forked from wolfSSL/wolfssl
fixed sanitize errors
This commit is contained in:
Hideki Miyazaki
@@ -1981,7 +1981,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
|
||||
|
||||
if (ctx->x509_store.lookup.dirs) {
|
||||
#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
|
||||
if (!ctx->x509_store.lookup.dirs->dir_entry) {
|
||||
if (ctx->x509_store.lookup.dirs->dir_entry) {
|
||||
wolfSSL_sk_BY_DIR_entry_free(ctx->x509_store.lookup.dirs->dir_entry);
|
||||
}
|
||||
#endif
|
||||
@@ -10619,6 +10619,7 @@ int LoadCrlCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type)
|
||||
WOLFSSL_MSG("failed hash operation");
|
||||
return WOLFSSL_FAILURE;
|
||||
}
|
||||
wolfSSL_OPENSSL_free(pbuf);
|
||||
}
|
||||
|
||||
/* try to load each hashed name file in path */
|
||||
@@ -10633,8 +10634,9 @@ int LoadCrlCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type)
|
||||
for (i=0; i<num; i++) {
|
||||
|
||||
entry = wolfSSL_sk_BY_DIR_entry_value(lookup->dirs->dir_entry, i);
|
||||
|
||||
len = XSTRLEN(entry->dir_name) + 13;
|
||||
/*/<hash value:8>.(r)N\0 */
|
||||
/*112345678 1 1 1 1 => 13 */
|
||||
len = (int)XSTRLEN(entry->dir_name) + 13;
|
||||
|
||||
if (filename != NULL) {
|
||||
XFREE(filename, NULL, DYNAMIC_TYPE_OPENSSL);
|
||||
@@ -10678,6 +10680,7 @@ int LoadCrlCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type)
|
||||
WOLFSSL_FILETYPE_PEM);
|
||||
if (x509 != NULL) {
|
||||
ret = wolfSSL_X509_STORE_add_cert(store, x509);
|
||||
wolfSSL_X509_free(x509);
|
||||
} else {
|
||||
WOLFSSL_MSG("failed to load certificate\n");
|
||||
ret = WOLFSSL_FAILURE;
|
||||
@@ -10839,45 +10842,6 @@ static int ProcessPeerCertParse(WOLFSSL* ssl, ProcPeerCertArgs* args,
|
||||
|
||||
/* Parse Certificate */
|
||||
ret = ParseCertRelative(args->dCert, certType, verify, ssl->ctx->cm);
|
||||
#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
|
||||
(defined(WOLFSSL_CERT_REQ) || defined(OLFSSL_CERT_EXT)) && \
|
||||
!defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
|
||||
if (ret == ASN_NO_SIGNER_E) {
|
||||
WOLFSSL_MSG("try to load certificate if hash dir is set");
|
||||
if (ssl->ctx->x509_store_pt != NULL) {
|
||||
ret = LoadCrlCertByIssuer(ssl->ctx->x509_store_pt,
|
||||
(WOLFSSL_X509_NAME*)args->dCert->issuerName,
|
||||
X509_LU_X509);
|
||||
} else {
|
||||
ret = LoadCrlCertByIssuer(&ssl->ctx->x509_store,
|
||||
(WOLFSSL_X509_NAME*)args->dCert->issuerName,
|
||||
X509_LU_X509);
|
||||
}
|
||||
|
||||
if (ret == WOLFSSL_SUCCESS) {
|
||||
/* re try Parse Certificate */
|
||||
InitDecodedCert(args->dCert, cert->buffer, cert->length, ssl->heap);
|
||||
args->dCertInit = 1;
|
||||
args->dCert->sigCtx.devId = ssl->devId;
|
||||
#ifdef WOLFSSL_ASYNC_CRYPT
|
||||
args->dCert->sigCtx.asyncCtx = ssl;
|
||||
#endif
|
||||
#ifdef HAVE_PK_CALLBACKS
|
||||
/* setup the PK callback context */
|
||||
ret = InitSigPkCb(ssl, &args->dCert->sigCtx);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
#endif
|
||||
ret = ParseCertRelative(args->dCert, certType, verify,
|
||||
ssl->ctx->cm);
|
||||
} else {
|
||||
WOLFSSL_MSG("failed to load certificate from hash folder");
|
||||
/* restore return code */
|
||||
ret = ASN_NO_SIGNER_E;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
/* perform below checks for date failure cases */
|
||||
if (ret == 0 || ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E) {
