diff --git a/src/ssl.c b/src/ssl.c index c9720e96b..e02a48723 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -37036,19 +37036,14 @@ PKCS7* wolfSSL_d2i_PKCS7(PKCS7** p7, const unsigned char** in, int len) return wolfSSL_d2i_PKCS7_ex(p7, in, len, NULL, 0); } -/***************************************************************************** -* wolfSSL_d2i_PKCS7_ex - Converts the given unsigned char buffer of size len -* into a PKCS7 object. Optionally, accepts a byte buffer of content which -* is stored as the PKCS7 object's content, to support detached signatures. -* @param content The content which is signed, in case the signature is -* detached. Ignored if NULL. -* @param contentSz The size of the passed in content. +/* This internal function is only decoding and setting up the PKCS7 struct. It +* does not verify the PKCS7 signature. * * RETURNS: * returns pointer to a PKCS7 structure on success, otherwise returns NULL */ -PKCS7* wolfSSL_d2i_PKCS7_ex(PKCS7** p7, const unsigned char** in, int len, - byte* content, word32 contentSz) +static PKCS7* wolfSSL_d2i_PKCS7_only(PKCS7** p7, const unsigned char** in, + int len, byte* content, word32 contentSz) { WOLFSSL_PKCS7* pkcs7 = NULL; @@ -37072,12 +37067,6 @@ PKCS7* wolfSSL_d2i_PKCS7_ex(PKCS7** p7, const unsigned char** in, int len, pkcs7->pkcs7.content = content; pkcs7->pkcs7.contentSz = contentSz; } - if (wc_PKCS7_VerifySignedData(&pkcs7->pkcs7, pkcs7->data, pkcs7->len) - != 0) { - WOLFSSL_MSG("wc_PKCS7_VerifySignedData failed"); - wolfSSL_PKCS7_free((PKCS7*)pkcs7); - return NULL; - } if (p7 != NULL) *p7 = (PKCS7*)pkcs7; @@ -37085,6 +37074,43 @@ PKCS7* wolfSSL_d2i_PKCS7_ex(PKCS7** p7, const unsigned char** in, int len, return (PKCS7*)pkcs7; } + +/***************************************************************************** +* wolfSSL_d2i_PKCS7_ex - Converts the given unsigned char buffer of size len +* into a PKCS7 object. Optionally, accepts a byte buffer of content which +* is stored as the PKCS7 object's content, to support detached signatures. +* @param content The content which is signed, in case the signature is +* detached. Ignored if NULL. +* @param contentSz The size of the passed in content. +* +* RETURNS: +* returns pointer to a PKCS7 structure on success, otherwise returns NULL +*/ +PKCS7* wolfSSL_d2i_PKCS7_ex(PKCS7** p7, const unsigned char** in, int len, + byte* content, word32 contentSz) +{ + WOLFSSL_PKCS7* pkcs7 = NULL; + + WOLFSSL_ENTER("wolfSSL_d2i_PKCS7_ex"); + + if (in == NULL || *in == NULL || len < 0) + return NULL; + + pkcs7 = (WOLFSSL_PKCS7*)wolfSSL_d2i_PKCS7_only(p7, in, len, content, + contentSz); + if (pkcs7 != NULL) { + if (wc_PKCS7_VerifySignedData(&pkcs7->pkcs7, pkcs7->data, pkcs7->len) + != 0) { + WOLFSSL_MSG("wc_PKCS7_VerifySignedData failed"); + wolfSSL_PKCS7_free((PKCS7*)pkcs7); + return NULL; + } + } + + return (PKCS7*)pkcs7; +} + + /** * This API was added as a helper function for libest. It * extracts a stack of certificates from the pkcs7 object. @@ -38256,7 +38282,7 @@ PKCS7* wolfSSL_SMIME_read_PKCS7(WOLFSSL_BIO* in, WOLFSSL_MSG("Error base64 decoding S/MIME message."); goto error; } - pkcs7 = wolfSSL_d2i_PKCS7_ex(NULL, (const unsigned char**)&out, outLen, + pkcs7 = wolfSSL_d2i_PKCS7_only(NULL, (const unsigned char**)&out, outLen, bcontMem, bcontMemSz); wc_MIME_free_hdrs(allHdrs); diff --git a/tests/api.c b/tests/api.c index 9e9155186..deb35356f 100644 --- a/tests/api.c +++ b/tests/api.c @@ -48860,7 +48860,7 @@ static int test_wolfSSL_SMIME_read_PKCS7(void) smimeTestFile = XFOPEN("./certs/test/smime-test-multipart-badsig.p7s", "r"); ExpectIntEQ(wolfSSL_BIO_set_fp(bio, smimeTestFile, BIO_CLOSE), SSL_SUCCESS); pkcs7 = wolfSSL_SMIME_read_PKCS7(bio, &bcont); - ExpectNull(pkcs7); + ExpectNotNull(pkcs7); /* can read in the unverified smime bundle */ ExpectIntEQ(wolfSSL_PKCS7_verify(pkcs7, NULL, NULL, bcont, NULL, PKCS7_NOVERIFY), SSL_FAILURE); XFCLOSE(smimeTestFile);