From 66c874bdedbf6aa52272babb9708bd7db907f16a Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 4 Dec 2024 18:30:41 -0600 Subject: [PATCH 1/8] configure.ac: add --enable-fips=cert4718 alias for v5, and make --enable-fips=v5 set FIPS to 5.2.1; set DEF_FAST_MATH and DEF_SP_MATH to "no" when "yes" would conflict with user-supplied arguments. --- configure.ac | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/configure.ac b/configure.ac index 218b1659b..94d4b3516 100644 --- a/configure.ac +++ b/configure.ac @@ -397,8 +397,8 @@ AS_CASE([$ENABLED_WOLFENGINE], # v2 - FIPS 140-2 Cert 3389 # cert3389 - alias for v2 # rand - wolfRand -# v5-RC12 - FIPS 140-3, wolfCrypt/fips WCv5.0-RC12 -# v5 - currently, alias for v5-RC12 +# v5 - FIPS 140-3 Cert 4718 +# cert4718 - alias for v5 # ready - FIPS 140-3 settings with in-tree wolfcrypt sources, feature locked # dev - FIPS 140-3 settings with in-tree wolfcrypt sources, features freely adjustable # v5-ready - Alias for ready. @@ -414,6 +414,7 @@ AS_CASE([$ENABLED_WOLFENGINE], # HAVE_FIPS_VERSION = 5, HAVE_FIPS_VERSION_MINOR = 2. # v5-RC11 - historical FIPS 140-3, wolfCrypt/fips WCv5.0-RC11 # HAVE_FIPS_VERSION = 5, HAVE_FIPS_VERSION_MINOR = 2. +# v5-RC12 - historical FIPS 140-3, wolfCrypt/fips WCv5.0-RC12 AS_CASE([$ENABLED_FIPS], [no],[ FIPS_VERSION="none" @@ -445,10 +446,20 @@ AS_CASE([$ENABLED_FIPS], DEF_SP_MATH="no" DEF_FAST_MATH="no" ], - [v5|v5-RC12],[ + [v5|cert4718],[ + FIPS_VERSION="v5" + HAVE_FIPS_VERSION_MAJOR=5 + HAVE_FIPS_VERSION_MINOR=2 + HAVE_FIPS_VERSION_PATCH=1 + ENABLED_FIPS="yes" + DEF_SP_MATH="no" + DEF_FAST_MATH="yes" + ], + [v5-RC12],[ FIPS_VERSION="v5-RC12" HAVE_FIPS_VERSION_MAJOR=5 HAVE_FIPS_VERSION_MINOR=2 + HAVE_FIPS_VERSION_PATCH=0 ENABLED_FIPS="yes" DEF_SP_MATH="no" DEF_FAST_MATH="yes" @@ -689,6 +700,17 @@ fi # MATH LIBRARY SELECTION +# Assure consistency of defaults +if test "$DEF_FAST_MATH" = "yes" && ((test "$enable_sp_math" != "no" && test "$enable_sp_math" != "") || test "$enable_heapmath" = "yes") +then + DEF_FAST_MATH=no +fi + +if test "$DEF_SP_MATH" = "yes" && (test "$enable_fastmath" = "yes" || test "$enable_fasthugemath" = "yes" || test "$enable_heapmath" = "yes") +then + DEF_SP_MATH=no +fi + # Single Precision maths implementation AC_ARG_ENABLE([sp], [AS_HELP_STRING([--enable-sp],[Enable Single Precision maths implementation (default: disabled)])], @@ -936,7 +958,7 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT" fi - if test "$ENABLED_SP_MATH" = "no" + if test "$ENABLED_SP_MATH" != "yes" then # linuxkm is incompatible with opensslextra and its dependents. if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" @@ -987,7 +1009,7 @@ then test "$enable_webserver" = "" && enable_webserver=yes - if test "$ENABLED_SP_MATH" = "no" + if test "$ENABLED_SP_MATH" != "yes" then if test "$ENABLED_FIPS" = "no" then @@ -1183,7 +1205,7 @@ then fi # sp-math is incompatible with opensslextra, ECC custom curves, and DSA. - if test "$ENABLED_SP_MATH" = "no" + if test "$ENABLED_SP_MATH" != "yes" then test "$enable_dsa" = "" && test "$enable_sha" != "no" && enable_dsa=yes if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -le 5; then @@ -9848,7 +9870,7 @@ if test "x$ENABLED_LINUXKM" = "xyes"; then if test "$ENABLED_SMALL_STACK" != "yes"; then AC_MSG_ERROR([--enable-smallstack is required for --enable-linuxkm.]) fi - if test "$ENABLED_SP_MATH" = "no" && test "$ENABLED_SP_MATH_ALL" = "no" && test "$ENABLED_BIGNUM" != "no"; then + if test "$ENABLED_SP_MATH" != "yes" && test "$ENABLED_SP_MATH_ALL" = "no" && test "$ENABLED_BIGNUM" != "no"; then AC_MSG_ERROR([--enable-sp-math or --enable-sp-math-all is required for --enable-linuxkm.]) fi if test "$ENABLED_STACKSIZE" != "no"; then @@ -10320,7 +10342,7 @@ if test "$ENABLED_SP_MATH_ALL" != "no" then ENABLED_SP_MATH_DESC="all" else - if test "$ENABLED_SP_MATH" != "no" + if test "$ENABLED_SP_MATH" = "yes" then ENABLED_SP_MATH_DESC="restricted" else From 37acac2eb3b272bf3aeaab44219be560f908b499 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 4 Dec 2024 18:42:48 -0600 Subject: [PATCH 2/8] configure.ac: fix SC1105 ("Shells disambiguate (( differently or not at all."). --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 94d4b3516..24775bd1b 100644 --- a/configure.ac +++ b/configure.ac @@ -701,7 +701,7 @@ fi # MATH LIBRARY SELECTION # Assure consistency of defaults -if test "$DEF_FAST_MATH" = "yes" && ((test "$enable_sp_math" != "no" && test "$enable_sp_math" != "") || test "$enable_heapmath" = "yes") +if test "$DEF_FAST_MATH" = "yes" && ( (test "$enable_sp_math" != "no" && test "$enable_sp_math" != "") || test "$enable_heapmath" = "yes") then DEF_FAST_MATH=no fi From 3dcc12b30a80cac583349b201ff9673ab7295e88 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 4 Dec 2024 18:32:27 -0600 Subject: [PATCH 3/8] wolfssl/wolfcrypt/types.h and wolfssl/wolfcrypt/hash.h: define WOLF_AGG_DUMMY_MEMBER, pivoting on HAVE_EMPTY_AGGREGATES, and use WOLF_AGG_DUMMY_MEMBER in wc_Hashes. --- wolfssl/wolfcrypt/hash.h | 1 + wolfssl/wolfcrypt/types.h | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/wolfssl/wolfcrypt/hash.h b/wolfssl/wolfcrypt/hash.h index edbc949bc..ee001a98b 100644 --- a/wolfssl/wolfcrypt/hash.h +++ b/wolfssl/wolfcrypt/hash.h @@ -119,6 +119,7 @@ typedef union { #ifdef WOLFSSL_SM3 wc_Sm3 sm3; #endif + WOLF_AGG_DUMMY_MEMBER; } wc_Hashes; #ifndef NO_HASH_WRAPPER diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index d2a9dc44f..a90a9fe16 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -135,6 +135,44 @@ decouple library dependencies with standard string, memory and so on. #endif #endif + #ifndef HAVE_EMPTY_AGGREGATES + /* The C standards don't define empty aggregates, but gcc and clang do. + * We need to accommodate them for one of the same reasons C++ does -- + * templates that conditionally result in empty aggregates, e.g. in + * hash.h. + */ + #if !defined(WOLF_C89) && defined(__GNUC__) && \ + !defined(__STRICT_ANSI__) && \ + HAVE_ANONYMOUS_INLINE_AGGREGATES + 0 == 1 + #define HAVE_EMPTY_AGGREGATES 1 + #else + #define HAVE_EMPTY_AGGREGATES 0 + #endif + #endif + + #define _WOLF_AGG_DUMMY_MEMBER_HELPER2(a, b, c) a ## b ## c + #define _WOLF_AGG_DUMMY_MEMBER_HELPER(a, b, c) _WOLF_AGG_DUMMY_MEMBER_HELPER2(a, b, c) + #if HAVE_EMPTY_AGGREGATES + 0 == 1 + /* swallow the semicolon with a zero-sized array (language extension + * specific to gcc/clang). + */ + #define WOLF_AGG_DUMMY_MEMBER \ + struct { \ + PRAGMA_GCC_DIAG_PUSH \ + PRAGMA_GCC("GCC diagnostic ignored \"-Wpedantic\"") \ + PRAGMA_CLANG_DIAG_PUSH \ + PRAGMA_CLANG("clang diagnostic ignored \"-Wzero-length-array\"") \ + byte _WOLF_AGG_DUMMY_MEMBER_HELPER(_wolf_L, __LINE__, _agg_dummy_member)[0]; \ + PRAGMA_CLANG_DIAG_POP \ + PRAGMA_GCC_DIAG_POP \ + } + #else + /* Use a single byte with a constructed name as a dummy member -- these + * are the standard semantics of an empty structure in C++. + */ + #define WOLF_AGG_DUMMY_MEMBER char _WOLF_AGG_DUMMY_MEMBER_HELPER(_wolf_L, __LINE__, _agg_dummy_member) + #endif + /* helpers for stringifying the expanded value of a macro argument rather * than its literal text: */ From 27e0df040fac8b5c8138b656fde218284626c957 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 4 Dec 2024 20:02:12 -0600 Subject: [PATCH 4/8] src/ssl_crypto.c: revert FIPS gate threshold in wolfSSL_AES_decrypt() changed in d85c108952 -- original value was correct, misdiagnosed by faulty test. --- src/ssl_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl_crypto.c b/src/ssl_crypto.c index 6907822a6..f2ff78193 100644 --- a/src/ssl_crypto.c +++ b/src/ssl_crypto.c @@ -3041,7 +3041,7 @@ void wolfSSL_AES_decrypt(const unsigned char* input, unsigned char* output, } else #if !defined(HAVE_SELFTEST) && \ - (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION3_GE(5,2,1))) + (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION3_GE(5,3,0))) /* Decrypt a block with wolfCrypt AES. */ if (wc_AesDecryptDirect((Aes*)key, output, input) != 0) { WOLFSSL_MSG("wc_AesDecryptDirect failed"); From aec0345f90d3b37f107c7e11df8eb2522afbc7c4 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 4 Dec 2024 21:09:03 -0600 Subject: [PATCH 5/8] update fips-check.sh for cert #4718: remap linuxv5 as an alias for linuxv5.2.1, and add linuxv5-RC12. --- fips-check.sh | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/fips-check.sh b/fips-check.sh index 5ee63a704..215a5fc6a 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -144,8 +144,8 @@ marvell-linux-selftest) 'wolfssl/wolfcrypt/sha512.h:v4.1.0-stable' ) ;; -linuxv5) - FIPS_OPTION='v5' +linuxv5-RC12) + FIPS_OPTION='v5-RC12' FIPS_FILES=( 'wolfcrypt/src/fips.c:WCv5.2.0.1-RC01' 'wolfcrypt/src/fips_test.c:WCv5.0-RC12' @@ -186,7 +186,7 @@ linuxv5) 'wolfssl/wolfcrypt/sha512.h:WCv5.0-RC12' ) ;; -linuxv5.2.1) +linuxv5|linuxv5.2.1) FIPS_OPTION='v5' FIPS_FILES=( 'wolfcrypt/src/fips.c:v5.2.1-stable' @@ -321,7 +321,11 @@ v6.0.0) ) ;; fips-ready|fips-dev) - FIPS_OPTION='ready' + if [ "$FLAVOR" = 'fips-dev' ]; then + FIPS_OPTION='dev' + else + FIPS_OPTION='ready' + fi FIPS_FILES=( 'wolfcrypt/src/fips.c:master' 'wolfcrypt/src/fips_test.c:master' @@ -330,7 +334,6 @@ fips-ready|fips-dev) 