Skip to content

Fix bug in ParseCRL_Extensions #8587

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

Fix bug in ParseCRL_Extensions #8587

wants to merge 10 commits into from
+206 −89

Conversation

lealem47
Copy link
Contributor

@lealem47 lealem47 commented Mar 24, 2025
edited
Loading

Description

  • Fix a bug where the idx would get incremented where we don't expect it to be, in the else-if CRL_NUMBER_OID case in ParseCRL_Extensions()
  • Store crl->crlNumber as a byte array to handle CRL numbers as long as 20 octets or 49 digits (https://datatracker.ietf.org/doc/html/rfc5280#section-5.2.3). This conversion unfortunately makes it so that crlNumber isn't stored when NO_BIG_INT is defined

Fixes #8574 and wolfSSL/wolfCLU#174

Also fixes zd#19611

Testing

Tested using wolfCLU with the CRL files provided in #8574 and wolfSSL/wolfCLU#174

Build wolfSSL with
./configure --enable-wolfclu --enable-crl

Then run wolfCLU with
./wolfssl crl -in crl_extention_test.pem -text

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@lealem47 lealem47 self-assigned this Mar 24, 2025
This was referenced Mar 24, 2025
Closed
Open
@lealem47 lealem47 assigned wolfSSL-Bot and unassigned lealem47 Mar 24, 2025
@SparkiDev
Copy link
Contributor

Using a mp_int is heavy weight for a 20 byte number - can allocate up to 1KB for storage of 20 bytes.
You can store the array of bytes and do a XMEMCMP and add a simple big-endian number larger comparison.

@lealem47
Copy link
Contributor Author

Jenkins retest this please

@dgarske dgarske requested a review from SparkiDev March 25, 2025 20:47
dgarske
dgarske requested changes Mar 26, 2025
View reviewed changes
dgarske
dgarske requested changes Mar 26, 2025
View reviewed changes
dgarske
dgarske requested changes Mar 26, 2025
View reviewed changes
@lealem47 lealem47 removed their assignment Mar 26, 2025
dgarske
dgarske previously approved these changes Mar 26, 2025
View reviewed changes
Copy link
Contributor

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Still on fence about backwards compatibility, but okay for now. Over to @SparkiDev

SparkiDev
SparkiDev requested changes Mar 27, 2025
View reviewed changes
@SparkiDev SparkiDev assigned lealem47 and unassigned SparkiDev Mar 27, 2025
@lealem47 lealem47 force-pushed the gh8574 branch 2 times, most recently from 550ca10 to 70a54ff Compare April 2, 2025 00:28
@lealem47 lealem47 requested a review from SparkiDev April 2, 2025 01:00
@lealem47 lealem47 assigned SparkiDev and unassigned lealem47 Apr 2, 2025
@SparkiDev SparkiDev assigned lealem47 and unassigned SparkiDev Apr 3, 2025
dgarske
dgarske requested changes May 6, 2025
View reviewed changes
@dgarske dgarske assigned lealem47 and unassigned SparkiDev May 6, 2025
@lealem47 lealem47 requested a review from dgarske May 9, 2025 23:05
@lealem47 lealem47 removed their assignment May 9, 2025
@lealem47
Copy link
Contributor Author

Jenkins retest this please

PRB-generic-config-parser error:

Found unhandled org.jenkinsci.plugins.workflow.support.steps.AgentOfflineException exception:
Unable to create live FilePath for wolf-linux-cloud-node-cps0d5; wolf-linux-cloud-node-cps0d5 was marked offline: Connection was broken

@lealem47 lealem47 removed their assignment May 13, 2025
@lealem47
Copy link
Contributor Author

lealem47 commented May 14, 2025
edited
Loading

Jenkins Retest this please

@lealem47 lealem47 removed their assignment May 15, 2025
dgarske
dgarske requested changes May 15, 2025
View reviewed changes
src/crl.c
@@ -645,12 +703,17 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,

for (curr = crl->crlList; curr != NULL; curr = curr->next) {
if (XMEMCMP(curr->issuerHash, crle->issuerHash, CRL_DIGEST_SIZE) == 0) {
if (crle->crlNumber <= curr->crlNumber) {
ret = CompareCRLnumber(crle, curr);
if (ret == -1 || ret == 0) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please use the MP_ defines for the checks? Perhaps also update the code comments on CompareCRLnumber. Why is MP_LT allowed? can you please add a code comment?

