WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix bug in ParseCRL_Extensions

pull/8587/head
Lealem Amedie 2025-05-30 10:20:02 -06:00
parent 7898823d42
commit 02a49693e2
7 changed files with 228 additions and 116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
src/crl.c
View File

@ -135,7 +135,10 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
#endif #endif
dcrl->certs = NULL; dcrl->certs = NULL;
crle->totalCerts = dcrl->totalCerts; crle->totalCerts = dcrl->totalCerts;
crle->crlNumber = dcrl->crlNumber; crle->crlNumberSet = dcrl->crlNumberSet;
if (crle->crlNumberSet) {
XMEMCPY(crle->crlNumber, dcrl->crlNumber, CRL_MAX_NUM_SZ);
}
crle->verified = verified; crle->verified = verified;
if (!verified) { if (!verified) {
crle->tbsSz = dcrl->sigIndex - dcrl->certBegin; crle->tbsSz = dcrl->sigIndex - dcrl->certBegin;
@ -587,7 +590,9 @@ static void SetCrlInfo(CRL_Entry* entry, CrlInfo *info)
info->nextDate = (byte *)entry->nextDate; info->nextDate = (byte *)entry->nextDate;
info->nextDateMaxLen = MAX_DATE_SIZE; info->nextDateMaxLen = MAX_DATE_SIZE;
info->nextDateFormat = entry->nextDateFormat; info->nextDateFormat = entry->nextDateFormat;
info->crlNumber = (sword32)entry->crlNumber; info->crlNumberSet = entry->crlNumberSet;
if (info->crlNumberSet)
XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_SZ);
} }
static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info) static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
@ -600,10 +605,55 @@ static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
info->nextDate = (byte *)entry->nextDate; info->nextDate = (byte *)entry->nextDate;
info->nextDateMaxLen = MAX_DATE_SIZE; info->nextDateMaxLen = MAX_DATE_SIZE;
info->nextDateFormat = entry->nextDateFormat; info->nextDateFormat = entry->nextDateFormat;
info->crlNumber = (sword32)entry->crlNumber; info->crlNumberSet = entry->crlNumberSet;
if (info->crlNumberSet)
XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_SZ);
} }
#endif #endif
/* Returns MP_GT if prev crlNumber is smaller
* MP_EQ if equal
* MP_LT if prev crlNumber is larger */
static int CompareCRLnumber(CRL_Entry* prev, CRL_Entry* curr)
{
int ret = 0;
DECL_MP_INT_SIZE_DYN(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT,
CRL_MAX_NUM_SZ * CHAR_BIT);
DECL_MP_INT_SIZE_DYN(curr_num, CRL_MAX_NUM_SZ * CHAR_BIT,
