WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

coverity: fix check_after_deref, assignment_where_comparison_intended, uninit vars, return values, etc.

pull/8721/head
jordan 2025-05-05 13:18:29 -05:00
parent 9587b7b12e
commit efd5405d0e
7 changed files with 96 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
src/tls.c
View File

@ -477,20 +477,23 @@ int DeriveTlsKeys(WOLFSSL* ssl)
return MEMORY_E; return MEMORY_E;
} }
#endif #endif
XMEMSET(key_dig, 0, MAX_PRF_DIG);
#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
ret = PROTOCOLCB_UNAVAILABLE; ret = PROTOCOLCB_UNAVAILABLE;
if (ssl->ctx->GenSessionKeyCb) { if (ssl->ctx->GenSessionKeyCb) {
void* ctx = wolfSSL_GetGenSessionKeyCtx(ssl); void* ctx = wolfSSL_GetGenSessionKeyCtx(ssl);
ret = ssl->ctx->GenSessionKeyCb(ssl, ctx); ret = ssl->ctx->GenSessionKeyCb(ssl, ctx);
} }
if (!ssl->ctx->GenSessionKeyCb || if (!ssl->ctx->GenSessionKeyCb ||
ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE)) ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
#endif #endif
ret = _DeriveTlsKeys(key_dig, (word32)key_dig_len, ret = _DeriveTlsKeys(key_dig, (word32)key_dig_len,
ssl->arrays->masterSecret, SECRET_LEN, ssl->arrays->masterSecret, SECRET_LEN,
ssl->arrays->serverRandom, ssl->arrays->clientRandom, ssl->arrays->serverRandom, ssl->arrays->clientRandom,
IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
ssl->heap, ssl->devId); ssl->heap, ssl->devId);
if (ret == 0) if (ret == 0)
ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER); ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER);
@ -13100,7 +13103,7 @@ static int TLSX_ECH_Write(WOLFSSL_ECH* ech, byte msgType, byte* writeBuf,
static int TLSX_ECH_GetSize(WOLFSSL_ECH* ech, byte msgType) static int TLSX_ECH_GetSize(WOLFSSL_ECH* ech, byte msgType)
{ {
int ret; int ret;
word32 size; word32 size = 0;
if (ech->state == ECH_WRITE_GREASE) { if (ech->state == ECH_WRITE_GREASE) {
size = sizeof(ech->type) + sizeof(ech->cipherSuite) + size = sizeof(ech->type) + sizeof(ech->cipherSuite) +

12
src/tls13.c
View File

@ -5053,7 +5053,6 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
byte tls12minor; byte tls12minor;
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
Dsh13Args* args = NULL; Dsh13Args* args = NULL;
WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
#else #else
Dsh13Args args[1]; Dsh13Args args[1];
#endif #endif
@ -5061,6 +5060,13 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO); WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);
WOLFSSL_ENTER("DoTls13ServerHello"); WOLFSSL_ENTER("DoTls13ServerHello");
if (ssl == NULL || ssl->arrays == NULL)
return BAD_FUNC_ARG;
#ifdef WOLFSSL_ASYNC_CRYPT
WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
#endif
tls12minor = TLSv1_2_MINOR; tls12minor = TLSv1_2_MINOR;
#ifdef WOLFSSL_DTLS13 #ifdef WOLFSSL_DTLS13
@ -5068,10 +5074,6 @@ int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
tls12minor = DTLSv1_2_MINOR; tls12minor = DTLSv1_2_MINOR;
#endif /* WOLFSSL_DTLS13 */ #endif /* WOLFSSL_DTLS13 */
if (ssl == NULL || ssl->arrays == NULL)
return BAD_FUNC_ARG;
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
if (ssl->async == NULL) { if (ssl->async == NULL) {
ssl->async = (struct WOLFSSL_ASYNC*) ssl->async = (struct WOLFSSL_ASYNC*)

