diff --git a/src/crl.c b/src/crl.c index f0f4944d9..be7ad2144 100644 --- a/src/crl.c +++ b/src/crl.c @@ -138,7 +138,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff, crle->totalCerts = dcrl->totalCerts; crle->crlNumberSet = dcrl->crlNumberSet; if (crle->crlNumberSet) { - XMEMCPY(crle->crlNumber, dcrl->crlNumber, CRL_MAX_NUM_HEX_STR_SZ); + XMEMCPY(crle->crlNumber, dcrl->crlNumber, sizeof(crle->crlNumber)); } crle->verified = verified; if (!verified) { @@ -597,7 +597,7 @@ static void SetCrlInfo(CRL_Entry* entry, CrlInfo *info) info->nextDateFormat = entry->nextDateFormat; info->crlNumberSet = entry->crlNumberSet; if (info->crlNumberSet) - XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_HEX_STR_SZ); + XMEMCPY(info->crlNumber, entry->crlNumber, sizeof(entry->crlNumber)); } static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info) @@ -612,7 +612,7 @@ static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info) info->nextDateFormat = entry->nextDateFormat; info->crlNumberSet = entry->crlNumberSet; if (info->crlNumberSet) - XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_HEX_STR_SZ); + XMEMCPY(info->crlNumber, entry->crlNumber, sizeof(entry->crlNumber)); } #endif @@ -622,14 +622,14 @@ static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info) static int CompareCRLnumber(CRL_Entry* prev, CRL_Entry* curr) { int ret = 0; - DECL_MP_INT_SIZE_DYN(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT, - CRL_MAX_NUM_SZ * CHAR_BIT); - DECL_MP_INT_SIZE_DYN(curr_num, CRL_MAX_NUM_SZ * CHAR_BIT, - CRL_MAX_NUM_SZ * CHAR_BIT); + DECL_MP_INT_SIZE_DYN(prev_num, CRL_MAX_NUM_SZ_BITS, + CRL_MAX_NUM_SZ_BITS); + DECL_MP_INT_SIZE_DYN(curr_num, CRL_MAX_NUM_SZ_BITS, + CRL_MAX_NUM_SZ_BITS); - NEW_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT, NULL, + NEW_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ_BITS, NULL, DYNAMIC_TYPE_TMP_BUFFER); - NEW_MP_INT_SIZE(curr_num, CRL_MAX_NUM_SZ * CHAR_BIT, NULL, + NEW_MP_INT_SIZE(curr_num, CRL_MAX_NUM_SZ_BITS, NULL, DYNAMIC_TYPE_TMP_BUFFER); #ifdef MP_INT_SIZE_CHECK_NULL if ((prev_num == NULL) || (curr_num == NULL)) { @@ -637,9 +637,9 @@ static int CompareCRLnumber(CRL_Entry* prev, CRL_Entry* curr) } #endif - if (ret == 0 && ((INIT_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ * CHAR_BIT) + if (ret == 0 && ((INIT_MP_INT_SIZE(prev_num, CRL_MAX_NUM_SZ_BITS) != MP_OKAY) || (INIT_MP_INT_SIZE(curr_num, - CRL_MAX_NUM_SZ * CHAR_BIT)) != MP_OKAY)) { + CRL_MAX_NUM_SZ_BITS)) != MP_OKAY)) { ret = MP_INIT_E; } diff --git a/tests/api.c b/tests/api.c index 000667347..751942dd3 100644 --- a/tests/api.c +++ b/tests/api.c @@ -31627,7 +31627,7 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew) AssertIntEQ(crl1Info.nextDateMaxLen, old->nextDateMaxLen); AssertIntEQ(crl1Info.nextDateFormat, old->nextDateFormat); AssertIntEQ(XMEMCMP( - crl1Info.crlNumber, old->crlNumber, CRL_MAX_NUM_HEX_STR_SZ), 0); + crl1Info.crlNumber, old->crlNumber, sizeof(old->crlNumber)), 0); AssertIntEQ(XMEMCMP( crl1Info.issuerHash, old->issuerHash, old->issuerHashLen), 0); AssertIntEQ(XMEMCMP( @@ -31642,7 +31642,7 @@ static void updateCrlCb(CrlInfo* old, CrlInfo* cnew) AssertIntEQ(crlRevInfo.nextDateMaxLen, cnew->nextDateMaxLen); AssertIntEQ(crlRevInfo.nextDateFormat, cnew->nextDateFormat); AssertIntEQ(XMEMCMP( - crlRevInfo.crlNumber, cnew->crlNumber, CRL_MAX_NUM_HEX_STR_SZ), 