diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 231d250b6ed..183226193f6 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -7846,6 +7846,9 @@ word32 wc_EncodeRsaPssAlgoId(int hashOID, int saltLen, byte* out, word32 outSz) if (outSz < outerSz) { idx = 0; goto pss_algoid_done; } + if (hashAlgSz > RSA_PSS_ALGOID_TMPBUF_SZ) { + idx = 0; goto pss_algoid_done; + } { word32 idPart = (word32)SetObjectId((int)rsapssOidSz, NULL) + rsapssOidSz; @@ -11376,8 +11379,7 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz, if (ret != 0) { /* Didn't work - try whole SubjectKeyInfo instead. Reset index * to caller's start since the previous attempt advanced it. */ - if (inOutIdx != NULL) - *inOutIdx = startIdx; + *inOutIdx = startIdx; #ifdef WC_RSA_PSS /* Could be RSA or RSA PSS key. */ GetASN_OID(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID], oidKeyType); @@ -27618,6 +27620,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, #ifdef OPENSSL_EXTRA char beginBuf[PEM_LINE_LEN + 1]; /* add 1 for null terminator */ char endBuf[PEM_LINE_LEN + 1]; /* add 1 for null terminator */ + int origType = type; #endif #ifdef WOLFSSL_ENCRYPTED_KEYS int hashType = WC_HASH_TYPE_NONE; @@ -27740,9 +27743,9 @@ int PemToDer(const unsigned char* buff, long longSz, int type, if (!headerEnd) { #ifdef OPENSSL_EXTRA - if (type == PRIVATEKEY_TYPE + if (origType == PRIVATEKEY_TYPE #ifdef WOLFSSL_DUAL_ALG_CERTS - || type == ALT_PRIVATEKEY_TYPE + || origType == ALT_PRIVATEKEY_TYPE #endif ) { /* see if there is a -----BEGIN * PRIVATE KEY----- header */ @@ -42214,6 +42217,7 @@ static int EncodeCrlSerial(const byte* sn, word32 snSz, byte* output, */ static word32 EncodeRevokedCert(byte* output, const RevokedCert* rc) { + int tmpSnSz; word32 idx = 0; word32 snSz, dateSz, seqSz; byte snBuf[MAX_SN_SZ]; @@ -42221,10 +42225,11 @@ static word32 EncodeRevokedCert(byte* output, const RevokedCert* rc) byte seqBuf[MAX_SEQ_SZ]; /* Encode serial number */ - snSz = (word32)EncodeCrlSerial(rc->serialNumber, (word32)rc->serialSz, + tmpSnSz = EncodeCrlSerial(rc->serialNumber, (word32)rc->serialSz, snBuf, sizeof(snBuf)); - if ((int)snSz < 0) + if (tmpSnSz < 0) return 0; + snSz = (word32)tmpSnSz; /* Encode revocation date */ dateSz = EncodeCrlDate(dateBuf, rc->revDate, rc->revDateFormat); @@ -42255,6 +42260,7 @@ static word32 EncodeRevokedCert(byte* output, const RevokedCert* rc) static word32 EncodeCrlNumberExt(byte* output, const byte* crlNum, word32 crlNumSz) { + int tmpIntSz; word32 idx = 0; word32 oidSz, intSz, octetSz, seqSz; byte seqBuf[MAX_SEQ_SZ]; @@ -42266,9 +42272,10 @@ static word32 EncodeCrlNumberExt(byte* output, const byte* crlNum, oidSz = sizeof(crlNumOid); /* Encode the INTEGER for CRL number */ - intSz = (word32)EncodeCrlSerial(crlNum, crlNumSz, intBuf, sizeof(intBuf)); - if ((int)intSz < 0) + tmpIntSz = EncodeCrlSerial(crlNum, crlNumSz, intBuf, sizeof(intBuf)); + if (tmpIntSz < 0) return 0; + intSz = (word32)tmpIntSz; /* Wrap INTEGER in OCTET STRING */ octetSz = SetOctetString(intSz, octetBuf); diff --git a/wolfcrypt/src/hpke.c b/wolfcrypt/src/hpke.c index e7b15db0a44..8879079f649 100644 --- a/wolfcrypt/src/hpke.c +++ b/wolfcrypt/src/hpke.c @@ -101,13 +101,12 @@ static int I2OSP(int n, int w, byte* out) { int i; - if (w <= 0 || w > 32) { + if (w <= 0 || w > 32 || n < 0) { return MP_VAL; } /* if width is less than int max check that n is less than w bytes max */ - /* if width is greater than int max check that n is less than int max */ - if ((w < 4 && n > ((1 << (w * 8)) - 1)) || (w >= 4 && n > 0x7fffffff)) { + if (w < 4 && n > ((1 << (w * 8)) - 1)) { return MP_VAL; }