12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429543054315432543354345435543654375438543954405441544254435444544554465447544854495450545154525453545454555456545754585459546054615462546354645465546654675468546954705471547254735474547554765477547854795480548154825483548454855486548754885489549054915492549354945495549654975498549955005501550255035504550555065507550855095510551155125513551455155516551755185519552055215522552355245525552655275528552955305531553255335534553555365537553855395540554155425543554455455546554755485549555055515552555355545555555655575558555955605561556255635564556555665567556855695570557155725573557455755576557755785579558055815582558355845585558655875588558955905591559255935594559555965597559855995600560156025603560456055606560756085609561056115612561356145615561656175618561956205621562256235624562556265627562856295630563156325633563456355636563756385639564056415642564356445645564656475648564956505651565256535654565556565657565856595660566156625663566456655666566756685669567056715672567356745675567656775678567956805681568256835684568556865687568856895690569156925693569456955696569756985699570057015702570357045705570657075708570957105711571257135714571557165717571857195720572157225723572457255726572757285729573057315732573357345735573657375738573957405741574257435744574557465747574857495750575157525753575457555756575757585759576057615762576357645765576657675768576957705771577257735774577557765777577857795780578157825783 |
- /* ssl_load.c
- *
- * Copyright (C) 2006-2023 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- #ifdef HAVE_CONFIG_H
- #include <config.h>
- #endif
- #include <wolfssl/wolfcrypt/settings.h>
- /*
- * WOLFSSL_SYS_CA_CERTS
- * Enables ability to load system CA certs from the OS via
- * wolfSSL_CTX_load_system_CA_certs.
- */
- #ifdef WOLFSSL_SYS_CA_CERTS
- #ifdef _WIN32
- #include <windows.h>
- #include <wincrypt.h>
- /* mingw gcc does not support pragma comment, and the
- * linking with crypt32 is handled in configure.ac */
- #if !defined(__MINGW32__) && !defined(__MINGW64__)
- #pragma comment(lib, "crypt32")
- #endif
- #endif
- #if defined(__APPLE__) && defined(HAVE_SECURITY_SECTRUSTSETTINGS_H)
- #include <Security/SecTrustSettings.h>
- #endif
- #endif /* WOLFSSL_SYS_CA_CERTS */
- #if !defined(WOLFSSL_SSL_LOAD_INCLUDED)
- #ifndef WOLFSSL_IGNORE_FILE_WARN
- #warning ssl_bn.c does not need to be compiled separately from ssl.c
- #endif
- #else
- #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
- /* PSK field of context when it exists. */
- #define CTX_HAVE_PSK(ctx) (ctx)->havePSK
- /* PSK field of ssl when it exists. */
- #define SSL_HAVE_PSK(ssl) (ssl)->options.havePSK
- #else
- /* Have PSK value when no field. */
- #define CTX_HAVE_PSK(ctx) 0
- /* Have PSK value when no field. */
- #define SSL_HAVE_PSK(ssl) 0
- #endif
- #ifdef NO_RSA
- /* Boolean for RSA available. */
- #define WOLFSSL_HAVE_RSA 0
- #else
- /* Boolean for RSA available. */
- #define WOLFSSL_HAVE_RSA 1
- #endif
- #ifndef NO_CERTS
- /* Private key size from ssl. */
- #define SSL_KEY_SZ(ssl) (ssl)->buffers.keySz
- #else
- /* Private key size not available. */
- #define SSL_KEY_SZ(ssl) 0
- #endif
- #ifdef HAVE_ANON
- /* Anonymous ciphersuite allowed field in context. */
- #define CTX_USE_ANON(ctx) (ctx)->useAnon
- #else
- /* Anonymous ciphersuite allowed field not in context. */
- #define CTX_USE_ANON(ctx) 0
- #endif
- #ifdef HAVE_PK_CALLBACKS
- #define WOLFSSL_IS_PRIV_PK_SET(ctx, ssl) \
- wolfSSL_CTX_IsPrivatePkSet(((ssl) == NULL) ? (ctx) : (ssl)->ctx)
- #else
- #define WOLFSSL_IS_PRIV_PK_SET(ctx, ssl) 0
- #endif
- /* Get the heap from the context or the ssl depending on which is available. */
- #define WOLFSSL_HEAP(ctx, ssl) \
- (((ctx) != NULL) ? (ctx)->heap : (((ssl) != NULL) ? (ssl)->heap : NULL))
- #ifndef NO_CERTS
- /* Get DER encoding from data in a buffer as a DerBuffer.
- *
- * @param [in] buff Buffer containing data.
- * @param [in] len Length of data in buffer.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @param [in] type Type of data:
- * CERT_TYPE, CA_TYPE, TRUSTED_PEER_TYPE,
- * PRIVATEKEY_TYPE or ALT_PRIVATEKEY_TYPE.
- * @param [in, out] info Info for encryption.
- * @param [in] heap Dynamic memory allocation hint.
- * @param [out] der Holds DER encoded data.
- * @return 0 on success.
- * @return NOT_COMPILED_IN when format is PEM and PEM not supported.
- * @return ASN_PARSE_E when format is ASN.1 and invalid DER encoding.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int DataToDerBuffer(const unsigned char* buff, word32 len, int format,
- int type, EncryptedInfo* info, void* heap, DerBuffer** der)
- {
- int ret;
- info->consumed = 0;
- /* Data in buffer has PEM format - extract DER data. */
- if (format == WOLFSSL_FILETYPE_PEM) {
- #ifdef WOLFSSL_PEM_TO_DER
- ret = PemToDer(buff, len, type, der, heap, info, NULL);
- if (ret != 0) {
- FreeDer(der);
- }
- #else
- ret = NOT_COMPILED_IN;
- #endif
- }
- /* Data in buffer is ASN.1 format - get first SEQ or OCT into der. */
- else {
- int length;
- word32 inOutIdx = 0;
- /* Get length of SEQ including header. */
- if ((info->consumed = wolfssl_der_length(buff, len)) > 0) {
- ret = 0;
- }
- /* Private keys may be wrapped in OCT when PKCS#8 wrapper removed.
- * TODO: is this really needed? */
- else if ((type == PRIVATEKEY_TYPE) &&
- (GetOctetString(buff, &inOutIdx, &length, len) >= 0)) {
- /* Include octet string DER header. */
- info->consumed = length + inOutIdx;
- ret = 0;
- }
- else {
- ret = ASN_PARSE_E;
- }
- if (ret == 0) {
- ret = AllocCopyDer(der, buff, (word32)info->consumed, type, heap);
- }
- }
- return ret;
- }
- /* Process a user's certificate.
- *
- * Puts the 3-byte length before certificate data as required for TLS.
- * CA certificates are added to the certificate manager.
- *
- * @param [in] cm Certificate manager.
- * @param [in, out] pDer DER encoded data.
- * @param [in] type Type of data. Valid values:
- * CERT_TYPE, CA_TYPE or TRUSTED_PEER_TYPE.
- * @param [in] verify How to verify certificate.
- * @param [out] chainBuffer Buffer to hold chain of certificates.
- * @param [in, out] pIdx On in, current index into chainBuffer.
- * On out, index after certificate added.
- * @param [in] bufferSz Size of buffer in bytes.
- * @return 0 on success.
- * @return BUFFER_E if chain buffer not big enough to hold certificate.
- */
- static int ProcessUserCert(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer,
- int type, int verify, byte* chainBuffer, word32* pIdx, word32 bufferSz)
- {
- int ret = 0;
- word32 idx = *pIdx;
- DerBuffer* der = *pDer;
- /* Check there is space for certificate in chainBuffer. */
- if ((ret == 0) && ((idx + der->length + CERT_HEADER_SZ) > bufferSz)) {
- WOLFSSL_MSG(" Cert Chain bigger than buffer. "
- "Consider increasing MAX_CHAIN_DEPTH");
- ret = BUFFER_E;
- }
- if (ret == 0) {
- /* 3-byte length. */
- c32to24(der->length, &chainBuffer[idx]);
- idx += CERT_HEADER_SZ;
- /* Add complete DER encoded certificate. */
- XMEMCPY(&chainBuffer[idx], der->buffer, der->length);
- idx += der->length;
- if (type == CA_TYPE) {
- /* Add CA to certificate manager */
- ret = AddCA(cm, pDer, WOLFSSL_USER_CA, verify);
- if (ret == 1) {
- ret = 0;
- }
- }
- }
- /* Update the index into chainBuffer. */
- *pIdx = idx;
- return ret;
- }
- /* Store the certificate chain buffer aganst WOLFSSL_CTX or WOLFSSL object.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] chainBuffer Buffer containing chain of certificates.
- * @param [in] len Length, in bytes, of data in buffer.
- * @param [in] cnt Number of certificates in chain.
- * @param [in] type Type of data. Valid values:
- * CERT_TYPE, CA_TYPE or CHAIN_CERT_TYPE.
- * @param [in] heap Dynamic memory allocation hint.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int ProcessUserChainRetain(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- const byte* chainBuffer, word32 len, int cnt, int type, void* heap)
- {
- int ret = 0;
- (void)cnt;
- /* Store in SSL object if available. */
- if (ssl != NULL) {
- /* Dispose of old chain if not reference to context's. */
- if (ssl->buffers.weOwnCertChain) {
- FreeDer(&ssl->buffers.certChain);
- }
- /* Allocate and copy the buffer into SSL object. */
- ret = AllocCopyDer(&ssl->buffers.certChain, chainBuffer, len, type,
- heap);
- ssl->buffers.weOwnCertChain = (ret == 0);
- #ifdef WOLFSSL_TLS13
- /* Update count of certificates in chain. */
- ssl->buffers.certChainCnt = cnt;
- #endif
- }
- /* Store in SSL context object if available. */
- else if (ctx != NULL) {
- /* Dispose of old chain and allocate and copy in new chain. */
- FreeDer(&ctx->certChain);
- /* Allocate and copy the buffer into SSL context object. */
- ret = AllocCopyDer(&ctx->certChain, chainBuffer, len, type, heap);
- #ifdef WOLFSSL_TLS13
- /* Update count of certificates in chain. */
- ctx->certChainCnt = cnt;
- #endif
- }
- return ret;
- }
- /* Process user cert chain to pass during the TLS handshake.
- *
- * If not a certificate type then data is ignored.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] buff Buffer holding certificates.
- * @param [in] sz Length of data in buffer.
- * @param [in] format Format of the certificate:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1
- * @param [in] type Type of certificate:
- * CA_TYPE, CERT_TYPE or CHAIN_CERT_TYPE
- * @param [out] used Number of bytes from buff used.
- * @param [in, out] info Encryption information.
- * @param [in] verify How to verify certificate.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when type is CA_TYPE and ctx is NULL.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int ProcessUserChain(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- const unsigned char* buff, long sz, int format, int type, long* used,
- EncryptedInfo* info, int verify)
- {
- int ret = 0;
- void* heap = WOLFSSL_HEAP(ctx, ssl);
- WOLFSSL_ENTER("ProcessUserChain");
- /* Validate parameters. */
- if ((type == CA_TYPE) && (ctx == NULL)) {
- WOLFSSL_MSG("Need context for CA load");
- ret = BAD_FUNC_ARG;
- }
- /* Ignore non-certificate types. */
- if ((ret == 0) && (type != CERT_TYPE) && (type != CHAIN_CERT_TYPE) &&
- (type != CA_TYPE)) {
- WOLFSSL_MSG("File type not a certificate");
- }
- /* Check we haven't consumed all the data. */
- else if ((ret == 0) && (info->consumed >= sz)) {
- WOLFSSL_MSG("Already consumed data");
- }
- else if (ret == 0) {
- #ifndef WOLFSSL_SMALL_STACK
- byte stackBuffer[FILE_BUFFER_SIZE];
- #endif
- StaticBuffer chain;
- long consumed = info->consumed;
- word32 idx = 0;
- int gotOne = 0;
- int cnt = 0;
- /* Calculate max possible size, including max headers */
- long maxSz = (sz - consumed) + (CERT_HEADER_SZ * MAX_CHAIN_DEPTH);
- /* Setup buffer to hold chain. */
- #ifdef WOLFSSL_SMALL_STACK
- static_buffer_init(&chain);
- #else
- static_buffer_init(&chain, stackBuffer, FILE_BUFFER_SIZE);
- #endif
- /* Make buffer big enough to support maximum size. */
- ret = static_buffer_set_size(&chain, (word32)maxSz, heap,
- DYNAMIC_TYPE_FILE);
- WOLFSSL_MSG("Processing Cert Chain");
- /* Keep parsing certificates will data available. */
- while ((ret == 0) && (consumed < sz)) {
- DerBuffer* part = NULL;
- /* Get a certificate as DER. */
- ret = DataToDerBuffer(buff + consumed, (word32)(sz - consumed),
- format, type, info, heap, &part);
- if (ret == 0) {
- /* Process the user certificate. */
- ret = ProcessUserCert(ctx->cm, &part, type, verify,
- chain.buffer, &idx, (word32)maxSz);
- }
- /* PEM may have trailing data that can be ignored. */
- if ((ret == ASN_NO_PEM_HEADER) && gotOne) {
- WOLFSSL_MSG("We got one good cert, so stuff at end ok");
- ret = 0;
- break;
- }
- /* Certificate data handled. */
- FreeDer(&part);
- if (ret == 0) {
- /* Update consumed length. */
- consumed += info->consumed;
- WOLFSSL_MSG(" Consumed another Cert in Chain");
- /* Update whether we got a user certificate. */
- gotOne |= (type != CA_TYPE);
- /* Update count of certificates added to chain. */
- cnt++;
- }
- }
- if (used != NULL) {
- /* Return the total consumed length. */
- *used = consumed;
- }
- /* Check whether there is data in the chain buffer. */
- if ((ret == 0) && (idx > 0)) {
- /* Put the chain buffer against the SSL or SSL context object. */
- ret = ProcessUserChainRetain(ctx, ssl, chain.buffer, idx, cnt, type,
- heap);
- }
- /* Dispose of chain buffer. */
- static_buffer_free(&chain, heap, DYNAMIC_TYPE_FILE);
- }
- WOLFSSL_LEAVE("ProcessUserChain", ret);
- return ret;
- }
- #ifndef NO_RSA
- #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
- (HAVE_FIPS_VERSION > 2))
- /* See if DER data is an RSA private key.
- *
- * Checks size meets minimum RSA key size.
- * This implementation uses less dynamic memory.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoding.
- * @param [in, out] keyFormat On in, expected format. 0 means unknown.
- * @param [in] devId Device identifier.
- * @param [out] keyType Type of key.
- * @param [out] keySize Size of key.
- * @return 0 on success or not an RSA key and format unknown.
- * @return RSA_KEY_SIZE_E when key size doesn't meet minimum required.
- */
- static int ProcessBufferTryDecodeRsa(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer* der, int* keyFormat, int devId, byte* keyType, int* keySize)
- {
- int ret;
- word32 idx;
- int keySz = 0;
- (void)devId;
- /* Validate we have an RSA private key and get key size. */
- idx = 0;
- ret = wc_RsaPrivateKeyValidate(der->buffer, &idx, &keySz, der->length);
- #ifdef WOLF_PRIVATE_KEY_ID
- /* If that didn't work then maybe a public key if device ID or callback. */
- if ((ret != 0) && ((devId != INVALID_DEVID) ||
- WOLFSSL_IS_PRIV_PK_SET(ctx, ssl))) {
- word32 nSz;
- /* Decode as an RSA public key. */
- idx = 0;
- ret = wc_RsaPublicKeyDecode_ex(der->buffer, &idx, der->length, NULL,
- &nSz, NULL, NULL);
- if (ret == 0) {
- keySz = (int)nSz;
- }
- }
- #endif
- if (ret == 0) {
- /* Get the minimum RSA key size from SSL or SSL context object. */
- int minRsaSz = ssl ? ssl->options.minRsaKeySz : ctx->minRsaKeySz;
- /* Format, type and size are known. */
- *keyFormat = RSAk;
- *keyType = rsa_sa_algo;
- *keySize = keySz;
- /* Check that the size of the RSA key is enough. */
- if (keySz < minRsaSz) {
- WOLFSSL_MSG("Private Key size too small");
- ret = RSA_KEY_SIZE_E;
- }
- /* No static ECC key possible. */
- if ((ssl != NULL) && (ssl->options.side == WOLFSSL_SERVER_END)) {
- ssl->options.haveStaticECC = 0;
- }
- }
- /* Not an RSA key but check whether we know what it is. */
- else if (*keyFormat == 0) {
- WOLFSSL_MSG("Not an RSA key");
- /* Format unknown so keep trying. */
- ret = 0;
- }
- return ret;
- }
- #else
- /* See if DER data is an RSA private key.
- *
- * Checks size meets minimum RSA key size.
- * This implementation uses more dynamic memory but supports older FIPS.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoding.
- * @param [in, out] keyFormat On in, expected format. 0 means unknown.
- * @param [in] heap Dynamic memory allocation hint.
- * @param [in] devId Device identifier.
- * @param [out] keyType Type of key.
- * @param [out] keySize Size of key.
- * @return 0 on success or not an RSA key and format unknown.
- * @return RSA_KEY_SIZE_E when key size doesn't meet minimum required.
- */
- static int ProcessBufferTryDecodeRsa(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer* der, int* keyFormat, void* heap, int devId, byte* keyType,
- int* keySize)
- {
- int ret;
- word32 idx;
- /* make sure RSA key can be used */
- #ifdef WOLFSSL_SMALL_STACK
- RsaKey* key;
- #else
- RsaKey key[1];
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- /* Allocate an RSA key to parse into so we can get size. */
- key = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA);
- if (key == NULL)
- return MEMORY_E;
- #endif
- /* Initialize the RSA key. */
- ret = wc_InitRsaKey_ex(key, heap, devId);
- if (ret == 0) {
- /* Check we have an RSA private key. */
- idx = 0;
- ret = wc_RsaPrivateKeyDecode(der->buffer, &idx, key, der->length);
- #ifdef WOLF_PRIVATE_KEY_ID
- /* If that didn't work then maybe a public key if device ID or callback.
- */
- if ((ret != 0) && ((devId != INVALID_DEVID) ||
- WOLFSSL_IS_PRIV_PK_SET(ctx, ssl))) {
- /* If that didn't work then maybe a public key if device ID or
- * callback. */
- idx = 0;
- ret = wc_RsaPublicKeyDecode(der->buffer, &idx, key, der->length);
- }
- #endif
- if (ret == 0) {
- /* Get the minimum RSA key size from SSL or SSL context object. */
- int minRsaSz = ssl ? ssl->options.minRsaKeySz : ctx->minRsaKeySz;
- int keySz = wc_RsaEncryptSize((RsaKey*)key);
- /* Format is known. */
- *keyFormat = RSAk;
- *keyType = rsa_sa_algo;
- *keySize = keySz;
- /* Check that the size of the RSA key is enough. */
- if (keySz < minRsaSz) {
- WOLFSSL_MSG("Private Key size too small");
- ret = RSA_KEY_SIZE_E;
- }
- /* No static ECC key possible. */
- if ((ssl != NULL) && (ssl->options.side == WOLFSSL_SERVER_END)) {
- ssl->options.haveStaticECC = 0;
- }
- }
- /* Not an RSA key but check whether we know what it is. */
- else if (*keyFormat == 0) {
- WOLFSSL_MSG("Not an RSA key");
- /* Format unknown so keep trying. */
- ret = 0;
- }
- /* Free dynamically allocated data in key. */
- wc_FreeRsaKey(key);
- }
- #ifdef WOLFSSL_SMALL_STACK
- /* Dispose of allocated key. */
- XFREE(key, heap, DYNAMIC_TYPE_RSA);
- #endif
- return ret;
- }
- #endif
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- /* See if DER data is an ECC private key.
- *
- * Checks size meets minimum ECC key size.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoding.
- * @param [in, out] keyFormat On in, expected format. 0 means unknown.
- * @param [in] heap Dynamic memory allocation hint.
- * @param [in] devId Device identifier.
- * @param [out] keyType Type of key.
- * @param [out] keySize Size of key.
- * @return 0 on success or not an ECC key and format unknown.
- * @return ECC_KEY_SIZE_E when ECC key size doesn't meet minimum required.
- */
- static int ProcessBufferTryDecodeEcc(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer* der, int* keyFormat, void* heap, int devId, byte* keyType,
- int* keySize)
- {
- int ret = 0;
- word32 idx;
- /* make sure ECC key can be used */
- #ifdef WOLFSSL_SMALL_STACK
- ecc_key* key;
- #else
- ecc_key key[1];
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- /* Allocate an ECC key to parse into. */
- key = (ecc_key*)XMALLOC(sizeof(ecc_key), heap, DYNAMIC_TYPE_ECC);
- if (key == NULL)
- return MEMORY_E;
- #endif
- /* Initialize ECC key. */
- if (wc_ecc_init_ex(key, heap, devId) == 0) {
- /* Decode as an ECC private key. */
- idx = 0;
- ret = wc_EccPrivateKeyDecode(der->buffer, &idx, key, der->length);
- #ifdef WOLF_PRIVATE_KEY_ID
- /* If that didn't work then maybe a public key if device ID or callback.
- */
- if ((ret != 0) && ((devId != INVALID_DEVID) ||
- WOLFSSL_IS_PRIV_PK_SET(ctx, ssl))) {
- /* Decode as an ECC public key. */
- idx = 0;
- ret = wc_EccPublicKeyDecode(der->buffer, &idx, key, der->length);
- }
- #endif
- if (ret == 0) {
- /* Get the minimum ECC key size from SSL or SSL context object. */
- int minKeySz = ssl ? ssl->options.minEccKeySz : ctx->minEccKeySz;
- int keySz = wc_ecc_size(key);
- /* Format is known. */
- *keyFormat = ECDSAk;
- #ifdef WOLFSSL_SM2
- if (key->dp->id == ECC_SM2P256V1) {
- *keyType = sm2_sa_algo;
- }
- else
- #endif
- {
- *keyType = ecc_dsa_sa_algo;
- }
- *keySize = keySz;
- /* Check that the size of the ECC key is enough. */
- if (keySz < minKeySz) {
- WOLFSSL_MSG("ECC private key too small");
- ret = ECC_KEY_SIZE_E;
- }
- /* Static ECC key possible. */
- if (ssl) {
- ssl->options.haveStaticECC = 1;
- }
- else {
- ctx->haveStaticECC = 1;
- }
- }
- /* Not an ECC key but check whether we know what it is. */
- else if (*keyFormat == 0) {
- WOLFSSL_MSG("Not an ECC key");
- /* Format unknown so keep trying. */
- ret = 0;
- }
- /* Free dynamically allocated data in key. */
- wc_ecc_free(key);
- }
- #ifdef WOLFSSL_SMALL_STACK
- /* Dispose of allocated key. */
- XFREE(key, heap, DYNAMIC_TYPE_ECC);
- #endif
- return ret;
- }
- #endif /* HAVE_ECC */
- #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
- /* See if DER data is an Ed25519 private key.
