
Commit 66c8726

make windows cert feature default disabled and simplify macro guard
1 parent 0d5c65f commit 66c8726

15 files changed

Lines changed: 105 additions & 150 deletions


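--- a/.github/workflows/windows-cert-store-test.yml
+++ b/.github/workflows/windows-cert-store-test.yml
@@ -59,6 +59,8 @@ jobs:
 else
 echo "WARNING: WOLFSSH_NO_FPKI not found in user_settings.h"
 fi
+# Enable Windows cert store API for this workflow only (not in repo user_settings.h)
+printf '\n/* Appended by windows-cert-store-test CI */\n#define WOLFSSH_WINDOWS_CERT_STORE\n' >> ${{env.USER_SETTINGS_H}}
 
 - name: Build wolfssl library
 working-directory: ${{ github.workspace }}\wolfssl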
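Review bot: The appended `#define WOLFSSH_WINDOWS_CERT_STORE` is only meaningful when WOLFSSH_CERTS is also defined in the same user_settings.h (configure.ac in this commit enforces that pairing for autotools builds, but a user_settings.h build has no equivalent check), yet the step only warns about WOLFSSH_NO_FPKI and never looks for WOLFSSH_CERTS before the printf on the last added line. If the repo user_settings.h does not already define it, a hard check such as `grep -q 'define WOLFSSH_CERTS' "${{env.USER_SETTINGS_H}}" || { echo "WOLFSSH_CERTS missing"; exit 1; }` placed before the append would fail the job with a clear message instead of a compiler error in the wolfSSH build step. A short comment on the printf noting that the define is appended after any include guard in the file (harmless for an object-like macro, but not where a reader would look for it) would also help.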

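--- a/apps/wolfsshd/configuration.c
+++ b/apps/wolfsshd/configuration.c
@@ -74,13 +74,11 @@ struct WOLFSSHD_CONFIG {
 char* hostKeyFile;
 char* hostCertFile;
 char* userCAKeysFile;
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 char* hostKeyStore;
 char* hostKeyStoreSubject;
 char* hostKeyStoreFlags;
-#endif /* WOLFSSH_CERTS */
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 char* hostKeyAlgos;
 char* kekAlgos;
 char* listenAddress;
@@ -325,13 +323,11 @@ void wolfSSHD_ConfigFree(WOLFSSHD_CONFIG* conf)
 FreeString(&current->authKeysFile, heap);
 FreeString(&current->hostKeyFile, heap);
 FreeString(&current->hostCertFile, heap);
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 FreeString(&current->hostKeyStore, heap);
 FreeString(&current->hostKeyStoreSubject, heap);
 FreeString(&current->hostKeyStoreFlags, heap);
-#endif /* WOLFSSH_CERTS */
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 FreeString(&current->pidFile, heap);
 #ifdef USE_WINDOWS_API
 FreeString(&current->winUserStores, heap);
@@ -364,13 +360,11 @@ enum {
 OPT_PROTOCOL = 9,
 OPT_LOGIN_GRACE_TIME = 10,
 OPT_HOST_KEY = 11,
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 OPT_HOST_KEY_STORE = 50,
 OPT_HOST_KEY_STORE_SUBJECT = 51,
 OPT_HOST_KEY_STORE_FLAGS = 52,
-#endif /* WOLFSSH_CERTS */
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 OPT_PASSWORD_AUTH = 12,
 OPT_PORT = 13,
 OPT_PERMIT_ROOT = 14,
@@ -395,10 +389,10 @@ enum {
 NUM_OPTIONS = 26
 #ifdef USE_WINDOWS_API
 + 3
-#ifdef WOLFSSH_CERTS
-+ 3
-#endif /* WOLFSSH_CERTS */
 #endif /* USE_WINDOWS_API */
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
++ 3
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 };
 
 static const CONFIG_OPTION options[NUM_OPTIONS] = {
@@ -417,13 +411,11 @@ static const CONFIG_OPTION options[NUM_OPTIONS] = {
 * option names that share a common prefix MUST appear before the shorter
 * one. HostKeyStoreSubject/HostKeyStoreFlags before HostKeyStore,
 * and all HostKeyStore* before HostKey. */
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 {OPT_HOST_KEY_STORE_SUBJECT, "HostKeyStoreSubject"},
 {OPT_HOST_KEY_STORE_FLAGS, "HostKeyStoreFlags"},
 {OPT_HOST_KEY_STORE, "HostKeyStore"},
-#endif /* WOLFSSH_CERTS */
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 {OPT_HOST_KEY, "HostKey"},
 {OPT_PASSWORD_AUTH, "PasswordAuthentication"},
 {OPT_PORT, "Port"},
@@ -1108,8 +1100,7 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt,
 ret = wolfSSHD_ConfigSetWinUserPvPara(*conf, value);
 break;
 #endif /* USE_WINDOWS_API */
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 case OPT_HOST_KEY_STORE:
 wolfSSH_Log(WS_LOG_INFO,
 "[SSHD] Parsed HostKeyStore = '%s'", value);
@@ -1127,8 +1118,7 @@ static int HandleConfigOption(WOLFSSHD_CONFIG** conf, int opt,
 ret = SetFileString(&(*conf)->hostKeyStoreFlags, value,
 (*conf)->heap);
 break;
-#endif /* WOLFSSH_CERTS */
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 default:
 break;
 }
@@ -1616,8 +1606,7 @@ int SetFileString(char** dst, const char* src, void* heap)
 return ret;
 }
 
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 char* wolfSSHD_ConfigGetHostKeyStore(const WOLFSSHD_CONFIG* conf)
 {
 char* ret = NULL;
@@ -1652,8 +1641,7 @@ char* wolfSSHD_ConfigGetHostKeyStoreFlags(const WOLFSSHD_CONFIG* conf)
 
 return ret;
 }
-#endif /* WOLFSSH_CERTS */
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 
 int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file)
 {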

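--- a/apps/wolfsshd/configuration.h
+++ b/apps/wolfsshd/configuration.h
@@ -42,13 +42,11 @@ char* wolfSSHD_ConfigGetHostCertFile(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetUserCAKeysFile(const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_ConfigSetHostKeyFile(WOLFSSHD_CONFIG* conf, const char* file);
 int wolfSSHD_ConfigSetHostCertFile(WOLFSSHD_CONFIG* conf, const char* file);
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 char* wolfSSHD_ConfigGetHostKeyStore(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetHostKeyStoreSubject(const WOLFSSHD_CONFIG* conf);
 char* wolfSSHD_ConfigGetHostKeyStoreFlags(const WOLFSSHD_CONFIG* conf);
-#endif /* WOLFSSH_CERTS */
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 int wolfSSHD_ConfigSetSystemCA(WOLFSSHD_CONFIG* conf, const char* value);
 int wolfSSHD_ConfigGetSystemCA(const WOLFSSHD_CONFIG* conf);
 int wolfSSHD_ConfigSetUserCAStore(WOLFSSHD_CONFIG* conf, const char* value);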

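--- a/apps/wolfsshd/wolfsshd.c
+++ b/apps/wolfsshd/wolfsshd.c
@@ -38,8 +38,7 @@
 #include <wolfssl/wolfcrypt/logging.h>
 #include <wolfssl/wolfcrypt/asn_public.h>
 
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 #include <windows.h>
 #include <wincrypt.h>
 #include <ncrypt.h>
@@ -49,8 +48,7 @@
 #ifndef CERT_SYSTEM_STORE_LOCAL_MACHINE
 #define CERT_SYSTEM_STORE_LOCAL_MACHINE 0x00020000
 #endif
-#endif /* WOLFSSH_CERTS */
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 
 #define WOLFSSH_TEST_SERVER
 #include <wolfssh/test.h>
@@ -354,8 +352,7 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx,
 
 /* Load in host private key */
 if (ret == WS_SUCCESS) {
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 char* hostKeyStore = wolfSSHD_ConfigGetHostKeyStore(conf);
 char* hostKeyStoreSubject = wolfSSHD_ConfigGetHostKeyStoreSubject(conf);
 char* hostKeyStoreFlags = wolfSSHD_ConfigGetHostKeyStoreFlags(conf);
@@ -408,14 +405,13 @@ static int SetupCTX(WOLFSSHD_CONFIG* conf, WOLFSSH_CTX** ctx,
 WFREE(wSubjectName, heap, DYNTYPE_SSHD);
 }
 } else
-#else
+#elif defined(WOLFSSH_CERTS)
 wolfSSH_Log(WS_LOG_INFO,
-"[SSHD] WOLFSSH_CERTS not defined - cert store support disabled");
-#endif /* WOLFSSH_CERTS */
+"[SSHD] WOLFSSH_WINDOWS_CERT_STORE not defined - cert store support disabled");
 #else
 wolfSSH_Log(WS_LOG_INFO,
-"[SSHD] USE_WINDOWS_API not defined - cert store support disabled");
-#endif /* USE_WINDOWS_API */
+"[SSHD] WOLFSSH_CERTS not defined - cert store support disabled");
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 {
 char* hostKey = wolfSSHD_ConfigGetHostKeyFile(conf);
 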
421417

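--- a/configure.ac
+++ b/configure.ac
@@ -186,6 +186,12 @@ AC_ARG_ENABLE([certs],
 [AS_HELP_STRING([--enable-certs],[Enable X.509 cert support (default: disabled)])],
 [ENABLED_CERTS=$enableval],[ENABLED_CERTS=no])
 
+# Windows certificate store (host/client keys)
+AC_ARG_ENABLE([windows-cert-store],
+[AS_HELP_STRING([--enable-windows-cert-store],[Enable Windows certificate store integration for keys (default: disabled)])],
+[ENABLED_WINDOWS_CERT_STORE=$enableval],
+[ENABLED_WINDOWS_CERT_STORE=no])
+
 # TPM 2.0 Support
 AC_ARG_ENABLE([tpm],
 [AS_HELP_STRING([--enable-tpm],[Enable TPM 2.0 support (default: disabled)])],
@@ -245,6 +251,10 @@ AS_IF([test "x$ENABLED_AGENT" = "xyes"],
 [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_AGENT"])
 AS_IF([test "x$ENABLED_CERTS" = "xyes"],
 [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_CERTS"])
+AS_IF([test "x$ENABLED_WINDOWS_CERT_STORE" = "xyes"],
+[AS_IF([test "x$ENABLED_CERTS" != "xyes"],
+[AC_MSG_ERROR([--enable-windows-cert-store requires X.509 cert support (--enable-certs)])])
+AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_WINDOWS_CERT_STORE"])
 AS_IF([test "x$ENABLED_SMALLSTACK" = "xyes"],
 [AM_CPPFLAGS="$AM_CPPFLAGS -DWOLFSSH_SMALL_STACK"])
 AS_IF([test "x$ENABLED_SSHCLIENT" = "xyes"],
@@ -345,4 +355,5 @@ AS_ECHO([" * agent: $ENABLED_AGENT"])
 AS_ECHO([" * TPM 2.0 support: $ENABLED_TPM"])
 AS_ECHO([" * TCP/IP Forwarding: $ENABLED_FWD"])
 AS_ECHO([" * X.509 Certs: $ENABLED_CERTS"])
+AS_ECHO([" * Windows cert store: $ENABLED_WINDOWS_CERT_STORE"])
 AS_ECHO([" * Examples: $ENABLED_EXAMPLES"])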

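--- a/examples/client/common.c
+++ b/examples/client/common.c
@@ -47,11 +47,11 @@
 
 #ifdef WOLFSSH_CERTS
 #include <wolfssl/wolfcrypt/asn.h>
-#ifdef USE_WINDOWS_API
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 #include <windows.h>
 #include <wincrypt.h>
 #include <ncrypt.h>
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 #endif
 
 static byte userPublicKeyBuf[512];
@@ -1144,8 +1144,7 @@ void ClientFreeBuffers(const char* pubKeyName, const char* privKeyName,
 #endif
 }
 
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 int ClientSetPrivateKeyFromStore(WOLFSSH_CTX* ctx,
 const wchar_t* storeName, DWORD dwFlags, const wchar_t* subjectName)
 {
@@ -1223,5 +1222,4 @@ int ClientSetupCertStoreAuth(WOLFSSH_CTX* ctx)
 fprintf(stderr, "No cert store key found in CTX\n");
 return WS_BAD_ARGUMENT;
 }
-#endif /* WOLFSSH_CERTS */
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */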

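--- a/examples/client/common.h
+++ b/examples/client/common.h
@@ -35,13 +35,11 @@ void ClientFreeBuffers(const char* pubKeyName, const char* privKeyName,
 #ifdef WOLFSSH_TPM
 int ClientSetTpm(WOLFSSH* ssh);
 #endif
-#ifdef USE_WINDOWS_API
-#ifdef WOLFSSH_CERTS
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 int ClientSetPrivateKeyFromStore(WOLFSSH_CTX* ctx,
 const wchar_t* storeName, DWORD dwFlags, const wchar_t* subjectName);
 int ClientSetupCertStoreAuth(WOLFSSH_CTX* ctx);
-#endif /* WOLFSSH_CERTS */
-#endif /* USE_WINDOWS_API */
+#endif /* WOLFSSH_WINDOWS_CERT_STORE */
 
 #endif /* WOLFSSH_COMMON_H */
 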

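--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -115,7 +115,7 @@
 #define SOCKET_EWOULDBLOCK WSAEWOULDBLOCK
 #endif
 
-#if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 #include <windows.h>
 #include <wincrypt.h>
 #ifndef CERT_SYSTEM_STORE_CURRENT_USER
@@ -2540,7 +2540,7 @@ static void ShowUsage(void)
 printf(" -x <list> set the comma separated list of key exchange algos "
 "to use\n");
 printf(" -m <list> set the comma separated list of mac algos to use\n");
-#if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 printf(" -W <spec> Windows cert store: \"store:subject:flags\" (e.g. My:CN=Server:CURRENT_USER)\n");
 #endif
 printf(" -b <num> test user auth would block\n");
@@ -2641,7 +2641,7 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
 #ifdef WOLFSSH_CERTS
 char* caCert = NULL;
 #endif
-#if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 const char* certStoreSpec = NULL;
 #endif
 
@@ -2652,7 +2652,7 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
 kbAuthData.promptCount = 0;
 #endif
 
-#if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 certStoreSpec = getenv("WOLFSSH_CERT_STORE");
 #endif
 if (argc > 0) {
@@ -2772,7 +2772,7 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
 useCustomHighWaterCb = 1;
 break;
 
-#if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 case 'W':
 certStoreSpec = myoptarg;
 break;
@@ -2958,7 +2958,7 @@ THREAD_RETURN WOLFSSH_THREAD echoserver_test(void* args)
 #endif
 bufSz = EXAMPLE_KEYLOAD_BUFFER_SZ;
 
-#if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 if (certStoreSpec != NULL) {
 /* Load host key from Windows certificate store */
 wchar_t* wStoreName = NULL;
@@ -3303,7 +3303,7 @@ int wolfSSH_Echoserver(int argc, char** argv)
 #if !defined(WOLFSSL_NUCLEUS) && !defined(INTEGRITY) && !defined(__INTEGRITY)
 {
 int useStore = 0;
-#if defined(USE_WINDOWS_API) && defined(WOLFSSH_CERTS)
+#ifdef WOLFSSH_WINDOWS_CERT_STORE
 /* When using the Windows certificate store for host keys, the
 * echoserver does not need file-based keys, so skip the root
 * directory search that looks for ./keys/server-key-rsa.pem. */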
