diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index de6f2452f14..52da3674a8b 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -970,6 +970,7 @@ WOLFSSL_USE_FLASHMEM WOLFSSL_USE_FORCE_ZERO WOLFSSL_USE_OPTIONS_H WOLFSSL_VALIDATE_DH_KEYGEN +WOLFSSL_VERIFY_NONE_DEFAULT WOLFSSL_WC_SLHDSA_RECURSIVE WOLFSSL_WC_XMSS_NO_SHA256 WOLFSSL_WICED_PSEUDO_UNIX_EPOCH_TIME diff --git a/src/internal.c b/src/internal.c index fed9d370dea..a5cb422cf9c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2642,6 +2642,12 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap) XMEMSET(ctx, 0, sizeof(WOLFSSL_CTX)); +#ifdef WOLFSSL_VERIFY_NONE_DEFAULT + /* OpenSSL compat: default to SSL_VERIFY_NONE unless the app + * sets SSL_VERIFY_PEER. */ + ctx->verifyNone = 1; +#endif + ctx->method = method; if (heap == NULL) { ctx->heap = ctx; /* defaults to self */ diff --git a/tests/api.c b/tests/api.c index 32b90b9a079..cbf29f464c8 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1793,6 +1793,46 @@ static int test_wolfSSL_CTX_new(void) } #endif +#if defined(WOLFSSL_VERIFY_NONE_DEFAULT) && !defined(NO_WOLFSSL_CLIENT) && \ + !defined(NO_TLS) +/* WOLFSSL_VERIFY_NONE_DEFAULT makes a fresh CTX default to SSL_VERIFY_NONE + * (OpenSSL compat). Assert the default is applied, inherited by a spawned + * SSL, and correctly overridden by wolfSSL_CTX_set_verify(). */ +static int test_wolfSSL_CTX_verify_none_default(void) +{ + EXPECT_DECLS; + WOLFSSL_CTX* ctx = NULL; + WOLFSSL* ssl = NULL; + + ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + + /* Freshly created CTX defaults to no verification. */ + ExpectIntEQ(ctx->verifyNone, 1); +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) + ExpectIntEQ(wolfSSL_CTX_get_verify_mode(ctx), WOLFSSL_VERIFY_NONE); +#endif + + /* A spawned SSL inherits the default. */ + ExpectNotNull(ssl = wolfSSL_new(ctx)); + ExpectIntEQ(ssl->options.verifyNone, 1); + wolfSSL_free(ssl); + + /* SSL_VERIFY_PEER clears the default. */ + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); + ExpectIntEQ(ctx->verifyNone, 0); + ExpectIntEQ(ctx->verifyPeer, 1); + + /* WOLFSSL_VERIFY_DEFAULT resets verifyNone back to 0 (does not restore + * the compat default). */ + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_DEFAULT, NULL); + ExpectIntEQ(ctx->verifyNone, 0); + + wolfSSL_CTX_free(ctx); + + return EXPECT_RESULT(); +} +#endif + #if (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) && \ !defined(NO_TLS) && \ (!defined(NO_RSA) || defined(HAVE_ECC)) && !defined(NO_FILESYSTEM) @@ -35250,6 +35290,10 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_Method_Allocators), #if !defined(NO_WOLFSSL_SERVER) && !defined(NO_TLS) TEST_DECL(test_wolfSSL_CTX_new), +#endif +#if