From 1cf35301242aabb34d3faaf3f3d8bda201622d5f Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 19 May 2017 09:59:03 -0700 Subject: [PATCH 1/3] Fix for building with WOLFSSL_NO_OCSP_OPTIONAL_CERTS defined. --- wolfcrypt/src/asn.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 04ae0c5be..db7421767 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -10234,6 +10234,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, WOLFSSL_MSG("\tOCSP Confirm signature failed"); return ASN_OCSP_CONFIRM_E; } + + (void)noVerify; } *ioIndex = idx; From 53021a5df7fe3b6c4d5ddfdf4b93fe4540f96649 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 26 May 2017 10:01:42 -0700 Subject: [PATCH 2/3] Increased security for `WOLFSSL_NO_TRUSTED_CERTS_VERIFY` workaround so it only applies to OCSP. Fix for the workaround to still return date or parsing errors. --- wolfcrypt/src/asn.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index db7421767..c7f5a3f74 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -39,6 +39,7 @@ ASN Options: * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for sitatuon where entire cert chain is not loaded. This only matches on subject and public key and does not perform a PKI validation, so it is not a secure solution. + Only enabled for OCSP. */ #ifndef NO_ASN @@ -4109,10 +4110,10 @@ static int GetValidity(DecodedCert* cert, int verify) if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) return ASN_PARSE_E; - if (GetDate(cert, BEFORE) < 0 && verify) + if (GetDate(cert, BEFORE) < 0 && verify != NO_VERIFY) badDate = ASN_BEFORE_DATE_E; /* continue parsing */ - if (GetDate(cert, AFTER) < 0 && verify) + if (GetDate(cert, AFTER) < 0 && verify != NO_VERIFY) return ASN_AFTER_DATE_E; if (badDate != 0) @@ -6036,7 +6037,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) /* alternate lookup method using subject and match on public key */ #ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY - if (cert->ca == NULL) { + if (cert->ca == NULL && verify == VERIFY_OCSP) { if (cert->extSubjKeyIdSet) { cert->ca = GetCA(cm, cert->extSubjKeyId); } @@ -6047,7 +6048,8 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) if ((cert->ca->pubKeySize == cert->pubKeySize) && (XMEMCMP(cert->ca->publicKey, cert->publicKey, cert->ca->pubKeySize) == 0)) { - return 0; + ret = 0; /* success */ + goto exit_pcr; } } } @@ -6091,7 +6093,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) { if (cert->ca) { - if (verify == VERIFY) { + if (verify == VERIFY || verify == VERIFY_OCSP) { /* try to confirm/verify signature */ if ((ret = ConfirmSignature(&cert->sigCtx, cert->source + cert->certBegin, @@ -6121,6 +6123,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) } } +exit_pcr: if (badDate != 0) return badDate; @@ -10189,8 +10192,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, InitDecodedCert(&cert, resp->cert, resp->certSz, heap); /* Don't verify if we don't have access to Cert Manager. */ - ret = ParseCertRelative(&cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY, - cm); + ret = ParseCertRelative(&cert, CERT_TYPE, + noVerify ? NO_VERIFY : VERIFY_OCSP, cm); if (ret < 0) { WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); FreeDecodedCert(&cert); From a0345f6ba9800340c4c0794ba80167e685190a1b Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 26 May 2017 10:53:42 -0700 Subject: [PATCH 3/3] Fix for building without WOLFSSL_NO_TRUSTED_CERTS_VERIFY. --- wolfcrypt/src/asn.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index c7f5a3f74..85d22b98e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -6123,7 +6123,10 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) } } +#ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY exit_pcr: +#endif + if (badDate != 0) return badDate;