mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2025-08-01 03:34:39 +02:00
Merge pull request #338 from dgarske/DerBufferRefactor2
Refactor of DerBuffer, so WOLFSSL object doesn't have to grow as a re…
This commit is contained in:
toddouska
11
src/crl.c
11
src/crl.c
@@ -263,7 +263,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
|
|||||||
{
|
{
|
||||||
int ret = SSL_SUCCESS;
|
int ret = SSL_SUCCESS;
|
||||||
const byte* myBuffer = buff; /* if DER ok, otherwise switch */
|
const byte* myBuffer = buff; /* if DER ok, otherwise switch */
|
||||||
DerBuffer der;
|
DerBuffer* der = NULL;
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
DecodedCRL* dcrl;
|
DecodedCRL* dcrl;
|
||||||
#else
|
#else
|
||||||
@@ -275,11 +275,6 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
|
|||||||
if (crl == NULL || buff == NULL || sz == 0)
|
if (crl == NULL || buff == NULL || sz == 0)
|
||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
|
|
||||||
ret = InitDer(&der);
|
|
||||||
if (ret < 0) {
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (type == SSL_FILETYPE_PEM) {
|
if (type == SSL_FILETYPE_PEM) {
|
||||||
int eccKey = 0; /* not used */
|
int eccKey = 0; /* not used */
|
||||||
EncryptedInfo info;
|
EncryptedInfo info;
|
||||||
@@ -287,8 +282,8 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
|
|||||||
|
|
||||||
ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
|
ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
myBuffer = der.buffer;
|
myBuffer = der->buffer;
|
||||||
sz = der.length;
|
sz = der->length;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
WOLFSSL_MSG("Pem to Der failed");
|
WOLFSSL_MSG("Pem to Der failed");
|
||||||
|
|||||||
153
src/internal.c
153
src/internal.c
@@ -1642,7 +1642,7 @@ void InitX509(WOLFSSL_X509* x509, int dynamicFlag)
|
|||||||
x509->version = 0;
|
x509->version = 0;
|
||||||
x509->pubKey.buffer = NULL;
|
x509->pubKey.buffer = NULL;
|
||||||
x509->sig.buffer = NULL;
|
x509->sig.buffer = NULL;
|
||||||
InitDer(&x509->derCert);
|
x509->derCert = NULL;
|
||||||
x509->altNames = NULL;
|
x509->altNames = NULL;
|
||||||
x509->altNamesNext = NULL;
|
x509->altNamesNext = NULL;
|
||||||
x509->dynamicMemory = (byte)dynamicFlag;
|
x509->dynamicMemory = (byte)dynamicFlag;
|
||||||
@@ -1860,9 +1860,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
|
|||||||
|
|
||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
/* ctx still owns certificate, certChain, key, dh, and cm */
|
/* ctx still owns certificate, certChain, key, dh, and cm */
|
||||||
XMEMCPY(&ssl->buffers.certificate, &ctx->certificate, sizeof(DerBuffer));
|
ssl->buffers.certificate = ctx->certificate;
|
||||||
XMEMCPY(&ssl->buffers.certChain, &ctx->certChain, sizeof(DerBuffer));
|
ssl->buffers.certChain = ctx->certChain;
|
||||||
XMEMCPY(&ssl->buffers.key, &ctx->privateKey, sizeof(DerBuffer));
|
ssl->buffers.key = ctx->privateKey;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef HAVE_CAVIUM
|
#ifdef HAVE_CAVIUM
|
||||||
@@ -1897,7 +1897,8 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
|
|||||||
/* make sure server has cert and key unless using PSK or Anon
|
/* make sure server has cert and key unless using PSK or Anon
|
||||||
* This should be true even if just switching ssl ctx */
|
* This should be true even if just switching ssl ctx */
|
||||||
if (ssl->options.side == WOLFSSL_SERVER_END && !havePSK && !haveAnon)
|
if (ssl->options.side == WOLFSSL_SERVER_END && !havePSK && !haveAnon)
|
||||||
if (!ssl->buffers.certificate.buffer || !ssl->buffers.key.buffer) {
|
if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer ||
|
||||||
|
!ssl->buffers.key || !ssl->buffers.key->buffer) {
|
||||||
WOLFSSL_MSG("Server missing certificate and/or private key");
|
WOLFSSL_MSG("Server missing certificate and/or private key");
|
||||||
return NO_PRIVATE_KEY;
|
return NO_PRIVATE_KEY;
|
||||||
}
|
}
|
||||||
@@ -4471,7 +4472,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
|
|||||||
|
|
||||||
/* store cert for potential retrieval */
|
/* store cert for potential retrieval */
|
||||||
if (AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, NULL) == 0) {
|
if (AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, NULL) == 0) {
|
||||||
XMEMCPY(x509->derCert.buffer, dCert->source, dCert->maxIdx);
|
XMEMCPY(x509->derCert->buffer, dCert->source, dCert->maxIdx);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
ret = MEMORY_E;
|
ret = MEMORY_E;
|
||||||
@@ -4543,7 +4544,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
int anyError = 0;
|
int anyError = 0;
|
||||||
int totalCerts = 0; /* number of certs in certs buffer */
|
int totalCerts = 0; /* number of certs in certs buffer */
|
||||||
int count;
|
int count;
|
||||||
DerBuffer certs[MAX_CHAIN_DEPTH];
|
buffer certs[MAX_CHAIN_DEPTH];
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
char* domain = NULL;
|
char* domain = NULL;
|
||||||
@@ -4590,10 +4591,6 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
if ((*inOutIdx - begin) + certSz > size)
|
if ((*inOutIdx - begin) + certSz > size)
|
||||||
return BUFFER_ERROR;
|
return BUFFER_ERROR;
|
||||||
|
|
||||||
ret = InitDer(&certs[totalCerts]);
|
|
||||||
if (ret < 0) {
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
certs[totalCerts].length = certSz;
|
certs[totalCerts].length = certSz;
|
||||||
certs[totalCerts].buffer = input + *inOutIdx;
|
certs[totalCerts].buffer = input + *inOutIdx;
|
||||||
|
|
||||||
@@ -4627,7 +4624,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
|
|
||||||
/* verify up to peer's first */
|
/* verify up to peer's first */
|
||||||
while (count > 1) {
|
while (count > 1) {
|
||||||
DerBuffer myCert = certs[count - 1];
|
buffer myCert = certs[count - 1];
|
||||||
byte* subjectHash;
|
byte* subjectHash;
|
||||||
|
|
||||||
InitDecodedCert(dCert, myCert.buffer, myCert.length, ssl->heap);
|
InitDecodedCert(dCert, myCert.buffer, myCert.length, ssl->heap);
|
||||||
@@ -4646,11 +4643,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
WOLFSSL_MSG("Chain cert not verified by option, not adding as CA");
|
WOLFSSL_MSG("Chain cert not verified by option, not adding as CA");
|
||||||
}
|
}
|
||||||
else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, subjectHash)) {
|
else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, subjectHash)) {
|
||||||
DerBuffer add;
|
DerBuffer* add = NULL;
|
||||||
ret = InitDer(&add);
|
ret = AllocDer(&add, myCert.length, CA_TYPE, ssl->heap);
|
||||||
if (ret == 0) {
|
|
||||||
ret = AllocDer(&add, myCert.length, CA_TYPE, ssl->heap);
|
|
||||||
}
|
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
XFREE(dCert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
XFREE(dCert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
@@ -4660,7 +4654,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
|
|
||||||
WOLFSSL_MSG("Adding CA from chain");
|
WOLFSSL_MSG("Adding CA from chain");
|
||||||
|
|
||||||
XMEMCPY(add.buffer, myCert.buffer, myCert.length);
|
XMEMCPY(add->buffer, myCert.buffer, myCert.length);
|
||||||
|
|
||||||
/* already verified above */
|
/* already verified above */
|
||||||
ret = AddCA(ssl->ctx->cm, &add, WOLFSSL_CHAIN_CA, 0);
|
ret = AddCA(ssl->ctx->cm, &add, WOLFSSL_CHAIN_CA, 0);
|
||||||
@@ -4719,7 +4713,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
|
|
||||||
/* peer's, may not have one if blank client cert sent by TLSv1.2 */
|
/* peer's, may not have one if blank client cert sent by TLSv1.2 */
|
||||||
if (count) {
|
if (count) {
|
||||||
DerBuffer myCert = certs[0];
|
