diff --git a/src/internal.c b/src/internal.c index 85d26145f..9e5598986 100644 --- a/src/internal.c +++ b/src/internal.c @@ -22314,6 +22314,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (ssl->suites->sigAlgo != ed25519_sa_algo) { ssl->buffers.sig.length = wc_HashGetDigestSize(hashType); + if ((int)ssl->buffers.sig.length < 0) { + ERROR_OUT(HASH_TYPE_E, exit_sske); + } ssl->buffers.sig.buffer = (byte*)XMALLOC( ssl->buffers.sig.length, ssl->heap, DYNAMIC_TYPE_SIGNATURE); @@ -25312,9 +25315,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->peerX25519KeyPresent = 1; - if (ret != 0) { - goto exit_dcke; - } break; } #endif @@ -25358,9 +25358,6 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ssl->peerEccKeyPresent = 1; #endif /* HAVE_ECC */ - if (ret != 0) { - goto exit_dcke; - } break; } #endif /* HAVE_ECC || HAVE_CURVE25519 */ diff --git a/src/ssl.c b/src/ssl.c index a785e65f3..621c2658b 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -11954,14 +11954,15 @@ int wolfSSL_set_compression(WOLFSSL* ssl) word32 idx = 0; if (ssl->options.haveStaticECC && ssl->buffers.key != NULL) { - wc_ecc_init(&key); - if (wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &key, - ssl->buffers.key->length) != 0) { - ssl->options.haveECDSAsig = 0; - ssl->options.haveECC = 0; - ssl->options.haveStaticECC = 0; + if (wc_ecc_init(&key) >= 0) { + if (wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &key, + ssl->buffers.key->length) != 0) { + ssl->options.haveECDSAsig = 0; + ssl->options.haveECC = 0; + ssl->options.haveStaticECC = 0; + } + wc_ecc_free(&key); } - wc_ecc_free(&key); } #endif @@ -14648,7 +14649,7 @@ int wolfSSL_EVP_MD_type(const WOLFSSL_EVP_MD *md) blk = sz/DES_BLOCK_SIZE; /* OpenSSL compat, no ret */ - wc_Des3Init(&des, NULL, INVALID_DEVID); + (void)wc_Des3Init(&des, NULL, INVALID_DEVID); if (enc) { wc_Des3_SetKey(&des, key, (const byte*)ivec, DES_ENCRYPTION); @@ -18876,6 +18877,8 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx) } else { WOLFSSL_MSG("Certificate is self signed"); + if (issuer != NULL) + wolfSSL_X509_free(issuer); } } else { @@ -19114,7 +19117,6 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) static void *wolfSSL_d2i_X509_fp_ex(XFILE file, void **x509, int type) { void *newx509 = NULL; - DerBuffer* der = NULL; byte *fileBuffer = NULL; if (file != XBADFILE) @@ -19171,16 +19173,18 @@ err_exit: if(newx509 != NULL){ if(type == CERT_TYPE) wolfSSL_X509_free((WOLFSSL_X509*)newx509); - #ifdef HAVE_CRL - else { - if(type == CRL_TYPE) - wolfSSL_X509_CRL_free((WOLFSSL_X509_CRL*)newx509); + #ifdef HAVE_CRL + else if(type == CRL_TYPE) { + wolfSSL_X509_CRL_free((WOLFSSL_X509_CRL*)newx509); } - #endif + #endif + #if !defined(NO_ASN) && !defined(NO_PWDBASED) + else if(type == PKCS12_TYPE) { + wc_PKCS12_free((WC_PKCS12*)newx509); + } + #endif } _exit: - if(der != NULL) - FreeDer(&der); if(fileBuffer != NULL) XFREE(fileBuffer, NULL, DYNAMIC_TYPE_FILE); return newx509; @@ -19210,42 +19214,43 @@ WOLFSSL_X509_CRL *wolfSSL_d2i_X509_CRL_fp(XFILE fp, WOLFSSL_X509_CRL **crl) #endif /* !NO_FILESYSTEM */ -WOLFSSL_X509_CRL* wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL** crl, const unsigned char* in, int