_flag; - - WOLFSSL_ENTER("wolfSSL_EC_KEY_set_asn1_flag"); - WOLFSSL_STUB("EC_KEY_set_asn1_flag"); -} -#endif - -static int setupPoint(const WOLFSSL_EC_POINT *p) { - if (!p) { - return WOLFSSL_FAILURE; - } - if (p->inSet == 0) { - WOLFSSL_MSG("No ECPoint internal set, do it"); - - if (SetECPointInternal((WOLFSSL_EC_POINT *)p) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECPointInternal SetECPointInternal failed"); - return WOLFSSL_FAILURE; - } - } - return WOLFSSL_SUCCESS; -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_EC_KEY_set_public_key(WOLFSSL_EC_KEY *key, - const WOLFSSL_EC_POINT *pub) -{ - ecc_point *pub_p, *key_p; - - WOLFSSL_ENTER("wolfSSL_EC_KEY_set_public_key"); - - if (key == NULL || key->internal == NULL || - pub == NULL || pub->internal == NULL) { - WOLFSSL_MSG("wolfSSL_EC_GROUP_get_order Bad arguments"); - return WOLFSSL_FAILURE; - } - - if (key->inSet == 0) { - if (SetECKeyInternal(key) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECKeyInternal failed"); - return WOLFSSL_FAILURE; - } - } - - if (setupPoint(pub) != WOLFSSL_SUCCESS) { - return WOLFSSL_FAILURE; - } - - pub_p = (ecc_point*)pub->internal; - key_p = (ecc_point*)key->pub_key->internal; - - /* create new point if required */ - if (key_p == NULL) - key_p = wc_ecc_new_point(); - - if (key_p == NULL) { - WOLFSSL_MSG("key ecc point NULL"); - return WOLFSSL_FAILURE; - } - - if (wc_ecc_copy_point(pub_p, key_p) != MP_OKAY) { - WOLFSSL_MSG("ecc_copy_point failure"); - return WOLFSSL_FAILURE; - } - - if (SetECPointExternal(key->pub_key) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECKeyInternal failed"); - return WOLFSSL_FAILURE; - } - - if (SetECKeyInternal(key) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECKeyInternal failed"); - return WOLFSSL_FAILURE; - } - - wolfSSL_EC_POINT_dump("pub", pub); - wolfSSL_EC_POINT_dump("key->pub_key", key->pub_key); - - return WOLFSSL_SUCCESS; -} -/* End EC_KEY */ - -int wolfSSL_ECDSA_size(const WOLFSSL_EC_KEY *key) -{ - const EC_GROUP *group; - int bits, bytes; - word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */ - - if (!key) { - return WOLFSSL_FAILURE; - } - - if (!(group = wolfSSL_EC_KEY_get0_group(key))) { - return WOLFSSL_FAILURE; - } - if ((bits = wolfSSL_EC_GROUP_order_bits(group)) == 0) { - return WOLFSSL_FAILURE; - } - bytes = (bits + 7) / 8; /* bytes needed to hold bits */ - return headerSz + - 2 + /* possible leading zeroes in r and s */ - bytes + bytes + /* r and s */ - 2; -} - -int wolfSSL_ECDSA_sign(int type, const unsigned char *digest, - int digestSz, unsigned char *sig, - unsigned int *sigSz, WOLFSSL_EC_KEY *key) -{ - int ret = WOLFSSL_SUCCESS; - WC_RNG* rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG = NULL; -#else - WC_RNG tmpRNG[1]; -#endif - int initTmpRng = 0; - - WOLFSSL_ENTER("wolfSSL_ECDSA_sign"); - - if (!key) { - return WOLFSSL_FAILURE; - } - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return WOLFSSL_FAILURE; -#endif - - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) { - WOLFSSL_MSG("Global RNG no Init"); - } - else { - rng = &globalRNG; - } - } - if (rng) { - if (wc_ecc_sign_hash(digest, digestSz, sig, sigSz, rng, (ecc_key*)key->internal) != MP_OKAY) { - ret = WOLFSSL_FAILURE; - } - if (initTmpRng) { - wc_FreeRng(tmpRNG); - } - } else { - ret = WOLFSSL_FAILURE; - } - -#ifdef WOLFSSL_SMALL_STACK - if (tmpRNG) - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - (void)type; - return ret; -} - -#ifndef HAVE_SELFTEST -/* ECC point compression types were not included in selftest ecc.h */ - -char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group, - const WOLFSSL_EC_POINT* point, int form, - WOLFSSL_BN_CTX* ctx) -{ - static const char* hexDigit = "0123456789ABCDEF"; - char* hex = NULL; - int id; - int i, sz, len; - - (void)ctx; - - if (group == NULL || point == NULL) - return NULL; - - id = wc_ecc_get_curve_id(group->curve_idx); - - if ((sz = wc_ecc_get_curve_size_from_id(id)) < 0) - return NULL; - - len = sz + 1; - if (form == POINT_CONVERSION_UNCOMPRESSED) - len += sz; - - hex = (char*)XMALLOC(2 * len + 1, NULL, DYNAMIC_TYPE_ECC); - if (hex == NULL) - return NULL; - XMEMSET(hex, 0, 2 * len + 1); - - /* Put in x-ordinate after format byte. */ - i = sz - mp_unsigned_bin_size((mp_int*)point->X->internal) + 1; - if (mp_to_unsigned_bin((mp_int*)point->X->internal, (byte*)(hex + i)) < 0) { - XFREE(hex, NULL, DYNAMIC_TYPE_ECC); - return NULL; - } - - if (form == POINT_CONVERSION_COMPRESSED) { - hex[0] = mp_isodd((mp_int*)point->Y->internal) ? ECC_POINT_COMP_ODD : - ECC_POINT_COMP_EVEN; - } - else { - hex[0] = ECC_POINT_UNCOMP; - /* Put in y-ordinate after x-ordinate */ - i = 1 + 2 * sz - mp_unsigned_bin_size((mp_int*)point->Y->internal); - if (mp_to_unsigned_bin((mp_int*)point->Y->internal, - (byte*)(hex + i)) < 0) { - XFREE(hex, NULL, DYNAMIC_TYPE_ECC); - return NULL; - } - } - - for (i = len-1; i >= 0; i--) { - byte b = hex[i]; - hex[i * 2 + 1] = hexDigit[b & 0xf]; - hex[i * 2 ] = hexDigit[b >> 4]; - } - - return hex; -} - -#endif /* HAVE_SELFTEST */ - -void wolfSSL_EC_POINT_dump(const char *msg, const WOLFSSL_EC_POINT *p) -{ -#if defined(DEBUG_WOLFSSL) - char *num; - - WOLFSSL_ENTER("wolfSSL_EC_POINT_dump"); - - if (!WOLFSSL_IS_DEBUG_ON() || wolfSSL_GetLoggingCb()) { - return; - } - - if (p == NULL) { - printf("%s = NULL", msg); - return; - } - - printf("%s:\n\tinSet=%d, exSet=%d\n", msg, p->inSet, p->exSet); - num = wolfSSL_BN_bn2hex(p->X); - printf("\tX = %s\n", num); - XFREE(num, NULL, DYNAMIC_TYPE_ECC); - num = wolfSSL_BN_bn2hex(p->Y); - printf("\tY = %s\n", num); - XFREE(num, NULL, DYNAMIC_TYPE_ECC); - num = wolfSSL_BN_bn2hex(p->Z); - printf("\tZ = %s\n", num); - XFREE(num, NULL, DYNAMIC_TYPE_ECC); -#else - (void)msg; - (void)p; -#endif -} - -/* Start EC_GROUP */ - -/* return code compliant with OpenSSL : - * 0 if equal, 1 if not and -1 in case of error - */ -int wolfSSL_EC_GROUP_cmp(const WOLFSSL_EC_GROUP *a, const WOLFSSL_EC_GROUP *b, - WOLFSSL_BN_CTX *ctx) -{ - (void)ctx; - - WOLFSSL_ENTER("wolfSSL_EC_GROUP_cmp"); - - if (a == NULL || b == NULL) { - WOLFSSL_MSG("wolfSSL_EC_GROUP_cmp Bad arguments"); - return WOLFSSL_FATAL_ERROR; - } - - /* ok */ - if ((a->curve_idx == b->curve_idx) && (a->curve_nid == b->curve_nid)) - return 0; - - /* ko */ - return 1; -} - -#endif /* HAVE_ECC */ -#endif /* OPENSSL_EXTRA */ - -#if defined(HAVE_ECC) && (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) -const WOLFSSL_EC_METHOD* wolfSSL_EC_GROUP_method_of( - const WOLFSSL_EC_GROUP *group) -{ - return group; -} - -int wolfSSL_EC_METHOD_get_field_type(const WOLFSSL_EC_METHOD *meth) -{ - if (meth) { - return NID_X9_62_prime_field; - } - return WOLFSSL_FAILURE; -} - -void wolfSSL_EC_GROUP_free(WOLFSSL_EC_GROUP *group) -{ - WOLFSSL_ENTER("wolfSSL_EC_GROUP_free"); - - XFREE(group, NULL, DYNAMIC_TYPE_ECC); - /* group = NULL, don't try to access or double free it */ -} -#endif - -#ifdef OPENSSL_EXTRA -#ifdef HAVE_ECC -#ifndef NO_WOLFSSL_STUB -void wolfSSL_EC_GROUP_set_asn1_flag(WOLFSSL_EC_GROUP *group, int flag) -{ - (void)group; - (void)flag; - - WOLFSSL_ENTER("wolfSSL_EC_GROUP_set_asn1_flag"); - WOLFSSL_STUB("EC_GROUP_set_asn1_flag"); -} -#endif - -WOLFSSL_EC_GROUP *wolfSSL_EC_GROUP_new_by_curve_name(int nid) -{ - WOLFSSL_EC_GROUP *g; - int x; - int eccEnum; - - WOLFSSL_ENTER("wolfSSL_EC_GROUP_new_by_curve_name"); - - /* If NID passed in is OpenSSL type, convert it to ecc_curve_id enum */ - eccEnum = NIDToEccEnum(nid); - if (eccEnum == -1) - eccEnum = nid; - - - /* curve group */ - g = (WOLFSSL_EC_GROUP*) XMALLOC(sizeof(WOLFSSL_EC_GROUP), NULL, - DYNAMIC_TYPE_ECC); - if (g == NULL) { - WOLFSSL_MSG("wolfSSL_EC_GROUP_new_by_curve_name malloc failure"); - return NULL; - } - XMEMSET(g, 0, sizeof(WOLFSSL_EC_GROUP)); - - /* set the nid of the curve */ - g->curve_nid = eccEnum; - - if (eccEnum > ECC_CURVE_DEF) { - /* search and set the corresponding internal curve idx */ - for (x = 0; ecc_sets[x].size != 0; x++) - if (ecc_sets[x].id == g->curve_nid) { - g->curve_idx = x; - g->curve_oid = ecc_sets[x].oidSum; - break; - } - } - - return g; -} - -/* return code compliant with OpenSSL : - * the curve nid if success, 0 if error - */ -int wolfSSL_EC_GROUP_get_curve_name(const WOLFSSL_EC_GROUP *group) -{ - int nid; - WOLFSSL_ENTER("wolfSSL_EC_GROUP_get_curve_name"); - - if (group == NULL) { - WOLFSSL_MSG("wolfSSL_EC_GROUP_get_curve_name Bad arguments"); - return WOLFSSL_FAILURE; - } - - /* If curve_nid is ECC Enum type, return corresponding OpenSSL nid */ - if ((nid = EccEnumToNID(group->curve_nid)) != -1) - return nid; - - return group->curve_nid; -} - -/* return code compliant with OpenSSL : - * the degree of the curve if success, 0 if error - */ -int wolfSSL_EC_GROUP_get_degree(const WOLFSSL_EC_GROUP *group) -{ - int nid; - int tmp; - - WOLFSSL_ENTER("wolfSSL_EC_GROUP_get_degree"); - - if (group == NULL || group->curve_idx < 0) { - WOLFSSL_MSG("wolfSSL_EC_GROUP_get_degree Bad arguments"); - return WOLFSSL_FAILURE; - } - - /* If curve_nid passed in is an ecc_curve_id enum, convert it to the - corresponding OpenSSL NID */ - tmp = EccEnumToNID(group->curve_nid); - if (tmp != -1){ - nid = tmp; - } - else{ - nid = group->curve_nid; - } - - switch(nid) { - case NID_secp112r1: - case NID_secp112r2: - return 112; - case NID_secp128r1: - case NID_secp128r2: - return 128; - case NID_secp160k1: - case NID_secp160r1: - case NID_secp160r2: - case NID_brainpoolP160r1: - return 160; - case NID_secp192k1: - case NID_brainpoolP192r1: - case NID_X9_62_prime192v1: - return 192; - case NID_secp224k1: - case NID_secp224r1: - case NID_brainpoolP224r1: - return 224; - case NID_secp256k1: - case NID_brainpoolP256r1: - case NID_X9_62_prime256v1: - return 256; - case NID_brainpoolP320r1: - return 320; - case NID_secp384r1: - case NID_brainpoolP384r1: - return 384; - case NID_secp521r1: - return 521; - case NID_brainpoolP512r1: - return 512; - default: - return WOLFSSL_FAILURE; - } -} - -/* Converts OpenSSL NID value of ECC curves to the associated enum values in - ecc_curve_id, used by ecc_sets[].*/ -int NIDToEccEnum(int n) -{ - WOLFSSL_ENTER("NIDToEccEnum()"); - - switch(n) { - case NID_X9_62_prime192v1: - return ECC_SECP192R1; - case NID_X9_62_prime192v2: - return ECC_PRIME192V2; - case NID_X9_62_prime192v3: - return ECC_PRIME192V3; - case NID_X9_62_prime239v1: - return ECC_PRIME239V1; - case NID_X9_62_prime239v2: - return ECC_PRIME239V2; - case NID_X9_62_prime239v3: - return ECC_PRIME239V3; - case NID_X9_62_prime256v1: - return ECC_SECP256R1; - case NID_secp112r1: - return ECC_SECP112R1; - case NID_secp112r2: - return ECC_SECP112R2; - case NID_secp128r1: - return ECC_SECP128R1; - case NID_secp128r2: - return ECC_SECP128R2; - case NID_secp160r1: - return ECC_SECP160R1; - case NID_secp160r2: - return ECC_SECP160R2; - case NID_secp224r1: - return ECC_SECP224R1; - case NID_secp384r1: - return ECC_SECP384R1; - case NID_secp521r1: - return ECC_SECP521R1; - case NID_secp160k1: - return ECC_SECP160K1; - case NID_secp192k1: - return ECC_SECP192K1; - case NID_secp224k1: - return ECC_SECP224K1; - case NID_secp256k1: - return ECC_SECP256K1; - case NID_brainpoolP160r1: - return ECC_BRAINPOOLP160R1; - case NID_brainpoolP192r1: - return ECC_BRAINPOOLP192R1; - case NID_brainpoolP224r1: - return ECC_BRAINPOOLP224R1; - case NID_brainpoolP256r1: - return ECC_BRAINPOOLP256R1; - case NID_brainpoolP320r1: - return ECC_BRAINPOOLP320R1; - case NID_brainpoolP384r1: - return ECC_BRAINPOOLP384R1; - case NID_brainpoolP512r1: - return ECC_BRAINPOOLP512R1; - default: - WOLFSSL_MSG("NID not found"); - return -1; - } -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_EC_GROUP_get_order(const WOLFSSL_EC_GROUP *group, - WOLFSSL_BIGNUM *order, WOLFSSL_BN_CTX *ctx) -{ - (void)ctx; - - if (group == NULL || order == NULL || order->internal == NULL) { - WOLFSSL_MSG("wolfSSL_EC_GROUP_get_order NULL error"); - return WOLFSSL_FAILURE; - } - - if (mp_init((mp_int*)order->internal) != MP_OKAY) { - WOLFSSL_MSG("wolfSSL_EC_GROUP_get_order mp_init failure"); - return WOLFSSL_FAILURE; - } - - if (mp_read_radix((mp_int*)order->internal, - ecc_sets[group->curve_idx].order, MP_RADIX_HEX) != MP_OKAY) { - WOLFSSL_MSG("wolfSSL_EC_GROUP_get_order mp_read order failure"); - mp_clear((mp_int*)order->internal); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_EC_GROUP_order_bits(const WOLFSSL_EC_GROUP *group) -{ - int ret; - mp_int order; - - if (group == NULL || group->curve_idx < 0) { - WOLFSSL_MSG("wolfSSL_EC_GROUP_order_bits NULL error"); - return 0; - } - - ret = mp_init(&order); - if (ret == 0) { - ret = mp_read_radix(&order, ecc_sets[group->curve_idx].order, - MP_RADIX_HEX); - if (ret == 0) - ret = mp_count_bits(&order); - mp_clear(&order); - } - - return ret; -} - -/* End EC_GROUP */ - -/* Start EC_POINT */ - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_ECPoint_i2d(const WOLFSSL_EC_GROUP *group, - const WOLFSSL_EC_POINT *p, - unsigned char *out, unsigned int *len) -{ - int err; - - WOLFSSL_ENTER("wolfSSL_ECPoint_i2d"); - - if (group == NULL || p == NULL || len == NULL) { - WOLFSSL_MSG("wolfSSL_ECPoint_i2d NULL error"); - return WOLFSSL_FAILURE; - } - - if (setupPoint(p) != WOLFSSL_SUCCESS) { - return WOLFSSL_FAILURE; - } - - if (out != NULL) { - wolfSSL_EC_POINT_dump("i2d p", p); - } - - err = wc_ecc_export_point_der(group->curve_idx, (ecc_point*)p->internal, - out, len); - if (err != MP_OKAY && !(out == NULL && err == LENGTH_ONLY_E)) { - WOLFSSL_MSG("wolfSSL_ECPoint_i2d wc_ecc_export_point_der failed"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_ECPoint_d2i(unsigned char *in, unsigned int len, - const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *p) -{ - WOLFSSL_ENTER("wolfSSL_ECPoint_d2i"); - - if (group == NULL || p == NULL || p->internal == NULL || in == NULL) { - WOLFSSL_MSG("wolfSSL_ECPoint_d2i NULL error"); - return WOLFSSL_FAILURE; - } - -#ifndef HAVE_SELFTEST - if (wc_ecc_import_point_der_ex(in, len, group->curve_idx, - (ecc_point*)p->internal, 0) != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_import_point_der_ex failed"); - return WOLFSSL_FAILURE; - } -#else - /* ECC_POINT_UNCOMP is not defined CAVP self test so use magic number */ - if (in[0] == 0x04) { - if (wc_ecc_import_point_der(in, len, group->curve_idx, - (ecc_point*)p->internal) != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_import_point_der failed"); - return WOLFSSL_FAILURE; - } - } - else { - WOLFSSL_MSG("Only uncompressed points supported with HAVE_SELFTEST"); - return WOLFSSL_FAILURE; - } -#endif - - /* Set new external point */ - if (SetECPointExternal(p) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECPointExternal failed"); - return WOLFSSL_FAILURE; - } - - wolfSSL_EC_POINT_dump("d2i p", p); - - return WOLFSSL_SUCCESS; -} - -size_t wolfSSL_EC_POINT_point2oct(const WOLFSSL_EC_GROUP *group, - const WOLFSSL_EC_POINT *p, - char form, - byte *buf, size_t len, WOLFSSL_BN_CTX *ctx) -{ - word32 min_len = (word32)len; -#ifndef HAVE_SELFTEST - int compressed = form == POINT_CONVERSION_COMPRESSED ? 1 : 0; -#endif /* !HAVE_SELFTEST */ - - WOLFSSL_ENTER("EC_POINT_point2oct"); - - if (!group || !p) { - return WOLFSSL_FAILURE; - } - - if (setupPoint(p) != WOLFSSL_SUCCESS) { - return WOLFSSL_FAILURE; - } - - if (wolfSSL_EC_POINT_is_at_infinity(group, p)) { - /* encodes to a single 0 octet */ - if (buf != NULL) { - if (len < 1) { - ECerr(EC_F_EC_GFP_SIMPLE_POINT2OCT, EC_R_BUFFER_TOO_SMALL); - return WOLFSSL_FAILURE; - } - buf[0] = 0; - } - return 1; - } - - if (form != POINT_CONVERSION_UNCOMPRESSED -#ifndef HAVE_SELFTEST - && form != POINT_CONVERSION_COMPRESSED -#endif /* !HAVE_SELFTEST */ - ) { - WOLFSSL_MSG("Unsupported curve form"); - return WOLFSSL_FAILURE; - } - -#ifndef HAVE_SELFTEST - if (wc_ecc_export_point_der_ex(group->curve_idx, (ecc_point*)p->internal, - buf, &min_len, compressed) != (buf ? MP_OKAY : LENGTH_ONLY_E)) { - return WOLFSSL_FAILURE; - } -#else - if (wc_ecc_export_point_der(group->curve_idx, (ecc_point*)p->internal, - buf, &min_len) != (buf ? MP_OKAY : LENGTH_ONLY_E)) { - return WOLFSSL_FAILURE; - } -#endif /* !HAVE_SELFTEST */ - - (void)ctx; - - return (size_t)min_len; -} - -int wolfSSL_EC_POINT_oct2point(const WOLFSSL_EC_GROUP *group, - WOLFSSL_EC_POINT *p, const unsigned char *buf, - size_t len, WOLFSSL_BN_CTX *ctx) -{ - WOLFSSL_ENTER("wolfSSL_EC_POINT_oct2point"); - - if (!group || !p) { - return WOLFSSL_FAILURE; - } - - (void)ctx; - - return wolfSSL_ECPoint_d2i((unsigned char*)buf, (unsigned int)len, group, p); -} - -int wolfSSL_i2o_ECPublicKey(const WOLFSSL_EC_KEY *in, unsigned char **out) -{ - size_t len; - unsigned char *tmp = NULL; - char form; - WOLFSSL_ENTER("wolfSSL_i2o_ECPublicKey"); - - if (!in) { - WOLFSSL_MSG("wolfSSL_i2o_ECPublicKey Bad arguments"); - return WOLFSSL_FAILURE; - } - - /* Default to compressed form if not set */ - form = in->form == POINT_CONVERSION_UNCOMPRESSED ? - POINT_CONVERSION_UNCOMPRESSED: - POINT_CONVERSION_COMPRESSED; - - len = wolfSSL_EC_POINT_point2oct(in->group, in->pub_key, form, - NULL, 0, NULL); - - if (len != WOLFSSL_FAILURE && out) { - if (!*out) { - if (!(tmp = (unsigned char*)XMALLOC(len, NULL, - DYNAMIC_TYPE_OPENSSL))) { - WOLFSSL_MSG("malloc failed"); - return WOLFSSL_FAILURE; - } - *out = tmp; - } - - if (wolfSSL_EC_POINT_point2oct(in->group, in->pub_key, form, *out, - len, NULL) == WOLFSSL_FAILURE) { - if (tmp) { - XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); - *out = NULL; - } - return WOLFSSL_FAILURE; - } - - if (!tmp) { - /* Move buffer forward if it was not alloced in this function */ - *out += len; - } - } - - return (int)len; -} - -void wolfSSL_EC_KEY_set_conv_form(WOLFSSL_EC_KEY *eckey, char form) -{ - if (eckey && (form == POINT_CONVERSION_COMPRESSED || - form == POINT_CONVERSION_UNCOMPRESSED)) { - eckey->form = form; - } -} - - -/* wolfSSL_EC_POINT_point2bn should return "in" if not null */ -WOLFSSL_BIGNUM *wolfSSL_EC_POINT_point2bn(const WOLFSSL_EC_GROUP *group, - const WOLFSSL_EC_POINT *p, - char form, - WOLFSSL_BIGNUM *in, WOLFSSL_BN_CTX *ctx) -{ - size_t len; - byte *buf; - WOLFSSL_BIGNUM *ret = NULL; - - WOLFSSL_ENTER("wolfSSL_EC_POINT_oct2point"); - - if (!group || !p) { - return NULL; - } - - if ((len = wolfSSL_EC_POINT_point2oct(group, p, form, - NULL, 0, ctx)) == WOLFSSL_FAILURE) { - return NULL; - } - - if (!(buf = (byte*)XMALLOC(len, NULL, DYNAMIC_TYPE_TMP_BUFFER))) { - WOLFSSL_MSG("malloc failed"); - return NULL; - } - - if (wolfSSL_EC_POINT_point2oct(group, p, form, - buf, len, ctx) == len) { - ret = wolfSSL_BN_bin2bn(buf, (int)len, in); - } - - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - return ret; -} - -WOLFSSL_EC_POINT *wolfSSL_EC_POINT_new(const WOLFSSL_EC_GROUP *group) -{ - WOLFSSL_EC_POINT *p; - - WOLFSSL_ENTER("wolfSSL_EC_POINT_new"); - - if (group == NULL) { - WOLFSSL_MSG("wolfSSL_EC_POINT_new NULL error"); - return NULL; - } - - p = (WOLFSSL_EC_POINT *)XMALLOC(sizeof(WOLFSSL_EC_POINT), NULL, - DYNAMIC_TYPE_ECC); - if (p == NULL) { - WOLFSSL_MSG("wolfSSL_EC_POINT_new malloc ecc point failure"); - return NULL; - } - XMEMSET(p, 0, sizeof(WOLFSSL_EC_POINT)); - - p->internal = wc_ecc_new_point(); - if (p->internal == NULL) { - WOLFSSL_MSG("ecc_new_point failure"); - XFREE(p, NULL, DYNAMIC_TYPE_ECC); - return NULL; - } - - return p; -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_EC_POINT_get_affine_coordinates_GFp(const WOLFSSL_EC_GROUP *group, - const WOLFSSL_EC_POINT *point, - WOLFSSL_BIGNUM *x, - WOLFSSL_BIGNUM *y, - WOLFSSL_BN_CTX *ctx) -{ - mp_digit mp; - mp_int modulus; - (void)ctx; - - WOLFSSL_ENTER("wolfSSL_EC_POINT_get_affine_coordinates_GFp"); - - if (group == NULL || point == NULL || point->internal == NULL || - x == NULL || y == NULL || wolfSSL_EC_POINT_is_at_infinity(group, point)) { - WOLFSSL_MSG("wolfSSL_EC_POINT_get_affine_coordinates_GFp NULL error"); - return WOLFSSL_FAILURE; - } - - if (setupPoint(point) != WOLFSSL_SUCCESS) { - return WOLFSSL_FAILURE; - } - - if (!wolfSSL_BN_is_one(point->Z)) { - if (mp_init(&modulus) != MP_OKAY) { - WOLFSSL_MSG("mp_init failed"); - return WOLFSSL_FAILURE; - } - /* Map the Jacobian point back to affine space */ - if (mp_read_radix(&modulus, ecc_sets[group->curve_idx].prime, MP_RADIX_HEX) != MP_OKAY) { - WOLFSSL_MSG("mp_read_radix failed"); - mp_clear(&modulus); - return WOLFSSL_FAILURE; - } - if (mp_montgomery_setup(&modulus, &mp) != MP_OKAY) { - WOLFSSL_MSG("mp_montgomery_setup failed"); - mp_clear(&modulus); - return WOLFSSL_FAILURE; - } - if (ecc_map((ecc_point*)point->internal, &modulus, mp) != MP_OKAY) { - WOLFSSL_MSG("ecc_map failed"); - mp_clear(&modulus); - return WOLFSSL_FAILURE; - } - if (SetECPointExternal((WOLFSSL_EC_POINT *)point) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECPointExternal failed"); - mp_clear(&modulus); - return WOLFSSL_FAILURE; - } - } - - BN_copy(x, point->X); - BN_copy(y, point->Y); - mp_clear(&modulus); - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_EC_POINT_set_affine_coordinates_GFp(const WOLFSSL_EC_GROUP *group, - WOLFSSL_EC_POINT *point, - const WOLFSSL_BIGNUM *x, - const WOLFSSL_BIGNUM *y, - WOLFSSL_BN_CTX *ctx) -{ - (void)ctx; - WOLFSSL_ENTER("wolfSSL_EC_POINT_set_affine_coordinates_GFp"); - - if (group == NULL || point == NULL || point->internal == NULL || - x == NULL || y == NULL) { - WOLFSSL_MSG("wolfSSL_EC_POINT_set_affine_coordinates_GFp NULL error"); - return WOLFSSL_FAILURE; - } - - if (!point->X) { - point->X = wolfSSL_BN_new(); - } - if (!point->Y) { - point->Y = wolfSSL_BN_new(); - } - if (!point->Z) { - point->Z = wolfSSL_BN_new(); - } - if (!point->X || !point->Y || !point->Z) { - WOLFSSL_MSG("wolfSSL_BN_new failed"); - return WOLFSSL_FAILURE; - } - - BN_copy(point->X, x); - BN_copy(point->Y, y); - BN_copy(point->Z, wolfSSL_BN_value_one()); - - if (SetECPointInternal((WOLFSSL_EC_POINT *)point) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECPointInternal failed"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -#if !defined(WOLFSSL_ATECC508A) && !defined(HAVE_SELFTEST) -/* Calculate the value: generator * n + q * m - * return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, - const WOLFSSL_BIGNUM *n, const WOLFSSL_EC_POINT *q, - const WOLFSSL_BIGNUM *m, WOLFSSL_BN_CTX *ctx) -{ - mp_int a, prime; - int ret = WOLFSSL_FAILURE; - ecc_point* result = NULL; - ecc_point* tmp = NULL; - - (void)ctx; - - WOLFSSL_ENTER("wolfSSL_EC_POINT_mul"); - - if (!group || !r) { - WOLFSSL_MSG("wolfSSL_EC_POINT_mul NULL error"); - return WOLFSSL_FAILURE; - } - - if (!(result = wc_ecc_new_point())) { - WOLFSSL_MSG("wolfSSL_EC_POINT_new error"); - return WOLFSSL_FAILURE; - } - - /* read the curve prime and a */ - if (mp_init_multi(&prime, &a, NULL, NULL, NULL, NULL) != MP_OKAY) { - WOLFSSL_MSG("mp_init_multi error"); - goto cleanup; - } - - if (q && setupPoint(q) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("setupPoint error"); - goto cleanup; - } - - if (mp_read_radix(&prime, ecc_sets[group->curve_idx].prime, MP_RADIX_HEX) - != MP_OKAY) { - WOLFSSL_MSG("mp_read_radix prime error"); - goto cleanup; - } - - if (mp_read_radix(&a, ecc_sets[group->curve_idx].Af, MP_RADIX_HEX) - != MP_OKAY) { - WOLFSSL_MSG("mp_read_radix a error"); - goto cleanup; - } - - if (n) { - /* load generator */ - if (wc_ecc_get_generator(result, group->curve_idx) - != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_get_generator error"); - goto cleanup; - } - } - - if (n && q && m) { - /* r = generator * n + q * m */ -#ifdef ECC_SHAMIR - if (ecc_mul2add(result, (mp_int*)n->internal, - (ecc_point*)q->internal, (mp_int*)m->internal, - result, &a, &prime, NULL) - != MP_OKAY) { - WOLFSSL_MSG("ecc_mul2add error"); - goto cleanup; - } -#else - mp_digit mp = 0; - if (mp_montgomery_setup(&prime, &mp) != MP_OKAY) { - WOLFSSL_MSG("mp_montgomery_setup nqm error"); - goto cleanup; - } - if (!(tmp = wc_ecc_new_point())) { - WOLFSSL_MSG("wolfSSL_EC_POINT_new nqm error"); - goto cleanup; - } - /* r = generator * n */ - if (wc_ecc_mulmod((mp_int*)n->internal, result, result, &a, &prime, 1) - != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_mulmod nqm error"); - goto cleanup; - } - /* tmp = q * m */ - if (wc_ecc_mulmod((mp_int*)m->internal, (ecc_point*)q->internal, - tmp, &a, &prime, 1) != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_mulmod nqm error"); - goto cleanup; - } - /* result = result + tmp */ - if (ecc_projective_add_point(tmp, result, result, &a, &prime, mp) - != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_mulmod nqm error"); - goto cleanup; - } - if (ecc_map(result, &prime, mp) != MP_OKAY) { - WOLFSSL_MSG("ecc_map nqm error"); - goto cleanup; - } -#endif - } - else if (n) { - /* r = generator * n */ - if (wc_ecc_mulmod((mp_int*)n->internal, result, result, &a, &prime, 1) - != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_mulmod gn error"); - goto cleanup; - } - } - else if (q && m) { - /* r = q * m */ - if (wc_ecc_mulmod((mp_int*)m->internal, (ecc_point*)q->internal, - result, &a, &prime, 1) != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_mulmod qm error"); - goto cleanup; - } - } - - /* copy to destination */ - if (wc_ecc_copy_point(result, (ecc_point*)r->internal)) { - WOLFSSL_MSG("wc_ecc_copy_point error"); - goto cleanup; - } - r->inSet = 1; - if (SetECPointExternal(r) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECPointExternal error"); - goto cleanup; - } - - ret = WOLFSSL_SUCCESS; -cleanup: - mp_clear(&a); - mp_clear(&prime); - wc_ecc_del_point(result); - wc_ecc_del_point(tmp); - return ret; -} -#endif /* !defined(WOLFSSL_ATECC508A) && defined(ECC_SHAMIR) && - * !defined(HAVE_SELFTEST) */ - -void wolfSSL_EC_POINT_clear_free(WOLFSSL_EC_POINT *p) -{ - WOLFSSL_ENTER("wolfSSL_EC_POINT_clear_free"); - - wolfSSL_EC_POINT_free(p); -} - -/* return code compliant with OpenSSL : - * 0 if equal, 1 if not and -1 in case of error - */ -int wolfSSL_EC_POINT_cmp(const WOLFSSL_EC_GROUP *group, - const WOLFSSL_EC_POINT *a, const WOLFSSL_EC_POINT *b, - WOLFSSL_BN_CTX *ctx) -{ - int ret; - - (void)ctx; - - WOLFSSL_ENTER("wolfSSL_EC_POINT_cmp"); - - if (group == NULL || a == NULL || a->internal == NULL || b == NULL || - b->internal == NULL) { - WOLFSSL_MSG("wolfSSL_EC_POINT_cmp Bad arguments"); - return WOLFSSL_FATAL_ERROR; - } - - ret = wc_ecc_cmp_point((ecc_point*)a->internal, (ecc_point*)b->internal); - if (ret == MP_EQ) - return 0; - else if (ret == MP_LT || ret == MP_GT) - return 1; - - return WOLFSSL_FATAL_ERROR; -} - -int wolfSSL_EC_POINT_copy(WOLFSSL_EC_POINT *dest, const WOLFSSL_EC_POINT *src) -{ - WOLFSSL_ENTER("wolfSSL_EC_POINT_copy"); - - if (!dest || !src) { - return WOLFSSL_FAILURE; - } - - if (setupPoint(src) != WOLFSSL_SUCCESS) { - return WOLFSSL_FAILURE; - } - - if (wc_ecc_copy_point((ecc_point*) dest->internal, - (ecc_point*) src->internal) != MP_OKAY) { - return WOLFSSL_FAILURE; - } - - dest->inSet = 1; - - if (SetECPointExternal(dest) != WOLFSSL_SUCCESS) { - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} -#endif /* HAVE_ECC */ -#endif /* OPENSSL_EXTRA */ - -#if defined(HAVE_ECC) && (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) -void wolfSSL_EC_POINT_free(WOLFSSL_EC_POINT *p) -{ - WOLFSSL_ENTER("wolfSSL_EC_POINT_free"); - - if (p != NULL) { - if (p->internal != NULL) { - wc_ecc_del_point((ecc_point*)p->internal); - p->internal = NULL; - } - - wolfSSL_BN_free(p->X); - wolfSSL_BN_free(p->Y); - wolfSSL_BN_free(p->Z); - p->X = NULL; - p->Y = NULL; - p->Z = NULL; - p->inSet = p->exSet = 0; - - XFREE(p, NULL, DYNAMIC_TYPE_ECC); - /* p = NULL, don't try to access or double free it */ - } -} -#endif - -#ifdef OPENSSL_EXTRA -#ifdef HAVE_ECC -/* return code compliant with OpenSSL : - * 1 if point at infinity, 0 else - */ -int wolfSSL_EC_POINT_is_at_infinity(const WOLFSSL_EC_GROUP *group, - const WOLFSSL_EC_POINT *point) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_EC_POINT_is_at_infinity"); - - if (group == NULL || point == NULL || point->internal == NULL) { - WOLFSSL_MSG("wolfSSL_EC_POINT_is_at_infinity NULL error"); - return WOLFSSL_FAILURE; - } - - if (setupPoint(point) != WOLFSSL_SUCCESS) { - return WOLFSSL_FAILURE; - } - - ret = wc_ecc_point_is_at_infinity((ecc_point*)point->internal); - if (ret < 0) { - WOLFSSL_MSG("ecc_point_is_at_infinity failure"); - return WOLFSSL_FAILURE; - } - - return ret; -} - -/* End EC_POINT */ - -size_t wolfSSL_EC_get_builtin_curves(WOLFSSL_EC_BUILTIN_CURVE *r, size_t nitems) -{ - size_t i, min_nitems; -#ifdef HAVE_SELFTEST - size_t ecc_sets_count; - for (i = 0; ecc_sets[i].size != 0 && ecc_sets[i].name != NULL; i++); - ecc_sets_count = i; -#endif - - if (r == NULL || nitems == 0) - return ecc_sets_count; - - min_nitems = nitems < ecc_sets_count ? nitems : ecc_sets_count; - - for (i = 0; i < min_nitems; i++) { - r[i].nid = EccEnumToNID(ecc_sets[i].id); - r[i].comment = wolfSSL_OBJ_nid2sn(r[i].nid); - } - - return ecc_sets_count; -} - -/* Start ECDSA_SIG */ -void wolfSSL_ECDSA_SIG_free(WOLFSSL_ECDSA_SIG *sig) -{ - WOLFSSL_ENTER("wolfSSL_ECDSA_SIG_free"); - - if (sig) { - wolfSSL_BN_free(sig->r); - wolfSSL_BN_free(sig->s); - - XFREE(sig, NULL, DYNAMIC_TYPE_ECC); - } -} - -WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_SIG_new(void) -{ - WOLFSSL_ECDSA_SIG *sig; - - WOLFSSL_ENTER("wolfSSL_ECDSA_SIG_new"); - - sig = (WOLFSSL_ECDSA_SIG*) XMALLOC(sizeof(WOLFSSL_ECDSA_SIG), NULL, - DYNAMIC_TYPE_ECC); - if (sig == NULL) { - WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new malloc ECDSA signature failure"); - return NULL; - } - - sig->s = NULL; - sig->r = wolfSSL_BN_new(); - if (sig->r == NULL) { - WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new malloc ECDSA r failure"); - wolfSSL_ECDSA_SIG_free(sig); - return NULL; - } - - sig->s = wolfSSL_BN_new(); - if (sig->s == NULL) { - WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new malloc ECDSA s failure"); - wolfSSL_ECDSA_SIG_free(sig); - return NULL; - } - - return sig; -} - -/* return signature structure on success, NULL otherwise */ -WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen, - WOLFSSL_EC_KEY *key) -{ - WOLFSSL_ECDSA_SIG *sig = NULL; - int initTmpRng = 0; - WC_RNG* rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG = NULL; -#else - WC_RNG tmpRNG[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_ECDSA_do_sign"); - - if (d == NULL || key == NULL || key->internal == NULL) { - WOLFSSL_MSG("wolfSSL_ECDSA_do_sign Bad arguments"); - return NULL; - } - - /* set internal key if not done */ - if (key->inSet == 0) - { - WOLFSSL_MSG("wolfSSL_ECDSA_do_sign No EC key internal set, do it"); - - if (SetECKeyInternal(key) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("wolfSSL_ECDSA_do_sign SetECKeyInternal failed"); - return NULL; - } - } - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return NULL; -#endif - - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("wolfSSL_ECDSA_do_sign Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("wolfSSL_ECDSA_do_sign Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng) { - mp_int sig_r, sig_s; - - if (mp_init_multi(&sig_r, &sig_s, NULL, NULL, NULL, NULL) == MP_OKAY) { - if (wc_ecc_sign_hash_ex(d, dlen, rng, (ecc_key*)key->internal, - &sig_r, &sig_s) != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_sign_hash_ex failed"); - } - else { - /* put signature blob in ECDSA structure */ - sig = wolfSSL_ECDSA_SIG_new(); - if (sig == NULL) - WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new failed"); - else if (SetIndividualExternal(&(sig->r), &sig_r)!=WOLFSSL_SUCCESS){ - WOLFSSL_MSG("ecdsa r key error"); - wolfSSL_ECDSA_SIG_free(sig); - sig = NULL; - } - else if (SetIndividualExternal(&(sig->s), &sig_s)!=WOLFSSL_SUCCESS){ - WOLFSSL_MSG("ecdsa s key error"); - wolfSSL_ECDSA_SIG_free(sig); - sig = NULL; - } - - } - mp_free(&sig_r); - mp_free(&sig_s); - } - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - return sig; -} - -/* return code compliant with OpenSSL : - * 1 for a valid signature, 0 for an invalid signature and -1 on error - */ -int wolfSSL_ECDSA_do_verify(const unsigned char *d, int dlen, - const WOLFSSL_ECDSA_SIG *sig, WOLFSSL_EC_KEY *key) -{ - int check_sign = 0; - - WOLFSSL_ENTER("wolfSSL_ECDSA_do_verify"); - - if (d == NULL || sig == NULL || key == NULL || key->internal == NULL) { - WOLFSSL_MSG("wolfSSL_ECDSA_do_verify Bad arguments"); - return WOLFSSL_FATAL_ERROR; - } - - /* set internal key if not done */ - if (key->inSet == 0) - { - WOLFSSL_MSG("No EC key internal set, do it"); - - if (SetECKeyInternal(key) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECKeyInternal failed"); - return WOLFSSL_FATAL_ERROR; - } - } - - if (wc_ecc_verify_hash_ex((mp_int*)sig->r->internal, - (mp_int*)sig->s->internal, d, dlen, &check_sign, - (ecc_key *)key->internal) != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_verify_hash failed"); - return WOLFSSL_FATAL_ERROR; - } - else if (check_sign == 0) { - WOLFSSL_MSG("wc_ecc_verify_hash incorrect signature detected"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -WOLFSSL_ECDSA_SIG *wolfSSL_d2i_ECDSA_SIG(WOLFSSL_ECDSA_SIG **sig, - const unsigned char **pp, long len) -{ - WOLFSSL_ECDSA_SIG *s = NULL; - - if (pp == NULL) - return NULL; - - if (sig != NULL) - s = *sig; - if (s == NULL) { - s = wolfSSL_ECDSA_SIG_new(); - if (s == NULL) - return NULL; - } - - /* DecodeECC_DSA_Sig calls mp_init, so free these */ - mp_free((mp_int*)s->r->internal); - mp_free((mp_int*)s->s->internal); - - if (DecodeECC_DSA_Sig(*pp, (word32)len, (mp_int*)s->r->internal, - (mp_int*)s->s->internal) != MP_OKAY) { - if (sig == NULL || *sig == NULL) - wolfSSL_ECDSA_SIG_free(s); - return NULL; - } - - *pp += len; - if (sig != NULL) - *sig = s; - return s; -} - -int wolfSSL_i2d_ECDSA_SIG(const WOLFSSL_ECDSA_SIG *sig, unsigned char **pp) -{ - word32 len; - - if (sig == NULL) - return 0; - - /* ASN.1: SEQ + INT + INT - * ASN.1 Integer must be a positive value - prepend zero if number has - * top bit set. - */ - len = 2 + mp_leading_bit((mp_int*)sig->r->internal) + - mp_unsigned_bin_size((mp_int*)sig->r->internal) + - 2 + mp_leading_bit((mp_int*)sig->s->internal) + - mp_unsigned_bin_size((mp_int*)sig->s->internal); - /* Two bytes required for length if ASN.1 SEQ data greater than 127 bytes - * and less than 256 bytes. - */ - len = 1 + ((len > 127) ? 2 : 1) + len; - if (pp != NULL && *pp != NULL) { - if (StoreECC_DSA_Sig(*pp, &len, (mp_int*)sig->r->internal, - (mp_int*)sig->s->internal) != MP_OKAY) { - len = 0; - } - else - *pp += len; - } - - return (int)len; -} -/* End ECDSA_SIG */ - -/* Start ECDH */ -/* return code compliant with OpenSSL : - * length of computed key if success, -1 if error - */ -int wolfSSL_ECDH_compute_key(void *out, size_t outlen, - const WOLFSSL_EC_POINT *pub_key, - WOLFSSL_EC_KEY *ecdh, - void *(*KDF) (const void *in, size_t inlen, - void *out, size_t *outlen)) -{ - word32 len; - (void)KDF; - - (void)KDF; - - WOLFSSL_ENTER("wolfSSL_ECDH_compute_key"); - - if (out == NULL || pub_key == NULL || pub_key->internal == NULL || - ecdh == NULL || ecdh->internal == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FATAL_ERROR; - } - - /* set internal key if not done */ - if (ecdh->inSet == 0) - { - WOLFSSL_MSG("No EC key internal set, do it"); - - if (SetECKeyInternal(ecdh) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECKeyInternal failed"); - return WOLFSSL_FATAL_ERROR; - } - } - - len = (word32)outlen; - - if (wc_ecc_shared_secret_ssh((ecc_key*)ecdh->internal, - (ecc_point*)pub_key->internal, - (byte *)out, &len) != MP_OKAY) { - WOLFSSL_MSG("wc_ecc_shared_secret failed"); - return WOLFSSL_FATAL_ERROR; - } - - return len; -} -/* End ECDH */ - -#if !defined(NO_FILESYSTEM) -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -#ifndef NO_WOLFSSL_STUB -int wolfSSL_PEM_write_EC_PUBKEY(XFILE fp, WOLFSSL_EC_KEY *x) -{ - (void)fp; - (void)x; - WOLFSSL_STUB("PEM_write_EC_PUBKEY"); - WOLFSSL_MSG("wolfSSL_PEM_write_EC_PUBKEY not implemented"); - - return WOLFSSL_FAILURE; -} -#endif - -/* Uses the same format of input as wolfSSL_PEM_read_bio_PrivateKey but expects - * the results to be an EC key. - * - * bio structure to read EC private key from - * ec if not null is then set to the result - * cb password callback for reading PEM - * pass password string - * - * returns a pointer to a new WOLFSSL_EC_KEY struct on success and NULL on fail - */ - -WOLFSSL_EC_KEY* wolfSSL_PEM_read_bio_EC_PUBKEY(WOLFSSL_BIO* bio, - WOLFSSL_EC_KEY** ec, - pem_password_cb* cb, void *pass) -{ - WOLFSSL_EVP_PKEY* pkey; - WOLFSSL_EC_KEY* local; - - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_EC_PUBKEY"); - - pkey = wolfSSL_PEM_read_bio_PUBKEY(bio, NULL, cb, pass); - if (pkey == NULL) { - return NULL; - } - - /* Since the WOLFSSL_EC_KEY structure is being taken from WOLFSSL_EVP_PKEY the - * flag indicating that the WOLFSSL_EC_KEY structure is owned should be FALSE - * to avoid having it free'd */ - pkey->ownEcc = 0; - local = pkey->ecc; - if (ec != NULL) { - *ec = local; - } - - wolfSSL_EVP_PKEY_free(pkey); - return local; -} - -/* Reads a private EC key from a WOLFSSL_BIO into a WOLFSSL_EC_KEY. - * Returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE - */ -WOLFSSL_EC_KEY* wolfSSL_PEM_read_bio_ECPrivateKey(WOLFSSL_BIO* bio, - WOLFSSL_EC_KEY** ec, - pem_password_cb* cb, - void *pass) -{ - WOLFSSL_EVP_PKEY* pkey; - WOLFSSL_EC_KEY* local; - - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_ECPrivateKey"); - - pkey = wolfSSL_PEM_read_bio_PrivateKey(bio, NULL, cb, pass); - if (pkey == NULL) { - return NULL; - } - - /* Since the WOLFSSL_EC_KEY structure is being taken from WOLFSSL_EVP_PKEY the - * flag indicating that the WOLFSSL_EC_KEY structure is owned should be FALSE - * to avoid having it free'd */ - pkey->ownEcc = 0; - local = pkey->ecc; - if (ec != NULL) { - *ec = local; - } - - wolfSSL_EVP_PKEY_free(pkey); - return local; -} -#endif /* NO_FILESYSTEM */ - -#if defined(WOLFSSL_KEY_GEN) -/* Takes a public WOLFSSL_EC_KEY and writes it out to WOLFSSL_BIO - * Returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE - */ -int wolfSSL_PEM_write_bio_EC_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ec) -{ - int ret = 0, der_max_len = 0, derSz = 0; - byte *derBuf; - WOLFSSL_EVP_PKEY* pkey; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_EC_PUBKEY"); - - if (bio == NULL || ec == NULL) { - WOLFSSL_MSG("Bad Function Arguments"); - return WOLFSSL_FAILURE; - } - - /* Initialize pkey structure */ - pkey = wolfSSL_EVP_PKEY_new_ex(bio->heap); - if (pkey == NULL) { - WOLFSSL_MSG("wolfSSL_EVP_PKEY_new_ex failed"); - return WOLFSSL_FAILURE; - } - - /* Set pkey info */ - pkey->ecc = ec; - pkey->ownEcc = 0; /* pkey does not own ECC */ - pkey->type = EVP_PKEY_EC; - - /* 4 > size of pub, priv + ASN.1 additional information */ - der_max_len = 4 * wc_ecc_size((ecc_key*)ec->internal) + AES_BLOCK_SIZE; - - derBuf = (byte*)XMALLOC(der_max_len, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (derBuf == NULL) { - WOLFSSL_MSG("Malloc failed"); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - /* convert key to der format */ - derSz = wc_EccPublicKeyToDer((ecc_key*)ec->internal, derBuf, der_max_len, 1); - if (derSz < 0) { - WOLFSSL_MSG("wc_EccPublicKeyToDer failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - pkey->pkey.ptr = (char*)XMALLOC(derSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (pkey->pkey.ptr == NULL) { - WOLFSSL_MSG("key malloc failed"); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - /* add der info to the evp key */ - pkey->pkey_sz = derSz; - XMEMCPY(pkey->pkey.ptr, derBuf, derSz); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - - if((ret = wolfSSL_PEM_write_bio_PUBKEY(bio, pkey)) != WOLFSSL_SUCCESS){ - WOLFSSL_MSG("wolfSSL_PEM_write_bio_PUBKEY failed"); - } - wolfSSL_EVP_PKEY_free(pkey); - - return ret; -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_PEM_write_bio_ECPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_EC_KEY* ec, - const EVP_CIPHER* cipher, - unsigned char* passwd, int len, - pem_password_cb* cb, void* arg) -{ - int ret = 0, der_max_len = 0, derSz = 0; - byte *derBuf; - WOLFSSL_EVP_PKEY* pkey; - WOLFSSL_ENTER("WOLFSSL_PEM_write_bio_ECPrivateKey"); - - if (bio == NULL || ec == NULL) { - WOLFSSL_MSG("Bad Function Arguments"); - return WOLFSSL_FAILURE; - } - - /* Initialize pkey structure */ - pkey = wolfSSL_EVP_PKEY_new_ex(bio->heap); - if (pkey == NULL) { - WOLFSSL_MSG("wolfSSL_EVP_PKEY_new_ex failed"); - return WOLFSSL_FAILURE; - } - - /* Set pkey info */ - pkey->ecc = ec; - pkey->ownEcc = 0; /* pkey does not own ECC */ - pkey->type = EVP_PKEY_EC; - - /* 4 > size of pub, priv + ASN.1 additional informations - */ - der_max_len = 4 * wc_ecc_size((ecc_key*)ec->internal) + AES_BLOCK_SIZE; - - derBuf = (byte*)XMALLOC(der_max_len, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (derBuf == NULL) { - WOLFSSL_MSG("Malloc failed"); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - /* convert key to der format */ - derSz = wc_EccKeyToDer((ecc_key*)ec->internal, derBuf, der_max_len); - if (derSz < 0) { - WOLFSSL_MSG("wc_EccKeyToDer failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - pkey->pkey.ptr = (char*)XMALLOC(derSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (pkey->pkey.ptr == NULL) { - WOLFSSL_MSG("key malloc failed"); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - /* add der info to the evp key */ - pkey->pkey_sz = derSz; - XMEMCPY(pkey->pkey.ptr, derBuf, derSz); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - - ret = wolfSSL_PEM_write_bio_PrivateKey(bio, pkey, cipher, passwd, len, - cb, arg); - wolfSSL_EVP_PKEY_free(pkey); - - return ret; -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, - const EVP_CIPHER* cipher, - unsigned char* passwd, int passwdSz, - unsigned char **pem, int *plen) -{ -#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) - byte *derBuf, *tmp, *cipherInfo = NULL; - int der_max_len = 0, derSz = 0; - const int type = ECC_PRIVATEKEY_TYPE; - const char* header = NULL; - const char* footer = NULL; - - WOLFSSL_MSG("wolfSSL_PEM_write_mem_ECPrivateKey"); - - if (pem == NULL || plen == NULL || ecc == NULL || ecc->internal == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FAILURE; - } - - if (wc_PemGetHeaderFooter(type, &header, &footer) != 0) - return WOLFSSL_FAILURE; - - if (ecc->inSet == 0) { - WOLFSSL_MSG("No ECC internal set, do it"); - - if (SetECKeyInternal(ecc) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECKeyInternal failed"); - return WOLFSSL_FAILURE; - } - } - - /* 4 > size of pub, priv + ASN.1 additional information */ - der_max_len = 4 * wc_ecc_size((ecc_key*)ecc->internal) + AES_BLOCK_SIZE; - - derBuf = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_DER); - if (derBuf == NULL) { - WOLFSSL_MSG("malloc failed"); - return WOLFSSL_FAILURE; - } - - /* Key to DER */ - derSz = wc_EccKeyToDer((ecc_key*)ecc->internal, derBuf, der_max_len); - if (derSz < 0) { - WOLFSSL_MSG("wc_EccKeyToDer failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - return WOLFSSL_FAILURE; - } - - /* encrypt DER buffer if required */ - if (passwd != NULL && passwdSz > 0 && cipher != NULL) { - int ret; - - ret = EncryptDerKey(derBuf, &derSz, cipher, - passwd, passwdSz, &cipherInfo); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("EncryptDerKey failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - return ret; - } - - /* tmp buffer with a max size */ - *plen = (derSz * 2) + (int)XSTRLEN(header) + 1 + - (int)XSTRLEN(footer) + 1 + HEADER_ENCRYPTED_KEY_SIZE; - } - else { /* tmp buffer with a max size */ - *plen = (derSz * 2) + (int)XSTRLEN(header) + 1 + - (int)XSTRLEN(footer) + 1; - } - - tmp = (byte*)XMALLOC(*plen, NULL, DYNAMIC_TYPE_PEM); - if (tmp == NULL) { - WOLFSSL_MSG("malloc failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - if (cipherInfo != NULL) - XFREE(cipherInfo, NULL, DYNAMIC_TYPE_STRING); - return WOLFSSL_FAILURE; - } - - /* DER to PEM */ - *plen = wc_DerToPemEx(derBuf, derSz, tmp, *plen, cipherInfo, type); - if (*plen <= 0) { - WOLFSSL_MSG("wc_DerToPemEx failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - if (cipherInfo != NULL) - XFREE(cipherInfo, NULL, DYNAMIC_TYPE_STRING); - return WOLFSSL_FAILURE; - } - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - if (cipherInfo != NULL) - XFREE(cipherInfo, NULL, DYNAMIC_TYPE_STRING); - - *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_KEY); - if (*pem == NULL) { - WOLFSSL_MSG("malloc failed"); - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - return WOLFSSL_FAILURE; - } - XMEMSET(*pem, 0, (*plen)+1); - - if (XMEMCPY(*pem, tmp, *plen) == NULL) { - WOLFSSL_MSG("XMEMCPY failed"); - XFREE(pem, NULL, DYNAMIC_TYPE_KEY); - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - return WOLFSSL_FAILURE; - } - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - - return WOLFSSL_SUCCESS; -#else - (void)ecc; - (void)cipher; - (void)passwd; - (void)passwdSz; - (void)pem; - (void)plen; - return WOLFSSL_FAILURE; -#endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */ -} - -#ifndef NO_FILESYSTEM -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_PEM_write_ECPrivateKey(XFILE fp, WOLFSSL_EC_KEY *ecc, - const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - byte *pem; - int plen, ret; - - (void)cb; - (void)u; - - WOLFSSL_MSG("wolfSSL_PEM_write_ECPrivateKey"); - - if (fp == XBADFILE || ecc == NULL || ecc->internal == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FAILURE; - } - - ret = wolfSSL_PEM_write_mem_ECPrivateKey(ecc, enc, kstr, klen, &pem, &plen); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("wolfSSL_PEM_write_mem_ECPrivateKey failed"); - return WOLFSSL_FAILURE; - } - - ret = (int)XFWRITE(pem, plen, 1, fp); - if (ret != 1) { - WOLFSSL_MSG("ECC private key file write failed"); - return WOLFSSL_FAILURE; - } - - XFREE(pem, NULL, DYNAMIC_TYPE_KEY); - return WOLFSSL_SUCCESS; -} - -#endif /* NO_FILESYSTEM */ -#endif /* defined(WOLFSSL_KEY_GEN) */ - -#endif /* HAVE_ECC */ - - -#ifndef NO_DSA - -#if defined(WOLFSSL_KEY_GEN) - -/* Takes a DSA Privatekey and writes it out to a WOLFSSL_BIO - * Returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE - */ -int wolfSSL_PEM_write_bio_DSAPrivateKey(WOLFSSL_BIO* bio, WOLFSSL_DSA* dsa, - const EVP_CIPHER* cipher, - unsigned char* passwd, int len, - pem_password_cb* cb, void* arg) -{ - int ret = 0, der_max_len = 0, derSz = 0; - byte *derBuf; - WOLFSSL_EVP_PKEY* pkey; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_DSAPrivateKey"); - - if (bio == NULL || dsa == NULL) { - WOLFSSL_MSG("Bad Function Arguments"); - return WOLFSSL_FAILURE; - } - - pkey = wolfSSL_EVP_PKEY_new_ex(bio->heap); - if (pkey == NULL) { - WOLFSSL_MSG("wolfSSL_EVP_PKEY_new_ex failed"); - return WOLFSSL_FAILURE; - } - - pkey->type = EVP_PKEY_DSA; - pkey->dsa = dsa; - pkey->ownDsa = 0; - - /* 4 > size of pub, priv, p, q, g + ASN.1 additional information */ - der_max_len = 4 * wolfSSL_BN_num_bytes(dsa->g) + AES_BLOCK_SIZE; - - derBuf = (byte*)XMALLOC(der_max_len, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (derBuf == NULL) { - WOLFSSL_MSG("Malloc failed"); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - /* convert key to der format */ - derSz = wc_DsaKeyToDer((DsaKey*)dsa->internal, derBuf, der_max_len); - if (derSz < 0) { - WOLFSSL_MSG("wc_DsaKeyToDer failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - pkey->pkey.ptr = (char*)XMALLOC(derSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (pkey->pkey.ptr == NULL) { - WOLFSSL_MSG("key malloc failed"); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - /* add der info to the evp key */ - pkey->pkey_sz = derSz; - XMEMCPY(pkey->pkey.ptr, derBuf, derSz); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - - ret = wolfSSL_PEM_write_bio_PrivateKey(bio, pkey, cipher, passwd, len, - cb, arg); - wolfSSL_EVP_PKEY_free(pkey); - - return ret; -} - -#ifndef HAVE_SELFTEST -/* Takes a DSA public key and writes it out to a WOLFSSL_BIO - * Returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE - */ -int wolfSSL_PEM_write_bio_DSA_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_DSA* dsa) -{ - int ret = 0, derMax = 0, derSz = 0; - byte *derBuf; - WOLFSSL_EVP_PKEY* pkey; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_DSA_PUBKEY"); - - if (bio == NULL || dsa == NULL) { - WOLFSSL_MSG("Bad function arguements"); - return WOLFSSL_FAILURE; - } - - pkey = wolfSSL_EVP_PKEY_new_ex(bio->heap); - if (pkey == NULL) { - WOLFSSL_MSG("wolfSSL_EVP_PKEY_new_ex failed"); - return WOLFSSL_FAILURE; - } - - pkey->type = EVP_PKEY_DSA; - pkey->dsa = dsa; - pkey->ownDsa = 0; - - /* 4 > size of pub, priv, p, q, g + ASN.1 additional information */ - derMax = 4 * wolfSSL_BN_num_bytes(dsa->g) + AES_BLOCK_SIZE; - - derBuf = (byte*)XMALLOC(derMax, bio->heap, DYNAMIC_TYPE_DER); - if (derBuf == NULL) { - WOLFSSL_MSG("malloc failed"); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - /* Key to DER */ - derSz = wc_DsaKeyToPublicDer((DsaKey*)dsa->internal, derBuf, derMax); - if (derSz < 0) { - WOLFSSL_MSG("wc_DsaKeyToDer failed"); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_DER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - - pkey->pkey.ptr = (char*)XMALLOC(derSz, bio->heap, DYNAMIC_TYPE_DER); - - if (pkey->pkey.ptr == NULL) { - WOLFSSL_MSG("key malloc failed"); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_DER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - pkey->pkey_sz = derSz; - XMEMSET(pkey->pkey.ptr, 0, derSz); - - if (XMEMCPY(pkey->pkey.ptr, derBuf, derSz) == NULL) { - WOLFSSL_MSG("XMEMCPY failed"); - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_DER); - XFREE(pkey->pkey.ptr, bio->heap, DYNAMIC_TYPE_DER); - wolfSSL_EVP_PKEY_free(pkey); - return WOLFSSL_FAILURE; - } - XFREE(derBuf, bio->heap, DYNAMIC_TYPE_DER); - ret = wolfSSL_PEM_write_bio_PUBKEY(bio, pkey); - wolfSSL_EVP_PKEY_free(pkey); - return ret; -} -#endif /* HAVE_SELFTEST */ - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, - const EVP_CIPHER* cipher, - unsigned char* passwd, int passwdSz, - unsigned char **pem, int *plen) -{ -#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) - byte *derBuf, *tmp, *cipherInfo = NULL; - int der_max_len = 0, derSz = 0; - const int type = DSA_PRIVATEKEY_TYPE; - const char* header = NULL; - const char* footer = NULL; - - WOLFSSL_MSG("wolfSSL_PEM_write_mem_DSAPrivateKey"); - - if (pem == NULL || plen == NULL || dsa == NULL || dsa->internal == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FAILURE; - } - - if (wc_PemGetHeaderFooter(type, &header, &footer) != 0) - return WOLFSSL_FAILURE; - - if (dsa->inSet == 0) { - WOLFSSL_MSG("No DSA internal set, do it"); - - if (SetDsaInternal(dsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetDsaInternal failed"); - return WOLFSSL_FAILURE; - } - } - - /* 4 > size of pub, priv, p, q, g + ASN.1 additional information */ - der_max_len = 4 * wolfSSL_BN_num_bytes(dsa->g) + AES_BLOCK_SIZE; - - derBuf = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_DER); - if (derBuf == NULL) { - WOLFSSL_MSG("malloc failed"); - return WOLFSSL_FAILURE; - } - - /* Key to DER */ - derSz = wc_DsaKeyToDer((DsaKey*)dsa->internal, derBuf, der_max_len); - if (derSz < 0) { - WOLFSSL_MSG("wc_DsaKeyToDer failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - return WOLFSSL_FAILURE; - } - - /* encrypt DER buffer if required */ - if (passwd != NULL && passwdSz > 0 && cipher != NULL) { - int ret; - - ret = EncryptDerKey(derBuf, &derSz, cipher, - passwd, passwdSz, &cipherInfo); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("EncryptDerKey failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - return ret; - } - - /* tmp buffer with a max size */ - *plen = (derSz * 2) + (int)XSTRLEN(header) + 1 + - (int)XSTRLEN(footer) + 1 + HEADER_ENCRYPTED_KEY_SIZE; - } - else { /* tmp buffer with a max size */ - *plen = (derSz * 2) + (int)XSTRLEN(header) + 1 + - (int)XSTRLEN(footer) + 1; - } - - tmp = (byte*)XMALLOC(*plen, NULL, DYNAMIC_TYPE_PEM); - if (tmp == NULL) { - WOLFSSL_MSG("malloc failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - if (cipherInfo != NULL) - XFREE(cipherInfo, NULL, DYNAMIC_TYPE_STRING); - return WOLFSSL_FAILURE; - } - - /* DER to PEM */ - *plen = wc_DerToPemEx(derBuf, derSz, tmp, *plen, cipherInfo, type); - if (*plen <= 0) { - WOLFSSL_MSG("wc_DerToPemEx failed"); - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - if (cipherInfo != NULL) - XFREE(cipherInfo, NULL, DYNAMIC_TYPE_STRING); - return WOLFSSL_FAILURE; - } - XFREE(derBuf, NULL, DYNAMIC_TYPE_DER); - if (cipherInfo != NULL) - XFREE(cipherInfo, NULL, DYNAMIC_TYPE_STRING); - - *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_KEY); - if (*pem == NULL) { - WOLFSSL_MSG("malloc failed"); - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - return WOLFSSL_FAILURE; - } - XMEMSET(*pem, 0, (*plen)+1); - - if (XMEMCPY(*pem, tmp, *plen) == NULL) { - WOLFSSL_MSG("XMEMCPY failed"); - XFREE(pem, NULL, DYNAMIC_TYPE_KEY); - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - return WOLFSSL_FAILURE; - } - XFREE(tmp, NULL, DYNAMIC_TYPE_PEM); - - return WOLFSSL_SUCCESS; -#else - (void)dsa; - (void)cipher; - (void)passwd; - (void)passwdSz; - (void)pem; - (void)plen; - return WOLFSSL_FAILURE; -#endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */ -} - -#ifndef NO_FILESYSTEM -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_PEM_write_DSAPrivateKey(XFILE fp, WOLFSSL_DSA *dsa, - const EVP_CIPHER *enc, - unsigned char *kstr, int klen, - pem_password_cb *cb, void *u) -{ - byte *pem; - int plen, ret; - - (void)cb; - (void)u; - - WOLFSSL_MSG("wolfSSL_PEM_write_DSAPrivateKey"); - - if (fp == XBADFILE || dsa == NULL || dsa->internal == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FAILURE; - } - - ret = wolfSSL_PEM_write_mem_DSAPrivateKey(dsa, enc, kstr, klen, &pem, &plen); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("wolfSSL_PEM_write_mem_DSAPrivateKey failed"); - return WOLFSSL_FAILURE; - } - - ret = (int)XFWRITE(pem, plen, 1, fp); - if (ret != 1) { - WOLFSSL_MSG("DSA private key file write failed"); - return WOLFSSL_FAILURE; - } - - XFREE(pem, NULL, DYNAMIC_TYPE_KEY); - return WOLFSSL_SUCCESS; -} - -#endif /* NO_FILESYSTEM */ -#endif /* defined(WOLFSSL_KEY_GEN) */ - -#ifndef NO_FILESYSTEM -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -#ifndef NO_WOLFSSL_STUB -int wolfSSL_PEM_write_DSA_PUBKEY(XFILE fp, WOLFSSL_DSA *x) -{ - (void)fp; - (void)x; - WOLFSSL_STUB("PEM_write_DSA_PUBKEY"); - WOLFSSL_MSG("wolfSSL_PEM_write_DSA_PUBKEY not implemented"); - - return WOLFSSL_FAILURE; -} -#endif -#endif /* NO_FILESYSTEM */ - -#endif /* #ifndef NO_DSA */ - -static int pem_read_bio_key(WOLFSSL_BIO* bio, pem_password_cb* cb, void* pass, - int keyType, int* eccFlag, DerBuffer** der) -{ -#ifdef WOLFSSL_SMALL_STACK - EncryptedInfo* info = NULL; -#else - EncryptedInfo info[1]; -#endif /* WOLFSSL_SMALL_STACK */ - pem_password_cb* localCb = NULL; - char* mem = NULL; - int memSz = 0; - int ret; - - if(cb) { - localCb = cb; - } else { - if(pass) { - localCb = wolfSSL_PEM_def_callback; - } - } - - if ((ret = wolfSSL_BIO_pending(bio)) > 0) { - memSz = ret; - mem = (char*)XMALLOC(memSz, bio->heap, DYNAMIC_TYPE_OPENSSL); - if (mem == NULL) { - WOLFSSL_MSG("Memory error"); - ret = MEMORY_E; - } - if (ret >= 0) { - if ((ret = wolfSSL_BIO_read(bio, mem, memSz)) <= 0) { - XFREE(mem, bio->heap, DYNAMIC_TYPE_OPENSSL); - mem = NULL; - ret = MEMORY_E; - } - } - } - else if (bio->type == WOLFSSL_BIO_FILE) { - int sz = 100; /* read from file by 100 byte chunks */ - int idx = 0; - char* tmp = (char*)XMALLOC(sz, bio->heap, DYNAMIC_TYPE_OPENSSL); - memSz = 0; - if (tmp == NULL) { - WOLFSSL_MSG("Memory error"); - ret = MEMORY_E; - } - - while (ret >= 0 && (sz = wolfSSL_BIO_read(bio, tmp, sz)) > 0) { - char* newMem; - if (memSz + sz < 0) { - /* sanity check */ - break; - } - newMem = (char*)XREALLOC(mem, memSz + sz, bio->heap, - DYNAMIC_TYPE_OPENSSL); - if (newMem == NULL) { - WOLFSSL_MSG("Memory error"); - XFREE(mem, bio->heap, DYNAMIC_TYPE_OPENSSL); - mem = NULL; - XFREE(tmp, bio->heap, DYNAMIC_TYPE_OPENSSL); - tmp = NULL; - ret = MEMORY_E; - break; - } - mem = newMem; - XMEMCPY(mem + idx, tmp, sz); - memSz += sz; - idx += sz; - sz = 100; /* read another 100 byte chunk from file */ - } - XFREE(tmp, bio->heap, DYNAMIC_TYPE_OPENSSL); - tmp = NULL; - if (memSz <= 0) { - WOLFSSL_MSG("No data to read from bio"); - if (mem != NULL) { - XFREE(mem, bio->heap, DYNAMIC_TYPE_OPENSSL); - mem = NULL; - } - ret = BUFFER_E; - } - } - else { - WOLFSSL_MSG("No data to read from bio"); - ret = NOT_COMPILED_IN; - } - -#ifdef WOLFSSL_SMALL_STACK - if (ret >= 0) { - info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (info == NULL) { - WOLFSSL_MSG("Error getting memory for EncryptedInfo structure"); - XFREE(mem, bio->heap, DYNAMIC_TYPE_OPENSSL); - mem = NULL; - ret = MEMORY_E; - } - } -#endif - - if (ret >= 0) { - XMEMSET(info, 0, sizeof(EncryptedInfo)); - info->passwd_cb = localCb; - info->passwd_userdata = pass; - ret = PemToDer((const unsigned char*)mem, memSz, keyType, der, - NULL, info, eccFlag); - - if (ret < 0) { - WOLFSSL_MSG("Bad Pem To Der"); - } - else { - /* write left over data back to bio */ - if ((memSz - (int)info->consumed) > 0 && - bio->type != WOLFSSL_BIO_FILE) { - if (wolfSSL_BIO_write(bio, mem + (int)info->consumed, - memSz - (int)info->consumed) <= 0) { - WOLFSSL_MSG("Unable to advance bio read pointer"); - } - } - } - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - XFREE(mem, bio->heap, DYNAMIC_TYPE_OPENSSL); - - return ret; -} - -WOLFSSL_EVP_PKEY* wolfSSL_PEM_read_bio_PrivateKey(WOLFSSL_BIO* bio, - WOLFSSL_EVP_PKEY** key, - pem_password_cb* cb, - void* pass) -{ - WOLFSSL_EVP_PKEY* pkey = NULL; - DerBuffer* der = NULL; - int keyFormat = 0; - int type = -1; - - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_PrivateKey"); - - if (bio == NULL) - return pkey; - - if (pem_read_bio_key(bio, cb, pass, PRIVATEKEY_TYPE, &keyFormat, - &der) >= 0) { - const unsigned char* ptr = der->buffer; - - if (keyFormat) { - /* keyFormat is Key_Sum enum */ - if (keyFormat == RSAk) - type = EVP_PKEY_RSA; - else if (keyFormat == ECDSAk) - type = EVP_PKEY_EC; - else if (keyFormat == DSAk) - type = EVP_PKEY_DSA; - else if (keyFormat == DHk) - type = EVP_PKEY_DH; - } - else { - /* Default to RSA if format is not set */ - type = EVP_PKEY_RSA; - } - - /* handle case where reuse is attempted */ - if (key != NULL && *key != NULL) - pkey = *key; - - wolfSSL_d2i_PrivateKey(type, &pkey, &ptr, der->length); - if (pkey == NULL) { - WOLFSSL_MSG("Error loading DER buffer into WOLFSSL_EVP_PKEY"); - } - } - - FreeDer(&der); - - if (key != NULL && pkey != NULL) - *key = pkey; - - WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_PrivateKey", 0); - - return pkey; -} - -WOLFSSL_EVP_PKEY *wolfSSL_PEM_read_bio_PUBKEY(WOLFSSL_BIO* bio, - WOLFSSL_EVP_PKEY **key, - pem_password_cb *cb, void *pass) -{ - WOLFSSL_EVP_PKEY* pkey = NULL; - DerBuffer* der = NULL; - int keyFormat = 0; - - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_PUBKEY"); - - if (bio == NULL) - return pkey; - - if (pem_read_bio_key(bio, cb, pass, PUBLICKEY_TYPE, &keyFormat, &der) >= 0) { - const unsigned char* ptr = der->buffer; - - /* handle case where reuse is attempted */ - if (key != NULL && *key != NULL) - pkey = *key; - - wolfSSL_d2i_PUBKEY(&pkey, &ptr, der->length); - if (pkey == NULL) { - WOLFSSL_MSG("Error loading DER buffer into WOLFSSL_EVP_PKEY"); - } - } - - FreeDer(&der); - - if (key != NULL && pkey != NULL) - *key = pkey; - - WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_PUBKEY", 0); - - return pkey; -} - - -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && !defined(NO_RSA) -/* Uses the same format of input as wolfSSL_PEM_read_bio_PrivateKey but expects - * the results to be an RSA key. - * - * bio structure to read RSA private key from - * rsa if not null is then set to the result - * cb password callback for reading PEM - * pass password string - * - * returns a pointer to a new WOLFSSL_RSA structure on success and NULL on fail - */ -WOLFSSL_RSA* wolfSSL_PEM_read_bio_RSAPrivateKey(WOLFSSL_BIO* bio, - WOLFSSL_RSA** rsa, pem_password_cb* cb, void* pass) -{ - WOLFSSL_EVP_PKEY* pkey; - WOLFSSL_RSA* local; - - WOLFSSL_ENTER("PEM_read_bio_RSAPrivateKey"); - - pkey = wolfSSL_PEM_read_bio_PrivateKey(bio, NULL, cb, pass); - if (pkey == NULL) { - return NULL; - } - - /* Since the WOLFSSL_RSA structure is being taken from WOLFSSL_EVP_PEKY the - * flag indicating that the WOLFSSL_RSA structure is owned should be FALSE - * to avoid having it free'd */ - pkey->ownRsa = 0; - local = pkey->rsa; - if (rsa != NULL) { - *rsa = local; - } - - wolfSSL_EVP_PKEY_free(pkey); - return local; -} -#endif /* OPENSSL_EXTRA || OPENSSL_ALL || !NO_RSA */ - -#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)) && (!defined(NO_CERTS) && \ - !defined(NO_FILESYSTEM) && !defined(NO_DSA) && defined(WOLFSSL_KEY_GEN)) -/* Uses the same format of input as wolfSSL_PEM_read_bio_PrivateKey but expects - * the results to be an DSA key. - * - * bio structure to read DSA private key from - * dsa if not null is then set to the result - * cb password callback for reading PEM - * pass password string - * - * returns a pointer to a new WOLFSSL_DSA structure on success and NULL on fail - */ -WOLFSSL_DSA* wolfSSL_PEM_read_bio_DSAPrivateKey(WOLFSSL_BIO* bio, - WOLFSSL_DSA** dsa, - pem_password_cb* cb,void *pass) -{ - WOLFSSL_EVP_PKEY* pkey = NULL; - WOLFSSL_DSA* local; - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_DSAPrivateKey"); - - - pkey = wolfSSL_PEM_read_bio_PrivateKey(bio, NULL, cb, pass); - if (pkey == NULL) { - WOLFSSL_MSG("Error in PEM_read_bio_PrivateKey"); - return NULL; - } - /* Since the WOLFSSL_DSA structure is being taken from WOLFSSL_EVP_PKEY the - * flag indicating that the WOLFSSL_DSA structure is owned should be FALSE - * to avoid having it free'd */ - pkey->ownDsa = 0; - local = pkey->dsa; - if (dsa != NULL) { - *dsa = local; - } - wolfSSL_EVP_PKEY_free(pkey); - return local; -} - -/* Reads an DSA public key from a WOLFSSL_BIO into a WOLFSSL_DSA. - * Returns WOLFSSL_SUCCESS or WOLFSSL_FAILURE - */ -WOLFSSL_DSA *wolfSSL_PEM_read_bio_DSA_PUBKEY(WOLFSSL_BIO* bio,WOLFSSL_DSA** dsa, - pem_password_cb* cb, void *pass) -{ - WOLFSSL_EVP_PKEY* pkey; - WOLFSSL_DSA* local; - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_DSA_PUBKEY"); - - pkey = wolfSSL_PEM_read_bio_PUBKEY(bio, NULL, cb, pass); - if (pkey == NULL) { - WOLFSSL_MSG("wolfSSL_PEM_read_bio_PUBKEY failed"); - return NULL; - } - - /* Since the WOLFSSL_DSA structure is being taken from WOLFSSL_EVP_PKEY the - * flag indicating that the WOLFSSL_DSA structure is owned should be FALSE - * to avoid having it free'd */ - pkey->ownDsa = 0; - local = pkey->dsa; - if (dsa != NULL) { - *dsa = local; - } - - wolfSSL_EVP_PKEY_free(pkey); - return local; -} -#endif - -#ifdef HAVE_ECC -/* returns a new WOLFSSL_EC_GROUP structure on success and NULL on fail */ -WOLFSSL_EC_GROUP* wolfSSL_PEM_read_bio_ECPKParameters(WOLFSSL_BIO* bio, - WOLFSSL_EC_GROUP** group, pem_password_cb* cb, void* pass) -{ - WOLFSSL_EVP_PKEY* pkey; - WOLFSSL_EC_GROUP* ret = NULL; - - /* check on if bio is null is done in wolfSSL_PEM_read_bio_PrivateKey */ - pkey = wolfSSL_PEM_read_bio_PrivateKey(bio, NULL, cb, pass); - if (pkey != NULL) { - if (pkey->type != EVP_PKEY_EC) { - WOLFSSL_MSG("Unexpected key type"); - } - else { - ret = (WOLFSSL_EC_GROUP*)wolfSSL_EC_KEY_get0_group(pkey->ecc); - - /* set ecc group to null so it is not free'd when pkey is free'd */ - pkey->ecc->group = NULL; - } - } - - (void)group; - wolfSSL_EVP_PKEY_free(pkey); - return ret; -} -#endif /* HAVE_ECC */ - -#if !defined(NO_FILESYSTEM) -WOLFSSL_EVP_PKEY *wolfSSL_PEM_read_PUBKEY(XFILE fp, EVP_PKEY **x, - pem_password_cb *cb, void *u) -{ - (void)fp; - (void)x; - (void)cb; - (void)u; - - WOLFSSL_MSG("wolfSSL_PEM_read_PUBKEY not implemented"); - - return NULL; -} -#endif /* NO_FILESYSTEM */ - -#ifndef NO_RSA - -#if defined(XSNPRINTF) && !defined(HAVE_FAST_RSA) -/* snprintf() must be available */ - -/****************************************************************************** -* wolfSSL_RSA_print - writes the human readable form of RSA to bio -* -* RETURNS: -* returns WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE -*/ -int wolfSSL_RSA_print(WOLFSSL_BIO* bio, WOLFSSL_RSA* rsa, int offset) -{ - char tmp[100] = {0}; - word32 idx = 0; - int sz = 0; - byte lbit = 0; - int rawLen = 0; - byte* rawKey = NULL; - RsaKey* iRsa = NULL; - int i = 0; - mp_int *rsaElem = NULL; - char rsaStr[][20] = { "Modulus:", - "PublicExponent:", - "PrivateExponent:", - "Prime1:", - "Prime2:", - "Exponent1:", - "Exponent2:", - "Coefficient:" - }; - - WOLFSSL_ENTER("wolfSSL_RSA_print"); - (void)offset; - - if (bio == NULL || rsa == NULL) { - return WOLFSSL_FATAL_ERROR; - } - - if ((sz = wolfSSL_RSA_size(rsa)) < 0) { - WOLFSSL_MSG("Error getting RSA key size"); - return WOLFSSL_FAILURE; - } - iRsa = (RsaKey*)rsa->internal; - - XSNPRINTF(tmp, sizeof(tmp) - 1, "\n%s: (%d bit)", - "RSA Private-Key", 8 * sz); - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - - for (i=0; i<RSA_INTS; i++) { - switch(i) { - case 0: - /* Print out modulus */ - rsaElem = &iRsa->n; - break; - case 1: - rsaElem = &iRsa->e; - break; - case 2: - rsaElem = &iRsa->d; - break; - case 3: - rsaElem = &iRsa->p; - break; - case 4: - rsaElem = &iRsa->q; - break; - case 5: - rsaElem = &iRsa->dP; - break; - case 6: - rsaElem = &iRsa->dQ; - break; - case 7: - rsaElem = &iRsa->u; - break; - default: - WOLFSSL_MSG("Bad index value"); - } - - if (i == 1) { - /* Print out exponent values */ - rawLen = mp_unsigned_bin_size(rsaElem); - if (rawLen < 0) { - WOLFSSL_MSG("Error getting exponent size"); - return WOLFSSL_FAILURE; - } - - if ((word32)rawLen < sizeof(word32)) { - rawLen = sizeof(word32); - } - rawKey = (byte*)XMALLOC(rawLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (rawKey == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - XMEMSET(rawKey, 0, rawLen); - mp_to_unsigned_bin(rsaElem, rawKey); - if ((word32)rawLen <= sizeof(word32)) { - idx = *(word32*)rawKey; - #ifdef BIG_ENDIAN_ORDER - idx = ByteReverseWord32(idx); - #endif - } - XSNPRINTF(tmp, sizeof(tmp) - 1, "\nExponent: %d (0x%x)", idx, idx); - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - XFREE(rawKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - XFREE(rawKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - } - else { - XSNPRINTF(tmp, sizeof(tmp) - 1, "\n%s\n ", rsaStr[i]); - tmp[sizeof(tmp) - 1] = '\0'; - if (mp_leading_bit(rsaElem)) { - lbit = 1; - XSTRNCAT(tmp, "00", 3); - } - - rawLen = mp_unsigned_bin_size(rsaElem); - rawKey = (byte*)XMALLOC(rawLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (rawKey == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - mp_to_unsigned_bin(rsaElem, rawKey); - for (idx = 0; idx < (word32)rawLen; idx++) { - char val[5]; - int valSz = 5; - - if ((idx == 0) && !lbit) { - XSNPRINTF(val, valSz - 1, "%02x", rawKey[idx]); - } - else if ((idx != 0) && (((idx + lbit) % 15) == 0)) { - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - XFREE(rawKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - XSNPRINTF(tmp, sizeof(tmp) - 1, - ":\n "); - XSNPRINTF(val, valSz - 1, "%02x", rawKey[idx]); - } - else { - XSNPRINTF(val, valSz - 1, ":%02x", rawKey[idx]); - } - XSTRNCAT(tmp, val, valSz); - } - XFREE(rawKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - /* print out remaining values */ - if ((idx > 0) && (((idx - 1 + lbit) % 15) != 0)) { - tmp[sizeof(tmp) - 1] = '\0'; - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; - } - } - lbit = 0; - } - - } - /* done with print out */ - if (wolfSSL_BIO_write(bio, "\n\0", (int)XSTRLEN("\n\0")) <= 0) { - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -#endif /* XSNPRINTF */ - -#if !defined(NO_FILESYSTEM) -#ifndef NO_WOLFSSL_STUB -WOLFSSL_RSA *wolfSSL_PEM_read_RSAPublicKey(XFILE fp, WOLFSSL_RSA **x, - pem_password_cb *cb, void *u) -{ - (void)fp; - (void)x; - (void)cb; - (void)u; - WOLFSSL_STUB("PEM_read_RSAPublicKey"); - WOLFSSL_MSG("wolfSSL_PEM_read_RSAPublicKey not implemented"); - - return NULL; -} -#endif -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -#ifndef NO_WOLFSSL_STUB -int wolfSSL_PEM_write_RSAPublicKey(XFILE fp, WOLFSSL_RSA *x) -{ - (void)fp; - (void)x; - WOLFSSL_STUB("PEM_write_RSAPublicKey"); - WOLFSSL_MSG("wolfSSL_PEM_write_RSAPublicKey not implemented"); - - return WOLFSSL_FAILURE; -} -#endif - -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -#ifndef NO_WOLFSSL_STUB -int wolfSSL_PEM_write_RSA_PUBKEY(XFILE fp, WOLFSSL_RSA *x) -{ - (void)fp; - (void)x; - WOLFSSL_STUB("PEM_write_RSA_PUBKEY"); - WOLFSSL_MSG("wolfSSL_PEM_write_RSA_PUBKEY not implemented"); - - return WOLFSSL_FAILURE; -} -#endif - -#endif /* NO_FILESYSTEM */ - -WOLFSSL_RSA *wolfSSL_d2i_RSAPublicKey(WOLFSSL_RSA **r, const unsigned char **pp, - long len) -{ - WOLFSSL_RSA *rsa = NULL; - - WOLFSSL_ENTER("d2i_RSAPublicKey"); - - if (pp == NULL) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - if ((rsa = wolfSSL_RSA_new()) == NULL) { - WOLFSSL_MSG("RSA_new failed"); - return NULL; - } - - if (wolfSSL_RSA_LoadDer_ex(rsa, *pp, (int)len, WOLFSSL_RSA_LOAD_PUBLIC) - != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("RSA_LoadDer failed"); - wolfSSL_RSA_free(rsa); - rsa = NULL; - } - if (r != NULL) - *r = rsa; - - return rsa; -} - -/* Converts an RSA private key from DER format to an RSA structure. -Returns pointer to the RSA structure on success and NULL if error. */ -WOLFSSL_RSA *wolfSSL_d2i_RSAPrivateKey(WOLFSSL_RSA **r, - const unsigned char **derBuf, long derSz) -{ - WOLFSSL_RSA *rsa = NULL; - - WOLFSSL_ENTER("wolfSSL_d2i_RSAPrivateKey"); - - /* check for bad functions arguments */ - if (derBuf == NULL) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - if ((rsa = wolfSSL_RSA_new()) == NULL) { - WOLFSSL_MSG("RSA_new failed"); - return NULL; - } - - if (wolfSSL_RSA_LoadDer_ex(rsa, *derBuf, (int)derSz, - WOLFSSL_RSA_LOAD_PRIVATE) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("RSA_LoadDer failed"); - wolfSSL_RSA_free(rsa); - rsa = NULL; - } - if (r != NULL) - *r = rsa; - - return rsa; -} - -#if !defined(HAVE_FAST_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(NO_RSA) && !defined(HAVE_USER_RSA) -/* Converts an internal RSA structure to DER format. - * If "pp" is null then buffer size only is returned. - * If "*pp" is null then a created buffer is set in *pp and the caller is - * responsible for free'ing it. - * Returns size of DER on success and WOLFSSL_FAILURE if error - */ -int wolfSSL_i2d_RSAPrivateKey(WOLFSSL_RSA *rsa, unsigned char **pp) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_i2d_RSAPrivateKey"); - - /* check for bad functions arguments */ - if (rsa == NULL) { - WOLFSSL_MSG("Bad Function Arguments"); - return BAD_FUNC_ARG; - } - - if ((ret = wolfSSL_RSA_To_Der(rsa, pp, 0)) < 0) { - WOLFSSL_MSG("wolfSSL_RSA_To_Der failed"); - return WOLFSSL_FAILURE; - } - - return ret; /* returns size of DER if successful */ -} - - -int wolfSSL_i2d_RSAPublicKey(WOLFSSL_RSA *rsa, const unsigned char **pp) -{ - int ret; - - /* check for bad functions arguments */ - if (rsa == NULL) { - WOLFSSL_MSG("Bad Function Arguments"); - return BAD_FUNC_ARG; - } - - if ((ret = wolfSSL_RSA_To_Der(rsa, (byte**)pp, 1)) < 0) { - WOLFSSL_MSG("wolfSSL_RSA_To_Der failed"); - return WOLFSSL_FAILURE; - } - - return ret; -} -#endif /* !defined(HAVE_FAST_RSA) && defined(WOLFSSL_KEY_GEN) && \ - * !defined(NO_RSA) && !defined(HAVE_USER_RSA) */ - -#endif /* !NO_RSA */ -#endif /* OPENSSL_EXTRA */ - -#if !defined(NO_RSA) && (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) -/* return WOLFSSL_SUCCESS if success, WOLFSSL_FATAL_ERROR if error */ -int wolfSSL_RSA_LoadDer(WOLFSSL_RSA* rsa, const unsigned char* derBuf, int derSz) -{ - return wolfSSL_RSA_LoadDer_ex(rsa, derBuf, derSz, WOLFSSL_RSA_LOAD_PRIVATE); -} - - -int wolfSSL_RSA_LoadDer_ex(WOLFSSL_RSA* rsa, const unsigned char* derBuf, - int derSz, int opt) -{ - - word32 idx = 0; - int ret; - - WOLFSSL_ENTER("wolfSSL_RSA_LoadDer"); - - if (rsa == NULL || rsa->internal == NULL || derBuf == NULL || derSz <= 0) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FATAL_ERROR; - } - - if (opt == WOLFSSL_RSA_LOAD_PRIVATE) { - ret = wc_RsaPrivateKeyDecode(derBuf, &idx, (RsaKey*)rsa->internal, derSz); - } - else { - ret = wc_RsaPublicKeyDecode(derBuf, &idx, (RsaKey*)rsa->internal, derSz); - } - - if (ret < 0) { - if (opt == WOLFSSL_RSA_LOAD_PRIVATE) { - WOLFSSL_MSG("RsaPrivateKeyDecode failed"); - } - else { - WOLFSSL_MSG("RsaPublicKeyDecode failed"); - } - return SSL_FATAL_ERROR; - } - - if (SetRsaExternal(rsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetRsaExternal failed"); - return WOLFSSL_FATAL_ERROR; - } - - rsa->inSet = 1; - - return WOLFSSL_SUCCESS; -} - -#if defined(WC_RSA_PSS) && (defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || \ - defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX)) -static int hash2mgf(enum wc_HashType hType) -{ - switch (hType) { -#ifndef NO_SHA - case WC_HASH_TYPE_SHA: - return WC_MGF1SHA1; -#endif -#ifndef NO_SHA256 -#ifdef WOLFSSL_SHA224 - case WC_HASH_TYPE_SHA224: - return WC_MGF1SHA224; -#endif - case WC_HASH_TYPE_SHA256: - return WC_MGF1SHA256; -#endif -#ifdef WOLFSSL_SHA384 - case WC_HASH_TYPE_SHA384: - return WC_MGF1SHA384; -#endif -#ifdef WOLFSSL_SHA512 - case WC_HASH_TYPE_SHA512: - return WC_MGF1SHA512; -#endif - case WC_HASH_TYPE_NONE: - case WC_HASH_TYPE_MD2: - case WC_HASH_TYPE_MD4: - case WC_HASH_TYPE_MD5: - case WC_HASH_TYPE_MD5_SHA: - case WC_HASH_TYPE_SHA3_224: - case WC_HASH_TYPE_SHA3_256: - case WC_HASH_TYPE_SHA3_384: - case WC_HASH_TYPE_SHA3_512: - case WC_HASH_TYPE_BLAKE2B: - case WC_HASH_TYPE_BLAKE2S: - default: - WOLFSSL_MSG("Unrecognized or unsupported hash function"); - return WC_MGF1NONE; - } -} - -/* - * +-----------+ - * | M | - * +-----------+ - * | - * V - * Hash - * | - * V - * +--------+----------+----------+ - * M' = |Padding1| mHash | salt | - * +--------+----------+----------+ - * | - * +--------+----------+ V - * DB = |Padding2|maskedseed| Hash - * +--------+----------+ | - * | | - * V | +--+ - * xor <--- MGF <---| |bc| - * | | +--+ - * | | | - * V V V - * +-------------------+----------+--+ - * EM = | maskedDB |maskedseed|bc| - * +-------------------+----------+--+ - * Diagram taken from https://tools.ietf.org/html/rfc3447#section-9.1 - */ -int wolfSSL_RSA_padding_add_PKCS1_PSS(WOLFSSL_RSA *rsa, unsigned char *EM, - const unsigned char *mHash, - const WOLFSSL_EVP_MD *hashAlg, int saltLen) -{ - int hashLen, emLen, mgf; - int ret = WOLFSSL_FAILURE; - int initTmpRng = 0; - WC_RNG *rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG = NULL; -#else - WC_RNG _tmpRNG[1]; - WC_RNG* tmpRNG = _tmpRNG; -#endif - enum wc_HashType hashType; - - WOLFSSL_ENTER("wolfSSL_RSA_padding_add_PKCS1_PSS"); - - if (!rsa || !EM || !mHash || !hashAlg) { - return WOLFSSL_FAILURE; - } - - if (!(rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRNG, &initTmpRng))) { - WOLFSSL_MSG("WOLFSSL_RSA_GetRNG error"); - goto cleanup; - } - - if (!rsa->exSet && SetRsaExternal(rsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetRsaExternal error"); - goto cleanup; - } - - hashType = wolfSSL_EVP_md2macType(hashAlg); - if (hashType < WC_HASH_TYPE_NONE || hashType > WC_HASH_TYPE_MAX) { - WOLFSSL_MSG("wolfSSL_EVP_md2macType error"); - goto cleanup; - } - - if ((mgf = hash2mgf(hashType)) == WC_MGF1NONE) { - WOLFSSL_MSG("hash2mgf error"); - goto cleanup; - } - - if ((hashLen = wolfSSL_EVP_MD_size(hashAlg)) < 0) { - WOLFSSL_MSG("wolfSSL_EVP_MD_size error"); - goto cleanup; - } - - if ((emLen = wolfSSL_RSA_size(rsa)) <= 0) { - WOLFSSL_MSG("wolfSSL_RSA_size error"); - goto cleanup; - } - - switch (saltLen) { - /* Negative saltLen values are treated differently */ - case RSA_PSS_SALTLEN_DIGEST: - saltLen = hashLen; - break; - case RSA_PSS_SALTLEN_MAX_SIGN: - case RSA_PSS_SALTLEN_MAX: - saltLen = emLen - hashLen - 2; - break; - default: - if (saltLen < 0) { - /* Not any currently implemented negative value */ - WOLFSSL_MSG("invalid saltLen"); - goto cleanup; - } - } - - if (wc_RsaPad_ex(mHash, wolfSSL_EVP_MD_size(hashAlg), EM, emLen, - RSA_BLOCK_TYPE_1, rng, WC_RSA_PSS_PAD, - wolfSSL_EVP_md2macType(hashAlg), mgf, NULL, 0, saltLen, - wolfSSL_BN_num_bits(rsa->n), NULL) != MP_OKAY) { - WOLFSSL_MSG("wc_RsaPad_ex error"); - goto cleanup; - } - - ret = WOLFSSL_SUCCESS; -cleanup: - if (initTmpRng) - wc_FreeRng(tmpRNG); -#ifdef WOLFSSL_SMALL_STACK - if (tmpRNG) - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} - -/* - * Refer to wolfSSL_RSA_padding_add_PKCS1_PSS - * for an explanation of the parameters. - */ -int wolfSSL_RSA_verify_PKCS1_PSS(WOLFSSL_RSA *rsa, const unsigned char *mHash, - const WOLFSSL_EVP_MD *hashAlg, - const unsigned char *EM, int saltLen) -{ - int hashLen, mgf, emLen, mPrimeLen; - enum wc_HashType hashType; - byte *mPrime = NULL; - byte *buf = NULL; - - WOLFSSL_ENTER("wolfSSL_RSA_verify_PKCS1_PSS"); - - if (!rsa || !mHash || !hashAlg || !EM) { - return WOLFSSL_FAILURE; - } - - if ((hashLen = wolfSSL_EVP_MD_size(hashAlg)) < 0) { - return WOLFSSL_FAILURE; - } - - if ((emLen = wolfSSL_RSA_size(rsa)) <= 0) { - WOLFSSL_MSG("wolfSSL_RSA_size error"); - return WOLFSSL_FAILURE; - } - - switch (saltLen) { - /* Negative saltLen values are treated differently */ - case RSA_PSS_SALTLEN_DIGEST: - saltLen = hashLen; - break; - case RSA_PSS_SALTLEN_MAX_SIGN: - case RSA_PSS_SALTLEN_MAX: - saltLen = emLen - hashLen - 2; - break; - default: - if (saltLen < 0) { - /* Not any currently implemented negative value */ - WOLFSSL_MSG("invalid saltLen"); - return WOLFSSL_FAILURE; - } - } - - if (!rsa->exSet && SetRsaExternal(rsa) != WOLFSSL_SUCCESS) { - return WOLFSSL_FAILURE; - } - - hashType = wolfSSL_EVP_md2macType(hashAlg); - if (hashType < WC_HASH_TYPE_NONE || hashType > WC_HASH_TYPE_MAX) { - WOLFSSL_MSG("wolfSSL_EVP_md2macType error"); - return WOLFSSL_FAILURE; - } - - if ((mgf = hash2mgf(hashType)) == WC_MGF1NONE) { - WOLFSSL_MSG("hash2mgf error"); - return WOLFSSL_FAILURE; - } - - if ((hashLen = wolfSSL_EVP_MD_size(hashAlg)) < 0) { - WOLFSSL_MSG("wolfSSL_EVP_MD_size error"); - return WOLFSSL_FAILURE; - } - - if (!(buf = (byte*)XMALLOC(emLen, NULL, DYNAMIC_TYPE_TMP_BUFFER))) { - WOLFSSL_MSG("malloc error"); - return WOLFSSL_FAILURE; - } - XMEMCPY(buf, EM, emLen); - - /* Remove and verify the PSS padding */ - if ((mPrimeLen = wc_RsaUnPad_ex(buf, emLen, &mPrime, - RSA_BLOCK_TYPE_1, WC_RSA_PSS_PAD, hashType, - mgf, NULL, 0, saltLen, - wolfSSL_BN_num_bits(rsa->n), NULL)) < 0) { - WOLFSSL_MSG("wc_RsaPad_ex error"); - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - - /* Verify the hash is correct */ - if (wc_RsaPSS_CheckPadding_ex(mHash, hashLen, mPrime, mPrimeLen, hashType, - saltLen, wolfSSL_BN_num_bits(rsa->n)) - != MP_OKAY) { - WOLFSSL_MSG("wc_RsaPSS_CheckPadding_ex error"); - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_SUCCESS; -} -#endif - -#if defined(OPENSSL_EXTRA) -WOLFSSL_RSA_METHOD *wolfSSL_RSA_meth_new(const char *name, int flags) -{ - int name_len; - WOLFSSL_RSA_METHOD* meth; - - if (name == NULL) { - return NULL; - } - - meth = (WOLFSSL_RSA_METHOD*)XMALLOC(sizeof(WOLFSSL_RSA_METHOD), NULL, - DYNAMIC_TYPE_OPENSSL); - name_len = (int)XSTRLEN(name); - if (!meth) { - return NULL; - } - meth->flags = flags; - meth->name = (char*)XMALLOC(name_len+1, NULL, DYNAMIC_TYPE_OPENSSL); - if (!meth->name) { - XFREE(meth, NULL, DYNAMIC_TYPE_OPENSSL); - return NULL; - } - XMEMCPY(meth->name, name, name_len+1); - - return meth; -} - -void wolfSSL_RSA_meth_free(WOLFSSL_RSA_METHOD *meth) -{ - if (meth) { - XFREE(meth->name, NULL, DYNAMIC_TYPE_OPENSSL); - XFREE(meth, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_RSA_meth_set(WOLFSSL_RSA_METHOD *rsa, void* p) -{ - (void)rsa; - (void)p; - WOLFSSL_STUB("RSA_METHOD is not implemented."); - return 1; -} -#endif - -int wolfSSL_RSA_set_method(WOLFSSL_RSA *rsa, WOLFSSL_RSA_METHOD *meth) -{ - if (rsa) - rsa->meth = meth; - return 1; -} - -const WOLFSSL_RSA_METHOD* wolfSSL_RSA_get_method(const WOLFSSL_RSA *rsa) -{ - if (!rsa) { - return NULL; - } - return rsa->meth; -} - -const WOLFSSL_RSA_METHOD* wolfSSL_RSA_get_default_method(void) -{ - return wolfSSL_RSA_meth_new("wolfSSL RSA", 0); -} - -int wolfSSL_RSA_flags(const WOLFSSL_RSA *r) -{ - if (r && r->meth) { - return r->meth->flags; - } else { - return 0; - } -} - -void wolfSSL_RSA_set_flags(WOLFSSL_RSA *r, int flags) -{ - if (r && r->meth) { - r->meth->flags = flags; - } -} - -#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) -WOLFSSL_RSA* wolfSSL_RSAPublicKey_dup(WOLFSSL_RSA *rsa) -{ - int derSz = 0; - byte *derBuf = NULL; - WOLFSSL_RSA* local; - - WOLFSSL_ENTER("wolfSSL_RSAPublicKey_dup"); - - if (!rsa) { - return NULL; - } - - local = wolfSSL_RSA_new(); - if (local == NULL) { - WOLFSSL_MSG("Error creating a new WOLFSSL_RSA structure"); - return NULL; - } - - if ((derSz = wolfSSL_RSA_To_Der(rsa, &derBuf, 1)) < 0) { - WOLFSSL_MSG("wolfSSL_RSA_To_Der failed"); - return NULL; - } - - if (wolfSSL_RSA_LoadDer_ex(local, - derBuf, derSz, - WOLFSSL_RSA_LOAD_PUBLIC) != SSL_SUCCESS) { - wolfSSL_RSA_free(local); - local = NULL; - } - XFREE(derBuf, NULL, DYNAMIC_TYPE_ASN1); - return local; -} -#endif - -void* wolfSSL_RSA_get_ex_data(const WOLFSSL_RSA *rsa, int idx) -{ - WOLFSSL_ENTER("wolfSSL_RSA_get_ex_data"); -#ifdef HAVE_EX_DATA - if (rsa) { - return wolfSSL_CRYPTO_get_ex_data(&rsa->ex_data, idx); - } -#else - (void)rsa; - (void)idx; -#endif - return NULL; -} - -int wolfSSL_RSA_set_ex_data(WOLFSSL_RSA *rsa, int idx, void *data) -{ - WOLFSSL_ENTER("wolfSSL_RSA_set_ex_data"); - #ifdef HAVE_EX_DATA - if (rsa) { - return wolfSSL_CRYPTO_set_ex_data(&rsa->ex_data, idx, data); - } - #else - (void)rsa; - (void)idx; - (void)data; - #endif - return WOLFSSL_FAILURE; -} - -int wolfSSL_RSA_set0_key(WOLFSSL_RSA *r, WOLFSSL_BIGNUM *n, WOLFSSL_BIGNUM *e, - WOLFSSL_BIGNUM *d) -{ - /* If the fields n and e in r are NULL, the corresponding input - * parameters MUST be non-NULL for n and e. d may be - * left NULL (in case only the public key is used). - */ - if ((!r->n && !n) || (!r->e && !e)) - return 0; - - if (n) { - wolfSSL_BN_free(r->n); - r->n = n; - } - if (e) { - wolfSSL_BN_free(r->e); - r->e = e; - } - if (d) { - wolfSSL_BN_clear_free(r->d); - r->d = d; - } - - return 1; -} -#endif /* OPENSSL_EXTRA */ -#endif /* NO_RSA */ - -#ifdef OPENSSL_EXTRA -#ifndef NO_DSA -/* return WOLFSSL_SUCCESS if success, WOLFSSL_FATAL_ERROR if error */ -int wolfSSL_DSA_LoadDer(WOLFSSL_DSA* dsa, const unsigned char* derBuf, int derSz) -{ - word32 idx = 0; - int ret; - - WOLFSSL_ENTER("wolfSSL_DSA_LoadDer"); - - if (dsa == NULL || dsa->internal == NULL || derBuf == NULL || derSz <= 0) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FATAL_ERROR; - } - - ret = DsaPrivateKeyDecode(derBuf, &idx, (DsaKey*)dsa->internal, derSz); - if (ret < 0) { - WOLFSSL_MSG("DsaPrivateKeyDecode failed"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetDsaExternal(dsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetDsaExternal failed"); - return WOLFSSL_FATAL_ERROR; - } - - dsa->inSet = 1; - - return WOLFSSL_SUCCESS; -} - -/* Loads DSA key from DER buffer. opt = DSA_LOAD_PRIVATE or DSA_LOAD_PUBLIC. - returns 1 on success, or 0 on failure. */ -int wolfSSL_DSA_LoadDer_ex(WOLFSSL_DSA* dsa, const unsigned char* derBuf, - int derSz, int opt) -{ - word32 idx = 0; - int ret; - - WOLFSSL_ENTER("wolfSSL_DSA_LoadDer"); - - if (dsa == NULL || dsa->internal == NULL || derBuf == NULL || derSz <= 0) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FATAL_ERROR; - } - - if (opt == WOLFSSL_DSA_LOAD_PRIVATE) { - ret = DsaPrivateKeyDecode(derBuf, &idx, (DsaKey*)dsa->internal, derSz); - } - else { - ret = DsaPublicKeyDecode(derBuf, &idx, (DsaKey*)dsa->internal, derSz); - } - - if (ret < 0 && opt == WOLFSSL_DSA_LOAD_PRIVATE) { - WOLFSSL_MSG("DsaPrivateKeyDecode failed"); - return WOLFSSL_FATAL_ERROR; - } - else if (ret < 0 && opt == WOLFSSL_DSA_LOAD_PUBLIC) { - WOLFSSL_MSG("DsaPublicKeyDecode failed"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetDsaExternal(dsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetDsaExternal failed"); - return WOLFSSL_FATAL_ERROR; - } - - dsa->inSet = 1; - - return WOLFSSL_SUCCESS; -} -#endif /* !NO_DSA */ - -#ifdef HAVE_ECC -/* return WOLFSSL_SUCCESS if success, WOLFSSL_FATAL_ERROR if error */ -int wolfSSL_EC_KEY_LoadDer(WOLFSSL_EC_KEY* key, const unsigned char* derBuf, - int derSz) -{ - return wolfSSL_EC_KEY_LoadDer_ex(key, derBuf, derSz, - WOLFSSL_EC_KEY_LOAD_PRIVATE); -} - -int wolfSSL_EC_KEY_LoadDer_ex(WOLFSSL_EC_KEY* key, const unsigned char* derBuf, - int derSz, int opt) -{ - word32 idx = 0; - int ret; - - WOLFSSL_ENTER("wolfSSL_EC_KEY_LoadDer"); - - if (key == NULL || key->internal == NULL || derBuf == NULL || derSz <= 0) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FATAL_ERROR; - } - - if (opt == WOLFSSL_EC_KEY_LOAD_PRIVATE) { - ret = wc_EccPrivateKeyDecode(derBuf, &idx, (ecc_key*)key->internal, - derSz); - } - else { - ret = wc_EccPublicKeyDecode(derBuf, &idx, (ecc_key*)key->internal, - derSz); - } - if (ret < 0) { - if (opt == WOLFSSL_EC_KEY_LOAD_PRIVATE) { - WOLFSSL_MSG("wc_EccPrivateKeyDecode failed"); - } - else { - WOLFSSL_MSG("wc_EccPublicKeyDecode failed"); - } - return WOLFSSL_FATAL_ERROR; - } - - if (SetECKeyExternal(key) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetECKeyExternal failed"); - return WOLFSSL_FATAL_ERROR; - } - - key->inSet = 1; - - return WOLFSSL_SUCCESS; -} -#endif /* HAVE_ECC */ - -#if !defined(NO_DH) && (defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH)) -/* return WOLFSSL_SUCCESS if success, WOLFSSL_FATAL_ERROR if error */ -int wolfSSL_DH_LoadDer(WOLFSSL_DH* dh, const unsigned char* derBuf, int derSz) -{ - word32 idx = 0; - int ret; - - if (dh == NULL || dh->internal == NULL || derBuf == NULL || derSz <= 0) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FATAL_ERROR; - } - - ret = wc_DhKeyDecode(derBuf, &idx, (DhKey*)dh->internal, (word32)derSz); - if (ret < 0) { - WOLFSSL_MSG("wc_DhKeyDecode failed"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetDhExternal(dh) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetDhExternal failed"); - return WOLFSSL_FATAL_ERROR; - } - - return WOLFSSL_SUCCESS; -} -#endif /* ! NO_DH && WOLFSSL_QT || OPENSSL_ALL */ - -#endif /* OPENSSL_EXTRA */ - - -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) - -/* increments ref count of WOLFSSL_RSA. Return 1 on success, 0 on error */ -int wolfSSL_RSA_up_ref(WOLFSSL_RSA* rsa) -{ - if (rsa) { - if (wc_LockMutex(&rsa->refMutex) != 0) { - WOLFSSL_MSG("Failed to lock x509 mutex"); - } - rsa->refCount++; - wc_UnLockMutex(&rsa->refMutex); - - return 1; - } - - return 0; -} - -/* increments ref count of WOLFSSL_X509. Return 1 on success, 0 on error */ -int wolfSSL_X509_up_ref(WOLFSSL_X509* x509) -{ - if (x509) { - if (wc_LockMutex(&x509->refMutex) != 0) { - WOLFSSL_MSG("Failed to lock x509 mutex"); - } - x509->refCount++; - wc_UnLockMutex(&x509->refMutex); - - return 1; - } - - return 0; -} - -#endif /* OPENSSL_EXTRA || OPENSSL_ALL */ - - -#ifdef WOLFSSL_ALT_CERT_CHAINS -int wolfSSL_is_peer_alt_cert_chain(const WOLFSSL* ssl) -{ - int isUsing = 0; - if (ssl) - isUsing = ssl->options.usingAltCertChain; - return isUsing; -} -#endif /* WOLFSSL_ALT_CERT_CHAINS */ - - -#ifdef SESSION_CERTS - -#ifdef WOLFSSL_ALT_CERT_CHAINS -/* Get peer's alternate certificate chain */ -WOLFSSL_X509_CHAIN* wolfSSL_get_peer_alt_chain(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_get_peer_alt_chain"); - if (ssl) - return &ssl->session.altChain; - - return 0; -} -#endif /* WOLFSSL_ALT_CERT_CHAINS */ - - -/* Get peer's certificate chain */ -WOLFSSL_X509_CHAIN* wolfSSL_get_peer_chain(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_get_peer_chain"); - if (ssl) - return &ssl->session.chain; - - return 0; -} - - -/* Get peer's certificate chain total count */ -int wolfSSL_get_chain_count(WOLFSSL_X509_CHAIN* chain) -{ - WOLFSSL_ENTER("wolfSSL_get_chain_count"); - if (chain) - return chain->count; - - return 0; -} - - -/* Get peer's ASN.1 DER certificate at index (idx) length in bytes */ -int wolfSSL_get_chain_length(WOLFSSL_X509_CHAIN* chain, int idx) -{ - WOLFSSL_ENTER("wolfSSL_get_chain_length"); - if (chain) - return chain->certs[idx].length; - - return 0; -} - - -/* Get peer's ASN.1 DER certificate at index (idx) */ -byte* wolfSSL_get_chain_cert(WOLFSSL_X509_CHAIN* chain, int idx) -{ - WOLFSSL_ENTER("wolfSSL_get_chain_cert"); - if (chain) - return chain->certs[idx].buffer; - - return 0; -} - - -/* Get peer's wolfSSL X509 certificate at index (idx) */ -WOLFSSL_X509* wolfSSL_get_chain_X509(WOLFSSL_X509_CHAIN* chain, int idx) -{ - int ret; - WOLFSSL_X509* x509 = NULL; -#ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; -#else - DecodedCert cert[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_get_chain_X509"); - if (chain != NULL) { - #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, - DYNAMIC_TYPE_DCERT); - if (cert != NULL) - #endif - { - InitDecodedCert(cert, chain->certs[idx].buffer, - chain->certs[idx].length, NULL); - - if ((ret = ParseCertRelative(cert, CERT_TYPE, 0, NULL)) != 0) { - WOLFSSL_MSG("Failed to parse cert"); - } - else { - x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL, - DYNAMIC_TYPE_X509); - if (x509 == NULL) { - WOLFSSL_MSG("Failed alloc X509"); - } - else { - InitX509(x509, 1, NULL); - - if ((ret = CopyDecodedToX509(x509, cert)) != 0) { - WOLFSSL_MSG("Failed to copy decoded"); - wolfSSL_X509_free(x509); - x509 = NULL; - } - } - } - - FreeDecodedCert(cert); - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); - #endif - } - } - (void)ret; - - return x509; -} - - -/* Get peer's PEM certificate at index (idx), output to buffer if inLen big - enough else return error (-1). If buffer is NULL only calculate - outLen. Output length is in *outLen WOLFSSL_SUCCESS on ok */ -int wolfSSL_get_chain_cert_pem(WOLFSSL_X509_CHAIN* chain, int idx, - unsigned char* buf, int inLen, int* outLen) -{ -#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) - const char* header = NULL; - const char* footer = NULL; - int headerLen; - int footerLen; - int i; - int err; - word32 szNeeded = 0; - - WOLFSSL_ENTER("wolfSSL_get_chain_cert_pem"); - if (!chain || !outLen || idx < 0 || idx >= wolfSSL_get_chain_count(chain)) - return BAD_FUNC_ARG; - - err = wc_PemGetHeaderFooter(CERT_TYPE, &header, &footer); - if (err != 0) - return err; - - headerLen = (int)XSTRLEN(header); - footerLen = (int)XSTRLEN(footer); - - /* Null output buffer return size needed in outLen */ - if(!buf) { - if(Base64_Encode(chain->certs[idx].buffer, chain->certs[idx].length, - NULL, &szNeeded) != LENGTH_ONLY_E) - return WOLFSSL_FAILURE; - *outLen = szNeeded + headerLen + footerLen; - return LENGTH_ONLY_E; - } - - /* don't even try if inLen too short */ - if (inLen < headerLen + footerLen + chain->certs[idx].length) - return BAD_FUNC_ARG; - - /* header */ - if (XMEMCPY(buf, header, headerLen) == NULL) - return WOLFSSL_FATAL_ERROR; - - i = headerLen; - - /* body */ - *outLen = inLen; /* input to Base64_Encode */ - if ( (err = Base64_Encode(chain->certs[idx].buffer, - chain->certs[idx].length, buf + i, (word32*)outLen)) < 0) - return err; - i += *outLen; - - /* footer */ - if ( (i + footerLen) > inLen) - return BAD_FUNC_ARG; - if (XMEMCPY(buf + i, footer, footerLen) == NULL) - return WOLFSSL_FATAL_ERROR; - *outLen += headerLen + footerLen; - - return WOLFSSL_SUCCESS; -#else - (void)chain; - (void)idx; - (void)buf; - (void)inLen; - (void)outLen; - return WOLFSSL_FAILURE; -#endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */ -} - - -/* get session ID */ -WOLFSSL_ABI -const byte* wolfSSL_get_sessionID(const WOLFSSL_SESSION* session) -{ - WOLFSSL_ENTER("wolfSSL_get_sessionID"); - if (session) - return session->sessionID; - - return NULL; -} - - -#endif /* SESSION_CERTS */ - -#ifdef HAVE_FUZZER -void wolfSSL_SetFuzzerCb(WOLFSSL* ssl, CallbackFuzzer cbf, void* fCtx) -{ - if (ssl) { - ssl->fuzzerCb = cbf; - ssl->fuzzerCtx = fCtx; - } -} -#endif - -#ifndef NO_CERTS -#ifdef HAVE_PK_CALLBACKS - -#ifdef HAVE_ECC -void wolfSSL_CTX_SetEccKeyGenCb(WOLFSSL_CTX* ctx, CallbackEccKeyGen cb) -{ - if (ctx) - ctx->EccKeyGenCb = cb; -} -void wolfSSL_SetEccKeyGenCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->EccKeyGenCtx = ctx; -} -void* wolfSSL_GetEccKeyGenCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->EccKeyGenCtx; - - return NULL; -} - -WOLFSSL_ABI -void wolfSSL_CTX_SetEccSignCb(WOLFSSL_CTX* ctx, CallbackEccSign cb) -{ - if (ctx) - ctx->EccSignCb = cb; -} -void wolfSSL_SetEccSignCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->EccSignCtx = ctx; -} -void* wolfSSL_GetEccSignCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->EccSignCtx; - - return NULL; -} - -void wolfSSL_CTX_SetEccVerifyCb(WOLFSSL_CTX* ctx, CallbackEccVerify cb) -{ - if (ctx) - ctx->EccVerifyCb = cb; -} -void wolfSSL_SetEccVerifyCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->EccVerifyCtx = ctx; -} -void* wolfSSL_GetEccVerifyCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->EccVerifyCtx; - - return NULL; -} - -void wolfSSL_CTX_SetEccSharedSecretCb(WOLFSSL_CTX* ctx, CallbackEccSharedSecret cb) -{ - if (ctx) - ctx->EccSharedSecretCb = cb; -} -void wolfSSL_SetEccSharedSecretCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->EccSharedSecretCtx = ctx; -} -void* wolfSSL_GetEccSharedSecretCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->EccSharedSecretCtx; - - return NULL; -} -#endif /* HAVE_ECC */ - -#ifdef HAVE_ED25519 -void wolfSSL_CTX_SetEd25519SignCb(WOLFSSL_CTX* ctx, CallbackEd25519Sign cb) -{ - if (ctx) - ctx->Ed25519SignCb = cb; -} -void wolfSSL_SetEd25519SignCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->Ed25519SignCtx = ctx; -} -void* wolfSSL_GetEd25519SignCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->Ed25519SignCtx; - - return NULL; -} - -void wolfSSL_CTX_SetEd25519VerifyCb(WOLFSSL_CTX* ctx, CallbackEd25519Verify cb) -{ - if (ctx) - ctx->Ed25519VerifyCb = cb; -} -void wolfSSL_SetEd25519VerifyCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->Ed25519VerifyCtx = ctx; -} -void* wolfSSL_GetEd25519VerifyCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->Ed25519VerifyCtx; - - return NULL; -} -#endif /* HAVE_ED25519 */ - -#ifdef HAVE_CURVE25519 -void wolfSSL_CTX_SetX25519KeyGenCb(WOLFSSL_CTX* ctx, - CallbackX25519KeyGen cb) -{ - if (ctx) - ctx->X25519KeyGenCb = cb; -} -void wolfSSL_SetX25519KeyGenCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->X25519KeyGenCtx = ctx; -} -void* wolfSSL_GetX25519KeyGenCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->X25519KeyGenCtx; - - return NULL; -} - -void wolfSSL_CTX_SetX25519SharedSecretCb(WOLFSSL_CTX* ctx, - CallbackX25519SharedSecret cb) -{ - if (ctx) - ctx->X25519SharedSecretCb = cb; -} -void wolfSSL_SetX25519SharedSecretCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->X25519SharedSecretCtx = ctx; -} -void* wolfSSL_GetX25519SharedSecretCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->X25519SharedSecretCtx; - - return NULL; -} -#endif /* HAVE_CURVE25519 */ - -#ifdef HAVE_ED448 -void wolfSSL_CTX_SetEd448SignCb(WOLFSSL_CTX* ctx, CallbackEd448Sign cb) -{ - if (ctx) - ctx->Ed448SignCb = cb; -} -void wolfSSL_SetEd448SignCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->Ed448SignCtx = ctx; -} -void* wolfSSL_GetEd448SignCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->Ed448SignCtx; - - return NULL; -} - -void wolfSSL_CTX_SetEd448VerifyCb(WOLFSSL_CTX* ctx, CallbackEd448Verify cb) -{ - if (ctx) - ctx->Ed448VerifyCb = cb; -} -void wolfSSL_SetEd448VerifyCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->Ed448VerifyCtx = ctx; -} -void* wolfSSL_GetEd448VerifyCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->Ed448VerifyCtx; - - return NULL; -} -#endif /* HAVE_ED448 */ - -#ifdef HAVE_CURVE448 -void wolfSSL_CTX_SetX448KeyGenCb(WOLFSSL_CTX* ctx, - CallbackX448KeyGen cb) -{ - if (ctx) - ctx->X448KeyGenCb = cb; -} -void wolfSSL_SetX448KeyGenCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->X448KeyGenCtx = ctx; -} -void* wolfSSL_GetX448KeyGenCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->X448KeyGenCtx; - - return NULL; -} - -void wolfSSL_CTX_SetX448SharedSecretCb(WOLFSSL_CTX* ctx, - CallbackX448SharedSecret cb) -{ - if (ctx) - ctx->X448SharedSecretCb = cb; -} -void wolfSSL_SetX448SharedSecretCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->X448SharedSecretCtx = ctx; -} -void* wolfSSL_GetX448SharedSecretCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->X448SharedSecretCtx; - - return NULL; -} -#endif /* HAVE_CURVE448 */ - -#ifndef NO_RSA -void wolfSSL_CTX_SetRsaSignCb(WOLFSSL_CTX* ctx, CallbackRsaSign cb) -{ - if (ctx) - ctx->RsaSignCb = cb; -} -void wolfSSL_CTX_SetRsaSignCheckCb(WOLFSSL_CTX* ctx, CallbackRsaVerify cb) -{ - if (ctx) - ctx->RsaSignCheckCb = cb; -} -void wolfSSL_SetRsaSignCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->RsaSignCtx = ctx; -} -void* wolfSSL_GetRsaSignCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->RsaSignCtx; - - return NULL; -} - - -void wolfSSL_CTX_SetRsaVerifyCb(WOLFSSL_CTX* ctx, CallbackRsaVerify cb) -{ - if (ctx) - ctx->RsaVerifyCb = cb; -} -void wolfSSL_SetRsaVerifyCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->RsaVerifyCtx = ctx; -} -void* wolfSSL_GetRsaVerifyCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->RsaVerifyCtx; - - return NULL; -} - -#ifdef WC_RSA_PSS -void wolfSSL_CTX_SetRsaPssSignCb(WOLFSSL_CTX* ctx, CallbackRsaPssSign cb) -{ - if (ctx) - ctx->RsaPssSignCb = cb; -} -void wolfSSL_CTX_SetRsaPssSignCheckCb(WOLFSSL_CTX* ctx, CallbackRsaPssVerify cb) -{ - if (ctx) - ctx->RsaPssSignCheckCb = cb; -} -void wolfSSL_SetRsaPssSignCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->RsaPssSignCtx = ctx; -} -void* wolfSSL_GetRsaPssSignCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->RsaPssSignCtx; - - return NULL; -} - -void wolfSSL_CTX_SetRsaPssVerifyCb(WOLFSSL_CTX* ctx, CallbackRsaPssVerify cb) -{ - if (ctx) - ctx->RsaPssVerifyCb = cb; -} -void wolfSSL_SetRsaPssVerifyCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->RsaPssVerifyCtx = ctx; -} -void* wolfSSL_GetRsaPssVerifyCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->RsaPssVerifyCtx; - - return NULL; -} -#endif /* WC_RSA_PSS */ - -void wolfSSL_CTX_SetRsaEncCb(WOLFSSL_CTX* ctx, CallbackRsaEnc cb) -{ - if (ctx) - ctx->RsaEncCb = cb; -} -void wolfSSL_SetRsaEncCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->RsaEncCtx = ctx; -} -void* wolfSSL_GetRsaEncCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->RsaEncCtx; - - return NULL; -} - -void wolfSSL_CTX_SetRsaDecCb(WOLFSSL_CTX* ctx, CallbackRsaDec cb) -{ - if (ctx) - ctx->RsaDecCb = cb; -} -void wolfSSL_SetRsaDecCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->RsaDecCtx = ctx; -} -void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->RsaDecCtx; - - return NULL; -} -#endif /* NO_RSA */ - -#endif /* HAVE_PK_CALLBACKS */ -#endif /* NO_CERTS */ - -#if defined(HAVE_PK_CALLBACKS) && !defined(NO_DH) -void wolfSSL_CTX_SetDhAgreeCb(WOLFSSL_CTX* ctx, CallbackDhAgree cb) -{ - if (ctx) - ctx->DhAgreeCb = cb; -} -void wolfSSL_SetDhAgreeCtx(WOLFSSL* ssl, void *ctx) -{ - if (ssl) - ssl->DhAgreeCtx = ctx; -} -void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) -{ - if (ssl) - return ssl->DhAgreeCtx; - - return NULL; -} -#endif /* HAVE_PK_CALLBACKS && !NO_DH */ - - -#ifdef WOLFSSL_HAVE_WOLFSCEP - /* Used by autoconf to see if wolfSCEP is available */ - void wolfSSL_wolfSCEP(void) {} -#endif - - -#ifdef WOLFSSL_HAVE_CERT_SERVICE - /* Used by autoconf to see if cert service is available */ - void wolfSSL_cert_service(void) {} -#endif - -#ifdef OPENSSL_EXTRA - #ifndef NO_CERTS - void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME *name) - { - WOLFSSL_ENTER("wolfSSL_X509_NAME_free"); - FreeX509Name(name, NULL); - XFREE(name, NULL, DYNAMIC_TYPE_X509); - } - - - /* Malloc's a new WOLFSSL_X509_NAME structure - * - * returns NULL on failure, otherwise returns a new structure. - */ - WOLFSSL_X509_NAME* wolfSSL_X509_NAME_new(void) - { - WOLFSSL_X509_NAME* name; - - WOLFSSL_ENTER("wolfSSL_X509_NAME_new"); - - name = (WOLFSSL_X509_NAME*)XMALLOC(sizeof(WOLFSSL_X509_NAME), NULL, - DYNAMIC_TYPE_X509); - if (name != NULL) { - InitX509Name(name, 1); - } - return name; - } - - /* Creates a duplicate of a WOLFSSL_X509_NAME structure. - Returns a new WOLFSSL_X509_NAME structure or NULL on failure */ - WOLFSSL_X509_NAME* wolfSSL_X509_NAME_dup(WOLFSSL_X509_NAME *name) - { - WOLFSSL_X509_NAME* dup = NULL; - - WOLFSSL_ENTER("wolfSSL_X509_NAME_dup"); - - if (name == NULL) { - WOLFSSL_MSG("NULL parameter"); - return NULL; - } - - if (!(dup = wolfSSL_X509_NAME_new())) { - return NULL; - } - - /* copy contents */ - XMEMCPY(dup, name, sizeof(WOLFSSL_X509_NAME)); - InitX509Name(dup, 1); - dup->sz = name->sz; - - /* handle dynamic portions */ - if (name->dynamicName) { - if (!(dup->name = (char*)XMALLOC(name->sz, 0, - DYNAMIC_TYPE_OPENSSL))) { - goto err; - } - } - XMEMCPY(dup->name, name->name, name->sz); - #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ - !defined(NO_ASN) - if (!(dup->fullName.fullName = (char*)XMALLOC(name->fullName.fullNameLen, - 0, DYNAMIC_TYPE_OPENSSL))) { - goto err; - } - XMEMCPY(dup->fullName.fullName, name->fullName.fullName, - name->fullName.fullNameLen); - #endif - - return dup; - - err: - if (dup) { - if (dup->dynamicName && dup->name) { - XFREE(dup->name, 0, DYNAMIC_TYPE_OPENSSL); - dup->name = NULL; - } - #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ - !defined(NO_ASN) - if (dup->fullName.fullName && - dup->fullName.fullName != name->fullName.fullName) { - XFREE(dup->fullName.fullName, 0, DYNAMIC_TYPE_OPENSSL); - dup->fullName.fullName = NULL; - } - #endif - wolfSSL_X509_NAME_free(dup); - } - return NULL; - } - -#if defined(WOLFSSL_CERT_GEN) - /* helper function for CopyX509NameToCertName() - * - * returns WOLFSSL_SUCCESS on success - */ - static int CopyX509NameEntry(char* out, int mx, char* in, int inLen) - { - if (inLen > mx) { - WOLFSSL_MSG("Name too long"); - XMEMCPY(out, in, mx); - } - else { - XMEMCPY(out, in, inLen); - out[inLen] = '\0'; - } - - /* make sure is null terminated */ - out[mx-1] = '\0'; - - return WOLFSSL_SUCCESS; - } - - - /* Helper function to copy cert name from a WOLFSSL_X509_NAME structure to - * a CertName structure. - * - * returns WOLFSSL_SUCCESS on success and a negative error value on failure - */ - static int CopyX509NameToCertName(WOLFSSL_X509_NAME* n, CertName* cName) - { - DecodedName* dn = NULL; - - if (n == NULL || cName == NULL) { - return BAD_FUNC_ARG; - } - - dn = &(n->fullName); - - /* initialize cert name */ - cName->country[0] = '\0'; - cName->countryEnc = CTC_PRINTABLE; - cName->state[0] = '\0'; - cName->stateEnc = CTC_UTF8; - cName->locality[0] = '\0'; - cName->localityEnc = CTC_UTF8; - cName->sur[0] = '\0'; - cName->surEnc = CTC_UTF8; - cName->org[0] = '\0'; - cName->orgEnc = CTC_UTF8; - cName->unit[0] = '\0'; - cName->unitEnc = CTC_UTF8; - cName->commonName[0] = '\0'; - cName->commonNameEnc = CTC_UTF8; - cName->serialDev[0] = '\0'; - cName->serialDevEnc = CTC_PRINTABLE; - #ifdef WOLFSSL_CERT_EXT - cName->busCat[0] = '\0'; - cName->busCatEnc = CTC_UTF8; - cName->joiC[0] = '\0'; - cName->joiCEnc = CTC_PRINTABLE; - cName->joiSt[0] = '\0'; - cName->joiStEnc = CTC_PRINTABLE; - #endif - cName->email[0] = '\0'; - - - /* ASN_COUNTRY_NAME */ - WOLFSSL_MSG("Copy Country Name"); - if (CopyX509NameEntry(cName->country, CTC_NAME_SIZE, dn->fullName + dn->cIdx, - dn->cLen) != SSL_SUCCESS) { - return BUFFER_E; - } - - /* ASN_ORGUNIT_NAME */ - WOLFSSL_MSG("Copy Org Unit Name"); - if (CopyX509NameEntry(cName->unit, CTC_NAME_SIZE, dn->fullName + dn->ouIdx, - dn->ouLen) != SSL_SUCCESS) { - return BUFFER_E; - } - - /* ASN_ORG_NAME */ - WOLFSSL_MSG("Copy Org Name"); - if (CopyX509NameEntry(cName->org, CTC_NAME_SIZE, dn->fullName + dn->oIdx, - dn->oLen) != SSL_SUCCESS) { - return BUFFER_E; - } - - /* ASN_STATE_NAME */ - WOLFSSL_MSG("Copy State Name"); - if (CopyX509NameEntry(cName->state, CTC_NAME_SIZE, dn->fullName + dn->stIdx, - dn->stLen) != SSL_SUCCESS) { - return BUFFER_E; - } - - /* ASN_LOCALITY_NAME */ - WOLFSSL_MSG("Copy Locality Name"); - if (CopyX509NameEntry(cName->locality, CTC_NAME_SIZE, - dn->fullName + dn->lIdx, dn->lLen) - != SSL_SUCCESS) { - return BUFFER_E; - } - - /* ASN_SUR_NAME */ - WOLFSSL_MSG("Copy Sur Name"); - if (CopyX509NameEntry(cName->sur, CTC_NAME_SIZE, dn->fullName + dn->snIdx, - dn->snLen) != SSL_SUCCESS) { - return BUFFER_E; - } - - /* ASN_COMMON_NAME */ - WOLFSSL_MSG("Copy Common Name"); - if (CopyX509NameEntry(cName->commonName, CTC_NAME_SIZE, - dn->fullName + dn->cnIdx, dn->cnLen) - != SSL_SUCCESS) { - return BUFFER_E; - } - - /* ASN_SERIAL_NUMBER */ - WOLFSSL_MSG("Copy Serial Number of Device"); - if (CopyX509NameEntry(cName->serialDev, CTC_NAME_SIZE, - dn->fullName + dn->serialIdx, dn->serialLen) - != SSL_SUCCESS) { - return BUFFER_E; - } - - #ifdef WOLFSSL_CERT_EXT - /* ASN_BUS_CAT */ - WOLFSSL_MSG("Copy Business Category"); - if (CopyX509NameEntry(cName->busCat, CTC_NAME_SIZE, - dn->fullName + dn->bcIdx, dn->bcLen) - != SSL_SUCCESS) { - return BUFFER_E; - } - - /* JoI Country */ - WOLFSSL_MSG("Copy Jurisdiction of Incorporation Country"); - if (CopyX509NameEntry(cName->joiC, CTC_NAME_SIZE, - dn->fullName + dn->jcIdx, dn->jcLen) - != SSL_SUCCESS) { - return BUFFER_E; - } - - /* JoI State */ - WOLFSSL_MSG("Copy Jurisdiction of Incorporation State"); - if (CopyX509NameEntry(cName->joiSt, CTC_NAME_SIZE, - dn->fullName + dn->jsIdx, dn->jsLen) - != SSL_SUCCESS) { - return BUFFER_E; - } - #endif - - WOLFSSL_MSG("Copy Email"); - if (CopyX509NameEntry(cName->email, CTC_NAME_SIZE, - dn->fullName + dn->emailIdx, dn->emailLen) - != SSL_SUCCESS) { - return BUFFER_E; - } - - return WOLFSSL_SUCCESS; - } - -#ifdef WOLFSSL_CERT_REQ - static int ReqCertFromX509(Cert* cert, WOLFSSL_X509* req) - { - int ret; - - if (wc_InitCert(cert) != 0) - return WOLFSSL_FAILURE; - - ret = CopyX509NameToCertName(&req->subject, &cert->subject); - if (ret == WOLFSSL_SUCCESS) { - cert->version = req->version; - cert->isCA = req->isCa; -#ifdef WOLFSSL_CERT_EXT - if (req->subjKeyIdSz != 0) { - XMEMCPY(cert->skid, req->subjKeyId, req->subjKeyIdSz); - cert->skidSz = req->subjKeyIdSz; - } - if (req->keyUsageSet) - cert->keyUsage = req->keyUsage; - /* Extended Key Usage not supported. */ -#endif - } - - return ret; - } -#endif - - /* convert a WOLFSSL_X509 to a Cert structure for writing out */ - static int CertFromX509(Cert* cert, WOLFSSL_X509* x509) - { - int ret; - #ifdef WOLFSSL_CERT_EXT - int i; - #endif - - WOLFSSL_ENTER("wolfSSL_X509_to_Cert()"); - - if (x509 == NULL || cert == NULL) { - return BAD_FUNC_ARG; - } - - wc_InitCert(cert); - - cert->version = (int)wolfSSL_X509_get_version(x509); - - #ifdef WOLFSSL_ALT_NAMES - if (x509->notBefore.length > 0) { - if ((x509->notBefore.length + 2) < CTC_DATE_SIZE) { - cert->beforeDate[0] = x509->notBefore.type; - cert->beforeDate[1] = x509->notBefore.length; - XMEMCPY(&cert->beforeDate[2], x509->notBefore.data, - x509->notBefore.length); - cert->beforeDateSz = x509->notBefore.length + 2; - } - else { - WOLFSSL_MSG("Not before date too large"); - return WOLFSSL_FAILURE; - } - } - else { - cert->beforeDateSz = 0; - } - if (x509->notAfter.length > 0) { - if ((x509->notAfter.length + 2) < CTC_DATE_SIZE) { - cert->afterDate[0] = x509->notAfter.type; - cert->afterDate[1] = x509->notAfter.length; - XMEMCPY(&cert->afterDate[2], x509->notAfter.data, - x509->notAfter.length); - cert->afterDateSz = x509->notAfter.length + 2; - } - else { - WOLFSSL_MSG("Not after date too large"); - return WOLFSSL_FAILURE; - } - } - else { - cert->afterDateSz = 0; - } - - cert->altNamesSz = FlattenAltNames(cert->altNames, - sizeof(cert->altNames), x509->altNames); - - #endif /* WOLFSSL_ALT_NAMES */ - - cert->sigType = wolfSSL_X509_get_signature_type(x509); - cert->keyType = x509->pubKeyOID; - cert->isCA = wolfSSL_X509_get_isCA(x509); - - #ifdef WOLFSSL_CERT_EXT - if (x509->subjKeyIdSz < CTC_MAX_SKID_SIZE) { - XMEMCPY(cert->skid, x509->subjKeyId, x509->subjKeyIdSz); - cert->skidSz = (int)x509->subjKeyIdSz; - } - else { - WOLFSSL_MSG("Subject Key ID too large"); - return WOLFSSL_FAILURE; - } - - if (x509->authKeyIdSz < CTC_MAX_AKID_SIZE) { - XMEMCPY(cert->akid, x509->authKeyId, x509->authKeyIdSz); - cert->akidSz = (int)x509->authKeyIdSz; - } - else { - WOLFSSL_MSG("Auth Key ID too large"); - return WOLFSSL_FAILURE; - } - - for (i = 0; i < x509->certPoliciesNb; i++) { - /* copy the smaller of MAX macros, by default they are currently equal*/ - if ((int)CTC_MAX_CERTPOL_SZ <= (int)MAX_CERTPOL_SZ) { - XMEMCPY(cert->certPolicies[i], x509->certPolicies[i], - CTC_MAX_CERTPOL_SZ); - } - else { - XMEMCPY(cert->certPolicies[i], x509->certPolicies[i], - MAX_CERTPOL_SZ); - } - } - cert->certPoliciesNb = (word16)x509->certPoliciesNb; - - cert->keyUsage = x509->keyUsage; - #endif /* WOLFSSL_CERT_EXT */ - - #ifdef WOLFSSL_CERT_REQ - /* copy over challenge password for REQ certs */ - XMEMCPY(cert->challengePw, x509->challengePw, CTC_NAME_SIZE); - #endif - - if (x509->serialSz <= CTC_SERIAL_SIZE) { - XMEMCPY(cert->serial, x509->serial, x509->serialSz); - } - else { - WOLFSSL_MSG("Serial size error"); - return WOLFSSL_FAILURE; - } - - /* copy over Name structures */ - if (x509->issuerSet) - cert->selfSigned = 0; - if ((ret = CopyX509NameToCertName(&(x509->issuer), &(cert->issuer))) - != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error copying over issuer names"); - WOLFSSL_LEAVE("wolfSSL_X509_to_Cert()", ret); - return WOLFSSL_FAILURE; - } - if ((ret = CopyX509NameToCertName(&(x509->subject), &(cert->subject))) - != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error copying over subject names"); - WOLFSSL_LEAVE("wolfSSL_X509_to_Cert()", ret); - return WOLFSSL_FAILURE; - } - - cert->heap = x509->heap; - - return WOLFSSL_SUCCESS; - } - - - /* returns the sig type to use on success i.e CTC_SHAwRSA and WOLFSSL_FALURE - * on fail case */ - static int wolfSSL_sigTypeFromPKEY(WOLFSSL_EVP_MD* md, - WOLFSSL_EVP_PKEY* pkey) - { - int hashType; - int sigType = WOLFSSL_FAILURE; - - /* Convert key type and hash algorithm to a signature algorithm */ - if (wolfSSL_EVP_get_hashinfo(md, &hashType, NULL) == WOLFSSL_FAILURE) - return WOLFSSL_FAILURE; - - - if (pkey->type == EVP_PKEY_RSA) { - switch (hashType) { - case WC_HASH_TYPE_SHA: - sigType = CTC_SHAwRSA; - break; - case WC_HASH_TYPE_SHA224: - sigType = CTC_SHA224wRSA; - break; - case WC_HASH_TYPE_SHA256: - sigType = CTC_SHA256wRSA; - break; - case WC_HASH_TYPE_SHA384: - sigType = CTC_SHA384wRSA; - break; - case WC_HASH_TYPE_SHA512: - sigType = CTC_SHA512wRSA; - break; - default: - return WOLFSSL_FAILURE; - } - } - else if (pkey->type == EVP_PKEY_EC) { - switch (hashType) { - case WC_HASH_TYPE_SHA: - sigType = CTC_SHAwECDSA; - break; - case WC_HASH_TYPE_SHA224: - sigType = CTC_SHA224wECDSA; - break; - case WC_HASH_TYPE_SHA256: - sigType = CTC_SHA256wECDSA; - break; - case WC_HASH_TYPE_SHA384: - sigType = CTC_SHA384wECDSA; - break; - case WC_HASH_TYPE_SHA512: - sigType = CTC_SHA512wECDSA; - break; - default: - return WOLFSSL_FAILURE; - } - } - else - return WOLFSSL_FAILURE; - return sigType; - } - - - /* generates DER buffer from WOLFSSL_X509 - * If req == 1 then creates a request DER buffer - * - * updates derSz with certificate body size on success - * return WOLFSSL_SUCCESS on success - */ - static int wolfSSL_X509_make_der(WOLFSSL_X509* x509, int req, - unsigned char* der, int* derSz) - { - int ret; - Cert cert; - void* key = NULL; - int type = -1; - #ifndef NO_RSA - RsaKey rsa; - #endif - #ifdef HAVE_ECC - ecc_key ecc; - #endif - WC_RNG rng; - word32 idx = 0; - - if (x509 == NULL || der == NULL || derSz == NULL) - return BAD_FUNC_ARG; - - #ifndef WOLFSSL_CERT_REQ - if (req) { - WOLFSSL_MSG("WOLFSSL_CERT_REQ needed for certificate request"); - return WOLFSSL_FAILURE; - } - #endif - - #ifdef WOLFSSL_CERT_REQ - if (req) { - if (ReqCertFromX509(&cert, x509) != WOLFSSL_SUCCESS) - return WOLFSSL_FAILURE; - } - else - #endif - { - /* Create a Cert that has the certificate fields. */ - if (CertFromX509(&cert, x509) != WOLFSSL_SUCCESS) - return WOLFSSL_FAILURE; - } - - /* Create a public key object from requests public key. */ - #ifndef NO_RSA - if (x509->pubKeyOID == RSAk) { - type = RSA_TYPE; - ret = wc_InitRsaKey(&rsa, x509->heap); - if (ret != 0) - return ret; - ret = wc_RsaPublicKeyDecode(x509->pubKey.buffer, &idx, &rsa, - x509->pubKey.length); - if (ret != 0) { - wc_FreeRsaKey(&rsa); - return ret; - } - key = (void*)&rsa; - } - #endif - #ifdef HAVE_ECC - if (x509->pubKeyOID == ECDSAk) { - type = ECC_TYPE; - ret = wc_ecc_init(&ecc); - if (ret != 0) - return ret; - ret = wc_EccPublicKeyDecode(x509->pubKey.buffer, &idx, &ecc, - x509->pubKey.length); - if (ret != 0) { - wc_ecc_free(&ecc); - return ret; - } - key = (void*)&ecc; - } - #endif - if (key == NULL) - return WOLFSSL_FAILURE; - - /* Make the body of the certificate request. */ - #ifdef WOLFSSL_CERT_REQ - if (req) { - ret = wc_MakeCertReq_ex(&cert, der, *derSz, type, key); - } - else - #endif - { - ret = wc_InitRng(&rng); - if (ret != 0) - return WOLFSSL_FAILURE; - - ret = wc_MakeCert_ex(&cert, der, *derSz, type, key, &rng); - wc_FreeRng(&rng); - } - if (ret < 0) { - return ret; - } - - /* Dispose of the public key object. */ - #ifndef NO_RSA - if (x509->pubKeyOID == RSAk) - wc_FreeRsaKey(&rsa); - #endif - #ifdef HAVE_ECC - if (x509->pubKeyOID == ECDSAk) - wc_ecc_free(&ecc); - #endif - *derSz = ret; - - return WOLFSSL_SUCCESS; - } - - - /* signs a der buffer for the WOLFSSL_X509 structure using the PKEY and MD - * hash passed in - * - * WARNING: this free's and replaces the existing DER buffer in the - * WOLFSSL_X509 with the newly signed buffer. - * returns size of signed buffer on success and negative values on fail - */ - static int wolfSSL_X509_resign_cert(WOLFSSL_X509* x509, int req, - unsigned char* der, int derSz, int certBodySz, WOLFSSL_EVP_MD* md, - WOLFSSL_EVP_PKEY* pkey) - { - int ret; - void* key = NULL; - int type = -1; - int sigType; - WC_RNG rng; - - sigType = wolfSSL_sigTypeFromPKEY(md, pkey); - if (sigType == WOLFSSL_FAILURE) - return WOLFSSL_FATAL_ERROR; - - - /* Get the private key object and type from pkey. */ - #ifndef NO_RSA - if (pkey->type == EVP_PKEY_RSA) { - type = RSA_TYPE; - key = pkey->rsa->internal; - } - #endif - #ifdef HAVE_ECC - if (pkey->type == EVP_PKEY_EC) { - type = ECC_TYPE; - key = pkey->ecc->internal; - } - #endif - - /* Sign the certificate request body. */ - ret = wc_InitRng(&rng); - if (ret != 0) - return ret; - ret = wc_SignCert_ex(certBodySz, sigType, der, derSz, type, key, &rng); - wc_FreeRng(&rng); - if (ret < 0) - return ret; - - /* Put in the new certificate encoding into the x509 object. */ - FreeDer(&x509->derCert); - type = CERT_TYPE; - #ifdef WOLFSSL_REQ_CERT - if (req) { - type = CERTREQ_TYPE; - } - #endif - - if (AllocDer(&x509->derCert, ret, type, NULL) != 0) - return WOLFSSL_FATAL_ERROR; - XMEMCPY(x509->derCert->buffer, der, ret); - x509->derCert->length = ret; - - (void)req; - return ret; - } - - - /* returns the size of signature on success */ - int wolfSSL_X509_sign(WOLFSSL_X509* x509, WOLFSSL_EVP_PKEY* pkey, - const WOLFSSL_EVP_MD* md) - { - int ret; - byte der[4096]; /* @TODO dynamic set based on expected cert size */ - int derSz = sizeof(der); - - WOLFSSL_ENTER("wolfSSL_X509_sign"); - - if (x509 == NULL || pkey == NULL || md == NULL) - return WOLFSSL_FAILURE; - - x509->sigOID = wolfSSL_sigTypeFromPKEY((WOLFSSL_EVP_MD*)md, pkey); - if ((ret = wolfSSL_X509_make_der(x509, 0, der, &derSz)) != - WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Unable to make DER for X509"); - WOLFSSL_LEAVE("wolfSSL_X509_sign", ret); - return WOLFSSL_FAILURE; - } - - ret = wolfSSL_X509_resign_cert(x509, 0, der, sizeof(der), derSz, - (WOLFSSL_EVP_MD*)md, pkey); - if (ret <= 0) { - WOLFSSL_LEAVE("wolfSSL_X509_sign", ret); - return WOLFSSL_FAILURE; - } - - return ret; - } - - - /* Converts the x509 name structure into DER format. - * - * out pointer to either a pre setup buffer or a pointer to null for - * creating a dynamic buffer. In the case that a pre-existing buffer is - * used out will be incremented the size of the DER buffer on success. - * - * returns the size of the buffer on success, or negative value with failure - */ - int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) - { - CertName cName; - unsigned char buf[256]; /* ASN_MAX_NAME */ - int sz; - WOLFSSL_ENTER("wolfSSL_i2d_X509_NAME"); - - if (out == NULL || name == NULL) { - return BAD_FUNC_ARG; - } - XMEMSET(&cName, 0, sizeof(CertName)); - - if (CopyX509NameToCertName(name, &cName) != SSL_SUCCESS) { - WOLFSSL_MSG("Error converting x509 name to internal CertName"); - return SSL_FATAL_ERROR; - } - - sz = SetName(buf, sizeof(buf), &cName); - if (sz < 0) { - return sz; - } - - /* using buffer passed in */ - if (*out != NULL) { - XMEMCPY(*out, buf, sz); - *out += sz; - } - else { - *out = (unsigned char*)XMALLOC(sz, NULL, DYNAMIC_TYPE_OPENSSL); - if (*out == NULL) { - return MEMORY_E; - } - XMEMCPY(*out, buf, sz); - } - - return sz; - } -#endif /* WOLFSSL_CERT_GEN */ - - - /* Compares the two X509 names. If the size of x is larger then y then a - * positive value is returned if x is smaller a negative value is returned. - * In the case that the sizes are equal a the value of strcmp between the - * two names is returned. - * - * x First name for comparison - * y Second name to compare with x - */ - int wolfSSL_X509_NAME_cmp(const WOLFSSL_X509_NAME* x, - const WOLFSSL_X509_NAME* y) - { - const char* _x; - const char* _y; - WOLFSSL_ENTER("wolfSSL_X509_NAME_cmp"); - - if (x == NULL || y == NULL) { - WOLFSSL_MSG("Bad argument passed in"); - return -2; - } - - if (x == y) { - return 0; /* match */ - } - - if (x->sz != y->sz) { - return x->sz - y->sz; - } - - /* - * If the name member is not set or is immediately null terminated then - * compare the staticName member - */ - _x = (x->name && *x->name) ? x->name : x->staticName; - _y = (y->name && *y->name) ? y->name : y->staticName; - - return XSTRNCMP(_x, _y, x->sz); /* y sz is the same */ - } - - - WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 **x, - pem_password_cb *cb, void *u) - { - WOLFSSL_X509* x509 = NULL; -#if defined(WOLFSSL_PEM_TO_DER) || defined(WOLFSSL_DER_TO_PEM) - unsigned char* pem = NULL; - int pemSz; - long i = 0, l; - const char* footer = NULL; - - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_X509"); - - if (bp == NULL) { - WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_X509", BAD_FUNC_ARG); - return NULL; - } - - if ((l = wolfSSL_BIO_get_len(bp)) <= 0) { - #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) - /* No certificate in buffer */ - WOLFSSL_ERROR(ASN_NO_PEM_HEADER); - #endif - return NULL; - } - - pem = (unsigned char*)XMALLOC(l, 0, DYNAMIC_TYPE_PEM); - if (pem == NULL) - return NULL; - - i = 0; - if (wc_PemGetHeaderFooter(CERT_TYPE, NULL, &footer) != 0) { - XFREE(pem, 0, DYNAMIC_TYPE_PEM); - return NULL; - } - - /* TODO: Inefficient - * reading in one byte at a time until see "END CERTIFICATE" - */ - while ((l = wolfSSL_BIO_read(bp, (char *)&pem[i], 1)) == 1) { - i++; - if (i > 26 && XMEMCMP((char *)&pem[i-26], footer, 25) == 0) { - if (pem[i-1] == '\r') { - /* found \r , Windows line ending is \r\n so try to read one - * more byte for \n, ignoring return value */ - (void)wolfSSL_BIO_read(bp, (char *)&pem[i++], 1); - } - break; - } - } - #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) - if (l == 0) - WOLFSSL_ERROR(ASN_NO_PEM_HEADER); - #endif - pemSz = (int)i; - x509 = wolfSSL_X509_load_certificate_buffer(pem, pemSz, - WOLFSSL_FILETYPE_PEM); - - if (x != NULL) { - *x = x509; - } - - XFREE(pem, NULL, DYNAMIC_TYPE_PEM); - -#endif /* WOLFSSL_PEM_TO_DER || WOLFSSL_DER_TO_PEM */ - (void)bp; - (void)x; - (void)cb; - (void)u; - - return x509; - } - - WOLFSSL_X509_CRL *wolfSSL_PEM_read_bio_X509_CRL(WOLFSSL_BIO *bp, - WOLFSSL_X509_CRL **x, pem_password_cb *cb, void *u) - { -#if defined(WOLFSSL_PEM_TO_DER) && defined(HAVE_CRL) - unsigned char* pem = NULL; - int pemSz; - int derSz; - DerBuffer* der = NULL; - WOLFSSL_X509_CRL* crl = NULL; - - if ((pemSz = wolfSSL_BIO_get_len(bp)) <= 0) { - goto err; - } - - pem = (unsigned char*)XMALLOC(pemSz, 0, DYNAMIC_TYPE_PEM); - if (pem == NULL) { - goto err; - } - - if (wolfSSL_BIO_read(bp, pem, pemSz) != pemSz) { - goto err; - } - - if((PemToDer(pem, pemSz, CRL_TYPE, &der, NULL, NULL, NULL)) < 0) { - goto err; - } - derSz = der->length; - if((crl = wolfSSL_d2i_X509_CRL(x, der->buffer, derSz)) == NULL) { - goto err; - } - -err: - if(pem != NULL) { - XFREE(pem, 0, DYNAMIC_TYPE_PEM); - } - if(der != NULL) { - FreeDer(&der); - } - - (void)cb; - (void)u; - - return crl; -#else - (void)bp; - (void)x; - (void)cb; - (void)u; - - return NULL; -#endif - } - -#if !defined(NO_FILESYSTEM) - static void* wolfSSL_PEM_read_X509_ex(XFILE fp, void **x, - pem_password_cb *cb, void *u, int type) - { - unsigned char* pem = NULL; - int pemSz; - long i = 0, l; - void *newx509; - int derSz; - DerBuffer* der = NULL; - - WOLFSSL_ENTER("wolfSSL_PEM_read_X509"); - - if (fp == XBADFILE) { - WOLFSSL_LEAVE("wolfSSL_PEM_read_X509", BAD_FUNC_ARG); - return NULL; - } - /* Read cert from file */ - i = XFTELL(fp); - if (i < 0) { - WOLFSSL_LEAVE("wolfSSL_PEM_read_X509", BAD_FUNC_ARG); - return NULL; - } - - if (XFSEEK(fp, 0, XSEEK_END) != 0) - return NULL; - l = XFTELL(fp); - if (l < 0) - return NULL; - if (XFSEEK(fp, i, SEEK_SET) != 0) - return NULL; - pemSz = (int)(l - i); - - /* check calculated length */ - if (pemSz > MAX_WOLFSSL_FILE_SIZE || pemSz < 0) { - WOLFSSL_MSG("PEM_read_X509_ex file size error"); - return NULL; - } - - /* allocate pem buffer */ - pem = (unsigned char*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_PEM); - if (pem == NULL) - return NULL; - - if ((int)XFREAD((char *)pem, 1, pemSz, fp) != pemSz) - goto err_exit; - - switch (type) { - case CERT_TYPE: - newx509 = (void *)wolfSSL_X509_load_certificate_buffer(pem, - pemSz, WOLFSSL_FILETYPE_PEM); - break; - - #ifdef HAVE_CRL - case CRL_TYPE: - if ((PemToDer(pem, pemSz, CRL_TYPE, &der, NULL, NULL, NULL)) < 0) - goto err_exit; - derSz = der->length; - newx509 = (void*)wolfSSL_d2i_X509_CRL((WOLFSSL_X509_CRL **)x, - (const unsigned char *)der->buffer, derSz); - if (newx509 == NULL) - goto err_exit; - FreeDer(&der); - break; - #endif - - default: - goto err_exit; - } - if (x != NULL) { - *x = newx509; - } - XFREE(pem, NULL, DYNAMIC_TYPE_PEM); - return newx509; - - err_exit: - if (pem != NULL) - XFREE(pem, NULL, DYNAMIC_TYPE_PEM); - if (der != NULL) - FreeDer(&der); - - /* unused */ - (void)cb; - (void)u; - (void)derSz; - - return NULL; - } - - WOLFSSL_API WOLFSSL_X509* wolfSSL_PEM_read_X509(XFILE fp, WOLFSSL_X509 **x, - pem_password_cb *cb, void *u) - { - return (WOLFSSL_X509* )wolfSSL_PEM_read_X509_ex(fp, (void **)x, cb, u, CERT_TYPE); - } - -#if defined(HAVE_CRL) - WOLFSSL_API WOLFSSL_X509_CRL* wolfSSL_PEM_read_X509_CRL(XFILE fp, WOLFSSL_X509_CRL **crl, - pem_password_cb *cb, void *u) - { - return (WOLFSSL_X509_CRL* )wolfSSL_PEM_read_X509_ex(fp, (void **)crl, cb, u, CRL_TYPE); - } -#endif - - int wolfSSL_PEM_write_X509(XFILE fp, WOLFSSL_X509* x) - { - int ret; - WOLFSSL_BIO* bio; - - if (x == NULL) - return 0; - - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); - if (bio == NULL) - return 0; - - if (wolfSSL_BIO_set_fp(bio, fp, BIO_NOCLOSE) != WOLFSSL_SUCCESS) { - wolfSSL_BIO_free(bio); - bio = NULL; - } - - ret = wolfSSL_PEM_write_bio_X509(bio, x); - - if (bio != NULL) - wolfSSL_BIO_free(bio); - - return ret; - } -#endif /* !NO_FILESYSTEM */ - - #define PEM_BEGIN "-----BEGIN " - #define PEM_BEGIN_SZ 11 - #define PEM_END "-----END " - #define PEM_END_SZ 9 - #define PEM_HDR_FIN "-----" - #define PEM_HDR_FIN_SZ 5 - #define PEM_HDR_FIN_EOL_NEWLINE "-----\n" - #define PEM_HDR_FIN_EOL_NULL_TERM "-----\0" - #define PEM_HDR_FIN_EOL_SZ 6 - - int wolfSSL_PEM_read_bio(WOLFSSL_BIO* bio, char **name, char **header, - unsigned char **data, long *len) - { - int ret = WOLFSSL_SUCCESS; - char pem[256]; - int pemLen; - char* p; - char* nameStr = NULL; - int nameLen = 0; - char* headerStr = NULL; - int headerLen; - int headerFound = 0; - unsigned char* der = NULL; - word32 derLen = 0; - - if (bio == NULL || name == NULL || header == NULL || data == NULL || - len == NULL) { - return WOLFSSL_FAILURE; - } - - /* Find header line. */ - pem[sizeof(pem) - 1] = '\0'; - while ((pemLen = wolfSSL_BIO_gets(bio, pem, sizeof(pem) - 1)) > 0) { - if (XSTRNCMP(pem, PEM_BEGIN, PEM_BEGIN_SZ) == 0) - break; - } - if (pemLen <= 0) - ret = WOLFSSL_FAILURE; - /* Have a header line. */ - if (ret == WOLFSSL_SUCCESS) { - while (pem[pemLen - 1] == '\r' || pem[pemLen - 1] == '\n') - pemLen--; - pem[pemLen] = '\0'; - if (XSTRNCMP(pem + pemLen - PEM_HDR_FIN_SZ, PEM_HDR_FIN, - PEM_HDR_FIN_SZ) != 0) { - ret = WOLFSSL_FAILURE; - } - } - - /* Get out name. */ - if (ret == WOLFSSL_SUCCESS) { - nameLen = pemLen - PEM_BEGIN_SZ - PEM_HDR_FIN_SZ; - nameStr = (char*)XMALLOC(nameLen + 1, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (nameStr == NULL) - ret = WOLFSSL_FAILURE; - } - if (ret == WOLFSSL_SUCCESS) { - XSTRNCPY(nameStr, pem + PEM_BEGIN_SZ, nameLen); - nameStr[nameLen] = '\0'; - - /* Get header of PEM - encryption header. */ - headerLen = 0; - while ((pemLen = wolfSSL_BIO_gets(bio, pem, sizeof(pem) - 1)) > 0) { - while (pemLen > 0 && (pem[pemLen - 1] == '\r' || - pem[pemLen - 1] == '\n')) { - pemLen--; - } - pem[pemLen++] = '\n'; - pem[pemLen] = '\0'; - - /* Header separator is a blank line. */ - if (pem[0] == '\n') { - headerFound = 1; - break; - } - - /* Didn't find a blank line - no header. */ - if (XSTRNCMP(pem, PEM_END, PEM_END_SZ) == 0) { - der = (unsigned char*)headerStr; - derLen = headerLen; - /* Empty header - empty string. */ - headerStr = (char*)XMALLOC(1, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (headerStr == NULL) - ret = WOLFSSL_FAILURE; - else - headerStr[0] = '\0'; - break; - } - - p = (char*)XREALLOC(headerStr, headerLen + pemLen + 1, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (p == NULL) { - ret = WOLFSSL_FAILURE; - break; - } - - headerStr = p; - XMEMCPY(headerStr + headerLen, pem, pemLen + 1); - headerLen += pemLen; - } - if (pemLen <= 0) - ret = WOLFSSL_FAILURE; - } - - /* Get body of PEM - if there was a header */ - if (ret == WOLFSSL_SUCCESS && headerFound) { - derLen = 0; - while ((pemLen = wolfSSL_BIO_gets(bio, pem, sizeof(pem) - 1)) > 0) { - while (pemLen > 0 && (pem[pemLen - 1] == '\r' || - pem[pemLen - 1] == '\n')) { - pemLen--; - } - pem[pemLen++] = '\n'; - pem[pemLen] = '\0'; - - if (XSTRNCMP(pem, PEM_END, PEM_END_SZ) == 0) - break; - - p = (char*)XREALLOC(der, derLen + pemLen + 1, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (p == NULL) { - ret = WOLFSSL_FAILURE; - break; - } - - der = (unsigned char*)p; - XMEMCPY(der + derLen, pem, pemLen + 1); - derLen += pemLen; - } - if (pemLen <= 0) - ret = WOLFSSL_FAILURE; - } - - /* Check trailer. */ - if (ret == WOLFSSL_SUCCESS) { - if (XSTRNCMP(pem + PEM_END_SZ, nameStr, nameLen) != 0) - ret = WOLFSSL_FAILURE; - } - if (ret == WOLFSSL_SUCCESS) { - if (XSTRNCMP(pem + PEM_END_SZ + nameLen, - PEM_HDR_FIN_EOL_NEWLINE, - PEM_HDR_FIN_EOL_SZ) != 0 && - XSTRNCMP(pem + PEM_END_SZ + nameLen, - PEM_HDR_FIN_EOL_NULL_TERM, - PEM_HDR_FIN_EOL_SZ) != 0) { - ret = WOLFSSL_FAILURE; - } - } - - /* Base64 decode body. */ - if (ret == WOLFSSL_SUCCESS) { - if (Base64_Decode(der, derLen, der, &derLen) != 0) - ret = WOLFSSL_FAILURE; - } - - if (ret == WOLFSSL_SUCCESS) { - *name = nameStr; - *header = headerStr; - *data = der; - *len = derLen; - nameStr = NULL; - headerStr = NULL; - der = NULL; - } - - if (nameStr != NULL) - XFREE(nameStr, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (headerStr != NULL) - XFREE(headerStr, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (der != NULL) - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - return ret; - } - - int wolfSSL_PEM_write_bio(WOLFSSL_BIO* bio, const char *name, - const char *header, const unsigned char *data, - long len) - { - int err = 0; - int outSz = 0; - int nameLen; - int headerLen; - byte* pem = NULL; - word32 pemLen; - word32 derLen = (word32)len; - - if (bio == NULL || name == NULL || header == NULL || data == NULL) - return 0; - - nameLen = (int)XSTRLEN(name); - headerLen = (int)XSTRLEN(header); - - pemLen = (derLen + 2) / 3 * 4; - pemLen += (pemLen + 63) / 64; - - pem = (byte*)XMALLOC(pemLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); - err = pem == NULL; - if (!err) - err = Base64_Encode(data, derLen, pem, &pemLen) != 0; - - if (!err) { - err = wolfSSL_BIO_write(bio, PEM_BEGIN, PEM_BEGIN_SZ) != - (int)PEM_BEGIN_SZ; - } - if (!err) - err = wolfSSL_BIO_write(bio, name, nameLen) != nameLen; - if (!err) { - err = wolfSSL_BIO_write(bio, PEM_HDR_FIN_EOL_NEWLINE, - PEM_HDR_FIN_EOL_SZ) != (int)PEM_HDR_FIN_EOL_SZ; - } - if (!err && headerLen > 0) { - err = wolfSSL_BIO_write(bio, header, headerLen) != headerLen; - /* Blank line after a header and before body. */ - if (!err) - err = wolfSSL_BIO_write(bio, "\n", 1) != 1; - headerLen++; - } - if (!err) - err = wolfSSL_BIO_write(bio, pem, pemLen) != (int)pemLen; - if (!err) - err = wolfSSL_BIO_write(bio, PEM_END, PEM_END_SZ) != - (int)PEM_END_SZ; - if (!err) - err = wolfSSL_BIO_write(bio, name, nameLen) != nameLen; - if (!err) { - err = wolfSSL_BIO_write(bio, PEM_HDR_FIN_EOL_NEWLINE, - PEM_HDR_FIN_EOL_SZ) != (int)PEM_HDR_FIN_EOL_SZ; - } - - if (!err) { - outSz = PEM_BEGIN_SZ + nameLen + PEM_HDR_FIN_EOL_SZ + headerLen + - pemLen + PEM_END_SZ + nameLen + PEM_HDR_FIN_EOL_SZ; - } - - if (pem != NULL) - XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - return outSz; - } - -#if !defined(NO_FILESYSTEM) - int wolfSSL_PEM_read(XFILE fp, char **name, char **header, - unsigned char **data, long *len) - { - int ret; - WOLFSSL_BIO* bio; - - if (name == NULL || header == NULL || data == NULL || len == NULL) - return WOLFSSL_FAILURE; - - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); - if (bio == NULL) - return 0; - - if (wolfSSL_BIO_set_fp(bio, fp, BIO_NOCLOSE) != WOLFSSL_SUCCESS) { - wolfSSL_BIO_free(bio); - bio = NULL; - } - - ret = wolfSSL_PEM_read_bio(bio, name, header, data, len); - - if (bio != NULL) - wolfSSL_BIO_free(bio); - - return ret; - } - - int wolfSSL_PEM_write(XFILE fp, const char *name, const char *header, - const unsigned char *data, long len) - { - int ret; - WOLFSSL_BIO* bio; - - if (name == NULL || header == NULL || data == NULL) - return 0; - - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); - if (bio == NULL) - return 0; - - if (wolfSSL_BIO_set_fp(bio, fp, BIO_NOCLOSE) != WOLFSSL_SUCCESS) { - wolfSSL_BIO_free(bio); - bio = NULL; - } - - ret = wolfSSL_PEM_write_bio(bio, name, header, data, len); - - if (bio != NULL) - wolfSSL_BIO_free(bio); - - return ret; - } -#endif - - int wolfSSL_PEM_get_EVP_CIPHER_INFO(char* header, EncryptedInfo* cipher) - { - if (header == NULL || cipher == NULL) - return WOLFSSL_FAILURE; - - XMEMSET(cipher, 0, sizeof(*cipher)); - - if (wc_EncryptedInfoParse(cipher, &header, XSTRLEN(header)) != 0) - return WOLFSSL_FAILURE; - - return WOLFSSL_SUCCESS; - } - - int wolfSSL_PEM_do_header(EncryptedInfo* cipher, unsigned char* data, - long* len, pem_password_cb* callback, void* ctx) - { - int ret = WOLFSSL_SUCCESS; - char password[NAME_SZ]; - int passwordSz; - - if (cipher == NULL || data == NULL || len == NULL || callback == NULL) - return WOLFSSL_FAILURE; - - passwordSz = callback(password, sizeof(password), PEM_PASS_READ, ctx); - if (passwordSz < 0) - ret = WOLFSSL_FAILURE; - - if (ret == WOLFSSL_SUCCESS) { - if (wc_BufferKeyDecrypt(cipher, data, (word32)*len, (byte*)password, - passwordSz, WC_MD5) != 0) { - ret = WOLFSSL_FAILURE; - } - } - - if (passwordSz > 0) - XMEMSET(password, 0, passwordSz); - - return ret; - } - - /* - * bp : bio to read X509 from - * x : x509 to write to - * cb : password call back for reading PEM - * u : password - * _AUX is for working with a trusted X509 certificate - */ - WOLFSSL_X509 *wolfSSL_PEM_read_bio_X509_AUX(WOLFSSL_BIO *bp, - WOLFSSL_X509 **x, pem_password_cb *cb, void *u) { - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_X509"); - - /* AUX info is; trusted/rejected uses, friendly name, private key id, - * and potentially a stack of "other" info. wolfSSL does not store - * friendly name or private key id yet in WOLFSSL_X509 for human - * readability and does not support extra trusted/rejected uses for - * root CA. */ - return wolfSSL_PEM_read_bio_X509(bp, x, cb, u); - } - - -#ifdef OPENSSL_ALL - /* create and return a new WOLFSSL_X509_PKEY structure or NULL on failure */ - static WOLFSSL_X509_PKEY* wolfSSL_X509_PKEY_new(void* heap) - { - WOLFSSL_X509_PKEY* ret; - - ret = (WOLFSSL_X509_PKEY*)XMALLOC(sizeof(WOLFSSL_X509_PKEY), heap, - DYNAMIC_TYPE_KEY); - if (ret != NULL) { - XMEMSET(ret, 0, sizeof(WOLFSSL_X509_PKEY)); - ret->heap = heap; - } - return ret; - } - - - /* sets the values of X509_PKEY based on certificate passed in - * return WOLFSSL_SUCCESS on success */ - static int wolfSSL_X509_PKEY_set(WOLFSSL_X509_PKEY* xPkey, - WOLFSSL_X509* x509) - { - if (xPkey == NULL || x509 == NULL) { - return BAD_FUNC_ARG; - } - wolfSSL_EVP_PKEY_free(xPkey->dec_pkey); - xPkey->dec_pkey = wolfSSL_X509_get_pubkey(x509); - if (xPkey->dec_pkey == NULL) { - return WOLFSSL_FAILURE; - } - return WOLFSSL_SUCCESS; - } - - - /* free up all memory used by "xPkey" passed in */ - static void wolfSSL_X509_PKEY_free(WOLFSSL_X509_PKEY* xPkey) - { - if (xPkey != NULL) { - wolfSSL_EVP_PKEY_free(xPkey->dec_pkey); - } - XFREE(xPkey, xPkey->heap, DYNAMIC_TYPE_KEY); - } - - - /* Takes control of x509 on success - * helper function to break out code needed to set WOLFSSL_X509_INFO up - * free's "info" passed in if is not defaults - * - * returns WOLFSSL_SUCCESS on success - */ - static int wolfSSL_X509_INFO_set(WOLFSSL_X509_INFO* info, - WOLFSSL_X509* x509) - { - if (info == NULL || x509 == NULL) { - return BAD_FUNC_ARG; - } - - /* check is fresh "info" passed in, if not free it */ - if (info->x509 != NULL || info->x_pkey != NULL) { - WOLFSSL_X509_INFO* tmp; - - tmp = wolfSSL_X509_INFO_new(); - if (tmp == NULL) { - WOLFSSL_MSG("Unable to create new structure"); - return MEMORY_E; - } - wolfSSL_X509_INFO_free(info); - info = tmp; - } - - info->x509 = x509; - - //@TODO info->num - //@TODO info->enc_cipher - //@TODO info->enc_len - //@TODO info->enc_data - //@TODO info->crl - - info->x_pkey = wolfSSL_X509_PKEY_new(x509->heap); - return wolfSSL_X509_PKEY_set(info->x_pkey, x509); - } - - - /* - * bio WOLFSSL_BIO to read certificates from - * sk possible stack to push more X509_INFO structs to. Can be NULL - * cb callback password for encrypted PEM certificates - * u user input such as password - * - * returns stack on success and NULL or default stack passed in on fail - */ - WOLF_STACK_OF(WOLFSSL_X509_INFO)* wolfSSL_PEM_X509_INFO_read_bio( - WOLFSSL_BIO* bio, WOLF_STACK_OF(WOLFSSL_X509_INFO)* sk, - pem_password_cb* cb, void* u) - { - WOLF_STACK_OF(WOLFSSL_X509_INFO)* localSk; - WOLFSSL_X509* x509 = NULL; - int ret = WOLFSSL_SUCCESS; - - WOLFSSL_ENTER("wolfSSL_PEM_X509_INFO_read_bio"); - - /* attempt to used passed in stack or create a new one */ - if (sk != NULL) { - localSk = sk; - } - else { - localSk = wolfSSL_sk_X509_INFO_new_null(); - } - if (localSk == NULL) { - WOLFSSL_LEAVE("wolfSSL_PEM_X509_INFO_read_bio", MEMORY_E); - return NULL; - } - - /* parse through BIO and push new info's found onto stack */ - do { - x509 = wolfSSL_PEM_read_bio_X509(bio, NULL, cb, u); - if (x509 != NULL) { - WOLFSSL_X509_INFO* current; - - current = wolfSSL_X509_INFO_new(); - if (current == NULL) { - WOLFSSL_LEAVE("wolfSSL_PEM_X509_INFO_read_bio", MEMORY_E); - return NULL; - } - ret = wolfSSL_X509_INFO_set(current, x509); - if (ret != WOLFSSL_SUCCESS) { - wolfSSL_X509_free(x509); - } - else { - wolfSSL_sk_X509_INFO_push(localSk, current); - } - } - } while (x509 != NULL && ret == WOLFSSL_SUCCESS); - WOLFSSL_LEAVE("wolfSSL_PEM_X509_INFO_read_bio", ret); - return localSk; - } -#endif /* OPENSSL_ALL */ - - void wolfSSL_X509_NAME_ENTRY_free(WOLFSSL_X509_NAME_ENTRY* ne) - { - WOLFSSL_ENTER("wolfSSL_X509_NAME_ENTRY_free"); - if (ne != NULL) { - if (ne->value != NULL && ne->value != &(ne->data)) { - wolfSSL_ASN1_STRING_free(ne->value); - } - XFREE(ne, NULL, DYNAMIC_TYPE_NAME_ENTRY); - } - } - - - WOLFSSL_X509_NAME_ENTRY* wolfSSL_X509_NAME_ENTRY_new(void) - { - WOLFSSL_X509_NAME_ENTRY* ne; - - ne = (WOLFSSL_X509_NAME_ENTRY*)XMALLOC(sizeof(WOLFSSL_X509_NAME_ENTRY), - NULL, DYNAMIC_TYPE_NAME_ENTRY); - if (ne != NULL) { - XMEMSET(ne, 0, sizeof(WOLFSSL_X509_NAME_ENTRY)); - ne->value = &(ne->data); - } - - return ne; - } - - - /* Create a new WOLFSSL_X509_NAME_ENTRY structure based on the text passed - * in. Returns NULL on failure */ - WOLFSSL_X509_NAME_ENTRY* wolfSSL_X509_NAME_ENTRY_create_by_txt( - WOLFSSL_X509_NAME_ENTRY **neIn, const char *txt, int type, - const unsigned char *data, int dataSz) - { - int nid = -1; - WOLFSSL_X509_NAME_ENTRY* ne = NULL; - - WOLFSSL_ENTER("wolfSSL_X509_NAME_ENTRY_create_by_txt()"); - - if (txt == NULL) { - return NULL; - } - - if (neIn != NULL) { - ne = *neIn; - } - - nid = wolfSSL_OBJ_txt2nid(txt); - if (nid == NID_undef) { - WOLFSSL_MSG("Unable to find text"); - ne = NULL; - } - else { - if (ne == NULL) { - ne = wolfSSL_X509_NAME_ENTRY_new(); - if (ne == NULL) { - return NULL; - } - } - ne->nid = nid; - ne->value = wolfSSL_ASN1_STRING_type_new(type); - if (ne->value != NULL) { - wolfSSL_ASN1_STRING_set(ne->value, (const void*)data, dataSz); - ne->set = 1; - } - } - - return ne; - } - - - WOLFSSL_X509_NAME_ENTRY* wolfSSL_X509_NAME_ENTRY_create_by_NID( - WOLFSSL_X509_NAME_ENTRY** out, int nid, int type, - const unsigned char* data, int dataSz) - { - WOLFSSL_X509_NAME_ENTRY* ne; - - WOLFSSL_ENTER("wolfSSL_X509_NAME_ENTRY_create_by_NID()"); - - ne = wolfSSL_X509_NAME_ENTRY_new(); - if (ne == NULL) { - return NULL; - } - - ne->nid = nid; - ne->value = wolfSSL_ASN1_STRING_type_new(type); - wolfSSL_ASN1_STRING_set(ne->value, (const void*)data, dataSz); - ne->set = 1; - - if (out != NULL) { - *out = ne; - } - - return ne; - } - - static int RebuildFullNameAdd(DecodedName* dName, char* data) - { - int totalLen = 0; - int i; - char* fullName; - int idx; - - if (dName->cnLen != 0) - totalLen += dName->cnLen + 4; - if (dName->snLen != 0) - totalLen += dName->snLen + 4; - if (dName->cLen != 0) - totalLen += dName->cLen + 3; - if (dName->lLen != 0) - totalLen += dName->lLen + 3; - if (dName->stLen != 0) - totalLen += dName->stLen + 4; - if (dName->oLen != 0) - totalLen += dName->oLen + 3; - if (dName->ouLen != 0) - totalLen += dName->ouLen + 4; - if (dName->emailLen != 0) - totalLen += dName->emailLen + 14; - if (dName->uidLen != 0) - totalLen += dName->uidLen + 5; - if (dName->serialLen != 0) - totalLen += dName->serialLen + 14; - if (dName->dcNum != 0) { - for (i = 0; i < dName->dcNum; i++) - totalLen += dName->dcLen[i] + 4; - } - - fullName = (char*)XMALLOC(totalLen + 1, NULL, DYNAMIC_TYPE_X509); - if (fullName == NULL) - return MEMORY_E; - - idx = 0; - dName->entryCount = 0; - if (dName->cnLen != 0) { - dName->entryCount++; - XMEMCPY(fullName + idx, WOLFSSL_COMMON_NAME, 4); - idx += 4; - if (dName->cnIdx == -1) - XMEMCPY(fullName + idx, data, dName->cnLen); - else { - XMEMCPY(fullName + idx, dName->fullName + dName->cnIdx, - dName->cnLen); - } - dName->cnIdx = idx; - idx += dName->cnLen; - } - if (dName->snLen != 0) { - dName->entryCount++; - XMEMCPY(fullName + idx, WOLFSSL_SUR_NAME, 4); - idx += 4; - if (dName->snIdx == -1) - XMEMCPY(fullName + idx, data, dName->snLen); - else { - XMEMCPY(fullName + idx, dName->fullName + dName->snIdx, - dName->snLen); - } - dName->snIdx = idx; - idx += dName->snLen; - } - if (dName->cLen != 0) { - dName->entryCount++; - XMEMCPY(fullName + idx, WOLFSSL_COUNTRY_NAME, 3); - idx += 3; - if (dName->cIdx == -1) - XMEMCPY(fullName + idx, data, dName->cLen); - else { - XMEMCPY(fullName + idx, dName->fullName + dName->cIdx, - dName->cLen); - } - dName->cIdx = idx; - idx += dName->cLen; - } - if (dName->lLen != 