PKCS7 changes

- Allow PKCS7_EncodeSigned to be called with a zero content length
- wc_HashUpdate now doesn't error out on zero length data
- First cert in wolfSSL_PKCS7_encode_certs is treated as main cert and the PKCS7 struct is initialized with it
- wolfSSL_BIO_get_mem_data returns the buffer from the last bio in chain

src/bio.c

@@ -1684,6 +1684,10 @@ int wolfSSL_BIO_get_mem_data(WOLFSSL_BIO* bio, void* p)
     if (bio == NULL)
         return WOLFSSL_FATAL_ERROR;
 
+    /* Return pointer from last BIO in chain */
+    while (bio->next)
+        bio = bio->next;
+
     if (p) {
         *(byte**)p = (byte*)bio->ptr;
     }

src/ssl.c

@@ -48732,7 +48732,10 @@ int wolfSSL_PKCS7_verify(PKCS7* pkcs7, WOLFSSL_STACK* certs,
 int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs,
                                WOLFSSL_BIO* out)
 {
+    int ret;
     PKCS7* p7;
+    WC_RNG rng;
+    byte cleanRng = 0;
 
     WOLFSSL_ENTER("wolfSSL_PKCS7_encode_certs");
 
@@ -48743,6 +48746,28 @@ int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs,
 
     p7 = &((WOLFSSL_PKCS7*)pkcs7)->pkcs7;
 
+    if (p7->certList) {
+        WOLFSSL_MSG("wolfSSL_PKCS7_encode_certs called multiple times on same "
+                    "struct");
+        return WOLFSSL_FAILURE;
+    }
+
+    if (certs) {
+        /* Save some of the values */
+        int hashOID = p7->hashOID;
+        byte version = p7->version;
+
+        if (wc_PKCS7_InitWithCert(p7, certs->data.x509->derCert->buffer,
+                certs->data.x509->derCert->length) != 0) {
+            WOLFSSL_MSG("wc_PKCS7_InitWithCert error");
+            return WOLFSSL_FAILURE;
+        }
+        certs = certs->next;
+
+        p7->hashOID = hashOID;
+        p7->version = version;
+    }
+
     /* Add the certs to the PKCS7 struct */
     while (certs) {
         if (wc_PKCS7_AddCertificate(p7, certs->data.x509->derCert->buffer,
@@ -48753,7 +48778,28 @@ int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs,
         certs = certs->next;
     }
 
-    return wolfSSL_i2d_PKCS7_bio(out, p7);
+    if (wc_PKCS7_SetSignerIdentifierType(p7, DEGENERATE_SID) != 0) {
+        WOLFSSL_MSG("wc_PKCS7_SetSignerIdentifierType error");
+        return WOLFSSL_FAILURE;
+    }
+
+    if (!p7->rng) {
+        if (wc_InitRng(&rng) != 0) {
+            WOLFSSL_MSG("wc_InitRng error");
+            return WOLFSSL_FAILURE;
+        }
+        p7->rng = &rng;
+        cleanRng = 1;
+    }
+
+    ret = wolfSSL_i2d_PKCS7_bio(out, p7);
+
+    if (cleanRng) {
+        wc_FreeRng(&rng);
+        p7->rng = NULL;
+    }
+
+    return ret;
 }
 #endif /* !NO_BIO */
 

wolfcrypt/src/hash.c

@@ -625,7 +625,7 @@ int wc_HashUpdate(wc_HashAlg* hash, enum wc_HashType type, const byte* data,
 {
     int ret = HASH_TYPE_E; /* Default to hash type error */
 
-    if (hash == NULL || data == NULL)
+    if (hash == NULL || (data == NULL && dataSz > 0))
         return BAD_FUNC_ARG;
 
     switch (type) {

wolfcrypt/src/pkcs7.c

@@ -1151,6 +1151,7 @@ int wc_PKCS7_AddCertificate(PKCS7* pkcs7, byte* derCert, word32 derCertSz)
                                DYNAMIC_TYPE_PKCS7);
     if (cert == NULL)
         return MEMORY_E;
+    XMEMSET(cert, 0, sizeof(Pkcs7Cert));
 
     cert->der = derCert;
     cert->derSz = derCertSz;
@@ -2268,8 +2269,8 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
 
     byte signingTime[MAX_TIME_STRING_SZ];
 
-    if (pkcs7 == NULL || pkcs7->contentSz == 0 ||
+    if (pkcs7 == NULL || (pkcs7->contentSz > 0 && pkcs7->content == NULL) ||
-        pkcs7->encryptOID == 0 || pkcs7->hashOID == 0 || pkcs7->rng == 0 ||
+        pkcs7->hashOID == 0 ||
         output == NULL || outputSz == NULL || *outputSz == 0 || hashSz == 0 ||
         hashBuf == NULL) {
         return BAD_FUNC_ARG;
@@ -2746,7 +2747,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz)
 #endif
 
     /* other args checked in wc_PKCS7_EncodeSigned_ex */
-    if (pkcs7 == NULL || pkcs7->contentSz == 0 || pkcs7->content == NULL) {
+    if (pkcs7 == NULL || (pkcs7->contentSz > 0 && pkcs7->content == NULL)) {
         return BAD_FUNC_ARG;
     }
 

wolfssl/openssl/include.am

@@ -47,6 +47,7 @@ nobase_include_HEADERS+= \
                          wolfssl/openssl/ssl.h \
                          wolfssl/openssl/stack.h \
                          wolfssl/openssl/tls1.h \
+                         wolfssl/openssl/txt_db.h \
                          wolfssl/openssl/ui.h \
                          wolfssl/openssl/x509.h \
                          wolfssl/openssl/x509_vfy.h \

wolfssl/openssl/txt_db.h

@@ -0,0 +1,27 @@
+/* txt_db.h
+ *
+ * Copyright (C) 2006-2020 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL.
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ */
+
+#ifndef WOLFSSL_TXT_DB_H_
+#define WOLFSSL_TXT_DB_H_
+
+
+
+#endif /* WOLFSSL_TXT_DB_H_ */

wolfssl/openssl/x509.h

@@ -24,4 +24,9 @@
 #define X509_FLAG_NO_IDS        (1UL << 12)
 
 #define XN_FLAG_FN_SN           0
-#define XN_FLAG_SEP_CPLUS_SPC   2
+#define XN_FLAG_ONELINE         0
+#define XN_FLAG_RFC2253         1
+#define XN_FLAG_SEP_CPLUS_SPC   (2 << 16)
+#define XN_FLAG_SEP_SPLUS_SPC   (3 << 16)
+#define XN_FLAG_DN_REV          (1 << 20)
+#define XN_FLAG_SPC_EQ          (1 << 23)

wolfssl/ssl.h

@@ -1816,12 +1816,6 @@ enum {
 
     X509_R_CERT_ALREADY_IN_HASH_TABLE,
 
-    XN_FLAG_SPC_EQ  = (1 << 23),
-    XN_FLAG_SEP_CPLUS_SPC = (2 << 16),
-    XN_FLAG_ONELINE = 0,
-    XN_FLAG_RFC2253 = 1,
-    XN_FLAG_DN_REV = (1 << 20),
-
     CRYPTO_LOCK = 1,
     CRYPTO_NUM_LOCKS = 10,