Fixes to handle degenerate PKCS 7 with BER encoding in PKCS7_VerifySignedData. Fix for PKCS7 API unit test with SHA512 disabled. ZD 4757.

David Garske
2019-01-31 14:36:46 -08:00
parent 0b2bbc33bd
commit 3a0afc3506
2 changed files with 33 additions and 12 deletions


@@ -15886,7 +15886,7 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void)
AES256_WRAP, dhSinglePass_stdDH_sha256kdf_scheme, eccCert, AES256_WRAP, dhSinglePass_stdDH_sha256kdf_scheme, eccCert,
eccCertSz, eccPrivKey, eccPrivKeySz}, eccCertSz, eccPrivKey, eccPrivKeySz},
#endif #endif
#if !defined(WOLFSSL_SHA512) && !defined(NO_AES_256) #if defined(WOLFSSL_SHA512) && !defined(NO_AES_256)
{(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES256CBCb, {(byte*)input, (word32)(sizeof(input)/sizeof(char)), DATA, AES256CBCb,
AES256_WRAP, dhSinglePass_stdDH_sha512kdf_scheme, eccCert, AES256_WRAP, dhSinglePass_stdDH_sha512kdf_scheme, eccCert,
eccCertSz, eccPrivKey, eccPrivKeySz}, eccCertSz, eccPrivKey, eccPrivKeySz},


@@ -3366,7 +3366,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
byte* in2, word32 in2Sz) byte* in2, word32 in2Sz)
{ {
word32 idx, outerContentType, hashOID = 0, sigOID, contentTypeSz = 0, totalSz = 0; word32 idx, outerContentType, hashOID = 0, sigOID, contentTypeSz = 0, totalSz = 0;
int length, version, ret = 0; int length = 0, version, ret = 0;
byte* content = NULL; byte* content = NULL;
byte* contentDynamic = NULL; byte* contentDynamic = NULL;
byte* sig = NULL; byte* sig = NULL;
@@ -3430,8 +3430,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
} }
{ {
long rc; long rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK, in, inSz);
rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK, in, inSz);
if (rc < 0) { if (rc < 0) {
ret = (int)rc; ret = (int)rc;
break; break;
@@ -3471,6 +3470,17 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
if (GetSequence_ex(pkiMsg, &idx, &length, pkiMsgSz, if (GetSequence_ex(pkiMsg, &idx, &length, pkiMsgSz,
NO_USER_CHECK) < 0) NO_USER_CHECK) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
#ifndef NO_PKCS7_STREAM
{
long rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK,
pkiMsg, pkiMsgSz);
if (rc < 0) {
ret = (int)rc;
break;
}
}
#endif
#else #else
ret = BER_INDEF_E; ret = BER_INDEF_E;
#endif #endif
@@ -3539,14 +3549,15 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
case WC_PKCS7_VERIFY_STAGE2: case WC_PKCS7_VERIFY_STAGE2:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz + in2Sz, if ((ret = wc_PKCS7_AddDataToStream(pkcs7, pkiMsg, inSz + in2Sz,
MAX_SEQ_SZ + MAX_OID_SZ + ASN_TAG_SZ + MAX_LENGTH_SZ MAX_SEQ_SZ + MAX_OID_SZ + ASN_TAG_SZ + MAX_LENGTH_SZ
+ ASN_TAG_SZ + MAX_LENGTH_SZ, &pkiMsg, &idx)) != 0) { + ASN_TAG_SZ + MAX_LENGTH_SZ, &pkiMsg, &idx)) != 0) {
break; break;
} }
wc_PKCS7_StreamGetVar(pkcs7, &totalSz, 0, 0); wc_PKCS7_StreamGetVar(pkcs7, &totalSz, 0, 0);
pkiMsgSz = (pkcs7->stream->length > 0)? pkcs7->stream->length :inSz; if (pkcs7->stream->length > 0)
pkiMsgSz = pkcs7->stream->length;
#endif #endif
/* Get the inner ContentInfo sequence */ /* Get the inner ContentInfo sequence */
if (GetSequence_ex(pkiMsg, &idx, &length, pkiMsgSz, if (GetSequence_ex(pkiMsg, &idx, &length, pkiMsgSz,
@@ -3684,14 +3695,14 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
case WC_PKCS7_VERIFY_STAGE3: case WC_PKCS7_VERIFY_STAGE3:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz + in2Sz, if ((ret = wc_PKCS7_AddDataToStream(pkcs7, pkiMsg, inSz + in2Sz,
pkcs7->stream->expected, &pkiMsg, &idx)) != 0) { pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
break; break;
} }
{ {
long rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, long rc = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK,
in, inSz); pkiMsg, pkiMsgSz);
if (rc < 0) { if (rc < 0) {
ret = (int)rc; ret = (int)rc;
break; break;
@@ -3709,7 +3720,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
/* Break out before content because it can be optional in degenerate /* Break out before content because it can be optional in degenerate
* cases. */ * cases. */
if (ret != 0 && !detached) if (ret != 0 && !degenerate)
break; break;
/* get parts of content */ /* get parts of content */
@@ -3860,7 +3871,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
case WC_PKCS7_VERIFY_STAGE4: case WC_PKCS7_VERIFY_STAGE4:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz + in2Sz, if ((ret = wc_PKCS7_AddDataToStream(pkcs7, pkiMsg, inSz + in2Sz,
pkcs7->stream->expected, &pkiMsg, &idx)) != 0) { pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
break; break;
} }
@@ -4041,7 +4052,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
case WC_PKCS7_VERIFY_STAGE5: case WC_PKCS7_VERIFY_STAGE5:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, if ((ret = wc_PKCS7_AddDataToStream(pkcs7, pkiMsg, inSz + in2Sz,
pkcs7->stream->expected, &pkiMsg, &idx)) != 0) { pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
break; break;
} }
@@ -4101,7 +4112,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
case WC_PKCS7_VERIFY_STAGE6: case WC_PKCS7_VERIFY_STAGE6:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz + in2Sz, if ((ret = wc_PKCS7_AddDataToStream(pkcs7, pkiMsg, inSz + in2Sz,
pkcs7->stream->expected, &pkiMsg, &idx)) != 0) { pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
break; break;
} }
@@ -9117,6 +9128,8 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
} }
pkiMsgSz = (word32)rc; pkiMsgSz = (word32)rc;
} }
#else
ret = 0;
#endif #endif
/* remove EncryptedContentInfo */ /* remove EncryptedContentInfo */
@@ -9196,6 +9209,8 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
ret = MEMORY_E; ret = MEMORY_E;
break; break;
} }
#else
ret = 0;
#endif #endif
XMEMCPY(tmpIv, &pkiMsg[idx], length); XMEMCPY(tmpIv, &pkiMsg[idx], length);
@@ -9260,6 +9275,8 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
decryptedKey = pkcs7->stream->aad; decryptedKey = pkcs7->stream->aad;
decryptedKeySz = pkcs7->stream->aadSz; decryptedKeySz = pkcs7->stream->aadSz;
blockKeySz = pkcs7->stream->contentSz; blockKeySz = pkcs7->stream->contentSz;
#else
ret = 0;
#endif #endif
encryptedContent = (byte*)XMALLOC(encryptedContentSz, pkcs7->heap, encryptedContent = (byte*)XMALLOC(encryptedContentSz, pkcs7->heap,
DYNAMIC_TYPE_PKCS7); DYNAMIC_TYPE_PKCS7);
@@ -10196,6 +10213,8 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
length = pkcs7->stream->expected; length = pkcs7->stream->expected;
encodedAttribs = pkcs7->stream->aad; encodedAttribs = pkcs7->stream->aad;
#else
length = 0;
#endif #endif
/* save pointer and length */ /* save pointer and length */
@@ -10990,6 +11009,8 @@ int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* in, word32 inSz,
encryptedContentSz = pkcs7->stream->varThree; encryptedContentSz = pkcs7->stream->varThree;
version = pkcs7->stream->vers; version = pkcs7->stream->vers;
tmpIv = pkcs7->stream->tmpIv; tmpIv = pkcs7->stream->tmpIv;
#else
encOID = 0;
#endif #endif
if (ret == 0 && (encryptedContent = (byte*)XMALLOC( if (ret == 0 && (encryptedContent = (byte*)XMALLOC(
encryptedContentSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7)) == NULL) encryptedContentSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7)) == NULL)
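Review bot: In the WC_PKCS7_VERIFY_STAGE2 through STAGE6 calls, wc_PKCS7_AddDataToStream now takes `pkiMsg` as its input pointer but still `inSz + in2Sz` as the length, so the pointer and the length may describe different buffers. The same commit pairs `pkiMsg` with `pkiMsgSz` in the wc_PKCS7_GetMaxStream calls it touches, which suggests pkiMsg can differ from `in` at that point (presumably after the BER conversion; the assignment lies outside the hunks shown). If the helper reads up to that length from the pointer, a converted buffer shorter than `inSz + in2Sz` would be over-read while parsing untrusted input; its body is not visible here, so this needs confirming. Either pass the size that belongs to the buffer, e.g. `wc_PKCS7_AddDataToStream(pkcs7, pkiMsg, pkiMsgSz, ...)`, or add a comment at the STAGE2 call such as `/* pkiMsg may be the converted DER buffer; the length passed must not exceed its size */` explaining why the current length is safe. PKCS7_VerifySignedData starts and ends outside these hunks.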