diff --git a/src/bio.c b/src/bio.c index 9d94144f57..51e18973fc 100644 --- a/src/bio.c +++ b/src/bio.c @@ -2456,6 +2456,7 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) bio = wolfSSL_BIO_new(wolfSSL_BIO_s_socket()); if (bio) { const char* port; + int portVal = 0; #ifdef WOLFSSL_IPV6 const char* ipv6Start = XSTRSTR(str, "["); const char* ipv6End = XSTRSTR(str, "]"); @@ -2466,8 +2467,13 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio) #endif port = XSTRSTR(str, ":"); - if (port != NULL) - bio->port = (word16)XATOI(port + 1); + if (port != NULL) { + portVal = XATOI(port + 1); + /* Reject out-of-range ports instead of truncating to word16. */ + if ((portVal < 0) || (portVal > 65535)) + portVal = 0; + bio->port = (word16)portVal; + } else port = str + XSTRLEN(str); /* point to null terminator */ diff --git a/src/internal.c b/src/internal.c index fc8bc191f1..7114801c04 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12867,6 +12867,8 @@ static int BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender) } } + ForceZero(md5_result, WC_MD5_DIGEST_SIZE); + WC_FREE_VAR_EX(md5, ssl->heap, DYNAMIC_TYPE_HASHCTX); return ret; @@ -12912,6 +12914,8 @@ static int BuildSHA(WOLFSSL* ssl, Hashes* hashes, const byte* sender) } } + ForceZero(sha_result, WC_SHA_DIGEST_SIZE); + WC_FREE_VAR_EX(sha, ssl->heap, DYNAMIC_TYPE_HASHCTX); return ret; @@ -15355,7 +15359,7 @@ int SetupStoreCtxCallback(WOLFSSL_X509_STORE_CTX** store_pt, if (args->certIdx == 0) { FreeX509(&ssl->peerCert); InitX509(&ssl->peerCert, 0, ssl->heap); - if (CopyDecodedToX509(&ssl->peerCert, args->dCert) == 0) + if (CopyDecodedToX509(&ssl->peerCert, args->dCert) != 0) WOLFSSL_MSG("Unable to copy to ssl->peerCert"); store->current_cert = &ssl->peerCert; /* use existing X509 */ } @@ -23775,6 +23779,14 @@ static int CheckResumptionConsistency(WOLFSSL* ssl) static int DoChangeCipherSpecTls13(WOLFSSL* ssl) { word32 i = ssl->buffers.inputBuffer.idx; +#ifdef WOLFSSL_DTLS13 + if (ssl->options.dtls) { + /* CCS is not part of DTLS 1.3; discard the record without alerting so a + * spoofed CCS cannot tear down the handshake. */ + ssl->buffers.inputBuffer.idx += ssl->curSize; + return 0; + } +#endif if (ssl->options.handShakeState == HANDSHAKE_DONE) { SendAlert(ssl, alert_fatal, unexpected_message); WOLFSSL_ERROR_VERBOSE(UNKNOWN_RECORD_TYPE); @@ -25226,6 +25238,8 @@ static int BuildMD5_CertVerify(const WOLFSSL* ssl, byte* digest) } } + ForceZero(md5_result, WC_MD5_DIGEST_SIZE); + WC_FREE_VAR_EX(md5, ssl->heap, DYNAMIC_TYPE_HASHCTX); return ret; @@ -25272,6 +25286,8 @@ static int BuildSHA_CertVerify(const WOLFSSL* ssl, byte* digest) } } + ForceZero(sha_result, WC_SHA_DIGEST_SIZE); + WC_FREE_VAR_EX(sha, ssl->heap, DYNAMIC_TYPE_HASHCTX); return ret; @@ -42548,8 +42564,18 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], /* Update AAD with index. */ aad[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx; +#ifndef SINGLE_THREADED + /* Hold the lock over the key/expiry read so a concurrent regen can't swap the key mid-decrypt. */ + if (wc_LockMutex(&keyCtx->mutex) != 0) { + WOLFSSL_MSG("Couldn't lock key context mutex"); + return WOLFSSL_TICKET_RET_REJECT; + } +#endif /* Check expirary */ if (keyCtx->expirary[keyIdx] <= LowResTimer()) { +#ifndef SINGLE_THREADED + wc_UnLockMutex(&keyCtx->mutex); +#endif return WOLFSSL_TICKET_RET_REJECT; } @@ -42557,6 +42583,9 @@ static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ], ret = TicketEncDec(keyCtx->key[keyIdx], WOLFSSL_TICKET_KEY_SZ, iv, aad, aadSz, ticket, inLen, ticket, outLen, mac, ssl->heap, 0); +#ifndef SINGLE_THREADED + wc_UnLockMutex(&keyCtx->mutex); +#endif if (ret != 0) { return WOLFSSL_TICKET_RET_REJECT; } diff --git a/src/ocsp.c b/src/ocsp.c index 4048e7628e..85be2e16e4 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -1159,7 +1159,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio, return NULL; dataAlloced = 1; - len = wolfSSL_BIO_read(bio, (char *)data, (int)flen); + len = wolfSSL_BIO_read(bio, (char *)data, (int)fcur); } #endif else diff --git a/src/quic.c b/src/quic.c index caf8ab9e71..4ff27285ed 100644 --- a/src/quic.c +++ b/src/quic.c @@ -1239,6 +1239,11 @@ int wolfSSL_quic_hkdf_expand(uint8_t* dest, size_t destlen, WOLFSSL_ENTER("wolfSSL_quic_hkdf_expand"); + if (secretlen > INT_MAX || infolen > INT_MAX) { + ret = WOLFSSL_FAILURE; + goto cleanup; + } + pctx = wolfSSL_EVP_PKEY_CTX_new_id(WC_NID_hkdf, NULL); if (pctx == NULL) { ret = WOLFSSL_FAILURE; @@ -1279,6 +1284,11 @@ int wolfSSL_quic_hkdf(uint8_t* dest, size_t destlen, WOLFSSL_ENTER("wolfSSL_quic_hkdf"); + if (secretlen > INT_MAX || saltlen > INT_MAX || infolen > INT_MAX) { + ret = WOLFSSL_FAILURE; + goto cleanup; + } + pctx = wolfSSL_EVP_PKEY_CTX_new_id(WC_NID_hkdf, NULL); if (pctx == NULL) { ret = WOLFSSL_FAILURE; @@ -1348,6 +1358,10 @@ int wolfSSL_quic_aead_encrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx, * TODO: there is some fiddling in OpenSSL+quic in regard to CCM ciphers * which we need to check. */ + if (plainlen > INT_MAX || aadlen > INT_MAX) { + return WOLFSSL_FAILURE; + } + if (wolfSSL_EVP_CipherInit(ctx, NULL, NULL, iv, 1) != WOLFSSL_SUCCESS || wolfSSL_EVP_CipherUpdate( ctx, NULL, &len, aad, (int)aadlen) != WOLFSSL_SUCCESS @@ -1373,7 +1387,7 @@ int wolfSSL_quic_aead_decrypt(uint8_t* dest, WOLFSSL_EVP_CIPHER_CTX* ctx, const uint8_t* tag; /* See rationale for wolfSSL_quic_aead_encrypt() on why this is here */ - if (enclen > INT_MAX || ctx->authTagSz > (int)enclen) { + if (enclen > INT_MAX || aadlen > INT_MAX || ctx->authTagSz > (int)enclen) { return WOLFSSL_FAILURE; } diff --git a/src/sniffer.c b/src/sniffer.c index 7f0c432255..380121c8db 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -4482,6 +4482,10 @@ static int ProcessCertificate(const byte* input, int* sslBytes, } #endif + if (OPAQUE24_LEN > *sslBytes) { + SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } ato24(input, &certChainSz); *sslBytes -= CERT_HEADER_SZ; input += CERT_HEADER_SZ; @@ -4491,6 +4495,10 @@ static int ProcessCertificate(const byte* input, int* sslBytes, return WOLFSSL_FATAL_ERROR; } + if (OPAQUE24_LEN > *sslBytes) { + SetError(BAD_CERT_MSG_STR, error, session, FATAL_ERROR_STATE); + return WOLFSSL_FATAL_ERROR; + } ato24(input, &certSz); input += OPAQUE24_LEN; if (*sslBytes < (int)certSz) { diff --git a/src/ssl.c b/src/ssl.c index f5a309552c..04afe47409 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -12361,7 +12361,13 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) { #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) WOLFSSL_ENTER("wolfSSL_set_verify_depth"); - ssl->options.verifyDepth = (byte)depth; + /* Reject out-of-range depths; valid range is 0 to MAX_CHAIN_DEPTH. */ + if ((ssl == NULL) || (depth < 0) || (depth > MAX_CHAIN_DEPTH)) { + WOLFSSL_MSG("Bad depth argument, too large or less than 0"); + } + else { + ssl->options.verifyDepth = (byte)depth; + } #endif } @@ -16065,6 +16071,7 @@ int wolfSSL_RAND_pseudo_bytes(unsigned char* buf, int num) (void)hash; (void)secret; #endif + ForceZero(secret, DRBG_SEED_LEN); return ret; } @@ -16939,20 +16946,39 @@ int wolfSSL_FIPS_drbg_uninstantiate(WOLFSSL_DRBG_CTX *ctx) void wolfSSL_FIPS_drbg_free(WOLFSSL_DRBG_CTX *ctx) { if (ctx != NULL) { + int locked = 0; /* As safety check if free'ing the default drbg, then mark global NULL. * Technically the user should not call free on the default drbg. */ + #ifndef WOLFSSL_MUTEX_INITIALIZER + /* wolfSSL_Cleanup may free the mutex before this runs. */ + if ((globalRNGMutex_valid == 1) && (wc_LockMutex(&globalRNGMutex) == 0)) + #else + if (wc_LockMutex(&globalRNGMutex) == 0) + #endif + locked = 1; if (ctx == gDrbgDefCtx) { gDrbgDefCtx = NULL; } + if (locked) + wc_UnLockMutex(&globalRNGMutex); wolfSSL_FIPS_drbg_uninstantiate(ctx); XFREE(ctx, NULL, DYNAMIC_TYPE_OPENSSL); } } WOLFSSL_DRBG_CTX* wolfSSL_FIPS_get_default_drbg(void) { + int locked = 0; +#ifndef WOLFSSL_MUTEX_INITIALIZER + if ((globalRNGMutex_valid == 1) && (wc_LockMutex(&globalRNGMutex) == 0)) +#else + if (wc_LockMutex(&globalRNGMutex) == 0) +#endif + locked = 1; if (gDrbgDefCtx == NULL) { gDrbgDefCtx = wolfSSL_FIPS_drbg_new(0, 0); } + if (locked) + wc_UnLockMutex(&globalRNGMutex); return gDrbgDefCtx; } void wolfSSL_FIPS_get_timevec(unsigned char* buf, unsigned long* pctr) diff --git a/src/ssl_api_crl_ocsp.c b/src/ssl_api_crl_ocsp.c index 677aad4681..1cb77a3c66 100644 --- a/src/ssl_api_crl_ocsp.c +++ b/src/ssl_api_crl_ocsp.c @@ -395,6 +395,9 @@ int wolfSSL_get_ocsp_producedDate( size_t producedDate_space, int *producedDateFormat) { + if (ssl == NULL) + return BAD_FUNC_ARG; + if ((ssl->ocspProducedDateFormat != ASN_UTC_TIME) && (ssl->ocspProducedDateFormat != ASN_GENERALIZED_TIME)) return BAD_FUNC_ARG; @@ -415,6 +418,9 @@ int wolfSSL_get_ocsp_producedDate( int wolfSSL_get_ocsp_producedDate_tm(WOLFSSL *ssl, struct tm *produced_tm) { int idx = 0; + if (ssl == NULL) + return BAD_FUNC_ARG; + if ((ssl->ocspProducedDateFormat != ASN_UTC_TIME) && (ssl->ocspProducedDateFormat != ASN_GENERALIZED_TIME)) return BAD_FUNC_ARG; diff --git a/src/ssl_api_pk.c b/src/ssl_api_pk.c index d18590e8ac..59adff1482 100644 --- a/src/ssl_api_pk.c +++ b/src/ssl_api_pk.c @@ -393,7 +393,7 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) res = check_cert_key(ctx->certificate, privateKey, altPrivateKey, ctx->heap, ctx->privateKeyDevId, ctx->privateKeyLabel, ctx->privateKeyId, ctx->altPrivateKeyDevId, - ctx->altPrivateKeyLabel, ctx->altPrivateKeyId) != 0; + ctx->altPrivateKeyLabel, ctx->altPrivateKeyId) == 1; } #ifdef WOLFSSL_BLIND_PRIVATE_KEY /* Dispose of the unblinded buffers. */ diff --git a/src/ssl_bn.c b/src/ssl_bn.c index 74d828da93..a88ee73a6c 100644 --- a/src/ssl_bn.c +++ b/src/ssl_bn.c @@ -326,23 +326,21 @@ const WOLFSSL_BIGNUM* wolfSSL_BN_value_one(void) wolfSSL_BN_free(one); one = NULL; } - else + else { #ifndef SINGLE_THREADED - /* Ensure global has not been set by another thread. */ - if (bn_one == NULL) - #endif - { + void* expected = NULL; + /* Publish atomically so a losing thread frees only its own object, + * never a pointer already handed to another thread. */ + if (!wolfSSL_Atomic_Ptr_CompareExchange((void* volatile*)&bn_one, + &expected, one)) { + wolfSSL_BN_free(one); + one = (WOLFSSL_BIGNUM*)expected; + } + #else /* Set this big number as the global. */ bn_one = one; - } - #ifndef SINGLE_THREADED - /* Check if another thread has set the global. */ - if (bn_one != one) { - /* Dispose of this big number and return the global. */ - wolfSSL_BN_free(one); - one = bn_one; - } #endif + } } return one; diff --git a/src/ssl_crypto.c b/src/ssl_crypto.c index 92ae36e582..294afb1096 100644 --- a/src/ssl_crypto.c +++ b/src/ssl_crypto.c @@ -2880,6 +2880,8 @@ void wolfSSL_DES_ede3_cbc_encrypt(const unsigned char* input, } } wc_Des3Free(des3); + + ForceZero(key, DES3_KEY_SIZE); } WC_FREE_VAR_EX(des3, NULL, DYNAMIC_TYPE_CIPHER); diff --git a/src/ssl_misc.c b/src/ssl_misc.c index 072f2cc133..fc7e1a4a9b 100644 --- a/src/ssl_misc.c +++ b/src/ssl_misc.c @@ -70,6 +70,11 @@ static int wolfssl_read_bio_file(WOLFSSL_BIO* bio, char** data) /* Update total read. */ ret += sz; + /* Cap total like the direct-file path to avoid int overflow. */ + if (ret > MAX_WOLFSSL_FILE_SIZE) { + sz = BUFFER_E; + break; + } /* Calculate remaining unused memory. */ remaining = READ_BIO_FILE_CHUNK - (ret % READ_BIO_FILE_CHUNK); /* Check for space remaining. */ diff --git a/src/ssl_p7p12.c b/src/ssl_p7p12.c index 27cf6c8963..23aa47d297 100644 --- a/src/ssl_p7p12.c +++ b/src/ssl_p7p12.c @@ -903,6 +903,7 @@ int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs, { int ret; WOLFSSL_PKCS7* p7; + WOLFSSL_STACK* certHead = certs; WOLFSSL_ENTER("wolfSSL_PKCS7_encode_certs"); if (!pkcs7 || !certs || !out) { @@ -912,10 +913,6 @@ int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs, p7 = (WOLFSSL_PKCS7*)pkcs7; - /* take ownership of certs */ - p7->certs = certs; - /* TODO: takes ownership even on failure below but not on above failure. */ - if (pkcs7->certList) { WOLFSSL_MSG("wolfSSL_PKCS7_encode_certs called multiple times on same " "struct"); @@ -957,6 +954,9 @@ int wolfSSL_PKCS7_encode_certs(PKCS7* pkcs7, WOLFSSL_STACK* certs, certs = certs->next; } + /* certs are now incorporated into pkcs7; take ownership (earlier failures leave ownership with the caller). */ + p7->certs = certHead; + if (wc_PKCS7_SetSignerIdentifierType(pkcs7, DEGENERATE_SID) != 0) { WOLFSSL_MSG("wc_PKCS7_SetSignerIdentifierType error"); return WOLFSSL_FAILURE; diff --git a/src/tls.c b/src/tls.c index 59a9b2f373..9ebdfaf082 100644 --- a/src/tls.c +++ b/src/tls.c @@ -10089,6 +10089,11 @@ static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl, WOLFSSL_MSG("GenPqcKey memory error"); ret = MEMORY_E; } + else { + /* Zero so an unconditional wc_MlKemKey_Free is safe even if Init is + * skipped on an id2type failure. */ + XMEMSET(kem, 0, sizeof(MlKemKey)); + } if (ret == 0) { ret = mlkem_id2type(keyShareEntry->group, &type); } @@ -12152,6 +12157,10 @@ static void TLSX_PreSharedKey_FreeAll(PreSharedKey* list, void* heap) while ((current = list) != NULL) { list = current->next; + /* identity