openssl icon indicating copy to clipboard operation
openssl copied to clipboard

Published 20 hours ago verified publisher icon sftcd

code auditing

Open eighthave opened this issue 3 years ago • 4 comments

I'm working through auditing the ECH code now, and will post findings as put them together. One quick thing is that there are many lines with trailing spaces, which might annoy upstream. Those can be removed with:

find * -type f -print0 | xargs -0 sed -i 's, *$,,'

Here's the first notable thing found with cppcheck:

  • [x] [apps/s_server.c:595]: (style) Obsolete function 'asctime' called. It is recommended to use 'strftime' instead.
    • there are no existing refs to asctime or strftime
    • there is get_current_time(&timenow)

eighthave avatar Aug 10 '21 12:08 eighthave

  • [x] [apps/ech.c:499]: (style) Checking if unsigned variable 'extlen' is less than zero.

  • [x] [apps/lib/s_cb.c:887]: (style) Clarify calculation precedence for '&' and '?'.

  • [x] [apps/s_server.c:595]: (style) Obsolete function 'asctime' called. It is recommended to use 'strftime' instead.

  • [x] [apps/s_server.c:3953]: (style) Checking if unsigned variable 'filesize' is less than zero.

  • [x] [ssl/ech.c:517]: (style) Checking if unsigned variable 'eklen' is less than zero.

  • [x] [ssl/ech.c:728] -> [ssl/ech.c:729]: (warning) Identical inner 'if' condition is always true.

  • [x] [ssl/ech.c:1438] -> [ssl/ech.c:1433]: (warning) Either the condition '!remaining' is redundant or there is possible null pointer dereference: remaining.

  • [x] ssl/ech.c:2124:12: warning: Either the condition '!str' is redundant or there is possible null pointer dereference: str. [nullPointerRedundantCheck]

  • [x] [ssl/ech.c:2253] -> [ssl/ech.c:2252]: (warning) Either the condition '!str' is redundant or there is possible null pointer dereference: str.

  • [x] [ssl/ech.c:2419]: (style) Checking if unsigned variable 'binlen' is less than zero.

  • [x] [ssl/ech.c:2856] -> [ssl/ech.c:2851]: (warning) Either the condition 'if(inner_mem)' is redundant or there is possible null pointer dereference: inner_mem.

  • [x] [ssl/ech.c:3519] -> [ssl/ech.c:3665]: (warning) Either the condition 's==NULL' is redundant or there is possible null pointer dereference: s.

  • [x] [ssl/ech.c:3519] -> [ssl/ech.c:3667]: (warning) Either the condition 's==NULL' is redundant or there is possible null pointer dereference: s.

  • [x] [ssl/ech.c:3729]: (style) Condition 'cipher_len_jitter!=0' is always false

  • [x] [ssl/ech.c:3921]: (style) Checking if unsigned variable 'peerpub_len' is less than zero.

  • [x] [ssl/ech.c:4836] -> [ssl/ech.c:4829]: (warning) Either the condition 'inner_len==0' is redundant or there is possible null pointer dereference: inner_len.

  • [x] [ssl/ssl_lib.c:490]: (style) Assignment of function parameter has no effect outside the function.

  • [x] [ssl/ssl_lib.c:492]: (style) Assignment of function parameter has no effect outside the function.

  • [x] [ssl/ssl_lib.c:2089]: (style) Redundant condition: ret<=0. 'A || (!A && B)' is equivalent to 'A || B'

  • [x] [ssl/ssl_txt.c:157]: (style) Clarify calculation precedence for '&' and '?'.

  • [x] [ssl/statem/extensions.c:473] -> [ssl/statem/extensions.c:475]: (warning) Either the condition 'meth!=NULL' is redundant or there is possible null pointer dereference: meth.

  • [x] [ssl/statem/extensions_clnt.c:1061]: (style) Redundant condition: s->ext.hostname!=NULL. 'A || (!A && B)' is equivalent to 'A || B'

  • [x] [ssl/statem/statem_clnt.c:534] -> [ssl/statem/statem_clnt.c:610]: (style) Condition 's->early_data_state==SSL_EARLY_DATA_CONNECTING' is always false

  • [x] [ssl/statem/statem_clnt.c:1303] -> [ssl/statem/statem_clnt.c:1298]: (warning) Either the condition 'if(inner_mem)' is redundant or there is possible null pointer dereference: inner_mem.

