diff --git a/.github/workflows/wolfCrypt-Wconversion.yml b/.github/workflows/wolfCrypt-Wconversion.yml index 22f787b8d4..576b7e29bc 100644 --- a/.github/workflows/wolfCrypt-Wconversion.yml +++ b/.github/workflows/wolfCrypt-Wconversion.yml @@ -18,17 +18,17 @@ jobs: matrix: config: [ # Add new configs here - '--disable-asm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"', - '--enable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"', - '--enable-smallstack --disable-asm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"', - '--enable-smallstack --enable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion"', - '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -DNO_INT128"', - '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wdeclaration-after-statement -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion" --enable-32bit CFLAGS=-m32', - '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem=yes,small CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -DNO_INT128"', - '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem=yes,no-large-code CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -DNO_INT128"', - '--enable-smallstack --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -DNO_INT128"', - '--disable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -Wdeclaration-after-statement -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion" --enable-32bit CFLAGS=-m32', - '--disable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem=yes,small CPPFLAGS="-DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -DNO_INT128"', + '--disable-asm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"', + '--enable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"', + '--enable-smallstack --disable-asm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"', + '--enable-smallstack --enable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual"', + '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -DNO_INT128 -Wcast-qual"', + '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wdeclaration-after-statement -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual" --enable-32bit CFLAGS=-m32', + '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem=yes,small CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual -DNO_INT128"', + '--enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem=yes,no-large-code CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual -DNO_INT128"', + '--enable-smallstack --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual -DNO_INT128"', + '--disable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem CPPFLAGS="-DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -Wdeclaration-after-statement -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual" --enable-32bit CFLAGS=-m32', + '--disable-intelasm --enable-cryptonly --enable-all-crypto --disable-examples --disable-benchmark --disable-crypttests --enable-mlkem=yes,small CPPFLAGS="-DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -Wconversion -Warith-conversion -Wenum-conversion -Wfloat-conversion -Wsign-conversion -Wcast-qual -DNO_INT128"', ] name: build library if: github.repository_owner == 'wolfssl' diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 3bcb317b8d..61f67b7121 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -705,8 +705,6 @@ WOLFSSL_ATMEL_TIME WOLFSSL_BEFORE_DATE_CLOCK_SKEW WOLFSSL_BIGINT_TYPES WOLFSSL_BIO_NO_FLOW_STATS -WOLFSSL_BLAKE2B_INIT_EACH_FIELD -WOLFSSL_BLAKE2S_INIT_EACH_FIELD WOLFSSL_BYTESWAP32_ASM WOLFSSL_CAAM_BLACK_KEY_AESCCM WOLFSSL_CAAM_BLACK_KEY_SM diff --git a/doc/dox_comments/header_files/signature.h b/doc/dox_comments/header_files/signature.h index 6113887837..5ab04f2cdf 100644 --- a/doc/dox_comments/header_files/signature.h +++ b/doc/dox_comments/header_files/signature.h @@ -80,7 +80,7 @@ int wc_SignatureVerify( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* data, word32 data_len, const byte* sig, word32 sig_len, - const void* key, word32 key_len); + void* key, word32 key_len); /*! \ingroup Signature @@ -143,7 +143,7 @@ int wc_SignatureGenerate( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* data, word32 data_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, + void* key, word32 key_len, WC_RNG* rng); /*! @@ -194,7 +194,7 @@ int wc_SignatureVerifyHash(enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* hash_data, word32 hash_len, const byte* sig, word32 sig_len, - const void* key, word32 key_len); + void* key, word32 key_len); /*! \ingroup Signature @@ -245,7 +245,7 @@ int wc_SignatureGenerateHash(enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* hash_data, word32 hash_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, + void* key, word32 key_len, WC_RNG* rng); /*! @@ -296,7 +296,7 @@ int wc_SignatureGenerateHash_ex(enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* hash_data, word32 hash_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, + void* key, word32 key_len, WC_RNG* rng, int verify); /*! @@ -346,5 +346,5 @@ int wc_SignatureGenerate_ex(enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* data, word32 data_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, + void* key, word32 key_len, WC_RNG* rng, int verify); diff --git a/src/internal.c b/src/internal.c index 516f7ccc68..1f1bfac3f3 100644 --- a/src/internal.c +++ b/src/internal.c @@ -13384,7 +13384,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, word32 domainLen, { int match = 0; DNS_entry* altName = NULL; - char *buf; + const char *buf; word32 len; WOLFSSL_MSG("Checking AltNames"); diff --git a/src/ocsp.c b/src/ocsp.c index 0eeec81538..30db41c0ce 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -2131,8 +2131,8 @@ int wolfSSL_OCSP_request_add1_nonce(OcspRequest* req, unsigned char* val, */ int wolfSSL_OCSP_check_nonce(OcspRequest* req, WOLFSSL_OCSP_BASICRESP* bs) { - byte* reqNonce = NULL; - byte* rspNonce = NULL; + const byte* reqNonce = NULL; + const byte* rspNonce = NULL; int reqNonceSz = 0; int rspNonceSz = 0; diff --git a/src/ssl_certman.c b/src/ssl_certman.c index eafa52ceb3..00acd00371 100644 --- a/src/ssl_certman.c +++ b/src/ssl_certman.c @@ -1265,7 +1265,9 @@ static WC_INLINE int cm_restore_cert_row(WOLFSSL_CERT_MANAGER* cm, if (ret == 0) { /* Copy in certificate name. */ - XMEMCPY(signer->name, current + idx, (size_t)signer->nameLen); + /* safe cast -- allocated by above XMALLOC(). */ + XMEMCPY((void *)(wc_ptr_t)signer->name, current + idx, + (size_t)signer->nameLen); idx += signer->nameLen; /* Copy in hash of subject name. */ diff --git a/src/x509.c b/src/x509.c index 8fc8edc57b..ea79fba4cd 100644 --- a/src/x509.c +++ b/src/x509.c @@ -3061,6 +3061,7 @@ int wolfSSL_X509_add_altname_ex(WOLFSSL_X509* x509, const char* name, newAltName->type = type; newAltName->len = (int)nameSz; newAltName->name = nameCopy; + newAltName->nameStored = 1; x509->altNames = newAltName; return WOLFSSL_SUCCESS; @@ -4259,7 +4260,8 @@ char* wolfSSL_X509_get_next_altname(WOLFSSL_X509* cert) return NULL; } - ret = cert->altNamesNext->name; + /* unsafe cast required for ABI compatibility. */ + ret = (char *)(wc_ptr_t)cert->altNamesNext->name; #ifdef WOLFSSL_IP_ALT_NAME /* return the IP address as a string */ if (cert->altNamesNext->type == ASN_IP_TYPE) { diff --git a/tests/api/test_ocsp.c b/tests/api/test_ocsp.c index 06c527bf82..cd01c7372d 100644 --- a/tests/api/test_ocsp.c +++ b/tests/api/test_ocsp.c @@ -251,7 +251,7 @@ int test_ocsp_basic_verify(void) WOLFSSL_SUCCESS); /* verify that the signature is checked */ if (EXPECT_SUCCESS()) { - response->sig[0] ^= 0xff; + ((byte *)(wc_ptr_t)response->sig)[0] ^= 0xff; } ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, NULL, NULL, OCSP_NOVERIFY), WOLFSSL_FAILURE); @@ -285,12 +285,12 @@ int test_ocsp_basic_verify(void) WOLFSSL_SUCCESS); /* make invalid signature */ if (EXPECT_SUCCESS()) { - response->sig[0] ^= 0xff; + ((byte *)(wc_ptr_t)response->sig)[0] ^= 0xff; } ExpectIntEQ(wolfSSL_OCSP_basic_verify(response, NULL, store, 0), WOLFSSL_FAILURE); if (EXPECT_SUCCESS()) { - response->sig[0] ^= 0xff; + ((byte *)(wc_ptr_t)response->sig)[0] ^= 0xff; } /* cert embedded and in certs, no store needed bc OCSP_TRUSTOTHER */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index c6b0525ca8..79714815e4 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1496,7 +1496,7 @@ static int GetASN_StoreData(const ASNItem* asn, ASNGetData* data, } FALL_THROUGH; case ASN_DATA_TYPE_MP_INITED: - err = mp_read_unsigned_bin(data->data.mp, (byte*)input + idx, + err = mp_read_unsigned_bin(data->data.mp, (const byte*)input + idx, (word32)len); if (err != 0) { #ifdef WOLFSSL_DEBUG_ASN_TEMPLATE @@ -2257,9 +2257,10 @@ void GetASN_GetConstRef(ASNGetData * dataASN, const byte** data, word32* length) * @param [out] data Pointer to data of item. * @param [out] length Length of buffer in bytes. */ -void GetASN_GetRef(ASNGetData * dataASN, byte** data, word32* length) +void GetASN_GetRef(const ASNGetData * dataASN, const byte** data, + word32* length) { - *data = (byte*)dataASN->data.ref.data; + *data = (const byte*)dataASN->data.ref.data; *length = dataASN->data.ref.length; } @@ -2269,9 +2270,10 @@ void GetASN_GetRef(ASNGetData * dataASN, byte** data, word32* length) * @param [out] data Pointer to . * @param [out] length Length of buffer in bytes. */ -void GetASN_OIDData(ASNGetData * dataASN, byte** data, word32* length) +void GetASN_OIDData(const ASNGetData * dataASN, const byte** data, + word32* length) { - *data = (byte*)dataASN->data.oid.data; + *data = (const byte*)dataASN->data.oid.data; *length = dataASN->data.oid.length; } @@ -10158,10 +10160,10 @@ int DecryptContent(byte* input, word32 sz, const char* password, int passwordSz) word32 keySz = 0; word32 saltSz = 0; word32 shaOid = 0; - byte* salt = NULL; - byte* key = NULL; + const byte* salt = NULL; + const byte* key = NULL; byte cbcIv[MAX_IV_SIZE]; - byte* params = NULL; + const byte* params = NULL; WOLFSSL_ENTER("DecryptContent"); @@ -10248,9 +10250,10 @@ int DecryptContent(byte* input, word32 sz, const char* password, int passwordSz) if (ret == 0) { /* Decrypt the key. */ + /* safe cast -- key is actually inside the readwrite "input" buffer. */ ret = wc_CryptKey( - password, passwordSz, salt, (int)saltSz, (int)iterations, id, key, - (int)keySz, version, cbcIv, 0, (int)shaOid); + password, passwordSz, salt, (int)saltSz, (int)iterations, id, + (byte *)(wc_ptr_t)key, (int)keySz, version, cbcIv, 0, (int)shaOid); } if (ret == 0) { /* Copy the decrypted key into the input (inline). */ @@ -10473,8 +10476,10 @@ static int EncryptContentPBES2(byte* input, word32 inputSz, byte* out, (int)(p8EncPbes2ASN_Length - P8ENCPBES2ASN_IDX_ALGO_SEQ), out); - saltEnc = (byte*) - dataASN[P8ENCPBES2ASN_IDX_ALGO_PARAMS_PBKDF2_SALT].data.buffer.data; + /* safe cast -- the pointer is actually inside the output buffer. */ + saltEnc = (byte*)(wc_ptr_t) + dataASN[P8ENCPBES2ASN_IDX_ALGO_PARAMS_PBKDF2_SALT]. + data.buffer.data; if (genSalt) { /* Generate salt into encoding. */ ret = wc_RNG_GenerateBlock(rng, saltEnc, saltSz); @@ -10484,13 +10489,15 @@ static int EncryptContentPBES2(byte* input, word32 inputSz, byte* out, } } if (ret == 0) { - cbcIv = (byte*) + /* safe cast -- the pointer is actually inside the output buffer. */ + cbcIv = (byte*)(wc_ptr_t) dataASN[P8ENCPBES2ASN_IDX_ALGO_ENCS_PARAMS].data.buffer.data; ret = wc_RNG_GenerateBlock(rng, cbcIv, (word32)blockSz); } if (ret == 0) { /* Store PKCS#8 key in output buffer. */ - byte* pkcs8 = (byte*) + /* safe cast -- the pointer is actually inside the output buffer. */ + byte* pkcs8 = (byte*)(wc_ptr_t) dataASN[P8ENCPBES2ASN_IDX_ENCDATA].data.buffer.data; XMEMCPY(pkcs8, input, inputSz); (void)wc_PkcsPad(pkcs8, inputSz, (word32)blockSz); @@ -10655,16 +10662,19 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz, if (salt == NULL) { /* Generate salt into encoding. */ - salt = (byte*)dataASN[P8ENCPBES1ASN_IDX_ENCALGO_PBEPARAM_SALT]. - data.buffer.data; + /* safe cast -- the pointer is actually inside the