- *
- * Checks size meets minimum ECC key size.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoding.
- * @param [in, out] keyFormat On in, expected format. 0 means unknown.
- * @param [in] heap Dynamic memory allocation hint.
- * @param [in] devId Device identifier.
- * @param [out] keyType Type of key.
- * @param [out] keySize Size of key.
- * @return 0 on success or not an Ed25519 key and format unknown.
- * @return ECC_KEY_SIZE_E when key size doesn't meet minimum required.
- */
- static int ProcessBufferTryDecodeEd25519(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer* der, int* keyFormat, void* heap, int devId, byte* keyType,
- int* keySize)
- {
- int ret;
- word32 idx;
- /* make sure Ed25519 key can be used */
- #ifdef WOLFSSL_SMALL_STACK
- ed25519_key* key;
- #else
- ed25519_key key[1];
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- /* Allocate an Ed25519 key to parse into. */
- key = (ed25519_key*)XMALLOC(sizeof(ed25519_key), heap,
- DYNAMIC_TYPE_ED25519);
- if (key == NULL)
- return MEMORY_E;
- #endif
- /* Initialize Ed25519 key. */
- ret = wc_ed25519_init_ex(key, heap, devId);
- if (ret == 0) {
- /* Decode as an Ed25519 private key. */
- idx = 0;
- ret = wc_Ed25519PrivateKeyDecode(der->buffer, &idx, key, der->length);
- #ifdef WOLF_PRIVATE_KEY_ID
- /* If that didn't work then maybe a public key if device ID or callback.
- */
- if ((ret != 0) && ((devId != INVALID_DEVID) ||
- WOLFSSL_IS_PRIV_PK_SET(ctx, ssl))) {
- /* Decode as an Ed25519 public key. */
- idx = 0;
- ret = wc_Ed25519PublicKeyDecode(der->buffer, &idx, key,
- der->length);
- }
- #endif
- if (ret == 0) {
- /* Get the minimum ECC key size from SSL or SSL context object. */
- int minKeySz = ssl ? ssl->options.minEccKeySz : ctx->minEccKeySz;
- /* Format is known. */
- *keyFormat = ED25519k;
- *keyType = ed25519_sa_algo;
- *keySize = ED25519_KEY_SIZE;
- /* Check that the size of the ECC key is enough. */
- if (ED25519_KEY_SIZE < minKeySz) {
- WOLFSSL_MSG("ED25519 private key too small");
- ret = ECC_KEY_SIZE_E;
- }
- if (ssl != NULL) {
- #if !defined(WOLFSSL_NO_CLIENT_AUTH) && !defined(NO_ED25519_CLIENT_AUTH)
- /* Ed25519 requires caching enabled for tracking message
- * hash used in EdDSA_Update for signing */
- ssl->options.cacheMessages = 1;
- #endif
- }
- }
- /* Not an Ed25519 key but check whether we know what it is. */
- else if (*keyFormat == 0) {
- WOLFSSL_MSG("Not an Ed25519 key");
- /* Format unknown so keep trying. */
- ret = 0;
- }
- /* Free dynamically allocated data in key. */
- wc_ed25519_free(key);
- }
- #ifdef WOLFSSL_SMALL_STACK
- /* Dispose of allocated key. */
- XFREE(key, heap, DYNAMIC_TYPE_ED25519);
- #endif
- return ret;
- }
- #endif /* HAVE_ED25519 && HAVE_ED25519_KEY_IMPORT */
- #if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT)
- /* See if DER data is an Ed448 private key.
- *
- * Checks size meets minimum ECC key size.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoding.
- * @param [in, out] keyFormat On in, expected format. 0 means unknown.
- * @param [in] heap Dynamic memory allocation hint.
- * @param [in] devId Device identifier.
- * @param [out] keyType Type of key.
- * @param [out] keySize Size of key.
- * @return 0 on success or not an Ed448 key and format unknown.
- * @return ECC_KEY_SIZE_E when key size doesn't meet minimum required.
- */
- static int ProcessBufferTryDecodeEd448(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer* der, int* keyFormat, void* heap, int devId, byte* keyType,
- int* keySize)
- {
- int ret;
- word32 idx;
- /* make sure Ed448 key can be used */
- #ifdef WOLFSSL_SMALL_STACK
- ed448_key* key = NULL;
- #else
- ed448_key key[1];
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- /* Allocate an Ed448 key to parse into. */
- key = (ed448_key*)XMALLOC(sizeof(ed448_key), heap, DYNAMIC_TYPE_ED448);
- if (key == NULL)
- return MEMORY_E;
- #endif
- /* Initialize Ed448 key. */
- ret = wc_ed448_init_ex(key, heap, devId);
- if (ret == 0) {
- /* Decode as an Ed448 private key. */
- idx = 0;
- ret = wc_Ed448PrivateKeyDecode(der->buffer, &idx, key, der->length);
- #ifdef WOLF_PRIVATE_KEY_ID
- /* If that didn't work then maybe a public key if device ID or callback.
- */
- if ((ret != 0) && ((devId != INVALID_DEVID) ||
- WOLFSSL_IS_PRIV_PK_SET(ctx, ssl))) {
- /* Decode as an Ed448 public key. */
- idx = 0;
- ret = wc_Ed448PublicKeyDecode(der->buffer, &idx, key, der->length);
- }
- #endif
- if (ret == 0) {
- /* Get the minimum ECC key size from SSL or SSL context object. */
- int minKeySz = ssl ? ssl->options.minEccKeySz : ctx->minEccKeySz;
- /* Format is known. */
- *keyFormat = ED448k;
- *keyType = ed448_sa_algo;
- *keySize = ED448_KEY_SIZE;
- /* Check that the size of the ECC key is enough. */
- if (ED448_KEY_SIZE < minKeySz) {
- WOLFSSL_MSG("ED448 private key too small");
- ret = ECC_KEY_SIZE_E;
- }
- if (ssl != NULL) {
- /* Ed448 requires caching enabled for tracking message
- * hash used in EdDSA_Update for signing */
- ssl->options.cacheMessages = 1;
- }
- }
- /* Not an Ed448 key but check whether we know what it is. */
- else if (*keyFormat == 0) {
- WOLFSSL_MSG("Not an Ed448 key");
- /* Format unknown so keep trying. */
- ret = 0;
- }
- /* Free dynamically allocated data in key. */
- wc_ed448_free(key);
- }
- #ifdef WOLFSSL_SMALL_STACK
- /* Dispose of allocated key. */
- XFREE(key, heap, DYNAMIC_TYPE_ED448);
- #endif
- return ret;
- }
- #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- /* See if DER data is an Falcon private key.
- *
- * Checks size meets minimum Falcon key size.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoding.
- * @param [in, out] keyFormat On in, expected format. 0 means unknown.
- * @param [in] heap Dynamic memory allocation hint.
- * @param [in] devId Device identifier.
- * @param [out] keyType Type of key.
- * @param [out] keySize Size of key.
- * @return 0 on success or not an Falcon key and format unknown.
- * @return FALCON_KEY_SIZE_E when key size doesn't meet minimum required.
- */
- static int ProcessBufferTryDecodeFalcon(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer* der, int* keyFormat, void* heap, byte* keyType, int* keySize)
- {
- int ret;
- falcon_key* key;
- /* Allocate a Falcon key to parse into. */
- key = (falcon_key*)XMALLOC(sizeof(falcon_key), heap, DYNAMIC_TYPE_FALCON);
- if (key == NULL) {
- return MEMORY_E;
- }
- /* Initialize Falcon key. */
- ret = wc_falcon_init(key);
- if (ret == 0) {
- /* Set up key to parse the format specified. */
- if (*keyFormat == FALCON_LEVEL1k) {
- ret = wc_falcon_set_level(key, 1);
- }
- else if (*keyFormat == FALCON_LEVEL5k) {
- ret = wc_falcon_set_level(key, 5);
- }
- else {
- /* What if *keyformat is 0? We might want to do something more
- * graceful here. */
- /* TODO: get the size of the private key for different formats and
- * compare with DER length. */
- wc_falcon_free(key);
- ret = ALGO_ID_E;
- }
- }
- if (ret == 0) {
- /* Decode as a Falcon private key. */
- ret = wc_falcon_import_private_only(der->buffer, der->length, key);
- if (ret == 0) {
- /* Get the minimum Falcon key size from SSL or SSL context object.
- */
- int minKeySz = ssl ? ssl->options.minFalconKeySz :
- ctx->minFalconKeySz;
- /* Format is known. */
- if (*keyFormat == FALCON_LEVEL1k) {
- *keyType = falcon_level1_sa_algo;
- *keySize = FALCON_LEVEL1_KEY_SIZE;
- }
- else {
- *keyType = falcon_level5_sa_algo;
- *keySize = FALCON_LEVEL5_KEY_SIZE;
- }
- /* Check that the size of the Falcon key is enough. */
- if (*keySize < minKeySz) {
- WOLFSSL_MSG("Falcon private key too small");
- ret = FALCON_KEY_SIZE_E;
- }
- }
- /* Not a Falcon key but check whether we know what it is. */
- else if (*keyFormat == 0) {
- WOLFSSL_MSG("Not a Falcon key");
- /* Format unknown so keep trying. */
- ret = 0;
- }
- /* Free dynamically allocated data in key. */
- wc_falcon_free(key);
- }
- /* Dispose of allocated key. */
- XFREE(key, heap, DYNAMIC_TYPE_FALCON);
- return ret;
- }
- #endif
- #if defined(HAVE_DILITHIUM)
- /* See if DER data is an Dilithium private key.
- *
- * Checks size meets minimum Falcon key size.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoding.
- * @param [in, out] keyFormat On in, expected format. 0 means unknown.
- * @param [in] heap Dynamic memory allocation hint.
- * @param [in] devId Device identifier.
- * @param [out] keyType Type of key.
- * @param [out] keySize Size of key.
- * @return 0 on success or not a Dilithium key and format unknown.
- * @return DILITHIUM_KEY_SIZE_E when key size doesn't meet minimum required.
- */
- static int ProcessBufferTryDecodeDilithium(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer* der, int* keyFormat, void* heap, byte* keyType, int* keySize)
- {
- int ret;
- dilithium_key* key;
- /* Allocate a Dilithium key to parse into. */
- key = (dilithium_key*)XMALLOC(sizeof(dilithium_key), heap,
- DYNAMIC_TYPE_DILITHIUM);
- if (key == NULL) {
- return MEMORY_E;
- }
- /* Initialize Dilithium key. */
- ret = wc_dilithium_init(key);
- if (ret == 0) {
- /* Set up key to parse the format specified. */
- if (*keyFormat == DILITHIUM_LEVEL2k) {
- ret = wc_dilithium_set_level(key, 2);
- }
- else if (*keyFormat == DILITHIUM_LEVEL3k) {
- ret = wc_dilithium_set_level(key, 3);
- }
- else if (*keyFormat == DILITHIUM_LEVEL5k) {
- ret = wc_dilithium_set_level(key, 5);
- }
- else {
- /* What if *keyformat is 0? We might want to do something more
- * graceful here. */
- /* TODO: get the size of the private key for different formats and
- * compare with DER length. */
- wc_dilithium_free(key);
- ret = ALGO_ID_E;
- }
- }
- if (ret == 0) {
- /* Decode as a Dilithium private key. */
- ret = wc_dilithium_import_private_only(der->buffer, der->length, key);
- if (ret == 0) {
- /* Get the minimum Dilithium key size from SSL or SSL context
- * object. */
- int minKeySz = ssl ? ssl->options.minDilithiumKeySz :
- ctx->minDilithiumKeySz;
- /* Format is known. */
- if (*keyFormat == DILITHIUM_LEVEL2k) {
- *keyType = dilithium_level2_sa_algo;
- *keySize = DILITHIUM_LEVEL2_KEY_SIZE;
- }
- else if (*keyFormat == DILITHIUM_LEVEL3k) {
- *keyType = dilithium_level3_sa_algo;
- *keySize = DILITHIUM_LEVEL3_KEY_SIZE;
- }
- else if (*keyFormat == DILITHIUM_LEVEL5k) {
- *keyType = dilithium_level5_sa_algo;
- *keySize = DILITHIUM_LEVEL5_KEY_SIZE;
- }
- /* Check that the size of the Dilithium key is enough. */
- if (*keySize < minKeySz) {
- WOLFSSL_MSG("Dilithium private key too small");
- ret = DILITHIUM_KEY_SIZE_E;
- }
- }
- /* Not a Dilithium key but check whether we know what it is. */
- else if (*keyFormat == 0) {
- WOLFSSL_MSG("Not a Dilithium key");
- /* Format unknown so keep trying. */
- ret = 0;
- }
- /* Free dynamically allocated data in key. */
- wc_dilithium_free(key);
- }
- /* Dispose of allocated key. */
- XFREE(key, heap, DYNAMIC_TYPE_DILITHIUM);
- return ret;
- }
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- /* Try to decode DER data is a known private key.
- *
- * Checks size meets minimum for key type.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoding.
- * @param [in, out] keyFormat On in, expected format. 0 means unknown.
- * @param [in] heap Dynamic memory allocation hint.
- * @param [out] type Type of key:
- * PRIVATEKEY_TYPE or ALT_PRIVATEKEY_TYPE.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when der or keyFormat is NULL.
- * @return BAD_FUNC_ARG when ctx and ssl are NULL.
- * @return WOLFSSL_BAD_FILE when unable to identify the key format.
- */
- static int ProcessBufferTryDecode(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer* der, int* keyFormat, void* heap, int type)
- {
- int ret = 0;
- int devId = wolfSSL_CTX_GetDevId(ctx, ssl);
- byte* keyType = NULL;
- int* keySz = NULL;
- (void)heap;
- (void)devId;
- (void)type;
- /* Validate parameters. */
- if ((der == NULL) || (keyFormat == NULL)) {
- ret = BAD_FUNC_ARG;
- }
- /* Must have an SSL context or SSL object to use. */
- if ((ret == 0) && (ctx == NULL) && (ssl == NULL)) {
- ret = BAD_FUNC_ARG;
- }
- if (ret == 0) {
- /* Determine where to put key type and size in SSL or context object. */
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- if (type == ALT_PRIVATEKEY_TYPE) {
- if (ssl != NULL) {
- keyType = &ssl->buffers.altKeyType;
- keySz = &ssl->buffers.altKeySz;
- }
- else {
- keyType = &ctx->altPrivateKeyType;
- keySz = &ctx->altPrivateKeySz;
- }
- }
- else
- #endif
- /* Type is PRIVATEKEY_TYPE. */
- if (ssl != NULL) {
- keyType = &ssl->buffers.keyType;
- keySz = &ssl->buffers.keySz;
- }
- else {
- keyType = &ctx->privateKeyType;
- keySz = &ctx->privateKeySz;
- }
- }
- #ifndef NO_RSA
- /* Try RSA if key format is RSA or yet unknown. */
- if ((ret == 0) && ((*keyFormat == 0) || (*keyFormat == RSAk))) {
- #if !defined(HAVE_FIPS) || (defined(HAVE_FIPS_VERSION) && \
- (HAVE_FIPS_VERSION > 2))
- ret = ProcessBufferTryDecodeRsa(ctx, ssl, der, keyFormat, devId,
- keyType, keySz);
- #else
- ret = ProcessBufferTryDecodeRsa(ctx, ssl, der, keyFormat, heap, devId,
- keyType, keySz);
- #endif
- }
- #endif
- #ifdef HAVE_ECC
- /* Try ECC if key format is ECDSA or SM2, or yet unknown. */
- if ((ret == 0) && ((*keyFormat == 0) || (*keyFormat == ECDSAk)
- #ifdef WOLFSSL_SM2
- || (*keyFormat == SM2k)
- #endif
- )) {
- ret = ProcessBufferTryDecodeEcc(ctx, ssl, der, keyFormat, heap, devId,
- keyType, keySz);
- }
- #endif /* HAVE_ECC */
- #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
- /* Try Ed25519 if key format is Ed25519 or yet unknown. */
- if ((ret == 0) && ((*keyFormat == 0 || *keyFormat == ED25519k))) {
- ret = ProcessBufferTryDecodeEd25519(ctx, ssl, der, keyFormat, heap,
- devId, keyType, keySz);
- }
- #endif /* HAVE_ED25519 && HAVE_ED25519_KEY_IMPORT */
- #if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT)
- /* Try Ed448 if key format is Ed448 or yet unknown. */
- if ((ret == 0) && ((*keyFormat == 0 || *keyFormat == ED448k))) {
- ret = ProcessBufferTryDecodeEd448(ctx, ssl, der, keyFormat, heap, devId,
- keyType, keySz);
- }
- #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- /* Try Falcon if key format is Falcon level 1k or 5k or yet unknown. */
- if ((ret == 0) && ((*keyFormat == 0) || (*keyFormat == FALCON_LEVEL1k) ||
- (*keyFormat == FALCON_LEVEL5k))) {
- ret = ProcessBufferTryDecodeFalcon(ctx, ssl, der, keyFormat, heap,
- keyType, keySz);
- }
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- /* Try Falcon if key format is Dilithium level 2k, 3k or 5k or yet unknown.
- */
- if ((ret == 0) && ((*keyFormat == 0) || (*keyFormat == DILITHIUM_LEVEL2k) ||
- (*keyFormat == DILITHIUM_LEVEL3k) ||
- (*keyFormat == DILITHIUM_LEVEL5k))) {
- ret = ProcessBufferTryDecodeDilithium(ctx, ssl, der, keyFormat, heap,
- keyType, keySz);
- }
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- /* Check we know the format. */
- if ((ret == 0) && (*keyFormat == 0)) {
- WOLFSSL_MSG("Not a supported key type");
- /* Not supported key format. */
- ret = WOLFSSL_BAD_FILE;
- }
- return ret;
- }
- #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)
- /* Decrypt PKCS#8 private key.
- *
- * @param [in] info Encryption information.
- * @param [in] der DER encoded data.
- * @param [in] heap Dynamic memory allocation hint.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int ProcessBufferPrivPkcs8Dec(EncryptedInfo* info, DerBuffer* der,
- void* heap)
- {
- int ret = 0;
- word32 algId;
- int passwordSz = NAME_SZ;
- #ifndef WOLFSSL_SMALL_STACK
- char password[NAME_SZ];
- #else
- char* password;
- #endif
- (void)heap;
- #ifdef WOLFSSL_SMALL_STACK
- /* Allocate memory for password. */
- password = (char*)XMALLOC(passwordSz, heap, DYNAMIC_TYPE_STRING);
- if (password == NULL) {
- ret = MEMORY_E;
- }
- #endif
- if (ret == 0) {
- /* Get password. */
- ret = info->passwd_cb(password, passwordSz, PEM_PASS_READ,
- info->passwd_userdata);
- }
- if (ret >= 0) {
- /* Returned value is password size. */
- passwordSz = ret;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("ProcessBuffer password", password, passwordSz);
- #endif
- /* Decrypt PKCS#8 private key inline and get algorithm id. */
- ret = ToTraditionalEnc(der->buffer, der->length, password, passwordSz,
- &algId);
- }
- if (ret >= 0) {
- /* Zero out encrypted data not overwritten. */
- ForceZero(der->buffer + ret, der->length - ret);
- /* Set decrypted data length. */
- der->length = ret;
- }
- /* Ensure password is zeroized. */
- ForceZero(password, passwordSz);
- #ifdef WOLFSSL_SMALL_STACK
- /* Dispose of password memory. */
- XFREE(password, heap, DYNAMIC_TYPE_STRING);
- #elif defined(WOLFSSL_CHECK_MEM_ZERO)
- wc_MemZero_Check(password, NAME_SZ);
- #endif
- return ret;
- }
- #endif /* WOLFSSL_ENCRYPTED_KEYS && !NO_PWDBASED */
- /* Put the DER into the SSL or SSL context object.
- *
- * Precondition: ctx or ssl is not NULL.
- * Precondition: Must be a private key type.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoding.
- */
- static void ProcessBufferPrivKeyHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer** der, int type)
- {
- (void)type;
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- if (type == ALT_PRIVATEKEY_TYPE) {
- /* Put in alternate private key fields of objects. */
- if (ssl != NULL) {
- /* Dispose of previous key if not context's. */
- if (ssl->buffers.weOwnAltKey) {
- FreeDer(&ssl->buffers.altKey);
- }
- ssl->buffers.altKeyId = 0;
- ssl->buffers.altKeyLabel = 0;
- ssl->buffers.altKeyDevId = INVALID_DEVID;
- /* Store key by reference and own it. */
- ssl->buffers.altKey = *der;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("SSL Buffers key", (*der)->buffer, (*der)->length);
- #endif
- ssl->buffers.weOwnAltKey = 1;
- }
- else if (ctx != NULL) {
- /* Dispose of previous key. */
- FreeDer(&ctx->altPrivateKey);
- ctx->altPrivateKeyId = 0;
- ctx->altPrivateKeyLabel = 0;
- ctx->altPrivateKeyDevId = INVALID_DEVID;
- /* Store key by reference. */
- ctx->altPrivateKey = *der;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("CTX private key", (*der)->buffer, (*der)->length);
- #endif
- }
- }
- else
- #endif /* WOLFSSL_DUAL_ALG_CERTS */
- if (ssl != NULL) {
- /* Dispose of previous key if not context's. */
- if (ssl->buffers.weOwnKey) {
- FreeDer(&ssl->buffers.key);
- }
- ssl->buffers.keyId = 0;
- ssl->buffers.keyLabel = 0;
- ssl->buffers.keyDevId = INVALID_DEVID;
- /* Store key by reference and own it. */
- ssl->buffers.key = *der;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("SSL Buffers key", (*der)->buffer, (*der)->length);
- #endif
- ssl->buffers.weOwnKey = 1;
- }
- else if (ctx != NULL) {
- /* Dispose of previous key. */
- FreeDer(&ctx->privateKey);
- ctx->privateKeyId = 0;
- ctx->privateKeyLabel = 0;
- ctx->privateKeyDevId = INVALID_DEVID;
- /* Store key by reference. */
- ctx->privateKey = *der;
- #ifdef WOLFSSL_CHECK_MEM_ZERO
- wc_MemZero_Add("CTX private key", (*der)->buffer, (*der)->length);
- #endif
- }
- }
- /* Decode private key.
- *
- * Precondition: ctx or ssl is not NULL.
- * Precondition: Must be a private key type.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoding.
- * @param [in] format Original format of data.
