From aa56c40d30d90098598755e560857a6d80d8589d Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Fri, 10 Oct 2025 11:56:03 -0500 Subject: [PATCH 1/8] Fix / suppress GCC warnings --- src/internal.c | 11 +---------- src/ssl_bn.c | 5 +++++ src/tls.c | 11 ++++++++--- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/src/internal.c b/src/internal.c index 69e4859cf6..7c1903c4f6 100644 --- a/src/internal.c +++ b/src/internal.c @@ -25910,16 +25910,7 @@ int SendData(WOLFSSL* ssl, const void* data, size_t sz) } #endif /* WOLFSSL_DTLS13 */ -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - buffSz = wolfSSL_GetMaxFragSize(ssl, (word32)sz - sent); - } - else -#endif - { - buffSz = wolfSSL_GetMaxFragSize(ssl, (word32)sz - sent); - - } + buffSz = wolfSSL_GetMaxFragSize(ssl, (word32)sz - sent); if (sent == (word32)sz) break; diff --git a/src/ssl_bn.c b/src/ssl_bn.c index 139684bd8c..d038e90585 100644 --- a/src/ssl_bn.c +++ b/src/ssl_bn.c @@ -1151,7 +1151,12 @@ int wolfSSL_BN_cmp(const WOLFSSL_BIGNUM* a, const WOLFSSL_BIGNUM* b) ret = -1; } else { + PRAGMA_GCC_DIAG_PUSH + PRAGMA_GCC("GCC diagnostic ignored \"-Werror=duplicated-branches\"") + /* ignored warning here because the same return value + was intentional */ ret = WOLFSSL_FATAL_ERROR; /* also -1 */ + PRAGMA_GCC_DIAG_POP } } diff --git a/src/tls.c b/src/tls.c index 5759e344d9..cd2586de0a 100644 --- a/src/tls.c +++ b/src/tls.c @@ -5329,9 +5329,14 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl) SupportedCurve* serverGroup; ext = TLSX_Find(priority, TLSX_SUPPORTED_GROUPS); - serverGroup = (SupportedCurve*)ext->data; - - ret = tlsx_ffdhe_find_group(ssl, clientGroup, serverGroup); + if (ext == NULL) { + WOLFSSL_MSG("Could not find supported groups extension"); + ret = 0; + } + else { + serverGroup = (SupportedCurve*)ext->data; + ret = tlsx_ffdhe_find_group(ssl, clientGroup, serverGroup); + } } TLSX_FreeAll(priority, ssl->heap); From f713cdb5e0109331e283ce241d9c6c263c89dabd Mon Sep 17 00:00:00 2001 
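Review bot: In the src/tls.c hunk of patch 1/8 (TLSX_SupportedFFDHE_Set), the new `ext == NULL` branch sets `ret = 0`, and nothing visible in the hunk distinguishes that value from what a successful `tlsx_ffdhe_find_group` call returns. If 0 is this function's success value, a missing supported-groups extension is logged but otherwise reported as a normal outcome, so group selection is skipped without the caller being told. Either return an error code on this path or document why succeeding is correct, e.g. `/* No supported-groups extension found: select no FFDHE group and report no error. */` above `ret = 0;`. The function begins and ends outside the hunk, so the meaning of the return value should be confirmed against the full body and its callers.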
From: Eric Blankenhorn Date: Fri, 10 Oct 2025 15:14:56 -0500 Subject: [PATCH 2/8] Fix evp const warning and pk buffer warning --- src/pk.c | 4 ++++ wolfcrypt/src/evp.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/pk.c b/src/pk.c index 8bc1c75c05..b0d866aa82 100644 --- a/src/pk.c +++ b/src/pk.c @@ -737,6 +737,10 @@ static int wolfssl_print_indent(WOLFSSL_BIO* bio, char* line, int lineLen, int ret = 1; if (indent > 0) { + /* Cap indent to buffer size to avoid format truncation warning */ + if (indent >= lineLen) { + indent = lineLen - 1; + } /* Print indent spaces. */ int len_wanted = XSNPRINTF(line, (size_t)lineLen, "%*s", indent, " "); if ((len_wanted < 0) || (len_wanted >= lineLen)) { diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 2840f22676..72d0ea876a 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -6820,7 +6820,7 @@ void wolfSSL_EVP_init(void) } static int EvpCipherAesGCM(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* dst, - byte* src, word32 len) + const byte* src, word32 len) { int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); From e47be2163a1cbfcc7640b136b6284414aaf67bc3 Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Fri, 10 Oct 2025 15:33:53 -0500 Subject: [PATCH 3/8] Fix buffer warnings in x509 --- src/ssl_bn.c | 2 +- src/x509.c | 35 ++++++++++++++++++++++++++++++++++- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/src/ssl_bn.c b/src/ssl_bn.c index d038e90585..597434d6a0 100644 --- a/src/ssl_bn.c +++ b/src/ssl_bn.c @@ -1153,7 +1153,7 @@ int wolfSSL_BN_cmp(const WOLFSSL_BIGNUM* a, const WOLFSSL_BIGNUM* b) else { PRAGMA_GCC_DIAG_PUSH PRAGMA_GCC("GCC diagnostic ignored \"-Werror=duplicated-branches\"") - /* ignored warning here because the same return value + /* ignored warning here because the same return value was intentional */ ret = WOLFSSL_FATAL_ERROR; /* also -1 */ PRAGMA_GCC_DIAG_POP diff --git a/src/x509.c b/src/x509.c index 74efb78c38..03d2c6d58c 100644 --- a/src/x509.c +++ b/src/x509.c 
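Review bot: In the src/pk.c hunk of patch 2/8 (wolfssl_print_indent), capping `indent` to `lineLen - 1` turns an oversized indent from a reported failure into silently shortened output, because once `lineLen` is at least 2 the `len_wanted >= lineLen` check below can no longer trigger for a large indent. The added comment gives only the compiler warning as the reason; if shortened indentation is acceptable, say so (`/* Oversized indent is truncated to fit line, not rejected. */`), otherwise log the error and set `ret = 0` instead of capping. When `lineLen` is 0 or negative the cap makes `indent` negative, which `%*s` interprets as left-justification; the hunk does not show whether callers can pass such a length. The same cap is carried unchanged into the patch 4/8 hunk for this function, whose body continues outside both hunks.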
@@ -1474,6 +1474,12 @@ static WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data_internal( #ifndef NO_BIO + +#ifndef MAX_INDENT + #define MAX_INDENT 40 +#endif + + /* Return 0 on success and 1 on failure. Copies ext data to bio, using indent * to pad the output. flag is ignored. */ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, @@ -1488,6 +1494,9 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, int tmpLen = 0; WOLFSSL_ENTER("wolfSSL_X509V3_EXT_print"); + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + if ((out == NULL) || (ext == NULL)) { WOLFSSL_MSG("NULL parameter error"); return rc; @@ -6320,6 +6329,9 @@ static int X509PrintKeyUsage(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) "Decipher Only" }; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + if (bio == NULL || x509 == NULL) { ret = WOLFSSL_FAILURE; } @@ -6491,6 +6503,9 @@ static int X509PrintSerial(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) unsigned char serial[32]; int sz = sizeof(serial); + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + XMEMSET(serial, 0, sz); if (wolfSSL_X509_get_serial_number(x509, serial, &sz) == WOLFSSL_SUCCESS) { X509PrintSerial_ex(bio, serial, sz, 1, indent); @@ -6583,6 +6598,9 @@ static int X509PrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) int count, i; char* buf = NULL; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + count = wolfSSL_X509_get_ext_count(x509); if (count <= 0) return WOLFSSL_SUCCESS; @@ -6996,6 +7014,9 @@ static int X509PrintPubKey(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) int len; int ret = WOLFSSL_SUCCESS; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + if (bio == NULL || x509 == NULL) return BAD_FUNC_ARG; 
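Review bot: In the first src/x509.c hunk of patch 3/8, `MAX_INDENT` is defined as 40 with no comment and no stated relation to `MAX_WIDTH`, the size of the scratch buffers that the clamped indent is later formatted into. The clamp prevents truncation only if `MAX_INDENT` plus the longest label stays below `MAX_WIDTH`, and since the define sits inside `#ifndef` a build can override it with a larger value and lose that property. Suggest a comment such as `/* Upper bound for print indentation; must leave room for the longest label in a MAX_WIDTH buffer. */`, and a compile-time check of the two constants if `MAX_WIDTH` is already defined at this point in the file, which the hunk does not show. The same define is removed in patch 5/8 and restored in patch 7/8.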
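Review bot: The clamp `if (indent < 0) indent = 0; if (indent > MAX_INDENT) indent = MAX_INDENT;` added to wolfSSL_X509V3_EXT_print is repeated verbatim in every other print helper this patch touches (X509PrintKeyUsage, X509PrintSerial, X509PrintExtensions, X509PrintPubKey, X509PrintVersion, X509PrintReqAttributes, X509RevokedPrintSerial, X509CRLPrintExtensions) and again in patch 7/8, so the bound lives in ten places. A single static helper, sketched below with an illustrative name, would keep the range check in one spot and use the braced `if` style of the surrounding code; it needs to sit under a preprocessor guard that covers all of its callers, which these hunks do not show. wolfSSL_X509V3_EXT_print is a public entry point, so its header comment should also state that `indent` is limited to the range 0..MAX_INDENT. Each of these functions starts or ends outside its hunk.

```c
/* Limit a caller-supplied indent to [0, MAX_INDENT] before it is used as a
 * "%*s" field width. */
static int x509_clamp_indent(int indent)
{
    if (indent < 0) {
        return 0;
    }
    if (indent > MAX_INDENT) {
        return MAX_INDENT;
    }
    return indent;
}

/* ... unchanged: wolfSSL_X509V3_EXT_print signature and declarations ... */
    WOLFSSL_ENTER("wolfSSL_X509V3_EXT_print");
    indent = x509_clamp_indent(indent);
```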
@@ -7083,6 +7104,9 @@ static int X509PrintVersion(WOLFSSL_BIO* bio, int version, int indent) char scratch[MAX_WIDTH]; int scratchLen; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + scratchLen = XSNPRINTF(scratch, MAX_WIDTH, "%*s%s", indent, "", "Version:"); if ((scratchLen < 0) || (scratchLen >= MAX_WIDTH)) { return WOLFSSL_FAILURE; @@ -7116,6 +7140,9 @@ static int X509PrintReqAttributes(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int scratchLen; int i = 0; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + if ((scratchLen = XSNPRINTF(scratch, MAX_WIDTH, "%*s%s", indent, "", "Attributes: \n")) >= MAX_WIDTH) @@ -8863,6 +8890,9 @@ static int X509RevokedPrintSerial(WOLFSSL_BIO* bio, RevokedCert* rev, unsigned char serial[32]; int sz = sizeof(serial); + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + XMEMSET(serial, 0, sz); if (wolfSSL_X509_REVOKED_get_serial_number(rev, serial, &sz) == WOLFSSL_SUCCESS) { @@ -8921,9 +8951,12 @@ static int X509CRLPrintSignature(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, static int X509CRLPrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, int indent) { - char tmp[MAX_WIDTH]; /* buffer for XSNPRINTF */ + char tmp[MAX_WIDTH]; int ret = 0; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent, "", "CRL extensions:") >= MAX_WIDTH) { ret = WOLFSSL_FAILURE; From 83336e3436e36d501fe42e4da3dffa5abcbb398e Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Mon, 13 Oct 2025 12:15:39 -0500 Subject: [PATCH 4/8] Fix from testing --- src/pk.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/pk.c b/src/pk.c index b0d866aa82..4da27c439a 100644 --- a/src/pk.c +++ b/src/pk.c 
@@ -737,12 +737,13 @@ static int wolfssl_print_indent(WOLFSSL_BIO* bio, char* line, int lineLen, int ret = 1; if (indent > 0) { + int len_wanted; /* Cap indent to buffer size to avoid format truncation warning */ if (indent >= lineLen) { indent = lineLen - 1; } /* Print indent spaces. */ - int len_wanted = XSNPRINTF(line, (size_t)lineLen, "%*s", indent, " "); + len_wanted = XSNPRINTF(line, (size_t)lineLen, "%*s", indent, " "); if ((len_wanted < 0) || (len_wanted >= lineLen)) { WOLFSSL_ERROR_MSG("Buffer overflow formatting indentation"); ret = 0; From adc914603567480f5758732a1ba370e1db535f4f Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Mon, 13 Oct 2025 12:33:40 -0500 Subject: [PATCH 5/8] Fix from testing --- src/ssl_bn.c | 6 +++--- src/x509.c | 37 +++---------------------------------- wolfcrypt/src/evp.c | 4 ++-- wolfssl/openssl/evp.h | 2 +- 4 files changed, 9 insertions(+), 40 deletions(-) diff --git a/src/ssl_bn.c b/src/ssl_bn.c index 597434d6a0..396c628eb1 100644 --- a/src/ssl_bn.c +++ b/src/ssl_bn.c @@ -1138,6 +1138,8 @@ int wolfSSL_BN_cmp(const WOLFSSL_BIGNUM* a, const WOLFSSL_BIGNUM* b) ret = 1; } else { + PRAGMA_GCC_DIAG_PUSH + PRAGMA_GCC("GCC diagnostic ignored \"-Werror=duplicated-branches\"") /* Compare big numbers with wolfCrypt. */ ret = mp_cmp((mp_int*)a->internal, (mp_int*)b->internal); /* Convert wolfCrypt return value. */ @@ -1151,13 +1153,11 @@ int wolfSSL_BN_cmp(const WOLFSSL_BIGNUM* a, const WOLFSSL_BIGNUM* b) ret = -1; } else { - PRAGMA_GCC_DIAG_PUSH - PRAGMA_GCC("GCC diagnostic ignored \"-Werror=duplicated-branches\"") /* ignored warning here because the same return value was intentional */ ret = WOLFSSL_FATAL_ERROR; /* also -1 */ - PRAGMA_GCC_DIAG_POP } + PRAGMA_GCC_DIAG_POP } return ret; diff --git a/src/x509.c b/src/x509.c index 03d2c6d58c..aa402dedd1 100644 --- a/src/x509.c +++ b/src/x509.c @@ -27,6 +27,8 @@ #endif #else +#pragma GCC diagnostic ignored "-Wformat-truncation" + #ifndef WOLFCRYPT_ONLY #ifndef NO_CERTS 
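Review bot: In the src/ssl_bn.c hunks of patch 5/8 (wolfSSL_BN_cmp), the comment `/* ignored warning here because the same return value was intentional */` stays inside the final `else` while the PRAGMA_GCC_DIAG_PUSH/POP pair it justifies moves out to wrap the whole comparison block, so the suppression and its explanation are now several lines apart. Move the comment up next to the pragma and name what it covers, e.g. `/* The preceding ret = -1 branch and the error branch intentionally yield the same value; suppress the duplicated-branches diagnostic for this chain. */`. The suppressed region now also includes the `mp_cmp` call, which is wider than the if/else chain that triggers the diagnostic. The function starts outside these hunks.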
@@ -1474,12 +1476,6 @@ static WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data_internal( #ifndef NO_BIO - -#ifndef MAX_INDENT - #define MAX_INDENT 40 -#endif - - /* Return 0 on success and 1 on failure. Copies ext data to bio, using indent * to pad the output. flag is ignored. */ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, @@ -1494,9 +1490,6 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, int tmpLen = 0; WOLFSSL_ENTER("wolfSSL_X509V3_EXT_print"); - if (indent < 0) indent = 0; - if (indent > MAX_INDENT) indent = MAX_INDENT; - if ((out == NULL) || (ext == NULL)) { WOLFSSL_MSG("NULL parameter error"); return rc; @@ -6329,9 +6322,6 @@ static int X509PrintKeyUsage(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) "Decipher Only" }; - if (indent < 0) indent = 0; - if (indent > MAX_INDENT) indent = MAX_INDENT; - if (bio == NULL || x509 == NULL) { ret = WOLFSSL_FAILURE; } @@ -6503,9 +6493,6 @@ static int X509PrintSerial(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) unsigned char serial[32]; int sz = sizeof(serial); - if (indent < 0) indent = 0; - if (indent > MAX_INDENT) indent = MAX_INDENT; - XMEMSET(serial, 0, sz); if (wolfSSL_X509_get_serial_number(x509, serial, &sz) == WOLFSSL_SUCCESS) { X509PrintSerial_ex(bio, serial, sz, 1, indent); @@ -6598,9 +6585,6 @@ static int X509PrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) int count, i; char* buf = NULL; - if (indent < 0) indent = 0; - if (indent > MAX_INDENT) indent = MAX_INDENT; - count = wolfSSL_X509_get_ext_count(x509); if (count <= 0) return WOLFSSL_SUCCESS; @@ -7014,9 +6998,6 @@ static int X509PrintPubKey(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) int len; int ret = WOLFSSL_SUCCESS; - if (indent < 0) indent = 0; - if (indent > MAX_INDENT) indent = MAX_INDENT; - if (bio == NULL || x509 == NULL) return BAD_FUNC_ARG; 
@@ -7104,9 +7085,6 @@ static int X509PrintVersion(WOLFSSL_BIO* bio, int version, int indent) char scratch[MAX_WIDTH]; int scratchLen; - if (indent < 0) indent = 0; - if (indent > MAX_INDENT) indent = MAX_INDENT; - scratchLen = XSNPRINTF(scratch, MAX_WIDTH, "%*s%s", indent, "", "Version:"); if ((scratchLen < 0) || (scratchLen >= MAX_WIDTH)) { return WOLFSSL_FAILURE; @@ -7140,9 +7118,6 @@ static int X509PrintReqAttributes(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int scratchLen; int i = 0; - if (indent < 0) indent = 0; - if (indent > MAX_INDENT) indent = MAX_INDENT; - if ((scratchLen = XSNPRINTF(scratch, MAX_WIDTH, "%*s%s", indent, "", "Attributes: \n")) >= MAX_WIDTH) @@ -8890,9 +8865,6 @@ static int X509RevokedPrintSerial(WOLFSSL_BIO* bio, RevokedCert* rev, unsigned char serial[32]; int sz = sizeof(serial); - if (indent < 0) indent = 0; - if (indent > MAX_INDENT) indent = MAX_INDENT; - XMEMSET(serial, 0, sz); if (wolfSSL_X509_REVOKED_get_serial_number(rev, serial, &sz) == WOLFSSL_SUCCESS) { @@ -8951,12 +8923,9 @@ static int X509CRLPrintSignature(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, static int X509CRLPrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, int indent) { - char tmp[MAX_WIDTH]; + char tmp[MAX_WIDTH]; /* buffer for XSNPRINTF */ int ret = 0; - if (indent < 0) indent = 0; - if (indent > MAX_INDENT) indent = MAX_INDENT; - if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent, "", "CRL extensions:") >= MAX_WIDTH) { ret = WOLFSSL_FAILURE; diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 72d0ea876a..eb7d29fea5 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -8517,8 +8517,8 @@ void wolfSSL_EVP_init(void) } /* Return length on ok */ - int wolfSSL_EVP_Cipher(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* dst, byte* src, - word32 len) + int wolfSSL_EVP_Cipher(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* dst, + const byte* src, word32 len) { int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); 
diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index 0d9cf860c7..9939b2b8cc 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -892,7 +892,7 @@ WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_set_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, byte WOLFSSL_API int wolfSSL_EVP_CIPHER_CTX_get_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* iv, int ivLen); WOLFSSL_API int wolfSSL_EVP_Cipher(WOLFSSL_EVP_CIPHER_CTX* ctx, - unsigned char* dst, unsigned char* src, + unsigned char* dst, const unsigned char* src, unsigned int len); WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_get_cipherbynid(int id); From bae25afa40f9c0abbef68302c601a5b1bbe6224c Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Mon, 13 Oct 2025 12:42:01 -0500 Subject: [PATCH 6/8] Fix from testing --- wolfcrypt/src/evp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index eb7d29fea5..c0b2fcab33 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -7012,7 +7012,7 @@ void wolfSSL_EVP_init(void) } static int EvpCipherAesCCM(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* dst, - byte* src, word32 len) + const byte* src, word32 len) { int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE); From e67b85724e4a906b0aae8b699b174e75a44b139f Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Mon, 13 Oct 2025 12:57:47 -0500 Subject: [PATCH 7/8] Fix from testing --- src/x509.c | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/src/x509.c b/src/x509.c index aa402dedd1..479775772b 100644 --- a/src/x509.c +++ b/src/x509.c @@ -27,8 +27,6 @@ #endif #else -#pragma GCC diagnostic ignored "-Wformat-truncation" - #ifndef WOLFCRYPT_ONLY #ifndef NO_CERTS 
@@ -1476,6 +1474,12 @@ static WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data_internal( #ifndef NO_BIO + +#ifndef MAX_INDENT + #define MAX_INDENT 40 +#endif + + /* Return 0 on success and 1 on failure. Copies ext data to bio, using indent * to pad the output. flag is ignored. */ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, @@ -1490,6 +1494,9 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext, int tmpLen = 0; WOLFSSL_ENTER("wolfSSL_X509V3_EXT_print"); + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + if ((out == NULL) || (ext == NULL)) { WOLFSSL_MSG("NULL parameter error"); return rc; @@ -6322,6 +6329,9 @@ static int X509PrintKeyUsage(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) "Decipher Only" }; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + if (bio == NULL || x509 == NULL) { ret = WOLFSSL_FAILURE; } @@ -6493,6 +6503,9 @@ static int X509PrintSerial(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) unsigned char serial[32]; int sz = sizeof(serial); + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + XMEMSET(serial, 0, sz); if (wolfSSL_X509_get_serial_number(x509, serial, &sz) == WOLFSSL_SUCCESS) { X509PrintSerial_ex(bio, serial, sz, 1, indent); @@ -6585,6 +6598,9 @@ static int X509PrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) int count, i; char* buf = NULL; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + count = wolfSSL_X509_get_ext_count(x509); if (count <= 0) return WOLFSSL_SUCCESS; @@ -6998,6 +7014,9 @@ static int X509PrintPubKey(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent) int len; int ret = WOLFSSL_SUCCESS; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + if (bio == NULL || x509 == NULL) return BAD_FUNC_ARG; 
@@ -7085,6 +7104,9 @@ static int X509PrintVersion(WOLFSSL_BIO* bio, int version, int indent) char scratch[MAX_WIDTH]; int scratchLen; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + scratchLen = XSNPRINTF(scratch, MAX_WIDTH, "%*s%s", indent, "", "Version:"); if ((scratchLen < 0) || (scratchLen >= MAX_WIDTH)) { return WOLFSSL_FAILURE; @@ -7118,6 +7140,9 @@ static int X509PrintReqAttributes(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int scratchLen; int i = 0; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + if ((scratchLen = XSNPRINTF(scratch, MAX_WIDTH, "%*s%s", indent, "", "Attributes: \n")) >= MAX_WIDTH) @@ -8865,6 +8890,9 @@ static int X509RevokedPrintSerial(WOLFSSL_BIO* bio, RevokedCert* rev, unsigned char serial[32]; int sz = sizeof(serial); + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + XMEMSET(serial, 0, sz); if (wolfSSL_X509_REVOKED_get_serial_number(rev, serial, &sz) == WOLFSSL_SUCCESS) { @@ -8926,6 +8954,9 @@ static int X509CRLPrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl, char tmp[MAX_WIDTH]; /* buffer for XSNPRINTF */ int ret = 0; + if (indent < 0) indent = 0; + if (indent > MAX_INDENT) indent = MAX_INDENT; + if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent, "", "CRL extensions:") >= MAX_WIDTH) { ret = WOLFSSL_FAILURE; From dd22fa32434c9e727cedfb31d5b19e816d536f0f Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Mon, 13 Oct 2025 15:27:01 -0500 Subject: [PATCH 8/8] Fix from testing --- src/ssl_bn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl_bn.c b/src/ssl_bn.c index 396c628eb1..b3016a5bbb 100644 --- a/src/ssl_bn.c +++ b/src/ssl_bn.c 
@@ -1139,7 +1139,7 @@ int wolfSSL_BN_cmp(const WOLFSSL_BIGNUM* a, const WOLFSSL_BIGNUM* b) } else { PRAGMA_GCC_DIAG_PUSH - PRAGMA_GCC("GCC diagnostic ignored \"-Werror=duplicated-branches\"") + PRAGMA_GCC("GCC diagnostic ignored \"-Wduplicated-branches\"") /* Compare big numbers with wolfCrypt. */ ret = mp_cmp((mp_int*)a->internal, (mp_int*)b->internal); /* Convert wolfCrypt return value. */