output buffer. */ + salt = (byte*)(wc_ptr_t) + dataASN[P8ENCPBES1ASN_IDX_ENCALGO_PBEPARAM_SALT]. + data.buffer.data; ret = wc_RNG_GenerateBlock(rng, salt, saltSz); } } if (ret == 0) { byte cbcIv[MAX_IV_SIZE]; /* Store PKCS#8 key in output buffer. */ - byte* pkcs8 = - (byte*)dataASN[P8ENCPBES1ASN_IDX_ENCDATA].data.buffer.data; + /* safe cast -- the pointer is actually inside the output buffer. */ + byte* pkcs8 = (byte*)(wc_ptr_t) + dataASN[P8ENCPBES1ASN_IDX_ENCDATA].data.buffer.data; XMEMCPY(pkcs8, input, inputSz); (void)wc_PkcsPad(pkcs8, inputSz, (word32)blockSz); @@ -11914,12 +11924,33 @@ void FreeAltNames(DNS_entry* altNames, void* heap) while (altNames) { DNS_entry* tmp = altNames->next; - XFREE(altNames->name, heap, DYNAMIC_TYPE_ALTNAME); + if (altNames->nameStored) { + /* safe cast -- .nameStored signifies that the pointer comes from + * our own earlier XMALLOC(). + */ + XFREE((void *)(wc_ptr_t)altNames->name, heap, + DYNAMIC_TYPE_ALTNAME); + altNames->nameStored = 0; + } #ifdef WOLFSSL_IP_ALT_NAME - XFREE(altNames->ipString, heap, DYNAMIC_TYPE_ALTNAME); + if (altNames->ipStringStored) { + /* safe cast -- .ipStringStored signifies that the pointer comes + * from our own earlier XMALLOC(). + */ + XFREE((void *)(wc_ptr_t)altNames->ipString, heap, + DYNAMIC_TYPE_ALTNAME); + altNames->ipStringStored = 0; + } #endif #ifdef WOLFSSL_RID_ALT_NAME - XFREE(altNames->ridString, heap, DYNAMIC_TYPE_ALTNAME); + if (altNames->ridStringStored) { + /* safe cast -- .ridStringStored signifies that the pointer comes + * from our own earlier XMALLOC(). + */ + XFREE((void *)(wc_ptr_t)altNames->ridString, heap, + DYNAMIC_TYPE_ALTNAME); + altNames->ridStringStored = 0; + } #endif XFREE(altNames, heap, DYNAMIC_TYPE_ALTNAME); altNames = tmp; @@ -11953,11 +11984,14 @@ DNS_entry* AltNameDup(DNS_entry* from, void* heap) ret->name = CopyString(from->name, from->len, heap, DYNAMIC_TYPE_ALTNAME); + ret->nameStored = 1; #ifdef WOLFSSL_IP_ALT_NAME ret->ipString = CopyString(from->ipString, 0, heap, DYNAMIC_TYPE_ALTNAME); + ret->ipStringStored = 1; #endif #ifdef WOLFSSL_RID_ALT_NAME ret->ridString = CopyString(from->ridString, 0, heap, DYNAMIC_TYPE_ALTNAME); + ret->ridStringStored = 1; #endif if (ret->name == NULL #ifdef WOLFSSL_IP_ALT_NAME @@ -12013,10 +12047,18 @@ void FreeDecodedCert(DecodedCert* cert) if (cert == NULL) return; if (cert->subjectCNStored == 1) { - XFREE(cert->subjectCN, cert->heap, DYNAMIC_TYPE_SUBJECT_CN); + /* safe cast -- .subjectCNStored signifies that the pointer comes from + * our own earlier XMALLOC(). + */ + XFREE((void*)(wc_ptr_t)cert->subjectCN, cert->heap, + DYNAMIC_TYPE_SUBJECT_CN); } if (cert->pubKeyStored == 1) { - XFREE((void*)cert->publicKey, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); + /* safe cast -- .pubKeyStored signifies that the pointer comes from our + * own earlier XMALLOC(). + */ + XFREE((void*)(wc_ptr_t)cert->publicKey, cert->heap, + DYNAMIC_TYPE_PUBLIC_KEY); } if (cert->weOwnAltNames && cert->altNames) FreeAltNames(cert->altNames, cert->heap); @@ -12280,7 +12322,8 @@ static int SetEccPublicKey(byte* output, ecc_key* key, int outLen, /* Skip to where public point is to be encoded. */ output += sz - pubSz; /* Cache the location to place the name curve OID. */ - curveOid = (byte*) + /* safe cast -- the pointer is actually inside the output buffer. */ + curveOid = (byte*)(wc_ptr_t) dataASN[ECCPUBLICKEYASN_IDX_ALGOID_CURVEID].data.buffer.data; } @@ -12431,7 +12474,9 @@ int SetAsymKeyDerPublic(const byte* pubKey, word32 pubKeyLen, /* Encode public key. */ SetASN_Items(publicKeyASN, dataASN, publicKeyASN_Length, output); /* Set location to encode public point. */ - output = (byte*)dataASN[PUBKEYASN_IDX_PUBKEY].data.buffer.data; + /* safe cast -- the pointer is actually inside the output buffer. */ + output = (byte*)(wc_ptr_t) + dataASN[PUBKEYASN_IDX_PUBKEY].data.buffer.data; } FREE_ASNSETDATA(dataASN, NULL); @@ -13135,7 +13180,8 @@ int GetHashId(const byte* id, int length, byte* hash, int hashAlg) /* Set the string for a name component into the subject name. */ #define SetCertNameSubject(cert, id, val) \ - *((char**)(((byte *)(cert)) + certNameSubject[(id) - 3].data)) = (val) + *((const char**)(((byte *)(cert)) + certNameSubject[(id) - 3].data)) = \ + (val) /* Set the string length for a name component into the subject name. */ #define SetCertNameSubjectLen(cert, id, val) \ *((int*)(((byte *)(cert)) + certNameSubject[(id) - 3].len)) = (int)(val) @@ -13166,7 +13212,8 @@ int GetHashId(const byte* id, int length, byte* hash, int hashAlg) /* Set the string for a name component into the issuer name. */ #define SetCertNameIssuer(cert, id, val) \ - *((char**)(((byte *)(cert)) + certNameSubject[(id) - 3].dataI)) = (val) + *((const char**)(((byte *)(cert)) + certNameSubject[(id) - 3].dataI)) = \ + (val) /* Set the string length for a name component into the issuer name. */ #define SetCertNameIssuerLen(cert, id, val) \ *((int*)(((byte *)(cert)) + certNameSubject[(id) - 3].lenI)) = (int)(val) @@ -13603,7 +13650,7 @@ static int GenerateDNSEntryIPString(DNS_entry* entry, void* heap) int ret = 0; size_t nameSz = 0; char tmpName[WOLFSSL_MAX_IPSTR]; - unsigned char* ip; + const unsigned char* ip; if (entry == NULL || entry->type != ASN_IP_TYPE) { return BAD_FUNC_ARG; @@ -13614,7 +13661,7 @@ static int GenerateDNSEntryIPString(DNS_entry* entry, void* heap) WOLFSSL_MSG("Unexpected IP size"); return BAD_FUNC_ARG; } - ip = (unsigned char*)entry->name; + ip = (const unsigned char*)entry->name; XMEMSET(tmpName, 0, sizeof(tmpName)); @@ -13649,6 +13696,9 @@ static int GenerateDNSEntryIPString(DNS_entry* entry, void* heap) if (entry->ipString == NULL) { ret = MEMORY_E; } + else { + entry->ipStringStored = 1; + } if (ret == 0) { XMEMCPY(entry->ipString, tmpName, nameSz); @@ -13747,6 +13797,9 @@ static int GenerateDNSEntryRIDString(DNS_entry* entry, void* heap) if (entry->ridString == NULL) { ret = MEMORY_E; } + else { + entry->ridStringStored = 1; + } if (ret == 0) { XMEMCPY(entry->ridString, finalName, (word32)(nameSz + 1)); @@ -13809,6 +13862,7 @@ static int SetDNSEntry(void* heap, const char* str, int strLen, { DNS_entry* dnsEntry; int ret = 0; + char *dnsEntry_name = NULL; /* TODO: consider one malloc. */ /* Allocate DNS Entry object. */ @@ -13818,18 +13872,21 @@ static int SetDNSEntry(void* heap, const char* str, int strLen, } if (ret == 0) { /* Allocate DNS Entry name - length of string plus 1 for NUL. */ - dnsEntry->name = (char*)XMALLOC((size_t)strLen + 1, heap, - DYNAMIC_TYPE_ALTNAME); + dnsEntry->name = dnsEntry_name = (char*)XMALLOC((size_t)strLen + 1, + heap, DYNAMIC_TYPE_ALTNAME); if (dnsEntry->name == NULL) { ret = MEMORY_E; } + else { + dnsEntry->nameStored = 1; + } } if (ret == 0) { /* Set tag type, name length, name and NUL terminate name. */ dnsEntry->type = type; dnsEntry->len = strLen; - XMEMCPY(dnsEntry->name, str, (size_t)strLen); - dnsEntry->name[strLen] = '\0'; + XMEMCPY(dnsEntry_name, str, (size_t)strLen); + dnsEntry_name[strLen] = '\0'; #ifdef WOLFSSL_RID_ALT_NAME /* store registeredID as a string */ @@ -13848,7 +13905,7 @@ static int SetDNSEntry(void* heap, const char* str, int strLen, /* failure cleanup */ if (ret != 0 && dnsEntry != NULL) { - XFREE(dnsEntry->name, heap, DYNAMIC_TYPE_ALTNAME); + XFREE(dnsEntry_name, heap, DYNAMIC_TYPE_ALTNAME); XFREE(dnsEntry, heap, DYNAMIC_TYPE_ALTNAME); } @@ -13865,21 +13922,21 @@ static int SetDNSEntry(void* heap, const char* str, int strLen, * @param [in] tag BER tag representing encoding of string. * @return 0 on success, negative values on failure. */ -static int SetSubject(DecodedCert* cert, int id, byte* str, int strLen, +static int SetSubject(DecodedCert* cert, int id, const byte* str, int strLen, byte tag) { int ret = 0; /* Put string and encoding into certificate. */ if (id == ASN_COMMON_NAME) { - cert->subjectCN = (char *)str; + cert->subjectCN = (const char *)str; cert->subjectCNLen = (int)strLen; cert->subjectCNEnc = (char)tag; } #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) else if (id > ASN_COMMON_NAME && id <= ASN_USER_ID) { /* Use table and offsets to put data into appropriate fields. */ - SetCertNameSubject(cert, id, (char*)str); + SetCertNameSubject(cert, id, (const char*)str); SetCertNameSubjectLen(cert, id, strLen); SetCertNameSubjectEnc(cert, id, tag); } @@ -13887,19 +13944,19 @@ static int SetSubject(DecodedCert* cert, int id, byte* str, int strLen, #if !defined(IGNORE_NAME_CONSTRAINTS) || \ defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) else if (id == ASN_EMAIL) { - cert->subjectEmail = (char*)str; + cert->subjectEmail = (const char*)str; cert->subjectEmailLen = strLen; } #endif #ifdef WOLFSSL_CERT_EXT /* TODO: consider mapping id to an index and using SetCertNameSubect*(). */ else if (id == ASN_JURIS_C) { - cert->subjectJC = (char*)str; + cert->subjectJC = (const char*)str; cert->subjectJCLen = strLen; cert->subjectJCEnc = (char)tag; } else if (id == ASN_JURIS_ST) { - cert->subjectJS = (char*)str; + cert->subjectJS = (const char*)str; cert->subjectJSLen = strLen; cert->subjectJSEnc = (char)tag; } @@ -13919,25 +13976,25 @@ static int SetSubject(DecodedCert* cert, int id, byte* str, int strLen, * @param [in] tag BER tag representing encoding of string. * @return 0 on success, negative values on failure. */ -static int SetIssuer(DecodedCert* cert, int id, byte* str, int strLen, +static int SetIssuer(DecodedCert* cert, int id, const byte* str, int strLen, byte tag) { int ret = 0; /* Put string and encoding into certificate. */ if (id == ASN_COMMON_NAME) { - cert->issuerCN = (char *)str; + cert->issuerCN = (const char *)str; cert->issuerCNLen = (int)strLen; cert->issuerCNEnc = (char)tag; } else if (id > ASN_COMMON_NAME && id <= ASN_USER_ID) { /* Use table and offsets to put data into appropriate fields. */ - SetCertNameIssuer(cert, id, (char*)str); + SetCertNameIssuer(cert, id, (const char*)str); SetCertNameIssuerLen(cert, id, strLen); SetCertNameIssuerEnc(cert, id, tag); } else if (id == ASN_EMAIL) { - cert->issuerEmail = (char*)str; + cert->issuerEmail = (const char*)str; cert->issuerEmailLen = strLen; } @@ -13963,7 +14020,7 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid, int ret = 0; const char* typeStr = NULL; byte typeStrLen = 0; - byte* oid; + const byte* oid; word32 oidSz; int id = 0; @@ -14075,7 +14132,7 @@ static int GetRDN(DecodedCert* cert, char* full, word32* idx, int* nid, if ((ret == 0) && (typeStr != NULL)) { /* OID type to store for subject name and add to full string. */ - byte* str; + const byte* str; word32 strLen; byte tag = dataASN[RDNASN_IDX_ATTR_VAL].tag; @@ -14215,7 +14272,7 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType, * (do parsing for WOLFSSL_X509_NAME on demand) */ if (ret == 0) { int enc; - byte* str; + const byte* str; word32 strLen; byte tag = dataASN[RDNASN_IDX_ATTR_VAL].tag; @@ -17506,7 +17563,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) subjectDnsName.next = NULL; subjectDnsName.type = ASN_RFC822_TYPE; subjectDnsName.len = cert->subjectEmailLen; - subjectDnsName.name = (char *)cert->subjectEmail; + subjectDnsName.name = cert->subjectEmail; } break; case ASN_DIR_TYPE: @@ -17524,7 +17581,7 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert) subjectDnsName.next = NULL; subjectDnsName.type = ASN_DIR_TYPE; subjectDnsName.len = cert->subjectRawLen; - subjectDnsName.name = (char *)cert->subjectRaw; + subjectDnsName.name = (const char *)cert->subjectRaw; } break; case ASN_URI_TYPE: @@ -19306,7 +19363,7 @@ static int DecodeCertPolicy(const byte* input, word32 sz, DecodedCert* cert) #endif ) { ASNGetData dataASN[policyInfoASN_Length]; - byte* data = NULL; + const byte* data = NULL; word32 length = 0; /* Clear dynamic data and check OID is a cert policy type. */ @@ -19441,7 +19498,7 @@ static int DecodeSubjDirAttr(const byte* input, word32 sz, DecodedCert* cert) (dataASN[SUBJDIRATTRASN_IDX_OID].data.oid.sum == SDA_COC_OID)) { int cuLen; word32 setIdx = 0; - byte* setData; + const byte* setData; word32 