- * @param [in] info Encryption information.
- * @param [in] heap Dynamic memory allocation hint.
- * @param [in] type Type of data:
- * PRIVATEKEY_TYPE or ALT_PRIVATEKEY_TYPE.
- * @return 0 on success.
- * @return WOLFSSL_BAD_FILE when not able to decode.
- */
- static int ProcessBufferPrivateKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer* der, int format, EncryptedInfo* info, void* heap, int type)
- {
- int ret;
- int keyFormat = 0;
- #if (defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)) || \
- defined(HAVE_PKCS8)
- word32 algId = 0;
- #endif
- (void)info;
- (void)format;
- #ifdef HAVE_PKCS8
- /* Try and remove PKCS8 header and get algorithm id. */
- ret = ToTraditional_ex(der->buffer, der->length, &algId);
- if (ret > 0) {
- /* Header stripped inline. */
- der->length = ret;
- keyFormat = algId;
- }
- #endif
- /* Put the data into the SSL or SSL context object. */
- ProcessBufferPrivKeyHandleDer(ctx, ssl, &der, type);
- /* Try to decode the DER data. */
- ret = ProcessBufferTryDecode(ctx, ssl, der, &keyFormat, heap, type);
- #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)
- /* If private key type PKCS8 header wasn't already removed (algId == 0). */
- if (((ret != 0) || (keyFormat == 0)) && (format != WOLFSSL_FILETYPE_PEM) &&
- (info->passwd_cb != NULL) && (algId == 0)) {
- /* Try to decrypt DER data as a PKCS#8 private key. */
- ret = ProcessBufferPrivPkcs8Dec(info, der, heap);
- if (ret >= 0) {
- /* Try to decode decrypted data. */
- ret = ProcessBufferTryDecode(ctx, ssl, der, &keyFormat, heap, type);
- }
- }
- #endif /* WOLFSSL_ENCRYPTED_KEYS && !NO_PWDBASED */
- /* Check if we were able to determine key format. */
- if ((ret == 0) && (keyFormat == 0)) {
- #ifdef OPENSSL_EXTRA
- /* Decryption password is probably wrong. */
- if (info->passwd_cb) {
- EVPerr(0, EVP_R_BAD_DECRYPT);
- }
- #endif
- WOLFSSL_ERROR(WOLFSSL_BAD_FILE);
- /* Unable to decode DER data. */
- ret = WOLFSSL_BAD_FILE;
- }
- return ret;
- }
- /* Use the key OID to determine have options.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] keyOID OID for public/private key.
- */
- static void wolfssl_set_have_from_key_oid(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- int keyOID)
- {
- /* Set which private key algorithm available based on key OID. */
- switch (keyOID) {
- case ECDSAk:
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- case SM2k:
- #endif
- #ifdef HAVE_ED25519
- case ED25519k:
- #endif
- #ifdef HAVE_ED448
- case ED448k:
- #endif
- if (ssl != NULL) {
- ssl->options.haveECC = 1;
- }
- else {
- ctx->haveECC = 1;
- }
- break;
- #ifndef NO_RSA
- case RSAk:
- #ifdef WC_RSA_PSS
- case RSAPSSk:
- #endif
- if (ssl != NULL) {
- ssl->options.haveRSA = 1;
- }
- else {
- ctx->haveRSA = 1;
- }
- break;
- #endif
- #ifdef HAVE_PQC
- #ifdef HAVE_FALCON
- case FALCON_LEVEL1k:
- case FALCON_LEVEL5k:
- if (ssl != NULL) {
- ssl->options.haveFalconSig = 1;
- }
- else {
- ctx->haveFalconSig = 1;
- }
- break;
- #endif /* HAVE_FALCON */
- #ifdef HAVE_DILITHIUM
- case DILITHIUM_LEVEL2k:
- case DILITHIUM_LEVEL3k:
- case DILITHIUM_LEVEL5k:
- if (ssl != NULL) {
- ssl->options.haveDilithiumSig = 1;
- }
- else {
- ctx->haveDilithiumSig = 1;
- }
- break;
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- default:
- WOLFSSL_MSG("Cert key not supported");
- break;
- }
- }
- /* Set which private key algorithm we have against SSL or SSL context object.
- *
- * Precondition: ctx or ssl is not NULL.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] cert Decode certificate.
- */
- static void ProcessBufferCertSetHave(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DecodedCert* cert)
- {
- if (ssl != NULL) {
- /* Reset signatures we have in SSL. */
- ssl->options.haveECDSAsig = 0;
- ssl->options.haveFalconSig = 0;
- ssl->options.haveDilithiumSig = 0;
- }
- /* Set which signature we have based on the type in the cert. */
- switch (cert->signatureOID) {
- case CTC_SHAwECDSA:
- case CTC_SHA256wECDSA:
- case CTC_SHA384wECDSA:
- case CTC_SHA512wECDSA:
- #ifdef HAVE_ED25519
- case CTC_ED25519:
- #endif
- #ifdef HAVE_ED448
- case CTC_ED448:
- #endif
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- case CTC_SM3wSM2:
- #endif
- WOLFSSL_MSG("ECDSA/ED25519/ED448 cert signature");
- if (ssl) {
- ssl->options.haveECDSAsig = 1;
- }
- else if (ctx) {
- ctx->haveECDSAsig = 1;
- }
- break;
- #ifdef HAVE_PQC
- #ifdef HAVE_FALCON
- case CTC_FALCON_LEVEL1:
- case CTC_FALCON_LEVEL5:
- WOLFSSL_MSG("Falcon cert signature");
- if (ssl) {
- ssl->options.haveFalconSig = 1;
- }
- else if (ctx) {
- ctx->haveFalconSig = 1;
- }
- break;
- #endif
- #ifdef HAVE_DILITHIUM
- case CTC_DILITHIUM_LEVEL2:
- case CTC_DILITHIUM_LEVEL3:
- case CTC_DILITHIUM_LEVEL5:
- WOLFSSL_MSG("Dilithium cert signature");
- if (ssl) {
- ssl->options.haveDilithiumSig = 1;
- }
- else if (ctx) {
- ctx->haveDilithiumSig = 1;
- }
- break;
- #endif
- #endif
- default:
- WOLFSSL_MSG("Cert signature not supported");
- break;
- }
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
- (defined(HAVE_PQC) && defined(HAVE_LIBOQS)) || !defined(NO_RSA)
- #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
- /* Set the private key curve OID. */
- if (ssl != NULL) {
- ssl->pkCurveOID = cert->pkCurveOID;
- }
- else if (ctx) {
- ctx->pkCurveOID = cert->pkCurveOID;
- }
- #endif
- #ifndef WC_STRICT_SIG
- wolfssl_set_have_from_key_oid(ctx, ssl, cert->keyOID);
- #else
- /* Set whether ECC is available baed on signature available. */
- if (ssl != NULL) {
- ssl->options.haveECC = ssl->options.haveECDSAsig;
- }
- else if (ctx) {
- ctx->haveECC = ctx->haveECDSAsig;
- }
- #endif /* !WC_STRICT_SIG */
- #endif
- }
- /* Check key size is valid.
- *
- * Precondition: ctx or ssl is not NULL.
- *
- * @param [in] min Minimum key size.
- * @param [in] max Maximum key size.
- * @param [in] keySz Key size.
- * @param [in] err Error value to return when key size is invalid.
- * @return 0 on success.
- * @return err when verifying and min is less than 0 or key size is invalid.
- */
- #define CHECK_KEY_SZ(min, max, keySz, err) \
- (((min) < 0) || ((keySz) < (min)) || ((keySz) > (max))) ? (err) : 0
- /* Check public key in certificate.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] cert Certificate object.
- * @return 0 on success.
- * @return Non-zero when an error occurred.
- */
- static int ProcessBufferCertPublicKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DecodedCert* cert, int checkKeySz)
- {
- int ret = 0;
- #ifdef WOLF_PRIVATE_KEY_ID
- byte keyType = 0;
- #endif
- int keySz = 0;
- #ifndef NO_RSA
- word32 idx;
- #endif
- /* Get key size and check unless not verifying. */
- switch (cert->keyOID) {
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case RSAPSSk:
- #endif
- case RSAk:
- #ifdef WOLF_PRIVATE_KEY_ID
- keyType = rsa_sa_algo;
- #endif
- /* Determine RSA key size by parsing public key */
- idx = 0;
- ret = wc_RsaPublicKeyDecode_ex(cert->publicKey, &idx,
- cert->pubKeySize, NULL, (word32*)&keySz, NULL, NULL);
- if ((ret == 0) && checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minRsaKeySz :
- ctx->minRsaKeySz, RSA_MAX_SIZE / 8, keySz, RSA_KEY_SIZE_E);
- }
- break;
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- case ECDSAk:
- #ifdef WOLF_PRIVATE_KEY_ID
- keyType = ecc_dsa_sa_algo;
- #endif
- /* Determine ECC key size based on curve */
- #ifdef WOLFSSL_CUSTOM_CURVES
- if ((cert->pkCurveOID == 0) && (cert->pkCurveSize != 0)) {
- keySz = cert->pkCurveSize;
- }
- else
- #endif
- {
- keySz = wc_ecc_get_curve_size_from_id(wc_ecc_get_oid(
- cert->pkCurveOID, NULL, NULL));
- }
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minEccKeySz :
- ctx->minEccKeySz, (MAX_ECC_BITS + 7) / 8, keySz,
- ECC_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_ECC */
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- case SM2k:
- #ifdef WOLF_PRIVATE_KEY_ID
- keyType = sm2_sa_algo;
- #endif
- /* Determine ECC key size based on curve */
- keySz = WOLFSSL_SM2_KEY_BITS / 8;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minEccKeySz :
- ctx->minEccKeySz, (MAX_ECC_BITS + 7) / 8, keySz,
- ECC_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_ED25519
- case ED25519k:
- #ifdef WOLF_PRIVATE_KEY_ID
- keyType = ed25519_sa_algo;
- #endif
- /* ED25519 is fixed key size */
- keySz = ED25519_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minEccKeySz :
- ctx->minEccKeySz, ED25519_KEY_SIZE, keySz, ECC_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_ED448
- case ED448k:
- #ifdef WOLF_PRIVATE_KEY_ID
- keyType = ed448_sa_algo;
- #endif
- /* ED448 is fixed key size */
- keySz = ED448_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minEccKeySz :
- ctx->minEccKeySz, ED448_KEY_SIZE, keySz, ECC_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_ED448 */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- case FALCON_LEVEL1k:
- #ifdef WOLF_PRIVATE_KEY_ID
- keyType = falcon_level1_sa_algo;
- #endif
- /* Falcon is fixed key size */
- keySz = FALCON_LEVEL1_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minFalconKeySz :
- ctx->minFalconKeySz, FALCON_MAX_KEY_SIZE, keySz,
- FALCON_KEY_SIZE_E);
- }
- break;
- case FALCON_LEVEL5k:
- #ifdef WOLF_PRIVATE_KEY_ID
- keyType = falcon_level5_sa_algo;
- #endif
- /* Falcon is fixed key size */
- keySz = FALCON_MAX_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minFalconKeySz :
- ctx->minFalconKeySz, FALCON_MAX_KEY_SIZE, keySz,
- FALCON_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- case DILITHIUM_LEVEL2k:
- #ifdef WOLF_PRIVATE_KEY_ID
- keyType = dilithium_level2_sa_algo;
- #endif
- /* Dilithium is fixed key size */
- keySz = DILITHIUM_MAX_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minDilithiumKeySz :
- ctx->minDilithiumKeySz, DILITHIUM_MAX_KEY_SIZE, keySz,
- DILITHIUM_KEY_SIZE_E);
- }
- break;
- case DILITHIUM_LEVEL3k:
- #ifdef WOLF_PRIVATE_KEY_ID
- keyType = dilithium_level3_sa_algo;
- #endif
- /* Dilithium is fixed key size */
- keySz = DILITHIUM_MAX_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minDilithiumKeySz :
- ctx->minDilithiumKeySz, DILITHIUM_MAX_KEY_SIZE, keySz,
- DILITHIUM_KEY_SIZE_E);
- }
- break;
- case DILITHIUM_LEVEL5k:
- #ifdef WOLF_PRIVATE_KEY_ID
- keyType = dilithium_level5_sa_algo;
- #endif
- /* Dilithium is fixed key size */
- keySz = DILITHIUM_MAX_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minDilithiumKeySz :
- ctx->minDilithiumKeySz, DILITHIUM_MAX_KEY_SIZE, keySz,
- DILITHIUM_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- default:
- WOLFSSL_MSG("No key size check done on public key in certificate");
- break;
- }
- #ifdef WOLF_PRIVATE_KEY_ID
- /* Store the type and key size as there may not be a private key set. */
- if (ssl != NULL) {
- ssl->buffers.keyType = keyType;
- ssl->buffers.keySz = keySz;
- }
- else {
- ctx->privateKeyType = keyType;
- ctx->privateKeySz = keySz;
- }
- #endif
- return ret;
- }
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- static int ProcessBufferCertAltPublicKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DecodedCert* cert, int checkKeySz)
- {
- int ret = 0;
- byte keyType = 0;
- int keySz = 0;
- #ifndef NO_RSA
- word32 idx;
- #endif
- /* Check alternative key size of cert. */
- switch (cert->sapkiOID) {
- /* No OID set. */
- case 0:
- if (cert->sapkiLen != 0) {
- /* Have the alternative key data but no OID. */
- ret = NOT_COMPILED_IN;
- }
- break;
- #ifndef NO_RSA
- #ifdef WC_RSA_PSS
- case RSAPSSk:
- #endif
- case RSAk:
- keyType = rsa_sa_algo;
- /* Determine RSA key size by parsing public key */
- idx = 0;
- ret = wc_RsaPublicKeyDecode_ex(cert->sapkiDer, &idx,
- cert->sapkiLen, NULL, (word32*)&keySz, NULL, NULL);
- if ((ret == 0) && checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minRsaKeySz :
- ctx->minRsaKeySz, RSA_MAX_SIZE / 8, keySz, RSA_KEY_SIZE_E);
- }
- break;
- #endif /* !NO_RSA */
- #ifdef HAVE_ECC
- case ECDSAk:
- {
- #ifdef WOLFSSL_SMALL_STACK
- ecc_key* temp_key = NULL;
- #else
- ecc_key temp_key[1];
- #endif
- keyType = ecc_dsa_sa_algo;
- #ifdef WOLFSSL_SMALL_STACK
- temp_key = (ecc_key*)XMALLOC(sizeof(ecc_key), heap,
- DYNAMIC_TYPE_ECC);
- if (temp_key == NULL) {
- ret = MEMORY_E;
- }
- #endif
- /* Determine ECC key size. We have to decode the sapki for
- * that. */
- if (ret == 0) {
- ret = wc_ecc_init_ex(temp_key, heap, INVALID_DEVID);
- if (ret == 0) {
- idx = 0;
- ret = wc_EccPublicKeyDecode(cert->sapkiDer, &idx, temp_key,
- cert->sapkiLen);
- if (ret == 0) {
- keySz = wc_ecc_size(temp_key);
- }
- wc_ecc_free(temp_key);
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- XFREE(temp_key, heap, DYNAMIC_TYPE_ECC);
- #endif
- if ((ret == 0) && checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minEccKeySz :
- ctx->minEccKeySz, (MAX_ECC_BITS + 7) / 8, keySz,
- ECC_KEY_SIZE_E);
- }
- break;
- }
- #endif /* HAVE_ECC */
- #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
- case SM2k:
- keyType = sm2_sa_algo;
- /* Determine ECC key size based on curve */
- keySz = WOLFSSL_SM2_KEY_BITS / 8;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minEccKeySz :
- ctx->minEccKeySz, (MAX_ECC_BITS + 7) / 8, keySz,
- ECC_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_ED25519
- case ED25519k:
- keyType = ed25519_sa_algo;
- /* ED25519 is fixed key size */
- keySz = ED25519_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minEccKeySz :
- ctx->minEccKeySz, ED25519_KEY_SIZE, keySz, ECC_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_ED25519 */
- #ifdef HAVE_ED448
- case ED448k:
- keyType = ed448_sa_algo;
- /* ED448 is fixed key size */
- keySz = ED448_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minEccKeySz :
- ctx->minEccKeySz, ED448_KEY_SIZE, keySz, ECC_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_ED448 */
- #if defined(HAVE_PQC)
- #if defined(HAVE_FALCON)
- case FALCON_LEVEL1k:
- keyType = falcon_level1_sa_algo;
- /* Falcon is fixed key size */
- keySz = FALCON_LEVEL1_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minFalconKeySz :
- ctx->minFalconKeySz, FALCON_MAX_KEY_SIZE, keySz,
- FALCON_KEY_SIZE_E);
- }
- break;
- case FALCON_LEVEL5k:
- keyType = falcon_level5_sa_algo;
- /* Falcon is fixed key size */
- keySz = FALCON_LEVEL5_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minFalconKeySz :
- ctx->minFalconKeySz, FALCON_MAX_KEY_SIZE, keySz,
- FALCON_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_FALCON */
- #if defined(HAVE_DILITHIUM)
- case DILITHIUM_LEVEL2k:
- keyType = dilithium_level2_sa_algo;
- /* Dilithium is fixed key size */
- keySz = DILITHIUM_LEVEL2_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minDilithiumKeySz :
- ctx->minDilithiumKeySz, DILITHIUM_MAX_KEY_SIZE, keySz,
- DILITHIUM_KEY_SIZE_E);
- }
- break;
- case DILITHIUM_LEVEL3k:
- keyType = dilithium_level3_sa_algo;
- /* Dilithium is fixed key size */
- keySz = DILITHIUM_LEVEL3_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minDilithiumKeySz :
- ctx->minDilithiumKeySz, DILITHIUM_MAX_KEY_SIZE, keySz,
- DILITHIUM_KEY_SIZE_E);
- }
- break;
- case DILITHIUM_LEVEL5k:
- keyType = dilithium_level5_sa_algo;
- /* Dilithium is fixed key size */
- keySz = DILITHIUM_LEVEL5_KEY_SIZE;
- if (checkKeySz) {
- ret = CHECK_KEY_SZ(ssl ? ssl->options.minDilithiumKeySz :
- ctx->minDilithiumKeySz, DILITHIUM_MAX_KEY_SIZE, keySz,
- DILITHIUM_KEY_SIZE_E);
- }
- break;
- #endif /* HAVE_DILITHIUM */
- #endif /* HAVE_PQC */
- default:
- /* In this case, there was an OID that we didn't recognize.
- * This is an error. Use not compiled in because likely the
- * given algorithm was not enabled. */
- ret = NOT_COMPILED_IN;
- WOLFSSL_MSG("No alt key size check done on certificate");
- break;
- }
- if (ssl != NULL) {
- ssl->buffers.altKeyType = (byte)keyType;
- ssl->buffers.altKeySz = keySz;
- }
- else if (ctx != NULL) {
- ctx->altPrivateKeyType = (byte)keyType;
- ctx->altPrivateKeySz = keySz;
- }
- return ret;
- }
- #endif /* WOLFSSL_DUAL_ALG_CERTS */
- /* Parse the certificate and pull out information for TLS handshake.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoded X509 certificate.
- * @return 0 on success.
- * @return MEMORY_E when dynamic memory allocation fails.
- * @return WOLFSSL_BAD_FILE when decoding certificate fails.
- */
- static int ProcessBufferCert(WOLFSSL_CTX* ctx, WOLFSSL* ssl, DerBuffer* der)
- {
- int ret = 0;
- void* heap = WOLFSSL_HEAP(ctx, ssl);
- #if defined(HAVE_RPK)
- RpkState* rpkState = ssl ? &ssl->options.rpkState : &ctx->rpkState;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- DecodedCert* cert;
- #else
- DecodedCert cert[1];
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- /* Allocate memory for certificate to be decoded into. */
- cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), heap, DYNAMIC_TYPE_DCERT);
- if (cert == NULL) {
- ret = MEMORY_E;
- }
- if (ret == 0)
- #endif
- {
- /* Get device id from SSL context or SSL object. */
- int devId = wolfSSL_CTX_GetDevId(ctx, ssl);
- WOLFSSL_MSG("Checking cert signature type");
- /* Initialize certificate object. */
- InitDecodedCert_ex(cert, der->buffer, der->length, heap, devId);
- /* Decode up to and including public key. */
- if (DecodeToKey(cert, 0) < 0) {
- WOLFSSL_MSG("Decode to key failed");
- ret = WOLFSSL_BAD_FILE;
- }
- if (ret == 0) {
- int checkKeySz = 1;
- #if defined(HAVE_RPK)
- /* Store whether the crtificate is a raw public key. */
- rpkState->isRPKLoaded = cert->isRPK;
- #endif /* HAVE_RPK */
- /* Set which private key algorithm we have. */
- ProcessBufferCertSetHave(ctx, ssl, cert);
- /* Don't check if verification is disabled for SSL. */
- if ((ssl != NULL) && ssl->options.verifyNone) {
- checkKeySz = 0;
- }
- /* Don't check if no SSL object verification is disabled for SSL
- * context. */
- else if ((ssl == NULL) && ctx->verifyNone) {
- checkKeySz = 0;
- }
- /* Check public key size. */
- ret = ProcessBufferCertPublicKey(ctx, ssl, cert, checkKeySz);
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- if (ret == 0) {
- ret = ProcessBufferCertAltPublicKey(ctx, ssl, cert, checkKeySz);
- }
- #endif
- }
- }
- /* Dispose of dynamic memory in certificate object. */
- FreeDecodedCert(cert);
- #ifdef WOLFSSL_SMALL_STACK
- /* Dispose of certificate object. */
- XFREE(cert, heap, DYNAMIC_TYPE_DCERT);
- #endif
- return ret;
- }
- /* Handle storing the DER encoding of the certificate.
- *
- * Do not free der outside of this function.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] der DER encoded certificate.
- * @param [in] type Type of data:
- * CERT_TYPE, CA_TYPE or TRUSTED_PEER_TYPE.
- * @param [in] verify What verification to do.
- * @return 0 on success.
- * @return BAD_FUNC_ARG when type is CA_TYPE and ctx is NULL.
- * @return WOLFSSL_BAD_CERTTYPE when data type is not supported.
