Merge pull request #2655 from kaleb-himes/ZD-9592

Remove forcing NO_SKID on unsuspecting CRL users
2019-12-10 16:33:16 -08:00
parent 8450c4ae39 74e54393ab
commit 093a31ed49
5 changed files with 30 additions and 17 deletions
--- a/src/crl.c
+++ b/src/crl.c
@ -83,7 +83,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,

    XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
    /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
-     *   copy the hash here if needed for optimized comparisons */
+     * copy the hash here if needed for optimized comparisons */
    XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
    XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
    crle->lastDateFormat = dcrl->lastDateFormat;
@ -109,7 +109,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
        }
        XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz);
        XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz);
-    #if !defined(NO_SKID) && defined(CRL_SKID_READY)
+    #ifndef NO_SKID
        crle->extAuthKeyIdSet = dcrl->extAuthKeyIdSet;
        if (crle->extAuthKeyIdSet)
            XMEMCPY(crle->extAuthKeyId, dcrl->extAuthKeyId, KEYID_SIZE);
@ -206,9 +206,9 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr
            WOLFSSL_MSG("Found CRL Entry on list");

            if (crle->verified == 0) {
-                Signer* ca;
-            #if !defined(NO_SKID) && defined(CRL_SKID_READY)
-                byte extAuthKeyId[KEYID_SIZE]
+                Signer* ca = NULL;
+            #ifndef NO_SKID
+                byte extAuthKeyId[KEYID_SIZE];
            #endif
                byte issuerHash[CRL_DIGEST_SIZE];
                byte* tbs = NULL;
@ -232,15 +232,15 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr

                XMEMCPY(tbs, crle->toBeSigned, tbsSz);
                XMEMCPY(sig, crle->signature, sigSz);
-            #if !defined(NO_SKID) && defined(CRL_SKID_READY)
-                XMEMCMPY(extAuthKeyId, crle->extAuthKeyId,
+            #ifndef NO_SKID
+                XMEMCPY(extAuthKeyId, crle->extAuthKeyId,
                                                          sizeof(extAuthKeyId));
            #endif
                XMEMCPY(issuerHash, crle->issuerHash, sizeof(issuerHash));

                wc_UnLockMutex(&crl->crlLock);

-            #if !defined(NO_SKID) && defined(CRL_SKID_READY)
+            #ifndef NO_SKID
                if (crle->extAuthKeyIdSet)
                    ca = GetCA(crl->cm, extAuthKeyId);
                if (ca == NULL)
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -15796,12 +15796,22 @@ void InitDecodedCRL(DecodedCRL* dcrl, void* heap)
    dcrl->sigIndex     = 0;
    dcrl->sigLength    = 0;
    dcrl->signatureOID = 0;
+    dcrl->signature    = NULL;
+    XMEMSET(dcrl->issuerHash, 0, SIGNER_DIGEST_SIZE);
+    /* XMEMSET(dcrl->crlHash, 0, SIGNER_DIGEST_SIZE);
+     * initialize the hash here if needed for optimized comparisons */
+    XMEMSET(dcrl->lastDate, 0, MAX_DATE_SIZE);
+    XMEMSET(dcrl->nextDate, 0, MAX_DATE_SIZE);
+    XMEMSET(dcrl->extAuthKeyId, 0, KEYID_SIZE);
+    dcrl->lastDateFormat = 0;
+    dcrl->nextDateFormat = 0;
    dcrl->certs        = NULL;
    dcrl->totalCerts   = 0;
    dcrl->heap         = heap;
    #ifdef WOLFSSL_HEAP_TEST
        dcrl->heap = (void*)WOLFSSL_HEAP_TEST;
    #endif
+    dcrl->extAuthKeyIdSet = 0;
 }


@ -16026,15 +16036,16 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
        return ASN_PARSE_E;

    /* openssl doesn't add skid by default for CRLs cause firefox chokes
-       we're not assuming it's available yet */
-#if !defined(NO_SKID) && defined(CRL_SKID_READY)
+       if experiencing issues uncomment NO_SKID define in CRL section of
+       wolfssl/wolfcrypt/settings.h */
+#ifndef NO_SKID
    if (dcrl->extAuthKeyIdSet)
-        ca = GetCA(cm, dcrl->extAuthKeyId);
+        ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */
    if (ca == NULL)
-        ca = GetCAByName(cm, dcrl->issuerHash);
+        ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */
 #else
    ca = GetCA(cm, dcrl->issuerHash);
-#endif /* !NO_SKID && CRL_SKID_READY */
+#endif /* !NO_SKID */
    WOLFSSL_MSG("About to verify CRL signature");

    if (ca == NULL) {
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -1870,7 +1870,7 @@ struct CRL_Entry {
    byte*   signature;
    word32  signatureSz;
    word32  signatureOID;
-#if !defined(NO_SKID) && defined(CRL_SKID_READY)
+#if !defined(NO_SKID) && !defined(NO_ASN)
    byte    extAuthKeyIdSet;
    byte    extAuthKeyId[KEYID_SIZE];
 #endif
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@ -1345,11 +1345,13 @@ struct DecodedCRL {
    byte    crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash            */
    byte    lastDate[MAX_DATE_SIZE]; /* last date updated  */
    byte    nextDate[MAX_DATE_SIZE]; /* next update date   */
+    byte    extAuthKeyId[KEYID_SIZE]; /* Authority Key ID                */
    byte    lastDateFormat;          /* format of last date */
    byte    nextDateFormat;          /* format of next date */
    RevokedCert* certs;              /* revoked cert list  */
    int          totalCerts;         /* number on list     */
    void*   heap;
+    byte    extAuthKeyIdSet;         /* Set when the AKID was read from CRL */
 };

 WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*, void* heap);
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@ -1619,9 +1619,9 @@ extern void uITRON4_free(void *p) ;
 #endif

 #ifdef HAVE_CRL
-    /* not widely supported yet */
-    #undef NO_SKID
-    #define NO_SKID
+    /* may not be widely supported */
+    /* #undef NO_SKID */
+    /* #define NO_SKID */
 #endif