From 7e8438b7b4d63f16b7d41e52e188067cc2d950b2 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 11 Dec 2012 11:33:49 -0800 Subject: [PATCH 1/7] fix pvs studio warnings --- src/internal.c | 71 +++++++++++++++++++++++++------------------------- src/sniffer.c | 2 +- 2 files changed, 37 insertions(+), 36 deletions(-) diff --git a/src/internal.c b/src/internal.c index ae0556cbc..181b90d9c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -7257,30 +7257,31 @@ int SetCipherList(Suites* s, const char* list) ssl->options.haveSessionId = 1; /* DoClientHello uses same resume code */ - while (ssl->options.resuming) { /* let's try */ + if (ssl->options.resuming) { /* let's try */ int ret; CYASSL_SESSION* session = GetSession(ssl,ssl->arrays->masterSecret); if (!session) { + CYASSL_MSG("Session lookup for resume failed"); ssl->options.resuming = 0; - break; /* session lookup failed */ - } - if (MatchSuite(ssl, &clSuites) < 0) { - CYASSL_MSG("Unsupported cipher suite, OldClientHello"); - return UNSUPPORTED_SUITE; - } + } else { + if (MatchSuite(ssl, &clSuites) < 0) { + CYASSL_MSG("Unsupported cipher suite, OldClientHello"); + return UNSUPPORTED_SUITE; + } - RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom, RAN_LEN); - #ifndef NO_OLD_TLS - if (ssl->options.tls) + RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom, RAN_LEN); + #ifndef NO_OLD_TLS + if (ssl->options.tls) + ret = DeriveTlsKeys(ssl); + else + ret = DeriveKeys(ssl); + #else ret = DeriveTlsKeys(ssl); - else - ret = DeriveKeys(ssl); - #else - ret = DeriveTlsKeys(ssl); - #endif - ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; + #endif + ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - return ret; + return ret; + } } return MatchSuite(ssl, &clSuites); @@ -7429,31 +7430,31 @@ int SetCipherList(Suites* s, const char* list) ssl->options.haveSessionId = 1; /* ProcessOld uses same resume code */ - while (ssl->options.resuming) { /* let's try */ + if (ssl->options.resuming) { /* let's try */ int ret; CYASSL_SESSION* session = GetSession(ssl,ssl->arrays->masterSecret); if (!session) { - ssl->options.resuming = 0; CYASSL_MSG("Session lookup for resume failed"); - break; /* session lookup failed */ - } - if (MatchSuite(ssl, &clSuites) < 0) { - CYASSL_MSG("Unsupported cipher suite, ClientHello"); - return UNSUPPORTED_SUITE; - } + ssl->options.resuming = 0; + } else { + if (MatchSuite(ssl, &clSuites) < 0) { + CYASSL_MSG("Unsupported cipher suite, ClientHello"); + return UNSUPPORTED_SUITE; + } - RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom, RAN_LEN); - #ifndef NO_OLD_TLS - if (ssl->options.tls) + RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom, RAN_LEN); + #ifndef NO_OLD_TLS + if (ssl->options.tls) + ret = DeriveTlsKeys(ssl); + else + ret = DeriveKeys(ssl); + #else ret = DeriveTlsKeys(ssl); - else - ret = DeriveKeys(ssl); - #else - ret = DeriveTlsKeys(ssl); - #endif - ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; + #endif + ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; - return ret; + return ret; + } } return MatchSuite(ssl, &clSuites); } diff --git a/src/sniffer.c b/src/sniffer.c index 5e93aa595..02a64d9f3 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -2275,7 +2275,7 @@ static int ProcessMessage(const byte* sslFrame, SnifferSession* session, const byte* sslBegin = sslFrame; const byte* tmp; RecordLayerHeader rh; - int rhSize; + int rhSize = 0; int ret; int decoded = 0; /* bytes stored for user in data */ int notEnough; /* notEnough bytes yet