-
Notifications
You must be signed in to change notification settings - Fork 1k
OpenSSL compatibility for libodbc #10813
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -38,10 +38,21 @@ | |
| #define WOLFSSL_SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 2 | ||
| #define WOLFSSL_SSL_F_SSL_USE_PRIVATEKEY 3 | ||
| #define WOLFSSL_EC_F_EC_GFP_SIMPLE_POINT2OCT 4 | ||
| #define WOLFSSL_SSL_F_SSL_SET_FD 5 | ||
|
|
||
| /* reasons */ | ||
| #define WOLFSSL_ERR_R_SYS_LIB 1 | ||
| #define WOLFSSL_PKCS12_R_MAC_VERIFY_FAILURE 2 | ||
| #define WOLFSSL_ERR_R_BUF_LIB 0 | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔵 [Low] WOLFSSL_ERR_R_BUF_LIB defined as 0 (conflicts with 'no error' and OpenSSL's value)
Fix: Give ERR_R_BUF_LIB a distinct nonzero value (matching OpenSSL's convention if the consumer compares raw values), or confirm the consumer never treats 0 as a meaningful reason. |
||
| #define WOLFSSL_SSL_R_UNKNOWN_PROTOCOL 252 | ||
| #define WOLFSSL_SSL_R_WRONG_VERSION_NUMBER 267 | ||
| #define WOLFSSL_SSL_R_UNSUPPORTED_PROTOCOL 258 | ||
| #define WOLFSSL_SSL_R_NO_PROTOCOLS_AVAILABLE 194 | ||
| #define WOLFSSL_SSL_R_BAD_PROTOCOL_VERSION_NUMBER 182 | ||
| #define WOLFSSL_SSL_R_UNKNOWN_SSL_VERSION 254 | ||
| #define WOLFSSL_SSL_R_UNSUPPORTED_SSL_VERSION 259 | ||
| #define WOLFSSL_SSL_R_WRONG_SSL_VERSION 266 | ||
| #define WOLFSSL_SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 | ||
|
|
||
| #ifndef OPENSSL_COEXIST | ||
|
|
||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -74,6 +74,20 @@ | |
| #define NID_ad_OCSP WC_NID_ad_OCSP | ||
| #define NID_ad_ca_issuers WC_NID_ad_ca_issuers | ||
|
|
||
| /* OBJ_find_sigid_algs(): report SHA-256 / RSA for libpq's | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔵 [Low] Garbled comment on OBJ_find_sigid_algs literal NIDs The comment 'Literal NIDs (672, 6) is for ASN is disabled.' is grammatically broken and unclear (double 'is'). It appears to intend 'Literal NIDs (672, 6) are used in case ASN is disabled.' Fix: Fix the comment wording. |
||
| * RSA-with-SHA-256 channel binding. Literal NIDs (672, 6) is for | ||
| * ASN is disabled. */ | ||
| #ifndef BUILDING_WOLFSSL | ||
| static WC_INLINE int | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔴 [High] OBJ_find_sigid_algs stub hardcodes SHA-256/RSA and ignores sigid The new Fix: Do not ship an always-success stub that returns fixed crypto parameters. Either map the real signature algorithm, or return 0 for anything other than the algorithm(s) actually supported so callers can detect the unsupported case. |
||
| wolfSSL_OBJ_find_sigid_algs(int sigid, int *pdig, int *ppkey) | ||
| { | ||
| (void)sigid; | ||
| if (pdig != NULL) *pdig = 672; /* NID_sha256 */ | ||
| if (ppkey != NULL) *ppkey = 6; /* NID_rsaEncryption */ | ||
| return 1; | ||
| } | ||
| #endif | ||
|
|
||
| #endif /* !OPENSSL_COEXIST */ | ||
|
|
||
| #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -44,6 +44,7 @@ | |
| #include <wolfssl/openssl/evp.h> | ||
| #endif | ||
| #include <wolfssl/openssl/bio.h> | ||
| #include <wolfssl/openssl/err.h> | ||
| #ifdef OPENSSL_EXTRA | ||
| #include <wolfssl/openssl/crypto.h> | ||
| #endif | ||
|
|
@@ -1568,6 +1569,12 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; | |
| #define SSL_get_state wolfSSL_get_state | ||
| #define SSL_state_string_long wolfSSL_state_string_long | ||
|
|
||
| #define WOLFSSL_TLS_ST_OK 16 | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🔵 [Low] TLS_ST_OK hardcoded to 16, coupled to internal enum position
Fix: Add a comment noting that 16 must equal the internal HANDSHAKE_DONE enum value (wolfssl/internal.h enum states), so a future editor keeps them in sync. |
||
| #define WOLFSSL_SSL_ST_OK WOLFSSL_TLS_ST_OK | ||
| #define TLS_ST_OK WOLFSSL_TLS_ST_OK | ||
| #define SSL_ST_OK WOLFSSL_SSL_ST_OK | ||
