diff --git a/src/ssl.c b/src/ssl.c index 49378cdf3..a0c791c45 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3888,8 +3888,10 @@ error: if (sk) wolfSSL_sk_X509_free(sk); - for (i = 0; i < numCerts && certBuffers[i] != NULL; ++i) { - FreeDer(&certBuffers[i]); + if (certBuffers != NULL) { + for (i = 0; i < numCerts && certBuffers[i] != NULL; ++i) { + FreeDer(&certBuffers[i]); + } } if (certBuffers) @@ -26570,16 +26572,20 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, int ret = WOLFSSL_FAILURE; int count = 0; WOLFSSL_BIO *bio = NULL; - WOLFSSL_X509_CRL *crl =NULL; - + WOLFSSL_X509_CRL *crl = NULL; + WOLFSSL_ENTER("wolfSSL_X509_load_crl_file"); - + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); - - if ((bio == NULL) || (wolfSSL_BIO_read_filename(bio, file) <= 0)) { + if (bio == NULL) { return ret; } - + + if (wolfSSL_BIO_read_filename(bio, file) <= 0) { + wolfSSL_BIO_free(bio); + return ret; + } + if (type == WOLFSSL_FILETYPE_PEM) { do { crl = wolfSSL_PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); @@ -26589,7 +26595,7 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, } break; } - + ret = wolfSSL_X509_STORE_add_crl(ctx->store, crl); if (ret == WOLFSSL_FAILURE) { WOLFSSL_MSG("Adding crl failed"); @@ -26599,7 +26605,7 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, wolfSSL_X509_CRL_free(crl); crl = NULL; } while(crl == NULL); - + ret = count; } else if (type == WOLFSSL_FILETYPE_ASN1) { crl = wolfSSL_d2i_X509_CRL_bio(bio, NULL); @@ -26616,10 +26622,10 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, } else { WOLFSSL_MSG("Invalid file type"); } - + wolfSSL_X509_CRL_free(crl); wolfSSL_BIO_free(bio); - + WOLFSSL_LEAVE("wolfSSL_X509_load_crl_file", ret); return ret; } @@ -32089,6 +32095,7 @@ int wolfSSL_RAND_egd(const char* nm) } #endif + XMEMSET(&rem, 0, sizeof(struct sockaddr_un)); if (nm == NULL) { #ifdef WOLFSSL_SMALL_STACK XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); 
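Review bot: Neither `ctx` nor `file` is checked for NULL in wolfSSL_X509_load_crl_file before use: `file` goes straight into wolfSSL_BIO_read_filename() in this hunk, and `ctx->store` is dereferenced in the PEM loop shown in the following hunk. Since this is a WOLFSSL_API entry point, a guard right after WOLFSSL_ENTER would make the failure mode explicit, for example `if (ctx == NULL || file == NULL) return ret;`. The function's opening lines and part of the ASN1 branch are outside the visible hunks, so an existing check there should be ruled out first.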
@@ -41265,9 +41272,11 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) WOLFSSL_MSG("Serial size error"); return WOLFSSL_FAILURE; } - if ((int)sizeof(cert->serial) < serialSz) { - WOLFSSL_MSG("Serial buffer too small"); - return BUFFER_E; + + if (serialSz > EXTERNAL_SERIAL_SIZE || + serialSz > CTC_SERIAL_SIZE) { + WOLFSSL_MSG("Serial size too large error"); + return WOLFSSL_FAILURE; } XMEMCPY(cert->serial, serial, serialSz); cert->serialSz = serialSz; @@ -52566,7 +52575,7 @@ WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_adj(WOLFSSL_ASN1_TIME *s, time_t t, ts = (struct tm *)XGMTIME(&t_adj, tmpTime); if (ts == NULL){ WOLFSSL_MSG("failed to get time data."); - XFREE(s, NULL, DYNAMIC_TYPE_OPENSSL); + wolfSSL_ASN1_TIME_free(s); return NULL; } @@ -52589,8 +52598,10 @@ WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_adj(WOLFSSL_ASN1_TIME *s, time_t t, XSNPRINTF((char *)utc_str, sizeof(utc_str), "%02d%02d%02d%02d%02d%02dZ", utc_year, utc_mon, utc_day, utc_hour, utc_min, utc_sec); - if (wolfSSL_ASN1_TIME_set_string(s, utc_str) != WOLFSSL_SUCCESS) + if (wolfSSL_ASN1_TIME_set_string(s, utc_str) != WOLFSSL_SUCCESS) { + wolfSSL_ASN1_TIME_free(s); return NULL; + } /* GeneralizedTime */ } else { char gt_str[ASN_GENERALIZED_TIME_MAX]; @@ -52605,8 +52616,10 @@ WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_adj(WOLFSSL_ASN1_TIME *s, time_t t, XSNPRINTF((char *)gt_str, sizeof(gt_str), "%4d%02d%02d%02d%02d%02dZ", gt_year, gt_mon, gt_day, gt_hour, gt_min,gt_sec); - if (wolfSSL_ASN1_TIME_set_string(s, gt_str) != WOLFSSL_SUCCESS) + if (wolfSSL_ASN1_TIME_set_string(s, gt_str) != WOLFSSL_SUCCESS) { + wolfSSL_ASN1_TIME_free(s); return NULL; + } } return s; @@ -53376,6 +53389,7 @@ PKCS7* wolfSSL_d2i_PKCS7_bio(WOLFSSL_BIO* bio, PKCS7** p7) pkcs7->len = ret; if (wc_PKCS7_VerifySignedData(&pkcs7->pkcs7, pkcs7->data, pkcs7->len) != 0) { + wolfSSL_PKCS7_free((PKCS7*)pkcs7); return NULL; } diff --git a/tests/api.c b/tests/api.c index 95372ac40..7430b1f25 100644 --- a/tests/api.c +++ b/tests/api.c 
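Review bot: The bound on `serialSz` ahead of `XMEMCPY(cert->serial, serial, serialSz)` is now expressed through two constants instead of the destination array, so the copy stays in bounds only while `cert->serial` is declared at least as large as the smaller of EXTERNAL_SERIAL_SIZE and CTC_SERIAL_SIZE; that declaration is not visible here. Keeping the destination in the condition removes the dependency: `if (serialSz > (int)sizeof(cert->serial) || serialSz > EXTERNAL_SERIAL_SIZE) {`. The failure code also changes from BUFFER_E to WOLFSSL_FAILURE, which matters to any caller that compares against BUFFER_E. The condition guarding the earlier "Serial size error" branch is outside the hunk, so whether a negative `serialSz` is rejected there cannot be confirmed from this view.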
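Review bot: The error paths now call `wolfSSL_ASN1_TIME_free(s)` on `s`, which is the caller's parameter, so a caller that passed its own object and receives NULL is left holding a freed pointer and may release it a second time. This applies to the XGMTIME failure path in this hunk and to both `wolfSSL_ASN1_TIME_set_string` failure paths in the next two hunks. The start of wolfSSL_ASN1_TIME_adj is outside the hunks; if it allocates `s` only when the argument is NULL, a local flag recording that allocation would let the error paths release only what the function created, e.g. `if (allocated) wolfSSL_ASN1_TIME_free(s);`. A sentence in the function comment stating who owns `s` on failure would help either way.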
@@ -2748,6 +2748,9 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) } ctx = wolfSSL_CTX_new(method); } + if (ctx == NULL) { + goto done; + } #if defined(HAVE_SESSION_TICKET) && \ ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 71f451007..3260d02fc 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -6188,7 +6188,7 @@ void bench_eccsiPairGen(void) byte id[] = { 0x01, 0x23, 0x34, 0x45 }; int ret; - mp_init(&ssk); + (void)mp_init(&ssk); pvt = wc_ecc_new_point(); wc_InitEccsiKey(&genKey, NULL, INVALID_DEVID); (void)wc_MakeEccsiKey(&genKey, &gRng); @@ -6227,7 +6227,7 @@ void bench_eccsiValidate(void) int valid; int ret; - mp_init(&ssk); + (void)mp_init(&ssk); pvt = wc_ecc_new_point(); wc_InitEccsiKey(&genKey, NULL, INVALID_DEVID); (void)wc_MakeEccsiKey(&genKey, &gRng); @@ -6272,7 +6272,7 @@ void bench_eccsi(void) int ret; int verified; - mp_init(&ssk); + (void)mp_init(&ssk); pvt = wc_ecc_new_point(); (void)wc_InitEccsiKey(&genKey, NULL, INVALID_DEVID); (void)wc_MakeEccsiKey(&genKey, &gRng); @@ -6518,10 +6518,10 @@ void bench_sakke(void) bench_stats_asym_finish("SAKKE", 1024, desc[10], 0, count, start, 0); len = 0; - wc_GenerateSakkeRskTable(&genKey, rsk, NULL, &len); + (void)wc_GenerateSakkeRskTable(&genKey, rsk, NULL, &len); if (len > 0) { table = (byte*)XMALLOC(len, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_GenerateSakkeRskTable(&genKey, rsk, table, &len); + (void)wc_GenerateSakkeRskTable(&genKey, rsk, table, &len); } (void)wc_SetSakkeRsk(&genKey, rsk, table, len); diff --git a/wolfcrypt/src/eccsi.c b/wolfcrypt/src/eccsi.c index 555020c35..ca58c893b 100644 --- a/wolfcrypt/src/eccsi.c +++ b/wolfcrypt/src/eccsi.c 
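Review bot: In bench_sakke the result of `XMALLOC(len, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER)` is used without a NULL check, and the added `(void)` casts discard the status of both wc_GenerateSakkeRskTable() calls. If the allocation fails, `wc_SetSakkeRsk(&genKey, rsk, table, len)` receives a NULL table together with a non-zero `len`. A guard after the allocation such as `if (table == NULL) len = 0;` keeps pointer and length consistent. The three `(void)mp_init(&ssk)` hunks above silence the return value in the same way; if that is intentional for benchmark code, a short comment saying so would make it clear the result was considered.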
@@ -1666,6 +1666,7 @@ int wc_SetEccsiHash(EccsiKey* key, const byte* hash, byte hashSz) * @param [in] pvt Public Validation Token (PVT) as an ECC point. * @return 0 on success. * @return BAD_FUNC_ARG when key, ssk or pvt is NULL. + * @return MP math errors when copy fails */ int wc_SetEccsiPair(EccsiKey* key, const mp_int* ssk, const ecc_point* pvt) { @@ -1674,9 +1675,13 @@ int wc_SetEccsiPair(EccsiKey* key, const mp_int* ssk, const ecc_point* pvt) if ((key == NULL) || (ssk == NULL) || (pvt == NULL)) { err = BAD_FUNC_ARG; } + if (err == 0) { - mp_copy(ssk, &key->ssk); - wc_ecc_copy_point(pvt, key->pvt); + err = mp_copy(ssk, &key->ssk); + } + + if (err == 0) { + err = wc_ecc_copy_point(pvt, key->pvt); } return err; diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c index 5ca96e6b6..2515d789f 100644 --- a/wolfcrypt/src/pwdbased.c +++ b/wolfcrypt/src/pwdbased.c @@ -415,10 +415,10 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen, dLen = v; sLen = v * ((saltLen + v - 1) / v); - if (passLen) - pLen = v * ((passLen + v - 1) / v); - else - pLen = 0; + + /* with passLen checked at the top of the function for >= 0 then passLen + * must be 1 or greater here and is always 'true' */ + pLen = v * ((passLen + v - 1) / v); iLen = sLen + pLen; totalLen = dLen + sLen + pLen; diff --git a/wolfcrypt/src/sakke.c b/wolfcrypt/src/sakke.c index 789347528..8468d08b5 100644 --- a/wolfcrypt/src/sakke.c +++ b/wolfcrypt/src/sakke.c @@ -6120,7 +6120,7 @@ static int sakke_hash_to_range(SakkeKey* key, enum wc_HashType hashType, int err = 0; byte h[WC_MAX_DIGEST_SIZE]; byte v[WC_MAX_DIGEST_SIZE]; - word32 hashSz = wc_HashGetDigestSize(hashType); + word32 hashSz = 0; word32 i; /* Step 1: A = hashfn( s ), where s = data | extra 
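Review bot: wc_SetEccsiPair can now return an error after `mp_copy(ssk, &key->ssk)` has already succeeded, which leaves `key` holding the new secret signing key next to the previous PVT. Inside the second `if (err == 0)` block, the half-updated secret could be cleared when the point copy fails, e.g. `if (err != 0) mp_forcezero(&key->ssk);` directly after `err = wc_ecc_copy_point(pvt, key->pvt);`. Alternatively the header comment should state that the key contents are unspecified on failure. The added `@return` line mentions only MP math errors and could also name a failure of the point copy.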
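Review bot: The new comment in wc_PKCS12_PBKDF_ex contradicts itself: a check for `passLen >= 0` still admits `passLen == 0`, so it does not follow that passLen is 1 or greater at this point. The removed branch is redundant for a different reason, namely that `(passLen + v - 1) / v` is already 0 when `passLen` is 0 and `v` is positive, so `pLen` comes out as 0 either way. I would reword it along the lines of `/* passLen == 0 yields pLen == 0: (v - 1) / v is 0 for v > 0, so no special case is needed */`. Both the check at the top of the function and the assignment of `v` are outside the hunk, so the exact condition should be confirmed before settling the wording.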
@@ -6128,7 +6128,16 @@ static int sakke_hash_to_range(SakkeKey* key, enum wc_HashType hashType, */ /* Step 2: h_0 = 00...00, a string of null bits of length hashlen bits */ - XMEMSET(h, 0, hashSz); + err = wc_HashGetDigestSize(hashType); + if (err > 0) { + hashSz = (word32)err; + XMEMSET(h, 0, hashSz); + err = 0; /* reset err value after getting digest size */ + } + else if (err == 0) { + /* invalid hash digest size */ + err = BAD_FUNC_ARG; + } /* Step 3: l = Ceiling(lg(n)/hashlen) */ /* Step 4: For each i in 1 to l, do */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 5be88a07a..ef665c9d6 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -27281,7 +27281,7 @@ static int eccsi_enc_dec_pair_test(EccsiKey* priv, mp_int* ssk, ecc_point* pvt) return -10117; decPvt = wc_ecc_new_point(); - if (ret != 0) + if (decPvt == NULL) return -10118; ret = wc_EncodeEccsiPair(priv, ssk, pvt, NULL, &sz); 
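Review bot: When wc_HashGetDigestSize() fails, `hashSz` stays 0 and `h` is never cleared, so every step after this hunk in sakke_hash_to_range has to be skipped while `err != 0`; those steps are outside the hunk, so the guard cannot be confirmed from here. The Step 3 comment divides by the hash length, which makes a zero `hashSz` worth ruling out explicitly. Reusing `err` to carry the digest size also obscures the flow; a separate local reads more directly, e.g. `int digestSz = wc_HashGetDigestSize(hashType);` followed by `if (digestSz <= 0) err = (digestSz < 0) ? digestSz : BAD_FUNC_ARG;`.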
@@ -27645,80 +27645,100 @@ static int eccsi_sign_verify_test(EccsiKey* priv, EccsiKey* pub, WC_RNG* rng, int eccsi_test(void) { - int ret; + int ret = 0; WC_RNG rng; - EccsiKey* priv; - EccsiKey* pub; - mp_int* ssk; - ecc_point* pvt; + EccsiKey* priv = NULL; + EccsiKey* pub = NULL; + mp_int* ssk = NULL; + ecc_point* pvt = NULL; priv = (EccsiKey*)XMALLOC(sizeof(EccsiKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (priv == NULL) { - return -10205; + ret = -10205; } - pub = (EccsiKey*)XMALLOC(sizeof(EccsiKey), HEAP_HINT, + + if (ret == 0) { + pub = (EccsiKey*)XMALLOC(sizeof(EccsiKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (pub == NULL) { - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return -10206; - } - ssk = (mp_int*)XMALLOC(sizeof(mp_int), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (ssk == NULL) { - XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return -10207; + if (pub == NULL) { + ret = -10206; + } } -#ifndef HAVE_FIPS - ret = wc_InitRng_ex(&rng, HEAP_HINT, devId); -#else - ret = wc_InitRng(&rng); -#endif - if (ret != 0) - return -10200; + if (ret == 0) { + ssk = (mp_int*)XMALLOC(sizeof(mp_int), HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER); + if (ssk == NULL) { + ret = -10207; + } + } - pvt = wc_ecc_new_point(); - if (pvt == NULL) - return -10201; - ret = mp_init(ssk); - if (ret != 0) - return -10202; + if (ret == 0) { + #ifndef HAVE_FIPS + ret = wc_InitRng_ex(&rng, HEAP_HINT, devId); + #else + ret = wc_InitRng(&rng); + #endif + if (ret != 0) + ret = -10200; + } - ret = eccsi_api_test(&rng, priv, ssk, pvt); - if (ret != 0) - return ret; + if (ret == 0) { + pvt = wc_ecc_new_point(); + if (pvt == NULL) + ret = -10201; + } - ret = wc_InitEccsiKey(pub, HEAP_HINT, INVALID_DEVID); - if (ret != 0) - return -10203; + if (ret == 0) { + ret = mp_init(ssk); + if (ret != 0) + ret = -10202; + } - ret = wc_InitEccsiKey(priv, HEAP_HINT, INVALID_DEVID); - if (ret != 0) - return -10204; + if (ret == 0) { + ret = 
eccsi_api_test(&rng, priv, ssk, pvt); + } - ret = eccsi_kat_verify_test(pub, pvt); - if (ret != 0) - return ret; + if (ret == 0) { + ret = wc_InitEccsiKey(pub, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ret = -10203; + } - ret = eccsi_make_key_test(priv, pub, &rng, ssk, pvt); - if (ret != 0) - return ret; + if (ret == 0) { + ret = wc_InitEccsiKey(priv, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ret = -10204; + } - ret = eccsi_sign_verify_test(priv, pub, &rng, ssk, pvt); - if (ret != 0) - return ret; + if (ret == 0) { + ret = eccsi_kat_verify_test(pub, pvt); + } + + if (ret == 0) { + ret = eccsi_make_key_test(priv, pub, &rng, ssk, pvt); + } + + if (ret == 0) { + ret = eccsi_sign_verify_test(priv, pub, &rng, ssk, pvt); + } wc_FreeEccsiKey(priv); wc_FreeEccsiKey(pub); mp_free(ssk); wc_ecc_del_point(pvt); - wc_FreeRng(&rng); - XFREE(ssk, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return 0; + if (ret != -10200) + wc_FreeRng(&rng); + if (ssk != NULL) + XFREE(ssk, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (pub != NULL) + XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (priv != NULL) + XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + + return ret; } #endif /* WOLFCRYPT_HAVE_ECCSI */ 
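Review bot: The unconditional cleanup at the end of eccsi_test now runs after every early failure, so it can operate on objects that were never initialised. With `ret` set to -10205, -10206 or -10207 the RNG init is skipped, yet `if (ret != -10200) wc_FreeRng(&rng);` still releases the uninitialised stack `rng`; `wc_FreeEccsiKey(priv)`, `wc_FreeEccsiKey(pub)`, `mp_free(ssk)` and `wc_ecc_del_point(pvt)` are likewise reached with NULL or allocated-but-uninitialised arguments. Tracking what was actually set up avoids this: `int rngInit = 0;`, `rngInit = 1;` after a successful init, and `if (rngInit) wc_FreeRng(&rng);`, with the same treatment for the keys and `ssk`. The sakke_test hunk that follows has the same pattern with `if (ret != -10400)`, `wc_FreeSakkeKey()` and `wc_ecc_forcezero_point(rsk)`.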
@@ -28771,82 +28791,99 @@ static int sakke_op_test(SakkeKey* priv, SakkeKey* pub, WC_RNG* rng, int sakke_test(void) { - int ret; + int ret = 0; WC_RNG rng; - SakkeKey* priv; - SakkeKey* pub; - SakkeKey* key; + SakkeKey* priv = NULL; + SakkeKey* pub = NULL; + SakkeKey* key = NULL; ecc_point* rsk = NULL; priv = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (priv == NULL) { - return -10404; + ret = -10404; } - pub = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT, + + if (ret == 0) { + pub = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (pub == NULL) { - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return -10405; + if (pub == NULL) { + ret = -10405; + } } - key = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT, + + if (ret == 0) { + key = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (key == NULL) { - XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return -10406; + if (key == NULL) { + ret = -10406; + } } -#ifndef HAVE_FIPS - ret = wc_InitRng_ex(&rng, HEAP_HINT, devId); -#else - ret = wc_InitRng(&rng); -#endif - if (ret != 0) - return -10400; + if (ret == 0) { + #ifndef HAVE_FIPS + ret = wc_InitRng_ex(&rng, HEAP_HINT, devId); + #else + ret = wc_InitRng(&rng); + #endif + if (ret != 0) + ret = -10400; + } - rsk = wc_ecc_new_point(); - if (rsk == NULL) - return -10401; + if (ret == 0) { + rsk = wc_ecc_new_point(); + if (rsk == NULL) + ret = -10401; + } - ret = wc_InitSakkeKey(pub, HEAP_HINT, INVALID_DEVID); - if (ret != 0) - return -10402; + if (ret == 0) { + ret = wc_InitSakkeKey(pub, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ret = -10402; + } - ret = wc_InitSakkeKey(priv, HEAP_HINT, INVALID_DEVID); - if (ret != 0) - return -10403; + if (ret == 0) { + ret = wc_InitSakkeKey(priv, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ret = -10403; + } - ret = sakke_api_test(&rng, key, rsk); - if (ret != 0) - return ret; + if 
(ret == 0) { + ret = sakke_api_test(&rng, key, rsk); + } - ret = sakke_kat_derive_test(pub, rsk); - if (ret != 0) - return ret; + if (ret == 0) { + ret = sakke_kat_derive_test(pub, rsk); + } - ret = sakke_kat_encapsulate_test(pub); - if (ret != 0) - return ret; + if (ret == 0) { + ret = sakke_kat_encapsulate_test(pub); + } - ret = sakke_make_key_test(priv, pub, key, &rng, rsk); - if (ret != 0) - return ret; + if (ret == 0) { + ret = sakke_make_key_test(priv, pub, key, &rng, rsk); + } - ret = sakke_op_test(priv, pub, &rng, rsk); - if (ret != 0) - return ret; + if (ret == 0) { + ret = sakke_op_test(priv, pub, &rng, rsk); + } wc_FreeSakkeKey(priv); wc_FreeSakkeKey(pub); wc_ecc_forcezero_point(rsk); wc_ecc_del_point(rsk); - wc_FreeRng(&rng); - XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return 0; + if (ret != -10400) + wc_FreeRng(&rng); + + if (key != NULL) + XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (pub != NULL) + XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (priv != NULL) + XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + + return ret; } #endif /* WOLFCRYPT_HAVE_SAKKE */