From 141d1cb5af2a7e04e8d256b510c7ada3925d197b Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 25 Mar 2021 19:31:44 +0700 Subject: [PATCH 01/12] fix for potential leak on fail case --- src/ssl.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 49378cdf3..59941bad4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -52566,7 +52566,7 @@ WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_adj(WOLFSSL_ASN1_TIME *s, time_t t, ts = (struct tm *)XGMTIME(&t_adj, tmpTime); if (ts == NULL){ WOLFSSL_MSG("failed to get time data."); - XFREE(s, NULL, DYNAMIC_TYPE_OPENSSL); + wolfSSL_ASN1_TIME_free(s); return NULL; } @@ -52589,8 +52589,10 @@ WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_adj(WOLFSSL_ASN1_TIME *s, time_t t, XSNPRINTF((char *)utc_str, sizeof(utc_str), "%02d%02d%02d%02d%02d%02dZ", utc_year, utc_mon, utc_day, utc_hour, utc_min, utc_sec); - if (wolfSSL_ASN1_TIME_set_string(s, utc_str) != WOLFSSL_SUCCESS) + if (wolfSSL_ASN1_TIME_set_string(s, utc_str) != WOLFSSL_SUCCESS) { + wolfSSL_ASN1_TIME_free(s); return NULL; + } /* GeneralizedTime */ } else { char gt_str[ASN_GENERALIZED_TIME_MAX]; @@ -52605,8 +52607,10 @@ WOLFSSL_ASN1_TIME* wolfSSL_ASN1_TIME_adj(WOLFSSL_ASN1_TIME *s, time_t t, XSNPRINTF((char *)gt_str, sizeof(gt_str), "%4d%02d%02d%02d%02d%02dZ", gt_year, gt_mon, gt_day, gt_hour, gt_min,gt_sec); - if (wolfSSL_ASN1_TIME_set_string(s, gt_str) != WOLFSSL_SUCCESS) + if (wolfSSL_ASN1_TIME_set_string(s, gt_str) != WOLFSSL_SUCCESS) { + wolfSSL_ASN1_TIME_free(s); return NULL; + } } return s; From 97b83a25502aa05594297c98ab77e84e04e3e74a Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 25 Mar 2021 19:38:50 +0700 Subject: [PATCH 02/12] free PKCS7 structure on error case --- src/ssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ssl.c b/src/ssl.c index 59941bad4..44e9094da 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -53380,6 +53380,7 @@ PKCS7* wolfSSL_d2i_PKCS7_bio(WOLFSSL_BIO* bio, PKCS7** p7) pkcs7->len = ret; if (wc_PKCS7_VerifySignedData(&pkcs7->pkcs7, pkcs7->data, pkcs7->len) != 0) { + wolfSSL_PKCS7_free((PKCS7*)pkcs7); return NULL; } From 75abeebaf7368aa80c8879954bb08fb1793be8ec Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 25 Mar 2021 22:23:40 +0700 Subject: [PATCH 03/12] free memory in test case --- wolfcrypt/test/test.c | 117 ++++++++++++++++++++++++------------------ 1 file changed, 67 insertions(+), 50 deletions(-) diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 5be88a07a..4de350fc9 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -28771,82 +28771,99 @@ static int sakke_op_test(SakkeKey* priv, SakkeKey* pub, WC_RNG* rng, int sakke_test(void) { - int ret; + int ret = 0; WC_RNG rng; - SakkeKey* priv; - SakkeKey* pub; - SakkeKey* key; + SakkeKey* priv = NULL; + SakkeKey* pub = NULL; + SakkeKey* key = NULL; ecc_point* rsk = NULL; priv = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (priv == NULL) { - return -10404; + ret = -10404; } - pub = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT, + + if (ret == 0) { + pub = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (pub == NULL) { - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return -10405; + if (pub == NULL) { + ret = -10405; + } } - key = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT, + + if (ret == 0) { + key = (SakkeKey*)XMALLOC(sizeof(SakkeKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (key == NULL) { - XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return -10406; + if (key == NULL) { + ret = -10406; + } } -#ifndef HAVE_FIPS - ret = wc_InitRng_ex(&rng, HEAP_HINT, devId); -#else - ret = wc_InitRng(&rng); -#endif - if (ret != 0) - return -10400; + if (ret == 0) { + #ifndef HAVE_FIPS + ret = wc_InitRng_ex(&rng, HEAP_HINT, devId); + #else + ret = wc_InitRng(&rng); + #endif + if (ret != 0) + ret = -10400; + } - rsk = wc_ecc_new_point(); - if (rsk == NULL) - return -10401; + if (ret == 0) { + rsk = wc_ecc_new_point(); + if (rsk == NULL) + ret = -10401; + } - ret = wc_InitSakkeKey(pub, HEAP_HINT, INVALID_DEVID); - if (ret != 0) - return -10402; + if (ret == 0) { + ret = wc_InitSakkeKey(pub, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ret = -10402; + } - ret = wc_InitSakkeKey(priv, HEAP_HINT, INVALID_DEVID); - if (ret != 0) - return -10403; + if (ret == 0) { + ret = wc_InitSakkeKey(priv, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ret = -10403; + } - ret = sakke_api_test(&rng, key, rsk); - if (ret != 0) - return ret; + if (ret == 0) { + ret = sakke_api_test(&rng, key, rsk); + } - ret = sakke_kat_derive_test(pub, rsk); - if (ret != 0) - return ret; + if (ret == 0) { + ret = sakke_kat_derive_test(pub, rsk); + } - ret = sakke_kat_encapsulate_test(pub); - if (ret != 0) - return ret; + if (ret == 0) { + ret = sakke_kat_encapsulate_test(pub); + } - ret = sakke_make_key_test(priv, pub, key, &rng, rsk); - if (ret != 0) - return ret; + if (ret == 0) { + ret = sakke_make_key_test(priv, pub, key, &rng, rsk); + } - ret = sakke_op_test(priv, pub, &rng, rsk); - if (ret != 0) - return ret; + if (ret == 0) { + ret = sakke_op_test(priv, pub, &rng, rsk); + } wc_FreeSakkeKey(priv); wc_FreeSakkeKey(pub); wc_ecc_forcezero_point(rsk); wc_ecc_del_point(rsk); - wc_FreeRng(&rng); - XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return 0; + if (ret != -10400) + wc_FreeRng(&rng); + + if (key != NULL) + XFREE(key, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (pub != NULL) + XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (priv != NULL) + XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + + return ret; } #endif /* WOLFCRYPT_HAVE_SAKKE */ From 4ead19e21f15cb486cee9515d92844eb55ff8b98 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 25 Mar 2021 22:31:53 +0700 Subject: [PATCH 04/12] check return value of hash digest size --- wolfcrypt/src/sakke.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/sakke.c b/wolfcrypt/src/sakke.c index 789347528..5f57fad46 100644 --- a/wolfcrypt/src/sakke.c +++ b/wolfcrypt/src/sakke.c @@ -6120,7 +6120,7 @@ static int sakke_hash_to_range(SakkeKey* key, enum wc_HashType hashType, int err = 0; byte h[WC_MAX_DIGEST_SIZE]; byte v[WC_MAX_DIGEST_SIZE]; - word32 hashSz = wc_HashGetDigestSize(hashType); + word32 hashSz; word32 i; /* Step 1: A = hashfn( s ), where s = data | extra @@ -6128,7 +6128,12 @@ static int sakke_hash_to_range(SakkeKey* key, enum wc_HashType hashType, */ /* Step 2: h_0 = 00...00, a string of null bits of length hashlen bits */ - XMEMSET(h, 0, hashSz); + err = wc_HashGetDigestSize(hashType); + if (err > 0) { + hashSz = (word32)err; + XMEMSET(h, 0, hashSz); + err = 0; /* reset err value after getting digest size */ + } /* Step 3: l = Ceiling(lg(n)/hashlen) */ /* Step 4: For each i in 1 to l, do */ From 9ea60db80af9422e9648ee3cc0131da06a8501dd Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 25 Mar 2021 22:41:34 +0700 Subject: [PATCH 05/12] add free of bio in error case --- src/ssl.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 44e9094da..4fe216c44 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -26570,16 +26570,20 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, int ret = WOLFSSL_FAILURE; int count = 0; WOLFSSL_BIO *bio = NULL; - WOLFSSL_X509_CRL *crl =NULL; - + WOLFSSL_X509_CRL *crl = NULL; + WOLFSSL_ENTER("wolfSSL_X509_load_crl_file"); - + bio = wolfSSL_BIO_new(wolfSSL_BIO_s_file()); - - if ((bio == NULL) || (wolfSSL_BIO_read_filename(bio, file) <= 0)) { + if (bio == NULL) { return ret; } - + + if (wolfSSL_BIO_read_filename(bio, file) <= 0) { + wolfSSL_BIO_free(bio); + return ret; + } + if (type == WOLFSSL_FILETYPE_PEM) { do { crl = wolfSSL_PEM_read_bio_X509_CRL(bio, NULL, NULL, NULL); @@ -26589,7 +26593,7 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, } break; } - + ret = wolfSSL_X509_STORE_add_crl(ctx->store, crl); if (ret == WOLFSSL_FAILURE) { WOLFSSL_MSG("Adding crl failed"); @@ -26599,7 +26603,7 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, wolfSSL_X509_CRL_free(crl); crl = NULL; } while(crl == NULL); - + ret = count; } else if (type == WOLFSSL_FILETYPE_ASN1) { crl = wolfSSL_d2i_X509_CRL_bio(bio, NULL); @@ -26616,10 +26620,10 @@ WOLFSSL_API int wolfSSL_X509_load_crl_file(WOLFSSL_X509_LOOKUP *ctx, } else { WOLFSSL_MSG("Invalid file type"); } - + wolfSSL_X509_CRL_free(crl); wolfSSL_BIO_free(bio); - + WOLFSSL_LEAVE("wolfSSL_X509_load_crl_file", ret); return ret; } From b4c0301f5762aaa4061d7ce155b67d9386b76908 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 25 Mar 2021 22:59:14 +0700 Subject: [PATCH 06/12] add sanity check on serial size --- src/ssl.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 4fe216c44..88527a3a2 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -41269,9 +41269,11 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) WOLFSSL_MSG("Serial size error"); return WOLFSSL_FAILURE; } - if ((int)sizeof(cert->serial) < serialSz) { - WOLFSSL_MSG("Serial buffer too small"); - return BUFFER_E; + + if (serialSz > EXTERNAL_SERIAL_SIZE || + serialSz > CTC_SERIAL_SIZE) { + WOLFSSL_MSG("Serial size too large error"); + return WOLFSSL_FAILURE; } XMEMCPY(cert->serial, serial, serialSz); cert->serialSz = serialSz; From fdb3221ea775ff1c1fe1d3e2cf3383b83b6bd6b9 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 25 Mar 2021 23:07:23 +0700 Subject: [PATCH 07/12] check variable is not null before use in error case --- src/ssl.