0); + crlRevInfo.crlNumber, cnew->crlNumber, sizeof(cnew->crlNumber)), 0); AssertIntEQ(XMEMCMP( crlRevInfo.issuerHash, cnew->issuerHash, cnew->issuerHashLen), 0); AssertIntEQ(XMEMCMP( diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index bcbd8c638..46150b6a9 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -40856,22 +40856,13 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, ret = BUFFER_E; /* Check CRL number size * if it exceeds CRL_MAX_NUM_SZ(octets) + * and CRL_MAX_NUM_HEX_STR_SZ(hex string) */ - if (mp_unsigned_bin_size(m) > CRL_MAX_NUM_SZ) { + if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) || + ((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) { WOLFSSL_MSG("CRL number exceeds limitation."); ret = BUFFER_E; } - /* Determine required size for hexadecimal string encoding */ - if (ret == MP_OKAY && - (mp_radix_size(m, MP_RADIX_HEX, &needed) != MP_OKAY)) { - WOLFSSL_MSG("mp_radix_size failure"); - ret = BUFFER_E; - } - if (ret == MP_OKAY && needed > CRL_MAX_NUM_HEX_STR_SZ) { - WOLFSSL_MSG("CRL number hex string" - " exceeds buffer limitation"); - ret = BUFFER_E; - } if (ret == MP_OKAY && mp_toradix(m, (char*)dcrl->crlNumber, MP_RADIX_HEX) != MP_OKAY) ret = BUFFER_E; @@ -40991,22 +40982,13 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx, } /* Check CRL number size * if it exceeds CRL_MAX_NUM_SZ(octets) + * and CRL_MAX_NUM_HEX_STR_SZ(hex string) */ - if (mp_unsigned_bin_size(m) > CRL_MAX_NUM_SZ) { + if (((needed = mp_unsigned_bin_size(m)) > CRL_MAX_NUM_SZ) || + ((needed * 2 + 1) > CRL_MAX_NUM_HEX_STR_SZ)) { WOLFSSL_MSG("CRL number exceeds limitation."); ret = BUFFER_E; } - /* Determine required size for hexadecimal string encoding */ - if (ret == MP_OKAY && - (mp_radix_size(m, MP_RADIX_HEX, &needed) != MP_OKAY)) { - WOLFSSL_MSG("mp_radix_size failure"); - ret = BUFFER_E; - } - if (ret == MP_OKAY && needed > CRL_MAX_NUM_HEX_STR_SZ) { - WOLFSSL_MSG("CRL number hex string" - " exceeds buffer limitation"); - ret = BUFFER_E; - } if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber, MP_RADIX_HEX) != MP_OKAY) ret = BUFFER_E; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index ad60f4ff8..b6549d9a2 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3795,7 +3795,7 @@ typedef int (*CbCrlIO)(WOLFSSL_CRL* crl, const char* url, int urlSz); #ifdef HAVE_CRL_UPDATE_CB typedef struct CrlInfo { - byte crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; + char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; byte *issuerHash; word32 issuerHashLen; byte *lastDate; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index c21c9e1e7..bbdeaf019 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2694,6 +2694,7 @@ struct RevokedCert { #endif /* octets long */ #define CRL_MAX_NUM_HEX_STR_SZ (CRL_MAX_NUM_SZ * 2 + 1) +#define CRL_MAX_NUM_SZ_BITS (CRL_MAX_NUM_SZ * CHAR_BIT) typedef struct DecodedCRL DecodedCRL; @@ -2707,7 +2708,7 @@ struct DecodedCRL { word32 sigParamsLength; /* length of signature parameters */ #endif byte* signature; /* pointer into raw source, not owned */ - byte crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* CRL number extension */ + char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* CRL number extension */ byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */ byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */