From 94e1b87ae0a79e481b85bfea431b11f8f54cac29 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 17 Mar 2022 18:07:15 -0600 Subject: [PATCH] smallstack reduction for wolfSSL_X509_set_ext, wolfSSL_EC_POINT_mul, wolfSSL_ECDSA_do_sign, wolfSSL_i2d_X509_NAME, wolfSSL_X509_REQ_sign --- src/ssl.c | 318 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 252 insertions(+), 66 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 5cbd9332a..76deac7df 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -9772,7 +9772,11 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_X509_EXTENSION* ext = NULL; WOLFSSL_ASN1_INTEGER* a; WOLFSSL_STACK* sk; - DecodedCert cert; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; +#else + DecodedCert cert[1]; +#endif WOLFSSL_ENTER("wolfSSL_X509_set_ext"); @@ -9799,9 +9803,18 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) return NULL; } - InitDecodedCert( &cert, rawCert, (word32)outSz, 0); +#ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); + if (cert == NULL) { + WOLFSSL_MSG("Failed to allocate memory for DecodedCert"); + wolfSSL_X509_EXTENSION_free(ext); + return NULL; + } +#endif - if (ParseCert(&cert, + InitDecodedCert(cert, rawCert, (word32)outSz, 0); + + if (ParseCert(cert, #ifdef WOLFSSL_CERT_REQ x509->isCSR ? CERTREQ_TYPE : #endif @@ -9809,17 +9822,23 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) NO_VERIFY, NULL) < 0) { WOLFSSL_MSG("\tCertificate parsing failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } - input = cert.extensions; - sz = cert.extensionsSz; + input = cert->extensions; + sz = cert->extensionsSz; if (input == NULL || sz == 0) { WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); +#endif return NULL; } @@ -9830,14 +9849,20 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (input[idx++] != ASN_EXTENSIONS) { WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } if (GetLength(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: invalid length"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } } @@ -9845,7 +9870,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (GetSequence(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); +#endif return NULL; } @@ -9855,7 +9883,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (GetSequence(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: should be a SEQUENCE"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } @@ -9864,7 +9895,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret < 0) { WOLFSSL_MSG("\tfail: OBJECT ID"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } idx = tmpIdx; @@ -9883,7 +9917,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ext->obj == NULL) { WOLFSSL_MSG("\tfail: Invalid OBJECT"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->obj->nid = nid; @@ -9896,7 +9933,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) a = wolfSSL_ASN1_INTEGER_new(); if (a == NULL) { wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } a->length = x509->pathLength; @@ -9918,7 +9958,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (sk == NULL) { WOLFSSL_MSG("Failed to malloc stack"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } @@ -9932,7 +9975,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_MSG("Error creating ASN1 object"); wolfSSL_sk_ASN1_OBJECT_pop_free(sk, NULL); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } obj->obj = (byte*)x509->authInfoCaIssuer; @@ -9946,7 +9992,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) wolfSSL_ASN1_OBJECT_free(obj); wolfSSL_sk_ASN1_OBJECT_pop_free(sk, NULL); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } } @@ -9961,7 +10010,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_MSG("Error creating ASN1 object"); wolfSSL_sk_ASN1_OBJECT_pop_free(sk, NULL); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } obj->obj = x509->authInfo; @@ -9975,7 +10027,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) wolfSSL_ASN1_OBJECT_free(obj); wolfSSL_sk_ASN1_OBJECT_pop_free(sk, NULL); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } } @@ -9992,7 +10047,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set() failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->crit = x509->authKeyIdCrit; @@ -10007,7 +10065,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set() failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->crit = x509->subjKeyIdCrit; @@ -10028,7 +10089,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set() failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->crit = x509->keyUsageCrit; @@ -10043,7 +10107,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set() failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->crit = x509->keyUsageCrit; @@ -10068,7 +10135,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set() failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } #endif @@ -10078,7 +10148,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) DYNAMIC_TYPE_ASN1); if (sk == NULL) { wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } XMEMSET(sk, 0, sizeof(WOLFSSL_GENERAL_NAMES)); @@ -10093,8 +10166,11 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (gn == NULL) { WOLFSSL_MSG("Error creating GENERAL_NAME"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); wolfSSL_sk_pop_free(sk, NULL); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } @@ -10104,9 +10180,12 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) gn->d.ia5->length) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); wolfSSL_GENERAL_NAME_free(gn); wolfSSL_sk_pop_free(sk, NULL); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } @@ -10117,9 +10196,12 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error pushing onto stack"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); wolfSSL_GENERAL_NAME_free(gn); wolfSSL_sk_pop_free(sk, NULL); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } } @@ -10128,9 +10210,12 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error pushing onto stack"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); wolfSSL_GENERAL_NAME_free(gn); wolfSSL_sk_pop_free(sk, NULL); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } } @@ -10149,7 +10234,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (GetASNObjectId(input, &idx, &length, sz) != 0) { WOLFSSL_MSG("Failed to Get ASN Object Id"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } oidBuf = (byte*)XMALLOC(length+1+MAX_LENGTH_SZ, NULL, @@ -10157,7 +10245,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (oidBuf == NULL) { WOLFSSL_MSG("Failed to malloc tmp buffer"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } oidBuf[0] = ASN_OBJECT_ID; @@ -10175,8 +10266,11 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ext->obj->obj == NULL) { wolfSSL_ASN1_OBJECT_free(ext->obj); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); XFREE(oidBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->obj->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA; @@ -10197,7 +10291,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_MSG("Error decoding unknown extension data"); wolfSSL_ASN1_OBJECT_free(ext->obj); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } @@ -10205,7 +10302,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_MSG("Error: Invalid Input Length."); wolfSSL_ASN1_OBJECT_free(ext->obj); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->value.data = (char*)XMALLOC(length, NULL, DYNAMIC_TYPE_ASN1); @@ -10213,7 +10313,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ext->value.data == NULL) { WOLFSSL_MSG("Failed to malloc ASN1_STRING data"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } XMEMCPY(ext->value.data,input+tmpIdx,length); @@ -10232,7 +10335,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (x509->ext_sk != NULL) wolfSSL_sk_X509_EXTENSION_push(x509->ext_sk, ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); +#endif return ext; } @@ -40421,7 +40527,12 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, const WOLFSSL_BIGNUM *n, const WOLFSSL_EC_POINT *q, const WOLFSSL_BIGNUM *m, WOLFSSL_BN_CTX *ctx) { - mp_int a, prime; +#ifdef WOLFSSL_SMALL_STACK + mp_int* a = NULL; + mp_int* prime = NULL; +#else + mp_int a[1], prime[1]; +#endif int ret = WOLFSSL_FAILURE; ecc_point* result = NULL; ecc_point* tmp = NULL; @@ -40435,13 +40546,25 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, return WOLFSSL_FAILURE; } +#ifdef WOLFSSL_SMALL_STACK + a = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (a == NULL) { + return WOLFSSL_FAILURE; + } + prime = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (prime == NULL) { + XFREE(a, NULL, DYNAMIC_TYPE_BIGINT); + return WOLFSSL_FAILURE; + } +#endif + if (!