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 88527a3a2..a1c7c70ea 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3888,8 +3888,10 @@ error: if (sk) wolfSSL_sk_X509_free(sk); - for (i = 0; i < numCerts && certBuffers[i] != NULL; ++i) { - FreeDer(&certBuffers[i]); + if (certBuffers != NULL) { + for (i = 0; i < numCerts && certBuffers[i] != NULL; ++i) { + FreeDer(&certBuffers[i]); + } } if (certBuffers) From 1c3ba77bee0b45c1b26acc6e9b6e1d574ce2116f Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 25 Mar 2021 23:13:34 +0700 Subject: [PATCH 08/12] remove dead code path --- wolfcrypt/src/pwdbased.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c index 5ca96e6b6..2515d789f 100644 --- a/wolfcrypt/src/pwdbased.c +++ b/wolfcrypt/src/pwdbased.c @@ -415,10 +415,10 @@ int wc_PKCS12_PBKDF_ex(byte* output, const byte* passwd, int passLen, dLen = v; sLen = v * ((saltLen + v - 1) / v); - if (passLen) - pLen = v * ((passLen + v - 1) / v); - else - pLen = 0; + + /* with passLen checked at the top of the function for >= 0 then passLen + * must be 1 or greater here and is always 'true' */ + pLen = v * ((passLen + v - 1) / v); iLen = sLen + pLen; totalLen = dLen + sLen + pLen; From 39f34ef88ba69ee0f3ae3dfcae1f5f05602f32ea Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 25 Mar 2021 23:32:17 +0700 Subject: [PATCH 09/12] check return values --- wolfcrypt/src/eccsi.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/eccsi.c b/wolfcrypt/src/eccsi.c index 555020c35..ca58c893b 100644 --- a/wolfcrypt/src/eccsi.c +++ b/wolfcrypt/src/eccsi.c @@ -1666,6 +1666,7 @@ int wc_SetEccsiHash(EccsiKey* key, const byte* hash, byte hashSz) * @param [in] pvt Public Validation Token (PVT) as an ECC point. * @return 0 on success. * @return BAD_FUNC_ARG when key, ssk or pvt is NULL. + * @return MP math errors when copy fails */ int wc_SetEccsiPair(EccsiKey* key, const mp_int* ssk, const ecc_point* pvt) { @@ -1674,9 +1675,13 @@ int wc_SetEccsiPair(EccsiKey* key, const mp_int* ssk, const ecc_point* pvt) if ((key == NULL) || (ssk == NULL) || (pvt == NULL)) { err = BAD_FUNC_ARG; } + if (err == 0) { - mp_copy(ssk, &key->ssk); - wc_ecc_copy_point(pvt, key->pvt); + err = mp_copy(ssk, &key->ssk); + } + + if (err == 0) { + err = wc_ecc_copy_point(pvt, key->pvt); } return err; From 4e8769ba6b7f245f210a9b71dd6334c9066fb51b Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 25 Mar 2021 23:49:32 +0700 Subject: [PATCH 10/12] initialize variable --- src/ssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ssl.c b/src/ssl.c index a1c7c70ea..a0c791c45 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -32095,6 +32095,7 @@ int wolfSSL_RAND_egd(const char* nm) } #endif + XMEMSET(&rem, 0, sizeof(struct sockaddr_un)); if (nm == NULL) { #ifdef WOLFSSL_SMALL_STACK XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER); From 71fea2bdd1f3501239a34767e0eaf9a80ea456fb Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 26 Mar 2021 17:52:52 +0700 Subject: [PATCH 11/12] initialize hash size variable to 0 in the case that getting the digest size returns 0 --- wolfcrypt/src/sakke.