From f6f4c5579b38aee6ee7c1566d326c371fdbb4c1d Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 30 Jul 2024 14:40:45 +0200 Subject: [PATCH] Missing libspdm features - RsaFunctionPrivate: detect when only n,e,d are available - wolfSSL_EVP_add_digest: return success - wolfSSL_EVP_add_cipher: return success - wolfSSL_BN_bin2bn: accept NULL data if len is 0 (checked in mp_read_unsigned_bin) - wolfssl_read_bio: advance correct bio - wolfSSL_X509_set_ext: return raw extension data for BASIC_CA_OID - Implement - sk_X509_EXTENSION_free - d2i_EC_PUBKEY_bio - d2i_RSA_PUBKEY_bio - d2i_X509_REQ_INFO - X509_REQ_INFO_free - ASN1_TIME_set_string_X509 --- src/pk.c | 76 ++++++++++++++++++++++++++++++ src/ssl_asn1.c | 27 ++++++++--- src/ssl_bn.c | 7 ++- src/ssl_misc.c | 10 +++- src/x509.c | 85 +++++++++++++++++++-------------- tests/api.c | 106 +++++++++++++++++++++++++++++++++++++----- wolfcrypt/src/evp.c | 48 ++++++++++--------- wolfcrypt/src/rsa.c | 23 +++++++-- wolfcrypt/test/test.c | 6 +-- wolfssl/openssl/ec.h | 6 +++ wolfssl/openssl/pem.h | 3 ++ wolfssl/openssl/ssl.h | 5 ++ wolfssl/ssl.h | 7 ++- 13 files changed, 324 insertions(+), 85 deletions(-) diff --git a/src/pk.c b/src/pk.c index 0c74cc8aab..34cdf8d5b4 100644 --- a/src/pk.c +++ b/src/pk.c @@ -2052,6 +2052,32 @@ WOLFSSL_RSA *wolfSSL_PEM_read_bio_RSA_PUBKEY(WOLFSSL_BIO* bio, } return rsa; } + +WOLFSSL_RSA *wolfSSL_d2i_RSA_PUBKEY_bio(WOLFSSL_BIO *bio, WOLFSSL_RSA **out) +{ + char* data = NULL; + int dataSz = 0; + int memAlloced = 0; + WOLFSSL_RSA* rsa = NULL; + + WOLFSSL_ENTER("wolfSSL_d2i_RSA_PUBKEY_bio"); + + if (bio == NULL) + return NULL; + + if (wolfssl_read_bio(bio, &data, &dataSz, &memAlloced) != 0) { + if (memAlloced) + XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return NULL; + } + + rsa = wolfssl_rsa_d2i(out, (const unsigned char*)data, dataSz, + WOLFSSL_RSA_LOAD_PUBLIC); + if (memAlloced) + XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + return rsa; +} #endif /* !NO_BIO */ #ifndef NO_FILESYSTEM @@ -12342,6 +12368,56 @@ int wolfSSL_EC_KEY_LoadDer_ex(WOLFSSL_EC_KEY* key, const unsigned char* derBuf, return res; } + +#ifndef NO_BIO + +WOLFSSL_EC_KEY *wolfSSL_d2i_EC_PUBKEY_bio(WOLFSSL_BIO *bio, + WOLFSSL_EC_KEY **out) +{ + char* data = NULL; + int dataSz = 0; + int memAlloced = 0; + WOLFSSL_EC_KEY* ec = NULL; + int err = 0; + + WOLFSSL_ENTER("wolfSSL_d2i_EC_PUBKEY_bio"); + + if (bio == NULL) + return NULL; + + if (err == 0 && wolfssl_read_bio(bio, &data, &dataSz, &memAlloced) != 0) { + WOLFSSL_ERROR_MSG("wolfssl_read_bio failed"); + err = 1; + } + + if (err == 0 && (ec = wolfSSL_EC_KEY_new()) == NULL) { + WOLFSSL_ERROR_MSG("wolfSSL_EC_KEY_new failed"); + err = 1; + } + + /* Load the EC key with the public key from the DER encoding. */ + if (err == 0 && wolfSSL_EC_KEY_LoadDer_ex(ec, (const unsigned char*)data, + dataSz, WOLFSSL_EC_KEY_LOAD_PUBLIC) != 1) { + WOLFSSL_ERROR_MSG("wolfSSL_EC_KEY_LoadDer_ex failed"); + err = 1; + } + + if (memAlloced) + XFREE(data, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (err) { /* on error */ + wolfSSL_EC_KEY_free(ec); + ec = NULL; + } + else { /* on success */ + if (out != NULL) + *out = ec; + } + + return ec; +} + +#endif /* !NO_BIO */ + /* * EC key PEM APIs */ diff --git a/src/ssl_asn1.c b/src/ssl_asn1.c index b3a0ef3ef9..ea5bececbe 100644 --- a/src/ssl_asn1.c +++ b/src/ssl_asn1.c @@ -3986,7 +3986,7 @@ unsigned char* wolfSSL_ASN1_TIME_get_data(const WOLFSSL_ASN1_TIME *t) */ int wolfSSL_ASN1_TIME_check(const WOLFSSL_ASN1_TIME* a) { - int ret = 1; + int ret = WOLFSSL_SUCCESS; char buf[MAX_TIME_STRING_SZ]; WOLFSSL_ENTER("wolfSSL_ASN1_TIME_check"); @@ -3994,7 +3994,7 @@ int wolfSSL_ASN1_TIME_check(const WOLFSSL_ASN1_TIME* a) /* If can convert to human readable then format good. */ if (wolfSSL_ASN1_TIME_to_string((WOLFSSL_ASN1_TIME*)a, buf, MAX_TIME_STRING_SZ) == NULL) { - ret = 