From 22b2ae7358e4c6cd4e40ac3273eb365ae8802c6f Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Tue, 19 Mar 2019 13:53:27 -0700
Subject: [PATCH] Release Fixes 1. Fix for the enable-afalg option from Jacob
 Barthelmeh. 2. Client fix for enable-sp+enable-sp-math option from David
 Garske. 3. Added a couple of typecasts to some mallocs. 4. Modified the
 option guard for the mask member of Options for the webserver build. 5. Added
 some more padding to the opaque structures used for SHA_CTX and AES_KEY. 6.
 Added WOLFSSL_API to the stack logging functions.

---
 examples/client/client.c              |  3 +-
 src/ssl.c                             |  2 +-
 wolfcrypt/src/port/af_alg/afalg_aes.c | 42 ++++++++++++++++++---------
 wolfcrypt/src/rsa.c                   |  3 +-
 wolfcrypt/test/test.c                 |  4 +--
 wolfssl/internal.h                    |  2 +-
 wolfssl/openssl/aes.h                 |  3 ++
 wolfssl/openssl/sha.h                 |  3 ++
 wolfssl/wolfcrypt/memory.h            |  7 +++++
 9 files changed, 50 insertions(+), 19 deletions(-)

diff --git a/examples/client/client.c b/examples/client/client.c
index 8e73fe8fc..7dccfacd7 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -44,7 +44,8 @@
 
 #ifdef USE_FAST_MATH
     /* included to inspect the size of FP_MAX_BITS */
-    #include <wolfssl/wolfcrypt/tfm.h>
+    /* need integer.h header to make sure right math version used */
+    #include <wolfssl/wolfcrypt/integer.h>
 #endif
 #ifdef HAVE_ECC
     #include <wolfssl/wolfcrypt/ecc.h>
diff --git a/src/ssl.c b/src/ssl.c
index 9b1a49b0e..3db2d0946 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -345,7 +345,7 @@ int wolfSSL_CTX_new_rng(WOLFSSL_CTX* ctx)
         return BAD_FUNC_ARG;
     }
 
-    rng = XMALLOC(sizeof(WC_RNG), ctx->heap, DYNAMIC_TYPE_RNG);
+    rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), ctx->heap, DYNAMIC_TYPE_RNG);
     if (rng == NULL) {
         return MEMORY_E;
     }
diff --git a/wolfcrypt/src/port/af_alg/afalg_aes.c b/wolfcrypt/src/port/af_alg/afalg_aes.c
index d0634ccd5..1a05ccb9e 100644
--- a/wolfcrypt/src/port/af_alg/afalg_aes.c
+++ b/wolfcrypt/src/port/af_alg/afalg_aes.c
@@ -664,17 +664,25 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         return ret;
     }
 
-    /* first 16 bytes was all 0's */
-    iov[0].iov_base = scratch;
-    iov[0].iov_len  = authInSz;
+    {
+        byte* tmp = (byte*)XMALLOC(authInSz, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (tmp == NULL) {
+            return MEMORY_E;
+        }
+        /* first 16 bytes was all 0's */
+        iov[0].iov_base = tmp;
+        (void)scratch;
+        iov[0].iov_len  = authInSz;
 
-    iov[1].iov_base = out;
-    iov[1].iov_len  = sz;
+        iov[1].iov_base = out;
+        iov[1].iov_len  = sz;
 
-    iov[2].iov_base = authTag;
-    iov[2].iov_len  = authTagSz;
+        iov[2].iov_base = authTag;
+        iov[2].iov_len  = authTagSz;
 
-    ret = (int)readv(aes->rdFd, iov, 3);
+        ret = (int)readv(aes->rdFd, iov, 3);
+        XFREE(tmp, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
     if (ret < 0) {
         return ret;
     }
@@ -852,14 +860,22 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         return ret;
     }
 
-    iov[0].iov_base = scratch;
-    iov[0].iov_len  = authInSz;
-    iov[1].iov_base = out;
-    iov[1].iov_len  = sz;
-    ret = (int)readv(aes->rdFd, iov, 2);
+    {
+        byte* tmp = (byte*)XMALLOC(authInSz, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+        if (tmp == NULL) {
+            return MEMORY_E;
+        }
+        iov[0].iov_base = tmp;
+        iov[0].iov_len  = authInSz;
+        iov[1].iov_base = out;
+        iov[1].iov_len  = sz;
+        ret = (int)readv(aes->rdFd, iov, 2);
+        XFREE(tmp, aes->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
     if (ret < 0) {
         return AES_GCM_AUTH_E;
     }
+    (void)scratch;
 #endif
 
     return 0;
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index 6fd562dc2..24dc025cb 100644
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@@ -1839,7 +1839,8 @@ static int wc_RsaFunctionSync(const byte* in, word32 inLen, byte* out,
                 int cleara = 0, clearb = 0;
 
             #ifdef WOLFSSL_SMALL_STACK
-                tmpa = XMALLOC(sizeof(mp_int) * 2, key->heap, DYNAMIC_TYPE_RSA);
+                tmpa = (mp_int*)XMALLOC(sizeof(mp_int) * 2,
+                        key->heap, DYNAMIC_TYPE_RSA);
                 if (tmpa != NULL)
                     tmpb = tmpa + 1;
                 else
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 495b983cf..c6d49a033 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -9208,7 +9208,7 @@ int decodedCertCache_test(void)
 #endif /* defined(WOLFSSL_CERT_GEN_CACHE) && defined(WOLFSSL_TEST_CERT) &&
           defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_CERT_GEN) */
 
-#if !defined(NO_ASN) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
+#if !defined(NO_ASN) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
 static int rsa_flatten_test(RsaKey* key)
 {
     int    ret;
@@ -11575,7 +11575,7 @@ int rsa_test(void)
         return ret;
 #endif
 
-#if !defined(NO_ASN) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
+#if !defined(NO_ASN) && !defined(WOLFSSL_RSA_PUBLIC_ONLY)
     ret = rsa_flatten_test(&key);
     if (ret != 0)
         return ret;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index abf8aa1cf..b374a25c3 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -3182,7 +3182,7 @@ typedef struct Options {
     wc_psk_server_tls13_callback server_psk_tls13_cb;  /* server callback */
 #endif
 #endif /* NO_PSK */
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
     unsigned long     mask; /* store SSL_OP_ flags */
 #endif
 
diff --git a/wolfssl/openssl/aes.h b/wolfssl/openssl/aes.h
index c2c3a4de7..3104bb2e4 100644
--- a/wolfssl/openssl/aes.h
+++ b/wolfssl/openssl/aes.h
@@ -56,6 +56,9 @@ typedef struct WOLFSSL_AES_KEY {
     #ifdef WOLFSSL_AFALG
     void* afalg_holder[288 / sizeof(void*)];
     #endif
+    #ifdef HAVE_PKCS11
+    void* pkcs11_holder[(AES_MAX_ID_LEN + sizeof(int)) / sizeof(void*)];
+    #endif
 } WOLFSSL_AES_KEY;
 typedef WOLFSSL_AES_KEY AES_KEY;
 
diff --git a/wolfssl/openssl/sha.h b/wolfssl/openssl/sha.h
index 23b4488a4..ba84ebb96 100644
--- a/wolfssl/openssl/sha.h
+++ b/wolfssl/openssl/sha.h
@@ -40,6 +40,9 @@
 typedef struct WOLFSSL_SHA_CTX {
     /* big enough to hold wolfcrypt Sha, but check on init */
     void* holder[(112 + WC_ASYNC_DEV_SIZE) / sizeof(void*)];
+    #ifdef WOLF_CRYPTO_CB
+    void* cryptocb_holder[(sizeof(int) + sizeof(void*) + 4) / sizeof(void*)];
+    #endif
 } WOLFSSL_SHA_CTX;
 
 WOLFSSL_API int wolfSSL_SHA_Init(WOLFSSL_SHA_CTX*);
diff --git a/wolfssl/wolfcrypt/memory.h b/wolfssl/wolfcrypt/memory.h
index 75a8995bf..0098e3380 100644
--- a/wolfssl/wolfcrypt/memory.h
+++ b/wolfssl/wolfcrypt/memory.h
@@ -197,6 +197,13 @@ WOLFSSL_API int wolfSSL_GetAllocators(wolfSSL_Malloc_cb*,
     WOLFSSL_API int wolfSSL_MemoryPaddingSz(void);
 #endif /* WOLFSSL_STATIC_MEMORY */
 
+#ifdef WOLFSSL_STACK_LOG
+    WOLFSSL_API void __attribute__((no_instrument_function))
+            __cyg_profile_func_enter(void *func,  void *caller);
+    WOLFSSL_API void __attribute__((no_instrument_function))
+            __cyg_profile_func_exit(void *func, void *caller);
+#endif /* WOLFSSL_STACK_LOG */
+
 #ifdef __cplusplus
     }  /* extern "C" */
 #endif