Increased security for WOLFSSL_NO_TRUSTED_CERTS_VERIFY workaround so it only applies to OCSP. Fix for the workaround to still return date or parsing errors.

This commit is contained in:
David Garske
2017-05-26 10:01:42 -07:00
parent 1cf3530124
commit 53021a5df7


@@ -39,6 +39,7 @@ ASN Options:
* WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for sitatuon where entire cert * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for sitatuon where entire cert
chain is not loaded. This only matches on subject and public key and chain is not loaded. This only matches on subject and public key and
does not perform a PKI validation, so it is not a secure solution. does not perform a PKI validation, so it is not a secure solution.
Only enabled for OCSP.
*/ */
#ifndef NO_ASN #ifndef NO_ASN
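Review bot: The option comment still spells "sitatuon" on the new side of this hunk, and since the commit is already editing this comment it is the natural place to fix it. Suggest `* WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert`. The rest of the comment text is unchanged.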
@@ -4109,10 +4110,10 @@ static int GetValidity(DecodedCert* cert, int verify)
if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
if (GetDate(cert, BEFORE) < 0 && verify) if (GetDate(cert, BEFORE) < 0 && verify != NO_VERIFY)
badDate = ASN_BEFORE_DATE_E; /* continue parsing */ badDate = ASN_BEFORE_DATE_E; /* continue parsing */
if (GetDate(cert, AFTER) < 0 && verify) if (GetDate(cert, AFTER) < 0 && verify != NO_VERIFY)
return ASN_AFTER_DATE_E; return ASN_AFTER_DATE_E;
if (badDate != 0) if (badDate != 0)
@@ -6036,7 +6037,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
/* alternate lookup method using subject and match on public key */ /* alternate lookup method using subject and match on public key */
#ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY #ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY
if (cert->ca == NULL) { if (cert->ca == NULL && verify == VERIFY_OCSP) {
if (cert->extSubjKeyIdSet) { if (cert->extSubjKeyIdSet) {
cert->ca = GetCA(cm, cert->extSubjKeyId); cert->ca = GetCA(cm, cert->extSubjKeyId);
} }
@@ -6047,7 +6048,8 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
if ((cert->ca->pubKeySize == cert->pubKeySize) && if ((cert->ca->pubKeySize == cert->pubKeySize) &&
(XMEMCMP(cert->ca->publicKey, cert->publicKey, (XMEMCMP(cert->ca->publicKey, cert->publicKey,
cert->ca->pubKeySize) == 0)) { cert->ca->pubKeySize) == 0)) {
return 0; ret = 0; /* success */
goto exit_pcr;
} }
} }
} }
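Review bot: The new `goto exit_pcr` on the success path jumps past the signature-confirmation block later in ParseCertRelative (the exit_pcr label sits after it), so a certificate whose subject and public key match a loaded CA is accepted without ConfirmSignature ever running; that is the documented intent of the workaround, but nothing at the jump site says so. Suggest `ret = 0; /* subject+key matched a loaded CA: skip signature check; exit_pcr still reports badDate */`. The NULL check on cert->ca that must precede the `cert->ca->pubKeySize` read is outside this hunk, so I could not confirm it here. ParseCertRelative starts and ends outside the hunk.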
@@ -6091,7 +6093,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) { if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
if (cert->ca) { if (cert->ca) {
if (verify == VERIFY) { if (verify == VERIFY || verify == VERIFY_OCSP) {
/* try to confirm/verify signature */ /* try to confirm/verify signature */
if ((ret = ConfirmSignature(&cert->sigCtx, if ((ret = ConfirmSignature(&cert->sigCtx,
cert->source + cert->certBegin, cert->source + cert->certBegin,
@@ -6121,6 +6123,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
} }
} }
exit_pcr:
if (badDate != 0) if (badDate != 0)
return badDate; return badDate;
@@ -10189,8 +10192,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
InitDecodedCert(&cert, resp->cert, resp->certSz, heap); InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
/* Don't verify if we don't have access to Cert Manager. */ /* Don't verify if we don't have access to Cert Manager. */
ret = ParseCertRelative(&cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY, ret = ParseCertRelative(&cert, CERT_TYPE,
cm); noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
if (ret < 0) { if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
FreeDecodedCert(&cert); FreeDecodedCert(&cert);
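Review bot: The comment above the ParseCertRelative call only explains the NO_VERIFY case, while the new VERIFY_OCSP value is what enables the WOLFSSL_NO_TRUSTED_CERTS_VERIFY subject/key-match fallback in ParseCertRelative, which is the security-relevant consequence of this change. Suggest extending it: `/* Don't verify if we don't have access to Cert Manager. VERIFY_OCSP also enables the WOLFSSL_NO_TRUSTED_CERTS_VERIFY subject/key match fallback (no PKI validation). */`. With the exit_pcr change, a date error on the responder certificate is now reported through ret, which this `if (ret < 0)` branch handles. DecodeBasicOcspResponse starts and ends outside the hunk.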