wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 10:47:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

make internal stream buffer dynamic

Browse Source 
formating and build without stream api
This commit is contained in:
Jacob Barthelmeh
2018-10-24 22:40:26 -06:00
committed by David Garske
parent 048a7f4c57
commit 62a2847d75
2 changed files with 229 additions and 141 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
tests/api.c
View File

@ -15370,7 +15370,7 @@ static void test_wc_PKCS7_EncodeSignedData_ex(void)
outputHead, outputHeadSz, outputFoot, 0), WC_PKCS7_WANT_READ_E); outputHead, outputHeadSz, outputFoot, 0), WC_PKCS7_WANT_READ_E);
#else #else
AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, hashSz, AssertIntEQ(wc_PKCS7_VerifySignedData_ex(pkcs7, hashBuf, hashSz,
outputHead, outputHeadSz, outputFoot, 0), BUFFER_E); outputHead, outputHeadSz, outputFoot, 0), ASN_PARSE_E);
#endif #endif
printf(resultFmt, passed); printf(resultFmt, passed);

368
wolfcrypt/src/pkcs7.c
View File

@ -69,6 +69,7 @@ typedef struct PKCS7State {
byte* tag; /* tag data for AEAD algos */ byte* tag; /* tag data for AEAD algos */
byte* content; byte* content;
byte multi; /* flag for if content is in multiple parts */ byte multi; /* flag for if content is in multiple parts */
byte* buffer; /* main internal read buffer */
/* stack variables to store for when returning */ /* stack variables to store for when returning */
word32 varOne; word32 varOne;
@ -80,9 +81,9 @@ typedef struct PKCS7State {
word32 maxLen; /* sanity cap on maximum amount of data to allow word32 maxLen; /* sanity cap on maximum amount of data to allow
* needed for GetSequence and other calls */ * needed for GetSequence and other calls */
word32 length; /* amount of data stored */ word32 length; /* amount of data stored */
word32 bufferSz; /* size of internal buffer */
word32 expected; /* next amount of data expected, if needed */ word32 expected; /* next amount of data expected, if needed */
word32 totalRd; /* total amount of bytes read */ word32 totalRd; /* total amount of bytes read */
byte buffer[4096];
word32 nonceSz; /* size of nonce stored */ word32 nonceSz; /* size of nonce stored */
word32 aadSz; /* size of additional AEAD data */ word32 aadSz; /* size of additional AEAD data */
word32 tagSz; /* size of tag for AEAD */ word32 tagSz; /* size of tag for AEAD */
@ -126,10 +127,10 @@ static void wc_PKCS7_ResetStream(PKCS7* pkcs7)
if (pkcs7->stream->length > pkcs7->stream->peakRead) { if (pkcs7->stream->length > pkcs7->stream->peakRead) {
pkcs7->stream->peakRead = pkcs7->stream->length; pkcs7->stream->peakRead = pkcs7->stream->length;
} }
if (pkcs7->stream->length + pkcs7->stream->aadSz + if (pkcs7->stream->bufferSz + pkcs7->stream->aadSz +
pkcs7->stream->nonceSz + pkcs7->stream->tagSz > pkcs7->stream->nonceSz + pkcs7->stream->tagSz >
pkcs7->stream->peakUsed) { pkcs7->stream->peakUsed) {
pkcs7->stream->peakUsed = pkcs7->stream->length + pkcs7->stream->peakUsed = pkcs7->stream->bufferSz +
pkcs7->stream->aadSz + pkcs7->stream->nonceSz + pkcs7->stream->aadSz + pkcs7->stream->nonceSz +
pkcs7->stream->tagSz; pkcs7->stream->tagSz;
} }
@ -150,9 +151,11 @@ static void wc_PKCS7_ResetStream(PKCS7* pkcs7)
XFREE(pkcs7->stream->aad, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7->stream->aad, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
XFREE(pkcs7->stream->tag, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7->stream->tag, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
XFREE(pkcs7->stream->nonce, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7->stream->nonce, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
pkcs7->stream->aad = NULL; XFREE(pkcs7->stream->buffer, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
pkcs7->stream->tag = NULL; pkcs7->stream->aad = NULL;
pkcs7->stream->nonce = NULL; pkcs7->stream->tag = NULL;
pkcs7->stream->nonce = NULL;
pkcs7->stream->buffer = NULL;
/* reset values, note that content and tmpCert are saved */ /* reset values, note that content and tmpCert are saved */
