Regression test fixes

SparkiDev · SparkiDev · commit 5f1ddadf71a6 · 2024-10-11T11:49:01.000+10:00
Fix unit tests to not compile when NO_RSA is defined and RSA used.
test_wc_PKCS7_EncodeSignedData: only RSA supported with streaming.
test_wolfSSL_RSA when SP math and SP: CRT parameters required.
test_wolfSSL_OCSP_REQ_CTX to compile with NO_ASN_TIME.
test_wolfSSL_IMPLEMENT_ASN1_FUNCTIONS: make sure all objects freed even
on memory allocation failure.
test_wolfSSL_error_cb: don't use bio if is NULL.
test_wolfSSL_BN_enc_dec: don't free a twice on memory allocation error.
test_wc_dilithium_der: remove debug printing
test_othername_and_SID_ext: make sid_oid NULL after free to ensure no
double free on later memory allocation failure.
test_wolfSSL_RSA: don't leak when BN_dup fails.
test_wolfSSL_i2d_ASN1_TYPE: free ASN1 string whn no ASN1 type to put it
into.
test_tls13_rpk_handshake: don't leak on failure
test_dtls_client_hello_timeout_downgrade: only move memory when test is

wolfSSL_certs_clear, wolfSSL_set_SSL_CTX, SetSSL_CTX: Check return from
AllocCopyDer.
d2i_generic: make sure impBuf is only freed once.
wolfSSL_BIO_write: don't dereference front unless it is not NULL.
wolfssl_dns_entry_othername_to_gn: don't free obj twice
wolfSSL_X509_REQ_add1_attr_by_NID: don't access reqAttributes if NULL.
succeeding.
diff --git a/src/bio.c b/src/bio.c
@@ -834,7 +834,9 @@ int wolfSSL_BIO_write(WOLFSSL_BIO* bio, const void* data, int len)
                                  (const char*)data, len, 0, ret);
     }
 
-    XFREE(frmt, front->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    if (front != NULL) {
+        XFREE(frmt, front->heap, DYNAMIC_TYPE_TMP_BUFFER);
+    }
 
 #ifdef WOLFSSL_BASE64_ENCODE
     if (retB64 > 0 && ret > 0)
diff --git a/src/internal.c b/src/internal.c
@@ -6849,10 +6849,14 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
         if (ssl->buffers.key != NULL) {
             FreeDer(&ssl->buffers.key);
         }
-        AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
+        ret = AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
             ctx->privateKey->length, ctx->privateKey->type,
             ctx->privateKey->heap);
+        if (ret != 0) {
+            return ret;
+        }
         ssl->buffers.weOwnKey = 1;
+        ret = WOLFSSL_SUCCESS;
     }
     else {
         ssl->buffers.key      = ctx->privateKey;
@@ -6862,9 +6866,12 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #endif
 #else
     if (ctx->privateKey != NULL) {
-        AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
+        ret = AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
             ctx->privateKey->length, ctx->privateKey->type,
             ctx->privateKey->heap);
+        if (ret != 0) {
+            return ret;
+        }
         ssl->buffers.weOwnKey = 1;
         /* Blind the private key for the SSL with new random mask. */
         wolfssl_priv_der_unblind(ssl->buffers.key, ctx->privateKeyMask);
@@ -6885,16 +6892,20 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
     ssl->buffers.altKey   = ctx->altPrivateKey;
 #else
     if (ctx->altPrivateKey != NULL) {
-        AllocCopyDer(&ssl->buffers.altkey, ctx->altPrivateKey->buffer,
+        ret = AllocCopyDer(&ssl->buffers.altkey, ctx->altPrivateKey->buffer,
             ctx->altPrivateKey->length, ctx->altPrivateKey->type,
             ctx->altPrivateKey->heap);
+        if (ret != 0) {
+            return ret;
+        }
         /* Blind the private key for the SSL with new random mask. */
         wolfssl_priv_der_unblind(ssl->buffers.altKey, ctx->altPrivateKeyMask);
         ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey,
             &ssl->buffers.altKeyMask);
         if (ret != 0) {
             return ret;
         }
+        ret = WOLFSSL_SUCCESS;
     }
 #endif
     ssl->buffers.altKeyType  = ctx->altPrivateKeyType;
diff --git a/src/ssl.c b/src/ssl.c
@@ -19789,11 +19789,15 @@ void wolfSSL_certs_clear(WOLFSSL* ssl)
         return;
 
