Merge pull request #2655 from kaleb-himes/ZD-9592

Remove forcing NO_SKID on unsuspecting CRL users

src/crl.c

@@ -83,7 +83,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
 
     XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
     /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
-     *   copy the hash here if needed for optimized comparisons */
+     * copy the hash here if needed for optimized comparisons */
     XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
     XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
     crle->lastDateFormat = dcrl->lastDateFormat;
@@ -109,7 +109,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
         }
         XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz);
         XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz);
-    #if !defined(NO_SKID) && defined(CRL_SKID_READY)
+    #ifndef NO_SKID
         crle->extAuthKeyIdSet = dcrl->extAuthKeyIdSet;
         if (crle->extAuthKeyIdSet)
             XMEMCPY(crle->extAuthKeyId, dcrl->extAuthKeyId, KEYID_SIZE);
@@ -206,9 +206,9 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr
             WOLFSSL_MSG("Found CRL Entry on list");
 
             if (crle->verified == 0) {
-                Signer* ca;
+                Signer* ca = NULL;
-            #if !defined(NO_SKID) && defined(CRL_SKID_READY)
+            #ifndef NO_SKID
-                byte extAuthKeyId[KEYID_SIZE]
+                byte extAuthKeyId[KEYID_SIZE];
             #endif
                 byte issuerHash[CRL_DIGEST_SIZE];
                 byte* tbs = NULL;
@@ -232,15 +232,15 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr
 
                 XMEMCPY(tbs, crle->toBeSigned, tbsSz);
                 XMEMCPY(sig, crle->signature, sigSz);
-            #if !defined(NO_SKID) && defined(CRL_SKID_READY)
+            #ifndef NO_SKID
-                XMEMCMPY(extAuthKeyId, crle->extAuthKeyId,
+                XMEMCPY(extAuthKeyId, crle->extAuthKeyId,
                                                           sizeof(extAuthKeyId));
             #endif
                 XMEMCPY(issuerHash, crle->issuerHash, sizeof(issuerHash));
 
                 wc_UnLockMutex(&crl->crlLock);
 
-            #if !defined(NO_SKID) && defined(CRL_SKID_READY)
+            #ifndef NO_SKID
                 if (crle->extAuthKeyIdSet)
                     ca = GetCA(crl->cm, extAuthKeyId);
                 if (ca == NULL)

wolfcrypt/src/asn.c

@@ -15796,12 +15796,22 @@ void InitDecodedCRL(DecodedCRL* dcrl, void* heap)
     dcrl->sigIndex     = 0;
     dcrl->sigLength    = 0;
     dcrl->signatureOID = 0;
+    dcrl->signature    = NULL;
+    XMEMSET(dcrl->issuerHash, 0, SIGNER_DIGEST_SIZE);
+    /* XMEMSET(dcrl->crlHash, 0, SIGNER_DIGEST_SIZE);
+     * initialize the hash here if needed for optimized comparisons */
+    XMEMSET(dcrl->lastDate, 0, MAX_DATE_SIZE);
+    XMEMSET(dcrl->nextDate, 0, MAX_DATE_SIZE);
+    XMEMSET(dcrl->extAuthKeyId, 0, KEYID_SIZE);
+    dcrl->lastDateFormat = 0;
+    dcrl->nextDateFormat = 0;
     dcrl->certs        = NULL;
     dcrl->totalCerts   = 0;
     dcrl->heap         = heap;
     #ifdef WOLFSSL_HEAP_TEST
         dcrl->heap = (void*)WOLFSSL_HEAP_TEST;
     #endif
+    dcrl->extAuthKeyIdSet = 0;
 }
 
 
@@ -16026,15 +16036,16 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
         return ASN_PARSE_E;
 
     /* openssl doesn't add skid by default for CRLs cause firefox chokes
-       we're not assuming it's available yet */
+       if experiencing issues uncomment NO_SKID define in CRL section of
-#if !defined(NO_SKID) && defined(CRL_SKID_READY)
+       wolfssl/wolfcrypt/settings.h */
+#ifndef NO_SKID
     if (dcrl->extAuthKeyIdSet)
-        ca = GetCA(cm, dcrl->extAuthKeyId);
+        ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */
     if (ca == NULL)
-        ca = GetCAByName(cm, dcrl->issuerHash);
+        ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */
 #else
     ca = GetCA(cm, dcrl->issuerHash);
-#endif /* !NO_SKID && CRL_SKID_READY */
+#endif /* !NO_SKID */
     WOLFSSL_MSG("About to verify CRL signature");
 
     if (ca == NULL) {

wolfssl/internal.h

@@ -1870,7 +1870,7 @@ struct CRL_Entry {
     byte*   signature;
     word32  signatureSz;
     word32  signatureOID;
-#if !defined(NO_SKID) && defined(CRL_SKID_READY)
+#if !defined(NO_SKID) && !defined(NO_ASN)
     byte    extAuthKeyIdSet;
     byte    extAuthKeyId[KEYID_SIZE];
 #endif

wolfssl/wolfcrypt/asn.h

@@ -1345,11 +1345,13 @@ struct DecodedCRL {
     byte    crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash            */
     byte    lastDate[MAX_DATE_SIZE]; /* last date updated  */
     byte    nextDate[MAX_DATE_SIZE]; /* next update date   */
+    byte    extAuthKeyId[KEYID_SIZE]; /* Authority Key ID                */
     byte    lastDateFormat;          /* format of last date */
     byte    nextDateFormat;          /* format of next date */
     RevokedCert* certs;              /* revoked cert list  */
     int          totalCerts;         /* number on list     */
     void*   heap;
+    byte    extAuthKeyIdSet;         /* Set when the AKID was read from CRL */
 };
 
 WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*, void* heap);

wolfssl/wolfcrypt/settings.h

@@ -1619,9 +1619,9 @@ extern void uITRON4_free(void *p) ;
 #endif
 
 #ifdef HAVE_CRL
-    /* not widely supported yet */
+    /* may not be widely supported */
-    #undef NO_SKID
+    /* #undef NO_SKID */
-    #define NO_SKID
+    /* #define NO_SKID */
 #endif