|
||||
/* get subject and determine if already loaded */
|
||||
@@ -11309,6 +11273,31 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
|
||||
!ssl->options.verifyNone ? VERIFY : NO_VERIFY,
|
||||
&subjectHash, &alreadySigner);
|
||||
#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
|
||||
(defined(WOLFSSL_CERT_REQ) || defined(OLFSSL_CERT_EXT)) && \
|
||||
!defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
|
||||
if (ret == ASN_NO_SIGNER_E) {
|
||||
WOLFSSL_MSG("try to load certificate if hash dir is set");
|
||||
if (ssl->ctx->x509_store_pt != NULL) {
|
||||
ret = LoadCrlCertByIssuer(ssl->ctx->x509_store_pt,
|
||||
(WOLFSSL_X509_NAME*)args->dCert->issuerName,
|
||||
X509_LU_X509);
|
||||
} else {
|
||||
ret = LoadCrlCertByIssuer(&ssl->ctx->x509_store,
|
||||
(WOLFSSL_X509_NAME*)args->dCert->issuerName,
|
||||
X509_LU_X509);
|
||||
}
|
||||
if (ret == WOLFSSL_SUCCESS) {
|
||||
FreeDecodedCert(args->dCert);
|
||||
args->dCertInit = 0;
|
||||
/* once again */
|
||||
ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
|
||||
!ssl->options.verifyNone ? VERIFY : NO_VERIFY,
|
||||
&subjectHash, &alreadySigner);
|
||||
} else
|
||||
ret = ASN_NO_SIGNER_E;
|
||||
}
|
||||
#endif
|
||||
#ifdef WOLFSSL_ASYNC_CRYPT
|
||||
if (ret == WC_PENDING_E)
|
||||
goto exit_ppc;
|
||||
@@ -11502,6 +11491,31 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||
ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
|
||||
!ssl->options.verifyNone ? VERIFY : NO_VERIFY,
|
||||
&subjectHash, &alreadySigner);
|
||||
#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
|
||||
(defined(WOLFSSL_CERT_REQ) || defined(OLFSSL_CERT_EXT)) && \
|
||||
!defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
|
||||
if (ret == ASN_NO_SIGNER_E) {
|
||||
WOLFSSL_MSG("try to load certificate if hash dir is set");
|
||||
if (ssl->ctx->x509_store_pt != NULL) {
|
||||
ret = LoadCrlCertByIssuer(ssl->ctx->x509_store_pt,
|
||||
(WOLFSSL_X509_NAME*)args->dCert->issuerName,
|
||||
X509_LU_X509);
|
||||
} else {
|
||||
ret = LoadCrlCertByIssuer(&ssl->ctx->x509_store,
|
||||
(WOLFSSL_X509_NAME*)args->dCert->issuerName,
|
||||
X509_LU_X509);
|
||||
}
|
||||
if (ret == WOLFSSL_SUCCESS) {
|
||||
FreeDecodedCert(args->dCert);
|
||||
args->dCertInit = 0;
|
||||
/* once again */
|
||||
ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
|
||||
!ssl->options.verifyNone ? VERIFY : NO_VERIFY,
|
||||
&subjectHash, &alreadySigner);
|
||||
} else
|
||||
ret = ASN_NO_SIGNER_E;
|
||||
}
|
||||
#endif
|
||||
#ifdef WOLFSSL_ASYNC_CRYPT
|
||||
if (ret == WC_PENDING_E)
|
||||
goto exit_ppc;
|
||||
|
||||
14
src/ssl.c
14
src/ssl.c
@@ -24894,7 +24894,7 @@ static int x509AddCertDir(void *p, const char *argc, long argl)
|
||||
WOLFSSL_MSG("failed to allocate dir entry");
|
||||
return 0;
|
||||
}
|
||||
entry->dir_type = argl;
|
||||
entry->dir_type = (int)argl;
|
||||
entry->dir_name = (char*)XMALLOC(pathLen + 1/* \0 termination*/
|
||||
, NULL, DYNAMIC_TYPE_OPENSSL);
|
||||
entry->hashes = wolfSSL_sk_BY_DIR_HASH_new_null();
|
||||
@@ -24953,7 +24953,7 @@ int wolfSSL_X509_LOOKUP_ctrl(WOLFSSL_X509_LOOKUP *ctx, int cmd,
|
||||
switch (cmd) {
|
||||
case WOLFSSL_X509_L_FILE_LOAD:
|
||||
/* expects to return a number of processed cert or crl file */
|
||||
lret = wolfSSL_X509_load_cert_crl_file(ctx, argc, argl) > 0 ?
