From ae1da8af4318c8d59103bd506bab2d20a6fe1a69 Mon Sep 17 00:00:00 2001
From: Colton Willey
Date: Mon, 13 Apr 2026 19:05:41 -0700
Subject: [PATCH 1/3] Add missing NULL checks in public API functions

Add NULL and bounds validation to public API entry points that were missing basic argument checks. Fixes span ALPN, session cache, X509, SRP, PrivateKey ID/Label, and OBJ_obj2txt.
---
 src/ssl.c | 9 ++++++---
 src/ssl_load.c | 28 ++++++++++++++++++++++++----
 src/ssl_sess.c | 16 ++++++++++++++--
 src/x509.c | 4 ++--
 wolfcrypt/src/srp.c | 2 ++
 5 files changed, 48 insertions(+), 11 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 58cd6701c02..4e44a6360b8 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -14545,7 +14545,10 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl)
 else if (a->type == WOLFSSL_GEN_DNS || a->type == WOLFSSL_GEN_EMAIL ||
 a->type == WOLFSSL_GEN_URI) {
 bufSz = (int)XSTRLEN((const char*)a->obj);
- XMEMCPY(buf, a->obj, min((word32)bufSz, (word32)bufLen));
+ if (bufSz >= bufLen) {
+ bufSz = bufLen - 1;
+ }
+ XMEMCPY(buf, a->obj, (size_t)bufSz);
 }
 else if ((bufSz = wolfssl_obj2txt_numeric(buf, bufLen, a)) > 0) {
 if ((desc = oid_translate_num_to_str(buf))) {
@@ -17498,7 +17501,7 @@ int wolfSSL_CTX_set_alpn_protos(WOLFSSL_CTX *ctx, const unsigned char *p,
 unsigned int p_len)
 {
 WOLFSSL_ENTER("wolfSSL_CTX_set_alpn_protos");
- if (ctx == NULL)
+ if (ctx == NULL || p == NULL)
 return BAD_FUNC_ARG;
 if (ctx->alpn_cli_protos != NULL) {
 XFREE((void*)ctx->alpn_cli_protos, ctx->heap, DYNAMIC_TYPE_OPENSSL);
@@ -17552,7 +17555,7 @@ int wolfSSL_set_alpn_protos(WOLFSSL* ssl,

 WOLFSSL_ENTER("wolfSSL_set_alpn_protos");

- if (ssl == NULL || p_len <= 1) {
+ if (ssl == NULL || p_len <= 1 || p == NULL) {
 #if defined(WOLFSSL_ERROR_CODE_OPENSSL)
 /* 0 on success in OpenSSL, non-0 on failure in OpenSSL
 * the function reverses the return value convention.
diff --git a/src/ssl_load.c b/src/ssl_load.c
index 0a0fb9e467c..9260aa2b9a1 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
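Review bot: `bufSz = bufLen - 1;` produces -1 when bufLen is 0, and the new `XMEMCPY(buf, a->obj, (size_t)bufSz);` then copies SIZE_MAX bytes; the PATCH 2/3 rewrite of this same hunk keeps that edge, and its `(size_t)bufLen` cast additionally turns a negative bufLen into a huge bound so `objLen >= (size_t)bufLen` never trips. Unless the entry check of the enclosing obj2txt function (outside the hunk; the `@@` context names an unrelated function) already rejects `bufLen <= 0`, that rejection is what is missing, since nothing inside the hunk can recover from it. The copy also leaves `buf[bufSz]` unwritten, so if the code after the hunk does not store `buf[bufSz] = '\0'` the truncated result is unterminated. A comment such as `/* truncate, leaving room for the NUL terminator */` would make the `bufLen - 1` intent explicit.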
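Review bot: `if (ctx == NULL || p == NULL)` leaves `p_len` unchecked while the `wolfSSL_set_alpn_protos` hunk of the same patch rejects `p_len <= 1`, so the two public entry points now disagree on an empty or one-byte protocol list; unless the CTX variant validates the length further down (outside the hunk), use the same condition, `if (ctx == NULL || p == NULL || p_len <= 1)`. The old list is also freed on the very next lines, before the new one has been validated or allocated, so a later failure presumably leaves the context with no ALPN list at all; validating first and freeing last would avoid that. The function body continues outside the hunk.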
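Review bot: in `if (ssl == NULL || p_len <= 1 || p == NULL)` the new pointer test is evaluated after the length test, which reads oddly next to the CTX variant in this patch that checks pointers first; `if (ssl == NULL || p == NULL || p_len <= 1)` is equivalent and keeps the two entry points parallel. Style only; the body continues outside the hunk.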
@@ -4159,6 +4159,10 @@ int wolfSSL_CTX_use_PrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id,

 WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_Id");

+ if (ctx == NULL || id == NULL || sz < 0) {
+ return 0;
+ }
+
 /* Dispose of old private key and allocate and copy in id. */
 FreeDer(&ctx->privateKey);
 if (AllocCopyDer(&ctx->privateKey, id, (word32)sz, PRIVATEKEY_TYPE,
@@ -4227,10 +4231,16 @@ int wolfSSL_CTX_use_PrivateKey_Label(WOLFSSL_CTX* ctx, const char* label,
 int devId)
 {
 int ret = 1;
- word32 sz = (word32)XSTRLEN(label) + 1;
+ word32 sz;

 WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_Label");

+ if (ctx == NULL || label == NULL) {
+ return 0;
+ }
+
+ sz = (word32)XSTRLEN(label) + 1;
+
 /* Dispose of old private key and allocate and copy in label. */
 FreeDer(&ctx->privateKey);
 if (AllocCopyDer(&ctx->privateKey, (const byte*)label, (word32)sz,
@@ -4268,7 +4278,7 @@ int wolfSSL_CTX_use_AltPrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id,

 WOLFSSL_ENTER("wolfSSL_CTX_use_AltPrivateKey_Id");

- if ((ctx == NULL) || (id == NULL)) {
+ if ((ctx == NULL) || (id == NULL) || (sz < 0)) {
 ret = 0;
 }

@@ -4561,6 +4571,10 @@ int wolfSSL_use_PrivateKey_Id(WOLFSSL* ssl, const unsigned char* id,
 {
 int ret = 1;

+ if (ssl == NULL || id == NULL || sz < 0) {
+ return 0;
+ }
+
 /* Dispose of old private key if owned and allocate and copy in id. */
 if (ssl->buffers.weOwnKey) {
 FreeDer(&ssl->buffers.key);
@@ -4629,7 +4643,13 @@ int wolfSSL_use_PrivateKey_id(WOLFSSL* ssl, const unsigned char* id,
 int wolfSSL_use_PrivateKey_Label(WOLFSSL* ssl, const char* label, int devId)
 {
 int ret = 1;
- word32 sz = (word32)XSTRLEN(label) + 1;
+ word32 sz;
+
+ if (ssl == NULL || label == NULL) {
+ return 0;
+ }
+
+ sz = (word32)XSTRLEN(label) + 1;

 /* Dispose of old private key if owned and allocate and copy in label. */
 if (ssl->buffers.weOwnKey) {
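Review bot: `sz < 0` closes the negative case, but `sz` is a `long` that the AllocCopyDer line narrows with `(word32)sz`, so on LP64 platforms a value above 0xFFFFFFFF is silently truncated and only the low 32 bits' worth of `id` is copied; the same pattern is in the `wolfSSL_CTX_use_AltPrivateKey_Id`, `wolfSSL_use_PrivateKey_Id` and `wolfSSL_use_AltPrivateKey_Id` hunks of this patch and behind the `(word32)sz` casts added in PATCH 2/3. Extend the guard so the narrowing cannot change the length, e.g. `if (ctx == NULL || id == NULL || sz < 0 || (unsigned long)sz > 0xFFFFFFFFUL)`, or factor the range check into one static helper shared by the four functions. Whether a zero-length id is meaningful to AllocCopyDer is outside the hunk.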
@@ -4672,7 +4692,7 @@ int wolfSSL_use_AltPrivateKey_Id(WOLFSSL* ssl, const unsigned char* id, long sz,
 {
 int ret = 1;

- if ((ssl == NULL) || (id == NULL)) {
+ if ((ssl == NULL) || (id == NULL) || (sz < 0)) {
 ret = 0;
 }

diff --git a/src/ssl_sess.c b/src/ssl_sess.c
index d28d28976cd..8cea6c7b30f 100644
--- a/src/ssl_sess.c
+++ b/src/ssl_sess.c
@@ -430,10 +430,16 @@ int wolfSSL_memsave_session_cache(void* mem, int sz)
 {
 int i;
 cache_header_t cache_header;
- SessionRow* row = (SessionRow*)((byte*)mem + sizeof(cache_header));
+ SessionRow* row;

 WOLFSSL_ENTER("wolfSSL_memsave_session_cache");

+ if (mem == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ row = (SessionRow*)((byte*)mem + sizeof(cache_header));
+
 if (sz < wolfSSL_get_session_cache_memsize()) {
 WOLFSSL_MSG("Memory buffer too small");
 return BUFFER_E;
@@ -520,10 +526,16 @@ int wolfSSL_memrestore_session_cache(const void* mem, int sz)
 {
 int i;
 cache_header_t cache_header;
- SessionRow* row = (SessionRow*)((byte*)mem + sizeof(cache_header));
+ SessionRow* row;

 WOLFSSL_ENTER("wolfSSL_memrestore_session_cache");

+ if (mem == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ row = (SessionRow*)((byte*)mem + sizeof(cache_header));
+
 if (sz < wolfSSL_get_session_cache_memsize()) {
 WOLFSSL_MSG("Memory buffer too small");
 return BUFFER_E;
diff --git a/src/x509.c b/src/x509.c
index 46dfd38ed43..82e3afb8f8e 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -3277,8 +3277,8 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509V3_EXT_nconf(WOLFSSL_CONF *conf,

 WOLFSSL_ENTER("wolfSSL_X509V3_EXT_nconf");

- if (value == NULL) {
- WOLFSSL_MSG("value NULL parameter");
+ if (value == NULL || sName == NULL) {
+ WOLFSSL_MSG("NULL parameter");
 return NULL;
 }

diff --git a/wolfcrypt/src/srp.c b/wolfcrypt/src/srp.c
index 2d8b4ec3e0d..c8583ffbf93 100644
--- a/wolfcrypt/src/srp.c
+++ b/wolfcrypt/src/srp.c
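Review bot: `row = (SessionRow*)((byte*)mem + sizeof(cache_header));` is now computed before the `sz < wolfSSL_get_session_cache_memsize()` check, so when the caller passes a buffer shorter than `sizeof(cache_header)` the pointer is formed past the end of the object before the size check rejects it, which is undefined behaviour in C even without a dereference and also suggests to a reader that `row` is already valid there. Move the assignment below the size check in both this hunk and the `wolfSSL_memrestore_session_cache` hunk: keep `if (sz < wolfSSL_get_session_cache_memsize()) { ... return BUFFER_E; }` first and only then `row = (SessionRow*)((byte*)mem + sizeof(cache_header));`. Both functions continue outside the hunks.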
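Review bot: the replaced `WOLFSSL_MSG("NULL parameter")` drops which argument was missing, which the old `"value NULL parameter"` text reported and which is the useful detail when a caller is being debugged; keep it with `WOLFSSL_MSG("value or sName NULL parameter")`, or split the two tests so each logs its own name. The rest of `wolfSSL_X509V3_EXT_nconf` is outside the hunk.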
@@ -378,6 +378,8 @@ int wc_SrpSetParams(Srp* srp, const byte* N, word32 nSz,
 if (srp->salt) {
 ForceZero(srp->salt, srp->saltSz);
 XFREE(srp->salt, srp->heap, DYNAMIC_TYPE_SRP);
+ srp->salt = NULL;
+ srp->saltSz = 0;
 }

 srp->salt = (byte*)XMALLOC(saltSz, srp->heap, DYNAMIC_TYPE_SRP);
From fc63047411fa9cc3f24c6c5d37ec4c9c336ab57a Mon Sep 17 00:00:00 2001
From: Mattia Moffa
Date: Mon, 20 Apr 2026 18:11:16 +0200
Subject: [PATCH 2/3] Additional related minor fixes

---
 src/ssl.c | 7 +++++--
 src/ssl_load.c | 8 ++++----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 4e44a6360b8..999fb13845e 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -14544,10 +14544,13 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl)
 }
 else if (a->type == WOLFSSL_GEN_DNS || a->type == WOLFSSL_GEN_EMAIL ||
 a->type == WOLFSSL_GEN_URI) {
- bufSz = (int)XSTRLEN((const char*)a->obj);
- if (bufSz >= bufLen) {
+ size_t objLen = XSTRLEN((const char*)a->obj);
+ if (objLen >= (size_t)bufLen) {
 bufSz = bufLen - 1;
 }
+ else {
+ bufSz = (int)objLen;
+ }
 XMEMCPY(buf, a->obj, (size_t)bufSz);
 }
 else if ((bufSz = wolfssl_obj2txt_numeric(buf, bufLen, a)) > 0) {
diff --git a/src/ssl_load.c b/src/ssl_load.c
index 9260aa2b9a1..c3b5c81dc92 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -4290,7 +4290,7 @@ int wolfSSL_CTX_use_AltPrivateKey_Id(WOLFSSL_CTX* ctx, const unsigned char* id,
 }
 }
 if (ret == 1) {
- XMEMCPY(ctx->altPrivateKey->buffer, id, sz);
+ XMEMCPY(ctx->altPrivateKey->buffer, id, (word32)sz);
 ctx->altPrivateKeyId = 1;
 if (devId != INVALID_DEVID) {
 ctx->altPrivateKeyDevId = devId;
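Review bot: `srp->salt = NULL;` is overwritten by the XMALLOC assignment two lines later, so only `srp->saltSz = 0;` carries information: it keeps saltSz consistent with a NULL salt if that allocation fails. A one-line comment would stop the next reader from removing the reset as a dead store, e.g. `/* reset so a failed XMALLOC below leaves salt/saltSz consistent */`. Whether the failure path actually relies on saltSz being 0 is outside the hunk.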
@@ -4704,12 +4704,12 @@ int wolfSSL_use_AltPrivateKey_Id(WOLFSSL* ssl, const unsigned char* id, long sz,
 #endif
 }
 if (AllocDer(&ssl->buffers.altKey, (word32)sz, ALT_PRIVATEKEY_TYPE,
- ssl->heap) == 0) {
+ ssl->heap) != 0) {
 ret = 0;
 }
 }
 if (ret == 1) {
- XMEMCPY(ssl->buffers.altKey->buffer, id, sz);
+ XMEMCPY(ssl->buffers.altKey->buffer, id, (word32)sz);
 ssl->buffers.weOwnAltKey = 1;
 ssl->buffers.altKeyId = 1;
 if (devId != INVALID_DEVID) {
@@ -4752,7 +4752,7 @@ int wolfSSL_use_AltPrivateKey_Label(WOLFSSL* ssl, const char* label, int devId)
 #endif
 }
 if (AllocDer(&ssl->buffers.altKey, (word32)sz, ALT_PRIVATEKEY_TYPE,
- ssl->heap) == 0) {
+ ssl->heap) != 0) {
 ret = 0;
 }
 }
From c3e5f196436a3c6d2b64b846d1fbffc8a574f0e4 Mon Sep 17 00:00:00 2001
From: Mattia Moffa
Date: Tue, 21 Apr 2026 02:35:57 +0200
Subject: [PATCH 3/3] Address Copilot suggestions

---
 tests/api/test_ossl_x509_ext.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/api/test_ossl_x509_ext.c b/tests/api/test_ossl_x509_ext.c
index 653c0d7e1fe..dfc2451529a 100644
--- a/tests/api/test_ossl_x509_ext.c
+++ b/tests/api/test_ossl_x509_ext.c
@@ -1020,6 +1020,7 @@ int test_wolfSSL_X509V3_EXT_nconf(void)
 ExpectNull(X509V3_EXT_nconf(NULL, NULL, ext_names[0], NULL));
 ExpectNull(X509V3_EXT_nconf_nid(NULL, NULL, ext_nids[0], NULL));
 ExpectNull(X509V3_EXT_nconf(NULL, NULL, "", ext_values[0]));
+ ExpectNull(X509V3_EXT_nconf(NULL, NULL, NULL, ext_values[0]));
 ExpectNull(X509V3_EXT_nconf_nid(NULL, NULL, 0, ext_values[0]));

 /* conf and ctx ignored. */
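Review bot: flipping `== 0` to `!= 0` on the AllocDer result is a real fix, assuming AllocDer follows the 0-on-success convention the change implies: with the old test a successful allocation set `ret = 0` and a failed one left `ret == 1`, reaching the `XMEMCPY(ssl->buffers.altKey->buffer, ...)` with a presumably NULL buffer, yet the series adds no regression test for it (PATCH 3/3 only covers X509V3_EXT_nconf). Add a tests/api case that calls `wolfSSL_use_AltPrivateKey_Id` and `wolfSSL_use_AltPrivateKey_Label` on a valid WOLFSSL object and expects 1, which would have failed before these hunks. Whether the CTX-level `wolfSSL_CTX_use_AltPrivateKey_*` functions carry the same inverted test is outside these hunks and worth checking.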
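Review bot: the new `ExpectNull(X509V3_EXT_nconf(NULL, NULL, NULL, ext_values[0]));` covers only the x509.c check; the NULL and negative-length guards PATCH 1/3 adds to `wolfSSL_CTX_set_alpn_protos`, `wolfSSL_set_alpn_protos`, `wolfSSL_memsave_session_cache`, `wolfSSL_memrestore_session_cache` and the `*_use_PrivateKey_Id`/`_Label` functions have no corresponding test. Each is a one-liner of the same shape under the build options that compile them, e.g. `ExpectIntEQ(wolfSSL_CTX_set_alpn_protos(ctx, NULL, 0), BAD_FUNC_ARG);` and `ExpectIntEQ(wolfSSL_memsave_session_cache(NULL, 0), BAD_FUNC_ARG);`.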