feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix to prevent static ephemeral memory leak if WC_PK_TYPE_NONE is used for auto-detect. Add DER PK auto detect support. Add sniffer ssl_SetWatchKey_buffer support for static ephemeral.

Browse Source
This commit is contained in:
David Garske
2021-06-04 16:17:32 -07:00
parent 258e0c10da
commit 155621b611
2 changed files with 89 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/sniffer.c
View File

@@ -1684,7 +1684,7 @@ static int SetNamedPrivateKey(const char* name, const char* address, int port,
/* auto detect key type with WC_PK_TYPE_NONE */ /* auto detect key type with WC_PK_TYPE_NONE */
/* keySz == 0 mean load file */ /* keySz == 0 mean load file */
ret = wolfSSL_CTX_set_ephemeral_key(sniffer->ctx, WC_PK_TYPE_NONE, ret = wolfSSL_CTX_set_ephemeral_key(sniffer->ctx, WC_PK_TYPE_NONE,
keyFile, 0, type); keyFile, keySz, type);
if (ret == 0) if (ret == 0)
ret = WOLFSSL_SUCCESS; ret = WOLFSSL_SUCCESS;
} }
@@ -5716,8 +5716,21 @@ int ssl_SetWatchKey_buffer(void* vSniffer, const byte* key, word32 keySz,
keyType = (keyType == FILETYPE_PEM) ? WOLFSSL_FILETYPE_PEM : keyType = (keyType == FILETYPE_PEM) ? WOLFSSL_FILETYPE_PEM :
WOLFSSL_FILETYPE_ASN1; WOLFSSL_FILETYPE_ASN1;
#ifdef WOLFSSL_STATIC_EPHEMERAL
/* try setting static ephemeral first */
/* auto detect key type with WC_PK_TYPE_NONE */
ret = wolfSSL_set_ephemeral_key(sniffer->sslServer,
WC_PK_TYPE_NONE, (const char*)key, keySz,
WOLFSSL_FILETYPE_ASN1);
if (ret == 0) {
ret = WOLFSSL_SUCCESS;
}
else
#endif
{
ret = wolfSSL_use_PrivateKey_buffer(sniffer->sslServer, ret = wolfSSL_use_PrivateKey_buffer(sniffer->sslServer,
key, keySz, keyType); key, keySz, keyType);
}
if (ret != WOLFSSL_SUCCESS) { if (ret != WOLFSSL_SUCCESS) {
SetError(KEY_FILE_STR, error, sniffer, FATAL_ERROR_STATE); SetError(KEY_FILE_STR, error, sniffer, FATAL_ERROR_STATE);
return -1; return -1;

68
src/ssl.c
View File

@@ -53027,24 +53027,9 @@ static int SetStaticEphemeralKey(StaticKeyExchangeInfo_t* staticKE, int keyAlgo,
WOLFSSL_ENTER("SetStaticEphemeralKey"); WOLFSSL_ENTER("SetStaticEphemeralKey");
/* if key is already set free it */ /* if just free'ing key then skip loading */
#ifndef NO_DH if (key != NULL && keySz > 0) {
if (keyAlgo == WC_PK_TYPE_DH && staticKE->dhKey && #ifndef NO_FILESYSTEM
(ctx == NULL || staticKE->dhKey != ctx->staticKE.dhKey))
FreeDer(&staticKE->dhKey);
#endif
#ifdef HAVE_ECC
if (keyAlgo == WC_PK_TYPE_ECDH && staticKE->ecKey &&
(ctx == NULL || staticKE->ecKey != ctx->staticKE.ecKey))
FreeDer(&staticKE->ecKey);
#endif
/* check if just free'ing key */
if (key == NULL && keySz == 0) {
return 0;
}
#ifndef NO_FILESYSTEM
/* load file from filesystem */ /* load file from filesystem */
if (key && keySz == 0) { if (key && keySz == 0) {
size_t keyBufSz = 0; size_t keyBufSz = 0;
@@ -53056,7 +53041,7 @@ static int SetStaticEphemeralKey(StaticKeyExchangeInfo_t* staticKE, int keyAlgo,
keySz = (unsigned int)keyBufSz; keySz = (unsigned int)keyBufSz;
} }
else else
#endif #endif
{ {
/* use as key buffer directly */ /* use as key buffer directly */
keyBuf = (byte*)key; keyBuf = (byte*)key;
@@ -53068,7 +53053,7 @@ static int SetStaticEphemeralKey(StaticKeyExchangeInfo_t* staticKE, int keyAlgo,
ret = PemToDer(keyBuf, keySz, PRIVATEKEY_TYPE, &der, ret = PemToDer(keyBuf, keySz, PRIVATEKEY_TYPE, &der,
heap, NULL, &keyFormat); heap, NULL, &keyFormat);
/* auto detect key type */ /* auto detect key type */
if (ret == 0 && keyAlgo == 0) { if (ret == 0 && keyAlgo == WC_PK_TYPE_NONE) {
if (keyFormat == ECDSAk) if (keyFormat == ECDSAk)
keyAlgo = WC_PK_TYPE_ECDH; keyAlgo = WC_PK_TYPE_ECDH;
else else
@@ -53079,11 +53064,54 @@ static int SetStaticEphemeralKey(StaticKeyExchangeInfo_t* staticKE, int keyAlgo,
#endif #endif
} }
else { else {
/* Detect PK type (if required) */
#ifdef HAVE_ECC
if (keyAlgo == WC_PK_TYPE_NONE) {
word32 idx = 0;
ecc_key eccKey;
ret = wc_ecc_init_ex(&eccKey, heap, INVALID_DEVID);
if (ret == 0) {
ret = wc_EccPrivateKeyDecode(keyBuf, &idx, &eccKey, keySz);
if (ret == 0)
keyAlgo = WC_PK_TYPE_ECDH;
wc_ecc_free(&eccKey);
}
}
#endif
#if !defined(NO_DH) && defined(WOLFSSL_DH_EXTRA)
if (keyAlgo == WC_PK_TYPE_NONE) {
word32 idx = 0;
DhKey dhKey;
ret = wc_InitDhKey_ex(&dhKey, heap, INVALID_DEVID);
if (ret == 0) {
ret = wc_DhKeyDecode(keyBuf, &idx, &dhKey, keySz);
if (ret == 0)
keyAlgo = WC_PK_TYPE_DH;
wc_FreeDhKey(&dhKey);
}
}
#endif
if (keyAlgo != WC_PK_TYPE_NONE) {
ret = AllocDer(&der, keySz, PRIVATEKEY_TYPE, heap); ret = AllocDer(&der, keySz, PRIVATEKEY_TYPE, heap);
if (ret == 0) { if (ret == 0) {
XMEMCPY(der->buffer, keyBuf, keySz); XMEMCPY(der->buffer, keyBuf, keySz);
} }
} }
}
}
/* if key is already set free it */
#ifndef NO_DH
if (keyAlgo == WC_PK_TYPE_DH && staticKE->dhKey &&
(ctx == NULL || staticKE->dhKey != ctx->staticKE.dhKey))
FreeDer(&staticKE->dhKey);
#endif
#ifdef HAVE_ECC
if (keyAlgo == WC_PK_TYPE_ECDH && staticKE->ecKey &&
(ctx == NULL || staticKE->ecKey != ctx->staticKE.ecKey))
FreeDer(&staticKE->ecKey);
#endif
switch (keyAlgo) { switch (keyAlgo) {
#ifndef NO_DH #ifndef NO_DH