wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-29 18:27:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix X509 subject and issuer name_hash mismatch

Browse Source 
Use WOLFSSL_ERROR_MSG for errors, don't leak canonName, and better
error handling and comments.
This commit is contained in:
jordan
2022-10-26 10:25:05 -05:00
parent 8b7668f771
commit be07401856
1 changed files with 76 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
src/x509.c
View File

@ -2993,43 +2993,44 @@ char* wolfSSL_X509_NAME_oneline(WOLFSSL_X509_NAME* name, char* in, int sz)
unsigned long wolfSSL_X509_NAME_hash(WOLFSSL_X509_NAME* name)
{
#ifndef NO_SHA
byte digest[WC_SHA_DIGEST_SIZE];
unsigned long ret = 0;
unsigned char* canon_name = NULL;
int size = 0;
unsigned long hash = 0;
unsigned char* canonName = NULL;
byte digest[WC_SHA_DIGEST_SIZE];
int size = 0;
WOLFSSL_ENTER("wolfSSL_X509_NAME_hash");
if (name == NULL) {
WOLFSSL_MSG("WOLFSSL_X509_NAME pointer was NULL");
WOLFSSL_ERROR_MSG("WOLFSSL_X509_NAME pointer was NULL");
return 0;
}
if (name->sz == 0) {
WOLFSSL_MSG("nothing to hash in WOLFSSL_X509_NAME");
WOLFSSL_ERROR_MSG("nothing to hash in WOLFSSL_X509_NAME");
return 0;
}
size = wolfSSL_i2d_X509_NAME_canon(name, &canon_name);
size = wolfSSL_i2d_X509_NAME_canon(name, &canonName);
if (size <= 0){
WOLFSSL_MSG("wolfSSL_i2d_X509_NAME_canon error");
if (size <= 0 || canonName == NULL) {
WOLFSSL_ERROR_MSG("wolfSSL_i2d_X509_NAME_canon error");
return 0;
}
if (wc_ShaHash((byte*)canon_name, size, digest) != 0) {
WOLFSSL_MSG("wc_ShaHash error");
return 0;
if (wc_ShaHash((byte*)canonName, size, digest) == 0) {
/* 4 bytes in little endian as unsigned long */
hash = (((unsigned long)digest[3] << 24) |
((unsigned long)digest[2] << 16) |
((unsigned long)digest[1] << 8) |
((unsigned long)digest[0]));
}
else {
WOLFSSL_ERROR_MSG("wc_ShaHash error");
}
XFREE(canon_name, NULL, DYNAMIC_TYPE_OPENSSL);
ret = (unsigned long) digest[0];
ret |= ((unsigned long) digest[1]) << 8;
ret |= ((unsigned long) digest[2]) << 16;
ret |= ((unsigned long) digest[3]) << 24;
return ret;
XFREE(canonName, NULL, DYNAMIC_TYPE_OPENSSL);
return hash;
#else
(void)name;
WOLFSSL_MSG("wolfSSL_X509_NAME_hash sha support not compiled in");
WOLFSSL_ERROR_MSG("wolfSSL_X509_NAME_hash sha support not compiled in");
return 0;
#endif
}
@ -4770,14 +4771,18 @@ WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert)
* wolfSSL_X509_subject_name_hash
* wolfSSL_X509_issuer_name_hash
* Compute the hash digest of the subject / issuer name.
* These functions prefers SHA-1 (if available) for compatibility.
* These functions prefer SHA-1 (if available) for compatibility. Otherwise
* they use SHA-256.
*
* RETURNS:
* The first 4 bytes of SHA hash in little endian order as unsigned long.
* The first 4 bytes of SHA-1 (or SHA-256) hash in little endian order as
* unsigned long.
* Otherwise, returns zero.
*
* Note:
* Returns the same hash value as OpenSSL's X509_X_name_hash() API
* if SHA-1 support is compiled in.
* if SHA-1 support is compiled in. SHA-256 will be used if SHA-1 is
* not available.