0; + ret = WOLFSSL_FAILURE; } return ret; @@ -4012,7 +4012,7 @@ int wolfSSL_ASN1_TIME_check(const WOLFSSL_ASN1_TIME* a) */ int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *t, const char *str) { - int ret = 1; + int ret = WOLFSSL_SUCCESS; int slen = 0; WOLFSSL_ENTER("wolfSSL_ASN1_TIME_set_string"); @@ -4021,15 +4021,15 @@ int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *t, const char *str) WOLFSSL_MSG("Bad parameter"); ret = 0; } - if (ret == 1) { + if (ret == WOLFSSL_SUCCESS) { /* Get length of string including NUL terminator. */ slen = (int)XSTRLEN(str) + 1; if (slen > CTC_DATE_SIZE) { WOLFSSL_MSG("Date string too long"); - ret = 0; + ret = WOLFSSL_FAILURE; } } - if ((ret == 1) && (t != NULL)) { + if ((ret == WOLFSSL_SUCCESS) && (t != NULL)) { /* Copy in string including NUL terminator. */ XMEMCPY(t->data, str, (size_t)slen); /* Do not include NUL terminator in length. */ @@ -4042,6 +4042,21 @@ int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *t, const char *str) return ret; } +int wolfSSL_ASN1_TIME_set_string_X509(WOLFSSL_ASN1_TIME *t, const char *str) +{ + int ret = WOLFSSL_SUCCESS; + + WOLFSSL_ENTER("wolfSSL_ASN1_TIME_set_string_X509"); + + if (t == NULL) + ret = WOLFSSL_FAILURE; + if (ret == WOLFSSL_SUCCESS) + ret = wolfSSL_ASN1_TIME_set_string(t, str); + if (ret == WOLFSSL_SUCCESS) + ret = wolfSSL_ASN1_TIME_check(t); + return ret; +} + /* Convert ASN.1 TIME object to ASN.1 GENERALIZED TIME object. * * @param [in] t ASN.1 TIME object. diff --git a/src/ssl_bn.c b/src/ssl_bn.c index d4ecee4f22..acd0e05ea5 100644 --- a/src/ssl_bn.c +++ b/src/ssl_bn.c @@ -492,7 +492,7 @@ WOLFSSL_BIGNUM* wolfSSL_BN_bin2bn(const unsigned char* data, int len, WOLFSSL_ENTER("wolfSSL_BN_bin2bn"); /* Validate parameters. */ - if ((data == NULL) || (len < 0)) { + if (len < 0) { ret = NULL; } /* Allocate a new big number when ret is NULL. */ @@ -507,7 +507,7 @@ WOLFSSL_BIGNUM* wolfSSL_BN_bin2bn(const unsigned char* data, int len, if (ret->internal == NULL) { ret = NULL; } - else { + else if (data != NULL) { /* Decode into big number. */ if (mp_read_unsigned_bin((mp_int*)ret->internal, data, (word32)len) != 0) { @@ -520,6 +520,9 @@ WOLFSSL_BIGNUM* wolfSSL_BN_bin2bn(const unsigned char* data, int len, bn = NULL; } } + else if (data == NULL) { + wolfSSL_BN_zero(ret); + } } /* Dispose of allocated BN not being returned. */ diff --git a/src/ssl_misc.c b/src/ssl_misc.c index 38fa511467..9a5f4b042a 100644 --- a/src/ssl_misc.c +++ b/src/ssl_misc.c @@ -165,7 +165,15 @@ static int wolfssl_read_bio(WOLFSSL_BIO* bio, char** data, int* dataSz, if (bio->type == WOLFSSL_BIO_MEMORY) { ret = wolfSSL_BIO_get_mem_data(bio, data); if (ret > 0) { - bio->rdIdx += ret; + /* Advance the write index in the memory bio */ + WOLFSSL_BIO* mem_bio = bio; + for (; mem_bio != NULL; mem_bio = mem_bio->next) { + if (mem_bio->type == WOLFSSL_BIO_MEMORY) + break; + } + if (mem_bio == NULL) + mem_bio = bio; /* Default to input */ + mem_bio->rdIdx += ret; } *memAlloced = 0; } diff --git a/src/x509.c b/src/x509.c index b16642d4ff..d62fcc2419 100644 --- a/src/x509.c +++ b/src/x509.c @@ -367,38 +367,6 @@ int wolfSSL_sk_X509_EXTENSION_push(WOLFSSL_STACK* sk,WOLFSSL_X509_EXTENSION* ext return wolfSSL_sk_push(sk, ext); } -/* Free the structure for X509_EXTENSION stack - * - * sk stack to free nodes in - */ -void wolfSSL_sk_X509_EXTENSION_free(WOLFSSL_STACK* sk) -{ - WOLFSSL_STACK* node; - - WOLFSSL_ENTER("wolfSSL_sk_X509_EXTENSION_free"); - - if (sk == NULL) { - return; - } - - /* parse through stack freeing each node */ - node = sk->next; - while ((node != NULL) && (sk->num > 1)) { - WOLFSSL_STACK* tmp = node; - node = node->next; - - wolfSSL_X509_EXTENSION_free(tmp->data.ext); - XFREE(tmp, NULL, DYNAMIC_TYPE_X509); - sk->num -= 1; - } - - /* free head of stack */ - if (sk->num == 1) { - wolfSSL_X509_EXTENSION_free(sk->data.ext); - } - XFREE(sk, NULL, DYNAMIC_TYPE_X509); -} - static