may hold an in-place decrypted ticket whose bytes are the + * resumption master secret; wipe before returning it to the heap. */ + if (current->identity != NULL) + ForceZero(current->identity, current->identityLen); XFREE(current->identity, heap, DYNAMIC_TYPE_TLSX); XFREE(current, heap, DYNAMIC_TYPE_TLSX); } @@ -13485,6 +13494,14 @@ static int TLSX_ClientCertificateType_Parse(WOLFSSL* ssl, const byte* input, else if (msgType == server_hello || msgType == encrypted_extensions) { /* parse it in client side */ if (length == 1) { + /* Reject a server-selected type the client did not offer. */ + if (!IsCertTypeListed(*input, + ssl->options.rpkState.sending_ClientCertTypeCnt, + ssl->options.rpkState.sending_ClientCertTypes)) { + SendAlert(ssl, alert_fatal, illegal_parameter); + WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); + return INVALID_PARAMETER; + } ssl->options.rpkState.received_ClientCertTypeCnt = 1; ssl->options.rpkState.received_ClientCertTypes[0] = *input; } @@ -13685,6 +13702,15 @@ static int TLSX_ServerCertificateType_Parse(WOLFSSL* ssl, const byte* input, if (length != 1) /* length slould be 1 */ return BUFFER_E; + /* Reject a server-selected type the client did not offer. */ + if (!IsCertTypeListed(*input, + ssl->options.rpkState.sending_ServerCertTypeCnt, + ssl->options.rpkState.sending_ServerCertTypes)) { + SendAlert(ssl, alert_fatal, illegal_parameter); + WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); + return INVALID_PARAMETER; + } + ssl->options.rpkState.received_ServerCertTypeCnt = 1; ssl->options.rpkState.received_ServerCertTypes[0] = *input; } @@ -14589,6 +14615,17 @@ static int TLSX_ECH_ExpandOuterExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech, return ret; } +/* Header bytes reserved before the ECH inner ClientHello (DTLS uses a larger handshake header than TLS). */ +static word32 TLSX_EchInnerHeaderSz(const WOLFSSL* ssl) +{ +#ifdef WOLFSSL_DTLS13 + return ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ : HANDSHAKE_HEADER_SZ; +#else + (void)ssl; + return HANDSHAKE_HEADER_SZ; +#endif +} + /* return status after attempting to open the hpke encrypted ech extension, if * successful the inner client hello will be stored in * ech->innerClientHelloLen */ @@ -14676,7 +14713,7 @@ static int TLSX_ExtractEch(WOLFSSL* ssl, WOLFSSL_ECH* ech, if (ret == 0) { ret = wc_HpkeContextOpenBase(ech->hpke, ech->hpkeContext, aad, aadLen, ech->outerClientPayload, ech->innerClientHelloLen, - ech->innerClientHello + HANDSHAKE_HEADER_SZ); + ech->innerClientHello + TLSX_EchInnerHeaderSz(ssl)); } #ifdef HAVE_SECRET_CALLBACK @@ -14894,7 +14931,7 @@ static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size, XFREE(ech->innerClientHello, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); /* allocate the inner payload buffer */ ech->innerClientHello = - (byte*)XMALLOC(ech->innerClientHelloLen + HANDSHAKE_HEADER_SZ, + (byte*)XMALLOC(ech->innerClientHelloLen + TLSX_EchInnerHeaderSz(ssl), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (ech->innerClientHello == NULL) { XFREE(aadCopy, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/src/x509_str.c b/src/x509_str.c index 710d18b74c..3ee233165d 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -446,9 +446,15 