forked from wolfSSL/wolfssl
fix github issue #25, delay ecc key allocs/init until needed
This commit is contained in:
toddouska
101
src/internal.c
101
src/internal.c
@@ -1564,11 +1564,9 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
|
|||||||
ssl->pkCurveOID = ctx->pkCurveOID;
|
ssl->pkCurveOID = ctx->pkCurveOID;
|
||||||
ssl->peerEccKeyPresent = 0;
|
ssl->peerEccKeyPresent = 0;
|
||||||
ssl->peerEccDsaKeyPresent = 0;
|
ssl->peerEccDsaKeyPresent = 0;
|
||||||
ssl->eccDsaKeyPresent = 0;
|
|
||||||
ssl->eccTempKeyPresent = 0;
|
ssl->eccTempKeyPresent = 0;
|
||||||
ssl->peerEccKey = NULL;
|
ssl->peerEccKey = NULL;
|
||||||
ssl->peerEccDsaKey = NULL;
|
ssl->peerEccDsaKey = NULL;
|
||||||
ssl->eccDsaKey = NULL;
|
|
||||||
ssl->eccTempKey = NULL;
|
ssl->eccTempKey = NULL;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@@ -1896,36 +1894,6 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
|
|||||||
return NO_PRIVATE_KEY;
|
return NO_PRIVATE_KEY;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_ECC
|
|
||||||
ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
|
|
||||||
ctx->heap, DYNAMIC_TYPE_ECC);
|
|
||||||
if (ssl->peerEccKey == NULL) {
|
|
||||||
WOLFSSL_MSG("PeerEccKey Memory error");
|
|
||||||
return MEMORY_E;
|
|
||||||
}
|
|
||||||
ssl->peerEccDsaKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
|
|
||||||
ctx->heap, DYNAMIC_TYPE_ECC);
|
|
||||||
if (ssl->peerEccDsaKey == NULL) {
|
|
||||||
WOLFSSL_MSG("PeerEccDsaKey Memory error");
|
|
||||||
return MEMORY_E;
|
|
||||||
}
|
|
||||||
ssl->eccDsaKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
|
|
||||||
ctx->heap, DYNAMIC_TYPE_ECC);
|
|
||||||
if (ssl->eccDsaKey == NULL) {
|
|
||||||
WOLFSSL_MSG("EccDsaKey Memory error");
|
|
||||||
return MEMORY_E;
|
|
||||||
}
|
|
||||||
ssl->eccTempKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
|
|
||||||
ctx->heap, DYNAMIC_TYPE_ECC);
|
|
||||||
if (ssl->eccTempKey == NULL) {
|
|
||||||
WOLFSSL_MSG("EccTempKey Memory error");
|
|
||||||
return MEMORY_E;
|
|
||||||
}
|
|
||||||
wc_ecc_init(ssl->peerEccKey);
|
|
||||||
wc_ecc_init(ssl->peerEccDsaKey);
|
|
||||||
wc_ecc_init(ssl->eccDsaKey);
|
|
||||||
wc_ecc_init(ssl->eccTempKey);
|
|
||||||
#endif
|
|
||||||
#ifdef HAVE_SECRET_CALLBACK
|
#ifdef HAVE_SECRET_CALLBACK
|
||||||
ssl->sessionSecretCb = NULL;
|
ssl->sessionSecretCb = NULL;
|
||||||
ssl->sessionSecretCtx = NULL;
|
ssl->sessionSecretCtx = NULL;
|
||||||
@@ -2042,11 +2010,6 @@ void SSL_ResourceFree(WOLFSSL* ssl)
|
|||||||
wc_ecc_free(ssl->eccTempKey);
|
wc_ecc_free(ssl->eccTempKey);
|
||||||
XFREE(ssl->eccTempKey, ssl->heap, DYNAMIC_TYPE_ECC);
|
XFREE(ssl->eccTempKey, ssl->heap, DYNAMIC_TYPE_ECC);
|
||||||
}
|
}
|
||||||
if (ssl->eccDsaKey) {
|
|
||||||
if (ssl->eccDsaKeyPresent)
|
|
||||||
wc_ecc_free(ssl->eccDsaKey);
|
|
||||||
XFREE(ssl->eccDsaKey, ssl->heap, DYNAMIC_TYPE_ECC);
|
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_PK_CALLBACKS
|
#ifdef HAVE_PK_CALLBACKS
|
||||||
#ifdef HAVE_ECC
|
#ifdef HAVE_ECC
|
||||||
@@ -2144,15 +2107,6 @@ void FreeHandshakeResources(WOLFSSL* ssl)
|
|||||||
XFREE(ssl->eccTempKey, ssl->heap, DYNAMIC_TYPE_ECC);
|
XFREE(ssl->eccTempKey, ssl->heap, DYNAMIC_TYPE_ECC);
|
||||||
ssl->eccTempKey = NULL;
|
ssl->eccTempKey = NULL;
|
||||||
}
|
}
|
||||||
if (ssl->eccDsaKey)
|
|
||||||
{
|