- */
- static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- DerBuffer* der, int type, int verify)
- {
- int ret = 0;
- /* CA certificate to verify with. */
- if (type == CA_TYPE) {
- /* verify CA unless user set to no verify */
- ret = AddCA(ctx->cm, &der, WOLFSSL_USER_CA, verify);
- if (ret == 1) {
- ret = 0;
- }
- }
- #ifdef WOLFSSL_TRUST_PEER_CERT
- /* Trusted certificate to verify peer with. */
- else if (type == TRUSTED_PEER_TYPE) {
- WOLFSSL_CERT_MANAGER* cm;
- /* Get certificate manager to add certificate to. */
- if (ctx != NULL) {
- cm = ctx->cm;
- }
- else {
- SSL_CM_WARNING(ssl);
- cm = SSL_CM(ssl);
- }
- /* Add certificate as a trusted peer. */
- ret = AddTrustedPeer(cm, &der, verify);
- if (ret != 1) {
- WOLFSSL_MSG("Error adding trusted peer");
- }
- }
- #endif /* WOLFSSL_TRUST_PEER_CERT */
- /* Leaf certificate - our certificate. */
- else if (type == CERT_TYPE) {
- if (ssl != NULL) {
- /* Free previous certificate if we own it. */
- if (ssl->buffers.weOwnCert) {
- FreeDer(&ssl->buffers.certificate);
- #ifdef KEEP_OUR_CERT
- /* Dispose of X509 version of certificate. */
- wolfSSL_X509_free(ssl->ourCert);
- ssl->ourCert = NULL;
- #endif
- }
- /* Store certificate as ours. */
- ssl->buffers.certificate = der;
- #ifdef KEEP_OUR_CERT
- ssl->keepCert = 1; /* hold cert for ssl lifetime */
- #endif
- /* We have to free the certificate buffer. */
- ssl->buffers.weOwnCert = 1;
- /* ourCert is created on demand. */
- }
- else if (ctx != NULL) {
- /* Free previous certificate. */
- FreeDer(&ctx->certificate); /* Make sure previous is free'd */
- #ifdef KEEP_OUR_CERT
- /* Dispose of X509 version of certificate if we own it. */
- if (ctx->ownOurCert) {
- wolfSSL_X509_free(ctx->ourCert);
- }
- ctx->ourCert = NULL;
- #endif
- /* Store certificate as ours. */
- ctx->certificate = der;
- /* ourCert is created on demand. */
- }
- }
- else {
- /* Dispose of DER buffer. */
- FreeDer(&der);
- /* Not a certificate type supported. */
- ret = WOLFSSL_BAD_CERTTYPE;
- }
- return ret;
- }
- /* Process certificate based on type.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] buff Buffer holding original data.
- * @param [in] sz Size of data in buffer.
- * @param [in] der DER encoding of certificate.
- * @param [in] format Format of data.
- * @param [in] type Type of data:
- * CERT_TYPE, CA_TYPE or TRUSTED_PEER_TYPE.
- * @param [in] verify What verification to do.
- * @return 0 on success.
- * @return WOLFSSL_FATAL_ERROR on failure.
- */
- static int ProcessBufferCertTypes(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- const unsigned char* buff, long sz, DerBuffer* der, int format, int type,
- int verify)
- {
- int ret;
- (void)buff;
- (void)sz;
- (void)format;
- ret = ProcessBufferCertHandleDer(ctx, ssl, der, type, verify);
- if ((ret == 0) && (type == CERT_TYPE)) {
- /* Process leaf certificate. */
- ret = ProcessBufferCert(ctx, ssl, der);
- }
- #if !defined(NO_WOLFSSL_CM_VERIFY) && (!defined(NO_WOLFSSL_CLIENT) || \
- !defined(WOLFSSL_NO_CLIENT_AUTH))
- /* Hand bad CA or user certificate to callback. */
- if ((ret < 0) && ((type == CA_TYPE) || (type == CERT_TYPE))) {
- /* Check for verification callback that may override error. */
- if ((ctx != NULL) && (ctx->cm != NULL) &&
- (ctx->cm->verifyCallback != NULL)) {
- /* Verify and use callback. */
- ret = CM_VerifyBuffer_ex(ctx->cm, buff, sz, format, ret);
- /* Convert error. */
- if (ret == 0) {
- ret = WOLFSSL_FATAL_ERROR;
- }
- if (ret == 1) {
- ret = 0;
- }
- }
- }
- #endif /* NO_WOLFSSL_CM_VERIFY */
- return ret;
- }
- /* Reset the cipher suites based on updated private key or certificate.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] type Type of certificate.
- * @return 0 on success.
- * @return WOLFSSL_FATAL_ERROR when allocation fails.
- */
- static int ProcessBufferResetSuites(WOLFSSL_CTX* ctx, WOLFSSL* ssl, int type)
- {
- int ret = 0;
- /* Reset suites of SSL object. */
- if (ssl != NULL) {
- if (ssl->options.side == WOLFSSL_SERVER_END) {
- /* Allocate memory for suites. */
- if (AllocateSuites(ssl) != 0) {
- ret = WOLFSSL_FATAL_ERROR;
- }
- else {
- /* Determine cipher suites based on what we have. */
- InitSuites(ssl->suites, ssl->version, ssl->buffers.keySz,
- WOLFSSL_HAVE_RSA, SSL_HAVE_PSK(ssl), ssl->options.haveDH,
- ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE,
- ssl->options.haveStaticECC, ssl->options.haveFalconSig,
- ssl->options.haveDilithiumSig, ssl->options.useAnon, TRUE,
- ssl->options.side);
- }
- }
- }
- /* Reset suites of SSL context object. */
- else if ((type == CERT_TYPE) && (ctx->method->side == WOLFSSL_SERVER_END)) {
- /* Allocate memory for suites. */
- if (AllocateCtxSuites(ctx) != 0) {
- ret = WOLFSSL_FATAL_ERROR;
- }
- else {
- /* Determine cipher suites based on what we have. */
- InitSuites(ctx->suites, ctx->method->version, ctx->privateKeySz,
- WOLFSSL_HAVE_RSA, CTX_HAVE_PSK(ctx), ctx->haveDH,
- ctx->haveECDSAsig, ctx->haveECC, TRUE, ctx->haveStaticECC,
- ctx->haveFalconSig, ctx->haveDilithiumSig, CTX_USE_ANON(ctx),
- TRUE, ctx->method->side);
- }
- }
- return ret;
- }
- #ifndef WOLFSSL_DUAL_ALG_CERTS
- /* Determine whether the type is for a private key. */
- #define IS_PRIVKEY_TYPE(type) ((type) == PRIVATEKEY_TYPE)
- #else
- /* Determine whether the type is for a private key. */
- #define IS_PRIVKEY_TYPE(type) (((type) == PRIVATEKEY_TYPE) || \
- ((type) == ALT_PRIVATEKEY_TYPE))
- #endif
- /* Process a buffer of data.
- *
- * Data type is a private key or a certificate.
- * The format can be ASN.1 (DER) or PEM.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] buff Buffer holding data.
- * @param [in] sz Size of data in buffer.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @param [in] type Type of data:
- * CERT_TYPE, CA_TYPE, TRUSTED_PEER_TYPE,
- * PRIVATEKEY_TYPE or ALT_PRIVATEKEY_TYPE.
- * @param [in, out] ssl SSL object.
- * @param [out] used Number of bytes consumed.
- * @param [in[ userChain Whether this certificate is for user's chain.
- * @param [in] verify How to verify certificate.
- * @return 1 on success.
- * @return Less than 1 on failure.
- */
- int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz,
- int format, int type, WOLFSSL* ssl, long* used, int userChain, int verify)
- {
- DerBuffer* der = NULL;
- int ret = 0;
- void* heap = WOLFSSL_HEAP(ctx, ssl);
- #ifdef WOLFSSL_SMALL_STACK
- EncryptedInfo* info = NULL;
- #else
- EncryptedInfo info[1];
- #endif
- WOLFSSL_ENTER("ProcessBuffer");
- /* Check data format is supported. */
- if ((format != WOLFSSL_FILETYPE_ASN1) && (format != WOLFSSL_FILETYPE_PEM)) {
- ret = WOLFSSL_BAD_FILETYPE;
- }
- /* Need an object to store certificate into. */
- if ((ret == 0) && (ctx == NULL) && (ssl == NULL)) {
- ret = BAD_FUNC_ARG;
- }
- /* CA certificates go into the SSL context object. */
- if ((ret == 0) && (ctx == NULL) && (type == CA_TYPE)) {
- ret = BAD_FUNC_ARG;
- }
- /* This API does not handle CHAIN_CERT_TYPE */
- if ((ret == 0) && (type == CHAIN_CERT_TYPE)) {
- ret = BAD_FUNC_ARG;
- }
- #ifdef WOLFSSL_SMALL_STACK
- if (ret == 0) {
- /* Allocate memory for encryption information. */
- info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), heap,
- DYNAMIC_TYPE_ENCRYPTEDINFO);
- if (info == NULL) {
- ret = MEMORY_E;
- }
- }
- #endif
- if (ret == 0) {
- /* Initialize encryption information. */
- XMEMSET(info, 0, sizeof(EncryptedInfo));
- #if defined(WOLFSSL_ENCRYPTED_KEYS) && !defined(NO_PWDBASED)
- if (ctx != NULL) {
- info->passwd_cb = ctx->passwd_cb;
- info->passwd_userdata = ctx->passwd_userdata;
- }
- #endif
- /* Get the DER data for a private key or certificate. */
- ret = DataToDerBuffer(buff, (word32)sz, format, type, info, heap, &der);
- if (used != NULL) {
- /* Update to amount used/consumed. */
- *used = info->consumed;
- }
- #ifdef WOLFSSL_SMALL_STACK
- if (ret != 0) {
- /* Info no longer needed as loading failed. */
- XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO);
- }
- #endif
- }
- if ((ret == 0) && IS_PRIVKEY_TYPE(type)) {
- /* Process the private key. */
- ret = ProcessBufferPrivateKey(ctx, ssl, der, format, info, heap, type);
- #ifdef WOLFSSL_SMALL_STACK
- /* Info no longer needed - keep max memory usage down. */
- XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO);
- #endif
- }
- else if (ret == 0) {
- /* Processing a cerificate. */
- if (userChain) {
- /* Take original buffer and add to user chain to send in TLS
- * handshake. */
- ret = ProcessUserChain(ctx, ssl, buff, sz, format, type, used, info,
- verify);
- /* Additional chain is optional */
- if (ret == ASN_NO_PEM_HEADER) {
- unsigned long pemErr = 0;
- CLEAR_ASN_NO_PEM_HEADER_ERROR(pemErr);
- ret = 0;
- }
- }
- #ifdef WOLFSSL_SMALL_STACK
- /* Info no longer needed - keep max memory usage down. */
- XFREE(info, heap, DYNAMIC_TYPE_ENCRYPTEDINFO);
- #endif
- if (ret == 0) {
- /* Process the different types of certificates. */
- ret = ProcessBufferCertTypes(ctx, ssl, buff, sz, der, format, type,
- verify);
- }
- }
- /* Reset suites if this is a private key or user certificate. */
- if ((ret == 0) && ((type == PRIVATEKEY_TYPE) || (type == CERT_TYPE))) {
- ret = ProcessBufferResetSuites(ctx, ssl, type);
- }
- /* Convert return code. */
- if (ret == 0) {
- ret = 1;
- }
- else if (ret == WOLFSSL_FATAL_ERROR) {
- ret = 0;
- }
- WOLFSSL_LEAVE("ProcessBuffer", ret);
- return ret;
- }
- #if defined(WOLFSSL_WPAS) && defined(HAVE_CRL)
- /* Try to parse data as a PEM CRL.
- *
- * @param [in] ctx SSL context object.
- * @param [in] buff Buffer containing potential CRL in PEM format.
- * @param [in] sz Amount of data in buffer remaining.
- * @param [out] consumed Number of bytes in buffer was the CRL.
- * @return 0 on success.
- */
- static int ProcessChainBufferCRL(WOLFSSL_CTX* ctx, const unsigned char* buff,
- long sz, long* consumed)
- {
- int ret;
- DerBuffer* der = NULL;
- EncryptedInfo info;
- WOLFSSL_MSG("Trying a CRL");
- ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, NULL);
- if (ret == 0) {
- WOLFSSL_MSG(" Processed a CRL");
- wolfSSL_CertManagerLoadCRLBuffer(ctx->cm, der->buffer, der->length,
- WOLFSSL_FILETYPE_ASN1);
- FreeDer(&der);
- *consumed = info.consumed;
- }
- return ret;
- }
- #endif
- /* Process all chain certificates (and CRLs) in the PEM data.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] buff Buffer containing PEM data.
- * @param [in] sz Size of data in buffer.
- * @param [in] type Type of data.
- * @param [in] verify How to verify certificate.
- * @return 1 on success.
- * @return 0 on failure.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int ProcessChainBuffer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- const unsigned char* buff, long sz, int type, int verify)
- {
- int ret = 0;
- long used = 0;
- int gotOne = 0;
- WOLFSSL_MSG("Processing CA PEM file");
- /* Keep processing file while no errors and data to parse. */
- while ((ret >= 0) && (used < sz)) {
- long consumed = 0;
- /* Process the buffer. */
- ret = ProcessBuffer(ctx, buff + used, sz - used, WOLFSSL_FILETYPE_PEM,
- type, ssl, &consumed, 0, verify);
- /* Memory allocation failure is fatal. */
- if (ret == MEMORY_E) {
- gotOne = 0;
- }
- /* Other error parsing. */
- else if (ret < 0) {
- #if defined(WOLFSSL_WPAS) && defined(HAVE_CRL)
- /* Try parsing a CRL. */
- if (ProcessChainBufferCRL(ctx, buff + used, sz - used,
- &consumed) == 0) {
- ret = 0;
- }
- else
- #endif
- /* Check whether we made progress. */
- if (consumed > 0) {
- WOLFSSL_ERROR(ret);
- WOLFSSL_MSG("CA Parse failed, with progress in file.");
- WOLFSSL_MSG("Search for other certs in file");
- /* Check if we have more data to parse to recover. */
- if (used + consumed < sz) {
- ret = 0;
- }
- }
- else {
- /* No progress in parsing being made - stop here. */
- WOLFSSL_MSG("CA Parse failed, no progress in file.");
- WOLFSSL_MSG("Do not continue search for other certs in file");
- }
- }
- else {
- /* Got a certificate out. */
- WOLFSSL_MSG(" Processed a CA");
- gotOne = 1;
- }
- /* Update used count. */
- used += consumed;
- }
- /* May have other unparsable data but did we get a certificate? */
- if (gotOne) {
- WOLFSSL_MSG("Processed at least one valid CA. Other stuff OK");
- ret = 1;
- }
- return ret;
- }
- /* Get verify settings for AddCA from SSL context. */
- #define GET_VERIFY_SETTING_CTX(ctx) \
- ((ctx) && (ctx)->verifyNone ? NO_VERIFY : VERIFY)
- /* Get verify settings for AddCA from SSL. */
- #define GET_VERIFY_SETTING_SSL(ssl) \
- ((ssl)->options.verifyNone ? NO_VERIFY : VERIFY)
- #ifndef NO_FILESYSTEM
- /* Process data from a file as private keys, CRL or certificates.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] fname Name of file to read.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @param [in] type Type of data:
- * CERT_TYPE, CA_TYPE, TRUSTED_PEER_TYPE,
- * PRIVATEKEY_TYPE or ALT_PRIVATEKEY_TYPE.
- * @param [in, out] ssl SSL object.
- * @param [in] userChain Whether file contains chain of certificates.
- * @param [in, out] crl CRL object to load data into.
- * @param [in] verify How to verify certificates.
- * @return 1 on success.
- * @return WOLFSSL_BAD_FILE when reading the file fails.
- * @return WOLFSSL_BAD_CERTTYPE when unable to detect certificate type.
- */
- int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
- WOLFSSL* ssl, int userChain, WOLFSSL_CRL* crl, int verify)
- {
- int ret = 0;
- #ifndef WOLFSSL_SMALL_STACK
- byte stackBuffer[FILE_BUFFER_SIZE];
- #endif
- StaticBuffer content;
- long sz = 0;
- void* heap = WOLFSSL_HEAP(ctx, ssl);
- (void)crl;
- (void)heap;
- #ifdef WOLFSSL_SMALL_STACK
- static_buffer_init(&content);
- #else
- static_buffer_init(&content, stackBuffer, FILE_BUFFER_SIZE);
- #endif
- /* Read file into static buffer. */
- ret = wolfssl_read_file_static(fname, &content, heap, DYNAMIC_TYPE_FILE,
- &sz);
- if ((ret == 0) && (type == DETECT_CERT_TYPE) &&
- (format != WOLFSSL_FILETYPE_PEM)) {
- WOLFSSL_MSG("Cannot detect certificate type when not PEM");
- ret = WOLFSSL_BAD_CERTTYPE;
- }
- /* Try to detect type by parsing cert header and footer. */
- if ((ret == 0) && (type == DETECT_CERT_TYPE)) {
- #ifndef NO_CODING
- const char* header = NULL;
- const char* footer = NULL;
- /* Look for CA header and footer - same as CERT_TYPE. */
- if (wc_PemGetHeaderFooter(CA_TYPE, &header, &footer) == 0 &&
- (XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) {
- type = CA_TYPE;
- }
- #ifdef HAVE_CRL
- /* Look for CRL header and footer. */
- else if (wc_PemGetHeaderFooter(CRL_TYPE, &header, &footer) == 0 &&
- (XSTRNSTR((char*)content.buffer, header, (word32)sz) != NULL)) {
- type = CRL_TYPE;
- }
- #endif
- /* Look for cert header and footer - same as CA_TYPE. */
- else if (wc_PemGetHeaderFooter(CERT_TYPE, &header, &footer) == 0 &&
- (XSTRNSTR((char*)content.buffer, header, (word32)sz) !=
- NULL)) {
- type = CERT_TYPE;
- }
- else
- #endif
- {
- /* Not a header that we support. */
- WOLFSSL_MSG("Failed to detect certificate type");
- ret = WOLFSSL_BAD_CERTTYPE;
- }
- }
- if (ret == 0) {
- /* When CA or trusted peer and PEM - process as a chain buffer. */
- if (((type == CA_TYPE) || (type == TRUSTED_PEER_TYPE)) &&
- (format == WOLFSSL_FILETYPE_PEM)) {
- ret = ProcessChainBuffer(ctx, ssl, content.buffer, sz, type,
- verify);
- }
- #ifdef HAVE_CRL
- else if (type == CRL_TYPE) {
- /* Load the CRL. */
- ret = BufferLoadCRL(crl, content.buffer, sz, format, verify);
- }
- #endif
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- else if (type == PRIVATEKEY_TYPE) {
- /* Load all other certificate types. */
- ret = ProcessBuffer(ctx, content.buffer, sz, format, type, ssl,
- NULL, userChain, verify);
- if ((ret == 1) && (consumed < sz)) {
- ret = ProcessBuffer(ctx, content.buffer + consumed,
- sz - consumed, format, ALT_PRIVATEKEY_TYPE, ssl, NULL, 0,
- verify);
- }
- }
- #endif
- else {
- /* Load all other certificate types. */
- ret = ProcessBuffer(ctx, content.buffer, sz, format, type, ssl,
- NULL, userChain, verify);
- }
- }
- /* Dispose of dynamically allocated data. */
- static_buffer_free(&content, heap, DYNAMIC_TYPE_FILE);
- return ret;
- }
- #ifndef NO_WOLFSSL_DIR
- /* Load file when filename is in the path.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] name Name of file.
- * @param [in] verify How to verify a certificate.
- * @param [in] flags Flags representing options for loading.
- * @param [in, out] failCount Number of files that failed to load.
- * @param [in, out] successCount Number of files successfully loaded.
- * @return 1 on success.
- * @return Not 1 when loading PEM certificate failed.
- */
- static int wolfssl_ctx_load_path_file(WOLFSSL_CTX* ctx, const char* name,
- int verify, int flags, int* failCount, int* successCount)
- {
- int ret;
- /* Attempt to load file as a CA. */
- ret = ProcessFile(ctx, name, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0, NULL,
- verify);
- if (ret != 1) {
- /* When ignoring errors or loading PEM only and no PEM. don't fail. */
- if ((flags & WOLFSSL_LOAD_FLAG_IGNORE_ERR) ||
- ((flags & WOLFSSL_LOAD_FLAG_PEM_CA_ONLY) &&
- (ret == ASN_NO_PEM_HEADER))) {
- unsigned long err = 0;
- CLEAR_ASN_NO_PEM_HEADER_ERROR(err);
- #if defined(WOLFSSL_QT)
- ret = 1;
- #endif
- }
- else {
- WOLFSSL_ERROR(ret);
- WOLFSSL_MSG("Load CA file failed, continuing");
- /* Add to fail count. */
- (*failCount)++;
- }
- }
- else {
- #if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
- /* Try loading as a trusted peer certificate. */
- ret = wolfSSL_CTX_trust_peer_cert(ctx, name, WOLFSSL_FILETYPE_PEM);
- if (ret != 1) {
- WOLFSSL_MSG("wolfSSL_CTX_trust_peer_cert error. "
- "Ignoring this error.");
- }
- #endif
- /* Add to success count. */
- (*successCount)++;
- }
- return ret;
- }
- /* Load PEM formatted CA files from a path.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] path Path to directory to read.
- * @param [in] flags Flags representing options for loading.
- * @param [in] verify How to verify a certificate.
- * @param [in] successCount Number of files successfully loaded.
- * @return 1 on success.
- * @return 0 on failure.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int wolfssl_ctx_load_path(WOLFSSL_CTX* ctx, const char* path,
- word32 flags, int verify, int successCount)
- {
- int ret = 1;
- char* name = NULL;
- int fileRet;
- int failCount = 0;
- #ifdef WOLFSSL_SMALL_STACK
- ReadDirCtx* readCtx;
- #else
- ReadDirCtx readCtx[1];
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- /* Allocate memory for directory reading context. */
- readCtx = (ReadDirCtx*)XMALLOC(sizeof(ReadDirCtx), ctx->heap,
- DYNAMIC_TYPE_DIRCTX);
- if (readCtx == NULL) {
- ret = MEMORY_E;
- }
- #endif
- if (ret == 1) {
- /* Get name of first file in path. */
- fileRet = wc_ReadDirFirst(readCtx, path, &name);
- /* While getting filename doesn't fail and name returned, process file.
- */
- while ((fileRet == 0) && (name != NULL)) {
- WOLFSSL_MSG(name);
- /* Load file. */
- ret = wolfssl_ctx_load_path_file(ctx, name, verify, flags,
- &failCount, &successCount);
- /* Get next filenmae. */
- fileRet = wc_ReadDirNext(readCtx, path, &name);
- }
- /* Cleanup directory reading context. */
- wc_ReadDirClose(readCtx);
- /* When not WOLFSSL_QT, ret is always overwritten. */
- (void)ret;
- /* Return real directory read failure error codes. */
- if (fileRet != WC_READDIR_NOFILE) {
- ret = fileRet;
- #if defined(WOLFSSL_QT) || defined(WOLFSSL_IGNORE_BAD_CERT_PATH)
- /* Ignore bad path error when flag set. */
- if ((ret == BAD_PATH_ERROR) &&
- (flags & WOLFSSL_LOAD_FLAG_IGNORE_BAD_PATH_ERR)) {
- /* QSslSocket always loads certs in system folder
- * when it is initialized.
