OIDs represented as word32 instead of word16#10710
Conversation
aidankeefe2022
force-pushed
the
Asn1-word16-word32-migration
branch
from
1e9f191 to
70d10ae
Compare
|
wolfSSL-Fenrir-bot
left a comment
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10710
Scan targets checked: wolfcrypt-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Findings: 1
Low (1)
OID arcs widened to word32 still printed with %d
File: wolfcrypt/src/asn.c:14386
Function: GenerateDNSEntryRIDString
Category: Incorrect sizeof/type usage
tmpName was widened from word16 to word32 but is still printed via XSNPRINTF(..., "%d.", tmpName[i]); word32 (unsigned int) no longer matches %d, producing a -Wformat warning that breaks -Werror builds. Same pattern in PrintObjectIdNum (asn.c:37660). Arc values are bounded, so no runtime misprint.
Recommendation: Use "%u" (or cast the argument to int) at both call sites that print word32 OID arcs.
Referenced code: wolfcrypt/src/asn.c:14386-14387 (2 lines)
This review was generated automatically by Fenrir. Findings are non-blocking.
|
For some reason I had just envisioned an API argument change. It makes sense though for some of the internals of the function to change too, this looks good but it is more risk than I had envisioned. |
aidankeefe2022
force-pushed
the
Asn1-word16-word32-migration
branch
3 times, most recently
from
cc4ecf8 to
4f68f69
Compare
will not be truncated. Added tests for updated OID handling. made change fips compatable removed tests for EncodeObjectId caused symbol error in CI/CD
aidankeefe2022
force-pushed
the
Asn1-word16-word32-migration
branch
from
4f68f69 to
524bf6d
Compare
|
Jenkins retest this please |
4 participants
Description
This fixes two issues in how OIDs are represented in wolfSSL.
Breaking change. Word16 cannot represent many real OID arcs -- e.g. 1.2.840.113549.1.1.1 (RSA encryption). This was widened to word 32 in three public symbols:
The callback types appear as fields in WOLFSSL_CERT_MANAGER, wc_PKCS7, and DecodedCert.
New internal functions were added to handle this change EncodeObjectId_ex and DecodeObjectId_ex both handle
word32 OIDs. The non _ex functions were left due to them being called by FIPS code and that code expects word16.
Non-breaking bug fix. DER encoding packs the first two arcs into a single value (40 x first + second), so decoding assumed the second arc was 0-39. That assumption holds only when the first arc is 0 or 1; when the first arc is 2, the second arc is unbounded and base-128 encodes to a value above 127. Decoding now special-cases this.
Example -- 2.100.3:
encodes -> 0x81, 0x34, 0x03
before: decoded as 4.20.3 (0x81,0x34 unpacked to 180; 180/40=4 rem 20)
after: decodes as 2.100.3
Testing
Added tests for DecodeObjectId and EncodeObjectId covering word32 OIDs, plus a test for an OID whose first arc is 2 and second arc is 100, verifying correct decoding of the byte form.
Checklist