buffer myCert = certs[0];
|
||||||
int fatal = 0;
|
int fatal = 0;
|
||||||
|
|
||||||
WOLFSSL_MSG("Verifying Peer's cert");
|
WOLFSSL_MSG("Verifying Peer's cert");
|
||||||
@@ -8280,15 +8274,19 @@ int SendCertificate(WOLFSSL* ssl)
|
|||||||
listSz = 0;
|
listSz = 0;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
certSz = ssl->buffers.certificate.length;
|
if (!ssl->buffers.certificate) {
|
||||||
|
WOLFSSL_MSG("Send Cert missing certificate buffer");
|
||||||
|
return BUFFER_ERROR;
|
||||||
|
}
|
||||||
|
certSz = ssl->buffers.certificate->length;
|
||||||
headerSz = 2 * CERT_HEADER_SZ;
|
headerSz = 2 * CERT_HEADER_SZ;
|
||||||
/* list + cert size */
|
/* list + cert size */
|
||||||
length = certSz + headerSz;
|
length = certSz + headerSz;
|
||||||
listSz = certSz + CERT_HEADER_SZ;
|
listSz = certSz + CERT_HEADER_SZ;
|
||||||
|
|
||||||
/* may need to send rest of chain, already has leading size(s) */
|
/* may need to send rest of chain, already has leading size(s) */
|
||||||
if (certSz) {
|
if (certSz && ssl->buffers.certChain) {
|
||||||
certChainSz = ssl->buffers.certChain.length;
|
certChainSz = ssl->buffers.certChain->length;
|
||||||
length += certChainSz;
|
length += certChainSz;
|
||||||
listSz += certChainSz;
|
listSz += certChainSz;
|
||||||
}
|
}
|
||||||
@@ -8398,9 +8396,9 @@ int SendCertificate(WOLFSSL* ssl)
|
|||||||
fragSz -= CERT_HEADER_SZ;
|
fragSz -= CERT_HEADER_SZ;
|
||||||
|
|
||||||
if (!IsEncryptionOn(ssl, 1)) {
|
if (!IsEncryptionOn(ssl, 1)) {
|
||||||
HashOutputRaw(ssl, ssl->buffers.certificate.buffer, certSz);
|
HashOutputRaw(ssl, ssl->buffers.certificate->buffer, certSz);
|
||||||
if (certChainSz)
|
if (certChainSz)
|
||||||
HashOutputRaw(ssl, ssl->buffers.certChain.buffer,
|
HashOutputRaw(ssl, ssl->buffers.certChain->buffer,
|
||||||
certChainSz);
|
certChainSz);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -8422,7 +8420,7 @@ int SendCertificate(WOLFSSL* ssl)
|
|||||||
if (certSz && ssl->fragOffset < certSz) {
|
if (certSz && ssl->fragOffset < certSz) {
|
||||||
word32 copySz = min(certSz - ssl->fragOffset, fragSz);
|
word32 copySz = min(certSz - ssl->fragOffset, fragSz);
|
||||||
XMEMCPY(output + i,
|
XMEMCPY(output + i,
|
||||||
ssl->buffers.certificate.buffer + ssl->fragOffset, copySz);
|
ssl->buffers.certificate->buffer + ssl->fragOffset, copySz);
|
||||||
i += copySz;
|
i += copySz;
|
||||||
ssl->fragOffset += copySz;
|
ssl->fragOffset += copySz;
|
||||||
length -= copySz;
|
length -= copySz;
|
||||||
@@ -8431,7 +8429,7 @@ int SendCertificate(WOLFSSL* ssl)
|
|||||||
if (certChainSz && fragSz) {
|
if (certChainSz && fragSz) {
|
||||||
word32 copySz = min(certChainSz + certSz - ssl->fragOffset, fragSz);
|
word32 copySz = min(certChainSz + certSz - ssl->fragOffset, fragSz);
|
||||||
XMEMCPY(output + i,
|
XMEMCPY(output + i,
|
||||||
ssl->buffers.certChain.buffer + ssl->fragOffset - certSz,
|
ssl->buffers.certChain->buffer + ssl->fragOffset - certSz,
|
||||||
copySz);
|
copySz);
|
||||||
i += copySz;
|
i += copySz;
|
||||||
ssl->fragOffset += copySz;
|
ssl->fragOffset += copySz;
|
||||||
@@ -8713,7 +8711,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!request || ssl->buffers.weOwnCert) {
|
if (!request || ssl->buffers.weOwnCert) {
|
||||||
DerBuffer der = ssl->buffers.certificate;
|
DerBuffer* der = ssl->buffers.certificate;
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
DecodedCert* cert = NULL;
|
DecodedCert* cert = NULL;
|
||||||
#else
|
#else
|
||||||
@@ -8721,7 +8719,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* unable to fetch status. skip. */
|
/* unable to fetch status. skip. */
|
||||||
if (der.buffer == NULL || der.length == 0)
|
if (der->buffer == NULL || der->length == 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
@@ -8731,7 +8729,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
return MEMORY_E;
|
return MEMORY_E;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
InitDecodedCert(cert, der.buffer, der.length, NULL);
|
InitDecodedCert(cert, der->buffer, der->length, NULL);
|
||||||
|
|
||||||
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
|
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
|
||||||
ssl->ctx->cm)) != 0) {
|
ssl->ctx->cm)) != 0) {
|
||||||
@@ -8810,7 +8808,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (!request || ssl->buffers.weOwnCert) {
|
if (!request || ssl->buffers.weOwnCert) {
|
||||||
DerBuffer der = ssl->buffers.certificate;
|
DerBuffer* der = ssl->buffers.certificate;
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
DecodedCert* cert = NULL;
|
DecodedCert* cert = NULL;
|
||||||
#else
|
#else
|
||||||
@@ -8818,7 +8816,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* unable to fetch status. skip. */
|
/* unable to fetch status. skip. */
|
||||||
if (der.buffer == NULL || der.length == 0)
|
if (der->buffer == NULL || der->length == 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
@@ -8828,7 +8826,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
return MEMORY_E;
|
return MEMORY_E;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
InitDecodedCert(cert, der.buffer, der.length, NULL);
|
InitDecodedCert(cert, der->buffer, der->length, NULL);
|
||||||
|
|
||||||
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
|
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
|
||||||
ssl->ctx->cm)) != 0) {
|
ssl->ctx->cm)) != 0) {
|
||||||
@@ -8883,7 +8881,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
|
|
||||||
if (ret == 0 && (!ssl->ctx->chainOcspRequest[0]
|
if (ret == 0 && (!ssl->ctx->chainOcspRequest[0]
|
||||||
|| ssl->buffers.weOwnCertChain)) {
|
|| ssl->buffers.weOwnCertChain)) {
|
||||||
DerBuffer der;
|
DerBuffer* der = NULL;
|
||||||
word32 idx = 0;
|
word32 idx = 0;
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
DecodedCert* cert = NULL;
|
DecodedCert* cert = NULL;
|
||||||
@@ -8891,11 +8889,6 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
DecodedCert cert[1];
|
DecodedCert cert[1];
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
ret = InitDer(&der);
|
|
||||||
if (ret < 0) {
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
|
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
|
||||||
DYNAMIC_TYPE_TMP_BUFFER);
|
DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
@@ -8903,17 +8896,17 @@ int SendCertificateStatus(WOLFSSL* ssl)
|
|||||||
return MEMORY_E;
|
return MEMORY_E;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
while (idx + OPAQUE24_LEN < ssl->buffers.certChain.length) {
|
while (idx + OPAQUE24_LEN < ssl->buffers.certChain->length) {
|
||||||
c24to32(ssl->buffers.certChain.buffer + idx, &der.length);
|
c24to32(ssl->buffers.certChain->buffer + idx, &der->length);
|
||||||
idx += OPAQUE24_LEN;
|
idx += OPAQUE24_LEN;
|
||||||
|
|
||||||
der.buffer = ssl->buffers.certChain.buffer + idx;
|
der->buffer = ssl->buffers.certChain->buffer + idx;
|
||||||
idx += der.length;
|
idx += der->length;
|
||||||
|
|
||||||
if (idx > ssl->buffers.certChain.length)
|
if (idx > ssl->buffers.certChain->length)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
InitDecodedCert(cert, der.buffer, der.length, NULL);
|
InitDecodedCert(cert, der->buffer, der->length, NULL);
|
||||||
|
|
||||||
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
|
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
|
||||||
ssl->ctx->cm)) != 0) {
|
ssl->ctx->cm)) != 0) {
|
||||||
@@ -11350,7 +11343,8 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
|
|||||||
|
|
||||||
/* don't send client cert or cert verify if user hasn't provided
|
