[mod_wolfssl] minor updates for wolfSSL v4.6.0
This commit is contained in:
parent
5b1b9f7824
commit
6a28bd79b3
|
|
@ -61,8 +61,6 @@ static char global_err_buf[WOLFSSL_MAX_ERROR_SZ];
|
|||
#define ERR_error_string(e,b) \
|
||||
(wolfSSL_ERR_error_string_n((e),global_err_buf,WOLFSSL_MAX_ERROR_SZ), \
|
||||
global_err_buf)
|
||||
/* WolfSSL does not provide OPENSSL_cleanse() */
|
||||
#define OPENSSL_cleanse(x,sz) safe_memclear((x),(sz))
|
||||
|
||||
#if 0 /* symbols and definitions requires WolfSSL built with -DOPENSSL_EXTRA */
|
||||
#define SSL_TLSEXT_ERR_OK 0
|
||||
|
|
@ -94,6 +92,10 @@ WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NA
|
|||
((WOLF_STACK_OF(WOLFSSL_X509_NAME) *)1) /* ! NULL */
|
||||
#endif
|
||||
|
||||
#if LIBWOLFSSL_VERSION_HEX < 0x04006000 || defined(WOLFSSL_NO_FORCE_ZERO)
|
||||
#define wolfSSL_OPENSSL_cleanse(x,sz) safe_memclear((x),(sz))
|
||||
#endif
|
||||
|
||||
#if LIBWOLFSSL_VERSION_HEX < 0x04002000 /*(exact version needed not checked)*/
|
||||
#ifndef STACK_OF
|
||||
#define STACK_OF(x) WOLFSSL_STACK
|
||||
|
|
@ -279,7 +281,7 @@ mod_openssl_session_ticket_key_rotate (void)
|
|||
session_ticket_keys+0, sizeof(tlsext_ticket_key_t)*2);*/
|
||||
session_ticket_keys[0] = session_ticket_keys[3];
|
||||
|
||||
OPENSSL_cleanse(session_ticket_keys+3, sizeof(tlsext_ticket_key_t));
|
||||
wolfSSL_OPENSSL_cleanse(session_ticket_keys+3, sizeof(tlsext_ticket_key_t));
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -321,7 +323,8 @@ tlsext_ticket_wipe_expired (const time_t cur_ts)
|
|||
for (int i = 0; i < e; ++i) {
|
||||
if (session_ticket_keys[i].expire_ts != 0
|
||||
&& session_ticket_keys[i].expire_ts < cur_ts)
|
||||
OPENSSL_cleanse(session_ticket_keys+i, sizeof(tlsext_ticket_key_t));
|
||||
wolfSSL_OPENSSL_cleanse(session_ticket_keys+i,
|
||||
sizeof(tlsext_ticket_key_t));
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -414,7 +417,7 @@ mod_openssl_session_ticket_key_file (const char *fn)
|
|||
rc = 1;
|
||||
}
|
||||
|
||||
OPENSSL_cleanse(buf, sizeof(buf));
|
||||
wolfSSL_OPENSSL_cleanse(buf, sizeof(buf));
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
|
@ -511,7 +514,7 @@ static void mod_openssl_free_openssl (void)
|
|||
if (!ssl_is_init) return;
|
||||
|
||||
#ifdef HAVE_SESSION_TICKET
|
||||
OPENSSL_cleanse(session_ticket_keys, sizeof(session_ticket_keys));
|
||||
wolfSSL_OPENSSL_cleanse(session_ticket_keys, sizeof(session_ticket_keys));
|
||||
stek_rotate_ts = 0;
|
||||
#endif
|
||||
|
||||
|
|
@ -1477,11 +1480,40 @@ mod_openssl_refresh_stapling_files (server *srv, const plugin_data *p, const tim
|
|||
|
||||
|
||||
static int
|
||||
mod_openssl_crt_must_staple (const X509 *crt)
|
||||
mod_openssl_crt_must_staple (const WOLFSSL_X509 *crt)
|
||||
{
|
||||
/* XXX: TODO: not implemented */
|
||||
#if 1
|
||||
UNUSED(crt);
|
||||
return 0;
|
||||
#else
|
||||
STACK_OF(ASN1_OBJECT) * const tlsf = (STACK_OF(ASN1_OBJECT)*)
|
||||
wolfSSL_X509_get_ext_d2i(crt, NID_tlsfeature, NULL, NULL);
