From f7b911f5cd1653ccf46af613f8e4732f102d85d8 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 28 Feb 2025 15:23:43 -0600 Subject: [PATCH 1/6] src/ssl.c, src/internal.c: fix leak in wolfSSL_get_ciphers_compat(): fix gating (OPENSSL_EXTRA, not OPENSSL_ALL) in FreeSuites() re .suitesStack and .clSuitesStack, and similarly fix gating on the implementation of wolfSSL_sk_SSL_CIPHER_free(() and related. src/ssl_sess: suppress false positive clang-analyzer-unix.Malloc "Argument to 'free()' is the address of a global variable". --- src/internal.c | 6 +++--- src/ssl.c | 9 ++------- src/ssl_sess.c | 2 +- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/src/internal.c b/src/internal.c index 652adc5c0..8d2a9be52 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8379,7 +8379,7 @@ void FreeKeyExchange(WOLFSSL* ssl) /* Free up all memory used by Suites structure from WOLFSSL */ void FreeSuites(WOLFSSL* ssl) { -#ifdef OPENSSL_ALL +#ifdef OPENSSL_EXTRA if (ssl->suitesStack != NULL) { /* Enough to free stack structure since WOLFSSL_CIPHER * isn't allocated separately. */ @@ -8392,8 +8392,6 @@ void FreeSuites(WOLFSSL* ssl) wolfSSL_sk_SSL_CIPHER_free(ssl->clSuitesStack); ssl->clSuitesStack = NULL; } -#endif -#ifdef OPENSSL_EXTRA XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES); ssl->clSuites = NULL; #endif @@ -25350,6 +25348,8 @@ int SendAsyncData(WOLFSSL* ssl) */ static int ssl_in_handshake(WOLFSSL *ssl, int send) { +int SendAsyncData = 1; +(void)SendAsyncData; if (IsSCR(ssl)) { if (send) { /* allow sending data in SCR */ diff --git a/src/ssl.c b/src/ssl.c index 139067aba..139e9e625 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -21264,10 +21264,7 @@ void wolfSSL_print_all_errors_fp(XFILE fp) /* Note: This is a huge section of API's - through * wolfSSL_X509_OBJECT_get0_X509_CRL */ -#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && \ - (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ - defined(HAVE_LIGHTY) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_OPENSSH) || defined(HAVE_SBLIM_SFCB))) +#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) #if defined(USE_WOLFSSL_MEMORY) && !defined(WOLFSSL_DEBUG_MEMORY) && \ !defined(WOLFSSL_STATIC_MEMORY) @@ -21676,9 +21673,7 @@ void wolfSSL_THREADID_set_numeric(void* id, unsigned long val) } #endif -#endif /* OPENSSL_ALL || (OPENSSL_EXTRA && (HAVE_STUNNEL || WOLFSSL_NGINX || - * HAVE_LIGHTY || WOLFSSL_HAPROXY || WOLFSSL_OPENSSH || - * HAVE_SBLIM_SFCB)) */ +#endif /* OPENSSL_ALL || OPENSSL_EXTRA */ #ifdef HAVE_SNI diff --git a/src/ssl_sess.c b/src/ssl_sess.c index d92db9189..6101df711 100644 --- a/src/ssl_sess.c +++ b/src/ssl_sess.c @@ -4097,7 +4097,7 @@ void wolfSSL_FreeSession(WOLFSSL_CTX* ctx, WOLFSSL_SESSION* session) ForceZero(session->sessionID, ID_LEN); if (session->type == WOLFSSL_SESSION_TYPE_HEAP) { - XFREE(session, session->heap, DYNAMIC_TYPE_SESSION); + XFREE(session, session->heap, DYNAMIC_TYPE_SESSION); /* // NOLINT(clang-analyzer-unix.Malloc) */ } } From 50a3be6df7e851a830142f5e4611b2b1f0b8861c Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 28 Feb 2025 15:29:58 -0600 Subject: [PATCH 2/6] wolfcrypt/src/sp_int.c. src/ssl_asn1.c. src/internal.c: rename several declarations to avoid shadowing global functions, for the convenience of