From 3fe5ee1a7c37d8e54a370104adee74d7662bdc4b Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 18 Feb 2016 22:42:15 -0800 Subject: [PATCH 1/3] Refactor of the DER buffer handling. Added new DerBuffer struct that includes the type and heap ptr. Added new InitDer, AllocDer and FreeDer functions. Cleanup of some missing "heap" args on XMALLOC/XFREE. In FreeDer uses ForceZero if type is private key. --- src/crl.c | 17 +- src/internal.c | 103 ++++---- src/ssl.c | 603 ++++++++++++++++++++++++-------------------- wolfcrypt/src/asn.c | 16 +- wolfssl/internal.h | 40 ++- 5 files changed, 414 insertions(+), 365 deletions(-) diff --git a/src/crl.c b/src/crl.c index 0143dd789..b39e2e77f 100644 --- a/src/crl.c +++ b/src/crl.c @@ -263,20 +263,23 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type) { int ret = SSL_SUCCESS; const byte* myBuffer = buff; /* if DER ok, otherwise switch */ - buffer der; + DerBuffer der; #ifdef WOLFSSL_SMALL_STACK DecodedCRL* dcrl; #else DecodedCRL dcrl[1]; #endif - der.buffer = NULL; - WOLFSSL_ENTER("BufferLoadCRL"); if (crl == NULL || buff == NULL || sz == 0) return BAD_FUNC_ARG; + ret = InitDer(&der); + if (ret < 0) { + return ret; + } + if (type == SSL_FILETYPE_PEM) { int eccKey = 0; /* not used */ EncryptedInfo info; @@ -289,6 +292,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type) } else { WOLFSSL_MSG("Pem to Der failed"); + FreeDer(&der); return -1; } } @@ -296,9 +300,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type) #ifdef WOLFSSL_SMALL_STACK dcrl = (DecodedCRL*)XMALLOC(sizeof(DecodedCRL), NULL, DYNAMIC_TYPE_TMP_BUFFER); if (dcrl == NULL) { - if (der.buffer) - XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL); - + FreeDer(&der); return MEMORY_E; } #endif @@ -321,8 +323,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type) XFREE(dcrl, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - if (der.buffer) - XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL); + FreeDer(&der); return ret ? ret : SSL_SUCCESS; /* convert 0 to SSL_SUCCESS */ } diff --git a/src/internal.c b/src/internal.c index 0dca6aaec..ecc6272fa 100644 --- a/src/internal.c +++ b/src/internal.c @@ -566,9 +566,9 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) #endif #ifndef NO_CERTS - XFREE(ctx->privateKey.buffer, ctx->heap, DYNAMIC_TYPE_KEY); - XFREE(ctx->certificate.buffer, ctx->heap, DYNAMIC_TYPE_CERT); - XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT); + FreeDer(&ctx->privateKey); + FreeDer(&ctx->certificate); + FreeDer(&ctx->certChain); wolfSSL_CertManagerFree(ctx->cm); #endif @@ -1643,7 +1643,7 @@ void InitX509(WOLFSSL_X509* x509, int dynamicFlag) x509->version = 0; x509->pubKey.buffer = NULL; x509->sig.buffer = NULL; - x509->derCert.buffer = NULL; + InitDer(&x509->derCert); x509->altNames = NULL; x509->altNamesNext = NULL; x509->dynamicMemory = (byte)dynamicFlag; @@ -1687,7 +1687,7 @@ void FreeX509(WOLFSSL_X509* x509) FreeX509Name(&x509->subject); if (x509->pubKey.buffer) XFREE(x509->pubKey.buffer, NULL, DYNAMIC_TYPE_PUBLIC_KEY); - XFREE(x509->derCert.buffer, NULL, DYNAMIC_TYPE_SUBJECT_CN); + FreeDer(&x509->derCert); XFREE(x509->sig.buffer, NULL, DYNAMIC_TYPE_SIGNATURE); #ifdef OPENSSL_EXTRA XFREE(x509->authKeyId, NULL, DYNAMIC_TYPE_X509_EXT); @@ -1859,9 +1859,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) #ifndef NO_CERTS /* ctx still owns certificate, certChain, key, dh, and cm */ - ssl->buffers.certificate = ctx->certificate; - ssl->buffers.certChain = ctx->certChain; - ssl->buffers.key = ctx->privateKey; + XMEMCPY(&ssl->buffers.certificate, &ctx->certificate, sizeof(DerBuffer)); + XMEMCPY(&ssl->buffers.certChain, &ctx->certChain, sizeof(DerBuffer)); + XMEMCPY(&ssl->buffers.key, &ctx->privateKey, sizeof(DerBuffer)); #endif #ifdef HAVE_CAVIUM @@ -2129,17 +2129,7 @@ void SSL_ResourceFree(WOLFSSL* ssl) } #endif #ifndef NO_CERTS - if (ssl->buffers.weOwnCert) - XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT); - if (ssl->buffers.weOwnCertChain) - XFREE(ssl->buffers.certChain.buffer, ssl->heap, DYNAMIC_TYPE_CERT); - if (ssl->buffers.weOwnKey) { - if (ssl->buffers.key.buffer) { - ForceZero(ssl->buffers.key.buffer, ssl->buffers.key.length); - } - XFREE(ssl->buffers.key.buffer, ssl->heap, DYNAMIC_TYPE_KEY); - ssl->buffers.key.buffer = NULL; - } + wolfSSL_UnloadCertsKeys(ssl); #endif #ifndef NO_RSA if (ssl->peerRsaKey) { @@ -2335,21 +2325,7 @@ void FreeHandshakeResources(WOLFSSL* ssl) } #endif #ifndef NO_CERTS - if (ssl->buffers.weOwnCert) { - XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT); - ssl->buffers.certificate.buffer = NULL; - } - if (ssl->buffers.weOwnCertChain) { - XFREE(ssl->buffers.certChain.buffer, ssl->heap, DYNAMIC_TYPE_CERT); - ssl->buffers.certChain.buffer = NULL; - } - if (ssl->buffers.weOwnKey) { - if (ssl->buffers.key.buffer) { - ForceZero(ssl->buffers.key.buffer, ssl->buffers.key.length); - } - XFREE(ssl->buffers.key.buffer, ssl->heap, DYNAMIC_TYPE_KEY); - ssl->buffers.key.buffer = NULL; - } + wolfSSL_UnloadCertsKeys(ssl); #endif #ifdef HAVE_PK_CALLBACKS #ifdef HAVE_ECC @@ -4493,14 +4469,8 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) } /* store cert for potential retrieval */ - x509->derCert.buffer = (byte*)XMALLOC(dCert->maxIdx, NULL, - DYNAMIC_TYPE_CERT); - if (x509->derCert.buffer == NULL) { - ret = MEMORY_E; - } - else { + if (AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, NULL) == 0) { XMEMCPY(x509->derCert.buffer, dCert->source, dCert->maxIdx); - x509->derCert.length = dCert->maxIdx; } x509->altNames = dCert->altNames; @@ -4561,7 +4531,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, - word32 size) + word32 size) { word32 listSz; word32 begin = *inOutIdx; @@ -4569,7 +4539,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, int anyError = 0; int totalCerts = 0; /* number of certs in certs buffer */ int count; - buffer certs[MAX_CHAIN_DEPTH]; + DerBuffer certs[MAX_CHAIN_DEPTH]; #ifdef WOLFSSL_SMALL_STACK char* domain = NULL; @@ -4616,6 +4586,10 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, if ((*inOutIdx - begin) + certSz > size) return BUFFER_ERROR; + ret = InitDer(&certs[totalCerts]); + if (ret < 0) { + return 0; + } certs[totalCerts].length = certSz; certs[totalCerts].buffer = input + *inOutIdx; @@ -4649,7 +4623,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* verify up to peer's first */ while (count > 1) { - buffer myCert = certs[count - 1]; + DerBuffer myCert = certs[count - 1]; byte* subjectHash; InitDecodedCert(dCert, myCert.buffer, myCert.length, ssl->heap); @@ -4668,18 +4642,24 