diff --git a/src/bio.c b/src/bio.c index da19fd5ec..1c0733d4e 100644 --- a/src/bio.c +++ b/src/bio.c @@ -189,6 +189,10 @@ int wolfSSL_BIO_read(WOLFSSL_BIO* bio, void* buf, int len) } +/* Converts data into base64 output + * + * returns the resulting buffer size on success. + */ static int wolfSSL_BIO_BASE64_write(WOLFSSL_BIO* bio, const void* data, word32 inLen, byte* out, word32* outLen) { @@ -197,27 +201,31 @@ static int wolfSSL_BIO_BASE64_write(WOLFSSL_BIO* bio, const void* data, WOLFSSL_ENTER("wolfSSL_BIO_BASE64_write"); + if (bio == NULL || data == NULL || out == NULL || outLen == NULL) { + return BAD_FUNC_ARG; + } + #if defined(WOLFSSL_BASE64_ENCODE) tmp = (byte*)XMALLOC(*outLen, bio->heap, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { - return SSL_FATAL_ERROR; + return WOLFSSL_FATAL_ERROR; } if ((bio->flags & WOLFSSL_BIO_FLAG_BASE64_NO_NL) == WOLFSSL_BIO_FLAG_BASE64_NO_NL) { if (Base64_Encode_NoNl((const byte*)data, inLen, tmp, outLen) < 0) { - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } } else { if (Base64_Encode((const byte*)data, inLen, tmp, outLen) < 0) { - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } } - if (ret != SSL_FATAL_ERROR) { + if (ret != WOLFSSL_FATAL_ERROR) { ret = (int)*outLen; XMEMCPY(out, tmp, *outLen); @@ -257,15 +265,23 @@ static int wolfSSL_BIO_SSL_write(WOLFSSL_BIO* bio, const void* data, } +/* Writes to a WOLFSSL_BIO_BIO type. + * + * returns the amount written on success + */ static int wolfSSL_BIO_BIO_write(WOLFSSL_BIO* bio, const void* data, int len) { - /* internal function where arguments have already been sanity checked */ int sz; char* buf; WOLFSSL_ENTER("wolfSSL_BIO_BIO_write"); + /*adding in sanity checks for static analysis tools */ + if (bio == NULL || data == NULL) { + return BAD_FUNC_ARG; + } + sz = wolfSSL_BIO_nwrite(bio, &buf, len); /* test space for write */ @@ -293,12 +309,15 @@ static int wolfSSL_BIO_BIO_write(WOLFSSL_BIO* bio, const void* data, static int wolfSSL_BIO_MEMORY_write(WOLFSSL_BIO* bio, const void* data, int len) { - /* internal function where arguments have already been sanity checked */ int sz; const unsigned char* buf; WOLFSSL_ENTER("wolfSSL_BIO_MEMORY_write"); + if (bio == NULL || data == NULL) { + return BAD_FUNC_ARG; + } + sz = wolfSSL_BIO_pending(bio); if (sz < 0) { WOLFSSL_MSG("Error getting memory data"); diff --git a/src/internal.c b/src/internal.c index 1d1056977..698dbea41 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8963,8 +8963,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } #endif if (ret != 0) { - int why = bad_certificate; if (!ssl->options.verifyNone) { + int why = bad_certificate; + if (ret == ASN_AFTER_DATE_E || ret == ASN_BEFORE_DATE_E) { why = certificate_expired; } @@ -9007,10 +9008,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } #endif /* SESSION_CERTS */ } - } - if (ret != 0) { - SendAlert(ssl, alert_fatal, why); /* try to send */ - ssl->options.isClosed = 1; + if (ret != 0) { + SendAlert(ssl, alert_fatal, why); /* try to send */ + ssl->options.isClosed = 1; + } } ssl->error = ret; @@ -13186,10 +13187,10 @@ int SendFinished(WOLFSSL* ssl) #endif