obsolete (pre-4v8) gcc -Wshadow. --- src/internal.c | 4 ++-- src/ssl_asn1.c | 26 +++++++++++++------------- wolfcrypt/src/sp_int.c | 4 ++-- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/src/internal.c b/src/internal.c index 8d2a9be52..aa9387267 100644 --- a/src/internal.c +++ b/src/internal.c @@ -25346,12 +25346,12 @@ int SendAsyncData(WOLFSSL* ssl) * 2 in SCR and we have plain data ready * Early data logic may bypass this logic in TLSv1.3 when appropriate. */ -static int ssl_in_handshake(WOLFSSL *ssl, int send) +static int ssl_in_handshake(WOLFSSL *ssl, int sending_data) { int SendAsyncData = 1; (void)SendAsyncData; if (IsSCR(ssl)) { - if (send) { + if (sending_data) { /* allow sending data in SCR */ return 0; } else { diff --git a/src/ssl_asn1.c b/src/ssl_asn1.c index d1cdbdb2f..d05c235ca 100644 --- a/src/ssl_asn1.c +++ b/src/ssl_asn1.c @@ -1093,36 +1093,36 @@ static int wolfssl_asn1_integer_require_len(WOLFSSL_ASN1_INTEGER* a, int len, */ WOLFSSL_ASN1_INTEGER* wolfSSL_ASN1_INTEGER_dup(const WOLFSSL_ASN1_INTEGER* src) { - WOLFSSL_ASN1_INTEGER* dup = NULL; + WOLFSSL_ASN1_INTEGER* dst = NULL; WOLFSSL_ENTER("wolfSSL_ASN1_INTEGER_dup"); - /* Check for object to duplicate. */ + /* Check for object to dstlicate. */ if (src != NULL) { /* Create a new ASN.1 INTEGER object to be copied into. */ - dup = wolfSSL_ASN1_INTEGER_new(); + dst = wolfSSL_ASN1_INTEGER_new(); } /* Check for object to copy into. */ - if (dup != NULL) { + if (dst != NULL) { /* Copy simple fields. */ - dup->length = src->length; - dup->negative = src->negative; - dup->type = src->type; + dst->length = src->length; + dst->negative = src->negative; + dst->type = src->type; if (!src->isDynamic) { /* Copy over data from/to fixed buffer. */ - XMEMCPY(dup->intData, src->intData, WOLFSSL_ASN1_INTEGER_MAX); + XMEMCPY(dst->intData, src->intData, WOLFSSL_ASN1_INTEGER_MAX); } - else if (wolfssl_asn1_integer_require_len(dup, src->length, 0) == 0) { - wolfSSL_ASN1_INTEGER_free(dup); - dup = NULL; + else if (wolfssl_asn1_integer_require_len(dst, src->length, 0) == 0) { + wolfSSL_ASN1_INTEGER_free(dst); + dst = NULL; } else { - XMEMCPY(dup->data, src->data, (size_t)src->length); + XMEMCPY(dst->data, src->data, (size_t)src->length); } } - return dup; + return dst; } #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c index b0dfa25b6..7ea5c2d77 100644 --- a/wolfcrypt/src/sp_int.c +++ b/wolfcrypt/src/sp_int.c @@ -8216,7 +8216,7 @@ int sp_addmod_ct(const sp_int* a, const sp_int* b, const sp_int* m, sp_int* r) * @return MP_OKAY on success. */ static void _sp_submod_ct(const sp_int* a, const sp_int* b, const sp_int* m, - unsigned int max, sp_int* r) + unsigned int max_size, sp_int* r) { #ifndef SQR_MUL_ASM sp_int_sword w; @@ -8237,7 +8237,7 @@ static void _sp_submod_ct(const sp_int* a, const sp_int* b, const sp_int* m, l = 0; h = 0; #endif - for (i = 0; i < max; i++) { + for (i = 0; i < max_size; i++) { /* Values past 'used' are not initialized. */ mask_a += (i == a->used); mask_b += (i == b->used); From 9c3816089c3a6ed08bc0f019fbfa207cf01e29c7 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 28 Feb 2025 15:58:54 -0600 Subject: [PATCH 3/6] tests/api.c: disable test_wolfSSL_OCSP_parse_url() if WOLFSSL_SM2 || WOLFSSL_SM3. --- tests/api.