diff --git a/src/we_aes_ctr.c b/src/we_aes_ctr.c index 3620907..e148eaa 100644 --- a/src/we_aes_ctr.c +++ b/src/we_aes_ctr.c @@ -195,13 +195,18 @@ static int we_aes_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) /* Get the AES-CTR data to work with. */ aes = (we_AesCtr *)EVP_CIPHER_CTX_get_cipher_data(ctx); - if (aes != NULL) { + if (aes == NULL) { WOLFENGINE_ERROR_FUNC_NULL(WE_LOG_CIPHER, "EVP_CIPHER_CTX_get_cipher_data", aes); ret = 0; } if (ret == 1) { switch (type) { + case EVP_CTRL_INIT: + { + XMEMSET(aes, 0, sizeof(we_AesCtr)); + break; + } default: XSNPRINTF(errBuff, sizeof(errBuff), "Unsupported ctrl type %d", type); @@ -219,6 +224,7 @@ static int we_aes_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) /** Flags for AES-CTR method. */ #define AES_CTR_FLAGS \ (EVP_CIPH_ALWAYS_CALL_INIT | \ + EVP_CIPH_CTRL_INIT | \ EVP_CIPH_FLAG_CUSTOM_CIPHER | \ EVP_CIPH_FLAG_DEFAULT_ASN1 | \ EVP_CIPH_CTR_MODE) diff --git a/src/we_internal.c b/src/we_internal.c index c0cd09e..3c6647a 100644 --- a/src/we_internal.c +++ b/src/we_internal.c @@ -1011,12 +1011,22 @@ static int wolfengine_destroy(ENGINE *e) we_rsa_method = NULL; #endif /* WE_HAVE_RSA */ #ifdef WE_HAVE_ECC - /* we_ec_method is freed by OpenSSL_cleanup(). */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L + ECDSA_METHOD_free(we_ecdsa_method); + we_ecdsa_method = NULL; +#endif + /* For 1.1.1 and above we_ec_method is freed by OpenSSL_cleanup(). */ #ifdef WE_HAVE_EC_KEY EC_KEY_METHOD_free(we_ec_key_method); we_ec_key_method = NULL; #endif #endif +#if defined(WE_HAVE_ECDH) +#if OPENSSL_VERSION_NUMBER < 0x10100000L + OPENSSL_free(we_ecdh_method); + we_ecdh_method = NULL; +#endif +#endif #ifdef WE_HAVE_DES3CBC EVP_CIPHER_meth_free(we_des3_cbc_ciph); we_des3_cbc_ciph = NULL; diff --git a/src/we_mac.c b/src/we_mac.c index 742d331..fe5a9ce 100644 --- a/src/we_mac.c +++ b/src/we_mac.c @@ -1449,6 +1449,7 @@ int we_init_hmac_pkey_asn1_meth(void) #endif /* Add our created asn1 method to the internal list of available * methods. */ + /* Known, still-reachable memory leak from openssl internals on 1.0.2 */ EVP_PKEY_asn1_add0(we_hmac_pkey_asn1_method); } /* No failure after allocation - no need to free on error. */ @@ -1966,6 +1967,7 @@ int we_init_cmac_pkey_asn1_meth(void) we_cmac_pkey_asn1_size, 0); /* Add our created asn1 method to the internal list of available * methods. */ + /* Known, still-reachable memory leak from openssl internals on 1.0.2 */ EVP_PKEY_asn1_add0(we_cmac_pkey_asn1_method); EVP_PKEY_asn1_add_alias(EVP_PKEY_CMAC, NID_wolfengine_cmac); diff --git a/src/we_wolfengine.c b/src/we_wolfengine.c index ab18d28..fbb5c24 100644 --- a/src/we_wolfengine.c +++ b/src/we_wolfengine.c @@ -45,6 +45,7 @@ static ENGINE *engine_wolfengine(void) WOLFENGINE_ENTER(WE_LOG_ENGINE, "engine_wolfengine"); + /* Known, still-reachable memory leak from openssl internals on 1.0.2 */ ret = ENGINE_new(); if (ret == NULL) { WOLFENGINE_ERROR_FUNC_NULL(WE_LOG_ENGINE, "ENGINE_new", ret); @@ -75,6 +76,7 @@ void