From 04975ac158e6d33875c2855f74792efb2258bb93 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Tue, 13 May 2025 20:30:48 -0500 Subject: [PATCH] wolfssl/wolfcrypt/logging.h and wolfcrypt/src/logging.c: add WOLFSSL_DEBUG_PRINTF() macro adapted from wolfssl_log(), refactor wolfssl_log() to use it, and move printf setup includes/prototypes from logging.c to logging.h; src/ssl_load.c: add source_name arg and WOLFSSL_DEBUG_CERTIFICATE_LOADS clauses to ProcessBuffer() and ProcessChainBuffer(), and pass reasonable values from callers; remove expired "Baltimore CyberTrust Root" from certs/external/ca_collection.pem and certs/external/baltimore-cybertrust-root.pem. Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/55460a52619626f614e86d528b9a60445562eb34] Signed-off-by: Khem Raj --- certs/external/baltimore-cybertrust-root.pem | 21 --- certs/external/ca_collection.pem | 77 ---------- src/ssl_load.c | 111 +++++++++++---- wolfcrypt/src/error.c | 4 +- wolfcrypt/src/logging.c | 142 ++----------------- wolfssl/internal.h | 3 +- wolfssl/wolfcrypt/logging.h | 93 +++++++++++- 7 files changed, 190 insertions(+), 261 deletions(-) delete mode 100644 certs/external/baltimore-cybertrust-root.pem diff --git a/certs/external/baltimore-cybertrust-root.pem b/certs/external/baltimore-cybertrust-root.pem deleted file mode 100644 index 519028c63..000000000 --- a/certs/external/baltimore-cybertrust-root.pem +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ -RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD -VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX -DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y -ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy -VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr -mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr -IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK -mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu -XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy -dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye -jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1 -BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 -DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92 -9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx -jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0 -Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz -ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS -R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp ------END CERTIFICATE----- diff --git a/certs/external/ca_collection.pem b/certs/external/ca_collection.pem index ddfdf9cee..c76d6c605 100644 --- a/certs/external/ca_collection.pem +++ b/certs/external/ca_collection.pem @@ -1,80 +1,3 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 33554617 (0x20000b9) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root - Validity - Not Before: May 12 18:46:00 2000 GMT - Not After : May 12 23:59:00 2025 GMT - Subject: C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:a3:04:bb:22:ab:98:3d:57:e8:26:72:9a:b5:79: - d4:29:e2:e1:e8:95:80:b1:b0:e3:5b:8e:2b:29:9a: - 64:df:a1:5d:ed:b0:09:05:6d:db:28:2e:ce:62:a2: - 62:fe:b4:88:da:12:eb:38:eb:21:9d:c0:41:2b:01: - 52:7b:88:77:d3:1c:8f:c7:ba:b9:88:b5:6a:09:e7: - 73:e8:11:40:a7:d1:cc:ca:62:8d:2d:e5:8f:0b:a6: - 50:d2:a8:50:c3:28:ea:f5:ab:25:87:8a:9a:96:1c: - a9:67:b8:3f:0c:d5:f7:f9:52:13:2f:c2:1b:d5:70: - 70:f0:8f:c0:12:ca:06:cb:9a:e1:d9:ca:33:7a:77: - d6:f8:ec:b9:f1:68:44:42:48:13:d2:c0:c2:a4:ae: - 5e:60:fe:b6:a6:05:fc:b4:dd:07:59:02:d4:59:18: - 