wolfSSL · douzzer · Oct 14, 2025 · Oct 10, 2025 · Oct 10, 2025 · Oct 10, 2025
diff --git a/src/internal.c b/src/internal.c
@@ -25910,16 +25910,7 @@ int SendData(WOLFSSL* ssl, const void* data, size_t sz)
         }
 #endif /* WOLFSSL_DTLS13 */
 
-#ifdef WOLFSSL_DTLS
-        if (ssl->options.dtls) {
-            buffSz = wolfSSL_GetMaxFragSize(ssl, (word32)sz - sent);
-        }
-        else
-#endif
-        {
-            buffSz = wolfSSL_GetMaxFragSize(ssl, (word32)sz - sent);
-
-        }
+        buffSz = wolfSSL_GetMaxFragSize(ssl, (word32)sz - sent);
 
         if (sent == (word32)sz) break;
 

diff --git a/src/pk.c b/src/pk.c
@@ -737,8 +737,13 @@ static int wolfssl_print_indent(WOLFSSL_BIO* bio, char* line, int lineLen,
     int ret = 1;
 
     if (indent > 0) {
+        int len_wanted;
+        /* Cap indent to buffer size to avoid format truncation warning */
+        if (indent >= lineLen) {
+            indent = lineLen - 1;
+        }
         /* Print indent spaces. */
-        int len_wanted = XSNPRINTF(line, (size_t)lineLen, "%*s", indent, " ");
+        len_wanted = XSNPRINTF(line, (size_t)lineLen, "%*s", indent, " ");
         if ((len_wanted < 0) || (len_wanted >= lineLen)) {
             WOLFSSL_ERROR_MSG("Buffer overflow formatting indentation");
             ret = 0;

diff --git a/src/ssl_bn.c b/src/ssl_bn.c
@@ -1138,6 +1138,8 @@ int wolfSSL_BN_cmp(const WOLFSSL_BIGNUM* a, const WOLFSSL_BIGNUM* b)
         ret = 1;
     }
     else {
+        PRAGMA_GCC_DIAG_PUSH
+        PRAGMA_GCC("GCC diagnostic ignored \"-Wduplicated-branches\"")
         /* Compare big numbers with wolfCrypt. */
         ret = mp_cmp((mp_int*)a->internal, (mp_int*)b->internal);
         /* Convert wolfCrypt return value. */
@@ -1151,8 +1153,11 @@ int wolfSSL_BN_cmp(const WOLFSSL_BIGNUM* a, const WOLFSSL_BIGNUM* b)
             ret = -1;
         }
         else {
+            /* ignored warning here because the same return value
+               was intentional */
             ret = WOLFSSL_FATAL_ERROR; /* also -1 */
         }
+        PRAGMA_GCC_DIAG_POP
     }
 
     return ret;

diff --git a/src/tls.c b/src/tls.c
@@ -5329,9 +5329,14 @@ int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
         SupportedCurve* serverGroup;
 
         ext = TLSX_Find(priority, TLSX_SUPPORTED_GROUPS);
-        serverGroup = (SupportedCurve*)ext->data;
-
-        ret = tlsx_ffdhe_find_group(ssl, clientGroup, serverGroup);
+        if (ext == NULL) {
+            WOLFSSL_MSG("Could not find supported groups extension");
+            ret = 0;
+        }
+        else {
+            serverGroup = (SupportedCurve*)ext->data;
+            ret = tlsx_ffdhe_find_group(ssl, clientGroup, serverGroup);
+        }
     }
 
     TLSX_FreeAll(priority, ssl->heap);

diff --git a/src/x509.c b/src/x509.c
@@ -1474,6 +1474,12 @@ static WOLFSSL_ASN1_STRING* wolfSSL_X509_EXTENSION_get_data_internal(
 
 
 #ifndef NO_BIO
+
+#ifndef MAX_INDENT
+    #define MAX_INDENT 40
+#endif
+
+
 /* Return 0 on success and 1 on failure. Copies ext data to bio, using indent
  *  to pad the output. flag is ignored. */
 int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext,
@@ -1488,6 +1494,9 @@ int wolfSSL_X509V3_EXT_print(WOLFSSL_BIO *out, WOLFSSL_X509_EXTENSION *ext,
     int tmpLen = 0;
     WOLFSSL_ENTER("wolfSSL_X509V3_EXT_print");
 
+    if (indent < 0) indent = 0;
+    if (indent > MAX_INDENT) indent = MAX_INDENT;
+
     if ((out == NULL) || (ext == NULL)) {
         WOLFSSL_MSG("NULL parameter error");
         return rc;
@@ -6320,6 +6329,9 @@ static int X509PrintKeyUsage(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent)
         "Decipher Only"
     };
 
+    if (indent < 0) indent = 0;
+    if (indent > MAX_INDENT) indent = MAX_INDENT;
+
     if (bio == NULL || x509 == NULL) {
         ret = WOLFSSL_FAILURE;
     }
@@ -6491,6 +6503,9 @@ static int X509PrintSerial(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent)
     unsigned char serial[32];
     int  sz = sizeof(serial);
 