flag */ From 3a98eb757871e7d02db3bf7f5473d1e9aad91929 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 12 Dec 2012 10:57:05 -0800 Subject: [PATCH 2/7] fix for current working directory, relative path instead of absolute, suggestion from SpamapS --- cyassl/test.h | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/cyassl/test.h b/cyassl/test.h index 774adcc3d..3e01edf69 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -821,10 +821,18 @@ static INLINE void ChangeDirBack(int x) /* does current dir contain str */ static INLINE int CurrentDir(const char* str) { - char path[MAX_PATH]; + char path[MAX_PATH]; + char* baseName; GetCurrentDirectoryA(sizeof(path), path); - if (strstr(path, str)) + + baseName = strrchr(path, '\\'); + if (baseName) + baseName++; + else + baseName = path; + + if (strstr(baseName, str)) return 1; return 0; @@ -859,13 +867,21 @@ static INLINE void ChangeDirBack(int x) /* does current dir contain str */ static INLINE int CurrentDir(const char* str) { - char path[MAX_PATH]; + char path[MAX_PATH]; + char* baseName; if (getcwd(path, sizeof(path)) == NULL) { printf("no current dir?\n"); return 0; } - if (strstr(path, str)) + + baseName = strrchr(path, '/'); + if (baseName) + baseName++; + else + baseName = path; + + if (strstr(baseName, str)) return 1; return 0; From c49e7a85f7dc6f963657326be15bf9bef63ec063 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 12 Dec 2012 14:33:21 -0800 Subject: [PATCH 3/7] fix configure.ac quoting --- configure.ac | 78 ++++++++++++++++++++++++++-------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/configure.ac b/configure.ac index d6481e782..4ed565183 100644 --- a/configure.ac +++ b/configure.ac @@ -38,7 +38,7 @@ CYASSL_LIBRARY_VERSION=3:3:0 # | +- increment if source code has changed # | set to zero if current is incremented # +- increment if interfaces have been added, removed or changed -AC_SUBST(CYASSL_LIBRARY_VERSION) +AC_SUBST([CYASSL_LIBRARY_VERSION]) # capture user C_EXTRA_FLAGS from ./configure line, CFLAGS may hold -g -O2 even # if user doesn't override, no way to tell @@ -106,7 +106,7 @@ AS_IF([test "$ax_enable_debug" = "yes"], # SMALL BUILD -AC_ARG_ENABLE(small, +AC_ARG_ENABLE([small], [ --enable-small Enable smallest build (default: disabled)], [ ENABLED_SMALL=$enableval ], [ ENABLED_SMALL=no ] @@ -122,7 +122,7 @@ fi # SINGLE THREADED -AC_ARG_ENABLE(singleThreaded, +AC_ARG_ENABLE([singleThreaded], [ --enable-singleThreaded Enable CyaSSL single threaded (default: disabled)], [ ENABLED_SINGLETHREADED=$enableval ], [ ENABLED_SINGLETHREADED=no ]) @@ -140,7 +140,7 @@ AS_IF([ test "x$ENABLED_SINGLETHREADED" = "xyes" ],[ AM_CFLAGS="-DSINGLE_THREADE # DTLS -AC_ARG_ENABLE(dtls, +AC_ARG_ENABLE([dtls], [ --enable-dtls Enable CyaSSL DTLS (default: disabled)], [ ENABLED_DTLS=$enableval ], [ ENABLED_DTLS=no ] @@ -152,7 +152,7 @@ fi # OPENSSL Extra Compatibility -AC_ARG_ENABLE(opensslExtra, +AC_ARG_ENABLE([opensslExtra], [ --enable-opensslExtra Enable extra OpenSSL API, size+ (default: disabled)], [ ENABLED_OPENSSLEXTRA=$enableval ], [ ENABLED_OPENSSLEXTRA=no ] @@ -169,7 +169,7 @@ fi # IPv6 Test Apps -AC_ARG_ENABLE(ipv6, +AC_ARG_ENABLE([ipv6], [ --enable-ipv6 Enable testing of IPV6 (default: disabled)], [ ENABLED_IPV6=$enableval ], [ ENABLED_IPV6=no ] @@ -182,7 +182,7 @@ fi # Fortress build -AC_ARG_ENABLE(fortress, +AC_ARG_ENABLE([fortress], [ --enable-fortress Enable SSL fortress build (default: disabled)], [ ENABLED_FORTRESS=$enableval ], [ ENABLED_FORTRESS=no ] @@ -195,7 +195,7 @@ fi # ssl