From f48b736ec3bc0330871ea0171eedc7775bb89b34 Mon Sep 17 00:00:00 2001 From: Uriah Pollock Date: Fri, 14 Oct 2022 17:09:35 -0500 Subject: [PATCH] Changed some WOLFSSL_ASN1_TIME handling and other fixes. --- src/crl.c | 22 +++++++++------------- src/ocsp.c | 32 ++++++++++++++++++++++---------- src/x509.c | 34 ++++++++++++++++++++++++---------- wolfcrypt/src/asn.c | 10 ++++------ wolfssl/internal.h | 10 ++++++++-- wolfssl/wolfcrypt/asn.h | 6 ++++-- 6 files changed, 71 insertions(+), 43 deletions(-) diff --git a/src/crl.c b/src/crl.c index 0c1352442..e9609b353 100644 --- a/src/crl.c +++ b/src/crl.c @@ -94,12 +94,10 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE); /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE); * copy the hash here if needed for optimized comparisons */ - crle->lastDate.length = MAX_DATE_SIZE; - XMEMCPY(crle->lastDate.data, dcrl->lastDate.data, crle->lastDate.length); - crle->nextDate.length = MAX_DATE_SIZE; - XMEMCPY(crle->nextDate.data, dcrl->nextDate.data, crle->nextDate.length); - crle->lastDate.type = dcrl->lastDate.type; - crle->nextDate.type = dcrl->nextDate.type; + XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE); + XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE); + crle->lastDateFormat = dcrl->lastDateFormat; + crle->nextDateFormat = dcrl->nextDateFormat; crle->version = dcrl->version; #if defined(OPENSSL_EXTRA) crle->issuer = NULL; @@ -387,7 +385,7 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr #endif { #ifndef NO_ASN_TIME - if (!XVALIDATE_DATE(crle->nextDate.data, crle->nextDate.type, AFTER)) { + if (!XVALIDATE_DATE(crle->nextDate,crle->nextDateFormat, AFTER)) { WOLFSSL_MSG("CRL next date is no longer valid"); ret = ASN_AFTER_DATE_E; } @@ -693,12 +691,10 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) XMEMSET(dupl, 0, sizeof(CRL_Entry)); XMEMCPY(dupl->issuerHash, ent->issuerHash, CRL_DIGEST_SIZE); - dupl->lastDate.length = MAX_DATE_SIZE; - XMEMCPY(dupl->lastDate.data, ent->lastDate.data, dupl->lastDate.length); - dupl->nextDate.length = MAX_DATE_SIZE; - XMEMCPY(dupl->nextDate.data, ent->nextDate.data, dupl->nextDate.length); - dupl->lastDate.type = ent->lastDate.type; - dupl->nextDate.type = ent->nextDate.type; + XMEMCPY(dupl->lastDate, ent->lastDate, MAX_DATE_SIZE); + XMEMCPY(dupl->nextDate, ent->nextDate, MAX_DATE_SIZE); + dupl->lastDateFormat = ent->lastDateFormat; + dupl->nextDateFormat = ent->nextDateFormat; #ifdef CRL_STATIC_REVOKED_LIST XMEMCPY(dupl->certs, ent->certs, ent->totalCerts*sizeof(RevokedCert)); diff --git a/src/ocsp.c b/src/ocsp.c index 090da0095..48a02f937 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -1072,25 +1072,37 @@ WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut, const unsigned char** derIn, int length) { + WOLFSSL_OCSP_CERTID *cid = NULL; + if ((cidOut == NULL) || (derIn == NULL) || (length == 0)) - return NULL; + goto err; + cid = *cidOut; /* If a NULL is passed we allocate the memory for the caller. */ - if (*cidOut == NULL) { - *cidOut = (WOLFSSL_OCSP_CERTID*)XMALLOC(length, NULL, DYNAMIC_TYPE_OPENSSL); - - if (*cidOut == NULL) { - return NULL; - } + if (!cid) { + cid = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(*cid), NULL, DYNAMIC_TYPE_OPENSSL); + if (!cid) goto err; + } + else if (cid->rawCertId) { + XFREE(cid->rawCertId, NULL, DYNAMIC_TYPE_OPENSSL); + cid->rawCertId = NULL; + cid->rawCertIdSize = 0; } - XMEMCPY ((*cidOut)->rawCertId, *derIn, length); - (*cidOut)->rawCertIdSize = length; + cid->rawCertId = (byte*)XMALLOC(length, NULL, DYNAMIC_TYPE_OPENSSL); + if (!cid->rawCertId) goto err; + XMEMCPY (cid->rawCertId, *derIn, length); + cid->rawCertIdSize = length; /* Per spec. advance past the data that is being returned to the caller. */ + *cidOut = cid; *derIn = *derIn + length; + return cid; - return *cidOut; +err: + if (cid && (!cidOut || cid != *cidOut)) + XFREE(cid, NULL, DYNAMIC_TYPE_OPENSSL); + return NULL; } const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single) diff --git a/src/x509.c b/src/x509.c index 6a505ee82..066422800 100644 --- a/src/x509.c +++ b/src/x509.c @@ -7900,10 +7900,10 @@ static int X509CRLPrintDates(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, return WOLFSSL_FAILURE; } - if (crl->crlList->lastDate.data[0] != 0) { - if (GetTimeString(crl->crlList->lastDate.data, ASN_UTC_TIME, + if (crl->crlList->lastDate[0] != 0) { + if (GetTimeString(crl->crlList->lastDate, ASN_UTC_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { - if (GetTimeString(crl->crlList->lastDate.data, ASN_GENERALIZED_TIME, + if (GetTimeString(crl->crlList->lastDate, ASN_GENERALIZED_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error getting last update date"); return WOLFSSL_FAILURE; @@ -7931,10 +7931,10 @@ static int X509CRLPrintDates(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, return WOLFSSL_FAILURE; } - if (crl->crlList->nextDate.data[0] != 0) { - if (GetTimeString(crl->crlList->nextDate.data, ASN_UTC_TIME, + if (crl->crlList->nextDate[0] != 0) { + if (GetTimeString(crl->crlList->nextDate, ASN_UTC_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { - if (GetTimeString(crl->crlList->nextDate.data, ASN_GENERALIZED_TIME, + if (GetTimeString(crl->crlList->nextDate, ASN_GENERALIZED_TIME, tmp, MAX_WIDTH) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error getting next update date"); return WOLFSSL_FAILURE; @@ -8040,8 +8040,15 @@ void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl) WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) { if ((crl != NULL) && (crl->crlList != NULL) && - (crl->crlList->lastDate.data[0] != 0)) { - return &crl->crlList->lastDate; + (crl->crlList->lastDate[0] != 0)) { + + /* Copy date to an ASN1_TIME struct for returning to the caller. */ + crl->crlList->lastDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (crl->crlList->lastDateAsn1.data, crl->crlList->lastDate, + crl->crlList->lastDateAsn1.length); + crl->crlList->lastDateAsn1.type = crl->crlList->lastDateFormat; + + return &crl->crlList->lastDateAsn1; } else return NULL; @@ -8050,8 +8057,15 @@ WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_nextUpdate(WOLFSSL_X509_CRL* crl) { if ((crl != NULL) && (crl->crlList != NULL) && - (crl->crlList->nextDate.data[0] != 0)) { - return &crl->crlList->nextDate; + (crl->crlList->nextDate[0] != 0)) { + + /* Copy date to an ASN1_TIME struct for returning to the caller. */ + crl->crlList->nextDateAsn1.length = MAX_DATE_SIZE; + XMEMCPY (crl->crlList->nextDateAsn1.data, crl->crlList->nextDate, + crl->crlList->nextDateAsn1.length); + crl->crlList->nextDateAsn1.type = crl->crlList->nextDateFormat; + + return &crl->crlList->nextDateAsn1; } else return NULL; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 40d0a043e..e8018ea0e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -35775,14 +35775,12 @@ static int ParseCRL_CertList(RevokedCert* rcert, DecodedCRL* dcrl, if (GetNameHash(buf, &idx, dcrl->issuerHash, sz) < 0) return ASN_PARSE_E; - if (GetBasicDate(buf, &idx, dcrl->lastDate.data, - (byte*) &dcrl->lastDate.type, sz) < 0) + if (GetBasicDate(buf, &idx, dcrl->lastDate, &dcrl->lastDateFormat, sz) < 0) return ASN_PARSE_E; dateIdx = idx; - if (GetBasicDate(buf, &idx, dcrl->nextDate.data, - (byte*) &dcrl->nextDate.type, sz) < 0) + if (GetBasicDate(buf, &idx, dcrl->nextDate, &dcrl->nextDateFormat, sz) < 0) { #ifndef WOLFSSL_NO_CRL_NEXT_DATE (void)dateIdx; @@ -35799,8 +35797,8 @@ static int ParseCRL_CertList(RevokedCert* rcert, DecodedCRL* dcrl, #endif { #ifndef NO_ASN_TIME - if (verify != NO_VERIFY && !XVALIDATE_DATE(dcrl->nextDate.data, - dcrl->nextDate.type, AFTER)) { + if (verify != NO_VERIFY && + !XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) { WOLFSSL_MSG("CRL after date is no longer valid"); WOLFSSL_ERROR_VERBOSE(CRL_CERT_DATE_ERR); return CRL_CERT_DATE_ERR; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index a15807c20..4558373f3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2211,8 +2211,14 @@ struct CRL_Entry { byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ /* restore the hash here if needed for optimized comparisons */ - WOLFSSL_ASN1_TIME lastDate; /* last date updated */ - WOLFSSL_ASN1_TIME nextDate; /* next update date */ + byte lastDate[MAX_DATE_SIZE]; /* last date updated */ + byte nextDate[MAX_DATE_SIZE]; /* next update date */ + byte lastDateFormat; /* last date format */ + byte nextDateFormat; /* next date format */ +#if defined(OPENSSL_EXTRA) + WOLFSSL_ASN1_TIME lastDateAsn1; /* last date updated */ + WOLFSSL_ASN1_TIME nextDateAsn1; /* next update date */ +#endif #ifdef CRL_STATIC_REVOKED_LIST RevokedCert certs[CRL_MAX_REVOKED_CERTS]; #else diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index ed7c41d5f..b8baf24cc 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2447,8 +2447,10 @@ struct DecodedCRL { byte* signature; /* pointer into raw source, not owned */ byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */ byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ - WOLFSSL_ASN1_TIME lastDate; /* last date updated */ - WOLFSSL_ASN1_TIME nextDate; /* next update date */ + byte lastDate[MAX_DATE_SIZE]; /* last date updated */ + byte nextDate[MAX_DATE_SIZE]; /* next update date */ + byte lastDateFormat; /* format of last date */ + byte nextDateFormat; /* format of next date */ RevokedCert* certs; /* revoked cert list */ #if defined(OPENSSL_EXTRA) byte* issuer; /* full name including common name */