wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5559 from tmael/crl_bs_p

Browse Source
This commit is contained in:
Hayden Roche
2022-10-09 09:45:49 -07:00
committed by GitHub
parent 47ccd924c2 5704c83f78
commit 12bfa24ecc
4 changed files with 178 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

130
src/crl.c
View File

@ -20,8 +20,15 @@
*/ */
/* Name change compatibility layer no longer needs included here */ /*
CRL Options:
* CRL_STATIC_REVOKED_LIST: default: off
* Enables fixed static list of RevokedCerts to allow
* for a binary search.
* CRL_MAX_REVOKED_CERTS: default: 4
* Specifies the number of buffers to hold RevokedCerts.
* The default value is set to 4.
*/
#ifdef HAVE_CONFIG_H #ifdef HAVE_CONFIG_H
#include <config.h> #include <config.h>
#endif #endif
@ -56,7 +63,8 @@ int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
else else
crl->heap = NULL; crl->heap = NULL;
crl->cm = cm; crl->cm = cm;
crl->crlList = NULL; crl->crlList = NULL;
crl->currentEntry = NULL;
crl->monitors[0].path = NULL; crl->monitors[0].path = NULL;
crl->monitors[1].path = NULL; crl->monitors[1].path = NULL;
#ifdef HAVE_CRL_MONITOR #ifdef HAVE_CRL_MONITOR
@ -99,7 +107,12 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
return WOLFSSL_FAILURE; return WOLFSSL_FAILURE;
} }
#endif #endif
crle->certs = dcrl->certs; /* take ownsership */ #ifdef CRL_STATIC_REVOKED_LIST
/* ParseCRL_CertList() has already cached the Revoked certs into
the crle->certs array */
#else
crle->certs = dcrl->certs; /* take ownership */
#endif
dcrl->certs = NULL; dcrl->certs = NULL;
crle->totalCerts = dcrl->totalCerts; crle->totalCerts = dcrl->totalCerts;
crle->crlNumber = dcrl->crlNumber; crle->crlNumber = dcrl->crlNumber;
@ -141,6 +154,11 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
/* Free all CRL Entry resources */ /* Free all CRL Entry resources */
static void FreeCRL_Entry(CRL_Entry* crle, void* heap) static void FreeCRL_Entry(CRL_Entry* crle, void* heap)
{ {
#ifdef CRL_STATIC_REVOKED_LIST
if (crle != NULL) {
XMEMSET(crle->certs, 0, CRL_MAX_REVOKED_CERTS*sizeof(RevokedCert));
}
#else
RevokedCert* tmp = crle->certs; RevokedCert* tmp = crle->certs;
RevokedCert* next; RevokedCert* next;
@ -151,6 +169,7 @@ static void FreeCRL_Entry(CRL_Entry* crle, void* heap)
XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED); XFREE(tmp, heap, DYNAMIC_TYPE_REVOKED);
tmp = next; tmp = next;
} }
#endif
if (crle->signature != NULL) if (crle->signature != NULL)
XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY); XFREE(crle->signature, heap, DYNAMIC_TYPE_CRL_ENTRY);
if (crle->toBeSigned != NULL) if (crle->toBeSigned != NULL)
@ -178,6 +197,8 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
if (crl->monitors[1].path) if (crl->monitors[1].path)
XFREE(crl->monitors[1].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR); XFREE(crl->monitors[1].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR);
XFREE(crl->currentEntry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
crl->currentEntry = NULL;
while(tmp) { while(tmp) {
CRL_Entry* next = tmp->next; CRL_Entry* next = tmp->next;
FreeCRL_Entry(tmp, crl->heap); FreeCRL_Entry(tmp, crl->heap);
@ -208,7 +229,48 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
XFREE(crl, crl->heap, DYNAMIC_TYPE_CRL); XFREE(crl, crl->heap, DYNAMIC_TYPE_CRL);
} }
static int FindRevokedSerial(DecodedCert* cert, RevokedCert* rc, int totalCerts)
{
int ret = 0;
#ifdef CRL_STATIC_REVOKED_LIST
/* do binary search */
int low, high, mid;
low = 0;
high = totalCerts - 1;
while (low <= high) {
mid = (low + high) / 2;
if (XMEMCMP(rc[mid].serialNumber, cert->serial, rc->serialSz) < 0) {
low = mid + 1;
}
else if (XMEMCMP(rc[mid].serialNumber, cert->serial,
rc->serialSz) > 0) {
high = mid - 1;
}
else {
WOLFSSL_MSG("Cert revoked");
ret = CRL_CERT_REVOKED;
break;
}
}
#else
(void)totalCerts;
/* search in the linked list*/
while (rc) {
if (rc->serialSz == cert->serialSz &&
XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
WOLFSSL_MSG("Cert revoked");
ret = CRL_CERT_REVOKED;
break;
}
rc = rc->next;
}
#endif
return ret;
}
static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntry) static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntry)
{ {
CRL_Entry* crle; CRL_Entry* crle;
@ -338,17 +400,7 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr
} }
if (foundEntry) { if (foundEntry) {
RevokedCert* rc = crle->certs; ret = FindRevokedSerial(cert, crle->certs, crle->totalCerts);
while (rc) {
if (rc->serialSz == cert->serialSz &&
XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
WOLFSSL_MSG("Cert revoked");
ret = CRL_CERT_REVOKED;
break;
}
rc = rc->next;
}
} }
wc_UnLockMutex(&crl->crlLock); wc_UnLockMutex(&crl->crlLock);
@ -444,14 +496,22 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff, static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
int verified) int verified)
{ {
CRL_Entry* crle; CRL_Entry* crle = NULL;
WOLFSSL_ENTER("AddCRL"); WOLFSSL_ENTER("AddCRL");
crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), crl->heap, DYNAMIC_TYPE_CRL_ENTRY); if (crl == NULL)
if (crle == NULL) {
WOLFSSL_MSG("alloc CRL Entry failed");
return -1; return -1;
crle = crl->currentEntry;
if (crle == NULL) {
crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), crl->heap,
DYNAMIC_TYPE_CRL_ENTRY);
if (crle == NULL) {
WOLFSSL_MSG("alloc CRL Entry failed");
return MEMORY_E;
}
} }
if (InitCRL_Entry(crle, dcrl, buff, verified, crl->heap) < 0) { if (InitCRL_Entry(crle, dcrl, buff, verified, crl->heap) < 0) {
@ -466,9 +526,12 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
XFREE(crle, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); XFREE(crle, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
return BAD_MUTEX_E; return BAD_MUTEX_E;
} }
crle->next = crl->crlList; crle->next = crl->crlList;
crl->crlList = crle; crl->crlList = crle;
wc_UnLockMutex(&crl->crlLock); wc_UnLockMutex(&crl->crlLock);
/* Avoid heap-use-after-free after crl->crlList is released */
crl->currentEntry = NULL;
return 0; return 0;
} }
@ -517,10 +580,21 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type,
} }
#endif #endif
crl->currentEntry = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), crl->heap,
DYNAMIC_TYPE_CRL_ENTRY);
if (crl->currentEntry == NULL) {
WOLFSSL_MSG("alloc CRL Entry failed");
return MEMORY_E;
}
XMEMSET(crl->currentEntry, 0, sizeof(CRL_Entry));
InitDecodedCRL(dcrl, crl->heap); InitDecodedCRL(dcrl, crl->heap);
ret = ParseCRL(dcrl, myBuffer, (word32)sz, verify, crl->cm); ret = ParseCRL(crl->currentEntry->certs, dcrl, myBuffer, (word32)sz,
verify, crl->cm);
if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && verify == NO_VERIFY)) { if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && verify == NO_VERIFY)) {
WOLFSSL_MSG("ParseCRL error"); WOLFSSL_MSG("ParseCRL error");
XFREE(crl->currentEntry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY);
crl->currentEntry = NULL;
} }
else { else {
ret = AddCRL(crl, dcrl, myBuffer, ret != ASN_CRL_NO_SIGNER_E); ret = AddCRL(crl, dcrl, myBuffer, ret != ASN_CRL_NO_SIGNER_E);
@ -558,7 +632,7 @@ static WOLFSSL_X509_CRL* wolfSSL_X509_crl_new(WOLFSSL_CERT_MANAGER* cm)
return ret; return ret;
} }
#ifndef CRL_STATIC_REVOKED_LIST
/* returns head of copied list that was alloc'd */ /* returns head of copied list that was alloc'd */
static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap) static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
{ {
@ -599,12 +673,16 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap)
return head; return head;
} }
#endif /* CRL_STATIC_REVOKED_LIST */
/* returns a deep copy of ent on success and null on fail */ /* returns a deep copy of ent on success and null on fail */
static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap)
{ {
CRL_Entry *dupl; CRL_Entry *dupl;
#ifdef CRL_STATIC_REVOKED_LIST
if (ent->totalCerts > CRL_MAX_REVOKED_CERTS) {
return NULL;
}
#endif
dupl = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), heap, DYNAMIC_TYPE_CRL_ENTRY); dupl = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), heap, DYNAMIC_TYPE_CRL_ENTRY);
if (dupl == NULL) { if (dupl == NULL) {
WOLFSSL_MSG("alloc CRL Entry failed"); WOLFSSL_MSG("alloc CRL Entry failed");
@ -617,8 +695,12 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap)
XMEMCPY(dupl->nextDate, ent->nextDate, MAX_DATE_SIZE); XMEMCPY(dupl->nextDate, ent->nextDate, MAX_DATE_SIZE);
dupl->lastDateFormat = ent->lastDateFormat; dupl->lastDateFormat = ent->lastDateFormat;
dupl->nextDateFormat = ent->nextDateFormat; dupl->nextDateFormat = ent->nextDateFormat;
dupl->certs = DupRevokedCertList(ent->certs, heap);
#ifdef CRL_STATIC_REVOKED_LIST
XMEMCPY(dupl->certs, ent->certs, ent->totalCerts*sizeof(RevokedCert));
#else
dupl->certs = DupRevokedCertList(ent->certs, heap);
#endif
dupl->totalCerts = ent->totalCerts; dupl->totalCerts = ent->totalCerts;
dupl->verified = ent->verified; dupl->verified = ent->verified;

81
wolfcrypt/src/asn.c
View File

@ -33475,7 +33475,7 @@ int wc_Curve448PublicKeyToDer(curve448_key* key, byte* output, word32 inLen,
#ifndef WOLFSSL_ASN_TEMPLATE #ifndef WOLFSSL_ASN_TEMPLATE
#if defined(HAVE_OCSP) || defined(HAVE_CRL) #if (defined(HAVE_OCSP) || defined(HAVE_CRL)) && !defined(WOLFCRYPT_ONLY)
/* Get raw Date only, no processing, 0 on success */ /* Get raw Date only, no processing, 0 on success */
static int GetBasicDate(const byte* source, word32* idx, byte* date, static int GetBasicDate(const byte* source, word32* idx, byte* date,
@ -33499,7 +33499,7 @@ static int GetBasicDate(const byte* source, word32* idx, byte* date,
#endif /* WOLFSSL_ASN_TEMPLATE */ #endif /* WOLFSSL_ASN_TEMPLATE */
#ifdef HAVE_OCSP #if defined(HAVE_OCSP) && !defined(WOLFCRYPT_ONLY)
#ifndef WOLFSSL_ASN_TEMPLATE #ifndef WOLFSSL_ASN_TEMPLATE
static int GetEnumerated(const byte* input, word32* inOutIdx, int *value, static int GetEnumerated(const byte* input, word32* inOutIdx, int *value,
@ -35391,7 +35391,7 @@ int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx)
#endif /* WOLFSSL_ASN_TEMPLATE */ #endif /* WOLFSSL_ASN_TEMPLATE */
} }
#ifdef HAVE_CRL #if defined(HAVE_CRL) && !defined(WOLFCRYPT_ONLY)
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
static char* GetNameFromDer(const byte* source, int sz) static char* GetNameFromDer(const byte* source, int sz)
@ -35469,8 +35469,8 @@ enum {
#endif #endif
/* Get Revoked Cert list, 0 on success */ /* Get Revoked Cert list, 0 on success */
static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl, static int GetRevoked(RevokedCert* rcert, const byte* buff, word32* idx,
int maxIdx) DecodedCRL* dcrl, int maxIdx)
{ {
#ifndef WOLFSSL_ASN_TEMPLATE #ifndef WOLFSSL_ASN_TEMPLATE
#ifndef NO_ASN_TIME #ifndef NO_ASN_TIME
@ -35479,7 +35479,9 @@ static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
int len; int len;
word32 end; word32 end;
RevokedCert* rc; RevokedCert* rc;
#ifdef CRL_STATIC_REVOKED_LIST
int totalCerts = 0;
#endif
WOLFSSL_ENTER("GetRevoked"); WOLFSSL_ENTER("GetRevoked");
if (GetSequence(buff, idx, &len, maxIdx) < 0) if (GetSequence(buff, idx, &len, maxIdx) < 0)
@ -35487,24 +35489,39 @@ static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
end = *idx + len; end = *idx + len;
#ifdef CRL_STATIC_REVOKED_LIST
totalCerts = dcrl->totalCerts;
if (totalCerts >= CRL_MAX_REVOKED_CERTS) {
return MEMORY_E;
}
rc = &rcert[totalCerts];
ret = wc_GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz,maxIdx);
if (ret < 0) {
WOLFSSL_MSG("wc_GetSerialNumber error");
return ret;
}
#else
rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), dcrl->heap, rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), dcrl->heap,
DYNAMIC_TYPE_REVOKED); DYNAMIC_TYPE_REVOKED);
if (rc == NULL) { if (rc == NULL) {
WOLFSSL_MSG("Alloc Revoked Cert failed"); WOLFSSL_MSG("Alloc Revoked Cert failed");
return MEMORY_E; return MEMORY_E;
} }
ret = wc_GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz,maxIdx);
if (wc_GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz, if (ret < 0) {
maxIdx) < 0) { WOLFSSL_MSG("wc_GetSerialNumber error");
XFREE(rc, dcrl->heap, DYNAMIC_TYPE_REVOKED); return ret;
return ASN_PARSE_E;
} }
/* add to list */ /* add to list */
rc->next = dcrl->certs; rc->next = dcrl->certs;
dcrl->certs = rc; dcrl->certs = rc;
dcrl->totalCerts++;
(void)rcert;
#endif /* CRL_STATIC_REVOKED_LIST */
dcrl->totalCerts++;
/* get date */ /* get date */
#ifndef NO_ASN_TIME #ifndef NO_ASN_TIME
ret = GetBasicDate(buff, idx, rc->revDate, &rc->revDateFormat, maxIdx); ret = GetBasicDate(buff, idx, rc->revDate, &rc->revDateFormat, maxIdx);
@ -35523,13 +35540,23 @@ static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
word32 serialSz = EXTERNAL_SERIAL_SIZE; word32 serialSz = EXTERNAL_SERIAL_SIZE;
word32 revDateSz = MAX_DATE_SIZE; word32 revDateSz = MAX_DATE_SIZE;
RevokedCert* rc; RevokedCert* rc;
#ifdef CRL_STATIC_REVOKED_LIST
int totalCerts = dcrl->totalCerts;
if (totalCerts >= CRL_MAX_REVOKED_CERTS) {
return MEMORY_E;
}
rc = &rcert[totalCerts];
#else
/* Allocate a new revoked certificate object. */ /* Allocate a new revoked certificate object. */
rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), dcrl->heap, rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), dcrl->heap,
DYNAMIC_TYPE_CRL); DYNAMIC_TYPE_CRL);
if (rc == NULL) { if (rc == NULL) {
ret = MEMORY_E; ret = MEMORY_E;
} }
#endif /* CRL_STATIC_REVOKED_LIST */
CALLOC_ASNGETDATA(dataASN, revokedASN_Length, ret, dcrl->heap); CALLOC_ASNGETDATA(dataASN, revokedASN_Length, ret, dcrl->heap);
@ -35555,15 +35582,20 @@ static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
/* TODO: use extensions, only v2 */ /* TODO: use extensions, only v2 */
/* Add revoked certificate to chain. */ /* Add revoked certificate to chain. */
#ifndef CRL_STATIC_REVOKED_LIST
rc->next = dcrl->certs; rc->next = dcrl->certs;
dcrl->certs = rc; dcrl->certs = rc;
#endif
dcrl->totalCerts++; dcrl->totalCerts++;
} }
FREE_ASNGETDATA(dataASN, dcrl->heap); FREE_ASNGETDATA(dataASN, dcrl->heap);
#ifndef CRL_STATIC_REVOKED_LIST
if ((ret != 0) && (rc != NULL)) { if ((ret != 0) && (rc != NULL)) {
XFREE(rc, dcrl->heap, DYNAMIC_TYPE_CRL); XFREE(rc, dcrl->heap, DYNAMIC_TYPE_CRL);
} }
(void)rcert;
#endif
return ret; return ret;
#endif /* WOLFSSL_ASN_TEMPLATE */ #endif /* WOLFSSL_ASN_TEMPLATE */
} }
@ -35578,15 +35610,15 @@ static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
* @return 0 on success. * @return 0 on success.
* @return ASN_PARSE_E on failure. * @return ASN_PARSE_E on failure.
*/ */
static int ParseCRL_RevokedCerts(DecodedCRL* dcrl, const byte* buff, word32 idx, static int ParseCRL_RevokedCerts(RevokedCert* rcert, DecodedCRL* dcrl,
word32 maxIdx) const byte* buff, word32 idx, word32 maxIdx)
{ {
int ret = 0; int ret = 0;
/* Parse each revoked cerificate. */ /* Parse each revoked cerificate. */
while ((ret == 0) && (idx < maxIdx)) { while ((ret == 0) && (idx < maxIdx)) {
/* Parse a revoked certificate. */ /* Parse a revoked certificate. */
if (GetRevoked(buff, &idx, dcrl, maxIdx) < 0) { if (GetRevoked(rcert, buff, &idx, dcrl, maxIdx) < 0) {
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
} }
} }
@ -35704,8 +35736,8 @@ static int PaseCRL_CheckSignature(DecodedCRL* dcrl, const byte* buff, void* cm)
#endif #endif
#ifndef WOLFSSL_ASN_TEMPLATE #ifndef WOLFSSL_ASN_TEMPLATE
static int ParseCRL_CertList(DecodedCRL* dcrl, const byte* buf, static int ParseCRL_CertList(RevokedCert* rcert, DecodedCRL* dcrl,
word32* inOutIdx, int sz, int verify) const byte* buf,word32* inOutIdx, int sz, int verify)
{ {
word32 oid, dateIdx, idx, checkIdx; word32 oid, dateIdx, idx, checkIdx;
int length; int length;
@ -35787,7 +35819,7 @@ static int ParseCRL_CertList(DecodedCRL* dcrl, const byte* buf,
len += idx; len += idx;
while (idx < (word32)len) { while (idx < (word32)len) {
if (GetRevoked(buf, &idx, dcrl, len) < 0) if (GetRevoked(rcert, buf, &idx, dcrl, len) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
} }
} }
@ -36137,8 +36169,8 @@ enum {
#endif #endif
/* parse crl buffer into decoded state, 0 on success */ /* parse crl buffer into decoded state, 0 on success */
int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, int verify, int ParseCRL(RevokedCert* rcert, DecodedCRL* dcrl, const byte* buff, word32 sz,
void* cm) int verify, void* cm)
{ {
#ifndef WOLFSSL_ASN_TEMPLATE #ifndef WOLFSSL_ASN_TEMPLATE
Signer* ca = NULL; Signer* ca = NULL;
@ -36167,7 +36199,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, int verify,
return ASN_PARSE_E; return ASN_PARSE_E;
dcrl->sigIndex = len + idx; dcrl->sigIndex = len + idx;
if (ParseCRL_CertList(dcrl, buff, &idx, dcrl->sigIndex, verify) < 0) if (ParseCRL_CertList(rcert, dcrl, buff, &idx, dcrl->sigIndex, verify) < 0)
return ASN_PARSE_E; return ASN_PARSE_E;
if (ParseCRL_Extensions(dcrl, buff, &idx, dcrl->sigIndex) < 0) if (ParseCRL_Extensions(dcrl, buff, &idx, dcrl->sigIndex) < 0)
@ -36303,6 +36335,7 @@ end:
} }
if (ret == 0) { if (ret == 0) {
#endif #endif
#if defined(OPENSSL_EXTRA)
/* Parse and store the issuer name. */ /* Parse and store the issuer name. */
dcrl->issuerSz = GetASNItem_Length(dataASN[CRLASN_IDX_TBS_ISSUER], dcrl->issuerSz = GetASNItem_Length(dataASN[CRLASN_IDX_TBS_ISSUER],
buff); buff);
@ -36315,10 +36348,12 @@ end:
if (ret < 0) { if (ret < 0) {
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
} }
#endif
} }
if ((ret == 0) && (dataASN[CRLASN_IDX_TBS_REVOKEDCERTS].tag != 0)) { if ((ret == 0) && (dataASN[CRLASN_IDX_TBS_REVOKEDCERTS].tag != 0)) {
/* Parse revoked cerificates - starting after SEQUENCE OF. */ /* Parse revoked cerificates - starting after SEQUENCE OF. */
ret = ParseCRL_RevokedCerts(dcrl, buff, ret = ParseCRL_RevokedCerts(rcert, dcrl, buff,
GetASNItem_DataIdx(dataASN[CRLASN_IDX_TBS_REVOKEDCERTS], buff), GetASNItem_DataIdx(dataASN[CRLASN_IDX_TBS_REVOKEDCERTS], buff),
GetASNItem_EndIdx(dataASN[CRLASN_IDX_TBS_REVOKEDCERTS], buff)); GetASNItem_EndIdx(dataASN[CRLASN_IDX_TBS_REVOKEDCERTS], buff));
} }

13
wolfssl/internal.h
View File

@ -2198,7 +2198,13 @@ typedef struct CRL_Entry CRL_Entry;
#ifdef NO_ASN #ifdef NO_ASN
typedef struct RevokedCert RevokedCert; typedef struct RevokedCert RevokedCert;
#endif #endif
#ifdef CRL_STATIC_REVOKED_LIST
#ifndef CRL_MAX_REVOKED_CERTS
#define CRL_MAX_REVOKED_CERTS 4
#elif CRL_MAX_REVOKED_CERTS > 22000
#error CRL_MAX_REVOKED_CERTS too big, max is 22000
#endif
#endif
/* Complete CRL */ /* Complete CRL */
struct CRL_Entry { struct CRL_Entry {
CRL_Entry* next; /* next entry */ CRL_Entry* next; /* next entry */
@ -2209,7 +2215,11 @@ struct CRL_Entry {
byte nextDate[MAX_DATE_SIZE]; /* next update date */ byte nextDate[MAX_DATE_SIZE]; /* next update date */
byte lastDateFormat; /* last date format */ byte lastDateFormat; /* last date format */
byte nextDateFormat; /* next date format */ byte nextDateFormat; /* next date format */
#ifdef CRL_STATIC_REVOKED_LIST
RevokedCert certs[CRL_MAX_REVOKED_CERTS];
#else
RevokedCert* certs; /* revoked cert list */ RevokedCert* certs; /* revoked cert list */
#endif
int totalCerts; /* number on list */ int totalCerts; /* number on list */
int version; /* version of certficate */ int version; /* version of certficate */
int verified; int verified;
@ -2245,6 +2255,7 @@ struct CRL_Monitor {
/* wolfSSL CRL controller */ /* wolfSSL CRL controller */
struct WOLFSSL_CRL { struct WOLFSSL_CRL {
WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */
CRL_Entry* currentEntry; /* Current CRL entry being processed */
CRL_Entry* crlList; /* our CRL list */ CRL_Entry* crlList; /* our CRL list */
#ifdef HAVE_CRL_IO #ifdef HAVE_CRL_IO
CbCrlIO crlIOCb; CbCrlIO crlIOCb;

4
wolfssl/wolfcrypt/asn.h
View File

@ -2472,8 +2472,8 @@ WOLFSSL_LOCAL int VerifyCRL_Signature(SignatureCtx* sigCtx,
const byte* signature, word32 sigSz, const byte* signature, word32 sigSz,
word32 signatureOID, Signer *ca, word32 signatureOID, Signer *ca,
void* heap); void* heap);
WOLFSSL_LOCAL int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, WOLFSSL_LOCAL int ParseCRL(RevokedCert* rcert, DecodedCRL* dcrl,
int verify, void* cm); const byte* buff, word32 sz, int verify, void* cm);
WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL* dcrl); WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL* dcrl);