From e4da4f60d91fa9e7776dfc92392b62b6c8994ea7 Mon Sep 17 00:00:00 2001 From: Tesfa Mael Date: Fri, 7 Oct 2022 10:26:52 -0700 Subject: [PATCH] Implemented suggested changes --- src/crl.c | 106 ++++++++++++++++++++++---------------------- wolfcrypt/src/asn.c | 18 ++++---- 2 files changed, 60 insertions(+), 64 deletions(-) diff --git a/src/crl.c b/src/crl.c index 3c0297ce8..131163ccd 100644 --- a/src/crl.c +++ b/src/crl.c @@ -197,10 +197,8 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic) if (crl->monitors[1].path) XFREE(crl->monitors[1].path, crl->heap, DYNAMIC_TYPE_CRL_MONITOR); - if (crl->currentEntry != NULL ) { - XFREE(crl->currentEntry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); - crl->currentEntry = NULL; - } + XFREE(crl->currentEntry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); + crl->currentEntry = NULL; while(tmp) { CRL_Entry* next = tmp->next; FreeCRL_Entry(tmp, crl->heap); @@ -231,7 +229,47 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic) XFREE(crl, crl->heap, DYNAMIC_TYPE_CRL); } +static int FindRevokedSerial(DecodedCert* cert, CRL_Entry* crle, RevokedCert* rc) +{ + int ret = 0; +#ifdef CRL_STATIC_REVOKED_LIST + /* do binary search */ + int low, high, mid; + low = 0; + high = crle->totalCerts - 1; + + while (low <= high) { + mid = (low + high) / 2; + + if (XMEMCMP(rc[mid].serialNumber, cert->serial, rc->serialSz) < 0) { + low = mid + 1; + } + else if (XMEMCMP(rc[mid].serialNumber, cert->serial, + rc->serialSz) > 0) { + high = mid - 1; + } + else { + WOLFSSL_MSG("Cert revoked"); + ret = CRL_CERT_REVOKED; + break; + } + } +#else + /* search in the linked list*/ + + while (rc) { + if (rc->serialSz == cert->serialSz && + XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) { + WOLFSSL_MSG("Cert revoked"); + ret = CRL_CERT_REVOKED; + break; + } + rc = rc->next; + } +#endif + return ret; +} static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntry) { CRL_Entry* crle; @@ -361,42 +399,7 @@ static int CheckCertCRLList(WOLFSSL_CRL* crl, DecodedCert* cert, int *pFoundEntr } if (foundEntry) { - RevokedCert* rc = crle->certs; - -#ifdef CRL_STATIC_REVOKED_LIST - int low, high, mid; - - low = 0; - high = crle->totalCerts - 1; - - while (low <= high) { - mid = (low + high) / 2; - - if (XMEMCMP(rc[mid].serialNumber, cert->serial, rc->serialSz) < 0) { - low = mid + 1; - } - else if (XMEMCMP(rc[mid].serialNumber, cert->serial, - rc->serialSz) > 0) { - high = mid - 1; - } - else { - WOLFSSL_MSG("Cert revoked"); - ret = CRL_CERT_REVOKED; - break; - } - } -#else - - while (rc) { - if (rc->serialSz == cert->serialSz && - XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) { - WOLFSSL_MSG("Cert revoked"); - ret = CRL_CERT_REVOKED; - break; - } - rc = rc->next; - } -#endif + ret = FindRevokedSerial(cert, crle, crle->certs); } wc_UnLockMutex(&crl->crlLock); @@ -506,7 +509,7 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff, DYNAMIC_TYPE_CRL_ENTRY); if (crle == NULL) { WOLFSSL_MSG("alloc CRL Entry failed"); - return -1; + return MEMORY_E; } } @@ -589,10 +592,8 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type, verify, crl->cm); if (ret != 0 && !(ret == ASN_CRL_NO_SIGNER_E && verify == NO_VERIFY)) { WOLFSSL_MSG("ParseCRL error"); - if (crl->currentEntry != NULL ) { - XFREE(crl->currentEntry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); - crl->currentEntry = NULL; - } + XFREE(crl->currentEntry, crl->heap, DYNAMIC_TYPE_CRL_ENTRY); + crl->currentEntry = NULL; } else { ret = AddCRL(crl, dcrl, myBuffer, ret != ASN_CRL_NO_SIGNER_E); @@ -676,7 +677,11 @@ static RevokedCert *DupRevokedCertList(RevokedCert* in, void* heap) static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) { CRL_Entry *dupl; - +#ifdef CRL_STATIC_REVOKED_LIST + if (ent->totalCerts > CRL_MAX_REVOKED_CERTS) { + return NULL; + } +#endif dupl = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), heap, DYNAMIC_TYPE_CRL_ENTRY); if (dupl == NULL) { WOLFSSL_MSG("alloc CRL Entry failed"); @@ -691,14 +696,7 @@ static CRL_Entry* DupCRL_Entry(const CRL_Entry* ent, void* heap) dupl->nextDateFormat = ent->nextDateFormat; #ifdef CRL_STATIC_REVOKED_LIST - if (ent->totalCerts > CRL_MAX_REVOKED_CERTS) { - FreeCRL_Entry(dupl, heap); - XFREE(dupl, heap, DYNAMIC_TYPE_CRL_ENTRY); - return NULL; - } - else - XMEMCPY(dupl->certs, ent->certs, - ent->totalCerts*sizeof(RevokedCert)); + XMEMCPY(dupl->certs, ent->certs, ent->totalCerts*sizeof(RevokedCert)); #else dupl->certs = DupRevokedCertList(ent->certs, heap); #endif diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 251904330..e8018ea0e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -35497,10 +35497,10 @@ static int GetRevoked(RevokedCert* rcert, const byte* buff, word32* idx, } rc = &rcert[totalCerts]; - - if (wc_GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz, - maxIdx) < 0) { - return ASN_PARSE_E; + ret = wc_GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz,maxIdx); + if (ret < 0) { + WOLFSSL_MSG("wc_GetSerialNumber error"); + return ret; } #else @@ -35510,13 +35510,11 @@ static int GetRevoked(RevokedCert* rcert, const byte* buff, word32* idx, WOLFSSL_MSG("Alloc Revoked Cert failed"); return MEMORY_E; } - - if (wc_GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz, - maxIdx) < 0) { - XFREE(rc, dcrl->heap, DYNAMIC_TYPE_REVOKED); - return ASN_PARSE_E; + ret = wc_GetSerialNumber(buff, idx, rc->serialNumber, &rc->serialSz,maxIdx); + if (ret < 0) { + WOLFSSL_MSG("wc_GetSerialNumber error"); + return ret; } - /* add to list */ rc->next = dcrl->certs; dcrl->certs = rc;