Domů Procházet Nápověda
Přihlásit se
RISCI_ATOM
/
wolfssl
zrcadlo https://github.com/wolfSSL/wolfssl.git
1
0
Rozštěpit 0
Soubory Úkoly 14 Wiki
Procházet zdrojové kódy

Add ability to toggle system CA certs support.

Hayden Roche před 1 rokem
rodič
b50a786cb2
revize
98ac4a6f9c
6 změnil soubory, kde provedl 74 přidání a 16 odebrání
Rozdělené zobrazení Ukázat statistiku rozdílových dat
  1. 11 0
      CMakeLists.txt
  2. 33 6
      configure.ac
  3. 8 6
      examples/client/client.c
  4. 9 2
      src/ssl.c
  5. 2 2
      tests/api.c
  6. 11 0
      wolfssl/wolfcrypt/settings.h

+ 11 - 0
CMakeLists.txt
Zobrazit soubor 

@@ -1668,6 +1668,17 @@ add_option("WOLFSSL_OPTFLAGS"
 
     "Enable default optimization CFLAGS for the compiler (default: enabled)"
 
     "yes" "yes;no")
 
 
+add_option("WOLFSSL_SYS_CA_CERTS"
 
+    "Enable ability to load CA certs from OS (default: enabled)"
 
+    "yes" "yes;no")
 
+if(WOLFSSL_SYS_CA_CERTS)
 
+    if(NOT WOLFSSL_FILESYSTEM)
 
+        message(FATAL_ERROR "Cannot use system CA certs without a filesystem.")
 
+    else()
 
+        list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SYS_CA_CERTS")
 
+    endif()
 
+endif()
 
+
 
 # FLAGS operations
 
 
 if(WOLFSSL_AESCCM)

+ 33 - 6
configure.ac
Zobrazit soubor 

@@ -1097,7 +1097,6 @@ AC_ARG_ENABLE([cryptonly],
 
 
 AS_IF([test "x$FIPS_VERSION" = "xrand"],[ENABLED_CRYPTONLY="yes"])
 
 
-
 
 # DTLS
 
 # DTLS is a prereq for the options mcast, sctp, and jni. Enabling any of those
 
 # without DTLS will also enable DTLS.
 
@@ -7346,6 +7345,12 @@ AC_ARG_ENABLE([optflags],
 
     [ ENABLED_OPTFLAGS=yes ]
 
     )
 
 
+# Adds functionality to load CA certificates from the operating system.
 
+AC_ARG_ENABLE([sys-ca-certs],
 
+    [AS_HELP_STRING([--enable-sys-ca-certs],[Enable ability to load CA certs from OS (default: enabled)])],
 
+    [ ENABLED_SYS_CA_CERTS=$enableval ],
 
+    [ ENABLED_SYS_CA_CERTS=yes ]
 
+    )
 
 
 # check if should run the trusted peer certs test
 
 # (for now checking both C_FLAGS and C_EXTRA_FLAGS)
 
@@ -7408,6 +7413,24 @@ esac
 
 # Update ENABLE_* variables                                                    #
 
 ################################################################################
 
 
+if test "x$ENABLED_LEANPSK" = "xyes" || test "x$ENABLED_CERTS" = "xno" || \
 
+   test "x$ENABLED_ASN" = "xno"
 
+then
 
+   ENABLED_CERTS=no
 
+   ENABLED_ASN=no
 
+fi
 
+
 
+if test "x$ENABLED_SYS_CA_CERTS" = "xyes"
 
+then
 
+    if test "x$ENABLED_FILESYSTEM" = "xno"
 
+    then
 
+        ENABLED_SYS_CA_CERTS="no"
 
+    elif test "x$ENABLED_CERTS" = "xno"
 
+    then
 
+        ENABLED_SYS_CA_CERTS="no"
 
+    fi
 
+fi
 
+
 
 if test "x$ENABLED_WOLFCLU" = "xyes"
 
 then
 
     if test "x$ENABLED_CERTGEN" = "xno"
 
@@ -7621,6 +7644,14 @@ AS_IF([test "x$ENABLED_16BIT" = "xyes" && \
 
 ################################################################################
 
 # Update CFLAGS based on options                                               #
 
 ################################################################################
 
+AS_IF([test "x$ENABLED_CERTS" = "xno"],
 
+      [AM_CFLAGS="$AM_CFLAGS -DNO_CERTS"])
 
