From 3ef242e889ddae2d79b3998d312ceadc5c011032 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Tue, 29 Sep 2020 23:18:12 -0500 Subject: [PATCH 01/14] tests/api.c: change RSA keysize from 1024 to 2048 for sp-math compatibility, in test_wc_CheckProbablePrime(), test_wc_CheckProbablePrime(), test_wc_RsaPSS_Verify(), test_wc_RsaPSS_VerifyCheck(), test_wc_RsaPSS_VerifyCheck(), test_wc_RsaPSS_VerifyCheckInline(), and test_wolfSSL_DC_cert(). --- tests/api.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/tests/api.c b/tests/api.c index ebdcd3276..65e128478 100644 --- a/tests/api.c +++ b/tests/api.c @@ -13782,15 +13782,15 @@ static int test_wc_CheckProbablePrime (void) WC_RNG rng; byte e[3]; word32 eSz = (word32)sizeof(e); - byte n[512]; /* size of RSA_TEST_BYTES */ + byte n[1024]; /* size of RSA_TEST_BYTES */ word32 nSz = (word32)sizeof(n); - byte d[512]; + byte d[1024]; word32 dSz = (word32)sizeof(d); - byte p[512/2]; + byte p[1024/2]; word32 pSz = (word32)sizeof(p); - byte q[512/2]; + byte q[1024/2]; word32 qSz = (word32)sizeof(q); - int nlen = 1024; + int nlen = 2048; int* isPrime; int test[5]; isPrime = test; @@ -13807,7 +13807,7 @@ static int test_wc_CheckProbablePrime (void) ret = wc_RsaSetRNG(&key, &rng); } if (ret == 0) { - ret = wc_MakeRsaKey(&key, 1024, WC_RSA_EXPONENT, &rng); + ret = wc_MakeRsaKey(&key, 2048, WC_RSA_EXPONENT, &rng); } if (ret == 0) { ret = wc_RsaExportKey(&key, e, &eSz, n, &nSz, d, &dSz, @@ -13906,9 +13906,9 @@ static int test_wc_RsaPSS_Verify (void) ret = wc_RsaSetRNG(&key, &rng); } if (ret == 0) { - ret = wc_MakeRsaKey(&key, 1024, WC_RSA_EXPONENT, &rng); + ret = wc_MakeRsaKey(&key, 2048, WC_RSA_EXPONENT, &rng); } - + if (ret == 0) { ret = wc_RsaPSS_Sign((byte*)szMessage, (word32)XSTRLEN(szMessage)+1, pSignature, sizeof(pSignature), 
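Review bot: The -13906 hunk raises the key size in test_wc_RsaPSS_Verify to 2048 bits but does not touch that function's pSignature declaration, which lies outside the hunk; the sibling test_wc_RsaPSS_VerifyCheck hunk in this same patch had to grow its buffer from 1024/8 to 2048/8, so confirm pSignature here is already at least 256 bytes. The call passes `sizeof(pSignature)` as the output length, so an undersized buffer should make wc_RsaPSS_Sign fail rather than overflow, but the test would then report a PSS failure that has nothing to do with PSS. If it is still 128 bytes, change it to `unsigned char pSignature[2048/8];` in the same commit. The enclosing test function starts and ends outside the hunk.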
@@ -13972,13 +13972,13 @@ static int test_wc_RsaPSS_VerifyCheck (void) !defined(HAVE_FIPS) && defined(WC_RSA_BLINDING) RsaKey key; WC_RNG rng; - int sz = 128; /* 1024/8 */ + int sz = 256; /* 2048/8 */ byte* pt; byte digest[32]; word32 digestSz; - unsigned char pSignature[1024/8]; /* 2048 is RSA_KEY_SIZE */ + unsigned char pSignature[2048/8]; /* 2048 is RSA_KEY_SIZE */ word32 pSignatureSz = sizeof(pSignature); - unsigned char pDecrypted[1024/8]; + unsigned char pDecrypted[2048/8]; word32 outLen = sizeof(pDecrypted); pt = pDecrypted; @@ -13996,7 +13996,7 @@ static int test_wc_RsaPSS_VerifyCheck (void) ret = wc_RsaSetRNG(&key, &rng); } if (ret == 0) { - ret = wc_MakeRsaKey(&key, 1024, WC_RSA_EXPONENT, &rng); + ret = wc_MakeRsaKey(&key, 2048, WC_RSA_EXPONENT, &rng); } if (ret == 0) { digestSz = wc_HashGetDigestSize(WC_HASH_TYPE_SHA256); @@ -14090,7 +14090,7 @@ static int test_wc_RsaPSS_VerifyCheckInline (void) ret = wc_RsaSetRNG(&key, &rng); } if (ret == 0) { - ret = wc_MakeRsaKey(&key, 1024, WC_RSA_EXPONENT, &rng); + ret = wc_MakeRsaKey(&key, 2048, WC_RSA_EXPONENT, &rng); } if (ret == 0) { digestSz = wc_HashGetDigestSize(WC_HASH_TYPE_SHA256); @@ -31718,7 +31718,7 @@ static void test_wolfSSL_DC_cert(void) #else AssertIntEQ(wc_InitRng(&rng), 0); #endif - AssertIntEQ(wc_MakeRsaKey(&key, 1024, 3, &rng), 0); + AssertIntEQ(wc_MakeRsaKey(&key, 2048, 3, &rng), 0); XMEMSET(&cert, 0 , sizeof(Cert)); From 79978f5c7a664a7846ced7064778ff47547a5d82 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 30 Sep 2020 14:24:53 -0500 Subject: [PATCH 02/14] ecc_check_pubkey_order(): add missing braces. --- wolfcrypt/src/ecc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 85a32ed1e..a071d6432 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c 
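Review bot: The test_wolfSSL_DC_cert hunk keeps the public exponent hard-coded as `3` while every other wc_MakeRsaKey call in this patch uses WC_RSA_EXPONENT; e=3 is exactly the exponent for which a lax PKCS#1 v1.5 verifier becomes forgeable (Bleichenbacher 2006), so a test fixture should match the library default unless the small exponent is itself under test. Suggest `AssertIntEQ(wc_MakeRsaKey(&key, 2048, WC_RSA_EXPONENT, &rng), 0);`, or a one-line comment stating why 3 is wanted here. The enclosing test function starts and ends outside the hunk.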
@@ -7328,10 +7328,12 @@ static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a,
if (err == MP_OKAY && !wc_ecc_point_is_at_infinity(inf)) err = ECC_INF_E;
#else
+ {
(void)a; (void)prime; err = WC_KEY_SIZE_E;
+ }
#endif
}
From a4bd2130996f2db5d6394110facd26e59cd3be80 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 30 Sep 2020 14:26:17 -0500
Subject: [PATCH 03/14] configure.ac: improve --enable-all coverage and make it compatible with --enable-sp-math, add --enable-all-crypto (crypto-only subset of --enable-all), and add --enable-linuxkm-defaults ("Enable feature defaults for Linux Kernel Module").
---
configure.ac | 230 +++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 195 insertions(+), 35 deletions(-)
diff --git a/configure.ac b/configure.ac
index 6c7c01025..71c2e855f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -148,6 +148,12 @@ AC_ARG_ENABLE([linuxkm],
[ENABLED_LINUXKM=no]
)
+AC_ARG_ENABLE([linuxkm-defaults],
+ [AS_HELP_STRING([--enable-linuxkm-defaults],[Enable feature defaults for Linux Kernel Module (default: disabled)])],
+ [ENABLED_LINUXKM_DEFAULTS=$enableval],
+ [ENABLED_LINUXKM_DEFAULTS=$ENABLED_LINUXKM]
+ )
+
AC_ARG_WITH([linux-source],
[AS_HELP_STRING([--with-linux-source=PATH],[PATH to root of Linux kernel build tree])],
[KERNEL_ROOT=$withval],
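Review bot: The help string for --enable-linuxkm-defaults says `(default: disabled)`, but the fourth AC_ARG_ENABLE argument sets `ENABLED_LINUXKM_DEFAULTS=$ENABLED_LINUXKM`, so the option is silently on whenever --enable-linuxkm is given. Say so in the text: `[Enable feature defaults for Linux Kernel Module (default: follows --enable-linuxkm)]`. As with the neighbouring options, `$enableval` is stored without being checked against yes/no, so a typo such as `--enable-linuxkm-defaults=ye` turns the defaults off with no diagnostic; a `case` on the value would catch that.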
@@ -186,6 +192,34 @@ then fi +# Single Precision maths implementation +if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" +then + ENABLED_SP_DEFAULT=small +else + ENABLED_SP_DEFAULT=no +fi +AC_ARG_ENABLE([sp], + [AS_HELP_STRING([--enable-sp],[Enable Single Precision maths implementation (default: disabled)])], + [ ENABLED_SP=$enableval ], + [ ENABLED_SP=$ENABLED_SP_DEFAULT ], + ) + + +# Single Precision maths exclusively (no fastmath) +if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" && test "$ENABLED_SP" != "no" +then + ENABLED_SP_MATH_DEFAULT=yes +else + ENABLED_SP_MATH_DEFAULT=no +fi +AC_ARG_ENABLE([sp-math], + [AS_HELP_STRING([--enable-sp-math],[Enable Single Precision math implementation only (default: disabled)])], + [ ENABLED_SP_MATH=$enableval ], + [ ENABLED_SP_MATH=$ENABLED_SP_MATH_DEFAULT ], + ) + + # ALL FEATURES AC_ARG_ENABLE([all], [AS_HELP_STRING([--enable-all],[Enable all wolfSSL features, except SSLv3 (default: disabled)])], @@ -263,6 +297,7 @@ then enable_haproxy=yes enable_stunnel=yes enable_nginx=yes + enable_apachehttpd=yes enable_openvpn=yes enable_asio=yes enable_libwebsockets=yes 
@@ -274,19 +309,168 @@ then enable_indef=yes enable_enckeys=yes enable_hashflags=yes - enable_dhdefaultparams=yes - - # Enable AES Decrypt, AES ECB, Alt Names, DER Load, Keep Certs, CRL IO with Timeout - AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT" + enable_defaultdhparams=yes + enable_arc4=yes + enable_des3=yes + enable_nullcipher=yes + enable_blake2=yes + enable_blake2s=yes + enable_certgencache=yes + enable_md4=yes + enable_postauth=yes + enable_hrrcookie=yes + enable_cryptocb=yes + enable_fallback_scsv=yes + enable_secure_renegotiation=yes + enable_anon=yes + enable_mcast=yes # Enable DH const table speedups (eliminates `-lm` math lib dependency) AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072 -DFP_MAX_BITS=8192" - # Enable ECC Key Gen / Import checks - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DWOLFSSL_VALIDATE_ECC_KEYGEN" + # Enable multiple attribute additions such as DC + AM_CFLAGS="-DWOLFSSL_MULTI_ATTRIB $AM_CFLAGS" + + if test "$ENABLED_SP_MATH" = "no" + then + # Enable AES Decrypt, AES ECB, Alt Names, DER Load, Keep Certs, CRL IO with Timeout + AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT" + + # Enable ECC Key Gen / Import checks + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DWOLFSSL_VALIDATE_ECC_KEYGEN" + else + if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" + then + # Enable AES Decrypt, AES ECB, Alt Names, DER Load, Keep Certs, CRL IO with Timeout + AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT" + else + # Enable AES Decrypt, AES ECB, Alt Names, DER Load, Keep Certs + AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT 
-DKEEP_PEER_CERT" + fi + + # sp-math is incompatible with opensslextra, ECC custom curves, DSA, and WOLFSSL_VALIDATE_ECC_IMPORT: + + # Enable ECC Key Gen + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_KEYGEN" + + enable_openssh=no + enable_opensslextra=no + enable_opensslall=no + enable_dsa=no + enable_ecccustcurves=no + enable_srp=no + enable_certservice=no + enable_jni=no + enable_lighty=no + enable_haproxy=no + enable_stunnel=no + enable_nginx=no + enable_apachehttpd=no + enable_openvpn=no + enable_asio=no + enable_libwebsockets=no + enable_qt=no + + if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" + then + enable_compkey=no + fi + fi +fi + + +# ALL CRYPTO FEATURES +AC_ARG_ENABLE([all-crypto], + [AS_HELP_STRING([--enable-all-crypto],[Enable all wolfcrypt algorithms (default: disabled)])], + [ ENABLED_ALL_CRYPT=$enableval ], + [ ENABLED_ALL_CRYPT=no ] + ) +if test "$ENABLED_ALL_CRYPT" = "yes" +then + enable_atomicuser=yes + enable_pkcallbacks=yes + enable_aesgcm=yes + enable_aesccm=yes + enable_aesctr=yes + enable_aesofb=yes + enable_aescfb=yes + enable_camellia=yes + enable_ripemd=yes + enable_sha512=yes + enable_sha224=yes + enable_sha3=yes + enable_sessioncerts=yes + enable_keygen=yes + enable_certgen=yes + enable_certreq=yes + enable_certext=yes + enable_sep=yes + enable_hkdf=yes + enable_compkey=yes + enable_curve25519=yes + enable_curve448=yes + enable_ed448=yes + enable_ed25519=yes + enable_fpecc=yes + enable_eccencrypt=yes + enable_psk=yes + enable_idea=yes + enable_cmac=yes + enable_xts=yes + enable_hc128=yes + enable_rabbit=yes + enable_ocsp=yes + enable_ocspstapling=yes + enable_ocspstapling2=yes + enable_crl=yes + enable_supportedcurves=yes + enable_tlsx=yes + enable_pkcs7=yes + enable_pwdbased=yes + enable_aeskeywrap=yes + enable_x963kdf=yes + enable_scrypt=yes + enable_indef=yes + enable_enckeys=yes + enable_hashflags=yes + enable_defaultdhparams=yes + enable_arc4=yes + enable_des3=yes + enable_nullcipher=yes + enable_blake2=yes + enable_blake2s=yes + 
enable_certgencache=yes + enable_md4=yes + enable_cryptocb=yes + enable_anon=yes + + # Enable AES Decrypt, AES ECB, Alt Names, DER Load + AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD" + + # Enable DH const table speedups (eliminates `-lm` math lib dependency) + AM_CFLAGS="$AM_CFLAGS -DHAVE_FFDHE_2048 -DHAVE_FFDHE_3072 -DFP_MAX_BITS=8192" # Enable multiple attribute additions such as DC AM_CFLAGS="-DWOLFSSL_MULTI_ATTRIB $AM_CFLAGS" + + if test "$ENABLED_SP_MATH" = "no" + then + enable_dsa=yes + enable_ecccustcurves=yes + + # Enable ECC Key Gen / Import checks + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_KEYGEN -DWOLFSSL_VALIDATE_ECC_IMPORT" + else + # sp-math is incompatible with opensslextra, ECC custom curves, DSA, and WOLFSSL_VALIDATE_ECC_IMPORT: + + # Enable ECC Key Gen checks + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_KEYGEN" + + if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" + then + enable_compkey=no + fi + fi fi @@ -3415,7 +3599,7 @@ fi # Small Stack - Cache on object -if test "$ENABLED_LINUXKM" = "yes" +if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" then ENABLED_SMALL_STACK_CACHE_DEFAULT=yes else @@ -3433,7 +3617,7 @@ then fi # Small Stack -if test "$ENABLED_LINUXKM" = "yes" +if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" then ENABLED_SMALL_STACK_DEFAULT=yes else @@ -4073,7 +4257,7 @@ if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" then FASTMATH_DEFAULT=yes fi -if test "$ENABLED_LINUXKM" = "yes" +if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" then FASTMATH_DEFAULT=no fi 
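Review bot: In the sp-math branch of the --enable-all block, WOLFSSL_VALIDATE_ECC_IMPORT is dropped while WOLFSSL_VALIDATE_ECC_KEYGEN is kept, so an `--enable-all --enable-sp-math` build no longer validates imported ECC public points at import time; if the ECDH shared-secret path does not itself check that the peer point is on the curve, this becomes the configuration in which an invalid-curve point reaches the scalar multiplication, so either confirm that check exists or record the reduced validation in the comment, e.g. `# sp-math cannot build the ECC import check; peer points are only validated at ECDH time`. Separately, --enable-all now switches on RC4, 3DES, MD4, the NULL cipher and anonymous suites, which is right for coverage but makes the help string misleading as a feature list; consider `[Enable all wolfSSL features, except SSLv3 (test-coverage build, not for production; default: disabled)]`. The --enable-all-crypto help text says "all wolfcrypt algorithms" yet the list also sets TLS-level options (ocsp, ocspstapling, crl, tlsx, psk, sessioncerts, anon), so describe it as the crypto-only subset of --enable-all, as the commit message does.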
@@ -4395,19 +4579,6 @@ AS_IF([test "x$ENABLED_INTEL_QA" = "xyes" || test "x$ENABLED_INTEL_QA_SYNC" = "x ]) -# Single Precision maths implementation -if test "$ENABLED_LINUXKM" = "yes" -then - ENABLED_SP_DEFAULT=small -else - ENABLED_SP_DEFAULT=no -fi -AC_ARG_ENABLE([sp], - [AS_HELP_STRING([--enable-sp],[Enable Single Precision maths implementation (default: disabled)])], - [ ENABLED_SP=$enableval ], - [ ENABLED_SP=$ENABLED_SP_DEFAULT ], - ) - ENABLED_SP_RSA=no ENABLED_SP_DH=no ENABLED_SP_FF_2048=no @@ -4654,17 +4825,6 @@ if test "$ENABLED_SP_ASM" = "yes"; then esac fi -if test "$ENABLED_LINUXKM" = "yes" && test "$ENABLED_SP" != "no" -then - ENABLED_SP_MATH_DEFAULT=yes -else - ENABLED_SP_MATH_DEFAULT=no -fi -AC_ARG_ENABLE([sp-math], - [AS_HELP_STRING([--enable-sp-math],[Enable Single Precision math implementation only (default: disabled)])], - [ ENABLED_SP_MATH=$enableval ], - [ ENABLED_SP_MATH=$ENABLED_SP_MATH_DEFAULT ], - ) if test "$ENABLED_SP_MATH" = "yes"; then if test "$ENABLED_SP" = "no"; then AC_MSG_ERROR([Must have SP enabled: --enable-sp]) @@ -5429,8 +5589,8 @@ if test "x$ENABLED_LINUXKM" = "xyes"; then if test "$ENABLED_SMALL_STACK" != "yes"; then AC_MSG_ERROR([--enable-smallstack is required for --enable-linuxkm.]) fi - if test "$ENABLED_SMALL_STACK_CACHE" != "yes"; then - AC_MSG_ERROR([--enable-smallstackcache is required for --enable-linuxkm.]) + if test "$ENABLED_SP_MATH" = "no"; then + AC_MSG_ERROR([--enable-sp-math is required for --enable-linuxkm.]) fi if test "$ENABLED_STACKSIZE" = "yes"; then AC_MSG_ERROR([--enable-stacksize is incompatible with --enable-linuxkm.]) From fd3815c70890b613fc38d1e65f5eb3414fccfcc2 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 30 Sep 2020 15:09:53 -0500 Subject: [PATCH 04/14] configure.ac: include enable_xchacha in --enable-all-crypto. --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 71c2e855f..beae37815 100644 --- a/configure.ac +++ b/configure.ac 
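Review bot: The --enable-linuxkm sanity block replaces the smallstackcache requirement with an sp-math one instead of adding to it, so `--enable-linuxkm --disable-smallstackcache` now configures without complaint; the earlier hunk only makes ENABLED_SMALL_STACK_CACHE_DEFAULT=yes under linuxkm-defaults, which a user can still override. If the cache is still needed inside the kernel (where the stack budget is fixed), keep both checks: `if test "$ENABLED_SMALL_STACK_CACHE" != "yes"; then AC_MSG_ERROR([--enable-smallstackcache is required for --enable-linuxkm.]); fi` ahead of the new sp-math test. If the requirement was dropped on purpose, the commit message should say why.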
@@ -419,6 +419,7 @@ then
enable_xts=yes
enable_hc128=yes
enable_rabbit=yes
+ enable_xchacha=yes
enable_ocsp=yes
enable_ocspstapling=yes
enable_ocspstapling2=yes
From 70474659a04a5f06c9c6d5f7e8fb9fe7c65c1e3d Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 30 Sep 2020 15:11:06 -0500
Subject: [PATCH 05/14] wc_ShaFinal(): remove superfluous ret=0 when WOLF_CRYPTO_CB, complained by PRB-scan-build-distro-check.
---
wolfcrypt/src/sha.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c
index 5c80563e1..8154517de 100644
--- a/wolfcrypt/src/sha.c
+++ b/wolfcrypt/src/sha.c
@@ -679,7 +679,6 @@ int wc_ShaFinal(wc_Sha* sha, byte* hash)
ret = wc_CryptoCb_ShaHash(sha, NULL, 0, hash);
if (ret != CRYPTOCB_UNAVAILABLE) return ret;
- ret = 0; /* reset ret */ /* fall-through when unavailable */ }
#endif
From a3185310ca19a840600b55dc4b8f30a7f0b0446f Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 30 Sep 2020 19:21:19 -0500
Subject: [PATCH 06/14] tests/api.c: clean up and parameterize key/buffers sizes in test_wc_CheckProbablePrime().
---
tests/api.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/tests/api.c b/tests/api.c
index 65e128478..641524d3f 100644
--- a/tests/api.c
+++ b/tests/api.c
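Review bot: With `ret = 0` removed, `ret` still holds CRYPTOCB_UNAVAILABLE when control falls out of the WOLF_CRYPTO_CB block, which is harmless only if every path from there to the function's return assigns `ret` again; wc_ShaFinal's body continues outside the hunk, so that cannot be confirmed here. scan-build calling the store dead means the next access was a write on the paths it analysed, but a conditionally compiled path that returns `ret` untouched would now surface CRYPTOCB_UNAVAILABLE as a hash failure, so check the remaining returns in wc_ShaFinal once before trusting the tool. If a defensive reset is preferred, keep it with a comment that says why: `ret = 0; /* clear CRYPTOCB_UNAVAILABLE before the software fall-through */`.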
@@ -13778,19 +13778,22 @@ static int test_wc_CheckProbablePrime (void) int ret = 0; #if !defined(NO_RSA) && defined(WOLFSSL_KEY_GEN) && !defined(HAVE_SELFTEST) && \ !defined(HAVE_FIPS) && defined(WC_RSA_BLINDING) + +#define CHECK_PROBABLE_PRIME_KEY_BITS 2048 + RsaKey key; WC_RNG rng; byte e[3]; word32 eSz = (word32)sizeof(e); - byte n[1024]; /* size of RSA_TEST_BYTES */ + byte n[CHECK_PROBABLE_PRIME_KEY_BITS / 8]; /* size of RSA_TEST_BYTES */ word32 nSz = (word32)sizeof(n); - byte d[1024]; + byte d[CHECK_PROBABLE_PRIME_KEY_BITS / 8]; word32 dSz = (word32)sizeof(d); - byte p[1024/2]; + byte p[CHECK_PROBABLE_PRIME_KEY_BITS / 8 / 2]; word32 pSz = (word32)sizeof(p); - byte q[1024/2]; + byte q[CHECK_PROBABLE_PRIME_KEY_BITS / 8 / 2]; word32 qSz = (word32)sizeof(q); - int nlen = 2048; + int nlen = CHECK_PROBABLE_PRIME_KEY_BITS; int* isPrime; int test[5]; isPrime = test; @@ -13807,7 +13810,7 @@ static int test_wc_CheckProbablePrime (void) ret = wc_RsaSetRNG(&key, &rng); } if (ret == 0) { - ret = wc_MakeRsaKey(&key, 2048, WC_RSA_EXPONENT, &rng); + ret = wc_MakeRsaKey(&key, CHECK_PROBABLE_PRIME_KEY_BITS, WC_RSA_EXPONENT, &rng); } if (ret == 0) { ret = wc_RsaExportKey(&key, e, &eSz, n, &nSz, d, &dSz, @@ -13873,6 +13876,9 @@ static int test_wc_CheckProbablePrime (void) wc_FreeRng(&rng); printf(resultFmt, ret == 0 ? passed : failed); + +#undef CHECK_PROBABLE_PRIME_KEY_BITS + #endif return ret; From 24b20352f8bf893d8bf654154eea9f0855c46852 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 30 Sep 2020 19:23:12 -0500 Subject: [PATCH 07/14] configure.ac: refactor-for-clarity enable-all[-crypto] feature selection logic conditionalized on sp-math and linuxkm. --- configure.ac | 55 +++++++++++++++++++++++----------------------------- 1 file changed, 24 insertions(+), 31 deletions(-) diff --git a/configure.ac b/configure.ac index beae37815..801832a08 100644 --- a/configure.ac +++ b/configure.ac 
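Review bot: The comment `/* size of RSA_TEST_BYTES */` on `n[]` is now stale: the buffer is CHECK_PROBABLE_PRIME_KEY_BITS / 8 bytes and no longer has anything to do with RSA_TEST_BYTES, so drop it or write `/* modulus, CHECK_PROBABLE_PRIME_KEY_BITS / 8 bytes */`. Defining the macro inside the function and `#undef`-ing it in the -13873 hunk works, but an `enum { CHECK_PROBABLE_PRIME_KEY_BITS = 2048 };` at the top of the function would be visible in a debugger and could not collide with a same-named macro elsewhere in this very large test file. The `wc_MakeRsaKey(&key, CHECK_PROBABLE_PRIME_KEY_BITS, WC_RSA_EXPONENT, &rng);` line also runs past 80 columns, unlike the rest of the hunk. The enclosing function continues past the hunk.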
@@ -331,27 +331,23 @@ then # Enable multiple attribute additions such as DC AM_CFLAGS="-DWOLFSSL_MULTI_ATTRIB $AM_CFLAGS" + # Enable AES Decrypt, AES ECB, Alt Names, DER Load, Keep Certs, CRL IO with Timeout + AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT" + + # Enable ECC Key Gen checks + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_KEYGEN" + + if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" + then + AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT" + fi + if test "$ENABLED_SP_MATH" = "no" then - # Enable AES Decrypt, AES ECB, Alt Names, DER Load, Keep Certs, CRL IO with Timeout - AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT" - - # Enable ECC Key Gen / Import checks - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT -DWOLFSSL_VALIDATE_ECC_KEYGEN" + # Enable ECC Import checks + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT" else - if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" - then - # Enable AES Decrypt, AES ECB, Alt Names, DER Load, Keep Certs, CRL IO with Timeout - AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT" - else - # Enable AES Decrypt, AES ECB, Alt Names, DER Load, Keep Certs - AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD -DKEEP_OUR_CERT -DKEEP_PEER_CERT" - fi - - # sp-math is incompatible with opensslextra, ECC custom curves, DSA, and WOLFSSL_VALIDATE_ECC_IMPORT: - - # Enable ECC Key Gen - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_KEYGEN" + # sp-math is incompatible with opensslextra, ECC custom curves, and DSA: enable_openssh=no enable_opensslextra=no 
@@ -406,7 +402,6 @@ then enable_certext=yes enable_sep=yes enable_hkdf=yes - enable_compkey=yes enable_curve25519=yes enable_curve448=yes enable_ed448=yes @@ -445,6 +440,11 @@ then enable_cryptocb=yes enable_anon=yes + if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" + then + enable_compkey=yes + fi + # Enable AES Decrypt, AES ECB, Alt Names, DER Load AM_CFLAGS="$AM_CFLAGS -DHAVE_AES_DECRYPT -DHAVE_AES_ECB -DWOLFSSL_ALT_NAMES -DWOLFSSL_DER_LOAD" @@ -454,23 +454,16 @@ then # Enable multiple attribute additions such as DC AM_CFLAGS="-DWOLFSSL_MULTI_ATTRIB $AM_CFLAGS" + # Enable ECC Key Gen checks + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_KEYGEN" + if test "$ENABLED_SP_MATH" = "no" then enable_dsa=yes enable_ecccustcurves=yes - # Enable ECC Key Gen / Import checks - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_KEYGEN -DWOLFSSL_VALIDATE_ECC_IMPORT" - else - # sp-math is incompatible with opensslextra, ECC custom curves, DSA, and WOLFSSL_VALIDATE_ECC_IMPORT: - - # Enable ECC Key Gen checks - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_KEYGEN" - - if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" - then - enable_compkey=no - fi + # Enable ECC Import checks + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_VALIDATE_ECC_IMPORT" fi fi From c37ba164bf0f0e8e0b59f9ec127ddf80eab2657d Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 30 Sep 2020 19:54:20 -0500 Subject: [PATCH 08/14] configure.ac: don't include enable_certgencache=yes in --enable-all[-crypto] feature sets, to avoid memory leak false alarms. --- configure.ac | 2 -- 1 file changed, 2 deletions(-) diff --git a/configure.ac b/configure.ac index 801832a08..b814f2f7b 100644 --- a/configure.ac +++ b/configure.ac @@ -315,7 +315,6 @@ then enable_nullcipher=yes enable_blake2=yes enable_blake2s=yes - enable_certgencache=yes enable_md4=yes enable_postauth=yes enable_hrrcookie=yes 
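Review bot: Dropping enable_certgencache from --enable-all "to avoid memory leak false alarms" removes the feature from the broadest CI configuration without establishing whether the reports are false; if the cache legitimately holds memory until the Cert is freed, the fix is a valgrind suppression or an explicit free in the test, and if it really leaks this change hides the leak. Add a comment at the removal site recording the decision and the test that reports it, e.g. `# certgencache left out: its cached cert is reported as leaked under valgrind in the api tests`, so the option is not silently re-added later. The same line is removed from the --enable-all-crypto list in the following hunk.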
@@ -435,7 +434,6 @@ then
enable_nullcipher=yes
enable_blake2=yes
enable_blake2s=yes
- enable_certgencache=yes
enable_md4=yes
enable_cryptocb=yes
enable_anon=yes
From 7fb84574596803b50eafbc1d31b77595a69bbd41 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 30 Sep 2020 23:28:10 -0500
Subject: [PATCH 09/14] fix whitespace.
---
wolfcrypt/src/ecc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index a071d6432..4c4017ae5 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -7328,12 +7328,12 @@ static int ecc_check_pubkey_order(ecc_key* key, ecc_point* pubkey, mp_int* a,
if (err == MP_OKAY && !wc_ecc_point_is_at_infinity(inf)) err = ECC_INF_E;
#else
- {
(void)a; (void)prime; err = WC_KEY_SIZE_E;
- }
+ {
(void)a; (void)prime; err = WC_KEY_SIZE_E;
+ }
#endif
}
From 2ed8f93592e0a2d97296c5c7f12584378a6fb502 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Wed, 30 Sep 2020 23:29:39 -0500
Subject: [PATCH 10/14] src/internal.c: fix memory leaks in ProcessPeerCerts() and GetDhPublicKey().
---
src/internal.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 7fefaed5b..bd64f3f0b 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -11460,6 +11460,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
else {
ssl->peerEccDsaKeyPresent = 1;
#ifdef HAVE_PK_CALLBACKS
+ if (ssl->buffers.peerEccDsaKey.buffer)
+ XFREE(ssl->buffers.peerEccDsaKey.buffer,
+ ssl->heap, DYNAMIC_TYPE_ECC);
ssl->buffers.peerEccDsaKey.buffer =
(byte*)XMALLOC(args->dCert->pubKeySize,
ssl->heap, DYNAMIC_TYPE_ECC);
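Review bot: The new XFREE releases the old peerEccDsaKey allocation but leaves `ssl->buffers.peerEccDsaKey.length` describing it; if the XMALLOC on the next lines fails, `buffer` is NULL while `length` still reports the previous key's size, and a reader that trusts `length` (the function continues outside the hunk, so I cannot see whether one exists) would dereference NULL. Reset both fields together: add `ssl->buffers.peerEccDsaKey.length = 0;` directly after the XFREE. Note also that `peerEccDsaKeyPresent = 1` is set one line before the (re)allocation, so a failed XMALLOC leaves "present" asserted with no buffer; setting that flag only after a successful allocation closes the same gap.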
@@ -21132,9 +21135,20 @@ static int GetDhPublicKey(WOLFSSL* ssl, const byte* input, word32 size,
ssl->buffers.weOwnDH = 1;
- ssl->buffers.serverDH_P.buffer = NULL;
- ssl->buffers.serverDH_G.buffer = NULL;
- ssl->buffers.serverDH_Pub.buffer = NULL;
+ if (ssl->buffers.serverDH_P.buffer) {
+ XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+ ssl->buffers.serverDH_P.buffer = NULL;
+ }
+
+ if (ssl->buffers.serverDH_G.buffer) {
+ XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+ ssl->buffers.serverDH_G.buffer = NULL;
+ }
+
+ if (ssl->buffers.serverDH_Pub.buffer) {
+ XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
+ ssl->buffers.serverDH_Pub.buffer = NULL;
+ }
/* p */ if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
From a522207b1468770a0c4a01d3967b14f1b72e565c Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Thu, 1 Oct 2020 01:10:52 -0500
Subject: [PATCH 11/14] fix memory leaks in src/internal.c:DoSessionTicket() and testsuite/testsuite.c:file_test().
---
src/internal.c | 166 ++++++++++++++++++++++++++----------------
testsuite/testsuite.c | 2 +
2 files changed, 106 insertions(+), 62 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index bd64f3f0b..c004304f2 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -27132,13 +27132,13 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
ret = wc_HmacSetKey(&cookieHmac, cookieType,
ssl->buffers.dtlsCookieSecret.buffer,
ssl->buffers.dtlsCookieSecret.length);
- if (ret != 0) return ret;
+ if (ret != 0) goto out;
ret = wc_HmacUpdate(&cookieHmac,
(const byte*)ssl->buffers.dtlsCtx.peer.sa,
ssl->buffers.dtlsCtx.peer.sz);
- if (ret != 0) return ret;
+ if (ret != 0) goto out;
ret = wc_HmacUpdate(&cookieHmac, input + i, OPAQUE16_LEN);
- if (ret != 0) return ret;
+ if (ret != 0) goto out;
}
#endif /* WOLFSSL_DTLS */
i += OPAQUE16_LEN;
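Review bot: The new XFREEs run after `ssl->buffers.weOwnDH = 1` has already been set unconditionally, so they release whatever serverDH_P/G/Pub pointed at before this call regardless of who owned it; if those pointers can alias parameters owned by the WOLFSSL_CTX (the weOwnDH flag exists to distinguish exactly that case), the old leak becomes a free of ctx memory followed by a double free when the ctx is destroyed. Guard the frees on the prior ownership, reset the `length` fields alongside the pointers, and only then take ownership, as sketched below. If GetDhPublicKey is reached only on the client side where these buffers are always heap-owned, a one-line comment saying so would justify leaving the frees unconditional. The function continues outside the hunk.
```c
/* Release only buffers an earlier call to this function allocated;
 * when weOwnDH was 0 the pointers alias ctx-owned parameters. */
if (ssl->buffers.weOwnDH) {
    if (ssl->buffers.serverDH_P.buffer) {
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    }
    /* ... same XFREE for serverDH_G and serverDH_Pub ... */
}
ssl->buffers.serverDH_P.buffer = NULL;
ssl->buffers.serverDH_P.length = 0;
/* ... same reset for serverDH_G and serverDH_Pub ... */

ssl->buffers.weOwnDH = 1;
```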
@@ -27158,11 +27158,13 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (!ssl->options.downgrade) { WOLFSSL_MSG("Client trying to connect with lesser version"); - return VERSION_ERROR; + ret = VERSION_ERROR; + goto out; } if (pv.minor < ssl->options.minDowngrade) { WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); - return VERSION_ERROR; + ret = VERSION_ERROR; + goto out; } if (pv.minor == SSLv3_MINOR) { @@ -27231,12 +27233,14 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (ssl->version.minor == SSLv3_MINOR && (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { WOLFSSL_MSG("\tError, option set to not allow SSLv3"); - return VERSION_ERROR; + ret = VERSION_ERROR; + goto out; } if (ssl->version.minor < ssl->options.minDowngrade) { WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); - return VERSION_ERROR; + ret = VERSION_ERROR; + goto out; } if (reset) { @@ -27268,7 +27272,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #ifdef WOLFSSL_DTLS if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl) && !ssl->options.resuming) { ret = wc_HmacUpdate(&cookieHmac, input + i, RAN_LEN); - if (ret != 0) return ret; + if (ret != 0) goto out; } #endif /* WOLFSSL_DTLS */ i += RAN_LEN; @@ -27294,15 +27298,17 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif if (b == ID_LEN || bogusID) { - if ((i - begin) + b > helloSz) - return BUFFER_ERROR; + if ((i - begin) + b > helloSz) { + ret = BUFFER_ERROR; + goto out; + } XMEMCPY(ssl->arrays->sessionID, input + i, b); #ifdef WOLFSSL_DTLS if (IsDtlsNotSctpMode(ssl) && !IsSCR(ssl) && !ssl->options.resuming) { ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); - if (ret != 0) return ret; + if (ret != 0) goto out; } #endif /* WOLFSSL_DTLS */ ssl->arrays->sessionIDSz = b; 
@@ -27312,24 +27318,31 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } else if (b) { WOLFSSL_MSG("Invalid session ID size"); - return BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */ + ret = BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */ + goto out; } #ifdef WOLFSSL_DTLS /* cookie */ if (ssl->options.dtls) { - if ((i - begin) + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; + if ((i - begin) + OPAQUE8_LEN > helloSz) { + ret = BUFFER_ERROR; + goto out; + } peerCookieSz = input[i++]; if (peerCookieSz) { - if (peerCookieSz > MAX_COOKIE_LEN) - return BUFFER_ERROR; + if (peerCookieSz > MAX_COOKIE_LEN) { + ret = BUFFER_ERROR; + goto out; + } - if ((i - begin) + peerCookieSz > helloSz) - return BUFFER_ERROR; + if ((i - begin) + peerCookieSz > helloSz) { + ret = BUFFER_ERROR; + goto out; + } XMEMCPY(peerCookie, input + i, peerCookieSz); @@ -27339,22 +27352,30 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif /* suites */ - if ((i - begin) + OPAQUE16_LEN > helloSz) - return BUFFER_ERROR; + if ((i - begin) + OPAQUE16_LEN > helloSz) { + ret = BUFFER_ERROR; + goto out; + } ato16(&input[i], &clSuites.suiteSz); i += OPAQUE16_LEN; /* Cipher suite lists are always multiples of two in length. */ - if (clSuites.suiteSz % 2 != 0) - return BUFFER_ERROR; + if (clSuites.suiteSz % 2 != 0) { + ret = BUFFER_ERROR; + goto out; + } /* suites and compression length check */ - if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) - return BUFFER_ERROR; + if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) { + ret = BUFFER_ERROR; + goto out; + } - if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) - return BUFFER_ERROR; + if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) { + ret = BUFFER_ERROR; + goto out; + } XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz); 
@@ -27366,7 +27387,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */ ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, ssl->heap); if (ret != WOLFSSL_SUCCESS) - return ret; + goto out; extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO); if (extension) { @@ -27383,7 +27404,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (ssl->ctx->method->version.minor > pv.minor) { WOLFSSL_MSG("Client trying to connect with lesser version"); SendAlert(ssl, alert_fatal, inappropriate_fallback); - return VERSION_ERROR; + ret = VERSION_ERROR; + goto out; } } #endif @@ -27393,7 +27415,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ret = wc_HmacUpdate(&cookieHmac, input + i - OPAQUE16_LEN, clSuites.suiteSz + OPAQUE16_LEN); - if (ret != 0) return ret; + if (ret != 0) goto out; } #endif /* WOLFSSL_DTLS */ i += clSuites.suiteSz; @@ -27402,15 +27424,18 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* compression length */ b = input[i++]; - if ((i - begin) + b > helloSz) - return BUFFER_ERROR; + if ((i - begin) + b > helloSz) { + ret = BUFFER_ERROR; + goto out; + } if (b == 0) { WOLFSSL_MSG("No compression types in list"); #ifdef WOLFSSL_EXTRA_ALERTS SendAlert(ssl, alert_fatal, decode_error); #endif - return COMPRESSION_ERROR; + ret = COMPRESSION_ERROR; + goto out; } #ifdef WOLFSSL_DTLS @@ -27419,9 +27444,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, byte newCookie[MAX_COOKIE_LEN]; ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1); - if (ret != 0) return ret; + if (ret != 0) goto out; ret = wc_HmacFinal(&cookieHmac, newCookie); - if (ret != 0) return ret; + if (ret != 0) goto out; /* If a cookie callback is set, call it to overwrite the cookie. * This should be deprecated. The code now calculates the cookie 
@@ -27429,7 +27454,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (ssl->ctx->CBIOCookie != NULL && ssl->ctx->CBIOCookie(ssl, newCookie, cookieSz, ssl->IOCB_CookieCtx) != cookieSz) { - return COOKIE_ERROR; + ret = COOKIE_ERROR; + goto out; } /* Check the cookie, see if we progress the state machine. */ @@ -27442,14 +27468,15 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->keys.dtls_handshake_number = 0; ssl->keys.dtls_expected_peer_handshake_number = 0; *inOutIdx += helloSz; - return SendHelloVerifyRequest(ssl, newCookie, cookieSz); + ret = SendHelloVerifyRequest(ssl, newCookie, cookieSz); + goto out; } } /* This was skipped in the DTLS case so we could handle the hello * verify request. */ ret = HashInput(ssl, input + *inOutIdx, helloSz); - if (ret != 0) return ret; + if (ret != 0) goto out; } #endif /* WOLFSSL_DTLS */ @@ -27481,7 +27508,8 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #ifdef WOLFSSL_EXTRA_ALERTS SendAlert(ssl, alert_fatal, illegal_parameter); #endif - return COMPRESSION_ERROR; + ret = COMPRESSION_ERROR; + goto out; } } 
@@ -27504,34 +27532,39 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #ifdef HAVE_TLS_EXTENSIONS /* auto populate extensions supported unless user defined */ if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0) - return ret; + goto out; #endif - if ((i - begin) + OPAQUE16_LEN > helloSz) - return BUFFER_ERROR; + if ((i - begin) + OPAQUE16_LEN > helloSz) { + ret = BUFFER_ERROR; + goto out; + } ato16(&input[i], &totalExtSz); i += OPAQUE16_LEN; - if ((i - begin) + totalExtSz > helloSz) - return BUFFER_ERROR; + if ((i - begin) + totalExtSz > helloSz) { + ret = BUFFER_ERROR; + goto out; + } #ifdef HAVE_TLS_EXTENSIONS /* tls extensions */ if ((ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, client_hello, &clSuites))) - return ret; + goto out; #ifdef WOLFSSL_TLS13 if (TLSX_Find(ssl->extensions, TLSX_SUPPORTED_VERSIONS) != NULL) { WOLFSSL_MSG( "Client attempting to connect with higher version"); - return VERSION_ERROR; + ret = VERSION_ERROR; + goto out; } #endif #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) if((ret=SNI_Callback(ssl))) - return ret; + goto out; ssl->options.side = WOLFSSL_SERVER_END; #endif @@ -27540,16 +27573,20 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, while (totalExtSz) { word16 extId, extSz; - if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) - return BUFFER_ERROR; + if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) { + ret = BUFFER_ERROR; + goto out; + } ato16(&input[i], &extId); i += OPAQUE16_LEN; ato16(&input[i], &extSz); i += OPAQUE16_LEN; - if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) - return BUFFER_ERROR; + if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) { + ret = BUFFER_ERROR; + goto out; + } if (extId == HELLO_EXT_SIG_ALGO) { word16 hashSigAlgoSz; 
@@ -27557,11 +27594,15 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 ato16(&input[i], &hashSigAlgoSz);
 i += OPAQUE16_LEN;
- if (OPAQUE16_LEN + hashSigAlgoSz > extSz)
- return BUFFER_ERROR;
+ if (OPAQUE16_LEN + hashSigAlgoSz > extSz) {
+ ret = BUFFER_ERROR;
+ goto out;
+ }
- if (hashSigAlgoSz % 2 != 0)
- return BUFFER_ERROR;
+ if (hashSigAlgoSz % 2 != 0) {
+ ret = BUFFER_ERROR;
+ goto out;
+ }
 clSuites.hashSigAlgoSz = hashSigAlgoSz;
 if (clSuites.hashSigAlgoSz > WOLFSSL_MAX_SIGALGO) {
@@ -27598,7 +27639,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 if (ssl->options.resuming) {
 ret = HandleTlsResumption(ssl, bogusID, &clSuites);
 if (ret != 0)
- return ret;
+ goto out;
 #ifdef HAVE_SECURE_RENEGOTIATION
 if (ssl->secure_renegotiation &&
@@ -27608,13 +27649,10 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 #endif
 if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) {
- #ifdef WOLFSSL_DTLS
- wc_HmacFree(&cookieHmac);
- #endif
 WOLFSSL_LEAVE("DoClientHello", ret);
 WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
- return ret;
+ goto out;
 }
 }
@@ -27625,7 +27663,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 * present and no matches in the server's list. */
 ret = TLSX_SupportedFFDHE_Set(ssl);
 if (ret != 0)
- return ret;
+ goto out;
 }
 #endif
 #endif
@@ -27645,14 +27683,18 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 }
 #endif
 #ifdef WOLFSSL_DTLS
- wc_HmacFree(&cookieHmac);
-
 if (ret == 0 && ssl->options.dtls) DtlsMsgPoolReset(ssl);
 #endif
 WOLFSSL_LEAVE("DoClientHello", ret);
 WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
+ out:
+
+#ifdef WOLFSSL_DTLS
+ wc_HmacFree(&cookieHmac);
+#endif
+
 return ret;
 }
diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c
index 79e655aae..039ef9f72 100644
--- a/testsuite/testsuite.c
+++ b/testsuite/testsuite.c
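Review bot: The new `out:` label in the `@@ -27645` hunk runs `wc_HmacFree(&cookieHmac)` on every exit, so each `goto out` introduced here and in the `@@ -27429`, `@@ -27442`, `@@ -27481`, `@@ -27504`, `@@ -27540` and `@@ -27557` hunks is only safe if `cookieHmac` has already been set up when the jump is taken; the declaration and initialisation of `cookieHmac`, and any earlier exits converted to `goto out`, are outside these hunks, so whether a jump can reach the label before the HMAC is initialised cannot be confirmed from this view. If an early `goto out` can precede initialisation, the free would act on an uninitialised object, and either the initialisation should move up to just after the declaration or those early exits should keep returning directly. Stating the invariant at the label, `/* cookieHmac is initialised on every path that reaches out: */`, would make the contract checkable by later edits. The body of DoClientHello begins before the first of these hunks.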
@@ -421,6 +421,8 @@ void file_test(const char* file, byte* check)
 }
 ret = wc_Sha256Final(&sha256, shasum);
+ wc_Sha256Free(&sha256);
+
 if (ret != 0) {
 printf("Can't wc_Sha256Final %d\n", ret);
 fclose(f);
From d900e57ae41f410459b3edd86998ccc3c9aba8a6 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Thu, 1 Oct 2020 18:07:48 -0500
Subject: [PATCH 12/14] improve --enable-linuxkm-defaults fidelity.
---
 configure.ac | 5 +++++
 wolfssl/wolfcrypt/settings.h | 16 ++++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index b814f2f7b..fbcf5024e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -154,6 +154,11 @@ AC_ARG_ENABLE([linuxkm-defaults],
 [ENABLED_LINUXKM_DEFAULTS=$ENABLED_LINUXKM]
 )
+if test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
+then
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_CONST -DWOLFSSL_SP_MOD_WORD_RP -DWOLFSSL_OLD_PRIME_CHECK -DWOLFSSL_SP_DIV_64 -DWOLFSSL_SP_DIV_WORD_HALF -DSP_HALF_SIZE=32 -DSP_HALF_MAX=4294967295U"
+fi
+
 AC_ARG_WITH([linux-source],
 [AS_HELP_STRING([--with-linux-source=PATH],[PATH to root of Linux kernel build tree])],
 [KERNEL_ROOT=$withval],
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index d361db60e..ca3c46b0d 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -2124,10 +2124,18 @@ extern void uITRON4_free(void *p) ;
 #define SIZEOF_LONG 8
 #define SIZEOF_LONG_LONG 8
 #define CHAR_BIT 8
- #define WOLFSSL_SP_DIV_64
- #define WOLFSSL_SP_DIV_WORD_HALF
- #define SP_HALF_SIZE 32
- #define SP_HALF_MAX 4294967295U
+ #ifndef WOLFSSL_SP_DIV_64
+ #define WOLFSSL_SP_DIV_64
+ #endif
+ #ifndef WOLFSSL_SP_DIV_WORD_HALF
+ #define WOLFSSL_SP_DIV_WORD_HALF
+ #endif
+ #ifndef SP_HALF_SIZE
+ #define SP_HALF_SIZE 32
+ #endif
+ #ifndef SP_HALF_MAX
+ #define SP_HALF_MAX 4294967295U
+ #endif
 #endif
From c18f7010cffcc81b2a9b9f5e73849f720b8f2537 Mon Sep 17 00:00:00 2001
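Review bot: `wc_Sha256Free(&sha256)` is added only after `wc_Sha256Final`, so any exit taken from the read/update loop that precedes this hunk would still leave the hash context unreleased; if that loop returns on a `wc_Sha256Update` failure, the free belongs on that path as well. The earlier part of file_test is outside the hunk, so this is inferred rather than confirmed. A short comment on the added line, `/* release the context whether or not Final succeeded */`, would document why the free precedes the error check.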
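Review bot: The added `AM_CFLAGS` line enables `-DWOLFSSL_OLD_PRIME_CHECK` for every `--enable-linuxkm-defaults` build without recording why; if that macro selects the legacy RSA primality test, as its name suggests, it changes the strength of key generation in kernel-module builds and deserves a comment in configure.ac naming the kernel-side constraint that requires it. The same line also hard-codes `SP_HALF_SIZE=32` and `SP_HALF_MAX=4294967295U`, values the settings.h hunk in this patch now declares under `#ifndef` guards, so the two places must be kept in step; a comment such as `# keep in sync with the LINUXKM defaults in wolfssl/wolfcrypt/settings.h` on the new block would help the next maintainer.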
From: Daniel Pouzzner
Date: Fri, 2 Oct 2020 18:54:45 -0500
Subject: [PATCH 13/14] configure.ac: remove enable_apachehttpd and enable_secure_renegotiation from new --enable-all (valgrind woes).
---
 configure.ac | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index fbcf5024e..941fb24b3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -302,7 +302,6 @@ then
 enable_haproxy=yes
 enable_stunnel=yes
 enable_nginx=yes
- enable_apachehttpd=yes
 enable_openvpn=yes
 enable_asio=yes
 enable_libwebsockets=yes
@@ -325,7 +324,6 @@ then
 enable_hrrcookie=yes
 enable_cryptocb=yes
 enable_fallback_scsv=yes
- enable_secure_renegotiation=yes
 enable_anon=yes
 enable_mcast=yes
@@ -370,11 +368,11 @@ then
 enable_asio=no
 enable_libwebsockets=no
 enable_qt=no
+ fi
- if test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
- then
- enable_compkey=no
- fi
+ if test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
+ then
+ enable_compkey=no
 fi
 fi
From 1c492dc0b6000168aea54bb082ce70d4e817daa7 Mon Sep 17 00:00:00 2001
From: Daniel Pouzzner
Date: Tue, 6 Oct 2020 22:14:08 -0500
Subject: [PATCH 14/14] cosmetic cleanups.
---
 src/internal.c | 2 +-
 tests/api.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index c004304f2..39e80d94b 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -27689,7 +27689,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 WOLFSSL_LEAVE("DoClientHello", ret);
 WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
- out:
+ out:
 #ifdef WOLFSSL_DTLS
 wc_HmacFree(&cookieHmac);
diff --git a/tests/api.c b/tests/api.c
index 641524d3f..866000ecb 100644
--- a/tests/api.c
+++ b/tests/api.c
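Review bot: The `@@ -370,11 +368,11 @@` hunk changes behaviour beyond what the subject line describes: the added `fi` closes the enclosing `if` before the `ENABLED_LINUXKM_DEFAULTS` test, so `enable_compkey=no` leaves that inner block and now applies whenever the outer condition alone holds (the inner condition is above the hunk, so exactly which configurations gain the change is inferred). If the broader scope is intended, the commit message should say so; if not, the original nesting should be restored and only the two `enable_*=yes` removals from the first two hunks kept. The enclosing `if`/`then` block starts outside the hunk.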
@@ -13785,7 +13785,7 @@ static int test_wc_CheckProbablePrime (void)
 WC_RNG rng;
 byte e[3];
 word32 eSz = (word32)sizeof(e);
- byte n[CHECK_PROBABLE_PRIME_KEY_BITS / 8]; /* size of RSA_TEST_BYTES */
+ byte n[CHECK_PROBABLE_PRIME_KEY_BITS / 8];
 word32 nSz = (word32)sizeof(n);
 byte d[CHECK_PROBABLE_PRIME_KEY_BITS / 8];
 word32 dSz = (word32)sizeof(d);