Add CRL generation code#9631

Open
padelsbach wants to merge 1 commit into wolfSSL:master from padelsbach:crl-generation
@padelsbach padelsbach commented Jan 8, 2026

Description

Add ability to generate a certificate revocation list (CRL), in addition to the existing CRL decode logic.

Testing

New unit test in C, and new test script which uses openssl to validate the output.

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot AI left a comment

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated 11 comments.


@padelsbach padelsbach force-pushed the crl-generation branch 21 times, most recently from 575cc9c to 42524ec, January 13, 2026 18:18
@padelsbach padelsbach marked this pull request as ready for review January 13, 2026 19:24
@padelsbach padelsbach force-pushed the crl-generation branch 2 times, most recently from 4aaf567 to 9b70e81, February 4, 2026 18:39
@padelsbach padelsbach assigned cconlon and unassigned padelsbach Feb 4, 2026
padelsbach commented Feb 4, 2026

jenkins retest this please

cconlon previously approved these changes Feb 5, 2026
cconlon commented Feb 5, 2026

Over to @douzzer for his final review

@cconlon cconlon assigned douzzer and unassigned cconlon Feb 5, 2026
@padelsbach padelsbach force-pushed the crl-generation branch 3 times, most recently from 3d2171e to 917e675, February 10, 2026 18:29
@douzzer douzzer left a comment

pr-check found some quibbles:

[quantum-safe-wolfssl-all-g++-latest-debug] [10 of 55] [917e67565e-on-2ef096a21b]
    configure...   real 0m19.490s  user 0m11.314s  sys 0m9.845s
    build...wolfcrypt/src/asn.c: In function ‘int wc_MakeCRL_ex(const byte*, word32, const byte*, byte, const byte*, byte, RevokedCert*, int, const byte*, word32, int, int, byte*, word32)’:
3632e98eb3 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 41744)     int i;
wolfcrypt/src/asn.c:41744:9: error: variable ‘i’ set but not used [-Werror=unused-but-set-variable=]
41744 |     int i;
      |         ^
src/crl.c: In function ‘int wolfSSL_X509_CRL_add_revoked(WOLFSSL_X509_CRL*, WOLFSSL_X509_REVOKED*)’:
3632e98eb3 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 2283)     WOLFSSL_ASN1_TIME revDate = {0};
src/crl.c:2283:35: error: missing initializer for member ‘WOLFSSL_ASN1_TIME::length’ [-Werror=missing-field-initializers]
 2283 |     WOLFSSL_ASN1_TIME revDate = {0};
      |                                   ^
3632e98eb3 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 2283)     WOLFSSL_ASN1_TIME revDate = {0};
src/crl.c:2283:35: error: missing initializer for member ‘WOLFSSL_ASN1_TIME::type’ [-Werror=missing-field-initializers]
cc1plus: all warnings being treated as errors
make[2]: *** [Makefile:9495: src/libwolfssl_la-crl.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
cc1plus: all warnings being treated as errors
make[2]: *** [Makefile:9054: wolfcrypt/src/src_libwolfssl_la-asn.lo] Error 1
tests/api.c: In function ‘int generate_crl_test(const char*, const char*, const char*, const char*, const char*)’:
3632e98eb3 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 20431)     WOLFSSL_ASN1_TIME asnTime = {0};
tests/api.c:20431:35: error: missing initializer for member ‘WOLFSSL_ASN1_TIME::length’ [-Werror=missing-field-initializers]
20431 |     WOLFSSL_ASN1_TIME asnTime = {0};
      |                                   ^
3632e98eb3 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 20431)     WOLFSSL_ASN1_TIME asnTime = {0};
tests/api.c:20431:35: error: missing initializer for member ‘WOLFSSL_ASN1_TIME::type’ [-Werror=missing-field-initializers]
3632e98eb3 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 20449)     };
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::intData’ [-Werror=missing-field-initializers]
20449 |     };
      |     ^
3632e98eb3 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 20449)     };
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::negative’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::dataMax’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::isDynamic’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::type’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::intData’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::negative’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::dataMax’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::isDynamic’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::type’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::intData’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::negative’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::dataMax’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::isDynamic’ [-Werror=missing-field-initializers]
tests/api.c:20449:5: error: missing initializer for member ‘WOLFSSL_ASN1_INTEGER::type’ [-Werror=missing-field-initializers]
tests/api.c: In function ‘int test_wolfSSL_X509_CRL_sign_large()’:
3632e98eb3 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 20665)     WOLFSSL_ASN1_TIME asnTime = {0};
tests/api.c:20665:35: error: missing initializer for member ‘WOLFSSL_ASN1_TIME::length’ [-Werror=missing-field-initializers]
20665 |     WOLFSSL_ASN1_TIME asnTime = {0};
      |                                   ^
3632e98eb3 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 20665)     WOLFSSL_ASN1_TIME asnTime = {0};
tests/api.c:20665:35: error: missing initializer for member ‘WOLFSSL_ASN1_TIME::type’ [-Werror=missing-field-initializers]
cc1plus: all warnings being treated as errors
make[2]: *** [Makefile:9915: tests/unit_test-api.o] Error 1
make[1]: *** [Makefile:11426: all-recursive] Error 1
make: *** [Makefile:6231: all] Error 2
   real 0m12.117s  user 1m12.577s  sys 0m4.880s
    scenario started 2026-02-11T19:59:31.218269Z, real elapsed 0m31.621014s
    quantum-safe-wolfssl-all-g++-latest-debug fail_build
    failed config: 'EXTRA_CPPFLAGS=-Werror' '--srcdir' '.' '--disable-jobserver' '--enable-option-checking=fatal' '--enable-all' '--enable-acert' '--enable-dtls13' '--enable-dtls-mtu' '--enable-dtls-frag-ch' '--enable-dtlscid' '--enable-quic' '--with-sys-crypto-policy' '--enable-debug' '--enable-debug-trace-errcodes' '--enable-sp-math-all' '--enable-experimental' '--enable-kyber=yes,original' '--enable-lms' '--enable-xmss' '--enable-dilithium' '--enable-dual-alg-certs' '--disable-qt' 'CC=g++-16' 'CFLAGS=-DTEST_ALWAYS_RUN_TO_END' 'CPPFLAGS=-DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK'
[sanitizer-all-intelasm-c-fallback-fuzzer] [14 of 55] [917e67565e-on-2ef096a21b]
    seed=1771155853
    configure...   real 0m17.224s  user 0m9.602s  sys 0m9.292s
    build...wolfcrypt/src/asn.c: In function ‘wc_MakeCRL_ex’:
411a0949d8 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 41744)     int i;
wolfcrypt/src/asn.c:41744:9: error: variable ‘i’ set but not used [-Werror=unused-but-set-variable=]
41744 |     int i;
      |         ^
cc1: all warnings being treated as errors
make[2]: *** [Makefile:9054: wolfcrypt/src/src_libwolfssl_la-asn.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:11426: all-recursive] Error 1
make: *** [Makefile:6231: all] Error 2
   real 1m9.910s  user 13m6.383s  sys 0m10.733s
    scenario started 2026-02-11T20:02:28.681604Z, real elapsed 1m27.166515s
    sanitizer-all-intelasm-c-fallback-fuzzer fail_build
    failed config: 'EXTRA_CPPFLAGS=-Werror' '--srcdir' '.' '--disable-jobserver' '--enable-option-checking=fatal' '--enable-all' '--enable-acert' '--enable-dtls13' '--enable-dtls-mtu' '--enable-dtls-frag-ch' '--enable-dtlscid' '--enable-quic' '--with-sys-crypto-policy' '--enable-intelasm' 'CC=gcc-16' 'LDFLAGS=-g -fno-omit-frame-pointer -fsanitize-recover=all -fsanitize=address,pointer-subtract,leak,undefined,float-cast-overflow,float-divide-by-zero,bounds-strict -fsanitize-recover=all ' 'CFLAGS=-DTEST_ALWAYS_RUN_TO_END -DWC_SIPHASH_NO_ASM -DWC_DEBUG_CIPHER_LIFECYCLE -g -fno-omit-frame-pointer -fsanitize=address,pointer-subtract,leak,undefined,float-cast-overflow,float-divide-by-zero,bounds-strict -fsanitize-recover=all --param=max-vartrack-size=128000000' 'CPPFLAGS=-DWC_AES_C_DYNAMIC_FALLBACK -DWC_C_DYNAMIC_FALLBACK -DDEBUG_VECTOR_REGISTER_ACCESS -DDEBUG_VECTOR_REGISTER_ACCESS_FUZZING -DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK -DWC_DEBUG_VECTOR_REGISTERS_FUZZING_SEED=1771155853'
    BUILD_ENV: 'FAIL_BUILD_CODENAME=fail_analytic_build' 'MAX_FIPS_CODE_SZ=10000000'
    RUN_ENV: 'LD_LIBRARY_PATH=/tmp/wolfssl_test_workdir.24839/wolfssl/src/.libs:/usr/lib/gcc/x86_64-pc-linux-gnu/16:/usr/lib/gcc/x86_64-pc-linux-gnu/16/32' 'ASAN_OPTIONS=halt_on_error=0 color=always log_path=sanitizer_log.asan ' 'UBSAN_OPTIONS=halt_on_error=0 color=always log_path=sanitizer_log.ubsan ' 'LSAN_OPTIONS=halt_on_error=0 color=always log_path=sanitizer_log.lsan ' 'MSAN_OPTIONS=halt_on_error=0 color=always log_path=sanitizer_log.msan ' 'TSAN_OPTIONS=halt_on_error=0 color=always log_path=sanitizer_log.tsan '
[all-gcc-latest-c99-smallstack] [24 of 55] [917e67565e-on-2ef096a21b]
    configure...   real 0m9.248s  user 0m5.817s  sys 0m4.461s
    build...wolfcrypt/src/asn.c: In function ‘wc_MakeCRL_ex’:
09cd77e658 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 41744)     int i;
wolfcrypt/src/asn.c:41744:9: error: variable ‘i’ set but not used [-Werror=unused-but-set-variable=]
41744 |     int i;
      |         ^
cc1: all warnings being treated as errors
make[2]: *** [Makefile:9054: wolfcrypt/src/src_libwolfssl_la-asn.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:11426: all-recursive] Error 1
make: *** [Makefile:6231: all] Error 2
   real 0m18.171s  user 2m56.181s  sys 0m4.879s
    scenario started 2026-02-11T20:07:49.610923Z, real elapsed 0m27.429834s
    all-gcc-latest-c99-smallstack fail_build
    failed config: 'EXTRA_CPPFLAGS=-Werror' '--srcdir' '.' '--disable-jobserver' '--enable-option-checking=fatal' '--enable-all' '--enable-acert' '--enable-dtls13' '--enable-dtls-mtu' '--enable-dtls-frag-ch' '--enable-dtlscid' '--enable-quic' '--with-sys-crypto-policy' '--enable-smallstack' '--enable-smallstackcache' '--enable-sp-math-all' '--enable-asn=template' 'CC=gcc-16' 'CFLAGS=-DTEST_ALWAYS_RUN_TO_END' 'CPPFLAGS=-std=c99 -pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -Wdeclaration-after-statement -DNO_WOLFSSL_CIPHER_SUITE_TEST -DWOLFSSL_OLD_PRIME_CHECK'
    RUN_ENV: 'LD_LIBRARY_PATH=/tmp/wolfssl_test_workdir.24839/wolfssl/src/.libs:/usr/lib/gcc/x86_64-pc-linux-gnu/16:/usr/lib/gcc/x86_64-pc-linux-gnu/16/32'
[quantum-safe-wolfssl-all-gcc-latest-m32] [32 of 55] [917e67565e-on-2ef096a21b]
    configure...   real 0m9.321s  user 0m5.933s  sys 0m4.369s
    build...wolfcrypt/src/asn.c: In function ‘wc_MakeCRL_ex’:
0fc38207eb (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 41744)     int i;
wolfcrypt/src/asn.c:41744:9: error: variable ‘i’ set but not used [-Werror=unused-but-set-variable=]
41744 |     int i;
      |         ^
cc1: all warnings being treated as errors
make[2]: *** [Makefile:9054: wolfcrypt/src/src_libwolfssl_la-asn.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:11426: all-recursive] Error 1
make: *** [Makefile:6231: all] Error 2
   real 0m20.993s  user 3m6.017s  sys 0m5.285s
    scenario started 2026-02-11T20:10:48.297849Z, real elapsed 0m30.324614s
    quantum-safe-wolfssl-all-gcc-latest-m32 fail_build
    failed config: 'EXTRA_CPPFLAGS=-Werror' '--srcdir' '.' '--disable-jobserver' '--enable-option-checking=fatal' '--enable-all' '--enable-acert' '--enable-dtls13' '--enable-dtls-mtu' '--enable-dtls-frag-ch' '--enable-dtlscid' '--enable-quic' '--with-sys-crypto-policy' '--enable-32bit' '--enable-experimental' '--enable-kyber=yes,original' '--enable-lms' '--enable-xmss' '--enable-dilithium' '--enable-dual-alg-certs' '--disable-qt' 'CC=gcc-16' 'CFLAGS=-DTEST_ALWAYS_RUN_TO_END -m32' 'CPPFLAGS=-pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFCRYPT_TEST_LINT'
[all-crypto-linuxkm-defaults-max-func-stack-2k-build] [44 of 55] [917e67565e-on-2ef096a21b]
    configure...   real 0m8.312s  user 0m5.135s  sys 0m4.047s
    build...src/crl.c: In function ‘wolfSSL_X509_CRL_add_revoked_cert’:
b8129db876 (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 2423) }
src/crl.c:2423:1: error: the frame size of 2688 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
 2423 | }
      | ^
cc1: all warnings being treated as errors
make[2]: *** [Makefile:9495: src/libwolfssl_la-crl.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:11426: all-recursive] Error 1
make: *** [Makefile:6231: all] Error 2
   real 0m6.502s  user 0m39.127s  sys 0m2.046s
    scenario started 2026-02-11T20:28:51.644680Z, real elapsed 0m14.826299s
    all-crypto-linuxkm-defaults-max-func-stack-2k-build fail_build
    failed config: 'EXTRA_CPPFLAGS=-Werror' '--srcdir' '.' '--disable-jobserver' '--enable-option-checking=fatal' '--enable-linuxkm-defaults' '--enable-all' '--enable-acert' '--enable-dtls13' '--enable-dtls-mtu' '--enable-dtls-frag-ch' '--enable-dtlscid' '--enable-quic' '--with-sys-crypto-policy' '--disable-testcert' '--enable-crypttests' '--disable-benchmark' '--disable-examples' '--enable-aesni-with-avx' '--enable-sp-asm' '--with-max-rsa-bits=16384' 'CFLAGS=-DTEST_ALWAYS_RUN_TO_END -Wframe-larger-than=2048 -Wstack-usage=4096'
[all-max-func-stack-2k] [45 of 55] [917e67565e-on-2ef096a21b]
    configure...   real 0m9.194s  user 0m5.738s  sys 0m4.555s
    build...src/crl.c: In function ‘wolfSSL_X509_CRL_add_revoked_cert’:
d4a7620bdd (<paul.adelsbach@wolfssl.com> 2025-12-31 11:59:42 -0800 2423) }
src/crl.c:2423:1: error: the frame size of 2816 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
 2423 | }
      | ^
cc1: all warnings being treated as errors
make[2]: *** [Makefile:9495: src/libwolfssl_la-crl.lo] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:11426: all-recursive] Error 1
make: *** [Makefile:6231: all] Error 2
   real 0m8.351s  user 0m45.375s  sys 0m2.140s
    scenario started 2026-02-11T20:29:06.924519Z, real elapsed 0m17.557571s
    all-max-func-stack-2k fail_build
    failed config: 'EXTRA_CPPFLAGS=-Werror' '--srcdir' '.' '--disable-jobserver' '--enable-option-checking=fatal' '--enable-all' '--enable-acert' '--enable-dtls13' '--enable-dtls-mtu' '--enable-dtls-frag-ch' '--enable-dtlscid' '--enable-quic' '--with-sys-crypto-policy' '--disable-testcert' '--enable-smallstack' '--enable-smallstackcache' '--enable-crypttests' '--enable-benchmark' '--disable-examples' '--enable-aesni-with-avx' '--enable-sp-asm' '--with-max-rsa-bits=16384' 'CFLAGS=-DTEST_ALWAYS_RUN_TO_END -Wframe-larger-than=2048 -Wstack-usage=4096'

douzzer commented Feb 12, 2026

retest this please

FAIL: scripts/ocsp-stapling2.test

@douzzer douzzer left a comment

Claude found a couple defects that look like true positives to me:

Potential Security Issue: DER-encoded Integer Tag/Length Stripping Is Too Naive
In wolfSSL_X509_CRL_add_revoked (crl.c, around line 947):

and

wolfSSL_X509_CRL_sign Frees buf with the Wrong Heap Tag

I'm sending its full report by email to preserve the formatting.
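
General background to the first finding above, added here and not code from the pull request, the reviewer's report, or wolfSSL: the page does not show the flagged lines, so this sketch only illustrates what stripping the tag and length from a DER INTEGER (such as a CRL serial number) has to check. `der_integer_content` and the sample buffers are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed samples: short-form length, and long-form length (0x81 0x80)
 * where a fixed two-byte skip would treat the 0x80 length octet as content. */
static const unsigned char SAMPLE_SHORT[] = { 0x02, 0x01, 0x05 };
static const unsigned char SAMPLE_LONG[3 + 128] = { 0x02, 0x81, 0x80, 0x01 };

/* Hypothetical helper, not a wolfSSL API: locate the content octets of one
 * DER INTEGER that fills the whole buffer. Returns 0 on success, -1 if the
 * input is malformed or not valid DER. */
int der_integer_content(const unsigned char *in, size_t inLen,
                        const unsigned char **content, size_t *contentLen)
{
    size_t idx = 0, len = 0, nLenBytes, i;

    if (in == NULL || content == NULL || contentLen == NULL || inLen < 3)
        return -1;
    if (in[idx++] != 0x02)                 /* tag must be INTEGER */
        return -1;
    if ((in[idx] & 0x80) == 0) {           /* short form: 0..127 */
        len = in[idx++];
    } else {                               /* long form: 0x80 | octet count */
        nLenBytes = in[idx++] & 0x7F;
        if (nLenBytes == 0 || nLenBytes > sizeof(size_t))
            return -1;                     /* indefinite or too wide */
        if (nLenBytes > inLen - idx || in[idx] == 0)
            return -1;                     /* truncated or padded length */
        for (i = 0; i < nLenBytes; i++)
            len = (len << 8) | in[idx++];
        if (len < 0x80)
            return -1;                     /* DER requires short form here */
    }
    if (len == 0 || len != inLen - idx)
        return -1;                         /* empty, truncated or trailing data */
    /* DER requires the minimal two's-complement encoding of the value. */
    if (len > 1 && ((in[idx] == 0x00 && (in[idx + 1] & 0x80) == 0) ||
                    (in[idx] == 0xFF && (in[idx + 1] & 0x80) != 0)))
        return -1;
    *content = in + idx;
    *contentLen = len;
    return 0;
}

int main(void)
{
    const unsigned char *p = NULL;
    size_t n = 0;
    int rc = der_integer_content(SAMPLE_SHORT, sizeof(SAMPLE_SHORT), &p, &n);
    printf("short: rc=%d len=%lu\n", rc, (unsigned long)n);
    rc = der_integer_content(SAMPLE_LONG, sizeof(SAMPLE_LONG), &p, &n);
    printf("long:  rc=%d len=%lu\n", rc, (unsigned long)n);
    return rc;
}
```

The returned content still includes a leading 0x00 sign octet when the value's top bit is set, so a caller comparing serial numbers has to treat that octet consistently.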

@padelsbach
Contributor Author

> Claude found a couple defects that look like true positives to me:

I addressed the top 3 issues (red and orange status) and the unused param one. I'll continue to work on the rest.

@padelsbach
Contributor Author

> > Claude found a couple defects that look like true positives to me:
>
> I addressed the top 3 issues (red and orange status) and the unused param one. I'll continue to work on the rest.

Pushed remaining updates, where applicable.

4 participants