From b247b4565c663852e242cceb6518a3efb4b17257 Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Mon, 7 Oct 2019 11:15:55 -0700 Subject: [PATCH 1/8] Fixes for build warnings with apache httpd --- src/ssl.c | 4 ++-- tests/api.c | 2 +- wolfssl/ssl.h | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index d4067db5d..3c0db2fdd 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -20061,7 +20061,7 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b) #ifndef NO_WOLFSSL_STUB WOLFSSL_ASN1_STRING* wolfSSL_d2i_DISPLAYTEXT(WOLFSSL_ASN1_STRING **asn, - unsigned char **in, long len) + const unsigned char **in, long len) { WOLFSSL_STUB("d2i_DISPLAYTEXT"); (void)asn; @@ -24445,7 +24445,7 @@ const WOLFSSL_X509_ALGOR* wolfSSL_X509_get0_tbs_sigalg(const WOLFSSL_X509 *x509) } /* Sets paobj pointer to X509_ALGOR signature algorithm */ -void wolfSSL_X509_ALGOR_get0(WOLFSSL_ASN1_OBJECT **paobj, int *pptype, +void wolfSSL_X509_ALGOR_get0(const WOLFSSL_ASN1_OBJECT **paobj, int *pptype, const void **ppval, const WOLFSSL_X509_ALGOR *algor) { (void)pptype; diff --git a/tests/api.c b/tests/api.c index ab95d98a4..372654493 100644 --- a/tests/api.c +++ b/tests/api.c @@ -21836,7 +21836,7 @@ static void test_wolfSSL_X509_ALGOR_get0(void) { #if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD)) && !defined(NO_SHA256) X509* x509 = NULL; - ASN1_OBJECT* obj = NULL; + const ASN1_OBJECT* obj = NULL; const X509_ALGOR* alg; printf(testingFmt, "wolfSSL_X509_ALGOR_get0"); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 3b66a279b..3e655707c 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1280,7 +1280,7 @@ WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_X509_NAME_ENTRY_get_data(WOLFSSL_X509_N WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_new(void); WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_ASN1_STRING_type_new(int type); WOLFSSL_API int wolfSSL_ASN1_STRING_type(const WOLFSSL_ASN1_STRING* asn1); -WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_d2i_DISPLAYTEXT(WOLFSSL_ASN1_STRING **asn, unsigned char **in, long len); +WOLFSSL_API WOLFSSL_ASN1_STRING* wolfSSL_d2i_DISPLAYTEXT(WOLFSSL_ASN1_STRING **asn, const unsigned char **in, long len); WOLFSSL_API void wolfSSL_ASN1_STRING_free(WOLFSSL_ASN1_STRING* asn1); WOLFSSL_API int wolfSSL_ASN1_STRING_set(WOLFSSL_ASN1_STRING* asn1, const void* data, int dataSz); @@ -3579,7 +3579,7 @@ WOLFSSL_API size_t SSL_get_peer_finished(const WOLFSSL *s, void *buf, size_t cou WOLFSSL_API int SSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, unsigned int sid_len); WOLFSSL_API int SSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len); WOLFSSL_API const WOLFSSL_X509_ALGOR* wolfSSL_X509_get0_tbs_sigalg(const WOLFSSL_X509 *x); -WOLFSSL_API void wolfSSL_X509_ALGOR_get0(WOLFSSL_ASN1_OBJECT **paobj, int *pptype, const void **ppval, const WOLFSSL_X509_ALGOR *algor); +WOLFSSL_API void wolfSSL_X509_ALGOR_get0(const WOLFSSL_ASN1_OBJECT **paobj, int *pptype, const void **ppval, const WOLFSSL_X509_ALGOR *algor); WOLFSSL_API WOLFSSL_X509_PUBKEY *wolfSSL_X509_get_X509_PUBKEY(const WOLFSSL_X509* x509); WOLFSSL_API int wolfSSL_X509_PUBKEY_get0_param(WOLFSSL_ASN1_OBJECT **ppkalg, const unsigned char **pk, int *ppklen, void **pa, WOLFSSL_X509_PUBKEY *pub); WOLFSSL_API int i2t_ASN1_OBJECT(char *buf, int buf_len, WOLFSSL_ASN1_OBJECT *a); From 98b8cd35d863fc75e16d3602641a113b13939162 Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Mon, 7 Oct 2019 11:29:35 -0700 Subject: [PATCH 2/8] Add ALT_NAMES_OID to switch in wolfSSL_X509_set_ext and update X509V3_EXT_print --- src/ssl.c | 98 +++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 