From b798c5f3a059387026061f22958be590f8b1d639 Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Thu, 15 Sep 2022 10:07:00 -0500 Subject: [PATCH 01/10] Added wolfSSL_X509_REVOKED_get_revocationDate() --- src/x509.c | 39 +++++++++++++++++++++++++++++++++++++++ wolfssl/ssl.h | 2 ++ 2 files changed, 41 insertions(+) diff --git a/src/x509.c b/src/x509.c index d3fe112f6..693e59a41 100644 --- a/src/x509.c +++ b/src/x509.c @@ -7633,6 +7633,45 @@ int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, return WOLFSSL_SUCCESS; } +/* Retrieve the revocation date from RevokedCert + * return WOLFSSL_SUCCESS on success + */ +int wolfSSL_X509_REVOKED_get_revocationDate(RevokedCert* rev, + byte* in, int* inOutSz) +{ + char tmp[MAX_DATE_SIZE]; + + WOLFSSL_ENTER("wolfSSL_X509_REVOKED_get_revocationDate"); + + if ((rev == NULL) || (in == NULL) || (inOutSz == NULL)) { + return (BAD_FUNC_ARG); + } + + if (*inOutSz < MAX_DATE_SIZE) { + return (BAD_FUNC_ARG); + } + + if (rev->revDate[0] != 0) { + if (GetTimeString(rev->revDate, ASN_UTC_TIME, + tmp, MAX_DATE_SIZE) != WOLFSSL_SUCCESS) { + if (GetTimeString(rev->revDate, ASN_GENERALIZED_TIME, + tmp, MAX_DATE_SIZE) != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Error getting revocation date"); + + return (WOLFSSL_FAILURE); + } + } + } + else { + XSTRNCPY(tmp, "Not Set", MAX_DATE_SIZE-1); + } + + *inOutSz = XSTRLEN (tmp); + XMEMCPY(in, tmp, *inOutSz); + + return (WOLFSSL_SUCCESS); +} + /* print serial number out * return WOLFSSL_SUCCESS on success */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 66127b14d..e3fc7d92f 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2897,6 +2897,8 @@ WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_CRL_get_issuer_name( WOLFSSL_X509_CRL *crl); WOLFSSL_API int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, byte* in, int* inOutSz); +WOLFSSL_API int wolfSSL_X509_REVOKED_get_revocationDate(RevokedCert* rev, + byte* in, int* inOutSz); WOLFSSL_API void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl); #endif From 9117f8b51bb493b8c688534810950d4e1dc02abe Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Wed, 5 Oct 2022 10:17:39 -0500 Subject: [PATCH 02/10] Added more APIs for HaProxy integration. --- src/ocsp.c | 23 ++++++++++++++++++++ src/x509.c | 22 +++++++++---------- tests/api.c | 49 ++++++++++++++++++++++++++++++++++++++++++ wolfssl/ocsp.h | 4 ++++ wolfssl/openssl/ocsp.h | 1 + wolfssl/ssl.h | 2 +- 6 files changed, 89 insertions(+), 12 deletions(-) diff --git a/src/ocsp.c b/src/ocsp.c index d18e5739d..da2973918 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -1068,6 +1068,29 @@ int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** data) return id->rawCertIdSize; } +WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, + const unsigned char** derIn, + int length) +{ + if ((derIn == NULL) || (length == 0)) + return (NULL); + + if (*cidOut != NULL) { + XMEMCPY ((*cidOut)->rawCertId, *derIn, length); + (*cidOut)->rawCertIdSize = length; + } + else { + *cidOut = (WOLFSSL_OCSP_CERTID*)XMALLOC(length, NULL, DYNAMIC_TYPE_OPENSSL); + if (*cidOut == NULL) { + return (NULL); + } + XMEMCPY ((*cidOut)->rawCertId, *derIn, length); + (*cidOut)->rawCertIdSize = length; + } + + return (*cidOut); +} + const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single) { return single; diff --git a/src/x509.c b/src/x509.c index 693e59a41..8bde060ee 100644 --- a/src/x509.c +++ b/src/x509.c @@ -8052,23 +8052,23 @@ void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl) #endif /* HAVE_CRL && (OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL) */ #ifdef OPENSSL_EXTRA -#ifndef NO_WOLFSSL_STUB WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) { - (void)crl; - WOLFSSL_STUB("X509_CRL_get_lastUpdate"); - return 0; + if (crl->crlList->lastDate[0] != 0) { + return (WOLFSSL_ASN1_TIME*)crl->crlList->lastDate; + } + else + return NULL; } -#endif -#ifndef NO_WOLFSSL_STUB + WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_nextUpdate(WOLFSSL_X509_CRL* crl) { - (void)crl; - WOLFSSL_STUB("X509_CRL_get_nextUpdate"); - return 0; + if (crl->crlList->nextDate[0] != 0) { + return (WOLFSSL_ASN1_TIME*)crl->crlList->nextDate; + } + else + return NULL; } -#endif - #ifndef NO_WOLFSSL_STUB int wolfSSL_X509_CRL_verify(WOLFSSL_X509_CRL* crl, WOLFSSL_EVP_PKEY* key) diff --git a/tests/api.c b/tests/api.c index 02bc7e0be..0e487f9b6 100644 --- a/tests/api.c +++ b/tests/api.c @@ -48121,6 +48121,54 @@ static int test_wolfSSL_i2d_OCSP_CERTID(void) return 0; } +static int test_wolfSSL_d2i_OCSP_CERTID(void) +{ +#if (defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY)) && defined(HAVE_OCSP) + WOLFSSL_OCSP_CERTID* certId; + const unsigned char* rawCertIdPtr; + + const unsigned char rawCertId[] = { + 0x30, 0x49, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, + 0x00, 0x04, 0x14, 0x80, 0x51, 0x06, 0x01, 0x32, 0xad, 0x9a, 0xc2, 0x7d, + 0x51, 0x87, 0xa0, 0xe8, 0x87, 0xfb, 0x01, 0x62, 0x01, 0x55, 0xee, 0x04, + 0x14, 0x03, 0xde, 0x50, 0x35, 0x56, 0xd1, 0x4c, 0xbb, 0x66, 0xf0, 0xa3, + 0xe2, 0x1b, 0x1b, 0xc3, 0x97, 0xb2, 0x3d, 0xd1, 0x55, 0x02, 0x10, 0x01, + 0xfd, 0xa3, 0xeb, 0x6e, 0xca, 0x75, 0xc8, 0x88, 0x43, 0x8b, 0x72, 0x4b, + 0xcf, 0xbc, 0x91 + }; + + rawCertIdPtr = &rawCertId[0]; + + printf(testingFmt, "wolfSSL_d2i_OCSP_CERTID()"); + + /* If the cert ID is NULL the function should allocate it and copy the + * data to it. */ + certId = NULL; + certId = wolfSSL_d2i_OCSP_CERTID(&certId, &rawCertIdPtr, sizeof(rawCertId)); + + AssertNotNull(certId); + AssertIntEQ(certId->rawCertIdSize, sizeof(rawCertId)); + + XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); + + /* If the cert ID is not NULL the fucntion will just copy the data to it. */ + certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*certId), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + XMEMSET(certId, 0, sizeof(*certId)); + + certId = wolfSSL_d2i_OCSP_CERTID(&certId, &rawCertIdPtr, sizeof(rawCertId)); + + AssertNotNull(certId); + AssertIntEQ(certId->rawCertIdSize, sizeof(rawCertId)); + + XFREE(certId, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + printf(resultFmt, passed); +#endif + + return 0; +} + static int test_wolfSSL_OCSP_id_cmp(void) { #if defined(OPENSSL_ALL) && defined(HAVE_OCSP) @@ -59577,6 +59625,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_i2d_PrivateKey), TEST_DECL(test_wolfSSL_OCSP_id_get0_info), TEST_DECL(test_wolfSSL_i2d_OCSP_CERTID), + TEST_DECL(test_wolfSSL_d2i_OCSP_CERTID), TEST_DECL(test_wolfSSL_OCSP_id_cmp), TEST_DECL(test_wolfSSL_OCSP_SINGLERESP_get0_id), TEST_DECL(test_wolfSSL_OCSP_single_get0_status), diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h index d75e1c1d6..d9ffb6778 100644 --- a/wolfssl/ocsp.h +++ b/wolfssl/ocsp.h @@ -112,6 +112,10 @@ WOLFSSL_API int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out, WOLFSSL_API int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** data); +WOLFSSL_API +WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, + const unsigned char** derIn, + int length); WOLFSSL_API const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id( const WOLFSSL_OCSP_SINGLERESP *single); WOLFSSL_API int wolfSSL_OCSP_id_cmp(WOLFSSL_OCSP_CERTID *a, WOLFSSL_OCSP_CERTID *b); diff --git a/wolfssl/openssl/ocsp.h b/wolfssl/openssl/ocsp.h index a68ddeb25..4b2a4de04 100644 --- a/wolfssl/openssl/ocsp.h +++ b/wolfssl/openssl/ocsp.h @@ -78,6 +78,7 @@ #define i2d_OCSP_REQUEST_bio wolfSSL_i2d_OCSP_REQUEST_bio #define i2d_OCSP_CERTID wolfSSL_i2d_OCSP_CERTID +#define d2i_OCSP_CERTID wolfSSL_d2i_OCSP_CERTID #define OCSP_SINGLERESP_get0_id wolfSSL_OCSP_SINGLERESP_get0_id #define OCSP_id_cmp wolfSSL_OCSP_id_cmp #define OCSP_single_get0_status wolfSSL_OCSP_single_get0_status diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index e3fc7d92f..061b4ae31 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2898,7 +2898,7 @@ WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_CRL_get_issuer_name( WOLFSSL_API int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, byte* in, int* inOutSz); WOLFSSL_API int wolfSSL_X509_REVOKED_get_revocationDate(RevokedCert* rev, - byte* in, int* inOutSz); + byte* in, int* inOutSz); WOLFSSL_API void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl); #endif From 5cbb099dc9999d1388b5657552a6cbd3e58a5c8c Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Fri, 7 Oct 2022 15:08:11 -0500 Subject: [PATCH 03/10] Updated per PR comments. --- src/ocsp.c | 18 ++++++++------- src/x509.c | 54 +++++++++++++++---------------------------- tests/api.c | 17 +++++++++++++- wolfssl/openssl/ssl.h | 9 ++++++++ wolfssl/ssl.h | 9 ++++++-- 5 files changed, 60 insertions(+), 47 deletions(-) diff --git a/src/ocsp.c b/src/ocsp.c index da2973918..b8f9aca64 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -1072,22 +1072,24 @@ WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, const unsigned char** derIn, int length) { - if ((derIn == NULL) || (length == 0)) + if ((cidOut == NULL) || (derIn == NULL) || (length == 0)) return (NULL); - if (*cidOut != NULL) { - XMEMCPY ((*cidOut)->rawCertId, *derIn, length); - (*cidOut)->rawCertIdSize = length; - } - else { + /* If a NULL is passed we allocate the memory for the caller. */ + if (*cidOut == NULL) { *cidOut = (WOLFSSL_OCSP_CERTID*)XMALLOC(length, NULL, DYNAMIC_TYPE_OPENSSL); + if (*cidOut == NULL) { return (NULL); } - XMEMCPY ((*cidOut)->rawCertId, *derIn, length); - (*cidOut)->rawCertIdSize = length; } + XMEMCPY ((*cidOut)->rawCertId, *derIn, length); + (*cidOut)->rawCertIdSize = length; + + /* Per spec. advance past the data that is being returned to the caller. */ + *derIn = *derIn + length; + return (*cidOut); } diff --git a/src/x509.c b/src/x509.c index 8bde060ee..06fe70001 100644 --- a/src/x509.c +++ b/src/x509.c @@ -7611,7 +7611,7 @@ int wolfSSL_X509_CRL_get_signature(WOLFSSL_X509_CRL* crl, } /* Retrieve serial number from RevokedCert - * return WOLFSSL_SUCCESS on success + * return WOLFSSL_SUCCESS on success and negative values on failure */ int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, byte* in, int* inOutSz) @@ -7633,47 +7633,29 @@ int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, return WOLFSSL_SUCCESS; } -/* Retrieve the revocation date from RevokedCert - * return WOLFSSL_SUCCESS on success - */ -int wolfSSL_X509_REVOKED_get_revocationDate(RevokedCert* rev, - byte* in, int* inOutSz) +const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(const + WOLFSSL_X509_REVOKED *rev) { - char tmp[MAX_DATE_SIZE]; + WOLFSSL_ENTER("wolfSSL_X509_REVOKED_get0_serial_number"); - WOLFSSL_ENTER("wolfSSL_X509_REVOKED_get_revocationDate"); - - if ((rev == NULL) || (in == NULL) || (inOutSz == NULL)) { - return (BAD_FUNC_ARG); + if (rev != NULL) { + return rev->serialNumber; } + else + return NULL; +} - if (*inOutSz < MAX_DATE_SIZE) { - return (BAD_FUNC_ARG); - } +const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const + WOLFSSL_X509_REVOKED *rev) +{ + WOLFSSL_STUB("wolfSSL_X509_REVOKED_get0_revocation_date"); - if (rev->revDate[0] != 0) { - if (GetTimeString(rev->revDate, ASN_UTC_TIME, - tmp, MAX_DATE_SIZE) != WOLFSSL_SUCCESS) { - if (GetTimeString(rev->revDate, ASN_GENERALIZED_TIME, - tmp, MAX_DATE_SIZE) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error getting revocation date"); - - return (WOLFSSL_FAILURE); - } - } - } - else { - XSTRNCPY(tmp, "Not Set", MAX_DATE_SIZE-1); - } - - *inOutSz = XSTRLEN (tmp); - XMEMCPY(in, tmp, *inOutSz); - - return (WOLFSSL_SUCCESS); + (void) rev; + return NULL; } /* print serial number out -* return WOLFSSL_SUCCESS on success +* return WOLFSSL_SUCCESS on success */ static int X509RevokedPrintSerial(WOLFSSL_BIO* bio, RevokedCert* rev, int indent) @@ -8054,7 +8036,7 @@ void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl) #ifdef OPENSSL_EXTRA WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) { - if (crl->crlList->lastDate[0] != 0) { + if ((crl != NULL) && (crl->crlList->lastDate[0] != 0)) { return (WOLFSSL_ASN1_TIME*)crl->crlList->lastDate; } else @@ -8063,7 +8045,7 @@ WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_nextUpdate(WOLFSSL_X509_CRL* crl) { - if (crl->crlList->nextDate[0] != 0) { + if ((crl != NULL) && (crl->crlList->nextDate[0] != 0)) { return (WOLFSSL_ASN1_TIME*)crl->crlList->nextDate; } else diff --git a/tests/api.c b/tests/api.c index 0e487f9b6..23ee53f3b 100644 --- a/tests/api.c +++ b/tests/api.c @@ -48125,6 +48125,7 @@ static int test_wolfSSL_d2i_OCSP_CERTID(void) { #if (defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY)) && defined(HAVE_OCSP) WOLFSSL_OCSP_CERTID* certId; + WOLFSSL_OCSP_CERTID* certIdBad; const unsigned char* rawCertIdPtr; const unsigned char rawCertId[] = { @@ -48151,7 +48152,7 @@ static int test_wolfSSL_d2i_OCSP_CERTID(void) XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); - /* If the cert ID is not NULL the fucntion will just copy the data to it. */ + /* If the cert ID is not NULL the function will just copy the data to it. */ certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*certId), NULL, DYNAMIC_TYPE_TMP_BUFFER); XMEMSET(certId, 0, sizeof(*certId)); @@ -48163,6 +48164,20 @@ static int test_wolfSSL_d2i_OCSP_CERTID(void) XFREE(certId, NULL, DYNAMIC_TYPE_TMP_BUFFER); + /* The below tests should fail when passed bad parameters. NULL should + * always be returned. */ + certIdBad = (WOLFSSL_OCSP_CERTID*) 1; + certIdBad = wolfSSL_d2i_OCSP_CERTID(NULL, &rawCertIdPtr, sizeof(rawCertId)); + AssertNull(certIdBad); + + certIdBad = (WOLFSSL_OCSP_CERTID*) 1; + certIdBad = wolfSSL_d2i_OCSP_CERTID(&certId, NULL, sizeof(rawCertId)); + AssertNull(certIdBad); + + certIdBad = (WOLFSSL_OCSP_CERTID*) 1; + certIdBad = wolfSSL_d2i_OCSP_CERTID(&certId, &rawCertIdPtr, 0); + AssertNull(certIdBad); + printf(resultFmt, passed); #endif diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index b9b0bf9e0..090dd13f8 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -700,9 +700,14 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_CRL_free wolfSSL_X509_CRL_free #define X509_CRL_get_lastUpdate wolfSSL_X509_CRL_get_lastUpdate +#define X509_CRL_get0_lastUpdate wolfSSL_X509_CRL_get_lastUpdate #define X509_CRL_get_nextUpdate wolfSSL_X509_CRL_get_nextUpdate +#define X509_CRL_get0_nextUpdate wolfSSL_X509_CRL_get_nextUpdate #define X509_CRL_verify wolfSSL_X509_CRL_verify #define X509_CRL_get_REVOKED wolfSSL_X509_CRL_get_REVOKED +#define X509_CRL_get_issuer wolfSSL_X509_CRL_get_issuer_name +#define X509_CRL_get_signature_nid wolfSSL_X509_CRL_get_signature_nid +#define X509_CRL_get_version wolfSSL_X509_CRL_version #define X509_load_crl_file wolfSSL_X509_load_crl_file #define X509_get_X509_PUBKEY wolfSSL_X509_get_X509_PUBKEY @@ -727,6 +732,10 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_OBJECT_get0_X509 wolfSSL_X509_OBJECT_get0_X509 #define X509_OBJECT_get0_X509_CRL wolfSSL_X509_OBJECT_get0_X509_CRL +#define X509_REVOKED_get_serial_number wolfSSL_X509_REVOKED_get_serial_number +#define X509_REVOKED_get0_serialNumber wolfSSL_X509_REVOKED_get0_serial_number +#define X509_REVOKED_get0_revocationDate wolfSSL_X509_REVOKED_get0_revocation_date + #define X509_check_purpose(...) 0 #define OCSP_parse_url wolfSSL_OCSP_parse_url diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 061b4ae31..982099f85 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2897,11 +2897,16 @@ WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_CRL_get_issuer_name( WOLFSSL_X509_CRL *crl); WOLFSSL_API int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, byte* in, int* inOutSz); -WOLFSSL_API int wolfSSL_X509_REVOKED_get_revocationDate(RevokedCert* rev, - byte* in, int* inOutSz); WOLFSSL_API void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl); #endif +WOLFSSL_API +const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(const + WOLFSSL_X509_REVOKED *rev); +WOLFSSL_API +const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const + WOLFSSL_X509_REVOKED *rev); + #ifndef NO_FILESYSTEM #ifndef NO_STDIO_FILESYSTEM WOLFSSL_API WOLFSSL_X509* From 0f0496ae8f3149ae634f6661508390219343ddf7 Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Wed, 12 Oct 2022 05:27:59 -0500 Subject: [PATCH 04/10] Added WOLFSSL_ASN1_TIME to CRL --- src/crl.c | 22 +++++++++++++--------- src/ocsp.c | 6 +++--- src/x509.c | 24 ++++++++++++++---------- wolfcrypt/src/asn.c | 10 ++++++---- wolfssl/internal.h | 12 +++++------- wolfssl/openssl/ssl.h | 1 - wolfssl/wolfcrypt/asn.h | 6 ++---- 7 files changed, 43 insertions(+), 38 deletions(-) diff --git a/src/crl.c b/src/crl.c index e9609b353..0c1352442 100644 --- a/src/crl.c +++ b/src/crl.c @@ -94,10 +94,12 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE); /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE); * copy the hash here if needed for optimized comparisons */ - XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE); - XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE); - crle->lastDateFormat = dcrl->lastDateFormat; - crle->nextDateFormat = dcrl->nextDateFormat; + crle->lastDate.length = MAX_DATE_SIZE; + XMEMCPY(crle->lastDate.data, dcrl->lastDate.data, crle->lastDate.length); + crle->nextDate.length = MAX_DATE_SIZE; + XMEMCPY(crle->nextDate.data, dcrl->nextDate.data, crle->nextDate.length); + crle->lastDate.type = dcrl->lastDate.type; + crle->nextDate.type = dcrl->nextDate.type; crle->version = dcrl->version; #if defined(OPENSSL_EXTRA) crle->issuer = NULL; @@ -385,7 +387,7 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr #endif { #ifndef NO_ASN_TIME - if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) { + if (!XVALIDATE_DATE(crle->nextDate.data, crle->nextDate.type, AFTER)) { WOLFSSL_MSG("CRL next date is no longer valid"); ret = ASN_AFTER_DATE_E; } @@ -691,10 +693,12 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) XMEMSET(dupl, 0, sizeof(CRL_Entry)); XMEMCPY(dupl->issuerHash, ent->issuerHash, CRL_DIGEST_SIZE); - XMEMCPY(dupl->lastDate, ent->lastDate, MAX_DATE_SIZE); - XMEMCPY(dupl->nextDate, ent->nextDate, MAX_DATE_SIZE); - dupl->lastDateFormat = ent->lastDateFormat; - dupl->nextDateFormat = ent->nextDateFormat; + dupl->lastDate.length = MAX_DATE_SIZE; + XMEMCPY(dupl->lastDate.data, ent->lastDate.data, dupl->lastDate.length); + dupl->nextDate.length = MAX_DATE_SIZE; + XMEMCPY(dupl->nextDate.data, ent->nextDate.data, dupl->nextDate.length); + dupl->lastDate.type = ent->lastDate.type; + dupl->nextDate.type = ent->nextDate.type; #ifdef CRL_STATIC_REVOKED_LIST XMEMCPY(dupl->certs, ent->certs, ent->totalCerts*sizeof(RevokedCert)); diff --git a/src/ocsp.c b/src/ocsp.c index b8f9aca64..090da0095 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -1073,14 +1073,14 @@ WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, int length) { if ((cidOut == NULL) || (derIn == NULL) || (length == 0)) - return (NULL); + return NULL; /* If a NULL is passed we allocate the memory for the caller. */ if (*cidOut == NULL) { *cidOut = (WOLFSSL_OCSP_CERTID*)XMALLOC(length, NULL, DYNAMIC_TYPE_OPENSSL); if (*cidOut == NULL) { - return (NULL); + return NULL; } } @@ -1090,7 +1090,7 @@ WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, /* Per spec. advance past the data that is being returned to the caller. */ *derIn = *derIn + length; - return (*cidOut); + return *cidOut; } const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single) diff --git a/src/x509.c b/src/x509.c index 06fe70001..37eef4456 100644 --- a/src/x509.c +++ b/src/x509.c @@ -7645,6 +7645,7 @@ const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(const return NULL; } +#ifndef NO_WOLFSSL_STUB const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const WOLFSSL_X509_REVOKED *rev) { @@ -7653,6 +7654,7 @@ const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const (void) rev; return NULL; } +#endif /* print serial number out * return WOLFSSL_SUCCESS on success @@ -7897,10 +7899,10 @@ static int X509CRLPrintDates(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, return WOLFSSL_FAILURE; } - if (crl->crlList->lastDate[0] != 0) { - if (GetTimeString(crl->crlList->lastDate, ASN_UTC_TIME, + if (crl->crlList->lastDate.data[0] != 0) { + if (GetTimeString(crl->crlList->lastDate.data, ASN_UTC_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { - if (GetTimeString(crl->crlList->lastDate, ASN_GENERALIZED_TIME, + if (GetTimeString(crl->crlList->lastDate.data, ASN_GENERALIZED_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error getting last update date"); return WOLFSSL_FAILURE; @@ -7928,10 +7930,10 @@ static int X509CRLPrintDates(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, return WOLFSSL_FAILURE; } - if (crl->crlList->nextDate[0] != 0) { - if (GetTimeString(crl->crlList->nextDate, ASN_UTC_TIME, + if (crl->crlList->nextDate.data[0] != 0) { + if (GetTimeString(crl->crlList->nextDate.data, ASN_UTC_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { - if (GetTimeString(crl->crlList->nextDate, ASN_GENERALIZED_TIME, + if (GetTimeString(crl->crlList->nextDate.data, ASN_GENERALIZED_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error getting next update date"); return WOLFSSL_FAILURE; @@ -8036,8 +8038,9 @@ void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl) #ifdef OPENSSL_EXTRA WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) { - if ((crl != NULL) && (crl->crlList->lastDate[0] != 0)) { - return (WOLFSSL_ASN1_TIME*)crl->crlList->lastDate; + if ((crl != NULL) && (crl->crlList != NULL) && + (crl->crlList->lastDate.data[0] != 0)) { + return &crl->crlList->lastDate; } else return NULL; @@ -8045,8 +8048,9 @@ WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_nextUpdate(WOLFSSL_X509_CRL* crl) { - if ((crl != NULL) && (crl->crlList->nextDate[0] != 0)) { - return (WOLFSSL_ASN1_TIME*)crl->crlList->nextDate; + if ((crl != NULL) && (crl->crlList != NULL) && + (crl->crlList->nextDate.data[0] != 0)) { + return &crl->crlList->nextDate; } else return NULL; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e8018ea0e..40d0a043e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -35775,12 +35775,14 @@ static int ParseCRL_CertList(RevokedCert* rcert, DecodedCRL* dcrl, if (GetNameHash(buf, &idx, dcrl->issuerHash, sz) < 0) return ASN_PARSE_E; - if (GetBasicDate(buf, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0) + if (GetBasicDate(buf, &idx, dcrl->lastDate.data, + (byte*) &dcrl->lastDate.type, sz) < 0) return ASN_PARSE_E; dateIdx = idx; - if (GetBasicDate(buf, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0) + if (GetBasicDate(buf, &idx, dcrl->nextDate.data, + (byte*) &dcrl->nextDate.type, sz) < 0) { #ifndef WOLFSSL_NO_CRL_NEXT_DATE (void)dateIdx; @@ -35797,8 +35799,8 @@ static int ParseCRL_CertList(RevokedCert* rcert, DecodedCRL* dcrl, #endif { #ifndef NO_ASN_TIME - if (verify != NO_VERIFY && - !XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) { + if (verify != NO_VERIFY && !XVALIDATE_DATE(dcrl->nextDate.data, + dcrl->nextDate.type, AFTER)) { WOLFSSL_MSG("CRL after date is no longer valid"); WOLFSSL_ERROR_VERBOSE(CRL_CERT_DATE_ERR); return CRL_CERT_DATE_ERR; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 60a9dbd83..a15807c20 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2211,17 +2211,15 @@ struct CRL_Entry { byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ /* restore the hash here if needed for optimized comparisons */ - byte lastDate[MAX_DATE_SIZE]; /* last date updated */ - byte nextDate[MAX_DATE_SIZE]; /* next update date */ - byte lastDateFormat; /* last date format */ - byte nextDateFormat; /* next date format */ + WOLFSSL_ASN1_TIME lastDate; /* last date updated */ + WOLFSSL_ASN1_TIME nextDate; /* next update date */ #ifdef CRL_STATIC_REVOKED_LIST RevokedCert certs[CRL_MAX_REVOKED_CERTS]; #else - RevokedCert* certs; /* revoked cert list */ + RevokedCert* certs; /* revoked cert list */ #endif - int totalCerts; /* number on list */ - int version; /* version of certficate */ + int