22
tests/api.c
View File

@ -10080,14 +10080,17 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
sess = &test_wolfSSL_CTX_add_session_client_sess; sess = &test_wolfSSL_CTX_add_session_client_sess;
if (*sess == NULL) { if (*sess == NULL) {
#ifdef NO_SESSION_CACHE_REF #ifdef NO_SESSION_CACHE_REF
AssertNotNull(*sess = wolfSSL_get1_session(ssl)); *sess = wolfSSL_get1_session(ssl);
AssertNotNull(*sess);
#else #else
/* Test for backwards compatibility */ /* Test for backwards compatibility */
if (wolfSSL_is_server(ssl)) { if (wolfSSL_is_server(ssl)) {
AssertNotNull(*sess = wolfSSL_get1_session(ssl)); *sess = wolfSSL_get1_session(ssl);
AssertNotNull(*sess);
} }
else { else {
AssertNotNull(*sess = wolfSSL_get_session(ssl)); *sess = wolfSSL_get_session(ssl);
AssertNotNull(*sess);
} }
#endif #endif
/* Now save the session in the internal store to make it available /* Now save the session in the internal store to make it available
@ -10114,8 +10117,8 @@ static void test_wolfSSL_CTX_add_session_on_result(WOLFSSL* ssl)
/* Save CTX to be able to decrypt tickets */ /* Save CTX to be able to decrypt tickets */
if (wolfSSL_is_server(ssl) && if (wolfSSL_is_server(ssl) &&
test_wolfSSL_CTX_add_session_server_ctx == NULL) { test_wolfSSL_CTX_add_session_server_ctx == NULL) {
AssertNotNull(test_wolfSSL_CTX_add_session_server_ctx test_wolfSSL_CTX_add_session_server_ctx = wolfSSL_get_SSL_CTX(ssl);
= wolfSSL_get_SSL_CTX(ssl)); AssertNotNull(test_wolfSSL_CTX_add_session_server_ctx);
AssertIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)), AssertIntEQ(wolfSSL_CTX_up_ref(wolfSSL_get_SSL_CTX(ssl)),
WOLFSSL_SUCCESS); WOLFSSL_SUCCESS);
} }
@ -37389,10 +37392,13 @@ static THREAD_RETURN WOLFSSL_THREAD test_wolfSSL_BIO_accept_client(void* args)
(void)args; (void)args;
AssertIntGT(snprintf(connectAddr, sizeof(connectAddr), "%s:%d", wolfSSLIP, wolfSSLPort), 0); AssertIntGT(snprintf(connectAddr, sizeof(connectAddr), "%s:%d", wolfSSLIP, wolfSSLPort), 0);
AssertNotNull(clientBio = BIO_new_connect(connectAddr)); clientBio = BIO_new_connect(connectAddr);
AssertNotNull(clientBio);
AssertIntEQ(BIO_do_connect(clientBio), 1); AssertIntEQ(BIO_do_connect(clientBio), 1);
AssertNotNull(ctx = SSL_CTX_new(SSLv23_method())); ctx = SSL_CTX_new(SSLv23_method());
AssertNotNull(sslClient = SSL_new(ctx)); AssertNotNull(ctx);
sslClient = SSL_new(ctx);
AssertNotNull(sslClient);
AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), WOLFSSL_SUCCESS); AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), WOLFSSL_SUCCESS);
SSL_set_bio(sslClient, clientBio, clientBio); SSL_set_bio(sslClient, clientBio, clientBio);
AssertIntEQ(SSL_connect(sslClient), 1); AssertIntEQ(SSL_connect(sslClient), 1);

