static analysis fixes, free buffer return in test case, fips build

src/bio.c

@@ -189,6 +189,10 @@ int wolfSSL_BIO_read(WOLFSSL_BIO* bio, void* buf, int len)
 }
 
 
+/* Converts data into base64 output
+ *
+ * returns the resulting buffer size on success.
+ */
 static int wolfSSL_BIO_BASE64_write(WOLFSSL_BIO* bio, const void* data,
         word32 inLen, byte* out, word32* outLen)
 {
@@ -197,27 +201,31 @@ static int wolfSSL_BIO_BASE64_write(WOLFSSL_BIO* bio, const void* data,
 
     WOLFSSL_ENTER("wolfSSL_BIO_BASE64_write");
 
+    if (bio == NULL || data == NULL || out == NULL || outLen == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
 #if defined(WOLFSSL_BASE64_ENCODE)
     tmp = (byte*)XMALLOC(*outLen, bio->heap, DYNAMIC_TYPE_TMP_BUFFER);
     if (tmp == NULL) {
-        return SSL_FATAL_ERROR;
+        return WOLFSSL_FATAL_ERROR;
     }
 
     if ((bio->flags & WOLFSSL_BIO_FLAG_BASE64_NO_NL) ==
             WOLFSSL_BIO_FLAG_BASE64_NO_NL) {
         if (Base64_Encode_NoNl((const byte*)data, inLen,
                 tmp, outLen) < 0) {
-            ret = SSL_FATAL_ERROR;
+            ret = WOLFSSL_FATAL_ERROR;
         }
     }
     else {
         if (Base64_Encode((const byte*)data, inLen,
                 tmp, outLen) < 0) {
-            ret = SSL_FATAL_ERROR;
+            ret = WOLFSSL_FATAL_ERROR;
         }
     }
 
-    if (ret != SSL_FATAL_ERROR) {
+    if (ret != WOLFSSL_FATAL_ERROR) {
         ret = (int)*outLen;
         XMEMCPY(out, tmp, *outLen);
 
@@ -257,15 +265,23 @@ static int wolfSSL_BIO_SSL_write(WOLFSSL_BIO* bio, const void* data,
 }
 
 
+/* Writes to a WOLFSSL_BIO_BIO type.
+ *
+ * returns the amount written on success
+ */
 static int wolfSSL_BIO_BIO_write(WOLFSSL_BIO* bio, const void* data,
         int len)
 {
-    /* internal function where arguments have already been sanity checked */
     int   sz;
     char* buf;
 
     WOLFSSL_ENTER("wolfSSL_BIO_BIO_write");
 
+    /*adding in sanity checks for static analysis tools */
+    if (bio == NULL || data == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
     sz = wolfSSL_BIO_nwrite(bio, &buf, len);
 
     /* test space for write */
@@ -293,12 +309,15 @@ static int wolfSSL_BIO_BIO_write(WOLFSSL_BIO* bio, const void* data,
 static int wolfSSL_BIO_MEMORY_write(WOLFSSL_BIO* bio, const void* data,
         int len)
 {
-    /* internal function where arguments have already been sanity checked */
     int   sz;
     const unsigned char* buf;
 
     WOLFSSL_ENTER("wolfSSL_BIO_MEMORY_write");
 
+    if (bio == NULL || data == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
     sz = wolfSSL_BIO_pending(bio);
     if (sz < 0) {
         WOLFSSL_MSG("Error getting memory data");

src/internal.c

@@ -8963,8 +8963,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             }
         #endif
             if (ret != 0) {
-                int why = bad_certificate;
                 if (!ssl->options.verifyNone) {
+                    int why = bad_certificate;
+
                     if (ret == ASN_AFTER_DATE_E || ret == ASN_BEFORE_DATE_E) {
                         why = certificate_expired;
                     }
@@ -9007,10 +9008,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                         }
                     #endif /* SESSION_CERTS */
                     }
-                }
-                if (ret != 0) {
-                    SendAlert(ssl, alert_fatal, why);   /* try to send */
-                    ssl->options.isClosed = 1;
+                    if (ret != 0) {
+                        SendAlert(ssl, alert_fatal, why);   /* try to send */
+                        ssl->options.isClosed = 1;
+                    }
                 }
 
