From 638e1c98dca10c298be041233ffa7c83d33dca85 Mon Sep 17 00:00:00 2001
From: Roman Khlopkov <roman.khlopkov@demlabs.net>
Date: Tue, 25 May 2021 08:42:24 +0000
Subject: [PATCH] bugs-4783
---
3rdparty/wolfssl/CMakeLists.txt | 34 ++++++++----
3rdparty/wolfssl/cyassl/options.h | 51 +++++++-----------
3rdparty/wolfssl/wolfssl/options.h | 51 +++++++-----------
dap-sdk/net/client/dap_client_http.c | 77 +++++++++++++++++-----------
dap-sdk/net/core/dap_worker.c | 61 +++++++++++++++-------
5 files changed, 147 insertions(+), 127 deletions(-)
diff --git a/3rdparty/wolfssl/CMakeLists.txt b/3rdparty/wolfssl/CMakeLists.txt
index 550c2b74b2..171c8ef3fa 100644
--- a/3rdparty/wolfssl/CMakeLists.txt
+++ b/3rdparty/wolfssl/CMakeLists.txt
@@ -46,21 +46,34 @@ set(WOLFSSL_DEFINITIONS)
set(WOLFSSL_LINK_LIBS)
#set(WOLFSSL_INSTALL_LIBS)
+set(WOLFSSL_ECC "yes")
+set(WOLFSSL_CURVE25519 "yes")
+set(WOLFSSL_ED25519 "yes")
+set(WOLFSSL_CURVE448 "yes")
+set(WOLFSSL_ED448 "yes")
+set(WOLFSSL_FE448 "yes")
+set(WOLFSSL_GE448 "yes")
+set(WOLFSSL_FEMATH "yes")
+set(WOLFSSL_GEMATH "yes")
+set(WOLFSSL_PSK "yes")
+set(WOLFSSL_OPENSSLEXTRA "yes")
+list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_STATIC_DH")
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_STATIC_RSA")
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_STATIC_PSK")
-list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_STATIC_DH")
-list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_OPENSSLEXTRA")
+list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ED25519")
+list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_CURVE25519")
+list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ED448")
+list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_CURVE448")
+list(APPEND WOLFSSL_DEFINITIONS "-DOPENSSL_EXTRA")
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_SUPPORTED_CURVES")
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_TLS_EXTENSIONS")
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_ECC")
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_AES")
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_AESGCM")
list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_AESGCM_DECRYPT")
-list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SHA384")
-list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_CHACHA")
-list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_POLY1305")
-list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_TLS_EXTENSIONS")
-list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_SNI")
+
+#list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_AESNI")
+list(APPEND WOLFSSL_DEFINITIONS "-DDEBUG_WOLFSSL")
include(${CMAKE_CURRENT_SOURCE_DIR}/cmake/functions.cmake)
@@ -184,6 +197,8 @@ find_package(Threads)
# Example for map file and custom linker script
#set(CMAKE_EXE_LINKER_FLAGS " -Xlinker -Map=output.map -T\"${CMAKE_CURRENT_SOURCE_DIR}/linker.ld\"")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -msse4.2 -m64")
+
####################################################
# Build Options
####################################################
@@ -983,11 +998,8 @@ if (WOLFSSL_TLS13)
"-DWOLFSSL_TLS13"
"-DHAVE_TLS_EXTENSIONS"
"-DHAVE_SUPPORTED_CURVES")
+ message("[+] TLS1.3 enabled")
