Browse Source

Various portability improvements:
* Change DTLS epoch size word16.
* Allow override of the `RECORD_SIZE` and `STATIC_BUFFER_LEN`.
* Remove endianness force from game build.
* Add `gmtime_s` option.
* Fix for macro conflict with `MAX_KEY_SIZE`.
* Expose functions `wolfSSL_X509_notBefore`, `wolfSSL_X509_notAfter`, `wolfSSL_X509_version` without `OPENSSL_EXTRA`.

David Garske 2 years ago
parent
commit
3fba5d17c3

+ 3 - 3
configure.ac

@@ -86,15 +86,15 @@ else
 fi
 
 
-AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netdb.h netinet/in.h stddef.h time.h sys/ioctl.h sys/socket.h sys/time.h errno.h])
+AC_CHECK_HEADERS([arpa/inet.h fcntl.h limits.h netdb.h netinet/in.h stddef.h time.h sys/ioctl.h sys/socket.h sys/time.h errno.h sys/un.h])
 AC_CHECK_LIB([network],[socket])
 AC_C_BIGENDIAN
 
 # check if functions of interest are linkable, but also check if
 # they're declared by the expected headers, and if not, supersede the
 # unusable positive from AC_CHECK_FUNCS().
-AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r inet_ntoa memset socket strftime atexit])
-AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, inet_ntoa, memset, socket, strftime], [], [
+AC_CHECK_FUNCS([gethostbyname getaddrinfo gettimeofday gmtime_r gmtime_s inet_ntoa memset socket strftime atexit])
+AC_CHECK_DECLS([gethostbyname, getaddrinfo, gettimeofday, gmtime_r, gmtime_s, inet_ntoa, memset, socket, strftime], [], [
 if test "$(eval echo \$"$(eval 'echo ac_cv_func_${as_decl_name}')")" = "yes"
 then
     AC_MSG_NOTICE([    note: earlier check for $(eval 'echo ${as_decl_name}') superseded.])

+ 0 - 3
cyassl/ctaocrypt/settings.h

@@ -350,9 +350,6 @@
 
 #ifdef CYASSL_GAME_BUILD
     #define SIZEOF_LONG_LONG 8
-    #if defined(__PPU) || defined(__XENON)
-        #define BIG_ENDIAN_ORDER
-    #endif
 #endif
 
 #ifdef CYASSL_LSR

+ 6 - 6
src/internal.c

@@ -6734,7 +6734,7 @@ void FreeKey(WOLFSSL* ssl, int type, void** pKey)
                 wc_curve448_free((curve448_key*)*pKey);
                 break;
         #endif /* HAVE_CURVE448 */
-		#if defined(HAVE_PQC) && defined(HAVE_FALCON)
+        #if defined(HAVE_PQC) && defined(HAVE_FALCON)
             case DYNAMIC_TYPE_FALCON:
                 wc_falcon_free((falcon_key*)*pKey);
                 break;
@@ -6801,7 +6801,7 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
             sz = sizeof(curve448_key);
             break;
     #endif /* HAVE_CURVE448 */
-	#if defined(HAVE_PQC) && defined(HAVE_FALCON)
+    #if defined(HAVE_PQC) && defined(HAVE_FALCON)
         case DYNAMIC_TYPE_FALCON:
             sz = sizeof(falcon_key);
             break;
@@ -6851,7 +6851,7 @@ int AllocKey(WOLFSSL* ssl, int type, void** pKey)
             ret = 0;
             break;
     #endif /* HAVE_CURVE448 */
-	#if defined(HAVE_PQC) && defined(HAVE_FALCON)
+    #if defined(HAVE_PQC) && defined(HAVE_FALCON)
         case DYNAMIC_TYPE_FALCON:
             wc_falcon_init((falcon_key*)*pKey);
             ret = 0;
@@ -7878,7 +7878,7 @@ int DtlsMsgSet(DtlsMsg* msg, word32 seq, word16 epoch, const byte* data, byte ty
 }
 