                 ssl->error = ret;
@@ -13186,10 +13187,10 @@ int SendFinished(WOLFSSL* ssl)
 #endif
         if (ssl->options.side == WOLFSSL_SERVER_END) {
         #ifdef OPENSSL_EXTRA
-			ssl->options.serverState = SERVER_FINISHED_COMPLETE;
-			ssl->cbmode = SSL_CB_MODE_WRITE;
+            ssl->options.serverState = SERVER_FINISHED_COMPLETE;
+            ssl->cbmode = SSL_CB_MODE_WRITE;
             if (ssl->CBIS != NULL)
-				ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS);
+                ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS);
         #endif
             ssl->options.handShakeState = HANDSHAKE_DONE;
             ssl->options.handShakeDone  = 1;
@@ -13198,10 +13199,10 @@ int SendFinished(WOLFSSL* ssl)
     else {
         if (ssl->options.side == WOLFSSL_CLIENT_END) {
         #ifdef OPENSSL_EXTRA
-			ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
-			ssl->cbmode = SSL_CB_MODE_WRITE;
+            ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
+            ssl->cbmode = SSL_CB_MODE_WRITE;
             if (ssl->CBIS != NULL)
-				ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS);
+                ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS);
         #endif
             ssl->options.handShakeState = HANDSHAKE_DONE;
             ssl->options.handShakeDone  = 1;
@@ -13233,21 +13234,21 @@ int SendCertificate(WOLFSSL* ssl)
 
     if (ssl->options.sendVerify == SEND_BLANK_CERT) {
     #ifdef OPENSSL_EXTRA
-	    if (ssl->version.major == SSLv3_MAJOR
-		    && ssl->version.minor == SSLv3_MINOR){
+        if (ssl->version.major == SSLv3_MAJOR
+            && ssl->version.minor == SSLv3_MINOR){
             SendAlert(ssl, alert_warning, no_certificate);
-		    return 0;
-		} else {
+            return 0;
+        } else {
     #endif
-	        certSz = 0;
-		    certChainSz = 0;
-		    headerSz = CERT_HEADER_SZ;
-		    length = CERT_HEADER_SZ;
-		    listSz = 0;
+            certSz = 0;
+            certChainSz = 0;
+            headerSz = CERT_HEADER_SZ;
+            length = CERT_HEADER_SZ;
+            listSz = 0;
     #ifdef OPENSSL_EXTRA
-		}
-	#endif
-	}
+        }
+    #endif
+    }
     else {
         if (!ssl->buffers.certificate) {
             WOLFSSL_MSG("Send Cert missing certificate buffer");

src/ssl.c

@@ -6361,7 +6361,7 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
     WOLFSSL_ENTER("wolfSSL_CTX_check_private_key");
 
     if (ctx == NULL) {
-        return SSL_FAILURE;
+        return WOLFSSL_FAILURE;
     }
 
 #ifndef NO_CERTS
@@ -6370,7 +6370,7 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
     InitDecodedCert(&der, buff, size, ctx->heap);
     if (ParseCertRelative(&der, CERT_TYPE, NO_VERIFY, NULL) != 0) {
         FreeDecodedCert(&der);
-        return SSL_FAILURE;
+        return WOLFSSL_FAILURE;
     }
 
     size = ctx->privateKey->length;
@@ -6379,14 +6379,14 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
     FreeDecodedCert(&der);
 
     if (ret == 1) {
-        return SSL_SUCCESS;
+        return WOLFSSL_SUCCESS;
     }
     else {
-        return SSL_FAILURE;
+        return WOLFSSL_FAILURE;
     }
 #else
     WOLFSSL_MSG("NO_CERTS is defined, can not check private key");
-    return SSL_FAILURE;
+    return WOLFSSL_FAILURE;
 #endif
 }
 
@@ -11492,10 +11492,10 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
         ssl->biowr = wr;
 
         /* set SSL to use BIO callbacks instead */
-        if (rd->type != WOLFSSL_BIO_SOCKET) {
+        if (rd != NULL && rd->type != WOLFSSL_BIO_SOCKET) {
             ssl->CBIORecv = BioReceive;
         }
-        if (wr->type != WOLFSSL_BIO_SOCKET) {
+        if (wr != NULL && wr->type != WOLFSSL_BIO_SOCKET) {
             ssl->CBIOSend = BioSend;
         }
     }
@@ -16396,6 +16396,10 @@ WOLFSSL_ASN1_OBJECT* wolfSSL_sk_GENERAL_NAME_value(WOLFSSL_STACK* sk, int i)
         cur = cur->next;
     }
 
+    if (cur == NULL) {
+        return NULL;
+    }
+
     return cur->data.obj;
 }
 
