Fix F-570, F-572, F-573, F-574, F-575, F-645, F-646, F-647, F-648, F-649,

  F-657, F-658, F-659, F-660, F-732, F-733, F-734, F-735, F-736, F-740,
  F-741, F-742, F-1108, F-1109, F-1484, F-1485, F-1486, F-1487, F-1488,
  F-1489

Author: aidangarske

src/benchmark/clu_bench_setup.c

@@ -74,7 +74,7 @@ int wolfCLU_benchSetup(int argc, char** argv)
     }
 
     ret = wolfCLU_checkForArg("-time", 5, argc, argv);
-    if (ret > 0) {
+    if (ret > 0 && ret + 1 < argc) {
         /* time for each test in seconds */
         time = XATOI(argv[ret+1]);
         if (time < 1 || time > 10) {

src/certgen/clu_certgen_ed25519.c

@@ -62,6 +62,7 @@ int make_self_signed_ed25519_certificate(char* keyPath, char* certOut)
     }
     if (XFSEEK(keyFile, 0, SEEK_SET) != 0 || (int)XFREAD(keyBuf, 1, keyFileSz, keyFile) != keyFileSz) {
         XFCLOSE(keyFile);
+        XFREE(keyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         return WOLFCLU_FAILURE;
     }
     XFCLOSE(keyFile);

src/certgen/clu_certgen_rsa.c

@@ -32,6 +32,7 @@ int make_self_signed_rsa_certificate(char* keyPath, char* certOut, int oid)
 {
     int ret = 0;
     word32 index = 0;
+    int keyInit = 0, rngInit = 0;
 
     Cert newCert;
     RsaKey key;
@@ -42,10 +43,10 @@ int make_self_signed_rsa_certificate(char* keyPath, char* certOut, int oid)
     XFILE file;
     XFILE pemFile;
     byte* keyBuf;
-    int certBufSz;
-    byte* certBuf;
+    int certBufSz = 0;
+    byte* certBuf = NULL;
     int pemBufSz;
-    byte* pemBuf;
+    byte* pemBuf = NULL;
 
     keyFile = XFOPEN(keyPath, "rb");
     if (keyFile == NULL) {
@@ -62,6 +63,7 @@ int make_self_signed_rsa_certificate(char* keyPath, char* certOut, int oid)
     }
     if (XFSEEK(keyFile, 0, SEEK_SET) != 0 || (int)XFREAD(keyBuf, 1, keyFileSz, keyFile) != keyFileSz) {
         XFCLOSE(keyFile);
+        XFREE(keyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         return WOLFCLU_FAILURE;
     }
     XFCLOSE(keyFile);
@@ -72,19 +74,22 @@ int make_self_signed_rsa_certificate(char* keyPath, char* certOut, int oid)
         XFREE(keyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         return ret;
     }
+    keyInit = 1;
 
     ret = wc_InitRng(&rng);
     if (ret != 0) {
         wolfCLU_LogError("Failed to initialize rng.\nRET: %d", ret);
         XFREE(keyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+        wc_FreeRsaKey(&key);
         return ret;
     }
+    rngInit = 1;
 
     ret = wc_RsaPrivateKeyDecode(keyBuf, &index, &key, keyFileSz);
     XFREE(keyBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     if (ret != 0 ) {
         wolfCLU_LogError("Failed to decode private key.\nRET: %d", ret);
-        return ret;
+        goto cleanup;
     }
 
     wc_InitCert(&newCert);
@@ -99,36 +104,44 @@ int make_self_signed_rsa_certificate(char* keyPath, char* certOut, int oid)
 
