Skip to content

Commit 70a54ff

Browse files
lealem47lealem47
committed
Store crlNumber as hex
1 parent 6f81f5c commit 70a54ff

File tree

4 files changed

+127
-50
lines changed

4 files changed

+127
-50
lines changed

src/crl.c

Lines changed: 46 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -610,24 +610,51 @@ static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
610610
}
611611
#endif
612612

613-
/* Returns 1 if prev crlNumber is smaller, 0 otherwise */
613+
/* Returns 1 if prev crlNumber is smaller
614+
* 0 if equal
615+
* -1 if prev crlNumber is larger */
614616
static int CompareCRLnumber(CRL_Entry* prev, CRL_Entry* curr)
615617
{
616-
word32 i;
617-
word32 prevCrlNumLen = (word32)XSTRLEN((char*)prev->crlNumber);
618-
word32 currCrlNumLen = (word32)XSTRLEN((char*)curr->crlNumber);
619-
620-
if (prevCrlNumLen != currCrlNumLen) {
621-
return (prevCrlNumLen < currCrlNumLen);
618+
int result = 0;
619+
#ifdef WOLFSSL_SMALL_STACK
620+
mp_int* prev_num = (mp_int*)XMALLOC(sizeof(*prev_num), NULL,
621+
DYNAMIC_TYPE_BIGINT);
622+
mp_int* curr_num = (mp_int*)XMALLOC(sizeof(*curr_num), NULL,
623+
DYNAMIC_TYPE_BIGINT);
624+
if (prev_num == NULL || curr_num == NULL) {
625+
return MEMORY_E;
622626
}
627+
#else
628+
mp_int prev_num[1];
629+
mp_int curr_num[1];
630+
#endif
623631

624-
for (i = 0; i < currCrlNumLen; i++) {
625-
if (prev->crlNumber[i] != curr->crlNumber[i]) {
626-
return prev->crlNumber[i] < curr->crlNumber[i];
627-
}
632+
mp_init(prev_num);
633+
mp_init(curr_num);
634+
635+
if (mp_read_radix(prev_num, (char*)prev->crlNumber, MP_RADIX_HEX)
636+
!= MP_OKAY || mp_read_radix(curr_num, (char*)curr->crlNumber,
637+
MP_RADIX_HEX) != MP_OKAY) {
638+
mp_free(prev_num);
639+
mp_free(curr_num);
640+
#ifdef WOLFSSL_SMALL_STACK
641+
XFREE(prev_num, NULL, DYNAMIC_TYPE_BIGINT);
642+
XFREE(curr_num, NULL, DYNAMIC_TYPE_BIGINT);
643+
#endif
644+
return BAD_FUNC_ARG;
628645
}
629646

630-
return 1;
647+
result = mp_cmp(prev_num, curr_num);
648+
649+
mp_free(prev_num);
650+
mp_free(curr_num);
651+
652+
#ifdef WOLFSSL_SMALL_STACK
653+
XFREE(prev_num, NULL, DYNAMIC_TYPE_BIGINT);
654+
XFREE(curr_num, NULL, DYNAMIC_TYPE_BIGINT);
655+
#endif
656+
657+
return result;
631658
}
632659

633660
/* Add Decoded CRL, 0 on success */
@@ -641,6 +668,7 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
641668
CrlInfo old;
642669
CrlInfo cnew;
643670
#endif
671+
int ret = 0;
644672

645673
WOLFSSL_ENTER("AddCRL");
646674

@@ -671,12 +699,17 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
671699

672700
for (curr = crl->crlList; curr != NULL; curr = curr->next) {
673701
if (XMEMCMP(curr->issuerHash, crle->issuerHash, CRL_DIGEST_SIZE) == 0) {
674-
if (CompareCRLnumber(crle, curr)) {
702+
ret = CompareCRLnumber(crle, curr);
703+
if (ret == -1 || ret == 0) {
675704
WOLFSSL_MSG("Same or newer CRL entry already exists");
676705
CRL_Entry_free(crle, crl->heap);
677706
wc_UnLockRwLock(&crl->crlLock);
678707
return BAD_FUNC_ARG;
679708
}
709+
else if (ret < 0) {
710+
WOLFSSL_MSG("Error comparing CRL Numbers");
711+
return ret;
712+
}
680713

