Store crlNumber as a byte array

Author: lealem47

src/crl.c

@@ -139,7 +139,8 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
 #endif
     dcrl->certs = NULL;
     crle->totalCerts = dcrl->totalCerts;
-    crle->crlNumber = dcrl->crlNumber;
+    XMEMCPY(crle->crlNumber, dcrl->crlNumber, CRL_MAX_NUM_SZ);
+    crle->crlNumberSet = dcrl->crlNumberSet;
     crle->verified = verified;
     if (!verified) {
         crle->tbsSz = dcrl->sigIndex - dcrl->certBegin;
@@ -590,7 +591,8 @@ static void SetCrlInfo(CRL_Entry* entry, CrlInfo *info)
     info->nextDate = (byte *)entry->nextDate;
     info->nextDateMaxLen = MAX_DATE_SIZE;
     info->nextDateFormat = entry->nextDateFormat;
-    info->crlNumber = (sword32)entry->crlNumber;
+    XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_SZ);
+    info->crlNumberSet = entry->crlNumberSet;
 }
 
 static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
@@ -603,10 +605,30 @@ static void SetCrlInfoFromDecoded(DecodedCRL* entry, CrlInfo *info)
     info->nextDate = (byte *)entry->nextDate;
     info->nextDateMaxLen = MAX_DATE_SIZE;
     info->nextDateFormat = entry->nextDateFormat;
-    info->crlNumber = (sword32)entry->crlNumber;
+    XMEMCPY(info->crlNumber, entry->crlNumber, CRL_MAX_NUM_SZ);
+    info->crlNumberSet = entry->crlNumberSet;
 }
 #endif
 
+/* Returns 1 if prev crlNumber is smaller, 0 otherwise */
+static int CompareCRLnumber(CRL_Entry* prev, CRL_Entry* curr) {
+    word32 i;
+    word32 prevCrlNumLen = (word32)XSTRLEN((char*)prev->crlNumber);
+    word32 currCrlNumLen = (word32)XSTRLEN((char*)curr->crlNumber);
+
+    if (prevCrlNumLen != currCrlNumLen) {
+        return (prevCrlNumLen < currCrlNumLen);
+    }
+
+    for (i = 0; i < currCrlNumLen; i++) {
+        if (prev->crlNumber[i] != curr->crlNumber[i]) {
+            return prev->crlNumber[i] < curr->crlNumber[i];
+        }
+    }
+
+    return 1;
+}
+
 /* Add Decoded CRL, 0 on success */
 static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
                   int verified)
@@ -648,7 +670,7 @@ static int AddCRL(WOLFSSL_CRL* crl, DecodedCRL* dcrl, const byte* buff,
 
     for (curr = crl->crlList; curr != NULL; curr = curr->next) {
         if (XMEMCMP(curr->issuerHash, crle->issuerHash, CRL_DIGEST_SIZE) == 0) {
-            if (crle->crlNumber <= curr->crlNumber) {
+            if (CompareCRLnumber(crle, curr)) {
                 WOLFSSL_MSG("Same or newer CRL entry already exists");
                 CRL_Entry_free(crle, crl->heap);
                 wc_UnLockRwLock(&crl->crlLock);

src/x509.c

@@ -8951,7 +8951,7 @@ static int X509CRLPrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl,
             return WOLFSSL_FAILURE;
     }
 
-    if (crl->crlList->crlNumber) {
+    if (crl->crlList->crlNumberSet) {
         if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 4, "",
                     "X509v3 CRL Number:") >= MAX_WIDTH) {
             return WOLFSSL_FAILURE;
@@ -8961,11 +8961,11 @@ static int X509CRLPrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl,
             return WOLFSSL_FAILURE;
         }
 
-        if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%d\n", indent + 8, "",
-            crl->crlList->crlNumber) >= MAX_WIDTH)
-        {
+        if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent + 8, "",
+            crl->crlList->crlNumber) >= MAX_WIDTH) {
             return WOLFSSL_FAILURE;
         }
+
         if (wolfSSL_BIO_write(bio, tmp, (int)XSTRLEN(tmp)) <= 0) {
             return WOLFSSL_FAILURE;
         }

wolfcrypt/src/asn.c

@@ -39077,50 +39077,38 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
                     return ret;
                 }
                 else {
-                    if (length > 1) {
-                        int    i;
-                    #ifdef WOLFSSL_SMALL_STACK
-                        mp_int* m = (mp_int*)XMALLOC(sizeof(*m), NULL,
-                                DYNAMIC_TYPE_BIGINT);
-                        if (m == NULL) {
-                            return MEMORY_E;
-                        }
-                    #else
-                        mp_int m[1];
-                    #endif
+                #ifdef WOLFSSL_SMALL_STACK
+                    mp_int* m = (mp_int*)XMALLOC(sizeof(*m), NULL,
+                            DYNAMIC_TYPE_BIGINT);
+                    if (m == NULL) {
+                        return MEMORY_E;
+                    }
+                #else
+                    mp_int m[1];
+                #endif
 
-                        if (mp_init(m) != MP_OKAY) {
-                            ret = MP_INIT_E;
-                        }
+                    if (mp_init(m) != MP_OKAY) {
+                        ret = MP_INIT_E;
+                    }
 
