From f5f5947616b268f83e86588c5028a452ef78eef1 Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Mon, 22 Jul 2019 10:59:43 -0700 Subject: [PATCH 01/11] New OpenSSL compatible APIs: wolfSSL_PEM_write_bio_PKCS7 wolfSSL_PKCS7_SIGNED_new wolfSSL_X509_subject_name_hash wolfSSL_CTX_use_PrivateKey_ASN1 wolfSSL_get0_param wolfSSL_X509_VERIFY_PARAM_set1_host --- src/internal.c | 27 ++++- src/ssl.c | 225 ++++++++++++++++++++++++++++++++++++- tests/api.c | 228 +++++++++++++++++++++++++++++++++++++- wolfssl/internal.h | 1 + wolfssl/openssl/pkcs7.h | 9 +- wolfssl/openssl/ssl.h | 32 +++--- wolfssl/ssl.h | 17 ++- wolfssl/wolfcrypt/pkcs7.h | 10 +- 8 files changed, 515 insertions(+), 34 deletions(-) diff --git a/src/internal.c b/src/internal.c index 718c26b0d2..198db7584b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -9113,7 +9113,27 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args) else { store->store = &ssl->ctx->x509_store; } - #endif + + #if defined(OPENSSL_EXTRA) + if ((store->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + ssl->heap, DYNAMIC_TYPE_OPENSSL)) != NULL) { + XMEMSET(store->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + + /* Overwrite with non-default param values in SSL */ + + if (ssl->param.check_time) + store->param->check_time = ssl->param.check_time; + + if (ssl->param.flags) + store->param->flags = ssl->param.flags; + + if (ssl->param.hostName[0]) + XMEMCPY(store->param->hostName, ssl->param.hostName, + WOLFSSL_HOST_NAME_MAX); + } + #endif /* defined(OPENSSL_EXTRA) */ + #endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)*/ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #ifdef KEEP_PEER_CERT if (args->certIdx == 0) { @@ -9167,6 +9187,11 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args) #endif } #endif /* SESSION_CERTS */ +#ifdef OPENSSL_EXTRA + if (store->param){ + XFREE(store->param, ssl->heap, DYNAMIC_TYPE_OPENSSL); + } +#endif #ifdef WOLFSSL_SMALL_STACK XFREE(domain, ssl->heap, DYNAMIC_TYPE_STRING); #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) diff --git a/src/ssl.c b/src/ssl.c index 701d19ae99..3e7c528eeb 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -7630,6 +7630,24 @@ int wolfSSL_use_PrivateKey_ASN1(int pri, WOLFSSL* ssl, unsigned char* der, (void)pri; /* type of private key */ return wolfSSL_use_PrivateKey_buffer(ssl, der, derSz, WOLFSSL_FILETYPE_ASN1); } +/****************************************************************************** +* wolfSSL_CTX_use_PrivateKey_ASN1 - loads a private key buffer into the SSL ctx +* +* RETURNS: +* returns WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE +*/ + +int wolfSSL_CTX_use_PrivateKey_ASN1(int pri, WOLFSSL_CTX* ctx, + unsigned char* der, long derSz) +{ + WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_ASN1"); + if (ctx == NULL || der == NULL ) { + return WOLFSSL_FAILURE; + } + + (void)pri; /* type of private key */ + return wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz, WOLFSSL_FILETYPE_ASN1); +} #ifndef NO_RSA @@ -12194,7 +12212,6 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return &ctx->x509_store; } - void wolfSSL_CTX_set_cert_store(WOLFSSL_CTX* ctx, WOLFSSL_X509_STORE* str) { if (ctx == NULL || str == NULL) { @@ -16649,7 +16666,45 @@ WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert) return NULL; } +#if defined(OPENSSL_EXTRA) && !defined(NO_SHA) +/****************************************************************************** +* wolfSSL_X509_subject_name_hash - compute the hash digest of the raw subject name +* +* RETURNS: +* The beginning of the hash digest. Otherwise, returns zero. +*/ +unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509) +{ + word32 ret = 0; + int retHash; + WOLFSSL_X509_NAME *subjectName = NULL; +#ifdef WOLFSSL_PIC32MZ_HASH + byte digest[PIC32_DIGEST_SIZE]; +#else + byte digest[WC_SHA_DIGEST_SIZE]; +#endif + + if (x509 == NULL){ + return WOLFSSL_FAILURE; + } + + subjectName = wolfSSL_X509_get_subject_name((WOLFSSL_X509*)x509); + + if (subjectName != NULL){ + retHash = wc_ShaHash((const byte*)subjectName->name, + (word32)subjectName->sz, digest); + + if(retHash != 0){ + WOLFSSL_MSG("Hash of X509 subjectName has failed"); + return WOLFSSL_FAILURE; + } + ret = MakeWordFromHash(digest); + } + + return (unsigned long)ret; +} +#endif WOLFSSL_X509_NAME* wolfSSL_X509_get_issuer_name(WOLFSSL_X509* cert) { @@ -19182,6 +19237,14 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void) goto err_exit; #endif +#ifdef OPENSSL_EXTRA + if ((store->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + NULL,DYNAMIC_TYPE_OPENSSL)) == NULL) + goto err_exit; + +#endif + return store; err_exit: @@ -19207,6 +19270,11 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) #ifdef HAVE_CRL if (store->crl != NULL) wolfSSL_X509_CRL_free(store->crl); +#endif +#ifdef OPENSSL_EXTRA + if (store->param != NULL){ + XFREE(store->param,NULL,DYNAMIC_TYPE_OPENSSL); + } #endif XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE); } @@ -19658,6 +19726,43 @@ void wolfSSL_X509_STORE_CTX_set_time(WOLFSSL_X509_STORE_CTX* ctx, ctx->param->check_time = t; ctx->param->flags |= WOLFSSL_USE_CHECK_TIME; } +/****************************************************************************** +* wolfSSL_X509_VERIFY_PARAM_set1_host - sets the DNS hostname to name +* hostnames is cleared if name is NULL or empty. +* +* RETURNS: +* +*/ +void wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, + const char* name, + unsigned int nameSz) +{ + if (pParam == NULL) + return; + + XMEMSET(pParam->hostName, 0, WOLFSSL_HOST_NAME_MAX); + + if (nameSz > WOLFSSL_HOST_NAME_MAX) + nameSz = WOLFSSL_HOST_NAME_MAX; + + if (nameSz > 0) + XMEMCPY(pParam->hostName, name, nameSz); + pParam->hostName[WOLFSSL_HOST_NAME_MAX-1] = '\0'; +} +/****************************************************************************** +* wolfSSL_get0_param - return a pointer to the SSL verification parameters +* +* RETURNS: +* returns pointer to the SSL verification parameters on success, +* otherwise returns NULL +*/ +WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl) +{ + if (ssl == NULL) { + return NULL; + } + return &ssl->param; +} #ifndef NO_WOLFSSL_STUB void wolfSSL_X509_OBJECT_free_contents(WOLFSSL_X509_OBJECT* obj) @@ -22940,7 +23045,6 @@ int wolfSSL_RAND_bytes(unsigned char* buf, int num) rng = tmpRNG; initTmpRng = 1; } - if (rng) { if (wc_RNG_GenerateBlock(rng, buf, num) != 0) WOLFSSL_MSG("Bad wc_RNG_GenerateBlock"); @@ -34462,8 +34566,8 @@ int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx) WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode); return mode; } -#endif +#endif #if defined(OPENSSL_EXTRA) && defined(HAVE_CURVE25519) /* return 1 if success, 0 if error * output keys are little endian format @@ -36275,6 +36379,27 @@ PKCS7* wolfSSL_PKCS7_new(void) return (PKCS7*)pkcs7; } +/****************************************************************************** +* wolfSSL_PKCS7_SIGNED_new - allocates PKCS7 and initialize it for a signed data +* +* RETURNS: +* returns pointer to the PKCS7 structure on success, otherwise returns NULL +*/ +PKCS7_SIGNED* wolfSSL_PKCS7_SIGNED_new(void) +{ + byte signedData[]= { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02}; + PKCS7* pkcs7 = NULL; + + pkcs7 = wolfSSL_PKCS7_new(); + pkcs7->contentOID = SIGNED_DATA; + if ((wc_PKCS7_SetContentType(pkcs7, signedData, sizeof(signedData))) < 0) { + if (pkcs7) { + wc_PKCS7_Free(pkcs7); + return NULL; + } + } + return pkcs7; +} void wolfSSL_PKCS7_free(PKCS7* pkcs7) { @@ -36287,7 +36412,11 @@ void wolfSSL_PKCS7_free(PKCS7* pkcs7) XFREE(p7, NULL, DYNAMIC_TYPE_PKCS7); } } - +void wolfSSL_PKCS7_SIGNED_free(PKCS7_SIGNED* p7) +{ + wolfSSL_PKCS7_free((PKCS7*)p7); + return; +} PKCS7* wolfSSL_d2i_PKCS7(PKCS7** p7, const unsigned char** in, int len) { WOLFSSL_PKCS7* pkcs7 = NULL; @@ -36426,7 +36555,92 @@ WOLFSSL_STACK* wolfSSL_PKCS7_get0_signers(PKCS7* pkcs7, WOLFSSL_STACK* certs, return signers; } -#endif + +/****************************************************************************** +* wolfSSL_PEM_write_bio_PKCS7 - writes the PKCS7 data to BIO +* +* RETURNS: +* returns WOLFSSL_SUCCESS on success, otherwise returns WOLFSSL_FAILURE +*/ + +int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) +{ + byte outputHead[2048]; + byte outputFoot[2048]; + word32 outputHeadSz = (word32)sizeof(outputHead); + word32 outputFootSz = (word32)sizeof(outputFoot); + word32 outputSz = 0; + byte* output = NULL; + byte* pem = NULL; + int pemSz = -1; + enum wc_HashType hashType; + byte hashBuf[WC_MAX_DIGEST_SIZE]; + word32 hashSz = -1; + + WOLFSSL_ENTER("wolfSSL_PEM_write_bio_PKCS7()"); + + if (bio == NULL || p7 == NULL) + return WOLFSSL_FAILURE; + + hashType = wc_OidGetHash(p7->hashOID); + hashSz = wc_HashGetDigestSize(hashType); + if (hashSz > WC_MAX_DIGEST_SIZE) + return WOLFSSL_FAILURE; + + /* only SIGNED_DATA is supported */ + switch (p7->contentOID) { + case SIGNED_DATA: + break; + default: + WOLFSSL_MSG("Unknown PKCS#7 Type"); + return WOLFSSL_FAILURE; + }; + + wc_PKCS7_EncodeSignedData_ex(p7, hashBuf, hashSz, + outputHead, &outputHeadSz, outputFoot, &outputFootSz); + + outputSz = outputHeadSz + p7->contentSz + outputFootSz; + output = (byte*)XMALLOC(outputSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + + if (!output) + return WOLFSSL_FAILURE; + + outputSz = 0; + XMEMCPY(&output[outputSz], outputHead, outputHeadSz); + outputSz += outputHeadSz; + XMEMCPY(&output[outputSz], p7->content, p7->contentSz); + outputSz += p7->contentSz; + XMEMCPY(&output[outputSz], outputFoot, outputFootSz); + outputSz += outputFootSz; + + /* get PEM size */ + pemSz = wc_DerToPemEx(output, outputSz, NULL, 0, NULL, CERT_TYPE); + if (pemSz < 0) + goto error; + + /* create PEM buffer and convert from DER to PEM*/ + if ((pem = (byte*)XMALLOC(pemSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER)) == NULL) + goto error; + + if (wc_DerToPemEx(output, outputSz, pem, pemSz, NULL, CERT_TYPE) < 0) { + goto error; + } + if ((wolfSSL_BIO_write(bio, pem, pemSz) == pemSz)) { + XFREE(output, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + return WOLFSSL_SUCCESS; + } + +error: + if (output) { + XFREE(output, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + } + if (pem) { + XFREE(pem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + } + return WOLFSSL_FAILURE; +} +#endif /* defined(OPENSSL_ALL) && defined(HAVE_PKCS7) */ #ifdef OPENSSL_ALL WOLFSSL_STACK* wolfSSL_sk_X509_new(void) @@ -36998,4 +37212,3 @@ int wolfSSL_X509_REQ_set_pubkey(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey) return wolfSSL_X509_set_pubkey(req, pkey); } #endif - diff --git a/tests/api.c b/tests/api.c index c677c3502c..74dcf740d9 100644 --- a/tests/api.c +++ b/tests/api.c @@ -4140,7 +4140,6 @@ static void test_wolfSSL_X509_NAME_get_entry(void) #endif /* !NO_CERTS && !NO_RSA */ } - /* Testing functions dealing with PKCS12 parsing out X509 certs */ static void test_wolfSSL_PKCS12(void) { @@ -17839,7 +17838,31 @@ static void test_wolfSSL_X509_NAME(void) printf(resultFmt, passed); #endif /* defined(OPENSSL_EXTRA) && !defined(NO_DES3) */ } +static void test_wolfSSL_X509_subject_name_hash(void) +{ +#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \ + && !defined(NO_SHA) + X509* x509; + X509_NAME* subjectName = NULL; + unsigned long ret = 0; + + printf(testingFmt, "wolfSSL_X509_subject_name_hash()"); + + AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, + SSL_FILETYPE_PEM)); + + AssertNotNull(subjectName = wolfSSL_X509_get_subject_name(x509)); + + ret = X509_subject_name_hash(x509); + + AssertIntNE(ret, WOLFSSL_FAILURE); + + X509_free(x509); + printf(resultFmt, passed); + +#endif +} static void test_wolfSSL_DES(void) { @@ -18310,6 +18333,21 @@ static void test_wolfSSL_private_keys(void) /* After loading back in DER format of original key, should match */ AssertIntEQ(wolfSSL_check_private_key(ssl), WOLFSSL_SUCCESS); + /* test loading private key to the WOLFSSL_CTX */ + AssertIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx, + (unsigned char*)client_key_der_2048, + sizeof_client_key_der_2048), WOLFSSL_SUCCESS); +#ifndef HAVE_USER_RSA + /* Should mismatch now that a different private key loaded */ + AssertIntNE(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS); +#endif + + AssertIntEQ(SSL_CTX_use_PrivateKey_ASN1(0, ctx, + (unsigned char*)server_key, + sizeof_server_key_der_2048), WOLFSSL_SUCCESS); + /* After loading back in DER format of original key, should match */ + AssertIntEQ(wolfSSL_CTX_check_private_key(ctx), WOLFSSL_SUCCESS); + /* pkey not set yet, expecting to fail */ AssertIntEQ(SSL_use_PrivateKey(ssl, pkey), WOLFSSL_FAILURE); @@ -19451,6 +19489,58 @@ static void test_wolfSSL_X509_STORE_CTX_set_time(void) #endif /* OPENSSL_EXTRA */ } +static void test_wolfSSL_get0_param(void) +{ +#if