Merge pull request #5662 from Uriah-wolfSSL/haproxy-update-2.6.0

src/crl.c

@@ -99,7 +99,17 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
     crle->lastDateFormat = dcrl->lastDateFormat;
     crle->nextDateFormat = dcrl->nextDateFormat;
     crle->version = dcrl->version;
+
 #if defined(OPENSSL_EXTRA)
+    crle->lastDateAsn1.length = MAX_DATE_SIZE;
+    XMEMCPY (crle->lastDateAsn1.data, crle->lastDate,
+             crle->lastDateAsn1.length);
+    crle->lastDateAsn1.type = crle->lastDateFormat;
+    crle->nextDateAsn1.length = MAX_DATE_SIZE;
+    XMEMCPY (crle->nextDateAsn1.data, crle->nextDate,
+             crle->nextDateAsn1.length);
+    crle->nextDateAsn1.type = crle->nextDateFormat;
+
     crle->issuer = NULL;
     wolfSSL_d2i_X509_NAME(&crle->issuer, (unsigned char**)&dcrl->issuer,
                           dcrl->issuerSz);
@@ -696,6 +706,17 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap)
     dupl->lastDateFormat = ent->lastDateFormat;
     dupl->nextDateFormat = ent->nextDateFormat;
 
+#if defined(OPENSSL_EXTRA)
+    dupl->lastDateAsn1.length = MAX_DATE_SIZE;
+    XMEMCPY (dupl->lastDateAsn1.data, dupl->lastDate,
+             dupl->lastDateAsn1.length);
+    dupl->lastDateAsn1.type = dupl->lastDateFormat;
+    dupl->nextDateAsn1.length = MAX_DATE_SIZE;
+    XMEMCPY (dupl->nextDateAsn1.data, dupl->nextDate,
+             dupl->nextDateAsn1.length);
+    dupl->nextDateAsn1.type = dupl->nextDateFormat;
+#endif
+
 #ifdef CRL_STATIC_REVOKED_LIST
     XMEMCPY(dupl->certs, ent->certs, ent->totalCerts*sizeof(RevokedCert));
 #else

src/ocsp.c

@@ -1068,6 +1068,51 @@ int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** data)
     return id->rawCertIdSize;
 }
 
+WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut,
+                                             const unsigned char** derIn,
+                                             int length)
+{
+    WOLFSSL_OCSP_CERTID *cid = NULL;
+
+    if ((cidOut != NULL) && (derIn != NULL) && (*derIn != NULL) &&
+        (length > 0)) {
+
+        cid = *cidOut;
+
+        /* If a NULL is passed we allocate the memory for the caller. */
+        if (cid == NULL) {
+            cid = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*cid), NULL,
+                                                DYNAMIC_TYPE_OPENSSL);
+        }
+        else if (cid->rawCertId != NULL) {
+            XFREE(cid->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL);
+            cid->rawCertId = NULL;
+            cid->rawCertIdSize = 0;
+        }
+
+        if (cid != NULL) {
+            cid->rawCertId = (byte*)XMALLOC(length + 1, NULL, DYNAMIC_TYPE_OPENSSL);
+            if (cid->rawCertId != NULL) {
+                XMEMCPY(cid->rawCertId, *derIn, length);
+                cid->rawCertIdSize = length;
+
+                /* Per spec. advance past the data that is being returned
+                 * to the caller. */
+                *cidOut = cid;
+                *derIn = *derIn + length;
+
+                return cid;
+            }
+        }
+    }
+
+    if (cid && (!cidOut || cid != *cidOut)) {
+        XFREE(cid, NULL, DYNAMIC_TYPE_OPENSSL);
+    }
+
+    return NULL;
+}
+
 const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single)
 {
     return single;

src/x509.c

@@ -7595,7 +7595,7 @@ int wolfSSL_X509_CRL_get_signature_nid(const WOLFSSL_X509_CRL* crl)
 }
 
