From 648f474d83530a525510c6acf740894a3d397289 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 12 Jul 2023 13:47:40 -0500 Subject: [PATCH] configure.ac: if ENABLED_LINUXKM_PIE, add -DWOLFSSL_NO_OCSP_ISSUER_CHECK to gate out backward dependency in asn.c; if ENABLE_LINUXKM, don't error on FIPS without thread_ls_on; for --enable-curl, set ENABLED_MD4="yes", and move --enable-md4 AC_ARG_ENABLE() clause up to a position adjacent to des3 handling; scripts/sniffer-gen.sh: fix illegal exit code (SC2242); src/internal.c: fix clang-analyzer-core.NonNullParamChecker in CreateTicket(); src/ocsp.c: fix readability-redundant-preprocessor; src/tls.c: fix empty-body in TLSX_PskKeModes_Parse() and clang-diagnostic-unreachable-code-break in ALPN_Select(); tests/api.c: fix several clang-analyzer-core.NullDereference related to Expect*() refactor; wolfcrypt/src/asn.c: fix -Wconversions in DecodeAuthKeyId() and ParseCertRelative(); fix readability-redundant-declaration re GetCA() and GetCAByName(); gate inclusion of wolfssl/internal.h on !defined(WOLFCRYPT_ONLY); wolfssl/internal.h: add macro-detection gating around GetCA() and GetCAByName() prototypes matching gates in wolfcrypt/src/asn.c; tests/utils.c: in create_tmp_dir(), use one-arg variant of mkdir() if defined(__CYGWIN__) || defined(__MINGW32__). --- configure.ac | 36 ++++++++++++++++++++---------------- scripts/sniffer-gen.sh | 2 +- src/internal.c | 5 +++++ src/ocsp.c | 3 --- src/tls.c | 5 +++-- tests/api.c | 17 +++++++++++------ tests/utils.c | 3 +++ wolfcrypt/src/asn.c | 35 +++++++++++------------------------ wolfssl/internal.h | 6 ++++-- 9 files changed, 58 insertions(+), 54 deletions(-) diff --git a/configure.ac b/configure.ac index b20f5b7f08..e1e41882ba 100644 --- a/configure.ac +++ b/configure.ac @@ -508,6 +508,9 @@ AC_SUBST([ENABLED_LINUXKM_BENCHMARKS]) if test "$ENABLED_LINUXKM_DEFAULTS" = "yes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_CONST -DWOLFSSL_SP_MOD_WORD_RP -DWOLFSSL_SP_DIV_64 -DWOLFSSL_SP_DIV_WORD_HALF -DWOLFSSL_SMALL_STACK_STATIC -DWOLFSSL_TEST_SUBROUTINE=static" + if test "$ENABLED_LINUXKM_PIE" = "yes"; then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_OCSP_ISSUER_CHECK" + fi if test "$ENABLED_FIPS" = "no"; then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_PRIME_CHECK" fi @@ -4391,6 +4394,14 @@ then fi +# MD4 +AC_ARG_ENABLE([md4], + [AS_HELP_STRING([--enable-md4],[Enable MD4 (default: disabled)])], + [ ENABLED_MD4=$enableval ], + [ ENABLED_MD4=no ] + ) + + # DES3 AC_ARG_ENABLE([des3], [AS_HELP_STRING([--enable-des3],[Enable DES3 (default: disabled)])], @@ -4701,7 +4712,7 @@ AS_CASE([$FIPS_VERSION], AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"]) ]) -AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno"], +AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno" && test "$ENABLE_LINUXKM" = "no"], [AC_MSG_ERROR([FIPS requires Thread Local Storage])]) @@ -6299,6 +6310,11 @@ AC_ARG_ENABLE([curl], # curl support requires all the features enabled within this conditional. if test "$ENABLED_CURL" = "yes" then + if test "$ENABLED_MD4" = "no" + then + ENABLED_MD4="yes" + fi + if test "x$ENABLED_DES3" = "xno" then ENABLED_DES3="yes" @@ -6513,14 +6529,6 @@ then fi fi -# MD4 -AC_ARG_ENABLE([md4], - [AS_HELP_STRING([--enable-md4],[Enable MD4 (default: disabled)])], - [ ENABLED_MD4=$enableval ], - [ ENABLED_MD4=no ] - ) - - if test "$ENABLED_MD4" = "no" then #turn on MD4 if using stunnel @@ -8933,14 +8941,10 @@ fi if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes" then - ESCAPED_ARGS="$ac_configure_args" - ESCAPED_ARGS=$(echo "$ESCAPED_ARGS" | sed 's/\\/\\\\/g') - ESCAPED_ARGS=$(echo "$ESCAPED_ARGS" | sed 's/\"/\\\"/g') - ESCAPED_GLOBAL_ARGS="$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS" - ESCAPED_GLOBAL_ARGS=$(echo "$ESCAPED_GLOBAL_ARGS" | sed 's/\\/\\\\/g') - ESCAPED_GLOBAL_ARGS=$(echo "$ESCAPED_GLOBAL_ARGS" | sed 's/\"/\\\"/g') + ESCAPED_ARGS=$(echo "$ac_configure_args" | sed 's/\\/\\\\/g;s/\"/\\\"/g') + ESCAPED_GLOBAL_CFLAGS=$(echo "$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS" | sed 's/\\/\\\\/g;s/\"/\\\"/g') echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ESCAPED_ARGS\"" > "${output_objdir}/.build_params" && - echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$ESCAPED_GLOBAL_ARGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> "${output_objdir}/.build_params" || + echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$ESCAPED_GLOBAL_CFLAGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> "${output_objdir}/.build_params" || AC_MSG_ERROR([Couldn't create ${output_objdir}/.build_params.]) else rm -f "${output_objdir}/.build_params" diff --git a/scripts/sniffer-gen.sh b/scripts/sniffer-gen.sh index 8e395d18f2..8e82158696 100755 --- a/scripts/sniffer-gen.sh +++ b/scripts/sniffer-gen.sh @@ -65,7 +65,7 @@ run_sequence() { run_test "" "-v 4 -g" "-v 4 -J" else echo "Invalid test" - exit -1 + exit 1 fi } diff --git a/src/internal.c b/src/internal.c index f7705b1251..73fbc66269 100644 --- a/src/internal.c +++ b/src/internal.c @@ -35791,6 +35791,11 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif if (!ssl->options.tls1_3) { + if (ssl->arrays == NULL) { + WOLFSSL_MSG("CreateTicket called with null arrays"); + ret = BAD_FUNC_ARG; + goto error; + } XMEMCPY(it->msecret, ssl->arrays->masterSecret, SECRET_LEN); #ifndef NO_ASN_TIME c32toa(LowResTimer(), it->timestamp); diff --git a/src/ocsp.c b/src/ocsp.c index d8f291f4a8..78b1f0e84e 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -549,8 +549,6 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, return ret; } -#ifdef HAVE_OCSP - #ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK static int CheckOcspResponderChain(OcspEntry* single, DecodedCert *cert, void* vp) { @@ -646,7 +644,6 @@ int CheckOcspResponder(OcspResponse *bs, DecodedCert *cert, void* vp) } return ret; } -#endif /* HAVE_OCSP */ #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ defined(WOLFSSL_APACHE_HTTPD) || defined(HAVE_LIGHTY) diff --git a/src/tls.c b/src/tls.c index 272c56002b..1685011aba 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1693,7 +1693,6 @@ int ALPN_Select(WOLFSSL *ssl) SendAlert(ssl, alert_fatal, no_application_protocol); WOLFSSL_ERROR_VERBOSE(UNKNOWN_ALPN_PROTOCOL_NAME_E); return UNKNOWN_ALPN_PROTOCOL_NAME_E; - break; } } else @@ -10290,8 +10289,10 @@ static int TLSX_PskKeModes_Parse(WOLFSSL* ssl, const byte* input, word16 length, if (ret == 0) ret = TLSX_PskKeyModes_Use(ssl, modes); - if (ret != 0) + if (ret != 0) { WOLFSSL_ERROR_VERBOSE(ret); + } + return ret; } diff --git a/tests/api.c b/tests/api.c index 1fa2655ae5..10cd001eab 100644 --- a/tests/api.c +++ b/tests/api.c @@ -40233,12 +40233,15 @@ static int test_wolfSSL_BIO_gets(void) ExpectNotNull(emp_bm = BUF_MEM_new()); ExpectNotNull(msg_bm = BUF_MEM_new()); ExpectIntEQ(BUF_MEM_grow(msg_bm, sizeof(msg)), sizeof(msg)); - XFREE(msg_bm->data, NULL, DYNAMIC_TYPE_OPENSSL); + if (EXPECT_SUCCESS()) + XFREE(msg_bm->data, NULL, DYNAMIC_TYPE_OPENSSL); /* emp size is 1 for terminator */ ExpectIntEQ(BUF_MEM_grow(emp_bm, sizeof(emp)), sizeof(emp)); - XFREE(emp_bm->data, NULL, DYNAMIC_TYPE_OPENSSL); - emp_bm->data = emp; - msg_bm->data = msg; + if (EXPECT_SUCCESS()) { + XFREE(emp_bm->data, NULL, DYNAMIC_TYPE_OPENSSL); + emp_bm->data = emp; + msg_bm->data = msg; + } ExpectIntEQ(BIO_set_mem_buf(bio, emp_bm, BIO_CLOSE), WOLFSSL_SUCCESS); /* check reading an empty string */ @@ -40256,9 +40259,11 @@ static int test_wolfSSL_BIO_gets(void) ExpectIntEQ(BIO_gets(bio, bio_buffer, bufferSz), 