From 5b76a372349b68f43a582117d0270b88ecf0f2a4 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 22 Nov 2016 11:45:00 -0800 Subject: [PATCH 1/3] Add the peer cert buffer and count to the X509_STORE_CTX used for the verify callback. Fixes #627. --- src/internal.c | 5 +++++ wolfssl/ssl.h | 2 ++ wolfssl/test.h | 17 ++++++++++------- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/src/internal.c b/src/internal.c index 913dc1335..46386c242 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6861,6 +6861,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, return MEMORY_E; } #endif + XMEMSET(store, 0, sizeof(WOLFSSL_X509_STORE_CTX)); if (anyError != 0 && ret == 0) ret = anyError; @@ -6879,6 +6880,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, store->discardSessionCerts = 0; store->domain = domain; store->userCtx = ssl->verifyCbCtx; + store->certs = certs; + store->totalCerts = totalCerts; #ifdef KEEP_PEER_CERT store->current_cert = &ssl->peerCert; #else @@ -6916,6 +6919,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, store->discardSessionCerts = 0; store->domain = domain; store->userCtx = ssl->verifyCbCtx; + store->certs = certs; + store->totalCerts = totalCerts; #ifdef KEEP_PEER_CERT store->current_cert = &ssl->peerCert; #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 30ff64912..0b7507fe7 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -175,6 +175,8 @@ typedef struct WOLFSSL_X509_STORE_CTX { int error; /* current error */ int error_depth; /* cert depth for this error */ int discardSessionCerts; /* so verify callback can flag for discard */ + int totalCerts; /* number of peer cert buffers */ + struct buffer* certs; /* peer certs */ } WOLFSSL_X509_STORE_CTX; diff --git a/wolfssl/test.h b/wolfssl/test.h index b6833009e..ec33cca71 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h 
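Review bot: The new `XMEMSET(store, 0, sizeof(WOLFSSL_X509_STORE_CTX));` sits after the `#endif`, so it appears to cover both the stack and the allocated form of `store`, which is what keeps the new `certs`/`totalCerts` fields zero on every path that does not assign them; it should therefore stay ahead of every use of `store`. As a point of style, `XMEMSET(store, 0, sizeof(*store));` ties the size to the object rather than to a type name and survives a later change of `store`'s type. The allocation the memset follows, and the rest of DoCertificate, are outside this hunk.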
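Review bot: `store->certs = certs;` hands the verify callback a pointer whose lifetime the hunk does not establish — `certs` and `totalCerts` are DoCertificate names declared outside the hunk, and if `certs` is a local array of DoCertificate (as the bare name suggests) the pointer is dangling the moment the callback returns, so a callback that stashes `store->certs` for later use would read freed stack. The same two lines are added at the second callback site (`@@ -6916`), which has the same exposure. A comment at the assignment should pin the contract, e.g. `/* borrowed: certs is valid only for the duration of the verify callback; the callback must copy any DER it keeps */`. DoCertificate begins and ends outside this hunk.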
@@ -371,7 +371,7 @@ static INLINE WC_NORETURN void err_sys(const char* msg) * msg pointer can be null even when hardcoded and then it won't exit, * making null pointer checks above the err_sys() call useless. * We could just always exit() but some compilers will complain about no - * possible return, with gcc we know the attribute to handle that with + * possible return, with gcc we know the attribute to handle that with * WC_NORETURN. */ if (msg) #endif @@ -1143,17 +1143,20 @@ static INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store) wolfSSL_X509_get_issuer_name(peer), 0, 0); char* subject = wolfSSL_X509_NAME_oneline( wolfSSL_X509_get_subject_name(peer), 0, 0); - printf("peer's cert info:\n issuer : %s\n subject: %s\n", issuer, + printf("\tPeer's cert info:\n issuer : %s\n subject: %s\n", issuer, subject); XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL); } else - printf("peer has no cert!\n"); + printf("\tPeer has no cert!\n"); +#else + printf("\tPeer certs: %d\n", store->totalCerts); #endif - printf("Subject's domain name is %s\n", store->domain); - printf("Allowing to continue anyway (shouldn't do this, EVER!!!)\n"); + printf("\tSubject's domain name is %s\n", store->domain); + + printf("\tAllowing to continue anyway (shouldn't do this, EVER!!!)\n"); return 1; } @@ -1267,7 +1270,7 @@ static INLINE void CaCb(unsigned char* der, int sz, int type) static INLINE int ChangeToWolfRoot(void) { - #if !defined(NO_FILESYSTEM) + #if !defined(NO_FILESYSTEM) int depth, res; XFILE file; for(depth = 0; depth <= MAX_WOLF_ROOT_DEPTH; depth++) { @@ -1286,7 +1289,7 @@ static INLINE void CaCb(unsigned char* der, int sz, int type) break; } } - + err_sys("wolf root not found"); return -1; #else From 50131b410d5d2fec01f18d82ef13760f6cb14967 Mon Sep 17 00:00:00 2001 
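Review bot: The new `printf("\tPeer certs: %d\n", store->totalCerts);` is only in the `#else` branch, so builds with the OpenSSL-compatibility API (the matching `#ifdef` is opened above the hunk and is not visible here) never print the count even though patch 1 populates `totalCerts` unconditionally. Moving that `printf` to just after the `#endif`, next to `printf("\tSubject's domain name is %s\n", store->domain);`, shows it in both configurations. myVerify's signature is outside the hunk; its closing brace is inside it.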
From: David Garske Date: Tue, 22 Nov 2016 19:24:54 -0800 Subject: [PATCH 2/3] Added new "WOLFSSL_BUFFER_INFO" type to represent internal "buffer" type and the "WOLFSSL_X509_STORE_CTX" certs. Added "VERIFY_CALLBACK_SHOW_PEER_CERTS" to print peer certs pointer and length. --- wolfssl/internal.h | 7 ++----- wolfssl/ssl.h | 7 ++++++- wolfssl/test.h | 8 ++++++++ 3 files changed, 16 insertions(+), 6 deletions(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index b29199fae..97eda6be3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1280,11 +1280,8 @@ WOLFSSL_LOCAL int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, WOLFSSL_LOCAL int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx); -/* wolfSSL buffer type */ -typedef struct buffer { - byte* buffer; - word32 length; -} buffer; +/* wolfSSL buffer type - internal uses "buffer" type */ +typedef WOLFSSL_BUFFER_INFO buffer; #ifndef NO_CERTS /* wolfSSL DER buffer */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 0b7507fe7..8404ccff2 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -166,6 +166,11 @@ typedef struct WOLFSSL_X509_OBJECT { } data; } WOLFSSL_X509_OBJECT; +typedef struct WOLFSSL_BUFFER_INFO { + unsigned char* buffer; + unsigned int length; +} WOLFSSL_BUFFER_INFO; + typedef struct WOLFSSL_X509_STORE_CTX { WOLFSSL_X509_STORE* store; /* Store full of a CA cert chain */ WOLFSSL_X509* current_cert; /* stunnel dereference */ @@ -176,7 +181,7 @@ typedef struct WOLFSSL_X509_STORE_CTX { int error_depth; /* cert depth for this error */ int discardSessionCerts; /* so verify callback can flag for discard */ int totalCerts; /* number of peer cert buffers */ - struct buffer* certs; /* peer certs */ + WOLFSSL_BUFFER_INFO* certs; /* peer certs */ } WOLFSSL_X509_STORE_CTX; diff --git a/wolfssl/test.h b/wolfssl/test.h index ec33cca71..63b245479 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h 
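Review bot: `typedef WOLFSSL_BUFFER_INFO buffer;` silently changes the internal buffer's field types from `byte*`/`word32` to `unsigned char*`/`unsigned int` (the struct added to ssl.h in this commit). Where `word32` is `unsigned int` the layout is identical, but the `word32` definition is platform-dependent and not visible here, so a target that types it differently would now have internal code and the public struct disagreeing about `length`; a comment at the typedef such as `/* must stay layout-compatible with the byte*/word32 pair it replaced; word32 is assumed to be unsigned int */` records the assumption, and a compile-time size check where the project's compiler baseline allows one would enforce it. This line also requires `WOLFSSL_BUFFER_INFO` to be declared before internal.h reaches it, i.e. internal.h must include wolfssl/ssl.h ahead of this point, which the hunk does not show.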
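Review bot: The new public `WOLFSSL_BUFFER_INFO` and the retyped `certs` field carry no ownership or validity documentation; `/* peer certs */` is all an application author gets. Since the library fills `certs` from DoCertificate's own state immediately before invoking the verify callback (patch 1), the header should state that the buffers are owned by wolfSSL, are valid only during the callback, must not be freed, and must be copied if needed afterwards, and should say what encoding they hold (presumably the certificates as received from the peer — confirm). Suggested: `WOLFSSL_BUFFER_INFO* certs; /* peer cert buffers as received; owned by wolfSSL, valid only during the verify callback, do not free */`.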
@@ -1152,6 +1152,14 @@ static INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store) printf("\tPeer has no cert!\n"); #else printf("\tPeer certs: %d\n", store->totalCerts); + #ifdef VERIFY_CALLBACK_SHOW_PEER_CERTS + { int i; + for (i=0; itotalCerts; i++) { + WOLFSSL_BUFFER_INFO* cert = &store->certs[i]; + printf("\t\tCert %d: Ptr %p, Len %u\n", i, cert->buffer, cert->length); + } + } + #endif #endif printf("\tSubject's domain name is %s\n", store->domain); From 1240014fabbb70f946ab415a4cec6b1a0c912421 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 22 Nov 2016 19:33:40 -0800 Subject: [PATCH 3/3] Fix OCSP to use public buffer type (now WOLFSSL_BUFFER_INFO). --- wolfssl/ocsp.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h index af083410b..5331245c9 100644 --- a/wolfssl/ocsp.h +++ b/wolfssl/ocsp.h @@ -35,16 +35,15 @@ extern "C" { #endif -struct buffer; typedef struct WOLFSSL_OCSP WOLFSSL_OCSP; WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*); WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic); WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*, - struct buffer* responseBuffer); + WOLFSSL_BUFFER_INFO* responseBuffer); WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp, - OcspRequest* ocspRequest, struct buffer* responseBuffer); + OcspRequest* ocspRequest, WOLFSSL_BUFFER_INFO* responseBuffer); #ifdef __cplusplus } /* extern "C" */
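Review bot: As rendered, the loop condition reads `for (i=0; itotalCerts; i++)`, which references an undeclared name `itotalCerts`; the intended test is presumably `i < store->totalCerts` and the `< store->` was likely lost when the patch was rendered, but this should be confirmed against the actual commit. The block also prints raw buffer addresses with `%p`, which has little diagnostic value and puts internal addresses into logs; printing `cert->length` alone, or a fingerprint the application computes over the bytes, would serve the debugging purpose better, e.g. `printf("\t\tCert %d: Len %u\n", i, cert->length);`. Opening the block with `{ int i;` on one line is unusual; keep the declaration on its own line. myVerify starts outside the hunk.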
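Review bot: Removing `struct buffer;` drops the forward declaration that kept ocsp.h self-contained, and the hunk shows no `#include` of the header that defines `WOLFSSL_BUFFER_INFO` (wolfssl/ssl.h); unless ocsp.h already includes it above the hunk, the two prototypes now compile only when the including file has pulled in ssl.h first. Either add `#include <wolfssl/ssl.h>` to ocsp.h's include block if it is missing, or keep the header order-independent with a tag forward declaration, `struct WOLFSSL_BUFFER_INFO;`, and spell the parameters as `struct WOLFSSL_BUFFER_INFO* responseBuffer` (the tag is declared by the typedef added in ssl.h). The rest of the header is outside the hunk.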