F-644: fix read of exactly MAX_LEN bytes treated as error

src/crypto/clu_decrypt.c

@@ -156,12 +156,17 @@ int wolfCLU_decrypt(int alg, char* mode, byte* pwdKey, byte* key, int size,
             }
             else {
                 ret = (int)XFREAD(input, 1, MAX_LEN, inFile);
-                if ((ret > 0 && ret != MAX_LEN) || feof(inFile)) {
+                if (ret > 0) {
                     tempMax = ret;
                     ret = 0; /* success */
                 }
                 else {
-                    wolfCLU_LogError("Input file does not exist.");
+                    if (feof(inFile)) {
+                        wolfCLU_LogError("Unexpected end of file.");
+                    }
+                    else {
+                        wolfCLU_LogError("File read error.");
+                    }
                     ret = FREAD_ERROR;
                 }
             }

src/x509/clu_x509_sign.c

@@ -257,7 +257,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
     const char *altSigAlgOid        = "2.5.29.73";
     const char *altSigValOid        = "2.5.29.74";
 
-    /* 
+    /*
      * LARGE_TEMO_SZ defines the size of temporary buffers used for signature key,
      * verification key and signature value buffers.
      * The value 11264 is enough for P-521 and ML-DSA-87 PEM certs.
@@ -397,7 +397,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
                 ret = WOLFCLU_FATAL_ERROR;
             }
         }
-        
+
         if (ret == 0) {
             XMEMSET(caKeyBuf, 0, caKeySz); /* clear original buffer */
             caKeySz = derObj->length;
@@ -667,13 +667,13 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
 
     if (ret == WOLFCLU_SUCCESS) {
         switch (level) {
-            case 2: 
+            case 2:
                 newCert.sigType = CTC_SHA256wECDSA;
                 break;
-            case 3: 
+            case 3:
                 newCert.sigType = CTC_SHA384wECDSA;
                 break;
-            case 5: 
+            case 5:
                 newCert.sigType = CTC_SHA512wECDSA;
                 break;
         }
@@ -691,7 +691,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
             else {
                 ret = WOLFCLU_SUCCESS;
             }
-        }        
+        }
     }
 
     if (ret == WOLFCLU_SUCCESS) {
@@ -715,7 +715,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
     }
 
     if (ret == WOLFCLU_SUCCESS && isCA) {
-        ret = wc_MakeCert(&newCert, scratchBuf, 
+        ret = wc_MakeCert(&newCert, scratchBuf,
                             scratchSz, NULL, &caKey, &rng);
         if (ret <= 0) {
             wolfCLU_LogError("Error making certificate");
@@ -732,7 +732,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
                 scratchSz = ret;
                 ret = WOLFCLU_SUCCESS;
             }
-        }        
+        }
     }
     else if (ret == WOLFCLU_SUCCESS && !isCA) {
         ret = wc_MakeCert(&newCert, scratchBuf, scratchSz,
@@ -1274,7 +1274,13 @@ int wolfCLU_CertSign(WOLFCLU_CERT_SIGN* csign, WOLFSSL_X509* x509)
             case WC_HASH_TYPE_BLAKE2B:
             case WC_HASH_TYPE_BLAKE2S:
 
-    #if LIBWOLFSSL_VERSION_HEX > 0x05001000
+    #if LIBWOLFSSL_VERSION_HEX >= 0x05009000
+            case WC_HASH_TYPE_SHA512_224:
+            case WC_HASH_TYPE_SHA512_256:
+            case WC_HASH_TYPE_SHAKE128:
+            case WC_HASH_TYPE_SHAKE256:
+            case WC_HASH_TYPE_SM3:
+    #elif LIBWOLFSSL_VERSION_HEX > 0x05001000
         #ifndef WOLFSSL_NOSHA512_224
             case WC_HASH_TYPE_SHA512_224:
         #endif

tests/encrypt/enc-test.sh

@@ -185,5 +185,28 @@ fi
 rm -f test-dec.der
 rm -f test-enc.der
 
+# camellia: decrypt file of exactly MAX_LEN bytes (non-EVP path)
+if grep -q "HAVE_CAMELLIA" wolfssl/wolfssl/options.h 2>/dev/null; then
+    dd if=/dev/urandom bs=2048 count=1 of=test_maxlen_camellia.bin 2>/dev/null
+    ./wolfssl encrypt camellia-cbc-128 -pwd testpwd \
+        -in test_maxlen_camellia.bin -out test_maxlen_camellia.enc
+    if [ $? != 0 ]; then
+        echo "failed to encrypt in MAX_LEN boundary test"
+        exit 99
+    fi
+    ./wolfssl decrypt camellia-cbc-128 \
+        -in test_maxlen_camellia.enc -out test_maxlen_camellia.dec -pwd testpwd
+    if [ $? != 0 ]; then
+        echo "failed to decrypt in MAX_LEN boundary test"
+        exit 99
+    fi
+    diff test_maxlen_camellia.bin test_maxlen_camellia.dec &> /dev/null
+    if [ $? != 0 ]; then
+        echo "MAX_LEN boundary: decrypted file does not match original"
+        exit 99
+    fi
+    rm -f test_maxlen_camellia.bin test_maxlen_camellia.enc test_maxlen_camellia.dec
+fi
+
 echo "Done"
 exit 0

tests/ocsp/ocsp-interop-test.sh

@@ -293,7 +293,7 @@ if [ $RESULT = 0 ]; then
 fi
 
 # Check for error message
-grep -qi "fail\|error\|not found\|unable" "$TEST_DIR/test6.log"
+grep -qi "fail\|error\|not found\|unable\|no such\|could not" "$TEST_DIR/test6.log"
 if [ $? != 0 ]; then
     echo "Test 6 failed: expected error message about invalid file"
     exit 99