  • [x] [ssl/statem/statem_srvr.c:94] -> [ssl/statem/statem_srvr.c:103]: (style) Condition 'mt==SSL3_MT_FINISHED' is always false

  • [x] [ssl/statem/statem_srvr.c:2351]: (style) Assignment of function parameter has no effect outside the function.

  • [x] [ssl/statem/statem_srvr.c:3862] -> [ssl/statem/statem_srvr.c:3867]: (warning) Identical inner 'if' condition is always true.

  • [x] The scope of the variable can be reduced.

    • [apps/lib/s_cb.c:1268]: (style) The scope of the variable 'crl' can be reduced.
    • [apps/lib/s_cb.c:898]: (style) The scope of the variable 'rv' can be reduced.
    • [apps/lib/s_cb.c:983]: (style) The scope of the variable 'curr' can be reduced.
    • [apps/s_client.c:3448]: (style) The scope of the variable 'public_key' can be reduced.
    • [apps/s_client.c:3450]: (style) The scope of the variable 'verify_result' can be reduced.
    • [apps/s_client.c:3454]: (style) The scope of the variable 'exportedkeymat' can be reduced.
    • [apps/s_server.c:3291]: (style) The scope of the variable 'verify_err' can be reduced.
    • [apps/s_server.c:3307]: (style) The scope of the variable 'wbio' can be reduced.
    • [apps/s_server.c:3400]: (style) The scope of the variable 'exportedkeymat' can be reduced.
    • [apps/s_server.c:3401]: (style) The scope of the variable 'i' can be reduced.
    • [apps/s_server.c:4299]: (style) The scope of the variable 'tsess' can be reduced.
    • [ssl/ech.c:3513]: (style) The scope of the variable 'outer_chlen' can be reduced.
    • [ssl/ech.c:3662]: (style) The scope of the variable 'ddata' can be reduced.
    • [ssl/ech.c:4174]: (style) The scope of the variable 'etype' can be reduced.
    • [ssl/ech.c:4175]: (style) The scope of the variable 'elen' can be reduced.
    • [ssl/s3_enc.c:380]: (style) The scope of the variable 'md' can be reduced.
    • [ssl/s3_enc.c:381]: (style) The scope of the variable 'hdatalen' can be reduced.
    • [ssl/ssl_lib.c:1029]: (style) The scope of the variable 'old_ip' can be reduced.
    • [ssl/ssl_lib.c:220]: (style) The scope of the variable 'i' can be reduced.
    • [ssl/ssl_lib.c:2861]: (style) The scope of the variable 'c' can be reduced.
    • [ssl/ssl_lib.c:2920]: (style) The scope of the variable 'c' can be reduced.
    • [ssl/ssl_lib.c:3732]: (style) The scope of the variable 'ecdsa_ok' can be reduced.
    • [ssl/ssl_lib.c:4165]: (style) The scope of the variable 'xn' can be reduced.
    • [ssl/statem/extensions.c:784]: (style) The scope of the variable 'thisexd' can be reduced.
    • [ssl/statem/extensions.c:844]: (style) The scope of the variable 'reason' can be reduced.
    • [ssl/statem/extensions_clnt.c:1635]: (style) The scope of the variable 'ecpointformats_len' can be reduced.
    • [ssl/statem/extensions_clnt.c:256]: (style) The scope of the variable 'alg_a' can be reduced.
    • [ssl/statem/extensions_clnt.c:256]: (style) The scope of the variable 'alg_k' can be reduced.
    • [ssl/statem/extensions_clnt.c:877]: (style) The scope of the variable 'i' can be reduced.
    • [ssl/statem/extensions_clnt.c:970]: (style) The scope of the variable 'identity' can be reduced.
    • [ssl/statem/extensions_srvr.c:1602]: (style) The scope of the variable 'encoded_pt_len' can be reduced.
    • [ssl/statem/statem_clnt.c:1404]: (style) The scope of the variable 'comp' can be reduced.
    • [ssl/statem/statem_lib.c:1280]: (style) The scope of the variable 'i' can be reduced.
    • [ssl/statem/statem_lib.c:924]: (style) The scope of the variable 'chain_count' can be reduced.
    • [ssl/statem/statem_srvr.c:1247]: (style) The scope of the variable 'ret' can be reduced.
    • [ssl/statem/statem_srvr.c:2047]: (style) The scope of the variable 'v' can be reduced.
    • [ssl/statem/statem_srvr.c:2146]: (style) The scope of the variable 'ret' can be reduced.
    • [ssl/t1_trce.c:1310]: (style) The scope of the variable 'sigalg' can be reduced.
    • [ssl/t1_trce.c:44]: (style) The scope of the variable 'val' can be reduced.
    • [ssl/t1_trce.c:716]: (style) The scope of the variable 'sigalg' can be reduced.
    • [ssl/t1_trce.c:974]: (style) The scope of the variable 'cs' can be reduced.

