diff --git a/src/crl.c b/src/crl.c index b9c44089a..1163a847b 100755 --- a/src/crl.c +++ b/src/crl.c @@ -212,6 +212,7 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr byte* sig = NULL; word32 sigSz = crle->signatureSz; word32 sigOID = crle->signatureOID; + SignatureCtx sigCtx; tbs = XMALLOC(tbsSz, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); if (tbs == NULL) @@ -245,7 +246,8 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr return ASN_CRL_NO_SIGNER_E; } - ret = VerifyCRL_Signature(tbs, tbsSz, sig, sigSz, sigOID, ca); + ret = VerifyCRL_Signature(&sigCtx, tbs, tbsSz, sig, sigSz, + sigOID, ca, crl->heap); XFREE(sig, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); XFREE(tbs, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 29e5981a0..bd478ffba 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -10704,9 +10704,9 @@ static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl, return 0; } -int VerifyCRL_Signature(const byte* toBeSigned, word32 tbsSz, - const byte* signature, word32 sigSz, - word32 signatureOID, Signer *ca) +int VerifyCRL_Signature(SignatureCtx* sigCtx, const byte* toBeSigned, + word32 tbsSz, const byte* signature, word32 sigSz, + word32 signatureOID, Signer *ca, void* heap) { /* try to confirm/verify signature */ #ifndef IGNORE_KEY_EXTENSIONS @@ -10716,9 +10716,10 @@ int VerifyCRL_Signature(const byte* toBeSigned, word32 tbsSz, } #endif /* IGNORE_KEY_EXTENSIONS */ - InitSignatureCtx(&sigCtx, dcrl->heap, INVALID_DEVID); - if (ConfirmSignature(toBeSigned, tbsSz, ca->publicKey, ca->pubKeySize, - ca->keyOID, signature, sigSz, signatureOID, NULL) != 0) { + InitSignatureCtx(sigCtx, heap, INVALID_DEVID); + if (ConfirmSignature(sigCtx, toBeSigned, tbsSz, ca->publicKey, + ca->pubKeySize, ca->keyOID, signature, sigSz, + signatureOID) != 0) { WOLFSSL_MSG("CRL Confirm signature failed"); return ASN_CRL_CONFIRM_E; } @@ -10729,9 +10730,10 @@ int VerifyCRL_Signature(const byte* toBeSigned, word32 tbsSz, /* prase crl buffer into decoded state, 0 on success */ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) { - int ret = 0, version, len, doNextDate = 1; - word32 oid, idx = 0, dateIdx; - Signer* ca = NULL; + int version, len, doNextDate = 1; + word32 oid, idx = 0, dateIdx; + Signer* ca = NULL; + SignatureCtx sigCtx; WOLFSSL_MSG("ParseCRL"); @@ -10828,9 +10830,9 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) } WOLFSSL_MSG("Found CRL issuer CA"); - return VerifyCRL_Signature(buff + dcrl->certBegin, + return VerifyCRL_Signature(&sigCtx, buff + dcrl->certBegin, dcrl->sigIndex - dcrl->certBegin, dcrl->signature, dcrl->sigLength, - dcrl->signatureOID, ca); + dcrl->signatureOID, ca, dcrl->heap); } #endif /* HAVE_CRL */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 34b7646bb..42750e788 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2354,7 +2354,7 @@ WOLFSSL_API void wolfSSL_get0_next_proto_negotiated(const WOLFSSL *s, const unsi unsigned *len); -#ifdef WOLFSSL_HAPROXY +#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) WOLFSSL_API const unsigned char *SSL_SESSION_get0_id_context( const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length); #endif diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 13e09ed7f..c0603f2a1 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -976,9 +976,11 @@ struct DecodedCRL { }; WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL*, void* heap); -WOLFSSL_LOCAL int VerifyCRL_Signature(const byte* toBeSigned, word32 tbsSz, +WOLFSSL_LOCAL int VerifyCRL_Signature(SignatureCtx* sigCtx, + const byte* toBeSigned, word32 tbsSz, const byte* signature, word32 sigSz, - word32 signatureOID, Signer *ca); + word32 signatureOID, Signer *ca, + void* heap); WOLFSSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, word32 sz, void* cm); WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*);