wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-03 04:34:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

PKCS12 : visibility, check on key match, sanity check on malloc

Browse Source
This commit is contained in:
Jacob Barthelmeh
2016-11-03 11:14:29 -06:00
parent b686deecbe
commit 0839925797
4 changed files with 147 additions and 128 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
src/ssl.c
View File

@@ -11379,14 +11379,14 @@ int wolfSSL_sk_X509_push(STACK_OF(WOLFSSL_X509_NAME)* sk, WOLFSSL_X509* x509)
WOLFSSL_STACK* node;
if (sk == NULL || x509 == NULL) {
return 0;
return SSL_FAILURE;
}
/* no previous values in stack */
if (sk->data.x509 == NULL) {
sk->data.x509 = x509;
sk->num += 1;
return 1;
return SSL_SUCCESS;
}
/* stack already has value(s) create a new node and add more */
@@ -11394,7 +11394,7 @@ int wolfSSL_sk_X509_push(STACK_OF(WOLFSSL_X509_NAME)* sk, WOLFSSL_X509* x509)
DYNAMIC_TYPE_X509);
if (node == NULL) {
WOLFSSL_MSG("Memory error");
return 0;
return SSL_FAILURE;
}
XMEMSET(node, 0, sizeof(WOLFSSL_STACK));
@@ -11405,7 +11405,7 @@ int wolfSSL_sk_X509_push(STACK_OF(WOLFSSL_X509_NAME)* sk, WOLFSSL_X509* x509)
sk->data.x509 = x509;
sk->num += 1;
return 1;
return SSL_SUCCESS;
}
@@ -12560,12 +12560,13 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
WOLFSSL_EVP_PKEY** pkey, WOLFSSL_X509** cert, STACK_OF(WOLFSSL_X509)** ca)
{
DecodedCert DeCert;
void* heap = NULL;
int ret;
byte* certData = NULL;
word32 certDataSz;
byte* pk = NULL;
word32 pkSz;
DerCertList* certList = NULL;
WC_DerCertList* certList = NULL;
WOLFSSL_ENTER("wolfSSL_PKCS12_parse");
@@ -12574,6 +12575,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
return 0;
}
heap = wc_PKCS12_GetHeap(pkcs12);
*pkey = NULL;
*cert = NULL;
@@ -12593,23 +12595,23 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
/* Decode cert and place in X509 stack struct */
if (certList != NULL) {
DerCertList* current = certList;
WC_DerCertList* current = certList;
*ca = (STACK_OF(WOLFSSL_X509)*)XMALLOC(sizeof(STACK_OF(WOLFSSL_X509)),
pkcs12->heap, DYNAMIC_TYPE_PKCS);
heap, DYNAMIC_TYPE_PKCS);
if (*ca == NULL) {
if (pk != NULL) {
XFREE(pk, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(pk, heap, DYNAMIC_TYPE_PKCS);
}
if (certData != NULL) {
XFREE(*cert, pkcs12->heap, DYNAMIC_TYPE_PKCS); *cert = NULL;
XFREE(*cert, heap, DYNAMIC_TYPE_PKCS); *cert = NULL;
}
/* Free up DerCertList and move on */
/* Free up WC_DerCertList and move on */
while (current != NULL) {
DerCertList* next = current->next;
WC_DerCertList* next = current->next;
XFREE(current->buffer, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(current, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(current->buffer, heap, DYNAMIC_TYPE_PKCS);
XFREE(current, heap, DYNAMIC_TYPE_PKCS);
current = next;
}
return 0;
@@ -12618,14 +12620,13 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
/* add list of DER certs as X509's to stack */
while (current != NULL) {
DerCertList* toFree = current;
WC_DerCertList* toFree = current;
WOLFSSL_X509* x509;
x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), pkcs12->heap,
x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap,
DYNAMIC_TYPE_PKCS);
InitX509(x509, 1, pkcs12->heap);
InitDecodedCert(&DeCert, current->buffer, current->bufferSz,
pkcs12->heap);
InitX509(x509, 1, heap);
InitDecodedCert(&DeCert, current->buffer, current->bufferSz, heap);
if (ParseCertRelative(&DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) {
WOLFSSL_MSG("Issue with parsing certificate");
FreeDecodedCert(&DeCert);
@@ -12638,17 +12639,17 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
wolfSSL_X509_free(x509);
wolfSSL_sk_X509_free(*ca); *ca = NULL;
if (pk != NULL) {
XFREE(pk, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(pk, heap, DYNAMIC_TYPE_PKCS);
}
if (certData != NULL) {
XFREE(certData, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(certData, heap, DYNAMIC_TYPE_PKCS);
}
/* Free up DerCertList */
/* Free up WC_DerCertList */
while (current != NULL) {
DerCertList* next = current->next;
WC_DerCertList* next = current->next;
XFREE(current->buffer, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(current, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(current->buffer, heap, DYNAMIC_TYPE_PKCS);
XFREE(current, heap, DYNAMIC_TYPE_PKCS);
current = next;
}
return 0;
@@ -12660,46 +12661,46 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
wolfSSL_X509_free(x509);
wolfSSL_sk_X509_free(*ca); *ca = NULL;
if (pk != NULL) {
XFREE(pk, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(pk, heap, DYNAMIC_TYPE_PKCS);
}
if (certData != NULL) {
XFREE(certData, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(certData, heap, DYNAMIC_TYPE_PKCS);
}
/* Free up DerCertList */
/* Free up WC_DerCertList */
while (current != NULL) {
DerCertList* next = current->next;
WC_DerCertList* next = current->next;
XFREE(current->buffer, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(current, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(current->buffer, heap, DYNAMIC_TYPE_PKCS);
XFREE(current, heap, DYNAMIC_TYPE_PKCS);
current = next;
}
return 0;
}
}
current = current->next;
XFREE(toFree->buffer, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(toFree, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(toFree->buffer, heap, DYNAMIC_TYPE_PKCS);
XFREE(toFree, heap, DYNAMIC_TYPE_PKCS);
}
}
/* Decode cert and place in X509 struct */
if (certData != NULL) {
*cert = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), pkcs12->heap,
*cert = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap,
DYNAMIC_TYPE_PKCS);
if (*cert == NULL) {
if (pk != NULL) {
XFREE(pk, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(pk, heap, DYNAMIC_TYPE_PKCS);
}
if (ca != NULL) {
wolfSSL_sk_X509_free(*ca); *ca = NULL;
}
XFREE(certData, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(certData, heap, DYNAMIC_TYPE_PKCS);
return 0;
}
InitX509(*cert, 1, pkcs12->heap);
InitDecodedCert(&DeCert, certData, certDataSz, pkcs12->heap);
InitX509(*cert, 1, heap);
InitDecodedCert(&DeCert, certData, certDataSz, heap);
if (ParseCertRelative(&DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) {
WOLFSSL_MSG("Issue with parsing certificate");
}
@@ -12707,7 +12708,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
WOLFSSL_MSG("Failed to copy decoded cert");
FreeDecodedCert(&DeCert);
if (pk != NULL) {
XFREE(pk, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(pk, heap, DYNAMIC_TYPE_PKCS);
}
if (ca != NULL) {
wolfSSL_sk_X509_free(*ca); *ca = NULL;
@@ -12716,7 +12717,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
return 0;
}
FreeDecodedCert(&DeCert);
XFREE(certData, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(certData, heap, DYNAMIC_TYPE_PKCS);
}
@@ -12724,13 +12725,13 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
ret = BAD_STATE_E;
if (pk != NULL) { /* decode key if present */
*pkey = (WOLFSSL_EVP_PKEY*)XMALLOC(sizeof(WOLFSSL_EVP_PKEY),
pkcs12->heap, DYNAMIC_TYPE_PKCS);
heap, DYNAMIC_TYPE_PKCS);
if (*pkey == NULL) {
wolfSSL_X509_free(*cert); *cert = NULL;
if (ca != NULL) {
wolfSSL_sk_X509_free(*ca); *ca = NULL;
}
XFREE(pk, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(pk, heap, DYNAMIC_TYPE_PKCS);
return 0;
}
#ifndef NO_RSA
@@ -12738,7 +12739,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
word32 keyIdx = 0;
RsaKey key;
if (wc_InitRsaKey(&key, pkcs12->heap) != 0) {
if (wc_InitRsaKey(&key, heap) != 0) {
ret = BAD_STATE_E;
}
else {
@@ -12763,8 +12764,8 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
if (ca != NULL) {
wolfSSL_sk_X509_free(*ca); *ca = NULL;
}
XFREE(*pkey, pkcs12->heap, DYNAMIC_TYPE_PKCS); *pkey = NULL;
XFREE(pk, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(*pkey, heap, DYNAMIC_TYPE_PKCS); *pkey = NULL;
XFREE(pk, heap, DYNAMIC_TYPE_PKCS);
return 0;
}
@@ -12774,8 +12775,8 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
if (ca != NULL) {
wolfSSL_sk_X509_free(*ca); *ca = NULL;
}
XFREE(*pkey, pkcs12->heap, DYNAMIC_TYPE_PKCS); *pkey = NULL;
XFREE(pk, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(*pkey, heap, DYNAMIC_TYPE_PKCS); *pkey = NULL;
XFREE(pk, heap, DYNAMIC_TYPE_PKCS);
WOLFSSL_MSG("Bad PKCS12 key format");
return 0;
}
@@ -12791,8 +12792,8 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
if (ca != NULL) {
wolfSSL_sk_X509_free(*ca); *ca = NULL;
}
XFREE(*pkey, pkcs12->heap, DYNAMIC_TYPE_PKCS); *pkey = NULL;
XFREE(pk, pkcs12->heap, DYNAMIC_TYPE_PKCS);
XFREE(*pkey, heap, DYNAMIC_TYPE_PKCS); *pkey = NULL;
XFREE(pk, heap, DYNAMIC_TYPE_PKCS);
WOLFSSL_MSG("Bad PKCS12 key format");
return 0;
}