@@ -21573,10 +21577,10 @@ int wolfSSL_RAND_write_file(const char* fname)
  */
 int wolfSSL_RAND_egd(const char* nm)
 {
-#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API)
+#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(HAVE_FIPS)
     struct sockaddr_un rem;
     int fd;
-    int ret = SSL_SUCCESS;
+    int ret = WOLFSSL_SUCCESS;
     word32 bytes = 0;
     word32 idx   = 0;
 #ifndef WOLFSSL_SMALL_STACK
@@ -21586,7 +21590,7 @@ int wolfSSL_RAND_egd(const char* nm)
     buf = (unsigned char*)XMALLOC(256, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     if (buf == NULL) {
         WOLFSSL_MSG("Not enough memory");
-        return SSL_FATAL_ERROR;
+        return WOLFSSL_FATAL_ERROR;
     }
 #endif
 
@@ -21594,7 +21598,7 @@ int wolfSSL_RAND_egd(const char* nm)
     #ifdef WOLFSSL_SMALL_STACK
         XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     #endif
-        return SSL_FATAL_ERROR;
+        return WOLFSSL_FATAL_ERROR;
     }
 
     fd = socket(AF_UNIX, SOCK_STREAM, 0);
@@ -21603,36 +21607,38 @@ int wolfSSL_RAND_egd(const char* nm)
     #ifdef WOLFSSL_SMALL_STACK
         XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     #endif
-        return SSL_FATAL_ERROR;
+        return WOLFSSL_FATAL_ERROR;
     }
-    if (ret == SSL_SUCCESS) {
+    if (ret == WOLFSSL_SUCCESS) {
         rem.sun_family = AF_UNIX;
         XMEMCPY(rem.sun_path, nm, XSTRLEN(nm));
     }
 
     /* connect to egd server */
-    if (ret == SSL_SUCCESS) {
+    if (ret == WOLFSSL_SUCCESS) {
         if (connect(fd, (struct sockaddr*)&rem, sizeof(struct sockaddr_un))
                 == -1) {
             WOLFSSL_MSG("error connecting to egd server");
-            ret = SSL_FATAL_ERROR;
+            ret = WOLFSSL_FATAL_ERROR;
         }
     }
 
-    while (ret == SSL_SUCCESS && bytes < 255 && idx + 2 < 256) {
-        if (ret == SSL_SUCCESS) {
+    while (ret == WOLFSSL_SUCCESS && bytes < 255 && idx + 2 < 256) {
+        if (ret == WOLFSSL_SUCCESS) {
             buf[idx]     = WOLFSSL_EGD_NBLOCK;
             buf[idx + 1] = 255 - bytes; /* request 255 bytes from server */
             ret = (int)write(fd, buf + idx, 2);
             if (ret <= 0 || ret != 2) {
                 if (errno == EAGAIN) {
-                    ret = SSL_SUCCESS;
+                    ret = WOLFSSL_SUCCESS;
                     continue;
                 }
                 WOLFSSL_MSG("error requesting entropy from egd server");
-                ret = SSL_FATAL_ERROR;
+                ret = WOLFSSL_FATAL_ERROR;
+            }
+            else {
+                ret = WOLFSSL_SUCCESS;
             }
-            ret = SSL_SUCCESS;
         }
 
         /* attempting to read */
@@ -21640,19 +21646,19 @@ int wolfSSL_RAND_egd(const char* nm)
         ret = (int)read(fd, buf + idx, 256 - bytes);
         if (ret == 0) {
             WOLFSSL_MSG("error reading entropy from egd server");
-            ret = SSL_FATAL_ERROR;
+            ret = WOLFSSL_FATAL_ERROR;
             break;
         }
         if (ret > 0 && buf[idx] > 0) {
             bytes += buf[idx]; /* egd stores amount sent in first byte */
             if (bytes + idx > 255 || buf[idx] > ret) {
                 WOLFSSL_MSG("Buffer error");
-                ret = SSL_FATAL_ERROR;
+                ret = WOLFSSL_FATAL_ERROR;
                 break;
             }
             XMEMMOVE(buf + idx, buf + idx + 1, buf[idx]);
             idx = bytes;
-            ret = SSL_SUCCESS;
+            ret = WOLFSSL_SUCCESS;
             if (bytes >= 255) {
                 break;
             }
@@ -21660,27 +21666,27 @@ int wolfSSL_RAND_egd(const char* nm)
         else {
             if (errno == EAGAIN || errno == EINTR) {
                 WOLFSSL_MSG("EGD would read");
-                ret = SSL_SUCCESS; /* try again */
+                ret = WOLFSSL_SUCCESS; /* try again */
             }
             else if (buf[idx] == 0) {
                 /* if egd returned 0 then there is no more entropy to be had.
                    Do not try more reads. */
-                ret = SSL_SUCCESS;
+                ret = WOLFSSL_SUCCESS;
                 break;
             }
             else {
                 WOLFSSL_MSG("Error with read");
-                ret = SSL_FATAL_ERROR;
+                ret = WOLFSSL_FATAL_ERROR;
             }
         }
     }
 