98:63:f5:a5:63:e0:90:0c:7d:5d:b2:06:7a:f3:85: - ea:eb:d4:03:ae:5e:84:3e:5f:ff:15:ed:69:bc:f9: - 39:36:72:75:cf:77:52:4d:f3:c9:90:2c:b9:3d:e5: - c9:23:53:3f:1f:24:98:21:5c:07:99:29:bd:c6:3a: - ec:e7:6e:86:3a:6b:97:74:63:33:bd:68:18:31:f0: - 78:8d:76:bf:fc:9e:8e:5d:2a:86:a7:4d:90:dc:27: - 1a:39 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0 - X509v3 Basic Constraints: critical - CA:TRUE, pathlen:3 - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - Signature Algorithm: sha1WithRSAEncryption - 85:0c:5d:8e:e4:6f:51:68:42:05:a0:dd:bb:4f:27:25:84:03: - bd:f7:64:fd:2d:d7:30:e3:a4:10:17:eb:da:29:29:b6:79:3f: - 76:f6:19:13:23:b8:10:0a:f9:58:a4:d4:61:70:bd:04:61:6a: - 12:8a:17:d5:0a:bd:c5:bc:30:7c:d6:e9:0c:25:8d:86:40:4f: - ec:cc:a3:7e:38:c6:37:11:4f:ed:dd:68:31:8e:4c:d2:b3:01: - 74:ee:be:75:5e:07:48:1a:7f:70:ff:16:5c:84:c0:79:85:b8: - 05:fd:7f:be:65:11:a3:0f:c0:02:b4:f8:52:37:39:04:d5:a9: - 31:7a:18:bf:a0:2a:f4:12:99:f7:a3:45:82:e3:3c:5e:f5:9d: - 9e:b5:c8:9e:7c:2e:c8:a4:9e:4e:08:14:4b:6d:fd:70:6d:6b: - 1a:63:bd:64:e6:1f:b7:ce:f0:f2:9f:2e:bb:1b:b7:f2:50:88: - 73:92:c2:e2:e3:16:8d:9a:32:02:ab:8e:18:dd:e9:10:11:ee: - 7e:35:ab:90:af:3e:30:94:7a:d0:33:3d:a7:65:0f:f5:fc:8e: - 9e:62:cf:47:44:2c:01:5d:bb:1d:b5:32:d2:47:d2:38:2e:d0: - fe:81:dc:32:6a:1e:b5:ee:3c:d5:fc:e7:81:1d:19:c3:24:42: - ea:63:39:a9 ------BEGIN CERTIFICATE----- -MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ -RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD -VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX -DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y -ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy -VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr -mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr -IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK -mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu -XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy -dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye -jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1 -BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 -DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92 -9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx -jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0 -Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz -ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS -R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp ------END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) diff --git a/src/ssl_load.c b/src/ssl_load.c index 24c8af1be..d803b4093 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c @@ -2352,11 +2352,13 @@ static int ProcessBufferResetSuites(WOLFSSL_CTX* ctx, WOLFSSL* ssl, int type) * @param [out] used Number of bytes consumed. * @param [in[ userChain Whether this certificate is for user's chain. * @param [in] verify How to verify certificate. + * @param [in] source_name Associated filename or other source ID. * @return 1 on success. * @return Less than 1 on failure. */ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz, - int format, int type, WOLFSSL* ssl, long* used, int userChain, int verify) + int format, int type, WOLFSSL* ssl, long* used, int userChain, int verify, + const char *source_name) { DerBuffer* der = NULL; int ret = 0; @@ -2367,6 +2369,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz, EncryptedInfo info[1]; #endif int algId = 0; +#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS + long usedAtStart = used ? *used : 0L; +#else + (void)source_name; +#endif