From 59c14cdc6c23a12434bad2bcb82ca3b78728b686 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 4 Feb 2026 15:24:13 -0700 Subject: [PATCH 1/6] Allow setting SetLength and SetSequence to public APIs by adding them to ASN APIs. --- wolfssl/wolfcrypt/asn.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 3953e323ee..661aa97a1e 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2485,11 +2485,11 @@ WOLFSSL_LOCAL word32 SetASNImplicit(byte tag,byte number, word32 len, WOLFSSL_LOCAL word32 SetASNExplicit(byte number, word32 len, byte* output); WOLFSSL_LOCAL word32 SetASNSet(word32 len, byte* output); -WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output); +WOLFSSL_ASN_API word32 SetLength(word32 length, byte* output); WOLFSSL_LOCAL word32 SetLengthEx(word32 length, byte* output, byte isIndef); WOLFSSL_LOCAL word32 SetHeader(byte tag, word32 len, byte* output, byte isIndef); -WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output); +WOLFSSL_ASN_API word32 SetSequence(word32 len, byte* output); WOLFSSL_LOCAL word32 SetSequenceEx(word32 len, byte* output, byte isIndef); WOLFSSL_LOCAL word32 SetIndefEnd(byte* output); WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output); From f94489b66d39b817c4a9701edaa5d58879b2e29a Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 4 Feb 2026 15:25:03 -0700 Subject: [PATCH 2/6] Fix issues in documentation of wc_LoadStaticMemory's return code. --- doc/dox_comments/header_files/memory.h | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/dox_comments/header_files/memory.h b/doc/dox_comments/header_files/memory.h index fe18397db1..b5430758a3 100644 --- a/doc/dox_comments/header_files/memory.h +++ b/doc/dox_comments/header_files/memory.h 
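Review bot: `SetLength` and `SetSequence` write through `output` with no capacity argument, and exporting them with `WOLFSSL_ASN_API` passes that sizing obligation to callers outside the library, yet neither declaration has a comment saying how many bytes may be written. A short comment above each would cover it, e.g. `/* Writes the DER length of 'length' to output and returns the number of bytes used; the caller must provide room for the longest encoding. */`. It should name the project's maximum-size constant if one exists, and say whether a NULL `output` is accepted for size calculation. The definitions are not visible in this hunk, so confirm both details against asn.c before documenting them.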
@@ -376,7 +376,8 @@ int wolfSSL_is_static_memory(WOLFSSL* ssl, WOLFSSL_MEM_CONN_STATS* mem_stats); buffers to themselves for their lifetime. WOLFMEM_TRACK_STATS - each SSL keeps track of memory stats while running - \return none This function does not return a value. + \return Returns 0 on success. + \return Returns a non-zero integer on failure. \param pHint WOLFSSL_HEAP_HINT structure to use \param buf memory to use for all operations. @@ -396,7 +397,7 @@ int wolfSSL_is_static_memory(WOLFSSL* ssl, WOLFSSL_MEM_CONN_STATS* mem_stats); // load in memory for use ret = wc_LoadStaticMemory(&hint, memory, memorySz, flag, 0); - if (ret != SSL_SUCCESS) { + if (ret) { // handle error case } ... @@ -419,7 +420,8 @@ int wc_LoadStaticMemory(WOLFSSL_HEAP_HINT** pHint, unsigned char* buf, into functions. This extended version allows for custom bucket sizes and distributions instead of using the default predefined sizes. - \return none This function does not return a value. + \return Returns 0 on success. + \return Returns a non-zero integer on failure. \param pHint WOLFSSL_HEAP_HINT handle to initialize \param listSz number of entries in the size and distribution lists @@ -447,7 +449,7 @@ int wc_LoadStaticMemory(WOLFSSL_HEAP_HINT** pHint, unsigned char* buf, ret = wc_LoadStaticMemory_ex(&hint, listSz, sizeList, distList, memory, memorySz, flag, 0); - if (ret != SSL_SUCCESS) { + if (ret) { // handle error case } ... From 4bb464828285eb2ca2f4e1c9975074ff64ea82e1 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 4 Feb 2026 15:33:15 -0700 Subject: [PATCH 3/6] Ensure lru_count does not overflow. --- wolfcrypt/src/ecc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index da309eb2ab..c34e140d6b 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c 
@@ -13214,7 +13214,7 @@ int ecc_mul2add(ecc_point* A, mp_int* kA, err = add_entry(idx1, A); } } - if (err == MP_OKAY && idx1 != -1) { + if (err == MP_OKAY && idx1 != -1 && fp_cache[idx1].lru_count < (INT_MAX-1)) { /* increment LRU */ ++(fp_cache[idx1].lru_count); } @@ -13231,7 +13231,7 @@ int ecc_mul2add(ecc_point* A, mp_int* kA, } } - if (err == MP_OKAY && idx2 != -1) { + if (err == MP_OKAY && idx2 != -1 && fp_cache[idx2].lru_count < (INT_MAX-1)) { /* increment LRU */ ++(fp_cache[idx2].lru_count); } @@ -13368,7 +13368,7 @@ int wc_ecc_mulmod_ex(const mp_int* k, ecc_point *G, ecc_point *R, mp_int* a, if (idx >= 0) err = add_entry(idx, G); } - if (err == MP_OKAY && idx >= 0) { + if (err == MP_OKAY && idx >= 0 && fp_cache[idx].lru_count < (INT_MAX-1)) { /* increment LRU */ ++(fp_cache[idx].lru_count); } @@ -13539,7 +13539,7 @@ int wc_ecc_mulmod_ex2(const mp_int* k, ecc_point *G, ecc_point *R, mp_int* a, if (idx >= 0) err = add_entry(idx, G); } - if (err == MP_OKAY && idx >= 0) { + if (err == MP_OKAY && idx >= 0 && fp_cache[idx].lru_count < (INT_MAX-1)) { /* increment LRU */ ++(fp_cache[idx].lru_count); } From 1e770e1a0fc527927eb10a9622e6ebefbfcb8140 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 4 Feb 2026 15:40:30 -0700 Subject: [PATCH 4/6] Send decode_error alert rather than illegal_parameter when receiving an empty/malformed keyshare extension. Fixes #9640. --- src/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tls.c b/src/tls.c index 7d7dcea86c..843d16f461 100644 --- a/src/tls.c +++ b/src/tls.c @@ -9894,7 +9894,7 @@ static int TLSX_KeyShareEntry_Parse(const WOLFSSL* ssl, const byte* input, ato16(&input[offset], &keLen); offset += OPAQUE16_LEN; if (keLen == 0) - return INVALID_PARAMETER; + return BUFFER_ERROR; if (keLen > length - offset) return BUFFER_ERROR; From eae22ab37df7c89d6fca420d2d7c2bebf63b0d98 Mon Sep 17 00:00:00 2001 
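Review bot: The bound `fp_cache[idx1].lru_count < (INT_MAX-1)` is open-coded at all four increment sites (two in ecc_mul2add, one each in wc_ecc_mulmod_ex and wc_ecc_mulmod_ex2), which pushes each condition past 80 columns and lets the sites drift apart later. A small file-local helper (the name below is only a suggestion) would keep the saturation rule in one place and leave the existing `if` conditions as they were. The bound also assumes `lru_count` is an `int` and that `<limits.h>` is reachable from ecc.c; neither is visible in these hunks, so both should be confirmed. All four enclosing functions start and end outside the hunks.

```c
/* Bump an entry's LRU counter, saturating so the signed count cannot
 * overflow. */
static void fp_lru_bump(int idx)
{
    if (fp_cache[idx].lru_count < (INT_MAX-1)) {
        ++(fp_cache[idx].lru_count);
    }
}

/* … unchanged: cache lookup and add_entry() in ecc_mul2add … */
    if (err == MP_OKAY && idx1 != -1) {
        /* increment LRU */
        fp_lru_bump(idx1);
    }
/* … same body at the idx2, wc_ecc_mulmod_ex and wc_ecc_mulmod_ex2 sites … */
```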
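Review bot: The zero-length check and the over-length check directly below it now return the same `BUFFER_ERROR`, so the code no longer shows why an empty key_exchange is treated as a decode problem rather than a bad parameter. Either merge them, `if (keLen == 0 || keLen > length - offset) return BUFFER_ERROR;`, or keep the separate check with a comment such as `/* key_exchange is opaque<1..2^16-1>: empty is a decode error */`. The mapping from `BUFFER_ERROR` to the decode_error alert lies outside this hunk, so a regression test that feeds an empty key share entry and checks the resulting alert would pin the behaviour the commit message promises. TLSX_KeyShareEntry_Parse starts and ends outside the hunk.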
From: Kareem Date: Wed, 4 Feb 2026 15:43:54 -0700 Subject: [PATCH 5/6] Send illegal_parameter alert rather than handshake_failure when the server tries to use a cipher suite that the client does not support. Fixes #9639. --- src/tls13.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tls13.c b/src/tls13.c index 5b0f098507..b9e06896f9 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -5497,8 +5497,8 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, suite[1] = ssl->options.cipherSuite; if (!FindSuiteSSL(ssl, suite)) { WOLFSSL_MSG("Cipher suite not supported on client"); - WOLFSSL_ERROR_VERBOSE(MATCH_SUITE_ERROR); - return MATCH_SUITE_ERROR; + WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); + return INVALID_PARAMETER; } #if defined(HAVE_ECH) From a429eb719114610d93150a327acedf56194c70ce Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 4 Feb 2026 16:39:29 -0700 Subject: [PATCH 6/6] Add prefix for SetLength/Sequence when WOLFSSL_API_PREFIX_MAP is defined. --- wolfssl/wolfcrypt/asn.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 661aa97a1e..577468173d 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2226,6 +2226,8 @@ typedef enum MimeStatus #define GetShortInt wc_GetShortInt #define SetShortInt wc_SetShortInt #define GetLength wc_GetLength + #define SetLength wc_SetLength + #define SetSequence wc_SetSequence #define GetASNInt wc_GetASNInt #define GetASNTag wc_GetASNTag #define SetAlgoID wc_SetAlgoID
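Review bot: Returning `INVALID_PARAMETER` in place of `MATCH_SUITE_ERROR` changes the error code the client application gets back for this failure, not only the alert on the wire. A caller or log pipeline that recognised a suite mismatch by `MATCH_SUITE_ERROR` now sees a generic code, with only the `WOLFSSL_MSG` text left to identify the cause. If the alert is derived from the return code elsewhere (not visible in this hunk), it is worth checking whether that site could select illegal_parameter while this function keeps the specific code. Failing that, record the reason at the return with a comment such as `/* RFC 8446 4.1.3: suite not offered by client -> illegal_parameter */`. DoTls13ServerHello continues outside the hunk.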