53
tests/quic.c
View File

@ -144,6 +144,9 @@ static int test_set_quic_method(void) {
for (i = 0; valids[i].name != NULL; ++i) { for (i = 0; valids[i].name != NULL; ++i) {
ExpectNotNull(ctx = wolfSSL_CTX_new(valids[i].method())); ExpectNotNull(ctx = wolfSSL_CTX_new(valids[i].method()));
if (ctx == NULL) {
break;
}
if (valids[i].is_server) { if (valids[i].is_server) {
ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
WOLFSSL_FILETYPE_PEM)); WOLFSSL_FILETYPE_PEM));
@ -152,6 +155,9 @@ static int test_set_quic_method(void) {
} }
/* ctx does not have quic enabled, so will SSL* derived from it */ /* ctx does not have quic enabled, so will SSL* derived from it */
ExpectNotNull(ssl = wolfSSL_new(ctx)); ExpectNotNull(ssl = wolfSSL_new(ctx));
if (ssl == NULL) {
break;
}
ExpectFalse(wolfSSL_is_quic(ssl)); ExpectFalse(wolfSSL_is_quic(ssl));
/* Enable quic on the SSL* */ /* Enable quic on the SSL* */
ExpectFalse(wolfSSL_set_quic_method(ssl, &null_method) == WOLFSSL_SUCCESS); ExpectFalse(wolfSSL_set_quic_method(ssl, &null_method) == WOLFSSL_SUCCESS);
@ -184,32 +190,54 @@ static int test_set_quic_method(void) {
data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_application); data_len = wolfSSL_quic_max_handshake_flight_len(ssl, wolfssl_encryption_application);
ExpectTrue(data_len == 16*1024); ExpectTrue(data_len == 16*1024);
wolfSSL_free(ssl); wolfSSL_free(ssl);
ssl = NULL;
/* Enabled quic on the ctx */ /* Enabled quic on the ctx */
ExpectTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS); ExpectTrue(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
/* It will be enabled on the SSL* */ /* It will be enabled on the SSL* */
ExpectNotNull(ssl = wolfSSL_new(ctx)); ExpectNotNull(ssl = wolfSSL_new(ctx));
if (ssl == NULL) {
break;
}
ExpectTrue(wolfSSL_is_quic(ssl)); ExpectTrue(wolfSSL_is_quic(ssl));
wolfSSL_free(ssl); wolfSSL_free(ssl);
ssl = NULL;
wolfSSL_CTX_free(ctx); wolfSSL_CTX_free(ctx);
ctx = NULL;
} }
for (i = 0; invalids[i].name != NULL; ++i) { for (i = 0; invalids[i].name != NULL; ++i) {
ExpectNotNull(ctx = wolfSSL_CTX_new(invalids[i].method())); ExpectNotNull(ctx = wolfSSL_CTX_new(invalids[i].method()));
if (ctx == NULL) {
break;
}
ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile, ExpectTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCertFile,
WOLFSSL_FILETYPE_PEM)); WOLFSSL_FILETYPE_PEM));
ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, ExpectTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKeyFile,
WOLFSSL_FILETYPE_PEM)); WOLFSSL_FILETYPE_PEM));
ExpectFalse(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS); ExpectFalse(wolfSSL_CTX_set_quic_method(ctx, &dummy_method) == WOLFSSL_SUCCESS);
ExpectNotNull(ssl = wolfSSL_new(ctx)); ExpectNotNull(ssl = wolfSSL_new(ctx));
if (ssl == NULL) {
break;
}
ExpectFalse(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS); ExpectFalse(wolfSSL_set_quic_method(ssl, &dummy_method) == WOLFSSL_SUCCESS);
ExpectFalse(wolfSSL_is_quic(ssl)); ExpectFalse(wolfSSL_is_quic(ssl));
/* even though not quic, this is the only level we can return */ /* even though not quic, this is the only level we can return */
ExpectTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial); ExpectTrue(wolfSSL_quic_read_level(ssl) == wolfssl_encryption_initial);
ExpectTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial); ExpectTrue(wolfSSL_quic_write_level(ssl) == wolfssl_encryption_initial);
wolfSSL_free(ssl); wolfSSL_free(ssl);
ssl = NULL;
wolfSSL_CTX_free(ctx); wolfSSL_CTX_free(ctx);