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_MSG("Chain cert not verified by option, not adding as CA"); } else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, subjectHash)) { - buffer add; - add.length = myCert.length; - add.buffer = (byte*)XMALLOC(myCert.length, ssl->heap, - DYNAMIC_TYPE_CA); + DerBuffer add; + ret = InitDer(&add); + if (ret == 0) { + ret = AllocDer(&add, myCert.length, CA_TYPE, ssl->heap); + } + if (ret < 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(dCert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return ret; + } + WOLFSSL_MSG("Adding CA from chain"); - if (add.buffer == NULL) - return MEMORY_E; XMEMCPY(add.buffer, myCert.buffer, myCert.length); /* already verified above */ - ret = AddCA(ssl->ctx->cm, add, WOLFSSL_CHAIN_CA, 0); + ret = AddCA(ssl->ctx->cm, &add, WOLFSSL_CHAIN_CA, 0); if (ret == 1) ret = 0; /* SSL_SUCCESS for external */ } else if (ret != 0) { @@ -4735,7 +4715,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* peer's, may not have one if blank client cert sent by TLSv1.2 */ if (count) { - buffer myCert = certs[0]; + DerBuffer myCert = certs[0]; int fatal = 0; WOLFSSL_MSG("Verifying Peer's cert"); @@ -4833,10 +4813,10 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef KEEP_PEER_CERT if (fatal == 0) { - /* set X509 format for peer cert even if fatal */ - int copyRet = CopyDecodedToX509(&ssl->peerCert, dCert); - if (copyRet == MEMORY_E) - fatal = 1; + /* set X509 format for peer cert even if fatal */ + int copyRet = CopyDecodedToX509(&ssl->peerCert, dCert); + if (copyRet == MEMORY_E) + fatal = 1; } #endif @@ -8717,7 +8697,7 @@ int SendCertificateStatus(WOLFSSL* ssl) return 0; if (!request || ssl->buffers.weOwnCert) { - buffer der = ssl->buffers.certificate; + DerBuffer der = ssl->buffers.certificate; #ifdef WOLFSSL_SMALL_STACK DecodedCert* cert = NULL; #else @@ -8814,7 +8794,7 @@ int SendCertificateStatus(WOLFSSL* ssl) return 0; if (!request || ssl->buffers.weOwnCert) { - buffer der = ssl->buffers.certificate; + DerBuffer der = ssl->buffers.certificate; #ifdef WOLFSSL_SMALL_STACK DecodedCert* cert = NULL; #else @@ -8887,7 +8867,7 @@ int SendCertificateStatus(WOLFSSL* ssl) if (ret == 0 && (!ssl->ctx->chainOcspRequest[0] || ssl->buffers.weOwnCertChain)) { - buffer der = {NULL, 0}; + DerBuffer der; word32 idx = 0; #ifdef WOLFSSL_SMALL_STACK DecodedCert* cert = NULL; @@ -8895,6 +8875,11 @@ int SendCertificateStatus(WOLFSSL* ssl) DecodedCert cert[1]; #endif + ret = InitDer(&der); + if (ret < 0) { + return ret; + } + #ifdef WOLFSSL_SMALL_STACK cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/src/ssl.c b/src/ssl.c index 4973ac80a..c2762ffdb 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1635,6 +1635,60 @@ int wolfSSL_GetHmacSize(WOLFSSL* ssl) #ifndef NO_CERTS +int InitDer(DerBuffer* der) +{ + int ret = BAD_FUNC_ARG; + if (der) { + XMEMSET(der, 0, sizeof(DerBuffer)); + ret = 0; + } + return ret; +} + +int AllocDer(DerBuffer* der, word32 length, int type, void* heap) +{ + int ret = BAD_FUNC_ARG; + if (der) { + int dynType = 0; + + /* Determine dynamic type */ + switch (type) { + case CA_TYPE: dynType = DYNAMIC_TYPE_CA; break; + case CERT_TYPE: dynType = DYNAMIC_TYPE_CERT; break; + case CRL_TYPE: dynType = DYNAMIC_TYPE_CRL; break; + case DSA_TYPE: dynType = DYNAMIC_TYPE_DSA; break; + case ECC_TYPE: dynType = DYNAMIC_TYPE_ECC; break; + case RSA_TYPE: dynType = DYNAMIC_TYPE_RSA; break; + default: dynType = DYNAMIC_TYPE_KEY; break; + } + + /* Setup new buffer */ + der->type = type; + der->dynType = dynType; + der->heap = heap; + der->buffer = (byte*)XMALLOC(length, heap, dynType); + if (!der->buffer) { + return MEMORY_ERROR; + } + der->length = length; + ret = 0; /* Success */ + } + return ret; +} + +void FreeDer(DerBuffer* der) +{ + if (der && der->buffer) { + /* ForceZero private keys */ + if (der->type == PRIVATEKEY_TYPE) { + ForceZero(der->buffer, der->length); + } + XFREE(der->buffer, der->heap, der->dynType); + der->buffer = NULL; + der->length = 0; + } +} + WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew(void) { WOLFSSL_CERT_MANAGER* cm = NULL; @@ -1709,7 +1763,7 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz, { int eccKey = 0; int ret; - buffer der; + DerBuffer der; #ifdef WOLFSSL_SMALL_STACK EncryptedInfo* info = NULL; #else @@ -1728,6 +1782,11 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz, return BAD_FUNC_ARG; } + ret = InitDer(&der); + if (ret < 0) { + return ret; + } + #ifdef WOLFSSL_SMALL_STACK info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -1738,7 +1797,6 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz, info->set = 0; info->ctx = NULL; info->consumed = 0; - der.buffer = NULL; ret = PemToDer(pem, pemSz, type, &der, NULL, info, &eccKey); @@ -1760,8 +1818,7 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz, } } - XFREE(der.buffer, NULL, DYNAMIC_TYPE_KEY); - + FreeDer(&der); return ret; } @@ -1810,7 +1867,7 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz, { int eccKey = 0; int ret; - buffer der; + DerBuffer der; #ifdef WOLFSSL_SMALL_STACK EncryptedInfo* info = NULL; #else @@ -1824,6 +1881,11 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz, return BAD_FUNC_ARG; } + ret = InitDer(&der); + if (ret < 0) { + return ret; + } + #ifdef WOLFSSL_SMALL_STACK info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -1834,7 +1896,6 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz, info->set = 0; info->ctx = NULL; info->consumed = 0; - der.buffer = NULL; #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) if (pass) { @@ -1876,7 +1937,7 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz, } } - XFREE(der.buffer, NULL, DYNAMIC_TYPE_KEY); + FreeDer(&der); return ret; } @@ -2187,7 +2248,7 @@ Signer* GetCAByName(void* vp, byte* hash) /* owns der, internal now uses too */ /* type flag ids from user or from chain received during verify don't allow chain ones to be added w/o isCA extension */ -int AddCA(WOLFSSL_CERT_MANAGER* cm, buffer der, int type, int verify) +int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int type, int verify) { int ret; Signer* signer = 0; @@ -2208,7 +2269,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, buffer der, int type, int verify) return MEMORY_E; #endif - InitDecodedCert(cert, der.buffer, der.length, cm->heap); + InitDecodedCert(cert, der->buffer, der->length, cm->heap); ret = ParseCert(cert, CA_TYPE, verify, cm); WOLFSSL_MSG(" Parsed new CA"); @@ -2277,7 +2338,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, buffer der, int