defined(WOLFSSL_VERIFY_NONE_DEFAULT) && !defined(NO_WOLFSSL_CLIENT) && \ + !defined(NO_TLS) + TEST_DECL(test_wolfSSL_CTX_verify_none_default), #endif TEST_DECL(test_server_wolfSSL_new), TEST_DECL(test_client_wolfSSL_new), diff --git a/wolfssl/openssl/bio.h b/wolfssl/openssl/bio.h index f797d94ab58..2456ad38093 100644 --- a/wolfssl/openssl/bio.h +++ b/wolfssl/openssl/bio.h @@ -188,6 +188,37 @@ #define BIO_meth_set_create wolfSSL_BIO_meth_set_create #define BIO_meth_set_destroy wolfSSL_BIO_meth_set_destroy +#define WOLFSSL_BIO_TYPE_DESCRIPTOR 0x0100 +#define WOLFSSL_BIO_TYPE_SOURCE_SINK 0x0400 + +/* OpenSSL allocates a fresh BIO type index per call; wolfSSL + * untracked, so return a fixed app-range index. */ +static WC_INLINE int wolfSSL_BIO_get_new_index(void) { return 1000; } + +/* wolfSSL does not store these BIO method callbacks; getters + * report none, set_callback_ctrl is a no-op. */ +static WC_INLINE void * +wolfSSL_BIO_meth_get_gets(WOLFSSL_BIO_METHOD *m) +{ (void)m; return NULL; } +static WC_INLINE void * +wolfSSL_BIO_meth_get_puts(WOLFSSL_BIO_METHOD *m) +{ (void)m; return NULL; } +static WC_INLINE void * +wolfSSL_BIO_meth_get_ctrl(WOLFSSL_BIO_METHOD *m) +{ (void)m; return NULL; } +static WC_INLINE void * +wolfSSL_BIO_meth_get_create(WOLFSSL_BIO_METHOD *m) +{ (void)m; return NULL; } +static WC_INLINE void * +wolfSSL_BIO_meth_get_destroy(WOLFSSL_BIO_METHOD *m) +{ (void)m; return NULL; } +static WC_INLINE void * +wolfSSL_BIO_meth_get_callback_ctrl(WOLFSSL_BIO_METHOD *m) +{ (void)m; return NULL; } +static WC_INLINE int +wolfSSL_BIO_meth_set_callback_ctrl(WOLFSSL_BIO_METHOD *m, void *cb) +{ (void)m; (void)cb; return 1; } + #define BIO_snprintf XSNPRINTF /* BIO CTRL */ diff --git a/wolfssl/openssl/err.h b/wolfssl/openssl/err.h index dbc240bfe45..63f32f9c2da 100644 --- a/wolfssl/openssl/err.h +++ b/wolfssl/openssl/err.h @@ -38,10 +38,22 @@ #define WOLFSSL_SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 2 #define WOLFSSL_SSL_F_SSL_USE_PRIVATEKEY 3 #define WOLFSSL_EC_F_EC_GFP_SIMPLE_POINT2OCT 4 +#define WOLFSSL_SSL_F_SSL_SET_FD 5 /* reasons */ #define WOLFSSL_ERR_R_SYS_LIB 1 #define WOLFSSL_PKCS12_R_MAC_VERIFY_FAILURE 2 +/* Matches OpenSSL's ERR_R_BUF_LIB (= ERR_LIB_BUF, 7). */ +#define WOLFSSL_ERR_R_BUF_LIB 7 +#define WOLFSSL_SSL_R_UNKNOWN_PROTOCOL 252 +#define WOLFSSL_SSL_R_WRONG_VERSION_NUMBER 267 +#define WOLFSSL_SSL_R_UNSUPPORTED_PROTOCOL 258 +#define WOLFSSL_SSL_R_NO_PROTOCOLS_AVAILABLE 194 +#define WOLFSSL_SSL_R_BAD_PROTOCOL_VERSION_NUMBER 182 +#define WOLFSSL_SSL_R_UNKNOWN_SSL_VERSION 254 +#define WOLFSSL_SSL_R_UNSUPPORTED_SSL_VERSION 259 +#define WOLFSSL_SSL_R_WRONG_SSL_VERSION 266 +#define WOLFSSL_SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 #ifndef OPENSSL_COEXIST diff --git a/wolfssl/openssl/hmac.h