Jenkins Fixes

- explicit conversions - not all curves available for wolfSSL_CTX_set1_groups_list - group funcs depend on HAVE_ECC - `InitSuites` after `ssl->suites` has been set
2021-02-01 14:59:57 +01:00 · 2021-02-01 14:59:57 +01:00 · 542e0d79ec
parent 8a669615f8
commit 542e0d79ec
7 changed files with 107 additions and 58 deletions
--- a/examples/server/server.c
+++ b/examples/server/server.c
@ -1107,7 +1107,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
        WOLFSSL_MEM_STATS mem_stats;
    #endif
 #endif
-#ifdef WOLFSSL_TLS13
+#if defined(WOLFSSL_TLS13)
    int onlyKeyShare = 0;
 #endif
 #if defined(HAVE_SESSION_TICKET)
--- a/src/internal.c
+++ b/src/internal.c
@ -5340,12 +5340,6 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
    ssl->pkCurveOID = ctx->pkCurveOID;
 #endif

-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
-    if (ctx->mask != 0 && wolfSSL_set_options(ssl, ctx->mask) == 0) {
-        WOLFSSL_MSG("wolfSSL_set_options error");
-        return BAD_FUNC_ARG;
-    }
-#endif
 #ifdef OPENSSL_EXTRA
    ssl->CBIS         = ctx->CBIS;
 #endif
@ -5471,6 +5465,13 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
        }
    }  /* writeDup check */

+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
+    if (ctx->mask != 0 && wolfSSL_set_options(ssl, ctx->mask) == 0) {
+        WOLFSSL_MSG("wolfSSL_set_options error");
+        return BAD_FUNC_ARG;
+    }
+#endif
+
 #ifdef WOLFSSL_SESSION_EXPORT
    #ifdef WOLFSSL_DTLS
    ssl->dtls_export = ctx->dtls_export; /* export function for session */
--- a/src/ssl.c
+++ b/src/ssl.c
@ -2376,7 +2376,7 @@ int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx, byte status_type,
 #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */

 /* Elliptic Curves */
-#if defined(HAVE_SUPPORTED_CURVES) && !defined(NO_WOLFSSL_CLIENT)
+#if defined(HAVE_SUPPORTED_CURVES)

 static int isValidCurveGroup(word16 name)
 {
@ -2403,16 +2403,16 @@ static int isValidCurveGroup(word16 name)
        case WOLFSSL_FFDHE_4096:
        case WOLFSSL_FFDHE_6144:
        case WOLFSSL_FFDHE_8192:
-            return 0;
+            return 1;

        default:
-            return BAD_FUNC_ARG;
+            return 0;
    }
 }

 int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name)
 {
-    if (ssl == NULL || isValidCurveGroup(name) != 0)
+    if (ssl == NULL || !isValidCurveGroup(name))
        return BAD_FUNC_ARG;

    ssl->options.userCurves = 1;
@ -2423,7 +2423,7 @@ int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name)

 int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name)
 {
-    if (ctx == NULL || isValidCurveGroup(name) != 0)
+    if (ctx == NULL || !isValidCurveGroup(name))
        return BAD_FUNC_ARG;

    ctx->userCurves = 1;
@ -2431,7 +2431,7 @@ int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name)
    return TLSX_UseSupportedCurve(&ctx->extensions, name, ctx->heap);
 }

