Add true zero-allocation X.509 certificate verification under WOLFSSL_NO_MALLOC#10821
Add true zero-allocation X.509 certificate verification under WOLFSSL_NO_MALLOC#10821aidangarske wants to merge 1 commit into
Conversation
|
retest this please |
5b82762 to
46477a1
Compare
There was a problem hiding this comment.
Pull request overview
This PR updates wolfCrypt’s X.509 parsing/verification path to support a strict no-allocator configuration by referencing public keys and SubjectAltName (SAN) data in-place within the source DER, and by storing SAN list nodes in a fixed per-certificate pool when WC_ASN_NO_HEAP is active.
Changes:
- Introduces
WC_ASN_NO_HEAPgating and a fixed-size SAN pool (WC_ASN_MAX_ALTNAMES) in decoded certificate structures. - Updates key and SAN handling to avoid heap allocation (in-place key/SAN references; pool-backed SAN nodes) and adjusts freeing behavior accordingly.
- Adds a unit test to exercise heap/file-free parsing and validate the in-place/no-heap invariants when enabled.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
wolfssl/wolfcrypt/asn.h |
Adds WC_ASN_NO_HEAP gating, SAN pool fields, and tracking metadata for SAN entry ownership. |
wolfcrypt/src/asn.c |
Implements no-heap key/SAN storage paths and updates freeing and CA storage behavior under no-heap. |
wolfcrypt/test/test.c |
Adds a parse test intended to validate no-heap/in-place storage behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ffba504 to
d271031
Compare
dgarske
left a comment
There was a problem hiding this comment.
Skoll Multi-Scan Review
Modes: review + review-securityOverall recommendation: REQUEST_CHANGES
Findings: 7 total — 6 posted, 1 skipped
6 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [High] [review] Unused static function build break under WC_ASN_NO_HEAP + WOLFSSL_IP_ALT_NAME/WOLFSSL_RID_ALT_NAME —
wolfcrypt/src/asn.c:14289,14360,14577,14583 - [Medium] [review] cert_no_malloc_test uses a cert whose IP SAN the no-heap path fail-closes —
wolfcrypt/test/test.c:26025-26027 - [Medium] [review] New no-heap key/SAN in-place paths are under-tested —
wolfcrypt/test/test.c:26018-26046 - [Low] [review+review-security] No-heap SAN name is not NUL-terminated (contract divergence from heap path) —
wolfcrypt/src/asn.c:14536-14542 - [Low] [review+review-security] altNamePool embedded mid-struct enlarges stack-allocated DecodedCert/DecodedAcert under no-heap —
wolfssl/wolfcrypt/asn.h:1806-1811 - [Low] [review] New SetDNSEntry call sites exceed the 80-column style limit —
wolfcrypt/src/asn.c:19066,19128,19274,19306,19322
Skipped findings
- [Medium]
Shared 8-slot SAN pool exhaustion and IP/RID fail-closed abort the entire certificate parse under no-heap
Review generated by Skoll
d5de700 to
368bf22
Compare
368bf22 to
f15d175
Compare
Makes the X.509 verify path (wc_ParseCert) truly be no malloc, so embedded/no-heap builds can validate certificate chains without dynamic memory.
Previously a strict no-heap build failed to parse any real certificate. The public-key copy (StoreKey/StoreEccKey) and the SubjectAltName list (AltNameNew/SetDNSEntry) needed the heap and returned
MEMORY_E. This references the public key and alt-name strings in place in the source DER (the same contract wolfSSL already uses for subjectCN), with SAN entries held in a fixed per-cert pool (WC_ASN_MAX_ALTNAMES, default 8).Gated by a new internal
WC_ASN_NO_HEAP(WOLFSSL_NO_MALLOC && NO_WOLFSSL_MEMORY && !XMALLOC_USER && !WOLFSSL_STATIC_MEMORY): only builds with genuinely no allocator take the in-place path; builds with a real allocator (callbacks, XMALLOC_USER, static memory) keep the existing heap paths. Default malloc builds are byte-for-byte unchangedUnder no-heap, IP/RID SANs (which need a heap-synthesized string) and CertManager CA storage are fail-closed (documented limitations). Adds a heap-free parse test (cert_no_malloc_test).