pkcs7->stream->maxLen = 0; pkcs7->stream->maxLen = 0;
@ -160,6 +163,7 @@ static void wc_PKCS7_ResetStream(PKCS7* pkcs7)
pkcs7->stream->idx = 0; pkcs7->stream->idx = 0;
pkcs7->stream->expected = 0; pkcs7->stream->expected = 0;
pkcs7->stream->totalRd = 0; pkcs7->stream->totalRd = 0;
pkcs7->stream->bufferSz = 0;
pkcs7->stream->multi = 0; pkcs7->stream->multi = 0;
pkcs7->stream->flagOne = 0; pkcs7->stream->flagOne = 0;
@ -186,6 +190,29 @@ static void wc_PKCS7_FreeStream(PKCS7* pkcs7)
} }
/* used to increase the max size for internal buffer
* returns 0 on success */
static int wc_PKCS7_GrowStream(PKCS7* pkcs7, word32 newSz)
{
byte* pt;
pt = (byte*)XMALLOC(newSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
if (pt == NULL) {
return MEMORY_E;
}
XMEMCPY(pt, pkcs7->stream->buffer, pkcs7->stream->bufferSz);
#ifdef WC_PKCS7_STREAM_DEBUG
printf("PKCS7 increasing internal stream buffer %d -> %d\n",
pkcs7->stream->bufferSz, newSz);
#endif
pkcs7->stream->bufferSz = newSz;
XFREE(pkcs7->stream->buffer, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
pkcs7->stream->buffer = pt;
return 0;
}
/* pt gets set to the buffer that is holding data in the case that stream struct /* pt gets set to the buffer that is holding data in the case that stream struct
* is used. * is used.
* *
@ -225,6 +252,14 @@ static int wc_PKCS7_AddDataToStream(PKCS7* pkcs7, byte* in, word32 inSz,
/* try to store input data into stream buffer */ /* try to store input data into stream buffer */
if (inSz - rdSz > 0 && pkcs7->stream->length < expected) { if (inSz - rdSz > 0 && pkcs7->stream->length < expected) {
int len = min(inSz - rdSz, expected - pkcs7->stream->length); int len = min(inSz - rdSz, expected - pkcs7->stream->length);
/* check if internal buffer size needs to be increased */
if (len + pkcs7->stream->length > pkcs7->stream->bufferSz) {
int ret = wc_PKCS7_GrowStream(pkcs7, expected);
if (ret < 0) {
return ret;
}
}
XMEMCPY(pkcs7->stream->buffer + pkcs7->stream->length, in + rdSz, len); XMEMCPY(pkcs7->stream->buffer + pkcs7->stream->length, in + rdSz, len);
pkcs7->stream->length += len; pkcs7->stream->length += len;
pkcs7->stream->idx += len; pkcs7->stream->idx += len;
@ -236,10 +271,10 @@ static int wc_PKCS7_AddDataToStream(PKCS7* pkcs7, byte* in, word32 inSz,
if (pkcs7->stream->length > pkcs7->stream->peakRead) { if (pkcs7->stream->length > pkcs7->stream->peakRead) {
pkcs7->stream->peakRead = pkcs7->stream->length; pkcs7->stream->peakRead = pkcs7->stream->length;
} }
if (pkcs7->stream->length + pkcs7->stream->aadSz + pkcs7->stream->nonceSz + if (pkcs7->stream->bufferSz + pkcs7->stream->aadSz + pkcs7->stream->nonceSz +
pkcs7->stream->tagSz > pkcs7->stream->peakUsed) { pkcs7->stream->tagSz > pkcs7->stream->peakUsed) {
pkcs7->stream->peakUsed = pkcs7->stream->length + pkcs7->stream->aadSz + pkcs7->stream->peakUsed = pkcs7->stream->bufferSz +
pkcs7->stream->nonceSz + pkcs7->stream->tagSz; pkcs7->stream->aadSz + pkcs7->stream->nonceSz + pkcs7->stream->tagSz;
} }
#endif #endif
@ -3193,8 +3228,8 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
word32 hashSz, byte* in, word32 inSz, word32 hashSz, byte* in, word32 inSz,
byte* in2, word32 in2Sz) byte* in2, word32 in2Sz)
{ {
word32 idx, outerContentType, hashOID, sigOID, contentTypeSz = 0, totalSz = 0; word32 idx, outerContentType, hashOID = 0, sigOID, contentTypeSz = 0, totalSz = 0;
int length, version, ret; int length, version, ret = 0;
byte* content = NULL; byte* content = NULL;
byte* contentDynamic = NULL; byte* contentDynamic = NULL;
byte* sig = NULL; byte* sig = NULL;
@ -3212,7 +3247,9 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
byte* pkiMsg = in; byte* pkiMsg = in;
word32 pkiMsgSz = inSz; word32 pkiMsgSz = inSz;
#ifndef NO_PKCS7_STREAM
word32 stateIdx = 0; word32 stateIdx = 0;
#endif
byte* pkiMsg2 = in2; byte* pkiMsg2 = in2;
word32 pkiMsg2Sz = in2Sz; word32 pkiMsg2Sz = in2Sz;
@ -3672,11 +3709,6 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
cert = &pkiMsg2[idx]; cert = &pkiMsg2[idx];
certSz += (certIdx - idx); certSz += (certIdx - idx);
// @TODO
//if (certSz > pkiMsg2Sz) {
// error out here ?
