mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-08-03 20:54:41 +02:00
Changes from code review
This commit is contained in:
Sean Parkinson
@@ -7360,7 +7360,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
|
|
||||||
InitOcspResponse(response, status, input +*inOutIdx, status_length);
|
InitOcspResponse(response, status, input +*inOutIdx, status_length);
|
||||||
|
|
||||||
if (OcspResponseDecode(response, ssl->ctx->cm, ssl->heap) != 0)
|
if (OcspResponseDecode(response, ssl->ctx->cm, ssl->heap, 0) != 0)
|
||||||
ret = BAD_CERTIFICATE_STATUS_ERROR;
|
ret = BAD_CERTIFICATE_STATUS_ERROR;
|
||||||
else if (CompareOcspReqResp(request, response) != 0)
|
else if (CompareOcspReqResp(request, response) != 0)
|
||||||
ret = BAD_CERTIFICATE_STATUS_ERROR;
|
ret = BAD_CERTIFICATE_STATUS_ERROR;
|
||||||
@@ -7442,8 +7442,8 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
InitOcspResponse(response, status, input +*inOutIdx,
|
InitOcspResponse(response, status, input +*inOutIdx,
|
||||||
status_length);
|
status_length);
|
||||||
|
|
||||||
if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap)
|
if ((OcspResponseDecode(response, ssl->ctx->cm, ssl->heap,
|
||||||
!= 0)
|
0) != 0)
|
||||||
|| (response->responseStatus != OCSP_SUCCESSFUL)
|
|| (response->responseStatus != OCSP_SUCCESSFUL)
|
||||||
|| (response->status->status != CERT_GOOD))
|
|| (response->status->status != CERT_GOOD))
|
||||||
ret = BAD_CERTIFICATE_STATUS_ERROR;
|
ret = BAD_CERTIFICATE_STATUS_ERROR;
|
||||||
|
|||||||
@@ -287,7 +287,7 @@ static int CheckResponse(WOLFSSL_OCSP* ocsp, byte* response, int responseSz,
|
|||||||
XMEMSET(newStatus, 0, sizeof(CertStatus));
|
XMEMSET(newStatus, 0, sizeof(CertStatus));
|
||||||
|
|
||||||
InitOcspResponse(ocspResponse, newStatus, response, responseSz);
|
InitOcspResponse(ocspResponse, newStatus, response, responseSz);
|
||||||
ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap);
|
ret = OcspResponseDecode(ocspResponse, ocsp->cm, ocsp->cm->heap, 0);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
WOLFSSL_MSG("OcspResponseDecode failed");
|
WOLFSSL_MSG("OcspResponseDecode failed");
|
||||||
goto end;
|
goto end;
|
||||||
@@ -682,7 +682,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response,
|
|||||||
XMEMCPY(resp->source, *data, len);
|
XMEMCPY(resp->source, *data, len);
|
||||||
resp->maxIdx = len;
|
resp->maxIdx = len;
|
||||||
|
|
||||||
if (OcspResponseDecode(resp, NULL, NULL) != 0) {
|
if (OcspResponseDecode(resp, NULL, NULL, 1) != 0) {
|
||||||
wolfSSL_OCSP_RESPONSE_free(resp);
|
wolfSSL_OCSP_RESPONSE_free(resp);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|||||||
138
src/ssl.c
138
src/ssl.c
@@ -9933,7 +9933,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||||||
/* Clear pointers so freeing certificate doesn't free memory. */
|
/* Clear pointers so freeing certificate doesn't free memory. */
|
||||||
XMEMSET(subjectName, 0, sizeof(WOLFSSL_X509_NAME));
|
XMEMSET(subjectName, 0, sizeof(WOLFSSL_X509_NAME));
|
||||||
|
|
||||||
/* Put nod on the front of the list. */
|
/* Put node on the front of the list. */
|
||||||
node->num = (list == NULL) ? 1 : list->num + 1;
|
node->num = (list == NULL) ? 1 : list->num + 1;
|
||||||
node->next = list;
|
node->next = list;
|
||||||
list = node;
|
list = node;
|
||||||
@@ -10585,7 +10585,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||||||
{
|
{
|
||||||
WOLFSSL_ENTER("wolfSSL_ERR_get_error");
|
WOLFSSL_ENTER("wolfSSL_ERR_get_error");
|
||||||
|
|
||||||
#if defined(WOLFSSL_NGINX)
|
#ifdef WOLFSSL_NGINX
|
||||||
{
|
{
|
||||||
unsigned long ret = wolfSSL_ERR_peek_error_line_data(NULL, NULL,
|
unsigned long ret = wolfSSL_ERR_peek_error_line_data(NULL, NULL,
|
||||||
NULL, NULL);
|
NULL, NULL);
|
||||||
@@ -15022,7 +15022,7 @@ unsigned long wolfSSL_ERR_peek_error(void)
|
|||||||
{
|
{
|
||||||
WOLFSSL_ENTER("wolfSSL_ERR_peek_error");