WOLFSSL_ENTER("ProcessBuffer"); @@ -2444,6 +2451,22 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz, CLEAR_ASN_NO_PEM_HEADER_ERROR(pemErr); ret = 0; } +#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS + if (ret < 0) { +#ifdef NO_ERROR_STRINGS + WOLFSSL_DEBUG_PRINTF( + "ERROR: ProcessUserChain: certificate from %s at offset %ld" + " rejected with code %d\n", + source_name, usedAtStart, ret); +#else + WOLFSSL_DEBUG_PRINTF( + "ERROR: ProcessUserChain: certificate from %s at offset %ld" + " rejected with code %d: %s\n", + source_name, usedAtStart, ret, + wolfSSL_ERR_reason_error_string(ret)); +#endif + } +#endif /* WOLFSSL_DEBUG_CERTIFICATE_LOADS */ } #ifdef WOLFSSL_SMALL_STACK @@ -2455,6 +2478,22 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz, /* Process the different types of certificates. */ ret = ProcessBufferCertTypes(ctx, ssl, buff, sz, der, format, type, verify); +#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS + if (ret < 0) { +#ifdef NO_ERROR_STRINGS + WOLFSSL_DEBUG_PRINTF( + "ERROR: ProcessBufferCertTypes: certificate from %s at" + " offset %ld rejected with code %d\n", + source_name, usedAtStart, ret); +#else + WOLFSSL_DEBUG_PRINTF( + "ERROR: ProcessBufferCertTypes: certificate from %s at" + " offset %ld rejected with code %d: %s\n", + source_name, usedAtStart, ret, + wolfSSL_ERR_reason_error_string(ret)); +#endif + } +#endif /* WOLFSSL_DEBUG_CERTIFICATE_LOADS */ } else { FreeDer(&der); @@ -2515,12 +2554,14 @@ static int ProcessChainBufferCRL(WOLFSSL_CTX* ctx, const unsigned char* buff, * @param [in] sz Size of data in buffer. * @param [in] type Type of data. * @param [in] verify How to verify certificate. + * @param [in] source_name Associated filename or other source ID. * @return 1 on success. * @return 0 on failure. * @return MEMORY_E when dynamic memory allocation fails. */ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, WOLFSSL* ssl, - const unsigned char* buff, long sz, int type, int verify) + const unsigned char* buff, long sz, int type, int verify, + const char *source_name) { int ret = 0; long used = 0; @@ -2529,11 +2570,11 @@ static int ProcessChainBuffer(WOLFSSL_CTX* ctx, WOLFSSL* ssl, WOLFSSL_MSG("Processing CA PEM file"); /* Keep processing file while no errors and data to parse. */ while ((ret >= 0) && (used < sz)) { - long consumed = 0; + long consumed = used; /* Process the buffer. */ ret = ProcessBuffer(ctx, buff + used, sz - used, WOLFSSL_FILETYPE_PEM, - type, ssl, &consumed, 0, verify); + type, ssl, &consumed, 0, verify, source_name); /* Memory allocation failure is fatal. */ if (ret == WC_NO_ERR_TRACE(MEMORY_E)) { gotOne = 0; @@ -2665,6 +2706,12 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, { /* Not a header that we support. */ WOLFSSL_MSG("Failed to detect certificate type"); +#ifdef WOLFSSL_DEBUG_CERTIFICATE_LOADS + WOLFSSL_DEBUG_PRINTF( + "ERROR: ProcessFile: Failed to detect certificate type" + " of \"%s\"\n", + fname); +#endif ret = WOLFSSL_BAD_CERTTYPE; } } @@ -2673,7 +2720,7 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, if (((type == CA_TYPE) || (type == TRUSTED_PEER_TYPE)) && (format == WOLFSSL_FILETYPE_PEM)) { ret = ProcessChainBuffer(ctx, ssl, content.buffer, sz, type, - verify); + verify, fname); } #ifdef HAVE_CRL else if (type == CRL_TYPE) { @@ -2690,18 +2737,18 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, long consumed = 0; ret = ProcessBuffer(ctx, content.buffer, sz, format, type, ssl, - &consumed, userChain, verify); + &consumed, userChain, verify, fname); if ((ret == 1) && (consumed < sz)) { ret = ProcessBuffer(ctx, content.buffer + consumed, sz - consumed, format, ALT_PRIVATEKEY_TYPE, ssl, NULL, 0, - verify); + verify, fname); } } #endif else { /* Load all other certificate types. */ ret = ProcessBuffer(ctx, content.buffer, sz, format, type, ssl, - NULL, userChain, verify); + NULL, userChain, verify, fname); } } @@ -3030,7 +3077,8 @@ static int LoadSystemCaCertsWindows(WOLFSSL_CTX* ctx, byte* loaded) if (ProcessBuffer(ctx, certCtx->pbCertEncoded, certCtx->cbCertEncoded, WOLFSSL_FILETYPE_ASN1, CA_TYPE, NULL, NULL, 0, - GET_VERIFY_SETTING_CTX(ctx)) == 1) { + GET_VERIFY_SETTING_CTX(ctx), + storeNames[i]) == 1) { /* * Set "loaded" as long as we've loaded one CA * cert. @@ -3105,7 +3153,8 @@ static int LoadSystemCaCertsMac(WOLFSSL_CTX* ctx, byte* loaded) if (ProcessBuffer(ctx, CFDataGetBytePtr(der), CFDataGetLength(der), WOLFSSL_FILETYPE_ASN1, CA_TYPE, NULL, NULL, 0, - GET_VERIFY_SETTING_CTX(ctx)) == 1) { + GET_VERIFY_SETTING_CTX(ctx), + "MacOSX trustDomains") == 1) { /* * Set "loaded" as long as we've loaded one CA * cert. @@ -3644,7 +3693,8 @@ int wolfSSL_use_certificate(WOLFSSL* ssl, WOLFSSL_X509* x509) /* Get DER encoded certificate data from X509 object. */ ret = ProcessBuffer(NULL, x509->derCert->buffer, x509->derCert->length, WOLFSSL_FILETYPE_ASN1, CERT_TYPE, ssl, &idx, 0, - GET_VERIFY_SETTING_SSL(ssl)); + GET_VERIFY_SETTING_SSL(ssl), + "x509 buffer"); } /* Return 1 on success or 0 on failure. */ @@ -3676,7 +3726,8 @@ int wolfSSL_use_certificate_ASN1(WOLFSSL* ssl, const unsigned char* der, long idx = 0; ret = ProcessBuffer(NULL, der, derSz, WOLFSSL_FILETYPE_ASN1, CERT_TYPE, - ssl, &idx, 0, GET_VERIFY_SETTING_SSL(ssl)); + ssl, &idx, 0, GET_VERIFY_SETTING_SSL(ssl), + "asn1 buffer"); } /* Return 1 on success or 0 on failure. */ @@ -3884,12 +3935,13 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in, /* When PEM, treat as certificate chain of CA certificates. */ if (format == WOLFSSL_FILETYPE_PEM) { - ret = ProcessChainBuffer(ctx, NULL, in, sz, CA_TYPE, verify); + ret = ProcessChainBuffer(ctx, NULL, in, sz, CA_TYPE, verify, + "PEM buffer"); } /* When DER, load the CA certificate. */ else { ret = ProcessBuffer(ctx, in, sz, format, CA_TYPE, NULL, NULL, - userChain, verify); + userChain, verify, "buffer"); } #if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS) if (ret == 1) { @@ -3973,12 +4025,12 @@ int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx, const unsigned char* in, /* When PEM, treat as certificate chain of trusted peer certificates. */ if (format == WOLFSSL_FILETYPE_PEM) { ret = ProcessChainBuffer(ctx, NULL, in, sz, TRUSTED_PEER_TYPE, - verify); + verify, "peer"); } /* When DER, load the trusted peer certificate. */ else { ret = ProcessBuffer(ctx, in, sz, format, TRUSTED_PEER_TYPE, NULL, - NULL, 0, verify); + NULL, 0, verify, "peer"); } } @@ -4004,7 +4056,7 @@ int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx, WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_buffer"); ret = ProcessBuffer(ctx, in, sz, format, CERT_TYPE, NULL, NULL, 0, - GET_VERIFY_SETTING_CTX(ctx)); + GET_VERIFY_SETTING_CTX(ctx), "buffer"); WOLFSSL_LEAVE("wolfSSL_CTX_use_certificate_buffer", ret); return ret; @@ -4030,7 +4082,7 @@ int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* in, WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_buffer"); ret = ProcessBuffer(ctx, in, sz, format, PRIVATEKEY_TYPE, NULL, &consumed, - 0, GET_VERIFY_SETTING_CTX(ctx)); + 0, GET_VERIFY_SETTING_CTX(ctx), "key buffer"); #ifdef WOLFSSL_DUAL_ALG_CERTS