//}
} }
#ifdef ASN_BER_TO_DER #ifdef ASN_BER_TO_DER
der = pkcs7->der; der = pkcs7->der;
@ -3684,11 +3716,15 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
contentDynamic = pkcs7->contentDynamic; contentDynamic = pkcs7->contentDynamic;
if (ret == 0) { if (ret == 0) {
#ifndef NO_PKCS7_STREAM
PKCS7State* stream = pkcs7->stream; PKCS7State* stream = pkcs7->stream;
#endif
/* This will reset PKCS7 structure and then set the /* This will reset PKCS7 structure and then set the
* certificate */ * certificate */
ret = wc_PKCS7_InitWithCert(pkcs7, cert, certSz); ret = wc_PKCS7_InitWithCert(pkcs7, cert, certSz);
#ifndef NO_PKCS7_STREAM
pkcs7->stream = stream; pkcs7->stream = stream;
#endif
} }
pkcs7->contentDynamic = contentDynamic; pkcs7->contentDynamic = contentDynamic;
#ifdef ASN_BER_TO_DER #ifdef ASN_BER_TO_DER
@ -3965,7 +4001,9 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
break; break;
ret = 0; /* success */ ret = 0; /* success */
#ifndef NO_PKCS7_STREAM
wc_PKCS7_ResetStream(pkcs7); wc_PKCS7_ResetStream(pkcs7);
#endif
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START);
break; break;
@ -3975,7 +4013,9 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
} }
if (ret != 0 && ret != WC_PKCS7_WANT_READ_E) { if (ret != 0 && ret != WC_PKCS7_WANT_READ_E) {
#ifndef NO_PKCS7_STREAM
wc_PKCS7_ResetStream(pkcs7); wc_PKCS7_ResetStream(pkcs7);
#endif
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_START);
} }
return ret; return ret;
@ -4095,7 +4135,6 @@ static int wc_PKCS7_KeyWrap(byte* cek, word32 cekSz, byte* kek,
if (ret <= 0) if (ret <= 0)
return ret; return ret;
break; break;
#endif /* NO_AES */ #endif /* NO_AES */
@ -6807,11 +6846,13 @@ static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz,
word32 encOID; word32 encOID;
word32 keyIdx; word32 keyIdx;
byte issuerHash[KEYID_SIZE]; byte issuerHash[KEYID_SIZE];
byte* outKey = NULL; byte* outKey = NULL;
word32 tmpIdx = *idx; byte* pkiMsg = in;
byte* pkiMsg = in;
word32 pkiMsgSz = inSz; word32 pkiMsgSz = inSz;
#ifndef NO_PKCS7_STREAM
word32 tmpIdx = *idx;
#endif
#ifdef WC_RSA_BLINDING #ifdef WC_RSA_BLINDING
WC_RNG rng; WC_RNG rng;
#endif #endif
@ -7488,13 +7529,14 @@ static int wc_PKCS7_DecryptOri(PKCS7* pkcs7, byte* in, word32 inSz,
{ {
int ret, seqSz, oriOIDSz; int ret, seqSz, oriOIDSz;
word32 oriValueSz, tmpIdx; word32 oriValueSz, tmpIdx;
byte* oriValue; byte* oriValue;
byte oriOID[MAX_OID_SZ]; byte oriOID[MAX_OID_SZ];
byte* pkiMsg = in; byte* pkiMsg = in;
word32 pkiMsgSz = inSz; word32 pkiMsgSz = inSz;
#ifndef NO_PKCS7_STREAM
word32 stateIdx = *idx; word32 stateIdx = *idx;
#endif
if (pkcs7->oriDecryptCb == NULL) { if (pkcs7->oriDecryptCb == NULL) {
WOLFSSL_MSG("You must register an ORI Decrypt callback"); WOLFSSL_MSG("You must register an ORI Decrypt callback");
@ -7504,16 +7546,16 @@ static int wc_PKCS7_DecryptOri(PKCS7* pkcs7, byte* in, word32 inSz,
switch (pkcs7->state) { switch (pkcs7->state) {
case WC_PKCS7_DECRYPT_ORI: case WC_PKCS7_DECRYPT_ORI:
//@TODO for now just get full buffer, needs divided up
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
/* @TODO for now just get full buffer, needs divided up */
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
(pkcs7->stream->maxLen - pkcs7->stream->totalRd) + (pkcs7->stream->maxLen - pkcs7->stream->totalRd) +
pkcs7->stream->length, &pkiMsg, idx)) != 0) { pkcs7->stream->length, &pkiMsg, idx)) != 0) {
return ret; return ret;
} }
pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in,
inSz);
#endif #endif
/* get OtherRecipientInfo sequence length */ /* get OtherRecipientInfo sequence length */
if (GetLength(pkiMsg, idx, &seqSz, pkiMsgSz) < 0) if (GetLength(pkiMsg, idx, &seqSz, pkiMsgSz) < 0)
