diff --git a/src/internal.c b/src/internal.c index c132429b7..dda684ed4 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3634,6 +3634,12 @@ void FreeX509(WOLFSSL_X509* x509) x509->authKeyId = NULL; XFREE(x509->subjKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->subjKeyId = NULL; + + if (x509->CRLInfo != NULL) { + XFREE(x509->CRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); + x509->CRLInfo= NULL; + } + if (x509->authInfo != NULL) { XFREE(x509->authInfo, x509->heap, DYNAMIC_TYPE_X509_EXT); x509->authInfo = NULL; @@ -10102,6 +10108,54 @@ static void CopyDecodedName(WOLFSSL_X509_NAME* name, DecodedCert* dCert, int nam } } + +#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ + !defined(IGNORE_NAME_CONSTRAINTS) +/* copies over additional alt names such as dirName + * returns 0 on success + */ +static int CopyAdditionalAltNames(DNS_entry** to, DNS_entry* from, int type, + void* heap) +{ + DNS_entry* cur = from; + + if (to == NULL) { + return BAD_FUNC_ARG; + } + + while (cur != NULL) { + if (cur->type == type) { + DNS_entry* dnsEntry; + int strLen = cur->len; + + dnsEntry = AltNameNew(heap); + if (dnsEntry == NULL) { + WOLFSSL_MSG("\tOut of Memory"); + return MEMORY_E; + } + + dnsEntry->type = type; + dnsEntry->name = (char*)XMALLOC(strLen + 1, heap, + DYNAMIC_TYPE_ALTNAME); + if (dnsEntry->name == NULL) { + WOLFSSL_MSG("\tOut of Memory"); + XFREE(dnsEntry, heap, DYNAMIC_TYPE_ALTNAME); + return MEMORY_E; + } + dnsEntry->len = strLen; + XMEMCPY(dnsEntry->name, cur->name, strLen); + dnsEntry->name[strLen] = '\0'; + + dnsEntry->next = *to; + *to = dnsEntry; + } + cur = cur->next; + } + return 0; +} +#endif /* OPENSSL_EXTRA */ + + /* Copy parts X509 needs from Decoded cert, 0 on success */ /* The same DecodedCert cannot be copied to WOLFSSL_X509 twice otherwise the * altNames pointers could be free'd by second x509 still active by first */ @@ -10304,39 +10358,17 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ !defined(IGNORE_NAME_CONSTRAINTS) - /* add copies of alternate emails from dCert to X509 */ - if (dCert->altEmailNames != NULL) { - DNS_entry* cur = dCert->altEmailNames; - - while (cur != NULL) { - if (cur->type == ASN_RFC822_TYPE) { - DNS_entry* dnsEntry; - int strLen = cur->len; - - dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), x509->heap, - DYNAMIC_TYPE_ALTNAME); - if (dnsEntry == NULL) { - WOLFSSL_MSG("\tOut of Memory"); - return MEMORY_E; - } - - dnsEntry->type = ASN_RFC822_TYPE; - dnsEntry->name = (char*)XMALLOC(strLen + 1, x509->heap, - DYNAMIC_TYPE_ALTNAME); - if (dnsEntry->name == NULL) { - WOLFSSL_MSG("\tOut of Memory"); - XFREE(dnsEntry, x509->heap, DYNAMIC_TYPE_ALTNAME); - return MEMORY_E; - } - dnsEntry->len = strLen; - XMEMCPY(dnsEntry->name, cur->name, strLen); - dnsEntry->name[strLen] = '\0'; - - dnsEntry->next = x509->altNames; - x509->altNames = dnsEntry; - } - cur = cur->next; - } + /* add copies of email names from dCert to X509 */ + if (CopyAdditionalAltNames(&x509->altNames, dCert->altEmailNames, + ASN_RFC822_TYPE, x509->heap) != 0) { + return MEMORY_E; + } +#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ +#if defined(OPENSSL_EXTRA) && !defined(IGNORE_NAME_CONSTRAINTS) + /* add copies of alternate directory names from dCert to X509 */ + if (CopyAdditionalAltNames(&x509->altNames, dCert->altDirNames, + ASN_DIR_TYPE, x509->heap) != 0) { + return MEMORY_E; } #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ @@ -10630,6 +10662,7 @@ static void DoCertFatalAlert(WOLFSSL* ssl, int ret) if (ssl == NULL || ret == 0) { return; } + WOLFSSL_ERROR(ret); /* Determine alert reason */ alertWhy = bad_certificate; @@ -19953,6 +19986,12 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case HTTP_APPSTR_ERR: return "HTTP Application string error"; #endif + case UNSUPPORTED_PROTO_VERSION: + #ifdef OPENSSL_ALL + return "WRONG_SSL_VERSION"; + #else + return "bad/unsupported protocol version"; + #endif default : return "unknown error number"; @@ -31712,7 +31751,6 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], WOLFSSL_LEAVE("DoClientKeyExchange", ret); WOLFSSL_END(WC_FUNC_CLIENT_KEY_EXCHANGE_DO); - #ifdef WOLFSSL_ASYNC_CRYPT /* Handle async operation */ if (ret == WC_PENDING_E) { @@ -31722,6 +31760,13 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], return ret; } #endif /* WOLFSSL_ASYNC_CRYPT */ + #ifdef OPENSSL_ALL + /* add error ret value to error queue */ + if (ret != 0) { + WOLFSSL_ERROR(ret); + } + #endif + /* Cleanup PMS */ if (ssl->arrays->preMasterSecret != NULL) { diff --git a/src/ssl.c b/src/ssl.c index 65aa7d0a5..2b046e7ab 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10346,7 +10346,7 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, case ALT_NAMES_OID: { DNS_entry* dns = NULL; - + if (x509->subjAltNameSet && x509->altNames != NULL) { /* Malloc GENERAL_NAME stack */ sk = (WOLFSSL_GENERAL_NAMES*)XMALLOC( @@ -10357,7 +10357,7 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, } XMEMSET(sk, 0, sizeof(WOLFSSL_GENERAL_NAMES)); sk->type = STACK_TYPE_GEN_NAME; - + /* alt names are DNS_entry structs */ if (c != NULL) { if (x509->altNames->next != NULL) { @@ -10378,10 +10378,36 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c, } gn->type = dns->type; - if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, - dns->len) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set failed"); - goto err; + switch (gn->type) { + case ASN_DIR_TYPE: + { + int localIdx = 0; + unsigned char* n = (unsigned char*)XMALLOC( + dns->len + MAX_SEQ_SZ, x509->heap, + DYNAMIC_TYPE_TMP_BUFFER); + if (n == NULL) { + goto err; + } + + localIdx += SetSequence(dns->len, n); + XMEMCPY(n + localIdx, dns->name, dns->len); + gn->d.dirn = wolfSSL_d2i_X509_NAME(NULL, &n, + dns->len + localIdx); + XFREE(n, x509->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (gn->d.dirn == NULL) { + WOLFSSL_MSG("Convert altDirName to X509 " + "NAME failed"); + goto err; + } + } + break; + + default: + if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, + dns->len) != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("ASN1_STRING_set failed"); + goto err; + } } dns = dns->next; @@ -10746,8 +10772,7 @@ int wolfSSL_X509_add_altname_ex(WOLFSSL_X509* x509, const char* name, if ((name == NULL) || (nameSz == 0)) return WOLFSSL_SUCCESS; - newAltName = (DNS_entry*)XMALLOC(sizeof(DNS_entry), - x509->heap, DYNAMIC_TYPE_ALTNAME); + newAltName = AltNameNew(x509->heap); if (newAltName == NULL) return WOLFSSL_FAILURE; @@ -11641,7 +11666,17 @@ void wolfSSL_set_verify_result(WOLFSSL *ssl, long v) int wolfSSL_verify_client_post_handshake(WOLFSSL* ssl) { int ret = wolfSSL_request_certificate(ssl); - return (ret == 0) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; + if (ret != WOLFSSL_SUCCESS) { + if (!IsAtLeastTLSv1_3(ssl->version)) { + /* specific error of wrong version expected */ + WOLFSSL_ERROR(UNSUPPORTED_PROTO_VERSION); + + } + else { + WOLFSSL_ERROR(ret); /* log the error in the error queue */ + } + } + return (ret == WOLFSSL_SUCCESS) ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; } int wolfSSL_CTX_set_post_handshake_auth(WOLFSSL_CTX* ctx, int val) @@ -21139,6 +21174,10 @@ static void wolfSSL_GENERAL_NAME_type_free(WOLFSSL_GENERAL_NAME* name) wolfSSL_ASN1_STRING_free(name->d.dNSName); name->d.dNSName = NULL; } + if (name->d.dirn != NULL) { + wolfSSL_X509_NAME_free(name->d.dirn); + name->d.dirn = NULL; + } if (name->d.uniformResourceIdentifier != NULL) { wolfSSL_ASN1_STRING_free(name->d.uniformResourceIdentifier); name->d.uniformResourceIdentifier = NULL; @@ -27280,7 +27319,7 @@ int wolfSSL_ERR_GET_REASON(unsigned long err) if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE)) return PEM_R_NO_START_LINE; #endif -#if defined(OPENSLL_ALL) && defined(WOLFSSL_PYTHON) +#if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON) if (err == ((ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG)) return ASN1_R_HEADER_TOO_LONG; #endif @@ -44703,11 +44742,12 @@ unsigned long wolfSSL_ERR_peek_last_error_line(const char **file, int *line) WOLFSSL_MSG("Issue peeking at error node in queue"); return 0; } + printf("ret from peek error node = %d\n", ret); #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) if (ret == -ASN_NO_PEM_HEADER) return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; #endif - #if defined(OPENSLL_ALL) && defined(WOLFSSL_PYTHON) + #if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON) if (ret == ASN1_R_HEADER_TOO_LONG) { return (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG; } @@ -48394,6 +48434,11 @@ unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line, if (ret == -ASN_NO_PEM_HEADER) return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE; + #if defined(OPENSSL_ALL) && defined(WOLFSSL_PYTHON) + if (ret == ASN1_R_HEADER_TOO_LONG) { + return (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG; + } + #endif if (ret != -WANT_READ && ret != -WANT_WRITE && ret != -ZERO_RETURN && ret != -WOLFSSL_ERROR_ZERO_RETURN && ret != -SOCKET_PEER_CLOSED_E && ret != -SOCKET_ERROR_E) @@ -58620,10 +58665,14 @@ void wolfSSL_RAND_Cleanup(void) /* returns WOLFSSL_SUCCESS if the bytes generated are valid otherwise WOLFSSL_FAILURE */ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num) { + int ret; + int hash; + byte secret[DRBG_SEED_LEN]; /* secret length arbitraily choosen */ + #ifndef WOLFSSL_NO_OPENSSL_RAND_CB if (wolfSSL_RAND_InitMutex() == 0 && wc_LockMutex(&gRandMethodMutex) == 0) { if (gRandMethods && gRandMethods->pseudorand) { - int ret = gRandMethods->pseudorand(buf, num); + ret = gRandMethods->pseudorand(buf, num); wc_UnLockMutex(&gRandMethodMutex); return ret; } @@ -58631,8 +58680,34 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num) } #endif - /* fallback to using the global shared RNG */ - return wolfSSL_RAND_bytes(buf, num); +#ifdef WOLFSSL_HAVE_PRF + #ifndef NO_SHA256 + hash = WC_SHA256; + #elif defined(WOLFSSL_SHA384) + hash = WC_SHA384; + #elif !defined(NO_SHA) + hash = WC_SHA; + #elif !defined(NO_MD5) + hash = WC_MD5; + #endif + + /* get secret value from source of entropy */ + ret = wolfSSL_RAND_bytes(secret, DRBG_SEED_LEN); + + /* uses input buffer to seed for pseudo random number generation, each + * thread will potentially have different results this way */ + if (ret == WOLFSSL_SUCCESS) { + ret = wc_PRF(buf, num, secret, DRBG_SEED_LEN, (const byte*)buf, num, + hash, NULL, INVALID_DEVID); + ret = (ret == 0) ? WOLFSSL_SUCCESS: WOLFSSL_FAILURE; + } +#else + /* fall back to just doing wolfSSL_RAND_bytes if PRF not avialbale */ + ret = wolfSSL_RAND_bytes(buf, num); + (void)hash; + (void)secret; +#endif + return ret; } /* returns WOLFSSL_SUCCESS if the bytes generated are valid otherwise WOLFSSL_FAILURE */ diff --git a/tests/api.c b/tests/api.c index 5fb67d635..5677972d3 100644 --- a/tests/api.c +++ b/tests/api.c @@ -4026,6 +4026,7 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) msg_len = wolfSSL_get_finished(ssl, server_side_msg1, MD_MAX_SIZE); AssertIntGE(msg_len, 0); #endif + idx = wolfSSL_read(ssl, input, sizeof(input)-1); if (idx > 0) { input[idx] = '\0'; @@ -4041,6 +4042,9 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) #endif } + if (cbf != NULL && cbf->on_result != NULL) + cbf->on_result(ssl); + #ifdef WOLFSSL_TIRTOS Task_yield(); #endif @@ -32413,6 +32417,106 @@ static void test_wolfSSL_Tls13_Key_Logging_test(void) #endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK && WOLFSSL_TLS13 */ } +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) +static void post_auth_version_cb(WOLFSSL* ssl) +{ + /* do handshake and then test version error */ + AssertIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); + AssertStrEQ("TLSv1.2", wolfSSL_get_version(ssl)); + AssertIntEQ(wolfSSL_verify_client_post_handshake(ssl), WOLFSSL_FAILURE); +#ifdef OPENSSL_ALL + /* check was added to error queue */ + AssertIntEQ(wolfSSL_ERR_get_error(), -UNSUPPORTED_PROTO_VERSION); + + /* check the string matches expected string */ + AssertStrEQ(wolfSSL_ERR_error_string(-UNSUPPORTED_PROTO_VERSION, NULL), + "WRONG_SSL_VERSION"); +#endif +} + +static void post_auth_cb(WOLFSSL* ssl) +{ + /* do handshake and then test version error */ + AssertIntEQ(wolfSSL_accept(ssl), WOLFSSL_SUCCESS); + AssertStrEQ("TLSv1.3", wolfSSL_get_version(ssl)); + AssertNull(wolfSSL_get_peer_certificate(ssl)); + AssertIntEQ(wolfSSL_verify_client_post_handshake(ssl), WOLFSSL_SUCCESS); +} + +static void set_post_auth_cb(WOLFSSL* ssl) +{ + if (!wolfSSL_is_server(ssl)) { + AssertIntEQ(wolfSSL_allow_post_handshake_auth(ssl), 0); + } + else { + wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_POST_HANDSHAKE, NULL); + } +} +#endif + +static void test_wolfSSL_Tls13_postauth(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && \ + defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) + tcp_ready ready; + func_args client_args; + func_args server_args; + callback_functions server_cbf; + callback_functions client_cbf; + THREAD_TYPE serverThread; + + printf(testingFmt, "wolfSSL_Tls13_postauth()"); + XMEMSET(&client_args, 0, sizeof(func_args)); + XMEMSET(&server_args, 0, sizeof(func_args)); + + StartTCP(); + InitTcpReady(&ready); + +#if defined(USE_WINDOWS_API) + /* use RNG to get random port if using windows */ + ready.port = GetRandomPort(); +#endif + + server_args.signal = &ready; + client_args.signal = &ready; + + /* test version failure doing post auth with TLS 1.2 connection */ + XMEMSET(&server_cbf, 0, sizeof(callback_functions)); + XMEMSET(&client_cbf, 0, sizeof(callback_functions)); + server_cbf.method = wolfTLSv1_2_server_method; + server_cbf.ssl_ready = set_post_auth_cb; + client_cbf.ssl_ready = set_post_auth_cb; + server_cbf.on_result = post_auth_version_cb; + server_args.callbacks = &server_cbf; + client_args.callbacks = &client_cbf; + + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); + test_client_nofail(&client_args, NULL); + join_thread(serverThread); + + /* tests on post auth with TLS 1.3 */ + XMEMSET(&server_cbf, 0, sizeof(callback_functions)); + XMEMSET(&client_cbf, 0, sizeof(callback_functions)); + server_cbf.method = wolfTLSv1_3_server_method; + server_cbf.ssl_ready = set_post_auth_cb; + client_cbf.ssl_ready = set_post_auth_cb; + server_cbf.on_result = post_auth_cb; + server_args.callbacks = &server_cbf; + client_args.callbacks = &client_cbf; + + start_thread(test_server_nofail, &server_args, &serverThread); + wait_tcp_ready(&server_args); + test_client_nofail(&client_args, NULL); + join_thread(serverThread); + + FreeTcpReady(&ready); + printf(resultFmt, passed); +#endif +} + + static void test_wolfSSL_X509_NID(void) { #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ @@ -35551,6 +35655,17 @@ static void test_wolfSSL_ERR_put_error(void) ERR_put_error(0,SYS_F_SOCKET, 15, "this file", 15); AssertIntEQ(ERR_get_error_line(&file, &line), 15); +#ifdef WOLFSSL_PYTHON + ERR_put_error(ERR_LIB_ASN1, SYS_F_ACCEPT, ASN1_R_HEADER_TOO_LONG, + "this file", 100); + AssertIntEQ(wolfSSL_ERR_peek_last_error_line(&file, &line), + (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG); + AssertIntEQ(line, 100); + AssertIntEQ(wolfSSL_ERR_peek_error(), + (ERR_LIB_ASN1 << 24) | ASN1_R_HEADER_TOO_LONG); + AssertIntEQ(ERR_get_error_line(&file, &line), ASN1_R_HEADER_TOO_LONG); +#endif + /* try reading past end of error queue */ file = NULL; AssertIntEQ(ERR_get_error_line(&file, &line), 0); @@ -49441,6 +49556,7 @@ void