Skip to content

Commit 0932891

Browse files
authored
Merge pull request wolfSSL#8370 from douzzer/20250120-lean-fips
20250120-lean-fips
2 parents ca92284 + f7abd7c commit 0932891

File tree

17 files changed

+136
-75
lines changed

17 files changed

+136
-75
lines changed

configure.ac

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5951,7 +5951,7 @@ then
59515951
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE128"
59525952
if test "$ENABLED_SHA3" = "no"
59535953
then
5954-
AC_MSG_ERROR([Must have SHA-3 enabled: --enable-sha3])
5954+
AC_MSG_ERROR([shake128 requires SHA-3: --enable-sha3])
59555955
fi
59565956
else
59575957
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE128"
@@ -5967,7 +5967,7 @@ then
59675967
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE256"
59685968
if test "$ENABLED_SHA3" = "no"
59695969
then
5970-
AC_MSG_ERROR([Must have SHA-3 enabled: --enable-sha3])
5970+
AC_MSG_ERROR([shake256 requires SHA-3: --enable-sha3])
59715971
fi
59725972
else
59735973
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"

linuxkm/module_hooks.c

Lines changed: 32 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -244,6 +244,38 @@ static int wolfssl_init(void)
244244
}
245245
return -ECANCELED;
246246
}
247+
#endif /* HAVE_FIPS */
248+
249+
#ifdef WC_RNG_SEED_CB
250+
ret = wc_SetSeed_Cb(wc_GenerateSeed);
251+
if (ret < 0) {
252+
pr_err("wc_SetSeed_Cb() failed with return code %d.\n", ret);
253+
(void)libwolfssl_cleanup();
254+
msleep(10);
255+
return -ECANCELED;
256+
}
257+
#endif
258+
259+
#ifdef WOLFCRYPT_ONLY
260+
ret = wolfCrypt_Init();
261+
if (ret != 0) {
262+
pr_err("wolfCrypt_Init() failed: %s\n", wc_GetErrorString(ret));
263+
return -ECANCELED;
264+
}
265+
#else
266+
ret = wolfSSL_Init();
267+
if (ret != WOLFSSL_SUCCESS) {
268+
pr_err("wolfSSL_Init() failed: %s\n", wc_GetErrorString(ret));
269+
return -ECANCELED;
270+
}
271+
#endif
272+
273+
#ifdef HAVE_FIPS
274+
ret = wc_RunAllCast_fips();
275+
if (ret != 0) {
276+
pr_err("wc_RunAllCast_fips() failed with return value %d\n", ret);
277+
return -ECANCELED;
278+
}
247279

248280
pr_info("FIPS 140-3 wolfCrypt-fips v%d.%d.%d%s%s startup "
249281
"self-test succeeded.\n",
@@ -270,33 +302,8 @@ static int wolfssl_init(void)
270302
""
271303
#endif
272304
);
273-
274305
#endif /* HAVE_FIPS */
275306

276-
#ifdef WC_RNG_SEED_CB
277-
ret = wc_SetSeed_Cb(wc_GenerateSeed);
278-
if (ret < 0) {
279-
pr_err("wc_SetSeed_Cb() failed with return code %d.\n", ret);
280-
(void)libwolfssl_cleanup();
281-
msleep(10);
282-
return -ECANCELED;
283-
}
284-
#endif
285-
286-
#ifdef WOLFCRYPT_ONLY
287-
ret = wolfCrypt_Init();
288-
if (ret != 0) {
289-
pr_err("wolfCrypt_Init() failed: %s\n", wc_GetErrorString(ret));
290-
return -ECANCELED;
291-
}
292-
#else
293-
ret = wolfSSL_Init();
294-
if (ret != WOLFSSL_SUCCESS) {
295-
pr_err("wolfSSL_Init() failed: %s\n", wc_GetErrorString(ret));
296-
return -ECANCELED;
297-
}
298-
#endif
299-
300307
#ifndef NO_CRYPT_TEST
301308
ret = wolfcrypt_test(NULL);
302309
if (ret < 0) {

src/internal.c

Lines changed: 20 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -25300,16 +25300,21 @@ static int ssl_in_handshake(WOLFSSL *ssl, int send)
2530025300
return 0;
2530125301
}
2530225302

25303-
int SendData(WOLFSSL* ssl, const void* data, int sz)
25303+
int SendData(WOLFSSL* ssl, const void* data, size_t sz)
2530425304
{
25305-
int sent = 0, /* plainText size */
25306-
sendSz,
25305+
word32 sent = 0; /* plainText size */
25306+
int sendSz,
2530725307
ret;
2530825308
#if defined(WOLFSSL_EARLY_DATA) && defined(WOLFSSL_EARLY_DATA_GROUP)
2530925309
int groupMsgs = 0;
2531025310
#endif
2531125311
int error = ssl->error;
2531225312