@ -7584,13 +7626,14 @@ static int wc_PKCS7_DecryptPwri(PKCS7* pkcs7, byte* in, word32 inSz,
word32 kdfAlgoId, pwriEncAlgoId, keyEncAlgoId, cekSz; word32 kdfAlgoId, pwriEncAlgoId, keyEncAlgoId, cekSz;
byte* pkiMsg = in; byte* pkiMsg = in;
word32 pkiMsgSz = inSz; word32 pkiMsgSz = inSz;
#ifndef NO_PKCS7_STREAM
word32 tmpIdx = *idx; word32 tmpIdx = *idx;
#endif
switch (pkcs7->state) { switch (pkcs7->state) {
case WC_PKCS7_DECRYPT_PWRI: case WC_PKCS7_DECRYPT_PWRI:
//@TODO for now just get full buffer, needs divided up
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
/*@TODO for now just get full buffer, needs divided up */
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
(pkcs7->stream->maxLen - pkcs7->stream->totalRd) + (pkcs7->stream->maxLen - pkcs7->stream->totalRd) +
pkcs7->stream->length, &pkiMsg, idx)) != 0) { pkcs7->stream->length, &pkiMsg, idx)) != 0) {
@ -7790,7 +7833,9 @@ static int wc_PKCS7_DecryptKekri(PKCS7* pkcs7, byte* in, word32 inSz,
int ret = 0; int ret = 0;
byte* pkiMsg = in; byte* pkiMsg = in;
word32 pkiMsgSz = inSz; word32 pkiMsgSz = inSz;
#ifndef NO_PKCS7_STREAM
word32 tmpIdx = *idx; word32 tmpIdx = *idx;
#endif
switch (pkcs7->state) { switch (pkcs7->state) {
case WC_PKCS7_DECRYPT_KEKRI: case WC_PKCS7_DECRYPT_KEKRI:
@ -7905,7 +7950,15 @@ static int wc_PKCS7_DecryptKari(PKCS7* pkcs7, byte* in, word32 inSz,
byte* pkiMsg = in; byte* pkiMsg = in;
word32 pkiMsgSz = inSz; word32 pkiMsgSz = inSz;
word32 tmpIdx = *idx; #ifndef NO_PKCS7_STREAM
word32 tmpIdx = (idx)? *idx : 0;
#endif
if (pkcs7 == NULL || pkcs7->singleCert == NULL ||
pkcs7->singleCertSz == 0 || pkiMsg == NULL ||
idx == NULL || decryptedKey == NULL || decryptedKeySz == NULL) {
return BAD_FUNC_ARG;
}
switch (pkcs7->state) { switch (pkcs7->state) {
case WC_PKCS7_DECRYPT_KARI: { case WC_PKCS7_DECRYPT_KARI: {
@ -7922,12 +7975,6 @@ static int wc_PKCS7_DecryptKari(PKCS7* pkcs7, byte* in, word32 inSz,
#endif #endif
WC_PKCS7_KARI* kari; WC_PKCS7_KARI* kari;
if (pkcs7 == NULL || pkcs7->singleCert == NULL ||
pkcs7->singleCertSz == 0 || pkiMsg == NULL ||
idx == NULL || decryptedKey == NULL || decryptedKeySz == NULL) {
return BAD_FUNC_ARG;
}
kari = wc_PKCS7_KariNew(pkcs7, WC_PKCS7_DECODE); kari = wc_PKCS7_KariNew(pkcs7, WC_PKCS7_DECODE);
if (kari == NULL) if (kari == NULL)
return MEMORY_E; return MEMORY_E;
@ -8087,10 +8134,13 @@ static int wc_PKCS7_DecryptRecipientInfos(PKCS7* pkcs7, byte* in,
word32 inSz, word32* idx, byte* decryptedKey, word32 inSz, word32* idx, byte* decryptedKey,
word32* decryptedKeySz, int* recipFound) word32* decryptedKeySz, int* recipFound)
{ {
word32 savedIdx, tmpIdx = *idx; word32 savedIdx;
int version, ret = 0, length; int version, ret = 0, length;
byte* pkiMsg = in; byte* pkiMsg = in;
word32 pkiMsgSz = inSz; word32 pkiMsgSz = inSz;
#ifndef NO_PKCS7_STREAM
word32 tmpIdx = *idx;
#endif
if (pkcs7 == NULL || pkiMsg == NULL || idx == NULL || if (pkcs7 == NULL || pkiMsg == NULL || idx == NULL ||
decryptedKey == NULL || decryptedKeySz == NULL || decryptedKey == NULL || decryptedKeySz == NULL ||
@ -8308,7 +8358,9 @@ static int wc_PKCS7_ParseToRecipientInfoSet(PKCS7* pkcs7, byte* in,
word32 contentType; word32 contentType;
byte* pkiMsg = in; byte* pkiMsg = in;
word32 pkiMsgSz = inSz; word32 pkiMsgSz = inSz;
#ifndef NO_PKCS7_STREAM
word32 tmpIdx = 0; word32 tmpIdx = 0;
#endif
if (pkcs7 == NULL || pkiMsg == NULL || pkiMsgSz == 0 || idx == NULL) if (pkcs7 == NULL || pkiMsg == NULL || pkiMsgSz == 0 || idx == NULL)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
@ -8355,6 +8407,8 @@ static int wc_PKCS7_ParseToRecipientInfoSet(PKCS7* pkcs7, byte* in,
if (ret == 0 && length == 0 && pkiMsg[(*idx)-1] == 0x80) { if (ret == 0 && length == 0 && pkiMsg[(*idx)-1] == 0x80) {