if ((ret == 1) && (consumed < sz)) { /* When support for dual algorithm certificates is enabled, the @@ -4038,7 +4090,8 @@ int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* in, * private key. Hence, we have to parse both of them. */ ret = ProcessBuffer(ctx, in + consumed, sz - consumed, format, - ALT_PRIVATEKEY_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx)); + ALT_PRIVATEKEY_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx), + "key buffer"); } #endif @@ -4056,7 +4109,7 @@ int wolfSSL_CTX_use_AltPrivateKey_buffer(WOLFSSL_CTX* ctx, WOLFSSL_ENTER("wolfSSL_CTX_use_AltPrivateKey_buffer"); ret = ProcessBuffer(ctx, in, sz, format, ALT_PRIVATEKEY_TYPE, NULL, - NULL, 0, GET_VERIFY_SETTING_CTX(ctx)); + NULL, 0, GET_VERIFY_SETTING_CTX(ctx), "alt key buffer"); WOLFSSL_LEAVE("wolfSSL_CTX_use_AltPrivateKey_buffer", ret); return ret; @@ -4271,7 +4324,8 @@ static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx, } ret = ProcessBuffer(ctx, certData, certDataLen, certFormat, - CERT_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx)); + CERT_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx), + label ? label : "cert buffer"); exit: XFREE(certData, ctx->heap, DYNAMIC_TYPE_CERT); @@ -4333,7 +4387,7 @@ int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx, { WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_buffer_format"); return ProcessBuffer(ctx, in, sz, format, CERT_TYPE, NULL, NULL, 1, - GET_VERIFY_SETTING_CTX(ctx)); + GET_VERIFY_SETTING_CTX(ctx), "cert chain buffer"); } /* Load a PEM encoded certificate chain in a buffer into SSL context. @@ -4376,7 +4430,7 @@ int wolfSSL_use_certificate_buffer(WOLFSSL* ssl, const unsigned char* in, } else { ret = ProcessBuffer(ssl->ctx, in, sz, format, CERT_TYPE, ssl, NULL, 0, - GET_VERIFY_SETTING_SSL(ssl)); + GET_VERIFY_SETTING_SSL(ssl), "cert buffer"); } return ret; @@ -4407,7 +4461,7 @@ int wolfSSL_use_PrivateKey_buffer(WOLFSSL* ssl, const unsigned char* in, } else { ret = ProcessBuffer(ssl->ctx, in, sz, format, PRIVATEKEY_TYPE, ssl, - &consumed, 0, GET_VERIFY_SETTING_SSL(ssl)); + &consumed, 0, GET_VERIFY_SETTING_SSL(ssl), "key buffer"); #ifdef WOLFSSL_DUAL_ALG_CERTS if ((ret == 1) && (consumed < sz)) { /* When support for dual algorithm certificates is enabled, the @@ -4415,7 +4469,8 @@ int wolfSSL_use_PrivateKey_buffer(WOLFSSL* ssl, const unsigned char* in, * private key. Hence, we have to parse both of them. */ ret = ProcessBuffer(ssl->ctx, in + consumed, sz - consumed, format, - ALT_PRIVATEKEY_TYPE, ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl)); + ALT_PRIVATEKEY_TYPE, ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl), + "key buffer"); } #endif } @@ -4431,7 +4486,7 @@ int wolfSSL_use_AltPrivateKey_buffer(WOLFSSL* ssl, const unsigned char* in, WOLFSSL_ENTER("wolfSSL_use_AltPrivateKey_buffer"); ret = ProcessBuffer(ssl->ctx, in, sz, format, ALT_PRIVATEKEY_TYPE, ssl, - NULL, 0, GET_VERIFY_SETTING_SSL(ssl)); + NULL, 0, GET_VERIFY_SETTING_SSL(ssl), "alt key buffer"); WOLFSSL_LEAVE("wolfSSL_use_AltPrivateKey_buffer", ret); return ret; @@ -4669,7 +4724,7 @@ int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl, } else { ret = ProcessBuffer(ssl->ctx, in, sz, format, CERT_TYPE, ssl, NULL, 1, - GET_VERIFY_SETTING_SSL(ssl)); + GET_VERIFY_SETTING_SSL(ssl), "cert chain buffer"); } return ret; @@ -4826,7 +4881,7 @@ long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509) /* Process buffer makes first certificate the leaf. */ ret = ProcessBuffer(ctx, der, derSz, WOLFSSL_FILETYPE_ASN1, CERT_TYPE, - NULL, NULL, 