ASN macro simplification. Added new `--enable-asn=all` and `WOLFSSL_ASN_ALL` option. Added granular macros for ASN features like: `WOLFSSL_ASN_CA_ISSUER`, `WOLFSSL_ASN_PARSE_KEYUSAGE`, `WOLFSSL_ASN_TIME_STRING`, `WOLFSSL_OCSP_PARSE_STATUS`.

pull/7798/head
David Garske 2024-07-26 11:49:53 -07:00
parent 7da6149250
commit 20f7d6f9f4
11 changed files with 507 additions and 421 deletions


@ -1992,7 +1992,7 @@ AC_ARG_ENABLE([ffmpeg],
) )
#IP alternative name Support # IP alternative name Support
AC_ARG_ENABLE([ip-alt-name], AC_ARG_ENABLE([ip-alt-name],
[AS_HELP_STRING([--enable-ip-alt-name],[Enable IP subject alternative name (default: disabled)])], [AS_HELP_STRING([--enable-ip-alt-name],[Enable IP subject alternative name (default: disabled)])],
[ ENABLE_IP_ALT_NAME=$enableval ], [ ENABLE_IP_ALT_NAME=$enableval ],
@ -2004,7 +2004,7 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IP_ALT_NAME" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_IP_ALT_NAME"
fi fi
#Qt Support # QT Support
AC_ARG_ENABLE([qt], AC_ARG_ENABLE([qt],
[AS_HELP_STRING([--enable-qt],[Enable qt (default: disabled)])], [AS_HELP_STRING([--enable-qt],[Enable qt (default: disabled)])],
[ ENABLED_QT=$enableval ], [ ENABLED_QT=$enableval ],
@ -4744,43 +4744,52 @@ fi
# ASN # ASN
# turn off asn, which means no certs, no rsa, no dsa, no ecc, # turn off asn, which means no certs, no rsa, no dsa, no ecc,
# and no big int (unless dh is on) # and no big int (unless dh is on)
# turn off ASN if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
then
enable_asn=no
fi
AC_ARG_ENABLE([asn], AC_ARG_ENABLE([asn],
[AS_HELP_STRING([--enable-asn],[Enable ASN (default: enabled)])], [AS_HELP_STRING([--enable-asn],[Enable ASN (default: enabled)])],
[ ENABLED_ASN=$enableval ], [ ENABLED_ASN=$enableval ],
[ ENABLED_ASN=yes ] [ ENABLED_ASN=yes ]
) )
if test "$ENABLED_ASN" = "no" for v in `echo $ENABLED_ASN | tr "," " "`
then do
AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_ASN_CRYPT" case $v in
enable_pwdbased=no all)
else # Enable all ASN features
if test "$ENABLED_ASN" = "template"; then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_ALL"
ENABLED_ASN="yes" ENABLED_ASN=yes
fi ;;
if test "$ENABLED_ASN" = "yes"; then template | yes)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_TEMPLATE" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_TEMPLATE"
elif test "$ENABLED_ASN" = "original"; then ENABLED_ASN=yes
;;
original)
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_ORIGINAL" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ASN_ORIGINAL"
else ENABLED_ASN=yes
AC_MSG_ERROR([Invalid asn option. Valid are: template or original. Seen: $ENABLED_ASN.]) ;;
fi nocrypt)
AM_CFLAGS="$AM_CFLAGS -DNO_ASN_CRYPT"
# turn off ASN if leanpsk on enable_pwdbased=no
if test "$ENABLED_LEANPSK" = "yes" ;;
then no)
AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_BIG_INT" AM_CFLAGS="$AM_CFLAGS -DNO_ASN -DNO_ASN_CRYPT"
enable_pwdbased=no
ENABLED_ASN=no ENABLED_ASN=no
else ;;
if test "$ENABLED_ASN" = "nocrypt" *)
then AC_MSG_ERROR([Invalid asn option. Valid are: all, template/yes, original, nocrypt or no. Seen: $ENABLED_ASN.])
AM_CFLAGS="$AM_CFLAGS -DNO_ASN_CRYPT" break;;
enable_pwdbased=no esac
fi done
fi
fi
if test "$ENABLED_RSA" = "yes" && test "$ENABLED_RSAVFY" = "no" && \ if test "$ENABLED_RSA" = "yes" && test "$ENABLED_RSAVFY" = "no" && \
test "$ENABLED_ASN" = "no" && test "$ENABLED_LOWRESOURCE" = "no" test "$ENABLED_ASN" = "no" && test "$ENABLED_LOWRESOURCE" = "no"

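Review bot: The new `no)` case emits `-DNO_ASN -DNO_ASN_CRYPT`, but the lean-PSK path it replaces emitted `-DNO_ASN -DNO_BIG_INT`, so `--enable-leanpsk` builds lose `NO_BIG_INT` unless settings.h now derives it elsewhere; that header is not in this view, so either confirm it or add `-DNO_BIG_INT` to the `no)` case when `"$ENABLED_LEANPSK" = "yes"`. The comma-separated loop also accepts contradictory lists such as `no,template`, where the CFLAGS accumulate and `ENABLED_ASN` ends up as whichever token came last; rejecting `no` or `all` when combined with other tokens would make that explicit. The `all)` case sets only `WOLFSSL_ASN_ALL`, so whether template or original parsing is selected depends on a default outside this file and deserves a comment such as `# template parser is the default; see settings.h`. The `break;;` after `AC_MSG_ERROR` is dead code since the macro exits configure.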

@ -12540,13 +12540,13 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, word32 domainLen,
while (altName) { while (altName) {
WOLFSSL_MSG("\tindividual AltName check"); WOLFSSL_MSG("\tindividual AltName check");
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
if (altName->type == ASN_IP_TYPE) { if (altName->type == ASN_IP_TYPE) {
buf = altName->ipString; buf = altName->ipString;
len = (word32)XSTRLEN(buf); len = (word32)XSTRLEN(buf);
} }
else else
#endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */ #endif /* WOLFSSL_IP_ALT_NAME */
{ {
buf = altName->name; buf = altName->name;
len = (word32)altName->len; len = (word32)altName->len;
@ -12817,6 +12817,7 @@ static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert)
int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
{ {
int ret = 0; int ret = 0;
int minSz;
if (x509 == NULL || dCert == NULL || if (x509 == NULL || dCert == NULL ||
dCert->subjectCNLen < 0) dCert->subjectCNLen < 0)
@ -12866,49 +12867,45 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
#endif /* WOLFSSL_CERT_REQ */ #endif /* WOLFSSL_CERT_REQ */
#ifdef WOLFSSL_SEP #ifdef WOLFSSL_SEP
{ minSz = min(dCert->deviceTypeSz, EXTERNAL_SERIAL_SIZE);
int minSz = min(dCert->deviceTypeSz, EXTERNAL_SERIAL_SIZE); if (minSz > 0) {
if (minSz > 0) { x509->deviceTypeSz = minSz;
x509->deviceTypeSz = minSz; XMEMCPY(x509->deviceType, dCert->deviceType, minSz);
XMEMCPY(x509->deviceType, dCert->deviceType, minSz);
}
else
x509->deviceTypeSz = 0;
minSz = min(dCert->hwTypeSz, EXTERNAL_SERIAL_SIZE);
if (minSz > 0) {
x509->hwTypeSz = minSz;
XMEMCPY(x509->hwType, dCert->hwType, minSz);
}
else
x509->hwTypeSz = 0;
minSz = min(dCert->hwSerialNumSz, EXTERNAL_SERIAL_SIZE);
if (minSz > 0) {
x509->hwSerialNumSz = minSz;
XMEMCPY(x509->hwSerialNum, dCert->hwSerialNum, minSz);
}
else
x509->hwSerialNumSz = 0;
} }
else
x509->deviceTypeSz = 0;
minSz = min(dCert->hwTypeSz, EXTERNAL_SERIAL_SIZE);
if (minSz > 0) {
x509->hwTypeSz = minSz;
XMEMCPY(x509->hwType, dCert->hwType, minSz);
}
else
x509->hwTypeSz = 0;
minSz = min(dCert->hwSerialNumSz, EXTERNAL_SERIAL_SIZE);
if (minSz > 0) {
x509->hwSerialNumSz = minSz;
XMEMCPY(x509->hwSerialNum, dCert->hwSerialNum, minSz);
}
else
x509->hwSerialNumSz = 0;
#endif /* WOLFSSL_SEP */ #endif /* WOLFSSL_SEP */
{
int minSz; if (dCert->beforeDateLen > 0) {
if (dCert->beforeDateLen > 0) { minSz = (int)min(dCert->beforeDate[1], MAX_DATE_SZ);
minSz = (int)min(dCert->beforeDate[1], MAX_DATE_SZ); x509->notBefore.type = dCert->beforeDate[0];
x509->notBefore.type = dCert->beforeDate[0]; x509->notBefore.length = minSz;
x509->notBefore.length = minSz; XMEMCPY(x509->notBefore.data, &dCert->beforeDate[2], minSz);
XMEMCPY(x509->notBefore.data, &dCert->beforeDate[2], minSz);
}
else
x509->notBefore.length = 0;
if (dCert->afterDateLen > 0) {
minSz = (int)min(dCert->afterDate[1], MAX_DATE_SZ);
x509->notAfter.type = dCert->afterDate[0];
x509->notAfter.length = minSz;
XMEMCPY(x509->notAfter.data, &dCert->afterDate[2], minSz);
}
else
x509->notAfter.length = 0;
} }
else
x509->notBefore.length = 0;
if (dCert->afterDateLen > 0) {
minSz = (int)min(dCert->afterDate[1], MAX_DATE_SZ);
x509->notAfter.type = dCert->afterDate[0];
x509->notAfter.length = minSz;
XMEMCPY(x509->notAfter.data, &dCert->afterDate[2], minSz);
}
else
x509->notAfter.length = 0;
if (dCert->publicKey != NULL && dCert->pubKeySize != 0) { if (dCert->publicKey != NULL && dCert->pubKeySize != 0) {
x509->pubKey.buffer = (byte*)XMALLOC( x509->pubKey.buffer = (byte*)XMALLOC(
@ -13047,7 +13044,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
ret = MEMORY_E; ret = MEMORY_E;
} }
} }
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) #ifdef WOLFSSL_ASN_CA_ISSUER
if (dCert->extAuthInfoCaIssuer != NULL && dCert->extAuthInfoCaIssuerSz > 0) { if (dCert->extAuthInfoCaIssuer != NULL && dCert->extAuthInfoCaIssuerSz > 0) {
x509->authInfoCaIssuer = (byte*)XMALLOC(dCert->extAuthInfoCaIssuerSz, x509->heap, x509->authInfoCaIssuer = (byte*)XMALLOC(dCert->extAuthInfoCaIssuerSz, x509->heap,
DYNAMIC_TYPE_X509_EXT); DYNAMIC_TYPE_X509_EXT);
@ -13133,10 +13130,10 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
#ifndef IGNORE_NETSCAPE_CERT_TYPE #ifndef IGNORE_NETSCAPE_CERT_TYPE
x509->nsCertType = dCert->nsCertType; x509->nsCertType = dCert->nsCertType;
#endif #endif
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) #ifdef WOLFSSL_SEP
x509->certPolicySet = dCert->extCertPolicySet; x509->certPolicySet = dCert->extCertPolicySet;
x509->certPolicyCrit = dCert->extCertPolicyCrit; x509->certPolicyCrit = dCert->extCertPolicyCrit;
#endif /* WOLFSSL_SEP || WOLFSSL_QT */ #endif
#ifdef WOLFSSL_CERT_EXT #ifdef WOLFSSL_CERT_EXT
{ {
int i; int i;


@ -668,8 +668,9 @@ int CheckOcspResponder(OcspResponse *bs, DecodedCert *cert, void* vp)
return ret; return ret;
} }
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
defined(WOLFSSL_APACHE_HTTPD) || defined(HAVE_LIGHTY) /* compatibility layer OCSP functions */
#ifdef OPENSSL_EXTRA
int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs, int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
WOLFSSL_OCSP_CERTID* id, int* status, int* reason, WOLFSSL_OCSP_CERTID* id, int* status, int* reason,
WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd, WOLFSSL_ASN1_TIME** revtime, WOLFSSL_ASN1_TIME** thisupd,
@ -695,10 +696,15 @@ int wolfSSL_OCSP_resp_find_status(WOLFSSL_OCSP_BASICRESP *bs,
if (status != NULL) if (status != NULL)
*status = single->status->status; *status = single->status->status;
#ifdef WOLFSSL_OCSP_PARSE_STATUS
if (thisupd != NULL) if (thisupd != NULL)
*thisupd = &single->status->thisDateParsed; *thisupd = &single->status->thisDateParsed;
if (nextupd != NULL) if (nextupd != NULL)
*nextupd = &single->status->nextDateParsed; *nextupd = &single->status->nextDateParsed;
#else
(void)thisupd;
(void)nextupd;
#endif
/* TODO: Not needed for Nginx or httpd */ /* TODO: Not needed for Nginx or httpd */
if (reason != NULL) if (reason != NULL)
@ -1191,9 +1197,7 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_CERTID_dup(WOLFSSL_OCSP_CERTID* id)
} }
return certId; return certId;
} }
#endif
#if defined(OPENSSL_ALL) || defined(APACHE_HTTPD) || defined(WOLFSSL_HAPROXY)
#ifndef NO_BIO #ifndef NO_BIO
int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out, int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out,
WOLFSSL_OCSP_REQUEST *req) WOLFSSL_OCSP_REQUEST *req)
@ -1295,7 +1299,8 @@ WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut,
return NULL; return NULL;
} }
const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(const WOLFSSL_OCSP_SINGLERESP *single) const WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_SINGLERESP_get0_id(
const WOLFSSL_OCSP_SINGLERESP *single)
{ {
return single; return single;
} }
@ -1392,9 +1397,6 @@ WOLFSSL_OCSP_SINGLERESP* wolfSSL_OCSP_resp_get0(WOLFSSL_OCSP_BASICRESP *bs, int
return single; return single;
} }
#endif /* OPENSSL_ALL || APACHE_HTTPD || WOLFSSL_HAPROXY */
#ifdef OPENSSL_EXTRA
#ifndef NO_WOLFSSL_STUB #ifndef NO_WOLFSSL_STUB
int wolfSSL_OCSP_REQUEST_add_ext(OcspRequest* req, WOLFSSL_X509_EXTENSION* ext, int wolfSSL_OCSP_REQUEST_add_ext(OcspRequest* req, WOLFSSL_X509_EXTENSION* ext,
int idx) int idx)
@ -1467,12 +1469,14 @@ int wolfSSL_OCSP_id_get0_info(WOLFSSL_ASN1_STRING **name,
#if defined(WOLFSSL_QT) || defined(WOLFSSL_HAPROXY) #if defined(WOLFSSL_QT) || defined(WOLFSSL_HAPROXY)
/* Serial number starts at 0 index of ser->data */ /* Serial number starts at 0 index of ser->data */
XMEMCPY(&ser->data[i], cid->status->serial, (size_t)cid->status->serialSz); XMEMCPY(&ser->data[i], cid->status->serial,
(size_t)cid->status->serialSz);
ser->length = cid->status->serialSz; ser->length = cid->status->serialSz;
#else #else
ser->data[i++] = ASN_INTEGER; ser->data[i++] = ASN_INTEGER;
i += SetLength(cid->status->serialSz, ser->data + i); i += SetLength(cid->status->serialSz, ser->data + i);
XMEMCPY(&ser->data[i], cid->status->serial, (size_t)cid->status->serialSz); XMEMCPY(&ser->data[i], cid->status->serial,
(size_t)cid->status->serialSz);
ser->length = i + cid->status->serialSz; ser->length = i + cid->status->serialSz;
#endif #endif


@ -22731,7 +22731,7 @@ void wolfSSL_ERR_remove_state(unsigned long id)
} }
} }
#endif /* OPENSSL_EXTRA */ #endif /* OPENSSL_EXTRA */
#ifdef OPENSSL_ALL #ifdef OPENSSL_ALL


@ -1067,7 +1067,9 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc)
case CERT_POLICY_OID: case CERT_POLICY_OID:
if (!isSet) if (!isSet)
break; break;
#ifdef WOLFSSL_SEP
ext->crit = x509->certPolicyCrit; ext->crit = x509->certPolicyCrit;
#endif
break; break;
case KEY_USAGE_OID: case KEY_USAGE_OID:
@ -2504,7 +2506,8 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
else { else {
WOLFSSL_MSG("No Cert Policy set"); WOLFSSL_MSG("No Cert Policy set");
} }
#elif defined(WOLFSSL_SEP) #endif /* WOLFSSL_CERT_EXT */
#ifdef WOLFSSL_SEP
if (x509->certPolicySet) { if (x509->certPolicySet) {
if (c != NULL) { if (c != NULL) {
*c = x509->certPolicyCrit; *c = x509->certPolicyCrit;
@ -2520,8 +2523,6 @@ void* wolfSSL_X509_get_ext_d2i(const WOLFSSL_X509* x509, int nid, int* c,
else { else {
WOLFSSL_MSG("No Cert Policy set"); WOLFSSL_MSG("No Cert Policy set");
} }
#else
WOLFSSL_MSG("wolfSSL not built with WOLFSSL_SEP or WOLFSSL_CERT_EXT");
#endif #endif
break; break;
} }
@ -3711,7 +3712,7 @@ char* wolfSSL_X509_get_next_altname(WOLFSSL_X509* cert)
} }
ret = cert->altNamesNext->name; ret = cert->altNamesNext->name;
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
/* return the IP address as a string */ /* return the IP address as a string */
if (cert->altNamesNext->type == ASN_IP_TYPE) { if (cert->altNamesNext->type == ASN_IP_TYPE) {
ret = cert->altNamesNext->ipString; ret = cert->altNamesNext->ipString;
@ -5668,9 +5669,9 @@ int wolfSSL_X509_cmp(const WOLFSSL_X509 *a, const WOLFSSL_X509 *b)
case NID_key_usage: crit = x509->keyUsageCrit; break; case NID_key_usage: crit = x509->keyUsageCrit; break;
case NID_crl_distribution_points: crit= x509->CRLdistCrit; break; case NID_crl_distribution_points: crit= x509->CRLdistCrit; break;
case NID_ext_key_usage: crit= x509->extKeyUsageCrit; break; case NID_ext_key_usage: crit= x509->extKeyUsageCrit; break;
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) #ifdef WOLFSSL_SEP
case NID_certificate_policies: crit = x509->certPolicyCrit; break; case NID_certificate_policies: crit = x509->certPolicyCrit; break;
#endif /* WOLFSSL_SEP || WOLFSSL_QT */ #endif /* WOLFSSL_SEP */
} }
} }
@ -5873,7 +5874,7 @@ static int X509PrintSubjAltName(WOLFSSL_BIO* bio, WOLFSSL_X509* x509,
break; break;
} }
} }
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
else if (entry->type == ASN_IP_TYPE) { else if (entry->type == ASN_IP_TYPE) {
len = XSNPRINTF(scratch, MAX_WIDTH, "IP Address:%s", len = XSNPRINTF(scratch, MAX_WIDTH, "IP Address:%s",
entry->ipString); entry->ipString);


@ -4268,8 +4268,8 @@ static int test_wolfSSL_CertManagerCheckOCSPResponse(void)
static int test_wolfSSL_CheckOCSPResponse(void) static int test_wolfSSL_CheckOCSPResponse(void)
{ {
EXPECT_DECLS; EXPECT_DECLS;
#if defined(HAVE_OCSP) && !defined(NO_RSA) && !defined(NO_SHA) && \ #if defined(HAVE_OCSP) && defined(OPENSSL_EXTRA) && \
defined(OPENSSL_ALL) !defined(NO_RSA) && !defined(NO_SHA)
const char* responseFile = "./certs/ocsp/test-response.der"; const char* responseFile = "./certs/ocsp/test-response.der";
const char* responseMultiFile = "./certs/ocsp/test-multi-response.der"; const char* responseMultiFile = "./certs/ocsp/test-multi-response.der";
const char* responseNoInternFile = const char* responseNoInternFile =
@ -53340,7 +53340,7 @@ static int test_wolfSSL_X509_sign(void)
ExpectIntEQ(wolfSSL_X509_add_altname(x509, ExpectIntEQ(wolfSSL_X509_add_altname(x509,
"Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch", "Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch",
ASN_DNS_TYPE), SSL_SUCCESS); ASN_DNS_TYPE), SSL_SUCCESS);
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
{ {
unsigned char ip4_type[] = {127,128,0,255}; unsigned char ip4_type[] = {127,128,0,255};
unsigned char ip6_type[] = {0xdd, 0xcc, 0xba, 0xab, unsigned char ip6_type[] = {0xdd, 0xcc, 0xba, 0xab,
@ -53373,7 +53373,7 @@ static int test_wolfSSL_X509_sign(void)
#if defined(OPENSSL_ALL) && defined(WOLFSSL_ALT_NAMES) #if defined(OPENSSL_ALL) && defined(WOLFSSL_ALT_NAMES)
ExpectIntEQ(X509_get_ext_count(x509), 1); ExpectIntEQ(X509_get_ext_count(x509), 1);
#endif #endif
#if defined(WOLFSSL_ALT_NAMES) && (defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)) #if defined(WOLFSSL_ALT_NAMES) && defined(WOLFSSL_IP_ALT_NAME)
ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.128.0.255", 0), 1); ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "127.128.0.255", 0), 1);
ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "DDCC:BAAB:FFEE:9988:7766:5544:0033:2211", 0), 1); ExpectIntEQ(wolfSSL_X509_check_ip_asc(x509, "DDCC:BAAB:FFEE:9988:7766:5544:0033:2211", 0), 1);
#endif #endif
@ -53389,7 +53389,7 @@ static int test_wolfSSL_X509_sign(void)
#ifndef WOLFSSL_ALT_NAMES #ifndef WOLFSSL_ALT_NAMES
/* Valid case - size should be 781-786 with 16 byte serial number */ /* Valid case - size should be 781-786 with 16 byte serial number */
ExpectTrue((781 + snSz <= ret) && (ret <= 781 + 5 + snSz)); ExpectTrue((781 + snSz <= ret) && (ret <= 781 + 5 + snSz));
#elif defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #elif defined(WOLFSSL_IP_ALT_NAME)
/* Valid case - size should be 955-960 with 16 byte serial number */ /* Valid case - size should be 955-960 with 16 byte serial number */
ExpectTrue((939 + snSz <= ret) && (ret <= 939 + 5 + snSz)); ExpectTrue((939 + snSz <= ret) && (ret <= 939 + 5 + snSz));
#else #else
@ -64446,7 +64446,7 @@ static int test_wolfSSL_OCSP_id_cmp(void)
static int test_wolfSSL_OCSP_SINGLERESP_get0_id(void) static int test_wolfSSL_OCSP_SINGLERESP_get0_id(void)
{ {
EXPECT_DECLS; EXPECT_DECLS;
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP) #if defined(HAVE_OCSP) && defined(OPENSSL_EXTRA)
WOLFSSL_OCSP_SINGLERESP single; WOLFSSL_OCSP_SINGLERESP single;
const WOLFSSL_OCSP_CERTID* certId; const WOLFSSL_OCSP_CERTID* certId;
@ -64463,7 +64463,8 @@ static int test_wolfSSL_OCSP_SINGLERESP_get0_id(void)
static int test_wolfSSL_OCSP_single_get0_status(void) static int test_wolfSSL_OCSP_single_get0_status(void)
{ {
EXPECT_DECLS; EXPECT_DECLS;
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP) #if defined(HAVE_OCSP) && defined(OPENSSL_EXTRA) && \
defined(WOLFSSL_OCSP_PARSE_STATUS)
WOLFSSL_OCSP_SINGLERESP single; WOLFSSL_OCSP_SINGLERESP single;
CertStatus certStatus; CertStatus certStatus;
WOLFSSL_ASN1_TIME* thisDate; WOLFSSL_ASN1_TIME* thisDate;
@ -64498,7 +64499,7 @@ static int test_wolfSSL_OCSP_single_get0_status(void)
static int test_wolfSSL_OCSP_resp_count(void) static int test_wolfSSL_OCSP_resp_count(void)
{ {
EXPECT_DECLS; EXPECT_DECLS;
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP) #if defined(HAVE_OCSP) && defined(OPENSSL_EXTRA)
WOLFSSL_OCSP_BASICRESP basicResp; WOLFSSL_OCSP_BASICRESP basicResp;
WOLFSSL_OCSP_SINGLERESP singleRespOne; WOLFSSL_OCSP_SINGLERESP singleRespOne;
WOLFSSL_OCSP_SINGLERESP singleRespTwo; WOLFSSL_OCSP_SINGLERESP singleRespTwo;
@ -64519,7 +64520,7 @@ static int test_wolfSSL_OCSP_resp_count(void)
static int test_wolfSSL_OCSP_resp_get0(void) static int test_wolfSSL_OCSP_resp_get0(void)
{ {
EXPECT_DECLS; EXPECT_DECLS;
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP) #if defined(HAVE_OCSP) && defined(OPENSSL_EXTRA)
WOLFSSL_OCSP_BASICRESP basicResp; WOLFSSL_OCSP_BASICRESP basicResp;
WOLFSSL_OCSP_SINGLERESP singleRespOne; WOLFSSL_OCSP_SINGLERESP singleRespOne;
WOLFSSL_OCSP_SINGLERESP singleRespTwo; WOLFSSL_OCSP_SINGLERESP singleRespTwo;


@ -5706,8 +5706,7 @@ int EncodeObjectId(const word16* in, word32 inSz, byte* out, word32* outSz)
} }
#endif /* HAVE_OID_ENCODING */ #endif /* HAVE_OID_ENCODING */
#if defined(HAVE_OID_DECODING) || defined(WOLFSSL_ASN_PRINT) || \ #if defined(HAVE_OID_DECODING) || defined(WOLFSSL_ASN_PRINT)
defined(OPENSSL_ALL)
/* Encode dotted form of OID into byte array version. /* Encode dotted form of OID into byte array version.
* *
* @param [in] in Byte array containing OID. * @param [in] in Byte array containing OID.
@ -5754,7 +5753,7 @@ int DecodeObjectId(const byte* in, word32 inSz, word16* out, word32* outSz)
return 0; return 0;
} }
#endif /* HAVE_OID_DECODING || WOLFSSL_ASN_PRINT || OPENSSL_ALL */ #endif /* HAVE_OID_DECODING || WOLFSSL_ASN_PRINT */
/* Decode the header of a BER/DER encoded OBJECT ID. /* Decode the header of a BER/DER encoded OBJECT ID.
* *
@ -11427,10 +11426,10 @@ void FreeAltNames(DNS_entry* altNames, void* heap)
DNS_entry* tmp = altNames->next; DNS_entry* tmp = altNames->next;
XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME); XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME);
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
XFREE(altNames->ipString, heap, DYNAMIC_TYPE_ALTNAME); XFREE(altNames->ipString, heap, DYNAMIC_TYPE_ALTNAME);
#endif #endif
#if defined(OPENSSL_ALL) #ifdef WOLFSSL_RID_ALT_NAME
XFREE(altNames->ridString, heap, DYNAMIC_TYPE_ALTNAME); XFREE(altNames->ridString, heap, DYNAMIC_TYPE_ALTNAME);
#endif #endif
XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME); XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME);
@ -11465,17 +11464,17 @@ DNS_entry* AltNameDup(DNS_entry* from, void* heap)
ret->name = CopyString(from->name, from->len, heap, DYNAMIC_TYPE_ALTNAME); ret->name = CopyString(from->name, from->len, heap, DYNAMIC_TYPE_ALTNAME);
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
ret->ipString = CopyString(from->ipString, 0, heap, DYNAMIC_TYPE_ALTNAME); ret->ipString = CopyString(from->ipString, 0, heap, DYNAMIC_TYPE_ALTNAME);
#endif #endif
#ifdef OPENSSL_ALL #ifdef WOLFSSL_RID_ALT_NAME
ret->ridString = CopyString(from->ridString, 0, heap, DYNAMIC_TYPE_ALTNAME); ret->ridString = CopyString(from->ridString, 0, heap, DYNAMIC_TYPE_ALTNAME);
#endif #endif
if (ret->name == NULL if (ret->name == NULL
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
|| (from->ipString != NULL && ret->ipString == NULL) || (from->ipString != NULL && ret->ipString == NULL)
#endif #endif
#ifdef OPENSSL_ALL #ifdef WOLFSSL_RID_ALT_NAME
|| (from->ridString != NULL && ret->ridString == NULL) || (from->ridString != NULL && ret->ridString == NULL)
#endif #endif
) { ) {
@ -13324,7 +13323,7 @@ static const byte rdnChoice[] = {
}; };
#endif #endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
/* used to set the human readable string for the IP address with a ASN_IP_TYPE /* used to set the human readable string for the IP address with a ASN_IP_TYPE
* DNS entry * DNS entry
* return 0 on success * return 0 on success
@ -13388,9 +13387,9 @@ static int GenerateDNSEntryIPString(DNS_entry* entry, void* heap)
return ret; return ret;
} }
#endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */ #endif /* WOLFSSL_IP_ALT_NAME */
#if defined(OPENSSL_ALL) #ifdef WOLFSSL_RID_ALT_NAME
/* used to set the human readable string for the registeredID with an /* used to set the human readable string for the registeredID with an
* ASN_RID_TYPE DNS entry * ASN_RID_TYPE DNS entry
* return 0 on success * return 0 on success
@ -13399,7 +13398,9 @@ static int GenerateDNSEntryRIDString(DNS_entry* entry, void* heap)
{ {
int i, j, ret = 0; int i, j, ret = 0;
int nameSz = 0; int nameSz = 0;
#if !defined(WOLFCRYPT_ONLY) && defined(OPENSSL_EXTRA)
int nid = 0; int nid = 0;
#endif
int tmpSize = MAX_OID_SZ; int tmpSize = MAX_OID_SZ;
word32 oid = 0; word32 oid = 0;
word32 idx = 0; word32 idx = 0;
@ -13419,40 +13420,46 @@ static int GenerateDNSEntryRIDString(DNS_entry* entry, void* heap)
ret = GetOID((const byte*)entry->name, &idx, &oid, oidIgnoreType, ret = GetOID((const byte*)entry->name, &idx, &oid, oidIgnoreType,
entry->len); entry->len);
if (ret == 0) {
#if !defined(WOLFCRYPT_ONLY) && defined(OPENSSL_EXTRA)
if ((nid = oid2nid(oid, oidCsrAttrType)) > 0) {
/* OID has known string value */
finalName = (char*)wolfSSL_OBJ_nid2ln(nid);
}
else
#endif
{
/* Decode OBJECT_ID into dotted form array. */
ret = DecodeObjectId((const byte*)(entry->name),(word32)entry->len,
tmpName, (word32*)&tmpSize);
if (ret == 0 && (nid = oid2nid(oid, oidCsrAttrType)) > 0) { if (ret == 0) {
/* OID has known string value */ j = 0;
finalName = (char*)wolfSSL_OBJ_nid2ln(nid); /* Append each number of dotted form. */
} for (i = 0; i < tmpSize; i++) {
else { if (j >= MAX_OID_SZ) {
/* Decode OBJECT_ID into dotted form array. */ return BUFFER_E;
ret = DecodeObjectId((const byte*)(entry->name),(word32)entry->len, }
tmpName, (word32*)&tmpSize);
if (ret == 0) { if (i < tmpSize - 1) {
j = 0; ret = XSNPRINTF(oidName + j, MAX_OID_SZ - j, "%d.",
/* Append each number of dotted form. */ tmpName[i]);
for (i = 0; i < tmpSize; i++) { }
if (j >= MAX_OID_SZ) { else {
return BUFFER_E; ret = XSNPRINTF(oidName + j, MAX_OID_SZ - j, "%d",
} tmpName[i]);
}
if (i < tmpSize - 1) { if (ret >= 0) {
ret = XSNPRINTF(oidName + j, MAX_OID_SZ - j, "%d.", tmpName[i]); j += ret;
} }
else { else {
ret = XSNPRINTF(oidName + j, MAX_OID_SZ - j, "%d", tmpName[i]); return BUFFER_E;
} }
if (ret >= 0) {
j += ret;
}
else {
return BUFFER_E;
} }
ret = 0;
finalName = oidName;
} }
ret = 0;
finalName = oidName;
} }
} }
@ -13473,7 +13480,7 @@ static int GenerateDNSEntryRIDString(DNS_entry* entry, void* heap)
return ret; return ret;
} }
#endif /* OPENSSL_ALL && WOLFSSL_ASN_TEMPLATE */ #endif /* WOLFSSL_RID_ALT_NAME */
#ifdef WOLFSSL_ASN_TEMPLATE #ifdef WOLFSSL_ASN_TEMPLATE
@ -13553,29 +13560,29 @@ static int SetDNSEntry(DecodedCert* cert, const char* str, int strLen,
XMEMCPY(dnsEntry->name, str, (size_t)strLen); XMEMCPY(dnsEntry->name, str, (size_t)strLen);
dnsEntry->name[strLen] = '\0'; dnsEntry->name[strLen] = '\0';
#if defined(OPENSSL_ALL) #ifdef WOLFSSL_RID_ALT_NAME
/* store registeredID as a string */ /* store registeredID as a string */
if (type == ASN_RID_TYPE) { if (type == ASN_RID_TYPE) {
if ((ret = GenerateDNSEntryRIDString(dnsEntry, cert->heap)) != 0) { ret = GenerateDNSEntryRIDString(dnsEntry, cert->heap);
XFREE(dnsEntry->name, cert->heap, DYNAMIC_TYPE_ALTNAME);
XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
}
} }
#endif #endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
/* store IP addresses as a string */ /* store IP addresses as a string */
if (type == ASN_IP_TYPE) { if (type == ASN_IP_TYPE) {
if ((ret = GenerateDNSEntryIPString(dnsEntry, cert->heap)) != 0) { ret = GenerateDNSEntryIPString(dnsEntry, cert->heap);
XFREE(dnsEntry->name, cert->heap, DYNAMIC_TYPE_ALTNAME);
XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
}
} }
#endif
} }
if (ret == 0) { if (ret == 0) {
#endif
ret = AddDNSEntryToList(entries, dnsEntry); ret = AddDNSEntryToList(entries, dnsEntry);
} }
/* failure cleanup */
if (ret != 0 && dnsEntry != NULL) {
XFREE(dnsEntry->name, cert->heap, DYNAMIC_TYPE_ALTNAME);
XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME);
}
return ret; return ret;
} }
#endif #endif
@ -14506,7 +14513,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \ #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
!defined(WOLFCRYPT_ONLY) !defined(WOLFCRYPT_ONLY)
if (nameType == ASN_ISSUER) { if (nameType == ASN_ISSUER) {
#if (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) && \ #if (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) &&\
(defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT)) (defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT))
dName->rawLen = min(cert->issuerRawLen, WC_ASN_NAME_MAX); dName->rawLen = min(cert->issuerRawLen, WC_ASN_NAME_MAX);
XMEMCPY(dName->raw, cert->issuerRaw, dName->rawLen); XMEMCPY(dName->raw, cert->issuerRaw, dName->rawLen);
@ -14907,8 +14914,7 @@ int ExtractDate(const unsigned char* date, unsigned char format,
} }
#if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \ #ifdef WOLFSSL_ASN_TIME_STRING
defined(OPENSSL_EXTRA) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
int GetTimeString(byte* date, int format, char* buf, int len) int GetTimeString(byte* date, int format, char* buf, int len)
{ {
struct tm t; struct tm t;
@ -14954,8 +14960,7 @@ int GetTimeString(byte* date, int format, char* buf, int len)
return 1; return 1;
} }
#endif /* OPENSSL_ALL || WOLFSSL_MYSQL_COMPATIBLE || #endif /* WOLFSSL_ASN_TIME_STRING */
* OPENSSL_EXTRA || WOLFSSL_NGINX || WOLFSSL_HAPROXY */
/* Check time struct for valid values. Returns 0 for success */ /* Check time struct for valid values. Returns 0 for success */
static int ValidateGmtime(struct tm* inTime) static int ValidateGmtime(struct tm* inTime)
@ -18040,7 +18045,9 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
#ifndef WOLFSSL_ASN_TEMPLATE #ifndef WOLFSSL_ASN_TEMPLATE
static void AddAltName(DecodedCert* cert, DNS_entry* dnsEntry) static void AddAltName(DecodedCert* cert, DNS_entry* dnsEntry)
{ {
#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_ALT_NAMES_NO_REV) #if (defined(WOLFSSL_ASN_ALL) || defined(OPENSSL_EXTRA)) && \
!defined(WOLFSSL_ALT_NAMES_NO_REV)
/* logic to add alt name to end of list */
dnsEntry->next = NULL; dnsEntry->next = NULL;
if (cert->altNames == NULL) { if (cert->altNames == NULL) {
/* First on list */ /* First on list */
@ -18335,8 +18342,7 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
idx += (word32)len; idx += (word32)len;
} }
} }
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || \ #ifdef WOLFSSL_IP_ALT_NAME
defined(WOLFSSL_IP_ALT_NAME)
/* GeneralName choice: iPAddress */ /* GeneralName choice: iPAddress */
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_IP_TYPE)) { else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_IP_TYPE)) {
ret = SetDNSEntry(cert, (const char*)(input + idx), len, ASN_IP_TYPE, ret = SetDNSEntry(cert, (const char*)(input + idx), len, ASN_IP_TYPE,
@ -18345,9 +18351,8 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
idx += (word32)len; idx += (word32)len;
} }
} }
#endif /* WOLFSSL_QT || OPENSSL_ALL */ #endif /* WOLFSSL_IP_ALT_NAME */
#ifdef WOLFSSL_RID_ALT_NAME
#ifdef OPENSSL_ALL
/* GeneralName choice: registeredID */ /* GeneralName choice: registeredID */
else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RID_TYPE)) { else if (tag == (ASN_CONTEXT_SPECIFIC | ASN_RID_TYPE)) {
ret = SetDNSEntry(cert, (const char*)(input + idx), len, ret = SetDNSEntry(cert, (const char*)(input + idx), len,
@ -18356,7 +18361,7 @@ static int DecodeGeneralName(const byte* input, word32* inOutIdx, byte tag,
idx += (word32)len; idx += (word32)len;
} }
} }
#endif #endif /* WOLFSSL_RID_ALT_NAME */
#endif /* IGNORE_NAME_CONSTRAINTS */ #endif /* IGNORE_NAME_CONSTRAINTS */
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_FPKI) #if defined(WOLFSSL_SEP) || defined(WOLFSSL_FPKI)
/* GeneralName choice: otherName */ /* GeneralName choice: otherName */
@ -18833,7 +18838,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
length -= strLen; length -= strLen;
idx += (word32)strLen; idx += (word32)strLen;
} }
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
else if (current_byte == (ASN_CONTEXT_SPECIFIC | ASN_IP_TYPE)) { else if (current_byte == (ASN_CONTEXT_SPECIFIC | ASN_IP_TYPE)) {
DNS_entry* ipAddr; DNS_entry* ipAddr;
int strLen; int strLen;
@ -18868,21 +18873,19 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
XMEMCPY(ipAddr->name, &input[idx], strLen); XMEMCPY(ipAddr->name, &input[idx], strLen);
ipAddr->name[strLen] = '\0'; ipAddr->name[strLen] = '\0';
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
if (GenerateDNSEntryIPString(ipAddr, cert->heap) != 0) { if (GenerateDNSEntryIPString(ipAddr, cert->heap) != 0) {
WOLFSSL_MSG("\tOut of Memory for IP string"); WOLFSSL_MSG("\tOut of Memory for IP string");
XFREE(ipAddr->name, cert->heap, DYNAMIC_TYPE_ALTNAME); XFREE(ipAddr->name, cert->heap, DYNAMIC_TYPE_ALTNAME);
XFREE(ipAddr, cert->heap, DYNAMIC_TYPE_ALTNAME); XFREE(ipAddr, cert->heap, DYNAMIC_TYPE_ALTNAME);
return MEMORY_E; return MEMORY_E;
} }
#endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
AddAltName(cert, ipAddr); AddAltName(cert, ipAddr);
length -= strLen; length -= strLen;
idx += (word32)strLen; idx += (word32)strLen;
} }
#endif /* WOLFSSL_QT || OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */ #endif /* WOLFSSL_IP_ALT_NAME */
#if defined(OPENSSL_ALL) #ifdef WOLFSSL_RID_ALT_NAME
else if (current_byte == (ASN_CONTEXT_SPECIFIC | ASN_RID_TYPE)) { else if (current_byte == (ASN_CONTEXT_SPECIFIC | ASN_RID_TYPE)) {
DNS_entry* rid; DNS_entry* rid;
int strLen; int strLen;
@ -18929,7 +18932,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert)
length -= strLen; length -= strLen;
idx += (word32)strLen; idx += (word32)strLen;
} }
#endif /* OPENSSL_ALL */ #endif /* WOLFSSL_RID_ALT_NAME */
#endif /* IGNORE_NAME_CONSTRAINTS */ #endif /* IGNORE_NAME_CONSTRAINTS */
else if (current_byte == else if (current_byte ==
(ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE)) { (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | ASN_OTHER_TYPE)) {
@ -19531,15 +19534,11 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
/* Set ocsp entry */ /* Set ocsp entry */
if (b == GENERALNAME_URI && oid == AIA_OCSP_OID && if (b == GENERALNAME_URI && oid == AIA_OCSP_OID &&
cert->extAuthInfo == NULL) cert->extAuthInfo == NULL) {
{
cert->extAuthInfoSz = length; cert->extAuthInfoSz = length;
cert->extAuthInfo = input + idx; cert->extAuthInfo = input + idx;
#if !defined(OPENSSL_ALL) && !defined(WOLFSSL_QT)
break;
#endif
} }
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) #ifdef WOLFSSL_ASN_CA_ISSUER
/* Set CaIssuers entry */ /* Set CaIssuers entry */
else if ((b == GENERALNAME_URI) && oid == AIA_CA_ISSUER_OID && else if ((b == GENERALNAME_URI) && oid == AIA_CA_ISSUER_OID &&
cert->extAuthInfoCaIssuer == NULL) cert->extAuthInfoCaIssuer == NULL)
@ -19547,7 +19546,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
cert->extAuthInfoCaIssuerSz = length; cert->extAuthInfoCaIssuerSz = length;
cert->extAuthInfoCaIssuer = input + idx; cert->extAuthInfoCaIssuer = input + idx;
} }
#endif #endif
idx += (word32)length; idx += (word32)length;
} }
@ -19585,11 +19584,8 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC], GetASN_GetConstRef(&dataASN[ACCESSDESCASN_IDX_LOC],
&cert->extAuthInfo, &sz32); &cert->extAuthInfo, &sz32);
cert->extAuthInfoSz = (int)sz32; cert->extAuthInfoSz = (int)sz32;
#if !defined(OPENSSL_ALL) && !defined(WOLFSSL_QT)
break;
#endif
} }
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) #ifdef WOLFSSL_ASN_CA_ISSUER
/* Check we have CA Issuer and URI. */ /* Check we have CA Issuer and URI. */
else if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum == else if ((dataASN[ACCESSDESCASN_IDX_METH].data.oid.sum ==
AIA_CA_ISSUER_OID) && AIA_CA_ISSUER_OID) &&
@ -19600,7 +19596,7 @@ static int DecodeAuthInfo(const byte* input, word32 sz, DecodedCert* cert)
&cert->extAuthInfoCaIssuer, &sz32); &cert->extAuthInfoCaIssuer, &sz32);
cert->extAuthInfoCaIssuerSz = (int)sz32; cert->extAuthInfoCaIssuerSz = (int)sz32;
} }
#endif #endif
/* Otherwise skip. */ /* Otherwise skip. */
} }
} }
@ -20416,8 +20412,7 @@ static int DecodeNameConstraints(const byte* input, word32 sz,
} }
#endif /* IGNORE_NAME_CONSTRAINTS */ #endif /* IGNORE_NAME_CONSTRAINTS */
#if (defined(WOLFSSL_CERT_EXT) && !defined(WOLFSSL_SEP)) || \ #ifdef WOLFSSL_CERT_EXT
defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
/* Decode ITU-T X.690 OID format to a string representation /* Decode ITU-T X.690 OID format to a string representation
* return string length */ * return string length */
@ -20469,10 +20464,10 @@ int DecodePolicyOID(char *out, word32 outSz, const byte *in, word32 inSz)
exit: exit:
return w; return w;
} }
#endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */ #endif /* WOLFSSL_CERT_EXT */
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_QT) #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
#ifdef WOLFSSL_ASN_TEMPLATE #ifdef WOLFSSL_ASN_TEMPLATE
/* ASN.1 template for PolicyInformation. /* ASN.1 template for PolicyInformation.
* X.509: RFC 5280, 4.2.1.4 - Certificate Policies. * X.509: RFC 5280, 4.2.1.4 - Certificate Policies.
*/ */
@ -20491,230 +20486,221 @@ exit:
/* Number of items in ASN.1 template for PolicyInformation. */ /* Number of items in ASN.1 template for PolicyInformation. */
#define policyInfoASN_Length (sizeof(policyInfoASN) / sizeof(ASNItem)) #define policyInfoASN_Length (sizeof(policyInfoASN) / sizeof(ASNItem))
#endif #endif
/* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */ /* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */
static int DecodeCertPolicy(const byte* input, word32 sz, DecodedCert* cert) static int DecodeCertPolicy(const byte* input, word32 sz, DecodedCert* cert)
{ {
#ifndef WOLFSSL_ASN_TEMPLATE #ifndef WOLFSSL_ASN_TEMPLATE
word32 idx = 0; word32 idx = 0;
word32 oldIdx; word32 oldIdx;
int policy_length = 0; int policy_length = 0;
int ret; int ret;
int total_length = 0; int total_length = 0;
#if !defined(WOLFSSL_SEP) && defined(WOLFSSL_CERT_EXT) && \ #if defined(WOLFSSL_CERT_EXT) && !defined(WOLFSSL_DUP_CERTPOL)
!defined(WOLFSSL_DUP_CERTPOL) int i;
int i; #endif
#endif
WOLFSSL_ENTER("DecodeCertPolicy"); WOLFSSL_ENTER("DecodeCertPolicy");
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) /* Check if cert is null before dereferencing below */
/* Check if cert is null before dereferencing below */ if (cert == NULL)
if (cert == NULL) return BAD_FUNC_ARG;
return BAD_FUNC_ARG;
#else
(void)cert;
#endif
#if defined(WOLFSSL_CERT_EXT) #if defined(WOLFSSL_CERT_EXT)
cert->extCertPoliciesNb = 0; cert->extCertPoliciesNb = 0;
#endif #endif
if (GetSequence(input, &idx, &total_length, sz) < 0) { if (GetSequence(input, &idx, &total_length, sz) < 0) {
WOLFSSL_MSG("\tGet CertPolicy total seq failed"); WOLFSSL_MSG("\tGet CertPolicy total seq failed");
return ASN_PARSE_E;
}
/* Validate total length */
if (total_length > (int)(sz - idx)) {
WOLFSSL_MSG("\tCertPolicy length mismatch");
return ASN_PARSE_E;
}
/* Unwrap certificatePolicies */
do {
int length = 0;
if (GetSequence(input, &idx, &policy_length, sz) < 0) {
WOLFSSL_MSG("\tGet CertPolicy seq failed");
return ASN_PARSE_E; return ASN_PARSE_E;
} }
/* Validate total length */ oldIdx = idx;
if (total_length > (int)(sz - idx)) { ret = GetASNObjectId(input, &idx, &length, sz);
WOLFSSL_MSG("\tCertPolicy length mismatch"); if (ret != 0)
return ASN_PARSE_E; return ret;
} policy_length -= (int)(idx - oldIdx);
/* Unwrap certificatePolicies */ if (length > 0) {
do { /* Verify length won't overrun buffer */
int length = 0; if (length > (int)(sz - idx)) {
WOLFSSL_MSG("\tCertPolicy length exceeds input buffer");
if (GetSequence(input, &idx, &policy_length, sz) < 0) {
WOLFSSL_MSG("\tGet CertPolicy seq failed");
return ASN_PARSE_E; return ASN_PARSE_E;
} }
oldIdx = idx; #ifdef WOLFSSL_SEP
ret = GetASNObjectId(input, &idx, &length, sz); if (cert->deviceType == NULL) {
if (ret != 0)
return ret;
policy_length -= (int)(idx - oldIdx);
if (length > 0) {
/* Verify length won't overrun buffer */
if (length > (int)(sz - idx)) {
WOLFSSL_MSG("\tCertPolicy length exceeds input buffer");
return ASN_PARSE_E;
}
#if defined(WOLFSSL_SEP)
cert->deviceType = (byte*)XMALLOC((size_t)length, cert->heap, cert->deviceType = (byte*)XMALLOC((size_t)length, cert->heap,
DYNAMIC_TYPE_X509_EXT); DYNAMIC_TYPE_X509_EXT);
if (cert->deviceType == NULL) { if (cert->deviceType == NULL) {
WOLFSSL_MSG("\tCouldn't alloc memory for deviceType"); WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
return MEMORY_E; return MEMORY_E;
} }
cert->deviceTypeSz = length; cert->deviceTypeSz = length;
XMEMCPY(cert->deviceType, input + idx, (size_t)length); XMEMCPY(cert->deviceType, input + idx, (size_t)length);
break;
#elif defined(WOLFSSL_CERT_EXT)
/* decode cert policy */
if (DecodePolicyOID(cert->extCertPolicies[
cert->extCertPoliciesNb], MAX_CERTPOL_SZ,
input + idx, length) <= 0) {
WOLFSSL_MSG("\tCouldn't decode CertPolicy");
WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E);
return ASN_PARSE_E;
}
#ifndef WOLFSSL_DUP_CERTPOL
/* From RFC 5280 section 4.2.1.4 "A certificate policy OID MUST
* NOT appear more than once in a certificate policies
* extension". This is a sanity check for duplicates.
* extCertPolicies should only have OID values, additional
* qualifiers need to be stored in a separate array. */
for (i = 0; i < cert->extCertPoliciesNb; i++) {
if (XMEMCMP(cert->extCertPolicies[i],
cert->extCertPolicies[cert->extCertPoliciesNb],
MAX_CERTPOL_SZ) == 0) {
WOLFSSL_MSG("Duplicate policy OIDs not allowed");
WOLFSSL_MSG("Use WOLFSSL_DUP_CERTPOL if wanted");
WOLFSSL_ERROR_VERBOSE(CERTPOLICIES_E);
return CERTPOLICIES_E;
}
}
#endif /* !WOLFSSL_DUP_CERTPOL */
cert->extCertPoliciesNb++;
#else
WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
return 0;
#endif
} }
idx += (word32)policy_length;
} while((int)idx < total_length
#if defined(WOLFSSL_CERT_EXT)
&& cert->extCertPoliciesNb < MAX_CERTPOL_NB
#endif
);
WOLFSSL_LEAVE("DecodeCertPolicy", 0);
return 0;
#else /* WOLFSSL_ASN_TEMPLATE */
word32 idx = 0;
int ret = 0;
int total_length = 0;
#if !defined(WOLFSSL_SEP) && defined(WOLFSSL_CERT_EXT) && \
!defined(WOLFSSL_DUP_CERTPOL)
int i;
#endif #endif
WOLFSSL_ENTER("DecodeCertPolicy"); #ifdef WOLFSSL_CERT_EXT
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) /* decode cert policy */
/* Check if cert is null before dereferencing below */ if (DecodePolicyOID(cert->extCertPolicies[
if (cert == NULL) cert->extCertPoliciesNb], MAX_CERTPOL_SZ,
ret = BAD_FUNC_ARG; input + idx, length) <= 0) {
#endif WOLFSSL_MSG("\tCouldn't decode CertPolicy");
WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E);
if (ret == 0) { return ASN_PARSE_E;
#if defined(WOLFSSL_CERT_EXT)
cert->extCertPoliciesNb = 0;
#endif
/* Strip SEQUENCE OF and check using all data. */
if (GetASN_Sequence(input, &idx, &total_length, (word32)sz, 1) < 0)
{
ret = ASN_PARSE_E;
} }
} #ifndef WOLFSSL_DUP_CERTPOL
/* Unwrap certificatePolicies */
while ((ret == 0) && ((int)idx < total_length)
#if defined(WOLFSSL_CERT_EXT)
&& (cert->extCertPoliciesNb < MAX_CERTPOL_NB)
#endif
) {
ASNGetData dataASN[policyInfoASN_Length];
byte* data = NULL;
word32 length = 0;
/* Clear dynamic data and check OID is a cert policy type. */
XMEMSET(dataASN, 0, sizeof(dataASN));
GetASN_OID(&dataASN[POLICYINFOASN_IDX_ID], oidCertPolicyType);
ret = GetASN_Items(policyInfoASN, dataASN, policyInfoASN_Length, 1,
input, &idx, (word32)sz);
if (ret == 0) {
/* Get the OID. */
GetASN_OIDData(&dataASN[POLICYINFOASN_IDX_ID], &data, &length);
if (length == 0) {
ret = ASN_PARSE_E;
}
}
#if defined(WOLFSSL_SEP)
/* Store OID in device type. */
if (ret == 0) {
cert->deviceType = (byte*)XMALLOC(length, cert->heap,
DYNAMIC_TYPE_X509_EXT);
if (cert->deviceType == NULL) {
WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
ret = MEMORY_E;
}
}
if (ret == 0) {
/* Store device type data and length. */
cert->deviceTypeSz = (int)length;
XMEMCPY(cert->deviceType, data, length);
break;
}
#elif defined(WOLFSSL_CERT_EXT)
if (ret == 0) {
/* Decode cert policy. */
if (DecodePolicyOID(
cert->extCertPolicies[cert->extCertPoliciesNb],
MAX_CERTPOL_SZ, data, length) <= 0) {
WOLFSSL_MSG("\tCouldn't decode CertPolicy");
WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E);
ret = ASN_PARSE_E;
}
}
#ifndef WOLFSSL_DUP_CERTPOL
/* From RFC 5280 section 4.2.1.4 "A certificate policy OID MUST /* From RFC 5280 section 4.2.1.4 "A certificate policy OID MUST
* NOT appear more than once in a certificate policies * NOT appear more than once in a certificate policies
* extension". This is a sanity check for duplicates. * extension". This is a sanity check for duplicates.
* extCertPolicies should only have OID values, additional * extCertPolicies should only have OID values, additional
* qualifiers need to be stored in a separate array. */ * qualifiers need to be stored in a separate array. */
for (i = 0; (ret == 0) && (i < cert->extCertPoliciesNb); i++) { for (i = 0; i < cert->extCertPoliciesNb; i++) {
if (XMEMCMP(cert->extCertPolicies[i], if (XMEMCMP(cert->extCertPolicies[i],
cert->extCertPolicies[cert->extCertPoliciesNb], cert->extCertPolicies[cert->extCertPoliciesNb],
MAX_CERTPOL_SZ) == 0) { MAX_CERTPOL_SZ) == 0) {
WOLFSSL_MSG("Duplicate policy OIDs not allowed"); WOLFSSL_MSG("Duplicate policy OIDs not allowed");
WOLFSSL_MSG("Use WOLFSSL_DUP_CERTPOL if wanted"); WOLFSSL_MSG("Use WOLFSSL_DUP_CERTPOL if wanted");
WOLFSSL_ERROR_VERBOSE(CERTPOLICIES_E); WOLFSSL_ERROR_VERBOSE(CERTPOLICIES_E);
ret = CERTPOLICIES_E; return CERTPOLICIES_E;
} }
} }
#endif /* !defined(WOLFSSL_DUP_CERTPOL) */ #endif /* !WOLFSSL_DUP_CERTPOL */
if (ret == 0) { cert->extCertPoliciesNb++;
/* Keep count of policies seen. */ #endif
cert->extCertPoliciesNb++;
}
#else
(void)data;
WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
break;
#endif
} }
idx += (word32)policy_length;
} while((int)idx < total_length
#ifdef WOLFSSL_CERT_EXT
&& cert->extCertPoliciesNb < MAX_CERTPOL_NB
#endif
);
WOLFSSL_LEAVE("DecodeCertPolicy", 0); WOLFSSL_LEAVE("DecodeCertPolicy", 0);
return ret; return 0;
#endif /* WOLFSSL_ASN_TEMPLATE */ #else /* WOLFSSL_ASN_TEMPLATE */
word32 idx = 0;
int ret = 0;
int total_length = 0;
#if defined(WOLFSSL_CERT_EXT) && !defined(WOLFSSL_DUP_CERTPOL)
int i;
#endif
WOLFSSL_ENTER("DecodeCertPolicy");
/* Check if cert is null before dereferencing below */
if (cert == NULL) {
ret = BAD_FUNC_ARG;
} }
#endif /* WOLFSSL_SEP */
if (ret == 0) {
#if defined(WOLFSSL_CERT_EXT)
cert->extCertPoliciesNb = 0;
#endif
/* Strip SEQUENCE OF and check using all data. */
if (GetASN_Sequence(input, &idx, &total_length, (word32)sz, 1) < 0)
{
ret = ASN_PARSE_E;
}
}
/* Unwrap certificatePolicies */
while ((ret == 0) && ((int)idx < total_length)
#if defined(WOLFSSL_CERT_EXT)
&& (cert->extCertPoliciesNb < MAX_CERTPOL_NB)
#endif
) {
ASNGetData dataASN[policyInfoASN_Length];
byte* data = NULL;
word32 length = 0;
/* Clear dynamic data and check OID is a cert policy type. */
XMEMSET(dataASN, 0, sizeof(dataASN));
GetASN_OID(&dataASN[POLICYINFOASN_IDX_ID], oidCertPolicyType);
ret = GetASN_Items(policyInfoASN, dataASN, policyInfoASN_Length, 1,
input, &idx, (word32)sz);
if (ret == 0) {
/* Get the OID. */
GetASN_OIDData(&dataASN[POLICYINFOASN_IDX_ID], &data, &length);
if (length == 0) {
ret = ASN_PARSE_E;
}
}
#ifdef WOLFSSL_SEP
/* Store OID in device type. */
if (ret == 0 && cert->deviceType == NULL) {
cert->deviceType = (byte*)XMALLOC(length, cert->heap,
DYNAMIC_TYPE_X509_EXT);
if (cert->deviceType != NULL) {
/* Store device type data and length. */
cert->deviceTypeSz = (int)length;
XMEMCPY(cert->deviceType, data, length);
}
else {
WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
ret = MEMORY_E;
}
}
#endif /* WOLFSSL_SEP */
#ifdef WOLFSSL_CERT_EXT
if (ret == 0) {
/* Decode cert policy. */
if (DecodePolicyOID(
cert->extCertPolicies[cert->extCertPoliciesNb],
MAX_CERTPOL_SZ, data, length) <= 0) {
WOLFSSL_MSG("\tCouldn't decode CertPolicy");
WOLFSSL_ERROR_VERBOSE(ASN_PARSE_E);
ret = ASN_PARSE_E;
}
}
#ifndef WOLFSSL_DUP_CERTPOL
/* From RFC 5280 section 4.2.1.4 "A certificate policy OID MUST
* NOT appear more than once in a certificate policies
* extension". This is a sanity check for duplicates.
* extCertPolicies should only have OID values, additional
* qualifiers need to be stored in a separate array. */
for (i = 0; (ret == 0) && (i < cert->extCertPoliciesNb); i++) {
if (XMEMCMP(cert->extCertPolicies[i],
cert->extCertPolicies[cert->extCertPoliciesNb],
MAX_CERTPOL_SZ) == 0) {
WOLFSSL_MSG("Duplicate policy OIDs not allowed");
WOLFSSL_MSG("Use WOLFSSL_DUP_CERTPOL if wanted");
WOLFSSL_ERROR_VERBOSE(CERTPOLICIES_E);
ret = CERTPOLICIES_E;
}
}
#endif /* !WOLFSSL_DUP_CERTPOL */
if (ret == 0) {
/* Keep count of policies seen. */
cert->extCertPoliciesNb++;
}
#endif /* WOLFSSL_CERT_EXT */
}
WOLFSSL_LEAVE("DecodeCertPolicy", 0);
return ret;
#endif /* WOLFSSL_ASN_TEMPLATE */
}
#endif /* WOLFSSL_SEP || WOLFSSL_CERT_EXT */
#ifdef WOLFSSL_SUBJ_DIR_ATTR #ifdef WOLFSSL_SUBJ_DIR_ATTR
#ifdef WOLFSSL_ASN_TEMPLATE #ifdef WOLFSSL_ASN_TEMPLATE
@ -21244,15 +21230,11 @@ static int DecodeExtensionType(const byte* input, word32 length, word32 oid,
/* Certificate policies. */ /* Certificate policies. */
case CERT_POLICY_OID: case CERT_POLICY_OID:
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) #ifdef WOLFSSL_SEP
VERIFY_AND_SET_OID(cert->extCertPolicySet); VERIFY_AND_SET_OID(cert->extCertPolicySet);
#if defined(OPENSSL_EXTRA) || \ cert->extCertPolicyCrit = critical ? 1 : 0;
defined(OPENSSL_EXTRA_X509_SMALL)
cert->extCertPolicyCrit = critical ? 1 : 0;
#endif
#endif #endif
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT) || \ #if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
defined(WOLFSSL_QT)
if (DecodeCertPolicy(input, length, cert) < 0) { if (DecodeCertPolicy(input, length, cert) < 0) {
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
} }
@ -24121,7 +24103,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm, Signer
/* If you end up here with error -188, /* If you end up here with error -188,
* consider using WOLFSSL_ALT_CERT_CHAINS. */ * consider using WOLFSSL_ALT_CERT_CHAINS. */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
/* ret needs to be self-signer error for Qt compat */ /* ret needs to be self-signer error for openssl compatibility */
if (cert->selfSigned) { if (cert->selfSigned) {
WOLFSSL_ERROR_VERBOSE(ASN_SELF_SIGNED_E); WOLFSSL_ERROR_VERBOSE(ASN_SELF_SIGNED_E);
return ASN_SELF_SIGNED_E; return ASN_SELF_SIGNED_E;
@ -28140,8 +28122,7 @@ int wc_EncodeNameCanonical(EncodedName* name, const char* nameStr,
} }
#endif /* WOLFSSL_CERT_GEN || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #endif /* WOLFSSL_CERT_GEN || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
#if (defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)) || \ #ifdef WOLFSSL_ASN_PARSE_KEYUSAGE
(defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA))
/* Convert key usage string (comma delimited, null terminated) to word16 /* Convert key usage string (comma delimited, null terminated) to word16
* Returns 0 on success, negative on error */ * Returns 0 on success, negative on error */
@ -28264,7 +28245,7 @@ int ParseExtKeyUsageStr(const char* value, byte* extKeyUsage, void* heap)
return ret; return ret;
} }
#endif /* (CERT_GEN && CERT_EXT) || (OPENSSL_ALL || OPENSSL_EXTRA) */ #endif /* WOLFSSL_ASN_PARSE_KEYUSAGE */
#ifdef WOLFSSL_CERT_GEN #ifdef WOLFSSL_CERT_GEN
/* Encodes one attribute of the name (issuer/subject) /* Encodes one attribute of the name (issuer/subject)
@ -35899,7 +35880,7 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
if (idx >= size) if (idx >= size)
return BUFFER_E; return BUFFER_E;
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) #ifdef WOLFSSL_OCSP_PARSE_STATUS
single->status->thisDateAsn = source + idx; single->status->thisDateAsn = source + idx;
localIdx = 0; localIdx = 0;
if (GetDateInfo(single->status->thisDateAsn, &localIdx, NULL, if (GetDateInfo(single->status->thisDateAsn, &localIdx, NULL,
@ -35935,7 +35916,7 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
idx++; idx++;
if (GetLength(source, &idx, &length, size) < 0) if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) #ifdef WOLFSSL_OCSP_PARSE_STATUS
single->status->nextDateAsn = source + idx; single->status->nextDateAsn = source + idx;
localIdx = 0; localIdx = 0;
if (GetDateInfo(single->status->nextDateAsn, &localIdx, NULL, if (GetDateInfo(single->status->nextDateAsn, &localIdx, NULL,
@ -36071,8 +36052,7 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
} }
if (ret == 0) { if (ret == 0) {
#endif #endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ #ifdef WOLFSSL_OCSP_PARSE_STATUS
defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY)
/* Store ASN.1 version of thisDate. */ /* Store ASN.1 version of thisDate. */
cs->thisDateAsn = GetASNItem_Addr( cs->thisDateAsn = GetASNItem_Addr(
dataASN[SINGLERESPONSEASN_IDX_THISUPDATE_GT], source); dataASN[SINGLERESPONSEASN_IDX_THISUPDATE_GT], source);
@ -36095,8 +36075,7 @@ static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size,
if ((ret == 0) && if ((ret == 0) &&
(dataASN[SINGLERESPONSEASN_IDX_NEXTUPDATE_GT].tag != 0)) { (dataASN[SINGLERESPONSEASN_IDX_NEXTUPDATE_GT].tag != 0)) {
#endif #endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ #ifdef WOLFSSL_OCSP_PARSE_STATUS
defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY)
/* Store ASN.1 version of thisDate. */ /* Store ASN.1 version of thisDate. */
cs->nextDateAsn = GetASNItem_Addr( cs->nextDateAsn = GetASNItem_Addr(
dataASN[SINGLERESPONSEASN_IDX_NEXTUPDATE_GT], source); dataASN[SINGLERESPONSEASN_IDX_NEXTUPDATE_GT], source);
@ -37521,9 +37500,7 @@ void FreeOcspRequest(OcspRequest* req)
XFREE(req->url, req->heap, DYNAMIC_TYPE_OCSP_REQUEST); XFREE(req->url, req->heap, DYNAMIC_TYPE_OCSP_REQUEST);
req->url = NULL; req->url = NULL;
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ #ifdef OPENSSL_EXTRA
defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \
defined(HAVE_LIGHTY)
if (req->cid != NULL) if (req->cid != NULL)
wolfSSL_OCSP_CERTID_free((WOLFSSL_OCSP_CERTID*)req->cid); wolfSSL_OCSP_CERTID_free((WOLFSSL_OCSP_CERTID*)req->cid);
req->cid = NULL; req->cid = NULL;


@ -5176,13 +5176,9 @@ struct WOLFSSL_X509 {
byte hwType[EXTERNAL_SERIAL_SIZE]; byte hwType[EXTERNAL_SERIAL_SIZE];
int hwSerialNumSz; int hwSerialNumSz;
byte hwSerialNum[EXTERNAL_SERIAL_SIZE]; byte hwSerialNum[EXTERNAL_SERIAL_SIZE];
#endif /* WOLFSSL_SEP */
#if (defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || \
defined (OPENSSL_EXTRA)) && \
(defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL))
byte certPolicySet; byte certPolicySet;
byte certPolicyCrit; byte certPolicyCrit;
#endif /* (WOLFSSL_SEP || WOLFSSL_QT) && (OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL) */ #endif /* WOLFSSL_SEP */
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) #if defined(WOLFSSL_QT) || defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)
WOLFSSL_STACK* ext_sk; /* Store X509_EXTENSIONS from wolfSSL_X509_get_ext */ WOLFSSL_STACK* ext_sk; /* Store X509_EXTENSIONS from wolfSSL_X509_get_ext */
WOLFSSL_STACK* ext_sk_full; /* Store X509_EXTENSIONS from wolfSSL_X509_get0_extensions */ WOLFSSL_STACK* ext_sk_full; /* Store X509_EXTENSIONS from wolfSSL_X509_get0_extensions */
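Review bot: certPolicySet and certPolicyCrit in WOLFSSL_X509 are now declared only under WOLFSSL_SEP, whereas the removed guard also admitted a plain OPENSSL_EXTRA or OPENSSL_EXTRA_X509_SMALL build without SEP; OPENSSL_ALL and WOLFSSL_QT still get the fields because the settings.h hunk maps them to WOLFSSL_ASN_ALL, which defines WOLFSSL_SEP, but an OPENSSL_EXTRA-only configuration loses them. Any compat-layer code outside this view that reads or copies these fields (presumably the DecodedCert-to-X509 copy and the policy getters) under an OPENSSL_EXTRA-only guard would stop compiling, so those sites need the same `#ifdef WOLFSSL_SEP` gate, or the fields should keep an OPENSSL_EXTRA alternative. A one-line comment on the fields would also help readers map the new gate to its meaning: `/* certificatePolicies extension present / marked critical; parsed only under WOLFSSL_SEP */`.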


@ -1418,10 +1418,10 @@ struct DNS_entry {
int type; /* i.e. ASN_DNS_TYPE */ int type; /* i.e. ASN_DNS_TYPE */
int len; /* actual DNS len */ int len; /* actual DNS len */
char* name; /* actual DNS name */ char* name; /* actual DNS name */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME) #ifdef WOLFSSL_IP_ALT_NAME
char* ipString; /* human readable form of IP address */ char* ipString; /* human readable form of IP address */
#endif #endif
#if defined(OPENSSL_ALL) #ifdef WOLFSSL_RID_ALT_NAME
char* ridString; /* human readable form of registeredID */ char* ridString; /* human readable form of registeredID */
#endif #endif
@ -1714,7 +1714,7 @@ struct DecodedCert {
word32 extensionsIdx; /* if want to go back and parse later */ word32 extensionsIdx; /* if want to go back and parse later */
const byte* extAuthInfo; /* Authority Information Access URI */ const byte* extAuthInfo; /* Authority Information Access URI */
int extAuthInfoSz; /* length of the URI */ int extAuthInfoSz; /* length of the URI */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) #ifdef WOLFSSL_ASN_CA_ISSUER
const byte* extAuthInfoCaIssuer; /* Authority Info Access caIssuer URI */ const byte* extAuthInfoCaIssuer; /* Authority Info Access caIssuer URI */
int extAuthInfoCaIssuerSz; /* length of the caIssuer URI */ int extAuthInfoCaIssuerSz; /* length of the caIssuer URI */
#endif #endif
@ -1804,7 +1804,7 @@ struct DecodedCert {
char* subjectSN; char* subjectSN;
int subjectSNLen; int subjectSNLen;
char subjectSNEnc; char subjectSNEnc;
#ifdef WOLFSSL_CERT_NAME_ALL #ifdef WOLFSSL_CERT_NAME_ALL
char* subjectN; char* subjectN;
int subjectNLen; int subjectNLen;
char subjectNEnc; char subjectNEnc;
@ -1817,7 +1817,7 @@ struct DecodedCert {
char* subjectDNQ; char* subjectDNQ;
int subjectDNQLen; int subjectDNQLen;
char subjectDNQEnc; char subjectDNQEnc;
#endif /*WOLFSSL_CERT_NAME_ALL */ #endif /* WOLFSSL_CERT_NAME_ALL */
char* subjectC; char* subjectC;
int subjectCLen; int subjectCLen;
char subjectCEnc; char subjectCEnc;
@ -1882,7 +1882,7 @@ struct DecodedCert {
char* issuerEmail; char* issuerEmail;
int issuerEmailLen; int issuerEmailLen;
#endif /* WOLFSSL_HAVE_ISSUER_NAMES */ #endif /* WOLFSSL_HAVE_ISSUER_NAMES */
#endif /* defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) */ #endif /* WOLFSSL_CERT_GEN || WOLFSSL_CERT_EXT */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
/* WOLFSSL_X509_NAME structures (used void* to avoid including ssl.h) */ /* WOLFSSL_X509_NAME structures (used void* to avoid including ssl.h) */
void* issuerName; void* issuerName;
@ -1962,7 +1962,7 @@ struct DecodedCert {
byte extSubjAltNameSet : 1; byte extSubjAltNameSet : 1;
byte inhibitAnyOidSet : 1; byte inhibitAnyOidSet : 1;
byte selfSigned : 1; /* Indicates subject and issuer are same */ byte selfSigned : 1; /* Indicates subject and issuer are same */
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) #ifdef WOLFSSL_SEP
byte extCertPolicySet : 1; byte extCertPolicySet : 1;
#endif #endif
byte extCRLdistCrit : 1; byte extCRLdistCrit : 1;
@ -1988,7 +1988,7 @@ struct DecodedCert {
byte extAltSigAlgSet : 1; byte extAltSigAlgSet : 1;
byte extAltSigValSet : 1; byte extAltSigValSet : 1;
#endif /* WOLFSSL_DUAL_ALG_CERTS */ #endif /* WOLFSSL_DUAL_ALG_CERTS */
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT) #ifdef WOLFSSL_SEP
byte extCertPolicyCrit : 1; byte extCertPolicyCrit : 1;
#endif #endif
#ifdef WOLFSSL_CERT_REQ #ifdef WOLFSSL_CERT_REQ
@ -2040,7 +2040,7 @@ struct Signer {
#ifndef IGNORE_NAME_CONSTRAINTS #ifndef IGNORE_NAME_CONSTRAINTS
Base_entry* permittedNames; Base_entry* permittedNames;
Base_entry* excludedNames; Base_entry* excludedNames;
#endif /* IGNORE_NAME_CONSTRAINTS */ #endif /* !IGNORE_NAME_CONSTRAINTS */
byte subjectNameHash[SIGNER_DIGEST_SIZE]; byte subjectNameHash[SIGNER_DIGEST_SIZE];
/* sha hash of names in certificate */ /* sha hash of names in certificate */
#if defined(HAVE_OCSP) || defined(HAVE_CRL) #if defined(HAVE_OCSP) || defined(HAVE_CRL)
@ -2263,8 +2263,7 @@ WOLFSSL_LOCAL int wc_GetKeyOID(byte* key, word32 keySz, const byte** curveOID,
word32* oidSz, int* algoID, void* heap); word32* oidSz, int* algoID, void* heap);
typedef struct tm wolfssl_tm; typedef struct tm wolfssl_tm;
#if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_EXTRA) || \ #ifdef WOLFSSL_ASN_TIME_STRING
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len); WOLFSSL_LOCAL int GetTimeString(byte* date, int format, char* buf, int len);
#endif #endif
#if !defined(NO_ASN_TIME) && !defined(USER_TIME) && \ #if !defined(NO_ASN_TIME) && !defined(USER_TIME) && \
@ -2431,13 +2430,12 @@ WOLFSSL_LOCAL int AllocCopyDer(DerBuffer** der, const unsigned char* buff,
word32 length, int type, void* heap); word32 length, int type, void* heap);
WOLFSSL_LOCAL void FreeDer(DerBuffer** der); WOLFSSL_LOCAL void FreeDer(DerBuffer** der);
#if (defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)) || \ #ifdef WOLFSSL_ASN_PARSE_KEYUSAGE
(defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA))
WOLFSSL_LOCAL int ParseKeyUsageStr(const char* value, word16* keyUsage, WOLFSSL_LOCAL int ParseKeyUsageStr(const char* value, word16* keyUsage,
void* heap); void* heap);
WOLFSSL_LOCAL int ParseExtKeyUsageStr(const char* value, byte* extKeyUsage, WOLFSSL_LOCAL int ParseExtKeyUsageStr(const char* value, byte* extKeyUsage,
void* heap); void* heap);
#endif /* (CERT_GEN && CERT_EXT) || (OPENSSL_ALL || OPENSSL_EXTRA) */ #endif
#endif /* !NO_CERTS */ #endif /* !NO_CERTS */
@ -2529,8 +2527,7 @@ struct CertStatus {
byte nextDate[MAX_DATE_SIZE]; byte nextDate[MAX_DATE_SIZE];
byte thisDateFormat; byte thisDateFormat;
byte nextDateFormat; byte nextDateFormat;
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \ #ifdef WOLFSSL_OCSP_PARSE_STATUS
defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY)
WOLFSSL_ASN1_TIME thisDateParsed; WOLFSSL_ASN1_TIME thisDateParsed;
WOLFSSL_ASN1_TIME nextDateParsed; WOLFSSL_ASN1_TIME nextDateParsed;
byte* thisDateAsn; byte* thisDateAsn;
@ -2615,10 +2612,6 @@ struct OcspRequest {
int serialSz; int serialSz;
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
WOLFSSL_ASN1_INTEGER* serialInt; WOLFSSL_ASN1_INTEGER* serialInt;
#endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \
defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_APACHE_HTTPD) || \
defined(HAVE_LIGHTY)
void* cid; /* WOLFSSL_OCSP_CERTID kept to free */ void* cid; /* WOLFSSL_OCSP_CERTID kept to free */
#endif #endif
byte* url; /* copy of the extAuthInfo in source cert */ byte* url; /* copy of the extAuthInfo in source cert */
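Review bot: The new feature macros (WOLFSSL_IP_ALT_NAME, WOLFSSL_RID_ALT_NAME, WOLFSSL_ASN_CA_ISSUER, WOLFSSL_ASN_TIME_STRING, WOLFSSL_ASN_PARSE_KEYUSAGE, WOLFSSL_OCSP_PARSE_STATUS) replace guards that named the consuming products, but nothing in this header says what each one enables, so a reader of DNS_entry or CertStatus can no longer tell why a field exists. Each first use deserves a short comment, e.g. at the CertStatus guard `#ifdef WOLFSSL_OCSP_PARSE_STATUS /* keep parsed thisUpdate/nextUpdate (WOLFSSL_ASN1_TIME) and raw ASN.1 pointers for callers that inspect OCSP dates */` and at DNS_entry `#ifdef WOLFSSL_IP_ALT_NAME /* ipString: printable form of an iPAddress SAN, filled by GenerateDNSEntryIPString */`. The OcspRequest `cid` member is now freed under OPENSSL_EXTRA in the matching FreeOcspRequest hunk, which agrees with this declaration, but the allocation sites are outside this view and should be checked for the same gate.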


@ -361,7 +361,6 @@ typedef struct WOLFSSL_ASN1_INTEGER {
#endif #endif
#endif /* WOLFSSL_CERT_GEN || WOLFSSL_CERT_EXT */ #endif /* WOLFSSL_CERT_GEN || WOLFSSL_CERT_EXT */
#if defined(WOLFSSL_CERT_GEN) || defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
#ifdef WOLFSSL_MULTI_ATTRIB #ifdef WOLFSSL_MULTI_ATTRIB
#ifndef CTC_MAX_ATTRIB #ifndef CTC_MAX_ATTRIB
#define CTC_MAX_ATTRIB 4 #define CTC_MAX_ATTRIB 4
@ -375,7 +374,6 @@ typedef struct NameAttrib {
char value[CTC_NAME_SIZE]; /* name */ char value[CTC_NAME_SIZE]; /* name */
} NameAttrib; } NameAttrib;
#endif /* WOLFSSL_MULTI_ATTRIB */ #endif /* WOLFSSL_MULTI_ATTRIB */
#endif /* WOLFSSL_CERT_GEN || OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
#ifdef WOLFSSL_CUSTOM_OID #ifdef WOLFSSL_CUSTOM_OID
typedef struct CertOidField { typedef struct CertOidField {


@ -2889,6 +2889,116 @@ extern void uITRON4_free(void *p) ;
#define WOLFSSL_ASN_TEMPLATE #define WOLFSSL_ASN_TEMPLATE
#endif #endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
#undef WOLFSSL_ASN_ALL
#define WOLFSSL_ASN_ALL
#endif
/* Enable all parsing features for ASN */
#ifdef WOLFSSL_ASN_ALL
/* Alternate Names */
#undef WOLFSSL_ALT_NAMES
#define WOLFSSL_ALT_NAMES
/* Alternate Name: human readable form of IP address*/
#undef WOLFSSL_IP_ALT_NAME
#define WOLFSSL_IP_ALT_NAME
/* Alternate name: human readable form of registered ID */
#undef WOLFSSL_RID_ALT_NAME
#define WOLFSSL_RID_ALT_NAME
/* CA Issuer URI */
#undef WOLFSSL_ASN_CA_ISSUER
#define WOLFSSL_ASN_CA_ISSUER
/* FPKI (Federal PKI) extensions */
#undef WOLFSSL_FPKI
#define WOLFSSL_FPKI
/* Certificate policies */
#undef WOLFSSL_SEP
#define WOLFSSL_SEP
/* Support for full AuthorityKeyIdentifier extension.
* Only supports copying full AKID from an existing certificate */
#undef WOLFSSL_AKID_NAME
#define WOLFSSL_AKID_NAME
#undef WOLFSSL_CERT_EXT
#define WOLFSSL_CERT_EXT
/* Support for SubjectDirectoryAttributes extension */
#undef WOLFSSL_SUBJ_DIR_ATTR
#define WOLFSSL_SUBJ_DIR_ATTR
/* Support for SubjectInfoAccess extension */
#undef WOLFSSL_SUBJ_INFO_ACC
#define WOLFSSL_SUBJ_INFO_ACC
#undef WOLFSSL_CERT_NAME_ALL
#define WOLFSSL_CERT_NAME_ALL
#undef WOLFSSL_HAVE_ISSUER_NAMES
#define WOLFSSL_HAVE_ISSUER_NAMES
#undef WOLFSSL_MULTI_ATTRIB
#define WOLFSSL_MULTI_ATTRIB
#undef ASN_BER_TO_DER
#define ASN_BER_TO_DER
#undef WOLFSSL_CUSTOM_OID
#define WOLFSSL_CUSTOM_OID
#undef HAVE_OID_ENCODING
#define HAVE_OID_ENCODING
#undef HAVE_OID_DECODING
#define HAVE_OID_DECODING
#undef HAVE_SMIME
#define HAVE_SMIME
#undef WOLFSSL_ASN_TIME_STRING
#define WOLFSSL_ASN_TIME_STRING
#undef WOLFSSL_ASN_PARSE_KEYUSAGE
#define WOLFSSL_ASN_PARSE_KEYUSAGE
#undef WOLFSSL_OCSP_PARSE_STATUS
#define WOLFSSL_OCSP_PARSE_STATUS
#endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
defined(OPENSSL_EXTRA) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
#undef WOLFSSL_ASN_TIME_STRING
#define WOLFSSL_ASN_TIME_STRING
#endif
#if (defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_EXT)) || \
(defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA))
#undef WOLFSSL_ASN_PARSE_KEYUSAGE
#define WOLFSSL_ASN_PARSE_KEYUSAGE
#endif
#if defined(HAVE_OCSP) && !defined(WOLFCRYPT_ONLY) && \
(defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || \
defined(WOLFSSL_HAPROXY) || defined(HAVE_LIGHTY) || \
defined(WOLFSSL_APACHE_HTTPD))
#undef WOLFSSL_OCSP_PARSE_STATUS
#define WOLFSSL_OCSP_PARSE_STATUS
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
defined(WOLFSSL_CERT_GEN)
#undef WOLFSSL_MULTI_ATTRIB
#define WOLFSSL_MULTI_ATTRIB
#endif
/* Linux Kernel Module */
#ifdef WOLFSSL_LINUXKM #ifdef WOLFSSL_LINUXKM
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
#include <config.h> #include <config.h>
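Review bot: The WOLFSSL_ASN_ALL block defines WOLFSSL_OCSP_PARSE_STATUS unconditionally, while the compat-driven definition further down only sets it when `HAVE_OCSP` is defined and `WOLFCRYPT_ONLY` is not; since OPENSSL_ALL and WOLFSSL_QT now route through WOLFSSL_ASN_ALL, a wolfCrypt-only or OCSP-less build of those configurations gets the macro set where the old product-specific guards never enabled that code (assuming HAVE_OCSP and WOLFCRYPT_ONLY are already known at this point, as the later block assumes). The fix is to apply the same condition inside the ASN_ALL block, `#if defined(HAVE_OCSP) && !defined(WOLFCRYPT_ONLY)` around the `#define WOLFSSL_OCSP_PARSE_STATUS`, or to drop it from the block and rely solely on the guarded definition below. Separately, `all` also switches on ASN_BER_TO_DER, HAVE_SMIME and WOLFSSL_CUSTOM_OID, which widen the untrusted-input parsing surface well beyond X.509 extensions; a comment such as `/* NOTE: enables every ASN parser (BER->DER, S/MIME, custom OIDs); a maximal, not a minimal/hardened, profile */` at the top of the block would make that explicit for users of --enable-asn=all.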