diff --git a/cyassl/ctaocrypt/types.h b/cyassl/ctaocrypt/types.h index 9384d01b0..4a5f66694 100644 --- a/cyassl/ctaocrypt/types.h +++ b/cyassl/ctaocrypt/types.h @@ -217,7 +217,8 @@ enum { DYNAMIC_TYPE_OCSP_ENTRY = 28, DYNAMIC_TYPE_ALTNAME = 29, DYNAMIC_TYPE_SUITES = 30, - DYNAMIC_TYPE_CIPHER = 31 + DYNAMIC_TYPE_CIPHER = 31, + DYNAMIC_TYPE_RNG = 32 }; /* stack protection */ diff --git a/cyassl/internal.h b/cyassl/internal.h index df771684c..6b8284e0c 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1226,7 +1226,7 @@ struct CYASSL { CYASSL_BIO* biowr; /* socket bio write to free/close */ void* IOCB_ReadCtx; void* IOCB_WriteCtx; - RNG rng; + RNG* rng; Md5 hashMd5; /* md5 hash of handshake msgs */ Sha hashSha; /* sha hash of handshake msgs */ #ifndef NO_SHA256 diff --git a/src/internal.c b/src/internal.c index 25dea7056..0f47f0be8 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1054,6 +1054,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->arrays.server_hint[0] = 0; #endif /* NO_PSK */ + ssl->rng = NULL; InitCiphers(ssl); /* all done with init, now can return errors, call other stuff */ @@ -1065,7 +1066,13 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ctx->refCount++; UnLockMutex(&ctx->countMutex); - if ( (ret = InitRng(&ssl->rng)) != 0) + ssl->rng = (RNG*)XMALLOC(sizeof(RNG), ssl->heap, DYNAMIC_TYPE_RNG); + if (ssl->rng == NULL) { + CYASSL_MSG("RNG Memory error"); + return MEMORY_E; + } + + if ( (ret = InitRng(ssl->rng)) != 0) return ret; ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, @@ -1101,6 +1108,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) void SSL_ResourceFree(CYASSL* ssl) { FreeCiphers(ssl); + XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG); XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES); XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_DH); 
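Review bot: The new `XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG);` in SSL_ResourceFree releases the RNG without clearing it, and the same applies to the early free added to FreeHandshakeResources in the next hunk. Now that the RNG is its own heap block, whatever generator state it holds stays in freed memory for the allocator to hand out again, and that state fed the hello randoms, the pre-master secret and the key generation calls seen elsewhere in this diff. Clear it before freeing, e.g. `if (ssl->rng) XMEMSET(ssl->rng, 0, sizeof(RNG));`, using a wipe the compiler cannot drop as a dead store. SSL_ResourceFree continues past the end of the hunk.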
@@ -1149,11 +1157,19 @@ void SSL_ResourceFree(CYASSL* ssl) /* Free any handshake resources no longer needed */ void FreeHandshakeResources(CYASSL* ssl) { + /* input buffer */ if (ssl->buffers.inputBuffer.dynamicFlag) ShrinkInputBuffer(ssl, NO_FORCED_FREE); + /* suites */ XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES); ssl->suites = NULL; + + /* RNG */ + if (ssl->specs.cipher_type == stream || ssl->options.tls1_1 == 0) { + XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG); + ssl->rng = NULL; + } } @@ -3269,7 +3285,7 @@ static int BuildMessage(CYASSL* ssl, byte* output, const byte* input, int inSz, if (ssl->options.tls1_1) { ivSz = blockSz; sz += ivSz; - RNG_GenerateBlock(&ssl->rng, iv, ivSz); + RNG_GenerateBlock(ssl->rng, iv, ivSz); } sz += 1; /* pad byte */ pad = (sz - headerSz) % blockSz; @@ -4708,7 +4724,7 @@ int SetCipherList(Suites* s, const char* list) /* then random */ if (ssl->options.connectState == CONNECT_BEGIN) { - RNG_GenerateBlock(&ssl->rng, output + idx, RAN_LEN); + RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN); /* store random */ XMEMCPY(ssl->arrays.clientRandom, output + idx, RAN_LEN); @@ -5187,7 +5203,7 @@ int SetCipherList(Suites* s, const char* list) int ret = 0; if (ssl->specs.kea == rsa_kea) { - RNG_GenerateBlock(&ssl->rng, ssl->arrays.preMasterSecret, + RNG_GenerateBlock(ssl->rng, ssl->arrays.preMasterSecret, SECRET_LEN); ssl->arrays.preMasterSecret[0] = ssl->chVersion.major; ssl->arrays.preMasterSecret[1] = ssl->chVersion.minor; @@ -5198,7 +5214,7 @@ int SetCipherList(Suites* s, const char* list) ret = RsaPublicEncrypt(ssl->arrays.preMasterSecret, SECRET_LEN, encSecret, sizeof(encSecret), &ssl->peerRsaKey, - &ssl->rng); + ssl->rng); if (ret > 0) { encSz = ret; ret = 0; /* set success to 0 */ 
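Review bot: FreeHandshakeResources can now leave `ssl->rng` NULL on a connection that is still in use, while every call site converted in this commit passes `ssl->rng` straight through with no NULL check. The free condition mirrors the one post-handshake consumer visible here, the IV generation in BuildMessage under `ssl->options.tls1_1`. The hello, key-exchange and signing paths, and the `ecc_make_key(ssl->rng, ...)` call in src/ssl.c marked "in case used set_accept_state after init", would dereference NULL if any of them can run after this function; reachability cannot be confirmed from the hunks shown. Document the invariant next to the free, e.g. `/* RNG is only needed after the handshake for TLS 1.1+ block cipher IVs; nothing may start a new handshake on this object once it is freed */`, and have the handshake entry points fail with an error when `ssl->rng == NULL` rather than dereference it.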
@@ -5221,7 +5237,7 @@ int SetCipherList(Suites* s, const char* list) serverG.buffer, serverG.length); if (ret == 0) /* for DH, encSecret is Yc, agree is pre-master */ - ret = DhGenerateKeyPair(&key, &ssl->rng, priv, &privSz, + ret = DhGenerateKeyPair(&key, ssl->rng, priv, &privSz, encSecret, &encSz); if (ret == 0) ret = DhAgree(&key, ssl->arrays.preMasterSecret, @@ -5263,7 +5279,7 @@ int SetCipherList(Suites* s, const char* list) 'C', 'y', 'a', 'S', 'S', 'L', ' ', 'N', 'T', 'R', 'U' }; - RNG_GenerateBlock(&ssl->rng, ssl->arrays.preMasterSecret, + RNG_GenerateBlock(ssl->rng, ssl->arrays.preMasterSecret, SECRET_LEN); ssl->arrays.preMasterSz = SECRET_LEN; @@ -5305,7 +5321,7 @@ int SetCipherList(Suites* s, const char* list) } ecc_init(&myKey); - ret = ecc_make_key(&ssl->rng, peerKey->dp->size, &myKey); + ret = ecc_make_key(ssl->rng, peerKey->dp->size, &myKey); if (ret != 0) return ECC_MAKEKEY_ERROR; @@ -5472,7 +5488,7 @@ int SetCipherList(Suites* s, const char* list) word32 localSz = sigOutSz; ret = ecc_sign_hash(signBuffer + MD5_DIGEST_SIZE, SHA_DIGEST_SIZE, verify + extraSz + VERIFY_HEADER, - &localSz, &ssl->rng, &eccKey); + &localSz, ssl->rng, &eccKey); #endif } else { @@ -5491,7 +5507,7 @@ int SetCipherList(Suites* s, const char* list) } ret = RsaSSL_Sign(signBuffer, signSz, verify + extraSz + - VERIFY_HEADER, ENCRYPT_LEN, &key, &ssl->rng); + VERIFY_HEADER, ENCRYPT_LEN, &key, ssl->rng); if (ret > 0) ret = 0; /* RSA reset */ @@ -5577,7 +5593,7 @@ int SetCipherList(Suites* s, const char* list) /* then random */ if (!ssl->options.resuming) - RNG_GenerateBlock(&ssl->rng, ssl->arrays.serverRandom, RAN_LEN); + RNG_GenerateBlock(ssl->rng, ssl->arrays.serverRandom, RAN_LEN); XMEMCPY(output + idx, ssl->arrays.serverRandom, RAN_LEN); idx += RAN_LEN; 
@@ -5593,7 +5609,7 @@ int SetCipherList(Suites* s, const char* list) /* then session id */ output[idx++] = ID_LEN; if (!ssl->options.resuming) - RNG_GenerateBlock(&ssl->rng, ssl->arrays.sessionID, ID_LEN); + RNG_GenerateBlock(ssl->rng, ssl->arrays.sessionID, ID_LEN); XMEMCPY(output + idx, ssl->arrays.sessionID, ID_LEN); idx += ID_LEN; @@ -5859,7 +5875,7 @@ int SetCipherList(Suites* s, const char* list) signBuffer = encodedSig; } ret = RsaSSL_Sign(signBuffer, signSz, output + idx, sigSz, - &rsaKey, &ssl->rng); + &rsaKey, ssl->rng); FreeRsaKey(&rsaKey); ecc_free(&dsaKey); if (ret > 0) @@ -5871,7 +5887,7 @@ int SetCipherList(Suites* s, const char* list) word32 sz = sigSz; ret = ecc_sign_hash(&hash[MD5_DIGEST_SIZE], SHA_DIGEST_SIZE, - output + idx, &sz, &ssl->rng, &dsaKey); + output + idx, &sz, ssl->rng, &dsaKey); FreeRsaKey(&rsaKey); ecc_free(&dsaKey); if (ret < 0) return ret; @@ -5933,7 +5949,7 @@ int SetCipherList(Suites* s, const char* list) ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length); if (ret == 0) - ret = DhGenerateKeyPair(&dhKey, &ssl->rng, + ret = DhGenerateKeyPair(&dhKey, ssl->rng, ssl->buffers.serverDH_Priv.buffer, &ssl->buffers.serverDH_Priv.length, ssl->buffers.serverDH_Pub.buffer, @@ -6061,7 +6077,7 @@ int SetCipherList(Suites* s, const char* list) signBuffer = encodedSig; } ret = RsaSSL_Sign(signBuffer, signSz, output + idx, sigSz, - &rsaKey, &ssl->rng); + &rsaKey, ssl->rng); FreeRsaKey(&rsaKey); if (ret <= 0) return ret; @@ -6644,7 +6660,7 @@ int SetCipherList(Suites* s, const char* list) return UNSUPPORTED_SUITE; } - RNG_GenerateBlock(&ssl->rng, ssl->arrays.serverRandom, RAN_LEN); + RNG_GenerateBlock(ssl->rng, ssl->arrays.serverRandom, RAN_LEN); if (ssl->options.tls) ret = DeriveTlsKeys(ssl); else 
@@ -6806,7 +6822,7 @@ int SetCipherList(Suites* s, const char* list) return UNSUPPORTED_SUITE; } - RNG_GenerateBlock(&ssl->rng, ssl->arrays.serverRandom, RAN_LEN); + RNG_GenerateBlock(ssl->rng, ssl->arrays.serverRandom, RAN_LEN); if (ssl->options.tls) ret = DeriveTlsKeys(ssl); else diff --git a/src/keys.c b/src/keys.c index a896bd8f3..cfab8c685 100644 --- a/src/keys.c +++ b/src/keys.c @@ -1098,7 +1098,7 @@ int StoreKeys(CYASSL* ssl, const byte* keyData) XMEMCPY(ssl->keys.server_write_IV, &keyData[i], sz); return SetKeys(&ssl->encrypt, &ssl->decrypt, &ssl->keys, &ssl->specs, - ssl->options.side, ssl->heap, &ssl->rng); + ssl->options.side, ssl->heap, ssl->rng); } @@ -1156,7 +1156,7 @@ static void CleanPreMaster(CYASSL* ssl) for (i = 0; i < sz; i++) ssl->arrays.preMasterSecret[i] = 0; - RNG_GenerateBlock(&ssl->rng, ssl->arrays.preMasterSecret, sz); + RNG_GenerateBlock(ssl->rng, ssl->arrays.preMasterSecret, sz); for (i = 0; i < sz; i++) ssl->arrays.preMasterSecret[i] = 0; diff --git a/src/ssl.c b/src/ssl.c index 144d6215b..a283b8ec8 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -213,25 +213,24 @@ int CyaSSL_negotiate(CYASSL* ssl) int CyaSSL_GetObjectSize(void) { #ifdef SHOW_SIZES - printf("sizeof suites = %d\n", sizeof(Suites)); - printf("sizeof ciphers(2) = %d\n", sizeof(Ciphers)); - printf("\tsizeof arc4 = %d\n", sizeof(Arc4)); - printf("\tsizeof aes = %d\n", sizeof(Aes)); - printf("\tsizeof des3 = %d\n", sizeof(Des3)); - printf("\tsizeof rabbit = %d\n", sizeof(Rabbitj)); - printf("sizeof cipher specs = %d\n", sizeof(CipherSpecs)); - printf("sizeof keys = %d\n", sizeof(Keys)); - printf("sizeof RNG = %d\n", sizeof(RNG)); - printf("sizeof MD5 = %d\n", sizeof(Md5)); - printf("sizeof SHA = %d\n", sizeof(Sha)); - printf("sizeof SHA256 = %d\n", sizeof(Sha256)); - printf("sizeof Hashes(2) = %d\n", sizeof(Hashes)); - printf("sizeof Buffers = %d\n", sizeof(Buffers)); - printf("sizeof Options = %d\n", sizeof(Options)); - printf("sizeof Arrays = %d\n", sizeof(Arrays)); - printf("sizeof Session = %d\n", sizeof(CYASSL_SESSION)); - printf("sizeof peerKey = %d\n", sizeof(RsaKey)); - printf("sizeof CYASSL_CIPHER = %d\n", sizeof(CYASSL_CIPHER)); + printf("sizeof suites = %lu\n", sizeof(Suites)); + printf("sizeof ciphers(2) = %lu\n", sizeof(Ciphers)); + printf("\tsizeof arc4 = %lu\n", sizeof(Arc4)); + printf("\tsizeof aes = %lu\n", sizeof(Aes)); + printf("\tsizeof des3 = %lu\n", sizeof(Des3)); + printf("\tsizeof rabbit = %lu\n", sizeof(Rabbit)); + printf("sizeof cipher specs = %lu\n", sizeof(CipherSpecs)); + printf("sizeof keys = %lu\n", sizeof(Keys)); + printf("sizeof MD5 = %lu\n", sizeof(Md5)); + printf("sizeof SHA = %lu\n", sizeof(Sha)); + printf("sizeof SHA256 = %lu\n", sizeof(Sha256)); + printf("sizeof Hashes(2) = %lu\n", sizeof(Hashes)); + printf("sizeof Buffers = %lu\n", sizeof(Buffers)); + printf("sizeof Options = %lu\n", sizeof(Options)); + printf("sizeof Arrays = %lu\n", sizeof(Arrays)); + printf("sizeof Session = %lu\n", sizeof(CYASSL_SESSION)); + printf("sizeof peerKey = %lu\n", sizeof(RsaKey)); + printf("sizeof CYASSL_CIPHER = %lu\n", 
sizeof(CYASSL_CIPHER)); #endif return sizeof(CYASSL); @@ -2490,7 +2489,7 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list) #ifdef HAVE_ECC /* in case used set_accept_state after init */ if (ssl->eccTempKeyPresent == 0) { - if (ecc_make_key(&ssl->rng, ssl->eccTempKeySz, + if (ecc_make_key(ssl->rng, ssl->eccTempKeySz, &ssl->eccTempKey) != 0) { ssl->error = ECC_MAKEKEY_ERROR; CYASSL_ERROR(ssl->error);
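Review bot: `%lu` still does not match the `size_t` that `sizeof` yields in the SHOW_SIZES block of CyaSSL_GetObjectSize, so on a platform where `unsigned long` is narrower than `size_t` the call has the same undefined behaviour as the `%d` it replaces. Cast each argument, e.g. `printf("sizeof suites = %lu\n", (unsigned long)sizeof(Suites));`, or use `%zu` if the project can rely on C99 formatting. The `sizeof RNG` line was dropped, and the function still returns `sizeof(CYASSL)`, which no longer includes the separately allocated RNG. A comment such as `/* does not include the heap-allocated RNG (sizeof(RNG)) */` would keep callers that budget memory from this value from undercounting.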