ApiTest(void) test_wolfSSL_CTX_get_keylog_callback(); test_wolfSSL_Tls12_Key_Logging_test(); test_wolfSSL_Tls13_Key_Logging_test(); + test_wolfSSL_Tls13_postauth(); test_wolfSSL_CTX_set_ecdh_auto(); test_wolfSSL_THREADID_hash(); test_wolfSSL_RAND_set_rand_method(); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e33e17d2c..18921521c 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -9372,6 +9372,19 @@ void FreeAltNames(DNS_entry* altNames, void* heap) } } +/* malloc and initialize a new alt name structure */ +DNS_entry* AltNameNew(void* heap) +{ + DNS_entry* ret; + ret = (DNS_entry*)XMALLOC(sizeof(DNS_entry), heap, DYNAMIC_TYPE_ALTNAME); + if (ret != NULL) { + XMEMSET(ret, 0, sizeof(DNS_entry)); + } + (void)heap; + return ret; +} + + #ifndef IGNORE_NAME_CONSTRAINTS /* Free the subtree names object. @@ -10382,8 +10395,7 @@ static int SetDNSEntry(DecodedCert* cert, const char* str, int strLen, /* TODO: consider one malloc. */ /* Allocate DNS Entry object. */ - dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, - DYNAMIC_TYPE_ALTNAME); + dnsEntry = AltNameNew(cert->heap); if (dnsEntry == NULL) { ret = MEMORY_E; } @@ -10992,8 +11004,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, { DNS_entry* emailName; - emailName = (DNS_entry*)XMALLOC(sizeof(DNS_entry), - cert->heap, DYNAMIC_TYPE_ALTNAME); + emailName = AltNameNew(cert->heap); if (emailName == NULL) { WOLFSSL_MSG("\tOut of Memory"); #if (defined(OPENSSL_EXTRA) || \ @@ -13873,8 +13884,7 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert) } length -= (idx - lenStartIdx); - dnsEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, - DYNAMIC_TYPE_ALTNAME); + dnsEntry = AltNameNew(cert->heap); if (dnsEntry == NULL) { WOLFSSL_MSG("\tOut of Memory"); return MEMORY_E; @@ -13914,8 +13924,7 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert) } length -= (idx - lenStartIdx); - dirEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, - DYNAMIC_TYPE_ALTNAME); + dirEntry = AltNameNew(cert->heap); if (dirEntry == NULL) { WOLFSSL_MSG("\tOut of Memory"); return MEMORY_E; @@ -13950,8 +13959,7 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert) } length -= (idx - lenStartIdx); - emailEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, - DYNAMIC_TYPE_ALTNAME); + emailEntry = AltNameNew(cert->heap); if (emailEntry == NULL) { WOLFSSL_MSG("\tOut of Memory"); return MEMORY_E; @@ -14020,8 +14028,7 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert) } #endif - uriEntry = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, - DYNAMIC_TYPE_ALTNAME); + uriEntry = AltNameNew(cert->heap); if (uriEntry == NULL) { WOLFSSL_MSG("\tOut of Memory"); return MEMORY_E; @@ -14061,8 +14068,7 @@ static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert) return BUFFER_E; } - ipAddr = (DNS_entry*)XMALLOC(sizeof(DNS_entry), cert->heap, - DYNAMIC_TYPE_ALTNAME); + ipAddr = AltNameNew(cert->heap); if (ipAddr == NULL) { WOLFSSL_MSG("\tOut of Memory"); return MEMORY_E; diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 84f1dcfd4..73c8aab23 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -174,6 +174,7 @@ enum wolfSSL_ErrorCodes { HTTP_STATUS_ERR = -447, /* HTTP Status error */ HTTP_VERSION_ERR = -448, /* HTTP Version error */ HTTP_APPSTR_ERR = -449, /* HTTP Application string error */ + UNSUPPORTED_PROTO_VERSION = -450, /* bad/unsupported protocol version*/ /* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 168fd775c..7713abcdc 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1662,6 +1662,7 @@ WOLFSSL_ASN_API int wc_BerToDer(const byte* ber, word32 berSz, byte* der, word32* derSz); WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*); +WOLFSSL_ASN_API DNS_entry* AltNameNew(void*); #ifndef IGNORE_NAME_CONSTRAINTS WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*); #endif /* IGNORE_NAME_CONSTRAINTS */