Merge pull request #10095 from douzzer/20260327-sanitizer-and-fixes-and-tls12_kdf_test-gating

lealem47 · web-flow · commit b7e7e7555f0f · 2026-03-27T17:52:37.000-06:00
20260327-sanitizer-and-tls12_kdf_test-gating-fixes
diff --git a/src/conf.c b/src/conf.c
@@ -98,7 +98,7 @@ WOLFSSL_TXT_DB *wolfSSL_TXT_DB_read(WOLFSSL_BIO *in, int num)
         if (*idx == '#')
             continue;
         *lineEnd = '\0';
-        strBuf = (char*)XMALLOC(fieldsSz + lineEnd - idx + 1, NULL,
+        strBuf = (char*)XMALLOC(fieldsSz + (lineEnd - idx) + 1, NULL,
                                 DYNAMIC_TYPE_OPENSSL);
         if (!strBuf) {
             WOLFSSL_MSG("malloc error");
diff --git a/src/ssl.c b/src/ssl.c
@@ -11746,17 +11746,23 @@ int wolfSSL_OCSP_parse_url(const char* url, char** host, char** port,
         if (upath != NULL && uport >= upath)
             goto err;
         XFREE(*port, NULL, DYNAMIC_TYPE_OPENSSL);
-        *port = CopyString(uport, upath != NULL ? (int)(upath - uport) : -1,
-                           NULL, DYNAMIC_TYPE_OPENSSL);
+        if (upath)
+            *port = CopyString(uport, (int)(upath - uport), NULL,
+                               DYNAMIC_TYPE_OPENSSL);
+        else
+            *port = CopyString(uport, -1, NULL, DYNAMIC_TYPE_OPENSSL);
         if (*port == NULL)
             goto err;
         hostEnd = uport - 1;
     }
     else
         hostEnd = upath;
 
-    *host = CopyString(u, hostEnd != NULL ? (int)(hostEnd - u) : -1, NULL,
-                       DYNAMIC_TYPE_OPENSSL);
+    if (hostEnd)
+        *host = CopyString(u, (int)(hostEnd - u), NULL, DYNAMIC_TYPE_OPENSSL);
+    else
+        *host = CopyString(u, -1, NULL, DYNAMIC_TYPE_OPENSSL);
+
     if (*host == NULL)
         goto err;
 
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -21339,11 +21339,9 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
         ret = BAD_FUNC_ARG;
     }
 
-    ALLOC_ASNGETDATA(dataASN, x509CertASN_Length, ret, heap);
+    CALLOC_ASNGETDATA(dataASN, x509CertASN_Length, ret, heap);
 
