X509_STORE_CTX_set0_crls: implement for OpenVPN#10896
Open
julek-wolfssl wants to merge 2 commits into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds OpenSSL-compat support for supplying a caller-owned CRL stack to per-verification contexts (needed by OpenVPN’s X509_STORE_CTX_set0_crls usage), and updates verification/CRL-checking logic so these CRLs participate correctly in chain validation and callback flows.
Changes:
- Add
wolfSSL_X509_STORE_CTX_set0_crlsand store a borrowed CRL stack pointer onWOLFSSL_X509_STORE_CTX. - Extend verification to consult ctx-supplied CRLs (including a new
CheckCertCRLFromCmpath that verifies CRL signatures using the store’s cert manager). - Adjust verify-callback result propagation and re-enable OpenVPN
masterin CI; add unit tests for the new behavior.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
wolfssl/ssl.h |
Adds crls field to WOLFSSL_X509_STORE_CTX and declares wolfSSL_X509_STORE_CTX_set0_crls. |
wolfssl/openssl/ssl.h |
Adds OpenSSL-compat macro X509_STORE_CTX_set0_crls. |
wolfssl/crl.h |
Declares internal helper CheckCertCRLFromCm. |
src/x509_str.c |
Implements wolfSSL_X509_STORE_CTX_set0_crls and consults ctx CRLs during X509StoreVerifyCert. |
src/crl.c |
Adds cm-parameterized CRL checking to support verifying caller-owned CRLs with a different WOLFSSL_CERT_MANAGER. |
src/internal.c |
Adjusts verify-callback flow to pass cert-verify callback success onward. |
tests/api/test_ossl_x509_str.h |
Registers new unit tests for ctx CRL stack behavior. |
tests/api/test_ossl_x509_str.c |
Adds unit tests for X509_STORE_CTX_set0_crls (direct and handshake/callback scenarios). |
.github/workflows/openvpn.yml |
Re-adds OpenVPN master to the CI test matrix. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
julek-wolfssl
marked this pull request as ready for review
July 14, 2026 13:19
|
retest this please |
|
OpenVPN master keeps CRLs in its own stack and passes them to each verification with X509_STORE_CTX_set0_crls from its cert verify callback. CRLs are no longer loaded into the store. - Add wolfSSL_X509_STORE_CTX_set0_crls. The ctx borrows the stack. - Check the ctx CRLs in X509StoreVerifyCert. They can revoke a cert the CertManager accepted and can satisfy the CRL requirement when the CertManager has no CRL loaded. The check runs after the date override handling so that a revocation is not masked by an overridden date error. A stale CRL in the stack does not fail the check when another CRL vouches for the cert. - Add CheckCertCRLFromCm to check a cert against a caller-owned CRL using the cm of the store for CRL signature verification. The CRL object is not modified and the cached verification result of the entries is not used because it is only valid for the owning cm. - Pass the good result of the cert verify callback to the following verify callbacks in DoVerifyCallback. In OpenSSL the cert verify callback replaces chain verification so the verify callbacks only see its result. OpenVPN needs this to run its per-cert verification. - Re-add OpenVPN master to CI testing.
Fixes a heap-use-after-free found by ASAN in the sanitize-asan CI config. wolfSSL_X509_verify_cert filled ctx->chain with borrowed pointers while CleanupStoreCtxCallback frees the chain members it expects from X509_STORE_CTX_get_chain. Calling X509_verify_cert from a cert verify callback, like OpenVPN does, freed the certs twice. Take a reference for each cert pushed onto the chain and free the members whenever the chain is freed, like OpenSSL. Also address review comments: - Pass a cert verify callback failure on to the following verify callbacks as preverify_ok = 0. - Only define X509_STORE_CTX_set0_crls with HAVE_CRL.
julek-wolfssl
force-pushed
the
julek-dev/openvpn-set0-crls
branch
from
July 16, 2026 12:09
5f40197 to
e43eb4e
Compare
Member
Author
|
retest this please |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
OpenVPN master keeps CRLs in its own stack and passes them to each verification with
X509_STORE_CTX_set0_crlsfrom its cert verify callback. CRLs are no longer loaded into the store.wolfSSL_X509_STORE_CTX_set0_crls. The ctx borrows the stack.X509StoreVerifyCert. They can revoke a cert the CertManager accepted and can satisfy the CRL requirement when the CertManager has no CRL loaded. The check runs after the date override handling so that a revocation is not masked by an overridden date error. A stale CRL in the stack does not fail the check when another CRL vouches for the cert.CheckCertCRLFromCmto check a cert against a caller-owned CRL using the cm of the store for CRL signature verification. The CRL object is not modified and the cached verification result of the entries is not used because it is only valid for the owning cm.DoVerifyCallback. In OpenSSL the cert verify callback replaces chain verification so the verify callbacks only see its result. OpenVPN needs this to run its per-cert verification.Test plan
tests/api/test_ossl_x509_str.cunit tests pass