Blob initialization fix-1

tls/s2n_alerts.c

@@ -253,7 +253,8 @@ int s2n_queue_writer_close_alert_warning(struct s2n_connection *conn)
     alert[0] = S2N_TLS_ALERT_LEVEL_WARNING;
     alert[1] = S2N_TLS_ALERT_CLOSE_NOTIFY;
 
-    struct s2n_blob out = { .data = alert, .size = sizeof(alert) };
+    struct s2n_blob out = { 0 };
+    POSIX_GUARD(s2n_blob_init(&out, alert, sizeof(alert)));
 
     /* If there is an alert pending or we've already sent a close_notify, do nothing */
     if (s2n_stuffer_data_available(&conn->writer_alert_out) || conn->close_notify_queued) {
@@ -278,7 +279,8 @@ static int s2n_queue_reader_alert(struct s2n_connection *conn, uint8_t level, ui
     alert[0] = level;
     alert[1] = error_code;
 
-    struct s2n_blob out = { .data = alert, .size = sizeof(alert) };
+    struct s2n_blob out = { 0 };
+    POSIX_GUARD(s2n_blob_init(&out, alert, sizeof(alert)));
 
     /* If there is an alert pending, do nothing */
     if (s2n_stuffer_data_available(&conn->reader_alert_out)) {

tls/s2n_change_cipher_spec.c

@@ -43,7 +43,8 @@ int s2n_client_ccs_recv(struct s2n_connection *conn)
     POSIX_GUARD(s2n_basic_ccs_recv(conn));
 
     /* Zero the sequence number */
-    struct s2n_blob seq = { .data = conn->secure->client_sequence_number, .size = sizeof(conn->secure->client_sequence_number) };
+    struct s2n_blob seq = { 0 };
+    POSIX_GUARD(s2n_blob_init(&seq, conn->secure->client_sequence_number, sizeof(conn->secure->client_sequence_number)));
     POSIX_GUARD(s2n_blob_zero(&seq));
 
     /* Update the client to use the cipher-suite */
@@ -65,7 +66,8 @@ int s2n_server_ccs_recv(struct s2n_connection *conn)
     POSIX_GUARD(s2n_basic_ccs_recv(conn));
 
     /* Zero the sequence number */
-    struct s2n_blob seq = { .data = conn->secure->server_sequence_number, .size = sizeof(conn->secure->server_sequence_number) };
+    struct s2n_blob seq = { 0 };
+    POSIX_GUARD(s2n_blob_init(&seq, conn->secure->server_sequence_number, sizeof(conn->secure->server_sequence_number)));
     POSIX_GUARD(s2n_blob_zero(&seq));
 
     /* Compute the finished message */

tls/s2n_cipher_suites.c

@@ -998,7 +998,8 @@ int s2n_cipher_suites_init(void)
 
         /* Initialize SSLv3 cipher suite if SSLv3 utilizes a different record algorithm */
         if (cur_suite->sslv3_record_alg && cur_suite->sslv3_record_alg->cipher->is_available()) {
-            struct s2n_blob cur_suite_mem = { .data = (uint8_t *) cur_suite, .size = sizeof(struct s2n_cipher_suite) };
+            struct s2n_blob cur_suite_mem = { 0 };
+            POSIX_GUARD(s2n_blob_init(&cur_suite_mem, (uint8_t *) cur_suite, sizeof(struct s2n_cipher_suite)));
             struct s2n_blob new_suite_mem = { 0 };
             POSIX_GUARD(s2n_dup(&cur_suite_mem, &new_suite_mem));
 

tls/s2n_config.c

@@ -841,10 +841,14 @@ int s2n_config_add_ticket_crypto_key(struct s2n_config *config,
     POSIX_ENSURE(s2n_find_ticket_key(config, name_data) == NULL, S2N_ERR_INVALID_TICKET_KEY_NAME_OR_NAME_LENGTH);
 
     uint8_t output_pad[S2N_AES256_KEY_LEN + S2N_TICKET_AAD_IMPLICIT_LEN] = { 0 };
-    struct s2n_blob out_key = { .data = output_pad, .size = s2n_array_len(output_pad) };
-    struct s2n_blob in_key = { .data = key, .size = key_len };
-    struct s2n_blob salt = { .size = 0 };
-    struct s2n_blob info = { .size = 0 };
+    struct s2n_blob out_key = { 0 };
+    POSIX_GUARD(s2n_blob_init(&out_key, output_pad, s2n_array_len(output_pad)));
+    struct s2n_blob in_key = { 0 };
+    POSIX_GUARD(s2n_blob_init(&in_key, key, key_len));
+    struct s2n_blob salt = { 0 };
+    POSIX_GUARD(s2n_blob_init(&salt, NULL, 0));
+    struct s2n_blob info = { 0 };
+    POSIX_GUARD(s2n_blob_init(&info, NULL, 0));
 