-                        if (ret == 0)
-                            ret = mp_read_unsigned_bin(m, buf + idx, length);
-                        if (ret != MP_OKAY)
-                            ret = BUFFER_E;
+                    if (ret == 0)
+                        ret = mp_read_unsigned_bin(m, buf + idx, length);
+                    if (ret != MP_OKAY)
+                        ret = BUFFER_E;
 
-                        if (ret == 0) {
-                            dcrl->crlNumber = 0;
-                            for (i = 0; i < (int)(*m).used; ++i) {
-                                if (i > (CHAR_BIT *
-                                         (int)sizeof(word32) / DIGIT_BIT)) {
-                                    break;
-                                }
-                                dcrl->crlNumber |= ((word32)(*m).dp[i]) <<
-                                    (DIGIT_BIT * i);
-                            }
-                        }
+                    if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber, MP_RADIX_DEC)
+                            != MP_OKAY)
+                        ret = BUFFER_E;
 
-                        mp_free(m);
-                    #ifdef WOLFSSL_SMALL_STACK
-                        XFREE(m, NULL, DYNAMIC_TYPE_BIGINT);
-                    #endif
+                    dcrl->crlNumberSet = 1;
 
-                        if (ret != 0)
-                            return ret;
-                    }
-                    else if (length == 1) {
-                        dcrl->crlNumber = buf[idx];
-                    }
+                    mp_free(m);
+                #ifdef WOLFSSL_SMALL_STACK
+                    XFREE(m, NULL, DYNAMIC_TYPE_BIGINT);
+                #endif
+
+                    if (ret != 0)
+                        return ret;
                 }
             }
         }
@@ -39198,9 +39186,12 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf, word32 idx,
                 if (ret == 0) {
                     ret = GetInt(m, buf, &localIdx, maxIdx);
                 }
-                if (ret == 0) {
-                    dcrl->crlNumber = (int)m->dp[0];
-                }
+
+                if (ret == 0 && mp_toradix(m, (char*)dcrl->crlNumber, MP_RADIX_DEC)
+                        != MP_OKAY)
+                    ret = BUFFER_E;
+
+                dcrl->crlNumberSet = 1;
 
                 mp_free(m);
             #ifdef WOLFSSL_SMALL_STACK

wolfssl/internal.h

@@ -2560,6 +2560,8 @@ struct CRL_Entry {
     /* DupCRL_Entry copies data after the `verifyMutex` member. Using the mutex
      * as the marker because clang-tidy doesn't like taking the sizeof a
      * pointer. */
+    byte    crlNumber[CRL_MAX_NUM_SZ];    /* CRL number extension */
+    byte    crlNumberSet;                 /* CRL number set indicator */
     byte    issuerHash[CRL_DIGEST_SIZE];  /* issuer hash                 */
     /* byte    crlHash[CRL_DIGEST_SIZE];      raw crl data hash           */
     /* restore the hash here if needed for optimized comparisons */
@@ -2590,7 +2592,6 @@ struct CRL_Entry {
     byte    extAuthKeyIdSet;
     byte    extAuthKeyId[KEYID_SIZE];
 #endif
-    int                   crlNumber;  /* CRL number extension */
 };
 
 

wolfssl/ssl.h

@@ -3748,6 +3748,8 @@ typedef int  (*CbCrlIO)(WOLFSSL_CRL* crl, const char* url, int urlSz);
 
 #ifdef HAVE_CRL_UPDATE_CB
 typedef struct CrlInfo {
+    byte crlNumber[CRL_MAX_NUM_SZ];
+    byte crlNumberSet;
     byte *issuerHash;
     word32 issuerHashLen;
     byte *lastDate;
@@ -3756,7 +3758,6 @@ typedef struct CrlInfo {
     byte *nextDate;
     word32 nextDateMaxLen;
     byte nextDateFormat;
-    sword32 crlNumber;
 } CrlInfo;
 
 typedef void (*CbUpdateCRL)(CrlInfo* old, CrlInfo* cnew);

wolfssl/wolfcrypt/asn.h

@@ -2852,6 +2852,11 @@ struct RevokedCert {
     byte         revDateFormat;
 };
 
+#ifndef CRL_MAX_NUM_SZ
+#define CRL_MAX_NUM_SZ 49 /* RFC5280 states that CRL number can be up to 20 */
+#endif                    /* octets long i.e 49 digits */
+
+
 typedef struct DecodedCRL DecodedCRL;
 
 struct DecodedCRL {
@@ -2864,6 +2869,8 @@ struct DecodedCRL {
     word32  sigParamsLength;         /* length of signature parameters   */
 #endif
     byte*   signature;               /* pointer into raw source, not owned */
+    byte    crlNumber[CRL_MAX_NUM_SZ];      /* CRL number extension */
+    byte    crlNumberSet;                   /* CRL number set indicator */
     byte    issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash          */
     byte    crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash            */
     byte    lastDate[MAX_DATE_SIZE]; /* last date updated  */
@@ -2882,7 +2889,6 @@ struct DecodedCRL {
     byte    extAuthKeyIdSet;
     byte    extAuthKeyId[SIGNER_DIGEST_SIZE]; /* Authority Key ID        */
 #endif
-    int          crlNumber;          /* CRL number extension  */
 };
 
 WOLFSSL_LOCAL void InitDecodedCRL(DecodedCRL* dcrl, void* heap);