From 88bf5d967620f072365077fc47ea93fc78ce81e7 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Thu, 9 May 2019 10:08:11 -0600
Subject: [PATCH] add sanity check on buffer index and regression tests macro guards on use case and adjustment for memory size gcc-8 warning fix adjustement to default memory bucket sizes
---
 configure.ac | 3 +
 src/ssl.c | 231 ++++++++++++++++++++++---------------
 tests/api.c | 148 ++++++++++++++++++++++++
 wolfcrypt/src/asn.c | 29 +++++
 wolfssl/ssl.h | 2 +
 wolfssl/wolfcrypt/asn.h | 17 ++-
 wolfssl/wolfcrypt/memory.h | 3 +
 7 files changed, 339 insertions(+), 94 deletions(-)
diff --git a/configure.ac b/configure.ac
index 2fb2eb9d8..4d007d83c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -195,6 +195,9 @@ then
 # Enable DH const table speedups (eliminates `-lm` math lib dependency)
 AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072 -DFP_MAX_BITS=8192"
+
+ # Enable multiple attribute additions such as DC
+ AM_CFLAGS="-DWOLFSSL_MULTI_ATTRIB $AM_CFLAGS"
 fi
 AM_CONDITIONAL([BUILD_ALL], [test "x$ENABLED_ALL" = "xyes"])
diff --git a/src/ssl.c b/src/ssl.c
index 55867bc53..7c7be7e9c 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -16956,43 +16956,30 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509) int wolfSSL_X509_NAME_get_index_by_NID(WOLFSSL_X509_NAME* name, int nid, int pos) { - int ret = -1; + int value = nid, i; WOLFSSL_ENTER("wolfSSL_X509_NAME_get_index_by_NID"); - if (name == NULL) { + if (name == NULL || pos >= DN_NAMES_MAX + DOMAIN_COMPONENT_MAX) { return BAD_FUNC_ARG; } - /* these index values are already stored in DecodedName - use those when available */ - if (name->fullName.fullName && name->fullName.fullNameLen > 0) { - name->fullName.dcMode = 0; - switch (nid) { - case ASN_COMMON_NAME: - if (pos != name->fullName.cnIdx) - ret = name->fullName.cnIdx; - break; - case ASN_DOMAIN_COMPONENT: - name->fullName.dcMode = 1; - if (pos < name->fullName.dcNum - 1){ - ret = pos + 1; - } else { - ret = -1; - } - break; - default: - WOLFSSL_MSG("NID not yet implemented"); - break; - } + if (value == NID_emailAddress) { + value = ASN_EMAIL_NAME; } - WOLFSSL_LEAVE("wolfSSL_X509_NAME_get_index_by_NID", ret); + i = pos + 1; /* start search after index passed in */ + if (i < 0) { + i = 0; + } - (void)pos; - (void)nid; - - return ret; + for (;i < name->fullName.locSz && + i < DN_NAMES_MAX + DOMAIN_COMPONENT_MAX; i++) { + if (name->fullName.loc[i] == value) { + return i; + } + } + return WOLFSSL_FATAL_ERROR; } @@ -17033,7 +17020,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509) WOLFSSL_ENTER("wolfSSL_ASN1_STRING_free"); if (asn1 != NULL) { - if (asn1->length > 0 && asn1->data != NULL) { + if (asn1->length > 0 && asn1->data != NULL && asn1->isDynamic) { XFREE(asn1->data, NULL, DYNAMIC_TYPE_OPENSSL); } XFREE(asn1, NULL, DYNAMIC_TYPE_OPENSSL); 
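Review bot: An out-of-range `pos` is reported as `BAD_FUNC_ARG` by the guard `pos >= DN_NAMES_MAX + DOMAIN_COMPONENT_MAX`, while a `pos` that is merely past the last parsed entry falls through the loop and returns `WOLFSSL_FATAL_ERROR`; OpenSSL's X509_NAME_get_index_by_NID reports both as -1, and a caller that compares against -1 rather than `< 0` misreads the first case. Keeping the two in step is one line: `if (name == NULL) return BAD_FUNC_ARG;` followed by `if (pos >= DN_NAMES_MAX + DOMAIN_COMPONENT_MAX) return WOLFSSL_FATAL_ERROR;`. The comparison `name->fullName.loc[i] == value` also assumes every wolfSSL NID other than NID_emailAddress has the same numeric value as the ASN_* tag that GetName stores in `loc[]`; that holds only while the two enums are kept aligned, so it deserves a comment such as `/* loc[] holds ASN_* tags; NID_* values coincide with them except for email */`.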
@@ -17088,14 +17075,21 @@ WOLFSSL_EVP_PKEY* wolfSSL_X509_get_pubkey(WOLFSSL_X509* x509) } /* free any existing data before copying */ - if (asn1->data != NULL) { + if (asn1->data != NULL && asn1->isDynamic) { XFREE(asn1->data, NULL, DYNAMIC_TYPE_OPENSSL); } - /* create new data buffer and copy over */ - asn1->data = (char*)XMALLOC(sz, NULL, DYNAMIC_TYPE_OPENSSL); - if (asn1->data == NULL) { - return WOLFSSL_FAILURE; + if (sz > CTC_NAME_SIZE) { + /* create new data buffer and copy over */ + asn1->data = (char*)XMALLOC(sz, NULL, DYNAMIC_TYPE_OPENSSL); + if (asn1->data == NULL) { + return WOLFSSL_FAILURE; + } + asn1->isDynamic = 1; + } + else { + XMEMSET(asn1->strData, 0, CTC_NAME_SIZE); + asn1->data = asn1->strData; } XMEMCPY(asn1->data, data, sz); asn1->length = sz; @@ -30379,6 +30373,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) if (out == NULL || name == NULL) { return BAD_FUNC_ARG; } + XMEMSET(&cName, 0, sizeof(CertName)); if (CopyX509NameToCertName(name, &cName) != SSL_SUCCESS) { WOLFSSL_MSG("Error converting x509 name to internal CertName"); @@ -31316,6 +31311,30 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) } if (fullName) { + int nid = entry->nid; + + if (nid == NID_emailAddress) { + nid = (int)ASN_EMAIL_NAME; + } + + if (idx >= DN_NAMES_MAX + DOMAIN_COMPONENT_MAX) { + return WOLFSSL_FAILURE; + } + + if (idx >= 0) { + name->fullName.loc[idx] = nid; + if (idx == name->fullName.locSz) { + name->fullName.locSz += 1; + } + } + + /* place at end */ + if (idx < 0 && name->fullName.locSz + 1 + < DN_NAMES_MAX + DOMAIN_COMPONENT_MAX) { + name->fullName.loc[name->fullName.locSz] = nid; + name->fullName.locSz += 1; + } + if (RebuildFullNameAdd(&name->fullName, entry->value->data) != 0) return WOLFSSL_FAILURE; } 
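Review bot: The inline branch (`asn1->data = asn1->strData`) never clears `asn1->isDynamic`, so a string first set with `sz > CTC_NAME_SIZE` and then re-set with a short value keeps `isDynamic == 1` while `data` points into the struct itself; the next wolfSSL_ASN1_STRING_set or wolfSSL_ASN1_STRING_free then hands `strData` to XFREE. Add `asn1->isDynamic = 0;` beside `asn1->data = asn1->strData;`. The boundary is also off by one for anyone reading the value as a C string: with `sz == CTC_NAME_SIZE` the XMEMCPY fills all of `strData` and leaves no terminator, although the XMEMSET before it is evidently meant to provide one, so the heap path should be taken for `sz >= CTC_NAME_SIZE`. wolfSSL_ASN1_STRING_set begins before this hunk, so whatever derives `sz` from `data` for a negative length is not visible here.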
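Review bot: `loc[]` and the rebuilt full name can drift apart in the new bookkeeping for X509_NAME_add_entry: when `idx < 0` and `locSz + 1` is not below the array size the entry is silently not recorded in `loc[]`, and when `idx` is larger than `locSz` the slot is written but `locSz` is not advanced, yet in both cases RebuildFullNameAdd still appends the value. Both should fail before the rebuild, e.g. `if (idx > name->fullName.locSz) return WOLFSSL_FAILURE;` and, for the append case, returning WOLFSSL_FAILURE instead of skipping when the array is full (`locSz < DN_NAMES_MAX + DOMAIN_COMPONENT_MAX` is the exact capacity test; the `+ 1` leaves the last slot unusable). Recording ASN_DOMAIN_COMPONENT here also does not touch `dcNum`/`dcIdx`, which wolfSSL_nameByLoc later uses to locate a DC, so unless RebuildFullNameAdd (not shown) refreshes them, a DC added through this path is not retrievable by position. The enclosing function starts outside the hunk.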
@@ -32452,66 +32471,113 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) return NULL; } - static WOLFSSL_X509_NAME *get_nameByLoc( WOLFSSL_X509_NAME *name, int loc) + + /* looks up the DN given the location "loc". "loc" is the number indicating + * the order that the DN was parsed as, 0 is first DN parsed. + * + * returns the setup WOLFSSL_X509_NAME pointer on success and NULL on fail + */ + static WOLFSSL_X509_NAME *wolfSSL_nameByLoc( WOLFSSL_X509_NAME *name, int loc) { - switch (loc) + char* pt = NULL; + int sz = 0; + + switch (name->fullName.loc[loc]) { - case 0: - name->cnEntry.value->length = name->fullName.cnLen; - name->cnEntry.value->data = &name->fullName.fullName[name->fullName.cnIdx]; + case ASN_COMMON_NAME: + sz = name->fullName.cnLen; + pt = &name->fullName.fullName[name->fullName.cnIdx], name->cnEntry.nid = name->fullName.cnNid; break; - case 1: - name->cnEntry.value->length = name->fullName.cLen; - name->cnEntry.value->data = &name->fullName.fullName[name->fullName.cIdx]; + case ASN_COUNTRY_NAME: + sz = name->fullName.cLen; + pt = &name->fullName.fullName[name->fullName.cIdx], name->cnEntry.nid = name->fullName.cNid; break; - case 2: - name->cnEntry.value->length = name->fullName.lLen; - name->cnEntry.value->data = &name->fullName.fullName[name->fullName.lIdx]; + case ASN_LOCALITY_NAME: + sz = name->fullName.lLen; + pt = &name->fullName.fullName[name->fullName.lIdx]; name->cnEntry.nid = name->fullName.lNid; break; - case 3: - name->cnEntry.value->length = name->fullName.stLen; - name->cnEntry.value->data = &name->fullName.fullName[name->fullName.stIdx]; + case ASN_STATE_NAME: + sz = name->fullName.stLen; + pt = &name->fullName.fullName[name->fullName.stIdx]; name->cnEntry.nid = name->fullName.stNid; break; - case 4: - name->cnEntry.value->length = name->fullName.oLen; - name->cnEntry.value->data = &name->fullName.fullName[name->fullName.oIdx]; + case ASN_ORG_NAME: + sz = name->fullName.oLen; + pt = &name->fullName.fullName[name->fullName.oIdx]; 
name->cnEntry.nid = name->fullName.oNid; break; - case 5: - name->cnEntry.value->length = name->fullName.ouLen; - name->cnEntry.value->data = &name->fullName.fullName[name->fullName.ouIdx]; + case ASN_ORGUNIT_NAME: + sz = name->fullName.ouLen; + pt = &name->fullName.fullName[name->fullName.ouIdx]; name->cnEntry.nid = name->fullName.ouNid; break; - case 6: - name->cnEntry.value->length = name->fullName.emailLen; - name->cnEntry.value->data = &name->fullName.fullName[name->fullName.emailIdx]; + case ASN_EMAIL_NAME: + sz = name->fullName.emailLen; + pt = &name->fullName.fullName[name->fullName.emailIdx]; name->cnEntry.nid = name->fullName.emailNid; break; - case 7: - name->cnEntry.value->length = name->fullName.snLen; - name->cnEntry.value->data = &name->fullName.fullName[name->fullName.snIdx]; + case ASN_SUR_NAME: + sz = name->fullName.snLen; + pt = &name->fullName.fullName[name->fullName.snIdx]; name->cnEntry.nid = name->fullName.snNid; break; - case 8: - name->cnEntry.value->length = name->fullName.uidLen; - name->cnEntry.value->data = &name->fullName.fullName[name->fullName.uidIdx]; + case ASN_USER_ID: + sz = name->fullName.uidLen; + pt = &name->fullName.fullName[name->fullName.uidIdx]; name->cnEntry.nid = name->fullName.uidNid; break; - case 9: - name->cnEntry.value->length = name->fullName.serialLen; - name->cnEntry.value->data = &name->fullName.fullName[name->fullName.serialIdx]; + case ASN_SERIAL_NUMBER: + sz = name->fullName.serialLen; + pt = &name->fullName.fullName[name->fullName.serialIdx]; name->cnEntry.nid = name->fullName.serialNid; break; +#ifdef WOLFSSL_CERT_EXT + case ASN_BUS_CAT: + sz = name->fullName.bcLen; + pt = &name->fullName.fullName[name->fullName.bcIdx]; + break; +#endif + + case ASN_DOMAIN_COMPONENT: + /* get index of DC i.e. first or second or ... 
case */ + { + int idx = 0, i; + for (i = 0; i < loc; i++) { + if (name->fullName.loc[i] == ASN_DOMAIN_COMPONENT) { + idx++; + } + } + + /* check that index is not larger than max buffer size or larger + * than the number of domain components parsed */ + if (idx >= DOMAIN_COMPONENT_MAX || idx > name->fullName.dcNum) { + WOLFSSL_MSG("Index was larger then domain buffer"); + return NULL; + } + pt = &name->fullName.fullName[name->fullName.dcIdx[idx]], + sz = name->fullName.dcLen[idx]; + name->cnEntry.nid = ASN_DOMAIN_COMPONENT; + name->cnEntry.data.type = CTC_UTF8; + } + break; + default: return NULL; } - if (name->cnEntry.value->length == 0) + + /* -1 to leave room for trailing terminator 0 */ + if (sz == 0 || sz >= CTC_NAME_SIZE - 1) return NULL; + if (wolfSSL_ASN1_STRING_set(name->cnEntry.value, pt, sz) != + WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Error setting local ASN1 string data"); + return NULL; + } name->cnEntry.value->type = CTC_UTF8; + name->cnEntry.set = 1; return name; } 
@@ -32525,33 +32591,14 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) return NULL; } - if (loc < 0 || loc > 9 + name->fullName.dcNum) { + if (loc < 0) { WOLFSSL_MSG("Bad argument"); return NULL; } - if (loc >= 0 && loc <= 9){ - if (get_nameByLoc(name, loc) != NULL) + if (loc <= DN_NAMES_MAX + name->fullName.dcNum) { + if (wolfSSL_nameByLoc(name, loc) != NULL) return &name->cnEntry; - } - - /* DC component */ - if (name->fullName.dcMode){ - if (name->fullName.fullName != NULL){ - if (loc == name->fullName.dcNum){ - name->cnEntry.data.data = &name->fullName.fullName[name->fullName.cIdx]; - name->cnEntry.data.length = name->fullName.cLen; - name->cnEntry.nid = ASN_COUNTRY_NAME; - } else { - name->cnEntry.data.data = &name->fullName.fullName[name->fullName.dcIdx[loc]]; - name->cnEntry.data.length = name->fullName.dcLen[loc]; - name->cnEntry.nid = ASN_DOMAIN_COMPONENT; - } - } - name->cnEntry.data.type = CTC_UTF8; - name->cnEntry.set = 1; - - /* common name index case */ } else if (loc == name->fullName.cnIdx && name->x509 != NULL) { /* get CN shortcut from x509 since it has null terminator */ name->cnEntry.data.data = name->x509->subjectCN; @@ -32559,11 +32606,11 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) name->cnEntry.data.type = CTC_UTF8; name->cnEntry.nid = ASN_COMMON_NAME; name->cnEntry.set = 1; + return &name->cnEntry; } - else - return NULL; + WOLFSSL_MSG("loc passed in is not in range of parsed DN's"); - return &name->cnEntry; + return NULL; } #ifndef NO_WOLFSSL_STUB diff --git a/tests/api.c b/tests/api.c index 39bb6f265..72c3b5f3e 100644 --- a/tests/api.c +++ b/tests/api.c 
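Review bot: The new range test `loc <= DN_NAMES_MAX + name->fullName.dcNum` is not tied to the array being indexed: `loc[]` has DN_NAMES_MAX + DOMAIN_COMPONENT_MAX slots, so with the maximum ten DCs the test admits `loc == 19`, one past the end, and for smaller names it admits positions beyond `locSz` whose slots were never written for this name. The number of entries actually recorded is `name->fullName.locSz`, so the check should read `if (loc < name->fullName.locSz)`. The `else if (loc == name->fullName.cnIdx ...)` fallback compares an entry position with `cnIdx`, which the previous hunk uses as a byte offset into `fullName` (`&fullName[cnIdx]`), so asking for, say, entry 40 of a short name can hand back the CN; the branch predates this change, but it is now reachable exactly for the out-of-range positions the new test rejects and should probably go. The function begins before this hunk.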
@@ -22205,6 +22205,153 @@ static void test_wolfSSL_X509_check_ca(void){ #endif } +static void test_wolfSSL_DC_cert(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_FILESYSTEM) && \ + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_KEY_GEN) && \ + defined(WOLFSSL_CERT_EXT) + Cert cert; + RsaKey key; + WC_RNG rng; + byte der[FOURK_BUF]; + int certSz; + int ret, idx; + const byte mySerial[8] = {1,2,3,4,5,6,7,8}; + const unsigned char* pt; + + X509* x509; + X509_NAME* x509name; + X509_NAME_ENTRY* entry; + ASN1_STRING* entryValue; + + CertName name; + printf(testingFmt, "wolfSSL Certs with DC"); + + XMEMSET(&name, 0, sizeof(CertName)); + + /* set up cert name */ + XMEMCPY(name.country, "US", sizeof("US")); + name.countryEnc = CTC_PRINTABLE; + XMEMCPY(name.state, "Oregon", sizeof("Oregon")); + name.stateEnc = CTC_UTF8; + XMEMCPY(name.locality, "Portland", sizeof("Portland")); + name.localityEnc = CTC_UTF8; + XMEMCPY(name.sur, "Test", sizeof("Test")); + name.surEnc = CTC_UTF8; + XMEMCPY(name.org, "wolfSSL", sizeof("wolfSSL")); + name.orgEnc = CTC_UTF8; + XMEMCPY(name.unit, "Development", sizeof("Development")); + name.unitEnc = CTC_UTF8; + XMEMCPY(name.commonName, "www.wolfssl.com", sizeof("www.wolfssl.com")); + name.commonNameEnc = CTC_UTF8; + XMEMCPY(name.serialDev, "wolfSSL12345", sizeof("wolfSSL12345")); + name.serialDevEnc = CTC_PRINTABLE; +#ifdef WOLFSSL_MULTI_ATTRIB + #if CTC_MAX_ATTRIB > 2 + { + NameAttrib* n; + n = &name.name[0]; + n->id = ASN_DOMAIN_COMPONENT; + n->type = CTC_UTF8; + n->sz = sizeof("com"); + XMEMCPY(n->value, "com", sizeof("com")); + + n = &name.name[1]; + n->id = ASN_DOMAIN_COMPONENT; + n->type = CTC_UTF8; + n->sz = sizeof("wolfssl"); + XMEMCPY(n->value, "wolfssl", sizeof("wolfssl")); + } + #endif +#endif /* WOLFSSL_MULTI_ATTRIB */ + + AssertIntEQ(wc_InitRsaKey(&key, HEAP_HINT), 0); +#ifndef HAVE_FIPS + AssertIntEQ(wc_InitRng_ex(&rng, HEAP_HINT, devId), 0); +#else + AssertIntEQ(wc_InitRng(&rng), 0); +#endif + 
AssertIntEQ(wc_MakeRsaKey(&key, 1024, 3, &rng), 0); + + + XMEMSET(&cert, 0 , sizeof(Cert)); + AssertIntEQ(wc_InitCert(&cert), 0); + + XMEMCPY(&cert.subject, &name, sizeof(CertName)); + XMEMCPY(cert.serial, mySerial, sizeof(mySerial)); + cert.serialSz = (int)sizeof(mySerial); + cert.isCA = 1; +#ifndef NO_SHA256 + cert.sigType = CTC_SHA256wRSA; +#else + cert.sigType = CTC_SHAwRSA; +#endif + + /* add SKID from the Public Key */ + AssertIntEQ(wc_SetSubjectKeyIdFromPublicKey(&cert, &key, NULL), 0); + + /* add AKID from the Public Key */ + AssertIntEQ(wc_SetAuthKeyIdFromPublicKey(&cert, &key, NULL), 0); + + ret = 0; + do { +#if defined(WOLFSSL_ASYNC_CRYPT) + ret = wc_AsyncWait(ret, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN); +#endif + if (ret >= 0) { + ret = wc_MakeSelfCert(&cert, der, FOURK_BUF, &key, &rng); + } + } while (ret == WC_PENDING_E); + AssertIntGT(ret, 0); + certSz = ret; + + /* der holds a certificate with DC's now check X509 parsing of it */ + pt = der; + AssertNotNull(x509 = d2i_X509(NULL, &pt, certSz)); + AssertNotNull(x509name = X509_get_subject_name(x509)); +#ifdef WOLFSSL_MULTI_ATTRIB + AssertIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, + -1)), 5); + AssertIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, + idx)), 6); + AssertIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, + idx)), -1); +#endif /* WOLFSSL_MULTI_ATTRIB */ + + /* compare DN at index 0 */ + AssertNotNull(entry = X509_NAME_get_entry(x509name, 0)); + AssertNotNull(entryValue = X509_NAME_ENTRY_get_data(entry)); + AssertIntEQ(ASN1_STRING_length(entryValue), 2); + AssertStrEQ((const char*)ASN1_STRING_data(entryValue), "US"); + +#ifdef WOLFSSL_MULTI_ATTRIB + /* get first and second DC and compare result */ + AssertIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, + -1)), 5); + AssertNotNull(entry = X509_NAME_get_entry(x509name, idx)); + AssertNotNull(entryValue = X509_NAME_ENTRY_get_data(entry)); + 
AssertStrEQ((const char *)ASN1_STRING_data(entryValue), "com"); + + AssertIntEQ((idx = X509_NAME_get_index_by_NID(x509name, NID_domainComponent, + idx)), 6); + AssertNotNull(entry = X509_NAME_get_entry(x509name, idx)); + AssertNotNull(entryValue = X509_NAME_ENTRY_get_data(entry)); + AssertStrEQ((const char *)ASN1_STRING_data(entryValue), "wolfssl"); +#endif /* WOLFSSL_MULTI_ATTRIB */ + + /* try invalid index locations for regression test and sanity check */ + AssertNull(entry = X509_NAME_get_entry(x509name, 11)); + AssertNull(entry = X509_NAME_get_entry(x509name, 20)); + + (void)idx; + X509_free(x509); + wc_FreeRsaKey(&key); + wc_FreeRng(&rng); + printf(resultFmt, passed); +#endif +} + + static void test_wolfSSL_X509_get_version(void){ #if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_RSA) WOLFSSL_X509 *x509; @@ -24547,6 +24694,7 @@ void ApiTest(void) test_wolfSSL_ASN1_TIME_to_generalizedtime(); test_wolfSSL_i2c_ASN1_INTEGER(); test_wolfSSL_X509_check_ca(); + test_wolfSSL_DC_cert(); test_wolfSSL_DES_ncbc(); test_wolfSSL_AES_cbc_encrypt(); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 5a0e2c64c..c9c3e99df 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -4594,6 +4594,9 @@ static int GetName(DecodedCert* cert, int nameType) DecodedName* dName = (nameType == ISSUER) ? &cert->issuerName : &cert->subjectName; int dcnum = 0; + #ifdef OPENSSL_EXTRA + int count = 0; + #endif #endif /* OPENSSL_EXTRA */ WOLFSSL_MSG("Getting Cert Name"); @@ -4826,6 +4829,10 @@ static int GetName(DecodedCert* cert, int nameType) #endif XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen); idx += strLen; + #if defined(OPENSSL_EXTRA) + /* store order that DN was parsed */ + dName->loc[count++] = id; + #endif } cert->srcIdx += strLen; 
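Review bot: The async retry in the new test dereferences `key` as a pointer (`&key->asyncDev`) although it is declared `RsaKey key;` above, so the WOLFSSL_ASYNC_CRYPT build of this test does not compile; it should be `ret = wc_AsyncWait(ret, &key.asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);`. The out-of-range probes skip the boundary that matters: the name built here has eight named attributes plus two DCs under WOLFSSL_MULTI_ATTRIB, so index 10 is the first invalid position, but the test only asks for 11 and 20; add `AssertNull(X509_NAME_get_entry(x509name, 10));` (index 8 in the non-MULTI_ATTRIB build) with a comment stating the expected entry count. Generating a 1024-bit RSA key is the slow part of this test; a pre-generated key from the certs directory would keep the API suite fast, if one is usable under these build flags.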
@@ -4896,6 +4903,10 @@ static int GetName(DecodedCert* cert, int nameType) #endif XMEMCPY(&full[idx], &cert->source[cert->srcIdx], strLen); idx += strLen; + #if defined(OPENSSL_EXTRA) + /* store order that DN was parsed */ + dName->loc[count++] = id; + #endif } cert->srcIdx += strLen; @@ -4977,6 +4988,10 @@ static int GetName(DecodedCert* cert, int nameType) if (!tooBig) { XMEMCPY(&full[idx], &cert->source[cert->srcIdx], adv); idx += adv; + #if defined(OPENSSL_EXTRA) + /* store order that DN was parsed */ + dName->loc[count++] = ASN_EMAIL_NAME; + #endif } } @@ -4994,6 +5009,11 @@ static int GetName(DecodedCert* cert, int nameType) defined(OPENSSL_EXTRA_X509_SMALL) dName->uidIdx = cert->srcIdx; dName->uidLen = adv; + + #ifdef OPENSSL_EXTRA + /* store order that DN was parsed */ + dName->loc[count++] = ASN_USER_ID; + #endif #endif /* OPENSSL_EXTRA */ break; @@ -5006,6 +5026,11 @@ static int GetName(DecodedCert* cert, int nameType) dName->dcLen[dcnum] = adv; dName->dcNum = dcnum + 1; dcnum++; + + #ifdef OPENSSL_EXTRA + /* store order that DN was parsed */ + dName->loc[count++] = ASN_DOMAIN_COMPONENT; + #endif #endif /* OPENSSL_EXTRA */ break; @@ -5022,6 +5047,10 @@ static int GetName(DecodedCert* cert, int nameType) } } full[idx++] = 0; + #if defined(OPENSSL_EXTRA) + /* store order that DN was parsed */ + dName->locSz = count; + #endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) { diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index d768b041b..e5b367409 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -202,10 +202,12 @@ struct WOLFSSL_ASN1_TIME { }; struct WOLFSSL_ASN1_STRING { + char strData[CTC_NAME_SIZE]; int length; int type; /* type of string i.e. CTC_UTF8 */ char* data; long flags; + unsigned int isDynamic:1; /* flag for if data pointer dynamic (1 is yes 0 is no) */ }; #define WOLFSSL_MAX_SNAME 40 diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 38d48717b..5c0ef6879 100644 --- a/wolfssl/wolfcrypt/asn.h 
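Review bot: `dName->loc[count++] = ...` is written at every attribute site with no bound on `count`, and the new ASN_USER_ID and ASN_DOMAIN_COMPONENT sites are not even inside the `tooBig` guard that covers the others; `loc[]` has DN_NAMES_MAX + DOMAIN_COMPONENT_MAX (19) slots, and nothing visible in these hunks caps the number of attributes a Name may carry, so a certificate with twenty short attributes (repeated OUs or UIDs suffice, and at a few bytes each they stay well under WC_ASN_NAME_MAX) writes past the array into `locSz` and whatever follows in DecodedName. That is attacker-controlled input reaching a fixed-size array in the parser, so each site needs `if (count < DN_NAMES_MAX + DOMAIN_COMPONENT_MAX) dName->loc[count++] = id;`, and GetName should decide whether a Name with more attributes than that is an error rather than silently truncated. If the loop driving these sites already limits the attribute count, that limit is outside this hunk and a comment here naming it would settle the question. Note also that DN_NAMES_MAX is 9 while wolfSSL_nameByLoc handles ten distinct non-DC attribute types plus businessCategory, so one of each already exceeds the budget the name suggests.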
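Review bot: `isDynamic` now decides whether `data` is passed to XFREE, so every place that creates a WOLFSSL_ASN1_STRING must leave the bit zero; none of those constructors is in this patch, and an XMALLOC without a following XMEMSET would give wolfSSL_ASN1_STRING_free an undefined bit and, on the wrong value, an attempt to free `strData` inside the struct. Please verify the allocation sites and document the contract on the fields: `char strData[CTC_NAME_SIZE]; /* inline storage; data points here when the value fits and must not be freed */` and `unsigned int isDynamic:1; /* 1: data was XMALLOCed and is owned by this object; 0: data aliases strData or storage not owned here */`.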
+++ b/wolfssl/wolfcrypt/asn.h @@ -214,11 +214,15 @@ enum ECC_TYPES #define ASN_JOI_ST 0x2 #ifndef WC_ASN_NAME_MAX - #define WC_ASN_NAME_MAX 256 + #ifdef OPENSSL_EXTRA + #define WC_ASN_NAME_MAX 300 + #else + #define WC_ASN_NAME_MAX 256 + #endif #endif +#define ASN_NAME_MAX WC_ASN_NAME_MAX enum Misc_ASN { - ASN_NAME_MAX = WC_ASN_NAME_MAX, MAX_SALT_SIZE = 64, /* MAX PKCS Salt length */ MAX_IV_SIZE = 64, /* MAX PKCS Iv length */ ASN_BOOL_SIZE = 2, /* including type */ @@ -538,6 +542,7 @@ struct Base_entry { }; #define DOMAIN_COMPONENT_MAX 10 +#define DN_NAMES_MAX 9 struct DecodedName { char* fullName; @@ -585,6 +590,14 @@ struct DecodedName { int dcLen[DOMAIN_COMPONENT_MAX]; int dcNum; int dcMode; +#ifdef OPENSSL_EXTRA + /* hold the location / order with which each of the DN tags was found + * + * example of ASN_DOMAIN_COMPONENT at index 0 if first found and so on. + */ + int loc[DOMAIN_COMPONENT_MAX + DN_NAMES_MAX]; + int locSz; +#endif }; enum SignatureState { diff --git a/wolfssl/wolfcrypt/memory.h b/wolfssl/wolfcrypt/memory.h index 0098e3380..f9295b392 100644 --- a/wolfssl/wolfcrypt/memory.h +++ b/wolfssl/wolfcrypt/memory.h @@ -101,6 +101,9 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb*, #ifndef SESSION_CERTS /* default size of chunks of memory to separate into */ #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,16128 + #elif defined (OPENSSL_EXTRA) + /* extra storage in structs for multiple attributes and order */ + #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3360,4480,25520 #elif defined (WOLFSSL_CERT_EXT) /* certificate extensions requires 24k for the SSL struct */ #define WOLFMEM_BUCKETS 64,128,256,512,1024,2432,3456,4544,24576
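Review bot: `DN_NAMES_MAX` is defined as 9 with no statement of what it counts, yet the other hunks use `DN_NAMES_MAX + DOMAIN_COMPONENT_MAX` as the size of `loc[]`, i.e. the total number of attributes one Name may record, and the non-DC attribute kinds handled in ssl.c (cn, c, l, st, o, ou, email, sn, uid, serial, plus bc under WOLFSSL_CERT_EXT) already exceed nine before any attribute repeats. Either raise it to cover the types actually supported or document that it is a budget rather than a per-type count: `/* non-DC attribute budget for DecodedName.loc[]; GetName must bound writes by DN_NAMES_MAX + DOMAIN_COMPONENT_MAX */`. Bumping WC_ASN_NAME_MAX to 300 only under OPENSSL_EXTRA also means the same certificate can parse in one configuration and hit tooBig in another; a one-line comment on why 300 was chosen would help the next reader.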