diff --git a/configure.ac b/configure.ac index cb928462c..8f2f31972 100644 --- a/configure.ac +++ b/configure.ac @@ -664,7 +664,6 @@ then test "$enable_tls13" = "" && enable_tls13=yes test "$enable_rsapss" = "" && enable_rsapss=yes fi - test "$enable_quic" = "" && enable_quic=yes # this set is also enabled by enable-all-crypto: test "$enable_atomicuser" = "" && enable_atomicuser=yes @@ -744,6 +743,7 @@ then if test "$ENABLED_LINUXKM_DEFAULTS" != "yes" then test "$enable_compkey" = "" && enable_compkey=yes + test "$enable_quic" = "" && enable_quic=yes AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_IO -DHAVE_IO_TIMEOUT" fi diff --git a/src/internal.c b/src/internal.c index 9ba84e1e8..37dc505cd 100644 --- a/src/internal.c +++ b/src/internal.c @@ -25903,33 +25903,49 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType, #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY) { + WOLFSSL_X509_NAME* name = NULL; /* Use a DecodedCert struct to get access to GetName to * parse DN name */ - DecodedCert cert; - WOLFSSL_X509_NAME* name; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert *cert = (DecodedCert *)XMALLOC( + sizeof(*cert), ssl->heap, DYNAMIC_TYPE_DCERT); + if (cert == NULL) + return MEMORY_ERROR; +#else + DecodedCert cert[1]; +#endif - InitDecodedCert(&cert, input + *inOutIdx, dnSz, ssl->heap); + InitDecodedCert(cert, input + *inOutIdx, dnSz, ssl->heap); - if ((ret = GetName(&cert, SUBJECT, dnSz)) != 0) { - FreeDecodedCert(&cert); + ret = GetName(cert, SUBJECT, dnSz); + + if (ret == 0) { + if ((name = wolfSSL_X509_NAME_new()) == NULL) + ret = MEMORY_ERROR; + } + + if (ret == 0) { + CopyDecodedName(name, cert, SUBJECT); + } + + if (ret == 0) { + if (wolfSSL_sk_X509_NAME_push(ssl->ca_names, name) + == WOLFSSL_FAILURE) + { + ret = MEMORY_ERROR; + } + } + + FreeDecodedCert(cert); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT); +#endif + if (ret != 0) { + if (name != NULL) + wolfSSL_X509_NAME_free(name); return ret; } - - if ((name = wolfSSL_X509_NAME_new()) == NULL) { - FreeDecodedCert(&cert); - return MEMORY_ERROR; - } - - CopyDecodedName(name, &cert, SUBJECT); - - if (wolfSSL_sk_X509_NAME_push(ssl->ca_names, name) - == WOLFSSL_FAILURE) { - FreeDecodedCert(&cert); - wolfSSL_X509_NAME_free(name); - return MEMORY_ERROR; - } - - FreeDecodedCert(&cert); } #endif diff --git a/src/ocsp.c b/src/ocsp.c index d29cb54cc..e31ef23f7 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -593,12 +593,16 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( const WOLFSSL_EVP_MD *dgst, const WOLFSSL_X509 *subject, const WOLFSSL_X509 *issuer) { - WOLFSSL_OCSP_CERTID* certId; - CertStatus* certStatus; - DecodedCert cert; - WOLFSSL_CERT_MANAGER* cm; - int ret; + WOLFSSL_OCSP_CERTID* certId = NULL; + CertStatus* certStatus = NULL; + WOLFSSL_CERT_MANAGER* cm = NULL; + int ret = -1; DerBuffer* derCert = NULL; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert *cert = NULL; +#else + DecodedCert cert[1]; +#endif (void)dgst; @@ -606,7 +610,13 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( if (cm == NULL || subject == NULL || subject->derCert == NULL || issuer == NULL || issuer->derCert == NULL) - return NULL; + goto out; + +#ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert *)XMALLOC(sizeof(*cert), cm->heap, DYNAMIC_TYPE_DCERT); + if (cert == NULL) + goto out; +#endif ret = AllocDer(&derCert, issuer->derCert->length, issuer->derCert->type, NULL); @@ -616,48 +626,63 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id( issuer->derCert->length); ret = AddCA(cm, &derCert, WOLFSSL_USER_CA, 1); if (ret != WOLFSSL_SUCCESS) { - wolfSSL_CertManagerFree(cm); - return NULL; + goto out; } + derCert = NULL; } - certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), NULL, - DYNAMIC_TYPE_OPENSSL); - certStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, - DYNAMIC_TYPE_OPENSSL); + ret = -1; - if (certId == NULL || certStatus == NULL) { - if (certId) - XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); + certId = (WOLFSSL_OCSP_CERTID*)XMALLOC(sizeof(WOLFSSL_OCSP_CERTID), + cm->heap, DYNAMIC_TYPE_OPENSSL); + if (certId == NULL) + goto out; + + certStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), cm->heap, + DYNAMIC_TYPE_OPENSSL); + if (certStatus == NULL) + goto out; + + XMEMSET(certId, 0, sizeof(WOLFSSL_OCSP_CERTID)); + XMEMSET(certStatus, 0, sizeof(CertStatus)); + + certId->status = certStatus; + certId->ownStatus = 1; + + InitDecodedCert(cert, subject->derCert->buffer, + subject->derCert->length, NULL); + if (ParseCertRelative(cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) { + goto out; + } + else { + XMEMCPY(certId->issuerHash, cert->issuerHash, OCSP_DIGEST_SIZE); + XMEMCPY(certId->issuerKeyHash, cert->issuerKeyHash, OCSP_DIGEST_SIZE); + XMEMCPY(certId->status->serial, cert->serial, cert->serialSz); + certId->status->serialSz = cert->serialSz; + FreeDecodedCert(cert); + } + + ret = 0; + +out: + + if (ret != 0) { + if (derCert != NULL) + FreeDer(&derCert); + if (certId != NULL) + XFREE(certId, cm->heap, DYNAMIC_TYPE_OPENSSL); if (certStatus) - XFREE(certStatus, NULL, DYNAMIC_TYPE_OPENSSL); - - certId = NULL; + XFREE(certStatus, cm->heap, DYNAMIC_TYPE_OPENSSL); + return NULL; } - if (certId != NULL) { - XMEMSET(certId, 0, sizeof(WOLFSSL_OCSP_CERTID)); - XMEMSET(certStatus, 0, sizeof(CertStatus)); +#ifdef WOLFSSL_SMALL_STACK + if (cert != NULL) + XFREE(cert, cm->heap, DYNAMIC_TYPE_DCERT); +#endif - certId->status = certStatus; - certId->ownStatus = 1; - - InitDecodedCert(&cert, subject->derCert->buffer, - subject->derCert->length, NULL); - if (ParseCertRelative(&cert, CERT_TYPE, VERIFY_OCSP, cm) != 0) { - XFREE(certId, NULL, DYNAMIC_TYPE_OPENSSL); - certId = NULL; - } - else { - XMEMCPY(certId->issuerHash, cert.issuerHash, OCSP_DIGEST_SIZE); - XMEMCPY(certId->issuerKeyHash, cert.issuerKeyHash, OCSP_DIGEST_SIZE); - XMEMCPY(certId->status->serial, cert.serial, cert.serialSz); - certId->status->serialSz = cert.serialSz; - } - FreeDecodedCert(&cert); - } - - wolfSSL_CertManagerFree(cm); + if (cm != NULL) + wolfSSL_CertManagerFree(cm); return certId; } @@ -672,23 +697,42 @@ void wolfSSL_OCSP_BASICRESP_free(WOLFSSL_OCSP_BASICRESP* basicResponse) int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs, WOLF_STACK_OF(WOLFSSL_X509) *certs, WOLFSSL_X509_STORE *st, unsigned long flags) { - DecodedCert cert; - int ret = WOLFSSL_SUCCESS; + int ret; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert *cert = (DecodedCert *) + XMALLOC(sizeof(*cert), (st && st->cm) ? st->cm->heap : NULL, + DYNAMIC_TYPE_DCERT); + if (cert == NULL) + return WOLFSSL_FAILURE; +#else + DecodedCert cert[1]; +#endif (void)certs; - if (flags & OCSP_NOVERIFY) - return WOLFSSL_SUCCESS; + if (flags & OCSP_NOVERIFY) { + ret = WOLFSSL_SUCCESS; + goto out; + } #ifdef OPENSSL_EXTRA - if (bs->verifyError != OCSP_VERIFY_ERROR_NONE) - return WOLFSSL_FAILURE; + if (bs->verifyError != OCSP_VERIFY_ERROR_NONE) { + ret = WOLFSSL_FAILURE; + goto out; + } #endif - InitDecodedCert(&cert, bs->cert, bs->certSz, NULL); - if (ParseCertRelative(&cert, CERT_TYPE, VERIFY, st->cm) < 0) + ret = WOLFSSL_SUCCESS; + InitDecodedCert(cert, bs->cert, bs->certSz, NULL); + if (ParseCertRelative(cert, CERT_TYPE, VERIFY, st->cm) < 0) ret = WOLFSSL_FAILURE; - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + +out: + +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, (st && st->cm) ? st->cm->heap : NULL, DYNAMIC_TYPE_DCERT); +#endif return ret; } diff --git a/src/pk.c b/src/pk.c index 4d8c162c6..aff129669 100644 --- a/src/pk.c +++ b/src/pk.c @@ -4106,8 +4106,17 @@ int wolfSSL_RSA_GenAdd(WOLFSSL_RSA* rsa) { int ret = 1; int err; - mp_int tmp; mp_int* t = NULL; +#ifdef WOLFSSL_SMALL_STACK + mp_int *tmp = (mp_int *)XMALLOC(sizeof(*tmp), rsa->heap, + DYNAMIC_TYPE_TMP_BUFFER); + if (tmp == NULL) { + WOLFSSL_MSG("out of memory"); + return -1; + } +#else + mp_int tmp[1]; +#endif WOLFSSL_ENTER("wolfSSL_RsaGenAdd"); @@ -4120,17 +4129,17 @@ int wolfSSL_RSA_GenAdd(WOLFSSL_RSA* rsa) if (ret == 1) { /* Initialize temp MP integer. */ - if (mp_init(&tmp) != MP_OKAY) { + if (mp_init(tmp) != MP_OKAY) { WOLFSSL_MSG("mp_init error"); ret = -1; } } if (ret == 1) { - t = &tmp; + t = tmp; /* Sub 1 from p into temp. */ - err = mp_sub_d((mp_int*)rsa->p->internal, 1, &tmp); + err = mp_sub_d((mp_int*)rsa->p->internal, 1, tmp); if (err != MP_OKAY) { WOLFSSL_MSG("mp_sub_d error"); ret = -1; @@ -4138,7 +4147,7 @@ int wolfSSL_RSA_GenAdd(WOLFSSL_RSA* rsa) } if (ret == 1) { /* Calculate d mod (p - 1) into dmp1 MP integer of BN. */ - err = mp_mod((mp_int*)rsa->d->internal, &tmp, + err = mp_mod((mp_int*)rsa->d->internal, tmp, (mp_int*)rsa->dmp1->internal); if (err != MP_OKAY) { WOLFSSL_MSG("mp_mod error"); @@ -4147,7 +4156,7 @@ int wolfSSL_RSA_GenAdd(WOLFSSL_RSA* rsa) } if (ret == 1) { /* Sub 1 from q into temp. */ - err = mp_sub_d((mp_int*)rsa->q->internal, 1, &tmp); + err = mp_sub_d((mp_int*)rsa->q->internal, 1, tmp); if (err != MP_OKAY) { WOLFSSL_MSG("mp_sub_d error"); ret = -1; @@ -4155,7 +4164,7 @@ int wolfSSL_RSA_GenAdd(WOLFSSL_RSA* rsa) } if (ret == 1) { /* Calculate d mod (q - 1) into dmq1 MP integer of BN. */ - err = mp_mod((mp_int*)rsa->d->internal, &tmp, + err = mp_mod((mp_int*)rsa->d->internal, tmp, (mp_int*)rsa->dmq1->internal); if (err != MP_OKAY) { WOLFSSL_MSG("mp_mod error"); @@ -4165,6 +4174,10 @@ int wolfSSL_RSA_GenAdd(WOLFSSL_RSA* rsa) mp_clear(t); +#ifdef WOLFSSL_SMALL_STACK + XFREE(tmp, rsa->heap, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return ret; } @@ -6488,7 +6501,7 @@ int wolfSSL_DH_size(WOLFSSL_DH* dh) */ WOLFSSL_BIGNUM* wolfSSL_DH_768_prime(WOLFSSL_BIGNUM* bn) { - const