From b261ee623891d597677252cb97e06f6b84e4f31c Mon Sep 17 00:00:00 2001 From: Juliusz Sosinowicz Date: Wed, 29 Apr 2026 15:24:05 +0000 Subject: [PATCH] src/x509.c: handle streaming BIOs in PEM block reader The CRL refactor broke nginx's ssl_cache.t (and the wolfSSL/wolfssl nginx_check matrix on 1.24.0/1.25.0/1.28.1) because nginx loads the test CRL through a FIFO. wolfSSL_PEM_X509_X509_CRL_X509_PKEY_read_bio() asks wolfSSL_BIO_get_len() for the BIO size up front; for a FIFO the underlying ftell() returns ESPIPE, wolfssl_file_len() reports WOLFSSL_BAD_FILETYPE, and BIO_get_len() returns 0. The function then hit the l <= pem_struct_min_sz guard and bailed with ASN_NO_PEM_HEADER before reading a byte, so the caller's loop saw "no CRL" and nginx emitted "PEM_read_bio_X509_CRL() failed". Treat l == 0 as "streaming source, size unknown" and allocate up to MAX_BIO_READ_BUFFER (the same cap ReadPemFromBioToBuffer used for this case before the refactor). The existing byte-by-byte reader already stops at the END marker or at EOF, so this is enough; if the upstream short-reads we still surface ASN_NO_PEM_HEADER from the pem_struct_min_sz read below. Keep rejecting tiny non-zero lengths since those are real "buffer too small" cases. --- src/x509.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/x509.c b/src/x509.c index 19052d00dc..f7df3d75b4 100644 --- a/src/x509.c +++ b/src/x509.c @@ -13766,7 +13766,11 @@ int wolfSSL_write_X509_CRL(WOLFSSL_X509_CRL* crl, const char* path, int type) return WOLFSSL_FAILURE; } - if (l <= pem_struct_min_sz) { + if (l == 0) { + /* Streaming BIO (pipe/FIFO/socket): size unknown, use the cap. */ + l = MAX_BIO_READ_BUFFER; + } + else if (l <= pem_struct_min_sz) { /* No certificate in buffer */ WOLFSSL_ERROR(ASN_NO_PEM_HEADER); return WOLFSSL_FAILURE;
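Review bot: the new `if (l == 0)` branch in the src/x509.c hunk treats every zero-length result from wolfSSL_BIO_get_len() as a streaming source, but an empty memory BIO also reports 0, so that case now allocates a MAX_BIO_READ_BUFFER-sized buffer and relies on the later pem_struct_min_sz read to reject it instead of the cheap early ASN_NO_PEM_HEADER return the old `if (l <= pem_struct_min_sz)` gave. If the BIO type is available at this point it would be cleaner to take the cap only for file/fd-backed BIOs whose size query failed (the FIFO case the commit message describes) and keep the immediate rejection for a genuinely empty buffer; otherwise the comment "Streaming BIO (pipe/FIFO/socket): size unknown, use the cap." should mention the empty-BIO fall-through, and a regression test that feeds a CRL through a pipe-backed BIO would pin down the behaviour the commit message claims for short reads.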