From c5df3cb6b616651edd42761555c422d3349ef90a Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Wed, 27 Nov 2024 10:38:32 -0800
Subject: [PATCH 1/4] Use proper ref count handling when adding to x509 store
---
 src/x509_str.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/src/x509_str.c b/src/x509_str.c
index b7134f079..b9361ceb3 100644
--- a/src/x509_str.c
+++ b/src/x509_str.c
@@ -1408,24 +1408,30 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
 result = X509StoreAddCa(store, x509, WOLFSSL_USER_CA);
 #if !defined(WOLFSSL_SIGNER_DER_CERT)
 if (result == WOLFSSL_SUCCESS && store->trusted != NULL) {
- result = wolfSSL_sk_X509_push(store->trusted, x509);
- if (result > 0) {
- result = WOLFSSL_SUCCESS;
- }
- else {
- result = WOLFSSL_FATAL_ERROR;
+ result = wolfSSL_X509_up_ref(x509);
+ if (result == WOLFSSL_SUCCESS) {
+ result = wolfSSL_sk_X509_push(store->trusted, x509);
+ if (result > 0) {
+ result = WOLFSSL_SUCCESS;
+ }
+ else {
+ result = WOLFSSL_FATAL_ERROR;
+ }
 }
 }
 #endif
 }
 else {
 if (store->certs != NULL) {
- result = wolfSSL_sk_X509_push(store->certs, x509);
- if (result > 0) {
- result = WOLFSSL_SUCCESS;
- }
- else {
- result = WOLFSSL_FATAL_ERROR;
+ result = wolfSSL_X509_up_ref(x509);
+ if (result == WOLFSSL_SUCCESS) {
+ result = wolfSSL_sk_X509_push(store->certs, x509);
+ if (result > 0) {
+ result = WOLFSSL_SUCCESS;
+ }
+ else {
+ result = WOLFSSL_FATAL_ERROR;
+ }
 }
 }
 else {
From 5684e56e0e92848521de202e4d79ce51b539d14d Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Mon, 2 Dec 2024 12:15:33 -0800
Subject: [PATCH 2/4] Always keep original x509 pointer with proper refcounts even for self signed trusted CA
---
 src/x509_str.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/x509_str.c b/src/x509_str.c
index b9361ceb3..c5d712e18 100644
--- a/src/x509_str.c
+++ b/src/x509_str.c
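Review bot: In the self-signed branch, `X509StoreAddCa(store, x509, WOLFSSL_USER_CA)` has already succeeded by the time the new `wolfSSL_X509_up_ref(x509)` or the following `wolfSSL_sk_X509_push(store->trusted, x509)` can fail, so a caller that receives an error may still be left with a store that appears to treat the certificate as a trust anchor. Nothing visible in the hunk undoes that registration, and PATCH 4/4 only releases the extra reference on the push-failure path. Either roll the CA back on failure or record the behaviour above the branch, e.g. `/* NOTE: a failure after X509StoreAddCa leaves the CA registered in the store */`. A failed up_ref also returns its own code rather than `WOLFSSL_FATAL_ERROR`, unlike the push path beside it. The function body starts and ends outside the hunk.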
@@ -1102,11 +1102,9 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void)
 if ((store->owned = wolfSSL_sk_X509_new_null()) == NULL)
 goto err_exit;
-#if !defined(WOLFSSL_SIGNER_DER_CERT)
 if ((store->trusted = wolfSSL_sk_X509_new_null()) == NULL)
 goto err_exit;
 #endif
-#endif
 #ifdef HAVE_CRL
 store->crl = store->cm->crl;
@@ -1196,20 +1194,18 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store)
 }
 #if defined(OPENSSL_EXTRA)
 if (store->certs != NULL) {
- wolfSSL_sk_X509_free(store->certs);
+ wolfSSL_sk_X509_pop_free(store->certs, wolfSSL_X509_free);
 store->certs = NULL;
 }
 if (store->owned != NULL) {
 wolfSSL_sk_X509_pop_free(store->owned, wolfSSL_X509_free);
 store->owned = NULL;
 }
-#if !defined(WOLFSSL_SIGNER_DER_CERT)
 if (store->trusted != NULL) {
- wolfSSL_sk_X509_free(store->trusted);
+ wolfSSL_sk_X509_pop_free(store->trusted, wolfSSL_X509_free);
 store->trusted = NULL;
 }
 #endif
-#endif
 #ifdef OPENSSL_ALL
 if (store->objs != NULL) {
 X509StoreFreeObjList(store, store->objs);
@@ -1406,7 +1402,6 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
 * CA=TRUE */
 if (wolfSSL_X509_NAME_cmp(&x509->issuer, &x509->subject) == 0) {
 result = X509StoreAddCa(store, x509, WOLFSSL_USER_CA);
- #if !defined(WOLFSSL_SIGNER_DER_CERT)
 if (result == WOLFSSL_SUCCESS && store->trusted != NULL) {
 result = wolfSSL_X509_up_ref(x509);
 if (result == WOLFSSL_SUCCESS) {
@@ -1419,7 +1414,6 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
 }
 }
 }
- #endif
 }
 else {
 if (store->certs != NULL) {
From c5acceca5d6deac47a67079c1c99f08e0676c7e1 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Tue, 3 Dec 2024 09:55:43 -0800
Subject: [PATCH 3/4] Dont use specific free function
---
 src/x509_str.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/x509_str.c b/src/x509_str.c
index c5d712e18..bdb388f86 100644
--- a/src/x509_str.c
+++ b/src/x509_str.c
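Review bot: Freeing `store->certs` and `store->trusted` with `wolfSSL_sk_X509_pop_free(..., wolfSSL_X509_free)` instead of `wolfSSL_sk_X509_free` is only safe if every producer of those two stacks takes its own reference before pushing. This page shows that for wolfSSL_X509_STORE_add_cert only; any other path in the file that pushes onto either stack without `wolfSSL_X509_up_ref` would now end in a double free or use-after-free when the store is released, so those call sites are worth auditing before merge. A comment above the three blocks would pin the invariant, e.g. `/* certs, owned and trusted each hold one reference per entry; released together with the stack */`. The function body starts and ends outside the hunk.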
@@ -1194,15 +1194,15 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store)
 }
 #if defined(OPENSSL_EXTRA)
 if (store->certs != NULL) {
- wolfSSL_sk_X509_pop_free(store->certs, wolfSSL_X509_free);
+ wolfSSL_sk_X509_pop_free(store->certs, NULL);
 store->certs = NULL;
 }
 if (store->owned != NULL) {
- wolfSSL_sk_X509_pop_free(store->owned, wolfSSL_X509_free);
+ wolfSSL_sk_X509_pop_free(store->owned, NULL);
 store->owned = NULL;
 }
 if (store->trusted != NULL) {
- wolfSSL_sk_X509_pop_free(store->trusted, wolfSSL_X509_free);
+ wolfSSL_sk_X509_pop_free(store->trusted, NULL);
 store->trusted = NULL;
 }
 #endif
From c192cbabe8a53472b8bf84a00fe7234c24f5c5f2 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Wed, 4 Dec 2024 10:33:58 -0800
Subject: [PATCH 4/4] Free x509 on fail to push
---
 src/x509_str.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/x509_str.c b/src/x509_str.c
index bdb388f86..ce8f0e28e 100644
--- a/src/x509_str.c
+++ b/src/x509_str.c
@@ -1411,6 +1411,7 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
 }
 else {
 result = WOLFSSL_FATAL_ERROR;
+ wolfSSL_X509_free(x509);
 }
 }
 }
@@ -1425,6 +1426,7 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
 }
 else {
 result = WOLFSSL_FATAL_ERROR;
+ wolfSSL_X509_free(x509);
 }
 }
 }
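Review bot: The three `wolfSSL_sk_X509_pop_free(..., NULL)` calls in PATCH 3/4 depend on what pop_free does with a NULL callback, and neither the hunk nor the commit message says what that is. If NULL falls back to a per-type default free, the references taken in wolfSSL_X509_STORE_add_cert are still released; if it leaves the elements alone, every stored certificate leaks when the store is freed. Once the behaviour is confirmed against wolfSSL_sk_X509_pop_free, a one-line comment would settle it for the next reader, e.g. `/* NULL: pop_free selects the element free for this stack type */`. The function body starts and ends outside the hunk.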
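Review bot: The up_ref / push / free-on-failure sequence now exists twice in wolfSSL_X509_STORE_add_cert: the PATCH 4/4 hunk at -1411 (presumably the `store->trusted` branch) and the one at -1425 (`store->certs`). It took follow-up commits in this series to balance both copies. A small static helper would keep the reference and the stack entry paired in one place, so a later change cannot fix one branch and miss the other. Only the tails of the two branches are visible in these hunks, so the call sites are sketched below; the helper name is a suggestion.

```c
/* Push x509 onto sk with its own reference; the reference is dropped again
 * if the push fails, so the caller's count is unchanged on error. */
static int X509StorePushRef(WOLF_STACK_OF(WOLFSSL_X509)* sk, WOLFSSL_X509* x509)
{
    int ret = wolfSSL_X509_up_ref(x509);

    if (ret != WOLFSSL_SUCCESS)
        return ret;
    if (wolfSSL_sk_X509_push(sk, x509) > 0)
        return WOLFSSL_SUCCESS;
    wolfSSL_X509_free(x509);
    return WOLFSSL_FATAL_ERROR;
}

/* … unchanged: X509StoreAddCa call and store->trusted NULL check … */
            result = X509StorePushRef(store->trusted, x509);
/* … unchanged: else branch and store->certs NULL check … */
            result = X509StorePushRef(store->certs, x509);
```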