|
||||||
if (ssl->eccDsaKeyPresent) {
|
|
||||||
wc_ecc_free(ssl->eccDsaKey);
|
|
||||||
ssl->eccDsaKeyPresent = 0;
|
|
||||||
}
|
|
||||||
XFREE(ssl->eccDsaKey, ssl->heap, DYNAMIC_TYPE_ECC);
|
|
||||||
ssl->eccDsaKey = NULL;
|
|
||||||
}
|
|
||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_PK_CALLBACKS
|
#ifdef HAVE_PK_CALLBACKS
|
||||||
#ifdef HAVE_ECC
|
#ifdef HAVE_ECC
|
||||||
@@ -4465,7 +4419,17 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||||||
#ifdef HAVE_ECC
|
#ifdef HAVE_ECC
|
||||||
case ECDSAk:
|
case ECDSAk:
|
||||||
{
|
{
|
||||||
if (ssl->peerEccDsaKeyPresent) { /* don't leak on reuse */
|
if (ssl->peerEccDsaKey == NULL) {
|
||||||
|
/* alloc/init on demand */
|
||||||
|
ssl->peerEccDsaKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
|
||||||
|
ssl->ctx->heap, DYNAMIC_TYPE_ECC);
|
||||||
|
if (ssl->peerEccDsaKey == NULL) {
|
||||||
|
WOLFSSL_MSG("PeerEccDsaKey Memory error");
|
||||||
|
return MEMORY_E;
|
||||||
|
}
|
||||||
|
wc_ecc_init(ssl->peerEccDsaKey);
|
||||||
|
} else if (ssl->peerEccDsaKeyPresent) {
|
||||||
|
/* don't leak on reuse */
|
||||||
wc_ecc_free(ssl->peerEccDsaKey);
|
wc_ecc_free(ssl->peerEccDsaKey);
|
||||||
ssl->peerEccDsaKeyPresent = 0;
|
ssl->peerEccDsaKeyPresent = 0;
|
||||||
wc_ecc_init(ssl->peerEccDsaKey);
|
wc_ecc_init(ssl->peerEccDsaKey);
|
||||||
@@ -9911,7 +9875,16 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
|
|||||||
if ((*inOutIdx - begin) + length > size)
|
if ((*inOutIdx - begin) + length > size)
|
||||||
return BUFFER_ERROR;
|
return BUFFER_ERROR;
|
||||||
|
|
||||||
if (ssl->peerEccKeyPresent) { /* don't leak on reuse */
|
if (ssl->peerEccKey == NULL) {
|
||||||
|
/* alloc/init on demand */
|
||||||
|
ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
|
||||||
|
ssl->ctx->heap, DYNAMIC_TYPE_ECC);
|
||||||
|
if (ssl->peerEccKey == NULL) {
|
||||||
|
WOLFSSL_MSG("PeerEccKey Memory error");
|
||||||
|
return MEMORY_E;
|
||||||
|
}
|
||||||
|
wc_ecc_init(ssl->peerEccKey);
|
||||||
|
} else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */
|
||||||
wc_ecc_free(ssl->peerEccKey);
|
wc_ecc_free(ssl->peerEccKey);
|
||||||
ssl->peerEccKeyPresent = 0;
|
ssl->peerEccKeyPresent = 0;
|
||||||
wc_ecc_init(ssl->peerEccKey);
|
wc_ecc_init(ssl->peerEccKey);
|
||||||
@@ -10675,8 +10648,8 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
|
|||||||
|
|
||||||
if (ssl->specs.static_ecdh) {
|
if (ssl->specs.static_ecdh) {
|
||||||
/* TODO: EccDsa is really fixed Ecc change naming */
|
/* TODO: EccDsa is really fixed Ecc change naming */
|
||||||
if (!ssl->peerEccDsaKeyPresent ||
|
if (!ssl->peerEccDsaKey || !ssl->peerEccDsaKeyPresent ||
|
||||||
!ssl->peerEccDsaKey->dp) {
|
!ssl->peerEccDsaKey->dp) {
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
#endif
|
#endif
|
||||||
@@ -10685,7 +10658,8 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
|
|||||||
peerKey = ssl->peerEccDsaKey;
|
peerKey = ssl->peerEccDsaKey;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if (!ssl->peerEccKeyPresent || !ssl->peerEccKey->dp) {
|
if (!ssl->peerEccKey || !ssl->peerEccKeyPresent ||
|
||||||
|
!ssl->peerEccKey->dp) {
|
||||||
#ifdef WOLFSSL_SMALL_STACK
|
#ifdef WOLFSSL_SMALL_STACK
|
||||||
XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
XFREE(encSecret, NULL, DYNAMIC_TYPE_TMP_BUFFER);