defined(OPENSSL_EXTRA) + SSL_CTX* ctx; + SSL* ssl; + WOLFSSL_X509_VERIFY_PARAM* pParam; + + printf(testingFmt, "wolfSSL_get0_param()"); + + AssertNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); + AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); + AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + AssertNotNull(ssl = SSL_new(ctx)); + + pParam = SSL_get0_param(ssl); + + (void)pParam; + + SSL_free(ssl); + SSL_CTX_free(ctx); + printf(resultFmt, passed); +#endif /* OPENSSL_EXTRA */ +} + +static void test_wolfSSL_X509_VERIFY_PARAM_set1_host(void) +{ +#if defined(OPENSSL_EXTRA) + const char host[] = "www.example.com"; + WOLFSSL_X509_VERIFY_PARAM* pParam; + + printf(testingFmt, "wolfSSL_X509_VERIFY_PARAM_set1_host()"); + + AssertNotNull(pParam = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + HEAP_HINT, DYNAMIC_TYPE_OPENSSL)); + + XMEMSET(pParam, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + + X509_VERIFY_PARAM_set1_host(pParam, host, sizeof(host)); + + AssertIntEQ(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); + + XMEMSET(pParam, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + + AssertIntNE(XMEMCMP(pParam->hostName, host, sizeof(host)), 0); + + XFREE(pParam, HEAP_HINT, DYNAMIC_TYPE_OPENSSL); + + printf(resultFmt, passed); +#endif /* OPENSSL_EXTRA */ +} + static void test_wolfSSL_CTX_set_client_CA_list(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) @@ -23586,6 +23676,136 @@ static void test_wolfssl_PKCS7(void) #endif } +static void test_wolfSSL_PKCS7_SIGNED_new(void) +{ +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) + PKCS7_SIGNED* pkcs7; + + printf(testingFmt, "wolfSSL_PKCS7_SIGNED_new()"); + + pkcs7 = PKCS7_SIGNED_new(); + AssertNotNull(pkcs7); + AssertIntEQ(pkcs7->contentOID, SIGNED_DATA); + + PKCS7_SIGNED_free(pkcs7); + printf(resultFmt, passed); +#endif +} + +static void test_wolfSSL_PEM_write_bio_PKCS7(void) +{ +#if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) + PKCS7* pkcs7; + BIO* bio; + const byte* cert_buf = NULL; + int ret; + WC_RNG rng; + const byte data[] = { /* Hello World */ + 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, + 0x72,0x6c,0x64 + }; +#ifndef NO_RSA + #if defined(USE_CERT_BUFFERS_2048) + byte key[sizeof_client_key_der_2048]; + byte cert[sizeof_client_cert_der_2048]; + word32 keySz = (word32)sizeof(key); + word32 certSz = (word32)sizeof(cert); + XMEMSET(key, 0, keySz); + XMEMSET(cert, 0, certSz); + XMEMCPY(key, client_key_der_2048, keySz); + XMEMCPY(cert, client_cert_der_2048, certSz); + #elif defined(USE_CERT_BUFFERS_1024) + byte key[sizeof_client_key_der_1024]; + byte cert[sizeof_client_cert_der_1024]; + word32 keySz = (word32)sizeof(key); + word32 certSz = (word32)sizeof(cert); + XMEMSET(key, 0, keySz); + XMEMSET(cert, 0, certSz); + XMEMCPY(key, client_key_der_1024, keySz); + XMEMCPY(cert, client_cert_der_1024, certSz); + #else + unsigned char cert[ONEK_BUF]; + unsigned char key[ONEK_BUF]; + XFILE fp; + int certSz; + int keySz; + + fp = XFOPEN("./certs/1024/client-cert.der", "rb"); + AssertTrue((fp != XBADFILE)); + certSz = XFREAD(cert, 1, sizeof_client_cert_der_1024, fp); + XFCLOSE(fp); + + fp = XFOPEN("./certs/1024/client-key.der", "rb"); + AssertTrue(fp != XBADFILE); + keySz = XFREAD(key, 1, sizeof_client_key_der_1024, fp); + XFCLOSE(fp); + #endif +#elif defined(HAVE_ECC) + #if defined(USE_CERT_BUFFERS_256) + unsigned char cert[sizeof_cliecc_cert_der_256]; + unsigned char key[sizeof_ecc_clikey_der_256]; + int certSz = (int)sizeof(cert); + int keySz = (int)sizeof(key); + XMEMSET(cert, 0, certSz); + XMEMSET(key, 0, keySz); + XMEMCPY(cert, cliecc_cert_der_256, sizeof_cliecc_cert_der_256); + XMEMCPY(key, ecc_clikey_der_256, sizeof_ecc_clikey_der_256); + #else + unsigned char cert[ONEK_BUF]; + unsigned char key[ONEK_BUF]; + XFILE fp; + int certSz, keySz; + + fp = XFOPEN("./certs/client-ecc-cert.der", "rb"); + AssertTrue(fp != XBADFILE); + certSz = XFREAD(cert, 1, sizeof_cliecc_cert_der_256, fp); + XFCLOSE(fp); + + fp = XFOPEN("./certs/client-ecc-key.der", "rb"); + AssertTrue(fp != XBADFILE); + keySz = XFREAD(key, 1, sizeof_ecc_clikey_der_256, fp); + XFCLOSE(fp); + #endif +#else + #error PKCS7 requires ECC or RSA +#endif + printf(testingFmt, "wolfSSL_PEM_write_bio_PKCS7()"); + + AssertNotNull(pkcs7 = wc_PKCS7_New(HEAP_HINT, devId)); + /* initialize with DER encoded cert */ + AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, (byte*)cert, (word32)certSz), 0); + + /* init rng */ + AssertIntEQ(wc_InitRng(&rng), 0); + + pkcs7->rng = &rng; + pkcs7->content = (byte*)data; /* not used for ex */ + pkcs7->contentSz = (word32)sizeof(data); + pkcs7->contentOID = SIGNED_DATA; + pkcs7->privateKey = key; + pkcs7->privateKeySz = (word32)sizeof(key); + pkcs7->encryptOID = RSAk; + pkcs7->hashOID = SHAh; + pkcs7->signedAttribs = NULL; + pkcs7->signedAttribsSz = 0; + + AssertNotNull(bio = BIO_new(BIO_s_mem())); + /* Write PKCS#7 PEM to BIO, the function converts the DER to PEM cert*/ + AssertIntEQ(PEM_write_bio_PKCS7(bio, pkcs7), WOLFSSL_SUCCESS); + + /* Read PKCS#7 PEM from BIO */ + ret = wolfSSL_BIO_get_mem_data(bio, &cert_buf); + AssertIntGE(ret, 0); + + BIO_free(bio); + wc_PKCS7_Free(pkcs7); + wc_FreeRng(&rng); + + printf(resultFmt, passed); + +#endif +} + /*----------------------------------------------------------------------------* | Certficate Failure Checks *----------------------------------------------------------------------------*/ @@ -24876,7 +25096,6 @@ static void test_SetTmpEC_DHE_Sz(void) #endif } - /*----------------------------------------------------------------------------* | Main *----------------------------------------------------------------------------*/ @@ -24960,6 +25179,7 @@ void ApiTest(void) /* compatibility tests */ test_wolfSSL_X509_NAME(); + test_wolfSSL_X509_subject_name_hash(); test_wolfSSL_DES(); test_wolfSSL_certs(); test_wolfSSL_ASN1_TIME_print(); @@ -24990,6 +25210,8 @@ void ApiTest(void) test_wolfSSL_X509_LOOKUP_load_file(); test_wolfSSL_X509_NID(); test_wolfSSL_X509_STORE_CTX_set_time(); + test_wolfSSL_get0_param(); + test_wolfSSL_X509_VERIFY_PARAM_set1_host(); test_wolfSSL_X509_STORE(); test_wolfSSL_BN(); test_wolfSSL_PEM_read_bio(); @@ -25067,6 +25289,8 @@ void ApiTest(void) test_X509_REQ(); /* OpenSSL PKCS7 API test */ test_wolfssl_PKCS7(); + test_wolfSSL_PKCS7_SIGNED_new(); + test_wolfSSL_PEM_write_bio_PKCS7(); /* wolfCrypt ASN tests */ test_wc_GetPkcs8TraditionalOffset(); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 9ee111a64a..43039882c8 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3739,6 +3739,7 @@ struct WOLFSSL { WOLFSSL_BIO* biord; /* socket bio read