     WOLFCLU_LOG(WOLFCLU_L0, "Enter your countries 2 digit code (ex: United States -> US): ");
     if (XFGETS(country,CTC_NAME_SIZE, stdin) == NULL) {
-        return WOLFCLU_FAILURE;
+        ret = WOLFCLU_FAILURE;
+        goto cleanup;
     }
     country[CTC_NAME_SIZE-1] = '\0';
     WOLFCLU_LOG(WOLFCLU_L0, "Enter the name of the province you are located at: ");
     if (XFGETS(province,CTC_NAME_SIZE, stdin) == NULL) {
-        return WOLFCLU_FAILURE;
+        ret = WOLFCLU_FAILURE;
+        goto cleanup;
     }
     WOLFCLU_LOG(WOLFCLU_L0, "Enter the name of the city you are located at: ");
     if (XFGETS(city,CTC_NAME_SIZE, stdin) == NULL) {
-        return WOLFCLU_FAILURE;
+        ret = WOLFCLU_FAILURE;
+        goto cleanup;
     }
     WOLFCLU_LOG(WOLFCLU_L0, "Enter the name of your orginization: ");
     if (XFGETS(org,CTC_NAME_SIZE, stdin) == NULL) {
-        return WOLFCLU_FAILURE;
+        ret = WOLFCLU_FAILURE;
+        goto cleanup;
     }
     WOLFCLU_LOG(WOLFCLU_L0, "Enter the name of your unit: ");
     if (XFGETS(unit,CTC_NAME_SIZE, stdin) == NULL) {
-        return WOLFCLU_FAILURE;
+        ret = WOLFCLU_FAILURE;
+        goto cleanup;
     }
     WOLFCLU_LOG(WOLFCLU_L0, "Enter the common name of your domain: ");
     if (XFGETS(commonName,CTC_NAME_SIZE, stdin) == NULL) {
-        return WOLFCLU_FAILURE;
+        ret = WOLFCLU_FAILURE;
+        goto cleanup;
     }
     WOLFCLU_LOG(WOLFCLU_L0, "Enter your email address: ");
     if (XFGETS(email,CTC_NAME_SIZE, stdin) == NULL) {
-        return WOLFCLU_FAILURE;
+        ret = WOLFCLU_FAILURE;
+        goto cleanup;
     }
     WOLFCLU_LOG(WOLFCLU_L0, "Enter the number of days this certificate should be valid: ");
     if (XFGETS(daysValid,CTC_NAME_SIZE, stdin) == NULL) {
-        return WOLFCLU_FAILURE;
+        ret = WOLFCLU_FAILURE;
+        goto cleanup;
     }
 
     XSTRNCPY(newCert.subject.country, country, CTC_NAME_SIZE);
@@ -162,22 +175,23 @@ int make_self_signed_rsa_certificate(char* keyPath, char* certOut, int oid)
     certBuf = (byte*) XMALLOC(FOURK_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     if (certBuf == NULL) {
         wolfCLU_LogError("Failed to initialize buffer to stort certificate.");
-        return -1;
+        ret = -1;
+        goto cleanup;
     }
     XMEMSET(certBuf, 0, FOURK_SZ);
 
     ret = wc_MakeCert(&newCert, certBuf, FOURK_SZ, &key, NULL, &rng);
     if (ret < 0) {
         wolfCLU_LogError("Failed to make certificate.");
-        return ret;
+        goto cleanup;
     }
     WOLFCLU_LOG(WOLFCLU_L0, "MakeCert returned %d", ret);
 
-    ret = wc_SignCert(newCert.bodySz, newCert.sigType, certBuf, FOURK_SZ, &key, 
+    ret = wc_SignCert(newCert.bodySz, newCert.sigType, certBuf, FOURK_SZ, &key,
                                                                    NULL, &rng);
     if (ret < 0) {
         wolfCLU_LogError("Failed to sign certificate.");
-        return ret;
+        goto cleanup;
     }
     WOLFCLU_LOG(WOLFCLU_L0, "SignCert returned %d", ret);
 
@@ -189,7 +203,8 @@ int make_self_signed_rsa_certificate(char* keyPath, char* certOut, int oid)
     file = XFOPEN(certOut, "wb");
     if (!file) {
         wolfCLU_LogError("failed to open file: %s", certOut);
-        return -1;
+        ret = -1;
+        goto cleanup;
     }
 
     ret = (int)XFWRITE(certBuf, 1, certBufSz, file);
@@ -205,30 +220,44 @@ int make_self_signed_rsa_certificate(char* keyPath, char* certOut, int oid)
     pemBuf = (byte*)XMALLOC(FOURK_SZ, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     if (pemBuf == NULL) {
         wolfCLU_LogError("Failed to initialize pem buffer.");
-        return -1;
+        ret = -1;
+        goto cleanup;
     }
     XMEMSET(pemBuf, 0, FOURK_SZ);
 
     pemBufSz = wc_DerToPem(certBuf, certBufSz, pemBuf, FOURK_SZ, CERT_TYPE);
     if (pemBufSz < 0) {
         wolfCLU_LogError("Failed to convert from der to pem.");
-        return -1;
+        ret = -1;
+        goto cleanup;
     }
 