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) #endif SetupStoreCtxError(ctx, ret); #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - if (ctx->store->verify_cb) - ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1 ? - WOLFSSL_SUCCESS : ret; + if (ctx->store->verify_cb) { + if (ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1) { + ret = WOLFSSL_SUCCESS; + } + else { + /* Callback rejection is terminal; don't let a later pass override it. */ + return -1; + } + } #endif } #if !defined(NO_ASN_TIME) && defined(OPENSSL_ALL) @@ -2374,6 +2380,8 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_GetCerts(WOLFSSL_X509_STORE_CTX* s) } } else { + wolfSSL_X509_free(x509); + x509 = NULL; goto error; } found = 1; diff --git a/tests/api/test_certman.c b/tests/api/test_certman.c index 25c203a4b2..f8c13f4a2d 100644 --- a/tests/api/test_certman.c +++ b/tests/api/test_certman.c @@ -2866,6 +2866,99 @@ int test_wolfSSL_CRL_critical_idp(void) return EXPECT_RESULT(); } +int test_wolfSSL_cert_critical_policy_constraints(void) +{ + EXPECT_DECLS; +#if !defined(NO_CERTS) && !defined(NO_RSA) && !defined(WOLFSSL_NO_ASN_STRICT) + /* Critical policyConstraints is parsed but never enforced, so RFC 5280 Sec 4.2 requires rejecting the cert rather than silently accepting it. */ + static const unsigned char cert_crit_policy[] = { + 0x30, 0x82, 0x03, 0x38, 0x30, 0x82, 0x02, 0x20, 0xa0, 0x03, 0x02, + 0x01, 0x02, 0x02, 0x14, 0x39, 0xd1, 0x63, 0xf8, 0xb6, 0x8f, 0x51, + 0xc0, 0x2c, 0xef, 0x38, 0x87, 0x6d, 0x40, 0x1c, 0x2c, 0xc0, 0xcd, + 0xa1, 0x9a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x23, 0x31, 0x21, 0x30, + 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, + 0x6e, 0x74, 0x43, 0x72, 0x69, 0x74, 0x54, 0x65, 0x73, 0x74, 0x30, + 0x1e, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x31, 0x30, 0x31, 0x30, 0x30, + 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17, 0x0d, 0x34, 0x30, 0x30, 0x31, + 0x30, 0x31, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x23, + 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x18, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x43, 0x6f, 0x6e, 0x73, 0x74, + 0x72, 0x61, 0x69, 0x6e, 0x74, 0x43, 0x72, 0x69, 0x74, 0x54, 0x65, + 0x73, 0x74, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xa5, 0x09, 0xd5, 0xa6, 0xb1, 0x07, 0xb6, 0x7e, 0xa0, + 0x51, 0x74, 0x5d, 0x1b, 0x3f, 0x92, 0x3d, 0xb2, 0xf4, 0x2d, 0xfc, + 0xd9, 0xa1, 0xa7, 0xc4, 0x2d, 0x28, 0x3e, 0xa5, 0x2e, 0xc0, 0xba, + 0xcc, 0x82, 0x3f, 0xf7, 0x80, 0x86, 0x4f, 0xb5, 0x3b, 0xeb, 0x67, + 0x3f, 0x57, 0x43, 0x72, 0xd0, 0x1e, 0xdb, 0xd9, 0x4f, 0xb5, 0x14, + 0x12, 0xec, 0xa4, 0x7a, 0x2a, 0xb8, 0xd7, 0x12, 0x64, 0x30, 0x32, + 0xe9, 0xfc, 0x3a, 0x91, 0xe3, 0xa6, 0x59, 0x08, 0x11, 0xde, 0xd0, + 0xb0, 0xfa, 0xcf, 0x31, 0x37, 0x3d, 0xa8, 0xd6, 0xa1, 0xb0, 0x84, + 0x25, 0x2d, 0x05, 0x8a, 0x33, 0x32, 0x24, 0x94, 0xa5, 0xef, 0x65, + 0xb6, 0x58, 0xfa, 0x94, 0xbd, 0x3a, 0xef, 0xfd, 0xcd, 0xeb, 0x56, + 0xc4, 0x87, 0x65, 0x45, 0x5f, 0xe1, 0x14, 0xa9, 0x3c, 0x6e, 0x94, + 0xa1, 0xc4, 0xfc, 0x67, 0xcd, 0xff, 0xb4, 0xdb, 0xbd, 0x0e, 0x56, + 0x26, 0x94, 0xa8, 0xdc, 0xc2, 0x9d, 0xef, 0xb3, 0x95, 0x27, 0xc4, + 0x97, 0x00, 0xae, 0x9a, 0x42, 0x48, 0x51, 0xe2, 0xbd, 0xb6, 0x12, + 0xf4, 0xe0, 0xaf, 0x21, 0xd2, 0x92, 0xc3, 0xc1, 0x7d, 