diff --git a/ctaocrypt/benchmark/benchmark.c b/ctaocrypt/benchmark/benchmark.c index 6ca7b1abe..a8df9d993 100644 --- a/ctaocrypt/benchmark/benchmark.c +++ b/ctaocrypt/benchmark/benchmark.c @@ -619,6 +619,7 @@ RNG rng; void bench_rsa(void) { int i; + int ret; byte tmp[3072]; size_t bytes; word32 idx = 0; @@ -654,14 +655,18 @@ void bench_rsa(void) if (RsaInitCavium(&rsaKey, CAVIUM_DEV_ID) != 0) printf("RSA init cavium failed\n"); #endif - InitRng(&rng); + ret = InitRng(&rng); + if (ret < 0) { + printf("InitRNG failed\n"); + return; + } InitRsaKey(&rsaKey, 0); - bytes = RsaPrivateKeyDecode(tmp, &idx, &rsaKey, (word32)bytes); + ret = RsaPrivateKeyDecode(tmp, &idx, &rsaKey, (word32)bytes); start = current_time(1); for (i = 0; i < times; i++) - bytes = RsaPublicEncrypt(message,len,enc,sizeof(enc), &rsaKey, &rng); + ret = RsaPublicEncrypt(message,len,enc,sizeof(enc), &rsaKey, &rng); total = current_time(0) - start; each = total / times; /* per second */ @@ -670,11 +675,16 @@ void bench_rsa(void) printf("RSA %d encryption took %6.2f milliseconds, avg over %d" " iterations\n", rsaKeySz, milliEach, times); + if (ret < 0) { + printf("Rsa Public Encrypt failed\n"); + return; + } + start = current_time(1); for (i = 0; i < times; i++) { byte out[512]; /* for up to 4096 bit */ - RsaPrivateDecrypt(enc, (word32)bytes, out, sizeof(out), &rsaKey); + RsaPrivateDecrypt(enc, (word32)ret, out, sizeof(out), &rsaKey); } total = current_time(0) - start; @@ -736,6 +746,9 @@ void bench_dh(void) bytes = DhKeyDecode(tmp, &idx, &dhKey, (word32)bytes); if (bytes != 0) { printf("dhekydecode failed, can't benchmark\n"); + #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) + fclose(file); + #endif return; } diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 0cc31abf8..fcf812e8f 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c 
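Review bot: The result of `RsaPrivateKeyDecode` is now stored in `ret` in bench_rsa but never tested, and the encrypt loop that follows overwrites it, so a key that failed to decode only surfaces later as an encrypt failure. Assuming the decode reports errors as negative values like the other calls checked in this commit, a test placed right after it stops the benchmark at the real cause: `if (ret < 0) { printf("RSA key decode failed\n"); return; }`. The loop also keeps only the last iteration's `ret`, so an earlier failed encrypt goes unnoticed when the final one succeeds. The function starts and ends outside this hunk, so whether the new early returns skip any cleanup cannot be judged from here.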
@@ -791,6 +791,8 @@ static int DecryptKey(const char* password, int passwordSz, byte* salt, ret += PKCS12_PBKDF(cbcIv, unicodePasswd, idx, salt, saltSz, iterations, 8, typeH, 2); } + else + return ALGO_ID_E; if (ret != 0) return ret; @@ -1610,7 +1612,7 @@ static int GetName(DecodedCert* cert, int nameType) } if (email) { - if (14 > (ASN_NAME_MAX - idx)) { + if ( (14 + adv) > (int)(ASN_NAME_MAX - idx)) { CYASSL_MSG("ASN name too big, skipping"); tooBig = TRUE; } @@ -1633,7 +1635,7 @@ static int GetName(DecodedCert* cert, int nameType) } if (uid) { - if (5 > (ASN_NAME_MAX - idx)) { + if ( (5 + adv) > (int)(ASN_NAME_MAX - idx)) { CYASSL_MSG("ASN name too big, skipping"); tooBig = TRUE; } diff --git a/ctaocrypt/src/hmac.c b/ctaocrypt/src/hmac.c index 63c3967ad..ce5fe2920 100644 --- a/ctaocrypt/src/hmac.c +++ b/ctaocrypt/src/hmac.c @@ -154,7 +154,8 @@ void HmacSetKey(Hmac* hmac, int type, const byte* key, word32 length) default: break; } - XMEMSET(ip + length, 0, hmac_block_size - length); + if ( (hmac_block_size - length) > 0) + XMEMSET(ip + length, 0, hmac_block_size - length); for(i = 0; i < hmac_block_size; i++) { op[i] = ip[i] ^ OPAD; diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index 0f9b434f3..202170a2c 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -2110,6 +2110,7 @@ int rsa_test(void) "Please run from CyaSSL home dir", -40); bytes = fread(tmp, 1, FOURK_BUF, file); + fclose(file); #endif /* USE_CERT_BUFFERS */ #ifdef HAVE_CAVIUM @@ -2151,6 +2152,7 @@ int rsa_test(void) return -49; bytes = fread(tmp, 1, FOURK_BUF, file2); + fclose(file2); #endif #ifdef CYASSL_TEST_CERT @@ -2164,10 +2166,6 @@ int rsa_test(void) (void)bytes; #endif -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - fclose(file2); - fclose(file); -#endif #ifdef CYASSL_KEY_GEN { @@ -2541,6 +2539,7 @@ int dh_test(void) return -50; bytes = (word32) fread(tmp, 1, sizeof(tmp), file); + fclose(file); #endif /* USE_CERT_BUFFERS */ InitDhKey(&key); 
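Review bot: The new bound `(14 + adv) > (int)(ASN_NAME_MAX - idx)` in the email branch of GetName adds a constant to `adv` before comparing, and `adv` appears to be a length taken from the certificate being parsed, so a very large value could overflow the signed addition before the comparison runs. Keeping the arithmetic on the side the parser controls avoids that: `if (adv > (int)(ASN_NAME_MAX - idx) - 14)`. The same applies to the `(5 + adv)` test in the uid hunk that follows. A short comment saying what 14 and 5 stand for (presumably the lengths of the attribute prefixes written into the name) would make this bounds check easier to audit. The declarations of `adv` and `idx` are outside the hunk, so their types should be confirmed.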
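Review bot: The guard `(hmac_block_size - length) > 0` in HmacSetKey does not protect the `XMEMSET` when `length` exceeds the block size, because `length` is a `word32` and the subtraction is then done unsigned (unless `hmac_block_size` is a wider signed type), wrapping to a large positive value instead of going negative. The test is therefore false only when the two values are equal. Comparing the operands directly states the intent and cannot wrap: `if (length < hmac_block_size)`. The `default: break;` just above suggests an unrecognised `type` can reach this line, which is the case worth confirming, since the rest of the function is outside the hunk.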
@@ -2573,9 +2572,6 @@ int dh_test(void) FreeDhKey(&key); FreeDhKey(&key2); -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - fclose(file); -#endif return 0; } @@ -2615,6 +2611,7 @@ int dsa_test(void) return -60; bytes = (word32) fread(tmp, 1, sizeof(tmp), file); + fclose(file); #endif /* USE_CERT_BUFFERS */ InitSha(&sha); @@ -2636,9 +2633,6 @@ int dsa_test(void) if (answer != 1) return -65; FreeDsaKey(&key); -#if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) - fclose(file); -#endif return 0; } diff --git a/cyassl/test.h b/cyassl/test.h index 399614a7a..fe6118215 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -359,6 +359,9 @@ static INLINE void tcp_socket(SOCKET_T* sockfd, int udp) else *sockfd = socket(AF_INET_V, SOCK_STREAM, 0); + if (*sockfd < 0) + err_sys("socket failed\n"); + #ifndef USE_WINDOWS_API #ifdef SO_NOSIGPIPE { @@ -414,7 +417,7 @@ enum { TEST_ERROR_READY }; -static INLINE int tcp_select(SOCKET_T socketfd, unsigned int to_sec) +static INLINE int tcp_select(SOCKET_T socketfd, int to_sec) { fd_set recvfds, errfds; SOCKET_T nfds = socketfd + 1; @@ -453,9 +456,11 @@ static INLINE void tcp_listen(SOCKET_T* sockfd, int port, int useAnyAddr, #ifndef USE_WINDOWS_API { - int on = 1; + int res, on = 1; socklen_t len = sizeof(on); - setsockopt(*sockfd, SOL_SOCKET, SO_REUSEADDR, &on, len); + res = setsockopt(*sockfd, SOL_SOCKET, SO_REUSEADDR, &on, len); + if (res < 0) + err_sys("setsockopt SO_REUSEADDR failed\n"); } #endif @@ -500,9 +505,11 @@ static INLINE void udp_accept(SOCKET_T* sockfd, int* clientfd, int useAnyAddr, #ifndef USE_WINDOWS_API { - int on = 1; + int res, on = 1; socklen_t len = sizeof(on); - setsockopt(*sockfd, SOL_SOCKET, SO_REUSEADDR, &on, len); + res = setsockopt(*sockfd, SOL_SOCKET, SO_REUSEADDR, &on, len); + if (res < 0) + err_sys("setsockopt SO_REUSEADDR failed\n"); } #endif 
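Review bot: The new `*sockfd < 0` test in tcp_socket sits above the `#ifndef USE_WINDOWS_API` block, so it is also compiled for Windows, where socket handles are normally an unsigned type and a failed `socket()` yields `INVALID_SOCKET`. If `SOCKET_T` is unsigned on that build (its definition is outside the hunk), the comparison can never be true and the failure goes unreported. A platform-specific form would cover both cases, for example `if (*sockfd == INVALID_SOCKET)` under `USE_WINDOWS_API` and the `< 0` test otherwise.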
@@ -561,7 +568,11 @@ static INLINE void tcp_set_nonblocking(SOCKET_T* sockfd) int ret = ioctlsocket(*sockfd, FIONBIO, &blocking); #else int flags = fcntl(*sockfd, F_GETFL, 0); + if (flags < 0) + err_sys("fcntl get failed"); fcntl(*sockfd, F_SETFL, flags | O_NONBLOCK); + if (flags < 0) + err_sys("fcntl set failed"); #endif } diff --git a/examples/client/client.c b/examples/client/client.c index a58067910..fa9f2dae9 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -415,6 +415,7 @@ void client_test(void* args) printf("SSL connect ok, sending GET...\n"); msgSz = 28; strncpy(msg, "GET /index.html HTTP/1.0\r\n\r\n", msgSz); + msg[msgSz] = '\0'; } if (CyaSSL_write(ssl, msg, msgSz) != msgSz) err_sys("SSL_write failed"); @@ -521,10 +522,10 @@ void client_test(void* args) CyaSSL_shutdown(sslResume); CyaSSL_free(sslResume); + CloseSocket(sockfd); } CyaSSL_CTX_free(ctx); - CloseSocket(sockfd); ((func_args*)args)->return_code = 0; } diff --git a/src/ssl.c b/src/ssl.c index 7bb755ba5..030d96fb3 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -500,6 +500,9 @@ int CyaSSL_shutdown(CYASSL* ssl) { CYASSL_ENTER("SSL_shutdown()"); + if (ssl == NULL) + return 0; + if (ssl->options.quietShutdown) { CYASSL_MSG("quiet shutdown, no close notify sent"); return 0; @@ -1578,6 +1581,10 @@ int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format, int type, } dynamic = 1; } + else if (sz < 0) { + XFCLOSE(file); + return SSL_BAD_FILE; + } if ( (ret = (int)XFREAD(myBuffer, sz, 1, file)) < 0) ret = SSL_BAD_FILE; @@ -1741,6 +1748,10 @@ int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname, } dynamic = 1; } + else if (sz < 0) { + XFCLOSE(file); + return SSL_BAD_FILE; + } if ( (ret = (int)XFREAD(myBuffer, sz, 1, file)) < 0) ret = SSL_BAD_FILE; 
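Review bot: The second check added in tcp_set_nonblocking tests `flags` again, which still holds the `F_GETFL` result, so a failing `fcntl(*sockfd, F_SETFL, ...)` is never reported and `fcntl set failed` can only fire for the condition the first check already handled. Test the return value of the set call itself: `if (fcntl(*sockfd, F_SETFL, flags | O_NONBLOCK) < 0) err_sys("fcntl set failed");`. The Windows branch just above stores the `ioctlsocket` result in `ret` without checking it either.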
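Review bot: `msg[msgSz] = '\0'` in client_test writes at index 28, one past the bytes `strncpy` copied, so it is in bounds only if `msg` holds at least 29 bytes; the declaration is outside the hunk and should be confirmed. The request length is also hard-coded as `msgSz = 28`, which will silently fall out of step if the literal is edited. Holding the request in a named `static const char` array and deriving `msgSz` from `sizeof` of it minus one, then copying with `memcpy` including the terminator, would keep the length and the terminator tied to the string.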
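Review bot: The NULL guard added to CyaSSL_shutdown returns 0, the same value the quiet-shutdown branch directly below returns, so a caller cannot tell a missing session from a shutdown that was deliberately skipped. If 0 is read by callers as "nothing went wrong", an argument error such as `return BAD_FUNC_ARG;` would surface the mistake at the call site, provided that code is acceptable for this API. If NULL is meant to be an accepted no-op, a comment above the guard such as `/* NULL ssl is a no-op so cleanup paths can call this unconditionally */` would document that contract.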
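Review bot: The added `else if (sz < 0)` branch in ProcessFile rejects a failed size query but lets `sz == 0` continue to `XFREAD(myBuffer, sz, 1, file)`, while a later hunk in this file guards the same kind of read with `(sz > 0)`. Using `else if (sz <= 0)` would make the early exit cover the empty-file case too; the identical branches added in CyaSSL_CertManagerVerify, CyaSSL_PemCertToDer and CyaSSL_SetTmpDH_file_wrapper have the same gap. The branch is chained to a buffer-size test that starts outside the hunk: if that test compares `sz` with a `sizeof` value without a cast, a negative `sz` converts to a large unsigned number and takes the allocation path before this check is reached, so the ordering should be verified. The read's own test, `(ret = (int)XFREAD(...)) < 0`, also cannot detect a short read if `XFREAD` maps to `fread`, which returns an item count and never a negative value.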
@@ -2051,6 +2062,10 @@ int CyaSSL_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz) } dynamic = 1; } + else if (sz < 0) { + XFCLOSE(file); + return SSL_BAD_FILE; + } if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0) ret = SSL_BAD_FILE; @@ -2262,6 +2277,10 @@ static int CyaSSL_SetTmpDH_file_wrapper(CYASSL_CTX* ctx, CYASSL* ssl, } dynamic = 1; } + else if (sz < 0) { + XFCLOSE(file); + return SSL_BAD_FILE; + } if ( (ret = (int)XFREAD(myBuffer, sz, 1, file)) < 0) ret = SSL_BAD_FILE; @@ -6401,6 +6420,7 @@ int CyaSSL_set_compression(CYASSL* ssl) } if ((myBuffer != NULL) && + (sz > 0) && (XFREAD(myBuffer, sz, 1, file) > 0) && (PemToDer(myBuffer, sz, CERT_TYPE, &fileDer, ctx->heap, &info, &eccKey) == 0) && diff --git a/tests/api.c b/tests/api.c index d598b4e73..7db26fc68 100644 --- a/tests/api.c +++ b/tests/api.c @@ -613,21 +613,21 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args) if (CyaSSL_CTX_load_verify_locations(ctx, cliCert, 0) != SSL_SUCCESS) { /*err_sys("can't load ca file, Please run from CyaSSL home dir");*/ - return 0; + goto done; } if (CyaSSL_CTX_use_certificate_file(ctx, svrCert, SSL_FILETYPE_PEM) != SSL_SUCCESS) { /*err_sys("can't load server cert chain file, " "Please run from CyaSSL home dir");*/ - return 0; + goto done; } if (CyaSSL_CTX_use_PrivateKey_file(ctx, svrKey, SSL_FILETYPE_PEM) != SSL_SUCCESS) { /*err_sys("can't load server key file, " "Please run from CyaSSL home dir");*/ - return 0; + goto done; } ssl = CyaSSL_new(ctx); tcp_accept(&sockfd, &clientfd, (func_args*)args, yasslPort, 0, 0); @@ -648,7 +648,7 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args) char buffer[80]; printf("error = %d, %s\n", err, CyaSSL_ERR_error_string(err, buffer)); /*err_sys("SSL_accept failed");*/ - return 0; + goto done; } idx = CyaSSL_read(ssl, input, sizeof(input)-1); 
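Review bot: The three `goto done` jumps added in test_server_nofail run before `ssl = CyaSSL_new(ctx)`, so the cleanup at `done:` hands `ssl` to `CyaSSL_shutdown` and `CyaSSL_free` with whatever value it had at its declaration, which is outside the hunk. Unless it is declared as `CYASSL* ssl = NULL;`, those calls operate on an indeterminate pointer. The same question applies to any socket descriptors released after the label, and to the `goto done2` paths added in test_client_nofail, some of which come before `tcp_connect`.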
@@ -663,6 +663,7 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args) return 0; } +done: CyaSSL_shutdown(ssl); CyaSSL_free(ssl); CyaSSL_CTX_free(ctx); @@ -696,21 +697,21 @@ void test_client_nofail(void* args) if (CyaSSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS) { /* err_sys("can't load ca file, Please run from CyaSSL home dir");*/ - return; + goto done2; } if (CyaSSL_CTX_use_certificate_file(ctx, cliCert, SSL_FILETYPE_PEM) != SSL_SUCCESS) { /*err_sys("can't load client cert file, " "Please run from CyaSSL home dir");*/ - return; + goto done2; } if (CyaSSL_CTX_use_PrivateKey_file(ctx, cliKey, SSL_FILETYPE_PEM) != SSL_SUCCESS) { /*err_sys("can't load client key file, " "Please run from CyaSSL home dir");*/ - return; + goto done2; } tcp_connect(&sockfd, yasslIP, yasslPort, 0); @@ -723,13 +724,13 @@ void test_client_nofail(void* args) char buffer[80]; printf("err = %d, %s\n", err, CyaSSL_ERR_error_string(err, buffer)); /*printf("SSL_connect failed");*/ - return; + goto done2; } if (CyaSSL_write(ssl, msg, msgSz) != msgSz) { /*err_sys("SSL_write failed");*/ - return; + goto done2; } input = CyaSSL_read(ssl, reply, sizeof(reply)-1); @@ -739,6 +740,7 @@ void test_client_nofail(void* args) printf("Server response: %s\n", reply); } +done2: CyaSSL_free(ssl); CyaSSL_CTX_free(ctx); diff --git a/tests/suites.c b/tests/suites.c index 47d318019..bdcb56556 100644 --- a/tests/suites.c +++ b/tests/suites.c 
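Review bot: The `return 0;` left directly above the new `done:` label in test_server_nofail appears to be a failure exit that this commit did not convert, so that path still skips `CyaSSL_shutdown`, `CyaSSL_free` and `CyaSSL_CTX_free`. Changing it to `goto done;` would bring it in line with the other error paths. The block it belongs to starts outside the hunk, so the condition it handles should be confirmed before the change.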
@@ -46,17 +46,29 @@ static void execute_test_case(int svr_argc, char** svr_argv, THREAD_TYPE serverThread; char commandLine[MAX_COMMAND_SZ]; int i; + size_t added = 0; static int tests = 1; commandLine[0] = '\0'; for (i = 0; i < svr_argc; i++) { + added += strlen(svr_argv[i]) + 2; + if (added >= MAX_COMMAND_SZ) { + printf("server command line too long\n"); + break; + } strcat(commandLine, svr_argv[i]); strcat(commandLine, " "); } printf("trying server command line[%d]: %s\n", tests, commandLine); commandLine[0] = '\0'; + added = 0; for (i = 0; i < cli_argc; i++) { + added += strlen(cli_argv[i]) + 2; + if (added >= MAX_COMMAND_SZ) { + printf("client command line too long\n"); + break; + } strcat(commandLine, cli_argv[i]); strcat(commandLine, " "); } @@ -124,7 +136,7 @@ static void test_harness(void* vargs) fseek(file, 0, SEEK_END); sz = ftell(file); rewind(file); - if (sz == 0) { + if (sz <= 0) { fprintf(stderr, "%s is empty\n", fname); fclose(file); args->return_code = 1; @@ -143,6 +155,7 @@ static void test_harness(void* vargs) if (len != sz) { fprintf(stderr, "read error\n"); fclose(file); + free(script); args->return_code = 1; return; }