validate preconditions at public API boundary

Author: JeremiahM37

wolfcrypt/src/cmac.c

@@ -71,6 +71,8 @@
  */
 int wc_CMAC_Grow(Cmac* cmac, const byte* in, int inSz)
 {
+    if ((cmac == NULL) || (in == NULL && inSz != 0))
+        return BAD_FUNC_ARG;
     return _wc_Hash_Grow(&cmac->msg, &cmac->used, &cmac->len, in, inSz, cmac->aes.heap);
 }
 #endif /* WOLFSSL_HASH_KEEP */

wolfcrypt/src/curve25519.c

@@ -971,6 +971,9 @@ int wc_curve25519_export_private_raw_ex(curve25519_key* key, byte* out,
     if (key == NULL || out == NULL || outLen == NULL)
         return BAD_FUNC_ARG;
 
+    if (!key->privSet)
+        return ECC_BAD_ARG_E;
+
     /* check size of outgoing buffer */
     if (*outLen < CURVE25519_KEYSIZE) {
         *outLen = CURVE25519_KEYSIZE;

wolfcrypt/src/curve448.c

@@ -478,6 +478,10 @@ int wc_curve448_export_private_raw_ex(curve448_key* key, byte* out,
         ret = BAD_FUNC_ARG;
     }
 
+    if ((ret == 0) && (!key->privSet)) {
+        ret = ECC_BAD_ARG_E;
+    }
+
     /* check size of outgoing buffer */
     if ((ret == 0) && (*outLen < CURVE448_KEY_SIZE)) {
         *outLen = CURVE448_KEY_SIZE;

wolfcrypt/src/ed25519.c

@@ -1414,7 +1414,7 @@ int wc_ed25519_import_private_key(const byte* priv, word32 privSz,
 int wc_ed25519_export_private_only(const ed25519_key* key, byte* out, word32* outLen)
 {
     /* sanity checks on arguments */
-    if (key == NULL || out == NULL || outLen == NULL)
+    if (key == NULL || !key->privKeySet || out == NULL || outLen == NULL)
         return BAD_FUNC_ARG;
 
     if (*outLen < ED25519_KEY_SIZE) {

wolfcrypt/src/ed448.c

@@ -1301,6 +1301,10 @@ int wc_ed448_export_private_only(const ed448_key* key, byte* out, word32* outLen
         ret = BAD_FUNC_ARG;
     }
 
+    if ((ret == 0) && (!key->privKeySet)) {
+        ret = BAD_FUNC_ARG;
+    }
+
     if ((ret == 0) && (*outLen < ED448_KEY_SIZE)) {
         *outLen = ED448_KEY_SIZE;
         ret = BUFFER_E;
@@ -1333,6 +1337,10 @@ int wc_ed448_export_private(const ed448_key* key, byte* out, word32* outLen)
         ret = BAD_FUNC_ARG;
     }
 
+    if ((ret == 0) && (!key->privKeySet)) {
+        ret = BAD_FUNC_ARG;
+    }
+
     if ((ret == 0) && (*outLen < ED448_PRV_KEY_SIZE)) {
         *outLen = ED448_PRV_KEY_SIZE;
         ret = BUFFER_E;

wolfcrypt/src/rng_bank.c

@@ -928,6 +928,8 @@ WOLFSSL_API int wc_BankRef_Release(WC_RNG *rng)
 {
     int isZero = 0;
     int ret = 0;
+    if (rng == NULL)
+        return BAD_FUNC_ARG;
     if (rng->bankref == NULL)
         return BAD_FUNC_ARG;
     wolfSSL_RefDec(&rng->bankref->refcount, &isZero, &ret);