CRL_MAX_NUM_SZ * CHAR_BIT);
NEW_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
NEW_MP_INT_SIZE(curr_num, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
#ifdef MP_INT_SIZE_CHECK_NULL
if ((prev_num == NULL) || (curr_num == NULL)) {
ret = MEMORY_E;
}
#endif
if (ret == 0 && ((INIT_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT)
!= MP_OKAY) || (INIT_MP_INT_SIZE(curr_num,
CRL_MAX_NUM_SZ * CHAR_BIT)) != MP_OKAY)) {
ret = MP_INIT_E;
}
if (ret == 0 && (mp_read_radix(prev_num, (char*)prev->crlNumber,
MP_RADIX_HEX) != MP_OKAY ||
mp_read_radix(curr_num, (char*)curr->crlNumber,
MP_RADIX_HEX) != MP_OKAY)) {
ret = BAD_FUNC_ARG;
}
if (ret == 0)
ret = mp_cmp(prev_num, curr_num);
FREE_MP_INT_SIZE(prev_num, NULL, DYNAMIC_TYPE_TMP_BUFFER);
FREE_MP_INT_SIZE(curr_num, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return ret;
}
/* Add Decoded CRL, 0 on success */ /* Add Decoded CRL, 0 on success */
static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff, static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
int verified) int verified)
@ -615,6 +665,7 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
CrlInfo old; CrlInfo old;
CrlInfo cnew; CrlInfo cnew;
#endif #endif
int ret = 0;
WOLFSSL_ENTER("AddCRL"); WOLFSSL_ENTER("AddCRL");
@ -645,12 +696,19 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
for (curr = crl->crlList; curr != NULL; curr = curr->next) { for (curr = crl->crlList; curr != NULL; curr = curr->next) {
if (XMEMCMP(curr->issuerHash, crle->issuerHash, CRL_DIGEST_SIZE) == 0) { if (XMEMCMP(curr->issuerHash, crle->issuerHash, CRL_DIGEST_SIZE) == 0) {
if (crle->crlNumber <= curr->crlNumber) { ret = CompareCRLnumber(crle, curr);
/* Error out if the CRL we're attempting to add isn't more
* authoritative than the existing entry */
if (ret == MP_LT || ret == MP_EQ) {
WOLFSSL_MSG("Same or newer CRL entry already exists"); WOLFSSL_MSG("Same or newer CRL entry already exists");
CRL_Entry_free(crle, crl->heap); CRL_Entry_free(crle, crl->heap);
wc_UnLockRwLock(&crl->crlLock); wc_UnLockRwLock(&crl->crlLock);
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
else if (ret < 0) {
WOLFSSL_MSG("Error comparing CRL Numbers");
return ret;
}
crle->next = curr->next; crle->next = curr->next;
if (prev != NULL) { if (prev != NULL) {