endif()
-list(APPEND WOLFSSL_DEFINITIONS
- "-DWOLFSSL_TLS13"
- "-DHAVE_TLS_EXTENSIONS"
- "-DHAVE_SUPPORTED_CURVES")
# TODO: - Session ticket
diff --git a/3rdparty/wolfssl/cyassl/options.h b/3rdparty/wolfssl/cyassl/options.h
index 990fc059dc..e2e364e7b0 100644
--- a/3rdparty/wolfssl/cyassl/options.h
+++ b/3rdparty/wolfssl/cyassl/options.h
@@ -18,17 +18,29 @@
extern "C" {
#endif
+#undef WOLFSSL_STATIC_DH
+#define WOLFSSL_STATIC_DH
+
#undef WOLFSSL_STATIC_RSA
#define WOLFSSL_STATIC_RSA
#undef WOLFSSL_STATIC_PSK
#define WOLFSSL_STATIC_PSK
-#undef WOLFSSL_STATIC_DH
-#define WOLFSSL_STATIC_DH
+#undef HAVE_ED25519
+#define HAVE_ED25519
+
+#undef HAVE_CURVE25519
+#define HAVE_CURVE25519
+
+#undef HAVE_ED448
+#define HAVE_ED448
+
+#undef HAVE_CURVE448
+#define HAVE_CURVE448
-#undef WOLFSSL_OPENSSLEXTRA
-#define WOLFSSL_OPENSSLEXTRA
+#undef OPENSSL_EXTRA
+#define OPENSSL_EXTRA
#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES
@@ -48,20 +60,8 @@ extern "C" {
#undef HAVE_AESGCM_DECRYPT
#define HAVE_AESGCM_DECRYPT
-#undef WOLFSSL_SHA384
-#define WOLFSSL_SHA384
-
-#undef HAVE_CHACHA
-#define HAVE_CHACHA
-
-#undef HAVE_POLY1305
-#define HAVE_POLY1305
-
-#undef HAVE_TLS_EXTENSIONS
-#define HAVE_TLS_EXTENSIONS
-
-#undef HAVE_SNI
-#define HAVE_SNI
+#undef DEBUG_WOLFSSL
+#define DEBUG_WOLFSSL
#undef HAVE_THREAD_LS
#define HAVE_THREAD_LS
@@ -164,30 +164,15 @@ extern "C" {
#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES
-#undef WOLFSSL_TLS13
-#define WOLFSSL_TLS13
-
-#undef HAVE_TLS_EXTENSIONS
-#define HAVE_TLS_EXTENSIONS
-
-#undef HAVE_SUPPORTED_CURVES
-#define HAVE_SUPPORTED_CURVES
-
#undef HAVE_EXTENDED_MASTER
#define HAVE_EXTENDED_MASTER
-#undef NO_PSK
-#define NO_PSK
-
#undef HAVE_ENCRYPT_THEN_MAC
#define HAVE_ENCRYPT_THEN_MAC
#undef NO_MD4
#define NO_MD4
-#undef NO_PWDBASED
-#define NO_PWDBASED
-
#undef USE_FAST_MATH
#define USE_FAST_MATH
diff --git a/3rdparty/wolfssl/wolfssl/options.h b/3rdparty/wolfssl/wolfssl/options.h
index 5c9a8debcb..d6f39494f9 100644
--- a/3rdparty/wolfssl/wolfssl/options.h
+++ b/3rdparty/wolfssl/wolfssl/options.h
@@ -15,17 +15,29 @@
extern "C" {
#endif
+#undef WOLFSSL_STATIC_DH
+#define WOLFSSL_STATIC_DH
+
#undef WOLFSSL_STATIC_RSA
#define WOLFSSL_STATIC_RSA
#undef WOLFSSL_STATIC_PSK
#define WOLFSSL_STATIC_PSK
-#undef WOLFSSL_STATIC_DH
-#define WOLFSSL_STATIC_DH
+#undef HAVE_ED25519
+#define HAVE_ED25519
+
+#undef HAVE_CURVE25519
+#define HAVE_CURVE25519
+
+#undef HAVE_ED448
+#define HAVE_ED448
+
+#undef HAVE_CURVE448
+#define HAVE_CURVE448
-#undef WOLFSSL_OPENSSLEXTRA
-#define WOLFSSL_OPENSSLEXTRA
+#undef OPENSSL_EXTRA
+#define OPENSSL_EXTRA
#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES
@@ -45,20 +57,8 @@ extern "C" {
#undef HAVE_AESGCM_DECRYPT
#define HAVE_AESGCM_DECRYPT
-#undef WOLFSSL_SHA384
-#define WOLFSSL_SHA384
-
-#undef HAVE_CHACHA
-#define HAVE_CHACHA
-
-#undef HAVE_POLY1305
-#define HAVE_POLY1305
-
-#undef HAVE_TLS_EXTENSIONS
-#define HAVE_TLS_EXTENSIONS
-
-#undef HAVE_SNI
-#define HAVE_SNI
+#undef DEBUG_WOLFSSL
+#define DEBUG_WOLFSSL
#undef HAVE_THREAD_LS
#define HAVE_THREAD_LS
@@ -161,30 +161,15 @@ extern "C" {
#undef HAVE_SUPPORTED_CURVES
#define HAVE_SUPPORTED_CURVES
-#undef WOLFSSL_TLS13
-#define WOLFSSL_TLS13
-
-#undef HAVE_TLS_EXTENSIONS
