wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-03 04:34:41 +02:00
Code Issues Packages Projects Releases Wiki Activity

Support indefinite length BER encodings in PKCS #7

Browse Source
This commit is contained in:
Sean Parkinson
2018-02-19 13:40:18 +10:00
parent 7a2aa6bc13
commit d09f26a69f
8 changed files with 222 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
configure.ac
View File

@@ -217,6 +217,7 @@ then
enable_aeskeywrap=yes enable_aeskeywrap=yes
enable_x963kdf=yes enable_x963kdf=yes
enable_scrypt=yes enable_scrypt=yes
enable_indef=yes
AM_CFLAGS="-DHAVE_AES_DECRYPT $AM_CFLAGS" AM_CFLAGS="-DHAVE_AES_DECRYPT $AM_CFLAGS"
fi fi
@@ -2662,6 +2663,19 @@ fi
AM_CONDITIONAL([BUILD_SRP], [test "x$ENABLED_SRP" = "xyes"]) AM_CONDITIONAL([BUILD_SRP], [test "x$ENABLED_SRP" = "xyes"])
# Indefinite length encoded BER message support
AC_ARG_ENABLE([indef],
[AS_HELP_STRING([--enable-indef],[Enable parsing of indefinite length encoded msgs (default: disabled)])],
[ ENABLED_BER_INDEF=$enableval ],
[ ENABLED_BER_INDEF=no ]
)
if test "x$ENABLED_BER_INDEF" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DASN_BER_TO_DER"
fi
# Small Stack # Small Stack
AC_ARG_ENABLE([smallstack], AC_ARG_ENABLE([smallstack],
@@ -4247,6 +4261,7 @@ echo " * SIGNAL: $ENABLED_SIGNAL"
echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
echo " * DTLS: $ENABLED_DTLS" echo " * DTLS: $ENABLED_DTLS"
echo " * SCTP: $ENABLED_SCTP" echo " * SCTP: $ENABLED_SCTP"
echo " * Indefinite Length: $ENABLED_BER_INDEF"
echo " * Multicast: $ENABLED_MCAST" echo " * Multicast: $ENABLED_MCAST"
echo " * Old TLS Versions: $ENABLED_OLD_TLS" echo " * Old TLS Versions: $ENABLED_OLD_TLS"
echo " * SSL version 3.0: $ENABLED_SSLV3" echo " * SSL version 3.0: $ENABLED_SSLV3"

122
wolfcrypt/src/asn.c
View File

@@ -786,6 +786,128 @@ static word32 SetBitString(word32 len, byte unusedBits, byte* output)
} }
#endif /* !NO_RSA || HAVE_ECC || HAVE_ED25519 */ #endif /* !NO_RSA || HAVE_ECC || HAVE_ED25519 */
#ifdef ASN_BER_TO_DER
/* Convert a BER encoding with indefinite length items to DER.
*
* ber BER encoded data.
* length Length of BER encoded data.
* der Buffer to hold DER encoded version of data.
* NULL indicates only the length is required.
* returns the length of the DER data on success, ASN_PARSE_E if the BER data is
* invalid and BAD_FUNC_ARG if ber is NULL.
*/
int wc_BerToDer(byte* ber, word32 length, byte* der)
{
int ret;
word32 i, j, k;
int len, l;
int indef;
int depth = 1;
word32 cnt;
byte lenBytes[4];
if (ber == NULL)
return BAD_FUNC_ARG;
for (i = 0, j = 0; i < length; ) {
if (i + 1 >= length)
return ASN_PARSE_E;
if (ber[i] == 0 && ber[i+1] == 0) {
if (--depth == 0)
break;
i += 2;
continue;
}
indef = ber[i+1] == 0x80;
if (indef && ber[i] < 0x40 && ber[i] != 0x30 && ber[i] != 0x31) {
if (der != NULL)
der[j] = ber[i] & 0x1f;
i++; j++;
i++;
if (i + 1 >= length)
return ASN_PARSE_E;
len = 0;
k = i;
while (ber[k] != 0x00) {
k++;
ret = GetLength(ber, &k, &l, length);
if (ret < 0)
return ASN_PARSE_E;
k += l;
len += l;
if (k + 1 >= length)
return ASN_PARSE_E;
}
if (der == NULL) {
j += SetLength(len, lenBytes);
j += len;
}
else {
j += SetLength(len, der + j);
k = i;
while (ber[k] != 0x00) {
k++;
ret = GetLength(ber, &k, &l, length);
if (ret < 0)
return ASN_PARSE_E;
XMEMCPY(der + j, ber + k, l);
k += l; j += l;
}
}
i = k + 2;
continue;
}
if (der != NULL)
der[j] = ber[i];
i++; j++;
cnt = i;
ret = GetLength(ber, &cnt, &len, length);
if (ret < 0)
return ASN_PARSE_E;
cnt -= i;
if (der != NULL) {
for (k = 0; k < cnt; k++)
der[j + k] = ber[i + k];
}
i += cnt; j += cnt;
if (cnt == 0) {
i++;
len = wc_BerToDer(ber + i, length - i, NULL);
if (len < 0)
return len;
if (der != NULL)
j += SetLength(len, der + j);
else
j += SetLength(len, lenBytes);
}
if (!indef) {
if (i + len > length)
return ASN_PARSE_E;
if (der != NULL)
XMEMCPY(der + j, ber + i, len);
i += len;
j += len;
}
else
depth++;
}
return j;
}
#endif
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)
#if (!defined(NO_RSA) && !defined(HAVE_USER_RSA)) || \ #if (!defined(NO_RSA) && !defined(HAVE_USER_RSA)) || \

