Add support for enabling and disabling CRLs. #6329
Conversation
|
retest this please! |
|
retest this please! |
src/x509_str.c
Outdated
| if ((flag & WOLFSSL_CRL_CHECKALL) || (flag & WOLFSSL_CRL_CHECK)) { | ||
| ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag); | ||
| } | ||
| ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag); |
There was a problem hiding this comment.
Is it safe to make this change, considering the new behavior only applies when OPENSSL_COMPATIBLE_DEFAULTS is defined? Shouldn't this also be gated behind OPENSSL_COMPATIBLE_DEFAULTS?
There was a problem hiding this comment.
The OPENSSL_COMPATIBLE_DEFAULTS flag is unnecessary here because wolfSSL_CertManagerEnableCRL() does not utilize the provided flag when OPENSSL_COMPATIBLE_DEFAULTS is not defined.
There was a problem hiding this comment.
Before this change, wolfSSL_CertManagerEnableCRL is only being called if either WOLFSSL_CRL_CHECKALL or WOLFSSL_CRL_CHECK is set. But after this change, wolfSSL_CertManagerEnableCRL is always being called. In the case where OPENSSL_COMPATIBLE_DEFAULTS is not defined, calling wolfSSL_CertManagerEnableCRL will enable the CRL, so this is leading to a behavior change for that case. The function X509_STORE_set_flags is used for other X509 flags unrelated to CRL, and it is not expected to enable the CRL in this case.
Is there a reason you need to remove the flag check? If I'm understanding right, this should work fine in both cases with this check kept.
|
retest this please! |
| /* Turn off all checks */ | ||
| cm->crlCheckAll = 0; | ||
| } | ||
| #endif | ||
| #ifdef HAVE_CRL | ||
| if (cm->crl == NULL) { | ||
| cm->crl = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), cm->heap, |
There was a problem hiding this comment.
If OPENSSL_COMPATIBLE_DEFAULTS is defined, and we don't end up enabling CRL, is there any point in allocating and initializing the cert manager's CRL? Or should the entire function be skipped in this case? I'm not seeing anywhere else in the code where we set crlEnabled.
There was a problem hiding this comment.
@kareem-wolfssl. Excellent observation! Your feedback has been implemented in the update.
src/x509_str.c
Outdated
| if ((flag & WOLFSSL_CRL_CHECKALL) || (flag & WOLFSSL_CRL_CHECK)) { | ||
| ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag); | ||
| } | ||
| ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag); |
There was a problem hiding this comment.
Before this change, wolfSSL_CertManagerEnableCRL is only being called if either WOLFSSL_CRL_CHECKALL or WOLFSSL_CRL_CHECK is set. But after this change, wolfSSL_CertManagerEnableCRL is always being called. In the case where OPENSSL_COMPATIBLE_DEFAULTS is not defined, calling wolfSSL_CertManagerEnableCRL will enable the CRL, so this is leading to a behavior change for that case. The function X509_STORE_set_flags is used for other X509 flags unrelated to CRL, and it is not expected to enable the CRL in this case.
Is there a reason you need to remove the flag check? If I'm understanding right, this should work fine in both cases with this check kept.
src/internal.c
Outdated
| else { | ||
| #ifdef WOLFSSL_REFCNT_ERROR_RETURN | ||
| return ret; | ||
| #else | ||
| (void)ret; | ||
| #endif | ||
| } |
There was a problem hiding this comment.
I'm not sure why the return value logic needs to be gated on WOLFSSL_REFCNT_ERROR_RETURN. I can see that this follows a similar pattern that happens in many other places. I'm not a fan of this but I'll allow it for now.
Do leaf CRL check by default Correct wolfSSL_sk_X509_NAME_push return check Update OpenSSL compatibility errors for HAProxy Change X509_V to literal constant values Fix the compat layer with TLS session ticket reuse Fix for tls1_2 session resume and cache miss Save intitial wolfSSL ctx Check for OpenSSL CRL error code 23
| #ifndef NO_WOLFSSL_SERVER | ||
| #if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) | ||
| #if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SESSION_TICKET) | ||
| #if defined(WOLFSSL_HAPROXY) |
There was a problem hiding this comment.
Should we support a way to use initial_ctx with a macro besides WOLFSSL_HAPROXY?
There was a problem hiding this comment.
@dgarske, not in this PR. More comfortable with the current changes since it has been tested against Haproxy.
There was a problem hiding this comment.
Seems shortsighted to limit that area of code to HAPROXY only. Could you instead create a new macro like WOLFSSL_TICKET_USE_INITIAL_CTX and set this macro in settings.h for WOLFSSL_HAPROXY? At least giving other OSP projects the opportunity to use it?
There was a problem hiding this comment.
I believe the use case for initial_ctx is quite rare, and I'm skeptical about its use in other OSP projects.
Currently, #define SSL_TICKET_CTX(ssl) ssl->initial_ctx->ticketEncCtx , initial_ctx, and ssl->initial_ctx are gated by WOLFSSL_HAPROXY. Are you suggesting alterations to the gating for all of these?
If that's the case, I can replace the WOLFSSL_HAPROXY gating with WOLFSSL_USE_INITIAL_CTX, which would provide a bit more flexibility.
There was a problem hiding this comment.
Correct, looking for flexibility around the use of the initial_ctx feature. Its a fairly easy refactor. If you think HAPROXY is the only project that will ever use this feature then we can take the PR as-is.
There was a problem hiding this comment.
Thanks for clarifying. Currently, I'm inclined to leave it as-is and consider the easy refactor only when necessary. None of our supported OSP projects require it presently, and if they had, we would have run into issues earlier. I can't predict the needs of future OSP projects. Although introducing a new setting is straightforward, it implies the added responsibility of maintenance and instructing non-configure autotool users to add one more setting to their user_settings.h file.
Description
This PR adds the ability to turn CRL checks on or off from X509_STORE during runtime. This functionality would be consistent with OpenSSL. By default, the CRL check is enabled when wolfSSL is configured with HAVE_CRL.
wolfSSL_DisableCRL() can be used to disable CRL check on SSL object but we are missing an ability to turn it off for a WOLFSSL_X509_STORE object.Fixes zd#15424
Testing
How did you test?
Checklist