0xb1, 0xad, + 0x11, 0xc9, 0x4e, 0xed, 0xb6, 0x80, 0x81, 0x2a, 0x86, 0xb2, 0xf2, + 0x6e, 0x8c, 0x6d, 0xe0, 0x55, 0x7a, 0x00, 0x76, 0x81, 0x73, 0x27, + 0x26, 0x3a, 0xd7, 0xe9, 0x86, 0xfb, 0x26, 0x14, 0x10, 0x1f, 0x0f, + 0xf8, 0xfd, 0x41, 0x67, 0x37, 0xdc, 0x51, 0xcf, 0xd7, 0x44, 0x2f, + 0x77, 0x85, 0xb2, 0xbb, 0xd4, 0xe9, 0xf4, 0xbb, 0xfc, 0xb0, 0x08, + 0xaf, 0xba, 0x8a, 0x73, 0x4c, 0x62, 0x97, 0x7b, 0xd2, 0x5d, 0x01, + 0x32, 0x5c, 0x84, 0x2d, 0xc7, 0x06, 0x53, 0x13, 0x25, 0xa7, 0xf2, + 0x85, 0xce, 0x18, 0x7c, 0x80, 0x7d, 0x46, 0xcf, 0x59, 0x4a, 0x6a, + 0x79, 0xad, 0xfd, 0x10, 0xf3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, + 0x64, 0x30, 0x62, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, + 0x16, 0x04, 0x14, 0x57, 0x3b, 0x53, 0xa1, 0xea, 0xb0, 0x48, 0x46, + 0x26, 0x1c, 0x05, 0xa4, 0xb4, 0xca, 0x4c, 0xe7, 0x2d, 0x6c, 0x69, + 0xc2, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, + 0x16, 0x80, 0x14, 0x57, 0x3b, 0x53, 0xa1, 0xea, 0xb0, 0x48, 0x46, + 0x26, 0x1c, 0x05, 0xa4, 0xb4, 0xca, 0x4c, 0xe7, 0x2d, 0x6c, 0x69, + 0xc2, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x24, 0x01, 0x01, 0xff, + 0x04, 0x05, 0x30, 0x03, 0x80, 0x01, 0x00, 0x30, 0x0f, 0x06, 0x03, + 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, + 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, + 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, + 0x25, 0xb6, 0xa5, 0xb5, 0xbd, 0xa3, 0x8e, 0xcf, 0x06, 0x09, 0x67, + 0x28, 0x03, 0xf4, 0x6e, 0x6d, 0xa9, 0x4a, 0xe4, 0xac, 0x2e, 0xda, + 0xdb, 0x98, 0x38, 0x50, 0x5b, 0xdf, 0xc6, 0x17, 0xc7, 0x1c, 0xea, + 0x05, 0xd8, 0xea, 0xf4, 0x84, 0x41, 0x21, 0xc1, 0x3c, 0x59, 0x4e, + 0xa3, 0x6e, 0x82, 0xa8, 0xda, 0x28, 0x81, 0x29, 0x02, 0x74, 0x75, + 0x56, 0xf2, 0xd3, 0x70, 0x3f, 0x24, 0x21, 0x08, 0x73, 0xe9, 0xb2, + 0x15, 0xc8, 0x30, 0x8c, 0x3b, 0xbe, 0x2a, 0x1c, 0x64, 0xfc, 0xb8, + 0x9d, 0x9d, 0xa4, 0xf7, 0xda, 0x05, 0x93, 0x6c, 0x1c, 0xaf, 0xa8, + 0xd3, 0xef, 0x0f, 0x9a, 0x52, 0x84, 0xce, 0x03, 0xbb, 0x06, 0x64, + 0x8e, 0xa2, 0x70, 0x5e, 0x03, 0xb8, 0xa0, 0xe4, 0x58, 0x84, 0x1b, + 0xf9, 0xa9, 0xfd, 0x9c, 0xc8, 0xf1, 0x8c, 0x98, 0x0d, 0x22, 0x3d, + 0x54, 0x80, 0xb2, 0x12, 0xf9, 0xba, 0xa7, 0xfa, 0xcc, 0x77, 0x48, + 0xe3, 0xe9, 0x46, 0x54, 0x49, 0xd4, 0x9c, 0x60, 0x53, 0x02, 0x4c, + 0x6b, 0x0a, 0x73, 0xe5, 0x16, 0x0f, 0xea, 0xa2, 0xed, 0xbb, 0xab, + 0xce, 0xbe, 0x29, 0x45, 0xff, 0xc1, 0xcf, 0x4e, 0x4a, 0x25, 0x8b, + 0xc8, 0x32, 0x50, 0x62, 0x6a, 0x4a, 0x4c, 0x1a, 0xbc, 0xc4, 0xf4, + 0x66, 0xf2, 0x19, 0x57, 0x4f, 0x5c, 0x7a, 0xab, 0xe0, 0x79, 0x19, + 0xeb, 0x9d, 0xc3, 0x56, 0xfa, 0x99, 0xf5, 0xb0, 0x5c, 0xe3, 0x92, + 0xa4, 0x8a, 0x7c, 0x42, 0xcf, 0xd8, 0x25, 0x80, 0x47, 0x8d, 0x83, + 0x3e, 0xd7, 0xef, 0x60, 0x1c, 0xfd, 0xe0, 0xd1, 0x2d, 0x04, 0xbf, + 0xe7, 0x3d, 0x1d, 0xb2, 0xda, 0xfd, 0x4c, 0x7f, 0x20, 0x73, 0xa7, + 0x7a, 0xd1, 0xf2, 0x43, 0x64, 0x22, 0x9d, 0x7e, 0x2b, 0x7a, 0xeb, + 0xe6, 0xcd, 0xea, 0x57, 0xea, 0xe1, 0x86, 0x78, 0xcf, 0x09, 0x4d, + 0x90, 0xb9, 0x62 + }; + WOLFSSL_CERT_MANAGER* cm = NULL; + + ExpectNotNull(cm = wolfSSL_CertManagerNew()); + ExpectIntNE(wolfSSL_CertManagerLoadCABuffer(cm, cert_crit_policy, + sizeof(cert_crit_policy), WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS); + wolfSSL_CertManagerFree(cm); +#endif + return EXPECT_RESULT(); +} + int