WOLFSSL_STACK* generateExtStack(const WOLFSSL_X509 *x) { int numOfExt, i; @@ -872,11 +840,37 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) switch (oid) { case BASIC_CA_OID: + { + word32 dataIdx = idx; + word32 dummyOid; + int dataLen = 0; + if (!isSet) break; /* Set pathlength */ a = wolfSSL_ASN1_INTEGER_new(); - if (a == NULL) { + + /* Set the data */ + ret = GetObjectId(input, &dataIdx, &dummyOid, oidCertExtType, + (word32)sz) == 0; + if (ret && dataIdx < (word32)sz) { + /* Skip the critical information */ + if (input[dataIdx] == ASN_BOOLEAN) { + dataIdx++; + ret = GetLength(input, &dataIdx, &dataLen, sz) >= 0; + dataIdx += dataLen; + } + } + if (ret) { + ret = GetOctetString(input, &dataIdx, &dataLen, + (word32)sz) > 0; + } + if (ret) { + ret = wolfSSL_ASN1_STRING_set(&ext->value, input + dataIdx, + dataLen) == 1; + } + + if (a == NULL || !ret) { wolfSSL_X509_EXTENSION_free(ext); FreeDecodedCert(cert); #ifdef WOLFSSL_SMALL_STACK @@ -892,7 +886,7 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) ext->obj->ca = x509->isCa; ext->crit = x509->basicConstCrit; break; - + } case AUTH_INFO_OID: if (!isSet) break; @@ -3654,6 +3648,24 @@ WOLFSSL_X509* wolfSSL_X509_REQ_d2i(WOLFSSL_X509** x509, { return d2i_X509orX509REQ(x509, in, len, 1, NULL); } + +WOLFSSL_X509* wolfSSL_d2i_X509_REQ_INFO(WOLFSSL_X509** req, + const unsigned char** in, int len) +{ + WOLFSSL_X509* ret = NULL; + WOLFSSL_ENTER("wolfSSL_d2i_X509_REQ_INFO"); + + if (in == NULL) { + WOLFSSL_MSG("NULL input for wolfSSL_d2i_X509"); + return NULL; + } + + ret = wolfSSL_X509_REQ_d2i(req, *in, len); + if (ret != NULL) { + *in += ret->derCert->length; + } + return ret; +} #endif #endif /* KEEP_PEER_CERT || SESSION_CERTS || OPENSSL_EXTRA || @@ -5042,6 +5054,11 @@ void wolfSSL_sk_X509_EXTENSION_pop_free( wolfSSL_sk_pop_free(sk, (wolfSSL_sk_freefunc)f); } +void wolfSSL_sk_X509_EXTENSION_free(WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk) +{ + wolfSSL_sk_pop_free(sk, NULL); +} + #endif /* OPENSSL_EXTRA */ #if defined(OPENSSL_EXTRA) && !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) diff --git a/tests/api.c b/tests/api.c index 68b1d4c361..418d383322 100644 --- a/tests/api.c +++ b/tests/api.c @@ -43694,6 +43694,9 @@ static int test_wolfSSL_ASN1_TIME(void) ExpectIntEQ(ASN1_TIME_check(NULL), 0); ExpectIntEQ(ASN1_TIME_check(asn_time), 1); + ExpectIntEQ(ASN1_TIME_set_string_X509(asn_time, "101219181011Z"), 1); + ExpectIntEQ(ASN1_TIME_set_string_X509(asn_time, "101219181011Za"), 0); + ASN1_TIME_free(asn_time); ASN1_TIME_free(NULL); #endif @@ -48154,10 +48157,9 @@ static int test_wolfSSL_EVP_MD_size(void) /* error case */ wolfSSL_EVP_MD_CTX_init(&mdCtx); - ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, ""), BAD_FUNC_ARG); - ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), - BAD_FUNC_ARG); - ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_EVP_DigestInit(&mdCtx, ""), 0); + ExpectIntEQ(wolfSSL_EVP_MD_size(wolfSSL_EVP_MD_CTX_md(&mdCtx)), 0); + ExpectIntEQ(wolfSSL_EVP_MD_CTX_block_size(&mdCtx), 0); /* Cleanup is valid on uninit'ed struct */ ExpectIntEQ(wolfSSL_EVP_MD_CTX_cleanup(&mdCtx), 1); #endif /* OPENSSL_EXTRA */ @@ -51054,7 +51056,6 @@ static int test_wolfSSL_BN_enc_dec(void) XMEMSET(&emptyBN, 0, sizeof(emptyBN)); ExpectNotNull(a = BN_new()); ExpectNotNull(b = BN_new()); - ExpectIntEQ(BN_set_word(a, 2), 1); /* Invalid parameters */ ExpectIntEQ(BN_bn2bin(NULL, NULL), -1); @@ -51066,8 +51067,10 @@ static int test_wolfSSL_BN_enc_dec(void) ExpectNull(BN_bn2dec(NULL)); ExpectNull(BN_bn2dec(&emptyBN)); - ExpectNull(BN_bin2bn(NULL, sizeof(binNum), NULL)); - ExpectNull(BN_bin2bn(NULL, sizeof(binNum), a)); + ExpectNotNull(BN_bin2bn(NULL, sizeof(binNum), a)); + BN_free(a); + ExpectNotNull(a = BN_new()); + ExpectIntEQ(BN_set_word(a, 2), 1); ExpectNull(BN_bin2bn(binNum, -1, a)); ExpectNull(BN_bin2bn(binNum, -1, NULL)); ExpectNull(BN_bin2bn(binNum, sizeof(binNum), &emptyBN)); @@ -58051,6 +58054,10 @@ static int test_othername_and_SID_ext(void) { ExpectIntGT(X509_REQ_sign(x509, priv, EVP_sha256()), 0); pt = der; ExpectIntGT(derSz = i2d_X509_REQ(x509, &pt), 0); + X509_REQ_free(x509); + x509 = NULL; + pt = der; + ExpectNotNull(d2i_X509_REQ_INFO(&x509, (const unsigned char**)&pt, derSz)); sk_GENERAL_NAME_pop_free(gns, GENERAL_NAME_free); gns = NULL; sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); @@ -58059,7 +58066,6 @@ static int test_othername_and_SID_ext(void) { ASN1_OBJECT_free(sid_oid); ASN1_OCTET_STRING_free(sid_data); X509_REQ_free(x509); - x509 = NULL; EVP_PKEY_free(priv); /* At this point everything used to generate what is in der is cleaned up. @@ -60487,6 +60493,13 @@ static int test_wolfSSL_d2i_PrivateKeys_bio(void) sizeof_client_key_der_2048), 0); XFREE(bufPtr, NULL, DYNAMIC_TYPE_OPENSSL); + RSA_free(rsa); + rsa = NULL; + ExpectIntGT(BIO_write(bio, client_key_der_2048, + sizeof_client_key_der_2048), 0); + ExpectNotNull(d2i_RSA_PUBKEY_bio(bio, &rsa)); + (void)BIO_reset(bio); + RSA_free(rsa); rsa = RSA_new(); ExpectIntEQ(wolfSSL_i2d_RSAPrivateKey(rsa, NULL), 0); @@ -62474,9 +62487,9 @@ static int test_wolfSSL_EVP_PKEY_keygen(void) ExpectNotNull(ctx = EVP_PKEY_CTX_new(pkey, NULL)); /* Bad cases */ - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, &pkey), BAD_FUNC_ARG); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, NULL), BAD_FUNC_ARG); - ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, NULL), BAD_FUNC_ARG); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, &pkey), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, NULL), 0); + ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(NULL, NULL), 0); /* Good case */ ExpectIntEQ(wolfSSL_EVP_PKEY_keygen(ctx, &pkey), 0); @@ -71961,6 +71974,65 @@ static int test_wolfSSL_RSA(void) ExpectNotNull(rsa = RSA_generate_key(2048, 3, NULL, NULL)); ExpectIntEQ(RSA_size(rsa), 256); +#if !defined(HAVE_FIPS) || FIPS_VERSION3_GT(6,0,0) + { + /* Test setting only subset of parameters */ + RSA *rsa2 = NULL; + unsigned char hash[SHA256_DIGEST_LENGTH]; + unsigned char signature[2048/8]; + unsigned int signatureLen = 0; + + XMEMSET(hash, 0, sizeof(hash)); + RSA_get0_key(rsa, &n, &e, &d); + RSA_get0_factors(rsa, &p, &q); + RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp); + + ExpectIntEQ(RSA_sign(NID_sha256, hash, sizeof(hash), signature, + &signatureLen, rsa), 1); + /* Quick sanity check */ + ExpectIntEQ(RSA_verify(NID_sha256, hash, sizeof(hash), signature, + signatureLen, rsa), 1); + + /* Verifying */ + ExpectNotNull(rsa2 = RSA_new()); + ExpectIntEQ(RSA_set0_key(rsa2, BN_dup(n), BN_dup(e), NULL), 1); + ExpectIntEQ(RSA_verify(NID_sha256, hash, sizeof(hash), signature, + signatureLen, rsa2), 1); + ExpectIntEQ(RSA_set0_factors(rsa2, BN_dup(p), BN_dup(q)), 1); + ExpectIntEQ(RSA_verify(NID_sha256, hash, sizeof(hash), signature, + signatureLen, rsa2), 1); + ExpectIntEQ(RSA_set0_crt_params(rsa2, BN_dup(dmp1), BN_dup(dmq1), + BN_dup(iqmp)), 1); + ExpectIntEQ(RSA_verify(NID_sha256, hash, sizeof(hash), signature, + signatureLen, rsa2), 1); + RSA_free(rsa2); + rsa2 = NULL; + + /* Signing */ + XMEMSET(signature, 0, sizeof(signature)); + ExpectNotNull(rsa2 = RSA_new()); + ExpectIntEQ(RSA_set0_key(rsa2, BN_dup(n), BN_dup(e), BN_dup(d)), 1); + ExpectIntEQ(RSA_sign(NID_sha256, hash, sizeof(hash), signature, + &signatureLen, rsa2), 1); + ExpectIntEQ(RSA_verify(NID_sha256, hash, sizeof(hash), signature, + signatureLen, rsa), 1); + ExpectIntEQ(RSA_set0_factors(rsa2, BN_dup(p), BN_dup(q)), 1); + XMEMSET(signature, 0, sizeof(signature)); + ExpectIntEQ(RSA_sign(NID_sha256, hash, sizeof(hash), signature, + &signatureLen, rsa2), 1); + ExpectIntEQ(RSA_verify(NID_sha256, hash, sizeof(hash), signature, + signatureLen, rsa), 