/* don't send client cert or cert verify if user hasn't provided
|
||||||
cert and private key */
|
cert and private key */
|
||||||
if (ssl->buffers.certificate.buffer && ssl->buffers.key.buffer)
|
if (ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
|
||||||
|
ssl->buffers.key && ssl->buffers.key->buffer)
|
||||||
ssl->options.sendVerify = SEND_CERT;
|
ssl->options.sendVerify = SEND_CERT;
|
||||||
else if (IsTLS(ssl))
|
else if (IsTLS(ssl))
|
||||||
ssl->options.sendVerify = SEND_BLANK_CERT;
|
ssl->options.sendVerify = SEND_BLANK_CERT;
|
||||||
@@ -13432,8 +13426,8 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
|
|||||||
ret = wc_InitRsaKey(&key, ssl->heap);
|
ret = wc_InitRsaKey(&key, ssl->heap);
|
||||||
if (ret == 0) initRsaKey = 1;
|
if (ret == 0) initRsaKey = 1;
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &key,
|
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &key,
|
||||||
ssl->buffers.key.length);
|
ssl->buffers.key->length);
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
sigOutSz = wc_RsaEncryptSize(&key);
|
sigOutSz = wc_RsaEncryptSize(&key);
|
||||||
else
|
else
|
||||||
@@ -13441,10 +13435,15 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
|
|||||||
{
|
{
|
||||||
#ifdef HAVE_ECC
|
#ifdef HAVE_ECC
|
||||||
WOLFSSL_MSG("Trying ECC client cert, RSA didn't work");
|
WOLFSSL_MSG("Trying ECC client cert, RSA didn't work");
|
||||||
|
|
||||||
|
if (ssl->buffers.key == NULL) {
|
||||||
|
WOLFSSL_MSG("ECC Key missing");
|
||||||
|
return NO_PRIVATE_KEY;
|
||||||
|
}
|
||||||
|
|
||||||
idx = 0;
|
idx = 0;
|
||||||
ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &eccKey,
|
ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &eccKey,
|
||||||
ssl->buffers.key.length);
|
ssl->buffers.key->length);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
WOLFSSL_MSG("Using ECC client cert");
|
WOLFSSL_MSG("Using ECC client cert");
|
||||||
usingEcc = 1;
|
usingEcc = 1;
|
||||||
@@ -13556,8 +13555,8 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
|
|||||||
#ifdef HAVE_ECC
|
#ifdef HAVE_ECC
|
||||||
ret = ssl->ctx->EccSignCb(ssl, digest, digestSz,
|
ret = ssl->ctx->EccSignCb(ssl, digest, digestSz,
|
||||||
encodedSig, &localSz,
|
encodedSig, &localSz,
|
||||||
ssl->buffers.key.buffer,
|
ssl->buffers.key->buffer,
|
||||||
ssl->buffers.key.length,
|
ssl->buffers.key->length,
|
||||||
ssl->EccSignCtx);
|
ssl->EccSignCtx);
|
||||||
#endif /* HAVE_ECC */
|
#endif /* HAVE_ECC */
|
||||||
#endif /*HAVE_PK_CALLBACKS */
|
#endif /*HAVE_PK_CALLBACKS */
|
||||||
@@ -13651,8 +13650,8 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
|
|||||||
ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
|
ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
|
||||||
verify + extraSz + VERIFY_HEADER,
|
verify + extraSz + VERIFY_HEADER,
|
||||||
&ioLen,
|
&ioLen,
|
||||||
ssl->buffers.key.buffer,
|
ssl->buffers.key->buffer,
|
||||||
ssl->buffers.key.length,
|
ssl->buffers.key->length,
|
||||||
ssl->RsaSignCtx);
|
ssl->RsaSignCtx);
|
||||||
#endif /* NO_RSA */
|
#endif /* NO_RSA */
|
||||||
#endif /*HAVE_PK_CALLBACKS */
|
#endif /*HAVE_PK_CALLBACKS */
|
||||||
@@ -14520,7 +14519,7 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
/* sig length */
|
/* sig length */
|
||||||
length += LENGTH_SZ;
|
length += LENGTH_SZ;
|
||||||
|
|
||||||
if (!ssl->buffers.key.buffer) {
|
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
|
||||||
#ifndef NO_RSA
|
#ifndef NO_RSA
|
||||||
wc_FreeRsaKey(&rsaKey);
|
wc_FreeRsaKey(&rsaKey);
|
||||||
#endif
|
#endif
|
||||||
@@ -14532,8 +14531,8 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
if (ssl->specs.sig_algo == rsa_sa_algo) {
|
if (ssl->specs.sig_algo == rsa_sa_algo) {
|
||||||
/* rsa sig size */
|
/* rsa sig size */
|
||||||
word32 i = 0;
|
word32 i = 0;
|
||||||
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i,
|
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &i,
|
||||||
&rsaKey, ssl->buffers.key.length);
|
&rsaKey, ssl->buffers.key->length);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
goto done_a;
|
goto done_a;
|
||||||
}
|
}
|
||||||
@@ -14544,8 +14543,8 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
if (ssl->specs.sig_algo == ecc_dsa_sa_algo) {
|
if (ssl->specs.sig_algo == ecc_dsa_sa_algo) {
|
||||||
/* ecdsa sig size */
|
/* ecdsa sig size */
|
||||||
word32 i = 0;
|
word32 i = 0;
|
||||||
ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
|
ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &i,
|
||||||
&dsaKey, ssl->buffers.key.length);
|
&dsaKey, ssl->buffers.key->length);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
goto done_a;
|
goto done_a;
|
||||||
}
|
}
|
||||||
@@ -14923,8 +14922,8 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
word32 ioLen = sigSz;
|
word32 ioLen = sigSz;
|
||||||
ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
|
ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
|
||||||
output + idx, &ioLen,
|
output + idx, &ioLen,
|
||||||
ssl->buffers.key.buffer,
|
ssl->buffers.key->buffer,
|
||||||
ssl->buffers.key.length,
|
ssl->buffers.key->length,
|
||||||
ssl->RsaSignCtx);
|
ssl->RsaSignCtx);
|
||||||
#endif /*HAVE_PK_CALLBACKS */
|
#endif /*HAVE_PK_CALLBACKS */
|
||||||
}
|
}
|
||||||
@@ -15000,8 +14999,8 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
ret = ssl->ctx->EccSignCb(ssl, digest, digestSz,
|
ret = ssl->ctx->EccSignCb(ssl, digest, digestSz,
|
||||||
output + LENGTH_SZ + idx,
|
output + LENGTH_SZ + idx,
|
||||||
&sz,
|
&sz,
|
||||||
ssl->buffers.key.buffer,
|
ssl->buffers.key->buffer,
|
||||||
ssl->buffers.key.length,
|
ssl->buffers.key->length,
|
||||||
ssl->EccSignCtx);
|
ssl->EccSignCtx);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@@ -15182,12 +15181,12 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
/* sig length */
|
/* sig length */
|
||||||
length += LENGTH_SZ;
|
length += LENGTH_SZ;
|
||||||
|
|
||||||
if (!ssl->buffers.key.buffer) {
|
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
|
||||||
return NO_PRIVATE_KEY;
|
return NO_PRIVATE_KEY;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i,
|
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &i,
|
||||||
&rsaKey, ssl->buffers.key.length);
|
&rsaKey, ssl->buffers.key->length);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
sigSz = wc_RsaEncryptSize(&rsaKey);
|
sigSz = wc_RsaEncryptSize(&rsaKey);
|
||||||
length += sigSz;
|
length += sigSz;
|
||||||
@@ -15581,8 +15580,8 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
word32 ioLen = sigSz;
|
word32 ioLen = sigSz;
|
||||||
ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
|
ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
|
||||||
output + idx, &ioLen,
|
output + idx, &ioLen,
|
||||||
ssl->buffers.key.buffer,
|
ssl->buffers.key->buffer,
|
||||||
ssl->buffers.key.length,
|
ssl->buffers.key->length,
|
||||||
ssl->RsaSignCtx);
|
ssl->RsaSignCtx);
|
||||||
#endif
|
#endif
|
||||||
} else if (ret == 0) {
|
} else if (ret == 0) {
|
||||||
@@ -16983,12 +16982,12 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!ssl->buffers.key.buffer) {
|
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
|
||||||
return NO_PRIVATE_KEY;
|
return NO_PRIVATE_KEY;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx,
|
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
|
||||||
&key, ssl->buffers.key.length);
|
&key, ssl->buffers.key->length);
|
||||||
|
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
length = wc_RsaEncryptSize(&key);
|
length = wc_RsaEncryptSize(&key);
|
||||||
