Coverity warning fixes

Author: JeremiahM37

src/tls.c

@@ -9384,9 +9384,9 @@ static int TLSX_KeyShare_ProcessEcc_ex(WOLFSSL* ssl,
             break;
     #endif
         default:
-            /* unsupported curve */
             curveId = ECC_CURVE_INVALID;
             WOLFSSL_ERROR_VERBOSE(ECC_PEERKEY_ERROR);
+            (void)curveId;
             return ECC_PEERKEY_ERROR;
     }
 

wolfcrypt/src/asn.c

@@ -25028,8 +25028,10 @@ Signer* findSignerByName(Signer *list, byte *hash)
     }
     return NULL;
 }
+/*declared with WOLFSSL_LOCAL due to coverity warning "routine not emitted",
+likely due to inconsistencies between its declaration and definition. */
 
-int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
+WOLFSSL_LOCAL int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
                       Signer *extraCAList)
 {
     int    ret = 0;

wolfcrypt/src/hmac.c

@@ -152,71 +152,122 @@ static int HmacKeyInitHash(wc_HmacHash* hash, int type, void* heap, int devId)
 {
     int ret = 0;
 
-    switch (type) {
-    #ifndef NO_MD5
-        case WC_MD5:
+    switch ((enum wc_HashType)type) {
+        case WC_HASH_TYPE_MD5:
+        #ifndef NO_MD5
             ret = wc_InitMd5_ex(&hash->md5, heap, devId);
+        #else
+            ret = BAD_FUNC_ARG;
+        #endif
             break;
-    #endif /* !NO_MD5 */
 
-    #ifndef NO_SHA
-        case WC_SHA:
+        case WC_HASH_TYPE_SHA:
+        #ifndef NO_SHA
             ret = wc_InitSha_ex(&hash->sha, heap, devId);
+        #else
+            ret = BAD_FUNC_ARG;
+        #endif
             break;
-    #endif /* !NO_SHA */
 
-    #ifdef WOLFSSL_SHA224
-        case WC_SHA224:
+        case WC_HASH_TYPE_SHA224:
+        #ifdef WOLFSSL_SHA224
             ret = wc_InitSha224_ex(&hash->sha224, heap, devId);
+        #else
+            ret = BAD_FUNC_ARG;
+        #endif
             break;
-    #endif /* WOLFSSL_SHA224 */
 
-    #ifndef NO_SHA256
-        case WC_SHA256:
+        case WC_HASH_TYPE_SHA256:
+        #ifndef NO_SHA256
             ret = wc_InitSha256_ex(&hash->sha256, heap, devId);
+        #else
+            ret = BAD_FUNC_ARG;
+        #endif
             break;
-    #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA384
-        case WC_SHA384:
+        case WC_HASH_TYPE_SHA384:
+        #ifdef WOLFSSL_SHA384
             ret = wc_InitSha384_ex(&hash->sha384, heap, devId);
+        #else
+            ret = BAD_FUNC_ARG;
+        #endif
             break;
-    #endif /* WOLFSSL_SHA384 */
-    #ifdef WOLFSSL_SHA512
-        case WC_SHA512:
+
+        case WC_HASH_TYPE_SHA512:
+        #ifdef WOLFSSL_SHA512
             ret = wc_InitSha512_ex(&hash->sha512, heap, devId);
+        #else
+            ret = BAD_FUNC_ARG;
+        #endif
             break;
-    #endif /* WOLFSSL_SHA512 */
 
-    #ifdef WOLFSSL_SHA3
-    #ifndef WOLFSSL_NOSHA3_224
-        case WC_SHA3_224:
+        case WC_HASH_TYPE_SHA3_224:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
             ret = wc_InitSha3_224(&hash->sha3, heap, devId);
+        #else
+            ret = BAD_FUNC_ARG;
+        #endif
             break;
-    #endif
-    #ifndef WOLFSSL_NOSHA3_256
-        case WC_SHA3_256:
+
+        case WC_HASH_TYPE_SHA3_256:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
             ret = wc_InitSha3_256(&hash->sha3, heap, devId);
+        #else
+            ret = BAD_FUNC_ARG;
+        #endif
             break;
-    #endif
-    #ifndef WOLFSSL_NOSHA3_384
-        case WC_SHA3_384:
+
+        case WC_HASH_TYPE_SHA3_384:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
             ret = wc_InitSha3_384(&hash->sha3, heap, devId);
+        #else
+            ret = BAD_FUNC_ARG;
+        #endif
             break;
-    #endif
-    #ifndef WOLFSSL_NOSHA3_512
-        case WC_SHA3_512:
+
+        case WC_HASH_TYPE_SHA3_512:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
             ret = wc_InitSha3_512(&hash->sha3, heap, devId);
+        #else
+            ret = BAD_FUNC_ARG;
+        #endif
             break;
-    #endif
-    #endif
 