  • [ ] The function is never used.
    • [apps/ech.c:352]: (style) The function 'ech_main' is never used.
    • [apps/lib/s_cb.c:108]: (style) The function 'set_cert_stuff' is never used.
    • [apps/s_client.c:918]: (style) The function 's_client_main' is never used.
    • [apps/s_server.c:1310]: (style) The function 's_server_main' is never used.
    • [ssl/ech.c:1525]: (style) The function 'SSL_CTX_ech_add' is never used.
    • [ssl/ech.c:1570]: (style) The function 'SSL_ech_server_name' is never used.
    • [ssl/ech.c:1655]: (style) The function 'SSL_CTX_ech_set_outer_server_name' is never used.
    • [ssl/ech.c:1839]: (style) The function 'SSL_CTX_ech_server_key_status' is never used.
    • [ssl/ech.c:1857]: (style) The function 'SSL_CTX_ech_server_flush_keys' is never used.
    • [ssl/ech.c:2002]: (style) The function 'SSL_CTX_ech_server_enable_buffer' is never used.
    • [ssl/ech.c:2495]: (style) The function 'SSL_CTX_svcb_add' is never used.
    • [ssl/ech.c:3475]: (style) The function 'SSL_ech_set_callback' is never used.
    • [ssl/ech.c:4819]: (style) The function 'SSL_CTX_ech_raw_decrypt' is never used.
    • [ssl/ech.c:4932]: (style) The function 'SSL_ech_set_outer_alpn_protos' is never used.
    • [ssl/record/ssl3_record_tls13.c:23]: (style) The function 'tls13_enc' is never used.
    • [ssl/s3_enc.c:245]: (style) The function 'ssl3_setup_key_block' is never used.
    • [ssl/s3_enc.c:428]: (style) The function 'ssl3_final_finish_mac' is never used.
    • [ssl/s3_enc.c:481]: (style) The function 'ssl3_generate_master_secret' is never used.
    • [ssl/s3_enc.c:534]: (style) The function 'ssl3_alert_code' is never used.
    • [ssl/s3_enc.c:94]: (style) The function 'ssl3_change_cipher_state' is never used.
    • [ssl/ssl_lib.c:1002]: (style) The function 'SSL_CTX_set_trust' is never used.
    • [ssl/ssl_lib.c:1007]: (style) The function 'SSL_set_trust' is never used.
    • [ssl/ssl_lib.c:1012]: (style) The function 'SSL_set1_host' is never used.
    • [ssl/ssl_lib.c:1022]: (style) The function 'SSL_add1_host' is never used.
    • [ssl/ssl_lib.c:1051]: (style) The function 'SSL_set_hostflags' is never used.
    • [ssl/ssl_lib.c:1066]: (style) The function 'SSL_CTX_dane_set_flags' is never used.
    • [ssl/ssl_lib.c:1074]: (style) The function 'SSL_CTX_dane_clear_flags' is never used.
    • [ssl/ssl_lib.c:1133]: (style) The function 'SSL_dane_clear_flags' is never used.
    • [ssl/ssl_lib.c:1178]: (style) The function 'SSL_get0_dane' is never used.
    • [ssl/ssl_lib.c:1189]: (style) The function 'SSL_CTX_dane_mtype_set' is never used.
    • [ssl/ssl_lib.c:1200]: (style) The function 'SSL_set1_param' is never used.
    • [ssl/ssl_lib.c:1205]: (style) The function 'SSL_CTX_get0_param' is never used.
    • [ssl/ssl_lib.c:1210]: (style) The function 'SSL_get0_param' is never used.
    • [ssl/ssl_lib.c:1540]: (style) The function 'SSL_set_fd' is never used.
    • [ssl/ssl_lib.c:1567]: (style) The function 'SSL_set_wfd' is never used.
    • [ssl/ssl_lib.c:1597]: (style) The function 'SSL_set_rfd' is never used.
    • [ssl/ssl_lib.c:1621]: (style) The function 'SSL_get_finished' is never used.
    • [ssl/ssl_lib.c:1633]: (style) The function 'SSL_get_peer_finished' is never used.
    • [ssl/ssl_lib.c:1658]: (style) The function 'SSL_CTX_get_verify_mode' is never used.
    • [ssl/ssl_lib.c:1663]: (style) The function 'SSL_CTX_get_verify_depth' is never used.
    • [ssl/ssl_lib.c:1668]: (style) The function 'SSL_CTX_get_verify_callback' is never used.
    • [ssl/ssl_lib.c:1695]: (style) The function 'SSL_pending' is never used.
    • [ssl/ssl_lib.c:1728]: (style) The function 'SSL_get1_peer_certificate' is never used.
    • [ssl/ssl_lib.c:1811]: (style) The function 'SSL_check_private_key' is never used.
    • [ssl/ssl_lib.c:1837]: (style) The function 'SSL_get_all_async_fds' is never used.
    • [ssl/ssl_lib.c:1846]: (style) The function 'SSL_get_changed_async_fds' is never used.
    • [ssl/ssl_lib.c:1857]: (style) The function 'SSL_CTX_set_async_callback' is never used.
    • [ssl/ssl_lib.c:1863]: (style) The function 'SSL_CTX_set_async_callback_arg' is never used.
    • [ssl/ssl_lib.c:1869]: (style) The function 'SSL_set_async_callback' is never used.
    • [ssl/ssl_lib.c:1875]: (style) The function 'SSL_set_async_callback_arg' is never used.
    • [ssl/ssl_lib.c:1881]: (style) The function 'SSL_get_async_status' is never used.
    • [ssl/ssl_lib.c:1911]: (style) The function 'SSL_get_default_timeout' is never used.
    • [ssl/ssl_lib.c:2140]: (style) The function 'SSL_peek' is never used.
    • [ssl/ssl_lib.c:2163]: (style) The function 'SSL_peek_ex' is never used.
    • [ssl/ssl_lib.c:2378]: (style) The function 'SSL_shutdown' is never used.
    • [ssl/ssl_lib.c:2482]: (style) The function 'SSL_renegotiate_pending' is never used.
    • [ssl/ssl_lib.c:2491]: (style) The function 'SSL_new_session_ticket' is never used.
    • [ssl/ssl_lib.c:2504]: (style) The function 'SSL_ctrl' is never used.
    • [ssl/ssl_lib.c:2615]: (style) The function 'SSL_CTX_ctrl' is never used.
    • [ssl/ssl_lib.c:2748]: (style) The function 'ssl_cipher_id_cmp' is never used.
    • [ssl/ssl_lib.c:2757]: (style) The function 'ssl_cipher_ptr_id_cmp' is never used.
    • [ssl/ssl_lib.c:2829]: (style) The function 'SSL_get_cipher_list' is never used.
    • [ssl/ssl_lib.c:2875]: (style) The function 'SSL_CTX_set_cipher_list' is never used.
    • [ssl/ssl_lib.c:2899]: (style) The function 'SSL_set_cipher_list' is never used.
    • [ssl/ssl_lib.c:3131]: (style) The function 'SSL_CTX_set_npn_advertised_cb' is never used.
    • [ssl/ssl_lib.c:3149]: (style) The function 'SSL_CTX_set_npn_select_cb' is never used.
    • [ssl/ssl_lib.c:3208]: (style) The function 'SSL_set_alpn_protos' is never used.
    • [ssl/ssl_lib.c:3277]: (style) The function 'SSL_export_keying_material_early' is never used.
    • [ssl/ssl_lib.c:3543]: (style) The function 'SSL_CTX_new' is never used.
    • [ssl/ssl_lib.c:3656]: (style) The function 'SSL_CTX_set_default_passwd_cb' is never used.
    • [ssl/ssl_lib.c:3661]: (style) The function 'SSL_CTX_set_default_passwd_cb_userdata' is never used.
    • [ssl/ssl_lib.c:3666]: (style) The function 'SSL_CTX_get_default_passwd_cb' is never used.
    • [ssl/ssl_lib.c:3671]: (style) The function 'SSL_CTX_get_default_passwd_cb_userdata' is never used.
    • [ssl/ssl_lib.c:3676]: (style) The function 'SSL_set_default_passwd_cb' is never used.
    • [ssl/ssl_lib.c:3681]: (style) The function 'SSL_set_default_passwd_cb_userdata' is never used.
    • [ssl/ssl_lib.c:3686]: (style) The function 'SSL_get_default_passwd_cb' is never used.
    • [ssl/ssl_lib.c:3691]: (style) The function 'SSL_get_default_passwd_cb_userdata' is never used.
    • [ssl/ssl_lib.c:3696]: (style) The function 'SSL_CTX_set_cert_verify_callback' is never used.
    • [ssl/ssl_lib.c:3711]: (style) The function 'SSL_CTX_set_verify_depth' is never used.
    • [ssl/ssl_lib.c:3721]: (style) The function 'SSL_set_cert_cb' is never used.
    • [ssl/ssl_lib.c:3726]: (style) The function 'ssl_set_masks' is never used.
    • [ssl/ssl_lib.c:3842]: (style) The function 'ssl_get_server_cert_serverinfo' is never used.
    • [ssl/ssl_lib.c:3927]: (style) The function 'SSL_CTX_get_ssl_method' is never used.
    • [ssl/ssl_lib.c:3932]: (style) The function 'SSL_get_ssl_method' is never used.
    • [ssl/ssl_lib.c:4107]: (style) The function 'ssl_undefined_void_function' is never used.
    • [ssl/ssl_lib.c:4113]: (style) The function 'ssl_undefined_const_function' is never used.
    • [ssl/ssl_lib.c:4118]: (style) The function 'ssl_bad_method' is never used.
    • [ssl/ssl_lib.c:4376]: (style) The function 'SSL_get_privatekey' is never used.
    • [ssl/ssl_lib.c:4384]: (style) The function 'SSL_CTX_get0_certificate' is never used.
    • [ssl/ssl_lib.c:4392]: (style) The function 'SSL_CTX_get0_privatekey' is never used.
    • [ssl/ssl_lib.c:4407]: (style) The function 'SSL_get_pending_cipher' is never used.
    • [ssl/ssl_lib.c:4430]: (style) The function 'ssl_init_wbio_buffer' is never used.
    • [ssl/ssl_lib.c:4464]: (style) The function 'SSL_CTX_set_quiet_shutdown' is never used.
    • [ssl/ssl_lib.c:4469]: (style) The function 'SSL_CTX_get_quiet_shutdown' is never used.
    • [ssl/ssl_lib.c:4474]: (style) The function 'SSL_set_quiet_shutdown' is never used.
    • [ssl/ssl_lib.c:4479]: (style) The function 'SSL_get_quiet_shutdown' is never used.
    • [ssl/ssl_lib.c:4484]: (style) The function 'SSL_set_shutdown' is never used.
    • [ssl/ssl_lib.c:4489]: (style) The function 'SSL_get_shutdown' is never used.
    • [ssl/ssl_lib.c:4499]: (style) The function 'SSL_client_version' is never used.
    • [ssl/ssl_lib.c:4556]: (style) The function 'SSL_CTX_set_default_verify_paths' is never used.
    • [ssl/ssl_lib.c:4562]: (style) The function 'SSL_CTX_set_default_verify_dir' is never used.
    • [ssl/ssl_lib.c:4580]: (style) The function 'SSL_CTX_set_default_verify_file' is never used.
    • [ssl/ssl_lib.c:4599]: (style) The function 'SSL_CTX_set_default_verify_store' is never used.
    • [ssl/ssl_lib.c:4628]: (style) The function 'SSL_CTX_load_verify_store' is never used.
    • [ssl/ssl_lib.c:4634]: (style) The function 'SSL_CTX_load_verify_locations' is never used.
    • [ssl/ssl_lib.c:4662]: (style) The function 'SSL_set_verify_result' is never used.
    • [ssl/ssl_lib.c:4672]: (style) The function 'SSL_get_client_random' is never used.
    • [ssl/ssl_lib.c:4682]: (style) The function 'SSL_get_server_random' is never used.
    • [ssl/ssl_lib.c:4692]: (style) The function 'SSL_SESSION_get_master_key' is never used.
    • [ssl/ssl_lib.c:4715]: (style) The function 'SSL_set_ex_data' is never used.
    • [ssl/ssl_lib.c:4720]: (style) The function 'SSL_get_ex_data' is never used.
    • [ssl/ssl_lib.c:4725]: (style) The function 'SSL_CTX_set_ex_data' is never used.
    • [ssl/ssl_lib.c:4730]: (style) The function 'SSL_CTX_get_ex_data' is never used.
    • [ssl/ssl_lib.c:4746]: (style) The function 'SSL_CTX_set1_cert_store' is never used.
    • [ssl/ssl_lib.c:4753]: (style) The function 'SSL_want' is never used.
    • [ssl/ssl_lib.c:4775]: (style) The function 'SSL_use_psk_identity_hint' is never used.
    • [ssl/ssl_lib.c:4794]: (style) The function 'SSL_get_psk_identity_hint' is never used.
    • [ssl/ssl_lib.c:4801]: (style) The function 'SSL_get_psk_identity' is never used.
    • [ssl/ssl_lib.c:4808]: (style) The function 'SSL_set_psk_client_callback' is never used.
    • [ssl/ssl_lib.c:4818]: (style) The function 'SSL_set_psk_server_callback' is never used.
    • [ssl/ssl_lib.c:4829]: (style) The function 'SSL_set_psk_find_session_callback' is never used.
    • [ssl/ssl_lib.c:4840]: (style) The function 'SSL_set_psk_use_session_callback' is never used.
    • [ssl/ssl_lib.c:4851]: (style) The function 'SSL_CTX_set_msg_callback' is never used.
    • [ssl/ssl_lib.c:4876]: (style) The function 'SSL_set_not_resumable_session_callback' is never used.
    • [ssl/ssl_lib.c:4896]: (style) The function 'SSL_CTX_get_record_padding_callback_arg' is never used.
    • [ssl/ssl_lib.c:4901]: (style) The function 'SSL_CTX_set_block_padding' is never used.
    • [ssl/ssl_lib.c:4913]: (style) The function 'SSL_set_record_padding_callback' is never used.
    • [ssl/ssl_lib.c:4927]: (style) The function 'SSL_set_record_padding_callback_arg' is never used.
    • [ssl/ssl_lib.c:4932]: (style) The function 'SSL_get_record_padding_callback_arg' is never used.
    • [ssl/ssl_lib.c:4937]: (style) The function 'SSL_set_block_padding' is never used.
    • [ssl/ssl_lib.c:4949]: (style) The function 'SSL_set_num_tickets' is never used.
    • [ssl/ssl_lib.c:4956]: (style) The function 'SSL_get_num_tickets' is never used.
    • [ssl/ssl_lib.c:4961]: (style) The function 'SSL_CTX_set_num_tickets' is never used.
    • [ssl/ssl_lib.c:4968]: (style) The function 'SSL_CTX_get_num_tickets' is never used.
    • [ssl/ssl_lib.c:5044]: (style) The function 'SSL_set_debug' is never used.
    • [ssl/ssl_lib.c:5052]: (style) The function 'SSL_set_security_level' is never used.
    • [ssl/ssl_lib.c:5057]: (style) The function 'SSL_get_security_level' is never used.
    • [ssl/ssl_lib.c:5062]: (style) The function 'SSL_set_security_callback' is never used.
    • [ssl/ssl_lib.c:5070]: (style) The function 'SSL_get_security_callback' is never used.
    • [ssl/ssl_lib.c:5077]: (style) The function 'SSL_set0_security_ex_data' is never used.
    • [ssl/ssl_lib.c:5082]: (style) The function 'SSL_get0_security_ex_data' is never used.
    • [ssl/ssl_lib.c:5087]: (style) The function 'SSL_CTX_set_security_level' is never used.
    • [ssl/ssl_lib.c:5092]: (style) The function 'SSL_CTX_get_security_level' is never used.
    • [ssl/ssl_lib.c:5119]: (style) The function 'SSL_CTX_get0_security_ex_data' is never used.
    • [ssl/ssl_lib.c:5124]: (style) The function 'SSL_CTX_get_options' is never used.
    • [ssl/ssl_lib.c:5144]: (style) The function 'SSL_CTX_clear_options' is never used.
    • [ssl/ssl_lib.c:5149]: (style) The function 'SSL_clear_options' is never used.
    • [ssl/ssl_lib.c:5228]: (style) The function 'ct_extract_ocsp_response_scts' is never used.
    • [ssl/ssl_lib.c:5279]: (style) The function 'ct_extract_x509v3_extension_scts' is never used.
    • [ssl/ssl_lib.c:5392]: (style) The function 'SSL_CTX_ct_is_enabled' is never used.
    • [ssl/ssl_lib.c:5509]: (style) The function 'SSL_enable_ct' is never used.
    • [ssl/ssl_lib.c:5522]: (style) The function 'SSL_CTX_set_default_ctlog_list_file' is never used.
    • [ssl/ssl_lib.c:5527]: (style) The function 'SSL_CTX_set_ctlog_list_file' is never used.
    • [ssl/ssl_lib.c:5532]: (style) The function 'SSL_CTX_set0_ctlog_store' is never used.
    • [ssl/ssl_lib.c:5545]: (style) The function 'SSL_CTX_set_client_hello_cb' is never used.
    • [ssl/ssl_lib.c:5552]: (style) The function 'SSL_client_hello_isv2' is never used.
    • [ssl/ssl_lib.c:5559]: (style) The function 'SSL_client_hello_get0_legacy_version' is never used.
    • [ssl/ssl_lib.c:5566]: (style) The function 'SSL_client_hello_get0_random' is never used.
    • [ssl/ssl_lib.c:5575]: (style) The function 'SSL_client_hello_get0_session_id' is never used.
    • [ssl/ssl_lib.c:5584]: (style) The function 'SSL_client_hello_get0_ciphers' is never used.
    • [ssl/ssl_lib.c:5593]: (style) The function 'SSL_client_hello_get0_compression_methods' is never used.
    • [ssl/ssl_lib.c:5602]: (style) The function 'SSL_client_hello_get1_extensions_present' is never used.
    • [ssl/ssl_lib.c:5640]: (style) The function 'SSL_client_hello_get0_ext' is never used.
    • [ssl/ssl_lib.c:5661]: (style) The function 'SSL_free_buffers' is never used.
    • [ssl/ssl_lib.c:5672]: (style) The function 'SSL_alloc_buffers' is never used.
    • [ssl/ssl_lib.c:5682]: (style) The function 'SSL_CTX_get_keylog_callback' is never used.
    • [ssl/ssl_lib.c:5840]: (style) The function 'SSL_bytes_to_cipher_list' is never used.
    • [ssl/ssl_lib.c:5944]: (style) The function 'SSL_CTX_get_max_early_data' is never used.
    • [ssl/ssl_lib.c:5949]: (style) The function 'SSL_set_max_early_data' is never used.
    • [ssl/ssl_lib.c:5956]: (style) The function 'SSL_get_max_early_data' is never used.
    • [ssl/ssl_lib.c:5968]: (style) The function 'SSL_CTX_get_recv_max_early_data' is never used.
    • [ssl/ssl_lib.c:5973]: (style) The function 'SSL_set_recv_max_early_data' is never used.
    • [ssl/ssl_lib.c:5980]: (style) The function 'SSL_get_recv_max_early_data' is never used.
    • [ssl/ssl_lib.c:5985]: (style) The function 'ssl_get_max_send_fragment' is never used.
    • [ssl/ssl_lib.c:5995]: (style) The function 'ssl_get_split_send_fragment' is never used.
    • [ssl/ssl_lib.c:6033]: (style) The function 'SSL_CTX_set_post_handshake_auth' is never used.
    • [ssl/ssl_lib.c:6090]: (style) The function 'SSL_CTX_set_session_ticket_cb' is never used.
    • [ssl/ssl_lib.c:6101]: (style) The function 'SSL_CTX_set_allow_early_data_cb' is never used.
    • [ssl/ssl_lib.c:6109]: (style) The function 'SSL_set_allow_early_data_cb' is never used.
    • [ssl/ssl_lib.c:6117]: (style) The function 'ssl_evp_cipher_fetch' is never used.
    • [ssl/ssl_lib.c:6138]: (style) The function 'ssl_evp_cipher_up_ref' is never used.
    • [ssl/ssl_lib.c:6182]: (style) The function 'ssl_evp_md_up_ref' is never used.
    • [ssl/ssl_lib.c:6209]: (style) The function 'SSL_set0_tmp_dh_pkey' is never used.
    • [ssl/ssl_lib.c:649]: (style) The function 'SSL_CTX_set_ssl_version' is never used.
    • [ssl/ssl_lib.c:910]: (style) The function 'SSL_up_ref' is never used.
    • [ssl/ssl_lib.c:957]: (style) The function 'SSL_set_generate_session_id' is never used.
    • [ssl/ssl_lib.c:992]: (style) The function 'SSL_CTX_set_purpose' is never used.
    • [ssl/ssl_lib.c:997]: (style) The function 'SSL_set_purpose' is never used.
    • [ssl/ssl_txt.c:16]: (style) The function 'SSL_SESSION_print_fp' is never used.
    • [ssl/ssl_txt.c:175]: (style) The function 'SSL_SESSION_print_keylog' is never used.
    • [ssl/statem/statem_clnt.c:1021]: (style) The function 'ossl_statem_client_process_message' is never used.
    • [ssl/statem/statem_clnt.c:1079]: (style) The function 'ossl_statem_client_post_process_message' is never used.
    • [ssl/statem/statem_clnt.c:211]: (style) The function 'ossl_statem_client_read_transition' is never used.
    • [ssl/statem/statem_clnt.c:501]: (style) The function 'ossl_statem_client_write_transition' is never used.
    • [ssl/statem/statem_clnt.c:669]: (style) The function 'ossl_statem_client_pre_work' is never used.
    • [ssl/statem/statem_clnt.c:733]: (style) The function 'ossl_statem_client_post_work' is never used.
    • [ssl/statem/statem_clnt.c:887]: (style) The function 'ossl_statem_client_construct_message' is never used.
    • [ssl/statem/statem_clnt.c:960]: (style) The function 'ossl_statem_client_max_message_size' is never used.
    • [ssl/statem/statem_lib.c:1167]: (style) The function 'tls_get_message_header' is never used.
    • [ssl/statem/statem_lib.c:1276]: (style) The function 'tls_get_message_body' is never used.
    • [ssl/statem/statem_lib.c:43]: (style) The function 'ssl3_do_write' is never used.
    • [ssl/statem/statem_lib.c:77]: (style) The function 'tls_close_construct_packet' is never used.
    • [ssl/statem/statem_srvr.c:1017]: (style) The function 'ossl_statem_server_construct_message' is never used.
    • [ssl/statem/statem_srvr.c:1136]: (style) The function 'ossl_statem_server_max_message_size' is never used.
    • [ssl/statem/statem_srvr.c:1179]: (style) The function 'ossl_statem_server_process_message' is never used.
    • [ssl/statem/statem_srvr.c:1225]: (style) The function 'ossl_statem_server_post_process_message' is never used.
    • [ssl/statem/statem_srvr.c:156]: (style) The function 'ossl_statem_server_read_transition' is never used.
    • [ssl/statem/statem_srvr.c:33]: (style) struct member 'GOST_KX_MESSAGE::kxBlob' is never used.
    • [ssl/statem/statem_srvr.c:34]: (style) struct member 'GOST_KX_MESSAGE::opaqueBlob' is never used.
    • [ssl/statem/statem_srvr.c:544]: (style) The function 'ossl_statem_server_write_transition' is never used.
    • [ssl/statem/statem_srvr.c:682]: (style) The function 'ossl_statem_server_pre_work' is never used.
    • [ssl/statem/statem_srvr.c:809]: (style) The function 'ossl_statem_server_post_work' is never used.
    • [ssl/tls13_enc.c:367]: (style) The function 'tls13_generate_master_secret' is never used.
    • [ssl/tls13_enc.c:382]: (style) The function 'tls13_final_finish_mac' is never used.
    • [ssl/tls13_enc.c:433]: (style) The function 'tls13_setup_key_block' is never used.
    • [ssl/tls13_enc.c:928]: (style) The function 'tls13_alert_code' is never used.
    • [ssl/tls13_enc.c:937]: (style) The function 'tls13_export_keying_material' is never used.