     struct s2n_ticket_key *session_ticket_key = { 0 };
     DEFER_CLEANUP(struct s2n_blob allocator = { 0 }, s2n_free);

tls/s2n_handshake.c

@@ -251,11 +251,14 @@ int s2n_conn_find_name_matching_certs(struct s2n_connection *conn)
         return S2N_SUCCESS;
     }
     const char *name = conn->server_name;
-    struct s2n_blob hostname_blob = { .data = (uint8_t *) (uintptr_t) name, .size = strlen(name) };
+    struct s2n_blob hostname_blob = { 0 };
+    POSIX_GUARD(s2n_blob_init(&hostname_blob, (uint8_t *) (uintptr_t) name, strlen(name)));
     POSIX_ENSURE_LTE(hostname_blob.size, S2N_MAX_SERVER_NAME);
     char normalized_hostname[S2N_MAX_SERVER_NAME + 1] = { 0 };
     POSIX_CHECKED_MEMCPY(normalized_hostname, hostname_blob.data, hostname_blob.size);
-    struct s2n_blob normalized_name = { .data = (uint8_t *) normalized_hostname, .size = hostname_blob.size };
+    struct s2n_blob normalized_name = { 0 };
+    POSIX_GUARD(s2n_blob_init(&normalized_name, (uint8_t *) normalized_hostname, hostname_blob.size));
+
     POSIX_GUARD(s2n_blob_char_to_lower(&normalized_name));
     struct s2n_stuffer normalized_hostname_stuffer;
     POSIX_GUARD(s2n_stuffer_init(&normalized_hostname_stuffer, &normalized_name));
@@ -270,7 +273,8 @@ int s2n_conn_find_name_matching_certs(struct s2n_connection *conn)
     if (!conn->handshake_params.exact_sni_match_exists) {
         /* We have not yet found an exact domain match. Try to find wildcard matches. */
         char wildcard_hostname[S2N_MAX_SERVER_NAME + 1] = { 0 };
-        struct s2n_blob wildcard_blob = { .data = (uint8_t *) wildcard_hostname, .size = sizeof(wildcard_hostname) };
+        struct s2n_blob wildcard_blob = { 0 };
+        POSIX_GUARD(s2n_blob_init(&wildcard_blob, (uint8_t *) wildcard_hostname, sizeof(wildcard_hostname)));
         struct s2n_stuffer wildcard_stuffer;
         POSIX_GUARD(s2n_stuffer_init(&wildcard_stuffer, &wildcard_blob));
         POSIX_GUARD(s2n_create_wildcard_hostname(&normalized_hostname_stuffer, &wildcard_stuffer));

tls/s2n_handshake_io.c

@@ -900,7 +900,8 @@ static int s2n_advance_message(struct s2n_connection *conn)
 int s2n_generate_new_client_session_id(struct s2n_connection *conn)
 {
     if (conn->mode == S2N_SERVER) {
-        struct s2n_blob session_id = { .data = conn->session_id, .size = S2N_TLS_SESSION_ID_MAX_LEN };
+        struct s2n_blob session_id = { 0 };
+        POSIX_GUARD(s2n_blob_init(&session_id, conn->session_id, S2N_TLS_SESSION_ID_MAX_LEN));
 
         /* Generate a new session id */
         POSIX_GUARD_RESULT(s2n_get_public_random_data(&session_id));
@@ -1297,7 +1298,8 @@ static int s2n_handshake_handle_sslv2(struct s2n_connection *conn)
     S2N_ERROR_IF(ACTIVE_MESSAGE(conn) != CLIENT_HELLO, S2N_ERR_BAD_MESSAGE);
 
     /* Add the message to our handshake hashes */
-    struct s2n_blob hashed = { .data = conn->header_in.blob.data + 2, .size = 3 };
+    struct s2n_blob hashed = { 0 };
+    POSIX_GUARD(s2n_blob_init(&hashed, conn->header_in.blob.data + 2, 3));
     POSIX_GUARD(s2n_conn_update_handshake_hashes(conn, &hashed));
 
     hashed.data = conn->in.blob.data;

tls/s2n_kem.c

@@ -338,7 +338,8 @@ int s2n_kem_send_ciphertext(struct s2n_stuffer *out, struct s2n_kem_params *kem_
     POSIX_GUARD(s2n_stuffer_write_uint16(out, kem->ciphertext_length));
 
