From 692f2690452b411baf859e8e2dbf3373b1d7a3d5 Mon Sep 17 00:00:00 2001 From: Andy Green Date: Wed, 19 Aug 2020 07:46:21 +0100 Subject: [PATCH] coverity: 62140: if newer mbedtls apis available use and check returns mbedtls has older and newer hashing apis, if we detected the newer ones we use them like the older ones since generally, hashing doesn't have a way to fail for sha and md5 update etc. Coverity objects... change it to dumbly check the retcode. --- lib/tls/mbedtls/lws-genhash.c | 150 +++++++++++++++++++++++++++++----- 1 file changed, 131 insertions(+), 19 deletions(-) diff --git a/lib/tls/mbedtls/lws-genhash.c b/lib/tls/mbedtls/lws-genhash.c index a32d2152d..b983686a7 100644 --- a/lib/tls/mbedtls/lws-genhash.c +++ b/lib/tls/mbedtls/lws-genhash.c @@ -28,10 +28,10 @@ #include #if (MBEDTLS_VERSION_NUMBER >= 0x02070000) -#define MBA(fn) fn##_ret -#else -#define MBA(fn) fn -#endif + +/* + * We have the _ret variants available, check the return codes on everything + */ int lws_genhash_init(struct lws_genhash_ctx *ctx, enum lws_genhash_types type) @@ -41,23 +41,28 @@ lws_genhash_init(struct lws_genhash_ctx *ctx, enum lws_genhash_types type) switch (ctx->type) { case LWS_GENHASH_TYPE_MD5: mbedtls_md5_init(&ctx->u.md5); - MBA(mbedtls_md5_starts)(&ctx->u.md5); + if (mbedtls_md5_starts_ret(&ctx->u.md5)) + return 1; break; case LWS_GENHASH_TYPE_SHA1: mbedtls_sha1_init(&ctx->u.sha1); - MBA(mbedtls_sha1_starts)(&ctx->u.sha1); + if (mbedtls_sha1_starts_ret(&ctx->u.sha1)) + return 1; break; case LWS_GENHASH_TYPE_SHA256: mbedtls_sha256_init(&ctx->u.sha256); - MBA(mbedtls_sha256_starts)(&ctx->u.sha256, 0); + if (mbedtls_sha256_starts_ret(&ctx->u.sha256, 0)) + return 1; break; case LWS_GENHASH_TYPE_SHA384: mbedtls_sha512_init(&ctx->u.sha512); - MBA(mbedtls_sha512_starts)(&ctx->u.sha512, 1 /* is384 */); + if (mbedtls_sha512_starts_ret(&ctx->u.sha512, 1 /* is384 */)) + return 1; break; case LWS_GENHASH_TYPE_SHA512: mbedtls_sha512_init(&ctx->u.sha512); - MBA(mbedtls_sha512_starts)(&ctx->u.sha512, 0); + if (mbedtls_sha512_starts_ret(&ctx->u.sha512, 0)) + return 1; break; default: return 1; @@ -74,19 +79,24 @@ lws_genhash_update(struct lws_genhash_ctx *ctx, const void *in, size_t len) switch (ctx->type) { case LWS_GENHASH_TYPE_MD5: - MBA(mbedtls_md5_update)(&ctx->u.md5, in, len); + if (mbedtls_md5_update_ret(&ctx->u.md5, in, len)) + return 1; break; case LWS_GENHASH_TYPE_SHA1: - MBA(mbedtls_sha1_update)(&ctx->u.sha1, in, len); + if (mbedtls_sha1_update_ret(&ctx->u.sha1, in, len)) + return 1; break; case LWS_GENHASH_TYPE_SHA256: - MBA(mbedtls_sha256_update)(&ctx->u.sha256, in, len); + if (mbedtls_sha256_update_ret(&ctx->u.sha256, in, len)) + return 1; break; case LWS_GENHASH_TYPE_SHA384: - MBA(mbedtls_sha512_update)(&ctx->u.sha512, in, len); + if (mbedtls_sha512_update_ret(&ctx->u.sha512, in, len)) + return 1; break; case LWS_GENHASH_TYPE_SHA512: - MBA(mbedtls_sha512_update)(&ctx->u.sha512, in, len); + if (mbedtls_sha512_update_ret(&ctx->u.sha512, in, len)) + return 1; break; } @@ -98,23 +108,28 @@ lws_genhash_destroy(struct lws_genhash_ctx *ctx, void *result) { switch (ctx->type) { case LWS_GENHASH_TYPE_MD5: - MBA(mbedtls_md5_finish)(&ctx->u.md5, result); + if (mbedtls_md5_finish_ret(&ctx->u.md5, result)) + return 