From 324b87614ed90b9a4ede491bd50c6f6f08c0a914 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Mon, 9 Dec 2024 12:15:41 -0800 Subject: [PATCH 1/6] Initial implementation for using PKCS11 to retrieve certificate for SSL CTX --- src/ssl_load.c | 78 ++++++++++++++++++++++++++++ wolfcrypt/src/cryptocb.c | 31 ++++++++++++ wolfcrypt/src/wc_pkcs11.c | 98 +++++++++++++++++++++++++++++++++++- wolfssl/ssl.h | 6 +++ wolfssl/wolfcrypt/cryptocb.h | 17 +++++++ wolfssl/wolfcrypt/pkcs11.h | 2 + wolfssl/wolfcrypt/types.h | 3 +- 7 files changed, 233 insertions(+), 2 deletions(-) diff --git a/src/ssl_load.c b/src/ssl_load.c index a15274b23f..c2483a83c1 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c 
@@ -4146,6 +4146,84 @@ int wolfSSL_CTX_use_AltPrivateKey_Label(WOLFSSL_CTX* ctx, const char* label, #endif /* WOLFSSL_DUAL_ALG_CERTS */ #endif /* WOLF_PRIVATE_KEY_ID */ +#if defined(WOLF_CRYPTO_CB) && !defined(NO_CERTS) + +static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx, + const char *label, const unsigned char *id, int idLen, int devId); + +static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx, + const char *label, const unsigned char *id, int idLen, int devId) +{ + int ret; + byte *certData = NULL; + word32 certDataLen = 0; + word32 labelLen = 0; + + WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_label_ex"); + + if (label != NULL) { + labelLen = (word32)XSTRLEN(label); + } + + ret = wc_CryptoCb_GetCert(devId, (const sword8 *)label, + labelLen, id, idLen, &certData, &certDataLen, ctx->heap); + if (ret != 0) { + ret = WOLFSSL_FAILURE; + goto exit; + } + + ret = ProcessBuffer(ctx, certData, certDataLen, WOLFSSL_FILETYPE_ASN1, + CERT_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx)); + +exit: + if (certData != NULL) { + XFREE(certData, ctx->heap, DYNAMIC_TYPE_CERT); + } + + return ret; +} + +/* Load the label name of a certificate into the SSL context. + * + * @param [in, out] ctx SSL context object. + * @param [in] label Buffer holding label. + * @param [in] devId Device identifier. + * @return 1 on success. + * @return 0 on failure. + */ +int wolfSSL_CTX_use_certificate_label(WOLFSSL_CTX* ctx, + const char *label, int devId) +{ + if ((ctx == NULL) || (label == NULL)) { + WOLFSSL_MSG("Bad Argument"); + return WOLFSSL_FAILURE; + } + + return wolfSSL_CTX_use_certificate_ex(ctx, label, NULL, 0, devId); +} + +/* Load the id of a certificate into SSL context. + * + * @param [in, out] ctx SSL context object. + * @param [in] id Buffer holding id. + * @param [in] idLen Size of data in bytes. + * @param [in] devId Device identifier. + * @return 1 on success. + * @return 0 on failure. 
+ */ +int wolfSSL_CTX_use_certificate_id(WOLFSSL_CTX* ctx, + const unsigned char *id, int idLen, int devId) +{ + if ((ctx == NULL) || (id == NULL) || (idLen <= 0)) { + WOLFSSL_MSG("Bad Argument"); + return WOLFSSL_FAILURE; + } + + return wolfSSL_CTX_use_certificate_ex(ctx, NULL, id, idLen, devId); +} + +#endif /* if defined(WOLF_CRYPTO_CB) && !defined(NO_CERTS) */ + /* Load a certificate chain in a buffer into SSL context. * * @param [in, out] ctx SSL context object. diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c index 62c0e28b72..a67fb41098 100644 --- a/wolfcrypt/src/cryptocb.c +++ b/wolfcrypt/src/cryptocb.c @@ -85,6 +85,7 @@ static const char* GetAlgoTypeStr(int algo) case WC_ALGO_TYPE_SEED: return "Seed"; case WC_ALGO_TYPE_HMAC: return "HMAC"; case WC_ALGO_TYPE_CMAC: return "CMAC"; + case WC_ALGO_TYPE_CERT: return "Cert"; } return NULL; } 
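Review bot: The static helper `wolfSSL_CTX_use_certificate_ex` has no header comment, and its buffer ownership contract is only implicit. The device callback allocates `certData`, and this function releases it with `XFREE(certData, ctx->heap, DYNAMIC_TYPE_CERT)`. A callback that allocates from a different heap hint would have its buffer freed against the wrong allocator, so I would add a comment such as `/* certData is allocated by the crypto callback using ctx->heap and is freed here. */`. The public comment "Load the label name of a certificate into the SSL context" also reads as if the label itself were stored; `/* Fetch a certificate from the crypto callback device by label and load it into the SSL context. */` matches what the code does.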
@@ -1799,6 +1800,36 @@ int wc_CryptoCb_RandomSeed(OS_Seed* os, byte* seed, word32 sz) } #endif /* !WC_NO_RNG */ +#ifndef NO_CERTS +int wc_CryptoCb_GetCert(int devId, const sword8 *label, word32 labelLen, + const byte *id, word32 idLen, byte** out, + word32* outSz, void *heap) +{ + int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); + CryptoCb* dev; + + /* locate registered callback */ + dev = wc_CryptoCb_FindDevice(devId, WC_ALGO_TYPE_CERT); + if (dev && dev->cb) { + wc_CryptoInfo cryptoInfo; + XMEMSET(&cryptoInfo, 0, sizeof(cryptoInfo)); + cryptoInfo.algo_type = WC_ALGO_TYPE_CERT; + cryptoInfo.cert.label = label; + cryptoInfo.cert.labelLen = labelLen; + cryptoInfo.cert.id = id; + cryptoInfo.cert.idLen = idLen; + cryptoInfo.cert.heap = heap; + cryptoInfo.cert.certDataOut = out; + cryptoInfo.cert.certSz = outSz; + cryptoInfo.cert.heap = heap; + + ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); + } + + return wc_CryptoCb_TranslateErrorCode(ret); +} +#endif /* ifndef NO_CERTS */ + #if defined(WOLFSSL_CMAC) int wc_CryptoCb_Cmac(Cmac* cmac, const byte* key, word32 keySz, const byte* in, word32 inSz, byte* out, word32* outSz, int type, diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index d7ef8d8c38..d8565912f1 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c @@ -108,6 +108,8 @@ static CK_OBJECT_CLASS privKeyClass = CKO_PRIVATE_KEY; static CK_OBJECT_CLASS secretKeyClass = CKO_SECRET_KEY; #endif +static CK_OBJECT_CLASS certClass = CKO_CERTIFICATE; + #ifdef WOLFSSL_DEBUG_PKCS11 /* Enable logging of PKCS#11 calls and return value. */ #define PKCS11_RV(op, rv) pkcs11_rv(op, rv) @@ -240,6 +242,10 @@ static void pkcs11_dump_template(const char* name, CK_ATTRIBUTE* templ, XSNPRINTF(line, sizeof(line), "%25s: SECRET", type); WOLFSSL_MSG(line); } + else if (keyClass == CKO_CERTIFICATE) { + XSNPRINTF(line, sizeof(line), "%25s: CERTIFICATE", type); + WOLFSSL_MSG(line); + } else { XSNPRINTF(line, sizeof(line), "%25s: UNKNOWN (%p)", type, 
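Review bot: `wc_CryptoCb_GetCert` forwards `out` and `outSz` to the device callback without checking them. The PKCS#11 handler added in this same patch writes through both unconditionally (`*info->cert.certDataOut = certData;`). A guard at the top, `if (out == NULL || outSz == NULL) return BAD_FUNC_ARG;`, keeps a bad caller from turning into a NULL write inside whichever callback is registered. Separately, `cryptoInfo.cert.heap = heap;` is assigned twice in the block and one of the two lines can go.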
@@ -1463,7 +1469,8 @@ int wc_Pkcs11StoreKey(Pkcs11Token* token, int type, int clear, void* key) } #if !defined(NO_RSA) || defined(HAVE_ECC) || (!defined(NO_AES) && \ - (defined(HAVE_AESGCM) || defined(HAVE_AES_CBC))) || !defined(NO_HMAC) + (defined(HAVE_AESGCM) || defined(HAVE_AES_CBC))) || \ + !defined(NO_HMAC) || !defined(NO_CERTS) /** * Find the PKCS#11 object containing key data using template. 
@@ -3965,6 +3972,84 @@ static int Pkcs11RandomSeed(Pkcs11Session* session, wc_CryptoInfo* info) } #endif +#ifndef NO_CERTS + +static int Pkcs11GetCert(Pkcs11Session* session, wc_CryptoInfo* info) { + int ret = 0; + CK_RV rv = 0; + CK_ULONG count = 0; + CK_OBJECT_HANDLE certHandle = CK_INVALID_HANDLE; + byte *certData = NULL; + CK_ATTRIBUTE certTemplate[2] = { + { CKA_CLASS, &certClass, sizeof(certClass) } + }; + CK_ATTRIBUTE tmpl[] = { + { CKA_VALUE, NULL_PTR, 0 } + }; + CK_ULONG certTmplCnt = sizeof(certTemplate) / sizeof(*certTemplate); + CK_ULONG tmplCnt = sizeof(tmpl) / sizeof(*tmpl); + + WOLFSSL_MSG("PKCS#11: Retrieve certificate"); + if (info->cert.labelLen > 0) { + certTemplate[1].type = CKA_LABEL; + certTemplate[1].pValue = (CK_VOID_PTR)info->cert.label; + certTemplate[1].ulValueLen = info->cert.labelLen; + } + else if (info->cert.idLen > 0) { + certTemplate[1].type = CKA_ID; + certTemplate[1].pValue = (CK_VOID_PTR)info->cert.id; + certTemplate[1].ulValueLen = info->cert.idLen; + } + else { + ret = BAD_FUNC_ARG; + goto exit; + } + + ret = Pkcs11FindKeyByTemplate( + &certHandle, session, certTemplate, certTmplCnt, &count); + if (ret == 0 && count == 0) { + ret = WC_HW_E; + goto exit; + } + + PKCS11_DUMP_TEMPLATE("Get Certificate Length", tmpl, tmplCnt); + rv = session->func->C_GetAttributeValue( + session->handle, certHandle, tmpl, tmplCnt); + PKCS11_RV("C_GetAttributeValue", rv); + if (rv != CKR_OK) { + ret = WC_HW_E; + goto exit; + } + + certData = XMALLOC( + (int)tmpl[0].ulValueLen, info->cert.heap, DYNAMIC_TYPE_CERT); + if (certData == NULL) { + ret = MEMORY_E; + goto exit; + } + + tmpl[0].pValue = certData; + rv = session->func->C_GetAttributeValue( + session->handle, certHandle, tmpl, tmplCnt); + PKCS11_RV("C_GetAttributeValue", rv); + if (rv != CKR_OK) { + ret = WC_HW_E; + goto exit; + } + + *info->cert.certDataOut = certData; + *info->cert.certSz = (word32)tmpl[0].ulValueLen; + certData = NULL; + +exit: + if (certData != NULL) { + XFREE(certData, 
info->cert.heap, DYNAMIC_TYPE_CERT); + } + return ret; +} + +#endif /* ifndef NO_CERTS */ + /** * Perform a cryptographic operation using PKCS#11 device. * @@ -4157,6 +4242,17 @@ int wc_Pkcs11_CryptoDevCb(int devId, wc_CryptoInfo* info, void* ctx) } #else ret = NOT_COMPILED_IN; + #endif + } + else if (info->algo_type == WC_ALGO_TYPE_CERT) { + #ifndef NO_CERTS + ret = Pkcs11OpenSession(token, &session, readWrite); + if (ret == 0) { + ret = Pkcs11GetCert(&session, info); + Pkcs11CloseSession(token, &session); + } + #else + ret = NOT_COMPILED_IN; #endif } else diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index be1fecffee..c3d45a6ea6 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3545,6 +3545,12 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* key, unsigned int len, const unsigned char* in, long sz, int format); WOLFSSL_API int wolfSSL_CTX_use_certificate_chain_buffer(WOLFSSL_CTX* ctx, const unsigned char* in, long sz); +#if defined(WOLF_CRYPTO_CB) + WOLFSSL_API int wolfSSL_CTX_use_certificate_label(WOLFSSL_CTX* ctx, + const char *label, int devId); + WOLFSSL_API int wolfSSL_CTX_use_certificate_id(WOLFSSL_CTX* ctx, + const unsigned char *id, int idLen, int devId); +#endif #ifdef WOLFSSL_DUAL_ALG_CERTS WOLFSSL_API int wolfSSL_CTX_use_AltPrivateKey_buffer(WOLFSSL_CTX* ctx, const unsigned char* in, long sz, int format); diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h index a52742f49a..fcc35d8140 100644 --- a/wolfssl/wolfcrypt/cryptocb.h +++ b/wolfssl/wolfcrypt/cryptocb.h @@ -448,6 +448,17 @@ typedef struct wc_CryptoInfo { int type; } cmac; #endif +#ifndef NO_CERTS + struct { + const byte *id; + word32 idLen; + const sword8 *label; + word32 labelLen; + byte **certDataOut; + word32 *certSz; + void *heap; + } cert; +#endif #ifdef WOLF_CRYPTO_CB_CMD struct { /* uses wc_AlgoType=ALGO_NONE */ int type; /* enum wc_CryptoCbCmdType */ 
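Review bot: In `Pkcs11GetCert` a failed lookup is not handled, because `if (ret == 0 && count == 0)` only covers the not-found case. When `Pkcs11FindKeyByTemplate` returns non-zero, control falls through to `C_GetAttributeValue` with `certHandle` still `CK_INVALID_HANDLE`. If the module happened to answer `CKR_OK` to both calls, the output pointers would be filled in while the stale error code is returned. Splitting the check into `if (ret != 0) goto exit;` followed by `if (count == 0) { ret = WC_HW_E; goto exit; }` stops the token from being queried with an invalid handle.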
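Review bot: The two prototypes in wolfssl/ssl.h are guarded by `#if defined(WOLF_CRYPTO_CB)` alone, but the definitions in src/ssl_load.c are compiled under `#if defined(WOLF_CRYPTO_CB) && !defined(NO_CERTS)`. A build with both `WOLF_CRYPTO_CB` and `NO_CERTS` would then export declarations that have no definition. Unless the surrounding header region is already inside a `NO_CERTS` guard, which this hunk does not show, the header should use the same condition: `#if defined(WOLF_CRYPTO_CB) && !defined(NO_CERTS)`.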
@@ -657,6 +668,12 @@ WOLFSSL_LOCAL int wc_CryptoCb_Cmac(Cmac* cmac, const byte* key, word32 keySz, void* ctx); #endif +#ifndef NO_CERTS +WOLFSSL_LOCAL int wc_CryptoCb_GetCert(int devId, const sword8 *label, + word32 labelLen, const byte *id, word32 idLen, byte** out, + word32* outSz, void *heap); +#endif + #endif /* WOLF_CRYPTO_CB */ #ifdef __cplusplus diff --git a/wolfssl/wolfcrypt/pkcs11.h b/wolfssl/wolfcrypt/pkcs11.h index 7a53710b6f..f252a008be 100644 --- a/wolfssl/wolfcrypt/pkcs11.h +++ b/wolfssl/wolfcrypt/pkcs11.h @@ -71,10 +71,12 @@ extern "C" { #define CKF_RW_SESSION 0x00000002UL #define CKF_SERIAL_SESSION 0x00000004UL +#define CKO_CERTIFICATE 0x00000001UL #define CKO_PUBLIC_KEY 0x00000002UL #define CKO_PRIVATE_KEY 0x00000003UL #define CKO_SECRET_KEY 0x00000004UL + #define CKK_RSA 0x00000000UL #define CKK_DH 0x00000002UL #define CKK_EC 0x00000003UL diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 5fb14b88a3..c224988301 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -1138,8 +1138,9 @@ typedef struct w64wrapper { WC_ALGO_TYPE_SEED = 5, WC_ALGO_TYPE_HMAC = 6, WC_ALGO_TYPE_CMAC = 7, + WC_ALGO_TYPE_CERT = 8, - WC_ALGO_TYPE_MAX = WC_ALGO_TYPE_CMAC + WC_ALGO_TYPE_MAX = WC_ALGO_TYPE_CERT }; /* hash types */ From c83c9e68c9d45cd3f52ce94cc5d5d5d219a57c14 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Mon, 9 Dec 2024 13:10:32 -0800 Subject: [PATCH 2/6] Updates per review comments --- src/ssl_load.c | 7 +------ wolfcrypt/src/wc_pkcs11.c | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/src/ssl_load.c b/src/ssl_load.c index c2483a83c1..ed96d4aa45 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c 
@@ -4148,9 +4148,6 @@ int wolfSSL_CTX_use_AltPrivateKey_Label(WOLFSSL_CTX* ctx, const char* label, #if defined(WOLF_CRYPTO_CB) && !defined(NO_CERTS) -static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx, - const char *label, const unsigned char *id, int idLen, int devId); - static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx, const char *label, const unsigned char *id, int idLen, int devId) { @@ -4159,7 +4156,7 @@ static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx, word32 certDataLen = 0; word32 labelLen = 0; - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_label_ex"); + WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_ex"); if (label != NULL) { labelLen = (word32)XSTRLEN(label); @@ -4195,7 +4192,6 @@ int wolfSSL_CTX_use_certificate_label(WOLFSSL_CTX* ctx, const char *label, int devId) { if ((ctx == NULL) || (label == NULL)) { - WOLFSSL_MSG("Bad Argument"); return WOLFSSL_FAILURE; } @@ -4215,7 +4211,6 @@ int wolfSSL_CTX_use_certificate_id(WOLFSSL_CTX* ctx, const unsigned char *id, int idLen, int devId) { if ((ctx == NULL) || (id == NULL) || (idLen <= 0)) { - WOLFSSL_MSG("Bad Argument"); return WOLFSSL_FAILURE; } diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index d8565912f1..bbe292e865 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c @@ -4021,7 +4021,7 @@ static int Pkcs11GetCert(Pkcs11Session* session, wc_CryptoInfo* info) { goto exit; } - certData = XMALLOC( + certData = (byte *)XMALLOC( (int)tmpl[0].ulValueLen, info->cert.heap, DYNAMIC_TYPE_CERT); if (certData == NULL) { ret = MEMORY_E; From 0cda59e00ef96d4c1e74e9c9c400e4323e704f71 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Mon, 9 Dec 2024 14:32:02 -0800 Subject: [PATCH 3/6] Add support for cert format in get cert crypto callback --- src/ssl_load.c | 5 +++-- wolfcrypt/src/cryptocb.c | 3 ++- wolfcrypt/src/wc_pkcs11.c | 3 +++ wolfssl/wolfcrypt/cryptocb.h | 3 ++- 4 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/src/ssl_load.c b/src/ssl_load.c index ed96d4aa45..4a67913eda 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c @@ -4155,6 +4155,7 @@ static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx, byte *certData = NULL; word32 certDataLen = 0; word32 labelLen = 0; + int certFormat = 0; WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_ex"); @@ -4163,13 +4164,13 @@ static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx, } ret = wc_CryptoCb_GetCert(devId, (const sword8 *)label, - labelLen, id, idLen, &certData, &certDataLen, ctx->heap); + labelLen, id, idLen, &certData, &certDataLen, &certFormat, ctx->heap); if (ret != 0) { ret = WOLFSSL_FAILURE; goto exit; } - ret = ProcessBuffer(ctx, certData, certDataLen, WOLFSSL_FILETYPE_ASN1, + ret = ProcessBuffer(ctx, certData, certDataLen, certFormat, CERT_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx)); exit: diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c index a67fb41098..0d1d26738a 100644 --- a/wolfcrypt/src/cryptocb.c +++ b/wolfcrypt/src/cryptocb.c @@ -1803,7 +1803,7 @@ int wc_CryptoCb_RandomSeed(OS_Seed* os, byte* seed, word32 sz) #ifndef NO_CERTS int wc_CryptoCb_GetCert(int devId, const sword8 *label, word32 labelLen, const byte *id, word32 idLen, byte** out, - word32* outSz, void *heap) + word32* outSz, int *format, void *heap) { int ret = WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE); CryptoCb* dev; @@ -1821,6 +1821,7 @@ int wc_CryptoCb_GetCert(int devId, const sword8 *label, word32 labelLen, cryptoInfo.cert.heap = heap; cryptoInfo.cert.certDataOut = out; cryptoInfo.cert.certSz = outSz; + cryptoInfo.cert.certFormatOut = format; cryptoInfo.cert.heap = heap; ret = dev->cb(dev->devId, &cryptoInfo, dev->ctx); diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index bbe292e865..26b2703c76 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c 
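Review bot: `certFormat` is initialised to 0 and passed straight to `ProcessBuffer`, so a callback that returns certificate bytes but leaves `certFormatOut` untouched no longer gets the DER handling that the hard-coded `WOLFSSL_FILETYPE_ASN1` gave it before this commit. The PKCS#11 handler in the same commit treats the pointer as optional (`if (info->cert.certFormatOut != NULL)`), so other callbacks may reasonably skip setting it. Initialising with `int certFormat = WOLFSSL_FILETYPE_ASN1;` keeps the earlier default. Whether 0 is a valid file type value cannot be confirmed from this diff, since the definitions are elsewhere; it does not appear to be. The body of `wolfSSL_CTX_use_certificate_ex` extends beyond both hunks.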
@@ -4039,6 +4039,9 @@ static int Pkcs11GetCert(Pkcs11Session* session, wc_CryptoInfo* info) { *info->cert.certDataOut = certData; *info->cert.certSz = (word32)tmpl[0].ulValueLen; + if (info->cert.certFormatOut != NULL) { + *info->cert.certFormatOut = CTC_FILETYPE_ASN1; + } certData = NULL; exit: diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h index fcc35d8140..a8f19e304c 100644 --- a/wolfssl/wolfcrypt/cryptocb.h +++ b/wolfssl/wolfcrypt/cryptocb.h @@ -456,6 +456,7 @@ typedef struct wc_CryptoInfo { word32 labelLen; byte **certDataOut; word32 *certSz; + int *certFormatOut; void *heap; } cert; #endif @@ -671,7 +672,7 @@ WOLFSSL_LOCAL int wc_CryptoCb_Cmac(Cmac* cmac, const byte* key, word32 keySz, #ifndef NO_CERTS WOLFSSL_LOCAL int wc_CryptoCb_GetCert(int devId, const sword8 *label, word32 labelLen, const byte *id, word32 idLen, byte** out, - word32* outSz, void *heap); + word32* outSz, int *format, void *heap); #endif #endif /* WOLF_CRYPTO_CB */ From 0c20a20acce46daf5f46cc4d14fdbaaa90e2ec23 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Mon, 9 Dec 2024 16:09:04 -0800 Subject: [PATCH 4/6] Use char instead of sword8, sanity length check on CKA_VALUE --- src/ssl_load.c | 4 ++-- wolfcrypt/src/cryptocb.c | 2 +- wolfcrypt/src/wc_pkcs11.c | 7 ++++++- wolfssl/wolfcrypt/cryptocb.h | 4 ++-- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/src/ssl_load.c b/src/ssl_load.c index 4a67913eda..4b9a626116 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c @@ -4163,8 +4163,8 @@ static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx, labelLen = (word32)XSTRLEN(label); } - ret = wc_CryptoCb_GetCert(devId, (const sword8 *)label, - labelLen, id, idLen, &certData, &certDataLen, &certFormat, ctx->heap); + ret = wc_CryptoCb_GetCert(devId, label, labelLen, id, idLen, + &certData, &certDataLen, &certFormat, ctx->heap); if (ret != 0) { ret = WOLFSSL_FAILURE; goto exit; 
diff --git a/wolfcrypt/src/cryptocb.c b/wolfcrypt/src/cryptocb.c index 0d1d26738a..973b4f9de4 100644 --- a/wolfcrypt/src/cryptocb.c +++ b/wolfcrypt/src/cryptocb.c @@ -1801,7 +1801,7 @@ int wc_CryptoCb_RandomSeed(OS_Seed* os, byte* seed, word32 sz) #endif /* !WC_NO_RNG */ #ifndef NO_CERTS -int wc_CryptoCb_GetCert(int devId, const sword8 *label, word32 labelLen, +int wc_CryptoCb_GetCert(int devId, const char *label, word32 labelLen, const byte *id, word32 idLen, byte** out, word32* outSz, int *format, void *heap) { diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index 26b2703c76..c49682331c 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c @@ -4021,6 +4021,11 @@ static int Pkcs11GetCert(Pkcs11Session* session, wc_CryptoInfo* info) { goto exit; } + if (tmpl[0].ulValueLen <= 0) { + ret = WC_HW_E; + goto exit; + } + certData = (byte *)XMALLOC( (int)tmpl[0].ulValueLen, info->cert.heap, DYNAMIC_TYPE_CERT); if (certData == NULL) { @@ -4051,7 +4056,7 @@ static int Pkcs11GetCert(Pkcs11Session* session, wc_CryptoInfo* info) { return ret; } -#endif /* ifndef NO_CERTS */ +#endif /* !NO_CERTS */ /** * Perform a cryptographic operation using PKCS#11 device. diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h index a8f19e304c..976332f4eb 100644 --- a/wolfssl/wolfcrypt/cryptocb.h +++ b/wolfssl/wolfcrypt/cryptocb.h @@ -452,7 +452,7 @@ typedef struct wc_CryptoInfo { struct { const byte *id; word32 idLen; - const sword8 *label; + const char *label; word32 labelLen; byte **certDataOut; word32 *certSz; @@ -670,7 +670,7 @@ WOLFSSL_LOCAL int wc_CryptoCb_Cmac(Cmac* cmac, const byte* key, word32 keySz, #endif #ifndef NO_CERTS -WOLFSSL_LOCAL int wc_CryptoCb_GetCert(int devId, const sword8 *label, +WOLFSSL_LOCAL int wc_CryptoCb_GetCert(int devId, const char *label, word32 labelLen, const byte *id, word32 idLen, byte** out, word32* outSz, int *format, void *heap); #endif 
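Review bot: The new check `if (tmpl[0].ulValueLen <= 0)` in `Pkcs11GetCert` only rejects zero, because `CK_ULONG` is unsigned. There is still no upper bound before the length is narrowed by `(int)tmpl[0].ulValueLen` for `XMALLOC`. The second `C_GetAttributeValue` call, outside this hunk, is given the un-narrowed `ulValueLen` as the buffer size. A token reporting a length that does not fit in `int` could therefore get a smaller allocation than the module is told it may write, and the later `(word32)` cast can truncate the reported size. I would bound the device-supplied length explicitly: `if (tmpl[0].ulValueLen == 0 || tmpl[0].ulValueLen > PKCS11_MAX_CERT_LEN)`, where `PKCS11_MAX_CERT_LEN` is a placeholder for whatever cap the project prefers. The function starts and ends outside this hunk.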
From 00386c76bfc23777d6a3b3f6061102d66c75b02e Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Tue, 10 Dec 2024 09:43:03 -0800 Subject: [PATCH 5/6] No redundant NULL check on free --- wolfcrypt/src/wc_pkcs11.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c index c49682331c..b3df75c42e 100644 --- a/wolfcrypt/src/wc_pkcs11.c +++ b/wolfcrypt/src/wc_pkcs11.c @@ -4050,9 +4050,7 @@ static int Pkcs11GetCert(Pkcs11Session* session, wc_CryptoInfo* info) { certData = NULL; exit: - if (certData != NULL) { - XFREE(certData, info->cert.heap, DYNAMIC_TYPE_CERT); - } + XFREE(certData, info->cert.heap, DYNAMIC_TYPE_CERT); return ret; } From 2039d6371f4684335ed134d7601bd303c826c38d Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Wed, 11 Dec 2024 12:25:35 -0800 Subject: [PATCH 6/6] Remove redundant NULL check --- src/ssl_load.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/ssl_load.c b/src/ssl_load.c index 4b9a626116..fff042b339 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c @@ -4174,10 +4174,7 @@ static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx, CERT_TYPE, NULL, NULL, 0, GET_VERIFY_SETTING_CTX(ctx)); exit: - if (certData != NULL) { - XFREE(certData, ctx->heap, DYNAMIC_TYPE_CERT); - } - + XFREE(certData, ctx->heap, DYNAMIC_TYPE_CERT); return ret; }