12
wolfcrypt/src/asn.c
View File

@@ -1449,9 +1449,9 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
int ret = 0;
/* test if RSA key */
if (wc_InitRsaKey(&a, NULL) == 0) {
if (wc_RsaPrivateKeyDecode(key, &keyIdx, &a, keySz) == 0 &&
der->keyOID == RSAk) {
if (der->keyOID == RSAk) {
if (wc_InitRsaKey(&a, NULL) == 0 &&
wc_RsaPrivateKeyDecode(key, &keyIdx, &a, keySz) == 0) {
WOLFSSL_MSG("Checking RSA key pair");
keyIdx = 0; /* reset to 0 for parsing public key */
@@ -1499,9 +1499,9 @@ int wc_CheckPrivateKey(byte* key, word32 keySz, DecodedCert* der)
word32 keyIdx = 0;
ecc_key key_pair;
if ((ret = wc_ecc_init(&key_pair)) == 0) {
if (wc_EccPrivateKeyDecode(key, &keyIdx, &key_pair, keySz) == 0 &&
der->keyOID == ECDSAk) {
if (der->keyOID == ECDSAk) {
if ((ret = wc_ecc_init(&key_pair)) == 0 &&
wc_EccPrivateKeyDecode(key, &keyIdx, &key_pair, keySz) == 0) {
WOLFSSL_MSG("Checking ECC key pair");
keyIdx = 0;
if ((ret = wc_ecc_import_x963(der->publicKey, der->pubKeySize,

