Use char instead of sword8, sanity length check on CKA_VALUE

2024-12-09 16:09:04 -08:00 · 2024-12-09 16:09:04 -08:00 · 0c20a20acc
parent 0cda59e00e
commit 0c20a20acc
4 changed files with 11 additions and 6 deletions
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@ -4163,8 +4163,8 @@ static int wolfSSL_CTX_use_certificate_ex(WOLFSSL_CTX* ctx,
        labelLen = (word32)XSTRLEN(label);
    }

-    ret = wc_CryptoCb_GetCert(devId, (const sword8 *)label,
-        labelLen, id, idLen, &certData, &certDataLen, &certFormat, ctx->heap);
+    ret = wc_CryptoCb_GetCert(devId, label, labelLen, id, idLen,
+        &certData, &certDataLen, &certFormat, ctx->heap);
    if (ret != 0) {
        ret = WOLFSSL_FAILURE;
        goto exit;
--- a/wolfcrypt/src/cryptocb.c
+++ b/wolfcrypt/src/cryptocb.c
@ -1801,7 +1801,7 @@ int wc_CryptoCb_RandomSeed(OS_Seed* os, byte* seed, word32 sz)
 #endif /* !WC_NO_RNG */

 #ifndef NO_CERTS
-int wc_CryptoCb_GetCert(int devId, const sword8 *label, word32 labelLen,
+int wc_CryptoCb_GetCert(int devId, const char *label, word32 labelLen,
                        const byte *id, word32 idLen, byte** out,
                        word32* outSz, int *format, void *heap)
 {
--- a/wolfcrypt/src/wc_pkcs11.c
+++ b/wolfcrypt/src/wc_pkcs11.c
@ -4021,6 +4021,11 @@ static int Pkcs11GetCert(Pkcs11Session* session, wc_CryptoInfo* info) {
        goto exit;
    }

+    if (tmpl[0].ulValueLen <= 0) {
+        ret = WC_HW_E;
+        goto exit;
+    }
+
    certData = (byte *)XMALLOC(
        (int)tmpl[0].ulValueLen, info->cert.heap, DYNAMIC_TYPE_CERT);
    if (certData == NULL) {
@ -4051,7 +4056,7 @@ exit:
    return ret;
 }

-#endif /* ifndef NO_CERTS */
+#endif /* !NO_CERTS */

 /**
 * Perform a cryptographic operation using PKCS#11 device.
--- a/wolfssl/wolfcrypt/cryptocb.h
+++ b/wolfssl/wolfcrypt/cryptocb.h
@ -452,7 +452,7 @@ typedef struct wc_CryptoInfo {
    struct {
        const byte *id;
        word32 idLen;
-        const sword8 *label;
+        const char *label;
        word32 labelLen;
        byte **certDataOut;
        word32 *certSz;
@ -670,7 +670,7 @@ WOLFSSL_LOCAL int wc_CryptoCb_Cmac(Cmac* cmac, const byte* key, word32 keySz,
 #endif

 #ifndef NO_CERTS
-WOLFSSL_LOCAL int wc_CryptoCb_GetCert(int devId, const sword8 *label,
+WOLFSSL_LOCAL int wc_CryptoCb_GetCert(int devId, const char *label,
    word32 labelLen, const byte *id, word32 idLen, byte** out,
    word32* outSz, int *format, void *heap);
 #endif