@@ -17021,8 +17020,8 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
#ifdef HAVE_PK_CALLBACKS
|
#ifdef HAVE_PK_CALLBACKS
|
||||||
ret = ssl->ctx->RsaDecCb(ssl,
|
ret = ssl->ctx->RsaDecCb(ssl,
|
||||||
input + *inOutIdx, length, &out,
|
input + *inOutIdx, length, &out,
|
||||||
ssl->buffers.key.buffer,
|
ssl->buffers.key->buffer,
|
||||||
ssl->buffers.key.length,
|
ssl->buffers.key->length,
|
||||||
ssl->RsaDecCtx);
|
ssl->RsaDecCtx);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
@@ -17168,7 +17167,7 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
word16 cipherLen;
|
word16 cipherLen;
|
||||||
word16 plainLen = sizeof(ssl->arrays->preMasterSecret);
|
word16 plainLen = sizeof(ssl->arrays->preMasterSecret);
|
||||||
|
|
||||||
if (!ssl->buffers.key.buffer) {
|
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
|
||||||
return NO_PRIVATE_KEY;
|
return NO_PRIVATE_KEY;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -17188,8 +17187,8 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (NTRU_OK != ntru_crypto_ntru_decrypt(
|
if (NTRU_OK != ntru_crypto_ntru_decrypt(
|
||||||
(word16) ssl->buffers.key.length,
|
(word16) ssl->buffers.key->length,
|
||||||
ssl->buffers.key.buffer, cipherLen,
|
ssl->buffers.key->buffer, cipherLen,
|
||||||
input + *inOutIdx, &plainLen,
|
input + *inOutIdx, &plainLen,
|
||||||
ssl->arrays->preMasterSecret)) {
|
ssl->arrays->preMasterSecret)) {
|
||||||
return NTRU_DECRYPT_ERROR;
|
return NTRU_DECRYPT_ERROR;
|
||||||
@@ -17270,8 +17269,8 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
word32 i = 0;
|
word32 i = 0;
|
||||||
|
|
||||||
wc_ecc_init(&staticKey);
|
wc_ecc_init(&staticKey);
|
||||||
ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
|
ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &i,
|
||||||
&staticKey, ssl->buffers.key.length);
|
&staticKey, ssl->buffers.key->length);
|
||||||
|
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
ret = wc_ecc_shared_secret(&staticKey, ssl->peerEccKey,
|
ret = wc_ecc_shared_secret(&staticKey, ssl->peerEccKey,
|
||||||
|
|||||||
@@ -1341,16 +1341,17 @@ static int ProcessClientKeyExchange(const byte* input, int* sslBytes,
|
|||||||
RsaKey key;
|
RsaKey key;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
if (session->sslServer->buffers.key.buffer == NULL ||
|
if (session->sslServer->buffers.key == NULL ||
|
||||||
session->sslServer->buffers.key.length == 0) {
|
session->sslServer->buffers.key->buffer == NULL ||
|
||||||
|
session->sslServer->buffers.key->length == 0) {
|
||||||
|
|
||||||
SetError(RSA_KEY_MISSING_STR, error, session, FATAL_ERROR_STATE);
|
SetError(RSA_KEY_MISSING_STR, error, session, FATAL_ERROR_STATE);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
ret = wc_InitRsaKey(&key, 0);
|
ret = wc_InitRsaKey(&key, 0);
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
ret = wc_RsaPrivateKeyDecode(session->sslServer->buffers.key.buffer,
|
ret = wc_RsaPrivateKeyDecode(session->sslServer->buffers.key->buffer,
|
||||||
&idx, &key, session->sslServer->buffers.key.length);
|
&idx, &key, session->sslServer->buffers.key->length);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
int length = wc_RsaEncryptSize(&key);
|
int length = wc_RsaEncryptSize(&key);
|
||||||
|
|
||||||
|
|||||||
347
src/ssl.c
347
src/ssl.c
@@ -1635,21 +1635,12 @@ int wolfSSL_GetHmacSize(WOLFSSL* ssl)
|
|||||||
|
|
||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
|
|
||||||
int InitDer(DerBuffer* der)
|
int AllocDer(DerBuffer** pDer, word32 length, int type, void* heap)
|
||||||
{
|
{
|
||||||
int ret = BAD_FUNC_ARG;
|
int ret = BAD_FUNC_ARG;
|
||||||
if (der) {
|
if (pDer) {
|
||||||
XMEMSET(der, 0, sizeof(DerBuffer));
|
|
||||||
ret = 0;
|
|
||||||
}
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
int AllocDer(DerBuffer* der, word32 length, int type, void* heap)
|
|
||||||
{
|
|
||||||
int ret = BAD_FUNC_ARG;
|
|
||||||
if (der) {
|
|
||||||
int dynType = 0;
|
int dynType = 0;
|
||||||
|
DerBuffer* der;
|
||||||
|
|
||||||
/* Determine dynamic type */
|
/* Determine dynamic type */
|
||||||
switch (type) {
|
switch (type) {
|
||||||
@@ -1663,29 +1654,37 @@ int AllocDer(DerBuffer* der, word32 length, int type, void* heap)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Setup new buffer */
|
/* Setup new buffer */
|
||||||
der->type = type;
|
*pDer = (DerBuffer*)XMALLOC(sizeof(DerBuffer) + length, heap, dynType);
|
||||||
der->dynType = dynType;
|
if (*pDer == NULL) {
|
||||||
der->heap = heap;
|
|
||||||
der->buffer = (byte*)XMALLOC(length, heap, dynType);
|
|
||||||
if (!der->buffer) {
|
|
||||||
return MEMORY_ERROR;
|
return MEMORY_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
der = *pDer;
|
||||||
|
der->type = type;
|
||||||
|
der->dynType = dynType; /* Cache this for FreeDer */
|
||||||
|
der->heap = heap;
|
||||||
|
der->buffer = (byte*)der + sizeof(DerBuffer);
|
||||||
der->length = length;
|
der->length = length;
|
||||||
ret = 0; /* Success */
|
ret = 0; /* Success */
|
||||||
}
|
}
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
void FreeDer(DerBuffer* der)
|
void FreeDer(DerBuffer** pDer)
|
||||||
{
|
{
|
||||||
if (der && der->buffer) {
|
if (pDer && *pDer)
|
||||||
|
{
|
||||||
|
DerBuffer* der = (DerBuffer*)*pDer;
|
||||||
|
|
||||||
/* ForceZero private keys */
|
/* ForceZero private keys */
|
||||||
if (der->type == PRIVATEKEY_TYPE) {
|
if (der->type == PRIVATEKEY_TYPE) {
|
||||||
ForceZero(der->buffer, der->length);
|
ForceZero(der->buffer, der->length);
|
||||||
}
|
}
|
||||||
XFREE(der->buffer, der->heap, der->dynType);
|
|
||||||
der->buffer = NULL;
|
der->buffer = NULL;
|
||||||
der->length = 0;
|
der->length = 0;
|
||||||
|
XFREE(der, der->heap, der->dynType);
|
||||||
|
|
||||||
|
*pDer = NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -1763,7 +1762,7 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz,
|
|||||||
{
|
{
|
||||||
int eccKey = 0;
|
int eccKey = 0;
|
||||||
int ret;
|
int ret;
|
||||||
DerBuffer der;
|
DerBuffer* der = NULL;
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
EncryptedInfo* info = NULL;
|
EncryptedInfo* info = NULL;
|
||||||
#else
|
#else
|
||||||
@@ -1782,11 +1781,6 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz,
|
|||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = InitDer(&der);
|
|
||||||
if (ret < 0) {
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
|
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
|
||||||
DYNAMIC_TYPE_TMP_BUFFER);
|
DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
@@ -1808,9 +1802,9 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz,
|
|||||||
WOLFSSL_MSG("Bad Pem To Der");
|
WOLFSSL_MSG("Bad Pem To Der");
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if (der.length <= (word32)buffSz) {
|
if (der->length <= (word32)buffSz) {
|
||||||
XMEMCPY(buff, der.buffer, der.length);
|
XMEMCPY(buff, der->buffer, der->length);
|
||||||
ret = der.length;
|
ret = der->length;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
WOLFSSL_MSG("Bad der length");
|
WOLFSSL_MSG("Bad der length");
|
||||||
@@ -1867,7 +1861,7 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz,
|
|||||||
{
|
{
|
||||||
int eccKey = 0;
|
int eccKey = 0;
|
||||||
int ret;
|
int ret;
|
||||||
DerBuffer der;
|
DerBuffer* der = NULL;
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
EncryptedInfo* info = NULL;
|
EncryptedInfo* info = NULL;
|
||||||
#else
|
#else
|
||||||
@@ -1881,11 +1875,6 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz,
|
|||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = InitDer(&der);
