diff --git a/examples/client/client.c b/examples/client/client.c index d8b03be6b..1af2c22b3 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -408,15 +408,13 @@ static int StartTLS_Init(SOCKET_T* sockfd) if (sockfd == NULL) return BAD_FUNC_ARG; - XMEMSET(tmpBuf, 0, sizeof(tmpBuf)); - /* S: 220 SMTP service ready */ - if (recv(*sockfd, tmpBuf, sizeof(tmpBuf), 0) < 0) + XMEMSET(tmpBuf, 0, sizeof(tmpBuf)); + if (recv(*sockfd, tmpBuf, sizeof(tmpBuf)-1, 0) < 0) err_sys("failed to read STARTTLS command\n"); if (!XSTRNCMP(tmpBuf, starttlsCmd[0], XSTRLEN(starttlsCmd[0]))) { printf("%s\n", tmpBuf); - XMEMSET(tmpBuf, 0, sizeof(tmpBuf)); } else { err_sys("incorrect STARTTLS command received"); } @@ -427,12 +425,12 @@ static int StartTLS_Init(SOCKET_T* sockfd) err_sys("failed to send STARTTLS EHLO command\n"); /* S: 250 offers a warm hug of welcome */ - if (recv(*sockfd, tmpBuf, sizeof(tmpBuf), 0) < 0) + XMEMSET(tmpBuf, 0, sizeof(tmpBuf)); + if (recv(*sockfd, tmpBuf, sizeof(tmpBuf)-1, 0) < 0) err_sys("failed to read STARTTLS command\n"); if (!XSTRNCMP(tmpBuf, starttlsCmd[2], XSTRLEN(starttlsCmd[2]))) { printf("%s\n", tmpBuf); - XMEMSET(tmpBuf, 0, sizeof(tmpBuf)); } else { err_sys("incorrect STARTTLS command received"); } @@ -444,12 +442,12 @@ static int StartTLS_Init(SOCKET_T* sockfd) } /* S: 220 Go ahead */ - if (recv(*sockfd, tmpBuf, sizeof(tmpBuf), 0) < 0) + XMEMSET(tmpBuf, 0, sizeof(tmpBuf)); + if (recv(*sockfd, tmpBuf, sizeof(tmpBuf)-1, 0) < 0) err_sys("failed to read STARTTLS command\n"); if (!XSTRNCMP(tmpBuf, starttlsCmd[4], XSTRLEN(starttlsCmd[4]))) { printf("%s\n", tmpBuf); - XMEMSET(tmpBuf, 0, sizeof(tmpBuf)); } else { err_sys("incorrect STARTTLS command received, expected 220"); } diff --git a/src/internal.c b/src/internal.c index e04f1899e..db15eb392 100755 --- a/src/internal.c +++ b/src/internal.c @@ -8584,6 +8584,12 @@ static INLINE int DtlsCheckWindow(WOLFSSL* ssl) word32 idx = diff / DTLS_WORD_BITS; word32 newDiff = diff % DTLS_WORD_BITS; + /* verify idx is valid for window array */ + if (idx >= WOLFSSL_DTLS_WINDOW_WORDS) { + WOLFSSL_MSG("Invalid DTLS windows index"); + return 0; + } + if (window[idx] & (1 << (newDiff - 1))) { WOLFSSL_MSG("Current record sequence number already received."); return 0; @@ -11794,7 +11800,7 @@ int SendCertificateStatus(WOLFSSL* ssl) if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) return 0; - if (!request || ssl->buffers.weOwnCert) { + if (request == NULL || ssl->buffers.weOwnCert) { DerBuffer* der = ssl->buffers.certificate; #ifdef WOLFSSL_SMALL_STACK DecodedCert* cert = NULL; @@ -11822,25 +11828,27 @@ int SendCertificateStatus(WOLFSSL* ssl) else { request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - if (request == NULL) { - FreeDecodedCert(cert); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - return MEMORY_E; + if (request) { + ret = InitOcspRequest(request, cert, 0, ssl->heap); + if (ret == 0) { + /* make sure ctx OCSP request is updated */ + if (!ssl->buffers.weOwnCert) { + wolfSSL_Mutex* ocspLock = + &ssl->ctx->cm->ocsp_stapling->ocspLock; + if (wc_LockMutex(ocspLock) == 0) { + if (ssl->ctx->certOcspRequest == NULL) + ssl->ctx->certOcspRequest = request; + wc_UnLockMutex(ocspLock); + } + } + } + else { + XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); + request = NULL; + } } - - ret = InitOcspRequest(request, cert, 0, ssl->heap); - if (ret != 0) { - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - } - else if (!ssl->buffers.weOwnCert && 0 == wc_LockMutex( - &ssl->ctx->cm->ocsp_stapling->ocspLock)) { - if (!ssl->ctx->certOcspRequest) - ssl->ctx->certOcspRequest = request; - wc_UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock); + else { + ret = MEMORY_E; } } @@ -11859,10 +11867,11 @@ int SendCertificateStatus(WOLFSSL* ssl) &response); /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED - || ret == OCSP_CERT_UNKNOWN - || ret == OCSP_LOOKUP_FAIL) + if (ret == OCSP_CERT_REVOKED || + ret == OCSP_CERT_UNKNOWN || + ret == OCSP_LOOKUP_FAIL) { ret = 0; + } if (response.buffer) { if (ret == 0) @@ -11898,18 +11907,18 @@ int SendCertificateStatus(WOLFSSL* ssl) if (!request || ssl->buffers.weOwnCert) { DerBuffer* der = ssl->buffers.certificate; - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; - #else - DecodedCert cert[1]; - #endif + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif /* unable to fetch status. skip. */ if (der->buffer == NULL || der->length == 0) return 0; #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (cert == NULL) return MEMORY_E; @@ -11924,26 +11933,27 @@ int SendCertificateStatus(WOLFSSL* ssl) else { request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - if (request == NULL) { - FreeDecodedCert(cert); - - #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - #endif - - return MEMORY_E; + if (request) { + ret = InitOcspRequest(request, cert, 0, ssl->heap); + if (ret == 0) { + /* make sure ctx OCSP request is updated */ + if (!ssl->buffers.weOwnCert) { + wolfSSL_Mutex* ocspLock = + &ssl->ctx->cm->ocsp_stapling->ocspLock; + if (wc_LockMutex(ocspLock) == 0) { + if (ssl->ctx->certOcspRequest == NULL) + ssl->ctx->certOcspRequest = request; + wc_UnLockMutex(ocspLock); + } + } + } + else { + XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); + request = NULL; + } } - - ret = InitOcspRequest(request, cert, 0, ssl->heap); - if (ret != 0) { - XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); - } - else if (!ssl->buffers.weOwnCert && 0 == wc_LockMutex( - &ssl->ctx->cm->ocsp_stapling->ocspLock)) { - if (!ssl->ctx->certOcspRequest) - ssl->ctx->certOcspRequest = request; - - wc_UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock); + else { + ret = MEMORY_E; } } @@ -11962,10 +11972,11 @@ int SendCertificateStatus(WOLFSSL* ssl) &responses[0]); /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED - || ret == OCSP_CERT_UNKNOWN - || ret == OCSP_LOOKUP_FAIL) + if (ret == OCSP_CERT_REVOKED || + ret == OCSP_CERT_UNKNOWN || + ret == OCSP_LOOKUP_FAIL) { ret = 0; + } } if (request != ssl->ctx->certOcspRequest) @@ -11984,7 +11995,7 @@ int SendCertificateStatus(WOLFSSL* ssl) XMEMSET(&der, 0, sizeof(buffer)); #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (cert == NULL) return MEMORY_E; @@ -12011,23 +12022,30 @@ int SendCertificateStatus(WOLFSSL* ssl) request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); if (request == NULL) { + FreeDecodedCert(cert); + ret = MEMORY_E; break; } ret = InitOcspRequest(request, cert, 0, ssl->heap); - if (ret != 0) { - XFREE(request, ssl->heap,DYNAMIC_TYPE_OCSP_REQUEST); - break; + if (ret == 0) { + /* make sure ctx OCSP request is updated */ + if (!ssl->buffers.weOwnCertChain) { + wolfSSL_Mutex* ocspLock = + &ssl->ctx->cm->ocsp_stapling->ocspLock; + if (wc_LockMutex(ocspLock) == 0) { + if (ssl->ctx->chainOcspRequest[i] == NULL) + ssl->ctx->chainOcspRequest[i] = request; + wc_UnLockMutex(ocspLock); + } + } } - else if (!ssl->buffers.weOwnCertChain && 0 == - wc_LockMutex( - &ssl->ctx->cm->ocsp_stapling->ocspLock)) { - if (!ssl->ctx->chainOcspRequest[i]) - ssl->ctx->chainOcspRequest[i] = request; - - wc_UnLockMutex( - &ssl->ctx->cm->ocsp_stapling->ocspLock); + else { + FreeDecodedCert(cert); + XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); + request = NULL; + break; } #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) @@ -12037,13 +12055,14 @@ int SendCertificateStatus(WOLFSSL* ssl) request, &responses[i + 1]); /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED - || ret == OCSP_CERT_UNKNOWN - || ret == OCSP_LOOKUP_FAIL) + if (ret == OCSP_CERT_REVOKED || + ret == OCSP_CERT_UNKNOWN || + ret == OCSP_LOOKUP_FAIL) { ret = 0; + } if (request != ssl->ctx->chainOcspRequest[i]) - XFREE(request, ssl->heap,DYNAMIC_TYPE_OCSP_REQUEST); + XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); i++; } @@ -12065,10 +12084,11 @@ int SendCertificateStatus(WOLFSSL* ssl) request, &responses[++i]); /* Suppressing, not critical */ - if (ret == OCSP_CERT_REVOKED - || ret == OCSP_CERT_UNKNOWN - || ret == OCSP_LOOKUP_FAIL) + if (ret == OCSP_CERT_REVOKED || + ret == OCSP_CERT_UNKNOWN || + ret == OCSP_LOOKUP_FAIL) { ret = 0; + } } } @@ -17609,9 +17629,9 @@ int SendCertificateVerify(WOLFSSL* ssl) } #ifndef NO_OLD_TLS else { - /* if old TLS load MD5 hash as value to sign */ - XMEMCPY(ssl->buffers.sig.buffer, ssl->hsHashes->certHashes.md5, - FINISHED_SZ); + /* if old TLS load MD5 and SHA hash as value to sign */ + XMEMCPY(ssl->buffers.sig.buffer, + (byte*)ssl->hsHashes->certHashes.md5, FINISHED_SZ); } #endif @@ -17767,11 +17787,6 @@ int SendCertificateVerify(WOLFSSL* ssl) args->inputSz); } - /* Check for error */ - if (ret != 0) { - goto exit_scv; - } - /* Advance state and proceed */ ssl->options.asyncState = TLS_ASYNC_END; } /* case TLS_ASYNC_FINALIZE */ diff --git a/src/io.c b/src/io.c index 879a4e824..5b7196011 100644 --- a/src/io.c +++ b/src/io.c @@ -1024,45 +1024,72 @@ int wolfIO_HttpBuildRequest(const char* reqType, const char* domainName, word32 reqTypeLen, domainNameLen, reqSzStrLen, contentTypeLen, maxLen; char reqSzStr[6]; char* req = (char*)buf; + const char* blankStr = " "; + const char* http11Str = " HTTP/1.1"; + const char* hostStr = "\r\nHost: "; + const char* contentLenStr = "\r\nContent-Length: "; + const char* contentTypeStr = "\r\nContent-Type: "; + const char* doubleCrLfStr = "\r\n\r\n"; + word32 blankStrLen, http11StrLen, hostStrLen, contentLenStrLen, + contentTypeStrLen, doubleCrLfStrLen; reqTypeLen = (word32)XSTRLEN(reqType); domainNameLen = (word32)XSTRLEN(domainName); reqSzStrLen = wolfIO_Word16ToString(reqSzStr, (word16)reqSz); contentTypeLen = (word32)XSTRLEN(contentType); - /* determine max length */ - maxLen = reqTypeLen + domainNameLen + pathLen + reqSzStrLen + contentTypeLen + 56; + blankStrLen = (word32)XSTRLEN(blankStr); + http11StrLen = (word32)XSTRLEN(http11Str); + hostStrLen = (word32)XSTRLEN(hostStr); + contentLenStrLen = (word32)XSTRLEN(contentLenStr); + contentTypeStrLen = (word32)XSTRLEN(contentTypeStr); + doubleCrLfStrLen = (word32)XSTRLEN(doubleCrLfStr); + + /* determine max length and check it */ + maxLen = + reqTypeLen + + blankStrLen + + pathLen + + http11StrLen + + hostStrLen + + domainNameLen + + contentLenStrLen + + reqSzStrLen + + contentTypeStrLen + + contentTypeLen + + doubleCrLfStrLen + + 1 /* null term */; if (maxLen > (word32)bufSize) return 0; XSTRNCPY((char*)buf, reqType, reqTypeLen); buf += reqTypeLen; - XSTRNCPY((char*)buf, " ", 1); - buf += 1; + XSTRNCPY((char*)buf, blankStr, blankStrLen+1); + buf += blankStrLen; XSTRNCPY((char*)buf, path, pathLen); buf += pathLen; - XSTRNCPY((char*)buf, " HTTP/1.1", 9); - buf += 9; + XSTRNCPY((char*)buf, http11Str, http11StrLen+1); + buf += http11StrLen; if (domainNameLen > 0) { - XSTRNCPY((char*)buf, "\r\nHost: ", 8); - buf += 8; + XSTRNCPY((char*)buf, hostStr, hostStrLen+1); + buf += hostStrLen; XSTRNCPY((char*)buf, domainName, domainNameLen); buf += domainNameLen; } if (reqSz > 0 && reqSzStrLen > 0) { - XSTRNCPY((char*)buf, "\r\nContent-Length: ", 18); - buf += 18; + XSTRNCPY((char*)buf, contentLenStr, contentLenStrLen+1); + buf += contentLenStrLen; XSTRNCPY((char*)buf, reqSzStr, reqSzStrLen); buf += reqSzStrLen; } if (contentTypeLen > 0) { - XSTRNCPY((char*)buf, "\r\nContent-Type: ", 16); - buf += 16; + XSTRNCPY((char*)buf, contentTypeStr, contentTypeStrLen+1); + buf += contentTypeStrLen; XSTRNCPY((char*)buf, contentType, contentTypeLen); buf += contentTypeLen; } - XSTRNCPY((char*)buf, "\r\n\r\n", 4); - buf += 4; + XSTRNCPY((char*)buf, doubleCrLfStr, doubleCrLfStrLen+1); + buf += doubleCrLfStrLen; #ifdef WOLFIO_DEBUG printf("HTTP %s: %s", reqType, req); diff --git a/src/ocsp.c b/src/ocsp.c index d0fab5e4c..25a270a71 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -608,7 +608,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio, byte* p; int len; int dataAlloced = 0; - OcspResponse* ret; + OcspResponse* ret = NULL; if (bio == NULL) return NULL; @@ -624,9 +624,18 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio, long l; i = XFTELL(bio->file); + if (i < 0) + return NULL; XFSEEK(bio->file, 0, SEEK_END); l = XFTELL(bio->file); + if (l < 0) + return NULL; XFSEEK(bio->file, i, SEEK_SET); + + /* check calulated length */ + if (l - i <= 0) + return NULL; + data = (byte*)XMALLOC(l - i, 0, DYNAMIC_TYPE_TMP_BUFFER); if (data == NULL) return NULL; @@ -637,8 +646,10 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE_bio(WOLFSSL_BIO* bio, else return NULL; - p = data; - ret = wolfSSL_d2i_OCSP_RESPONSE(response, (const unsigned char **)&p, len); + if (len > 0) { + p = data; + ret = wolfSSL_d2i_OCSP_RESPONSE(response, (const unsigned char **)&p, len); + } if (dataAlloced) XFREE(data, 0, DYNAMIC_TYPE_TMP_BUFFER); @@ -687,8 +698,8 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, return NULL; } - GetSequence(*data, &idx, &length, len); - (*data) += idx + length; + if (GetSequence(*data, &idx, &length, len) >= 0) + (*data) += idx + length; return resp; } diff --git a/src/ssl.c b/src/ssl.c index c2026a6ff..503441eac 100755 --- a/src/ssl.c +++ b/src/ssl.c @@ -674,8 +674,8 @@ const char* wolfSSL_get_shared_ciphers(WOLFSSL* ssl, char* buf, int len) if (ssl == NULL) return NULL; - cipher = wolfSSL_get_cipher_name_from_suite(ssl->options.cipherSuite0, - ssl->options.cipherSuite); + cipher = wolfSSL_get_cipher_name_from_suite(ssl->options.cipherSuite, + ssl->options.cipherSuite0); len = min(len, (int)(XSTRLEN(cipher) + 1)); XMEMCPY(buf, cipher, len); return