#ifdef ASN_BER_TO_DER #ifdef ASN_BER_TO_DER
word32 len;
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_INFOSET_BER); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_INFOSET_BER);
FALL_THROUGH; FALL_THROUGH;
@ -8370,7 +8424,7 @@ static int wc_PKCS7_ParseToRecipientInfoSet(PKCS7* pkcs7, byte* in,
pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz);
#endif #endif
word32 len = 0; len = 0;
ret = wc_BerToDer(pkiMsg, pkiMsgSz, NULL, &len); ret = wc_BerToDer(pkiMsg, pkiMsgSz, NULL, &len);
if (ret != LENGTH_ONLY_E) if (ret != LENGTH_ONLY_E)
@ -8551,9 +8605,12 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
{ {
int recipFound = 0; int recipFound = 0;
int ret, length = 0; int ret, length = 0;
word32 idx = 0, tmpIdx = 0; word32 idx = 0;
#ifndef NO_PKCS7_STREAM
word32 tmpIdx = 0;
#endif
word32 contentType, encOID = 0; word32 contentType, encOID = 0;
word32 decryptedKeySz; word32 decryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
int expBlockSz = 0, blockKeySz = 0; int expBlockSz = 0, blockKeySz = 0;
byte tmpIvBuf[MAX_CONTENT_IV_SIZE]; byte tmpIvBuf[MAX_CONTENT_IV_SIZE];
@ -8595,7 +8652,6 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
if (ret < 0) { if (ret < 0) {
break; break;
} }
tmpIdx = idx;
decryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap, decryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap,
DYNAMIC_TYPE_PKCS7); DYNAMIC_TYPE_PKCS7);
@ -8603,6 +8659,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
return MEMORY_E; return MEMORY_E;
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_ENV_2); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_ENV_2);
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
tmpIdx = idx;
pkcs7->stream->aad = decryptedKey; pkcs7->stream->aad = decryptedKey;
#endif #endif
FALL_THROUGH; FALL_THROUGH;
@ -8841,8 +8898,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in,
} }
#else #else
if (decryptedKey != NULL && ret < 0) { if (decryptedKey != NULL && ret < 0) {
ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ); ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ);
}
XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
} }
#endif #endif
@ -9295,8 +9351,11 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
word32 outputSz) word32 outputSz)
{ {
int recipFound = 0; int recipFound = 0;
int ret, length; int ret = 0, length;
word32 idx = 0, tmpIdx = 0; word32 idx = 0;
#ifndef NO_PKCS7_STREAM
word32 tmpIdx = 0;
#endif
word32 contentType, encOID = 0; word32 contentType, encOID = 0;
word32 decryptedKeySz = 0; word32 decryptedKeySz = 0;
byte* pkiMsg = in; byte* pkiMsg = in;
@ -9347,24 +9406,26 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
if (ret < 0) if (ret < 0)
break; break;
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
tmpIdx = idx; tmpIdx = idx;
#endif #endif
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_2); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_2);
FALL_THROUGH; FALL_THROUGH;
case WC_PKCS7_AUTHENV_2: case WC_PKCS7_AUTHENV_2:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ + if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
MAX_VERSION_SZ + ASN_TAG_SZ, &pkiMsg, &idx)) != 0) { MAX_VERSION_SZ + ASN_TAG_SZ, &pkiMsg, &idx)) != 0) {
return ret; break;
} }
#endif #endif
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
decryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap, decryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap,
DYNAMIC_TYPE_PKCS7); DYNAMIC_TYPE_PKCS7);
if (decryptedKey == NULL) if (decryptedKey == NULL) {
return MEMORY_E; ret = MEMORY_E;
break;
}
#endif #endif
FALL_THROUGH; FALL_THROUGH;
@ -9382,40 +9443,45 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
decryptedKey, &decryptedKeySz, decryptedKey, &decryptedKeySz,
