From 0f20e91fa4617cc5590cff9d507fa9e79cfc39df Mon Sep 17 00:00:00 2001 From: Emma Stensland Date: Wed, 1 Jul 2026 14:29:44 -0600 Subject: [PATCH 1/2] F-1298 F-1302 F-1307 F-1712 F-1713 F-1719 F-1720 F-1721 F-1722 F-2093 F-3466 F-3472 F-3477 F-4131 F-4132 F-4600 F-5612 F-6286 F-6289 F-6536: Fix error handling in crypto and signature examples --- certgen/csr_cryptocb.c | 13 ++++++--- certgen/csr_sign.c | 12 ++++++-- certgen/custom_ext.c | 2 +- crypto/aes/aesgcm-file-encrypt.c | 13 ++++++++- crypto/ascon/ascon-file-encrypt.c | 43 ++++++++++++++++++++++++----- hash/sha256-hash.c | 1 + hash/sha3-256-hash.c | 1 + hash/sha512-hash.c | 1 + pk/ecc/ecc_keys.c | 29 +++++++++++++++++-- pk/ed25519/ed25519_keys.c | 29 +++++++++++++++++-- pk/ed448/ed448_keys.c | 29 +++++++++++++++++-- pk/rsa-pss/rsa-pss.c | 2 +- pkcs11/pkcs11_rsa.c | 12 ++++---- pkcs11/pkcs11_test.c | 18 +++++++++--- pkcs7/pkcs7-verify.c | 38 ++++++++++++++++++++----- pkcs7/signedData-stream.c | 5 ++++ pq/ml_dsa/ml_dsa.c | 18 ++++++++++-- pq/stateful_hash_sig/lms_example.c | 1 + pq/stateful_hash_sig/xmss_example.c | 2 ++ signature/signature.c | 13 +++++++-- signature/sigtest/eccsiglentest.c | 13 +++++++-- signature/sigtest/wolfsigtest.c | 13 +++++++-- 22 files changed, 260 insertions(+), 48 deletions(-) diff --git a/certgen/csr_cryptocb.c b/certgen/csr_cryptocb.c index acb39b760..5da62a2a8 100644 --- a/certgen/csr_cryptocb.c +++ b/certgen/csr_cryptocb.c @@ -310,6 +310,8 @@ static int gen_csr(const char* arg1) #endif void* keyPtr = NULL; WC_RNG rng; + int initRng = 0; + int initKey = 0; Cert req; byte der[LARGE_TEMP_SZ]; word32 derSz; @@ -342,6 +344,7 @@ static int gen_csr(const char* arg1) printf("RNG initialization failed: %d\n", ret); goto exit; } + initRng = 1; /* setup test key */ #ifdef HAVE_ECC @@ -394,6 +397,7 @@ static int gen_csr(const char* arg1) printf("Key initialization failed: %d\n", ret); goto exit; } + initKey = 1; /* decode public key */ #ifdef HAVE_ECC @@ -467,18 +471,19 @@ static int gen_csr(const char* arg1) exit: #ifdef HAVE_ECC - if (type == ECC_TYPE) + if (type == ECC_TYPE && initKey) wc_ecc_free(&ecKeyPub); #endif #ifndef NO_RSA - if (type == RSA_TYPE) + if (type == RSA_TYPE && initKey) wc_FreeRsaKey(&rsaKeyPub); #endif #ifdef HAVE_ED25519 - if (type == ED25519_TYPE) + if (type == ED25519_TYPE && initKey) wc_ed25519_free(&edKeyPub); #endif - wc_FreeRng(&rng); + if (initRng) + wc_FreeRng(&rng); wolfCrypt_Cleanup(); diff --git a/certgen/csr_sign.c b/certgen/csr_sign.c index 98c249a39..e5e9f70b6 100644 --- a/certgen/csr_sign.c +++ b/certgen/csr_sign.c @@ -179,11 +179,19 @@ static int do_csrsign(int argc, char** argv) printf("Successfully read %d bytes from %s\n\n", pemSz, csrPemFile); ret = wc_CertPemToDer(pemBuf, pemSz, derBuf, LARGE_TEMP_SZ, CERTREQ_TYPE); - if (ret >= 0) { + if (ret == ASN_NO_PEM_HEADER) { + memcpy(derBuf, pemBuf, pemSz); + memset(pemBuf, 0, LARGE_TEMP_SZ); + derSz = pemSz; + ret = 0; + printf("CSR Cert file detected as DER\n\n"); + } else if (ret >= 0) { derSz = ret; ret = 0; + printf("Converted CSR Cert PEM to DER %d bytes\n", derSz); + } else { + goto exit; } - printf("Converted CSR Cert PEM to DER %d bytes\n", derSz); #ifdef HAVE_DECODEDCERT /* Code for parsing a CSR to a DecodedCert struct */ diff --git a/certgen/custom_ext.c b/certgen/custom_ext.c index 2716ea6be..ed5eac888 100644 --- a/certgen/custom_ext.c +++ b/certgen/custom_ext.c @@ -131,7 +131,7 @@ static int do_certgen(int argc, char** argv) if (ret != 0) goto exit; initNewKey = 1; - wc_MakeRsaKey(&newKey, 2048, WC_RSA_EXPONENT, &rng); + ret = wc_MakeRsaKey(&newKey, 2048, WC_RSA_EXPONENT, &rng); if (ret != 0) goto exit; printf("Successfully created new RSA key\n\n"); diff --git a/crypto/aes/aesgcm-file-encrypt.c b/crypto/aes/aesgcm-file-encrypt.c index 835b7c72e..4b8fe55c3 100644 --- a/crypto/aes/aesgcm-file-encrypt.c +++ b/crypto/aes/aesgcm-file-encrypt.c @@ -442,9 +442,17 @@ int decrypt_file_AesGCM(const char *in_file, const char *out_file, } if (ret == 0) { - /* The tag param is used to compare to the + /* The tag param is used to compare to the calculated tag during decryption */ ret = wc_AesGcmDecryptFinal(&gcm, tag, AESGCM_TAG_SIZE); + if (ret != 0) { + /* Authentication failed. The unauthenticated plaintext + * written above must not be left readable on disk, so + * remove the partially written output file. */ + fprintf(stderr, + "Authentication failed, removing unverified output file\n"); + unlink(out_file); + } } exit: free(in_buf); @@ -720,6 +728,9 @@ int decrypt_file(const char *in_file, const char *out_file, const char *key_str) if (ret == WOLFSSL_SUCCESS && (memcmp(tag_enc, tag_dec, AESGCM_TAG_SIZE) != 0)) { perror("TAG didn't match\n"); + /* Authentication failed, unauthenticated plaintext was + * already written to out_file above; remove it. */ + unlink(out_file); exit(EXIT_FAILURE); } } diff --git a/crypto/ascon/ascon-file-encrypt.c b/crypto/ascon/ascon-file-encrypt.c index 022589a1a..6729400a8 100644 --- a/crypto/ascon/ascon-file-encrypt.c +++ b/crypto/ascon/ascon-file-encrypt.c @@ -31,6 +31,10 @@ #include #include +#ifndef HAVE_ASCON + #error "Please build wolfSSL with the --enable-ascon option" +#endif + #define ASCON_AEAD128_RATE 16 #define SALT_SIZE 8 #define AD_SIZE 32 @@ -304,6 +308,7 @@ int AsconDecrypt(wc_AsconCtx* ctx) int chunk_read = BLOCK_SIZE; int i = 0; long j; + byte* decryptedBuf = NULL; /* read the file header and extract salt, nonce, and tag */ if (fread(ctx->cipherText, 1, FILE_HEADER_SIZE, ctx->inFile) != FILE_HEADER_SIZE) { @@ -353,6 +358,16 @@ int AsconDecrypt(wc_AsconCtx* ctx) /* Start decrypting ciphertext */ ctx->inFileLength -= FILE_HEADER_SIZE; + /* Buffer the decrypted plaintext in memory instead of writing it + * to disk as it is produced: it is unauthenticated until + * DecryptFinal() verifies the tag below, so it must not be + * released to the output file before that check passes. */ + decryptedBuf = (byte*)malloc(ctx->inFileLength > 0 ? ctx->inFileLength : 1); + if (decryptedBuf == NULL) { + printf("ERROR: Failed to allocate decrypted output buffer\n"); + return ERROR; + } + for (j = 0; j <= ctx->inFileLength; j += BLOCK_SIZE) { if (chunk_read > ctx->inFileLength - j) { chunk_read = ctx->inFileLength - j; @@ -360,29 +375,43 @@ int AsconDecrypt(wc_AsconCtx* ctx) if (fread(ctx->cipherText, 1, chunk_read, ctx->inFile) != chunk_read) { printf("ERROR: Failed to read the appropriate amount\n"); + memset(decryptedBuf, 0, ctx->inFileLength); + free(decryptedBuf); return ERROR; } /* decrypts chunk read */ if (wc_AsconAEAD128_DecryptUpdate(ctx->ascon, ctx->plainText, ctx->cipherText, chunk_read) != SUCCESS) { printf("Decrypt update failed.\n"); + memset(decryptedBuf, 0, ctx->inFileLength); + free(decryptedBuf); return ERROR; } - /* write plaintext to output file */ - if (fwrite(ctx->plainText, 1, chunk_read, ctx->outFile) != chunk_read) { - printf("ERROR: Failed to write the appropriate amount\n"); - return ERROR; - } - + memcpy(decryptedBuf + j, ctx->plainText, chunk_read); } - /* Finalize decryption and verify tag */ + /* Finalize decryption and verify tag before releasing any + * plaintext to disk. */ if (wc_AsconAEAD128_DecryptFinal(ctx->ascon, tag) != SUCCESS) { printf("Decrypt final failed.\n"); + memset(decryptedBuf, 0, ctx->inFileLength); + free(decryptedBuf); + return ERROR; + } + + /* Tag verified: only now is it safe to write the plaintext out. */ + if (fwrite(decryptedBuf, 1, ctx->inFileLength, ctx->outFile) != + (size_t)ctx->inFileLength) { + printf("ERROR: Failed to write the appropriate amount\n"); + memset(decryptedBuf, 0, ctx->inFileLength); + free(decryptedBuf); return ERROR; } + memset(decryptedBuf, 0, ctx->inFileLength); + free(decryptedBuf); + } else { printf("Invalid length of input file\n"); return ERROR; diff --git a/hash/sha256-hash.c b/hash/sha256-hash.c index 3c501f85e..f42120495 100644 --- a/hash/sha256-hash.c +++ b/hash/sha256-hash.c @@ -72,6 +72,7 @@ int main(int argc, char** argv) if (ret != 0) { printf("Failed to initialize sha structure\n"); fclose(inputStream); + return ret; } /* Loop reading a block at a time, finishing with any excess */ diff --git a/hash/sha3-256-hash.c b/hash/sha3-256-hash.c index 46fa0a8bd..3a66d151c 100644 --- a/hash/sha3-256-hash.c +++ b/hash/sha3-256-hash.c @@ -72,6 +72,7 @@ int main(int argc, char** argv) if (ret != 0) { printf("Failed to initialize sha structure\n"); fclose(inputStream); + return ret; } /* Loop reading a block at a time, finishing with any excess */ diff --git a/hash/sha512-hash.c b/hash/sha512-hash.c index 40d50db3e..6206b7314 100644 --- a/hash/sha512-hash.c +++ b/hash/sha512-hash.c @@ -72,6 +72,7 @@ int main(int argc, char** argv) if (ret != 0) { printf("Failed to initialize sha structure\n"); fclose(inputStream); + return ret; } /* Loop reading a block at a time, finishing with any excess */ diff --git a/pk/ecc/ecc_keys.c b/pk/ecc/ecc_keys.c index 849d8b04a..0649dba43 100644 --- a/pk/ecc/ecc_keys.c +++ b/pk/ecc/ecc_keys.c @@ -51,12 +51,24 @@ int main() FILE* derFile; size_t sz; - wc_InitRng(&rng); - wc_ecc_init(&key); + ret = wc_InitRng(&rng); + if (ret != 0) { + printf("error %d initializing rng\n", ret); + return ret; + } + + ret = wc_ecc_init(&key); + if (ret != 0) { + printf("error %d initializing ecc key\n", ret); + wc_FreeRng(&rng); + return ret; + } ret = wc_ecc_make_key_ex(&rng, ECC_CURVE_SZ, &key, ECC_CURVE_ID); if (ret != 0) { printf("error %d making ecc key\n", ret); + wc_ecc_free(&key); + wc_FreeRng(&rng); return ret; } @@ -64,6 +76,8 @@ int main() ret = wc_EccKeyToDer(&key, der, sizeof(der)); if (ret < 0) { printf("error %d in ecc to der\n", ret); + wc_ecc_free(&key); + wc_FreeRng(&rng); return ret; } sz = ret; @@ -72,6 +86,8 @@ int main() derFile = fopen("ecc-key.der", "w"); if (!derFile) { printf("error loading file\n"); + wc_ecc_free(&key); + wc_FreeRng(&rng); return -1; } @@ -84,6 +100,7 @@ int main() derFile = fopen("ecc-key.der", "rb"); if (!derFile) { printf("error reading from file\n"); + wc_FreeRng(&rng); return -1; } sz = fread(buf, 1, sizeof(buf), derFile); @@ -95,6 +112,8 @@ int main() idx = 0; if (wc_EccPrivateKeyDecode(buf, &idx, &key, (word32)sz) != 0) { printf("error decoding private key\n"); + wc_ecc_free(&key); + wc_FreeRng(&rng); return -1; } wc_ecc_free(&key); @@ -113,6 +132,8 @@ int main() ret = wc_ecc_make_key_ex(&rng, ECC_CURVE_SZ, &key, ECC_CURVE_ID); if (ret != 0) { printf("error %d making ecc key\n", ret); + wc_ecc_free(&key); + wc_FreeRng(&rng); return ret; } @@ -121,6 +142,8 @@ int main() sz = sizeof(buf); if (wc_ecc_export_x963(&key, buf, (word32*)&sz) != 0) { printf("error exporting public ecc key\n"); + wc_ecc_free(&key); + wc_FreeRng(&rng); return -1; } @@ -128,6 +151,8 @@ int main() derFile = fopen("ecc-public.x963", "w"); /* reused the derFile pointer */ if (!derFile) { printf("error loading file\n"); + wc_ecc_free(&key); + wc_FreeRng(&rng); return -1; } fwrite(buf, 1, sz, derFile); diff --git a/pk/ed25519/ed25519_keys.c b/pk/ed25519/ed25519_keys.c index bc8aa7c97..5880a490c 100644 --- a/pk/ed25519/ed25519_keys.c +++ b/pk/ed25519/ed25519_keys.c @@ -88,8 +88,18 @@ int main() word32 idx; size_t sz; - wc_InitRng(&rng); - wc_ed25519_init(&key); + ret = wc_InitRng(&rng); + if (ret != 0) { + printf("error %d initializing rng\n", ret); + return ret; + } + + ret = wc_ed25519_init(&key); + if (ret != 0) { + printf("error %d initializing ed25519 key\n", ret); + wc_FreeRng(&rng); + return ret; + } /* * Make a private Ed25510 key @@ -99,6 +109,8 @@ int main() ret = wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &key); if (ret != 0) { printf("error %d making Ed25519 key\n", ret); + wc_ed25519_free(&key); + wc_FreeRng(&rng); return ret; } @@ -110,6 +122,8 @@ int main() ret = wc_Ed25519KeyToDer(&key, der, sizeof(der)); if (ret < 0) { printf("error %d in Ed25519 to der\n", ret); + wc_ed25519_free(&key); + wc_FreeRng(&rng); return ret; } sz = ret; @@ -117,6 +131,8 @@ int main() /* write private key to file */ ret = write_file("private key", privFile, der, sz); if (ret < 0) { + wc_ed25519_free(&key); + wc_FreeRng(&rng); return ret; } @@ -130,6 +146,7 @@ int main() sz = sizeof(buf); ret = read_file("private key", privFile, buf, &sz); if (ret < 0) { + wc_FreeRng(&rng); return ret; } @@ -141,6 +158,8 @@ int main() ret = wc_Ed25519PrivateKeyDecode(buf, &idx, &key, (word32)sz); if (ret != 0) { printf("error decoding private key\n"); + wc_ed25519_free(&key); + wc_FreeRng(&rng); return ret; } @@ -162,6 +181,8 @@ int main() ret = wc_ed25519_make_key(&rng, ED25519_KEY_SIZE, &key); if (ret != 0) { printf("error %d making Ed25519 key\n", ret); + wc_ed25519_free(&key); + wc_FreeRng(&rng); return ret; } @@ -175,12 +196,16 @@ int main() ret = wc_ed25519_export_public(&key, buf, (word32*)&sz); if (ret != 0) { printf("error exporting public Ed25519 key\n"); + wc_ed25519_free(&key); + wc_FreeRng(&rng); return ret; } /* write public key to file */ ret = write_file("public key", pubFile, buf, sz); if (ret < 0) { + wc_ed25519_free(&key); + wc_FreeRng(&rng); return ret; } diff --git a/pk/ed448/ed448_keys.c b/pk/ed448/ed448_keys.c index ed172301b..ff7916377 100644 --- a/pk/ed448/ed448_keys.c +++ b/pk/ed448/ed448_keys.c @@ -88,8 +88,18 @@ int main() word32 idx; size_t sz; - wc_InitRng(&rng); - wc_ed448_init(&key); + ret = wc_InitRng(&rng); + if (ret != 0) { + printf("error %d initializing rng\n", ret); + return ret; + } + + ret = wc_ed448_init(&key); + if (ret != 0) { + printf("error %d initializing ed448 key\n", ret); + wc_FreeRng(&rng); + return ret; + } /* * Make a private Ed25510 key @@ -99,6 +109,8 @@ int main() ret = wc_ed448_make_key(&rng, ED448_KEY_SIZE, &key); if (ret != 0) { printf("error %d making Ed448 key\n", ret); + wc_ed448_free(&key); + wc_FreeRng(&rng); return ret; } @@ -110,6 +122,8 @@ int main() ret = wc_Ed448KeyToDer(&key, der, sizeof(der)); if (ret < 0) { printf("error %d in Ed448 to der\n", ret); + wc_ed448_free(&key); + wc_FreeRng(&rng); return ret; } sz = ret; @@ -117,6 +131,8 @@ int main() /* write private key to file */ ret = write_file("private key", privFile, der, sz); if (ret < 0) { + wc_ed448_free(&key); + wc_FreeRng(&rng); return ret; } @@ -130,6 +146,7 @@ int main() sz = sizeof(buf); ret = read_file("private key", privFile, buf, &sz); if (ret < 0) { + wc_FreeRng(&rng); return ret; } @@ -141,6 +158,8 @@ int main() ret = wc_Ed448PrivateKeyDecode(buf, &idx, &key, (word32)sz); if (ret != 0) { printf("error decoding private key\n"); + wc_ed448_free(&key); + wc_FreeRng(&rng); return ret; } @@ -162,6 +181,8 @@ int main() ret = wc_ed448_make_key(&rng, ED448_KEY_SIZE, &key); if (ret != 0) { printf("error %d making Ed448 key\n", ret); + wc_ed448_free(&key); + wc_FreeRng(&rng); return ret; } @@ -175,12 +196,16 @@ int main() ret = wc_ed448_export_public(&key, buf, (word32*)&sz); if (ret != 0) { printf("error exporting public Ed448 key\n"); + wc_ed448_free(&key); + wc_FreeRng(&rng); return ret; } /* write public key to file */ ret = write_file("public key", pubFile, buf, sz); if (ret < 0) { + wc_ed448_free(&key); + wc_FreeRng(&rng); return ret; } diff --git a/pk/rsa-pss/rsa-pss.c b/pk/rsa-pss/rsa-pss.c index 047b9f61d..2bbf1c2ca 100644 --- a/pk/rsa-pss/rsa-pss.c +++ b/pk/rsa-pss/rsa-pss.c @@ -116,7 +116,7 @@ static int read_file(const char* filename, unsigned char* data, int* sz) *sz = fileSz; err = 0; load_end: - fclose(f); + if (f != NULL) fclose(f); return err; } diff --git a/pkcs11/pkcs11_rsa.c b/pkcs11/pkcs11_rsa.c index cd2579011..3ea394cc0 100644 --- a/pkcs11/pkcs11_rsa.c +++ b/pkcs11/pkcs11_rsa.c @@ -260,15 +260,15 @@ static int rsa_sign_verify(int devId) if (ret == 0) { fprintf(stderr, "Verifying\n"); ret = wc_RsaSSL_Verify(sig, sigSz, pt, (int)ptSz, &pub); - if (ret < 0) + if (ret < 0) { fprintf(stderr, "Failed to verify: %d\n", ret); - - if (XMEMCMP(hash, pt, ret) != 0) { - fprintf(stderr, "Failed to verify\n"); + } else if (ret != (int)hashSz || XMEMCMP(hash, pt, ret) != 0) { + fprintf(stderr, "Failed to verify: hash mismatch\n"); + ret = -1; + } else { + ret = 0; } - wc_FreeRsaKey(&pub); - ret = 0; } } diff --git a/pkcs11/pkcs11_test.c b/pkcs11/pkcs11_test.c index afcdd6072..ff3cd193f 100644 --- a/pkcs11/pkcs11_test.c +++ b/pkcs11/pkcs11_test.c @@ -284,13 +284,23 @@ int get_public_key(RsaKey* key, Pkcs11Token* token, CK_SESSION_HANDLE session, modSz = template[0].ulValueLen; expSz = template[1].ulValueLen; mod = (unsigned char *)malloc(modSz); - template[0].pValue = mod; exp = (CK_BYTE_PTR) malloc(expSz); - template[1].pValue = exp; + if (mod == NULL || exp == NULL) { + ret = MEMORY_E; + } + else { + template[0].pValue = mod; + template[1].pValue = exp; - rv = token->func->C_GetAttributeValue(session, pubKey, template, 2); + rv = token->func->C_GetAttributeValue(session, pubKey, template, 2); + if (rv != CKR_OK) + ret = -1; + } } - if (rv == CKR_OK) + else + ret = -1; + + if (rv == CKR_OK && ret == 0) ret = wc_RsaPublicKeyDecodeRaw(mod, modSz, exp, expSz, key); if (exp != NULL) diff --git a/pkcs7/pkcs7-verify.c b/pkcs7/pkcs7-verify.c index 8ddb855ac..38b2f39d2 100644 --- a/pkcs7/pkcs7-verify.c +++ b/pkcs7/pkcs7-verify.c @@ -48,6 +48,16 @@ int main(int argc, char** argv) wolfSSL_Debugging_ON(); #endif + /* PKCS_Init captures/saves this, so make sure + * isDynamic = 0 since it is on the stack. Set this before any + * code path that can reach the exit label and call wc_PKCS7_Free(). */ + pkcs7.isDynamic = 0; + + /* Init before any code path that can reach the exit label and call + * wc_PKCS7_Free(), so the struct is always fully zeroed first. */ + rc = wc_PKCS7_Init(&pkcs7, NULL, INVALID_DEVID); + if (rc != 0) goto exit; + /* load PKCS7 */ derFile = fopen(pkcs7SignedPem, "rb"); if (derFile) { @@ -72,14 +82,12 @@ int main(int argc, char** argv) } rc = 0; } - - /* PKCS_Init captures/saves this, so make sure - * isDynamic = 0 since it is on the stack */ - pkcs7.isDynamic = 0; + else { + rc = -1; + goto exit; + } /* Test verify */ - rc = wc_PKCS7_Init(&pkcs7, NULL, INVALID_DEVID); - if (rc != 0) goto exit; rc = wc_PKCS7_InitWithCert(&pkcs7, NULL, 0); if (rc != 0) goto exit; @@ -112,10 +120,22 @@ int main(int argc, char** argv) /* load PKCS7 */ derFile = fopen(pkcs7SignedDer, "rb"); if (derFile) { + int derFileSz; fseek(derFile, 0, SEEK_END); - fileSz = (int)ftell(derFile); + derFileSz = (int)ftell(derFile); rewind(derFile); + if (derFileSz > (int)fileSz) { + XFREE(fileBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + fileBuf = (byte*)XMALLOC(derFileSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (fileBuf == NULL) { + rc = MEMORY_E; + fclose(derFile); + goto exit; + } + } + fileSz = derFileSz; + rc = (int)fread(fileBuf, 1, fileSz, derFile); fclose(derFile); @@ -126,6 +146,10 @@ int main(int argc, char** argv) } rc = 0; } + else { + rc = -1; + goto exit; + } /* Verify DER output matches expected output */ if (fileSz != derSz || memcmp(fileBuf, derBuf, derSz) != 0) { diff --git a/pkcs7/signedData-stream.c b/pkcs7/signedData-stream.c index 6b89a2a7d..ba853561e 100644 --- a/pkcs7/signedData-stream.c +++ b/pkcs7/signedData-stream.c @@ -335,6 +335,11 @@ int main(int argc, char** argv) { FILE* f = fopen(encodedFile, "rb"); + if (f == NULL) { + printf("error opening file %s\n", encodedFile); + ret = -1; + goto out; + } encryptedSz = fread(encrypted, 1, encryptedSz, f); fclose(f); } diff --git a/pq/ml_dsa/ml_dsa.c b/pq/ml_dsa/ml_dsa.c index 22b70ac3e..e499faa44 100644 --- a/pq/ml_dsa/ml_dsa.c +++ b/pq/ml_dsa/ml_dsa.c @@ -51,6 +51,8 @@ main(int argc, int opt = 0; MlDsaKey key; WC_RNG rng; + int initRng = 0; + int initKey = 0; byte * priv = NULL; byte * pub = NULL; byte * sig = NULL; @@ -93,7 +95,12 @@ main(int argc, ml_dsa_print_parms_and_die(); } - wc_InitRng(&rng); + rc = wc_InitRng(&rng); + if (rc != 0) { + printf("error: wc_InitRng failed: %d\n", rc); + goto ml_dsa_exit; + } + initRng = 1; rc = ml_dsa_sec_valid(); if (rc < 0) { @@ -105,6 +112,7 @@ main(int argc, printf("error: wc_MlDsaKey_Init returned %d\n", rc); goto ml_dsa_exit; } + initKey = 1; rc = wc_MlDsaKey_SetParams(&key, sec_cat); if (rc != 0) { @@ -243,8 +251,12 @@ main(int argc, ml_dsa_exit: - wc_MlDsaKey_Free(&key); - wc_FreeRng(&rng); + if (initKey) { + wc_MlDsaKey_Free(&key); + } + if (initRng) { + wc_FreeRng(&rng); + } ml_dsa_free((void *) &sig); ml_dsa_free((void *) &pub); diff --git