setLen; GetASN_GetRef(&dataASN[SUBJDIRATTRASN_IDX_SET], &setData, &setLen); @@ -20836,8 +20893,8 @@ static int DecodeCertReqAttrValue(DecodedCert* cert, int* criticalExt, 1, input, &idx, maxIdx); if (ret == 0) { /* Store references to password data. */ - cert->contentType = - (char*)strDataASN[STRATTRASN_IDX_STR].data.ref.data; + cert->contentType = (const char*) + strDataASN[STRATTRASN_IDX_STR].data.ref.data; cert->contentTypeLen = (int)strDataASN[STRATTRASN_IDX_STR].data.ref.length; } @@ -20855,8 +20912,8 @@ static int DecodeCertReqAttrValue(DecodedCert* cert, int* criticalExt, 1, input, &idx, maxIdx); if (ret == 0) { /* Store references to password data. */ - cert->cPwd = - (char*)strDataASN[STRATTRASN_IDX_STR].data.ref.data; + cert->cPwd = (const char*) + strDataASN[STRATTRASN_IDX_STR].data.ref.data; cert->cPwdLen = (int)strDataASN[STRATTRASN_IDX_STR]. data.ref.length; } @@ -20875,8 +20932,8 @@ static int DecodeCertReqAttrValue(DecodedCert* cert, int* criticalExt, 1, input, &idx, maxIdx); if (ret == 0) { /* Store references to serial number. */ - cert->sNum = - (char*)strDataASN[STRATTRASN_IDX_STR].data.ref.data; + cert->sNum = (const char*) + strDataASN[STRATTRASN_IDX_STR].data.ref.data; cert->sNumLen = (int)strDataASN[STRATTRASN_IDX_STR]. data.ref.length; /* Store serial number if small enough. */ @@ -20896,8 +20953,8 @@ static int DecodeCertReqAttrValue(DecodedCert* cert, int* criticalExt, 1, input, &idx, maxIdx); if (ret == 0) { /* Store references to unstructured name. */ - cert->unstructuredName = - (char*)strDataASN[STRATTRASN_IDX_STR].data.ref.data; + cert->unstructuredName = (const char*) + strDataASN[STRATTRASN_IDX_STR].data.ref.data; cert->unstructuredNameLen = (int)strDataASN[STRATTRASN_IDX_STR]. data.ref.length; } @@ -21330,7 +21387,7 @@ static int GetAKIHash(const byte* input, word32 maxIdx, word32 sigOID, int ret = 0; word32 idx = 0; word32 extEndIdx; - byte* extData; + const byte* extData; word32 extDataSz; byte critical; @@ -22633,8 +22690,17 @@ void FreeSigner(Signer* signer, void* heap) { (void)signer; (void)heap; - XFREE(signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN); - XFREE((void*)signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY); + + /* this cast is safe because signer->name is only set in FillSigner() + * from cert->subjectCN, and only if cert->subjectCNStored, in which case + * cert->subjectCN is set to NULL, imparting ownership to the Signer object. + */ + XFREE((void *)(wc_ptr_t)signer->name, heap, DYNAMIC_TYPE_SUBJECT_CN); + /* this cast is safe because signer->publicKey is only set in FillSigner() + * from cert->publicKey, and only if cert->pubKeyStored, in which case + * cert->publicKey is set to NULL, imparting ownership to the Signer object. + */ + XFREE((void*)(wc_ptr_t)signer->publicKey, heap, DYNAMIC_TYPE_PUBLIC_KEY); #ifdef WOLFSSL_DUAL_ALG_CERTS XFREE(signer->sapkiDer, heap, DYNAMIC_TYPE_PUBLIC_KEY); #endif @@ -22709,7 +22775,11 @@ void FreeTrustedPeer(TrustedPeerCert* tp, void* heap) return; } - XFREE(tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN); + /* safe cast -- when .name is set in AddTrustedPeer() from cert->subjectCN, + * it inherits the allocation from ParseCert(), and cert->subjectCN is set + * to NULL. + */ + XFREE((void *)(wc_ptr_t)tp->name, heap, DYNAMIC_TYPE_SUBJECT_CN); XFREE(tp->sig, heap, DYNAMIC_TYPE_SIGNATURE); #ifndef IGNORE_NAME_CONSTRAINTS @@ -23327,7 +23397,7 @@ int wc_EncryptedInfoParse(EncryptedInfo* info, const char** pBuffer, int err = 0; const char* bufferStart; const char* bufferEnd; - char* line; + const char* line; if (info == NULL || pBuffer == NULL || bufSz == 0) return BAD_FUNC_ARG; @@ -23340,8 +23410,8 @@ int wc_EncryptedInfoParse(EncryptedInfo* info, const char** pBuffer, min((word32)bufSz, PEM_LINE_LEN)); if (line != NULL) { word32 lineSz; - char* finish; - char* start; + const char* finish; + const char* start; word32 startSz; const char* newline = NULL; @@ -23625,7 +23695,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, /* map header if not found for type */ for (;;) { - headerEnd = XSTRNSTR((char*)buff, header, sz); + headerEnd = XSTRNSTR((const char *)buff, header, sz); if (headerEnd) { break; } @@ -23851,7 +23921,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, #endif /* WOLFSSL_ENCRYPTED_KEYS */ /* find footer */ - footerEnd = XSTRNSTR(headerEnd, footer, (unsigned int)((char*)buff + + footerEnd = XSTRNSTR(headerEnd, footer, (unsigned int)((const char*)buff + sz - headerEnd)); if (!footerEnd) { if (info) @@ -23890,7 +23960,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, case CERT_TYPE: case TRUSTED_CERT_TYPE: case CRL_TYPE: - if (Base64_Decode_nonCT((byte*)headerEnd, (word32)neededSz, + if (Base64_Decode_nonCT((const byte*)headerEnd, (word32)neededSz, der->buffer, &der->length) < 0) { WOLFSSL_ERROR(BUFFER_E); @@ -23898,7 +23968,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, } break; default: - if (Base64_Decode((byte*)headerEnd, (word32)neededSz, + if (Base64_Decode((const byte*)headerEnd, (word32)neededSz, der->buffer, &der->length) < 0) { WOLFSSL_ERROR(BUFFER_E); return BUFFER_E; @@ -24112,7 +24182,8 @@ int wc_KeyPemToDer(const unsigned char* pem, int pemSz, XMEMSET(info, 0, sizeof(EncryptedInfo)); #ifdef WOLFSSL_ENCRYPTED_KEYS info->passwd_cb = KeyPemToDerPassCb; - info->passwd_userdata = (void*)pass; + /* if user passes readonly data, user must only access it readonly. */ + info->passwd_userdata = (void*)(wc_ptr_t)pass; #else (void)pass; #endif @@ -24985,7 +25056,7 @@ static int wc_SetCert_LoadDer(Cert* cert, const byte* der, word32 derSz, ret = ParseCertRelative((DecodedCert*)cert->decodedCert, CERT_TYPE, 0, NULL, NULL); if (ret >= 0) { - cert->der = (byte*)der; + cert->der = der; } else { wc_SetCert_Free(cert); @@ -26652,8 +26723,11 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, #ifdef WOLFSSL_CERT_EXT if (cert->extKeyUsage != 0){ /* Encode Extended Key Usage into space provided. */ - if (SetExtKeyUsage(cert, - (byte*)dataASN[CERTEXTSASN_IDX_EKU_STR].data.buffer.data, + /* safe cast -- the pointer is actually inside the output buffer. */ + if (SetExtKeyUsage( + cert, + (byte*)(wc_ptr_t) + dataASN[CERTEXTSASN_IDX_EKU_STR].data.buffer.data, dataASN[CERTEXTSASN_IDX_EKU_STR].data.buffer.length, cert->extKeyUsage) <= 0) { ret = KEYUSAGE_E; @@ -26661,8 +26735,10 @@ static int EncodeExtensions(Cert* cert, byte* output, word32 maxSz, } if ((!forRequest) && (cert->certPoliciesNb > 0)) { /* Encode Certificate Policies into space provided. */ + /* safe cast -- the pointer is actually inside the output buffer. */ if (SetCertificatePolicies( - (byte*)dataASN[CERTEXTSASN_IDX_POLICIES_INFO].data.buffer.data, + (byte*)(wc_ptr_t) + dataASN[CERTEXTSASN_IDX_POLICIES_INFO].data.buffer.data, dataASN[CERTEXTSASN_IDX_POLICIES_INFO].data.buffer.length, cert->certPolicies, cert->certPoliciesNb, cert->heap) <= 0) { ret = CERTPOLICIES_E; @@ -27409,16 +27485,20 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, /* Encode issuer name into buffer. Use the subject as the issuer * if it is self-signed. Size will be correct because we did the * same for size. */ + /* safe cast -- the pointer is actually inside derBuffer. */ ret = SetNameEx( - (byte*)dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ].data.buffer.data, + (byte*)(wc_ptr_t) + dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ].data.buffer.data, dataASN[X509CERTASN_IDX_TBS_ISSUER_SEQ].data.buffer.length, cert->selfSigned ? &cert->subject : &cert->issuer, cert->heap); } } if ((ret >= 0) && (sbjRawLen == 0)) { /* Encode subject name into buffer. */ + /* safe cast -- the pointer is actually inside derBuffer. */ ret = SetNameEx( - (byte*)dataASN[X509CERTASN_IDX_TBS_SUBJECT_SEQ].data.buffer.data, + (byte*)(wc_ptr_t) + dataASN[X509CERTASN_IDX_TBS_SUBJECT_SEQ].data.buffer.data, dataASN[X509CERTASN_IDX_TBS_SUBJECT_SEQ].data.buffer.length, &cert->subject, cert->heap); } @@ -27426,17 +27506,19 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, if (cert->beforeDateSz == 0 || cert->afterDateSz == 0) { /* Encode validity into buffer. */ + /* safe casts -- the pointers are actually inside derBuffer. */ ret = SetValidity( - (byte*)dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_GT] + (byte*)(wc_ptr_t)dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTB_GT] .data.buffer.data, - (byte*)dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_GT] + (byte*)(wc_ptr_t)dataASN[X509CERTASN_IDX_TBS_VALIDITY_NOTA_GT] .data.buffer.data, cert->daysValid); } } if (ret >= 0) { /* Encode public key into buffer. */ + /* safe cast -- the pointer is actually inside derBuffer. */ ret = EncodePublicKey(cert->keyType, - (byte*)dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ] + (byte*)(wc_ptr_t)dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ] .data.buffer.data, (int)dataASN[X509CERTASN_IDX_TBS_SPUBKEYINFO_SEQ] .data.buffer.length, @@ -27445,9 +27527,12 @@ static int MakeAnyCert(Cert* cert, byte* derBuffer, word32 derSz, } if ((ret >= 0) && (!dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].noOut)) { /* Encode extensions into buffer. */ - ret = EncodeExtensions(cert, - (byte*)dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].data.buffer.data, - dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].data.buffer.length, 0); + /* safe cast -- the pointer is actually inside derBuffer. */ + ret = EncodeExtensions( + cert, + (byte*)(wc_ptr_t) + dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].data.buffer.data, + dataASN[X509CERTASN_IDX_TBS_EXT_SEQ].data.buffer.length, 0); } if (ret >= 0) { /* Store encoded certificate body size. */ @@ -27827,16 +27912,21 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, #endif { /* Encode subject name into space in buffer. */ + /* safe cast -- the pointer is actually inside derBuffer. */ ret = SetNameEx( - (byte*)dataASN[CERTREQBODYASN_IDX_SUBJ_SEQ].data.buffer.data, + (byte*)(wc_ptr_t) + dataASN[CERTREQBODYASN_IDX_SUBJ_SEQ].data.buffer.data, dataASN[CERTREQBODYASN_IDX_SUBJ_SEQ].data.buffer.length, &cert->subject, cert->heap); } } if (ret >= 0 && derBuffer != NULL) { /* Encode public key into space in buffer. */ - ret = EncodePublicKey(cert->keyType, - (byte*)dataASN[CERTREQBODYASN_IDX_SPUBKEYINFO_SEQ].data.buffer.data, + /* safe cast -- the pointer is actually inside derBuffer. */ + ret = EncodePublicKey( + cert->keyType, + (byte*)(wc_ptr_t) + dataASN[CERTREQBODYASN_IDX_SPUBKEYINFO_SEQ].data.buffer.data, (int)dataASN[CERTREQBODYASN_IDX_SPUBKEYINFO_SEQ].data.buffer.length, rsaKey, eccKey, ed25519Key, ed448Key, dsaKey, falconKey, dilithiumKey, sphincsKey); @@ -27844,9 +27934,12 @@ static int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz, if ((ret >= 0 && derBuffer != NULL) && (!dataASN[CERTREQBODYASN_IDX_EXT_BODY].noOut)) { /* Encode extensions into space in buffer. */ - ret = EncodeExtensions(cert, - (byte*)dataASN[CERTREQBODYASN_IDX_EXT_BODY].data.buffer.data, - dataASN[CERTREQBODYASN_IDX_EXT_BODY].data.buffer.length, 1); + /* safe cast -- the pointer is actually inside derBuffer. */ + ret = EncodeExtensions( + cert, + (byte*)(wc_ptr_t) + dataASN[CERTREQBODYASN_IDX_EXT_BODY].data.buffer.data, + dataASN[CERTREQBODYASN_IDX_EXT_BODY].data.buffer.length, 1); } if (ret >= 0) { /* Store encoded certificate request body size. */ @@ -28997,9 +29090,11 @@ int wc_SetCustomExtension(Cert *cert, int critical, const char *oid, ext = &cert->customCertExt[cert->customCertExtCount]; - ext->oid = (char*)oid; + /* if supplied oid is readonly, user must access ext->oid readonly. */ + ext->oid = (char*)(wc_ptr_t)oid; ext->crit = (critical == 0) ? 