New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Port CRL test from boring crypto/x509/x509_test.cc; add fix to 1.1.0/master #1775
Conversation
Error is pretty clear ; test/crltest.c:40:5: error: string length '1253' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:64:5: error: string length '1298' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:77:5: error: string length '629' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:91:5: error: string length '658' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:105:5: error: string length '666' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:123:5: error: string length '654' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:140:5: error: string length '658' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] test/crltest.c:158:5: error: string length '682' is greater than the length '509' ISO C90 compilers are required to support [-Werror=overlength-strings] |
No, that's a build error which I did not see and which I will fix later. The run-time error is this:
|
Please consider any work from BoringSSL included here to be covered by our existing CLA with OpenSSL. I think the reason the test doesn't pass is because the fix didn't get applied to master (or 1.1.0), so the test is working. :-) |
By the way, in case you need to generate more of these or whatever, here's the private key corresponding to Also, shameless plug, but der-ascii is really handy for generating these kinds of things: |
yes, right i forgot to push the commit with the fix. (appropriate smiley) |
You know that there are problems reported by travis, like "crltest: corrupted double-linked list"? |
No I did not notice the travis problems. |
Added a commit taht should fix this. Thanks for pointing me to the problem. |
retcode = X509_verify_cert(ctx); | ||
/* Unset the CA and CRL stacks so they don't get free'd by us. */ | ||
X509_STORE_CTX_trusted_stack(ctx, NULL); | ||
X509_STORE_CTX_set0_crls(ctx, NULL); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not seeing where either of these fields are freed by X509_STORE_CTX_free
, though perhaps I'm just not seeing it.
Anyway, this doesn't make sense. One would expect that either both X509_STORE_CTX_set0_crls
and X509_STORE_CTX_free
free the existing value or neither to.
That is, if ctx
owns crls
as a result of line 235, then ctx
is responsible for freeing it in both set0_crls
and free
. If ctx
doesn't own crls
, then ctx
should not free it in either function. (At least from inspection, it seems to be the latter.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
asan is complaining, so let's see what happens. :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
doh, of course i wasn't making sense. :( backed it out. need to reproduce locally.
found and fixed. pushing new version. |
You can avoid the PEM concatentation by using DER format and calling the relevant d2i function directly. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me at this point
ping @levitte to re-review. uses the test framework. for master only. |
ping @levitte please reconfirm since it uses the test harness now. updated/rebased commit pushed. |
|
||
if (!X509_STORE_CTX_init(ctx, store, leaf, NULL)) | ||
goto err; | ||
X509_STORE_CTX_trusted_stack(ctx, roots); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change to:
X509_STORE_CTX_set0_trusted_stack(ctx, roots);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(it will fix the Travis build issue)
More importantly, port CRL test from boringSSL crypto/x509/x509_test.cc
updated commit pushed. |
More importantly, port CRL test from boringSSL crypto/x509/x509_test.cc Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from #1775)
This fix was not pushed into 1.0.2 branch, who still has the issue too. |
It was; see 3ade92e |
To be ported to 1.1.0 and 1.0.2 Fails right now on master, needs to be investigated.