- * Compliant with OpenSSL when flag set.
- */
- ret = 1;
- }
- else {
- /* qssl socket wants to know errors. */
- WOLFSSL_ERROR(ret);
- }
- #endif
- }
- /* Report failure if no files successfully loaded or there were
- * failures. */
- else if ((successCount == 0) || (failCount > 0)) {
- /* Use existing error code if exists. */
- #if defined(WOLFSSL_QT)
- /* Compliant with OpenSSL when flag set. */
- if (!(flags & WOLFSSL_LOAD_FLAG_IGNORE_ZEROFILE))
- #endif
- {
- /* Return 0 when no files loaded. */
- ret = 0;
- }
- }
- else {
- /* We loaded something so it is a success. */
- ret = 1;
- }
- #ifdef WOLFSSL_SMALL_STACK
- /* Dispose of dynamically allocated memory. */
- XFREE(readCtx, ctx->heap, DYNAMIC_TYPE_DIRCTX);
- #endif
- }
- return ret;
- }
- #endif
- /* Load a file and/or files in path
- *
- * No c_rehash.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] file Name of file to load. May be NULL.
- * @param [in] path Path to directory containing PEM CA files.
- * May be NULL.
- * @param [in] flags Flags representing options for loading.
- * @return 1 on success.
- * @return 0 on failure.
- * @return NOT_COMPILED_IN when directory reading not supported and path is
- * not NULL.
- * @return Other negative on error.
- */
- int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
- const char* path, word32 flags)
- {
- int ret = 1;
- #ifndef NO_WOLFSSL_DIR
- int successCount = 0;
- #endif
- int verify = WOLFSSL_VERIFY_DEFAULT;
- WOLFSSL_MSG("wolfSSL_CTX_load_verify_locations_ex");
- /* Validate parameters. */
- if ((ctx == NULL) || ((file == NULL) && (path == NULL))) {
- ret = 0;
- }
- if (ret == 1) {
- /* Get setting on how to verify certificates. */
- verify = GET_VERIFY_SETTING_CTX(ctx);
- /* Overwrite setting when flag set. */
- if (flags & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) {
- verify = VERIFY_SKIP_DATE;
- }
- if (file != NULL) {
- /* Load the PEM formatted CA file. */
- ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0,
- NULL, verify);
- #ifndef NO_WOLFSSL_DIR
- if (ret == 1) {
- /* Include success in overall count. */
- successCount++;
- }
- #endif
- #if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
- /* Load CA as a trusted peer certificate. */
- ret = wolfSSL_CTX_trust_peer_cert(ctx, file, WOLFSSL_FILETYPE_PEM);
- if (ret != 1) {
- WOLFSSL_MSG("wolfSSL_CTX_trust_peer_cert error");
- }
- #endif
- }
- }
- if ((ret == 1) && (path != NULL)) {
- #ifndef NO_WOLFSSL_DIR
- /* Load CA files form path. */
- ret = wolfssl_ctx_load_path(ctx, path, flags, verify, successCount);
- #else
- /* Loading a path not supported. */
- ret = NOT_COMPILED_IN;
- (void)flags;
- #endif
- }
- return ret;
- }
- /* Load a file and/or files in path
- *
- * No c_rehash.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] file Name of file to load. May be NULL.
- * @param [in] path Path to directory containing PEM CA files.
- * May be NULL.
- * @return 1 on success.
- * @return 0 on failure.
- */
- WOLFSSL_ABI
- int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
- const char* path)
- {
- /* Load using default flags/options. */
- int ret = wolfSSL_CTX_load_verify_locations_ex(ctx, file, path,
- WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS);
- /* Return 1 on success or 0 on failure. */
- return WS_RETURN_CODE(ret, 0);
- }
- #ifdef WOLFSSL_SYS_CA_CERTS
- #ifdef USE_WINDOWS_API
- /* Load CA certificate from Windows store.
- *
- * Assumes loaded is 0.
- *
- * @param [in, out] ctx SSL context object.
- * @param [out] loaded Whether CA certificates were loaded.
- * @return 1 on success.
- * @return 0 on failure.
- */
- static int LoadSystemCaCertsWindows(WOLFSSL_CTX* ctx, byte* loaded)
- {
- int ret = 1;
- word32 i;
- HANDLE handle = NULL;
- PCCERT_CONTEXT certCtx = NULL;
- LPCSTR storeNames[2] = {"ROOT", "CA"};
- HCRYPTPROV_LEGACY hProv = (HCRYPTPROV_LEGACY)NULL;
- if ((ctx == NULL) || (loaded == NULL)) {
- ret = 0;
- }
- for (i = 0; (ret == 0) && (i < sizeof(storeNames)/sizeof(*storeNames));
- ++i) {
- handle = CertOpenSystemStoreA(hProv, storeNames[i]);
- if (handle != NULL) {
- while ((certCtx = CertEnumCertificatesInStore(handle, certCtx))
- != NULL) {
- if (certCtx->dwCertEncodingType == X509_ASN_ENCODING) {
- if (ProcessBuffer(ctx, certCtx->pbCertEncoded,
- certCtx->cbCertEncoded, WOLFSSL_FILETYPE_ASN1,
- CA_TYPE, NULL, NULL, 0,
- GET_VERIFY_SETTING_CTX(ctx)) == 1) {
- /*
- * Set "loaded" as long as we've loaded one CA
- * cert.
- */
- *loaded = 1;
- }
- }
- }
- }
- else {
- WOLFSSL_MSG_EX("Failed to open cert store %s.", storeNames[i]);
- }
- if (handle != NULL && !CertCloseStore(handle, 0)) {
- WOLFSSL_MSG_EX("Failed to close cert store %s.", storeNames[i]);
- ret = 0;
- }
- }
- return ret;
- }
- #elif defined(__APPLE__)
- #if defined(HAVE_SECURITY_SECTRUSTSETTINGS_H) \
- && !defined(WOLFSSL_APPLE_NATIVE_CERT_VALIDATION)
- /* Manually obtains certificates from the system trust store and loads them
- * directly into wolfSSL "the old way".
- *
- * As of MacOS 14.0 we are still able to use this method to access system
- * certificates. Accessibility of this API is indicated by the presence of the
- * Security/SecTrustSettings.h header. In the likely event that Apple removes
- * access to this API on Macs, this function should be removed and the
- * DoAppleNativeCertValidation() routine should be used for all devices.
- *
- * Assumes loaded is 0.
- *
- * @param [in, out] ctx SSL context object.
- * @param [out] loaded Whether CA certificates were loaded.
- * @return 1 on success.
- * @return 0 on failure.
- */
- static int LoadSystemCaCertsMac(WOLFSSL_CTX* ctx, byte* loaded)
- {
- int ret = 1;
- word32 i;
- const unsigned int trustDomains[] = {
- kSecTrustSettingsDomainUser,
- kSecTrustSettingsDomainAdmin,
- kSecTrustSettingsDomainSystem
- };
- CFArrayRef certs;
- OSStatus stat;
- CFIndex numCerts;
- CFDataRef der;
- CFIndex j;
- if ((ctx == NULL) || (loaded == NULL)) {
- ret = 0;
- }
- for (i = 0; (ret == 1) && (i < sizeof(trustDomains)/sizeof(*trustDomains));
- ++i) {
- stat = SecTrustSettingsCopyCertificates(
- (SecTrustSettingsDomain)trustDomains[i], &certs);
- if (stat == errSecSuccess) {
- numCerts = CFArrayGetCount(certs);
- for (j = 0; j < numCerts; ++j) {
- der = SecCertificateCopyData((SecCertificateRef)
- CFArrayGetValueAtIndex(certs, j));
- if (der != NULL) {
- if (ProcessBuffer(ctx, CFDataGetBytePtr(der),
- CFDataGetLength(der), WOLFSSL_FILETYPE_ASN1,
- CA_TYPE, NULL, NULL, 0,
- GET_VERIFY_SETTING_CTX(ctx)) == 1) {
- /*
- * Set "loaded" as long as we've loaded one CA
- * cert.
- */
- *loaded = 1;
- }
- CFRelease(der);
- }
- }
- CFRelease(certs);
- }
- else if (stat == errSecNoTrustSettings) {
- WOLFSSL_MSG_EX("No trust settings for domain %d, moving to next "
- "domain.", trustDomains[i]);
- }
- else {
- WOLFSSL_MSG_EX("SecTrustSettingsCopyCertificates failed with"
- " status %d.", stat);
- ret = 0;
- break;
- }
- }
- return ret;
- }
- #endif /* defined(HAVE_SECURITY_SECTRUSTSETTINGS_H) */
- #else
- /* Potential system CA certs directories on Linux/Unix distros. */
- static const char* systemCaDirs[] = {
- #if defined(__ANDROID__) || defined(ANDROID)
- "/system/etc/security/cacerts" /* Android */
- #else
- "/etc/ssl/certs", /* Debian, Ubuntu, Gentoo, others */
- "/etc/pki/ca-trust/source/anchors", /* Fedora, RHEL */
- "/etc/pki/tls/certs" /* Older RHEL */
- #endif
- };
- /* Get CA directory list.
- *
- * @param [out] num Number of CA directories.
- * @return CA directory list.
- * @return NULL when num is NULL.
- */
- const char** wolfSSL_get_system_CA_dirs(word32* num)
- {
- const char** ret;
- /* Validate parameters. */
- if (num == NULL) {
- ret = NULL;
- }
- else {
- ret = systemCaDirs;
- *num = sizeof(systemCaDirs)/sizeof(*systemCaDirs);
- }
- return ret;
- }
- /* Load CA certificate from default system directories.
- *
- * Assumes loaded is 0.
- *
- * @param [in, out] ctx SSL context object.
- * @param [out] loaded Whether CA certificates were loaded.
- * @return 1 on success.
- * @return 0 on failure.
- */
- static int LoadSystemCaCertsNix(WOLFSSL_CTX* ctx, byte* loaded) {
- int ret = 1;
- word32 i;
- if ((ctx == NULL) || (loaded == NULL)) {
- ret = 0;
- }
- for (i = 0; (ret == 1) && (i < sizeof(systemCaDirs)/sizeof(*systemCaDirs));
- ++i) {
- WOLFSSL_MSG_EX("Attempting to load system CA certs from %s.",
- systemCaDirs[i]);
- /*
- * We want to keep trying to load more CA certs even if one cert in
- * the directory is bad and can't be used (e.g. if one is expired),
- * so we use WOLFSSL_LOAD_FLAG_IGNORE_ERR.
- */
- if (wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, systemCaDirs[i],
- WOLFSSL_LOAD_FLAG_IGNORE_ERR) != 1) {
- WOLFSSL_MSG_EX("Failed to load CA certs from %s, trying "
- "next possible location.", systemCaDirs[i]);
- }
- else {
- WOLFSSL_MSG_EX("Loaded CA certs from %s.",
- systemCaDirs[i]);
- *loaded = 1;
- /* Stop searching after we've loaded one directory. */
- break;
- }
- }
- return ret;
- }
- #endif
- /* Load CA certificates from system defined locations.
- *
- * @param [in, out] ctx SSL context object.
- * @return 1 on success.
- * @return 0 on failure.
- * @return WOLFSSL_BAD_PATH when no error but no certificates loaded.
- */
- int wolfSSL_CTX_load_system_CA_certs(WOLFSSL_CTX* ctx)
- {
- int ret;
- byte loaded = 0;
- WOLFSSL_ENTER("wolfSSL_CTX_load_system_CA_certs");
- #ifdef USE_WINDOWS_API
- ret = LoadSystemCaCertsWindows(ctx, &loaded);
- #elif defined(__APPLE__)
- #if defined(HAVE_SECURITY_SECTRUSTSETTINGS_H) \
- && !defined(WOLFSSL_APPLE_NATIVE_CERT_VALIDATION)
- /* As of MacOS 14.0 we are still able to access system certificates and
- * load them manually into wolfSSL "the old way". Accessibility of this API
- * is indicated by the presence of the Security/SecTrustSettings.h header */
- ret = LoadSystemCaCertsMac(ctx, &loaded);
- #elif defined(WOLFSSL_APPLE_NATIVE_CERT_VALIDATION)
- /* For other Apple devices, Apple has removed the ability to obtain
- * certificates from the trust store, so we can't use wolfSSL's built-in
- * certificate validation mechanisms anymore. We instead must call into the
- * Security Framework APIs to authenticate peer certificates when received.
- * (see src/internal.c:DoAppleNativeCertValidation()).
- * Thus, there is no CA "loading" required, but to keep behavior consistent
- * with the current API (not using system CA certs unless this function has
- * been called), we simply set a flag indicating that the new apple trust
- * verification routine should be used later */
- ctx->doAppleNativeCertValidationFlag = 1;
- ret = 1;
- loaded = 1;
- #if FIPS_VERSION_GE(2,0) /* Gate back to cert 3389 FIPS modules */
- #warning "Cryptographic operations may occur outside the FIPS module boundary" \
- "Please review FIPS claims for cryptography on this Apple device"
- #endif /* FIPS_VERSION_GE(2,0) */
- #else
- /* HAVE_SECURITY_SECXXX_H macros are set by autotools or CMake when searching
- * system for the required SDK headers. If building with user_settings.h, you
- * will need to manually define WOLFSSL_APPLE_NATIVE_CERT_VALIDATION
- * and ensure the appropriate Security.framework headers and libraries are
- * visible to your compiler */
- #error "WOLFSSL_SYS_CA_CERTS on Apple devices requires Security.framework" \
- " header files to be detected, or a manual override with" \
- " WOLFSSL_APPLE_NATIVE_CERT_VALIDATION"
- #endif
- #else
- ret = LoadSystemCaCertsNix(ctx, &loaded);
- #endif
- /* If we didn't fail but didn't load then we error out. */
- if ((ret == 1) && (!loaded)) {
- ret = WOLFSSL_BAD_PATH;
- }
- WOLFSSL_LEAVE("wolfSSL_CTX_load_system_CA_certs", ret);
- return ret;
- }
- #endif /* WOLFSSL_SYS_CA_CERTS */
- #ifdef WOLFSSL_TRUST_PEER_CERT
- /* Load a trusted peer certificate into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] file Name of peer certificate file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 when ctx or file is NULL.
- */
- int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_cert");
- /* Validate parameters. */
- if ((ctx == NULL) || (file == NULL)) {
- ret = 0;
- }
- else {
- ret = ProcessFile(ctx, file, format, TRUSTED_PEER_TYPE, NULL, 0, NULL,
- GET_VERIFY_SETTING_CTX(ctx));
- }
- return ret;
- }
- /* Load a trusted peer certificate into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] file Name of peer certificate file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 when ssl or file is NULL.
- */
- int wolfSSL_trust_peer_cert(WOLFSSL* ssl, const char* file, int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_trust_peer_cert");
- /* Validate parameters. */
- if ((ssl == NULL) || (file == NULL)) {
- ret = 0;
- }
- else {
- ret = ProcessFile(NULL, file, format, TRUSTED_PEER_TYPE, ssl, 0, NULL,
- GET_VERIFY_SETTING_SSL(ssl));
- }
- return ret;
- }
- #endif /* WOLFSSL_TRUST_PEER_CERT */
- #ifdef WOLFSSL_DER_LOAD
- /* Load a CA certificate into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] file Name of peer certificate file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
- int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_der_load_verify_locations");
- /* Validate parameters. */
- if ((ctx == NULL) || (file == NULL)) {
- ret = 0;
- }
- else {
- ret = ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL,
- GET_VERIFY_SETTING_CTX(ctx));
- }
- /* Return 1 on success or 0 on failure. */
- return WS_RC(ret);
- }
- #endif /* WOLFSSL_DER_LOAD */
- /* Load a user certificate into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] file Name of user certificate file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- */
- WOLFSSL_ABI
- int wolfSSL_CTX_use_certificate_file(WOLFSSL_CTX* ctx, const char* file,
- int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_file");
- ret = ProcessFile(ctx, file, format, CERT_TYPE, NULL, 0, NULL,
- GET_VERIFY_SETTING_CTX(ctx));
- /* Return 1 on success or 0 on failure. */
- return WS_RC(ret);
- }
- /* Load a private key into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] file Name of private key file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- */
- WOLFSSL_ABI
- int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX* ctx, const char* file,
- int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_file");
- ret = ProcessFile(ctx, file, format, PRIVATEKEY_TYPE, NULL, 0, NULL,
- GET_VERIFY_SETTING_CTX(ctx));
- /* Return 1 on success or 0 on failure. */
- return WS_RC(ret);
- }
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- /* Load an alternative private key into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] file Name of private key file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_use_AltPrivateKey_file(WOLFSSL_CTX* ctx, const char* file,
- int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_use_AltPrivateKey_file");
- ret = ProcessFile(ctx, file, format, ALT_PRIVATEKEY_TYPE, NULL, 0, NULL,
- GET_VERIFY_SETTING_CTX(ctx));
- /* Return 1 on success or 0 on failure. */
- return WS_RC(ret);
- }
- #endif /* WOLFSSL_DUAL_ALG_CERTS */
- /* Load a PEM certificate chain into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] file Name of PEM certificate chain file.
- * @return 1 on success.
- * @return 0 on failure.
- */
- WOLFSSL_ABI
- int wolfSSL_CTX_use_certificate_chain_file(WOLFSSL_CTX* ctx, const char* file)
- {
- int ret;
- /* process up to MAX_CHAIN_DEPTH plus subject cert */
- WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_file");
- ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CERT_TYPE, NULL, 1, NULL,
- GET_VERIFY_SETTING_CTX(ctx));
- /* Return 1 on success or 0 on failure. */
- return WS_RC(ret);
- }
- /* Load certificate chain into SSL context.
- *
- * Processes up to MAX_CHAIN_DEPTH plus subject cert.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] file Name of private key file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_use_certificate_chain_file_format(WOLFSSL_CTX* ctx,
- const char* file, int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_file_format");
- ret = ProcessFile(ctx, file, format, CERT_TYPE, NULL, 1, NULL,
- GET_VERIFY_SETTING_CTX(ctx));
- /* Return 1 on success or 0 on failure. */
- return WS_RC(ret);
- }
- #endif /* NO_FILESYSTEM */
- #ifdef OPENSSL_EXTRA
- /* Load a private key into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] pkey EVP private key.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_use_PrivateKey(WOLFSSL* ssl, WOLFSSL_EVP_PKEY* pkey)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_PrivateKey");
- /* Validate parameters. */
- if ((ssl == NULL) || (pkey == NULL)) {
- ret = 0;
- }
- else {
- /* Get DER encoded key data from EVP private key. */
- ret = wolfSSL_use_PrivateKey_buffer(ssl, (unsigned char*)pkey->pkey.ptr,
- pkey->pkey_sz, WOLFSSL_FILETYPE_ASN1);
- }
- return ret;
- }
- /* Load a DER encoded private key in a buffer into SSL.
- *
- * @param [in] pri Indicates type of private key. Ignored.
- * @param [in, out] ssl SSL object.
- * @param [in] der Buffer holding DER encoded private key.
- * @param [in] derSz Size of data in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_use_PrivateKey_ASN1(int pri, WOLFSSL* ssl, const unsigned char* der,
- long derSz)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_PrivateKey_ASN1");
- (void)pri;
- /* Validate parameters. */
- if ((ssl == NULL) || (der == NULL)) {
- ret = 0;
- }
- else {
- ret = wolfSSL_use_PrivateKey_buffer(ssl, der, derSz,
- WOLFSSL_FILETYPE_ASN1);
- }
- return ret;
- }
- /* Load a DER encoded private key in a buffer into SSL context.
- *
- * @param [in] pri Indicates type of private key. Ignored.
- * @param [in, out] ctx SSL context object.
- * @param [in] der Buffer holding DER encoded private key.
- * @param [in] derSz Size of data in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_use_PrivateKey_ASN1(int pri, WOLFSSL_CTX* ctx,
- unsigned char* der, long derSz)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_ASN1");
- (void)pri;
- /* Validate parameters. */
- if ((ctx == NULL) || (der == NULL)) {
- ret = 0;
- }
- else {
- ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSz,
- WOLFSSL_FILETYPE_ASN1);
- }
- return ret;
- }
- #ifndef NO_RSA
- /* Load a DER encoded RSA private key in a buffer into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] der Buffer holding DER encoded RSA private key.
- * @param [in] derSz Size of data in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_use_RSAPrivateKey_ASN1(WOLFSSL* ssl, unsigned char* der, long derSz)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_RSAPrivateKey_ASN1");
- /* Validate parameters. */
- if ((ssl == NULL) || (der == NULL)) {
- ret = 0;
- }
- else {
- ret = wolfSSL_use_PrivateKey_buffer(ssl, der, derSz,
- WOLFSSL_FILETYPE_ASN1);
- }
- return ret;
- }
- #endif
- /* Load a certificate into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] x509 X509 certificate object.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_use_certificate(WOLFSSL* ssl, WOLFSSL_X509* x509)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_certificate");
- /* Validate parameters. */
- if ((ssl == NULL) || (x509 == NULL) || (x509->derCert == NULL)) {
- ret = 0;
- }
- else {
- long idx = 0;
- /* Get DER encoded certificate data from X509 object. */
- ret = ProcessBuffer(NULL, x509->derCert->buffer, x509->derCert->length,
- WOLFSSL_FILETYPE_ASN1, CERT_TYPE, ssl, &idx, 0,
- GET_VERIFY_SETTING_SSL(ssl));
- }
- /* Return 1 on success or 0 on failure. */
- return WS_RC(ret);
- }
- #endif /* OPENSSL_EXTRA */
- /* Load a DER encoded certificate in a buffer into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] der Buffer holding DER encoded certificate.
- * @param [in] derSz Size of data in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_use_certificate_ASN1(WOLFSSL* ssl, const unsigned char* der,
- int derSz)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_certificate_ASN1");
- /* Validate parameters. */
- if ((ssl == NULL) || (der == NULL)) {
- ret = 0;
- }
- else {
- long idx = 0;
- ret = ProcessBuffer(NULL, der, derSz, WOLFSSL_FILETYPE_ASN1, CERT_TYPE,
- ssl, &idx, 0, GET_VERIFY_SETTING_SSL(ssl));
- }
- /* Return 1 on success or 0 on failure. */
- return WS_RC(ret);
- }
- #ifndef NO_FILESYSTEM
- /* Load a certificate from a file into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] file Name of file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ssl is NULL.