0 : 1; - ext->val = (byte*)der; + /* if supplied der is readonly, user must access ext->der readonly. */ + ext->val = (byte*)(wc_ptr_t)der; ext->valSz = (int)derSz; cert->customCertExtCount++; @@ -30001,43 +30096,55 @@ static int EccSpecifiedECDomainDecode(const byte* input, word32 inSz, /* Allocate buffer to put hex strings into. */ if (ret == 0) { /* Base X-ordinate */ + char *curve_Gx = NULL; ret = DataToHexStringAlloc(base + 1, (word32)curve->size, - (char**)&curve->Gx, heap, + &curve_Gx, heap, DYNAMIC_TYPE_ECC_BUFFER); + curve->Gx = curve_Gx; } if (ret == 0) { /* Base Y-ordinate */ + char *curve_Gy = NULL; ret = DataToHexStringAlloc(base + 1 + curve->size, (word32)curve->size, - (char**)&curve->Gy, heap, + &curve_Gy, heap, DYNAMIC_TYPE_ECC_BUFFER); + curve->Gy = curve_Gy; } if (ret == 0) { /* Prime */ + char *curve_prime = NULL; ret = DataToHexStringAlloc( dataASN[ECCSPECIFIEDASN_IDX_PRIME_P].data.ref.data, dataASN[ECCSPECIFIEDASN_IDX_PRIME_P].data.ref.length, - (char**)&curve->prime, heap, DYNAMIC_TYPE_ECC_BUFFER); + &curve_prime, heap, DYNAMIC_TYPE_ECC_BUFFER); + curve->prime = curve_prime; } if (ret == 0) { /* Parameter A */ + char *curve_Af = NULL; ret = DataToHexStringAlloc( dataASN[ECCSPECIFIEDASN_IDX_PARAM_A].data.ref.data, dataASN[ECCSPECIFIEDASN_IDX_PARAM_A].data.ref.length, - (char**)&curve->Af, heap, DYNAMIC_TYPE_ECC_BUFFER); + &curve_Af, heap, DYNAMIC_TYPE_ECC_BUFFER); + curve->Af = curve_Af; } if (ret == 0) { /* Parameter B */ + char *curve_Bf = NULL; ret = DataToHexStringAlloc( dataASN[ECCSPECIFIEDASN_IDX_PARAM_B].data.ref.data, dataASN[ECCSPECIFIEDASN_IDX_PARAM_B].data.ref.length, - (char**)&curve->Bf, heap, DYNAMIC_TYPE_ECC_BUFFER); + &curve_Bf, heap, DYNAMIC_TYPE_ECC_BUFFER); + curve->Bf = curve_Bf; } if (ret == 0) { /* Order of curve */ + char *curve_order = NULL; ret = DataToHexStringAlloc( dataASN[ECCSPECIFIEDASN_IDX_ORDER].data.ref.data, dataASN[ECCSPECIFIEDASN_IDX_ORDER].data.ref.length, - (char**)&curve->order, heap, DYNAMIC_TYPE_ECC_BUFFER); + &curve_order, heap, DYNAMIC_TYPE_ECC_BUFFER); + curve->order = curve_order; } #else if (ret == 0) { @@ -30401,8 +30508,11 @@ int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 *inLen, if (curveIn) { /* Put named curve OID data into encoding. */ - curveIdSz = SetCurve(key, - (byte*)dataASN[ECCKEYASN_IDX_CURVEID].data.buffer.data, + /* safe cast -- the pointer is actually inside the output buffer. */ + curveIdSz = SetCurve( + key, + (byte *)(wc_ptr_t) + dataASN[ECCKEYASN_IDX_CURVEID].data.buffer.data, (size_t)curveIdSz); if (curveIdSz < 0) { ret = curveIdSz; @@ -30410,15 +30520,22 @@ int wc_BuildEccKeyDer(ecc_key* key, byte* output, word32 *inLen, } if (ret == 0) { /* Export the private value into the buffer. */ - ret = wc_ecc_export_private_only(key, - (byte*)dataASN[ECCKEYASN_IDX_PKEY].data.buffer.data, &privSz); + /* safe cast -- the pointer is actually inside the output buffer. */ + ret = wc_ecc_export_private_only( + key, + (byte*)(wc_ptr_t) + dataASN[ECCKEYASN_IDX_PKEY].data.buffer.data, + &privSz); } if ((ret == 0) && pubIn) { /* Export the public point into the buffer. */ PRIVATE_KEY_UNLOCK(); - ret = wc_ecc_export_x963(key, - (byte*)dataASN[ECCKEYASN_IDX_PUBKEY_VAL].data.buffer.data, - &pubSz); + /* safe cast -- the pointer is actually inside the output buffer. */ + ret = wc_ecc_export_x963( + key, + (byte*)(wc_ptr_t) + dataASN[ECCKEYASN_IDX_PUBKEY_VAL].data.buffer.data, + &pubSz); PRIVATE_KEY_LOCK(); } } @@ -31261,13 +31378,19 @@ int SetAsymKeyDer(const byte* privKey, word32 privKeyLen, SetASN_Items(privateKeyASN, dataASN, privateKeyASN_Length, output); /* Put private value into space provided. */ - XMEMCPY((byte*)dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY].data.buffer.data, - privKey, privKeyLen); + /* safe cast -- the pointer is actually inside output buffer. */ + XMEMCPY( + (byte*)(wc_ptr_t) + dataASN[PRIVKEYASN_IDX_PKEY_CURVEPKEY].data.buffer.data, + privKey, privKeyLen); if (pubKey != NULL) { /* Put public value into space provided. */ - XMEMCPY((byte*)dataASN[PRIVKEYASN_IDX_PUBKEY].data.buffer.data, - pubKey, pubKeyLen); + /* safe cast -- the pointer is actually inside output buffer. */ + XMEMCPY( + (byte*)(wc_ptr_t) + dataASN[PRIVKEYASN_IDX_PUBKEY].data.buffer.data, + pubKey, pubKeyLen); } } if (ret == 0) { @@ -31884,8 +32007,8 @@ WC_MAYBE_UNUSED static int EncodeSingleResponse(OcspEntry* single, byte* out, #endif /* HAVE_OCSP_RESPONDER */ #ifdef WOLFSSL_ASN_TEMPLATE -static int DecodeSingleResponse(byte* source, word32* ioIndex, word32 size, - int wrapperSz, OcspEntry* single) +static int DecodeSingleResponse(const byte* source, word32* ioIndex, + word32 size, int wrapperSz, OcspEntry* single) { DECL_ASNGETDATA(dataASN, singleResponseASN_Length); int ret = 0; @@ -32019,7 +32142,7 @@ enum { #endif #ifdef WOLFSSL_ASN_TEMPLATE -static int DecodeOcspRespExtensions(byte* source, word32* ioIndex, +static int DecodeOcspRespExtensions(const byte* source, word32* ioIndex, OcspResponse* resp, word32 sz) { /* certExtASN_Length is greater than respExtHdrASN_Length */ @@ -32307,7 +32430,7 @@ WC_MAYBE_UNUSED static int EncodeResponseData(OcspResponse* resp, byte* out, #endif /* HAVE_OCSP_RESPONDER */ #ifdef WOLFSSL_ASN_TEMPLATE -static int DecodeResponseData(byte* source, word32* ioIndex, +static int DecodeResponseData(const byte* source, word32* ioIndex, OcspResponse* resp, word32 size) { DECL_ASNGETDATA(dataASN, ocspRespDataASN_Length); @@ -32734,7 +32857,7 @@ WC_MAYBE_UNUSED static int EncodeBasicOcspResponse(OcspResponse* resp, #endif /* HAVE_OCSP_RESPONDER */ #ifdef WOLFSSL_ASN_TEMPLATE -static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, +static int DecodeBasicOcspResponse(const byte* source, word32* ioIndex, OcspResponse* resp, word32 size, void* cm, void* heap, int noVerify, int noVerifySignature) { @@ -33015,7 +33138,7 @@ int OcspResponseDecode(OcspResponse* resp, void* cm, void* heap, word32 idx = 0, size = resp->maxIdx; byte* source = resp->source; byte status = 0; - byte* basic; + const byte* basic; word32 basicSz; WOLFSSL_ENTER("OcspResponseDecode"); @@ -33374,7 +33497,7 @@ int DecodeOcspRequest(OcspRequest* req, const byte* input, word32 size) word32 idx = 0; word32 issuerHashSz = sizeof(req->issuerHash); word32 issuerKeyHashSz = sizeof(req->issuerKeyHash); - byte* serial = NULL; + const byte* serial = NULL; word32 serialSz = 0; WOLFSSL_ENTER("DecodeOcspRequest"); diff --git a/wolfcrypt/src/asn_orig.c b/wolfcrypt/src/asn_orig.c index 527ae2380d..9ecb821d3a 100644 --- a/wolfcrypt/src/asn_orig.c +++ b/wolfcrypt/src/asn_orig.c @@ -3182,8 +3182,10 @@ static int DecodeConstructedOtherName(DecodedCert* cert, const byte* input, ret = MEMORY_E; } else { - XMEMCPY(dnsEntry->name, &input[*idx], (size_t)strLen); - dnsEntry->name[strLen] = '\0'; + dnsEntry->nameStored = 1; + XMEMCPY((void *)(wc_ptr_t)dnsEntry->name, &input[*idx], + (size_t)strLen); + ((char *)(wc_ptr_t)dnsEntry->name)[strLen] = '\0'; AddAltName(cert, dnsEntry); } } @@ -3271,9 +3273,11 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert) XFREE(dnsEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } + dnsEntry->nameStored = 1; dnsEntry->len = strLen; - XMEMCPY(dnsEntry->name, &input[idx], (size_t)strLen); - dnsEntry->name[strLen] = '\0'; + XMEMCPY((void *)(wc_ptr_t)dnsEntry->name, &input[idx], + (size_t)strLen); + ((char *)(wc_ptr_t)dnsEntry->name)[strLen] = '\0'; AddAltName(cert, dnsEntry); @@ -3315,9 +3319,11 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert) XFREE(dirEntry, cert->heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } + dirEntry->nameStored = 1; dirEntry->len = strLen; - XMEMCPY(dirEntry->name, &input[idx], (size_t)strLen); - dirEntry->name[strLen] = '\0'; + XMEMCPY((void *)(wc_ptr_t)dirEntry->name, &input[idx], + (size_t)strLen); + ((char *)(wc_ptr_t)dirEntry->name)[strLen] = '\0'; dirEntry->next = cert->altDirNames; cert->altDirNames = dirEntry; @@ -3343,7 +3349,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert) WOLFSSL_MSG("\tOut of Memory"); return MEMORY_E; } - + emailEntry->nameStored = 1; emailEntry->type = ASN_RFC822_TYPE; emailEntry->name = (char*)XMALLOC((size_t)strLen + 1, cert->heap, DYNAMIC_TYPE_ALTNAME); @@ -3353,8 +3359,9 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert) return MEMORY_E; } emailEntry->len = strLen; - XMEMCPY(emailEntry->name, &input[idx], (size_t)strLen); - emailEntry->name[strLen] = '\0'; + XMEMCPY((void *)(wc_ptr_t)emailEntry->name, &input[idx], + (size_t)strLen); + ((char *)(wc_ptr_t)emailEntry->name)[strLen] = '\0'; emailEntry->next = cert->altEmailNames; cert->altEmailNames = emailEntry; @@ -3426,7 +3433,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert) WOLFSSL_MSG("\tOut of Memory"); return MEMORY_E; } - + uriEntry->nameStored = 1; uriEntry->type = ASN_URI_TYPE; uriEntry->name = (char*)XMALLOC((size_t)strLen + 1, cert->heap, DYNAMIC_TYPE_ALTNAME); @@ -3436,8 +3443,9 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert) return MEMORY_E; } uriEntry->len = strLen; - XMEMCPY(uriEntry->name, &input[idx], (size_t)strLen); - uriEntry->name[strLen] = '\0'; + XMEMCPY((void *)(wc_ptr_t)uriEntry->name, &input[idx], + (size_t)strLen); + ((char *)(wc_ptr_t)uriEntry->name)[strLen] = '\0'; AddAltName(cert, uriEntry); @@ -3469,7 +3477,7 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert) WOLFSSL_MSG("\tOut of Memory"); return MEMORY_E; } - + ipAddr->nameStored = 1; ipAddr->type = ASN_IP_TYPE; ipAddr->name = (char*)XMALLOC((size_t)strLen + 1, cert->heap, DYNAMIC_TYPE_ALTNAME); @@ -3479,12 +3487,13 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert) return MEMORY_E; } ipAddr->len = strLen; - XMEMCPY(ipAddr->name, &input[idx], strLen); - ipAddr->name[strLen] = '\0'; + XMEMCPY((void *)(wc_ptr_t)ipAddr->name, &input[idx], strLen); + ((char *)(wc_ptr_t)ipAddr->name)[strLen] = '\0'; if (GenerateDNSEntryIPString(ipAddr, cert->heap) != 0) { WOLFSSL_MSG("\tOut of Memory for IP string"); - XFREE(ipAddr->name, cert->heap, DYNAMIC_TYPE_ALTNAME); + XFREE((void *)(wc_ptr_t)ipAddr->name, cert->heap, + DYNAMIC_TYPE_ALTNAME); XFREE(ipAddr, cert->heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } @@ -3528,13 +3537,15 @@ static int DecodeAltNames(const byte* input, word32 sz, DecodedCert* cert) XFREE(rid, cert->heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } + rid->nameStored = 1; rid->len = strLen; - XMEMCPY(rid->name, &input[idx], strLen); - rid->name[strLen] = '\0'; + XMEMCPY((void *)(wc_ptr_t)rid->name, &input[idx], strLen); + ((char *)(wc_ptr_t)rid->name)[strLen] = '\0'; if (GenerateDNSEntryRIDString(rid, cert->heap) != 0) { WOLFSSL_MSG("\tOut of Memory for registered Id string"); - XFREE(rid->name, cert->heap, DYNAMIC_TYPE_ALTNAME); + XFREE((void *)(wc_ptr_t)rid->name, cert->heap, + DYNAMIC_TYPE_ALTNAME); XFREE(rid, cert->heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } diff --git a/wolfcrypt/src/blake2b.c b/wolfcrypt/src/blake2b.c index eb1f2dead2..90776bbef1 100644 --- a/wolfcrypt/src/blake2b.c +++ b/wolfcrypt/src/blake2b.c @@ -106,9 +106,9 @@ static WC_INLINE int blake2b_init0( blake2b_state *S ) int blake2b_init_param( blake2b_state *S, const blake2b_param *P ) { word32 i; - byte *p ; + const byte *p ; blake2b_init0( S ); - p = ( byte * )( P ); + p = ( const byte * )( P ); /* IV XOR ParamBlock */ for( i = 0; i < 8; ++i ) @@ -120,71 +120,37 @@ int blake2b_init_param( blake2b_state *S, const blake2b_param *P ) int blake2b_init( blake2b_state *S, const byte outlen ) { -#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD - blake2b_param P[1]; -#else - volatile blake2b_param P[1]; -#endif + volatile blake2b_param P; if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG; -#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD - P->digest_length = outlen; - P->key_length = 0; - P->fanout = 1; - P->depth = 1; - store32( &P->leaf_length, 0 ); - store64( &P->node_offset, 0 ); - P->node_depth = 0; - P->inner_length = 0; - XMEMSET( P->reserved, 0, sizeof( P->reserved ) ); - XMEMSET( P->salt, 0, sizeof( P->salt ) ); - XMEMSET( P->personal, 0, sizeof( P->personal ) ); -#else - XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) ); - P->digest_length = outlen; - P->fanout = 1; - P->depth = 1; -#endif - return blake2b_init_param( S, (blake2b_param *)P ); -} + XMEMSET((void *)(wc_ptr_t)&P, 0, sizeof(P)); + WC_BARRIER(); + P.digest_length = outlen; + P.fanout = 1; + P.depth = 1; + return blake2b_init_param(S, (const blake2b_param *)(wc_ptr_t)&P); +} int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key, const