bump build -AC_ARG_ENABLE(bump, +AC_ARG_ENABLE([bump], [ --enable-bump Enable SSL Bump build (default: disabled)], [ ENABLED_BUMP=$enableval ], [ ENABLED_BUMP=no ] @@ -209,7 +209,7 @@ fi ENABLED_SLOWMATH="yes" # lean psk build -AC_ARG_ENABLE(leanpsk, +AC_ARG_ENABLE([leanpsk], [ --enable-leanpsk Enable Lean PSK build (default: disabled)], [ ENABLED_LEANPSK=$enableval ], [ ENABLED_LEANPSK=no ] @@ -226,7 +226,7 @@ AM_CONDITIONAL([BUILD_LEANPSK], [test "x$ENABLED_LEANPSK" = "xyes"]) # fastmath -AC_ARG_ENABLE(fastmath, +AC_ARG_ENABLE([fastmath], [ --enable-fastmath Enable fast math for BigInts (default: disabled)], [ ENABLED_FASTMATH=$enableval ], [ ENABLED_FASTMATH=no ] @@ -240,7 +240,7 @@ fi # fast HUGE math -AC_ARG_ENABLE(fasthugemath, +AC_ARG_ENABLE([fasthugemath], [ --enable-fasthugemath Enable fast math + huge code (default: disabled)], [ ENABLED_FASTHUGEMATH=$enableval ], [ ENABLED_FASTHUGEMATH=no ] @@ -262,7 +262,7 @@ AM_CONDITIONAL([BUILD_FASTMATH], [test "x$ENABLED_FASTMATH" = "xyes"]) AM_CONDITIONAL([BUILD_SLOWMATH], [test "x$ENABLED_SLOWMATH" = "xyes"]) # big cache -AC_ARG_ENABLE(bigcache, +AC_ARG_ENABLE([bigcache], [ --enable-bigcache Enable big session cache (default: disabled)], [ ENABLED_BIGCACHE=$enableval ], [ ENABLED_BIGCACHE=no ] @@ -275,7 +275,7 @@ fi # HUGE cache -AC_ARG_ENABLE(hugecache, +AC_ARG_ENABLE([hugecache], [ --enable-hugecache Enable huge session cache (default: disabled)], [ ENABLED_HUGECACHE=$enableval ], [ ENABLED_HUGECACHE=no ] @@ -288,7 +288,7 @@ fi # SMALL cache -AC_ARG_ENABLE(smallcache, +AC_ARG_ENABLE([smallcache], [ --enable-smallcache Enable small session cache (default: disabled)], [ ENABLED_SMALLCACHE=$enableval ], [ ENABLED_SMALLCACHE=no ] @@ -314,7 +314,7 @@ AC_ARG_ENABLE([sniffer], AM_CONDITIONAL([BUILD_SNIFFER], [ test "x$ENABLED_SNIFFER" = "xyes" ]) # AES-GCM -AC_ARG_ENABLE(aesgcm, +AC_ARG_ENABLE([aesgcm], [ --enable-aesgcm Enable CyaSSL AES-GCM support (default: disabled)], [ ENABLED_AESGCM=$enableval ], [ ENABLED_AESGCM=no ] @@ -346,7 +346,7 @@ fi AM_CONDITIONAL([BUILD_AESGCM], [test "x$ENABLED_AESGCM" = "xyes"]) # AES-NI -AC_ARG_ENABLE(aesni, +AC_ARG_ENABLE([aesni], [ --enable-aesni Enable CyaSSL AES-NI support (default: disabled)], [ ENABLED_AESNI=$enableval ], [ ENABLED_AESNI=no ] @@ -366,7 +366,7 @@ AM_CONDITIONAL([BUILD_AESNI], [test "x$ENABLED_AESNI" = "xyes"]) # MD2 -AC_ARG_ENABLE(md2, +AC_ARG_ENABLE([md2], [ --enable-md2 Enable CyaSSL MD2 support (default: disabled)], [ ENABLED_MD2=$enableval ], [ ENABLED_MD2=no ] @@ -386,7 +386,7 @@ AM_CONDITIONAL([BUILD_MD2], [test "x$ENABLED_MD2" = "xyes"]) # RIPEMD -AC_ARG_ENABLE(ripemd, +AC_ARG_ENABLE([ripemd], [ --enable-ripemd Enable CyaSSL RIPEMD-160 support (default: disabled)], [ ENABLED_RIPEMD=$enableval ], [ ENABLED_RIPEMD=no ] @@ -401,7 +401,7 @@ AM_CONDITIONAL([BUILD_RIPEMD], [test "x$ENABLED_RIPEMD" = "xyes"]) # SHA512 -AC_ARG_ENABLE(sha512, +AC_ARG_ENABLE([sha512], [ --enable-sha512 Enable CyaSSL SHA-512 support (default: disabled)], [ ENABLED_SHA512=$enableval ], [ ENABLED_SHA512=no ] @@ -427,7 +427,7 @@ AM_CONDITIONAL([BUILD_SHA512], [test "x$ENABLED_SHA512" = "xyes"]) # SESSION CERTS -AC_ARG_ENABLE(sessioncerts, +AC_ARG_ENABLE([sessioncerts], [ --enable-sessioncerts Enable session cert storing (default: disabled)], [ ENABLED_SESSIONCERTS=$enableval ], [ ENABLED_SESSIONCERTS=no ] @@ -440,7 +440,7 @@ fi # KEY GENERATION -AC_ARG_ENABLE(keygen, +AC_ARG_ENABLE([keygen], [ --enable-keygen Enable key generation (default: disabled)], [ ENABLED_KEYGEN=$enableval ], [ ENABLED_KEYGEN=no ] @@ -453,7 +453,7 @@ fi # CERT GENERATION -AC_ARG_ENABLE(certgen, +AC_ARG_ENABLE([certgen], [ --enable-certgen Enable cert generation (default: disabled)], [ ENABLED_CERTGEN=$enableval ], [ ENABLED_CERTGEN=no ] @@ -466,7 +466,7 @@ fi # HC128 -AC_ARG_ENABLE(hc128, +AC_ARG_ENABLE([hc128], [ --enable-hc128 Enable HC-128 (default: disabled)], [ ENABLED_HC128=$enableval ], [ ENABLED_HC128=no ] @@ -483,7 +483,7 @@ AM_CONDITIONAL([BUILD_HC128], [test "x$ENABLED_HC128" = "xyes"]) # RABBIT -AC_ARG_ENABLE(rabbit, +AC_ARG_ENABLE([rabbit], [ --enable-rabbit Enable RABBIT (default: disabled)], [ ENABLED_RABBIT=$enableval ], [ ENABLED_RABBIT=no ] @@ -500,7 +500,7 @@ AM_CONDITIONAL([BUILD_RABBIT], [test "x$ENABLED_RABBIT" = "xyes"]) # PSK -AC_ARG_ENABLE(psk, +AC_ARG_ENABLE([psk], [ --enable-psk Enable PSK (default: disabled)], [ ENABLED_PSK=$enableval ], [ ENABLED_PSK=no ] @@ -513,7 +513,7 @@ fi # Web Server Build -AC_ARG_ENABLE(webServer, +AC_ARG_ENABLE([webServer], [ --enable-webServer Enable Web Server (default: disabled)], [ ENABLED_WEBSERVER=$enableval ], [ ENABLED_WEBSERVER=no ] @@ -526,7 +526,7 @@ fi # No Filesystem Build -AC_ARG_ENABLE(noFilesystem, +AC_ARG_ENABLE([noFilesystem], [ --enable-noFilesystem Enable No Filesystem (default: disabled)], [ ENABLED_NOFILESYSTEM=$enableval ], [ ENABLED_NOFILESYSTEM=no ] @@ -539,7 +539,7 @@ fi # No inline Build -AC_ARG_ENABLE(noInline, +AC_ARG_ENABLE([noInline], [ --enable-noInline Enable No inline (default: disabled)], [ ENABLED_NOINLINE=$enableval ], [ ENABLED_NOINLINE=no ] @@ -554,7 +554,7 @@ AM_CONDITIONAL([BUILD_NOINLINE], [test "x$ENABLED_NOINLINE" = "xyes"]) # ECC -AC_ARG_ENABLE(ecc, +AC_ARG_ENABLE([ecc], [ --enable-ecc Enable ECC (default: disabled)], [ ENABLED_ECC=$enableval ], [ ENABLED_ECC=no ] @@ -575,7 +575,7 @@ fi # OCSP -AC_ARG_ENABLE(ocsp, +AC_ARG_ENABLE([ocsp], [ --enable-ocsp Enable OCSP (default: disabled)], [ ENABLED_OCSP=$enableval ], [ ENABLED_OCSP=no ], @@ -590,7 +590,7 @@ AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) # CRL -AC_ARG_ENABLE(crl, +AC_ARG_ENABLE([crl], [ --enable-crl Enable CRL (default: disabled)], [ ENABLED_CRL=$enableval ], [ ENABLED_CRL=no ], @@ -605,7 +605,7 @@ AM_CONDITIONAL([BUILD_CRL], [test "x$ENABLED_CRL" = "xyes"]) # CRL Monitor -AC_ARG_ENABLE(crl-monitor, +AC_ARG_ENABLE([crl-monitor], [ --enable-crl-monitor Enable CRL Monitor (default: disabled)], [ ENABLED_CRL_MONITOR=$enableval ], [ ENABLED_CRL_MONITOR=no ], @@ -628,7 +628,7 @@ AM_CONDITIONAL([BUILD_CRL_MONITOR], [test "x$ENABLED_CRL_MONITOR" = "xyes"]) ntruHome=`pwd`/NTRU_algorithm ntruInclude=$ntruHome/cryptolib ntruLib=$ntruHome -AC_ARG_ENABLE(ntru, +AC_ARG_ENABLE([ntru], [ --enable-ntru Enable NTRU (default: disabled)], [ ENABLED_NTRU=$enableval ], [ ENABLED_NTRU=no ] @@ -650,7 +650,7 @@ fi #valgrind -AC_ARG_ENABLE(valgrind, +AC_ARG_ENABLE([valgrind], [ --enable-valgrind Enable valgrind for unit tests (default: disabled)], [ ENABLED_VALGRIND=$enableval ], [ ENABLED_VALGRIND=no ] @@ -658,7 +658,7 @@ AC_ARG_ENABLE(valgrind, if test "$ENABLED_VALGRIND" = "yes" then - AC_CHECK_PROG(HAVE_VALGRIND,valgrind,yes,no) + AC_CHECK_PROG([HAVE_VALGRIND],[valgrind],[yes],[no]) if [["$HAVE_VALGRIND" = "no" ]]; then AC_MSG_ERROR([Valgrind not found.]) @@ -670,7 +670,7 @@ AM_CONDITIONAL([USE_VALGRIND], [test "x$ENABLED_VALGRIND" = "xyes"]) # Test certs, use internal cert functions for extra testing -AC_ARG_ENABLE(testcert, +AC_ARG_ENABLE([testcert], [ --enable-testcert Enable Test Cert (default: disabled)], [ ENABLED_TESTCERT=$enableval ], [ ENABLED_TESTCERT=no ] @@ -683,7 +683,7 @@ fi # Enable Examples, used to disable examples -AC_ARG_ENABLE(examples, +AC_ARG_ENABLE([examples], [ --enable-examples Enable Examples (default: enabled)], [ ENABLED_EXAMPLES=$enableval ], [ ENABLED_EXAMPLES=yes ] @@ -694,7 +694,7 @@ AM_CONDITIONAL([BUILD_EXAMPLES], [test "x$ENABLED_EXAMPLES" = "xyes"]) # LIBZ trylibzdir="" -AC_ARG_WITH(libz, +AC_ARG_WITH([libz], [ --with-libz=PATH PATH to libz install (default /usr/) ], [ AC_MSG_CHECKING([for libz]) @@ -750,7 +750,7 @@ fi LIB_SOCKET_NSL -AC_ARG_ENABLE(gcc-hardening, +AC_ARG_ENABLE([gcc-hardening], AS_HELP_STRING(--enable-gcc-hardening, Enable compiler security checks (default: disabled)), [if test x$enableval = xyes; then AM_CFLAGS="$AM_CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all" From a108c5565e3c142b54a5a2daff51910b4d722ea9 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 12 Dec 2012 17:13:33 -0800 Subject: [PATCH 4/7] get release 2.4.4 ready --- README | 30 ++++++++++++++++++++++++++---- configure.ac | 2 +- cyassl/version.h | 4 ++-- 3 files changed, 29 insertions(+), 7 deletions(-) diff --git a/README b/README index 58dcded67..484936629 100644 --- a/README +++ b/README @@ -12,7 +12,7 @@ harder. Now to run testsuite just do: or -make test (when using autoconf) +make check (when using autoconf) On *nix or Windows the examples and testsuite will check to see if the current directory is the source directory and if so, attempt to change to the CyaSSL @@ -32,15 +32,37 @@ SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); before calling SSL_new(); Though it's not recommended. +*** end Notes *** + + +CyaSSL Release 2.4.4 (12/12/2012) + +Release 2.4.4 CyaSSL has bug fixes and a few new features including: +- ECC into main version +- Lean PSK build (reduced code size, RAM usage, and stack usage) +- FreeBSD CRL monitor support +- CyaSSL_peek() +- CyaSSL_send() and CyaSSL_recv() for I/O flag setting +- CodeWarrior Support +- MQX Support +- Freescale Kinetis support including Hardware RNG +- autconf builds use jobserver +- cyassl-config +- Sniffer memory reductions + +Thanks to Brian Aker for the improved autoconf system, make rpm, cyassl-config, +warning system, and general good ideas for improving CyaSSL! -Note 3) The Freescale Kinetis K70 RNGA documentation can be found in Chapter 37 of the K70 Sub-Family Reference Manual: http://cache.freescale.com/files/microcontrollers/doc/ref_manual/K70P256M150SF3RM.pdf -*** end Note *** +The CyaSSL manual is available at: +http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions +and comments about the new features please check the manual. -CyaSSL Release 2.4.0 (10/10/2012) + +*************** CyaSSL Release 2.4.0 (10/10/2012) Release 2.4.0 CyaSSL has bug fixes and a few new features including: - DTLS reliability diff --git a/configure.ac b/configure.ac index 4ed565183..4f5ba1166 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.4.2],[http://www.yassl.com]) +AC_INIT([cyassl],[2.4.4],[http://www.yassl.com]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/cyassl/version.h b/cyassl/version.h index 19330ee5d..58f9f44f8 100644 --- a/cyassl/version.h +++ b/cyassl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBCYASSL_VERSION_STRING "2.4.2" -#define LIBCYASSL_VERSION_HEX 0x02004002 +#define LIBCYASSL_VERSION_STRING "2.4.4" +#define LIBCYASSL_VERSION_HEX 0x02004004 #ifdef __cplusplus } From 726d686b074499abd49ecfd0e5d5da6d452238f1 