     if ((ret == 0) && (!req)) {
-        /* Clear dynamic data for certificate items. */
-        XMEMSET(dataASN, 0, sizeof(ASNGetData) * x509CertASN_Length);
         /* Set OID types expected for signature and public key. */
         GetASN_OID(&dataASN[X509CERTASN_IDX_TBS_ALGOID_OID], oidSigType);
         GetASN_OID(&dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_ALGO_OID],
@@ -21406,8 +21404,6 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
 #ifndef WOLFSSL_CERT_REQ
         ret = NOT_COMPILED_IN;
 #else
-        /* Clear dynamic data for certificate request items. */
-        XMEMSET(dataASN, 0, sizeof(ASNGetData) * certReqASN_Length);
         /* Set OID types expected for signature and public key. */
         GetASN_OID(&dataASN[CERTREQASN_IDX_INFO_SPUBKEYINFO_ALGOID_OID],
                 oidKeyType);
@@ -21417,6 +21413,7 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
         /* Parse certificate request. */
         ret = GetASN_Items(certReqASN, dataASN, certReqASN_Length, 1, cert,
                            &idx, certSz);
+
         if (ret == 0) {
             /* Store the data for verification in the certificate. */
             tbs = GetASNItem_Addr(dataASN[CERTREQASN_IDX_INFO_SEQ], cert);
@@ -21427,11 +21424,14 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
                     dataASN[CERTREQASN_IDX_INFO_SUBJ_SEQ], cert);
             sigOID = dataASN[CERTREQASN_IDX_INFO_SIGALGO_OID].data.oid.sum;
         #ifdef WC_RSA_PSS
-            sigParams = GetASNItem_Addr(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS],
-                cert);
-            sigParamsSz =
-                GetASNItem_Length(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS],
-                    cert);
+            if (GetASNItem_HaveData(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS])) {
+                sigParams =
+                    GetASNItem_Addr(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS],
+                        cert);
+                sigParamsSz =
+                    GetASNItem_Length(dataASN[X509CERTASN_IDX_SIGALGO_PARAMS],
+                        cert);
+            }
         #endif
             GetASN_GetConstRef(&dataASN[CERTREQASN_IDX_INFO_SIGNATURE], &sig,
                     &sigSz);
@@ -34360,7 +34360,7 @@ int ParseCRL(RevokedCert* rcert, DecodedCRL* dcrl, const byte* buff, word32 sz,
             GetASNItem_DataIdx(dataASN[CRLASN_IDX_TBS_REVOKEDCERTS], buff),
             GetASNItem_EndIdx(dataASN[CRLASN_IDX_TBS_REVOKEDCERTS], buff));
     }
-    if (ret == 0) {
+    if ((ret == 0) && GetASNItem_HaveIdx(dataASN[CRLASN_IDX_TBS_EXT_SEQ])) {
         /* Parse the extensions - starting after SEQUENCE OF. */
         ret = ParseCRL_Extensions(dcrl, buff,
             GetASNItem_DataIdx(dataASN[CRLASN_IDX_TBS_EXT_SEQ], buff),
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
@@ -651,6 +651,9 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType);
     ((dataASN).length + (word32)((dataASN).data.buffer.data - (in)) -  \
                                                      (dataASN).offset)
 
+#define GetASNItem_HaveData(dataASN)                                   \
+   ((dataASN).data.buffer.data != NULL)
+
 /* Get the index of a BER item's data.
  *
  * @param [in] dataASN  Dynamic ASN data item.
@@ -660,6 +663,9 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType);
 #define GetASNItem_DataIdx(dataASN, in)                                \
     (word32)((dataASN).data.ref.data - (in))
 
+#define GetASNItem_HaveIdx(dataASN)                                    \
+    ((dataASN).data.ref.data != NULL)
+
 /* Get the end index of a BER item - index of the start of the next item.
  *
  * @param [in] dataASN  Dynamic ASN data item.
diff --git a/wolfssl/wolfcrypt/coding.h b/wolfssl/wolfcrypt/coding.h
@@ -76,15 +76,6 @@ WOLFSSL_API int Base64_Decode_nonCT(const byte* in, word32 inLen, byte* out,
                                   word32* outLen);
 #endif
 
-#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
-    defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) || \
-    defined(HAVE_ECC_CDH) || defined(HAVE_SELFTEST) || \
-    defined(WOLFSSL_ENCRYPTED_KEYS)
-    #ifndef WOLFSSL_BASE16
-        #define WOLFSSL_BASE16
-    #endif
-#endif
-
 #ifdef WOLFSSL_BASE16
     #ifdef WOLFSSL_API_PREFIX_MAP
         #define Base16_Decode wc_Base16_Decode
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
@@ -4316,8 +4316,14 @@ extern void uITRON4_free(void *p) ;
     #define WOLFSSL_BASE64_DECODE
 #endif
 
-#if defined(WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE) && !defined(WOLFSSL_BASE16)
-    #define WOLFSSL_BASE16
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(HAVE_WEBSERVER) || defined(HAVE_FIPS) || \
+    defined(HAVE_ECC_CDH) || defined(HAVE_SELFTEST) || \
+    defined(WOLFCRYPT_FIPS_CORE_DYNAMIC_HASH_VALUE) || \
+    defined(WOLFSSL_ENCRYPTED_KEYS)
+    #ifndef WOLFSSL_BASE16
+        #define WOLFSSL_BASE16
+    #endif
 #endif
 
 #if defined(FORTRESS) && !defined(HAVE_EX_DATA)
