Merge pull request #9869 from JacobBarthelmeh/f356

douzzer · web-flow · commit e3e5179cf8f5 · 2026-03-10T19:30:46.000-05:00
fix for sanity checks on serial input
diff --git a/src/x509.c b/src/x509.c
@@ -16082,13 +16082,13 @@ int wolfSSL_X509_set_serialNumber(WOLFSSL_X509* x509, WOLFSSL_ASN1_INTEGER* s)
 
     /* WOLFSSL_ASN1_INTEGER has type | size | data
      * Sanity check that the data is actually in ASN format */
-    if (s->length < 3 && s->data[0] != ASN_INTEGER &&
+    if (s->length < 3 || s->data[0] != ASN_INTEGER ||
             s->data[1] != s->length - 2) {
         return WOLFSSL_FAILURE;
     }
     XMEMCPY(x509->serial, s->data + 2, s->length - 2);
     x509->serialSz = s->length - 2;
-    x509->serial[s->length] = 0;
+    x509->serial[x509->serialSz] = 0;
 
     return WOLFSSL_SUCCESS;
 }
diff --git a/tests/api/test_x509.c b/tests/api/test_x509.c
@@ -243,3 +243,96 @@ int test_x509_GetCAByAKID(void)
 #endif /* WOLFSSL_AKID_NAME */
     return EXPECT_RESULT();
 }
+
+int test_x509_set_serialNumber(void)
+{
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+    EXPECT_DECLS;
+    WOLFSSL_X509*         x509 = NULL;
+    WOLFSSL_ASN1_INTEGER* s    = NULL;
+#if defined(OPENSSL_EXTRA_X509_SMALL)
+    WOLFSSL_ASN1_INTEGER  asnInt;
+#endif
+
+    ExpectNotNull(x509 = wolfSSL_X509_new());
+#if defined(OPENSSL_EXTRA_X509_SMALL)
+    XMEMSET(&asnInt, 0, sizeof(asnInt));
+    asnInt.data = asnInt.intData;
+    asnInt.isDynamic = 0;
+    asnInt.dataMax = (unsigned int)sizeof(asnInt.intData);
+    s = &asnInt;
+#else
+    ExpectNotNull(s = wolfSSL_ASN1_INTEGER_new());
+#endif
+
+    /* --- invalid inputs that must be rejected --- */
+
+    /* NULL x509 */
+    ExpectIntEQ(X509_set_serialNumber(NULL, s), WOLFSSL_FAILURE);
+    /* NULL s */
+    ExpectIntEQ(X509_set_serialNumber(x509, NULL), WOLFSSL_FAILURE);
+
+    if (s != NULL) {
+        /* length == 0: too short */
+        s->length  = 0;
+        s->data[0] = ASN_INTEGER;
+        s->data[1] = 0;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_FAILURE);
+
+        /* length == 1: still too short */
+        s->length  = 1;
+        s->data[0] = ASN_INTEGER;
+        s->data[1] = 0;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_FAILURE);
+
+        /* length == 2: still rejected - the guard requires length >= 3 */
+        s->length  = 2;
+        s->data[0] = ASN_INTEGER;
+        s->data[1] = 0;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_FAILURE);
+
+        /* wrong type byte */
+        s->length  = 4;
+        s->data[0] = 0x00; /* not ASN_INTEGER */
+        s->data[1] = 2;    /* length field */
+        s->data[2] = 0x01;
+        s->data[3] = 0x02;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_FAILURE);
+
+        /* mismatched length byte (data[1] != s->length - 2) */
+        s->length  = 4;
+        s->data[0] = ASN_INTEGER;
+        s->data[1] = 99; /* claims 99 bytes but s->length - 2 == 2 */
+        s->data[2] = 0x01;
+        s->data[3] = 0x02;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_FAILURE);
+
+        /* --- valid two-byte serial number --- */
+        s->length  = 4;
+        s->data[0] = ASN_INTEGER;
+        s->data[1] = 2;
+        s->data[2] = 0x01;
+        s->data[3] = 0x02;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_SUCCESS);
+        ExpectIntEQ(x509->serialSz, 2);
+        /* NUL terminator must be placed right after the copied data */
+        ExpectIntEQ(x509->serial[x509->serialSz], 0);
+        ExpectIntEQ(x509->serial[0], 0x01);
+        ExpectIntEQ(x509->serial[1], 0x02);
+    }
+
+#if !defined(OPENSSL_EXTRA_X509_SMALL)
+    wolfSSL_ASN1_INTEGER_free(s);
+#endif
+    wolfSSL_X509_free(x509);
+    return EXPECT_RESULT();
+#else
+    return TEST_SKIPPED;
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+}
diff --git a/tests/api/test_x509.h b/tests/api/test_x509.h
@@ -24,9 +24,11 @@
 
 int test_x509_rfc2818_verification_callback(void);
 int test_x509_GetCAByAKID(void);
+int test_x509_set_serialNumber(void);
 
 #define TEST_X509_DECLS                                                        \
     TEST_DECL_GROUP("x509", test_x509_rfc2818_verification_callback),          \
-    TEST_DECL_GROUP("x509", test_x509_GetCAByAKID)
+    TEST_DECL_GROUP("x509", test_x509_GetCAByAKID),                            \
+    TEST_DECL_GROUP("x509", test_x509_set_serialNumber)
 
 #endif /* WOLFCRYPT_TEST_X509_H */

Original file line number	Diff line number	Diff line change
`@@ -16082,13 +16082,13 @@ int wolfSSL_X509_set_serialNumber(WOLFSSL_X509* x509, WOLFSSL_ASN1_INTEGER* s)`
`16082`	`16082`
`16083`	`16083`	`/* WOLFSSL_ASN1_INTEGER has type \| size \| data`
`16084`	`16084`	`* Sanity check that the data is actually in ASN format */`
`16085`		`- if (s->length < 3 && s->data[0] != ASN_INTEGER &&`
	`16085`	`+ if (s->length < 3 \|\| s->data[0] != ASN_INTEGER \|\|`
`16086`	`16086`	`s->data[1] != s->length - 2) {`
`16087`	`16087`	`return WOLFSSL_FAILURE;`
`16088`	`16088`	`}`
`16089`	`16089`	`XMEMCPY(x509->serial, s->data + 2, s->length - 2);`
`16090`	`16090`	`x509->serialSz = s->length - 2;`
`16091`		`- x509->serial[s->length] = 0;`
	`16091`	`+ x509->serial[x509->serialSz] = 0;`
`16092`	`16092`
`16093`	`16093`	`return WOLFSSL_SUCCESS;`
`16094`	`16094`	`}`