ctx = NULL;
}
/* cleanup */
if (ssl != NULL) {
wolfSSL_free(ssl);
ssl = NULL;
}
if (ctx != NULL) {
wolfSSL_CTX_free(ctx);
ctx = NULL;
} }
printf(" test_set_quic_method: %s\n", (EXPECT_SUCCESS()) ? pass : fail); printf(" test_set_quic_method: %s\n", (EXPECT_SUCCESS()) ? pass : fail);
@ -492,7 +520,8 @@ static void QuicTestContext_init(QuicTestContext *tctx, WOLFSSL_CTX *ctx,
AssertNotNull(tctx); AssertNotNull(tctx);
memset(tctx, 0, sizeof(*tctx)); memset(tctx, 0, sizeof(*tctx));
tctx->name = name; tctx->name = name;
AssertNotNull((tctx->ssl = wolfSSL_new(ctx))); tctx->ssl = wolfSSL_new(ctx);
AssertNotNull(tctx->ssl);
tctx->verbose = verbose; tctx->verbose = verbose;
wolfSSL_set_app_data(tctx->ssl, tctx); wolfSSL_set_app_data(tctx->ssl, tctx);
AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method) == WOLFSSL_SUCCESS); AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method) == WOLFSSL_SUCCESS);
@ -521,7 +550,8 @@ static void QuicTestContext_init_fail_cb(QuicTestContext *tctx, WOLFSSL_CTX *ctx
AssertNotNull(tctx); AssertNotNull(tctx);
memset(tctx, 0, sizeof(*tctx)); memset(tctx, 0, sizeof(*tctx));
tctx->name = name; tctx->name = name;
AssertNotNull((tctx->ssl = wolfSSL_new(ctx))); tctx->ssl = wolfSSL_new(ctx);
AssertNotNull(tctx->ssl);
tctx->verbose = verbose; tctx->verbose = verbose;
wolfSSL_set_app_data(tctx->ssl, tctx); wolfSSL_set_app_data(tctx->ssl, tctx);
AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method_fail) == WOLFSSL_SUCCESS); AssertTrue(wolfSSL_set_quic_method(tctx->ssl, &ctx_method_fail) == WOLFSSL_SUCCESS);
@ -717,7 +747,8 @@ static void ext_equals(const byte *data, size_t data_len, int ext_type,
const byte *ext; const byte *ext;
word16 len16; word16 len16;
AssertNotNull(ext = ext_find(data, data_len, ext_type)); ext = ext_find(data, data_len, ext_type);
AssertNotNull(ext);
ato16(&ext[2], &len16); ato16(&ext[2], &len16);
AssertTrue(len16 == exp_len); AssertTrue(len16 == exp_len);
AssertTrue(memcmp(ext + 4, exp_data, exp_len) == 0); AssertTrue(memcmp(ext + 4, exp_data, exp_len) == 0);
@ -738,8 +769,10 @@ static void check_quic_client_hello(const byte *data, size_t data_len,
idx = HANDSHAKE_HEADER_SZ; idx = HANDSHAKE_HEADER_SZ;
/* the client hello arrives alone */ /* the client hello arrives alone */
AssertIntEQ(rec_len, data_len); AssertIntEQ(rec_len, data_len);
AssertTrue(data[idx++] == SSLv3_MAJOR); AssertTrue(data[idx] == SSLv3_MAJOR);
AssertTrue(data[idx++] == TLSv1_2_MINOR); idx++;
AssertTrue(data[idx] == TLSv1_2_MINOR);
idx++;
idx += 32; /* 32 bytes RANDOM */ idx += 32; /* 32 bytes RANDOM */
AssertIntEQ(data[idx], 0); /* session id length MUST be 0, RFC9001 ch. 8.4 */ AssertIntEQ(data[idx], 0); /* session id length MUST be 0, RFC9001 ch. 8.4 */
idx += 1 + data[idx]; idx += 1 + data[idx];
@ -852,8 +885,10 @@ static void check_quic_server_hello(const byte *data, size_t data_len,
check_handshake_record(data, data_len, &rec_type, &rec_len); check_handshake_record(data, data_len, &rec_type, &rec_len);
AssertIntEQ(rec_type, server_hello); AssertIntEQ(rec_type, server_hello);
idx = HANDSHAKE_HEADER_SZ; idx = HANDSHAKE_HEADER_SZ;
AssertTrue(data[idx++] == SSLv3_MAJOR); AssertTrue(data[idx] == SSLv3_MAJOR);
AssertTrue(data[idx++] == TLSv1_2_MINOR); idx++;
AssertTrue(data[idx] == TLSv1_2_MINOR);
idx++;
idx += 32; /* 32 bytes RANDOM */ idx += 32; /* 32 bytes RANDOM */
/* AssertIntEQ(data[idx], 0); session id of len 0 */ /* AssertIntEQ(data[idx], 0); session id of len 0 */
idx += 1 + data[idx]; idx += 1 + data[idx];

