Changed the DecodedCert's der pointer to be a pointer to const. The

DecodedCert doesn't own the der value, so it should be const. Had to
make many other changes downstream of this.
John Safranek 2018-09-25 12:55:52 -07:00
parent c4e1cdf335
commit 18a27cfe75
6 changed files with 70 additions and 59 deletions


@ -8163,6 +8163,7 @@ static WC_INLINE int RestoreCertRow(WOLFSSL_CERT_MANAGER* cm, byte* current,
while (listSz) {
Signer* signer;
byte* publicKey;
byte* start = current + idx; /* for end checks on this signer */
int minSz = sizeof(signer->pubKeySize) + sizeof(signer->keyOID) +
sizeof(signer->nameLen) + sizeof(signer->subjectNameHash);
@ -8192,14 +8193,15 @@ static WC_INLINE int RestoreCertRow(WOLFSSL_CERT_MANAGER* cm, byte* current,
FreeSigner(signer, cm->heap);
return BUFFER_E;
}
signer->publicKey = (byte*)XMALLOC(signer->pubKeySize, cm->heap,
DYNAMIC_TYPE_KEY);
if (signer->publicKey == NULL) {
publicKey = (byte*)XMALLOC(signer->pubKeySize, cm->heap,
DYNAMIC_TYPE_KEY);
if (publicKey == NULL) {
FreeSigner(signer, cm->heap);
return MEMORY_E;
}
XMEMCPY(signer->publicKey, current + idx, signer->pubKeySize);
XMEMCPY(publicKey, current + idx, signer->pubKeySize);
signer->publicKey = publicKey;
idx += signer->pubKeySize;
/* nameLen */
@ -15502,7 +15504,7 @@ void wolfSSL_ASN1_OBJECT_free(WOLFSSL_ASN1_OBJECT* obj)
if (obj->dynamic == 1) {
if (obj->obj != NULL) {
WOLFSSL_MSG("Freeing ASN1 OBJECT data");
XFREE(obj->obj, obj->heap, DYNAMIC_TYPE_ASN1);
XFREE((void*)obj->obj, obj->heap, DYNAMIC_TYPE_ASN1);
}
}
@ -30170,7 +30172,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
wolfSSL_ASN1_OBJECT_free(obj);
return NULL;
}
XMEMCPY(obj->obj, objBuf, obj->objSz);
XMEMCPY((byte*)obj->obj, objBuf, obj->objSz);
(void)type;
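Review bot: `XMEMCPY((byte*)obj->obj, objBuf, obj->objSz);` writes through the pointer this commit has just made const, so the cast defeats the qualifier at the one place it could have caught a mistake. The RestoreCertRow hunk earlier in this file shows the cleaner pattern: fill a local `byte*`, then assign it to the const field. Doing the same here (keep the new buffer in a local, copy `objBuf` into it, then `obj->obj = buf;`) would leave only the `XFREE((void*)obj->obj, ...)` cast, which cannot be avoided. The allocation of `obj->obj` is outside the hunk, so the place to introduce the local has to be checked against the full function.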


@ -3766,7 +3766,8 @@ int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen)
#endif /* NO_DSA */
void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
void InitDecodedCert(DecodedCert* cert,
const byte* source, word32 inSz, void* heap)
{
if (cert != NULL) {
XMEMSET(cert, 0, sizeof(DecodedCert));
@ -3826,7 +3827,7 @@ void FreeDecodedCert(DecodedCert* cert)
if (cert->subjectCNStored == 1)
XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN);
if (cert->pubKeyStored == 1)
XFREE(cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
XFREE((void*)cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);
if (cert->weOwnAltNames && cert->altNames)
FreeAltNames(cert->altNames, cert->heap);
#ifndef IGNORE_NAME_CONSTRAINTS
@ -3954,6 +3955,7 @@ static int GetKey(DecodedCert* cert)
word16 keyLen;
word32 rc;
word32 remaining = cert->maxIdx - cert->srcIdx;
byte* publicKey;
#ifdef WOLFSSL_SMALL_STACK
byte* keyBlob = NULL;
#else
@ -3991,15 +3993,16 @@ static int GetKey(DecodedCert* cert)
cert->srcIdx = tmpIdx + (int)(next - key);
cert->publicKey = (byte*)XMALLOC(keyLen, cert->heap,
DYNAMIC_TYPE_PUBLIC_KEY);
if (cert->publicKey == NULL) {
publicKey = (byte*)XMALLOC(keyLen, cert->heap,
DYNAMIC_TYPE_PUBLIC_KEY);
if (publicKey == NULL) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(keyBlob, cert->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return MEMORY_E;
}
XMEMCPY(cert->publicKey, keyBlob, keyLen);
XMEMCPY(publicKey, keyBlob, keyLen);
cert->publicKey = publicKey;
cert->pubKeyStored = 1;
cert->pubKeySize = keyLen;
@ -4016,6 +4019,7 @@ static int GetKey(DecodedCert* cert)
int ret;
byte seq[5];
int pubLen = length + 1 + SetLength(length, seq);
byte* publicKey;
if (cert->source[cert->srcIdx] !=
(ASN_SEQUENCE | ASN_CONSTRUCTED)) {
@ -4033,11 +4037,12 @@ static int GetKey(DecodedCert* cert)
return ret;
}
cert->publicKey = (byte*)XMALLOC(pubLen, cert->heap,
DYNAMIC_TYPE_PUBLIC_KEY);
if (cert->publicKey == NULL)
publicKey = (byte*)XMALLOC(pubLen, cert->heap,
DYNAMIC_TYPE_PUBLIC_KEY);
if (publicKey == NULL)
return MEMORY_E;
XMEMCPY(cert->publicKey, &cert->source[tmpIdx], pubLen);
XMEMCPY(publicKey, &cert->source[tmpIdx], pubLen);
cert->publicKey = publicKey;
cert->pubKeyStored = 1;
cert->pubKeySize = pubLen;
@ -4049,6 +4054,7 @@ static int GetKey(DecodedCert* cert)
#ifdef HAVE_ED25519
case ED25519k:
{
byte* publicKey;
int ret;
cert->pkCurveOID = ED25519k;
@ -4058,11 +4064,12 @@ static int GetKey(DecodedCert* cert)
if (ret != 0)
return ret;
cert->publicKey = (byte*) XMALLOC(length, cert->heap,
DYNAMIC_TYPE_PUBLIC_KEY);
if (cert->publicKey == NULL)
publicKey = (byte*) XMALLOC(length, cert->heap,
DYNAMIC_TYPE_PUBLIC_KEY);
if (publicKey == NULL)
return MEMORY_E;
XMEMCPY(cert->publicKey, &cert->source[cert->srcIdx], length);
XMEMCPY(publicKey, &cert->source[cert->srcIdx], length);
cert->publicKey = publicKey;
cert->pubKeyStored = 1;
cert->pubKeySize = length;
@ -5934,7 +5941,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
#endif /* IGNORE_NAME_CONSTRAINTS */
static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
static int DecodeAltNames(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length = 0;
@ -6191,7 +6198,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
return 0;
}
static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
static int DecodeBasicCaConstraint(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length = 0;
@ -6238,7 +6245,7 @@ static int DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
#define GENERALNAME_URI 6
/* From RFC3280 SS4.2.1.7, GeneralName */
static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
static int DecodeCrlDist(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length = 0;
@ -6319,7 +6326,7 @@ static int DecodeCrlDist(byte* input, int sz, DecodedCert* cert)
}
static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
static int DecodeAuthInfo(const byte* input, int sz, DecodedCert* cert)
/*
* Read the first of the Authority Information Access records. If there are
* any issues, return without saving the record.
@ -6365,7 +6372,7 @@ static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
}
static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
static int DecodeAuthKeyId(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length = 0, ret = 0;
@ -6402,7 +6409,7 @@ static int DecodeAuthKeyId(byte* input, int sz, DecodedCert* cert)
}
static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
static int DecodeSubjKeyId(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length = 0, ret = 0;
@ -6431,7 +6438,7 @@ static int DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert)
}
static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
static int DecodeKeyUsage(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length;
@ -6450,7 +6457,7 @@ static int DecodeKeyUsage(byte* input, int sz, DecodedCert* cert)
}
static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
static int DecodeExtKeyUsage(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0, oid;
int length, ret;
@ -6509,7 +6516,8 @@ static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
#ifndef IGNORE_NAME_CONSTRAINTS
#define ASN_TYPE_MASK 0xF
static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
static int DecodeSubtree(const byte* input, int sz,
Base_entry** head, void* heap)
{
word32 idx = 0;
@ -6576,7 +6584,7 @@ static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
}
static int DecodeNameConstraints(byte* input, int sz, DecodedCert* cert)
static int DecodeNameConstraints(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length = 0;
@ -6651,7 +6659,7 @@ static int Word32ToString(char* d, word32 number)
/* Decode ITU-T X.690 OID format to a string representation
* return string length */
int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
int DecodePolicyOID(char *out, word32 outSz, const byte *in, word32 inSz)
{
word32 val, idx = 0, nb_bytes;
size_t w_bytes = 0;
@ -6704,7 +6712,7 @@ int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
/* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */
static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
static int DecodeCertPolicy(const byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
word32 oldIdx;
@ -6822,7 +6830,7 @@ static int DecodeCertExtensions(DecodedCert* cert)
int ret = 0;
word32 idx = 0;
int sz = cert->extensionsSz;
byte* input = cert->extensions;
const byte* input = cert->extensions;
int length;
word32 oid;
byte critical = 0;
@ -7598,7 +7606,7 @@ Signer* MakeSigner(void* heap)
void FreeSigner(Signer* signer, void* heap)
{
XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN);
XFREE(signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
XFREE((void*)signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
#ifndef IGNORE_NAME_CONSTRAINTS
if (signer->permittedNames)
FreeNameSubtrees(signer->permittedNames, heap);
@ -11833,7 +11841,7 @@ int wc_SetAuthKeyIdFromCert(Cert *cert, const byte *der, int derSz)
#endif
/* decode certificate and get SKID that will be AKID of current cert */
InitDecodedCert(decoded, (byte*)der, derSz, NULL);
InitDecodedCert(decoded, der, derSz, NULL);
ret = ParseCert(decoded, CERT_TYPE, NO_VERIFY, 0);
if (ret != 0) {
FreeDecodedCert(decoded);
@ -12077,7 +12085,7 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
return MEMORY_E;
#endif
InitDecodedCert(decoded, (byte*)der, derSz, NULL);
InitDecodedCert(decoded, der, derSz, NULL);
ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
if (ret < 0) {
@ -12173,7 +12181,7 @@ static int SetDatesFromCert(Cert* cert, const byte* der, int derSz)
return MEMORY_E;
#endif
InitDecodedCert(decoded, (byte*)der, derSz, NULL);
InitDecodedCert(decoded, der, derSz, NULL);
ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
if (ret < 0) {
@ -12227,7 +12235,7 @@ static int SetNameFromCert(CertName* cn, const byte* der, int derSz)
return MEMORY_E;
#endif
InitDecodedCert(decoded, (byte*)der, derSz, NULL);
InitDecodedCert(decoded, der, derSz, NULL);
ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
if (ret < 0) {
@ -12353,7 +12361,7 @@ static int SetSubjectRawFromCert(byte* sbjRaw, const byte* der, int derSz)
}
#endif
InitDecodedCert(decoded, (byte*)der, derSz, NULL);
InitDecodedCert(decoded, der, derSz, NULL);
ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
if (ret < 0) {
@ -12405,7 +12413,7 @@ static int SetIssuerRawFromCert(byte* issuerRaw, const byte* der, int derSz)
}
#endif
InitDecodedCert(decoded, (byte*)der, derSz, NULL);
InitDecodedCert(decoded, der, derSz, NULL);
ret = ParseCertRelative(decoded, CA_TYPE, NO_VERIFY, 0);
if (ret < 0) {
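Review bot: The three GetKey hunks each repeat the same steps (allocate a local `byte* publicKey`, NULL-check, copy, assign to `cert->publicKey`, set `pubKeyStored` and `pubKeySize`), and with the field now const, `pubKeyStored` is the only thing telling FreeDecodedCert whether the pointer may be freed. A small static helper would keep the pointer and the ownership flag from drifting apart when another key type is added. GetKey starts and ends outside these hunks, so the call site below is a sketch; the small-stack branch would still have to free `keyBlob` on failure as it does now.

```c
/* Store an owned copy of len key bytes in cert; FreeDecodedCert releases it
 * because pubKeyStored is set. */
static int StorePublicKeyCopy(DecodedCert* cert, const byte* src, word32 len)
{
    byte* publicKey = (byte*)XMALLOC(len, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY);

    if (publicKey == NULL)
        return MEMORY_E;
    XMEMCPY(publicKey, src, len);
    cert->publicKey    = publicKey;
    cert->pubKeyStored = 1;
    cert->pubKeySize   = len;
    return 0;
}

/* ... unchanged: ED25519k case up to the existing `if (ret != 0) return ret;` ... */
ret = StorePublicKeyCopy(cert, &cert->source[cert->srcIdx], (word32)length);
if (ret != 0)
    return ret;
```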


@ -3394,7 +3394,7 @@ struct WOLFSSL_X509 {
byte* authKeyId;
byte* subjKeyId;
byte* extKeyUsageSrc;
byte* CRLInfo;
const byte* CRLInfo;
byte* authInfo;
word32 pathLength;
word16 keyUsage;
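Review bot: `const byte* CRLInfo;` is the only pointer in this run of fields that changes, and nothing here says why it differs from `authInfo`, `authKeyId` or `subjKeyId`. If CRLInfo is assigned from `DecodedCert.extCrlInfo` rather than from an owned copy (the assignment is not on this page), it points into a DER buffer the X509 object does not control. That lifetime requirement deserves a field comment, for example `/* not owned; valid only while the source DER buffer is */`.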


@ -212,7 +212,7 @@ struct WOLFSSL_ASN1_STRING {
#define WOLFSSL_MAX_SNAME 40
struct WOLFSSL_ASN1_OBJECT {
void* heap;
unsigned char* obj;
const unsigned char* obj;
/* sName is short name i.e sha256 rather than oid (null terminated) */
char sName[WOLFSSL_MAX_SNAME];
int type; /* oid */
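Review bot: `const unsigned char* obj;` now reads as borrowed data, yet wolfSSL_ASN1_OBJECT_free in this same commit frees it when `dynamic == 1`. A field comment would make the dual role explicit, for example `/* freed by wolfSSL_ASN1_OBJECT_free only when dynamic == 1 */`.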


@ -611,7 +611,7 @@ typedef struct CertSignCtx CertSignCtx;
struct DecodedCert {
byte* publicKey;
const byte* publicKey;
word32 pubKeySize;
int pubKeyStored;
word32 certBegin; /* offset to start of cert */
@ -631,25 +631,25 @@ struct DecodedCert {
#ifdef HAVE_OCSP
byte issuerKeyHash[KEYID_SIZE]; /* hash of the public Key */
#endif /* HAVE_OCSP */
byte* signature; /* not owned, points into raw cert */
const byte* signature; /* not owned, points into raw cert */
char* subjectCN; /* CommonName */
int subjectCNLen; /* CommonName Length */
char subjectCNEnc; /* CommonName Encoding */
char issuer[ASN_NAME_MAX]; /* full name including common name */
char subject[ASN_NAME_MAX]; /* full name including common name */
int verify; /* Default to yes, but could be off */
byte* source; /* byte buffer holder cert, NOT owner */
const byte* source; /* byte buffer holder cert, NOT owner */
word32 srcIdx; /* current offset into buffer */
word32 maxIdx; /* max offset based on init size */
void* heap; /* for user memory overrides */
byte serial[EXTERNAL_SERIAL_SIZE]; /* raw serial number */
int serialSz; /* raw serial bytes stored */
byte* extensions; /* not owned, points into raw cert */
const byte* extensions; /* not owned, points into raw cert */
int extensionsSz; /* length of cert extensions */
word32 extensionsIdx; /* if want to go back and parse later */
byte* extAuthInfo; /* Authority Information Access URI */
const byte* extAuthInfo; /* Authority Information Access URI */
int extAuthInfoSz; /* length of the URI */
byte* extCrlInfo; /* CRL Distribution Points */
const byte* extCrlInfo; /* CRL Distribution Points */
int extCrlInfoSz; /* length of the URI */
byte extSubjKeyId[KEYID_SIZE]; /* Subject Key ID */
byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */
@ -658,28 +658,28 @@ struct DecodedCert {
byte extExtKeyUsage; /* Extended Key usage bitfield */
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
byte* extExtKeyUsageSrc;
const byte* extExtKeyUsageSrc;
word32 extExtKeyUsageSz;
word32 extExtKeyUsageCount;
byte* extAuthKeyIdSrc;
const byte* extAuthKeyIdSrc;
word32 extAuthKeyIdSz;
byte* extSubjKeyIdSrc;
const byte* extSubjKeyIdSrc;
word32 extSubjKeyIdSz;
#endif
#if defined(HAVE_ECC) || defined(HAVE_ED25519)
word32 pkCurveOID; /* Public Key's curve OID */
#endif /* HAVE_ECC */
byte* beforeDate;
const byte* beforeDate;
int beforeDateLen;
byte* afterDate;
const byte* afterDate;
int afterDateLen;
#if defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT)
byte* issuerRaw; /* pointer to issuer inside source */
const byte* issuerRaw; /* pointer to issuer inside source */
int issuerRawLen;
#endif
#ifndef IGNORE_NAME_CONSTRAINT
byte* subjectRaw; /* pointer to subject inside source */
const byte* subjectRaw; /* pointer to subject inside source */
int subjectRawLen;
#endif
#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT)
@ -793,7 +793,7 @@ struct Signer {
word16 keyUsage;
byte pathLength;
byte pathLengthSet;
byte* publicKey;
const byte* publicKey;
int nameLen;
char* name; /* common name */
#ifndef IGNORE_NAME_CONSTRAINTS
@ -858,11 +858,12 @@ WOLFSSL_ASN_API void FreeAltNames(DNS_entry*, void*);
#ifndef IGNORE_NAME_CONSTRAINTS
WOLFSSL_ASN_API void FreeNameSubtrees(Base_entry*, void*);
#endif /* IGNORE_NAME_CONSTRAINTS */
WOLFSSL_ASN_API void InitDecodedCert(DecodedCert*, byte*, word32, void*);
WOLFSSL_ASN_API void InitDecodedCert(DecodedCert*, const byte*, word32, void*);
WOLFSSL_ASN_API void FreeDecodedCert(DecodedCert*);
WOLFSSL_ASN_API int ParseCert(DecodedCert*, int type, int verify, void* cm);
WOLFSSL_LOCAL int DecodePolicyOID(char *o, word32 oSz, byte *in, word32 inSz);
WOLFSSL_LOCAL int DecodePolicyOID(char *o, word32 oSz,
const byte *in, word32 inSz);
WOLFSSL_API int CheckCertSignature(const byte*,word32,void*,void* cm);
WOLFSSL_LOCAL int ParseCertRelative(DecodedCert*,int type,int verify,void* cm);
WOLFSSL_LOCAL int DecodeToKey(DecodedCert*, int verify);
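Review bot: `const byte* publicKey;` in both DecodedCert and Signer carries no ownership comment, unlike `signature`, `source` and `extensions` a few lines below. It is also the one const field that can be heap-owned: FreeDecodedCert and FreeSigner free it through a `(void*)` cast. I would add `/* owned copy only when pubKeyStored == 1 */` on the DecodedCert field and `/* owned, freed by FreeSigner */` on the Signer field. Separately, the context line `#ifndef IGNORE_NAME_CONSTRAINT` guarding `subjectRaw` lacks the trailing S used in every other guard on this page, which looks like a typo worth a follow-up.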


@ -103,7 +103,7 @@ typedef struct PKCS7 {
PKCS7Attrib* signedAttribs;
byte* content; /* inner content, not owner */
byte* singleCert; /* recipient cert, DER, not owner */
byte* issuer; /* issuer name of singleCert */
const byte* issuer; /* issuer name of singleCert */
byte* privateKey; /* private key, DER, not owner */
void* heap; /* heap hint for dynamic memory */
#ifdef ASN_BER_TO_DER