- extracted parsing of DER length into a separate function;

- removed accidental Tab in the wolfssl-gnutls-wrapper/src/cipher.c
  file;

Author: gasbytes

wolfssl-gnutls-wrapper/src/cipher.c

@@ -993,11 +993,11 @@ int wolfssl_cipher_decrypt(void *_ctx, const void *src, size_t src_size,
             return GNUTLS_E_INVALID_REQUEST;
         }
 
-	/* Handle 0-byte finalization call, common in cipher APIs for flushing/padding */
-	if (src_size == 0) {
-	   WGW_LOG("Zero-byte decrypt call (finalization), returning success");
-	   return 0;
-	}
+        /* Handle 0-byte finalization call, common in cipher APIs for flushing/padding */
+        if (src_size == 0) {
+            WGW_LOG("Zero-byte decrypt call (finalization), returning success");
+            return 0;
+        }
 
 
         /* Always use the decryption context for decryption operations */

wolfssl-gnutls-wrapper/src/pk.c

@@ -1777,6 +1777,36 @@ static int wolfssl_pk_verify_rsa_pss(const gnutls_datum_t *vdata,
     return 0;
 }
 
+/**
+ * Parse DER length field.
+ *
+ * @param [in]     sig_data  Signature data.
+ * @param [in]     sig_len   Signature data length.
+ * @param [in,out] idx       Current index (updated on success).
+ * @param [out]    len       Parsed length value.
+ * @return  0 on success.
+ * @return  Negative on parsing error.
+ */
+static int parse_der_length(const byte* sig_data, word32 sig_len,
+        word32* idx, word32* len)
+{
+    if (*idx >= sig_len) return -1;
+
+    *len = sig_data[(*idx)++];
+
+    if (*len & 0x80) {
+        /* Long form length */
+        word32 num_bytes = *len & 0x7F;
+        if (num_bytes > 4 || *idx + num_bytes > sig_len) return -1;
+        *len = 0;
+        while (num_bytes--) {
+            *len = (*len << 8) | sig_data[(*idx)++];
+        }
+    }
+
+    return 0;
+}
+
 /**
  * Parse a lenient DER-encoded ECDSA signature to extract r and s.
  *
@@ -1803,17 +1833,7 @@ static int parse_lenient_der_ecdsa_signature(const byte* sig_data, word32 sig_le
     }
 
     /* Parse SEQUENCE length */
-    if (idx >= sig_len) return -1;
-    len = sig_data[idx++];
-    if (len & 0x80) {
-        /* Long form length */
-        word32 num_bytes = len & 0x7F;
-        if (num_bytes > 4 || idx + num_bytes > sig_len) return -1;
-        len = 0;
-        while (num_bytes--) {
-            len = (len << 8) | sig_data[idx++];
-        }
-    }
+    if (parse_der_length(sig_data, sig_len, &idx, &len) != 0) return -1;
 
     /* Parse first INTEGER (r) tag */
     if (idx >= sig_len || sig_data[idx++] != 0x02) {
@@ -1822,19 +1842,13 @@ static int parse_lenient_der_ecdsa_signature(const byte* sig_data, word32 sig_le
     }
 
     /* Parse r length */
-    if (idx >= sig_len) return -1;
-    len = sig_data[idx++];
-    if (len & 0x80) {
-        word32 num_bytes = len & 0x7F;
-        if (num_bytes > 4 || idx + num_bytes > sig_len) return -1;
-        len = 0;
-        while (num_bytes--) {
-            len = (len << 8) | sig_data[idx++];
-        }
-    }
+    if (parse_der_length(sig_data, sig_len, &idx, &len) != 0) return -1;
 
     /* Skip leading zero byte if present (sign byte) */
-    if (len > 0 && idx < sig_len && sig_data[idx] == 0x00) {
+    if (len <= 0)
+        return -1;
+
+    if (idx < sig_len && sig_data[idx] == 0x00) {
         idx++;
         len--;
     }
@@ -1854,16 +1868,7 @@ static int parse_lenient_der_ecdsa_signature(const byte* sig_data, word32 sig_le
     }
 
     /* Parse s length */
-    if (idx >= sig_len) return -1;
-    len = sig_data[idx++];
-    if (len & 0x80) {
-        word32 num_bytes = len & 0x7F;
-        if (num_bytes > 4 || idx + num_bytes > sig_len) return -1;
-        len = 0;
-        while (num_bytes--) {
-            len = (len << 8) | sig_data[idx++];
-        }
-    }
+    if (parse_der_length(sig_data, sig_len, &idx, &len) != 0) return -1;
 
     /* Skip leading zero byte if present (sign byte) */
     if (len > 0 && idx < sig_len && sig_data[idx] == 0x00) {