3
wolfcrypt/src/error.c
View File

@@ -449,6 +449,9 @@ const char* wc_GetErrorString(int error)
case PRIME_GEN_E: case PRIME_GEN_E:
return "Unable to find a prime for RSA key"; return "Unable to find a prime for RSA key";
case BER_INDEF_E:
return "Unable to decode an indefinite length encoded message";
default: default:
return "unknown error number"; return "unknown error number";

72
wolfcrypt/src/pkcs7.c
View File

@@ -338,6 +338,11 @@ void wc_PKCS7_Free(PKCS7* pkcs7)
return; return;
wc_PKCS7_FreeDecodedAttrib(pkcs7->decodedAttrib, pkcs7->heap); wc_PKCS7_FreeDecodedAttrib(pkcs7->decodedAttrib, pkcs7->heap);
#ifdef ASN_BER_TO_DER
if (pkcs7->der != NULL)
XFREE(pkcs7->der, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#endif
} }
@@ -1849,6 +1854,28 @@ int wc_PKCS7_VerifySignedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz)
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
if (length == 0 && pkiMsg[idx-1] == 0x80) {
#ifdef ASN_BER_TO_DER
int len;
len = wc_BerToDer(pkiMsg, pkiMsgSz, NULL);
if (len < 0)
return len;
pkcs7->der = XMALLOC(len, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
if (pkcs7->der == NULL)
return MEMORY_E;
wc_BerToDer(pkiMsg, pkiMsgSz, pkcs7->der);
pkiMsg = pkcs7->der;
pkiMsgSz = len;
idx = 0;
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
#else
return BER_INDEF_E;
#endif
}
/* Get the contentInfo contentType */ /* Get the contentInfo contentType */
if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0) if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
@@ -4299,6 +4326,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
int encryptedContentSz; int encryptedContentSz;
byte padLen; byte padLen;
byte* encryptedContent = NULL; byte* encryptedContent = NULL;
int explicitOctet;
if (pkcs7 == NULL || pkcs7->singleCert == NULL || if (pkcs7 == NULL || pkcs7->singleCert == NULL ||
pkcs7->singleCertSz == 0 || pkcs7->privateKey == NULL || pkcs7->singleCertSz == 0 || pkcs7->privateKey == NULL ||
@@ -4313,6 +4341,28 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
if (length == 0 && pkiMsg[idx-1] == 0x80) {
#ifdef ASN_BER_TO_DER
int len;
len = wc_BerToDer(pkiMsg, pkiMsgSz, NULL);
if (len < 0)
return len;
pkcs7->der = XMALLOC(len, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
if (pkcs7->der == NULL)
return MEMORY_E;
wc_BerToDer(pkiMsg, pkiMsgSz, pkcs7->der);
pkiMsg = pkcs7->der;
pkiMsgSz = len;
idx = 0;
if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
return ASN_PARSE_E;
#else
return BER_INDEF_E;
#endif
}
if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0) if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
@@ -4435,8 +4485,27 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
XMEMCPY(tmpIv, &pkiMsg[idx], length); XMEMCPY(tmpIv, &pkiMsg[idx], length);
idx += length; idx += length;
explicitOctet = pkiMsg[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0);
/* read encryptedContent, cont[0] */ /* read encryptedContent, cont[0] */
if (pkiMsg[idx++] != (ASN_CONTEXT_SPECIFIC | 0)) { if (pkiMsg[idx] != (ASN_CONTEXT_SPECIFIC | 0) &&
pkiMsg[idx] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0)) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7);
#endif
return ASN_PARSE_E;
}
idx++;
if (GetLength(pkiMsg, &idx, &encryptedContentSz, pkiMsgSz) <= 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7);
#endif
return ASN_PARSE_E;
}
if (explicitOctet) {
if (pkiMsg[idx++] != ASN_OCTET_STRING) {
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7);
#endif #endif
@@ -4449,6 +4518,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
#endif #endif
return ASN_PARSE_E; return ASN_PARSE_E;
} }
}
encryptedContent = (byte*)XMALLOC(encryptedContentSz, pkcs7->heap, encryptedContent = (byte*)XMALLOC(encryptedContentSz, pkcs7->heap,
DYNAMIC_TYPE_PKCS7); DYNAMIC_TYPE_PKCS7);