25313+
if (sz > INT_MAX) {
25314+
WOLFSSL_MSG("SendData sz overflow");
25315+
return WOLFSSL_FATAL_ERROR;
25316+
}
25317+
2531325318
if (error == WC_NO_ERR_TRACE(WANT_WRITE)
2531425319
#ifdef WOLFSSL_ASYNC_CRYPT
2531525320
|| error == WC_NO_ERR_TRACE(WC_PENDING_E)
@@ -25414,7 +25419,7 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
2541425419
sent = ssl->buffers.prevSent + ssl->buffers.plainSz;
2541525420
WOLFSSL_MSG("sent write buffered data");
2541625421

25417-
if (sent > sz) {
25422+
if (sent > (word32)sz) {
2541825423
WOLFSSL_MSG("error: write() after WANT_WRITE with short size");
2541925424
return (ssl->error = BAD_FUNC_ARG);
2542025425
}
@@ -25503,19 +25508,19 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
2550325508

2550425509
#ifdef WOLFSSL_DTLS
2550525510
if (ssl->options.dtls) {
25506-
buffSz = wolfSSL_GetMaxFragSize(ssl, sz - sent);
25511+
buffSz = wolfSSL_GetMaxFragSize(ssl, (word32)sz - sent);
2550725512
}
2550825513
else
2550925514
#endif
2551025515
{
25511-
buffSz = wolfSSL_GetMaxFragSize(ssl, sz - sent);
25516+
buffSz = wolfSSL_GetMaxFragSize(ssl, (word32)sz - sent);
2551225517

2551325518
}
2551425519

25515-
if (sent == sz) break;
25520+
if (sent == (word32)sz) break;
2551625521

2551725522
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_DTLS_SIZE_CHECK)
25518-
if (ssl->options.dtls && (buffSz < sz - sent)) {
25523+
if (ssl->options.dtls && ((size_t)buffSz < (word32)sz - sent)) {
2551925524
error = DTLS_SIZE_ERROR;
2552025525
ssl->error = error;
2552125526
WOLFSSL_ERROR(error);
@@ -25686,13 +25691,18 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
2568625691
}
2568725692

2568825693
/* process input data */
25689-
int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
25694+
int ReceiveData(WOLFSSL* ssl, byte* output, size_t sz, int peek)
2569025695
{
2569125696
int size;
2569225697
int error = ssl->error;
2569325698

2569425699
WOLFSSL_ENTER("ReceiveData");
2569525700

25701+
if (sz > INT_MAX) {
25702+
WOLFSSL_MSG("ReceiveData sz overflow");
25703+
return WOLFSSL_FATAL_ERROR;
25704+
}
25705+
2569625706
/* reset error state */
2569725707
if (error == WC_NO_ERR_TRACE(WANT_READ) ||
2569825708
error == WOLFSSL_ERROR_WANT_READ) {
@@ -25842,7 +25852,7 @@ int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
2584225852
#endif
2584325853
}
2584425854

25845-
size = (int)min((word32)sz, ssl->buffers.clearOutputBuffer.length);
25855+
size = (int)min_size_t(sz, (size_t)ssl->buffers.clearOutputBuffer.length);
2584625856

2584725857
XMEMCPY(output, ssl->buffers.clearOutputBuffer.buffer, size);
2584825858

src/ssl.c

Lines changed: 47 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -2970,14 +2970,13 @@ int wolfSSL_GetDhKey_Sz(WOLFSSL* ssl)
29702970
#endif /* !NO_DH */
29712971

29722972

2973-
WOLFSSL_ABI
2974-
int wolfSSL_write(WOLFSSL* ssl, const void* data, int sz)
2973+
static int wolfSSL_write_internal(WOLFSSL* ssl, const void* data, size_t sz)
29752974
{
29762975
int ret;
29772976

29782977
WOLFSSL_ENTER("wolfSSL_write");
29792978

2980-
if (ssl == NULL || data == NULL || sz < 0)
2979+
if (ssl == NULL || data == NULL)
29812980
return BAD_FUNC_ARG;
29822981

29832982
#ifdef WOLFSSL_QUIC
@@ -3037,6 +3036,17 @@ int wolfSSL_write(WOLFSSL* ssl, const void* data, int sz)
30373036
return ret;
30383037
}
30393038

