From 22bcceb2d3c544fe362619196e1b5237517dc4f5 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Thu, 29 Oct 2020 20:28:29 -0500 Subject: [PATCH 1/5] src/sniffer.c: guard against null arguments to TraceSetNamedServer(), to eliminate -Werror=format-overflow= warnings from gcc. --- src/sniffer.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/sniffer.c b/src/sniffer.c index 826adf232..bec413fa3 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -992,7 +992,10 @@ static void TraceSetNamedServer(const char* name, if (TraceOn) { fprintf(TraceFile, "\tTrying to install a new Sniffer Server with\n"); fprintf(TraceFile, "\tname: %s, server: %s, port: %d, keyFile: %s\n", - name, srv, port, keyFile); + name ? name : "", + srv ? srv : "", + port, + keyFile ? keyFile : ""); } } From 4b1a779fcc7dd6991930b303b7d447ecb62de716 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Mon, 9 Nov 2020 11:54:49 -0600 Subject: [PATCH 2/5] tests: fix for fips-test -Wunused-variable on "rng" --- tests/api.c | 2 ++ wolfcrypt/test/test.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/tests/api.c b/tests/api.c index ddfdbe7b8..9b1581c3d 100644 --- a/tests/api.c +++ b/tests/api.c @@ -23211,7 +23211,9 @@ static void test_wc_PKCS7_EncodeDecodeEnvelopedData (void) { #if defined(HAVE_PKCS7) PKCS7* pkcs7; +#ifdef ECC_TIMING_RESISTANT WC_RNG rng; +#endif word32 tempWrd32 = 0; byte* tmpBytePtr = NULL; const char input[] = "Test data to encode."; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 0966a4d41..566c3adc2 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -26224,7 +26224,9 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, byte *enveloped; byte *decoded; PKCS7* pkcs7; +#ifdef ECC_TIMING_RESISTANT WC_RNG rng; +#endif #ifdef PKCS7_OUTPUT_TEST_BUNDLES XFILE pkcs7File; #endif From bd38124814c330b5d34d6ef76b8a522f34e5b0c6 Mon Sep 17 00:00:00 2001 
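Review bot: In TraceSetNamedServer() the new guards print an empty field when `name`, `srv` or `keyFile` is NULL, so the sniffer trace cannot tell a missing argument from an empty string. A visible placeholder keeps that distinction for whoever reads the trace later, e.g. `name ? name : "(null)"`, and likewise for `srv` and `keyFile`. The function body starts outside this hunk, so whether its callers can actually pass NULL is not visible here; a one-line comment saying which arguments may be NULL would help.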
From: Daniel Pouzzner Date: Mon, 9 Nov 2020 21:24:34 -0600 Subject: [PATCH 3/5] ssl.c: refactor wolfSSL_RSA_generate_key() and wolfSSL_RSA_generate_key_ex() to retry failed wc_MakeRsaKey() on PRIME_GEN_E when -DHAVE_FIPS, matching non-FIPS behavior, to eliminate exposed nondeterministic failures due to finite failCount. --- src/ssl.c | 132 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 80 insertions(+), 52 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index a17f6a406..573759301 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -30166,6 +30166,63 @@ int SetDsaInternal(WOLFSSL_DSA* dsa) #ifdef OPENSSL_EXTRA #if !defined(NO_RSA) + +/* return wolfSSL native error codes. */ +static int wolfSSL_RSA_generate_key_native(WOLFSSL_RSA* rsa, int bits, WOLFSSL_BIGNUM* bn, + void* cb) +{ + int ret; + + (void)cb; + (void)bn; + (void)bits; + + WOLFSSL_ENTER("wolfSSL_RSA_generate_key_native"); + + if (rsa == NULL || rsa->internal == NULL) { + /* bit size checked during make key call */ + WOLFSSL_MSG("bad arguments"); + return BAD_FUNC_ARG; + } + +#ifdef WOLFSSL_KEY_GEN + { + #ifdef WOLFSSL_SMALL_STACK + WC_RNG* rng; + #else + WC_RNG rng[1]; + #endif + + #ifdef WOLFSSL_SMALL_STACK + rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); + if (rng == NULL) + return MEMORY_E; + #endif + + if ((ret = wc_InitRng(rng)) < 0) + WOLFSSL_MSG("RNG init failed"); + else if ((ret = wc_MakeRsaKey((RsaKey*)rsa->internal, bits, + wolfSSL_BN_get_word(bn), rng)) != MP_OKAY) + WOLFSSL_MSG("wc_MakeRsaKey failed"); + else if ((ret = SetRsaExternal(rsa)) != WOLFSSL_SUCCESS) + WOLFSSL_MSG("SetRsaExternal failed"); + else { + rsa->inSet = 1; + ret = WOLFSSL_ERROR_NONE; + } + + wc_FreeRng(rng); + #ifdef WOLFSSL_SMALL_STACK + XFREE(rng, NULL, DYNAMIC_TYPE_RNG); + #endif + } +#else + WOLFSSL_MSG("No Key Gen built in"); + ret = NOT_COMPILED_IN; +#endif + return ret; +} + /* Generates a RSA key of length len * * len length of RSA key i.e. 2048 
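Review bot: wolfSSL_RSA_generate_key_native() is commented as returning native error codes, but its `ret` mixes three conventions: the wc_InitRng()/wc_MakeRsaKey() codes, whatever SetRsaExternal() returns on failure, and WOLFSSL_ERROR_NONE on success. Both callers test only `== WOLFSSL_ERROR_NONE`, so this is correct only while no failing SetRsaExternal() value equals WOLFSSL_ERROR_NONE; its failure values are not visible in this hunk. Mapping that branch explicitly would make the contract hold by construction, e.g. `if (SetRsaExternal(rsa) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("SetRsaExternal failed"); ret = WOLFSSL_FATAL_ERROR; }`. The header comment should also list the codes callers can expect (BAD_FUNC_ARG, MEMORY_E, NOT_COMPILED_IN, PRIME_GEN_E), since the retry logic depends on them.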
@@ -30211,9 +30268,19 @@ WOLFSSL_RSA* wolfSSL_RSA_generate_key(int len, unsigned long e,
 WOLFSSL_MSG("memory error");
 }
 else {
- if (wolfSSL_RSA_generate_key_ex(rsa, len, bn, NULL) != SSL_SUCCESS){
- wolfSSL_RSA_free(rsa);
- rsa = NULL;
+ for (;;) {
+ int gen_ret = wolfSSL_RSA_generate_key_native(rsa, len, bn, NULL);
+ if (gen_ret == WOLFSSL_ERROR_NONE)
+ break;
+#ifdef HAVE_FIPS
+ else if (gen_ret == PRIME_GEN_E)
+ continue;
+#endif
+ else {
+ wolfSSL_RSA_free(rsa);
+ rsa = NULL;
+ break;
+ }
 }
 }
 wolfSSL_BN_free(bn);
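Review bot: The `for (;;)` retry in wolfSSL_RSA_generate_key() has no upper bound under HAVE_FIPS, so every PRIME_GEN_E from wolfSSL_RSA_generate_key_native() restarts key generation. If the failure is persistent rather than statistical, for instance a length or exponent for which prime generation keeps failing, the caller hangs instead of getting NULL back. The same loop is added to wolfSSL_RSA_generate_key_ex() in the next hunk. A retry counter keeps the intended behaviour and guarantees termination, e.g. `else if (gen_ret == PRIME_GEN_E && ++tries < MAX_KEYGEN_RETRIES) continue;`, where MAX_KEYGEN_RETRIES is a placeholder for a limit the project chooses. Each retry also initialises and frees a fresh WC_RNG inside the helper, which deserves a comment if it is intentional.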
@@ -30221,62 +30288,23 @@ WOLFSSL_RSA* wolfSSL_RSA_generate_key(int len, unsigned long e, return rsa; } - /* return compliant with OpenSSL * 1 if success, 0 if error */ int wolfSSL_RSA_generate_key_ex(WOLFSSL_RSA* rsa, int bits, WOLFSSL_BIGNUM* bn, void* cb) { - int ret = WOLFSSL_FAILURE; - - (void)cb; - (void)bn; - (void)bits; - - WOLFSSL_ENTER("wolfSSL_RSA_generate_key_ex"); - - if (rsa == NULL || rsa->internal == NULL) { - /* bit size checked during make key call */ - WOLFSSL_MSG("bad arguments"); - return WOLFSSL_FAILURE; - } - -#ifdef WOLFSSL_KEY_GEN - { - #ifdef WOLFSSL_SMALL_STACK - WC_RNG* rng; - #else - WC_RNG rng[1]; - #endif - - #ifdef WOLFSSL_SMALL_STACK - rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); - if (rng == NULL) - return WOLFSSL_FAILURE; - #endif - - if (wc_InitRng(rng) < 0) - WOLFSSL_MSG("RNG init failed"); - else if (wc_MakeRsaKey((RsaKey*)rsa->internal, bits, - wolfSSL_BN_get_word(bn), rng) != MP_OKAY) - WOLFSSL_MSG("wc_MakeRsaKey failed"); - else if (SetRsaExternal(rsa) != WOLFSSL_SUCCESS) - WOLFSSL_MSG("SetRsaExternal failed"); - else { - rsa->inSet = 1; - ret = WOLFSSL_SUCCESS; - } - - wc_FreeRng(rng); - #ifdef WOLFSSL_SMALL_STACK - XFREE(rng, NULL, DYNAMIC_TYPE_RNG); - #endif - } -#else - WOLFSSL_MSG("No Key Gen built in"); + for (;;) { + int gen_ret = wolfSSL_RSA_generate_key_native(rsa, bits, bn, cb); + if (gen_ret == WOLFSSL_ERROR_NONE) + return WOLFSSL_SUCCESS; +#ifdef HAVE_FIPS + else if (gen_ret == PRIME_GEN_E) + continue; #endif - return ret; + else + return WOLFSSL_FAILURE; + } } #endif /* NO_RSA */ From 196ae63eb25d375c1f9ce8074f5043bcf71d6f4e Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Tue, 10 Nov 2020 00:03:02 -0600 Subject: [PATCH 4/5] scripts/external.test: skip test when -DWOLFSSL_SNIFFER (staticCipherList in client.c is incompatible). --- scripts/external.test | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/scripts/external.test b/scripts/external.test index 9557a0b43..96a11f0bd 100755 
--- a/scripts/external.test +++ b/scripts/external.test @@ -13,6 +13,12 @@ if [ $? -ne 0 ]; then # cloudflare seems to change CAs quickly, disabled by default if test -n "$WOLFSSL_EXTERNAL_TEST"; then + + if ./examples/client/client '-#' | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then + echo 'skipping WOLFSSL_EXTERNAL_TEST because WOLFSSL_SNIFFER configuration of build is incompatible.' + exit 0 + fi + echo "WOLFSSL_EXTERNAL_TEST set, running test..." else echo "WOLFSSL_EXTERNAL_TEST NOT set, won't run" From 5625929c8348501a76107318e02d09e140de0f2a Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Tue, 10 Nov 2020 01:27:45 -0600 Subject: [PATCH 5/5] scripts/external.test: skip test when -UHAVE_ECC. --- scripts/external.test | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/scripts/external.test b/scripts/external.test index 96a11f0bd..95422242e 100755 --- a/scripts/external.test +++ b/scripts/external.test @@ -14,8 +14,14 @@ if [ $? -ne 0 ]; then # cloudflare seems to change CAs quickly, disabled by default if test -n "$WOLFSSL_EXTERNAL_TEST"; then - if ./examples/client/client '-#' | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then - echo 'skipping WOLFSSL_EXTERNAL_TEST because WOLFSSL_SNIFFER configuration of build is incompatible.' + BUILD_FLAGS="$(./examples/client/client '-#')" + if echo "$BUILD_FLAGS" | fgrep -q -e ' -DWOLFSSL_SNIFFER '; then + echo 'skipping WOLFSSL_EXTERNAL_TEST because -DWOLFSSL_SNIFFER configuration of build is incompatible.' + exit 0 + fi + + if echo "$BUILD_FLAGS" | fgrep -v -q -e ' -DHAVE_ECC '; then + echo 'skipping WOLFSSL_EXTERNAL_TEST because -UHAVE_ECC configuration of build is incompatible.' exit 0 fi
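Review bot: The HAVE_ECC check in the last hunk inverts the match with `fgrep -v -q`, which succeeds as soon as any line of `$BUILD_FLAGS` lacks the pattern, not when the flag is absent from the whole output. If `./examples/client/client '-#'` prints more than one line, the test is skipped even on builds that have ECC. Negating the pipeline tests absence directly: `if ! echo "$BUILD_FLAGS" | fgrep -q -e ' -DHAVE_ECC '; then`. The space-delimited pattern also misses a flag that is first or last in the output. Since the skip path exits 0, a false match silently drops the external TLS test from the run.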