b/wolfssl/openssl/hmac.h index b6d84d12889..30cf58ad649 100644 --- a/wolfssl/openssl/hmac.h +++ b/wolfssl/openssl/hmac.h @@ -37,6 +37,12 @@ #include #include +/* OpenSSL's hmac.h pulls in evp.h; mirror it, but only on standalone + * include (WOLFSSL_SSL_H unset) to avoid an include cycle during + * wolfssl/ssl.h's own parse. */ +#ifndef WOLFSSL_SSL_H +#include +#endif #ifdef __cplusplus extern "C" { diff --git a/wolfssl/openssl/objects.h b/wolfssl/openssl/objects.h index 909ae248895..2b8fff6f1c9 100644 --- a/wolfssl/openssl/objects.h +++ b/wolfssl/openssl/objects.h @@ -74,6 +74,53 @@ #define NID_ad_OCSP WC_NID_ad_OCSP #define NID_ad_ca_issuers WC_NID_ad_ca_issuers +/* OBJ_find_sigid_algs(): map a certificate signature-algorithm NID to its + * digest and public-key NIDs; returns 0 for unsupported algorithms. */ +#ifndef BUILDING_WOLFSSL +static WC_INLINE int +wolfSSL_OBJ_find_sigid_algs(int sigid, int *pdig, int *ppkey) +{ + int dig = 0; + int pkey = 0; + int ret = 1; + + switch (sigid) { +#ifndef NO_RSA + case WC_NID_sha1WithRSAEncryption: + dig = WC_NID_sha1; pkey = WC_NID_rsaEncryption; break; + case WC_NID_sha224WithRSAEncryption: + dig = WC_NID_sha224; pkey = WC_NID_rsaEncryption; break; + case WC_NID_sha256WithRSAEncryption: + dig = WC_NID_sha256; pkey = WC_NID_rsaEncryption; break; + case WC_NID_sha384WithRSAEncryption: + dig = WC_NID_sha384; pkey = WC_NID_rsaEncryption; break; + case WC_NID_sha512WithRSAEncryption: + dig = WC_NID_sha512; pkey = WC_NID_rsaEncryption; break; +#endif /* !NO_RSA */ +#ifdef HAVE_ECC + case WC_NID_ecdsa_with_SHA1: + dig = WC_NID_sha1; pkey = WC_NID_X9_62_id_ecPublicKey; break; + case WC_NID_ecdsa_with_SHA224: + dig = WC_NID_sha224; pkey = WC_NID_X9_62_id_ecPublicKey; break; + case WC_NID_ecdsa_with_SHA256: + dig = WC_NID_sha256; pkey = WC_NID_X9_62_id_ecPublicKey; break; + case WC_NID_ecdsa_with_SHA384: + dig = WC_NID_sha384; pkey = WC_NID_X9_62_id_ecPublicKey; break; + case WC_NID_ecdsa_with_SHA512: + dig = WC_NID_sha512; pkey = WC_NID_X9_62_id_ecPublicKey; break; +#endif /* HAVE_ECC */ + default: + ret = 0; break; + } + + if (ret == 1) { + if (pdig != NULL) *pdig = dig; + if (ppkey != NULL) *ppkey = pkey; + } + return ret; +} +#endif + #endif /* !OPENSSL_COEXIST */ #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 063500675e1..8d3b9a80e7b 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -44,6 +44,7 @@ #include #endif #include +#include #ifdef OPENSSL_EXTRA #include #endif @@ -1568,6 +1569,14 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; #define SSL_get_state wolfSSL_get_state #define SSL_state_string_long wolfSSL_state_string_long +/* Must equal HANDSHAKE_DONE in the internal 'enum states' + * (wolfssl/internal.h), returned by wolfSSL_get_state(); 