- */
- WOLFSSL_ABI
- int wolfSSL_use_certificate_file(WOLFSSL* ssl, const char* file, int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_certificate_file");
- /* Validate parameters. */
- if (ssl == NULL) {
- ret = BAD_FUNC_ARG;
- }
- else {
- ret = ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 0, NULL,
- GET_VERIFY_SETTING_SSL(ssl));
- /* Return 1 on success or 0 on failure. */
- ret = WS_RC(ret);
- }
- return ret;
- }
- /* Load a private key from a file into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] file Name of file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ssl is NULL.
- */
- WOLFSSL_ABI
- int wolfSSL_use_PrivateKey_file(WOLFSSL* ssl, const char* file, int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_PrivateKey_file");
- /* Validate parameters. */
- if (ssl == NULL) {
- ret = BAD_FUNC_ARG;
- }
- else {
- ret = ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0, NULL,
- GET_VERIFY_SETTING_SSL(ssl));
- /* Return 1 on success or 0 on failure. */
- ret = WS_RC(ret);
- }
- return ret;
- }
- /* Load a PEM encoded certificate chain from a file into SSL.
- *
- * Process up to MAX_CHAIN_DEPTH plus subject cert.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] file Name of file.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ssl is NULL.
- */
- WOLFSSL_ABI
- int wolfSSL_use_certificate_chain_file(WOLFSSL* ssl, const char* file)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_certificate_chain_file");
- /* Validate parameters. */
- if (ssl == NULL) {
- ret = BAD_FUNC_ARG;
- }
- else {
- ret = ProcessFile(ssl->ctx, file, WOLFSSL_FILETYPE_PEM, CERT_TYPE, ssl,
- 1, NULL, GET_VERIFY_SETTING_SSL(ssl));
- /* Return 1 on success or 0 on failure. */
- ret = WS_RC(ret);
- }
- return ret;
- }
- /* Load a certificate chain from a file into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] file Name of file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ssl is NULL.
- */
- int wolfSSL_use_certificate_chain_file_format(WOLFSSL* ssl, const char* file,
- int format)
- {
- int ret;
- /* process up to MAX_CHAIN_DEPTH plus subject cert */
- WOLFSSL_ENTER("wolfSSL_use_certificate_chain_file_format");
- /* Validate parameters. */
- if (ssl == NULL) {
- ret = BAD_FUNC_ARG;
- }
- else {
- ret = ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 1, NULL,
- GET_VERIFY_SETTING_SSL(ssl));
- /* Return 1 on success or 0 on failure. */
- ret = WS_RC(ret);
- }
- return ret;
- }
- #endif /* !NO_FILESYSTEM */
- #ifdef OPENSSL_EXTRA
- #ifndef NO_FILESYSTEM
- /* Load an RSA private key from a file into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] file Name of file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_use_RSAPrivateKey_file(WOLFSSL_CTX* ctx,const char* file,
- int format)
- {
- WOLFSSL_ENTER("wolfSSL_CTX_use_RSAPrivateKey_file");
- return wolfSSL_CTX_use_PrivateKey_file(ctx, file, format);
- }
- /* Load an RSA private key from a file into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] file Name of file.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ssl is NULL.
- */
- int wolfSSL_use_RSAPrivateKey_file(WOLFSSL* ssl, const char* file, int format)
- {
- WOLFSSL_ENTER("wolfSSL_use_RSAPrivateKey_file");
- return wolfSSL_use_PrivateKey_file(ssl, file, format);
- }
- #endif /* NO_FILESYSTEM */
- #endif /* OPENSSL_EXTRA */
- /* Load a buffer of certificate/s into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] in Buffer holding certificate or private key.
- * @param [in] sz Length of data in buffer in bytes.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @param [in] userChain Whether file contains chain of certificates.
- * @param [in] flags Flags representing options for loading.
- * @return 1 on success.
- * @return 0 on failure.
- * @return Negative on error.
- */
- int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in,
- long sz, int format, int userChain, word32 flags)
- {
- int ret;
- int verify;
- WOLFSSL_ENTER("wolfSSL_CTX_load_verify_buffer_ex");
- /* Get setting on how to verify certificates. */
- verify = GET_VERIFY_SETTING_CTX(ctx);
- /* Overwrite setting when flag set. */
- if (flags & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) {
- verify = VERIFY_SKIP_DATE;
- }
- /* When PEM, treat as certificate chain of CA certificates. */
- if (format == WOLFSSL_FILETYPE_PEM) {
- ret = ProcessChainBuffer(ctx, NULL, in, sz, CA_TYPE, verify);
- }
- /* When DER, load the CA certificate. */
- else {
- ret = ProcessBuffer(ctx, in, sz, format, CA_TYPE, NULL, NULL,
- userChain, verify);
- }
- #if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
- if (ret == 1) {
- /* Load certificate/s as trusted peer certificate. */
- ret = wolfSSL_CTX_trust_peer_buffer(ctx, in, sz, format);
- }
- #endif
- WOLFSSL_LEAVE("wolfSSL_CTX_load_verify_buffer_ex", ret);
- return ret;
- }
- /* Load a buffer of certificate/s into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] in Buffer holding certificate or private key.
- * @param [in] sz Length of data in buffer in bytes.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return Negative on error.
- */
- int wolfSSL_CTX_load_verify_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
- long sz, int format)
- {
- return wolfSSL_CTX_load_verify_buffer_ex(ctx, in, sz, format, 0,
- WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS);
- }
- /* Load a buffer of certificate chain into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] in Buffer holding certificate chain.
- * @param [in] sz Length of data in buffer in bytes.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return Negative on error.
- */
- int wolfSSL_CTX_load_verify_chain_buffer_format(WOLFSSL_CTX* ctx,
- const unsigned char* in, long sz, int format)
- {
- return wolfSSL_CTX_load_verify_buffer_ex(ctx, in, sz, format, 1,
- WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS);
- }
- #ifdef WOLFSSL_TRUST_PEER_CERT
- /* Load a buffer of certificate/s into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] in Buffer holding certificate/s.
- * @param [in] sz Length of data in buffer in bytes.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ctx or in is NULL, or sz is less than zero.
- */
- int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
- long sz, int format)
- {
- int ret;
- int verify;
- WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_buffer");
- /* Validate parameters. */
- if ((ctx == NULL) || (in == NULL) || (sz < 0)) {
- ret = BAD_FUNC_ARG;
- }
- else {
- #if WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY
- verify = VERIFY_SKIP_DATE;
- #else
- verify = GET_VERIFY_SETTING_CTX(ctx);
- #endif
- /* When PEM, treat as certificate chain of trusted peer certificates. */
- if (format == WOLFSSL_FILETYPE_PEM) {
- ret = ProcessChainBuffer(ctx, NULL, in, sz, TRUSTED_PEER_TYPE,
- verify);
- }
- /* When DER, load the trusted peer certificate. */
- else {
- ret = ProcessBuffer(ctx, in, sz, format, TRUSTED_PEER_TYPE, NULL,
- NULL, 0, verify);
- }
- }
- return ret;
- }
- #endif /* WOLFSSL_TRUST_PEER_CERT */
- /* Load a certificate in a buffer into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] in Buffer holding certificate.
- * @param [in] sz Size of data in bytes.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return Negative on error.
- */
- int wolfSSL_CTX_use_certificate_buffer(WOLFSSL_CTX* ctx,
- const unsigned char* in, long sz, int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_buffer");
- ret = ProcessBuffer(ctx, in, sz, format, CERT_TYPE, NULL, NULL, 0,
- GET_VERIFY_SETTING_CTX(ctx));
- WOLFSSL_LEAVE("wolfSSL_CTX_use_certificate_buffer", ret);
- return ret;
- }
- /* Load a private key in a buffer into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] in Buffer holding private key.
- * @param [in] sz Size of data in bytes.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return Negative on error.
- */
- int wolfSSL_CTX_use_PrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* in,
- long sz, int format)
- {
- int ret;
- long consumed = 0;
- WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_buffer");
- ret = ProcessBuffer(ctx, in, sz, format, PRIVATEKEY_TYPE, NULL, &consumed,
- 0, GET_VERIFY_SETTING_CTX(ctx));
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- if ((ret == 1) && (consumed < sz)) {
- /* When support for dual algorithm certificates is enabled, the
- * buffer may contain both the primary and the alternative
- * private key. Hence, we have to parse both of them.
- */
- ret = ProcessBuffer(ctx, in + consumed, sz - consumed, format,
- ALT_PRIVATEKEY_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx));
- }
- #endif
- (void)consumed;
- WOLFSSL_LEAVE("wolfSSL_CTX_use_PrivateKey_buffer", ret);
- return ret;
- }
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- int wolfSSL_CTX_use_AltPrivateKey_buffer(WOLFSSL_CTX* ctx,
- const unsigned char* in, long sz, int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_use_AltPrivateKey_buffer");
- ret = ProcessBuffer(ctx, in, sz, format, ALT_PRIVATEKEY_TYPE, NULL,
- NULL, 0, GET_VERIFY_SETTING_CTX(ctx));
- WOLFSSL_LEAVE("wolfSSL_CTX_use_AltPrivateKey_buffer", ret);
- return ret;
- }
- #endif /* WOLFSSL_DUAL_ALG_CERTS */
- #ifdef WOLF_PRIVATE_KEY_ID
- /* Load the id of a private key into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] id Buffer holding id.
- * @param [in] sz Size of data in bytes.
- * @param [in] devId Device identifier.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id,
- long sz, int devId)
- {
- int ret = 1;
- /* Dispose of old private key and allocate and copy in id. */
- FreeDer(&ctx->privateKey);
- if (AllocCopyDer(&ctx->privateKey, id, (word32)sz, PRIVATEKEY_TYPE,
- ctx->heap) != 0) {
- ret = 0;
- }
- if (ret == 1) {
- /* Private key is an id. */
- ctx->privateKeyId = 1;
- ctx->privateKeyLabel = 0;
- /* Set private key device id to be one passed in or for SSL context. */
- if (devId != INVALID_DEVID) {
- ctx->privateKeyDevId = devId;
- }
- else {
- ctx->privateKeyDevId = ctx->devId;
- }
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- /* Set the ID for the alternative key, too. User can still override that
- * afterwards. */
- ret = wolfSSL_CTX_use_AltPrivateKey_id(ctx, id, sz, devId, keySz);
- #endif
- }
- return ret;
- }
- /* Load the id of a private key into SSL context and set key size.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] id Buffer holding id.
- * @param [in] sz Size of data in bytes.
- * @param [in] devId Device identifier.
- * @param [in] keySz Size of key.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_use_PrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id,
- long sz, int devId, long keySz)
- {
- int ret = wolfSSL_CTX_use_PrivateKey_Id(ctx, id, sz, devId);
- if (ret == 1) {
- /* Set the key size which normally is calculated during decoding. */
- ctx->privateKeySz = (word32)keySz;
- }
- return ret;
- }
- /* Load the label name of a private key into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] label Buffer holding label.
- * @param [in] devId Device identifier.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_use_PrivateKey_Label(WOLFSSL_CTX* ctx, const char* label,
- int devId)
- {
- int ret = 1;
- word32 sz = (word32)XSTRLEN(label) + 1;
- /* Dispose of old private key and allocate and copy in label. */
- FreeDer(&ctx->privateKey);
- if (AllocCopyDer(&ctx->privateKey, (const byte*)label, (word32)sz,
- PRIVATEKEY_TYPE, ctx->heap) != 0) {
- ret = 0;
- }
- if (ret == 1) {
- /* Private key is a label. */
- ctx->privateKeyId = 0;
- ctx->privateKeyLabel = 1;
- /* Set private key device id to be one passed in or for SSL context. */
- if (devId != INVALID_DEVID) {
- ctx->privateKeyDevId = devId;
- }
- else {
- ctx->privateKeyDevId = ctx->devId;
- }
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- /* Set the ID for the alternative key, too. User can still override that
- * afterwards. */
- ret = wolfSSL_CTX_use_AltPrivateKey_Label(ctx, label, devId);
- #endif
- }
- return ret;
- }
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- int wolfSSL_CTX_use_AltPrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id,
- long sz, int devId)
- {
- int ret = 1;
- if ((ctx == NULL) || (id == NULL)) {
- ret = 0;
- }
- if (ret == 1) {
- FreeDer(&ctx->altPrivateKey);
- if (AllocDer(&ctx->altPrivateKey, (word32)sz, ALT_PRIVATEKEY_TYPE,
- ctx->heap) != 0) {
- ret = 0;
- }
- }
- if (ret == 1) {
- XMEMCPY(ctx->altPrivateKey->buffer, id, sz);
- ctx->altPrivateKeyId = 1;
- if (devId != INVALID_DEVID) {
- ctx->altPrivateKeyDevId = devId;
- }
- else {
- ctx->altPrivateKeyDevId = ctx->devId;
- }
- }
- return ret;
- }
- int wolfSSL_CTX_use_AltPrivateKey_id(WOLFSSL_CTX* ctx, const unsigned char* id,
- long sz, int devId, long keySz)
- {
- int ret = wolfSSL_CTX_use_AltPrivateKey_Id(ctx, id, sz, devId);
- if (ret == 1) {
- ctx->altPrivateKeySz = (word32)keySz;
- }
- return ret;
- }
- int wolfSSL_CTX_use_AltPrivateKey_Label(WOLFSSL_CTX* ctx, const char* label,
- int devId)
- {
- int ret = 1;
- word32 sz;
- if ((ctx == NULL) || (label == NULL)) {
- ret = 0;
- }
- if (ret == 1) {
- sz = (word32)XSTRLEN(label) + 1;
- FreeDer(&ctx->altPrivateKey);
- if (AllocDer(&ctx->altPrivateKey, (word32)sz, ALT_PRIVATEKEY_TYPE,
- ctx->heap) != 0) {
- ret = 0;
- }
- }
- if (ret == 1) {
- XMEMCPY(ctx->altPrivateKey->buffer, label, sz);
- ctx->altPrivateKeyLabel = 1;
- if (devId != INVALID_DEVID) {
- ctx->altPrivateKeyDevId = devId;
- }
- else {
- ctx->altPrivateKeyDevId = ctx->devId;
- }
- }
- return ret;
- }
- #endif /* WOLFSSL_DUAL_ALG_CERTS */
- #endif /* WOLF_PRIVATE_KEY_ID */
- /* Load a certificate chain in a buffer into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] in Buffer holding DER encoded certificate chain.
- * @param [in] sz Size of data in bytes.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return Negative on error.
- */
- int wolfSSL_CTX_use_certificate_chain_buffer_format(WOLFSSL_CTX* ctx,
- const unsigned char* in, long sz, int format)
- {
- WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_buffer_format");
- return ProcessBuffer(ctx, in, sz, format, CERT_TYPE, NULL, NULL, 1,
- GET_VERIFY_SETTING_CTX(ctx));
- }
- /* Load a PEM encoded certificate chain in a buffer into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] in Buffer holding DER encoded certificate chain.
- * @param [in] sz Size of data in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- * @return Negative on error.
- */
- int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX* ctx,
- const unsigned char* in, long sz)
- {
- return wolfSSL_CTX_use_certificate_chain_buffer_format(ctx, in, sz,
- WOLFSSL_FILETYPE_PEM);
- }
- /* Load a user certificate in a buffer into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] in Buffer holding user certificate.
- * @param [in] sz Size of data in bytes.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ssl is NULL.
- */
- int wolfSSL_use_certificate_buffer(WOLFSSL* ssl, const unsigned char* in,
- long sz, int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_certificate_buffer");
- /* Validate parameters. */
- if (ssl == NULL) {
- ret = BAD_FUNC_ARG;
- }
- else {
- ret = ProcessBuffer(ssl->ctx, in, sz, format, CERT_TYPE, ssl, NULL, 0,
- GET_VERIFY_SETTING_SSL(ssl));
- }
- return ret;
- }
- /* Load a private key in a buffer into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] in Buffer holding private key.
- * @param [in] sz Size of data in bytes.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ssl is NULL.
- */
- int wolfSSL_use_PrivateKey_buffer(WOLFSSL* ssl, const unsigned char* in,
- long sz, int format)
- {
- int ret;
- long consumed = 0;
- WOLFSSL_ENTER("wolfSSL_use_PrivateKey_buffer");
- /* Validate parameters. */
- if (ssl == NULL) {
- ret = BAD_FUNC_ARG;
- }
- else {
- ret = ProcessBuffer(ssl->ctx, in, sz, format, PRIVATEKEY_TYPE, ssl,
- &consumed, 0, GET_VERIFY_SETTING_SSL(ssl));
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- if ((ret == 1) && (consumed < sz)) {
- /* When support for dual algorithm certificates is enabled, the
- * buffer may contain both the primary and the alternative
- * private key. Hence, we have to parse both of them.
- */
- ret = ProcessBuffer(ssl->ctx, in + consumed, sz - consumed, format,
- ALT_PRIVATEKEY_TYPE, ssl, NULL, 0, GET_VERIFY_SETTING_SSL(ssl));
- }
- #endif
- }
- return ret;
- }
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- int wolfSSL_use_AltPrivateKey_buffer(WOLFSSL* ssl, const unsigned char* in,
- long sz, int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_AltPrivateKey_buffer");
- ret = ProcessBuffer(ssl->ctx, in, sz, format, ALT_PRIVATEKEY_TYPE, ssl,
- NULL, 0, GET_VERIFY_SETTING_SSL(ssl));
- WOLFSSL_LEAVE("wolfSSL_use_AltPrivateKey_buffer", ret);
- return ret;
- }
- #endif /* WOLFSSL_DUAL_ALG_CERTS */
- #ifdef WOLF_PRIVATE_KEY_ID
- /* Load the id of a private key into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] id Buffer holding id.
- * @param [in] sz Size of data in bytes.
- * @param [in] devId Device identifier.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_use_PrivateKey_Id(WOLFSSL* ssl, const unsigned char* id,
- long sz, int devId)
- {
- int ret = 1;
- /* Dispose of old private key if owned and allocate and copy in id. */
- if (ssl->buffers.weOwnKey) {
- FreeDer(&ssl->buffers.key);
- }
- if (AllocCopyDer(&ssl->buffers.key, id, (word32)sz, PRIVATEKEY_TYPE,
- ssl->heap) != 0) {
- ret = 0;
- }
- if (ret == 1) {
- /* Buffer now ours. */
- ssl->buffers.weOwnKey = 1;
- /* Private key is an id. */
- ssl->buffers.keyId = 1;
- ssl->buffers.keyLabel = 0;
- /* Set private key device id to be one passed in or for SSL. */
- if (devId != INVALID_DEVID) {
- ssl->buffers.keyDevId = devId;
- }
- else {
- ssl->buffers.keyDevId = ssl->devId;
- }
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- /* Set the ID for the alternative key, too. User can still override that
- * afterwards. */
- ret = wolfSSL_use_AltPrivateKey_Id(ssl, id, sz, devId);
- #endif
- }
- return ret;
- }
- /* Load the id of a private key into SSL and set key size.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] id Buffer holding id.
- * @param [in] sz Size of data in bytes.
- * @param [in] devId Device identifier.
- * @param [in] keySz Size of key.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id,
- long sz, int devId, long keySz)
- {
- int ret = wolfSSL_use_PrivateKey_Id(ssl, id, sz, devId);
- if (ret == 1) {
- /* Set the key size which normally is calculated during decoding. */
- ssl->buffers.keySz = (word32)keySz;
- }
- return ret;
- }
- /* Load the label name of a private key into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] label Buffer holding label.
- * @param [in] devId Device identifier.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_use_PrivateKey_Label(WOLFSSL* ssl, const char* label, int devId)
- {
- int ret = 1;
- word32 sz = (word32)XSTRLEN(label) + 1;
- /* Dispose of old private key if owned and allocate and copy in label. */
- if (ssl->buffers.weOwnKey) {
- FreeDer(&ssl->buffers.key);
- }
- if (AllocCopyDer(&ssl->buffers.key, (const byte*)label, (word32)sz,
- PRIVATEKEY_TYPE, ssl->heap) != 0) {
- ret = 0;
- }
- if (ret == 1) {
- /* Buffer now ours. */
- ssl->buffers.weOwnKey = 1;
- /* Private key is a label. */
- ssl->buffers.keyId = 0;
- ssl->buffers.keyLabel = 1;
- /* Set private key device id to be one passed in or for SSL. */
- if (devId != INVALID_DEVID) {
- ssl->buffers.keyDevId = devId;
- }
- else {
- ssl->buffers.keyDevId = ssl->devId;
- }
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- /* Set the label for the alternative key, too. User can still override
- * that afterwards. */
- ret = wolfSSL_use_AltPrivateKey_Label(ssl, label, devId);
- #endif
- }
- return ret;
- }
- #ifdef WOLFSSL_DUAL_ALG_CERTS
- int wolfSSL_use_AltPrivateKey_Id(WOLFSSL* ssl, const unsigned char* id, long sz,
- int devId)
- {
- int ret = 1;
- if ((ssl == NULL) || (id == NULL)) {
- ret = 0;
- }
- if (ret == 1) {
- if (ssl->buffers.weOwnAltKey) {
- FreeDer(&ssl->buffers.altKey);
- }
- if (AllocDer(&ssl->buffers.altKey, (word32)sz, ALT_PRIVATEKEY_TYPE,
- ssl->heap) == 0) {
- ret = 0;
- }
- }
- if (ret == 1) {
- XMEMCPY(ssl->buffers.altKey->buffer, id, sz);
- ssl->buffers.weOwnAltKey = 1;
- ssl->buffers.altKeyId = 1;
- if (devId != INVALID_DEVID) {
- ssl->buffers.altKeyDevId = devId;
- }
- else {
- ssl->buffers.altKeyDevId = ssl->devId;
- }
- }
- return ret;
- }
- int wolfSSL_use_AltPrivateKey_id(WOLFSSL* ssl, const unsigned char* id, long sz,
- int devId, long keySz)
- {
- int ret = wolfSSL_use_AltPrivateKey_Id(ssl, id, sz, devId);
- if (ret == 1) {
- ssl->buffers.altKeySz = (word32)keySz;
- }
- return ret;
- }
- int wolfSSL_use_AltPrivateKey_Label(WOLFSSL* ssl, const char* label, int devId)
- {
- int ret = 1;
- word32 sz;
- if ((ssl == NULL) || (label == NULL)) {
- ret = 0;
- }
- if (ret == 1) {
- sz = (word32)XSTRLEN(label) + 1;
- if (ssl->buffers.weOwnAltKey)
- FreeDer(&ssl->buffers.altKey);
- if (AllocDer(&ssl->buffers.altKey, (word32)sz, ALT_PRIVATEKEY_TYPE,
- ssl->heap) == 0) {
- ret = 0;
- }
- }
- if (ret == 1) {
- XMEMCPY(ssl->buffers.altKey->buffer, label, sz);
- ssl->buffers.weOwnAltKey = 1;
- ssl->buffers.altKeyLabel = 1;
- if (devId != INVALID_DEVID) {
- ssl->buffers.altKeyDevId = devId;
- }
- else {
- ssl->buffers.altKeyDevId = ssl->devId;
- }
- }
- return ret;
- }
- #endif /* WOLFSSL_DUAL_ALG_CERTS */
- #endif /* WOLF_PRIVATE_KEY_ID */
- /* Load a certificate chain in a buffer into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] in Buffer holding DER encoded certificate chain.