-#define HAVE_TLS_EXTENSIONS
-
-#undef HAVE_SUPPORTED_CURVES
-#define HAVE_SUPPORTED_CURVES
-
#undef HAVE_EXTENDED_MASTER
#define HAVE_EXTENDED_MASTER
-#undef NO_PSK
-#define NO_PSK
-
#undef HAVE_ENCRYPT_THEN_MAC
#define HAVE_ENCRYPT_THEN_MAC
#undef NO_MD4
#define NO_MD4
-#undef NO_PWDBASED
-#define NO_PWDBASED
-
#undef USE_FAST_MATH
#define USE_FAST_MATH
diff --git a/dap-sdk/net/client/dap_client_http.c b/dap-sdk/net/client/dap_client_http.c
index 2be177c9d9..08a7f6ea59 100644
--- a/dap-sdk/net/client/dap_client_http.c
+++ b/dap-sdk/net/client/dap_client_http.c
@@ -86,6 +86,7 @@ typedef struct dap_http_client_internal {
#define PVT(a) (a ? (dap_client_http_pvt_t *) (a)->_inheritor : NULL)
static void s_http_connected(dap_events_socket_t * a_esocket); // Connected callback
+static void s_http_ssl_connected(dap_events_socket_t * a_esocket); // connected SSL callback
static void s_client_http_delete(dap_client_http_pvt_t * a_http_pvt);
static void s_http_read(dap_events_socket_t * a_es, void * arg);
static void s_http_error(dap_events_socket_t * a_es, int a_arg);
@@ -114,7 +115,7 @@ int dap_client_http_init()
s_client_timeout_read_after_connect_ms = (time_t) dap_config_get_item_uint32_default(g_config,"dap_client","timeout_read_after_connect",5);
#ifndef DAP_NET_CLIENT_NO_SSL
wolfSSL_Init();
- wolfSSL_Debugging_ON();
+ wolfSSL_Debugging_ON ();
if ((s_ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL)
return -1;
const char *l_ssl_cert_path = dap_config_get_item_str(g_config, "dap_client", "ssl_cert_path");
@@ -123,22 +124,21 @@ int dap_client_http_init()
return -2;
} else
wolfSSL_CTX_set_verify(s_ctx, WOLFSSL_VERIFY_NONE, 0);
- if (wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP160R1) != SSL_SUCCESS) {
+ if (wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP256R1) != SSL_SUCCESS) {
log_it(L_ERROR, "WolfSSL UseSupportedCurve() handle error");
}
- wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP160R1);
- wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP160R2);
- wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP192K1);
- wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP192R1);
- wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP224K1);
- wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP224R1);
- wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP256K1);
wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP256R1);
wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP384R1);
wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_SECP521R1);
- wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_BRAINPOOLP256R1);
- wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_BRAINPOOLP384R1);
- wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_BRAINPOOLP512R1);
+ wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_X25519);
+ wolfSSL_CTX_UseSupportedCurve(s_ctx, WOLFSSL_ECC_X448);
+
+ if (s_debug_more) {
+ const int l_ciphers_len = 2048;
+ char l_buf[l_ciphers_len];
+ wolfSSL_get_ciphers(l_buf, l_ciphers_len);
+ log_it(L_DEBUG, "WolfSSL cipher list is :\n%s", l_buf);
+ }
#endif
return 0;
}
@@ -604,25 +604,24 @@ void* dap_client_http_request_custom(dap_worker_t * a_worker, const char *a_upli
l_ev_socket->remote_addr.sin_family = AF_INET;
