From cde2d95e53b5b50f07976b56ec831348612684d2 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 25 Jul 2025 13:34:53 -0600 Subject: [PATCH 1/2] resolve scan-build report --- src/certgen/clu_certgen_ed25519.c | 1 + src/client/client.c | 10 +++++-- src/crypto/clu_decrypt.c | 22 +++++++++++---- src/crypto/clu_encrypt.c | 47 ++++++++++++++++++++++++++----- src/genkey/clu_genkey.c | 3 +- src/sign-verify/clu_sign.c | 42 +++++++++++++++++++++------ src/sign-verify/clu_verify.c | 12 ++++++-- src/tools/clu_base64.c | 2 +- 8 files changed, 110 insertions(+), 29 deletions(-) diff --git a/src/certgen/clu_certgen_ed25519.c b/src/certgen/clu_certgen_ed25519.c index 628f631..0d5709c 100644 --- a/src/certgen/clu_certgen_ed25519.c +++ b/src/certgen/clu_certgen_ed25519.c @@ -57,6 +57,7 @@ int make_self_signed_ed25519_certificate(char* keyPath, char* certOut) keyFileSz = (int)XFTELL(keyFile); keyBuf = (byte*)XMALLOC(keyFileSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (keyBuf == NULL) { + XFCLOSE(keyFile); return MEMORY_E; } if (XFSEEK(keyFile, 0, SEEK_SET) != 0 || (int)XFREAD(keyBuf, 1, keyFileSz, keyFile) != keyFileSz) { diff --git a/src/client/client.c b/src/client/client.c index 8266a83..9424275 100644 --- a/src/client/client.c +++ b/src/client/client.c @@ -354,6 +354,9 @@ static WC_INLINE void clu_tcp_connect(SOCKET_T* sockfd, const char* ip, clu_build_addr(NULL, &ipv6, ip, port, udp, sctp); clu_tcp_socket(sockfd, udp, sctp, isIpv6); if (!udp) { + if (*sockfd < 0) + err_sys_with_errno("tcp bad socket"); + if (connect(*sockfd, (const struct sockaddr*)&ipv6, sizeof(ipv6)) != 0) err_sys_with_errno("ipv6 tcp connect failed"); @@ -367,6 +370,9 @@ static WC_INLINE void clu_tcp_connect(SOCKET_T* sockfd, const char* ip, clu_tcp_socket(sockfd, udp, sctp, isIpv6); if (!udp) { + if (*sockfd < 0) + err_sys_with_errno("tcp bad socket"); + if (connect(*sockfd, (const struct sockaddr*)&addr, sizeof(addr)) != 0) err_sys_with_errno("tcp connect failed"); @@ -3355,8 +3361,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #if defined(WOLFSSL_TRUST_PEER_CERT) && !defined(NO_FILESYSTEM) if (trustCert) { - if ((ret = wolfSSL_CTX_trust_peer_cert(ctx, trustCert, - WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) { + if (wolfSSL_CTX_trust_peer_cert(ctx, trustCert, + WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) { wolfSSL_CTX_free(ctx); ctx = NULL; err_sys("can't load trusted peer cert file"); } diff --git a/src/crypto/clu_decrypt.c b/src/crypto/clu_decrypt.c index 168a17b..5a5aa0f 100644 --- a/src/crypto/clu_decrypt.c +++ b/src/crypto/clu_decrypt.c @@ -145,16 +145,26 @@ int wolfCLU_decrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, */ while (length > 0 && ret == 0) { /* Read in 1kB */ - if (ret == 0 && - (ret = (int)XFREAD(input, 1, MAX_LEN, inFile)) != MAX_LEN) { + if (ret == 0) { if (feof(inFile)) { - tempMax = ret; - ret = 0; /* success */ + wolfCLU_LogError("Unexpected end of the file."); + ret = FREAD_ERROR; } - else { - wolfCLU_LogError("Input file does not exist."); + else if (ferror(inFile)) { + wolfCLU_LogError("File stream in error state"); ret = FREAD_ERROR; } + else { + ret = (int)XFREAD(input, 1, MAX_LEN, inFile); + if ((ret > 0 && ret != MAX_LEN) || feof(inFile)) { + tempMax = ret; + ret = 0; /* success */ + } + else { + wolfCLU_LogError("Input file does not exist."); + ret = FREAD_ERROR; + } + } } #ifdef HAVE_CAMELLIA diff --git