|
|
||||||
if (ret < 0) {
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
|
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
|
||||||
DYNAMIC_TYPE_TMP_BUFFER);
|
DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
@@ -1927,9 +1916,9 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz,
|
|||||||
WOLFSSL_MSG("Bad Pem To Der");
|
WOLFSSL_MSG("Bad Pem To Der");
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if (der.length <= (word32)buffSz) {
|
if (der->length <= (word32)buffSz) {
|
||||||
XMEMCPY(buff, der.buffer, der.length);
|
XMEMCPY(buff, der->buffer, der->length);
|
||||||
ret = der.length;
|
ret = der->length;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
WOLFSSL_MSG("Bad der length");
|
WOLFSSL_MSG("Bad der length");
|
||||||
@@ -2248,7 +2237,7 @@ Signer* GetCAByName(void* vp, byte* hash)
|
|||||||
/* owns der, internal now uses too */
|
/* owns der, internal now uses too */
|
||||||
/* type flag ids from user or from chain received during verify
|
/* type flag ids from user or from chain received during verify
|
||||||
don't allow chain ones to be added w/o isCA extension */
|
don't allow chain ones to be added w/o isCA extension */
|
||||||
int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int type, int verify)
|
int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
Signer* signer = 0;
|
Signer* signer = 0;
|
||||||
@@ -2259,6 +2248,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int type, int verify)
|
|||||||
#else
|
#else
|
||||||
DecodedCert cert[1];
|
DecodedCert cert[1];
|
||||||
#endif
|
#endif
|
||||||
|
DerBuffer* der = *pDer;
|
||||||
|
|
||||||
WOLFSSL_MSG("Adding a CA");
|
WOLFSSL_MSG("Adding a CA");
|
||||||
|
|
||||||
@@ -2354,7 +2344,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int type, int verify)
|
|||||||
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
#endif
|
#endif
|
||||||
WOLFSSL_MSG(" Freeing der CA");
|
WOLFSSL_MSG(" Freeing der CA");
|
||||||
FreeDer(der);
|
FreeDer(pDer);
|
||||||
WOLFSSL_MSG(" OK Freeing der CA");
|
WOLFSSL_MSG(" OK Freeing der CA");
|
||||||
|
|
||||||
WOLFSSL_LEAVE("AddCA", ret);
|
WOLFSSL_LEAVE("AddCA", ret);
|
||||||
@@ -2630,7 +2620,7 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password,
|
|||||||
/* Remove PEM header/footer, convert to ASN1, store any encrypted data
|
/* Remove PEM header/footer, convert to ASN1, store any encrypted data
|
||||||
info->consumed tracks of PEM bytes consumed in case multiple parts */
|
info->consumed tracks of PEM bytes consumed in case multiple parts */
|
||||||
int PemToDer(const unsigned char* buff, long longSz, int type,
|
int PemToDer(const unsigned char* buff, long longSz, int type,
|
||||||
DerBuffer* der, void* heap, EncryptedInfo* info, int* eccKey)
|
DerBuffer** pDer, void* heap, EncryptedInfo* info, int* eccKey)
|
||||||
{
|
{
|
||||||
const char* header = NULL;
|
const char* header = NULL;
|
||||||
const char* footer = NULL;
|
const char* footer = NULL;
|
||||||
@@ -2642,6 +2632,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
|
|||||||
int ret = 0;
|
int ret = 0;
|
||||||
int sz = (int)longSz;
|
int sz = (int)longSz;
|
||||||
int encrypted_key = 0;
|
int encrypted_key = 0;
|
||||||
|
DerBuffer* der;
|
||||||
|
|
||||||
WOLFSSL_ENTER("PemToDer");
|
WOLFSSL_ENTER("PemToDer");
|
||||||
|
|
||||||
@@ -2778,10 +2769,11 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
|
|||||||
if (neededSz > sz || neededSz < 0)
|
if (neededSz > sz || neededSz < 0)
|
||||||
return SSL_BAD_FILE;
|
return SSL_BAD_FILE;
|
||||||
|
|
||||||
ret = AllocDer(der, (word32)neededSz, type, heap);
|
ret = AllocDer(pDer, (word32)neededSz, type, heap);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
der = *pDer;
|
||||||
|
|
||||||
if (Base64_Decode((byte*)headerEnd, (word32)neededSz,
|
if (Base64_Decode((byte*)headerEnd, (word32)neededSz,
|
||||||
der->buffer, &der->length) < 0)
|
der->buffer, &der->length) < 0)
|
||||||
@@ -2823,7 +2815,6 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
|
|||||||
XFREE(password, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
XFREE(password, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
#endif
|
#endif
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
FreeDer(der);
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2837,7 +2828,6 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
|
|||||||
XFREE(password, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
XFREE(password, heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
#endif
|
#endif
|
||||||
if (ret != SSL_SUCCESS) {
|
if (ret != SSL_SUCCESS) {
|
||||||
FreeDer(der);
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -2855,7 +2845,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
|||||||
long sz, int format, int type, WOLFSSL* ssl,
|
long sz, int format, int type, WOLFSSL* ssl,
|
||||||
long* used, int userChain)
|
long* used, int userChain)
|
||||||
{
|
{
|
||||||
DerBuffer der; /* holds DER or RAW (for NTRU) */
|
DerBuffer* der = NULL; /* holds DER or RAW (for NTRU) */
|
||||||
int ret;
|
int ret;
|
||||||
int eccKey = 0;
|
int eccKey = 0;
|
||||||
int rsaKey = 0;
|
int rsaKey = 0;
|
||||||
@@ -2878,11 +2868,6 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
|||||||
if (ctx == NULL && ssl == NULL)
|
if (ctx == NULL && ssl == NULL)
|
||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
|
|
||||||
ret = InitDer(&der);
|
|
||||||
if (ret < 0) {
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), heap,
|
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), heap,
|
||||||
DYNAMIC_TYPE_TMP_BUFFER);
|
DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
@@ -2939,30 +2924,28 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
|||||||
|
|
||||||
WOLFSSL_MSG("Processing Cert Chain");
|
WOLFSSL_MSG("Processing Cert Chain");
|
||||||
while (consumed < sz) {
|
while (consumed < sz) {
|
||||||
DerBuffer part;
|
DerBuffer* part = NULL;
|
||||||
info->consumed = 0;
|
info->consumed = 0;
|
||||||
ret = InitDer(&part);
|
|
||||||
|
ret = PemToDer(buff + consumed, sz - consumed, type, &part,
|
||||||
|
heap, info, &eccKey);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
ret = PemToDer(buff + consumed, sz - consumed, type, &part,
|
gotOne = 1;
|
||||||
heap, info, &eccKey);
|
if ( (idx + part->length) > bufferSz) {
|
||||||
if (ret == 0) {
|
WOLFSSL_MSG(" Cert Chain bigger than buffer");
|
||||||
gotOne = 1;
|
ret = BUFFER_E;
|
||||||
if ( (idx + part.length) > bufferSz) {
|
}
|
||||||
WOLFSSL_MSG(" Cert Chain bigger than buffer");
|
else {
|
||||||
ret = BUFFER_E;
|
c32to24(part->length, &chainBuffer[idx]);
|
||||||
}
|
idx += CERT_HEADER_SZ;
|
||||||
else {
|
XMEMCPY(&chainBuffer[idx], part->buffer, part->length);
|
||||||
c32to24(part.length, &chainBuffer[idx]);
|
idx += part->length;
|
||||||
idx += CERT_HEADER_SZ;
|
consumed += info->consumed;
|
||||||
XMEMCPY(&chainBuffer[idx], part.buffer,part.length);
|
if (used)
|
||||||
idx += part.length;
|
*used += info->consumed;
|
||||||
consumed += info->consumed;
|
|
||||||
if (used)
|
|
||||||
*used += info->consumed;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
FreeDer(&part);
|
|
||||||
}
|
}
|
||||||
|
FreeDer(&part);
|
||||||
|
|
||||||
if (ret == SSL_NO_PEM_HEADER && gotOne) {
|
if (ret == SSL_NO_PEM_HEADER && gotOne) {
|
||||||
WOLFSSL_MSG("We got one good PEM so stuff at end ok");
|
WOLFSSL_MSG("We got one good PEM so stuff at end ok");
|
||||||
@@ -2992,14 +2975,14 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
|||||||
}
|
}
|
||||||