1; mbedtls_md5_free(&ctx->u.md5); break; case LWS_GENHASH_TYPE_SHA1: - MBA(mbedtls_sha1_finish)(&ctx->u.sha1, result); + if (mbedtls_sha1_finish_ret(&ctx->u.sha1, result)) + return 1; mbedtls_sha1_free(&ctx->u.sha1); break; case LWS_GENHASH_TYPE_SHA256: - MBA(mbedtls_sha256_finish)(&ctx->u.sha256, result); + if (mbedtls_sha256_finish_ret(&ctx->u.sha256, result)) + return 1; mbedtls_sha256_free(&ctx->u.sha256); break; case LWS_GENHASH_TYPE_SHA384: - MBA(mbedtls_sha512_finish)(&ctx->u.sha512, result); + if (mbedtls_sha512_finish_ret(&ctx->u.sha512, result)) + return 1; mbedtls_sha512_free(&ctx->u.sha512); break; case LWS_GENHASH_TYPE_SHA512: - MBA(mbedtls_sha512_finish)(&ctx->u.sha512, result); + if (mbedtls_sha512_finish_ret(&ctx->u.sha512, result)) + return 1; mbedtls_sha512_free(&ctx->u.sha512); break; } @@ -122,6 +137,103 @@ lws_genhash_destroy(struct lws_genhash_ctx *ctx, void *result) return 0; } +#else + +/* + * mbedtls is too old to have the _ret variants + */ + +int +lws_genhash_init(struct lws_genhash_ctx *ctx, enum lws_genhash_types type) +{ + ctx->type = type; + + switch (ctx->type) { + case LWS_GENHASH_TYPE_MD5: + mbedtls_md5_init(&ctx->u.md5); + mbedtls_md5_starts(&ctx->u.md5); + break; + case LWS_GENHASH_TYPE_SHA1: + mbedtls_sha1_init(&ctx->u.sha1); + mbedtls_sha1_starts(&ctx->u.sha1); + break; + case LWS_GENHASH_TYPE_SHA256: + mbedtls_sha256_init(&ctx->u.sha256); + mbedtls_sha256_starts(&ctx->u.sha256, 0); + break; + case LWS_GENHASH_TYPE_SHA384: + mbedtls_sha512_init(&ctx->u.sha512); + mbedtls_sha512_starts(&ctx->u.sha512, 1 /* is384 */); + break; + case LWS_GENHASH_TYPE_SHA512: + mbedtls_sha512_init(&ctx->u.sha512); + mbedtls_sha512_starts(&ctx->u.sha512, 0); + break; + default: + return 1; + } + + return 0; +} + +int +lws_genhash_update(struct lws_genhash_ctx *ctx, const void *in, size_t len) +{ + if (!len) + return 0; + + switch (ctx->type) { + case LWS_GENHASH_TYPE_MD5: + mbedtls_md5_update(&ctx->u.md5, in, len); + break; + case LWS_GENHASH_TYPE_SHA1: + mbedtls_sha1_update(&ctx->u.sha1, in, len); + break; + case LWS_GENHASH_TYPE_SHA256: + mbedtls_sha256_update(&ctx->u.sha256, in, len); + break; + case LWS_GENHASH_TYPE_SHA384: + mbedtls_sha512_update(&ctx->u.sha512, in, len); + break; + case LWS_GENHASH_TYPE_SHA512: + mbedtls_sha512_update(&ctx->u.sha512, in, len); + break; + } + + return 0; +} + +int +lws_genhash_destroy(struct lws_genhash_ctx *ctx, void *result) +{ + switch (ctx->type) { + case LWS_GENHASH_TYPE_MD5: + mbedtls_md5_finish(&ctx->u.md5, result); + mbedtls_md5_free(&ctx->u.md5); + break; + case LWS_GENHASH_TYPE_SHA1: + mbedtls_sha1_finish(&ctx->u.sha1, result); + mbedtls_sha1_free(&ctx->u.sha1); + break; + case LWS_GENHASH_TYPE_SHA256: + mbedtls_sha256_finish(&ctx->u.sha256, result); + mbedtls_sha256_free(&ctx->u.sha256); + break; + case LWS_GENHASH_TYPE_SHA384: + mbedtls_sha512_finish(&ctx->u.sha512, result); + mbedtls_sha512_free(&ctx->u.sha512); + break; + case LWS_GENHASH_TYPE_SHA512: + mbedtls_sha512_finish(&ctx->u.sha512, result); + mbedtls_sha512_free(&ctx->u.sha512); + break; + } + + return 0; +} + +#endif + int lws_genhmac_init(struct lws_genhmac_ctx *ctx, enum lws_genhmac_types type, const uint8_t *key, size_t key_len)