Merge pull request #2157 from tempesta-tech/ak-sha384-sign

Fix x509 certificate parsing

Author: krizhanovsky

fw/http.c

@@ -7246,7 +7246,7 @@ __tfw_http_msg_body_dup(const char *filename, TfwStr *c_len, size_t *len,
 		tfw_str_to_cstr(c_len, res, t_sz);
 		b_start += c_len->len;
 	}
-	memcpy_fast(b_start, body, b_sz);
+	memcpy(b_start, body, b_sz);
 
 	*len = t_sz;
 	*body_offset = b_start - res;

fw/tls_conf.c

@@ -1,7 +1,7 @@
 /**
  *		Tempesta FW
  *
- * Copyright (C) 2019-2023 Tempesta Technologies, Inc.
+ * Copyright (C) 2019-2024 Tempesta Technologies, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -121,8 +121,8 @@ tfw_tls_add_cn(const ttls_x509_buf *sname, void *a_vhost)
 	TfwVhost *vhost = a_vhost;
 	const char *hname = vhost->name.data;
 	int hlen = vhost->name.len;
-	BasicStr cn = {.data = sname->p, .len = sname->len};
-
+	/* cn-pointed data isn't modified, so just a type compatibility. */
+	BasicStr cn = {.data = (char *)sname->p, .len = sname->len};
 
 	/*
 	 * Try wildcard match by RFC 2818 3.1:
@@ -153,7 +153,7 @@ tfw_tls_add_cn(const ttls_x509_buf *sname, void *a_vhost)
 		 * Add the chopped (w/o leading '*') wildcard to
 		 * the SNI mapping.
 		 */
-		cn.data = sname->p + 1;
+		cn.data = (char *)sname->p + 1;
 		cn.len = sname->len - 1;
 	}
 
@@ -186,18 +186,17 @@ tfw_tls_set_cert(TfwVhost *vhost, TfwCfgSpec *cs, TfwCfgEntry *ce)
 	if (tfw_cfg_check_single_val(ce))
 		return -EINVAL;
 
-	ttls_x509_crt_init(&conf->crt);
-	/* Preserve 3 bytes for the certificate length. */
 	crt_data = tfw_cfg_read_file(ce->vals[0], &crt_size);
 	if (!crt_data) {
 		T_ERR_NL("%s: Can't read certificate file '%s'\n",
 			 ce->name, ce->vals[0]);
 		return -EINVAL;
 	}
 
+	ttls_x509_crt_init(&conf->crt);
 	r = ttls_x509_crt_parse(&conf->crt, crt_data, crt_size);
 	if (r) {
-		T_ERR_NL("%s: Invalid certificate specified (%x)\n",
+		T_ERR_NL("%s: Invalid certificate specified, err=%x\n",
 			 cs->name, -r);
 		goto err;
 	}

tls/asn1.c

@@ -6,7 +6,7 @@
  * Based on mbed TLS, https://tls.mbed.org.
  *
  * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * Copyright (C) 2015-2020 Tempesta Technologies, Inc.
+ * Copyright (C) 2015-2024 Tempesta Technologies, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -39,7 +39,7 @@
  * @len	- The variable that will receive the value
  */
 int
-ttls_asn1_get_len(unsigned char **p, const unsigned char *end, size_t *len)
+ttls_asn1_get_len(const unsigned char **p, const unsigned char *end, size_t *len)
 {
 	if ((end - *p) < 1)
 		return(TTLS_ERR_ASN1_OUT_OF_DATA);
@@ -92,7 +92,7 @@ ttls_asn1_get_len(unsigned char **p, const unsigned char *end, size_t *len)
  * @tag	- The expected tag
  */
 int
-ttls_asn1_get_tag(unsigned char **p, const unsigned char *end, size_t *len,
+ttls_asn1_get_tag(const unsigned char **p, const unsigned char *end, size_t *len,
 		  int tag)
 {
 	if ((end - *p) < 1)
@@ -115,7 +115,7 @@ ttls_asn1_get_tag(unsigned char **p, const unsigned char *end, size_t *len,
  * @val	- The variable that will receive the value
  */
 int
-ttls_asn1_get_bool(unsigned char **p, const unsigned char *end, int *val)
+ttls_asn1_get_bool(const unsigned char **p, const unsigned char *end, int *val)
 {
 	int r;
 	size_t len;
@@ -141,7 +141,7 @@ ttls_asn1_get_bool(unsigned char **p, const unsigned char *end, int *val)
  * @val	- The variable that will receive the value
  */
 int
-ttls_asn1_get_int(unsigned char **p, const unsigned char *end, int *val)
+ttls_asn1_get_int(const unsigned char **p, const unsigned char *end, int *val)
 {
 	int r;
 	size_t len;
@@ -171,7 +171,7 @@ ttls_asn1_get_int(unsigned char **p, const unsigned char *end, int *val)
  * @X	- The MPI that will receive the value
  */
 int
-ttls_asn1_get_mpi(unsigned char **p, const unsigned char *end, TlsMpi *X)
+ttls_asn1_get_mpi(const unsigned char **p, const unsigned char *end, TlsMpi *X)
 {
 	int r;
 	size_t len;
@@ -187,7 +187,7 @@ ttls_asn1_get_mpi(unsigned char **p, const unsigned char *end, TlsMpi *X)
 }
 
