From e135ea7338008202c2137ff6717ebec119efb44f Mon Sep 17 00:00:00 2001
From: Lealem Amedie
Date: Fri, 28 Jan 2022 12:39:00 -0800
Subject: [PATCH 1/2] Fix for certreq and certgen options with openssl compatability

---
 src/ssl.c | 218 +++++++++++++++++++++++---------------
 wolfcrypt/src/asn.c | 4 +
 wolfssl/internal.h | 8 +-
 wolfssl/ssl.h | 19 ++--
 4 files changed, 134 insertions(+), 115 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index a392ee952..f9d0b4948 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -29577,59 +29577,6 @@ void wolfSSL_ASN1_TYPE_set(WOLFSSL_ASN1_TYPE *a, int type, void *value)
 a->type = type;
 }
 
-/**
- * Allocate a new WOLFSSL_ASN1_TYPE object.
- *
- * @return New zero'ed WOLFSSL_ASN1_TYPE object
- */
-WOLFSSL_ASN1_TYPE* wolfSSL_ASN1_TYPE_new(void)
-{
- WOLFSSL_ASN1_TYPE* ret = (WOLFSSL_ASN1_TYPE*)XMALLOC(sizeof(WOLFSSL_ASN1_TYPE),
- NULL, DYNAMIC_TYPE_OPENSSL);
- if (!ret)
- return NULL;
- XMEMSET(ret, 0, sizeof(WOLFSSL_ASN1_TYPE));
- return ret;
-}
-
-/**
- * Free WOLFSSL_ASN1_TYPE and all its members.
- *
- * @param at Object to free
- */
-void wolfSSL_ASN1_TYPE_free(WOLFSSL_ASN1_TYPE* at)
-{
- if (at) {
- switch (at->type) {
- case V_ASN1_OBJECT:
- wolfSSL_ASN1_OBJECT_free(at->value.object);
- break;
- case V_ASN1_UTCTIME:
- #ifndef NO_ASN_TIME
- wolfSSL_ASN1_TIME_free(at->value.utctime);
- #endif
- break;
- case V_ASN1_GENERALIZEDTIME:
- #ifndef NO_ASN_TIME
- wolfSSL_ASN1_TIME_free(at->value.generalizedtime);
- #endif
- break;
- case V_ASN1_UTF8STRING:
- case V_ASN1_PRINTABLESTRING:
- case V_ASN1_T61STRING:
- case V_ASN1_IA5STRING:
- case V_ASN1_UNIVERSALSTRING:
- case V_ASN1_SEQUENCE:
- wolfSSL_ASN1_STRING_free(at->value.asn1_string);
- break;
- default:
- WOLFSSL_MSG("Unknown or unsupported ASN1_TYPE");
- break;
- }
- XFREE(at, NULL, DYNAMIC_TYPE_OPENSSL);
- }
-}
-
 /**
 * Allocate a new WOLFSSL_X509_PUBKEY object.
 *
@@ -29836,7 +29783,67 @@ error:
 return WOLFSSL_FAILURE;
 }
 
-#endif /* OPENSSL_ALL || WOLFSSL_APACHE_HTTPD || WOLFSSL_HAPROXY*/
+#endif /* OPENSSL_ALL || WOLFSSL_APACHE_HTTPD || WOLFSSL_HAPROXY || WOLFSSL_WPAS */
+
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD) \
+ || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS) \
+ || defined(OPENSSL_EXTRA)
+/**
+ * Allocate a new WOLFSSL_ASN1_TYPE object.
+ *
+ * @return New zero'ed WOLFSSL_ASN1_TYPE object
+ */
+WOLFSSL_ASN1_TYPE* wolfSSL_ASN1_TYPE_new(void)
+{
+ WOLFSSL_ASN1_TYPE* ret = (WOLFSSL_ASN1_TYPE*)XMALLOC(sizeof(WOLFSSL_ASN1_TYPE),
+ NULL, DYNAMIC_TYPE_OPENSSL);
+ if (!ret)
+ return NULL;
+ XMEMSET(ret, 0, sizeof(WOLFSSL_ASN1_TYPE));
+ return ret;
+}
+
+/**
+ * Free WOLFSSL_ASN1_TYPE and all its members.
+ *
+ * @param at Object to free
+ */
+void wolfSSL_ASN1_TYPE_free(WOLFSSL_ASN1_TYPE* at)
+{
+ if (at) {
+ switch (at->type) {
+ case V_ASN1_OBJECT:
+ wolfSSL_ASN1_OBJECT_free(at->value.object);
+ break;
+ case V_ASN1_UTCTIME:
+ #ifndef NO_ASN_TIME
+ wolfSSL_ASN1_TIME_free(at->value.utctime);
+ #endif
+ break;
+ case V_ASN1_GENERALIZEDTIME:
+ #ifndef NO_ASN_TIME
+ wolfSSL_ASN1_TIME_free(at->value.generalizedtime);
+ #endif
+ break;
+ case V_ASN1_UTF8STRING:
+ case V_ASN1_PRINTABLESTRING:
+ case V_ASN1_T61STRING:
+ case V_ASN1_IA5STRING:
+ case V_ASN1_UNIVERSALSTRING:
+ case V_ASN1_SEQUENCE:
+ wolfSSL_ASN1_STRING_free(at->value.asn1_string);
+ break;
+ default:
+ WOLFSSL_MSG("Unknown or unsupported ASN1_TYPE");
+ break;
+ }
+ XFREE(at, NULL, DYNAMIC_TYPE_OPENSSL);
+ }
+}
+#endif /* OPENSSL_ALL || WOLFSSL_APACHE_HTTPD || WOLFSSL_HAPROXY || WOLFSSL_WPAS
+ || OPENSSL_EXTRA */
+
+
 
 #ifndef NO_WOLFSSL_STUB
 /*** TBD ***/
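Review bot: wolfSSL_ASN1_TYPE_free, as re-added in this hunk, releases the value only for the types listed in the switch; for any other `at->type` it logs "Unknown or unsupported ASN1_TYPE" and frees just the container, so whatever `value` pointer was stored there is leaked silently. wolfSSL_ASN1_TYPE_set (its body is the context of the preceding hunk) appears to store any `type`/`value` pair without checking it against this list, so either the two should agree on the supported set or the contract should be spelled out; suggest replacing the `@param at` line with `@param at Object to free; only the value types handled in the switch are released, any other value must be freed by the caller`. The `#endif` comment above the new block now names WOLFSSL_WPAS while the opening `#if` of that block is outside the hunk, so confirm it matches.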
@@ -56291,27 +56298,41 @@ int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req,
 
 return WOLFSSL_SUCCESS;
 }
-
-/* Return NID as the attr index */
-int wolfSSL_X509_REQ_get_attr_by_NID(const WOLFSSL_X509 *req,
- int nid, int lastpos)
+WOLFSSL_X509 *wolfSSL_X509_to_X509_REQ(WOLFSSL_X509 *x,
+ WOLFSSL_EVP_PKEY *pkey, const WOLFSSL_EVP_MD *md)
 {
- WOLFSSL_ENTER("wolfSSL_X509_REQ_get_attr_by_NID");
+ WOLFSSL_ENTER("wolfSSL_X509_to_X509_REQ");
+ (void)pkey;
+ (void)md;
+ return wolfSSL_X509_dup(x);
+}
 
- /* Since we only support 1 attr per attr type then a lastpos of >= 0
- * indicates that one was already returned */
- if (!req || lastpos >= 0) {
+int wolfSSL_X509_REQ_set_subject_name(WOLFSSL_X509 *req,
+ WOLFSSL_X509_NAME *name)
+{
+ return wolfSSL_X509_set_subject_name(req, name);
+}
+
+int wolfSSL_X509_REQ_set_pubkey(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey)
+{
+ return wolfSSL_X509_set_pubkey(req, pkey);
+}
+#endif /* OPENSSL_ALL && !NO_CERTS && WOLFSSL_CERT_GEN && WOLFSSL_CERT_REQ */
+
+#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \
+ defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_REQ)
+
+WOLFSSL_ASN1_TYPE *wolfSSL_X509_ATTRIBUTE_get0_type(
+ WOLFSSL_X509_ATTRIBUTE *attr, int idx)
+{
+ WOLFSSL_ENTER("wolfSSL_X509_ATTRIBUTE_get0_type");
+
+ if (!attr || idx != 0) {
 WOLFSSL_MSG("Bad parameter");
- return WOLFSSL_FATAL_ERROR;
+ return NULL;
 }
 
- switch (nid) {
- case NID_pkcs9_challengePassword:
- return req->challengePwAttr ? nid : WOLFSSL_FATAL_ERROR;
- default:
- WOLFSSL_MSG("Unsupported attribute");
- return WOLFSSL_FATAL_ERROR;
- }
+ return attr->value;
 }
 
 /**
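Review bot: wolfSSL_X509_to_X509_REQ, now placed at the top of this hunk, discards `pkey` and `md` and returns a plain `wolfSSL_X509_dup(x)`, whereas the OpenSSL API of the same name signs the resulting request with `pkey`/`md` when a key is supplied; a caller porting OpenSSL code therefore gets an unsigned copy with no error to tell it so. That is existing behavior being moved, not introduced, but the function has no comment at all, so the limitation is invisible; suggest a header comment such as `/* Compatibility shim: pkey and md are ignored, the returned request is an unsigned copy of x and must be signed by the caller. */`. The two one-line wrappers wolfSSL_X509_REQ_set_subject_name and wolfSSL_X509_REQ_set_pubkey would likewise benefit from a one-line comment saying they forward to the X509 setters.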
@@ -56337,6 +56358,28 @@ WOLFSSL_X509_ATTRIBUTE *wolfSSL_X509_REQ_get_attr(
 }
 }
 
+/* Return NID as the attr index */
+int wolfSSL_X509_REQ_get_attr_by_NID(const WOLFSSL_X509 *req,
+ int nid, int lastpos)
+{
+ WOLFSSL_ENTER("wolfSSL_X509_REQ_get_attr_by_NID");
+
+ /* Since we only support 1 attr per attr type then a lastpos of >= 0
+ * indicates that one was already returned */
+ if (!req || lastpos >= 0) {
+ WOLFSSL_MSG("Bad parameter");
+ return WOLFSSL_FATAL_ERROR;
+ }
+
+ switch (nid) {
+ case NID_pkcs9_challengePassword:
+ return req->challengePwAttr ? nid : WOLFSSL_FATAL_ERROR;
+ default:
+ WOLFSSL_MSG("Unsupported attribute");
+ return WOLFSSL_FATAL_ERROR;
+ }
+}
+
 WOLFSSL_X509_ATTRIBUTE* wolfSSL_X509_ATTRIBUTE_new(void)
 {
 WOLFSSL_X509_ATTRIBUTE* ret;
@@ -56376,40 +56419,7 @@ void wolfSSL_X509_ATTRIBUTE_free(WOLFSSL_X509_ATTRIBUTE* attr)
 XFREE(attr, NULL, DYNAMIC_TYPE_OPENSSL);
 }
 }
-
-WOLFSSL_ASN1_TYPE *wolfSSL_X509_ATTRIBUTE_get0_type(
- WOLFSSL_X509_ATTRIBUTE *attr, int idx)
-{
- WOLFSSL_ENTER("wolfSSL_X509_ATTRIBUTE_get0_type");
-
- if (!attr || idx != 0) {
- WOLFSSL_MSG("Bad parameter");
- return NULL;
- }
-
- return attr->value;
-}
-
-WOLFSSL_X509 *wolfSSL_X509_to_X509_REQ(WOLFSSL_X509 *x,
- WOLFSSL_EVP_PKEY *pkey, const WOLFSSL_EVP_MD *md)
-{
- WOLFSSL_ENTER("wolfSSL_X509_to_X509_REQ");
- (void)pkey;
- (void)md;
- return wolfSSL_X509_dup(x);
-}
-
-int wolfSSL_X509_REQ_set_subject_name(WOLFSSL_X509 *req,
- WOLFSSL_X509_NAME *name)
-{
- return wolfSSL_X509_set_subject_name(req, name);
-}
-
-int wolfSSL_X509_REQ_set_pubkey(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey)
-{
- return wolfSSL_X509_set_pubkey(req, pkey);
-}
-#endif /* OPENSSL_ALL && !NO_CERTS && WOLFSSL_CERT_GEN && WOLFSSL_CERT_REQ */
+#endif
 
 #ifdef WOLFSSL_STATIC_EPHEMERAL
 int wolfSSL_StaticEphemeralKeyLoad(WOLFSSL* ssl, int keyAlgo, void* keyPtr)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 4ae36b942..895e93cf5 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
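Review bot: The `+#endif` at the end of the second hunk here (line 56419 region) replaces a commented `#endif` with a bare one, yet it now closes a block that runs from `wolfSSL_X509_ATTRIBUTE_get0_type` in the earlier hunk through `wolfSSL_X509_ATTRIBUTE_free`, with nested `#ifdef`s in between; in a file of this size a bare `#endif` is hard to pair by eye and the matching `#if` is outside this hunk. Suggest `#endif /* OPENSSL_ALL && !NO_CERTS && (WOLFSSL_CERT_GEN || WOLFSSL_CERT_REQ) */`, matching the condition the follow-up commit settles on. The moved wolfSSL_X509_REQ_get_attr_by_NID in the first hunk keeps its explanatory comment, which is good; the same treatment for the `#endif` keeps the two halves of the block readable together.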
@@ -4009,7 +4009,9 @@ static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9};
 defined(WOLFSSL_ASN_TEMPLATE)
 /* csrAttrType */
 #define CSR_ATTR_TYPE_OID_BASE(num) {42, 134, 72, 134, 247, 13, 1, 9, num}
+#if !defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN)
 static const byte attrEmailOid[] = CSR_ATTR_TYPE_OID_BASE(1);
+#endif
 #ifdef WOLFSSL_CERT_REQ
 static const byte attrUnstructuredNameOid[] = CSR_ATTR_TYPE_OID_BASE(2);
 static const byte attrPkcs9ContentTypeOid[] = CSR_ATTR_TYPE_OID_BASE(3);
@@ -4056,8 +4058,10 @@ static const byte dnsSRVOid[] = {43, 6, 1, 5, 5, 7, 8, 7};
 #ifdef WOLFSSL_ASN_TEMPLATE
 static const byte uidOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 1}; /* user id */
 #endif
+#if !defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN)
 static const byte dcOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 25}; /* domain component */
 #endif
+#endif
 
 
 /* Looks up the ID/type of an OID.
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 0eb6c57e7..4fef89bfc 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -4022,13 +4022,15 @@ struct WOLFSSL_X509 {
 #endif
 byte serial[EXTERNAL_SERIAL_SIZE];
 char subjectCN[ASN_NAME_MAX]; /* common name short cut */
-#ifdef WOLFSSL_CERT_REQ
-#ifdef OPENSSL_ALL
+#if defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN)
+#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)
 WOLFSSL_X509_ATTRIBUTE* challengePwAttr;
 #endif
+ #if defined(WOLFSSL_CERT_REQ)
 char challengePw[CTC_NAME_SIZE]; /* for REQ certs */
 char contentType[CTC_NAME_SIZE];
-#endif /* WOLFSSL_CERT_REQ */
+ #endif
+#endif /* WOLFSSL_CERT_REQ || WOLFSSL_CERT_GEN */
 WOLFSSL_X509_NAME issuer;
 WOLFSSL_X509_NAME subject;
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS)
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 6e989d3c1..c146aff08 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
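Review bot: In the second asn.c hunk the new `#if !defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_GEN)` is opened before `dcOid`, but its `#endif` is added after the pre-existing `#endif`, so positionally the old `#endif` now closes the new guard and the added one closes the outer block whose `#if` is outside this hunk. The preprocessor pairs them without complaint, but the intent reads backwards and any comment later attached to the old `#endif` will label the wrong condition; place the added `#endif` directly after the `dcOid` line instead, i.e. `static const byte dcOid[] = {9, 146, 38, 137, 147, 242, 44, 100, 1, 25}; /* domain component */` / `#endif /* !WOLFSSL_CERT_REQ || WOLFSSL_CERT_GEN */` / `#endif`. The condition itself is not self-explanatory in either asn.c hunk — presumably it silences unused-variable warnings for `attrEmailOid` and `dcOid` in CERT_REQ-only builds, which should be confirmed and stated in a one-line comment on the `#if`.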
@@ -4282,21 +4282,24 @@ WOLFSSL_API int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req,
 int nid, int type, const unsigned char *bytes,
 int len);
-WOLFSSL_API int wolfSSL_X509_REQ_get_attr_by_NID(const WOLFSSL_X509 *req,
- int nid, int lastpos);
 WOLFSSL_API int wolfSSL_X509_REQ_add1_attr_by_txt(WOLFSSL_X509 *req,
 const char *attrname, int type, const unsigned char *bytes,
 int len);
-WOLFSSL_API WOLFSSL_X509_ATTRIBUTE *wolfSSL_X509_REQ_get_attr(
- const WOLFSSL_X509 *req, int loc);
-WOLFSSL_API WOLFSSL_X509_ATTRIBUTE* wolfSSL_X509_ATTRIBUTE_new(void);
-WOLFSSL_API void wolfSSL_X509_ATTRIBUTE_free(WOLFSSL_X509_ATTRIBUTE* attr);
-WOLFSSL_API WOLFSSL_ASN1_TYPE *wolfSSL_X509_ATTRIBUTE_get0_type(
- WOLFSSL_X509_ATTRIBUTE *attr, int idx);
 WOLFSSL_API WOLFSSL_X509 *wolfSSL_X509_to_X509_REQ(WOLFSSL_X509 *x,
 WOLFSSL_EVP_PKEY *pkey, const WOLFSSL_EVP_MD *md);
 #endif
+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(WOLFSSL_CERT_GEN) || \
+ defined(WOLFSSL_CERT_REQ)
+WOLFSSL_API WOLFSSL_X509_ATTRIBUTE *wolfSSL_X509_REQ_get_attr(
+ const WOLFSSL_X509 *req, int loc);
+WOLFSSL_API int wolfSSL_X509_REQ_get_attr_by_NID(const WOLFSSL_X509 *req,
+ int nid, int lastpos);
+WOLFSSL_API WOLFSSL_X509_ATTRIBUTE* wolfSSL_X509_ATTRIBUTE_new(void);
+WOLFSSL_API void wolfSSL_X509_ATTRIBUTE_free(WOLFSSL_X509_ATTRIBUTE* attr);
+WOLFSSL_API WOLFSSL_ASN1_TYPE *wolfSSL_X509_ATTRIBUTE_get0_type(
+ WOLFSSL_X509_ATTRIBUTE *attr, int idx);
+#endif
 
 #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) \
 || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)

From f608b1a731cf3b1c8ccc8d34fc8e62334b0a766d Mon Sep 17 00:00:00 2001
From: Lealem Amedie
Date: Fri, 28 Jan 2022 13:54:13 -0800
Subject: [PATCH 2/2] macro logic fix

---
 src/ssl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ssl.c b/src/ssl.c
index f9d0b4948..f93f3ec27 100644
--- a/src/ssl.c
+++ b/src/ssl.c
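Review bot: The new guard `#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && defined(WOLFSSL_CERT_GEN) || \ defined(WOLFSSL_CERT_REQ)` parses as `(EXTRA && !NO_CERTS && GEN) || REQ`, so any build defining WOLFSSL_CERT_REQ gets these five prototypes even with NO_CERTS set or without OPENSSL_EXTRA; the follow-up commit "macro logic fix" parenthesizes only the matching condition in src/ssl.c, leaving the header form unparenthesized. The definitions in src/ssl.c are also guarded by OPENSSL_ALL where these declarations use OPENSSL_EXTRA, so an OPENSSL_EXTRA-only build would see prototypes with no definitions behind them — presumably a link failure for any caller, unless OPENSSL_ALL is implied by another setting not visible here. Suggest `#if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \` / `    (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_REQ))` so header and source agree; the `challengePwAttr` field these functions read is guarded in internal.h by `OPENSSL_ALL || OPENSSL_EXTRA`, so it does not constrain that choice.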
@@ -56320,7 +56320,7 @@ int wolfSSL_X509_REQ_set_pubkey(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey)
 #endif /* OPENSSL_ALL && !NO_CERTS && WOLFSSL_CERT_GEN && WOLFSSL_CERT_REQ */
 
 #if defined(OPENSSL_ALL) && !defined(NO_CERTS) && \
- defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_REQ)
+ (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_REQ))
 
 WOLFSSL_ASN1_TYPE *wolfSSL_X509_ATTRIBUTE_get0_type(
 WOLFSSL_X509_ATTRIBUTE *attr, int idx)