a/src/crypto/clu_encrypt.c b/src/crypto/clu_encrypt.c index ef18005..2601ca6 100644 --- a/src/crypto/clu_encrypt.c +++ b/src/crypto/clu_encrypt.c @@ -76,8 +76,15 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, /* open the file to write */ tempInFile = XFOPEN(in, "wb"); - XFWRITE(userInputBuffer, 1, inputLength, tempInFile); - XFCLOSE(tempInFile); + if (tempInFile == NULL) { + wolfCLU_LogError("unable to open file %s", in); + XFREE(userInputBuffer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + return BAD_FUNC_ARG; + } + else { + XFWRITE(userInputBuffer, 1, inputLength, tempInFile); + XFCLOSE(tempInFile); + } /* free buffer */ XFREE(userInputBuffer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -121,6 +128,7 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, ret = wc_RNG_GenerateBlock(&rng, iv, block); if (ret != 0) { + XFCLOSE(inFile); return ret; } @@ -128,6 +136,7 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, ret = wolfCLU_genKey_PWDBASED(&rng, pwdKey, size, salt, padCounter); if (ret != WOLFCLU_SUCCESS) { wolfCLU_LogError("failed to set pwdKey."); + XFCLOSE(inFile); return ret; } /* move the generated pwdKey to "key" for encrypting */ @@ -140,6 +149,7 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, outFile = XFOPEN(out, "wb"); if (outFile == NULL) { wolfCLU_LogError("unable to open output file %s", out); + XFCLOSE(inFile); return WOLFCLU_FATAL_ERROR; } XFWRITE(salt, 1, SALT_SIZE, outFile); @@ -148,10 +158,13 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, /* MALLOC 1kB buffers */ input = (byte*) XMALLOC(MAX_LEN, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - if (input == NULL) + if (input == NULL) { + XFCLOSE(inFile); return MEMORY_E; + } output = (byte*) XMALLOC(MAX_LEN, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (output == NULL) { + XFCLOSE(inFile); wolfCLU_freeBins(input, NULL, NULL, NULL, NULL); return MEMORY_E; } @@ -159,10 +172,15 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, /* loop, encrypt 1kB at a time till length <= 0 */ while (length > 0) { /* Read in 1kB to input[] */ - if (inputHex == 1) - ret = (int) fread(inputString, 1, MAX_LEN, inFile); - else - ret = (int) fread(input, 1, MAX_LEN, inFile); + if (feof(inFile)) { + ret = 0; + } + else { + if (inputHex == 1) + ret = (int) fread(inputString, 1, MAX_LEN, inFile); + else + ret = (int) fread(input, 1, MAX_LEN, inFile); + } if (ret != MAX_LEN) { /* check for end of file */ @@ -178,6 +196,7 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, if (hexRet != WOLFCLU_SUCCESS) { wolfCLU_LogError("failed during conversion of input," " ret = %d", hexRet); + XFCLOSE(inFile); return hexRet; } }/* end hex or ascii */ @@ -191,6 +210,7 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, } else { /* otherwise we got a file read error */ wolfCLU_freeBins(input, output, NULL, NULL, NULL); + XFCLOSE(inFile); return FREAD_ERROR; }/* End feof check */ }/* End fread check */ @@ -200,6 +220,7 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, alg == WOLFCLU_CAMELLIA256CBC) { ret = wc_CamelliaSetKey(&camellia, key, block, iv); if (ret != 0) { + XFCLOSE(inFile); wolfCLU_LogError("CamelliaSetKey failed."); wolfCLU_freeBins(input, output, NULL, NULL, NULL); return ret; @@ -208,6 +229,7 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, wc_CamelliaCbcEncrypt(&camellia, output, input, tempMax); } else { + XFCLOSE(inFile); wolfCLU_LogError("Incompatible