to free/close */ WOLFSSL_BIO* biowr; /* socket bio write to free/close */ byte sessionCtx[ID_LEN]; /* app session context ID */ + WOLFSSL_X509_VERIFY_PARAM param; /* verification parameters*/ #endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) unsigned long peerVerifyRet; diff --git a/wolfssl/openssl/pkcs7.h b/wolfssl/openssl/pkcs7.h index 9dd53e33bf..401ce4e2db 100644 --- a/wolfssl/openssl/pkcs7.h +++ b/wolfssl/openssl/pkcs7.h @@ -47,8 +47,9 @@ typedef struct WOLFSSL_PKCS7 WOLFSSL_API PKCS7* wolfSSL_PKCS7_new(void); +WOLFSSL_API PKCS7_SIGNED* wolfSSL_PKCS7_SIGNED_new(void); WOLFSSL_API void wolfSSL_PKCS7_free(PKCS7* p7); - +WOLFSSL_API void wolfSSL_PKCS7_SIGNED_free(PKCS7_SIGNED* p7); WOLFSSL_API PKCS7* wolfSSL_d2i_PKCS7(PKCS7** p7, const unsigned char** in, int len); WOLFSSL_API PKCS7* wolfSSL_d2i_PKCS7_bio(WOLFSSL_BIO* bio, PKCS7** p7); @@ -56,13 +57,17 @@ WOLFSSL_API int wolfSSL_PKCS7_verify(PKCS7* p7, WOLFSSL_STACK* certs, WOLFSSL_X509_STORE* store, WOLFSSL_BIO* in, WOLFSSL_BIO* out, int flags); WOLFSSL_API WOLFSSL_STACK* wolfSSL_PKCS7_get0_signers(PKCS7* p7, WOLFSSL_STACK* certs, int flags); +WOLFSSL_API int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7); -#define PKCS7_new wolfSSL_PKCS7_new +#define PKCS7_new wolfSSL_PKCS7_new +#define PKCS7_SIGNED_new wolfSSL_PKCS7_SIGNED_new #define PKCS7_free wolfSSL_PKCS7_free +#define PKCS7_SIGNED_free wolfSSL_PKCS7_SIGNED_free #define d2i_PKCS7 wolfSSL_d2i_PKCS7 #define d2i_PKCS7_bio wolfSSL_d2i_PKCS7_bio #define PKCS7_verify wolfSSL_PKCS7_verify #define PKCS7_get0_signers wolfSSL_PKCS7_get0_signers +#define PEM_write_bio_PKCS7 wolfSSL_PEM_write_bio_PKCS7 #endif /* OPENSSL_ALL && HAVE_PKCS7 */ diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index fb6e89b5f4..74501c3cab 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -101,6 +101,7 @@ typedef WOLFSSL_X509_REVOKED X509_REVOKED; typedef WOLFSSL_X509_OBJECT X509_OBJECT; typedef WOLFSSL_X509_STORE X509_STORE; typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; +typedef WOLFSSL_X509_VERIFY_PARAM X509_VERIFY_PARAM; #define EVP_CIPHER_INFO EncryptedInfo @@ -115,7 +116,6 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; /* depreciated */ #define CRYPTO_thread_id wolfSSL_thread_id #define CRYPTO_set_id_callback wolfSSL_set_id_callback - #define CRYPTO_LOCK 0x01 #define CRYPTO_UNLOCK 0x02 #define CRYPTO_READ 0x04 @@ -162,6 +162,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_use_PrivateKey_ASN1 wolfSSL_use_PrivateKey_ASN1 #define SSL_use_RSAPrivateKey_ASN1 wolfSSL_use_RSAPrivateKey_ASN1 #define SSL_get_privatekey wolfSSL_get_privatekey +#define SSL_CTX_use_PrivateKey_ASN1 wolfSSL_CTX_use_PrivateKey_ASN1 #define SSLv23_method wolfSSLv23_method #define SSLv23_client_method wolfSSLv23_client_method @@ -250,7 +251,6 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_session_reused wolfSSL_session_reused #define SSL_SESSION_free wolfSSL_SESSION_free #define SSL_is_init_finished wolfSSL_is_init_finished - #define SSL_get_version wolfSSL_get_version #define SSL_get_current_cipher wolfSSL_get_current_cipher @@ -266,7 +266,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_SESSION_get_master_key_length wolfSSL_SESSION_get_master_key_length #define DSA_dup_DH wolfSSL_DSA_dup_DH - + #define i2d_X509_bio wolfSSL_i2d_X509_bio #define d2i_X509_bio wolfSSL_d2i_X509_bio #define d2i_X509_fp wolfSSL_d2i_X509_fp @@ -317,7 +317,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define X509_email_free wolfSSL_X509_email_free #define X509_check_issued wolfSSL_X509_check_issued #define X509_dup wolfSSL_X509_dup - + #define sk_X509_new wolfSSL_sk_X509_new #define sk_X509_num wolfSSL_sk_X509_num #define sk_X509_value wolfSSL_sk_X509_value @@ -371,7 +371,6 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define X509_STORE_CTX_cleanup wolfSSL_X509_STORE_CTX_cleanup #define X509_STORE_CTX_set_error wolfSSL_X509_STORE_CTX_set_error #define X509_STORE_CTX_get_ex_data wolfSSL_X509_STORE_CTX_get_ex_data - #define X509_STORE_new wolfSSL_X509_STORE_new #define X509_STORE_free wolfSSL_X509_STORE_free #define X509_STORE_add_lookup wolfSSL_X509_STORE_add_lookup @@ -382,16 +381,17 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define X509_STORE_get_by_subject wolfSSL_X509_STORE_get_by_subject #define X509_STORE_CTX_get1_issuer wolfSSL_X509_STORE_CTX_get1_issuer #define X509_STORE_CTX_set_time wolfSSL_X509_STORE_CTX_set_time +#define X509_VERIFY_PARAM_set1_host wolfSSL_X509_VERIFY_PARAM_set1_host #define X509_LOOKUP_add_dir wolfSSL_X509_LOOKUP_add_dir #define X509_LOOKUP_load_file wolfSSL_X509_LOOKUP_load_file #define X509_LOOKUP_hash_dir wolfSSL_X509_LOOKUP_hash_dir #define X509_LOOKUP_file wolfSSL_X509_LOOKUP_file - + #define d2i_X509_CRL wolfSSL_d2i_X509_CRL #define d2i_X509_CRL_fp wolfSSL_d2i_X509_CRL_fp #define PEM_read_X509_CRL wolfSSL_PEM_read_X509_CRL - + #define X509_CRL_free wolfSSL_X509_CRL_free #define X509_CRL_get_lastUpdate wolfSSL_X509_CRL_get_lastUpdate #define X509_CRL_get_nextUpdate wolfSSL_X509_CRL_get_nextUpdate @@ -402,9 +402,10 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define sk_X509_REVOKED_value wolfSSL_sk_X509_REVOKED_value #define X509_OBJECT_free_contents wolfSSL_X509_OBJECT_free_contents +#define X509_subject_name_hash wolfSSL_X509_subject_name_hash #define OCSP_parse_url wolfSSL_OCSP_parse_url - + #define MD4_Init wolfSSL_MD4_Init #define MD4_Update wolfSSL_MD4_Update #define MD4_Final wolfSSL_MD4_Final @@ -433,7 +434,7 @@ typedef WOLFSSL_X509_STORE_CTX X509_STORE_CTX; #define SSL_set_bio wolfSSL_set_bio #define BIO_eof wolfSSL_BIO_eof #define BIO_set_ss wolfSSL_BIO_set_ss - + #define BIO_s_mem wolfSSL_BIO_s_mem #define BIO_f_base64 wolfSSL_BIO_f_base64 #define BIO_set_flags wolfSSL_BIO_set_flags @@ -515,7 +516,7 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define RSA_free wolfSSL_RSA_free #define RSA_generate_key wolfSSL_RSA_generate_key #define SSL_CTX_set_tmp_rsa_callback wolfSSL_CTX_set_tmp_rsa_callback - + #define PEM_def_callback wolfSSL_PEM_def_callback #define SSL_CTX_sess_accept wolfSSL_CTX_sess_accept @@ -609,7 +610,7 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define SSL_want_write wolfSSL_want_write #define BIO_prf wolfSSL_BIO_prf - + #define sk_num wolfSSL_sk_num #define sk_value wolfSSL_sk_value @@ -700,7 +701,7 @@ typedef STACK_OF(WOLFSSL_ASN1_OBJECT) GENERAL_NAMES; #define SSL_R_SHORT_READ 10 #define ERR_R_PEM_LIB 9 #define V_ASN1_IA5STRING 22 -#define SSL_CTRL_MODE 33 +#define