From 7c831263c8f935a49337e0f7bc725df17bfcd672 Mon Sep 17 00:00:00 2001
From: jordan
Date: Fri, 21 Mar 2025 08:48:45 -0400
Subject: [PATCH 1/4] coverity: unchecked return value in EchHashHelloInner.
---
 src/tls13.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/src/tls13.c b/src/tls13.c
index 55f89412c..4406130c9 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -4184,9 +4184,9 @@ static int EchHashHelloInner(WOLFSSL* ssl, WOLFSSL_ECH* ech)
 tmpHashes = ssl->hsHashes;
 ssl->hsHashes = NULL;
 /* init the ech hashes */
- InitHandshakeHashes(ssl);
- ssl->hsHashesEch = ssl->hsHashes;
+ ret = InitHandshakeHashes(ssl);
 if (ret == 0) {
+ ssl->hsHashesEch = ssl->hsHashes;
 /* do the handshake header then the body */
 AddTls13HandShakeHeader(falseHeader, realSz, 0, 0, client_hello, ssl);
 ret = HashRaw(ssl, falseHeader, HANDSHAKE_HEADER_SZ);
@@ -4195,19 +4195,24 @@ static int EchHashHelloInner(WOLFSSL* ssl, WOLFSSL_ECH* ech)
 /* init hsHashesEchInner */
 if (ech->innerCount == 0) {
 ssl->hsHashes = ssl->hsHashesEchInner;
- InitHandshakeHashes(ssl);
- ssl->hsHashesEchInner = ssl->hsHashes;
- ech->innerCount = 1;
+ ret = InitHandshakeHashes(ssl);
+ if (ret == 0) {
+ ssl->hsHashesEchInner = ssl->hsHashes;
+ ech->innerCount = 1;
+ }
 }
 else {
 /* switch back to hsHashes so we have hrr -> echInner2 */
 ssl->hsHashes = tmpHashes;
- InitHandshakeHashesAndCopy(ssl, ssl->hsHashes,
- &ssl->hsHashesEchInner);
+ ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashes,
+ &ssl->hsHashesEchInner);
+ }
+
+ if (ret == 0) {
+ ssl->hsHashes = ssl->hsHashesEchInner;
+ ret = HashRaw(ssl, falseHeader, HANDSHAKE_HEADER_SZ);
+ ssl->hsHashes = ssl->hsHashesEch;
 }
- ssl->hsHashes = ssl->hsHashesEchInner;
- ret = HashRaw(ssl, falseHeader, HANDSHAKE_HEADER_SZ);
- ssl->hsHashes = ssl->hsHashesEch;
 }
 }
 /* hash the body */
From 3a02ab286cad952f3bb355e596f7bcfa4ee378b0 Mon Sep 17 00:00:00 2001
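Review bot: Moving `ssl->hsHashesEch = ssl->hsHashes;` inside `if (ret == 0)` in the first src/tls13.c hunk means that when InitHandshakeHashes fails, whatever it left in `ssl->hsHashes` is no longer recorded in `hsHashesEch`; if the callee can fail after allocating (its body is not visible here), that object would be orphaned once `hsHashes` is switched back. The second hunk has the mirror case: in the `innerCount == 0` branch a failing InitHandshakeHashes leaves `ssl->hsHashesEchInner` at its old value, which would be stale if the callee released or replaced the object it was handed, and `ssl->hsHashes` stays pointed at the inner hashes because the restoring `if (ret == 0)` block is skipped. Keeping the pointer bookkeeping unconditional and gating only the hashing on `ret` avoids both, i.e. `ret = InitHandshakeHashes(ssl);` followed directly by `ssl->hsHashesEch = ssl->hsHashes;`. EchHashHelloInner continues outside both hunks, so the final restore of `tmpHashes` should be checked against these error paths.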
From: jordan Date: Fri, 21 Mar 2025 08:59:31 -0400 Subject: [PATCH 2/4] coverity: unchecked return value with mp_copy. --- tests/api/test_dsa.c | 2 +- wolfcrypt/test/test.c | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/tests/api/test_dsa.c b/tests/api/test_dsa.c index c139858f5..ed62eab6e 100644 --- a/tests/api/test_dsa.c +++ b/tests/api/test_dsa.c @@ -128,7 +128,7 @@ int test_wc_DsaSignVerify(void) #if !defined(HAVE_FIPS) && defined(WOLFSSL_PUBLIC_MP) /* hard set q to 0 and test fail case */ mp_free(&key.q); - mp_init(&key.q); + ExpectIntEQ(mp_init(&key.q), 0); ExpectIntEQ(wc_DsaSign(hash, signature, &key, &rng), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); mp_set(&key.q, 1); diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 35f8692e1..28cc8c2ee 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -55360,7 +55360,9 @@ static wc_test_ret_t mp_test_shift(mp_int* a, mp_int* r1, WC_RNG* rng) if (ret != 0) return WC_TEST_RET_ENC_EC(ret); for (i = 0; i < 4; i++) { - mp_copy(r1, a); + ret = mp_copy(r1, a); + if (ret != WC_NO_ERR_TRACE(MP_VAL)) + return WC_TEST_RET_ENC_EC(ret); #if !defined(NO_DH) || defined(HAVE_ECC) || (!defined(NO_RSA) && \ defined(WC_RSA_BLINDING) && !defined(WOLFSSL_RSA_VERIFY_ONLY)) ret = mp_lshd(r1, i); @@ -56785,7 +56787,9 @@ static wc_test_ret_t mp_test_shbd(mp_int* a, mp_int* b, WC_RNG* rng) ret = randNum(a, j, rng, NULL); if (ret != MP_OKAY) return WC_TEST_RET_ENC_EC(ret); - mp_copy(a, b); + ret = mp_copy(a, b); + if (ret != WC_NO_ERR_TRACE(MP_VAL)) + return WC_TEST_RET_ENC_EC(ret); for (k = 0; k <= DIGIT_BIT * 2; k++) { ret = mp_mul_2d(a, k, a); if (ret != MP_OKAY) 
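Review bot: In the wolfcrypt/test/test.c hunks of patch 2/4 (mp_test_shift at -55360, mp_test_shbd at -56785, and the two hunks that follow), the new guard `if (ret != WC_NO_ERR_TRACE(MP_VAL))` returns on every result except MP_VAL, so a successful mp_copy ends the test early and a genuine MP_VAL failure is the one value that passes. Patch 3/4 changes the comparison to MP_OKAY; squashing the two would keep every commit in the series passing on its own, which matters for bisection. The enclosing functions start and end outside the hunks.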
@@ -56804,7 +56808,9 @@ static wc_test_ret_t mp_test_shbd(mp_int* a, mp_int* b, WC_RNG* rng)
 ret = randNum(a, j, rng, NULL);
 if (ret != MP_OKAY)
 return WC_TEST_RET_ENC_EC(ret);
- mp_copy(a, b);
+ ret = mp_copy(a, b);
+ if (ret != WC_NO_ERR_TRACE(MP_VAL))
+ return WC_TEST_RET_ENC_EC(ret);
 for (k = 0; k < 10; k++) {
 ret = mp_lshd(a, k);
 if (ret != MP_OKAY)
@@ -57598,7 +57604,9 @@ static wc_test_ret_t mp_test_exptmod(mp_int* b, mp_int* e, mp_int* m, mp_int* r)
 mp_mul_2d(b, DIGIT_BIT, b);
 mp_add_d(b, 1, b);
 mp_set(e, 0x3);
- mp_copy(b, m);
+ ret = mp_copy(b, m);
+ if (ret != WC_NO_ERR_TRACE(MP_VAL))
+ return WC_TEST_RET_ENC_EC(ret);
 ret = mp_exptmod_ex(b, e, 1, m, r);
 if (ret != MP_OKAY)
 return WC_TEST_RET_ENC_EC(ret);
From 15ac07c9efde7a9ce97b6b661b1c55f350db3ca7 Mon Sep 17 00:00:00 2001
From: jordan
Date: Fri, 21 Mar 2025 09:25:28 -0400
Subject: [PATCH 3/4] coverity: check correct ret value.
---
 wolfcrypt/test/test.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 28cc8c2ee..27f26cd3a 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -55361,7 +55361,7 @@ static wc_test_ret_t mp_test_shift(mp_int* a, mp_int* r1, WC_RNG* rng)
 return WC_TEST_RET_ENC_EC(ret);
 for (i = 0; i < 4; i++) {
 ret = mp_copy(r1, a);
- if (ret != WC_NO_ERR_TRACE(MP_VAL))
+ if (ret != MP_OKAY)
 return WC_TEST_RET_ENC_EC(ret);
 #if !defined(NO_DH) || defined(HAVE_ECC) || (!defined(NO_RSA) && \
 defined(WC_RSA_BLINDING) && !defined(WOLFSSL_RSA_VERIFY_ONLY))
@@ -56788,7 +56788,7 @@ static wc_test_ret_t mp_test_shbd(mp_int* a, mp_int* b, WC_RNG* rng)
 if (ret != MP_OKAY)
 return WC_TEST_RET_ENC_EC(ret);
 ret = mp_copy(a, b);
- if (ret != WC_NO_ERR_TRACE(MP_VAL))
+ if (ret != MP_OKAY)
 return WC_TEST_RET_ENC_EC(ret);
 for (k = 0; k <= DIGIT_BIT * 2; k++) {
 ret = mp_mul_2d(a, k, a);
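Review bot: In the mp_test_exptmod hunk of patch 2/4 (-57598), the calls directly above the newly checked mp_copy, `mp_mul_2d(b, DIGIT_BIT, b);` and `mp_add_d(b, 1, b);`, still discard their results, so a failure there would feed a wrong `b` into `mp_exptmod_ex` without the test noticing. The pattern already applied to mp_copy fits here as well: `ret = mp_mul_2d(b, DIGIT_BIT, b);` followed by `if (ret != MP_OKAY) return WC_TEST_RET_ENC_EC(ret);`, and the same for mp_add_d. Whether `mp_set` reports a status in every math backend is not visible from this hunk, so that call may have to stay as it is. The function starts and ends outside the hunk.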
@@ -56809,7 +56809,7 @@ static wc_test_ret_t mp_test_shbd(mp_int* a, mp_int* b, WC_RNG* rng)
 if (ret != MP_OKAY)
 return WC_TEST_RET_ENC_EC(ret);
 ret = mp_copy(a, b);
- if (ret != WC_NO_ERR_TRACE(MP_VAL))
+ if (ret != MP_OKAY)
 return WC_TEST_RET_ENC_EC(ret);
 for (k = 0; k < 10; k++) {
 ret = mp_lshd(a, k);
@@ -57605,7 +57605,7 @@ static wc_test_ret_t mp_test_exptmod(mp_int* b, mp_int* e, mp_int* m, mp_int* r)
 mp_add_d(b, 1, b);
 mp_set(e, 0x3);
 ret = mp_copy(b, m);
- if (ret != WC_NO_ERR_TRACE(MP_VAL))
+ if (ret != MP_OKAY)
 return WC_TEST_RET_ENC_EC(ret);
 ret = mp_exptmod_ex(b, e, 1, m, r);
 if (ret != MP_OKAY)
From 8d0931df9d5d3411bedec07b1f8999f598408b05 Mon Sep 17 00:00:00 2001
From: jordan
Date: Fri, 21 Mar 2025 10:08:13 -0400
Subject: [PATCH 4/4] coverity: check mp radix ret values.
---
 wolfcrypt/test/test.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 27f26cd3a..1092a79da 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -55282,8 +55282,12 @@ static wc_test_ret_t mp_test_radix_16(mp_int* a, mp_int* r, WC_RNG* rng)
 ret = randNum(a, j, rng, NULL);
 if (ret != 0)
 return WC_TEST_RET_ENC_EC(ret);
- mp_radix_size(a, MP_RADIX_HEX, &size);
- mp_toradix(a, str, MP_RADIX_HEX);
+ ret = mp_radix_size(a, MP_RADIX_HEX, &size);
+ if (ret != 0)
+ return WC_TEST_RET_ENC_EC(ret);
+ ret = mp_toradix(a, str, MP_RADIX_HEX);
+ if (ret != 0)
+ return WC_TEST_RET_ENC_EC(ret);
 if ((int)XSTRLEN(str) != size - 1)
 return WC_TEST_RET_ENC_NC;
 mp_read_radix(r, str, MP_RADIX_HEX);
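Review bot: In the mp_test_radix_16 hunk of patch 4/4, `mp_toradix(a, str, MP_RADIX_HEX)` takes no length argument, and although `size` is now known to be valid before the call, it is never compared with the capacity of `str` (declared outside the hunk), so the write is bounded only by the range the loop gives `j`. A guard before mp_toradix such as `if (size > (int)sizeof(str)) return WC_TEST_RET_ENC_NC;` would make the bound explicit, assuming `str` is an array rather than a pointer. The last context line `mp_read_radix(r, str, MP_RADIX_HEX);` also still discards its result, which is the same class of finding this patch addresses.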