l_ev_socket->remote_addr.sin_port = htons(a_uplink_port);
l_ev_socket->flags |= DAP_SOCK_CONNECTING;
- l_ev_socket->type = a_over_ssl ? DESCRIPTOR_TYPE_SOCKET_CLIENT_SSL : DESCRIPTOR_TYPE_SOCKET_CLIENT;
+ l_ev_socket->type = DESCRIPTOR_TYPE_SOCKET_CLIENT;
l_ev_socket->flags |= DAP_SOCK_READY_TO_WRITE;
-
+ if (a_over_ssl) {
+#ifndef DAP_NET_CLIENT_NO_SSL
+ l_ev_socket->callbacks.connected_callback = s_http_ssl_connected;
+#else
+ log_it(L_ERROR,"We have no SSL implementation but trying to create SSL connection!");
+#endif
+ }
int l_err = connect(l_socket, (struct sockaddr *) &l_ev_socket->remote_addr, sizeof(struct sockaddr_in));
if (l_err == 0){
log_it(L_DEBUG, "Connected momentaly with %s:%u!", a_uplink_addr, a_uplink_port);
l_http_pvt->worker = a_worker?a_worker: dap_events_worker_get_auto();
if (a_over_ssl) {
#ifndef DAP_NET_CLIENT_NO_SSL
- WOLFSSL *l_ssl = wolfSSL_new(s_ctx);
- if (!l_ssl)
- log_it(L_ERROR, "wolfSSL_new error");
- wolfSSL_set_fd(l_ssl, l_socket);
- l_ev_socket->_pvt = (void *)l_ssl;
-#else
- log_it(L_ERROR,"We have no SSL implementation but trying to create SSL connection!");
+ s_http_ssl_connected(l_ev_socket);
#endif
}
- dap_worker_add_events_socket(l_ev_socket,l_http_pvt->worker);
return l_http_pvt;
}
#ifdef DAP_OS_WINDOWS
@@ -674,6 +673,31 @@ void* dap_client_http_request_custom(dap_worker_t * a_worker, const char *a_upli
#endif
}
+#ifndef DAP_NET_CLIENT_NO_SSL
+static void s_http_ssl_connected(dap_events_socket_t * a_esocket)
+{
+ assert(a_esocket);
+ dap_client_http_pvt_t * l_http_pvt = PVT(a_esocket);
+ assert(l_http_pvt);
+ dap_worker_t *l_worker = l_http_pvt->worker;
+ assert(l_worker);
+
+ WOLFSSL *l_ssl = wolfSSL_new(s_ctx);
+ if (!l_ssl)
+ log_it(L_ERROR, "wolfSSL_new error");
+ wolfSSL_set_fd(l_ssl, a_esocket->socket);
+ a_esocket->_pvt = (void *)l_ssl;
+ a_esocket->type = DESCRIPTOR_TYPE_SOCKET_CLIENT_SSL;
+ a_esocket->flags |= DAP_SOCK_CONNECTING;
+ a_esocket->flags |= DAP_SOCK_READY_TO_WRITE;
+ a_esocket->callbacks.connected_callback = s_http_connected;
+ dap_events_socket_handler_t * l_ev_socket_handler = DAP_NEW_Z(dap_events_socket_handler_t);
+ l_ev_socket_handler->esocket = a_esocket;
+ l_ev_socket_handler->uuid = a_esocket->uuid;
+ dap_timerfd_start_on_worker(l_http_pvt->worker, s_client_timeout_ms, s_timer_timeout_check, l_ev_socket_handler);
+}
+#endif
+
/**
* @brief s_http_connected
* @param a_esocket
@@ -686,15 +710,6 @@ static void s_http_connected(dap_events_socket_t * a_esocket)
dap_worker_t *l_worker = l_http_pvt->worker;
assert(l_worker);
- if (l_http_pvt->is_over_ssl) {
-#ifndef DAP_NET_CLIENT_NO_SSL
- WOLFSSL *l_ssl = wolfSSL_new(s_ctx);
- if (!l_ssl)
- log_it(L_ERROR, "wolfSSL_new error");
- wolfSSL_set_fd(l_ssl, a_esocket->socket);
- a_esocket->_pvt = (void *)l_ssl;
-#endif
- }
log_it(L_INFO, "Remote address connected (%s:%u) with sock_id %d", l_http_pvt->uplink_addr, l_http_pvt->uplink_port, a_esocket->socket);
// add to dap_worker
//dap_client_pvt_t * l_client_pvt = (dap_client_pvt_t*) a_obj;
diff --git a/dap-sdk/net/core/dap_worker.c b/dap-sdk/net/core/dap_worker.c
index f2f9981bfc..8b829f7b33 100644
--- a/dap-sdk/net/core/dap_worker.c
+++ b/dap-sdk/net/core/dap_worker.c
@@ -566,29 +566,52 @@ void *dap_worker_thread(void *arg)