test_wolfSSL_CRL_unknown_critical_ext(void) { EXPECT_DECLS; diff --git a/tests/api/test_certman.h b/tests/api/test_certman.h index 3511760145..868dca801d 100644 --- a/tests/api/test_certman.h +++ b/tests/api/test_certman.h @@ -48,6 +48,7 @@ int test_wolfSSL_CRL_duplicate_extensions(void); int test_wolfSSL_CRL_critical_idp(void); int test_wolfSSL_CRL_unknown_critical_ext(void); int test_wolfSSL_CRL_unknown_critical_entry_ext(void); +int test_wolfSSL_cert_critical_policy_constraints(void); int test_wolfSSL_CertManagerCheckOCSPResponse(void); int test_various_pathlen_chains(void); int test_wolfSSL_CertManagerRejectMD5Cert(void); @@ -82,6 +83,7 @@ int test_wolfSSL_CertManagerNameConstraint_skid_disambiguates(void); TEST_DECL_GROUP("certman", test_wolfSSL_CRL_critical_idp), \ TEST_DECL_GROUP("certman", test_wolfSSL_CRL_unknown_critical_ext), \ TEST_DECL_GROUP("certman", test_wolfSSL_CRL_unknown_critical_entry_ext), \ + TEST_DECL_GROUP("certman", test_wolfSSL_cert_critical_policy_constraints), \ TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerCheckOCSPResponse), \ TEST_DECL_GROUP("certman", test_various_pathlen_chains), \ TEST_DECL_GROUP("certman", test_wolfSSL_CertManagerRejectMD5Cert), \ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 12d4956caf..2251158543 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -21637,6 +21637,12 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length, case INHIBIT_ANY_OID: VERIFY_AND_SET_OID(cert->inhibitAnyOidSet); WOLFSSL_MSG("Inhibit anyPolicy extension not supported yet."); + #ifndef WOLFSSL_NO_ASN_STRICT + if (critical) { + WOLFSSL_ERROR_VERBOSE(ASN_CRIT_EXT_E); + ret = ASN_CRIT_EXT_E; + } + #endif break; #ifndef IGNORE_NETSCAPE_CERT_TYPE @@ -21661,6 +21667,12 @@ WOLFSSL_TEST_VIS int DecodeExtensionType(const byte* input, word32 length, cert->extPolicyConstCrit = critical ? 1 : 0; if (DecodePolicyConstraints(&input[idx], (int)length, cert) < 0) return ASN_PARSE_E; + #ifndef WOLFSSL_NO_ASN_STRICT + if (critical) { + WOLFSSL_ERROR_VERBOSE(ASN_CRIT_EXT_E); + ret = ASN_CRIT_EXT_E; + } + #endif break; #ifdef WOLFSSL_SUBJ_DIR_ATTR case SUBJ_DIR_ATTR_OID: @@ -32938,8 +32950,9 @@ int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 *outLen, ret = BAD_FUNC_ARG; } - /* Check key has parameters when encoding curve. */ - if ((ret == 0) && curveIn && (key->dp == NULL)) { + /* Check key has parameters: key->dp->size is dereferenced below regardless + * of curveIn. */ + if ((ret == 0) && (key->dp == NULL)) { ret = BAD_FUNC_ARG; } if (ret == 0) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 882a2af1ae..af15d1992a 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -6727,6 +6727,17 @@ static int wc_PKCS7_HandleOctetStrings(wc_PKCS7* pkcs7, byte* in, word32 inSz, /* grow content buffer */ contBufSz = pkcs7->stream->accumContSz; + /* Reject before the word32 add wraps and yields a tiny alloc for an oversized copy. */ + if (pkcs7->stream->expected > + WOLFSSL_PKCS7_MAX_STREAM_ALLOC - + pkcs7->stream->accumContSz) { + WOLFSSL_MSG("PKCS7 accumulated content size too large"); + if (tempBuf != NULL) { + XFREE(tempBuf, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + } + ret = BUFFER_E; + break; + } pkcs7->stream->accumContSz += pkcs7->stream->expected; pkcs7->stream->content =