diff --git a/tests/api/test_pkcs7.c b/tests/api/test_pkcs7.c index 662c94fb42..c110d27af6 100644 --- a/tests/api/test_pkcs7.c +++ b/tests/api/test_pkcs7.c @@ -2129,7 +2129,8 @@ int test_wc_PKCS7_DecodeEnvelopedData_stream(void) #ifdef NO_DES3 ExpectIntEQ(ret, ALGO_ID_E); #else - ExpectIntGT(ret, 0); + /* expecting the size of ca-cert.pem */ + ExpectIntEQ(ret, 5539); #endif } diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 54cfe00c5d..c529a098dd 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -12493,6 +12493,7 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in, } #endif + pkcs7->totalEncryptedContentSz = 0; wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_ENV_5); FALL_THROUGH; @@ -12628,6 +12629,10 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in, /* advance idx past encrypted content */ localIdx += (word32)encryptedContentSz; + /* keep track of total encrypted content size */ + pkcs7->totalEncryptedContentSz += + (word32)encryptedContentSz; + if (localIdx + ASN_INDEF_END_SZ <= pkiMsgSz) { if (pkiMsg[localIdx] == ASN_EOC && pkiMsg[localIdx+1] == ASN_EOC) { @@ -12673,6 +12678,8 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in, } else { pkcs7->cachedEncryptedContentSz = (word32)encryptedContentTotalSz; + pkcs7->totalEncryptedContentSz = + (word32)encryptedContentTotalSz; pkcs7->cachedEncryptedContent = (byte*)XMALLOC( pkcs7->cachedEncryptedContentSz, pkcs7->heap, DYNAMIC_TYPE_PKCS7); @@ -12734,7 +12741,7 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in, pkcs7->cachedEncryptedContentSz = 0; } - ret = encryptedContentSz - padLen; + ret = (int)pkcs7->totalEncryptedContentSz - padLen; #ifndef NO_PKCS7_STREAM pkcs7->stream->aad = NULL; pkcs7->stream->aadSz = 0; diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h index b65c442c6c..834d17fa5c 100644 --- a/wolfssl/wolfcrypt/pkcs7.h +++ b/wolfssl/wolfcrypt/pkcs7.h @@ -349,6 +349,7 @@ struct wc_PKCS7 { /* used by DecodeEnvelopedData with multiple encrypted contents */ byte* cachedEncryptedContent; word32 cachedEncryptedContentSz; + word32 totalEncryptedContentSz; /* track encrypted content across octets */ WC_BITFIELD contentCRLF:1; /* have content line endings been converted to CRLF */ WC_BITFIELD contentIsPkcs7Type:1; /* eContent follows PKCS#7 RFC not CMS */ WC_BITFIELD hashParamsAbsent:1;