 /* Retrieve signature from CRL
- * return WOLFSSL_SUCCESS on success
+ * return WOLFSSL_SUCCESS on success and negative values on failure
  */
 int wolfSSL_X509_CRL_get_signature(WOLFSSL_X509_CRL* crl,
     unsigned char* buf, int* bufSz)
@@ -7613,7 +7613,7 @@ int wolfSSL_X509_CRL_get_signature(WOLFSSL_X509_CRL* crl,
 }
 
 /* Retrieve serial number from RevokedCert
- * return WOLFSSL_SUCCESS on success
+ * return WOLFSSL_SUCCESS on success and negative values on failure
  */
 int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev,
     byte* in, int* inOutSz)
@@ -7635,8 +7635,32 @@ int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev,
     return WOLFSSL_SUCCESS;
 }
 
+const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(const
+                                                      WOLFSSL_X509_REVOKED *rev)
+{
+    WOLFSSL_ENTER("wolfSSL_X509_REVOKED_get0_serial_number");
+
+    if (rev != NULL) {
+        return rev->serialNumber;
+    }
+    else
+        return NULL;
+}
+
+#ifndef NO_WOLFSSL_STUB
+const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const
+                                                      WOLFSSL_X509_REVOKED *rev)
+{
+    WOLFSSL_STUB("wolfSSL_X509_REVOKED_get0_revocation_date");
+
+    (void) rev;
+    return NULL;
+}
+#endif
+
+
 /* print serial number out
-* return WOLFSSL_SUCCESS on success
+*  return WOLFSSL_SUCCESS on success
 */
 static int X509RevokedPrintSerial(WOLFSSL_BIO* bio, RevokedCert* rev,
     int indent)
@@ -8015,23 +8039,25 @@ void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl)
 #endif /* HAVE_CRL && (OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL) */
 
 #ifdef OPENSSL_EXTRA
-#ifndef NO_WOLFSSL_STUB
 WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl)
 {
-    (void)crl;
+    if ((crl != NULL) && (crl->crlList != NULL) &&
-    WOLFSSL_STUB("X509_CRL_get_lastUpdate");
+        (crl->crlList->lastDateAsn1.data[0] != 0)) {
-    return 0;
+        return &crl->crlList->lastDateAsn1;
+    }
+    else
+        return NULL;
 }
-#endif
+
-#ifndef NO_WOLFSSL_STUB
 WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_nextUpdate(WOLFSSL_X509_CRL* crl)
 {
-    (void)crl;
+    if ((crl != NULL) && (crl->crlList != NULL) &&
-    WOLFSSL_STUB("X509_CRL_get_nextUpdate");
+        (crl->crlList->nextDateAsn1.data[0] != 0)) {
-    return 0;
+        return &crl->crlList->nextDateAsn1;
+    }
+    else
+        return NULL;
 }
-#endif
-
 
 #ifndef NO_WOLFSSL_STUB
 int wolfSSL_X509_CRL_verify(WOLFSSL_X509_CRL* crl, WOLFSSL_EVP_PKEY* key)

tests/api.c

@@ -48439,6 +48439,73 @@ static int test_wolfSSL_i2d_OCSP_CERTID(void)
     return 0;
 }
 
