Merge pull request #9425 from JacobBarthelmeh/pkcs7_stream

dgarske · web-flow · commit 46a2234c61d0 · 2025-11-14T12:59:09.000-08:00
with decode enveloped data track total encrypted content size
diff --git a/tests/api/test_pkcs7.c b/tests/api/test_pkcs7.c
@@ -2129,7 +2129,8 @@ int test_wc_PKCS7_DecodeEnvelopedData_stream(void)
     #ifdef NO_DES3
         ExpectIntEQ(ret, ALGO_ID_E);
     #else
-        ExpectIntGT(ret, 0);
+        /* expecting the size of ca-cert.pem */
+        ExpectIntEQ(ret, 5539);
     #endif
     }
 
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
@@ -12493,6 +12493,7 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in,
             }
 
         #endif
+            pkcs7->totalEncryptedContentSz = 0;
             wc_PKCS7_ChangeState(pkcs7, WC_PKCS7_ENV_5);
             FALL_THROUGH;
 
@@ -12628,6 +12629,10 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in,
                     /* advance idx past encrypted content */
                     localIdx += (word32)encryptedContentSz;
 
+                    /* keep track of total encrypted content size */
+                    pkcs7->totalEncryptedContentSz +=
+                        (word32)encryptedContentSz;
+
                     if (localIdx + ASN_INDEF_END_SZ <= pkiMsgSz) {
                         if (pkiMsg[localIdx] == ASN_EOC &&
                                 pkiMsg[localIdx+1] == ASN_EOC) {
@@ -12673,6 +12678,8 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in,
             } else {
                 pkcs7->cachedEncryptedContentSz =
                     (word32)encryptedContentTotalSz;
+                pkcs7->totalEncryptedContentSz =
+                    (word32)encryptedContentTotalSz;
                 pkcs7->cachedEncryptedContent = (byte*)XMALLOC(
                         pkcs7->cachedEncryptedContentSz, pkcs7->heap,
                     DYNAMIC_TYPE_PKCS7);
@@ -12734,7 +12741,7 @@ int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* in,
                 pkcs7->cachedEncryptedContentSz = 0;
             }
 
-            ret = encryptedContentSz - padLen;
+            ret = (int)pkcs7->totalEncryptedContentSz - padLen;
         #ifndef NO_PKCS7_STREAM
             pkcs7->stream->aad = NULL;
             pkcs7->stream->aadSz = 0;
diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h
@@ -349,6 +349,7 @@ struct wc_PKCS7 {
     /* used by DecodeEnvelopedData with multiple encrypted contents */
     byte*  cachedEncryptedContent;
     word32 cachedEncryptedContentSz;
+    word32 totalEncryptedContentSz; /* track encrypted content across octets */
     WC_BITFIELD contentCRLF:1; /* have content line endings been converted to CRLF */
     WC_BITFIELD contentIsPkcs7Type:1; /* eContent follows PKCS#7 RFC not CMS */
     WC_BITFIELD hashParamsAbsent:1;

Original file line number	Diff line number	Diff line change
`@@ -2129,7 +2129,8 @@ int test_wc_PKCS7_DecodeEnvelopedData_stream(void)`
`2129`	`2129`	`#ifdef NO_DES3`
`2130`	`2130`	`ExpectIntEQ(ret, ALGO_ID_E);`
`2131`	`2131`	`#else`
`2132`		`- ExpectIntGT(ret, 0);`
	`2132`	`+ /* expecting the size of ca-cert.pem */`
	`2133`	`+ ExpectIntEQ(ret, 5539);`
`2133`	`2134`	`#endif`
`2134`	`2135`	`}`
`2135`	`2136`