SSL_CTRL_MODE 33 #define SSL_CTX_clear_chain_certs(ctx) SSL_CTX_set0_chain(ctx,NULL) #define d2i_RSAPrivateKey_bio wolfSSL_d2i_RSAPrivateKey_bio @@ -761,7 +762,7 @@ typedef STACK_OF(WOLFSSL_ASN1_OBJECT) GENERAL_NAMES; #define SSL_set_tlsext_status_ocsp_res wolfSSL_set_tlsext_status_ocsp_resp #define SSL_set_tlsext_status_ocsp_resp wolfSSL_set_tlsext_status_ocsp_resp #define SSL_get_tlsext_status_ocsp_resp wolfSSL_get_tlsext_status_ocsp_resp - + #define SSL_CTX_add_extra_chain_cert wolfSSL_CTX_add_extra_chain_cert #define SSL_CTX_get_read_ahead wolfSSL_CTX_get_read_ahead #define SSL_CTX_set_read_ahead wolfSSL_CTX_set_read_ahead @@ -949,7 +950,7 @@ typedef STACK_OF(WOLFSSL_ASN1_OBJECT) GENERAL_NAMES; #define SSL_is_server wolfSSL_is_server #define SSL_CTX_set1_curves_list wolfSSL_CTX_set1_curves_list -#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || WOLFSSL_MYSQL_COMPATIBLE || +#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || WOLFSSL_MYSQL_COMPATIBLE || OPENSSL_ALL || HAVE_LIGHTY */ #ifdef OPENSSL_EXTRA @@ -957,9 +958,10 @@ typedef STACK_OF(WOLFSSL_ASN1_OBJECT) GENERAL_NAMES; #define SSL_CTX_set_srp_password wolfSSL_CTX_set_srp_password #define SSL_CTX_set_srp_username wolfSSL_CTX_set_srp_username #define SSL_get_SSL_CTX wolfSSL_get_SSL_CTX +#define SSL_get0_param wolfSSL_get0_param #define ERR_NUM_ERRORS 16 -#define EVP_PKEY_RSA 6 +#define EVP_PKEY_RSA 6 #define EVP_PKEY_RSA2 19 #define SN_pkcs9_emailAddress "Email" #define LN_pkcs9_emailAddress "emailAddress" diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 5624311ca2..06259ef982 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -307,6 +307,7 @@ struct WOLFSSL_X509_STORE { WOLFSSL_X509_LOOKUP lookup; #ifdef OPENSSL_EXTRA int isDynamic; + WOLFSSL_X509_VERIFY_PARAM* param; /* certificate validation parameter */ #endif #if defined(OPENSSL_EXTRA) && defined(HAVE_CRL) WOLFSSL_X509_CRL *crl; @@ -317,9 +318,11 @@ struct WOLFSSL_X509_STORE { #define WOLFSSL_USE_CHECK_TIME 0x2 #define WOLFSSL_NO_CHECK_TIME 0x200000 #define WOLFSSL_NO_WILDCARDS 0x4 +#define WOLFSSL_HOST_NAME_MAX 256 struct WOLFSSL_X509_VERIFY_PARAM { - time_t check_time; - unsigned long flags; + time_t check_time; + unsigned long flags; + char hostName[WOLFSSL_HOST_NAME_MAX]; }; #endif @@ -578,6 +581,7 @@ WOLFSSL_API WOLFSSL_CTX* wolfSSL_CTX_new_ex(WOLFSSL_METHOD* method, void* heap); WOLFSSL_API WOLFSSL_CTX* wolfSSL_CTX_new(WOLFSSL_METHOD*); WOLFSSL_API WOLFSSL* wolfSSL_new(WOLFSSL_CTX*); WOLFSSL_API WOLFSSL_CTX* wolfSSL_get_SSL_CTX(WOLFSSL* ssl); +WOLFSSL_API WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_is_server(WOLFSSL*); WOLFSSL_API WOLFSSL* wolfSSL_write_dup(WOLFSSL*); WOLFSSL_API int wolfSSL_set_fd (WOLFSSL*, int); @@ -1014,6 +1018,10 @@ WOLFSSL_API int wolfSSL_sk_X509_REVOKED_num(WOLFSSL_X509_REVOKED*); WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_time(WOLFSSL_X509_STORE_CTX*, unsigned long flags, time_t t); +WOLFSSL_API void wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, + const char* name, + unsigned int nameSz); + #endif WOLFSSL_API WOLFSSL_X509_REVOKED* wolfSSL_X509_CRL_get_REVOKED(WOLFSSL_X509_CRL*); WOLFSSL_API WOLFSSL_X509_REVOKED* wolfSSL_sk_X509_REVOKED_value( @@ -2689,6 +2697,8 @@ WOLFSSL_API WOLFSSL_EVP_PKEY *wolfSSL_get_privatekey(const WOLFSSL *ssl); WOLFSSL_API int wolfSSL_use_RSAPrivateKey_ASN1(WOLFSSL* ssl, unsigned char* der, long derSz); #endif +WOLFSSL_API int wolfSSL_CTX_use_PrivateKey_ASN1(int pri, WOLFSSL_CTX* ctx, + unsigned char* der, long derSz); #endif /* NO_CERTS */ WOLFSSL_API WOLFSSL_DH *wolfSSL_DSA_dup_DH(const WOLFSSL_DSA *r); @@ -2791,7 +2801,6 @@ WOLFSSL_API WOLFSSL_DSA *wolfSSL_PEM_read_bio_DSAparams(WOLFSSL_BIO *bp, WOLFSSL_API int wolfSSL_PEM_write_bio_X509_REQ(WOLFSSL_BIO *bp,WOLFSSL_X509 *x); WOLFSSL_API int wolfSSL_PEM_write_bio_X509_AUX(WOLFSSL_BIO *bp,WOLFSSL_X509 *x); WOLFSSL_API int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x); - #endif /* HAVE_STUNNEL || HAVE_LIGHTY */ #ifdef OPENSSL_ALL @@ -3107,6 +3116,8 @@ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_PKCS8PrivateKey_bio(WOLFSSL_BIO* bio, WOLFSSL_EVP_PKEY** pkey, pem_password_cb* cb, void* u); WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_d2i_AutoPrivateKey( WOLFSSL_EVP_PKEY** pkey, const unsigned char** data, long length); +WOLFSSL_API unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509); + #endif /* OPENSSL_EXTRA */ diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h index 436aaf78ec..32bfec8454 100644 --- a/wolfssl/wolfcrypt/pkcs7.h +++ b/wolfssl/wolfcrypt/pkcs7.h @@ -198,6 +198,7 @@ typedef struct PKCS7State PKCS7State; typedef struct Pkcs7Cert Pkcs7Cert; typedef struct Pkcs7EncodedRecip Pkcs7EncodedRecip; typedef struct PKCS7 PKCS7; +typedef struct PKCS7 PKCS7_SIGNED; typedef struct PKCS7SignerInfo PKCS7SignerInfo; /* OtherRecipientInfo decrypt callback prototype */ @@ -220,7 +221,7 @@ typedef int (*CallbackWrapCEK)(PKCS7* pkcs7, byte* cek, word32 cekSz, int keyWrapAlgo, int type, int dir); /* Public Structure Warning: - * Existing members must not be changed to maintain backwards compatibility! + * Existing members must not be changed to maintain backwards compatibility! */ struct PKCS7 { WC_RNG* rng; @@ -267,7 +268,7 @@ struct PKCS7 { byte issuerSn[MAX_SN_SZ]; /* singleCert's serial number */ byte publicKey[MAX_RSA_INT_SZ + MAX_RSA_E_SZ]; /* MAX RSA key size (m + e)*/ word32 certSz[MAX_PKCS7_CERTS]; - + /* flags - up to 16-bits */ word16 isDynamic:1; word16 noDegenerate:1; /* allow degenerate case in verify function */ @@ -320,7 +321,6 @@ struct PKCS7 { /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */ }; - WOLFSSL_API PKCS7* wc_PKCS7_New(void* heap, int devId); WOLFSSL_API int wc_PKCS7_Init(PKCS7* pkcs7, void* heap, int devId); WOLFSSL_API int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* der, word32 derSz); @@ -346,7 +346,7 @@ WOLFSSL_API int wc_PKCS7_SetDetached(PKCS7* pkcs7, word16 flag); WOLFSSL_API int wc_PKCS7_NoDefaultSignedAttribs(PKCS7* pkcs7); WOLFSSL_API int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz); -WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf, +WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf, word32 hashSz, byte* outputHead, word32* outputHeadSz, byte* outputFoot, @@ -354,7 +354,7 @@ WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf, WOLFSSL_API void wc_PKCS7_AllowDegenerate(PKCS7* pkcs7, word16 flag); WOLFSSL_API int wc_PKCS7_VerifySignedData(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz); -WOLFSSL_API int wc_PKCS7_VerifySignedData_ex(PKCS7* pkcs7, const byte* hashBuf, +WOLFSSL_API int wc_PKCS7_VerifySignedData_ex(PKCS7* pkcs7, const byte* hashBuf, word32 hashSz, byte* pkiMsgHead, word32 pkiMsgHeadSz, byte* pkiMsgFoot, word32 pkiMsgFootSz); From eccc85b9faed0a3d084d18d40f45c52d7cb3754d Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Mon, 5 Aug 2019 17:51:31 -0700 Subject: [PATCH 02/11] Add NO_RSA conditional --- tests/api.