configure.ac:

  if ENABLED_LINUXKM_PIE, add -DWOLFSSL_NO_OCSP_ISSUER_CHECK to gate out backward dependency in asn.c;

  if ENABLE_LINUXKM, don't error on FIPS without thread_ls_on;

  for --enable-curl, set ENABLED_MD4="yes", and move --enable-md4 AC_ARG_ENABLE() clause up to a position adjacent to des3 handling;

scripts/sniffer-gen.sh: fix illegal exit code (SC2242);

src/internal.c: fix clang-analyzer-core.NonNullParamChecker in CreateTicket();

src/ocsp.c: fix readability-redundant-preprocessor;

src/tls.c: fix empty-body in TLSX_PskKeModes_Parse() and clang-diagnostic-unreachable-code-break in ALPN_Select();

tests/api.c: fix several clang-analyzer-core.NullDereference related to Expect*() refactor;

wolfcrypt/src/asn.c:

  fix -Wconversions in DecodeAuthKeyId() and ParseCertRelative();

  fix readability-redundant-declaration re GetCA() and GetCAByName();

  gate inclusion of wolfssl/internal.h on !defined(WOLFCRYPT_ONLY);

wolfssl/internal.h: add macro-detection gating around GetCA() and GetCAByName() prototypes matching gates in wolfcrypt/src/asn.c;

tests/utils.c: in create_tmp_dir(), use one-arg variant of mkdir() if defined(__CYGWIN__) || defined(__MINGW32__).

configure.ac

@@ -508,6 +508,9 @@ AC_SUBST([ENABLED_LINUXKM_BENCHMARKS])
 if test "$ENABLED_LINUXKM_DEFAULTS" = "yes"
 then
  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_CONST -DWOLFSSL_SP_MOD_WORD_RP -DWOLFSSL_SP_DIV_64 -DWOLFSSL_SP_DIV_WORD_HALF -DWOLFSSL_SMALL_STACK_STATIC -DWOLFSSL_TEST_SUBROUTINE=static"
+ if test "$ENABLED_LINUXKM_PIE" = "yes"; then
+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_OCSP_ISSUER_CHECK"
+ fi
  if test "$ENABLED_FIPS" = "no"; then
  AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_PRIME_CHECK"
  fi
@@ -4391,6 +4394,14 @@ then
 fi
 
 
+# MD4
+AC_ARG_ENABLE([md4],
+ [AS_HELP_STRING([--enable-md4],[Enable MD4 (default: disabled)])],
+ [ ENABLED_MD4=$enableval ],
+ [ ENABLED_MD4=no ]
+ )
+
+
 # DES3
 AC_ARG_ENABLE([des3],
  [AS_HELP_STRING([--enable-des3],[Enable DES3 (default: disabled)])],
@@ -4701,7 +4712,7 @@ AS_CASE([$FIPS_VERSION],
  AS_IF([test "x$ENABLED_DES3" = "xno"],[ENABLED_DES3="yes"])
  ])
 
-AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno"],
+AS_IF([test "x$ENABLED_FIPS" = "xyes" && test "x$thread_ls_on" = "xno" && test "$ENABLE_LINUXKM" = "no"],
  [AC_MSG_ERROR([FIPS requires Thread Local Storage])])
 
 
@@ -6299,6 +6310,11 @@ AC_ARG_ENABLE([curl],
 # curl support requires all the features enabled within this conditional.
 if test "$ENABLED_CURL" = "yes"
 then
+ if test "$ENABLED_MD4" = "no"
+ then
+ ENABLED_MD4="yes"
+ fi
+
  if test "x$ENABLED_DES3" = "xno"
  then
  ENABLED_DES3="yes"
@@ -6513,14 +6529,6 @@ then
  fi
 fi
 
-# MD4
-AC_ARG_ENABLE([md4],
- [AS_HELP_STRING([--enable-md4],[Enable MD4 (default: disabled)])],
- [ ENABLED_MD4=$enableval ],
- [ ENABLED_MD4=no ]
- )
-
-
 if test "$ENABLED_MD4" = "no"
 then
  #turn on MD4 if using stunnel
@@ -8933,14 +8941,10 @@ fi
 