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/sakke.c b/wolfcrypt/src/sakke.c index 5f57fad46..c07f3e345 100644 --- a/wolfcrypt/src/sakke.c +++ b/wolfcrypt/src/sakke.c @@ -6120,7 +6120,7 @@ static int sakke_hash_to_range(SakkeKey* key, enum wc_HashType hashType, int err = 0; byte h[WC_MAX_DIGEST_SIZE]; byte v[WC_MAX_DIGEST_SIZE]; - word32 hashSz; + word32 hashSz = 0; word32 i; /* Step 1: A = hashfn( s ), where s = data | extra From 9a86f133c82015cbbc2e2d56220bfa9b40ac811c Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 26 Mar 2021 20:23:40 +0700 Subject: [PATCH 12/12] additional fixes for reports with test cases --- tests/api.c | 3 + wolfcrypt/benchmark/benchmark.c | 10 +-- wolfcrypt/src/sakke.c | 4 + wolfcrypt/test/test.c | 126 ++++++++++++++++++-------------- 4 files changed, 85 insertions(+), 58 deletions(-) diff --git a/tests/api.c b/tests/api.c index 95372ac40..7430b1f25 100644 --- a/tests/api.c +++ b/tests/api.c @@ -2748,6 +2748,9 @@ static THREAD_RETURN WOLFSSL_THREAD test_server_nofail(void* args) } ctx = wolfSSL_CTX_new(method); } + if (ctx == NULL) { + goto done; + } #if defined(HAVE_SESSION_TICKET) && \ ((defined(HAVE_CHACHA) && defined(HAVE_POLY1305)) || defined(HAVE_AESGCM)) diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 71f451007..3260d02fc 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -6188,7 +6188,7 @@ void bench_eccsiPairGen(void) byte id[] = { 0x01, 0x23, 0x34, 0x45 }; int ret; - mp_init(&ssk); + (void)mp_init(&ssk); pvt = wc_ecc_new_point(); wc_InitEccsiKey(&genKey, NULL, INVALID_DEVID); (void)wc_MakeEccsiKey(&genKey, &gRng); @@ -6227,7 +6227,7 @@ void bench_eccsiValidate(void) int valid; int ret; - mp_init(&ssk); + (void)mp_init(&ssk); pvt = wc_ecc_new_point(); wc_InitEccsiKey(&genKey, NULL, INVALID_DEVID); (void)wc_MakeEccsiKey(&genKey, &gRng); @@ -6272,7 +6272,7 @@ void bench_eccsi(void) int ret; int verified; - mp_init(&ssk); + (void)mp_init(&ssk); pvt = wc_ecc_new_point(); (void)wc_InitEccsiKey(&genKey, NULL, INVALID_DEVID); (void)wc_MakeEccsiKey(&genKey, &gRng); @@ -6518,10 +6518,10 @@ void bench_sakke(void) bench_stats_asym_finish("SAKKE", 1024, desc[10], 0, count, start, 0); len = 0; - wc_GenerateSakkeRskTable(&genKey, rsk, NULL, &len); + (void)wc_GenerateSakkeRskTable(&genKey, rsk, NULL, &len); if (len > 0) { table = (byte*)XMALLOC(len, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_GenerateSakkeRskTable(&genKey, rsk, table, &len); + (void)wc_GenerateSakkeRskTable(&genKey, rsk, table, &len); } (void)wc_SetSakkeRsk(&genKey, rsk, table, len); diff --git a/wolfcrypt/src/sakke.c b/wolfcrypt/src/sakke.c index c07f3e345..8468d08b5 100644 --- a/wolfcrypt/src/sakke.c +++ b/wolfcrypt/src/sakke.c @@ -6134,6 +6134,10 @@ static int sakke_hash_to_range(SakkeKey* key, enum wc_HashType hashType, XMEMSET(h, 0, hashSz); err = 0; /* reset err value after getting digest size */ } + else if (err == 0) { + /* invalid hash digest size */ + err = BAD_FUNC_ARG; + } /* Step 3: l = Ceiling(lg(n)/hashlen) */ /* Step 4: For each i in 1 to l, do */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 4de350fc9..ef665c9d6 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -27281,7 +27281,7 @@ static int eccsi_enc_dec_pair_test(EccsiKey* priv, mp_int* ssk, ecc_point* pvt) return -10117; decPvt = wc_ecc_new_point(); - if (ret != 0) + if (decPvt == NULL) return -10118; ret = wc_EncodeEccsiPair(priv, ssk, pvt, NULL, &sz); @@ -27645,80 +27645,100 @@ static int