[mod_wolfssl] minor updates for wolfSSL v4.6.0

src/mod_wolfssl.c

@@ -61,8 +61,6 @@ static char global_err_buf[WOLFSSL_MAX_ERROR_SZ];
 #define ERR_error_string(e,b) \
         (wolfSSL_ERR_error_string_n((e),global_err_buf,WOLFSSL_MAX_ERROR_SZ), \
          global_err_buf)
-/* WolfSSL does not provide OPENSSL_cleanse() */
-#define OPENSSL_cleanse(x,sz) safe_memclear((x),(sz))
 
 #if 0 /* symbols and definitions requires WolfSSL built with -DOPENSSL_EXTRA */
 #define SSL_TLSEXT_ERR_OK               0
@@ -94,6 +92,10 @@ WOLFSSL_API WOLFSSL_X509_NAME_ENTRY *wolfSSL_X509_NAME_get_entry(WOLFSSL_X509_NA
         ((WOLF_STACK_OF(WOLFSSL_X509_NAME) *)1) /* ! NULL */
 #endif
 
+#if LIBWOLFSSL_VERSION_HEX < 0x04006000 || defined(WOLFSSL_NO_FORCE_ZERO)
+#define wolfSSL_OPENSSL_cleanse(x,sz) safe_memclear((x),(sz))
+#endif
+
 #if LIBWOLFSSL_VERSION_HEX < 0x04002000 /*(exact version needed not checked)*/
 #ifndef STACK_OF
 #define STACK_OF(x) WOLFSSL_STACK
@@ -279,7 +281,7 @@ mod_openssl_session_ticket_key_rotate (void)
               session_ticket_keys+0, sizeof(tlsext_ticket_key_t)*2);*/
     session_ticket_keys[0] = session_ticket_keys[3];
 
-    OPENSSL_cleanse(session_ticket_keys+3, sizeof(tlsext_ticket_key_t));
+    wolfSSL_OPENSSL_cleanse(session_ticket_keys+3, sizeof(tlsext_ticket_key_t));
 }
 
 
@@ -321,7 +323,8 @@ tlsext_ticket_wipe_expired (const time_t cur_ts)
     for (int i = 0; i < e; ++i) {
         if (session_ticket_keys[i].expire_ts != 0
             && session_ticket_keys[i].expire_ts < cur_ts)
-            OPENSSL_cleanse(session_ticket_keys+i, sizeof(tlsext_ticket_key_t));
+            wolfSSL_OPENSSL_cleanse(session_ticket_keys+i,
+                                    sizeof(tlsext_ticket_key_t));
     }
 }
 
@@ -414,7 +417,7 @@ mod_openssl_session_ticket_key_file (const char *fn)
         rc = 1;
     }
 
-    OPENSSL_cleanse(buf, sizeof(buf));
+    wolfSSL_OPENSSL_cleanse(buf, sizeof(buf));
     return rc;
 }
 
@@ -511,7 +514,7 @@ static void mod_openssl_free_openssl (void)
     if (!ssl_is_init) return;
 
   #ifdef HAVE_SESSION_TICKET
-    OPENSSL_cleanse(session_ticket_keys, sizeof(session_ticket_keys));
+    wolfSSL_OPENSSL_cleanse(session_ticket_keys, sizeof(session_ticket_keys));
     stek_rotate_ts = 0;
   #endif
 
@@ -1477,11 +1480,40 @@ mod_openssl_refresh_stapling_files (server *srv, const plugin_data *p, const tim
 