|
||||
lret = wolfSSL_X509_load_cert_crl_file(ctx, argc, (int)argl) > 0 ?
|
||||
WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
|
||||
break;
|
||||
case WOLFSSL_X509_L_ADD_DIR:
|
||||
@@ -25885,7 +25885,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store)
|
||||
|
||||
if (store->lookup.dirs != NULL) {
|
||||
#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
|
||||
if (!store->lookup.dirs->dir_entry) {
|
||||
if (store->lookup.dirs->dir_entry) {
|
||||
wolfSSL_sk_BY_DIR_entry_free(store->lookup.dirs->dir_entry);
|
||||
}
|
||||
#endif
|
||||
@@ -26329,6 +26329,8 @@ WOLFSSL_API int wolfSSL_X509_load_cert_crl_file(WOLFSSL_X509_LOOKUP *ctx,
|
||||
} else {
|
||||
WOLFSSL_MSG("wolfSSL_X509_STORE_add_cert error");
|
||||
}
|
||||
wolfSSL_X509_free(x509);
|
||||
x509 = NULL;
|
||||
} else {
|
||||
WOLFSSL_MSG("wolfSSL_X509_load_certificate_file error");
|
||||
}
|
||||
@@ -41609,7 +41611,7 @@ static int wolfSSL_ASN1_STRING_canon(WOLFSSL_ASN1_STRING* asn_out,
|
||||
}
|
||||
}
|
||||
/* put actual length */
|
||||
asn_out->length = dst - asn_out->data;
|
||||
asn_out->length = (int)(dst - asn_out->data);
|
||||
return WOLFSSL_SUCCESS;
|
||||
}
|
||||
/* this is to converts the x509 name structure into canonical DER format
|
||||
@@ -41680,6 +41682,8 @@ int wolfSSL_i2d_X509_NAME_canon(WOLFSSL_X509_NAME* name, unsigned char** out)
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
totalBytes += ret;
|
||||
wolfSSL_OPENSSL_free(cano_data->data);
|
||||
wolfSSL_ASN1_STRING_free(cano_data);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -42820,6 +42824,8 @@ err:
|
||||
}
|
||||
|
||||
XFREE(pem, 0, DYNAMIC_TYPE_PEM);
|
||||
if (der)
|
||||
FreeDer(&der);
|
||||
return WOLFSSL_SUCCESS;
|
||||
err:
|
||||
if (pem)
|
||||
|
||||
30
tests/api.c
30
tests/api.c
@@ -25855,6 +25855,7 @@ static void test_wolfSSL_sk_X509_BY_DIR(void)
|
||||
/* pop */
|
||||
AssertNotNull(ent = wolfSSL_sk_BY_DIR_entry_pop(entry_stack));
|
||||
AssertIntEQ((len = wolfSSL_sk_BY_DIR_entry_num(entry_stack)), 1);
|
||||
wolfSSL_BY_DIR_entry_free(ent);
|
||||
|
||||
/* free */
|
||||
wolfSSL_sk_BY_DIR_entry_free(entry_stack);
|
||||
@@ -28205,7 +28206,6 @@ static void test_wolfSSL_X509_LOOKUP_ctrl_hash_dir(void)
|
||||
AssertIntEQ((num = wolfSSL_sk_BY_DIR_entry_num(sk)), 1);
|
||||
|
||||
dir = wolfSSL_sk_BY_DIR_entry_value(sk, 0);
|
||||
printf("dir->dir_name %s\n", dir->dir_name);
|
||||
AssertIntEQ(XSTRLEN((const char*)dir->dir_name), XSTRLEN("./"));
|
||||
AssertIntEQ(XMEMCMP(dir->dir_name, "./",
|
||||
XSTRLEN((const char*)dir->dir_name)), 0);
|
||||
@@ -28218,7 +28218,7 @@ static void test_wolfSSL_X509_LOOKUP_ctrl_hash_dir(void)
|
||||
total_len = 0;
|
||||
|
||||