|
WOLFSSL_ENTER("wolfSSL_ERR_peek_error");
|
||||||
|
|
||||||
#ifdef WOLFSSL_NGINX
|
#ifdef OPENSSL_EXTRA
|
||||||
return wolfSSL_ERR_peek_error_line_data(NULL, NULL, NULL, NULL);
|
return wolfSSL_ERR_peek_error_line_data(NULL, NULL, NULL, NULL);
|
||||||
#else
|
#else
|
||||||
return 0;
|
return 0;
|
||||||
@@ -15406,9 +15406,17 @@ long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)
|
|||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
/* TODO: Do this elsewhere. */
|
/* TODO: Do this elsewhere. */
|
||||||
AllocDer(&derBuffer, derSz, CERT_TYPE, ctx->heap);
|
ret = AllocDer(&derBuffer, derSz, CERT_TYPE, ctx->heap);
|
||||||
|
if (ret != 0) {
|
||||||
|
WOLFSSL_MSG("Memory Error");
|
||||||
|
return SSL_FAILURE;
|
||||||
|
}
|
||||||
XMEMCPY(derBuffer->buffer, der, derSz);
|
XMEMCPY(derBuffer->buffer, der, derSz);
|
||||||
AddCA(ctx->cm, &derBuffer, WOLFSSL_USER_CA, !ctx->verifyNone);
|
ret = AddCA(ctx->cm, &derBuffer, WOLFSSL_USER_CA, !ctx->verifyNone);
|
||||||
|
if (ret != SSL_SUCCESS) {
|
||||||
|
WOLFSSL_LEAVE("wolfSSL_CTX_add_extra_chain_cert", ret);
|
||||||
|
return SSL_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
/* adding cert to existing chain */
|
/* adding cert to existing chain */
|
||||||
if (ctx->certChain != NULL && ctx->certChain->length > 0) {
|
if (ctx->certChain != NULL && ctx->certChain->length > 0) {
|
||||||
@@ -22295,13 +22303,18 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name,
|
|||||||
(void)flags;
|
(void)flags;
|
||||||
WOLFSSL_ENTER("wolfSSL_X509_NAME_print_ex");
|
WOLFSSL_ENTER("wolfSSL_X509_NAME_print_ex");
|
||||||
|
|
||||||
for (i = 0; i < indent; i++)
|
for (i = 0; i < indent; i++) {
|
||||||
BIO_write(bio, " ", 1);
|
if (wolfSSL_BIO_write(bio, " ", 1) != 1)
|
||||||
|
return SSL_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
if (flags == XN_FLAG_RFC2253)
|
if (flags == XN_FLAG_RFC2253) {
|
||||||
BIO_write(bio, name->name + 1, name->sz - 2);
|
if (wolfSSL_BIO_write(bio, name->name + 1, name->sz - 2)
|
||||||
else
|
!= name->sz - 2)
|
||||||
BIO_write(bio, name->name, name->sz);
|
return SSL_FAILURE;
|
||||||
|
}
|
||||||
|
else if (wolfSSL_BIO_write(bio, name->name, name->sz) != name->sz)
|
||||||
|
return SSL_FAILURE;
|
||||||
|
|
||||||
return SSL_SUCCESS;
|
return SSL_SUCCESS;
|
||||||
}
|
}
|
||||||
@@ -22960,6 +22973,51 @@ int wolfSSL_AsyncPoll(WOLFSSL* ssl, WOLF_EVENT_FLAG flags)
|
|||||||
}
|
}
|
||||||
#endif /* WOLFSSL_ASYNC_CRYPT */
|
#endif /* WOLFSSL_ASYNC_CRYPT */
|
||||||
|
|
||||||
|
#ifdef OPENSSL_EXTRA
|
||||||
|
unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line,
|
||||||
|
const char **data, int *flags)
|
||||||
|
{
|
||||||
|
WOLFSSL_ENTER("wolfSSL_ERR_peek_error_line_data");
|
||||||
|
|
||||||
|
(void)line;
|
||||||
|
(void)file;
|
||||||
|
|
||||||
|
/* No data or flags stored - error display only in Nginx. */
|
||||||
|
if (data != NULL) {
|
||||||
|
*data = "";
|
||||||
|
}
|
||||||
|
if (flags != NULL) {
|
||||||
|
*flags = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(WOLFSSL_NGINX)
|
||||||
|
{
|
||||||
|
int ret = 0;
|
||||||
|
|
||||||
|
while (1) {
|
||||||
|
if ((ret = wc_PeekErrorNode(-1, file, NULL, line)) < 0) {
|
||||||
|
WOLFSSL_MSG("Issue peeking at error node in queue");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
ret = -ret;
|
||||||
|
|
||||||
|
if (ret == SSL_NO_PEM_HEADER)
|
||||||
|
return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE;
|
||||||
|
if (ret != WANT_READ && ret != WANT_WRITE &&
|
||||||
|
ret != ZERO_RETURN && ret != SSL_ERROR_ZERO_RETURN)
|
||||||
|
break;
|
||||||
|
|
||||||
|
wc_RemoveErrorNode(-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
return (unsigned long)ret;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
return (unsigned long)(0 - NOT_COMPILED_IN);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef WOLFSSL_NGINX