 int
-ttls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
+ttls_asn1_get_bitstring(const unsigned char **p, const unsigned char *end,
 			ttls_asn1_bitstring *bs)
 {
 	int r;
@@ -201,9 +201,8 @@ ttls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
 		return TTLS_ERR_ASN1_OUT_OF_DATA;
 	bs->len -= 1;
 
-	/* Get number of unused bits, ensure unused bits <= 7 */
-	bs->unused_bits = **p;
-	if (bs->unused_bits > 7)
+	/* Ensure unused bits is <= 7. */
+	if (**p > 7)
 		return TTLS_ERR_ASN1_INVALID_LENGTH;
 	++*p;
 
@@ -218,22 +217,26 @@ ttls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
  * Retrieve a bitstring ASN.1 tag without unused bits and its value.
  */
 int
-ttls_asn1_get_bitstring_null(unsigned char **p, const unsigned char *end,
+ttls_asn1_get_bitstring_null(const unsigned char **p, const unsigned char *end,
 			     size_t *len)
 {
 	int r;
 
 	if ((r = ttls_asn1_get_tag(p, end, len, TTLS_ASN1_BIT_STRING)))
 		return r;
 
-	return ((*len)-- < 2 || *(*p)++ != 0) ? -EINVAL : 0;
+	if (!*len)
+		return -EINVAL;
+	--*len;
+
+	return *(*p)++ ? -EINVAL : 0;
 }
 
 /*
  *  Parses and splits an ASN.1 "SEQUENCE OF <tag>"
  */
 int
-ttls_asn1_get_sequence_of(unsigned char **p, const unsigned char *end,
+ttls_asn1_get_sequence_of(const unsigned char **p, const unsigned char *end,
 			  ttls_asn1_sequence *cur, int tag)
 {
 	int r;
@@ -249,7 +252,7 @@ ttls_asn1_get_sequence_of(unsigned char **p, const unsigned char *end,
 		return TTLS_ERR_ASN1_LENGTH_MISMATCH;
 
 	while (*p < end) {
-		buf = &(cur->buf);
+		buf = &cur->buf;
 		buf->tag = **p;
 
 		if ((r = ttls_asn1_get_tag(p, end, &buf->len, tag)))
@@ -284,7 +287,7 @@ ttls_asn1_get_sequence_of(unsigned char **p, const unsigned char *end,
  * @params - The buffer to receive the params (if any)
  */
 int
-ttls_asn1_get_alg(unsigned char **p, const unsigned char *end,
+ttls_asn1_get_alg(const unsigned char **p, const unsigned char *end,
 		  ttls_asn1_buf *alg, ttls_asn1_buf *params)
 {
 	int r;
@@ -324,7 +327,7 @@ ttls_asn1_get_alg(unsigned char **p, const unsigned char *end,
 }
 
 int
-ttls_asn1_get_alg_null(unsigned char **p, const unsigned char *end,
+ttls_asn1_get_alg_null(const unsigned char **p, const unsigned char *end,
 		       ttls_asn1_buf *alg)
 {
 	int r;
@@ -356,15 +359,15 @@ ttls_asn1_write_len(unsigned char **p, unsigned char *start, size_t len)
 	if (len < 0x80) {
 		if (*p - start < 1)
 			return -ENOSPC;
-		*--(*p) = (unsigned char) len;
+		*--(*p) = (unsigned char)len;
 		return 1;
 	}
 
 	if (len <= 0xFF) {
 		if (*p - start < 2)
 			return -ENOSPC;
 
