-
Notifications
You must be signed in to change notification settings - Fork 1k
OpenSSL compatibility for libodbc #10813
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -188,6 +188,37 @@ | |
| #define BIO_meth_set_create wolfSSL_BIO_meth_set_create | ||
| #define BIO_meth_set_destroy wolfSSL_BIO_meth_set_destroy | ||
|
|
||
| #define WOLFSSL_BIO_TYPE_DESCRIPTOR 0x0100 | ||
| #define WOLFSSL_BIO_TYPE_SOURCE_SINK 0x0400 | ||
|
|
||
| /* OpenSSL allocates a fresh BIO type index per call; wolfSSL | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔵 [Low] BIO compat stubs report success/fixed values with silent limitations
Fix: If uniqueness is ever needed, hand out a monotonically increasing index instead of a constant. Keep the comment explicit that callback_ctrl is unsupported so callers don't assume the callback fires. |
||
| * untracked, so return a fixed app-range index. */ | ||
| static WC_INLINE int wolfSSL_BIO_get_new_index(void) { return 1000; } | ||
|
|
||
| /* wolfSSL does not store these BIO method callbacks; getters | ||
| * report none, set_callback_ctrl is a no-op. */ | ||
| static WC_INLINE void * | ||
| wolfSSL_BIO_meth_get_gets(WOLFSSL_BIO_METHOD *m) | ||
| { (void)m; return NULL; } | ||
| static WC_INLINE void * | ||
| wolfSSL_BIO_meth_get_puts(WOLFSSL_BIO_METHOD *m) | ||
| { (void)m; return NULL; } | ||
| static WC_INLINE void * | ||
| wolfSSL_BIO_meth_get_ctrl(WOLFSSL_BIO_METHOD *m) | ||
| { (void)m; return NULL; } | ||
| static WC_INLINE void * | ||
| wolfSSL_BIO_meth_get_create(WOLFSSL_BIO_METHOD *m) | ||
| { (void)m; return NULL; } | ||
| static WC_INLINE void * | ||
| wolfSSL_BIO_meth_get_destroy(WOLFSSL_BIO_METHOD *m) | ||
| { (void)m; return NULL; } | ||
| static WC_INLINE void * | ||
| wolfSSL_BIO_meth_get_callback_ctrl(WOLFSSL_BIO_METHOD *m) | ||
| { (void)m; return NULL; } | ||
| static WC_INLINE int | ||
| wolfSSL_BIO_meth_set_callback_ctrl(WOLFSSL_BIO_METHOD *m, void *cb) | ||
| { (void)m; (void)cb; return 1; } | ||
|
|
||
| #define BIO_snprintf XSNPRINTF | ||
|
|
||
| /* BIO CTRL */ | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -74,6 +74,53 @@ | |
| #define NID_ad_OCSP WC_NID_ad_OCSP | ||
| #define NID_ad_ca_issuers WC_NID_ad_ca_issuers | ||
|
|
||
| /* OBJ_find_sigid_algs(): map a certificate signature-algorithm NID to its | ||
| * digest and public-key NIDs; returns 0 for unsupported algorithms. */ | ||
| #ifndef BUILDING_WOLFSSL | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 [Medium] No test coverage for new wolfSSL_OBJ_find_sigid_algs mapping logic The PR adds a non-trivial mapping function (a switch over ~10 signature-algorithm NIDs producing digest+pkey NID pairs, returning 0 for unsupported), but adds no unit test for it. Fix: Add an api.c test that calls OBJ_find_sigid_algs for a couple of RSA and ECDSA sig NIDs, asserts the returned digest/pkey NIDs and return==1, verifies NULL out-params are tolerated, and asserts an unsupported NID returns 0 without touching the out-params. |
||
| static WC_INLINE int | ||
|
dgarske marked this conversation as resolved.