mode while using Camellia."); wolfCLU_freeBins(input, output, NULL, NULL, NULL); return FATAL_ERROR; @@ -233,14 +255,25 @@ int wolfCLU_encrypt(int alg, char* mode, byte* pwdKey, byte* key, int size, /* Open the outFile in append mode */ outFile = XFOPEN(out, "ab"); + if (outFile == NULL) { + XFCLOSE(inFile); + wolfCLU_LogError("failed to open file."); + wolfCLU_freeBins(input, output, NULL, NULL, NULL); + return FWRITE_ERROR; + } + ret = (int)XFWRITE(output, 1, tempMax, outFile); if (ferror(outFile)) { + XFCLOSE(outFile); + XFCLOSE(inFile); wolfCLU_LogError("failed to write to file."); wolfCLU_freeBins(input, output, NULL, NULL, NULL); return FWRITE_ERROR; } if (ret > MAX_LEN) { + XFCLOSE(outFile); + XFCLOSE(inFile); wolfCLU_LogError("Wrote too much to file."); wolfCLU_freeBins(input, output, NULL, NULL, NULL); return FWRITE_ERROR; diff --git a/src/genkey/clu_genkey.c b/src/genkey/clu_genkey.c index 8c3cb14..c86cac4 100644 --- a/src/genkey/clu_genkey.c +++ b/src/genkey/clu_genkey.c @@ -89,7 +89,8 @@ int wolfCLU_genKey_ED25519(WC_RNG* rng, char* fOutNm, int directive, int format) ret = WC_KEY_SIZE_E; /* export keys to buffers */ - ret = wc_ed25519_export_key(&edKeyOut, privKeyBuf, &privKeySz, + if (ret == 0) + ret = wc_ed25519_export_key(&edKeyOut, privKeyBuf, &privKeySz, pubKeyBuf, &pubKeySz); } diff --git a/src/sign-verify/clu_sign.c b/src/sign-verify/clu_sign.c index 7e183d7..349d9db 100644 --- a/src/sign-verify/clu_sign.c +++ b/src/sign-verify/clu_sign.c @@ -263,8 +263,14 @@ int wolfCLU_sign_data_rsa(byte* data, char* out, word32 dataSz, char* privKey, if (ret >= 0) { XFILE s; s = XFOPEN(out, "wb"); - XFWRITE(outBuf, 1, outBufSz, s); - XFCLOSE(s); + if (s == NULL) { + wolfCLU_LogError("Failed to open output file"); + ret = BAD_FUNC_ARG; + } + else { + XFWRITE(outBuf, 1, outBufSz, s); + XFCLOSE(s); + } } else { wolfCLU_LogError("Failed to sign data with RSA private key.\nRET: %d", ret); @@ -272,7 +278,9 @@ int wolfCLU_sign_data_rsa(byte* data, char* out, word32 dataSz, char* privKey, } /* cleanup allocated resources */ - XFCLOSE(privKeyFile); + if (privKeyFile != NULL) { + XFCLOSE(privKeyFile); + } if (keyBuf!= NULL) { XFREE(keyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -388,8 +396,14 @@ int wolfCLU_sign_data_ecc(byte* data, char* out, word32 fSz, char* privKey, if (ret >= 0) { XFILE s; s = XFOPEN(out, "wb"); - XFWRITE(outBuf, 1, outLen, s); - XFCLOSE(s); + if (s == NULL) { + wolfCLU_LogError("Failed to open file"); + ret = BAD_FUNC_ARG; + } + else { + XFWRITE(outBuf, 1, outLen, s); + XFCLOSE(s); + } } else { wolfCLU_LogError("Failed to sign data with Ecc private key.\nRET: %d", ret); @@ -397,7 +411,9 @@ int wolfCLU_sign_data_ecc(byte* data, char* out, word32 fSz, char* privKey, } /* cleanup allocated resources */ - XFCLOSE(privKeyFile); + if (privKeyFile != NULL) { + XFCLOSE(privKeyFile); + } if (keyBuf!= NULL) { XFREE(keyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -530,8 +546,14 @@ int wolfCLU_sign_data_ed25519 (byte* data, char* out, word32 fSz, char* privKey, if (ret >= 0) { XFILE s; s = XFOPEN(out, "wb"); - XFWRITE(outBuf, 1, outBufSz, s); - XFCLOSE(s); + if (s == NULL) { + wolfCLU_LogError("Failed to open file"); + ret = BAD_FUNC_ARG; + } + else { + XFWRITE(outBuf, 1, outBufSz, s); + XFCLOSE(s); + } } else { wolfCLU_LogError("Failed to sign data with ED25519 private key.