diff --git a/src/internal.c b/src/internal.c
index 5f12565ca..34401e6dc 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -15511,6 +15511,10 @@ static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input,
 (void)input;
 (void)sz;
+ if (input == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
 switch (ssl->specs.bulk_cipher_algorithm) {
 #ifdef BUILD_ARC4
 case wolfssl_rc4:
@@ -18386,6 +18390,10 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 FALL_THROUGH;
 case BUILD_MSG_HASH:
 {
+ /* done with size calculations */
+ if (sizeOnly)
+ goto exit_buildmsg;
+
 if (type == handshake && hashOutput) {
 ret = HashOutput(ssl, output, args->headerSz + inSz, args->ivSz);
 if (ret != 0)
@@ -18413,6 +18421,10 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 FALL_THROUGH;
 case BUILD_MSG_VERIFY_MAC:
 {
+ /* done with size calculations */
+ if (sizeOnly)
+ goto exit_buildmsg;
+
 /* User Record Layer Callback handling */
 #ifdef ATOMIC_USER
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
@@ -18488,6 +18500,10 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 FALL_THROUGH;
 case BUILD_MSG_ENCRYPT:
 {
+ /* done with size calculations */
+ if (sizeOnly)
+ goto exit_buildmsg;
+
 #if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS)
 /* If we want the PREV_ORDER then modify CUR_ORDER sequence number
 * for all encryption algos that use it for encryption parameters */
@@ -18535,6 +18551,10 @@ int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
 FALL_THROUGH;
 case BUILD_MSG_ENCRYPTED_VERIFY_MAC:
 {
+ /* done with size calculations */
+ if (sizeOnly)
+ goto exit_buildmsg;
+
 #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
 if (ssl->options.startedETMWrite) {
 WOLFSSL_MSG("Calculate MAC of Encrypted Data");
diff --git a/src/sniffer.c b/src/sniffer.c
index b088cf3e3..83055a525 100644
--- a/src/sniffer.c
+++ b/src/sniffer.c
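Review bot: The new guard in EncryptDo rejects only a NULL `input`, yet `ssl` is dereferenced by `switch (ssl->specs.bulk_cipher_algorithm)` on the very next line, and `out` is presumably the buffer the ciphers write to. If the aim is argument validation, check all three: `if (ssl == NULL || out == NULL || input == NULL) { return BAD_FUNC_ARG; }`. Callers may already guarantee `ssl` and `out`, which cannot be confirmed from this hunk. The `(void)input;` cast just above is redundant now that `input` is always read. The function body continues outside the hunk.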
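Review bot: The `if (sizeOnly) goto exit_buildmsg;` guard added to `case BUILD_MSG_HASH` is pasted unchanged into BUILD_MSG_VERIFY_MAC, BUILD_MSG_ENCRYPT and BUILD_MSG_ENCRYPTED_VERIFY_MAC, and its comment does not say why each state needs it. Because the cases fall through, the first guard already ends a size-only call, so the later three presumably matter only when the function is entered at a later state. A comment such as `/* sizeOnly: never hash, MAC or encrypt; buffers may be NULL */` would record that intent, though the NULL-buffer part is inferred from the EncryptDo hunk and should be confirmed. I would also brace the body, `if (sizeOnly) { goto exit_buildmsg; }`, so a later edit cannot detach the goto from its condition. What `exit_buildmsg` returns for a size-only call is outside the hunks.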
@@ -2863,13 +2863,14 @@ static int SetupKeys(const byte* input, int* sslBytes, SnifferSession* session,
 }
 #endif
- if (ret != 0) {
- goto exit_sk;
- }
-
 /* make sure a key type was found */
 if (args->key->type == WC_PK_TYPE_NONE) {
- ERROR_OUT(NOT_COMPILED_IN, exit_sk);
+ ret = NOT_COMPILED_IN;
+ }
+
+ /* check for errors before moving to next state */
+ if (ret < 0) {
+ break;
 }
 /* Advance state and proceed */
@@ -2949,6 +2950,11 @@ static int SetupKeys(const byte* input, int* sslBytes, SnifferSession* session,
 }
 #endif /* WOLFSSL_ASYNC_CRYPT */
+ /* check for errors before moving to next state */
+ if (ret < 0) {
+ break;
+ }
+
 /* Advance state and proceed */
 ssl->options.asyncState = TLS_ASYNC_VERIFY;
 } /* case TLS_ASYNC_DO */
@@ -2960,6 +2966,7 @@ static int SetupKeys(const byte* input, int* sslBytes, SnifferSession* session,
 if (args->key->type == WC_PK_TYPE_RSA) {
 if (ret != SECRET_LEN) {
 SetError(RSA_DECRYPT_STR, error, session, FATAL_ERROR_STATE);
+ ret = RSA_BUFFER_E;
 }
 }
 #endif /* !NO_RSA */
@@ -2979,6 +2986,11 @@ static int SetupKeys(const byte* input, int* sslBytes, SnifferSession* session,
 }
 #endif /* !NO_DH && WOLFSSL_DH_EXTRA */
+ /* check for errors before moving to next state */
+ if (ret < 0) {
+ break;
+ }
+
 /* Advance state and proceed */
 ssl->options.asyncState = TLS_ASYNC_FINALIZE;
 } /* case TLS_ASYNC_VERIFY */
@@ -3001,12 +3013,12 @@ static int SetupKeys(const byte* input, int* sslBytes, SnifferSession* session,
 if (SetCipherSpecs(session->sslServer) != 0) {
 SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
- ret = -1; goto exit_sk;
+ ret = -1; break;
 }
 if (SetCipherSpecs(session->sslClient) != 0) {
 SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
- ret = -1; goto exit_sk;
+ ret = -1; break;
 }
 #ifdef WOLFSSL_TLS13
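Review bot: Moving the `ret` test below the key-type check in the first SetupKeys hunk lets an earlier failure be overwritten. If the preceding code leaves `ret` negative and `args->key->type` is still `WC_PK_TYPE_NONE`, `ret` becomes `NOT_COMPILED_IN` and the original error code is lost. Guarding the assignment keeps it: `if (ret >= 0 && args->key->type == WC_PK_TYPE_NONE) {`. The test also changed from `ret != 0` to `ret < 0`, here and in the two later "check for errors before moving to next state" hunks, so positive values now advance the state machine. A short comment naming the expected positive returns (the VERIFY state compares `ret` with `SECRET_LEN`) would show that this is deliberate. The code that sets `ret` is above the hunk.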
@@ -3038,7 +3050,7 @@ static int SetupKeys(const byte* input, int* sslBytes, SnifferSession* session,
 }
 if (ret != 0) {
 SetError(BAD_DERIVE_STR, error, session, FATAL_ERROR_STATE);
- ret = -1; goto exit_sk;
+ ret = -1; break;
 }
 #ifdef SHOW_SECRETS
@@ -3059,17 +3071,17 @@ static int SetupKeys(const byte* input, int* sslBytes, SnifferSession* session,
 ret = INPUT_CASE_ERROR;
 } /* switch(ssl->options.asyncState) */
+#ifdef WOLFSSL_ASYNC_CRYPT
 exit_sk:
 /* Handle async pending response */
-#ifdef WOLFSSL_ASYNC_CRYPT
 if (ret == WC_PENDING_E) {
 return ret;
 }
 #endif /* WOLFSSL_ASYNC_CRYPT */
 #ifdef WOLFSSL_SNIFFER_STATS
- if (ret != 0)
+ if (ret < 0)
 INC_STAT(SnifferStats.sslKeyFails);
 #endif
diff --git a/src/ssl.c b/src/ssl.c
index c63aed749..c6669fa6e 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -13709,6 +13709,7 @@ void AddSession(WOLFSSL* ssl)
 }
 }
 #endif /* WOLFSSL_SESSION_STATS && WOLFSSL_PEAK_SESSIONS */
+ (void)error;
 }
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index a6ff5c269..18e82a282 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -7899,7 +7899,7 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
 /* check for async hardware acceleration */
 #if defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_ECC)
- if (key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
+ if (err == MP_OKAY && key->asyncDev.marker == WOLFSSL_ASYNC_MARKER_ECC) {
 #if defined(HAVE_CAVIUM_V) || defined(HAVE_INTEL_QA)
 #ifdef HAVE_CAVIUM_V
 if (NitroxEccIsCurveSupported(key))
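Review bot: With `#ifdef WOLFSSL_ASYNC_CRYPT` moved above `exit_sk:`, the label exists only in async builds, so any `goto exit_sk` left in code compiled without that macro breaks the build. An async build with no remaining jump would carry an unused label. The hunks shown replace the jumps they touch with `break`, but the rest of SetupKeys is outside this diff, so it is worth searching for remaining uses and building both configurations. The statistics test also narrows from `ret != 0` to `ret < 0`. If positive returns are meant to count as success, a comment such as `/* only negative ret is a key failure */` would say so.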
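Review bot: The added `err == MP_OKAY &&` in wc_ecc_verify_hash_ex keeps a call whose earlier step failed out of the hardware offload branch, but nothing in the hunk shows that the code after this `#if` block is skipped on the same condition. Since this is signature verification, a failed earlier check must never reach a path that can report a valid signature. Please confirm the non-offload path is guarded too, and add a comment on the new line such as `/* offload only when earlier checks succeeded */`. The statements that set `err` and the rest of the function are outside the hunk.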