1, GET_VERIFY_SETTING_CTX(ctx)); + NULL, NULL, 1, GET_VERIFY_SETTING_CTX(ctx), "extra chain buffer"); if (ret != 1) { ret = 0; } diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index af5ba36b4..9ec9484d4 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -182,10 +182,10 @@ const char* wc_GetErrorString(int error) return "ASN date error, bad size"; case ASN_BEFORE_DATE_E : - return "ASN date error, current date before"; + return "ASN date error, current date is before start of validity"; case ASN_AFTER_DATE_E : - return "ASN date error, current date after"; + return "ASN date error, current date is after expiration"; case ASN_SIG_OID_E : return "ASN signature error, mismatched oid"; diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index 29b9221df..b80fc3a56 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -230,42 +230,6 @@ void WOLFSSL_TIME(int count) #ifdef DEBUG_WOLFSSL -#if defined(ARDUINO) - /* see Arduino wolfssl.h for wolfSSL_Arduino_Serial_Print */ -#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) - /* see wc_port.h for fio.h and nio.h includes */ -#elif defined(WOLFSSL_SGX) - /* Declare sprintf for ocall */ - int sprintf(char* buf, const char *fmt, ...); -#elif defined(WOLFSSL_DEOS) -#elif defined(MICRIUM) - #if (BSP_SER_COMM_EN == DEF_ENABLED) - #include - #endif -#elif defined(WOLFSSL_USER_LOG) - /* user includes their own headers */ -#elif defined(WOLFSSL_ESPIDF) - #include "esp_types.h" - #include "esp_log.h" -#elif defined(WOLFSSL_TELIT_M2MB) - #include - #include "m2m_log.h" -#elif defined(WOLFSSL_ANDROID_DEBUG) - #include -#elif defined(WOLFSSL_XILINX) - #include "xil_printf.h" -#elif defined(WOLFSSL_LINUXKM) - /* the requisite linux/kernel.h is included in wc_port.h, with incompatible warnings masked out. */ -#elif defined(FUSION_RTOS) - #include - #define fprintf FCL_FPRINTF -#else - #include /* for default printf stuff */ -#endif - -#if defined(THREADX) && !defined(THREADX_NO_DC_PRINTF) - int dc_log_printf(char*, ...); -#endif #ifdef HAVE_STACK_SIZE_VERBOSE #include @@ -281,106 +245,30 @@ static void wolfssl_log(const int logLevel, const char* const file_name, else { #if defined(WOLFSSL_USER_LOG) WOLFSSL_USER_LOG(logMessage); -#elif defined(ARDUINO) - wolfSSL_Arduino_Serial_Print(logMessage); -#elif defined(WOLFSSL_LOG_PRINTF) - if (file_name != NULL) - printf("[%s L %d] %s\n", file_name, line_number, logMessage); - else - printf("%s\n", logMessage); -#elif defined(THREADX) && !defined(THREADX_NO_DC_PRINTF) - if (file_name != NULL) - dc_log_printf("[%s L %d] %s\n", file_name, line_number, logMessage); - else - dc_log_printf("%s\n", logMessage); -#elif defined(WOLFSSL_DEOS) - if (file_name != NULL) - printf("[%s L %d] %s\r\n", file_name, line_number, logMessage); - else - printf("%s\r\n", logMessage); -#elif defined(MICRIUM) - if (file_name != NULL) - BSP_Ser_Printf("[%s L %d] %s\r\n", - file_name, line_number, logMessage); - else - BSP_Ser_Printf("%s\r\n", logMessage); -#elif defined(WOLFSSL_MDK_ARM) - fflush(stdout) ; - if (file_name != NULL) - printf("[%s L %d] %s\n", file_name, line_number, logMessage); - else - printf("%s\n", logMessage); - fflush(stdout) ; -#elif defined(WOLFSSL_UTASKER) - fnDebugMsg((char*)logMessage); - fnDebugMsg("\r\n"); -#elif defined(MQX_USE_IO_OLD) - if (file_name != NULL) - fprintf(_mqxio_stderr, "[%s L %d] %s\n", - file_name, line_number, logMessage); - else - fprintf(_mqxio_stderr, "%s\n", logMessage); -#elif defined(WOLFSSL_APACHE_MYNEWT) - if (file_name != NULL) - LOG_DEBUG(&mynewt_log, LOG_MODULE_DEFAULT, "[%s