From b9c99709f721f161bcb27f28dfb6169a3f88e10a Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Wed, 8 Jan 2020 12:48:01 -0700 Subject: [PATCH] Fixes from review --- src/internal.c | 128 ------------------------------------ src/ssl.c | 131 ++++++++++++++++++++++++++++++++++++- tests/api.c | 2 + wolfcrypt/src/asn.c | 14 ++-- wolfcrypt/src/dh.c | 3 + wolfcrypt/src/wc_encrypt.c | 8 ++- wolfssl/internal.h | 4 +- 7 files changed, 150 insertions(+), 140 deletions(-) diff --git a/src/internal.c b/src/internal.c index 203a6c3a7..466536ab9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -17854,30 +17854,6 @@ const char* GetCipherNameInternal(const byte cipherSuite0, const byte cipherSuit } #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) -const char* GetCipherProtocol(const byte minor) -{ - const char* protocol; - - /* Protocol that matches OpenSSL's protocol version. */ - switch (minor) { - case TLSv1_MINOR : - protocol = "TLSv1"; - break; - case TLSv1_2_MINOR : - protocol = "TLSv1.2"; - break; - case TLSv1_3_MINOR : - protocol = "TLSv1.3"; - break; - case SSLv3_MINOR : - protocol = "SSLv3"; - break; - default : - protocol = "unknown"; - } - return protocol; -} - const char* GetCipherKeaStr(char n[][MAX_SEGMENT_SZ]) { const char* keaStr = NULL; const char *n0,*n1,*n2,*n3,*n4; @@ -18067,110 +18043,6 @@ int SetCipherBits(const char* enc) { return ret; } -/* Creates cipher->description based on cipher->offset - * cipher->offset is set in wolfSSL_get_ciphers_compat when it is added - * to a stack of ciphers. - * @param [in] cipher: A cipher from a stack of ciphers. - * return WOLFSSL_SUCCESS if cipher->description is set, else WOLFSSL_FAILURE - */ -int wolfSSL_sk_CIPHER_description(WOLFSSL_CIPHER* cipher) -{ - int ret = WOLFSSL_FAILURE; - int i,j,k; - int strLen; - unsigned long offset; - char *dp = cipher->description; - const char* name; - const char *keaStr, *authStr, *encStr, *macStr, *protocol; - char n[MAX_SEGMENTS][MAX_SEGMENT_SZ] = {{0}}; - uint8_t len = UINT8_SZ-1; - WOLFSSL_ENTER("wolfSSL_sk_CIPHER_description"); - - if (cipher == NULL) - return WOLFSSL_FAILURE; - - offset = cipher->offset; - protocol = GetCipherProtocol(cipher_names[offset].minor); - name = cipher_names[offset].name; - - if (name == NULL) - return ret; - - /* Segment cipher name into n[n0,n1,n2,n4] - * These are used later for comparisons to create: - * keaStr, authStr, encStr, macStr - * - * If cipher_name = ECDHE-ECDSA-AES256-SHA - * then n0 = "ECDHE", n1 = "ECDSA", n2 = "AES256", n3 = "SHA" - * and n = [n0,n1,n2,n3,0] - */ - strLen = (int)XSTRLEN(name); - - for (i = 0, j = 0, k = 0; i < strLen; i++) { - if(name[i] != '-' && k < MAX_SEGMENTS && j < MAX_SEGMENT_SZ) { - n[k][j] = name[i]; /* Fill kth segment string until '-' */ - j++; - } - else if(k < MAX_SEGMENTS && j < MAX_SEGMENT_SZ) { - n[k][j] = '\0'; - j = 0; - k++; - } - } - /* keaStr */ - keaStr = GetCipherKeaStr(n); - /* authStr */ - authStr = GetCipherAuthStr(n); - /* encStr */ - encStr = GetCipherEncStr(n); - if ((cipher->bits = SetCipherBits(encStr)) == WOLFSSL_FAILURE) { - WOLFSSL_MSG("Cipher Bits Not Set."); - } - /* macStr */ - macStr = GetCipherMacStr(n); - - - /* Build up the string by copying onto the end. */ - XSTRNCPY(dp, name, len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - - XSTRNCPY(dp, " ", len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - XSTRNCPY(dp, protocol, len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - - XSTRNCPY(dp, " Kx=", len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - XSTRNCPY(dp, keaStr, len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - - XSTRNCPY(dp, " Au=", len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - XSTRNCPY(dp, authStr, len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - - XSTRNCPY(dp, " Enc=", len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - XSTRNCPY(dp, encStr, len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - - XSTRNCPY(dp, " Mac=", len); - dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); - len -= (int)strLen; dp += strLen; - XSTRNCPY(dp, macStr, len); - dp[len-1] = '\0'; - - return WOLFSSL_SUCCESS; -} #endif /* WOLFSSL_QT || OPENSSL_ALL */ const char* GetCipherNameIana(const byte cipherSuite0, const byte cipherSuite) diff --git a/src/ssl.c b/src/ssl.c index 2308267c3..1262b32be 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -18416,7 +18416,6 @@ char* wolfSSL_X509_get_name_oneline(WOLFSSL_X509_NAME* name, char* in, int sz) char buf[80]; const char* sn; WOLFSSL_ENTER("wolfSSL_X509_get_name_oneline"); - (void)sz; if (name == NULL) { WOLFSSL_MSG("wolfSSL_X509_get_subject_name failed"); @@ -18494,6 +18493,13 @@ char* wolfSSL_X509_get_name_oneline(WOLFSSL_X509_NAME* name, char* in, int sz) return in; } } + else { + if (totalSz > sz) { + WOLFSSL_MSG("Memory error"); + return NULL; + } + } + XMEMCPY(in, tmpBuf, totalSz); in[totalSz] = '\0'; @@ -18513,7 +18519,7 @@ WOLFSSL_X509* wolfSSL_d2i_X509(WOLFSSL_X509** x509, const unsigned char** in, newX509 = wolfSSL_X509_d2i(x509, *in, len); if (newX509 != NULL) { - *in += len; + *in += newX509->derCert->length; } return newX509; } @@ -22216,6 +22222,127 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) #endif /* NO_CERTS */ +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) +/* Creates cipher->description based on cipher->offset + * cipher->offset is set in wolfSSL_get_ciphers_compat when it is added + * to a stack of ciphers. + * @param [in] cipher: A cipher from a stack of ciphers. + * return WOLFSSL_SUCCESS if cipher->description is set, else WOLFSSL_FAILURE + */ +int wolfSSL_sk_CIPHER_description(WOLFSSL_CIPHER* cipher) +{ + int ret = WOLFSSL_FAILURE; + int i,j,k; + int strLen; + unsigned long offset; + char* dp; + const char* name; + const char *keaStr, *authStr, *encStr, *macStr, *protocol; + char n[MAX_SEGMENTS][MAX_SEGMENT_SZ] = {{0}}; + uint8_t len = MAX_DESCRIPTION_SZ; + const CipherSuiteInfo* cipher_names; + ProtocolVersion pv; + WOLFSSL_ENTER("wolfSSL_sk_CIPHER_description"); + + if (cipher == NULL) + return WOLFSSL_FAILURE; + + dp = cipher->description; + if (dp == NULL) + return WOLFSSL_FAILURE; + + cipher_names = GetCipherNames(); + + offset = cipher->offset; + pv.major = cipher_names[offset].major; + pv.minor = cipher_names[offset].minor; + protocol = wolfSSL_internal_get_version(&pv); + + name = cipher_names[offset].name; + + if (name == NULL) + return ret; + + /* Segment cipher name into n[n0,n1,n2,n4] + * These are used later for comparisons to create: + * keaStr, authStr, encStr, macStr + * + * If cipher_name = ECDHE-ECDSA-AES256-SHA + * then n0 = "ECDHE", n1 = "ECDSA", n2 = "AES256", n3 = "SHA" + * and n = [n0,n1,n2,n3,0] + */ + strLen = (int)XSTRLEN(name); + + for (i = 0, j = 0, k = 0; i <= strLen; i++) { + if (k > MAX_SEGMENTS || j > MAX_SEGMENT_SZ) + break; + + if (name[i] != '-' && name[i] != '\0') { + n[k][j] = name[i]; /* Fill kth segment string until '-' */ + j++; + } + else { + n[k][j] = '\0'; + j = 0; + k++; + } + } + /* keaStr */ + keaStr = GetCipherKeaStr(n); + /* authStr */ + authStr = GetCipherAuthStr(n); + /* encStr */ + encStr = GetCipherEncStr(n); + if ((cipher->bits = SetCipherBits(encStr)) == WOLFSSL_FAILURE) { + WOLFSSL_MSG("Cipher Bits Not Set."); + } + /* macStr */ + macStr = GetCipherMacStr(n); + + + /* Build up the string by copying onto the end. */ + XSTRNCPY(dp, name, len); + dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); + len -= (int)strLen; dp += strLen; + + XSTRNCPY(dp, " ", len); + dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); + len -= (int)strLen; dp += strLen; + XSTRNCPY(dp, protocol, len); + dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); + len -= (int)strLen; dp += strLen; + + XSTRNCPY(dp, " Kx=", len); + dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); + len -= (int)strLen; dp += strLen; + XSTRNCPY(dp, keaStr, len); + dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); + len -= (int)strLen; dp += strLen; + + XSTRNCPY(dp, " Au=", len); + dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); + len -= (int)strLen; dp += strLen; + XSTRNCPY(dp, authStr, len); + dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); + len -= (int)strLen; dp += strLen; + + XSTRNCPY(dp, " Enc=", len); + dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); + len -= (int)strLen; dp += strLen; + XSTRNCPY(dp, encStr, len); + dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); + len -= (int)strLen; dp += strLen; + + XSTRNCPY(dp, " Mac=", len); + dp[len-1] = '\0'; strLen = (int)XSTRLEN(dp); + len -= (int)strLen; dp += strLen; + XSTRNCPY(dp, macStr, len); + dp[len-1] = '\0'; + + return WOLFSSL_SUCCESS; +} +#endif + char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER* cipher, char* in, int len) { diff --git a/tests/api.c b/tests/api.c index 86b059d13..f7d03cfc6 100644 --- a/tests/api.c +++ b/tests/api.c @@ -21769,7 +21769,9 @@ static void test_wolfSSL_BIO(void) /* try read using ctrl function */ AssertIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_WPENDING, 0, NULL), 8); + AssertIntEQ((int)BIO_ctrl(bio1, BIO_CTRL_PENDING, 0, NULL), 8); AssertIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_WPENDING, 0, NULL), 20); + AssertIntEQ((int)BIO_ctrl(bio2, BIO_CTRL_PENDING, 0, NULL), 20); AssertIntEQ(BIO_nread(bio2, &bufPt, (int)BIO_ctrl_pending(bio2)), 20); for (i = 0; i < 20; i++) { diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 2c972467a..307ad6258 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -4471,26 +4471,27 @@ int wc_DhKeyDecode(const byte* input, word32* inOutIdx, DhKey* key, word32 inSz) temp = *inOutIdx; ret = (CheckBitString(input, inOutIdx, &length, inSz, 0, NULL) == 0); - - if (ret) { + if (ret > 0) { /* Found Bit String */ if (GetInt(&key->pub, input, inOutIdx, inSz) == 0) { WOLFSSL_MSG("Found Public Key"); + ret = 0; } } else { *inOutIdx = temp; ret = (GetOctetString(input, inOutIdx, &length, inSz) >= 0); - if (ret) { + if (ret > 0) { /* Found Octet String */ if (GetInt(&key->priv, input, inOutIdx, inSz) == 0) { WOLFSSL_MSG("Found Private Key"); + ret = 0; } } else { /* Don't use length from failed CheckBitString/GetOctetString */ *inOutIdx = temp; + ret = 0; } } - ret = 0; #endif /* WOLFSSL_QT || OPENSSL_ALL */ WOLFSSL_MSG("wc_DhKeyDecode Success"); @@ -14629,6 +14630,7 @@ int StoreDHparams(byte* out, word32* outLen, mp_int* p, mp_int* g) int pSz; int gSz; unsigned int tmp; + word32 headerSz = 4; /* 2*ASN_TAG + 2*LEN(ENUM) */ /* If the leading bit on the INTEGER is a 1, add a leading zero */ int pLeadingZero = mp_leading_bit(p); @@ -14643,12 +14645,12 @@ int StoreDHparams(byte* out, word32* outLen, mp_int* p, mp_int* g) } tmp = pLeadingZero + gLeadingZero + pLen + gLen; - if (*outLen < tmp) { + if (*outLen < (tmp + headerSz)) { return BUFFER_E; } /* Set sequence */ - idx = SetSequence(tmp, out); + idx = SetSequence(tmp + headerSz + 2, out); /* Encode p */ pSz = SetASNIntMP(p, -1, &out[idx]); diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c index 8c5c028b2..390afc11b 100644 --- a/wolfcrypt/src/dh.c +++ b/wolfcrypt/src/dh.c @@ -2066,6 +2066,9 @@ int wc_DhAgree(DhKey* key, byte* agree, word32* agreeSz, const byte* priv, } #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) +/* Sets private and public key in DhKey if both are available, otherwise sets + either private or public key, depending on which is available. + Returns WOLFSSL_SUCCESS if at least one of the keys was set. */ WOLFSSL_LOCAL int wc_DhSetFullKeys(DhKey* key,const byte* priv_key,word32 privSz, const byte* pub_key, word32 pubSz) { diff --git a/wolfcrypt/src/wc_encrypt.c b/wolfcrypt/src/wc_encrypt.c index 53abffae1..9ae0c84d9 100644 --- a/wolfcrypt/src/wc_encrypt.c +++ b/wolfcrypt/src/wc_encrypt.c @@ -423,31 +423,35 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, derivedLen = 16; break; #endif - #if defined(WOLFSSL_AES_256) && !defined(NO_SHA) + #if defined(WOLFSSL_AES_256) case PBE_AES256_CBC: switch(shaOid) { case HMAC_SHA256_OID: typeH = WC_SHA256; derivedLen = 32; break; + #ifndef NO_SHA default: typeH = WC_SHA; derivedLen = 32; break; + #endif } break; #endif /* WOLFSSL_AES_256 && !NO_SHA */ - #if defined(WOLFSSL_AES_128) && !defined(NO_SHA) + #if defined(WOLFSSL_AES_128) case PBE_AES128_CBC: switch(shaOid) { case HMAC_SHA256_OID: typeH = WC_SHA256; derivedLen = 16; break; + #ifndef NO_SHA default: typeH = WC_SHA; derivedLen = 16; break; + #endif } break; #endif /* WOLFSSL_AES_128 && !NO_SHA */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 74e9b2d33..acae5b5c5 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1804,7 +1804,7 @@ WOLFSSL_LOCAL int SetCipherList(WOLFSSL_CTX*, Suites*, const char* list); #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) -#define UINT8_SZ 255 +#define MAX_DESCRIPTION_SZ 255 #endif /* wolfSSL Cipher type just points back to SSL */ struct WOLFSSL_CIPHER { @@ -1812,7 +1812,7 @@ struct WOLFSSL_CIPHER { byte cipherSuite; WOLFSSL* ssl; #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - char description[UINT8_SZ]; + char description[MAX_DESCRIPTION_SZ]; unsigned long offset; unsigned int in_stack; /* TRUE if added to stack in wolfSSL_get_ciphers_compat */ int bits;