Regression testing: memory allocation failure

SparkiDev · SparkiDev · commit 4d56cc179038 · 2024-06-27T17:17:53.000+10:00
Fixes from memory allocation failure testing.
Also:
fix asn.c to have ifdef protection around code compiled in with dual
algorithm certificates.
  fix test_tls13_rpk_handshake() to support no TLS 1.2 or no TLS 1.3.
fix wc_xmss_sigsleft() to initialize the index to avoid compilation
error.
diff --git a/src/crl.c b/src/crl.c
@@ -121,7 +121,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,
     wolfSSL_d2i_X509_NAME(&crle->issuer, (unsigned char**)&dcrl->issuer,
                           dcrl->issuerSz);
     if (crle->issuer == NULL) {
-        return WOLFSSL_FAILURE;
+        return -1;
     }
 #endif
 #ifdef CRL_STATIC_REVOKED_LIST
diff --git a/src/internal.c b/src/internal.c
@@ -13495,6 +13495,9 @@ int SetupStoreCtxCallback(WOLFSSL_X509_STORE_CTX** store_pt,
                 store->current_cert = x509;
                 *x509Free = 1;
             }
+            else {
+                goto mem_error;
+            }
         }
 #endif
 #ifdef SESSION_CERTS
diff --git a/src/ssl.c b/src/ssl.c
@@ -5437,24 +5437,9 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
         if (!signer)
             ret = MEMORY_ERROR;
     }
-#if defined(WOLFSSL_AKID_NAME) || defined(HAVE_CRL)
-    if (ret == 0 && signer != NULL)
-        ret = CalcHashId(cert->serial, cert->serialSz, signer->serialHash);
-#endif
-    if (ret == 0 && signer != NULL) {
-    #ifdef WOLFSSL_SIGNER_DER_CERT
-        ret = AllocDer(&signer->derCert, der->length, der->type, NULL);
-    }
-    if (ret == 0 && signer != NULL) {
-        XMEMCPY(signer->derCert->buffer, der->buffer, der->length);
-    #endif
-        signer->keyOID         = cert->keyOID;
-        if (cert->pubKeyStored) {
-            signer->publicKey      = cert->publicKey;
-            signer->pubKeySize     = cert->pubKeySize;
-        }
 
 #ifdef WOLFSSL_DUAL_ALG_CERTS
+    if (ret == 0 && signer != NULL) {
         if (cert->extSapkiSet && cert->sapkiLen > 0) {
             /* Allocated space for alternative public key. */
             signer->sapkiDer = (byte*)XMALLOC(cert->sapkiLen, cm->heap,
@@ -5468,8 +5453,26 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
                 signer->sapkiOID = cert->sapkiOID;
             }
         }
+    }
 #endif /* WOLFSSL_DUAL_ALG_CERTS */
 
+#if defined(WOLFSSL_AKID_NAME) || defined(HAVE_CRL)
+    if (ret == 0 && signer != NULL)
+        ret = CalcHashId(cert->serial, cert->serialSz, signer->serialHash);
+#endif
+    if (ret == 0 && signer != NULL) {
+    #ifdef WOLFSSL_SIGNER_DER_CERT
+        ret = AllocDer(&signer->derCert, der->length, der->type, NULL);
+    }
+    if (ret == 0 && signer != NULL) {
+        XMEMCPY(signer->derCert->buffer, der->buffer, der->length);
+    #endif
+        signer->keyOID         = cert->keyOID;
+        if (cert->pubKeyStored) {
+            signer->publicKey      = cert->publicKey;
+            signer->pubKeySize     = cert->pubKeySize;
+        }
+
         if (cert->subjectCNStored) {
             signer->nameLen        = cert->subjectCNLen;
             signer->name           = cert->subjectCN;
diff --git a/src/ssl_load.c b/src/ssl_load.c
@@ -5202,6 +5202,8 @@ static int wolfssl_set_tmp_dh(WOLFSSL* ssl, unsigned char* p, int pSz,
 