totalCerts; /* number on list */ + int version; /* version of certficate */ int verified; byte* toBeSigned; word32 tbsSz; diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 090dd13f8..aa5f1e6da 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -732,7 +732,6 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #define X509_OBJECT_get0_X509 wolfSSL_X509_OBJECT_get0_X509 #define X509_OBJECT_get0_X509_CRL wolfSSL_X509_OBJECT_get0_X509_CRL -#define X509_REVOKED_get_serial_number wolfSSL_X509_REVOKED_get_serial_number #define X509_REVOKED_get0_serialNumber wolfSSL_X509_REVOKED_get0_serial_number #define X509_REVOKED_get0_revocationDate wolfSSL_X509_REVOKED_get0_revocation_date diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index b8baf24cc..ed7c41d5f 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2447,10 +2447,8 @@ struct DecodedCRL { byte* signature; /* pointer into raw source, not owned */ byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */ byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ - byte lastDate[MAX_DATE_SIZE]; /* last date updated */ - byte nextDate[MAX_DATE_SIZE]; /* next update date */ - byte lastDateFormat; /* format of last date */ - byte nextDateFormat; /* format of next date */ + WOLFSSL_ASN1_TIME lastDate; /* last date updated */ + WOLFSSL_ASN1_TIME nextDate; /* next update date */ RevokedCert* certs; /* revoked cert list */ #if defined(OPENSSL_EXTRA) byte* issuer; /* full name including common name */ From 3c7f01d8533b285c2819cad006bf73528fc7f480 Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Thu, 15 Sep 2022 10:07:00 -0500 Subject: [PATCH 05/10] Added WOLFSSL_ASN1_TIME to CRL --- src/x509.c | 5 +++-- wolfssl/ssl.h | 2 ++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/src/x509.c b/src/x509.c index 37eef4456..21e2d00af 100644 --- a/src/x509.c +++ b/src/x509.c @@ -7593,7 +7593,7 @@ int wolfSSL_X509_CRL_get_signature_nid(const WOLFSSL_X509_CRL* crl) } /* Retrieve signature from CRL - * return WOLFSSL_SUCCESS on success + * return WOLFSSL_SUCCESS on success and negative values on failure */ int wolfSSL_X509_CRL_get_signature(WOLFSSL_X509_CRL* crl, unsigned char* buf, int* bufSz) @@ -7636,7 +7636,7 @@ int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(const WOLFSSL_X509_REVOKED *rev) { - WOLFSSL_ENTER("wolfSSL_X509_REVOKED_get0_serial_number"); + WOLFSSL_STUB("wolfSSL_X509_REVOKED_get0_serial_number"); if (rev != NULL) { return rev->serialNumber; @@ -7656,6 +7656,7 @@ const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const } #endif + /* print serial number out * return WOLFSSL_SUCCESS on success */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 982099f85..1b734152a 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2897,6 +2897,8 @@ WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_CRL_get_issuer_name( WOLFSSL_X509_CRL *crl); WOLFSSL_API int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, byte* in, int* inOutSz); +WOLFSSL_API int wolfSSL_X509_REVOKED_get_revocationDate(RevokedCert* rev, + byte* in, int* inOutSz); WOLFSSL_API void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl); #endif From 478b0cd4aaaf463cf44c458a0a82b846b05fcd10 Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Wed, 5 Oct 2022 10:17:39 -0500 Subject: [PATCH 06/10] Added more APIs for HaProxy integration. --- wolfssl/ssl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 1b734152a..1341a1897 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2898,7 +2898,7 @@ WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_CRL_get_issuer_name( WOLFSSL_API int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, byte* in, int* inOutSz); WOLFSSL_API int wolfSSL_X509_REVOKED_get_revocationDate(RevokedCert* rev, - byte* in, int* inOutSz); + byte* in, int* inOutSz); WOLFSSL_API void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl); #endif From dc8997d4b66456c42089d141049dd4351cf480a9 Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Fri, 7 Oct 2022 15:08:11 -0500 Subject: [PATCH 07/10] Added more APIs for HaProxy integration. --- src/x509.c | 2 +- wolfssl/ssl.h | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/src/x509.c b/src/x509.c index 21e2d00af..6a505ee82 100644 --- a/src/x509.c +++ b/src/x509.c @@ -7636,7 +7636,7 @@ int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(const WOLFSSL_X509_REVOKED *rev) { - WOLFSSL_STUB("wolfSSL_X509_REVOKED_get0_serial_number"); + WOLFSSL_ENTER("wolfSSL_X509_REVOKED_get0_serial_number"); if (rev != NULL) { return rev->serialNumber; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 1341a1897..982099f85 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2897,8 +2897,6 @@ WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_CRL_get_issuer_name( WOLFSSL_X509_CRL *crl); WOLFSSL_API int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev, byte* in, int* inOutSz); -WOLFSSL_API int wolfSSL_X509_REVOKED_get_revocationDate(RevokedCert* rev, - byte* in, int* inOutSz); WOLFSSL_API void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl); #endif From f48b736ec3bc0330871ea0171eedc7775bb89b34 Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Fri, 14 Oct 2022 17:09:35 -0500 Subject: [PATCH 08/10] Changed some WOLFSSL_ASN1_TIME handling and other fixes. --- src/crl.c | 22 +++++++++------------- src/ocsp.c | 32 ++++++++++++++++++++++---------- src/x509.c | 34 ++++++++++++++++++++++++---------- wolfcrypt/src/asn.c | 10 ++++------ wolfssl/internal.h | 10 ++++++++-- wolfssl/wolfcrypt/asn.h | 6 ++++-- 6 files changed, 71 insertions(+), 43 deletions(-) diff --git a/src/crl.c b/src/crl.c index 0c1352442..e9609b353 100644 --- a/src/crl.c +++ b/src/crl.c @@ -94,12 +94,10 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE); /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE); * copy the hash here if needed for optimized comparisons */ - crle->lastDate.length = MAX_DATE_SIZE; - XMEMCPY(crle->lastDate.data, dcrl->lastDate.data, crle->lastDate.length); - crle->nextDate.length = MAX_DATE_SIZE; - XMEMCPY(crle->nextDate.data, dcrl->nextDate.data, crle->nextDate.length); - crle->lastDate.type = dcrl->lastDate.type; - crle->nextDate.type = dcrl->nextDate.type; + XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE); + XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE); + crle->lastDateFormat = dcrl->lastDateFormat; + crle->nextDateFormat = dcrl->nextDateFormat; crle->version = dcrl->version; #if defined(OPENSSL_EXTRA) crle->issuer = NULL; @@ -387,7 +385,7 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr #endif { #ifndef NO_ASN_TIME - if (!XVALIDATE_DATE(crle->nextDate.data, crle->nextDate.type, AFTER)) { + if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) { WOLFSSL_MSG("CRL next date is no longer valid"); ret = ASN_AFTER_DATE_E; } @@ -693,12 +691,10 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) XMEMSET(dupl, 0, sizeof(CRL_Entry)); XMEMCPY(dupl->issuerHash, ent->issuerHash, CRL_DIGEST_SIZE); - dupl->lastDate.length = MAX_DATE_SIZE; - XMEMCPY(dupl->lastDate.data, ent->lastDate.data, dupl->lastDate.length); - dupl->nextDate.length = MAX_DATE_SIZE; - XMEMCPY(dupl->nextDate.data, ent->nextDate.data, dupl->nextDate.length); - dupl->lastDate.type = ent->lastDate.type; - dupl->nextDate.type = ent->nextDate.type; + XMEMCPY(dupl->lastDate, ent->lastDate, MAX_DATE_SIZE); + XMEMCPY(dupl->nextDate, ent->nextDate, MAX_DATE_SIZE); + dupl->lastDateFormat = ent->lastDateFormat; + dupl->nextDateFormat = ent->nextDateFormat; #ifdef CRL_STATIC_REVOKED_LIST XMEMCPY(dupl->certs, ent->certs, ent->totalCerts*sizeof(RevokedCert)); diff --git a/src/ocsp.c b/src/ocsp.c index 090da0095..48a02f937 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -1072,25 +1072,37 @@ WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, const unsigned char** derIn, int length) { + WOLFSSL_OCSP_CERTID *cid = NULL; + if ((cidOut == NULL) || (derIn == NULL) || (length == 0)) - return NULL; + goto err; + cid = *cidOut; /* If a NULL is passed we allocate the memory for the caller. */ - if (*cidOut == NULL) { - *cidOut = (WOLFSSL_OCSP_CERTID*)XMALLOC(length, NULL, DYNAMIC_TYPE_OPENSSL); - - if (*cidOut == NULL) { - return NULL; - } + if (!cid) { + cid = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*cid), NULL, DYNAMIC_TYPE_OPENSSL); + if (!cid) goto err; + } + else if (cid->rawCertId) { + XFREE(cid->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL); + cid->rawCertId = NULL; + cid->rawCertIdSize = 0; } - XMEMCPY ((*cidOut)->rawCertId, *derIn, length); - (*cidOut)->rawCertIdSize = length; + cid->rawCertId = (byte*)XMALLOC(length, NULL, DYNAMIC_TYPE_OPENSSL); + if (!cid->rawCertId) goto err; + XMEMCPY (cid->rawCertId, *derIn, length); + cid->rawCertIdSize = length; /* Per spec. advance past the data that is being returned to the caller. */ + *cidOut = cid; *derIn = *derIn + length; + return cid; - return *cidOut; +err: + if (cid && (!cidOut || cid != *cidOut)) + XFREE(cid, NULL, DYNAMIC_TYPE_OPENSSL); + return NULL; } const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single) diff --git a/src/x509.c b/src/x509.c index 6a505ee82..066422800 100644 --- a/src/x509.c +++ b/src/x509.c @@ -7900,10 +7900,10 @@ static int X509CRLPrintDates(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, return WOLFSSL_FAILURE; } - if (crl->crlList->lastDate.data[0] != 0) { - if (GetTimeString(crl->crlList->lastDate.data, ASN_UTC_TIME, + if (crl->crlList->lastDate[0] != 0) { + if (GetTimeString(crl->crlList->lastDate, ASN_UTC_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { - if (GetTimeString(crl->crlList->lastDate.data, ASN_GENERALIZED_TIME, + if (GetTimeString(crl->crlList->lastDate, ASN_GENERALIZED_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error getting last update date"); return WOLFSSL_FAILURE; @@ -7931,10 +7931,10 @@ static int X509CRLPrintDates(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, return WOLFSSL_FAILURE; } - if (crl->crlList->nextDate.data[0] != 0) { - if (GetTimeString(crl->crlList->nextDate.data, ASN_UTC_TIME, + if (crl->crlList->nextDate[0] != 0) { + if (GetTimeString(crl->crlList->nextDate, ASN_UTC_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { - if (GetTimeString(crl->crlList->nextDate.data, ASN_GENERALIZED_TIME, + if (GetTimeString(crl->crlList->nextDate, ASN_GENERALIZED_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error getting next update date"); return WOLFSSL_FAILURE; @@ -8040,8 +8040,15 @@ void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl) WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) { if ((crl != NULL) && (crl->crlList != NULL) && - (crl->crlList->lastDate.data[0] != 0)) { - return &crl->crlList->lastDate; + (crl->crlList->lastDate[0] != 0)) { + + /* Copy date to an ASN1_TIME struct for returning to the caller. */ + crl->crlList->lastDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (crl->crlList->lastDateAsn1.data, crl->crlList->lastDate, + crl->crlList->lastDateAsn1.length); + crl->crlList->lastDateAsn1.type = crl->crlList->lastDateFormat; + + return &crl->crlList->lastDateAsn1; } else return NULL; @@ -8050,8 +8057,15 @@ WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_nextUpdate(WOLFSSL_X509_CRL* crl) { if ((crl != NULL) && (crl->crlList != NULL) && - (crl->crlList->nextDate.data[0] != 0)) { - return &crl->crlList->nextDate; + (crl->crlList->nextDate[0] != 0)) { + + /* Copy date to an ASN1_TIME struct for returning to the caller. */ + crl->crlList->nextDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (crl->crlList->nextDateAsn1.data, crl->crlList->nextDate, + crl->crlList->nextDateAsn1.length); + crl->crlList->nextDateAsn1.type = crl->crlList->nextDateFormat; + + return &crl->crlList->nextDateAsn1; } else return NULL; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 40d0a043e..e8018ea0e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -35775,14 +35775,12 @@ static int ParseCRL_CertList(RevokedCert* rcert, DecodedCRL* dcrl, if (GetNameHash(buf, &idx, dcrl->issuerHash, sz) < 0) return ASN_PARSE_E; - if (GetBasicDate(buf, &idx, dcrl->lastDate.data, - (byte*) &dcrl->lastDate.type, sz) < 0) + if (GetBasicDate(buf, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0) return ASN_PARSE_E; dateIdx = idx; - if (GetBasicDate(buf, &idx, dcrl->nextDate.data, - (byte*) &dcrl->nextDate.type, sz) < 0) + if (GetBasicDate(buf, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0) { #ifndef WOLFSSL_NO_CRL_NEXT_DATE (void)dateIdx; @@ -35799,8 +35797,8 @@ static int ParseCRL_CertList(RevokedCert* rcert, DecodedCRL* dcrl, #endif { #ifndef NO_ASN_TIME - if (verify != NO_VERIFY && !XVALIDATE_DATE(dcrl->nextDate.data, - dcrl->nextDate.type, AFTER)) { + if (verify != NO_VERIFY && + !XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) { WOLFSSL_MSG("CRL after date is no longer valid"); WOLFSSL_ERROR_VERBOSE(CRL_CERT_DATE_ERR); return CRL_CERT_DATE_ERR; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index a15807c20..4558373f3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2211,8 +2211,14 @@ struct CRL_Entry { byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ /* restore the hash here if needed for optimized comparisons */ - WOLFSSL_ASN1_TIME lastDate; /* last date updated */ - WOLFSSL_ASN1_TIME nextDate; /* next update date */ + byte lastDate[MAX_DATE_SIZE]; /* last date updated */ + byte nextDate[MAX_DATE_SIZE]; /* next update date */ + byte lastDateFormat; /* last date format */ + byte nextDateFormat; /* next date format */ +#if defined(OPENSSL_EXTRA) + WOLFSSL_ASN1_TIME lastDateAsn1; /* last date updated */ + WOLFSSL_ASN1_TIME nextDateAsn1; /* next update date */ +#endif #ifdef CRL_STATIC_REVOKED_LIST RevokedCert certs[CRL_MAX_REVOKED_CERTS]; #else diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index ed7c41d5f..b8baf24cc 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2447,8 +2447,10 @@ struct DecodedCRL { byte* signature; /* pointer into raw source, not owned */ byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */ byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ - WOLFSSL_ASN1_TIME lastDate; /* last date updated */ - WOLFSSL_ASN1_TIME nextDate; /* next update date */ + byte lastDate[MAX_DATE_SIZE]; /* last date updated */ + byte nextDate[MAX_DATE_SIZE]; /* next update date */ + byte lastDateFormat; /* format of last date */ + byte nextDateFormat; /* format of next date */ RevokedCert* certs; /* revoked cert list */ #if defined(OPENSSL_EXTRA) byte* issuer; /* full name including common name */ From 6aff27c5c8ee96fba7f4a63a35eebeea724d8873 Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Fri, 21 Oct 2022 13:16:32 -0500 Subject: [PATCH 09/10] Resolved valgrind issue. Updated ASN1_TIME usage per feedback. Refactored wolfSSL_d2i_OCSP_CERTID per feedback. --- src/crl.c | 17 +++++++++++++++++ src/ocsp.c | 51 ++++++++++++++++++++++++++++----------------------- src/x509.c | 18 ++---------------- tests/api.c | 2 ++ 4 files changed, 49 insertions(+), 39 deletions(-) diff --git a/src/crl.c b/src/crl.c index e9609b353..e36af26ad 100644 --- a/src/crl.c +++ b/src/crl.c @@ -99,7 +99,15 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, crle->lastDateFormat = dcrl->lastDateFormat; crle->nextDateFormat = dcrl->nextDateFormat; crle->version = dcrl->version; + #if defined(OPENSSL_EXTRA) + crle->lastDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (crle->lastDateAsn1.data, crle->lastDate, crle->lastDateAsn1.length); + crle->lastDateAsn1.type = crle->lastDateFormat; + crle->nextDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (crle->nextDateAsn1.data, crle->nextDate, crle->nextDateAsn1.length); + crle->nextDateAsn1.type = crle->nextDateFormat; + crle->issuer = NULL; wolfSSL_d2i_X509_NAME(&crle->issuer, (unsigned char**)&dcrl->issuer, dcrl->issuerSz); @@ -696,6 +704,15 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) dupl->lastDateFormat = ent->lastDateFormat; dupl->nextDateFormat = ent->nextDateFormat; +#if defined(OPENSSL_EXTRA) + dupl->lastDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (dupl->lastDateAsn1.data, dupl->lastDate, dupl->lastDateAsn1.length); + dupl->lastDateAsn1.type = dupl->lastDateFormat; + dupl->nextDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (dupl->nextDateAsn1.data, dupl->nextDate, dupl->nextDateAsn1.length); + dupl->nextDateAsn1.type = dupl->nextDateFormat; +#endif + #ifdef CRL_STATIC_REVOKED_LIST XMEMCPY(dupl->certs, ent->certs, ent->totalCerts*sizeof(RevokedCert)); #else diff --git a/src/ocsp.c b/src/ocsp.c index 48a02f937..c182e0dd8 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -1074,34 +1074,39 @@ WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, { WOLFSSL_OCSP_CERTID *cid = NULL; - if ((cidOut == NULL) || (derIn == NULL) || (length == 0)) - goto err; + if ((cidOut != NULL) && (derIn != NULL) && (length > 0)) { - cid = *cidOut; - /* If a NULL is passed we allocate the memory for the caller. */ - if (!cid) { - cid = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*cid), NULL, DYNAMIC_TYPE_OPENSSL); - if (!cid) goto err; - } - else if (cid->rawCertId) { - XFREE(cid->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL); - cid->rawCertId = NULL; - cid->rawCertIdSize = 0; + cid = *cidOut; + + /* If a NULL is passed we allocate the memory for the caller. */ + if (cid == NULL) + cid = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*cid), NULL, + DYNAMIC_TYPE_OPENSSL); + else if (cid->rawCertId) { + XFREE(cid->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL); + cid->rawCertId = NULL; + cid->rawCertIdSize = 0; + } + + if (cid != NULL) { + cid->rawCertId = (byte*)XMALLOC(length, NULL, DYNAMIC_TYPE_OPENSSL); + if (cid->rawCertId != NULL) { + XMEMCPY (cid->rawCertId, *derIn, length); + cid->rawCertIdSize = length; + + /* Per spec. advance past the data that is being returned + * to the caller. */ + *cidOut = cid; + *derIn = *derIn + length; + + return cid; + } + } } - cid->rawCertId = (byte*)XMALLOC(length, NULL, DYNAMIC_TYPE_OPENSSL); - if (!cid->rawCertId) goto err; - XMEMCPY (cid->rawCertId, *derIn, length); - cid->rawCertIdSize = length; - - /* Per spec. advance past the data that is being returned to the caller. */ - *cidOut = cid; - *derIn = *derIn + length; - return cid; - -err: if (cid && (!cidOut || cid != *cidOut)) XFREE(cid, NULL, DYNAMIC_TYPE_OPENSSL); + return NULL; } diff --git a/src/x509.c b/src/x509.c index 066422800..69b2ded80 100644 --- a/src/x509.c +++ b/src/x509.c @@ -8040,14 +8040,7 @@ void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl) WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) { if ((crl != NULL) && (crl->crlList != NULL) && - (crl->crlList->lastDate[0] != 0)) { - - /* Copy date to an ASN1_TIME struct for returning to the caller. */ - crl->crlList->lastDateAsn1.length = MAX_DATE_SIZE; - XMEMCPY (crl->crlList->lastDateAsn1.data, crl->crlList->lastDate, - crl->crlList->lastDateAsn1.length); - crl->crlList->lastDateAsn1.type = crl->crlList->lastDateFormat; - + (crl->crlList->lastDateAsn1.data[0] != 0)) { return &crl->crlList->lastDateAsn1; } else @@ -8057,14 +8050,7 @@ WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_nextUpdate(WOLFSSL_X509_CRL* crl) { if ((crl != NULL) && (crl->crlList != NULL) && - (crl->crlList->nextDate[0] != 0)) { - - /* Copy date to an ASN1_TIME struct for returning to the caller. */ - crl->crlList->nextDateAsn1.length = MAX_DATE_SIZE; - XMEMCPY (crl->crlList->nextDateAsn1.data, crl->crlList->nextDate, - crl->crlList->nextDateAsn1.length); - crl->crlList->nextDateAsn1.type = crl->crlList->nextDateFormat; - + (crl->crlList->nextDateAsn1.data[0] != 0)) { return &crl->crlList->nextDateAsn1; } else diff --git a/tests/api.c b/tests/api.c index 23ee53f3b..4114caaec 100644 --- a/tests/api.c +++ b/tests/api.c @@ -48150,6 +48150,7 @@ static int test_wolfSSL_d2i_OCSP_CERTID(void) AssertNotNull(certId); AssertIntEQ(certId->rawCertIdSize, sizeof(rawCertId)); + XFREE(certId->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL); XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); /* If the cert ID is not NULL the function will just copy the data to it. */ @@ -48162,6 +48163,7 @@ static int test_wolfSSL_d2i_OCSP_CERTID(void) AssertNotNull(certId); AssertIntEQ(certId->rawCertIdSize, sizeof(rawCertId)); + XFREE(certId->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL); XFREE(certId, NULL, DYNAMIC_TYPE_TMP_BUFFER); /* The below tests should fail when passed bad parameters. NULL should From 19e30b081f70e5f43e630f11c99fbc3255bf826e Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Mon, 24 Oct 2022 16:27:18 -0500 Subject: [PATCH 10/10] Resolved sanitizer issue. --- src/crl.c | 12 ++++++++---- src/ocsp.c | 15 +++++++++------ tests/api.c | 2 ++ 3 files changed, 19 insertions(+), 10 deletions(-) diff --git a/src/crl.c b/src/crl.c index e36af26ad..a716e1801 100644 --- a/src/crl.c +++ b/src/crl.c @@ -102,10 +102,12 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, #if defined(OPENSSL_EXTRA) crle->lastDateAsn1.length = MAX_DATE_SIZE; - XMEMCPY (crle->lastDateAsn1.data, crle->lastDate, crle->lastDateAsn1.length); + XMEMCPY (crle->lastDateAsn1.data, crle->lastDate, + crle->lastDateAsn1.length); crle->lastDateAsn1.type = crle->lastDateFormat; crle->nextDateAsn1.length = MAX_DATE_SIZE; - XMEMCPY (crle->nextDateAsn1.data, crle->nextDate, crle->nextDateAsn1.length); + XMEMCPY (crle->nextDateAsn1.data, crle->nextDate, + crle->nextDateAsn1.length); crle->nextDateAsn1.type = crle->nextDateFormat; crle->issuer = NULL; @@ -706,10 +708,12 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) #if defined(OPENSSL_EXTRA) dupl->lastDateAsn1.length = MAX_DATE_SIZE; - XMEMCPY (dupl->lastDateAsn1.data, dupl->lastDate, dupl->lastDateAsn1.length); + XMEMCPY (dupl->lastDateAsn1.data, dupl->lastDate, + dupl->lastDateAsn1.length); dupl->lastDateAsn1.type = dupl->lastDateFormat; dupl->nextDateAsn1.length = MAX_DATE_SIZE; - XMEMCPY (dupl->nextDateAsn1.data, dupl->nextDate, dupl->nextDateAsn1.length); + XMEMCPY (dupl->nextDateAsn1.data, dupl->nextDate, + dupl->nextDateAsn1.length); dupl->nextDateAsn1.type = dupl->nextDateFormat; #endif diff --git a/src/ocsp.c b/src/ocsp.c index c182e0dd8..1141b9e22 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -1074,24 +1074,26 @@ WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, { WOLFSSL_OCSP_CERTID *cid = NULL; - if ((cidOut != NULL) && (derIn != NULL) && (length > 0)) { + if ((cidOut != NULL) && (derIn != NULL) && (*derIn != NULL) && + (length > 0)) { cid = *cidOut; /* If a NULL is passed we allocate the memory for the caller. */ - if (cid == NULL) + if (cid == NULL) { cid = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*cid), NULL, DYNAMIC_TYPE_OPENSSL); - else if (cid->rawCertId) { + } + else if (cid->rawCertId != NULL) { XFREE(cid->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL); cid->rawCertId = NULL; cid->rawCertIdSize = 0; } if (cid != NULL) { - cid->rawCertId = (byte*)XMALLOC(length, NULL, DYNAMIC_TYPE_OPENSSL); + cid->rawCertId = (byte*)XMALLOC(length + 1, NULL, DYNAMIC_TYPE_OPENSSL); if (cid->rawCertId != NULL) { - XMEMCPY (cid->rawCertId, *derIn, length); + XMEMCPY(cid->rawCertId, *derIn, length); cid->rawCertIdSize = length; /* Per spec. advance past the data that is being returned @@ -1104,8 +1106,9 @@ WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, } } - if (cid && (!cidOut || cid != *cidOut)) + if (cid && (!cidOut || cid != *cidOut)) { XFREE(cid, NULL, DYNAMIC_TYPE_OPENSSL); + } return NULL; } diff --git a/tests/api.c b/tests/api.c index 4114caaec..709b0fb60 100644 --- a/tests/api.c +++ b/tests/api.c @@ -48158,6 +48158,8 @@ static int test_wolfSSL_d2i_OCSP_CERTID(void) DYNAMIC_TYPE_TMP_BUFFER); XMEMSET(certId, 0, sizeof(*certId)); + /* Reset rawCertIdPtr since it was push forward in the previous call. */ + rawCertIdPtr = &rawCertId[0]; certId = wolfSSL_d2i_OCSP_CERTID(&certId, &rawCertIdPtr, sizeof(rawCertId)); AssertNotNull(certId);