Address peer review

Author: julek-wolfssl

.github/workflows/nginx.yml

@@ -246,8 +246,7 @@ jobs:
           ./auto/configure --with-wolfssl=$GITHUB_WORKSPACE/build-dir --with-http_ssl_module \
             --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module \
             --with-http_v2_module --with-mail --with-mail_ssl_module \
-            --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 \
-            ${{ env.nginx_c_flags }}' \
+            --with-cc-opt='-fsanitize=address -DNGX_DEBUG_PALLOC=1 -g3 ${{ env.nginx_c_flags }}' \
             --with-ld-opt='-fsanitize=address ${{ env.nginx_c_flags }}'
           make -j
 

src/internal.c

@@ -39034,12 +39034,10 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
         }
 #endif
 
-        /* Calculate actual internal ticket size */
+        internalTicketSz = (int)WOLFSSL_INTERNAL_TICKET_BASE_SZ;
 #if defined(OPENSSL_ALL) && defined(KEEP_PEER_CERT) && \
     !defined(NO_CERT_IN_TICKET)
-        internalTicketSz = (int)(WOLFSSL_INTERNAL_TICKET_BASE_SZ + peerCertSz);
-#else
-        internalTicketSz = (int)WOLFSSL_INTERNAL_TICKET_BASE_SZ;
+        internalTicketSz += peerCertSz;
 #endif
         /* MAC is placed after the encrypted data */
         mac = et->enc_ticket + WOLFSSL_TICKET_ENC_SZ;
@@ -39326,6 +39324,48 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
     }
 #endif /* WOLFSSL_SLT13 */
 
+#if defined(OPENSSL_ALL) && defined(KEEP_PEER_CERT) && \
+    !defined(NO_CERT_IN_TICKET)
+    static void RestorePeerCertFromTicket(WOLFSSL* ssl, InternalTicket* it)
+    {
+        word16 peerCertLen = 0;
+        ato16(it->peerCertLen, &peerCertLen);
+
+        if (peerCertLen > 0 && peerCertLen <= MAX_TICKET_PEER_CERT_SZ) {
+#ifdef SESSION_CERTS
+            /* Clear existing chain and add the peer certificate */
+            ssl->session->chain.count = 0;
+            AddSessionCertToChain(&ssl->session->chain,
+                                  it->peerCert, peerCertLen);
+#endif
+            /* Also decode into ssl->peerCert for direct access */
+            {
+                int ret;
+                DecodedCert* dCert;
+
+                dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
+                                               DYNAMIC_TYPE_DCERT);
+                if (dCert != NULL) {
+                    InitDecodedCert(dCert, it->peerCert, peerCertLen, ssl->heap);
+                    ret = ParseCertRelative(dCert, CERT_TYPE, 0, NULL, NULL);
+                    if (ret == 0) {
+                        FreeX509(&ssl->peerCert);
+                        InitX509(&ssl->peerCert, 0, ssl->heap);
+                        ret = CopyDecodedToX509(&ssl->peerCert, dCert);
+                        if (ret != 0) {
+                            /* Failed to copy - clear peerCert */
+                            FreeX509(&ssl->peerCert);
+                            InitX509(&ssl->peerCert, 0, ssl->heap);
+                        }
+                    }
+                    FreeDecodedCert(dCert);
+                    XFREE(dCert, ssl->heap, DYNAMIC_TYPE_DCERT);
+                }
+            }
+        }
+    }
+#endif /* OPENSSL_ALL && KEEP_PEER_CERT && !NO_CERT_IN_TICKET */
+
     void DoClientTicketFinalize(WOLFSSL* ssl, InternalTicket* it,
             const WOLFSSL_SESSION* sess)
     {
@@ -39416,44 +39456,7 @@ static int AddPSKtoPreMasterSecret(WOLFSSL* ssl)
 