'wolfssl/wolfcrypt/fips.h:master' ) WOLFCRYPT_FILES=() - if [ "$FLAVOR" = 'fips-dev' ]; then FIPS_OPTION='dev'; fi ;; wolfrand) FIPS_OPTION='rand' From 447d5ea6ee8733f73fcdaab791ddb834b0b2b4ca Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 5 Dec 2024 15:39:16 -0600 Subject: [PATCH 6/8] fips-check.sh: add support for WOLFSSL_REPO and noautogen option; tweak git fetching to keep wolfssl and fips tags distinct, and fetch all needed tags by name to assure availability for checkout. also, hide stdout noise from pushd/popd. --- fips-check.sh | 50 +++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 43 insertions(+), 7 deletions(-) diff --git a/fips-check.sh b/fips-check.sh index 215a5fc6a..7d0e58899 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -18,7 +18,9 @@ FLAVOR="${FLAVOR:-linux}" KEEP="${KEEP:-no}" MAKECHECK=${MAKECHECK:-yes} DOCONFIGURE=${DOCONFIGURE:-yes} +DOAUTOGEN=${DOAUTOGEN:-yes} FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}" +WOLFSSL_REPO="${WOLFSSL_REPO:-origin}" Usage() { cat </dev/null +declare -A FIPS_TAGS_NEEDED WOLFCRYPT_TAGS_NEEDED +for file_entry in "${WOLFCRYPT_FILES[@]}"; do + WOLFCRYPT_TAGS_NEEDED["${file_entry#*:}"]=1 +done +for file_entry in "${FIPS_FILES[@]}"; do + FIPS_TAGS_NEEDED["${file_entry#*:}"]=1 +done + +echo "wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):" +for tag in "${!WOLFCRYPT_TAGS_NEEDED[@]}"; do + if $GIT describe --exact-match --long "$tag" 2>/dev/null; then + continue + fi + if ! $GIT fetch --depth 1 "$WOLFSSL_REPO" tag "$tag"; then + echo "Can't fetch wolfCrypt tag: $tag" + exit 1 + fi +done if ! $GIT clone . "$TEST_DIR"; then echo "fips-check: Couldn't duplicate current working directory." exit 1 fi -pushd "$TEST_DIR" || exit 2 +pushd "$TEST_DIR" 1>/dev/null || exit 2 if ! $GIT clone "$FIPS_REPO" fips; then echo "fips-check: Couldn't check out FIPS repository." exit 1 fi +pushd fips 1>/dev/null || exit 2 + +echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):" +for tag in "${!FIPS_TAGS_NEEDED[@]}"; do + if $GIT describe "$tag" 2>/dev/null; then + continue + fi + if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then + echo "Can't fetch FIPS tag: $tag" + exit 1 + fi +done + +popd 1>/dev/null || exit 2 + checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3 -pushd fips || exit 2 +pushd fips 1>/dev/null || exit 2 copy_fips_files "${FIPS_FILES[@]}" || exit 3 -popd || exit 2 +popd 1>/dev/null || exit 2 # When checking out cert 3389 ready code, NIST will no longer perform # new certifications on 140-2 modules. If we were to use the latest files from @@ -464,7 +498,9 @@ if [ "$FLAVOR" = 'fipsv2-OE-ready' ] && [ -s wolfcrypt/src/fips.c ]; then fi # run the make test -./autogen.sh +if [ "$DOAUTOGEN" = "yes" ]; then + ./autogen.sh +fi if [ "$DOCONFIGURE" = "yes" ]; then case "$FIPS_OPTION" in @@ -502,7 +538,7 @@ if [ "$DOCONFIGURE" = "yes" ]; then fi # Clean up -popd || exit 2 +popd 1>/dev/null || exit 2 if [ "$KEEP" = 'no' ]; then rm -rf "$TEST_DIR" fi From 0381a47d7ed1199cb5ceefc1500fb35cdc953fb5 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 