From e48f06bd53458c63bf23d7605c71b94ece268493 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner <douzzer@wolfssl.com>
Date: Thu, 18 Apr 2024 13:49:44 -0500
Subject: [PATCH] =?UTF-8?q?fixes=20for=20WOLFSSL=5FDUAL=5FALG=5FCERTS:=20"?=
 =?UTF-8?q?cannot=20take=20address=20of=20bit-field=20=E2=80=98altKeyType?=
 =?UTF-8?q?=E2=80=99"=20and=20"=E2=80=98altPrivateKeyType=E2=80=99"=20in?=
 =?UTF-8?q?=20ProcessBufferTryDecode(),=20"=E2=80=98heap=E2=80=99=20undecl?=
 =?UTF-8?q?ared"=20in=20ProcessBufferCertAltPublicKey(),=20"=E2=80=98consu?=
 =?UTF-8?q?med=E2=80=99=20undeclared"=20in=20ProcessFile(),=20"=E2=80=98ke?=
 =?UTF-8?q?ySz=E2=80=99=20undeclared"=20in=20wolfSSL=5FCTX=5Fuse=5FPrivate?=
 =?UTF-8?q?Key=5FId().?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/ssl_load.c     | 12 +++++++++---
 wolfssl/internal.h |  4 ++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/ssl_load.c b/src/ssl_load.c
index 7a0a7c99a..68d612b2a 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -1757,6 +1757,7 @@ static int ProcessBufferCertAltPublicKey(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
     DecodedCert* cert, int checkKeySz)
 {
     int ret = 0;
+    void* heap = WOLFSSL_HEAP(ctx, ssl);
     byte keyType = 0;
     int keySz = 0;
 #ifndef NO_RSA
@@ -2575,9 +2576,14 @@ int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, int type,
 #endif
 #ifdef WOLFSSL_DUAL_ALG_CERTS
         else if (type == PRIVATEKEY_TYPE) {
-            /* Load all other certificate types. */
+            /* When support for dual algorithm certificates is enabled, the
+             * private key file may contain both the primary and the
+             * alternative private key. Hence, we have to parse both of them.
+             */
+            long consumed = 0;
+
             ret = ProcessBuffer(ctx, content.buffer, sz, format, type, ssl,
-                NULL, userChain, verify);
+                &consumed, userChain, verify);
             if ((ret == 1) && (consumed < sz)) {
                 ret = ProcessBuffer(ctx, content.buffer + consumed,
                     sz - consumed, format, ALT_PRIVATEKEY_TYPE, ssl, NULL, 0,
@@ -3951,7 +3957,7 @@ int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id,
     #ifdef WOLFSSL_DUAL_ALG_CERTS
         /* Set the ID for the alternative key, too. User can still override that
          * afterwards. */
-        ret = wolfSSL_CTX_use_AltPrivateKey_id(ctx, id, sz, devId, keySz);
+        ret = wolfSSL_CTX_use_AltPrivateKey_Id(ctx, id, sz, devId);
     #endif
     }
 
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 4f1f43a6d..6b61cd575 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3585,7 +3585,7 @@ struct WOLFSSL_CTX {
 
 #ifdef WOLFSSL_DUAL_ALG_CERTS
     DerBuffer*  altPrivateKey;
-    byte        altPrivateKeyType:6;
+    byte        altPrivateKeyType;
     byte        altPrivateKeyId:1;
     byte        altPrivateKeyLabel:1;
     int         altPrivateKeySz;
@@ -4560,7 +4560,7 @@ typedef struct Buffers {
     int             keyDevId;              /* Device Id for key */
 #ifdef WOLFSSL_DUAL_ALG_CERTS
     DerBuffer*      altKey;                /* WOLFSSL_CTX owns, unless we own */
-    byte            altKeyType:6;          /* Type of alt key */
+    byte            altKeyType;            /* Type of alt key */
     byte            altKeyId:1;            /* Key data is an id not data */
     byte            altKeyLabel:1;         /* Key data is a label not data */
     int             altKeySz;              /* Size of alt key */