fix for sanity checks on serial input

Author: JacobBarthelmeh

src/x509.c

@@ -15924,13 +15924,13 @@ int wolfSSL_X509_set_serialNumber(WOLFSSL_X509* x509, WOLFSSL_ASN1_INTEGER* s)
 
     /* WOLFSSL_ASN1_INTEGER has type | size | data
      * Sanity check that the data is actually in ASN format */
-    if (s->length < 3 && s->data[0] != ASN_INTEGER &&
+    if (s->length < 3 || s->data[0] != ASN_INTEGER ||
             s->data[1] != s->length - 2) {
         return WOLFSSL_FAILURE;
     }
     XMEMCPY(x509->serial, s->data + 2, s->length - 2);
     x509->serialSz = s->length - 2;
-    x509->serial[s->length] = 0;
+    x509->serial[x509->serialSz] = 0;
 
     return WOLFSSL_SUCCESS;
 }

tests/api/test_x509.c

@@ -243,3 +243,81 @@ int test_x509_GetCAByAKID(void)
 #endif /* WOLFSSL_AKID_NAME */
     return EXPECT_RESULT();
 }
+
+int test_X509_set_serialNumber(void)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+    WOLFSSL_X509*         x509 = NULL;
+    WOLFSSL_ASN1_INTEGER* s    = NULL;
+
+    ExpectNotNull(x509 = wolfSSL_X509_new());
+    ExpectNotNull(s = wolfSSL_ASN1_INTEGER_new());
+
+    /* --- invalid inputs that must be rejected --- */
+
+    /* NULL x509 */
+    ExpectIntEQ(X509_set_serialNumber(NULL, s), WOLFSSL_FAILURE);
+    /* NULL s */
+    ExpectIntEQ(X509_set_serialNumber(x509, NULL), WOLFSSL_FAILURE);
+
+    if (s != NULL) {
+        /* length == 0: too short */
+        s->length  = 0;
+        s->data[0] = ASN_INTEGER;
+        s->data[1] = 0;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_FAILURE);
+
+        /* length == 1: still too short */
+        s->length  = 1;
+        s->data[0] = ASN_INTEGER;
+        s->data[1] = 0;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_FAILURE);
+
+        /* length == 2: still rejected — the guard requires length >= 3 */
+        s->length  = 2;
+        s->data[0] = ASN_INTEGER;
+        s->data[1] = 0;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_FAILURE);
+
+        /* wrong type byte */
+        s->length  = 4;
+        s->data[0] = 0x00; /* not ASN_INTEGER */
+        s->data[1] = 2;    /* length field */
+        s->data[2] = 0x01;
+        s->data[3] = 0x02;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_FAILURE);
+
+        /* mismatched length byte (data[1] != s->length - 2) */
+        s->length  = 4;
+        s->data[0] = ASN_INTEGER;
+        s->data[1] = 99; /* claims 99 bytes but s->length - 2 == 2 */
+        s->data[2] = 0x01;
+        s->data[3] = 0x02;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_FAILURE);
+
+        /* --- valid two-byte serial number --- */
+        s->length  = 4;
+        s->data[0] = ASN_INTEGER;
+        s->data[1] = 2;
+        s->data[2] = 0x01;
+        s->data[3] = 0x02;
+        ExpectIntEQ(wolfSSL_X509_set_serialNumber(x509, s),
+                    WOLFSSL_SUCCESS);
+        ExpectIntEQ(x509->serialSz, 2);
+        /* NUL terminator must be placed right after the copied data */
+        ExpectIntEQ(x509->serial[x509->serialSz], 0);
+        ExpectIntEQ(x509->serial[0], 0x01);
+        ExpectIntEQ(x509->serial[1], 0x02);
+    }
+
+    wolfSSL_ASN1_INTEGER_free(s);
+    wolfSSL_X509_free(x509);
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+    return EXPECT_RESULT();
+}

tests/api/test_x509.h

@@ -24,9 +24,11 @@
 
 int test_x509_rfc2818_verification_callback(void);
 int test_x509_GetCAByAKID(void);
+int test_X509_set_serialNumber(void);
 
 #define TEST_X509_DECLS                                                        \
     TEST_DECL_GROUP("x509", test_x509_rfc2818_verification_callback),          \
-    TEST_DECL_GROUP("x509", test_x509_GetCAByAKID)
+    TEST_DECL_GROUP("x509", test_x509_GetCAByAKID),                            \
+    TEST_DECL_GROUP("x509", test_X509_set_serialNumber)
 
 #endif /* WOLFCRYPT_TEST_X509_H */