92 insertions(+), 6 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 3c0db2fdd..76e4082d8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -7463,6 +7463,7 @@ int wolfSSL_X509_get_ext_count(const WOLFSSL_X509* passedCert) sz = cert.extensionsSz; if (input == NULL || sz == 0) { + WOLFSSL_MSG("\tsz or input NULL error"); FreeDecodedCert(&cert); return WOLFSSL_FAILURE; } @@ -7922,6 +7923,67 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) ext->crit = x509->CRLdistCrit; break; + case ALT_NAMES_OID: + if (!isSet) + break; + + WOLFSSL_GENERAL_NAME* gn = NULL; + DNS_entry* dns = NULL; + sk = (WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)*)XMALLOC( + sizeof(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)), NULL, + DYNAMIC_TYPE_ASN1); + if (sk == NULL) { + return NULL; + } + XMEMSET(sk, 0, sizeof(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME))); + sk->type = STACK_TYPE_GEN_NAME; + + if (x509->subjAltNameSet && x509->altNames != NULL) { + /* alt names are DNS_entry structs */ + dns = x509->altNames; + /* Currenlty only support GEN_DNS type */ + while (dns != NULL) { + gn = wolfSSL_GENERAL_NAME_new(); + if (gn == NULL) { + WOLFSSL_MSG("Error creating GENERAL_NAME"); + wolfSSL_sk_free(sk); + return NULL; + } + + gn->type = dns->type; + gn->d.ia5->length = (int)XSTRLEN(dns->name); + if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, + gn->d.ia5->length) != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("ASN1_STRING_set failed"); + wolfSSL_GENERAL_NAME_free(gn); + wolfSSL_sk_free(sk); + return NULL; + } + + dns = dns->next; + /* last dns in list add at end of function */ + if (dns != NULL) { + if (wolfSSL_sk_GENERAL_NAME_push(sk, gn) != + WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Error pushing ASN1 object onto stack"); + wolfSSL_GENERAL_NAME_free(gn); + wolfSSL_sk_free(sk); + sk = NULL; + } + } + } + if (wolfSSL_sk_GENERAL_NAME_push(sk,gn) != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Error pushing ASN1 object onto stack"); + wolfSSL_GENERAL_NAME_free(gn); + wolfSSL_sk_free(sk); + sk = NULL; + } + } + ext->ext_sk = sk; + ext->crit = x509->subjAltNameCrit; + + break; + default: WOLFSSL_MSG("Unknown extension type found, parsing OID"); /* If the extension type is not recognized/supported, @@ -8024,14 +8086,38 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, unsigned long flag, int indent) { int rc = WOLFSSL_FAILURE; + int nid; char tmp[CTC_NAME_SIZE*2]; + ASN1_OBJECT* obj; + ASN1_STRING* str; + WOLFSSL_ENTER("wolfSSL_X509V3_EXT_print"); - if ((out != NULL) && (ext != NULL)) { + if ((out == NULL) || (ext == NULL)) { + WOLFSSL_MSG("NULL parameter error"); + return rc; + } - XSNPRINTF(tmp, CTC_NAME_SIZE*2, "%*s%s", indent, "", ext->value.strData); - if (wolfSSL_BIO_write(out, tmp, (int)XSTRLEN(tmp)) == (int)XSTRLEN(tmp)) { - rc = WOLFSSL_SUCCESS; - } + obj = wolfSSL_X509_EXTENSION_get_object(ext); + if (obj == NULL) { + WOLFSSL_MSG("Error getting ASN1_OBJECT from X509_EXTENSION"); + return rc; + } + + nid = wolfSSL_OBJ_obj2nid(obj); + + /* TODO: may need to add other multi-value extensions to switch */ + switch(nid) { + case ALT_NAMES_OID: + /* ASN1_STRING is GENERAL_NAME */ + str = ext->ext_sk->data.gn->d.ia5; + break; + default: + str = &ext->value; + } + + XSNPRINTF(tmp, CTC_NAME_SIZE*2, "%*s%s", indent, "", str->strData); + if (wolfSSL_BIO_write(out, tmp, (int)XSTRLEN(tmp)) == (int)XSTRLEN(tmp)) { + rc = WOLFSSL_SUCCESS; } (void) flag; @@ -38241,7 +38327,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) unsigned char out[MAX_OID_SZ]; unsigned int sum = 