     WOLFCLU_LOG(WOLFCLU_L0, "Resulting pem buffer is %d bytes", pemBufSz);
 
     pemFile = XFOPEN(certOut, "wb");
     if (!pemFile) {
         wolfCLU_LogError("failed to open file: %s", certOut);
-        return -1;
+        ret = -1;
+        goto cleanup;
     }
     XFWRITE(pemBuf, 1, pemBufSz, pemFile);
     XFCLOSE(pemFile);
     WOLFCLU_LOG(WOLFCLU_L0, "Successfully converted the der to pem. Result is in:  %s\n",
                                                                  certOut);
 
-    free_things_rsa(&pemBuf, &certBuf, NULL, &key, NULL, &rng);
-    return 1;
+    ret = 1;
+
+cleanup:
+    if (pemBuf != NULL)
+        XFREE(pemBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (certBuf != NULL)
+        XFREE(certBuf, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    if (keyInit)
+        wc_FreeRsaKey(&key);
+    if (rngInit)
+        wc_FreeRng(&rng);
+
+    return ret;
 }
 
 void free_things_rsa(byte** a, byte** b, byte** c, RsaKey* d, RsaKey* e,

src/crypto/clu_crypto_setup.c

@@ -186,14 +186,14 @@ int wolfCLU_setup(int argc, char** argv, char action)
                     return WOLFCLU_FATAL_ERROR;
                 }
                 else {
-                    ivString = (char*)XMALLOC(XSTRLEN(optarg), HEAP_HINT,
+                    ivString = (char*)XMALLOC(XSTRLEN(optarg) + 1, HEAP_HINT,
                         DYNAMIC_TYPE_TMP_BUFFER);
                     if (ivString == NULL) {
                         wolfCLU_freeBins(pwdKey, iv, key, NULL, NULL);
                         return MEMORY_E;
                     }
 
-                    XSTRLCPY(ivString, optarg, XSTRLEN(optarg));
+                    XSTRLCPY(ivString, optarg, XSTRLEN(optarg) + 1);
                     ret = wolfCLU_hexToBin(ivString, &iv, &ivSize,
                                        NULL, NULL, NULL,
                                        NULL, NULL, NULL,
@@ -268,14 +268,14 @@ int wolfCLU_setup(int argc, char** argv, char action)
             else {
                 char* keyString;
 
-                keyString = (char*)XMALLOC(XSTRLEN(optarg), HEAP_HINT,
+                keyString = (char*)XMALLOC(XSTRLEN(optarg) + 1, HEAP_HINT,
                         DYNAMIC_TYPE_TMP_BUFFER);
                 if (keyString == NULL) {
                     wolfCLU_freeBins(pwdKey, iv, key, NULL, NULL);
                     return MEMORY_E;
                 }
 
-                XSTRLCPY(keyString, optarg, XSTRLEN(optarg));
+                XSTRLCPY(keyString, optarg, XSTRLEN(optarg) + 1);
                 ret = wolfCLU_hexToBin(keyString, &key, &numBits,
                                        NULL, NULL, NULL,
                                        NULL, NULL, NULL,

src/genkey/clu_genkey.c

@@ -386,9 +386,10 @@ static int wolfCLU_ECC_write_priv_der(WOLFSSL_BIO* out, WOLFSSL_EC_KEY* key)
     }
 
     if (ret > 0) {
-        WOLFCLU_LOG(WOLFCLU_L0, "writing out %d bytes for private key", derSz);
-        ret = wolfSSL_BIO_write(out, der, derSz);
-        if (ret != derSz) {
+        int actualDerSz = ret;
+        WOLFCLU_LOG(WOLFCLU_L0, "writing out %d bytes for private key", actualDerSz);
+        ret = wolfSSL_BIO_write(out, der, actualDerSz);
+        if (ret != actualDerSz) {
             ret = WOLFCLU_FATAL_ERROR;
         }
         WOLFCLU_LOG(WOLFCLU_L0, "ret of write = %d", ret);

src/genkey/clu_genkey_setup.c

@@ -451,7 +451,7 @@ int wolfCLU_genKeySetup(int argc, char** argv)
 
         /* get the height argument */
         ret = wolfCLU_checkForArg("-height", 7, argc, argv);
-        if (ret > 0 || argv[ret+1] != NULL) {
+        if (ret > 0 && argv[ret+1] != NULL) {
             WOLFCLU_LOG(WOLFCLU_L0, "Height: %s", argv[ret+1]);
 
             if (XSTRNCMP(argv[ret+1], "20", 2) == 0
@@ -473,7 +473,7 @@ int wolfCLU_genKeySetup(int argc, char** argv)
 