+    if (indent < 0) indent = 0;
+    if (indent > MAX_INDENT) indent = MAX_INDENT;
+
     XMEMSET(serial, 0, sz);
     if (wolfSSL_X509_get_serial_number(x509, serial, &sz) == WOLFSSL_SUCCESS) {
         X509PrintSerial_ex(bio, serial, sz, 1, indent);
@@ -6583,6 +6598,9 @@ static int X509PrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent)
     int  count, i;
     char* buf = NULL;
 
+    if (indent < 0) indent = 0;
+    if (indent > MAX_INDENT) indent = MAX_INDENT;
+
     count = wolfSSL_X509_get_ext_count(x509);
     if (count <= 0)
         return WOLFSSL_SUCCESS;
@@ -6996,6 +7014,9 @@ static int X509PrintPubKey(WOLFSSL_BIO* bio, WOLFSSL_X509* x509, int indent)
     int len;
     int ret = WOLFSSL_SUCCESS;
 
+    if (indent < 0) indent = 0;
+    if (indent > MAX_INDENT) indent = MAX_INDENT;
+
     if (bio == NULL || x509 == NULL)
         return BAD_FUNC_ARG;
 
@@ -7083,6 +7104,9 @@ static int X509PrintVersion(WOLFSSL_BIO* bio, int version, int indent)
     char scratch[MAX_WIDTH];
     int scratchLen;
 
+    if (indent < 0) indent = 0;
+    if (indent > MAX_INDENT) indent = MAX_INDENT;
+
     scratchLen = XSNPRINTF(scratch, MAX_WIDTH, "%*s%s", indent, "", "Version:");
     if ((scratchLen < 0) || (scratchLen >= MAX_WIDTH)) {
         return WOLFSSL_FAILURE;
@@ -7116,6 +7140,9 @@ static int X509PrintReqAttributes(WOLFSSL_BIO* bio, WOLFSSL_X509* x509,
     int scratchLen;
     int i = 0;
 
+    if (indent < 0) indent = 0;
+    if (indent > MAX_INDENT) indent = MAX_INDENT;
+
     if ((scratchLen = XSNPRINTF(scratch, MAX_WIDTH,
                                  "%*s%s", indent, "", "Attributes: \n"))
         >= MAX_WIDTH)
@@ -8863,6 +8890,9 @@ static int X509RevokedPrintSerial(WOLFSSL_BIO* bio, RevokedCert* rev,
     unsigned char serial[32];
     int  sz = sizeof(serial);
 
+    if (indent < 0) indent = 0;
+    if (indent > MAX_INDENT) indent = MAX_INDENT;
+
     XMEMSET(serial, 0, sz);
     if (wolfSSL_X509_REVOKED_get_serial_number(rev, serial, &sz)
             == WOLFSSL_SUCCESS) {
@@ -8924,6 +8954,9 @@ static int X509CRLPrintExtensions(WOLFSSL_BIO* bio, WOLFSSL_X509_CRL* crl,
     char tmp[MAX_WIDTH]; /* buffer for XSNPRINTF */
     int  ret = 0;
 
+    if (indent < 0) indent = 0;
+    if (indent > MAX_INDENT) indent = MAX_INDENT;
+
     if (XSNPRINTF(tmp, MAX_WIDTH, "%*s%s\n", indent, "",
                 "CRL extensions:") >= MAX_WIDTH) {
         ret = WOLFSSL_FAILURE;

diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c
@@ -6820,7 +6820,7 @@ void wolfSSL_EVP_init(void)
     }
 
     static int EvpCipherAesGCM(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* dst,
-                               byte* src, word32 len)
+                               const byte* src, word32 len)
     {
         int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
 
@@ -7012,7 +7012,7 @@ void wolfSSL_EVP_init(void)
     }
 
     static int EvpCipherAesCCM(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* dst,
-                               byte* src, word32 len)
+                               const byte* src, word32 len)
     {
         int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
 
@@ -8517,8 +8517,8 @@ void wolfSSL_EVP_init(void)
     }
 
     /* Return length on ok */
-    int wolfSSL_EVP_Cipher(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* dst, byte* src,
-                           word32 len)
+    int wolfSSL_EVP_Cipher(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* dst,
+                           const byte* src, word32 len)
     {
         int ret = WC_NO_ERR_TRACE(WOLFSSL_FAILURE);
 

diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h
@@ -892,7 +892,7 @@ WOLFSSL_API int  wolfSSL_EVP_CIPHER_CTX_set_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, byte
 WOLFSSL_API int  wolfSSL_EVP_CIPHER_CTX_get_iv(WOLFSSL_EVP_CIPHER_CTX* ctx, byte* iv,
                                                      int ivLen);
 WOLFSSL_API int  wolfSSL_EVP_Cipher(WOLFSSL_EVP_CIPHER_CTX* ctx,
-                          unsigned char* dst, unsigned char* src,
+                          unsigned char* dst, const unsigned char* src,
                           unsigned int len);
 
 WOLFSSL_API const WOLFSSL_EVP_CIPHER* wolfSSL_EVP_get_cipherbynid(int id);