 
-DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 epoch, word32 seq)
+DtlsMsg* DtlsMsgFind(DtlsMsg* head, word16 epoch, word32 seq)
 {
     WOLFSSL_ENTER("DtlsMsgFind()");
     while (head != NULL && !(head->epoch == epoch && head->seq == seq)) {
@@ -7888,7 +7888,7 @@ DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 epoch, word32 seq)
 }
 
 
-void DtlsMsgStore(WOLFSSL* ssl, word32 epoch, word32 seq, const byte* data,
+void DtlsMsgStore(WOLFSSL* ssl, word16 epoch, word32 seq, const byte* data,
         word32 dataSz, byte type, word32 fragOffset, word32 fragSz, void* heap)
 {
     /* See if seq exists in the list. If it isn't in the list, make
@@ -13091,7 +13091,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                         break;
                     }
                 #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
-				#if defined(HAVE_PQC) && defined(HAVE_FALCON)
+                #if defined(HAVE_PQC) && defined(HAVE_FALCON)
                     case FALCON_LEVEL1k:
                     case FALCON_LEVEL5k:
                     {

+ 24 - 19
src/ssl.c

@@ -2411,7 +2411,7 @@ static int wolfSSL_read_internal(WOLFSSL* ssl, void* data, int sz, int peek)
             /* Add some bytes so that we can operate with slight difference
              * in set MTU size on each peer */
             ssl->dtls_expected_rx = max(ssl->dtls_expected_rx,
-                    ssl->dtlsMtuSz + DTLS_MTU_ADDITIONAL_READ_BUFFER);
+                    ssl->dtlsMtuSz + (word32)DTLS_MTU_ADDITIONAL_READ_BUFFER);
 #endif
     }
 #endif
@@ -5070,7 +5070,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
                 }
                 break;
             #endif /* HAVE_ED448 */
-			#if defined(HAVE_PQC) && defined(HAVE_FALCON)
+            #if defined(HAVE_PQC) && defined(HAVE_FALCON)
             case FALCON_LEVEL1k:
                 if (cm->minFalconKeySz < 0 ||
                           FALCON_LEVEL1_KEY_SIZE < (word16)cm->minFalconKeySz) {
@@ -5396,7 +5396,7 @@ int wolfSSL_Init(void)
 
     WOLFSSL_ENTER("wolfSSL_Init");
 
-    #if defined(HAVE_FIPS_VERSION) && ((HAVE_FIPS_VERSION > 5) || ((HAVE_FIPS_VERSION == 5) && (HAVE_FIPS_VERSION_MINOR >= 1)))
+    #if FIPS_VERSION_GE(5,1)
         ret = wolfCrypt_SetPrivateKeyReadEnable_fips(1, WC_KEYTYPE_ALL);
         if (ret != 0)
             return ret;
@@ -15275,7 +15275,7 @@ int wolfSSL_Cleanup(void)
             ret = WC_CLEANUP_E;
     }
 
-#if defined(HAVE_FIPS_VERSION) && ((HAVE_FIPS_VERSION > 5) || ((HAVE_FIPS_VERSION == 5) && (HAVE_FIPS_VERSION_MINOR >= 1)))
+#if FIPS_VERSION_GE(5,1)
     if (wolfCrypt_SetPrivateKeyReadEnable_fips(0, WC_KEYTYPE_ALL) < 0) {
         if (ret == WOLFSSL_SUCCESS)
             ret = WC_CLEANUP_E;
@@ -21701,7 +21701,9 @@ const byte* wolfSSL_X509_get_der(WOLFSSL_X509* x509, int* outSz)
 
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL || KEEP_OUR_CERT || KEEP_PEER_CERT || SESSION_CERTS */
 
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA) || \
+    defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || \
+    defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
 
 /* used by JSSE (not a standard compatibility function) */
 WOLFSSL_ABI
@@ -21737,6 +21739,19 @@ const byte* wolfSSL_X509_notAfter(WOLFSSL_X509* x509)
     return x509->notAfterData;
 }
 
