From 80d4e0f64454e04993a909e982df12101319196d Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Mon, 28 Jun 2021 23:36:10 +0700
Subject: [PATCH 1/6] function additions and fixes for expansion of wolfCLU
---
 src/ssl.c | 101 ++++++++++++++++++++++++++++++++++++++++++++++++--
 wolfssl/ssl.h | 5 +++
 2 files changed, 102 insertions(+), 4 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 0baa9449a..6a2498509 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -9548,6 +9548,18 @@ int wolfSSL_X509_EXTENSION_get_critical(const WOLFSSL_X509_EXTENSION* ex)
 return ex->crit;
 }
+/* Sets if the extension is critical
+ * returns WOLFSSL_SUCCESS on success
+ */
+int wolfSSL_X509_EXTENSION_set_critical(WOLFSSL_X509_EXTENSION* ex, int crit)
+{
+ WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_set_critical");
+ if (ex == NULL)
+ return WOLFSSL_FAILURE;
+ ex->crit = crit;
+ return WOLFSSL_SUCCESS;
+}
+
 /* Creates v3_ext_method for a given X509v3 extension
 *
 * ex : The X509_EXTENSION used to create v3_ext_method. If the extension is
@@ -10774,6 +10786,13 @@ WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit,
 else {
 ext->value.data = ext->value.strData;
 }
+
+ ext->obj = wolfSSL_ASN1_OBJECT_new();
+ if (!(ext->obj = wolfSSL_OBJ_nid2obj(nid))) {
+ WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_new failed");
+ goto err_cleanup;
+ }
+
 break;
 }
 case NID_subject_alt_name:
@@ -10829,6 +10848,13 @@ WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit,
 goto err_cleanup;
 }
 ext->value.type = akey->keyid->type;
+
+ ext->obj = wolfSSL_ASN1_OBJECT_new();
+ if (!(ext->obj = wolfSSL_OBJ_nid2obj(nid))) {
+ WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_new failed");
+ goto err_cleanup;
+ }
+
 }
 else if (akey->issuer) {
 ext->obj = wolfSSL_ASN1_OBJECT_dup(akey->issuer);
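Review bot: `ex->crit = crit;` stores the raw caller value, so `wolfSSL_X509_EXTENSION_get_critical` (the context just above) will hand back e.g. 5 rather than a 0/1 flag, and any caller comparing the result with 1 will misread such an extension as non-critical; `ex->crit = (crit != 0);` normalises it on the way in and matches the 0 and 1 the tests later in this series pass. The function also emits WOLFSSL_ENTER but no WOLFSSL_LEAVE on either return, unlike the changes this same commit makes to wolfSSL_X509_resign_cert.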
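Review bot: The failure message `WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_new failed")` names the wrong call: the test that fails is `wolfSSL_OBJ_nid2obj(nid)`, so anyone reading the debug log will look at the wrong function; the same text appears in the hunk at -10829. `WOLFSSL_MSG("wolfSSL_OBJ_nid2obj failed");` in both places. The `wolfSSL_ASN1_OBJECT_new()` result that the next line immediately overwrites is removed by 2/6 of this series, so it is not raised again here; whether `ext->obj` could already hold an object at this point in wolfSSL_X509V3_EXT_i2d is not visible in the hunk. The enclosing function starts and ends outside the hunk.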
@@ -10882,6 +10908,28 @@ WOLFSSL_ASN1_OBJECT* wolfSSL_X509_EXTENSION_get_object \
 return NULL;
 return ext->obj;
 }
+
+
+/**
+ * duplicates the 'obj' input and sets it into the 'ext' structure
+ * returns WOLFSSL_SUCCESS on success
+ */
+int wolfSSL_X509_EXTENSION_set_object(WOLFSSL_X509_EXTENSION* ext,
+ const WOLFSSL_ASN1_OBJECT* obj)
+{
+ WOLFSSL_ASN1_OBJECT *current;
+
+ WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_set_object");
+ if (ext == NULL)
+ return WOLFSSL_FAILURE;
+
+ current = wolfSSL_X509_EXTENSION_get_object(ext);
+ if (current != NULL) {
+ wolfSSL_ASN1_OBJECT_free(current);
+ }
+ ext->obj = wolfSSL_ASN1_OBJECT_dup((WOLFSSL_ASN1_OBJECT*)obj);
+ return WOLFSSL_SUCCESS;
+}
 #endif /* OPENSSL_ALL */
 /* Returns pointer to ASN1_STRING in X509_EXTENSION object */
@@ -10893,6 +10941,27 @@ WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data(WOLFSSL_X509_EXTENSION* ext
 return &ext->value;
 }
+
+/**
+ * Creates a duplicate of input 'data' and sets it into 'ext' structure
+ * returns WOLFSSL_SUCCESS on success
+ */
+int wolfSSL_X509_EXTENSION_set_data(WOLFSSL_X509_EXTENSION* ext,
+ WOLFSSL_ASN1_STRING* data)
+{
+ WOLFSSL_ASN1_STRING* current;
+
+ if (ext == NULL || data == NULL)
+ return WOLFSSL_FAILURE;
+
+ current = wolfSSL_X509_EXTENSION_get_data(ext);
+ if (current != NULL) {
+ wolfSSL_ASN1_STRING_free(current);
+ }
+ wolfSSL_ASN1_STRING_copy(&ext->value, data);
+ return WOLFSSL_SUCCESS;
+}
+
 #if !defined(NO_PWDBASED)
 int wolfSSL_X509_digest(const WOLFSSL_X509* x509, const WOLFSSL_EVP_MD* digest, unsigned char* buf, unsigned int* len)
@@ -40918,10 +40987,13 @@ cleanup:
 WC_RNG rng;
 (void)req;
+ WOLFSSL_ENTER("wolfSSL_X509_resign_cert");
 sigType = wolfSSL_sigTypeFromPKEY(md, pkey);
- if (sigType == WOLFSSL_FAILURE)
+ if (sigType == WOLFSSL_FAILURE) {
+ WOLFSSL_MSG("Error getting signature type from pkey");
 return WOLFSSL_FATAL_ERROR;
+ }
 /* Get the private key object and type from pkey. */
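Review bot: The result of `wolfSSL_ASN1_OBJECT_dup((WOLFSSL_ASN1_OBJECT*)obj)` is never checked, yet WOLFSSL_SUCCESS is returned unconditionally, so after an allocation failure (or a NULL `obj`, which the entry check does not reject and the dup presumably turns into NULL) the caller is told the object was set while `ext->obj` is NULL and the previous object has already been freed. `return (ext->obj != NULL) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;` reports the real outcome. Freeing `current` before the duplicate exists also means a failed dup strips the extension of the object it had; duplicating first and freeing the old one only on success keeps it intact. The cast that drops `const` from `obj` suggests wolfSSL_ASN1_OBJECT_dup takes a non-const pointer; if it only reads its argument, making its parameter const would remove the cast.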
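Review bot: `wolfSSL_ASN1_STRING_free(current)` is applied to the pointer `wolfSSL_X509_EXTENSION_get_data` returns, which the context line above shows is `&ext->value`, a member embedded in the extension rather than a separately allocated string, so this frees storage that was never allocated on its own; 5/6 of this series rewrites that block, so it is noted rather than re-proposed. The return value of `wolfSSL_ASN1_STRING_copy(&ext->value, data)` is discarded and WOLFSSL_SUCCESS is reported whether or not the copy happened (also changed in 5/6). Style: unlike `wolfSSL_X509_EXTENSION_set_object` in the previous hunk, this function has no `WOLFSSL_ENTER("wolfSSL_X509_EXTENSION_set_data");` trace line.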
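Review bot: Style: `WOLFSSL_ENTER("wolfSSL_X509_resign_cert")` is added, but the `return WOLFSSL_FATAL_ERROR;` that follows the new message leaves without a matching WOLFSSL_LEAVE, whereas the hunk at -40944 adds `WOLFSSL_LEAVE("wolfSSL_X509_resign_cert", ret);` on the wc_SignCert_ex failure path; the exits should be traced consistently, e.g. `WOLFSSL_LEAVE("wolfSSL_X509_resign_cert", WOLFSSL_FATAL_ERROR);` before that return. The enclosing function starts before and ends after both hunks.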
@@ -40944,8 +41016,10 @@ cleanup:
 return ret;
 ret = wc_SignCert_ex(certBodySz, sigType, der, derSz, type, key, &rng);
 wc_FreeRng(&rng);
- if (ret < 0)
+ if (ret < 0) {
+ WOLFSSL_LEAVE("wolfSSL_X509_resign_cert", ret);
 return ret;
+ }
 derSz = ret;
 /* Extract signature from buffer */
@@ -45187,6 +45261,19 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PrivateKey_EVP(WOLFSSL_EVP_PKEY** out,
 }
 XMEMCPY(pkey->pkey.ptr, mem, keyIdx);
 pkey->type = EVP_PKEY_EC;
+
+ pkey->ownEcc = 1;
+ pkey->ecc = wolfSSL_EC_KEY_new();
+ if (pkey->ecc == NULL) {
+ wolfSSL_EVP_PKEY_free(pkey);
+ return NULL;
+ }
+ if (wolfSSL_EC_KEY_LoadDer(pkey->ecc,
+ (const unsigned char*)pkey->pkey.ptr, pkey->pkey_sz)
+ != WOLFSSL_SUCCESS) {
+ wolfSSL_EVP_PKEY_free(pkey);
+ return NULL;
+ }
 if (out != NULL) {
 *out = pkey;
 }
@@ -53354,15 +53441,21 @@ void wolfSSL_X509_REQ_free(WOLFSSL_X509* req)
 int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, const WOLFSSL_EVP_MD *md)
 {
+ int ret;
 byte der[2048];
 int derSz = sizeof(der);
- if (req == NULL || pkey == NULL || md == NULL)
+ if (req == NULL || pkey == NULL || md == NULL) {
+ WOLFSSL_LEAVE("wolfSSL_X509_REQ_sign", BAD_FUNC_ARG);
 return WOLFSSL_FAILURE;
+ }
 /* Create a Cert that has the certificate request fields. */
 req->sigOID = wolfSSL_sigTypeFromPKEY((WOLFSSL_EVP_MD*)md, pkey);
- if (wolfssl_x509_make_der(req, 1, der, &derSz, 0) != WOLFSSL_SUCCESS) {
+ if ((ret = wolfssl_x509_make_der(req, 1, der, &derSz, 0))
+ != WOLFSSL_SUCCESS) {
+ WOLFSSL_MSG("Unable to make DER for X509");
+ WOLFSSL_LEAVE("wolfSSL_X509_REQ_sign", ret);
 return WOLFSSL_FAILURE;
 }
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 3733154d5..6e39c3674 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
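Review bot: `wolfSSL_EC_KEY_LoadDer` is given `pkey->pkey_sz` as the DER length while the context line just above copies only `keyIdx` bytes into `pkey->pkey.ptr`; the two are presumably kept equal where pkey_sz is assigned outside the hunk, but if they ever diverge the parser reads past the copied key material, so passing `keyIdx` here (or checking `pkey->pkey_sz == keyIdx` first) ties the length to the copy. Parsing the caller-supplied DER at import time instead of storing it unchecked is the right direction; both new failure paths hand `pkey` to `wolfSSL_EVP_PKEY_free`, and with `ownEcc = 1` set beforehand that should release the EC key too — worth confirming, since `pkey->ecc` is still NULL on the first of them. The enclosing function starts before the hunk.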
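Review bot: `WOLFSSL_LEAVE("wolfSSL_X509_REQ_sign", BAD_FUNC_ARG)` logs BAD_FUNC_ARG while the function returns WOLFSSL_FAILURE, so the trace and the return value disagree; log the value actually returned unless callers are meant to receive BAD_FUNC_ARG. `req->sigOID = wolfSSL_sigTypeFromPKEY((WOLFSSL_EVP_MD*)md, pkey);` still stores the lookup result unchecked, whereas wolfSSL_X509_resign_cert in this same commit now rejects WOLFSSL_FAILURE from that call; here a failed lookup is presumably carried into wolfssl_x509_make_der as the signature OID. Adding `if (req->sigOID == WOLFSSL_FAILURE) { WOLFSSL_MSG("Unable to get signature type"); return WOLFSSL_FAILURE; }` before the make_der call mirrors the other function. The hunk ends before the signing step, so the rest of wolfSSL_X509_REQ_sign is not visible here.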
@@ -1619,6 +1619,7 @@ WOLFSSL_ABI WOLFSSL_API WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(
 WOLFSSL_API unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509);
 WOLFSSL_API int wolfSSL_X509_ext_isSet_by_NID(WOLFSSL_X509*, int);
 WOLFSSL_API int wolfSSL_X509_ext_get_critical_by_NID(WOLFSSL_X509*, int);
+WOLFSSL_API int wolfSSL_X509_EXTENSION_set_critical(WOLFSSL_X509_EXTENSION*, int);
 WOLFSSL_API int wolfSSL_X509_get_isCA(WOLFSSL_X509*);
 WOLFSSL_API int wolfSSL_X509_get_isSet_pathLength(WOLFSSL_X509*);
 WOLFSSL_API unsigned int wolfSSL_X509_get_pathLength(WOLFSSL_X509*);
@@ -3856,7 +3857,11 @@ WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_new_x509_ext(void);
 #endif
 WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_X509_EXTENSION_get_object(WOLFSSL_X509_EXTENSION* ext);
+WOLFSSL_API int wolfSSL_X509_EXTENSION_set_object(WOLFSSL_X509_EXTENSION* ext,
+ const WOLFSSL_ASN1_OBJECT* obj);
 WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data(WOLFSSL_X509_EXTENSION* ext);
+WOLFSSL_API int wolfSSL_X509_EXTENSION_set_data(WOLFSSL_X509_EXTENSION* ext,
+ WOLFSSL_ASN1_STRING* data);
 #endif /* !NO_CERTS */
 WOLFSSL_API WOLFSSL_DH *wolfSSL_DSA_dup_DH(const WOLFSSL_DSA *r);
From de3416998c970ce2fac7d90c416e33d61777ea17 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Fri, 30 Jul 2021 10:45:12 -0600
Subject: [PATCH 2/6] fix for memory leak
---
 src/ssl.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 6a2498509..8730ef32b 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10787,7 +10787,6 @@ WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit,
 ext->value.data = ext->value.strData;
 }
- ext->obj = wolfSSL_ASN1_OBJECT_new();
 if (!(ext->obj = wolfSSL_OBJ_nid2obj(nid))) {
 WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_new failed");
 goto err_cleanup;
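Review bot: Style: `wolfSSL_X509_EXTENSION_set_data` declares its source as a non-const `WOLFSSL_ASN1_STRING* data`, while the adjacent `wolfSSL_X509_EXTENSION_set_object` takes `const WOLFSSL_ASN1_OBJECT* obj`; the implementation in this commit only copies out of `data`, so `const WOLFSSL_ASN1_STRING* data` would state that contract and match its sibling, provided wolfSSL_ASN1_STRING_copy accepts a const source (its prototype is not in view).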
@@ -10849,7 +10848,6 @@ WOLFSSL_X509_EXTENSION *wolfSSL_X509V3_EXT_i2d(int nid, int crit,
 }
 ext->value.type = akey->keyid->type;
- ext->obj = wolfSSL_ASN1_OBJECT_new();
 if (!(ext->obj = wolfSSL_OBJ_nid2obj(nid))) {
 WOLFSSL_MSG("wolfSSL_ASN1_OBJECT_new failed");
 goto err_cleanup;
From ff521a14e41ac5d78ce3ce19ea0a49f4e2841bd0 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Fri, 30 Jul 2021 11:03:41 -0600
Subject: [PATCH 3/6] add test case and macro mapping
---
 tests/api.c | 6 ++++++
 wolfssl/openssl/x509.h | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/tests/api.c b/tests/api.c
index 5c68a1f34..166ff2490 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -27880,6 +27880,12 @@ static void test_wolfSSL_certs(void)
 ext = X509V3_EXT_i2d(NID_basic_constraints, crit, bc);
 AssertNotNull(ext);
 X509_EXTENSION_free(ext);
+
+ AssertNotNull(ext = X509_EXTENSION_new());
+ X509_EXTENSION_set_critical(ext, 1);
+ AssertIntEQ(X509_EXTENSION_set_object(ext,
+ OBJ_nid2obj(NID_basic_constraints)), SSL_SUCCESS);
+ X509_EXTENSION_free(ext);
 #endif
 AssertIntEQ(crit, 0);
 BASIC_CONSTRAINTS_free(bc);
diff --git a/wolfssl/openssl/x509.h b/wolfssl/openssl/x509.h
index a4ab4eace..995c9ab09 100644
--- a/wolfssl/openssl/x509.h
+++ b/wolfssl/openssl/x509.h
@@ -67,4 +67,8 @@
 #define XN_FLAG_MULTILINE 0xFFFF
+#define X509_EXTENSION_set_critical wolfSSL_X509_EXTENSION_set_critical
+#define X509_EXTENSION_set_object wolfSSL_X509_EXTENSION_set_object
+#define X509_EXTENSION_set_data wolfSSL_X509_EXTENSION_set_data
+
 #endif /* WOLFSSL_OPENSSL_509_H_ */
From 3d8dc68266722df57e32351dfb26db6a29703a2a Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Wed, 4 Aug 2021 01:34:33 -0700
Subject: [PATCH 4/6] free test case object
---
 tests/api.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/tests/api.c b/tests/api.c
index 166ff2490..b9c9876c0 100644
--- a/tests/api.c
+++ b/tests/api.c
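Review bot: `X509_EXTENSION_set_critical(ext, 1);` is the only call in the new block whose return value is not asserted, and the flag is never read back, so the setter from 1/6 is executed but not actually checked; `AssertIntEQ(X509_EXTENSION_set_critical(ext, 1), SSL_SUCCESS);` followed by `AssertIntEQ(wolfSSL_X509_EXTENSION_get_critical(ext), 1);` pins both the return value and the stored flag. The object from `OBJ_nid2obj(NID_basic_constraints)` is not released in this hunk; 4/6 of this series takes care of that, so it is not re-raised.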
@@ -27802,6 +27802,7 @@ static void test_wolfSSL_certs(void)
 #ifdef OPENSSL_ALL
 X509* x509;
 WOLFSSL_X509_EXTENSION* ext;
+ ASN1_OBJECT* obj;
 #endif
 WOLFSSL* ssl;
 WOLFSSL_CTX* ctx;
@@ -27883,8 +27884,9 @@ static void test_wolfSSL_certs(void)
 AssertNotNull(ext = X509_EXTENSION_new());
 X509_EXTENSION_set_critical(ext, 1);
- AssertIntEQ(X509_EXTENSION_set_object(ext,
- OBJ_nid2obj(NID_basic_constraints)), SSL_SUCCESS);
+ AssertNotNull(obj = OBJ_nid2obj(NID_basic_constraints));
+ AssertIntEQ(X509_EXTENSION_set_object(ext, obj), SSL_SUCCESS);
+ ASN1_OBJECT_free(obj);
 X509_EXTENSION_free(ext);
 #endif
 AssertIntEQ(crit, 0);
From 83d39932bba3bfe70843e1edc7d72c1868db1bd9 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Fri, 27 Aug 2021 11:30:44 -0600
Subject: [PATCH 5/6] add test case for X509 EXTENSION set
---
 src/ssl.c | 8 ++++----
 tests/api.c | 12 +++++++++++-
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 8730ef32b..61f3d010f 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10953,11 +10953,11 @@ int wolfSSL_X509_EXTENSION_set_data(WOLFSSL_X509_EXTENSION* ext,
 return WOLFSSL_FAILURE;
 current = wolfSSL_X509_EXTENSION_get_data(ext);
- if (current != NULL) {
- wolfSSL_ASN1_STRING_free(current);
+ if (current->length > 0 && current->data != NULL && current->isDynamic) {
+ XFREE(current->data, NULL, DYNAMIC_TYPE_OPENSSL);
 }
- wolfSSL_ASN1_STRING_copy(&ext->value, data);
- return WOLFSSL_SUCCESS;
+
+ return wolfSSL_ASN1_STRING_copy(&ext->value, data);
 }
 #if !defined(NO_PWDBASED)
diff --git a/tests/api.c b/tests/api.c
index b9c9876c0..a34a1151a 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -27877,6 +27877,8 @@ static void test_wolfSSL_certs(void)
 bc = (BASIC_CONSTRAINTS*)X509_get_ext_d2i(x509ext, NID_basic_constraints, &crit, NULL);
 AssertNotNull(bc);
+ AssertIntEQ(crit, 0);
+
 #ifdef OPENSSL_ALL
 ext = X509V3_EXT_i2d(NID_basic_constraints, crit, bc);
 AssertNotNull(ext);
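Review bot: After `XFREE(current->data, NULL, DYNAMIC_TYPE_OPENSSL);` the string still holds the freed pointer in `current->data` with `isDynamic` set, and `wolfSSL_ASN1_STRING_copy(&ext->value, data)` then operates on that same object (`current` is `&ext->value`, per the get_data context in 1/6). If the copy routine releases an existing dynamic buffer before writing — plausible for a setter on this type, not visible here — that is a double free; if it instead fails before writing, `ext->value` keeps a dangling `data` pointer that the extension's own free presumably releases again. Resetting the fields right after the XFREE, `current->data = NULL; current->isDynamic = 0; current->length = 0;`, closes both paths; if wolfSSL_ASN1_STRING_copy already handles the old buffer, the manual free should be dropped instead. The `current->length > 0` guard also skips a dynamic buffer with a zero length, which could then be leaked on overwrite.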
@@ -27888,8 +27890,16 @@ static void test_wolfSSL_certs(void)
 AssertIntEQ(X509_EXTENSION_set_object(ext, obj), SSL_SUCCESS);
 ASN1_OBJECT_free(obj);
 X509_EXTENSION_free(ext);
+
+ AssertNotNull(ext = X509_EXTENSION_new());
+ X509_EXTENSION_set_critical(ext, 0);
+ AssertIntEQ(X509_EXTENSION_set_data(ext, NULL), SSL_FAILURE);
+ asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, NID_key_usage, &crit,
+ NULL);
+ AssertIntEQ(X509_EXTENSION_set_data(ext, asn1_str), SSL_SUCCESS);
+ X509_EXTENSION_free(ext);
+
 #endif
- AssertIntEQ(crit, 0);
 BASIC_CONSTRAINTS_free(bc);
 asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, NID_key_usage, &crit,
 NULL);
From 65cfef53375c06eb137597cf06d773b7a30a4f62 Mon Sep 17 00:00:00 2001
From: JacobBarthelmeh
Date: Fri, 27 Aug 2021 14:10:06 -0600
Subject: [PATCH 6/6] fix for free with test case
---
 tests/api.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tests/api.c b/tests/api.c
index a34a1151a..2b2748b97 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -27897,6 +27897,8 @@ static void test_wolfSSL_certs(void)
 asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, NID_key_usage, &crit,
 NULL);
 AssertIntEQ(X509_EXTENSION_set_data(ext, asn1_str), SSL_SUCCESS);
+ ASN1_STRING_free(asn1_str); /* X509_EXTENSION_set_data has made a copy
+ * and X509_get_ext_d2i has created new */
 X509_EXTENSION_free(ext);
 #endif
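Review bot: `asn1_str = (ASN1_STRING*)X509_get_ext_d2i(x509ext, NID_key_usage, &crit, NULL);` is fed to `X509_EXTENSION_set_data` without an `AssertNotNull(asn1_str);` first, so a failed lookup would surface as the setter returning SSL_FAILURE — the NULL-data behaviour asserted two lines earlier — rather than pointing at the lookup. The returned string is also not released in this hunk; 6/6 of this series adds the free. `X509_EXTENSION_set_critical(ext, 0);` is again called without asserting its result or reading the flag back.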