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/api.c b/tests/api.c index 74dcf740d9..1a43302eda 100644 --- a/tests/api.c +++ b/tests/api.c @@ -17841,7 +17841,7 @@ static void test_wolfSSL_X509_NAME(void) static void test_wolfSSL_X509_subject_name_hash(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \ - && !defined(NO_SHA) + && !defined(NO_SHA) && !defined(NO_RSA) X509* x509; X509_NAME* subjectName = NULL; @@ -19491,7 +19491,7 @@ static void test_wolfSSL_X509_STORE_CTX_set_time(void) static void test_wolfSSL_get0_param(void) { -#if defined(OPENSSL_EXTRA) +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) SSL_CTX* ctx; SSL* ssl; WOLFSSL_X509_VERIFY_PARAM* pParam; @@ -19510,7 +19510,7 @@ static void test_wolfSSL_get0_param(void) SSL_free(ssl); SSL_CTX_free(ctx); printf(resultFmt, passed); -#endif /* OPENSSL_EXTRA */ +#endif /* OPENSSL_EXTRA && !defined(NO_RSA)*/ } static void test_wolfSSL_X509_VERIFY_PARAM_set1_host(void) From 000c38ae1f6aadcf45c7634efd1080aede1d6217 Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Tue, 6 Aug 2019 07:46:57 -0700 Subject: [PATCH 03/11] Use wolfSSL_PKCS7_free, not wc_PKCS7_Free --- src/ssl.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 3e7c528eeb..a63a016a64 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -19255,6 +19255,11 @@ err_exit: #ifdef HAVE_CRL if(store->crl != NULL) wolfSSL_X509_CRL_free(store->crl); +#endif +#ifdef OPENSSL_EXTRA + if (store->param != NULL){ + XFREE(store->param,NULL,DYNAMIC_TYPE_OPENSSL); + } #endif wolfSSL_X509_STORE_free(store); @@ -36390,11 +36395,12 @@ PKCS7_SIGNED* wolfSSL_PKCS7_SIGNED_new(void) byte signedData[]= { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02}; PKCS7* pkcs7 = NULL; - pkcs7 = wolfSSL_PKCS7_new(); + if ((pkcs7 = wolfSSL_PKCS7_new()) == NULL) + return NULL; pkcs7->contentOID = SIGNED_DATA; if ((wc_PKCS7_SetContentType(pkcs7, signedData, sizeof(signedData))) < 0) { if (pkcs7) { - wc_PKCS7_Free(pkcs7); + wolfSSL_PKCS7_free(pkcs7); return NULL; } } From c1938969aa79e2196bf0a8cd57c8a675ff6039a7 Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Tue, 6 Aug 2019 10:47:30 -0700 Subject: [PATCH 04/11] Convert to pointer to pass static memory --- src/internal.c | 32 +++++++++++++++++++++++--------- src/ssl.c | 2 +- wolfssl/internal.h | 2 +- 3 files changed, 25 insertions(+), 11 deletions(-) diff --git a/src/internal.c b/src/internal.c index 198db7584b..b07df2b2ef 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5119,6 +5119,15 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->sessionCtxSz = ctx->sessionCtxSz; XMEMCPY(ssl->sessionCtx, ctx->sessionCtx, ctx->sessionCtxSz); ssl->cbioFlag = ctx->cbioFlag; + + if ((ssl->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + ssl->heap, DYNAMIC_TYPE_OPENSSL)) == NULL) { + WOLFSSL_MSG("ssl->param memory error"); + return MEMORY_E; + } + XMEMSET(ssl->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + #endif InitCiphers(ssl); @@ -5682,7 +5691,11 @@ void SSL_ResourceFree(WOLFSSL* ssl) FreeWriteDup(ssl); } #endif - +#ifdef OPENSSL_EXTRA + if (ssl->param) { + XFREE(ssl->param, ssl->heap, DYNAMIC_TYPE_OPENSSL); + } +#endif #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) while (ssl->certReqCtx != NULL) { CertReqCtx* curr = ssl->certReqCtx; @@ -9121,16 +9134,17 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args) XMEMSET(store->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); /* Overwrite with non-default param values in SSL */ + if (ssl->param) { + if (ssl->param->check_time) + store->param->check_time = ssl->param->check_time; - if (ssl->param.check_time) - store->param->check_time = ssl->param.check_time; + if (ssl->param->flags) + store->param->flags = ssl->param->flags; - if (ssl->param.flags) - store->param->flags = ssl->param.flags; - - if (ssl->param.hostName[0]) - XMEMCPY(store->param->hostName, ssl->param.hostName, - WOLFSSL_HOST_NAME_MAX); + if (ssl->param->hostName[0]) + XMEMCPY(store->param->hostName, ssl->param->hostName, + WOLFSSL_HOST_NAME_MAX); + } } #endif /* defined(OPENSSL_EXTRA) */ #endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)*/ diff --git a/src/ssl.c b/src/ssl.c index a63a016a64..33bc2166c0 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -19766,7 +19766,7 @@ WOLFSSL_X509_VERIFY_PARAM* wolfSSL_get0_param(WOLFSSL* ssl) if (ssl == NULL) { return NULL; } - return &ssl->param; + return ssl->param; } #ifndef NO_WOLFSSL_STUB diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 43039882c8..05e8c08fc2 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3739,7 +3739,7 @@ struct WOLFSSL { WOLFSSL_BIO* biord; /* socket bio read to free/close */ WOLFSSL_BIO* biowr; /* socket bio write to free/close */ byte sessionCtx[ID_LEN]; /* app session context ID */ - WOLFSSL_X509_VERIFY_PARAM param; /* verification parameters*/ + WOLFSSL_X509_VERIFY_PARAM* param; /* verification parameters*/ #endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) unsigned long peerVerifyRet; From 1371fc8327e28d3f02a377369d265ef56c85d7a6 Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Tue, 6 Aug 2019 13:23:18 -0700 Subject: [PATCH 05/11] Review comments --- src/internal.c | 50 +++++++++++++++++++++++++++----------------------- src/ssl.c | 10 +++++++--- tests/api.c | 6 +++--- 3 files changed, 37 insertions(+), 29 deletions(-) diff --git a/src/internal.c b/src/internal.c index b07df2b2ef..677f7b05b8 100644 --- a/src/internal.c +++ b/src/internal.c @@ -5120,14 +5120,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) XMEMCPY(ssl->sessionCtx, ctx->sessionCtx, ctx->sessionCtxSz); ssl->cbioFlag = ctx->cbioFlag; - if ((ssl->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( - sizeof(WOLFSSL_X509_VERIFY_PARAM), - ssl->heap, DYNAMIC_TYPE_OPENSSL)) == NULL) { - WOLFSSL_MSG("ssl->param memory error"); - return MEMORY_E; - } - XMEMSET(ssl->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); - #endif InitCiphers(ssl); @@ -5154,6 +5146,16 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) XMEMSET(ssl->arrays->preMasterSecret, 