mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 15:50:51 +02:00
src/x509.c: handle streaming BIOs in PEM block reader
The CRL refactor broke nginx's ssl_cache.t (and the wolfSSL/wolfssl nginx_check matrix on 1.24.0/1.25.0/1.28.1) because nginx loads the test CRL through a FIFO. wolfSSL_PEM_X509_X509_CRL_X509_PKEY_read_bio() asks wolfSSL_BIO_get_len() for the BIO size up front; for a FIFO the underlying ftell() returns ESPIPE, wolfssl_file_len() reports WOLFSSL_BAD_FILETYPE, and BIO_get_len() returns 0. The function then hit the l <= pem_struct_min_sz guard and bailed with ASN_NO_PEM_HEADER before reading a byte, so the caller's loop saw "no CRL" and nginx emitted "PEM_read_bio_X509_CRL() failed".

Treat l == 0 as "streaming source, size unknown" and allocate up to MAX_BIO_READ_BUFFER (the same cap ReadPemFromBioToBuffer used for this case before the refactor). The existing byte-by-byte reader already stops at the END marker or at EOF, so this is enough; if the upstream short-reads we still surface ASN_NO_PEM_HEADER from the pem_struct_min_sz read below.

Keep rejecting tiny non-zero lengths since those are real "buffer too small" cases.
+5
-1
@@ -13766,7 +13766,11 @@ int wolfSSL_write_X509_CRL(WOLFSSL_X509_CRL* crl, const char* path, int type)
return WOLFSSL_FAILURE;
}
if (l <= pem_struct_min_sz) {
if (l == 0) {
/* Streaming BIO (pipe/FIFO/socket): size unknown, use the cap. */
l = MAX_BIO_READ_BUFFER;
}
else if (l <= pem_struct_min_sz) {
/* No certificate in buffer */
WOLFSSL_ERROR(ASN_NO_PEM_HEADER);
return WOLFSSL_FAILURE;
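Review bot: the new `if (l == 0)` branch overloads zero to mean "size unknown", but zero is also what a genuinely empty BIO reports, so an empty input now goes through a MAX_BIO_READ_BUFFER allocation before the pem_struct_min_sz read below surfaces the same ASN_NO_PEM_HEADER the old guard returned immediately. Consider having wolfSSL_BIO_get_len() signal the ESPIPE/"length unknown" case described in the commit message distinctly from an empty source so this branch keys on that rather than on `l == 0`, and extend the `/* Streaming BIO ... */` comment to state that a PEM block on a streaming source larger than MAX_BIO_READ_BUFFER cannot be read in full under this cap.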