From 80ae237852245b4270d52d576882e2c0bd4eb94a Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 25 Jan 2022 12:34:36 -0800 Subject: [PATCH 1/3] Fixes for building with ipsec-tools/racoon and openvpn: * Fix for `EVP_CIPHER_CTX_flags`, which mapped to a missing function (broke openvpn) * Added stack of name entries for ipsec/racoon support. * Added `X509_STORE_CTX_set_flags` stub. * Added PKCS7 NID types. * Improved FIPS "SHA" logic in `test_wolfSSL_SHA` * Added some uncommon NID type definitions. * Expose the DH `DH_set_length` and `DH_set0_pqg` with OPENSSL_ALL --- doc/dox_comments/header_files/evp.h | 27 +++++++- src/internal.c | 6 ++ src/ssl.c | 100 ++++++++++++++++++++++++---- tests/api.c | 21 +++++- wolfcrypt/src/evp.c | 6 ++ wolfssl/internal.h | 4 ++ wolfssl/openssl/evp.h | 9 +++ wolfssl/openssl/ssl.h | 8 ++- wolfssl/openssl/x509_vfy.h | 7 +- wolfssl/ssl.h | 10 +++ wolfssl/wolfcrypt/asn.h | 3 + 11 files changed, 182 insertions(+), 19 deletions(-) diff --git a/doc/dox_comments/header_files/evp.h b/doc/dox_comments/header_files/evp.h index 293ac84f4..2b573b0c1 100644 --- a/doc/dox_comments/header_files/evp.h +++ b/doc/dox_comments/header_files/evp.h @@ -371,6 +371,7 @@ WOLFSSL_API int wolfSSL_EVP_CIPHER_block_size(const WOLFSSL_EVP_CIPHER *cipher); \endcode \sa wolfSSL_EVP_CIPHER_flags + \sa wolfSSL_EVP_CIPHER_CTX_flags */ WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags); @@ -393,6 +394,7 @@ WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, i \endcode \sa wolfSSL_EVP_CIPHER_flags + \sa wolfSSL_EVP_CIPHER_CTX_flags */ WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_clear_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags); 
@@ -414,6 +416,29 @@ WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_clear_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, wolfSSL_EVP_CIPHER_CTX_set_padding(ctx, 1); \endcode - \sa wolfSSL_EVP_CIPHER_flags + \sa wolfSSL_EVP_CIPHER_CTX_new */ WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_set_padding(WOLFSSL_EVP_CIPHER_CTX *c, int pad); + + +/*! + \ingroup openSSL + + \brief Getter function for WOLFSSL_EVP_CIPHER_CTX structure. Deprecated v1.1.0 + + \return unsigned long of flags/mode. + + \param ctx structure to get flag. + + _Example_ + \code + WOLFSSL_EVP_CIPHER_CTX* ctx; + unsigned long flags; + ctx = wolfSSL_EVP_CIPHER_CTX_new() + flags = wolfSSL_EVP_CIPHER_CTX_flags(ctx); + \endcode + + \sa wolfSSL_EVP_CIPHER_CTX_new + \sa wolfSSL_EVP_CIPHER_flags +*/ +WOLFSSL_API unsigned long wolfSSL_EVP_CIPHER_CTX_flags(const WOLFSSL_EVP_CIPHER_CTX *ctx); diff --git a/src/internal.c b/src/internal.c index 31411703b..06e5647b2 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3930,6 +3930,12 @@ void FreeX509Name(WOLFSSL_X509_NAME* name) } } #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ +#ifdef OPENSSL_ALL + if (name->entries) { + wolfSSL_sk_X509_NAME_ENTRY_free(name->entries); + name->entries = NULL; + } +#endif } } diff --git a/src/ssl.c b/src/ssl.c index a392ee952..47752eb77 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -21774,6 +21774,7 @@ int wolfSSL_sk_push(WOLFSSL_STACK* sk, const void *data) case STACK_TYPE_X509_EXT: case STACK_TYPE_NULL: case STACK_TYPE_X509_NAME: + case STACK_TYPE_X509_NAME_ENTRY: case STACK_TYPE_CONF_VALUE: case STACK_TYPE_X509_INFO: case STACK_TYPE_BY_DIR_entry: @@ -21834,6 +21835,7 @@ int wolfSSL_sk_push(WOLFSSL_STACK* sk, const void *data) case STACK_TYPE_X509_EXT: case STACK_TYPE_NULL: case STACK_TYPE_X509_NAME: + case STACK_TYPE_X509_NAME_ENTRY: case STACK_TYPE_CONF_VALUE: case STACK_TYPE_X509_INFO: case STACK_TYPE_BY_DIR_entry: 
@@ -22507,6 +22509,7 @@ void *wolfSSL_lh_retrieve(WOLFSSL_STACK *sk, void *data) case STACK_TYPE_X509_EXT: case STACK_TYPE_NULL: case STACK_TYPE_X509_NAME: + case STACK_TYPE_X509_NAME_ENTRY: case STACK_TYPE_CONF_VALUE: case STACK_TYPE_X509_INFO: case STACK_TYPE_BY_DIR_entry: @@ -22532,6 +22535,7 @@ void *wolfSSL_lh_retrieve(WOLFSSL_STACK *sk, void *data) case STACK_TYPE_X509_EXT: case STACK_TYPE_NULL: case STACK_TYPE_X509_NAME: + case STACK_TYPE_X509_NAME_ENTRY: case STACK_TYPE_CONF_VALUE: case STACK_TYPE_X509_INFO: case STACK_TYPE_BY_DIR_entry: @@ -31482,6 +31486,8 @@ void* wolfSSL_sk_value(const WOLFSSL_STACK* sk, int i) return (void*)sk->data.generic; case STACK_TYPE_X509_NAME: return (void*)sk->data.name; + case STACK_TYPE_X509_NAME_ENTRY: + return (void*)sk->data.nameentry; case STACK_TYPE_CONF_VALUE: return (void*)sk->data.conf; case STACK_TYPE_X509_INFO: @@ -31578,6 +31584,7 @@ WOLFSSL_STACK* wolfSSL_sk_dup(WOLFSSL_STACK* sk) case STACK_TYPE_X509_EXT: case STACK_TYPE_NULL: case STACK_TYPE_X509_NAME: + case STACK_TYPE_X509_NAME_ENTRY: case STACK_TYPE_CONF_VALUE: case STACK_TYPE_X509_INFO: case STACK_TYPE_BY_DIR_entry: @@ -31694,6 +31701,12 @@ void wolfSSL_sk_pop_free(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk, func = (wolfSSL_sk_freefunc)wolfSSL_X509_NAME_free; #endif break; + case STACK_TYPE_X509_NAME_ENTRY: + #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) \ + && !defined(WOLFCRYPT_ONLY) + func = (wolfSSL_sk_freefunc)wolfSSL_X509_NAME_ENTRY_free; + #endif + break; case STACK_TYPE_X509_EXT: #ifdef OPENSSL_ALL func = (wolfSSL_sk_freefunc)wolfSSL_X509_EXTENSION_free; @@ -34015,7 +34028,8 @@ int wolfSSL_DH_compute_key(unsigned char* key, const WOLFSSL_BIGNUM* otherPub, } -#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L +#if defined(OPENSSL_ALL) || \ + defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L int wolfSSL_DH_set_length(WOLFSSL_DH *dh, long len) { WOLFSSL_ENTER("wolfSSL_DH_set_length"); 
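Review bot: The new guard `#if defined(OPENSSL_ALL) || defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L` mixes `||` and `&&` without parentheses, so it only reads as intended because `&&` binds tighter, and the matching `#endif /* OPENSSL_ALL || (v1.1.0 or later) */` in the next hunk already spells out the grouping the author meant. Make it explicit so the two agree: `#if defined(OPENSSL_ALL) || \` followed by `(defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L)`. This likely also silences a `-Wparentheses` warning, which GCC raises for preprocessor expressions as well.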
@@ -34076,7 +34090,7 @@ int wolfSSL_DH_set0_pqg(WOLFSSL_DH *dh, WOLFSSL_BIGNUM *p, return WOLFSSL_SUCCESS; } -#endif /* v1.1.0 or later */ +#endif /* OPENSSL_ALL || (v1.1.0 or later) */ #endif /* !HAVE_FIPS || (HAVE_FIPS && !WOLFSSL_DH_EXTRA) || * HAVE_FIPS_VERSION > 2 */ @@ -45465,7 +45479,7 @@ err: WOLFSSL_X509_NAME_ENTRY* entry, int idx, int set) { WOLFSSL_X509_NAME_ENTRY* current = NULL; - int i; + int ret, i; #ifdef WOLFSSL_DEBUG_OPENSSL WOLFSSL_ENTER("wolfSSL_X509_NAME_add_entry()"); @@ -45500,16 +45514,33 @@ err: } } - current = &(name->entry[i]); + current = &name->entry[i]; if (current->set == 0) name->entrySz++; + if (wolfSSL_X509_NAME_ENTRY_create_by_NID(¤t, - entry->nid, - wolfSSL_ASN1_STRING_type(entry->value), - wolfSSL_ASN1_STRING_data(entry->value), - wolfSSL_ASN1_STRING_length(entry->value)) - == NULL) { - WOLFSSL_MSG("Issue adding the name entry"); + entry->nid, + wolfSSL_ASN1_STRING_type(entry->value), + wolfSSL_ASN1_STRING_data(entry->value), + wolfSSL_ASN1_STRING_length(entry->value)) != NULL) + { + ret = WOLFSSL_SUCCESS; + #ifdef OPENSSL_ALL + if (name->entries == NULL) { + name->entries = wolfSSL_sk_X509_NAME_new(NULL); + } + if (wolfSSL_sk_X509_NAME_ENTRY_push(name->entries, current + ) != WOLFSSL_SUCCESS) { + ret = WOLFSSL_FAILURE; + } + #endif + } + else { + ret = WOLFSSL_FAILURE; + } + + if (ret != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Error adding the name entry"); if (current->set == 0) name->entrySz--; return WOLFSSL_FAILURE; 
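Review bot: In the `OPENSSL_ALL` branch of `wolfSSL_X509_NAME_add_entry` the stack is created with `wolfSSL_sk_X509_NAME_new(NULL)` but filled through `wolfSSL_sk_X509_NAME_ENTRY_push`, so its tag is `STACK_TYPE_X509_NAME` rather than the `STACK_TYPE_X509_NAME_ENTRY` this patch introduces, and anything that dispatches on the tag (the `wolfSSL_sk_pop_free` case added earlier in this patch, for one) would treat `WOLFSSL_X509_NAME_ENTRY*` elements as `WOLFSSL_X509_NAME*`. Use `name->entries = wolfSSL_sk_X509_NAME_ENTRY_new(NULL);` and, because the pushed pointer is `current`, i.e. `&name->entry[i]`, a slot inside the name itself, add `/* non-owning: elements point into name->entry[]; free only with wolfSSL_sk_X509_NAME_ENTRY_free */` beside it so nobody later calls a pop_free variant on it. The push also runs when `current->set` was already non-zero, which looks like it would push the same slot a second time if this path replaces an existing entry; please confirm. If the stack allocation returns NULL the function reports `WOLFSSL_FAILURE` even though the entry has already been written into the slot. The enclosing function starts before this hunk.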
@@ -48076,6 +48107,42 @@ int wolfSSL_sk_X509_NAME_find(const WOLF_STACK_OF(WOLFSSL_X509_NAME) *sk, return -1; } +/* Name Entry */ +WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* wolfSSL_sk_X509_NAME_ENTRY_new( + wolf_sk_compare_cb cb) +{ + WOLFSSL_STACK* sk = wolfSSL_sk_new_node(NULL); + if (sk != NULL) { + sk->type = STACK_TYPE_X509_NAME_ENTRY; + #ifdef OPENSSL_ALL + sk->comp = cb; + #else + (void)cb; + #endif + } + return sk; +} +int wolfSSL_sk_X509_NAME_ENTRY_push(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk, + WOLFSSL_X509_NAME_ENTRY* nameentry) +{ + return wolfSSL_sk_push(sk, nameentry); +} +WOLFSSL_X509_NAME_ENTRY* wolfSSL_sk_X509_NAME_ENTRY_value( + const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk, int i) +{ + return (WOLFSSL_X509_NAME_ENTRY*)wolfSSL_sk_value(sk, i); +} +int wolfSSL_sk_X509_NAME_ENTRY_num(const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk) +{ + if (sk == NULL) + return BAD_FUNC_ARG; + return (int)sk->num; +} +void wolfSSL_sk_X509_NAME_ENTRY_free(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk) +{ + wolfSSL_sk_free(sk); +} + #endif /* OPENSSL_EXTRA || HAVE_STUNNEL || WOLFSSL_NGINX || HAVE_LIGHTY || WOLFSSL_HAPROXY || WOLFSSL_OPENSSH || HAVE_SBLIM_SFCB */ @@ -61203,10 +61270,19 @@ int wolfSSL_X509_STORE_CTX_set_purpose(WOLFSSL_X509_STORE_CTX *ctx, { (void)ctx; (void)purpose; - WOLFSSL_STUB("wolfSSL_X509_STORE_CTX_set_purpose"); + WOLFSSL_STUB("wolfSSL_X509_STORE_CTX_set_purpose (not implemented)"); return 0; } -#endif + +void wolfSSL_X509_STORE_CTX_set_flags(WOLFSSL_X509_STORE_CTX *ctx, + unsigned long flags) +{ + (void)ctx; + (void)flags; + WOLFSSL_STUB("wolfSSL_X509_STORE_CTX_set_flags (not implemented)"); +} +#endif /* !NO_WOLFSSL_STUB */ + #endif /* WOLFSSL_QT || OPENSSL_ALL */ #endif /* OPENSSL_EXTRA */ diff --git a/tests/api.c b/tests/api.c index 98b37748f..302b68361 100644 --- a/tests/api.c +++ b/tests/api.c 
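Review bot: `wolfSSL_X509_STORE_CTX_set_flags` accepts verification flags and discards them with no signal to the caller: the function is `void` and `WOLFSSL_STUB` appears to be a debug-log hook that is silent in a release build. An application that asks for stricter checking through this call (the `X509_V_FLAG_CRL_CHECK*` names mapped in `wolfssl/openssl/ssl.h` are the obvious case) will carry on with default verification and no error, which is fail-open for a policy the caller believes is active. At minimum document that on the prototype in `wolfssl/openssl/x509_vfy.h`, e.g. `/* stub: flags are ignored, verification behaviour is not changed by this call */`; `wolfSSL_X509_STORE_CTX_set_purpose` just above has the same property and deserves the same note.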
@@ -29652,7 +29652,7 @@ static void test_wolfSSL_X509_NAME(void) tmp = buf; AssertIntGT((sz = i2d_X509_NAME((X509_NAME*)a, &tmp)), 0); if (sz > 0 && tmp == buf) { - printf("\nERROR - %s line %d failed with:", __FILE__, __LINE__); \ + printf("\nERROR - %s line %d failed with:", __FILE__, __LINE__); printf(" Expected pointer to be incremented\n"); abort(); } @@ -36635,7 +36635,11 @@ static void test_wolfSSL_check_domain(void) FreeTcpReady(&ready); /* Should have been called once for each cert in sent chain */ +#ifdef WOLFSSL_VERIFY_CB_ALL_CERTS AssertIntEQ(test_wolfSSL_check_domain_verify_count, 3); +#else + AssertIntEQ(test_wolfSSL_check_domain_verify_count, 1); +#endif printf(resultFmt, passed); } @@ -38164,6 +38168,9 @@ static void test_wolfSSL_X509_NAME_ENTRY(void) X509_NAME* nm; X509_NAME_ENTRY* entry; unsigned char cn[] = "another name to add"; +#ifdef OPENSSL_ALL + int i, names_len; +#endif printf(testingFmt, "wolfSSL_X509_NAME_ENTRY()"); @@ -38237,6 +38244,14 @@ static void test_wolfSSL_X509_NAME_ENTRY(void) AssertIntEQ(X509_NAME_add_entry_by_NID(nm, NID_commonName, MBSTRING_UTF8, cn, -1, -1, 0), SSL_SUCCESS); +#ifdef OPENSSL_ALL + /* stack of name entry */ + AssertIntGT((names_len = sk_X509_NAME_ENTRY_num(nm->entries)), 0); + for (i=0; ientries, i)); + } +#endif + #ifndef NO_BIO BIO_free(bio); #endif @@ -40582,7 +40597,9 @@ static void test_wolfSSL_SHA(void) #if defined(OPENSSL_EXTRA) && !defined(HAVE_SELFTEST) printf(testingFmt, "wolfSSL_SHA()"); - #if !defined(NO_SHA) && defined(NO_OLD_SHA_NAMES) + #if !defined(NO_SHA) && defined(NO_OLD_SHA_NAMES) && \ + (!defined(HAVE_FIPS) || \ + (defined(HAVE_FIPS_VERSION) && HAVE_FIPS_VERSION > 2)) { const unsigned char in[] = "abc"; unsigned char expected[] = "\xA9\x99\x3E\x36\x47\x06\x81\x6A\xBA\x3E" diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index f1d9e63cc..d91ad48a8 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c 
@@ -326,6 +326,12 @@ unsigned long wolfSSL_EVP_CIPHER_CTX_mode(const WOLFSSL_EVP_CIPHER_CTX *ctx) return ctx->flags & WOLFSSL_EVP_CIPH_MODE; } +unsigned long wolfSSL_EVP_CIPHER_CTX_flags(const WOLFSSL_EVP_CIPHER_CTX *ctx) +{ + if (ctx == NULL) return 0; + return ctx->flags; +} + int wolfSSL_EVP_EncryptFinal(WOLFSSL_EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 0eb6c57e7..c98a252e9 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3846,6 +3846,7 @@ typedef enum { STACK_TYPE_X509_OBJ = 14, STACK_TYPE_DIST_POINT = 15, STACK_TYPE_X509_CRL = 16, + STACK_TYPE_X509_NAME_ENTRY = 17, } WOLF_STACK_TYPE; struct WOLFSSL_STACK { @@ -3860,6 +3861,7 @@ struct WOLFSSL_STACK { union { WOLFSSL_X509* x509; WOLFSSL_X509_NAME* name; + WOLFSSL_X509_NAME_ENTRY* nameentry; WOLFSSL_X509_INFO* info; WOLFSSL_BIO* bio; WOLFSSL_ASN1_OBJECT* obj; @@ -3898,6 +3900,8 @@ struct WOLFSSL_X509_NAME { #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) byte raw[ASN_NAME_MAX]; int rawLen; + + WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* entries; #endif void* heap; }; diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index f4be3d2e3..f0f442452 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -245,6 +245,14 @@ enum { NID_cmac = 894, NID_dhKeyAgreement= 28, NID_rc4 = 5, + NID_bf_cbc = 91, + NID_bf_ecb = 92, + NID_bf_cfb64 = 93, + NID_bf_ofb64 = 94, + NID_cast5_cbc = 108, + NID_cast5_ecb = 109, + NID_cast5_cfb64 = 110, + NID_cast5_ofb64 = 111, EVP_PKEY_DH = NID_dhKeyAgreement, EVP_PKEY_HMAC = NID_hmac, EVP_PKEY_FALCON = 300, /* Randomly picked value. */ 
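Review bot: `wolfSSL_EVP_CIPHER_CTX_flags` returns the whole `ctx->flags` word, whereas `wolfSSL_EVP_CIPHER_CTX_mode` just above masks it with `WOLFSSL_EVP_CIPH_MODE`; whether that word carries the bits an OpenSSL caller expects from `EVP_CIPHER_CTX_flags` (the cipher's own flags) is not visible here, so the header comment should state exactly what is returned, e.g. `/* returns ctx->flags verbatim: the mode bits plus anything set via wolfSSL_EVP_CIPHER_CTX_set_flags */`. The single-line `if (ctx == NULL) return 0;` would read better braced on its own lines, consistent with the guard style elsewhere in this file if that is the convention there.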
@@ -708,6 +716,7 @@ WOLFSSL_API unsigned long WOLFSSL_CIPHER_mode(const WOLFSSL_EVP_CIPHER *cipher); WOLFSSL_API unsigned long wolfSSL_EVP_CIPHER_flags(const WOLFSSL_EVP_CIPHER *cipher); WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_set_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags); WOLFSSL_API void wolfSSL_EVP_CIPHER_CTX_clear_flags(WOLFSSL_EVP_CIPHER_CTX *ctx, int flags); +WOLFSSL_API unsigned long wolfSSL_EVP_CIPHER_CTX_flags(const WOLFSSL_EVP_CIPHER_CTX *ctx); WOLFSSL_API unsigned long wolfSSL_EVP_CIPHER_CTX_mode(const WOLFSSL_EVP_CIPHER_CTX *ctx); WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_set_padding(WOLFSSL_EVP_CIPHER_CTX *c, int pad); WOLFSSL_API int wolfSSL_EVP_add_digest(const WOLFSSL_EVP_MD *digest); diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 10958265d..69c3f6f96 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -606,11 +606,17 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define X509_NAME_entry_count wolfSSL_X509_NAME_entry_count -#define X509_NAME_ENTRY_get_object wolfSSL_X509_NAME_ENTRY_get_object #define X509_NAME_get_entry wolfSSL_X509_NAME_get_entry +#define X509_NAME_ENTRY_get_object wolfSSL_X509_NAME_ENTRY_get_object #define X509_NAME_ENTRY_get_data wolfSSL_X509_NAME_ENTRY_get_data #define X509_NAME_ENTRY_get_object wolfSSL_X509_NAME_ENTRY_get_object +#define sk_X509_NAME_ENTRY_new wolfSSL_sk_X509_NAME_ENTRY_new +#define sk_X509_NAME_ENTRY_push wolfSSL_sk_X509_NAME_ENTRY_push +#define sk_X509_NAME_ENTRY_num wolfSSL_sk_X509_NAME_ENTRY_num +#define sk_X509_NAME_ENTRY_value wolfSSL_sk_X509_NAME_ENTRY_value +#define sk_X509_NAME_ENTRY_free wolfSSL_sk_X509_NAME_ENTRY_free + #define X509_V_FLAG_CRL_CHECK WOLFSSL_CRL_CHECK #define X509_V_FLAG_CRL_CHECK_ALL WOLFSSL_CRL_CHECKALL diff --git a/wolfssl/openssl/x509_vfy.h b/wolfssl/openssl/x509_vfy.h index bb61ba0b7..410ea7cfe 100644 --- a/wolfssl/openssl/x509_vfy.h +++ b/wolfssl/openssl/x509_vfy.h 
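Review bot: After this hunk `X509_NAME_ENTRY_get_object` is defined twice with the same expansion, once on the moved line and once on the pre-existing line two entries below. Drop the leftover `#define X509_NAME_ENTRY_get_object wolfSSL_X509_NAME_ENTRY_get_object` so the mapping table stays one line per symbol.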
@@ -32,11 +32,12 @@ #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) WOLFSSL_API int wolfSSL_X509_STORE_CTX_set_purpose(WOLFSSL_X509_STORE_CTX *ctx, int purpose); + WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_flags(WOLFSSL_X509_STORE_CTX *ctx, + unsigned long flags); #endif -#ifdef WOLFSSL_QT - #define X509_STORE_CTX_set_purpose wolfSSL_X509_STORE_CTX_set_purpose -#endif +#define X509_STORE_CTX_set_purpose wolfSSL_X509_STORE_CTX_set_purpose +#define X509_STORE_CTX_set_flags wolfSSL_X509_STORE_CTX_set_flags #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 6e989d3c1..5ba219d2e 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -4382,6 +4382,16 @@ WOLFSSL_API void wolfSSL_sk_X509_NAME_pop_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* void (*f) (WOLFSSL_X509_NAME*)); WOLFSSL_API void wolfSSL_sk_X509_NAME_free(WOLF_STACK_OF(WOLFSSL_X509_NAME) *); +WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* + wolfSSL_sk_X509_NAME_ENTRY_new(wolf_sk_compare_cb); +WOLFSSL_API int wolfSSL_sk_X509_NAME_ENTRY_push(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)*, + WOLFSSL_X509_NAME_ENTRY*); +WOLFSSL_API WOLFSSL_X509_NAME_ENTRY* + wolfSSL_sk_X509_NAME_ENTRY_value(const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)*, int); +WOLFSSL_API int wolfSSL_sk_X509_NAME_ENTRY_num(const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)*); +WOLFSSL_API void wolfSSL_sk_X509_NAME_ENTRY_free(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY) *); + + WOLFSSL_API int wolfSSL_sk_X509_OBJECT_num(const WOLF_STACK_OF(WOLFSSL_X509_OBJECT) *s); WOLFSSL_API int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio,WOLFSSL_X509_NAME* name,int indent, diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index d50eb59b3..25fd42233 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
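Review bot: The `X509_STORE_CTX_set_purpose` and `X509_STORE_CTX_set_flags` macros are now defined unconditionally, but their `wolfSSL_` prototypes are still declared only under `#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)`, and per the `src/ssl.c` hunk the definitions exist only when `NO_WOLFSSL_STUB` is not set. A build with `OPENSSL_EXTRA` alone that uses either macro would get an implicit declaration or an unresolved symbol instead of a clear compile error. Keep the two `#define`s inside the same `#if` block, i.e. move them above that `#endif`.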
@@ -748,6 +748,9 @@ enum NID_sha512 = 674, NID_sha512_224 = 1094, NID_sha512_256 = 1095, + NID_pkcs7_signed = 22, + NID_pkcs7_enveloped = 23, + NID_pkcs7_signedAndEnveloped = 24, NID_pkcs9_unstructuredName = 49, NID_pkcs9_contentType = 50, /* 1.2.840.113549.1.9.3 */ NID_pkcs9_challengePassword = 54, From 6615f019f513238aec0cf5c5e5b5678642e91cce Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 27 Jan 2022 11:08:08 -0800 Subject: [PATCH 2/3] Improved `HMAC_Init` error logging and code comment for FIPS failure on `wc_HmacSetKey` call. --- src/ssl.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 47752eb77..d9a1cccd7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -36194,6 +36194,9 @@ int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen, hmac_error = wc_HmacSetKey(&ctx->hmac, ctx->type, (const byte*)key, (word32)keylen); if (hmac_error < 0){ + /* in FIPS mode a key < 14 characters will fail here */ + WOLFSSL_MSG("hmac set key error"); + WOLFSSL_ERROR(hmac_error); wc_HmacFree(&ctx->hmac); return WOLFSSL_FAILURE; } @@ -36218,7 +36221,9 @@ int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen, WC_HMAC_BLOCK_SIZE); if ((hmac_error = _HMAC_Init(&ctx->hmac, ctx->hmac.macType, heap)) !=0) { - return hmac_error; + WOLFSSL_MSG("hmac init error"); + WOLFSSL_ERROR(hmac_error); + return WOLFSSL_FAILURE; } } } From c69010adef22a879b92df50db79bebd4c1f30646 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 28 Jan 2022 09:21:01 -0800 Subject: [PATCH 3/3] Peer review feedback. --- src/ssl.c | 10 +++++++--- wolfssl/internal.h | 2 +- wolfssl/ssl.h | 12 ++++++------ 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index d9a1cccd7..f7621b2c3 100644 --- a/src/ssl.c +++ b/src/ssl.c 
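Review bot: The new comment `/* in FIPS mode a key < 14 characters will fail here */` measures the key in characters, but `keylen` is a byte count cast to `word32`, and the reason for the limit is not stated; write `/* FIPS builds reject HMAC keys shorter than 14 bytes (112 bits) in wc_HmacSetKey */` so the next reader does not try to satisfy it with ASCII padding. In the second hunk, the `_HMAC_Init` failure path now returns `WOLFSSL_FAILURE` but, unlike the `wc_HmacSetKey` path right above it, does not call `wc_HmacFree(&ctx->hmac)` before returning; if `_HMAC_Init` can leave allocated state behind, that is a leak, so confirm or add the free. The enclosing `wolfSSL_HMAC_Init` starts before these hunks.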
@@ -31487,7 +31487,7 @@ void* wolfSSL_sk_value(const WOLFSSL_STACK* sk, int i) case STACK_TYPE_X509_NAME: return (void*)sk->data.name; case STACK_TYPE_X509_NAME_ENTRY: - return (void*)sk->data.nameentry; + return (void*)sk->data.name_entry; case STACK_TYPE_CONF_VALUE: return (void*)sk->data.conf; case STACK_TYPE_X509_INFO: @@ -48127,22 +48127,26 @@ WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* wolfSSL_sk_X509_NAME_ENTRY_new( } return sk; } + int wolfSSL_sk_X509_NAME_ENTRY_push(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk, - WOLFSSL_X509_NAME_ENTRY* nameentry) + WOLFSSL_X509_NAME_ENTRY* name_entry) { - return wolfSSL_sk_push(sk, nameentry); + return wolfSSL_sk_push(sk, name_entry); } + WOLFSSL_X509_NAME_ENTRY* wolfSSL_sk_X509_NAME_ENTRY_value( const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk, int i) { return (WOLFSSL_X509_NAME_ENTRY*)wolfSSL_sk_value(sk, i); } + int wolfSSL_sk_X509_NAME_ENTRY_num(const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk) { if (sk == NULL) return BAD_FUNC_ARG; return (int)sk->num; } + void wolfSSL_sk_X509_NAME_ENTRY_free(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk) { wolfSSL_sk_free(sk); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c98a252e9..e90ff9ceb 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3861,7 +3861,7 @@ struct WOLFSSL_STACK { union { WOLFSSL_X509* x509; WOLFSSL_X509_NAME* name; - WOLFSSL_X509_NAME_ENTRY* nameentry; + WOLFSSL_X509_NAME_ENTRY* name_entry; WOLFSSL_X509_INFO* info; WOLFSSL_BIO* bio; WOLFSSL_ASN1_OBJECT* obj; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 5ba219d2e..02815ab4d 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
@@ -4383,13 +4383,13 @@ WOLFSSL_API void wolfSSL_sk_X509_NAME_pop_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* WOLFSSL_API void wolfSSL_sk_X509_NAME_free(WOLF_STACK_OF(WOLFSSL_X509_NAME) *); WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* - wolfSSL_sk_X509_NAME_ENTRY_new(wolf_sk_compare_cb); -WOLFSSL_API int wolfSSL_sk_X509_NAME_ENTRY_push(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)*, - WOLFSSL_X509_NAME_ENTRY*); + wolfSSL_sk_X509_NAME_ENTRY_new(wolf_sk_compare_cb cb); +WOLFSSL_API int wolfSSL_sk_X509_NAME_ENTRY_push(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk, + WOLFSSL_X509_NAME_ENTRY* name_entry); WOLFSSL_API WOLFSSL_X509_NAME_ENTRY* - wolfSSL_sk_X509_NAME_ENTRY_value(const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)*, int); -WOLFSSL_API int wolfSSL_sk_X509_NAME_ENTRY_num(const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)*); -WOLFSSL_API void wolfSSL_sk_X509_NAME_ENTRY_free(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY) *); + wolfSSL_sk_X509_NAME_ENTRY_value(const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk, int i); +WOLFSSL_API int wolfSSL_sk_X509_NAME_ENTRY_num(const WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk); +WOLFSSL_API void wolfSSL_sk_X509_NAME_ENTRY_free(WOLF_STACK_OF(WOLFSSL_X509_NAME_ENTRY)* sk); WOLFSSL_API int wolfSSL_sk_X509_OBJECT_num(const WOLF_STACK_OF(WOLFSSL_X509_OBJECT) *s);