Improvements to the CRL verify handling.

This commit is contained in:
David Garske
2019-08-23 15:29:39 -07:00
parent 586b74b05f
commit 99329b0fc4
2 changed files with 10 additions and 8 deletions


@@ -428,7 +428,7 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
/* Load CRL File of type, WOLFSSL_SUCCESS on ok */ /* Load CRL File of type, WOLFSSL_SUCCESS on ok */
int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type, int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
int noVerify) int verify)
{ {
int ret = WOLFSSL_SUCCESS; int ret = WOLFSSL_SUCCESS;
const byte* myBuffer = buff; /* if DER ok, otherwise switch */ const byte* myBuffer = buff; /* if DER ok, otherwise switch */
@@ -471,7 +471,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
InitDecodedCRL(dcrl, crl->heap); InitDecodedCRL(dcrl, crl->heap);
ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm); ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && noVerify)) { if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && verify == NO_VERIFY)) {
WOLFSSL_MSG("ParseCRL error"); WOLFSSL_MSG("ParseCRL error");
} }
else { else {
@@ -516,7 +516,7 @@ int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newc
wc_UnLockMutex(&crl->crlLock); wc_UnLockMutex(&crl->crlLock);
WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_crl", WOLFSSL_SUCCESS); WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_crl", WOLFSSL_SUCCESS);
return WOLFSSL_SUCCESS; return WOLFSSL_SUCCESS;
} }
#endif #endif
@@ -1023,7 +1023,7 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
} }
if (!skip && ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl, if (!skip && ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl,
NO_VERIFY) != WOLFSSL_SUCCESS) { VERIFY) != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("CRL file load failed, continuing"); WOLFSSL_MSG("CRL file load failed, continuing");
} }
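Review bot: The renamed `verify` parameter of BufferLoadCRL now decides whether a CRL with no known signer is admitted to the store, but the header comment above the signature still reads only `Load CRL File of type, WOLFSSL_SUCCESS on ok` and says nothing about it; suggest `/* Load CRL of type; verify == NO_VERIFY accepts a CRL whose signer cannot be found (ASN_CRL_NO_SIGNER_E is ignored), any other value rejects it. WOLFSSL_SUCCESS on ok */`. The comparison `verify == NO_VERIFY` fails closed for any other value forwarded from ProcessFile, which is the right default, and only the missing-signer result is suppressed — other ParseCRL failures still take the error branch. The body of BufferLoadCRL continues outside the hunk, so whether the else branch overwrites ret before the CRL is added is not visible here.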


@@ -5476,7 +5476,7 @@ int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm,
} }
} }
return BufferLoadCRL(cm->crl, buff, sz, type, 0); return BufferLoadCRL(cm->crl, buff, sz, type, VERIFY);
} }
int wolfSSL_CertManagerFreeCRL(WOLFSSL_CERT_MANAGER* cm) int wolfSSL_CertManagerFreeCRL(WOLFSSL_CERT_MANAGER* cm)
@@ -6039,7 +6039,7 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
verify); verify);
#ifdef HAVE_CRL #ifdef HAVE_CRL
else if (type == CRL_TYPE) else if (type == CRL_TYPE)
ret = BufferLoadCRL(crl, myBuffer, sz, format, 0); ret = BufferLoadCRL(crl, myBuffer, sz, format, verify);
#endif #endif
else else
ret = ProcessBuffer(ctx, myBuffer, sz, format, type, ssl, NULL, ret = ProcessBuffer(ctx, myBuffer, sz, format, type, ssl, NULL,
@@ -18556,7 +18556,8 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
} }
} }
ret = BufferLoadCRL(cm->crl, curr, sz, WOLFSSL_FILETYPE_PEM, 1); ret = BufferLoadCRL(cm->crl, curr, sz, WOLFSSL_FILETYPE_PEM,
NO_VERIFY);
if (ret != WOLFSSL_SUCCESS) if (ret != WOLFSSL_SUCCESS)
goto end; goto end;
#endif #endif
@@ -19690,7 +19691,8 @@ WOLFSSL_X509_CRL* wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL** crl,
if (ret < 0) { if (ret < 0) {
WOLFSSL_MSG("Init tmp CRL failed"); WOLFSSL_MSG("Init tmp CRL failed");
} else { } else {
ret = BufferLoadCRL(newcrl, in, len, WOLFSSL_FILETYPE_ASN1, 1); ret = BufferLoadCRL(newcrl, in, len, WOLFSSL_FILETYPE_ASN1,
NO_VERIFY);
if (ret != WOLFSSL_SUCCESS) { if (ret != WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Buffer Load CRL failed"); WOLFSSL_MSG("Buffer Load CRL failed");
} else { } else {
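Review bot: The ProcessFile hunk at line 6039 changes behaviour for every caller, not only LoadCRL: BufferLoadCRL previously received a hard-coded 0 (always verify) and now receives ProcessFile's `verify` argument, so any caller that reaches ProcessFile with CRL_TYPE and NO_VERIFY now stores a CRL with no known signer where it was previously rejected. LoadCRL is updated in the first file to pass VERIFY, but other ProcessFile call sites are outside this diff and should be checked for the same. A one-line comment at the call would help the next reader: `/* verify is forwarded: NO_VERIFY lets a CRL with an unknown signer be stored */`. The two OpenSSL-compat entry points at lines 18556 and 19690 deliberately pass NO_VERIFY, as they did before via the literal 1; a comment at each stating why (presumably the CRL's issuer may not be loaded yet and the signature is expected to be checked later) would make that intent explicit rather than implicit.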