     /* ctx still owns certificate, certChain, key, dh, and cm */
-    if (ssl->buffers.weOwnCert)
+    if (ssl->buffers.weOwnCert) {
         FreeDer(&ssl->buffers.certificate);
+        ssl->buffers.weOwnCert = 0;
+    }
     ssl->buffers.certificate = NULL;
-    if (ssl->buffers.weOwnCertChain)
+    if (ssl->buffers.weOwnCertChain) {
         FreeDer(&ssl->buffers.certChain);
+        ssl->buffers.weOwnCertChain = 0;
+    }
     ssl->buffers.certChain = NULL;
 #ifdef WOLFSSL_TLS13
     ssl->buffers.certChainCnt = 0;
@@ -19803,6 +19807,7 @@ void wolfSSL_certs_clear(WOLFSSL* ssl)
     #ifdef WOLFSSL_BLIND_PRIVATE_KEY
         FreeDer(&ssl->buffers.keyMask);
     #endif
+        ssl->buffers.weOwnKey = 0;
     }
     ssl->buffers.key      = NULL;
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
@@ -19819,6 +19824,7 @@ void wolfSSL_certs_clear(WOLFSSL* ssl)
     #ifdef WOLFSSL_BLIND_PRIVATE_KEY
         FreeDer(&ssl->buffers.altKeyMask);
     #endif
+        ssl->buffers.weOwnAltKey = 0;
     }
     ssl->buffers.altKey     = NULL;
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
@@ -20398,11 +20404,13 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
     if (ctx->certificate != NULL) {
         if (ssl->buffers.certificate != NULL) {
             FreeDer(&ssl->buffers.certificate);
+            ssl->buffers.certificate = NULL;
         }
         ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
             ctx->certificate->length, ctx->certificate->type,
             ctx->certificate->heap);
         if (ret != 0) {
+            ssl->buffers.weOwnCert = 0;
             return NULL;
         }
 
@@ -20412,11 +20420,13 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
     if (ctx->certChain != NULL) {
         if (ssl->buffers.certChain != NULL) {
             FreeDer(&ssl->buffers.certChain);
+            ssl->buffers.certChain = NULL;
         }
         ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
             ctx->certChain->length, ctx->certChain->type,
             ctx->certChain->heap);
         if (ret != 0) {
+            ssl->buffers.weOwnCertChain = 0;
             return NULL;
         }
 
@@ -20436,10 +20446,15 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
     if (ctx->privateKey != NULL) {
         if (ssl->buffers.key != NULL) {
             FreeDer(&ssl->buffers.key);
+            ssl->buffers.key = NULL;
         }
-        AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
+        ret = AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
             ctx->privateKey->length, ctx->privateKey->type,
             ctx->privateKey->heap);
+        if (ret != 0) {
+            ssl->buffers.weOwnKey = 0;
+            return NULL;
+        }
         ssl->buffers.weOwnKey = 1;
     }
     else {
@@ -20450,15 +20465,18 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 #endif
 #else
     if (ctx->privateKey != NULL) {
-        AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
+        ret = AllocCopyDer(&ssl->buffers.key, ctx->privateKey->buffer,
             ctx->privateKey->length, ctx->privateKey->type,
             ctx->privateKey->heap);
+        if (ret != 0) {
+            return NULL;
+        }
         /* Blind the private key for the SSL with new random mask. */
         wolfssl_priv_der_unblind(ssl->buffers.key, ctx->privateKeyMask);
         ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
             &ssl->buffers.keyMask);
         if (ret != 0) {
-            return ret;
+            return NULL;
         }
     }
 #endif
@@ -20480,15 +20498,18 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
     ssl->buffers.altKey   = ctx->altPrivateKey;
 #else
     if (ctx->altPrivateKey != NULL) {
-        AllocCopyDer(&ssl->buffers.altkey, ctx->altPrivateKey->buffer,
+        ret = AllocCopyDer(&ssl->buffers.altkey, ctx->altPrivateKey->buffer,
             ctx->altPrivateKey->length, ctx->altPrivateKey->type,
             ctx->altPrivateKey->heap);
+        if (ret != 0) {
+            return NULL;
+        }
         /* Blind the private key for the SSL with new random mask. */
         wolfssl_priv_der_unblind(ssl->buffers.altKey, ctx->altPrivateKeyMask);
         ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey,
             &ssl->buffers.altKeyMask);
         if (ret != 0) {
-            return ret;
+            return NULL;
         }
     }
 #endif
diff --git a/src/ssl_asn1.c b/src/ssl_asn1.c
@@ -580,6 +580,7 @@ static void* d2i_generic(const WOLFSSL_ASN1_TEMPLATE* mem,
     if (impBuf != NULL) {
         tmp = *src + (tmp - impBuf); /* for the next calculation */
         XFREE(impBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        impBuf = NULL;
     }
     if (asnLen >= 0 && (int)(tmp - *src) != asnLen) {
         WOLFSSL_MSG("ptr not advanced enough");
diff --git a/src/x509.c b/src/x509.c
@@ -562,7 +562,6 @@ static int wolfssl_dns_entry_othername_to_gn(DNS_entry* dns,
     /* Create a WOLFSSL_ASN1_STRING from the DER. */
     str = wolfSSL_ASN1_STRING_type_new(tag);
     if (str == NULL) {
-        wolfSSL_ASN1_OBJECT_free(obj);
         goto err;
     }
     wolfSSL_ASN1_STRING_set(str, p, (int)len);
@@ -15431,12 +15430,14 @@ int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req,
                 req->reqAttributes->type = STACK_TYPE_X509_REQ_ATTR;
             }
         }
-        if (req->reqAttributes->type == STACK_TYPE_X509_REQ_ATTR) {
+        if ((req->reqAttributes != NULL) &&
+                (req->reqAttributes->type == STACK_TYPE_X509_REQ_ATTR)) {
             ret = wolfSSL_sk_push(req->reqAttributes, attr) > 0
                     ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;
         }
-        else
+        else {
             ret = WOLFSSL_FAILURE;
+        }
         if (ret != WOLFSSL_SUCCESS)
             wolfSSL_X509_ATTRIBUTE_free(attr);
     }
diff --git a/tests/api.c b/tests/api.c