         /* get the layer argument */
         ret = wolfCLU_checkForArg("-layer", 6, argc, argv);
-        if (ret > 0 || argv[ret+1] != NULL) {
+        if (ret > 0 && argv[ret+1] != NULL) {
             WOLFCLU_LOG(WOLFCLU_L0, "Layer: %s", argv[ret+1]);
 
             switch (height) {
@@ -610,7 +610,7 @@ int wolfCLU_genKeySetup(int argc, char** argv)
 
         /* get the height argument */
         ret = wolfCLU_checkForArg("-height", 7, argc, argv);
-        if (ret > 0 || argv[ret+1] != NULL) {
+        if (ret > 0 && argv[ret+1] != NULL) {
             WOLFCLU_LOG(WOLFCLU_L0, "Height: %s", argv[ret+1]);
 
             if (XSTRNCMP(argv[ret+1], "10", 2) == 0) {

src/hash/clu_alg_hash.c

@@ -40,27 +40,39 @@ int wolfCLU_algHashSetup(int argc, char** argv, int algorithm)
             alg = (char*)"md5";
             size = WC_MD5_DIGEST_SIZE;
             break;
+        #else
+            wolfCLU_LogError("MD5 not compiled in");
+            return NOT_COMPILED_IN;
         #endif
 
         case WOLFCLU_CERT_SHA256:
         #ifndef NO_SHA256
             alg = (char*)"sha256";
             size = WC_SHA256_DIGEST_SIZE;
             break;
+        #else
+            wolfCLU_LogError("SHA-256 not compiled in");
+            return NOT_COMPILED_IN;
         #endif
 
         case WOLFCLU_CERT_SHA384:
         #ifdef WOLFSSL_SHA384
             alg = (char*)"sha384";
             size = WC_SHA384_DIGEST_SIZE;
             break;
+        #else
+            wolfCLU_LogError("SHA-384 not compiled in");
+            return NOT_COMPILED_IN;
         #endif
 
         case WOLFCLU_CERT_SHA512:
         #ifdef WOLFSSL_SHA512
             alg = (char*)"sha512";
             size = WC_SHA512_DIGEST_SIZE;
             break;
+        #else
+            wolfCLU_LogError("SHA-512 not compiled in");
+            return NOT_COMPILED_IN;
         #endif
 
         default:

src/hash/clu_hash_setup.c

@@ -94,7 +94,7 @@ int wolfCLU_hashSetup(int argc, char** argv)
 
     /* returns location of the arg in question if present */
     ret = wolfCLU_checkForArg("-in", 3, argc, argv);
-    if (ret > 0) {
+    if (ret > 0 && ret + 1 < argc) {
         bioIn = wolfSSL_BIO_new_file(argv[ret+1], "rb");
         if (bioIn == NULL) {
             wolfCLU_LogError("unable to open file %s", argv[ret+1]);
@@ -104,7 +104,7 @@ int wolfCLU_hashSetup(int argc, char** argv)
     }
 
     ret = wolfCLU_checkForArg("-out", 4, argc, argv);
-    if (ret > 0) {
+    if (ret > 0 && ret + 1 < argc) {
         bioOut = wolfSSL_BIO_new_file(argv[ret+1], "wb");
         if (bioOut == NULL) {
             wolfCLU_LogError("unable to open output file %s",
@@ -114,7 +114,7 @@ int wolfCLU_hashSetup(int argc, char** argv)
     }
 
     ret = wolfCLU_checkForArg("-size", 5, argc, argv);
-    if (ret > 0) {
+    if (ret > 0 && ret + 1 < argc) {
         /* size of output */
 #ifndef HAVE_BLAKE2
         wolfCLU_LogError("%s: -size is only valid when blake2 is enabled.",

src/ocsp/clu_ocsp.c

@@ -884,6 +884,7 @@ static int ocspResponder(OcspResponderConfig* config)
     freeIndexEntries(indexEntries);
     XFREE(caCertDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(signerCertDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
+    wolfCLU_ForceZero(signerKeyDer, signerKeyDerSz);
     XFREE(signerKeyDer, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
     XFREE(caSubject, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
 

src/pkcs/clu_pkcs12.c

@@ -234,6 +234,7 @@ int wolfCLU_PKCS12(int argc, char** argv)
         }
     }
 
+    wolfCLU_ForceZero(password, MAX_PASSWORD_SIZE);
     wolfSSL_BIO_free(bioIn);
     wolfSSL_BIO_free(bioOut);
     wolfSSL_EVP_PKEY_free(pkey);