|
#ifdef WOLFSSL_NGINX
|
||||||
void wolfSSL_OPENSSL_config(char *config_name)
|
void wolfSSL_OPENSSL_config(char *config_name)
|
||||||
{
|
{
|
||||||
@@ -23211,51 +23269,15 @@ int wolfSSL_i2a_ASN1_INTEGER(BIO *bp, const WOLFSSL_ASN1_INTEGER *a)
|
|||||||
return len * 2;
|
return len * 2;
|
||||||
}
|
}
|
||||||
|
|
||||||
unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line,
|
|
||||||
const char **data, int *flags)
|
|
||||||
{
|
|
||||||
WOLFSSL_ENTER("wolfSSL_ERR_peek_error_line_data");
|
|
||||||
|
|
||||||
(void)line;
|
|
||||||
(void)file;
|
|
||||||
|
|
||||||
/* No data or flags stored - error display only in Nginx. */
|
|
||||||
if (data != NULL) {
|
|
||||||
*data = "";
|
|
||||||
}
|
|
||||||
if (flags != NULL) {
|
|
||||||
*flags = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
#if defined(WOLFSSL_NGINX)
|
|
||||||
{
|
|
||||||
int ret = 0;
|
|
||||||
|
|
||||||
while (1) {
|
|
||||||
if ((ret = wc_PeekErrorNode(-1, file, NULL, line)) < 0) {
|
|
||||||
WOLFSSL_MSG("Issue peeking at error node in queue");
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
ret = -ret;
|
|
||||||
|
|
||||||
if (ret == SSL_NO_PEM_HEADER)
|
|
||||||
return (ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE;
|
|
||||||
if (ret != WANT_READ && ret != WANT_WRITE &&
|
|
||||||
ret != ZERO_RETURN && ret != SSL_ERROR_ZERO_RETURN)
|
|
||||||
break;
|
|
||||||
|
|
||||||
wc_RemoveErrorNode(-1);
|
|
||||||
}
|
|
||||||
|
|
||||||
return (unsigned long)ret;
|
|
||||||
}
|
|
||||||
#else
|
|
||||||
return (unsigned long)(0 - NOT_COMPILED_IN);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef HAVE_SESSION_TICKET
|
#ifdef HAVE_SESSION_TICKET
|
||||||
|
/* Expected return values from implementations of OpenSSL ticket key callback.
|
||||||
|
*/
|
||||||
|
#define TICKET_KEY_CB_RET_FAILURE -1
|
||||||
|
#define TICKET_KEY_CB_RET_NOT_FOUND 0
|
||||||
|
#define TICKET_KEY_CB_RET_OK 1
|
||||||
|
#define TICKET_KEY_CB_RET_RENEW 2
|
||||||
|
|
||||||
/* The ticket key callback as used in OpenSSL is stored here. */
|
/* The ticket key callback as used in OpenSSL is stored here. */
|
||||||
static int (*ticketKeyCb)(WOLFSSL *ssl, unsigned char *name, unsigned char *iv,
|
static int (*ticketKeyCb)(WOLFSSL *ssl, unsigned char *name, unsigned char *iv,
|
||||||
WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc) = NULL;
|
WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc) = NULL;
|
||||||
@@ -23293,10 +23315,13 @@ static int wolfSSL_TicketKeyCb(WOLFSSL* ssl,
|
|||||||
|
|
||||||
(void)ctx;
|
(void)ctx;
|
||||||
|
|
||||||
|
if (ticketKeyCb == NULL)
|
||||||
|
return WOLFSSL_TICKET_RET_FATAL;
|
||||||
|
|
||||||
wolfSSL_EVP_CIPHER_CTX_init(&evpCtx);
|
wolfSSL_EVP_CIPHER_CTX_init(&evpCtx);
|
||||||
/* Initialize the cipher and HMAC. */
|
/* Initialize the cipher and HMAC. */
|
||||||
res = ticketKeyCb(ssl, keyName, iv, &evpCtx, &hmacCtx, enc);
|
res = ticketKeyCb(ssl, keyName, iv, &evpCtx, &hmacCtx, enc);
|
||||||
if (res != 1 && res != 2)
|
if (res != TICKET_KEY_CB_RET_OK && res != TICKET_KEY_CB_RET_RENEW)
|
||||||
return WOLFSSL_TICKET_RET_FATAL;
|
return WOLFSSL_TICKET_RET_FATAL;
|
||||||
|
|
||||||
if (enc)
|
if (enc)
|
||||||
@@ -23335,7 +23360,8 @@ static int wolfSSL_TicketKeyCb(WOLFSSL* ssl,
|
|||||||
*encLen = encTicketLen + len;
|
*encLen = encTicketLen + len;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = (res == 2) ? WOLFSSL_TICKET_RET_CREATE : WOLFSSL_TICKET_RET_OK;
|
ret = (res == TICKET_KEY_CB_RET_RENEW) ? WOLFSSL_TICKET_RET_CREATE :
|
||||||
|
WOLFSSL_TICKET_RET_OK;
|
||||||
end:
|
end:
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -9708,7 +9708,7 @@ static int DecodeCerts(byte* source,
|
|||||||
|
|
||||||
|
|
||||||
static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
|
static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
|
||||||
OcspResponse* resp, word32 size, void* cm, void* heap)