|
||||
if (NULL == tlsf) return 0;
|
||||
|
||||
int rc = 0;
|
||||
|
||||
/* wolfSSL_sk_ASN1_INTEGER_num() not implemented */
|
||||
/* wolfSSL_sk_ASN1_INTEGER_value() not implemented */
|
||||
/* wolfSSL_sk_ASN1_INTEGER_pop_free() not implemented */
|
||||
#define wolfSSL_sk_ASN1_INTEGER_num(sk) wolfSSL_sk_num(sk)
|
||||
#define wolfSSL_sk_ASN1_INTEGER_value(sk, i) wolfSSL_sk_value(sk, i)
|
||||
#define wolfSSL_sk_ASN1_INTEGER_pop_free(sk, fn) wolfSSL_sk_pop_free(sk, fn)
|
||||
|
||||
/* wolfSSL_ASN1_INTEGER_get() is a stub func <= 4.6.0; always returns 0 */
|
||||
|
||||
for (int i = 0; i < wolfSSL_sk_ASN1_INTEGER_num(tlsf); ++i) {
|
||||
WOLFSSL_ASN1_INTEGER *ai = wolfSSL_sk_ASN1_INTEGER_value(tlsf, i);
|
||||
long tlsextid = wolfSSL_ASN1_INTEGER_get(ai);
|
||||
if (tlsextid == 5) { /* 5 = OCSP Must-Staple */
|
||||
rc = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
wolfSSL_sk_ASN1_INTEGER_pop_free(tlsf, wolfSSL_ASN1_INTEGER_free);
|
||||
return rc; /* 1 if OCSP Must-Staple found; 0 if not */
|
||||
#endif
|
||||
}
|
||||
|
||||
#endif /* HAVE_OCSP */
|
||||
|
|
@ -2000,9 +2032,9 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
|
|||
"but wolfssl library built without necessary support");
|
||||
return -1;
|
||||
#else
|
||||
/* WTH wolfssl? wolfSSL_dup_CA_list() is a stub which returns NULL
|
||||
* and so DN names in cert request are not set here.
|
||||
* (A patch has been submitted to WolfSSL to correct this)
|
||||
/* Before wolfssl 4.6.0, wolfSSL_dup_CA_list() is a stub function
|
||||
* which returns NULL, so DN names in cert request are not set here.
|
||||
* (A patch has been submitted to WolfSSL add is part of 4.6.0)
|
||||
* https://github.com/wolfSSL/wolfssl/pull/3098 */
|
||||
STACK_OF(X509_NAME) * const cert_names = s->ssl_ca_dn_file
|
||||
? s->ssl_ca_dn_file
|
||||
|
|
@ -3422,6 +3454,28 @@ mod_openssl_ssl_conf_cmd (server *srv, plugin_config_socket *s)
|
|||
|
||||
if (maxb) {
|
||||
/* WolfSSL max ver is set at WolfSSL compile-time */
|
||||
#if LIBWOLFSSL_VERSION_HEX >= 0x04002000
|
||||
/*(could use SSL_OP_NO_* before 4.2.0)*/
|
||||
/*(wolfSSL_CTX_set_max_proto_version() 4.6.0 uses different defines)*/
|
||||
int n = mod_openssl_ssl_conf_proto_val(srv, s, maxb, 1);
|
||||
switch (n) {
|
||||
case WOLFSSL_SSLV3:
|
||||
wolfSSL_CTX_set_options(s->ssl_ctx, WOLFSSL_OP_NO_TLSv1);
|
||||
__attribute_fallthrough__
|
||||
case WOLFSSL_TLSV1:
|
||||
wolfSSL_CTX_set_options(s->ssl_ctx, WOLFSSL_OP_NO_TLSv1_1);
|
||||
__attribute_fallthrough__
|
||||
case WOLFSSL_TLSV1_1:
|
||||
wolfSSL_CTX_set_options(s->ssl_ctx, WOLFSSL_OP_NO_TLSv1_2);
|
||||
__attribute_fallthrough__
|
||||
case WOLFSSL_TLSV1_2:
|
||||
wolfSSL_CTX_set_options(s->ssl_ctx, WOLFSSL_OP_NO_TLSv1_3);
|
||||
__attribute_fallthrough__
|
||||
case WOLFSSL_TLSV1_3:
|
||||
default:
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
if (!buffer_string_is_empty(cipherstring)) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue