From 02a49693e2bf63b76a95cba060bf5c9594af296d Mon Sep 17 00:00:00 2001 From: Lealem Amedie Date: Fri, 30 May 2025 10:20:02 -0600 Subject: [PATCH] Fix bug in ParseCRL_Extensions --- src/crl.c | 66 +++++++++++++++++++-- src/x509.c | 127 +++++++++++++++++++++++++++------------- tests/api.c | 13 ++-- wolfcrypt/src/asn.c | 115 +++++++++++++++++------------------- wolfssl/internal.h | 8 ++- wolfssl/ssl.h | 3 +- wolfssl/wolfcrypt/asn.h | 12 +++- 7 files changed, 228 insertions(+), 116 deletions(-) diff --git a/src/crl.c b/src/crl.c index 28233208a..597e2e8de 100644 --- a/src/crl.c +++ b/src/crl.c @@ -135,7 +135,10 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, #endif dcrl->certs = NULL; crle->totalCerts = dcrl->totalCerts; - crle->crlNumber = dcrl->crlNumber; + crle->crlNumberSet = dcrl->crlNumberSet; + if (crle->crlNumberSet) { + XMEMCPY(crle->crlNumber, dcrl->crlNumber, CRL_MAX_NUM_SZ); + } crle->verified = verified; if (!verified) { crle->tbsSz = dcrl->sigIndex - dcrl->certBegin; @@ -587,7 +590,9 @@ static void SetCrlInfo(CRL_Entry* entry, CrlInfo *info) info->nextDate = (byte *)entry->nextDate; info->nextDateMaxLen = MAX_DATE_SIZE; info->nextDateFormat = entry->nextDateFormat; - info->crlNumber = (sword32)entry->crlNumber; + info->crlNumberSet = entry->crlNumberSet; + if (info->crlNumberSet) + XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_SZ); } static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info) @@ -600,10 +605,55 @@ static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info) info->nextDate = (byte *)entry->nextDate; info->nextDateMaxLen = MAX_DATE_SIZE; info->nextDateFormat = entry->nextDateFormat; - info->crlNumber = (sword32)entry->crlNumber; + info->crlNumberSet = entry->crlNumberSet; + if (info->crlNumberSet) + XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_SZ); } #endif +/* Returns MP_GT if prev crlNumber is smaller + * MP_EQ if equal + * MP_LT if prev crlNumber is larger */ +static int CompareCRLnumber(CRL_Entry* prev, CRL_Entry* curr) +{ + int ret = 0; + DECL_MP_INT_SIZE_DYN(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT, + CRL_MAX_NUM_SZ * CHAR_BIT); + DECL_MP_INT_SIZE_DYN(curr_num, CRL_MAX_NUM_SZ * CHAR_BIT, + CRL_MAX_NUM_SZ * CHAR_BIT); + + NEW_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + NEW_MP_INT_SIZE(curr_num, CRL_MAX_NUM_SZ * CHAR_BIT, NULL, + DYNAMIC_TYPE_TMP_BUFFER); +#ifdef MP_INT_SIZE_CHECK_NULL + if ((prev_num == NULL) || (curr_num == NULL)) { + ret = MEMORY_E; + } +#endif + + if (ret == 0 && ((INIT_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT) + != MP_OKAY) || (INIT_MP_INT_SIZE(curr_num, + CRL_MAX_NUM_SZ * CHAR_BIT)) != MP_OKAY)) { + ret = MP_INIT_E; + } + + if (ret == 0 && (mp_read_radix(prev_num, (char*)prev->crlNumber, + MP_RADIX_HEX) != MP_OKAY || + mp_read_radix(curr_num, (char*)curr->crlNumber, + MP_RADIX_HEX) != MP_OKAY)) { + ret = BAD_FUNC_ARG; + } + + if (ret == 0) + ret = mp_cmp(prev_num, curr_num); + + FREE_MP_INT_SIZE(prev_num, NULL, DYNAMIC_TYPE_TMP_BUFFER); + FREE_MP_INT_SIZE(curr_num, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + return ret; +} + /* Add Decoded CRL, 0 on success */ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff, int verified) @@ -615,6 +665,7 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff, CrlInfo old; CrlInfo cnew; #endif + int ret = 0; WOLFSSL_ENTER("AddCRL"); @@ -645,12 +696,19 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff, for (curr = crl->crlList; curr != NULL; curr = curr->next) { if (XMEMCMP(curr->issuerHash, crle->issuerHash, CRL_DIGEST_SIZE) == 0) { - if (crle->crlNumber <= curr->crlNumber) { + ret = CompareCRLnumber(crle, curr); + /* Error out if the CRL we're attempting to add isn't more + * authoritative than the existing entry */ + if (ret == MP_LT || ret == MP_EQ) { WOLFSSL_MSG("Same or newer CRL entry already exists"); CRL_Entry_free(crle, crl->heap); wc_UnLockRwLock(&crl->crlLock); return BAD_FUNC_ARG; } + else if (ret < 0) { + WOLFSSL_MSG("Error comparing CRL Numbers"); + return ret; + } crle->next = curr->next; if (prev != NULL) { diff --git a/src/x509.c b/src/x509.c index eda280e73..6afd8e497 100644 --- a/src/x509.c +++ b/src/x509.c @@ -6414,8 +6414,7 @@ static int X509PrintSerial_ex(WOLFSSL_BIO* bio, byte* serial, int sz, scratch + scratchLen, scratchSz - scratchLen, "%02x%s", serial[i], (i < sz - 1) ? (delimiter ? ":" : "") : "\n")) - >= scratchSz - scratchLen) - { + >= scratchSz - scratchLen) { WOLFSSL_MSG("buffer overrun"); return WOLFSSL_FAILURE; } @@ -6428,10 +6427,8 @@ static int X509PrintSerial_ex(WOLFSSL_BIO* bio, byte* serial, int sz, /* if serial can fit into byte then print on the same line */ else { - if ((scratchLen = XSNPRINTF( - scratch, MAX_WIDTH, " %d (0x%x)\n", serial[0], serial[0])) - >= MAX_WIDTH) - { + if ((scratchLen = XSNPRINTF(scratch, MAX_WIDTH, " %d (0x%x)\n", + (char)serial[0], serial[0])) >= MAX_WIDTH) { WOLFSSL_MSG("buffer overrun"); return WOLFSSL_FAILURE; } @@ -8870,85 +8867,135 @@ static int X509CRLPrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, int indent) { char tmp[MAX_WIDTH]; /* buffer for XSNPRINTF */ + int ret = 0; if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent, "", "CRL extensions:") >= MAX_WIDTH) { - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; } - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; + if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { + ret = WOLFSSL_FAILURE; } - if (crl->crlList->crlNumber) { - if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 4, "", + if (ret == 0 && crl->crlList->crlNumberSet) { + char dec_string[49]; /* 20 octets can express numbers up to approx + 49 decimal digits */ + int freeMp = 0; + #ifdef WOLFSSL_SMALL_STACK + mp_int* dec_num = (mp_int*)XMALLOC(sizeof(*dec_num), NULL, + DYNAMIC_TYPE_BIGINT); + if (dec_num == NULL) { + ret = MEMORY_E; + } + #else + mp_int dec_num[1]; + #endif + + if (ret == 0 && (mp_init(dec_num) != MP_OKAY)) { + ret = MP_INIT_E; + } + else if (ret == 0) { + freeMp = 1; + } + + if (ret == 0 && mp_read_radix(dec_num, (char *)crl->crlList->crlNumber, + MP_RADIX_HEX) != MP_OKAY) { + ret = WOLFSSL_FAILURE; + } + + if (ret == 0 && mp_toradix(dec_num, dec_string, MP_RADIX_DEC) + != MP_OKAY) { + ret = WOLFSSL_FAILURE; + } + + if (ret == 0 && XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 4, "", "X509v3 CRL Number:") >= MAX_WIDTH) { - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; } - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; + if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { + ret = WOLFSSL_FAILURE; } - if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%d\n", indent + 8, "", - crl->crlList->crlNumber) >= MAX_WIDTH) - { - return WOLFSSL_FAILURE; + if (ret == 0 && XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 8, "", + dec_string) >= MAX_WIDTH) { + ret = WOLFSSL_FAILURE; } - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; + + if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { + ret = WOLFSSL_FAILURE; } + XMEMSET(tmp, 0, sizeof(tmp)); + + if (freeMp) { + mp_free(dec_num); + } + + #ifdef WOLFSSL_SMALL_STACK + XFREE(dec_num, NULL, DYNAMIC_TYPE_BIGINT); + #endif } #if !defined(NO_SKID) - if (crl->crlList->extAuthKeyIdSet && crl->crlList->extAuthKeyId[0] != 0) { + if (ret == 0 && crl->crlList->extAuthKeyIdSet && + crl->crlList->extAuthKeyId[0] != 0) { word32 i; char val[5]; int valSz = 5; if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s", indent + 4, "", "X509v3 Authority Key Identifier:") >= MAX_WIDTH) { - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; } - XSTRNCAT(tmp, "\n", MAX_WIDTH - XSTRLEN(tmp) - 1); + if (ret == 0) { + XSTRNCAT(tmp, "\n", MAX_WIDTH - XSTRLEN(tmp) - 1); + } - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; + if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { + ret = WOLFSSL_FAILURE; } XMEMSET(tmp, 0, MAX_WIDTH); - if (XSNPRINTF(tmp, MAX_WIDTH - 1, "%*s%s", + if (ret == 0 && XSNPRINTF(tmp, MAX_WIDTH - 1, "%*s%s", indent + 8, "", "keyid") >= MAX_WIDTH) { - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; } for (i = 0; i < XSTRLEN((char*)crl->crlList->extAuthKeyId); i++) { /* check if buffer is almost full */ - if (XSTRLEN(tmp) >= sizeof(tmp) - valSz) { + if (ret == 0 && XSTRLEN(tmp) >= sizeof(tmp) - valSz) { if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; } tmp[0] = '\0'; } - if (XSNPRINTF(val, (size_t)valSz, ":%02X", - crl->crlList->extAuthKeyId[i]) >= valSz) - { + if (ret == 0 && XSNPRINTF(val, (size_t)valSz, ":%02X", + crl->crlList->extAuthKeyId[i]) >= valSz) { WOLFSSL_MSG("buffer overrun"); - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; + } + if (ret == 0) { + XSTRNCAT(tmp, val, valSz); } - XSTRNCAT(tmp, val, valSz); } - XSTRNCAT(tmp, "\n", XSTRLEN("\n") + 1); - if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { - return WOLFSSL_FAILURE; + if (ret == 0) { + XSTRNCAT(tmp, "\n", XSTRLEN("\n") + 1); + } + if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) { + ret = WOLFSSL_FAILURE; } } #endif - return WOLFSSL_SUCCESS; + if (ret == 0) { + ret = WOLFSSL_SUCCESS; + } + + return ret; } /* iterate through a CRL's Revoked Certs and print out in human @@ -9180,7 +9227,7 @@ void wolfSSL_X509_CRL_free(WOLFSSL_X509_CRL *crl) } #endif /* HAVE_CRL && (OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL) */ -#ifdef OPENSSL_EXTRA +#if defined(HAVE_CRL) && defined(OPENSSL_EXTRA) WOLFSSL_ASN1_TIME* wolfSSL_X509_CRL_get_lastUpdate(WOLFSSL_X509_CRL* crl) { if ((crl != NULL) && (crl->crlList != NULL) && @@ -9210,7 +9257,7 @@ int wolfSSL_X509_CRL_verify(WOLFSSL_X509_CRL* crl, WOLFSSL_EVP_PKEY* key) return 0; } #endif -#endif /* OPENSSL_EXTRA */ +#endif /* HAVE_CRL && OPENSSL_EXTRA */ #ifdef OPENSSL_EXTRA diff --git a/tests/api.c b/tests/api.c index d4be8331f..180a939cd 100644 --- a/tests/api.c +++ b/tests/api.c @@ -42980,7 +42980,8 @@ static int test_wolfSSL_X509V3_set_ctx(void) { EXPECT_DECLS; #if (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && \ - defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) + defined(WOLFSSL_CERT_GEN) && defined(WOLFSSL_CERT_REQ) && \ + defined(HAVE_CRL) WOLFSSL_X509V3_CTX ctx; WOLFSSL_X509* issuer = NULL; WOLFSSL_X509* subject = NULL; @@ -56410,7 +56411,7 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew) AssertTrue((f = XFOPEN(crl1, "rb")) != XBADFILE); AssertTrue(XFSEEK(f, 0, XSEEK_END) == 0); - AssertIntGE(sz = (size_t) XFTELL(f), 1); + AssertIntGE(sz = (word32) XFTELL(f), 1); AssertTrue(XFSEEK(f, 0, XSEEK_SET) == 0); AssertTrue( \ (crl1Buff = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)) != NULL); @@ -56420,7 +56421,7 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew) AssertTrue((f = XFOPEN(crlRevoked, "rb")) != XBADFILE); AssertTrue(XFSEEK(f, 0, XSEEK_END) == 0); - AssertIntGE(sz = (size_t) XFTELL(f), 1); + AssertIntGE(sz = (word32) XFTELL(f), 1); AssertTrue(XFSEEK(f, 0, XSEEK_SET) == 0); AssertTrue( \ (crlRevBuff = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_FILE)) != NULL); @@ -56441,7 +56442,8 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew) AssertIntEQ(crl1Info.lastDateFormat, old->lastDateFormat); AssertIntEQ(crl1Info.nextDateMaxLen, old->nextDateMaxLen); AssertIntEQ(crl1Info.nextDateFormat, old->nextDateFormat); - AssertIntEQ(crl1Info.crlNumber, old->crlNumber); + AssertIntEQ(XMEMCMP( + crl1Info.crlNumber, old->crlNumber, CRL_MAX_NUM_SZ), 0); AssertIntEQ(XMEMCMP( crl1Info.issuerHash, old->issuerHash, old->issuerHashLen), 0); AssertIntEQ(XMEMCMP( @@ -56455,7 +56457,8 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew) AssertIntEQ(crlRevInfo.lastDateFormat, cnew->lastDateFormat); AssertIntEQ(crlRevInfo.nextDateMaxLen, cnew->nextDateMaxLen); AssertIntEQ(crlRevInfo.nextDateFormat, cnew->nextDateFormat); - AssertIntEQ(crlRevInfo.crlNumber, cnew->crlNumber); + AssertIntEQ(XMEMCMP( + crlRevInfo.crlNumber, cnew->crlNumber, CRL_MAX_NUM_SZ), 0); AssertIntEQ(XMEMCMP( crlRevInfo.issuerHash, cnew->issuerHash, cnew->issuerHashLen), 0); AssertIntEQ(XMEMCMP( diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 690bca980..49f970525 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -40263,50 +40263,39 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, return ret; } else { - if (length > 1) { - int i; - #ifdef WOLFSSL_SMALL_STACK - mp_int* m = (mp_int*)XMALLOC(sizeof(*m), NULL, - DYNAMIC_TYPE_BIGINT); - if (m == NULL) { - return MEMORY_E; - } - #else - mp_int m[1]; - #endif - - if (mp_init(m) != MP_OKAY) { - ret = MP_INIT_E; - } - - if (ret == 0) - ret = mp_read_unsigned_bin(m, buf + idx, length); - if (ret != MP_OKAY) - ret = BUFFER_E; - - if (ret == 0) { - dcrl->crlNumber = 0; - for (i = 0; i < (int)(*m).used; ++i) { - if (i > (CHAR_BIT * - (int)sizeof(word32) / DIGIT_BIT)) { - break; - } - dcrl->crlNumber |= ((word32)(*m).dp[i]) << - (DIGIT_BIT * i); - } - } - - mp_free(m); - #ifdef WOLFSSL_SMALL_STACK - XFREE(m, NULL, DYNAMIC_TYPE_BIGINT); - #endif - - if (ret != 0) - return ret; + DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ * CHAR_BIT, + CRL_MAX_NUM_SZ * CHAR_BIT); + NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ * CHAR_BIT, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + #ifdef MP_INT_SIZE_CHECK_NULL + if (m == NULL) { + ret = MEMORY_E; } - else if (length == 1) { - dcrl->crlNumber = buf[idx]; + #endif + + if (ret == 0 && ((ret = INIT_MP_INT_SIZE(m, CRL_MAX_NUM_SZ + * CHAR_BIT)) != MP_OKAY)) { + ret = MP_INIT_E; } + + if (ret == MP_OKAY) + ret = mp_read_unsigned_bin(m, buf + idx, length); + + if (ret != MP_OKAY) + ret = BUFFER_E; + + if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber, + MP_RADIX_HEX) != MP_OKAY) + ret = BUFFER_E; + + if (ret == MP_OKAY) { + dcrl->crlNumberSet = 1; + } + + FREE_MP_INT_SIZE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + if (ret != MP_OKAY) + return ret; } } } @@ -40349,6 +40338,7 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx, ret = GetASN_Items(certExtASN, dataASN, certExtASN_Length, 0, buf, &idx, maxIdx); if (ret == 0) { + word32 localIdx = idx; /* OID in extension. */ word32 oid = dataASN[CERTEXTASN_IDX_OID].data.oid.sum; /* Length of extension data. */ @@ -40358,39 +40348,42 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx, #ifndef NO_SKID /* Parse Authority Key Id extension. * idx is at start of OCTET_STRING data. */ - ret = ParseCRL_AuthKeyIdExt(buf + idx, length, dcrl); + ret = ParseCRL_AuthKeyIdExt(buf + localIdx, length, dcrl); if (ret != 0) { WOLFSSL_MSG("\tcouldn't parse AuthKeyId extension"); } #endif } else if (oid == CRL_NUMBER_OID) { - #ifdef WOLFSSL_SMALL_STACK - mp_int* m = (mp_int*)XMALLOC(sizeof(*m), NULL, - DYNAMIC_TYPE_BIGINT); + DECL_MP_INT_SIZE_DYN(m, CRL_MAX_NUM_SZ * CHAR_BIT, + CRL_MAX_NUM_SZ * CHAR_BIT); + NEW_MP_INT_SIZE(m, CRL_MAX_NUM_SZ * CHAR_BIT, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + + #ifdef MP_INT_SIZE_CHECK_NULL if (m == NULL) { ret = MEMORY_E; } - #else - mp_int m[1]; #endif - if (ret == 0) { - if (mp_init(m) != MP_OKAY) { + if (ret == 0 && (INIT_MP_INT_SIZE(m, CRL_MAX_NUM_SZ * CHAR_BIT) + != MP_OKAY)) { ret = MP_INIT_E; - } - } - if (ret == 0) { - ret = GetInt(m, buf, &idx, maxIdx); - } - if (ret == 0) { - dcrl->crlNumber = (int)m->dp[0]; } - mp_free(m); - #ifdef WOLFSSL_SMALL_STACK - XFREE(m, NULL, DYNAMIC_TYPE_BIGINT); - #endif + if (ret == 0) { + ret = GetInt(m, buf, &localIdx, maxIdx); + } + + if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber, + MP_RADIX_HEX) != MP_OKAY) + ret = BUFFER_E; + + if (ret == 0) { + dcrl->crlNumberSet = 1; + } + + FREE_MP_INT_SIZE(m, NULL, DYNAMIC_TYPE_TMP_BUFFER); } /* TODO: check criticality */ /* Move index on to next extension. */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 52a075efd..b834f12df 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2548,6 +2548,8 @@ typedef struct CRL_Entry CRL_Entry; #error CRL_MAX_REVOKED_CERTS too big, max is 22000 #endif #endif + +#ifdef HAVE_CRL /* Complete CRL */ struct CRL_Entry { byte* toBeSigned; @@ -2560,6 +2562,7 @@ struct CRL_Entry { /* DupCRL_Entry copies data after the `verifyMutex` member. Using the mutex * as the marker because clang-tidy doesn't like taking the sizeof a * pointer. */ + byte crlNumber[CRL_MAX_NUM_SZ]; /* CRL number extension */ byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ /* restore the hash here if needed for optimized comparisons */ @@ -2587,10 +2590,10 @@ struct CRL_Entry { byte* sigParams; /* buffer with signature parameters */ #endif #if !defined(NO_SKID) && !defined(NO_ASN) - byte extAuthKeyIdSet; byte extAuthKeyId[KEYID_SIZE]; + byte extAuthKeyIdSet:1; /* Auth key identifier set indicator */ #endif - int crlNumber; /* CRL number extension */ + byte crlNumberSet:1; /* CRL number set indicator */ }; @@ -2643,6 +2646,7 @@ struct WOLFSSL_CRL { #endif void* heap; /* heap hint for dynamic memory */ }; +#endif #ifdef NO_ASN diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 908d5c6e8..45f94e69d 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3749,6 +3749,7 @@ typedef int (*CbCrlIO)(WOLFSSL_CRL* crl, const char* url, int urlSz); #ifdef HAVE_CRL_UPDATE_CB typedef struct CrlInfo { + byte crlNumber[CRL_MAX_NUM_SZ]; byte *issuerHash; word32 issuerHashLen; byte *lastDate; @@ -3757,7 +3758,7 @@ typedef struct CrlInfo { byte *nextDate; word32 nextDateMaxLen; byte nextDateFormat; - sword32 crlNumber; + byte crlNumberSet:1; } CrlInfo; typedef void (*CbUpdateCRL)(CrlInfo* old, CrlInfo* cnew); diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index f3913f367..a4f897c3b 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2610,6 +2610,11 @@ struct RevokedCert { byte revDateFormat; }; +#ifndef CRL_MAX_NUM_SZ +#define CRL_MAX_NUM_SZ 20 /* RFC5280 states that CRL number can be up to 20 */ +#endif /* octets long */ + + typedef struct DecodedCRL DecodedCRL; struct DecodedCRL { @@ -2622,6 +2627,7 @@ struct DecodedCRL { word32 sigParamsLength; /* length of signature parameters */ #endif byte* signature; /* pointer into raw source, not owned */ + byte crlNumber[CRL_MAX_NUM_SZ]; /* CRL number extension */ byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */ byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */ @@ -2637,10 +2643,10 @@ struct DecodedCRL { int version; /* version of cert */ void* heap; #ifndef NO_SKID - byte extAuthKeyIdSet; - byte extAuthKeyId[SIGNER_DIGEST_SIZE]; /* Authority Key ID */ + byte extAuthKeyId[SIGNER_DIGEST_SIZE]; /* Authority Key ID */ + WC_BITFIELD extAuthKeyIdSet:1; /* Auth key identifier set indicator */ #endif - int crlNumber; /* CRL number extension */ + WC_BITFIELD crlNumberSet:1; /* CRL number set indicator */ }; WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL* dcrl, void* heap);