add test case and fixes from review

2025-07-31 19:24:42 +02:00 · 2020-06-18 10:57:25 -06:00
parent 82921f8650
commit 1e431e1ade
3 changed files with 53 additions and 17 deletions
--- a/src/crl.c
+++ b/src/crl.c
@@ -527,6 +527,16 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
            if (head == NULL)
                head = tmp;
        }
        else {
            WOLFSSL_MSG("Failed to allocate new RevokedCert structure");
            /* free up any existing list */
            while (head != NULL) {
                current = head;
                head = head->next;
                XFREE(current, heap, DYNAMIC_TYPE_REVOKED);
            }
            return NULL;
        }
        current = current->next;
    }
    return head;
@@ -534,7 +544,7 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
 /* returns a deep copy of ent on success and null on fail */
-static CRL_Entry* DupCRL_Entry(CRL_Entry* ent, void* heap)
+static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap)
 {
    CRL_Entry *dup;
@@ -543,6 +553,7 @@ static CRL_Entry* DupCRL_Entry(CRL_Entry* ent, void* heap)
        WOLFSSL_MSG("alloc CRL Entry failed");
        return NULL;
    }
    XMEMSET(dup, 0, sizeof(CRL_Entry));
    XMEMCPY(dup->issuerHash, ent->issuerHash, CRL_DIGEST_SIZE);
    XMEMCPY(dup->lastDate, ent->lastDate, MAX_DATE_SIZE);
@@ -561,6 +572,7 @@ static CRL_Entry* DupCRL_Entry(CRL_Entry* ent, void* heap)
        dup->toBeSigned = (byte*)XMALLOC(dup->tbsSz, heap,
                                          DYNAMIC_TYPE_CRL_ENTRY);
        if (dup->toBeSigned == NULL) {
            FreeCRL_Entry(dup, heap);
            XFREE(dup, heap, DYNAMIC_TYPE_CRL_ENTRY);
            return NULL;
        }
@@ -568,8 +580,8 @@ static CRL_Entry* DupCRL_Entry(CRL_Entry* ent, void* heap)
        dup->signature = (byte*)XMALLOC(dup->signatureSz, heap,
                                         DYNAMIC_TYPE_CRL_ENTRY);
        if (dup->signature == NULL) {
            FreeCRL_Entry(dup, heap);
            XFREE(dup, heap, DYNAMIC_TYPE_CRL_ENTRY);
            XFREE(dup->toBeSigned, heap, DYNAMIC_TYPE_CRL_ENTRY);
            return NULL;
        }
        XMEMCPY(dup->toBeSigned, ent->toBeSigned, dup->tbsSz);
@@ -617,7 +629,7 @@ static CRL_Entry* DupCRL_list(CRL_Entry* crl, void* heap)
 /* Duplicates everything except the parent cm pointed to.
 * Expects that Init has already been done to 'dup'
 * return 0 on success */
-static int DupX509_CRL(WOLFSSL_X509_CRL *dup, WOLFSSL_X509_CRL* crl)
+static int DupX509_CRL(WOLFSSL_X509_CRL *dup, const WOLFSSL_X509_CRL* crl)
 {
    if (dup == NULL || crl == NULL) {
        return BAD_FUNC_ARG;
@@ -660,7 +672,10 @@ int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newc
    if (store->cm->crl == NULL) {
        crl = wolfSSL_X509_crl_new(store->cm);
-        DupX509_CRL(crl, newcrl);
+        if (DupX509_CRL(crl, newcrl) != 0) {
            FreeCRL(crl, 1);
            return WOLFSSL_FAILURE;
        }
        store->crl = store->cm->crl = crl;
        return WOLFSSL_SUCCESS;
    }
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -22921,7 +22921,6 @@ void wolfSSL_X509_STORE_CTX_cleanup(WOLFSSL_X509_STORE_CTX* ctx)
    /* Do nothing */
 }
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
 /* Returns corresponding X509 error from internal ASN error <e> */
 static int GetX509Error(int e)
 {
@@ -22947,7 +22946,6 @@ static int GetX509Error(int e)
            return e;
    }
 }
 #endif /* OPENSSL_ALL || WOLFSSL_QT */
 /* Verifies certificate chain using WOLFSSL_X509_STORE_CTX
 * returns 0 on success or < 0 on failure.
