feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

small stack memory management

Browse Source
This commit is contained in:
Jacob Barthelmeh
2018-10-25 14:37:44 -06:00
committed by David Garske
parent 77a1dafed0
commit 867bcb4545
1 changed files with 75 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
wolfcrypt/src/pkcs7.c
View File

@@ -64,11 +64,11 @@ typedef enum {
typedef struct PKCS7State { typedef struct PKCS7State {
byte* tmpCert; byte* tmpCert;
byte* bufferPt; byte* bufferPt;
byte* key;
byte* nonce; /* stored nonce */ byte* nonce; /* stored nonce */
byte* aad; /* additional data for AEAD algos */ byte* aad; /* additional data for AEAD algos */
byte* tag; /* tag data for AEAD algos */ byte* tag; /* tag data for AEAD algos */
byte* content; byte* content;
byte multi; /* flag for if content is in multiple parts */
byte* buffer; /* main internal read buffer */ byte* buffer; /* main internal read buffer */
/* stack variables to store for when returning */ /* stack variables to store for when returning */
@@ -93,6 +93,7 @@ typedef struct PKCS7State {
word32 peakUsed; /* most bytes used for struct at any one time */ word32 peakUsed; /* most bytes used for struct at any one time */
word32 peakRead; /* most bytes used by read buffer */ word32 peakRead; /* most bytes used by read buffer */
#endif #endif
byte multi:1; /* flag for if content is in multiple parts */
byte flagOne:1; byte flagOne:1;
} PKCS7State; } PKCS7State;
@@ -152,10 +153,12 @@ static void wc_PKCS7_ResetStream(PKCS7* pkcs7)
XFREE(pkcs7->stream->tag, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7->stream->tag, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
XFREE(pkcs7->stream->nonce, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7->stream->nonce, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
XFREE(pkcs7->stream->buffer, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(pkcs7->stream->buffer, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
XFREE(pkcs7->stream->key, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
pkcs7->stream->aad = NULL; pkcs7->stream->aad = NULL;
pkcs7->stream->tag = NULL; pkcs7->stream->tag = NULL;
pkcs7->stream->nonce = NULL; pkcs7->stream->nonce = NULL;
pkcs7->stream->buffer = NULL; pkcs7->stream->buffer = NULL;
pkcs7->stream->key = NULL;
/* reset values, note that content and tmpCert are saved */ /* reset values, note that content and tmpCert are saved */
pkcs7->stream->maxLen = 0; pkcs7->stream->maxLen = 0;
@@ -1829,6 +1832,9 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
esd->hashType = wc_OidGetHash(pkcs7->hashOID); esd->hashType = wc_OidGetHash(pkcs7->hashOID);
if (wc_HashGetDigestSize(esd->hashType) != (int)hashSz) { if (wc_HashGetDigestSize(esd->hashType) != (int)hashSz) {
WOLFSSL_MSG("hashSz did not match hashOID"); WOLFSSL_MSG("hashSz did not match hashOID");
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return BUFFER_E; return BUFFER_E;
} }
@@ -1869,6 +1875,9 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
/* version MUST be 3 */ /* version MUST be 3 */
esd->signerVersionSz = SetMyVersion(3, esd->signerVersion, 0); esd->signerVersionSz = SetMyVersion(3, esd->signerVersion, 0);
} else { } else {
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return SKID_E; return SKID_E;
} }
@@ -1881,6 +1890,9 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
ret = wc_PKCS7_SignedDataGetEncAlgoId(pkcs7, &digEncAlgoId, ret = wc_PKCS7_SignedDataGetEncAlgoId(pkcs7, &digEncAlgoId,
&digEncAlgoType); &digEncAlgoType);
if (ret < 0) { if (ret < 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return ret; return ret;
} }
esd->digEncAlgoIdSz = SetAlgoID(digEncAlgoId, esd->digEncAlgoId, esd->digEncAlgoIdSz = SetAlgoID(digEncAlgoId, esd->digEncAlgoId,
@@ -1897,6 +1909,9 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
signingTimeOid, sizeof(signingTimeOid), signingTimeOid, sizeof(signingTimeOid),
signingTime, sizeof(signingTime)); signingTime, sizeof(signingTime));
if (ret < 0) { if (ret < 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return ret; return ret;
} }
@@ -1904,6 +1919,9 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
DYNAMIC_TYPE_PKCS7); DYNAMIC_TYPE_PKCS7);
flatSignedAttribsSz = esd->signedAttribsSz; flatSignedAttribsSz = esd->signedAttribsSz;
if (flatSignedAttribs == NULL) { if (flatSignedAttribs == NULL) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return MEMORY_E; return MEMORY_E;