0, ENCRYPT_LEN); #endif +#ifdef OPENSSL_EXTRA + if ((ssl->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + ssl->heap, DYNAMIC_TYPE_OPENSSL)) == NULL) { + WOLFSSL_MSG("ssl->param memory error"); + return MEMORY_E; + } + XMEMSET(ssl->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); +#endif + #ifdef SINGLE_THREADED if (ctx->suites == NULL) #endif @@ -9128,24 +9130,26 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args) } #if defined(OPENSSL_EXTRA) - if ((store->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( - sizeof(WOLFSSL_X509_VERIFY_PARAM), - ssl->heap, DYNAMIC_TYPE_OPENSSL)) != NULL) { - XMEMSET(store->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + store->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC( + sizeof(WOLFSSL_X509_VERIFY_PARAM), + ssl->heap, DYNAMIC_TYPE_OPENSSL); + if (store->param == NULL) { + return MEMORY_E; + } + XMEMSET(store->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM)); + /* Overwrite with non-default param values in SSL */ + if (ssl->param) { + if (ssl->param->check_time) + store->param->check_time = ssl->param->check_time; - /* Overwrite with non-default param values in SSL */ - if (ssl->param) { - if (ssl->param->check_time) - store->param->check_time = ssl->param->check_time; + if (ssl->param->flags) + store->param->flags = ssl->param->flags; - if (ssl->param->flags) - store->param->flags = ssl->param->flags; + if (ssl->param->hostName[0]) + XMEMCPY(store->param->hostName, ssl->param->hostName, + WOLFSSL_HOST_NAME_MAX); - if (ssl->param->hostName[0]) - XMEMCPY(store->param->hostName, ssl->param->hostName, - WOLFSSL_HOST_NAME_MAX); - } - } + } #endif /* defined(OPENSSL_EXTRA) */ #endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)*/ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) diff --git a/src/ssl.c b/src/ssl.c index 33bc2166c0..d956e2ebb5 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -36420,7 +36420,7 @@ void wolfSSL_PKCS7_free(PKCS7* pkcs7) } void wolfSSL_PKCS7_SIGNED_free(PKCS7_SIGNED* p7) { - wolfSSL_PKCS7_free((PKCS7*)p7); + wolfSSL_PKCS7_free(p7); return; } PKCS7* wolfSSL_d2i_PKCS7(PKCS7** p7, const unsigned char** in, int len) @@ -36588,6 +36588,9 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) if (bio == NULL || p7 == NULL) return WOLFSSL_FAILURE; + XMEMSET(outputHead, 0, outputHeadSz); + XMEMSET(outputFoot, 0, outputFootSz); + hashType = wc_OidGetHash(p7->hashOID); hashSz = wc_HashGetDigestSize(hashType); if (hashSz > WC_MAX_DIGEST_SIZE) @@ -36602,8 +36605,9 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) return WOLFSSL_FAILURE; }; - wc_PKCS7_EncodeSignedData_ex(p7, hashBuf, hashSz, - outputHead, &outputHeadSz, outputFoot, &outputFootSz); + if ((wc_PKCS7_EncodeSignedData_ex(p7, hashBuf, hashSz, + outputHead, &outputHeadSz, outputFoot, &outputFootSz)) != 0) + return WOLFSSL_FAILURE; outputSz = outputHeadSz + p7->contentSz + outputFootSz; output = (byte*)XMALLOC(outputSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/tests/api.c b/tests/api.c index 1a43302eda..7cc0d14712 100644 --- a/tests/api.c +++ b/tests/api.c @@ -23695,10 +23695,10 @@ static void test_wolfSSL_PKCS7_SIGNED_new(void) static void test_wolfSSL_PEM_write_bio_PKCS7(void) { #if defined(OPENSSL_ALL) && defined(HAVE_PKCS7) && !defined(NO_FILESYSTEM) - PKCS7* pkcs7; - BIO* bio; + PKCS7* pkcs7 = NULL; + BIO* bio = NULL; const byte* cert_buf = NULL; - int ret; + int ret = 0; WC_RNG rng; const byte data[] = { /* Hello World */ 0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f, From 4bff2b6befd3941585bbbd7aa6dd91b3856ca426 Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Tue, 6 Aug 2019 15:49:36 -0700 Subject: [PATCH 06/11] Fixed valgrind issue --- src/ssl.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index d956e2ebb5..efbd78e2ee 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -36588,6 +36588,7 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) if (bio == NULL || p7 == NULL) return WOLFSSL_FAILURE; + XMEMSET(hashBuf, 0, WC_MAX_DIGEST_SIZE); XMEMSET(outputHead, 0, outputHeadSz); XMEMSET(outputFoot, 0, outputFootSz); @@ -36615,6 +36616,7 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) if (!output) return WOLFSSL_FAILURE; + XMEMSET(output, 0, outputSz); outputSz = 0; XMEMCPY(&output[outputSz], outputHead, outputHeadSz); outputSz += outputHeadSz; @@ -36628,10 +36630,14 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) if (pemSz < 0) goto error; + pemSz++; /* for '\0'*/ + /* create PEM buffer and convert from DER to PEM*/ if ((pem = (byte*)XMALLOC(pemSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER)) == NULL) goto error; + XMEMSET(pem, 0, pemSz); + if (wc_DerToPemEx(output, outputSz, pem, pemSz, NULL, CERT_TYPE) < 0) { goto error; } From b9ddbb974a546597823f56a9a24a49f4975d7790 Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Tue, 13 Aug 2019 09:55:28 -0700 Subject: [PATCH 07/11] perform domain name check on the peer certificate --- src/internal.c | 9 +++++++++ src/ssl.c | 23 ++++++++++++++++++----- wolfssl/ssl.h | 2 +- 3 files changed, 28 insertions(+), 6 deletions(-) diff --git a/src/internal.c b/src/internal.c index 677f7b05b8..16820fadc8 100644 --- a/src/internal.c +++ b/src/internal.c @@ -9054,7 +9054,16 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args) use_cb = 1; } #endif +#if defined(OPENSSL_EXTRA) + /* perform domain name check on the peer certificate */ + if (args->dCertInit && args->dCert && args->dCert->subjectCN \ + && ssl->param && ssl->param->hostName[0]) { + if(XSTRSTR(args->dCert->subjectCN, ssl->param->hostName) == NULL) { + return VERIFY_CERT_ERROR; + } + } +#endif /* if verify callback has been set */ if (use_cb && ssl->verifyCallback) { #ifdef WOLFSSL_SMALL_STACK diff --git a/src/ssl.c b/src/ssl.c index efbd78e2ee..782a81e94a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16672,6 +16672,9 @@ WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert) * * RETURNS: * The beginning of the hash digest. Otherwise, returns zero. +* Note: +* Returns a different hash value from OpenSSL's X509_subject_name_hash() API +* depending on the subject name. */ unsigned long wolfSSL_X509_subject_name_hash(const WOLFSSL_X509* x509) { @@ -19738,21 +19741,31 @@ void wolfSSL_X509_STORE_CTX_set_time(WOLFSSL_X509_STORE_CTX* ctx, * RETURNS: * */ -void wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, +int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, const char* name, unsigned int nameSz) { if (pParam == NULL) - return; + return WOLFSSL_FAILURE; XMEMSET(pParam->hostName, 0, WOLFSSL_HOST_NAME_MAX); + /* If name is NUL-terminated, namelen can be set to zero. */ + if(name && (nameSz == 0)) + nameSz = XSTRLEN(name); - if (nameSz > WOLFSSL_HOST_NAME_MAX) - nameSz = WOLFSSL_HOST_NAME_MAX; + if (nameSz > 0 && name[nameSz - 1] == '\0') + nameSz--; + + if (nameSz > WOLFSSL_HOST_NAME_MAX-1) + nameSz = WOLFSSL_HOST_NAME_MAX-1; if (nameSz > 0) XMEMCPY(pParam->hostName, name, nameSz); - pParam->hostName[WOLFSSL_HOST_NAME_MAX-1] = '\0'; + + pParam->hostName[nameSz] = '\0'; + + return WOLFSSL_SUCCESS; + } /****************************************************************************** * wolfSSL_get0_param - return a pointer to the SSL verification parameters diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 06259ef982..710b6942bb 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1018,7 +1018,7 @@ WOLFSSL_API int wolfSSL_sk_X509_REVOKED_num(WOLFSSL_X509_REVOKED*); WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_time(WOLFSSL_X509_STORE_CTX*, unsigned long flags, time_t t); -WOLFSSL_API void wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, +WOLFSSL_API int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, const char* name, unsigned int nameSz); From 1acd24deb891749203bd9aa2b47fa8ac1ae74f3a Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Tue, 13 Aug 2019 10:15:57 -0700 Subject: [PATCH 08/11] Review comment to reduce stack usage --- src/ssl.c | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 782a81e94a..a3f574a356 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -36584,10 +36584,15 @@ WOLFSSL_STACK* wolfSSL_PKCS7_get0_signers(PKCS7* pkcs7, WOLFSSL_STACK* certs, int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) { - byte outputHead[2048]; - byte outputFoot[2048]; - word32 outputHeadSz = (word32)sizeof(outputHead); - word32 outputFootSz = (word32)sizeof(outputFoot); +#ifdef WOLFSSL_SMALL_STACK + byte* outputHead; + byte* outputFoot; +#else + byte outputHead[2048]; + byte outputFoot[2048]; +#endif + word32 outputHeadSz = 2048; + word32 outputFootSz = 2048; word32 outputSz = 0; byte* output = NULL; byte* pem = NULL; @@ -36601,6 +36606,17 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) if (bio == NULL || p7 == NULL) return WOLFSSL_FAILURE; +#ifdef WOLFSSL_SMALL_STACK + outputHead = (byte*)XMALLOC(outputHeadSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (outputHead == NULL) + return MEMORY_E; + + outputFoot = (byte*)XMALLOC(outputFootSz, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (outputFoot == NULL) + goto error; + +#endif + XMEMSET(hashBuf, 0, WC_MAX_DIGEST_SIZE); XMEMSET(outputHead, 0, outputHeadSz); XMEMSET(outputFoot, 0, outputFootSz); @@ -36661,6 +36677,14 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) } error: +#ifdef WOLFSSL_SMALL_STACK + if (outputHead) { + XFREE(outputHead, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + } + if (outputFoot) { + XFREE(outputFoot, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + } +#endif if (output) { XFREE(output, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); } From b7bd710bc8332d5a5da6a3a1d913c65f5225fd3d Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Tue, 13 Aug 2019 10:29:37 -0700 Subject: [PATCH 09/11] Add small stack option --- src/ssl.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index a3f574a356..dcc02cf23a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -36673,23 +36673,27 @@ int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7) if ((wolfSSL_BIO_write(bio, pem, pemSz) == pemSz)) { XFREE(output, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(pem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); +#ifdef WOLFSSL_SMALL_STACK + XFREE(outputHead, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(outputFoot, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); +#endif return WOLFSSL_SUCCESS; } error: #ifdef WOLFSSL_SMALL_STACK if (outputHead) { - XFREE(outputHead, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(outputHead, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); } if (outputFoot) { - XFREE(outputFoot, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(outputFoot, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); } #endif if (output) { - XFREE(output, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(output, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); } if (pem) { - XFREE(pem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pem, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); } return WOLFSSL_FAILURE; } From b1ad0525ea29c0c08816c83a89671a49069a5987 Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Tue, 13 Aug 2019 10:45:24 -0700 Subject: [PATCH 10/11] cast to correct static analysis issue --- src/ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index dcc02cf23a..77bc1cd840 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -19751,7 +19751,7 @@ int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, XMEMSET(pParam->hostName, 0, WOLFSSL_HOST_NAME_MAX); /* If name is NUL-terminated, namelen can be set to zero. */ if(name && (nameSz == 0)) - nameSz = XSTRLEN(name); + nameSz = (unsigned int)XSTRLEN(name); if (nameSz > 0 && name[nameSz - 1] == '\0') nameSz--; From 9301cce9ac21b695a24af793027102e8dc7ba70c Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Tue, 13 Aug 2019 11:48:20 -0700 Subject: [PATCH 11/11] Check a null pointer dereference --- src/ssl.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 77bc1cd840..5a00c7c66a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -19745,13 +19745,21 @@ int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, const char* name, unsigned int nameSz) { + unsigned int sz = 0; + if (pParam == NULL) return WOLFSSL_FAILURE; XMEMSET(pParam->hostName, 0, WOLFSSL_HOST_NAME_MAX); + + if (name == NULL) + return WOLFSSL_SUCCESS; + + sz = (unsigned int)XSTRLEN(name); + /* If name is NUL-terminated, namelen can be set to zero. */ - if(name && (nameSz == 0)) - nameSz = (unsigned int)XSTRLEN(name); + if(nameSz == 0 || nameSz > sz) + nameSz = sz; if (nameSz > 0 && name[nameSz - 1] == '\0') nameSz--; @@ -19765,7 +19773,6 @@ int wolfSSL_X509_VERIFY_PARAM_set1_host(WOLFSSL_X509_VERIFY_PARAM* pParam, pParam->hostName[nameSz] = '\0'; return WOLFSSL_SUCCESS; - } /****************************************************************************** * wolfSSL_get0_param - return a pointer to the SSL verification parameters