buf; @@ -9000,9 +9000,11 @@ static int GetDeepCopySession(WOLFSSL* ssl, WOLFSSL_SESSION* copyFrom) copyInto->ticket = copyInto->staticTicket; } - if (wc_UnLockMutex(&session_mutex) != 0) { - if (ret == SSL_SUCCESS) - ret = BAD_MUTEX_E; + if (doDynamicCopy) { + if (wc_UnLockMutex(&session_mutex) != 0) { + if (ret == SSL_SUCCESS) + ret = BAD_MUTEX_E; + } } if (ret != SSL_SUCCESS) { @@ -16317,7 +16319,7 @@ void wolfSSL_DES_set_odd_parity(WOLFSSL_DES_cblock* myDes) #ifdef WOLFSSL_DES_ECB -/* Encrpyt or decrypt input message desa with key and get output in desb. +/* Encrpyt or decrypt input message desa with key and get output in desb. * if enc is DES_ENCRYPT,input message is encrypted or * if enc is DES_DECRYPT,input message is decrypted. * */ @@ -19565,6 +19567,7 @@ static int EncryptDerKey(byte *der, int *derSz, const EVP_CIPHER* cipher, /* set the cipher name on info */ XSTRNCPY(info->name, cipher, NAME_SZ); + info->name[NAME_SZ-1] = '\0'; /* null term */ /* Generate a random salt */ if (wolfSSL_RAND_bytes(info->iv, info->ivSz) != SSL_SUCCESS) { @@ -20736,17 +20739,16 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, mp_clear(&a); mp_clear(&prime); - if (ret != MP_OKAY) { - ret = SSL_FAILURE; - } - - /* set the external value for the computed point */ - if (ret != SSL_FAILURE) { + if (ret == MP_OKAY) { + /* set the external value for the computed point */ ret = SetECPointInternal(r); if (ret != SSL_SUCCESS) { WOLFSSL_MSG("SetECPointInternal r failed"); } } + else { + ret = SSL_FAILURE; + } return ret; } @@ -22018,9 +22020,18 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) /* Read in next certificate from file but no more. */ i = XFTELL(bp->file); + if (i < 0) + return NULL; XFSEEK(bp->file, 0, SEEK_END); l = XFTELL(bp->file); + if (l < 0) + return NULL; XFSEEK(bp->file, i, SEEK_SET); + + /* check calulated length */ + if (l - i <= 0) + return NULL; + pem = (unsigned char*)XMALLOC(l - i, 0, DYNAMIC_TYPE_TMP_BUFFER); if (pem == NULL) return NULL; @@ -22582,10 +22593,13 @@ WOLFSSL_BIO *wolfSSL_BIO_new_file(const char *filename, const char *mode) return NULL; bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); - if (bio == NULL) + if (bio == NULL) { + XFCLOSE(fp); return bio; + } if (wolfSSL_BIO_set_fp(bio, fp, BIO_CLOSE) != SSL_SUCCESS) { + XFCLOSE(fp); wolfSSL_BIO_free(bio); bio = NULL; } diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 12110f15d..796a90a12 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -592,12 +592,13 @@ static INLINE int bench_stats_sym_check(double start) static void bench_stats_sym_finish(const char* desc, int doAsync, int count, double start) { - double total, persec; + double total, persec = 0; END_INTEL_CYCLES total = current_time(0) - start; - persec = 1 / total * count; + if (count > 0) + persec = 1 / total * count; #ifdef BENCH_EMBEDDED /* since using kB, convert to MB/s */ persec = persec / 1024; @@ -618,10 +619,11 @@ static void bench_stats_sym_finish(const char* desc, int doAsync, int count, dou static void bench_stats_asym_finish(const char* algo, int strength, const char* desc, int doAsync, int count, double start) { - double total, each, opsSec, milliEach; + double total, each = 0, opsSec, milliEach; total = current_time(0) - start; - each = total / count; /* per second */ + if (count > 0) + each = total / count; /* per second */ opsSec = count / total; /* ops/per second */ milliEach = each * 1000; /* milliseconds */ @@ -1570,7 +1572,7 @@ void bench_chacha(void) void bench_chacha20_poly1305_aead(void) { double start; - int i, count; + int ret, i, count; byte authTag[CHACHA20_POLY1305_AEAD_AUTHTAG_SIZE]; XMEMSET(authTag, 0, sizeof(authTag)); @@ -1578,8 +1580,12 @@ void bench_chacha20_poly1305_aead(void) bench_stats_start(&count, &start); do { for (i = 0; i < numBlocks; i++) { - wc_ChaCha20Poly1305_Encrypt(bench_key, bench_iv, NULL, 0, + ret = wc_ChaCha20Poly1305_Encrypt(bench_key, bench_iv, NULL, 0, bench_plain, BENCH_SIZE, bench_cipher, authTag); + if (ret < 0) { + printf("wc_ChaCha20Poly1305_Encrypt error: %d\n", ret); + break; + } } count += i; } while (bench_stats_sym_check(start)); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 0cc26bc75..939dd1606 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -7387,7 +7387,7 @@ static int SetOidValue(byte* out, word32 outSz, const byte *oid, word32 oidSz, /* encode Subject Key Identifier, return total bytes written * RFC5280 : non-critical */ -static int SetSKID(byte* output, word32 outSz, byte *input, word32 length) +static int SetSKID(byte* output, word32 outSz, const byte *input, word32 length) { byte skid_len[1 + MAX_LENGTH_SZ]; byte skid_enc_len[MAX_LENGTH_SZ]; @@ -7921,9 +7921,11 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey, /* SKID */ if (cert->skidSz) { /* check the provided SKID size */ - if (cert->skidSz > (int)sizeof(der->skid)) + if (cert->skidSz > (int)sizeof(cert->skid)) return SKID_E; + /* Note: different skid buffers sizes for der (MAX_KID_SZ) and + cert (CTC_MAX_SKID_SIZE). */ der->skidSz = SetSKID(der->skid, sizeof(der->skid), cert->skid, cert->skidSz); if (der->skidSz <= 0) @@ -8645,9 +8647,11 @@ int wc_SignCert(int requestSz, int sType, byte* buffer, word32 buffSz, heap = eccKey->heap; } +#ifdef WOLFSSL_ASYNC_CRYPT if (certSignCtx == NULL) { return BAD_FUNC_ARG; } +#endif if (certSignCtx->sig == NULL) { certSignCtx->sig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, heap, @@ -8984,6 +8988,7 @@ int wc_SetAuthKeyId(Cert *cert, const char* file) /* Set KeyUsage from human readable string */ int wc_SetKeyUsage(Cert *cert, const char *value) { + int ret = 0; char *token, *str, *ptr; word32 len; @@ -9025,14 +9030,16 @@ int wc_SetKeyUsage(Cert *cert, const char *value) cert->keyUsage |= KEYUSE_ENCIPHER_ONLY; else if (!XSTRNCASECMP(token, "decipherOnly", len)) cert->keyUsage |= KEYUSE_DECIPHER_ONLY; - else - return KEYUSAGE_E; + else { + ret = KEYUSAGE_E; + break; + } token = XSTRTOK(NULL, ",", &ptr); } XFREE(str, cert->heap, DYNAMIC_TYPE_TMP_BUFFER); - return 0; + return ret; } #endif /* WOLFSSL_CERT_EXT */ diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index e256d72b4..944719fe1 100755 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -6562,9 +6562,13 @@ done: mp_clear(&tka); mp_clear(&order); +#ifdef WOLFSSL_SMALL_STACK if (kb[0]) +#endif ForceZero(kb[0], KB_SIZE); +#ifdef WOLFSSL_SMALL_STACK if (kb[1]) +#endif ForceZero(kb[1], KB_SIZE); #ifdef WOLFSSL_SMALL_STACK diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 35a71f47d..00818340e 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -224,10 +224,10 @@ static int evpCipherBlock(WOLFSSL_EVP_CIPHER_CTX *ctx, if (ctx->enc) wc_Des3_EcbEncrypt(&ctx->cipher.des3, out, in, inl); else - wc_Des3_EcbEncrypt(&ctx->cipher.des3, out, in, inl); + wc_Des3_EcbDecrypt(&ctx->cipher.des3, out, in, inl); break; - #endif - #endif + #endif /* WOLFSSL_DES_ECB */ + #endif /* !NO_DES3 */ default: return 0; } diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index 5ed519860..3b0a9d96d 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -286,25 +286,10 @@ int wc_LoggingInit(void) /* internal function that is called by wolfCrypt_Cleanup */ int wc_LoggingCleanup(void) { - if (wc_LockMutex(&debug_mutex) != 0) { - WOLFSSL_MSG("Lock debug mutex failed"); - return BAD_MUTEX_E; - } + /* clear logging entries */ + wc_ClearErrorNodes(); - /* free all nodes from error queue */ - { - struct wc_error_queue* current; - struct wc_error_queue* next; - - current = (struct wc_error_queue*)wc_errors; - while (current != NULL) { - next = current->next; - XFREE(current, current->heap, DYNAMIC_TYPE_LOG); - current = next; - } - } - - wc_UnLockMutex(&debug_mutex); + /* free mutex */ if (wc_FreeMutex(&debug_mutex) != 0) { WOLFSSL_MSG("Bad Mutex free"); return BAD_MUTEX_E; @@ -473,6 +458,8 @@ void wc_RemoveErrorNode(int index) wc_UnLockMutex(&debug_mutex); } +#endif /* DEBUG_WOLFSSL || WOLFSSL_NGINX */ + /* Clears out the list of error nodes. */ void wc_ClearErrorNodes(void) @@ -499,8 +486,6 @@ void wc_ClearErrorNodes(void) wc_last_node = NULL; wc_UnLockMutex(&debug_mutex); } -#endif /* DEBUG_WOLFSSL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ - int wc_SetLoggingHeap(void* h) { diff --git a/wolfcrypt/src/md5.c b/wolfcrypt/src/md5.c index f65ea3353..972cc334d 100755 --- a/wolfcrypt/src/md5.c +++ b/wolfcrypt/src/md5.c @@ -360,7 +360,7 @@ int wc_Md5Update(Md5* md5, const byte* data, word32 len) local = (byte*)md5->buffer; /* check that internal buffLen is valid */ - if (md5->buffLen > MD5_BLOCK_SIZE) + if (md5->buffLen >= MD5_BLOCK_SIZE) return BUFFER_E; while (len) { diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index a1ef73447..043d974fa 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -4100,8 +4100,11 @@ int wc_PKCS7_EncodeEncryptedData(PKCS7* pkcs7, byte* output, word32 outputSz) /* encrypt content */ ret = wc_PKCS7_GenerateIV(NULL, tmpIv, blockSz); - if (ret != 0) + if (ret != 0) { + XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7); return ret; + } ret = wc_PKCS7_EncryptContent(pkcs7->encryptOID, pkcs7->encryptionKey, pkcs7->encryptionKeySz, tmpIv, blockSz, plain, encryptedOutSz, @@ -4181,7 +4184,7 @@ int wc_PKCS7_EncodeEncryptedData(PKCS7* pkcs7, byte* output, word32 outputSz) WOLFSSL_MSG("PKCS#7 output buffer too small"); if (pkcs7->unprotectedAttribsSz != 0) { XFREE(attribs, pkcs7->heap, DYNAMIC_TYPE_PKCS); - XFREE(attribs, pkcs7->heap, DYNAMIC_TYPE_PKCS); + XFREE(flatAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS); } XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7); diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 9b0871f52..ddda7f71c 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -257,9 +257,8 @@ static int Hash_df(DRBG* drbg, byte* out, word32 outSz, byte type, if (ret == 0) ret = wc_Sha256Final(&sha, digest); + wc_Sha256Free(&sha); if (ret == 0) { - wc_Sha256Free(&sha); - if (outSz > OUTPUT_BLOCK_LEN) { XMEMCPY(out, digest, OUTPUT_BLOCK_LEN); outSz -= OUTPUT_BLOCK_LEN; @@ -342,8 +341,7 @@ static int Hash_gen(DRBG* drbg, byte* out, word32 outSz, const byte* V) ret = wc_Sha256Update(&sha, data, sizeof(data)); if (ret == 0) ret = wc_Sha256Final(&sha, digest); - if (ret == 0) - wc_Sha256Free(&sha); + wc_Sha256Free(&sha); if (ret == 0) { XMEMCPY(&checkBlock, digest, sizeof(word32)); @@ -363,14 +361,14 @@ static int Hash_gen(DRBG* drbg, byte* out, word32 outSz, const byte* V) drbg->lastBlock = checkBlock; } - if (out != NULL) { + if (out != NULL && outSz != 0) { if (outSz >= OUTPUT_BLOCK_LEN) { XMEMCPY(out, digest, OUTPUT_BLOCK_LEN); outSz -= OUTPUT_BLOCK_LEN; out += OUTPUT_BLOCK_LEN; array_add_one(data, DRBG_SEED_LEN); } - else if (out != NULL && outSz != 0) { + else if (out != NULL) { XMEMCPY(out, digest, outSz); outSz = 0; } @@ -430,8 +428,8 @@ static int Hash_DRBG_Generate(DRBG* drbg, byte* out, word32 outSz) ret = wc_Sha256Update(&sha, drbg->V, sizeof(drbg->V)); if (ret == 0) ret = wc_Sha256Final(&sha, digest); - if (ret == 0) - wc_Sha256Free(&sha); + + wc_Sha256Free(&sha); if (ret == 0) { array_add(drbg->V, sizeof(drbg->V), digest, SHA256_DIGEST_SIZE); diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 582695c34..706760e8d 100755 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -432,7 +432,7 @@ int wc_ShaUpdate(Sha* sha, const byte* data, word32 len) #endif /* WOLFSSL_ASYNC_CRYPT */ /* check that internal buffLen is valid */ - if (sha->buffLen > SHA_BLOCK_SIZE) + if (sha->buffLen >= SHA_BLOCK_SIZE) return BUFFER_E; while (len) { diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 948d18514..cd8423a07 100755 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -510,7 +510,7 @@ static int InitSha256(Sha256* sha256) local = (byte*)sha256->buffer; /* check that internal buffLen is valid */ - if (sha256->buffLen > SHA256_BLOCK_SIZE) + if (sha256->buffLen >= SHA256_BLOCK_SIZE) return BUFFER_E; SAVE_XMM_YMM; /* for Intel AVX */ diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 55b6d4587..4188c3601 100755 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -529,7 +529,7 @@ static INLINE int Sha512Update(Sha512* sha512, const byte* data, word32 len) byte* local = (byte*)sha512->buffer; /* check that internal buffLen is valid */ - if (sha512->buffLen > SHA512_BLOCK_SIZE) + if (sha512->buffLen >= SHA512_BLOCK_SIZE) return BUFFER_E; SAVE_XMM_YMM; /* for Intel AVX */ diff --git a/wolfcrypt/src/srp.c b/wolfcrypt/src/srp.c index 920c8f2da..fbe226a35 100644 --- a/wolfcrypt/src/srp.c +++ b/wolfcrypt/src/srp.c @@ -552,6 +552,8 @@ static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size) byte counter[4]; int r = BAD_FUNC_ARG; + XMEMSET(digest, 0, SRP_MAX_DIGEST_SIZE); + srp->key = (byte*)XMALLOC(2 * digestSz, srp->heap, DYNAMIC_TYPE_SRP); if (srp->key == NULL) return MEMORY_E; @@ -568,7 +570,7 @@ static int wc_SrpSetKey(Srp* srp, byte* secret, word32 size) if (!r) r = SrpHashUpdate(&hash, secret, size); if (!r) r = SrpHashUpdate(&hash, counter, 4); - if(j + digestSz > srp->keySz) { + if (j + digestSz > srp->keySz) { if (!r) r = SrpHashFinal(&hash, digest); XMEMCPY(srp->key + j, digest, srp->keySz - j); j = srp->keySz; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 16462562a..b5bc45ca7 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -12863,14 +12863,14 @@ int pkcs7encrypted_test(void) ret = (int)fwrite(encrypted, encryptedSz, 1, pkcs7File); fclose(pkcs7File); + + if (ret > 0) + ret = 0; #endif wc_PKCS7_Free(&pkcs7); } - if (ret > 0) - return 0; - return ret; }