|
OcspResponse* resp, word32 size, void* cm, void* heap, int noVerify)
|
||||||
{
|
{
|
||||||
int length;
|
int length;
|
||||||
word32 idx = *ioIndex;
|
word32 idx = *ioIndex;
|
||||||
@@ -9766,8 +9766,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
|
|||||||
|
|
||||||
InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
|
InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
|
||||||
/* Don't verify if we don't have access to Cert Manager. */
|
/* Don't verify if we don't have access to Cert Manager. */
|
||||||
ret = ParseCertRelative(&cert, CERT_TYPE,
|
ret = ParseCertRelative(&cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY,
|
||||||
cm == NULL ? NO_VERIFY : VERIFY, cm);
|
cm);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
|
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
|
||||||
FreeDecodedCert(&cert);
|
FreeDecodedCert(&cert);
|
||||||
@@ -9824,7 +9824,7 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap)
|
int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, int noVerify)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
int length = 0;
|
int length = 0;
|
||||||
@@ -9869,7 +9869,7 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap)
|
|||||||
if (GetLength(source, &idx, &length, size) < 0)
|
if (GetLength(source, &idx, &length, size) < 0)
|
||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
|
|
||||||
ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap);
|
ret = DecodeBasicOcspResponse(source, &idx, resp, size, cm, heap, noVerify);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
|
|||||||
@@ -2243,6 +2243,11 @@ WOLFSSL_API int wolfSSL_CTX_set_msg_callback_arg(WOLFSSL_CTX *ctx, void* arg);
|
|||||||
WOLFSSL_API int wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg);
|
WOLFSSL_API int wolfSSL_set_msg_callback_arg(WOLFSSL *ssl, void* arg);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef OPENSSL_EXTRA
|
||||||
|
WOLFSSL_API unsigned long wolfSSL_ERR_peek_error_line_data(const char **file,
|
||||||
|
int *line, const char **data, int *flags);
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef WOLFSSL_NGINX
|
#ifdef WOLFSSL_NGINX
|
||||||
/* Not an OpenSSL API. */
|
/* Not an OpenSSL API. */
|
||||||
WOLFSSL_LOCAL int wolfSSL_get_ocsp_response(WOLFSSL* ssl, byte** response);
|
WOLFSSL_LOCAL int wolfSSL_get_ocsp_response(WOLFSSL* ssl, byte** response);
|
||||||
@@ -2278,9 +2283,6 @@ WOLFSSL_API int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk,
|
|||||||
WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp,
|
WOLFSSL_API int wolfSSL_i2a_ASN1_INTEGER(WOLFSSL_BIO *bp,
|
||||||
const WOLFSSL_ASN1_INTEGER *a);
|
const WOLFSSL_ASN1_INTEGER *a);
|
||||||
|
|
||||||
WOLFSSL_API unsigned long wolfSSL_ERR_peek_error_line_data(const char **file,
|
|
||||||
int *line, const char **data, int *flags);
|
|
||||||
|
|
||||||
#ifdef HAVE_SESSION_TICKET
|
#ifdef HAVE_SESSION_TICKET
|
||||||
WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, int (*)(
|
WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, int (*)(
|
||||||
WOLFSSL *ssl, unsigned char *name, unsigned char *iv,
|
WOLFSSL *ssl, unsigned char *name, unsigned char *iv,
|
||||||
|
|||||||
@@ -868,7 +868,7 @@ struct OcspRequest {
|
|||||||
|
|
||||||
|
|
||||||
WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
|
WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
|
||||||
WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap);
|
WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*, void* heap, int);
|
||||||
|
|
||||||
WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte, void*);
|
WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte, void*);
|
||||||
WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*);
|
WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*);
|
||||||
|
|||||||
Reference in New Issue
Block a user