-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_TLS13)
 int  wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups,
                                        int count)
 {
@ -2443,9 +2443,10 @@ int  wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups,
        return WOLFSSL_FAILURE;
    }
    for (i = 0; i < count; i++) {
-        if (isValidCurveGroup(groups[i]) == 0) {
+        if (isValidCurveGroup((word16)groups[i])) {
            _groups[i] = groups[i];
        }
+#ifdef HAVE_ECC
        else {
            /* groups may be populated with curve NIDs */
            int oid = nid2oid(groups[i], oidCurveType);
@ -2456,6 +2457,12 @@ int  wolfSSL_CTX_set1_groups(WOLFSSL_CTX* ctx, int* groups,
            }
            _groups[i] = name;
        }
+#else
+        else {
+            WOLFSSL_MSG("Invalid group name");
+            return WOLFSSL_FAILURE;
+        }
+#endif
    }
    return wolfSSL_CTX_set_groups(ctx, _groups, count) == WOLFSSL_SUCCESS ?
            WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
@ -2471,9 +2478,10 @@ int  wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count)
        return WOLFSSL_FAILURE;
    }
    for (i = 0; i < count; i++) {
-        if (isValidCurveGroup(groups[i]) == 0) {
+        if (isValidCurveGroup((word16)groups[i])) {
            _groups[i] = groups[i];
        }
+#ifdef HAVE_ECC
        else {
            /* groups may be populated with curve NIDs */
            int oid = nid2oid(groups[i], oidCurveType);
@ -2484,12 +2492,18 @@ int  wolfSSL_set1_groups(WOLFSSL* ssl, int* groups, int count)
            }
            _groups[i] = name;
        }
+#else
+        else {
+            WOLFSSL_MSG("Invalid group name");
+            return WOLFSSL_FAILURE;
+        }
+#endif
    }
    return wolfSSL_set_groups(ssl, _groups, count) == WOLFSSL_SUCCESS ?
            WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
 }
-#endif
-#endif /* HAVE_SUPPORTED_CURVES && !NO_WOLFSSL_CLIENT */
+#endif /* OPENSSL_EXTRA && WOLFSSL_TLS13 */
+#endif /* HAVE_SUPPORTED_CURVES */

 /* QSH quantum safe handshake */
 #ifdef HAVE_QSH
@ -11915,6 +11929,13 @@ int wolfSSL_set_cipher_list(WOLFSSL* ssl, const char* list)
 }

 #ifdef HAVE_KEYING_MATERIAL
+
+#define TLS_PRF_LABEL_CLIENT_FINISHED     "client finished"
+#define TLS_PRF_LABEL_SERVER_FINISHED     "server finished"
+#define TLS_PRF_LABEL_MASTER_SECRET       "master secret"
+#define TLS_PRF_LABEL_EXT_MASTER_SECRET   "extended master secret"
+#define TLS_PRF_LABEL_KEY_EXPANSION       "key expansion"
+
 static const struct ForbiddenLabels {
    const char* label;
    size_t labelLen;
@ -11942,7 +11963,7 @@ int wolfSSL_export_keying_material(WOLFSSL *ssl,
    /* clientRandom + serverRandom
     * OR
     * clientRandom + serverRandom + ctx len encoding + ctx */
-    word32 seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + contextLen;
+    word32 seedLen = !use_context ? SEED_LEN : SEED_LEN + 2 + (word32)contextLen;
    const struct ForbiddenLabels* fl;

    WOLFSSL_ENTER("wolfSSL_export_keying_material");
@ -11977,7 +11998,7 @@ int wolfSSL_export_keying_material(WOLFSSL *ssl,
            context = (byte*)""; /* Give valid pointer for 0 length memcpy */
        }

-        if (Tls13_Exporter(ssl, out, outLen, label, labelLen,
+        if (Tls13_Exporter(ssl, out, (word32)outLen, label, labelLen,
                context, contextLen) != 0) {
            WOLFSSL_MSG("Tls13_Exporter error");
            return WOLFSSL_FAILURE;
@ -12006,8 +12027,8 @@ int wolfSSL_export_keying_material(WOLFSSL *ssl,
        }
    }