if (ssl->options.side == WOLFSSL_SERVER_END) { #ifdef OPENSSL_EXTRA - ssl->options.serverState = SERVER_FINISHED_COMPLETE; - ssl->cbmode = SSL_CB_MODE_WRITE; + ssl->options.serverState = SERVER_FINISHED_COMPLETE; + ssl->cbmode = SSL_CB_MODE_WRITE; if (ssl->CBIS != NULL) - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS); + ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS); #endif ssl->options.handShakeState = HANDSHAKE_DONE; ssl->options.handShakeDone = 1; @@ -13198,10 +13199,10 @@ int SendFinished(WOLFSSL* ssl) else { if (ssl->options.side == WOLFSSL_CLIENT_END) { #ifdef OPENSSL_EXTRA - ssl->options.clientState = CLIENT_FINISHED_COMPLETE; - ssl->cbmode = SSL_CB_MODE_WRITE; + ssl->options.clientState = CLIENT_FINISHED_COMPLETE; + ssl->cbmode = SSL_CB_MODE_WRITE; if (ssl->CBIS != NULL) - ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS); + ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS); #endif ssl->options.handShakeState = HANDSHAKE_DONE; ssl->options.handShakeDone = 1; @@ -13233,21 +13234,21 @@ int SendCertificate(WOLFSSL* ssl) if (ssl->options.sendVerify == SEND_BLANK_CERT) { #ifdef OPENSSL_EXTRA - if (ssl->version.major == SSLv3_MAJOR - && ssl->version.minor == SSLv3_MINOR){ + if (ssl->version.major == SSLv3_MAJOR + && ssl->version.minor == SSLv3_MINOR){ SendAlert(ssl, alert_warning, no_certificate); - return 0; - } else { + return 0; + } else { #endif - certSz = 0; - certChainSz = 0; - headerSz = CERT_HEADER_SZ; - length = CERT_HEADER_SZ; - listSz = 0; + certSz = 0; + certChainSz = 0; + headerSz = CERT_HEADER_SZ; + length = CERT_HEADER_SZ; + listSz = 0; #ifdef OPENSSL_EXTRA - } - #endif - } + } + #endif + } else { if (!ssl->buffers.certificate) { WOLFSSL_MSG("Send Cert missing certificate buffer"); diff --git a/src/ssl.c b/src/ssl.c index acd744f60..7c1437858 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6361,7 +6361,7 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) WOLFSSL_ENTER("wolfSSL_CTX_check_private_key"); if (ctx == NULL) { - return SSL_FAILURE; + return WOLFSSL_FAILURE; } #ifndef NO_CERTS @@ -6370,7 +6370,7 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) InitDecodedCert(&der, buff, size, ctx->heap); if (ParseCertRelative(&der, CERT_TYPE, NO_VERIFY, NULL) != 0) { FreeDecodedCert(&der); - return SSL_FAILURE; + return WOLFSSL_FAILURE; } size = ctx->privateKey->length; @@ -6379,14 +6379,14 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx) FreeDecodedCert(&der); if (ret == 1) { - return SSL_SUCCESS; + return WOLFSSL_SUCCESS; } else { - return SSL_FAILURE; + return WOLFSSL_FAILURE; } #else WOLFSSL_MSG("NO_CERTS is defined, can not check private key"); - return SSL_FAILURE; + return WOLFSSL_FAILURE; #endif } @@ -11492,10 +11492,10 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ssl->biowr = wr; /* set SSL to use BIO callbacks instead */ - if (rd->type != WOLFSSL_BIO_SOCKET) { + if (rd != NULL && rd->type != WOLFSSL_BIO_SOCKET) { ssl->CBIORecv = BioReceive; } - if (wr->type != WOLFSSL_BIO_SOCKET) { + if (wr != NULL && wr->type != WOLFSSL_BIO_SOCKET) { ssl->CBIOSend = BioSend; } } @@ -16396,6 +16396,10 @@ WOLFSSL_ASN1_OBJECT* wolfSSL_sk_GENERAL_NAME_value(WOLFSSL_STACK* sk, int i) cur = cur->next; } + if (cur == NULL) { + return NULL; + } + return cur->data.obj; } @@ -21573,10 +21577,10 @@ int wolfSSL_RAND_write_file(const char* fname) */ int wolfSSL_RAND_egd(const char* nm) { -#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) +#if defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !defined(HAVE_FIPS) struct sockaddr_un rem; int fd; - int ret = SSL_SUCCESS; + int ret = WOLFSSL_SUCCESS; word32 bytes = 0; word32 idx = 0; #ifndef WOLFSSL_SMALL_STACK @@ -21586,7 +21590,7 @@ int wolfSSL_RAND_egd(const char* nm) buf = (unsigned char*)XMALLOC(256, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (buf == NULL) { WOLFSSL_MSG("Not enough memory"); - return SSL_FATAL_ERROR; + return WOLFSSL_FATAL_ERROR; } #endif @@ -21594,7 +21598,7 @@ int wolfSSL_RAND_egd(const char* nm) #ifdef WOLFSSL_SMALL_STACK XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - return SSL_FATAL_ERROR; + return WOLFSSL_FATAL_ERROR; } fd = socket(AF_UNIX, SOCK_STREAM, 0); @@ -21603,36 +21607,38 @@ int wolfSSL_RAND_egd(const char* nm) #ifdef WOLFSSL_SMALL_STACK XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - return SSL_FATAL_ERROR; + return WOLFSSL_FATAL_ERROR; } - if (ret == SSL_SUCCESS) { + if (ret == WOLFSSL_SUCCESS) { rem.sun_family = AF_UNIX; XMEMCPY(rem.sun_path, nm, XSTRLEN(nm)); } /* connect to egd server */ - if (ret == SSL_SUCCESS) { + if (ret == WOLFSSL_SUCCESS) { if (connect(fd, (struct sockaddr*)&rem, sizeof(struct sockaddr_un)) == -1) { WOLFSSL_MSG("error connecting to egd server"); - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } } - while (ret == SSL_SUCCESS && bytes < 255 && idx + 2 < 256) { - if (ret == SSL_SUCCESS) { + while (ret == WOLFSSL_SUCCESS && bytes < 255 && idx + 2 < 256) { + if (ret == WOLFSSL_SUCCESS) { buf[idx] = WOLFSSL_EGD_NBLOCK; buf[idx + 1] = 255 - bytes; /* request 255 bytes from server */ ret = (int)write(fd, buf + idx, 2); if (ret <= 0 || ret != 2) { if (errno == EAGAIN) { - ret = SSL_SUCCESS; + ret = WOLFSSL_SUCCESS; continue; } WOLFSSL_MSG("error requesting entropy from egd server"); - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; + } + else { + ret = WOLFSSL_SUCCESS; } - ret = SSL_SUCCESS; } /* attempting to read */ @@ -21640,19 +21646,19 @@ int wolfSSL_RAND_egd(const char* nm) ret = (int)read(fd, buf + idx, 256 - bytes); if (ret == 0) { WOLFSSL_MSG("error reading entropy from egd server"); - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; break; } if (ret > 0 && buf[idx] > 0) { bytes += buf[idx]; /* egd stores amount sent in first byte */ if (bytes + idx > 255 || buf[idx] > ret) { WOLFSSL_MSG("Buffer error"); - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; break; } XMEMMOVE(buf + idx, buf + idx + 1, buf[idx]); idx = bytes; - ret = SSL_SUCCESS; + ret = WOLFSSL_SUCCESS; if (bytes >= 255) { break; } @@ -21660,27 +21666,27 @@ int wolfSSL_RAND_egd(const char* nm) else { if (errno == EAGAIN || errno == EINTR) { WOLFSSL_MSG("EGD would read"); - ret = SSL_SUCCESS; /* try again */ + ret = WOLFSSL_SUCCESS; /* try again */ } else if (buf[idx] == 0) { /* if egd returned 0 then there is no more entropy to be had. Do not try more reads. */ - ret = SSL_SUCCESS; + ret = WOLFSSL_SUCCESS; break; } else { WOLFSSL_MSG("Error with read"); - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } } } - if (bytes > 0 && ret == SSL_SUCCESS) { + if (bytes > 0 && ret == WOLFSSL_SUCCESS) { wolfSSL_RAND_Init(); /* call to check global RNG is created */ - if (wc_RNG_DRBG_Reseed(globalRNG.drbg, (const byte*) buf, bytes) + if (wc_RNG_DRBG_Reseed(&globalRNG, (const byte*) buf, bytes) != 0) { WOLFSSL_MSG("Error with reseeding DRBG structure"); - ret = SSL_FATAL_ERROR; + ret = WOLFSSL_FATAL_ERROR; } #ifdef SHOW_SECRETS { /* print out entropy found */ @@ -21700,17 +21706,18 @@ int wolfSSL_RAND_egd(const char* nm) #endif close(fd); - if (ret == SSL_SUCCESS) { + if (ret == WOLFSSL_SUCCESS) { return bytes; } else { return ret; } -#else /* defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) */ +#else /* defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) && !HAVE_FIPS */ WOLFSSL_MSG("Type of socket needed is not available"); + WOLFSSL_MSG("\tor using FIPS mode where RNG API is not available"); (void)nm; - return SSL_FATAL_ERROR; + return WOLFSSL_FATAL_ERROR; #endif /* defined(USE_WOLFSSL_IO) && !defined(USE_WINDOWS_API) */ } @@ -22489,7 +22496,7 @@ char *wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM *bn) return NULL; } - buf = (char*) XMALLOC(len, NULL, DYNAMIC_TYPE_ECC); + buf = (char*) XMALLOC(len, NULL, DYNAMIC_TYPE_OPENSSL); if (buf == NULL) { WOLFSSL_MSG("BN_bn2dec malloc buffer failure"); return NULL; @@ -24771,7 +24778,7 @@ int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen, } else if (XSTRNCMP(type, "SHA224", 6) == 0) { WOLFSSL_MSG("sha224 hmac"); - ctx->type = SHA224; + ctx->type = WC_SHA224; } else if (XSTRNCMP(type, "SHA256", 6) == 0) { WOLFSSL_MSG("sha256 hmac"); @@ -24779,11 +24786,11 @@ int wolfSSL_HMAC_Init(WOLFSSL_HMAC_CTX* ctx, const void* key, int keylen, } else if (XSTRNCMP(type, "SHA384", 6) == 0) { WOLFSSL_MSG("sha384 hmac"); - ctx->type = SHA384; + ctx->type = WC_SHA384; } else if (XSTRNCMP(type, "SHA512", 6) == 0) { WOLFSSL_MSG("sha512 hmac"); - ctx->type = SHA512; + ctx->type = WC_SHA512; } /* has to be last since would pick or 256, 384, or 512 too */ diff --git a/tests/api.c b/tests/api.c index 3f1a2d31f..1f49b615d 100644 --- a/tests/api.c +++ b/tests/api.c @@ -14694,8 +14694,12 @@ static void test_wolfSSL_BN(void) AssertIntEQ(BN_set_word(b, 5), SSL_SUCCESS); AssertIntEQ(BN_sub(c, a, b), SSL_SUCCESS); #if defined(WOLFSSL_KEY_GEN) || defined(HAVE_COMP_KEY) - AssertNotNull(BN_bn2dec(c)); - AssertIntEQ(XMEMCMP(BN_bn2dec(c), "-4", sizeof("-4")), 0); + { + char* ret; + AssertNotNull(ret = BN_bn2dec(c)); + AssertIntEQ(XMEMCMP(ret, "-4", sizeof("-4")), 0); + XFREE(ret, NULL, DYNAMIC_TYPE_OPENSSL); + } #endif AssertIntEQ(BN_get_word(c), 4); @@ -16193,7 +16197,7 @@ static void test_wolfSSL_HMAC_CTX(void) #endif } -#if defined(OPENSSL_EXTRA) +#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) static void sslMsgCb(int write, int version, int type, const