Skip to content

X509_STORE_CTX_set0_crls: implement for OpenVPN#10896

Open
julek-wolfssl wants to merge 2 commits into
wolfSSL:masterfrom
julek-wolfssl:julek-dev/openvpn-set0-crls
Open

X509_STORE_CTX_set0_crls: implement for OpenVPN#10896
julek-wolfssl wants to merge 2 commits into
wolfSSL:masterfrom
julek-wolfssl:julek-dev/openvpn-set0-crls

Conversation

@julek-wolfssl

Copy link
Copy Markdown
Member

Summary

OpenVPN master keeps CRLs in its own stack and passes them to each verification with X509_STORE_CTX_set0_crls from its cert verify callback. CRLs are no longer loaded into the store.

  • Add wolfSSL_X509_STORE_CTX_set0_crls. The ctx borrows the stack.
  • Check the ctx CRLs in X509StoreVerifyCert. They can revoke a cert the CertManager accepted and can satisfy the CRL requirement when the CertManager has no CRL loaded. The check runs after the date override handling so that a revocation is not masked by an overridden date error. A stale CRL in the stack does not fail the check when another CRL vouches for the cert.
  • Add CheckCertCRLFromCm to check a cert against a caller-owned CRL using the cm of the store for CRL signature verification. The CRL object is not modified and the cached verification result of the entries is not used because it is only valid for the owning cm.
  • Pass the good result of the cert verify callback to the following verify callbacks in DoVerifyCallback. In OpenSSL the cert verify callback replaces chain verification so the verify callbacks only see its result. OpenVPN needs this to run its per-cert verification.
  • Re-add OpenVPN master to CI testing.

Test plan

  • CI passes, including the re-added OpenVPN master job
  • tests/api/test_ossl_x509_str.c unit tests pass

Copilot AI review requested due to automatic review settings July 14, 2026 09:40
@julek-wolfssl julek-wolfssl self-assigned this Jul 14, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds OpenSSL-compat support for supplying a caller-owned CRL stack to per-verification contexts (needed by OpenVPN’s X509_STORE_CTX_set0_crls usage), and updates verification/CRL-checking logic so these CRLs participate correctly in chain validation and callback flows.

Changes:

  • Add wolfSSL_X509_STORE_CTX_set0_crls and store a borrowed CRL stack pointer on WOLFSSL_X509_STORE_CTX.
  • Extend verification to consult ctx-supplied CRLs (including a new CheckCertCRLFromCm path that verifies CRL signatures using the store’s cert manager).
  • Adjust verify-callback result propagation and re-enable OpenVPN master in CI; add unit tests for the new behavior.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
wolfssl/ssl.h Adds crls field to WOLFSSL_X509_STORE_CTX and declares wolfSSL_X509_STORE_CTX_set0_crls.
wolfssl/openssl/ssl.h Adds OpenSSL-compat macro X509_STORE_CTX_set0_crls.
wolfssl/crl.h Declares internal helper CheckCertCRLFromCm.
src/x509_str.c Implements wolfSSL_X509_STORE_CTX_set0_crls and consults ctx CRLs during X509StoreVerifyCert.
src/crl.c Adds cm-parameterized CRL checking to support verifying caller-owned CRLs with a different WOLFSSL_CERT_MANAGER.
src/internal.c Adjusts verify-callback flow to pass cert-verify callback success onward.
tests/api/test_ossl_x509_str.h Registers new unit tests for ctx CRL stack behavior.
tests/api/test_ossl_x509_str.c Adds unit tests for X509_STORE_CTX_set0_crls (direct and handshake/callback scenarios).
.github/workflows/openvpn.yml Re-adds OpenVPN master to the CI test matrix.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/internal.c
Comment thread wolfssl/openssl/ssl.h

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Comment thread src/x509_str.c
Comment thread src/x509_str.c
Comment thread src/x509_str.c
@julek-wolfssl
julek-wolfssl marked this pull request as ready for review July 14, 2026 13:19
@github-actions

Copy link
Copy Markdown

retest this please

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown

OpenVPN master keeps CRLs in its own stack and passes them to each
verification with X509_STORE_CTX_set0_crls from its cert verify
callback. CRLs are no longer loaded into the store.

- Add wolfSSL_X509_STORE_CTX_set0_crls. The ctx borrows the stack.
- Check the ctx CRLs in X509StoreVerifyCert. They can revoke a cert the
  CertManager accepted and can satisfy the CRL requirement when the
  CertManager has no CRL loaded. The check runs after the date override
  handling so that a revocation is not masked by an overridden date
  error. A stale CRL in the stack does not fail the check when another
  CRL vouches for the cert.
- Add CheckCertCRLFromCm to check a cert against a caller-owned CRL
  using the cm of the store for CRL signature verification. The CRL
  object is not modified and the cached verification result of the
  entries is not used because it is only valid for the owning cm.
- Pass the good result of the cert verify callback to the following
  verify callbacks in DoVerifyCallback. In OpenSSL the cert verify
  callback replaces chain verification so the verify callbacks only see
  its result. OpenVPN needs this to run its per-cert verification.
- Re-add OpenVPN master to CI testing.
Fixes a heap-use-after-free found by ASAN in the sanitize-asan CI
config. wolfSSL_X509_verify_cert filled ctx->chain with borrowed
pointers while CleanupStoreCtxCallback frees the chain members it
expects from X509_STORE_CTX_get_chain. Calling X509_verify_cert from a
cert verify callback, like OpenVPN does, freed the certs twice. Take a
reference for each cert pushed onto the chain and free the members
whenever the chain is freed, like OpenSSL.

Also address review comments:
- Pass a cert verify callback failure on to the following verify
  callbacks as preverify_ok = 0.
- Only define X509_STORE_CTX_set0_crls with HAVE_CRL.
@julek-wolfssl
julek-wolfssl force-pushed the julek-dev/openvpn-set0-crls branch from 5f40197 to e43eb4e Compare July 16, 2026 12:09
@julek-wolfssl

Copy link
Copy Markdown
Member Author

retest this please

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants