Fenrir fixes

IDE/Android/app/src/main/cpp/CMakeLists.txt

@@ -276,6 +276,7 @@ if ("${WOLFSSL_PKG_TYPE}" MATCHES "normal")
         list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp.c)
         list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/evp_pk.c)
         list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/misc.c)
+        list(REMOVE_ITEM CRYPTO_SOURCES ${wolfssl_DIR}/wolfcrypt/src/asn_orig.c)
 
 elseif("${WOLFSSL_PKG_TYPE}" MATCHES "fipsready")
         # FIPS Ready needs to explicitly order files for in-core integrity check to work properly.

native/com_wolfssl_WolfSSL.c

@@ -1989,7 +1989,7 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSL_getPkcs8TraditionalOffset
     if (inBuf == NULL) {
         return MEMORY_E;
     }
-    XMEMSET(inBuf, 0, DYNAMIC_TYPE_TMP_BUFFER);
+    XMEMSET(inBuf, 0, (long)sz);
 
     (*jenv)->GetByteArrayRegion(jenv, in, 0, (jsize)sz, (jbyte*)inBuf);
     if ((*jenv)->ExceptionOccurred(jenv)) {

native/com_wolfssl_WolfSSLContext.c

@@ -1777,6 +1777,7 @@ void NativeCtxMissingCRLCallback(const char* url)
 {
     JNIEnv*   jenv;
     jint      vmret  = 0;
+    int       needsDetach = 0;
     jclass    excClass;
     jclass    crlClass = NULL;
     jmethodID crlMethod;
@@ -1793,16 +1794,21 @@ void NativeCtxMissingCRLCallback(const char* url)
 #endif
         if (vmret) {
             printf("Failed to attach JNIEnv to thread\n");
+            return;
         }
+        needsDetach = 1;
     } else if (vmret != JNI_OK) {
         printf("Unable to get JNIEnv from JavaVM\n");
+        return;
     }
 
     /* find exception class */
     excClass = (*jenv)->FindClass(jenv, "com/wolfssl/WolfSSLJNIException");
     if ((*jenv)->ExceptionOccurred(jenv)) {
         (*jenv)->ExceptionDescribe(jenv);
         (*jenv)->ExceptionClear(jenv);
+        if (needsDetach)
+            (*g_vm)->DetachCurrentThread(g_vm);
         return;
     }
 
@@ -1815,6 +1821,8 @@ void NativeCtxMissingCRLCallback(const char* url)
         if (!crlClass) {
             (*jenv)->ThrowNew(jenv, excClass,
                 "Can't get native WolfSSLMissingCRLCallback class reference");
+            if (needsDetach)
+                (*g_vm)->DetachCurrentThread(g_vm);
             return;
         }
 
@@ -1829,6 +1837,8 @@ void NativeCtxMissingCRLCallback(const char* url)
 
             (*jenv)->ThrowNew(jenv, excClass,
                 "Error getting missingCRLCallback method from JNI");
+            if (needsDetach)
+                (*g_vm)->DetachCurrentThread(g_vm);
             return;
         }
 
@@ -1841,7 +1851,6 @@ void NativeCtxMissingCRLCallback(const char* url)
         if ((*jenv)->ExceptionOccurred(jenv)) {
             (*jenv)->ExceptionDescribe(jenv);
             (*jenv)->ExceptionClear(jenv);
-            return;
         }
 
     } else {
@@ -1853,6 +1862,9 @@ void NativeCtxMissingCRLCallback(const char* url)
         (*jenv)->ThrowNew(jenv, excClass,
                 "Object reference invalid in NativeMissingCRLCallback");
     }
+
+    if (needsDetach)
+        (*g_vm)->DetachCurrentThread(g_vm);
 }
 
 #endif /* HAVE_CRL */
@@ -6170,7 +6182,7 @@ unsigned int NativePskClientCb(WOLFSSL* ssl, const char* hint, char* identity,
         }
     }
 
-    if (retval > 0) {
+    if (retval > 0 && retval <= (jlong)max_key_len) {
 
         /* copy jbyteArray into char key array */
         (*jenv)->GetByteArrayRegion(jenv, keyArray, 0, retval, (jbyte*)key);
@@ -6238,10 +6250,27 @@ unsigned int NativePskClientCb(WOLFSSL* ssl, const char* hint, char* identity,
             }
             return 0;
         }
-        strcpy(identity, tmpString);
+        if (XSTRLEN(tmpString) >= id_max_len) {
+            (*jenv)->ReleaseStringUTFChars(jenv, bufString,
+                tmpString);
+            (*jenv)->DeleteLocalRef(jenv, ctxRef);
+            (*jenv)->DeleteLocalRef(jenv, hintString);
+            (*jenv)->DeleteLocalRef(jenv, strBufObj);
+            (*jenv)->DeleteLocalRef(jenv, keyArray);
+            (*jenv)->DeleteLocalRef(jenv, bufString);
+            if (needsDetach) {
+                (*g_vm)->DetachCurrentThread(g_vm);
+            }
+            return 0;
+        }
+        XMEMCPY(identity, tmpString, XSTRLEN(tmpString));
+        identity[XSTRLEN(tmpString)] = '\0';
         (*jenv)->ReleaseStringUTFChars(jenv, bufString, tmpString);
         (*jenv)->DeleteLocalRef(jenv, bufString);
     }
+    else {
+        retval = 0;
+    }
 
     /* delete local obj refs, detach JNIEnv from thread */
     (*jenv)->DeleteLocalRef(jenv, ctxRef);
@@ -6545,7 +6574,7 @@ unsigned int NativePskServerCb(WOLFSSL* ssl, const char* identity,
         }
     }
 
-    if (retval > 0) {
+    if (retval > 0 && retval <= (jlong)max_key_len) {
 
         /* copy jbyteArray into char key array */
         (*jenv)->GetByteArrayRegion(jenv, keyArray, 0, retval, (jbyte*)key);
@@ -6561,6 +6590,9 @@ unsigned int NativePskServerCb(WOLFSSL* ssl, const char* identity,
             return 0;
         }
     }
+    else {
+        retval = 0;
+    }
 
     /* delete local obj refs, detach JNIEnv from thread */
     (*jenv)->DeleteLocalRef(jenv, ctxRef);
@@ -6647,6 +6679,10 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLContext_setGroups
 
     if (groupsSz == 0 || groupsSz > WOLFSSL_MAX_GROUP_COUNT ||
         jniGroups == NULL) {
+        if (jniGroups != NULL) {
+            (*jenv)->ReleaseIntArrayElements(jenv, groups,
+                jniGroups, JNI_ABORT);
+        }
         return (jint)BAD_FUNC_ARG;
     }
 

native/com_wolfssl_WolfSSLSession.c

@@ -3640,6 +3640,7 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_usePrivateKeyBuffer
 
     ret = wolfSSL_use_PrivateKey_buffer(ssl, buff, (long)sz, format);
 
+    XMEMSET(buff, 0, (long)sz);
     XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER);
 
     return ret;
@@ -3868,6 +3869,7 @@ void NativeMissingCRLCallback(const char* url)
 {
     JNIEnv*   jenv;
     jint      vmret  = 0;
+    int       needsDetach = 0;
     jclass    crlClass = NULL;
     jmethodID crlMethod = NULL;
     jobjectRefType refcheck;
@@ -3883,9 +3885,12 @@ void NativeMissingCRLCallback(const char* url)
 #endif
         if (vmret) {
             printf("Failed to attach JNIEnv to thread\n");
+            return;
         }
+        needsDetach = 1;
     } else if (vmret != JNI_OK) {
         printf("Unable to get JNIEnv from JavaVM\n");
+        return;
     }
 
     /* check if our stored object reference is valid */
@@ -3897,6 +3902,8 @@ void NativeMissingCRLCallback(const char* url)
         if (!crlClass) {
             throwWolfSSLException(jenv,
                 "Can't get native WolfSSLMissingCRLCallback class reference");
+            if (needsDetach)
+                (*g_vm)->DetachCurrentThread(g_vm);
             return;
         }
 
@@ -3911,6 +3918,8 @@ void NativeMissingCRLCallback(const char* url)
 
             throwWolfSSLException(jenv,
                 "Error getting missingCRLCallback method from JNI");
+            if (needsDetach)
+                (*g_vm)->DetachCurrentThread(g_vm);
             return;
         }
 
@@ -3922,7 +3931,6 @@ void NativeMissingCRLCallback(const char* url)
         if ((*jenv)->ExceptionOccurred(jenv)) {
             (*jenv)->ExceptionDescribe(jenv);
             (*jenv)->ExceptionClear(jenv);
-            return;
         }
 
     } else {
@@ -3934,6 +3942,9 @@ void NativeMissingCRLCallback(const char* url)
         throwWolfSSLException(jenv,
             "Object reference invalid in NativeMissingCRLCallback");
     }
+
+    if (needsDetach)
+        (*g_vm)->DetachCurrentThread(g_vm);
 }
 
 #endif /* HAVE_CRL */
@@ -5848,34 +5859,39 @@ int NativeALPNSelectCb(WOLFSSL *ssl, const unsigned char **out,
         /* get char* from jstring */
         selectedProtoCharArr = (*jenv)->GetStringUTFChars(jenv,
             selectedProto, 0);
-        selectedProtoCharArrSz = (int)XSTRLEN(selectedProtoCharArr);
-
-        /* see if selected ALPN protocol is in original sent list */
+        /* see if selected ALPN protocol is in original sent list.
+         * Wire format is length-prefixed: (LEN|PROTO|LEN|PROTO|...) */
         if (selectedProtoCharArr != NULL) {
-            for (idx = 0; idx < inlen; idx++) {
-                if (idx + selectedProtoCharArrSz > inlen) {
-                    /* No match found, fatal error. in not long enough for
-                     * search. Reset ret to error condition, match not set
-                     * correctly */
+            selectedProtoCharArrSz = (int)XSTRLEN(selectedProtoCharArr);
+            idx = 0;
+            while (idx < inlen) {
+                unsigned char protoLen = in[idx];
+                if (idx + 1 + protoLen > inlen) {
                     ret = SSL_TLSEXT_ERR_ALERT_FATAL;
                     break;
                 }
-                if (XMEMCMP(in + idx, selectedProtoCharArr,
+                if (protoLen == selectedProtoCharArrSz &&
+                    XMEMCMP(in + idx + 1, selectedProtoCharArr,
                         selectedProtoCharArrSz) == 0) {
-                    /* Match found. Format of input array is length byte of
-                     * ALPN protocol, followed by ALPN protocol,
-                     * ie (LEN+ALPN|LEN+ALPN|...) We set *out to ALPN selected
-                     * protocol and *outlen to length of protocol (idx - 1) */
-                    *out = in + idx;
-                    *outlen = in[idx - 1];
+                    *out = in + idx + 1;
+                    *outlen = protoLen;
                     break;
                 }
+                idx += 1 + protoLen;
+            }
+            if (idx >= inlen && ret != SSL_TLSEXT_ERR_ALERT_FATAL) {
+                ret = SSL_TLSEXT_ERR_ALERT_FATAL;
             }
         }
         else {
             /* Not able to get selected ALPN protocol from Java, fatal error */
             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
         }
+
+        if (selectedProtoCharArr != NULL) {
+            (*jenv)->ReleaseStringUTFChars(jenv, selectedProto,
+                selectedProtoCharArr);
+        }
     }
 
    return ret;