1); + ExpectIntEQ(RSA_set0_crt_params(rsa2, BN_dup(dmp1), BN_dup(dmq1), + BN_dup(iqmp)), 1); + ExpectIntEQ(RSA_sign(NID_sha256, hash, sizeof(hash), signature, + &signatureLen, rsa2), 1); + ExpectIntEQ(RSA_verify(NID_sha256, hash, sizeof(hash), signature, + signatureLen, rsa), 1); + RSA_free(rsa2); + rsa2 = NULL; + } +#endif + #ifdef WOLFSSL_RSA_KEY_CHECK ExpectIntEQ(RSA_check_key(NULL), 0); ExpectIntEQ(RSA_check_key(rsa), 1); @@ -75338,6 +75410,18 @@ static int test_EC_i2d(void) ExpectNull(d2i_ECPrivateKey(©, &tmp, 1)); ExpectNull(d2i_ECPrivateKey(&key, &tmp, 0)); + { + EC_KEY *pubkey = NULL; + BIO* bio = NULL; + + ExpectNotNull(bio = BIO_new(BIO_s_mem())); + ExpectIntGT(BIO_write(bio, buf, len), 0); + ExpectNotNull(d2i_EC_PUBKEY_bio(bio, &pubkey)); + + BIO_free(bio); + EC_KEY_free(pubkey); + } + ExpectIntEQ(i2d_ECPrivateKey(NULL, &p), 0); ExpectIntEQ(i2d_ECPrivateKey(NULL, NULL), 0); diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 024f0e0202..188fffebcc 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -1725,7 +1725,7 @@ int wolfSSL_EVP_DecryptFinal_legacy(WOLFSSL_EVP_CIPHER_CTX *ctx, { int fl; if (ctx == NULL || out == NULL || outl == NULL) - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; WOLFSSL_ENTER("wolfSSL_EVP_DecryptFinal_legacy"); if (ctx->block_size == 1) { @@ -1764,7 +1764,7 @@ int wolfSSL_EVP_DecryptFinal_legacy(WOLFSSL_EVP_CIPHER_CTX *ctx, int wolfSSL_EVP_CIPHER_CTX_block_size(const WOLFSSL_EVP_CIPHER_CTX *ctx) { - if (ctx == NULL) return BAD_FUNC_ARG; + if (ctx == NULL) return WOLFSSL_FAILURE; switch (ctx->cipherType) { #if !defined(NO_AES) || !defined(NO_DES3) || defined(WOLFSSL_SM4) #if !defined(NO_AES) @@ -2046,7 +2046,7 @@ static unsigned int cipherType(const WOLFSSL_EVP_CIPHER *cipher) int wolfSSL_EVP_CIPHER_block_size(const WOLFSSL_EVP_CIPHER *cipher) { if (cipher == NULL) - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; switch (cipherType(cipher)) { #if !defined(NO_AES) @@ -2306,7 +2306,7 @@ int wolfSSL_EVP_CIPHER_CTX_set_padding(WOLFSSL_EVP_CIPHER_CTX *ctx, int padding) { if (ctx == NULL) - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; if (padding) { ctx->flags &= (unsigned long)~WOLFSSL_EVP_CIPH_NO_PADDING; } @@ -2318,9 +2318,10 @@ int wolfSSL_EVP_CIPHER_CTX_set_padding(WOLFSSL_EVP_CIPHER_CTX *ctx, int wolfSSL_EVP_add_digest(const WOLFSSL_EVP_MD *digest) { - (void)digest; /* nothing to do */ - return 0; + if (digest == NULL) + return WOLFSSL_FAILURE; + return WOLFSSL_SUCCESS; } @@ -3444,7 +3445,7 @@ int wolfSSL_EVP_PKEY_keygen(WOLFSSL_EVP_PKEY_CTX *ctx, WOLFSSL_ENTER("wolfSSL_EVP_PKEY_keygen"); if (ctx == NULL || ppkey == NULL) { - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; } pkey = *ppkey; @@ -3454,7 +3455,7 @@ int wolfSSL_EVP_PKEY_keygen(WOLFSSL_EVP_PKEY_CTX *ctx, ctx->pkey->type != EVP_PKEY_RSA && ctx->pkey->type != EVP_PKEY_DH)) { WOLFSSL_MSG("Key not set or key type not supported"); - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; } pkey = wolfSSL_EVP_PKEY_new(); if (pkey == NULL) { @@ -4143,9 +4144,10 @@ int wolfSSL_EVP_VerifyFinal(WOLFSSL_EVP_MD_CTX *ctx, int wolfSSL_EVP_add_cipher(const WOLFSSL_EVP_CIPHER *cipher) { - (void)cipher; /* nothing to do */ - return 0; + if (cipher == NULL) + return WOLFSSL_FAILURE; + return WOLFSSL_SUCCESS; } @@ -4344,7 +4346,7 @@ static int wolfSSL_evp_digest_pk_init(WOLFSSL_EVP_MD_CTX *ctx, } type = wolfSSL_EVP_get_digestbynid(default_digest); if (type == NULL) { - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; } } @@ -4536,7 +4538,7 @@ int wolfSSL_EVP_DigestSignInit(WOLFSSL_EVP_MD_CTX *ctx, WOLFSSL_ENTER("EVP_DigestSignInit"); if (ctx == NULL || pkey == NULL) - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; return wolfSSL_evp_digest_pk_init(ctx, pctx, type, e, pkey); } @@ -4548,7 +4550,7 @@ int wolfSSL_EVP_DigestSignUpdate(WOLFSSL_EVP_MD_CTX *ctx, const void *d, WOLFSSL_ENTER("EVP_DigestSignUpdate"); if (ctx == NULL || d == NULL) - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; return wolfssl_evp_digest_pk_update(ctx, d, cnt); } @@ -4661,7 +4663,7 @@ int wolfSSL_EVP_DigestVerifyInit(WOLFSSL_EVP_MD_CTX *ctx, WOLFSSL_ENTER("EVP_DigestVerifyInit"); if (ctx == NULL || type == NULL || pkey == NULL) - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; return wolfSSL_evp_digest_pk_init(ctx, pctx, type, e, pkey); } @@ -4673,7 +4675,7 @@ int wolfSSL_EVP_DigestVerifyUpdate(WOLFSSL_EVP_MD_CTX *ctx, const void *d, WOLFSSL_ENTER("EVP_DigestVerifyUpdate"); if (ctx == NULL || d == NULL) - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; return wolfssl_evp_digest_pk_update(ctx, d, (unsigned int)cnt); } @@ -9348,7 +9350,7 @@ const WOLFSSL_EVP_MD* wolfSSL_EVP_ripemd160(void) int wolfSSL_EVP_MD_pkey_type(const WOLFSSL_EVP_MD* type) { - int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); + int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); WOLFSSL_ENTER("wolfSSL_EVP_MD_pkey_type"); @@ -9373,7 +9375,7 @@ int wolfSSL_EVP_MD_pkey_type(const WOLFSSL_EVP_MD* type) } } else { - ret = BAD_FUNC_ARG; + ret = WOLFSSL_FAILURE; } WOLFSSL_LEAVE("wolfSSL_EVP_MD_pkey_type", ret); @@ -10493,7 +10495,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type) WOLFSSL_ENTER("EVP_DigestInit"); if (ctx == NULL) { - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; } @@ -10591,7 +10593,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD* type) #endif { ctx->macType = WC_HASH_TYPE_NONE; - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; } return ret; @@ -10908,7 +10910,7 @@ int wolfSSL_EVP_MD_block_size(const WOLFSSL_EVP_MD* type) if (type == NULL) { WOLFSSL_MSG("No md type arg"); - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; } #ifndef NO_SHA @@ -10974,7 +10976,7 @@ int wolfSSL_EVP_MD_block_size(const WOLFSSL_EVP_MD* type) } else #endif - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; } int wolfSSL_EVP_MD_size(const WOLFSSL_EVP_MD* type) @@ -10983,7 +10985,7 @@ int wolfSSL_EVP_MD_size(const WOLFSSL_EVP_MD* type) if (type == NULL) { WOLFSSL_MSG("No md type arg"); - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; } #ifndef NO_SHA @@ -11059,7 +11061,7 @@ int wolfSSL_EVP_MD_size(const WOLFSSL_EVP_MD* type) } #endif - return BAD_FUNC_ARG; + return WOLFSSL_FAILURE; } #endif /* OPENSSL_EXTRA || HAVE_CURL */ diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 4c7d3a0e89..c8c5aae060 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -2392,7 +2392,10 @@ static int RsaFunction_SP(const byte* in, word32 inLen, byte* out, #endif #ifndef RSA_LOW_MEM if ((mp_count_bits(&key->p) == 1024) && - (mp_count_bits(&key->q) == 1024)) { + (mp_count_bits(&key->q) == 1024) && + (mp_count_bits(&key->dP) > 0) && + (mp_count_bits(&key->dQ) > 0) && + (mp_count_bits(&key->u) > 0)) { return sp_RsaPrivate_2048(in, inLen, &key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u, &key->n, out, outLen); @@ -2423,7 +2426,10 @@ static int RsaFunction_SP(const byte* in, word32 inLen, byte* out, #endif #ifndef RSA_LOW_MEM if ((mp_count_bits(&key->p) == 1536) && - (mp_count_bits(&key->q) == 1536)) { + (mp_count_bits(&key->q) == 1536) && + (mp_count_bits(&key->dP) > 0) && + (mp_count_bits(&key->dQ) > 0) && + (mp_count_bits(&key->u) > 0)) { return sp_RsaPrivate_3072(in, inLen, &key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u, &key->n, out, outLen); @@ -2454,7 +2460,10 @@ static int RsaFunction_SP(const byte* in, word32 inLen, byte* out, #endif #ifndef RSA_LOW_MEM if ((mp_count_bits(&key->p) == 2048) && - (mp_count_bits(&key->q) == 2048)) { + (mp_count_bits(&key->q) == 2048) && + (mp_count_bits(&key->dP) > 0) && + (mp_count_bits(&key->dQ) > 0) && + (mp_count_bits(&key->u) > 0)) { return