&recipFound); &recipFound);
if (ret != 0) { if (ret != 0) {
return ret; break;
} }
if (recipFound == 0) { if (recipFound == 0) {
WOLFSSL_MSG("No recipient found in envelopedData that matches input"); WOLFSSL_MSG("No recipient found in envelopedData that matches input");
return PKCS7_RECIP_E; ret = PKCS7_RECIP_E;
break;
} }
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
tmpIdx = idx; tmpIdx = idx;
#endif #endif
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_3); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_3);
FALL_THROUGH; FALL_THROUGH;
case WC_PKCS7_AUTHENV_3: case WC_PKCS7_AUTHENV_3:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_SEQ_SZ + if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_SEQ_SZ +
MAX_ALGO_SZ + MAX_ALGO_SZ + ASN_TAG_SZ, &pkiMsg, &idx)) != 0) { MAX_ALGO_SZ + MAX_ALGO_SZ + ASN_TAG_SZ,
return ret; &pkiMsg, &idx)) != 0) {
break;
} }
pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK,
#endif in, inSz);
#endif
/* remove EncryptedContentInfo */ /* remove EncryptedContentInfo */
if (ret == 0 && GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) { if (ret == 0 && GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) {
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
} }
if (ret == 0 && wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0) { if (ret == 0 && wc_GetContentType(pkiMsg, &idx, &contentType,
pkiMsgSz) < 0) {
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
} }
if (ret == 0 && GetAlgoId(pkiMsg, &idx, &encOID, oidBlkType, pkiMsgSz) < 0) { if (ret == 0 && GetAlgoId(pkiMsg, &idx, &encOID, oidBlkType,
pkiMsgSz) < 0) {
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
} }
@ -9437,25 +9503,26 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
if (ret < 0) if (ret < 0)
break; break;
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) { if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
break; break;
} }
wc_PKCS7_StreamStoreVar(pkcs7, encOID, blockKeySz, 0); wc_PKCS7_StreamStoreVar(pkcs7, encOID, blockKeySz, 0);
#endif #endif
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_4); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_4);
FALL_THROUGH; FALL_THROUGH;
case WC_PKCS7_AUTHENV_4: case WC_PKCS7_AUTHENV_4:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ + if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
MAX_VERSION_SZ + ASN_TAG_SZ + MAX_LENGTH_SZ, &pkiMsg, &idx)) != 0) { MAX_VERSION_SZ + ASN_TAG_SZ + MAX_LENGTH_SZ,
return ret; &pkiMsg, &idx)) != 0) {
break;
} }
pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK, in, inSz); pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK, in, inSz);
#endif #endif
if (ret == 0 && GetLength(pkiMsg, &idx, &nonceSz, pkiMsgSz) < 0) { if (ret == 0 && GetLength(pkiMsg, &idx, &nonceSz, pkiMsgSz) < 0) {
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
} }
@ -9476,7 +9543,8 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
} }
if (ret == 0) { if (ret == 0) {
explicitOctet = pkiMsg[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0); explicitOctet = pkiMsg[idx] ==
(ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0);
} }
/* read encryptedContent, cont[0] */ /* read encryptedContent, cont[0] */
@ -9486,7 +9554,8 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
} }
idx++; idx++;
if (ret == 0 && GetLength(pkiMsg, &idx, &encryptedContentSz, pkiMsgSz) <= 0) { if (ret == 0 && GetLength(pkiMsg, &idx, &encryptedContentSz,
pkiMsgSz) <= 0) {
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
} }
@ -9495,7 +9564,8 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
} }
if (ret == 0 && GetLength(pkiMsg, &idx, &encryptedContentSz, pkiMsgSz) <= 0) { if (ret == 0 && GetLength(pkiMsg, &idx, &encryptedContentSz,
