From 0cddbb25b22e5cf56bd15faaf9bfe340af34ea8a Mon Sep 17 00:00:00 2001 From: Josh Holtrop Date: Fri, 24 Apr 2026 09:16:01 -0400 Subject: [PATCH] Rust wrapper: check for NUL-terminated slice in ECC::rs_hex_to_sig Fixes F-3092 --- wrapper/rust/wolfssl-wolfcrypt/src/ecc.rs | 3 +++ .../rust/wolfssl-wolfcrypt/tests/test_ecc.rs | 21 +++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/wrapper/rust/wolfssl-wolfcrypt/src/ecc.rs b/wrapper/rust/wolfssl-wolfcrypt/src/ecc.rs index 4fc2cd8921..85ccc6fb3e 100644 --- a/wrapper/rust/wolfssl-wolfcrypt/src/ecc.rs +++ b/wrapper/rust/wolfssl-wolfcrypt/src/ecc.rs @@ -1219,6 +1219,9 @@ impl ECC { /// } /// ``` pub fn rs_hex_to_sig(r: &[u8], s: &[u8], dout: &mut [u8]) -> Result { + if r[r.len() - 1] != 0 || s[s.len() - 1] != 0 { + return Err(sys::wolfCrypt_ErrorCodes_BAD_FUNC_ARG); + } let mut dout_size = crate::buffer_len_to_u32(dout.len())?; let r_ptr = r.as_ptr() as *const core::ffi::c_char; let s_ptr = s.as_ptr() as *const core::ffi::c_char; diff --git a/wrapper/rust/wolfssl-wolfcrypt/tests/test_ecc.rs b/wrapper/rust/wolfssl-wolfcrypt/tests/test_ecc.rs index 82f5369fbe..34dd507c28 100644 --- a/wrapper/rust/wolfssl-wolfcrypt/tests/test_ecc.rs +++ b/wrapper/rust/wolfssl-wolfcrypt/tests/test_ecc.rs @@ -342,3 +342,24 @@ fn test_ecc_import() { ECC::import_raw(qx, qy, d, b"SECP256R1\0", None, None).expect("Error with import_raw()"); ECC::import_raw_ex(qx, qy, d, ECC::SECP256R1, None, None).expect("Error with import_raw_ex()"); } + +#[test] +fn test_ecc_rs_hex_to_sig_not_null_terminated() { + let r_hex = b"AABB\0"; + let s_hex = b"CCDD\0"; + let r_hex_no_nul = b"AABB"; + let s_hex_no_nul = b"CCDD"; + let mut sig_out = [0u8; 128]; + + // Both null-terminated should succeed + assert!(ECC::rs_hex_to_sig(r_hex, s_hex, &mut sig_out).is_ok()); + + // r not null-terminated should fail + assert!(ECC::rs_hex_to_sig(r_hex_no_nul, s_hex, &mut sig_out).is_err()); + + // s not null-terminated should fail + assert!(ECC::rs_hex_to_sig(r_hex, s_hex_no_nul, &mut sig_out).is_err()); + + // Both not null-terminated should fail + assert!(ECC::rs_hex_to_sig(r_hex_no_nul, s_hex_no_nul, &mut sig_out).is_err()); +}