0; - WOLFSSL_ENTER("wolfSSL_OBJ_txt2nid"); + WOLFSSL_ENTER("wolfSSL_OBJ_txt2obj"); if (s == NULL) return NULL; From 136bc458573cc8bd69663b509d201875e5dd2616 Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Mon, 7 Oct 2019 11:36:00 -0700 Subject: [PATCH 3/8] Update wolfSSL_X509_NAME_print_ex for printing X509_NAME in reverse order --- src/ssl.c | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++- wolfssl/ssl.h | 5 ++- 2 files changed, 95 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 76e4082d8..9b31186b1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -40513,10 +40513,66 @@ void wolfSSL_sk_X509_NAME_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) XFREE(sk, sk->heap, DYNAMIC_TYPE_OPENSSL); } +#if defined(WOLFSSL_APACHE_HTTPD) +/* Helper function for X509_NAME_print_ex. Sets *buf to string for domain + name attribute based on NID. Returns size of buf */ +int get_dn_attr_by_nid(int n, char** buf) +{ + int len = 0; + const char *str; + + switch(n) + { + case NID_commonName : + str = "CN"; + len = 2; + break; + case NID_countryName: + str = "C"; + len = 1; + break; + case NID_localityName: + str = "L"; + len = 1; + break; + case NID_stateOrProvinceName: + str = "ST"; + len = 2; + break; + case NID_organizationName: + str = "O"; + len = 1; + break; + case NID_organizationalUnitName: + str = "OU"; + len = 2; + break; + case NID_emailAddress: + str = "emailAddress"; + len = 12; + break; + default: + WOLFSSL_MSG("Attribute type not found"); + str = NULL; + + } + if (buf != NULL) + *buf = (char*)str; + return len; +} +#endif int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, int indent, unsigned long flags) { +#if defined(WOLFSSL_APACHE_HTTPD) + int count = 0, len = 0, totalSz = 0, tmpSz = 0; + char tmp[ASN_NAME_MAX]; + char fullName[ASN_NAME_MAX]; + char *buf = NULL; + WOLFSSL_X509_NAME_ENTRY* ne; + WOLFSSL_ASN1_STRING* str; +#endif int i; (void)flags; WOLFSSL_ENTER("wolfSSL_X509_NAME_print_ex"); @@ -40526,7 +40582,41 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, return WOLFSSL_FAILURE; } - if (flags == XN_FLAG_RFC2253) { + /* If XN_FLAG_DN_REV is present, print X509_NAME in reverse order */ + if (flags == (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)) { +#if defined(WOLFSSL_APACHE_HTTPD) + fullName[0] = '\0'; + count = wolfSSL_X509_NAME_entry_count(name); + for (i = 0; i < count; i++) { + ne = wolfSSL_X509_NAME_get_entry(name, count - i - 1); + if (ne == NULL) + return WOLFSSL_FAILURE; + + str = wolfSSL_X509_NAME_ENTRY_get_data(ne); + if (str == NULL) + return WOLFSSL_FAILURE; + + len = get_dn_attr_by_nid(ne->nid, &buf); + if (len == 0 || buf == NULL) + return WOLFSSL_FAILURE; + + tmpSz = str->length + len + 2; + if (i < count - 1) { + XSNPRINTF(tmp, tmpSz+1, "%s=%s,", buf, str->data); + XSTRNCAT(fullName, tmp, tmpSz); + } + else { + XSNPRINTF(tmp, tmpSz, "%s=%s", buf, str->data); + XSTRNCAT(fullName, tmp, tmpSz-1); + } + totalSz += tmpSz; + } + if (wolfSSL_BIO_write(bio, fullName, totalSz) != totalSz) + return WOLFSSL_FAILURE; + return WOLFSSL_SUCCESS; +#endif + } + else if (flags == XN_FLAG_RFC2253) { if (wolfSSL_BIO_write(bio, name->name + 1, name->sz - 2) != name->sz - 2) return WOLFSSL_FAILURE; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 3e655707c..15d2e4578 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1666,6 +1666,7 @@ enum { XN_FLAG_SEP_CPLUS_SPC = (2 << 16), XN_FLAG_ONELINE = 0, XN_FLAG_RFC2253 = 1, + XN_FLAG_DN_REV = (1 << 20), CRYPTO_LOCK = 1, CRYPTO_NUM_LOCKS = 10, @@ -3346,7 +3347,9 @@ WOLFSSL_API void wolfSSL_sk_X509_NAME_pop_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* void f (WOLFSSL_X509_NAME*)); WOLFSSL_API