sp_RsaPrivate_4096(in, inLen, &key->d, &key->p, &key->q, &key->dP, &key->dQ, &key->u, &key->n, out, outLen); @@ -2551,7 +2560,13 @@ static int RsaFunctionPrivate(mp_int* tmp, RsaKey* key, WC_RNG* rng) } } #else - if (ret == 0) { + if (ret == 0 && (mp_iszero(&key->p) || mp_iszero(&key->q) || + mp_iszero(&key->dP) || mp_iszero(&key->dQ))) { + if (mp_exptmod(tmp, &key->d, &key->n, tmp) != MP_OKAY) { + ret = MP_EXPTMOD_E; + } + } + else if (ret == 0) { mp_int* tmpa = tmp; #if defined(WC_RSA_BLINDING) && !defined(WC_NO_RNG) mp_int* tmpb = rnd; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 39f1be94f6..33768ff923 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -25487,7 +25487,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t openssl_test(void) if (wolfSSL_EVP_DecryptFinal_ex(NULL, NULL, NULL) != WOLFSSL_FAILURE) return WC_TEST_RET_ENC_NC; - if (EVP_CIPHER_CTX_block_size(NULL) != BAD_FUNC_ARG) + if (EVP_CIPHER_CTX_block_size(NULL) != WOLFSSL_FAILURE) return WC_TEST_RET_ENC_NC; if (wolfSSL_EVP_CIPHER_CTX_cleanup(en) != WOLFSSL_SUCCESS) @@ -25498,7 +25498,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t openssl_test(void) if (EVP_CIPHER_CTX_block_size(en) != en->block_size) return WC_TEST_RET_ENC_NC; - if (EVP_CIPHER_block_size(NULL) != BAD_FUNC_ARG) + if (EVP_CIPHER_block_size(NULL) != WOLFSSL_FAILURE) return WC_TEST_RET_ENC_NC; if (EVP_CIPHER_block_size(EVP_aes_128_cbc()) != AES_BLOCK_SIZE) @@ -25515,7 +25515,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t openssl_test(void) if (en->flags != 42) return WC_TEST_RET_ENC_NC; - if (EVP_CIPHER_CTX_set_padding(NULL, 0) != BAD_FUNC_ARG) + if (EVP_CIPHER_CTX_set_padding(NULL, 0) != WOLFSSL_FAILURE) return WC_TEST_RET_ENC_NC; if (EVP_CIPHER_CTX_set_padding(en, 0) != WOLFSSL_SUCCESS) return WC_TEST_RET_ENC_NC; diff --git a/wolfssl/openssl/ec.h b/wolfssl/openssl/ec.h index 39faf95f2c..c7b0cfffa9 100644 --- a/wolfssl/openssl/ec.h +++ b/wolfssl/openssl/ec.h @@ -26,6 +26,7 @@ #include #include +#include #include #include @@ -205,6 +206,9 @@ WOLFSSL_API int wolfSSL_EC_KEY_LoadDer_ex(WOLFSSL_EC_KEY* key, const unsigned char* der, int derSz, int opt); WOLFSSL_API +WOLFSSL_EC_KEY *wolfSSL_d2i_EC_PUBKEY_bio(WOLFSSL_BIO *bio, + WOLFSSL_EC_KEY **out); +WOLFSSL_API void wolfSSL_EC_KEY_free(WOLFSSL_EC_KEY *key); WOLFSSL_API WOLFSSL_EC_POINT *wolfSSL_EC_KEY_get0_public_key(const WOLFSSL_EC_KEY *key); @@ -371,6 +375,8 @@ typedef WOLFSSL_EC_KEY_METHOD EC_KEY_METHOD; #define EC_KEY_check_key wolfSSL_EC_KEY_check_key #define EC_KEY_print_fp wolfSSL_EC_KEY_print_fp +#define d2i_EC_PUBKEY_bio wolfSSL_d2i_EC_PUBKEY_bio + #define ECDSA_size wolfSSL_ECDSA_size #define ECDSA_sign wolfSSL_ECDSA_sign #define ECDSA_verify wolfSSL_ECDSA_verify diff --git a/wolfssl/openssl/pem.h b/wolfssl/openssl/pem.h index 27cc12dea1..0cfaedd0d3 100644 --- a/wolfssl/openssl/pem.h +++ b/wolfssl/openssl/pem.h @@ -56,6 +56,8 @@ WOLFSSL_API WOLFSSL_RSA *wolfSSL_PEM_read_bio_RSA_PUBKEY(WOLFSSL_BIO* bio, WOLFSSL_RSA** rsa, wc_pem_password_cb* cb, void *u); +WOLFSSL_API +WOLFSSL_RSA *wolfSSL_d2i_RSA_PUBKEY_bio(WOLFSSL_BIO *bio, WOLFSSL_RSA **out); WOLFSSL_API WOLFSSL_EC_GROUP* wolfSSL_PEM_read_bio_ECPKParameters(WOLFSSL_BIO* bio, @@ -252,6 +254,7 @@ int wolfSSL_PEM_write_DHparams(XFILE fp, WOLFSSL_DH* dh); #define PEM_read_RSA_PUBKEY wolfSSL_PEM_read_RSA_PUBKEY #define PEM_write_RSAPublicKey wolfSSL_PEM_write_RSAPublicKey #define PEM_read_RSAPublicKey wolfSSL_PEM_read_RSAPublicKey +#define d2i_RSA_PUBKEY_bio wolfSSL_d2i_RSA_PUBKEY_bio /* DSA */ #define PEM_write_bio_DSAPrivateKey wolfSSL_PEM_write_bio_DSAPrivateKey #define PEM_write_DSAPrivateKey wolfSSL_PEM_write_DSAPrivateKey diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 1a99437568..b4c2114160 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -82,6 +82,7 @@ typedef WOLFSSL_CTX SSL_CTX; typedef WOLFSSL_X509 X509; typedef WOLFSSL_X509 X509_REQ; +typedef WOLFSSL_X509 X509_REQ_INFO; typedef WOLFSSL_X509_NAME X509_NAME; typedef WOLFSSL_X509_INFO X509_INFO; typedef WOLFSSL_X509_CHAIN X509_CHAIN; @@ -426,6 +427,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define d2i_X509_fp wolfSSL_d2i_X509_fp #define i2d_X509 wolfSSL_i2d_X509 #define d2i_X509 wolfSSL_d2i_X509 +#define d2i_X509_REQ_INFO wolfSSL_d2i_X509_REQ_INFO #define PEM_read_bio_X509 wolfSSL_PEM_read_bio_X509 #define PEM_read_bio_X509_REQ wolfSSL_PEM_read_bio_X509_REQ #define PEM_read_X509_REQ wolfSSL_PEM_read_X509_REQ @@ -443,6 +445,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define d2i_X509_REQ wolfSSL_d2i_X509_REQ #define X509_REQ_new wolfSSL_X509_REQ_new #define X509_REQ_free wolfSSL_X509_REQ_free +#define X509_REQ_INFO_free wolfSSL_X509_REQ_free #define X509_REQ_sign wolfSSL_X509_REQ_sign #define X509_REQ_sign_ctx wolfSSL_X509_REQ_sign_ctx #define X509_REQ_add_extensions wolfSSL_X509_REQ_add_extensions @@ -565,6 +568,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; #define sk_X509_EXTENSION_new_null wolfSSL_sk_X509_EXTENSION_new_null #define sk_X509_EXTENSION_pop_free wolfSSL_sk_X509_EXTENSION_pop_free #define sk_X509_EXTENSION_push wolfSSL_sk_X509_EXTENSION_push +#define sk_X509_EXTENSION_free wolfSSL_sk_X509_EXTENSION_free #define X509_INFO_new wolfSSL_X509_INFO_new #define X509_INFO_free wolfSSL_X509_INFO_free @@ -878,6 +882,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_ #endif #define ASN1_TIME_set wolfSSL_ASN1_TIME_set #define ASN1_TIME_set_string wolfSSL_ASN1_TIME_set_string +#define ASN1_TIME_set_string_X509 wolfSSL_ASN1_TIME_set_string_X509 #define ASN1_GENERALIZEDTIME_set_string wolfSSL_ASN1_TIME_set_string #define ASN1_GENERALIZEDTIME_print wolfSSL_ASN1_GENERALIZEDTIME_print diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 09b953e961..ba7cf54866 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1642,6 +1642,8 @@ WOLFSSL_API void wolfSSL_ACCESS_DESCRIPTION_free(WOLFSSL_ACCESS_DESCRIPTION* a); WOLFSSL_API void wolfSSL_sk_X509_EXTENSION_pop_free( WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk, void (*f) (WOLFSSL_X509_EXTENSION*)); +WOLFSSL_API void wolfSSL_sk_X509_EXTENSION_free( + WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* sk); WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_EXTENSION)* wolfSSL_sk_X509_EXTENSION_new_null(void); WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_new(void); WOLFSSL_API WOLFSSL_ASN1_OBJECT* wolfSSL_ASN1_OBJECT_dup(WOLFSSL_ASN1_OBJECT* obj); @@ -2827,6 +2829,8 @@ WOLFSSL_API int wolfSSL_ASN1_TIME_compare(const WOLFSSL_ASN1_TIME *a, #ifdef OPENSSL_EXTRA WOLFSSL_API WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_set(WOLFSSL_ASN1_TIME *s, time_t t); WOLFSSL_API int wolfSSL_ASN1_TIME_set_string(WOLFSSL_ASN1_TIME *s, const char *str); +WOLFSSL_API int wolfSSL_ASN1_TIME_set_string_X509(WOLFSSL_ASN1_TIME *t, + const char *str); #endif WOLFSSL_API int wolfSSL_sk_num(const WOLFSSL_STACK* sk); @@ -2966,6 +2970,8 @@ WOLFSSL_API WOLFSSL_X509* #ifdef WOLFSSL_CERT_REQ WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_d2i(WOLFSSL_X509** x509, const unsigned char* in, int len); +WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509_REQ_INFO(WOLFSSL_X509** req, + const unsigned char** in, int len); #endif WOLFSSL_API int wolfSSL_i2d_X509(WOLFSSL_X509* x509, unsigned char** out); WOLFSSL_API WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL **crl, @@ -4510,7 +4516,6 @@ WOLFSSL_API WOLFSSL_X509_EXTENSION* wolfSSL_X509_EXTENSION_dup( WOLFSSL_X509_EXTENSION* src); WOLFSSL_API int wolfSSL_sk_X509_EXTENSION_push(WOLFSSL_STACK* sk, WOLFSSL_X509_EXTENSION* ext); -WOLFSSL_API void wolfSSL_sk_X509_EXTENSION_free(WOLFSSL_STACK* sk); WOLFSSL_API void wolfSSL_X509_EXTENSION_free(WOLFSSL_X509_EXTENSION* ext_to_free); WOLFSSL_API WOLFSSL_STACK* wolfSSL_sk_new_x509_ext(void); #endif