96
wolfcrypt/src/pkcs12.c
View File

@@ -42,10 +42,73 @@
#include <wolfssl/wolfcrypt/pkcs12.h>
#include <wolfssl/wolfcrypt/pwdbased.h>
enum {
WC_PKCS12_KeyBag = 667,
WC_PKCS12_ShroudedKeyBag = 668,
WC_PKCS12_CertBag = 669,
WC_PKCS12_CertBag_Type1 = 675,
WC_PKCS12_CrlBag = 670,
WC_PKCS12_SecretBag = 671,
WC_PKCS12_SafeContentsBag = 672,
WC_PKCS12_DATA = 651,
WC_PKCS12_ENCRYPTED_DATA = 656,
};
typedef struct ContentInfo ContentInfo;
typedef struct ContentInfo {
byte* data;
ContentInfo* next;
word32 encC; /* encryptedContent */
word32 dataSz;
int type; /* DATA / encrypted / envelpoed */
} ContentInfo;
typedef struct AuthenticatedSafe {
ContentInfo* CI;
byte* data; /* T contents.... */
word32 oid; /* encrypted or not */
word32 numCI; /* number of Content Info structs */
word32 dataSz;
} AuthenticatedSafe;
typedef struct MacData {
byte* digest;
byte* salt;
word32 oid;
word32 digestSz;
word32 saltSz;
int itt; /* number of itterations when creating HMAC key */
} MacData;
typedef struct WC_PKCS12 {
void* heap;
AuthenticatedSafe* safe;
MacData* signData;
word32 oid; /* DATA / Enveloped DATA ... */
} WC_PKCS12;
/* for friendlyName, localKeyId .... */
typedef struct WC_PKCS12_ATTRIBUTE {
byte* data;
word32 oid;
word32 dataSz;
} WC_PKCS12_ATTRIBUTE;
WC_PKCS12* wc_PKCS12_new(void)
{
WC_PKCS12* pkcs12 = (WC_PKCS12*)XMALLOC(sizeof(WC_PKCS12),
NULL, DYNAMIC_TYPE_PKCS);
if (pkcs12 == NULL) {
WOLFSSL_MSG("Memory issue when creating WC_PKCS12 struct");
return NULL;
}
XMEMSET(pkcs12, 0, sizeof(WC_PKCS12));
return pkcs12;
@@ -567,9 +630,9 @@ int wc_d2i_PKCS12(const byte* der, word32 derSz, WC_PKCS12* pkcs12)
}
/* helper function to free DerCertList */
static void freeCertList(DerCertList* list, void* heap) {
DerCertList* current;
/* helper function to free WC_DerCertList */
static void freeCertList(WC_DerCertList* list, void* heap) {
WC_DerCertList* current;
if (list == NULL) {
return;
@@ -577,7 +640,7 @@ static void freeCertList(DerCertList* list, void* heap) {
current = list;
while(current != NULL) {
DerCertList* next = current->next;
WC_DerCertList* next = current->next;
if (current->buffer != NULL) {
XFREE(current->buffer, heap, DYNAMIC_TYPE_PKCS);
}
@@ -616,10 +679,10 @@ static void freeBuffers(byte* a, byte* b, void* heap)
*/
int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
byte** pkey, word32* pkeySz, byte** cert, word32* certSz,
DerCertList** ca)
WC_DerCertList** ca)
{
ContentInfo* ci = NULL;
DerCertList* certList = NULL;
WC_DerCertList* certList = NULL;
byte* buf = NULL;
word32 i, oid;
int ret, pswSz;
@@ -885,7 +948,7 @@ int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
case WC_PKCS12_CertBag: /* 669 */
{
DerCertList* node;
WC_DerCertList* node;
WOLFSSL_MSG("PKCS12 Cert Bag found");
if (data[idx++] !=
(ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC)) {
@@ -952,14 +1015,14 @@ int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
}
/* list to hold all certs found */
node = (DerCertList*)XMALLOC(sizeof(DerCertList),
node = (WC_DerCertList*)XMALLOC(sizeof(WC_DerCertList),
pkcs12->heap, DYNAMIC_TYPE_PKCS);
if (node == NULL) {
freeBuffers(*pkey, buf, pkcs12->heap);
freeCertList(certList, pkcs12->heap);
return MEMORY_E;
}
XMEMSET(node, 0, sizeof(DerCertList));
XMEMSET(node, 0, sizeof(WC_DerCertList));
node->buffer = (byte*)XMALLOC(size, pkcs12->heap,
DYNAMIC_TYPE_PKCS);
@@ -1020,8 +1083,8 @@ int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
/* check if key pair, remove from list */
{
DerCertList* current = certList;
DerCertList* previous = NULL;
WC_DerCertList* current = certList;
WC_DerCertList* previous = NULL;
if (*pkey != NULL) {
@@ -1078,5 +1141,16 @@ int wc_PKCS12_SetHeap(WC_PKCS12* pkcs12, void* heap)
return 0;
}
/* getter for heap */
void* wc_PKCS12_GetHeap(WC_PKCS12* pkcs12)
{
if (pkcs12 == NULL) {
return NULL;
}
return pkcs12->heap;
}
#endif /* !defined(NO_ASN) && !defined(NO_PWDBASED) */