|
||
| wolfSSL_OBJ_find_sigid_algs(int sigid, int *pdig, int *ppkey) | ||
| { | ||
| int dig = 0; | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔵 [Low] wolfSSL_OBJ_find_sigid_algs omits RSA-PSS, EdDSA, and MD5 signature NIDs The mapping covers SHA1/224/256/384/512 with RSA and ECDSA but returns 0 (unsupported) for other algorithms wolfSSL/OpenSSL know, e.g. NID_rsassaPss (WC_NID_rsassaPss=912), Ed25519/Ed448, and md5WithRSAEncryption (WC_NID_md5WithRSAEncryption=99), all of which are already defined in evp.h. For EdDSA in particular, OpenSSL's OBJ_find_sigid_algs returns 1 with pkey set and digest = undef; returning 0 here diverges and may cause a compat consumer's certificate-algorithm introspection to treat those certs as unknown. This is acceptable as a documented limitation for the current use case but is a divergence from OpenSSL semantics. Fix: Consider extending the switch (guarded by the relevant feature macros) to cover RSA-PSS and Ed25519/Ed448 to match OpenSSL, or note the intentional scope limitation in the function comment. |
||
| int pkey = 0; | ||
| int ret = 1; | ||
|
|
||
| switch (sigid) { | ||
| #ifndef NO_RSA | ||
| case WC_NID_sha1WithRSAEncryption: | ||
| dig = WC_NID_sha1; pkey = WC_NID_rsaEncryption; break; | ||
| case WC_NID_sha224WithRSAEncryption: | ||
| dig = WC_NID_sha224; pkey = WC_NID_rsaEncryption; break; | ||
| case WC_NID_sha256WithRSAEncryption: | ||
| dig = WC_NID_sha256; pkey = WC_NID_rsaEncryption; break; | ||
| case WC_NID_sha384WithRSAEncryption: | ||
| dig = WC_NID_sha384; pkey = WC_NID_rsaEncryption; break; | ||
| case WC_NID_sha512WithRSAEncryption: | ||
| dig = WC_NID_sha512; pkey = WC_NID_rsaEncryption; break; | ||
| #endif /* !NO_RSA */ | ||
| #ifdef HAVE_ECC | ||
| case WC_NID_ecdsa_with_SHA1: | ||
| dig = WC_NID_sha1; pkey = WC_NID_X9_62_id_ecPublicKey; break; | ||
| case WC_NID_ecdsa_with_SHA224: | ||
| dig = WC_NID_sha224; pkey = WC_NID_X9_62_id_ecPublicKey; break; | ||
| case WC_NID_ecdsa_with_SHA256: | ||
| dig = WC_NID_sha256; pkey = WC_NID_X9_62_id_ecPublicKey; break; | ||
| case WC_NID_ecdsa_with_SHA384: | ||
| dig = WC_NID_sha384; pkey = WC_NID_X9_62_id_ecPublicKey; break; | ||
| case WC_NID_ecdsa_with_SHA512: | ||
| dig = WC_NID_sha512; pkey = WC_NID_X9_62_id_ecPublicKey; break; | ||
| #endif /* HAVE_ECC */ | ||
| default: | ||
| ret = 0; break; | ||
| } | ||
|
|
||
| if (ret == 1) { | ||
| if (pdig != NULL) *pdig = dig; | ||
| if (ppkey != NULL) *ppkey = pkey; | ||
| } | ||
| return ret; | ||
| } | ||
| #endif | ||
|
|
||
| #endif /* !OPENSSL_COEXIST */ | ||
|
|
||
| #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -44,6 +44,7 @@ | |
| #include <wolfssl/openssl/evp.h> | ||
| #endif | ||
| #include <wolfssl/openssl/bio.h> | ||
| #include <wolfssl/openssl/err.h> | ||
| #ifdef OPENSSL_EXTRA | ||
| #include <wolfssl/openssl/crypto.h> | ||
| #endif | ||
|
|
@@ -1568,6 +1569,14 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; | |
| #define SSL_get_state wolfSSL_get_state | ||
| #define SSL_state_string_long wolfSSL_state_string_long | ||
|
|
||
| /* Must equal HANDSHAKE_DONE in the internal 'enum states' | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 [Medium] WOLFSSL_TLS_ST_OK hardcoded to 16, duplicating internal HANDSHAKE_DONE with no compile-time check
Fix: Add a compile-time check in a .c file that includes internal.h, e.g. |
||
| * (wolfssl/internal.h), returned by wolfSSL_get_state(); 16 today. */ | ||
| #define WOLFSSL_TLS_ST_OK 16 | ||
|
dgarske marked this conversation as resolved.