+int wolfSSL_X509_version(WOLFSSL_X509* x509)
+{
+    WOLFSSL_ENTER("wolfSSL_X509_version");
+
+    if (x509 == NULL)
+        return 0;
+
+    return x509->version;
+}
+#endif
+
+#ifdef OPENSSL_EXTRA
+
 /* get the buffer to be signed (tbs) from the WOLFSSL_X509 certificate
     *
     * outSz : gets set to the size of the buffer
@@ -21771,16 +21786,6 @@ const unsigned char* wolfSSL_X509_get_tbs(WOLFSSL_X509* x509, int* outSz)
     return tbs;
 }
 
-int wolfSSL_X509_version(WOLFSSL_X509* x509)
-{
-    WOLFSSL_ENTER("wolfSSL_X509_version");
-
-    if (x509 == NULL)
-        return 0;
-
-    return x509->version;
-}
-
 #ifdef WOLFSSL_SEP
 
 /* copy oid into in buffer, at most *inOutSz bytes, if buffer is null will
@@ -58576,7 +58581,8 @@ int wolfSSL_RAND_write_file(const char* fname)
 #ifndef FREERTOS_TCP
 
 /* These constant values are protocol values made by egd */
-#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(NETOS)
+#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(HAVE_FIPS) && \
+    defined(HAVE_HASHDRBG) && !defined(NETOS) && defined(HAVE_SYS_UN_H)
     #define WOLFSSL_EGD_NBLOCK 0x01
     #include <sys/un.h>
 #endif
@@ -58589,8 +58595,7 @@ int wolfSSL_RAND_write_file(const char* fname)
  */
 int wolfSSL_RAND_egd(const char* nm)
 {
-#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(HAVE_FIPS) && \
-    defined(HAVE_HASHDRBG)
+#ifdef WOLFSSL_EGD_NBLOCK
     struct sockaddr_un rem;
     int fd;
     int ret = WOLFSSL_SUCCESS;
@@ -58728,7 +58733,7 @@ int wolfSSL_RAND_egd(const char* nm)
     (void)nm;
 
     return WOLFSSL_FATAL_ERROR;
-#endif /* USE_WOLFSSL_IO && !USE_WINDOWS_API && !HAVE_FIPS && HAVE_HASHDRBG */
+#endif /* WOLFSSL_EGD_NBLOCK */
 }
 
 #endif /* !FREERTOS_TCP */

+ 1 - 1
wolfcrypt/src/pkcs12.c

@@ -512,7 +512,7 @@ static int wc_PKCS12_create_mac(WC_PKCS12* pkcs12, byte* data, word32 dataSz,
     int id  = 3; /* value from RFC 7292 indicating key is used for MAC */
     word32 i;
     byte unicodePasswd[MAX_UNICODE_SZ];
-    byte key[MAX_KEY_SIZE];
+    byte key[PKCS_MAX_KEY_SIZE];
 
     if (pkcs12 == NULL || pkcs12->signData == NULL || data == NULL ||
             out == NULL) {

+ 13 - 13
wolfcrypt/src/wc_encrypt.c

@@ -381,7 +381,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
 #ifdef WOLFSSL_SMALL_STACK
     byte* key;
 #else
-    byte key[MAX_KEY_SIZE];
+    byte key[PKCS_MAX_KEY_SIZE];
 #endif
 
     (void)input;
@@ -469,7 +469,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
     }
 