@@ -22955,11 +22953,10 @@ static int GetX509Error(int e)
 int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
 {
    int ret = 0;
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
    int depth = 0;
    int error;
    byte *afterDate, *beforeDate;
-#endif
+
    WOLFSSL_ENTER("wolfSSL_X509_verify_cert");
    if (ctx != NULL && ctx->store != NULL && ctx->store->cm != NULL
@@ -22969,7 +22966,6 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
                    ctx->current_cert->derCert->length,
                    WOLFSSL_FILETYPE_ASN1);
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
        /* If there was an error, process it and add it to CTX */
        if (ret < 0) {
            /* Get corresponding X509 error */
@@ -22980,8 +22976,10 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
            wolfSSL_X509_STORE_CTX_set_error(ctx, error);
            wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth);
        #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
            if (ctx->store && ctx->store->verify_cb)
                ctx->store->verify_cb(0, ctx);
        #endif
        }
        error = 0;
@@ -23004,10 +23002,11 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
        if (error != 0 ) {
            wolfSSL_X509_STORE_CTX_set_error(ctx, error);
            wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth);
        #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
            if (ctx->store && ctx->store->verify_cb)
                ctx->store->verify_cb(0, ctx);
        #endif
        }
 #endif /* OPENSSL_ALL || WOLFSSL_QT */
        return ret;
    }
    return WOLFSSL_FATAL_ERROR;
--- a/tests/api.c
+++ b/tests/api.c
@@ -22561,26 +22561,48 @@ static void test_wolfSSL_X509_STORE(void)
    X509_STORE *store;
    #ifdef HAVE_CRL
    X509_STORE_CTX *storeCtx;
    X509_CRL *crl;
    X509 *x509;
-    const char crl_pem[] = "./certs/crl/crl.pem";
+    const char crlPem[] = "./certs/crl/crl.revoked";
-    const char svrCert[] = "./certs/server-cert.pem";
+    const char srvCert[] = "./certs/server-revoked-cert.pem";
    const char caCert[] = "./certs/ca-cert.pem";
    XFILE fp;
    printf(testingFmt, "test_wolfSSL_X509_STORE");
    AssertNotNull(store = (X509_STORE *)X509_STORE_new());
-    AssertNotNull((x509 =
+    AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(caCert,
-                       wolfSSL_X509_load_certificate_file(svrCert, SSL_FILETYPE_PEM)));
+                           SSL_FILETYPE_PEM)));
    AssertIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS);
    AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(srvCert,
                    SSL_FILETYPE_PEM)));
    AssertNotNull((storeCtx = X509_STORE_CTX_new()));
    AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, x509, NULL), SSL_SUCCESS);
    AssertIntEQ(X509_verify_cert(storeCtx), SSL_SUCCESS);
    X509_STORE_CTX_free(storeCtx);
    X509_free(x509);
-    fp = XFOPEN(crl_pem, "rb");
+    /* should fail to verify now after adding in CRL */
    AssertNotNull(store = (X509_STORE *)X509_STORE_new());
    AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(caCert,
                           SSL_FILETYPE_PEM)));
    AssertIntEQ(X509_STORE_add_cert(store, x509), SSL_SUCCESS);
    fp = XFOPEN(crlPem, "rb");
    AssertTrue((fp != XBADFILE));
-    AssertNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL, NULL, NULL));
+    AssertNotNull(crl = (X509_CRL *)PEM_read_X509_CRL(fp, (X509_CRL **)NULL,
                NULL, NULL));
    XFCLOSE(fp);
    AssertIntEQ(X509_STORE_add_crl(store, crl), SSL_SUCCESS);
    AssertIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK),SSL_SUCCESS);
    AssertNotNull((storeCtx = X509_STORE_CTX_new()));
    AssertNotNull((x509 = wolfSSL_X509_load_certificate_file(srvCert,
                    SSL_FILETYPE_PEM)));
    AssertIntEQ(X509_STORE_CTX_init(storeCtx, store, x509, NULL), SSL_SUCCESS);
    AssertIntNE(X509_verify_cert(storeCtx), SSL_SUCCESS);
    AssertIntEQ(X509_STORE_CTX_get_error(storeCtx), CRL_CERT_REVOKED);
    X509_free(x509);
    X509_STORE_CTX_free(storeCtx);
    X509_CRL_free(crl);
    X509_STORE_free(store);
    #endif /* HAVE_CRL */