wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

More complete fix for removing NO_SKID condition as default with CRL enabled

Browse Source
This commit is contained in:
kaleb-himes
2019-12-07 03:39:57 -07:00
parent b4f67dabcf
commit 072fe8fd6d
6 changed files with 29 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/crl.c
View File

@@ -82,8 +82,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
WOLFSSL_ENTER("InitCRL_Entry");
XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
/* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
* copy the hash here if needed for optimized comparisons */
XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
crle->lastDateFormat = dcrl->lastDateFormat;
@@ -109,7 +108,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
}
XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz);
XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz);
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
#ifndef NO_SKID
crle->extAuthKeyIdSet = dcrl->extAuthKeyIdSet;
if (crle->extAuthKeyIdSet)
XMEMCPY(crle->extAuthKeyId, dcrl->extAuthKeyId, KEYID_SIZE);
@@ -206,9 +205,9 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr
WOLFSSL_MSG("Found CRL Entry on list");
if (crle->verified == 0) {
Signer* ca;
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
byte extAuthKeyId[KEYID_SIZE]
Signer* ca = NULL;
#ifndef NO_SKID
byte extAuthKeyId[KEYID_SIZE];
#endif
byte issuerHash[CRL_DIGEST_SIZE];
byte* tbs = NULL;
@@ -232,15 +231,15 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr
XMEMCPY(tbs, crle->toBeSigned, tbsSz);
XMEMCPY(sig, crle->signature, sigSz);
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
XMEMCMPY(extAuthKeyId, crle->extAuthKeyId,
#ifndef NO_SKID
XMEMCPY(extAuthKeyId, crle->extAuthKeyId,
sizeof(extAuthKeyId));
#endif
XMEMCPY(issuerHash, crle->issuerHash, sizeof(issuerHash));
wc_UnLockMutex(&crl->crlLock);
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
#ifndef NO_SKID
if (crle->extAuthKeyIdSet)
ca = GetCA(crl->cm, extAuthKeyId);
if (ca == NULL)

4
src/ssl.c
View File

@@ -4583,6 +4583,10 @@ Signer* GetCAByName(void* vp, byte* hash)
if (XMEMCMP(hash, signers->subjectNameHash,
SIGNER_DIGEST_SIZE) == 0) {
ret = signers;
} else if (cm->crl != NULL && cm->crl->crlList != NULL &&
XMEMCMP(hash, cm->crl->crlList->crlHash,
SIGNER_DIGEST_SIZE) == 0) {
ret = signers;
}
signers = signers->next;
}

23
wolfcrypt/src/asn.c
View File

@@ -15997,11 +15997,10 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
WOLFSSL_MSG("ParseCRL");
/* raw crl hash */
/* hash here if needed for optimized comparisons
* wc_Sha sha;
* wc_InitSha(&sha);
* wc_ShaUpdate(&sha, buff, sz);
* wc_ShaFinal(&sha, dcrl->crlHash); */
wc_Sha sha;
wc_InitSha(&sha);
wc_ShaUpdate(&sha, buff, sz);
wc_ShaFinal(&sha, dcrl->crlHash);
if (GetSequence(buff, &idx, &len, sz) < 0)
return ASN_PARSE_E;
@@ -16026,15 +16025,17 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
return ASN_PARSE_E;
/* openssl doesn't add skid by default for CRLs cause firefox chokes
we're not assuming it's available yet */
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
if (dcrl->extAuthKeyIdSet)
ca = GetCA(cm, dcrl->extAuthKeyId);
if experiencing issues uncomment NO_SKID define in CRL section of
wolfssl/wolfcrypt/settings.h */
#ifndef NO_SKID
ca = GetCAByName(cm, dcrl->crlHash); /* most unique */
if (ca == NULL && dcrl->extAuthKeyIdSet)
ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */
if (ca == NULL)
ca = GetCAByName(cm, dcrl->issuerHash);
ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */
#else
ca = GetCA(cm, dcrl->issuerHash);
#endif /* !NO_SKID && CRL_SKID_READY */
#endif /* !NO_SKID */
WOLFSSL_MSG("About to verify CRL signature");
if (ca == NULL) {

5
wolfssl/internal.h
View File

@@ -1856,8 +1856,7 @@ typedef struct CRL_Entry CRL_Entry;
struct CRL_Entry {
CRL_Entry* next; /* next entry */
byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */
/* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */
/* restore the hash here if needed for optimized comparisons */
byte crlHash[CRL_DIGEST_SIZE]; /* raw crl data hash */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */
byte nextDate[MAX_DATE_SIZE]; /* next update date */
byte lastDateFormat; /* last date format */
@@ -1870,7 +1869,7 @@ struct CRL_Entry {
byte* signature;
word32 signatureSz;
word32 signatureOID;
#if !defined(NO_SKID) && defined(CRL_SKID_READY)
#ifndef NO_SKID
byte extAuthKeyIdSet;
byte extAuthKeyId[KEYID_SIZE];
#endif

2
wolfssl/wolfcrypt/asn.h
View File

@@ -1345,11 +1345,13 @@ struct DecodedCRL {
byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */
byte nextDate[MAX_DATE_SIZE]; /* next update date */
byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */
byte lastDateFormat; /* format of last date */
byte nextDateFormat; /* format of next date */
RevokedCert* certs; /* revoked cert list */
int totalCerts; /* number on list */
void* heap;
byte extAuthKeyIdSet : 1; /* Set when the AKID was read from CRL */
};
WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*, void* heap);

2
wolfssl/wolfcrypt/settings.h
View File

@@ -1621,7 +1621,7 @@ extern void uITRON4_free(void *p) ;
#ifdef HAVE_CRL
/* not widely supported yet */
#undef NO_SKID
#define NO_SKID
/* #define NO_SKID */
#endif