Fixes for FIPS, sniffer (w/o enc keys), scan-build issues and backwards compatability.

2025-08-02 20:24:39 +02:00 · 2018-04-02 16:25:27 -07:00
parent 9be11bf62c
commit 2c72f72752
6 changed files with 47 additions and 16 deletions
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -1300,9 +1300,11 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port,

    if (name == NULL) {
        if (password) {
+    #ifdef WOLFSSL_ENCRYPTED_KEYS
            SSL_CTX_set_default_passwd_cb(sniffer->ctx, SetPassword);
            SSL_CTX_set_default_passwd_cb_userdata(
                                                 sniffer->ctx, (void*)password);
+    #endif
        }
        ret = SSL_CTX_use_PrivateKey_file(sniffer->ctx, keyFile, type);
        if (ret != WOLFSSL_SUCCESS) {
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -11816,7 +11816,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
                       const byte* data, int sz, int count, byte* key, byte* iv)
    {
        int ret;
-        int hashType;
+        int hashType = WC_HASH_TYPE_NONE;
    #ifdef WOLFSSL_SMALL_STACK
        EncryptedInfo* info = NULL;
    #else
--- a/wolfcrypt/src/pwdbased.c
+++ b/wolfcrypt/src/pwdbased.c
@@ -97,25 +97,31 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
    while (keyOutput < (keyLen + ivLen)) {
        digestLeft = diestLen;
        /* D_(i - 1) */
-        if (keyOutput) /* first time D_0 is empty */
+        if (keyOutput) { /* first time D_0 is empty */
            err = wc_HashUpdate(hash, hashT, digest, diestLen);
+            if (err != 0) break;
+        }

        /* data */
-        if (err == 0)
-            err = wc_HashUpdate(hash, hashT, passwd, passwdLen);
-        /* salt */
-        if (salt && err == 0)
-            err = wc_HashUpdate(hash, hashT, salt, saltLen);
+        err = wc_HashUpdate(hash, hashT, passwd, passwdLen);
+        if (err != 0) break;

-        if (err == 0)
-            err = wc_HashFinal(hash, hashT, digest);
+        /* salt */
+        if (salt) {
+            err = wc_HashUpdate(hash, hashT, salt, saltLen);
+            if (err != 0) break;
+        }
+
+        err = wc_HashFinal(hash, hashT, digest);
+        if (err != 0) break;

        /* count */
-        if (err == 0) {
-            for (i = 1; i < iterations; i++) {
-                err = wc_HashUpdate(hash, hashT, digest, diestLen);
-                err = wc_HashFinal(hash, hashT, digest);
-            }
+        for (i = 1; i < iterations; i++) {
+            err = wc_HashUpdate(hash, hashT, digest, diestLen);
+            if (err != 0) break;
+
+            err = wc_HashFinal(hash, hashT, digest);
+            if (err != 0) break;
        }

        if (keyLeft) {
@@ -141,10 +147,13 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
    XFREE(hash, heap, DYNAMIC_TYPE_HASHCTX);
 #endif

+    if (err != 0)
+        return err;
+
    if (keyOutput != (keyLen + ivLen))
        return BUFFER_E;

-    return 0;
+    return err;
 }

 /* PKCS#5 v1.5 */
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1151,6 +1151,18 @@ enum Misc {
    MAX_REQUEST_SZ      = 256, /* Maximum cert req len (no auth yet */
    SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */

+#ifdef HAVE_FIPS
+    /* these moved into wolfCrypt, but kept here for backwards compatibility with FIPS */
+    RC4_KEY_SIZE        = 16,  /* always 128bit           */
+    DES_KEY_SIZE        =  8,  /* des                     */
+    DES3_KEY_SIZE       = 24,  /* 3 des ede               */
+    DES_IV_SIZE         = DES_BLOCK_SIZE,
+    AES_256_KEY_SIZE    = 32,  /* for 256 bit             */
+    AES_192_KEY_SIZE    = 24,  /* for 192 bit             */
+    AES_IV_SIZE         = 16,  /* always block size       */
+    AES_128_KEY_SIZE    = 16,  /* for 128 bit             */
+#endif
+
    AEAD_SEQ_OFFSET     = 4,   /* Auth Data: Sequence number */
    AEAD_TYPE_OFFSET    = 8,   /* Auth Data: Type            */
    AEAD_VMAJ_OFFSET    = 9,   /* Auth Data: Major Version   */
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@@ -76,8 +76,8 @@ enum {
    AES_BLOCK_SIZE = 16,

    AES_128_KEY_SIZE    = 16,  /* for 128 bit             */
-    AES_256_KEY_SIZE    = 32,  /* for 256 bit             */
    AES_192_KEY_SIZE    = 24,  /* for 192 bit             */
+    AES_256_KEY_SIZE    = 32,  /* for 256 bit             */
    AES_IV_SIZE         = 16,  /* always block size       */
 };

--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -1658,6 +1658,14 @@ extern void uITRON4_free(void *p) ;
    #define WOLFSSL_DER_TO_PEM
 #endif

+/* keep backwards compatibility enabling encrypted private key */
+#ifndef WOLFSSL_ENCRYPTED_KEYS
+    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+        defined(HAVE_WEBSERVER)
+        #define WOLFSSL_ENCRYPTED_KEYS
+    #endif
+#endif
+
 #ifdef __cplusplus
    }   /* extern "C" */
 #endif