From b86dfffdbed71c889f6e6f8cea6bcf7404b8fa12 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Wed, 27 Dec 2023 09:52:56 -0800
Subject: [PATCH] Improve the TLS v1.3 expand key label warning for possible
 use of uninitialized "hash".

---
 src/tls13.c         | 22 ++++++++++++----------
 wolfcrypt/src/kdf.c | 24 +++++++++++++++---------
 2 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/src/tls13.c b/src/tls13.c
index e59942576..208ce0e13 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -266,10 +266,6 @@ static int Tls13HKDFExpandKeyLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,
         return ret;
 #endif
 
-    /* Hash buffer may not be fully initialized, but the sending length won't
-     * extend beyond the initialized span. */
-PRAGMA_GCC_DIAG_PUSH
-PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"")
 #if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))
     ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen,
                                       protocol, protocolLen,
@@ -288,7 +284,6 @@ PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"")
                                       label, labelLen,
                                       info, infoLen, digest);
 #endif
-PRAGMA_GCC_DIAG_POP
     (void)ssl;
     (void)side;
     return ret;
@@ -490,14 +485,21 @@ int Tls13DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
     }
 #endif /* WOLFSSL_DTLS13 */
 
-    if (outputLen == -1)
+    if (outputLen == -1) {
         outputLen = hashSz;
-    if (includeMsgs)
+    }
+    if (includeMsgs) {
         hashOutSz = hashSz;
+    }
+    else {
+        /* Appease static analyzers by making sure hash is cleared, since it is
+         * passed into expand key label where older wc_Tls13_HKDF_Expand_Label
+         * will unconditionally try to call a memcpy on it, however length will
+         * always be 0. */
+        XMEMSET(hash, 0, sizeof(hash));
+        hashOutSz = 0;
+    }
 
-    /* hash buffer may not be fully initialized, but the sending length won't
-     * extend beyond the initialized span.
-     */
     PRIVATE_KEY_UNLOCK();
     ret = Tls13HKDFExpandKeyLabel(ssl, output, outputLen, secret, hashSz,
                                   protocol, protocolLen, label, labelLen,
diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c
index 9b289be45..9dcb12076 100644
--- a/wolfcrypt/src/kdf.c
+++ b/wolfcrypt/src/kdf.c
@@ -485,17 +485,23 @@ int wc_PRF_TLS(byte* digest, word32 digLen, const byte* secret, word32 secLen,
         data[idx++] = (byte)okmLen;
         /* Length of protocol | label. */
         data[idx++] = (byte)(protocolLen + labelLen);
-        /* Protocol */
-        XMEMCPY(&data[idx], protocol, protocolLen);
-        idx += protocolLen;
-        /* Label */
-        XMEMCPY(&data[idx], label, labelLen);
-        idx += labelLen;
+        if (protocolLen > 0) {
+            /* Protocol */
+            XMEMCPY(&data[idx], protocol, protocolLen);
+            idx += protocolLen;
+        }
+        if (labelLen > 0) {
+            /* Label */
+            XMEMCPY(&data[idx], label, labelLen);
+            idx += labelLen;
+        }
         /* Length of hash of messages */
         data[idx++] = (byte)infoLen;
-        /* Hash of messages */
-        XMEMCPY(&data[idx], info, infoLen);
-        idx += infoLen;
+        if (infoLen > 0) {
+            /* Hash of messages */
+            XMEMCPY(&data[idx], info, infoLen);
+            idx += infoLen;
+        }
 
     #ifdef WOLFSSL_CHECK_MEM_ZERO
         wc_MemZero_Add("wc_Tls13_HKDF_Expand_Label data", data, idx);