681714
crle->next = curr->next;
682715
if (prev != NULL) {

src/x509.c

Lines changed: 75 additions & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -8941,85 +8941,129 @@ static int X509CRLPrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl,
89418941
int indent)
89428942
{
89438943
char tmp[MAX_WIDTH]; /* buffer for XSNPRINTF */
8944+
int ret = 0;
89448945

89458946
if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent, "",
89468947
"CRL extensions:") >= MAX_WIDTH) {
8947-
return WOLFSSL_FAILURE;
8948+
ret = WOLFSSL_FAILURE;
89488949
}
89498950

8950-
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
8951-
return WOLFSSL_FAILURE;
8951+
if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
8952+
ret = WOLFSSL_FAILURE;
89528953
}
89538954

8954-
if (crl->crlList->crlNumberSet) {
8955-
if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 4, "",
8955+
if (ret == 0 && crl->crlList->crlNumberSet) {
8956+
char dec_string[49]; /* 20 octets can express numbers up to approx
8957+
49 decimal digits */
8958+
#ifdef WOLFSSL_SMALL_STACK
8959+
mp_int* dec_num = (mp_int*)XMALLOC(sizeof(*dec_num), NULL,
8960+
DYNAMIC_TYPE_BIGINT);
8961+
if (dec_num == NULL) {
8962+
ret = MEMORY_E;
8963+
}
8964+
#else
8965+
mp_int dec_num[1];
8966+
#endif
8967+
8968+
if (mp_init(dec_num) != MP_OKAY) {
8969+
ret = MP_INIT_E;
8970+
}
8971+
8972+
if (ret == 0 && mp_read_radix(dec_num, (char *)crl->crlList->crlNumber,
8973+
MP_RADIX_HEX) != MP_OKAY) {
8974+
ret = WOLFSSL_FAILURE;
8975+
}
8976+
8977+
if (ret == 0 && mp_toradix(dec_num, dec_string, MP_RADIX_DEC)
8978+
!= MP_OKAY) {
8979+
ret = WOLFSSL_FAILURE;
8980+
}
8981+
8982+
if (ret == 0 && XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 4, "",
89568983
"X509v3 CRL Number:") >= MAX_WIDTH) {
8957-
return WOLFSSL_FAILURE;
8984+
ret = WOLFSSL_FAILURE;
89588985
}
89598986

8960-
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
8961-
return WOLFSSL_FAILURE;
8987+
if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
8988+
ret = WOLFSSL_FAILURE;
89628989
}
89638990

8964-
if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 8, "",
8965-
crl->crlList->crlNumber) >= MAX_WIDTH) {
8966-
return WOLFSSL_FAILURE;
8991+
if (ret == 0 && XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 8, "",
8992+
dec_string) >= MAX_WIDTH) {
8993+
ret = WOLFSSL_FAILURE;
89678994
}
89688995

8969-
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
8970-
return WOLFSSL_FAILURE;
8996+
if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
8997+
ret = WOLFSSL_FAILURE;
89718998
}
89728999
XMEMSET(tmp, 0, sizeof(tmp));
9000+
9001+
mp_free(dec_num);
9002+
#ifdef WOLFSSL_SMALL_STACK
9003+
if (dec_num) {
9004+
XFREE(dec_num, NULL, DYNAMIC_TYPE_BIGINT);
9005+
}
9006+
#endif
89739007
}
89749008

89759009
#if !defined(NO_SKID)
8976-
if (crl->crlList->extAuthKeyIdSet && crl->crlList->extAuthKeyId[0] != 0) {
9010+
if (ret == 0 && crl->crlList->extAuthKeyIdSet &&
9011+
crl->crlList->extAuthKeyId[0] != 0) {
89779012
word32 i;
89789013
char val[5];
89799014
int valSz = 5;
89809015

89819016
if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s", indent + 4, "",
89829017
"X509v3 Authority Key Identifier:") >= MAX_WIDTH) {
8983-
return WOLFSSL_FAILURE;
9018+
ret = WOLFSSL_FAILURE;
89849019
}
89859020

8986-
XSTRNCAT(tmp, "\n", MAX_WIDTH - XSTRLEN(tmp) - 1);
9021+
if (ret == 0) {
9022+
XSTRNCAT(tmp, "\n", MAX_WIDTH - XSTRLEN(tmp) - 1);
9023+
}
89879024