 if test "$ENABLED_REPRODUCIBLE_BUILD" != "yes"
 then
- ESCAPED_ARGS="$ac_configure_args"
- ESCAPED_ARGS=$(echo "$ESCAPED_ARGS" | sed 's/\\/\\\\/g')
- ESCAPED_ARGS=$(echo "$ESCAPED_ARGS" | sed 's/\"/\\\"/g')
- ESCAPED_GLOBAL_ARGS="$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS"
- ESCAPED_GLOBAL_ARGS=$(echo "$ESCAPED_GLOBAL_ARGS" | sed 's/\\/\\\\/g')
- ESCAPED_GLOBAL_ARGS=$(echo "$ESCAPED_GLOBAL_ARGS" | sed 's/\"/\\\"/g')
+ ESCAPED_ARGS=$(echo "$ac_configure_args" | sed 's/\\/\\\\/g;s/\"/\\\"/g')
+ ESCAPED_GLOBAL_CFLAGS=$(echo "$CPPFLAGS $AM_CPPFLAGS $CFLAGS $AM_CFLAGS" | sed 's/\\/\\\\/g;s/\"/\\\"/g')
  echo "#define LIBWOLFSSL_CONFIGURE_ARGS \"$ESCAPED_ARGS\"" > "${output_objdir}/.build_params" &&
- echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$ESCAPED_GLOBAL_ARGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> "${output_objdir}/.build_params" ||
+ echo "#define LIBWOLFSSL_GLOBAL_CFLAGS \"$ESCAPED_GLOBAL_CFLAGS\" LIBWOLFSSL_GLOBAL_EXTRA_CFLAGS" >> "${output_objdir}/.build_params" ||
  AC_MSG_ERROR([Couldn't create ${output_objdir}/.build_params.])
 else
  rm -f "${output_objdir}/.build_params"

scripts/sniffer-gen.sh

@@ -65,7 +65,7 @@ run_sequence() {
  run_test "" "-v 4 -g" "-v 4 -J"
  else
  echo "Invalid test"
- exit -1
+ exit 1
  fi
 }
 

src/internal.c

@@ -35791,6 +35791,11 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
  #endif
 
  if (!ssl->options.tls1_3) {
+ if (ssl->arrays == NULL) {
+ WOLFSSL_MSG("CreateTicket called with null arrays");
+ ret = BAD_FUNC_ARG;
+ goto error;
+ }
  XMEMCPY(it->msecret, ssl->arrays->masterSecret, SECRET_LEN);
 #ifndef NO_ASN_TIME
  c32toa(LowResTimer(), it->timestamp);

src/ocsp.c

@@ -549,8 +549,6 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
  return ret;
 }
 
-#ifdef HAVE_OCSP
-
 #ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
 static int CheckOcspResponderChain(OcspEntry* single, DecodedCert *cert,
  void* vp) {
@@ -646,7 +644,6 @@ int CheckOcspResponder(OcspResponse *bs, DecodedCert *cert, void* vp)
  }
  return ret;
 }
-#endif /* HAVE_OCSP */
 
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
  defined(WOLFSSL_APACHE_HTTPD) || defined(HAVE_LIGHTY)

src/tls.c

@@ -1693,7 +1693,6 @@ int ALPN_Select(WOLFSSL *ssl)
  SendAlert(ssl, alert_fatal, no_application_protocol);
  WOLFSSL_ERROR_VERBOSE(UNKNOWN_ALPN_PROTOCOL_NAME_E);
  return UNKNOWN_ALPN_PROTOCOL_NAME_E;
- break;
  }
  }
  else
@@ -10290,8 +10289,10 @@ static int TLSX_PskKeModes_Parse(WOLFSSL* ssl, const byte* input, word16 length,
  if (ret == 0)
  ret = TLSX_PskKeyModes_Use(ssl, modes);
 
- if (ret != 0)
+ if (ret != 0) {
  WOLFSSL_ERROR_VERBOSE(ret);
+ }
+
  return ret;
 }
 

tests/api.c

@@ -40233,12 +40233,15 @@ static int test_wolfSSL_BIO_gets(void)
  ExpectNotNull(emp_bm = BUF_MEM_new());
  ExpectNotNull(msg_bm = BUF_MEM_new());
  ExpectIntEQ(BUF_MEM_grow(msg_bm, sizeof(msg)), sizeof(msg));
- XFREE(msg_bm->data, NULL, DYNAMIC_TYPE_OPENSSL);
+ if (EXPECT_SUCCESS())
+ XFREE(msg_bm->data, NULL, DYNAMIC_TYPE_OPENSSL);
  /* emp size is 1 for terminator */
  ExpectIntEQ(BUF_MEM_grow(emp_bm, sizeof(emp)), sizeof(emp));
- XFREE(emp_bm->data, NULL, DYNAMIC_TYPE_OPENSSL);
- emp_bm->data = emp;
- msg_bm->data = msg;
+ if (EXPECT_SUCCESS()) {
+ XFREE(emp_bm->data, NULL, DYNAMIC_TYPE_OPENSSL);
+ emp_bm->data = emp;
+ msg_bm->data = msg;
+ }
  ExpectIntEQ(BIO_set_mem_buf(bio, emp_bm, BIO_CLOSE), WOLFSSL_SUCCESS);
 
  /* check reading an empty string */
@@ -40256,9 +40259,11 @@ static int test_wolfSSL_BIO_gets(void)
  ExpectIntEQ(BIO_gets(bio, bio_buffer, bufferSz), 8);
  ExpectIntEQ(BIO_gets(bio, bio_buffer, -1), 0);
 