|
||||||
#endif
|
#endif
|
||||||
@@ -11631,6 +11605,16 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
WOLFSSL_MSG("Using ephemeral ECDH");
|
WOLFSSL_MSG("Using ephemeral ECDH");
|
||||||
|
|
||||||
/* need ephemeral key now, create it if missing */
|
/* need ephemeral key now, create it if missing */
|
||||||
|
if (ssl->eccTempKey == NULL) {
|
||||||
|
/* alloc/init on demand */
|
||||||
|
ssl->eccTempKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
|
||||||
|
ssl->ctx->heap, DYNAMIC_TYPE_ECC);
|
||||||
|
if (ssl->eccTempKey == NULL) {
|
||||||
|
WOLFSSL_MSG("EccTempKey Memory error");
|
||||||
|
return MEMORY_E;
|
||||||
|
}
|
||||||
|
wc_ecc_init(ssl->eccTempKey);
|
||||||
|
}
|
||||||
if (ssl->eccTempKeyPresent == 0) {
|
if (ssl->eccTempKeyPresent == 0) {
|
||||||
if (wc_ecc_make_key(ssl->rng, ssl->eccTempKeySz,
|
if (wc_ecc_make_key(ssl->rng, ssl->eccTempKeySz,
|
||||||
ssl->eccTempKey) != 0) {
|
ssl->eccTempKey) != 0) {
|
||||||
@@ -13207,8 +13191,8 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
err = wc_ecc_verify_hash(input + *inOutIdx, sz, digest, digestSz,
|
err = wc_ecc_verify_hash(input + *inOutIdx, sz, digest,
|
||||||
&verify, ssl->peerEccDsaKey);
|
digestSz, &verify, ssl->peerEccDsaKey);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (err == 0 && verify == 1)
|
if (err == 0 && verify == 1)
|
||||||
@@ -13545,7 +13529,16 @@ int DoSessionTicket(WOLFSSL* ssl,
|
|||||||
if ((*inOutIdx - begin) + length > size)
|
if ((*inOutIdx - begin) + length > size)
|
||||||
return BUFFER_ERROR;
|
return BUFFER_ERROR;
|
||||||
|
|
||||||
if (ssl->peerEccKeyPresent) { /* don't leak on reuse */
|
if (ssl->peerEccKey == NULL) {
|
||||||
|
/* alloc/init on demand */
|
||||||
|
ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
|
||||||
|
ssl->ctx->heap, DYNAMIC_TYPE_ECC);
|
||||||
|
if (ssl->peerEccKey == NULL) {
|
||||||
|
WOLFSSL_MSG("PeerEccKey Memory error");
|
||||||
|
return MEMORY_E;
|
||||||
|
}
|
||||||
|
wc_ecc_init(ssl->peerEccKey);
|
||||||
|
} else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */
|
||||||
wc_ecc_free(ssl->peerEccKey);
|
wc_ecc_free(ssl->peerEccKey);
|
||||||
ssl->peerEccKeyPresent = 0;
|
ssl->peerEccKeyPresent = 0;
|
||||||
wc_ecc_init(ssl->peerEccKey);
|
wc_ecc_init(ssl->peerEccKey);
|
||||||
|
|||||||
@@ -2074,13 +2074,11 @@ struct WOLFSSL {
|
|||||||
ecc_key* peerEccKey; /* peer's ECDHE key */
|
ecc_key* peerEccKey; /* peer's ECDHE key */
|
||||||
ecc_key* peerEccDsaKey; /* peer's ECDSA key */
|
ecc_key* peerEccDsaKey; /* peer's ECDSA key */
|
||||||
ecc_key* eccTempKey; /* private ECDHE key */
|
ecc_key* eccTempKey; /* private ECDHE key */
|
||||||
ecc_key* eccDsaKey; /* private ECDSA key */
|
|
||||||
word16 eccTempKeySz; /* in octets 20 - 66 */
|
word16 eccTempKeySz; /* in octets 20 - 66 */
|
||||||
word32 pkCurveOID; /* curve Ecc_Sum */
|
word32 pkCurveOID; /* curve Ecc_Sum */
|
||||||
byte peerEccKeyPresent;
|
byte peerEccKeyPresent;
|
||||||
byte peerEccDsaKeyPresent;
|
byte peerEccDsaKeyPresent;
|
||||||
byte eccTempKeyPresent;
|
byte eccTempKeyPresent;
|
||||||
byte eccDsaKeyPresent;
|
|
||||||
#endif
|
#endif
|
||||||
hmacfp hmac;
|
hmacfp hmac;
|
||||||
void* heap; /* for user overrides */
|
void* heap; /* for user overrides */
|
||||||
|
|||||||
Reference in New Issue
Block a user