char prm[] = { + static const char prm[] = { "FFFFFFFFFFFFFFFFC90FDAA22168C234" "C4C6628B80DC1CD129024E088A67CC74" "020BBEA63B139B22514A08798E3404DD" @@ -6516,7 +6529,7 @@ WOLFSSL_BIGNUM* wolfSSL_DH_768_prime(WOLFSSL_BIGNUM* bn) */ WOLFSSL_BIGNUM* wolfSSL_DH_1024_prime(WOLFSSL_BIGNUM* bn) { - const char prm[] = { + static const char prm[] = { "FFFFFFFFFFFFFFFFC90FDAA22168C234" "C4C6628B80DC1CD129024E088A67CC74" "020BBEA63B139B22514A08798E3404DD" @@ -6546,7 +6559,7 @@ WOLFSSL_BIGNUM* wolfSSL_DH_1024_prime(WOLFSSL_BIGNUM* bn) */ WOLFSSL_BIGNUM* wolfSSL_DH_1536_prime(WOLFSSL_BIGNUM* bn) { - const char prm[] = { + static const char prm[] = { "FFFFFFFFFFFFFFFFC90FDAA22168C234" "C4C6628B80DC1CD129024E088A67CC74" "020BBEA63B139B22514A08798E3404DD" @@ -6580,7 +6593,7 @@ WOLFSSL_BIGNUM* wolfSSL_DH_1536_prime(WOLFSSL_BIGNUM* bn) */ WOLFSSL_BIGNUM* wolfSSL_DH_2048_prime(WOLFSSL_BIGNUM* bn) { - const char prm[] = { + static const char prm[] = { "FFFFFFFFFFFFFFFFC90FDAA22168C234" "C4C6628B80DC1CD129024E088A67CC74" "020BBEA63B139B22514A08798E3404DD" @@ -6618,7 +6631,7 @@ WOLFSSL_BIGNUM* wolfSSL_DH_2048_prime(WOLFSSL_BIGNUM* bn) */ WOLFSSL_BIGNUM* wolfSSL_DH_3072_prime(WOLFSSL_BIGNUM* bn) { - const char prm[] = { + static const char prm[] = { "FFFFFFFFFFFFFFFFC90FDAA22168C234" "C4C6628B80DC1CD129024E088A67CC74" "020BBEA63B139B22514A08798E3404DD" @@ -6664,7 +6677,7 @@ WOLFSSL_BIGNUM* wolfSSL_DH_3072_prime(WOLFSSL_BIGNUM* bn) */ WOLFSSL_BIGNUM* wolfSSL_DH_4096_prime(WOLFSSL_BIGNUM* bn) { - const char prm[] = { + static const char prm[] = { "FFFFFFFFFFFFFFFFC90FDAA22168C234" "C4C6628B80DC1CD129024E088A67CC74" "020BBEA63B139B22514A08798E3404DD" @@ -6718,7 +6731,7 @@ WOLFSSL_BIGNUM* wolfSSL_DH_4096_prime(WOLFSSL_BIGNUM* bn) */ WOLFSSL_BIGNUM* wolfSSL_DH_6144_prime(WOLFSSL_BIGNUM* bn) { - const char prm[] = { + static const char prm[] = { "FFFFFFFFFFFFFFFFC90FDAA22168C234" "C4C6628B80DC1CD129024E088A67CC74" "020BBEA63B139B22514A08798E3404DD" @@ -6789,7 +6802,7 @@ WOLFSSL_BIGNUM* wolfSSL_DH_6144_prime(WOLFSSL_BIGNUM* bn) */ WOLFSSL_BIGNUM* wolfSSL_DH_8192_prime(WOLFSSL_BIGNUM* bn) { - const char prm[] = { + static const char prm[] = { "FFFFFFFFFFFFFFFFC90FDAA22168C234" "C4C6628B80DC1CD129024E088A67CC74" "020BBEA63B139B22514A08798E3404DD" @@ -9100,23 +9113,39 @@ int NIDToEccEnum(int n) int wolfSSL_EC_GROUP_order_bits(const WOLFSSL_EC_GROUP *group) { - int ret; - mp_int order; + int ret = 0; +#ifdef WOLFSSL_SMALL_STACK + mp_int *order = (mp_int *)XMALLOC(sizeof(*order), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (order == NULL) + return 0; +#else + mp_int order[1]; +#endif if (group == NULL || group->curve_idx < 0) { WOLFSSL_MSG("wolfSSL_EC_GROUP_order_bits NULL error"); - return 0; + ret = -1; } - ret = mp_init(&order); + if (ret == 0) + ret = mp_init(order); + if (ret == 0) { - ret = mp_read_radix(&order, ecc_sets[group->curve_idx].order, + ret = mp_read_radix(order, ecc_sets[group->curve_idx].order, MP_RADIX_HEX); if (ret == 0) - ret = mp_count_bits(&order); - mp_clear(&order); + ret = mp_count_bits(order); + mp_clear(order); } +#ifdef WOLFSSL_SMALL_STACK + XFREE(order, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + if (ret == -1) + ret = 0; + return ret; } #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ diff --git a/src/quic.c b/src/quic.c index f32ce693c..0912a186d 100644 --- a/src/quic.c +++ b/src/quic.c @@ -692,7 +692,8 @@ cleanup: /* Called internally when SSL wants a certain amount of input. */ int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz) { - word32 n, transferred = 0; + word32 n = 0; + int transferred = 0; WOLFSSL_ENTER("wolfSSL_quic_receive"); while (sz > 0) { @@ -975,14 +976,29 @@ const WOLFSSL_EVP_CIPHER* wolfSSL_quic_get_hp(WOLFSSL* ssl) size_t wolfSSL_quic_get_aead_tag_len(const WOLFSSL_EVP_CIPHER* aead_cipher) { - WOLFSSL_EVP_CIPHER_CTX ctx; - - XMEMSET(&ctx, 0, sizeof(ctx)); - if (wolfSSL_EVP_CipherInit(&ctx, aead_cipher, NULL, NULL, 0) - != WOLFSSL_SUCCESS) { + size_t ret; +#ifdef WOLFSSL_SMALL_STACK + WOLFSSL_EVP_CIPHER_CTX *ctx = (WOLFSSL_EVP_CIPHER_CTX *)XMALLOC( + sizeof(*ctx), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (ctx == NULL) return 0; +#else + WOLFSSL_EVP_CIPHER_CTX ctx[1]; +#endif + + XMEMSET(ctx, 0, sizeof(*ctx)); + if (wolfSSL_EVP_CipherInit(ctx, aead_cipher, NULL, NULL, 0) + == WOLFSSL_SUCCESS) { + ret = ctx->authTagSz; + } else { + ret = 0; } - return ctx.authTagSz; + +#ifdef WOLFSSL_SMALL_STACK + XFREE(ctx, NULL, DYNAMIC_TYPE_TMP_BUF); +#endif + + return ret; } int wolfSSL_quic_aead_is_gcm(const WOLFSSL_EVP_CIPHER* aead_cipher) diff --git a/src/ssl.c b/src/ssl.c index d70ad7124..e10afc6de 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -32965,7 +32965,11 @@ static int wolfSSL_TicketKeyCb(WOLFSSL* ssl, int encTicketLen, int* encLen, void* ctx) { byte