3039+
WOLFSSL_ABI
3040+
int wolfSSL_write(WOLFSSL* ssl, const void* data, int sz)
3041+
{
3042+
WOLFSSL_ENTER("wolfSSL_write");
3043+
3044+
if (sz < 0)
3045+
return BAD_FUNC_ARG;
3046+
3047+
return wolfSSL_write_internal(ssl, data, (size_t)sz);
3048+
}
3049+
30403050
int wolfSSL_inject(WOLFSSL* ssl, const void* data, int sz)
30413051
{
30423052
int maxLength;
@@ -3074,15 +3084,15 @@ int wolfSSL_inject(WOLFSSL* ssl, const void* data, int sz)
30743084
}
30753085

30763086

3077-
int wolfSSL_write_ex(WOLFSSL* ssl, const void* data, int sz, size_t* wr)
3087+
int wolfSSL_write_ex(WOLFSSL* ssl, const void* data, size_t sz, size_t* wr)
30783088
{
30793089
int ret;
30803090

30813091
if (wr != NULL) {
30823092
*wr = 0;
30833093
}
30843094

3085-
ret = wolfSSL_write(ssl, data, sz);
3095+
ret = wolfSSL_write_internal(ssl, data, sz);
30863096
if (ret >= 0) {
30873097
if (wr != NULL) {
30883098
*wr = (size_t)ret;
@@ -3093,7 +3103,7 @@ int wolfSSL_write_ex(WOLFSSL* ssl, const void* data, int sz, size_t* wr)
30933103
if (ret == 0 && ssl->options.partialWrite) {
30943104
ret = 0;
30953105
}
3096-
else if (ret < sz && !ssl->options.partialWrite) {
3106+
else if ((size_t)ret < sz && !ssl->options.partialWrite) {
30973107
ret = 0;
30983108
}
30993109
else {
@@ -3110,13 +3120,13 @@ int wolfSSL_write_ex(WOLFSSL* ssl, const void* data, int sz, size_t* wr)
31103120
}
31113121

31123122

3113-
static int wolfSSL_read_internal(WOLFSSL* ssl, void* data, int sz, int peek)
3123+
static int wolfSSL_read_internal(WOLFSSL* ssl, void* data, size_t sz, int peek)
31143124
{
31153125
int ret;
31163126

31173127
WOLFSSL_ENTER("wolfSSL_read_internal");
31183128

3119-
if (ssl == NULL || data == NULL || sz < 0)
3129+
if (ssl == NULL || data == NULL)
31203130
return BAD_FUNC_ARG;
31213131

31223132
#ifdef WOLFSSL_QUIC
@@ -3194,7 +3204,10 @@ int wolfSSL_peek(WOLFSSL* ssl, void* data, int sz)
31943204
{
31953205
WOLFSSL_ENTER("wolfSSL_peek");
31963206

3197-
return wolfSSL_read_internal(ssl, data, sz, TRUE);
3207+
if (sz < 0)
3208+
return BAD_FUNC_ARG;
3209+
3210+
return wolfSSL_read_internal(ssl, data, (size_t)sz, TRUE);
31983211
}
31993212

32003213

@@ -3203,6 +3216,9 @@ int wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
32033216
{
32043217
WOLFSSL_ENTER("wolfSSL_read");
32053218

3219+
if (sz < 0)
3220+
return BAD_FUNC_ARG;
3221+
32063222
#ifdef OPENSSL_EXTRA
32073223
if (ssl == NULL) {
32083224
return BAD_FUNC_ARG;
@@ -3212,16 +3228,26 @@ int wolfSSL_read(WOLFSSL* ssl, void* data, int sz)
32123228
ssl->cbmode = WOLFSSL_CB_READ;
32133229
}
32143230
#endif
3215-
return wolfSSL_read_internal(ssl, data, sz, FALSE);
3231+
return wolfSSL_read_internal(ssl, data, (size_t)sz, FALSE);
32163232
}
32173233

32183234

32193235
/* returns 0 on failure and on no read */
3220-
int wolfSSL_read_ex(WOLFSSL* ssl, void* data, int sz, size_t* rd)
3236+
int wolfSSL_read_ex(WOLFSSL* ssl, void* data, size_t sz, size_t* rd)
32213237
{
3222-
int ret;
3238+
int ret;
3239+
3240+
#ifdef OPENSSL_EXTRA
3241+
if (ssl == NULL) {
3242+
return BAD_FUNC_ARG;
3243+
}
3244+
if (ssl->CBIS != NULL) {
3245+
ssl->CBIS(ssl, WOLFSSL_CB_READ, WOLFSSL_SUCCESS);
3246+
ssl->cbmode = WOLFSSL_CB_READ;
3247+
}
3248+
#endif
3249+
ret = wolfSSL_read_internal(ssl, data, sz, FALSE);
32233250