(result = wc_ecc_new_point())) { WOLFSSL_MSG("wolfSSL_EC_POINT_new error"); return WOLFSSL_FAILURE; } /* read the curve prime and a */ - if (mp_init_multi(&prime, &a, NULL, NULL, NULL, NULL) != MP_OKAY) { + if (mp_init_multi(prime, a, NULL, NULL, NULL, NULL) != MP_OKAY) { WOLFSSL_MSG("mp_init_multi error"); goto cleanup; } @@ -40451,13 +40574,13 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, goto cleanup; } - if (mp_read_radix(&prime, ecc_sets[group->curve_idx].prime, MP_RADIX_HEX) + if (mp_read_radix(prime, ecc_sets[group->curve_idx].prime, MP_RADIX_HEX) != MP_OKAY) { WOLFSSL_MSG("mp_read_radix prime error"); goto cleanup; } - if (mp_read_radix(&a, ecc_sets[group->curve_idx].Af, MP_RADIX_HEX) + if (mp_read_radix(a, ecc_sets[group->curve_idx].Af, MP_RADIX_HEX) != MP_OKAY) { WOLFSSL_MSG("mp_read_radix a error"); goto cleanup; @@ -40495,14 +40618,14 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, #ifdef ECC_SHAMIR if (ecc_mul2add(result, (mp_int*)n->internal, (ecc_point*)q->internal, (mp_int*)m->internal, - result, &a, &prime, NULL) + result, a, prime, NULL) != MP_OKAY) { WOLFSSL_MSG("ecc_mul2add error"); goto cleanup; } #else mp_digit mp = 0; - if (mp_montgomery_setup(&prime, &mp) != MP_OKAY) { + if (mp_montgomery_setup(prime, &mp) != MP_OKAY) { WOLFSSL_MSG("mp_montgomery_setup nqm error"); goto cleanup; } @@ -40511,24 +40634,24 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, goto cleanup; } /* r = generator * n */ - if (wc_ecc_mulmod((mp_int*)n->internal, result, result, &a, &prime, 0) + if (wc_ecc_mulmod((mp_int*)n->internal, result, result, a, prime, 0) != MP_OKAY) { WOLFSSL_MSG("wc_ecc_mulmod nqm error"); goto cleanup; } /* tmp = q * m */ if (wc_ecc_mulmod((mp_int*)m->internal, (ecc_point*)q->internal, - tmp, &a, &prime, 0) != MP_OKAY) { + tmp, a, prime, 0) != MP_OKAY) { WOLFSSL_MSG("wc_ecc_mulmod nqm error"); goto cleanup; } /* result = result + tmp */ - if (ecc_projective_add_point(tmp, result, result, &a, &prime, mp) + if (ecc_projective_add_point(tmp, result, result, a, prime, mp) != MP_OKAY) { WOLFSSL_MSG("wc_ecc_mulmod nqm error"); goto cleanup; } - if (ecc_map(result, &prime, mp) != MP_OKAY) { + if (ecc_map(result, prime, mp) != MP_OKAY) { WOLFSSL_MSG("ecc_map nqm error"); goto cleanup; } @@ -40536,7 +40659,7 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, } else if (n) { /* r = generator * n */ - if (wc_ecc_mulmod((mp_int*)n->internal, result, result, &a, &prime, 1) + if (wc_ecc_mulmod((mp_int*)n->internal, result, result, a, prime, 1) != MP_OKAY) { WOLFSSL_MSG("wc_ecc_mulmod gn error"); goto cleanup; @@ -40545,7 +40668,7 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, else if (q && m) { /* r = q * m */ if (wc_ecc_mulmod((mp_int*)m->internal, (ecc_point*)q->internal, - result, &a, &prime, 1) != MP_OKAY) { + result, a, prime, 1) != MP_OKAY) { WOLFSSL_MSG("wc_ecc_mulmod qm error"); goto cleanup; } @@ -40564,10 +40687,14 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, ret = WOLFSSL_SUCCESS; cleanup: - mp_clear(&a); - mp_clear(&prime); + mp_clear(a); + mp_clear(prime); wc_ecc_del_point(result); wc_ecc_del_point(tmp); +#ifdef WOLFSSL_SMALL_STACK + XFREE(a, NULL, DYNAMIC_TYPE_BIGINT); + XFREE(prime, NULL, DYNAMIC_TYPE_BIGINT); +#endif return ret; } #endif /* !WOLFSSL_ATECC508A && !WOLFSSL_ATECC608A && !HAVE_SELFTEST && @@ -40837,9 +40964,15 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen, WC_RNG* rng = NULL; #ifdef WOLFSSL_SMALL_STACK WC_RNG* tmpRNG = NULL; + byte* out = NULL; + mp_int* sig_r = NULL; + mp_int* sig_s = NULL; #else WC_RNG tmpRNG[1]; + byte out[ECC_BUFSIZE]; + mp_int sig_r[1], sig_s[1]; #endif + word32 outlen = ECC_BUFSIZE; WOLFSSL_ENTER("wolfSSL_ECDSA_do_sign"); @@ -40863,6 +40996,24 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen, tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); if (tmpRNG == NULL) return NULL; + out = (byte*)XMALLOC(outlen, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (out == NULL) { + XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); + return NULL; + } + sig_r = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (sig_r == NULL) { + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); + return NULL; + } + sig_s = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (sig_s == NULL) { + XFREE(sig_r, NULL, DYNAMIC_TYPE_BIGINT); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); + return NULL; + } #endif if (wc_InitRng(tmpRNG) == 0) { @@ -40878,31 +41029,28 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen, } if (rng) { - byte out[ECC_BUFSIZE]; - word32 outlen = ECC_BUFSIZE; /* use wc_ecc_sign_hash because it supports crypto callbacks */ if (wc_ecc_sign_hash(d, dlen, out, &outlen, rng, (ecc_key*)key->internal) == 0) { - mp_int sig_r, sig_s; - if (mp_init_multi(&sig_r, &sig_s, NULL, NULL, NULL, NULL) == MP_OKAY) { + if (mp_init_multi(sig_r, sig_s, NULL, NULL, NULL, NULL) == MP_OKAY) { /* put signature blob in ECDSA structure */ - if (DecodeECC_DSA_Sig(out, outlen, &sig_r, &sig_s) == 0) { + if (DecodeECC_DSA_Sig(out, outlen, sig_r, sig_s) == 0) { sig = wolfSSL_ECDSA_SIG_new(); if (sig == NULL) WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new failed"); - else if (SetIndividualExternal(&sig->r, &sig_r) != WOLFSSL_SUCCESS) { + else if (SetIndividualExternal(&sig->r, sig_r) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ecdsa r key error"); wolfSSL_ECDSA_SIG_free(sig); sig = NULL; } - else if (SetIndividualExternal(&sig->s, &sig_s)!=WOLFSSL_SUCCESS){ + else if (SetIndividualExternal(&sig->s, sig_s)!=WOLFSSL_SUCCESS){ WOLFSSL_MSG("ecdsa s key error"); wolfSSL_ECDSA_SIG_free(sig); sig = NULL; } } - mp_free(&sig_r); - mp_free(&sig_s); + mp_free(sig_r); + mp_free(sig_s); } } else { @@ -40913,6 +41061,9 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen, if (initTmpRng) wc_FreeRng(tmpRNG); #ifdef WOLFSSL_SMALL_STACK + XFREE(sig_s, NULL, DYNAMIC_TYPE_BIGINT); + XFREE(sig_r, NULL, DYNAMIC_TYPE_BIGINT); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); #endif @@ -45210,7 +45361,11 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) unsigned char **in, long length) { WOLFSSL_X509_NAME* tmp = NULL; - DecodedCert cert; + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif WOLFSSL_ENTER("wolfSSL_d2i_X509_NAME"); @@ -45219,12 +45374,20 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) return NULL; } + #ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_DCERT); + if (cert == NULL) { + return NULL; + } + #endif + /* Set the X509_NAME buffer as the input data for cert. * in is NOT a full certificate. Just the name. */ - InitDecodedCert(&cert, *in, (word32)length, NULL); + InitDecodedCert(cert, *in, (word32)length, NULL); /* Parse the X509 subject name */ - if (GetName(&cert, SUBJECT, (int)length) != 0) { + if (GetName(cert, SUBJECT, (int)length) != 0) { WOLFSSL_MSG("WOLFSSL_X509_NAME parse error"); goto cleanup; } @@ -45234,7 +45397,7 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) goto cleanup; } - if (wolfSSL_X509_NAME_copy((WOLFSSL_X509_NAME*)cert.subjectName, + if (wolfSSL_X509_NAME_copy((WOLFSSL_X509_NAME*)cert->subjectName, tmp) != WOLFSSL_SUCCESS) { wolfSSL_X509_NAME_free(tmp); tmp = NULL; @@ -45244,7 +45407,10 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) if (name) *name = tmp; cleanup: - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return tmp; } @@ -57431,27 +57597,47 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, const WOLFSSL_EVP_MD *md) { int ret; +#ifdef WOLFSSL_SMALL_STACK + byte* der = NULL; +#else byte der[2048]; - int derSz = sizeof(der); +#endif + int derSz = 2048; if (req == NULL || pkey == NULL || md == NULL) { WOLFSSL_LEAVE("wolfSSL_X509_REQ_sign", BAD_FUNC_ARG); return WOLFSSL_FAILURE; } +#ifdef WOLFSSL_SMALL_STACK + der = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (der == NULL) { + return WOLFSSL_FAILURE; + } +#endif + /* Create a Cert that has the certificate request fields. */ req->sigOID = wolfSSL_sigTypeFromPKEY((WOLFSSL_EVP_MD*)md, pkey); ret = wolfssl_x509_make_der(req, 1, der, &derSz, 0); if (ret != WOLFSSL_SUCCESS) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif WOLFSSL_MSG("Unable to make DER for X509"); WOLFSSL_LEAVE("wolfSSL_X509_REQ_sign", ret); return WOLFSSL_FAILURE; } - if (wolfSSL_X509_resign_cert(req, 1, der, sizeof(der), derSz, + if (wolfSSL_X509_resign_cert(req, 1, der, 2048, derSz, (WOLFSSL_EVP_MD*)md, pkey) <= 0) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif return WOLFSSL_FAILURE; } +#ifdef WOLFSSL_SMALL_STACK + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif return WOLFSSL_SUCCESS; }