ret = AllocDer(&ssl->buffers.certChain, idx, type, heap);
|
ret = AllocDer(&ssl->buffers.certChain, idx, type, heap);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
XMEMCPY(ssl->buffers.certChain.buffer, chainBuffer, idx);
|
XMEMCPY(ssl->buffers.certChain->buffer, chainBuffer, idx);
|
||||||
ssl->buffers.weOwnCertChain = 1;
|
ssl->buffers.weOwnCertChain = 1;
|
||||||
}
|
}
|
||||||
} else if (ctx) {
|
} else if (ctx) {
|
||||||
FreeDer(&ctx->certChain);
|
FreeDer(&ctx->certChain);
|
||||||
ret = AllocDer(&ctx->certChain, idx, type, heap);
|
ret = AllocDer(&ctx->certChain, idx, type, heap);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
XMEMCPY(ctx->certChain.buffer, chainBuffer, idx);
|
XMEMCPY(ctx->certChain->buffer, chainBuffer, idx);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -3025,7 +3008,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
XMEMCPY(der.buffer, buff, sz);
|
XMEMCPY(der->buffer, buff, sz);
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
|
||||||
@@ -3053,7 +3036,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
|||||||
0, ctx->userdata);
|
0, ctx->userdata);
|
||||||
|
|
||||||
/* decrypt the key */
|
/* decrypt the key */
|
||||||
ret = wolfssl_decrypt_buffer_key(&der, (byte*)password,
|
ret = wolfssl_decrypt_buffer_key(der, (byte*)password,
|
||||||
passwordSz, info);
|
passwordSz, info);
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -3138,7 +3121,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
|||||||
|
|
||||||
ret = wc_InitRsaKey(key, 0);
|
ret = wc_InitRsaKey(key, 0);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
if (wc_RsaPrivateKeyDecode(der.buffer, &idx, key, der.length)
|
if (wc_RsaPrivateKeyDecode(der->buffer, &idx, key, der->length)
|
||||||
!= 0) {
|
!= 0) {
|
||||||
#ifdef HAVE_ECC
|
#ifdef HAVE_ECC
|
||||||
/* could have DER ECC (or pkcs8 ecc), no easy way to tell */
|
/* could have DER ECC (or pkcs8 ecc), no easy way to tell */
|
||||||
@@ -3169,7 +3152,8 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
|||||||
ecc_key key;
|
ecc_key key;
|
||||||
|
|
||||||
wc_ecc_init(&key);
|
wc_ecc_init(&key);
|
||||||
if (wc_EccPrivateKeyDecode(der.buffer,&idx,&key,der.length) != 0) {
|
if (wc_EccPrivateKeyDecode(der->buffer, &idx, &key,
|
||||||
|
der->length) != 0) {
|
||||||
wc_ecc_free(&key);
|
wc_ecc_free(&key);
|
||||||
return SSL_BAD_FILE;
|
return SSL_BAD_FILE;
|
||||||
}
|
}
|
||||||
@@ -3197,7 +3181,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
WOLFSSL_MSG("Checking cert signature type");
|
WOLFSSL_MSG("Checking cert signature type");
|
||||||
InitDecodedCert(cert, der.buffer, der.length, heap);
|
InitDecodedCert(cert, der->buffer, der->length, heap);
|
||||||
|
|
||||||
if (DecodeToKey(cert, 0) < 0) {
|
if (DecodeToKey(cert, 0) < 0) {
|
||||||
WOLFSSL_MSG("Decode to key failed");
|
WOLFSSL_MSG("Decode to key failed");
|
||||||
@@ -3422,7 +3406,7 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
|
|||||||
long sz, int format)
|
long sz, int format)
|
||||||
{
|
{
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
DerBuffer der;
|
DerBuffer* der = NULL;
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
DecodedCert* cert = NULL;
|
DecodedCert* cert = NULL;
|
||||||
#else
|
#else
|
||||||
@@ -3431,11 +3415,6 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
|
|||||||
|
|
||||||
WOLFSSL_ENTER("wolfSSL_CertManagerVerifyBuffer");
|
WOLFSSL_ENTER("wolfSSL_CertManagerVerifyBuffer");
|
||||||
|
|
||||||
ret = InitDer(&der);
|
|
||||||
if (ret < 0) {
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap,
|
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap,
|
||||||
DYNAMIC_TYPE_TMP_BUFFER);
|
DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
@@ -3465,7 +3444,7 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
|
|||||||
info->consumed = 0;
|
info->consumed = 0;
|
||||||
|
|
||||||
ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, info, &eccKey);
|
ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, info, &eccKey);
|
||||||
InitDecodedCert(cert, der.buffer, der.length, cm->heap);
|
InitDecodedCert(cert, der->buffer, der->length, cm->heap);
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
XFREE(info, cm->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
XFREE(info, cm->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
@@ -4240,7 +4219,7 @@ int wolfSSL_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz)
|
|||||||
int ecc = 0;
|
int ecc = 0;
|
||||||
long sz = 0;
|
long sz = 0;
|
||||||
XFILE file = XFOPEN(fileName, "rb");
|
XFILE file = XFOPEN(fileName, "rb");
|
||||||
DerBuffer converted;
|
DerBuffer* converted = NULL;
|
||||||
|
|
||||||
WOLFSSL_ENTER("wolfSSL_PemCertToDer");
|
WOLFSSL_ENTER("wolfSSL_PemCertToDer");
|
||||||
|
|
||||||
@@ -4264,39 +4243,36 @@ int wolfSSL_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
ret = InitDer(&converted);
|
if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0) {
|
||||||
if (ret == 0) {
|
ret = SSL_BAD_FILE;
|
||||||
if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0) {
|
|
||||||
ret = SSL_BAD_FILE;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
|
||||||
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
|
|
||||||
DYNAMIC_TYPE_TMP_BUFFER);
|
|
||||||
if (info == NULL)
|
|
||||||
ret = MEMORY_E;
|
|
||||||
else
|
|
||||||
#endif
|
|
||||||
{
|
|
||||||
ret = PemToDer(fileBuf, sz, CA_TYPE, &converted,
|
|
||||||
0, info, &ecc);
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
|
||||||
XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ret == 0) {
|
|
||||||
if (converted.length < (word32)derSz) {
|
|
||||||
XMEMCPY(derBuf, converted.buffer, converted.length);
|
|
||||||
ret = converted.length;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
ret = BUFFER_E;
|
|
||||||
}
|
|
||||||
|
|
||||||
FreeDer(&converted);
|
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
|
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
|
||||||
|
DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
|
if (info == NULL)
|
||||||
|
ret = MEMORY_E;
|
||||||
|
else
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
ret = PemToDer(fileBuf, sz, CA_TYPE, &converted,
|
||||||
|
0, info, &ecc);
|
||||||
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
|
XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ret == 0) {
|
||||||
|
if (converted->length < (word32)derSz) {
|
||||||
|
XMEMCPY(derBuf, converted->buffer, converted->length);
|
||||||
|
ret = converted->length;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
ret = BUFFER_E;
|
||||||
|
}
|
||||||
|
|
||||||
|
FreeDer(&converted);
|
||||||
}
|
}
|
||||||
|
|
||||||
XFCLOSE(file);
|
XFCLOSE(file);
|
||||||
@@ -4325,7 +4301,7 @@ int wolfSSL_PemPubKeyToDer(const char* fileName,
|
|||||||
int ret = 0;
|
int ret = 0;
|
||||||
long sz = 0;
|
long sz = 0;
|
||||||
XFILE file = XFOPEN(fileName, "rb");
|
XFILE file = XFOPEN(fileName, "rb");
|
||||||
DerBuffer converted;
|
DerBuffer* converted = NULL;
|
||||||
|
|
||||||
WOLFSSL_ENTER("wolfSSL_PemPubKeyToDer");
|
WOLFSSL_ENTER("wolfSSL_PemPubKeyToDer");
|
||||||
|
|
||||||
@@ -4348,25 +4324,22 @@ int wolfSSL_PemPubKeyToDer(const char* fileName,
|
|||||||
dynamic = 1;
|
dynamic = 1;
|
||||||
}
|
}
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
ret = InitDer(&converted);
|
if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0)
|
||||||
|
ret = SSL_BAD_FILE;
|
||||||
|
else
|
||||||
|
ret = PemToDer(fileBuf, sz, PUBLICKEY_TYPE, &converted,
|
||||||
|
0, NULL, NULL);
|
||||||
|
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0)
