WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

coverity: fix check_after_deref, assignment_where_comparison_intended, uninit vars, return values, etc.

pull/8721/head
jordan 2025-05-05 13:18:29 -05:00
parent 9587b7b12e
commit efd5405d0e
7 changed files with 96 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/tls.c
View File

@ -477,20 +477,23 @@ int DeriveTlsKeys(WOLFSSL* ssl)
return MEMORY_E;
}
#endif
XMEMSET(key_dig, 0, MAX_PRF_DIG);
#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
ret = PROTOCOLCB_UNAVAILABLE;
if (ssl->ctx->GenSessionKeyCb) {
void* ctx = wolfSSL_GetGenSessionKeyCtx(ssl);
ret = ssl->ctx->GenSessionKeyCb(ssl, ctx);
}
if (!ssl->ctx->GenSessionKeyCb ||
ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
ret = PROTOCOLCB_UNAVAILABLE;
if (ssl->ctx->GenSessionKeyCb) {
void* ctx = wolfSSL_GetGenSessionKeyCtx(ssl);
ret = ssl->ctx->GenSessionKeyCb(ssl, ctx);
}
if (!ssl->ctx->GenSessionKeyCb ||
ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
#endif
ret = _DeriveTlsKeys(key_dig, (word32)key_dig_len,
ssl->arrays->masterSecret, SECRET_LEN,
ssl->arrays->serverRandom, ssl->arrays->clientRandom,
IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
ssl->heap, ssl->devId);
ret = _DeriveTlsKeys(key_dig, (word32)key_dig_len,
ssl->arrays->masterSecret, SECRET_LEN,
ssl->arrays->serverRandom, ssl->arrays->clientRandom,
IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
ssl->heap, ssl->devId);
if (ret == 0)
ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER);
@ -13100,7 +13103,7 @@ static int TLSX_ECH_Write(WOLFSSL_ECH* ech, byte msgType, byte* writeBuf,
static int TLSX_ECH_GetSize(WOLFSSL_ECH* ech, byte msgType)
{
int ret;
word32 size;
word32 size = 0;
if (ech->state == ECH_WRITE_GREASE) {
size = sizeof(ech->type) + sizeof(ech->cipherSuite) +

12
src/tls13.c
View File

@ -5053,7 +5053,6 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
byte tls12minor;
#ifdef WOLFSSL_ASYNC_CRYPT
Dsh13Args* args = NULL;
WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
#else
Dsh13Args args[1];
#endif
@ -5061,6 +5060,13 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);
WOLFSSL_ENTER("DoTls13ServerHello");
if (ssl == NULL || ssl->arrays == NULL)
return BAD_FUNC_ARG;
#ifdef WOLFSSL_ASYNC_CRYPT
WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
#endif
tls12minor = TLSv1_2_MINOR;
#ifdef WOLFSSL_DTLS13
@ -5068,10 +5074,6 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
tls12minor = DTLSv1_2_MINOR;
#endif /* WOLFSSL_DTLS13 */
if (ssl == NULL || ssl->arrays == NULL)
return BAD_FUNC_ARG;
#ifdef WOLFSSL_ASYNC_CRYPT
if (ssl->async == NULL) {
ssl->async = (struct WOLFSSL_ASYNC*)

22
tests/api.c
View File

@ -10080,14 +10080,17 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
sess = &test_wolfSSL_CTX_add_session_client_sess;
if (*sess == NULL) {
#ifdef NO_SESSION_CACHE_REF
AssertNotNull(*sess = wolfSSL_get1_session(ssl));
*sess = wolfSSL_get1_session(ssl);
AssertNotNull(*sess);
#else
/* Test for backwards compatibility */
if (wolfSSL_is_server(ssl)) {
AssertNotNull(*sess = wolfSSL_get1_session(ssl));
*sess = wolfSSL_get1_session(ssl);
AssertNotNull(*sess);
}
else {
AssertNotNull(*sess = wolfSSL_get_session(ssl));
*sess = wolfSSL_get_session(ssl);
AssertNotNull(*sess);
}
#endif
/* Now save the session in the internal store to make it available
@ -10114,8 +10117,8 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
/* Save CTX to be able to decrypt tickets */
if (wolfSSL_is_server(ssl) &&
test_wolfSSL_CTX_add_session_server_ctx == NULL) {
AssertNotNull(test_wolfSSL_CTX_add_session_server_ctx
= wolfSSL_get_SSL_CTX(ssl));
test_wolfSSL_CTX_add_session_server_ctx = wolfSSL_get_SSL_CTX(ssl);
AssertNotNull(test_wolfSSL_CTX_add_session_server_ctx);
AssertIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)),
WOLFSSL_SUCCESS);
}
@ -37389,10 +37392,13 @@ static THREAD_RETURN WOLFSSL_THREAD test_wolfSSL_BIO_accept_client(void* args)
(void)args;
AssertIntGT(snprintf(connectAddr, sizeof(connectAddr), "%s:%d", wolfSSLIP, wolfSSLPort), 0);
AssertNotNull(clientBio = BIO_new_connect(connectAddr));
clientBio = BIO_new_connect(connectAddr);
AssertNotNull(clientBio);
AssertIntEQ(BIO_do_connect(clientBio), 1);
AssertNotNull(ctx = SSL_CTX_new(SSLv23_method()));
AssertNotNull(sslClient = SSL_new(ctx));
ctx = SSL_CTX_new(SSLv23_method());
AssertNotNull(ctx);
sslClient = SSL_new(ctx);
AssertNotNull(sslClient);
AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), WOLFSSL_SUCCESS);
SSL_set_bio(sslClient, clientBio, clientBio);
AssertIntEQ(SSL_connect(sslClient), 1);

