diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 9c6c27074..7b30ceea1 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -6398,7 +6398,8 @@ WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header) } -WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output) +WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output, + int maxSnSz) { int i = 0; int snSzInt = (int)snSz; @@ -6412,18 +6413,27 @@ WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output) sn++; } + /* truncate if input is too long */ + if (snSzInt > maxSnSz) + snSzInt = maxSnSz; + /* encode ASN Integer, with length and value */ output[i++] = ASN_INTEGER; - i += SetLength(snSzInt, &output[i]); - XMEMCPY(&output[i], sn, snSzInt); - /* make sure number is positive */ - if (snSzInt > 0) { - /* clear MSB bit */ - output[i] &= ~0x80; - /* handle zero case... make 1 */ - if (output[i] == 0) - output[i] = 0x01; + /* handle MSB, to make sure value is positive */ + if (sn[0] & 0x80) { + /* make room for zero pad */ + if (snSzInt > maxSnSz-1) + snSzInt = maxSnSz-1; + + /* add zero pad */ + i += SetLength(snSzInt+1, &output[i]); + output[i++] = 0x00; + XMEMCPY(&output[i], sn, snSzInt); + } + else { + i += SetLength(snSzInt, &output[i]); + XMEMCPY(&output[i], sn, snSzInt); } /* compute final length */ @@ -8201,10 +8211,8 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, if (ret != 0) return ret; } - else if (cert->serialSz > CTC_SERIAL_SIZE) { - cert->serialSz = CTC_SERIAL_SIZE; - } - der->serialSz = SetSerialNumber(cert->serial, cert->serialSz, der->serial); + der->serialSz = SetSerialNumber(cert->serial, cert->serialSz, der->serial, + CTC_SERIAL_SIZE); if (der->serialSz < 0) return der->serialSz; @@ -11109,12 +11117,9 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) algoSz = SetAlgoID(SHAh, algoArray, oidHashType, 0); #endif - if (req->serialSz > EXTERNAL_SERIAL_SIZE) - req->serialSz = EXTERNAL_SERIAL_SIZE; - issuerSz = SetDigest(req->issuerHash, KEYID_SIZE, issuerArray); issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE, issuerKeyArray); - snSz = SetSerialNumber(req->serial, req->serialSz, snArray); + snSz = SetSerialNumber(req->serial, req->serialSz, snArray, MAX_SN_SZ); extSz = 0; if (snSz < 0) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 63c794ba7..a81ef77d1 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -993,7 +993,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) esd->contentInfoSeq); esd->issuerSnSz = SetSerialNumber(pkcs7->issuerSn, pkcs7->issuerSnSz, - esd->issuerSn); + esd->issuerSn, MAX_SN_SZ); signerInfoSz += esd->issuerSnSz; esd->issuerNameSz = SetSequence(pkcs7->issuerSz, esd->issuerName); signerInfoSz += esd->issuerNameSz + pkcs7->issuerSz; @@ -2576,7 +2576,7 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, #endif return -1; } - snSz = SetSerialNumber(decoded->serial, decoded->serialSz, serial); + snSz = SetSerialNumber(decoded->serial, decoded->serialSz, serial, MAX_SN_SZ); issuerSerialSeqSz = SetSequence(issuerSeqSz + issuerSz + snSz, issuerSerialSeq); diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 3ff5ea597..3aa95a424 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -804,7 +804,8 @@ WOLFSSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output); WOLFSSL_LOCAL word32 SetSet(word32 len, byte* output); WOLFSSL_LOCAL word32 SetAlgoID(int algoOID,byte* output,int type,int curveSz); WOLFSSL_LOCAL int SetMyVersion(word32 version, byte* output, int header); -WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output); +WOLFSSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output, + int maxSnSz); WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx, byte* serial, int* serialSz, word32 maxIdx); WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,