|
if (converted->length < (word32)derSz) {
|
||||||
ret = SSL_BAD_FILE;
|
XMEMCPY(derBuf, converted->buffer, converted->length);
|
||||||
else
|
ret = converted->length;
|
||||||
ret = PemToDer(fileBuf, sz, PUBLICKEY_TYPE, &converted,
|
|
||||||
0, NULL, NULL);
|
|
||||||
|
|
||||||
if (ret == 0) {
|
|
||||||
if (converted.length < (word32)derSz) {
|
|
||||||
XMEMCPY(derBuf, converted.buffer, converted.length);
|
|
||||||
ret = converted.length;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
ret = BUFFER_E;
|
|
||||||
}
|
}
|
||||||
|
else
|
||||||
FreeDer(&converted);
|
ret = BUFFER_E;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
FreeDer(&converted);
|
||||||
}
|
}
|
||||||
|
|
||||||
XFCLOSE(file);
|
XFCLOSE(file);
|
||||||
@@ -4382,8 +4355,8 @@ int wolfSSL_PemPubKeyToDer(const char* fileName,
|
|||||||
int wolfSSL_PubKeyPemToDer(const unsigned char* pem, int pemSz,
|
int wolfSSL_PubKeyPemToDer(const unsigned char* pem, int pemSz,
|
||||||
unsigned char* buff, int buffSz)
|
unsigned char* buff, int buffSz)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
DerBuffer der;
|
DerBuffer* der = NULL;
|
||||||
|
|
||||||
WOLFSSL_ENTER("wolfSSL_PubKeyPemToDer");
|
WOLFSSL_ENTER("wolfSSL_PubKeyPemToDer");
|
||||||
|
|
||||||
@@ -4392,19 +4365,14 @@ int wolfSSL_PubKeyPemToDer(const unsigned char* pem, int pemSz,
|
|||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = InitDer(&der);
|
|
||||||
if (ret < 0) {
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = PemToDer(pem, pemSz, PUBLICKEY_TYPE, &der, NULL, NULL, NULL);
|
ret = PemToDer(pem, pemSz, PUBLICKEY_TYPE, &der, NULL, NULL, NULL);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
WOLFSSL_MSG("Bad Pem To Der");
|
WOLFSSL_MSG("Bad Pem To Der");
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if (der.length <= (word32)buffSz) {
|
if (der->length <= (word32)buffSz) {
|
||||||
XMEMCPY(buff, der.buffer, der.length);
|
XMEMCPY(buff, der->buffer, der->length);
|
||||||
ret = der.length;
|
ret = der->length;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
WOLFSSL_MSG("Bad der length");
|
WOLFSSL_MSG("Bad der length");
|
||||||
@@ -6160,9 +6128,11 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
|
|||||||
|
|
||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
/* in case used set_accept_state after init */
|
/* in case used set_accept_state after init */
|
||||||
if (!havePSK && !haveAnon &&
|
if (!havePSK && !haveAnon &&
|
||||||
(ssl->buffers.certificate.buffer == NULL ||
|
(!ssl->buffers.certificate ||
|
||||||
ssl->buffers.key.buffer == NULL)) {
|
!ssl->buffers.certificate->buffer ||
|
||||||
|
!ssl->buffers.key ||
|
||||||
|
!ssl->buffers.key->buffer)) {
|
||||||
WOLFSSL_MSG("accept error: don't have server cert and key");
|
WOLFSSL_MSG("accept error: don't have server cert and key");
|
||||||
ssl->error = NO_PRIVATE_KEY;
|
ssl->error = NO_PRIVATE_KEY;
|
||||||
WOLFSSL_ERROR(ssl->error);
|
WOLFSSL_ERROR(ssl->error);
|
||||||
@@ -7414,9 +7384,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||||||
const unsigned char* buf,
|
const unsigned char* buf,
|
||||||
long sz, int format)
|
long sz, int format)
|
||||||
{
|
{
|
||||||
DerBuffer der;
|
DerBuffer* der = NULL;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
int weOwnDer = 0;
|
|
||||||
word32 pSz = MAX_DH_SIZE;
|
word32 pSz = MAX_DH_SIZE;
|
||||||
word32 gSz = MAX_DH_SIZE;
|
word32 gSz = MAX_DH_SIZE;
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
@@ -7430,8 +7399,12 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||||||
if (ctx == NULL || buf == NULL)
|
if (ctx == NULL || buf == NULL)
|
||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
|
|
||||||
der.buffer = (byte*)buf;
|
ret = AllocDer(&der, 0, DH_PARAM_TYPE, ctx->heap);
|
||||||
der.length = (word32)sz;
|
if (ret != 0) {
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
der->buffer = (byte*)buf;
|
||||||
|
der->length = (word32)sz;
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
p = (byte*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
p = (byte*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
@@ -7448,16 +7421,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||||||
ret = SSL_BAD_FILETYPE;
|
ret = SSL_BAD_FILETYPE;
|
||||||
else {
|
else {
|
||||||
if (format == SSL_FILETYPE_PEM) {
|
if (format == SSL_FILETYPE_PEM) {
|
||||||
ret = InitDer(&der);
|
FreeDer(&der);
|
||||||
if (ret == 0) {
|
ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap,
|
||||||
ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap,
|
NULL, NULL);
|
||||||
NULL, NULL);
|
|
||||||
weOwnDer = 1;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
if (wc_DhParamsLoad(der.buffer, der.length, p, &pSz, g, &gSz) < 0)
|
if (wc_DhParamsLoad(der->buffer, der->length, p, &pSz, g, &gSz) < 0)
|
||||||
ret = SSL_BAD_FILETYPE;
|
ret = SSL_BAD_FILETYPE;
|
||||||
else if (ssl)
|
else if (ssl)
|
||||||
ret = wolfSSL_SetTmpDH(ssl, p, pSz, g, gSz);
|
ret = wolfSSL_SetTmpDH(ssl, p, pSz, g, gSz);
|
||||||
@@ -7466,8 +7436,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (weOwnDer)
|
FreeDer(&der);
|
||||||
FreeDer(&der);
|
|
||||||
|
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
@@ -9796,8 +9765,8 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
|
|||||||
if (x509 == NULL || outSz == NULL)
|
if (x509 == NULL || outSz == NULL)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
*outSz = (int)x509->derCert.length;
|
*outSz = (int)x509->derCert->length;
|
||||||
return x509->derCert.buffer;
|
return x509->derCert->buffer;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -10011,7 +9980,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
|
|||||||
XFILE file;
|
XFILE file;
|
||||||
|
|
||||||
WOLFSSL_X509* x509 = NULL;
|
WOLFSSL_X509* x509 = NULL;
|
||||||
DerBuffer der;
|
DerBuffer* der = NULL;
|
||||||
|
|
||||||
WOLFSSL_ENTER("wolfSSL_X509_load_certificate");
|
WOLFSSL_ENTER("wolfSSL_X509_load_certificate");
|
||||||
|
|
||||||
@@ -10020,11 +9989,6 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
|
|||||||
(format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM))
|
(format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM))
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
ret = InitDer(&der);
|
|
||||||
if (ret < 0) {
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
file = XFOPEN(fname, "rb");
|
file = XFOPEN(fname, "rb");
|
||||||
if (file == XBADFILE)
|
if (file == XBADFILE)
|
||||||
return NULL;
|
return NULL;
|
||||||
@@ -10090,7 +10054,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
|
|||||||
else {
|
else {
|
||||||
ret = AllocDer(&der, (word32)sz, CERT_TYPE, NULL);
|
ret = AllocDer(&der, (word32)sz, CERT_TYPE, NULL);
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
XMEMCPY(der.buffer, fileBuffer, sz);
|
XMEMCPY(der->buffer, fileBuffer, sz);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -10099,7 +10063,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
|
|||||||
|
|
||||||
/* At this point we want `der` to have the certificate in DER format */
|
/* At this point we want `der` to have the certificate in DER format */
|
||||||
/* ready to be decoded. */
|
/* ready to be decoded. */
|
||||||
if (der.buffer != NULL) {
|
if (der != NULL && der->buffer != NULL) {
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
DecodedCert* cert = NULL;
|
DecodedCert* cert = NULL;
|
||||||
#else
|
#else
|
||||||
@@ -10112,7 +10076,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
|
|||||||
if (cert != NULL)
|
if (cert != NULL)
