From 57b9170ac07438479b4aa48fef0685a49fd86df8 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 27 Sep 2021 14:43:56 +0200 Subject: [PATCH 1/4] Make NID's consistent - `CTC_SHAwDSA` -> `NID_dsaWithSHA1` - `CTC_SHA256wDSA` -> `NID_dsa_with_SHA256` - `CTC_MD2wRSA` -> `NID_md2WithRSAEncryption` - `CTC_MD5wRSA` -> `NID_md5WithRSAEncryption` - `CTC_SHAwRSA` -> `NID_sha1WithRSAEncryption` - `CTC_SHA224wRSA` -> `NID_sha224WithRSAEncryption` - `CTC_SHA256wRSA` -> `NID_sha256WithRSAEncryption` - `CTC_SHA384wRSA` -> `NID_sha384WithRSAEncryption` - `CTC_SHA512wRSA` -> `NID_sha512WithRSAEncryption` - `CTC_SHA3_224wRSA` -> `NID_RSA_SHA3_224` - `CTC_SHA3_256wRSA` -> `NID_RSA_SHA3_256` - `CTC_SHA3_384wRSA` -> `NID_RSA_SHA3_384` - `CTC_SHA3_512wRSA` -> `NID_RSA_SHA3_512` - `CTC_SHAwECDSA` -> `NID_ecdsa_with_SHA1` - `CTC_SHA224wECDSA` -> `NID_ecdsa_with_SHA224` - `CTC_SHA256wECDSA` -> `NID_ecdsa_with_SHA256` - `CTC_SHA384wECDSA` -> `NID_ecdsa_with_SHA384` - `CTC_SHA512wECDSA` -> `NID_ecdsa_with_SHA512` - `CTC_SHA3_224wECDSA` -> `NID_ecdsa_with_SHA3_224` - `CTC_SHA3_256wECDSA` -> `NID_ecdsa_with_SHA3_256` - `CTC_SHA3_384wECDSA` -> `NID_ecdsa_with_SHA3_384` - `CTC_SHA3_512wECDSA` -> `NID_ecdsa_with_SHA3_512` - `DSAk` -> `NID_dsa` - `RSAk` -> `NID_rsaEncryption` - `ECDSAk` -> `NID_X9_62_id_ecPublicKey` --- src/internal.c | 4 +- src/ssl.c | 168 +++++++++++++++++++++--------------------- tests/api.c | 12 +-- wolfssl/internal.h | 4 + wolfssl/openssl/evp.h | 9 +++ 5 files changed, 105 insertions(+), 92 deletions(-) diff --git a/src/internal.c b/src/internal.c index 2ff7db3da..0bc9b608e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10574,7 +10574,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) ret = MEMORY_E; } else { if (!(x509->key.algor->algorithm = - wolfSSL_OBJ_nid2obj(dCert->keyOID))) { + wolfSSL_OBJ_nid2obj(oid2nid(dCert->keyOID, oidKeyType)))) { ret = PUBLIC_KEY_E; } } 
@@ -10604,7 +10604,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) #if defined(OPENSSL_ALL) wolfSSL_ASN1_OBJECT_free(x509->algor.algorithm); if (!(x509->algor.algorithm = - wolfSSL_OBJ_nid2obj(dCert->signatureOID))) { + wolfSSL_OBJ_nid2obj(oid2nid(dCert->signatureOID, oidSigType)))) { ret = PUBLIC_KEY_E; } #endif diff --git a/src/ssl.c b/src/ssl.c index d2295cb31..7b08bdc84 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -135,8 +135,6 @@ #include int SetIndividualInternal(WOLFSSL_BIGNUM* bn, mp_int* mpi); int SetIndividualExternal(WOLFSSL_BIGNUM** bn, mp_int* mpi); - int oid2nid(word32 oid, int grp); - word32 nid2oid(int nid, int grp); #endif #if defined(WOLFSSL_QT) @@ -16604,7 +16602,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) int wolfSSL_add_all_algorithms(void) { WOLFSSL_ENTER("wolfSSL_add_all_algorithms"); - if (wolfSSL_Init() == WOLFSSL_SUCCESS) + if (initRefCount != 0 || wolfSSL_Init() == WOLFSSL_SUCCESS) return WOLFSSL_SUCCESS; else return WOLFSSL_FATAL_ERROR; @@ -28828,17 +28826,17 @@ int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key) switch (key->type) { #ifndef NO_RSA case EVP_PKEY_RSA: - pk->algor->algorithm= wolfSSL_OBJ_nid2obj(RSAk); + pk->algor->algorithm= wolfSSL_OBJ_nid2obj(NID_rsaEncryption); break; #endif #ifndef NO_DSA case EVP_PKEY_DSA: - pk->algor->algorithm = wolfSSL_OBJ_nid2obj(DSAk); + pk->algor->algorithm = wolfSSL_OBJ_nid2obj(NID_dsa); break; #endif #ifdef HAVE_ECC case EVP_PKEY_EC: - pk->algor->algorithm = wolfSSL_OBJ_nid2obj(ECDSAk); + pk->algor->algorithm = wolfSSL_OBJ_nid2obj(NID_X9_62_id_ecPublicKey); break; #endif default: 
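Review bot: The new `initRefCount != 0` test in wolfSSL_add_all_algorithms reads the init counter directly, and nothing in the hunk shows the read being made under the lock that wolfSSL_Init and wolfSSL_Cleanup presumably use to update it, so a concurrent wolfSSL_Cleanup can take the count to zero right after this check reports success. The contract changes as well: a call made after initialisation no longer takes a reference, so existing callers that pair this function with wolfSSL_Cleanup() now release a reference they never took (the tests/api.c hunk later in this patch removes exactly those Cleanup calls). I would do the check with the counter's lock held and state the rule above the function, e.g. `/* Takes no reference when the library is already initialised; do not pair with wolfSSL_Cleanup() in that case. */`.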
@@ -31436,106 +31434,103 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { /* oidSigType */ #ifndef NO_DSA #ifndef NO_SHA - { CTC_SHAwDSA, CTC_SHAwDSA, oidSigType, "DSA-SHA1", "dsaWithSHA1"}, - { CTC_SHA256wDSA, CTC_SHA256wDSA, oidSigType, "dsa_with_SHA256", + { NID_dsaWithSHA1, CTC_SHAwDSA, oidSigType, "DSA-SHA1", "dsaWithSHA1"}, + { NID_dsa_with_SHA256, CTC_SHA256wDSA, oidSigType, "dsa_with_SHA256", "dsa_with_SHA256"}, #endif #endif /* NO_DSA */ #ifndef NO_RSA #ifdef WOLFSSL_MD2 - { CTC_MD2wRSA, CTC_MD2wRSA, oidSigType, "RSA-MD2", + { NID_md2WithRSAEncryption, CTC_MD2wRSA, oidSigType, "RSA-MD2", "md2WithRSAEncryption"}, #endif #ifndef NO_MD5 - { CTC_MD5wRSA, CTC_MD5wRSA, oidSigType, "RSA-MD5", + { NID_md5WithRSAEncryption, CTC_MD5wRSA, oidSigType, "RSA-MD5", "md5WithRSAEncryption"}, #endif #ifndef NO_SHA - { CTC_SHAwRSA, CTC_SHAwRSA, oidSigType, "RSA-SHA1", + { NID_sha1WithRSAEncryption, CTC_SHAwRSA, oidSigType, "RSA-SHA1", "sha1WithRSAEncryption"}, #endif #ifdef WOLFSSL_SHA224 - { CTC_SHA224wRSA, CTC_SHA224wRSA, oidSigType, "RSA-SHA224", + { NID_sha224WithRSAEncryption, CTC_SHA224wRSA, oidSigType, "RSA-SHA224", "sha224WithRSAEncryption"}, #endif #ifndef NO_SHA256 - { CTC_SHA256wRSA, CTC_SHA256wRSA, oidSigType, "RSA-SHA256", + { NID_sha256WithRSAEncryption, CTC_SHA256wRSA, oidSigType, "RSA-SHA256", "sha256WithRSAEncryption"}, #endif #ifdef WOLFSSL_SHA384 - { CTC_SHA384wRSA, CTC_SHA384wRSA, oidSigType, "RSA-SHA384", + { NID_sha384WithRSAEncryption, CTC_SHA384wRSA, oidSigType, "RSA-SHA384", "sha384WithRSAEncryption"}, #endif #ifdef WOLFSSL_SHA512 - { CTC_SHA512wRSA, CTC_SHA512wRSA, oidSigType, "RSA-SHA512", + { NID_sha512WithRSAEncryption, CTC_SHA512wRSA, oidSigType, "RSA-SHA512", "sha512WithRSAEncryption"}, #endif #ifdef WOLFSSL_SHA3 #ifndef WOLFSSL_NOSHA3_224 - { CTC_SHA3_224wRSA, CTC_SHA3_224wRSA, oidSigType, "RSA-SHA3-224", + { NID_RSA_SHA3_224, CTC_SHA3_224wRSA, oidSigType, "RSA-SHA3-224", "sha3-224WithRSAEncryption"}, #endif #ifndef WOLFSSL_NOSHA3_256 - { 
CTC_SHA3_256wRSA, CTC_SHA3_256wRSA, oidSigType, "RSA-SHA3-256", + { NID_RSA_SHA3_256, CTC_SHA3_256wRSA, oidSigType, "RSA-SHA3-256", "sha3-256WithRSAEncryption"}, #endif #ifndef WOLFSSL_NOSHA3_384 - { CTC_SHA3_384wRSA, CTC_SHA3_384wRSA, oidSigType, "RSA-SHA3-384", + { NID_RSA_SHA3_384, CTC_SHA3_384wRSA, oidSigType, "RSA-SHA3-384", "sha3-384WithRSAEncryption"}, #endif #ifndef WOLFSSL_NOSHA3_512 - { CTC_SHA3_512wRSA, CTC_SHA3_512wRSA, oidSigType, "RSA-SHA3-512", + { NID_RSA_SHA3_512, CTC_SHA3_512wRSA, oidSigType, "RSA-SHA3-512", "sha3-512WithRSAEncryption"}, #endif #endif #endif /* NO_RSA */ #ifdef HAVE_ECC #ifndef NO_SHA - { CTC_SHAwECDSA, CTC_SHAwECDSA, oidSigType, "ecdsa-with-SHA1", "shaWithECDSA"}, + { NID_ecdsa_with_SHA1, CTC_SHAwECDSA, oidSigType, "ecdsa-with-SHA1", "shaWithECDSA"}, #endif #ifdef WOLFSSL_SHA224 - { CTC_SHA224wECDSA, CTC_SHA224wECDSA, oidSigType, "ecdsa-with-SHA224","sha224WithECDSA"}, + { NID_ecdsa_with_SHA224, CTC_SHA224wECDSA, oidSigType, "ecdsa-with-SHA224","sha224WithECDSA"}, #endif #ifndef NO_SHA256 - { CTC_SHA256wECDSA, CTC_SHA256wECDSA, oidSigType, "ecdsa-with-SHA256","sha256WithECDSA"}, + { NID_ecdsa_with_SHA256, CTC_SHA256wECDSA, oidSigType, "ecdsa-with-SHA256","sha256WithECDSA"}, #endif #ifdef WOLFSSL_SHA384 - { CTC_SHA384wECDSA, CTC_SHA384wECDSA, oidSigType, "ecdsa-with-SHA384","sha384WithECDSA"}, + { NID_ecdsa_with_SHA384, CTC_SHA384wECDSA, oidSigType, "ecdsa-with-SHA384","sha384WithECDSA"}, #endif #ifdef WOLFSSL_SHA512 - { CTC_SHA512wECDSA, CTC_SHA512wECDSA, oidSigType, "ecdsa-with-SHA512","sha512WithECDSA"}, + { NID_ecdsa_with_SHA512, CTC_SHA512wECDSA, oidSigType, "ecdsa-with-SHA512","sha512WithECDSA"}, #endif #ifdef WOLFSSL_SHA3 #ifndef WOLFSSL_NOSHA3_224 - { CTC_SHA3_224wECDSA, CTC_SHA3_224wECDSA, oidSigType, "ecdsa-with-SHA3-224", - "sha3-224WithECDSA"}, + { NID_ecdsa_with_SHA3_224, CTC_SHA3_224wECDSA, oidSigType, "id-ecdsa-with-SHA3-224", + "ecdsa_with_SHA3-224"}, #endif #ifndef WOLFSSL_NOSHA3_256 - { CTC_SHA3_256wECDSA, 
CTC_SHA3_256wECDSA, oidSigType, "ecdsa-with-SHA3-256", - "sha3-256WithECDSA"}, + { NID_ecdsa_with_SHA3_256, CTC_SHA3_256wECDSA, oidSigType, "id-ecdsa-with-SHA3-256", + "ecdsa_with_SHA3-256"}, #endif #ifndef WOLFSSL_NOSHA3_384 - { CTC_SHA3_384wECDSA, CTC_SHA3_384wECDSA, oidSigType, "ecdsa-with-SHA3-384", - "sha3-384WithECDSA"}, + { NID_ecdsa_with_SHA3_384, CTC_SHA3_384wECDSA, oidSigType, "id-ecdsa-with-SHA3-384", + "ecdsa_with_SHA3-384"}, #endif #ifndef WOLFSSL_NOSHA3_512 - { CTC_SHA3_512wECDSA, CTC_SHA3_512wECDSA, oidSigType, "ecdsa-with-SHA3-512", - "sha3-512WithECDSA"}, + { NID_ecdsa_with_SHA3_512, CTC_SHA3_512wECDSA, oidSigType, "id-ecdsa-with-SHA3-512", + "ecdsa_with_SHA3-512"}, #endif #endif #endif /* HAVE_ECC */ /* oidKeyType */ #ifndef NO_DSA - { DSAk, DSAk, oidKeyType, "DSA", "dsaEncryption"}, { NID_dsa, DSAk, oidKeyType, "DSA", "dsaEncryption"}, #endif /* NO_DSA */ #ifndef NO_RSA - { RSAk, RSAk, oidKeyType, "rsaEncryption", "rsaEncryption"}, { NID_rsaEncryption, RSAk, oidKeyType, "rsaEncryption", "rsaEncryption"}, #endif /* NO_RSA */ #ifdef HAVE_ECC - { ECDSAk, ECDSAk, oidKeyType, "ECDSA", "ecdsaEncryption"}, { NID_X9_62_id_ecPublicKey, ECDSAk, oidKeyType, "id-ecPublicKey", "id-ecPublicKey"}, #endif /* HAVE_ECC */ @@ -44245,6 +44240,7 @@ err: WOLFSSL_ASN1_OBJECT* arg_obj) { word32 oidSz = 0; + int nid = 0; const byte* oid; word32 type = 0; WOLFSSL_ASN1_OBJECT* obj = arg_obj; @@ -44259,6 +44255,7 @@ err: for (i = 0; i < (int)WOLFSSL_OBJECT_INFO_SZ; i++) { if (wolfssl_object_info[i].nid == id) { + nid = id; id = wolfssl_object_info[i].id; sName = wolfssl_object_info[i].sName; type = wolfssl_object_info[i].type; @@ -44298,6 +44295,7 @@ err: return NULL; } } + obj->nid = nid; obj->type = id; obj->grp = type; 
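Review bot: The SHA-3 ECDSA rows of `wolfssl_object_info` change their short and long names as well as their NID (`"ecdsa-with-SHA3-224"` / `"sha3-224WithECDSA"` become `"id-ecdsa-with-SHA3-224"` / `"ecdsa_with_SHA3-224"`, likewise for 256, 384 and 512), and removing the `{ ECDSAk, ECDSAk, oidKeyType, "ECDSA", "ecdsaEncryption"}` row drops those two names from the table altogether; the commit message lists only the NID renames. Anything that resolves objects by name will presumably stop finding the old strings, so the renames deserve a line in the description and a comment at the rows, e.g. `/* names changed from "ecdsa-with-SHA3-*" / "sha3-*WithECDSA" */`.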
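Review bot: `obj->nid = nid` stores 0 whenever the loop found no row for `id`, because `nid` is assigned only inside the `wolfssl_object_info[i].nid == id` match, while `obj->type` and `obj->grp` are still filled from the unmatched values. Whether the function returns before that point for an unknown id lies outside these hunks, so either confirm that it does or document the field, e.g. `/* NID_undef (0) when id is not in wolfssl_object_info */`. The match is on the NID alone, without the group, so the table must never carry one NID in two groups; a test that walks `wolfssl_object_info` and asserts every `nid` is unique would catch the collisions that the second patch of this series had to find by inspecting runtime values.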
@@ -50522,54 +50520,56 @@ word32 nid2oid(int nid, int grp)
 case oidSigType:
 switch (nid) {
 #ifndef NO_DSA
- case CTC_SHAwDSA:
+ case NID_dsaWithSHA1:
 return CTC_SHAwDSA;
+ case NID_dsa_with_SHA256:
+ return CTC_SHA256wDSA;
 #endif /* NO_DSA */
 #ifndef NO_RSA
- case CTC_MD2wRSA:
+ case NID_md2WithRSAEncryption:
 return CTC_MD2wRSA;
- case CTC_MD5wRSA:
+ case NID_md5WithRSAEncryption:
 return CTC_MD5wRSA;
- case CTC_SHAwRSA:
+ case NID_sha1WithRSAEncryption:
 return CTC_SHAwRSA;
- case CTC_SHA224wRSA:
+ case NID_sha224WithRSAEncryption:
 return CTC_SHA224wRSA;
- case CTC_SHA256wRSA:
+ case NID_sha256WithRSAEncryption:
 return CTC_SHA256wRSA;
- case CTC_SHA384wRSA:
+ case NID_sha384WithRSAEncryption:
 return CTC_SHA384wRSA;
- case CTC_SHA512wRSA:
+ case NID_sha512WithRSAEncryption:
 return CTC_SHA512wRSA;
 #ifdef WOLFSSL_SHA3
- case CTC_SHA3_224wRSA:
+ case NID_RSA_SHA3_224:
 return CTC_SHA3_224wRSA;
- case CTC_SHA3_256wRSA:
+ case NID_RSA_SHA3_256:
 return CTC_SHA3_256wRSA;
- case CTC_SHA3_384wRSA:
+ case NID_RSA_SHA3_384:
 return CTC_SHA3_384wRSA;
- case CTC_SHA3_512wRSA:
+ case NID_RSA_SHA3_512:
 return CTC_SHA3_512wRSA;
 #endif
 #endif /* NO_RSA */
 #ifdef HAVE_ECC
- case CTC_SHAwECDSA:
+ case NID_ecdsa_with_SHA1:
 return CTC_SHAwECDSA;
- case CTC_SHA224wECDSA:
+ case NID_ecdsa_with_SHA224:
 return CTC_SHA224wECDSA;
- case CTC_SHA256wECDSA:
+ case NID_ecdsa_with_SHA256:
 return CTC_SHA256wECDSA;
- case CTC_SHA384wECDSA:
+ case NID_ecdsa_with_SHA384:
 return CTC_SHA384wECDSA;
- case CTC_SHA512wECDSA:
+ case NID_ecdsa_with_SHA512:
 return CTC_SHA512wECDSA;
 #ifdef WOLFSSL_SHA3
- case CTC_SHA3_224wECDSA:
+ case NID_ecdsa_with_SHA3_224:
 return CTC_SHA3_224wECDSA;
- case CTC_SHA3_256wECDSA:
+ case NID_ecdsa_with_SHA3_256:
 return CTC_SHA3_256wECDSA;
- case CTC_SHA3_384wECDSA:
+ case NID_ecdsa_with_SHA3_384:
 return CTC_SHA3_384wECDSA;
- case CTC_SHA3_512wECDSA:
+ case NID_ecdsa_with_SHA3_512:
 return CTC_SHA3_512wECDSA;
 #endif
 #endif /* HAVE_ECC */
@@ -50580,15 +50580,15 @@ word32 nid2oid(int nid, int grp)
 case oidKeyType:
 switch (nid) {
 #ifndef NO_DSA
- case DSAk:
+ case NID_dsa:
 return DSAk;
 #endif /* NO_DSA */
 #ifndef NO_RSA
- case RSAk:
+ case NID_rsaEncryption:
 return RSAk;
 #endif /* NO_RSA */
 #ifdef HAVE_ECC
- case ECDSAk:
+ case NID_X9_62_id_ecPublicKey:
 return ECDSAk;
 #endif /* HAVE_ECC */
 }
@@ -50873,56 +50873,56 @@ int oid2nid(word32 oid, int grp) switch (oid) { #ifndef NO_DSA case CTC_SHAwDSA: - return CTC_SHAwDSA; + return NID_dsaWithSHA1; case CTC_SHA256wDSA: - return CTC_SHA256wDSA; + return NID_dsa_with_SHA256; #endif /* NO_DSA */ #ifndef NO_RSA case CTC_MD2wRSA: - return CTC_MD2wRSA; + return NID_md2WithRSAEncryption; case CTC_MD5wRSA: - return CTC_MD5wRSA; + return NID_md5WithRSAEncryption; case CTC_SHAwRSA: - return CTC_SHAwRSA; + return NID_sha1WithRSAEncryption; case CTC_SHA224wRSA: - return CTC_SHA224wRSA; + return NID_sha224WithRSAEncryption; case CTC_SHA256wRSA: - return CTC_SHA256wRSA; + return NID_sha256WithRSAEncryption; case CTC_SHA384wRSA: - return CTC_SHA384wRSA; + return NID_sha384WithRSAEncryption; case CTC_SHA512wRSA: - return CTC_SHA512wRSA; + return NID_sha512WithRSAEncryption; #ifdef WOLFSSL_SHA3 case CTC_SHA3_224wRSA: - return CTC_SHA3_224wRSA; + return NID_RSA_SHA3_224; case CTC_SHA3_256wRSA: - return CTC_SHA3_256wRSA; + return NID_RSA_SHA3_256; case CTC_SHA3_384wRSA: - return CTC_SHA3_384wRSA; + return NID_RSA_SHA3_384; case CTC_SHA3_512wRSA: - return CTC_SHA3_512wRSA; + return NID_RSA_SHA3_512; #endif #endif /* NO_RSA */ #ifdef HAVE_ECC case CTC_SHAwECDSA: - return CTC_SHAwECDSA; + return NID_ecdsa_with_SHA1; case CTC_SHA224wECDSA: - return CTC_SHA224wECDSA; + return NID_ecdsa_with_SHA224; case CTC_SHA256wECDSA: - return CTC_SHA256wECDSA; + return NID_ecdsa_with_SHA256; case CTC_SHA384wECDSA: - return CTC_SHA384wECDSA; + return NID_ecdsa_with_SHA384; case CTC_SHA512wECDSA: - return CTC_SHA512wECDSA; + return NID_ecdsa_with_SHA512; #ifdef WOLFSSL_SHA3 case CTC_SHA3_224wECDSA: - return CTC_SHA3_224wECDSA; + return NID_ecdsa_with_SHA3_224; case CTC_SHA3_256wECDSA: - return CTC_SHA3_256wECDSA; + return NID_ecdsa_with_SHA3_256; case CTC_SHA3_384wECDSA: - return CTC_SHA3_384wECDSA; + return NID_ecdsa_with_SHA3_384; case CTC_SHA3_512wECDSA: - return CTC_SHA3_512wECDSA; + return NID_ecdsa_with_SHA3_512; #endif #endif /* HAVE_ECC 
*/ } @@ -50933,15 +50933,15 @@ int oid2nid(word32 oid, int grp) switch (oid) { #ifndef NO_DSA case DSAk: - return DSAk; + return NID_dsa; #endif /* NO_DSA */ #ifndef NO_RSA case RSAk: - return RSAk; + return NID_rsaEncryption; #endif /* NO_RSA */ #ifdef HAVE_ECC case ECDSAk: - return ECDSAk; + return NID_X9_62_id_ecPublicKey; #endif /* HAVE_ECC */ } break; diff --git a/tests/api.c b/tests/api.c index 727cf4948..992953fdb 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33994,6 +33994,9 @@ static void test_wolfSSL_X509_STORE_load_locations(void) AssertIntEQ(X509_STORE_load_locations(store, client_pem_file, NULL), WOLFSSL_SUCCESS); AssertIntEQ(X509_STORE_load_locations(store, NULL, certs_path), WOLFSSL_SUCCESS); + /* Clear nodes */ + wc_ClearErrorNodes(); + SSL_CTX_free(ctx); printf(resultFmt, passed); #endif @@ -36050,7 +36053,7 @@ static void test_wolfSSL_X509_ALGOR_get0(void) AssertNotNull(ppval); AssertIntNE(pptype, 0); /* Make sure NID of X509_ALGOR is Sha256 with RSA */ - AssertIntEQ(OBJ_obj2nid(obj), CTC_SHA256wRSA); + AssertIntEQ(OBJ_obj2nid(obj), NID_sha256WithRSAEncryption); X509_free(x509); @@ -36241,7 +36244,7 @@ static void test_wolfSSL_X509_PUBKEY(void) AssertNotNull(pubKey); AssertIntGT(ppklen, 0); - AssertIntEQ(OBJ_obj2nid(obj), RSAk); + AssertIntEQ(OBJ_obj2nid(obj), NID_rsaEncryption); AssertNotNull(evpKey = X509_PUBKEY_get(pubKey)); AssertNotNull(pubKey2 = X509_PUBKEY_new()); @@ -40860,13 +40863,10 @@ static void test_wolfSSL_OpenSSL_add_all_algorithms(void){ printf(testingFmt, "wolfSSL_OpenSSL_add_all_algorithms()"); AssertIntEQ(wolfSSL_add_all_algorithms(),WOLFSSL_SUCCESS); - wolfSSL_Cleanup(); AssertIntEQ(wolfSSL_OpenSSL_add_all_algorithms_noconf(),WOLFSSL_SUCCESS); - wolfSSL_Cleanup(); AssertIntEQ(wolfSSL_OpenSSL_add_all_algorithms_conf(),WOLFSSL_SUCCESS); - wolfSSL_Cleanup(); printf(resultFmt, passed); #endif 
@@ -45675,7 +45675,7 @@ static void test_X509_get_signature_nid(void) AssertIntEQ(X509_get_signature_nid(NULL), 0); AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, SSL_FILETYPE_PEM)); - AssertIntEQ(X509_get_signature_nid(x509), CTC_SHA256wRSA); + AssertIntEQ(X509_get_signature_nid(x509), NID_sha256WithRSAEncryption); X509_free(x509); printf(resultFmt, passed); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 14ca12d32..85cf2af5b 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -4964,6 +4964,10 @@ WOLFSSL_LOCAL void wolfSSL_sk_BY_DIR_entry_free(WOLF_STACK_OF(wolfSSL_BY_DIR_ent WOLFSSL_LOCAL int wolfSSL_sk_BY_DIR_entry_push(WOLF_STACK_OF(wolfSSL_BY_DIR_entry)* sk, WOLFSSL_BY_DIR_entry* in); #endif /* OPENSSL_ALL && !NO_FILESYSTEM && !NO_WOLFSSL_DIR */ +#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) +WOLFSSL_LOCAL int oid2nid(word32 oid, int grp); +WOLFSSL_LOCAL word32 nid2oid(int nid, int grp); +#endif #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index 2a2e7ed7a..142549371 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -265,6 +265,7 @@ enum { enum { NID_md5WithRSA = 104, + NID_md2WithRSAEncryption = 7, NID_md5WithRSAEncryption = 8, NID_dsaWithSHA1 = 113, NID_dsaWithSHA1_2 = 70, @@ -274,11 +275,19 @@ enum { NID_sha256WithRSAEncryption = 668, NID_sha384WithRSAEncryption = 669, NID_sha512WithRSAEncryption = 670, + NID_RSA_SHA3_224 = 1116, + NID_RSA_SHA3_256 = 1117, + NID_RSA_SHA3_384 = 1118, + NID_RSA_SHA3_512 = 1119, NID_ecdsa_with_SHA1 = 416, NID_ecdsa_with_SHA224 = 793, NID_ecdsa_with_SHA256 = 794, NID_ecdsa_with_SHA384 = 795, NID_ecdsa_with_SHA512 = 796, + NID_ecdsa_with_SHA3_224 = 1112, + NID_ecdsa_with_SHA3_256 = 1113, + NID_ecdsa_with_SHA3_384 = 1114, + NID_ecdsa_with_SHA3_512 = 1115, NID_dsa_with_SHA224 = 802, NID_dsa_with_SHA256 = 803, NID_sha3_224 = 1096, From fa3cf590d5aac049a8e1d0732b4e8905a2e9d9c7 Mon Sep 17 00:00:00 2001 
From: Juliusz Sosinowicz Date: Fri, 8 Oct 2021 13:26:28 +0200 Subject: [PATCH 2/4] Fix NID conflicts - `NID_sha224` conflicted with `NID_sha1WithRSAEncryption` - `NID_commonName` conflicted with `PBE-SHA1-3DES` - `NID_X9_62_prime239v3` conflicted with `AES128CBCb` - `NID_md5` conflicted with `NID_surname` - `NID_md2WithRSAEncryption` conflicted with `NID_localityName` - `NID_md5WithRSAEncryption` conflicted with `NID_stateOrProvinceName` NID conflicts found by examining the runtime values in `wolfssl_object_info` --- wolfssl/openssl/ec.h | 2 +- wolfssl/openssl/evp.h | 8 ++++---- wolfssl/wolfcrypt/asn.h | 3 ++- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/wolfssl/openssl/ec.h b/wolfssl/openssl/ec.h index cfc3bdb7f..253f808d2 100644 --- a/wolfssl/openssl/ec.h +++ b/wolfssl/openssl/ec.h @@ -45,7 +45,7 @@ enum { NID_X9_62_prime192v3 = 411, NID_X9_62_prime239v1 = 412, NID_X9_62_prime239v2 = 413, - NID_X9_62_prime239v3 = 414, + NID_X9_62_prime239v3 = 418, /* Previous value conflicted with AES128CBCb */ NID_X9_62_prime256v1 = 415, NID_secp112r1 = 704, NID_secp112r2 = 705, diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index 142549371..985e00b16 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -237,10 +237,10 @@ enum { AES_192_GCM_TYPE = 22, AES_256_GCM_TYPE = 23, NID_sha1 = 64, - NID_sha224 = 65, + NID_sha224 = 675, NID_md2 = 77, NID_md4 = 257, - NID_md5 = 4, + NID_md5 = 40, NID_hmac = 855, NID_cmac = 894, NID_dhKeyAgreement= 28, @@ -265,8 +265,8 @@ enum { enum { NID_md5WithRSA = 104, - NID_md2WithRSAEncryption = 7, - NID_md5WithRSAEncryption = 8, + NID_md2WithRSAEncryption = 9, + NID_md5WithRSAEncryption = 99, NID_dsaWithSHA1 = 113, NID_dsaWithSHA1_2 = 70, NID_sha1WithRSA = 115, diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 7713abcdc..b7b241a85 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
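Review bot: The evp.h renumbering (`NID_sha224 = 675`, `NID_md5 = 40`, `NID_md2WithRSAEncryption = 9`, `NID_md5WithRSAEncryption = 99`) changes values in a public header without the explanatory comment that the ec.h hunk of this same patch gives `NID_X9_62_prime239v3`. Code built against the old header, or anything that stored a NID as a number, will disagree with the rebuilt library, and the reason for each new value is only recoverable from the commit message. I would put the same kind of comment on each changed line, e.g. `NID_md5 = 40, /* previous value 4 conflicted with NID_surname */`, and say in the description that the numeric values changed.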
@@ -705,10 +705,11 @@ enum NID_policy_constraints = 150, NID_inhibit_any_policy = 168, /* 2.5.29.54 */ NID_tlsfeature = 1020, /* id-pe 24 */ - NID_commonName = 0x03, /* matches ASN_COMMON_NAME in asn.h */ NID_buildingName = 1494, + NID_commonName = 14, /* CN Changed to not conflict + * with PBE_SHA1_DES3 */ NID_surname = 0x04, /* SN */ NID_serialNumber = 0x05, /* serialNumber */ NID_countryName = 0x06, /* C */ From 348fec3d29ba22f02ee31cf1d889f42d753aaf5c Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 21 Oct 2021 13:47:55 +0200 Subject: [PATCH 3/4] `wc_ClearErrorNodes` is a local API that is not exported for linking --- tests/api.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/api.c b/tests/api.c index 992953fdb..21014b0df 100644 --- a/tests/api.c +++ b/tests/api.c @@ -33994,8 +33994,10 @@ static void test_wolfSSL_X509_STORE_load_locations(void) AssertIntEQ(X509_STORE_load_locations(store, client_pem_file, NULL), WOLFSSL_SUCCESS); AssertIntEQ(X509_STORE_load_locations(store, NULL, certs_path), WOLFSSL_SUCCESS); +#if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE) /* Clear nodes */ - wc_ClearErrorNodes(); + ERR_clear_error(); +#endif SSL_CTX_free(ctx); printf(resultFmt, passed); From 48b304be006c4c112894efaea0743b92440f2510 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 26 Oct 2021 11:47:27 +0200 Subject: [PATCH 4/4] Fix issues with `AIA_OCSP_OID` and `AIA_CA_ISSUER_OID` --- src/ssl.c | 91 ++++++++++++++++++++++++++++------------------------- tests/api.c | 2 +- 2 files changed, 50 insertions(+), 43 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 7b08bdc84..84cc0ea64 100644 --- a/src/ssl.c +++ b/src/ssl.c 
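Review bot: `NID_commonName` moves from 0x03 to 14 and the comment saying it matched ASN_COMMON_NAME is removed, while its neighbours (`NID_surname = 0x04`, `NID_serialNumber = 0x05`, `NID_countryName = 0x06`) keep their small values, so commonName is now the one name NID that presumably no longer equals its ASN name id. Any call site that passed an ASN_* name id where a NID is expected, or the reverse, worked for commonName only because the two were equal; this patch touches no such call sites, so they need an audit, since a subject-CN lookup that silently finds nothing changes what callers see when they read the name by NID. The new comment could state the rule as well, e.g. `/* CN: no longer equal to ASN_COMMON_NAME; convert explicitly */`.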
@@ -9282,7 +9282,7 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) const byte* rawCert; const byte* input; byte* oidBuf; - word32 oid, idx = 0, tmpIdx = 0; + word32 oid, idx = 0, tmpIdx = 0, nid; WOLFSSL_X509_EXTENSION* ext = NULL; WOLFSSL_ASN1_INTEGER* a; WOLFSSL_STACK* sk; @@ -9382,6 +9382,7 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) return NULL; } idx = tmpIdx; + nid = (word32)oid2nid(oid, oidCertExtType); /* Continue while loop until extCount == loc or idx > sz */ if (extCount != loc) { @@ -9391,15 +9392,15 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) } /* extCount == loc. Now get the extension. */ /* Check if extension has been set */ - isSet = wolfSSL_X509_ext_isSet_by_NID((WOLFSSL_X509*)x509, oid); - ext->obj = wolfSSL_OBJ_nid2obj(oid); + isSet = wolfSSL_X509_ext_isSet_by_NID((WOLFSSL_X509*)x509, nid); + ext->obj = wolfSSL_OBJ_nid2obj(nid); if (ext->obj == NULL) { WOLFSSL_MSG("\tfail: Invalid OBJECT"); wolfSSL_X509_EXTENSION_free(ext); FreeDecodedCert(&cert); return NULL; } - ext->obj->nid = oid; + ext->obj->nid = nid; switch (oid) { case BASIC_CA_OID: @@ -9455,7 +9456,7 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) obj->obj = (byte*)x509->authInfoCaIssuer; obj->objSz = x509->authInfoCaIssuerSz; obj->grp = oidCertAuthInfoType; - obj->nid = AIA_CA_ISSUER_OID; + obj->nid = NID_ad_ca_issuers; ret = wolfSSL_sk_ASN1_OBJECT_push(sk, obj); if (ret != WOLFSSL_SUCCESS) { @@ -9484,7 +9485,7 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) obj->obj = x509->authInfo; obj->objSz = x509->authInfoSz; obj->grp = oidCertAuthInfoType; - obj->nid = AIA_OCSP_OID; + obj->nid = NID_ad_OCSP; ret = wolfSSL_sk_ASN1_OBJECT_push(sk, obj); if (ret != WOLFSSL_SUCCESS) { 
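Review bot: `nid` is declared `word32` and filled with `(word32)oid2nid(oid, oidCertExtType)`, although oid2nid returns `int` and the value is then used as a NID in `wolfSSL_X509_ext_isSet_by_NID`, `wolfSSL_OBJ_nid2obj` and `ext->obj->nid`. What oid2nid returns for an OID outside its tables is not visible here; if that is a negative sentinel, the cast turns it into a large unsigned number. Declaring `int nid;` and dropping the cast keeps the value intact, and the same applies to `foundNID` in the wolfSSL_X509_get_ext_by_NID hunks that follow, where the test could then read `nid == foundNID`. Since the first patch of this series makes wolfSSL_OBJ_nid2obj set `obj->nid`, the explicit `ext->obj->nid = nid;` also looks redundant now. The function body extends beyond these hunks.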
@@ -10350,7 +10351,7 @@ int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos) int isSet = 0, found = 0, loc; const byte* rawCert; const byte* input; - word32 oid, idx = 0, tmpIdx = 0; + word32 oid, idx = 0, tmpIdx = 0, foundNID; DecodedCert cert; WOLFSSL_ENTER("wolfSSL_X509_get_ext_by_NID"); @@ -10435,12 +10436,13 @@ int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos) return WOLFSSL_FATAL_ERROR; } idx = tmpIdx; + foundNID = (word32)oid2nid(oid, oidCertExtType); if (extCount >= loc) { /* extCount >= loc. Now check if extension has been set */ - isSet = wolfSSL_X509_ext_isSet_by_NID((WOLFSSL_X509*)x509, oid); + isSet = wolfSSL_X509_ext_isSet_by_NID((WOLFSSL_X509*)x509, foundNID); - if (isSet && ((word32)nid == oid)) { + if (isSet && ((word32)nid == foundNID)) { found = 1; break; } 
@@ -23583,17 +23585,17 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) if (x509 != NULL) { switch (nid) { - case BASIC_CA_OID: isSet = x509->basicConstSet; break; - case ALT_NAMES_OID: isSet = x509->subjAltNameSet; break; - case AUTH_KEY_OID: isSet = x509->authKeyIdSet; break; - case SUBJ_KEY_OID: isSet = x509->subjKeyIdSet; break; - case KEY_USAGE_OID: isSet = x509->keyUsageSet; break; - case CRL_DIST_OID: isSet = x509->CRLdistSet; break; - case EXT_KEY_USAGE_OID: isSet = ((x509->extKeyUsageSrc) ? 1 : 0); + case NID_basic_constraints: isSet = x509->basicConstSet; break; + case NID_subject_alt_name: isSet = x509->subjAltNameSet; break; + case NID_authority_key_identifier: isSet = x509->authKeyIdSet; break; + case NID_subject_key_identifier: isSet = x509->subjKeyIdSet; break; + case NID_key_usage: isSet = x509->keyUsageSet; break; + case NID_crl_distribution_points: isSet = x509->CRLdistSet; break; + case NID_ext_key_usage: isSet = ((x509->extKeyUsageSrc) ? 1 : 0); break; - case AUTH_INFO_OID: isSet = x509->authInfoSet; break; + case NID_info_access: isSet = x509->authInfoSet; break; #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) - case CERT_POLICY_OID: isSet = x509->certPolicySet; break; + case NID_certificate_policies: isSet = x509->certPolicySet; break; #endif /* WOLFSSL_SEP || WOLFSSL_QT */ default: WOLFSSL_MSG("NID not in table"); 
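Review bot: This switch now accepts only `NID_*` values, so a caller still passing the OID constants that matched before (`BASIC_CA_OID`, `KEY_USAGE_OID`, and so on) falls into `default:` and gets the "extension not set" answer with nothing more than the `WOLFSSL_MSG("NID not in table")` debug line. The in-tree callers are converted in this patch, but the function's signature is outside the hunk, and if it is exported the change should be written into its doc comment, e.g. `/* nid is an OpenSSL-style NID_* value, not a wolfCrypt *_OID sum */`. The sibling switch in the next hunk, which reads the critical flags, gets the same change and has no `default:` at all, so an unmapped value there is silently reported with whatever `crit` held on entry; adding `default: WOLFSSL_MSG("NID not in table");` would make the two consistent.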
@@ -23614,14 +23616,15 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) if (x509 != NULL) { switch (nid) { - case BASIC_CA_OID: crit = x509->basicConstCrit; break; - case ALT_NAMES_OID: crit = x509->subjAltNameCrit; break; - case AUTH_KEY_OID: crit = x509->authKeyIdCrit; break; - case SUBJ_KEY_OID: crit = x509->subjKeyIdCrit; break; - case KEY_USAGE_OID: crit = x509->keyUsageCrit; break; - case CRL_DIST_OID: crit= x509->CRLdistCrit; break; + case NID_basic_constraints: crit = x509->basicConstCrit; break; + case NID_subject_alt_name: crit = x509->subjAltNameCrit; break; + case NID_authority_key_identifier: crit = x509->authKeyIdCrit; break; + case NID_subject_key_identifier: crit = x509->subjKeyIdCrit; break; + case NID_key_usage: crit = x509->keyUsageCrit; break; + case NID_crl_distribution_points: crit= x509->CRLdistCrit; break; + case NID_ext_key_usage: crit= x509->extKeyUsageCrit; break; #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) - case CERT_POLICY_OID: crit = x509->certPolicyCrit; break; + case NID_certificate_policies: crit = x509->certPolicyCrit; break; #endif /* WOLFSSL_SEP || WOLFSSL_QT */ } } @@ -31319,7 +31322,7 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { "X509v3 Basic Constraints"}, { NID_subject_alt_name, ALT_NAMES_OID, oidCertExtType, "subjectAltName", "X509v3 Subject Alternative Name"}, - { CRL_DIST_OID, CRL_DIST_OID, oidCertExtType, "crlDistributionPoints", + { NID_crl_distribution_points, CRL_DIST_OID, oidCertExtType, "crlDistributionPoints", "X509v3 CRL Distribution Points"}, { NID_info_access, AUTH_INFO_OID, oidCertExtType, "authorityInfoAccess", "Authority Information Access"}, 
@@ -31339,9 +31342,9 @@ const WOLFSSL_ObjectInfo wolfssl_object_info[] = { "certificatePolicies", "X509v3 Certificate Policies"}, /* oidCertAuthInfoType */ - { AIA_OCSP_OID, AIA_OCSP_OID, oidCertAuthInfoType, "OCSP", + { NID_ad_OCSP, AIA_OCSP_OID, oidCertAuthInfoType, "OCSP", "OCSP"}, - { AIA_CA_ISSUER_OID, AIA_CA_ISSUER_OID, oidCertAuthInfoType, + { NID_ad_ca_issuers, AIA_CA_ISSUER_OID, oidCertAuthInfoType, "caIssuers", "CA Issuers"}, /* oidCertPolicyType */ @@ -50694,19 +50697,19 @@ word32 nid2oid(int nid, int grp) /* oidCertExtType */ case oidCertExtType: switch (nid) { - case BASIC_CA_OID: + case NID_basic_constraints: return BASIC_CA_OID; - case ALT_NAMES_OID: + case NID_subject_alt_name: return ALT_NAMES_OID; - case CRL_DIST_OID: + case NID_crl_distribution_points: return CRL_DIST_OID; - case AUTH_INFO_OID: + case NID_info_access: return AUTH_INFO_OID; - case AUTH_KEY_OID: + case NID_authority_key_identifier: return AUTH_KEY_OID; - case SUBJ_KEY_OID: + case NID_subject_key_identifier: return SUBJ_KEY_OID; - case INHIBIT_ANY_OID: + case NID_inhibit_any_policy: return INHIBIT_ANY_OID; case NID_key_usage: return KEY_USAGE_OID; @@ -50714,6 +50717,8 @@ word32 nid2oid(int nid, int grp) return NAME_CONS_OID; case NID_certificate_policies: return CERT_POLICY_OID; + case NID_ext_key_usage: + return EXT_KEY_USAGE_OID; } break; 
@@ -51047,25 +51052,27 @@ int oid2nid(word32 oid, int grp) case oidCertExtType: switch (oid) { case BASIC_CA_OID: - return BASIC_CA_OID; + return NID_basic_constraints; case ALT_NAMES_OID: - return ALT_NAMES_OID; + return NID_subject_alt_name; case CRL_DIST_OID: - return CRL_DIST_OID; + return NID_crl_distribution_points; case AUTH_INFO_OID: - return AUTH_INFO_OID; + return NID_info_access; case AUTH_KEY_OID: - return AUTH_KEY_OID; + return NID_authority_key_identifier; case SUBJ_KEY_OID: - return SUBJ_KEY_OID; + return NID_subject_key_identifier; case INHIBIT_ANY_OID: - return INHIBIT_ANY_OID; + return NID_inhibit_any_policy; case KEY_USAGE_OID: return NID_key_usage; case NAME_CONS_OID: return NID_name_constraints; case CERT_POLICY_OID: return NID_certificate_policies; + case EXT_KEY_USAGE_OID: + return NID_ext_key_usage; } break; diff --git a/tests/api.c b/tests/api.c index 21014b0df..2c311a7a3 100644 --- a/tests/api.c +++ b/tests/api.c @@ -43652,7 +43652,7 @@ static void test_wolfSSL_X509V3_EXT_get(void) { AssertIntEQ((numOfExt = wolfSSL_X509_get_ext_count(x509)), 5); for (i = 0; i < numOfExt; i++) { AssertNotNull(ext = wolfSSL_X509_get_ext(x509, i)); - AssertNotNull(extNid = ext->obj->nid); + AssertIntNE((extNid = ext->obj->nid), NID_undef); AssertNotNull(method = wolfSSL_X509V3_EXT_get(ext)); AssertIntEQ(method->ext_nid, extNid); }