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/api.c b/tests/api.c index e90082864..210c186cc 100644 --- a/tests/api.c +++ b/tests/api.c @@ -66551,7 +66551,8 @@ static int test_wolfSSL_OCSP_parse_url(void) #if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && \ defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) && \ - !defined(NO_ASN_TIME) + !defined(NO_ASN_TIME) && \ + !defined(WOLFSSL_SM2) && !defined(WOLFSSL_SM3) static time_t test_wolfSSL_OCSP_REQ_CTX_time_cb(time_t* t) { if (t != NULL) { @@ -66566,7 +66567,8 @@ static int test_wolfSSL_OCSP_REQ_CTX(void) { EXPECT_DECLS; #if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && \ - defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) + defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) && \ + !defined(WOLFSSL_SM2) && !defined(WOLFSSL_SM3) /* This buffer was taken from the ocsp-stapling.test test case 1. The ocsp * response was captured in wireshark. It contains both the http and binary * parts. The time test_wolfSSL_OCSP_REQ_CTX_time_cb is set exactly so that From de6ac319cc586f15fce0ff2820de720f48fe7a8a Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 28 Feb 2025 18:01:49 -0600 Subject: [PATCH 4/6] .wolfssl_known_macro_extras: remove unneeded entries. --- .wolfssl_known_macro_extras | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 44d95f26c..27436f982 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -826,11 +826,6 @@ WOLFSSL_XIL_MSG_NO_SLEEP WOLFSSL_XMSS_LARGE_SECRET_KEY WOLFSSL_ZEPHYR WOLF_ALLOW_BUILTIN -WOLF_CONF_IO -WOLF_CONF_KYBER -WOLF_CONF_PK -WOLF_CONF_RESUMPTION -WOLF_CONF_TPM WOLF_CRYPTO_CB_CMD WOLF_CRYPTO_CB_FIND WOLF_CRYPTO_CB_ONLY_ECC From d6b5c8e8ee84d53752d78ff507c2e676322d07cc Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 28 Feb 2025 18:25:41 -0600 Subject: [PATCH 5/6] src/ssl_asn1.c: fix misspelling cause by overbroad search+replace. --- src/ssl_asn1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl_asn1.c b/src/ssl_asn1.c index d05c235ca..4973235ba 100644 --- a/src/ssl_asn1.c +++ b/src/ssl_asn1.c @@ -1097,7 +1097,7 @@ WOLFSSL_ASN1_INTEGER* wolfSSL_ASN1_INTEGER_dup(const WOLFSSL_ASN1_INTEGER* src) WOLFSSL_ENTER("wolfSSL_ASN1_INTEGER_dup"); - /* Check for object to dstlicate. */ + /* Check for object to duplicate. */ if (src != NULL) { /* Create a new ASN.1 INTEGER object to be copied into. */ dst = wolfSSL_ASN1_INTEGER_new(); From 058014b3ebba50aa2ab733db0d3c5a44ac79a144 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 28 Feb 2025 19:07:03 -0600 Subject: [PATCH 6/6] src/ssl.c: add missing !NO_WOLFSSL_SERVER gate around wolfSSL_get_servername(). --- src/ssl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index 139e9e625..16ab2998c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -21432,6 +21432,7 @@ int wolfSSL_set_tlsext_host_name(WOLFSSL* ssl, const char* host_name) return ret; } +#ifndef NO_WOLFSSL_SERVER /* May be called by server to get the requested accepted name and by the client * to get the requested name. */ const char * wolfSSL_get_servername(WOLFSSL* ssl, byte type) @@ -21443,6 +21444,8 @@ const char * wolfSSL_get_servername(WOLFSSL* ssl, byte type) !wolfSSL_is_server(ssl)); return (const char *)serverName; } +#endif + #endif /* HAVE_SNI */ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)