- emp_bm->data = NULL;
+ if (EXPECT_SUCCESS())
+ emp_bm->data = NULL;
  BUF_MEM_free(emp_bm);
- msg_bm->data = NULL;
+ if (EXPECT_SUCCESS())
+ msg_bm->data = NULL;
  BUF_MEM_free(msg_bm);
 #endif
 

tests/utils.c

@@ -53,6 +53,9 @@ char* create_tmp_dir(char *tmpDir, int len)
 #ifdef _MSC_VER
  if (_mkdir(tmpDir) != 0)
  return NULL;
+#elif defined(__CYGWIN__) || defined(__MINGW32__)
+ if (mkdir(tmpDir) != 0)
+ return NULL;
 #else
  if (mkdir(tmpDir, 0700) != 0)
  return NULL;

wolfcrypt/src/asn.c

@@ -190,7 +190,10 @@ ASN Options:
  #include <wolfssl/wolfcrypt/cryptocb.h>
 #endif
 
-#include <wolfssl/internal.h>
+#ifndef WOLFCRYPT_ONLY
+ #include <wolfssl/internal.h>
+#endif
+
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
  #include <wolfssl/openssl/objects.h>
 #endif
@@ -18867,7 +18870,7 @@ static int DecodeAuthKeyId(const byte* input, word32 sz, DecodedCert* cert)
  /* Get the hash or hash of the hash if wrong size. */
  ret = GetHashId(dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.data,
  (int)dataASN[AUTHKEYIDASN_IDX_KEYID].data.ref.length,
- cert->extAuthKeyId, HashIdAlg(cert->signatureOID));
+ cert->extAuthKeyId, HashIdAlg((int)cert->signatureOID));
  }
 #ifdef WOLFSSL_AKID_NAME
  if (ret == 0 && dataASN[AUTHKEYIDASN_IDX_ISSUER].data.ref.data != NULL) {
@@ -21448,29 +21451,10 @@ int wc_ParseCert(DecodedCert* cert, int type, int verify, void* cm)
  return ParseCert(cert, type, verify, cm);
 }
 
-#if !defined(OPENSSL_EXTRA) && !defined(OPENSSL_EXTRA_X509_SMALL) && \
- !defined(GetCA)
-/* from SSL proper, for locking can't do find here anymore.
- * brought in from internal.h if built with compat layer.
- * if defined(GetCA), it's a predefined macro and these prototypes
- * would conflict.
- */
-#ifdef __cplusplus
- extern "C" {
-#endif
- Signer* GetCA(void* signers, byte* hash);
- #ifndef NO_SKID
- Signer* GetCAByName(void* signers, byte* hash);
- #endif
-#ifdef __cplusplus
- }
-#endif
-
-#endif /* !OPENSSL_EXTRA && !OPENSSL_EXTRA_X509_SMALL && !GetCA */
-
-#if defined(WOLFCRYPT_ONLY)
+#ifdef WOLFCRYPT_ONLY
 
 /* dummy functions, not using wolfSSL so don't need actual ones */
+Signer* GetCA(void* signers, byte* hash);
 Signer* GetCA(void* signers, byte* hash)
 {
  (void)hash;
@@ -21479,6 +21463,7 @@ Signer* GetCA(void* signers, byte* hash)
 }
 
 #ifndef NO_SKID
+Signer* GetCAByName(void* signers, byte* hash);
 Signer* GetCAByName(void* signers, byte* hash)
 {
  (void)hash;
@@ -21488,6 +21473,8 @@ Signer* GetCAByName(void* signers, byte* hash)
 #endif /* NO_SKID */
 
 #ifdef WOLFSSL_AKID_NAME
+Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz,
+ const byte* serial, word32 serialSz);
 Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz,
  const byte* serial, word32 serialSz)
 {
@@ -22701,7 +22688,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
  }
  }
  else {
- cert->maxPathLen = min(cert->ca->maxPathLen - 1,
+ cert->maxPathLen = (byte)min(cert->ca->maxPathLen - 1,
  cert->maxPathLen);
  }
  }

wolfssl/internal.h

@@ -6128,12 +6128,14 @@ WOLFSSL_LOCAL WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG,
  DecodedCert* cert);
  #endif
 
- WOLFSSL_LOCAL Signer* GetCA(void* vp, byte* hash);
+ #ifndef GetCA
+ WOLFSSL_LOCAL Signer* GetCA(void* vp, byte* hash);
+ #endif
  #ifdef WOLFSSL_AKID_NAME
  WOLFSSL_LOCAL Signer* GetCAByAKID(void* vp, const byte* issuer,
  word32 issuerSz, const byte* serial, word32 serialSz);
  #endif
- #ifndef NO_SKID
+ #if !defined(NO_SKID) && !defined(GetCAByName)
  WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash);
  #endif
 #endif /* !NO_CERTS */