8988-
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
8989-
return WOLFSSL_FAILURE;
9025+
if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
9026+
ret = WOLFSSL_FAILURE;
89909027
}
89919028
XMEMSET(tmp, 0, MAX_WIDTH);
89929029

8993-
if (XSNPRINTF(tmp, MAX_WIDTH - 1, "%*s%s",
9030+
if (ret == 0 && XSNPRINTF(tmp, MAX_WIDTH - 1, "%*s%s",
89949031
indent + 8, "", "keyid") >= MAX_WIDTH) {
8995-
return WOLFSSL_FAILURE;
9032+
ret = WOLFSSL_FAILURE;
89969033
}
89979034

89989035

89999036
for (i = 0; i < XSTRLEN((char*)crl->crlList->extAuthKeyId); i++) {
90009037
/* check if buffer is almost full */
9001-
if (XSTRLEN(tmp) >= sizeof(tmp) - valSz) {
9038+
if (ret == 0 && XSTRLEN(tmp) >= sizeof(tmp) - valSz) {
90029039
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
9003-
return WOLFSSL_FAILURE;
9040+
ret = WOLFSSL_FAILURE;
90049041
}
90059042
tmp[0] = '\0';
90069043
}
9007-
if (XSNPRINTF(val, (size_t)valSz, ":%02X",
9008-
crl->crlList->extAuthKeyId[i]) >= valSz)
9009-
{
9044+
if (ret == 0 && XSNPRINTF(val, (size_t)valSz, ":%02X",
9045+
crl->crlList->extAuthKeyId[i]) >= valSz) {
90109046
WOLFSSL_MSG("buffer overrun");
9011-
return WOLFSSL_FAILURE;
9047+
ret = WOLFSSL_FAILURE;
9048+
}
9049+
if (ret == 0) {
9050+
XSTRNCAT(tmp, val, valSz);
90129051
}
9013-
XSTRNCAT(tmp, val, valSz);
90149052
}
9015-
XSTRNCAT(tmp, "\n", XSTRLEN("\n") + 1);
9016-
if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
9017-
return WOLFSSL_FAILURE;
9053+
if (ret == 0) {
9054+
XSTRNCAT(tmp, "\n", XSTRLEN("\n") + 1);
9055+
}
9056+
if (ret == 0 && wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
9057+
ret = WOLFSSL_FAILURE;
90189058
}
90199059
}
90209060
#endif
90219061

9022-
return WOLFSSL_SUCCESS;
9062+
if (ret == 0) {
9063+
ret = WOLFSSL_SUCCESS;
9064+
}
9065+
9066+
return ret;
90239067
}
90249068

90259069
/* iterate through a CRL's Revoked Certs and print out in human

wolfcrypt/src/asn.c

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -39096,8 +39096,8 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
3909639096
if (ret != MP_OKAY)
3909739097
ret = BUFFER_E;
3909839098

39099-
if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber, MP_RADIX_DEC)
39100-
!= MP_OKAY)
39099+
if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber,
39100+
MP_RADIX_HEX) != MP_OKAY)
3910139101
ret = BUFFER_E;
3910239102

3910339103
dcrl->crlNumberSet = 1;
@@ -39187,8 +39187,8 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
3918739187
ret = GetInt(m, buf, &localIdx, maxIdx);
3918839188
}
3918939189

39190-
if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber, MP_RADIX_DEC)
39191-
!= MP_OKAY)
39190+
if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber,
39191+
MP_RADIX_HEX) != MP_OKAY)
3919239192
ret = BUFFER_E;
3919339193

3919439194
dcrl->crlNumberSet = 1;

wolfssl/wolfcrypt/asn.h

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2853,8 +2853,8 @@ struct RevokedCert {
28532853
};
28542854

28552855
#ifndef CRL_MAX_NUM_SZ
2856-
#define CRL_MAX_NUM_SZ 49 /* RFC5280 states that CRL number can be up to 20 */
2857-
#endif /* octets long i.e 49 digits */
2856+
#define CRL_MAX_NUM_SZ 20 /* RFC5280 states that CRL number can be up to 20 */
2857+
#endif /* octets long */
28582858

28592859

28602860
typedef struct DecodedCRL DecodedCRL;

0 commit comments

Comments
 (0)