feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Extend the unknown extension callback.

Browse Source 
This will allow the user to pass in a context pointer. Allows them to avoid
global variables.

We also add unknown extensions callback when processing a CA in cert manager
as CA certs can have unknown extensions as well.

Fixes ZD 18252
This commit is contained in:
Anthony Hu
2024-07-09 13:48:54 -04:00
parent 00e42151ca
commit e581930cb7
4 changed files with 42 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/ssl.c
View File

@@ -5349,6 +5349,14 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
#endif
InitDecodedCert(cert, der->buffer, der->length, cm->heap);
#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) && \
defined(HAVE_OID_DECODING)
if (cm->unknownExtCallback != NULL) {
wc_SetUnknownExtCallback(cert, cm->unknownExtCallback);
}
#endif
ret = ParseCert(cert, CA_TYPE, verify, cm);
WOLFSSL_MSG("\tParsed new CA");

2
tests/api.c
View File

@@ -1258,7 +1258,7 @@ static int myUnknownExtCallback(const word16* oid, word32 oidSz, int crit,
extCount ++;
/* Accept all extensions. This is only a test. Normally we would be much more
* careful about critical extensions. */
return 1;
return 0;
}
static int test_dual_alg_support(void)

29
wolfcrypt/src/asn.c
View File

@@ -21366,6 +21366,17 @@ int wc_SetUnknownExtCallback(DecodedCert* cert,
cert->unknownExtCallback = cb;
return 0;
}
int wc_SetUnknownExtCallbackEx(DecodedCert* cert,
wc_UnknownExtCallbackEx cb, void *ctx) {
if (cert == NULL) {
return BAD_FUNC_ARG;
}
cert->unknownExtCallbackEx = cb;
cert->unknownExtCallbackExCtx = ctx;
return 0;
}
#endif
/*
@@ -21521,7 +21532,8 @@ end:
ret = DecodeExtensionType(input + idx, length, oid, critical, cert,
&isUnknownExt);
#if defined(WOLFSSL_CUSTOM_OID) && defined(HAVE_OID_DECODING)
if (isUnknownExt && (cert->unknownExtCallback != NULL)) {
if (isUnknownExt && (cert->unknownExtCallback != NULL ||
cert->unknownExtCallbackEx != NULL)) {
word16 decOid[MAX_OID_SZ];
word32 decOidSz = sizeof(decOid);
ret = DecodeObjectId(
@@ -21535,9 +21547,18 @@ end:
WOLFSSL_ERROR(ret);
}
ret = cert->unknownExtCallback(decOid, decOidSz, critical,
dataASN[CERTEXTASN_IDX_VAL].data.buffer.data,
dataASN[CERTEXTASN_IDX_VAL].length);
if ((ret == 0) && (cert->unknownExtCallback != NULL)) {
ret = cert->unknownExtCallback(decOid, decOidSz, critical,
dataASN[CERTEXTASN_IDX_VAL].data.buffer.data,
dataASN[CERTEXTASN_IDX_VAL].length);
}
if ((ret == 0) && (cert->unknownExtCallbackEx != NULL)) {
ret = cert->unknownExtCallbackEx(decOid, decOidSz, critical,
dataASN[CERTEXTASN_IDX_VAL].data.buffer.data,
dataASN[CERTEXTASN_IDX_VAL].length,
cert->unknownExtCallbackExCtx);
}
}
#endif
(void)isUnknownExt;

8
wolfssl/wolfcrypt/asn.h
View File

@@ -1645,6 +1645,9 @@ typedef struct CertSignCtx CertSignCtx;
&& defined(HAVE_OID_DECODING)
typedef int (*wc_UnknownExtCallback)(const word16* oid, word32 oidSz, int crit,
const unsigned char* der, word32 derSz);
typedef int (*wc_UnknownExtCallbackEx)(const word16* oid, word32 oidSz,
int crit, const unsigned char* der,
word32 derSz, void *ctx);
#endif
struct DecodedCert {
@@ -1978,6 +1981,8 @@ struct DecodedCert {
#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_ASN_TEMPLATE) \
&& defined(HAVE_OID_DECODING)
wc_UnknownExtCallback unknownExtCallback;
wc_UnknownExtCallbackEx unknownExtCallbackEx;
void *unknownExtCallbackExCtx;
#endif
#ifdef WOLFSSL_DUAL_ALG_CERTS
/* Subject Alternative Public Key Info */
@@ -2147,6 +2152,9 @@ WOLFSSL_ASN_API int ParseCert(DecodedCert* cert, int type, int verify,
&& defined(HAVE_OID_DECODING)
WOLFSSL_ASN_API int wc_SetUnknownExtCallback(DecodedCert* cert,
wc_UnknownExtCallback cb);
WOLFSSL_ASN_API int wc_SetUnknownExtCallbackEx(DecodedCert* cert,
wc_UnknownExtCallbackEx cb,
void *ctx);
#endif
WOLFSSL_LOCAL int DecodePolicyOID(char *out, word32 outSz, const byte *in,