/** Result of comparison is that the first number is greater than second. */
#define MP_GT    1
/** Result of comparison is they are equal. */
#define MP_EQ    0
/** Result of comparison is that the first number is less than second. */
#define MP_LT    (-1)

src/x509.c
@@ -6429,7 +6429,7 @@ static int X509PrintSerial_ex(WOLFSSL_BIO* bio, byte* serial, int sz,
/* if serial can fit into byte then print on the same line */
else {
if ((scratchLen = XSNPRINTF(
scratch, MAX_WIDTH, " %d (0x%x)\n", serial[0], serial[0]))
scratch, MAX_WIDTH, " %d (0x%x)\n", (char)serial[0], serial[0]))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line is over 80 chars now.

wolfcrypt/src/asn.c
else if (length == 1) {
dcrl->crlNumber = buf[idx];
}
mp_free(m);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe not call this if ret == MP_INIT_E?

dgarske
dgarske requested changes May 15, 2025
View reviewed changes
wolfssl/wolfcrypt/asn.h
#endif
int crlNumber; /* CRL number extension */
byte crlNumberSet:1; /* CRL number set indicator */
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multi-test reports this bit-field issue, however there must be a way to make this work. Perhaps it needs to be unsigned int. Not sure (see other uses to solve)

[allcryptonly-gcc-c89] [14 of 39] [e7860a7e85]
    configure...   real 0m5.702s  user 0m3.401s  sys 0m2.671s
In file included from ./wolfssl/ssl.h:45,
                 from ./wolfssl/openssl/ssl.h:39,
                 from ./wolfssl/openssl/aes.h:44,
                 from conftest.c:73:
./wolfssl/wolfcrypt/asn.h:2705:13: error: type of bit-field 'extAuthKeyIdSet' is a GCC extension [-Werror=pedantic]
 2705 |     byte    extAuthKeyIdSet:1;       /* Auth key identifier set indicator */
      |             ^~~~~~~~~~~~~~~
./wolfssl/wolfcrypt/asn.h:2707:13: error: type of bit-field 'crlNumberSet' is a GCC extension [-Werror=pedantic]
 2707 |     byte    crlNumberSet:1;          /* CRL number set indicator */
      |             ^~~~~~~~~~~~
cc1: all warnings being treated as errors

douzzer
douzzer requested changes May 16, 2025
View reviewed changes
src/crl.c
mp_int* curr_num = (mp_int*)XMALLOC(sizeof(*curr_num), NULL,
DYNAMIC_TYPE_BIGINT);
if (prev_num == NULL || curr_num == NULL) {
return MEMORY_E;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will leak if prev_num was allocated but curr_num failed.

src/crl.c
Comment on lines +632 to +636
#ifdef WOLFSSL_SMALL_STACK
XFREE(prev_num, NULL, DYNAMIC_TYPE_BIGINT);
XFREE(curr_num, NULL, DYNAMIC_TYPE_BIGINT);
#endif
return BAD_FUNC_ARG;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to refactor this func to use an if (ret == 0) cascade, with smallstack cleanup once at the end.

src/crl.c
{
int result = 0;
#ifdef WOLFSSL_SMALL_STACK
mp_int* prev_num = (mp_int*)XMALLOC(sizeof(*prev_num), NULL,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding @SparkiDev 's concern about allocing gobs of memory just to process 20 octets of MPI: It's possible to right-size-allocate the MPI containers with existing macros. You'd use DECL_MP_INT_SIZE(), NEW_MP_INT_SIZE(). INIT_MP_INT_SIZE(), and FREE_MP_INT_SIZE(). These exist with all MPI back ends, though they only right-size on SP and heapmath, not TFM (doesn't matter).

@douzzer douzzer assigned douzzer and unassigned wolfSSL-Bot May 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dgarske dgarske dgarske requested changes

@douzzer douzzer douzzer requested changes

@SparkiDev SparkiDev Awaiting requested review from SparkiDev

Requested changes must be addressed to merge this pull request.

Assignees

@douzzer douzzer

@lealem47 lealem47

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Bug]: wolfSSL cannot correctly process CRL files with extensions.
5 participants
@lealem47 @SparkiDev @dgarske @douzzer @wolfSSL-Bot