byte keylen ) { int ret = 0; -#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD - blake2b_param P[1]; -#else - volatile blake2b_param P[1]; -#endif + volatile blake2b_param P; if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG; if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return BAD_FUNC_ARG; -#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD - P->digest_length = outlen; - P->key_length = keylen; - P->fanout = 1; - P->depth = 1; - store32( &P->leaf_length, 0 ); - store64( &P->node_offset, 0 ); - P->node_depth = 0; - P->inner_length = 0; - XMEMSET( P->reserved, 0, sizeof( P->reserved ) ); - XMEMSET( P->salt, 0, sizeof( P->salt ) ); - XMEMSET( P->personal, 0, sizeof( P->personal ) ); -#else - XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) ); - P->digest_length = outlen; - P->key_length = keylen; - P->fanout = 1; - P->depth = 1; -#endif + XMEMSET( (void *)(wc_ptr_t)&P, 0, sizeof( P ) ); + WC_BARRIER(); + P.digest_length = outlen; + P.key_length = keylen; + P.fanout = 1; + P.depth = 1; - ret = blake2b_init_param( S, (blake2b_param *)P ); + ret = blake2b_init_param(S, (const blake2b_param *)(wc_ptr_t)&P); if ( ret < 0 ) return ret; { @@ -409,7 +375,7 @@ int blake2b( byte *out, const void *in, const void *key, const byte outlen, } { - int ret = blake2b_update( S, ( byte * )in, inlen ); + int ret = blake2b_update( S, ( const byte * )in, inlen ); if (ret < 0) return ret; } diff --git a/wolfcrypt/src/blake2s.c b/wolfcrypt/src/blake2s.c index 0017840e5f..ee105209bb 100644 --- a/wolfcrypt/src/blake2s.c +++ b/wolfcrypt/src/blake2s.c @@ -102,9 +102,9 @@ static WC_INLINE int blake2s_init0( blake2s_state *S ) int blake2s_init_param( blake2s_state *S, const blake2s_param *P ) { word32 i; - byte *p ; + const byte *p ; blake2s_init0( S ); - p = ( byte * )( P ); + p = ( const byte * )( P ); /* IV XOR ParamBlock */ for( i = 0; i < 8; ++i ) @@ -117,32 +117,17 @@ int blake2s_init_param( blake2s_state *S, const blake2s_param *P ) int blake2s_init( blake2s_state *S, const byte outlen ) { -#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD - blake2s_param P[1]; -#else - volatile blake2s_param P[1]; -#endif + volatile blake2s_param P; if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return BAD_FUNC_ARG; -#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD - P->digest_length = outlen; - P->key_length = 0; - P->fanout = 1; - P->depth = 1; - store32( &P->leaf_length, 0 ); - store32( &P->node_offset, 0 ); - P->node_depth = 0; - P->inner_length = 0; - XMEMSET( P->salt, 0, sizeof( P->salt ) ); - XMEMSET( P->personal, 0, sizeof( P->personal ) ); -#else - XMEMSET( (blake2s_param *)P, 0, sizeof( *P ) ); - P->digest_length = outlen; - P->fanout = 1; - P->depth = 1; -#endif - return blake2s_init_param( S, (blake2s_param *)P ); + XMEMSET( (void *)(wc_ptr_t)&P, 0, sizeof( P ) ); + WC_BARRIER(); + P.digest_length = outlen; + P.fanout = 1; + P.depth = 1; + + return blake2s_init_param( S, (const blake2s_param *)(wc_ptr_t)&P ); } @@ -150,36 +135,20 @@ int blake2s_init_key( blake2s_state *S, const byte outlen, const void *key, const byte keylen ) { int ret = 0; -#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD - blake2s_param P[1]; -#else - volatile blake2s_param P[1]; -#endif + volatile blake2s_param P; if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return BAD_FUNC_ARG; if ( !key || !keylen || keylen > BLAKE2S_KEYBYTES ) return BAD_FUNC_ARG; -#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD - P->digest_length = outlen; - P->key_length = keylen; - P->fanout = 1; - P->depth = 1; - store32( &P->leaf_length, 0 ); - store64( &P->node_offset, 0 ); - P->node_depth = 0; - P->inner_length = 0; - XMEMSET( P->salt, 0, sizeof( P->salt ) ); - XMEMSET( P->personal, 0, sizeof( P->personal ) ); -#else - XMEMSET( (blake2s_param *)P, 0, sizeof( *P ) ); - P->digest_length = outlen; - P->key_length = keylen; - P->fanout = 1; - P->depth = 1; -#endif + XMEMSET( (void *)(wc_ptr_t)&P, 0, sizeof( P ) ); + WC_BARRIER(); + P.digest_length = outlen; + P.key_length = keylen; + P.fanout = 1; + P.depth = 1; - ret = blake2s_init_param( S, (blake2s_param *)P ); + ret = blake2s_init_param( S, (const blake2s_param *)(wc_ptr_t)&P ); if (ret < 0) return ret; @@ -401,7 +370,7 @@ int blake2s( byte *out, const void *in, const void *key, const byte outlen, } { - int ret = blake2s_update( S, ( byte * )in, inlen ); + int ret = blake2s_update( S, ( const byte * )in, inlen ); if (ret < 0) return ret; } diff --git a/wolfcrypt/src/chacha.c b/wolfcrypt/src/chacha.c index ebd9d83a69..9c0a770491 100644 --- a/wolfcrypt/src/chacha.c +++ b/wolfcrypt/src/chacha.c @@ -52,7 +52,7 @@ Public domain. #define U32C(v) (v##U) #define U32V(v) ((word32)(v) & U32C(0xFFFFFFFF)) - #define U8TO32_LITTLE(p) LITTLE32(((word32*)(p))[0]) + #define U8TO32_LITTLE(p) LITTLE32(((const word32*)(p))[0]) #define ROTATE(v,c) rotlFixed(v, c) #define XOR(v,w) ((v) ^ (w)) diff --git a/wolfcrypt/src/curve25519.c b/wolfcrypt/src/curve25519.c index 9f58aa7a75..bc2961aca4 100644 --- a/wolfcrypt/src/curve25519.c +++ b/wolfcrypt/src/curve25519.c @@ -314,7 +314,8 @@ int wc_curve25519_make_pub_blind(int public_size, byte* pub, int private_size, #else fe_init(); - ret = curve25519_smul_blind(pub, priv, (byte*)kCurve25519BasePoint, rng); + ret = curve25519_smul_blind(pub, priv, (const byte*)kCurve25519BasePoint, + rng); #endif if (ret == 0) { diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 7940679aeb..f879392939 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -3919,7 +3919,7 @@ static int ecc_check_order_minus_1(const mp_int* k, ecc_point* tG, ecc_point* R, */ err = mp_sub_d(order, 1, t); if (err == MP_OKAY) { - int kIsMinusOne = (mp_cmp((mp_int*)k, t) == MP_EQ); + int kIsMinusOne = (mp_cmp((const mp_int*)k, t) == MP_EQ); err = mp_cond_copy(tG->x, kIsMinusOne, R->x); if (err == MP_OKAY) { err = mp_sub(modulus, tG->y, t); @@ -4424,7 +4424,8 @@ static int wc_ecc_cmp_param(const char* curveParam, if (encType == WC_TYPE_HEX_STR) { if ((word32)XSTRLEN(curveParam) != paramSz) return -1; - return (XSTRNCMP(curveParam, (char*) param, paramSz) == 0) ? 0 : -1; + return (XSTRNCMP(curveParam, (const char*) param, paramSz) == 0) + ? 0 : -1; } #ifdef WOLFSSL_SMALL_STACK @@ -7915,21 +7916,21 @@ int wc_ecc_sign_set_k(const byte* k, word32 klen, ecc_key* key) #endif /* !HAVE_ECC_SIGN */ #ifdef WOLFSSL_CUSTOM_CURVES -void wc_ecc_free_curve(const ecc_set_type* curve, void* heap) +void wc_ecc_free_curve(ecc_set_type* curve, void* heap) { #ifndef WOLFSSL_ECC_CURVE_STATIC if (curve->prime != NULL) - XFREE((void*)curve->prime, heap, DYNAMIC_TYPE_ECC_BUFFER); + XFREE((void*)(wc_ptr_t)curve->prime, heap, DYNAMIC_TYPE_ECC_BUFFER); if (curve->Af != NULL) - XFREE((void*)curve->Af, heap, DYNAMIC_TYPE_ECC_BUFFER); + XFREE((void*)(wc_ptr_t)curve->Af, heap, DYNAMIC_TYPE_ECC_BUFFER); if (curve->Bf != NULL) - XFREE((void*)curve->Bf, heap, DYNAMIC_TYPE_ECC_BUFFER); + XFREE((void*)(wc_ptr_t)curve->Bf, heap, DYNAMIC_TYPE_ECC_BUFFER); if (curve->order != NULL) - XFREE((void*)curve->order, heap, DYNAMIC_TYPE_ECC_BUFFER); + XFREE((void*)(wc_ptr_t)curve->order, heap, DYNAMIC_TYPE_ECC_BUFFER); if (curve->Gx != NULL) - XFREE((void*)curve->Gx, heap, DYNAMIC_TYPE_ECC_BUFFER); + XFREE((void*)(wc_ptr_t)curve->Gx, heap, DYNAMIC_TYPE_ECC_BUFFER); if (curve->Gy != NULL) - XFREE((void*)curve->Gy, heap, DYNAMIC_TYPE_ECC_BUFFER); + XFREE((void*)(wc_ptr_t)curve->Gy, heap, DYNAMIC_TYPE_ECC_BUFFER); #endif XFREE((void*)curve, heap, DYNAMIC_TYPE_ECC_BUFFER); @@ -8041,7 +8042,7 @@ int wc_ecc_free(ecc_key* key) #ifdef WOLFSSL_CUSTOM_CURVES if (key->deallocSet && key->dp != NULL) - wc_ecc_free_curve(key->dp, key->heap); + wc_ecc_free_curve((ecc_set_type *)(wc_ptr_t)key->dp, key->heap); #endif #ifdef WOLFSSL_CHECK_MEM_ZERO @@ -13867,7 +13868,7 @@ enum ecSrvState { struct ecEncCtx { - const byte* kdfSalt; /* optional salt for kdf */ + byte* kdfSalt; /* optional salt for kdf */ const byte* kdfInfo; /* optional info for kdf */ const byte* macSalt; /* optional salt for mac */ word32 kdfSaltSz; /* size of kdfSalt */ diff --git a/wolfcrypt/src/ge_operations.c b/wolfcrypt/src/ge_operations.c index 9716220a53..3758552c15 100644 --- a/wolfcrypt/src/ge_operations.c +++ b/wolfcrypt/src/ge_operations.c @@ -9091,7 +9091,8 @@ static void ge_select(ge_precomp *t,int pos,signed char b) fe_neg(minust.xy2d,t->xy2d); fe_cmov(t->xy2d,minust.xy2d,bnegative); #else - fe_cmov_table((fe*)t, (fe*)base[pos], b); + /* (wc_ptr_t) needed to work around C array casting semantics. */ + fe_cmov_table((fe*)t, (const fe*)(wc_ptr_t)base[pos], b); #endif } diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c index 75e7ca7b0d..91e457cdee 100644 --- a/wolfcrypt/src/integer.c +++ b/wolfcrypt/src/integer.c @@ -1392,10 +1392,10 @@ LBL_ERR:mp_clear(&x); /* compare magnitude of two ints (unsigned) */ -int mp_cmp_mag (mp_int * a, mp_int * b) +int mp_cmp_mag (const mp_int * a, const mp_int * b) { int n; - mp_digit *tmpa, *tmpb; + const mp_digit *tmpa, *tmpb; /* compare based on # of non-zero digits */ if (a->used > b->used) { @@ -1430,7 +1430,7 @@ int mp_cmp_mag (mp_int * a, mp_int * b) /* compare two ints (signed)*/ -int mp_cmp (mp_int * a, mp_int * b) +int mp_cmp (const mp_int * a, const mp_int * b) { /* compare based on sign */ if (a->sign != b->sign) { diff --git a/wolfcrypt/src/misc.c b/wolfcrypt/src/misc.c index cdf89d189b..669794702d 100644 --- a/wolfcrypt/src/misc.c +++ b/wolfcrypt/src/misc.c @@ -205,7 +205,7 @@ WC_MISC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in, } } else if (((size_t)out & 0x3) == 0) { - byte *in_bytes = (byte *)in; + const byte *in_bytes = (const byte *)in; word32 scratch; byteCount &= ~0x3U; @@ -216,7 +216,7 @@ WC_MISC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in, } } else { - byte *in_bytes = (byte *)in; + const byte *in_bytes = (const byte *)in; byte *out_bytes = (byte *)out; word32 scratch; @@ -234,7 +234,7 @@ WC_MISC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in, WC_MISC_STATIC WC_INLINE word32 readUnalignedWord32(const byte *in) { if (((wc_ptr_t)in & (wc_ptr_t)(sizeof(word32) - 1U)) == (wc_ptr_t)0) - return *(word32 *)in; + return *(const word32 *)in; else { word32 out = 0; /* else CONFIG_FORTIFY_SOURCE -Wmaybe-uninitialized */ XMEMCPY(&out, in, sizeof(out)); @@ -283,7 +283,7 @@ WC_MISC_STATIC WC_INLINE void writeUnalignedWords32(byte *out, const word32 *in, WC_MISC_STATIC WC_INLINE word64 readUnalignedWord64(const byte *in) { if (((wc_ptr_t)in & (wc_ptr_t)(sizeof(word64) - 1U)) == (wc_ptr_t)0) - return *(word64 *)in; + return *(const word64 *)in; else { word64 out = 0; /* else CONFIG_FORTIFY_SOURCE -Wmaybe-uninitialized */ XMEMCPY(&out, in, sizeof(out)); @@ -382,7 +382,7 @@ WC_MISC_STATIC WC_INLINE void ByteReverseWords64(word64* out, const word64* in, } } else if (((size_t)out & 0x7) == 0) { - byte *in_bytes = (byte *)in; + const byte *in_bytes = (const byte *)in; word64 scratch; byteCount &= ~0x7U; @@ -393,7 +393,7 @@ WC_MISC_STATIC WC_INLINE void ByteReverseWords64(word64* out, const word64* in, } } else { - byte *in_bytes = (byte *)in; + const byte *in_bytes = (const byte *)in; byte *out_bytes = (byte *)out; word64 scratch; diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index 5f00282f38..806b80514c 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c @@ -63,7 +63,7 @@ static const byte WC_PKCS12_ShroudedKeyBag_OID[] = typedef struct ContentInfo { - byte* data; + const byte* data; struct ContentInfo* next; word32 encC; /* encryptedContent */ word32 dataSz; @@ -350,7 +350,7 @@ static int GetSafeContent(WC_PKCS12* pkcs12, const byte* input, ci->type = (int)oid; ci->dataSz = (word32)curSz - (localIdx-curIdx); - ci->data = (byte*)input + localIdx; + ci->data = input + localIdx; localIdx += ci->dataSz; #ifdef WOLFSSL_DEBUG_PKCS12 @@ -1180,7 +1180,8 @@ static byte* PKCS12_ConcatenateContent(WC_PKCS12* pkcs12,byte* mergedData, /* Check if constructed [0] is seen after wc_BerToDer() or not. * returns 1 if seen, 0 if not, ASN_PARSE_E