|
||
| #define WOLFSSL_SSL_ST_OK WOLFSSL_TLS_ST_OK | ||
| #define TLS_ST_OK WOLFSSL_TLS_ST_OK | ||
| #define SSL_ST_OK WOLFSSL_SSL_ST_OK | ||
| #define SSL_F_SSL_SET_FD WOLFSSL_SSL_F_SSL_SET_FD | ||
|
|
||
| #define GENERAL_NAME_new wolfSSL_GENERAL_NAME_new | ||
| #define GENERAL_NAME_free wolfSSL_GENERAL_NAME_free | ||
| #define GENERAL_NAME_dup wolfSSL_GENERAL_NAME_dup | ||
|
|
@@ -1738,16 +1747,43 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; | |
| #define SSL_R_DATA_LENGTH_TOO_LONG BUFFER_ERROR | ||
| #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG BUFFER_ERROR | ||
| #define SSL_R_BAD_LENGTH BUFFER_ERROR | ||
| #define SSL_R_UNKNOWN_PROTOCOL VERSION_ERROR | ||
| #define SSL_R_WRONG_VERSION_NUMBER VERSION_ERROR | ||
| #define SSL_R_UNKNOWN_PROTOCOL WOLFSSL_SSL_R_UNKNOWN_PROTOCOL | ||
| #define SSL_R_WRONG_VERSION_NUMBER WOLFSSL_SSL_R_WRONG_VERSION_NUMBER | ||
| #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC ENCRYPT_ERROR | ||
| #define SSL_R_HTTPS_PROXY_REQUEST PARSE_ERROR | ||
| #define SSL_R_HTTP_REQUEST PARSE_ERROR | ||
| #define SSL_R_UNSUPPORTED_PROTOCOL VERSION_ERROR | ||
| #define SSL_R_UNSUPPORTED_PROTOCOL WOLFSSL_SSL_R_UNSUPPORTED_PROTOCOL | ||
| #define SSL_R_NO_PROTOCOLS_AVAILABLE \ | ||
| WOLFSSL_SSL_R_NO_PROTOCOLS_AVAILABLE | ||
| #define SSL_R_BAD_PROTOCOL_VERSION_NUMBER \ | ||
| WOLFSSL_SSL_R_BAD_PROTOCOL_VERSION_NUMBER | ||
| #define SSL_R_UNKNOWN_SSL_VERSION WOLFSSL_SSL_R_UNKNOWN_SSL_VERSION | ||
| #define SSL_R_UNSUPPORTED_SSL_VERSION \ | ||
| WOLFSSL_SSL_R_UNSUPPORTED_SSL_VERSION | ||
| #define SSL_R_WRONG_SSL_VERSION WOLFSSL_SSL_R_WRONG_SSL_VERSION | ||
| #define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION \ | ||
| WOLFSSL_SSL_R_TLSV1_ALERT_PROTOCOL_VERSION | ||
| #define SSL_R_CERTIFICATE_VERIFY_FAILED VERIFY_CERT_ERROR | ||
| #define SSL_R_CERT_CB_ERROR CLIENT_CERT_CB_ERROR | ||
| #define SSL_R_NULL_SSL_METHOD_PASSED BAD_FUNC_ARG | ||
| #define SSL_R_CCS_RECEIVED_EARLY OUT_OF_ORDER_E | ||
| #define ERR_R_BUF_LIB WOLFSSL_ERR_R_BUF_LIB | ||
| #define BIO_TYPE_DESCRIPTOR WOLFSSL_BIO_TYPE_DESCRIPTOR | ||
| #define BIO_TYPE_SOURCE_SINK WOLFSSL_BIO_TYPE_SOURCE_SINK | ||
| #define BIO_get_app_data(bio) wolfSSL_BIO_get_data(bio) | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 [Medium] BIO_get_app_data/BIO_set_app_data aliased to BIO_get_data/BIO_set_data (shared storage) In OpenSSL, Fix: Back app_data with a distinct storage slot (e.g. BIO ex_data index) so it does not alias the method data pointer, or document the limitation prominently if the aliasing is acceptable for the intended consumers. |
||
| #define BIO_set_app_data(bio, data) \ | ||
| wolfSSL_BIO_set_data((bio), (data)) | ||
| #define BIO_get_new_index wolfSSL_BIO_get_new_index | ||
| #define BIO_meth_get_gets wolfSSL_BIO_meth_get_gets | ||
| #define BIO_meth_get_puts wolfSSL_BIO_meth_get_puts | ||
| #define BIO_meth_get_ctrl wolfSSL_BIO_meth_get_ctrl | ||
| #define BIO_meth_get_create wolfSSL_BIO_meth_get_create | ||
| #define BIO_meth_get_destroy wolfSSL_BIO_meth_get_destroy | ||
| #define BIO_meth_get_callback_ctrl wolfSSL_BIO_meth_get_callback_ctrl | ||
| #define BIO_meth_set_callback_ctrl wolfSSL_BIO_meth_set_callback_ctrl | ||
| #ifndef BUILDING_WOLFSSL | ||
| #define OBJ_find_sigid_algs wolfSSL_OBJ_find_sigid_algs | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 [Medium] OBJ_find_sigid_algs compat macro placed in ssl.h instead of objects.h with the other OBJ_ macros* Every other Fix: Move the |
||
| #endif | ||
|
|
||
| #ifdef HAVE_SESSION_TICKET | ||
| #define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.