*/
unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509)
{
@ -4786,41 +4791,51 @@ unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509)
unsigned char* canonName = NULL;
byte digest[WC_MAX_DIGEST_SIZE];
int size = 0;
int retHash = NOT_COMPILED_IN;
if (x509 == NULL) {
WOLFSSL_ERROR_MSG("WOLFSSL_X509 pointer was NULL");
return 0;
}
subjectName = wolfSSL_X509_get_subject_name((WOLFSSL_X509*)x509);
if (subjectName == NULL) {
WOLFSSL_MSG("wolfSSL_X509_get_subject_name error");
WOLFSSL_ERROR_MSG("wolfSSL_X509_get_subject_name error");
return 0;
}
size = wolfSSL_i2d_X509_NAME_canon(subjectName, &canonName);
if (size <= 0 || canonName == NULL){
WOLFSSL_MSG("wolfSSL_i2d_X509_NAME_canon error");
WOLFSSL_ERROR_MSG("wolfSSL_i2d_X509_NAME_canon error");
return 0;
}
#ifndef NO_SHA
if (wc_ShaHash((const byte*)canonName, (word32)size, digest) != 0) {
WOLFSSL_MSG("wc_ShaHash error");
return 0;
}
retHash = wc_ShaHash((const byte*)canonName, (word32)size, digest);
#elif !defined(NO_SHA256)
if (wc_Sha256Hash((const byte*)canonName, (word32)size, digest) != 0) {
WOLFSSL_MSG("wc_Sha256Hash error");
return 0;
}
retHash = wc_Sha256Hash((const byte*)canonName, (word32)size, digest);
#else
retHash = NOT_COMPILED_IN;
#endif
hash = (unsigned long) digest[0];
hash |= ((unsigned long) digest[1]) << 8;
hash |= ((unsigned long) digest[2]) << 16;
hash |= ((unsigned long) digest[3]) << 24;
if (retHash == 0) {
/* 4 bytes in little endian as unsigned long */
hash = (((unsigned long)digest[3] << 24) |
((unsigned long)digest[2] << 16) |
((unsigned long)digest[1] << 8) |
((unsigned long)digest[0]));
}
else {
#ifndef NO_SHA
WOLFSSL_ERROR_MSG("wc_ShaHash error");
#elif !defined(NO_SHA256)
WOLFSSL_ERROR_MSG("wc_Sha256Hash error");
#else
WOLFSSL_ERROR_MSG("wolfSSL_X509_subject_name_hash not compiled in");
#endif
}
XFREE(canonName, NULL, DYNAMIC_TYPE_OPENSSL);
@ -4834,41 +4849,51 @@ unsigned long wolfSSL_X509_issuer_name_hash(const WOLFSSL_X509* x509)
unsigned char* canonName = NULL;
byte digest[WC_MAX_DIGEST_SIZE];
int size = 0;
int retHash = NOT_COMPILED_IN;
if (x509 == NULL) {
WOLFSSL_ERROR_MSG("WOLFSSL_X509 pointer was NULL");
return 0;
}
issuerName = wolfSSL_X509_get_issuer_name((WOLFSSL_X509*)x509);
if (issuerName == NULL) {
WOLFSSL_MSG("wolfSSL_X509_get_issuer_name error");
WOLFSSL_ERROR_MSG("wolfSSL_X509_get_issuer_name error");
return 0;
}
size = wolfSSL_i2d_X509_NAME_canon(issuerName, &canonName);
if (size <= 0 || canonName == NULL){
WOLFSSL_MSG("wolfSSL_i2d_X509_NAME_canon error");
WOLFSSL_ERROR_MSG("wolfSSL_i2d_X509_NAME_canon error");
return 0;
}
#ifndef NO_SHA
if (wc_ShaHash((const byte*)canonName, (word32)size, digest) != 0) {
WOLFSSL_MSG("wc_ShaHash error");
return 0;
}
retHash = wc_ShaHash((const byte*)canonName, (word32)size, digest);
#elif !defined(NO_SHA256)
if (wc_Sha256Hash((const byte*)canonName, (word32)size, digest) != 0) {
WOLFSSL_MSG("wc_ShaHash error");
return 0;
}
retHash = wc_Sha256Hash((const byte*)canonName, (word32)size, digest);
#else
retHash = NOT_COMPILED_IN;
#endif
hash = (unsigned long) digest[0];
hash |= ((unsigned long) digest[1]) << 8;
hash |= ((unsigned long) digest[2]) << 16;
hash |= ((unsigned long) digest[3]) << 24;
if (retHash == 0) {
/* 4 bytes in little endian as unsigned long */
hash = (((unsigned long)digest[3] << 24) |
((unsigned long)digest[2] << 16) |
((unsigned long)digest[1] << 8) |
((unsigned long)digest[0]));
}
else {
#ifndef NO_SHA
WOLFSSL_ERROR_MSG("wc_ShaHash error");
#elif !defined(NO_SHA256)
WOLFSSL_ERROR_MSG("wc_Sha256Hash error");
#else
WOLFSSL_ERROR_MSG("wolfSSL_X509_issuer_name_hash not compiled in");
#endif
}
XFREE(canonName, NULL, DYNAMIC_TYPE_OPENSSL);