L %d] %s\n", - file_name, line_number, logMessage); - else - LOG_DEBUG(&mynewt_log, LOG_MODULE_DEFAULT, "%s\n", logMessage); -#elif defined(WOLFSSL_ESPIDF) - if (file_name != NULL) - ESP_LOGI("wolfssl", "[%s L %d] %s", - file_name, line_number, logMessage); - else - ESP_LOGI("wolfssl", "%s", logMessage); -#elif defined(WOLFSSL_ZEPHYR) - if (file_name != NULL) - printk("[%s L %d] %s\n", file_name, line_number, logMessage); - else - printk("%s\n", logMessage); -#elif defined(WOLFSSL_TELIT_M2MB) - if (file_name != NULL) - M2M_LOG_INFO("[%s L %d] %s\n", file_name, line_number, logMessage); - else - M2M_LOG_INFO("%s\n", logMessage); -#elif defined(WOLFSSL_ANDROID_DEBUG) - if (file_name != NULL) - __android_log_print(ANDROID_LOG_VERBOSE, "[wolfSSL]", "[%s L %d] %s", - file_name, line_number, logMessage); - else - __android_log_print(ANDROID_LOG_VERBOSE, "[wolfSSL]", "%s", - logMessage); -#elif defined(WOLFSSL_XILINX) - if (file_name != NULL) - xil_printf("[%s L %d] %s\r\n", file_name, line_number, logMessage); - else - xil_printf("%s\r\n", logMessage); -#elif defined(WOLFSSL_LINUXKM) - if (file_name != NULL) - printk("[%s L %d] %s\n", file_name, line_number, logMessage); - else - printk("%s\n", logMessage); -#elif defined(WOLFSSL_RENESAS_RA6M4) - if (file_name != NULL) - myprintf("[%s L %d] %s\n", file_name, line_number, logMessage); - else - myprintf("%s\n", logMessage); -#elif defined(STACK_SIZE_CHECKPOINT_MSG) && \ - defined(HAVE_STACK_SIZE_VERBOSE) && defined(HAVE_STACK_SIZE_VERBOSE_LOG) - STACK_SIZE_CHECKPOINT_MSG(logMessage); -#else +#elif defined(WOLFSSL_DEBUG_PRINTF) if (log_prefix != NULL) { if (file_name != NULL) - fprintf(stderr, "[%s]: [%s L %d] %s\n", + WOLFSSL_DEBUG_PRINTF("[%s]: [%s L %d] %s\n", log_prefix, file_name, line_number, logMessage); else - fprintf(stderr, "[%s]: %s\n", log_prefix, logMessage); + WOLFSSL_DEBUG_PRINTF("[%s]: %s\n", log_prefix, logMessage); } else { if (file_name != NULL) - fprintf(stderr, "[%s L %d] %s\n", + WOLFSSL_DEBUG_PRINTF("[%s L %d] %s\n", file_name, line_number, logMessage); else - fprintf(stderr, "%s\n", logMessage); + WOLFSSL_DEBUG_PRINTF("%s\n", logMessage); } +#elif defined(ARDUINO) + wolfSSL_Arduino_Serial_Print(logMessage); +#elif defined(WOLFSSL_UTASKER) + fnDebugMsg((char*)logMessage); + fnDebugMsg("\r\n"); +#elif defined(STACK_SIZE_CHECKPOINT_MSG) && \ + defined(HAVE_STACK_SIZE_VERBOSE) && defined(HAVE_STACK_SIZE_VERBOSE_LOG) + STACK_SIZE_CHECKPOINT_MSG(logMessage); +#else + #error No log method defined. #endif } } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 9cdbdb697..dd191fb1a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -6389,7 +6389,8 @@ WOLFSSL_TEST_VIS void wolfSSL_ResourceFree(WOLFSSL* ssl); /* Micrium uses */ WOLFSSL_LOCAL int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz, int format, int type, WOLFSSL* ssl, - long* used, int userChain, int verify); + long* used, int userChain, int verify, + const char *source_name); WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type, WOLFSSL* ssl, int userChain, WOLFSSL_CRL* crl, int verify); diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h index 49de70147..8b3cf0fd8 100644 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -89,11 +89,6 @@ enum wc_FuncNum { }; #endif -#if defined(ARDUINO) -/* implemented in Arduino wolfssl.h */ -extern WOLFSSL_API int wolfSSL_Arduino_Serial_Print(const char* const s); -#endif /* ARDUINO */ - typedef void (*wolfSSL_Logging_cb)(const int logLevel, const char *const logMessage); @@ -157,6 +152,10 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); #define WOLFSSL_TIME(n) WC_DO_NOTHING #endif +#if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_DEBUG_CERTIFICATE_LOADS) + #define WOLFSSL_DEBUG_CERTIFICATE_LOADS +#endif + #if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_DEBUG_ERRORS_ONLY) #if defined(_WIN32) #if defined(INTIME_RTOS) @@ -268,6 +267,90 @@ WOLFSSL_API void wolfSSL_SetLoggingPrefix(const char* prefix); extern WOLFSSL_API THREAD_LS_T void *StackSizeCheck_stackOffsetPointer; #endif +/* Port-specific includes and printf methods: */ + +#if defined(ARDUINO) + /* implemented in Arduino wolfssl.h */ + extern WOLFSSL_API int wolfSSL_Arduino_Serial_Print(const char* const s); +#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) + /* see wc_port.h for fio.h and nio.h includes */ +#elif defined(WOLFSSL_SGX) + /* Declare sprintf for ocall */ + int sprintf(char* buf, const char *fmt, ...); +#elif defined(WOLFSSL_DEOS) +#elif defined(MICRIUM) + #if (BSP_SER_COMM_EN == DEF_ENABLED) + #include + #endif +#elif defined(WOLFSSL_USER_LOG) + /* user includes their own headers */ +#elif defined(WOLFSSL_ESPIDF) + #include "esp_types.h" + #include "esp_log.h" +#elif defined(WOLFSSL_TELIT_M2MB) + #include + #include "m2m_log.h" +#elif defined(WOLFSSL_ANDROID_DEBUG) + #include +#elif defined(WOLFSSL_XILINX) + #include "xil_printf.h" +#elif defined(WOLFSSL_LINUXKM) + /* the requisite linux/kernel.h is included in linuxkm_wc_port.h, with + * incompatible warnings masked out. + */ +#elif defined(FUSION_RTOS) + #include + #define fprintf FCL_FPRINTF +#else + #include /* for default printf stuff */ +#endif + +#if defined(THREADX) && !defined(THREADX_NO_DC_PRINTF) + int dc_log_printf(char*, ...); +#endif + +#ifdef WOLFSSL_DEBUG_PRINTF + /* user-supplied definition */ +#elif defined(ARDUINO) + /* ARDUINO only has print and sprintf, no printf. */ +#elif defined(WOLFSSL_LOG_PRINTF) || defined(WOLFSSL_DEOS) + #define WOLFSSL_DEBUG_PRINTF(...) printf(__VA_ARGS__) +#elif defined(THREADX) && !defined(THREADX_NO_DC_PRINTF) + #define WOLFSSL_DEBUG_PRINTF(...) dc_log_printf(__VA_ARGS__) +#elif defined(MICRIUM) + #define WOLFSSL_DEBUG_PRINTF(...) BSP_Ser_Printf(__VA_ARGS__) +#elif defined(WOLFSSL_MDK_ARM) + #define WOLFSSL_DEBUG_PRINTF(...) do { \ + fflush(stdout); \ + printf(__VA_ARGS__); \ + fflush(stdout); \ + } while (0) +#elif defined(WOLFSSL_UTASKER) + /* WOLFSSL_UTASKER only has fnDebugMsg and related primitives, no printf. */ +#elif defined(MQX_USE_IO_OLD) + #define WOLFSSL_DEBUG_PRINTF(...) fprintf(_mqxio_stderr, __VAR_ARGS) +#elif defined(WOLFSSL_APACHE_MYNEWT) + #define WOLFSSL_DEBUG_PRINTF(...) LOG_DEBUG(&mynewt_log, \ + LOG_MODULE_DEFAULT, __VA_ARGS__) +#elif defined(WOLFSSL_ESPIDF) + #define WOLFSSL_DEBUG_PRINTF(...) ESP_LOGI("wolfssl", __VA_ARGS__) +#elif defined(WOLFSSL_ZEPHYR) + #define WOLFSSL_DEBUG_PRINTF(...) printk(__VA_ARGS__) +#elif defined(WOLFSSL_TELIT_M2MB) + #define WOLFSSL_DEBUG_PRINTF(...) M2M_LOG_INFO(__VA_ARGS__) +#elif defined(WOLFSSL_ANDROID_DEBUG) + #define WOLFSSL_DEBUG_PRINTF(...) __android_log_print(ANDROID_LOG_VERBOSE, \ + "[wolfSSL]", __VA_ARGS__) +#elif defined(WOLFSSL_XILINX) + #define WOLFSSL_DEBUG_PRINTF(...) xil_printf(__VA_ARGS__) +#elif defined(WOLFSSL_LINUXKM) + #define WOLFSSL_DEBUG_PRINTF(...) printk(__VA_ARGS__) +#elif defined(WOLFSSL_RENESAS_RA6M4) + #define WOLFSSL_DEBUG_PRINTF(...) myprintf(__VA_ARGS__) +#else + #define WOLFSSL_DEBUG_PRINTF(...) fprintf(stderr, __VA_ARGS__) +#endif + #ifdef __cplusplus } #endif