Add CMAC cleanup and RSA TLS bounds check

JeremiahM37 · JeremiahM37 · commit 4f0e2ab59e91 · 2026-04-13T16:08:04.000Z
diff --git a/src/wp_cmac.c b/src/wp_cmac.c
@@ -90,6 +90,9 @@ static wp_CmacCtx* wp_cmac_new(WOLFPROV_CTX* provCtx)
 static void wp_cmac_free(wp_CmacCtx* macCtx)
 {
     if (macCtx != NULL) {
+    #ifndef HAVE_FIPS
+        wc_CmacFree(&macCtx->cmac);
+    #endif
         OPENSSL_cleanse(macCtx->key, macCtx->keyLen);
         OPENSSL_clear_free(macCtx, sizeof(*macCtx));
     }
diff --git a/src/wp_rsa_asym.c b/src/wp_rsa_asym.c
@@ -463,6 +463,9 @@ static int wp_rsaa_decrypt(wp_RsaAsymCtx* ctx, unsigned char* out,
             if (ctx->clientVersion <= 0) {
                 ok = 0;
             }
+            if (ok && (outSize < WOLFSSL_MAX_MASTER_KEY_LENGTH)) {
+                ok = 0;
+            }
             if (ok) {
                 byte mask;
                 byte negMask;

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,9 @@ static wp_CmacCtx* wp_cmac_new(WOLFPROV_CTX* provCtx)`
`90`	`90`	`static void wp_cmac_free(wp_CmacCtx* macCtx)`
`91`	`91`	`{`
`92`	`92`	`if (macCtx != NULL) {`
	`93`	`+ #ifndef HAVE_FIPS`
	`94`	`+ wc_CmacFree(&macCtx->cmac);`
	`95`	`+ #endif`
`93`	`96`	`OPENSSL_cleanse(macCtx->key, macCtx->keyLen);`
`94`	`97`	`OPENSSL_clear_free(macCtx, sizeof(*macCtx));`
`95`	`98`	`}`