0) { - dName->entryCount++; - XMEMCPY(fullName + idx, WOLFSSL_LOCALITY_NAME, 3); - idx += 3; - if (dName->lIdx == -1) - XMEMCPY(fullName + idx, data, dName->lLen); - else { - XMEMCPY(fullName + idx, dName->fullName + dName->lIdx, - dName->lLen); - } - dName->lIdx = idx; - idx += dName->lLen; - } - if (dName->stLen != 0) { - dName->entryCount++; - XMEMCPY(fullName + idx, WOLFSSL_STATE_NAME, 4); - idx += 4; - if (dName->stIdx == -1) - XMEMCPY(fullName + idx, data, dName->stLen); - else { - XMEMCPY(fullName + idx, dName->fullName + dName->stIdx, - dName->stLen); - } - dName->stIdx = idx; - idx += dName->stLen; - } - if (dName->oLen != 0) { - dName->entryCount++; - XMEMCPY(fullName + idx, WOLFSSL_ORG_NAME, 3); - idx += 3; - if (dName->oIdx == -1) - XMEMCPY(fullName + idx, data, dName->oLen); - else { - XMEMCPY(fullName + idx, dName->fullName + dName->oIdx, - dName->oLen); - } - dName->oIdx = idx; - idx += dName->oLen; - } - if (dName->ouLen != 0) { - dName->entryCount++; - XMEMCPY(fullName + idx, WOLFSSL_ORGUNIT_NAME, 4); - idx += 4; - if (dName->ouIdx == -1) - XMEMCPY(fullName + idx, data, dName->ouLen); - else { - XMEMCPY(fullName + idx, dName->fullName + dName->ouIdx, - dName->ouLen); - } - dName->ouIdx = idx; - idx += dName->ouLen; - } - if (dName->emailLen != 0) { - dName->entryCount++; - XMEMCPY(fullName + idx, "/emailAddress=", 14); - idx += 14; - if (dName->emailIdx == -1) - XMEMCPY(fullName + idx, data, dName->emailLen); - else { - XMEMCPY(fullName + idx, dName->fullName + dName->emailIdx, - dName->emailLen); - } - dName->emailIdx = idx; - idx += dName->emailLen; - } - if (dName->dcNum != 0) { - for (i = 0; i < dName->dcNum; i++) { - dName->entryCount++; - XMEMCPY(fullName + idx, WOLFSSL_DOMAIN_COMPONENT, 4); - idx += 4; - XMEMCPY(fullName + idx, dName->fullName + dName->dcIdx[i], - dName->dcLen[i]); - dName->dcIdx[i] = idx; - idx += dName->dcLen[i]; - } - } - if (dName->uidLen != 0) { - dName->entryCount++; - XMEMCPY(fullName + idx, "/UID=", 5); - idx += 5; - if (dName->uidIdx == -1) - XMEMCPY(fullName + idx, data, dName->uidLen); - else { - XMEMCPY(fullName + idx, dName->fullName + dName->uidIdx, - dName->uidLen); - } - dName->uidIdx = idx; - idx += dName->uidLen; - } - if (dName->serialLen != 0) { - dName->entryCount++; - XMEMCPY(fullName + idx, WOLFSSL_SERIAL_NUMBER, 14); - idx += 14; - if (dName->serialIdx == -1) - XMEMCPY(fullName + idx, data, dName->serialLen); - else { - XMEMCPY(fullName + idx, dName->fullName + dName->serialIdx, - dName->serialLen); - } - dName->serialIdx = idx; - idx += dName->serialLen; - } - - if (dName->fullName != NULL) - XFREE(dName->fullName, NULL, DYNAMIC_TYPE_X509); - dName->fullName = fullName; - dName->fullNameLen = idx + 1; - - return 0; - } - - /* Copies entry into name. With it being copied freeing entry becomes the - * callers responsibility. - * returns 1 for success and 0 for error */ - int wolfSSL_X509_NAME_add_entry(WOLFSSL_X509_NAME* name, - WOLFSSL_X509_NAME_ENTRY* entry, int idx, int set) - { - int i; - int fullName = 1; - - WOLFSSL_ENTER("wolfSSL_X509_NAME_add_entry()"); - - switch (entry->nid) { - case ASN_COMMON_NAME: - name->fullName.cnIdx = -1; - name->fullName.cnLen = entry->value->length; - name->fullName.cnNid = entry->nid; - break; - case ASN_SUR_NAME: - name->fullName.snIdx = -1; - name->fullName.snLen = entry->value->length; - name->fullName.snNid = entry->nid; - break; - case ASN_SERIAL_NUMBER: - name->fullName.serialIdx = -1; - name->fullName.serialLen = entry->value->length; - name->fullName.serialNid = entry->nid; - break; - case ASN_COUNTRY_NAME: - name->fullName.cIdx = -1; - name->fullName.cLen = entry->value->length; - name->fullName.cNid = entry->nid; - break; - case ASN_LOCALITY_NAME: - name->fullName.lIdx = -1; - name->fullName.lLen = entry->value->length; - name->fullName.lNid = entry->nid; - break; - case ASN_STATE_NAME: - name->fullName.stIdx = -1; - name->fullName.stLen = entry->value->length; - name->fullName.stNid = entry->nid; - break; - case ASN_ORG_NAME: - name->fullName.oIdx = -1; - name->fullName.oLen = entry->value->length; - name->fullName.oNid = entry->nid; - break; - case ASN_ORGUNIT_NAME: - name->fullName.ouIdx = -1; - name->fullName.ouLen = entry->value->length; - name->fullName.ouNid = entry->nid; - break; - case NID_emailAddress: - name->fullName.emailIdx = -1; - name->fullName.emailLen = entry->value->length; - name->fullName.emailNid = entry->nid; - break; - case ASN_USER_ID: - name->fullName.uidIdx = -1; - name->fullName.uidLen = entry->value->length; - name->fullName.uidNid = entry->nid; - break; - case ASN_DOMAIN_COMPONENT: - name->fullName.dcIdx[0] = -1; - name->fullName.dcLen[0] = entry->value->length; - break; - default: - fullName = 0; - break; - } - - if (fullName) { - int nid = entry->nid; - - if (nid == NID_emailAddress) { - nid = (int)ASN_EMAIL_NAME; - } - - if (idx >= DN_NAMES_MAX + DOMAIN_COMPONENT_MAX) { - return WOLFSSL_FAILURE; - } - - if (idx >= 0) { - name->fullName.loc[idx] = nid; - if (idx == name->fullName.locSz) { - name->fullName.locSz += 1; - } - } - - /* place at end */ - if (idx < 0 && name->fullName.locSz + 1 - < DN_NAMES_MAX + DOMAIN_COMPONENT_MAX) { - name->fullName.loc[name->fullName.locSz] = nid; - name->fullName.locSz += 1; - } - - if (RebuildFullNameAdd(&name->fullName, entry->value->data) != 0) - return WOLFSSL_FAILURE; - } - else { - for (i = 0; i < MAX_NAME_ENTRIES; i++) { - if (name->extra[i].set != 1) { /* not set so overwritten */ - WOLFSSL_X509_NAME_ENTRY* current = &(name->extra[i]); - WOLFSSL_ASN1_STRING* str; - - WOLFSSL_MSG("Found place for name entry"); - - XMEMCPY(current, entry, sizeof(WOLFSSL_X509_NAME_ENTRY)); - str = entry->value; - XMEMCPY(&(current->data), str, sizeof(WOLFSSL_ASN1_STRING)); - current->value = &(current->data); - current->data.data = (char*)XMALLOC(str->length, - name->x509->heap, DYNAMIC_TYPE_OPENSSL); - - if (current->data.data == NULL) { - return SSL_FAILURE; - } - XMEMCPY(current->data.data, str->data, str->length); - - /* make sure is null terminated */ - current->data.data[str->length - 1] = '\0'; - - current->set = 1; /* make sure now listed as set */ - break; - } - } - - if (i == MAX_NAME_ENTRIES) { - WOLFSSL_MSG("No spot found for name entry"); - return SSL_FAILURE; - } - } - - (void)idx; - (void)set; - return SSL_SUCCESS; - } - - int wolfSSL_X509_NAME_add_entry_by_txt(WOLFSSL_X509_NAME *name, - const char *field, int type, - const unsigned char *bytes, int len, - int loc, int set) - { - int ret = WOLFSSL_FAILURE; - int nid; - WOLFSSL_X509_NAME_ENTRY* entry; - - (void)type; - WOLFSSL_ENTER("wolfSSL_X509_NAME_add_entry_by_txt"); - - if (name == NULL || field == NULL) - return WOLFSSL_FAILURE; - - if ((nid = wolfSSL_OBJ_txt2nid(field)) == NID_undef) - return WOLFSSL_FAILURE; - - entry = wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL, - nid, type, (unsigned char*)bytes, len); - if (entry == NULL) - return WOLFSSL_FAILURE; - - ret = wolfSSL_X509_NAME_add_entry(name, entry, loc, set); - wolfSSL_X509_NAME_ENTRY_free(entry); - - return ret; - } - - int wolfSSL_X509_NAME_add_entry_by_NID(WOLFSSL_X509_NAME *name, int nid, - int type, const unsigned char *bytes, - int len, int loc, int set) - { - int ret; - WOLFSSL_X509_NAME_ENTRY* entry; - entry = wolfSSL_X509_NAME_ENTRY_create_by_NID(NULL, nid, type, bytes, len); - if (entry == NULL) - return WOLFSSL_FAILURE; - ret = wolfSSL_X509_NAME_add_entry(name, entry, loc, set); - wolfSSL_X509_NAME_ENTRY_free(entry); - return ret; - } - #endif /* !NO_CERTS */ - - - /* NID variables are dependent on compatibility header files currently - * - * returns a pointer to a new WOLFSSL_ASN1_OBJECT struct on success and NULL - * on fail - */ - - WOLFSSL_ASN1_OBJECT* wolfSSL_OBJ_nid2obj(int id) - { - return wolfSSL_OBJ_nid2obj_ex(id, NULL); - } - - - WOLFSSL_LOCAL WOLFSSL_ASN1_OBJECT* wolfSSL_OBJ_nid2obj_ex(int id, - WOLFSSL_ASN1_OBJECT* arg_obj) - { - word32 oidSz = 0; - const byte* oid; - word32 type = 0; - WOLFSSL_ASN1_OBJECT* obj = arg_obj; - byte objBuf[MAX_OID_SZ + MAX_LENGTH_SZ + 1]; /* +1 for object tag */ - word32 objSz = 0; - const char* sName = NULL; - int i; - - WOLFSSL_ENTER("wolfSSL_OBJ_nid2obj()"); - - for (i = 0; i < (int)WOLFSSL_OBJECT_INFO_SZ; i++) { - if (wolfssl_object_info[i].nid == id) { - id = wolfssl_object_info[i].id; - sName = wolfssl_object_info[i].sName; - type = wolfssl_object_info[i].type; - break; - } - } - if (i == (int)WOLFSSL_OBJECT_INFO_SZ) { - WOLFSSL_MSG("NID not in table"); - #ifdef WOLFSSL_QT - sName = NULL; - type = id; - #else - return NULL; - #endif - } - - #ifdef HAVE_ECC - if (type == 0 && wc_ecc_get_oid(id, &oid, &oidSz) > 0) { - type = oidCurveType; - } - #endif /* HAVE_ECC */ - - if (sName != NULL) { - if (XSTRLEN(sName) > WOLFSSL_MAX_SNAME - 1) { - WOLFSSL_MSG("Attempted short name is too large"); - return NULL; - } - } - - oid = OidFromId(id, type, &oidSz); - - /* set object ID to buffer */ - if (obj == NULL){ - obj = wolfSSL_ASN1_OBJECT_new(); - if (obj == NULL) { - WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct"); - return NULL; - } - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC; - } else { - obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC; - } - obj->type = id; - obj->grp = type; - - obj->sName[0] = '\0'; - if (sName != NULL) { - XMEMCPY(obj->sName, (char*)sName, XSTRLEN((char*)sName)); - } - - objBuf[0] = ASN_OBJECT_ID; objSz++; - objSz += SetLength(oidSz, objBuf + 1); - XMEMCPY(objBuf + objSz, oid, oidSz); - objSz += oidSz; - obj->objSz = objSz; - if(((obj->dynamic & WOLFSSL_ASN1_DYNAMIC_DATA) != 0) || - (obj->obj == NULL)) { - obj->obj = (byte*)XREALLOC((byte*)obj->obj, obj->objSz, NULL, - DYNAMIC_TYPE_ASN1); - if (obj->obj == NULL) { - wolfSSL_ASN1_OBJECT_free(obj); - return NULL; - } - obj->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA ; - } else { - obj->dynamic &= ~WOLFSSL_ASN1_DYNAMIC_DATA ; - } - XMEMCPY((byte*)obj->obj, objBuf, obj->objSz); - - (void)type; - - return obj; - } - - static const char* oid_translate_num_to_str(const char* oid) - { - const struct oid_dict { - const char* num; - const char* desc; - } oid_dict[] = { - { "2.5.29.37.0", "Any Extended Key Usage" }, - { "1.3.6.1.5.5.7.3.1", "TLS Web Server Authentication" }, - { "1.3.6.1.5.5.7.3.2", "TLS Web Client Authentication" }, - { "1.3.6.1.5.5.7.3.3", "Code Signing" }, - { "1.3.6.1.5.5.7.3.4", "E-mail Protection" }, - { "1.3.6.1.5.5.7.3.8", "Time Stamping" }, - { "1.3.6.1.5.5.7.3.9", "OCSP Signing" }, - { NULL, NULL } - }; - const struct oid_dict* idx; - - for (idx = oid_dict; idx->num != NULL; idx++) { - if (!XSTRNCMP(oid, idx->num, XSTRLEN(idx->num))) { - return idx->desc; - } - } - return NULL; - } - - /* if no_name is one than use numerical form otherwise can be short name. - * - * returns the buffer size on success - */ - int wolfSSL_OBJ_obj2txt(char *buf, int bufLen, WOLFSSL_ASN1_OBJECT *a, int no_name) - { - int bufSz; - const char* desc; - - WOLFSSL_ENTER("wolfSSL_OBJ_obj2txt()"); - - if (buf == NULL || bufLen <= 1 || a == NULL) { - WOLFSSL_MSG("Bad input argument"); - return WOLFSSL_FAILURE; - } - - if (no_name == 1) { - int length; - word32 idx = 0; - byte tag; - - if (GetASNTag(a->obj, &idx, &tag, a->objSz) != 0) { - return WOLFSSL_FAILURE; - } - - if (tag != ASN_OBJECT_ID) { - WOLFSSL_MSG("Bad ASN1 Object"); - return WOLFSSL_FAILURE; - } - - if (GetLength((const byte*)a->obj, &idx, &length, - a->objSz) < 0 || length < 0) { - return ASN_PARSE_E; - } - - if (bufLen < MAX_OID_STRING_SZ) { - bufSz = bufLen - 1; - } - else { - bufSz = MAX_OID_STRING_SZ; - } - - if ((bufSz = DecodePolicyOID(buf, (word32)bufSz, a->obj + idx, - (word32)length)) <= 0) { - WOLFSSL_MSG("Error decoding OID"); - return WOLFSSL_FAILURE; - } - - } - else { /* return short name */ - if (XSTRLEN(a->sName) + 1 < (word32)bufLen - 1) { - bufSz = (int)XSTRLEN(a->sName); - } - else { - bufSz = bufLen - 1; - } - if (bufSz) { - XMEMCPY(buf, a->sName, bufSz); - } - else if (wolfSSL_OBJ_obj2txt(buf, bufLen, a, 1)) { - if ((desc = oid_translate_num_to_str(buf))) { - bufSz = (int)XSTRLEN(desc); - XMEMCPY(buf, desc, min(bufSz, bufLen)); - } - } - else if (a->type == GEN_DNS || a->type == GEN_EMAIL || a->type == GEN_URI) { - bufSz = (int)XSTRLEN((const char*)a->obj); - XMEMCPY(buf, a->obj, min(bufSz, bufLen)); - } - } - - buf[bufSz] = '\0'; - #ifdef WOLFSSL_QT - /* For unknown extension types, QT expects the short name to be the - text representation of the oid */ - if (XSTRLEN(a->sName) == 0) { - XMEMCPY(a->sName, buf, bufSz); - } - #endif - return bufSz; - } -#endif /* OPENSSL_EXTRA */ - -#if defined(OPENSSL_EXTRA) && !defined(NO_ASN) - /* DN_Tags to strings */ - static const struct DN_Tag_Strings { - enum DN_Tags tag; - const char* str; - } dn_tag_strings[] = { - { ASN_COMMON_NAME, "CN" }, - { ASN_SUR_NAME, "SN" }, - { ASN_SERIAL_NUMBER, "serialNumber" }, - { ASN_COUNTRY_NAME, "C" }, - { ASN_LOCALITY_NAME, "L" }, - { ASN_STATE_NAME, "ST" }, - { ASN_ORG_NAME, "O"}, - { ASN_ORGUNIT_NAME, "OU"}, - { ASN_BUS_CAT, "businessCategory"}, - { ASN_EMAIL_NAME, "emailAddress"}, - { ASN_USER_ID, "UID"}, - { ASN_DOMAIN_COMPONENT, "DC"}, - { ASN_DN_NULL, NULL } - }; - - int wolfSSL_X509_NAME_get_index_by_OBJ(WOLFSSL_X509_NAME *name, - const WOLFSSL_ASN1_OBJECT *obj, - int idx) { - const struct DN_Tag_Strings* dn; - enum DN_Tags tag = ASN_DN_NULL; - - if (!name || idx >= name->fullName.locSz || - !obj || !obj->obj) { - return -1; - } - - if (idx < 0) { - idx = 0; - } - for (dn = dn_tag_strings; dn->str != NULL; dn++) { - /* Find the DN_Tags number for the name */ - if (XSTRNCMP((const char*) obj->sName, dn->str, obj->objSz - 1) == 0) { - tag = dn->tag; - break; - } - } - if (!tag) { - /* Unable to identify desired name */ - return -1; - } - for (idx++; idx < name->fullName.locSz; idx++) { - /* Find index of desired name */ - if ((enum DN_Tags)name->fullName.loc[idx] == tag) { - return idx; - } - } - return -1; - } -#endif - -#if defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) || \ - defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) || \ - defined(WOLFSSL_NGINX) || defined(HAVE_POCO_LIB) || \ - defined(WOLFSSL_HAPROXY) - -#ifndef NO_SHA - /* One shot SHA1 hash of message. - * - * d message to hash - * n size of d buffer - * md buffer to hold digest. Should be SHA_DIGEST_SIZE. - * - * Note: if md is null then a static buffer of SHA_DIGEST_SIZE is used. - * When the static buffer is used this function is not thread safe. - * - * Returns a pointer to the message digest on success and NULL on failure. - */ - unsigned char *wolfSSL_SHA1(const unsigned char *d, size_t n, - unsigned char *md) - { - static byte dig[WC_SHA_DIGEST_SIZE]; - wc_Sha sha; - - WOLFSSL_ENTER("wolfSSL_SHA1"); - - if (wc_InitSha_ex(&sha, NULL, 0) != 0) { - WOLFSSL_MSG("SHA1 Init failed"); - return NULL; - } - - if (wc_ShaUpdate(&sha, (const byte*)d, (word32)n) != 0) { - WOLFSSL_MSG("SHA1 Update failed"); - return NULL; - } - - if (wc_ShaFinal(&sha, dig) != 0) { - WOLFSSL_MSG("SHA1 Final failed"); - return NULL; - } - - wc_ShaFree(&sha); - - if (md != NULL) { - XMEMCPY(md, dig, WC_SHA_DIGEST_SIZE); - return md; - } - else { - return (unsigned char*)dig; - } - } -#endif /* ! NO_SHA */ - -#ifndef NO_SHA256 - /* One shot SHA256 hash of message. - * - * d message to hash - * n size of d buffer - * md buffer to hold digest. Should be WC_SHA256_DIGEST_SIZE. - * - * Note: if md is null then a static buffer of WC_SHA256_DIGEST_SIZE is used. - * When the static buffer is used this function is not thread safe. - * - * Returns a pointer to the message digest on success and NULL on failure. - */ - unsigned char *wolfSSL_SHA256(const unsigned char *d, size_t n, - unsigned char *md) - { - static byte dig[WC_SHA256_DIGEST_SIZE]; - wc_Sha256 sha; - - WOLFSSL_ENTER("wolfSSL_SHA256"); - - if (wc_InitSha256_ex(&sha, NULL, 0) != 0) { - WOLFSSL_MSG("SHA256 Init failed"); - return NULL; - } - - if (wc_Sha256Update(&sha, (const byte*)d, (word32)n) != 0) { - WOLFSSL_MSG("SHA256 Update failed"); - return NULL; - } - - if (wc_Sha256Final(&sha, dig) != 0) { - WOLFSSL_MSG("SHA256 Final failed"); - return NULL; - } - - wc_Sha256Free(&sha); - - if (md != NULL) { - XMEMCPY(md, dig, WC_SHA256_DIGEST_SIZE); - return md; - } - else { - return (unsigned char*)dig; - } - } -#endif /* ! NO_SHA256 */ - -#ifdef WOLFSSL_SHA384 - /* One shot SHA384 hash of message. - * - * d message to hash - * n size of d buffer - * md buffer to hold digest. Should be WC_SHA256_DIGEST_SIZE. - * - * Note: if md is null then a static buffer of WC_SHA256_DIGEST_SIZE is used. - * When the static buffer is used this function is not thread safe. - * - * Returns a pointer to the message digest on success and NULL on failure. - */ - unsigned char *wolfSSL_SHA384(const unsigned char *d, size_t n, - unsigned char *md) - { - static byte dig[WC_SHA384_DIGEST_SIZE]; - wc_Sha384 sha; - - WOLFSSL_ENTER("wolfSSL_SHA384"); - - if (wc_InitSha384_ex(&sha, NULL, 0) != 0) { - WOLFSSL_MSG("SHA384 Init failed"); - return NULL; - } - - if (wc_Sha384Update(&sha, (const byte*)d, (word32)n) != 0) { - WOLFSSL_MSG("SHA384 Update failed"); - return NULL; - } - - if (wc_Sha384Final(&sha, dig) != 0) { - WOLFSSL_MSG("SHA384 Final failed"); - return NULL; - } - - wc_Sha384Free(&sha); - - if (md != NULL) { - XMEMCPY(md, dig, WC_SHA384_DIGEST_SIZE); - return md; - } - else { - return (unsigned char*)dig; - } - } -#endif /* WOLFSSL_SHA384 */ - - -#if defined(WOLFSSL_SHA512) - /* One shot SHA512 hash of message. - * - * d message to hash - * n size of d buffer - * md buffer to hold digest. Should be WC_SHA256_DIGEST_SIZE. - * - * Note: if md is null then a static buffer of WC_SHA256_DIGEST_SIZE is used. - * When the static buffer is used this function is not thread safe. - * - * Returns a pointer to the message digest on success and NULL on failure. - */ - unsigned char *wolfSSL_SHA512(const unsigned char *d, size_t n, - unsigned char *md) - { - static byte dig[WC_SHA512_DIGEST_SIZE]; - wc_Sha512 sha; - - WOLFSSL_ENTER("wolfSSL_SHA512"); - - if (wc_InitSha512_ex(&sha, NULL, 0) != 0) { - WOLFSSL_MSG("SHA512 Init failed"); - return NULL; - } - - if (wc_Sha512Update(&sha, (const byte*)d, (word32)n) != 0) { - WOLFSSL_MSG("SHA512 Update failed"); - return NULL; - } - - if (wc_Sha512Final(&sha, dig) != 0) { - WOLFSSL_MSG("SHA512 Final failed"); - return NULL; - } - - wc_Sha512Free(&sha); - - if (md != NULL) { - XMEMCPY(md, dig, WC_SHA512_DIGEST_SIZE); - return md; - } - else { - return (unsigned char*)dig; - } - } -#endif /* defined(WOLFSSL_SHA512) */ -#endif /* OPENSSL_EXTRA */ - -#ifndef WOLFCRYPT_ONLY -#if defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) || \ - defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) || \ - defined(WOLFSSL_NGINX) || defined(HAVE_POCO_LIB) || \ - defined(WOLFSSL_HAPROXY) - - char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x) - { - int ret; - - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate"); - - FreeDer(&ctx->certificate); /* Make sure previous is free'd */ - ret = AllocDer(&ctx->certificate, x->derCert->length, CERT_TYPE, - ctx->heap); - if (ret != 0) - return 0; - - XMEMCPY(ctx->certificate->buffer, x->derCert->buffer, - x->derCert->length); -#ifdef KEEP_OUR_CERT - if (ctx->ourCert != NULL && ctx->ownOurCert) { - FreeX509(ctx->ourCert); - XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509); - } - #ifndef WOLFSSL_X509_STORE_CERTS - ctx->ourCert = x; - #else - ctx->ourCert = wolfSSL_X509_d2i(NULL, x->derCert->buffer,x->derCert->length); - if(ctx->ourCert == NULL){ - return 0; - } - #endif - - ctx->ownOurCert = 0; -#endif - - /* Update the available options with public keys. */ - switch (x->pubKeyOID) { - case RSAk: - ctx->haveRSA = 1; - break; - #ifdef HAVE_ED25519 - case ED25519k: - #endif - #ifdef HAVE_ED448 - case ED448k: - #endif - case ECDSAk: - ctx->haveECC = 1; - #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) - ctx->pkCurveOID = x->pkCurveOID; - #endif - break; - } - - return WOLFSSL_SUCCESS; - } - - int wolfSSL_CTX_add1_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509) - { - int ret; - if (ctx == NULL || x509 == NULL || x509->derCert == NULL) { - return WOLFSSL_FAILURE; - } - - ret = wolfSSL_CTX_load_verify_buffer(ctx, x509->derCert->buffer, - x509->derCert->length, WOLFSSL_FILETYPE_ASN1); - - return (ret == 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; - } - - int wolfSSL_BIO_read_filename(WOLFSSL_BIO *b, const char *name) { - #ifndef NO_FILESYSTEM - XFILE fp; - - WOLFSSL_ENTER("wolfSSL_BIO_new_file"); - - if ((wolfSSL_BIO_get_fp(b, &fp) == WOLFSSL_SUCCESS) && (fp != XBADFILE)) - { - XFCLOSE(fp); - } - - fp = XFOPEN(name, "r"); - if (fp == XBADFILE) - return WOLFSSL_BAD_FILE; - - if (wolfSSL_BIO_set_fp(b, fp, BIO_CLOSE) != WOLFSSL_SUCCESS) { - XFCLOSE(fp); - return WOLFSSL_BAD_FILE; - } - - /* file is closed when bio is free'd */ - return WOLFSSL_SUCCESS; - #else - (void)name; - (void)b; - return WOLFSSL_NOT_IMPLEMENTED; - #endif - } - - /* Return the corresponding short name for the nid <n>. - * or NULL if short name can't be found. - */ - const char * wolfSSL_OBJ_nid2sn(int n) { - const WOLFSSL_ObjectInfo *obj_info = wolfssl_object_info; - size_t i; - WOLFSSL_ENTER("wolfSSL_OBJ_nid2sn"); - for (i = 0; i < WOLFSSL_OBJECT_INFO_SZ; i++, obj_info++) { - if (obj_info->nid == n) { - return obj_info->sName; - } - } - WOLFSSL_MSG("SN not found"); - return NULL; - } - -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) - int wolfSSL_OBJ_sn2nid(const char *sn) { - WOLFSSL_ENTER("wolfSSL_OBJ_sn2nid"); - if (sn == NULL) - return NID_undef; - return wc_OBJ_sn2nid(sn); - } -#endif - - - /* Gets the NID value that corresponds with the ASN1 object. - * - * o ASN1 object to get NID of - * - * Return NID on success and a negative value on failure - */ - int wolfSSL_OBJ_obj2nid(const WOLFSSL_ASN1_OBJECT *o) - { - word32 oid = 0; - word32 idx = 0; - - WOLFSSL_ENTER("wolfSSL_OBJ_obj2nid"); - - if (o == NULL) { - return -1; - } - - #ifdef WOLFSSL_QT - if (o->grp == oidCertExtType) { - /* If nid is an unknown extension, return NID_undef */ - if (wolfSSL_OBJ_nid2sn(o->nid) == NULL) - return NID_undef; - } - #endif - - if (o->nid > 0) - return o->nid; - if (GetObjectId(o->obj, &idx, &oid, o->grp, o->objSz) < 0) { - WOLFSSL_MSG("Issue getting OID of object"); - return -1; - } - - return oid2nid(oid, o->grp); - } - - /* Returns the long name that corresponds with an ASN1_OBJECT nid value. - * n : NID value of ASN1_OBJECT to search */ - const char* wolfSSL_OBJ_nid2ln(int n) - { - const WOLFSSL_ObjectInfo *obj_info = wolfssl_object_info; - size_t i; - WOLFSSL_ENTER("wolfSSL_OBJ_nid2ln"); - for (i = 0; i < WOLFSSL_OBJECT_INFO_SZ; i++, obj_info++) { - if (obj_info->nid == n) { - return obj_info->lName; - } - } - WOLFSSL_MSG("NID not found in table"); - return NULL; - } - - /* Return the corresponding NID for the long name <ln> - * or NID_undef if NID can't be found. - */ - int wolfSSL_OBJ_ln2nid(const char *ln) - { - const WOLFSSL_ObjectInfo *obj_info = wolfssl_object_info; - size_t i, lnlen; - WOLFSSL_ENTER("wolfSSL_OBJ_ln2nid"); - if (ln && (lnlen = XSTRLEN(ln)) > 0) { - /* Accept input like "/commonName=" */ - if (ln[0] == '/') { - ln++; - lnlen--; - } - if (lnlen) { - if (ln[lnlen-1] == '=') { - lnlen--; - } - for (i = 0; i < WOLFSSL_OBJECT_INFO_SZ; i++, obj_info++) { - if (lnlen == XSTRLEN(obj_info->lName) && - XSTRNCMP(ln, obj_info->lName, lnlen) == 0) { - return obj_info->nid; - } - } - } - } - return NID_undef; - } - - /* compares two objects, return 0 if equal */ - int wolfSSL_OBJ_cmp(const WOLFSSL_ASN1_OBJECT* a, - const WOLFSSL_ASN1_OBJECT* b) - { - WOLFSSL_ENTER("wolfSSL_OBJ_cmp"); - - if (a != NULL && b != NULL && - a->obj != NULL && b->obj != NULL && - a->objSz == b->objSz) { - return XMEMCMP(a->obj, b->obj, a->objSz); - } - - return WOLFSSL_FATAL_ERROR; - } - - /* Gets the NID value that is related to the OID string passed in. Example - * string would be "2.5.29.14" for subject key ID. - * - * returns NID value on success and NID_undef on error - */ - int wolfSSL_OBJ_txt2nid(const char* s) - { - unsigned int i; - #ifdef WOLFSSL_CERT_EXT - int ret; - unsigned int sum = 0; - unsigned int outSz = MAX_OID_SZ; - unsigned char out[MAX_OID_SZ]; - #endif - - WOLFSSL_ENTER("OBJ_txt2nid"); - - if (s == NULL) { - return NID_undef; - } - - #ifdef WOLFSSL_CERT_EXT - ret = EncodePolicyOID(out, &outSz, s, NULL); - if (ret == 0) { - /* sum OID */ - for (i = 0; i < outSz; i++) { - sum += out[i]; - } - } - #endif /* WOLFSSL_CERT_EXT */ - - /* get the group that the OID's sum is in - * @TODO possible conflict with multiples */ - for (i = 0; i < WOLFSSL_OBJECT_INFO_SZ; i++) { - int len; - #ifdef WOLFSSL_CERT_EXT - if (ret == 0) { - if (wolfssl_object_info[i].id == (int)sum) { - return wolfssl_object_info[i].nid; - } - } - #endif - - /* try as a short name */ - len = (int)XSTRLEN(s); - if (XSTRNCMP(wolfssl_object_info[i].sName, s, len) == 0) { - return wolfssl_object_info[i].nid; - } - - /* try as a long name */ - if (XSTRNCMP(wolfssl_object_info[i].lName, s, len) == 0) { - return wolfssl_object_info[i].nid; - } - } - - return NID_undef; - } - - /* Creates new ASN1_OBJECT from short name, long name, or text - * representation of oid. If no_name is 0, then short name, long name, and - * numerical value of oid are interpreted. If no_name is 1, then only the - * numerical value of the oid is interpreted. - * - * Returns pointer to ASN1_OBJECT on success, or NULL on error. - */ -#if defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) - WOLFSSL_ASN1_OBJECT* wolfSSL_OBJ_txt2obj(const char* s, int no_name) - { - int len, i, ret; - int nid = NID_undef; - unsigned int outSz = MAX_OID_SZ; - unsigned char out[MAX_OID_SZ]; - unsigned int sum = 0; - - WOLFSSL_ENTER("wolfSSL_OBJ_txt2obj"); - - if (s == NULL) - return NULL; - - /* If s is numerical value, try to sum oid */ - ret = EncodePolicyOID(out, &outSz, s, NULL); - if (ret == 0) { - for (i = 0; i < (int)outSz; i++) { - sum += out[i]; - } - } - - len = (int)XSTRLEN(s); - - /* TODO: update short names in wolfssl_object_info and check OID sums - are correct */ - for (i = 0; i < (int)WOLFSSL_OBJECT_INFO_SZ; i++) { - /* Short name, long name, and numerical value are interpreted */ - if (no_name == 0 && ((XSTRNCMP(s, wolfssl_object_info[i].sName, len) == 0) || - (XSTRNCMP(s, wolfssl_object_info[i].lName, len) == 0) || - (wolfssl_object_info[i].id == (int)sum))) - nid = wolfssl_object_info[i].nid; - /* Only numerical value is interpreted */ - else if (no_name == 1 && wolfssl_object_info[i].id == (int)sum) - nid = wolfssl_object_info[i].nid; - } - - if (nid != NID_undef) - return wolfSSL_OBJ_nid2obj(nid); - - return NULL; - } -#endif - - /* compatibility function. Its intended use is to remove OID's from an - * internal table that have been added with OBJ_create. wolfSSL manages its - * own internal OID values and does not currently support OBJ_create. */ - void wolfSSL_OBJ_cleanup(void) - { - WOLFSSL_ENTER("wolfSSL_OBJ_cleanup()"); - } - - #ifndef NO_WOLFSSL_STUB - int wolfSSL_OBJ_create(const char *oid, const char *sn, const char *ln) - { - (void)oid; - (void)sn; - (void)ln; - WOLFSSL_STUB("wolfSSL_OBJ_create"); - return WOLFSSL_FAILURE; - } - #endif - - void wolfSSL_set_verify_depth(WOLFSSL *ssl, int depth) - { - #if !defined(OPENSSL_EXTRA) && !defined(NO_WOLFSSL_STUB) - (void)ssl; - (void)depth; - WOLFSSL_STUB("wolfSSL_set_verify_depth"); - #else - WOLFSSL_ENTER("wolfSSL_set_verify_depth"); - ssl->options.verifyDepth = (byte)depth; - #endif - } - - - WOLFSSL_ASN1_OBJECT * wolfSSL_X509_NAME_ENTRY_get_object(WOLFSSL_X509_NAME_ENTRY *ne) { - WOLFSSL_ENTER("wolfSSL_X509_NAME_ENTRY_get_object"); - if (ne == NULL) return NULL; - if (wolfSSL_OBJ_nid2obj_ex(ne->nid, &ne->object) != NULL) { - ne->object.nid = ne->nid; - return &ne->object; - } - return NULL; - } - - - /* looks up the DN given the location "loc". "loc" is the number indicating - * the order that the DN was parsed as, 0 is first DN parsed. - * - * returns the setup WOLFSSL_X509_NAME pointer on success and NULL on fail - */ - static WOLFSSL_X509_NAME* wolfSSL_nameByLoc(WOLFSSL_X509_NAME *name, int loc) - { - char* pt = NULL; - int sz = 0; - - switch (name->fullName.loc[loc]) - { - case ASN_COMMON_NAME: - sz = name->fullName.cnLen; - pt = &name->fullName.fullName[name->fullName.cnIdx]; - name->cnEntry.nid = name->fullName.cnNid; - break; - case ASN_COUNTRY_NAME: - sz = name->fullName.cLen; - pt = &name->fullName.fullName[name->fullName.cIdx]; - name->cnEntry.nid = name->fullName.cNid; - break; - case ASN_LOCALITY_NAME: - sz = name->fullName.lLen; - pt = &name->fullName.fullName[name->fullName.lIdx]; - name->cnEntry.nid = name->fullName.lNid; - break; - case ASN_STATE_NAME: - sz = name->fullName.stLen; - pt = &name->fullName.fullName[name->fullName.stIdx]; - name->cnEntry.nid = name->fullName.stNid; - break; - case ASN_ORG_NAME: - sz = name->fullName.oLen; - pt = &name->fullName.fullName[name->fullName.oIdx]; - name->cnEntry.nid = name->fullName.oNid; - break; - case ASN_ORGUNIT_NAME: - sz = name->fullName.ouLen; - pt = &name->fullName.fullName[name->fullName.ouIdx]; - name->cnEntry.nid = name->fullName.ouNid; - break; - case ASN_EMAIL_NAME: - sz = name->fullName.emailLen; - pt = &name->fullName.fullName[name->fullName.emailIdx]; - name->cnEntry.nid = name->fullName.emailNid; - break; - case ASN_SUR_NAME: - sz = name->fullName.snLen; - pt = &name->fullName.fullName[name->fullName.snIdx]; - name->cnEntry.nid = name->fullName.snNid; - break; - case ASN_USER_ID: - sz = name->fullName.uidLen; - pt = &name->fullName.fullName[name->fullName.uidIdx]; - name->cnEntry.nid = name->fullName.uidNid; - break; - case ASN_SERIAL_NUMBER: - sz = name->fullName.serialLen; - pt = &name->fullName.fullName[name->fullName.serialIdx]; - name->cnEntry.nid = name->fullName.serialNid; - break; -#ifdef WOLFSSL_CERT_EXT - case ASN_BUS_CAT: - sz = name->fullName.bcLen; - pt = &name->fullName.fullName[name->fullName.bcIdx]; - break; -#endif - - case ASN_DOMAIN_COMPONENT: - /* get index of DC i.e. first or second or ... case */ - { - int idx = 0, i; - for (i = 0; i < loc; i++) { - if (name->fullName.loc[i] == ASN_DOMAIN_COMPONENT) { - idx++; - } - } - - /* check that index is not larger than max buffer size or larger - * than the number of domain components parsed */ - if (idx >= DOMAIN_COMPONENT_MAX || idx > name->fullName.dcNum) { - WOLFSSL_MSG("Index was larger then domain buffer"); - return NULL; - } - pt = &name->fullName.fullName[name->fullName.dcIdx[idx]], - sz = name->fullName.dcLen[idx]; - name->cnEntry.nid = ASN_DOMAIN_COMPONENT; - name->cnEntry.data.type = CTC_UTF8; - } - break; - - default: - return NULL; - } - - /* -1 to leave room for trailing terminator 0 */ - if (sz == 0 || sz >= CTC_NAME_SIZE - 1) - return NULL; - if (wolfSSL_ASN1_STRING_set(name->cnEntry.value, pt, sz) != - WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error setting local ASN1 string data"); - return NULL; - } - name->cnEntry.value->type = CTC_UTF8; - name->cnEntry.set = 1; - return name; - } - - - WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry( - WOLFSSL_X509_NAME *name, int loc) - { - WOLFSSL_ENTER("wolfSSL_X509_NAME_get_entry"); - - if (name == NULL) { - return NULL; - } - - if (loc < 0) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - - if (loc <= DN_NAMES_MAX + name->fullName.dcNum) { - if (wolfSSL_nameByLoc(name, loc) != NULL) - return &name->cnEntry; - } - /* DC component */ - if (name->fullName.dcMode) { - if (name->fullName.fullName != NULL){ - if (loc == name->fullName.dcNum){ - name->cnEntry.data.data - = &name->fullName.fullName[name->fullName.cIdx]; - name->cnEntry.data.length = name->fullName.cLen; - name->cnEntry.nid = ASN_COUNTRY_NAME; - } else { - name->cnEntry.data.data - = &name->fullName.fullName[name->fullName.dcIdx[loc]]; - name->cnEntry.data.length = name->fullName.dcLen[loc]; - name->cnEntry.nid = ASN_DOMAIN_COMPONENT; - } - } - name->cnEntry.data.type = CTC_UTF8; - /* common name index case */ - } else if (loc == name->fullName.cnIdx && name->x509 != NULL) { - /* get CN shortcut from x509 since it has null terminator */ - name->cnEntry.data.data = name->x509->subjectCN; - name->cnEntry.data.length = name->fullName.cnLen; - name->cnEntry.data.type = CTC_UTF8; - name->cnEntry.nid = ASN_COMMON_NAME; - name->cnEntry.set = 1; - } else { - WOLFSSL_MSG("loc passed in is not in range of parsed DN's"); - return NULL; - } - return &name->cnEntry; - } - - #ifndef NO_WOLFSSL_STUB - int wolfSSL_X509_check_private_key(WOLFSSL_X509 *x509, WOLFSSL_EVP_PKEY *key) - { - (void) x509; - (void) key; - WOLFSSL_ENTER("wolfSSL_X509_check_private_key"); - WOLFSSL_STUB("X509_check_private_key"); - - return WOLFSSL_SUCCESS; - } - - WOLF_STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list( - WOLF_STACK_OF(WOLFSSL_X509_NAME) *sk) - { - (void) sk; - WOLFSSL_ENTER("wolfSSL_dup_CA_list"); - WOLFSSL_STUB("SSL_dup_CA_list"); - - return NULL; - } - - #endif - -#endif /* OPENSSL_ALL || HAVE_LIGHTY || WOLFSSL_MYSQL_COMPATIBLE || - HAVE_STUNNEL || WOLFSSL_NGINX || HAVE_POCO_LIB || WOLFSSL_HAPROXY */ -#endif /* OPENSSL_EXTRA */ - -#ifndef WOLFCRYPT_ONLY - -#ifdef OPENSSL_EXTRA - -/* wolfSSL uses negative values for error states. This function returns an - * unsigned type so the value returned is the absolute value of the error. - */ -unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line) -{ - WOLFSSL_ENTER("wolfSSL_ERR_peek_last_error"); - - (void)line; - (void)file; -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(DEBUG_WOLFSSL) || \ - defined(WOLFSSL_HAPROXY) - { - int ret; - - if ((ret = wc_PeekErrorNode(-1, file, NULL, line)) < 0) { - WOLFSSL_MSG("Issue peeking at error node in queue"); - return 0; - } - #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) - if (ret == -ASN_NO_PEM_HEADER) - return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; - #endif - return (unsigned long)ret; - } -#else - return (unsigned long)(0 - NOT_COMPILED_IN); -#endif -} - - -#ifndef NO_CERTS -int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey) -{ - WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey"); - - if (ctx == NULL || pkey == NULL) { - return WOLFSSL_FAILURE; - } - - if (pkey->pkey.ptr != NULL) { - /* ptr for WOLFSSL_EVP_PKEY struct is expected to be DER format */ - return wolfSSL_CTX_use_PrivateKey_buffer(ctx, - (const unsigned char*)pkey->pkey.ptr, - pkey->pkey_sz, SSL_FILETYPE_ASN1); - } - - WOLFSSL_MSG("wolfSSL private key not set"); - return BAD_FUNC_ARG; -} -#endif /* !NO_CERTS */ - - -#if defined(HAVE_EX_DATA) || defined(FORTRESS) -void* wolfSSL_CTX_get_ex_data(const WOLFSSL_CTX* ctx, int idx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); - #ifdef HAVE_EX_DATA - if(ctx != NULL) { - return wolfSSL_CRYPTO_get_ex_data(&ctx->ex_data, idx); - } - #else - (void)ctx; - (void)idx; - #endif - return NULL; -} - -int wolfSSL_CTX_get_ex_new_index(long idx, void* arg, void* a, void* b, - void* c) -{ - static int ctx_idx = 0; - - WOLFSSL_ENTER("wolfSSL_CTX_get_ex_new_index"); - (void)idx; - (void)arg; - (void)a; - (void)b; - (void)c; - - return ctx_idx++; -} - -/* Return the index that can be used for the WOLFSSL structure to store - * application data. - * - */ -int wolfSSL_get_ex_new_index(long argValue, void* arg, - WOLFSSL_CRYPTO_EX_new* cb1, WOLFSSL_CRYPTO_EX_dup* cb2, - WOLFSSL_CRYPTO_EX_free* cb3) -{ - static int ssl_idx = 0; - - WOLFSSL_ENTER("wolfSSL_get_ex_new_index"); - - (void)argValue; - (void)arg; - (void)cb1; - (void)cb2; - (void)cb3; - - return ssl_idx++; -} - - -int wolfSSL_CTX_set_ex_data(WOLFSSL_CTX* ctx, int idx, void* data) -{ - WOLFSSL_ENTER("wolfSSL_CTX_set_ex_data"); - #ifdef HAVE_EX_DATA - if (ctx != NULL) - { - return wolfSSL_CRYPTO_set_ex_data(&ctx->ex_data, idx, data); - } - #else - (void)ctx; - (void)idx; - (void)data; - #endif - return WOLFSSL_FAILURE; -} -#endif - - -/* Returns char* to app data stored in ex[0]. - * - * ssl WOLFSSL structure to get app data from - */ -void* wolfSSL_get_app_data(const WOLFSSL *ssl) -{ - /* checkout exdata stuff... */ - WOLFSSL_ENTER("wolfSSL_get_app_data"); - - return wolfSSL_get_ex_data(ssl, 0); -} - - -/* Set ex array 0 to have app data - * - * ssl WOLFSSL struct to set app data in - * arg data to be stored - * - * Returns SSL_SUCCESS on success and SSL_FAILURE on failure - */ -int wolfSSL_set_app_data(WOLFSSL *ssl, void* arg) { - WOLFSSL_ENTER("wolfSSL_set_app_data"); - - return wolfSSL_set_ex_data(ssl, 0, arg); -} - - -int wolfSSL_set_ex_data(WOLFSSL* ssl, int idx, void* data) -{ - WOLFSSL_ENTER("wolfSSL_set_ex_data"); -#if defined(HAVE_EX_DATA) || defined(FORTRESS) - if (ssl != NULL) - { - return wolfSSL_CRYPTO_set_ex_data(&ssl->ex_data, idx, data); - } -#else - WOLFSSL_MSG("HAVE_EX_DATA macro is not defined"); - (void)ssl; - (void)idx; - (void)data; -#endif - return WOLFSSL_FAILURE; -} - - - -void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) -{ - WOLFSSL_ENTER("wolfSSL_get_ex_data"); -#if defined(HAVE_EX_DATA) || defined(FORTRESS) - if (ssl != NULL) { - return wolfSSL_CRYPTO_get_ex_data(&ssl->ex_data, idx); - } -#else - WOLFSSL_MSG("HAVE_EX_DATA macro is not defined"); - (void)ssl; - (void)idx; -#endif - return 0; -} - -#ifndef NO_DSA -WOLFSSL_DSA *wolfSSL_PEM_read_bio_DSAparams(WOLFSSL_BIO *bp, WOLFSSL_DSA **x, - pem_password_cb *cb, void *u) -{ - WOLFSSL_DSA* dsa; - DsaKey* key; - int length; - unsigned char* buf; - word32 bufSz; - int ret; - word32 idx = 0; - DerBuffer* pDer; - - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_DSAparams"); - - ret = wolfSSL_BIO_get_mem_data(bp, &buf); - if (ret <= 0) { - WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_DSAparams", ret); - return NULL; - } - - bufSz = (word32)ret; - - if (cb != NULL || u != NULL) { - /* - * cb is for a call back when encountering encrypted PEM files - * if cb == NULL and u != NULL then u = null terminated password string - */ - WOLFSSL_MSG("Not yet supporting call back or password for encrypted PEM"); - } - - if ((ret = PemToDer(buf, (long)bufSz, DSA_PARAM_TYPE, &pDer, NULL, NULL, - NULL)) < 0 ) { - WOLFSSL_MSG("Issue converting from PEM to DER"); - return NULL; - } - - if ((ret = GetSequence(pDer->buffer, &idx, &length, pDer->length)) < 0) { - WOLFSSL_LEAVE("wolfSSL_PEM_read_bio_DSAparams", ret); - FreeDer(&pDer); - return NULL; - } - - dsa = wolfSSL_DSA_new(); - if (dsa == NULL) { - FreeDer(&pDer); - WOLFSSL_MSG("Error creating DSA struct"); - return NULL; - } - - key = (DsaKey*)dsa->internal; - if (key == NULL) { - FreeDer(&pDer); - wolfSSL_DSA_free(dsa); - WOLFSSL_MSG("Error finding DSA key struct"); - return NULL; - } - - if (GetInt(&key->p, pDer->buffer, &idx, pDer->length) < 0 || - GetInt(&key->q, pDer->buffer, &idx, pDer->length) < 0 || - GetInt(&key->g, pDer->buffer, &idx, pDer->length) < 0 ) { - WOLFSSL_MSG("dsa key error"); - FreeDer(&pDer); - wolfSSL_DSA_free(dsa); - return NULL; - } - - if (SetIndividualExternal(&dsa->p, &key->p) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dsa p key error"); - FreeDer(&pDer); - wolfSSL_DSA_free(dsa); - return NULL; - } - - if (SetIndividualExternal(&dsa->q, &key->q) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dsa q key error"); - FreeDer(&pDer); - wolfSSL_DSA_free(dsa); - return NULL; - } - - if (SetIndividualExternal(&dsa->g, &key->g) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dsa g key error"); - FreeDer(&pDer); - wolfSSL_DSA_free(dsa); - return NULL; - } - - if (x != NULL) { - *x = dsa; - } - - FreeDer(&pDer); - return dsa; -} -#endif /* NO_DSA */ -#endif /* OPENSSL_EXTRA */ -#endif /* WOLFCRYPT_ONLY */ - -#if defined(OPENSSL_EXTRA) - -/* Begin functions for openssl/buffer.h */ -WOLFSSL_BUF_MEM* wolfSSL_BUF_MEM_new(void) -{ - WOLFSSL_BUF_MEM* buf; - buf = (WOLFSSL_BUF_MEM*)XMALLOC(sizeof(WOLFSSL_BUF_MEM), NULL, - DYNAMIC_TYPE_OPENSSL); - if (buf) { - XMEMSET(buf, 0, sizeof(WOLFSSL_BUF_MEM)); - } - return buf; -} - - -/* returns length of buffer on success */ -int wolfSSL_BUF_MEM_grow(WOLFSSL_BUF_MEM* buf, size_t len) -{ - int len_int = (int)len; - int mx; - - /* verify provided arguments */ - if (buf == NULL || len_int < 0) { - return 0; /* BAD_FUNC_ARG; */ - } - - /* check to see if fits in existing length */ - if (buf->length > len) { - buf->length = len; - return len_int; - } - - /* check to see if fits in max buffer */ - if (buf->max >= len) { - if (buf->data != NULL) { - XMEMSET(&buf->data[buf->length], 0, len - buf->length); - } - buf->length = len; - return len_int; - } - - /* expand size, to handle growth */ - mx = (len_int + 3) / 3 * 4; - - /* use realloc */ - buf->data = (char*)XREALLOC(buf->data, mx, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (buf->data == NULL) { - return 0; /* ERR_R_MALLOC_FAILURE; */ - } - - buf->max = mx; - XMEMSET(&buf->data[buf->length], 0, len - buf->length); - buf->length = len; - - return len_int; -} - -void wolfSSL_BUF_MEM_free(WOLFSSL_BUF_MEM* buf) -{ - if (buf) { - if (buf->data) { - XFREE(buf->data, NULL, DYNAMIC_TYPE_TMP_BUFFER); - buf->data = NULL; - } - buf->max = 0; - buf->length = 0; - XFREE(buf, NULL, DYNAMIC_TYPE_OPENSSL); - } -} -/* End Functions for openssl/buffer.h */ - -#endif /* OPENSSL_EXTRA */ - - -#if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) \ - || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA) - -WOLFSSL_BIO *wolfSSL_BIO_new_file(const char *filename, const char *mode) -{ -#ifndef NO_FILESYSTEM - WOLFSSL_BIO* bio; - XFILE fp; - - WOLFSSL_ENTER("wolfSSL_BIO_new_file"); - - fp = XFOPEN(filename, mode); - if (fp == XBADFILE) - return NULL; - - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); - if (bio == NULL) { - XFCLOSE(fp); - return bio; - } - - if (wolfSSL_BIO_set_fp(bio, fp, BIO_CLOSE) != WOLFSSL_SUCCESS) { - XFCLOSE(fp); - wolfSSL_BIO_free(bio); - bio = NULL; - } - - /* file is closed when BIO is free'd */ - return bio; -#else - (void)filename; - (void)mode; - return NULL; -#endif /* NO_FILESYSTEM */ -} - -#ifndef NO_FILESYSTEM -WOLFSSL_BIO* wolfSSL_BIO_new_fp(XFILE fp, int close_flag) -{ - WOLFSSL_BIO* bio; - - WOLFSSL_ENTER("wolfSSL_BIO_new_fp"); - - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); - if (bio == NULL) { - return bio; - } - - if (wolfSSL_BIO_set_fp(bio, fp, close_flag) != WOLFSSL_SUCCESS) { - wolfSSL_BIO_free(bio); - bio = NULL; - } - - /* file is closed when BIO is free'd or by user depending on flag */ - return bio; -} -#endif - - -#ifndef NO_DH -WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bio, WOLFSSL_DH **x, - pem_password_cb *cb, void *u) -{ -#ifndef NO_FILESYSTEM - WOLFSSL_DH* localDh = NULL; - unsigned char* mem = NULL; - word32 size; - long sz; - int ret; - DerBuffer *der = NULL; - byte* p = NULL; - byte* g = NULL; - word32 pSz = MAX_DH_SIZE; - word32 gSz = MAX_DH_SIZE; - int memAlloced = 0; - - WOLFSSL_ENTER("wolfSSL_PEM_read_bio_DHparams"); - (void)cb; - (void)u; - - if (bio == NULL) { - WOLFSSL_MSG("Bad Function Argument bio is NULL"); - return NULL; - } - - if (bio->type == WOLFSSL_BIO_MEMORY) { - /* Use the buffer directly. */ - ret = wolfSSL_BIO_get_mem_data(bio, &mem); - if (mem == NULL || ret <= 0) { - WOLFSSL_MSG("Failed to get data from bio struct"); - goto end; - } - size = ret; - } - else if (bio->type == WOLFSSL_BIO_FILE) { - /* Read whole file into a new buffer. */ - if (XFSEEK((XFILE)bio->ptr, 0, SEEK_END) != 0) - goto end; - sz = XFTELL((XFILE)bio->ptr); - if (XFSEEK((XFILE)bio->ptr, 0, SEEK_SET) != 0) - goto end; - if (sz > MAX_WOLFSSL_FILE_SIZE || sz <= 0L) { - WOLFSSL_MSG("PEM_read_bio_DHparams file size error"); - goto end; - } - mem = (unsigned char*)XMALLOC(sz, NULL, DYNAMIC_TYPE_PEM); - if (mem == NULL) - goto end; - memAlloced = 1; - - if (wolfSSL_BIO_read(bio, (char *)mem, (int)sz) <= 0) - goto end; - size = (word32)sz; - } - else { - WOLFSSL_MSG("BIO type not supported for reading DH parameters"); - goto end; - } - - ret = PemToDer(mem, size, DH_PARAM_TYPE, &der, NULL, NULL, NULL); - if (ret != 0) - goto end; - - /* Use the object passed in, otherwise allocate a new object */ - if (x != NULL) - localDh = *x; - if (localDh == NULL) { - localDh = wolfSSL_DH_new(); - if (localDh == NULL) - goto end; - } - - /* Load data in manually */ - p = (byte*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - g = (byte*)XMALLOC(gSz, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - if (p == NULL || g == NULL) - goto end; - - /* Extract the p and g as data from the DER encoded DH parameters. */ - ret = wc_DhParamsLoad(der->buffer, der->length, p, &pSz, g, &gSz); - if (ret != 0) { - if (x != NULL && localDh != *x) - XFREE(localDh, NULL, DYNAMIC_TYPE_OPENSSL); - localDh = NULL; - goto end; - } - - if (x != NULL) - *x = localDh; - - /* Put p and g in as big numbers. */ - if (localDh->p != NULL) { - wolfSSL_BN_free(localDh->p); - localDh->p = NULL; - } - if (localDh->g != NULL) { - wolfSSL_BN_free(localDh->g); - localDh->g = NULL; - } - localDh->p = wolfSSL_BN_bin2bn(p, pSz, NULL); - localDh->g = wolfSSL_BN_bin2bn(g, gSz, NULL); - if (localDh->p == NULL || localDh->g == NULL) { - if (x != NULL && localDh != *x) - wolfSSL_DH_free(localDh); - localDh = NULL; - } - - if (localDh != NULL && localDh->inSet == 0) { - if (SetDhInternal(localDh) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Unable to set internal DH structure"); - wolfSSL_DH_free(localDh); - localDh = NULL; - } - } - -end: - if (memAlloced) XFREE(mem, NULL, DYNAMIC_TYPE_PEM); - if (der != NULL) FreeDer(&der); - XFREE(p, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - XFREE(g, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - return localDh; -#else - (void)bio; - (void)x; - (void)cb; - (void)u; - return NULL; -#endif -} - -#ifndef NO_FILESYSTEM -#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_OPENSSH) -/* Convert DH key parameters to DER format, write to output (outSz) - * If output is NULL then max expected size is set to outSz and LENGTH_ONLY_E is - * returned. - * - * Note : static function due to redefinition complications with DhKey and FIPS - * version 2 build. - * - * return bytes written on success */ -int wc_DhParamsToDer(DhKey* key, byte* out, word32* outSz) -{ - word32 sz = 0, idx = 0; - int pSz = 0, gSz = 0, ret; - byte scratch[MAX_LENGTH_SZ]; - - if (key == NULL || outSz == NULL) { - return BAD_FUNC_ARG; - } - - pSz = mp_unsigned_bin_size(&key->p); - if (pSz < 0) { - return pSz; - } - if (mp_leading_bit(&key->p)) { - pSz++; - } - - gSz = mp_unsigned_bin_size(&key->g); - if (gSz < 0) { - return gSz; - } - if (mp_leading_bit(&key->g)) { - gSz++; - } - - sz = ASN_TAG_SZ; /* Integer */ - sz += SetLength(pSz, scratch); - sz += ASN_TAG_SZ; /* Integer */ - sz += SetLength(gSz, scratch); - sz += gSz + pSz; - - if (out == NULL) { - byte seqScratch[MAX_SEQ_SZ]; - - *outSz = sz + SetSequence(sz, seqScratch); - return LENGTH_ONLY_E; - } - - if (*outSz < MAX_SEQ_SZ || *outSz < sz) { - return BUFFER_E; - } - - idx += SetSequence(sz, out); - if (*outSz < idx + sz) { - return BUFFER_E; - } - - out[idx++] = ASN_INTEGER; - idx += SetLength(pSz, out + idx); - if (mp_leading_bit(&key->p)) { - out[idx++] = 0x00; - pSz -= 1; /* subtract 1 from size to account for leading 0 */ - } - ret = mp_to_unsigned_bin(&key->p, out + idx); - if (ret != MP_OKAY) { - return BUFFER_E; - } - idx += pSz; - - out[idx++] = ASN_INTEGER; - idx += SetLength(gSz, out + idx); - if (mp_leading_bit(&key->g)) { - out[idx++] = 0x00; - gSz -= 1; /* subtract 1 from size to account for leading 0 */ - } - ret = mp_to_unsigned_bin(&key->g, out + idx); - if (ret != MP_OKAY) { - return BUFFER_E; - } - idx += gSz; - return idx; -} - -int wc_DhPubKeyToDer(DhKey* key, byte* out, word32* outSz) -{ - word32 sz = 0; - word32 paramSz = 0; - int ret; - int pubSz = 0; - int idx = 0; - byte scratch[MAX_ALGO_SZ]; - - /* Get size of entire key */ - - /* SEQUENCE <--| SetAlgoId - * OBJECT IDENTIFIER <--| - * SEQUENCE <-- - * INTEGER | wc_DhParamsToDer - * INTEGER <-- - */ - ret = wc_DhParamsToDer(key, NULL, ¶mSz); - if (ret != LENGTH_ONLY_E) - return ASN_PARSE_E; - sz += paramSz; - sz += SetAlgoID(DHk, scratch, oidKeyType, paramSz); - - /* BIT STRING - * INTEGER - */ - pubSz = mp_unsigned_bin_size(&key->pub); - if (pubSz < 0) - return pubSz; - - if (mp_leading_bit(&key->pub)) - pubSz++; - - sz += ASN_TAG_SZ; /* Integer */ - sz += SetLength(pubSz, scratch); - sz += pubSz; - - sz += SetBitString(pubSz, 0, scratch); - - if (out == NULL) { - /* Uppermost SEQUENCE */ - *outSz = sz + SetSequence(sz, scratch); - return LENGTH_ONLY_E; - } - /* end get size of entire key */ - - /* Check for indexing errors */ - if (*outSz < MAX_SEQ_SZ || *outSz < sz) { - return BUFFER_E; - } - - /* Build Up Entire Key */ - - idx += SetSequence(sz, out); - - idx += SetAlgoID(DHk, out+idx, oidKeyType, paramSz); - ret = wc_DhParamsToDer(key, out+idx, ¶mSz); - if (ret < 0) - return ret; - idx += ret; - - /* BIT STRING - * INTEGER - */ - idx += SetBitString(pubSz, 0, out+idx); - - out[idx++] = ASN_INTEGER; - idx += SetLength(pubSz, out + idx); - if (mp_leading_bit(&key->pub)) { - out[idx++] = 0x00; - pubSz -= 1; /* subtract 1 from size to account for leading 0 */ - } - ret = mp_to_unsigned_bin(&key->pub, out + idx); - if (ret != MP_OKAY) { - return BUFFER_E; - } - idx += pubSz; - - return idx; -} - -int wc_DhPrivKeyToDer(DhKey* key, byte* out, word32* outSz) -{ - word32 sz = 0; - word32 paramSz = 0; - int ret; - int privSz = 0; - int idx = 0; - byte scratch[MAX_ALGO_SZ]; - - /* Get size of entire key */ - - /* INTEGER 0 */ - sz += ASN_TAG_SZ; /* Integer */ - sz += SetLength(1, scratch); - sz += 1; - - /* SEQUENCE <--| SetAlgoId - * OBJECT IDENTIFIER <--| - * SEQUENCE <-- - * INTEGER | wc_DhParamsToDer - * INTEGER <-- - */ - ret = wc_DhParamsToDer(key, NULL, ¶mSz); - if (ret != LENGTH_ONLY_E) - return ASN_PARSE_E; - sz += paramSz; - sz += SetAlgoID(DHk, scratch, oidKeyType, paramSz); - - /* OCTET STRING - * INTEGER - */ - privSz = mp_unsigned_bin_size(&key->priv); - if (privSz < 0) - return privSz; - else if (privSz > 256) /* Key is larger than 2048 */ - return ASN_VERSION_E; - - if (mp_leading_bit(&key->priv)) - privSz++; - - sz += ASN_TAG_SZ; /* Integer */ - sz += SetLength(privSz, scratch); - sz += privSz; - - sz += SetOctetString(privSz + ASN_OCTET_STRING, scratch); - - if (out == NULL) { - /* Uppermost SEQUENCE */ - *outSz = sz + SetSequence(sz, scratch); - return LENGTH_ONLY_E; - } - /* end get size of entire key */ - - /* Check for indexing errors */ - if (*outSz < MAX_SEQ_SZ || *outSz < sz) { - return BUFFER_E; - } - - /* Build Up Entire Key */ - - idx += SetSequence(sz, out); - - /* INTEGER 0 */ - out[idx++] = ASN_INTEGER; - idx += SetLength(1, out+idx); - out[idx++] = 0; - - idx += SetAlgoID(DHk, out+idx, oidKeyType, paramSz); - ret = wc_DhParamsToDer(key, out+idx, ¶mSz); - if (ret < 0) - return ret; - idx += ret; - - /* OCTET STRING - * INTEGER - */ - if (privSz == 256) { - idx += SetOctetString(privSz + ASN_OCTET_STRING, out+idx); - } else if (privSz == 128) { - idx += SetOctetString(privSz + ASN_OCTET_STRING-1, out+idx); - } else if (privSz == 64) { - idx += SetOctetString(privSz + ASN_OCTET_STRING-2, out+idx); - } else { - WOLFSSL_MSG("Unsupported key size"); - return ASN_VERSION_E; - } - - out[idx++] = ASN_INTEGER; - idx += SetLength(privSz, out + idx); - if (mp_leading_bit(&key->priv)) { - out[idx++] = 0x00; - privSz -= 1; /* subtract 1 from size to account for leading 0 */ - } - ret = mp_to_unsigned_bin(&key->priv, out + idx); - if (ret != MP_OKAY) { - return BUFFER_E; - } - idx += privSz; - - return idx; -} - -/* Writes the DH parameters in PEM format from "dh" out to the file pointer - * passed in. - * - * returns WOLFSSL_SUCCESS on success - */ -int wolfSSL_PEM_write_DHparams(XFILE fp, WOLFSSL_DH* dh) -{ - int ret; - word32 derSz = 0, pemSz = 0; - byte *der, *pem; - DhKey* key; - - WOLFSSL_ENTER("wolfSSL_PEM_write_DHparams"); - - if (dh == NULL) { - WOLFSSL_LEAVE("wolfSSL_PEM_write_DHparams", BAD_FUNC_ARG); - return WOLFSSL_FAILURE; - } - - if (dh->inSet == 0) { - if (SetDhInternal(dh) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Unable to set internal DH structure"); - return WOLFSSL_FAILURE; - } - } - key = (DhKey*)dh->internal; - ret = wc_DhParamsToDer(key, NULL, &derSz); - if (ret != LENGTH_ONLY_E) { - WOLFSSL_MSG("Failed to get size of DH params"); - WOLFSSL_LEAVE("wolfSSL_PEM_write_DHparams", ret); - return WOLFSSL_FAILURE; - } - - der = (byte*)XMALLOC(derSz, key->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (der == NULL) { - WOLFSSL_LEAVE("wolfSSL_PEM_write_DHparams", MEMORY_E); - return WOLFSSL_FAILURE; - } - ret = wc_DhParamsToDer(key, der, &derSz); - if (ret <= 0) { - WOLFSSL_MSG("Failed to export DH params"); - WOLFSSL_LEAVE("wolfSSL_PEM_write_DHparams", ret); - XFREE(der, key->heap, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - - /* convert to PEM */ - ret = wc_DerToPem(der, derSz, NULL, 0, DH_PARAM_TYPE); - if (ret < 0) { - WOLFSSL_MSG("Failed to convert DH params to PEM"); - WOLFSSL_LEAVE("wolfSSL_PEM_write_DHparams", ret); - XFREE(der, key->heap, DYNAMIC_TYPE_TMP_BUFFER); - return ret; - } - pemSz = (word32)ret; - - pem = (byte*)XMALLOC(pemSz, key->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (pem == NULL) { - WOLFSSL_LEAVE("wolfSSL_PEM_write_DHparams", MEMORY_E); - XFREE(der, key->heap, DYNAMIC_TYPE_TMP_BUFFER); - return ret; - } - ret = wc_DerToPem(der, derSz, pem, pemSz, DH_PARAM_TYPE); - XFREE(der, key->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ret < 0) { - WOLFSSL_MSG("Failed to convert DH params to PEM"); - WOLFSSL_LEAVE("wolfSSL_PEM_write_DHparams", ret); - XFREE(pem, key->heap, DYNAMIC_TYPE_TMP_BUFFER); - return ret; - } - - ret = (int)XFWRITE(pem, 1, pemSz, fp); - XFREE(pem, key->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (ret <= 0) { - WOLFSSL_MSG("Failed to write to file"); - WOLFSSL_LEAVE("wolfSSL_PEM_write_DHparams", ret); - return WOLFSSL_FAILURE; - } - - WOLFSSL_LEAVE("wolfSSL_PEM_write_DHparams", WOLFSSL_SUCCESS); - return WOLFSSL_SUCCESS; -} -#endif /* WOLFSSL_QT || OPENSSL_ALL */ -#endif /* !NO_FILESYSTEM */ -#endif /* !NO_DH */ - -#ifdef WOLFSSL_CERT_GEN - -#ifdef WOLFSSL_CERT_REQ -/* writes the x509 from x to the WOLFSSL_BIO bp - * - * returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on fail - */ -int wolfSSL_PEM_write_bio_X509_REQ(WOLFSSL_BIO *bp, WOLFSSL_X509 *x) -{ - byte* pem; - int pemSz = 0; - const unsigned char* der; - int derSz; - int ret; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_X509_REQ()"); - - if (x == NULL || bp == NULL) { - return WOLFSSL_FAILURE; - } - - der = wolfSSL_X509_get_der(x, &derSz); - if (der == NULL) { - return WOLFSSL_FAILURE; - } - - /* get PEM size */ - pemSz = wc_DerToPemEx(der, derSz, NULL, 0, NULL, CERTREQ_TYPE); - if (pemSz < 0) { - return WOLFSSL_FAILURE; - } - - /* create PEM buffer and convert from DER */ - pem = (byte*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (pem == NULL) { - return WOLFSSL_FAILURE; - } - if (wc_DerToPemEx(der, derSz, pem, pemSz, NULL, CERTREQ_TYPE) < 0) { - XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - - /* write the PEM to BIO */ - ret = wolfSSL_BIO_write(bp, pem, pemSz); - XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - if (ret <= 0) return WOLFSSL_FAILURE; - return WOLFSSL_SUCCESS; -} -#endif /* WOLFSSL_CERT_REQ */ - - -/* writes the x509 from x to the WOLFSSL_BIO bp - * - * returns WOLFSSL_SUCCESS on success and WOLFSSL_FAILURE on fail - */ -int wolfSSL_PEM_write_bio_X509_AUX(WOLFSSL_BIO *bp, WOLFSSL_X509 *x) -{ - byte* pem; - int pemSz = 0; - const unsigned char* der; - int derSz; - int ret; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_X509_AUX()"); - - if (bp == NULL || x == NULL) { - WOLFSSL_MSG("NULL argument passed in"); - return WOLFSSL_FAILURE; - } - - der = wolfSSL_X509_get_der(x, &derSz); - if (der == NULL) { - return WOLFSSL_FAILURE; - } - - /* get PEM size */ - pemSz = wc_DerToPemEx(der, derSz, NULL, 0, NULL, CERT_TYPE); - if (pemSz < 0) { - return WOLFSSL_FAILURE; - } - - /* create PEM buffer and convert from DER */ - pem = (byte*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (pem == NULL) { - return WOLFSSL_FAILURE; - } - if (wc_DerToPemEx(der, derSz, pem, pemSz, NULL, CERT_TYPE) < 0) { - XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - - /* write the PEM to BIO */ - ret = wolfSSL_BIO_write(bp, pem, pemSz); - XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - if (ret <= 0) return WOLFSSL_FAILURE; - return WOLFSSL_SUCCESS; -} -#endif /* WOLFSSL_CERT_GEN */ - -int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bio, WOLFSSL_X509 *cert) -{ - byte* pem; - int pemSz = 0; - const unsigned char* der; - int derSz; - int ret; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_X509_AUX()"); - - if (bio == NULL || cert == NULL) { - WOLFSSL_MSG("NULL argument passed in"); - return WOLFSSL_FAILURE; - } - - der = wolfSSL_X509_get_der(cert, &derSz); - if (der == NULL) { - return WOLFSSL_FAILURE; - } - - /* get PEM size */ - pemSz = wc_DerToPemEx(der, derSz, NULL, 0, NULL, CERT_TYPE); - if (pemSz < 0) { - return WOLFSSL_FAILURE; - } - - /* create PEM buffer and convert from DER */ - pem = (byte*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (pem == NULL) { - return WOLFSSL_FAILURE; - } - if (wc_DerToPemEx(der, derSz, pem, pemSz, NULL, CERT_TYPE) < 0) { - XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - - /* write the PEM to BIO */ - ret = wolfSSL_BIO_write(bio, pem, pemSz); - XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - if (ret <= 0) return WOLFSSL_FAILURE; - return WOLFSSL_SUCCESS; -} - - -#if defined(OPENSSL_EXTRA) && !defined(NO_DH) -/* Initialize ctx->dh with dh's params. Return WOLFSSL_SUCCESS on ok */ -long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX* ctx, WOLFSSL_DH* dh) -{ - int pSz, gSz; - byte *p, *g; - int ret=0; - - WOLFSSL_ENTER("wolfSSL_CTX_set_tmp_dh"); - - if(!ctx || !dh) - return BAD_FUNC_ARG; - - /* Get needed size for p and g */ - pSz = wolfSSL_BN_bn2bin(dh->p, NULL); - gSz = wolfSSL_BN_bn2bin(dh->g, NULL); - - if(pSz <= 0 || gSz <= 0) - return WOLFSSL_FATAL_ERROR; - - p = (byte*)XMALLOC(pSz, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if(!p) - return MEMORY_E; - - g = (byte*)XMALLOC(gSz, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if(!g) { - XFREE(p, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY); - return MEMORY_E; - } - - pSz = wolfSSL_BN_bn2bin(dh->p, p); - gSz = wolfSSL_BN_bn2bin(dh->g, g); - - if(pSz >= 0 && gSz >= 0) /* Conversion successful */ - ret = wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz); - - XFREE(p, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY); - XFREE(g, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY); - - return pSz > 0 && gSz > 0 ? ret : WOLFSSL_FATAL_ERROR; -} -#endif /* OPENSSL_EXTRA && !NO_DH */ - - -/* returns the enum value associated with handshake state - * - * ssl the WOLFSSL structure to get state of - */ -int wolfSSL_get_state(const WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_get_state"); - - if (ssl == NULL) { - WOLFSSL_MSG("Null argument passed in"); - return SSL_FAILURE; - } - - return ssl->options.handShakeState; -} -#endif /* HAVE_LIGHTY || HAVE_STUNNEL || WOLFSSL_MYSQL_COMPATIBLE */ - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || defined(WOLFSSL_HAPROXY) \ - || defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) - -long wolfSSL_ctrl(WOLFSSL* ssl, int cmd, long opt, void* pt) -{ - WOLFSSL_ENTER("wolfSSL_ctrl"); - if (ssl == NULL) - return BAD_FUNC_ARG; - - switch (cmd) { - #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - case SSL_CTRL_SET_TLSEXT_HOSTNAME: - WOLFSSL_MSG("Entering Case: SSL_CTRL_SET_TLSEXT_HOSTNAME."); - #ifdef HAVE_SNI - if (pt == NULL) { - WOLFSSL_MSG("Passed in NULL Host Name."); - break; - } - return wolfSSL_set_tlsext_host_name(ssl, (const char*) pt); - #else - WOLFSSL_MSG("SNI not enabled."); - break; - #endif /* HAVE_SNI */ - #endif /* WOLFSSL_NGINX || WOLFSSL_QT || OPENSSL_ALL */ - default: - WOLFSSL_MSG("Case not implemented."); - } - (void)opt; - (void)pt; - return WOLFSSL_FAILURE; -} - -long wolfSSL_CTX_ctrl(WOLFSSL_CTX* ctx, int cmd, long opt, void* pt) -{ -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - long ctrl_opt; -#endif - long ret = WOLFSSL_SUCCESS; - - WOLFSSL_ENTER("wolfSSL_CTX_ctrl"); - if (ctx == NULL) - return WOLFSSL_FAILURE; - - switch (cmd) { - case SSL_CTRL_CHAIN: -#ifdef SESSION_CERTS - { - /* - * We don't care about opt here because a copy of the certificate is - * stored anyway so increasing the reference counter is not necessary. - * Just check to make sure that it is set to one of the correct values. - */ - WOLF_STACK_OF(WOLFSSL_X509)* sk = (WOLF_STACK_OF(WOLFSSL_X509)*) pt; - WOLFSSL_X509* x509; - int i; - if (opt != 0 && opt != 1) { - ret = WOLFSSL_FAILURE; - break; - } - /* Clear certificate chain */ - FreeDer(&ctx->certChain); - if (sk) { - for (i = 0; i < wolfSSL_sk_X509_num(sk); i++) { - x509 = wolfSSL_sk_X509_value(sk, i); - /* Prevent wolfSSL_CTX_add_extra_chain_cert from freeing cert */ - if (wolfSSL_X509_up_ref(x509) != 1) { - WOLFSSL_MSG("Error increasing reference count"); - continue; - } - if (wolfSSL_CTX_add_extra_chain_cert(ctx, x509) != - WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error adding certificate to context"); - /* Decrease reference count on failure */ - wolfSSL_X509_free(x509); - } - } - } - /* Free previous chain */ - wolfSSL_sk_X509_free(ctx->x509Chain); - ctx->x509Chain = sk; - if (sk) { - for (i = 0; i < wolfSSL_sk_X509_num(sk); i++) { - x509 = wolfSSL_sk_X509_value(sk, i); - /* On successful setting of new chain up all refs */ - if (wolfSSL_X509_up_ref(x509) != 1) { - WOLFSSL_MSG("Error increasing reference count"); - continue; - } - } - } - } -#else - WOLFSSL_MSG("Session certificates not compiled in"); - ret = WOLFSSL_FAILURE; -#endif - break; - -#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) - case SSL_CTRL_OPTIONS: - WOLFSSL_MSG("Entering Case: SSL_CTRL_OPTIONS."); - ctrl_opt = wolfSSL_CTX_set_options(ctx, opt); - - #ifdef WOLFSSL_QT - /* Set whether to use client or server cipher preference */ - if ((ctrl_opt & SSL_OP_CIPHER_SERVER_PREFERENCE) - == SSL_OP_CIPHER_SERVER_PREFERENCE) { - WOLFSSL_MSG("Using Server's Cipher Preference."); - ctx->useClientOrder = FALSE; - } else { - WOLFSSL_MSG("Using Client's Cipher Preference."); - ctx->useClientOrder = TRUE; - } - #endif /* WOLFSSL_QT */ - - return ctrl_opt; -#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */ - case SSL_CTRL_EXTRA_CHAIN_CERT: - WOLFSSL_MSG("Entering Case: SSL_CTRL_EXTRA_CHAIN_CERT."); - if (pt == NULL) { - WOLFSSL_MSG("Passed in x509 pointer NULL."); - ret = WOLFSSL_FAILURE; - break; - } - return wolfSSL_CTX_add_extra_chain_cert(ctx, (WOLFSSL_X509*)pt); - -#ifndef NO_DH - case SSL_CTRL_SET_TMP_DH: - WOLFSSL_MSG("Entering Case: SSL_CTRL_SET_TMP_DH."); - if (pt == NULL) { - WOLFSSL_MSG("Passed in DH pointer NULL."); - ret = WOLFSSL_FAILURE; - break; - } - return wolfSSL_CTX_set_tmp_dh(ctx, (WOLFSSL_DH*)pt); -#endif - -#ifdef HAVE_ECC - case SSL_CTRL_SET_TMP_ECDH: - WOLFSSL_MSG("Entering Case: SSL_CTRL_SET_TMP_ECDH."); - if (pt == NULL) { - WOLFSSL_MSG("Passed in ECDH pointer NULL."); - ret = WOLFSSL_FAILURE; - break; - } - return wolfSSL_SSL_CTX_set_tmp_ecdh(ctx, (WOLFSSL_EC_KEY*)pt); -#endif - case SSL_CTRL_MODE: - wolfSSL_CTX_set_mode(ctx,opt); - break; - - default: - WOLFSSL_MSG("CTX_ctrl cmd not implemented"); - ret = WOLFSSL_FAILURE; - break; - } - - (void)ctx; - (void)cmd; - (void)opt; - (void)pt; - WOLFSSL_LEAVE("wolfSSL_CTX_ctrl", (int)ret); - return ret; -} - -#ifndef WOLFSSL_NO_STUB -long wolfSSL_CTX_callback_ctrl(WOLFSSL_CTX* ctx, int cmd, void (*fp)(void)) -{ - (void) ctx; - (void) cmd; - (void) fp; - WOLFSSL_STUB("wolfSSL_CTX_callback_ctrl"); - return WOLFSSL_FAILURE; - -} -#endif /* WOLFSSL_NO_STUB */ - -#ifndef NO_WOLFSSL_STUB -long wolfSSL_CTX_clear_extra_chain_certs(WOLFSSL_CTX* ctx) -{ - return wolfSSL_CTX_ctrl(ctx, SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS, 0l, NULL); -} -#endif - -/* Returns the verifyCallback from the ssl structure if successful. -Returns NULL otherwise. */ -VerifyCallback wolfSSL_get_verify_callback(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_get_verify_callback()"); - if (ssl) { - return ssl->verifyCallback; - } - return NULL; -} - -/* Creates a new bio pair. -Returns WOLFSSL_SUCCESS if no error, WOLFSSL_FAILURE otherwise.*/ -int wolfSSL_BIO_new_bio_pair(WOLFSSL_BIO **bio1_p, size_t writebuf1, - WOLFSSL_BIO **bio2_p, size_t writebuf2) -{ - WOLFSSL_BIO *bio1 = NULL, *bio2 = NULL; - int ret = 1; - - WOLFSSL_ENTER("wolfSSL_BIO_new_bio_pair()"); - - if (bio1_p == NULL || bio2_p == NULL) { - WOLFSSL_MSG("Bad Function Argument"); - return BAD_FUNC_ARG; - } - - /* set up the new bio structures and write buf sizes */ - if ((bio1 = wolfSSL_BIO_new(wolfSSL_BIO_s_bio())) == NULL) { - WOLFSSL_MSG("Bio allocation failed"); - ret = WOLFSSL_FAILURE; - } - if (ret) { - if ((bio2 = wolfSSL_BIO_new(wolfSSL_BIO_s_bio())) == NULL) { - WOLFSSL_MSG("Bio allocation failed"); - ret = WOLFSSL_FAILURE; - } - } - if (ret && writebuf1) { - if (!(ret = wolfSSL_BIO_set_write_buf_size(bio1, writebuf1))) { - WOLFSSL_MSG("wolfSSL_BIO_set_write_buf() failure"); - } - } - if (ret && writebuf2) { - if (!(ret = wolfSSL_BIO_set_write_buf_size(bio2, writebuf2))) { - WOLFSSL_MSG("wolfSSL_BIO_set_write_buf() failure"); - } - } - - if (ret) { - if ((ret = wolfSSL_BIO_make_bio_pair(bio1, bio2))) { - *bio1_p = bio1; - *bio2_p = bio2; - } - } - if (!ret) { - wolfSSL_BIO_free(bio1); - bio1 = NULL; - wolfSSL_BIO_free(bio2); - bio2 = NULL; - } - return ret; -} - - -#if !defined(HAVE_FAST_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(NO_RSA) && !defined(HAVE_USER_RSA) -/* Converts an rsa key from a bio buffer into an internal rsa structure. -Returns a pointer to the new WOLFSSL_RSA structure. */ -WOLFSSL_RSA* wolfSSL_d2i_RSAPrivateKey_bio(WOLFSSL_BIO *bio, WOLFSSL_RSA **out) -{ - const unsigned char* bioMem = NULL; - int bioMemSz = 0; - WOLFSSL_RSA* key = NULL; - unsigned char maxKeyBuf[4096]; - unsigned char* bufPtr = NULL; - unsigned char* extraBioMem = NULL; - int extraBioMemSz = 0; - int derLength = 0; - int j = 0, i = 0; - - WOLFSSL_ENTER("wolfSSL_d2i_RSAPrivateKey_bio()"); - - if (bio == NULL) { - WOLFSSL_MSG("Bad Function Argument"); - return NULL; - } - (void)out; - - bioMemSz = wolfSSL_BIO_pending(bio); - if (bioMemSz <= 0) { - WOLFSSL_MSG("wolfSSL_BIO_pending() failure"); - return NULL; - } - - bioMem = (unsigned char*)XMALLOC(bioMemSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (bioMem == NULL) { - WOLFSSL_MSG("Malloc failure"); - return NULL; - } - - bufPtr = maxKeyBuf; - if (wolfSSL_BIO_read(bio, (unsigned char*)bioMem, (int)bioMemSz) == bioMemSz) { - const byte* bioMemPt = bioMem; /* leave bioMem pointer unaltered */ - if ((key = wolfSSL_d2i_RSAPrivateKey(NULL, &bioMemPt, bioMemSz)) == NULL) { - XFREE((unsigned char*)bioMem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - return NULL; - } - - /* This function is used to get the total length of the rsa key. */ - derLength = wolfSSL_i2d_RSAPrivateKey(key, &bufPtr); - - /* Write extra data back into bio object if necessary. */ - extraBioMemSz = (bioMemSz - derLength); - if (extraBioMemSz > 0) { - extraBioMem = (unsigned char *)XMALLOC(extraBioMemSz, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (extraBioMem == NULL) { - WOLFSSL_MSG("Malloc failure"); - XFREE((unsigned char*)extraBioMem, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - XFREE((unsigned char*)bioMem, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - return NULL; - } - - for (i = derLength; i < bioMemSz; i++) { - *(extraBioMem + j) = *(bioMem + i); - j++; - } - - wolfSSL_BIO_write(bio, extraBioMem, extraBioMemSz); - if (wolfSSL_BIO_pending(bio) <= 0) { - WOLFSSL_MSG("Failed to write memory to bio"); - XFREE((unsigned char*)extraBioMem, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - XFREE((unsigned char*)bioMem, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - return NULL; - } - XFREE((unsigned char*)extraBioMem, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - } - - if (out != NULL && key != NULL) { - *out = key; - } - } - XFREE((unsigned char*)bioMem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - return key; -} -#endif - - -/* Adds the ASN1 certificate to the user ctx. -Returns WOLFSSL_SUCCESS if no error, returns WOLFSSL_FAILURE otherwise.*/ -int wolfSSL_CTX_use_certificate_ASN1(WOLFSSL_CTX *ctx, int derSz, - const unsigned char *der) -{ - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_ASN1()"); - if (der != NULL && ctx != NULL) { - if (wolfSSL_CTX_use_certificate_buffer(ctx, der, derSz, - WOLFSSL_FILETYPE_ASN1) == WOLFSSL_SUCCESS) { - return WOLFSSL_SUCCESS; - } - - } - return WOLFSSL_FAILURE; -} - - -#if !defined(HAVE_FAST_RSA) && defined(WOLFSSL_KEY_GEN) && \ - !defined(NO_RSA) && !defined(HAVE_USER_RSA) -/* Adds the rsa private key to the user ctx. -Returns WOLFSSL_SUCCESS if no error, returns WOLFSSL_FAILURE otherwise.*/ -int wolfSSL_CTX_use_RSAPrivateKey(WOLFSSL_CTX* ctx, WOLFSSL_RSA* rsa) -{ - int ret; - int derSize; - unsigned char maxDerBuf[4096]; - unsigned char* key = NULL; - - WOLFSSL_ENTER("wolfSSL_CTX_use_RSAPrivateKey()"); - - if (ctx == NULL || rsa == NULL) { - WOLFSSL_MSG("one or more inputs were NULL"); - return BAD_FUNC_ARG; - } - key = maxDerBuf; - /* convert RSA struct to der encoded buffer and get the size */ - if ((derSize = wolfSSL_i2d_RSAPrivateKey(rsa, &key)) <= 0) { - WOLFSSL_MSG("wolfSSL_i2d_RSAPrivateKey() failure"); - return WOLFSSL_FAILURE; - } - ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, (const unsigned char*)maxDerBuf, - derSize, SSL_FILETYPE_ASN1); - if (ret != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("wolfSSL_CTX_USE_PrivateKey_buffer() failure"); - return WOLFSSL_FAILURE; - } - return ret; -} -#endif /* NO_RSA && !HAVE_FAST_RSA */ - - -/* Converts EVP_PKEY data from a bio buffer to a WOLFSSL_EVP_PKEY structure. -Returns pointer to private EVP_PKEY struct upon success, NULL if there -is a failure.*/ -WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_bio(WOLFSSL_BIO* bio, - WOLFSSL_EVP_PKEY** out) -{ - unsigned char* mem = NULL; - int memSz = 0; - WOLFSSL_EVP_PKEY* key = NULL; - int i = 0, j = 0; - unsigned char* extraBioMem = NULL; - int extraBioMemSz = 0; - int derLength = 0; - - WOLFSSL_ENTER("wolfSSL_d2i_PrivateKey_bio()"); - - if (bio == NULL) { - return NULL; - } - (void)out; - - memSz = wolfSSL_BIO_pending(bio); - if (memSz <= 0) { - WOLFSSL_MSG("wolfSSL_BIO_pending() failure"); - return NULL; - } - - mem = (unsigned char*)XMALLOC(memSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (mem == NULL) { - WOLFSSL_MSG("Malloc failure"); - return NULL; - } - - if (wolfSSL_BIO_read(bio, (unsigned char*)mem, memSz) == memSz) { - /* Determines key type and returns the new private EVP_PKEY object */ - if ((key = wolfSSL_d2i_PrivateKey_EVP(NULL, &mem, (long)memSz)) == NULL) { - WOLFSSL_MSG("wolfSSL_d2i_PrivateKey_EVP() failure"); - XFREE(mem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - return NULL; - } - - /* Write extra data back into bio object if necessary. */ - derLength = key->pkey_sz; - extraBioMemSz = (memSz - derLength); - if (extraBioMemSz > 0) { - extraBioMem = (unsigned char *)XMALLOC(extraBioMemSz, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (extraBioMem == NULL) { - WOLFSSL_MSG("Malloc failure"); - XFREE((unsigned char*)extraBioMem, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - XFREE(mem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - return NULL; - } - - for (i = derLength; i < memSz; i++) { - *(extraBioMem + j) = *(mem + i); - j++; - } - - wolfSSL_BIO_write(bio, extraBioMem, extraBioMemSz); - if (wolfSSL_BIO_pending(bio) <= 0) { - WOLFSSL_MSG("Failed to write memory to bio"); - XFREE((unsigned char*)extraBioMem, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - XFREE(mem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - return NULL; - } - XFREE((unsigned char*)extraBioMem, bio->heap, - DYNAMIC_TYPE_TMP_BUFFER); - } - - if (out != NULL) { - *out = key; - } - } - XFREE(mem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - return key; -} - - -/* Converts a DER encoded private key to a WOLFSSL_EVP_PKEY structure. - * returns a pointer to a new WOLFSSL_EVP_PKEY structure on success and NULL - * on fail */ -WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_EVP(WOLFSSL_EVP_PKEY** out, - unsigned char** in, long inSz) -{ - WOLFSSL_EVP_PKEY* pkey = NULL; - const unsigned char* mem; - long memSz = inSz; - - WOLFSSL_ENTER("wolfSSL_d2i_PrivateKey_EVP()"); - - if (in == NULL || *in == NULL || inSz < 0) { - WOLFSSL_MSG("Bad argument"); - return NULL; - } - mem = *in; - - #if !defined(NO_RSA) - { - RsaKey rsa; - word32 keyIdx = 0; - - /* test if RSA key */ - if (wc_InitRsaKey(&rsa, NULL) == 0 && - wc_RsaPrivateKeyDecode(mem, &keyIdx, &rsa, (word32)memSz) == 0) { - wc_FreeRsaKey(&rsa); - pkey = wolfSSL_EVP_PKEY_new(); - if (pkey != NULL) { - pkey->pkey_sz = keyIdx; - pkey->pkey.ptr = (char*)XMALLOC(memSz, NULL, - DYNAMIC_TYPE_PRIVATE_KEY); - if (pkey->pkey.ptr == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - XMEMCPY(pkey->pkey.ptr, mem, keyIdx); - pkey->type = EVP_PKEY_RSA; - if (out != NULL) { - *out = pkey; - } - - pkey->ownRsa = 1; - pkey->rsa = wolfSSL_RSA_new(); - if (pkey->rsa == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - - if (wolfSSL_RSA_LoadDer_ex(pkey->rsa, - (const unsigned char*)pkey->pkey.ptr, - pkey->pkey_sz, WOLFSSL_RSA_LOAD_PRIVATE) != 1) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - - return pkey; - } - } - wc_FreeRsaKey(&rsa); - } - #endif /* NO_RSA */ - - #ifdef HAVE_ECC - { - word32 keyIdx = 0; - ecc_key ecc; - - /* test if ecc key */ - if (wc_ecc_init(&ecc) == 0 && - wc_EccPrivateKeyDecode(mem, &keyIdx, &ecc, (word32)memSz) == 0) { - wc_ecc_free(&ecc); - pkey = wolfSSL_EVP_PKEY_new(); - if (pkey != NULL) { - pkey->pkey_sz = keyIdx; - pkey->pkey.ptr = (char*)XMALLOC(keyIdx, NULL, - DYNAMIC_TYPE_PRIVATE_KEY); - if (pkey->pkey.ptr == NULL) { - wolfSSL_EVP_PKEY_free(pkey); - return NULL; - } - XMEMCPY(pkey->pkey.ptr, mem, keyIdx); - pkey->type = EVP_PKEY_EC; - if (out != NULL) { - *out = pkey; - } - return pkey; - } - } - wc_ecc_free(&ecc); - } - #endif /* HAVE_ECC */ - return pkey; -} -#endif /* OPENSSL_ALL || WOLFSSL_ASIO || WOLFSSL_HAPROXY || WOLFSSL_QT */ - - -/* stunnel compatibility functions*/ -#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || \ - defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) || \ - defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_OPENSSH))) -void wolfSSL_ERR_remove_thread_state(void* pid) -{ - (void) pid; - return; -} - -#ifndef NO_FILESYSTEM -/***TBD ***/ -void wolfSSL_print_all_errors_fp(XFILE fp) -{ - (void)fp; -} -#endif - -int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data) -{ - WOLFSSL_ENTER("wolfSSL_SESSION_set_ex_data"); -#ifdef HAVE_EX_DATA - if(session != NULL) { - return wolfSSL_CRYPTO_set_ex_data(&session->ex_data, idx, data); - } -#else - (void)session; - (void)idx; - (void)data; -#endif - return WOLFSSL_FAILURE; -} - - -int wolfSSL_SESSION_get_ex_new_index(long idx, void* data, void* cb1, - void* cb2, CRYPTO_free_func* cb3) -{ - WOLFSSL_ENTER("wolfSSL_SESSION_get_ex_new_index"); - (void)idx; - (void)cb1; - (void)cb2; - (void)cb3; - if (XSTRNCMP((const char*)data, "redirect index", 14) == 0) { - return 0; - } - else if (XSTRNCMP((const char*)data, "addr index", 10) == 0) { - return 1; - } - return WOLFSSL_FAILURE; -} - - -void* wolfSSL_SESSION_get_ex_data(const WOLFSSL_SESSION* session, int idx) -{ - WOLFSSL_ENTER("wolfSSL_SESSION_get_ex_data"); -#ifdef HAVE_EX_DATA - if (session != NULL) { - return wolfSSL_CRYPTO_get_ex_data(&session->ex_data, idx); - } -#else - (void)session; - (void)idx; -#endif - return NULL; -} - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const char *, int), - void *(*r) (void *, size_t, const char *, - int), void (*f) (void *)) -{ - (void) m; - (void) r; - (void) f; - WOLFSSL_ENTER("wolfSSL_CRYPTO_set_mem_ex_functions"); - WOLFSSL_STUB("CRYPTO_set_mem_ex_functions"); - - return WOLFSSL_FAILURE; -} -#endif - - -void wolfSSL_CRYPTO_cleanup_all_ex_data(void){ - WOLFSSL_ENTER("CRYPTO_cleanup_all_ex_data"); -} - - -#ifndef NO_WOLFSSL_STUB -WOLFSSL_DH *wolfSSL_DH_generate_parameters(int prime_len, int generator, - void (*callback) (int, int, void *), void *cb_arg) -{ - (void)prime_len; - (void)generator; - (void)callback; - (void)cb_arg; - WOLFSSL_ENTER("wolfSSL_DH_generate_parameters"); - WOLFSSL_STUB("DH_generate_parameters"); - - return NULL; -} -#endif - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_DH_generate_parameters_ex(WOLFSSL_DH* dh, int prime_len, int generator, - void (*callback) (int, int, void *)) -{ - (void)prime_len; - (void)generator; - (void)callback; - (void)dh; - WOLFSSL_ENTER("wolfSSL_DH_generate_parameters_ex"); - WOLFSSL_STUB("DH_generate_parameters_ex"); - - return -1; -} -#endif - -void wolfSSL_ERR_load_crypto_strings(void) -{ - WOLFSSL_ENTER("wolfSSL_ERR_load_crypto_strings"); - /* Do nothing */ - return; -} - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_FIPS_mode(void) -{ - WOLFSSL_ENTER("wolfSSL_FIPS_mode"); - WOLFSSL_STUB("FIPS_mode"); - - return WOLFSSL_FAILURE; -} -#endif - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_FIPS_mode_set(int r) -{ - (void)r; - WOLFSSL_ENTER("wolfSSL_FIPS_mode_set"); - WOLFSSL_STUB("FIPS_mode_set"); - - return WOLFSSL_FAILURE; -} -#endif - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_RAND_set_rand_method(const void *meth) -{ - (void) meth; - WOLFSSL_ENTER("wolfSSL_RAND_set_rand_method"); - WOLFSSL_STUB("RAND_set_rand_method"); - - /* if implemented RAND_bytes and RAND_pseudo_bytes need updated - * those two functions will call the respective functions from meth */ - return SSL_FAILURE; -} -#endif - -int wolfSSL_CIPHER_get_bits(const WOLFSSL_CIPHER *c, int *alg_bits) -{ - int ret = WOLFSSL_FAILURE; - WOLFSSL_ENTER("wolfSSL_CIPHER_get_bits"); - - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - (void)alg_bits; - if (c!= NULL) - ret = c->bits; - #else - if (c != NULL && c->ssl != NULL) { - ret = 8 * c->ssl->specs.key_size; - if (alg_bits != NULL) { - *alg_bits = ret; - } - } - #endif - return ret; -} - -#if defined(OPENSSL_ALL) -WOLFSSL_X509_INFO* wolfSSL_X509_INFO_new(void) -{ - WOLFSSL_X509_INFO* info; - info = (WOLFSSL_X509_INFO*)XMALLOC(sizeof(WOLFSSL_X509_INFO), NULL, - DYNAMIC_TYPE_X509); - if (info) { - XMEMSET(info, 0, sizeof(*info)); - } - return info; -} - -void wolfSSL_X509_INFO_free(WOLFSSL_X509_INFO* info) -{ - if (info == NULL) - return; - - if (info->x509) { - wolfSSL_X509_free(info->x509); - info->x509 = NULL; - } -#ifdef HAVE_CRL - if (info->crl) { - wolfSSL_X509_CRL_free(info->crl); - info->crl = NULL; - } -#endif - wolfSSL_X509_PKEY_free(info->x_pkey); - info->x_pkey = NULL; - - XFREE(info, NULL, DYNAMIC_TYPE_X509); -} -#endif - -WOLFSSL_STACK* wolfSSL_sk_X509_INFO_new_null(void) -{ - WOLFSSL_STACK* sk = wolfSSL_sk_new_node(NULL); - if (sk) { - sk->type = STACK_TYPE_X509_INFO; - } - return sk; -} - - -/* returns value less than 0 on fail to match - * On a successful match the priority level found is returned - */ -int wolfSSL_sk_SSL_CIPHER_find( - WOLF_STACK_OF(WOLFSSL_CIPHER)* sk, const WOLFSSL_CIPHER* toFind) -{ - WOLFSSL_STACK* next; - int i, sz; - - if (sk == NULL || toFind == NULL) { - return WOLFSSL_FATAL_ERROR; - } - - sz = wolfSSL_sk_SSL_CIPHER_num(sk); - next = sk; - for (i = 0; i < sz && next != NULL; i++) { - if (next->data.cipher.cipherSuite0 == toFind->cipherSuite0 && - next->data.cipher.cipherSuite == toFind->cipherSuite) { - return sz - i; /* reverse because stack pushed highest on first */ - } - next = next->next; - } - return WOLFSSL_FATAL_ERROR; -} - - -/* copies over data of "in" to "out" */ -static void wolfSSL_CIPHER_copy(WOLFSSL_CIPHER* in, WOLFSSL_CIPHER* out) -{ - if (in == NULL || out == NULL) - return; - - out->cipherSuite = in->cipherSuite; - out->cipherSuite0 = in->cipherSuite0; -} - - -/* create duplicate of stack and return the new stack - * returns null on failure */ -WOLF_STACK_OF(WOLFSSL_CIPHER)* wolfSSL_sk_SSL_CIPHER_dup( - WOLF_STACK_OF(WOLFSSL_CIPHER)* in) -{ - WOLFSSL_STACK* current; - WOLF_STACK_OF(WOLFSSL_CIPHER)* ret = NULL; - int i, sz; - - sz = wolfSSL_sk_SSL_CIPHER_num(in); - current = in; - for (i = 0; i < sz && current != NULL; i++) { - WOLFSSL_STACK* add = wolfSSL_sk_new_node(in->heap); - if (add != NULL) { - add->type = STACK_TYPE_CIPHER; - wolfSSL_CIPHER_copy(&(current->data.cipher), &(add->data.cipher)); - add->num = i+1; - add->next = ret; - ret = add; - current = current->next; - } - } - return ret; -} - -/* nothing to do yet */ -static void wolfSSL_CIPHER_free(WOLFSSL_CIPHER* in) -{ - (void)in; -} - - -/* free's all nodes in the stack and there data */ -void wolfSSL_sk_SSL_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk) -{ - WOLFSSL_STACK* current = sk; - - while (current != NULL) { - WOLFSSL_STACK* toFree = current; - current = current->next; - - wolfSSL_CIPHER_free(&(toFree->data.cipher)); - wolfSSL_sk_free_node(toFree); - } -} - - -int wolfSSL_sk_X509_INFO_num(const WOLF_STACK_OF(WOLFSSL_X509_INFO) *sk) -{ - WOLFSSL_ENTER("wolfSSL_sk_X509_INFO_num"); - - if (sk == NULL) - return -1; - return (int)sk->num; -} - -WOLFSSL_X509_INFO* wolfSSL_sk_X509_INFO_value(const WOLF_STACK_OF(WOLFSSL_X509_INFO) *sk, int i) -{ - WOLFSSL_ENTER("wolfSSL_sk_X509_INFO_value"); - - for (; sk != NULL && i > 0; i--) - sk = sk->next; - - if (i != 0 || sk == NULL) - return NULL; - return sk->data.info; -} - -WOLFSSL_X509_INFO* wolfSSL_sk_X509_INFO_pop(WOLF_STACK_OF(WOLFSSL_X509_INFO)* sk) -{ - WOLFSSL_STACK* node; - WOLFSSL_X509_INFO* info; - - if (sk == NULL) { - return NULL; - } - - node = sk->next; - info = sk->data.info; - - if (node != NULL) { /* update sk and remove node from stack */ - sk->data.info = node->data.info; - sk->next = node->next; - XFREE(node, NULL, DYNAMIC_TYPE_OPENSSL); - } - else { /* last x509 in stack */ - sk->data.info = NULL; - } - - if (sk->num > 0) { - sk->num -= 1; - } - - return info; -} - -#if defined(OPENSSL_ALL) -void wolfSSL_sk_X509_INFO_pop_free(WOLF_STACK_OF(WOLFSSL_X509_INFO)* sk, - void (*f) (WOLFSSL_X509_INFO*)) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_X509_INFO_pop_free"); - - if (sk == NULL) { - return; - } - - /* parse through stack freeing each node */ - node = sk->next; - while (node && sk->num > 1) { - WOLFSSL_STACK* tmp = node; - node = node->next; - - if (f) - f(tmp->data.info); - else - wolfSSL_X509_INFO_free(tmp->data.info); - tmp->data.info = NULL; - XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); - sk->num -= 1; - } - - /* free head of stack */ - if (sk->num == 1) { - if (f) - f(sk->data.info); - else - wolfSSL_X509_INFO_free(sk->data.info); - sk->data.info = NULL; - } - XFREE(sk, NULL, DYNAMIC_TYPE_OPENSSL); -} - -void wolfSSL_sk_X509_INFO_free(WOLF_STACK_OF(WOLFSSL_X509_INFO) *sk) -{ - wolfSSL_sk_X509_INFO_pop_free(sk, NULL); -} - - -/* Adds the WOLFSSL_X509_INFO to the stack "sk". "sk" takes control of "in" and - * tries to free it when the stack is free'd. - * - * return 1 on success 0 on fail - */ -int wolfSSL_sk_X509_INFO_push(WOLF_STACK_OF(WOLFSSL_X509_INFO)* sk, - WOLFSSL_X509_INFO* in) -{ - WOLFSSL_STACK* node; - - if (sk == NULL || in == NULL) { - return WOLFSSL_FAILURE; - } - - /* no previous values in stack */ - if (sk->data.info == NULL) { - sk->data.info = in; - sk->num += 1; - return WOLFSSL_SUCCESS; - } - - /* stack already has value(s) create a new node and add more */ - node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_X509); - if (node == NULL) { - WOLFSSL_MSG("Memory error"); - return WOLFSSL_FAILURE; - } - XMEMSET(node, 0, sizeof(WOLFSSL_STACK)); - - /* push new obj onto head of stack */ - node->data.info = sk->data.info; - node->next = sk->next; - node->type = sk->type; - sk->next = node; - sk->data.info = in; - sk->num += 1; - - return WOLFSSL_SUCCESS; -} - - -WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_sk_X509_NAME_new(wolf_sk_compare_cb cb) -{ - WOLFSSL_STACK* sk; - - WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_new"); - - sk = wolfSSL_sk_new_node(NULL); - if (sk != NULL) { - sk->type = STACK_TYPE_X509_NAME; - sk->comp = cb; - } - - return sk; -} - -int wolfSSL_sk_X509_NAME_push(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk, - WOLFSSL_X509_NAME* name) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_push"); - - if (sk == NULL || name == NULL) { - return BAD_FUNC_ARG; - } - - /* no previous values in stack */ - if (sk->data.name == NULL) { - sk->data.name = name; - sk->num += 1; - return 0; - } - - /* stack already has value(s) create a new node and add more */ - node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_OPENSSL); - if (node == NULL) { - WOLFSSL_MSG("Memory error"); - return MEMORY_E; - } - XMEMSET(node, 0, sizeof(WOLFSSL_STACK)); - - /* push new obj onto head of stack */ - node->data.name = sk->data.name; - node->next = sk->next; - sk->type = STACK_TYPE_X509_NAME; - sk->next = node; - sk->data.name = name; - sk->num += 1; - - return 0; -} - -/* return index of found, or negative to indicate not found */ -int wolfSSL_sk_X509_NAME_find(const WOLF_STACK_OF(WOLFSSL_X509_NAME) *sk, - WOLFSSL_X509_NAME *name) -{ - int i; - - WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_find"); - - if (sk == NULL) - return BAD_FUNC_ARG; - - for (i = 0; sk; i++, sk = sk->next) { - if (wolfSSL_X509_NAME_cmp(sk->data.name, name) == 0) { - return i; - } - } - return -1; -} - -int wolfSSL_sk_X509_OBJECT_num(const WOLF_STACK_OF(WOLFSSL_X509_OBJECT) *s) -{ - WOLFSSL_ENTER("wolfSSL_sk_X509_OBJECT_num"); - if (s) { - return (int)s->num; - } else { - return 0; - } -} - - -int wolfSSL_sk_X509_NAME_set_cmp_func(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk, - wolf_sk_compare_cb cb) -{ - WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_set_cmp_func"); - - if (sk == NULL) - return BAD_FUNC_ARG; - - sk->comp = cb; - return 0; -} -#endif /* OPENSSL_ALL */ - -int wolfSSL_sk_X509_NAME_num(const WOLF_STACK_OF(WOLFSSL_X509_NAME) *sk) -{ - WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_num"); - - if (sk == NULL) - return BAD_FUNC_ARG; - - return (int)sk->num; -} - -/* Getter function for WOLFSSL_X509_NAME pointer - * - * sk is the stack to retrieve pointer from - * i is the index value in stack - * - * returns a pointer to a WOLFSSL_X509_NAME structure on success and NULL on - * fail - */ -WOLFSSL_X509_NAME* wolfSSL_sk_X509_NAME_value(const STACK_OF(WOLFSSL_X509_NAME)* sk, - int i) -{ - WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_value"); - - for (; sk != NULL && i > 0; i--) { - sk = sk->next; - } - - if (i != 0 || sk == NULL) - return NULL; - - return sk->data.name; -} - -WOLFSSL_X509_NAME* wolfSSL_sk_X509_NAME_pop(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) -{ - WOLFSSL_STACK* node; - WOLFSSL_X509_NAME* name; - - if (sk == NULL) { - return NULL; - } - - node = sk->next; - name = sk->data.name; - - if (node != NULL) { /* update sk and remove node from stack */ - sk->data.name = node->data.name; - sk->next = node->next; - XFREE(node, NULL, DYNAMIC_TYPE_OPENSSL); - } - else { /* last x509 in stack */ - sk->data.name = NULL; - } - - if (sk->num > 0) { - sk->num -= 1; - } - - return name; -} - -void wolfSSL_sk_X509_NAME_pop_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk, - void (*f) (WOLFSSL_X509_NAME*)) -{ - WOLFSSL_STACK* node; - WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_pop_free"); - - if (sk == NULL) - return; - - node = sk->next; - while (node && sk->num > 1) { - WOLFSSL_STACK* tmp = node; - node = node->next; - if (f) - f(tmp->data.name); - else - wolfSSL_X509_NAME_free(tmp->data.name); - tmp->data.name = NULL; - XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); - sk->num -= 1; - } - - /* free head of stack */ - if (sk->num == 1) { - if (f) - f(sk->data.name); - else - wolfSSL_X509_NAME_free(sk->data.name); - sk->data.name = NULL; - } - - XFREE(sk, sk->heap, DYNAMIC_TYPE_OPENSSL); -} - -/* Free only the sk structure, NOT X509_NAME members */ -void wolfSSL_sk_X509_NAME_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) -{ - WOLFSSL_STACK* node; - WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_free"); - - if (sk == NULL) - return; - - node = sk->next; - while (sk->num > 1) { - WOLFSSL_STACK* tmp = node; - node = node->next; - XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL); - sk->num -= 1; - } - - XFREE(sk, sk->heap, DYNAMIC_TYPE_OPENSSL); -} - -#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) -/* Helper function for X509_NAME_print_ex. Sets *buf to string for domain - name attribute based on NID. Returns size of buf */ -static int get_dn_attr_by_nid(int n, const char** buf) -{ - int len = 0; - const char *str; - - switch(n) - { - case NID_commonName : - str = "CN"; - len = 2; - break; - case NID_countryName: - str = "C"; - len = 1; - break; - case NID_localityName: - str = "L"; - len = 1; - break; - case NID_stateOrProvinceName: - str = "ST"; - len = 2; - break; - case NID_organizationName: - str = "O"; - len = 1; - break; - case NID_organizationalUnitName: - str = "OU"; - len = 2; - break; - case NID_emailAddress: - str = "emailAddress"; - len = 12; - break; - default: - WOLFSSL_MSG("Attribute type not found"); - str = NULL; - - } - if (buf != NULL) - *buf = str; - return len; -} -#endif - -/* - * The BIO output of wolfSSL_X509_NAME_print_ex does NOT include the null terminator - */ -int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, - int indent, unsigned long flags) -{ -#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) - int count = 0, len = 0, totalSz = 0, tmpSz = 0; - char tmp[ASN_NAME_MAX]; - char fullName[ASN_NAME_MAX]; - const char *buf = NULL; - WOLFSSL_X509_NAME_ENTRY* ne; - WOLFSSL_ASN1_STRING* str; -#endif - int i; - (void)flags; - WOLFSSL_ENTER("wolfSSL_X509_NAME_print_ex"); - - for (i = 0; i < indent; i++) { - if (wolfSSL_BIO_write(bio, " ", 1) != 1) - return WOLFSSL_FAILURE; - } - -#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) - /* If XN_FLAG_DN_REV is present, print X509_NAME in reverse order */ - if (flags == (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)) { - fullName[0] = '\0'; - count = wolfSSL_X509_NAME_entry_count(name); - for (i = 0; i < count; i++) { - ne = wolfSSL_X509_NAME_get_entry(name, count - i - 1); - if (ne == NULL) - return WOLFSSL_FAILURE; - - str = wolfSSL_X509_NAME_ENTRY_get_data(ne); - if (str == NULL) - return WOLFSSL_FAILURE; - - len = get_dn_attr_by_nid(ne->nid, &buf); - if (len == 0 || buf == NULL) - return WOLFSSL_FAILURE; - - tmpSz = str->length + len + 2; /* + 2 for '=' and comma */ - if (tmpSz > ASN_NAME_MAX) { - WOLFSSL_MSG("Size greater than ASN_NAME_MAX"); - return WOLFSSL_FAILURE; - } - - if (i < count - 1) { - /* tmpSz+1 for last null char */ - XSNPRINTF(tmp, tmpSz+1, "%s=%s,", buf, str->data); - XSTRNCAT(fullName, tmp, tmpSz); - } - else { - XSNPRINTF(tmp, tmpSz, "%s=%s", buf, str->data); - XSTRNCAT(fullName, tmp, tmpSz-1); - tmpSz--; /* Don't include null char in tmpSz */ - } - totalSz += tmpSz; - } - if (wolfSSL_BIO_write(bio, fullName, totalSz) != totalSz) - return WOLFSSL_FAILURE; - return WOLFSSL_SUCCESS; - } -#else - if (flags == XN_FLAG_RFC2253) { - if (wolfSSL_BIO_write(bio, name->name + 1, name->sz - 2) - != name->sz - 2) - return WOLFSSL_FAILURE; - } -#endif /* WOLFSSL_APACHE_HTTPD || OPENSSL_ALL || WOLFSSL_NGINX */ - else if (wolfSSL_BIO_write(bio, name->name, name->sz - 1) != name->sz - 1) - return WOLFSSL_FAILURE; - - return WOLFSSL_SUCCESS; -} - -#ifndef NO_WOLFSSL_STUB -WOLFSSL_ASN1_BIT_STRING* wolfSSL_X509_get0_pubkey_bitstr(const WOLFSSL_X509* x) -{ - (void)x; - WOLFSSL_ENTER("wolfSSL_X509_get0_pubkey_bitstr"); - WOLFSSL_STUB("X509_get0_pubkey_bitstr"); - - return NULL; -} -#endif - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_CTX_add_session(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session) -{ - (void)ctx; - (void)session; - WOLFSSL_ENTER("wolfSSL_CTX_add_session"); - WOLFSSL_STUB("SSL_CTX_add_session"); - - return WOLFSSL_SUCCESS; -} -#endif - - -int wolfSSL_version(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_version"); - if (ssl->version.major == SSLv3_MAJOR) { - switch (ssl->version.minor) { - case SSLv3_MINOR : - return SSL3_VERSION; - case TLSv1_MINOR : - return TLS1_VERSION; - case TLSv1_1_MINOR : - return TLS1_1_VERSION; - case TLSv1_2_MINOR : - return TLS1_2_VERSION; - case TLSv1_3_MINOR : - return TLS1_3_VERSION; - default: - return WOLFSSL_FAILURE; - } - } - else if (ssl->version.major == DTLS_MAJOR) { - switch (ssl->version.minor) { - case DTLS_MINOR : - return DTLS1_VERSION; - case DTLSv1_2_MINOR : - return DTLS1_2_VERSION; - default: - return WOLFSSL_FAILURE; - } - } - return WOLFSSL_FAILURE; -} - - -int wolfSSL_X509_NAME_get_sz(WOLFSSL_X509_NAME* name) -{ - WOLFSSL_ENTER("wolfSSL_X509_NAME_get_sz"); - if(!name) - return -1; - return name->sz; -} - -#ifdef HAVE_SNI -int wolfSSL_set_tlsext_host_name(WOLFSSL* ssl, const char* host_name) -{ - int ret; - WOLFSSL_ENTER("wolfSSL_set_tlsext_host_name"); - ret = wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, - host_name, (word16)XSTRLEN(host_name)); - WOLFSSL_LEAVE("wolfSSL_set_tlsext_host_name", ret); - return ret; -} - - -#ifndef NO_WOLFSSL_SERVER -const char * wolfSSL_get_servername(WOLFSSL* ssl, byte type) -{ - void * serverName = NULL; - if (ssl == NULL) - return NULL; - TLSX_SNI_GetRequest(ssl->extensions, type, &serverName); - return (const char *)serverName; -} -#endif /* NO_WOLFSSL_SERVER */ -#endif /* HAVE_SNI */ - -WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) -{ - if (ssl && ctx && SetSSL_CTX(ssl, ctx, 0) == WOLFSSL_SUCCESS) - return ssl->ctx; - return NULL; -} - - -VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX* ctx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_get_verify_callback"); - if(ctx) - return ctx->verifyCallback; - return NULL; -} - - -void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX* ctx, CallbackSniRecv cb) -{ - WOLFSSL_ENTER("wolfSSL_CTX_set_servername_callback"); - if (ctx) - ctx->sniRecvCb = cb; -} - -int wolfSSL_CTX_set_tlsext_servername_callback(WOLFSSL_CTX* ctx, - CallbackSniRecv cb) -{ - WOLFSSL_ENTER("wolfSSL_CTX_set_tlsext_servername_callback"); - if (ctx) { - ctx->sniRecvCb = cb; - return WOLFSSL_SUCCESS; - } - return WOLFSSL_FAILURE; -} - -int wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX* ctx, void* arg) -{ - WOLFSSL_ENTER("wolfSSL_CTX_set_servername_arg"); - if (ctx) { - ctx->sniRecvCbArg = arg; - return WOLFSSL_SUCCESS; - } - return WOLFSSL_FAILURE; -} - -void wolfSSL_ERR_load_BIO_strings(void) { - WOLFSSL_ENTER("ERR_load_BIO_strings"); - /* do nothing */ -} - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_THREADID_set_callback(void(*threadid_func)(void*)) -{ - WOLFSSL_ENTER("wolfSSL_THREADID_set_callback"); - WOLFSSL_STUB("CRYPTO_THREADID_set_callback"); - (void)threadid_func; - return; -} -#endif - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_THREADID_set_numeric(void* id, unsigned long val) -{ - WOLFSSL_ENTER("wolfSSL_THREADID_set_numeric"); - WOLFSSL_STUB("CRYPTO_THREADID_set_numeric"); - (void)id; - (void)val; - return; -} -#endif - - -#ifndef NO_WOLFSSL_STUB -WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs( - WOLFSSL_X509_STORE_CTX* ctx, WOLFSSL_X509_NAME* name) -{ - WOLFSSL_ENTER("wolfSSL_X509_STORE_get1_certs"); - WOLFSSL_STUB("X509_STORE_get1_certs"); - (void)ctx; - (void)name; - return NULL; -} - -WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* wolfSSL_X509_STORE_get0_objects( - WOLFSSL_X509_STORE* store) -{ - WOLFSSL_ENTER("wolfSSL_X509_STORE_get0_objects"); - WOLFSSL_STUB("wolfSSL_X509_STORE_get0_objects"); - (void)store; - return NULL; -} - -WOLFSSL_X509_OBJECT* wolfSSL_sk_X509_OBJECT_delete( - WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* sk, int i) -{ - WOLFSSL_ENTER("wolfSSL_sk_X509_OBJECT_delete"); - WOLFSSL_STUB("wolfSSL_sk_X509_OBJECT_delete"); - (void)sk; - (void)i; - return NULL; -} - -void wolfSSL_X509_OBJECT_free(WOLFSSL_X509_OBJECT *a) -{ - WOLFSSL_ENTER("wolfSSL_X509_OBJECT_free"); - WOLFSSL_STUB("wolfSSL_X509_OBJECT_free"); - (void)a; -} - -#endif - - -#endif /* OPENSSL_ALL || (OPENSSL_EXTRA && (HAVE_STUNNEL || WOLFSSL_NGINX || HAVE_LIGHTY)) */ - - -#if defined(OPENSSL_EXTRA) - -int wolfSSL_sk_X509_num(const WOLF_STACK_OF(WOLFSSL_X509) *s) -{ - WOLFSSL_ENTER("wolfSSL_sk_X509_num"); - - if (s == NULL) - return -1; - return (int)s->num; -} - -unsigned long wolfSSL_ERR_peek_last_error(void) -{ - WOLFSSL_ENTER("wolfSSL_ERR_peek_last_error"); - -#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_NGINX) - { - int ret; - - if ((ret = wc_PeekErrorNode(-1, NULL, NULL, NULL)) < 0) { - WOLFSSL_MSG("Issue peeking at error node in queue"); - return 0; - } - if (ret == -ASN_NO_PEM_HEADER) - return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; - return (unsigned long)ret; - } -#else - return (unsigned long)(0 - NOT_COMPILED_IN); -#endif -} - -#endif /* OPENSSL_EXTRA */ - -WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_get_SSL_CTX"); - return ssl->ctx; -} - -#if defined(OPENSSL_ALL) || \ - defined(OPENSSL_EXTRA) || defined(HAVE_STUNNEL) || \ - defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - -const byte* wolfSSL_SESSION_get_id(WOLFSSL_SESSION* sess, unsigned int* idLen) -{ - WOLFSSL_ENTER("wolfSSL_SESSION_get_id"); - if(!sess || !idLen) { - WOLFSSL_MSG("Bad func args. Please provide idLen"); - return NULL; - } - *idLen = sess->sessionIDSz; - return sess->sessionID; -} - -#if (defined(HAVE_SESSION_TICKET) || defined(SESSION_CERTS)) && \ - !defined(NO_FILESYSTEM) - -#if defined(SESSION_CERTS) || \ - (defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)) -/* returns a pointer to the protocol used by the session */ -static const char* wolfSSL_SESSION_get_protocol(const WOLFSSL_SESSION* in) -{ - return wolfSSL_internal_get_version((ProtocolVersion*)&in->version); -} -#endif - -/* returns true (non 0) if the session has EMS (extended master secret) */ -static int wolfSSL_SESSION_haveEMS(const WOLFSSL_SESSION* in) -{ - if (in == NULL) - return 0; - return in->haveEMS; -} - -#if defined(HAVE_SESSION_TICKET) -/* prints out the ticket to bio passed in - * return WOLFSSL_SUCCESS on success - */ -static int wolfSSL_SESSION_print_ticket(WOLFSSL_BIO* bio, - const WOLFSSL_SESSION* in, const char* tab) -{ - unsigned short i, j, z, sz; - short tag = 0; - byte* pt; - - - if (in == NULL || bio == NULL) { - return BAD_FUNC_ARG; - } - - sz = in->ticketLen; - pt = in->ticket; - - if (wolfSSL_BIO_printf(bio, "%s\n", (sz == 0)? " NONE": "") <= 0) - return WOLFSSL_FAILURE; - - for (i = 0; i < sz;) { - char asc[16]; - - if (sz - i < 16) { - if (wolfSSL_BIO_printf(bio, "%s%04X -", tab, tag + (sz - i)) <= 0) - return WOLFSSL_FAILURE; - } - else { - if (wolfSSL_BIO_printf(bio, "%s%04X -", tab, tag) <= 0) - return WOLFSSL_FAILURE; - } - for (j = 0; i < sz && j < 8; j++,i++) { - asc[j] = ((pt[i])&0x6f)>='A'?((pt[i])&0x6f):'.'; - if (wolfSSL_BIO_printf(bio, " %02X", pt[i]) <= 0) - return WOLFSSL_FAILURE; - } - - if (i < sz) { - asc[j] = ((pt[i])&0x6f)>='A'?((pt[i])&0x6f):'.'; - if (wolfSSL_BIO_printf(bio, "-%02X", pt[i]) <= 0) - return WOLFSSL_FAILURE; - j++; - i++; - } - - for (; i < sz && j < 16; j++,i++) { - asc[j] = ((pt[i])&0x6f)>='A'?((pt[i])&0x6f):'.'; - if (wolfSSL_BIO_printf(bio, " %02X", pt[i]) <= 0) - return WOLFSSL_FAILURE; - } - - /* pad out spacing */ - for (z = j; z < 17; z++) { - if (wolfSSL_BIO_printf(bio, " ") <= 0) - return WOLFSSL_FAILURE; - } - - for (z = 0; z < j; z++) { - if (wolfSSL_BIO_printf(bio, "%c", asc[z]) <= 0) - return WOLFSSL_FAILURE; - } - if (wolfSSL_BIO_printf(bio, "\n") <= 0) - return WOLFSSL_FAILURE; - - tag += 16; - } - return WOLFSSL_SUCCESS; -} -#endif /* HAVE_SESSION_TICKET */ - - -/* prints out the session information in human readable form - * return WOLFSSL_SUCCESS on success - */ -int wolfSSL_SESSION_print(WOLFSSL_BIO *bp, const WOLFSSL_SESSION *x) -{ - const unsigned char* pt; - unsigned char buf[SECRET_LEN]; - unsigned int sz = 0, i; - int ret; - WOLFSSL_SESSION* session = (WOLFSSL_SESSION*)x; - - if (session == NULL) { - WOLFSSL_MSG("Bad NULL argument"); - return WOLFSSL_FAILURE; - } - - if (wolfSSL_BIO_printf(bp, "%s\n", "SSL-Session:") <= 0) - return WOLFSSL_FAILURE; - -#if defined(SESSION_CERTS) || (defined(WOLFSSL_TLS13) && \ - defined(HAVE_SESSION_TICKET)) - if (wolfSSL_BIO_printf(bp, " Protocol : %s\n", - wolfSSL_SESSION_get_protocol(session)) <= 0) - return WOLFSSL_FAILURE; -#endif - - if (wolfSSL_BIO_printf(bp, " Cipher : %s\n", - wolfSSL_SESSION_CIPHER_get_name(session)) <= 0) - return WOLFSSL_FAILURE; - - pt = wolfSSL_SESSION_get_id(session, &sz); - if (wolfSSL_BIO_printf(bp, " Session-ID: ") <= 0) - return WOLFSSL_FAILURE; - - for (i = 0; i < sz; i++) { - if (wolfSSL_BIO_printf(bp, "%02X", pt[i]) <= 0) - return WOLFSSL_FAILURE; - } - if (wolfSSL_BIO_printf(bp, "\n") <= 0) - return WOLFSSL_FAILURE; - - if (wolfSSL_BIO_printf(bp, " Session-ID-ctx: \n") <= 0) - return WOLFSSL_FAILURE; - - ret = wolfSSL_SESSION_get_master_key(x, buf, sizeof(buf)); - if (wolfSSL_BIO_printf(bp, " Master-Key: ") <= 0) - return WOLFSSL_FAILURE; - - if (ret > 0) { - sz = (unsigned int)ret; - for (i = 0; i < sz; i++) { - if (wolfSSL_BIO_printf(bp, "%02X", buf[i]) <= 0) - return WOLFSSL_FAILURE; - } - } - if (wolfSSL_BIO_printf(bp, "\n") <= 0) - return WOLFSSL_FAILURE; - - /* @TODO PSK identity hint and SRP */ - - if (wolfSSL_BIO_printf(bp, " TLS session ticket:") <= 0) - return WOLFSSL_FAILURE; - -#ifdef HAVE_SESSION_TICKET - if (wolfSSL_SESSION_print_ticket(bp, x, " ") != WOLFSSL_SUCCESS) - return WOLFSSL_FAILURE; -#endif - - if (wolfSSL_BIO_printf(bp, " Start Time: %ld\n", - wolfSSL_SESSION_get_time(x)) <= 0) - return WOLFSSL_FAILURE; - - if (wolfSSL_BIO_printf(bp, " Timeout : %ld (sec)\n", - wolfSSL_SESSION_get_timeout(x)) <= 0) - return WOLFSSL_FAILURE; - - /* @TODO verify return code print */ - - if (wolfSSL_BIO_printf(bp, " Extended master secret: %s\n", - (wolfSSL_SESSION_haveEMS(session) == 0)? "no" : "yes") <= 0) - return WOLFSSL_FAILURE; - - return WOLFSSL_SUCCESS; -} -#endif /* (HAVE_SESSION_TICKET || SESSION_CERTS) && !NO_FILESYSTEM */ - -#endif /* OPENSSL_ALL || OPENSSL_EXTRA || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ - -#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL)) \ - || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) - -int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx) -{ - int mode = 0; - WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode"); - - if(!ctx) - return WOLFSSL_FATAL_ERROR; - - if (ctx->verifyPeer) - mode |= WOLFSSL_VERIFY_PEER; - else if (ctx->verifyNone) - mode |= WOLFSSL_VERIFY_NONE; - - if (ctx->failNoCert) - mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT; - - if (ctx->failNoCertxPSK) - mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK; - - WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode); - return mode; -} - -#endif -#if defined(OPENSSL_EXTRA) && defined(HAVE_CURVE25519) -/* return 1 if success, 0 if error - * output keys are little endian format - */ -int wolfSSL_EC25519_generate_key(unsigned char *priv, unsigned int *privSz, - unsigned char *pub, unsigned int *pubSz) -{ -#ifndef WOLFSSL_KEY_GEN - WOLFSSL_MSG("No Key Gen built in"); - (void) priv; - (void) privSz; - (void) pub; - (void) pubSz; - return WOLFSSL_FAILURE; -#else /* WOLFSSL_KEY_GEN */ - int ret = WOLFSSL_FAILURE; - int initTmpRng = 0; - WC_RNG *rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG *tmpRNG = NULL; -#else - WC_RNG tmpRNG[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_EC25519_generate_key"); - - if (priv == NULL || privSz == NULL || *privSz < CURVE25519_KEYSIZE || - pub == NULL || pubSz == NULL || *pubSz < CURVE25519_KEYSIZE) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return WOLFSSL_FAILURE; -#endif - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng) { - curve25519_key key; - - if (wc_curve25519_init(&key) != MP_OKAY) - WOLFSSL_MSG("wc_curve25519_init failed"); - else if (wc_curve25519_make_key(rng, CURVE25519_KEYSIZE, &key)!=MP_OKAY) - WOLFSSL_MSG("wc_curve25519_make_key failed"); - /* export key pair */ - else if (wc_curve25519_export_key_raw_ex(&key, priv, privSz, pub, - pubSz, EC25519_LITTLE_ENDIAN) - != MP_OKAY) - WOLFSSL_MSG("wc_curve25519_export_key_raw_ex failed"); - else - ret = WOLFSSL_SUCCESS; - - wc_curve25519_free(&key); - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - return ret; -#endif /* WOLFSSL_KEY_GEN */ -} - -/* return 1 if success, 0 if error - * input and output keys are little endian format - */ -int wolfSSL_EC25519_shared_key(unsigned char *shared, unsigned int *sharedSz, - const unsigned char *priv, unsigned int privSz, - const unsigned char *pub, unsigned int pubSz) -{ -#ifndef WOLFSSL_KEY_GEN - WOLFSSL_MSG("No Key Gen built in"); - (void) shared; - (void) sharedSz; - (void) priv; - (void) privSz; - (void) pub; - (void) pubSz; - return WOLFSSL_FAILURE; -#else /* WOLFSSL_KEY_GEN */ - int ret = WOLFSSL_FAILURE; - curve25519_key privkey, pubkey; - - WOLFSSL_ENTER("wolfSSL_EC25519_shared_key"); - - if (shared == NULL || sharedSz == NULL || *sharedSz < CURVE25519_KEYSIZE || - priv == NULL || privSz < CURVE25519_KEYSIZE || - pub == NULL || pubSz < CURVE25519_KEYSIZE) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - - /* import private key */ - if (wc_curve25519_init(&privkey) != MP_OKAY) { - WOLFSSL_MSG("wc_curve25519_init privkey failed"); - return ret; - } - if (wc_curve25519_import_private_ex(priv, privSz, &privkey, - EC25519_LITTLE_ENDIAN) != MP_OKAY) { - WOLFSSL_MSG("wc_curve25519_import_private_ex failed"); - wc_curve25519_free(&privkey); - return ret; - } - - /* import public key */ - if (wc_curve25519_init(&pubkey) != MP_OKAY) { - WOLFSSL_MSG("wc_curve25519_init pubkey failed"); - wc_curve25519_free(&privkey); - return ret; - } - if (wc_curve25519_import_public_ex(pub, pubSz, &pubkey, - EC25519_LITTLE_ENDIAN) != MP_OKAY) { - WOLFSSL_MSG("wc_curve25519_import_public_ex failed"); - wc_curve25519_free(&privkey); - wc_curve25519_free(&pubkey); - return ret; - } - - if (wc_curve25519_shared_secret_ex(&privkey, &pubkey, - shared, sharedSz, - EC25519_LITTLE_ENDIAN) != MP_OKAY) - WOLFSSL_MSG("wc_curve25519_shared_secret_ex failed"); - else - ret = WOLFSSL_SUCCESS; - - wc_curve25519_free(&privkey); - wc_curve25519_free(&pubkey); - - return ret; -#endif /* WOLFSSL_KEY_GEN */ -} -#endif /* OPENSSL_EXTRA && HAVE_CURVE25519 */ - -#if defined(OPENSSL_EXTRA) && defined(HAVE_ED25519) -/* return 1 if success, 0 if error - * output keys are little endian format - */ -int wolfSSL_ED25519_generate_key(unsigned char *priv, unsigned int *privSz, - unsigned char *pub, unsigned int *pubSz) -{ -#ifndef WOLFSSL_KEY_GEN - WOLFSSL_MSG("No Key Gen built in"); - (void) priv; - (void) privSz; - (void) pub; - (void) pubSz; - return WOLFSSL_FAILURE; -#else /* WOLFSSL_KEY_GEN */ - int ret = WOLFSSL_FAILURE; - int initTmpRng = 0; - WC_RNG *rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG *tmpRNG = NULL; -#else - WC_RNG tmpRNG[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_ED25519_generate_key"); - - if (priv == NULL || privSz == NULL || *privSz < ED25519_PRV_KEY_SIZE || - pub == NULL || pubSz == NULL || *pubSz < ED25519_PUB_KEY_SIZE) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return WOLFSSL_FATAL_ERROR; -#endif - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng) { - ed25519_key key; - - if (wc_ed25519_init(&key) != MP_OKAY) - WOLFSSL_MSG("wc_ed25519_init failed"); - else if (wc_ed25519_make_key(rng, ED25519_KEY_SIZE, &key)!=MP_OKAY) - WOLFSSL_MSG("wc_ed25519_make_key failed"); - /* export private key */ - else if (wc_ed25519_export_key(&key, priv, privSz, pub, pubSz)!=MP_OKAY) - WOLFSSL_MSG("wc_ed25519_export_key failed"); - else - ret = WOLFSSL_SUCCESS; - - wc_ed25519_free(&key); - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - return ret; -#endif /* WOLFSSL_KEY_GEN */ -} - -/* return 1 if success, 0 if error - * input and output keys are little endian format - * priv is a buffer containing private and public part of key - */ -int wolfSSL_ED25519_sign(const unsigned char *msg, unsigned int msgSz, - const unsigned char *priv, unsigned int privSz, - unsigned char *sig, unsigned int *sigSz) -{ -#ifndef WOLFSSL_KEY_GEN - WOLFSSL_MSG("No Key Gen built in"); - (void) msg; - (void) msgSz; - (void) priv; - (void) privSz; - (void) sig; - (void) sigSz; - return WOLFSSL_FAILURE; -#else /* WOLFSSL_KEY_GEN */ - ed25519_key key; - int ret = WOLFSSL_FAILURE; - - WOLFSSL_ENTER("wolfSSL_ED25519_sign"); - - if (priv == NULL || privSz != ED25519_PRV_KEY_SIZE || - msg == NULL || sig == NULL || *sigSz < ED25519_SIG_SIZE) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - - /* import key */ - if (wc_ed25519_init(&key) != MP_OKAY) { - WOLFSSL_MSG("wc_curve25519_init failed"); - return ret; - } - if (wc_ed25519_import_private_key(priv, privSz/2, - priv+(privSz/2), ED25519_PUB_KEY_SIZE, - &key) != MP_OKAY){ - WOLFSSL_MSG("wc_ed25519_import_private failed"); - wc_ed25519_free(&key); - return ret; - } - - if (wc_ed25519_sign_msg(msg, msgSz, sig, sigSz, &key) != MP_OKAY) - WOLFSSL_MSG("wc_curve25519_shared_secret_ex failed"); - else - ret = WOLFSSL_SUCCESS; - - wc_ed25519_free(&key); - - return ret; -#endif /* WOLFSSL_KEY_GEN */ -} - -/* return 1 if success, 0 if error - * input and output keys are little endian format - * pub is a buffer containing public part of key - */ -int wolfSSL_ED25519_verify(const unsigned char *msg, unsigned int msgSz, - const unsigned char *pub, unsigned int pubSz, - const unsigned char *sig, unsigned int sigSz) -{ -#ifndef WOLFSSL_KEY_GEN - WOLFSSL_MSG("No Key Gen built in"); - (void) msg; - (void) msgSz; - (void) pub; - (void) pubSz; - (void) sig; - (void) sigSz; - return WOLFSSL_FAILURE; -#else /* WOLFSSL_KEY_GEN */ - ed25519_key key; - int ret = WOLFSSL_FAILURE, check = 0; - - WOLFSSL_ENTER("wolfSSL_ED25519_verify"); - - if (pub == NULL || pubSz != ED25519_PUB_KEY_SIZE || - msg == NULL || sig == NULL || sigSz != ED25519_SIG_SIZE) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - - /* import key */ - if (wc_ed25519_init(&key) != MP_OKAY) { - WOLFSSL_MSG("wc_curve25519_init failed"); - return ret; - } - if (wc_ed25519_import_public(pub, pubSz, &key) != MP_OKAY){ - WOLFSSL_MSG("wc_ed25519_import_public failed"); - wc_ed25519_free(&key); - return ret; - } - - if ((ret = wc_ed25519_verify_msg((byte*)sig, sigSz, msg, msgSz, - &check, &key)) != MP_OKAY) { - WOLFSSL_MSG("wc_ed25519_verify_msg failed"); - } - else if (!check) - WOLFSSL_MSG("wc_ed25519_verify_msg failed (signature invalid)"); - else - ret = WOLFSSL_SUCCESS; - - wc_ed25519_free(&key); - - return ret; -#endif /* WOLFSSL_KEY_GEN */ -} - -#endif /* OPENSSL_EXTRA && HAVE_ED25519 */ - -#if defined(OPENSSL_EXTRA) && defined(HAVE_CURVE448) -/* return 1 if success, 0 if error - * output keys are little endian format - */ -int wolfSSL_EC448_generate_key(unsigned char *priv, unsigned int *privSz, - unsigned char *pub, unsigned int *pubSz) -{ -#ifndef WOLFSSL_KEY_GEN - WOLFSSL_MSG("No Key Gen built in"); - (void) priv; - (void) privSz; - (void) pub; - (void) pubSz; - return WOLFSSL_FAILURE; -#else /* WOLFSSL_KEY_GEN */ - int ret = WOLFSSL_FAILURE; - int initTmpRng = 0; - WC_RNG *rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG *tmpRNG = NULL; -#else - WC_RNG tmpRNG[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_EC448_generate_key"); - - if (priv == NULL || privSz == NULL || *privSz < CURVE448_KEY_SIZE || - pub == NULL || pubSz == NULL || *pubSz < CURVE448_KEY_SIZE) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return WOLFSSL_FAILURE; -#endif - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng) { - curve448_key key; - - if (wc_curve448_init(&key) != MP_OKAY) - WOLFSSL_MSG("wc_curve448_init failed"); - else if (wc_curve448_make_key(rng, CURVE448_KEY_SIZE, &key)!=MP_OKAY) - WOLFSSL_MSG("wc_curve448_make_key failed"); - /* export key pair */ - else if (wc_curve448_export_key_raw_ex(&key, priv, privSz, pub, pubSz, - EC448_LITTLE_ENDIAN) - != MP_OKAY) - WOLFSSL_MSG("wc_curve448_export_key_raw_ex failed"); - else - ret = WOLFSSL_SUCCESS; - - wc_curve448_free(&key); - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - return ret; -#endif /* WOLFSSL_KEY_GEN */ -} - -/* return 1 if success, 0 if error - * input and output keys are little endian format - */ -int wolfSSL_EC448_shared_key(unsigned char *shared, unsigned int *sharedSz, - const unsigned char *priv, unsigned int privSz, - const unsigned char *pub, unsigned int pubSz) -{ -#ifndef WOLFSSL_KEY_GEN - WOLFSSL_MSG("No Key Gen built in"); - (void) shared; - (void) sharedSz; - (void) priv; - (void) privSz; - (void) pub; - (void) pubSz; - return WOLFSSL_FAILURE; -#else /* WOLFSSL_KEY_GEN */ - int ret = WOLFSSL_FAILURE; - curve448_key privkey, pubkey; - - WOLFSSL_ENTER("wolfSSL_EC448_shared_key"); - - if (shared == NULL || sharedSz == NULL || *sharedSz < CURVE448_KEY_SIZE || - priv == NULL || privSz < CURVE448_KEY_SIZE || - pub == NULL || pubSz < CURVE448_KEY_SIZE) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - - /* import private key */ - if (wc_curve448_init(&privkey) != MP_OKAY) { - WOLFSSL_MSG("wc_curve448_init privkey failed"); - return ret; - } - if (wc_curve448_import_private_ex(priv, privSz, &privkey, - EC448_LITTLE_ENDIAN) != MP_OKAY) { - WOLFSSL_MSG("wc_curve448_import_private_ex failed"); - wc_curve448_free(&privkey); - return ret; - } - - /* import public key */ - if (wc_curve448_init(&pubkey) != MP_OKAY) { - WOLFSSL_MSG("wc_curve448_init pubkey failed"); - wc_curve448_free(&privkey); - return ret; - } - if (wc_curve448_import_public_ex(pub, pubSz, &pubkey, - EC448_LITTLE_ENDIAN) != MP_OKAY) { - WOLFSSL_MSG("wc_curve448_import_public_ex failed"); - wc_curve448_free(&privkey); - wc_curve448_free(&pubkey); - return ret; - } - - if (wc_curve448_shared_secret_ex(&privkey, &pubkey, shared, sharedSz, - EC448_LITTLE_ENDIAN) != MP_OKAY) - WOLFSSL_MSG("wc_curve448_shared_secret_ex failed"); - else - ret = WOLFSSL_SUCCESS; - - wc_curve448_free(&privkey); - wc_curve448_free(&pubkey); - - return ret; -#endif /* WOLFSSL_KEY_GEN */ -} -#endif /* OPENSSL_EXTRA && HAVE_CURVE448 */ - -#if defined(OPENSSL_EXTRA) && defined(HAVE_ED448) -/* return 1 if success, 0 if error - * output keys are little endian format - */ -int wolfSSL_ED448_generate_key(unsigned char *priv, unsigned int *privSz, - unsigned char *pub, unsigned int *pubSz) -{ -#ifndef WOLFSSL_KEY_GEN - WOLFSSL_MSG("No Key Gen built in"); - (void) priv; - (void) privSz; - (void) pub; - (void) pubSz; - return WOLFSSL_FAILURE; -#else /* WOLFSSL_KEY_GEN */ - int ret = WOLFSSL_FAILURE; - int initTmpRng = 0; - WC_RNG *rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG *tmpRNG = NULL; -#else - WC_RNG tmpRNG[1]; -#endif - - WOLFSSL_ENTER("wolfSSL_ED448_generate_key"); - - if (priv == NULL || privSz == NULL || *privSz < ED448_PRV_KEY_SIZE || - pub == NULL || pubSz == NULL || *pubSz < ED448_PUB_KEY_SIZE) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return WOLFSSL_FATAL_ERROR; -#endif - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) - WOLFSSL_MSG("Global RNG no Init"); - else - rng = &globalRNG; - } - - if (rng) { - ed448_key key; - - if (wc_ed448_init(&key) != MP_OKAY) - WOLFSSL_MSG("wc_ed448_init failed"); - else if (wc_ed448_make_key(rng, ED448_KEY_SIZE, &key) != MP_OKAY) - WOLFSSL_MSG("wc_ed448_make_key failed"); - /* export private key */ - else if (wc_ed448_export_key(&key, priv, privSz, pub, pubSz) != MP_OKAY) - WOLFSSL_MSG("wc_ed448_export_key failed"); - else - ret = WOLFSSL_SUCCESS; - - wc_ed448_free(&key); - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - return ret; -#endif /* WOLFSSL_KEY_GEN */ -} - -/* return 1 if success, 0 if error - * input and output keys are little endian format - * priv is a buffer containing private and public part of key - */ -int wolfSSL_ED448_sign(const unsigned char *msg, unsigned int msgSz, - const unsigned char *priv, unsigned int privSz, - unsigned char *sig, unsigned int *sigSz) -{ -#ifndef WOLFSSL_KEY_GEN - WOLFSSL_MSG("No Key Gen built in"); - (void) msg; - (void) msgSz; - (void) priv; - (void) privSz; - (void) sig; - (void) sigSz; - return WOLFSSL_FAILURE; -#else /* WOLFSSL_KEY_GEN */ - ed448_key key; - int ret = WOLFSSL_FAILURE; - - WOLFSSL_ENTER("wolfSSL_ED448_sign"); - - if (priv == NULL || privSz != ED448_PRV_KEY_SIZE || msg == NULL || - sig == NULL || *sigSz < ED448_SIG_SIZE) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - - /* import key */ - if (wc_ed448_init(&key) != MP_OKAY) { - WOLFSSL_MSG("wc_curve448_init failed"); - return ret; - } - if (wc_ed448_import_private_key(priv, privSz/2, priv+(privSz/2), - ED448_PUB_KEY_SIZE, &key) != MP_OKAY){ - WOLFSSL_MSG("wc_ed448_import_private failed"); - wc_ed448_free(&key); - return ret; - } - - if (wc_ed448_sign_msg(msg, msgSz, sig, sigSz, &key) != MP_OKAY) - WOLFSSL_MSG("wc_curve448_shared_secret_ex failed"); - else - ret = WOLFSSL_SUCCESS; - - wc_ed448_free(&key); - - return ret; -#endif /* WOLFSSL_KEY_GEN */ -} - -/* return 1 if success, 0 if error - * input and output keys are little endian format - * pub is a buffer containing public part of key - */ -int wolfSSL_ED448_verify(const unsigned char *msg, unsigned int msgSz, - const unsigned char *pub, unsigned int pubSz, - const unsigned char *sig, unsigned int sigSz) -{ -#ifndef WOLFSSL_KEY_GEN - WOLFSSL_MSG("No Key Gen built in"); - (void) msg; - (void) msgSz; - (void) pub; - (void) pubSz; - (void) sig; - (void) sigSz; - return WOLFSSL_FAILURE; -#else /* WOLFSSL_KEY_GEN */ - ed448_key key; - int ret = WOLFSSL_FAILURE, check = 0; - - WOLFSSL_ENTER("wolfSSL_ED448_verify"); - - if (pub == NULL || pubSz != ED448_PUB_KEY_SIZE || msg == NULL || - sig == NULL || sigSz != ED448_SIG_SIZE) { - WOLFSSL_MSG("Bad arguments"); - return WOLFSSL_FAILURE; - } - - /* import key */ - if (wc_ed448_init(&key) != MP_OKAY) { - WOLFSSL_MSG("wc_curve448_init failed"); - return ret; - } - if (wc_ed448_import_public(pub, pubSz, &key) != MP_OKAY){ - WOLFSSL_MSG("wc_ed448_import_public failed"); - wc_ed448_free(&key); - return ret; - } - - if ((ret = wc_ed448_verify_msg((byte*)sig, sigSz, msg, msgSz, &check, - &key)) != MP_OKAY) { - WOLFSSL_MSG("wc_ed448_verify_msg failed"); - } - else if (!check) - WOLFSSL_MSG("wc_ed448_verify_msg failed (signature invalid)"); - else - ret = WOLFSSL_SUCCESS; - - wc_ed448_free(&key); - - return ret; -#endif /* WOLFSSL_KEY_GEN */ -} - -#endif /* OPENSSL_EXTRA && HAVE_ED448 */ - -#ifdef WOLFSSL_JNI - -int wolfSSL_set_jobject(WOLFSSL* ssl, void* objPtr) -{ - WOLFSSL_ENTER("wolfSSL_set_jobject"); - if (ssl != NULL) - { - ssl->jObjectRef = objPtr; - return WOLFSSL_SUCCESS; - } - return WOLFSSL_FAILURE; -} - -void* wolfSSL_get_jobject(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_get_jobject"); - if (ssl != NULL) - return ssl->jObjectRef; - return NULL; -} - -#endif /* WOLFSSL_JNI */ - - -#ifdef WOLFSSL_ASYNC_CRYPT -int wolfSSL_CTX_AsyncPoll(WOLFSSL_CTX* ctx, WOLF_EVENT** events, int maxEvents, - WOLF_EVENT_FLAG flags, int* eventCount) -{ - if (ctx == NULL) { - return BAD_FUNC_ARG; - } - - return wolfAsync_EventQueuePoll(&ctx->event_queue, NULL, - events, maxEvents, flags, eventCount); -} - -int wolfSSL_AsyncPoll(WOLFSSL* ssl, WOLF_EVENT_FLAG flags) -{ - int ret, eventCount = 0; - WOLF_EVENT* events[1]; - - if (ssl == NULL) { - return BAD_FUNC_ARG; - } - - ret = wolfAsync_EventQueuePoll(&ssl->ctx->event_queue, ssl, - events, sizeof(events)/sizeof(*events), flags, &eventCount); - if (ret == 0) { - ret = eventCount; - } - - return ret; -} -#endif /* WOLFSSL_ASYNC_CRYPT */ - -#ifdef OPENSSL_EXTRA -unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line, - const char **data, int *flags) -{ - WOLFSSL_ENTER("wolfSSL_ERR_peek_error_line_data"); - - (void)line; - (void)file; - - /* No data or flags stored - error display only in Nginx. */ - if (data != NULL) { - *data = ""; - } - if (flags != NULL) { - *flags = 0; - } - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ - defined(WOLFSSL_OPENSSH) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_MYSQL_COMPATIBLE) - { - int ret = 0; - - while (1) { - if ((ret = wc_PeekErrorNode(-1, file, NULL, line)) < 0) { - WOLFSSL_MSG("Issue peeking at error node in queue"); - return 0; - } - /* OpenSSL uses positive error codes */ - if (ret < 0) { - ret = -ret; - } - - if (ret == -ASN_NO_PEM_HEADER) - return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; - if (ret != WANT_READ && ret != WANT_WRITE && - ret != ZERO_RETURN && ret != WOLFSSL_ERROR_ZERO_RETURN && - ret != SOCKET_PEER_CLOSED_E && ret != SOCKET_ERROR_E) - break; - - wc_RemoveErrorNode(-1); - } - - return (unsigned long)ret; - } -#else - return (unsigned long)(0 - NOT_COMPILED_IN); -#endif -} -#endif - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) - -/* returns a pointer to internal cipher suite list. Should not be free'd by - * caller. - */ -WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl) -{ - WOLF_STACK_OF(WOLFSSL_CIPHER)* ret = NULL; - Suites* suites; - - WOLFSSL_ENTER("wolfSSL_get_ciphers_compat"); - if (ssl == NULL || (ssl->suites == NULL && ssl->ctx->suites == NULL)) { - return NULL; - } - - if (ssl->suites != NULL) { - suites = ssl->suites; - } - else { - suites = ssl->ctx->suites; - } - - /* check if stack needs populated */ - if (suites->stack == NULL) { - int i; - for (i = 0; i < suites->suiteSz; i+=2) { - WOLFSSL_STACK* add = wolfSSL_sk_new_node(ssl->heap); - if (add != NULL) { - add->type = STACK_TYPE_CIPHER; - add->data.cipher.cipherSuite0 = suites->suites[i]; - add->data.cipher.cipherSuite = suites->suites[i+1]; - #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) - /* in_stack is checked in wolfSSL_CIPHER_description */ - add->data.cipher.in_stack = 1; - #endif - - add->next = ret; - if (ret != NULL) { - add->num = ret->num + 1; - } - else { - add->num = 1; - } - ret = add; - } - } - suites->stack = ret; - } - return suites->stack; -} - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_OPENSSL_config(char *config_name) -{ - (void)config_name; - WOLFSSL_STUB("OPENSSL_config"); -} -#endif /* !NO_WOLFSSL_STUB */ -#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) -int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c) -{ - static int x509_idx = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_ex_new_index"); - (void)idx; - (void)arg; - (void)a; - (void)b; - (void)c; - - return x509_idx++; -} - -#if defined(HAVE_EX_DATA) || defined(FORTRESS) -void* wolfSSL_CRYPTO_get_ex_data(const WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx) -{ - WOLFSSL_ENTER("wolfSSL_CTX_get_ex_data"); -#ifdef MAX_EX_DATA - if(ex_data && idx < MAX_EX_DATA && idx >= 0) { - return ex_data->ex_data[idx]; - } -#else - (void)ex_data; - (void)idx; -#endif - return NULL; -} - -int wolfSSL_CRYPTO_set_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data, int idx, void *data) -{ - WOLFSSL_ENTER("wolfSSL_CRYPTO_set_ex_data"); -#ifdef MAX_EX_DATA - if (ex_data && idx < MAX_EX_DATA && idx >= 0) { - ex_data->ex_data[idx] = data; - return WOLFSSL_SUCCESS; - } -#else - (void)ex_data; - (void)idx; - (void)data; -#endif - return WOLFSSL_FAILURE; -} -#endif /* defined(HAVE_EX_DATA) || defined(FORTRESS) */ - -void *wolfSSL_X509_get_ex_data(X509 *x509, int idx) -{ - WOLFSSL_ENTER("wolfSSL_X509_get_ex_data"); - #ifdef HAVE_EX_DATA - if (x509 != NULL) { - return wolfSSL_CRYPTO_get_ex_data(&x509->ex_data, idx); - } - #else - (void)x509; - (void)idx; - #endif - return NULL; -} - -int wolfSSL_X509_set_ex_data(X509 *x509, int idx, void *data) -{ - WOLFSSL_ENTER("wolfSSL_X509_set_ex_data"); - #ifdef HAVE_EX_DATA - if (x509 != NULL) - { - return wolfSSL_CRYPTO_set_ex_data(&x509->ex_data, idx, data); - } - #else - (void)x509; - (void)idx; - (void)data; - #endif - return WOLFSSL_FAILURE; -} - -int wolfSSL_X509_NAME_digest(const WOLFSSL_X509_NAME *name, - const WOLFSSL_EVP_MD *type, unsigned char *md, unsigned int *len) -{ - WOLFSSL_ENTER("wolfSSL_X509_NAME_digest"); - - if (name == NULL || type == NULL) - return WOLFSSL_FAILURE; - -#if !defined(NO_FILESYSTEM) && !defined(NO_PWDBASED) - return wolfSSL_EVP_Digest((unsigned char*)name->fullName.fullName, - name->fullName.fullNameLen, md, len, type, NULL); -#else - (void)md; - (void)len; - return NOT_COMPILED_IN; -#endif -} - -long wolfSSL_SSL_CTX_get_timeout(const WOLFSSL_CTX *ctx) -{ - WOLFSSL_ENTER("wolfSSL_SSL_CTX_get_timeout"); - - if (ctx == NULL) - return 0; - - return ctx->timeout; -} - - -/* returns the time in seconds of the current timeout */ -long wolfSSL_get_timeout(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("wolfSSL_get_timeout"); - - if (ssl == NULL) - return 0; - return ssl->timeout; -} - -#ifdef HAVE_ECC -int wolfSSL_SSL_CTX_set_tmp_ecdh(WOLFSSL_CTX *ctx, WOLFSSL_EC_KEY *ecdh) -{ - WOLFSSL_ENTER("wolfSSL_SSL_CTX_set_tmp_ecdh"); - - if (ctx == NULL || ecdh == NULL) - return BAD_FUNC_ARG; - - ctx->ecdhCurveOID = ecdh->group->curve_oid; - - return WOLFSSL_SUCCESS; -} -#endif - -/* Assumes that the session passed in is from the cache. */ -int wolfSSL_SSL_CTX_remove_session(WOLFSSL_CTX *ctx, WOLFSSL_SESSION *s) -{ - WOLFSSL_ENTER("wolfSSL_SSL_CTX_remove_session"); - - if (ctx == NULL || s == NULL) - return BAD_FUNC_ARG; - -#ifdef HAVE_EXT_CACHE - if (!ctx->internalCacheOff) -#endif - { - /* Don't remove session just timeout session. */ - s->timeout = 0; - } - -#ifdef HAVE_EXT_CACHE - if (ctx->rem_sess_cb != NULL) - ctx->rem_sess_cb(ctx, s); -#endif - - return 0; -} - -BIO *wolfSSL_SSL_get_rbio(const WOLFSSL *s) -{ - WOLFSSL_ENTER("wolfSSL_SSL_get_rbio"); - /* Nginx sets the buffer size if the read BIO is different to write BIO. - * The setting buffer size doesn't do anything so return NULL for both. - */ - if (s == NULL) - return NULL; - - return s->biord; -} -BIO *wolfSSL_SSL_get_wbio(const WOLFSSL *s) -{ - WOLFSSL_ENTER("wolfSSL_SSL_get_wbio"); - (void)s; - /* Nginx sets the buffer size if the read BIO is different to write BIO. - * The setting buffer size doesn't do anything so return NULL for both. - */ - if (s == NULL) - return NULL; - - return s->biowr; -} - -int wolfSSL_SSL_do_handshake(WOLFSSL *s) -{ - WOLFSSL_ENTER("wolfSSL_SSL_do_handshake"); - - if (s == NULL) - return WOLFSSL_FAILURE; - - if (s->options.side == WOLFSSL_CLIENT_END) { - #ifndef NO_WOLFSSL_CLIENT - return wolfSSL_connect(s); - #else - WOLFSSL_MSG("Client not compiled in"); - return WOLFSSL_FAILURE; - #endif - } - -#ifndef NO_WOLFSSL_SERVER - return wolfSSL_accept(s); -#else - WOLFSSL_MSG("Server not compiled in"); - return WOLFSSL_FAILURE; -#endif -} - -int wolfSSL_SSL_in_init(WOLFSSL *ssl) -{ - WOLFSSL_ENTER("SSL_in_init"); - - if (ssl == NULL) - return WOLFSSL_FAILURE; - - if (ssl->options.side == WOLFSSL_CLIENT_END) { - return ssl->options.connectState < SECOND_REPLY_DONE; - } - return ssl->options.acceptState < ACCEPT_THIRD_REPLY_DONE; -} - -int wolfSSL_SSL_in_connect_init(WOLFSSL* ssl) -{ - WOLFSSL_ENTER("SSL_connect_init"); - - if (ssl == NULL) - return WOLFSSL_FAILURE; - - if (ssl->options.side == WOLFSSL_CLIENT_END) { - return ssl->options.connectState > CONNECT_BEGIN && - ssl->options.connectState < SECOND_REPLY_DONE; - } - - return ssl->options.acceptState > ACCEPT_BEGIN && - ssl->options.acceptState < ACCEPT_THIRD_REPLY_DONE; -} - -#ifndef NO_SESSION_CACHE - -WOLFSSL_SESSION *wolfSSL_SSL_get0_session(const WOLFSSL *ssl) -{ - WOLFSSL_SESSION *session; - - WOLFSSL_ENTER("wolfSSL_SSL_get0_session"); - - if (ssl == NULL) { - return NULL; - } - - session = wolfSSL_get_session((WOLFSSL*)ssl); - -#ifdef HAVE_EXT_CACHE - ((WOLFSSL*)ssl)->extSession = session; -#endif - - return session; -} - -#endif /* NO_SESSION_CACHE */ - -int wolfSSL_X509_check_host(X509 *x, const char *chk, size_t chklen, - unsigned int flags, char **peername) -{ - int ret; - DecodedCert dCert; - - WOLFSSL_ENTER("wolfSSL_X509_check_host"); - - /* flags and peername not needed for Nginx. */ - (void)flags; - (void)peername; - - if (flags == WOLFSSL_NO_WILDCARDS) { - WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented"); - return WOLFSSL_FAILURE; - } - - InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL); - ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL); - if (ret != 0) { - FreeDecodedCert(&dCert); - return WOLFSSL_FAILURE; - } - - ret = CheckHostName(&dCert, (char *)chk, chklen); - FreeDecodedCert(&dCert); - if (ret != 0) - return WOLFSSL_FAILURE; - return WOLFSSL_SUCCESS; -} - -int wolfSSL_i2a_ASN1_INTEGER(BIO *bp, const WOLFSSL_ASN1_INTEGER *a) -{ - static char num[16] = { '0', '1', '2', '3', '4', '5', '6', '7', - '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; - int i; - word32 j; - word32 len = 0; - - WOLFSSL_ENTER("wolfSSL_i2a_ASN1_INTEGER"); - - if (bp == NULL || a == NULL) - return WOLFSSL_FAILURE; - - /* Skip ASN.1 INTEGER (type) byte. */ - i = 1; - /* When indefinite length, can't determine length with data available. */ - if (a->data[i] == 0x80) - return 0; - /* One length byte if less than 0x80. */ - if (a->data[i] < 0x80) - len = a->data[i++]; - /* Multiple length byte if greater than 0x80. */ - else if (a->data[i] > 0x80) { - switch (a->data[i++] - 0x80) { - case 4: - len |= a->data[i++] << 24; - FALL_THROUGH; - case 3: - len |= a->data[i++] << 16; - FALL_THROUGH; - case 2: - len |= a->data[i++] << 8; - FALL_THROUGH; - case 1: - len |= a->data[i++]; - break; - default: - /* Not supporting greater than 4 bytes of length. */ - return 0; - } - } - - /* Zero length integer is the value zero. */ - if (len == 0) { - wolfSSL_BIO_write(bp, "00", 2); - return 2; - } - - /* Don't do negative - just write out every byte. */ - for (j = 0; j < len; i++,j++) { - wolfSSL_BIO_write(bp, &num[a->data[i] >> 4], 1); - wolfSSL_BIO_write(bp, &num[a->data[i] & 0xf], 1); - } - - /* Two nibbles written for each byte. */ - return len * 2; -} - - -#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) -/* Expected return values from implementations of OpenSSL ticket key callback. - */ -#define TICKET_KEY_CB_RET_FAILURE -1 -#define TICKET_KEY_CB_RET_NOT_FOUND 0 -#define TICKET_KEY_CB_RET_OK 1 -#define TICKET_KEY_CB_RET_RENEW 2 - -/* The ticket key callback as used in OpenSSL is stored here. */ -static int (*ticketKeyCb)(WOLFSSL *ssl, unsigned char *name, unsigned char *iv, - WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc) = NULL; - -/* Implementation of session ticket encryption/decryption using OpenSSL - * callback to initialize the cipher and HMAC. - * - * ssl The SSL/TLS object. - * keyName The key name - used to identify the key to be used. - * iv The IV to use. - * mac The MAC of the encrypted data. - * enc Encrypt ticket. - * encTicket The ticket data. - * encTicketLen The length of the ticket data. - * encLen The encrypted/decrypted ticket length - output length. - * ctx Ignored. Application specific data. - * returns WOLFSSL_TICKET_RET_OK to indicate success, - * WOLFSSL_TICKET_RET_CREATE if a new ticket is required and - * WOLFSSL_TICKET_RET_FATAL on error. - */ -static int wolfSSL_TicketKeyCb(WOLFSSL* ssl, - unsigned char keyName[WOLFSSL_TICKET_NAME_SZ], - unsigned char iv[WOLFSSL_TICKET_IV_SZ], - unsigned char mac[WOLFSSL_TICKET_MAC_SZ], - int enc, unsigned char* encTicket, - int encTicketLen, int* encLen, void* ctx) -{ - byte digest[WC_MAX_DIGEST_SIZE]; - WOLFSSL_EVP_CIPHER_CTX evpCtx; - WOLFSSL_HMAC_CTX hmacCtx; - unsigned int mdSz = 0; - int len = 0; - int ret = WOLFSSL_TICKET_RET_FATAL; - int res; - - (void)ctx; - - if (ticketKeyCb == NULL) - return WOLFSSL_TICKET_RET_FATAL; - - wolfSSL_EVP_CIPHER_CTX_init(&evpCtx); - /* Initialize the cipher and HMAC. */ - res = ticketKeyCb(ssl, keyName, iv, &evpCtx, &hmacCtx, enc); - if (res != TICKET_KEY_CB_RET_OK && res != TICKET_KEY_CB_RET_RENEW) - return WOLFSSL_TICKET_RET_FATAL; - - if (enc) - { - /* Encrypt in place. */ - if (!wolfSSL_EVP_CipherUpdate(&evpCtx, encTicket, &len, - encTicket, encTicketLen)) - goto end; - encTicketLen = len; - if (!wolfSSL_EVP_EncryptFinal(&evpCtx, &encTicket[encTicketLen], &len)) - goto end; - /* Total length of encrypted data. */ - encTicketLen += len; - *encLen = encTicketLen; - - /* HMAC the encrypted data into the parameter 'mac'. */ - if (!wolfSSL_HMAC_Update(&hmacCtx, encTicket, encTicketLen)) - goto end; -#ifdef WOLFSSL_SHA512 - /* Check for SHA512, which would overrun the mac buffer */ - if (hmacCtx.hmac.macType == WC_SHA512) - goto end; -#endif - if (!wolfSSL_HMAC_Final(&hmacCtx, mac, &mdSz)) - goto end; - } - else - { - /* HMAC the encrypted data and compare it to the passed in data. */ - if (!wolfSSL_HMAC_Update(&hmacCtx, encTicket, encTicketLen)) - goto end; - if (!wolfSSL_HMAC_Final(&hmacCtx, digest, &mdSz)) - goto end; - if (XMEMCMP(mac, digest, mdSz) != 0) - goto end; - - /* Decrypt the ticket data in place. */ - if (!wolfSSL_EVP_CipherUpdate(&evpCtx, encTicket, &len, - encTicket, encTicketLen)) - goto end; - encTicketLen = len; - if (!wolfSSL_EVP_DecryptFinal(&evpCtx, &encTicket[encTicketLen], &len)) - goto end; - /* Total length of decrypted data. */ - *encLen = encTicketLen + len; - } - - ret = (res == TICKET_KEY_CB_RET_RENEW) ? WOLFSSL_TICKET_RET_CREATE : - WOLFSSL_TICKET_RET_OK; -end: - return ret; -} - -/* Set the callback to use when encrypting/decrypting tickets. - * - * ctx The SSL/TLS context object. - * cb The OpenSSL session ticket callback. - * returns WOLFSSL_SUCCESS to indicate success. - */ -int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *ctx, int (*cb)( - WOLFSSL *ssl, unsigned char *name, unsigned char *iv, - WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc)) -{ - /* Store callback in a global. */ - ticketKeyCb = cb; - /* Set the ticket encryption callback to be a wrapper around OpenSSL - * callback. - */ - ctx->ticketEncCb = wolfSSL_TicketKeyCb; - - return WOLFSSL_SUCCESS; -} -#endif /* HAVE_SESSION_TICKET */ - -#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || - OPENSSL_EXTRA || HAVE_LIGHTY */ - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) -#ifdef HAVE_OCSP -/* Not an OpenSSL API. */ -int wolfSSL_get_ocsp_response(WOLFSSL* ssl, byte** response) -{ - *response = ssl->ocspResp; - return ssl->ocspRespSz; -} - -/* Not an OpenSSL API. */ -char* wolfSSL_get_ocsp_url(WOLFSSL* ssl) -{ - return ssl->url; -} - -/* Not an OpenSSL API. */ -int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url) -{ - if (ssl == NULL) - return WOLFSSL_FAILURE; - - ssl->url = url; - return WOLFSSL_SUCCESS; -} -#endif /* OCSP */ -#endif /* OPENSSL_ALL / WOLFSSL_NGINX / WOLFSSL_HAPROXY */ - -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ - defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) -int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx, WOLF_STACK_OF(X509)** chain) -{ - word32 idx; - word32 length; - WOLFSSL_STACK* node; - WOLFSSL_STACK* last = NULL; - - if (ctx == NULL || chain == NULL) { - chain = NULL; - return WOLFSSL_FAILURE; - } - if (ctx->x509Chain != NULL) { - *chain = ctx->x509Chain; - return WOLFSSL_SUCCESS; - } - - /* If there are no chains then success! */ - *chain = NULL; - if (ctx->certChain == NULL || ctx->certChain->length == 0) { - return WOLFSSL_SUCCESS; - } - - /* Create a new stack of WOLFSSL_X509 object from chain buffer. */ - for (idx = 0; idx < ctx->certChain->length; ) { - node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_OPENSSL); - if (node == NULL) - return WOLFSSL_FAILURE; - node->next = NULL; - - /* 3 byte length | X509 DER data */ - ato24(ctx->certChain->buffer + idx, &length); - idx += 3; - - /* Create a new X509 from DER encoded data. */ - node->data.x509 = wolfSSL_X509_d2i(NULL, ctx->certChain->buffer + idx, - length); - if (node->data.x509 == NULL) { - XFREE(node, NULL, DYNAMIC_TYPE_OPENSSL); - /* Return as much of the chain as we created. */ - ctx->x509Chain = *chain; - return WOLFSSL_FAILURE; - } - idx += length; - - /* Add object to the end of the stack. */ - if (last == NULL) { - node->num = 1; - *chain = node; - } - else { - (*chain)->num++; - last->next = node; - } - - last = node; - } - - ctx->x509Chain = *chain; - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, - int(*cb)(WOLFSSL*, void*)) -{ - if (ctx == NULL || ctx->cm == NULL) - return WOLFSSL_FAILURE; - -#if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) - /* Ensure stapling is on for callback to be used. */ - wolfSSL_CTX_EnableOCSPStapling(ctx); - - if (ctx->cm->ocsp_stapling == NULL) - return WOLFSSL_FAILURE; - - ctx->cm->ocsp_stapling->statusCb = cb; -#else - (void)cb; -#endif - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, - WOLFSSL_X509_STORE_CTX *ctx, WOLFSSL_X509 *x) -{ - WOLFSSL_STACK* node; - Signer* ca = NULL; -#ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; -#else - DecodedCert cert[1]; -#endif - - if (issuer == NULL || ctx == NULL || x == NULL) - return WOLFSSL_FATAL_ERROR; - - if (ctx->chain != NULL) { - for (node = ctx->chain; node != NULL; node = node->next) { - if (wolfSSL_X509_check_issued(node->data.x509, x) == X509_V_OK) { - *issuer = x; - return WOLFSSL_SUCCESS; - } - } - } - - -#ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); - if (cert == NULL) - return WOLFSSL_FAILURE; -#endif - - /* Use existing CA retrieval APIs that use DecodedCert. */ - InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, NULL); - if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0) { - #ifndef NO_SKID - if (cert->extAuthKeyIdSet) - ca = GetCA(ctx->store->cm, cert->extAuthKeyId); - if (ca == NULL) - ca = GetCAByName(ctx->store->cm, cert->issuerHash); - #else /* NO_SKID */ - ca = GetCA(ctx->store->cm, cert->issuerHash); - #endif /* NO SKID */ - } - FreeDecodedCert(cert); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); -#endif - - if (ca == NULL) - return WOLFSSL_FAILURE; - -#ifdef WOLFSSL_SIGNER_DER_CERT - /* populate issuer with Signer DER */ - *issuer = wolfSSL_X509_d2i(issuer, ca->derCert->buffer, - ca->derCert->length); - if (*issuer == NULL) - return WOLFSSL_FAILURE; -#else - /* Create an empty certificate as CA doesn't have a certificate. */ - *issuer = (WOLFSSL_X509 *)XMALLOC(sizeof(WOLFSSL_X509), 0, - DYNAMIC_TYPE_OPENSSL); - if (*issuer == NULL) - return WOLFSSL_FAILURE; - - InitX509((*issuer), 1, NULL); -#endif - - /* Result is ignored when passed to wolfSSL_OCSP_cert_to_id(). */ - - return WOLFSSL_SUCCESS; -} - -void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk) -{ - WOLFSSL_STACK *curr; - - while (sk != NULL) { - curr = sk; - sk = sk->next; - - XFREE(curr, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - -WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x) -{ - WOLFSSL_STACK* list = NULL; - char* url; - - if (x->authInfoSz == 0) - return NULL; - - list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + x->authInfoSz + 1, - NULL, DYNAMIC_TYPE_OPENSSL); - if (list == NULL) - return NULL; - - url = (char*)list; - url += sizeof(WOLFSSL_STACK); - XMEMCPY(url, x->authInfo, x->authInfoSz); - url[x->authInfoSz] = '\0'; - - list->data.string = url; - list->next = NULL; - - return list; -} - -int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject) -{ - WOLFSSL_X509_NAME *issuerName = wolfSSL_X509_get_issuer_name(subject); - WOLFSSL_X509_NAME *subjectName = wolfSSL_X509_get_subject_name(issuer); - - if (issuerName == NULL || subjectName == NULL) - return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; - - /* Literal matching of encoded names and key ids. */ - if (issuerName->sz != subjectName->sz || - XMEMCMP(issuerName->name, subjectName->name, subjectName->sz) != 0) { - return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; - } - - if (subject->authKeyId != NULL && issuer->subjKeyId != NULL) { - if (subject->authKeyIdSz != issuer->subjKeyIdSz || - XMEMCMP(subject->authKeyId, issuer->subjKeyId, - issuer->subjKeyIdSz) != 0) { - return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; - } - } - - return X509_V_OK; -} - -WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x) -{ - return wolfSSL_X509_d2i(NULL, x->derCert->buffer, x->derCert->length); -} - -char* wolfSSL_sk_WOLFSSL_STRING_value(WOLF_STACK_OF(WOLFSSL_STRING)* strings, - int idx) -{ - for (; idx > 0 && strings != NULL; idx--) - strings = strings->next; - if (strings == NULL) - return NULL; - return strings->data.string; -} -#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */ - -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) -#ifdef HAVE_ALPN -void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl, const unsigned char **data, - unsigned int *len) -{ - word16 nameLen; - - if (ssl != NULL && data != NULL && len != NULL) { - TLSX_ALPN_GetRequest(ssl->extensions, (void **)data, &nameLen); - *len = nameLen; - } -} - -int wolfSSL_select_next_proto(unsigned char **out, unsigned char *outLen, - const unsigned char *in, unsigned int inLen, - const unsigned char *clientNames, - unsigned int clientLen) -{ - unsigned int i, j; - byte lenIn, lenClient; - - if (out == NULL || outLen == NULL || in == NULL || clientNames == NULL) - return OPENSSL_NPN_UNSUPPORTED; - - for (i = 0; i < inLen; i += lenIn) { - lenIn = in[i++]; - for (j = 0; j < clientLen; j += lenClient) { - lenClient = clientNames[j++]; - - if (lenIn != lenClient) - continue; - - if (XMEMCMP(in + i, clientNames + j, lenIn) == 0) { - *out = (unsigned char *)(in + i); - *outLen = lenIn; - return OPENSSL_NPN_NEGOTIATED; - } - } - } - - *out = (unsigned char *)clientNames + 1; - *outLen = clientNames[0]; - return OPENSSL_NPN_NO_OVERLAP; -} - -void wolfSSL_CTX_set_alpn_select_cb(WOLFSSL_CTX *ctx, - int (*cb) (WOLFSSL *ssl, - const unsigned char **out, - unsigned char *outlen, - const unsigned char *in, - unsigned int inlen, - void *arg), void *arg) -{ - if (ctx != NULL) { - ctx->alpnSelect = cb; - ctx->alpnSelectArg = arg; - } -} - -void wolfSSL_CTX_set_next_protos_advertised_cb(WOLFSSL_CTX *s, - int (*cb) (WOLFSSL *ssl, - const unsigned char - **out, - unsigned int *outlen, - void *arg), void *arg) -{ - (void)s; - (void)cb; - (void)arg; - WOLFSSL_STUB("wolfSSL_CTX_set_next_protos_advertised_cb"); -} - -void wolfSSL_CTX_set_next_proto_select_cb(WOLFSSL_CTX *s, - int (*cb) (WOLFSSL *ssl, - unsigned char **out, - unsigned char *outlen, - const unsigned char *in, - unsigned int inlen, - void *arg), void *arg) -{ - (void)s; - (void)cb; - (void)arg; - WOLFSSL_STUB("wolfSSL_CTX_set_next_proto_select_cb"); -} - -void wolfSSL_get0_next_proto_negotiated(const WOLFSSL *s, const unsigned char **data, - unsigned *len) -{ - (void)s; - (void)data; - (void)len; - WOLFSSL_STUB("wolfSSL_get0_next_proto_negotiated"); -} -#endif /* HAVE_ALPN */ - -#endif /* WOLFSSL_NGINX / WOLFSSL_HAPROXY */ - -#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC) -int wolfSSL_CTX_set1_curves_list(WOLFSSL_CTX* ctx, const char* names) -{ - int idx, start = 0, len; - word16 curve; - char name[MAX_CURVE_NAME_SZ]; - - /* Disable all curves so that only the ones the user wants are enabled. */ - ctx->disabledCurves = 0xFFFFFFFFUL; - for (idx = 1; names[idx-1] != '\0'; idx++) { - if (names[idx] != ':' && names[idx] != '\0') - continue; - - len = idx - 1 - start; - if (len > MAX_CURVE_NAME_SZ - 1) - return WOLFSSL_FAILURE; - - XMEMCPY(name, names + start, len); - name[len] = 0; - - if ((XSTRNCMP(name, "prime256v1", len) == 0) || - (XSTRNCMP(name, "secp256r1", len) == 0) || - (XSTRNCMP(name, "P-256", len) == 0)) { - curve = WOLFSSL_ECC_SECP256R1; - } - else if ((XSTRNCMP(name, "secp384r1", len) == 0) || - (XSTRNCMP(name, "P-384", len) == 0)) { - curve = WOLFSSL_ECC_SECP384R1; - } - else if ((XSTRNCMP(name, "secp521r1", len) == 0) || - (XSTRNCMP(name, "P-521", len) == 0)) { - curve = WOLFSSL_ECC_SECP521R1; - } - else if (XSTRNCMP(name, "X25519", len) == 0) { - curve = WOLFSSL_ECC_X25519; - } - else if (XSTRNCMP(name, "X448", len) == 0) { - curve = WOLFSSL_ECC_X448; - } - else { - #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) - int ret; - const ecc_set_type *eccSet; - - ret = wc_ecc_get_curve_idx_from_name(name); - if (ret < 0) { - WOLFSSL_MSG("Could not find name in set"); - return WOLFSSL_FAILURE; - } - - eccSet = wc_ecc_get_curve_params(ret); - if (eccSet == NULL) { - WOLFSSL_MSG("NULL set returned"); - return WOLFSSL_FAILURE; - } - - curve = GetCurveByOID(eccSet->oidSum); - #else - WOLFSSL_MSG("API not present to search farther using name"); - return WOLFSSL_FAILURE; - #endif - } - - if (curve > (sizeof(word32) * WOLFSSL_BIT_SIZE)) { - /* shift left more than size of ctx->disabledCurves causes static - * analysis report */ - WOLFSSL_MSG("curve value is too large for upcoming shift"); - return WOLFSSL_FAILURE; - } - - #if defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT) - /* set the supported curve so client TLS extension contains only the - * desired curves */ - if (wolfSSL_CTX_UseSupportedCurve(ctx, curve) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Unable to set supported curve"); - return WOLFSSL_FAILURE; - } - #endif - - /* Switch the bit to off and therefore is enabled. */ - ctx->disabledCurves &= ~(1U << curve); - start = idx + 1; - } - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names) -{ - if (ssl == NULL) { - return WOLFSSL_FAILURE; - } - return wolfSSL_CTX_set1_curves_list(ssl->ctx, names); -} -#endif /* OPENSSL_EXTRA && HAVE_ECC */ - -#ifdef OPENSSL_EXTRA -#ifndef NO_WOLFSSL_STUB -int wolfSSL_CTX_set_msg_callback(WOLFSSL_CTX *ctx, SSL_Msg_Cb cb) -{ - WOLFSSL_STUB("SSL_CTX_set_msg_callback"); - (void)ctx; - (void)cb; - return WOLFSSL_FAILURE; -} -#endif - - -/* Sets a callback for when sending and receiving protocol messages. - * - * ssl WOLFSSL structure to set callback in - * cb callback to use - * - * return SSL_SUCCESS on success and SSL_FAILURE with error case - */ -int wolfSSL_set_msg_callback(WOLFSSL *ssl, SSL_Msg_Cb cb) -{ - WOLFSSL_ENTER("wolfSSL_set_msg_callback"); - - if (ssl == NULL) { - return SSL_FAILURE; - } - - if (cb != NULL) { - ssl->toInfoOn = 1; - } - - ssl->protoMsgCb = cb; - return SSL_SUCCESS; -} -#ifndef NO_WOLFSSL_STUB -int wolfSSL_CTX_set_msg_callback_arg(WOLFSSL_CTX *ctx, void* arg) -{ - WOLFSSL_STUB("SSL_CTX_set_msg_callback_arg"); - (void)ctx; - (void)arg; - return WOLFSSL_FAILURE; -} -#endif - -int wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg) -{ - WOLFSSL_ENTER("wolfSSL_set_msg_callback_arg"); - if (ssl == NULL) - return WOLFSSL_FAILURE; - - ssl->protoMsgCtx = arg; - return WOLFSSL_SUCCESS; -} - -void *wolfSSL_OPENSSL_memdup(const void *data, size_t siz, const char* file, int line) -{ - void *ret; - (void)file; - (void)line; - - if (data == NULL || siz >= INT_MAX) - return NULL; - - ret = OPENSSL_malloc(siz); - if (ret == NULL) { - return NULL; - } - return XMEMCPY(ret, data, siz); -} - -int wolfSSL_CTX_set_alpn_protos(WOLFSSL_CTX *ctx, const unsigned char *p, - unsigned int p_len) -{ - WOLFSSL_ENTER("wolfSSL_CTX_set_alpn_protos"); - if(ctx == NULL) - return BAD_FUNC_ARG; - if((void *)ctx->alpn_cli_protos != NULL) - wolfSSL_OPENSSL_free((void *)ctx->alpn_cli_protos); - ctx->alpn_cli_protos = - (const unsigned char *)wolfSSL_OPENSSL_memdup(p, p_len, NULL, 0); - if (ctx->alpn_cli_protos == NULL) { - return SSL_FAILURE; - } - ctx->alpn_cli_protos_len = p_len; - - return SSL_SUCCESS; -} - - -#ifdef HAVE_ALPN -/* Sets the ALPN extension protos - * - * example format is - * unsigned char p[] = { - * 8, 'h', 't', 't', 'p', '/', '1', '.', '1' - * }; - * - * returns WOLFSSL_SUCCESS on success */ -int wolfSSL_set_alpn_protos(WOLFSSL* ssl, - const unsigned char* p, unsigned int p_len) -{ - WOLFSSL_BIO* bio; - char* pt; - - unsigned int sz; - unsigned int idx = 0; - int alpn_opt = WOLFSSL_ALPN_CONTINUE_ON_MISMATCH; - WOLFSSL_ENTER("wolfSSL_set_alpn_protos"); - - if (ssl == NULL || p_len <= 1) { - return WOLFSSL_FAILURE; - } - - bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem()); - if (bio == NULL) { - return WOLFSSL_FAILURE; - } - - /* convert into comma separated list */ - while (idx < p_len - 1) { - unsigned int i; - - sz = p[idx++]; - if (idx + sz > p_len) { - WOLFSSL_MSG("Bad list format"); - wolfSSL_BIO_free(bio); - return WOLFSSL_FAILURE; - } - if (sz > 0) { - for (i = 0; i < sz; i++) { - wolfSSL_BIO_write(bio, &p[idx++], 1); - } - if (idx < p_len - 1) - wolfSSL_BIO_write(bio, ",", 1); - } - } - wolfSSL_BIO_write(bio, "\0", 1); - - /* clears out all current ALPN extensions set */ - TLSX_Remove(&ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL, ssl->heap); - - if ((sz = wolfSSL_BIO_get_mem_data(bio, &pt)) > 0) { - wolfSSL_UseALPN(ssl, pt, sz, alpn_opt); - } - wolfSSL_BIO_free(bio); - return WOLFSSL_SUCCESS; -} -#endif /* HAVE_ALPN */ -#endif - -#endif /* WOLFCRYPT_ONLY */ - -#if defined(OPENSSL_EXTRA) - -#define WOLFSSL_BIO_INCLUDED -#include "src/bio.c" - -int oid2nid(word32 oid, int grp) -{ - /* get OID type */ - switch (grp) { - /* oidHashType */ - case oidHashType: - switch (oid) { - #ifdef WOLFSSL_MD2 - case MD2h: - return NID_md2; - #endif - #ifndef NO_MD5 - case MD5h: - return NID_md5; - #endif - #ifndef NO_SHA - case SHAh: - return NID_sha1; - #endif - case SHA224h: - return NID_sha224; - #ifndef NO_SHA256 - case SHA256h: - return NID_sha256; - #endif - #ifdef WOLFSSL_SHA384 - case SHA384h: - return NID_sha384; - #endif - #ifdef WOLFSSL_SHA512 - case SHA512h: - return NID_sha512; - #endif - } - break; - - /* oidSigType */ - case oidSigType: - switch (oid) { - #ifndef NO_DSA - case CTC_SHAwDSA: - return CTC_SHAwDSA; - #endif /* NO_DSA */ - #ifndef NO_RSA - case CTC_MD2wRSA: - return CTC_MD2wRSA; - case CTC_MD5wRSA: - return CTC_MD5wRSA; - case CTC_SHAwRSA: - return CTC_SHAwRSA; - case CTC_SHA224wRSA: - return CTC_SHA224wRSA; - case CTC_SHA256wRSA: - return CTC_SHA256wRSA; - case CTC_SHA384wRSA: - return CTC_SHA384wRSA; - case CTC_SHA512wRSA: - return CTC_SHA512wRSA; - #endif /* NO_RSA */ - #ifdef HAVE_ECC - case CTC_SHAwECDSA: - return CTC_SHAwECDSA; - case CTC_SHA224wECDSA: - return CTC_SHA224wECDSA; - case CTC_SHA256wECDSA: - return CTC_SHA256wECDSA; - case CTC_SHA384wECDSA: - return CTC_SHA384wECDSA; - case CTC_SHA512wECDSA: - return CTC_SHA512wECDSA; - #endif /* HAVE_ECC */ - } - break; - - /* oidKeyType */ - case oidKeyType: - switch (oid) { - #ifndef NO_DSA - case DSAk: - return DSAk; - #endif /* NO_DSA */ - #ifndef NO_RSA - case RSAk: - return RSAk; - #endif /* NO_RSA */ - #ifdef HAVE_NTRU - case NTRUk: - return NTRUk; - #endif /* HAVE_NTRU */ - #ifdef HAVE_ECC - case ECDSAk: - return ECDSAk; - #endif /* HAVE_ECC */ - } - break; - - - #ifdef HAVE_ECC - case oidCurveType: - switch (oid) { - case ECC_SECP192R1_OID: - return NID_X9_62_prime192v1; - case ECC_PRIME192V2_OID: - return NID_X9_62_prime192v2; - case ECC_PRIME192V3_OID: - return NID_X9_62_prime192v3; - case ECC_PRIME239V1_OID: - return NID_X9_62_prime239v1; - case ECC_PRIME239V2_OID: - return NID_X9_62_prime239v2; - case ECC_PRIME239V3_OID: - return NID_X9_62_prime239v3; - case ECC_SECP256R1_OID: - return NID_X9_62_prime256v1; - case ECC_SECP112R1_OID: - return NID_secp112r1; - case ECC_SECP112R2_OID: - return NID_secp112r2; - case ECC_SECP128R1_OID: - return NID_secp128r1; - case ECC_SECP128R2_OID: - return NID_secp128r2; - case ECC_SECP160R1_OID: - return NID_secp160r1; - case ECC_SECP160R2_OID: - return NID_secp160r2; - case ECC_SECP224R1_OID: - return NID_secp224r1; - case ECC_SECP384R1_OID: - return NID_secp384r1; - case ECC_SECP521R1_OID: - return NID_secp521r1; - case ECC_SECP160K1_OID: - return NID_secp160k1; - case ECC_SECP192K1_OID: - return NID_secp192k1; - case ECC_SECP224K1_OID: - return NID_secp224k1; - case ECC_SECP256K1_OID: - return NID_secp256k1; - case ECC_BRAINPOOLP160R1_OID: - return NID_brainpoolP160r1; - case ECC_BRAINPOOLP192R1_OID: - return NID_brainpoolP192r1; - case ECC_BRAINPOOLP224R1_OID: - return NID_brainpoolP224r1; - case ECC_BRAINPOOLP256R1_OID: - return NID_brainpoolP256r1; - case ECC_BRAINPOOLP320R1_OID: - return NID_brainpoolP320r1; - case ECC_BRAINPOOLP384R1_OID: - return NID_brainpoolP384r1; - case ECC_BRAINPOOLP512R1_OID: - return NID_brainpoolP512r1; - } - break; - #endif /* HAVE_ECC */ - - /* oidBlkType */ - case oidBlkType: - switch (oid) { - #ifdef WOLFSSL_AES_128 - case AES128CBCb: - return AES128CBCb; - #endif - #ifdef WOLFSSL_AES_192 - case AES192CBCb: - return AES192CBCb; - #endif - #ifdef WOLFSSL_AES_256 - case AES256CBCb: - return AES256CBCb; - #endif - #ifndef NO_DES3 - case DESb: - return NID_des; - case DES3b: - return NID_des3; - #endif - } - break; - - #ifdef HAVE_OCSP - case oidOcspType: - switch (oid) { - case OCSP_BASIC_OID: - return NID_id_pkix_OCSP_basic; - case OCSP_NONCE_OID: - return OCSP_NONCE_OID; - } - break; - #endif /* HAVE_OCSP */ - - /* oidCertExtType */ - case oidCertExtType: - switch (oid) { - case BASIC_CA_OID: - return BASIC_CA_OID; - case ALT_NAMES_OID: - return ALT_NAMES_OID; - case CRL_DIST_OID: - return CRL_DIST_OID; - case AUTH_INFO_OID: - return AUTH_INFO_OID; - case AUTH_KEY_OID: - return AUTH_KEY_OID; - case SUBJ_KEY_OID: - return SUBJ_KEY_OID; - case INHIBIT_ANY_OID: - return INHIBIT_ANY_OID; - case KEY_USAGE_OID: - return NID_key_usage; - case NAME_CONS_OID: - return NID_name_constraints; - case CERT_POLICY_OID: - return NID_certificate_policies; - } - break; - - /* oidCertAuthInfoType */ - case oidCertAuthInfoType: - switch (oid) { - case AIA_OCSP_OID: - return AIA_OCSP_OID; - case AIA_CA_ISSUER_OID: - return AIA_CA_ISSUER_OID; - } - break; - - /* oidCertPolicyType */ - case oidCertPolicyType: - switch (oid) { - case CP_ANY_OID: - return NID_any_policy; - } - break; - - /* oidCertAltNameType */ - case oidCertAltNameType: - switch (oid) { - case HW_NAME_OID: - return NID_hw_name_oid; - } - break; - - /* oidCertKeyUseType */ - case oidCertKeyUseType: - switch (oid) { - case EKU_ANY_OID: - return NID_anyExtendedKeyUsage; - case EKU_SERVER_AUTH_OID: - return EKU_SERVER_AUTH_OID; - case EKU_CLIENT_AUTH_OID: - return EKU_CLIENT_AUTH_OID; - case EKU_OCSP_SIGN_OID: - return EKU_OCSP_SIGN_OID; - } - break; - - /* oidKdfType */ - case oidKdfType: - switch (oid) { - case PBKDF2_OID: - return PBKDF2_OID; - } - break; - - /* oidPBEType */ - case oidPBEType: - switch (oid) { - case PBE_SHA1_RC4_128: - return PBE_SHA1_RC4_128; - case PBE_SHA1_DES: - return PBE_SHA1_DES; - case PBE_SHA1_DES3: - return PBE_SHA1_DES3; - } - break; - - /* oidKeyWrapType */ - case oidKeyWrapType: - switch (oid) { - #ifdef WOLFSSL_AES_128 - case AES128_WRAP: - return AES128_WRAP; - #endif - #ifdef WOLFSSL_AES_192 - case AES192_WRAP: - return AES192_WRAP; - #endif - #ifdef WOLFSSL_AES_256 - case AES256_WRAP: - return AES256_WRAP; - #endif - } - break; - - /* oidCmsKeyAgreeType */ - case oidCmsKeyAgreeType: - switch (oid) { - #ifndef NO_SHA - case dhSinglePass_stdDH_sha1kdf_scheme: - return dhSinglePass_stdDH_sha1kdf_scheme; - #endif - #ifdef WOLFSSL_SHA224 - case dhSinglePass_stdDH_sha224kdf_scheme: - return dhSinglePass_stdDH_sha224kdf_scheme; - #endif - #ifndef NO_SHA256 - case dhSinglePass_stdDH_sha256kdf_scheme: - return dhSinglePass_stdDH_sha256kdf_scheme; - #endif - #ifdef WOLFSSL_SHA384 - case dhSinglePass_stdDH_sha384kdf_scheme: - return dhSinglePass_stdDH_sha384kdf_scheme; - #endif - #ifdef WOLFSSL_SHA512 - case dhSinglePass_stdDH_sha512kdf_scheme: - return dhSinglePass_stdDH_sha512kdf_scheme; - #endif - } - break; - - default: - WOLFSSL_MSG("NID not in table"); - return -1; - } - - return -1; -} - - -/* when calling SetIndividualInternal, mpi should be cleared by caller if no - * longer used. ie mp_free(mpi). This is to free data when fastmath is - * disabled since a copy of mpi is made by this function and placed into bn. - */ -int SetIndividualInternal(WOLFSSL_BIGNUM* bn, mp_int* mpi) -{ - WOLFSSL_MSG("Entering SetIndividualInternal"); - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - if (mpi == NULL || (mp_init(mpi) != MP_OKAY)) { - WOLFSSL_MSG("mpi NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - if (mp_copy((mp_int*)bn->internal, mpi) != MP_OKAY) { - WOLFSSL_MSG("mp_copy error"); - return WOLFSSL_FATAL_ERROR; - } - - return WOLFSSL_SUCCESS; -} - - -#ifndef NO_ASN -WOLFSSL_BIGNUM *wolfSSL_ASN1_INTEGER_to_BN(const WOLFSSL_ASN1_INTEGER *ai, - WOLFSSL_BIGNUM *bn) -{ - mp_int mpi; - word32 idx = 0; - int ret; - - WOLFSSL_ENTER("wolfSSL_ASN1_INTEGER_to_BN"); - - if (ai == NULL) { - return NULL; - } - - ret = GetInt(&mpi, ai->data, &idx, ai->dataMax); - if (ret != 0) { - #ifdef WOLFSSL_QT - mp_init(&mpi); /* must init mpi */ - /* Serial number in QT starts at index 0 of data */ - if (mp_read_unsigned_bin(&mpi, (byte*)ai->data, ai->length) != 0) { - mp_clear(&mpi); - return NULL; - } - #else - /* expecting ASN1 format for INTEGER */ - WOLFSSL_LEAVE("wolfSSL_ASN1_INTEGER_to_BN", ret); - return NULL; - #endif - } - - /* mp_clear needs called because mpi is copied and causes memory leak with - * --disable-fastmath */ - ret = SetIndividualExternal(&bn, &mpi); - mp_clear(&mpi); - - if (ret != WOLFSSL_SUCCESS) { - return NULL; - } - return bn; -} -#endif /* !NO_ASN */ - -#if !defined(NO_DSA) && !defined(NO_DH) -WOLFSSL_DH *wolfSSL_DSA_dup_DH(const WOLFSSL_DSA *dsa) -{ - WOLFSSL_DH* dh; - DhKey* key; - - WOLFSSL_ENTER("wolfSSL_DSA_dup_DH"); - - if (dsa == NULL) { - return NULL; - } - - dh = wolfSSL_DH_new(); - if (dh == NULL) { - return NULL; - } - key = (DhKey*)dh->internal; - - if (dsa->p != NULL && - SetIndividualInternal(((WOLFSSL_DSA*)dsa)->p, &key->p) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa p key error"); - wolfSSL_DH_free(dh); - return NULL; - } - if (dsa->g != NULL && - SetIndividualInternal(((WOLFSSL_DSA*)dsa)->g, &key->g) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa g key error"); - wolfSSL_DH_free(dh); - return NULL; - } - - if (SetIndividualExternal(&dh->p, &key->p) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dsa p key error"); - wolfSSL_DH_free(dh); - return NULL; - } - if (SetIndividualExternal(&dh->g, &key->g) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("dsa g key error"); - wolfSSL_DH_free(dh); - return NULL; - } - - return dh; -} -#endif /* !NO_DSA && !NO_DH */ - - -#ifndef NO_RSA -#if !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) -/* Openssl -> WolfSSL */ -int SetRsaInternal(WOLFSSL_RSA* rsa) -{ - RsaKey* key; - WOLFSSL_MSG("Entering SetRsaInternal"); - - if (rsa == NULL || rsa->internal == NULL) { - WOLFSSL_MSG("rsa key NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - key = (RsaKey*)rsa->internal; - - if (SetIndividualInternal(rsa->n, &key->n) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa n key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualInternal(rsa->e, &key->e) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa e key error"); - return WOLFSSL_FATAL_ERROR; - } - - /* public key */ - key->type = RSA_PUBLIC; - - if (rsa->d != NULL) { - if (SetIndividualInternal(rsa->d, &key->d) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa d key error"); - return WOLFSSL_FATAL_ERROR; - } - - /* private key */ - key->type = RSA_PRIVATE; - } - - if (rsa->p != NULL && - SetIndividualInternal(rsa->p, &key->p) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa p key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (rsa->q != NULL && - SetIndividualInternal(rsa->q, &key->q) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa q key error"); - return WOLFSSL_FATAL_ERROR; - } - -#ifndef RSA_LOW_MEM - if (rsa->dmp1 != NULL && - SetIndividualInternal(rsa->dmp1, &key->dP) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa dP key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (rsa->dmq1 != NULL && - SetIndividualInternal(rsa->dmq1, &key->dQ) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa dQ key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (rsa->iqmp != NULL && - SetIndividualInternal(rsa->iqmp, &key->u) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa u key error"); - return WOLFSSL_FATAL_ERROR; - } -#endif /* !RSA_LOW_MEM */ - - rsa->inSet = 1; - - return WOLFSSL_SUCCESS; -} - - -/* SSL_SUCCESS on ok */ -#ifndef NO_WOLFSSL_STUB -int wolfSSL_RSA_blinding_on(WOLFSSL_RSA* rsa, WOLFSSL_BN_CTX* bn) -{ - (void)rsa; - (void)bn; - WOLFSSL_STUB("RSA_blinding_on"); - WOLFSSL_MSG("wolfSSL_RSA_blinding_on"); - - return WOLFSSL_SUCCESS; /* on by default */ -} -#endif - -/* return compliant with OpenSSL - * size of encrypted data if success , -1 if error - */ -int wolfSSL_RSA_public_encrypt(int len, const unsigned char* fr, - unsigned char* to, WOLFSSL_RSA* rsa, int padding) -{ - int initTmpRng = 0; - WC_RNG *rng = NULL; - int outLen; - int ret = 0; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG = NULL; -#else - WC_RNG _tmpRNG[1]; - WC_RNG* tmpRNG = _tmpRNG; -#endif -#if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) - int mgf = WC_MGF1NONE; - enum wc_HashType hash = WC_HASH_TYPE_NONE; -#endif - - WOLFSSL_MSG("wolfSSL_RSA_public_encrypt"); - - /* Check and remap the padding to internal values, if needed. */ -#if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) - if (padding == RSA_PKCS1_PADDING) - padding = WC_RSA_PKCSV15_PAD; - else if (padding == RSA_PKCS1_OAEP_PADDING) { - padding = WC_RSA_OAEP_PAD; - hash = WC_HASH_TYPE_SHA; - mgf = WC_MGF1SHA1; - } - else if (padding == RSA_PKCS1_PSS_PADDING) { - padding = WC_RSA_PSS_PAD; - hash = WC_HASH_TYPE_SHA256; - mgf = WC_MGF1SHA256; - } - else if (padding == RSA_NO_PADDING) { - padding = WC_RSA_NO_PAD; - } -#else - if (padding == RSA_PKCS1_PADDING) - ; -#endif - else { - WOLFSSL_MSG("wolfSSL_RSA_public_encrypt unsupported padding"); - return 0; - } - - if (rsa->inSet == 0) - { - if (SetRsaInternal(rsa) != SSL_SUCCESS) { - WOLFSSL_MSG("SetRsaInternal failed"); - return 0; - } - } - - outLen = wolfSSL_RSA_size(rsa); - - rng = WOLFSSL_RSA_GetRNG(rsa, (WC_RNG**)&tmpRNG, &initTmpRng); - - if (outLen == 0) { - WOLFSSL_MSG("Bad RSA size"); - } - - if (rng) { -#if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) - ret = wc_RsaPublicEncrypt_ex(fr, len, to, outLen, - (RsaKey*)rsa->internal, rng, padding, - hash, mgf, NULL, 0); -#else - ret = wc_RsaPublicEncrypt(fr, len, to, outLen, - (RsaKey*)rsa->internal, rng); -#endif - if (ret <= 0) { - WOLFSSL_MSG("Bad Rsa Encrypt"); - } - if (len <= 0) { - WOLFSSL_MSG("Bad Rsa Encrypt"); - } - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); -#ifdef WOLFSSL_SMALL_STACK - if (tmpRNG) - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - if (ret >= 0) - WOLFSSL_MSG("wolfSSL_RSA_public_encrypt success"); - else { - WOLFSSL_MSG("wolfSSL_RSA_public_encrypt failed"); - ret = WOLFSSL_FATAL_ERROR; /* return -1 on error case */ - } - return ret; -} - - - - -/* return compliant with OpenSSL - * size of plain recovered data if success , -1 if error - */ -int wolfSSL_RSA_private_decrypt(int len, const unsigned char* fr, - unsigned char* to, WOLFSSL_RSA* rsa, int padding) -{ - int outLen; - int ret = 0; - #if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) - int mgf = WC_MGF1NONE; - enum wc_HashType hash = WC_HASH_TYPE_NONE; - #endif - - WOLFSSL_MSG("wolfSSL_RSA_private_decrypt"); - -#if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) - if (padding == RSA_PKCS1_PADDING) - padding = WC_RSA_PKCSV15_PAD; - else if (padding == RSA_PKCS1_OAEP_PADDING) { - padding = WC_RSA_OAEP_PAD; - hash = WC_HASH_TYPE_SHA; - mgf = WC_MGF1SHA1; - } - else if (padding == RSA_PKCS1_PSS_PADDING) { - padding = WC_RSA_PSS_PAD; - hash = WC_HASH_TYPE_SHA256; - mgf = WC_MGF1SHA256; - } - else if (padding == RSA_NO_PADDING) { - padding = WC_RSA_NO_PAD; - } -#else - if (padding == RSA_PKCS1_PADDING) - ; -#endif - else { - WOLFSSL_MSG("wolfSSL_RSA_private_decrypt unsupported padding"); - return 0; - } - - if (rsa->inSet == 0) - { - if (SetRsaInternal(rsa) != SSL_SUCCESS) { - WOLFSSL_MSG("SetRsaInternal failed"); - return 0; - } - } - - outLen = wolfSSL_RSA_size(rsa); - if (outLen == 0) { - WOLFSSL_MSG("Bad RSA size"); - } - - /* size of 'to' buffer must be size of RSA key */ -#if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) - ret = wc_RsaPrivateDecrypt_ex(fr, len, to, outLen, - (RsaKey*)rsa->internal, padding, - hash, mgf, NULL, 0); -#else - ret = wc_RsaPrivateDecrypt(fr, len, to, outLen, - (RsaKey*)rsa->internal); -#endif - - if (len <= 0) { - WOLFSSL_MSG("Bad Rsa Decrypt"); - } - - if (ret > 0) - WOLFSSL_MSG("wolfSSL_RSA_private_decrypt success"); - else { - WOLFSSL_MSG("wolfSSL_RSA_private_decrypt failed"); - ret = WOLFSSL_FATAL_ERROR; - } - return ret; -} - -#if !defined(_WIN32) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) -int wolfSSL_RSA_public_decrypt(int flen, const unsigned char* from, - unsigned char* to, WOLFSSL_RSA* rsa, int padding) -{ - int tlen = 0; - int pad_type; - - WOLFSSL_ENTER("wolfSSL_RSA_public_decrypt"); - - if (rsa == NULL || rsa->internal == NULL || from == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return WOLFSSL_FAILURE; - } - - switch (padding) { - case RSA_PKCS1_PADDING: - pad_type = WC_RSA_PKCSV15_PAD; - break; - case RSA_PKCS1_OAEP_PADDING: - pad_type = WC_RSA_OAEP_PAD; - break; - case RSA_PKCS1_PSS_PADDING: - pad_type = WC_RSA_PSS_PAD; - break; - case RSA_NO_PADDING: - pad_type = WC_RSA_NO_PAD; - break; - default: - WOLFSSL_MSG("wolfSSL_RSA_public_decrypt unsupported padding"); - return WOLFSSL_FAILURE; - } - - if (rsa->inSet == 0) - { - WOLFSSL_MSG("No RSA internal set, do it"); - - if (SetRsaInternal(rsa) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("SetRsaInternal failed"); - return WOLFSSL_FAILURE; - } - } - - /* size of 'to' buffer must be size of RSA key */ - tlen = wc_RsaSSL_Verify_ex(from, flen, to, wolfSSL_RSA_size(rsa), - (RsaKey*)rsa->internal, pad_type); - if (tlen <= 0) - WOLFSSL_MSG("wolfSSL_RSA_public_decrypt failed"); - else { - WOLFSSL_MSG("wolfSSL_RSA_public_decrypt success"); - } - return tlen; -} -#endif /* !defined(_WIN32) && !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) */ - -/* RSA private encrypt calls wc_RsaSSL_Sign. Similar function set up as RSA - * public decrypt. - * - * len Length of input buffer - * in Input buffer to sign - * out Output buffer (expected to be greater than or equal to RSA key size) - * rsa Key to use for encryption - * padding Type of RSA padding to use. - */ -int wolfSSL_RSA_private_encrypt(int len, unsigned char* in, - unsigned char* out, WOLFSSL_RSA* rsa, int padding) -{ - int sz = 0; - WC_RNG* rng = NULL; -#if !defined(WC_RSA_BLINDING) || defined(HAVE_USER_RSA) - WC_RNG rng_lcl; -#endif - RsaKey* key; - - WOLFSSL_MSG("wolfSSL_RSA_private_encrypt"); - - if (len < 0 || rsa == NULL || rsa->internal == NULL || in == NULL) { - WOLFSSL_MSG("Bad function arguments"); - return 0; - } - - if (padding != RSA_PKCS1_PADDING && padding != RSA_PKCS1_PSS_PADDING) { - WOLFSSL_MSG("wolfSSL_RSA_private_encrypt unsupported padding"); - return 0; - } - - if (rsa->inSet == 0) - { - WOLFSSL_MSG("Setting internal RSA structure"); - - if (SetRsaInternal(rsa) != SSL_SUCCESS) { - WOLFSSL_MSG("SetRsaInternal failed"); - return 0; - } - } - - key = (RsaKey*)rsa->internal; -#if defined(WC_RSA_BLINDING) && !defined(HAVE_USER_RSA) - rng = key->rng; -#else - rng = &rng_lcl; - #ifndef HAVE_FIPS - if (wc_InitRng_ex(rng, key->heap, INVALID_DEVID) != 0) - #else - if (wc_InitRng(rng) != 0) - #endif - { - WOLFSSL_MSG("Error with random number"); - return SSL_FATAL_ERROR; - } -#endif - - /* size of output buffer must be size of RSA key */ - sz = wc_RsaSSL_Sign(in, (word32)len, out, wolfSSL_RSA_size(rsa), key, rng); - #if !defined(WC_RSA_BLINDING) || defined(HAVE_USER_RSA) - if (wc_FreeRng(rng) != 0) { - WOLFSSL_MSG("Error freeing random number generator"); - return SSL_FATAL_ERROR; - } - #endif - if (sz <= 0) { - WOLFSSL_LEAVE("wolfSSL_RSA_private_encrypt", sz); - return 0; - } - - return sz; -} -#endif /* HAVE_USER_RSA */ -#endif - - -/* frees all nodes in the current threads error queue - * - * id thread id. ERR_remove_state is depreciated and id is ignored. The - * current threads queue will be free'd. - */ -void wolfSSL_ERR_remove_state(unsigned long id) -{ - WOLFSSL_ENTER("wolfSSL_ERR_remove_state"); - (void)id; - if (wc_ERR_remove_state() != 0) { - WOLFSSL_MSG("Error with removing the state"); - } -} - - -WOLFSSL_BN_CTX* wolfSSL_BN_CTX_new(void) -{ - static int ctx; /* wolfcrypt doesn't now need ctx */ - - WOLFSSL_MSG("wolfSSL_BN_CTX_new"); - return (WOLFSSL_BN_CTX*)&ctx; - -} - -void wolfSSL_BN_CTX_init(WOLFSSL_BN_CTX* ctx) -{ - (void)ctx; - WOLFSSL_MSG("wolfSSL_BN_CTX_init"); -} - - -void wolfSSL_BN_CTX_free(WOLFSSL_BN_CTX* ctx) -{ - (void)ctx; - WOLFSSL_MSG("wolfSSL_BN_CTX_free"); - /* do free since static ctx that does nothing */ -} - -/* WOLFSSL_SUCCESS on ok */ -int wolfSSL_BN_sub(WOLFSSL_BIGNUM* r, const WOLFSSL_BIGNUM* a, - const WOLFSSL_BIGNUM* b) -{ - WOLFSSL_MSG("wolfSSL_BN_sub"); - - if (r == NULL || a == NULL || b == NULL) - return 0; - - if (mp_sub((mp_int*)a->internal,(mp_int*)b->internal, - (mp_int*)r->internal) == MP_OKAY) - return WOLFSSL_SUCCESS; - - WOLFSSL_MSG("wolfSSL_BN_sub mp_sub failed"); - return 0; -} - -/* WOLFSSL_SUCCESS on ok */ -int wolfSSL_BN_mod(WOLFSSL_BIGNUM* r, const WOLFSSL_BIGNUM* a, - const WOLFSSL_BIGNUM* b, const WOLFSSL_BN_CTX* c) -{ - (void)c; - WOLFSSL_MSG("wolfSSL_BN_mod"); - - if (r == NULL || a == NULL || b == NULL) - return 0; - - if (mp_mod((mp_int*)a->internal,(mp_int*)b->internal, - (mp_int*)r->internal) == MP_OKAY) - return WOLFSSL_SUCCESS; - - WOLFSSL_MSG("wolfSSL_BN_mod mp_mod failed"); - return 0; -} - - -/* r = (a^p) % m */ -int wolfSSL_BN_mod_exp(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *a, - const WOLFSSL_BIGNUM *p, const WOLFSSL_BIGNUM *m, WOLFSSL_BN_CTX *ctx) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_BN_mod_exp"); - - (void) ctx; - if (r == NULL || a == NULL || p == NULL || m == NULL) { - WOLFSSL_MSG("Bad Argument"); - return WOLFSSL_FAILURE; - } - - if ((ret = mp_exptmod((mp_int*)a->internal,(mp_int*)p->internal, - (mp_int*)m->internal, (mp_int*)r->internal)) == MP_OKAY) { - return WOLFSSL_SUCCESS; - } - - WOLFSSL_LEAVE("wolfSSL_BN_mod_exp", ret); - (void)ret; - - return WOLFSSL_FAILURE; -} - -/* r = (a * p) % m */ -int wolfSSL_BN_mod_mul(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *a, - const WOLFSSL_BIGNUM *p, const WOLFSSL_BIGNUM *m, WOLFSSL_BN_CTX *ctx) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_BN_mod_mul"); - - (void) ctx; - if (r == NULL || a == NULL || p == NULL || m == NULL) { - WOLFSSL_MSG("Bad Argument"); - return SSL_FAILURE; - } - - if ((ret = mp_mulmod((mp_int*)a->internal,(mp_int*)p->internal, - (mp_int*)m->internal, (mp_int*)r->internal)) == MP_OKAY) { - return SSL_SUCCESS; - } - - WOLFSSL_LEAVE("wolfSSL_BN_mod_mul", ret); - (void)ret; - - return SSL_FAILURE; -} - -#ifdef OPENSSL_EXTRA -const WOLFSSL_BIGNUM* wolfSSL_BN_value_one(void) -{ - WOLFSSL_MSG("wolfSSL_BN_value_one"); - - if (bn_one == NULL) { - bn_one = wolfSSL_BN_new(); - if (bn_one) { - if (mp_set_int((mp_int*)bn_one->internal, 1) != MP_OKAY) { - /* handle error by freeing BN and returning NULL */ - wolfSSL_BN_free(bn_one); - bn_one = NULL; - } - } - } - - return bn_one; -} -#endif - -/* return compliant with OpenSSL - * size of BIGNUM in bytes, 0 if error */ -int wolfSSL_BN_num_bytes(const WOLFSSL_BIGNUM* bn) -{ - WOLFSSL_ENTER("wolfSSL_BN_num_bytes"); - - if (bn == NULL || bn->internal == NULL) - return WOLFSSL_FAILURE; - - return mp_unsigned_bin_size((mp_int*)bn->internal); -} - -/* return compliant with OpenSSL - * size of BIGNUM in bits, 0 if error */ -int wolfSSL_BN_num_bits(const WOLFSSL_BIGNUM* bn) -{ - WOLFSSL_ENTER("wolfSSL_BN_num_bits"); - - if (bn == NULL || bn->internal == NULL) - return WOLFSSL_FAILURE; - - return mp_count_bits((mp_int*)bn->internal); -} - -int wolfSSL_BN_is_negative(const WOLFSSL_BIGNUM* bn) -{ - if (bn == NULL) - return WOLFSSL_FAILURE; - - return mp_isneg((mp_int*)bn->internal); -} - -/* return compliant with OpenSSL - * 1 if BIGNUM is zero, 0 else */ -int wolfSSL_BN_is_zero(const WOLFSSL_BIGNUM* bn) -{ - WOLFSSL_MSG("wolfSSL_BN_is_zero"); - - if (bn == NULL || bn->internal == NULL) - return WOLFSSL_FAILURE; - - if (mp_iszero((mp_int*)bn->internal) == MP_YES) - return WOLFSSL_SUCCESS; - - return WOLFSSL_FAILURE; -} - -/* return compliant with OpenSSL - * 1 if BIGNUM is one, 0 else */ -int wolfSSL_BN_is_one(const WOLFSSL_BIGNUM* bn) -{ - WOLFSSL_MSG("wolfSSL_BN_is_one"); - - if (bn == NULL || bn->internal == NULL) - return WOLFSSL_FAILURE; - - if (mp_cmp_d((mp_int*)bn->internal, 1) == MP_EQ) - return WOLFSSL_SUCCESS; - - return WOLFSSL_FAILURE; -} - -/* return compliant with OpenSSL - * 1 if BIGNUM is odd, 0 else */ -int wolfSSL_BN_is_odd(const WOLFSSL_BIGNUM* bn) -{ - WOLFSSL_MSG("wolfSSL_BN_is_odd"); - - if (bn == NULL || bn->internal == NULL) - return WOLFSSL_FAILURE; - - if (mp_isodd((mp_int*)bn->internal) == MP_YES) - return WOLFSSL_SUCCESS; - - return WOLFSSL_FAILURE; -} - -/* return compliant with OpenSSL - * 1 if BIGNUM is word, 0 else */ -int wolfSSL_BN_is_word(const WOLFSSL_BIGNUM* bn, WOLFSSL_BN_ULONG w) -{ - WOLFSSL_ENTER("wolfSSL_BN_is_word"); - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FAILURE; - } - - if (mp_isword((mp_int*)bn->internal, w) == MP_YES) { - return WOLFSSL_SUCCESS; - } - - return WOLFSSL_FAILURE; -} - -/* return compliant with OpenSSL - * -1 if a < b, 0 if a == b and 1 if a > b - */ -int wolfSSL_BN_cmp(const WOLFSSL_BIGNUM* a, const WOLFSSL_BIGNUM* b) -{ - int ret; - - WOLFSSL_MSG("wolfSSL_BN_cmp"); - - if (a == NULL || a->internal == NULL || b == NULL || b->internal == NULL) - return WOLFSSL_FATAL_ERROR; - - ret = mp_cmp((mp_int*)a->internal, (mp_int*)b->internal); - - return (ret == MP_EQ ? 0 : (ret == MP_GT ? 1 : -1)); -} - -/* return compliant with OpenSSL - * length of BIGNUM in bytes, -1 if error */ -int wolfSSL_BN_bn2bin(const WOLFSSL_BIGNUM* bn, unsigned char* r) -{ - WOLFSSL_MSG("wolfSSL_BN_bn2bin"); - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("NULL bn error"); - return WOLFSSL_FATAL_ERROR; - } - - if (r == NULL) - return mp_unsigned_bin_size((mp_int*)bn->internal); - - if (mp_to_unsigned_bin((mp_int*)bn->internal, r) != MP_OKAY) { - WOLFSSL_MSG("mp_to_unsigned_bin error"); - return WOLFSSL_FATAL_ERROR; - } - - return mp_unsigned_bin_size((mp_int*)bn->internal); -} - - -WOLFSSL_BIGNUM* wolfSSL_BN_bin2bn(const unsigned char* str, int len, - WOLFSSL_BIGNUM* ret) -{ - int weOwn = 0; - - WOLFSSL_MSG("wolfSSL_BN_bin2bn"); - - /* if ret is null create a BN */ - if (ret == NULL) { - ret = wolfSSL_BN_new(); - weOwn = 1; - if (ret == NULL) - return NULL; - } - - /* check ret and ret->internal then read in value */ - if (ret && ret->internal) { - if (mp_read_unsigned_bin((mp_int*)ret->internal, str, len) != 0) { - WOLFSSL_MSG("mp_read_unsigned_bin failure"); - if (weOwn) - wolfSSL_BN_free(ret); - return NULL; - } - } else { - return NULL; - } - - return ret; -} - -/* return compliant with OpenSSL - * 1 if success, 0 if error */ -#ifndef NO_WOLFSSL_STUB -int wolfSSL_mask_bits(WOLFSSL_BIGNUM* bn, int n) -{ - (void)bn; - (void)n; - WOLFSSL_ENTER("wolfSSL_BN_mask_bits"); - WOLFSSL_STUB("BN_mask_bits"); - return SSL_FAILURE; -} -#endif - - -/* WOLFSSL_SUCCESS on ok */ -int wolfSSL_BN_rand(WOLFSSL_BIGNUM* bn, int bits, int top, int bottom) -{ - int ret = 0; - int len = bits / 8; - int initTmpRng = 0; - WC_RNG* rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG = NULL; - byte* buff = NULL; -#else - WC_RNG tmpRNG[1]; - byte buff[1024]; -#endif - - (void)top; - (void)bottom; - WOLFSSL_MSG("wolfSSL_BN_rand"); - - if (bits % 8) - len++; - -#ifdef WOLFSSL_SMALL_STACK - buff = (byte*)XMALLOC(1024, NULL, DYNAMIC_TYPE_TMP_BUFFER); - tmpRNG = (WC_RNG*) XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (buff == NULL || tmpRNG == NULL) { - XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); - return ret; - } -#endif - - if (bn == NULL || bn->internal == NULL) - WOLFSSL_MSG("Bad function arguments"); - else if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else if (initGlobalRNG) - rng = &globalRNG; - - if (rng) { - if (wc_RNG_GenerateBlock(rng, buff, len) != 0) - WOLFSSL_MSG("Bad wc_RNG_GenerateBlock"); - else { - buff[0] |= 0x80 | 0x40; - buff[len-1] |= 0x01; - - if (mp_read_unsigned_bin((mp_int*)bn->internal,buff,len) != MP_OKAY) - WOLFSSL_MSG("mp read bin failed"); - else - ret = WOLFSSL_SUCCESS; - } - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - return ret; -} - - -/* WOLFSSL_SUCCESS on ok - * code is same as wolfSSL_BN_rand except for how top and bottom is handled. - * top -1 then leave most sig bit alone - * top 0 then most sig is set to 1 - * top is 1 then first two most sig bits are 1 - * - * bottom is hot then odd number */ -int wolfSSL_BN_pseudo_rand(WOLFSSL_BIGNUM* bn, int bits, int top, int bottom) -{ - int ret = 0; - int len = bits / 8; - int initTmpRng = 0; - WC_RNG* rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG = NULL; - byte* buff = NULL; -#else - WC_RNG tmpRNG[1]; - byte buff[1024]; -#endif - - WOLFSSL_MSG("wolfSSL_BN_rand"); - - if (bits % 8) - len++; - -#ifdef WOLFSSL_SMALL_STACK - buff = (byte*)XMALLOC(1024, NULL, DYNAMIC_TYPE_TMP_BUFFER); - tmpRNG = (WC_RNG*) XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (buff == NULL || tmpRNG == NULL) { - XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return ret; - } -#endif - - if (bn == NULL || bn->internal == NULL) - WOLFSSL_MSG("Bad function arguments"); - else if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else if (initGlobalRNG) - rng = &globalRNG; - - if (rng) { - if (wc_RNG_GenerateBlock(rng, buff, len) != 0) - WOLFSSL_MSG("Bad wc_RNG_GenerateBlock"); - else { - switch (top) { - case -1: - break; - - case 0: - buff[0] |= 0x80; - break; - - case 1: - buff[0] |= 0x80 | 0x40; - break; - } - - if (bottom == 1) { - buff[len-1] |= 0x01; - } - - if (mp_read_unsigned_bin((mp_int*)bn->internal,buff,len) != MP_OKAY) - WOLFSSL_MSG("mp read bin failed"); - else - ret = WOLFSSL_SUCCESS; - } - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} - -/* return code compliant with OpenSSL : - * 1 if bit set, 0 else - */ -int wolfSSL_BN_is_bit_set(const WOLFSSL_BIGNUM* bn, int n) -{ - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FAILURE; - } - - return mp_is_bit_set((mp_int*)bn->internal, (mp_digit)n); -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 else - */ -int wolfSSL_BN_set_bit(WOLFSSL_BIGNUM* bn, int n) -{ - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FAILURE; - } - - if (mp_set_bit((mp_int*)bn->internal, n) != MP_OKAY) { - WOLFSSL_MSG("mp_set_bit error"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_BN_clear_bit(WOLFSSL_BIGNUM* bn, int n) -{ - int ret = WOLFSSL_FAILURE; -#ifndef WOLFSSL_SMALL_STACK - mp_int tmp[1]; -#else - mp_int* tmp = NULL; -#endif - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - goto cleanup; - } - if (mp_is_bit_set((mp_int*)bn->internal, n)) { -#ifdef WOLFSSL_SMALL_STACK - tmp = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); - if (tmp == NULL) { - goto cleanup; - } -#endif - if (mp_init(tmp) != MP_OKAY) { - goto cleanup; - } - if (mp_set_bit(tmp, n) != MP_OKAY) { - goto cleanup; - } - if (mp_sub((mp_int*)bn->internal, tmp, (mp_int*)bn->internal) != MP_OKAY) { - goto cleanup; - } - } - - ret = WOLFSSL_SUCCESS; -cleanup: - mp_clear(tmp); -#ifdef WOLFSSL_SMALL_STACK - if (tmp) - XFREE(tmp, NULL, DYNAMIC_TYPE_BIGINT); -#endif - return ret; -} - - -/* WOLFSSL_SUCCESS on ok */ -/* Note on use: this function expects str to be an even length. It is - * converting pairs of bytes into 8-bit values. As an example, the RSA - * public exponent is commonly 0x010001. To get it to convert, you need - * to pass in the string "010001", it will fail if you use "10001". This - * is an affect of how Base16_Decode() works. - */ -int wolfSSL_BN_hex2bn(WOLFSSL_BIGNUM** bn, const char* str) -{ - int ret = 0; - word32 decSz = 1024; -#ifdef WOLFSSL_SMALL_STACK - byte* decoded; -#else - byte decoded[1024]; -#endif - int weOwn = 0; - int strLen; - - WOLFSSL_MSG("wolfSSL_BN_hex2bn"); - -#ifdef WOLFSSL_SMALL_STACK - decoded = (byte*)XMALLOC(decSz, NULL, DYNAMIC_TYPE_DER); - if (decoded == NULL) - return ret; -#endif - - if (str == NULL || str[0] == '\0') { - WOLFSSL_MSG("Bad function argument"); - ret = WOLFSSL_FAILURE; - } else { - strLen = (int)XSTRLEN(str); - /* ignore trailing new lines */ - while (str[strLen-1] == '\n' && strLen > 0) strLen--; - - if (Base16_Decode((byte*)str, strLen, decoded, &decSz) < 0) - WOLFSSL_MSG("Bad Base16_Decode error"); - else if (bn == NULL) - ret = decSz; - else { - if (*bn == NULL) { - *bn = wolfSSL_BN_new(); - if (*bn != NULL) { - weOwn = 1; - } - } - - if (*bn == NULL) - WOLFSSL_MSG("BN new failed"); - else if (wolfSSL_BN_bin2bn(decoded, decSz, *bn) == NULL) { - WOLFSSL_MSG("Bad bin2bn error"); - if (weOwn == 1) { - wolfSSL_BN_free(*bn); /* Free new BN */ - } - } - else - ret = WOLFSSL_SUCCESS; - } - } - -#ifdef WOLFSSL_SMALL_STACK - XFREE(decoded, NULL, DYNAMIC_TYPE_DER); -#endif - - return ret; -} - - -WOLFSSL_BIGNUM* wolfSSL_BN_dup(const WOLFSSL_BIGNUM* bn) -{ - WOLFSSL_BIGNUM* ret; - - WOLFSSL_MSG("wolfSSL_BN_dup"); - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return NULL; - } - - ret = wolfSSL_BN_new(); - if (ret == NULL) { - WOLFSSL_MSG("bn new error"); - return NULL; - } - - if (mp_copy((mp_int*)bn->internal, (mp_int*)ret->internal) != MP_OKAY) { - WOLFSSL_MSG("mp_copy error"); - wolfSSL_BN_free(ret); - return NULL; - } - - ret->neg = bn->neg; - - return ret; -} - - -WOLFSSL_BIGNUM* wolfSSL_BN_copy(WOLFSSL_BIGNUM* r, const WOLFSSL_BIGNUM* bn) -{ - WOLFSSL_MSG("wolfSSL_BN_copy"); - - if (r == NULL || bn == NULL) { - WOLFSSL_MSG("r or bn NULL error"); - return NULL; - } - - if (mp_copy((mp_int*)bn->internal, (mp_int*)r->internal) != MP_OKAY) { - WOLFSSL_MSG("mp_copy error"); - return NULL; - } - - r->neg = bn->neg; - - return r; -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 else - */ -int wolfSSL_BN_set_word(WOLFSSL_BIGNUM* bn, WOLFSSL_BN_ULONG w) -{ - WOLFSSL_MSG("wolfSSL_BN_set_word"); - - if (bn == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FAILURE; - } - - if (mp_set_int((mp_int*)bn->internal, w) != MP_OKAY) { - WOLFSSL_MSG("mp_init_set_int error"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - - -/* Returns the big number as an unsigned long if possible. - * - * bn big number structure to get value from - * - * Returns value or 0xFFFFFFFFL if bigger than unsigned long. - */ -unsigned long wolfSSL_BN_get_word(const WOLFSSL_BIGNUM* bn) -{ - mp_int* mp; - - WOLFSSL_MSG("wolfSSL_BN_get_word"); - - if (bn == NULL) { - WOLFSSL_MSG("Invalid argument"); - return 0; - } - - if (wolfSSL_BN_num_bytes(bn) > (int)sizeof(unsigned long)) { - WOLFSSL_MSG("bignum is larger than unsigned long"); - return 0xFFFFFFFFL; - } - mp = (mp_int*)bn->internal; - - return (unsigned long)(mp->dp[0]); -} - -/* return code compliant with OpenSSL : - * number length in decimal if success, 0 if error - */ -#ifndef NO_WOLFSSL_STUB -int wolfSSL_BN_dec2bn(WOLFSSL_BIGNUM** bn, const char* str) -{ - (void)bn; - (void)str; - - WOLFSSL_MSG("wolfSSL_BN_dec2bn"); - WOLFSSL_STUB("BN_dec2bn"); - return SSL_FAILURE; -} -#endif - -#if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) -char *wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM *bn) -{ - int len = 0; - char *buf; - - WOLFSSL_MSG("wolfSSL_BN_bn2dec"); - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return NULL; - } - - if (mp_radix_size((mp_int*)bn->internal, MP_RADIX_DEC, &len) != MP_OKAY) { - WOLFSSL_MSG("mp_radix_size failure"); - return NULL; - } - - buf = (char*) XMALLOC(len, NULL, DYNAMIC_TYPE_OPENSSL); - if (buf == NULL) { - WOLFSSL_MSG("BN_bn2dec malloc buffer failure"); - return NULL; - } - - if (mp_todecimal((mp_int*)bn->internal, buf) != MP_OKAY) { - XFREE(buf, NULL, DYNAMIC_TYPE_ECC); - return NULL; - } - - return buf; -} -#else -char* wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM* bn) -{ - (void)bn; - - WOLFSSL_MSG("wolfSSL_BN_bn2dec"); - - return NULL; -} -#endif /* defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) */ - -/* return code compliant with OpenSSL : - * 1 if success, 0 else - */ -int wolfSSL_BN_lshift(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *bn, int n) -{ - WOLFSSL_MSG("wolfSSL_BN_lshift"); - - if (r == NULL || r->internal == NULL || bn == NULL || bn->internal == NULL){ - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FAILURE; - } - - if (mp_mul_2d((mp_int*)bn->internal, n, (mp_int*)r->internal) != MP_OKAY) { - WOLFSSL_MSG("mp_mul_2d error"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 else - */ -int wolfSSL_BN_rshift(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *bn, int n) -{ - WOLFSSL_MSG("wolfSSL_BN_rshift"); - - if (r == NULL || r->internal == NULL || bn == NULL || bn->internal == NULL){ - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FAILURE; - } - - if (mp_div_2d((mp_int*)bn->internal, n, - (mp_int*)r->internal, NULL) != MP_OKAY) { - WOLFSSL_MSG("mp_mul_2d error"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 else - */ -int wolfSSL_BN_add_word(WOLFSSL_BIGNUM *bn, WOLFSSL_BN_ULONG w) -{ - WOLFSSL_MSG("wolfSSL_BN_add_word"); - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FAILURE; - } - - if (mp_add_d((mp_int*)bn->internal, w, (mp_int*)bn->internal) != MP_OKAY) { - WOLFSSL_MSG("mp_add_d error"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -/* return code compliant with OpenSSL : - * 1 if success, 0 else - */ -int wolfSSL_BN_add(WOLFSSL_BIGNUM *r, WOLFSSL_BIGNUM *a, WOLFSSL_BIGNUM *b) -{ - WOLFSSL_MSG("wolfSSL_BN_add"); - - if (r == NULL || r->internal == NULL || a == NULL || a->internal == NULL || - b == NULL || b->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FAILURE; - } - - if (mp_add((mp_int*)a->internal, (mp_int*)b->internal, - (mp_int*)r->internal) != MP_OKAY) { - WOLFSSL_MSG("mp_add_d error"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -/* r = a + b (mod m) */ -int wolfSSL_BN_mod_add(WOLFSSL_BIGNUM *r, const WOLFSSL_BIGNUM *a, - const WOLFSSL_BIGNUM *b, const WOLFSSL_BIGNUM *m, - WOLFSSL_BN_CTX *ctx) -{ - (void)ctx; - WOLFSSL_MSG("wolfSSL_BN_add"); - - if (r == NULL || r->internal == NULL || - a == NULL || a->internal == NULL || - b == NULL || b->internal == NULL || - m == NULL || m->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FAILURE; - } - - if (mp_addmod((mp_int*)a->internal, (mp_int*)b->internal, - (mp_int*)m->internal, (mp_int*)r->internal) != MP_OKAY) { - WOLFSSL_MSG("mp_add_d error"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -#ifdef WOLFSSL_KEY_GEN - -/* return code compliant with OpenSSL : - * 1 if prime, 0 if not, -1 if error - */ -int wolfSSL_BN_is_prime_ex(const WOLFSSL_BIGNUM *bn, int nbchecks, - WOLFSSL_BN_CTX *ctx, WOLFSSL_BN_GENCB *cb) -{ - WC_RNG* rng = NULL; -#ifdef WOLFSSL_SMALL_STACK - WC_RNG* tmpRNG = NULL; -#else - WC_RNG tmpRNG[1]; -#endif - int initTmpRng = 0; - int res = MP_NO; - - (void)ctx; - (void)cb; - - WOLFSSL_MSG("wolfSSL_BN_is_prime_ex"); - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FATAL_ERROR; - } - -#ifdef WOLFSSL_SMALL_STACK - tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (tmpRNG == NULL) - return WOLFSSL_FAILURE; -#endif - if (wc_InitRng(tmpRNG) == 0) { - rng = tmpRNG; - initTmpRng = 1; - } - else { - WOLFSSL_MSG("Bad RNG Init, trying global"); - if (initGlobalRNG == 0) { - WOLFSSL_MSG("Global RNG no Init"); - } - else - rng = &globalRNG; - } - - if (rng) { - if (mp_prime_is_prime_ex((mp_int*)bn->internal, - nbchecks, &res, rng) != MP_OKAY) { - WOLFSSL_MSG("mp_prime_is_prime_ex error"); - res = MP_NO; - } - } - - if (initTmpRng) - wc_FreeRng(tmpRNG); -#ifdef WOLFSSL_SMALL_STACK - XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); -#endif - - if (res != MP_YES) { - WOLFSSL_MSG("mp_prime_is_prime_ex not prime"); - return WOLFSSL_FAILURE; - } - - return WOLFSSL_SUCCESS; -} - -/* return code compliant with OpenSSL : - * (bn mod w) if success, -1 if error - */ -WOLFSSL_BN_ULONG wolfSSL_BN_mod_word(const WOLFSSL_BIGNUM *bn, - WOLFSSL_BN_ULONG w) -{ - WOLFSSL_BN_ULONG ret = 0; - - WOLFSSL_MSG("wolfSSL_BN_mod_word"); - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return (WOLFSSL_BN_ULONG)WOLFSSL_FATAL_ERROR; - } - - if (mp_mod_d((mp_int*)bn->internal, w, &ret) != MP_OKAY) { - WOLFSSL_MSG("mp_add_d error"); - return (WOLFSSL_BN_ULONG)WOLFSSL_FATAL_ERROR; - } - - return ret; -} -#endif /* #ifdef WOLFSSL_KEY_GEN */ - -char *wolfSSL_BN_bn2hex(const WOLFSSL_BIGNUM *bn) -{ - int len = 0; - char *buf; - - WOLFSSL_ENTER("wolfSSL_BN_bn2hex"); - - if (bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return NULL; - } - - if (mp_radix_size((mp_int*)bn->internal, MP_RADIX_HEX, &len) != MP_OKAY) { - WOLFSSL_MSG("mp_radix_size failure"); - return NULL; - } - len += 1; /* add one for null terminator */ - - buf = (char*)XMALLOC(len, NULL, DYNAMIC_TYPE_OPENSSL); - if (buf == NULL) { - WOLFSSL_MSG("BN_bn2hex malloc buffer failure"); - return NULL; - } - - if (mp_tohex((mp_int*)bn->internal, buf) != MP_OKAY) { - XFREE(buf, NULL, DYNAMIC_TYPE_OPENSSL); - return NULL; - } - - return buf; -} - -#ifndef NO_FILESYSTEM -/* return code compliant with OpenSSL : - * 1 if success, 0 if error - */ -int wolfSSL_BN_print_fp(XFILE fp, const WOLFSSL_BIGNUM *bn) -{ - char *buf; - - WOLFSSL_ENTER("wolfSSL_BN_print_fp"); - - if (fp == XBADFILE || bn == NULL || bn->internal == NULL) { - WOLFSSL_MSG("bn NULL error"); - return WOLFSSL_FAILURE; - } - - buf = wolfSSL_BN_bn2hex(bn); - if (buf == NULL) { - WOLFSSL_MSG("wolfSSL_BN_bn2hex failure"); - return WOLFSSL_FAILURE; - } - - fprintf(fp, "%s", buf); - XFREE(buf, NULL, DYNAMIC_TYPE_OPENSSL); - - return WOLFSSL_SUCCESS; -} -#endif /* !NO_FILESYSTEM */ - - -WOLFSSL_BIGNUM *wolfSSL_BN_CTX_get(WOLFSSL_BN_CTX *ctx) -{ - /* ctx is not used, return new Bignum */ - (void)ctx; - - WOLFSSL_ENTER("wolfSSL_BN_CTX_get"); - - return wolfSSL_BN_new(); -} - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_BN_CTX_start(WOLFSSL_BN_CTX *ctx) -{ - (void)ctx; - - WOLFSSL_ENTER("wolfSSL_BN_CTX_start"); - WOLFSSL_STUB("BN_CTX_start"); - WOLFSSL_MSG("wolfSSL_BN_CTX_start TBD"); -} -#endif - - -WOLFSSL_BIGNUM *wolfSSL_BN_mod_inverse(WOLFSSL_BIGNUM *r, - WOLFSSL_BIGNUM *a, - const WOLFSSL_BIGNUM *n, - WOLFSSL_BN_CTX *ctx) -{ - int dynamic = 0; - - /* ctx is not used */ - (void)ctx; - - WOLFSSL_ENTER("wolfSSL_BN_mod_inverse"); - - /* check parameter */ - if (r == NULL) { - r = wolfSSL_BN_new(); - if (r == NULL){ - WOLFSSL_MSG("WolfSSL_BN_new() failed"); - return NULL; - } - dynamic = 1; - } - - if (a == NULL) { - WOLFSSL_MSG("a NULL error"); - if (dynamic == 1) { - wolfSSL_BN_free(r); - } - return NULL; - } - - if (n == NULL) { - WOLFSSL_MSG("n NULL error"); - if (dynamic == 1) { - wolfSSL_BN_free(r); - } - return NULL; - } - - /* Compute inverse of a modulo n and return r */ - if (mp_invmod((mp_int *)a->internal,(mp_int *)n->internal, - (mp_int*)r->internal) == MP_VAL){ - WOLFSSL_MSG("mp_invmod() error"); - if (dynamic == 1) { - wolfSSL_BN_free(r); - } - return NULL; - } - - return r; -} -#endif /* OPENSSL_EXTRA */ -#if (defined(WOLFSSL_QT) || defined(OPENSSL_ALL)) && !defined(NO_ASN) -static int unprintable_char(char c) -{ - const unsigned char last_unprintable = 31; - const unsigned char LF = 10; - const unsigned char CR = 13; - - if (c <= last_unprintable && c != LF && c != CR) { - return 1; - } - return 0; -} - -int wolfSSL_ASN1_STRING_print(WOLFSSL_BIO *out, WOLFSSL_ASN1_STRING *str) -{ - int i; - - WOLFSSL_ENTER("wolfSSL_ASN1_STRING_print"); - if (out == NULL || str == NULL) - return WOLFSSL_FAILURE; - - for (i=0; i < str->length; i++) { - if (unprintable_char(str->data[i])) { - str->data[i] = '.'; - } - } - - if (wolfSSL_BIO_write(out, str->data, str->length) != str->length){ - return WOLFSSL_FAILURE; - } - - return str->length; -} -#endif /* (WOLFSSL_QT || OPENSSL_ALL) && !NO_ASN */ - -#if defined(OPENSSL_EXTRA) -int wolfSSL_X509_check_ca(WOLFSSL_X509 *x509) -{ - WOLFSSL_ENTER("X509_check_ca"); - - if (x509 == NULL) - return WOLFSSL_FAILURE; - if (x509->isCa) - return 1; - if (x509->extKeyUsageCrit) - return 4; - - return 0; -} - - -const char *wolfSSL_ASN1_tag2str(int tag) -{ - static const char *const tag_label[31] = { - "EOC", "BOOLEAN", "INTEGER", "BIT STRING", "OCTET STRING", "NULL", - "OBJECT", "OBJECT DESCRIPTOR", "EXTERNAL", "REAL", "ENUMERATED", - "<ASN1 11>", "UTF8STRING", "<ASN1 13>", "<ASN1 14>", "<ASN1 15>", - "SEQUENCE", "SET", "NUMERICSTRING", "PRINTABLESTRING", "T61STRING", - "VIDEOTEXTSTRING", "IA5STRING", "UTCTIME", "GENERALIZEDTIME", - "GRAPHICSTRING", "VISIBLESTRING", "GENERALSTRING", "UNIVERSALSTRING", - "<ASN1 29>", "BMPSTRING" - }; - - if ((tag == V_ASN1_NEG_INTEGER) || (tag == V_ASN1_NEG_ENUMERATED)) - tag &= ~0x100; - if (tag < 0 || tag > 30) - return "(unknown)"; - return tag_label[tag]; -} - -static int check_esc_char(char c, char *esc) -{ - char *ptr; - - ptr = esc; - while(*ptr != 0){ - if (c == *ptr) - return 1; - ptr++; - } - return 0; -} - -int wolfSSL_ASN1_STRING_print_ex(WOLFSSL_BIO *out, WOLFSSL_ASN1_STRING *str, - unsigned long flags) -{ - size_t str_len = 0, type_len = 0; - unsigned char *typebuf = NULL; - const char *hash="#"; - - WOLFSSL_ENTER("wolfSSL_ASN1_STRING_PRINT_ex"); - if (out == NULL || str == NULL) - return WOLFSSL_FAILURE; - - /* add ASN1 type tag */ - if (flags & ASN1_STRFLGS_SHOW_TYPE){ - const char *tag = wolfSSL_ASN1_tag2str(str->type); - /* colon len + tag len + null*/ - type_len = XSTRLEN(tag) + 2; - typebuf = (unsigned char *)XMALLOC(type_len , NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (typebuf == NULL){ - WOLFSSL_MSG("memory alloc failed."); - return WOLFSSL_FAILURE; - } - XMEMSET(typebuf, 0, type_len); - XSNPRINTF((char*)typebuf, (size_t)type_len , "%s:", tag); - type_len--; - } - - /* dump hex */ - if (flags & ASN1_STRFLGS_DUMP_ALL){ - static const char hex_char[] = { '0', '1', '2', '3', '4', '5', '6', - '7','8', '9', 'A', 'B', 'C', 'D', - 'E', 'F' }; - char hex_tmp[4]; - char *str_ptr, *str_end; - - if (type_len > 0){ - if (wolfSSL_BIO_write(out, typebuf, (int)type_len) != (int)type_len){ - XFREE(typebuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - str_len += type_len; - } - if (wolfSSL_BIO_write(out, hash, 1) != 1){ - goto err_exit; - } - str_len++; - if (flags & ASN1_STRFLGS_DUMP_DER){ - hex_tmp[0] = hex_char[str->type >> 4]; - hex_tmp[1] = hex_char[str->type & 0xf]; - hex_tmp[2] = hex_char[str->length >> 4]; - hex_tmp[3] = hex_char[str->length & 0xf]; - if (wolfSSL_BIO_write(out, hex_tmp, 4) != 4){ - goto err_exit; - } - str_len += 4; - XMEMSET(hex_tmp, 0, 4); - } - - str_ptr = str->data; - str_end = str->data + str->length; - while (str_ptr < str_end){ - hex_tmp[0] = hex_char[*str_ptr >> 4]; - hex_tmp[1] = hex_char[*str_ptr & 0xf]; - if (wolfSSL_BIO_write(out, hex_tmp, 2) != 2){ - goto err_exit; - } - str_ptr++; - str_len += 2; - } - if (type_len > 0) - XFREE(typebuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - return (int)str_len; - } - - if (type_len > 0){ - if (wolfSSL_BIO_write(out, typebuf, (int)type_len) != (int)type_len){ - XFREE(typebuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; - } - str_len += type_len; - } - - if (flags & ASN1_STRFLGS_ESC_2253){ - char esc_ch[] = "+;<>\\"; - char* esc_ptr; - - esc_ptr = str->data; - while (*esc_ptr != 0){ - if (check_esc_char(*esc_ptr, esc_ch)){ - if (wolfSSL_BIO_write(out,"\\", 1) != 1) - goto err_exit; - str_len++; - } - if (wolfSSL_BIO_write(out, esc_ptr, 1) != 1) - goto err_exit; - str_len++; - esc_ptr++; - } - if (type_len > 0) - XFREE(typebuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return (int)str_len; - } - - if (wolfSSL_BIO_write(out, str->data, str->length) != str->length){ - goto err_exit; - } - str_len += str->length; - if (type_len > 0) - XFREE(typebuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - return (int)str_len; - -err_exit: - if (type_len > 0) - XFREE(typebuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return WOLFSSL_FAILURE; -} - -#if !defined(NO_ASN_TIME) && !defined(USER_TIME) && !defined(TIME_OVERRIDES) -WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_new(void) -{ - WOLFSSL_ASN1_TIME* ret = (WOLFSSL_ASN1_TIME*) - XMALLOC(sizeof(WOLFSSL_ASN1_TIME), NULL, DYNAMIC_TYPE_OPENSSL); - if (!ret) - return NULL; - XMEMSET(ret, 0, sizeof(WOLFSSL_ASN1_TIME)); - return ret; -} - -void wolfSSL_ASN1_TIME_free(WOLFSSL_ASN1_TIME* t) -{ - if (t) { - XFREE(t, NULL, DYNAMIC_TYPE_OPENSSL); - } -} - -WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_adj(WOLFSSL_ASN1_TIME *s, time_t t, - int offset_day, long offset_sec) -{ - const time_t sec_per_day = 24*60*60; - struct tm* ts = NULL; - struct tm* tmpTime; - time_t t_adj = 0; - time_t offset_day_sec = 0; -#if defined(NEED_TMP_TIME) - struct tm tmpTimeStorage; - - tmpTime = &tmpTimeStorage; -#else - tmpTime = NULL; -#endif - (void)tmpTime; - - WOLFSSL_ENTER("wolfSSL_ASN1_TIME_adj"); - - if (s == NULL){ - s = wolfSSL_ASN1_TIME_new(); - if (s == NULL){ - return NULL; - } - } - - /* compute GMT time with offset */ - offset_day_sec = offset_day * sec_per_day; - t_adj = t + offset_day_sec + offset_sec; - ts = (struct tm *)XGMTIME(&t_adj, tmpTime); - if (ts == NULL){ - WOLFSSL_MSG("failed to get time data."); - XFREE(s, NULL, DYNAMIC_TYPE_OPENSSL); - return NULL; - } - - /* create ASN1 time notation */ - /* UTC Time */ - if (ts->tm_year >= 50 && ts->tm_year < 150){ - char utc_str[ASN_UTC_TIME_SIZE]; - int utc_year = 0,utc_mon,utc_day,utc_hour,utc_min,utc_sec; - - s->type = V_ASN1_UTCTIME; - s->length = ASN_UTC_TIME_SIZE; - - if (ts->tm_year >= 50 && ts->tm_year < 100){ - utc_year = ts->tm_year; - } else if (ts->tm_year >= 100 && ts->tm_year < 150){ - utc_year = ts->tm_year - 100; - } - utc_mon = ts->tm_mon + 1; - utc_day = ts->tm_mday; - utc_hour = ts->tm_hour; - utc_min = ts->tm_min; - utc_sec = ts->tm_sec; - XSNPRINTF((char *)utc_str, sizeof(utc_str), - "%02d%02d%02d%02d%02d%02dZ", - utc_year, utc_mon, utc_day, utc_hour, utc_min, utc_sec); - XMEMCPY(s->data, (byte *)utc_str, s->length); - /* GeneralizedTime */ - } else { - char gt_str[ASN_GENERALIZED_TIME_MAX]; - int gt_year,gt_mon,gt_day,gt_hour,gt_min,gt_sec; - - s->type = V_ASN1_GENERALIZEDTIME; - s->length = ASN_GENERALIZED_TIME_SIZE; - - gt_year = ts->tm_year + 1900; - gt_mon = ts->tm_mon + 1; - gt_day = ts->tm_mday; - gt_hour = ts->tm_hour; - gt_min = ts->tm_min; - gt_sec = ts->tm_sec; - XSNPRINTF((char *)gt_str, sizeof(gt_str), - "%4d%02d%02d%02d%02d%02dZ", - gt_year, gt_mon, gt_day, gt_hour, gt_min,gt_sec); - XMEMCPY(s->data, (byte *)gt_str, s->length); - } - - return s; -} -#endif /* !NO_ASN_TIME && !USER_TIME && !TIME_OVERRIDES */ - -#ifndef NO_ASN_TIME -/* not a compatibility function - length getter for opaque type */ -int wolfSSL_ASN1_TIME_get_length(WOLFSSL_ASN1_TIME *t) -{ - WOLFSSL_ENTER("wolfSSL_ASN1_TIME_get_length"); - if (t == NULL) - return WOLFSSL_FAILURE; - return t->length; -} -/* not a compatibility function - data getter for opaque type */ -unsigned char* wolfSSL_ASN1_TIME_get_data(WOLFSSL_ASN1_TIME *t) -{ - WOLFSSL_ENTER("wolfSSL_ASN1_TIME_get_data"); - if (t == NULL) - return NULL; - return t->data; -} - -WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_to_generalizedtime(WOLFSSL_ASN1_TIME *t, - WOLFSSL_ASN1_TIME **out) -{ - int time_type = 0; - WOLFSSL_ASN1_TIME *ret = NULL; - - WOLFSSL_ENTER("wolfSSL_ASN1_TIME_to_generalizedtime"); - if (t == NULL) { - WOLFSSL_MSG("Invalid ASN_TIME value"); - } else { - time_type = t->type; - if (time_type != ASN_UTC_TIME && time_type != ASN_GENERALIZED_TIME){ - WOLFSSL_MSG("Invalid ASN_TIME type."); - } else { - if (out == NULL || *out == NULL) { - ret = wolfSSL_ASN1_TIME_new(); - if (ret == NULL){ - WOLFSSL_MSG("memory alloc failed."); - } - } else { - ret = *out; - } - } - } - - if (ret != NULL) { - if (time_type == ASN_GENERALIZED_TIME){ - XMEMCPY(ret->data, t->data, ASN_GENERALIZED_TIME_SIZE); - } else { /* ASN_UTC_TIME */ - /* convert UTC to generalized time */ - ret->type = ASN_GENERALIZED_TIME; - ret->length = ASN_GENERALIZED_TIME_SIZE; - if (t->data[0] >= '5') { - ret->data[0] = '1'; ret->data[1] = '9'; - } else { - ret->data[0] = '2'; ret->data[1] = '0'; - } - XMEMCPY(&ret->data[2], t->data, ASN_UTC_TIME_SIZE); - } - } - - return ret; -} -#endif /* !NO_ASN_TIME */ - -#ifndef NO_ASN -int wolfSSL_i2c_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER *a, unsigned char **pp) -{ - unsigned char *pptr = NULL; - char pad = 0 ; - unsigned char pad_val = 0; - int ret_size = 0; - unsigned char data1 = 0; - unsigned char neg = 0; - int i = 0; - - WOLFSSL_ENTER("wolfSSL_i2c_ASN1_INTEGER"); - if (a == NULL) - return WOLFSSL_FAILURE; - - ret_size = a->intData[1]; - if (ret_size == 0) - ret_size = 1; - else{ - ret_size = (int)a->intData[1]; - neg = a->negative; - data1 = a->intData[2]; - if (ret_size == 1 && data1 == 0) - neg = 0; - /* 0x80 or greater positive number in first byte */ - if (!neg && (data1 > 127)){ - pad = 1; - pad_val = 0; - } else if (neg){ - /* negative number */ - if (data1 > 128){ - pad = 1; - pad_val = 0xff; - } else if (data1 == 128){ - for (i = 3; i < a->intData[1] + 2; i++){ - if (a->intData[i]){ - pad = 1; - pad_val = 0xff; - break; - } - } - } - } - ret_size += (int)pad; - } - if (pp == NULL) - return ret_size; - - pptr = *pp; - if (pad) - *(pptr++) = pad_val; - if (a->intData[1] == 0) - *(pptr++) = 0; - else if (!neg){ - /* positive number */ - for (i=0; i < a->intData[1]; i++){ - *pptr = a->intData[i+2]; - pptr++; - } - } else { - /* negative number */ - int str_len = 0; - - /* 0 padding from end of buffer */ - str_len = (int)a->intData[1]; - pptr += a->intData[1] - 1; - while (!a->intData[str_len + 2] && str_len > 1){ - *(pptr--) = 0; - str_len--; - } - /* 2's complement next octet */ - *(pptr--) = ((a->intData[str_len + 1]) ^ 0xff) + 1; - str_len--; - /* Complement any octets left */ - while (str_len > 0){ - *(pptr--) = a->intData[str_len + 1] ^ 0xff; - str_len--; - } - } - *pp += ret_size; - return ret_size; -} -#endif /* !NO_ASN */ - - -#ifndef NO_CERTS -int wolfSSL_X509_CA_num(WOLFSSL_X509_STORE* store) -{ - int i = 0; - int cnt_ret = 0; - Signer **table; - - WOLFSSL_ENTER("wolfSSL_X509_CA_num"); - if (store == NULL || store->cm == NULL){ - WOLFSSL_MSG("invalid parameter"); - return WOLFSSL_FAILURE; - } - - table = store->cm->caTable; - if (table){ - if (wc_LockMutex(&store->cm->caLock) == 0){ - for (i = 0; i < CA_TABLE_SIZE; i++) { - Signer* signer = table[i]; - while (signer) { - Signer* next = signer->next; - cnt_ret++; - signer = next; - } - } - wc_UnLockMutex(&store->cm->caLock); - } - } - - return cnt_ret; -} -#endif /* !NO_CERTS */ - -long wolfSSL_X509_get_version(const WOLFSSL_X509 *x509) -{ - int version = 0; - - WOLFSSL_ENTER("wolfSSL_X509_get_version"); - - if (x509 == NULL){ - WOLFSSL_MSG("invalid parameter"); - return 0L; - } - version = x509->version; - if (version != 0) - return (long)version - 1L; - - return 0L; -} - - -int wolfSSL_X509_get_signature_nid(const WOLFSSL_X509 *x) -{ - if (x == NULL) - return 0; - - return oid2nid(x->sigOID, oidSigType); -} -#endif /* OPENSSL_EXTRA */ - -#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) -/* return compliant with OpenSSL - * RSA modulus size in bytes, -1 if error - */ -int wolfSSL_RSA_size(const WOLFSSL_RSA* rsa) -{ - WOLFSSL_ENTER("wolfSSL_RSA_size"); - - if (rsa == NULL) - return WOLFSSL_FATAL_ERROR; - if (rsa->inSet == 0) - { - if (SetRsaInternal((WOLFSSL_RSA*)rsa) != SSL_SUCCESS) { - WOLFSSL_MSG("SetRsaInternal failed"); - return 0; - } - } - return wc_RsaEncryptSize((RsaKey*)rsa->internal); -} -#endif - -#if !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) && \ - !defined(NO_RSA) && (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) -/* WolfSSL -> OpenSSL */ -int SetRsaExternal(WOLFSSL_RSA* rsa) -{ - RsaKey* key; - WOLFSSL_MSG("Entering SetRsaExternal"); - - if (rsa == NULL || rsa->internal == NULL) { - WOLFSSL_MSG("rsa key NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - key = (RsaKey*)rsa->internal; - - if (SetIndividualExternal(&rsa->n, &key->n) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa n key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&rsa->e, &key->e) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa e key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (key->type == RSA_PRIVATE) { - if (SetIndividualExternal(&rsa->d, &key->d) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa d key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&rsa->p, &key->p) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa p key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&rsa->q, &key->q) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa q key error"); - return WOLFSSL_FATAL_ERROR; - } - - #ifndef RSA_LOW_MEM - if (SetIndividualExternal(&rsa->dmp1, &key->dP) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa dP key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&rsa->dmq1, &key->dQ) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa dQ key error"); - return WOLFSSL_FATAL_ERROR; - } - - if (SetIndividualExternal(&rsa->iqmp, &key->u) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("rsa u key error"); - return WOLFSSL_FATAL_ERROR; - } - #endif /* !RSA_LOW_MEM */ - } - rsa->exSet = 1; - - return WOLFSSL_SUCCESS; -} -#endif -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) -/* when calling SetIndividualExternal, mpi should be cleared by caller if no - * longer used. ie mp_free(mpi). This is to free data when fastmath is - * disabled since a copy of mpi is made by this function and placed into bn. - */ -int SetIndividualExternal(WOLFSSL_BIGNUM** bn, mp_int* mpi) -{ - byte dynamic = 0; - - WOLFSSL_MSG("Entering SetIndividualExternal"); - - if (mpi == NULL || bn == NULL) { - WOLFSSL_MSG("mpi NULL error"); - return WOLFSSL_FATAL_ERROR; - } - - if (*bn == NULL) { - *bn = wolfSSL_BN_new(); - if (*bn == NULL) { - WOLFSSL_MSG("SetIndividualExternal alloc failed"); - return WOLFSSL_FATAL_ERROR; - } - dynamic = 1; - } - - if (mp_copy(mpi, (mp_int*)((*bn)->internal)) != MP_OKAY) { - WOLFSSL_MSG("mp_copy error"); - if (dynamic == 1) { - wolfSSL_BN_free(*bn); - } - return WOLFSSL_FATAL_ERROR; - } - - return WOLFSSL_SUCCESS; -} - - -static void InitwolfSSL_BigNum(WOLFSSL_BIGNUM* bn) -{ - if (bn) { - XMEMSET(bn, 0, sizeof(WOLFSSL_BIGNUM)); - bn->neg = 0; - bn->internal = NULL; - } -} - - -WOLFSSL_BIGNUM* wolfSSL_BN_new(void) -{ - WOLFSSL_BIGNUM* external; - mp_int* mpi; - - WOLFSSL_MSG("wolfSSL_BN_new"); - -#if !defined(USE_FAST_MATH) || defined(HAVE_WOLF_BIGINT) - mpi = (mp_int*) XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); - if (mpi == NULL) { - WOLFSSL_MSG("wolfSSL_BN_new malloc mpi failure"); - return NULL; - } -#endif - - external = (WOLFSSL_BIGNUM*) XMALLOC(sizeof(WOLFSSL_BIGNUM), NULL, - DYNAMIC_TYPE_BIGINT); - if (external == NULL) { - WOLFSSL_MSG("wolfSSL_BN_new malloc WOLFSSL_BIGNUM failure"); -#if !defined(USE_FAST_MATH) || defined(HAVE_WOLF_BIGINT) - XFREE(mpi, NULL, DYNAMIC_TYPE_BIGINT); -#endif - return NULL; - } - -#if defined(USE_FAST_MATH) && !defined(HAVE_WOLF_BIGINT) - mpi = &external->fp; -#endif - - InitwolfSSL_BigNum(external); - if (mp_init(mpi) != MP_OKAY) { - wolfSSL_BN_free(external); - return NULL; - } - external->internal = mpi; - - return external; -} - - -#if defined(USE_FAST_MATH) && !defined(HAVE_WOLF_BIGINT) -/* This function works without BN_free only with TFM */ -void wolfSSL_BN_init(WOLFSSL_BIGNUM* bn) -{ - if(bn == NULL)return; - WOLFSSL_MSG("wolfSSL_BN_init"); - InitwolfSSL_BigNum(bn); - if (mp_init(&bn->fp) != MP_OKAY) - return; - bn->internal = (void *)&bn->fp; -} -#endif - -void wolfSSL_BN_free(WOLFSSL_BIGNUM* bn) -{ - WOLFSSL_MSG("wolfSSL_BN_free"); - if (bn) { - if (bn->internal) { - mp_int* bni = (mp_int*)bn->internal; - mp_free(bni); -#if !defined(USE_FAST_MATH) || defined(HAVE_WOLF_BIGINT) - XFREE(bn->internal, NULL, DYNAMIC_TYPE_BIGINT); -#endif - bn->internal = NULL; - } - XFREE(bn, NULL, DYNAMIC_TYPE_BIGINT); - /* bn = NULL, don't try to access or double free it */ - } -} - -void wolfSSL_BN_clear_free(WOLFSSL_BIGNUM* bn) -{ - WOLFSSL_MSG("wolfSSL_BN_clear_free"); - if (bn) { - if (bn->internal) { - mp_int* bni = (mp_int*)bn->internal; - mp_forcezero(bni); - } - wolfSSL_BN_free(bn); - } -} - -void wolfSSL_BN_clear(WOLFSSL_BIGNUM* bn) -{ - WOLFSSL_MSG("wolfSSL_BN_clear"); - if (bn && bn->internal) { - mp_forcezero((mp_int*)bn->internal); - } -} -#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ - -#if !defined(NO_RSA) && (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) -static void InitwolfSSL_Rsa(WOLFSSL_RSA* rsa) -{ - if (rsa) { - XMEMSET(rsa, 0, sizeof(WOLFSSL_RSA)); - } -} - - -void wolfSSL_RSA_free(WOLFSSL_RSA* rsa) -{ - WOLFSSL_ENTER("wolfSSL_RSA_free"); - - if (rsa) { -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) - int doFree = 0; - if (wc_LockMutex(&rsa->refMutex) != 0) { - WOLFSSL_MSG("Couldn't lock rsa mutex"); - } - - /* only free if all references to it are done */ - rsa->refCount--; - if (rsa->refCount == 0) { - doFree = 1; - } - wc_UnLockMutex(&rsa->refMutex); - - if (!doFree) { - return; - } - - wc_FreeMutex(&rsa->refMutex); -#endif - - if (rsa->internal) { -#if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && \ - !defined(HAVE_FAST_RSA) && defined(WC_RSA_BLINDING) - WC_RNG* rng; - - /* check if RNG is owned before freeing it */ - if (rsa->ownRng) { - rng = ((RsaKey*)rsa->internal)->rng; - if (rng != NULL && rng != &globalRNG) { - wc_FreeRng(rng); - XFREE(rng, NULL, DYNAMIC_TYPE_RNG); - } - } -#endif /* WC_RSA_BLINDING */ - wc_FreeRsaKey((RsaKey*)rsa->internal); - XFREE(rsa->internal, NULL, DYNAMIC_TYPE_RSA); - rsa->internal = NULL; - } - wolfSSL_BN_free(rsa->iqmp); - wolfSSL_BN_free(rsa->dmq1); - wolfSSL_BN_free(rsa->dmp1); - wolfSSL_BN_free(rsa->q); - wolfSSL_BN_free(rsa->p); - wolfSSL_BN_free(rsa->d); - wolfSSL_BN_free(rsa->e); - wolfSSL_BN_free(rsa->n); - - #ifdef WC_RSA_BLINDING - if (rsa->rng && wc_FreeRng(rsa->rng) != 0) { - WOLFSSL_MSG("Issue freeing rng"); - } - XFREE(rsa->rng, NULL, DYNAMIC_TYPE_RNG); - #endif - -#if defined(OPENSSL_EXTRA) && !defined(WOLFCRYPT_ONLY) - if (rsa->meth) { - wolfSSL_RSA_meth_free(rsa->meth); - } -#endif - - InitwolfSSL_Rsa(rsa); /* set back to NULLs for safety */ - - XFREE(rsa, NULL, DYNAMIC_TYPE_RSA); - - /* rsa = NULL, don't try to access or double free it */ - } -} - -WOLFSSL_RSA* wolfSSL_RSA_new(void) -{ - WOLFSSL_RSA* external; - RsaKey* key; - - WOLFSSL_ENTER("wolfSSL_RSA_new"); - - key = (RsaKey*) XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA); - if (key == NULL) { - WOLFSSL_MSG("wolfSSL_RSA_new malloc RsaKey failure"); - return NULL; - } - - external = (WOLFSSL_RSA*) XMALLOC(sizeof(WOLFSSL_RSA), NULL, - DYNAMIC_TYPE_RSA); - if (external == NULL) { - WOLFSSL_MSG("wolfSSL_RSA_new malloc WOLFSSL_RSA failure"); - XFREE(key, NULL, DYNAMIC_TYPE_RSA); - return NULL; - } - - InitwolfSSL_Rsa(external); - if (wc_InitRsaKey(key, NULL) != 0) { - WOLFSSL_MSG("InitRsaKey WOLFSSL_RSA failure"); - XFREE(external, NULL, DYNAMIC_TYPE_RSA); - XFREE(key, NULL, DYNAMIC_TYPE_RSA); - return NULL; - } - -#if !defined(HAVE_FIPS) && !defined(HAVE_USER_RSA) && \ - !defined(HAVE_FAST_RSA) && defined(WC_RSA_BLINDING) - { - WC_RNG* rng; - - rng = (WC_RNG*) XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (rng != NULL && wc_InitRng(rng) != 0) { - WOLFSSL_MSG("InitRng failure, attempting to use global RNG"); - XFREE(rng, NULL, DYNAMIC_TYPE_RNG); - rng = NULL; - } - - external->ownRng = 1; - if (rng == NULL && initGlobalRNG) { - external->ownRng = 0; - rng = &globalRNG; - } - - if (rng == NULL) { - WOLFSSL_MSG("wolfSSL_RSA_new no WC_RNG for blinding"); - XFREE(external, NULL, DYNAMIC_TYPE_RSA); - XFREE(key, NULL, DYNAMIC_TYPE_RSA); - return NULL; - } - - wc_RsaSetRNG(key, rng); - } -#else - XMEMSET(key, 0, sizeof(RsaKey)); -#endif /* WC_RSA_BLINDING */ - - external->internal = key; - external->inSet = 0; -#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) - external->refCount = 1; - wc_InitMutex(&external->refMutex); -#endif - return external; -} -#endif /* !NO_RSA && (OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) */ - -#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) -PKCS7* wolfSSL_PKCS7_new(void) -{ - WOLFSSL_PKCS7* pkcs7; - int ret = 0; - - pkcs7 = (WOLFSSL_PKCS7*)XMALLOC(sizeof(*pkcs7), NULL, DYNAMIC_TYPE_PKCS7); - if (pkcs7 != NULL) { - XMEMSET(pkcs7, 0, sizeof(*pkcs7)); - ret = wc_PKCS7_Init(&pkcs7->pkcs7, NULL, INVALID_DEVID); - } - - if (ret != 0 && pkcs7 != NULL) - XFREE(pkcs7, NULL, DYNAMIC_TYPE_PKCS7); - - return (PKCS7*)pkcs7; -} -/****************************************************************************** -* wolfSSL_PKCS7_SIGNED_new - allocates PKCS7 and initialize it for a signed data -* -* RETURNS: -* returns pointer to the PKCS7 structure on success, otherwise returns NULL -*/ -PKCS7_SIGNED* wolfSSL_PKCS7_SIGNED_new(void) -{ - byte signedData[]= { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02}; - PKCS7* pkcs7 = NULL; - - if ((pkcs7 = wolfSSL_PKCS7_new()) == NULL) - return NULL; - pkcs7->contentOID = SIGNED_DATA; - if ((wc_PKCS7_SetContentType(pkcs7, signedData, sizeof(signedData))) < 0) { - if (pkcs7) { - wolfSSL_PKCS7_free(pkcs7); - return NULL; - } - } - return pkcs7; -} - -void wolfSSL_PKCS7_free(PKCS7* pkcs7) -{ - WOLFSSL_PKCS7* p7 = (WOLFSSL_PKCS7*)pkcs7; - - if (p7 != NULL) { - if (p7->data != NULL) - XFREE(p7->data, NULL, DYNAMIC_TYPE_PKCS7); - wc_PKCS7_Free(&p7->pkcs7); - XFREE(p7, NULL, DYNAMIC_TYPE_PKCS7); - } -} -void wolfSSL_PKCS7_SIGNED_free(PKCS7_SIGNED* p7) -{ - wolfSSL_PKCS7_free(p7); - return; -} -PKCS7* wolfSSL_d2i_PKCS7(PKCS7** p7, const unsigned char** in, int len) -{ - WOLFSSL_PKCS7* pkcs7 = NULL; - word32 idx = 0; - - if (in == NULL) - return NULL; - - if ((pkcs7 = (WOLFSSL_PKCS7*)wolfSSL_PKCS7_new()) == NULL) - return NULL; - - if (GetSequence(*in, &idx, &pkcs7->len, len) < 0) { - wolfSSL_PKCS7_free((PKCS7*)pkcs7); - return NULL; - } - pkcs7->len += idx; - - pkcs7->data = (byte*)XMALLOC(pkcs7->len, NULL, DYNAMIC_TYPE_PKCS7); - if (pkcs7->data == NULL) { - wolfSSL_PKCS7_free((PKCS7*)pkcs7); - return NULL; - } - XMEMCPY(pkcs7->data, *in, pkcs7->len); - *in += pkcs7->len; - - if (p7 != NULL) - *p7 = (PKCS7*)pkcs7; - return (PKCS7*)pkcs7; -} - -PKCS7* wolfSSL_d2i_PKCS7_bio(WOLFSSL_BIO* bio, PKCS7** p7) -{ - WOLFSSL_PKCS7* pkcs7; - - if (bio == NULL) - return NULL; - - if ((pkcs7 = (WOLFSSL_PKCS7*)wolfSSL_PKCS7_new()) == NULL) - return NULL; - - pkcs7->len = wolfSSL_BIO_pending(bio); - pkcs7->data = (byte*)XMALLOC(pkcs7->len, NULL, DYNAMIC_TYPE_PKCS7); - if (pkcs7->data == NULL) { - wolfSSL_PKCS7_free((PKCS7*)pkcs7); - return NULL; - } - - if (wolfSSL_BIO_read(bio, pkcs7->data, pkcs7->len) != pkcs7->len) { - wolfSSL_PKCS7_free((PKCS7*)pkcs7); - return NULL; - } - - if (p7 != NULL) - *p7 = (PKCS7*)pkcs7; - return (PKCS7*)pkcs7; -} - -int wolfSSL_PKCS7_verify(PKCS7* pkcs7, WOLFSSL_STACK* certs, - WOLFSSL_X509_STORE* store, WOLFSSL_BIO* in, - WOLFSSL_BIO* out, int flags) -{ - int ret = 0; - unsigned char* mem = NULL; - int memSz = 0; - WOLFSSL_PKCS7* p7 = (WOLFSSL_PKCS7*)pkcs7; - - if (pkcs7 == NULL) - return WOLFSSL_FAILURE; - - if (in != NULL) { - if ((memSz = wolfSSL_BIO_get_mem_data(in, &mem)) < 0) - return WOLFSSL_FAILURE; - - p7->pkcs7.content = mem; - p7->pkcs7.contentSz = memSz; - } - - /* certs is the list of certificates to find the cert with issuer/serial. */ - (void)certs; - /* store is the certificate store to use to verify signer certificate - * associated with the signers. - */ - (void)store; - - ret = wc_PKCS7_VerifySignedData_ex(&p7->pkcs7, NULL, 0, p7->data, p7->len, - NULL, 0); - if (ret != 0) - return WOLFSSL_FAILURE; - - if ((flags & PKCS7_NOVERIFY) != PKCS7_NOVERIFY) { - /* All signer certificates are verified. */ - return WOLFSSL_FAILURE; - } - - if (out != NULL) - wolfSSL_BIO_write(out, p7->pkcs7.content, p7->pkcs7.contentSz); - - return WOLFSSL_SUCCESS; -} - -WOLFSSL_STACK* wolfSSL_PKCS7_get0_signers(PKCS7* pkcs7, WOLFSSL_STACK* certs, - int flags) -{ - WOLFSSL_STACK* signers = NULL; - WOLFSSL_PKCS7* p7 = (WOLFSSL_PKCS7*)pkcs7; - - if (p7 == NULL) - return NULL; - /* Only PKCS#7 messages with a single cert that is the verifying certificate - * is supported. - */ - if ((flags | PKCS7_NOINTERN) == PKCS7_NOINTERN) - return NULL; - - signers = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_X509); - if (signers == NULL) - return NULL; - - signers->num = 1; - signers->data.x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL, - DYNAMIC_TYPE_X509); - if (signers->data.x509 == NULL) { - XFREE(signers, NULL, DYNAMIC_TYPE_X509); - return NULL; - } - - if (DecodeToX509(signers->data.x509, p7->pkcs7.singleCert, - p7->pkcs7.singleCertSz) != 0) { - XFREE(signers->data.x509, NULL, DYNAMIC_TYPE_X509); - XFREE(signers, NULL, DYNAMIC_TYPE_X509); - return NULL; - } - - (void)certs; - - return signers; -} - -/****************************************************************************** -* wolfSSL_PEM_write_bio_PKCS7 - writes the PKCS7 data to BIO -* -* RETURNS: -* returns WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE -*/ - -int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) -{ -#ifdef WOLFSSL_SMALL_STACK - byte* outputHead; - byte* outputFoot; -#else - byte outputHead[2048]; - byte outputFoot[2048]; -#endif - word32 outputHeadSz = 2048; - word32 outputFootSz = 2048; - word32 outputSz = 0; - byte* output = NULL; - byte* pem = NULL; - int pemSz = -1; - enum wc_HashType hashType; - byte hashBuf[WC_MAX_DIGEST_SIZE]; - word32 hashSz = -1; - - WOLFSSL_ENTER("wolfSSL_PEM_write_bio_PKCS7()"); - - if (bio == NULL || p7 == NULL) - return WOLFSSL_FAILURE; - -#ifdef WOLFSSL_SMALL_STACK - outputHead = (byte*)XMALLOC(outputHeadSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (outputHead == NULL) - return MEMORY_E; - - outputFoot = (byte*)XMALLOC(outputFootSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (outputFoot == NULL) - goto error; - -#endif - - XMEMSET(hashBuf, 0, WC_MAX_DIGEST_SIZE); - XMEMSET(outputHead, 0, outputHeadSz); - XMEMSET(outputFoot, 0, outputFootSz); - - hashType = wc_OidGetHash(p7->hashOID); - hashSz = wc_HashGetDigestSize(hashType); - if (hashSz > WC_MAX_DIGEST_SIZE) - return WOLFSSL_FAILURE; - - /* only SIGNED_DATA is supported */ - switch (p7->contentOID) { - case SIGNED_DATA: - break; - default: - WOLFSSL_MSG("Unknown PKCS#7 Type"); - return WOLFSSL_FAILURE; - }; - - if ((wc_PKCS7_EncodeSignedData_ex(p7, hashBuf, hashSz, - outputHead, &outputHeadSz, outputFoot, &outputFootSz)) != 0) - return WOLFSSL_FAILURE; - - outputSz = outputHeadSz + p7->contentSz + outputFootSz; - output = (byte*)XMALLOC(outputSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - - if (!output) - return WOLFSSL_FAILURE; - - XMEMSET(output, 0, outputSz); - outputSz = 0; - XMEMCPY(&output[outputSz], outputHead, outputHeadSz); - outputSz += outputHeadSz; - XMEMCPY(&output[outputSz], p7->content, p7->contentSz); - outputSz += p7->contentSz; - XMEMCPY(&output[outputSz], outputFoot, outputFootSz); - outputSz += outputFootSz; - - /* get PEM size */ - pemSz = wc_DerToPemEx(output, outputSz, NULL, 0, NULL, CERT_TYPE); - if (pemSz < 0) - goto error; - - pemSz++; /* for '\0'*/ - - /* create PEM buffer and convert from DER to PEM*/ - if ((pem = (byte*)XMALLOC(pemSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER)) == NULL) - goto error; - - XMEMSET(pem, 0, pemSz); - - if (wc_DerToPemEx(output, outputSz, pem, pemSz, NULL, CERT_TYPE) < 0) { - goto error; - } - if ((wolfSSL_BIO_write(bio, pem, pemSz) == pemSz)) { - XFREE(output, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(pem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); -#ifdef WOLFSSL_SMALL_STACK - XFREE(outputHead, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(outputFoot, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); -#endif - return WOLFSSL_SUCCESS; - } - -error: -#ifdef WOLFSSL_SMALL_STACK - if (outputHead) { - XFREE(outputHead, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - if (outputFoot) { - XFREE(outputFoot, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - } -#endif - if (output) { - XFREE(output, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - if (pem) { - XFREE(pem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); - } - return WOLFSSL_FAILURE; -} -#endif /* OPENSSL_ALL && HAVE_PKCS7 */ - -#if defined(OPENSSL_EXTRA) -WOLFSSL_STACK* wolfSSL_sk_X509_new(void) -{ - WOLFSSL_STACK* s = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL, - DYNAMIC_TYPE_X509); - if (s != NULL) { - XMEMSET(s, 0, sizeof(*s)); - s->type = STACK_TYPE_X509; - } - - return s; -} -#endif - -#ifdef OPENSSL_ALL -int wolfSSL_PEM_write_bio_PKCS8PrivateKey(WOLFSSL_BIO* bio, - WOLFSSL_EVP_PKEY* pkey, - const WOLFSSL_EVP_CIPHER* enc, - char* passwd, int passwdSz, - pem_password_cb* cb, void* ctx) -{ - int ret = 0; - char password[NAME_SZ]; - byte* key = NULL; - word32 keySz; - byte* pem = NULL; - int pemSz; - int type = PKCS8_PRIVATEKEY_TYPE; - int algId; - const byte* curveOid; - word32 oidSz; - int encAlgId; - - if (bio == NULL || pkey == NULL) - return -1; - - keySz = pkey->pkey_sz + 128; - key = (byte*)XMALLOC(keySz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (key == NULL) - ret = MEMORY_E; - - if (ret == 0 && enc != NULL && passwd == NULL) { - passwdSz = cb(password, sizeof(password), 1, ctx); - if (passwdSz < 0) - ret = WOLFSSL_FAILURE; - passwd = password; - } - - if (ret == 0 && enc != NULL) { - WC_RNG rng; - ret = wc_InitRng(&rng); - if (ret == 0) { - #ifndef NO_DES3 - if (enc == EVP_DES_CBC) - encAlgId = DESb; - else if (enc == EVP_DES_EDE3_CBC) - encAlgId = DES3b; - else - #endif - #if !defined(NO_AES) && defined(HAVE_AES_CBC) - #ifdef WOLFSSL_AES_256 - if (enc == EVP_AES_256_CBC) - encAlgId = AES256CBCb; - else - #endif - #endif - ret = -1; - if (ret == 0) { - ret = TraditionalEnc((byte*)pkey->pkey.ptr, pkey->pkey_sz, key, - &keySz, passwd, passwdSz, PKCS5, PBES2, - encAlgId, NULL, 0, WC_PKCS12_ITT_DEFAULT, - &rng, NULL); - if (ret > 0) { - keySz = ret; - ret = 0; - } - } - wc_FreeRng(&rng); - } - type = PKCS8_ENC_PRIVATEKEY_TYPE; - } - if (ret == 0 && enc == NULL) { - type = PKCS8_PRIVATEKEY_TYPE; - if (pkey->type == EVP_PKEY_EC) { - algId = ECDSAk; - ret = wc_ecc_get_oid(pkey->ecc->group->curve_oid, &curveOid, - &oidSz); - } - else { - algId = RSAk; - curveOid = NULL; - oidSz = 0; - } - - if (ret >= 0) { - ret = wc_CreatePKCS8Key(key, &keySz, (byte*)pkey->pkey.ptr, - pkey->pkey_sz, algId, curveOid, oidSz); - keySz = ret; - } - } - - if (password == passwd) - XMEMSET(password, 0, passwdSz); - - if (ret >= 0) { - pemSz = 2 * keySz + 2 * 64; - pem = (byte*)XMALLOC(pemSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (pem == NULL) - ret = MEMORY_E; - } - - if (ret >= 0) - ret = wc_DerToPemEx(key, keySz, pem, pemSz, NULL, type); - - if (key != NULL) - XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - if (ret >= 0) { - if (wolfSSL_BIO_write(bio, pem, ret) != ret) - ret = -1; - } - - if (pem != NULL) - XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - return ret < 0 ? 0 : ret; - -} - -static int bio_get_data(WOLFSSL_BIO* bio, byte** data) -{ - int ret = 0; - byte* mem = NULL; -#ifndef NO_FILESYSTEM - long memSz; - XFILE file; - long curr; -#endif - - if ((ret = wolfSSL_BIO_pending(bio)) > 0) { - } -#ifndef NO_FILESYSTEM - else if (bio->type == WOLFSSL_BIO_FILE) { - if (wolfSSL_BIO_get_fp(bio, &file) != WOLFSSL_SUCCESS) - ret = BAD_FUNC_ARG; - if (ret == 0) { - curr = XFTELL(file); - if (curr < 0) { - ret = WOLFSSL_BAD_FILE; - } - if (XFSEEK(file, 0, XSEEK_END) != 0) - ret = WOLFSSL_BAD_FILE; - } - if (ret == 0) { - memSz = XFTELL(file); - if (memSz > MAX_WOLFSSL_FILE_SIZE || memSz < 0) { - ret = WOLFSSL_BAD_FILE; - } - } - if (ret == 0) { - memSz -= curr; - ret = (int)memSz; - if (XFSEEK(file, curr, SEEK_SET) != 0) - ret = WOLFSSL_BAD_FILE; - } - } -#endif - - if (ret > 0) { - mem = (byte*)XMALLOC(ret, bio->heap, DYNAMIC_TYPE_OPENSSL); - if (mem == NULL) { - WOLFSSL_MSG("Memory error"); - ret = MEMORY_E; - } - if (ret >= 0) { - if ((ret = wolfSSL_BIO_read(bio, mem, ret)) <= 0) { - XFREE(mem, bio->heap, DYNAMIC_TYPE_OPENSSL); - ret = MEMORY_E; - mem = NULL; - } - } - } - - *data = mem; - - return ret; -} - -#ifndef NO_WOLFSSL_STUB -void wolfSSL_BIO_set_init(WOLFSSL_BIO* bio, int init) -{ - WOLFSSL_STUB("wolfSSL_BIO_set_init"); - (void)bio; - (void)init; -} - -void wolfSSL_BIO_set_shutdown(WOLFSSL_BIO* bio, int shut) -{ - WOLFSSL_STUB("wolfSSL_BIO_set_shutdown"); - (void)bio; - (void)shut; - -} -int wolfSSL_BIO_get_shutdown(WOLFSSL_BIO* bio) -{ - WOLFSSL_STUB("wolfSSL_BIO_get_shutdown"); - (void)bio; - return 0; -} -#endif /* NO_WOLFSSL_STUB */ - -void wolfSSL_BIO_clear_retry_flags(WOLFSSL_BIO* bio) -{ - WOLFSSL_ENTER("wolfSSL_BIO_clear_retry_flags"); - - if (bio) - bio->flags &= ~(WOLFSSL_BIO_FLAG_READ|WOLFSSL_BIO_FLAG_RETRY); -} - -int wolfSSL_BIO_should_retry(WOLFSSL_BIO *bio) -{ - int ret = 0; - if (bio != NULL) { - ret = (int)(bio->flags & WOLFSSL_BIO_FLAG_RETRY); - } - - return ret; -} - -/* DER data is PKCS#8 encrypted. */ -WOLFSSL_EVP_PKEY* wolfSSL_d2i_PKCS8PrivateKey_bio(WOLFSSL_BIO* bio, - WOLFSSL_EVP_PKEY** pkey, - pem_password_cb* cb, - void* ctx) -{ - int ret; - byte* der; - int len; - byte* p; - char password[NAME_SZ]; - int passwordSz; - word32 algId; - WOLFSSL_EVP_PKEY* key; - - if ((len = bio_get_data(bio, &der)) < 0) - return NULL; - - if (cb != NULL) { - passwordSz = cb(password, sizeof(password), PEM_PASS_READ, ctx); - if (passwordSz < 0) { - XFREE(der, bio->heap, DYNAMIC_TYPE_OPENSSL); - return NULL; - } - - ret = ToTraditionalEnc(der, len, password, passwordSz, &algId); - if (ret < 0) { - XFREE(der, bio->heap, DYNAMIC_TYPE_OPENSSL); - return NULL; - } - - XMEMSET(password, 0, passwordSz); - } - - p = der; - key = wolfSSL_d2i_PrivateKey_EVP(pkey, &p, len); - XFREE(der, bio->heap, DYNAMIC_TYPE_OPENSSL); - return key; -} - -/* Detect which type of key it is before decoding. */ -WOLFSSL_EVP_PKEY* wolfSSL_d2i_AutoPrivateKey(WOLFSSL_EVP_PKEY** pkey, - const unsigned char** pp, - long length) -{ - int ret; - WOLFSSL_EVP_PKEY* key = NULL; - const byte* der = *pp; - word32 idx = 0; - int len = 0; - word32 end = 0; - int cnt = 0; - int type; - word32 algId; - word32 keyLen = (word32)length; - - /* Take off PKCS#8 wrapper if found. */ - if ((len = ToTraditionalInline_ex(der, &idx, keyLen, &algId)) >= 0) { - der += idx; - keyLen = len; - } - idx = 0; - len = 0; - - /* Use the number of elements in the outer sequence to determine key type. - */ - ret = GetSequence(der, &idx, &len, keyLen); - if (ret >= 0) { - end = idx + len; - while (ret >= 0 && idx < end) { - /* Skip type */ - idx++; - /* Get length and skip over - keeping count */ - len = 0; - ret = GetLength(der, &idx, &len, keyLen); - if (ret >= 0) { - if (idx + len > end) - ret = ASN_PARSE_E; - else { - idx += len; - cnt++; - } - } - } - } - - if (ret >= 0) { - /* ECC includes version, private[, curve][, public key] */ - if (cnt >= 2 && cnt <= 4) - type = EVP_PKEY_EC; - else - type = EVP_PKEY_RSA; - - key = wolfSSL_d2i_PrivateKey(type, pkey, &der, keyLen); - *pp = der; - } - - return key; -} -#endif - -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) -int wolfSSL_X509_set_subject_name(WOLFSSL_X509 *cert, WOLFSSL_X509_NAME *name) -{ - int i; - WOLFSSL_X509_NAME_ENTRY* ne; - - WOLFSSL_ENTER("X509_set_subject_name"); - if (cert == NULL || name == NULL) - return WOLFSSL_FAILURE; - - FreeX509Name(&cert->subject, cert->heap); - InitX509Name(&cert->subject, 0); - if (name->dynamicName) { - cert->subject.name = (char*)XMALLOC(name->sz, cert->heap, - DYNAMIC_TYPE_SUBJECT_CN); - if (cert->subject.name == NULL) - return WOLFSSL_FAILURE; - } - XMEMCPY(cert->subject.name, name->name, name->sz); - cert->subject.sz = name->sz; - - for (i = 0; i < 10; i++) { - ne = wolfSSL_X509_NAME_get_entry(name, i); - if (ne != NULL) - wolfSSL_X509_NAME_add_entry(&cert->subject, ne, i, 1); - } - cert->subject.x509 = cert; - cert->subject.name = cert->subject.fullName.fullName; - cert->subject.sz = cert->subject.fullName.fullNameLen; - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_X509_set_issuer_name(WOLFSSL_X509 *cert, WOLFSSL_X509_NAME *name) -{ - int i; - WOLFSSL_X509_NAME_ENTRY* ne; - - WOLFSSL_ENTER("X509_set_issuer_name"); - if (cert == NULL || name == NULL) - return WOLFSSL_FAILURE; - - FreeX509Name(&cert->issuer, cert->heap); - InitX509Name(&cert->issuer, 0); - if (name->dynamicName) { - cert->issuer.name = (char*)XMALLOC(name->sz, cert->heap, - DYNAMIC_TYPE_SUBJECT_CN); - if (cert->issuer.name == NULL) - return WOLFSSL_FAILURE; - } - XMEMCPY(cert->issuer.name, name->name, name->sz); - cert->issuer.sz = name->sz; - - for (i = 0; i < 10; i++) { - ne = wolfSSL_X509_NAME_get_entry(name, i); - if (ne != NULL) - wolfSSL_X509_NAME_add_entry(&cert->issuer, ne, i, 1); - } - cert->issuer.x509 = cert; - cert->issuer.name = cert->issuer.fullName.fullName; - cert->issuer.sz = cert->issuer.fullName.fullNameLen; - cert->issuerSet = 1; - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_X509_set_notAfter(WOLFSSL_X509* x509, const WOLFSSL_ASN1_TIME* t) -{ - if (x509 == NULL || t == NULL) { - return WOLFSSL_FAILURE; - } - - XMEMCPY(&x509->notAfter, t, sizeof(WOLFSSL_ASN1_TIME)); - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_X509_set_notBefore(WOLFSSL_X509* x509, const WOLFSSL_ASN1_TIME* t) -{ - if (x509 == NULL || t == NULL) { - return WOLFSSL_FAILURE; - } - - XMEMCPY(&x509->notBefore, t, sizeof(WOLFSSL_ASN1_TIME)); - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_X509_set_serialNumber(WOLFSSL_X509* x509, WOLFSSL_ASN1_INTEGER* s) -{ - WOLFSSL_ENTER("wolfSSL_X509_set_serialNumber"); - if (!x509 || !s || s->dataMax >= EXTERNAL_SERIAL_SIZE) - return WOLFSSL_FAILURE; - - if (s->isDynamic) - XSTRNCPY((char*)x509->serial,(char*)s->data,s->dataMax); - else - XSTRNCPY((char*)x509->serial,(char*)s->intData,s->dataMax); - - x509->serial[s->dataMax] = 0; - x509->serialSz = s->dataMax; - - return WOLFSSL_SUCCESS; -} - - -int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey) -{ - byte* p; - WOLFSSL_ENTER("wolfSSL_X509_set_pubkey"); - - if (cert == NULL || pkey == NULL) - return WOLFSSL_FAILURE; - - if (pkey->type == EVP_PKEY_RSA) - cert->pubKeyOID = RSAk; - else if (pkey->type == EVP_PKEY_EC) - cert->pubKeyOID = ECDSAk; - else - return WOLFSSL_FAILURE; - - p = (byte*)XMALLOC(pkey->pkey_sz, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); - if (p == NULL) - return WOLFSSL_FAILURE; - - if (cert->pubKey.buffer != NULL) - XFREE(cert->pubKey.buffer, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); - cert->pubKey.buffer = p; - XMEMCPY(cert->pubKey.buffer, pkey->pkey.ptr, pkey->pkey_sz); - cert->pubKey.length = pkey->pkey_sz; - - return WOLFSSL_SUCCESS; -} - -int wolfSSL_X509_set_version(WOLFSSL_X509* x509, long v) -{ - WOLFSSL_ENTER("wolfSSL_X509_set_version"); - if ((x509 == NULL) || (v < 0) || (v > INT_MAX)) { - return WOLFSSL_FAILURE; - } - x509->version = (int) v + 1; - - return WOLFSSL_SUCCESS; -} - -#endif /* OPENSSL_EXTRA && !NO_CERTS && WOLFSSL_CERT_GEN && WOLFSSL_CERT_REQ */ - -#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) - -void wolfSSL_X509V3_set_ctx(WOLFSSL_X509V3_CTX* ctx, WOLFSSL_X509* issuer, - WOLFSSL_X509* subject, WOLFSSL_X509* req, WOLFSSL_X509_CRL* crl, - int flag) -{ - int ret = WOLFSSL_SUCCESS; - WOLFSSL_ENTER("wolfSSL_X509V3_set_ctx"); - if (!ctx || !ctx->x509) - return; - - /* Set parameters in ctx as long as ret == WOLFSSL_SUCCESS */ - if (issuer) - ret = wolfSSL_X509_set_issuer_name(ctx->x509,&issuer->issuer); - - if (subject && ret == WOLFSSL_SUCCESS) - ret = wolfSSL_X509_set_subject_name(ctx->x509,&subject->subject); - - if (req && ret == WOLFSSL_SUCCESS) { - WOLFSSL_MSG("req not implemented."); - } - - if (crl && ret == WOLFSSL_SUCCESS) { - WOLFSSL_MSG("crl not implemented."); - } - - if (flag && ret == WOLFSSL_SUCCESS) { - WOLFSSL_MSG("flag not implemented."); - } - - if (!ret) { - WOLFSSL_MSG("Error setting WOLFSSL_X509V3_CTX parameters."); - } -} - -int wolfSSL_i2d_X509_REQ(WOLFSSL_X509* req, unsigned char** out) -{ - const unsigned char* der; - int derSz = 0; - WOLFSSL_ENTER("wolfSSL_i2d_X509_REQ"); - - if (req == NULL || out == NULL) { - return BAD_FUNC_ARG; - } - - der = wolfSSL_X509_get_der(req, &derSz); - if (der == NULL) { - return MEMORY_E; - } - - if (*out == NULL) { - *out = (unsigned char*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_OPENSSL); - if (*out == NULL) { - return MEMORY_E; - } - } - - XMEMCPY(*out, der, derSz); - - return derSz; -} - -WOLFSSL_X509* wolfSSL_X509_REQ_new(void) -{ - return wolfSSL_X509_new(); -} - -void wolfSSL_X509_REQ_free(WOLFSSL_X509* req) -{ - wolfSSL_X509_free(req); -} - -int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, - const WOLFSSL_EVP_MD *md) -{ - byte der[2048]; - int derSz = sizeof(der); - - if (req == NULL || pkey == NULL || md == NULL) - return WOLFSSL_FAILURE; - - /* Create a Cert that has the certificate request fields. */ - req->sigOID = wolfSSL_sigTypeFromPKEY((WOLFSSL_EVP_MD*)md, pkey); - if (wolfSSL_X509_make_der(req, 1, der, &derSz) != WOLFSSL_SUCCESS) { - return WOLFSSL_FAILURE; - } - - if (wolfSSL_X509_resign_cert(req, 1, der, sizeof(der), derSz, - (WOLFSSL_EVP_MD*)md, pkey) <= 0) { - return WOLFSSL_FAILURE; - } - return WOLFSSL_SUCCESS; -} - - -#ifndef NO_WOLFSSL_STUB -int wolfSSL_X509_REQ_add_extensions(WOLFSSL_X509* req, - WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* ext) -{ - (void)req; - (void)ext; - return WOLFSSL_FATAL_ERROR; -} -#endif - -int wolfSSL_X509_REQ_set_subject_name(WOLFSSL_X509 *req, - WOLFSSL_X509_NAME *name) -{ - return wolfSSL_X509_set_subject_name(req, name); -} - -int wolfSSL_X509_REQ_set_pubkey(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey) -{ - return wolfSSL_X509_set_pubkey(req, pkey); -} -#endif /* OPENSSL_EXTRA && !NO_CERTS && WOLFSSL_CERT_GEN && WOLFSSL_CERT_REQ */ - - |