     #ifdef WOLFSSL_SM3
-        case WC_SM3:
+        case WC_HASH_TYPE_SM3:
             ret = wc_InitSm3(&hash->sm3, heap, devId);
             break;
     #endif
 
+        case WC_HASH_TYPE_NONE:
+        case WC_HASH_TYPE_MD2:
+        case WC_HASH_TYPE_MD4:
+        case WC_HASH_TYPE_MD5_SHA:
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+            ret = BAD_FUNC_ARG;
+            break;
+
+    #ifndef WOLFSSL_NOSHA512_224
+        case WC_HASH_TYPE_SHA512_224:
+            ret = BAD_FUNC_ARG;
+            break;
+    #endif
+    #ifndef WOLFSSL_NOSHA512_256
+        case WC_HASH_TYPE_SHA512_256:
+            ret = BAD_FUNC_ARG;
+            break;
+    #endif
+    #ifdef WOLFSSL_SHAKE128
+        case WC_HASH_TYPE_SHAKE128:
+            ret = BAD_FUNC_ARG;
+            break;
+    #endif
+    #ifdef WOLFSSL_SHAKE256
+        case WC_HASH_TYPE_SHAKE256:
+            ret = BAD_FUNC_ARG;
+            break;
+    #endif
         default:
             ret = BAD_FUNC_ARG;
             break;
@@ -329,70 +380,93 @@ static int HmacKeyHashUpdate(byte macType, wc_HmacHash* hash, byte* pad)
 {
     int ret = 0;
 
-    switch (macType) {
-    #ifndef NO_MD5
-        case WC_MD5:
+    switch ((enum wc_HashType)macType) {
+        case WC_HASH_TYPE_MD5:
+        #ifndef NO_MD5
             ret = wc_Md5Update(&hash->md5, pad, WC_MD5_BLOCK_SIZE);
+        #endif
             break;
-    #endif /* !NO_MD5 */
 
-    #ifndef NO_SHA
-        case WC_SHA:
+        case WC_HASH_TYPE_SHA:
+        #ifndef NO_SHA
             ret = wc_ShaUpdate(&hash->sha, pad, WC_SHA_BLOCK_SIZE);
+        #endif
             break;
-    #endif /* !NO_SHA */
 
-    #ifdef WOLFSSL_SHA224
-        case WC_SHA224:
+        case WC_HASH_TYPE_SHA224:
+        #ifdef WOLFSSL_SHA224
             ret = wc_Sha224Update(&hash->sha224, pad, WC_SHA224_BLOCK_SIZE);
+        #endif
             break;
-    #endif /* WOLFSSL_SHA224 */
-    #ifndef NO_SHA256
-        case WC_SHA256:
+
+        case WC_HASH_TYPE_SHA256:
+        #ifndef NO_SHA256
             ret = wc_Sha256Update(&hash->sha256, pad, WC_SHA256_BLOCK_SIZE);
+        #endif
             break;
-    #endif /* !NO_SHA256 */
 
-    #ifdef WOLFSSL_SHA384
-        case WC_SHA384:
+        case WC_HASH_TYPE_SHA384:
+        #ifdef WOLFSSL_SHA384
             ret = wc_Sha384Update(&hash->sha384, pad, WC_SHA384_BLOCK_SIZE);
+        #endif
             break;
-    #endif /* WOLFSSL_SHA384 */
-    #ifdef WOLFSSL_SHA512
-        case WC_SHA512:
+
+        case WC_HASH_TYPE_SHA512:
+        #ifdef WOLFSSL_SHA512
             ret = wc_Sha512Update(&hash->sha512, pad, WC_SHA512_BLOCK_SIZE);
+        #endif
             break;
-    #endif /* WOLFSSL_SHA512 */
 
