Merge pull request #8176 from SparkiDev/x509_coverage

X509: improve testing coverage
2025-08-03 12:44:45 +02:00 · 2024-11-14 17:49:33 -08:00
parent 8b1e9211b1 86ad96ca29
commit 54bdb39454
8 changed files with 3177 additions and 780 deletions
--- a/src/bio.c
+++ b/src/bio.c
@@ -2837,7 +2837,14 @@ int wolfSSL_BIO_flush(WOLFSSL_BIO* bio)
                (bio->type == WOLFSSL_BIO_DGRAM))
            {
                bio->num.fd = SOCKET_INVALID;
-            } else {
+            }
+            else if (bio->type == WOLFSSL_BIO_FILE) {
+#ifndef NO_FILESYSTEM
+                bio->ptr.fh = XBADFILE;
+#endif
+                bio->num.fd = SOCKET_INVALID;
+            }
+            else {
                bio->num.length = 0;
            }
            bio->init = 1;
--- a/src/ssl_asn1.c
+++ b/src/ssl_asn1.c
@@ -2912,7 +2912,7 @@ static WOLFSSL_ASN1_STRING* d2i_ASN1_STRING(WOLFSSL_ASN1_STRING** out,
    byte tag = 0;
    int length = 0;

-    WOLFSSL_ENTER("d2i_ASN1_GENERALSTRING");
+    WOLFSSL_ENTER("d2i_ASN1_STRING");

    if (src == NULL || *src == NULL || len == 0)
        return NULL;
--- a/src/x509.c
+++ b/src/x509.c
--- a/src/x509_str.c
+++ b/src/x509_str.c
@@ -114,6 +114,80 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx)

 #ifdef OPENSSL_EXTRA

+#if ((defined(SESSION_CERTS) && !defined(WOLFSSL_QT)) || \
+      defined(WOLFSSL_SIGNER_DER_CERT))
+
+/**
+ * Find the issuing cert of the input cert. On a self-signed cert this
+ * function will return an error.
+ * @param issuer The issuer x509 struct is returned here
+ * @param cm     The cert manager that is queried for the issuer
+ * @param x      This cert's issuer will be queried in cm
+ * @return       WOLFSSL_SUCCESS on success
+ *               WOLFSSL_FAILURE on error
+ */
+static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm,
+        WOLFSSL_X509 *x)
+{
+    Signer* ca = NULL;
+#ifdef WOLFSSL_SMALL_STACK
+    DecodedCert* cert = NULL;
+#else
+    DecodedCert  cert[1];
+#endif
+
+    if (cm == NULL || x == NULL || x->derCert == NULL) {
+        WOLFSSL_MSG("No cert DER buffer or NULL cm. Defining "
+                    "WOLFSSL_SIGNER_DER_CERT could solve the issue");
+        return WOLFSSL_FAILURE;
+    }
+
+#ifdef WOLFSSL_SMALL_STACK
+    cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT);
+    if (cert == NULL)
+        return WOLFSSL_FAILURE;
+#endif
+
+    /* Use existing CA retrieval APIs that use DecodedCert. */
+    InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, cm->heap);
+    if (ParseCertRelative(cert, CERT_TYPE, 0, NULL, NULL) == 0
+            && !cert->selfSigned) {
+    #ifndef NO_SKID
+        if (cert->extAuthKeyIdSet)
+            ca = GetCA(cm, cert->extAuthKeyId);
+        if (ca == NULL)
+            ca = GetCAByName(cm, cert->issuerHash);
+    #else /* NO_SKID */
+        ca = GetCA(cm, cert->issuerHash);
+    #endif /* NO SKID */
+    }
+    FreeDecodedCert(cert);
+#ifdef WOLFSSL_SMALL_STACK
+    XFREE(cert, NULL, DYNAMIC_TYPE_DCERT);
+#endif
+
+    if (ca == NULL)
+        return WOLFSSL_FAILURE;
+
+#ifdef WOLFSSL_SIGNER_DER_CERT
+    /* populate issuer with Signer DER */
+    if (wolfSSL_X509_d2i_ex(issuer, ca->derCert->buffer,
+            ca->derCert->length, cm->heap) == NULL)
+        return WOLFSSL_FAILURE;
+#else
+    /* Create an empty certificate as CA doesn't have a certificate. */
+    *issuer = (WOLFSSL_X509 *)XMALLOC(sizeof(WOLFSSL_X509), 0,
+        DYNAMIC_TYPE_OPENSSL);
+    if (*issuer == NULL)
+        return WOLFSSL_FAILURE;
+
+    InitX509((*issuer), 1, NULL);
+#endif
+
+    return WOLFSSL_SUCCESS;
+}
+#endif /* SESSION_CERTS || WOLFSSL_SIGNER_DER_CERT */
+
 WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new(void)
 {
    WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_new");
@@ -1379,7 +1453,7 @@ int wolfSSL_X509_STORE_set_default_paths(WOLFSSL_X509_STORE* store)
 int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE *str,
                                        byte *buf, word32 bufLen, int type)
 {
-    int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
+    int ret = WC_NO_ERR_TRACE(WOLFSSL_SUCCESS);
    WOLFSSL_X509 *x509 = NULL;

