From 26eea36d7ff618c389d661825d27b7dd6cd00f5e Mon Sep 17 00:00:00 2001
From: Carie Pointer
Date: Fri, 3 Jan 2020 15:40:52 -0800
Subject: [PATCH 1/5] Fix X509_NAME issues for Apache
---
 src/ssl.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 8a2bf7391..d8e087991 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -34566,15 +34566,17 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 /* copy contents */
 XMEMCPY(dup, name, sizeof(WOLFSSL_X509_NAME));
+ InitX509Name(dup, 1);
+ /* Need to set dynamicName before copying */
+ dup->dynamicName = 1;
+ dup->sz = name->sz;
 /* handle dynamic portions */
- if (name->dynamicName) {
- if (!(dup->name = (char*)XMALLOC(name->sz, 0,
- DYNAMIC_TYPE_OPENSSL))) {
- goto err;
- }
- XMEMCPY(dup->name, name->name, name->sz);
+ if (!(dup->name = (char*)XMALLOC(name->sz, 0,
+ DYNAMIC_TYPE_OPENSSL))) {
+ goto err;
 }
+ XMEMCPY(dup->name, name->name, name->sz);
 #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
 !defined(NO_ASN)
 if (!(dup->fullName.fullName = (char*)XMALLOC(name->fullName.fullNameLen,
@@ -39699,10 +39701,24 @@ void wolfSSL_sk_X509_NAME_pop_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk,
 XFREE(sk, sk->heap, DYNAMIC_TYPE_OPENSSL);
 }
-/* Free only the sk structure */
+/* Free only the sk structure, NOT X509_NAME members */
 void wolfSSL_sk_X509_NAME_free(WOLF_STACK_OF(WOLFSSL_X509_NAME)* sk)
 {
- wolfSSL_sk_X509_NAME_pop_free(sk, NULL);
+ WOLFSSL_STACK* node;
+ WOLFSSL_ENTER("wolfSSL_sk_X509_NAME_free");
+
+ if (sk == NULL)
+ return;
+
+ node = sk->next;
+ while (sk->num > 1) {
+ WOLFSSL_STACK* tmp = node;
+ node = node->next;
+ XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL);
+ sk->num -= 1;
+ }
+
+ XFREE(sk, sk->heap, DYNAMIC_TYPE_OPENSSL);
 }
 #if defined(WOLFSSL_APACHE_HTTPD) || defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX)
From 991ee662c0dbebfb75a53d53eed12374b2ee760e Mon Sep 17 00:00:00 2001
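Review bot: The struct-wide `XMEMCPY(dup, name, sizeof(WOLFSSL_X509_NAME))` leaves `dup` holding copies of `name`'s pointer fields, and the new `InitX509Name(dup, 1)` call is then relied on to reset them before `dup->name` is allocated; nothing in the hunk shows which fields InitX509Name clears, so any pointer it leaves untouched is shared with `name` and would be freed twice, or freed out from under `name`, on the `goto err` path. That dependency deserves to be stated at the call, e.g. `/* InitX509Name must reset every pointer copied by the memcpy above; dup must not alias name's buffers when err runs */`, and checked against InitX509Name's body. Separately, `dup->dynamicName = 1` is set before the `XMALLOC` has succeeded, so the `err` cleanup presumably sees a dynamic name with a NULL `dup->name` on allocation failure; worth a short comment if that is intended. The enclosing function starts and ends outside the hunk.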
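Review bot: The loop in the new `wolfSSL_sk_X509_NAME_free` trusts `sk->num` to match the actual node count: `node = node->next` runs with no NULL check, so a stack whose `num` overstates its length dereferences NULL while unlinking. A cheap guard keeps the intent, `while (sk->num > 1 && node != NULL) {`. The inner nodes are released with `XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL)` while the head is released against `sk->heap`; if the nodes were allocated from `sk->heap` the hint should match the head's. The reworded comment also marks a behaviour change from the old `wolfSSL_sk_X509_NAME_pop_free(sk, NULL)` call, which presumably released the names too, so callers that relied on that now leak unless they switch to `pop_free`; a sentence in the comment pointing them there would help.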
From: Carie Pointer
Date: Mon, 6 Jan 2020 08:42:37 -0800
Subject: [PATCH 2/5] Return 0 in ParseCRL_Extensions if there are no CRL extensions to parse
---
 wolfcrypt/src/asn.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index e50527f87..0595482e6 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -16036,8 +16036,11 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 if (GetASNTag(buf, &idx, &tag, sz) < 0)
 return ASN_PARSE_E;
- if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
- return ASN_PARSE_E;
+ if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
+ /* Return without error if no extensions are found */
+ WOLFSSL_MSG("No CRL Extensions found");
+ return 0;
+ }
 if (GetLength(buf, &idx, &length, sz) < 0)
 return ASN_PARSE_E;
From 681ecf0e582c412f2401c5c8dfd23956bb8ec789 Mon Sep 17 00:00:00 2001
From: Carie Pointer
Date: Mon, 6 Jan 2020 14:32:32 -0800
Subject: [PATCH 3/5] Fixes for wolfSSL_CTX_load_verify_locations_ex
---
 src/ssl.c | 2 ++
 wolfssl/openssl/ssl.h | 6 ++++++
 2 files changed, 8 insertions(+)
diff --git a/src/ssl.c b/src/ssl.c
index d8e087991..1a6851c3f 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -6798,6 +6798,8 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
 if (file) {
 ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0,
 NULL, verify);
+ if (ret == WOLFSSL_SUCCESS)
+ successCount++;
 }
 if (ret == WOLFSSL_SUCCESS && path) {
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index d7dbfcf3c..b2aafb9ad 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
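Review bot: The new branch on `if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))` treats every tag other than the explicit [0] wrapper as "no extensions" and returns 0, so bytes at this offset that are neither the extensions wrapper nor whatever legitimately follows are no longer rejected here. What follows when extensions are absent is not visible in the hunk; if it is always the signatureAlgorithm SEQUENCE, a tighter form keeps the leniency without accepting arbitrary data: `if (tag == (ASN_CONSTRUCTED | ASN_SEQUENCE)) { WOLFSSL_MSG("No CRL Extensions found"); return 0; }` followed by the original `return ASN_PARSE_E;` for anything else. Note too that `GetASNTag` has already advanced `idx` past the tag when 0 is returned, so the caller must not continue from `idx` expecting to re-read that tag; a comment stating which index the caller resumes from would settle it. The function starts outside the hunk.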
@@ -210,7 +210,13 @@ typedef WOLFSSL_X509_VERIFY_PARAM X509_VERIFY_PARAM;
 #ifndef NO_FILESYSTEM
 #define SSL_CTX_use_certificate_file wolfSSL_CTX_use_certificate_file
 #define SSL_CTX_use_PrivateKey_file wolfSSL_CTX_use_PrivateKey_file
+#ifdef WOLFSSL_APACHE_HTTPD
+ #define SSL_CTX_load_verify_locations(ctx,file,path) \
+ wolfSSL_CTX_load_verify_locations_ex(ctx,file,path,\
+ WOLFSSL_LOAD_FLAG_IGNORE_ERR)
+#else
 #define SSL_CTX_load_verify_locations wolfSSL_CTX_load_verify_locations
+#endif
 #define SSL_CTX_use_certificate_chain_file wolfSSL_CTX_use_certificate_chain_file
 #define SSL_CTX_use_RSAPrivateKey_file wolfSSL_CTX_use_RSAPrivateKey_file
From 9e4836a86345ba3c934b55693ddcc242e26ffee5 Mon Sep 17 00:00:00 2001
From: Carie Pointer
Date: Tue, 7 Jan 2020 08:11:05 -0800
Subject: [PATCH 4/5] Fix for jenkins test failure
---
 src/ssl.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/ssl.c b/src/ssl.c
index 1a6851c3f..92d2495d8 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -6798,8 +6798,10 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
 if (file) {
 ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0,
 NULL, verify);
+#ifndef NO_WOLFSSL_DIR
 if (ret == WOLFSSL_SUCCESS)
 successCount++;
+#endif
 }
 if (ret == WOLFSSL_SUCCESS && path) {
From 0938cdde52e19c38e8284be6f3d134e016c3de89 Mon Sep 17 00:00:00 2001
From: Carie Pointer
Date: Thu, 9 Jan 2020 14:09:38 -0800
Subject: [PATCH 5/5] Remove dup->dynamicName = 1 call
---
 src/ssl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 92d2495d8..da74c59ad 100644
--- a/src/ssl.c
+++ b/src/ssl.c
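Review bot: Under `WOLFSSL_APACHE_HTTPD` the new mapping makes `SSL_CTX_load_verify_locations` a function-like macro while the `#else` branch keeps an object-like one, so Apache-build code that takes the function's address or passes it as a callback no longer compiles, and only the three-argument spelling is accepted. The more important point is semantic: that build silently gets `WOLFSSL_LOAD_FLAG_IGNORE_ERR`, which by its name lets a trust-store load with unreadable entries report success through the OpenSSL-compatible return value, so a misconfigured CA file or path is no longer surfaced to the caller. A comment on the `#ifdef` recording why httpd needs the ignore-errors variant and what its callers give up would make that a deliberate choice rather than a surprise, e.g. `/* Apache build: per-file CA load errors are ignored because <reason> */` with the real reason filled in.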
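Review bot: The new `#ifndef NO_WOLFSSL_DIR` guard around `successCount++` is unexplained in the code; the previous commit's increment presumably failed to build because `successCount` is only declared when directory loading is compiled in, and the guard encodes that without saying so. A one-line comment on the `#ifndef` saves the next reader the archaeology, e.g. `/* successCount only exists when directory loading is compiled in */`. If the declaration is in fact unconditional, the cleaner fix is to drop the guard and keep the increment unconditional. The enclosing function starts and ends outside the hunk.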
@@ -34571,14 +34571,14 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 /* copy contents */
 XMEMCPY(dup, name, sizeof(WOLFSSL_X509_NAME));
 InitX509Name(dup, 1);
- /* Need to set dynamicName before copying */
- dup->dynamicName = 1;
 dup->sz = name->sz;
 /* handle dynamic portions */
- if (!(dup->name = (char*)XMALLOC(name->sz, 0,
- DYNAMIC_TYPE_OPENSSL))) {
- goto err;
+ if (name->dynamicName) {
+ if (!(dup->name = (char*)XMALLOC(name->sz, 0,
+ DYNAMIC_TYPE_OPENSSL))) {
+ goto err;
+ }
 }
 XMEMCPY(dup->name, name->name, name->sz);
 #if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
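Review bot: With the allocation back under `if (name->dynamicName)`, the unchanged `XMEMCPY(dup->name, name->name, name->sz)` now runs for non-dynamic names with `dup->name` pointing wherever `InitX509Name(dup, 1)` left it, which the hunk does not show: if that is the struct's inline buffer, `name->sz` bytes are written into it with no check that they fit, and if InitX509Name leaves the field as copied by the struct-wide memcpy, `dup->name` aliases `name->name` and the copy overlaps itself. For the non-dynamic branch a bounds check before the copy, comparing `name->sz` against the inline buffer's size and taking `goto err` on overflow, closes the first case; confirming that InitX509Name re-points `dup->name` at `dup`'s own storage closes the second. Either way, a comment on the non-dynamic path stating where `dup->name` is expected to point would record the assumption this code now depends on. The enclosing function starts and ends outside the hunk.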