 #ifdef WOLFSSL_SMALL_STACK
-    key = (byte*)XMALLOC(MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    key = (byte*)XMALLOC(PKCS_MAX_KEY_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if (key == NULL)
         return MEMORY_E;
 #endif
@@ -494,7 +494,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
         byte unicodePasswd[MAX_UNICODE_SZ];
 
         if ( (passwordSz * 2 + 2) > (int)sizeof(unicodePasswd)) {
-            ForceZero(key, MAX_KEY_SIZE);
+            ForceZero(key, PKCS_MAX_KEY_SIZE);
         #ifdef WOLFSSL_SMALL_STACK
             XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
         #endif
@@ -519,7 +519,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
     }
 #endif /* HAVE_PKCS12 */
     default:
-        ForceZero(key, MAX_KEY_SIZE);
+        ForceZero(key, PKCS_MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
         XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -528,7 +528,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
     } /* switch (version) */
 
     if (ret != 0) {
-        ForceZero(key, MAX_KEY_SIZE);
+        ForceZero(key, PKCS_MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
         XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -554,7 +554,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
                 ret = wc_Des_SetKey(&des, key, desIv, DES_DECRYPTION);
             }
             if (ret != 0) {
-                ForceZero(key, MAX_KEY_SIZE);
+                ForceZero(key, PKCS_MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
                 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -582,7 +582,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
 
             ret = wc_Des3Init(&des, NULL, INVALID_DEVID);
             if (ret != 0) {
-                ForceZero(key, MAX_KEY_SIZE);
+                ForceZero(key, PKCS_MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
                 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -595,7 +595,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
                 ret = wc_Des3_SetKey(&des, key, desIv, DES_DECRYPTION);
             }
             if (ret != 0) {
-                ForceZero(key, MAX_KEY_SIZE);
+                ForceZero(key, PKCS_MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
                 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -608,7 +608,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
                 ret = wc_Des3_CbcDecrypt(&des, input, input, length);
             }
             if (ret != 0) {
-                ForceZero(key, MAX_KEY_SIZE);
+                ForceZero(key, PKCS_MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
                 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -669,7 +669,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
             XFREE(aes, NULL, DYNAMIC_TYPE_AES);
 #endif
             if (ret != 0) {
-                ForceZero(key, MAX_KEY_SIZE);
+                ForceZero(key, PKCS_MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
                 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -692,7 +692,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
                     ret = wc_Rc2CbcDecrypt(&rc2, input, input, length);
             }
             if (ret != 0) {
-                ForceZero(key, MAX_KEY_SIZE);
+                ForceZero(key, PKCS_MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
                 XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -704,7 +704,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
 #endif
 
         default:
-            ForceZero(key, MAX_KEY_SIZE);
+            ForceZero(key, PKCS_MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
             XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
@@ -712,7 +712,7 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt,
             return ALGO_ID_E;
     }
 
-    ForceZero(key, MAX_KEY_SIZE);
+    ForceZero(key, PKCS_MAX_KEY_SIZE);
 #ifdef WOLFSSL_SMALL_STACK
     XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 #endif

+ 27 - 11
wolfssl/internal.h

@@ -1805,14 +1805,22 @@ enum {
 #endif
 
 
-/* give user option to use 16K static buffers */
-#if defined(LARGE_STATIC_BUFFERS)
-    #define RECORD_SIZE MAX_RECORD_SIZE
+/* determine maximum record size */
+#ifdef RECORD_SIZE
+    /* user supplied value */
+    #if RECORD_SIZE < 128 || RECORD_SIZE > MAX_RECORD_SIZE
+        #error Invalid record size
+    #endif
 #else
-    #ifdef WOLFSSL_DTLS
-        #define RECORD_SIZE MAX_MTU
+    /* give user option to use 16K static buffers */
+    #if defined(LARGE_STATIC_BUFFERS)
+        #define RECORD_SIZE     MAX_RECORD_SIZE
     #else
-        #define RECORD_SIZE 128
+        #ifdef WOLFSSL_DTLS
+            #define RECORD_SIZE MAX_MTU
+        #else
+            #define RECORD_SIZE 128
+        #endif
     #endif
 #endif
 