pkiMsgSz) <= 0) {
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
} }
} }
@ -9503,7 +9573,7 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
if (ret < 0) if (ret < 0)
break; break;
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) { if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
break; break;
} }
@ -9523,22 +9593,24 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
} }
pkcs7->stream->expected = encryptedContentSz; pkcs7->stream->expected = encryptedContentSz;
wc_PKCS7_StreamStoreVar(pkcs7, encOID, blockKeySz, encryptedContentSz); wc_PKCS7_StreamStoreVar(pkcs7, encOID, blockKeySz,
#endif encryptedContentSz);
#endif
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_5); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_5);
FALL_THROUGH; FALL_THROUGH;
case WC_PKCS7_AUTHENV_5: case WC_PKCS7_AUTHENV_5:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ + if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
ASN_TAG_SZ + ASN_TAG_SZ + pkcs7->stream->expected, &pkiMsg, &idx)) != 0) { ASN_TAG_SZ + ASN_TAG_SZ + pkcs7->stream->expected,
return ret; &pkiMsg, &idx)) != 0) {
break;
} }
pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz);
encryptedContentSz = pkcs7->stream->expected; encryptedContentSz = pkcs7->stream->expected;
#endif #endif
encryptedContent = (byte*)XMALLOC(encryptedContentSz, pkcs7->heap, encryptedContent = (byte*)XMALLOC(encryptedContentSz, pkcs7->heap,
DYNAMIC_TYPE_PKCS7); DYNAMIC_TYPE_PKCS7);
@ -9555,93 +9627,105 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
#endif #endif
/* may have IMPLICIT [1] authenticatedAttributes */ /* may have IMPLICIT [1] authenticatedAttributes */
if (ret == 0 && pkiMsg[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) { if (ret == 0 && pkiMsg[idx] ==
(ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) {
encodedAttribIdx = idx; encodedAttribIdx = idx;
encodedAttribs = pkiMsg + idx; encodedAttribs = pkiMsg + idx;
idx++; idx++;
if (ret == 0 && GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0) if (ret == 0 && GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
pkcs7->stream->expected = length; pkcs7->stream->expected = length;
#endif #endif
encodedAttribSz = length + (idx - encodedAttribIdx); encodedAttribSz = length + (idx - encodedAttribIdx);
if (ret != 0) break; if (ret != 0)
break;
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if (encodedAttribSz > 0) { if (encodedAttribSz > 0) {
pkcs7->stream->aadSz = encodedAttribSz; pkcs7->stream->aadSz = encodedAttribSz;
pkcs7->stream->aad = (byte*)XMALLOC(encodedAttribSz, pkcs7->stream->aad = (byte*)XMALLOC(encodedAttribSz,
pkcs7->heap, DYNAMIC_TYPE_PKCS7); pkcs7->heap, DYNAMIC_TYPE_PKCS7);
if (pkcs7->stream->aad == NULL) { if (pkcs7->stream->aad == NULL) {
ret = MEMORY_E; ret = MEMORY_E;
break; break;
}
else {
XMEMCPY(pkcs7->stream->aad, encodedAttribs,
(idx - encodedAttribIdx));
}
} }
else {
XMEMCPY(pkcs7->stream->aad, encodedAttribs,
(idx - encodedAttribIdx));
}
}
if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) { if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
break; break;
} }
#endif
#endif
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_ATRB); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_ATRB);
FALL_THROUGH; FALL_THROUGH;
}
case WC_PKCS7_AUTHENV_ATRB: else {
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
pkcs7->stream->expected, &pkiMsg, &idx)) != 0) { break;
return ret;
} }
#endif
goto authenv_atrbend; /* jump over attribute cases */
}
length = pkcs7->stream->expected; case WC_PKCS7_AUTHENV_ATRB:
encodedAttribs = pkcs7->stream->aad; #ifndef NO_PKCS7_STREAM
#endif if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