}
// If its outgoing connection
- if ( l_flag_write && !l_cur->server && (l_cur->flags & DAP_SOCK_CONNECTING) &&
- ( l_cur->type == DESCRIPTOR_TYPE_SOCKET_CLIENT || l_cur->type == DESCRIPTOR_TYPE_SOCKET_UDP ||
- l_cur->type == DESCRIPTOR_TYPE_SOCKET_CLIENT_SSL)){
+ if ((l_flag_write && !l_cur->server && l_cur->flags & DAP_SOCK_CONNECTING && l_cur->type == DESCRIPTOR_TYPE_SOCKET_CLIENT) ||
+ (l_cur->type == DESCRIPTOR_TYPE_SOCKET_CLIENT_SSL && l_cur->flags & DAP_SOCK_CONNECTING)) {
int l_error = 0;
socklen_t l_error_len = sizeof(l_error);
char l_error_buf[128];
l_error_buf[0]='\0';
- getsockopt(l_cur->socket, SOL_SOCKET, SO_ERROR, (void *)&l_error, &l_error_len);
- if(l_error == EINPROGRESS) {
- log_it(L_DEBUG, "Connecting with %s in progress...", l_cur->remote_addr_str ? l_cur->remote_addr_str: "(NULL)");
- }else if (l_error){
- strerror_r(l_error, l_error_buf, sizeof (l_error_buf));
- log_it(L_ERROR,"Connecting error with %s: \"%s\" (code %d)", l_cur->remote_addr_str ? l_cur->remote_addr_str: "(NULL)",
- l_error_buf, l_error);
- if ( l_cur->callbacks.error_callback )
- l_cur->callbacks.error_callback(l_cur, l_error);
- }else{
- if(s_debug_reactor)
- log_it(L_NOTICE, "Connected with %s",l_cur->remote_addr_str ? l_cur->remote_addr_str: "(NULL)");
- l_cur->flags ^= DAP_SOCK_CONNECTING;
- if (l_cur->callbacks.connected_callback)
- l_cur->callbacks.connected_callback(l_cur);
- dap_events_socket_worker_poll_update_unsafe(l_cur);
+ if (l_cur->type == DESCRIPTOR_TYPE_SOCKET_CLIENT_SSL) {
+#ifndef DAP_NET_CLIENT_NO_SSL
+ WOLFSSL *l_ssl = SSL(l_cur);
+ int l_res = wolfSSL_negotiate(l_ssl);
+ if (l_res != WOLFSSL_SUCCESS) {
+ char l_err_str[80];
+ int l_err = wolfSSL_get_error(l_ssl, l_res);
+ if (l_err != WOLFSSL_ERROR_WANT_READ && l_err != WOLFSSL_ERROR_WANT_WRITE) {
+ wolfSSL_ERR_error_string(l_err, l_err_str);
+ log_it(L_ERROR, "SSL handshake error \"%s\" with code %d", l_err_str, l_err);
+ if ( l_cur->callbacks.error_callback )
+ l_cur->callbacks.error_callback(l_cur, l_error);
+ }
+ } else {
+ if(s_debug_reactor)
+ log_it(L_NOTICE, "SSL handshake done with %s", l_cur->remote_addr_str ? l_cur->remote_addr_str: "(NULL)");
+ l_cur->flags ^= DAP_SOCK_CONNECTING;
+ if (l_cur->callbacks.connected_callback)
+ l_cur->callbacks.connected_callback(l_cur);
+ dap_events_socket_worker_poll_update_unsafe(l_cur);
+ }
+#endif
+ } else {
+ getsockopt(l_cur->socket, SOL_SOCKET, SO_ERROR, (void *)&l_error, &l_error_len);
+ if(l_error == EINPROGRESS) {
+ log_it(L_DEBUG, "Connecting with %s in progress...", l_cur->remote_addr_str ? l_cur->remote_addr_str: "(NULL)");
+ }else if (l_error){
+ strerror_r(l_error, l_error_buf, sizeof (l_error_buf));
+ log_it(L_ERROR,"Connecting error with %s: \"%s\" (code %d)", l_cur->remote_addr_str ? l_cur->remote_addr_str: "(NULL)",
+ l_error_buf, l_error);
+ if ( l_cur->callbacks.error_callback )
+ l_cur->callbacks.error_callback(l_cur, l_error);
+ }else{
+ if(s_debug_reactor)
+ log_it(L_NOTICE, "Connected with %s",l_cur->remote_addr_str ? l_cur->remote_addr_str: "(NULL)");
+ l_cur->flags ^= DAP_SOCK_CONNECTING;
+ if (l_cur->callbacks.connected_callback)
+ l_cur->callbacks.connected_callback(l_cur);
+ dap_events_socket_worker_poll_update_unsafe(l_cur);
+ }
}
}
--
GitLab