From f9ff551992abf7cb7ed8e6771585bb7df23b1176 Mon Sep 17 00:00:00 2001
From: Lealem Amedie
Date: Fri, 4 Feb 2022 16:59:51 -0800
Subject: [PATCH] Fix for OpenSSL x509_NAME_hash mismatch

---
 src/ssl.c | 61 +++++++++++++++++++++++++---------
 tests/api.c | 5 ++-
 wolfcrypt/src/asn.c | 16 ++++++---
 wolfssl/openssl/crypto.h | 5 ++-
 wolfssl/wolfcrypt/asn_public.h | 9 +++--
 wolfssl/wolfcrypt/types.h | 2 +-
 6 files changed, 71 insertions(+), 27 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 87de73201..c37b72572 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -20851,11 +20851,15 @@ char* wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME* name, char* in, int sz)
 return in;
 }
 
+#ifdef OPENSSL_EXTRA
 unsigned long wolfSSL_X509_NAME_hash(WOLFSSL_X509_NAME* name)
 {
 #ifndef NO_SHA
 byte digest[WC_SHA_DIGEST_SIZE];
 unsigned long ret = 0;
+ unsigned char* canon_name = NULL;
+ int size = 0;
+
 WOLFSSL_ENTER("wolfSSL_X509_NAME_hash");
 if (name == NULL) {
 WOLFSSL_MSG("WOLFSSL_X509_NAME pointer was NULL");
@@ -20865,10 +20869,21 @@ unsigned long wolfSSL_X509_NAME_hash(WOLFSSL_X509_NAME* name)
 WOLFSSL_MSG("nothing to hash in WOLFSSL_X509_NAME");
 return 0;
 }
- if (wc_ShaHash((byte*)name->name, name->sz, digest) != 0) {
+
+ size = wolfSSL_i2d_X509_NAME_canon(name, &canon_name);
+
+ if (size <= 0){
+ WOLFSSL_MSG("wolfSSL_i2d_X509_NAME_canon error");
+ return 0;
+ }
+
+ if (wc_ShaHash((byte*)canon_name, size, digest) != 0) {
 WOLFSSL_MSG("wc_ShaHash error");
 return 0;
 }
+
+ XFREE(canon_name, NULL, DYNAMIC_TYPE_OPENSSL);
+
 ret = (unsigned long) digest[0];
 ret |= ((unsigned long) digest[1]) << 8;
 ret |= ((unsigned long) digest[2]) << 16;
@@ -20880,6 +20895,7 @@ unsigned long wolfSSL_X509_NAME_hash(WOLFSSL_X509_NAME* name)
 return 0;
 #endif
 }
+#endif /* OPENSSL_EXTRA */
 
 #if defined(OPENSSL_EXTRA) && defined(XSNPRINTF)
 /* Copies X509 subject name into a buffer, with comma-separated name entries
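Review bot: The canonical-name buffer leaks on the `wc_ShaHash` failure path in the second hunk: `canon_name` is allocated by `wolfSSL_i2d_X509_NAME_canon`, but the `return 0` inside `if (wc_ShaHash(...) != 0)` runs before the `XFREE` that only follows on the success path. Hash first and release the buffer unconditionally, e.g. `int hashRet = wc_ShaHash((byte*)canon_name, (word32)size, digest);` / `XFREE(canon_name, NULL, DYNAMIC_TYPE_OPENSSL);` / `if (hashRet != 0) { WOLFSSL_MSG("wc_ShaHash error"); return 0; }` — `size` is already known to be positive from the `size <= 0` check, so the length cast is safe. `if (size <= 0){` also wants the space before the brace that the surrounding code uses. The function body continues past this hunk; its NO_SHA fallback is in the third hunk.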
@@ -23321,7 +23337,7 @@ void wolfSSL_sk_ASN1_OBJECT_pop_free(WOLF_STACK_OF(WOLFSSL_ASN1_OBJECT)* sk,
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 #endif /* !NO_ASN */
 
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 #ifndef NO_ASN
 
 int wolfSSL_ASN1_STRING_to_UTF8(unsigned char **out, WOLFSSL_ASN1_STRING *in)
@@ -23353,6 +23369,11 @@ int wolfSSL_ASN1_STRING_to_UTF8(unsigned char **out, WOLFSSL_ASN1_STRING *in)
 *out = buf;
 return inLen;
 }
+#endif /* !NO_ASN */
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+
+#if defined(OPENSSL_EXTRA)
+#ifndef NO_ASN
 
 int wolfSSL_ASN1_UNIVERSALSTRING_to_string(WOLFSSL_ASN1_STRING *s)
 {
@@ -24933,7 +24954,6 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b)
 return NULL;
 }
 }
-
 unsigned char* wolfSSL_ASN1_STRING_data(WOLFSSL_ASN1_STRING* asn)
 {
 #ifdef WOLFSSL_DEBUG_OPENSSL
@@ -36812,7 +36832,9 @@ int wolfSSL_CMAC_Final(WOLFSSL_CMAC_CTX* ctx, unsigned char* out,
 return ret;
 }
 #endif /* WOLFSSL_CMAC && OPENSSL_EXTRA && WOLFSSL_AES_DIRECT */
+#endif /* OPENSSL_EXTRA */
 
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 /* Free the dynamically allocated data.
 *
 * p Pointer to dynamically allocated memory.
@@ -36823,6 +36845,9 @@ void wolfSSL_OPENSSL_free(void* p)
 
 XFREE(p, NULL, DYNAMIC_TYPE_OPENSSL);
 }
 
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+
+#ifdef OPENSSL_EXTRA
 void *wolfSSL_OPENSSL_malloc(size_t a)
 {
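Review bot: `wolfSSL_ASN1_STRING_to_UTF8` becomes available to OPENSSL_EXTRA_X509_SMALL builds in the first hunk without any statement of who owns the buffer it hands back through `*out = buf; return inLen;`. Widening `wolfSSL_OPENSSL_free` to the same guard in the hunk at 36832 suggests that is the intended release path, so say so above the signature, e.g. `/* On success *out points to a newly allocated buffer the caller must release with wolfSSL_OPENSSL_free(); returns the number of bytes written. */`. The allocation itself is outside the hunk, so confirm its DYNAMIC_TYPE matches `wolfSSL_OPENSSL_free` before committing that wording.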
@@ -43974,18 +43999,10 @@ cleanup:
 return wolfSSL_X509_sign(x509, ctx->pctx->pkey, wolfSSL_EVP_MD_CTX_md(ctx));
 }
 #endif /* OPENSSL_EXTRA */
+#endif /* WOLFSSL_CERT_GEN */
 
-/* Guarded by either
- * A) WOLFSSL_WPAS_SMALL is on or
- * B) (OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL) + WOLFSSL_CERT_GEN +
- * (WOLFSSL_CERT_REQ or WOLFSSL_CERT_EXT or OPENSSL_EXTRA) has been
- * defined
- */
-#if defined(WOLFSSL_WPAS_SMALL) || \
- (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
- defined(WOLFSSL_CERT_GEN) && \
- (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \
- defined(OPENSSL_EXTRA))
+
+#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 /* Converts from NID_* value to wolfSSL value if needed.
 *
 * @param [in] nid Numeric Id of a domain name component.
@@ -44014,7 +44031,6 @@ static int ConvertNIDToWolfSSL(int nid)
 }
 }
 
-#if defined(OPENSSL_ALL)
 /* Convert ASN1 input string into canonical ASN1 string */
 /* , which has the following rules: */
 /* convert to UTF8 */
@@ -44198,7 +44214,20 @@ int wolfSSL_i2d_X509_NAME_canon(WOLFSSL_X509_NAME* name, unsigned char** out)
 }
 return totalBytes;
 }
-#endif /* OPENSSL_ALL */
+#endif /* OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL*/
+
+#ifdef WOLFSSL_CERT_GEN
+/* Guarded by either
+ * A) WOLFSSL_WPAS_SMALL is on or
+ * B) (OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL) + WOLFSSL_CERT_GEN +
+ * (WOLFSSL_CERT_REQ or WOLFSSL_CERT_EXT or OPENSSL_EXTRA) has been
+ * defined
+ */
+#if defined(WOLFSSL_WPAS_SMALL) || \
+ (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
+ defined(WOLFSSL_CERT_GEN) && \
+ (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT) || \
+ defined(OPENSSL_EXTRA))
 
 /* Converts the x509 name structure into DER format.
 *
diff --git a/tests/api.c b/tests/api.c
index ed720b951..2cabd2a7a 100644
--- a/tests/api.c
+++ b/tests/api.c
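Review bot: The `Guarded by either` comment re-added in the third hunk no longer describes the guard it sits above: the whole block is now nested inside `#ifdef WOLFSSL_CERT_GEN`, so alternative A (`WOLFSSL_WPAS_SMALL` on its own) can no longer enable the DER-conversion code, and the inner `defined(WOLFSSL_CERT_GEN) &&` term of the `#if` has become redundant. Either reword the comment to state the precondition, e.g. `/* Requires WOLFSSL_CERT_GEN, plus either A) WOLFSSL_WPAS_SMALL or B) (OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL) + (WOLFSSL_CERT_REQ or WOLFSSL_CERT_EXT or OPENSSL_EXTRA) */` and drop the redundant term, or move the `#ifdef WOLFSSL_CERT_GEN` if a WPAS_SMALL-only build is still meant to get this code — which of the two is intended is not decidable from the hunk. The closing `#endif /* OPENSSL_ALL || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL*/` is also missing the space before `*/` that every other guard comment here carries. The `#if` block opened by this hunk continues past it.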
@@ -29377,9 +29377,8 @@ static void test_wolfSSL_X509_NAME_hash(void)
 AssertNotNull(bio = BIO_new(BIO_s_file()));
 AssertIntGT(BIO_read_filename(bio, svrCertFile), 0);
 AssertNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL));
- AssertIntEQ(X509_NAME_hash(X509_get_subject_name(x509)), 0xF6CF410E);
- AssertIntEQ(X509_NAME_hash(X509_get_issuer_name(x509)), 0x677DD39A);
-
+ AssertIntEQ(X509_NAME_hash(X509_get_subject_name(x509)), 0x137DC03F);
+ AssertIntEQ(X509_NAME_hash(X509_get_issuer_name(x509)), 0xFDB2DA4);
 X509_free(x509);
 BIO_free(bio);
 printf(resultFmt, passed);
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 895e93cf5..45b83909d 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -4006,10 +4006,12 @@ static const byte extExtKeyUsageTimestampOid[] = {43, 6, 1, 5, 5, 7, 3, 8};
 static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9};
 
 #if defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN) || \
- defined(WOLFSSL_ASN_TEMPLATE)
+ defined(WOLFSSL_ASN_TEMPLATE) || defined(OPENSSL_EXTRA) || \
+ defined(OPENSSL_EXTRA_X509_SMALL)
 /* csrAttrType */
 #define CSR_ATTR_TYPE_OID_BASE(num) {42, 134, 72, 134, 247, 13, 1, 9, num}
-#if !defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN)
+#if !defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN) || \
+ defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 static const byte attrEmailOid[] = CSR_ATTR_TYPE_OID_BASE(1);
 #endif
 #ifdef WOLFSSL_CERT_REQ
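Review bot: The replacement expected values `0x137DC03F` and `0xFDB2DA4` in the api.c hunk are bare constants with nothing recording where they came from, so the next mismatch will be undiagnosable. Given the commit's purpose, pin them to the reference in a one-line comment above the asserts, e.g. `/* expected values taken from OpenSSL X509_NAME_hash() on the same cert (openssl x509 -subject_hash / -issuer_hash) */` — only if that is actually how they were obtained. Writing the second as `0x0FDB2DA4` also makes it read as the 32-bit value it is, like its neighbour. The hash is 32 bits wide while `X509_NAME_hash` returns `unsigned long`; `AssertIntEQ` against an int literal is fine for these values but is worth keeping in mind.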
@@ -4053,12 +4055,14 @@ static const byte dnsSRVOid[] = {43, 6, 1, 5, 5, 7, 8, 7};
 #endif
 
 #if defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN) || \
- defined(WOLFSSL_ASN_TEMPLATE)
+ defined(WOLFSSL_ASN_TEMPLATE) || defined(OPENSSL_EXTRA) || \
+ defined(OPENSSL_EXTRA_X509_SMALL)
 /* Pilot attribute types (0.9.2342.19200300.100.1.*) */
 #ifdef WOLFSSL_ASN_TEMPLATE
 static const byte uidOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 1}; /* user id */
 #endif
-#if !defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN)
+#if !defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN) || \
+ defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 static const byte dcOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 25}; /* domain component */
 #endif
 #endif
@@ -22478,7 +22482,9 @@ int FlattenAltNames(byte* output, word32 outputSz, const DNS_entry* names)
 }
 #endif /* WOLFSSL_ALT_NAMES */
 
+#endif /* WOLFSSL_CERT_GEN */
 
+#if defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 /* Simple domain name OID size. */
 #define DN_OID_SZ 3
 
@@ -22723,7 +22729,9 @@ int wc_EncodeNameCanonical(EncodedName* name, const char* nameStr,
 return EncodeName(name, nameStr, (byte)nameType, type, ASN_UTF8STRING, NULL);
 }
+#endif /* WOLFSSL_CERT_GEN || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 
 
+#ifdef WOLFSSL_CERT_GEN
 /* Encodes one attribute of the name (issuer/subject)
 * call we_EncodeName_ex with 0x16, IA5String for email type
 * name structure to hold result of encoding
diff --git a/wolfssl/openssl/crypto.h b/wolfssl/openssl/crypto.h
index 88d16385f..a0239517b 100644
--- a/wolfssl/openssl/crypto.h
+++ b/wolfssl/openssl/crypto.h
@@ -55,8 +55,11 @@ WOLFSSL_API const char* wolfSSLeay_version(int type);
 WOLFSSL_API unsigned long wolfSSLeay(void);
 WOLFSSL_API unsigned long wolfSSL_OpenSSL_version_num(void);
 
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 WOLFSSL_API void wolfSSL_OPENSSL_free(void* p);
+#endif
+
+#ifdef OPENSSL_EXTRA
 WOLFSSL_API void *wolfSSL_OPENSSL_malloc(size_t a);
 WOLFSSL_API int wolfSSL_OPENSSL_hexchar2int(unsigned char c);
 WOLFSSL_API unsigned char *wolfSSL_OPENSSL_hexstr2buf(const char *str, long *len);
diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h
index 7faba0821..205fc2e53 100644
--- a/wolfssl/wolfcrypt/asn_public.h
+++ b/wolfssl/wolfcrypt/asn_public.h
@@ -297,8 +297,7 @@ typedef struct WOLFSSL_ASN1_INTEGER {
 #endif
 #endif /* WOLFSSL_CERT_GEN || WOLFSSL_CERT_EXT */
 
-#ifdef WOLFSSL_CERT_GEN
-
+#if defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 #ifdef WOLFSSL_MULTI_ATTRIB
 #ifndef CTC_MAX_ATTRIB
 #define CTC_MAX_ATTRIB 4
@@ -312,7 +311,9 @@ typedef struct NameAttrib {
 char value[CTC_NAME_SIZE]; /* name */
 } NameAttrib;
 #endif /* WOLFSSL_MULTI_ATTRIB */
+#endif /* WOLFSSL_CERT_GEN || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 
+#ifdef WOLFSSL_CERT_GEN
 #ifdef WOLFSSL_CUSTOM_OID
 typedef struct CertOidField {
 byte* oid;
@@ -322,7 +323,9 @@ typedef struct CertOidField {
 char enc;
 } CertOidField;
 #endif
+#endif /* WOLFSSL_CERT_GEN */
 
+#if defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 typedef struct CertName {
 char country[CTC_NAME_SIZE];
 char countryEnc;
@@ -360,7 +363,9 @@ typedef struct CertName {
 CertOidField custom;
 #endif
 } CertName;
+#endif /* WOLFSSL_CERT_GEN || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL*/
 
 
+#ifdef WOLFSSL_CERT_GEN
 /* for user to fill for certificate generation */
 typedef struct Cert {
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index d619b9d24..b6b6b60a1 100644
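Review bot: In the asn_public.h hunks, `CertOidField` is now declared only under `#ifdef WOLFSSL_CERT_GEN` (hunks at 311 and 323), while `CertName`, whose body contains `CertOidField custom;`, is compiled under `WOLFSSL_CERT_GEN || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL`. A build with OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL but without WOLFSSL_CERT_GEN, and with the guard that encloses the `custom` member enabled (its `#if` is outside the hunk, presumably `WOLFSSL_CUSTOM_OID`), then refers to an undeclared type inside `CertName`. Either put the `CertOidField` typedef under the same widened guard as `CertName`, or make the `custom` member's guard also require `WOLFSSL_CERT_GEN`, e.g. `#if defined(WOLFSSL_CUSTOM_OID) && defined(WOLFSSL_CERT_GEN)` if that is indeed the member's guard. The `#endif /* ... OPENSSL_EXTRA_X509_SMALL*/` closing `CertName` is also missing the space before `*/` used by its siblings.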
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -778,7 +778,7 @@ decouple library dependencies with standard string, memory and so on.
 defined(OPENSSL_EXTRA)
 #define XTOUPPER(c) toupper((c))
 #endif
- #ifdef OPENSSL_ALL
+ #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 #define XISALNUM(c) isalnum((c))
 #define XISASCII(c) isascii((c))
 #define XISSPACE(c) isspace((c))
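Review bot: Widening this guard exposes `XISALNUM`/`XISASCII`/`XISSPACE` to every OPENSSL_EXTRA and OPENSSL_EXTRA_X509_SMALL build, and the macros hand `c` straight to the `<ctype.h>` functions, whose behaviour is undefined for arguments outside the `unsigned char` range and EOF — a plain `char` holding a byte above 0x7F, which UTF-8 name strings legitimately contain, hits that on platforms where `char` is signed. Casting inside the macros, `#define XISALNUM(c) isalnum((unsigned char)(c))` and `#define XISSPACE(c) isspace((unsigned char)(c))`, fixes every caller at once; `XTOUPPER` a few lines up has the same shape. `isascii` accepts any `int` but is an XSI extension rather than ISO C, so confirm that the builds which now reach it are ones that already assume POSIX headers.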