From 7a8550c2172a61c4aebc6f004e89b482602d3a79 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Tue, 24 Feb 2026 14:31:46 -0700 Subject: [PATCH 1/5] compare to original type when searching private key headers, prevent deadcode when WOLF_PRIVATE_KEY_ID enabled --- wolfcrypt/src/asn.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 231d250b6ed..7ace4c5b6d1 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -27618,6 +27618,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, #ifdef OPENSSL_EXTRA char beginBuf[PEM_LINE_LEN + 1]; /* add 1 for null terminator */ char endBuf[PEM_LINE_LEN + 1]; /* add 1 for null terminator */ + int origType = type; #endif #ifdef WOLFSSL_ENCRYPTED_KEYS int hashType = WC_HASH_TYPE_NONE; @@ -27740,9 +27741,9 @@ int PemToDer(const unsigned char* buff, long longSz, int type, if (!headerEnd) { #ifdef OPENSSL_EXTRA - if (type == PRIVATEKEY_TYPE + if (origType == PRIVATEKEY_TYPE #ifdef WOLFSSL_DUAL_ALG_CERTS - || type == ALT_PRIVATEKEY_TYPE + || origType == ALT_PRIVATEKEY_TYPE #endif ) { /* see if there is a -----BEGIN * PRIVATE KEY----- header */ From 5c257e15bbac83560f1b9f2f29534c37d7bc2452 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Thu, 26 Feb 2026 14:55:31 -0700 Subject: [PATCH 2/5] remove redundant NULL check --- wolfcrypt/src/asn.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 7ace4c5b6d1..af1a2ef9172 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -11376,8 +11376,7 @@ int wc_RsaPublicKeyDecode_ex(const byte* input, word32* inOutIdx, word32 inSz, if (ret != 0) { /* Didn't work - try whole SubjectKeyInfo instead. Reset index * to caller's start since the previous attempt advanced it. */ - if (inOutIdx != NULL) - *inOutIdx = startIdx; + *inOutIdx = startIdx; #ifdef WC_RSA_PSS /* Could be RSA or RSA PSS key. */ GetASN_OID(&dataASN[RSAPUBLICKEYASN_IDX_ALGOID_OID], oidKeyType); From d6c8e7bced1414362b1720985dc2c0a619f429aa Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Thu, 26 Feb 2026 17:13:48 -0700 Subject: [PATCH 3/5] add tmp variable to satisfy coverity before casting and assigning to word32 variable --- wolfcrypt/src/asn.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index af1a2ef9172..e1db2270801 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -42214,6 +42214,7 @@ static int EncodeCrlSerial(const byte* sn, word32 snSz, byte* output, */ static word32 EncodeRevokedCert(byte* output, const RevokedCert* rc) { + int tmpSnSz; word32 idx = 0; word32 snSz, dateSz, seqSz; byte snBuf[MAX_SN_SZ]; @@ -42221,10 +42222,11 @@ static word32 EncodeRevokedCert(byte* output, const RevokedCert* rc) byte seqBuf[MAX_SEQ_SZ]; /* Encode serial number */ - snSz = (word32)EncodeCrlSerial(rc->serialNumber, (word32)rc->serialSz, + tmpSnSz = EncodeCrlSerial(rc->serialNumber, (word32)rc->serialSz, snBuf, sizeof(snBuf)); - if ((int)snSz < 0) + if (tmpSnSz < 0) return 0; + snSz = (word32)tmpSnSz; /* Encode revocation date */ dateSz = EncodeCrlDate(dateBuf, rc->revDate, rc->revDateFormat); @@ -42255,6 +42257,7 @@ static word32 EncodeRevokedCert(byte* output, const RevokedCert* rc) static word32 EncodeCrlNumberExt(byte* output, const byte* crlNum, word32 crlNumSz) { + int tmpIntSz; word32 idx = 0; word32 oidSz, intSz, octetSz, seqSz; byte seqBuf[MAX_SEQ_SZ]; @@ -42266,9 +42269,10 @@ static word32 EncodeCrlNumberExt(byte* output, const byte* crlNum, oidSz = sizeof(crlNumOid); /* Encode the INTEGER for CRL number */ - intSz = (word32)EncodeCrlSerial(crlNum, crlNumSz, intBuf, sizeof(intBuf)); - if ((int)intSz < 0) + tmpIntSz = EncodeCrlSerial(crlNum, crlNumSz, intBuf, sizeof(intBuf)); + if (tmpIntSz < 0) return 0; + intSz = (word32)tmpIntSz; /* Wrap INTEGER in OCTET STRING */ octetSz = SetOctetString(intSz, octetBuf); From 0ef8541b73c5a063027ab5064d74268dae986573 Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Mon, 2 Mar 2026 14:39:58 -0700 Subject: [PATCH 4/5] validate hashAlgSz is within bounds before calling XMEMCPY --- wolfcrypt/src/asn.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e1db2270801..183226193f6 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -7846,6 +7846,9 @@ word32 wc_EncodeRsaPssAlgoId(int hashOID, int saltLen, byte* out, word32 outSz) if (outSz < outerSz) { idx = 0; goto pss_algoid_done; } + if (hashAlgSz > RSA_PSS_ALGOID_TMPBUF_SZ) { + idx = 0; goto pss_algoid_done; + } { word32 idPart = (word32)SetObjectId((int)rsapssOidSz, NULL) + rsapssOidSz; From 682901e32e7d1b58ab46aa0ea119aaee28da2a8a Mon Sep 17 00:00:00 2001 From: Ruby Martin Date: Tue, 3 Mar 2026 09:00:45 -0700 Subject: [PATCH 5/5] return MP_VAL if n < 0. remove check for max int value remove comment --- wolfcrypt/src/hpke.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/wolfcrypt/src/hpke.c b/wolfcrypt/src/hpke.c index e7b15db0a44..8879079f649 100644 --- a/wolfcrypt/src/hpke.c +++ b/wolfcrypt/src/hpke.c @@ -101,13 +101,12 @@ static int I2OSP(int n, int w, byte* out) { int i; - if (w <= 0 || w > 32) { + if (w <= 0 || w > 32 || n < 0) { return MP_VAL; } /* if width is less than int max check that n is less than w bytes max */ - /* if width is greater than int max check that n is less than int max */ - if ((w < 4 && n > ((1 << (w * 8)) - 1)) || (w >= 4 && n > 0x7fffffff)) { + if (w < 4 && n > ((1 << (w * 8)) - 1)) { return MP_VAL; }