     /* Ciphertext will get written to *out */
-    struct s2n_blob ciphertext = { .data = s2n_stuffer_raw_write(out, kem->ciphertext_length), .size = kem->ciphertext_length };
+    struct s2n_blob ciphertext = { 0 };
+    POSIX_GUARD(s2n_blob_init(&ciphertext, s2n_stuffer_raw_write(out, kem->ciphertext_length), kem->ciphertext_length));
     POSIX_ENSURE_REF(ciphertext.data);
 
     /* Saves the shared secret in kem_params */

tls/s2n_record_read_aead.c

@@ -41,13 +41,15 @@ int s2n_record_parse_aead(
     /* TLS 1.3 record protection uses a different 5 byte associated data than TLS 1.2's */
     s2n_stack_blob(aad, is_tls13_record ? S2N_TLS13_AAD_LEN : S2N_TLS_MAX_AAD_LEN, S2N_TLS_MAX_AAD_LEN);
 
-    struct s2n_blob en = { .size = encrypted_length, .data = s2n_stuffer_raw_read(&conn->in, encrypted_length) };
+    struct s2n_blob en = { 0 };
+    POSIX_GUARD(s2n_blob_init(&en, s2n_stuffer_raw_read(&conn->in, encrypted_length), encrypted_length));
     POSIX_ENSURE_REF(en.data);
     /* In AEAD mode, the explicit IV is in the record */
     POSIX_ENSURE_GTE(en.size, cipher_suite->record_alg->cipher->io.aead.record_iv_size);
 
     uint8_t aad_iv[S2N_TLS_MAX_IV_LEN] = { 0 };
-    struct s2n_blob iv = { .data = aad_iv, .size = sizeof(aad_iv) };
+    struct s2n_blob iv = { 0 };
+    POSIX_GUARD(s2n_blob_init(&iv, aad_iv, sizeof(aad_iv)));
     struct s2n_stuffer iv_stuffer = { 0 };
     POSIX_GUARD(s2n_stuffer_init(&iv_stuffer, &iv));
 
@@ -98,7 +100,8 @@ int s2n_record_parse_aead(
     POSIX_ENSURE_NE(en.size, 0);
 
     POSIX_GUARD(cipher_suite->record_alg->cipher->io.aead.decrypt(session_key, &iv, &aad, &en, &en));
-    struct s2n_blob seq = { .data = sequence_number, .size = S2N_TLS_SEQUENCE_NUM_LEN };
+    struct s2n_blob seq = { 0 };
+    POSIX_GUARD(s2n_blob_init(&seq, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
     POSIX_GUARD(s2n_increment_sequence_number(&seq));
 
     /* O.k., we've successfully read and decrypted the record, now we need to align the stuffer

tls/s2n_server_key_exchange.c

@@ -71,7 +71,9 @@ int s2n_server_key_recv(struct s2n_connection *conn)
     uint16_t signature_length;
     POSIX_GUARD(s2n_stuffer_read_uint16(in, &signature_length));
 
-    struct s2n_blob signature = { .size = signature_length, .data = s2n_stuffer_raw_read(in, signature_length) };
+    struct s2n_blob signature = { 0 };
+    POSIX_GUARD(s2n_blob_init(&signature, s2n_stuffer_raw_read(in, signature_length), signature_length));
+
     POSIX_ENSURE_REF(signature.data);
     POSIX_ENSURE_GT(signature_length, 0);
 
@@ -164,7 +166,8 @@ int s2n_kem_server_key_recv_read_data(struct s2n_connection *conn, struct s2n_bl
     struct s2n_stuffer kem_id_stuffer = { 0 };
     uint8_t kem_id_arr[2];
     kem_extension_size kem_id;
-    struct s2n_blob kem_id_blob = { .data = kem_id_arr, .size = s2n_array_len(kem_id_arr) };
+    struct s2n_blob kem_id_blob = { 0 };
+    POSIX_GUARD(s2n_blob_init(&kem_id_blob, kem_id_arr, s2n_array_len(kem_id_arr)));
     POSIX_GUARD(s2n_stuffer_init(&kem_id_stuffer, &kem_id_blob));
     POSIX_GUARD(s2n_stuffer_write(&kem_id_stuffer, &(kem_data->kem_name)));
     POSIX_GUARD(s2n_stuffer_read_uint16(&kem_id_stuffer, &kem_id));