Improvements to the CRL verify handling.

2019-08-23 15:29:39 -07:00 · 2019-08-23 15:29:39 -07:00 · 99329b0fc4
commit 99329b0fc4
parent 586b74b05f
2 changed files with 10 additions and 8 deletions
--- a/src/crl.c
+++ b/src/crl.c
@ -428,7 +428,7 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,

 /* Load CRL File of type, WOLFSSL_SUCCESS on ok */
 int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
-                  int noVerify)
+                  int verify)
 {
    int          ret = WOLFSSL_SUCCESS;
    const byte*  myBuffer = buff;    /* if DER ok, otherwise switch */
@ -471,7 +471,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,

    InitDecodedCRL(dcrl, crl->heap);
    ret = ParseCRL(dcrl, myBuffer, (word32)sz, crl->cm);
-    if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && noVerify)) {
+    if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && verify == NO_VERIFY)) {
        WOLFSSL_MSG("ParseCRL error");
    }
    else {
@ -516,7 +516,7 @@ int wolfSSL_X509_STORE_add_crl(WOLFSSL_X509_STORE *store, WOLFSSL_X509_CRL *newc
    wc_UnLockMutex(&crl->crlLock);

    WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_crl", WOLFSSL_SUCCESS);
-    
+
    return WOLFSSL_SUCCESS;
 }
 #endif
@ -1023,7 +1023,7 @@ int LoadCRL(WOLFSSL_CRL* crl, const char* path, int type, int monitor)
        }

        if (!skip && ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl,
-                                 NO_VERIFY) != WOLFSSL_SUCCESS) {
+                                 VERIFY) != WOLFSSL_SUCCESS) {
            WOLFSSL_MSG("CRL file load failed, continuing");
        }

--- a/src/ssl.c
+++ b/src/ssl.c
@ -5476,7 +5476,7 @@ int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm,
        }
    }

-    return BufferLoadCRL(cm->crl, buff, sz, type, 0);
+    return BufferLoadCRL(cm->crl, buff, sz, type, VERIFY);
 }

 int wolfSSL_CertManagerFreeCRL(WOLFSSL_CERT_MANAGER* cm)
@ -6039,7 +6039,7 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
                                     verify);
 #ifdef HAVE_CRL
        else if (type == CRL_TYPE)
-            ret = BufferLoadCRL(crl, myBuffer, sz, format, 0);
+            ret = BufferLoadCRL(crl, myBuffer, sz, format, verify);
 #endif
        else
            ret = ProcessBuffer(ctx, myBuffer, sz, format, type, ssl, NULL,
@ -18556,7 +18556,8 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
                }
            }

-            ret = BufferLoadCRL(cm->crl, curr, sz, WOLFSSL_FILETYPE_PEM, 1);
+            ret = BufferLoadCRL(cm->crl, curr, sz, WOLFSSL_FILETYPE_PEM,
+                NO_VERIFY);
            if (ret != WOLFSSL_SUCCESS)
                goto end;
 #endif
@ -19690,7 +19691,8 @@ WOLFSSL_X509_CRL* wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL** crl,
            if (ret < 0) {
                WOLFSSL_MSG("Init tmp CRL failed");
            } else {
-                ret = BufferLoadCRL(newcrl, in, len, WOLFSSL_FILETYPE_ASN1, 1);
+                ret = BufferLoadCRL(newcrl, in, len, WOLFSSL_FILETYPE_ASN1,
+                    NO_VERIFY);
                if (ret != WOLFSSL_SUCCESS) {
                    WOLFSSL_MSG("Buffer Load CRL failed");
                } else {