type, int verify) cm->caTable[row] = signer; /* takes ownership */ UnLockMutex(&cm->caLock); if (cm->caCacheCallback) - cm->caCacheCallback(der.buffer, (int)der.length, type); + cm->caCacheCallback(der->buffer, (int)der->length, type); } else { WOLFSSL_MSG(" CA Mutex Lock failed"); @@ -2293,7 +2354,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, buffer der, int type, int verify) XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif WOLFSSL_MSG(" Freeing der CA"); - XFREE(der.buffer, cm->heap, DYNAMIC_TYPE_CA); + FreeDer(der); WOLFSSL_MSG(" OK Freeing der CA"); WOLFSSL_LEAVE("AddCA", ret); @@ -2411,7 +2472,7 @@ int wolfSSL_Init(void) #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) /* SSL_SUCCESS if ok, <= 0 else */ -static int wolfssl_decrypt_buffer_key(buffer* der, byte* password, +static int wolfssl_decrypt_buffer_key(DerBuffer* der, byte* password, int passwordSz, EncryptedInfo* info) { int ret = SSL_BAD_FILE; @@ -2569,7 +2630,7 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password, /* Remove PEM header/footer, convert to ASN1, store any encrypted data info->consumed tracks of PEM bytes consumed in case multiple parts */ int PemToDer(const unsigned char* buff, long longSz, int type, - buffer* der, void* heap, EncryptedInfo* info, int* eccKey) + DerBuffer* der, void* heap, EncryptedInfo* info, int* eccKey) { const char* header = NULL; const char* footer = NULL; @@ -2579,13 +2640,9 @@ int PemToDer(const unsigned char* buff, long longSz, int type, char* bufferEnd = (char*)(buff + longSz); long neededSz; int ret = 0; - int dynamicType = 0; int sz = (int)longSz; int encrypted_key = 0; - (void)dynamicType; - (void)heap; - WOLFSSL_ENTER("PemToDer"); switch (type) { @@ -2601,16 +2658,6 @@ int PemToDer(const unsigned char* buff, long longSz, int type, default: header=BEGIN_RSA_PRIV; footer=END_RSA_PRIV; break; } - switch (type) { - case CA_TYPE: dynamicType = DYNAMIC_TYPE_CA; break; - case CERT_TYPE: dynamicType = DYNAMIC_TYPE_CERT; break; - case CRL_TYPE: dynamicType = DYNAMIC_TYPE_CRL; break; - case DSA_TYPE: dynamicType = DYNAMIC_TYPE_DSA; break; - case ECC_TYPE: dynamicType = DYNAMIC_TYPE_ECC; break; - case RSA_TYPE: dynamicType = DYNAMIC_TYPE_RSA; break; - default: dynamicType = DYNAMIC_TYPE_KEY; break; - } - /* find header */ for (;;) { headerEnd = XSTRNSTR((char*)buff, header, sz); @@ -2731,11 +2778,10 @@ int PemToDer(const unsigned char* buff, long longSz, int type, if (neededSz > sz || neededSz < 0) return SSL_BAD_FILE; - der->buffer = (byte*)XMALLOC(neededSz, heap, dynamicType); - if (!der->buffer) - return MEMORY_ERROR; - - der->length = (word32)neededSz; + ret = AllocDer(der, (word32)neededSz, type, heap); + if (ret < 0) { + return ret; + } if (Base64_Decode((byte*)headerEnd, (word32)neededSz, der->buffer, &der->length) < 0) @@ -2763,7 +2809,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, return SSL_BAD_FILE; /* no callback error */ #ifdef WOLFSSL_SMALL_STACK - password = (char*)XMALLOC(80, NULL, DYNAMIC_TYPE_TMP_BUFFER); + password = (char*)XMALLOC(80, heap, DYNAMIC_TYPE_TMP_BUFFER); if (password == NULL) return MEMORY_E; #endif @@ -2777,7 +2823,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type, XFREE(password, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif if (ret < 0) { - XFREE(der->buffer, heap, dynamicType); + FreeDer(der); return ret; } @@ -2788,10 +2834,10 @@ int PemToDer(const unsigned char* buff, long longSz, int type, ret = wolfssl_decrypt_buffer_key(der, (byte*)password, passwordSz, info); #ifdef WOLFSSL_SMALL_STACK - XFREE(password, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(password, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif if (ret != SSL_SUCCESS) { - XFREE(der->buffer, heap, dynamicType); + FreeDer(der); return ret; } } @@ -2809,9 +2855,8 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, long sz, int format, int type, WOLFSSL* ssl, long* used, int userChain) { - buffer der; /* holds DER or RAW (for NTRU) */ + DerBuffer der; /* holds DER or RAW (for NTRU) */ int ret; - int dynamicType = 0; int eccKey = 0; int rsaKey = 0; void* heap = ctx ? ctx->heap : NULL; @@ -2821,7 +2866,6 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, EncryptedInfo info[1]; #endif - (void)dynamicType; (void)rsaKey; if (used) @@ -2834,15 +2878,13 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, if (ctx == NULL && ssl == NULL) return BAD_FUNC_ARG; - if (type == CA_TYPE) - dynamicType = DYNAMIC_TYPE_CA; - else if (type == CERT_TYPE) - dynamicType = DYNAMIC_TYPE_CERT; - else - dynamicType = DYNAMIC_TYPE_KEY; + ret = InitDer(&der); + if (ret < 0) { + return ret; + } #ifdef WOLFSSL_SMALL_STACK - info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, + info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), heap, DYNAMIC_TYPE_TMP_BUFFER); if (info == NULL) return MEMORY_E; @@ -2851,7 +2893,6 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, info->set = 0; info->ctx = ctx; info->consumed = 0; - der.buffer = 0; if (format == SSL_FILETYPE_PEM) { ret = PemToDer(buff, sz, type, &der, heap, info, &eccKey); @@ -2861,9 +2902,9 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif - XFREE(der.buffer, heap, dynamicType); + FreeDer(&der); return ret; } @@ -2875,8 +2916,6 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, byte staticBuffer[FILE_BUFFER_SIZE]; /* tmp chain buffer */ #endif byte* chainBuffer = staticBuffer; - byte* shrinked = NULL; /* shrinked to size chainBuffer - * or staticBuffer */ int dynamicBuffer = 0; word32 bufferSz = sizeof(staticBuffer); long consumed = info->consumed; @@ -2890,9 +2929,9 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, chainBuffer = (byte*)XMALLOC(bufferSz, heap, DYNAMIC_TYPE_FILE); if (chainBuffer == NULL) { #ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif - XFREE(der.buffer, heap, dynamicType); + FreeDer(&der); return MEMORY_E; } dynamicBuffer = 1; @@ -2900,31 +2939,31 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, WOLFSSL_MSG("Processing Cert Chain"); while (consumed < sz) { - buffer part; + DerBuffer part; info->consumed = 0; - part.buffer = 0; - - ret = PemToDer(buff + consumed, sz - consumed, type, &part, - heap, info, &eccKey); + ret = InitDer(&part); if (ret == 0) { - gotOne = 1; - if ( (idx + part.length) > bufferSz) { - WOLFSSL_MSG(" Cert Chain bigger than buffer"); - ret = BUFFER_E; - } - else { - c32to24(part.length, &chainBuffer[idx]); - idx += CERT_HEADER_SZ; - XMEMCPY(&chainBuffer[idx], part.buffer,part.length); - idx += part.length; - consumed += info->consumed; - if (used) - *used += info->consumed; + ret = PemToDer(buff + consumed, sz - consumed, type, &part, + heap, info, &eccKey); + if (ret == 0) { + gotOne = 1; + if ( (idx + part.length) > bufferSz) { + WOLFSSL_MSG(" Cert Chain bigger than buffer"); + ret = BUFFER_E; + } + else { + c32to24(part.length, &chainBuffer[idx]); + idx += CERT_HEADER_SZ; + XMEMCPY(&chainBuffer[idx], part.buffer,part.length); + idx += part.length; + consumed += info->consumed; + if (used) + *used += info->consumed; + } } + FreeDer(&part); } - XFREE(part.buffer, heap, dynamicType); - if (ret == SSL_NO_PEM_HEADER && gotOne) { WOLFSSL_MSG("We got one good PEM so stuff at end ok"); break; @@ -2935,9 +2974,9 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, if (dynamicBuffer) XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE); #ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif - XFREE(der.buffer, heap, dynamicType); + FreeDer(&der); return ret; } WOLFSSL_MSG(" Consumed another Cert in Chain"); @@ -2945,50 +2984,48 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, WOLFSSL_MSG("Finished Processing Cert Chain"); /* only retain actual size used */ - if (idx > 0) /* clang thinks it can be zero, let's help analysis */ - shrinked = (byte*)XMALLOC(idx, heap, dynamicType); - if (shrinked) { + ret = 0; + if (idx > 0) { if (ssl) { - if (ssl->buffers.certChain.buffer && - ssl->buffers.weOwnCertChain) { - XFREE(ssl->buffers.certChain.buffer, heap, dynamicType); + if (ssl->buffers.weOwnCertChain) { + FreeDer(&ssl->buffers.certChain); + } + ret = AllocDer(&ssl->buffers.certChain, idx, type, heap); + if (ret == 0) { + XMEMCPY(ssl->buffers.certChain.buffer, chainBuffer, idx); + ssl->buffers.weOwnCertChain = 1; } - ssl->buffers.certChain.buffer = shrinked; - ssl->buffers.certChain.length = idx; - XMEMCPY(ssl->buffers.certChain.buffer, chainBuffer,idx); - ssl->buffers.weOwnCertChain = 1; } else if (ctx) { - if (ctx->certChain.buffer) - XFREE(ctx->certChain.buffer, heap, dynamicType); - ctx->certChain.buffer = shrinked; - ctx->certChain.length = idx; - XMEMCPY(ctx->certChain.buffer, chainBuffer, idx); + FreeDer(&ctx->certChain); + ret = AllocDer(&ctx->certChain, idx, type, heap); + if (ret == 0) { + XMEMCPY(ctx->certChain.buffer, chainBuffer, idx); + } } } if (dynamicBuffer) XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE); - if (idx > 0 && shrinked == NULL) { + if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif - XFREE(der.buffer, heap, dynamicType); - return MEMORY_E; + FreeDer(&der); + return ret; } } } else { /* ASN1 (DER) or RAW (NTRU) */ - der.buffer = (byte*) XMALLOC(sz, heap, dynamicType); - if (!der.buffer) { + ret = AllocDer(&der, (word32)sz, type, heap); + if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif - return MEMORY_ERROR; + return ret; } XMEMCPY(der.buffer, buff, sz); - der.length = (word32)sz; } #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) @@ -3003,7 +3040,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #endif #ifdef WOLFSSL_SMALL_STACK - password = (char*)XMALLOC(80, NULL, DYNAMIC_TYPE_TMP_BUFFER); + password = (char*)XMALLOC(80, heap, DYNAMIC_TYPE_TMP_BUFFER); if (password == NULL) ret = MEMORY_E; else @@ -3021,61 +3058,63 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, } #ifdef WOLFSSL_SMALL_STACK - XFREE(password, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(password, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif if (ret != SSL_SUCCESS) { #ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif - XFREE(der.buffer, heap, dynamicType); + FreeDer(&der); return ret; } } #endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */ #ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(info, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif + /* Handle DER owner */ if (type == CA_TYPE) { if (ctx == NULL) { WOLFSSL_MSG("Need context for CA load"); - XFREE(der.buffer, heap, dynamicType); + FreeDer(&der); return BAD_FUNC_ARG; } /* verify CA unless user set to no verify */ - return AddCA(ctx->cm, der, WOLFSSL_USER_CA, !ctx->verifyNone); - /* takes der over */ + return AddCA(ctx->cm, &der, WOLFSSL_USER_CA, !ctx->verifyNone); } else if (type == CERT_TYPE) { if (ssl) { - if (ssl->buffers.weOwnCert && ssl->buffers.certificate.buffer) - XFREE(ssl->buffers.certificate.buffer, heap, dynamicType); - ssl->buffers.certificate = der; + /* Make sure previous is free'd */ + if (ssl->buffers.weOwnCert) { + FreeDer(&ssl->buffers.certificate); + } + XMEMCPY(&ssl->buffers.certificate, &der, sizeof(der)); ssl->buffers.weOwnCert = 1; } else if (ctx) { - if (ctx->certificate.buffer) - XFREE(ctx->certificate.buffer, heap, dynamicType); - ctx->certificate = der; /* takes der over */ + FreeDer(&ctx->certificate); /* Make sure previous is free'd */ + XMEMCPY(&ctx->certificate, &der, sizeof(der)); } } else if (type == PRIVATEKEY_TYPE) { if (ssl) { - if (ssl->buffers.weOwnKey && ssl->buffers.key.buffer) - XFREE(ssl->buffers.key.buffer, heap, dynamicType); - ssl->buffers.key = der; + /* Make sure previous is free'd */ + if (ssl->buffers.weOwnKey) { + FreeDer(&ssl->buffers.key); + } + XMEMCPY(&ssl->buffers.key, &der, sizeof(der)); ssl->buffers.weOwnKey = 1; } else if (ctx) { - if (ctx->privateKey.buffer) - XFREE(ctx->privateKey.buffer, heap, dynamicType); - ctx->privateKey = der; /* takes der over */ + FreeDer(&ctx->privateKey); + XMEMCPY(&ctx->privateKey, &der, sizeof(der)); } } else { - XFREE(der.buffer, heap, dynamicType); + FreeDer(&der); return SSL_BAD_CERTTYPE; } @@ -3091,7 +3130,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #endif #ifdef WOLFSSL_SMALL_STACK - key = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, + key = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_TMP_BUFFER); if (key == NULL) return MEMORY_E; @@ -3116,7 +3155,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, wc_FreeRsaKey(key); #ifdef WOLFSSL_SMALL_STACK - XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(key, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif if (ret != 0) @@ -3151,7 +3190,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, #endif #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), heap, DYNAMIC_TYPE_TMP_BUFFER); if (cert == NULL) return MEMORY_E; @@ -3163,7 +3202,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, if (DecodeToKey(cert, 0) < 0) { WOLFSSL_MSG("Decode to key failed"); #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(cert, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return SSL_BAD_FILE; } @@ -3208,7 +3247,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, FreeDecodedCert(cert); #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(cert, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif } @@ -3383,7 +3422,7 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff, long sz, int format) { int ret = 0; - buffer der; + DerBuffer der; #ifdef WOLFSSL_SMALL_STACK DecodedCert* cert = NULL; #else @@ -3392,16 +3431,18 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff, WOLFSSL_ENTER("wolfSSL_CertManagerVerifyBuffer"); + ret = InitDer(&der); + if (ret < 0) { + return ret; + } + #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap, DYNAMIC_TYPE_TMP_BUFFER); if (cert == NULL) return MEMORY_E; #endif - der.buffer = NULL; - der.length = 0; - if (format == SSL_FILETYPE_PEM) { int eccKey = 0; /* not used */ #ifdef WOLFSSL_SMALL_STACK @@ -3411,10 +3452,10 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff, #endif #ifdef WOLFSSL_SMALL_STACK - info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, + info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), cm->heap, DYNAMIC_TYPE_TMP_BUFFER); if (info == NULL) { - XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(cert, cm->heap, DYNAMIC_TYPE_TMP_BUFFER); return MEMORY_E; } #endif @@ -3427,7 +3468,7 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff, InitDecodedCert(cert, der.buffer, der.length, cm->heap); #ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(info, cm->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif } else @@ -3442,10 +3483,9 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff, #endif FreeDecodedCert(cert); - - XFREE(der.buffer, cm->heap, DYNAMIC_TYPE_CERT); + FreeDer(&der); #ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(cert, cm->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret == 0 ? SSL_SUCCESS : ret; @@ -4200,12 +4240,13 @@ int wolfSSL_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz) int ecc = 0; long sz = 0; XFILE file = XFOPEN(fileName, "rb"); - buffer converted; + DerBuffer converted; WOLFSSL_ENTER("wolfSSL_PemCertToDer"); - if (file == XBADFILE) + if (file == XBADFILE) { ret = SSL_BAD_FILE; + } else { XFSEEK(file, 0, XSEEK_END); sz = XFTELL(file); @@ -4221,39 +4262,41 @@ int wolfSSL_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz) else dynamic = 1; } - - converted.buffer = 0; - + if (ret == 0) { - if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0) - ret = SSL_BAD_FILE; - else { - #ifdef WOLFSSL_SMALL_STACK - info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (info == NULL) - ret = MEMORY_E; - else - #endif - { - ret = PemToDer(fileBuf, sz, CA_TYPE, &converted, - 0, info, &ecc); - #ifdef WOLFSSL_SMALL_STACK - XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif - } - } - + ret = InitDer(&converted); if (ret == 0) { - if (converted.length < (word32)derSz) { - XMEMCPY(derBuf, converted.buffer, converted.length); - ret = converted.length; + if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0) { + ret = SSL_BAD_FILE; + } + else { + #ifdef WOLFSSL_SMALL_STACK + info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (info == NULL) + ret = MEMORY_E; + else + #endif + { + ret = PemToDer(fileBuf, sz, CA_TYPE, &converted, + 0, info, &ecc); + #ifdef WOLFSSL_SMALL_STACK + XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + } } - else - ret = BUFFER_E; - } - XFREE(converted.buffer, 0, DYNAMIC_TYPE_CA); + if (ret == 0) { + if (converted.length < (word32)derSz) { + XMEMCPY(derBuf, converted.buffer, converted.length); + ret = converted.length; + } + else + ret = BUFFER_E; + } + + FreeDer(&converted); + } } XFCLOSE(file); @@ -4282,12 +4325,13 @@ int wolfSSL_PemPubKeyToDer(const char* fileName, int ret = 0; long sz = 0; XFILE file = XFOPEN(fileName, "rb"); - buffer converted; + DerBuffer converted; WOLFSSL_ENTER("wolfSSL_PemPubKeyToDer"); - if (file == XBADFILE) + if (file == XBADFILE) { ret = SSL_BAD_FILE; + } else { XFSEEK(file, 0, XSEEK_END); sz = XFTELL(file); @@ -4303,26 +4347,26 @@ int wolfSSL_PemPubKeyToDer(const char* fileName, else dynamic = 1; } - - converted.buffer = 0; - if (ret == 0) { - if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0) - ret = SSL_BAD_FILE; - else - ret = PemToDer(fileBuf, sz, PUBLICKEY_TYPE, &converted, - 0, NULL, NULL); - + ret = InitDer(&converted); if (ret == 0) { - if (converted.length < (word32)derSz) { - XMEMCPY(derBuf, converted.buffer, converted.length); - ret = converted.length; - } + if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0) + ret = SSL_BAD_FILE; else - ret = BUFFER_E; - } + ret = PemToDer(fileBuf, sz, PUBLICKEY_TYPE, &converted, + 0, NULL, NULL); - XFREE(converted.buffer, 0, DYNAMIC_TYPE_CA); + if (ret == 0) { + if (converted.length < (word32)derSz) { + XMEMCPY(derBuf, converted.buffer, converted.length); + ret = converted.length; + } + else + ret = BUFFER_E; + } + + FreeDer(&converted); + } } XFCLOSE(file); @@ -4339,7 +4383,7 @@ int wolfSSL_PubKeyPemToDer(const unsigned char* pem, int pemSz, unsigned char* buff, int buffSz) { int ret; - buffer der; + DerBuffer der; WOLFSSL_ENTER("wolfSSL_PubKeyPemToDer"); @@ -4348,7 +4392,10 @@ int wolfSSL_PubKeyPemToDer(const unsigned char* pem, int pemSz, return BAD_FUNC_ARG; } - der.buffer = NULL; + ret = InitDer(&der); + if (ret < 0) { + return ret; + } ret = PemToDer(pem, pemSz, PUBLICKEY_TYPE, &der, NULL, NULL, NULL); if (ret < 0) { @@ -4365,7 +4412,7 @@ int wolfSSL_PubKeyPemToDer(const unsigned char* pem, int pemSz, } } - XFREE(der.buffer, NULL, DYNAMIC_TYPE_KEY); + FreeDer(&der); return ret; } @@ -7349,7 +7396,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) const unsigned char* buf, long sz, int format) { - buffer der; + DerBuffer der; int ret = 0; int weOwnDer = 0; word32 pSz = MAX_DH_SIZE; @@ -7383,9 +7430,12 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ret = SSL_BAD_FILETYPE; else { if (format == SSL_FILETYPE_PEM) { - der.buffer = NULL; - ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap, NULL,NULL); - weOwnDer = 1; + ret = InitDer(&der); + if (ret == 0) { + ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap, + NULL, NULL); + weOwnDer = 1; + } } if (ret == 0) { @@ -7399,7 +7449,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } if (weOwnDer) - XFREE(der.buffer, ctx->heap, DYNAMIC_TYPE_KEY); + FreeDer(&der); #ifdef WOLFSSL_SMALL_STACK XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -7468,29 +7518,20 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (ssl->buffers.weOwnCert) { WOLFSSL_MSG("Unloading