diff --git a/configure.ac b/configure.ac index bdb72994b4..1c076891ae 100644 --- a/configure.ac +++ b/configure.ac @@ -6843,7 +6843,7 @@ AS_CASE(["$CFLAGS $CPPFLAGS"],[*'WOLFSSL_TRUST_PEER_CERT'*],[ENABLED_TRUSTED_PEE AS_CASE(["$CFLAGS $CPPFLAGS $AM_CFLAGS"],[*'OPENSSL_COMPATIBLE_DEFAULTS'*], - [ENABLED_OPENSSL_COMPATIBLE_DEFAULTS=yes]) + [ENABLED_OPENSSL_COMPATIBLE_DEFAULTS=yes]) if test "x$ENABLED_OPENSSL_COMPATIBLE_DEFAULTS" = "xyes" then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRUST_PEER_CERT" diff --git a/examples/client/client.c b/examples/client/client.c index 3775df940a..86e8ecb29f 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -3191,8 +3191,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif /* HAVE_ECC */ #if defined(WOLFSSL_TRUST_PEER_CERT) && !defined(NO_FILESYSTEM) if (trustCert) { - if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert, - WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) { + if (wolfSSL_CTX_trust_peer_cert(ctx, trustCert, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); ctx = NULL; err_sys("can't load trusted peer cert file"); } diff --git a/examples/server/server.c b/examples/server/server.c index 64e30f4e8e..23835a1cbd 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -2568,9 +2568,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) } #ifdef WOLFSSL_TRUST_PEER_CERT if (trustCert) { - if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert, - WOLFSSL_FILETYPE_PEM)) - != WOLFSSL_SUCCESS) { + if (wolfSSL_CTX_trust_peer_cert(ctx, trustCert, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { err_sys_ex(runWithErrors, "can't load trusted peer cert file"); } } @@ -2790,8 +2789,8 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args) } #ifdef WOLFSSL_TRUST_PEER_CERT if (trustCert) { - if ((ret = wolfSSL_trust_peer_cert(ssl, trustCert, - WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) { + if (wolfSSL_trust_peer_cert(ssl, trustCert, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { err_sys_ex(runWithErrors, "can't load trusted peer cert " "file"); } diff --git a/src/internal.c b/src/internal.c index 5d88d920c6..25577319ce 100644 --- a/src/internal.c +++ b/src/internal.c @@ -30626,7 +30626,10 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, id = ssl->session->altSessionID; idSz = ID_LEN; } - XMEMCPY(it.id, id, ID_LEN); + /* make sure idSz is not larger than ID_LEN */ + if (idSz > ID_LEN) + idSz = ID_LEN; + XMEMCPY(it.id, id, idSz); } #endif @@ -30765,20 +30768,20 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* get master secret */ if (ret == WOLFSSL_TICKET_RET_OK || ret == WOLFSSL_TICKET_RET_CREATE) { if (ssl->version.minor < it->pv.minor) { - ForceZero(&it, sizeof(it)); + ForceZero(it, sizeof(*it)); WOLFSSL_MSG("Ticket has greater version"); return VERSION_ERROR; } else if (ssl->version.minor > it->pv.minor) { if (IsAtLeastTLSv1_3(it->pv) != IsAtLeastTLSv1_3(ssl->version)) { - ForceZero(&it, sizeof(it)); + ForceZero(it, sizeof(*it)); WOLFSSL_MSG("Tickets cannot be shared between " "TLS 1.3 and TLS 1.2 and lower"); return VERSION_ERROR; } if (!ssl->options.downgrade) { - ForceZero(&it, sizeof(it)); + ForceZero(it, sizeof(*it)); WOLFSSL_MSG("Ticket has lesser version"); return VERSION_ERROR; } @@ -30786,7 +30789,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, WOLFSSL_MSG("Downgrading protocol due to ticket"); if (it->pv.minor < ssl->options.minDowngrade) { - ForceZero(&it, sizeof(it)); + ForceZero(it, sizeof(*it)); return VERSION_ERROR; } ssl->version.minor = it->pv.minor; @@ -30837,7 +30840,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } } - ForceZero(&it, sizeof(it)); + ForceZero(it, sizeof(*it)); WOLFSSL_LEAVE("DoClientTicket", ret); WOLFSSL_END(WC_FUNC_TICKET_DO); diff --git a/src/ssl.c b/src/ssl.c index bf45f2f5d1..d2905de196 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5266,7 +5266,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) #define SESSIONS_PER_ROW 3 #define SESSION_ROWS 11 #endif - #define INVALID_SESSION_ROW -1 + #define INVALID_SESSION_ROW (-1) #ifdef NO_SESSION_CACHE_ROW_LOCK #undef ENABLE_SESSION_CACHE_ROW_LOCK @@ -5330,11 +5330,15 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) #error CLIENT_SESSION_ROWS too big #endif - typedef struct ClientSession { + struct ClientSession { word16 serverRow; /* SessionCache Row id */ word16 serverIdx; /* SessionCache Idx (column) */ word32 sessionIDHash; - } ClientSession; + }; + #ifndef WOLFSSL_CLIENT_SESSION_DEFINED + typedef struct ClientSession ClientSession; + #define WOLFSSL_CLIENT_SESSION_DEFINED + #endif typedef struct ClientRow { int nextIdx; /* where to place next one */ @@ -15507,6 +15511,7 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output) return WOLFSSL_FAILURE; #endif + XMEMSET(bogusID, 0, sizeof(bogusID)); if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) id = ssl->arrays->sessionID; else if (ssl->session->haveAltSessionID) { @@ -15763,8 +15768,9 @@ int wolfSSL_SetSession(WOLFSSL* ssl, WOLFSSL_SESSION* session) SESSION_ROW_UNLOCK(sessRow); sessRow = NULL; } - /* Make sure we don't access this anymore */ - session = NULL; + + /* Note: the `session` variable cannot be used below, since the row is + * un-locked */ if (ret != WOLFSSL_SUCCESS) return ret; @@ -24094,7 +24100,7 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output, output->heap, DYNAMIC_TYPE_SESSION_TICK); if (tmp == NULL) { WOLFSSL_MSG("Failed to allocate memory for ticket"); - XFREE(ticBuff, ssl->heap, DYNAMIC_TYPE_SESSION_TICK); + XFREE(ticBuff, output->heap, DYNAMIC_TYPE_SESSION_TICK); output->ticket = NULL; output->ticketLen = 0; output->ticketLenAlloc = 0; @@ -24138,7 +24144,7 @@ int wolfSSL_DupSession(const WOLFSSL_SESSION* input, WOLFSSL_SESSION* output, } else { if (ticBuff != NULL) - XFREE(ticBuff, input->heap, DYNAMIC_TYPE_SESSION_TICK); + XFREE(ticBuff, output->heap, DYNAMIC_TYPE_SESSION_TICK); output->ticket = output->_staticTicket; output->ticketLenAlloc = 0; } diff --git a/src/wolfio.c b/src/wolfio.c index 24c21fa299..1507e949c7 100644 --- a/src/wolfio.c +++ b/src/wolfio.c @@ -834,10 +834,12 @@ int wolfIO_TcpConnect(SOCKET_T* sockfd, const char* ip, word16 port, int to_sec) return -1; } +#if !defined(HAVE_GETADDRINFO) #ifdef WOLFSSL_IPV6 sockaddr_len = sizeof(SOCKADDR_IN6); #else sockaddr_len = sizeof(SOCKADDR_IN); +#endif #endif XMEMSET(&addr, 0, sizeof(addr)); diff --git a/tests/api.c b/tests/api.c index f8336579f1..8a0cf5f729 100644 --- a/tests/api.c +++ b/tests/api.c @@ -39320,6 +39320,8 @@ static void test_wolfSSL_SESSION(void) #else AssertIntEQ(wolfSSL_SESSION_has_ticket(sess), 0); #endif +#else + (void)sess; #endif /* OPENSSL_EXTRA */ /* Retain copy of the session for later testing */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index fa0b911f63..286c54838a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1691,7 +1691,10 @@ typedef WOLFSSL_BUFFER_INFO buffer; typedef struct Suites Suites; /* Declare opaque struct for API to use */ -typedef struct ClientSession ClientSession; +#ifndef WOLFSSL_CLIENT_SESSION_DEFINED + typedef struct ClientSession ClientSession; + #define WOLFSSL_CLIENT_SESSION_DEFINED +#endif /* defaults to client */ WOLFSSL_LOCAL void InitSSL_Method(WOLFSSL_METHOD* method, ProtocolVersion pv); @@ -4608,13 +4611,13 @@ struct WOLFSSL { */ #ifdef WOLFSSL_HAVE_ERROR_QUEUE #define CLEAR_ASN_NO_PEM_HEADER_ERROR(err) \ - err = wolfSSL_ERR_peek_last_error(); \ + (err) = wolfSSL_ERR_peek_last_error(); \ if (ERR_GET_LIB(err) == ERR_LIB_PEM && \ ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { \ wc_RemoveErrorNode(-1); \ } #else -#define CLEAR_ASN_NO_PEM_HEADER_ERROR(err) (void)err; +#define CLEAR_ASN_NO_PEM_HEADER_ERROR(err) (void)(err); #endif /* diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index b25942dd8f..bd82cf1e62 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2852,7 +2852,8 @@ WOLFSSL_API int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* key, unsigned int len, WOLFSSL_API int wolfSSL_Unload_trust_peers(WOLFSSL* ssl); #endif WOLFSSL_API int wolfSSL_CTX_trust_peer_buffer(WOLFSSL_CTX* ctx, - const unsigned char*, long, int); + const unsigned char* in, + long sz, int format); #endif WOLFSSL_API int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in, long sz, int format,