Skip to content

Address bug fixes sent in by ZD 21534#10168

Merged
SparkiDev merged 9 commits intowolfSSL:masterfrom
night1rider:zd-21534
Apr 14, 2026
Merged

Address bug fixes sent in by ZD 21534#10168
SparkiDev merged 9 commits intowolfSSL:masterfrom
night1rider:zd-21534

Conversation

@night1rider
Copy link
Copy Markdown
Contributor

@night1rider night1rider commented Apr 8, 2026
edited
Loading

See: ZD 21534

wolfSSL_use_AltPrivateKey_Id inverted AllocDer check (e31abd8, 13af706)

The AllocDer success check is inverted. It checks == 0 instead of != 0, so it treats successful allocations as failures and misses real allocation failures, leading to a NULL pointer write. The CTX level function has the correct check. A regression test was added.

wolfSSL_use_AltPrivateKey_Label inverted AllocDer check (ae3c00f, cf5da7b)

Same inverted AllocDer check in the Label variant. The CTX level function has the correct check. A regression test was added.

wolfSSL_add1_chain_cert comparison instead of assignment (939f978)

ret == wolfSSL_X509_up_ref(x509) is a comparison when it should be an assignment (ret =). The happy path works by accident because both sides equal 1, but on failure ret never gets updated so the caller sees false success and the X509 ref count leaks. The sibling wolfSSL_CTX_add1_chain_cert uses the correct assignment.

wolfSSL_CTX_set_tmp_dh wrong logical operator and comparison (5003c03)

The error check uses && and < 0 when it should use || and <= 0. This means it only catches the error when both p and g encoding fail, and it misses zero length returns. Three other instances of this same check in the file all use || and <= 0.

ProcessBufferCertPublicKey wrong endif comments (b067686)

Two #endif comments say HAVE_ED25519 but they actually close WOLFSSL_SM2 && WOLFSSL_SM3 blocks. Copy paste error, no runtime impact.

ws_ctx_ssl_set_tmp_dh cast away const (7d38e9c)

The DER path allocates an empty DerBuffer and points its buffer directly at the caller's const data, casting away const. When FreeDer runs later it tries to free a pointer it doesn't own, which is undefined behavior. Fixed by allocating the DerBuffer with the actual size and copying the data in. Affects wolfSSL_SetTmpDH_buffer and wolfSSL_CTX_SetTmpDH_buffer when called with WOLFSSL_FILETYPE_ASN1.

@night1rider night1rider self-assigned this Apr 8, 2026
@night1rider night1rider changed the title Adress bug fixes sent in by ZD 21534 Address bug fixes sent in by ZD 21534 Apr 8, 2026
dgarske
dgarske reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@dgarske dgarske left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: APPROVE
Findings: 3 total — 3 posted, 0 skipped

Posted findings

  • [Medium] No regression test for wolfSSL_add1_chain_cert comparison-to-assignment fixsrc/ssl_load.c:5205
  • [Medium] No regression test for wolfSSL_CTX_set_tmp_dh operator fixsrc/ssl_load.c:5867
  • [Medium] ws_ctx_ssl_set_tmp_dh fix could benefit from a targeted test for the ASN1 pathsrc/ssl_load.c:5932-5936

Review generated by Skoll via openclaw

@night1rider night1rider force-pushed the zd-21534 branch 2 times, most recently from bd90bb2 to 307d3ce Compare April 10, 2026 18:27
@night1rider
Copy link
Copy Markdown
Contributor Author

night1rider commented Apr 13, 2026

Jenkins retest this please

@night1rider
Add test for wolfSSL_use_AltPrivateKey_Id to verify successful key ID…
3925804 
… allocation
@night1rider
Fix inverted AllocDer success check in wolfSSL_use_AltPrivateKey_Id
72c1dd7
@night1rider
Add test for wolfSSL_use_AltPrivateKey_Label to verify successful key…
b74731d 
… label allocation
@night1rider
Fix inverted AllocDer success check in wolfSSL_use_AltPrivateKey_Label
0a152dd
@night1rider
Fix == vs = in wolfSSL_add1_chain_cert so ret captures up_ref result …
886ca03 
…instead of comparing against it, matching wolfSSL_CTX_add1_chain_cert
@night1rider
Fix DH encoding check in wolfSSL_CTX_set_tmp_dh: && to || and < to <=…
2a0d76c 
… to catch single-param failure and zero-length, matching wolfSSL_set_tmp_dh.
@night1rider
Copy-paste error in ProcessBufferCertPublicKey and ProcessBufferCertA…
4594f3f 
…ltPublicKey, Fix #endif comments closing WOLFSSL_SM2/SM3 blocks, not HAVE_ED25519
@night1rider
Fix cast-away-const in ws_ctx_ssl_set_tmp_dh: allocate DerBuffer with…
0ab5401 
… actual size and copy data instead of pointing at caller's const buffer, which caused FreeDer to free non-owned memory.
@night1rider
Add DH regression test and incremement ref counter tests to api.c
8cc02d8
@night1rider
Copy link
Copy Markdown
Contributor Author

night1rider commented Apr 13, 2026

rebased and forced to pull in #10202 to fix CI issues

wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10168

Scan targets checked: wolfssl-bugs, wolfssl-compliance, wolfssl-consttime, wolfssl-defaults, wolfssl-mutation, wolfssl-proptest, wolfssl-src, wolfssl-zeroize

No new issues found in the changed files. ✅

@SparkiDev SparkiDev merged commit 5ad6097 into wolfSSL:master Apr 14, 2026
409 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

@dgarske dgarske dgarske approved these changes

@SparkiDev SparkiDev SparkiDev approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@night1rider @dgarske @SparkiDev @wolfSSL-Fenrir-bot @wolfSSL-Bot