 #if defined(OPENSSL_ALL) && defined(KEEP_PEER_CERT) && \
     !defined(NO_CERT_IN_TICKET)
-        /* Restore peer certificate from ticket to session chain and peerCert */
-        {
-            word16 peerCertLen = 0;
-            ato16(it->peerCertLen, &peerCertLen);
-
-            if (peerCertLen > 0 && peerCertLen <= MAX_TICKET_PEER_CERT_SZ) {
-#ifdef SESSION_CERTS
-                /* Clear existing chain and add the peer certificate */
-                ssl->session->chain.count = 0;
-                AddSessionCertToChain(&ssl->session->chain,
-                                      it->peerCert, peerCertLen);
-#endif
-                /* Also decode into ssl->peerCert for direct access */
-                {
-                    int ret;
-                    DecodedCert* dCert;
-
-                    dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
-                                                   DYNAMIC_TYPE_DCERT);
-                    if (dCert != NULL) {
-                        InitDecodedCert(dCert, it->peerCert, peerCertLen, ssl->heap);
-                        ret = ParseCertRelative(dCert, CERT_TYPE, 0, NULL, NULL);
-                        if (ret == 0) {
-                            FreeX509(&ssl->peerCert);
-                            InitX509(&ssl->peerCert, 0, ssl->heap);
-                            ret = CopyDecodedToX509(&ssl->peerCert, dCert);
-                            if (ret != 0) {
-                                /* Failed to copy - clear peerCert */
-                                FreeX509(&ssl->peerCert);
-                                InitX509(&ssl->peerCert, 0, ssl->heap);
-                            }
-                        }
-                        FreeDecodedCert(dCert);
-                        XFREE(dCert, ssl->heap, DYNAMIC_TYPE_DCERT);
-                    }
-                }
-            }
-        }
+        RestorePeerCertFromTicket(ssl, it);
 #endif
 
         ssl->version.minor = it->pv.minor;

src/ssl.c

@@ -15508,11 +15508,10 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 #endif
 #ifndef WOLFSSL_BLIND_PRIVATE_KEY
 #ifdef WOLFSSL_COPY_KEY
+    if (ssl->buffers.key != NULL && ssl->buffers.weOwnKey) {
+        FreeDer(&ssl->buffers.key);
+    }
     if (ctx->privateKey != NULL) {
-        if (ssl->buffers.key != NULL) {
-            FreeDer(&ssl->buffers.key);
-            ssl->buffers.key = NULL;
-        }
         ret = AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
             ctx->privateKey->length, ctx->privateKey->type,
             ctx->privateKey->heap);
@@ -15523,8 +15522,6 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
         ssl->buffers.weOwnKey = 1;
     }
     else {
-        if (ssl->buffers.key != NULL && ssl->buffers.weOwnKey)
-            FreeDer(&ssl->buffers.key);
         ssl->buffers.key      = ctx->privateKey;
     }
 #else

src/ssl_api_cert.c

@@ -881,8 +881,11 @@ int wolfSSL_UnloadCertsKeys(WOLFSSL* ssl)
     #ifdef WOLFSSL_DUAL_ALG_CERTS
         if (ssl->buffers.weOwnAltKey) {
             WOLFSSL_MSG("Unloading alt key");
-            if (ssl->buffers.altKey != NULL && ssl->buffers.altKey->buffer != NULL)
-                ForceZero(ssl->buffers.altKey->buffer, ssl->buffers.altKey->length);
+            if (ssl->buffers.altKey != NULL &&
+                    ssl->buffers.altKey->buffer != NULL) {
+                ForceZero(ssl->buffers.altKey->buffer,
+                          ssl->buffers.altKey->length);
+            }
             FreeDer(&ssl->buffers.altKey);
         #ifdef WOLFSSL_BLIND_PRIVATE_KEY
             FreeDer(&ssl->buffers.altKeyMask);

src/x509.c

@@ -38,6 +38,8 @@
     #include <wolfssl/wolfio.h>
 #endif
 
+/* 16 times MAX_X509_SIZE should be more than enough to read any X509
+ * certificate file */
 #define MAX_BIO_READ_BUFFER (MAX_X509_SIZE * 16)
 
 #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)