- * @param [in] sz Size of data in bytes.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ssl is NULL.
- */
- int wolfSSL_use_certificate_chain_buffer_format(WOLFSSL* ssl,
- const unsigned char* in, long sz, int format)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_use_certificate_chain_buffer_format");
- /* Validate parameters. */
- if (ssl == NULL) {
- ret = BAD_FUNC_ARG;
- }
- else {
- ret = ProcessBuffer(ssl->ctx, in, sz, format, CERT_TYPE, ssl, NULL, 1,
- GET_VERIFY_SETTING_SSL(ssl));
- }
- return ret;
- }
- /* Load a PEM encoded certificate chain in a buffer into SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] in Buffer holding DER encoded certificate chain.
- * @param [in] sz Size of data in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- * @return Negative on error.
- */
- int wolfSSL_use_certificate_chain_buffer(WOLFSSL* ssl, const unsigned char* in,
- long sz)
- {
- return wolfSSL_use_certificate_chain_buffer_format(ssl, in, sz,
- WOLFSSL_FILETYPE_PEM);
- }
- #if defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) || \
- defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) || \
- defined(WOLFSSL_NGINX) || defined(HAVE_POCO_LIB) || \
- defined(WOLFSSL_HAPROXY)
- /* Add certificate to chain.
- *
- * @param [in, out] chain Buffer holding encoded certificate for TLS.
- * @param [in] weOwn Indicates we need to free chain if repleced.
- * @param [in] cert Buffer holding DER encoded certificate.
- * @param [in] certSz Size of DER encoded certificate in bytes.
- * @param [in] heap Dynamic memory allocation hint.
- * @return 1 on success.
- * @return 0 on failure.
- */
- static int wolfssl_add_to_chain(DerBuffer** chain, int weOwn, const byte* cert,
- word32 certSz, void* heap)
- {
- int res = 1;
- int ret;
- DerBuffer* oldChain = *chain;
- DerBuffer* newChain = NULL;
- word32 len = 0;
- if (oldChain != NULL) {
- /* Get length of previous chain. */
- len = oldChain->length;
- }
- /* Allocate DER buffer bug enough to hold old and new certificates. */
- ret = AllocDer(&newChain, len + CERT_HEADER_SZ + certSz, CERT_TYPE, heap);
- if (ret != 0) {
- WOLFSSL_MSG("AllocDer error");
- res = 0;
- }
- if (res == 1) {
- if (oldChain != NULL) {
- /* Place old chain in new buffer. */
- XMEMCPY(newChain->buffer, oldChain->buffer, len);
- }
- /* Append length and DER encoded certificate. */
- c32to24(certSz, newChain->buffer + len);
- XMEMCPY(newChain->buffer + len + CERT_HEADER_SZ, cert, certSz);
- /* Dispose of old chain if we own it. */
- if (weOwn) {
- FreeDer(chain);
- }
- /* Replace chain. */
- *chain = newChain;
- }
- return res;
- }
- #endif
- #ifdef OPENSSL_EXTRA
- /* Add a certificate to end of chain sent in TLS handshake.
- *
- * @param [in, out] ctx SSL context.
- * @param [in] der Buffer holding DER encoded certificate.
- * @param [in] derSz Size of data in buffer.
- * @return 1 on success.
- * @return 0 on failure.
- */
- static int wolfssl_ctx_add_to_chain(WOLFSSL_CTX* ctx, const byte* der,
- int derSz)
- {
- int res = 1;
- int ret;
- DerBuffer* derBuffer = NULL;
- /* Create a DER buffer from DER encoding. */
- ret = AllocCopyDer(&derBuffer, der, derSz, CERT_TYPE, ctx->heap);
- if (ret != 0) {
- WOLFSSL_MSG("Memory Error");
- res = 0;
- }
- if (res == 1) {
- /* Add a user CA certificate to the certificate manager. */
- res = AddCA(ctx->cm, &derBuffer, WOLFSSL_USER_CA,
- GET_VERIFY_SETTING_CTX(ctx));
- if (res != 1) {
- res = 0;
- }
- }
- if (res == 1) {
- /* Add chain to DER buffer. */
- res = wolfssl_add_to_chain(&ctx->certChain, 1, der, derSz, ctx->heap);
- #ifdef WOLFSSL_TLS13
- /* Update count of certificates. */
- ctx->certChainCnt++;
- #endif
- }
- return res;
- }
- /* Add a certificate to chain sent in TLS handshake.
- *
- * @param [in, out] ctx SSL context.
- * @param [in] x509 X509 certificate object.
- * @return 1 on success.
- * @return 0 on failure.
- */
- long wolfSSL_CTX_add_extra_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)
- {
- int ret = 1;
- int derSz = 0;
- const byte* der = NULL;
- WOLFSSL_ENTER("wolfSSL_CTX_add_extra_chain_cert");
- /* Validate parameters. */
- if ((ctx == NULL) || (x509 == NULL)) {
- WOLFSSL_MSG("Bad Argument");
- ret = 0;
- }
- if (ret == 1) {
- /* Get the DER encoding of the certificate from the X509 object. */
- der = wolfSSL_X509_get_der(x509, &derSz);
- /* Validate buffer. */
- if ((der == NULL) || (derSz <= 0)) {
- WOLFSSL_MSG("Error getting X509 DER");
- ret = 0;
- }
- }
- if ((ret == 1) && (ctx->certificate == NULL)) {
- WOLFSSL_ENTER("wolfSSL_use_certificate_chain_buffer_format");
- /* Process buffer makes first certificate the leaf. */
- ret = ProcessBuffer(ctx, der, derSz, WOLFSSL_FILETYPE_ASN1, CERT_TYPE,
- NULL, NULL, 1, GET_VERIFY_SETTING_CTX(ctx));
- if (ret != 1) {
- ret = 0;
- }
- }
- else if (ret == 1) {
- /* Add certificate to existing chain. */
- ret = wolfssl_ctx_add_to_chain(ctx, der, derSz);
- }
- if (ret == 1) {
- /* On success WOLFSSL_X509 memory is responsibility of SSL context. */
- wolfSSL_X509_free(x509);
- }
- WOLFSSL_LEAVE("wolfSSL_CTX_add_extra_chain_cert", ret);
- return ret;
- }
- #endif /* OPENSSL_EXTRA */
- #if defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) || \
- defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(HAVE_STUNNEL) || \
- defined(WOLFSSL_NGINX) || defined(HAVE_POCO_LIB) || \
- defined(WOLFSSL_HAPROXY)
- /* Load a certificate into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] x509 X509 certificate object.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x)
- {
- int res = 1;
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_use_certificate");
- /* Validate parameters. */
- if ((ctx == NULL) || (x == NULL) || (x->derCert == NULL)) {
- WOLFSSL_MSG("Bad parameter");
- res = 0;
- }
- if (res == 1) {
- /* Replace certificate buffer with one holding the new certificate. */
- FreeDer(&ctx->certificate);
- ret = AllocCopyDer(&ctx->certificate, x->derCert->buffer,
- x->derCert->length, CERT_TYPE, ctx->heap);
- if (ret != 0) {
- res = 0;
- }
- }
- #ifdef KEEP_OUR_CERT
- if (res == 1) {
- /* Dispose of our certificate if it is ours. */
- if ((ctx->ourCert != NULL) && ctx->ownOurCert) {
- wolfSSL_X509_free(ctx->ourCert);
- }
- #ifndef WOLFSSL_X509_STORE_CERTS
- /* Keep a reference to the new certificate. */
- ctx->ourCert = x;
- if (wolfSSL_X509_up_ref(x) != 1) {
- res = 0;
- }
- #else
- /* Keep a copy of the new certificate. */
- ctx->ourCert = wolfSSL_X509_d2i_ex(NULL, x->derCert->buffer,
- x->derCert->length, ctx->heap);
- if (ctx->ourCert == NULL) {
- res = 0;
- }
- #endif
- /* Now own our certificate. */
- ctx->ownOurCert = 1;
- }
- #endif
- if (res == 1) {
- /* Set have options based on public key OID. */
- wolfssl_set_have_from_key_oid(ctx, NULL, x->pubKeyOID);
- }
- return res;
- }
- /* Add the certificate to the chain in the SSL context and own the X509 object.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] x509 X509 certificate object.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_add0_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)
- {
- int ret;
- WOLFSSL_ENTER("wolfSSL_CTX_add0_chain_cert");
- /* Add certificate to chain and copy or up reference it. */
- ret = wolfSSL_CTX_add1_chain_cert(ctx, x509);
- if (ret == 1) {
- /* Down reference or free original now as we own certificate. */
- wolfSSL_X509_free(x509);
- }
- return ret;
- }
- /* Add the certificate to the chain in the SSL context.
- *
- * X509 object copied or up referenced.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] x509 X509 certificate object.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_add1_chain_cert(WOLFSSL_CTX* ctx, WOLFSSL_X509* x509)
- {
- int ret = 1;
- WOLFSSL_ENTER("wolfSSL_CTX_add1_chain_cert");
- /* Validate parameters. */
- if ((ctx == NULL) || (x509 == NULL) || (x509->derCert == NULL)) {
- ret = 0;
- }
- /* Check if we already have set a certificate. */
- if ((ret == 1) && (ctx->certificate == NULL)) {
- /* Use the certificate. */
- ret = wolfSSL_CTX_use_certificate(ctx, x509);
- }
- /* Increate reference count as we will store it. */
- else if ((ret == 1) && ((ret = wolfSSL_X509_up_ref(x509)) == 1)) {
- /* Load the DER encoding. */
- ret = wolfSSL_CTX_load_verify_buffer(ctx, x509->derCert->buffer,
- x509->derCert->length, WOLFSSL_FILETYPE_ASN1);
- if (ret == 1) {
- /* Add DER encoding to chain. */
- ret = wolfssl_add_to_chain(&ctx->certChain, 1,
- x509->derCert->buffer, x509->derCert->length, ctx->heap);
- }
- /* Store cert in stack to free it later. */
- if ((ret == 1) && (ctx->x509Chain == NULL)) {
- /* Create a stack for certificates. */
- ctx->x509Chain = wolfSSL_sk_X509_new_null();
- if (ctx->x509Chain == NULL) {
- WOLFSSL_MSG("wolfSSL_sk_X509_new_null error");
- ret = 0;
- }
- }
- if (ret == 1) {
- /* Push the X509 object onto stack. */
- ret = wolfSSL_sk_X509_push(ctx->x509Chain, x509);
- }
- if (ret != 1) {
- /* Decrease reference count on error as we didn't store it. */
- wolfSSL_X509_free(x509);
- }
- }
- return WS_RC(ret);
- }
- #ifdef KEEP_OUR_CERT
- /* Add the certificate to the chain in the SSL and own the X509 object.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] x509 X509 certificate object.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_add0_chain_cert(WOLFSSL* ssl, WOLFSSL_X509* x509)
- {
- int ret = 1;
- WOLFSSL_ENTER("wolfSSL_add0_chain_cert");
- /* Validate parameters. */
- if ((ssl == NULL) || (ssl->ctx == NULL) || (x509 == NULL) ||
- (x509->derCert == NULL)) {
- ret = 0;
- }
- /* Check if we already have set a certificate. */
- if ((ret == 1) && (ssl->buffers.certificate == NULL)) {
- /* Use the certificate. */
- ret = wolfSSL_use_certificate(ssl, x509);
- if (ret == 1) {
- /* Dispose of old certificate if we own it. */
- if (ssl->buffers.weOwnCert) {
- wolfSSL_X509_free(ssl->ourCert);
- }
- /* Store cert to free it later. */
- ssl->ourCert = x509;
- ssl->buffers.weOwnCert = 1;
- }
- }
- else if (ret == 1) {
- /* Add DER encoding to chain. */
- ret = wolfssl_add_to_chain(&ssl->buffers.certChain,
- ssl->buffers.weOwnCertChain, x509->derCert->buffer,
- x509->derCert->length, ssl->heap);
- if (ret == 1) {
- /* We now own cert chain. */
- ssl->buffers.weOwnCertChain = 1;
- /* Create a stack to put certificate into. */
- if (ssl->ourCertChain == NULL) {
- ssl->ourCertChain = wolfSSL_sk_X509_new_null();
- if (ssl->ourCertChain == NULL) {
- WOLFSSL_MSG("wolfSSL_sk_X509_new_null error");
- ret = 0;
- }
- }
- }
- if (ret == 1) {
- /* Push X509 object onto stack to be freed. */
- ret = wolfSSL_sk_X509_push(ssl->ourCertChain, x509);
- if (ret != 1) {
- /* Free it now on error. */
- wolfSSL_X509_free(x509);
- }
- }
- }
- return WS_RC(ret);
- }
- /* Add the certificate to the chain in the SSL.
- *
- * X509 object is up referenced.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] x509 X509 certificate object.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_add1_chain_cert(WOLFSSL* ssl, WOLFSSL_X509* x509)
- {
- int ret = 1;
- WOLFSSL_ENTER("wolfSSL_add1_chain_cert");
- /* Validate parameters. */
- if ((ssl == NULL) || (ssl->ctx == NULL) || (x509 == NULL) ||
- (x509->derCert == NULL)) {
- ret = 0;
- }
- /* Increase reference count on X509 object before adding. */
- if ((ret == 1) && ((ret == wolfSSL_X509_up_ref(x509)) == 1)) {
- /* Add this to the chain. */
- if ((ret = wolfSSL_add0_chain_cert(ssl, x509)) != 1) {
- /* Decrease reference count on error as not stored. */
- wolfSSL_X509_free(x509);
- }
- }
- return ret;
- }
- #endif /* KEEP_OUR_CERT */
- #endif /* OPENSSL_EXTRA, HAVE_LIGHTY, WOLFSSL_MYSQL_COMPATIBLE, HAVE_STUNNEL,
- WOLFSSL_NGINX, HAVE_POCO_LIB, WOLFSSL_HAPROXY */
- #ifdef OPENSSL_EXTRA
- /* Load a private key into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] pkey EVP private key.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_use_PrivateKey(WOLFSSL_CTX *ctx, WOLFSSL_EVP_PKEY *pkey)
- {
- int ret = 1;
- WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey");
- /* Validate parameters. */
- if ((ctx == NULL) || (pkey == NULL) || (pkey->pkey.ptr == NULL)) {
- ret = 0;
- }
- if (ret == 1) {
- switch (pkey->type) {
- #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA)
- case EVP_PKEY_RSA:
- WOLFSSL_MSG("populating RSA key");
- ret = PopulateRSAEvpPkeyDer(pkey);
- break;
- #endif /* (WOLFSSL_KEY_GEN || OPENSSL_EXTRA) && !NO_RSA */
- #if !defined(HAVE_SELFTEST) && (defined(WOLFSSL_KEY_GEN) || \
- defined(WOLFSSL_CERT_GEN)) && !defined(NO_DSA)
- case EVP_PKEY_DSA:
- break;
- #endif /* !HAVE_SELFTEST && (WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN) &&
- * !NO_DSA */
- #ifdef HAVE_ECC
- case EVP_PKEY_EC:
- WOLFSSL_MSG("populating ECC key");
- ret = ECC_populate_EVP_PKEY(pkey, pkey->ecc);
- break;
- #endif
- default:
- ret = 0;
- }
- }
- if (ret == 1) {
- /* ptr for WOLFSSL_EVP_PKEY struct is expected to be DER format */
- ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx,
- (const unsigned char*)pkey->pkey.ptr, pkey->pkey_sz,
- SSL_FILETYPE_ASN1);
- }
- return ret;
- }
- #endif /* OPENSSL_EXTRA */
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_ASIO) || \
- defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_QT)
- /* Load a DER encoded certificate in a buffer into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] der Buffer holding DER encoded certificate.
- * @param [in] derSz Size of data in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- */
- int wolfSSL_CTX_use_certificate_ASN1(WOLFSSL_CTX *ctx, int derSz,
- const unsigned char *der)
- {
- int ret = 1;
- WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_ASN1");
- /* Validate parameters. */
- if ((ctx == NULL) || (der == NULL)) {
- ret = 0;
- }
- /* Load DER encoded cerificate into SSL context. */
- if ((ret == 1) && (wolfSSL_CTX_use_certificate_buffer(ctx, der, derSz,
- WOLFSSL_FILETYPE_ASN1) != 1)) {
- ret = 0;
- }
- return ret;
- }
- #if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA)
- /* Load an RSA private key into SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] rsa RSA private key.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ctx or rsa is NULL.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- int wolfSSL_CTX_use_RSAPrivateKey(WOLFSSL_CTX* ctx, WOLFSSL_RSA* rsa)
- {
- int ret = 1;
- int derSize;
- unsigned char* der = NULL;
- unsigned char* p;
- WOLFSSL_ENTER("wolfSSL_CTX_use_RSAPrivateKey");
- /* Validate parameters. */
- if ((ctx == NULL) || (rsa == NULL)) {
- WOLFSSL_MSG("one or more inputs were NULL");
- ret = BAD_FUNC_ARG;
- }
- /* Get DER encoding size. */
- if ((ret == 1) && ((derSize = wolfSSL_i2d_RSAPrivateKey(rsa, NULL)) <= 0)) {
- ret = 0;
- }
- if (ret == 1) {
- /* Allocate memory to hold DER encoding.. */
- der = (unsigned char*)XMALLOC(derSize, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (der == NULL) {
- WOLFSSL_MSG("Malloc failure");
- ret = MEMORY_E;
- }
- }
- if (ret == 1) {
- /* Pointer passed in is modified.. */
- p = der;
- /* Encode the RSA key as DER into buffer and get size. */
- if ((derSize = wolfSSL_i2d_RSAPrivateKey(rsa, &p)) <= 0) {
- WOLFSSL_MSG("wolfSSL_i2d_RSAPrivateKey() failure");
- ret = 0;
- }
- }
- if (ret == 1) {
- /* Load DER encoded cerificate into SSL context. */
- ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, der, derSize,
- SSL_FILETYPE_ASN1);
- if (ret != WOLFSSL_SUCCESS) {
- WOLFSSL_MSG("wolfSSL_CTX_USE_PrivateKey_buffer() failure");
- ret = 0;
- }
- }
- /* Dispos of dynamically allocated data. */
- XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- return ret;
- }
- #endif /* WOLFSSL_KEY_GEN && !NO_RSA */
- #endif /* OPENSSL_ALL || WOLFSSL_ASIO || WOLFSSL_HAPROXY || WOLFSSL_QT */
- #endif /* !NO_CERTS */
- #ifdef OPENSSL_EXTRA
- #ifdef WOLFSSL_SYS_CA_CERTS
- /* Use the default paths to look for CA certificate.
- *
- * This is an OpenSSL compatibility layer function, but it doesn't mirror
- * the exact functionality of its OpenSSL counterpart. We don't support the
- * notion of an "OpenSSL directory". This function will attempt to load the
- * environment variables SSL_CERT_DIR and SSL_CERT_FILE, if either are
- * found, they will be loaded. Otherwise, it will act as a wrapper around
- * our native wolfSSL_CTX_load_system_CA_certs function. This function does
- * conform to OpenSSL's return value conventions.
- *
- * @param [in] ctx SSL context object.
- * @return 1 on success.
- * @return 0 on failure.
- * @return WOLFSSL_FATAL_ERROR when using a filesystem is not supported.
- */
- int wolfSSL_CTX_set_default_verify_paths(WOLFSSL_CTX* ctx)
- {
- int ret;
- #ifdef XGETENV
- char* certDir;
- char* certFile;
- word32 flags;
- #endif
- WOLFSSL_ENTER("wolfSSL_CTX_set_default_verify_paths");
- #ifdef XGETENV
- certDir = XGETENV("SSL_CERT_DIR");
- certFile = XGETENV("SSL_CERT_FILE");
- flags = WOLFSSL_LOAD_FLAG_PEM_CA_ONLY;
- if ((certDir != NULL) || (certFile != NULL)) {
- if (certDir != NULL) {
- /* We want to keep trying to load more CA certs even if one cert in
- * the directory is bad and can't be used (e.g. if one is
- * expired), so we use WOLFSSL_LOAD_FLAG_IGNORE_ERR.
- */
- flags |= WOLFSSL_LOAD_FLAG_IGNORE_ERR;
- }
- /* Load CA certificates from environment variable locations. */
- ret = wolfSSL_CTX_load_verify_locations_ex(ctx, certFile, certDir,
- flags);
- if (ret != 1) {
- WOLFSSL_MSG_EX("Failed to load CA certs from SSL_CERT_FILE: %s"
- " SSL_CERT_DIR: %s. Error: %d", certFile,
- certDir, ret);
- ret = 0;
- }
- }
- else
- #endif
- {
- #ifdef NO_FILESYSTEM
- WOLFSSL_MSG("wolfSSL_CTX_set_default_verify_paths not supported"
- " with NO_FILESYSTEM enabled");
- ret = WOLFSSL_FATAL_ERROR;
- #else
- /* Load the system CA certificates. */
- ret = wolfSSL_CTX_load_system_CA_certs(ctx);
- if (ret == WOLFSSL_BAD_PATH) {
- /* OpenSSL doesn't treat the lack of a system CA cert directory as a
- * failure. We do the same here.
- */
- ret = 1;
- }
- #endif
- }
- WOLFSSL_LEAVE("wolfSSL_CTX_set_default_verify_paths", ret);
- return ret;
- }
- #endif /* WOLFSSL_SYS_CA_CERTS */
- #endif /* OPENSSL_EXTRA */
- #ifndef NO_DH
- /* Set the temporary DH parameters against the SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] p Buffer holding prime.
- * @param [in] pSz Length of prime in bytes.
- * @param [in] g Buffer holding generator.
- * @param [in] gSz Length of generator in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- * @return DH_KEY_SIZE_E when the prime is too short or long.
- * @return SIDE_ERROR when the SSL is for a client.