    if (str == NULL || buf == NULL) {
@@ -1389,14 +1463,18 @@ int X509StoreLoadCertBuffer(WOLFSSL_X509_STORE *str,
    /* OpenSSL X509_STORE_load_file fails on DER file, we will as well */
    x509 = wolfSSL_X509_load_certificate_buffer(buf, bufLen, type);
    if (str->owned != NULL) {
-        wolfSSL_sk_X509_push(str->owned, x509);
+        if (wolfSSL_sk_X509_push(str->owned, x509) <= 0) {
+            ret = WOLFSSL_FAILURE;
+        }
+    }
+    if (ret == WOLFSSL_SUCCESS) {
+        ret = wolfSSL_X509_STORE_add_cert(str, x509);
    }
-    ret = wolfSSL_X509_STORE_add_cert(str, x509);
    if (ret != WOLFSSL_SUCCESS) {
        WOLFSSL_MSG("Failed to load file");
        ret = WOLFSSL_FAILURE;
    }
-    if (str->owned == NULL) {
+    if (ret != WOLFSSL_SUCCESS || str->owned == NULL) {
        wolfSSL_X509_free(x509);
    }

@@ -1746,9 +1824,10 @@ WOLF_STACK_OF(WOLFSSL_X509_OBJECT)* wolfSSL_X509_STORE_get0_objects(
    cert_stack = wolfSSL_CertManagerGetCerts(store->cm);
    store->numAdded = 0;
    for (i = 0; i < wolfSSL_sk_X509_num(store->certs); i++) {
-        wolfSSL_sk_X509_push(cert_stack,
-                             wolfSSL_sk_X509_value(store->certs, i));
-        store->numAdded++;
+        if (wolfSSL_sk_X509_push(cert_stack,
+                             wolfSSL_sk_X509_value(store->certs, i)) > 0) {
+            store->numAdded++;
+        }
    }
    /* Do not modify stack until after we guarantee success to
     * simplify cleanup logic handling cert merging above */
--- a/tests/api.c
+++ b/tests/api.c
--- a/tests/quic.c
+++ b/tests/quic.c
@@ -21,11 +21,10 @@

 #ifdef HAVE_CONFIG_H
    #include <config.h>
-#else
+#endif
 #ifndef WOLFSSL_USER_SETTINGS
    #include <wolfssl/options.h>
 #endif
-#endif
 #include <wolfssl/wolfcrypt/settings.h>

 #include <tests/unit.h>
--- a/tests/unit.h
+++ b/tests/unit.h
@@ -158,6 +158,12 @@
 #define EXPECT_FAIL() \
    (! EXPECT_SUCCESS())

+#define EXPECT_TEST(ret) do {                                                  \
+    if (EXPECT_SUCCESS()) {                                                    \
+        _ret = (ret);                                                          \
+    }                                                                          \
+} while (0)
+
 #define ExpFail(description, result) do {                                    \
    if ((_ret == TEST_SUCCESS_NO_MSGS) || (_ret == TEST_SKIPPED_NO_MSGS))    \
        _ret = _fail_codepoint_id;                                           \
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -38857,7 +38857,34 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
                }
            #endif
            }
-            /* TODO: Parse CRL Number extension */
+            else if (oid == CRL_NUMBER_OID) {
+            #ifdef WOLFSSL_SMALL_STACK
+                mp_int* m = (mp_int*)XMALLOC(sizeof(*m), NULL,
+                        DYNAMIC_TYPE_BIGINT);
+                if (m == NULL) {
+                    ret = MEMORY_E;
+                }
+            #else
+                mp_int m[1];
+            #endif
+
+                if (ret == 0) {
+                    if (mp_init(m) != MP_OKAY) {
+                        ret = MP_INIT_E;
+                    }
+                }
+                if (ret == 0) {
+                    ret = GetInt(m, buf, &idx, maxIdx);
+                }
+                if (ret == 0) {
+                    dcrl->crlNumber = (int)m->dp[0];
+                }
+
+                mp_free(m);
+            #ifdef WOLFSSL_SMALL_STACK
+                XFREE(m, NULL, DYNAMIC_TYPE_BIGINT);
+            #endif
+            }
            /* TODO: check criticality */
            /* Move index on to next extension. */
            idx += (word32)length;