53
tests/quic.c
View File

@ -144,6 +144,9 @@ static int test_set_quic_method(void) {
for (i = 0; valids[i].name != NULL; ++i) {
ExpectNotNull(ctx = wolfSSL_CTX_new(valids[i].method()));
if (ctx == NULL) {
break;
}
if (valids[i].is_server) {
ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
WOLFSSL_FILETYPE_PEM));
@ -152,6 +155,9 @@ static int test_set_quic_method(void) {
}
/* ctx does not have quic enabled, so will SSL* derived from it */
ExpectNotNull(ssl = wolfSSL_new(ctx));
if (ssl == NULL) {
break;
}
ExpectFalse(wolfSSL_is_quic(ssl));
/* Enable quic on the SSL* */
ExpectFalse(wolfSSL_set_quic_method(ssl, &null_method) == WOLFSSL_SUCCESS);
@ -184,32 +190,54 @@ static int test_set_quic_method(void) {
data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_application);
ExpectTrue(data_len == 16*1024);
wolfSSL_free(ssl);
ssl = NULL;
/* Enabled quic on the ctx */
ExpectTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
/* It will be enabled on the SSL* */
ExpectNotNull(ssl = wolfSSL_new(ctx));
if (ssl == NULL) {
break;
}
ExpectTrue(wolfSSL_is_quic(ssl));
wolfSSL_free(ssl);
ssl = NULL;
wolfSSL_CTX_free(ctx);
ctx = NULL;
}
for (i = 0; invalids[i].name != NULL; ++i) {
ExpectNotNull(ctx = wolfSSL_CTX_new(invalids[i].method()));
if (ctx == NULL) {
break;
}
ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
WOLFSSL_FILETYPE_PEM));
ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
WOLFSSL_FILETYPE_PEM));
ExpectFalse(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
ExpectNotNull(ssl = wolfSSL_new(ctx));
if (ssl == NULL) {
break;
}
ExpectFalse(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS);
ExpectFalse(wolfSSL_is_quic(ssl));
/* even though not quic, this is the only level we can return */
ExpectTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial);
ExpectTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial);
wolfSSL_free(ssl);
ssl = NULL;
wolfSSL_CTX_free(ctx);
ctx = NULL;
}
/* cleanup */
if (ssl != NULL) {
wolfSSL_free(ssl);
ssl = NULL;
}
if (ctx != NULL) {
wolfSSL_CTX_free(ctx);
ctx = NULL;
}
printf(" test_set_quic_method: %s\n", (EXPECT_SUCCESS()) ? pass : fail);
@ -492,7 +520,8 @@ static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
AssertNotNull(tctx);
memset(tctx, 0, sizeof(*tctx));
tctx->name = name;
AssertNotNull((tctx->ssl = wolfSSL_new(ctx)));
tctx->ssl = wolfSSL_new(ctx);
AssertNotNull(tctx->ssl);
tctx->verbose = verbose;
wolfSSL_set_app_data(tctx->ssl, tctx);
AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method) == WOLFSSL_SUCCESS);
@ -521,7 +550,8 @@ static void QuicTestContext_init_fail_cb(QuicTestContext *tctx, WOLFSSL_CTX *ctx
AssertNotNull(tctx);
memset(tctx, 0, sizeof(*tctx));
tctx->name = name;
AssertNotNull((tctx->ssl = wolfSSL_new(ctx)));
tctx->ssl = wolfSSL_new(ctx);
AssertNotNull(tctx->ssl);
tctx->verbose = verbose;
wolfSSL_set_app_data(tctx->ssl, tctx);
AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method_fail) == WOLFSSL_SUCCESS);
@ -717,7 +747,8 @@ static void ext_equals(const byte *data, size_t data_len, int ext_type,
const byte *ext;
word16 len16;
AssertNotNull(ext = ext_find(data, data_len, ext_type));
ext = ext_find(data, data_len, ext_type);
AssertNotNull(ext);
ato16(&ext[2], &len16);
AssertTrue(len16 == exp_len);
AssertTrue(memcmp(ext + 4, exp_data, exp_len) == 0);
@ -738,8 +769,10 @@ static void check_quic_client_hello(const byte *data, size_t data_len,
idx = HANDSHAKE_HEADER_SZ;
/* the client hello arrives alone */
AssertIntEQ(rec_len, data_len);
AssertTrue(data[idx++] == SSLv3_MAJOR);
AssertTrue(data[idx++] == TLSv1_2_MINOR);
AssertTrue(data[idx] == SSLv3_MAJOR);
idx++;
AssertTrue(data[idx] == TLSv1_2_MINOR);
idx++;
idx += 32; /* 32 bytes RANDOM */
AssertIntEQ(data[idx], 0); /* session id length MUST be 0, RFC9001 ch. 8.4 */
idx += 1 + data[idx];
@ -852,8 +885,10 @@ static void check_quic_server_hello(const byte *data, size_t data_len,
check_handshake_record(data, data_len, &rec_type, &rec_len);
AssertIntEQ(rec_type, server_hello);
idx = HANDSHAKE_HEADER_SZ;
AssertTrue(data[idx++] == SSLv3_MAJOR);
AssertTrue(data[idx++] == TLSv1_2_MINOR);
AssertTrue(data[idx] == SSLv3_MAJOR);
idx++;
AssertTrue(data[idx] == TLSv1_2_MINOR);
idx++;
idx += 32; /* 32 bytes RANDOM */
/* AssertIntEQ(data[idx], 0); session id of len 0 */
idx += 1 + data[idx];