+static int test_wolfSSL_d2i_OCSP_CERTID(void)
+{
+#if (defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY)) && defined(HAVE_OCSP)
+    WOLFSSL_OCSP_CERTID* certId;
+    WOLFSSL_OCSP_CERTID* certIdBad;
+    const unsigned char* rawCertIdPtr;
+
+    const unsigned char rawCertId[] = {
+        0x30, 0x49, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
+        0x00, 0x04, 0x14, 0x80, 0x51, 0x06, 0x01, 0x32, 0xad, 0x9a, 0xc2, 0x7d,
+        0x51, 0x87, 0xa0, 0xe8, 0x87, 0xfb, 0x01, 0x62, 0x01, 0x55, 0xee, 0x04,
+        0x14, 0x03, 0xde, 0x50, 0x35, 0x56, 0xd1, 0x4c, 0xbb, 0x66, 0xf0, 0xa3,
+        0xe2, 0x1b, 0x1b, 0xc3, 0x97, 0xb2, 0x3d, 0xd1, 0x55, 0x02, 0x10, 0x01,
+        0xfd, 0xa3, 0xeb, 0x6e, 0xca, 0x75, 0xc8, 0x88, 0x43, 0x8b, 0x72, 0x4b,
+        0xcf, 0xbc, 0x91
+    };
+
+    rawCertIdPtr = &rawCertId[0];
+
+    printf(testingFmt, "wolfSSL_d2i_OCSP_CERTID()");
+
+    /* If the cert ID is NULL the function should allocate it and copy the
+     * data to it. */
+    certId = NULL;
+    certId = wolfSSL_d2i_OCSP_CERTID(&certId, &rawCertIdPtr, sizeof(rawCertId));
+
+    AssertNotNull(certId);
+    AssertIntEQ(certId->rawCertIdSize, sizeof(rawCertId));
+
+    XFREE(certId->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL);
+    XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL);
+
+    /* If the cert ID is not NULL the function will just copy the data to it. */
+    certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*certId), NULL,
+                                           DYNAMIC_TYPE_TMP_BUFFER);
+    XMEMSET(certId, 0, sizeof(*certId));
+
+    /* Reset rawCertIdPtr since it was push forward in the previous call. */
+    rawCertIdPtr = &rawCertId[0];
+    certId = wolfSSL_d2i_OCSP_CERTID(&certId, &rawCertIdPtr, sizeof(rawCertId));
+
+    AssertNotNull(certId);
+    AssertIntEQ(certId->rawCertIdSize, sizeof(rawCertId));
+
+    XFREE(certId->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL);
+    XFREE(certId, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+    /* The below tests should fail when passed bad parameters. NULL should
+     * always be returned. */
+    certIdBad = (WOLFSSL_OCSP_CERTID*) 1;
+    certIdBad = wolfSSL_d2i_OCSP_CERTID(NULL, &rawCertIdPtr, sizeof(rawCertId));
+    AssertNull(certIdBad);
+
+    certIdBad = (WOLFSSL_OCSP_CERTID*) 1;
+    certIdBad = wolfSSL_d2i_OCSP_CERTID(&certId, NULL, sizeof(rawCertId));
+    AssertNull(certIdBad);
+
+    certIdBad = (WOLFSSL_OCSP_CERTID*) 1;
+    certIdBad = wolfSSL_d2i_OCSP_CERTID(&certId, &rawCertIdPtr, 0);
+    AssertNull(certIdBad);
+
+    printf(resultFmt, passed);
+#endif
+
+    return 0;
+}
+
 static int test_wolfSSL_OCSP_id_cmp(void)
 {
 #if defined(OPENSSL_ALL) && defined(HAVE_OCSP)
@@ -59896,6 +59963,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_wolfSSL_i2d_PrivateKey),
     TEST_DECL(test_wolfSSL_OCSP_id_get0_info),
     TEST_DECL(test_wolfSSL_i2d_OCSP_CERTID),
+    TEST_DECL(test_wolfSSL_d2i_OCSP_CERTID),
     TEST_DECL(test_wolfSSL_OCSP_id_cmp),
     TEST_DECL(test_wolfSSL_OCSP_SINGLERESP_get0_id),
     TEST_DECL(test_wolfSSL_OCSP_single_get0_status),

wolfssl/internal.h

@@ -2217,13 +2217,17 @@ struct CRL_Entry {
     byte    nextDate[MAX_DATE_SIZE]; /* next update date   */
     byte    lastDateFormat;          /* last date format */
     byte    nextDateFormat;          /* next date format */
+#if defined(OPENSSL_EXTRA)
+    WOLFSSL_ASN1_TIME lastDateAsn1;  /* last date updated  */
+    WOLFSSL_ASN1_TIME nextDateAsn1;  /* next update date   */
+#endif
 #ifdef CRL_STATIC_REVOKED_LIST
     RevokedCert certs[CRL_MAX_REVOKED_CERTS];
 #else
-    RevokedCert* certs;              /* revoked cert list  */
+    RevokedCert* certs;             /* revoked cert list  */
 #endif
-    int          totalCerts;         /* number on list     */
+    int     totalCerts;             /* number on list     */
-    int     version;                 /* version of certficate */
+    int     version;                /* version of certficate */
     int     verified;
     byte*   toBeSigned;
     word32  tbsSz;

wolfssl/ocsp.h

@@ -112,6 +112,10 @@ WOLFSSL_API int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out,
 