8); ExpectIntEQ(BIO_gets(bio, bio_buffer, -1), 0); - emp_bm->data = NULL; + if (EXPECT_SUCCESS()) + emp_bm->data = NULL; BUF_MEM_free(emp_bm); - msg_bm->data = NULL; + if (EXPECT_SUCCESS()) + msg_bm->data = NULL; BUF_MEM_free(msg_bm); #endif diff --git a/tests/utils.c b/tests/utils.c index bd5c9271b3..87557f292b 100644 --- a/tests/utils.c +++ b/tests/utils.c @@ -53,6 +53,9 @@ char* create_tmp_dir(char *tmpDir, int len) #ifdef _MSC_VER if (_mkdir(tmpDir) != 0) return NULL; +#elif defined(__CYGWIN__) || defined(__MINGW32__) + if (mkdir(tmpDir) != 0) + return NULL; #else if (mkdir(tmpDir, 0700) != 0) return NULL; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 8373daee73..b810638f60 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -190,7 +190,10 @@ ASN Options: #include #endif -#include +#ifndef WOLFCRYPT_ONLY + #include +#endif + #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #include #endif @@ -18867,7 +18870,7 @@ static int DecodeAuthKeyId(const byte* input, word32 sz, DecodedCert* cert) /* Get the hash or hash of the hash if wrong size. */ ret = GetHashId(dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.data, (int)dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.length, - cert->extAuthKeyId, HashIdAlg(cert->signatureOID)); + cert->extAuthKeyId, HashIdAlg((int)cert->signatureOID)); } #ifdef WOLFSSL_AKID_NAME if (ret == 0 && dataASN[AUTHKEYIDASN_IDX_ISSUER].data.ref.data != NULL) { @@ -21448,29 +21451,10 @@ int wc_ParseCert(DecodedCert* cert, int type, int verify, void* cm) return ParseCert(cert, type, verify, cm); } -#if !defined(OPENSSL_EXTRA) && !defined(OPENSSL_EXTRA_X509_SMALL) && \ - !defined(GetCA) -/* from SSL proper, for locking can't do find here anymore. - * brought in from internal.h if built with compat layer. - * if defined(GetCA), it's a predefined macro and these prototypes - * would conflict. - */ -#ifdef __cplusplus - extern "C" { -#endif - Signer* GetCA(void* signers, byte* hash); - #ifndef NO_SKID - Signer* GetCAByName(void* signers, byte* hash); - #endif -#ifdef __cplusplus - } -#endif - -#endif /* !OPENSSL_EXTRA && !OPENSSL_EXTRA_X509_SMALL && !GetCA */ - -#if defined(WOLFCRYPT_ONLY) +#ifdef WOLFCRYPT_ONLY /* dummy functions, not using wolfSSL so don't need actual ones */ +Signer* GetCA(void* signers, byte* hash); Signer* GetCA(void* signers, byte* hash) { (void)hash; @@ -21479,6 +21463,7 @@ Signer* GetCA(void* signers, byte* hash) } #ifndef NO_SKID +Signer* GetCAByName(void* signers, byte* hash); Signer* GetCAByName(void* signers, byte* hash) { (void)hash; @@ -21488,6 +21473,8 @@ Signer* GetCAByName(void* signers, byte* hash) #endif /* NO_SKID */ #ifdef WOLFSSL_AKID_NAME +Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz, + const byte* serial, word32 serialSz); Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz, const byte* serial, word32 serialSz) { @@ -22701,7 +22688,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) } } else { - cert->maxPathLen = min(cert->ca->maxPathLen - 1, + cert->maxPathLen = (byte)min(cert->ca->maxPathLen - 1, cert->maxPathLen); } } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 02a17eb42a..afa75acebc 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -6128,12 +6128,14 @@ WOLFSSL_LOCAL WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG, DecodedCert* cert); #endif - WOLFSSL_LOCAL Signer* GetCA(void* vp, byte* hash); + #ifndef GetCA + WOLFSSL_LOCAL Signer* GetCA(void* vp, byte* hash); + #endif #ifdef WOLFSSL_AKID_NAME WOLFSSL_LOCAL Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz, const byte* serial, word32 serialSz); #endif - #ifndef NO_SKID + #if !defined(NO_SKID) && !defined(GetCAByName) WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash); #endif #endif /* !NO_CERTS */