From 5a59fdd6fda3d09b8f3422f8f8ebf0859bd6d161 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 24 Oct 2018 17:20:00 -0600 Subject: [PATCH] scan-build warnings --- wolfcrypt/src/asn.c | 4 +++ wolfcrypt/src/pkcs7.c | 62 +++++++++++++++++++++---------------------- 2 files changed, 35 insertions(+), 31 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 3caa915d2..0963b8b57 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -4980,6 +4980,10 @@ int GetAsnTimeString(void* currTime, byte* buf, word32 len) } else if (ts->tm_year >= 100 && ts->tm_year < 150) { year = ts->tm_year - 100; } + else { + WOLFSSL_MSG("unsupported year range"); + return BAD_FUNC_ARG; + } mon = ts->tm_mon + 1; day = ts->tm_mday; hour = ts->tm_hour; diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index f951eb2d3..a1557ed52 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -3414,6 +3414,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, DYNAMIC_TYPE_PKCS7); if (pkcs7->stream->nonce == NULL) { ret = MEMORY_E; + break; } else { pkcs7->stream->nonceSz = contentTypeSz; @@ -3560,6 +3561,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, DYNAMIC_TYPE_PKCS7); if (pkcs7->stream->content == NULL) { ret = MEMORY_E; + break; } else { XMEMCPY(pkcs7->stream->content, content, contentSz); @@ -3595,7 +3597,6 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, return ret; } - pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); wc_PKCS7_StreamGetVar(pkcs7, &pkiMsg2Sz, 0, &length); if (pkcs7->stream->flagOne) { pkiMsg2 = pkiMsg; @@ -3721,7 +3722,6 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, &pkiMsg, &idx)) != 0) { return ret; } - pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); wc_PKCS7_StreamGetVar(pkcs7, &pkiMsg2Sz, 0, &length); if (pkcs7->stream->flagOne) { pkiMsg2 = pkiMsg; 
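Review bot: The new `else` branch in the asn.c hunk makes GetAsnTimeString return `BAD_FUNC_ARG` when `tm_year` falls outside the handled ranges, and that return should be documented on the function together with the year range it accepts. Presumably `year` was left unset on this path before, so a short comment such as `/* year outside the range this branch can encode; fail instead of using an unset value */` would record why the branch exists. The start of the if-chain is outside the hunk, so the lower bound of the accepted range is not visible here.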
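Review bot: In the PKCS7_VerifySignedData hunk at -3414, the failure branch now exits with `pkcs7->stream->nonce == NULL`, but `pkcs7->stream->nonceSz` is only written in the `else`, so it keeps whatever value it had before. If the stream object is used again after MEMORY_E (its reset path is outside the hunk), the pointer and its length disagree; adding `pkcs7->stream->nonceSz = 0;` before the `break` keeps the pair consistent. The hunk at -3560 has the same shape for `pkcs7->stream->content`, whose length field is not visible there and should be checked the same way.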
@@ -3780,7 +3780,6 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, return ret; } - pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); wc_PKCS7_StreamGetVar(pkcs7, &pkiMsg2Sz, 0, &length); if (pkcs7->stream->flagOne) { pkiMsg2 = pkiMsg; @@ -6746,7 +6745,7 @@ static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz, word32* idx, byte* decryptedKey, word32* decryptedKeySz, int* recipFound) { - int length, encryptedKeySz, ret = 0; + int length, encryptedKeySz = 0, ret = 0; int keySz, version, sidType = 0; word32 encOID; word32 keyIdx; @@ -6937,8 +6936,7 @@ static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz, pkcs7->stream->expected, &pkiMsg, idx)) != 0) { return ret; } - - pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); + encryptedKeySz = pkcs7->stream->expected; #endif #ifdef WOLFSSL_SMALL_STACK @@ -7702,12 +7700,12 @@ static int wc_PKCS7_DecryptPwri(PKCS7* pkcs7, byte* in, word32 inSz, /* mark recipFound, since we only support one RecipientInfo for now */ *recipFound = 1; *idx += length; - ret = 0; /* success */ #ifndef NO_PKCS7_STREAM if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) { break; } #endif + ret = 0; /* success */ break; default: @@ -8249,7 +8247,7 @@ static int wc_PKCS7_ParseToRecipientInfoSet(PKCS7* pkcs7, byte* in, word32 inSz, word32* idx, int type) { - int version, length, ret = 0; + int version = 0, length, ret = 0; word32 contentType; byte* pkiMsg = in; word32 pkiMsgSz = inSz; @@ -8374,6 +8372,9 @@ static int wc_PKCS7_ParseToRecipientInfoSet(PKCS7* pkcs7, byte* in, if (ret == 0 && GetLength(pkiMsg, idx, &length, pkiMsgSz) < 0) ret = ASN_PARSE_E; + if (ret < 0) + break; + #ifndef NO_PKCS7_STREAM if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) { break; 
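Review bot: In the wc_PKCS7_DecryptKtri hunk at -6937, `encryptedKeySz = pkcs7->stream->expected;` copies a stream field into an `int` (declared in the -6746 hunk) with no range check and no comment, although it changes behaviour rather than only silencing a warning. The type of `expected` is not visible here; if it is unsigned, a large value turns negative in the conversion, so the value should be checked against the size of the buffer the key is later copied into before it is used as a length. A comment such as `/* restore encrypted key length from stream state */` would also make clear that the line is needed when the function is re-entered. The uses of `encryptedKeySz` are outside the hunk.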
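Review bot: The guard `if (ret < 0) break;` added in the wc_PKCS7_ParseToRecipientInfoSet hunk at -8374 carries no comment saying that it exists to stop `ret = wc_PKCS7_StreamEndCase(...)` just below from overwriting `ASN_PARSE_E`. Without that, a later cleanup could remove it as redundant and parse errors would again be masked in streaming builds; `/* do not let StreamEndCase overwrite a parse error */` would be enough. It is also unbraced while the StreamEndCase check beneath it is braced, so `if (ret < 0) { break; }` would match. The same applies to the guards added in the hunks at -8398, -8443 and -10225.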
@@ -8398,6 +8399,9 @@ static int wc_PKCS7_ParseToRecipientInfoSet(PKCS7* pkcs7, byte* in, if (ret == 0 && GetMyVersion(pkiMsg, idx, &version, pkiMsgSz) < 0) ret = ASN_PARSE_E; + if (ret < 0) + break; + #ifndef NO_PKCS7_STREAM if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) { break; @@ -8443,14 +8447,18 @@ static int wc_PKCS7_ParseToRecipientInfoSet(PKCS7* pkcs7, byte* in, if (ret == 0 && GetSet(pkiMsg, idx, &length, pkiMsgSz) < 0) ret = ASN_PARSE_E; - if (ret == 0) - ret = length; + if (ret < 0) + break; #ifndef NO_PKCS7_STREAM if ((ret = wc_PKCS7_StreamEndCase(pkcs7, &tmpIdx, idx)) != 0) { break; } #endif + + if (ret == 0) + ret = length; + break; default: @@ -8485,9 +8493,9 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in, word32 outputSz) { int recipFound = 0; - int ret, length; + int ret, length = 0; word32 idx = 0, tmpIdx = 0; - word32 contentType, encOID; + word32 contentType, encOID = 0; word32 decryptedKeySz; int expBlockSz = 0, blockKeySz = 0; @@ -8510,6 +8518,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in, return BAD_FUNC_ARG; #ifndef NO_PKCS7_STREAM + (void)tmpIv; /* help out static analysis */ if (pkcs7->stream == NULL) { if ((ret = wc_PKCS7_CreateStream(pkcs7)) != 0) { return ret; @@ -8559,8 +8568,6 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in, case WC_PKCS7_DECRYPT_PWRI: case WC_PKCS7_DECRYPT_ORI: #ifndef NO_PKCS7_STREAM - pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, - inSz); decryptedKey = pkcs7->stream->aad; decryptedKeySz = MAX_ENCRYPTED_KEY_SZ; #endif @@ -8715,7 +8722,6 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* in, return ret; } - pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK, in, inSz); wc_PKCS7_StreamGetVar(pkcs7, &encOID, &expBlockSz, &encryptedContentSz); tmpIv = pkcs7->stream->tmpIv; 
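Review bot: The comment on `(void)tmpIv; /* help out static analysis */` in the wc_PKCS7_DecodeEnvelopedData hunk at -8510 does not say which warning is being silenced or why doing so is safe. The -8715 hunk shows `tmpIv = pkcs7->stream->tmpIv;` in a later state, so the cast presumably covers the initial assignment being dead in streaming builds; `/* tmpIv is re-pointed at pkcs7->stream->tmpIv below; silences dead-store warning */` would record that. The same line is added to wc_PKCS7_DecodeEncryptedData in the hunk at -10043.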
@@ -9234,15 +9240,15 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in, int recipFound = 0; int ret, length; word32 idx = 0, tmpIdx = 0; - word32 contentType, encOID; - word32 decryptedKeySz; + word32 contentType, encOID = 0; + word32 decryptedKeySz = 0; byte* pkiMsg = in; word32 pkiMsgSz = inSz; - int expBlockSz, blockKeySz = 0; + int expBlockSz = 0, blockKeySz = 0; byte authTag[AES_BLOCK_SIZE]; byte nonce[GCM_NONCE_MID_SZ]; /* GCM nonce is larger than CCM */ - int nonceSz, authTagSz, macSz; + int nonceSz = 0, authTagSz = 0, macSz = 0; #ifdef WOLFSSL_SMALL_STACK byte* decryptedKey = NULL; @@ -9296,8 +9302,6 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in, MAX_VERSION_SZ + ASN_TAG_SZ, &pkiMsg, &idx)) != 0) { return ret; } - - pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); #endif #ifdef WOLFSSL_SMALL_STACK decryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap, @@ -9538,7 +9542,6 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in, return ret; } - pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); length = pkcs7->stream->expected; encodedAttribs = pkcs7->stream->aad; #endif @@ -9549,7 +9552,7 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in, if (ret == 0 && wc_PKCS7_ParseAttribs(pkcs7, authAttrib, authAttribSz) < 0) { WOLFSSL_MSG("Error parsing authenticated attributes"); - ret = ASN_PARSE_E; + return ASN_PARSE_E; } idx += length; @@ -9676,7 +9679,6 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in, encodedAttribs = pkcs7->stream->aad; } - pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_SEQ_PEEK, in, inSz); wc_PKCS7_StreamGetVar(pkcs7, &encOID, &blockKeySz, &encryptedContentSz); encryptedContent = pkcs7->stream->bufferPt; #endif 
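Review bot: In the declaration hunk of wc_PKCS7_DecodeAuthEnvelopedData at -9234, `nonceSz`, `authTagSz` and `macSz` are now zero-initialised while the `nonce` and `authTag` arrays beside them stay uninitialised. That quiets the analyzer, but a state entered without these lengths being restored (the restore code is outside the hunk) would then proceed with a zero-length nonce or tag instead of producing a warning. Consider zeroing the buffers too, e.g. `XMEMSET(nonce, 0, sizeof(nonce));`, and rejecting `nonceSz == 0` or `authTagSz == 0` before the values reach the decrypt call.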
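Review bot: Replacing `ret = ASN_PARSE_E;` with `return ASN_PARSE_E;` in the hunk at -9549 exits wc_PKCS7_DecodeAuthEnvelopedData directly, unlike the `ret = ...; break;` form this commit adds elsewhere. The -9296 hunk shows `decryptedKey` heap-allocated under WOLFSSL_SMALL_STACK and the -9703 hunk shows it zeroed and freed on the normal path, so if the function has a common error exit (outside these hunks) this return skips it and leaves key material allocated and uncleared. Assuming this code sits in a switch case like the rest of the state machine, `ret = ASN_PARSE_E;` followed by `break;` keeps the cleanup on the path.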
@@ -9703,9 +9705,7 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in, /* free memory, zero out keys */ ForceZero(encryptedContent, encryptedContentSz); XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7); - if (decryptedKey != NULL) { - ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ); - } + ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ); #ifdef WOLFSSL_SMALL_STACK XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); decryptedKey = NULL; @@ -10027,7 +10027,7 @@ int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* in, word32 inSz, byte tmpIvBuf[MAX_CONTENT_IV_SIZE]; byte *tmpIv = tmpIvBuf; - int encryptedContentSz; + int encryptedContentSz = 0; byte padLen; byte* encryptedContent = NULL; @@ -10043,6 +10043,7 @@ int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* in, word32 inSz, return BAD_FUNC_ARG; #ifndef NO_PKCS7_STREAM + (void)tmpIv; /* help out static analysis */ if (pkcs7->stream == NULL) { if ((ret = wc_PKCS7_CreateStream(pkcs7)) != 0) { return ret; @@ -10208,9 +10209,6 @@ int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* in, word32 inSz, pkiMsgSz = wc_PKCS7_GetMaxStream(pkcs7, PKCS7_DEFAULT_PEEK, in, inSz); - /* restore saved variables */ - expBlockSz = pkcs7->stream->varOne; - /* use IV buffer from stream structure */ tmpIv = pkcs7->stream->tmpIv; length = pkcs7->stream->expected; @@ -10225,6 +10223,8 @@ int wc_PKCS7_DecodeEncryptedData(PKCS7* pkcs7, byte* in, word32 inSz, pkiMsgSz) <= 0) ret = ASN_PARSE_E; + if (ret < 0) + break; #ifndef NO_PKCS7_STREAM /* next chunk of data should contain encrypted content */ pkcs7->stream->varThree = encryptedContentSz;
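Review bot: Dropping the `if (decryptedKey != NULL)` guard in the hunk at -9703 makes `ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ);` unconditional, which is only safe if `decryptedKey` can never be NULL at this point. The -9234 hunk shows it declared as `byte* decryptedKey = NULL;` under WOLFSSL_SMALL_STACK, and whether every path into this state assigns it, including streaming re-entry, is not visible here. Either keep the guard or state the invariant above the call, e.g. `/* decryptedKey is always set before this state is reached */`, once that has been confirmed.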