3
wolfcrypt/test/test.c
View File

@@ -16702,6 +16702,9 @@ int pkcs7encrypted_test(void)
pkcs7.unprotectedAttribs = testVectors[i].attribs; pkcs7.unprotectedAttribs = testVectors[i].attribs;
pkcs7.unprotectedAttribsSz = testVectors[i].attribsSz; pkcs7.unprotectedAttribsSz = testVectors[i].attribsSz;
pkcs7.heap = HEAP_HINT; pkcs7.heap = HEAP_HINT;
#ifdef ASN_BER_TO_DER
pkcs7.der = NULL;
#endif
/* encode encryptedData */ /* encode encryptedData */
encryptedSz = wc_PKCS7_EncodeEncryptedData(&pkcs7, encrypted, encryptedSz = wc_PKCS7_EncodeEncryptedData(&pkcs7, encrypted,

2
wolfssl/wolfcrypt/asn.h
View File

@@ -765,6 +765,8 @@ struct TrustedPeerCert {
#define WOLFSSL_ASN_API WOLFSSL_LOCAL #define WOLFSSL_ASN_API WOLFSSL_LOCAL
#endif #endif
WOLFSSL_ASN_API int wc_BerToDer(byte* ber, word32 length, byte* der);
WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*); WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*);
#ifndef IGNORE_NAME_CONSTRAINTS #ifndef IGNORE_NAME_CONSTRAINTS
WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*); WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*);

4
wolfssl/wolfcrypt/error-crypt.h
View File

@@ -198,7 +198,9 @@ enum {
PSS_SALTLEN_E = -250, /* PSS length of salt is to long for hash */ PSS_SALTLEN_E = -250, /* PSS length of salt is to long for hash */
PRIME_GEN_E = -251, /* Failure finding a prime. */ PRIME_GEN_E = -251, /* Failure finding a prime. */
WC_LAST_E = -251, /* Update this to indicate last error */ BER_INDEF_E = -252, /* Cannot decode indefinite length BER. */
WC_LAST_E = -252, /* Update this to indicate last error */
MIN_CODE_E = -300 /* errors -101 - -299 */ MIN_CODE_E = -300 /* errors -101 - -299 */
/* add new companion error id strings for any new error codes /* add new companion error id strings for any new error codes

3
wolfssl/wolfcrypt/pkcs7.h
View File

@@ -100,6 +100,9 @@ typedef struct PKCS7 {
byte* issuer; /* issuer name of singleCert */ byte* issuer; /* issuer name of singleCert */
byte* privateKey; /* private key, DER, not owner */ byte* privateKey; /* private key, DER, not owner */
void* heap; /* heap hint for dynamic memory */ void* heap; /* heap hint for dynamic memory */
#ifdef ASN_BER_TO_DER
byte* der; /* DER encoded version of message */
#endif
byte* cert[MAX_PKCS7_CERTS]; byte* cert[MAX_PKCS7_CERTS];
/* Encrypted-data Content Type */ /* Encrypted-data Content Type */