+
 
+AS_IF([test "x$ENABLED_ASN" = "xno"],
 
+      [AM_CFLAGS="$AM_CFLAGS -DNO_ASN"])
 
+
 
+AS_IF([test "x$ENABLED_SYS_CA_CERTS" = "xyes"],
 
+      [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SYS_CA_CERTS"])
 
 
 AS_IF([test "x$ENABLED_ALTNAMES" = "xyes"],
 
       [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_NAMES"])
 
@@ -7894,11 +7925,6 @@ fi
 
 
 AS_IF([test "x$ENABLED_WOLFSSH" = "xyes"],[AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSL_WOLFSSH"])
 
 
-if test "x$ENABLED_CERTS" = "xno" || test "x$ENABLED_LEANPSK" = "xyes" || test "x$ENABLED_ASN" = "xno"; then
 
-   AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_CERTS"
 
-   ENABLED_ASN=no
 
-fi
 
-
 
 # only allow secure renegotiation info with TLSV12 and ASN
 
 if test "x$ENABLED_ASN" = "xno" || \
 
     test "x$ENABLED_TLSV12" = "xno" || \
 
@@ -8664,6 +8690,7 @@ echo "   * IoT-Safe:                   $ENABLED_IOTSAFE"
 
 echo "   * IoT-Safe HWRNG:             $ENABLED_IOTSAFE_HWRNG"
 
 echo "   * NXP SE050:                  $ENABLED_SE050"
 
 echo "   * PSA:                        $ENABLED_PSA"
 
+echo "   * System CA certs:            $ENABLED_SYS_CA_CERTS"
 
 echo ""
 
 echo "---"

+ 8 - 6
examples/client/client.c
Zobrazit soubor 

@@ -1318,7 +1318,7 @@ static const char* client_usage_msg[][70] = {
 
 #ifdef WOLFSSL_SRTP
 
         "--srtp <profile> (default is SRTP_AES128_CM_SHA1_80)\n",       /* 71 */
 
 #endif
 
-#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
 
+#ifdef WOLFSSL_SYS_CA_CERTS
 
         "--sys-ca-certs Load system CA certs for server cert verification\n", /* 72 */
 
 #endif
 
         "\n"
 
@@ -1767,7 +1767,7 @@ static void Usage(void)
 
     printf("%s", msg[++msgid]);     /* more --pqc options */
 
     printf("%s", msg[++msgid]);     /* more --pqc options */
 
 #endif
 
-#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
 
+#ifdef WOLFSSL_SYS_CA_CERTS
 
     printf("%s", msg[++msgid]); /* --sys-ca-certs */
 
 #endif
 
 #ifdef WOLFSSL_SRTP
 
@@ -1903,7 +1903,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
 #ifdef WOLFSSL_DTLS_CID
 
         {"cid", 2, 262},
 
 #endif /* WOLFSSL_DTLS_CID */
 
+#ifdef WOLFSSL_SYS_CA_CERTS
 
         { "sys-ca-certs", 0, 263 },
 
+#endif
 
         { 0, 0, 0 }
 
     };
 
 #endif
 
@@ -2013,7 +2015,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
     char* pqcAlg = NULL;
 
     int exitWithRet = 0;
 
     int loadCertKeyIntoSSLObj = 0;
 
-#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
 
+#ifdef WOLFSSL_SYS_CA_CERTS
 
     byte loadSysCaCerts = 0;
 
 #endif
 
 
@@ -2716,7 +2718,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
                 pqcAlg = myoptarg;
 
                 break;
 
 #endif
 
-#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
 
+#ifdef WOLFSSL_SYS_CA_CERTS
 
             case 263:
 
                 loadSysCaCerts = 1;
 
                 break;
 
@@ -2977,12 +2979,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 
     }
 
 #endif
 
 
-#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
 
+#ifdef WOLFSSL_SYS_CA_CERTS
 
     if (loadSysCaCerts &&
 
         wolfSSL_CTX_load_system_CA_certs(ctx) != WOLFSSL_SUCCESS) {
 
         err_sys("wolfSSL_CTX_load_system_CA_certs failed");
 
     }
 
-#endif
 
+#endif /* WOLFSSL_SYS_CA_CERTS */
 
 
     if (minVersion != CLIENT_INVALID_VERSION) {
 
 #ifdef WOLFSSL_DTLS

+ 9 - 2
src/ssl.c
Zobrazit soubor 

@@ -183,6 +183,9 @@
 
  *     ClientCache by default for backwards compatibility. This define will
 
  *     make wolfSSL_get_session return a reference to ssl->session. The returned
 
  *     pointer will be freed with the related WOLFSSL object.
 