-    if (bytes > 0 && ret == SSL_SUCCESS) {
+    if (bytes > 0 && ret == WOLFSSL_SUCCESS) {
         wolfSSL_RAND_Init(); /* call to check global RNG is created */
-        if (wc_RNG_DRBG_Reseed(globalRNG.drbg, (const byte*) buf, bytes)
+        if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes)
                 != 0) {
             WOLFSSL_MSG("Error with reseeding DRBG structure");
-            ret = SSL_FATAL_ERROR;
+            ret = WOLFSSL_FATAL_ERROR;
         }
         #ifdef SHOW_SECRETS
         { /* print out entropy found */
@@ -21700,17 +21706,18 @@ int wolfSSL_RAND_egd(const char* nm)
     #endif
     close(fd);
 
-    if (ret == SSL_SUCCESS) {
+    if (ret == WOLFSSL_SUCCESS) {
         return bytes;
     }
     else {
         return ret;
     }
-#else /* defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) */
+#else /* defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !HAVE_FIPS */
     WOLFSSL_MSG("Type of socket needed is not available");
+    WOLFSSL_MSG("\tor using FIPS mode where RNG API is not available");
     (void)nm;
 
-    return SSL_FATAL_ERROR;
+    return WOLFSSL_FATAL_ERROR;
 #endif /* defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) */
 }
 
@@ -22489,7 +22496,7 @@ char *wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM *bn)
         return NULL;
     }
 
-    buf = (char*) XMALLOC(len, NULL, DYNAMIC_TYPE_ECC);
+    buf = (char*) XMALLOC(len, NULL, DYNAMIC_TYPE_OPENSSL);
     if (buf == NULL) {
         WOLFSSL_MSG("BN_bn2dec malloc buffer failure");
         return NULL;
@@ -24771,7 +24778,7 @@ int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen,
         }
         else if (XSTRNCMP(type, "SHA224", 6) == 0) {
             WOLFSSL_MSG("sha224 hmac");
-            ctx->type = SHA224;
+            ctx->type = WC_SHA224;
         }
         else if (XSTRNCMP(type, "SHA256", 6) == 0) {
             WOLFSSL_MSG("sha256 hmac");
@@ -24779,11 +24786,11 @@ int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen,
         }
         else if (XSTRNCMP(type, "SHA384", 6) == 0) {
             WOLFSSL_MSG("sha384 hmac");
-            ctx->type = SHA384;
+            ctx->type = WC_SHA384;
         }
         else if (XSTRNCMP(type, "SHA512", 6) == 0) {
             WOLFSSL_MSG("sha512 hmac");
-            ctx->type = SHA512;
+            ctx->type = WC_SHA512;
         }
 
         /* has to be last since would pick or 256, 384, or 512 too */

tests/api.c

@@ -14694,8 +14694,12 @@ static void test_wolfSSL_BN(void)
     AssertIntEQ(BN_set_word(b, 5), SSL_SUCCESS);
     AssertIntEQ(BN_sub(c, a, b), SSL_SUCCESS);
 #if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY)
-    AssertNotNull(BN_bn2dec(c));
-    AssertIntEQ(XMEMCMP(BN_bn2dec(c), "-4", sizeof("-4")), 0);
+    {
+    char* ret;
+    AssertNotNull(ret = BN_bn2dec(c));
+    AssertIntEQ(XMEMCMP(ret, "-4", sizeof("-4")), 0);
+    XFREE(ret, NULL, DYNAMIC_TYPE_OPENSSL);
+    }
 #endif
     AssertIntEQ(BN_get_word(c), 4);
 
