add NULL validation to KDF APIs

This commit is contained in:
Jeremiah Mackey
2026-04-16 17:14:05 +00:00
parent 625ea89284
commit 3175c3387f
3 changed files with 40 additions and 5 deletions
+4
View File
@@ -1590,6 +1590,10 @@ int wolfSSL_GetHmacMaxSize(void)
const byte* localSalt; /* either points to user input or tmp */
word32 hashSz;
if (out == NULL || (inKey == NULL && inKeySz > 0)) {
return BAD_FUNC_ARG;
}
ret = wc_HmacSizeByType(type);
if (ret < 0) {
return ret;
+6 -4
View File
@@ -1009,7 +1009,8 @@ int wc_SRTP_KDF(const byte* key, word32 keySz, const byte* salt, word32 saltSz,
/* Validate parameters. */
if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
(saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24)) {
(saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
((kdrIdx >= 0) && (idx == NULL))) {
ret = BAD_FUNC_ARG;
}
@@ -1103,7 +1104,8 @@ int wc_SRTCP_KDF_ex(const byte* key, word32 keySz, const byte* salt, word32 salt
/* Validate parameters. */
if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
(saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24)) {
(saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
((kdrIdx >= 0) && (idx == NULL))) {
ret = BAD_FUNC_ARG;
}
@@ -1194,7 +1196,7 @@ int wc_SRTP_KDF_label(const byte* key, word32 keySz, const byte* salt,
/* Validate parameters. */
if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
(saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
(outKey == NULL)) {
(outKey == NULL) || ((kdrIdx >= 0) && (idx == NULL))) {
ret = BAD_FUNC_ARG;
}
@@ -1267,7 +1269,7 @@ int wc_SRTCP_KDF_label(const byte* key, word32 keySz, const byte* salt,
/* Validate parameters. */
if ((key == NULL) || (keySz > AES_256_KEY_SIZE) || (salt == NULL) ||
(saltSz > WC_SRTP_MAX_SALT) || (kdrIdx < -1) || (kdrIdx > 24) ||
(outKey == NULL)) {
(outKey == NULL) || ((kdrIdx >= 0) && (idx == NULL))) {
ret = BAD_FUNC_ARG;
}
+30 -1
View File
@@ -31466,7 +31466,18 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t hkdf_test(void)
#endif /* !NO_SHA256 */
#endif /* !NO_SHA || !NO_SHA256 */
return ret;
#ifndef NO_SHA256
/* wc_HKDF_Extract bad arg: NULL out */
ret = wc_HKDF_Extract(WC_SHA256, NULL, 0, ikm1, (word32)sizeof(ikm1), NULL);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
return WC_TEST_RET_ENC_EC(ret);
/* wc_HKDF_Extract bad arg: NULL inKey with non-zero inKeySz */
ret = wc_HKDF_Extract(WC_SHA256, NULL, 0, NULL, 5, okm1);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
return WC_TEST_RET_ENC_EC(ret);
#endif /* !NO_SHA256 */
return 0;
}
#endif /* HAVE_HKDF */
@@ -33402,6 +33413,24 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t srtpkdf_test(void)
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
/* kdrIdx >= 0 requires non-NULL idx. */
ret = wc_SRTP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
0, NULL, keyE, tv[i].keSz, keyA, tv[i].kaSz, keyS, tv[i].ksSz);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
ret = wc_SRTCP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
0, NULL, keyE, tv[i].keSz, keyA, tv[i].kaSz, keyS, tv[i].ksSz);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
ret = wc_SRTP_KDF_label(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
0, NULL, WC_SRTP_LABEL_ENCRYPTION, keyE, tv[i].keSz);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
ret = wc_SRTCP_KDF_label(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
0, NULL, WC_SRTCP_LABEL_ENCRYPTION, keyE, tv[i].keSz);
if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out);
ret = wc_SRTP_KDF(tv[i].key, tv[i].keySz, tv[i].salt, tv[i].saltSz,
tv[i].kdfIdx, tv[i].index, NULL, tv[i].keSz, keyA, tv[i].kaSz,
keyS, tv[i].ksSz);