diff --git a/src/crl.c b/src/crl.c
index 1376a72d8..803bd0243 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -83,7 +83,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
     XMEMCPY(crle->issuerHash, dcrl->issuerHash, CRL_DIGEST_SIZE);
     /* XMEMCPY(crle->crlHash, dcrl->crlHash, CRL_DIGEST_SIZE);
-     * copy the hash here if needed for optimized comparisons */
+     * copy the hash here if needed for optimized comparisons */
     XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
     XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
     crle->lastDateFormat = dcrl->lastDateFormat;
@@ -109,7 +109,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
     }
     XMEMCPY(crle->toBeSigned, buff + dcrl->certBegin, crle->tbsSz);
     XMEMCPY(crle->signature, dcrl->signature, crle->signatureSz);
-    #if !defined(NO_SKID) && defined(CRL_SKID_READY)
+    #ifndef NO_SKID
     crle->extAuthKeyIdSet = dcrl->extAuthKeyIdSet;
     if (crle->extAuthKeyIdSet)
         XMEMCPY(crle->extAuthKeyId, dcrl->extAuthKeyId, KEYID_SIZE);
@@ -206,9 +206,9 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr
         WOLFSSL_MSG("Found CRL Entry on list");
         if (crle->verified == 0) {
-            Signer* ca;
-        #if !defined(NO_SKID) && defined(CRL_SKID_READY)
-            byte extAuthKeyId[KEYID_SIZE]
+            Signer* ca = NULL;
+        #ifndef NO_SKID
+            byte extAuthKeyId[KEYID_SIZE];
         #endif
             byte issuerHash[CRL_DIGEST_SIZE];
             byte* tbs = NULL;
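Review bot: In the second hunk, when `dcrl->extAuthKeyIdSet` is 0 the new `#ifndef NO_SKID` block never writes `crle->extAuthKeyId`, yet CheckCertCRLList (next hunk) copies that array out of the entry unconditionally, so the bytes copied there are whatever the allocation held. Unless CRL_Entry is zeroed when it is allocated, which this hunk does not show, make the state explicit with an else branch: `else XMEMSET(crle->extAuthKeyId, 0, KEYID_SIZE);`. That also gives the AKID path a defined value to compare against if it is ever used without checking the flag first. InitCRL_Entry starts and ends outside this hunk.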
@@ -232,15 +232,15 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr
             XMEMCPY(tbs, crle->toBeSigned, tbsSz);
             XMEMCPY(sig, crle->signature, sigSz);
-        #if !defined(NO_SKID) && defined(CRL_SKID_READY)
-            XMEMCMPY(extAuthKeyId, crle->extAuthKeyId,
+        #ifndef NO_SKID
+            XMEMCPY(extAuthKeyId, crle->extAuthKeyId,
                 sizeof(extAuthKeyId));
         #endif
             XMEMCPY(issuerHash, crle->issuerHash, sizeof(issuerHash));
             wc_UnLockMutex(&crl->crlLock);
-        #if !defined(NO_SKID) && defined(CRL_SKID_READY)
+        #ifndef NO_SKID
             if (crle->extAuthKeyIdSet)
                 ca = GetCA(crl->cm, extAuthKeyId);
             if (ca == NULL)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index d9e5956d5..ed698f32d 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -15796,12 +15796,22 @@ void InitDecodedCRL(DecodedCRL* dcrl, void* heap)
     dcrl->sigIndex = 0;
     dcrl->sigLength = 0;
     dcrl->signatureOID = 0;
+    dcrl->signature = NULL;
+    XMEMSET(dcrl->issuerHash, 0, SIGNER_DIGEST_SIZE);
+    /* XMEMSET(dcrl->crlHash, 0, SIGNER_DIGEST_SIZE);
+     * initialize the hash here if needed for optimized comparisons */
+    XMEMSET(dcrl->lastDate, 0, MAX_DATE_SIZE);
+    XMEMSET(dcrl->nextDate, 0, MAX_DATE_SIZE);
+    XMEMSET(dcrl->extAuthKeyId, 0, KEYID_SIZE);
+    dcrl->lastDateFormat = 0;
+    dcrl->nextDateFormat = 0;
     dcrl->certs = NULL;
     dcrl->totalCerts = 0;
     dcrl->heap = heap;
 #ifdef WOLFSSL_HEAP_TEST
     dcrl->heap = (void*)WOLFSSL_HEAP_TEST;
 #endif
+    dcrl->extAuthKeyIdSet = 0;
 }
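Review bot: `crle->extAuthKeyIdSet` is read after `wc_UnLockMutex(&crl->crlLock)`, while `extAuthKeyId`, `issuerHash`, `tbs` and `sig` are all copied into locals before the unlock precisely so the entry is not touched once the lock is dropped; the new AKID code reaches back into the shared entry. Snapshot the flag the same way: inside the first `#ifndef NO_SKID` block add `extAuthKeyIdSet = crle->extAuthKeyIdSet;` next to the XMEMCPY, and change the post-unlock test to `if (extAuthKeyIdSet)`, with a `byte extAuthKeyIdSet = 0;` declared beside `extAuthKeyId` in the locals (which sit above this hunk). CheckCertCRLList starts and ends outside this hunk.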
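Review bot: The new XMEMSET calls in InitDecodedCRL size each array with the macro it happens to be declared with (`SIGNER_DIGEST_SIZE`, `MAX_DATE_SIZE`, `KEYID_SIZE`), while InitCRL_Entry in crl.c copies the same `issuerHash` with `CRL_DIGEST_SIZE`; two names for one field's length is how a later size change becomes an overrun or a short zeroing. Prefer `XMEMSET(dcrl->issuerHash, 0, sizeof(dcrl->issuerHash));` and the same form for the other three arrays. Given that every member initialised here is zero or NULL, a single `XMEMSET(dcrl, 0, sizeof(*dcrl));` ahead of the `heap` assignment would be simpler still, provided the lines above the hunk set nothing non-zero. InitDecodedCRL starts outside this hunk.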
@@ -16026,15 +16036,16 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
         return ASN_PARSE_E;
 
     /* openssl doesn't add skid by default for CRLs cause firefox chokes
-       we're not assuming it's available yet */
-#if !defined(NO_SKID) && defined(CRL_SKID_READY)
+       if experiencing issues uncomment NO_SKID define in CRL section of
+       wolfssl/wolfcrypt/settings.h */
+#ifndef NO_SKID
     if (dcrl->extAuthKeyIdSet)
-        ca = GetCA(cm, dcrl->extAuthKeyId);
+        ca = GetCA(cm, dcrl->extAuthKeyId); /* more unique than issuerHash */
     if (ca == NULL)
-        ca = GetCAByName(cm, dcrl->issuerHash);
+        ca = GetCAByName(cm, dcrl->issuerHash); /* last resort */
 #else
     ca = GetCA(cm, dcrl->issuerHash);
-#endif /* !NO_SKID && CRL_SKID_READY */
+#endif /* !NO_SKID */
 
     WOLFSSL_MSG("About to verify CRL signature");
     if (ca == NULL) {
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index ba1c7a00c..694607d50 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1870,7 +1870,7 @@ struct CRL_Entry {
     byte* signature;
     word32 signatureSz;
     word32 signatureOID;
-#if !defined(NO_SKID) && defined(CRL_SKID_READY)
+#if !defined(NO_SKID) && !defined(NO_ASN)
     byte extAuthKeyIdSet;
     byte extAuthKeyId[KEYID_SIZE];
 #endif
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index 860a7a1d3..99222638d 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -1345,11 +1345,13 @@ struct DecodedCRL {
     byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */
     byte lastDate[MAX_DATE_SIZE]; /* last date updated */
     byte nextDate[MAX_DATE_SIZE]; /* next update date */
+    byte extAuthKeyId[KEYID_SIZE]; /* Authority Key ID */
     byte lastDateFormat; /* format of last date */
     byte nextDateFormat; /* format of next date */
     RevokedCert* certs; /* revoked cert list */
     int totalCerts; /* number on list */
     void* heap;
+    byte extAuthKeyIdSet; /* Set when the AKID was read from CRL */
 };
 
 WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*, void* heap);
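Review bot: The AKID lookup `ca = GetCA(cm, dcrl->extAuthKeyId)` picks the verifying key from a field of the not-yet-verified CRL and never checks that the chosen signer is actually the CRL's issuer, whereas the by-name lookup it now precedes binds the key to `dcrl->issuerHash`. If the Signer record carries a subject-name hash, compare it with `dcrl->issuerHash` after the AKID hit and fall through to `GetCAByName` on mismatch; without that, a CRL signed by one trusted CA but naming a different issuer verifies here and, presumably, is later matched to that other issuer's certificates by `issuerHash`. Exploiting it requires a trusted signing key, so this is an issuer-binding gap rather than a bypass, but it is cheap to close at this point. ParseCRL starts and ends outside this hunk.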
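Review bot: The CRL_Entry field guard `#if !defined(NO_SKID) && !defined(NO_ASN)` does not match the three `#ifndef NO_SKID` guards crl.c now uses around `crle->extAuthKeyIdSet` and `crle->extAuthKeyId`, so a build with NO_ASN defined and NO_SKID undefined references members that are not declared, assuming crl.c is compiled at all in that configuration. Use one condition in both places, either `#if !defined(NO_SKID) && !defined(NO_ASN)` in crl.c as well, or drop the NO_ASN term here, which is what DecodedCRL in asn.h does by declaring its copies unconditionally. The struct continues outside this hunk.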
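Review bot: `extAuthKeyIdSet` is appended after `heap` at the end of DecodedCRL while the `extAuthKeyId` it qualifies is inserted among the date fields, which splits one logical pair across the struct. Place the flag directly after the array, `byte extAuthKeyIdSet; /* set when an AKID extension was parsed; extAuthKeyId is all zero otherwise */`, which also records the value InitDecodedCRL establishes for the array when no AKID is present. The struct starts outside this hunk.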
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 1f1a672aa..df8ced810 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -1619,9 +1619,9 @@ extern void uITRON4_free(void *p) ;
     #endif
 
     #ifdef HAVE_CRL
-        /* not widely supported yet */
-        #undef NO_SKID
-        #define NO_SKID
+        /* may not be widely supported */
+        /* #undef NO_SKID */
+        /* #define NO_SKID */
     #endif
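Review bot: The replacement lines leave commented-out code (`/* #undef NO_SKID */`, `/* #define NO_SKID */`) as the opt-out mechanism, and the ParseCRL comment in asn.c now directs users to edit this header to re-enable it. A plain explanatory comment is cleaner than dead code and keeps the toggle where build options normally go (user_settings.h or CFLAGS), e.g. `/* define NO_SKID to look up CRL issuers by name only; needed for CRLs that carry no AKID extension */`. The `#ifdef HAVE_CRL` block is shown in full.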