diff --git a/src/internal.c b/src/internal.c
index d8c45cbf7..feab76786 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -1981,7 +1981,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) if (ctx->x509_store.lookup.dirs) { #if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) - if (!ctx->x509_store.lookup.dirs->dir_entry) { + if (ctx->x509_store.lookup.dirs->dir_entry) { wolfSSL_sk_BY_DIR_entry_free(ctx->x509_store.lookup.dirs->dir_entry); } #endif
@@ -10619,6 +10619,7 @@ int LoadCrlCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type) WOLFSSL_MSG("failed hash operation"); return WOLFSSL_FAILURE; } + wolfSSL_OPENSSL_free(pbuf); } /* try to load each hashed name file in path */
@@ -10633,8 +10634,9 @@ int LoadCrlCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type) for (i=0; idirs->dir_entry, i); - - len = XSTRLEN(entry->dir_name) + 13; + /*/.(r)N\0 */ + /*112345678 1 1 1 1 => 13 */ + len = (int)XSTRLEN(entry->dir_name) + 13; if (filename != NULL) { XFREE(filename, NULL, DYNAMIC_TYPE_OPENSSL);
@@ -10678,6 +10680,7 @@ int LoadCrlCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type) WOLFSSL_FILETYPE_PEM); if (x509 != NULL) { ret = wolfSSL_X509_STORE_add_cert(store, x509); + wolfSSL_X509_free(x509); } else { WOLFSSL_MSG("failed to load certificate\n"); ret = WOLFSSL_FAILURE; 
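Review bot: The new `wolfSSL_OPENSSL_free(pbuf);` in the `@@ -10619` hunk of LoadCrlCertByIssuer is placed after the `return WOLFSSL_FAILURE;` taken on "failed hash operation", so that error path still exits without releasing pbuf. If pbuf is allocated before the hash call (the allocation is above the hunk and not visible here), the failure branch needs the same release before returning, `wolfSSL_OPENSSL_free(pbuf); return WOLFSSL_FAILURE;`. The rest of the function's early returns should be checked for the same pattern, since the function body starts outside this hunk.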
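Review bot: The `+ 13` in `len = (int)XSTRLEN(entry->dir_name) + 13;` (the `@@ -10633` hunk) is documented only by the cryptic `/*/.(r)N\0 */` and `/*112345678 1 1 1 1 => 13 */` comments, which a reader has to decode by hand. A named constant with a plain-language comment would carry the same information, e.g. `/* "/" + 8 hash digits + "." + "r" + 1-digit suffix + NUL = 13 */` over `enum { HASHED_NAME_EXTRA = 13 };` (constructed name), and the breakdown should be cross-checked against the format string used further down, which lies outside the hunk. The `(int)` cast on XSTRLEN only silences the conversion warning; because dir_name is supplied through the lookup API, a bound on its length before the cast is a cheap way to keep len meaningful. The enclosing loop header is a context line of this hunk but its condition appears mangled in this rendering, so it could not be reviewed here.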
@@ -10839,45 +10842,6 @@ static int ProcessPeerCertParse(WOLFSSL* ssl, ProcPeerCertArgs* args, /* Parse Certificate */ ret = ParseCertRelative(args->dCert, certType, verify, ssl->ctx->cm); -#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \ - (defined(WOLFSSL_CERT_REQ) || defined(OLFSSL_CERT_EXT)) && \ - !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) - if (ret == ASN_NO_SIGNER_E) { - WOLFSSL_MSG("try to load certificate if hash dir is set"); - if (ssl->ctx->x509_store_pt != NULL) { - ret = LoadCrlCertByIssuer(ssl->ctx->x509_store_pt, - (WOLFSSL_X509_NAME*)args->dCert->issuerName, - X509_LU_X509); - } else { - ret = LoadCrlCertByIssuer(&ssl->ctx->x509_store, - (WOLFSSL_X509_NAME*)args->dCert->issuerName, - X509_LU_X509); - } - - if (ret == WOLFSSL_SUCCESS) { - /* re try Parse Certificate */ - InitDecodedCert(args->dCert, cert->buffer, cert->length, ssl->heap); - args->dCertInit = 1; - args->dCert->sigCtx.devId = ssl->devId; - #ifdef WOLFSSL_ASYNC_CRYPT - args->dCert->sigCtx.asyncCtx = ssl; - #endif - #ifdef HAVE_PK_CALLBACKS - /* setup the PK callback context */ - ret = InitSigPkCb(ssl, &args->dCert->sigCtx); - if (ret != 0) - return ret; - #endif - ret = ParseCertRelative(args->dCert, certType, verify, - ssl->ctx->cm); - } else { - WOLFSSL_MSG("failed to load certificate from hash folder"); - /* restore return code */ - ret = ASN_NO_SIGNER_E; - } - } -#endif - /* perform below checks for date failure cases */ if (ret == 0 || ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E) { /* get subject and determine if already loaded */ 
@@ -11309,6 +11273,31 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, ret = ProcessPeerCertParse(ssl, args, CERT_TYPE, !ssl->options.verifyNone ? VERIFY : NO_VERIFY, &subjectHash, &alreadySigner); +#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \ + (defined(WOLFSSL_CERT_REQ) || defined(OLFSSL_CERT_EXT)) && \ + !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) + if (ret == ASN_NO_SIGNER_E) { + WOLFSSL_MSG("try to load certificate if hash dir is set"); + if (ssl->ctx->x509_store_pt != NULL) { + ret = LoadCrlCertByIssuer(ssl->ctx->x509_store_pt, + (WOLFSSL_X509_NAME*)args->dCert->issuerName, + X509_LU_X509); + } else { + ret = LoadCrlCertByIssuer(&ssl->ctx->x509_store, + (WOLFSSL_X509_NAME*)args->dCert->issuerName, + X509_LU_X509); + } + if (ret == WOLFSSL_SUCCESS) { + FreeDecodedCert(args->dCert); + args->dCertInit = 0; + /* once again */ + ret = ProcessPeerCertParse(ssl, args, CERT_TYPE, + !ssl->options.verifyNone ? VERIFY : NO_VERIFY, + &subjectHash, &alreadySigner); + } else + ret = ASN_NO_SIGNER_E; + } +#endif #ifdef WOLFSSL_ASYNC_CRYPT if (ret == WC_PENDING_E) goto exit_ppc; 
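Review bot: `defined(OLFSSL_CERT_EXT)` in the new `#if` at the top of the hunk looks like a typo for `WOLFSSL_CERT_EXT`; as written that macro is never defined, so the hash-dir retry is compiled only when `WOLFSSL_CERT_REQ` is set. The typo was carried over from the block removed from ProcessPeerCertParse and is repeated verbatim in the second `@@ -11502` hunk of this file, which adds the identical block a second time; a `static int` helper taking `ssl`, `args`, `&subjectHash` and `&alreadySigner` would keep the two call sites from drifting. Since `args->dCert->issuerName` comes from the certificate the peer just sent, a one-line comment at the LoadCrlCertByIssuer call noting that the lookup builds the file name from a hash of the issuer name (as the "failed hash operation" / "hashed name file" hunk in LoadCrlCertByIssuer indicates) rather than from its raw bytes would make the trust boundary explicit. The unbraced `} else ret = ASN_NO_SIGNER_E;` should get braces to match the surrounding style.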
@@ -11502,6 +11491,31 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, ret = ProcessPeerCertParse(ssl, args, CERT_TYPE, !ssl->options.verifyNone ? VERIFY : NO_VERIFY, &subjectHash, &alreadySigner); +#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \ + (defined(WOLFSSL_CERT_REQ) || defined(OLFSSL_CERT_EXT)) && \ + !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) + if (ret == ASN_NO_SIGNER_E) { + WOLFSSL_MSG("try to load certificate if hash dir is set"); + if (ssl->ctx->x509_store_pt != NULL) { + ret = LoadCrlCertByIssuer(ssl->ctx->x509_store_pt, + (WOLFSSL_X509_NAME*)args->dCert->issuerName, + X509_LU_X509); + } else { + ret = LoadCrlCertByIssuer(&ssl->ctx->x509_store, + (WOLFSSL_X509_NAME*)args->dCert->issuerName, + X509_LU_X509); + } + if (ret == WOLFSSL_SUCCESS) { + FreeDecodedCert(args->dCert); + args->dCertInit = 0; + /* once again */ + ret = ProcessPeerCertParse(ssl, args, CERT_TYPE, + !ssl->options.verifyNone ? VERIFY : NO_VERIFY, + &subjectHash, &alreadySigner); + } else + ret = ASN_NO_SIGNER_E; + } +#endif #ifdef WOLFSSL_ASYNC_CRYPT if (ret == WC_PENDING_E) goto exit_ppc;
diff --git a/src/ssl.c b/src/ssl.c
index 11f47938e..9d86f16ba 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -24894,7 +24894,7 @@ static int x509AddCertDir(void *p, const char *argc, long argl) WOLFSSL_MSG("failed to allocate dir entry"); return 0; } - entry->dir_type = argl; + entry->dir_type = (int)argl; entry->dir_name = (char*)XMALLOC(pathLen + 1/* \0 termination*/ , NULL, DYNAMIC_TYPE_OPENSSL); entry->hashes = wolfSSL_sk_BY_DIR_HASH_new_null();
@@ -24953,7 +24953,7 @@ int wolfSSL_X509_LOOKUP_ctrl(WOLFSSL_X509_LOOKUP *ctx, int cmd, switch (cmd) { case WOLFSSL_X509_L_FILE_LOAD: /* expects to return a number of processed cert or crl file */ - lret = wolfSSL_X509_load_cert_crl_file(ctx, argc, argl) > 0 ? + lret = wolfSSL_X509_load_cert_crl_file(ctx, argc, (int)argl) > 0 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; break; case WOLFSSL_X509_L_ADD_DIR: 
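Review bot: The `(int)argl` casts in both ssl.c hunks (`entry->dir_type = (int)argl;` in x509AddCertDir and the `wolfSSL_X509_load_cert_crl_file(ctx, argc, (int)argl)` call in wolfSSL_X509_LOOKUP_ctrl) quiet the narrowing warning without validating the value; argl is a caller-supplied `long`, so an out-of-range value is silently truncated into `dir_type` and into the file-type argument. If the consumers accept only the small set of file-type constants, a range check before the cast, or rejecting unknown values in the consumer, would be the safer fix; if they already reject unknown types, a short comment at the cast saying so is enough, e.g. `/* argl is a file-type constant; the callee rejects unknown values */`. Which of the two holds is not visible from these hunks.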
@@ -25885,7 +25885,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) if (store->lookup.dirs != NULL) { #if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR) - if (!store->lookup.dirs->dir_entry) { + if (store->lookup.dirs->dir_entry) { wolfSSL_sk_BY_DIR_entry_free(store->lookup.dirs->dir_entry); } #endif
@@ -26329,6 +26329,8 @@ WOLFSSL_API int wolfSSL_X509_load_cert_crl_file(WOLFSSL_X509_LOOKUP *ctx, } else { WOLFSSL_MSG("wolfSSL_X509_STORE_add_cert error"); } + wolfSSL_X509_free(x509); + x509 = NULL; } else { WOLFSSL_MSG("wolfSSL_X509_load_certificate_file error"); }
@@ -41609,7 +41611,7 @@ static int wolfSSL_ASN1_STRING_canon(WOLFSSL_ASN1_STRING* asn_out, } } /* put actual length */ - asn_out->length = dst - asn_out->data; + asn_out->length = (int)(dst - asn_out->data); return WOLFSSL_SUCCESS; } /* this is to converts the x509 name structure into canonical DER format
@@ -41680,6 +41682,8 @@ int wolfSSL_i2d_X509_NAME_canon(WOLFSSL_X509_NAME* name, unsigned char** out) return WOLFSSL_FATAL_ERROR; } totalBytes += ret; + wolfSSL_OPENSSL_free(cano_data->data); + wolfSSL_ASN1_STRING_free(cano_data); } }
@@ -42820,6 +42824,8 @@ err: } XFREE(pem, 0, DYNAMIC_TYPE_PEM); + if (der) + FreeDer(&der); return WOLFSSL_SUCCESS; err: if (pem)
diff --git a/tests/api.c b/tests/api.c
index c0ee92ddb..823c4033b 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -25855,6 +25855,7 @@ static void test_wolfSSL_sk_X509_BY_DIR(void) /* pop */ AssertNotNull(ent = wolfSSL_sk_BY_DIR_entry_pop(entry_stack)); AssertIntEQ((len = wolfSSL_sk_BY_DIR_entry_num(entry_stack)), 1); + wolfSSL_BY_DIR_entry_free(ent); /* free */ wolfSSL_sk_BY_DIR_entry_free(entry_stack); 
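Review bot: The two frees added in the `@@ -41680` hunk of wolfSSL_i2d_X509_NAME_canon run only on the success path; the `return WOLFSSL_FATAL_ERROR;` visible two lines above them still exits with `cano_data` (and its data buffer) allocated, so that error exit needs the same cleanup before returning. Please also confirm that `wolfSSL_ASN1_STRING_free(cano_data)` does not itself release `cano_data->data`; if it does, the preceding `wolfSSL_OPENSSL_free(cano_data->data);` becomes a double free, and the fix is either to drop that line or to set `cano_data->data = NULL;` right after freeing it. The loop this code sits in and the allocation of cano_data start outside the hunk and could not be checked here.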
@@ -28205,7 +28206,6 @@ static void test_wolfSSL_X509_LOOKUP_ctrl_hash_dir(void) AssertIntEQ((num = wolfSSL_sk_BY_DIR_entry_num(sk)), 1); dir = wolfSSL_sk_BY_DIR_entry_value(sk, 0); - printf("dir->dir_name %s\n", dir->dir_name); AssertIntEQ(XSTRLEN((const char*)dir->dir_name), XSTRLEN("./")); AssertIntEQ(XMEMCMP(dir->dir_name, "./", XSTRLEN((const char*)dir->dir_name)), 0);
@@ -28218,7 +28218,7 @@ static void test_wolfSSL_X509_LOOKUP_ctrl_hash_dir(void) total_len = 0; for(i = MAX_DIR - 1; i>=0 && total_len < MAX_FILENAME_SZ; i--) { - len = XSTRLEN((const char*)&paths[i]); + len = (int)XSTRLEN((const char*)&paths[i]); total_len += len; XSTRNCPY(p, paths[i], MAX_FILENAME_SZ - total_len); p += len;
@@ -28315,10 +28315,13 @@ static void test_wolfSSL_X509_LOOKUP_ctrl_file(void) AssertNotNull(issuerName); cmp = X509_NAME_cmp(caName, issuerName); AssertIntEQ(cmp, 0); - + /* load der format */ + X509_free(issuer); + X509_STORE_CTX_free(ctx); X509_STORE_free(str); sk_X509_free(sk); + X509_free(x509Svr); AssertNotNull((str = wolfSSL_X509_STORE_new())); AssertNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file()));
@@ -28326,18 +28329,17 @@ static void test_wolfSSL_X509_LOOKUP_ctrl_file(void) SSL_FILETYPE_ASN1,NULL), 1); AssertNotNull(sk = wolfSSL_CertManagerGetCerts(str->cm)); AssertIntEQ((cert_count = sk_X509_num(sk)), 1); - /* check if CA cert is loaded into the store */ for (i = 0; i < cert_count; i++) { x509Ca = sk_X509_value(sk, i); AssertIntEQ(0, wolfSSL_X509_cmp(x509Ca, cert1)); } + X509_STORE_free(str); + sk_X509_free(sk); + X509_free(cert1); + #ifdef HAVE_CRL - /* once feeing store */ - wolfSSL_X509_STORE_free(str); - str = NULL; - AssertNotNull(str = wolfSSL_X509_STORE_new()); AssertNotNull(lookup = X509_STORE_add_lookup(str, X509_LOOKUP_file())); AssertIntEQ(X509_LOOKUP_ctrl(lookup, X509_L_FILE_LOAD, caCertFile, 
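Review bot: In the `@@ -28218` hunk, `len = (int)XSTRLEN((const char*)&paths[i]);` is followed by `total_len += len;` before the copy, so `MAX_FILENAME_SZ - total_len` passed to XSTRNCPY can go negative within an iteration (the loop condition only checks total_len at the top), and a negative value converts to a very large size for the copy. Computing the remaining space first, e.g. `XSTRNCPY(p, paths[i], MAX_FILENAME_SZ - total_len); total_len += len;` with a check that len fits, or asserting `total_len + len < MAX_FILENAME_SZ` before the copy, keeps the bound honest. Whether this is reachable depends on the declared types of total_len and MAX_FILENAME_SZ and the contents of paths, all of which are outside the hunk. The `&paths[i]` on the new line and `paths[i]` on the copy line below refer to the same string in different forms; using one spelling would read better.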
@@ -28365,15 +28367,11 @@ static void test_wolfSSL_X509_LOOKUP_ctrl_file(void) "certs/server-revoked-cert.pem", WOLFSSL_FILETYPE_PEM ), CRL_CERT_REVOKED); } - -#endif - X509_free(issuer); - X509_STORE_CTX_free(ctx); - X509_free(x509Svr); + X509_STORE_free(str); - sk_X509_free(sk); - X509_free(x509Ca); - X509_free(cert1); + +#endif + printf(resultFmt, passed); #endif
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index dea8abaf8..dabc1e20a 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -9791,7 +9791,6 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) } } #endif - if (cert->srcIdx < cert->sigIndex) { #ifndef ALLOW_V1_EXTENSIONS if (cert->version < 2) {
@@ -9820,7 +9819,6 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) /* advance past extensions */ cert->srcIdx = cert->sigIndex; } - if ((ret = GetAlgoId(cert->source, &cert->srcIdx, #ifdef WOLFSSL_CERT_REQ !cert->isCSR ? &confirmOID : &cert->signatureOID,