8
testsuite/testsuite.c
View File

@ -309,6 +309,8 @@ static int test_crl_monitor(void)
int ret = -1;
int i = -1, j;
XMEMSET(tmpDir, '\0', sizeof(tmpDir));
printf("\nRunning CRL monitor test\n");
(void)XSNPRINTF(rounds, sizeof(rounds), "%d", CRL_MONITOR_TEST_ROUNDS);
@ -499,7 +501,11 @@ static void show_ciphers(void)
/* Cleanup temporary output file. */
static void cleanup_output(void)
{
remove(outputName);
int ret = 0;
ret = remove(outputName);
if (ret < 0) {
fprintf(stderr, "remove(%s) failed: %d\n", outputName, ret);
}
}
/* Validate output equals input using a hash. Remove temporary output file.

10
wolfcrypt/src/ecc.c
View File

@ -7645,8 +7645,12 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
/* 3.2 c. Set K = 0x00 0x00 ... */
XMEMSET(K, 0x00, KSz);
mp_init(z1); /* always init z1 and free z1 */
ret = mp_to_unsigned_bin_len(priv, x, (int)qLen);
if (ret == 0) {
ret = mp_init(z1); /* always init z1 and free z1 */
}
if (ret == 0) {
ret = mp_to_unsigned_bin_len(priv, x, (int)qLen);
}
if (ret == 0) {
#ifdef WOLFSSL_CHECK_MEM_ZERO
wc_MemZero_Add("wc_ecc_gen_deterministic_k x", x, qLen);
@ -7690,7 +7694,7 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
#endif
{
/* use original hash and keep leading 0's */
mp_to_unsigned_bin_len(z1, h1, (int)h1len);
ret = mp_to_unsigned_bin_len(z1, h1, (int)h1len);
}
}
mp_free(z1);

1
wolfssl/test.h
View File

@ -2084,6 +2084,7 @@ static WC_INLINE int my_psk_use_session_cb(WOLFSSL* ssl,
numCiphers = sk_num(supportedCiphers);
for (i = 0; i < numCiphers; ++i) {
XMEMSET(buf, 0, sizeof(buf));
if ((cipher = (const WOLFSSL_CIPHER*)sk_value(supportedCiphers, i))) {
SSL_CIPHER_description(cipher, buf, sizeof(buf));