digest[WC_MAX_DIGEST_SIZE]; - WOLFSSL_EVP_CIPHER_CTX evpCtx; +#ifdef WOLFSSL_SMALL_STACK + WOLFSSL_EVP_CIPHER_CTX *evpCtx; +#else + WOLFSSL_EVP_CIPHER_CTX evpCtx[1]; +#endif WOLFSSL_HMAC_CTX hmacCtx; unsigned int mdSz = 0; int len = 0; @@ -32981,14 +32985,26 @@ static int wolfSSL_TicketKeyCb(WOLFSSL* ssl, return WOLFSSL_TICKET_RET_FATAL; } +#ifdef WOLFSSL_SMALL_STACK + evpCtx = (WOLFSSL_EVP_CIPHER_CTX *)XMALLOC(sizeof(*evpCtx), ssl->heap, + DYNAMIC_TYPE_TMP_BUFFER); + if (evpCtx == NULL) { + WOLFSSL_MSG("out of memory"); + return WOLFSSL_TICKET_RET_FATAL; + } +#endif + /* Initialize the cipher and HMAC. */ - wolfSSL_EVP_CIPHER_CTX_init(&evpCtx); + wolfSSL_EVP_CIPHER_CTX_init(evpCtx); if (wolfSSL_HMAC_CTX_Init(&hmacCtx) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("wolfSSL_HMAC_CTX_Init error"); +#ifdef WOLFSSL_SMALL_STACK + XFREE(evpCtx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); +#endif return WOLFSSL_TICKET_RET_FATAL; } res = ssl->ctx->ticketEncWrapCb(ssl, keyName, - iv, &evpCtx, &hmacCtx, enc); + iv, evpCtx, &hmacCtx, enc); if (res != TICKET_KEY_CB_RET_OK && res != TICKET_KEY_CB_RET_RENEW) { WOLFSSL_MSG("Ticket callback error"); ret = WOLFSSL_TICKET_RET_FATAL; @@ -32998,11 +33014,11 @@ static int wolfSSL_TicketKeyCb(WOLFSSL* ssl, if (enc) { /* Encrypt in place. */ - if (!wolfSSL_EVP_CipherUpdate(&evpCtx, encTicket, &len, + if (!wolfSSL_EVP_CipherUpdate(evpCtx, encTicket, &len, encTicket, encTicketLen)) goto end; encTicketLen = len; - if (!wolfSSL_EVP_EncryptFinal(&evpCtx, &encTicket[encTicketLen], &len)) + if (!wolfSSL_EVP_EncryptFinal(evpCtx, &encTicket[encTicketLen], &len)) goto end; /* Total length of encrypted data. */ encTicketLen += len; @@ -33030,11 +33046,11 @@ static int wolfSSL_TicketKeyCb(WOLFSSL* ssl, goto end; /* Decrypt the ticket data in place. */ - if (!wolfSSL_EVP_CipherUpdate(&evpCtx, encTicket, &len, + if (!wolfSSL_EVP_CipherUpdate(evpCtx, encTicket, &len, encTicket, encTicketLen)) goto end; encTicketLen = len; - if (!wolfSSL_EVP_DecryptFinal(&evpCtx, &encTicket[encTicketLen], &len)) + if (!wolfSSL_EVP_DecryptFinal(evpCtx, &encTicket[encTicketLen], &len)) goto end; /* Total length of decrypted data. */ *encLen = encTicketLen + len; @@ -33048,6 +33064,9 @@ static int wolfSSL_TicketKeyCb(WOLFSSL* ssl, end: (void)wc_HmacFree(&hmacCtx.hmac); +#ifdef WOLFSSL_SMALL_STACK + XFREE(evpCtx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); +#endif return ret; } @@ -35659,9 +35678,16 @@ static int wolfSSL_BN_add_word_int(WOLFSSL_BIGNUM *bn, WOLFSSL_BN_ULONG w, { int ret = WOLFSSL_SUCCESS; int rc = 0; - mp_int w_mp; +#ifdef WOLFSSL_SMALL_STACK + mp_int *w_mp = (mp_int *)XMALLOC(sizeof(*w_mp), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (w_mp == NULL) + return WOLFSSL_FAILURE; +#else + mp_int w_mp[1]; +#endif - XMEMSET(&w_mp, 0, sizeof(mp_int)); + XMEMSET(w_mp, 0, sizeof(*w_mp)); if (bn == NULL || bn->internal == NULL) { WOLFSSL_MSG("bn NULL error"); @@ -35684,21 +35710,21 @@ static int wolfSSL_BN_add_word_int(WOLFSSL_BIGNUM *bn, WOLFSSL_BN_ULONG w, } } else { - if (mp_init(&w_mp) != MP_OKAY) { + if (mp_init(w_mp) != MP_OKAY) { ret = WOLFSSL_FAILURE; } if (ret == WOLFSSL_SUCCESS) { - if (mp_set_int(&w_mp, w) != MP_OKAY) { + if (mp_set_int(w_mp, w) != MP_OKAY) { ret = WOLFSSL_FAILURE; } } if (ret == WOLFSSL_SUCCESS) { if (sub == 1) { - rc = mp_sub((mp_int *)bn->internal, &w_mp, + rc = mp_sub((mp_int *)bn->internal, w_mp, (mp_int *)bn->internal); } else { - rc = mp_add((mp_int *)bn->internal, &w_mp, + rc = mp_add((mp_int *)bn->internal, w_mp, (mp_int *)bn->internal); } if (rc != MP_OKAY) { @@ -35709,7 +35735,11 @@ static int wolfSSL_BN_add_word_int(WOLFSSL_BIGNUM *bn, WOLFSSL_BN_ULONG w, } } - mp_free(&w_mp); + mp_free(w_mp); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(w_mp, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif return ret; } @@ -40455,7 +40485,6 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, WOLFSSL_EVP_PKEY** pkey, WOLFSSL_X509** cert, WOLF_STACK_OF(WOLFSSL_X509)** ca) { - DecodedCert DeCert; void* heap = NULL; int ret; byte* certData = NULL; @@ -40463,6 +40492,11 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, byte* pk = NULL; word32 pkSz; WC_DerCertList* certList = NULL; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert *DeCert; +#else + DecodedCert DeCert[1]; +#endif WOLFSSL_ENTER("wolfSSL_PKCS12_parse"); @@ -40491,6 +40525,15 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, return WOLFSSL_FAILURE; } +#ifdef WOLFSSL_SMALL_STACK + DeCert = (DecodedCert *)XMALLOC(sizeof(*DeCert), heap, + DYNAMIC_TYPE_DCERT); + if (DeCert == NULL) { + WOLFSSL_MSG("out of memory"); + return WOLFSSL_FAILURE; + } +#endif + /* Decode cert and place in X509 stack struct */ if (certList != NULL) { WC_DerCertList* current = certList; @@ -40512,7 +40555,8 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, XFREE(current, heap, DYNAMIC_TYPE_PKCS); current = next; } - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; + goto out; } XMEMSET(*ca, 0, sizeof(WOLF_STACK_OF(WOLFSSL_X509))); @@ -40524,16 +40568,16 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap, DYNAMIC_TYPE_X509); InitX509(x509, 1, heap); - InitDecodedCert(&DeCert, current->buffer, current->bufferSz, heap); - if (ParseCertRelative(&DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) { + InitDecodedCert(DeCert, current->buffer, current->bufferSz, heap); + if (ParseCertRelative(DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) { WOLFSSL_MSG("Issue with parsing certificate"); - FreeDecodedCert(&DeCert); + FreeDecodedCert(DeCert); wolfSSL_X509_free(x509); } else { - if (CopyDecodedToX509(x509, &DeCert) != 0) { + if (CopyDecodedToX509(x509, DeCert) != 0) { WOLFSSL_MSG("Failed to copy decoded cert"); - FreeDecodedCert(&DeCert); + FreeDecodedCert(DeCert); wolfSSL_X509_free(x509); wolfSSL_sk_X509_pop_free(*ca, NULL); *ca = NULL; if (pk != NULL) { @@ -40550,9 +40594,10 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, XFREE(current, heap, DYNAMIC_TYPE_PKCS); current = next; } - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; + goto out; } - FreeDecodedCert(&DeCert); + FreeDecodedCert(DeCert); if (wolfSSL_sk_X509_push(*ca, x509) != 1) { WOLFSSL_MSG("Failed to push x509 onto stack"); @@ -40573,7 +40618,8 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, XFREE(current, heap, DYNAMIC_TYPE_PKCS); current = next; } - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; + goto out; } } current = current->next; @@ -40595,16 +40641,17 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, wolfSSL_sk_X509_pop_free(*ca, NULL); *ca = NULL; } XFREE(certData, heap, DYNAMIC_TYPE_PKCS); - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; + goto out; } InitX509(*cert, 1, heap); - InitDecodedCert(&DeCert, certData, certDataSz, heap); - if (ParseCertRelative(&DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) { + InitDecodedCert(DeCert, certData, certDataSz, heap); + if (ParseCertRelative(DeCert, CERT_TYPE, NO_VERIFY, NULL) != 0) { WOLFSSL_MSG("Issue with parsing certificate"); } - if (CopyDecodedToX509(*cert, &DeCert) != 0) { + if (CopyDecodedToX509(*cert, DeCert) != 0) { WOLFSSL_MSG("Failed to copy decoded cert"); - FreeDecodedCert(&DeCert); + FreeDecodedCert(DeCert); if (pk != NULL) { XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY); } @@ -40612,9 +40659,10 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, wolfSSL_sk_X509_pop_free(*ca, NULL); *ca = NULL; } wolfSSL_X509_free(*cert); *cert = NULL; - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; + goto out; } - FreeDecodedCert(&DeCert); + FreeDecodedCert(DeCert); XFREE(certData, heap, DYNAMIC_TYPE_PKCS); } @@ -40629,7 +40677,8 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, wolfSSL_sk_X509_pop_free(*ca, NULL); *ca = NULL; } XFREE(pk, heap, DYNAMIC_TYPE_PUBLIC_KEY); - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; + goto out; } #ifndef NO_RSA @@ -40660,7 +40709,8 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, } wolfSSL_EVP_PKEY_free(*pkey); *pkey = NULL; WOLFSSL_MSG("Bad PKCS12 key format"); - return WOLFSSL_FAILURE; + ret = WOLFSSL_FAILURE; + goto out; } if (pkey != NULL && *pkey != NULL) { @@ -40671,7 +40721,15 @@ int wolfSSL_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw, (void)ret; (void)ca; - return WOLFSSL_SUCCESS; + ret = WOLFSSL_SUCCESS; + +out: + +#ifdef WOLFSSL_SMALL_STACK + XFREE(DeCert, heap, DYNAMIC_TYPE_DCERT); +#endif + + return ret; } int wolfSSL_PKCS12_verify_mac(WC_PKCS12 *pkcs12, const char *psw, diff --git a/src/x509.c b/src/x509.c index db336a2af..bfa5af079 100644 --- a/src/x509.c +++ b/src/x509.c @@ -121,8 +121,12 @@ int wolfSSL_X509_get_ext_count(const WOLFSSL_X509* passedCert) const byte* rawCert; int sz = 0; word32 idx = 0; - DecodedCert cert; const byte* input; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert *cert; +#else + DecodedCert cert[1]; +#endif WOLFSSL_ENTER("wolfSSL_X509_get_ext_count()"); if (passedCert == NULL) { @@ -135,26 +139,33 @@ int wolfSSL_X509_get_ext_count(const WOLFSSL_X509* passedCert) WOLFSSL_MSG("\tpassedCert has no internal DerBuffer set."); return WOLFSSL_FAILURE; } - InitDecodedCert(&cert, rawCert, (word32)outSz, 0); - if (ParseCert(&cert, +#ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert *)XMALLOC(sizeof(*cert), NULL, DYNAMIC_TYPE_DCERT); + if (cert == NULL) { + WOLFSSL_MSG("out of memory"); + return WOLFSSL_FAILURE; + } +#endif + + InitDecodedCert(cert, rawCert, (word32)outSz, 0); + + if (ParseCert(cert, #ifdef WOLFSSL_CERT_REQ passedCert->isCSR ? CERTREQ_TYPE : #endif CA_TYPE, NO_VERIFY, NULL) < 0) { WOLFSSL_MSG("\tCertificate