diff --git a/src/crl.c b/src/crl.c index 628acda78..9053c79a0 100644 --- a/src/crl.c +++ b/src/crl.c @@ -526,6 +526,7 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap) prev->next = tmp; if (head == NULL) head = tmp; + prev = tmp; } else { WOLFSSL_MSG("Failed to allocate new RevokedCert structure"); @@ -619,6 +620,17 @@ static CRL_Entry* DupCRL_list(CRL_Entry* crl, void* heap) head = tmp; if (prev != NULL) prev->next = tmp; + prev = tmp; + } + else { + WOLFSSL_MSG("Failed to allocate new CRL_Entry structure"); + /* free up any existing list */ + while (head != NULL) { + current = head; + head = head->next; + FreeCRL_Entry(current, heap); + } + return NULL; } current = current->next; } @@ -635,10 +647,6 @@ static int DupX509_CRL(WOLFSSL_X509_CRL *dup, const WOLFSSL_X509_CRL* crl) return BAD_FUNC_ARG; } - dup->crlList = DupCRL_list(crl->crlList, dup->heap); -#ifdef HAVE_CRL_IO - dup->crlIOCb = crl->crlIOCb; -#endif if (crl->monitors[0].path) { int pathSz = (int)XSTRLEN(crl->monitors[0].path) + 1; dup->monitors[0].path = (char*)XMALLOC(pathSz, dup->heap, @@ -646,6 +654,9 @@ static int DupX509_CRL(WOLFSSL_X509_CRL *dup, const WOLFSSL_X509_CRL* crl) if (dup->monitors[0].path != NULL) { XSTRNCPY(dup->monitors[0].path, crl->monitors[0].path, pathSz); } + else { + return MEMORY_E; + } } if (crl->monitors[1].path) { @@ -655,8 +666,20 @@ static int DupX509_CRL(WOLFSSL_X509_CRL *dup, const WOLFSSL_X509_CRL* crl) if (dup->monitors[1].path != NULL) { XSTRNCPY(dup->monitors[1].path, crl->monitors[1].path, pathSz); } + else { + if (dup->monitors[0].path != NULL) { + XFREE(dup->monitors[0].path, dup->heap, + DYNAMIC_TYPE_CRL_MONITOR); + } + return MEMORY_E; + } } + dup->crlList = DupCRL_list(crl->crlList, dup->heap); +#ifdef HAVE_CRL_IO + dup->crlIOCb = crl->crlIOCb; +#endif + return 0; } diff --git a/src/ssl.c b/src/ssl.c index ae2da8636..d165a398c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -22764,11 +22764,15 @@ err_exit: void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) { if (store != NULL && store->isDynamic) { - if (store->cm != NULL) + if (store->cm != NULL) { wolfSSL_CertManagerFree(store->cm); + store->cm = NULL; + } #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) - if (store->param != NULL) + if (store->param != NULL) { XFREE(store->param, NULL, DYNAMIC_TYPE_OPENSSL); + store->param = NULL; + } #endif XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE); } @@ -22893,23 +22897,18 @@ int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, } +/* free's own cert chain holding and extra data */ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx) { WOLFSSL_ENTER("X509_STORE_CTX_free"); if (ctx != NULL) { - #if !defined(OPENSSL_ALL) && !defined(WOLFSSL_QT) - if (ctx->store != NULL) - wolfSSL_X509_STORE_free(ctx->store); - #ifndef WOLFSSL_KEEP_STORE_CERTS - if (ctx->current_cert != NULL) - wolfSSL_FreeX509(ctx->current_cert); - #endif - #endif /* !OPENSSL_ALL && !WOLFSSL_QT */ -#ifdef OPENSSL_EXTRA + #ifdef OPENSSL_EXTRA + wolfSSL_sk_free(ctx->chain); if (ctx->param != NULL){ XFREE(ctx->param,NULL,DYNAMIC_TYPE_OPENSSL); + ctx->param = NULL; } -#endif + #endif XFREE(ctx, NULL, DYNAMIC_TYPE_X509_CTX); } } diff --git a/tests/api.c b/tests/api.c index 7a24b1662..40850d289 100644 --- a/tests/api.c +++ b/tests/api.c @@ -22085,10 +22085,8 @@ static void test_wolfSSL_X509_STORE_CTX_get0_current_issuer(void) X509_free(issuer); X509_STORE_CTX_free(ctx); - #if defined(WOLFSSL_KEEP_STORE_CERTS) || defined(OPENSSL_ALL) || defined(WOLFSSL_QT) - X509_free(x509Svr); - X509_STORE_free(str); - #endif + X509_free(x509Svr); + X509_STORE_free(str); X509_free(x509Ca); printf(resultFmt, passed); @@ -22130,10 +22128,8 @@ static void test_wolfSSL_X509_STORE_CTX(void) #ifdef OPENSSL_ALL sk_X509_free(sk); #endif - #if defined(WOLFSSL_KEEP_STORE_CERTS) || defined(OPENSSL_ALL) || defined(WOLFSSL_QT) X509_STORE_free(str); X509_free(x509); - #endif AssertNotNull(ctx = X509_STORE_CTX_new()); X509_STORE_CTX_set_verify_cb(ctx, verify_cb); @@ -22158,11 +22154,9 @@ static void test_wolfSSL_X509_STORE_CTX(void) AssertIntEQ(sk_num(sk3), 1); /* sanity, make sure chain has 1 cert */ X509_STORE_CTX_free(ctx); sk_X509_free(sk); - #if defined(WOLFSSL_KEEP_STORE_CERTS) || defined(WOLFSSL_QT) X509_STORE_free(str); /* CTX certs not freed yet */ X509_free(x5092); - #endif /* sk2 freed as part of X509_STORE_CTX_free(), sk3 is dup so free here */ sk_X509_free(sk3); #endif @@ -22354,9 +22348,7 @@ static void test_wolfSSL_X509_STORE_CTX_get0_store(void) wolfSSL_X509_STORE_CTX_free(ctx); wolfSSL_X509_STORE_CTX_free(ctx_no_init); -#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) X509_STORE_free(store); -#endif printf(resultFmt, passed); #endif /* OPENSSL_EXTRA */ @@ -22563,7 +22555,7 @@ static void test_wolfSSL_X509_STORE(void) #ifdef HAVE_CRL X509_STORE_CTX *storeCtx; X509_CRL *crl; - X509 *x509; + X509 *ca, *cert; const char crlPem[] = "./certs/crl/crl.revoked"; const char srvCert[] = "./certs/server-revoked-cert.pem"; const char caCert[] = "./certs/ca-cert.pem"; @@ -22571,22 +22563,24 @@ static void test_wolfSSL_X509_STORE(void) printf(testingFmt, "test_wolfSSL_X509_STORE"); AssertNotNull(store = (X509_STORE *)X509_STORE_new()); - AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(caCert, + AssertNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, SSL_FILETYPE_PEM))); - AssertIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS); - AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(srvCert, + AssertIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS); + AssertNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert, SSL_FILETYPE_PEM))); AssertNotNull((storeCtx = X509_STORE_CTX_new())); - AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, x509, NULL), SSL_SUCCESS); + AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); AssertIntEQ(X509_verify_cert(storeCtx), SSL_SUCCESS); + X509_STORE_free(store); X509_STORE_CTX_free(storeCtx); - X509_free(x509); + X509_free(cert); + X509_free(ca); /* should fail to verify now after adding in CRL */ AssertNotNull(store = (X509_STORE *)X509_STORE_new()); - AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(caCert, + AssertNotNull((ca = wolfSSL_X509_load_certificate_file(caCert, SSL_FILETYPE_PEM))); - AssertIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS); + AssertIntEQ(X509_STORE_add_cert(store, ca), SSL_SUCCESS); fp = XFOPEN(crlPem, "rb"); AssertTrue((fp != XBADFILE)); AssertNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, @@ -22595,14 +22589,16 @@ static void test_wolfSSL_X509_STORE(void) AssertIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS); AssertIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK),SSL_SUCCESS); AssertNotNull((storeCtx = X509_STORE_CTX_new())); - AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(srvCert, + AssertNotNull((cert = wolfSSL_X509_load_certificate_file(srvCert, SSL_FILETYPE_PEM))); - AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, x509, NULL), SSL_SUCCESS); + AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); AssertIntNE(X509_verify_cert(storeCtx), SSL_SUCCESS); AssertIntEQ(X509_STORE_CTX_get_error(storeCtx), CRL_CERT_REVOKED); - X509_free(x509); - X509_STORE_CTX_free(storeCtx); X509_CRL_free(crl); + X509_STORE_free(store); + X509_STORE_CTX_free(storeCtx); + X509_free(cert); + X509_free(ca); #endif /* HAVE_CRL */ @@ -23797,10 +23793,8 @@ static void test_wolfSSL_X509(void) X509_STORE_CTX_free(ctx); - #if defined(WOLFSSL_KEEP_STORE_CERTS) || defined(WOLFSSL_QT) X509_STORE_free(store); X509_free(x509); - #endif BIO_free(bio); /** d2i_X509_fp test **/