From fe932b893c218cd144319c9b6a6f5323db64cdb0 Mon Sep 17 00:00:00 2001 From: Marco Oliverio Date: Thu, 4 Jul 2024 10:17:18 +0200 Subject: [PATCH] fixup! csrv2multi: pending ca list --- src/internal.c | 5 +++-- src/ocsp.c | 4 ++-- src/ssl.c | 6 +++--- src/ssl_certman.c | 6 +++--- src/ssl_p7p12.c | 4 ++-- src/x509.c | 10 +++++----- wolfcrypt/src/asn.c | 19 +++++++------------ wolfcrypt/src/pkcs12.c | 2 +- wolfssl/wolfcrypt/asn.h | 2 -- 9 files changed, 26 insertions(+), 32 deletions(-) diff --git a/src/internal.c b/src/internal.c index e222babbb..a5a15b501 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14130,7 +14130,7 @@ PRAGMA_GCC_DIAG_POP } #endif /* Parse Certificate */ - ret = ParseCertRelativeEx(args->dCert, certType, verify, SSL_CM(ssl), extraSigners); + ret = ParseCertRelative(args->dCert, certType, verify, SSL_CM(ssl), extraSigners); #if defined(HAVE_RPK) /* if cert type has negotiated with peer, confirm the cert received has @@ -14961,6 +14961,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, s = MakeSigner(SSL_CM(ssl)->heap); if (s == NULL) { FreeDecodedCert(&dCertAdd); + FreeDer(&derBuffer); ret = MEMORY_E; goto exit_ppc; } @@ -23254,7 +23255,7 @@ static int CreateOcspRequest(WOLFSSL* ssl, OcspRequest* request, InitDecodedCert(cert, certData, length, ssl->heap); /* TODO: Setup async support here */ - ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, SSL_CM(ssl)); + ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, SSL_CM(ssl), NULL); if (ret != 0) { WOLFSSL_MSG("ParseCert failed"); } diff --git a/src/ocsp.c b/src/ocsp.c index 681f95b8b..9051ecf01 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -802,7 +802,7 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( InitDecodedCert(cert, subject->derCert->buffer, subject->derCert->length, NULL); - if (ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) { + if (ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm, NULL) != 0) { FreeDecodedCert(cert); goto out; } 
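Review bot: The added `FreeDer(&derBuffer);` in ProcessPeerCerts releases the buffer only on the MakeSigner() allocation failure; if derBuffer is allocated earlier in this block, every other early exit between that allocation and the point where ownership passes to the new Signer needs the same release, and none of those paths are visible in this hunk. Since FreeDer takes the address of the pointer, I assume it also resets derBuffer to NULL so that the cleanup at exit_ppc cannot double-free it — worth confirming rather than relying on. The body of ProcessPeerCerts starts and ends outside the hunk.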
@@ -892,7 +892,7 @@ int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, InitDecodedCert(cert, bs->cert, bs->certSz, NULL); certInit = 1; - if (ParseCertRelative(cert, CERT_TYPE, VERIFY, st->cm) < 0) + if (ParseCertRelative(cert, CERT_TYPE, VERIFY, st->cm, NULL) < 0) goto out; if (!(flags & OCSP_NOCHECKS)) { diff --git a/src/ssl.c b/src/ssl.c index 1289eca25..f9f04fd7c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6211,7 +6211,7 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, DerBuffer* altKey, size = cert->length; buff = cert->buffer; InitDecodedCert_ex(der, buff, size, heap, devId); - if (ParseCertRelative(der, CERT_TYPE, NO_VERIFY, NULL) != 0) { + if (ParseCertRelative(der, CERT_TYPE, NO_VERIFY, NULL, NULL) != 0) { FreeDecodedCert(der); #ifdef WOLFSSL_SMALL_STACK XFREE(der, heap, DYNAMIC_TYPE_DCERT); @@ -13313,7 +13313,7 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out, /* Create a DecodedCert object and copy fields into WOLFSSL_X509 object. */ InitDecodedCert(cert, (byte*)in, (word32)len, NULL); - if ((ret = ParseCertRelative(cert, CERT_TYPE, 0, NULL)) == 0) { + if ((ret = ParseCertRelative(cert, CERT_TYPE, 0, NULL, NULL)) == 0) { /* Check if x509 was not previously initialized by wolfSSL_X509_new() */ if (x509->dynamicMemory != TRUE) InitX509(x509, 0, NULL); @@ -17756,7 +17756,7 @@ WOLFSSL_X509* wolfSSL_get_chain_X509(WOLFSSL_X509_CHAIN* chain, int idx) InitDecodedCert(cert, chain->certs[idx].buffer, chain->certs[idx].length, NULL); - if ((ret = ParseCertRelative(cert, CERT_TYPE, 0, NULL)) != 0) { + if ((ret = ParseCertRelative(cert, CERT_TYPE, 0, NULL, NULL)) != 0) { WOLFSSL_MSG("Failed to parse cert"); } else { diff --git a/src/ssl_certman.c b/src/ssl_certman.c index d9af7bc66..e66605935 100644 --- a/src/ssl_certman.c +++ b/src/ssl_certman.c 
@@ -698,7 +698,7 @@ int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const unsigned char* buff, /* Parse DER into decoded certificate fields and verify signature * against a known CA. */ - ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, cm); + ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, cm, NULL); } #ifdef HAVE_CRL @@ -1817,7 +1817,7 @@ int wolfSSL_CertManagerCheckCRL(WOLFSSL_CERT_MANAGER* cm, InitDecodedCert(cert, der, (word32)sz, NULL); /* Parse certificate and perform CRL checks. */ - ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_CRL, cm); + ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_CRL, cm, NULL); if (ret != 0) { WOLFSSL_MSG("ParseCert failed"); } @@ -2289,7 +2289,7 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, InitDecodedCert(cert, der, (word32)sz, NULL); /* Parse certificate and perform CRL checks. */ - ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm); + ret = ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm, NULL); if (ret != 0) { WOLFSSL_MSG("ParseCert failed"); } diff --git a/src/ssl_p7p12.c b/src/ssl_p7p12.c index dca512f46..11b6c40a9 100644 --- a/src/ssl_p7p12.c +++ b/src/ssl_p7p12.c @@ -1932,7 +1932,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, DYNAMIC_TYPE_X509); InitX509(x509, 1, heap); InitDecodedCert(DeCert, current->buffer, current->bufferSz, heap); - if (ParseCertRelative(DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) { + if (ParseCertRelative(DeCert, CERT_TYPE, NO_VERIFY, NULL, NULL) != 0) { WOLFSSL_MSG("Issue with parsing certificate"); FreeDecodedCert(DeCert); wolfSSL_X509_free(x509); @@ -2009,7 +2009,7 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, } InitX509(*cert, 1, heap); InitDecodedCert(DeCert, certData, certDataSz, heap); - if (ParseCertRelative(DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) { + if (ParseCertRelative(DeCert, CERT_TYPE, NO_VERIFY, NULL, NULL) != 0) { WOLFSSL_MSG("Issue with parsing certificate"); } if (CopyDecodedToX509(*cert, DeCert) != 0) { 
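Review bot: The comment directly above the changed call in wolfSSL_CertManagerCheckOCSP still reads `/* Parse certificate and perform CRL checks. */` although the call uses VERIFY_OCSP; while touching the line it would be worth correcting it to `/* Parse certificate and perform OCSP checks. */` so the two near-identical functions are not confused. The bodies of the three functions in this file section start and end outside the hunks.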
diff --git a/src/x509.c b/src/x509.c index 1d31328e8..72a4f37ec 100644 --- a/src/x509.c +++ b/src/x509.c @@ -3612,7 +3612,7 @@ static WOLFSSL_X509* d2i_X509orX509REQ(WOLFSSL_X509** x509, #ifdef WOLFSSL_CERT_REQ cert->isCSR = (byte)req; #endif - if (ParseCertRelative(cert, type, 0, NULL) == 0) { + if (ParseCertRelative(cert, type, 0, NULL, NULL) == 0) { newX509 = wolfSSL_X509_new_ex(heap); if (newX509 != NULL) { if (CopyDecodedToX509(newX509, cert) != 0) { @@ -5254,7 +5254,7 @@ static WOLFSSL_X509* loadX509orX509REQFromBuffer( #endif { InitDecodedCert(cert, der->buffer, der->length, NULL); - ret = ParseCertRelative(cert, type, 0, NULL); + ret = ParseCertRelative(cert, type, 0, NULL, NULL); if (ret == 0) { x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL, DYNAMIC_TYPE_X509); @@ -13403,7 +13403,7 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen, #endif InitDecodedCert(dCert, x->derCert->buffer, x->derCert->length, NULL); - ret = ParseCertRelative(dCert, CERT_TYPE, 0, NULL); + ret = ParseCertRelative(dCert, CERT_TYPE, 0, NULL, NULL); if (ret != 0) { goto out; } @@ -13474,7 +13474,7 @@ int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc, if (ret == WOLFSSL_SUCCESS) { InitDecodedCert(dCert, x->derCert->buffer, x->derCert->length, NULL); - ret = ParseCertRelative(dCert, CERT_TYPE, 0, NULL); + ret = ParseCertRelative(dCert, CERT_TYPE, 0, NULL, NULL); if (ret != 0) { ret = WOLFSSL_FAILURE; } @@ -13613,7 +13613,7 @@ static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm, /* Use existing CA retrieval APIs that use DecodedCert. */ InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, cm->heap); - if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0 + if (ParseCertRelative(cert, CERT_TYPE, 0, NULL, NULL) == 0 && !cert->selfSigned) { #ifndef NO_SKID if (cert->extAuthKeyIdSet) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 22f16642b..45942c039 100644 --- a/wolfcrypt/src/asn.c 
+++ b/wolfcrypt/src/asn.c @@ -22501,7 +22501,7 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm) char* ptr; #endif - ret = ParseCertRelative(cert, type, verify, cm); + ret = ParseCertRelative(cert, type, verify, cm, NULL); if (ret < 0) return ret; @@ -23399,7 +23399,7 @@ Signer* findSignerByName(Signer *list, byte *hash) return NULL; } -int ParseCertRelativeEx(DecodedCert* cert, int type, int verify, void* cm, Signer *extraCAList) +int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm, Signer *extraCAList) { int ret = 0; #ifndef WOLFSSL_ASN_TEMPLATE @@ -24056,11 +24056,6 @@ exit_pcr: return ret; } -int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) -{ - return ParseCertRelativeEx(cert, type, verify, cm, NULL); -} - int FillSigner(Signer* signer, DecodedCert* cert, int type, DerBuffer *der) { int ret = 0; @@ -26681,7 +26676,7 @@ static int wc_SetCert_LoadDer(Cert* cert, const byte* der, word32 derSz, InitDecodedCert_ex((DecodedCert*)cert->decodedCert, der, derSz, cert->heap, devId); ret = ParseCertRelative((DecodedCert*)cert->decodedCert, - CERT_TYPE, 0, NULL); + CERT_TYPE, 0, NULL, NULL); if (ret >= 0) { cert->der = (byte*)der; } @@ -32425,7 +32420,7 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz, #endif InitDecodedCert_ex(decoded, der, (word32)derSz, NULL, devId); - ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); + ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0, NULL); if (ret < 0) { WOLFSSL_MSG("ParseCertRelative error"); @@ -32624,7 +32619,7 @@ static int SetNameFromCert(CertName* cn, const byte* der, int derSz, int devId) #endif InitDecodedCert_ex(decoded, der, (word32)derSz, NULL, devId); - ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0); + ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0, NULL); if (ret < 0) { WOLFSSL_MSG("ParseCertRelative error"); 
@@ -36561,7 +36556,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, cert_inited = 1; /* Don't verify if we don't have access to Cert Manager. */ - ret = ParseCertRelativeEx(cert, CERT_TYPE, + ret = ParseCertRelative(cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm, resp->pendingCAs); if (ret < 0) { @@ -36723,7 +36718,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, certInit = 1; /* Parse the certificate and don't verify if we don't have access to * Cert Manager. */ - ret = ParseCertRelativeEx(cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY, + ret = ParseCertRelative(cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY, cm, resp->pendingCAs); if (ret < 0) { WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index 87ef8a86b..ef111a6df 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c @@ -1126,7 +1126,7 @@ static WARN_UNUSED_RESULT int freeDecCertList(WC_DerCertList** list, while (current != NULL) { InitDecodedCert(DeCert, current->buffer, current->bufferSz, heap); - if (ParseCertRelative(DeCert, CERT_TYPE, NO_VERIFY, NULL) == 0) { + if (ParseCertRelative(DeCert, CERT_TYPE, NO_VERIFY, NULL, NULL) == 0) { if (wc_CheckPrivateKeyCert(*pkey, *pkeySz, DeCert, 0) == 1) { WOLFSSL_MSG("Key Pair found"); *cert = current->buffer; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 893ee882c..503c98579 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h 
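Review bot: The responder-certificate verification in DecodeBasicOcspResponse passes `resp->pendingCAs` as the extra issuer list to `ParseCertRelative(cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm, resp->pendingCAs)`, and those entries appear to originate from the OCSP response being decoded; it is not visible here whether a pending CA is consulted only after it has itself been verified against a CA in `cm`. If it is not, a party controlling the response could include a certificate that vouches for its own responder, so that invariant should be confirmed and recorded at the call site, e.g. `/* pendingCAs: issuers carried in this response; confirm each is chained to cm before it is trusted here */`. The body of DecodeBasicOcspResponse starts and ends outside the hunk.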
@@ -2187,8 +2187,6 @@ WOLFSSL_LOCAL int CheckCSRSignaturePubKey(const byte* cert, word32 certSz, WOLFSSL_ASN_API int AddSignature(byte* buf, int bodySz, const byte* sig, int sigSz, int sigAlgoType); WOLFSSL_LOCAL int ParseCertRelative(DecodedCert* cert, int type, int verify, - void* cm); -WOLFSSL_LOCAL int ParseCertRelativeEx(DecodedCert* cert, int type, int verify, void* cm, Signer *extraCa); WOLFSSL_LOCAL int DecodeToKey(DecodedCert* cert, int verify); #ifdef WOLFSSL_ASN_TEMPLATE
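Review bot: The new last parameter is named `extraCa` in this prototype but `extraCAList` in the definition in asn.c, and its contract is not documented anywhere in the patch; using `Signer *extraCAList` in the prototype keeps the two in sync, and a short comment above the declaration should state what callers may pass, e.g. `/* extraCAList: optional extra Signer list (NULL if none) searched for the issuer in addition to the cert manager's CAs */`. Whether entries in that list are taken as trust anchors or must themselves chain to a CA in cm is not visible from this diff and should be spelled out in that comment, since several callers now pass NULL and two pass OCSP pending CAs.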