6 Dec 2024 12:53:03 -0600 Subject: [PATCH 7/8] peer review: refactor HAVE_ANONYMOUS_INLINE_AGGREGATES and HAVE_EMPTY_AGGREGATES to conform to wolfssl convention -- defined() for true, !defined() for false -- while retaining ability for user override-off by passing in explicit 0 definition. --- wolfssl/wolfcrypt/cryptocb.h | 16 ++++++++-------- wolfssl/wolfcrypt/types.h | 32 ++++++++++++++++++++++---------- 2 files changed, 30 insertions(+), 18 deletions(-) diff --git a/wolfssl/wolfcrypt/cryptocb.h b/wolfssl/wolfcrypt/cryptocb.h index 93330f359..a52742f49 100644 --- a/wolfssl/wolfcrypt/cryptocb.h +++ b/wolfssl/wolfcrypt/cryptocb.h @@ -104,12 +104,12 @@ enum wc_CryptoCbCmdType { /* Crypto Information Structure for callbacks */ typedef struct wc_CryptoInfo { int algo_type; /* enum wc_AlgoType */ -#if HAVE_ANONYMOUS_INLINE_AGGREGATES +#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES union { #endif struct { int type; /* enum wc_PkType */ -#if HAVE_ANONYMOUS_INLINE_AGGREGATES +#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES union { #endif #ifndef NO_RSA @@ -279,7 +279,7 @@ typedef struct wc_CryptoInfo { int type; /* enum wc_PqcSignatureType */ } pqc_sig_check; #endif -#if HAVE_ANONYMOUS_INLINE_AGGREGATES +#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES }; #endif } pk; @@ -287,7 +287,7 @@ typedef struct wc_CryptoInfo { struct { int type; /* enum wc_CipherType */ int enc; -#if HAVE_ANONYMOUS_INLINE_AGGREGATES +#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES union { #endif #ifdef HAVE_AESGCM @@ -375,7 +375,7 @@ typedef struct wc_CryptoInfo { } des3; #endif void* ctx; -#if HAVE_ANONYMOUS_INLINE_AGGREGATES +#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES }; #endif } cipher; @@ -387,7 +387,7 @@ typedef struct wc_CryptoInfo { const byte* in; word32 inSz; byte* digest; -#if HAVE_ANONYMOUS_INLINE_AGGREGATES +#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES union { #endif #ifndef NO_SHA @@ -409,7 +409,7 @@ typedef struct wc_CryptoInfo { wc_Sha3* sha3; #endif void* ctx; -#if HAVE_ANONYMOUS_INLINE_AGGREGATES +#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES }; #endif } hash; @@ -454,7 +454,7 @@ typedef struct wc_CryptoInfo { void *ctx; } cmd; #endif -#if HAVE_ANONYMOUS_INLINE_AGGREGATES +#ifdef HAVE_ANONYMOUS_INLINE_AGGREGATES }; #endif } wc_CryptoInfo; diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index a90a9fe16..5fb14b88a 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -123,36 +123,49 @@ decouple library dependencies with standard string, memory and so on. #ifndef HAVE_ANONYMOUS_INLINE_AGGREGATES /* if a version is available, pivot on the version, otherwise guess it's - * allowed, subject to override. + * disallowed, subject to override. */ #if !defined(WOLF_C89) && (!defined(__STDC__) \ || (!defined(__STDC_VERSION__) && !defined(__cplusplus)) \ || (defined(__STDC_VERSION__) && (__STDC_VERSION__ >= 201101L)) \ || (defined(__cplusplus) && (__cplusplus >= 201103L))) #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1 - #else - #define HAVE_ANONYMOUS_INLINE_AGGREGATES 0 #endif + #elif ~(~HAVE_ANONYMOUS_INLINE_AGGREGATES + 1) == 1 + /* forced on with empty value -- remap to 1 */ + #undef HAVE_ANONYMOUS_INLINE_AGGREGATES + #define HAVE_ANONYMOUS_INLINE_AGGREGATES 1 + #elif HAVE_ANONYMOUS_INLINE_AGGREGATES + /* forced on with explicit nonzero value -- leave as-is. */ + #else + /* forced off with explicit zero value -- remap to undef. */ + #undef HAVE_ANONYMOUS_INLINE_AGGREGATES #endif #ifndef HAVE_EMPTY_AGGREGATES /* The C standards don't define empty aggregates, but gcc and clang do. * We need to accommodate them for one of the same reasons C++ does -- - * templates that conditionally result in empty aggregates, e.g. in - * hash.h. + * conditionally empty aggregates, e.g. in hash.h. */ #if !defined(WOLF_C89) && defined(__GNUC__) && \ !defined(__STRICT_ANSI__) && \ - HAVE_ANONYMOUS_INLINE_AGGREGATES + 0 == 1 + defined(HAVE_ANONYMOUS_INLINE_AGGREGATES) #define HAVE_EMPTY_AGGREGATES 1 - #else - #define HAVE_EMPTY_AGGREGATES 0 #endif + #elif ~(~HAVE_EMPTY_AGGREGATES + 1) == 1 + /* forced on with empty value -- remap to 1 */ + #undef HAVE_EMPTY_AGGREGATES + #define HAVE_EMPTY_AGGREGATES 1 + #elif HAVE_EMPTY_AGGREGATES + /* forced on with explicit nonzero value -- leave as-is. */ + #else + /* forced off with explicit zero value -- remap to undef. */ + #undef HAVE_EMPTY_AGGREGATES #endif #define _WOLF_AGG_DUMMY_MEMBER_HELPER2(a, b, c) a ## b ## c #define _WOLF_AGG_DUMMY_MEMBER_HELPER(a, b, c) _WOLF_AGG_DUMMY_MEMBER_HELPER2(a, b, c) - #if HAVE_EMPTY_AGGREGATES + 0 == 1 + #ifdef HAVE_EMPTY_AGGREGATES /* swallow the semicolon with a zero-sized array (language extension * specific to gcc/clang). */ @@ -185,7 +198,6 @@ decouple library dependencies with standard string, memory and so on. * without disrupting clean flow/syntax when some enum values are * preprocessor-gated. */ - #define WC_VALUE_OF(x) x #if defined(WOLF_C89) || defined(WOLF_NO_TRAILING_ENUM_COMMAS) #define _WOLF_ENUM_DUMMY_LAST_ELEMENT_HELPER2(a, b, c, d, e) a ## b ## c ## d ## e #define _WOLF_ENUM_DUMMY_LAST_ELEMENT_HELPER(a, b, c, d, e) _WOLF_ENUM_DUMMY_LAST_ELEMENT_HELPER2(a, b, c, d, e) From 0ad072a34b68cd50da2739ee626b8162ca8a86e8 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 6 Dec 2024 13:01:10 -0600 Subject: [PATCH 8/8] src/internal.c: in HashSkeData(), remove unneeded logically faulty nullness check around XFREE(ssl->buffers.digest.buffer, ...). --- src/internal.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/internal.c b/src/internal.c index 10e5867b6..f8d014b30 100644 --- a/src/internal.c +++ b/src/internal.c @@ -29851,11 +29851,9 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType, ssl->buffers.digest.length = (unsigned int)digest_sz; /* buffer for hash */ - if (!ssl->buffers.digest.buffer) { - if (!ssl->options.dontFreeDigest) { - XFREE(ssl->buffers.digest.buffer, ssl->heap, - DYNAMIC_TYPE_DIGEST); - } + if (!ssl->options.dontFreeDigest) { + XFREE(ssl->buffers.digest.buffer, ssl->heap, + DYNAMIC_TYPE_DIGEST); } ssl->options.dontFreeDigest = 0;