a/pq/stateful_hash_sig/lms_example.c b/pq/stateful_hash_sig/lms_example.c index 33a40cbc3..76db52e34 100644 --- a/pq/stateful_hash_sig/lms_example.c +++ b/pq/stateful_hash_sig/lms_example.c @@ -336,6 +336,7 @@ do_lms_example(int levels, sig = malloc(sigSz); if (sig == NULL) { fprintf(stderr, "error: malloc(%d) failed\n", sigSz); + ret = MEMORY_E; goto exit_lms_example; } diff --git a/pq/stateful_hash_sig/xmss_example.c b/pq/stateful_hash_sig/xmss_example.c index 11acd364f..27aa0e9a2 100644 --- a/pq/stateful_hash_sig/xmss_example.c +++ b/pq/stateful_hash_sig/xmss_example.c @@ -274,6 +274,7 @@ do_xmss_example(const char * params, read_buf = malloc(privSz); if (read_buf == NULL) { fprintf(stderr, "error: malloc read_buf failed\n"); + ret = MEMORY_E; goto exit_xmss_example; } @@ -297,6 +298,7 @@ do_xmss_example(const char * params, sig = malloc(sigSz); if (sig == NULL) { fprintf(stderr, "error: malloc(%d) failed\n", sigSz); + ret = MEMORY_E; goto exit_xmss_example; } diff --git a/signature/signature.c b/signature/signature.c index 966b12d24..e3ad37b1f 100644 --- a/signature/signature.c +++ b/signature/signature.c @@ -66,10 +66,19 @@ int ecc_sign_verify_test(enum wc_HashType hash_type, enum wc_SignatureType sig_t word32 eccPubKeyLen, eccPrivKeyLen; /* Init */ - wc_InitRng(&rng); + ret = wc_InitRng(&rng); + if (ret != 0) { + printf("ECC RNG Init failed! %d\n", ret); + return EXIT_FAILURE; + } /* Generate key */ - wc_ecc_init(&eccKey); + ret = wc_ecc_init(&eccKey); + if (ret != 0) { + printf("ECC Key Init failed! %d\n", ret); + wc_FreeRng(&rng); + return EXIT_FAILURE; + } ret = wc_ecc_make_key_ex(&rng, 32, &eccKey, ECC_CURVE_DEF); if(ret != 0) { printf("ECC Make Key Failed! %d\n", ret); diff --git a/signature/sigtest/eccsiglentest.c b/signature/sigtest/eccsiglentest.c index db02f22a3..4ea3d48a2 100644 --- a/signature/sigtest/eccsiglentest.c +++ b/signature/sigtest/eccsiglentest.c @@ -78,10 +78,19 @@ int ecc_sign_verify_test(enum wc_HashType hash_type, #endif /* Init */ - wc_InitRng(&rng); + ret = wc_InitRng(&rng); + if (ret != 0) { + printf("ECC RNG Init Failed! %d\n", ret); + return ret; + } /* Generate key */ - wc_ecc_init(&eccKey); + ret = wc_ecc_init(&eccKey); + if (ret != 0) { + printf("ECC Key Init Failed! %d\n", ret); + wc_FreeRng(&rng); + return ret; + } ret = wc_ecc_make_key_ex(&rng, keySz, &eccKey, curveId); if(ret != 0) { diff --git a/signature/sigtest/wolfsigtest.c b/signature/sigtest/wolfsigtest.c index 4055f2f84..48338e1c5 100644 --- a/signature/sigtest/wolfsigtest.c +++ b/signature/sigtest/wolfsigtest.c @@ -140,10 +140,19 @@ int main(int argc, char** argv) print_buf("Digest Input Data:", Digest_given, DATA_BLOCK_LEN); /* Init */ - wc_InitRng(&rng); + ret = wc_InitRng(&rng); + if (ret != 0) { + printf("error %d initializing rng\n", ret); + return ret; + } /* Init Rsa Key */ - wc_InitRsaKey(&rsakey, NULL); + ret = wc_InitRsaKey(&rsakey, NULL); + if (ret != 0) { + printf("error %d initializing rsa key\n", ret); + wc_FreeRng(&rng); + return ret; + } XMEMSET(DER_buf, 0, sizeof(DER_buf)); From d6b5700e745ac4372f5c02d43e734d7c5082ac2b Mon Sep 17 00:00:00 2001 From: Emma Stensland Date: Wed, 1 Jul 2026 14:29:54 -0600 Subject: [PATCH 2/2] F-1296 F-1301 F-1706 F-2112 F-2893 F-2900 F-3223 F-3899 F-4121 F-4123 F-4127 F-4128 F-4603 F-4604: Fix error handling in TLS, DTLS, and protocol examples --- .../WolfSSLDemo/src/wolfDemo/wolf_client.c | 2 +- btle/ecies/ecc-client.c | 1 + can-bus/common.c | 11 ++++++ crypto/aes/aesgcm-file-encrypt.c | 28 +++++++++------ dtls/client-dtls-import.c | 9 ++++- dtls/dtls-export-common.h | 34 ++++++++++++++++--- dtls/memory-bio-dtls.c | 2 +- dtls/server-dtls-import.c | 9 ++++- dtls/server-dtls13.c | 2 +- psk/server-psk.c | 4 +-- tls-options/client-tls-cipher.c | 28 ++++++--------- tls-options/client-tls-session.c | 4 +++ tls-options/server-tls-cipher.c | 29 ++++++---------- tls/client-tls.c | 2 +- 14 files changed, 106 insertions(+), 59 deletions(-) diff --git a/TOPPERS/WolfSSLDemo/src/wolfDemo/wolf_client.c b/TOPPERS/WolfSSLDemo/src/wolfDemo/wolf_client.c index 59e74c4bd..74527d534 100644 --- a/TOPPERS/WolfSSLDemo/src/wolfDemo/wolf_client.c +++ b/TOPPERS/WolfSSLDemo/src/wolfDemo/wolf_client.c @@ -149,7 +149,7 @@ int wolfSSL_TLS_client(void *v_ctx, func_args *args) } if ((ssl = wolfSSL_new(ctx)) == NULL) { - printf("ERROR wolfSSL_new: %d\n", wolfSSL_get_error(ssl, 0)); + printf("ERROR wolfSSL_new failed\n"); ret = -1; goto exit_; } diff --git a/btle/ecies/ecc-client.c b/btle/ecies/ecc-client.c index c1cde09a4..d12cc6336 100644 --- a/btle/ecies/ecc-client.c +++ b/btle/ecies/ecc-client.c @@ -140,6 +140,7 @@ int main(int argc, char** argv) ret = btle_recv(peerSalt, EXCHANGE_SALT_SZ, &type, devCtx); if (ret <= 0) { printf("btle_recv failed %d!\n", ret); + goto cleanup; } if (type != BTLE_PKT_TYPE_SALT) { printf("btle_recv expected salt!