Reject CRLs with unrecognized critical entry extensions per RFC 5280 section 5.3#10274
Reject CRLs with unrecognized critical entry extensions per RFC 5280 section 5.3#10274gasbytes wants to merge 1 commit intowolfSSL:masterfrom
Conversation
|
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10274
Scan targets checked: wolfcrypt-bugs, wolfcrypt-src
Findings: 2
2 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
| /* Add revoked certificate to chain. */ | ||
| if (ret == 0) { | ||
| /* Add revoked certificate to chain. */ | ||
| #ifndef CRL_STATIC_REVOKED_LIST |
There was a problem hiding this comment.
🔵 [Low] Leak of rc->extensions when ParseCRL_ReasonCode fails under CRL_STATIC_REVOKED_LIST + OPENSSL_EXTRA · Resource leaks on error paths
The new error path returned by ParseCRL_ReasonCode (e.g. ASN_CRIT_EXT_E) exits GetRevoked without freeing the just-allocated rc->extensions, because the cleanup block is wrapped in #ifndef CRL_STATIC_REVOKED_LIST. Pre-PR, ParseCRL_ReasonCode returned void, so no such…
Fix: Free rc->extensions on the error path even in the static list configuration (and clear the field) so the buffer does not leak when totalCerts is not…
| if (ret != 0) { | ||
| #ifndef CRL_STATIC_REVOKED_LIST | ||
| #if defined(OPENSSL_EXTRA) | ||
| XFREE(rc->extensions, dcrl->heap, DYNAMIC_TYPE_REVOKED); |
There was a problem hiding this comment.
🔵 [Low] Same leak of rc->extensions in asn_orig.c when ParseCRL_ReasonCode fails · Resource leaks on error paths
In the CRL_STATIC_REVOKED_LIST + OPENSSL_EXTRA build, rc->extensions is allocated, then the new ret != 0 return bypasses the XFREE(rc->extensions, ...) (guarded by #ifndef CRL_STATIC_REVOKED_LIST). The previous slot in the static array is reused without totalCerts…
Fix: Also free rc->extensions (and null it) in the static-list path, or skip the allocation entirely when CRL_STATIC_REVOKED_LIST is defined.
3 participants
Description
Reject CRLs with unrecognized critical entry extensions per RFC 5280 section 5.3.
This is a follow-up to #10239
Testing
./configure --enable-crl --enable-opensslextra --enable-debug &&
make -j8 &&
make check
The changes includes two tests covering the appropriate involved paths
The certs used in the tests are the same ones approved in #10239.
Checklist