127
src/x509.c
View File

@ -6414,8 +6414,7 @@ static int X509PrintSerial_ex(WOLFSSL_BIO* bio, byte* serial, int sz,
scratch + scratchLen, scratchSz - scratchLen, scratch + scratchLen, scratchSz - scratchLen,
"%02x%s", serial[i], (i < sz - 1) ? "%02x%s", serial[i], (i < sz - 1) ?
(delimiter ? ":" : "") : "\n")) (delimiter ? ":" : "") : "\n"))
>= scratchSz - scratchLen) >= scratchSz - scratchLen) {
{
WOLFSSL_MSG("buffer overrun"); WOLFSSL_MSG("buffer overrun");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
@ -6428,10 +6427,8 @@ static int X509PrintSerial_ex(WOLFSSL_BIO* bio, byte* serial, int sz,
/* if serial can fit into byte then print on the same line */ /* if serial can fit into byte then print on the same line */
else { else {
if ((scratchLen = XSNPRINTF( if ((scratchLen = XSNPRINTF(scratch, MAX_WIDTH, " %d (0x%x)\n",
scratch, MAX_WIDTH, " %d (0x%x)\n", serial[0], serial[0])) (char)serial[0], serial[0])) >= MAX_WIDTH) {
>= MAX_WIDTH)
{
WOLFSSL_MSG("buffer overrun"); WOLFSSL_MSG("buffer overrun");
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
@ -8870,85 +8867,135 @@ static int X509CRLPrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl,
int indent) int indent)
{ {
char tmp[MAX_WIDTH]; /* buffer for XSNPRINTF */ char tmp[MAX_WIDTH]; /* buffer for XSNPRINTF */
int ret = 0;
if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent, "", if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent, "",
"CRL extensions:") >= MAX_WIDTH) { "CRL extensions:") >= MAX_WIDTH) {
return WOLFSSL_FAILURE; ret = WOLFSSL_FAILURE;
} }
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
return WOLFSSL_FAILURE; ret = WOLFSSL_FAILURE;
} }
if (crl->crlList->crlNumber) { if (ret == 0 && crl->crlList->crlNumberSet) {
if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 4, "", char dec_string[49]; /* 20 octets can express numbers up to approx
49 decimal digits */
int freeMp = 0;
#ifdef WOLFSSL_SMALL_STACK
mp_int* dec_num = (mp_int*)XMALLOC(sizeof(*dec_num), NULL,
DYNAMIC_TYPE_BIGINT);
if (dec_num == NULL) {
ret = MEMORY_E;
}
#else
mp_int dec_num[1];
#endif
if (ret == 0 && (mp_init(dec_num) != MP_OKAY)) {
ret = MP_INIT_E;
}
else if (ret == 0) {
freeMp = 1;
}
if (ret == 0 && mp_read_radix(dec_num, (char *)crl->crlList->crlNumber,
MP_RADIX_HEX) != MP_OKAY) {
ret = WOLFSSL_FAILURE;
}
if (ret == 0 && mp_toradix(dec_num, dec_string, MP_RADIX_DEC)
!= MP_OKAY) {
ret = WOLFSSL_FAILURE;
}
if (ret == 0 && XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 4, "",
"X509v3 CRL Number:") >= MAX_WIDTH) { "X509v3 CRL Number:") >= MAX_WIDTH) {
return WOLFSSL_FAILURE; ret = WOLFSSL_FAILURE;
} }
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
return WOLFSSL_FAILURE; ret = WOLFSSL_FAILURE;
} }
if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%d\n", indent + 8, "", if (ret == 0 && XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 8, "",
crl->crlList->crlNumber) >= MAX_WIDTH) dec_string) >= MAX_WIDTH) {
{ ret = WOLFSSL_FAILURE;
return WOLFSSL_FAILURE;
} }
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
return WOLFSSL_FAILURE; if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
ret = WOLFSSL_FAILURE;
} }
XMEMSET(tmp, 0, sizeof(tmp)); XMEMSET(tmp, 0, sizeof(tmp));
if (freeMp) {
mp_free(dec_num);
}
#ifdef WOLFSSL_SMALL_STACK
XFREE(dec_num, NULL, DYNAMIC_TYPE_BIGINT);
#endif
} }
#if !defined(NO_SKID) #if !defined(NO_SKID)
if (crl->crlList->extAuthKeyIdSet && crl->crlList->extAuthKeyId[0] != 0) { if (ret == 0 && crl->crlList->extAuthKeyIdSet &&
crl->crlList->extAuthKeyId[0] != 0) {
word32 i; word32 i;
char val[5]; char val[5];
int valSz = 5; int valSz = 5;
if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s", indent + 4, "", if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s", indent + 4, "",
"X509v3 Authority Key Identifier:") >= MAX_WIDTH) { "X509v3 Authority Key Identifier:") >= MAX_WIDTH) {
return WOLFSSL_FAILURE; ret = WOLFSSL_FAILURE;
} }
XSTRNCAT(tmp, "\n", MAX_WIDTH - XSTRLEN(tmp) - 1); if (ret == 0) {
XSTRNCAT(tmp, "\n", MAX_WIDTH - XSTRLEN(tmp) - 1);
}
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
return WOLFSSL_FAILURE; ret = WOLFSSL_FAILURE;
} }
XMEMSET(tmp, 0, MAX_WIDTH); XMEMSET(tmp, 0, MAX_WIDTH);
if (XSNPRINTF(tmp, MAX_WIDTH - 1, "%*s%s", if (ret == 0 && XSNPRINTF(tmp, MAX_WIDTH - 1, "%*s%s",
indent + 8, "", "keyid") >= MAX_WIDTH) { indent + 8, "", "keyid") >= MAX_WIDTH) {
return WOLFSSL_FAILURE; ret = WOLFSSL_FAILURE;
} }
for (i = 0; i < XSTRLEN((char*)crl->crlList->extAuthKeyId); i++) { for (i = 0; i < XSTRLEN((char*)crl->crlList->extAuthKeyId); i++) {
/* check if buffer is almost full */ /* check if buffer is almost full */
if (XSTRLEN(tmp) >= sizeof(tmp) - valSz) { if (ret == 0 && XSTRLEN(tmp) >= sizeof(tmp) - valSz) {
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
return WOLFSSL_FAILURE; ret = WOLFSSL_FAILURE;
} }
tmp[0] = '\0'; tmp[0] = '\0';
} }
if (XSNPRINTF(val, (size_t)valSz, ":%02X", if (ret == 0 && XSNPRINTF(val, (size_t)valSz, ":%02X",
crl->crlList->extAuthKeyId[i]) >= valSz) crl->crlList->extAuthKeyId[i]) >= valSz) {
{
WOLFSSL_MSG("buffer overrun"); WOLFSSL_MSG("buffer overrun");
return WOLFSSL_FAILURE; ret = WOLFSSL_FAILURE;
}
if (ret == 0) {
XSTRNCAT(tmp, val, valSz);
} }
XSTRNCAT(tmp, val, valSz);
} }
XSTRNCAT(tmp, "\n", XSTRLEN("\n") + 1); if (ret == 0) {
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { XSTRNCAT(tmp, "\n", XSTRLEN("\n") + 1);
return WOLFSSL_FAILURE; }
if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
ret = WOLFSSL_FAILURE;
} }
} }
#endif #endif
return WOLFSSL_SUCCESS; if (ret == 0) {
ret = WOLFSSL_SUCCESS;
}
return ret;
} }
/* iterate through a CRL's Revoked Certs and print out in human /* iterate through a CRL's Revoked Certs and print out in human
@ -9180,7 +9227,7 @@ void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl)
} }
#endif /* HAVE_CRL && (OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL) */ #endif /* HAVE_CRL && (OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL) */
#ifdef OPENSSL_EXTRA #if defined(HAVE_CRL) && defined(OPENSSL_EXTRA)
WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl)
{ {
if ((crl != NULL) && (crl->crlList != NULL) && if ((crl != NULL) && (crl->crlList != NULL) &&
@ -9210,7 +9257,7 @@ int wolfSSL_X509_CRL_verify(WOLFSSL_X509_CRL* crl, WOLFSSL_EVP_PKEY* key)
return 0; return 0;
} }
#endif #endif
#endif /* OPENSSL_EXTRA */ #endif /* HAVE_CRL && OPENSSL_EXTRA */
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA

13
tests/api.c
View File

@ -42980,7 +42980,8 @@ static int test_wolfSSL_X509V3_set_ctx(void)
{ {
EXPECT_DECLS; EXPECT_DECLS;
#if (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && \ #if (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && \
defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \
defined(HAVE_CRL)
WOLFSSL_X509V3_CTX ctx; WOLFSSL_X509V3_CTX ctx;
WOLFSSL_X509* issuer = NULL; WOLFSSL_X509* issuer = NULL;
WOLFSSL_X509* subject = NULL; WOLFSSL_X509* subject = NULL;
@ -56410,7 +56411,7 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew)
AssertTrue((f = XFOPEN(crl1, "rb")) != XBADFILE); AssertTrue((f = XFOPEN(crl1, "rb")) != XBADFILE);
AssertTrue(XFSEEK(f, 0, XSEEK_END) == 0); AssertTrue(XFSEEK(f, 0, XSEEK_END) == 0);
AssertIntGE(sz = (size_t) XFTELL(f), 1); AssertIntGE(sz = (word32) XFTELL(f), 1);
AssertTrue(XFSEEK(f, 0, XSEEK_SET) == 0); AssertTrue(XFSEEK(f, 0, XSEEK_SET) == 0);
AssertTrue( \ AssertTrue( \
(crl1Buff = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)) != NULL); (crl1Buff = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)) != NULL);
@ -56420,7 +56421,7 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew)
AssertTrue((f = XFOPEN(crlRevoked, "rb")) != XBADFILE); AssertTrue((f = XFOPEN(crlRevoked, "rb")) != XBADFILE);
AssertTrue(XFSEEK(f, 0, XSEEK_END) == 0); AssertTrue(XFSEEK(f, 0, XSEEK_END) == 0);
AssertIntGE(sz = (size_t) XFTELL(f), 1); AssertIntGE(sz = (word32) XFTELL(f), 1);
AssertTrue(XFSEEK(f, 0, XSEEK_SET) == 0); AssertTrue(XFSEEK(f, 0, XSEEK_SET) == 0);
AssertTrue( \ AssertTrue( \
(crlRevBuff = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)) != NULL); (crlRevBuff = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)) != NULL);
@ -56441,7 +56442,8 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew)
AssertIntEQ(crl1Info.lastDateFormat, old->lastDateFormat); AssertIntEQ(crl1Info.lastDateFormat, old->lastDateFormat);
AssertIntEQ(crl1Info.nextDateMaxLen, old->nextDateMaxLen); AssertIntEQ(crl1Info.nextDateMaxLen, old->nextDateMaxLen);
AssertIntEQ(crl1Info.nextDateFormat, old->nextDateFormat); AssertIntEQ(crl1Info.nextDateFormat, old->nextDateFormat);
AssertIntEQ(crl1Info.crlNumber, old->crlNumber); AssertIntEQ(XMEMCMP(
crl1Info.crlNumber, old->crlNumber, CRL_MAX_NUM_SZ), 0);
AssertIntEQ(XMEMCMP( AssertIntEQ(XMEMCMP(
crl1Info.issuerHash, old->issuerHash, old->issuerHashLen), 0); crl1Info.issuerHash, old->issuerHash, old->issuerHashLen), 0);
AssertIntEQ(XMEMCMP( AssertIntEQ(XMEMCMP(
@ -56455,7 +56457,8 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew)
AssertIntEQ(crlRevInfo.lastDateFormat, cnew->lastDateFormat); AssertIntEQ(crlRevInfo.lastDateFormat, cnew->lastDateFormat);
AssertIntEQ(crlRevInfo.nextDateMaxLen, cnew->nextDateMaxLen); AssertIntEQ(crlRevInfo.nextDateMaxLen, cnew->nextDateMaxLen);
AssertIntEQ(crlRevInfo.nextDateFormat, cnew->nextDateFormat); AssertIntEQ(crlRevInfo.nextDateFormat, cnew->nextDateFormat);
AssertIntEQ(crlRevInfo.crlNumber, cnew->crlNumber); AssertIntEQ(XMEMCMP(
crlRevInfo.crlNumber, cnew->crlNumber, CRL_MAX_NUM_SZ), 0);
AssertIntEQ(XMEMCMP( AssertIntEQ(XMEMCMP(
crlRevInfo.issuerHash, cnew->issuerHash, cnew->issuerHashLen), 0); crlRevInfo.issuerHash, cnew->issuerHash, cnew->issuerHashLen), 0);
AssertIntEQ(XMEMCMP( AssertIntEQ(XMEMCMP(

115
wolfcrypt/src/asn.c
View File

@ -40263,50 +40263,39 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
return ret; return ret;
} }
else { else {
if (length > 1) { DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ * CHAR_BIT,
int i; CRL_MAX_NUM_SZ * CHAR_BIT);
#ifdef WOLFSSL_SMALL_STACK NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
mp_int* m = (mp_int*)XMALLOC(sizeof(*m), NULL, DYNAMIC_TYPE_TMP_BUFFER);
DYNAMIC_TYPE_BIGINT); #ifdef MP_INT_SIZE_CHECK_NULL
if (m == NULL) { if (m == NULL) {
return MEMORY_E; ret = MEMORY_E;
}
#else
mp_int m[1];
#endif
if (mp_init(m) != MP_OKAY) {
ret = MP_INIT_E;
}
if (ret == 0)
ret = mp_read_unsigned_bin(m, buf + idx, length);
if (ret != MP_OKAY)
ret = BUFFER_E;
if (ret == 0) {
dcrl->crlNumber = 0;
for (i = 0; i < (int)(*m).used; ++i) {
if (i > (CHAR_BIT *
(int)sizeof(word32) / DIGIT_BIT)) {
break;
}
dcrl->crlNumber |= ((word32)(*m).dp[i]) <<
(DIGIT_BIT * i);
}
}
mp_free(m);
#ifdef WOLFSSL_SMALL_STACK
XFREE(m, NULL, DYNAMIC_TYPE_BIGINT);
#endif
if (ret != 0)
return ret;
} }
else if (length == 1) { #endif
dcrl->crlNumber = buf[idx];
if (ret == 0 && ((ret = INIT_MP_INT_SIZE(m, CRL_MAX_NUM_SZ
* CHAR_BIT)) != MP_OKAY)) {
ret = MP_INIT_E;
} }
if (ret == MP_OKAY)
ret = mp_read_unsigned_bin(m, buf + idx, length);
if (ret != MP_OKAY)
ret = BUFFER_E;
if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber,
MP_RADIX_HEX) != MP_OKAY)
ret = BUFFER_E;
if (ret == MP_OKAY) {
dcrl->crlNumberSet = 1;
}
FREE_MP_INT_SIZE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (ret != MP_OKAY)
return ret;
} }
} }
} }
@ -40349,6 +40338,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
ret = GetASN_Items(certExtASN, dataASN, certExtASN_Length, 0, buf, &idx, ret = GetASN_Items(certExtASN, dataASN, certExtASN_Length, 0, buf, &idx,
maxIdx); maxIdx);
if (ret == 0) { if (ret == 0) {
word32 localIdx = idx;
/* OID in extension. */ /* OID in extension. */
word32 oid = dataASN[CERTEXTASN_IDX_OID].data.oid.sum; word32 oid = dataASN[CERTEXTASN_IDX_OID].data.oid.sum;
/* Length of extension data. */ /* Length of extension data. */
@ -40358,39 +40348,42 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
#ifndef NO_SKID #ifndef NO_SKID
/* Parse Authority Key Id extension. /* Parse Authority Key Id extension.
* idx is at start of OCTET_STRING data. */ * idx is at start of OCTET_STRING data. */
ret = ParseCRL_AuthKeyIdExt(buf + idx, length, dcrl); ret = ParseCRL_AuthKeyIdExt(buf + localIdx, length, dcrl);
if (ret != 0) { if (ret != 0) {
WOLFSSL_MSG("\tcouldn't parse AuthKeyId extension"); WOLFSSL_MSG("\tcouldn't parse AuthKeyId extension");
} }
#endif #endif
} }
else if (oid == CRL_NUMBER_OID) { else if (oid == CRL_NUMBER_OID) {
#ifdef WOLFSSL_SMALL_STACK DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ * CHAR_BIT,
mp_int* m = (mp_int*)XMALLOC(sizeof(*m), NULL, CRL_MAX_NUM_SZ * CHAR_BIT);
DYNAMIC_TYPE_BIGINT); NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ * CHAR_BIT, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
#ifdef MP_INT_SIZE_CHECK_NULL
if (m == NULL) { if (m == NULL) {
ret = MEMORY_E; ret = MEMORY_E;
} }
#else
mp_int m[1];
#endif #endif
if (ret == 0) { if (ret == 0 && (INIT_MP_INT_SIZE(m, CRL_MAX_NUM_SZ * CHAR_BIT)
if (mp_init(m) != MP_OKAY) { != MP_OKAY)) {
ret = MP_INIT_E; ret = MP_INIT_E;
}
}
if (ret == 0) {
ret = GetInt(m, buf, &idx, maxIdx);
}
if (ret == 0) {
dcrl->crlNumber = (int)m->dp[0];
} }
mp_free(m); if (ret == 0) {
#ifdef WOLFSSL_SMALL_STACK ret = GetInt(m, buf, &localIdx, maxIdx);
XFREE(m, NULL, DYNAMIC_TYPE_BIGINT); }
#endif
if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber,
MP_RADIX_HEX) != MP_OKAY)
ret = BUFFER_E;
if (ret == 0) {
dcrl->crlNumberSet = 1;
}
FREE_MP_INT_SIZE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER);
} }
/* TODO: check criticality */ /* TODO: check criticality */
/* Move index on to next extension. */ /* Move index on to next extension. */

8
wolfssl/internal.h
View File

@ -2548,6 +2548,8 @@ typedef struct CRL_Entry CRL_Entry;
#error CRL_MAX_REVOKED_CERTS too big, max is 22000 #error CRL_MAX_REVOKED_CERTS too big, max is 22000
#endif #endif
#endif #endif
#ifdef HAVE_CRL
/* Complete CRL */ /* Complete CRL */
struct CRL_Entry { struct CRL_Entry {
byte* toBeSigned; byte* toBeSigned;
@ -2560,6 +2562,7 @@ struct CRL_Entry {
/* DupCRL_Entry copies data after the `verifyMutex` member. Using the mutex /* DupCRL_Entry copies data after the `verifyMutex` member. Using the mutex
* as the marker because clang-tidy doesn't like taking the sizeof a * as the marker because clang-tidy doesn't like taking the sizeof a
* pointer. */ * pointer. */
byte crlNumber[CRL_MAX_NUM_SZ]; /* CRL number extension */
byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */
/* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */
/* restore the hash here if needed for optimized comparisons */ /* restore the hash here if needed for optimized comparisons */
@ -2587,10 +2590,10 @@ struct CRL_Entry {
byte* sigParams; /* buffer with signature parameters */ byte* sigParams; /* buffer with signature parameters */
#endif #endif
#if !defined(NO_SKID) && !defined(NO_ASN) #if !defined(NO_SKID) && !defined(NO_ASN)
byte extAuthKeyIdSet;
byte extAuthKeyId[KEYID_SIZE]; byte extAuthKeyId[KEYID_SIZE];
byte extAuthKeyIdSet:1; /* Auth key identifier set indicator */
#endif #endif
int crlNumber; /* CRL number extension */ byte crlNumberSet:1; /* CRL number set indicator */
}; };
@ -2643,6 +2646,7 @@ struct WOLFSSL_CRL {
#endif #endif
void* heap; /* heap hint for dynamic memory */ void* heap; /* heap hint for dynamic memory */
}; };
#endif
#ifdef NO_ASN #ifdef NO_ASN

3
wolfssl/ssl.h
View File

@ -3749,6 +3749,7 @@ typedef int (*CbCrlIO)(WOLFSSL_CRL* crl, const char* url, int urlSz);
#ifdef HAVE_CRL_UPDATE_CB #ifdef HAVE_CRL_UPDATE_CB
typedef struct CrlInfo { typedef struct CrlInfo {
byte crlNumber[CRL_MAX_NUM_SZ];
byte *issuerHash; byte *issuerHash;
word32 issuerHashLen; word32 issuerHashLen;
byte *lastDate; byte *lastDate;
@ -3757,7 +3758,7 @@ typedef struct CrlInfo {
byte *nextDate; byte *nextDate;
word32 nextDateMaxLen; word32 nextDateMaxLen;
byte nextDateFormat; byte nextDateFormat;
sword32 crlNumber; byte crlNumberSet:1;
} CrlInfo; } CrlInfo;
typedef void (*CbUpdateCRL)(CrlInfo* old, CrlInfo* cnew); typedef void (*CbUpdateCRL)(CrlInfo* old, CrlInfo* cnew);

12
wolfssl/wolfcrypt/asn.h
View File

@ -2610,6 +2610,11 @@ struct RevokedCert {
byte revDateFormat; byte revDateFormat;
}; };
#ifndef CRL_MAX_NUM_SZ
#define CRL_MAX_NUM_SZ 20 /* RFC5280 states that CRL number can be up to 20 */
#endif /* octets long */
typedef struct DecodedCRL DecodedCRL; typedef struct DecodedCRL DecodedCRL;
struct DecodedCRL { struct DecodedCRL {
@ -2622,6 +2627,7 @@ struct DecodedCRL {
word32 sigParamsLength; /* length of signature parameters */ word32 sigParamsLength; /* length of signature parameters */
#endif #endif
byte* signature; /* pointer into raw source, not owned */ byte* signature; /* pointer into raw source, not owned */
byte crlNumber[CRL_MAX_NUM_SZ]; /* CRL number extension */
byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */ byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */
byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */
@ -2637,10 +2643,10 @@ struct DecodedCRL {
int version; /* version of cert */ int version; /* version of cert */
void* heap; void* heap;
#ifndef NO_SKID #ifndef NO_SKID
byte extAuthKeyIdSet; byte extAuthKeyId[SIGNER_DIGEST_SIZE]; /* Authority Key ID */
byte extAuthKeyId[SIGNER_DIGEST_SIZE]; /* Authority Key ID */ WC_BITFIELD extAuthKeyIdSet:1; /* Auth key identifier set indicator */
#endif #endif
int crlNumber; /* CRL number extension */ WC_BITFIELD crlNumberSet:1; /* CRL number set indicator */
}; };
WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL* dcrl, void* heap); WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL* dcrl, void* heap);