Merge pull request #2351 from ejohnstown/watch-chain-deux

Sniffer Watch Cert Chain Part 2
2019-07-16 15:04:32 -06:00 · 2019-07-16 15:04:32 -06:00 · cb2ed60305
commit cb2ed60305
parent 5067d1fc10 4b0bb75909
4 changed files with 24 additions and 6 deletions
--- a/src/sniffer.c
+++ b/src/sniffer.c
@ -253,7 +253,8 @@ static const char* const msgTable[] =
    /* 86 */
    "Watch callback not set",
    "Watch hash failed",
-    "Watch callback failed"
+    "Watch callback failed",
+    "Bad Certificate Message"
 };


@ -2320,8 +2321,6 @@ static int ProcessCertificate(const byte* input, int* sslBytes,
    int ret;
    byte digest[SHA256_DIGEST_SIZE];

-    (void)sslBytes;
-
    /* If the receiver is the server, this is the client certificate message,
     * and it should be ignored at this point. */
    if (session->flags.side == WOLFSSL_SERVER_END)
@ -2332,11 +2331,28 @@ static int ProcessCertificate(const byte* input, int* sslBytes,
        return -1;
    }

+    if (*sslBytes < CERT_HEADER_SZ) {
+        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+        return -1;
+    }
    ato24(input, &certChainSz);
+    *sslBytes -= CERT_HEADER_SZ;
    input += CERT_HEADER_SZ;
+
+    if (*sslBytes < (int)certChainSz) {
+        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+        return -1;
+    }
    certChain = input;
+
    ato24(input, &certSz);
    input += OPAQUE24_LEN;
+    if (*sslBytes < (int)certSz) {
+        SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE);
+        return -1;
+    }
+
+    *sslBytes -= certChainSz;

    ret = wc_InitSha256(&sha);
    if (ret == 0)
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@ -189,13 +189,13 @@ const byte eccHash[] = {

 static int myWatchCb(void* vSniffer,
        const unsigned char* certHash, unsigned int certHashSz,
-        const unsigned char* cert, unsigned int certSz,
+        const unsigned char* certChain, unsigned int certChainSz,
        void* ctx, char* error)
 {
    const char* certName = NULL;

-    (void)cert;
-    (void)certSz;
+    (void)certChain;
+    (void)certChainSz;
    (void)ctx;

    if (certHashSz == sizeof(rsaHash) &&
--- a/wolfssl/sniffer_error.h
+++ b/wolfssl/sniffer_error.h
@ -124,6 +124,7 @@
 #define WATCH_CB_MISSING_STR 86
 #define WATCH_HASH_STR 87
 #define WATCH_FAIL_STR 88
+#define BAD_CERT_MSG_STR 89
 /* !!!! also add to msgTable in sniffer.c and .rc file !!!! */


--- a/wolfssl/sniffer_error.rc
+++ b/wolfssl/sniffer_error.rc
@ -106,5 +106,6 @@ STRINGTABLE
    86, "Watch callback not set"
    87, "Watch hash failed"
    88, "Watch callback failed"
+    89, "Bad Certificate Message"
 }