From 2dd8e713f2e7c2881c99e92abf3a49c9de5a2276 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 19 Oct 2023 16:58:28 +0200 Subject: [PATCH 1/5] Fix static analyzer possible leak crl would never be null there but clean up code to make sure newcrl->crlLock gets free'd --- src/crl.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/crl.c b/src/crl.c index 51aa49e02..96d1c1e56 100644 --- a/src/crl.c +++ b/src/crl.c @@ -829,6 +829,7 @@ static int DupX509_CRL(WOLFSSL_X509_CRL *dupl, const WOLFSSL_X509_CRL* crl) int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newcrl) { WOLFSSL_X509_CRL *crl; + int ret = 0; WOLFSSL_ENTER("wolfSSL_X509_STORE_add_crl"); if (store == NULL || newcrl == NULL || store->cm == NULL) @@ -843,11 +844,10 @@ int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newc WOLFSSL_MSG("wc_LockRwLock_Rd failed"); return BAD_MUTEX_E; } - if (DupX509_CRL(crl, newcrl) != 0) { - if (crl != NULL) { - wc_UnLockRwLock(&newcrl->crlLock); - FreeCRL(crl, 1); - } + ret = DupX509_CRL(crl, newcrl); + wc_UnLockRwLock(&newcrl->crlLock); + if (ret != 0) { + FreeCRL(crl, 1); return WOLFSSL_FAILURE; } wc_UnLockRwLock(&newcrl->crlLock); From 8a8acbd55f922fd0531e2bbada07bfac18ad7d89 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Thu, 19 Oct 2023 17:00:49 +0200 Subject: [PATCH 2/5] Add log about allocation failure --- src/crl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/crl.c b/src/crl.c index 96d1c1e56..951dd6cef 100644 --- a/src/crl.c +++ b/src/crl.c @@ -838,6 +838,7 @@ int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newc if (store->cm->crl == NULL) { crl = wolfSSL_X509_crl_new(store->cm); if (crl == NULL) { + WOLFSSL_MSG("wolfSSL_X509_crl_new failed"); return WOLFSSL_FAILURE; } if (wc_LockRwLock_Rd(&newcrl->crlLock) != 0) { From cecc5f6b1929b8ed9ba7b623919f7b1aa34982e3 Mon Sep 17 00:00:00 2001 
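Review bot: In PATCH 1/5, second hunk of src/crl.c (`@@ -843,11 +844,10 @@`), the success path now releases `newcrl->crlLock` twice: once through the added `wc_UnLockRwLock(&newcrl->crlLock);` right after `DupX509_CRL`, and again through the unchanged call after the `if (ret != 0)` block. PATCH 3/5 deletes the second call, so the tree is only correct once both commits are applied; folding that one-line deletion into this commit would keep it safe to bisect or backport on its own. The failure branch also returns without a message, unlike the lock failure just above it; a `WOLFSSL_MSG("DupX509_CRL failed");` before `FreeCRL(crl, 1);` would match. The body of wolfSSL_X509_STORE_add_crl starts and ends outside the hunk.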
From: Juliusz Sosinowicz Date: Thu, 19 Oct 2023 17:04:41 +0200 Subject: [PATCH 3/5] Call wc_UnLockRwLock only once --- src/crl.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/crl.c b/src/crl.c index 951dd6cef..d95c65d8f 100644 --- a/src/crl.c +++ b/src/crl.c @@ -851,7 +851,6 @@ int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newc FreeCRL(crl, 1); return WOLFSSL_FAILURE; } - wc_UnLockRwLock(&newcrl->crlLock); store->crl = store->cm->crl = crl; if (wolfSSL_CertManagerEnableCRL(store->cm, WOLFSSL_CRL_CHECKALL) != WOLFSSL_SUCCESS) { From 3c5d3c0fa9527daa160833c10fc54cf30d505937 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Mon, 23 Oct 2023 15:53:42 +0200 Subject: [PATCH 4/5] bwrap ocsp renew script --- certs/ocsp/renewcerts.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 2f3fb3318..f377a1fdd 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -1,5 +1,14 @@ #!/bin/sh +# bwrap execution environment to avoid port conflicts +if [ "${AM_BWRAPPED-}" != "yes" ]; then + bwrap_path="$(command -v bwrap)" + if [ -n "$bwrap_path" ]; then + export AM_BWRAPPED=yes + exec "$bwrap_path" --cap-add ALL --unshare-net --dev-bind / / "$0" "$@" + fi +fi + check_result(){ if [ $1 -ne 0 ]; then if [ -n "$2" ]; then From dc5a246fdd8fa26aa4d7130fc171155d120a1e03 Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Tue, 24 Oct 2023 10:31:17 +0200 Subject: [PATCH 5/5] Do NULL check in FreeCRL --- src/crl.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/crl.c b/src/crl.c index d95c65d8f..2fc5341fc 100644 --- a/src/crl.c +++ b/src/crl.c 
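Review bot: In PATCH 4/5 (certs/ocsp/renewcerts.sh), the `exec` leaves no fallback when bwrap is installed but cannot create a namespace, as can happen inside containers or on hosts with unprivileged user namespaces disabled; the script then ends with bwrap's error instead of running unwrapped as it does when bwrap is absent. Running the same options against `true` first keeps the old behaviour: `if [ -n "$bwrap_path" ] && "$bwrap_path" --cap-add ALL --unshare-net --dev-bind / / true 2>/dev/null; then`. Separately, `--cap-add ALL` together with `--dev-bind / /` grants far more than network isolation needs. If nothing later in the script depends on extra capabilities (not visible in this hunk), `--cap-add ALL` could be dropped. The comment could also state that the wrapper isolates ports only, not the filesystem, so it is not read as a sandbox.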
@@ -221,8 +221,12 @@ static void CRL_Entry_free(CRL_Entry* crle, void* heap) /* Free all CRL resources */ void FreeCRL(WOLFSSL_CRL* crl, int dynamic) { - CRL_Entry* tmp = crl->crlList; + CRL_Entry* tmp; + if (crl == NULL) + return; + + tmp = crl->crlList; WOLFSSL_ENTER("FreeCRL"); if (crl->monitors[0].path) XFREE(crl->monitors[0].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
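Review bot: The new `if (crl == NULL) return;` sits above `WOLFSSL_ENTER("FreeCRL");`, so a call with a NULL crl leaves no trace in debug logging, and the header comment still does not say that NULL is accepted. Moving `WOLFSSL_ENTER("FreeCRL");` directly after the `CRL_Entry* tmp;` declaration and before the check keeps the entry trace for every call, and the comment could read `/* Free all CRL resources. A NULL crl is a no-op. */`. FreeCRL's body continues past the end of the hunk.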