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
InitDecodedCert(cert, der.buffer, der.length, NULL);
|
InitDecodedCert(cert, der->buffer, der->length, NULL);
|
||||||
if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0) {
|
if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0) {
|
||||||
x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL,
|
x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL,
|
||||||
DYNAMIC_TYPE_X509);
|
DYNAMIC_TYPE_X509);
|
||||||
@@ -10899,19 +10863,17 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
|
|||||||
int result = SSL_FATAL_ERROR;
|
int result = SSL_FATAL_ERROR;
|
||||||
|
|
||||||
WOLFSSL_ENTER("wolfSSL_X509_STORE_add_cert");
|
WOLFSSL_ENTER("wolfSSL_X509_STORE_add_cert");
|
||||||
if (store != NULL && store->cm != NULL && x509 != NULL) {
|
if (store != NULL && store->cm != NULL && x509 != NULL
|
||||||
DerBuffer derCert;
|
&& x509->derCert != NULL) {
|
||||||
|
DerBuffer* derCert = NULL;
|
||||||
|
|
||||||
result = InitDer(&derCert);
|
result = AllocDer(&derCert, x509->derCert->length,
|
||||||
|
x509->derCert->type, NULL);
|
||||||
if (result == 0) {
|
if (result == 0) {
|
||||||
result = AllocDer(&derCert, x509->derCert.length,
|
/* AddCA() frees the buffer. */
|
||||||
x509->derCert.type, NULL);
|
XMEMCPY(derCert->buffer,
|
||||||
if (result == 0) {
|
x509->derCert->buffer, x509->derCert->length);
|
||||||
/* AddCA() frees the buffer. */
|
result = AddCA(store->cm, &derCert, WOLFSSL_USER_CA, 1);
|
||||||
XMEMCPY(derCert.buffer,
|
|
||||||
x509->derCert.buffer, x509->derCert.length);
|
|
||||||
result = AddCA(store->cm, &derCert, WOLFSSL_USER_CA, 1);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -11024,10 +10986,10 @@ void wolfSSL_X509_STORE_CTX_cleanup(WOLFSSL_X509_STORE_CTX* ctx)
|
|||||||
int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
|
int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
|
||||||
{
|
{
|
||||||
if (ctx != NULL && ctx->store != NULL && ctx->store->cm != NULL
|
if (ctx != NULL && ctx->store != NULL && ctx->store->cm != NULL
|
||||||
&& ctx->current_cert != NULL) {
|
&& ctx->current_cert != NULL && ctx->current_cert->derCert != NULL) {
|
||||||
return wolfSSL_CertManagerVerifyBuffer(ctx->store->cm,
|
return wolfSSL_CertManagerVerifyBuffer(ctx->store->cm,
|
||||||
ctx->current_cert->derCert.buffer,
|
ctx->current_cert->derCert->buffer,
|
||||||
ctx->current_cert->derCert.length,
|
ctx->current_cert->derCert->length,
|
||||||
SSL_FILETYPE_ASN1);
|
SSL_FILETYPE_ASN1);
|
||||||
}
|
}
|
||||||
return SSL_FATAL_ERROR;
|
return SSL_FATAL_ERROR;
|
||||||
@@ -11481,12 +11443,7 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
|
|||||||
int eccKey = 0;
|
int eccKey = 0;
|
||||||
WOLFSSL_CTX* ctx = ssl->ctx;
|
WOLFSSL_CTX* ctx = ssl->ctx;
|
||||||
WOLFSSL_X509* peer_cert = &ssl->peerCert;
|
WOLFSSL_X509* peer_cert = &ssl->peerCert;
|
||||||
DerBuffer fileDer;
|
DerBuffer* fileDer = NULL;
|
||||||
|
|
||||||
ret = InitDer(&fileDer);
|
|
||||||
if (ret < 0) {
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
file = XFOPEN(fname, "rb");
|
file = XFOPEN(fname, "rb");
|
||||||
if (file == XBADFILE)
|
if (file == XBADFILE)
|
||||||
@@ -11519,10 +11476,10 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
|
|||||||
(XFREAD(myBuffer, sz, 1, file) > 0) &&
|
(XFREAD(myBuffer, sz, 1, file) > 0) &&
|
||||||
(PemToDer(myBuffer, sz, CERT_TYPE,
|
(PemToDer(myBuffer, sz, CERT_TYPE,
|
||||||
&fileDer, ctx->heap, info, &eccKey) == 0) &&
|
&fileDer, ctx->heap, info, &eccKey) == 0) &&
|
||||||
(fileDer.length != 0) &&
|
(fileDer->length != 0) &&
|
||||||
(fileDer.length == peer_cert->derCert.length) &&
|
(fileDer->length == peer_cert->derCert->length) &&
|
||||||
(XMEMCMP(peer_cert->derCert.buffer, fileDer.buffer,
|
(XMEMCMP(peer_cert->derCert->buffer, fileDer->buffer,
|
||||||
fileDer.length) == 0))
|
fileDer->length) == 0))
|
||||||
{
|
{
|
||||||
ret = 0;
|
ret = 0;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1818,10 +1818,10 @@ struct WOLFSSL_CTX {
|
|||||||
buffer serverDH_G;
|
buffer serverDH_G;
|
||||||
#endif
|
#endif
|
||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
DerBuffer certificate;
|
DerBuffer* certificate;
|
||||||
DerBuffer certChain;
|
DerBuffer* certChain;
|
||||||
/* chain after self, in DER, with leading size for each cert */
|
/* chain after self, in DER, with leading size for each cert */
|
||||||
DerBuffer privateKey;
|
DerBuffer* privateKey;
|
||||||
WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */
|
WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */
|
||||||
#endif
|
#endif
|
||||||
Suites* suites; /* make dynamic, user may not need/set */
|
Suites* suites; /* make dynamic, user may not need/set */
|
||||||
@@ -1931,7 +1931,7 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
|||||||
word32 inSz, word16 sz);
|
word32 inSz, word16 sz);
|
||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
WOLFSSL_LOCAL
|
WOLFSSL_LOCAL
|
||||||
int AddCA(WOLFSSL_CERT_MANAGER* ctx, DerBuffer* der, int type, int verify);
|
int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify);
|
||||||
WOLFSSL_LOCAL
|
WOLFSSL_LOCAL
|
||||||
int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash);
|
int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash);
|
||||||
#endif
|
#endif
|
||||||
@@ -2193,9 +2193,9 @@ typedef struct Buffers {
|
|||||||
buffer serverDH_Priv;
|
buffer serverDH_Priv;
|
||||||
#endif
|
#endif
|
||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
DerBuffer certificate; /* WOLFSSL_CTX owns, unless we own */
|
DerBuffer* certificate; /* WOLFSSL_CTX owns, unless we own */
|
||||||
DerBuffer key; /* WOLFSSL_CTX owns, unless we own */
|
DerBuffer* key; /* WOLFSSL_CTX owns, unless we own */
|
||||||
DerBuffer certChain; /* WOLFSSL_CTX owns, unless we own */
|
DerBuffer* certChain; /* WOLFSSL_CTX owns, unless we own */
|
||||||
/* chain after self, in DER, with leading size for each cert */
|
/* chain after self, in DER, with leading size for each cert */
|
||||||
#endif
|
#endif
|
||||||
#ifdef WOLFSSL_DTLS
|
#ifdef WOLFSSL_DTLS
|
||||||
@@ -2373,7 +2373,7 @@ struct WOLFSSL_X509 {
|
|||||||
word32 pkCurveOID;
|
word32 pkCurveOID;
|
||||||
#endif /* HAVE_ECC */
|
#endif /* HAVE_ECC */
|
||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
DerBuffer derCert; /* may need */
|
DerBuffer* derCert; /* may need */
|
||||||
#endif
|
#endif
|
||||||
DNS_entry* altNames; /* alt names list */
|
DNS_entry* altNames; /* alt names list */
|
||||||
DNS_entry* altNamesNext; /* hint for retrieval */
|
DNS_entry* altNamesNext; /* hint for retrieval */
|
||||||
@@ -2697,12 +2697,11 @@ typedef struct EncryptedInfo {
|
|||||||
|
|
||||||
#ifndef NO_CERTS
|
#ifndef NO_CERTS
|
||||||
|
|
||||||
WOLFSSL_LOCAL int InitDer(DerBuffer* der);
|
WOLFSSL_LOCAL int AllocDer(DerBuffer** der, word32 length, int type, void* heap);
|
||||||
WOLFSSL_LOCAL int AllocDer(DerBuffer* der, word32 length, int type, void* heap);
|
WOLFSSL_LOCAL void FreeDer(DerBuffer** der);
|
||||||
WOLFSSL_LOCAL void FreeDer(DerBuffer* der);
|
|
||||||
|
|
||||||
WOLFSSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type,
|
WOLFSSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type,
|
||||||
DerBuffer* der, void* heap, EncryptedInfo* info,
|
DerBuffer** pDer, void* heap, EncryptedInfo* info,
|
||||||
int* eccKey);
|
int* eccKey);
|
||||||
|
|
||||||
WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format,
|
WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format,
|
||||||
|
|||||||
Reference in New Issue
Block a user