cert"); - XFREE(ssl->buffers.certificate.buffer, ssl->heap,DYNAMIC_TYPE_CERT); + FreeDer(&ssl->buffers.certificate); ssl->buffers.weOwnCert = 0; - ssl->buffers.certificate.length = 0; - ssl->buffers.certificate.buffer = NULL; } if (ssl->buffers.weOwnCertChain) { WOLFSSL_MSG("Unloading cert chain"); - XFREE(ssl->buffers.certChain.buffer, ssl->heap,DYNAMIC_TYPE_CERT); + FreeDer(&ssl->buffers.certChain); ssl->buffers.weOwnCertChain = 0; - ssl->buffers.certChain.length = 0; - ssl->buffers.certChain.buffer = NULL; } if (ssl->buffers.weOwnKey) { WOLFSSL_MSG("Unloading key"); - if (ssl->buffers.key.buffer) { - ForceZero(ssl->buffers.key.buffer, ssl->buffers.key.length); - } - XFREE(ssl->buffers.key.buffer, ssl->heap, DYNAMIC_TYPE_KEY); + FreeDer(&ssl->buffers.key); ssl->buffers.weOwnKey = 0; - ssl->buffers.key.length = 0; - ssl->buffers.key.buffer = NULL; } return SSL_SUCCESS; @@ -9952,7 +9993,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) XFILE file; WOLFSSL_X509* x509 = NULL; - buffer der; + DerBuffer der; WOLFSSL_ENTER("wolfSSL_X509_load_certificate"); @@ -9961,6 +10002,11 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM)) return NULL; + ret = InitDer(&der); + if (ret < 0) { + return NULL; + } + file = XFOPEN(fname, "rb"); if (file == XBADFILE) return NULL; @@ -9992,9 +10038,6 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) XFCLOSE(file); - der.buffer = NULL; - der.length = 0; - if (format == SSL_FILETYPE_PEM) { int ecc = 0; #ifdef WOLFSSL_SMALL_STACK @@ -10005,7 +10048,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) #ifdef WOLFSSL_SMALL_STACK info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL, - DYNAMIC_TYPE_TMP_BUFFER); + DYNAMIC_TYPE_TMP_BUFFER); if (info == NULL) { if (dynamic) XFREE(fileBuffer, NULL, DYNAMIC_TYPE_FILE); @@ -10018,15 +10061,8 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) info->ctx = NULL; info->consumed = 0; - if (PemToDer(fileBuffer, sz, CERT_TYPE, &der, NULL, info, &ecc) != 0) - { - /* Only time this should fail, and leave `der` with a buffer - is when the Base64 Decode fails. Release `der.buffer` in - that case. */ - if (der.buffer != NULL) { - XFREE(der.buffer, NULL, DYNAMIC_TYPE_CERT); - der.buffer = NULL; - } + if (PemToDer(fileBuffer, sz, CERT_TYPE, &der, NULL, info, &ecc) != 0) { + FreeDer(&der); } #ifdef WOLFSSL_SMALL_STACK @@ -10034,10 +10070,9 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) #endif } else { - der.buffer = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_CERT); - if (der.buffer != NULL) { + ret = AllocDer(&der, (word32)sz, CERT_TYPE, NULL); + if (ret == 0) { XMEMCPY(der.buffer, fileBuffer, sz); - der.length = (word32)sz; } } @@ -10078,7 +10113,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format) #endif } - XFREE(der.buffer, NULL, DYNAMIC_TYPE_CERT); + FreeDer(&der); } return x509; @@ -10847,20 +10882,27 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509) WOLFSSL_ENTER("wolfSSL_X509_STORE_add_cert"); if (store != NULL && store->cm != NULL && x509 != NULL) { - buffer derCert; - derCert.buffer = (byte*)XMALLOC(x509->derCert.length, - NULL, DYNAMIC_TYPE_CERT); - if (derCert.buffer != NULL) { - derCert.length = x509->derCert.length; + DerBuffer derCert; + + result = InitDer(&derCert); + if (result == 0) { + result = AllocDer(&derCert, x509->derCert.length, + x509->derCert.type, NULL); + if (result == 0) { /* AddCA() frees the buffer. */ - XMEMCPY(derCert.buffer, + XMEMCPY(derCert.buffer, x509->derCert.buffer, x509->derCert.length); - result = AddCA(store->cm, derCert, WOLFSSL_USER_CA, 1); - if (result != SSL_SUCCESS) result = SSL_FATAL_ERROR; + result = AddCA(store->cm, &derCert, WOLFSSL_USER_CA, 1); + } } } WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_cert", result); + + if (result != SSL_SUCCESS) { + result = SSL_FATAL_ERROR; + } + return result; } @@ -11419,11 +11461,15 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname) XFILE file = XBADFILE; long sz = 0; int eccKey = 0; - WOLFSSL_CTX* ctx = ssl->ctx; - WOLFSSL_X509* peer_cert = &ssl->peerCert; - buffer fileDer; + WOLFSSL_CTX* ctx = ssl->ctx; + WOLFSSL_X509* peer_cert = &ssl->peerCert; + DerBuffer fileDer; + + ret = InitDer(&fileDer); + if (ret < 0) { + return ret; + } - fileDer.buffer = 0; file = XFOPEN(fname, "rb"); if (file == XBADFILE) return SSL_BAD_FILE; @@ -11468,7 +11514,8 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname) #endif } - XFREE(fileDer.buffer, ctx->heap, DYNAMIC_TYPE_CERT); + FreeDer(&fileDer); + if (dynamic) XFREE(myBuffer, ctx->heap, DYNAMIC_TYPE_FILE); @@ -14090,7 +14137,7 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, unsigned char* passwd, int passwdSz, unsigned char **pem, int *plen) { - byte *der, *tmp, *cipherInfo = NULL; + byte *derBuf, *tmp, *cipherInfo = NULL; int der_max_len = 0, derSz = 0; WOLFSSL_ENTER("wolfSSL_PEM_write_mem_RSAPrivateKey"); @@ -14114,17 +14161,17 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, */ der_max_len = 5 * wolfSSL_RSA_size(rsa) + AES_BLOCK_SIZE; - der = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (der == NULL) { + derBuf = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (derBuf == NULL) { WOLFSSL_MSG("malloc failed"); return SSL_FAILURE; } /* Key to DER */ - derSz = wc_RsaKeyToDer((RsaKey*)rsa->internal, der, der_max_len); + derSz = wc_RsaKeyToDer((RsaKey*)rsa->internal, derBuf, der_max_len); if (derSz < 0) { WOLFSSL_MSG("wc_RsaKeyToDer failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } @@ -14132,11 +14179,11 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, if (passwd != NULL && passwdSz > 0 && cipher != NULL) { int ret; - ret = EncryptDerKey(der, &derSz, cipher, + ret = EncryptDerKey(derBuf, &derSz, cipher, passwd, passwdSz, &cipherInfo); if (ret != SSL_SUCCESS) { WOLFSSL_MSG("EncryptDerKey failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); return ret; } @@ -14150,23 +14197,23 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, tmp = (byte*)XMALLOC(*plen, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { WOLFSSL_MSG("malloc failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } /* DER to PEM */ - *plen = wc_DerToPemEx(der, derSz, tmp, *plen, cipherInfo, PRIVATEKEY_TYPE); + *plen = wc_DerToPemEx(derBuf, derSz, tmp, *plen, cipherInfo, PRIVATEKEY_TYPE); if (*plen <= 0) { WOLFSSL_MSG("wc_DerToPemEx failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -15473,7 +15520,7 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, unsigned char* passwd, int passwdSz, unsigned char **pem, int *plen) { - byte *der, *tmp, *cipherInfo = NULL; + byte *derBuf, *tmp, *cipherInfo = NULL; int der_max_len = 0, derSz = 0; WOLFSSL_MSG("wolfSSL_PEM_write_mem_ECPrivateKey"); @@ -15496,17 +15543,17 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, */ der_max_len = 4 * wc_ecc_size((ecc_key*)ecc->internal) + AES_BLOCK_SIZE; - der = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (der == NULL) { + derBuf = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (derBuf == NULL) { WOLFSSL_MSG("malloc failed"); return SSL_FAILURE; } /* Key to DER */ - derSz = wc_EccKeyToDer((ecc_key*)ecc->internal, der, der_max_len); + derSz = wc_EccKeyToDer((ecc_key*)ecc->internal, derBuf, der_max_len); if (derSz < 0) { WOLFSSL_MSG("wc_DsaKeyToDer failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } @@ -15514,11 +15561,11 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, if (passwd != NULL && passwdSz > 0 && cipher != NULL) { int ret; - ret = EncryptDerKey(der, &derSz, cipher, + ret = EncryptDerKey(derBuf, &derSz, cipher, passwd, passwdSz, &cipherInfo); if (ret != SSL_SUCCESS) { WOLFSSL_MSG("EncryptDerKey failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); return ret; } @@ -15532,23 +15579,23 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, tmp = (byte*)XMALLOC(*plen, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { WOLFSSL_MSG("malloc failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } /* DER to PEM */ - *plen = wc_DerToPemEx(der, derSz, tmp, *plen, cipherInfo, ECC_PRIVATEKEY_TYPE); + *plen = wc_DerToPemEx(derBuf, derSz, tmp, *plen, cipherInfo, ECC_PRIVATEKEY_TYPE); if (*plen <= 0) { WOLFSSL_MSG("wc_DerToPemEx failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -15648,7 +15695,7 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, unsigned char* passwd, int passwdSz, unsigned char **pem, int *plen) { - byte *der, *tmp, *cipherInfo = NULL; + byte *derBuf, *tmp, *cipherInfo = NULL; int der_max_len = 0, derSz = 0; WOLFSSL_MSG("wolfSSL_PEM_write_mem_DSAPrivateKey"); @@ -15671,17 +15718,17 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, */ der_max_len = 4 * wolfSSL_BN_num_bytes(dsa->g) + AES_BLOCK_SIZE; - der = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (der == NULL) { + derBuf = (byte*)XMALLOC(der_max_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (derBuf == NULL) { WOLFSSL_MSG("malloc failed"); return SSL_FAILURE; } /* Key to DER */ - derSz = wc_DsaKeyToDer((DsaKey*)dsa->internal, der, der_max_len); + derSz = wc_DsaKeyToDer((DsaKey*)dsa->internal, derBuf, der_max_len); if (derSz < 0) { WOLFSSL_MSG("wc_DsaKeyToDer failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } @@ -15689,11 +15736,11 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, if (passwd != NULL && passwdSz > 0 && cipher != NULL) { int ret; - ret = EncryptDerKey(der, &derSz, cipher, + ret = EncryptDerKey(derBuf, &derSz, cipher, passwd, passwdSz, &cipherInfo); if (ret != SSL_SUCCESS) { WOLFSSL_MSG("EncryptDerKey failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); return ret; } @@ -15707,23 +15754,23 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, tmp = (byte*)XMALLOC(*plen, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (tmp == NULL) { WOLFSSL_MSG("malloc failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } /* DER to PEM */ - *plen = wc_DerToPemEx(der, derSz, tmp, *plen, cipherInfo, DSA_PRIVATEKEY_TYPE); + *plen = wc_DerToPemEx(derBuf, derSz, tmp, *plen, cipherInfo, DSA_PRIVATEKEY_TYPE); if (*plen <= 0) { WOLFSSL_MSG("wc_DerToPemEx failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -15887,19 +15934,19 @@ int wolfSSL_PEM_write_RSA_PUBKEY(FILE *fp, WOLFSSL_RSA *x) #endif /* NO_FILESYSTEM */ /* return SSL_SUCCESS if success, SSL_FATAL_ERROR if error */ -int wolfSSL_RSA_LoadDer(WOLFSSL_RSA* rsa, const unsigned char* der, int derSz) +int wolfSSL_RSA_LoadDer(WOLFSSL_RSA* rsa, const unsigned char* derBuf, int derSz) { word32 idx = 0; int ret; WOLFSSL_ENTER("wolfSSL_RSA_LoadDer"); - if (rsa == NULL || rsa->internal == NULL || der == NULL || derSz <= 0) { + if (rsa == NULL || rsa->internal == NULL || derBuf == NULL || derSz <= 0) { WOLFSSL_MSG("Bad function arguments"); return SSL_FATAL_ERROR; } - ret = wc_RsaPrivateKeyDecode(der, &idx, (RsaKey*)rsa->internal, derSz); + ret = wc_RsaPrivateKeyDecode(derBuf, &idx, (RsaKey*)rsa->internal, derSz); if (ret < 0) { WOLFSSL_MSG("RsaPrivateKeyDecode failed"); return SSL_FATAL_ERROR; @@ -15919,19 +15966,19 @@ int wolfSSL_RSA_LoadDer(WOLFSSL_RSA* rsa, const unsigned char* der, int derSz) #ifndef NO_DSA /* return SSL_SUCCESS if success, SSL_FATAL_ERROR if error */ -int wolfSSL_DSA_LoadDer(WOLFSSL_DSA* dsa, const unsigned char* der, int derSz) +int wolfSSL_DSA_LoadDer(WOLFSSL_DSA* dsa, const unsigned char* derBuf, int derSz) { word32 idx = 0; int ret; WOLFSSL_ENTER("wolfSSL_DSA_LoadDer"); - if (dsa == NULL || dsa->internal == NULL || der == NULL || derSz <= 0) { + if (dsa == NULL || dsa->internal == NULL || derBuf == NULL || derSz <= 0) { WOLFSSL_MSG("Bad function arguments"); return SSL_FATAL_ERROR; } - ret = DsaPrivateKeyDecode(der, &idx, (DsaKey*)dsa->internal, derSz); + ret = DsaPrivateKeyDecode(derBuf, &idx, (DsaKey*)dsa->internal, derSz); if (ret < 0) { WOLFSSL_MSG("DsaPrivateKeyDecode failed"); return SSL_FATAL_ERROR; @@ -15951,19 +15998,19 @@ int wolfSSL_DSA_LoadDer(WOLFSSL_DSA* dsa, const unsigned char* der, int derSz) #ifdef HAVE_ECC /* return SSL_SUCCESS if success, SSL_FATAL_ERROR if error */ int wolfSSL_EC_KEY_LoadDer(WOLFSSL_EC_KEY* key, - const unsigned char* der, int derSz) + const unsigned char* derBuf, int derSz) { word32 idx = 0; int ret; WOLFSSL_ENTER("wolfSSL_EC_KEY_LoadDer"); - if (key == NULL || key->internal == NULL || der == NULL || derSz <= 0) { + if (key == NULL || key->internal == NULL || derBuf == NULL || derSz <= 0) { WOLFSSL_MSG("Bad function arguments"); return SSL_FATAL_ERROR; } - ret = wc_EccPrivateKeyDecode(der, &idx, (ecc_key*)key->internal, derSz); + ret = wc_EccPrivateKeyDecode(derBuf, &idx, (ecc_key*)key->internal, derSz); if (ret < 0) { WOLFSSL_MSG("wc_EccPrivateKeyDecode failed"); return SSL_FATAL_ERROR; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 567f26820..ebe7637ed 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -7668,7 +7668,7 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file) if (cert == NULL || file == NULL) return BAD_FUNC_ARG; - der = (byte*)XMALLOC(MAX_PUBLIC_KEY_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); + der = (byte*)XMALLOC(MAX_PUBLIC_KEY_SZ, NULL, DYNAMIC_TYPE_CERT); if (der == NULL) { WOLFSSL_MSG("wc_SetSubjectKeyId memory