8
testsuite/testsuite.c
View File

@ -309,6 +309,8 @@ static int test_crl_monitor(void)
int ret = -1; int ret = -1;
int i = -1, j; int i = -1, j;
XMEMSET(tmpDir, '\0', sizeof(tmpDir));
printf("\nRunning CRL monitor test\n"); printf("\nRunning CRL monitor test\n");
(void)XSNPRINTF(rounds, sizeof(rounds), "%d", CRL_MONITOR_TEST_ROUNDS); (void)XSNPRINTF(rounds, sizeof(rounds), "%d", CRL_MONITOR_TEST_ROUNDS);
@ -499,7 +501,11 @@ static void show_ciphers(void)
/* Cleanup temporary output file. */ /* Cleanup temporary output file. */
static void cleanup_output(void) static void cleanup_output(void)
{ {
remove(outputName); int ret = 0;
ret = remove(outputName);
if (ret < 0) {
fprintf(stderr, "remove(%s) failed: %d\n", outputName, ret);
}
} }
/* Validate output equals input using a hash. Remove temporary output file. /* Validate output equals input using a hash. Remove temporary output file.

10
wolfcrypt/src/ecc.c
View File

@ -7645,8 +7645,12 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
/* 3.2 c. Set K = 0x00 0x00 ... */ /* 3.2 c. Set K = 0x00 0x00 ... */
XMEMSET(K, 0x00, KSz); XMEMSET(K, 0x00, KSz);
mp_init(z1); /* always init z1 and free z1 */ if (ret == 0) {
ret = mp_to_unsigned_bin_len(priv, x, (int)qLen); ret = mp_init(z1); /* always init z1 and free z1 */
}
if (ret == 0) {
ret = mp_to_unsigned_bin_len(priv, x, (int)qLen);
}
if (ret == 0) { if (ret == 0) {
#ifdef WOLFSSL_CHECK_MEM_ZERO #ifdef WOLFSSL_CHECK_MEM_ZERO
wc_MemZero_Add("wc_ecc_gen_deterministic_k x", x, qLen); wc_MemZero_Add("wc_ecc_gen_deterministic_k x", x, qLen);
@ -7690,7 +7694,7 @@ int wc_ecc_gen_deterministic_k(const byte* hash, word32 hashSz,
#endif #endif
{ {
/* use original hash and keep leading 0's */ /* use original hash and keep leading 0's */
mp_to_unsigned_bin_len(z1, h1, (int)h1len); ret = mp_to_unsigned_bin_len(z1, h1, (int)h1len);
} }
} }
mp_free(z1); mp_free(z1);

1
wolfssl/test.h
View File

@ -2084,6 +2084,7 @@ static WC_INLINE int my_psk_use_session_cb(WOLFSSL* ssl,
numCiphers = sk_num(supportedCiphers); numCiphers = sk_num(supportedCiphers);
for (i = 0; i < numCiphers; ++i) { for (i = 0; i < numCiphers; ++i) {
XMEMSET(buf, 0, sizeof(buf));
if ((cipher = (const WOLFSSL_CIPHER*)sk_value(supportedCiphers, i))) { if ((cipher = (const WOLFSSL_CIPHER*)sk_value(supportedCiphers, i))) {
SSL_CIPHER_description(cipher, buf, sizeof(buf)); SSL_CIPHER_description(cipher, buf, sizeof(buf));