From 1cc715865076aa3daaec3ef74a604dbfa420125d Mon Sep 17 00:00:00 2001
From: Lealem Amedie
Date: Fri, 23 Jan 2026 16:51:02 -0700
Subject: [PATCH 1/2] Fix for enc command old algo name format

---
 src/tools/clu_funcs.c     | 64 ++++++++++++++++++++++-----------------
 tests/encrypt/enc-test.sh | 44 +++++++++++++++++++++++++++
 2 files changed, 81 insertions(+), 27 deletions(-)

diff --git a/src/tools/clu_funcs.c b/src/tools/clu_funcs.c
index aa639ad..d5cf7b6 100644
--- a/src/tools/clu_funcs.c
+++ b/src/tools/clu_funcs.c
@@ -722,19 +722,31 @@ static int wolfCLU_parseAlgo(char* name, int* alg, char** mode, int* size)
         nameCheck = 1;
     }
 
-    /* gets mode after second "-" and before the third */
+    /* gets mode and size after the algorithm name, supports both
+     * "alg-size-mode" (aes-256-cbc) and "alg-mode-size" (aes-cbc-256) */
     if (nameCheck != 0) {
-        /* gets size after third "-" */
         sz = strtok_r(NULL, "-", &end);
         if (sz == NULL) {
             return WOLFCLU_FATAL_ERROR;
         }
+        tmpMode = strtok_r(NULL, "-", &end);
+        if (tmpMode == NULL) {
+            return WOLFCLU_FATAL_ERROR;
+        }
+
+        /* if second token isn't numeric, it's the mode (alg-mode-size) */
+        if (sz[0] < '0' || sz[0] > '9') {
+            char* tmp = sz;
+            sz = tmpMode;
+            tmpMode = tmp;
+        }
         *size = XATOI(sz);
     }
-
-    tmpMode = strtok_r(NULL, "-", &end);
-    if (tmpMode == NULL) {
-        return WOLFCLU_FATAL_ERROR;
+    else {
+        tmpMode = strtok_r(NULL, "-", &end);
+        if (tmpMode == NULL) {
+            return WOLFCLU_FATAL_ERROR;
+        }
     }
 
     for (i = 0; i < (int) (sizeof(acceptMode)/sizeof(acceptMode[0])); i++) {
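Review bot: The new `if (nameCheck != 0)` branch decides the token order from `sz[0]` alone and then still hands whatever ends up in `sz` to `XATOI`, so a spelling such as `aes-cbc-foo` swaps to `sz = "foo"` and parses as size 0 without any error at this point; whether a size of 0 is rejected later in wolfCLU_parseAlgo is outside the hunk. Once the swap has been made, check that the chosen size token is all digits and fail on anything else, as below, with `p` a `char*` declared alongside the function's other locals (which are above the hunk). wolfCLU_parseAlgo starts and continues outside the hunk.
```c
        /* if second token isn't numeric, it's the mode (alg-mode-size) */
        if (sz[0] < '0' || sz[0] > '9') {
            char* tmp = sz;
            sz = tmpMode;
            tmpMode = tmp;
        }
        /* the size token must be all digits; XATOI would otherwise turn
         * "aes-cbc-foo" into a size of 0 without reporting anything */
        for (p = sz; *p >= '0' && *p <= '9'; p++) {
        }
        if (*p != '\0') {
            return WOLFCLU_FATAL_ERROR;
        }
        *size = XATOI(sz);
```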
@@ -866,16 +878,16 @@ static int wolfCLU_parseAlgo(char* name, int* alg, char** mode, int* size)
     return ret;
 }
 
-static const char WOLFCLU_AES128CTR_NAME[] = "aes-128-ctr";
-static const char WOLFCLU_AES192CTR_NAME[] = "aes-192-ctr";
-static const char WOLFCLU_AES256CTR_NAME[] = "aes-256-ctr";
-static const char WOLFCLU_AES128CBC_NAME[] = "aes-128-cbc";
-static const char WOLFCLU_AES192CBC_NAME[] = "aes-192-cbc";
-static const char WOLFCLU_AES256CBC_NAME[] = "aes-256-cbc";
-static const char WOLFCLU_CAMELLIA128CBC_NAME[] = "camellia-128-cbc";
-static const char WOLFCLU_CAMELLIA192CBC_NAME[] = "camellia-192-cbc";
-static const char WOLFCLU_CAMELLIA256CBC_NAME[] = "camellia-256-cbc";
-static const char WOLFCLU_DESCBC_NAME[] = "des-cbc";
+static const char WOLFCLU_AES128CTR_NAME[] = "-aes-128-ctr";
+static const char WOLFCLU_AES192CTR_NAME[] = "-aes-192-ctr";
+static const char WOLFCLU_AES256CTR_NAME[] = "-aes-256-ctr";
+static const char WOLFCLU_AES128CBC_NAME[] = "-aes-128-cbc";
+static const char WOLFCLU_AES192CBC_NAME[] = "-aes-192-cbc";
+static const char WOLFCLU_AES256CBC_NAME[] = "-aes-256-cbc";
+static const char WOLFCLU_CAMELLIA128CBC_NAME[] = "-camellia-128-cbc";
+static const char WOLFCLU_CAMELLIA192CBC_NAME[] = "-camellia-192-cbc";
+static const char WOLFCLU_CAMELLIA256CBC_NAME[] = "-camellia-256-cbc";
+static const char WOLFCLU_DESCBC_NAME[] = "-des-cbc";
 
 static const char* algoName[] = {
     WOLFCLU_AES128CTR_NAME,
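Review bot: The ten `*_NAME` strings now carry the leading option dash, but nothing at the definition says why, and a reader comparing them with the mode and size tokens parsed above will wonder whether the dash is an accident. Add a comment above `WOLFCLU_AES128CTR_NAME`, e.g. `/* spelled with the leading '-' so they compare equal to the argv entries that wolfCLU_oldAlgo substitutes them for */`. If any other code prints these names (usage text, error messages), that output now changes as well; that is not visible from this hunk.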
@@ -894,23 +906,21 @@ static const char* algoName[] = {
  * names */
 #define MAX_AES_IDX 6
 static const char* oldAlgoName[] = {
-    "aes-ctr-128",
-    "aes-ctr-192",
-    "aes-ctr-256",
-    "aes-cbc-128",
-    "aes-cbc-192",
-    "aes-cbc-256",
+    "-aes-ctr-128",
+    "-aes-ctr-192",
+    "-aes-ctr-256",
+    "-aes-cbc-128",
+    "-aes-cbc-192",
+    "-aes-cbc-256",
 };
 
 /* convert an old algo name into one optargs can handle */
-static void wolfCLU_oldAlgo(int argc, char** argv, int maxIdx)
+static void wolfCLU_oldAlgo(int argc, char** argv)
 {
-    int end;
     int i, j;
 
-    end = (argc < maxIdx)? argc : maxIdx;
-    for (i = 0; i < end; i++) {
+    for (i = 0; i < argc; i++) {
         for (j = 0; j < MAX_AES_IDX; j++) {
             if (XSTRCMP(argv[i], oldAlgoName[j]) == 0) {
                 argv[i] = (char*)algoName[j];
@@ -957,7 +967,7 @@ int wolfCLU_getAlgo(int argc, char** argv, int* alg, char** mode, int* size)
     int option;
     char name[80];
 
-    wolfCLU_oldAlgo(argc, argv, 3);
+    wolfCLU_oldAlgo(argc, argv);
     XMEMSET(name, 0, sizeof(name));
     XSTRLCPY(name, argv[2], XSTRLEN(argv[2])+1);
     ret = wolfCLU_parseAlgo(name, alg, mode, size);
diff --git a/tests/encrypt/enc-test.sh b/tests/encrypt/enc-test.sh
index 21ee04c..31b7754 100755
--- a/tests/encrypt/enc-test.sh
+++ b/tests/encrypt/enc-test.sh
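Review bot: Removing the `maxIdx` cap makes `wolfCLU_oldAlgo` compare every argv entry against the legacy spellings, so an option value (a file name or a password given on the command line) that happens to equal one of them is rewritten too, where the old bound of 3 confined the substitution to the leading positions. If scanning the whole line is the intent, say so above the loop, e.g. `/* the algorithm flag may appear anywhere on the line, so every argv entry is checked */`, and consider stopping after the first substitution so a later value is left alone. The closing lines of the inner loop are below the hunk.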
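Review bot: The context lines right after the changed call still copy argv[2] into `name[80]` with `XSTRLCPY(name, argv[2], XSTRLEN(argv[2])+1)`, where the third argument is the source length rather than the destination size, so an argument of 80 or more characters writes past `name`; the commit touches the line above it but leaves this in place, and nothing visible here checks `argc > 2` before argv[2] is read. If XSTRLCPY has strlcpy semantics (destination size as the third argument, as the name suggests; worth confirming), change it to `XSTRLCPY(name, argv[2], sizeof(name));` preceded by `if (XSTRLEN(argv[2]) >= sizeof(name)) { return WOLFCLU_FATAL_ERROR; }` so an over-long name is rejected rather than silently truncated and parsed. wolfCLU_getAlgo starts and continues outside the hunk.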
@@ -141,5 +141,49 @@ if [ $? == 0 ]; then
     rm -f test-enc.der
 fi
 
+# test legacy algo names
+run "enc -base64 -aes-cbc-256 -in certs/crl.der -out test-enc.der" "test password"
+run "enc -base64 -d -aes-cbc-256 -in test-enc.der -out test-dec.der" "test password"
+diff "./certs/crl.der" "./test-dec.der" &> /dev/null
+if [ $? != 0 ]; then
+    echo "issue with legacy name aes-cbc-256 round trip"
+    exit 99
+fi
+rm -f test-dec.der
+rm -f test-enc.der
+
+# encrypt with legacy name, decrypt with canonical name
+run "enc -aes-cbc-256 -in certs/crl.der -out test-enc.der" "test password"
+run "enc -d -aes-256-cbc -in test-enc.der -out test-dec.der" "test password"
+diff "./certs/crl.der" "./test-dec.der" &> /dev/null
+if [ $? != 0 ]; then
+    echo "issue with legacy enc / canonical dec"
+    exit 99
+fi
+rm -f test-dec.der
+rm -f test-enc.der
+
+# encrypt with canonical name, decrypt with legacy name
+run "enc -aes-256-cbc -in certs/crl.der -out test-enc.der" "test password"
+run "enc -d -aes-cbc-256 -in test-enc.der -out test-dec.der" "test password"
+diff "./certs/crl.der" "./test-dec.der" &> /dev/null
+if [ $? != 0 ]; then
+    echo "issue with canonical enc / legacy dec"
+    exit 99
+fi
+rm -f test-dec.der
+rm -f test-enc.der
+
+# test legacy name with aes-cbc-128
+run "enc -aes-cbc-128 -in certs/crl.der -out test-enc.der" "test password"
+run "enc -d -aes-cbc-128 -in test-enc.der -out test-dec.der" "test password"
+diff "./certs/crl.der" "./test-dec.der" &> /dev/null
+if [ $? != 0 ]; then
+    echo "issue with legacy name aes-cbc-128 round trip"
+    exit 99
+fi
+rm -f test-dec.der
+rm -f test-enc.der
+
 echo "Done"
 exit 0

From e905c35f908b31018a72ee0cb1517e33328e375f Mon Sep 17 00:00:00 2001
From: Lealem Amedie
Date: Fri, 23 Jan 2026 16:56:58 -0700
Subject: [PATCH 2/2] prevent reading past the end of the buffer

---
 src/tools/clu_funcs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tools/clu_funcs.c b/src/tools/clu_funcs.c
index d5cf7b6..bb1fbc5 100644
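Review bot: The four new test blocks are the same encrypt/decrypt/diff/cleanup sequence copied four times with only the flags and the failure message changing, which makes it easy for one copy to drift (the first block already differs from the others by passing `-base64`). A small helper taking the encrypt flags, the decrypt flags and a label keeps the exact command lines while stating each case on one line, as below. A negative case for a malformed spelling (say `-aes-cbc-foo`, a constructed example) would also pin the parser's rejection path, which no test here covers.
```shell
# round-trip certs/crl.der through "enc" with the given encrypt flags ($1)
# and decrypt flags ($2); $3 labels the case in the failure message
round_trip() {
    run "enc $1 -in certs/crl.der -out test-enc.der" "test password"
    run "enc $2 -in test-enc.der -out test-dec.der" "test password"
    diff "./certs/crl.der" "./test-dec.der" &> /dev/null
    if [ $? != 0 ]; then
        echo "issue with $3"
        exit 99
    fi
    rm -f test-dec.der
    rm -f test-enc.der
}

# test legacy algo names
round_trip "-base64 -aes-cbc-256" "-base64 -d -aes-cbc-256" "legacy name aes-cbc-256 round trip"
round_trip "-aes-cbc-256" "-d -aes-256-cbc" "legacy enc / canonical dec"
round_trip "-aes-256-cbc" "-d -aes-cbc-256" "canonical enc / legacy dec"
round_trip "-aes-cbc-128" "-d -aes-cbc-128" "legacy name aes-cbc-128 round trip"
```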
--- a/src/tools/clu_funcs.c
+++ b/src/tools/clu_funcs.c
@@ -1175,8 +1175,8 @@ int wolfCLU_checkForArg(const char* searchTerm, int length, int argc,
             return 1;
         }
-        else if (XMEMCMP(argv[i], searchTerm, length) == 0 &&
-                 (int)XSTRLEN(argv[i]) == length) {
+        else if ((int)XSTRLEN(argv[i]) == length &&
+                 XMEMCMP(argv[i], searchTerm, length) == 0) {
             ret = i;
             if (argFound == 1) {
                 wolfCLU_LogError("ERROR: argument found twice: \"%s\"", searchTerm);