on error */ -static int PKCS12_CheckConstructedZero(byte* data, word32 dataSz, word32* idx) +static int PKCS12_CheckConstructedZero(const byte* data, word32 dataSz, + word32* idx) { word32 oid; int ret = 0; @@ -1355,7 +1356,7 @@ int wc_PKCS12_parse_ex(WC_PKCS12* pkcs12, const char* psw, /* if there is sign data then verify the MAC */ if (pkcs12->signData != NULL ) { if ((ret = wc_PKCS12_verify(pkcs12, pkcs12->safe->data, - pkcs12->safe->dataSz, (byte*)psw, (word32)pswSz)) != 0) { + pkcs12->safe->dataSz, (const byte*)psw, (word32)pswSz)) != 0) { WOLFSSL_MSG("PKCS12 Bad MAC on verify"); WOLFSSL_LEAVE("wc_PKCS12_parse verify ", ret); (void)ret; @@ -1371,7 +1372,7 @@ int wc_PKCS12_parse_ex(WC_PKCS12* pkcs12, const char* psw, /* Decode content infos */ ci = pkcs12->safe->CI; for (i = 0; i < pkcs12->safe->numCI; i++) { - byte* data; + const byte* data; word32 idx = 0; int size, totalSz; byte tag; @@ -1422,9 +1423,13 @@ int wc_PKCS12_parse_ex(WC_PKCS12* pkcs12, const char* psw, * the DecryptContent() expects */ if (pkcs12->indefinite && PKCS12_CheckConstructedZero(data, ci->dataSz, &idx) == 1) { - data[idx-1] = ASN_LONG_LENGTH; - ret = PKCS12_CoalesceOctetStrings(pkcs12, data, ci->dataSz, - &idx, &curIdx); + /* safe casts -- pkcs12->indefinite signals that data is inside + * the earlier allocation of der by wc_d2i_PKCS12((). + */ + ((byte *)(wc_ptr_t)data)[idx-1] = ASN_LONG_LENGTH; + ret = PKCS12_CoalesceOctetStrings( + pkcs12, ((byte *)(wc_ptr_t)data), ci->dataSz, + &idx, &curIdx); if (ret < 0) { goto exit_pk12par; } diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 14b79edb1b..7bda1f62dd 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -2740,10 +2740,10 @@ static int wc_PKCS7_EncodeContentStreamHelper(wc_PKCS7* pkcs7, int cipherType, * Returns 0 on success */ #ifndef NO_AES static int wc_PKCS7_EncodeContentStream(wc_PKCS7* pkcs7, ESD* esd, Aes* aes, - byte* in, int inSz, byte* out, int cipherType) + const byte* in, int inSz, byte* out, int cipherType) #else static int wc_PKCS7_EncodeContentStream(wc_PKCS7* pkcs7, ESD* esd, void* aes, - byte* in, int inSz, byte* out, int cipherType) + const byte* in, int inSz, byte* out, int cipherType) #endif { int ret = 0; @@ -2753,7 +2753,7 @@ static int wc_PKCS7_EncodeContentStream(wc_PKCS7* pkcs7, ESD* esd, void* aes, if (pkcs7->encodeStream) { int sz; word32 totalSz = 0; - byte* buf; + const byte* buf; byte* encContentOut; byte* contentData; word32 idx = 0, outIdx = 0; @@ -2790,8 +2790,9 @@ static int wc_PKCS7_EncodeContentStream(wc_PKCS7* pkcs7, ESD* esd, void* aes, #ifdef ASN_BER_TO_DER if (pkcs7->getContentCb) { - contentDataRead = pkcs7->getContentCb(pkcs7, - &buf, pkcs7->streamCtx); + contentDataRead = + pkcs7->getContentCb(pkcs7, (byte **)(wc_ptr_t)&buf, + pkcs7->streamCtx); if (buf == NULL) { WOLFSSL_MSG("Get content callback returned null " @@ -4820,7 +4821,7 @@ static int wc_PKCS7_VerifyContentMessageDigest(wc_PKCS7* pkcs7, word32 idx = 0; word32 contentIdx = 0; byte* content = NULL; - byte* digestBuf = NULL; + const byte* digestBuf = NULL; WC_DECLARE_VAR(digest, byte, MAX_PKCS7_DIGEST_SZ, 0); PKCS7DecodedAttrib* attrib; enum wc_HashType hashType; @@ -4909,7 +4910,7 @@ static int wc_PKCS7_VerifyContentMessageDigest(wc_PKCS7* pkcs7, } else { /* user passed in pre-computed hash */ - digestBuf = (byte*)hashBuf; + digestBuf = (const byte*)hashBuf; digestSz = (int)hashSz; } @@ -7458,7 +7459,7 @@ static int wc_PKCS7_KariParseRecipCert(WC_PKCS7_KARI* kari, const byte* cert, /* decode certificate */ if (cert != NULL) { - InitDecodedCert(kari->decoded, (byte*)cert, certSz, kari->heap); + InitDecodedCert(kari->decoded, cert, certSz, kari->heap); kari->decodedInit = 1; ret = ParseCert(kari->decoded, CA_TYPE, NO_VERIFY, 0); if (ret < 0) @@ -8265,7 +8266,7 @@ int wc_PKCS7_AddRecipient_KTRI(wc_PKCS7* pkcs7, const byte* cert, word32 certSz, return ret; } - InitDecodedCert(decoded, (byte*)cert, certSz, pkcs7->heap); + InitDecodedCert(decoded, cert, certSz, pkcs7->heap); ret = ParseCert(decoded, CA_TYPE, NO_VERIFY, 0); if (ret < 0) { FreeDecodedCert(decoded); @@ -8596,11 +8597,13 @@ int wc_PKCS7_WriteOut(wc_PKCS7* pkcs7, byte* output, const byte* input, /* encrypt content using encryptOID algo */ -static int wc_PKCS7_EncryptContent(wc_PKCS7* pkcs7, int encryptOID, byte* key, - int keySz, - byte* iv, int ivSz, byte* aad, word32 aadSz, - byte* authTag, word32 authTagSz, byte* in, - int inSz, byte* out) +static int wc_PKCS7_EncryptContent(wc_PKCS7* pkcs7, int encryptOID, + const byte* key, int keySz, + const byte* iv, int ivSz, + const byte* aad, word32 aadSz, + byte* authTag, word32 authTagSz, + const byte* in, int inSz, + byte* out) { int ret; #ifndef NO_AES @@ -8830,7 +8833,8 @@ static int wc_PKCS7_EncryptContent(wc_PKCS7* pkcs7, int encryptOID, byte* key, static int wc_PKCS7_DecryptContentInit(wc_PKCS7* pkcs7, word32 encryptOID, - byte* key, word32 keySz, byte* iv, int ivSz, int devId, void* heap) + const byte* key, word32 keySz, const byte* iv, int ivSz, + int devId, void* heap) { int ret; #ifndef NO_AES @@ -8975,8 +8979,8 @@ static int wc_PKCS7_DecryptContentInit(wc_PKCS7* pkcs7, word32 encryptOID, /* Only does decryption of content using encryptOID algo and already set keys * returns 0 on success */ static int wc_PKCS7_DecryptContentEx(wc_PKCS7* pkcs7, word32 encryptOID, - byte* iv, int ivSz, byte* aad, word32 aadSz, byte* authTag, - word32 authTagSz, byte* in, int inSz, byte* out) + const byte* iv, int ivSz, const byte* aad, word32 aadSz, + const byte* authTag, word32 authTagSz, const byte* in, int inSz, byte* out) { int ret; @@ -9159,16 +9163,21 @@ static void wc_PKCS7_DecryptContentFree(wc_PKCS7* pkcs7, word32 encryptOID, * returns 0 on success */ static int wc_PKCS7_DecryptContent(wc_PKCS7* pkcs7, word32 encryptOID, - byte* key, word32 keySz, byte* iv, int ivSz, byte* aad, word32 aadSz, - byte* authTag, word32 authTagSz, byte* in, int inSz, byte* out, - int devId, void* heap) + const byte* key, word32 keySz, const byte* iv, int ivSz, + const byte* aad, word32 aadSz, const byte* authTag, word32 authTagSz, + const byte* in, int inSz, byte* out, int devId, void* heap) { int ret; if (pkcs7->decryptionCb != NULL) { - return pkcs7->decryptionCb(pkcs7, (int)encryptOID, iv, ivSz, - aad, aadSz, authTag, authTagSz, in, - inSz, out, pkcs7->decryptionCtx); + /* unsafe casts needed for backward compatibility of + * CallbackDecryptContent. + */ + return pkcs7->decryptionCb(pkcs7, (int)encryptOID, (byte *)(wc_ptr_t)iv, + ivSz, (byte *)(wc_ptr_t)aad, aadSz, + (byte *)(wc_ptr_t)authTag, authTagSz, + (byte *)(wc_ptr_t)in, inSz, out, + pkcs7->decryptionCtx); } ret = wc_PKCS7_DecryptContentInit(pkcs7, encryptOID, key, keySz, iv, ivSz, @@ -9490,15 +9499,15 @@ static int wc_PKCS7_PwriKek_KeyWrap(wc_PKCS7* pkcs7, const byte* kek, if (ret == 0) { /* encrypt, normal */ - ret = wc_PKCS7_EncryptContent(pkcs7, algID, (byte*)kek, (int)kekSz, - (byte*)iv, (int)ivSz, NULL, 0, NULL, 0, out, + ret = wc_PKCS7_EncryptContent(pkcs7, algID, kek, (int)kekSz, + iv, (int)ivSz, NULL, 0, NULL, 0, out, outLen, out); } if (ret == 0) { /* encrypt again, using last ciphertext block as IV */ lastBlock = out + (((outLen / blockSz) - 1) * blockSz); - ret = wc_PKCS7_EncryptContent(pkcs7, algID, (byte*)kek, (int)kekSz, + ret = wc_PKCS7_EncryptContent(pkcs7, algID, kek, (int)kekSz, lastBlock, blockSz, NULL, 0, NULL, 0, out, outLen, out); } @@ -9524,8 +9533,8 @@ static int wc_PKCS7_PwriKek_KeyUnWrap(wc_PKCS7* pkcs7, const byte* kek, word32 ivSz, word32 algID) { int blockSz, cekLen, ret; - byte* tmpIv = NULL; - byte* lastBlock = NULL; + const byte* tmpIv = NULL; + const byte* lastBlock = NULL; byte* outTmp = NULL; byte fail = 0; @@ -9557,26 +9566,26 @@ static int wc_PKCS7_PwriKek_KeyUnWrap(wc_PKCS7* pkcs7, const byte* kek, } /* use block out[n-1] as IV to decrypt block out[n] */ - lastBlock = (byte*)in + inSz - blockSz; + lastBlock = in + inSz - blockSz; tmpIv = lastBlock - blockSz; /* decrypt last block */ - ret = wc_PKCS7_DecryptContent(pkcs7, algID, (byte*)kek, kekSz, tmpIv, + ret = wc_PKCS7_DecryptContent(pkcs7, algID, kek, kekSz, tmpIv, blockSz, NULL, 0, NULL, 0, lastBlock, blockSz, outTmp + inSz - blockSz, pkcs7->devId, pkcs7->heap); if (ret == 0) { /* using last decrypted block as IV, decrypt [0 ... n-1] blocks */ lastBlock = outTmp + inSz - blockSz; - ret = wc_PKCS7_DecryptContent(pkcs7, algID, (byte*)kek, kekSz, - lastBlock, blockSz, NULL, 0, NULL, 0, (byte*)in, + ret = wc_PKCS7_DecryptContent(pkcs7, algID, kek, kekSz, + lastBlock, blockSz, NULL, 0, NULL, 0, in, (int)inSz - blockSz, outTmp, pkcs7->devId, pkcs7->heap); } if (ret == 0) { /* decrypt using original kek and iv */ - ret = wc_PKCS7_DecryptContent(pkcs7, algID, (byte*)kek, kekSz, - (byte*)iv, (int)ivSz, NULL, 0, NULL, 0, outTmp, (int)inSz, + ret = wc_PKCS7_DecryptContent(pkcs7, algID, kek, kekSz, + iv, (int)ivSz, NULL, 0, NULL, 0, outTmp, (int)inSz, outTmp, pkcs7->devId, pkcs7->heap); } diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 3e2071a95a..4fb4393f0b 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -1851,7 +1851,7 @@ static int RsaUnPad_PSS(byte *pkcsBlock, unsigned int pkcsBlockLen, /* UnPad plaintext, set start to *output, return length of plaintext, * < 0 on error */ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen, - byte **output, byte padValue) + const byte **output, byte padValue) { int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); word16 i; @@ -1880,7 +1880,7 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen, return RSA_PAD_E; } - *output = (byte *)(pkcsBlock + i); + *output = (const byte *)(pkcsBlock + i); ret = (int)pkcsBlockLen - i; } #ifndef WOLFSSL_RSA_VERIFY_ONLY @@ -1918,7 +1918,7 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen, inv |= ctMaskNotEq(pkcsBlock[1], padValue); invalid = inv; - *output = (byte *)(pkcsBlock + i); + *output = (const byte *)(pkcsBlock + i); invalidMask = (int)-1 + (int)(inv >> 7); ret = invalidMask & ((int)pkcsBlockLen - i); } @@ -1941,7 +1941,8 @@ int wc_RsaUnPad_ex(byte* pkcsBlock, word32 pkcsBlockLen, byte** out, switch (padType) { case WC_RSA_PKCSV15_PAD: /*WOLFSSL_MSG("wolfSSL Using RSA PKCSV15 un-padding");*/ - ret = RsaUnPad(pkcsBlock, pkcsBlockLen, out, padValue); + ret = RsaUnPad(pkcsBlock, pkcsBlockLen, (const byte **)(void *)out, + padValue); break; #ifndef WC_NO_RSA_OAEP diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index e03f1aa279..e636a2fca2 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -454,7 +454,7 @@ static WC_INLINE void AddLength(wc_Sha* sha, word32 len) #ifndef XTRANSFORM #define XTRANSFORM(S,B) Transform((S),(B)) - #define blk0(i) (W[i] = *((word32*)&data[(i)*sizeof(word32)])) + #define blk0(i) (W[i] = *((const word32*)&data[(i)*sizeof(word32)])) #define blk1(i) (W[(i)&15] = \ rotlFixed(W[((i)+13)&15]^W[((i)+8)&15]^W[((i)+2)&15]^W[(i)&15],1)) diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c index c5d4cf0d68..fffbaf16c3 100644 --- a/wolfcrypt/src/signature.c +++ b/wolfcrypt/src/signature.c @@ -95,7 +95,11 @@ int wc_SignatureGetSize(enum wc_SignatureType sig_type, #ifdef HAVE_ECC /* Sanity check that void* key is at least ecc_key in size */ if (key_len >= sizeof(ecc_key)) { - sig_len = wc_ecc_sig_size((ecc_key*)key); +#if defined(HAVE_SELFTEST) || (defined(HAVE_FIPS) && FIPS_VERSION3_LT(5,0,0)) + sig_len = wc_ecc_sig_size((ecc_key*)(wc_ptr_t)key); +#else + sig_len = wc_ecc_sig_size((const ecc_key*)key); +#endif } else { WOLFSSL_MSG("wc_SignatureGetSize: Invalid ECC key size"); @@ -110,7 +114,11 @@ int wc_SignatureGetSize(enum wc_SignatureType sig_type, #ifndef NO_RSA /* Sanity check that void* key is at least RsaKey in size */ if (key_len >= sizeof(RsaKey)) { - sig_len = wc_RsaEncryptSize((RsaKey*)key); +#if defined(HAVE_SELFTEST) || (defined(HAVE_FIPS) && FIPS_VERSION3_LT(5,0,0)) + sig_len = wc_RsaEncryptSize((RsaKey*)(wc_ptr_t)key); +#else + sig_len = wc_RsaEncryptSize((const RsaKey*)key); +#endif } else { WOLFSSL_MSG("wc_SignatureGetSize: Invalid RsaKey key size"); @@ -132,7 +140,7 @@ int