diff --git a/src/crl.c b/src/crl.c
index b94d3aadc..803bd0243 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -82,7 +82,8 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
 WOLFSSL_ENTER("InitCRL_Entry");
 XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
- XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
+ /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
+ * copy the hash here if needed for optimized comparisons */
 XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
 XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
 crle->lastDateFormat = dcrl->lastDateFormat;
diff --git a/src/ssl.c b/src/ssl.c
index 01d8e654b..039aac212 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4583,10 +4583,6 @@ Signer* GetCAByName(void* vp, byte* hash)
 if (XMEMCMP(hash, signers->subjectNameHash,
 SIGNER_DIGEST_SIZE) == 0) {
 ret = signers;
- } else if (cm->crl != NULL && cm->crl->crlList != NULL &&
- XMEMCMP(hash, cm->crl->crlList->crlHash,
- SIGNER_DIGEST_SIZE) == 0) {
- ret = signers;
 }
 signers = signers->next;
 }
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 363e8dcf0..ed698f32d 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -15798,7 +15798,8 @@ void InitDecodedCRL(DecodedCRL* dcrl, void* heap)
 dcrl->signatureOID = 0;
 dcrl->signature = NULL;
 XMEMSET(dcrl->issuerHash, 0, SIGNER_DIGEST_SIZE);
- XMEMSET(dcrl->crlHash, 0, SIGNER_DIGEST_SIZE);
+ /* XMEMSET(dcrl->crlHash, 0, SIGNER_DIGEST_SIZE);
+ * initialize the hash here if needed for optimized comparisons */
 XMEMSET(dcrl->lastDate, 0, MAX_DATE_SIZE);
 XMEMSET(dcrl->nextDate, 0, MAX_DATE_SIZE);
 XMEMSET(dcrl->extAuthKeyId, 0, KEYID_SIZE);
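Review bot: The replacement lines in InitCRL_Entry keep the old XMEMCPY as commented-out code, and the member it names, `crle->crlHash`, is removed from `CRL_Entry` by this commit's internal.h hunk, so the comment points at a field that no longer exists; the same pattern recurs in InitDecodedCRL and ParseCRL (asn.c), the `CRL_Entry` struct (internal.h) and the `#undef NO_SKID` line (settings.h). Version control already preserves the removed code, so the commented-out lines should be deleted outright; if the rationale is worth keeping, a one-line note is enough: `/* raw CRL hash dropped; the CA is found by AKID or issuer hash in ParseCRL */`. Leaving literal source inside a comment invites someone to re-enable a field that is no longer declared. InitCRL_Entry's body continues outside the hunk.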
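Review bot: `hash` is only read in GetCAByName — its single use in this hunk is the XMEMCMP against `signers->subjectNameHash` — so the parameter could be `const byte* hash`, which documents that lookup keys are never modified; the prototype is presumably declared in a header outside this diff and would need the same change. With the removed branch gone the loop matches on the subject name hash alone, and a header comment such as `/* Return the Signer whose subjectNameHash equals hash, or NULL when no CA matches */` would make that contract explicit (the initial value of `ret` is outside the hunk, so confirm it is NULL). GetCAByName begins before and ends after this hunk.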
@@ -16006,10 +16007,11 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
 WOLFSSL_MSG("ParseCRL");
 /* raw crl hash */
- wc_Sha sha;
- wc_InitSha(&sha);
- wc_ShaUpdate(&sha, buff, sz);
- wc_ShaFinal(&sha, dcrl->crlHash);
+ /* hash here if needed for optimized comparisons
+ * wc_Sha sha;
+ * wc_InitSha(&sha);
+ * wc_ShaUpdate(&sha, buff, sz);
+ * wc_ShaFinal(&sha, dcrl->crlHash); */
 if (GetSequence(buff, &idx, &len, sz) < 0) return ASN_PARSE_E;
@@ -16037,8 +16039,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
 if experiencing issues uncomment NO_SKID define in CRL section of
 wolfssl/wolfcrypt/settings.h */
 #ifndef NO_SKID
- ca = GetCAByName(cm, dcrl->crlHash); /* most unique */
- if (ca == NULL && dcrl->extAuthKeyIdSet)
+ if (dcrl->extAuthKeyIdSet)
 ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */
 if (ca == NULL)
 ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 20b1386a6..694607d50 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1856,7 +1856,8 @@ typedef struct CRL_Entry CRL_Entry;
 struct CRL_Entry {
 CRL_Entry* next; /* next entry */
 byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */
- byte crlHash[CRL_DIGEST_SIZE]; /* raw crl data hash */
+ /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */
+ /* restore the hash here if needed for optimized comparisons */
 byte lastDate[MAX_DATE_SIZE]; /* last date updated */
 byte nextDate[MAX_DATE_SIZE]; /* next update date */
 byte lastDateFormat; /* last date format */
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index fb2cc2e60..df8ced810 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -1619,8 +1619,8 @@ extern void uITRON4_free(void *p) ;
 #endif
 #ifdef HAVE_CRL
- /* not widely supported yet */
- #undef NO_SKID
+ /* may not be widely supported */
+ /* #undef NO_SKID */
 /* #define NO_SKID */
 #endif
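Review bot: The context comment `/* raw crl hash */` on the line above the new comment block now labels nothing but more comment, so it should be removed together with the commented-out wc_Sha calls; keeping the digest code as dead text in the middle of ParseCRL is more confusing than a short note next to the CA lookup further down. If `DecodedCRL` still declares `crlHash` (its definition is not in this diff), that member is now neither zeroed in InitDecodedCRL nor written here, leaving an unused and uninitialized field — it should be removed in the same change, or the struct checked to confirm it is already gone. ParseCRL's body continues outside the hunk.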
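Review bot: The removed `ca = GetCAByName(cm, dcrl->crlHash);` was an unconditional assignment, so after this change `ca` is only assigned inside `#ifndef NO_SKID` when `dcrl->extAuthKeyIdSet` is true, and the following `if (ca == NULL)` reads whatever `ca` held before; unless its declaration (outside the hunk) initializes it to NULL, that is an uninitialized read and the issuer-hash fallback could be skipped on a stale non-NULL value. Adding `ca = NULL;` directly before `#ifndef NO_SKID`, or confirming `Signer* ca = NULL;` at the declaration, closes that. Any `#else` path for NO_SKID and the rest of ParseCRL are outside the hunk.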
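Review bot: `/* may not be widely supported */` does not say what is unsupported or what the option controls, and the line it annotates changes behavior: the old `#undef NO_SKID` force-enabled the authority-key-identifier path whenever HAVE_CRL was set, whereas now a user-defined NO_SKID is honored. The comment should state that, e.g. `/* NO_SKID disables the authority key identifier lookup of a CRL's issuing CA in ParseCRL (asn.c); define it only if that lookup causes problems */`. Whether any existing build already defines NO_SKID and so silently changes its CRL issuer lookup is not visible in this diff.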