diff --git a/src/ssl.c b/src/ssl.c
index bc7e6074c8..662dc29caa 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -1295,10 +1295,12 @@ const char* wolfSSL_get_shared_ciphers(WOLFSSL* ssl, char* buf, int len)
 {
 const char* cipher;
- if (ssl == NULL || len <= 0)
+ if (ssl == NULL || buf == NULL || len <= 0)
 return NULL;
 cipher = wolfSSL_get_cipher_name_iana(ssl);
+ if (cipher == NULL)
+ return NULL;
 len = (int)min((word32)len, (word32)(XSTRLEN(cipher) + 1));
 XMEMCPY(buf, cipher, (size_t)len);
 return buf;
@@ -3319,8 +3321,8 @@ int wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups,
 int i;
 int _groups[WOLFSSL_MAX_GROUP_COUNT];
 WOLFSSL_ENTER("wolfSSL_CTX_set1_groups");
- if (count == 0) {
- WOLFSSL_MSG("Group count is zero");
+ if (groups == NULL || count <= 0) {
+ WOLFSSL_MSG("Group count is zero or negative");
 return WOLFSSL_FAILURE;
 }
 if (count > WOLFSSL_MAX_GROUP_COUNT) {
@@ -3358,8 +3360,8 @@ int wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count)
 int i;
 int _groups[WOLFSSL_MAX_GROUP_COUNT];
 WOLFSSL_ENTER("wolfSSL_CTX_set1_groups");
- if (count == 0) {
- WOLFSSL_MSG("Group count is zero");
+ if (groups == NULL || count <= 0) {
+ WOLFSSL_MSG("Group count is zero or negative");
 return WOLFSSL_FAILURE;
 }
 if (count > WOLFSSL_MAX_GROUP_COUNT) {
diff --git a/src/tls.c b/src/tls.c
index ecc9f6f842..bdf448d816 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -399,7 +399,8 @@ int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count)
 int ret, i;
 WOLFSSL_ENTER("wolfSSL_CTX_set_groups");
- if (ctx == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT)
+ if (ctx == NULL || groups == NULL || count < 0 ||
+ count > WOLFSSL_MAX_GROUP_COUNT)
 return BAD_FUNC_ARG;
 if (!IsTLS_ex(ctx->method->version))
 return BAD_FUNC_ARG;
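Review bot: The copy in wolfSSL_get_shared_ciphers still leaves `buf` unterminated when `len` is smaller than the cipher name: `len` is clamped to `min(len, XSTRLEN(cipher) + 1)` and XMEMCPY copies exactly that many bytes, so the trailing NUL is only written when the buffer is large enough. A caller that treats the returned pointer as a C string would then read past the end of `buf`. Adding `buf[len - 1] = '\0';` after the XMEMCPY keeps the result terminated on truncation (or return NULL when the name does not fit, if that is the intended contract). The function's closing lines are outside the hunk.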
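Review bot: The WOLFSSL_MSG text under the new guard in wolfSSL_CTX_set1_groups no longer matches every condition it reports: `groups == NULL` now takes the same branch and is logged as "Group count is zero or negative". A message such as `WOLFSSL_MSG("Groups is NULL or count is not positive");` would keep the debug log accurate, and the same applies to the identical guard in the wolfSSL_set1_groups hunk. Neither guard checks `ctx`/`ssl` for NULL in the visible lines; whether the rest of each body does is outside the hunks.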
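Review bot: The trace label in wolfSSL_set1_groups is the CTX variant's name: the context line reads `WOLFSSL_ENTER("wolfSSL_CTX_set1_groups");` inside `wolfSSL_set1_groups`, so debug traces cannot tell the two entry points apart. Since this commit edits the very next line, it is a natural place to change it to `WOLFSSL_ENTER("wolfSSL_set1_groups");`. The function body continues past the hunk.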
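Review bot: `count == 0` still passes the new guard in wolfSSL_CTX_set_groups, while the set1_groups wrappers in src/ssl.c now reject it with WOLFSSL_FAILURE. If zero is deliberately accepted here (the code that consumes `count` is outside the hunk), a short comment above the check such as `/* count == 0 is allowed; negative counts are rejected */` would record that; otherwise the test should be `count <= 0`. The same guard appears in the wolfSSL_set_groups hunk.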
@@ -444,7 +445,8 @@ int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count)
 int ret, i;
 WOLFSSL_ENTER("wolfSSL_set_groups");
- if (ssl == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT)
+ if (ssl == NULL || groups == NULL || count < 0 ||
+ count > WOLFSSL_MAX_GROUP_COUNT)
 return BAD_FUNC_ARG;
 if (!IsTLS_ex(ssl->version))
 return BAD_FUNC_ARG;
diff --git a/tests/api/test_tls.c b/tests/api/test_tls.c
index aedae4f703..6e49128226 100644
--- a/tests/api/test_tls.c
+++ b/tests/api/test_tls.c
@@ -1062,6 +1062,32 @@ int test_tls12_corrupted_finished(void)
 return EXPECT_RESULT();
 }
+int test_wolfSSL_get_shared_ciphers(void)
+{
+ EXPECT_DECLS;
+#if !defined(WOLFSSL_NO_TLS12) && !defined(NO_TLS)
+#ifndef NO_WOLFSSL_CLIENT
+ WOLFSSL_CTX* ctx = NULL;
+ WOLFSSL* ssl = NULL;
+ char buf[32];
+
+ ExpectNotNull(ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()));
+ ExpectNotNull(ssl = wolfSSL_new(ctx));
+
+ /* NULL ssl - pre-existing guard; pins the contract. */
+ ExpectNull(wolfSSL_get_shared_ciphers(NULL, buf, sizeof(buf)));
+ /* NULL buf - primary regression case (pre-fix: XMEMCPY(NULL, ...) crash). */
+ ExpectNull(wolfSSL_get_shared_ciphers(ssl, NULL, sizeof(buf)));
+ /* len == 0 - pre-existing guard; pins the contract. */
+ ExpectNull(wolfSSL_get_shared_ciphers(ssl, buf, 0));
+
+ wolfSSL_free(ssl);
+ wolfSSL_CTX_free(ctx);
+#endif /* NO_WOLFSSL_CLIENT */
+#endif
+ return EXPECT_RESULT();
+}
+
 /* Test the TLS 1.2 peerAuthGood fail-safe checks directly on both sides.
 * The client branch sets NO_PEER_VERIFY; the server branch returns a generic
 * fatal error from TICKET_SENT before sending its Finished. */
diff --git a/tests/api/test_tls.h b/tests/api/test_tls.h
index c0f74f2150..744df25bd6 100644
--- a/tests/api/test_tls.h
+++ b/tests/api/test_tls.h
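Review bot: test_wolfSSL_get_shared_ciphers only exercises rejection paths, and two guarded cases are missing: a negative `len` and the new `cipher == NULL` return are never hit, and nothing checks the copy itself. Adding `ExpectNull(wolfSSL_get_shared_ciphers(ssl, buf, -1));` pins the `len <= 0` guard. A success-path assertion with a buffer shorter than the returned name would also show whether the result is NUL-terminated on truncation; what name a freshly created object reports is not visible here, so that case needs checking against the implementation. `sizeof(buf)` is passed to an `int` parameter, and an explicit `(int)sizeof(buf)` avoids a conversion warning under stricter flags.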
@@ -35,6 +35,7 @@ int test_tls12_etm_failed_resumption(void);
 int test_tls_set_curves_list_ecc_fallback(void);
 int test_tls12_corrupted_finished(void);
 int test_tls12_peerauth_failsafe(void);
+int test_wolfSSL_get_shared_ciphers(void);
 #define TEST_TLS_DECLS \
 TEST_DECL_GROUP("tls", test_utils_memio_move_message), \
@@ -49,6 +50,7 @@ int test_tls12_peerauth_failsafe(void);
 TEST_DECL_GROUP("tls", test_tls12_etm_failed_resumption), \
 TEST_DECL_GROUP("tls", test_tls_set_curves_list_ecc_fallback), \
 TEST_DECL_GROUP("tls", test_tls12_corrupted_finished), \
- TEST_DECL_GROUP("tls", test_tls12_peerauth_failsafe)
+ TEST_DECL_GROUP("tls", test_tls12_peerauth_failsafe), \
+ TEST_DECL_GROUP("tls", test_wolfSSL_get_shared_ciphers)
 #endif /* TESTS_API_TEST_TLS_H */
diff --git a/tests/api/test_tls13.c b/tests/api/test_tls13.c
index 08b9a5f23f..8eb26a9f6d 100644
--- a/tests/api/test_tls13.c
+++ b/tests/api/test_tls13.c
@@ -587,6 +587,8 @@ int test_tls13_apis(void)
 #endif
 ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, -1),
+ WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, groups, numGroups), WOLFSSL_SUCCESS);
 ExpectIntEQ(wolfSSL_CTX_set_groups(clientCtx, bad_groups, numGroups),
@@ -614,6 +616,8 @@ int test_tls13_apis(void)
 #endif
 ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups, WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
+ ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups, -1),
+ WC_NO_ERR_TRACE(BAD_FUNC_ARG));
 ExpectIntEQ(wolfSSL_set_groups(clientSsl, groups, numGroups), WOLFSSL_SUCCESS);
 ExpectIntEQ(wolfSSL_set_groups(clientSsl, bad_groups, numGroups),
@@ -645,6 +649,10 @@ int test_tls13_apis(void)
 WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
 ExpectIntEQ(wolfSSL_set1_groups(clientSsl, too_many_groups, WOLFSSL_MAX_GROUP_COUNT + 1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(wolfSSL_CTX_set1_groups(clientCtx, NULL, 1),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
+ ExpectIntEQ(wolfSSL_set1_groups(clientSsl, NULL, 1),
+ WC_NO_ERR_TRACE(WOLFSSL_FAILURE));
 #endif
 #ifndef NO_WOLFSSL_CLIENT
 #ifndef WOLFSSL_NO_TLS12
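Review bot: The `count <= 0` half of the new set1_groups guard is not exercised: both added assertions pass NULL with a count of 1, so only the `groups == NULL` check is covered. Adding `ExpectIntEQ(wolfSSL_CTX_set1_groups(clientCtx, too_many_groups, -1), WC_NO_ERR_TRACE(WOLFSSL_FAILURE));` and the matching `wolfSSL_set1_groups(clientSsl, too_many_groups, -1)` assertion would pin the negative-count rejection. test_tls13_apis starts and ends outside the hunk.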