wc_SignatureVerifyHash( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* hash_data, word32 hash_len, const byte* sig, word32 sig_len, - const void* key, word32 key_len) + void* key, word32 key_len) { int ret; @@ -271,7 +279,7 @@ int wc_SignatureVerify( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* data, word32 data_len, const byte* sig, word32 sig_len, - const void* key, word32 key_len) + void* key, word32 key_len) { int ret; word32 hash_len, hash_enc_len; @@ -349,7 +357,7 @@ int wc_SignatureGenerateHash( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* hash_data, word32 hash_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, WC_RNG* rng) + void* key, word32 key_len, WC_RNG* rng) { return wc_SignatureGenerateHash_ex(hash_type, sig_type, hash_data, hash_len, sig, sig_len, key, key_len, rng, 1); @@ -359,7 +367,7 @@ int wc_SignatureGenerateHash_ex( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* hash_data, word32 hash_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, WC_RNG* rng, int verify) + void* key, word32 key_len, WC_RNG* rng, int verify) { int ret; @@ -460,7 +468,7 @@ int wc_SignatureGenerate( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* data, word32 data_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, WC_RNG* rng) + void* key, word32 key_len, WC_RNG* rng) { return wc_SignatureGenerate_ex(hash_type, sig_type, data, data_len, sig, sig_len, key, key_len, rng, 1); @@ -470,7 +478,7 @@ int wc_SignatureGenerate_ex( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* data, word32 data_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, WC_RNG* rng, int verify) + void* key, word32 key_len, WC_RNG* rng, int verify) { int ret; word32 hash_len, hash_enc_len; diff --git a/wolfcrypt/src/siphash.c b/wolfcrypt/src/siphash.c index dec1428947..28047be30b 100644 --- a/wolfcrypt/src/siphash.c +++ b/wolfcrypt/src/siphash.c @@ -80,7 +80,7 @@ * @param [in] a Little-endian byte array. * @return 16-bit number. */ -#define GET_U16(a) (*(word16*)(a)) +#define GET_U16(a) (*(const word16*)(a)) /** * Encode 64-bit number to a little-endian byte array. * @@ -411,8 +411,8 @@ int wc_SipHash(const unsigned char* key, const unsigned char* in, word32 inSz, return BAD_FUNC_ARG; } - k0 = ((word64*)key)[0]; - k1 = ((word64*)key)[1]; + k0 = ((const word64*)key)[0]; + k1 = ((const word64*)key)[1]; __asm__ __volatile__ ( "xorq %[k0], %[v0]\n\t" "xorq %[k1], %[v1]\n\t" diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c index a3fe98ff3b..255b43f001 100644 --- a/wolfcrypt/src/sp_int.c +++ b/wolfcrypt/src/sp_int.c @@ -5132,16 +5132,16 @@ extern "C" { #endif /* Modular exponentiation implementations using Single Precision. */ -WOLFSSL_LOCAL int sp_ModExp_1024(sp_int* base, sp_int* exp, sp_int* mod, - sp_int* res); -WOLFSSL_LOCAL int sp_ModExp_1536(sp_int* base, sp_int* exp, sp_int* mod, - sp_int* res); -WOLFSSL_LOCAL int sp_ModExp_2048(sp_int* base, sp_int* exp, sp_int* mod, - sp_int* res); -WOLFSSL_LOCAL int sp_ModExp_3072(sp_int* base, sp_int* exp, sp_int* mod, - sp_int* res); -WOLFSSL_LOCAL int sp_ModExp_4096(sp_int* base, sp_int* exp, sp_int* mod, - sp_int* res); +WOLFSSL_LOCAL int sp_ModExp_1024(const sp_int* base, const sp_int* exp, + const sp_int* mod, sp_int* res); +WOLFSSL_LOCAL int sp_ModExp_1536(const sp_int* base, const sp_int* exp, + const sp_int* mod, sp_int* res); +WOLFSSL_LOCAL int sp_ModExp_2048(const sp_int* base, const sp_int* exp, + const sp_int* mod, sp_int* res); +WOLFSSL_LOCAL int sp_ModExp_3072(const sp_int* base, const sp_int* exp, + const sp_int* mod, sp_int* res); +WOLFSSL_LOCAL int sp_ModExp_4096(const sp_int* base, const sp_int* exp, + const sp_int* mod, sp_int* res); #ifdef __cplusplus } /* extern "C" */ @@ -5167,9 +5167,9 @@ static void _sp_mont_setup(const sp_int* m, sp_int_digit* rho); * * @param [out] a SP integer to set to zero. */ -static void _sp_zero(sp_int* a) +static void _sp_zero(volatile sp_int* a) { - sp_int_minimal* am = (sp_int_minimal *)a; + volatile sp_int_minimal* am = (volatile sp_int_minimal *)a; am->used = 0; am->dp[0] = 0; @@ -5191,7 +5191,7 @@ static void _sp_init_size(sp_int* a, unsigned int size) #ifdef HAVE_WOLF_BIGINT wc_bigint_init((struct WC_BIGINT*)&am->raw); #endif - _sp_zero((sp_int*)am); + _sp_zero((volatile sp_int*)am); am->size = (sp_size_t)size; } @@ -14132,12 +14132,12 @@ int sp_exptmod_ex(const sp_int* b, const sp_int* e, int digits, const sp_int* m, #ifndef WOLFSSL_SP_NO_2048 if ((mBits == 1024) && sp_isodd(m) && (bBits <= 1024) && (eBits <= 1024)) { - err = sp_ModExp_1024((sp_int*)b, (sp_int*)e, (sp_int*)m, r); + err = sp_ModExp_1024(b, e, m, r); done = 1; } else if ((mBits == 2048) && sp_isodd(m) && (bBits <= 2048) && (eBits <= 2048)) { - err = sp_ModExp_2048((sp_int*)b, (sp_int*)e, (sp_int*)m, r); + err = sp_ModExp_2048(b, e, m, r); done = 1; } else @@ -14145,12 +14145,12 @@ int sp_exptmod_ex(const sp_int* b, const sp_int* e, int digits, const sp_int* m, #ifndef WOLFSSL_SP_NO_3072 if ((mBits == 1536) && sp_isodd(m) && (bBits <= 1536) && (eBits <= 1536)) { - err = sp_ModExp_1536((sp_int*)b, (sp_int*)e, (sp_int*)m, r); + err = sp_ModExp_1536(b, e, m, r); done = 1; } else if ((mBits == 3072) && sp_isodd(m) && (bBits <= 3072) && (eBits <= 3072)) { - err = sp_ModExp_3072((sp_int*)b, (sp_int*)e, (sp_int*)m, r); + err = sp_ModExp_3072(b, e, m, r); done = 1; } else @@ -14158,7 +14158,7 @@ int sp_exptmod_ex(const sp_int* b, const sp_int* e, int digits, const sp_int* m, #ifdef WOLFSSL_SP_4096 if ((mBits == 4096) && sp_isodd(m) && (bBits <= 4096) && (eBits <= 4096)) { - err = sp_ModExp_4096((sp_int*)b, (sp_int*)e, (sp_int*)m, r); + err = sp_ModExp_4096(b, e, m, r); done = 1; } else diff --git a/wolfcrypt/src/srp.c b/wolfcrypt/src/srp.c index 96655156c2..2d8b4ec3e0 100644 --- a/wolfcrypt/src/srp.c +++ b/wolfcrypt/src/srp.c @@ -389,11 +389,11 @@ int wc_SrpSetParams(Srp* srp, const byte* N, word32 nSz, /* Set k = H(N, g) */ r = SrpHashInit(&hash, srp->type, srp->heap); - if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz); + if (!r) r = SrpHashUpdate(&hash, (const byte*) N, nSz); for (i = 0; (word32)i < nSz - gSz; i++) { if (!r) r = SrpHashUpdate(&hash, &pad, 1); } - if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz); + if (!r) r = SrpHashUpdate(&hash, (const byte*) g, gSz); if (!r) r = SrpHashFinal(&hash, srp->k); SrpHashFree(&hash); @@ -401,13 +401,13 @@ int wc_SrpSetParams(Srp* srp, const byte* N, word32 nSz, /* digest1 = H(N) */ if (!r) r = SrpHashInit(&hash, srp->type, srp->heap); - if (!r) r = SrpHashUpdate(&hash, (byte*) N, nSz); + if (!r) r = SrpHashUpdate(&hash, (const byte*) N, nSz); if (!r) r = SrpHashFinal(&hash, digest1); SrpHashFree(&hash); /* digest2 = H(g) */ if (!r) r = SrpHashInit(&hash, srp->type, srp->heap); - if (!r) r = SrpHashUpdate(&hash, (byte*) g, gSz); + if (!r) r = SrpHashUpdate(&hash, (const byte*) g, gSz); if (!r) r = SrpHashFinal(&hash, digest2); SrpHashFree(&hash); diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index 06341879e8..e521200ce5 100644 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c @@ -4540,9 +4540,9 @@ int mp_exptmod_nct (mp_int * G, mp_int * X, mp_int * P, mp_int * Y) /* compare two ints (signed)*/ -int mp_cmp (mp_int * a, mp_int * b) +int mp_cmp (const mp_int * a, const mp_int * b) { - return fp_cmp(a, b); + return fp_cmp((mp_int *)a, (mp_int *)b); } /* compare a digit */ diff --git a/wolfcrypt/src/wc_encrypt.c b/wolfcrypt/src/wc_encrypt.c index 721c14d175..7cb130b522 100644 --- a/wolfcrypt/src/wc_encrypt.c +++ b/wolfcrypt/src/wc_encrypt.c @@ -315,7 +315,7 @@ int wc_BufferKeyEncrypt(EncryptedInfo* info, byte* der, word32 derSz, * * returns a negative value on fail case */ -int wc_CryptKey(const char* password, int passwordSz, byte* salt, +int wc_CryptKey(const char* password, int passwordSz, const byte* salt, int saltSz, int iterations, int id, byte* input, int length, int version, byte* cbcIv, int enc, int shaOid) { @@ -439,14 +439,14 @@ int wc_CryptKey(const char* password, int passwordSz, byte* salt, #ifndef NO_HMAC case PKCS5v2: PRIVATE_KEY_UNLOCK(); - ret = wc_PBKDF2(key, (byte*)password, passwordSz, + ret = wc_PBKDF2(key, (const byte*)password, passwordSz, salt, saltSz, iterations, (int)derivedLen, typeH); PRIVATE_KEY_LOCK(); break; #endif #ifndef NO_SHA case PKCS5: - ret = wc_PBKDF1(key, (byte*)password, passwordSz, + ret = wc_PBKDF1(key, (const byte*)password, passwordSz, salt, saltSz, iterations, (int)derivedLen, typeH); break; #endif diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 078c435dab..db4e5a5399 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -4237,12 +4237,12 @@ char* wolfSSL_strnstr(const char* s1, const char* s2, unsigned int n) unsigned int s2_len = (unsigned int)XSTRLEN(s2); if (s2_len == 0) - return (char*)s1; + return (char *)(wc_ptr_t)s1; while (n >= s2_len && s1[0]) { if (s1[0] == s2[0]) if (XMEMCMP(s1, s2, s2_len) == 0) - return (char*)s1; + return (char *)(wc_ptr_t)s1; s1++; n--; } diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 08dab649ae..42c7e24566 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -377,9 +377,9 @@ WOLFSSL_LOCAL void GetASN_Boolean(ASNGetData *dataASN, byte* num); WOLFSSL_LOCAL void GetASN_OID(ASNGetData *dataASN, int oidType); WOLFSSL_LOCAL void GetASN_GetConstRef(ASNGetData * dataASN, const byte** data, word32* length); -WOLFSSL_LOCAL void GetASN_GetRef(ASNGetData * dataASN, byte** data, +WOLFSSL_LOCAL void GetASN_GetRef(const ASNGetData * dataASN, const byte** data, word32* length); -WOLFSSL_LOCAL void GetASN_OIDData(ASNGetData * dataASN, byte** data, +WOLFSSL_LOCAL void GetASN_OIDData(const ASNGetData * dataASN, const byte** data, word32* length); WOLFSSL_LOCAL void SetASN_Boolean(ASNSetData *dataASN, byte val); WOLFSSL_LOCAL void SetASN_Int8Bit(ASNSetData *dataASN, byte num); @@ -533,8 +533,8 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType); */ #define GetASN_GetRef(dataASN, d, l) \ do { \ - *(d) = (byte*)(dataASN)->data.ref.data; \ - *(l) = (dataASN)->data.ref.length; \ + *(d) = (const byte*)(dataASN)->data.ref.data; \ + *(l) = (dataASN)->data.ref.length; \ } while (0) /* Get the data and length from an ASN data item that is an OID. @@ -545,7 +545,7 @@ WOLFSSL_LOCAL void SetASN_OID(ASNSetData *dataASN, int oid, int oidType); */ #define GetASN_OIDData(dataASN, d, l) \ do { \ - *(d) = (byte*)(dataASN)->data.oid.data; \ + *(d) = (const byte*)(dataASN)->data.oid.data; \ *(l) = (dataASN)->data.oid.length; \ } while (0) @@ -1445,12 +1445,16 @@ struct DNS_entry { DNS_entry* next; /* next on DNS list */ int type; /* i.e. ASN_DNS_TYPE */ int len; /* actual DNS len */ - char* name; /* actual DNS name */ + const char* + name; /* actual DNS name */ + int nameStored; #ifdef WOLFSSL_IP_ALT_NAME char* ipString; /* human readable form of IP address */ + int ipStringStored; #endif #ifdef WOLFSSL_RID_ALT_NAME char* ridString; /* human readable form of registeredID */ + int ridStringStored; #endif #ifdef WOLFSSL_FPKI @@ -1765,8 +1769,10 @@ struct DecodedCert { byte subjectKeyHash[KEYID_SIZE]; /* hash of the public Key */ byte issuerKeyHash[KEYID_SIZE]; /* hash of the public Key */ #endif /* HAVE_OCSP */ - const byte* signature; /* not owned, points into raw cert */ - char* subjectCN; /* CommonName */ + const byte* + signature; /* not owned, points into raw cert */ + const char* + subjectCN; /* CommonName */ int subjectCNLen; /* CommonName Length */ char subjectCNEnc; /* CommonName Encoding */ char issuer[WC_ASN_NAME_MAX]; /* full name including common name */ @@ -1871,7 +1877,8 @@ struct DecodedCert { #endif #if !defined(IGNORE_NAME_CONSTRAINTS) || \ defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) - char* subjectEmail; + const char* + subjectEmail; int subjectEmailLen; #endif #if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_CERT_EXT) @@ -1920,17 +1927,20 @@ struct DecodedCert { char* subjectBC; int subjectBCLen; char subjectBCEnc; - char* subjectJC; + const char* + subjectJC; int subjectJCLen; char subjectJCEnc; - char* subjectJS; + const char* + subjectJS; int