diff --git a/src/ssl.c b/src/ssl.c
index 2124c8e4e..26de6b3f4 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -4839,7 +4839,8 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 return WOLFSSL_BAD_FILE;
 /* eat blank line */
- while (*newline == '\r' || *newline == '\n')
+ while (newline < bufferEnd &&
+ (*newline == '\r' || *newline == '\n'))
 newline++;
 headerEnd = newline;
@@ -4904,18 +4905,18 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
 #ifdef WOLFSSL_SMALL_STACK
 char* password = NULL;
 #else
- char password[80];
+ char password[NAME_SZ];
 #endif
 if (!info || !info->ctx || !info->ctx->passwd_cb)
 return WOLFSSL_BAD_FILE; /* no callback error */
 #ifdef WOLFSSL_SMALL_STACK
- password = (char*)XMALLOC(80, heap, DYNAMIC_TYPE_STRING);
+ password = (char*)XMALLOC(NAME_SZ, heap, DYNAMIC_TYPE_STRING);
 if (password == NULL)
 return MEMORY_E;
 #endif
- passwordSz = info->ctx->passwd_cb(password, sizeof(password), 0,
+ passwordSz = info->ctx->passwd_cb(password, NAME_SZ, 0,
 info->ctx->userdata);
 /* convert and adjust length */
 if (header == BEGIN_ENC_PRIV_KEY) {
@@ -5180,11 +5181,11 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 #ifdef WOLFSSL_SMALL_STACK
 char* password = NULL;
 #else
- char password[80];
+ char password[NAME_SZ];
 #endif
 #ifdef WOLFSSL_SMALL_STACK
- password = (char*)XMALLOC(80, heap, DYNAMIC_TYPE_STRING);
+ password = (char*)XMALLOC(NAME_SZ, heap, DYNAMIC_TYPE_STRING);
 if (password == NULL)
 ret = MEMORY_E;
 else
@@ -5193,7 +5194,7 @@ int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
 ret = NO_PASSWORD;
 }
 else {
- passwordSz = ctx->passwd_cb(password, sizeof(password),
+ passwordSz = ctx->passwd_cb(password, NAME_SZ,
 0, ctx->userdata);
 /* decrypt the key */
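Review bot: Once the loop exits because `newline` reached `bufferEnd`, the assignment `headerEnd = newline;` on the last hunk line leaves `headerEnd` pointing one past the buffer, so any later read through `headerEnd` (the rest of PemToDer is outside this hunk) needs its own bound check rather than relying on this loop. If such a check already follows, a comment on the assignment would make the invariant visible, e.g. `/* may equal bufferEnd when the PEM body is missing; re-check before dereferencing */`. `bufferEnd` is not declared in the hunk, so I am assuming it is the one-past-the-end pointer of `buff`.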
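Review bot: `passwordSz` receives whatever `info->ctx->passwd_cb` returns and the hunk ends before that value is consumed, so I cannot see whether a negative return or one larger than `NAME_SZ` is rejected; an OpenSSL-style callback may return either, and the decryption below would then run with an out-of-range length. A guard directly after the call, `if (passwordSz < 0 || passwordSz > NAME_SZ) return WOLFSSL_BAD_FILE;` (releasing the WOLFSSL_SMALL_STACK buffer first), closes that, and the same applies to the two ProcessBuffer hunks below, where the error would go into `ret` instead. Because the buffer holds a passphrase, the place where it is freed (outside the hunk) should clear it with `ForceZero` before `XFREE` if it does not already.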
@@ -31988,7 +31989,7 @@ void wolfSSL_OPENSSL_config(char *config_name)
 #endif
 #endif
-#ifdef WOLFSSL_NGINX
+#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c)
 {
 static int x509_idx = 0;
diff --git a/src/tls.c b/src/tls.c
index c6bf6cdc2..2fb8bd422 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -2618,6 +2618,10 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length,
 word16 size = 0; /* list size */
+ if (offset + OPAQUE16_LEN >= length) {
+ return BUFFER_E;
+ }
+
 ato16(input + offset, &request_length);
 offset += OPAQUE16_LEN;
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 926a9277e..beb5d53bd 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -3056,47 +3056,6 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
 #endif /* AES-CBC block */
 #endif /* HAVE_AES_CBC */
-#ifdef HAVE_AES_ECB
-#if defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
- /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
-#else
-
-/* software implementation */
-int wc_AesEcbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
-{
- word32 blocks = sz / AES_BLOCK_SIZE;
-
- if ((in == NULL) || (out == NULL) || (aes == NULL))
- return BAD_FUNC_ARG;
- while (blocks>0) {
- wc_AesEncryptDirect(aes, out, in);
- out += AES_BLOCK_SIZE;
- in += AES_BLOCK_SIZE;
- sz -= AES_BLOCK_SIZE;
- blocks--;
- }
- return 0;
-}
-
-
-int wc_AesEcbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
-{
- word32 blocks = sz / AES_BLOCK_SIZE;
-
- if ((in == NULL) || (out == NULL) || (aes == NULL))
- return BAD_FUNC_ARG;
- while (blocks>0) {
- wc_AesDecryptDirect(aes, out, in);
- out += AES_BLOCK_SIZE;
- in += AES_BLOCK_SIZE;
- sz -= AES_BLOCK_SIZE;
- blocks--;
- }
- return 0;
-}
-#endif
-#endif
-
 /* AES-CTR */
 #if defined(WOLFSSL_AES_COUNTER)
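Review bot: The new guard uses `>=`, so a message whose two-byte `request_length` field ends exactly at `length` is rejected along with a genuinely short one; that is only correct if an empty request list after the length field is itself invalid, and the hunk does not show whether the surrounding loop (the function starts and continues outside it) depends on that. A one-line comment would settle the intent: `/* need the 2-byte length plus at least one byte of request list */`. The value `ato16` stores in `request_length` is also peer-controlled and must be compared against `length - offset` before it bounds any further read, which I cannot verify from this hunk.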
@@ -8400,6 +8359,47 @@ int wc_AesGetKeySize(Aes* aes, word32* keySize)
 #endif /* !WOLFSSL_ARMASM */
 #endif /* !WOLFSSL_TI_CRYPT */
+#ifdef HAVE_AES_ECB
+#if defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
+ /* implemented in wolfcrypt/src/port/caam/caam_aes.c */
+#else
+
+/* software implementation */
+int wc_AesEcbEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+ word32 blocks = sz / AES_BLOCK_SIZE;
+
+ if ((in == NULL) || (out == NULL) || (aes == NULL))
+ return BAD_FUNC_ARG;
+ while (blocks>0) {
+ wc_AesEncryptDirect(aes, out, in);
+ out += AES_BLOCK_SIZE;
+ in += AES_BLOCK_SIZE;
+ sz -= AES_BLOCK_SIZE;
+ blocks--;
+ }
+ return 0;
+}
+
+
+int wc_AesEcbDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+{
+ word32 blocks = sz / AES_BLOCK_SIZE;
+
+ if ((in == NULL) || (out == NULL) || (aes == NULL))
+ return BAD_FUNC_ARG;
+ while (blocks>0) {
+ wc_AesDecryptDirect(aes, out, in);
+ out += AES_BLOCK_SIZE;
+ in += AES_BLOCK_SIZE;
+ sz -= AES_BLOCK_SIZE;
+ blocks--;
+ }
+ return 0;
+}
+#endif
+#endif /* HAVE_AES_ECB */
+
 #ifdef WOLFSSL_AES_CFB
 /* CFB 128
 *
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index f9c8589d1..e98816582 100755
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -2014,7 +2014,7 @@ WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
 return ASN_OBJECT_ID_E;
 /* could have NULL tag and 0 terminator, but may not */
- if (input[idx] == ASN_TAG_NULL) {
+ if (idx < maxIdx && input[idx] == ASN_TAG_NULL) {
 ret = GetASNNull(input, &idx, maxIdx);
 if (ret != 0)
 return ret;
@@ -3482,6 +3482,9 @@ int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
 return ASN_PARSE_E;
 /* Option NULL ASN.1 tag */
+ if (*inOutIdx >= inSz) {
+ return BUFFER_E;
+ }
 if (input[*inOutIdx] == ASN_TAG_NULL) {
 ret = GetASNNull(input, inOutIdx, inSz);
 if (ret != 0)
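Review bot: In both relocated functions the loop only covers `sz / AES_BLOCK_SIZE` whole blocks, so a trailing partial block is silently dropped and the caller gets no indication that fewer than `sz` bytes were processed; the `sz -= AES_BLOCK_SIZE;` inside each loop is a dead store, since `sz` is never read after `blocks` is computed. Either reject non-multiples up front, `if (sz % AES_BLOCK_SIZE != 0) return BAD_FUNC_ARG;`, or state the truncation in a header comment such as `/* processes sz / AES_BLOCK_SIZE whole blocks; trailing bytes are ignored */`, and drop the dead `sz -=` line in both. As this hunk only moves the code, the behaviour change would belong in its own commit.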
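Review bot: The new bound checks in this file treat running out of input differently: `GetAlgoId` folds `idx < maxIdx` into the condition and carries on as if the optional NULL were simply absent, while this hunk and the `GetName` hunk that follows return `BUFFER_E`. Failing here looks right if another element must follow the algorithm identifier in this structure, but the existing `/* Option NULL ASN.1 tag */` comment now sits above a check that is not about the optional NULL at all. A comment on the new `if`, such as `/* more data must follow, so end of input is an error rather than a missing optional NULL */`, would record why the two paths differ.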
@@ -4099,6 +4102,10 @@ static int GetName(DecodedCert* cert, int nameType)
 hash = cert->subjectHash;
 }
+ if (cert->srcIdx >= cert->maxIdx) {
+ return BUFFER_E;
+ }
+
 if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) {
 WOLFSSL_MSG("Trying optional prefix...");
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index f73468297..f511bdf27 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -2821,9 +2821,11 @@ static int wc_ecc_shared_secret_gen_sync(ecc_key* private_key, ecc_point* point,
 #endif
 #endif
 #ifdef WOLFSSL_SP_MATH
+ {
 err = WC_KEY_SIZE_E;
 (void)curve;
+ }
 #else
 {
 /* make new point */
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 32fe4139d..b27e0b51d 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -910,7 +910,9 @@ initDefaultName();
 printf( "mp test passed!\n");
 #endif
-#ifdef ASN_BER_TO_DER
+#if defined(ASN_BER_TO_DER) && \
+ (defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
+ defined(OPENSSL_EXTRA_X509_SMALL))
 if ( (ret = berder_test()) != 0)
 return err_sys("ber-der test failed!\n", ret);
 else
@@ -17692,7 +17694,10 @@ done:
 }
 #endif
-#ifdef ASN_BER_TO_DER
+#if defined(ASN_BER_TO_DER) && \
+ (defined(WOLFSSL_TEST_CERT) || defined(OPENSSL_EXTRA) || \
+ defined(OPENSSL_EXTRA_X509_SMALL))
+/* wc_BerToDer is only public facing in the case of test cert or opensslextra */
 typedef struct berDerTestData {
 const byte *in;
 word32 inSz;
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index 229550ef0..e30b203b6 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -823,7 +823,9 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
 #define ERR_LIB_PEM 9
 #define ERR_LIB_X509 10
-#ifdef WOLFSSL_NGINX
+#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
+ defined(WOLFSSL_MYSQL_COMPATIBLE)
+
 #include
 #define OPENSSL_STRING WOLFSSL_STRING