16 today. */ +#define WOLFSSL_TLS_ST_OK 16 +#define WOLFSSL_SSL_ST_OK WOLFSSL_TLS_ST_OK +#define TLS_ST_OK WOLFSSL_TLS_ST_OK +#define SSL_ST_OK WOLFSSL_SSL_ST_OK +#define SSL_F_SSL_SET_FD WOLFSSL_SSL_F_SSL_SET_FD + #define GENERAL_NAME_new wolfSSL_GENERAL_NAME_new #define GENERAL_NAME_free wolfSSL_GENERAL_NAME_free #define GENERAL_NAME_dup wolfSSL_GENERAL_NAME_dup @@ -1738,16 +1747,43 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; #define SSL_R_DATA_LENGTH_TOO_LONG BUFFER_ERROR #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG BUFFER_ERROR #define SSL_R_BAD_LENGTH BUFFER_ERROR -#define SSL_R_UNKNOWN_PROTOCOL VERSION_ERROR -#define SSL_R_WRONG_VERSION_NUMBER VERSION_ERROR +#define SSL_R_UNKNOWN_PROTOCOL WOLFSSL_SSL_R_UNKNOWN_PROTOCOL +#define SSL_R_WRONG_VERSION_NUMBER WOLFSSL_SSL_R_WRONG_VERSION_NUMBER #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC ENCRYPT_ERROR #define SSL_R_HTTPS_PROXY_REQUEST PARSE_ERROR #define SSL_R_HTTP_REQUEST PARSE_ERROR -#define SSL_R_UNSUPPORTED_PROTOCOL VERSION_ERROR +#define SSL_R_UNSUPPORTED_PROTOCOL WOLFSSL_SSL_R_UNSUPPORTED_PROTOCOL +#define SSL_R_NO_PROTOCOLS_AVAILABLE \ + WOLFSSL_SSL_R_NO_PROTOCOLS_AVAILABLE +#define SSL_R_BAD_PROTOCOL_VERSION_NUMBER \ + WOLFSSL_SSL_R_BAD_PROTOCOL_VERSION_NUMBER +#define SSL_R_UNKNOWN_SSL_VERSION WOLFSSL_SSL_R_UNKNOWN_SSL_VERSION +#define SSL_R_UNSUPPORTED_SSL_VERSION \ + WOLFSSL_SSL_R_UNSUPPORTED_SSL_VERSION +#define SSL_R_WRONG_SSL_VERSION WOLFSSL_SSL_R_WRONG_SSL_VERSION +#define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION \ + WOLFSSL_SSL_R_TLSV1_ALERT_PROTOCOL_VERSION #define SSL_R_CERTIFICATE_VERIFY_FAILED VERIFY_CERT_ERROR #define SSL_R_CERT_CB_ERROR CLIENT_CERT_CB_ERROR #define SSL_R_NULL_SSL_METHOD_PASSED BAD_FUNC_ARG #define SSL_R_CCS_RECEIVED_EARLY OUT_OF_ORDER_E +#define ERR_R_BUF_LIB WOLFSSL_ERR_R_BUF_LIB +#define BIO_TYPE_DESCRIPTOR WOLFSSL_BIO_TYPE_DESCRIPTOR +#define BIO_TYPE_SOURCE_SINK WOLFSSL_BIO_TYPE_SOURCE_SINK +#define BIO_get_app_data(bio) wolfSSL_BIO_get_data(bio) +#define BIO_set_app_data(bio, data) \ + wolfSSL_BIO_set_data((bio), (data)) +#define BIO_get_new_index wolfSSL_BIO_get_new_index +#define BIO_meth_get_gets wolfSSL_BIO_meth_get_gets +#define BIO_meth_get_puts wolfSSL_BIO_meth_get_puts +#define BIO_meth_get_ctrl wolfSSL_BIO_meth_get_ctrl +#define BIO_meth_get_create wolfSSL_BIO_meth_get_create +#define BIO_meth_get_destroy wolfSSL_BIO_meth_get_destroy +#define BIO_meth_get_callback_ctrl wolfSSL_BIO_meth_get_callback_ctrl +#define BIO_meth_set_callback_ctrl wolfSSL_BIO_meth_set_callback_ctrl +#ifndef BUILDING_WOLFSSL +#define OBJ_find_sigid_algs wolfSSL_OBJ_find_sigid_algs +#endif #ifdef HAVE_SESSION_TICKET #define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72