parsing failed"); - FreeDecodedCert(&cert); - return WOLFSSL_FAILURE; + goto out; } - input = cert.extensions; - sz = cert.extensionsSz; + input = cert->extensions; + sz = cert->extensionsSz; if (input == NULL || sz == 0) { WOLFSSL_MSG("\tsz or input NULL error"); - FreeDecodedCert(&cert); - return WOLFSSL_FAILURE; + goto out; } #ifdef WOLFSSL_CERT_REQ @@ -163,33 +174,36 @@ int wolfSSL_X509_get_ext_count(const WOLFSSL_X509* passedCert) { if (input[idx++] != ASN_EXTENSIONS) { WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); - FreeDecodedCert(&cert); - return WOLFSSL_FAILURE; + goto out; } if (GetLength(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: invalid length"); - FreeDecodedCert(&cert); - return WOLFSSL_FAILURE; + goto out; } } if (GetSequence(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)"); - FreeDecodedCert(&cert); - return WOLFSSL_FAILURE; + goto out; } while (idx < (word32)sz) { if (GetSequence(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: should be a SEQUENCE"); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); return WOLFSSL_FAILURE; } idx += length; extCount++; } - FreeDecodedCert(&cert); + +out: + + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); +#endif return extCount; } @@ -1709,7 +1723,11 @@ int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos) const byte* rawCert; const byte* input; word32 oid, idx = 0, tmpIdx = 0, foundNID; - DecodedCert cert; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert *cert; +#else + DecodedCert cert[1]; +#endif WOLFSSL_ENTER("wolfSSL_X509_get_ext_by_NID"); @@ -1731,26 +1749,33 @@ int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos) return WOLFSSL_FATAL_ERROR; } - InitDecodedCert( &cert, rawCert, (word32)outSz, 0); +#ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert *)XMALLOC(sizeof(*cert), x509->heap, + DYNAMIC_TYPE_DCERT); + if (cert == NULL) { + WOLFSSL_MSG("\tout of memory"); + return WOLFSSL_FATAL_ERROR; + } +#endif - if (ParseCert(&cert, + InitDecodedCert( cert, rawCert, (word32)outSz, 0); + + if (ParseCert(cert, #ifdef WOLFSSL_CERT_REQ x509->isCSR ? CERTREQ_TYPE : #endif CA_TYPE, NO_VERIFY, NULL) < 0) { WOLFSSL_MSG("\tCertificate parsing failed"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; + goto out; } - input = cert.extensions; - sz = cert.extensionsSz; + input = cert->extensions; + sz = cert->extensionsSz; if (input == NULL || sz == 0) { WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; + goto out; } #ifdef WOLFSSL_CERT_REQ @@ -1759,21 +1784,18 @@ int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos) { if (input[idx++] != ASN_EXTENSIONS) { WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; + goto out; } if (GetLength(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: invalid length"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; + goto out; } } if (GetSequence(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; + goto out; } while (idx < (word32)sz) { @@ -1781,16 +1803,14 @@ int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos) if (GetSequence(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: should be a SEQUENCE"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; + goto out; } tmpIdx = idx; ret = GetObjectId(input, &idx, &oid, oidCertExtType, sz); if (ret < 0) { WOLFSSL_MSG("\tfail: OBJECT ID"); - FreeDecodedCert(&cert); - return WOLFSSL_FATAL_ERROR; + goto out; } idx = tmpIdx; foundNID = (word32)oid2nid(oid, oidCertExtType); @@ -1809,7 +1829,12 @@ int wolfSSL_X509_get_ext_by_NID(const WOLFSSL_X509* x509, int nid, int lastPos) extCount++; } /* while(idx < sz) */ - FreeDecodedCert(&cert); +out: + + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, x509->heap, DYNAMIC_TYPE_DCERT); +#endif return found ? extCount : WOLFSSL_FATAL_ERROR; } @@ -11807,7 +11832,11 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername) { int ret; - DecodedCert dCert; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert *dCert; +#else + DecodedCert dCert[1]; +#endif WOLFSSL_ENTER("wolfSSL_X509_check_host"); @@ -11829,15 +11858,30 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen, return WOLFSSL_FAILURE; } - InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL); - ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL); +#ifdef WOLFSSL_SMALL_STACK + dCert = (DecodedCert *)XMALLOC(sizeof(*dCert), x->heap, + DYNAMIC_TYPE_DCERT); + if (dCert == NULL) { + WOLFSSL_MSG("\tout of memory"); + return WOLFSSL_FATAL_ERROR; + } +#endif + + InitDecodedCert(dCert, x->derCert->buffer, x->derCert->length, NULL); + ret = ParseCertRelative(dCert, CERT_TYPE, 0, NULL); if (ret != 0) { - FreeDecodedCert(&dCert); - return WOLFSSL_FAILURE; + goto out; } - ret = CheckHostName(&dCert, (char *)chk, chklen); - FreeDecodedCert(&dCert); + ret = CheckHostName(dCert, (char *)chk, chklen); + +out: + + FreeDecodedCert(dCert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(dCert, x->heap, DYNAMIC_TYPE_DCERT); +#endif + if (ret != 0) return WOLFSSL_FAILURE; return WOLFSSL_SUCCESS; @@ -11848,7 +11892,11 @@ int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc, unsigned int flags) { int ret = WOLFSSL_FAILURE; - DecodedCert dCert; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert *dCert = NULL; +#else + DecodedCert dCert[1]; +#endif WOLFSSL_ENTER("wolfSSL_X509_check_ip_asc"); @@ -11862,14 +11910,25 @@ int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc, ret = WOLFSSL_SUCCESS; } +#ifdef WOLFSSL_SMALL_STACK if (ret == WOLFSSL_SUCCESS) { - InitDecodedCert(&dCert, x->derCert->buffer, x->derCert->length, NULL); - ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL); + dCert = (DecodedCert *)XMALLOC(sizeof(*dCert), x->heap, + DYNAMIC_TYPE_DCERT); + if (dCert == NULL) { + WOLFSSL_MSG("\tout of memory"); + ret = WOLFSSL_FAILURE; + } + } +#endif + + if (ret == WOLFSSL_SUCCESS) { + InitDecodedCert(dCert, x->derCert->buffer, x->derCert->length, NULL); + ret = ParseCertRelative(dCert, CERT_TYPE, 0, NULL); if (ret != 0) { ret = WOLFSSL_FAILURE; } else { - ret = CheckIPAddr(&dCert, ipasc); + ret = CheckIPAddr(dCert, ipasc); if (ret != 0) { ret = WOLFSSL_FAILURE; } @@ -11877,9 +11936,14 @@ int wolfSSL_X509_check_ip_asc(WOLFSSL_X509 *x, const char *ipasc, ret = WOLFSSL_SUCCESS; } } - FreeDecodedCert(&dCert); + FreeDecodedCert(dCert); } +#ifdef WOLFSSL_SMALL_STACK + if (dCert != NULL) + XFREE(dCert, x->heap, DYNAMIC_TYPE_DCERT); +#endif + return ret; } #endif diff --git a/tests/quic.c b/tests/quic.c index c090752b2..d47f1f63e 100644 --- a/tests/quic.c +++ b/tests/quic.c @@ -413,7 +413,7 @@ static int ctx_set_encryption_secrets(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL lev static int ctx_add_handshake_data(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, const uint8_t *data, size_t len); static int ctx_flush_flight(WOLFSSL *ssl); -static int ctx_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t alert); +static int ctx_send_alert(WOLFSSL *ssl, WOLFSSL_ENCRYPTION_LEVEL level, uint8_t err); #ifdef HAVE_SESSION_TICKET static int ctx_session_ticket_cb(WOLFSSL* ssl, const unsigned char* ticket, int ticketSz, @@ -793,7 +793,7 @@ static void check_crypto_rec(const byte *data, size_t data_len, int verbose, int } } -static void check_crypto_records(QuicTestContext *from, OutputBuffer *out, int indent, char *rec_log) +static void check_crypto_records(QuicTestContext *from, OutputBuffer *out, int indent, char *rec_log, size_t rec_log_size) { const byte *data = out->data; size_t data_len = out->len; @@ -843,8 +843,8 @@ static void check_crypto_records(QuicTestContext *from, OutputBuffer *out, int i } if (rec_log) { - if (*rec_log) strcat(rec_log, ":"); - strcat(rec_log, rec_name); + if (*rec_log) XSTRLCAT(rec_log, ":", rec_log_size); + XSTRLCAT(rec_log, rec_name, rec_log_size); } if (from->verbose) printf("%*sCRYPTO[%s]: ", indent, " ", rec_name); check_rec(data, rec_len, from->verbose, indent); @@ -854,7 +854,7 @@ static void check_crypto_records(QuicTestContext *from, OutputBuffer *out, int i } } -static void QuicTestContext_forward(QuicTestContext *from, QuicTestContext *to, char *rec_log) +static void QuicTestContext_forward(QuicTestContext *from, QuicTestContext *to, char *rec_log, size_t rec_log_size) { int ret; OutputBuffer *out, *old; @@ -869,7 +869,7 @@ static void QuicTestContext_forward(QuicTestContext *from, QuicTestContext *to, if (from->verbose) dump_buffer("EarlyData", out->data, out->len, 4); } else { - check_crypto_records(from, out, 4, rec_log); + check_crypto_records(from, out, 4, rec_log, rec_log_size); } ret = wolfSSL_provide_quic_data(to->ssl, out->level, out->data, out->len); out->len = 0; @@ -951,7 +951,7 @@ static int QuicConversation_step(QuicConversation *conv) conv->started = 1; } if (conv->server->output.len > 0) { - QuicTestContext_forward(conv->server, conv->client, conv->rec_log); + QuicTestContext_forward(conv->server, conv->client, conv->rec_log, sizeof(conv->rec_log)); n = wolfSSL_quic_read_write(conv->client->ssl); if (n != WOLFSSL_SUCCESS) { AssertIntEQ(wolfSSL_get_error(conv->client->ssl, 0), SSL_ERROR_WANT_READ); @@ -959,7 +959,7 @@ static int QuicConversation_step(QuicConversation *conv) return 1; } else if (conv->client->output.len > 0) { - QuicTestContext_forward(conv->client, conv->server, conv->rec_log); + QuicTestContext_forward(conv->client, conv->server, conv->rec_log, sizeof(conv->rec_log)); #ifdef WOLFSSL_EARLY_DATA if (conv->accept_early_data) { int written; diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index b5c789d58..41eecac29 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -7111,7 +7111,7 @@ int