-		*--(*p) = (unsigned char) len;
+		*--(*p) = (unsigned char)len;
 		*--(*p) = 0x81;
 		return 2;
 	}

tls/asn1.h

@@ -6,7 +6,7 @@
  * Based on mbed TLS, https://tls.mbed.org.
  *
  * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
- * Copyright (C) 2015-2020 Tempesta Technologies, Inc.
+ * Copyright (C) 2015-2024 Tempesta Technologies, Inc.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -102,8 +102,7 @@
 do {									\
 	if ((ret = f) < 0)						\
 		return ret;						\
-	else								\
-		g += ret;						\
+	g += ret;							\
 } while (0)
 
 /**
@@ -114,22 +113,20 @@ do {									\
  * @p		- ASN1 data, e.g. in ASCII.
  */
 typedef struct {
-	int		tag;
-	size_t		len;
-	unsigned char	*p;
+	int			tag;
+	size_t			len;
+	const unsigned char	*p;
 } ttls_asn1_buf;
 
 /**
  * Container for ASN1 bit strings.
  *
  * @len		- ASN1 length, in octets;
- * @unused_bits	- Number of unused bits at the end of the string;
  * @p		- Raw ASN1 data for the bit string.
  */
 typedef struct {
-	size_t		len;
-	unsigned char	unused_bits;
-	unsigned char	*p;
+	size_t			len;
+	const unsigned char	*p;
 } ttls_asn1_bitstring;
 
 /**
@@ -140,7 +137,7 @@ typedef struct {
  */
 typedef struct ttls_asn1_sequence
 {
-	ttls_asn1_buf	buf;
+	ttls_asn1_buf		buf;
 	struct ttls_asn1_sequence *next;
 } ttls_asn1_sequence;
 
@@ -160,21 +157,25 @@ typedef struct ttls_asn1_named_data
 	unsigned char	next_merged;
 } ttls_asn1_named_data;
 
-int ttls_asn1_get_len(unsigned char **p, const unsigned char *end, size_t *len);
-int ttls_asn1_get_tag(unsigned char **p, const unsigned char *end, size_t *len,
-		      int tag);
-int ttls_asn1_get_bool(unsigned char **p, const unsigned char *end, int *val);
-int ttls_asn1_get_int(unsigned char **p, const unsigned char *end, int *val);
-int ttls_asn1_get_mpi(unsigned char **p, const unsigned char *end, TlsMpi *X);
-int ttls_asn1_get_bitstring(unsigned char **p, const unsigned char *end,
+int ttls_asn1_get_len(const unsigned char **p, const unsigned char *end,
+		      size_t *len);
+int ttls_asn1_get_tag(const unsigned char **p, const unsigned char *end,
+		      size_t *len, int tag);
+int ttls_asn1_get_bool(const unsigned char **p, const unsigned char *end,
+		       int *val);
+int ttls_asn1_get_int(const unsigned char **p, const unsigned char *end,
+		      int *val);
+int ttls_asn1_get_mpi(const unsigned char **p, const unsigned char *end,
+		      TlsMpi *X);
+int ttls_asn1_get_bitstring(const unsigned char **p, const unsigned char *end,
 			    ttls_asn1_bitstring *bs);
-int ttls_asn1_get_bitstring_null(unsigned char **p, const unsigned char *end,
-				 size_t *len);
-int ttls_asn1_get_sequence_of(unsigned char **p, const unsigned char *end,
+int ttls_asn1_get_bitstring_null(const unsigned char **p,
+				 const unsigned char *end, size_t *len);
+int ttls_asn1_get_sequence_of(const unsigned char **p, const unsigned char *end,
 			      ttls_asn1_sequence *cur, int tag);
-int ttls_asn1_get_alg(unsigned char **p, const unsigned char *end,
+int ttls_asn1_get_alg(const unsigned char **p, const unsigned char *end,
 		      ttls_asn1_buf *alg, ttls_asn1_buf *params);
-int ttls_asn1_get_alg_null(unsigned char **p, const unsigned char *end,
+int ttls_asn1_get_alg_null(const unsigned char **p, const unsigned char *end,
 			   ttls_asn1_buf *alg);
 int ecdsa_signature_to_asn1(const TlsMpi *r, const TlsMpi *s,
 			    unsigned char *sig, size_t *slen);