Port CRL test from boring crypto/x509/x509_test.cc; add fix to 1.1.0/master #1775
Conversation
richsalz
added
branch: master
|
Error is pretty clear ; test/crltest.c:40:5: error: string length '1253' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:64:5: error: string length '1298' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:77:5: error: string length '629' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:91:5: error: string length '658' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:105:5: error: string length '666' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:123:5: error: string length '654' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:140:5: error: string length '658' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:158:5: error: string length '682' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] |
|
No, that's a build error which I did not see and which I will fix later. The run-time error is this: |
|
Please consider any work from BoringSSL included here to be covered by our existing CLA with OpenSSL. I think the reason the test doesn't pass is because the fix didn't get applied to master (or 1.1.0), so the test is working. :-) |
|
By the way, in case you need to generate more of these or whatever, here's the private key corresponding to Also, shameless plug, but der-ascii is really handy for generating these kinds of things: |
richsalz
added
branch: 1.0.2
richsalz
changed the title
|
yes, right i forgot to push the commit with the fix. (appropriate smiley) |
|
You know that there are problems reported by travis, like "crltest: corrupted double-linked list"? |
|
No I did not notice the travis problems. |
|
Added a commit taht should fix this. Thanks for pointing me to the problem. |
| retcode = X509_verify_cert(ctx); | ||
| /* Unset the CA and CRL stacks so they don't get free'd by us. */ | ||
| X509_STORE_CTX_trusted_stack(ctx, NULL); | ||
| X509_STORE_CTX_set0_crls(ctx, NULL); |
There was a problem hiding this comment.
I'm not seeing where either of these fields are freed by X509_STORE_CTX_free, though perhaps I'm just not seeing it.
Anyway, this doesn't make sense. One would expect that either both X509_STORE_CTX_set0_crls and X509_STORE_CTX_free free the existing value or neither to.
That is, if ctx owns crls as a result of line 235, then ctx is responsible for freeing it in both set0_crls and free. If ctx doesn't own crls, then ctx should not free it in either function. (At least from inspection, it seems to be the latter.)
There was a problem hiding this comment.
asan is complaining, so let's see what happens. :)
There was a problem hiding this comment.
doh, of course i wasn't making sense. :( backed it out. need to reproduce locally.
|
found and fixed. pushing new version. |
|
You can avoid the PEM concatentation by using DER format and calling the relevant d2i function directly. |
|
ping @levitte to re-review. uses the test framework. for master only. |
|
ping @levitte please reconfirm since it uses the test harness now. updated/rebased commit pushed. |
|
|
||
| if (!X509_STORE_CTX_init(ctx, store, leaf, NULL)) | ||
| goto err; | ||
| X509_STORE_CTX_trusted_stack(ctx, roots); |
There was a problem hiding this comment.
Change to:
X509_STORE_CTX_set0_trusted_stack(ctx, roots);
There was a problem hiding this comment.
(it will fix the Travis build issue)
More importantly, port CRL test from boringSSL crypto/x509/x509_test.cc
|
updated commit pushed. |
levitte
added
the
approval: done
More importantly, port CRL test from boringSSL crypto/x509/x509_test.cc Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from #1775)
|
This fix was not pushed into 1.0.2 branch, who still has the issue too. |
|
It was; see 3ade92e |
To be ported to 1.1.0 and 1.0.2 Fails right now on master, needs to be investigated.