@@ -16193,7 +16197,7 @@ static void test_wolfSSL_HMAC_CTX(void)
 #endif
 }
 
-#if defined(OPENSSL_EXTRA)
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA)
 static void sslMsgCb(int write, int version, int type, const void* buf,
         size_t sz, SSL* ssl, void* arg)
 {

wolfcrypt/src/evp.c

@@ -714,7 +714,7 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_decrypt(WOLFSSL_EVP_PKEY_CTX *ctx,
         if(len < 0)return 0;
         else {
             *outlen = len ;
-            return 1;
+            return WOLFSSL_SUCCESS;
         }
 #endif /* NO_RSA */
 
@@ -740,7 +740,7 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_decrypt_init(WOLFSSL_EVP_PKEY_CTX *ctx)
     switch(ctx->pkey->type){
     case EVP_PKEY_RSA:
         ctx->op = EVP_PKEY_OP_DECRYPT;
-        return 1;
+        return WOLFSSL_SUCCESS;
 
     case EVP_PKEY_EC:
         WOLFSSL_MSG("not implemented");

wolfcrypt/src/random.c

@@ -188,7 +188,7 @@ enum {
 };
 
 
-struct DRBG {
+typedef struct DRBG {
     word32 reseedCtr;
     word32 lastBlock;
     byte V[DRBG_SEED_LEN];
@@ -198,7 +198,7 @@ struct DRBG {
     int devId;
 #endif
     byte   matchCount;
-};
+} DRBG;
 
 
 static int wc_RNG_HealthTestLocal(int reseed);
@@ -278,7 +278,7 @@ static int Hash_df(DRBG* drbg, byte* out, word32 outSz, byte type,
 }
 
 /* Returns: DRBG_SUCCESS or DRBG_FAILURE */
-int wc_RNG_DRBG_Reseed(DRBG* drbg, const byte* entropy, word32 entropySz)
+static int Hash_DRBG_Reseed(DRBG* drbg, const byte* entropy, word32 entropySz)
 {
     byte seed[DRBG_SEED_LEN];
 
@@ -301,6 +301,16 @@ int wc_RNG_DRBG_Reseed(DRBG* drbg, const byte* entropy, word32 entropySz)
     return DRBG_SUCCESS;
 }
 
+/* Returns: DRBG_SUCCESS and DRBG_FAILURE or BAD_FUNC_ARG on fail */
+int wc_RNG_DRBG_Reseed(WC_RNG* rng, const byte* entropy, word32 entropySz)
+{
+    if (rng == NULL || entropy == NULL) {
+        return BAD_FUNC_ARG;
+    }
+
+    return Hash_DRBG_Reseed(rng->drbg, entropy, entropySz);
+}
+
 static INLINE void array_add_one(byte* data, word32 dataSz)
 {
     int i;
@@ -647,7 +657,7 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz)
             byte entropy[ENTROPY_SZ];
 
             if (wc_GenerateSeed(&rng->seed, entropy, ENTROPY_SZ) == 0 &&
-                wc_RNG_DRBG_Reseed(rng->drbg, entropy, ENTROPY_SZ)
+                Hash_DRBG_Reseed(rng->drbg, entropy, ENTROPY_SZ)
                                                               == DRBG_SUCCESS) {
 
                 ret = Hash_DRBG_Generate(rng->drbg, NULL, 0);
@@ -756,7 +766,7 @@ int wc_RNG_HealthTest(int reseed, const byte* entropyA, word32 entropyASz,
     }
 
     if (reseed) {
-        if (wc_RNG_DRBG_Reseed(drbg, entropyB, entropyBSz) != 0) {
+        if (Hash_DRBG_Reseed(drbg, entropyB, entropyBSz) != 0) {
             goto exit_rng_ht;
         }
     }

wolfssl/wolfcrypt/random.h

@@ -132,11 +132,6 @@ typedef struct OS_Seed {
     #define WC_RNG_TYPE_DEFINED
 #endif
 
-#ifdef HAVE_HASHDRBG
-    /* Private DRBG state */
-    typedef struct DRBG DRBG;
-#endif
-
 /* RNG context */
 struct WC_RNG {
     OS_Seed seed;
@@ -180,7 +175,7 @@ WOLFSSL_API int  wc_FreeRng(WC_RNG*);
 
 
 #ifdef HAVE_HASHDRBG
-    WOLFSSL_LOCAL int wc_RNG_DRBG_Reseed(DRBG* drbg, const byte* entropy,
+    WOLFSSL_LOCAL int wc_RNG_DRBG_Reseed(WC_RNG* rng, const byte* entropy,
                                         word32 entropySz);
     WOLFSSL_API int wc_RNG_HealthTest(int reseed,
                                         const byte* entropyA, word32 entropyASz,