Fix bugs

CMakeLists.txt

@@ -818,7 +818,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1069")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1070")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)

include/gmssl/version.h

@@ -18,7 +18,7 @@ extern "C" {
 
 
 #define GMSSL_VERSION_NUM	30200
-#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1069"
+#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1070"
 
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);

src/tls13.c

@@ -1349,8 +1349,13 @@ int tls13_do_recv(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
+		if (tls_record_data_length(conn->record) > TLS_MAX_RECORD_SIZE - TLS_RECORD_HEADER_SIZE) {
+			error_print();
+			return -1;
+		}
 		conn->recordlen = tls_record_data_length(conn->record);
 		conn->recv_state = TLS_state_recv_record_data;
+		// pass through
 
 	case TLS_state_recv_record_data:
 		while (conn->recordlen) {
@@ -1579,6 +1584,11 @@ int tls13_recv_early_data(TLS_CONNECT *conn)
 		}
 		return ret;
 	}
+
+	if (conn->datalen > sizeof(conn->early_data_buf)) {
+		error_print();
+		return -1;
+	}
 	memcpy(conn->early_data_buf, conn->data, conn->datalen);
 	conn->early_data_len = conn->datalen;
 
@@ -4305,10 +4315,6 @@ int tls13_send_client_hello(TLS_CONNECT *conn)
 
 		memcpy(conn->plain_record, conn->record, conn->recordlen);
 		conn->plain_recordlen = conn->recordlen;
-
-		if (conn->client_certificate_verify) {
-			sm2_sign_update(&conn->sign_ctx, conn->record + 5, conn->recordlen - 5);
-		}
 	}
 
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -4602,6 +4608,10 @@ int tls13_recv_hello_retry_request(TLS_CONNECT *conn)
 			tls13_send_alert(conn, TLS_alert_decode_error);
 			return -1;
 		}
+		if (cookie_len > sizeof(conn->cookie_buf)) {
+			error_print();
+			return -1;
+		}
 		memcpy(conn->cookie_buf, cookie_data, cookie_datalen);
 		conn->cookie_len = cookie_datalen;
 	}
@@ -4631,10 +4641,6 @@ int tls13_recv_hello_retry_request(TLS_CONNECT *conn)
 		return -1;
 	}
 
-	if (conn->client_certs_len) {
-		sm2_sign_update(&conn->sign_ctx, conn->record + 5, conn->recordlen - 5);
-	}
-
 	return 1;
 }
 
@@ -5282,6 +5288,10 @@ int tls13_recv_server_hello(TLS_CONNECT *conn)
 		}
 
 		// TODO: change psk from buf to reference
+		if (keylen > sizeof(conn->psk)) {
+			error_print();
+			return -1;
+		}
 		memcpy(conn->psk, key, keylen);
 		conn->psk_len = keylen;
 	}
@@ -6849,6 +6859,10 @@ int tls13_recv_client_hello(TLS_CONNECT *conn)
 		// tls13 server ignore legacy_session_id
 		warning_print();
 
+		if (legacy_session_id_len > sizeof(conn->session_id)) {
+			error_print();
+			return -1;
+		}
 		memcpy(conn->session_id, legacy_session_id, legacy_session_id_len);
 		conn->session_id_len = legacy_session_id_len;
 	}

src/x509_cer.c

@@ -1226,6 +1226,7 @@ int x509_signed_from_der(const uint8_t **tbs, size_t *tbslen,
 	return 1;
 }
 
+// FIXME: 应该直接把函数接口的signer_id 改为sign_args
 int x509_signed_verify(const uint8_t *a, size_t alen,
 	const X509_KEY *key, const char *signer_id, size_t signer_id_len)
 {
@@ -1254,9 +1255,10 @@ int x509_signed_verify(const uint8_t *a, size_t alen,
 		return -1;
 	}
 
+	// FIXME: 应该直接把函数接口的signer_id 改为sign_args
 	if (key->algor == OID_ec_public_key && key->algor_param == OID_sm2) {
-		sign_args = SM2_DEFAULT_ID;
+		sign_args = (uint8_t *)signer_id;
-		sign_argslen = SM2_DEFAULT_ID_LENGTH;
+		sign_argslen = signer_id_len;
 	}
 	if (x509_verify_init(&verify_ctx, key, sign_args, sign_argslen, sig, siglen) != 1
 		|| x509_verify_update(&verify_ctx, tbs, tbslen) != 1
@@ -1860,6 +1862,7 @@ int x509_cert_check(const uint8_t *cert, size_t certlen, int cert_type,
 	}
 	if (serial_len < 4) {
 		error_print(); // not enough randomness
+		return -1; // FIXME: 通过宏设置错误？还是返回一个错误原因，让应用判断？
 	}
 
 	time(&now);

src/x509_ext.c

@@ -280,7 +280,7 @@ int x509_ext_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t
 	case OID_ce_policy_constraints: return x509_policy_constraints_print(fp, fmt, ind, name, p, len);
 	case OID_ce_ext_key_usage: return x509_ext_key_usage_print(fp, fmt, ind, name, p, len);
 	case OID_ce_crl_distribution_points: return x509_crl_distribution_points_print(fp, fmt, ind, name, p, len);
-	case OID_ce_inhibit_any_policy: format_print(fp, fmt, ind, "%s: %d\n", name, ival);
+	case OID_ce_inhibit_any_policy: return format_print(fp, fmt, ind, "%s: %d\n", name, ival);
 	case OID_ce_freshest_crl: return x509_freshest_crl_print(fp, fmt, ind, name, p, len);
 	case OID_netscape_cert_type: return x509_netscape_cert_type_print(fp, fmt, ind, name, ival);
 	case OID_netscape_cert_comment: return format_string(fp, fmt, ind, name, p, len);
@@ -1030,7 +1030,7 @@ int x509_general_names_get_next(const uint8_t *gns, size_t gns_len, const uint8_
 		return -1;
 	}
 
-	if (*ptr > gns + gns_len) {
+	if (*ptr < gns  || *ptr > gns + gns_len) {
 		error_print();
 		return -1;
 	}
@@ -2135,7 +2135,7 @@ int x509_general_subtree_from_der(
 		error_print();
 		return -1;
 	}
-	if (*minimum < 0) *minimum = 0;
+	if (minimum && *minimum < 0) *minimum = 0;
 	return 1;
 }
 

src/x509_key.c

@@ -2476,6 +2476,7 @@ void x509_sign_ctx_cleanup(X509_SIGN_CTX *ctx)
 	}
 }
 
+// FIXME: add arg max_outlen ?
 int x509_key_do_exchange(const X509_KEY *key, const X509_KEY *pub, uint8_t *out, size_t *outlen)
 {
 	if (!key || !pub || !out || !outlen) {
@@ -2514,6 +2515,7 @@ int x509_key_do_exchange(const X509_KEY *key, const X509_KEY *pub, uint8_t *out,
 	return 1;
 }
 
+// FIXME: add arg max_outlen ?
 int x509_key_exchange(const X509_KEY *key, const uint8_t *peer_pub, size_t peer_publen, uint8_t *out, size_t *outlen)
 {
 	if (!key || !peer_pub || !out || !outlen) {