+ * WOLFSSL_SYS_CA_CERTS
 
+ *     Enables ability to load system CA certs from the OS via
 
+ *     wolfSSL_CTX_load_system_CA_certs.
 
  */
 
 
 #define WOLFSSL_EVP_INCLUDED
 
@@ -8050,6 +8053,8 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
 
     return WS_RETURN_CODE(ret,WOLFSSL_FAILURE);
 
 }
 
 
+#ifdef WOLFSSL_SYS_CA_CERTS
 
+
 
 #ifdef USE_WINDOWS_API
 
 
 static int LoadSystemCaCertsWindows(WOLFSSL_CTX* ctx, byte* loaded)
 
@@ -8245,6 +8250,8 @@ int wolfSSL_CTX_load_system_CA_certs(WOLFSSL_CTX* ctx)
 
     return ret;
 
 }
 
 
+#endif /* WOLFSSL_SYS_CA_CERTS */
 
+
 
 #ifdef WOLFSSL_TRUST_PEER_CERT
 
 /* Used to specify a peer cert to match when connecting
 
     ctx : the ctx structure to load in peer cert
 
@@ -16355,7 +16362,7 @@ cleanup:
 
 
 #ifdef OPENSSL_EXTRA
 
 
-    #ifndef NO_FILESYSTEM
 
+    #ifdef WOLFSSL_SYS_CA_CERTS
 
     /*
 
      * This is an OpenSSL compatibility layer function, but it doesn't mirror
 
      * the exact functionality of its OpenSSL counterpart. We don't support the
 
@@ -16383,7 +16390,7 @@ cleanup:
 
 
         return ret;
 
     }
 
-    #endif /* !NO_FILESYSTEM */
 
+    #endif /* WOLFSSL_SYS_CA_CERTS */
 
 
     #if defined(WOLFCRYPT_HAVE_SRP) && !defined(NO_SHA256) \
 
         && !defined(WC_NO_RNG)

+ 2 - 2
tests/api.c
Zobrazit soubor 

@@ -1350,7 +1350,7 @@ static int test_wolfSSL_CTX_load_system_CA_certs(void)
 
 {
 
     int ret = 0;
 
 
-#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_WOLFSSL_CLIENT)
 
+#if defined(WOLFSSL_SYS_CA_CERTS) && !defined(NO_WOLFSSL_CLIENT)
 
     WOLFSSL_CTX* ctx;
 
     byte dirValid = 0;
 
 
@@ -1404,7 +1404,7 @@ static int test_wolfSSL_CTX_load_system_CA_certs(void)
 
 #endif /* OPENSSL_EXTRA */
 
 
     wolfSSL_CTX_free(ctx);
 
-#endif /* !NO_FILESYSTEM && !NO_CERTS && !NO_WOLFSSL_CLIENT */
 
+#endif /* WOLFSSL_SYS_CA_CERTS && !NO_WOLFSSL_CLIENT */
 
 
     return ret;
 
 }

+ 11 - 0
wolfssl/wolfcrypt/settings.h
Zobrazit soubor 

@@ -2857,6 +2857,17 @@ extern void uITRON4_free(void *p) ;
 
     #define WOLFSSL_ASYNC_IO
 
 #endif
 
 
+#ifdef WOLFSSL_SYS_CA_CERTS
 
+    #ifdef NO_FILESYSTEM
 
+        #warning "Turning off WOLFSSL_SYS_CA_CERTS b/c NO_FILESYSTEM is defined."
 
+        #undef WOLFSSL_SYS_CA_CERTS
 
+    #endif
 
+    #ifdef NO_CERTS
 
+        #warning "Turning off WOLFSSL_SYS_CA_CERTS b/c NO_CERTS is defined."
 
+        #undef WOLFSSL_SYS_CA_CERTS
 
+    #endif
 
+#endif /* WOLFSSL_SYS_CA_CERTS */
 
+
 
 #ifdef __cplusplus
 
     }   /* extern "C" */
 
 #endif