void* buf, size_t sz, SSL* ssl, void* arg) { diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index a90108422..02b2d9c16 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -714,7 +714,7 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_decrypt(WOLFSSL_EVP_PKEY_CTX *ctx, if(len < 0)return 0; else { *outlen = len ; - return 1; + return WOLFSSL_SUCCESS; } #endif /* NO_RSA */ @@ -740,7 +740,7 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_decrypt_init(WOLFSSL_EVP_PKEY_CTX *ctx) switch(ctx->pkey->type){ case EVP_PKEY_RSA: ctx->op = EVP_PKEY_OP_DECRYPT; - return 1; + return WOLFSSL_SUCCESS; case EVP_PKEY_EC: WOLFSSL_MSG("not implemented"); diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 04619f123..df4521d48 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -188,7 +188,7 @@ enum { }; -struct DRBG { +typedef struct DRBG { word32 reseedCtr; word32 lastBlock; byte V[DRBG_SEED_LEN]; @@ -198,7 +198,7 @@ struct DRBG { int devId; #endif byte matchCount; -}; +} DRBG; static int wc_RNG_HealthTestLocal(int reseed); @@ -278,7 +278,7 @@ static int Hash_df(DRBG* drbg, byte* out, word32 outSz, byte type, } /* Returns: DRBG_SUCCESS or DRBG_FAILURE */ -int wc_RNG_DRBG_Reseed(DRBG* drbg, const byte* entropy, word32 entropySz) +static int Hash_DRBG_Reseed(DRBG* drbg, const byte* entropy, word32 entropySz) { byte seed[DRBG_SEED_LEN]; @@ -301,6 +301,16 @@ int wc_RNG_DRBG_Reseed(DRBG* drbg, const byte* entropy, word32 entropySz) return DRBG_SUCCESS; } +/* Returns: DRBG_SUCCESS and DRBG_FAILURE or BAD_FUNC_ARG on fail */ +int wc_RNG_DRBG_Reseed(WC_RNG* rng, const byte* entropy, word32 entropySz) +{ + if (rng == NULL || entropy == NULL) { + return BAD_FUNC_ARG; + } + + return Hash_DRBG_Reseed(rng->drbg, entropy, entropySz); +} + static INLINE void array_add_one(byte* data, word32 dataSz) { int i; @@ -647,7 +657,7 @@ int wc_RNG_GenerateBlock(WC_RNG* rng, byte* output, word32 sz) byte entropy[ENTROPY_SZ]; if (wc_GenerateSeed(&rng->seed, entropy, ENTROPY_SZ) == 0 && - wc_RNG_DRBG_Reseed(rng->drbg, entropy, ENTROPY_SZ) + Hash_DRBG_Reseed(rng->drbg, entropy, ENTROPY_SZ) == DRBG_SUCCESS) { ret = Hash_DRBG_Generate(rng->drbg, NULL, 0); @@ -756,7 +766,7 @@ int wc_RNG_HealthTest(int reseed, const byte* entropyA, word32 entropyASz, } if (reseed) { - if (wc_RNG_DRBG_Reseed(drbg, entropyB, entropyBSz) != 0) { + if (Hash_DRBG_Reseed(drbg, entropyB, entropyBSz) != 0) { goto exit_rng_ht; } } diff --git a/wolfssl/wolfcrypt/random.h b/wolfssl/wolfcrypt/random.h index 3bbd7427e..2fa451053 100644 --- a/wolfssl/wolfcrypt/random.h +++ b/wolfssl/wolfcrypt/random.h @@ -132,11 +132,6 @@ typedef struct OS_Seed { #define WC_RNG_TYPE_DEFINED #endif -#ifdef HAVE_HASHDRBG - /* Private DRBG state */ - typedef struct DRBG DRBG; -#endif - /* RNG context */ struct WC_RNG { OS_Seed seed; @@ -180,7 +175,7 @@ WOLFSSL_API int wc_FreeRng(WC_RNG*); #ifdef HAVE_HASHDRBG - WOLFSSL_LOCAL int wc_RNG_DRBG_Reseed(DRBG* drbg, const byte* entropy, + WOLFSSL_LOCAL int wc_RNG_DRBG_Reseed(WC_RNG* rng, const byte* entropy, word32 entropySz); WOLFSSL_API int wc_RNG_HealthTest(int reseed, const byte* entropyA, word32 entropyASz,