     /* Allocate space for cipher suites. */
     if ((ret == 1) && (AllocateSuites(ssl) != 0)) {
+        ssl->buffers.serverDH_P.buffer = NULL;
+        ssl->buffers.serverDH_G.buffer = NULL;
         ret = 0;
     }
     if (ret == 1) {
@@ -5249,8 +5251,6 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
         pAlloc = (byte*)XMALLOC(pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
         gAlloc = (byte*)XMALLOC(gSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
         if ((pAlloc == NULL) || (gAlloc == NULL)) {
-            XFREE(pAlloc, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
-            XFREE(gAlloc, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
             ret = MEMORY_E;
         }
     }
diff --git a/src/tls13.c b/src/tls13.c
@@ -9691,6 +9691,7 @@ static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
 }
 
 #ifdef WOLFSSL_DUAL_ALG_CERTS
+#ifndef NO_RSA
 /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
  * RSA public key. Convert it into a usable public key. */
 static int decodeRsaKey(WOLFSSL* ssl)
@@ -9714,7 +9715,9 @@ static int decodeRsaKey(WOLFSSL* ssl)
 
     return 0;
 }
+#endif /* !NO_RSA */
 
+#ifdef HAVE_ECC
 /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
  * ECC public key. Convert it into a usable public key. */
 static int decodeEccKey(WOLFSSL* ssl)
@@ -9738,7 +9741,9 @@ static int decodeEccKey(WOLFSSL* ssl)
 
     return 0;
 }
+#endif /* HAVE_ECC */
 
+#ifdef HAVE_DILITHIUM
 /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
  * dilithium public key. Convert it into a usable public key. */
 static int decodeDilithiumKey(WOLFSSL* ssl, int level)
@@ -9767,7 +9772,9 @@ static int decodeDilithiumKey(WOLFSSL* ssl, int level)
 
     return 0;
 }
+#endif /* HAVE_DILITHIUM */
 
+#ifdef HAVE_FALCON
 /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
  * falcon public key. Convert it into a usable public key. */
 static int decodeFalconKey(WOLFSSL* ssl, int level)
@@ -9795,6 +9802,7 @@ static int decodeFalconKey(WOLFSSL* ssl, int level)
 
     return 0;
 }
+#endif /* HAVE_FALCON */
 #endif /* WOLFSSL_DUAL_ALG_CERTS */
 
 /* handle processing TLS v1.3 certificate_verify (15) */
@@ -9947,12 +9955,17 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                     sa = args->altSigAlgo;
 
                 switch(sa) {
+            #ifndef NO_RSA
                 case rsa_pss_sa_algo:
                     ret = decodeRsaKey(ssl);
                     break;
+            #endif
+            #ifdef HAVE_ECC
                 case ecc_dsa_sa_algo:
                     ret = decodeEccKey(ssl);
                     break;
+            #endif
+            #ifdef HAVE_DILITHIUM
                 case dilithium_level2_sa_algo:
                     ret = decodeDilithiumKey(ssl, 2);
                     break;
@@ -9962,12 +9975,15 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                 case dilithium_level5_sa_algo:
                     ret = decodeDilithiumKey(ssl, 5);
                     break;
+            #endif
+            #ifdef HAVE_FALCON
                 case falcon_level1_sa_algo:
                     ret = decodeFalconKey(ssl, 1);
                     break;
                 case falcon_level5_sa_algo:
                     ret = decodeFalconKey(ssl, 5);
                     break;
+            #endif
                 default:
                     ERROR_OUT(PEER_KEY_ERROR, exit_dcv);
                 }
@@ -9978,17 +9994,22 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                 if (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) {
                     /* Now swap in the alternative by removing the native.
                      * sa contains the alternative signature type. */
+                #ifndef NO_RSA
                     if (ssl->peerRsaKeyPresent && sa != rsa_pss_sa_algo) {
                         FreeKey(ssl, DYNAMIC_TYPE_RSA,
                                 (void**)&ssl->peerRsaKey);
                         ssl->peerRsaKeyPresent = 0;
                     }
+                #endif
+                #ifdef HAVE_ECC
                     else if (ssl->peerEccDsaKeyPresent &&
                              sa != ecc_dsa_sa_algo) {
                         FreeKey(ssl, DYNAMIC_TYPE_ECC,
                                 (void**)&ssl->peerEccDsaKey);
                         ssl->peerEccDsaKeyPresent = 0;
                     }
+                #endif
+                #ifdef HAVE_DILITHIUM
                     else if (ssl->peerDilithiumKeyPresent &&
                              sa != dilithium_level2_sa_algo &&
                              sa != dilithium_level3_sa_algo &&
@@ -9997,13 +10018,16 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
                                 (void**)&ssl->peerDilithiumKey);
                         ssl->peerDilithiumKeyPresent = 0;
                     }
+                #endif
+                #ifdef HAVE_FALCON
                     else if (ssl->peerFalconKeyPresent &&
                              sa != falcon_level1_sa_algo &&
                              sa != falcon_level5_sa_algo) {
                         FreeKey(ssl, DYNAMIC_TYPE_FALCON,
                                 (void**)&ssl->peerFalconKey);
                         ssl->peerFalconKeyPresent = 0;
                     }
+                #endif
                     else {
                         ERROR_OUT(PEER_KEY_ERROR, exit_dcv);
                     }
diff --git a/src/x509.c b/src/x509.c
@@ -12852,6 +12852,7 @@ WOLF_STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list(
         if (name == NULL || WOLFSSL_SUCCESS != wolfSSL_sk_X509_NAME_push(copy, name)) {
             WOLFSSL_MSG("Memory error");
             wolfSSL_sk_X509_NAME_pop_free(copy, wolfSSL_X509_NAME_free);
+            wolfSSL_X509_NAME_free(name);
             return NULL;
         }
     }
diff --git a/tests/api.c b/tests/api.c
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
diff --git a/wolfcrypt/src/wc_xmss_impl.c b/wolfcrypt/src/wc_xmss_impl.c

Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,7 @@ static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl, const byte* buff,`
`121`	`121`	`wolfSSL_d2i_X509_NAME(&crle->issuer, (unsigned char**)&dcrl->issuer,`
`122`	`122`	`dcrl->issuerSz);`
`123`	`123`	`if (crle->issuer == NULL) {`
`124`		`- return WOLFSSL_FAILURE;`
	`124`	`+ return -1;`
`125`	`125`	`}`
`126`	`126`	`#endif`
`127`	`127`	`#ifdef CRL_STATIC_REVOKED_LIST`
Original file line number	Diff line number	Diff line change
`@@ -13495,6 +13495,9 @@ int SetupStoreCtxCallback(WOLFSSL_X509_STORE_CTX** store_pt,`
`13495`	`13495`	`store->current_cert = x509;`
`13496`	`13496`	`*x509Free = 1;`
`13497`	`13497`	`}`
	`13498`	`+ else {`
	`13499`	`+ goto mem_error;`
	`13500`	`+ }`
`13498`	`13501`	`}`
`13499`	`13502`	`#endif`
`13500`	`13503`	`#ifdef SESSION_CERTS`
Original file line number	Diff line number	Diff line change
`@@ -5202,6 +5202,8 @@ static int wolfssl_set_tmp_dh(WOLFSSL* ssl, unsigned char* p, int pSz,`
`5202`	`5202`
`5203`	`5203`	`/* Allocate space for cipher suites. */`
`5204`	`5204`	`if ((ret == 1) && (AllocateSuites(ssl) != 0)) {`
	`5205`	`+ ssl->buffers.serverDH_P.buffer = NULL;`
	`5206`	`+ ssl->buffers.serverDH_G.buffer = NULL;`
`5205`	`5207`	`ret = 0;`
`5206`	`5208`	`}`
`5207`	`5209`	`if (ret == 1) {`
`@@ -5249,8 +5251,6 @@ int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,`
`5249`	`5251`	`pAlloc = (byte*)XMALLOC(pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);`
`5250`	`5252`	`gAlloc = (byte*)XMALLOC(gSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);`
`5251`	`5253`	`if ((pAlloc == NULL) \|\| (gAlloc == NULL)) {`
`5252`		`- XFREE(pAlloc, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);`
`5253`		`- XFREE(gAlloc, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);`
`5254`	`5254`	`ret = MEMORY_E;`
`5255`	`5255`	`}`
`5256`	`5256`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12852,6 +12852,7 @@ WOLF_STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list(`
`12852`	`12852`	`if (name == NULL \|\| WOLFSSL_SUCCESS != wolfSSL_sk_X509_NAME_push(copy, name)) {`
`12853`	`12853`	`WOLFSSL_MSG("Memory error");`
`12854`	`12854`	`wolfSSL_sk_X509_NAME_pop_free(copy, wolfSSL_X509_NAME_free);`
	`12855`	`+ wolfSSL_X509_NAME_free(name);`
`12855`	`12856`	`return NULL;`
`12856`	`12857`	`}`
`12857`	`12858`	`}`