eighthave avatar Aug 10 '21 12:08 eighthave

I'm working through auditing the ECH code now, and will post findings as put them together. One quick thing is that there are many lines with trailing spaces, which might annoy upstream. Those can be removed with:

find * -type f -print0 | xargs -0 sed -i 's, *$,,'

Just pushed changes for this. I didn't use the above as there are files that a) I didn't modify for ECH so don't want to for this, and b) that legitimately have spaces at line ends (e.g. some test data).

sftcd avatar Aug 23 '21 13:08 sftcd

Here's the first notable thing found with cppcheck:

  • [x] [apps/s_server.c:595]: (style) Obsolete function 'asctime' called. It is recommended to use 'strftime' instead.

    • there are no existing refs to asctime or strftime
    • there is get_current_time(&timenow)

Not sure I agree asctime() is obsolete and get_current_time wouldn't be right anyway. I did however change to use of the thread-safe gmtime_r and asctime_r as a result of this, so it was useful anyway

Ok - it looks like POSIX does deprecate asctime so I moved to strftime.

sftcd avatar Aug 23 '21 15:08 sftcd

In the LARGE list above, a number of the nits aren't in ECH code, (e.g. number 2 and 4) so I'm just checking those off. For those that are obvious enough ECH things, if I check-em without comment then I've just done the obvious fix following the recommendation.

sftcd avatar Aug 23 '21 15:08 sftcd