| #define SSL_F_SSL_SET_FD WOLFSSL_SSL_F_SSL_SET_FD | ||
|
|
||
| #define GENERAL_NAME_new wolfSSL_GENERAL_NAME_new | ||
| #define GENERAL_NAME_free wolfSSL_GENERAL_NAME_free | ||
| #define GENERAL_NAME_dup wolfSSL_GENERAL_NAME_dup | ||
|
|
@@ -1738,16 +1745,43 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; | |
| #define SSL_R_DATA_LENGTH_TOO_LONG BUFFER_ERROR | ||
| #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG BUFFER_ERROR | ||
| #define SSL_R_BAD_LENGTH BUFFER_ERROR | ||
| #define SSL_R_UNKNOWN_PROTOCOL VERSION_ERROR | ||
| #define SSL_R_WRONG_VERSION_NUMBER VERSION_ERROR | ||
| #define SSL_R_UNKNOWN_PROTOCOL WOLFSSL_SSL_R_UNKNOWN_PROTOCOL | ||
| #define SSL_R_WRONG_VERSION_NUMBER WOLFSSL_SSL_R_WRONG_VERSION_NUMBER | ||
| #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC ENCRYPT_ERROR | ||
| #define SSL_R_HTTPS_PROXY_REQUEST PARSE_ERROR | ||
| #define SSL_R_HTTP_REQUEST PARSE_ERROR | ||
| #define SSL_R_UNSUPPORTED_PROTOCOL VERSION_ERROR | ||
| #define SSL_R_UNSUPPORTED_PROTOCOL WOLFSSL_SSL_R_UNSUPPORTED_PROTOCOL | ||
| #define SSL_R_NO_PROTOCOLS_AVAILABLE \ | ||
| WOLFSSL_SSL_R_NO_PROTOCOLS_AVAILABLE | ||
| #define SSL_R_BAD_PROTOCOL_VERSION_NUMBER \ | ||
| WOLFSSL_SSL_R_BAD_PROTOCOL_VERSION_NUMBER | ||
| #define SSL_R_UNKNOWN_SSL_VERSION WOLFSSL_SSL_R_UNKNOWN_SSL_VERSION | ||
| #define SSL_R_UNSUPPORTED_SSL_VERSION \ | ||
| WOLFSSL_SSL_R_UNSUPPORTED_SSL_VERSION | ||
| #define SSL_R_WRONG_SSL_VERSION WOLFSSL_SSL_R_WRONG_SSL_VERSION | ||
| #define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION \ | ||
| WOLFSSL_SSL_R_TLSV1_ALERT_PROTOCOL_VERSION | ||
| #define SSL_R_CERTIFICATE_VERIFY_FAILED VERIFY_CERT_ERROR | ||
| #define SSL_R_CERT_CB_ERROR CLIENT_CERT_CB_ERROR | ||
| #define SSL_R_NULL_SSL_METHOD_PASSED BAD_FUNC_ARG | ||
| #define SSL_R_CCS_RECEIVED_EARLY OUT_OF_ORDER_E | ||
| #define ERR_R_BUF_LIB WOLFSSL_ERR_R_BUF_LIB | ||
| #define BIO_TYPE_DESCRIPTOR WOLFSSL_BIO_TYPE_DESCRIPTOR | ||
| #define BIO_TYPE_SOURCE_SINK WOLFSSL_BIO_TYPE_SOURCE_SINK | ||
| #define BIO_get_app_data(bio) wolfSSL_BIO_get_data(bio) | ||
| #define BIO_set_app_data(bio, data) \ | ||
| wolfSSL_BIO_set_data((bio), (data)) | ||
| #define BIO_get_new_index wolfSSL_BIO_get_new_index | ||
| #define BIO_meth_get_gets wolfSSL_BIO_meth_get_gets | ||
| #define BIO_meth_get_puts wolfSSL_BIO_meth_get_puts | ||
| #define BIO_meth_get_ctrl wolfSSL_BIO_meth_get_ctrl | ||
| #define BIO_meth_get_create wolfSSL_BIO_meth_get_create | ||
| #define BIO_meth_get_destroy wolfSSL_BIO_meth_get_destroy | ||
| #define BIO_meth_get_callback_ctrl wolfSSL_BIO_meth_get_callback_ctrl | ||
| #define BIO_meth_set_callback_ctrl wolfSSL_BIO_meth_set_callback_ctrl | ||
| #ifndef BUILDING_WOLFSSL | ||
| #define OBJ_find_sigid_algs wolfSSL_OBJ_find_sigid_algs | ||
| #endif | ||
|
|
||
| #ifdef HAVE_SESSION_TICKET | ||
| #define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟠 [Medium] No test coverage for WOLFSSL_VERIFY_NONE_DEFAULT security-relevant default change
The new
WOLFSSL_VERIFY_NONE_DEFAULTbuild option flips the default peer-verification behavior of a freshly created CTX (and every SSL it spawns, viassl->options.verifyNone = ctx->verifyNone) from verify to no-verify. This is a security-relevant default and there is no test asserting (a) that with the macro set a new CTX hasverifyNoneand an SSL inherits it, and (b) that a subsequentwolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, ...)correctly clears the default. The PR checklist 'added tests' is unchecked.Fix: Add an API test (guarded on WOLFSSL_VERIFY_NONE_DEFAULT) that creates a CTX, checks the default is VERIFY_NONE, verifies an SSL inherits it, and verifies wolfSSL_CTX_set_verify(WOLFSSL_VERIFY_PEER) overrides it. Also confirm interaction with wolfSSL_CTX_set_verify(WOLFSSL_VERIFY_DEFAULT), which resets verifyNone back to 0.