3224-
ret = wolfSSL_read(ssl, data, sz);
32253251
if (ret > 0 && rd != NULL) {
32263252
*rd = (size_t)ret;
32273253
}
@@ -3238,10 +3264,10 @@ int wolfSSL_mcast_read(WOLFSSL* ssl, word16* id, void* data, int sz)
32383264

32393265
WOLFSSL_ENTER("wolfSSL_mcast_read");
32403266

3241-
if (ssl == NULL)
3267+
if ((ssl == NULL) || (sz < 0))
32423268
return BAD_FUNC_ARG;
32433269

3244-
ret = wolfSSL_read_internal(ssl, data, sz, FALSE);
3270+
ret = wolfSSL_read_internal(ssl, data, (size_t)sz, FALSE);
32453271
if (ssl->options.dtls && ssl->options.haveMcast && id != NULL)
32463272
*id = ssl->keys.curPeerId;
32473273
return ret;
@@ -11302,19 +11328,19 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
1130211328
#endif
1130311329
byte* myBuffer = staticBuffer;
1130411330
int dynamic = 0;
11305-
int sending = 0;
11331+
word32 sending = 0;
1130611332
int idx = 0;
1130711333
int i;
1130811334
int ret;
1130911335

1131011336
WOLFSSL_ENTER("wolfSSL_writev");
1131111337

1131211338
for (i = 0; i < iovcnt; i++)
11313-
sending += (int)iov[i].iov_len;
11339+
sending += iov[i].iov_len;
1131411340

11315-
if (sending > (int)sizeof(staticBuffer)) {
11316-
myBuffer = (byte*)XMALLOC((size_t)sending, ssl->heap,
11317-
DYNAMIC_TYPE_WRITEV);
11341+
if (sending > sizeof(staticBuffer)) {
11342+
myBuffer = (byte*)XMALLOC(sending, ssl->heap,
11343+
DYNAMIC_TYPE_WRITEV);
1131811344
if (!myBuffer)
1131911345
return MEMORY_ERROR;
1132011346

@@ -11331,7 +11357,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
1133111357
*/
1133211358
PRAGMA_GCC_DIAG_PUSH
1133311359
PRAGMA_GCC("GCC diagnostic ignored \"-Wmaybe-uninitialized\"")
11334-
ret = wolfSSL_write(ssl, myBuffer, sending);
11360+
ret = wolfSSL_write_internal(ssl, myBuffer, sending);
1133511361
PRAGMA_GCC_DIAG_POP
1133611362

1133711363
if (dynamic)

src/tls13.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14887,7 +14887,7 @@ int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
1488714887
return WOLFSSL_FATAL_ERROR;
1488814888
}
1488914889
if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) {
14890-
ret = ReceiveData(ssl, (byte*)data, sz, FALSE);
14890+
ret = ReceiveData(ssl, (byte*)data, (size_t)sz, FALSE);
1489114891
if (ret > 0)
1489214892
*outSz = ret;
1489314893
if (ssl->error == WC_NO_ERR_TRACE(ZERO_RETURN)) {

wolfcrypt/benchmark/benchmark.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -586,7 +586,7 @@
586586
#undef LIBCALL_CHECK_RET
587587
#if defined(NO_STDIO_FILESYSTEM) || defined(NO_ERROR_STRINGS) || \
588588
defined(NO_MAIN_DRIVER) || defined(BENCH_EMBEDDED)
589-
#define LIBCALL_CHECK_RET(...) __VA_ARGS__
589+
#define LIBCALL_CHECK_RET(...) (void)(__VA_ARGS__)
590590
#else
591591
#define LIBCALL_CHECK_RET(...) do { \
592592
int _libcall_ret = (__VA_ARGS__); \

wolfcrypt/src/aes.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6886,7 +6886,7 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c,
68866886
#define GHASH_ONE_BLOCK_SW(aes, block) \
68876887
do { \
68886888
xorbuf(AES_TAG(aes), block, WC_AES_BLOCK_SIZE); \
6889-
GMULT(AES_TAG(aes), aes->gcm.H); \
6889+
GMULT(AES_TAG(aes), (aes)->gcm.H); \
68906890
} \
68916891
while (0)
68926892
#endif /* WOLFSSL_AESGCM_STREAM */

0 commit comments

Comments
 (0)