Fixes
- Fix challengePw copy in ReqCertFromX509 - Proper header length in wolfSSL_PEM_X509_X509_CRL_X509_PKEY_read_bio - Special case for extended key usage in wolfSSL_OBJ_cmp - Numerical input in wolfSSL_OBJ_txt2obj can just be encoded with EncodePolicyOID. Searching by the sum can return wrong values since sums are not unique.
69
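--- a/src/ssl.c
+++ b/src/ssl.c
@@ -39363,10 +39363,8 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 /* Extended Key Usage not supported. */
 #endif
 #ifdef WOLFSSL_CERT_REQ
-if (XSTRLEN(cert->challengePw) > 0) {
-XMEMCPY(cert->challengePw, req->challengePw, CTC_NAME_SIZE);
-cert->challengePwPrintableString = 1;
-}
+XMEMCPY(cert->challengePw, req->challengePw, CTC_NAME_SIZE);
+cert->challengePwPrintableString = req->challengePw[0] != 0;
 #endif
 }
 
@@ -40842,7 +40840,7 @@ err:
 else if (header) {
 if (!headerEnd) {
 headerEnd = XSTRNSTR(header + XSTR_SIZEOF("-----"),
-"-----", i - (header - pem));
+"-----", i - (header + XSTR_SIZEOF("-----") - pem));
 if (headerEnd) {
 headerEnd += XSTR_SIZEOF("-----");
 /* Read in the newline */
@@ -40881,8 +40879,11 @@ err:
 }
 }
 }
-if (!footerEnd) /* Only check footerEnd since it is set last */
+if (!footerEnd) {
+/* Only check footerEnd since it is set last */
 WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
+goto err;
+}
 else {
 if (headerEnd - header ==
 XSTR_SIZEOF("-----BEGIN CERTIFICATE-----") &&
@@ -42034,6 +42035,33 @@ err:
 a->objSz == b->objSz) {
 return XMEMCMP(a->obj, b->obj, a->objSz);
 }
+else if (a != NULL && b != NULL && a->objSz != b->objSz &&
+(a->type == EXT_KEY_USAGE_OID
+|| b->type == EXT_KEY_USAGE_OID)) {
+/* Special case for EXT_KEY_USAGE_OID so that
+* cmp will be treated as a substring search */
+/* Used in libest to check for id-kp-cmcRA in
+* EXT_KEY_USAGE extension */
+unsigned int idx;
+const byte* s; /* shorter */
+unsigned int sLen;
+const byte* l; /* longer */
+unsigned int lLen;
+if (a->objSz > b->objSz) {
+s = b->obj; sLen = b->objSz;
+l = a->obj; lLen = a->objSz;
+}
+else {
+s = a->obj; sLen = a->objSz;
+l = b->obj; lLen = b->objSz;
+}
+for (idx = 0; idx <= lLen - sLen; idx++) {
+if (XMEMCMP(l + idx, s, sLen) == 0) {
+/* Found substring */
+return 0;
+}
+}
+}
 
 return WOLFSSL_FATAL_ERROR;
 }
@@ -42122,7 +42150,7 @@ err:
 int nid = NID_undef;
 unsigned int outSz = MAX_OID_SZ;
 unsigned char out[MAX_OID_SZ];
-unsigned int sum = 0;
+WOLFSSL_ASN1_OBJECT* obj;
 
 WOLFSSL_ENTER("wolfSSL_OBJ_txt2obj");
 
@@ -42132,9 +42160,26 @@ err:
 /* If s is numerical value, try to sum oid */
 ret = EncodePolicyOID(out, &outSz, s, NULL);
 if (ret == 0) {
-for (i = 0; i < (int)outSz; i++) {
-sum += out[i];
+/* If numerical encode succeeded then just
+* create object from that because sums are
+* not unique and can cause confusion. */
+obj = wolfSSL_ASN1_OBJECT_new();
+if (obj == NULL) {
+WOLFSSL_MSG("Issue creating WOLFSSL_ASN1_OBJECT struct");
+return NULL;
 }
+obj->dynamic |= WOLFSSL_ASN1_DYNAMIC;
+obj->obj = (byte*)XMALLOC(1 + MAX_LENGTH_SZ + outSz, NULL,
+DYNAMIC_TYPE_ASN1);
+if (obj->obj == NULL) {
+wolfSSL_ASN1_OBJECT_free(obj);
+return NULL;
+}
+obj->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA ;
+i = SetObjectId(outSz, (byte*)obj->obj);
+XMEMCPY((byte*)obj->obj + i, out, outSz);
+obj->objSz = i + outSz;
+return obj;
 }
 
 len = (int)XSTRLEN(s);
@@ -42144,11 +42189,7 @@ err:
 for (i = 0; i < (int)WOLFSSL_OBJECT_INFO_SZ; i++) {
 /* Short name, long name, and numerical value are interpreted */
 if (no_name == 0 && ((XSTRNCMP(s, wolfssl_object_info[i].sName, len) == 0) ||
-(XSTRNCMP(s, wolfssl_object_info[i].lName, len) == 0) ||
-(wolfssl_object_info[i].id == (int)sum)))
-nid = wolfssl_object_info[i].nid;
-/* Only numerical value is interpreted */
-else if (no_name == 1 && wolfssl_object_info[i].id == (int)sum)
+(XSTRNCMP(s, wolfssl_object_info[i].lName, len) == 0)))
 nid = wolfssl_object_info[i].nid;
 }
 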
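Review bot: The new EXT_KEY_USAGE_OID branch in wolfSSL_OBJ_cmp reports equality whenever the shorter object's bytes occur anywhere in the longer one, with no check that the match starts or ends on an OID boundary, so an object whose encoding is a byte-prefix of another (a parent arc, or the searched OID's bytes straddling two sub-identifiers of an unrelated value) also compares equal. Whether obj carries the tag/length header is not visible here; if it holds raw content bytes that false positive is easy to hit, and a caller using OBJ_cmp to gate an access decision would accept the wrong OID. The branch is also symmetric, so a single-OID object typed EXT_KEY_USAGE_OID is searched for inside any longer object of any type; if the intended shape is the extension value on the longer side, narrowing the condition to `((a->objSz > b->objSz && a->type == EXT_KEY_USAGE_OID) || (b->objSz > a->objSz && b->type == EXT_KEY_USAGE_OID))` limits it to that case. A comment on the branch stating that a 0 result here means "contained in", not "identical", would help readers who treat OBJ_cmp as a strict comparison; wolfSSL_OBJ_cmp's signature and first condition are outside the hunk.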
|
24
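--- a/tests/api.c
+++ b/tests/api.c
@@ -37890,6 +37890,13 @@ static void test_wolfSSL_d2i_X509_REQ(void)
 {
 const char* csrFile = "./certs/csr.signed.der";
 const char* csrPopFile = "./certs/csr.attr.der";
+/* ./certs/csr.dsa.pem is generated using
+* openssl req -newkey dsa:certs/dsaparams.pem \
+* -keyout certs/csr.dsa.key.pem -keyform PEM -out certs/csr.dsa.pem \
+* -outform PEM
+* with the passphrase "wolfSSL"
+*/
+const char* csrDsaFile = "./certs/csr.dsa.pem";
 BIO* bio = NULL;
 X509* req = NULL;
 EVP_PKEY *pub_key = NULL;
@@ -37930,6 +37937,23 @@ static void test_wolfSSL_d2i_X509_REQ(void)
 */
 AssertIntGE(X509_REQ_get_attr_by_NID(req, NID_pkcs9_challengePassword, -1), 0);
 
+X509_free(req);
+BIO_free(bio);
+}
+{
+AssertNotNull(bio = BIO_new_file(csrDsaFile, "rb"));
+AssertNotNull(PEM_read_bio_X509_REQ(bio, &req, NULL, NULL));
+
+/*
+* Extract the public key from the CSR
+*/
+AssertNotNull(pub_key = X509_REQ_get_pubkey(req));
+
+/*
+* Verify the signature in the CSR
+*/
+AssertIntEQ(X509_REQ_verify(req, pub_key), 1);
+
 X509_free(req);
 BIO_free(bio);
 }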
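Review bot: The new DSA block assigns pub_key from X509_REQ_get_pubkey(req) but frees only req and bio before its closing brace, so the key object leaks unless a free follows the hunk; add `EVP_PKEY_free(pub_key);` before the final `X509_free(req);`. The same pub_key variable is shared with the earlier block, so if that block's EVP_PKEY_free sits after the new closing brace (not visible here) it now frees the DSA key instead of its own and the first one leaks, which is a second reason to free inside each block. test_wolfSSL_d2i_X509_REQ begins and ends outside the hunk.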
|