diff --git a/src/tls.c b/src/tls.c index 6ad21c924..95aca529d 100644 --- a/src/tls.c +++ b/src/tls.c @@ -477,20 +477,23 @@ int DeriveTlsKeys(WOLFSSL* ssl) return MEMORY_E; } #endif + + XMEMSET(key_dig, 0, MAX_PRF_DIG); + #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) - ret = PROTOCOLCB_UNAVAILABLE; - if (ssl->ctx->GenSessionKeyCb) { - void* ctx = wolfSSL_GetGenSessionKeyCtx(ssl); - ret = ssl->ctx->GenSessionKeyCb(ssl, ctx); - } - if (!ssl->ctx->GenSessionKeyCb || - ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE)) + ret = PROTOCOLCB_UNAVAILABLE; + if (ssl->ctx->GenSessionKeyCb) { + void* ctx = wolfSSL_GetGenSessionKeyCtx(ssl); + ret = ssl->ctx->GenSessionKeyCb(ssl, ctx); + } + if (!ssl->ctx->GenSessionKeyCb || + ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE)) #endif - ret = _DeriveTlsKeys(key_dig, (word32)key_dig_len, - ssl->arrays->masterSecret, SECRET_LEN, - ssl->arrays->serverRandom, ssl->arrays->clientRandom, - IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, - ssl->heap, ssl->devId); + ret = _DeriveTlsKeys(key_dig, (word32)key_dig_len, + ssl->arrays->masterSecret, SECRET_LEN, + ssl->arrays->serverRandom, ssl->arrays->clientRandom, + IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, + ssl->heap, ssl->devId); if (ret == 0) ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER); @@ -13100,7 +13103,7 @@ static int TLSX_ECH_Write(WOLFSSL_ECH* ech, byte msgType, byte* writeBuf, static int TLSX_ECH_GetSize(WOLFSSL_ECH* ech, byte msgType) { int ret; - word32 size; + word32 size = 0; if (ech->state == ECH_WRITE_GREASE) { size = sizeof(ech->type) + sizeof(ech->cipherSuite) + diff --git a/src/tls13.c b/src/tls13.c index 6efe44640..4983a60c4 100644 --- a/src/tls13.c +++ b/src/tls13.c @@ -5053,7 +5053,6 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, byte tls12minor; #ifdef WOLFSSL_ASYNC_CRYPT Dsh13Args* args = NULL; - WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args); #else Dsh13Args args[1]; #endif @@ -5061,6 +5060,13 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO); WOLFSSL_ENTER("DoTls13ServerHello"); + if (ssl == NULL || ssl->arrays == NULL) + return BAD_FUNC_ARG; + +#ifdef WOLFSSL_ASYNC_CRYPT + WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args); +#endif + tls12minor = TLSv1_2_MINOR; #ifdef WOLFSSL_DTLS13 @@ -5068,10 +5074,6 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, tls12minor = DTLSv1_2_MINOR; #endif /* WOLFSSL_DTLS13 */ - - if (ssl == NULL || ssl->arrays == NULL) - return BAD_FUNC_ARG; - #ifdef WOLFSSL_ASYNC_CRYPT if (ssl->async == NULL) { ssl->async = (struct WOLFSSL_ASYNC*) diff --git a/tests/api.c b/tests/api.c index 17f5c68d7..6bf80cbd3 100644 --- a/tests/api.c +++ b/tests/api.c @@ -10080,14 +10080,17 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl) sess = &test_wolfSSL_CTX_add_session_client_sess; if (*sess == NULL) { #ifdef NO_SESSION_CACHE_REF - AssertNotNull(*sess = wolfSSL_get1_session(ssl)); + *sess = wolfSSL_get1_session(ssl); + AssertNotNull(*sess); #else /* Test for backwards compatibility */ if (wolfSSL_is_server(ssl)) { - AssertNotNull(*sess = wolfSSL_get1_session(ssl)); + *sess = wolfSSL_get1_session(ssl); + AssertNotNull(*sess); } else { - AssertNotNull(*sess = wolfSSL_get_session(ssl)); + *sess = wolfSSL_get_session(ssl); + AssertNotNull(*sess); } #endif /* Now save the session in the internal store to make it available @@ -10114,8 +10117,8 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl) /* Save CTX to be able to decrypt tickets */ if (wolfSSL_is_server(ssl) && test_wolfSSL_CTX_add_session_server_ctx == NULL) { - AssertNotNull(test_wolfSSL_CTX_add_session_server_ctx - = wolfSSL_get_SSL_CTX(ssl)); + test_wolfSSL_CTX_add_session_server_ctx = wolfSSL_get_SSL_CTX(ssl); + AssertNotNull(test_wolfSSL_CTX_add_session_server_ctx); AssertIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)), WOLFSSL_SUCCESS); } @@ -37389,10 +37392,13 @@ static THREAD_RETURN WOLFSSL_THREAD test_wolfSSL_BIO_accept_client(void* args) (void)args; AssertIntGT(snprintf(connectAddr, sizeof(connectAddr), "%s:%d", wolfSSLIP, wolfSSLPort), 0); - AssertNotNull(clientBio = BIO_new_connect(connectAddr)); + clientBio = BIO_new_connect(connectAddr); + AssertNotNull(clientBio); AssertIntEQ(BIO_do_connect(clientBio), 1); - AssertNotNull(ctx = SSL_CTX_new(SSLv23_method())); - AssertNotNull(sslClient = SSL_new(ctx)); + ctx = SSL_CTX_new(SSLv23_method()); + AssertNotNull(ctx); + sslClient = SSL_new(ctx); + AssertNotNull(sslClient); AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), WOLFSSL_SUCCESS); SSL_set_bio(sslClient, clientBio, clientBio); AssertIntEQ(SSL_connect(sslClient), 1); diff --git a/tests/quic.c b/tests/quic.c index 3bfd2db07..4960c7e13 100644 --- a/tests/quic.c +++ b/tests/quic.c @@ -144,6 +144,9 @@ static int test_set_quic_method(void) { for (i = 0; valids[i].name != NULL; ++i) { ExpectNotNull(ctx = wolfSSL_CTX_new(valids[i].method())); + if (ctx == NULL) { + break; + } if (valids[i].is_server) { ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); @@ -152,6 +155,9 @@ static int test_set_quic_method(void) { } /* ctx does not have quic enabled, so will SSL* derived from it */ ExpectNotNull(ssl = wolfSSL_new(ctx)); + if (ssl == NULL) { + break; + } ExpectFalse(wolfSSL_is_quic(ssl)); /* Enable quic on the SSL* */ ExpectFalse(wolfSSL_set_quic_method(ssl, &null_method) == WOLFSSL_SUCCESS); @@ -184,32 +190,54 @@ static int test_set_quic_method(void) { data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_application); ExpectTrue(data_len == 16*1024); wolfSSL_free(ssl); + ssl = NULL; /* Enabled quic on the ctx */ ExpectTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS); /* It will be enabled on the SSL* */ ExpectNotNull(ssl = wolfSSL_new(ctx)); + if (ssl == NULL) { + break; + } ExpectTrue(wolfSSL_is_quic(ssl)); wolfSSL_free(ssl); - + ssl = NULL; wolfSSL_CTX_free(ctx); + ctx = NULL; } for (i = 0; invalids[i].name != NULL; ++i) { - ExpectNotNull(ctx = wolfSSL_CTX_new(invalids[i].method())); + if (ctx == NULL) { + break; + } ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); ExpectFalse(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS); ExpectNotNull(ssl = wolfSSL_new(ctx)); + if (ssl == NULL) { + break; + } ExpectFalse(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS); ExpectFalse(wolfSSL_is_quic(ssl)); /* even though not quic, this is the only level we can return */ ExpectTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial); ExpectTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial); wolfSSL_free(ssl); + ssl = NULL; wolfSSL_CTX_free(ctx); + ctx = NULL; + } + + /* cleanup */ + if (ssl != NULL) { + wolfSSL_free(ssl); + ssl = NULL; + } + if (ctx != NULL) { + wolfSSL_CTX_free(ctx); + ctx = NULL; } printf(" test_set_quic_method: %s\n", (EXPECT_SUCCESS()) ? pass : fail); @@ -492,7 +520,8 @@ static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx, AssertNotNull(tctx); memset(tctx, 0, sizeof(*tctx)); tctx->name = name; - AssertNotNull((tctx->ssl = wolfSSL_new(ctx))); + tctx->ssl = wolfSSL_new(ctx); + AssertNotNull(tctx->ssl); tctx->verbose = verbose; wolfSSL_set_app_data(tctx->ssl, tctx); AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method) == WOLFSSL_SUCCESS); @@ -521,7 +550,8 @@ static void QuicTestContext_init_fail_cb(QuicTestContext *tctx, WOLFSSL_CTX *ctx AssertNotNull(tctx); memset(tctx, 