- */
- static int wolfssl_set_tmp_dh(WOLFSSL* ssl, unsigned char* p, int pSz,
- unsigned char* g, int gSz)
- {
- int ret = 1;
- /* Check the size of the prime meets the requirements of the SSL. */
- if (((word16)pSz < ssl->options.minDhKeySz) ||
- ((word16)pSz > ssl->options.maxDhKeySz)) {
- ret = DH_KEY_SIZE_E;
- }
- /* Only able to set DH parameters on server. */
- if ((ret == 1) && (ssl->options.side == WOLFSSL_CLIENT_END)) {
- ret = SIDE_ERROR;
- }
- if (ret == 1) {
- #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
- /* New DH parameters not tested for validity. */
- ssl->options.dhKeyTested = 0;
- /* New DH parameters must be tested for validity before use. */
- ssl->options.dhDoKeyTest = 1;
- #endif
- /* Dispose of old DH parameters if we own it. */
- if (ssl->buffers.weOwnDH) {
- XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
- DYNAMIC_TYPE_PUBLIC_KEY);
- }
- /* Assign the buffers and lengths to SSL. */
- ssl->buffers.serverDH_P.buffer = p;
- ssl->buffers.serverDH_G.buffer = g;
- ssl->buffers.serverDH_P.length = pSz;
- ssl->buffers.serverDH_G.length = gSz;
- /* We own the buffers. */
- ssl->buffers.weOwnDH = 1;
- /* We have a DH parameters to use. */
- ssl->options.haveDH = 1;
- }
- /* Allocate space for cipher suites. */
- if ((ret == 1) && (AllocateSuites(ssl) != 0)) {
- ret = 0;
- }
- if (ret == 1) {
- /* Reset the cipher suites based on having a DH parameters now. */
- InitSuites(ssl->suites, ssl->version, SSL_KEY_SZ(ssl),
- WOLFSSL_HAVE_RSA, SSL_HAVE_PSK(ssl), ssl->options.haveDH,
- ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE,
- ssl->options.haveStaticECC, ssl->options.haveFalconSig,
- ssl->options.haveDilithiumSig, ssl->options.useAnon, TRUE,
- ssl->options.side);
- }
- return ret;
- }
- /* Set the temporary DH parameters against the SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] p Buffer holding prime.
- * @param [in] pSz Length of prime in bytes.
- * @param [in] g Buffer holding generator.
- * @param [in] gSz Length of generator in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- * @return DH_KEY_SIZE_E when the prime is too short or long.
- * @return SIDE_ERROR when the SSL is for a client.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
- const unsigned char* g, int gSz)
- {
- int ret = 1;
- byte* pAlloc = NULL;
- byte* gAlloc = NULL;
- WOLFSSL_ENTER("wolfSSL_SetTmpDH");
- /* Validate parameters. */
- if ((ssl == NULL) || (p == NULL) || (g == NULL)) {
- ret = 0;
- }
- if (ret == 1) {
- /* Allocate buffers for p and g to be assigned into SSL. */
- pAlloc = (byte*)XMALLOC(pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- gAlloc = (byte*)XMALLOC(gSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if ((pAlloc == NULL) || (gAlloc == NULL)) {
- XFREE(pAlloc, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- XFREE(gAlloc, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- ret = MEMORY_E;
- }
- }
- if (ret == 1) {
- /* Copy p and g into allocated buffers. */
- XMEMCPY(pAlloc, p, pSz);
- XMEMCPY(gAlloc, g, gSz);
- /* Set the buffers into SSL. */
- ret = wolfssl_set_tmp_dh(ssl, pAlloc, pSz, gAlloc, gSz);
- }
- if (ret != 1) {
- /* Free the allocated buffers if not assigned into SSL. */
- XFREE(pAlloc, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- XFREE(gAlloc, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- }
- WOLFSSL_LEAVE("wolfSSL_SetTmpDH", ret);
- return ret;
- }
- #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
- /* Check the DH parameters is valid.
- *
- * @param [in] p Buffer holding prime.
- * @param [in] pSz Length of prime in bytes.
- * @param [in] g Buffer holding generator.
- * @param [in] gSz Length of generator in bytes.
- * @return 1 on success.
- * @return DH_CHECK_PUB_E when p is not a prime.
- * @return BAD_FUNC_ARG when p or g is NULL, or pSz or gSz is 0.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int wolfssl_check_dh_key(unsigned char* p, int pSz, unsigned char* g,
- int gSz)
- {
- WC_RNG rng;
- int ret = 0;
- #ifndef WOLFSSL_SMALL_STACK
- DhKey checkKey[1];
- #else
- DhKey *checkKey;
- #endif
- #ifdef WOLFSSL_SMALL_STACK
- checkKey = (DhKey*)XMALLOC(sizeof(DhKey), NULL, DYNAMIC_TYPE_DH);
- if (checkKey == NULL) {
- ret = MEMORY_E;
- }
- #endif
- /* Initialize a new random number generator. */
- if ((ret == 0) && ((ret = wc_InitRng(&rng)) == 0)) {
- /* Initialize a DH object. */
- if ((ret = wc_InitDhKey(checkKey)) == 0) {
- /* Check DH parameters. */
- ret = wc_DhSetCheckKey(checkKey, p, pSz, g, gSz, NULL, 0, 0, &rng);
- /* Dispose of DH object. */
- wc_FreeDhKey(checkKey);
- }
- /* Dispose of random number generator. */
- wc_FreeRng(&rng);
- }
- #ifdef WOLFSSL_SMALL_STACK
- /* Dispose of dynamically allocated data. */
- XFREE(checkKey, NULL, DYNAMIC_TYPE_DH);
- #endif
- /* Convert wolfCrypt return code to 1 on success and ret on failure. */
- return WC_TO_WS_RC(ret);
- }
- #endif
- /* Set the temporary DH parameters against the SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] p Buffer holding prime.
- * @param [in] pSz Length of prime in bytes.
- * @param [in] g Buffer holding generator.
- * @param [in] gSz Length of generator in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- * @return DH_KEY_SIZE_E when the prime is too short or long.
- * @return SIDE_ERROR when the SSL is for a client.
- * @return BAD_FUNC_ARG when ctx, p or g is NULL.
- * @return DH_CHECK_PUB_E when p is not a prime.
- * @return MEMORY_E when dynamic memory allocation fails.
- */
- static int wolfssl_ctx_set_tmp_dh(WOLFSSL_CTX* ctx, unsigned char* p, int pSz,
- unsigned char* g, int gSz)
- {
- int ret = 1;
- WOLFSSL_ENTER("wolfSSL_CTX_SetTmpDH");
- /* Check the size of the prime meets the requirements of the SSL context. */
- if (((word16)pSz < ctx->minDhKeySz) || ((word16)pSz > ctx->maxDhKeySz)) {
- ret = DH_KEY_SIZE_E;
- }
- #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
- !defined(HAVE_SELFTEST)
- if (ret == 1) {
- /* Test DH parameters for validity. */
- ret = wolfssl_check_dh_key(p, pSz, g, gSz);
- /* Record as whether tested based on result of validity test. */
- ctx->dhKeyTested = (ret == 1);
- }
- #endif
- if (ret == 1) {
- /* Dispose of old DH parameters. */
- XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- /* Assign the buffers and lengths to SSL context. */
- ctx->serverDH_P.buffer = p;
- ctx->serverDH_G.buffer = g;
- ctx->serverDH_P.length = pSz;
- ctx->serverDH_G.length = gSz;
- /* We have a DH parameters to use. */
- ctx->haveDH = 1;
- }
- WOLFSSL_LEAVE("wolfSSL_CTX_SetTmpDH", 0);
- return ret;
- }
- /* Set the temporary DH parameters against the SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] p Buffer holding prime.
- * @param [in] pSz Length of prime in bytes.
- * @param [in] g Buffer holding generator.
- * @param [in] gSz Length of generator in bytes.
- * @return 1 on success.
- * @return 0 on failure.
- * @return DH_KEY_SIZE_E when the prime is too short or long.
- * @return SIDE_ERROR when the SSL is for a client.
- * @return BAD_FUNC_ARG when ctx, p or g is NULL.
- * @return DH_CHECK_PUB_E when p is not a prime.
- */
- int wolfSSL_CTX_SetTmpDH(WOLFSSL_CTX* ctx, const unsigned char* p, int pSz,
- const unsigned char* g, int gSz)
- {
- int ret = 1;
- byte* pAlloc = NULL;
- byte* gAlloc = NULL;
- /* Validate parameters. */
- if ((ctx == NULL) || (p == NULL) || (g == NULL)) {
- ret = BAD_FUNC_ARG;
- }
- if (ret == 1) {
- /* Allocate buffers for p and g to be assigned into SSL context. */
- pAlloc = (byte*)XMALLOC(pSz, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- gAlloc = (byte*)XMALLOC(gSz, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if ((pAlloc == NULL) || (gAlloc == NULL)) {
- XFREE(pAlloc, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- XFREE(gAlloc, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- ret = MEMORY_E;
- }
- }
- if (ret == 1) {
- /* Copy p and g into allocated buffers. */
- XMEMCPY(pAlloc, p, pSz);
- XMEMCPY(gAlloc, g, gSz);
- /* Set the buffers into SSL context. */
- ret = wolfssl_ctx_set_tmp_dh(ctx, pAlloc, pSz, gAlloc, gSz);
- }
- if (ret != 1) {
- /* Free the allocated buffers if not assigned into SSL context. */
- XFREE(pAlloc, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- XFREE(gAlloc, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- }
- return ret;
- }
- #ifdef OPENSSL_EXTRA
- /* Set the temporary DH parameters against the SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] dh DH object.
- * @return 1 on success.
- * @return 0 on failure.
- * @return WOLFSSL_FATAL_ERROR on failure.
- * @return BAD_FUNC_ARG when ssl or dh is NULL.
- * @return DH_KEY_SIZE_E when the prime is too short or long.
- * @return SIDE_ERROR when the SSL is for a client.
- */
- long wolfSSL_set_tmp_dh(WOLFSSL *ssl, WOLFSSL_DH *dh)
- {
- int ret = 1;
- byte* p = NULL;
- byte* g = NULL;
- int pSz = 0;
- int gSz = 0;
- WOLFSSL_ENTER("wolfSSL_set_tmp_dh");
- /* Validate parameters. */
- if ((ssl == NULL) || (dh == NULL)) {
- ret = BAD_FUNC_ARG;
- }
- if (ret == 1) {
- /* Get needed size for p and g. */
- pSz = wolfSSL_BN_bn2bin(dh->p, NULL);
- gSz = wolfSSL_BN_bn2bin(dh->g, NULL);
- /* Validate p and g size. */
- if ((pSz <= 0) || (gSz <= 0)) {
- ret = WOLFSSL_FATAL_ERROR;
- }
- }
- if (ret == 1) {
- /* Allocate buffers for p and g to be assigned into SSL. */
- p = (byte*)XMALLOC(pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- g = (byte*)XMALLOC(gSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if ((p == NULL) || (g == NULL)) {
- ret = MEMORY_E;
- }
- }
- if (ret == 1) {
- /* Encode p and g and get sizes. */
- pSz = wolfSSL_BN_bn2bin(dh->p, p);
- gSz = wolfSSL_BN_bn2bin(dh->g, g);
- /* Check encoding worked. */
- if ((pSz <= 0) || (gSz <= 0)) {
- ret = WOLFSSL_FATAL_ERROR;
- }
- }
- if (ret == 1) {
- /* Set the buffers into SSL. */
- ret = wolfssl_set_tmp_dh(ssl, p, pSz, g, gSz);
- }
- if (ret != 1) {
- /* Free the allocated buffers if not assigned into SSL. */
- XFREE(p, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- XFREE(g, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- }
- return ret;
- }
- /* Set the temporary DH parameters object against the SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] dh DH object.
- * @return 1 on success.
- * @return 0 on failure.
- * @return DH_KEY_SIZE_E when the prime is too short or long.
- * @return SIDE_ERROR when the SSL is for a client.
- * @return BAD_FUNC_ARG when ctx, p or g is NULL.
- * @return DH_CHECK_PUB_E when p is not a prime.
- */
- long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX* ctx, WOLFSSL_DH* dh)
- {
- int ret = 1;
- int pSz = 0;
- int gSz = 0;
- byte* p = NULL;
- byte* g = NULL;
- WOLFSSL_ENTER("wolfSSL_CTX_set_tmp_dh");
- /* Validate parameters. */
- if ((ctx == NULL) || (dh == NULL)) {
- ret = BAD_FUNC_ARG;
- }
- if (ret == 1) {
- /* Get needed size for p and g. */
- pSz = wolfSSL_BN_bn2bin(dh->p, NULL);
- gSz = wolfSSL_BN_bn2bin(dh->g, NULL);
- /* Validate p and g size. */
- if ((pSz <= 0) || (gSz <= 0)) {
- ret = WOLFSSL_FATAL_ERROR;
- }
- }
- if (ret == 1) {
- /* Allocate buffers for p and g to be assigned into SSL. */
- p = (byte*)XMALLOC(pSz, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- g = (byte*)XMALLOC(gSz, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if ((p == NULL) || (g == NULL)) {
- ret = MEMORY_E;
- }
- }
- if (ret == 1) {
- /* Encode p and g and get sizes. */
- pSz = wolfSSL_BN_bn2bin(dh->p, p);
- gSz = wolfSSL_BN_bn2bin(dh->g, g);
- /* Check encoding worked. */
- if ((pSz < 0) && (gSz < 0)) {
- ret = WOLFSSL_FATAL_ERROR;
- }
- }
- if (ret == 1) {
- /* Set the buffers into SSL context. */
- ret = wolfssl_ctx_set_tmp_dh(ctx, p, pSz, g, gSz);
- }
- if (ret != 1) {
- /* Free the allocated buffers if not assigned into SSL. */
- XFREE(p, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- XFREE(g, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
- }
- return ret;
- }
- #endif /* OPENSSL_EXTRA */
- #ifndef NO_CERTS
- /* Set the temporary DH parameters against the SSL context or SSL.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @oaram [in] buf Buffer holding encoded DH parameters.
- * @param [in] sz Size of encoded DH parameters.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return 0 on failure.
- * @return BAD_FUNC_ARG when ctx and ssl NULL or buf is NULL.
- * @return NOT_COMPLED_IN when format is PEM but PEM is not supported.
- * @return WOLFSSL_BAD_FILETYPE if format is not supported.
- */
- static int ws_ctx_ssl_set_tmp_dh(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- const unsigned char* buf, long sz, int format)
- {
- DerBuffer* der = NULL;
- int res = 1;
- int ret;
- /* p and g size to allocate set to maximum valid size. */
- word32 pSz = MAX_DH_SIZE;
- word32 gSz = MAX_DH_SIZE;
- byte* p = NULL;
- byte* g = NULL;
- void* heap = WOLFSSL_HEAP(ctx, ssl);
- /* Validate parameters. */
- if (((ctx == NULL) && (ssl == NULL)) || (buf == NULL)) {
- res = BAD_FUNC_ARG;
- }
- /* Check format is supported. */
- if ((res == 1) && (format != WOLFSSL_FILETYPE_ASN1)) {
- if (format != WOLFSSL_FILETYPE_PEM) {
- res = WOLFSSL_BAD_FILETYPE;
- }
- #ifndef WOLFSSL_PEM_TO_DER
- else {
- res = NOT_COMPILED_IN;
- }
- #endif
- }
- /* PemToDer allocates its own DER buffer. */
- if ((res == 1) && (format != WOLFSSL_FILETYPE_PEM)) {
- /* Create an empty DER buffer. */
- ret = AllocDer(&der, 0, DH_PARAM_TYPE, heap);
- if (ret == 0) {
- /* Assign encoded DH parameters to DER buffer. */
- der->buffer = (byte*)buf;
- der->length = (word32)sz;
- }
- else {
- res = ret;
- }
- }
- if (res == 1) {
- /* Allocate enough memory to p and g to support valid use cases. */
- p = (byte*)XMALLOC(pSz, heap, DYNAMIC_TYPE_PUBLIC_KEY);
- g = (byte*)XMALLOC(gSz, heap, DYNAMIC_TYPE_PUBLIC_KEY);
- if ((p == NULL) || (g == NULL)) {
- res = MEMORY_E;
- }
- }
- #ifdef WOLFSSL_PEM_TO_DER
- if ((res == 1) && (format == WOLFSSL_FILETYPE_PEM)) {
- /* Convert from PEM to DER. */
- /* Try converting DH parameters from PEM to DER. */
- ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, heap, NULL, NULL);
- if (ret < 0) {
- /* Otherwise, try converting X9.43 format DH parameters. */
- ret = PemToDer(buf, sz, X942_PARAM_TYPE, &der, heap, NULL, NULL);
- }
- #if defined(WOLFSSL_WPAS) && !defined(NO_DSA)
- if (ret < 0) {
- /* Otherwise, try converting DSA parameters. */
- ret = PemToDer(buf, sz, DSA_PARAM_TYPE, &der, heap, NULL, NULL);
- }
- #endif /* WOLFSSL_WPAS && !NO_DSA */
- if (ret < 0) {
- /* Return error from conversion. */
- res = ret;
- }
- }
- #endif /* WOLFSSL_PEM_TO_DER */
- if (res == 1) {
- /* Get the p and g from the DER encoded parameters. */
- if (wc_DhParamsLoad(der->buffer, der->length, p, &pSz, g, &gSz) < 0) {
- res = WOLFSSL_BAD_FILETYPE;
- }
- else if (ssl != NULL) {
- /* Set p and g into SSL. */
- res = wolfssl_set_tmp_dh(ssl, p, pSz, g, gSz);
- }
- else {
- /* Set p and g into SSL context. */
- res = wolfssl_ctx_set_tmp_dh(ctx, p, pSz, g, gSz);
- }
- }
- /* Dispose of the DER buffer. */
- FreeDer(&der);
- if (res != 1) {
- /* Free the allocated buffers if not assigned into SSL or context. */
- XFREE(p, heap, DYNAMIC_TYPE_PUBLIC_KEY);
- XFREE(g, heap, DYNAMIC_TYPE_PUBLIC_KEY);
- }
- return res;
- }
- /* Set the temporary DH parameters against the SSL.
- *
- * @param [in, out] ssl SSL object.
- * @oaram [in] buf Buffer holding encoded DH parameters.
- * @param [in] sz Size of encoded DH parameters.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return BAD_FUNC_ARG when ssl or buf is NULL.
- * @return NOT_COMPLED_IN when format is PEM but PEM is not supported.
- * @return WOLFSSL_BAD_FILETYPE if format is not supported.
- */
- int wolfSSL_SetTmpDH_buffer(WOLFSSL* ssl, const unsigned char* buf, long sz,
- int format)
- {
- return ws_ctx_ssl_set_tmp_dh(NULL, ssl, buf, sz, format);
- }
- /* Set the temporary DH parameters against the SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @oaram [in] buf Buffer holding encoded DH parameters.
- * @param [in] sz Size of encoded DH parameters.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return BAD_FUNC_ARG when ctx or buf is NULL.
- * @return NOT_COMPLED_IN when format is PEM but PEM is not supported.
- * @return WOLFSSL_BAD_FILETYPE if format is not supported.
- */
- int wolfSSL_CTX_SetTmpDH_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf,
- long sz, int format)
- {
- return ws_ctx_ssl_set_tmp_dh(ctx, NULL, buf, sz, format);
- }
- #ifndef NO_FILESYSTEM
- /* Set the temporary DH parameters file against the SSL context or SSL.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in, out] ssl SSL object.
- * @param [in] fname Name of file to load.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return BAD_FUNC_ARG when ctx and ssl NULL or fname is NULL.
- * @return NOT_COMPLED_IN when format is PEM but PEM is not supported.
- * @return WOLFSSL_BAD_FILETYPE if format is not supported.
- */
- static int ws_ctx_ssl_set_tmp_dh_file(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- const char* fname, int format)
- {
- int res = 1;
- int ret;
- #ifndef WOLFSSL_SMALL_STACK
- byte stackBuffer[FILE_BUFFER_SIZE];
- #endif
- StaticBuffer dhFile;
- long sz = 0;
- void* heap = WOLFSSL_HEAP(ctx, ssl);
- /* Setup buffer to hold file contents. */
- #ifdef WOLFSSL_SMALL_STACK
- static_buffer_init(&dhFile);
- #else
- static_buffer_init(&dhFile, stackBuffer, FILE_BUFFER_SIZE);
- #endif
- /* Validate parameters. */
- if (((ctx == NULL) && (ssl == NULL)) || (fname == NULL)) {
- res = BAD_FUNC_ARG;
- }
- if (res == 1) {
- /* Read file into static buffer. */
- ret = wolfssl_read_file_static(fname, &dhFile, heap, DYNAMIC_TYPE_FILE,
- &sz);
- if (ret != 0) {
- res = ret;
- }
- }
- if (res == 1) {
- if (ssl != NULL) {
- /* Set encoded DH paramters into SSL. */
- res = wolfSSL_SetTmpDH_buffer(ssl, dhFile.buffer, sz, format);
- }
- else {
- /* Set encoded DH paramters into SSL context. */
- res = wolfSSL_CTX_SetTmpDH_buffer(ctx, dhFile.buffer, sz, format);
- }
- }
- /* Dispose of any dynamically allocated data. */
- static_buffer_free(&dhFile, heap, DYNAMIC_TYPE_FILE);
- return res;
- }
- /* Set the temporary DH parameters file against the SSL.
- *
- * @param [in, out] ssl SSL object.
- * @param [in] fname Name of file to load.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return BAD_FUNC_ARG when ssl or fname is NULL.
- * @return NOT_COMPLED_IN when format is PEM but PEM is not supported.
- * @return WOLFSSL_BAD_FILETYPE if format is not supported.
- */
- int wolfSSL_SetTmpDH_file(WOLFSSL* ssl, const char* fname, int format)
- {
- return ws_ctx_ssl_set_tmp_dh_file(NULL, ssl, fname, format);
- }
- /* Set the temporary DH parameters file against the SSL context.
- *
- * @param [in, out] ctx SSL context object.
- * @param [in] fname Name of file to load.
- * @param [in] format Format of data:
- * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1.
- * @return 1 on success.
- * @return BAD_FUNC_ARG when ctx or fname is NULL.
- * @return NOT_COMPLED_IN when format is PEM but PEM is not supported.
- * @return WOLFSSL_BAD_FILETYPE if format is not supported.
- */
- int wolfSSL_CTX_SetTmpDH_file(WOLFSSL_CTX* ctx, const char* fname, int format)
- {
- return ws_ctx_ssl_set_tmp_dh_file(ctx, NULL, fname, format);
- }
- #endif /* NO_FILESYSTEM */
- #endif /* NO_CERTS */
- #endif /* !NO_DH */
- #endif /* !WOLFSSL_SSL_LOAD_INCLUDED */
|