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 12 Dec 2012 18:03:32 -0800 Subject: [PATCH 5/7] fix clang scan-build problems --- ctaocrypt/benchmark/benchmark.c | 4 +++ ctaocrypt/src/asn.c | 3 ++ ctaocrypt/test/test.c | 20 ++++++++---- examples/client/client.c | 2 -- examples/server/server.c | 2 -- src/ssl.c | 58 ++++++++++++++++++--------------- 6 files changed, 53 insertions(+), 36 deletions(-) diff --git a/ctaocrypt/benchmark/benchmark.c b/ctaocrypt/benchmark/benchmark.c index 7ea6eaed6..fa3bc62f7 100644 --- a/ctaocrypt/benchmark/benchmark.c +++ b/ctaocrypt/benchmark/benchmark.c @@ -511,6 +511,10 @@ void bench_dh(void) bytes = fread(tmp, 1, sizeof(tmp), file); InitDhKey(&dhKey); bytes = DhKeyDecode(tmp, &idx, &dhKey, (word32)bytes); + if (bytes != 0) { + printf("dhekydecode failed, can't benchmark\n"); + return; + } start = current_time(); diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 0edc4797b..56b420298 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -2079,6 +2079,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz, typeH = SHA256h; digestSz = SHA256_DIGEST_SIZE; } + break; #endif #ifdef CYASSL_SHA512 case CTC_SHA512wRSA: @@ -2091,6 +2092,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz, typeH = SHA512h; digestSz = SHA512_DIGEST_SIZE; } + break; #endif #ifdef CYASSL_SHA384 case CTC_SHA384wRSA: @@ -2103,6 +2105,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz, typeH = SHA384h; digestSz = SHA384_DIGEST_SIZE; } + break; #endif default: CYASSL_MSG("Verify Signautre has unsupported type"); diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index e27a0210a..08842fd30 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -1708,6 +1708,8 @@ int rsa_test(void) if (ret != 0) return -491; FreeDecodedCert(&cert); +#else + (void)bytes; #endif fclose(file2); @@ -2091,13 +2093,13 @@ int dh_test(void) if (ret != 0) return -53; - ret = DhGenerateKeyPair(&key, &rng, priv, &privSz, pub, &pubSz); - ret = DhGenerateKeyPair(&key2, &rng, priv2, &privSz2, pub2, &pubSz2); + ret = DhGenerateKeyPair(&key, &rng, priv, &privSz, pub, &pubSz); + ret += DhGenerateKeyPair(&key2, &rng, priv2, &privSz2, pub2, &pubSz2); if (ret != 0) return -54; - ret = DhAgree(&key, agree, &agreeSz, priv, privSz, pub2, pubSz2); - ret = DhAgree(&key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz); + ret = DhAgree(&key, agree, &agreeSz, priv, privSz, pub2, pubSz2); + ret += DhAgree(&key2, agree2, &agreeSz2, priv2, privSz2, pub, pubSz); if (ret != 0) return -55; @@ -2420,14 +2422,20 @@ int pkcs12_test(void) int ret = PKCS12_PBKDF(derived, passwd, sizeof(passwd), salt, 8, iterations, kLen, SHA, id); - if ( (ret = memcmp(derived, verify, kLen)) != 0) + if (ret < 0) return -103; + if ( (ret = memcmp(derived, verify, kLen)) != 0) + return -104; + iterations = 1000; ret = PKCS12_PBKDF(derived, passwd2, sizeof(passwd2), salt2, 8, iterations, kLen, SHA, id); + if (ret < 0) + return -105; + if ( (ret = memcmp(derived, verify2, 24)) != 0) - return -104; + return -106; return 0; } diff --git a/examples/client/client.c b/examples/client/client.c index 236a45837..b5e756f68 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -232,8 +232,6 @@ void client_test(void* args) } } - argc -= myoptind; - argv += myoptind; myoptind = 0; /* reset for test cases */ switch (version) { diff --git a/examples/server/server.c b/examples/server/server.c index 984263485..57d3702c7 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -200,8 +200,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } } - argc -= myoptind; - argv += myoptind; myoptind = 0; /* reset for test cases */ switch (version) { diff --git a/src/ssl.c b/src/ssl.c index c4d0f3525..7ae07fb72 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1128,8 +1128,10 @@ int CyaSSL_Init(void) { EncryptedInfo info; buffer der; /* holds DER or RAW (for NTRU) */ + int ret; int dynamicType = 0; int eccKey = 0; + void* heap = ctx ? ctx->heap : NULL; info.set = 0; info.ctx = ctx; @@ -1153,9 +1155,9 @@ int CyaSSL_Init(void) dynamicType = DYNAMIC_TYPE_KEY; if (format == SSL_FILETYPE_PEM) { - int ret = PemToDer(buff, sz, type, &der, ctx->heap, &info, &eccKey); + ret = PemToDer(buff, sz, type, &der, heap, &info, &eccKey); if (ret < 0) { - XFREE(der.buffer, ctx->heap, dynamicType); + XFREE(der.buffer, heap, dynamicType); return ret; } if (used) @@ -1174,10 +1176,10 @@ int CyaSSL_Init(void) CYASSL_MSG("Growing Tmp Chain Buffer"); bufferSz = (word32)(sz - consumed); /* will shrink to actual size */ - chainBuffer = (byte*)XMALLOC(bufferSz, ctx->heap, + chainBuffer = (byte*)XMALLOC(bufferSz, heap, DYNAMIC_TYPE_FILE); if (chainBuffer == NULL) { - XFREE(der.buffer, ctx->heap, dynamicType); + XFREE(der.buffer, heap, dynamicType); return MEMORY_E; } dynamicBuffer = 1; @@ -1190,7 +1192,7 @@ int CyaSSL_Init(void) part.buffer = 0; ret = PemToDer(buff + consumed, sz - consumed, type, &part, - ctx->heap, &info, &eccKey); + heap, &info, &eccKey); if (ret == 0) { gotOne = 1; if ( (idx + part.length) > bufferSz) { @@ -1208,38 +1210,42 @@ int CyaSSL_Init(void) } } - XFREE(part.buffer, ctx->heap, dynamicType); + XFREE(part.buffer, heap, dynamicType); if (ret == SSL_NO_PEM_HEADER && gotOne) { CYASSL_MSG("We got one good PEM so stuff at end ok"); - ret = 0; break; } if (ret < 0) { CYASSL_MSG(" Error in Cert in Chain"); - XFREE(der.buffer, ctx->heap, dynamicType); + XFREE(der.buffer, heap, dynamicType); return ret; } CYASSL_MSG(" Consumed another Cert in Chain"); } CYASSL_MSG("Finished Processing Cert Chain"); - ctx->certChain.buffer = (byte*)XMALLOC(idx, ctx->heap, + + if (ctx == NULL) { + CYASSL_MSG("certChain needs context"); + return BAD_FUNC_ARG; + } + ctx->certChain.buffer = (byte*)XMALLOC(idx, heap, dynamicType); if (ctx->certChain.buffer) { ctx->certChain.length = idx; XMEMCPY(ctx->certChain.buffer, chainBuffer, idx); } if (dynamicBuffer) - XFREE(chainBuffer, ctx->heap, DYNAMIC_TYPE_FILE); + XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE); if (ctx->certChain.buffer == NULL) { - XFREE(der.buffer, ctx->heap, dynamicType); + XFREE(der.buffer, heap, dynamicType); return MEMORY_E; } } } else { /* ASN1 (DER) or RAW (NTRU) */ - der.buffer = (byte*) XMALLOC(sz, ctx->heap, dynamicType); + der.buffer = (byte*) XMALLOC(sz, heap, dynamicType); if (!der.buffer) return MEMORY_ERROR; XMEMCPY(der.buffer, buff, sz); der.length = (word32)sz; @@ -1250,19 +1256,18 @@ int CyaSSL_Init(void) /* decrypt */ char password[80]; int passwordSz; - int ret; byte key[AES_256_KEY_SIZE]; byte iv[AES_IV_SIZE]; if (!ctx->passwd_cb) { - XFREE(der.buffer, ctx->heap, dynamicType); + XFREE(der.buffer, heap, dynamicType); return NO_PASSWORD; } /* use file's salt for key derivation, hex decode first */ if (Base16_Decode(info.iv, info.ivSz, info.iv, &info.ivSz) != 0) { - XFREE(der.buffer, ctx->heap, dynamicType); + XFREE(der.buffer, heap, dynamicType); return ASN_INPUT_E; } @@ -1270,7 +1275,7 @@ int CyaSSL_Init(void) ctx->userdata); if ( (ret = EVP_BytesToKey(info.name, "MD5", info.iv, (byte*)password, passwordSz, 1, key, iv)) <= 