diff --git a/ccm.c b/ccm.c index dfd9ef7..c9362e5 100644 --- a/ccm.c +++ b/ccm.c @@ -31,11 +31,11 @@ #define MASK_L(_L) ((1 << 8 * _L) - 1) #define SET_COUNTER(A,L,cnt,C) { \ - int i; \ + unsigned int i_; \ memset((A) + DTLS_CCM_BLOCKSIZE - (L), 0, (L)); \ (C) = (cnt) & MASK_L(L); \ - for (i = DTLS_CCM_BLOCKSIZE - 1; (C) && (i > (L)); --i, (C) >>= 8) \ - (A)[i] |= (C) & 0xFF; \ + for (i_ = DTLS_CCM_BLOCKSIZE - 1; (C) && (i_ > (L)); --i_, (C) >>= 8) \ + (A)[i_] |= (C) & 0xFF; \ } static inline void @@ -45,7 +45,7 @@ block0(size_t M, /* number of auth bytes */ size_t lm, /* l(m) message length */ unsigned char nonce[DTLS_CCM_BLOCKSIZE], unsigned char *result) { - int i; + unsigned int i; result[0] = CCM_FLAGS(la, M, L); diff --git a/crypto.c b/crypto.c index 0b2e5f7..7394d40 100644 --- a/crypto.c +++ b/crypto.c @@ -63,11 +63,11 @@ static void dtls_cipher_context_release(void) } #ifndef WITH_CONTIKI -void crypto_init() +void crypto_init(void) { } -static dtls_handshake_parameters_t *dtls_handshake_malloc() { +static dtls_handshake_parameters_t *dtls_handshake_malloc(void) { return malloc(sizeof(dtls_handshake_parameters_t)); } @@ -75,7 +75,7 @@ static void dtls_handshake_dealloc(dtls_handshake_parameters_t *handshake) { free(handshake); } -static dtls_security_parameters_t *dtls_security_malloc() { +static dtls_security_parameters_t *dtls_security_malloc(void) { return malloc(sizeof(dtls_security_parameters_t)); } @@ -88,12 +88,12 @@ static void dtls_security_dealloc(dtls_security_parameters_t *security) { MEMB(handshake_storage, dtls_handshake_parameters_t, DTLS_HANDSHAKE_MAX); MEMB(security_storage, dtls_security_parameters_t, DTLS_SECURITY_MAX); -void crypto_init() { +void crypto_init(void) { memb_init(&handshake_storage); memb_init(&security_storage); } -static dtls_handshake_parameters_t *dtls_handshake_malloc() { +static dtls_handshake_parameters_t *dtls_handshake_malloc(void) { return memb_alloc(&handshake_storage); } @@ -101,7 +101,7 @@ static void dtls_handshake_dealloc(dtls_handshake_parameters_t *handshake) { memb_free(&handshake_storage, handshake); } -static dtls_security_parameters_t *dtls_security_malloc() { +static dtls_security_parameters_t *dtls_security_malloc(void) { return memb_alloc(&security_storage); } @@ -110,7 +110,7 @@ static void dtls_security_dealloc(dtls_security_parameters_t *security) { } #endif /* WITH_CONTIKI */ -dtls_handshake_parameters_t *dtls_handshake_new() +dtls_handshake_parameters_t *dtls_handshake_new(void) { dtls_handshake_parameters_t *handshake; @@ -142,7 +142,7 @@ void dtls_handshake_free(dtls_handshake_parameters_t *handshake) dtls_handshake_dealloc(handshake); } -dtls_security_parameters_t *dtls_security_new() +dtls_security_parameters_t *dtls_security_new(void) { dtls_security_parameters_t *security; @@ -182,6 +182,7 @@ dtls_p_hash(dtls_hashfunc_t h, unsigned char tmp[DTLS_HMAC_DIGEST_SIZE]; size_t dlen; /* digest length */ size_t len = 0; /* result length */ + (void)h; hmac_a = dtls_hmac_new(key, keylen); if (!hmac_a) @@ -275,6 +276,7 @@ dtls_ccm_encrypt(aes128_ccm_t *ccm_ctx, const unsigned char *src, size_t srclen, unsigned char *nounce, const unsigned char *aad, size_t la) { long int len; + (void)src; assert(ccm_ctx); @@ -292,6 +294,7 @@ dtls_ccm_decrypt(aes128_ccm_t *ccm_ctx, const unsigned char *src, unsigned char *nounce, const unsigned char *aad, size_t la) { long int len; + (void)src; assert(ccm_ctx); diff --git a/dtls.c b/dtls.c index 86e2b71..d0a8c33 100644 --- a/dtls.c +++ b/dtls.c @@ -168,7 +168,7 @@ PROCESS(dtls_retransmit_process, "DTLS retransmit process"); static dtls_context_t the_dtls_context; static inline dtls_context_t * -malloc_context() { +malloc_context(void) { return &the_dtls_context; } @@ -179,7 +179,7 @@ free_context(dtls_context_t *context) { #else /* WITH_CONTIKI */ static inline dtls_context_t * -malloc_context() { +malloc_context(void) { return (dtls_context_t *)malloc(sizeof(dtls_context_t)); } @@ -190,7 +190,7 @@ free_context(dtls_context_t *context) { #endif void -dtls_init() { +dtls_init(void) { dtls_clock_init(); crypto_init(); netq_init(); @@ -312,7 +312,8 @@ dtls_create_cookie(dtls_context_t *ctx, uint8 *msg, size_t msglen, uint8 *cookie, int *clen) { unsigned char buf[DTLS_HMAC_MAX]; - size_t len, e; + size_t e; + int len; /* create cookie with HMAC-SHA256 over: * - SECRET @@ -487,6 +488,7 @@ static inline int is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(dtls_cipher_t cipher) #ifdef DTLS_ECC return cipher == TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8; #else + (void)cipher; return 0; #endif /* DTLS_ECC */ } @@ -518,6 +520,8 @@ static inline int is_ecdsa_supported(dtls_context_t *ctx, int is_client) return ctx && ctx->h && ((!is_client && ctx->h->get_ecdsa_key) || (is_client && ctx->h->verify_ecdsa_key)); #else + (void)ctx; + (void)is_client; return 0; #endif /* DTLS_ECC */ } @@ -529,6 +533,7 @@ static inline int is_ecdsa_client_auth_supported(dtls_context_t *ctx) #ifdef DTLS_ECC return ctx && ctx->h && ctx->h->get_ecdsa_key && ctx->h->verify_ecdsa_key; #else + (void)ctx; return 0; #endif /* DTLS_ECC */ } @@ -569,6 +574,7 @@ static int hs_attempt_with_existing_peer(uint8_t *msg, size_t msglen, dtls_peer_t *peer) { + (void)msglen; if ((peer) && (peer->state == DTLS_STATE_CONNECTED)) { if (msg[0] == DTLS_CT_HANDSHAKE) { uint16_t msg_epoch = dtls_uint16_to_int(DTLS_RECORD_HEADER(msg)->epoch); @@ -659,6 +665,7 @@ calculate_key_block(dtls_context_t *ctx, int pre_master_len = 0; dtls_security_parameters_t *security = dtls_security_params_next(peer); uint8 master_secret[DTLS_MASTER_SECRET_LENGTH]; + (void)role; /* The macro dtls_kb_size() does not use role. */ if (!security) { return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR); @@ -711,8 +718,26 @@ calculate_key_block(dtls_context_t *ctx, break; } #endif /* DTLS_ECC */ + case TLS_NULL_WITH_NULL_NULL: + assert(!"calculate_key_block: tried to use NULL cipher\n"); + return dtls_alert_fatal_create(DTLS_ALERT_INSUFFICIENT_SECURITY); + + /* The following cases cover the enum symbols that are not + * included in this build. These must be kept just above the + * default case as they do nothing but fall through. + */ +#ifndef DTLS_PSK + case TLS_PSK_WITH_AES_128_CCM_8: + /* fall through to default */ +#endif /* !DTLS_PSK */ + +#ifndef DTLS_ECC + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: + /* fall through to default */ +#endif /* !DTLS_ECC */ + default: - dtls_crit("calculate_key_block: unknown cipher\n"); + dtls_crit("calculate_key_block: unknown cipher %x04 \n", handshake->cipher); return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR); } @@ -954,7 +979,8 @@ static int dtls_update_parameters(dtls_context_t *ctx, dtls_peer_t *peer, uint8 *data, size_t data_length) { - int i, j; + int i; + unsigned int j; int ok; dtls_handshake_parameters_t *config = peer->handshake_params; dtls_security_parameters_t *security = dtls_security_params(peer); @@ -1059,7 +1085,7 @@ static inline int check_client_keyexchange(dtls_context_t *ctx, dtls_handshake_parameters_t *handshake, uint8 *data, size_t length) { - + (void)ctx; #ifdef DTLS_ECC if (is_tls_ecdhe_ecdsa_with_aes_128_ccm_8(handshake->cipher)) { @@ -1160,6 +1186,7 @@ check_finished(dtls_context_t *ctx, dtls_peer_t *peer, size_t digest_length, label_size; const unsigned char *label; unsigned char buf[DTLS_HMAC_MAX]; + (void)ctx; if (data_length < DTLS_HS_LENGTH + DTLS_FIN_LENGTH) return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE); @@ -1532,7 +1559,7 @@ dtls_send_multi(dtls_context_t *ctx, dtls_peer_t *peer, /* Guess number of bytes application data actually sent: * dtls_prepare_record() tells us in len the number of bytes to * send, res will contain the bytes actually sent. */ - return res <= 0 ? res : overall_len - (len - res); + return res <= 0 ? res : (int)(overall_len - (len - (unsigned int)res)); } static inline int @@ -1874,7 +1901,7 @@ dtls_send_server_hello(dtls_context_t *ctx, dtls_peer_t *peer) p += sizeof(uint8); } - assert(p - buf <= sizeof(buf)); + assert((buf <= p) && ((unsigned int)(p - buf) <= sizeof(buf))); /* TODO use the same record sequence number as in the ClientHello, see 4.2.1. Denial-of-Service Countermeasures */ @@ -2060,7 +2087,7 @@ dtls_send_server_key_exchange_psk(dtls_context_t *ctx, dtls_peer_t *peer, memcpy(p, psk_hint, len); p += len; - assert(p - buf <= sizeof(buf)); + assert((buf <= p) && ((unsigned int)(p - buf) <= sizeof(buf))); return dtls_send_handshake_msg(ctx, peer, DTLS_HT_SERVER_KEY_EXCHANGE, buf, p - buf); @@ -2278,12 +2305,31 @@ dtls_send_client_key_exchange(dtls_context_t *ctx, dtls_peer_t *peer) break; } #endif /* DTLS_ECC */ + + case TLS_NULL_WITH_NULL_NULL: + assert(!"NULL cipher requested"); + return dtls_alert_fatal_create(DTLS_ALERT_INSUFFICIENT_SECURITY); + + /* The following cases cover the enum symbols that are not + * included in this build. These must be kept just above the + * default case as they do nothing but fall through. + */ +#ifndef DTLS_PSK + case TLS_PSK_WITH_AES_128_CCM_8: + /* fall through to default */ +#endif /* !DTLS_PSK */ + +#ifndef DTLS_ECC + case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: + /* fall through to default */ +#endif /* !DTLS_ECC */ + default: - dtls_crit("cipher not supported\n"); + dtls_crit("cipher %x04 not supported\n", handshake->cipher); return dtls_alert_fatal_create(DTLS_ALERT_INTERNAL_ERROR); } - assert(p - buf <= sizeof(buf)); + assert((buf <= p) && ((unsigned int)(p - buf) <= sizeof(buf))); return dtls_send_handshake_msg(ctx, peer, DTLS_HT_CLIENT_KEY_EXCHANGE, buf, p - buf); @@ -2351,7 +2397,7 @@ dtls_send_finished(dtls_context_t *ctx, dtls_peer_t *peer, p += DTLS_FIN_LENGTH; - assert(p - buf <= sizeof(buf)); + assert((buf <= p) && ((unsigned int)(p - buf) <= sizeof(buf))); return dtls_send_handshake_msg(ctx, peer, DTLS_HT_FINISHED, buf, p - buf); @@ -2499,7 +2545,7 @@ dtls_send_client_hello(dtls_context_t *ctx, dtls_peer_t *peer, p += sizeof(uint8); } - assert(p - buf <= sizeof(buf)); + assert((buf <= p) && ((unsigned int)(p - buf) <= sizeof(buf))); if (cookie_length != 0) clear_hs_hash(peer); @@ -2738,6 +2784,7 @@ check_server_key_exchange_psk(dtls_context_t *ctx, { dtls_handshake_parameters_t *config = peer->handshake_params; uint16_t len; + (void)ctx; update_hs_hash(peer, data, data_length); @@ -2779,6 +2826,7 @@ check_certificate_request(dtls_context_t *ctx, int auth_alg; int sig_alg; int hash_alg; + (void)ctx; update_hs_hash(peer, data, data_length); @@ -3522,6 +3570,7 @@ handle_ccs(dtls_context_t *ctx, dtls_peer_t *peer, { int err; dtls_handshake_parameters_t *handshake = peer->handshake_params; + (void)record_header; /* A CCS message is handled after a KeyExchange message was * received from the client. When security parameters have been @@ -3559,6 +3608,7 @@ static int handle_alert(dtls_context_t *ctx, dtls_peer_t *peer, uint8 *record_header, uint8 *data, size_t data_length) { int free_peer = 0; /* indicates whether to free peer */ + (void)record_header; if (data_length < 2) return dtls_alert_fatal_create(DTLS_ALERT_DECODE_ERROR); @@ -3727,7 +3777,7 @@ dtls_handle_message(dtls_context_t *ctx, state = DTLS_STATE_WAIT_CLIENTHELLO; role = DTLS_SERVER; } else { - int err = dtls_alert_fatal_create(DTLS_ALERT_DECRYPT_ERROR); + err = dtls_alert_fatal_create(DTLS_ALERT_DECRYPT_ERROR); dtls_info("decrypt_verify() failed\n"); if (peer->state < DTLS_STATE_CONNECTED) { dtls_alert_send_from_err(ctx, peer, &peer->session, err); diff --git a/dtls_debug.c b/dtls_debug.c index f4626db..7b3ae10 100644 --- a/dtls_debug.c +++ b/dtls_debug.c @@ -213,7 +213,7 @@ dsrv_log(log_t level, char *format, ...) { va_list ap; FILE *log_fd; - if (maxlog < level) + if (maxlog < (int)level) return; log_fd = level <= DTLS_LOG_CRIT ? stderr : stdout; @@ -295,7 +295,7 @@ dtls_dsrv_hexdump_log(log_t level, const char *name, const unsigned char *buf, s FILE *log_fd; int n = 0; - if (maxlog < level) + if (maxlog < (int)level) return; log_fd = level <= DTLS_LOG_CRIT ? stderr : stdout; diff --git a/dtls_debug.h b/dtls_debug.h index 8cff829..d46b6da 100644 --- a/dtls_debug.h +++ b/dtls_debug.h @@ -33,7 +33,7 @@ #ifdef CONTIKI_TARGET_MBXXX extern char __Stack_Init, _estack; -static inline void check_stack() { +static inline void check_stack(void) { const char *p = &__Stack_Init; while (p < &_estack && *p == 0x38) { p++; @@ -42,13 +42,13 @@ static inline void check_stack() { PRINTF("Stack: %d bytes used (%d free)\n", &_estack - p, p - &__Stack_Init); } #else /* CONTIKI_TARGET_MBXXX */ -static inline void check_stack() { +static inline void check_stack(void) { } #endif /* CONTIKI_TARGET_MBXXX */ #else /* WITH_CONTKI */ #define PRINTF(...) -static inline void check_stack() { +static inline void check_stack(void) { } #endif @@ -60,14 +60,14 @@ typedef enum { DTLS_LOG_EMERG=0, DTLS_LOG_ALERT, DTLS_LOG_CRIT, DTLS_LOG_WARN, #ifndef WITH_CONTIKI /* Contiki does not have the required PACKAGE_ variables configured */ /** Returns a zero-terminated string with the name of this library. */ -const char *dtls_package_name(); +const char *dtls_package_name(void); /** Returns a zero-terminated string with the library version. */ -const char *dtls_package_version(); +const char *dtls_package_version(void); #endif /* WITH_CONTIKI */ /** Returns the current log level. */ -log_t dtls_get_log_level(); +log_t dtls_get_log_level(void); /** Sets the log level to the specified value. */ void dtls_set_log_level(log_t level); diff --git a/hmac.c b/hmac.c index a7d5216..e16eca5 100644 --- a/hmac.c +++ b/hmac.c @@ -33,7 +33,7 @@ #include static inline dtls_hmac_context_t * -dtls_hmac_context_new() { +dtls_hmac_context_new(void) { return (dtls_hmac_context_t *)malloc(sizeof(dtls_hmac_context_t)); } @@ -47,7 +47,7 @@ dtls_hmac_context_free(dtls_hmac_context_t *ctx) { MEMB(hmac_context_storage, dtls_hmac_context_t, DTLS_HASH_MAX); static inline dtls_hmac_context_t * -dtls_hmac_context_new() { +dtls_hmac_context_new(void) { return (dtls_hmac_context_t *)memb_alloc(&hmac_context_storage); } @@ -57,7 +57,7 @@ dtls_hmac_context_free(dtls_hmac_context_t *ctx) { } void -dtls_hmac_storage_init() { +dtls_hmac_storage_init(void) { memb_init(&hmac_context_storage); } #endif /* WITH_CONTIKI */ diff --git a/netq.h b/netq.h index a5b71d3..c8821ac 100644 --- a/netq.h +++ b/netq.h @@ -64,10 +64,10 @@ typedef struct netq_t { } netq_t; #ifndef WITH_CONTIKI -static inline void netq_init() +static inline void netq_init(void) { } #else -void netq_init(); +void netq_init(void); #endif /** diff --git a/peer.c b/peer.c index 40ff605..7a02444 100644 --- a/peer.c +++ b/peer.c @@ -20,12 +20,12 @@ #include "dtls_debug.h" #ifndef WITH_CONTIKI -void peer_init() +void peer_init(void) { } static inline dtls_peer_t * -dtls_malloc_peer() { +dtls_malloc_peer(void) { return (dtls_peer_t *)malloc(sizeof(dtls_peer_t)); } @@ -42,12 +42,12 @@ dtls_free_peer(dtls_peer_t *peer) { MEMB(peer_storage, dtls_peer_t, DTLS_PEER_MAX); void -peer_init() { +peer_init(void) { memb_init(&peer_storage); } static inline dtls_peer_t * -dtls_malloc_peer() { +dtls_malloc_peer(void) { return memb_alloc(&peer_storage); }