len) +WOLFSSL_X509_CRL* wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL** crl, + const unsigned char* in, int len) { WOLFSSL_X509_CRL *newcrl = NULL; - int ret ; + int ret = WOLFSSL_SUCCESS; WOLFSSL_ENTER("wolfSSL_d2i_X509_CRL"); - if(in == NULL){ + if (in == NULL) { WOLFSSL_MSG("Bad argument value"); - return NULL; + } else { + newcrl = (WOLFSSL_X509_CRL*)XMALLOC(sizeof(WOLFSSL_X509_CRL), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (newcrl == NULL){ + WOLFSSL_MSG("New CRL allocation failed"); + } else { + ret = InitCRL(newcrl, NULL); + if (ret < 0) { + WOLFSSL_MSG("Init tmp CRL failed"); + } else { + ret = BufferLoadCRL(newcrl, in, len, WOLFSSL_FILETYPE_ASN1, 1); + if (ret != WOLFSSL_SUCCESS) { + WOLFSSL_MSG("Buffer Load CRL failed"); + } else { + if (crl) { + *crl = newcrl; + } + } + } + } } - newcrl = (WOLFSSL_X509_CRL*)XMALLOC(sizeof(WOLFSSL_X509_CRL), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (newcrl == NULL){ - WOLFSSL_MSG("New CRL allocation failed"); - return NULL; - } - if (InitCRL(newcrl, NULL) < 0) { - WOLFSSL_MSG("Init tmp CRL failed"); - goto err_exit; - } - ret = BufferLoadCRL(newcrl, in, len, WOLFSSL_FILETYPE_ASN1, 1); - if (ret != WOLFSSL_SUCCESS){ - WOLFSSL_MSG("Buffer Load CRL failed"); - goto err_exit; - } - if(crl){ - *crl = newcrl; - } - goto _exit; - -err_exit: - if(newcrl != NULL) + if((ret != WOLFSSL_SUCCESS) && (newcrl != NULL)) { wolfSSL_X509_CRL_free(newcrl); - newcrl = NULL; -_exit: + newcrl = NULL; + } + return newcrl; } @@ -20347,6 +20352,10 @@ const char* wolfSSL_state_string_long(const WOLFSSL* ssl) state = ss_client_finished; else if (ssl->options.side == WOLFSSL_CLIENT_END) state = ss_server_finished; + else { + WOLFSSL_MSG("Unknown State"); + state = ss_null_state; + } break; default: WOLFSSL_MSG("Unknown State"); @@ -27274,7 +27283,11 @@ WOLFSSL_EC_KEY *wolfSSL_EC_KEY_new(void) } XMEMSET(external->internal, 0, sizeof(ecc_key)); - wc_ecc_init((ecc_key*)external->internal); + if (wc_ecc_init((ecc_key*)external->internal) != 0) { + WOLFSSL_MSG("wolfSSL_EC_KEY_new init ecc key failure"); + wolfSSL_EC_KEY_free(external); + return NULL; + } /* public key */ external->pub_key = (WOLFSSL_EC_POINT*)XMALLOC(sizeof(WOLFSSL_EC_POINT), @@ -27499,7 +27512,7 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group, { static const char* hexDigit = "0123456789ABCDEF"; char* hex = NULL; - int id = wc_ecc_get_curve_id(group->curve_idx); + int id; int i, sz, len; (void)ctx; @@ -27507,6 +27520,8 @@ char* wolfSSL_EC_POINT_point2hex(const WOLFSSL_EC_GROUP* group, if (group == NULL || point == NULL) return NULL; + id = wc_ecc_get_curve_id(group->curve_idx); + if ((sz = wc_ecc_get_curve_size_from_id(id)) < 0) return NULL; @@ -35452,47 +35467,52 @@ unsigned char* wolfSSL_ASN1_TIME_get_data(WOLFSSL_ASN1_TIME *t) WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_to_generalizedtime(WOLFSSL_ASN1_TIME *t, WOLFSSL_ASN1_TIME **out) { - unsigned char time_type; + unsigned char time_type = 0; WOLFSSL_ASN1_TIME *ret = NULL; unsigned char *data_ptr = NULL; WOLFSSL_ENTER("wolfSSL_ASN1_TIME_to_generalizedtime"); - if (t == NULL) - return NULL; - - time_type = t->data[0]; - if (time_type != ASN_UTC_TIME && time_type != ASN_GENERALIZED_TIME){ - WOLFSSL_MSG("Invalid ASN_TIME type."); - return NULL; - } - if (out == NULL || *out == NULL){ - ret = (WOLFSSL_ASN1_TIME*)XMALLOC(sizeof(WOLFSSL_ASN1_TIME), NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (ret == NULL){ - WOLFSSL_MSG("memory alloc failed."); - return NULL; + if (t == NULL) { + WOLFSSL_MSG("Invalid ASN_TIME value"); + } else { + time_type = t->data[0]; + if (time_type != ASN_UTC_TIME && time_type != ASN_GENERALIZED_TIME){ + WOLFSSL_MSG("Invalid ASN_TIME type."); + } else { + if (out == NULL || *out == NULL) { + ret = (WOLFSSL_ASN1_TIME*)XMALLOC(sizeof(WOLFSSL_ASN1_TIME), + NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (ret == NULL){ + WOLFSSL_MSG("memory alloc failed."); + } + else { + XMEMSET(ret, 0, sizeof(WOLFSSL_ASN1_TIME)); + } + } else { + ret = *out; + } } - XMEMSET(ret, 0, sizeof(WOLFSSL_ASN1_TIME)); - } else - ret = *out; - - if (time_type == ASN_GENERALIZED_TIME){ - XMEMCPY(ret->data, t->data, ASN_GENERALIZED_TIME_SIZE); - return ret; - } else if (time_type == ASN_UTC_TIME){ - ret->data[0] = ASN_GENERALIZED_TIME; - ret->data[1] = ASN_GENERALIZED_TIME_SIZE; - data_ptr = ret->data + 2; - if (t->data[2] >= '5') - XSNPRINTF((char*)data_ptr, ASN_UTC_TIME_SIZE + 2, "19%s", t->data + 2); - else - XSNPRINTF((char*)data_ptr, ASN_UTC_TIME_SIZE + 2, "20%s", t->data + 2); - - return ret; } - WOLFSSL_MSG("Invalid ASN_TIME value"); - return NULL; + if (ret != NULL) { + if (time_type == ASN_GENERALIZED_TIME){ + XMEMCPY(ret->data, t->data, ASN_GENERALIZED_TIME_SIZE); + } else { + /* (time_type == ASN_UTC_TIME) */ + ret->data[0] = ASN_GENERALIZED_TIME; + ret->data[1] = ASN_GENERALIZED_TIME_SIZE; + data_ptr = ret->data + 2; + if (t->data[2] >= '5') { + XSNPRINTF((char*)data_ptr, ASN_UTC_TIME_SIZE + 2, + "19%s", t->data + 2); + } else { + XSNPRINTF((char*)data_ptr, ASN_UTC_TIME_SIZE + 2, + "20%s", t->data + 2); + } + } + } + + return ret; } #endif /* !NO_ASN_TIME */ @@ -35774,8 +35794,6 @@ int wolfSSL_PKCS7_verify(PKCS7* pkcs7, WOLFSSL_STACK* certs, p7->pkcs7.content = mem; p7->pkcs7.contentSz = memSz; } - if (ret != 0) - return WOLFSSL_FAILURE; /* certs is the list of certificates to find the cert with issuer/serial. */ (void)certs; @@ -35985,6 +36003,9 @@ static int bio_get_data(WOLFSSL_BIO* bio, byte** data) ret = BAD_FUNC_ARG; if (ret == 0) { curr = XFTELL(file); + if (curr < 0) { + ret = WOLFSSL_BAD_FILE; + } if (XFSEEK(file, 0, XSEEK_END) != 0) ret = WOLFSSL_BAD_FILE; } @@ -36007,11 +36028,13 @@ static int bio_get_data(WOLFSSL_BIO* bio, byte** data) if ((ret = wolfSSL_BIO_read(bio, mem, ret)) <= 0) { XFREE(mem, bio->heap, DYNAMIC_TYPE_OPENSSL); ret = MEMORY_E; + mem = NULL; } } } *data = mem; + return ret; } @@ -36035,12 +36058,17 @@ WOLFSSL_EVP_PKEY* wolfSSL_d2i_PKCS8PrivateKey_bio(WOLFSSL_BIO* bio, if (cb != NULL) { passwordSz = cb(password, sizeof(password), PEM_PASS_READ, ctx); - if (passwordSz < 0) + if (passwordSz < 0) { + XFREE(der, bio->heap, DYNAMIC_TYPE_OPENSSL); return NULL; + } ret = ToTraditionalEnc(der, len, password, passwordSz, &algId); - if (ret < 0) + if (ret < 0) { + XFREE(der, bio->heap, DYNAMIC_TYPE_OPENSSL); return NULL; + } + XMEMSET(password, 0, passwordSz); } diff --git a/src/tls.c b/src/tls.c index b0d44d23a..541871d6d 100644 --- a/src/tls.c +++ b/src/tls.c @@ -823,7 +823,9 @@ static int Hmac_OuterHash(Hmac* hmac, unsigned char* mac) int digestSz = wc_HashGetDigestSize(hashType); int blockSz = wc_HashGetBlockSize(hashType); - ret = wc_HashInit(&hash, hashType); + if ((digestSz >= 0) && (blockSz >= 0)) { + ret = wc_HashInit(&hash, hashType); + } if (ret == 0) { ret = wc_HashUpdate(&hash, hashType, (byte*)hmac->opad, blockSz); diff --git a/src/tls13.c b/src/tls13.c index 1a5adbe71..bc224555d 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -3280,6 +3280,8 @@ static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites) int suiteSz = 0; word16 i, j; + XMEMSET(suites, 0, WOLFSSL_MAX_SUITE_SZ); + for (i = 0; i < ssl->suites->suiteSz; i += 2) { for (j = 0; j < peerSuites->suiteSz; j += 2) { if (ssl->suites->suites[i+0] == peerSuites->suites[j+0] && diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index eabe2c584..aafe06ea0 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -5139,7 +5139,7 @@ void bench_ed25519KeyGen(void) do { for (i = 0; i < genTimes; i++) { wc_ed25519_init(&genKey); - wc_ed25519_make_key(&rng, 32, &genKey); + (void)wc_ed25519_make_key(&rng, 32, &genKey); wc_ed25519_free(&genKey); } count += i; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index eef4035b9..497074374 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8976,36 +8976,41 @@ int PemToDer(const unsigned char* buff, long longSz, int type, for (;;) { headerEnd = XSTRNSTR((char*)buff, header, sz); - if (headerEnd || type != PRIVATEKEY_TYPE) { + if (headerEnd) { break; } else - if (header == BEGIN_RSA_PRIV) { - header = BEGIN_PRIV_KEY; footer = END_PRIV_KEY; - } else - if (header == BEGIN_PRIV_KEY) { - header = BEGIN_ENC_PRIV_KEY; footer = END_ENC_PRIV_KEY; - } else -#ifdef HAVE_ECC - if (header == BEGIN_ENC_PRIV_KEY) { - header = BEGIN_EC_PRIV; footer = END_EC_PRIV; - } else - if (header == BEGIN_EC_PRIV) { - header = BEGIN_DSA_PRIV; footer = END_DSA_PRIV; - } else -#endif -#ifdef HAVE_ED25519 + if (type == PRIVATEKEY_TYPE) { + if (header == BEGIN_RSA_PRIV) { + header = BEGIN_PRIV_KEY; footer = END_PRIV_KEY; + } else + if (header == BEGIN_PRIV_KEY) { + header = BEGIN_ENC_PRIV_KEY; footer = END_ENC_PRIV_KEY; + } else #ifdef HAVE_ECC - if (header == BEGIN_DSA_PRIV) - #else - if (header == BEGIN_ENC_PRIV_KEY) + if (header == BEGIN_ENC_PRIV_KEY) { + header = BEGIN_EC_PRIV; footer = END_EC_PRIV; + } else + if (header == BEGIN_EC_PRIV) { + header = BEGIN_DSA_PRIV; footer = END_DSA_PRIV; + } else #endif - { - header = BEGIN_EDDSA_PRIV; footer = END_EDDSA_PRIV; + #ifdef HAVE_ED25519 + #ifdef HAVE_ECC + if (header == BEGIN_DSA_PRIV) + #else + if (header == BEGIN_ENC_PRIV_KEY) + #endif + { + header = BEGIN_EDDSA_PRIV; footer = END_EDDSA_PRIV; + } else + #endif + { + break; + } } else -#endif #ifdef HAVE_CRL - if (type == CRL_TYPE) { - header = BEGIN_CRL; footer = END_CRL; + if ((type == CRL_TYPE) && (header != BEGIN_CRL)) { + header = BEGIN_CRL; footer = END_CRL; } else #endif { diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c index 3d494525b..723ec771c 100644 --- a/wolfcrypt/src/dh.c +++ b/wolfcrypt/src/dh.c @@ -2201,13 +2201,13 @@ int wc_DhGenerateParams(WC_RNG *rng, int modSz, DhKey *dh) /* tmp2 += (2*loop_check_prime) * to have p = (q * tmp2) + 1 prime */ - if (primeCheckCount) { + if ((ret == 0) && (primeCheckCount)) { if (mp_add_d(&tmp2, 2 * primeCheckCount, &tmp2) != MP_OKAY) ret = MP_ADD_E; } /* find a value g for which g^tmp2 != 1 */ - if (mp_set(&dh->g, 1) != MP_OKAY) + if ((ret == 0) && (mp_set(&dh->g, 1) != MP_OKAY)) ret = MP_ZERO_E; if (ret == 0) { @@ -2219,18 +2219,24 @@ int wc_DhGenerateParams(WC_RNG *rng, int modSz, DhKey *dh) } while (ret == 0 && mp_cmp_d(&tmp, 1) == MP_EQ); } - /* at this point tmp generates a group of order q mod p */ - mp_exch(&tmp, &dh->g); + if (ret == 0) { + /* at this point tmp generates a group of order q mod p */ + mp_exch(&tmp, &dh->g); + } /* clear the parameters if there was an error */ - if (ret != 0) { + if ((ret != 0) && (dh != NULL)) { mp_clear(&dh->q); mp_clear(&dh->p); mp_clear(&dh->g); } - ForceZero(buf, bufSz); - XFREE(buf, dh->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (buf != NULL) { + ForceZero(buf, bufSz); + if (dh != NULL) { + XFREE(buf, dh->heap, DYNAMIC_TYPE_TMP_BUFFER); + } + } mp_clear(&tmp); mp_clear(&tmp2); diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index aec0b1113..ef259b187 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -357,12 +357,14 @@ static long wc_PKCS7_GetMaxStream(PKCS7* pkcs7, byte flag, byte* in, pkcs7->stream->maxLen = length + idx; } } + + if (pkcs7->stream->maxLen == 0) { + pkcs7->stream->maxLen = defSz; + } + return pkcs7->stream->maxLen; } - if (pkcs7->stream->maxLen == 0) { - pkcs7->stream->maxLen = defSz; - } return defSz; } @@ -3435,7 +3437,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, byte* der; #endif int multiPart = 0, keepContent; - int contentLen; + int contentLen = 0; byte* pkiMsg = in; word32 pkiMsgSz = inSz; @@ -3877,7 +3879,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf, /* If getting the content info failed with non degenerate then return the * error case. Otherwise with a degenerate it is ok if the content * info was omitted */ - if (!degenerate && !detached && ret != 0) { + if (!degenerate && !detached && (ret != 0)) { break; } else { @@ -8560,10 +8562,11 @@ static int wc_PKCS7_DecryptKari(PKCS7* pkcs7, byte* in, word32 inSz, ret = BAD_FUNC_ARG; } - return ret; (void)pkiMsg; (void)pkiMsgSz; + + return ret; #else (void)in; (void)inSz; @@ -8588,7 +8591,7 @@ static int wc_PKCS7_DecryptRecipientInfos(PKCS7* pkcs7, byte* in, byte* pkiMsg = in; word32 pkiMsgSz = inSz; #ifndef NO_PKCS7_STREAM - word32 tmpIdx = *idx; + word32 tmpIdx; long rc; #endif @@ -8598,6 +8601,10 @@ static int wc_PKCS7_DecryptRecipientInfos(PKCS7* pkcs7, byte* in, return BAD_FUNC_ARG; } +#ifndef NO_PKCS7_STREAM + tmpIdx = *idx; +#endif + /* check if in the process of decrypting */ switch (pkcs7->state) { case WC_PKCS7_DECRYPT_KTRI: @@ -9914,6 +9921,9 @@ int wc_PKCS7_EncodeAuthEnvelopedData(PKCS7* pkcs7, byte* output, idx += unauthAttribsSetSz; XMEMCPY(output + idx, flatUnauthAttribs, unauthAttribsSz); idx += unauthAttribsSz; + } + + if (flatUnauthAttribs != NULL) { XFREE(flatUnauthAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7); }