\n"); diff --git a/can-bus/common.c b/can-bus/common.c index 66ccffb0a..8286d3f68 100644 --- a/can-bus/common.c +++ b/can-bus/common.c @@ -178,6 +178,11 @@ int setup_ssl(enum service_type type, WOLFSSL_CTX **new_ctx, WOLFSSL* ssl = NULL; char *receive_buffer = malloc(ISOTP_DEFAULT_BUFFER_SIZE); + if (!receive_buffer) { + fprintf(stderr, "Could not allocate receive buffer\n"); + return -1; + } + if (type == SERVICE_TYPE_CLIENT) { method = wolfTLSv1_3_client_method(); } else { @@ -186,6 +191,7 @@ int setup_ssl(enum service_type type, WOLFSSL_CTX **new_ctx, if (!method) { fprintf(stderr, "Could not init wolfSSL method\n"); + free(receive_buffer); return -1; } @@ -193,6 +199,7 @@ int setup_ssl(enum service_type type, WOLFSSL_CTX **new_ctx, if (!ctx) { fprintf(stderr, "Could not init wolfSSL context\n"); close_ssl(NULL, NULL); + free(receive_buffer); return -1; } @@ -209,6 +216,7 @@ int setup_ssl(enum service_type type, WOLFSSL_CTX **new_ctx, fprintf(stderr, "ERROR: failed to load cert, " "please check the file.\n"); close_ssl(ctx, NULL); + free(receive_buffer); return -1; } @@ -218,6 +226,7 @@ int setup_ssl(enum service_type type, WOLFSSL_CTX **new_ctx, fprintf(stderr, "ERROR: failed to load key file, " "please check the file.\n"); close_ssl(ctx, NULL); + free(receive_buffer); return -1; } } @@ -226,6 +235,7 @@ int setup_ssl(enum service_type type, WOLFSSL_CTX **new_ctx, if (!ssl) { fprintf(stderr, "Could not init wolfSSL\n"); close_ssl(ctx, NULL); + free(receive_buffer); return -1; } @@ -246,6 +256,7 @@ int setup_ssl(enum service_type type, WOLFSSL_CTX **new_ctx, fprintf(stderr, "ERROR: failed to connect using wolfSSL: %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); close_ssl(ctx, ssl); + free(receive_buffer); return -1; } *new_ctx = ctx; diff --git a/crypto/aes/aesgcm-file-encrypt.c b/crypto/aes/aesgcm-file-encrypt.c index 4b8fe55c3..215fb1f31 100644 --- a/crypto/aes/aesgcm-file-encrypt.c +++ b/crypto/aes/aesgcm-file-encrypt.c @@ -683,11 +683,13 @@ int decrypt_file(const char *in_file, const char *out_file, const char *key_str) ctx = EVP_CIPHER_CTX_new(); if (ctx == NULL) { perror("EVP_CIPHER_CTX_new"); + ret = -1; goto exit; } if (EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, key, iv) != WOLFSSL_SUCCESS) { perror("EVP_DecryptInit_ex"); + ret = -1; goto exit; } while (1) { @@ -697,7 +699,8 @@ int decrypt_file(const char *in_file, const char *out_file, const char *key_str) if (EVP_DecryptUpdate(ctx, out_buf, &out_len, in_buf, in_len) != WOLFSSL_SUCCESS) { - perror("EVP_DecryptInit_ex"); + perror("EVP_DecryptUpdate"); + ret = -1; goto exit; } if (write(out_fd, out_buf, out_len) != out_len) { @@ -710,10 +713,13 @@ int decrypt_file(const char *in_file, const char *out_file, const char *key_str) if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, AES_IV_SIZE, tag_enc) != WOLFSSL_SUCCESS) { perror("EVP_CIPHER_CTX_ctrl"); + ret = -1; goto exit; } if (EVP_DecryptFinal_ex(ctx, out_buf, &out_len) != WOLFSSL_SUCCESS) { - perror("EVP_DecryptInit_ex"); + fprintf(stderr, + "Authentication failed, removing unverified output file\n"); + ret = -1; goto exit; } if (write(out_fd, out_buf, out_len) != out_len) { @@ -725,13 +731,12 @@ int decrypt_file(const char *in_file, const char *out_file, const char *key_str) if (ret == WOLFSSL_SUCCESS) { ret = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, AES_IV_SIZE, tag_dec); - if (ret == WOLFSSL_SUCCESS && + if (ret != WOLFSSL_SUCCESS || (memcmp(tag_enc, tag_dec, AESGCM_TAG_SIZE) != 0)) { - perror("TAG didn't match\n"); - /* Authentication failed, unauthenticated plaintext was - * already written to out_file above; remove it. */ - unlink(out_file); - exit(EXIT_FAILURE); + fprintf(stderr, + "Authentication failed, removing unverified output file\n"); + ret = -1; + goto exit; } } printf("File decryption with EVP GCM complete.\n"); @@ -740,6 +745,9 @@ int decrypt_file(const char *in_file, const char *out_file, const char *key_str) EVP_CIPHER_CTX_free(ctx); close(in_fd); close(out_fd); + if (ret != WOLFSSL_SUCCESS) { + unlink(out_file); + } return ret; } #endif @@ -782,11 +790,11 @@ text.bin", (file_sz/1024)+1, file_sz); pclose(pipe); #ifdef OPENSSL_EXTRA - const char *cmd_enc_evp ="./aesgcm-file-encrypt -e 256 -m 1 \ + const char *cmd_enc_evp ="./aesgcm-file-encrypt -e 256 -m 2 \ -k 77CF00EC060192530B5D06B6B426799B \ -v 77CF00EC060192530B5D06B6B426799B \ -i text.bin -o text2cipher.evp.bin"; - const char *cmd_dec_evp ="./aesgcm-file-encrypt -d 256 -m 1 \ + const char *cmd_dec_evp ="./aesgcm-file-encrypt -d 256 -m 2 \ -k 77CF00EC060192530B5D06B6B426799B \ -i text2cipher.evp.bin -o text2cipher2text.evp.bin"; const char *cmd_diff_evp = "diff -q text.bin text2cipher2text.evp.bin"; diff --git a/dtls/client-dtls-import.c b/dtls/client-dtls-import.c index d6ff02699..ebfb1ef6b 100644 --- a/dtls/client-dtls-import.c +++ b/dtls/client-dtls-import.c @@ -60,6 +60,7 @@ int main(int argc, char** argv) unsigned char* sessionBuf = NULL; unsigned int sessionSz = 0; int n; + int err_occurred = 0; /* Program argument checking */ if (argc < 2 || argc > 3) { @@ -149,6 +150,8 @@ int main(int argc, char** argv) int err = wolfSSL_get_error(ssl, ret); fprintf(stderr, "Error: wolfSSL_write failed: %d (%s)\n", err, wolfSSL_ERR_reason_error_string(err)); + ret = (ret != 0) ? ret : -1; + err_occurred = 1; break; } printf("Sent: %s", sendLine); @@ -164,6 +167,8 @@ int main(int argc, char** argv) if (err != SSL_ERROR_WANT_READ) { fprintf(stderr, "Error: wolfSSL_read failed: %d (%s)\n", err, wolfSSL_ERR_reason_error_string(err)); + ret = (n != 0) ? n : -1; + err_occurred = 1; break; } } @@ -171,7 +176,9 @@ int main(int argc, char** argv) printf("\nEnter message (or 'quit' to exit):\n"); } - ret = 0; + if (!err_occurred) { + ret = 0; + } cleanup: if (sessionBuf != NULL) free(sessionBuf); diff --git a/dtls/dtls-export-common.h b/dtls/dtls-export-common.h index 70f0a184c..5a362e284 100644 --- a/dtls/dtls-export-common.h +++ b/dtls/dtls-export-common.h @@ -276,10 +276,36 @@ unsigned char* LoadEncryptedSession(const char* filename, goto cleanup; } - /* Verify padding and original size */ - if (originalSz > encryptedSz) { - printf("Error: Invalid original size in file\n"); - goto cleanup; + /* Verify PKCS#7 padding and derive the trimmed size from it, rather + * than trusting the untrusted originalSz field on its own */ + { + unsigned char pad; + unsigned int i; + unsigned int trimmedSz; + + if (encryptedSz == 0) { + printf("Error: Invalid encrypted data size in file\n"); + goto cleanup; + } + + pad = decryptedData[encryptedSz - 1]; + if (pad < 1 || pad > AES_BLOCK_SZ || pad > encryptedSz) { + printf("Error: Invalid PKCS#7 padding in file\n"); + goto cleanup; + } + + for (i = 0; i < pad; i++) { + if (decryptedData[encryptedSz - 1 - i] != pad) { + printf("Error: Inconsistent PKCS#7 padding in file\n"); + goto cleanup; + } + } + + trimmedSz = encryptedSz - pad; + if (trimmedSz != originalSz) { + printf("Error: Original size in file does not match padding\n"); + goto cleanup; + } } *sessionSz = originalSz; diff --git a/dtls/memory-bio-dtls.c b/dtls/memory-bio-dtls.c index 9a84b3552..3560c73d4 100644 --- a/dtls/memory-bio-dtls.c +++ b/dtls/memory-bio-dtls.c @@ -170,7 +170,7 @@ int main() } srv_ssl = wolfSSL_new(srv_ctx); - if (srv_ctx == NULL) { + if (srv_ssl == NULL) { err_sys("bad server new"); } diff --git a/dtls/server-dtls-import.c b/dtls/server-dtls-import.c index f1a83b9c1..a999c947f 100644 --- a/dtls/server-dtls-import.c +++ b/dtls/server-dtls-import.c @@ -72,6 +72,7 @@ int main(int argc, char** argv) const char* sessionFile = DEFAULT_SERVER_SESSION_FILE; unsigned char* sessionBuf = NULL; unsigned int sessionSz = 0; + int err_occurred = 0; /* Program argument checking */ if (argc > 2) { @@ -202,6 +203,8 @@ int main(int argc, char** argv) int err = wolfSSL_get_error(ssl, ret); fprintf(stderr, "Error: wolfSSL_write failed: %d (%s)\n", err, wolfSSL_ERR_reason_error_string(err)); + ret = (ret != 0) ? ret : -1; + err_occurred = 1; break; } } @@ -210,12 +213,16 @@ int main(int argc, char** argv) if (err != SSL_ERROR_WANT_READ) { fprintf(stderr, "Error: wolfSSL_read failed: %d (%s)\n", err, wolfSSL_ERR_reason_error_string(err)); + ret = (recvLen != 0) ? recvLen : -1; + err_occurred = 1; break; } } } - ret = 0; + if (!err_occurred) { + ret = 0; + } cleanup: if (sessionBuf != NULL) free(sessionBuf); diff --git a/dtls/server-dtls13.c b/dtls/server-dtls13.c index 4c677d41c..4048f4c13 100644 --- a/dtls/server-dtls13.c +++ b/dtls/server-dtls13.c @@ -152,7 +152,7 @@ int main(int argc, char** argv) if (wolfSSL_set_fd(ssl, listenfd) != WOLFSSL_SUCCESS) { fprintf(stderr, "wolfSSL_set_fd error.\n"); - break; + goto cleanup; } if (wolfSSL_accept(ssl) != WOLFSSL_SUCCESS) { diff --git a/psk/server-psk.c b/psk/server-psk.c index 1fd11f79f..a5189955b 100644 --- a/psk/server-psk.c +++ b/psk/server-psk.c @@ -198,8 +198,8 @@ int main() if (n > 0) { printf("%s\n", buf); /* server response */ - if (wolfSSL_write(ssl, response, strlen(response)) > - strlen(response)) { + n = wolfSSL_write(ssl, response, strlen(response)); + if (n != (int)strlen(response)) { printf("Fatal error : respond: write error\n"); return 1; } diff --git a/tls-options/client-tls-cipher.c b/tls-options/client-tls-cipher.c index 1ca362c84..2ee5e4205 100644 --- a/tls-options/client-tls-cipher.c +++ b/tls-options/client-tls-cipher.c @@ -96,9 +96,8 @@ int main(int argc, char** argv) * Sets the socket to be stream based (TCP), * 0 means choose the default protocol. */ if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { + printf("ERROR: failed to create socket\n"); ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); goto end; } @@ -111,17 +110,15 @@ int main(int argc, char** argv) /* Get the server IPv4 address from the command line call */ if (inet_pton(AF_INET, argv[1], &servAddr.sin_addr) != 1) { + printf("ERROR: invalid address\n"); ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); goto end; } /* Connect to the server */ if ((ret = connect(sockfd, (struct sockaddr*) &servAddr, sizeof(servAddr))) == -1) { - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); + printf("ERROR: failed to connect\n"); goto end; } @@ -130,24 +127,22 @@ int main(int argc, char** argv) /*---------------------------------*/ /* Initialize wolfSSL */ if ((ret = wolfSSL_Init()) != WOLFSSL_SUCCESS) { - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); + printf("ERROR: failed to initialize the library\n"); goto socket_cleanup; } /* Create and initialize WOLFSSL_CTX */ if ((ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method())) == NULL) { + printf("ERROR: failed to create WOLFSSL_CTX\n"); ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); goto socket_cleanup; } /* Set cipher suite */ if (cipherList != NULL) { if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != WOLFSSL_SUCCESS) { - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); + printf("ERROR: failed to set cipher list: %s\n", cipherList); + ret = -1; goto ctx_cleanup; } } @@ -155,16 +150,14 @@ int main(int argc, char** argv) /* Load client certificates into WOLFSSL_CTX */ if ((ret = wolfSSL_CTX_load_verify_locations(ctx, CERT_FILE, NULL)) != SSL_SUCCESS) { - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); + printf("ERROR %d: failed to load %s\n", ret, CERT_FILE); goto ctx_cleanup; } /* Create a WOLFSSL object */ if ((ssl = wolfSSL_new(ctx)) == NULL) { ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); + printf("ERROR: failed to create WOLFSSL object\n"); goto ctx_cleanup; } @@ -190,9 +183,8 @@ int main(int argc, char** argv) printf("Message for server: "); memset(buff, 0, sizeof(buff)); if (fgets(buff, sizeof(buff), stdin) == NULL) { + printf("ERROR: failed to get message for server\n"); ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); goto cleanup; } len = strnlen(buff, sizeof(buff)); diff --git a/tls-options/client-tls-session.c b/tls-options/client-tls-session.c index 8096b87af..68ae903c4 100644 --- a/tls-options/client-tls-session.c +++ b/tls-options/client-tls-session.c @@ -223,6 +223,10 @@ int main(int argc, char **argv) */ if (strcmp(msg, "break") == 0) { session = wolfSSL_get_session(ssl); + if (session == NULL) { + print_SSL_error("failed wolfSSL_get_session", ssl); + break; + } ret = write_SESS(session, SAVED_SESS); break; } diff --git a/tls-options/server-tls-cipher.c b/tls-options/server-tls-cipher.c index 90a7eef7b..26f2541e5 100644 --- a/tls-options/server-tls-cipher.c +++ b/tls-options/server-tls-cipher.c @@ -109,9 +109,8 @@ int main(int argc, char **argv) * Sets the socket to be stream based (TCP), * 0 means choose the default protocol. */ if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) { + printf("ERROR: failed to create socket\n"); ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); goto exit; } @@ -119,18 +118,16 @@ int main(int argc, char **argv) /* Create and initialize WOLFSSL_CTX */ if ((ctx = wolfSSL_CTX_new(wolfTLSv1_2_server_method())) == NULL) { + printf("ERROR: failed to create CTX\n"); ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); goto exit; } /* Set cipher suite */ if (cipherList != NULL) { if (wolfSSL_CTX_set_cipher_list(ctx, cipherList) != WOLFSSL_SUCCESS) { + printf("ERROR: failed to set cipher list: %s\n", cipherList); ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); goto exit; } } @@ -138,16 +135,14 @@ int main(int argc, char **argv) /* Load server certificates into WOLFSSL_CTX */ if ((ret = wolfSSL_CTX_use_certificate_file(ctx, CERT_FILE, SSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) { - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); + printf("ERROR %d: failed to use certificate file %s\n", ret, CERT_FILE); goto exit; } /* Load server key into WOLFSSL_CTX */ if ((ret = wolfSSL_CTX_use_PrivateKey_file(ctx, KEY_FILE, SSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) { - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); + printf("ERROR %d: failed to use private key file %s\n", ret, KEY_FILE); goto exit; } @@ -165,17 +160,15 @@ int main(int argc, char **argv) /* Bind the server socket to our port */ if (bind(sockfd, (struct sockaddr*)&servAddr, sizeof(servAddr)) == -1) { - ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); + printf("ERROR: failed to bind socket\n"); + ret = -1; goto exit; } /* Listen for a new connection, allow 5 pending connections */ if (listen(sockfd, 5) == -1) { + printf("ERROR: failed to listen on socket\n"); ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); goto exit; } @@ -188,17 +181,15 @@ int main(int argc, char **argv) /* Accept client connections */ if ((connd = accept(sockfd, (struct sockaddr*)&clientAddr, &size)) == -1) { + printf("ERROR: failed to accept connection\n"); ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); goto exit; } /* Create a WOLFSSL object */ if ((ssl = wolfSSL_new(ctx)) == NULL) { ret = -1; - err = wolfSSL_get_error(ssl, ret); - printf("error = %d, %s\n", err, wolfSSL_ERR_error_string(err, buffer)); + printf("ERROR: failed to create WOLFSSL object\n"); goto exit; } diff --git a/tls/client-tls.c b/tls/client-tls.c index d83aca32d..53da03886 100644 --- a/tls/client-tls.c +++ b/tls/client-tls.c @@ -108,7 +108,7 @@ int main(int argc, char** argv) if (ctx == NULL) { fprintf(stderr, "ERROR: failed to create WOLFSSL_CTX\n"); ret = -1; - goto socket_cleanup; + goto ctx_cleanup; } /* Load client certificates into WOLFSSL_CTX */