70
wolfssl/wolfcrypt/pkcs12.h
View File

@@ -29,81 +29,25 @@
extern "C" {
#endif
enum {
WC_PKCS12_KeyBag = 667,
WC_PKCS12_ShroudedKeyBag = 668,
WC_PKCS12_CertBag = 669,
WC_PKCS12_CertBag_Type1 = 675,
WC_PKCS12_CrlBag = 670,
WC_PKCS12_SecretBag = 671,
WC_PKCS12_SafeContentsBag = 672,
WC_PKCS12_DATA = 651,
WC_PKCS12_ENCRYPTED_DATA = 656,
};
typedef struct DerCertList DerCertList;
typedef struct DerCertList {
typedef struct WC_PKCS12 WC_PKCS12;
typedef struct WC_DerCertList WC_DerCertList;
typedef struct WC_DerCertList { /* dereferenced in ssl.c */
byte* buffer;
word32 bufferSz;
DerCertList* next;
} DerCertList;
WC_DerCertList* next;
} WC_DerCertList;
typedef struct ContentInfo ContentInfo;
typedef struct ContentInfo {
byte* data;
ContentInfo* next;
word32 encC; /* encryptedContent */
word32 dataSz;
int type; /* DATA / encrypted / envelpoed */
} ContentInfo;
typedef struct AuthenticatedSafe {
ContentInfo* CI;
byte* data; /* T contents.... */
word32 oid; /* encrypted or not */
word32 numCI; /* number of Content Info structs */
word32 dataSz;
} AuthenticatedSafe;
typedef struct MacData {
byte* digest;
byte* salt;
word32 oid;
word32 digestSz;
word32 saltSz;
int itt; /* number of itterations when creating HMAC key */
} MacData;
/* for friendlyName, localKeyId .... */
typedef struct WC_PKCS12_ATTRIBUTE {
byte* data;
word32 oid;
word32 dataSz;
} WC_PKCS12_ATTRIBUTE;
typedef struct WC_PKCS12 {
void* heap;
AuthenticatedSafe* safe;
MacData* signData;
word32 oid; /* DATA / Enveloped DATA ... */
} WC_PKCS12;
WOLFSSL_API WC_PKCS12* wc_PKCS12_new(void);
WOLFSSL_API void wc_PKCS12_free(WC_PKCS12* pkcs12);
WOLFSSL_API int wc_d2i_PKCS12(const byte* der, word32 derSz, WC_PKCS12* pkcs12);
WOLFSSL_API int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
byte** pkey, word32* pkeySz, byte** cert, word32* certSz,
DerCertList** ca);
WC_DerCertList** ca);
WOLFSSL_LOCAL int wc_PKCS12_SetHeap(WC_PKCS12* pkcs12, void* heap);
WOLFSSL_LOCAL void* wc_PKCS12_GetHeap(WC_PKCS12* pkcs12);
#ifdef __cplusplus