void wolfSSL_sk_X509_NAME_free(WOLF_STACK_OF(WOLFSSL_X509_NAME) *); - +#if defined(WOLFSSL_APACHE_HTTPD) +WOLFSSL_API int get_dn_attr_by_nid(int n, char** buf); +#endif WOLFSSL_API int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO*,WOLFSSL_X509_NAME*,int, unsigned long); From d89f9ddc425672374d58b522fe08089e841b91f7 Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Wed, 9 Oct 2019 11:10:27 -0700 Subject: [PATCH 4/8] Update X509V3_EXT_print for different extension types --- src/ssl.c | 77 ++++++++++++++++++++++++++++++++++++++++++----------- tests/api.c | 12 ++++++++- 2 files changed, 73 insertions(+), 16 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 9b31186b1..f1bef9c8d 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2575,7 +2575,7 @@ long wolfSSL_SSL_get_secure_renegotiation_support(WOLFSSL* ssl) { WOLFSSL_ENTER("wolfSSL_SSL_get_secure_renegotiation_support"); - if (!ssl) + if (!ssl || !ssl->secure_renegotiation) return WOLFSSL_FAILURE; return ssl->secure_renegotiation->enabled; } @@ -8085,11 +8085,12 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, unsigned long flag, int indent) { - int rc = WOLFSSL_FAILURE; - int nid; - char tmp[CTC_NAME_SIZE*2]; ASN1_OBJECT* obj; ASN1_STRING* str; + int nid; + int sz = CTC_NAME_SIZE*2; + int rc = WOLFSSL_FAILURE; + char tmp[sz]; WOLFSSL_ENTER("wolfSSL_X509V3_EXT_print"); if ((out == NULL) || (ext == NULL)) { @@ -8103,19 +8104,65 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, return rc; } - nid = wolfSSL_OBJ_obj2nid(obj); - - /* TODO: may need to add other multi-value extensions to switch */ - switch(nid) { - case ALT_NAMES_OID: - /* ASN1_STRING is GENERAL_NAME */ - str = ext->ext_sk->data.gn->d.ia5; - break; - default: - str = &ext->value; + str = wolfSSL_X509_EXTENSION_get_data(ext); + if (obj == NULL) { + WOLFSSL_MSG("Error getting ASN1_STRING from X509_EXTENSION"); + return rc; + } + + /* Print extension based on the type */ + nid = wolfSSL_OBJ_obj2nid(obj); + switch(nid) { + case BASIC_CA_OID: + { + char isCa[] = "TRUE"; + char notCa[] = "FALSE"; + XSNPRINTF(tmp, sz, "%*sCA:%s", indent, "", + obj->ca ? isCa : notCa); + break; + } + case ALT_NAMES_OID: + { + WOLFSSL_STACK* sk; + char val[sz]; + tmp[0] = '\0'; /* Make sure tmp is null-terminated */ + + sk = ext->ext_sk; + while (sk != NULL) { + /* str is GENERAL_NAME for subject alternative name ext */ + str = sk->data.gn->d.ia5; + if (sk->next) + XSNPRINTF(val, sz, "%*s%s, ", indent, "", str->strData); + else + XSNPRINTF(val, sz, "%*s%s", indent, "", str->strData); + + XSTRNCAT(tmp, val, sz); + sk = sk->next; + } + break; + } + + case AUTH_KEY_OID: + case SUBJ_KEY_OID: + { + char* asn1str; + asn1str = wolfSSL_i2s_ASN1_STRING(NULL, str); + XSNPRINTF(tmp, sz, "%*s%s", indent, "", asn1str); + XFREE(asn1str, NULL, DYNAMIC_TYPE_TMP_BUFFER); + break; + } + + case AUTH_INFO_OID: + case CERT_POLICY_OID: + case CRL_DIST_OID: + case KEY_USAGE_OID: + WOLFSSL_MSG("X509V3_EXT_print not yet implemented for ext type"); + break; + + default: + XSNPRINTF(tmp, sz, "%*s%s", indent, "", str->strData); } - XSNPRINTF(tmp, CTC_NAME_SIZE*2, "%*s%s", indent, "", str->strData); if (wolfSSL_BIO_write(out, tmp, (int)XSTRLEN(tmp)) == (int)XSTRLEN(tmp)) { rc = WOLFSSL_SUCCESS; } diff --git a/tests/api.c b/tests/api.c index 372654493..98ad102cc 100644 --- a/tests/api.c +++ b/tests/api.c @@ -25028,11 +25028,21 @@ static void test_wolfSSL_X509V3_EXT_print(void) AssertNotNull(x509 = wolfSSL_PEM_read_X509(f, NULL, NULL, NULL)); fclose(f); + AssertNotNull(bio = wolfSSL_BIO_new(BIO_s_mem())); + loc = wolfSSL_X509_get_ext_by_NID(x509, NID_basic_constraints, -1); AssertIntGT(loc, -1); AssertNotNull(ext = wolfSSL_X509_get_ext(x509, loc)); - AssertNotNull(bio = wolfSSL_BIO_new(BIO_s_mem())); + AssertIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_SUCCESS); + loc = wolfSSL_X509_get_ext_by_NID(x509, NID_subject_key_identifier, -1); + AssertIntGT(loc, -1); + AssertNotNull(ext = wolfSSL_X509_get_ext(x509, loc)); + AssertIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_SUCCESS); + + loc = wolfSSL_X509_get_ext_by_NID(x509, NID_authority_key_identifier, -1); + AssertIntGT(loc, -1); + AssertNotNull(ext = wolfSSL_X509_get_ext(x509, loc)); AssertIntEQ(wolfSSL_X509V3_EXT_print(bio, ext, 0, 0), WOLFSSL_SUCCESS); wolfSSL_BIO_free(bio); From 2312d0e12523c2917429090b541bc283c5b28bd5 Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Wed, 9 Oct 2019 12:54:23 -0700 Subject: [PATCH 5/8] Dynamically allocate buffer in wolfSSL_X509V3_EXT_print --- src/ssl.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index f1bef9c8d..5f4cf3c85 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -8124,19 +8124,24 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, case ALT_NAMES_OID: { WOLFSSL_STACK* sk; - char val[sz]; + char* val; + int len; tmp[0] = '\0'; /* Make sure tmp is null-terminated */ sk = ext->ext_sk; while (sk != NULL) { /* str is GENERAL_NAME for subject alternative name ext */ str = sk->data.gn->d.ia5; + len = str->length + 2; /* + 2 for NULL char and "," */ + val = (char*)XMALLOC(len + indent, NULL, + DYNAMIC_TYPE_TMP_BUFFER); if (sk->next) - XSNPRINTF(val, sz, "%*s%s, ", indent, "", str->strData); + XSNPRINTF(val, len, "%*s%s, ", indent, "", str->strData); else - XSNPRINTF(val, sz, "%*s%s", indent, "", str->strData); + XSNPRINTF(val, len, "%*s%s", indent, "", str->strData); XSTRNCAT(tmp, val, sz); + XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); sk = sk->next; } break; From d137cab42713fbcbfb43894a5b24ceaba213a873 Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Wed, 9 Oct 2019 13:12:34 -0700 Subject: [PATCH 6/8] Update in XSTRCAT call --- src/ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 5f4cf3c85..72e626d97 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -8140,7 +8140,7 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, else XSNPRINTF(val, len, "%*s%s", indent, "", str->strData); - XSTRNCAT(tmp, val, sz); + XSTRNCAT(tmp, val, len); XFREE(val, NULL, DYNAMIC_TYPE_TMP_BUFFER); sk = sk->next; } From 4fa2b71848d2acece311ee407f26a13b56d04e2c Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Wed, 9 Oct 2019 15:38:26 -0700 Subject: [PATCH 7/8] Minor changes requested from review --- src/ssl.c | 12 ++++++------ wolfssl/ssl.h | 3 --- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 72e626d97..961efec88 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -40565,10 +40565,10 @@ void wolfSSL_sk_X509_NAME_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) XFREE(sk, sk->heap, DYNAMIC_TYPE_OPENSSL); } -#if defined(WOLFSSL_APACHE_HTTPD) +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) /* Helper function for X509_NAME_print_ex. Sets *buf to string for domain name attribute based on NID. Returns size of buf */ -int get_dn_attr_by_nid(int n, char** buf) +static int get_dn_attr_by_nid(int n, char** buf) { int len = 0; const char *str; @@ -40617,7 +40617,7 @@ int get_dn_attr_by_nid(int n, char** buf) int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, int indent, unsigned long flags) { -#if defined(WOLFSSL_APACHE_HTTPD) +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) int count = 0, len = 0, totalSz = 0, tmpSz = 0; char tmp[ASN_NAME_MAX]; char fullName[ASN_NAME_MAX]; @@ -40636,7 +40636,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, /* If XN_FLAG_DN_REV is present, print X509_NAME in reverse order */ if (flags == (XN_FLAG_RFC2253 & ~XN_FLAG_DN_REV)) { -#if defined(WOLFSSL_APACHE_HTTPD) +#if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) fullName[0] = '\0'; count = wolfSSL_X509_NAME_entry_count(name); for (i = 0; i < count; i++) { @@ -40652,7 +40652,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, if (len == 0 || buf == NULL) return WOLFSSL_FAILURE; - tmpSz = str->length + len + 2; + tmpSz = str->length + len + 2; /* + 2 for '=' and null char */ if (i < count - 1) { XSNPRINTF(tmp, tmpSz+1, "%s=%s,", buf, str->data); XSTRNCAT(fullName, tmp, tmpSz); @@ -40666,7 +40666,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, if (wolfSSL_BIO_write(bio, fullName, totalSz) != totalSz) return WOLFSSL_FAILURE; return WOLFSSL_SUCCESS; -#endif +#endif /* WOLFSSL_APACHE_HTTPD || OPENSSL_ALL */ } else if (flags == XN_FLAG_RFC2253) { if (wolfSSL_BIO_write(bio, name->name + 1, name->sz - 2) diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 15d2e4578..fa74a53e5 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3347,9 +3347,6 @@ WOLFSSL_API void wolfSSL_sk_X509_NAME_pop_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* void f (WOLFSSL_X509_NAME*)); WOLFSSL_API void wolfSSL_sk_X509_NAME_free(WOLF_STACK_OF(WOLFSSL_X509_NAME) *); -#if defined(WOLFSSL_APACHE_HTTPD) -WOLFSSL_API int get_dn_attr_by_nid(int n, char** buf); -#endif WOLFSSL_API int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO*,WOLFSSL_X509_NAME*,int, unsigned long); From 1d7f0de5b51abb19f82bdafcb929989e179c0578 Mon Sep 17 00:00:00 2001 From: Carie Pointer Date: Thu, 10 Oct 2019 09:13:35 -0700 Subject: [PATCH 8/8] Fixes from review, adds some error checking, and adds const variables --- src/ssl.c | 117 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 67 insertions(+), 50 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 961efec88..ded6e99f7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -7924,64 +7924,67 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) break; case ALT_NAMES_OID: - if (!isSet) - break; + { + WOLFSSL_GENERAL_NAME* gn = NULL; + DNS_entry* dns = NULL; + if (!isSet) + break; - WOLFSSL_GENERAL_NAME* gn = NULL; - DNS_entry* dns = NULL; - sk = (WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)*)XMALLOC( - sizeof(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)), NULL, + sk = (WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)*)XMALLOC( + sizeof(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME)), NULL, DYNAMIC_TYPE_ASN1); - if (sk == NULL) { - return NULL; - } - XMEMSET(sk, 0, sizeof(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME))); - sk->type = STACK_TYPE_GEN_NAME; + if (sk == NULL) { + return NULL; + } + XMEMSET(sk, 0, sizeof(WOLF_STACK_OF(WOLFSSL_GENERAL_NAME))); + sk->type = STACK_TYPE_GEN_NAME; - if (x509->subjAltNameSet && x509->altNames != NULL) { - /* alt names are DNS_entry structs */ - dns = x509->altNames; - /* Currenlty only support GEN_DNS type */ - while (dns != NULL) { - gn = wolfSSL_GENERAL_NAME_new(); - if (gn == NULL) { - WOLFSSL_MSG("Error creating GENERAL_NAME"); - wolfSSL_sk_free(sk); - return NULL; - } + if (x509->subjAltNameSet && x509->altNames != NULL) { + /* alt names are DNS_entry structs */ + dns = x509->altNames; + /* Currenlty only support GEN_DNS type */ + while (dns != NULL) { + gn = wolfSSL_GENERAL_NAME_new(); + if (gn == NULL) { + WOLFSSL_MSG("Error creating GENERAL_NAME"); + wolfSSL_sk_free(sk); + return NULL; + } - gn->type = dns->type; - gn->d.ia5->length = (int)XSTRLEN(dns->name); - if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, - gn->d.ia5->length) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("ASN1_STRING_set failed"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_free(sk); - return NULL; - } + gn->type = dns->type; + gn->d.ia5->length = (int)XSTRLEN(dns->name); + if (wolfSSL_ASN1_STRING_set(gn->d.ia5, dns->name, + gn->d.ia5->length) != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("ASN1_STRING_set failed"); + wolfSSL_GENERAL_NAME_free(gn); + wolfSSL_sk_free(sk); + return NULL; + } - dns = dns->next; - /* last dns in list add at end of function */ - if (dns != NULL) { - if (wolfSSL_sk_GENERAL_NAME_push(sk, gn) != + dns = dns->next; + /* last dns in list add at end of function */ + if (dns != NULL) { + if (wolfSSL_sk_GENERAL_NAME_push(sk, gn) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error pushing ASN1 object onto stack"); + WOLFSSL_MSG("Error pushing onto stack"); + wolfSSL_GENERAL_NAME_free(gn); + wolfSSL_sk_free(sk); + sk = NULL; + } + } + } + if (wolfSSL_sk_GENERAL_NAME_push(sk,gn) != + WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Error pushing onto stack"); wolfSSL_GENERAL_NAME_free(gn); wolfSSL_sk_free(sk); sk = NULL; - } } } - if (wolfSSL_sk_GENERAL_NAME_push(sk,gn) != WOLFSSL_SUCCESS) { - WOLFSSL_MSG("Error pushing ASN1 object onto stack"); - wolfSSL_GENERAL_NAME_free(gn); - wolfSSL_sk_free(sk); - sk = NULL; - } - } - ext->ext_sk = sk; - ext->crit = x509->subjAltNameCrit; + ext->ext_sk = sk; + ext->crit = x509->subjAltNameCrit; + } break; default: @@ -8088,7 +8091,7 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, ASN1_OBJECT* obj; ASN1_STRING* str; int nid; - int sz = CTC_NAME_SIZE*2; + const int sz = CTC_NAME_SIZE*2; int rc = WOLFSSL_FAILURE; char tmp[sz]; WOLFSSL_ENTER("wolfSSL_X509V3_EXT_print"); @@ -8133,8 +8136,17 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, /* str is GENERAL_NAME for subject alternative name ext */ str = sk->data.gn->d.ia5; len = str->length + 2; /* + 2 for NULL char and "," */ + if (len > sz) { + WOLFSSL_MSG("len greater than buffer size"); + return rc; + } + val = (char*)XMALLOC(len + indent, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (val == NULL) { + WOLFSSL_MSG("Memory error"); + return rc; + } if (sk->next) XSNPRINTF(val, len, "%*s%s, ", indent, "", str->strData); else @@ -40568,7 +40580,7 @@ void wolfSSL_sk_X509_NAME_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk) #if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) /* Helper function for X509_NAME_print_ex. Sets *buf to string for domain name attribute based on NID. Returns size of buf */ -static int get_dn_attr_by_nid(int n, char** buf) +static int get_dn_attr_by_nid(int n, const char** buf) { int len = 0; const char *str; @@ -40609,7 +40621,7 @@ static int get_dn_attr_by_nid(int n, char** buf) } if (buf != NULL) - *buf = (char*)str; + *buf = str; return len; } #endif @@ -40621,7 +40633,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, int count = 0, len = 0, totalSz = 0, tmpSz = 0; char tmp[ASN_NAME_MAX]; char fullName[ASN_NAME_MAX]; - char *buf = NULL; + const char *buf = NULL; WOLFSSL_X509_NAME_ENTRY* ne; WOLFSSL_ASN1_STRING* str; #endif @@ -40653,6 +40665,11 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name, return WOLFSSL_FAILURE; tmpSz = str->length + len + 2; /* + 2 for '=' and null char */ + if (tmpSz > ASN_NAME_MAX) { + WOLFSSL_MSG("Size greater than ASN_NAME_MAX"); + return WOLFSSL_FAILURE; + } + if (i < count - 1) { XSNPRINTF(tmp, tmpSz+1, "%s=%s,", buf, str->data); XSTRNCAT(fullName, tmp, tmpSz);