From 18a27cfe75e136d7859fed0993db197474d3e23d Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Tue, 25 Sep 2018 12:55:52 -0700
Subject: [PATCH] Changed the DecodedCert's der pointer to be a pointer to const. The DecodedCert doesn't own the der value, so it should be const. Had to make many other changes downstream of this.
---
 src/ssl.c | 14 ++++----
 wolfcrypt/src/asn.c | 76 +++++++++++++++++++++------------------
 wolfssl/internal.h | 2 +-
 wolfssl/ssl.h | 2 +-
 wolfssl/wolfcrypt/asn.h | 33 ++++++++---------
 wolfssl/wolfcrypt/pkcs7.h | 2 +-
 6 files changed, 70 insertions(+), 59 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index d48363a64..cf1d06630 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -8163,6 +8163,7 @@ static WC_INLINE int RestoreCertRow(WOLFSSL_CERT_MANAGER* cm, byte* current,
 while (listSz) {
 Signer* signer;
+ byte* publicKey;
 byte* start = current + idx; /* for end checks on this signer */
 int minSz = sizeof(signer->pubKeySize) + sizeof(signer->keyOID) + sizeof(signer->nameLen) + sizeof(signer->subjectNameHash);
@@ -8192,14 +8193,15 @@ static WC_INLINE int RestoreCertRow(WOLFSSL_CERT_MANAGER* cm, byte* current,
 FreeSigner(signer, cm->heap);
 return BUFFER_E;
 }
- signer->publicKey = (byte*)XMALLOC(signer->pubKeySize, cm->heap,
- DYNAMIC_TYPE_KEY);
- if (signer->publicKey == NULL) {
+ publicKey = (byte*)XMALLOC(signer->pubKeySize, cm->heap,
+ DYNAMIC_TYPE_KEY);
+ if (publicKey == NULL) {
 FreeSigner(signer, cm->heap);
 return MEMORY_E;
 }
- XMEMCPY(signer->publicKey, current + idx, signer->pubKeySize);
+ XMEMCPY(publicKey, current + idx, signer->pubKeySize);
+ signer->publicKey = publicKey;
 idx += signer->pubKeySize; /* nameLen */
@@ -15502,7 +15504,7 @@ void wolfSSL_ASN1_OBJECT_free(WOLFSSL_ASN1_OBJECT* obj)
 if (obj->dynamic == 1) {
 if (obj->obj != NULL) {
 WOLFSSL_MSG("Freeing ASN1 OBJECT data");
- XFREE(obj->obj, obj->heap, DYNAMIC_TYPE_ASN1);
+ XFREE((void*)obj->obj, obj->heap, DYNAMIC_TYPE_ASN1);
 }
 }
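Review bot: The restored key in the second RestoreCertRow hunk is still allocated with `DYNAMIC_TYPE_KEY`, while the FreeSigner hunk in wolfcrypt/src/asn.c releases `signer->publicKey` with `DYNAMIC_TYPE_PUBLIC_KEY`. The commit touches both sites and keeps the mismatch; with an allocator or memory tracker that keys on the type tag, the free would be accounted against a different tag than the allocation. The allocation should presumably read `publicKey = (byte*)XMALLOC(signer->pubKeySize, cm->heap, DYNAMIC_TYPE_PUBLIC_KEY);`. RestoreCertRow starts and ends outside the hunk, so any other free site for this buffer is not visible here.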
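Review bot: `obj->obj` is freed in wolfSSL_ASN1_OBJECT_free when `obj->dynamic == 1`, so the object owns that buffer, yet the ssl.h hunk now declares it `const unsigned char* obj`, and both this hunk and the `XMEMCPY((byte*)obj->obj, objBuf, obj->objSz);` hunk at -30170 cast the qualifier away. The publicKey changes in this same commit avoid writing through a cast by filling a local `byte*` and assigning it to the const field afterwards; the same shape would fit the copy at -30170, although the allocation it pairs with sits outside that hunk. WOLFSSL_ASN1_OBJECT is declared in wolfssl/ssl.h, which looks like an application-facing header, so code that writes through `obj->obj` would stop compiling; the commit description should mention that.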
@@ -30170,7 +30172,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 wolfSSL_ASN1_OBJECT_free(obj);
 return NULL;
 }
- XMEMCPY(obj->obj, objBuf, obj->objSz);
+ XMEMCPY((byte*)obj->obj, objBuf, obj->objSz);
 (void)type;
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index cb5f5e13d..0404e7239 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -3766,7 +3766,8 @@ int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen)
 #endif /* NO_DSA */
-void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
+void InitDecodedCert(DecodedCert* cert,
+ const byte* source, word32 inSz, void* heap)
 {
 if (cert != NULL) {
 XMEMSET(cert, 0, sizeof(DecodedCert));
@@ -3826,7 +3827,7 @@ void FreeDecodedCert(DecodedCert* cert)
 if (cert->subjectCNStored == 1) XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN);
 if (cert->pubKeyStored == 1)
- XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+ XFREE((void*)cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
 if (cert->weOwnAltNames && cert->altNames) FreeAltNames(cert->altNames, cert->heap);
 #ifndef IGNORE_NAME_CONSTRAINTS
@@ -3954,6 +3955,7 @@ static int GetKey(DecodedCert* cert)
 word16 keyLen;
 word32 rc;
 word32 remaining = cert->maxIdx - cert->srcIdx;
+ byte* publicKey;
 #ifdef WOLFSSL_SMALL_STACK
 byte* keyBlob = NULL;
 #else
@@ -3991,15 +3993,16 @@ static int GetKey(DecodedCert* cert)
 cert->srcIdx = tmpIdx + (int)(next - key);
- cert->publicKey = (byte*)XMALLOC(keyLen, cert->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- if (cert->publicKey == NULL) {
+ publicKey = (byte*)XMALLOC(keyLen, cert->heap,
+ DYNAMIC_TYPE_PUBLIC_KEY);
+ if (publicKey == NULL) {
 #ifdef WOLFSSL_SMALL_STACK
 XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
 #endif
 return MEMORY_E;
 }
- XMEMCPY(cert->publicKey, keyBlob, keyLen);
+ XMEMCPY(publicKey, keyBlob, keyLen);
+ cert->publicKey = publicKey;
 cert->pubKeyStored = 1;
 cert->pubKeySize = keyLen;
@@ -4016,6 +4019,7 @@ static int GetKey(DecodedCert* cert)
 int ret;
 byte seq[5];
 int pubLen = length + 1 + SetLength(length, seq);
+ byte* publicKey;
 if (cert->source[cert->srcIdx] != (ASN_SEQUENCE | ASN_CONSTRUCTED)) {
@@ -4033,11 +4037,12 @@ static int GetKey(DecodedCert* cert)
 return ret;
 }
- cert->publicKey = (byte*)XMALLOC(pubLen, cert->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- if (cert->publicKey == NULL)
+ publicKey = (byte*)XMALLOC(pubLen, cert->heap,
+ DYNAMIC_TYPE_PUBLIC_KEY);
+ if (publicKey == NULL)
 return MEMORY_E;
- XMEMCPY(cert->publicKey, &cert->source[tmpIdx], pubLen);
+ XMEMCPY(publicKey, &cert->source[tmpIdx], pubLen);
+ cert->publicKey = publicKey;
 cert->pubKeyStored = 1;
 cert->pubKeySize = pubLen;
@@ -4049,6 +4054,7 @@ static int GetKey(DecodedCert* cert)
 #ifdef HAVE_ED25519
 case ED25519k: {
+ byte* publicKey;
 int ret;
 cert->pkCurveOID = ED25519k;
@@ -4058,11 +4064,12 @@ static int GetKey(DecodedCert* cert)
 if (ret != 0) return ret;
- cert->publicKey = (byte*) XMALLOC(length, cert->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- if (cert->publicKey == NULL)
+ publicKey = (byte*) XMALLOC(length, cert->heap,
+ DYNAMIC_TYPE_PUBLIC_KEY);
+ if (publicKey == NULL)
 return MEMORY_E;
- XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length);
+ XMEMCPY(publicKey, &cert->source[cert->srcIdx], length);
+ cert->publicKey = publicKey;
 cert->pubKeyStored = 1;
 cert->pubKeySize = length;
@@ -5934,7 +5941,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
 #endif /* IGNORE_NAME_CONSTRAINTS */
-static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
+static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0;
 int length = 0;
@@ -6191,7 +6198,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
 return 0;
 }
-static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
+static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0;
 int length = 0;
@@ -6238,7 +6245,7 @@ static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
 #define GENERALNAME_URI 6 /* From RFC3280 SS4.2.1.7, GeneralName */
-static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
+static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0;
 int length = 0;
@@ -6319,7 +6326,7 @@ static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
 }
-static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
+static int DecodeAuthInfo(const byte* input, int sz, DecodedCert* cert)
 /* * Read the first of the Authority Information Access records. If there are * any issues, return without saving the record.
@@ -6365,7 +6372,7 @@ static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
 }
-static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
+static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0;
 int length = 0, ret = 0;
@@ -6402,7 +6409,7 @@ static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
 }
-static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
+static int DecodeSubjKeyId(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0;
 int length = 0, ret = 0;
@@ -6431,7 +6438,7 @@ static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
 }
-static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
+static int DecodeKeyUsage(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0;
 int length;
@@ -6450,7 +6457,7 @@ static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
 }
-static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
+static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0, oid;
 int length, ret;
@@ -6509,7 +6516,8 @@ static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
 #ifndef IGNORE_NAME_CONSTRAINTS
 #define ASN_TYPE_MASK 0xF
-static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
+static int DecodeSubtree(const byte* input, int sz,
+ Base_entry** head, void* heap)
 {
 word32 idx = 0;
@@ -6576,7 +6584,7 @@ static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
 }
-static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert)
+static int DecodeNameConstraints(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0;
 int length = 0;
@@ -6651,7 +6659,7 @@ static int Word32ToString(char* d, word32 number)
 /* Decode ITU-T X.690 OID format to a string representation * return string length */
-int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
+int DecodePolicyOID(char *out, word32 outSz, const byte *in, word32 inSz)
 {
 word32 val, idx = 0, nb_bytes;
 size_t w_bytes = 0;
@@ -6704,7 +6712,7 @@ int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
 #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) /* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */
- static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
+ static int DecodeCertPolicy(const byte* input, int sz, DecodedCert* cert)
 {
 word32 idx = 0;
 word32 oldIdx;
@@ -6822,7 +6830,7 @@ static int DecodeCertExtensions(DecodedCert* cert)
 int ret = 0;
 word32 idx = 0;
 int sz = cert->extensionsSz;
- byte* input = cert->extensions;
+ const byte* input = cert->extensions;
 int length;
 word32 oid;
 byte critical = 0;
@@ -7598,7 +7606,7 @@ Signer* MakeSigner(void* heap)
 void FreeSigner(Signer* signer, void* heap)
 {
 XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
- XFREE(signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
+ XFREE((void*)signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
 #ifndef IGNORE_NAME_CONSTRAINTS
 if (signer->permittedNames) FreeNameSubtrees(signer->permittedNames, heap);
@@ -11833,7 +11841,7 @@ int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz)
 #endif /* decode certificate and get SKID that will be AKID of current cert */
- InitDecodedCert(decoded, (byte*)der, derSz, NULL);
+ InitDecodedCert(decoded, der, derSz, NULL);
 ret = ParseCert(decoded, CERT_TYPE, NO_VERIFY, 0);
 if (ret != 0) {
 FreeDecodedCert(decoded);
@@ -12077,7 +12085,7 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
 return MEMORY_E;
 #endif
- InitDecodedCert(decoded, (byte*)der, derSz, NULL);
+ InitDecodedCert(decoded, der, derSz, NULL);
 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
 if (ret < 0) {
@@ -12173,7 +12181,7 @@ static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
 return MEMORY_E;
 #endif
- InitDecodedCert(decoded, (byte*)der, derSz, NULL);
+ InitDecodedCert(decoded, der, derSz, NULL);
 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
 if (ret < 0) {
@@ -12227,7 +12235,7 @@ static int SetNameFromCert(CertName* cn, const byte* der, int derSz)
 return MEMORY_E;
 #endif
- InitDecodedCert(decoded, (byte*)der, derSz, NULL);
+ InitDecodedCert(decoded, der, derSz, NULL);
 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
 if (ret < 0) {
@@ -12353,7 +12361,7 @@ static int SetSubjectRawFromCert(byte* sbjRaw, const byte* der, int derSz)
 }
 #endif
- InitDecodedCert(decoded, (byte*)der, derSz, NULL);
+ InitDecodedCert(decoded, der, derSz, NULL);
 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
 if (ret < 0) {
@@ -12405,7 +12413,7 @@ static int SetIssuerRawFromCert(byte* issuerRaw, const byte* der, int derSz)
 }
 #endif
- InitDecodedCert(decoded, (byte*)der, derSz, NULL);
+ InitDecodedCert(decoded, der, derSz, NULL);
 ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
 if (ret < 0) {
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 73cc2d964..b9ee207b1 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3394,7 +3394,7 @@ struct WOLFSSL_X509 {
 byte* authKeyId;
 byte* subjKeyId;
 byte* extKeyUsageSrc;
- byte* CRLInfo;
+ const byte* CRLInfo;
 byte* authInfo;
 word32 pathLength;
 word16 keyUsage;
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 97399b5f2..c7729c4a5 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -212,7 +212,7 @@ struct WOLFSSL_ASN1_STRING {
 #define WOLFSSL_MAX_SNAME 40
 struct WOLFSSL_ASN1_OBJECT {
 void* heap;
- unsigned char* obj;
+ const unsigned char* obj;
 /* sName is short name i.e sha256 rather than oid (null terminated) */ char sName[WOLFSSL_MAX_SNAME];
 int type; /* oid */
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index df0c2d6b4..60339437b 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -611,7 +611,7 @@ typedef struct CertSignCtx CertSignCtx;
 struct DecodedCert {
- byte* publicKey;
+ const byte* publicKey;
 word32 pubKeySize;
 int pubKeyStored;
 word32 certBegin; /* offset to start of cert */
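Review bot: `publicKey` in struct DecodedCert gets the const qualifier without any comment on ownership, although its ownership is conditional: FreeDecodedCert frees it only when `pubKeyStored == 1`, and the GetKey hunks set that flag right after copying the key into a fresh allocation. A trailing comment on the field, for example `/* heap copy when pubKeyStored is set, otherwise not owned */`, would explain the `(void*)` cast in FreeDecodedCert to the next reader. The "otherwise" half is inferred from the flag and should be confirmed against the key paths that are not part of this diff.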
@@ -631,25 +631,25 @@ struct DecodedCert {
 #ifdef HAVE_OCSP
 byte issuerKeyHash[KEYID_SIZE]; /* hash of the public Key */
 #endif /* HAVE_OCSP */
- byte* signature; /* not owned, points into raw cert */
+ const byte* signature; /* not owned, points into raw cert */
 char* subjectCN; /* CommonName */
 int subjectCNLen; /* CommonName Length */
 char subjectCNEnc; /* CommonName Encoding */
 char issuer[ASN_NAME_MAX]; /* full name including common name */
 char subject[ASN_NAME_MAX]; /* full name including common name */
 int verify; /* Default to yes, but could be off */
- byte* source; /* byte buffer holder cert, NOT owner */
+ const byte* source; /* byte buffer holder cert, NOT owner */
 word32 srcIdx; /* current offset into buffer */
 word32 maxIdx; /* max offset based on init size */
 void* heap; /* for user memory overrides */
 byte serial[EXTERNAL_SERIAL_SIZE]; /* raw serial number */
 int serialSz; /* raw serial bytes stored */
- byte* extensions; /* not owned, points into raw cert */
+ const byte* extensions; /* not owned, points into raw cert */
 int extensionsSz; /* length of cert extensions */
 word32 extensionsIdx; /* if want to go back and parse later */
- byte* extAuthInfo; /* Authority Information Access URI */
+ const byte* extAuthInfo; /* Authority Information Access URI */
 int extAuthInfoSz; /* length of the URI */
- byte* extCrlInfo; /* CRL Distribution Points */
+ const byte* extCrlInfo; /* CRL Distribution Points */
 int extCrlInfoSz; /* length of the URI */
 byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */
 byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */
@@ -658,28 +658,28 @@ struct DecodedCert {
 byte extExtKeyUsage; /* Extended Key usage bitfield */
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- byte* extExtKeyUsageSrc;
+ const byte* extExtKeyUsageSrc;
 word32 extExtKeyUsageSz;
 word32 extExtKeyUsageCount;
- byte* extAuthKeyIdSrc;
+ const byte* extAuthKeyIdSrc;
 word32 extAuthKeyIdSz;
- byte* extSubjKeyIdSrc;
+ const byte* extSubjKeyIdSrc;
 word32 extSubjKeyIdSz;
 #endif
 #if defined(HAVE_ECC) || defined(HAVE_ED25519)
 word32 pkCurveOID; /* Public Key's curve OID */
 #endif /* HAVE_ECC */
- byte* beforeDate;
+ const byte* beforeDate;
 int beforeDateLen;
- byte* afterDate;
+ const byte* afterDate;
 int afterDateLen;
 #if defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT)
- byte* issuerRaw; /* pointer to issuer inside source */
+ const byte* issuerRaw; /* pointer to issuer inside source */
 int issuerRawLen;
 #endif
 #ifndef IGNORE_NAME_CONSTRAINT
- byte* subjectRaw; /* pointer to subject inside source */
+ const byte* subjectRaw; /* pointer to subject inside source */
 int subjectRawLen;
 #endif
 #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
@@ -793,7 +793,7 @@ struct Signer {
 word16 keyUsage;
 byte pathLength;
 byte pathLengthSet;
- byte* publicKey;
+ const byte* publicKey;
 int nameLen;
 char* name; /* common name */
 #ifndef IGNORE_NAME_CONSTRAINTS
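Review bot: In the struct Signer hunk, `publicKey` becomes const although the Signer owns that buffer: the FreeSigner hunk frees it unconditionally and RestoreCertRow fills it from a fresh allocation. The commit's stated reason for const (the DecodedCert does not own the DER) therefore does not carry over to this field, and the qualifier is what forces the `(void*)` cast in FreeSigner. If const is required because the pointer is handed over from `DecodedCert.publicKey` somewhere outside this diff, the field should say so, e.g. `const byte* publicKey; /* owned; freed by FreeSigner */`.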
@@ -858,11 +858,12 @@ WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*);
 #ifndef IGNORE_NAME_CONSTRAINTS
 WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*);
 #endif /* IGNORE_NAME_CONSTRAINTS */
-WOLFSSL_ASN_API void InitDecodedCert(DecodedCert*, byte*, word32, void*);
+WOLFSSL_ASN_API void InitDecodedCert(DecodedCert*, const byte*, word32, void*);
 WOLFSSL_ASN_API void FreeDecodedCert(DecodedCert*);
 WOLFSSL_ASN_API int ParseCert(DecodedCert*, int type, int verify, void* cm);
-WOLFSSL_LOCAL int DecodePolicyOID(char *o, word32 oSz, byte *in, word32 inSz);
+WOLFSSL_LOCAL int DecodePolicyOID(char *o, word32 oSz,
+ const byte *in, word32 inSz);
 WOLFSSL_API int CheckCertSignature(const byte*,word32,void*,void* cm);
 WOLFSSL_LOCAL int ParseCertRelative(DecodedCert*,int type,int verify,void* cm);
 WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);
diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h
index 2c321dbee..2f8531b78 100644
--- a/wolfssl/wolfcrypt/pkcs7.h
+++ b/wolfssl/wolfcrypt/pkcs7.h
@@ -103,7 +103,7 @@ typedef struct PKCS7 {
 PKCS7Attrib* signedAttribs;
 byte* content; /* inner content, not owner */
 byte* singleCert; /* recipient cert, DER, not owner */
- byte* issuer; /* issuer name of singleCert */
+ const byte* issuer; /* issuer name of singleCert */
 byte* privateKey; /* private key, DER, not owner */
 void* heap; /* heap hint for dynamic memory */
 #ifdef ASN_BER_TO_DER
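Review bot: The InitDecodedCert prototype now accepts `const byte*`, but nothing at the declaration states the lifetime contract that the struct comments imply (`source` is "NOT owner", `signature` and `extensions` "point into raw cert"). A short comment above the prototype, such as `/* source is borrowed: it must stay valid and unmodified until FreeDecodedCert() */`, would tell callers that releasing or reusing the DER buffer while the DecodedCert is live leaves those fields dangling. The parameter names are also omitted in this prototype; naming the `const byte*` parameter `source` would match the definition in asn.c.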