-    if (wc_PRF_TLS(out, outLen, ssl->arrays->masterSecret, SECRET_LEN,
-            (byte*)label, labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl),
+    if (wc_PRF_TLS(out, (word32)outLen, ssl->arrays->masterSecret, SECRET_LEN,
+            (byte*)label, (word32)labelLen, seed, seedLen, IsAtLeastTLSv1_2(ssl),
            ssl->specs.mac_algorithm, ssl->heap, ssl->devId) != 0) {
        WOLFSSL_MSG("wc_PRF_TLS error");
        XFREE(seed, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -16464,21 +16485,33 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
    }

    switch (version) {
+#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
        case SSL3_VERSION:
            ctx->minDowngrade = SSLv3_MINOR;
            break;
+#endif
+#ifndef NO_TLS
+    #ifndef NO_OLD_TLS
+        #ifdef WOLFSSL_ALLOW_TLSV10
        case TLS1_VERSION:
            ctx->minDowngrade = TLSv1_MINOR;
            break;
+        #endif
        case TLS1_1_VERSION:
            ctx->minDowngrade = TLSv1_1_MINOR;
            break;
+    #endif
+    #ifndef WOLFSSL_NO_TLS12
        case TLS1_2_VERSION:
            ctx->minDowngrade = TLSv1_2_MINOR;
            break;
+    #endif
+    #ifdef WOLFSSL_TLS13
        case TLS1_3_VERSION:
            ctx->minDowngrade = TLSv1_3_MINOR;
            break;
+    #endif
+#endif
 #ifdef WOLFSSL_DTLS
    #ifndef NO_OLD_TLS
        case DTLS1_VERSION:
@ -16490,18 +16523,15 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
            break;
 #endif
        default:
+            WOLFSSL_MSG("Unrecognized protocol version or not compiled in");
            return WOLFSSL_FAILURE;
    }

    switch (version) {
+#ifndef NO_TLS
    case TLS1_3_VERSION:
-#ifdef WOLFSSL_TLS13
        wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_2);
        FALL_THROUGH;
-#else
-        WOLFSSL_MSG("wolfSSL TLS1.3 support not compiled in");
-        return WOLFSSL_FAILURE;
-#endif
    case TLS1_2_VERSION:
        wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_1);
        FALL_THROUGH;
@ -16510,11 +16540,13 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
        FALL_THROUGH;
    case TLS1_VERSION:
        wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_SSLv3);
-        FALL_THROUGH;
+        break;
+#endif
+#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
    case SSL3_VERSION:
-        FALL_THROUGH;
    case SSL2_VERSION:
        /* Nothing to do here */
+#endif
        break;
 #ifdef WOLFSSL_DTLS
 #ifndef NO_OLD_TLS
@ -16524,7 +16556,7 @@ int wolfSSL_CTX_set_min_proto_version(WOLFSSL_CTX* ctx, int version)
        break;
 #endif
    default:
-        WOLFSSL_MSG("Unrecognized protocol version");
+        WOLFSSL_MSG("Unrecognized protocol version or not compiled in");
        return WOLFSSL_FAILURE;
    }

@ -16544,6 +16576,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
    case SSL2_VERSION:
        WOLFSSL_MSG("wolfSSL does not support SSLv2");
        return WOLFSSL_FAILURE;
+#if (defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)) || !defined(NO_TLS)
    case SSL3_VERSION:
        wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1);
        FALL_THROUGH;
@ -16555,12 +16588,11 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
        FALL_THROUGH;
    case TLS1_2_VERSION:
        wolfSSL_CTX_set_options(ctx, WOLFSSL_OP_NO_TLSv1_3);
-#ifdef WOLFSSL_TLS13
        FALL_THROUGH;
    case TLS1_3_VERSION:
        /* Nothing to do here */
-#endif
        break;
+#endif
 #ifdef WOLFSSL_DTLS
 #ifndef NO_OLD_TLS
    case DTLS1_VERSION:
@ -16569,7 +16601,7 @@ int wolfSSL_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int ver)
        break;
 #endif
    default:
-        WOLFSSL_MSG("Unrecognized protocol version");
+        WOLFSSL_MSG("Unrecognized protocol version or not compiled in");
        return WOLFSSL_FAILURE;
    }

@ -27373,10 +27405,11 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op)
    keySz = ssl->buffers.keySz;
 #endif