@@ -1835,7 +1843,13 @@ enum {
        The length (in bytes) of the following TLSPlaintext.fragment.
        The length should not exceed 2^14.
 */
-#if defined(LARGE_STATIC_BUFFERS)
+#ifdef STATIC_BUFFER_LEN
+    /* user supplied option */
+    #if STATIC_BUFFER_LEN < 5 || STATIC_BUFFER_LEN > (RECORD_HEADER_SZ + \
+                          RECORD_SIZE + COMP_EXTRA + MTU_EXTRA + MAX_MSG_EXTRA))
+        #error Invalid static buffer length
+    #endif
+#elif defined(LARGE_STATIC_BUFFERS)
     #define STATIC_BUFFER_LEN RECORD_HEADER_SZ + RECORD_SIZE + COMP_EXTRA + \
              MTU_EXTRA + MAX_MSG_EXTRA
 #else
@@ -4047,8 +4061,9 @@ struct WOLFSSL_X509 {
     WOLFSSL_X509_ALGOR algor;
     WOLFSSL_X509_PUBKEY key;
 #endif
-#if defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || defined(KEEP_PEER_CERT) || \
-    defined(SESSION_CERTS)
+#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA) || \
+    defined(OPENSSL_ALL) || defined(KEEP_OUR_CERT) || \
+    defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
     byte            notBeforeData[CTC_DATE_SIZE];
     byte            notAfterData[CTC_DATE_SIZE];
 #endif
@@ -4936,8 +4951,9 @@ WOLFSSL_LOCAL void DoCertFatalAlert(WOLFSSL* ssl, int ret);
     WOLFSSL_LOCAL int  DtlsMsgSet(DtlsMsg* msg, word32 seq, word16 epoch,
                                   const byte* data, byte type,
                                   word32 fragOffset, word32 fragSz, void* heap);
-    WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg* head, word32 epoch, word32 seq);
-    WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL* ssl, word32 epoch, word32 seq,
+    WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg* head, word16 epoch, word32 seq);
+
+    WOLFSSL_LOCAL void DtlsMsgStore(WOLFSSL* ssl, word16 epoch, word32 seq,
                                     const byte* data, word32 dataSz, byte type,
                                     word32 fragOffset, word32 fragSz,
                                     void* heap);

+ 6 - 2
wolfssl/wolfcrypt/asn.h

@@ -2278,8 +2278,12 @@ WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL* dcrl);
 
 #if !defined(NO_ASN) || !defined(NO_PWDBASED)
 
-#ifndef MAX_KEY_SIZE
-    #define MAX_KEY_SIZE    64  /* MAX PKCS Key length */
+#ifndef PKCS_MAX_KEY_SIZE
+    #define PKCS_MAX_KEY_SIZE    64  /* MAX PKCS Key length */
+#endif
+#if !defined(WOLFSSL_GAME_BUILD) && !defined(MAX_KEY_SIZE)
+    /* for backwards compatibility */
+    #define MAX_KEY_SIZE PKCS_MAX_KEY_SIZE
 #endif
 #ifndef MAX_UNICODE_SZ
     #define MAX_UNICODE_SZ  256

+ 0 - 3
wolfssl/wolfcrypt/settings.h

@@ -915,9 +915,6 @@ extern void uITRON4_free(void *p) ;
 
 #ifdef WOLFSSL_GAME_BUILD
     #define SIZEOF_LONG_LONG 8
-    #if defined(__PPU) || defined(__XENON)
-        #define BIG_ENDIAN_ORDER
-    #endif
 #endif
 
 #ifdef WOLFSSL_LSR

+ 5 - 1
wolfssl/wolfcrypt/wc_port.h

@@ -882,7 +882,11 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
 #endif
 #if !defined(XGMTIME) && !defined(TIME_OVERRIDES)
     /* Always use gmtime_r if available. */
-    #if defined(HAVE_GMTIME_R)
+    #if defined(HAVE_GMTIME_S)
+        /* reentrant version */
+        #define XGMTIME(c, t)   gmtime_s((c), (t))
+        #define NEED_TMP_TIME
+    #elif defined(HAVE_GMTIME_R)
         #define XGMTIME(c, t)   gmtime_r((c), (t))
         #define NEED_TMP_TIME
     #else