for(i = MAX_DIR - 1; i>=0 && total_len < MAX_FILENAME_SZ; i--) {
|
||||
len = XSTRLEN((const char*)&paths[i]);
|
||||
len = (int)XSTRLEN((const char*)&paths[i]);
|
||||
total_len += len;
|
||||
XSTRNCPY(p, paths[i], MAX_FILENAME_SZ - total_len);
|
||||
p += len;
|
||||
@@ -28315,10 +28315,13 @@ static void test_wolfSSL_X509_LOOKUP_ctrl_file(void)
|
||||
AssertNotNull(issuerName);
|
||||
cmp = X509_NAME_cmp(caName, issuerName);
|
||||
AssertIntEQ(cmp, 0);
|
||||
|
||||
|
||||
/* load der format */
|
||||
X509_free(issuer);
|
||||
X509_STORE_CTX_free(ctx);
|
||||
X509_STORE_free(str);
|
||||
sk_X509_free(sk);
|
||||
X509_free(x509Svr);
|
||||
|
||||
AssertNotNull((str = wolfSSL_X509_STORE_new()));
|
||||
AssertNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file()));
|
||||
@@ -28326,18 +28329,17 @@ static void test_wolfSSL_X509_LOOKUP_ctrl_file(void)
|
||||
SSL_FILETYPE_ASN1,NULL), 1);
|
||||
AssertNotNull(sk = wolfSSL_CertManagerGetCerts(str->cm));
|
||||
AssertIntEQ((cert_count = sk_X509_num(sk)), 1);
|
||||
|
||||
/* check if CA cert is loaded into the store */
|
||||
for (i = 0; i < cert_count; i++) {
|
||||
x509Ca = sk_X509_value(sk, i);
|
||||
AssertIntEQ(0, wolfSSL_X509_cmp(x509Ca, cert1));
|
||||
}
|
||||
|
||||
X509_STORE_free(str);
|
||||
sk_X509_free(sk);
|
||||
X509_free(cert1);
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
/* once feeing store */
|
||||
wolfSSL_X509_STORE_free(str);
|
||||
str = NULL;
|
||||
|
||||
AssertNotNull(str = wolfSSL_X509_STORE_new());
|
||||
AssertNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file()));
|
||||
AssertIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, caCertFile,
|
||||
@@ -28365,15 +28367,11 @@ static void test_wolfSSL_X509_LOOKUP_ctrl_file(void)
|
||||
"certs/server-revoked-cert.pem",
|
||||
WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED);
|
||||
}
|
||||
|
||||
#endif
|
||||
X509_free(issuer);
|
||||
X509_STORE_CTX_free(ctx);
|
||||
X509_free(x509Svr);
|
||||
|
||||
X509_STORE_free(str);
|
||||
sk_X509_free(sk);
|
||||
X509_free(x509Ca);
|
||||
X509_free(cert1);
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
printf(resultFmt, passed);
|
||||
#endif
|
||||
|
||||
@@ -9791,7 +9791,6 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
if (cert->srcIdx < cert->sigIndex) {
|
||||
#ifndef ALLOW_V1_EXTENSIONS
|
||||
if (cert->version < 2) {
|
||||
@@ -9820,7 +9819,6 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
|
||||
/* advance past extensions */
|
||||
cert->srcIdx = cert->sigIndex;
|
||||
}
|
||||
|
||||
if ((ret = GetAlgoId(cert->source, &cert->srcIdx,
|
||||
#ifdef WOLFSSL_CERT_REQ
|
||||
!cert->isCSR ? &confirmOID : &cert->signatureOID,
|
||||
|
||||
Reference in New Issue
Block a user