return ret;
}
/* save pointer and length */ length = pkcs7->stream->expected;
authAttrib = &pkiMsg[idx]; encodedAttribs = pkcs7->stream->aad;
authAttribSz = length; #endif
if (ret == 0 && wc_PKCS7_ParseAttribs(pkcs7, authAttrib, authAttribSz) < 0) { /* save pointer and length */
WOLFSSL_MSG("Error parsing authenticated attributes"); authAttrib = &pkiMsg[idx];
return ASN_PARSE_E; authAttribSz = length;
}
idx += length; if (ret == 0 && wc_PKCS7_ParseAttribs(pkcs7, authAttrib, authAttribSz) < 0) {
WOLFSSL_MSG("Error parsing authenticated attributes");
ret = ASN_PARSE_E;
break;
}
#ifndef NO_PKCS7_STREAM idx += length;
if (encodedAttribSz > 0) {
XMEMCPY(pkcs7->stream->aad + (encodedAttribSz - length), authAttrib, authAttribSz); #ifndef NO_PKCS7_STREAM
} if (encodedAttribSz > 0) {
XMEMCPY(pkcs7->stream->aad + (encodedAttribSz - length),
authAttrib, authAttribSz);
}
if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) { if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
break; break;
} }
#endif #endif
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_ATRBEND); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_ATRBEND);
FALL_THROUGH; FALL_THROUGH;
case WC_PKCS7_AUTHENV_ATRBEND: authenv_atrbend:
case WC_PKCS7_AUTHENV_ATRBEND:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ + if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, MAX_LENGTH_SZ +
ASN_TAG_SZ, &pkiMsg, &idx)) != 0) { ASN_TAG_SZ, &pkiMsg, &idx)) != 0) {
return ret; return ret;
} }
pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK,
in, inSz);
if (pkcs7->stream->aadSz > 0) { if (pkcs7->stream->aadSz > 0) {
encodedAttribSz = pkcs7->stream->aadSz; encodedAttribSz = pkcs7->stream->aadSz;
encodedAttribs = pkcs7->stream->aad; encodedAttribs = pkcs7->stream->aad;
} }
#endif #endif
}
/* get authTag OCTET STRING */ /* get authTag OCTET STRING */
if (ret == 0 && pkiMsg[idx++] != ASN_OCTET_STRING) { if (ret == 0 && pkiMsg[idx++] != ASN_OCTET_STRING) {
@ -9673,7 +9757,7 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
if (ret < 0) if (ret < 0)
break; break;
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) { if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, &idx)) != 0) {
break; break;
} }
@ -9695,15 +9779,15 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
} }
} }
#endif #endif
wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_6); wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_AUTHENV_6);
FALL_THROUGH; FALL_THROUGH;
case WC_PKCS7_AUTHENV_6: case WC_PKCS7_AUTHENV_6:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz,
pkcs7->stream->expected, &pkiMsg, &idx)) != 0) { pkcs7->stream->expected, &pkiMsg, &idx)) != 0) {
return ret; break;
} }
/* restore all variables needed */ /* restore all variables needed */
@ -9738,7 +9822,7 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
wc_PKCS7_StreamGetVar(pkcs7, &encOID, &blockKeySz, &encryptedContentSz); wc_PKCS7_StreamGetVar(pkcs7, &encOID, &blockKeySz, &encryptedContentSz);
encryptedContent = pkcs7->stream->bufferPt; encryptedContent = pkcs7->stream->bufferPt;
#endif #endif
/* decrypt encryptedContent */ /* decrypt encryptedContent */
ret = wc_PKCS7_DecryptContent(encOID, decryptedKey, blockKeySz, ret = wc_PKCS7_DecryptContent(encOID, decryptedKey, blockKeySz,
@ -10077,7 +10161,11 @@ int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* in, word32 inSz,
byte* output, word32 outputSz) byte* output, word32 outputSz)
{ {
int ret = 0, version, length, haveAttribs = 0; int ret = 0, version, length, haveAttribs = 0;
word32 idx = 0, tmpIdx = 0; word32 idx = 0;
#ifndef NO_PKCS7_STREAM
word32 tmpIdx = 0;
#endif
word32 contentType, encOID; word32 contentType, encOID;
int expBlockSz = 0; int expBlockSz = 0;