eccsi_sign_verify_test(EccsiKey* priv, EccsiKey* pub, WC_RNG* rng, int eccsi_test(void) { - int ret; + int ret = 0; WC_RNG rng; - EccsiKey* priv; - EccsiKey* pub; - mp_int* ssk; - ecc_point* pvt; + EccsiKey* priv = NULL; + EccsiKey* pub = NULL; + mp_int* ssk = NULL; + ecc_point* pvt = NULL; priv = (EccsiKey*)XMALLOC(sizeof(EccsiKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (priv == NULL) { - return -10205; + ret = -10205; } - pub = (EccsiKey*)XMALLOC(sizeof(EccsiKey), HEAP_HINT, + + if (ret == 0) { + pub = (EccsiKey*)XMALLOC(sizeof(EccsiKey), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (pub == NULL) { - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return -10206; - } - ssk = (mp_int*)XMALLOC(sizeof(mp_int), HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (ssk == NULL) { - XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return -10207; + if (pub == NULL) { + ret = -10206; + } } -#ifndef HAVE_FIPS - ret = wc_InitRng_ex(&rng, HEAP_HINT, devId); -#else - ret = wc_InitRng(&rng); -#endif - if (ret != 0) - return -10200; + if (ret == 0) { + ssk = (mp_int*)XMALLOC(sizeof(mp_int), HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER); + if (ssk == NULL) { + ret = -10207; + } + } - pvt = wc_ecc_new_point(); - if (pvt == NULL) - return -10201; - ret = mp_init(ssk); - if (ret != 0) - return -10202; + if (ret == 0) { + #ifndef HAVE_FIPS + ret = wc_InitRng_ex(&rng, HEAP_HINT, devId); + #else + ret = wc_InitRng(&rng); + #endif + if (ret != 0) + ret = -10200; + } - ret = eccsi_api_test(&rng, priv, ssk, pvt); - if (ret != 0) - return ret; + if (ret == 0) { + pvt = wc_ecc_new_point(); + if (pvt == NULL) + ret = -10201; + } - ret = wc_InitEccsiKey(pub, HEAP_HINT, INVALID_DEVID); - if (ret != 0) - return -10203; + if (ret == 0) { + ret = mp_init(ssk); + if (ret != 0) + ret = -10202; + } - ret = wc_InitEccsiKey(priv, HEAP_HINT, INVALID_DEVID); - if (ret != 0) - return -10204; + if (ret == 0) { + ret = eccsi_api_test(&rng, priv, ssk, pvt); + } - ret = eccsi_kat_verify_test(pub, pvt); - if (ret != 0) - return ret; + if (ret == 0) { + ret = wc_InitEccsiKey(pub, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ret = -10203; + } - ret = eccsi_make_key_test(priv, pub, &rng, ssk, pvt); - if (ret != 0) - return ret; + if (ret == 0) { + ret = wc_InitEccsiKey(priv, HEAP_HINT, INVALID_DEVID); + if (ret != 0) + ret = -10204; + } - ret = eccsi_sign_verify_test(priv, pub, &rng, ssk, pvt); - if (ret != 0) - return ret; + if (ret == 0) { + ret = eccsi_kat_verify_test(pub, pvt); + } + + if (ret == 0) { + ret = eccsi_make_key_test(priv, pub, &rng, ssk, pvt); + } + + if (ret == 0) { + ret = eccsi_sign_verify_test(priv, pub, &rng, ssk, pvt); + } wc_FreeEccsiKey(priv); wc_FreeEccsiKey(pub); mp_free(ssk); wc_ecc_del_point(pvt); - wc_FreeRng(&rng); - XFREE(ssk, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - return 0; + if (ret != -10200) + wc_FreeRng(&rng); + if (ssk != NULL) + XFREE(ssk, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (pub != NULL) + XFREE(pub, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + if (priv != NULL) + XFREE(priv, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + + return ret; } #endif /* WOLFCRYPT_HAVE_ECCSI */