\nRET: %d", ret); @@ -539,7 +561,9 @@ int wolfCLU_sign_data_ed25519 (byte* data, char* out, word32 fSz, char* privKey, } /* cleanup allocated resources */ - XFCLOSE(privKeyFile); + if (privKeyFile != NULL) { + XFCLOSE(privKeyFile); + } if (keyBuf!= NULL) { XFREE(keyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/src/sign-verify/clu_verify.c b/src/sign-verify/clu_verify.c index 89e88c6..f51e2f7 100644 --- a/src/sign-verify/clu_verify.c +++ b/src/sign-verify/clu_verify.c @@ -450,7 +450,9 @@ int wolfCLU_verify_signature_rsa(byte* sig, char* out, int sigSz, char* keyPath, } /* Cleanup allocated resources */ - XFCLOSE(keyPathFile); + if (keyPathFile != NULL) { + XFCLOSE(keyPathFile); + } if (outBuf != NULL) { XFREE(outBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -578,7 +580,9 @@ int wolfCLU_verify_signature_ecc(byte* sig, int sigSz, byte* hash, int hashSz, } /* cleanup allocated resources */ - XFCLOSE(keyPathFile); + if (keyPathFile != NULL) { + XFCLOSE(keyPathFile); + } if (outBuf != NULL) { XFREE(outBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); @@ -711,7 +715,9 @@ int wolfCLU_verify_signature_ed25519(byte* sig, int sigSz, } /* cleanup allocated resources */ - XFCLOSE(keyPathFile); + if (keyPathFile != NULL) { + XFCLOSE(keyPathFile); + } if (keyBuf != NULL) { XFREE(keyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/src/tools/clu_base64.c b/src/tools/clu_base64.c index f1c2c5d..d4d36bf 100644 --- a/src/tools/clu_base64.c +++ b/src/tools/clu_base64.c @@ -294,7 +294,7 @@ int wolfCLU_Base64Setup(int argc, char** argv) wolfSSL_BIO_free(bioOut); } - return WOLFCLU_SUCCESS; + return ret; #else (void)argc; (void)argv; From a194e44b7ba8bd56402957ef97d7de31562342af Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 25 Jul 2025 13:51:44 -0600 Subject: [PATCH 2/2] fix return value and handle PKCS7 PEM types correctly --- src/tools/clu_base64.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/src/tools/clu_base64.c b/src/tools/clu_base64.c index d4d36bf..00561f3 100644 --- a/src/tools/clu_base64.c +++ b/src/tools/clu_base64.c @@ -163,15 +163,17 @@ int wolfCLU_Base64Setup(int argc, char** argv) /* Try other types if PRIVATEKEY_TYPE fails */ ret = wc_PemToDer(input, (long)inputSz, CERT_TYPE, &der, NULL, NULL, NULL); - if (ret < 0) { - ret = wc_PemToDer(input, (long)inputSz, CERTREQ_TYPE, + } + + if (ret < 0) { + ret = wc_PemToDer(input, (long)inputSz, PKCS7_TYPE, &der, NULL, NULL, NULL); - if (ret < 0) { - wolfCLU_LogError("PEM to DER conversion failed: %d", - ret); - ret = WOLFCLU_FATAL_ERROR; - } - } + } + + /* If all PEM to DER attempts failed then set error */ + if (ret < 0) { + wolfCLU_LogError("PEM to DER conversion failed: %d", ret); + ret = WOLFCLU_FATAL_ERROR; } if (ret == 0) { @@ -247,6 +249,9 @@ int wolfCLU_Base64Setup(int argc, char** argv) wolfCLU_LogError("Base64 encode failed: %d", ret); ret = WOLFCLU_FATAL_ERROR; } + else { + ret = WOLFCLU_SUCCESS; + } } } @@ -257,6 +262,9 @@ int wolfCLU_Base64Setup(int argc, char** argv) wolfCLU_LogError("Failed to write output data: %d", ret); ret = WOLFCLU_FATAL_ERROR; } + else { + ret = WOLFCLU_SUCCESS; + } } else if (ret == WOLFCLU_SUCCESS) { /* Write to stdout */ @@ -268,6 +276,9 @@ int wolfCLU_Base64Setup(int argc, char** argv) wolfCLU_LogError("Failed to write to stdout: %d", ret); ret = WOLFCLU_FATAL_ERROR; } + else { + ret = WOLFCLU_SUCCESS; + } } else { wolfCLU_LogError("Failed to create stdout BIO");