0, sizeof(*tctx)); tctx->name = name; - AssertNotNull((tctx->ssl = wolfSSL_new(ctx))); + tctx->ssl = wolfSSL_new(ctx); + AssertNotNull(tctx->ssl); tctx->verbose = verbose; wolfSSL_set_app_data(tctx->ssl, tctx); AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method_fail) == WOLFSSL_SUCCESS); @@ -717,7 +747,8 @@ static void ext_equals(const byte *data, size_t data_len, int ext_type, const byte *ext; word16 len16; - AssertNotNull(ext = ext_find(data, data_len, ext_type)); + ext = ext_find(data, data_len, ext_type); + AssertNotNull(ext); ato16(&ext[2], &len16); AssertTrue(len16 == exp_len); AssertTrue(memcmp(ext + 4, exp_data, exp_len) == 0); @@ -738,8 +769,10 @@ static void check_quic_client_hello(const byte *data, size_t data_len, idx = HANDSHAKE_HEADER_SZ; /* the client hello arrives alone */ AssertIntEQ(rec_len, data_len); - AssertTrue(data[idx++] == SSLv3_MAJOR); - AssertTrue(data[idx++] == TLSv1_2_MINOR); + AssertTrue(data[idx] == SSLv3_MAJOR); + idx++; + AssertTrue(data[idx] == TLSv1_2_MINOR); + idx++; idx += 32; /* 32 bytes RANDOM */ AssertIntEQ(data[idx], 0); /* session id length MUST be 0, RFC9001 ch. 8.4 */ idx += 1 + data[idx]; @@ -852,8 +885,10 @@ static void check_quic_server_hello(const byte *data, size_t data_len, check_handshake_record(data, data_len, &rec_type, &rec_len); AssertIntEQ(rec_type, server_hello); idx = HANDSHAKE_HEADER_SZ; - AssertTrue(data[idx++] == SSLv3_MAJOR); - AssertTrue(data[idx++] == TLSv1_2_MINOR); + AssertTrue(data[idx] == SSLv3_MAJOR); + idx++; + AssertTrue(data[idx] == TLSv1_2_MINOR); + idx++; idx += 32; /* 32 bytes RANDOM */ /* AssertIntEQ(data[idx], 0); session id of len 0 */ idx += 1 + data[idx]; diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 162338c6f..3b19c0cbc 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -309,6 +309,8 @@ static int test_crl_monitor(void) int ret = -1; int i = -1, j; + XMEMSET(tmpDir, '\0', sizeof(tmpDir)); + printf("\nRunning CRL monitor test\n"); (void)XSNPRINTF(rounds, sizeof(rounds), "%d", CRL_MONITOR_TEST_ROUNDS); @@ -499,7 +501,11 @@ static void show_ciphers(void) /* Cleanup temporary output file. */ static void cleanup_output(void) { - remove(outputName); + int ret = 0; + ret = remove(outputName); + if (ret < 0) { + fprintf(stderr, "remove(%s) failed: %d\n", outputName, ret); + } } /* Validate output equals input using a hash. Remove temporary output file. diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 6d4cd4de7..d15f796f9 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -7645,8 +7645,12 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz, /* 3.2 c. Set K = 0x00 0x00 ... */ XMEMSET(K, 0x00, KSz); - mp_init(z1); /* always init z1 and free z1 */ - ret = mp_to_unsigned_bin_len(priv, x, (int)qLen); + if (ret == 0) { + ret = mp_init(z1); /* always init z1 and free z1 */ + } + if (ret == 0) { + ret = mp_to_unsigned_bin_len(priv, x, (int)qLen); + } if (ret == 0) { #ifdef WOLFSSL_CHECK_MEM_ZERO wc_MemZero_Add("wc_ecc_gen_deterministic_k x", x, qLen); @@ -7690,7 +7694,7 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz, #endif { /* use original hash and keep leading 0's */ - mp_to_unsigned_bin_len(z1, h1, (int)h1len); + ret = mp_to_unsigned_bin_len(z1, h1, (int)h1len); } } mp_free(z1); diff --git a/wolfssl/test.h b/wolfssl/test.h index fa84ab0e0..6e6bc0f86 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -2084,6 +2084,7 @@ static WC_INLINE int my_psk_use_session_cb(WOLFSSL* ssl, numCiphers = sk_num(supportedCiphers); for (i = 0; i < numCiphers; ++i) { + XMEMSET(buf, 0, sizeof(buf)); if ((cipher = (const WOLFSSL_CIPHER*)sk_value(supportedCiphers, i))) { SSL_CIPHER_description(cipher, buf, sizeof(buf));