search

wolfSSL / wolfssl

The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3 and DTLS 1.3!
https://www.wolfssl.com
GNU General Public License v2.0
2.36k stars 834 forks source link

20241114-wolfSSL_CTX_UnloadIntermediateCerts-thread-safety #8187

Closed douzzer closed 6 days ago

douzzer commented 1 week ago

add struct wolfSSL_RefWithMutex, wolfSSL_RefWithMutexLock, and wolfSSL_RefWithMutexUnlock, and change WOLFSSL_CTX.ref from wolfSSL_Ref to wolfSSL_RefWithMutex.

in wc_port.c, rename mutexful implementations of wolfSSL_Ref*() to wolfSSL_RefWithMutex*(), and build them even if defined(WOLFSSL_ATOMIC_OPS).

refactor wolfSSL_CTX_UnloadIntermediateCerts() to wrap the refcount check and deallocation with wolfSSL_RefWithMutexLock()...wolfSSL_RefWithMutexUnlock().

move port-specific setup for WARN_UNUSED_RESULT, WC_MAYBE_UNUSED, and WC_INLINE, from types.h to wc_port.h, to make them usable by port-specific definitions later in wc_port.h.

when defined(SINGLE_THREADED) and !defined(WOLFSSL_NO_ATOMICS), typedef int wolfSSL_Atomic_Int, so that access to wolfSSL_Atomic_Ints in SINGLE_THREADED builds is easy.

refactor fallback definitions of wolfSSL_Atomic_Int_FetchAdd and wolfSSL_Atomic_Int_FetchSub as WC_INLINE functions to avoid -Wunused-result.

tested with wolfssl-multi-test.sh ... single-threaded no-atomics super-quick-check with single-threaded enlarged to include "${ENABLE_ALL_TEST_FLAGS[@]}", and no-atomics a new scenario with "${ENABLE_ALL_TEST_FLAGS[@]}" CPPFLAGS=-DWOLFSSL_NO_ATOMICS