Original file line number	Diff line number	Diff line change
`@@ -834,7 +834,9 @@ int wolfSSL_BIO_write(WOLFSSL_BIO* bio, const void* data, int len)`
`834`	`834`	`(const char*)data, len, 0, ret);`
`835`	`835`	`}`
`836`	`836`
`837`		`- XFREE(frmt, front->heap, DYNAMIC_TYPE_TMP_BUFFER);`
	`837`	`+ if (front != NULL) {`
	`838`	`+ XFREE(frmt, front->heap, DYNAMIC_TYPE_TMP_BUFFER);`
	`839`	`+ }`
`838`	`840`
`839`	`841`	`#ifdef WOLFSSL_BASE64_ENCODE`
`840`	`842`	`if (retB64 > 0 && ret > 0)`
Original file line number	Diff line number	Diff line change
`@@ -580,6 +580,7 @@ static void* d2i_generic(const WOLFSSL_ASN1_TEMPLATE* mem,`
`580`	`580`	`if (impBuf != NULL) {`
`581`	`581`	`tmp = src + (tmp - impBuf); / for the next calculation */`
`582`	`582`	`XFREE(impBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);`
	`583`	`+ impBuf = NULL;`
`583`	`584`	`}`
`584`	`585`	`if (asnLen >= 0 && (int)(tmp - *src) != asnLen) {`
`585`	`586`	`WOLFSSL_MSG("ptr not advanced enough");`
Original file line number	Diff line number	Diff line change
`@@ -562,7 +562,6 @@ static int wolfssl_dns_entry_othername_to_gn(DNS_entry* dns,`
`562`	`562`	`/* Create a WOLFSSL_ASN1_STRING from the DER. */`
`563`	`563`	`str = wolfSSL_ASN1_STRING_type_new(tag);`
`564`	`564`	`if (str == NULL) {`
`565`		`- wolfSSL_ASN1_OBJECT_free(obj);`
`566`	`565`	`goto err;`
`567`	`566`	`}`
`568`	`567`	`wolfSSL_ASN1_STRING_set(str, p, (int)len);`
`@@ -15431,12 +15430,14 @@ int wolfSSL_X509_REQ_add1_attr_by_NID(WOLFSSL_X509 *req,`
`15431`	`15430`	`req->reqAttributes->type = STACK_TYPE_X509_REQ_ATTR;`
`15432`	`15431`	`}`
`15433`	`15432`	`}`
`15434`		`- if (req->reqAttributes->type == STACK_TYPE_X509_REQ_ATTR) {`
	`15433`	`+ if ((req->reqAttributes != NULL) &&`
	`15434`	`+ (req->reqAttributes->type == STACK_TYPE_X509_REQ_ATTR)) {`
`15435`	`15435`	`ret = wolfSSL_sk_push(req->reqAttributes, attr) > 0`
`15436`	`15436`	`? WOLFSSL_SUCCESS : WOLFSSL_FAILURE;`
`15437`	`15437`	`}`
`15438`		`- else`
	`15438`	`+ else {`
`15439`	`15439`	`ret = WOLFSSL_FAILURE;`
	`15440`	`+ }`
`15440`	`15441`	`if (ret != WOLFSSL_SUCCESS)`
`15441`	`15442`	`wolfSSL_X509_ATTRIBUTE_free(attr);`
`15442`	`15443`	`}`