ENGINE_load_wolfengine(void) return; ENGINE_add(toadd); ENGINE_free(toadd); + /* Known, still-reachable memory leak from openssl internals on 1.0.2 */ ERR_clear_error(); WOLFENGINE_LEAVE(WE_LOG_ENGINE, "ENGINE_load_wolfengine", 1); diff --git a/test/test_aestag.c b/test/test_aestag.c index d0db506..e0d409d 100644 --- a/test/test_aestag.c +++ b/test/test_aestag.c @@ -349,6 +349,9 @@ static int test_aes_tag_fixed(ENGINE *e, void *data, const EVP_CIPHER *cipher, (void)data; + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + if (RAND_bytes(key, keyLen) == 0) { err = 1; } @@ -509,6 +512,10 @@ static int test_aes_tag_tls(ENGINE *e, void *data, const EVP_CIPHER *cipher, (void)data; + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + XMEMSET(msg, 0, sizeof(msg)); + aad[8] = 23; /* Content type */ aad[9] = 3; /* Protocol major version */ aad[10] = 2; /* Protocol minor version */ diff --git a/test/test_cipher.c b/test/test_cipher.c index 0614edc..d3cc3b6 100644 --- a/test/test_cipher.c +++ b/test/test_cipher.c @@ -105,6 +105,10 @@ static int test_cipher_enc_dec(ENGINE *e, void *data, const EVP_CIPHER *cipher, (void)data; + /* Must memset to make valgrind happy */ + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + if (RAND_bytes(key, keyLen) != 1) { err = 1; } @@ -218,7 +222,7 @@ static int test_stream_dec(ENGINE *e, const EVP_CIPHER *cipher, int encLen, unsigned char *dec) { int err; - EVP_CIPHER_CTX *ctx; + EVP_CIPHER_CTX *ctx = NULL; int dLen; int decLen; int i; @@ -280,6 +284,12 @@ static int test_stream_enc_dec(ENGINE *e, void *data, const EVP_CIPHER *cipher, (void)data; + /* Must memset to make valgrind happy */ + XMEMSET(key, 0, sizeof(key)); + XMEMSET(iv, 0, sizeof(iv)); + XMEMSET(enc, 0, sizeof(enc)); + XMEMSET(encExp, 0, sizeof(encExp)); + if (RAND_bytes(key, keyLen) != 1) { printf("generate key failed\n"); err = 1; @@ -674,6 +684,9 @@ int test_aes_ctr_iv_init_regression(ENGINE *e, void *data) (void)data; + XMEMSET(iv, 0, sizeof(iv)); + XMEMSET(key, 0, sizeof(key)); + /* Generate a random IV and key. */ err = RAND_bytes(iv, AES_BLOCK_SIZE) != 1; if (err == 0) { diff --git a/test/test_digest.c b/test/test_digest.c index 25834c8..ff83140 100644 --- a/test/test_digest.c +++ b/test/test_digest.c @@ -79,6 +79,10 @@ static int test_create_digest(const EVP_MD *md, ENGINE *e, void *data) (void)data; + /* Must memset longMsg to make valgrind happy */ + XMEMSET(digest, 0, sizeof(digest)); + XMEMSET(longMsg, 0, sizeof(longMsg)); + RAND_bytes(longMsg, sizeof(longMsg)); dLen = 0; diff --git a/test/test_ecc.c b/test/test_ecc.c index 94f3f64..8eb852c 100644 --- a/test/test_ecc.c +++ b/test/test_ecc.c @@ -879,6 +879,9 @@ int test_ecdsa_p192_pkey(ENGINE *e, void *data) (void)data; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_192)); @@ -946,6 +949,9 @@ int test_ecdsa_p224_pkey(ENGINE *e, void *data) (void)data; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_224)); @@ -1001,6 +1007,9 @@ int test_ecdsa_p256_pkey(ENGINE *e, void *data) (void)data; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_256)); @@ -1056,6 +1065,9 @@ int test_ecdsa_p384_pkey(ENGINE *e, void *data) (void)data; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_384)); @@ -1111,6 +1123,8 @@ int test_ecdsa_p521_pkey(ENGINE *e, void *data) (void)data; + XMEMSET(buf, 0, sizeof(buf)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_521)); @@ -1166,6 +1180,9 @@ int test_ecdsa_p192(ENGINE *e, void *data) (void)data; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_192)); @@ -1234,6 +1251,9 @@ int test_ecdsa_p224(ENGINE *e, void *data) (void)data; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_224)); @@ -1289,6 +1309,9 @@ int test_ecdsa_p256(ENGINE *e, void *data) (void)data; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_256)); @@ -1344,6 +1367,9 @@ int test_ecdsa_p384(ENGINE *e, void *data) (void)data; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_384)); @@ -1399,6 +1425,9 @@ int test_ecdsa_p521(ENGINE *e, void *data) (void)data; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { pkey = d2i_PrivateKey(EVP_PKEY_EC, NULL, &p, sizeof(ecc_key_der_521)); @@ -1546,6 +1575,9 @@ int test_ec_key_ecdh_keygen(ENGINE *e, int nid, int len) unsigned char secretA[66]; unsigned char secretB[66]; + XMEMSET(secretA, 0, sizeof(secretA)); + XMEMSET(secretB, 0, sizeof(secretB)); + err = (group = EC_GROUP_new_by_curve_name(nid)) == NULL; if (err == 0) { err = (keyA = EC_KEY_new_method(e)) == NULL; @@ -1667,6 +1699,9 @@ int test_ec_key_ecdh(ENGINE *e, const unsigned char *privKey, size_t len, unsigned char secretB[66]; const unsigned char *p; + XMEMSET(secretA, 0, sizeof(secretA)); + XMEMSET(secretB, 0, sizeof(secretB)); + err = (keyA = EC_KEY_new_method(e)) == NULL; if (err == 0) { p = privKey; @@ -1847,6 +1882,9 @@ int test_ec_key_ecdsa(ENGINE *e, const unsigned char *privKey, unsigned char buf[20]; const unsigned char *p; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { err = (key = EC_KEY_new_method(e)) == NULL; @@ -2032,6 +2070,8 @@ static int test_ecdh_direct(ENGINE* e, const unsigned char* keyDer, err = 1; } + XMEMSET(secret, 0, sizeof(secret)); + p = keyDer; peerPrivKey = keyPeerDer; @@ -2246,6 +2286,9 @@ static int test_ecdsa_key(ENGINE *e, const unsigned char *privKey, PRINT_MSG("ENTER: test_ecdsa"); + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(ecdsaSig, 0, sizeof(ecdsaSig)); + err = RAND_bytes(buf, sizeof(buf)) == 0; if (err == 0) { p = privKey; diff --git a/test/test_hkdf.c b/test/test_hkdf.c index bdc8e16..86bd524 100644 --- a/test/test_hkdf.c +++ b/test/test_hkdf.c @@ -35,6 +35,10 @@ static int test_hkdf_calc(ENGINE *e, unsigned char *key, int keyLen, (void)mode; + XMEMSET(inKey, 0, sizeof(inKey)); + XMEMSET(salt, 0, sizeof(salt)); + XMEMSET(info, 0, sizeof(info)); + ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, e); if (ctx == NULL) { err = 1; @@ -277,6 +281,9 @@ static int test_hkdf_str_md(ENGINE *e, const char *md, const char *mode) unsigned char oKey[128]; unsigned char wKey[128]; + XMEMSET(oKey, 0, sizeof(oKey)); + XMEMSET(wKey, 0, sizeof(wKey)); + PRINT_MSG("Calc with strings OpenSSL"); err = test_hkdf_str_calc(NULL, oKey, sizeof(oKey), md, mode); if (err == 1) { diff --git a/test/test_hmac.c b/test/test_hmac.c index 2ab66d7..99810fc 100644 --- a/test/test_hmac.c +++ b/test/test_hmac.c @@ -119,6 +119,8 @@ int test_hmac_create(ENGINE *e, void *data) unsigned char pswd[] = "My empire of dirt"; unsigned char bigPswd[100]; + XMEMSET(bigPswd, 0, sizeof(bigPswd)); + PRINT_MSG("Testing with SHA1"); ret = test_hmac_create_helper(e, data, EVP_sha1(), pswd, sizeof(pswd)); if (ret == 0) { diff --git a/test/test_rand.c b/test/test_rand.c index bb36eae..1487df0 100644 --- a/test/test_rand.c +++ b/test/test_rand.c @@ -28,6 +28,8 @@ static int test_random_api(void) int err; unsigned char buf[128]; + XMEMSET(buf, 0, sizeof(buf)); + err = RAND_status() != 1; #if OPENSSL_VERSION_NUMBER < 0x10100000L if (err == 0) { diff --git a/test/test_rsa.c b/test/test_rsa.c index e0f4026..e195c87 100644 --- a/test/test_rsa.c +++ b/test/test_rsa.c @@ -400,6 +400,9 @@ static int test_rsa_direct(ENGINE *e, const unsigned char *der, size_t derLen, int i = 0; int rsaSize = 0; + XMEMSET(buf, 0, sizeof(buf)); + XMEMSET(testVectors, 0, sizeof(testVectors)); + err = load_static_rsa_key(e, der, derLen, &weRsaKey, &osslRsaKey) != 1; if (err == 0) { rsaSize = RSA_size(weRsaKey); @@ -408,14 +411,17 @@ static int test_rsa_direct(ENGINE *e, const unsigned char *der, size_t derLen, if (err == 0) { encryptedBuf = (unsigned char*)OPENSSL_zalloc(rsaSize); err = encryptedBuf == NULL; + XMEMSET(encryptedBuf, 0, rsaSize); } if (err == 0) { decryptedBuf = (unsigned char*)OPENSSL_zalloc(rsaSize); err = decryptedBuf == NULL; + XMEMSET(decryptedBuf, 0, rsaSize); } if (err == 0) { noPaddingBuf = (unsigned char*)OPENSSL_zalloc(rsaSize); err = noPaddingBuf == NULL; + XMEMSET(noPaddingBuf, 0, rsaSize); } if (err == 0) { err = RAND_bytes(noPaddingBuf, rsaSize) == 0; @@ -976,6 +982,8 @@ int test_rsa_sign_sha1(ENGINE *e, void *data) unsigned char buf[20]; const unsigned char *p = rsa_key_der_2048; + XMEMSET(buf, 0, sizeof(buf)); + PRINT_MSG("Load RSA key"); pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &p, sizeof(rsa_key_der_2048)); err = pkey == NULL; @@ -1102,6 +1110,7 @@ static int test_rsa_enc_dec(ENGINE *e, const unsigned char *der, size_t derLen, } buf = (unsigned char *)OPENSSL_zalloc(bufLen); err = buf == NULL; + XMEMSET(buf, 0, bufLen); } if (err == 0) { err = RAND_bytes(buf, (int)bufLen) == 0; @@ -1310,6 +1319,8 @@ int test_rsa_pkey_invalid_key_size(ENGINE *e, void *data) { (void)rsa_key_der_256; (void)rsa_key_der_1024; + XMEMSET(buf, 0, sizeof(buf)); + pkey = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &p, (long)pSize); err = pkey == NULL; if (err == 0) { diff --git a/test/unit.c b/test/unit.c index 622582a..aad13f9 100644 --- a/test/unit.c +++ b/test/unit.c @@ -745,6 +745,12 @@ int main(int argc, char* argv[]) err = run_tests(e, runAll); } +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_cleanup(); + ENGINE_cleanup(); + ERR_free_strings(); +#endif + return err; }