-    InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
-                       ssl->options.haveDH, ssl->options.haveNTRU,
-                       ssl->options.haveECDSAsig, ssl->options.haveECC,
-                       ssl->options.haveStaticECC, ssl->options.side);
+    if (ssl->suites != NULL && ssl->options.side != WOLFSSL_NEITHER_END)
+        InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
+                           ssl->options.haveDH, ssl->options.haveNTRU,
+                           ssl->options.haveECDSAsig, ssl->options.haveECC,
+                           ssl->options.haveStaticECC, ssl->options.side);

    return ssl->options.mask;
 }
@ -28354,7 +28387,7 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,
 WOLFSSL_API WOLFSSL_CIPHER* wolfSSL_sk_SSL_CIPHER_value(WOLFSSL_STACK* sk, int i)
 {
    WOLFSSL_ENTER("wolfSSL_sk_SSL_CIPHER_value");
-    return wolfSSL_sk_value(sk, i);
+    return (WOLFSSL_CIPHER*)wolfSSL_sk_value(sk, i);
 }

 WOLFSSL_API void ERR_load_SSL_strings(void)
@ -46756,8 +46789,16 @@ static WC_INLINE int sslCipherMinMaxCheck(const WOLFSSL *ssl, byte suite0,
            break;
    if (i == cipherSz)
        return 1;
-    if (cipher_names[i].minor < ssl->options.minDowngrade)
+    /* Check min version */
+    if (cipher_names[i].minor < ssl->options.minDowngrade) {
+        if (ssl->options.minDowngrade <= TLSv1_2_MINOR &&
+                cipher_names[i].minor >= TLSv1_MINOR)
+            /* 1.0 ciphersuites are in general available in 1.1 and
+             * 1.1 ciphersuites are in general available in 1.2 */
+            return 0;
        return 1;
+    }
+    /* Check max version */
    switch (cipher_names[i].minor) {
    case SSLv3_MINOR :
        return ssl->options.mask & WOLFSSL_OP_NO_SSLv3;
@ -48497,10 +48538,12 @@ word32 nid2oid(int nid, int grp)

        default:
            WOLFSSL_MSG("NID not in table");
-            return -1;
+            /* MSVC warns without the cast */
+            return (word32)-1;
    }

-    return -1;
+    /* MSVC warns without the cast */
+    return (word32)-1;
 }

 int oid2nid(word32 oid, int grp)
--- a/src/tls13.c
+++ b/src/tls13.c
@ -803,17 +803,17 @@ int Tls13_Exporter(WOLFSSL* ssl, unsigned char *out, size_t outLen,
    /* Derive-Secret(Secret, label, "") */
    ret = HKDF_Expand_Label(firstExpand, hashLen,
            ssl->arrays->exporterSecret, hashLen,
-            protocol, protocolLen, (byte*)label, labelLen,
+            protocol, protocolLen, (byte*)label, (word32)labelLen,
            emptyHash, hashLen, hashType);
    if (ret != 0)
        return ret;

    /* Hash(context_value) */
-    ret = wc_Hash(hashType, context, contextLen, hashOut, WC_MAX_DIGEST_SIZE);
+    ret = wc_Hash(hashType, context, (word32)contextLen, hashOut, WC_MAX_DIGEST_SIZE);
    if (ret != 0)
        return ret;

-    ret = HKDF_Expand_Label(out, outLen, firstExpand, hashLen,
+    ret = HKDF_Expand_Label(out, (word32)outLen, firstExpand, hashLen,
            protocol, protocolLen, exporterLabel, EXPORTER_LABEL_SZ,
            hashOut, hashLen, hashType);

@ -8051,7 +8051,7 @@ int wolfSSL_preferred_group(WOLFSSL* ssl)
 }
 #endif

-#ifdef HAVE_SUPPORTED_CURVES
+#if defined(HAVE_SUPPORTED_CURVES)
 /* Sets the key exchange groups in rank order on a context.
 *
 * ctx     SSL/TLS context object.
--- a/tests/api.c
+++ b/tests/api.c
@ -37221,12 +37221,24 @@ static int test_tls13_apis(void)
 #ifdef WOLFSSL_EARLY_DATA
    int          outSz;
 #endif
-#ifdef HAVE_SUPPORTED_CURVES
+#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
    int          groups[2] = { WOLFSSL_ECC_X25519, WOLFSSL_ECC_X448 };
    int          numGroups = 2;
 #endif
 #if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
-    char         groupList[] = "P-521:P-384:P-256";
+    char         groupList[] =
+#ifndef NO_ECC_SECP
+#if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
+            "P-521:"
+#endif
+#if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
+            "P-384:"
+#endif
+#if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
+            "P-256"
+#endif
+            "";
+#endif /* !defined(NO_ECC_SECP) */
 #endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */

 #ifndef WOLFSSL_NO_TLS12
@ -37433,6 +37445,7 @@ static int test_tls13_apis(void)
 #endif
 #endif

+#ifdef HAVE_ECC
 #ifndef WOLFSSL_NO_SERVER_GROUPS_EXT
    AssertIntEQ(wolfSSL_preferred_group(NULL), BAD_FUNC_ARG);
 #ifndef NO_WOLFSSL_SERVER
@ -37488,7 +37501,7 @@ static int test_tls13_apis(void)
                WOLFSSL_SUCCESS);
 #endif

-#if defined(OPENSSL_EXTRA) && defined(HAVE_ECC)
+#ifdef OPENSSL_EXTRA
    AssertIntEQ(wolfSSL_CTX_set1_groups_list(NULL, NULL), WOLFSSL_FAILURE);
 #ifndef NO_WOLFSSL_CLIENT
    AssertIntEQ(wolfSSL_CTX_set1_groups_list(clientCtx, NULL), WOLFSSL_FAILURE);
@ -37524,8 +37537,9 @@ static int test_tls13_apis(void)
    AssertIntEQ(wolfSSL_set1_groups_list(serverSsl, groupList),
                WOLFSSL_SUCCESS);
 #endif
-#endif /* defined(OPENSSL_EXTRA) && defined(HAVE_ECC) */
+#endif /* OPENSSL_EXTRA */
 #endif /* HAVE_SUPPORTED_CURVES */
+#endif /* HAVE_ECC */

 #ifdef WOLFSSL_EARLY_DATA
    AssertIntEQ(wolfSSL_CTX_set_max_early_data(NULL, 0), BAD_FUNC_ARG);
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -5621,7 +5621,7 @@ int wc_OBJ_sn2nid(const char *sn)
        sn = "SECP256R1";
    /* OpenSSL allows lowercase curve names */
    for (i = 0; i < (int)(sizeof(curveName) - 1) && *sn; i++) {
-        curveName[i] = XTOUPPER(*sn++);
+        curveName[i] = (char)XTOUPPER(*sn++);
    }
    curveName[i] = '\0';
    /* find based on name and return NID */
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@ -1064,11 +1064,6 @@ WOLFSSL_API int  wolfSSL_CTX_set_cipher_list(WOLFSSL_CTX*, const char*);
 WOLFSSL_API int  wolfSSL_set_cipher_list(WOLFSSL*, const char*);

 #ifdef HAVE_KEYING_MATERIAL
-#define TLS_PRF_LABEL_CLIENT_FINISHED     "client finished"
-#define TLS_PRF_LABEL_SERVER_FINISHED     "server finished"
-#define TLS_PRF_LABEL_MASTER_SECRET       "master secret"
-#define TLS_PRF_LABEL_EXT_MASTER_SECRET   "extended master secret"
-#define TLS_PRF_LABEL_KEY_EXPANSION       "key expansion"
 /* Keying Material Exporter for TLS */
 WOLFSSL_API int wolfSSL_export_keying_material(WOLFSSL *ssl,
        unsigned char *out, size_t outLen,
@ -3168,13 +3163,9 @@ enum {
 };

 #ifdef HAVE_SUPPORTED_CURVES
-#ifndef NO_WOLFSSL_CLIENT
-
 WOLFSSL_API int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name);
 WOLFSSL_API int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx,
                                                           word16 name);
-
-#endif
 #endif

 #ifdef WOLFSSL_TLS13