 WOLFSSL_API int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id,
                                         unsigned char** data);
+WOLFSSL_API
+WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut,
+                                             const unsigned char** derIn,
+                                             int length);
 WOLFSSL_API const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(
     const WOLFSSL_OCSP_SINGLERESP *single);
 WOLFSSL_API int wolfSSL_OCSP_id_cmp(WOLFSSL_OCSP_CERTID *a, WOLFSSL_OCSP_CERTID *b);

wolfssl/openssl/ocsp.h

@@ -78,6 +78,7 @@
 #define i2d_OCSP_REQUEST_bio      wolfSSL_i2d_OCSP_REQUEST_bio
 
 #define i2d_OCSP_CERTID           wolfSSL_i2d_OCSP_CERTID
+#define d2i_OCSP_CERTID           wolfSSL_d2i_OCSP_CERTID
 #define OCSP_SINGLERESP_get0_id   wolfSSL_OCSP_SINGLERESP_get0_id
 #define OCSP_id_cmp               wolfSSL_OCSP_id_cmp
 #define OCSP_single_get0_status   wolfSSL_OCSP_single_get0_status

wolfssl/openssl/ssl.h

@@ -701,9 +701,14 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 
 #define X509_CRL_free                   wolfSSL_X509_CRL_free
 #define X509_CRL_get_lastUpdate         wolfSSL_X509_CRL_get_lastUpdate
+#define X509_CRL_get0_lastUpdate        wolfSSL_X509_CRL_get_lastUpdate
 #define X509_CRL_get_nextUpdate         wolfSSL_X509_CRL_get_nextUpdate
+#define X509_CRL_get0_nextUpdate        wolfSSL_X509_CRL_get_nextUpdate
 #define X509_CRL_verify                 wolfSSL_X509_CRL_verify
 #define X509_CRL_get_REVOKED            wolfSSL_X509_CRL_get_REVOKED
+#define X509_CRL_get_issuer             wolfSSL_X509_CRL_get_issuer_name
+#define X509_CRL_get_signature_nid      wolfSSL_X509_CRL_get_signature_nid
+#define X509_CRL_get_version            wolfSSL_X509_CRL_version
 #define X509_load_crl_file              wolfSSL_X509_load_crl_file
 
 #define X509_get_X509_PUBKEY            wolfSSL_X509_get_X509_PUBKEY
@@ -728,6 +733,9 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define X509_OBJECT_get0_X509           wolfSSL_X509_OBJECT_get0_X509
 #define X509_OBJECT_get0_X509_CRL       wolfSSL_X509_OBJECT_get0_X509_CRL
 
+#define X509_REVOKED_get0_serialNumber   wolfSSL_X509_REVOKED_get0_serial_number
+#define X509_REVOKED_get0_revocationDate wolfSSL_X509_REVOKED_get0_revocation_date
+
 #define X509_check_purpose(...)         0
 
 #define OCSP_parse_url                  wolfSSL_OCSP_parse_url

wolfssl/ssl.h

@@ -2901,6 +2901,13 @@ WOLFSSL_API int wolfSSL_X509_REVOKED_get_serial_number(RevokedCert* rev,
 WOLFSSL_API void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl);
 #endif
 
+WOLFSSL_API
+const WOLFSSL_ASN1_INTEGER* wolfSSL_X509_REVOKED_get0_serial_number(const
+                                                     WOLFSSL_X509_REVOKED *rev);
+WOLFSSL_API
+const WOLFSSL_ASN1_TIME* wolfSSL_X509_REVOKED_get0_revocation_date(const
+                                                     WOLFSSL_X509_REVOKED *rev);
+
 #ifndef NO_FILESYSTEM
     #ifndef NO_STDIO_FILESYSTEM
     WOLFSSL_API WOLFSSL_X509*