feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Added check to enforce RFC 5280 Sec 4.2.1.10 rule: "The name constraints extension, which MUST be used only in a CA certificate". Added new define WOLFSSL_NO_ASN_STRICT to restore old behavior for compatability. Fix wc_port time HAVE_RTP_SYS (noticed it was missed during ASN time move to wc_port).

Browse Source
This commit is contained in:
David Garske
2018-02-05 16:39:24 -08:00
parent e1c246f918
commit f4ad808d12
3 changed files with 14 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
wolfcrypt/src/asn.c
View File

@@ -34,6 +34,8 @@ ASN Options:
* ASN_DUMP_OID: Allows dump of OID information for debugging. * ASN_DUMP_OID: Allows dump of OID information for debugging.
* RSA_DECODE_EXTRA: Decodes extra information in RSA public key. * RSA_DECODE_EXTRA: Decodes extra information in RSA public key.
* WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName. * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
* WOLFSSL_NO_ASN_STRICT: Disable strict RFC compliance checks to
restore 3.13.0 behavior.
* WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer * WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer
must still be trusted) must still be trusted)
* WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert
@@ -48,11 +50,6 @@ ASN Options:
#ifndef NO_ASN #ifndef NO_ASN
#ifdef HAVE_RTP_SYS
#include "os.h" /* dc_rtc_api needs */
#include "dc_rtc_api.h" /* to get current time */
#endif
#include <wolfssl/wolfcrypt/asn.h> #include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/wolfcrypt/coding.h> #include <wolfssl/wolfcrypt/coding.h>
#include <wolfssl/wolfcrypt/md2.h> #include <wolfssl/wolfcrypt/md2.h>
@@ -6337,6 +6334,12 @@ static int DecodeCertExtensions(DecodedCert* cert)
#ifndef IGNORE_NAME_CONSTRAINTS #ifndef IGNORE_NAME_CONSTRAINTS
case NAME_CONS_OID: case NAME_CONS_OID:
#ifndef WOLFSSL_NO_ASN_STRICT
if (!cert->ca) {
WOLFSSL_MSG("Name constraints allowed only for CA certs");
return ASN_NAME_INVALID_E;
}
#endif
cert->extNameConstraintSet = 1; cert->extNameConstraintSet = 1;
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
cert->extNameConstraintCrit = critical; cert->extNameConstraintCrit = critical;

6
wolfcrypt/src/wc_port.c
View File

@@ -38,11 +38,11 @@
/* IPP header files for library initialization */ /* IPP header files for library initialization */
#ifdef HAVE_FAST_RSA #ifdef HAVE_FAST_RSA
#include <ipp.h> #include <ipp.h>
#include <ippcp.h> #include <ippcp.h>
#endif #endif
#if defined(FREESCALE_LTC_TFM) #ifdef FREESCALE_LTC_TFM
#include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h> #include <wolfssl/wolfcrypt/port/nxp/ksdk_port.h>
#endif #endif

3
wolfssl/wolfcrypt/wc_port.h
View File

@@ -357,6 +357,9 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
#define NEED_TMP_TIME #define NEED_TMP_TIME
#elif defined(HAVE_RTP_SYS) #elif defined(HAVE_RTP_SYS)
#include "os.h" /* dc_rtc_api needs */
#include "dc_rtc_api.h" /* to get current time */
/* uses parital <time.h> structures */ /* uses parital <time.h> structures */
#define XTIME(tl) (0) #define XTIME(tl) (0)
#define XGMTIME(c, t) rtpsys_gmtime((c)) #define XGMTIME(c, t) rtpsys_gmtime((c))