} }
@@ -1919,6 +1937,9 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
if (ret < 0) { if (ret < 0) {
if (pkcs7->signedAttribsSz != 0) if (pkcs7->signedAttribsSz != 0)
XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return ret; return ret;
} }
@@ -1968,6 +1989,9 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
if (total2Sz > *output2Sz) { if (total2Sz > *output2Sz) {
if (pkcs7->signedAttribsSz != 0) if (pkcs7->signedAttribsSz != 0)
XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return BUFFER_E; return BUFFER_E;
} }
totalSz -= pkcs7->contentSz; totalSz -= pkcs7->contentSz;
@@ -1976,6 +2000,9 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
if (totalSz > *outputSz) { if (totalSz > *outputSz) {
if (pkcs7->signedAttribsSz != 0) if (pkcs7->signedAttribsSz != 0)
XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return BUFFER_E; return BUFFER_E;
} }
@@ -2051,6 +2078,9 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
XMEMCPY(output2 + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE); XMEMCPY(output2 + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE);
idx += KEYID_SIZE; idx += KEYID_SIZE;
} else { } else {
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return SKID_E; return SKID_E;
} }
XMEMCPY(output2 + idx, esd->signerDigAlgoId, esd->signerDigAlgoIdSz); XMEMCPY(output2 + idx, esd->signerDigAlgoId, esd->signerDigAlgoIdSz);
@@ -2080,6 +2110,9 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
*outputSz = idx; *outputSz = idx;
} }
#ifdef WOLFSSL_SMALL_STACK
XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
return idx; return idx;
} }
@@ -2656,6 +2689,7 @@ static int wc_PKCS7_RsaVerify(PKCS7* pkcs7, byte* sig, int sigSz,
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(dCert, pkcs7->heap, DYNAMIC_TYPE_DCERT);
#endif #endif
return ret; return ret;
} }
@@ -2698,6 +2732,7 @@ static int wc_PKCS7_RsaVerify(PKCS7* pkcs7, byte* sig, int sigSz,
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(dCert, pkcs7->heap, DYNAMIC_TYPE_DCERT);
#endif #endif
return ret; return ret;
@@ -2767,6 +2802,7 @@ static int wc_PKCS7_EcdsaVerify(PKCS7* pkcs7, byte* sig, int sigSz,
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(dCert, pkcs7->heap, DYNAMIC_TYPE_DCERT);
#endif #endif
return ret; return ret;
} }
@@ -2808,6 +2844,7 @@ static int wc_PKCS7_EcdsaVerify(PKCS7* pkcs7, byte* sig, int sigSz,
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(dCert, pkcs7->heap, DYNAMIC_TYPE_DCERT);
#endif #endif
return ret; return ret;
@@ -3965,6 +4002,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
if (ret == 0 && GetAlgoId(pkiMsg2, &idx, &sigOID, oidSigType, if (ret == 0 && GetAlgoId(pkiMsg2, &idx, &sigOID, oidSigType,
pkiMsg2Sz) < 0) { pkiMsg2Sz) < 0) {
ret = ASN_PARSE_E; ret = ASN_PARSE_E;
break;
} }
/* store public key type based on digestEncryptionAlgorithm */ /* store public key type based on digestEncryptionAlgorithm */
@@ -5010,7 +5048,7 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz,
keyAlgArray = (byte*)XMALLOC(MAX_SN_SZ, pkcs7->heap, keyAlgArray = (byte*)XMALLOC(MAX_SN_SZ, pkcs7->heap,
DYNAMIC_TYPE_TMP_BUFFER); DYNAMIC_TYPE_TMP_BUFFER);
encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap, encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap,
DYNAMIC_TYPE_TPM_BUFFER); DYNAMIC_TYPE_TMP_BUFFER);
decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), pkcs7->heap, decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), pkcs7->heap,
DYNAMIC_TYPE_TMP_BUFFER); DYNAMIC_TYPE_TMP_BUFFER);
@@ -5188,7 +5226,8 @@ int wc_PKCS7_AddRecipient_KTRI(PKCS7* pkcs7, const byte* cert, word32 certSz,
} }
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_TMP_BUFFER); pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), pkcs7->heap,
DYNAMIC_TYPE_TMP_BUFFER);
if (pubKey == NULL) { if (pubKey == NULL) {
FreeDecodedCert(decoded); FreeDecodedCert(decoded);
XFREE(serial, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(serial, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -6439,6 +6478,9 @@ int wc_PKCS7_AddRecipient_KEKRI(PKCS7* pkcs7, int keyWrapOID, byte* kek,
encryptedKey, encryptedKeySz, keyWrapOID, encryptedKey, encryptedKeySz, keyWrapOID,
AES_ENCRYPTION); AES_ENCRYPTION);
if (encryptedKeySz <= 0) { if (encryptedKeySz <= 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#endif
XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
return encryptedKeySz; return encryptedKeySz;
} }
@@ -6460,6 +6502,9 @@ int wc_PKCS7_AddRecipient_KEKRI(PKCS7* pkcs7, int keyWrapOID, byte* kek,
timeSz = GetAsnTimeString(tm, genTime, sizeof(genTime)); timeSz = GetAsnTimeString(tm, genTime, sizeof(genTime));
if (timeSz < 0) { if (timeSz < 0) {
XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#endif
return timeSz; return timeSz;
} }
totalSz += timeSz; totalSz += timeSz;
@@ -6488,6 +6533,9 @@ int wc_PKCS7_AddRecipient_KEKRI(PKCS7* pkcs7, int keyWrapOID, byte* kek,
if (totalSz > MAX_RECIP_SZ) { if (totalSz > MAX_RECIP_SZ) {
WOLFSSL_MSG("CMS Recipient output buffer too small"); WOLFSSL_MSG("CMS Recipient output buffer too small");
XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#endif
return BUFFER_E; return BUFFER_E;
} }
@@ -6520,6 +6568,10 @@ int wc_PKCS7_AddRecipient_KEKRI(PKCS7* pkcs7, int keyWrapOID, byte* kek,
XMEMCPY(recip->recip + idx, encryptedKey, encryptedKeySz); XMEMCPY(recip->recip + idx, encryptedKey, encryptedKeySz);
idx += encryptedKeySz; idx += encryptedKeySz;
#ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
#endif
/* store recipient size */ /* store recipient size */
recip->recipSz = idx; recip->recipSz = idx;
recip->recipType = PKCS7_KEKRI; recip->recipType = PKCS7_KEKRI;
@@ -6858,9 +6910,9 @@ static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz,
#endif #endif
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
mp_int* serialNum; mp_int* serialNum = NULL;
byte* encryptedKey; byte* encryptedKey = NULL;
RsaKey* privKey; RsaKey* privKey = NULL;
#else #else
mp_int serialNum[1]; mp_int serialNum[1];
byte encryptedKey[MAX_ENCRYPTED_KEY_SZ]; byte encryptedKey[MAX_ENCRYPTED_KEY_SZ];
@@ -6905,6 +6957,7 @@ static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz,
case WC_PKCS7_DECRYPT_KTRI_2: case WC_PKCS7_DECRYPT_KTRI_2:
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM
if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, pkcs7->stream->expected, if ((ret = wc_PKCS7_AddDataToStream(pkcs7, in, inSz, pkcs7->stream->expected,
&pkiMsg, idx)) != 0) { &pkiMsg, idx)) != 0) {
return ret; return ret;
@@ -7104,7 +7157,7 @@ static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz,
wc_FreeRsaKey(privKey); wc_FreeRsaKey(privKey);
if (keySz <= 0 || outKey == NULL) { if (keySz <= 0 || outKey == NULL) {
ForceZero(encryptedKey, MAX_ENCRYPTED_KEY_SZ); ForceZero(encryptedKey, encryptedKeySz);
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -7113,7 +7166,7 @@ static int wc_PKCS7_DecryptKtri(PKCS7* pkcs7, byte* in, word32 inSz,
} else { } else {
*decryptedKeySz = keySz; *decryptedKeySz = keySz;
XMEMCPY(decryptedKey, outKey, keySz); XMEMCPY(decryptedKey, outKey, keySz);
ForceZero(encryptedKey, MAX_ENCRYPTED_KEY_SZ); ForceZero(encryptedKey, encryptedKeySz);
} }
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
@@ -9426,6 +9479,9 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
ret = MEMORY_E; ret = MEMORY_E;
break; break;
} }
#ifndef NO_PKCS7_STREAM
pkcs7->stream->key = decryptedKey;
#endif
#endif #endif
FALL_THROUGH; FALL_THROUGH;
@@ -9438,6 +9494,11 @@ WOLFSSL_API int wc_PKCS7_DecodeAuthEnvelopedData(PKCS7* pkcs7, byte* in,
case WC_PKCS7_DECRYPT_ORI: case WC_PKCS7_DECRYPT_ORI:
decryptedKeySz = MAX_ENCRYPTED_KEY_SZ; decryptedKeySz = MAX_ENCRYPTED_KEY_SZ;
#ifdef WOLFSSL_SMALL_STACK
#ifndef NO_PKCS7_STREAM
decryptedKey = pkcs7->stream->key;
#endif
#endif
ret = wc_PKCS7_DecryptRecipientInfos(pkcs7, in, inSz, &idx, ret = wc_PKCS7_DecryptRecipientInfos(pkcs7, in, inSz, &idx,
decryptedKey, &decryptedKeySz, decryptedKey, &decryptedKeySz,
@@ -9822,6 +9883,9 @@ authenv_atrbend:
wc_PKCS7_StreamGetVar(pkcs7, &encOID, &blockKeySz, &encryptedContentSz); wc_PKCS7_StreamGetVar(pkcs7, &encOID, &blockKeySz, &encryptedContentSz);
encryptedContent = pkcs7->stream->bufferPt; encryptedContent = pkcs7->stream->bufferPt;
#ifdef WOLFSSL_SMALL_STACK
decryptedKey = pkcs7->stream->key;
#endif
#endif #endif
/* decrypt encryptedContent */ /* decrypt encryptedContent */
@@ -9850,6 +9914,9 @@ authenv_atrbend:
#ifdef WOLFSSL_SMALL_STACK #ifdef WOLFSSL_SMALL_STACK
XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
decryptedKey = NULL; decryptedKey = NULL;
#ifdef WOLFSSL_SMALL_STACK
pkcs7->stream->key = NULL;
#endif
#endif #endif
ret = encryptedContentSz; ret = encryptedContentSz;
#ifndef NO_PKCS7_STREAM #ifndef NO_PKCS7_STREAM