diff --git a/src/internal.c b/src/internal.c index 545ba173e..bdb0cee69 100644 --- a/src/internal.c +++ b/src/internal.c @@ -30516,6 +30516,33 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif } InternalTicket; + static WC_INLINE int compare_InternalTickets( + InternalTicket *a, + InternalTicket *b) + { + if ((a->pv.major == b->pv.major) && + (a->pv.minor == b->pv.minor) && + (XMEMCMP(a->suite,b->suite,sizeof a->suite) == 0) && + (XMEMCMP(a->msecret,b->msecret,sizeof a->msecret) == 0) && + (a->timestamp == b->timestamp) && + (a->haveEMS == b->haveEMS) +#ifdef WOLFSSL_TLS13 + && + (a->ageAdd == b->ageAdd) && + (a->namedGroup == b->namedGroup) && + (a->ticketNonce.len == b->ticketNonce.len) && + (XMEMCMP(a->ticketNonce.data, b->ticketNonce.data, + a->ticketNonce.len) == 0) +#ifdef WOLFSSL_EARLY_DATA + && (a->maxEarlyDataSz == b->maxEarlyDataSz) +#endif +#endif + ) + return 0; + else + return -1; + } + /* RFC 5077 defines this for session tickets */ /* fit within SESSION_TICKET_LEN */ typedef struct ExternalTicket { @@ -30601,7 +30628,9 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* sanity checks on encrypt callback */ /* internal ticket can't be the same if encrypted */ - if (XMEMCMP(et->enc_ticket, &it, sizeof(InternalTicket)) == 0) { + if (compare_InternalTickets((InternalTicket *)et->enc_ticket, &it) + == 0) + { ForceZero(&it, sizeof(it)); ForceZero(et->enc_ticket, sizeof(it)); WOLFSSL_MSG("User ticket encrypt didn't encrypt"); diff --git a/src/ssl.c b/src/ssl.c index 2975dfb26..a2fcbecd8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -20902,13 +20902,13 @@ unsigned long wolfSSL_X509_NAME_hash(WOLFSSL_X509_NAME* name) WOLFSSL_MSG("nothing to hash in WOLFSSL_X509_NAME"); return 0; } - + size = wolfSSL_i2d_X509_NAME_canon(name, &canon_name); - + if (size <= 0){ WOLFSSL_MSG("wolfSSL_i2d_X509_NAME_canon error"); return 0; - } + } if (wc_ShaHash((byte*)canon_name, size, digest) != 0) { WOLFSSL_MSG("wc_ShaHash error"); @@ -20916,7 +20916,7 @@ unsigned long wolfSSL_X509_NAME_hash(WOLFSSL_X509_NAME* name) } XFREE(canon_name, NULL, DYNAMIC_TYPE_OPENSSL); - + ret = (unsigned long) digest[0]; ret |= ((unsigned long) digest[1]) << 8; ret |= ((unsigned long) digest[2]) << 16; @@ -21783,6 +21783,25 @@ int wolfSSL_sk_push_node(WOLFSSL_STACK** stack, WOLFSSL_STACK* in) return WOLFSSL_SUCCESS; } +#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) +static WC_INLINE int compare_WOLFSSL_CIPHER( + WOLFSSL_CIPHER *a, + WOLFSSL_CIPHER *b) +{ + if ((a->cipherSuite0 == b->cipherSuite0) && + (a->cipherSuite == b->cipherSuite) && + (a->ssl == b->ssl) && + (XMEMCMP(a->description, b->description, sizeof a->description) == 0) && + (a->offset == b->offset) && + (a->in_stack == b->in_stack) && + (a->bits == b->bits)) + return 0; + else + return -1; +} +#endif /* OPENSSL_ALL || WOLFSSL_QT */ + + /* return 1 on success 0 on fail */ int wolfSSL_sk_push(WOLFSSL_STACK* sk, const void *data) { @@ -21802,8 +21821,7 @@ int wolfSSL_sk_push(WOLFSSL_STACK* sk, const void *data) #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) /* check if entire struct is zero */ XMEMSET(&ciph, 0, sizeof(WOLFSSL_CIPHER)); - if (XMEMCMP(&sk->data.cipher, &ciph, - sizeof(WOLFSSL_CIPHER)) == 0) { + if (compare_WOLFSSL_CIPHER(&sk->data.cipher, &ciph) == 0) { sk->data.cipher = *(WOLFSSL_CIPHER*)data; sk->num = 1; if (sk->hash_fn) { diff --git a/tests/api.c b/tests/api.c index c7f930d22..140e16f4a 100644 --- a/tests/api.c +++ b/tests/api.c @@ -25347,7 +25347,8 @@ static int test_wc_ecc_pointFns (void) if (ret == 0) { ret = wc_ecc_import_point_der(der, derSz, idx, point); /* Condition double checks wc_ecc_cmp_point(). */ - if (ret == 0 && XMEMCMP(&key.pubkey, point, sizeof(key.pubkey))) { + if (ret == 0 && + XMEMCMP((void *)&key.pubkey, (void *)point, sizeof(key.pubkey))) { ret = wc_ecc_cmp_point(&key.pubkey, point); } } @@ -52055,7 +52056,6 @@ static void test_openssl_FIPS_drbg(void) AssertIntEQ(FIPS_drbg_set_callbacks(dctx, NULL, NULL, 20, NULL, NULL), WOLFSSL_SUCCESS); AssertIntEQ(FIPS_drbg_instantiate(dctx, NULL, 0), WOLFSSL_SUCCESS); - AssertIntEQ(FIPS_drbg_generate(dctx, data1, dlen, 0, NULL, 0), WOLFSSL_SUCCESS); AssertIntNE(XMEMCMP(data1, zeroData, dlen), 0); diff --git a/tests/suites.c b/tests/suites.c index 71d862bca..a36516408 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -321,7 +321,7 @@ static int execute_test_case(int svr_argc, char** svr_argv, size_t added; static int tests = 1; #if !defined(USE_WINDOWS_API) && !defined(WOLFSSL_TIRTOS) - char portNumber[8]; + static char portNumber[8]; #endif int cliTestShouldFail = 0, svrTestShouldFail = 0; #ifdef WOLFSSL_NO_CLIENT_AUTH diff --git a/wolfssl/openssl/fips_rand.h b/wolfssl/openssl/fips_rand.h index d6b2f021d..3fc97b1b1 100644 --- a/wolfssl/openssl/fips_rand.h +++ b/wolfssl/openssl/fips_rand.h @@ -54,11 +54,11 @@ typedef struct WOLFSSL_DRBG_CTX { void* app_data; } WOLFSSL_DRBG_CTX; -#define DRBG_FLAG_CTR_USE_DF 0x1 -#define DRBG_FLAG_TEST 0x2 +#define DRBG_FLAG_CTR_USE_DF 0x1 +#define DRBG_FLAG_TEST 0x2 -#define DRBG_FLAG_NOERR 0x1 -#define DRBG_CUSTOM_RESEED 0x2 +#define DRBG_FLAG_NOERR 0x1 +#define DRBG_CUSTOM_RESEED 0x2 #define DRBG_STATUS_UNINITIALISED 0 #define DRBG_STATUS_READY 1