diff --git a/ChangeLog b/ChangeLog index c6feb63d9..58ff14734 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,8 @@ Bugfix public macro MBEDTLS_X509_ID_FLAG. This could lead to invalid evaluation in case operators binding less strongly than subtraction were used for the parameter. + * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl + sni entry parameter. Reported by inestlerode in #560. Changes * Server's RSA certificate in certs.c was SHA-1 signed. In the default diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 9fe797ee6..5ee90ac35 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -290,8 +290,14 @@ int main( void ) #endif /* MBEDTLS_SSL_CACHE_C */ #if defined(SNI_OPTION) +#if defined(MBEDTLS_X509_CRL_PARSE_C) +#define SNI_CRL ",crl" +#else +#define SNI_CRL "" +#endif + #define USAGE_SNI \ - " sni=%%s name1,cert1,key1,ca1,crl1,auth1[,...]\n" \ + " sni=%%s name1,cert1,key1,ca1"SNI_CRL",auth1[,...]\n" \ " default: disabled\n" #else #define USAGE_SNI "" @@ -725,10 +731,10 @@ void sni_free( sni_entry *head ) mbedtls_x509_crt_free( cur->ca ); mbedtls_free( cur->ca ); - +#if defined(MBEDTLS_X509_CRL_PARSE_C) mbedtls_x509_crl_free( cur->crl ); mbedtls_free( cur->crl ); - +#endif next = cur->next; mbedtls_free( cur ); cur = next; @@ -747,7 +753,10 @@ sni_entry *sni_parse( char *sni_string ) sni_entry *cur = NULL, *new = NULL; char *p = sni_string; char *end = p; - char *crt_file, *key_file, *ca_file, *crl_file, *auth_str; + char *crt_file, *key_file, *ca_file, *auth_str; +#if defined(MBEDTLS_X509_CRL_PARSE_C) + char *crl_file; +#endif while( *end != '\0' ) ++end; @@ -765,7 +774,9 @@ sni_entry *sni_parse( char *sni_string ) GET_ITEM( crt_file ); GET_ITEM( key_file ); GET_ITEM( ca_file ); +#if defined(MBEDTLS_X509_CRL_PARSE_C) GET_ITEM( crl_file ); +#endif GET_ITEM( auth_str ); if( ( new->cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) ) ) == NULL || @@ -790,6 +801,7 @@ sni_entry *sni_parse( char *sni_string ) goto error; } +#if defined(MBEDTLS_X509_CRL_PARSE_C) if( strcmp( crl_file, "-" ) != 0 ) { if( ( new->crl = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) ) ) == NULL ) @@ -800,6 +812,7 @@ sni_entry *sni_parse( char *sni_string ) if( mbedtls_x509_crl_parse_file( new->crl, crl_file ) != 0 ) goto error; } +#endif if( strcmp( auth_str, "-" ) != 0 ) {