Problem"); return MEMORY_E; @@ -7684,14 +7684,14 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file) /* Load PubKey in internal structure */ rsakey = (RsaKey*) XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_RSA); if (rsakey == NULL) { - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(der, NULL, DYNAMIC_TYPE_CERT); return MEMORY_E; } if (wc_InitRsaKey(rsakey, NULL) != 0) { WOLFSSL_MSG("wc_InitRsaKey failure"); XFREE(rsakey, NULL, DYNAMIC_TYPE_RSA); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(der, NULL, DYNAMIC_TYPE_CERT); return MEMORY_E; } @@ -7706,7 +7706,7 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file) /* Check to load ecc public key */ eckey = (ecc_key*) XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_ECC); if (eckey == NULL) { - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(der, NULL, DYNAMIC_TYPE_CERT); return MEMORY_E; } @@ -7714,7 +7714,7 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file) WOLFSSL_MSG("wc_ecc_init failure"); wc_ecc_free(eckey); XFREE(eckey, NULL, DYNAMIC_TYPE_ECC); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(der, NULL, DYNAMIC_TYPE_CERT); return MEMORY_E; } @@ -7722,17 +7722,17 @@ int wc_SetSubjectKeyId(Cert *cert, const char* file) ret = wc_EccPublicKeyDecode(der, &idx, eckey, derSz); if (ret != 0) { WOLFSSL_MSG("wc_EccPublicKeyDecode failed"); - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(der, NULL, DYNAMIC_TYPE_CERT); wc_ecc_free(eckey); return PUBLIC_KEY_E; } #else - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(der, NULL, DYNAMIC_TYPE_CERT); return PUBLIC_KEY_E; #endif /* HAVE_ECC */ } - XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(der, NULL, DYNAMIC_TYPE_CERT); ret = wc_SetSubjectKeyIdFromPublicKey(cert, rsakey, eckey); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index bb835db98..f214d8383 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1211,6 +1211,17 @@ typedef struct buffer { word32 length; } buffer; +#ifndef NO_CERTS + /* wolfSSL DER buffer */ + typedef struct DerBuffer { + byte* buffer; + void* heap; + word32 length; + int type; /* enum CertType */ + int dynType; /* DYNAMIC_TYPE_* */ + } DerBuffer; +#endif /* !NO_CERTS */ + enum { FORCED_FREE = 1, @@ -1807,10 +1818,10 @@ struct WOLFSSL_CTX { buffer serverDH_G; #endif #ifndef NO_CERTS - buffer certificate; - buffer certChain; + DerBuffer certificate; + DerBuffer certChain; /* chain after self, in DER, with leading size for each cert */ - buffer privateKey; + DerBuffer privateKey; WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */ #endif Suites* suites; /* make dynamic, user may not need/set */ @@ -1920,7 +1931,7 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 inSz, word16 sz); #ifndef NO_CERTS WOLFSSL_LOCAL - int AddCA(WOLFSSL_CERT_MANAGER* ctx, buffer der, int type, int verify); + int AddCA(WOLFSSL_CERT_MANAGER* ctx, DerBuffer* der, int type, int verify); WOLFSSL_LOCAL int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash); #endif @@ -2182,9 +2193,9 @@ typedef struct Buffers { buffer serverDH_Priv; #endif #ifndef NO_CERTS - buffer certificate; /* WOLFSSL_CTX owns, unless we own */ - buffer key; /* WOLFSSL_CTX owns, unless we own */ - buffer certChain; /* WOLFSSL_CTX owns, unless we own */ + DerBuffer certificate; /* WOLFSSL_CTX owns, unless we own */ + DerBuffer key; /* WOLFSSL_CTX owns, unless we own */ + DerBuffer certChain; /* WOLFSSL_CTX owns, unless we own */ /* chain after self, in DER, with leading size for each cert */ #endif #ifdef WOLFSSL_DTLS @@ -2358,7 +2369,7 @@ struct WOLFSSL_X509 { #ifdef HAVE_ECC word32 pkCurveOID; #endif /* HAVE_ECC */ - buffer derCert; /* may need */ + DerBuffer derCert; /* may need */ DNS_entry* altNames; /* alt names list */ DNS_entry* altNamesNext; /* hint for retrieval */ byte dynamicMemory; /* dynamic memory flag */ @@ -2680,8 +2691,13 @@ typedef struct EncryptedInfo { #ifndef NO_CERTS + + WOLFSSL_LOCAL int InitDer(DerBuffer* der); + WOLFSSL_LOCAL int AllocDer(DerBuffer* der, word32 length, int type, void* heap); + WOLFSSL_LOCAL void FreeDer(DerBuffer* der); + WOLFSSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type, - buffer* der, void* heap, EncryptedInfo* info, + DerBuffer* der, void* heap, EncryptedInfo* info, int* eccKey); WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format, @@ -2784,9 +2800,9 @@ WOLFSSL_LOCAL int ProcessReply(WOLFSSL*); WOLFSSL_LOCAL int SetCipherSpecs(WOLFSSL*); WOLFSSL_LOCAL int MakeMasterSecret(WOLFSSL*); -WOLFSSL_LOCAL int AddSession(WOLFSSL*); -WOLFSSL_LOCAL int DeriveKeys(WOLFSSL* ssl); -WOLFSSL_LOCAL int StoreKeys(WOLFSSL* ssl, const byte* keyData); +WOLFSSL_LOCAL int AddSession(WOLFSSL*); +WOLFSSL_LOCAL int DeriveKeys(WOLFSSL* ssl); +WOLFSSL_LOCAL int StoreKeys(WOLFSSL* ssl, const byte* keyData); WOLFSSL_LOCAL int IsTLS(const WOLFSSL* ssl); WOLFSSL_LOCAL int IsAtLeastTLSv1_2(const WOLFSSL* ssl); From 1227db4e44451512846398de312e52a8adc0af8f Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 24 Feb 2016 07:04:03 +0100 Subject: [PATCH 2/3] Fixed issue with not properly returning memory error in CopyDecodedToX509 after DER refactor. --- src/internal.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index ecc6272fa..4788dc501 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4469,7 +4469,8 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) } /* store cert for potential retrieval */ - if (AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, NULL) == 0) { + ret = AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, NULL); + if (ret == 0) { XMEMCPY(x509->derCert.buffer, dCert->source, dCert->maxIdx); } From a46fd6612bd7656c6292687cfcb59c70ee776362 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 25 Feb 2016 14:35:54 +0100 Subject: [PATCH 3/3] Changed CopyDecodedToX509 AllocDer error code handing to return MEMORY_E, since that is an explicitly handled case. Also resolves the issue with "warning: Value stored to 'ret' is never read". --- src/internal.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index 4788dc501..10aa7349a 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4469,10 +4469,12 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) } /* store cert for potential retrieval */ - ret = AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, NULL); - if (ret == 0) { + if (AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, NULL) == 0) { XMEMCPY(x509->derCert.buffer, dCert->source, dCert->maxIdx); } + else { + ret = MEMORY_E; + } x509->altNames = dCert->altNames; dCert->weOwnAltNames = 0;