-    #ifdef WOLFSSL_SHA3
-    #ifndef WOLFSSL_NOSHA3_224
-        case WC_SHA3_224:
+        case WC_HASH_TYPE_SHA3_224:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224)
             ret = wc_Sha3_224_Update(&hash->sha3, pad, WC_SHA3_224_BLOCK_SIZE);
+        #endif
             break;
-    #endif
-    #ifndef WOLFSSL_NOSHA3_256
-        case WC_SHA3_256:
+
+        case WC_HASH_TYPE_SHA3_256:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256)
             ret = wc_Sha3_256_Update(&hash->sha3, pad, WC_SHA3_256_BLOCK_SIZE);
+        #endif
             break;
-    #endif
-    #ifndef WOLFSSL_NOSHA3_384
-        case WC_SHA3_384:
+
+        case WC_HASH_TYPE_SHA3_384:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384)
             ret = wc_Sha3_384_Update(&hash->sha3, pad, WC_SHA3_384_BLOCK_SIZE);
+        #endif
             break;
-    #endif
-    #ifndef WOLFSSL_NOSHA3_512
-        case WC_SHA3_512:
+
+        case WC_HASH_TYPE_SHA3_512:
+        #if defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512)
             ret = wc_Sha3_512_Update(&hash->sha3, pad, WC_SHA3_512_BLOCK_SIZE);
+        #endif
             break;
-    #endif
-    #endif /* WOLFSSL_SHA3 */
 
     #ifdef WOLFSSL_SM3
-        case WC_SM3:
+        case WC_HASH_TYPE_SM3:
             ret = wc_Sm3Update(&hash->sm3, pad, WC_SM3_BLOCK_SIZE);
             break;
     #endif
 
+        /* HmacKeyHashUpdate is only ever called with a valid hash type.
+         * Default to no-op. */
+        case WC_HASH_TYPE_NONE:
+        case WC_HASH_TYPE_MD2:
+        case WC_HASH_TYPE_MD4:
+        case WC_HASH_TYPE_MD5_SHA:
+        case WC_HASH_TYPE_BLAKE2B:
+        case WC_HASH_TYPE_BLAKE2S:
+    #ifndef WOLFSSL_NOSHA512_224
+        case WC_HASH_TYPE_SHA512_224:
+    #endif
+    #ifndef WOLFSSL_NOSHA512_256
+        case WC_HASH_TYPE_SHA512_256:
+    #endif
+    #ifdef WOLFSSL_SHAKE128
+        case WC_HASH_TYPE_SHAKE128:
+    #endif
+    #ifdef WOLFSSL_SHAKE256
+        case WC_HASH_TYPE_SHAKE256:
+    #endif
         default:
             break;
     }

wolfcrypt/src/pkcs12.c

@@ -830,7 +830,10 @@ int wc_d2i_PKCS12_fp(const char* file, WC_PKCS12** pkcs12)
         wc_PKCS12_free(*pkcs12);
         *pkcs12 = NULL;
     }
-    XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    if (buf != NULL) {
+        XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+        buf = NULL;
+    }
 
     WOLFSSL_LEAVE("wc_d2i_PKCS12_fp", ret);
 
@@ -1715,7 +1718,11 @@ int wc_PKCS12_parse_ex(WC_PKCS12* pkcs12, const char* psw,
         }
 
         /* free temporary buffer */
-        XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+        /* At the other location where buf is freed */
+        if (buf != NULL) {
+            XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+            buf = NULL;  /* Set to NULL to prevent double-free at exit */
+}
 
         ci = ci->next;
         WOLFSSL_MSG("Done Parsing PKCS12 Content Info Container");
@@ -1742,23 +1749,22 @@ int wc_PKCS12_parse_ex(WC_PKCS12* pkcs12, const char* psw,
     ret = 0; /* success */
 
 exit_pk12par:
-
     if (ret != 0) {
         /* failure cleanup */
         if (*pkey) {
             XFREE(*pkey, pkcs12->heap, DYNAMIC_TYPE_PUBLIC_KEY);
             *pkey = NULL;
         }
-        XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
-        buf = NULL;
-
         wc_FreeCertList(certList, pkcs12->heap);
     }
+    /* Always cleanup buf, but check if it's already been freed */
+    if (buf != NULL) {
+        XFREE(buf, pkcs12->heap, DYNAMIC_TYPE_PKCS);
+        /* No buf = NULL needed since we return immediately */
+    }
 
     return ret;
 }
-
-
 /* Helper function to get parameters for key and cert encryptions */
 static int wc_PKCS12_get_enc_params(int inAlgo, int* vPKCS, int* outAlgo,
         int* blkOid, int* hmacOid)