 
 static int
-mod_openssl_crt_must_staple (const X509 *crt)
+mod_openssl_crt_must_staple (const WOLFSSL_X509 *crt)
 {
     /* XXX: TODO: not implemented */
+  #if 1
     UNUSED(crt);
     return 0;
+  #else
+    STACK_OF(ASN1_OBJECT) * const tlsf = (STACK_OF(ASN1_OBJECT)*)
+      wolfSSL_X509_get_ext_d2i(crt, NID_tlsfeature, NULL, NULL);
+    if (NULL == tlsf) return 0;
+
+    int rc = 0;
+
+    /* wolfSSL_sk_ASN1_INTEGER_num() not implemented */
+    /* wolfSSL_sk_ASN1_INTEGER_value() not implemented */
+    /* wolfSSL_sk_ASN1_INTEGER_pop_free() not implemented */
+    #define wolfSSL_sk_ASN1_INTEGER_num(sk) wolfSSL_sk_num(sk)
+    #define wolfSSL_sk_ASN1_INTEGER_value(sk, i) wolfSSL_sk_value(sk, i)
+    #define wolfSSL_sk_ASN1_INTEGER_pop_free(sk, fn) wolfSSL_sk_pop_free(sk, fn)
+
+    /* wolfSSL_ASN1_INTEGER_get() is a stub func <= 4.6.0; always returns 0 */
+
+    for (int i = 0; i < wolfSSL_sk_ASN1_INTEGER_num(tlsf); ++i) {
+        WOLFSSL_ASN1_INTEGER *ai = wolfSSL_sk_ASN1_INTEGER_value(tlsf, i);
+        long tlsextid = wolfSSL_ASN1_INTEGER_get(ai);
+        if (tlsextid == 5) { /* 5 = OCSP Must-Staple */
+            rc = 1;
+            break;
+        }
+    }
+
+    wolfSSL_sk_ASN1_INTEGER_pop_free(tlsf, wolfSSL_ASN1_INTEGER_free);
+    return rc; /* 1 if OCSP Must-Staple found; 0 if not */
+  #endif
 }
 
 #endif /* HAVE_OCSP */
@@ -2000,9 +2032,9 @@ network_init_ssl (server *srv, plugin_config_socket *s, plugin_data *p)
                   "but wolfssl library built without necessary support");
                 return -1;
           #else
-            /* WTH wolfssl?  wolfSSL_dup_CA_list() is a stub which returns NULL
-             * and so DN names in cert request are not set here.
-             * (A patch has been submitted to WolfSSL to correct this)
+            /* Before wolfssl 4.6.0, wolfSSL_dup_CA_list() is a stub function
+             * which returns NULL, so DN names in cert request are not set here.
+             * (A patch has been submitted to WolfSSL add is part of 4.6.0)
              * https://github.com/wolfSSL/wolfssl/pull/3098 */
             STACK_OF(X509_NAME) * const cert_names = s->ssl_ca_dn_file
               ? s->ssl_ca_dn_file
@@ -3422,6 +3454,28 @@ mod_openssl_ssl_conf_cmd (server *srv, plugin_config_socket *s)
 
     if (maxb) {
         /* WolfSSL max ver is set at WolfSSL compile-time */
+      #if LIBWOLFSSL_VERSION_HEX >= 0x04002000
+        /*(could use SSL_OP_NO_* before 4.2.0)*/
+        /*(wolfSSL_CTX_set_max_proto_version() 4.6.0 uses different defines)*/
+        int n = mod_openssl_ssl_conf_proto_val(srv, s, maxb, 1);
+        switch (n) {
+          case WOLFSSL_SSLV3:
+            wolfSSL_CTX_set_options(s->ssl_ctx, WOLFSSL_OP_NO_TLSv1);
+            __attribute_fallthrough__
+          case WOLFSSL_TLSV1:
+            wolfSSL_CTX_set_options(s->ssl_ctx, WOLFSSL_OP_NO_TLSv1_1);
+            __attribute_fallthrough__
+          case WOLFSSL_TLSV1_1:
+            wolfSSL_CTX_set_options(s->ssl_ctx, WOLFSSL_OP_NO_TLSv1_2);
+            __attribute_fallthrough__
+          case WOLFSSL_TLSV1_2:
+            wolfSSL_CTX_set_options(s->ssl_ctx, WOLFSSL_OP_NO_TLSv1_3);
+            __attribute_fallthrough__
+          case WOLFSSL_TLSV1_3:
+          default:
+            break;
+        }
+      #endif
     }
 
     if (!buffer_string_is_empty(cipherstring)) {