From 6ee660841b01e8a28dae6d9e976bf66ffee267e9 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 16 Oct 2025 15:04:47 -0500 Subject: [PATCH 1/3] fixes/workarounds for -Wnull-dereferences, some true positive, some false positive: * src/pk.c:wolfSSL_RSA_meth_new() * tests/api.c:test_wolfSSL_PKCS7_certs() * tests/api.c:test_wolfSSL_X509V3_EXT_get() * wolfcrypt/src/asn.c:EncodeName() * wolfcrypt/src/pkcs12.c:wc_i2d_PKCS12() * wolfcrypt/src/port/af_alg/afalg_aes.c --- src/pk.c | 32 +++++++++++++-------------- tests/api.c | 10 +++++---- wolfcrypt/src/asn.c | 9 +++++--- wolfcrypt/src/pkcs12.c | 6 +++-- wolfcrypt/src/port/af_alg/afalg_aes.c | 20 +++++++++++++++++ 5 files changed, 52 insertions(+), 25 deletions(-) diff --git a/src/pk.c b/src/pk.c index 113112f1f..8f07a679c 100644 --- a/src/pk.c +++ b/src/pk.c @@ -970,23 +970,23 @@ WOLFSSL_RSA_METHOD *wolfSSL_RSA_meth_new(const char *name, int flags) int err; /* Validate name is not NULL. */ - err = (name == NULL); - if (!err) { - /* Allocate an RSA METHOD to return. */ - meth = (WOLFSSL_RSA_METHOD*)XMALLOC(sizeof(WOLFSSL_RSA_METHOD), NULL, - DYNAMIC_TYPE_OPENSSL); - err = (meth == NULL); - } - if (!err) { - XMEMSET(meth, 0, sizeof(*meth)); - meth->flags = flags; - meth->dynamic = 1; + if (name == NULL) + return NULL; + /* Allocate an RSA METHOD to return. */ + meth = (WOLFSSL_RSA_METHOD*)XMALLOC(sizeof(WOLFSSL_RSA_METHOD), NULL, + DYNAMIC_TYPE_OPENSSL); + if (meth == NULL) + return NULL; + + XMEMSET(meth, 0, sizeof(*meth)); + meth->flags = flags; + meth->dynamic = 1; + + name_len = (int)XSTRLEN(name); + meth->name = (char*)XMALLOC((size_t)(name_len + 1), NULL, + DYNAMIC_TYPE_OPENSSL); + err = (meth->name == NULL); - name_len = (int)XSTRLEN(name); - meth->name = (char*)XMALLOC((size_t)(name_len + 1), NULL, - DYNAMIC_TYPE_OPENSSL); - err = (meth->name == NULL); - } if (!err) { XMEMCPY(meth->name, name, (size_t)(name_len + 1)); } diff --git a/tests/api.c b/tests/api.c index 44e3fabe2..fe32649b1 100644 --- a/tests/api.c 
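Review bot: In wolfSSL_RSA_meth_new() the name length is still narrowed with `name_len = (int)XSTRLEN(name);` and then widened again for both the allocation and the copy, so a name longer than INT_MAX would make `name_len + 1` overflow a signed int. Keeping the size in a `size_t`, for example `size_t name_sz = XSTRLEN(name) + 1;` used for both XMALLOC and XMEMCPY, removes the casts and the overflow; the declaration of name_len is outside the hunk, so its type is inferred from the cast. The function now also mixes early `return NULL` with the `err` flag that the rest of the body (which continues past the hunk) still tests, so a short comment such as `/* err now only tracks the name allocation */` would help the next reader.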
+++ b/tests/api.c @@ -20116,8 +20116,8 @@ static int test_wolfSSL_PKCS7_certs(void) while (EXPECT_SUCCESS() && (sk_X509_INFO_num(info_sk) > 0)) { X509_INFO* info = NULL; ExpectNotNull(info = sk_X509_INFO_shift(info_sk)); - ExpectIntGT(sk_X509_push(sk, info->x509), 0); - if (EXPECT_SUCCESS() && (info != NULL)) { + if (info != NULL) { + ExpectIntGT(sk_X509_push(sk, info->x509), 0); info->x509 = NULL; } X509_INFO_free(info); @@ -32422,8 +32422,10 @@ static int test_wolfSSL_X509V3_EXT_get(void) ExpectIntNE((extNid = ext->obj->nid), NID_undef); ExpectNotNull(method = wolfSSL_X509V3_EXT_get(ext)); ExpectIntEQ(method->ext_nid, extNid); - if (method->ext_nid == NID_subject_key_identifier) { - ExpectNotNull(method->i2s); + if (EXPECT_SUCCESS()) { + if (method->ext_nid == NID_subject_key_identifier) { + ExpectNotNull(method->i2s); + } } } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index cddb408f3..55ab98ffd 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -29922,6 +29922,9 @@ static int EncodeName(EncodedName* name, const char* nameStr, name->used = 0; return 0; } + nameSz = (word32)cname->custom.valSz; + oid = cname->custom.oid; + oidSz = (word32)cname->custom.oidSz; } #else (void)cname; @@ -29961,9 +29964,9 @@ static int EncodeName(EncodedName* name, const char* nameStr, break; #ifdef WOLFSSL_CUSTOM_OID case ASN_CUSTOM_NAME: - nameSz = (word32)cname->custom.valSz; - oid = cname->custom.oid; - oidSz = (word32)cname->custom.oidSz; + /* oid setup is above (mitigating false positive + * -Wnull-dereference). + */ break; #endif #ifdef WOLFSSL_CERT_REQ diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index 516ef654e..de368ac5a 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c 
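Review bot: In the test_wolfSSL_PKCS7_certs() loop, `info->x509 = NULL;` now runs whenever info is non-NULL, including when `sk_X509_push()` did not succeed. On that path the certificate is detached from info without being owned by sk, so X509_INFO_free(info) can no longer release it. The removed code cleared the pointer only under `EXPECT_SUCCESS()`. Guarding just the hand-off keeps the NULL check the warning needs: `if (EXPECT_SUCCESS()) info->x509 = NULL;` placed after the push. This only affects the failing-test path, but a leak checker run on the test suite would then report a leak on top of the original failure.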
@@ -977,8 +977,10 @@ int wc_i2d_PKCS12(WC_PKCS12* pkcs12, byte** der, int* derSz) totalSz += seqSz; /* check if getting length only */ - if (der == NULL && derSz != NULL) { - *derSz = (int)totalSz; + if (der == NULL) { + /* repeat nullness check locally to mollify -Wnull-dereference. */ + if (derSz != NULL) + *derSz = (int)totalSz; XFREE(sdBuf, pkcs12->heap, DYNAMIC_TYPE_PKCS); return WC_NO_ERR_TRACE(LENGTH_ONLY_E); } diff --git a/wolfcrypt/src/port/af_alg/afalg_aes.c b/wolfcrypt/src/port/af_alg/afalg_aes.c index 9e46bc0bb..aec42527e 100644 --- a/wolfcrypt/src/port/af_alg/afalg_aes.c +++ b/wolfcrypt/src/port/af_alg/afalg_aes.c @@ -186,6 +186,10 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, if ((sz / WC_AES_BLOCK_SIZE) > 0) { /* update IV */ cmsg = CMSG_FIRSTHDR(&(aes->msg)); + if (cmsg == NULL) { + WOLFSSL_MSG("CMSG_FIRSTHDR() in wc_AesCbcEncrypt() returned NULL unexpectedly."); + return SYSLIB_FAILED_E; + } ret = wc_Afalg_SetIv(CMSG_NXTHDR(&(aes->msg), cmsg), (byte*)(aes->reg), AES_IV_SIZE); if (ret < 0) { @@ -245,6 +249,10 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, if ((sz / WC_AES_BLOCK_SIZE) > 0) { /* update IV */ cmsg = CMSG_FIRSTHDR(&(aes->msg)); + if (cmsg == NULL) { + WOLFSSL_MSG("CMSG_FIRSTHDR() in wc_AesCbcDecrypt() returned NULL unexpectedly."); + return SYSLIB_FAILED_E; + } ret = wc_Afalg_SetIv(CMSG_NXTHDR(&(aes->msg), cmsg), (byte*)(aes->reg), AES_IV_SIZE); if (ret != 0) { @@ -397,6 +405,10 @@ int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen, /* update IV */ cmsg = CMSG_FIRSTHDR(&(aes->msg)); + if (cmsg == NULL) { + WOLFSSL_MSG("CMSG_FIRSTHDR() in wc_AesCtrEncrypt() returned NULL unexpectedly."); + return SYSLIB_FAILED_E; + } ret = wc_Afalg_SetIv(CMSG_NXTHDR(&(aes->msg), cmsg), (byte*)(aes->reg), AES_IV_SIZE); if (ret < 0) { 
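Review bot: The rewritten length-only branch in wc_i2d_PKCS12() changes behaviour when both `der` and `derSz` are NULL. The old condition `der == NULL && derSz != NULL` fell through, while the new `if (der == NULL)` frees sdBuf and returns LENGTH_ONLY_E without having reported any length. The added comment describes the inner test only as a warning workaround, so this change is undocumented. If no earlier argument check (outside this hunk) already rejects a NULL derSz, returning an argument error would be clearer, e.g. `if (derSz == NULL) { XFREE(sdBuf, pkcs12->heap, DYNAMIC_TYPE_PKCS); return BAD_FUNC_ARG; }`; otherwise the comment should state that derSz cannot be NULL here.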
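Review bot: The new guards in the CBC encrypt, CBC decrypt and CTR hunks of afalg_aes.c check only the result of `CMSG_FIRSTHDR()`. The value of `CMSG_NXTHDR(&(aes->msg), cmsg)` is still passed straight to wc_Afalg_SetIv() unchecked, whereas the wc_AesGcmEncrypt() hunk further down tests both headers. Whether wc_Afalg_SetIv() tolerates a NULL header is not visible here, so for consistency I would assign the second header back and test it before the call: `cmsg = CMSG_NXTHDR(&(aes->msg), cmsg); if (cmsg == NULL) return SYSLIB_FAILED_E;`. This applies to all three hunks. The early returns also leave these functions mid-body, and the bodies continue outside the hunks, so it is worth confirming that nothing acquired earlier needs releasing on that path.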
@@ -613,7 +625,15 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, msg = &(aes->msg); cmsg = CMSG_FIRSTHDR(msg); + if (cmsg == NULL) { + WOLFSSL_MSG("CMSG_FIRSTHDR() in wc_AesGcmEncrypt() returned NULL unexpectedly."); + return SYSLIB_FAILED_E; + } cmsg = CMSG_NXTHDR(msg, cmsg); + if (cmsg == NULL) { + WOLFSSL_MSG("CMSG_NEXTHDR() in wc_AesGcmEncrypt() returned NULL unexpectedly."); + return SYSLIB_FAILED_E; + } /* set IV and AAD size */ ret = wc_Afalg_SetIv(cmsg, (byte*)iv, ivSz); From d6aa15718751d8cae972a323efded57d91347a1b Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 16 Oct 2025 15:05:46 -0500 Subject: [PATCH 2/3] fixes for OPENSSL_COEXIST covering OPENSSL_COMPATIBLE_DEFAULTS and WOLFSSL_WPAS: * src/ssl.c:wolfSSL_CTX_new_ex() * src/x509.c:wolfSSL_X509_PUBKEY_set() --- src/ssl.c | 4 ++-- src/x509.c | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 395a2a84e..daa9b6dc7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1153,8 +1153,8 @@ WOLFSSL_CTX* wolfSSL_CTX_new_ex(WOLFSSL_METHOD* method, void* heap) #ifdef OPENSSL_COMPATIBLE_DEFAULTS if (ctx) { - wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); - wolfSSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL); + wolfSSL_CTX_set_mode(ctx, WOLFSSL_MODE_AUTO_RETRY); if (wolfSSL_CTX_set_min_proto_version(ctx, (method->version.major == DTLS_MAJOR) ? DTLS1_VERSION : SSL3_VERSION) != WOLFSSL_SUCCESS || diff --git a/src/x509.c b/src/x509.c index 0db853a33..988cb32ba 100644 --- a/src/x509.c +++ b/src/x509.c 
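Review bot: The second log message added in the wc_AesGcmEncrypt() hunk names a macro that does not exist, `CMSG_NEXTHDR()`. The call it reports on is `CMSG_NXTHDR()`, so anyone searching the source for the logged name will not find it. I would change the string to `"CMSG_NXTHDR() in wc_AesGcmEncrypt() returned NULL unexpectedly."`. The function body starts before and continues after the hunk.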
@@ -10195,18 +10195,18 @@ int wolfSSL_X509_PUBKEY_set(WOLFSSL_X509_PUBKEY **x, WOLFSSL_EVP_PKEY *key) keyTypeObj = wolfSSL_OBJ_nid2obj(key->type); if (keyTypeObj == NULL) { if (ptype == WOLFSSL_V_ASN1_OBJECT) - ASN1_OBJECT_free((WOLFSSL_ASN1_OBJECT *)pval); + wolfSSL_ASN1_OBJECT_free((WOLFSSL_ASN1_OBJECT *)pval); else - ASN1_STRING_free((WOLFSSL_ASN1_STRING *)pval); + wolfSSL_ASN1_STRING_free((WOLFSSL_ASN1_STRING *)pval); goto error; } if (!wolfSSL_X509_ALGOR_set0(pk->algor, keyTypeObj, ptype, pval)) { WOLFSSL_MSG("Failed to create algorithm object"); - ASN1_OBJECT_free(keyTypeObj); + wolfSSL_ASN1_OBJECT_free(keyTypeObj); if (ptype == WOLFSSL_V_ASN1_OBJECT) - ASN1_OBJECT_free((WOLFSSL_ASN1_OBJECT *)pval); + wolfSSL_ASN1_OBJECT_free((WOLFSSL_ASN1_OBJECT *)pval); else - ASN1_STRING_free((WOLFSSL_ASN1_STRING *)pval); + wolfSSL_ASN1_STRING_free((WOLFSSL_ASN1_STRING *)pval); goto error; } From 0c4feb0aa68e3c1a79ab9ee7d62375759baa1523 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 16 Oct 2025 16:10:54 -0500 Subject: [PATCH 3/3] wolfcrypt/src/asn.c: revert earlier changes in EncodeName(), and add local S390-specific pragma to inhibit false-positive -Wnull-dereference. --- wolfcrypt/src/asn.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 55ab98ffd..734b39be1 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -29922,9 +29922,6 @@ static int EncodeName(EncodedName* name, const char* nameStr, name->used = 0; return 0; } - nameSz = (word32)cname->custom.valSz; - oid = cname->custom.oid; - oidSz = (word32)cname->custom.oidSz; } #else (void)cname; 
@@ -29964,9 +29961,17 @@ static int EncodeName(EncodedName* name, const char* nameStr, break; #ifdef WOLFSSL_CUSTOM_OID case ASN_CUSTOM_NAME: - /* oid setup is above (mitigating false positive - * -Wnull-dereference). - */ + #ifdef __s390x__ + /* inhibit arch-specific false positive. */ + PRAGMA_GCC_DIAG_PUSH; + PRAGMA_GCC("GCC diagnostic ignored \"-Wnull-dereference\""); + #endif + nameSz = (word32)cname->custom.valSz; + oid = cname->custom.oid; + oidSz = (word32)cname->custom.oidSz; + #ifdef __s390x__ + PRAGMA_GCC_DIAG_POP; + #endif break; #endif #ifdef WOLFSSL_CERT_REQ
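Review bot: The suppression added around the ASN_CUSTOM_NAME case in EncodeName() turns off -Wnull-dereference for three reads through `cname`, but the comment `/* inhibit arch-specific false positive. */` does not say why the pointer cannot be NULL at this point. The guard it relies on is presumably the earlier custom-name check whose tail appears in the previous hunk, but that condition is outside the visible lines. I would spell the invariant out, e.g. `/* cname was checked non-NULL for ASN_CUSTOM_NAME earlier in this function; GCC on s390x still warns here. */`, so that a later change to the earlier check is not silently hidden by the pragma. Keying the suppression on `__s390x__` alone also applies it to every compiler version on that architecture.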