Merge pull request #989 from dgarske/testing

Fixes for CRL handling and possible false failure in `wolfSSL_CTX_load_verify_locations`
2025-08-03 20:54:41 +02:00 · 2017-06-21 14:10:49 -07:00
parent cd570a01f2 fec75e445e
commit 9ead657723
6 changed files with 18 additions and 9 deletions
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -1729,7 +1729,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
    }

 #ifdef HAVE_CRL
-    if (disableCRL == 0) {
+    if (disableCRL == 0 && !useVerifyCb) {
    #ifdef HAVE_IO_TIMEOUT
        wolfIO_SetTimeout(DEFAULT_TIMEOUT_SEC);
    #endif
--- a/scripts/openssl.test
+++ b/scripts/openssl.test
@@ -216,7 +216,7 @@ do
        fi

        # check for psk suite and turn on client psk if so
-        psk = ""
+        psk=""
        case $wolfSuite in
        *PSK*)
            psk="-s " ;;
--- a/src/crl.c
+++ b/src/crl.c
@@ -318,7 +318,8 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr
        RevokedCert* rc = crle->certs;

        while (rc) {
-            if (XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
+            if (rc->serialSz == cert->serialSz &&
+                   XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
                WOLFSSL_MSG("Cert revoked");
                ret = CRL_CERT_REVOKED;
                break;
--- a/src/internal.c
+++ b/src/internal.c
@@ -13022,7 +13022,7 @@ int SendCertificateStatus(WOLFSSL* ssl)

            #ifdef WOLFSSL_SMALL_STACK
                cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
-                                             DYNAMIC_TYPE_TMP_DCERT);
+                                             DYNAMIC_TYPE_DCERT);
                if (cert == NULL)
                    return MEMORY_E;
            #endif
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -5621,6 +5621,7 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
                                     const char* path)
 {
    int ret = SSL_SUCCESS;
+    int fileRet;

    WOLFSSL_ENTER("wolfSSL_CTX_load_verify_locations");

@@ -5644,16 +5645,21 @@ int wolfSSL_CTX_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
    #endif

        /* try to load each regular file in path */
-        ret = wc_ReadDirFirst(readCtx, path, &name);
-        while (ret == 0 && name) {
+        fileRet = wc_ReadDirFirst(readCtx, path, &name);
+        while (fileRet == 0 && name) {
            ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE,
                                                          NULL, 0, NULL);
            if (ret != SSL_SUCCESS)
                break;
-            ret = wc_ReadDirNext(readCtx, path, &name);
+            fileRet = wc_ReadDirNext(readCtx, path, &name);
        }
        wc_ReadDirClose(readCtx);

+        /* pass directory read failure to response code */
+        if (ret == SSL_SUCCESS && fileRet != -1) {
+            ret = fileRet;
+        }
+
    #ifdef WOLFSSL_SMALL_STACK
        XFREE(readCtx, ctx->heap, DYNAMIC_TYPE_DIRCTX);
    #endif
--- a/wolfcrypt/src/wc_port.c
+++ b/wolfcrypt/src/wc_port.c
@@ -197,9 +197,10 @@ int wolfCrypt_Cleanup(void)
 #if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)

 /* File Handling Helpers */
+/* returns 0 if file found, -1 if no files or negative error */
 int wc_ReadDirFirst(ReadDirCtx* ctx, const char* path, char** name)
 {
-    int ret = 0;
+    int ret = -1; /* default to no files found */

    if (name)
        *name = NULL;
@@ -258,9 +259,10 @@ int wc_ReadDirFirst(ReadDirCtx* ctx, const char* path, char** name)
    return ret;
 }

+/* returns 0 if file found, -1 if no more files */
 int wc_ReadDirNext(ReadDirCtx* ctx, const char* path, char** name)
 {
-    int ret = -1;
+    int ret = -1; /* default to no file found */

    if (name)
        *name = NULL;