From 2c72f72752f0c46ca550b3e2419032608b3d5961 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Mon, 2 Apr 2018 16:25:27 -0700
Subject: [PATCH] Fixes for FIPS, sniffer (w/o enc keys), scan-build issues and backwards compatability.
---
 src/sniffer.c | 2 ++
 src/ssl.c | 2 +-
 wolfcrypt/src/pwdbased.c | 37 ++++++++++++++++++++++--------------
 wolfssl/internal.h | 12 ++++++++++++
 wolfssl/wolfcrypt/aes.h | 2 +-
 wolfssl/wolfcrypt/settings.h | 8 ++++++++
 6 files changed, 47 insertions(+), 16 deletions(-)
diff --git a/src/sniffer.c b/src/sniffer.c
index a9d4bdca4..f619b0d2f 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
@@ -1300,9 +1300,11 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port,
 if (name == NULL) {
 if (password) {
+ #ifdef WOLFSSL_ENCRYPTED_KEYS
 SSL_CTX_set_default_passwd_cb(sniffer->ctx, SetPassword);
 SSL_CTX_set_default_passwd_cb_userdata(
 sniffer->ctx, (void*)password);
+ #endif
 }
 ret = SSL_CTX_use_PrivateKey_file(sniffer->ctx, keyFile, type);
 if (ret != WOLFSSL_SUCCESS) {
diff --git a/src/ssl.c b/src/ssl.c
index 68a279a6a..ac7c271c7 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -11816,7 +11816,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 const byte* data, int sz, int count, byte* key, byte* iv)
 {
 int ret;
- int hashType;
+ int hashType = WC_HASH_TYPE_NONE;
 #ifdef WOLFSSL_SMALL_STACK
 EncryptedInfo* info = NULL;
 #else
diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c
index 798b7c8d5..29f8786f6 100755
--- a/wolfcrypt/src/pwdbased.c
+++ b/wolfcrypt/src/pwdbased.c
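Review bot: In src/sniffer.c, when WOLFSSL_ENCRYPTED_KEYS is not defined the `if (password)` body compiles to nothing, so a caller-supplied password is dropped without any diagnostic and the following `SSL_CTX_use_PrivateKey_file` call will simply fail on an encrypted key. An `#else` branch that reports the condition would make the misconfiguration visible, or at minimum a comment such as `/* password ignored: built without WOLFSSL_ENCRYPTED_KEYS */`. The settings.h hunk in this commit turns the macro on only for OPENSSL_EXTRA, OPENSSL_EXTRA_X509_SMALL and HAVE_WEBSERVER, so a sniffer-only build presumably takes this path. If `SetPassword` is a static helper referenced only here, it may need the same guard to avoid an unused-function warning; its definition is outside the hunk.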
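Review bot: In src/ssl.c, initialising `hashType` to `WC_HASH_TYPE_NONE` quiets the analyzer, but any path further down that leaves it unassigned would now carry a defined yet meaningless hash type into key derivation instead of producing a warning. The code that assigns `hashType` is outside this hunk, so please confirm that an unrecognised `md` ends in an explicit error return before the value is used. If it does, a short comment at the declaration such as `/* assigned below; NONE must be rejected before use */` would record why the initializer is safe.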
@@ -97,25 +97,31 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
 while (keyOutput < (keyLen + ivLen)) {
 digestLeft = diestLen;
 /* D_(i - 1) */
- if (keyOutput) /* first time D_0 is empty */
+ if (keyOutput) { /* first time D_0 is empty */
 err = wc_HashUpdate(hash, hashT, digest, diestLen);
+ if (err != 0) break;
+ }
 /* data */
- if (err == 0)
- err = wc_HashUpdate(hash, hashT, passwd, passwdLen);
- /* salt */
- if (salt && err == 0)
- err = wc_HashUpdate(hash, hashT, salt, saltLen);
+ err = wc_HashUpdate(hash, hashT, passwd, passwdLen);
+ if (err != 0) break;
- if (err == 0)
- err = wc_HashFinal(hash, hashT, digest);
+ /* salt */
+ if (salt) {
+ err = wc_HashUpdate(hash, hashT, salt, saltLen);
+ if (err != 0) break;
+ }
+
+ err = wc_HashFinal(hash, hashT, digest);
+ if (err != 0) break;
 /* count */
- if (err == 0) {
- for (i = 1; i < iterations; i++) {
- err = wc_HashUpdate(hash, hashT, digest, diestLen);
- err = wc_HashFinal(hash, hashT, digest);
- }
+ for (i = 1; i < iterations; i++) {
+ err = wc_HashUpdate(hash, hashT, digest, diestLen);
+ if (err != 0) break;
+
+ err = wc_HashFinal(hash, hashT, digest);
+ if (err != 0) break;
 }
 if (keyLeft) {
@@ -141,10 +147,13 @@ int wc_PBKDF1_ex(byte* key, int keyLen, byte* iv, int ivLen,
 XFREE(hash, heap, DYNAMIC_TYPE_HASHCTX);
 #endif
+ if (err != 0)
+ return err;
+
 if (keyOutput != (keyLen + ivLen))
 return BUFFER_E;
- return 0;
+ return err;
 }
 /* PKCS#5 v1.5 */
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 467289940..8b3bfd998 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
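Review bot: In wolfcrypt/src/pwdbased.c the two `break` statements added inside `for (i = 1; i < iterations; i++)` leave only that inner loop, and nothing between its closing brace and `if (keyLeft) {` re-tests `err`. A failed `wc_HashUpdate` or `wc_HashFinal` during the iteration count therefore still reaches the code that follows, and when another pass of the `while` is needed the next assignment to `err` can overwrite the failure. In that case the `if (err != 0) return err;` added in the second hunk never sees it, and the function can report success for key material that did not receive the full iteration count. Adding `if (err != 0) break;` directly after the `for` loop closes the gap. The copy-out code and the rest of the `while` body lie outside the hunk, so this reading rests on the visible lines only.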
@@ -1151,6 +1151,18 @@ enum Misc {
 MAX_REQUEST_SZ = 256, /* Maximum cert req len (no auth yet */
 SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */
+#ifdef HAVE_FIPS
+ /* these moved into wolfCrypt, but kept here for backwards compatibility with FIPS */
+ RC4_KEY_SIZE = 16, /* always 128bit */
+ DES_KEY_SIZE = 8, /* des */
+ DES3_KEY_SIZE = 24, /* 3 des ede */
+ DES_IV_SIZE = DES_BLOCK_SIZE,
+ AES_256_KEY_SIZE = 32, /* for 256 bit */
+ AES_192_KEY_SIZE = 24, /* for 192 bit */
+ AES_IV_SIZE = 16, /* always block size */
+ AES_128_KEY_SIZE = 16, /* for 128 bit */
+#endif
+
 AEAD_SEQ_OFFSET = 4, /* Auth Data: Sequence number */
 AEAD_TYPE_OFFSET = 8, /* Auth Data: Type */
 AEAD_VMAJ_OFFSET = 9, /* Auth Data: Major Version */
diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h
index a0921793b..1bed5bd27 100644
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@@ -76,8 +76,8 @@ enum {
 AES_BLOCK_SIZE = 16,
 AES_128_KEY_SIZE = 16, /* for 128 bit */
- AES_256_KEY_SIZE = 32, /* for 256 bit */
 AES_192_KEY_SIZE = 24, /* for 192 bit */
+ AES_256_KEY_SIZE = 32, /* for 256 bit */
 AES_IV_SIZE = 16, /* always block size */
 };
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index 97ab1253d..b7b561e00 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -1658,6 +1658,14 @@ extern void uITRON4_free(void *p) ;
 #define WOLFSSL_DER_TO_PEM
 #endif
+/* keep backwards compatibility enabling encrypted private key */
+#ifndef WOLFSSL_ENCRYPTED_KEYS
+ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+ defined(HAVE_WEBSERVER)
+ #define WOLFSSL_ENCRYPTED_KEYS
+ #endif
+#endif
+
 #ifdef __cplusplus
 } /* extern "C" */
 #endif
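Review bot: In wolfssl/internal.h the compatibility block lists the AES sizes as 256, 192, IV, 128, while the aes.h hunk in this same commit reorders the canonical enum to 128, 192, 256; using the same ascending order here would make the two lists easy to compare. These enumerators duplicate names that wolfssl/wolfcrypt/aes.h also declares, so the build depends on that header not exposing its enum when `HAVE_FIPS` is set, which neither hunk shows. If that is the intent, extending the comment to something like `/* FIPS builds use the validated module's headers, which lack these; keep values in sync with wolfCrypt */` would record the assumption. `DES_IV_SIZE = DES_BLOCK_SIZE` likewise assumes `DES_BLOCK_SIZE` is already declared at this point in a FIPS build.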