Merge pull request #122 from SparkiDev/we_ossl_unit_2

AES-GCM: fix smothering of error

Author: cconlon

…atches/1.1.1b/tests/evpkdf.txt_11b.patch …tches/1.1.1b/tests/evpkdf.txt_111b.patchopenssl_patches/1.1.1b/tests/evpkdf.txt_11b.patch renamed to openssl_patches/1.1.1b/tests/evpkdf.txt_111b.patch openssl_patches/1.1.1b/tests/evpkdf.txt_11b.patch renamed to openssl_patches/1.1.1b/tests/evpkdf.txt_111b.patch

@@ -0,0 +1,22 @@
+diff --git a/test/ocspapitest.c b/test/ocspapitest.c
+index 43b03e3f..d9d01ac2 100644
+--- a/test/ocspapitest.c
++++ b/test/ocspapitest.c
+@@ -105,7 +105,7 @@ static int test_resp_signer(void)
+         || !TEST_ptr(extra_certs)
+         || !TEST_true(get_cert_and_key(&signer, &key))
+         || !TEST_true(sk_X509_push(extra_certs, signer))
+-        || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
++        || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha256(),
+                                       NULL, OCSP_NOCERTS)))
+         goto err;
+     if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, extra_certs))
+@@ -117,7 +117,7 @@ static int test_resp_signer(void)
+     bs = make_dummy_resp();
+     tmp = NULL;
+     if (!TEST_ptr(bs)
+-        || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
++        || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha256(),
+                                       NULL, 0)))
+         goto err;
+     if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, NULL))

openssl_patches/1.1.1b/tests/ocspapitest_111b.patch

@@ -323,7 +323,15 @@ run_patched_tests() {
             TEST="$TEST evptests.txt"
         fi
         # main is the common file for 1.1.1b tests
-        if [ "$TEST" == "main" -o "$TEST" == "apps" -o "$TEST" == "openssl" ]; then
+        if [ "$TEST" == "main" ]; then
+            continue
+        fi
+        # apps and openssl are common files for openssl superapp in 1.1.1b tests
+        if [ "$TEST" == "apps" -o "$TEST" == "openssl" ]; then
+            continue
+        fi
+        # ocspapitest is a 1.1.1b tests that needs setup with a recipe
+        if [ "$TEST" == "ocspapitest" ]; then
             continue
         fi
         if [[ "$TEST" == *".conf.in"* ]]; then
@@ -412,8 +420,18 @@ test_openssl_111b() {
     run_111recipe "test_ssl_test_ctx"
     run_111recipe "test_sslcorrupt"
     run_111recipe "test_x509_store"
+    run_111recipe "test_pkcs7"
     run_111recipe "test_cms"
     run_111recipe "test_cmsapi"
+    run_111recipe "test_crl"
+    run_111recipe "test_rsa"
+    if [ $WOLFSSL_FIPS = "0" ]; then
+        # Uses a 512-bit RSA key to check using SHA512 and full salt length.
+        run_111recipe "test_rsapss"
+    fi
+    run_111recipe "test_x509_check_cert_pkey"
+    run_111recipe "test_ocsp"
+    run_111recipe "test_sslapi"
 
 # individual test runs (recipe is preferred)
 #    for SSL_TEST in "01-simple.conf" "02-protocol-version.conf" \

scripts/openssl-unit-tests.sh

@@ -359,7 +359,9 @@ static int we_aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         OPENSSL_free(aes->aad);
         aes->aad = NULL;
         aes->aadLen = 0;
-        ret = (int)len;
+        if (ret == 1) {
+            ret = (int)len;
+        }
     }
     else if ((ret == 1) && (len == 0)) {
         /* Final called and nothing to do - no data output. */

src/we_aes_gcm.c

@@ -866,7 +866,7 @@ static int we_digest_cleanup(EVP_MD_CTX *ctx)
     digest = (we_Digest *)EVP_MD_CTX_md_data(ctx);
 
     /* Free the digest unless no hash initialized. */
-    if (digest != NULL) {
+    if ((digest != NULL) && (digest->hashType != 0)) {
         rc = wc_HashFree(&digest->hash, digest->hashType);
         if (rc != 0) {
             WOLFENGINE_ERROR_FUNC(WE_LOG_DIGEST, "wc_HashFree", rc);