subjectJSLen; char subjectJSEnc; char* subjectPC; int subjectPCLen; char subjectPCEnc; #if defined(WOLFSSL_HAVE_ISSUER_NAMES) - char* issuerCN; + const char* + issuerCN; int issuerCNLen; char issuerCNEnc; char* issuerSN; @@ -1954,7 +1964,8 @@ struct DecodedCert { char* issuerSND; int issuerSNDLen; char issuerSNDEnc; - char* issuerEmail; + const char* + issuerEmail; int issuerEmailLen; #endif /* WOLFSSL_HAVE_ISSUER_NAMES */ #endif /* WOLFSSL_CERT_GEN || WOLFSSL_CERT_EXT */ @@ -1981,11 +1992,14 @@ struct DecodedCert { #ifdef WOLFSSL_CERT_REQ /* CSR attributes */ - char* contentType; /* Content Type */ + const char* + contentType; /* Content Type */ int contentTypeLen; - char* cPwd; /* Challenge Password */ + const char* + cPwd; /* Challenge Password */ int cPwdLen; - char* sNum; /* Serial Number */ + const char* + sNum; /* Serial Number */ int sNumLen; char* dnQualifier; int dnQualifierLen; @@ -1995,7 +2009,8 @@ struct DecodedCert { int surnameLen; char* givenName; int givenNameLen; - char* unstructuredName; + const char* + unstructuredName; int unstructuredNameLen; #endif /* WOLFSSL_CERT_REQ */ @@ -2117,7 +2132,8 @@ struct Signer { WC_BITFIELD selfSigned:1; const byte* publicKey; int nameLen; - char* name; /* common name */ + const char* + name; /* common name */ #ifndef IGNORE_NAME_CONSTRAINTS Base_entry* permittedNames; Base_entry* excludedNames; @@ -2161,7 +2177,8 @@ struct Signer { /* used for having trusted peer certs rather then CA */ struct TrustedPeerCert { int nameLen; - char* name; /* common name */ + const char* + name; /* common name */ #ifndef IGNORE_NAME_CONSTRAINTS Base_entry* permittedNames; Base_entry* excludedNames; @@ -2753,8 +2770,8 @@ struct CertStatus { #ifdef WOLFSSL_OCSP_PARSE_STATUS WOLFSSL_ASN1_TIME thisDateParsed; WOLFSSL_ASN1_TIME nextDateParsed; - byte* thisDateAsn; - byte* nextDateAsn; + const byte* thisDateAsn; + const byte* nextDateAsn; #endif byte revocationDate[MAX_DATE_SIZE]; /* ASN-formatted revocation time */ word32 revocationDateSz; @@ -2818,7 +2835,8 @@ enum responderIdType { struct OcspResponse { int responseStatus; /* return code from Responder */ - byte* response; /* Pointer to beginning of OCSP Response */ + const byte* + response; /* Pointer to beginning of OCSP Response */ word32 responseSz; /* length of the OCSP Response */ enum responderIdType responderIdType; @@ -2832,19 +2850,23 @@ struct OcspResponse { byte producedDateFormat; /* format of the producedDate */ byte producedDateSz; - byte* cert; + const byte* + cert; word32 certSz; - byte* sig; /* Pointer to sig in source */ + const byte* + sig; /* Pointer to sig in source */ word32 sigSz; /* Length in octets for the sig */ word32 sigOID; /* OID for hash used for sig */ - byte* sigParams; - word32 sigParamsSz; + const byte* + sigParams; + word32 sigParamsSz; OcspEntry* single; /* chain of OCSP single responses */ - byte* nonce; /* pointer to nonce inside ASN.1 response */ + const byte* + nonce; /* pointer to nonce inside ASN.1 response */ int nonceSz; /* length of the nonce string */ byte* source; /* pointer to source buffer, not owned */ @@ -3003,8 +3025,9 @@ struct DecodedCRL { word32 sigParamsIndex; /* start of signature parameters */ word32 sigParamsLength; /* length of signature parameters */ #endif - byte* signature; /* pointer into raw source, not owned */ - char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* CRL number extension */ + const byte* + signature; /* pointer into raw source, not owned */ + char crlNumber[CRL_MAX_NUM_HEX_STR_SZ]; /* CRL number extension */ byte issuerHash[SIGNER_DIGEST_SIZE]; /* issuer name hash */ byte crlHash[SIGNER_DIGEST_SIZE]; /* raw crl data hash */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */ diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index 8eda908fe8..3d4a78b598 100644 --- a/wolfssl/wolfcrypt/asn_public.h +++ b/wolfssl/wolfcrypt/asn_public.h @@ -504,17 +504,17 @@ typedef struct Cert { CertExtension customCertExt[NUM_CUSTOM_EXT]; int customCertExtCount; #endif /* WOLFSSL_CUSTOM_OID */ - void* decodedCert; /* internal DecodedCert allocated from heap */ - byte* der; /* Pointer to buffer of current DecodedCert cache */ - void* heap; /* heap hint */ + void* decodedCert; /* internal DecodedCert allocated from heap */ + const byte* der; /* Pointer to buffer of current DecodedCert cache */ + void* heap; /* heap hint */ WC_BITFIELD basicConstSet:1; /* Indicator for when Basic Constraint is set */ - byte basicConstCrit; /* Indicator of criticality of Basic Constraints extension */ + byte basicConstCrit; /* Indicator of criticality of Basic Constraints extension */ #ifdef WOLFSSL_ALLOW_ENCODING_CA_FALSE - WC_BITFIELD isCaSet:1; /* Indicator for when isCA is set */ + WC_BITFIELD isCaSet:1; /* Indicator for when isCA is set */ #endif - WC_BITFIELD pathLenSet:1; /* Indicator for when path length is set */ + WC_BITFIELD pathLenSet:1; /* Indicator for when path length is set */ #ifdef WOLFSSL_ALT_NAMES - WC_BITFIELD altNamesCrit:1; /* Indicator of criticality of SAN extension */ + WC_BITFIELD altNamesCrit:1; /* Indicator of criticality of SAN extension */ #endif } Cert; diff --git a/wolfssl/wolfcrypt/blake2-impl.h b/wolfssl/wolfcrypt/blake2-impl.h index 335925a3a6..68f9c8ff8b 100644 --- a/wolfssl/wolfcrypt/blake2-impl.h +++ b/wolfssl/wolfcrypt/blake2-impl.h @@ -41,9 +41,9 @@ static WC_INLINE word32 load32( const void *src ) { #if defined(LITTLE_ENDIAN_ORDER) - return *( word32 * )( src ); + return *( const word32 * )( src ); #else - const byte *p = ( byte * )src; + const byte *p = ( const byte * )src; word32 w = *p++; w |= ( word32 )( *p++ ) << 8; w |= ( word32 )( *p++ ) << 16; @@ -55,9 +55,9 @@ static WC_INLINE word32 load32( const void *src ) static WC_INLINE word64 load64( const void *src ) { #if defined(LITTLE_ENDIAN_ORDER) - return *( word64 * )( src ); + return *( const word64 * )( src ); #else - const byte *p = ( byte * )src; + const byte *p = ( const byte * )src; word64 w = *p++; w |= ( word64 )( *p++ ) << 8; w |= ( word64 )( *p++ ) << 16; diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index e5a6839d56..8f4c374f6d 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -769,7 +769,7 @@ int wc_ecc_init_label(ecc_key* key, const char* label, void* heap, int devId); #endif #ifdef WOLFSSL_CUSTOM_CURVES WOLFSSL_LOCAL -void wc_ecc_free_curve(const ecc_set_type* curve, void* heap); +void wc_ecc_free_curve(ecc_set_type* curve, void* heap); #endif WOLFSSL_ABI WOLFSSL_API int wc_ecc_free(ecc_key* key); diff --git a/wolfssl/wolfcrypt/fe_operations.h b/wolfssl/wolfcrypt/fe_operations.h index 652f09712d..d503d2653b 100644 --- a/wolfssl/wolfcrypt/fe_operations.h +++ b/wolfssl/wolfcrypt/fe_operations.h @@ -160,7 +160,7 @@ WOLFSSL_LOCAL void fe_pow22523(fe out,const fe z); #endif #ifdef CURVED25519_ASM -WOLFSSL_LOCAL void fe_cmov_table(fe* r, fe* base, signed char b); +WOLFSSL_LOCAL void fe_cmov_table(fe* r, const fe* base, signed char b); WOLFSSL_LOCAL void fe_invert_nct(fe r, const fe a); #endif /* CURVED25519_ASM */ diff --git a/wolfssl/wolfcrypt/ge_operations.h b/wolfssl/wolfcrypt/ge_operations.h index 501ba09bc7..8496b959b1 100644 --- a/wolfssl/wolfcrypt/ge_operations.h +++ b/wolfssl/wolfcrypt/ge_operations.h @@ -122,7 +122,7 @@ typedef struct { WOLFSSL_LOCAL void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p); WOLFSSL_LOCAL void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p); WOLFSSL_LOCAL void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p); -#define ge_p3_dbl(r, p) ge_p2_dbl((ge_p1p1 *)(r), (ge_p2 *)(p)) +#define ge_p3_dbl(r, p) ge_p2_dbl((ge_p1p1 *)(r), (const ge_p2 *)(p)) WOLFSSL_LOCAL void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q); WOLFSSL_LOCAL void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q); WOLFSSL_LOCAL void ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q); diff --git a/wolfssl/wolfcrypt/integer.h b/wolfssl/wolfcrypt/integer.h index 6dd4baea04..7e4792a6d5 100644 --- a/wolfssl/wolfcrypt/integer.h +++ b/wolfssl/wolfcrypt/integer.h @@ -345,8 +345,8 @@ MP_API int mp_abs (mp_int * a, mp_int * b); MP_API int mp_invmod (mp_int * a, mp_int * b, mp_int * c); int fast_mp_invmod (mp_int * a, mp_int * b, mp_int * c); MP_API int mp_invmod_slow (mp_int * a, mp_int * b, mp_int * c); -MP_API int mp_cmp_mag (mp_int * a, mp_int * b); -MP_API int mp_cmp (mp_int * a, mp_int * b); +MP_API int mp_cmp_mag (const mp_int * a, const mp_int * b); +MP_API int mp_cmp (const mp_int * a, const mp_int * b); #define mp_cmp_ct(a, b, n) mp_cmp(a, b) MP_API int mp_cmp_d(mp_int * a, mp_digit b); MP_API int mp_set (mp_int * a, mp_digit b); diff --git a/wolfssl/wolfcrypt/signature.h b/wolfssl/wolfcrypt/signature.h index d6b24a8296..7f7b2acfab 100644 --- a/wolfssl/wolfcrypt/signature.h +++ b/wolfssl/wolfcrypt/signature.h @@ -49,35 +49,35 @@ WOLFSSL_API int wc_SignatureVerifyHash( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* hash_data, word32 hash_len, const byte* sig, word32 sig_len, - const void* key, word32 key_len); + void* key, word32 key_len); WOLFSSL_API int wc_SignatureVerify( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* data, word32 data_len, const byte* sig, word32 sig_len, - const void* key, word32 key_len); + void* key, word32 key_len); WOLFSSL_API int wc_SignatureGenerateHash( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* hash_data, word32 hash_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, WC_RNG* rng); + void* key, word32 key_len, WC_RNG* rng); WOLFSSL_API int wc_SignatureGenerateHash_ex( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* hash_data, word32 hash_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, WC_RNG* rng, int verify); + void* key, word32 key_len, WC_RNG* rng, int verify); WOLFSSL_API int wc_SignatureGenerate( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* data, word32 data_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, + void* key, word32 key_len, WC_RNG* rng); WOLFSSL_API int wc_SignatureGenerate_ex( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* data, word32 data_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, + void* key, word32 key_len, WC_RNG* rng, int verify); #ifdef __cplusplus diff --git a/wolfssl/wolfcrypt/tfm.h b/wolfssl/wolfcrypt/tfm.h index 20fe4ae8c4..3868ca6402 100644 --- a/wolfssl/wolfcrypt/tfm.h +++ b/wolfssl/wolfcrypt/tfm.h @@ -843,7 +843,7 @@ MP_API int mp_2expt(mp_int* a, int b); MP_API int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d); -MP_API int mp_cmp(mp_int *a, mp_int *b); +MP_API int mp_cmp(const mp_int *a, const mp_int *b); #define mp_cmp_ct(a, b, n) mp_cmp(a, b) MP_API int mp_cmp_d(mp_int *a, mp_digit b); diff --git a/wolfssl/wolfcrypt/wc_encrypt.h b/wolfssl/wolfcrypt/wc_encrypt.h index 3c43e35a23..da11b53922 100644 --- a/wolfssl/wolfcrypt/wc_encrypt.h +++ b/wolfssl/wolfcrypt/wc_encrypt.h @@ -114,8 +114,8 @@ WOLFSSL_API int wc_Des3_CbcDecryptWithKey(byte* out, #ifndef NO_PWDBASED WOLFSSL_LOCAL int wc_CryptKey(const char* password, int passwordSz, - byte* salt, int saltSz, int iterations, int id, byte* input, int length, - int version, byte* cbcIv, int enc, int shaOid); + const byte* salt, int saltSz, int iterations, int id, byte* input, + int length, int version, byte* cbcIv, int enc, int shaOid); #endif #ifdef __cplusplus diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index f2ac50ddcd..b13ac51bd0 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -1808,6 +1808,18 @@ WOLFSSL_ABI WOLFSSL_API int wolfCrypt_Cleanup(void); #define XFENCE() WC_DO_NOTHING #endif +#ifdef WC_BARRIER + /* use user-supplied WC_BARRIER() definition. */ +#elif defined(__GNUC__) && !defined(WOLFSSL_NO_ASM) + #define WC_BARRIER() __asm__ __volatile__("" ::: "memory") +#else + /* XFENCE() is a no-op on some targets. The fallback construct uses C89 + * intrinsics as an additional (but weak) portable barrier. + */ + #define WC_BARRIER() do { volatile byte _xfence = 0; (void)_xfence; XFENCE(); \ + } while(0) +#endif + /* AFTER user_settings.h is loaded, ** determine if POSIX multi-threaded: HAVE_PTHREAD */