0) { - XFREE(der.buffer, ctx->heap, dynamicType); + XFREE(der.buffer, heap, dynamicType); return ret; } @@ -1300,7 +1305,7 @@ int CyaSSL_Init(void) AesCbcDecrypt(&enc, der.buffer, der.buffer, der.length); } else { - XFREE(der.buffer, ctx->heap, dynamicType); + XFREE(der.buffer, heap, dynamicType); return SSL_BAD_FILE; } } @@ -1312,32 +1317,32 @@ int CyaSSL_Init(void) else if (type == CERT_TYPE) { if (ssl) { if (ssl->buffers.weOwnCert && ssl->buffers.certificate.buffer) - XFREE(ssl->buffers.certificate.buffer, ctx->heap, + XFREE(ssl->buffers.certificate.buffer, heap, dynamicType); ssl->buffers.certificate = der; ssl->buffers.weOwnCert = 1; } - else { + else if (ctx) { if (ctx->certificate.buffer) - XFREE(ctx->certificate.buffer, ctx->heap, dynamicType); + XFREE(ctx->certificate.buffer, heap, dynamicType); ctx->certificate = der; /* takes der over */ } } else if (type == PRIVATEKEY_TYPE) { if (ssl) { if (ssl->buffers.weOwnKey && ssl->buffers.key.buffer) - XFREE(ssl->buffers.key.buffer, ctx->heap, dynamicType); + XFREE(ssl->buffers.key.buffer, heap, dynamicType); ssl->buffers.key = der; ssl->buffers.weOwnKey = 1; } - else { + else if (ctx) { if (ctx->privateKey.buffer) - XFREE(ctx->privateKey.buffer, ctx->heap, dynamicType); + XFREE(ctx->privateKey.buffer, heap, dynamicType); ctx->privateKey = der; /* takes der over */ } } else { - XFREE(der.buffer, ctx->heap, dynamicType); + XFREE(der.buffer, heap, dynamicType); return SSL_BAD_CERTTYPE; } @@ -1384,7 +1389,7 @@ int CyaSSL_Init(void) DecodedCert cert; CYASSL_MSG("Checking cert signature type"); - InitDecodedCert(&cert, der.buffer, der.length, ctx->heap); + InitDecodedCert(&cert, der.buffer, der.length, heap); if (DecodeToKey(&cert, 0) < 0) { CYASSL_MSG("Decode to key failed"); @@ -1396,7 +1401,8 @@ int CyaSSL_Init(void) case CTC_SHA384wECDSA: case CTC_SHA512wECDSA: CYASSL_MSG("ECDSA cert signature"); - ctx->haveECDSAsig = 1; + if (ctx) + ctx->haveECDSAsig = 1; if (ssl) ssl->options.haveECDSAsig = 1; break; From 0e67cd17d6ca9f078cabb4bf8ee05a7d03ae4122 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 12 Dec 2012 20:04:10 -0800 Subject: [PATCH 6/7] clang opensslExtra fix --- src/ssl.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 7ae07fb72..1baa80dab 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1260,7 +1260,7 @@ int CyaSSL_Init(void) byte key[AES_256_KEY_SIZE]; byte iv[AES_IV_SIZE]; - if (!ctx->passwd_cb) { + if (!ctx || !ctx->passwd_cb) { XFREE(der.buffer, heap, dynamicType); return NO_PASSWORD; } @@ -1311,9 +1311,15 @@ int CyaSSL_Init(void) } #endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */ - if (type == CA_TYPE) + if (type == CA_TYPE) { + if (ctx == NULL) { + CYASSL_MSG("Need context for CA load"); + XFREE(der.buffer, heap, dynamicType); + return BAD_FUNC_ARG; + } return AddCA(ctx->cm, der, CYASSL_USER_CA, ctx->verifyPeer); /* takes der over */ + } else if (type == CERT_TYPE) { if (ssl) { if (ssl->buffers.weOwnCert && ssl->buffers.certificate.buffer) From f82324a08129178706ddd4b7b84cc57b6bc4f62e Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 12 Dec 2012 20:06:55 -0800 Subject: [PATCH 7/7] README typo --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index 484936629..4771e375a 100644 --- a/README +++ b/README @@ -46,7 +46,7 @@ Release 2.4.4 CyaSSL has bug fixes and a few new features including: - CodeWarrior Support - MQX Support - Freescale Kinetis support including Hardware RNG -- autconf builds use jobserver +- autoconf builds use jobserver - cyassl-config - Sniffer memory reductions