From 9db74dc128c51994189685651760e3372fae0977 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 1 Nov 2024 11:56:50 -0500 Subject: [PATCH 1/2] configure.ac: add AM_MAINTAINER_MODE([disable]); add config-time assert for "dual-alg-certs is incompatible with --enable-cryptonly."; remove obsolete config-time check for "--enable-opensslextra without --enable-cryptonly is incompatible with --enable-linuxkm."; linuxkm/linuxkm_wc_port.h: add fallback definitions for INT32_MAX and UINT32_MAX; linuxkm/module_exports.c.template: add wolfssl/openssl/fips_rand.h; wolfssl/wolfcrypt/settings.h: add #undef HAVE_ATEXIT to WOLFSSL_LINUXKM settings; wolfssl/wolfcrypt/types.h: fix trailing comma in the DYNAMIC_TYPE_* enum. --- configure.ac | 8 +++++--- linuxkm/linuxkm_wc_port.h | 7 +++++++ linuxkm/module_exports.c.template | 3 +++ wolfssl/wolfcrypt/settings.h | 1 + wolfssl/wolfcrypt/types.h | 2 +- 5 files changed, 17 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 67298c4cd1..3ee0bf20a5 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,9 @@ AC_PREREQ([2.69]) AC_INIT([wolfssl],[5.7.4],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[https://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) +# Inhibit unwanted regeneration of autotools artifacts by Makefile. +AM_MAINTAINER_MODE([disable]) + # The following sets CFLAGS to empty if unset on command line. We do not # want the default "-g -O2" that AC_PROG_CC sets automatically. : ${CFLAGS=""} @@ -8902,6 +8905,8 @@ AC_ARG_ENABLE([dual-alg-certs], AS_IF([ test "$ENABLED_DUAL_ALG_CERTS" != "no" && test "$ENABLED_EXPERIMENTAL" != "yes" ],[ AC_MSG_ERROR([dual-alg-certs requires --enable-experimental.]) ]) +AS_IF([ test "$ENABLED_DUAL_ALG_CERTS" != "no" && test "$ENABLED_CRYPTONLY" = "yes" ],[ AC_MSG_ERROR([dual-alg-certs is incompatible with --enable-cryptonly.]) ]) + # Adds functionality to support Raw Public Key (RPK) RFC7250 AC_ARG_ENABLE([rpk], [AS_HELP_STRING([--enable-rpk],[Enable support for Raw Public Key (RPK) RFC7250 (default: disabled)])], @@ -9725,9 +9730,6 @@ if test "x$ENABLED_LINUXKM" = "xyes"; then AC_SUBST([ASFLAGS_FPUSIMD_DISABLE]) AC_SUBST([ASFLAGS_FPUSIMD_ENABLE]) - if test "$ENABLED_OPENSSLEXTRA" != "no" && test "$ENABLED_CRYPTONLY" = "no"; then - AC_MSG_ERROR([--enable-opensslextra without --enable-cryptonly is incompatible with --enable-linuxkm.]) - fi if test "$ENABLED_FILESYSTEM" = "yes"; then AC_MSG_ERROR([--enable-filesystem is incompatible with --enable-linuxkm.]) fi diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 1d53adc057..848f0dd7e5 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -918,6 +918,13 @@ #include + #ifndef INT32_MAX + #define INT32_MAX INT_MAX + #endif + #ifndef UINT32_MAX + #define UINT32_MAX UINT_MAX + #endif + /* Linux headers define these using C expressions, but we need * them to be evaluable by the preprocessor, for use in sp_int.h. */ diff --git a/linuxkm/module_exports.c.template b/linuxkm/module_exports.c.template index 77beef5bd1..76b7131d5c 100644 --- a/linuxkm/module_exports.c.template +++ b/linuxkm/module_exports.c.template @@ -215,3 +215,6 @@ #include #endif +#if defined(OPENSSL_EXTRA) && !defined(WC_NO_RNG) && defined(HAVE_HASHDRBG) +#include +#endif diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index c6608e3843..a0fe30ac2e 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3491,6 +3491,7 @@ extern void uITRON4_free(void *p) ; #undef HAVE_STRINGS_H #undef HAVE_ERRNO_H #undef HAVE_THREAD_LS + #undef HAVE_ATEXIT #undef WOLFSSL_HAVE_MIN #undef WOLFSSL_HAVE_MAX #define SIZEOF_LONG 8 diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 41ea648a54..8c5a7af4d1 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -1123,7 +1123,7 @@ typedef struct w64wrapper { DYNAMIC_TYPE_SNIFFER_KEY = 1006, DYNAMIC_TYPE_SNIFFER_KEYLOG_NODE = 1007, DYNAMIC_TYPE_SNIFFER_CHAIN_BUFFER = 1008, - DYNAMIC_TYPE_AES_EAX = 1009, + DYNAMIC_TYPE_AES_EAX = 1009 }; /* max error buffer string size */ From b41ce0427c7295412a2c417fe4063c323d69af4d Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 1 Nov 2024 12:43:08 -0500 Subject: [PATCH 2/2] src/pk.c: in pem_read_bio_key(), fix invalid read (ZD#18875). --- src/pk.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/src/pk.c b/src/pk.c index a78ec130c9..d8fdf2d85f 100644 --- a/src/pk.c +++ b/src/pk.c @@ -165,7 +165,26 @@ static int pem_read_bio_key(WOLFSSL_BIO* bio, wc_pem_password_cb* cb, /* Write left over data back to BIO if not a file BIO */ if ((ret > 0) && ((memSz - ret) > 0) && (bio->type != WOLFSSL_BIO_FILE)) { - int res = wolfSSL_BIO_write(bio, mem + ret, memSz - ret); + int res; + if (!alloced) { + /* If wolfssl_read_bio() points mem at the buffer internal to + * bio, we need to dup it before calling wolfSSL_BIO_write(), + * because the latter may reallocate the bio, invalidating the + * mem pointer before reading from it. + */ + char *mem_dup = (char *)XMALLOC((size_t)(memSz - ret), + NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (mem_dup != NULL) { + XMEMCPY(mem_dup, mem + ret, (size_t)(memSz - ret)); + res = wolfSSL_BIO_write(bio, mem_dup, memSz - ret); + mem = mem_dup; + alloced = 1; + } + else + res = MEMORY_E; + } + else + res = wolfSSL_BIO_write(bio, mem + ret, memSz - ret); if (res != memSz - ret) { WOLFSSL_ERROR_MSG("Unable to write back excess data"); if (res < 0) {