ecc_mul2add(ecc_point* A, mp_int* kA, #endif { #ifdef WOLFSSL_SMALL_STACK_CACHE - ecc_key key; + ecc_key *key = NULL; #endif #ifdef WOLFSSL_SMALL_STACK ecc_point** precomp = NULL; @@ -7152,24 +7152,35 @@ int ecc_mul2add(ecc_point* A, mp_int* kA, #endif #ifdef WOLFSSL_SMALL_STACK + #ifdef WOLFSSL_SMALL_STACK_CACHE + key = (ecc_key *)XMALLOC(sizeof(*key), heap, DYNAMIC_TYPE_ECC_BUFFER); + if (key == NULL) { + XFREE(tB, heap, DYNAMIC_TYPE_ECC_BUFFER); + XFREE(tA, heap, DYNAMIC_TYPE_ECC_BUFFER); + return GEN_MEM_ERR; + } + #endif precomp = (ecc_point**)XMALLOC(sizeof(ecc_point*) * SHAMIR_PRECOMP_SZ, heap, DYNAMIC_TYPE_ECC_BUFFER); if (precomp == NULL) { XFREE(tB, heap, DYNAMIC_TYPE_ECC_BUFFER); XFREE(tA, heap, DYNAMIC_TYPE_ECC_BUFFER); + #ifdef WOLFSSL_SMALL_STACK_CACHE + XFREE(key, heap, DYNAMIC_TYPE_ECC_BUFFER); + #endif return GEN_MEM_ERR; } #endif #ifdef WOLFSSL_SMALL_STACK_CACHE - key.t1 = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC); - key.t2 = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC); + key->t1 = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC); + key->t2 = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC); #ifdef ALT_ECC_SIZE key.x = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC); key.y = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC); key.z = (mp_int*)XMALLOC(sizeof(mp_int), heap, DYNAMIC_TYPE_ECC); #endif - if (key.t1 == NULL || key.t2 == NULL + if (key->t1 == NULL || key->t2 == NULL #ifdef ALT_ECC_SIZE || key.x == NULL || key.y == NULL || key.z == NULL #endif @@ -7179,14 +7190,15 @@ int ecc_mul2add(ecc_point* A, mp_int* kA, XFREE(key.y, heap, DYNAMIC_TYPE_ECC); XFREE(key.x, heap, DYNAMIC_TYPE_ECC); #endif - XFREE(key.t2, heap, DYNAMIC_TYPE_ECC); - XFREE(key.t1, heap, DYNAMIC_TYPE_ECC); + XFREE(key->t2, heap, DYNAMIC_TYPE_ECC); + XFREE(key->t1, heap, DYNAMIC_TYPE_ECC); XFREE(precomp, heap, DYNAMIC_TYPE_ECC_BUFFER); XFREE(tB, heap, DYNAMIC_TYPE_ECC_BUFFER); XFREE(tA, heap, DYNAMIC_TYPE_ECC_BUFFER); + XFREE(key, heap, DYNAMIC_TYPE_ECC_BUFFER); return MEMORY_E; } - C->key = &key; + C->key = key; #endif /* WOLFSSL_SMALL_STACK_CACHE */ /* init variables */ @@ -7230,7 +7242,7 @@ int ecc_mul2add(ecc_point* A, mp_int* kA, if (err != MP_OKAY) break; #ifdef WOLFSSL_SMALL_STACK_CACHE - precomp[x]->key = &key; + precomp[x]->key = key; #endif } } @@ -7399,8 +7411,9 @@ int ecc_mul2add(ecc_point* A, mp_int* kA, XFREE(key.y, heap, DYNAMIC_TYPE_ECC); XFREE(key.x, heap, DYNAMIC_TYPE_ECC); #endif - XFREE(key.t2, heap, DYNAMIC_TYPE_ECC); - XFREE(key.t1, heap, DYNAMIC_TYPE_ECC); + XFREE(key->t2, heap, DYNAMIC_TYPE_ECC); + XFREE(key->t1, heap, DYNAMIC_TYPE_ECC); + XFREE(key, heap, DYNAMIC_TYPE_ECC); C->key = NULL; #endif #ifdef WOLFSSL_SMALL_STACK diff --git a/wolfcrypt/src/sakke.c b/wolfcrypt/src/sakke.c index 174b69bc0..0c1ef26c2 100644 --- a/wolfcrypt/src/sakke.c +++ b/wolfcrypt/src/sakke.c @@ -1885,15 +1885,27 @@ static int sakke_accumulate_line_add_one(mp_proj* v, mp_int* prime, mp_digit mp, static int sakke_accumulate_line_dbl(mp_proj* v, ecc_point* p, ecc_point* q, mp_int* prime, mp_digit mp, mp_proj* r, mp_int** t) { - int err; + int err = 0; mp_int* t1 = t[0]; mp_int* t2 = r->z; mp_int* z2 = t[1]; +#ifdef WOLFSSL_SMALL_STACK + mp_int* l = NULL; + mp_int* ty = NULL; + l = (mp_int *)XMALLOC(sizeof(*l), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (l == NULL) + err = 1; + ty = (mp_int *)XMALLOC(sizeof(*ty), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (ty == NULL) + err = 1; +#else mp_int tmp[2]; mp_int* l = &tmp[0]; mp_int* ty = &tmp[1]; +#endif - err = mp_init(l); + if (err == 0) + err = mp_init(l); if (err == 0) { err = mp_init(ty); } @@ -1985,8 +1997,19 @@ static int sakke_accumulate_line_dbl(mp_proj* v, ecc_point* p, ecc_point* q, err = sakke_submod(p->y, t2, prime, p->y); } +#ifdef WOLFSSL_SMALL_STACK + if (ty != NULL) { + mp_free(ty); + XFREE(ty, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + if (l != NULL) { + mp_free(l); + XFREE(l, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } +#else mp_free(ty); mp_free(l); +#endif return err; } @@ -2018,16 +2041,36 @@ static int sakke_accumulate_line_dbl(mp_proj* v, ecc_point* p, ecc_point* q, static int sakke_accumulate_line_add_one(mp_proj* v, mp_int* prime, mp_digit mp, ecc_point* p, ecc_point* q, ecc_point* c, mp_proj* r, mp_int** t) { - int err; + int err = 0; mp_int* t1 = t[0]; mp_int* t2 = t[1]; +#ifdef WOLFSSL_SMALL_STACK + mp_int* h = NULL; + mp_int* ty = NULL; + mp_int* tz = NULL; + mp_int* t3 = NULL; + h = (mp_int *)XMALLOC(sizeof(*h), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (h == NULL) + err = 1; + ty = (mp_int *)XMALLOC(sizeof(*ty), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (ty == NULL) + err = 1; + tz = (mp_int *)XMALLOC(sizeof(*tz), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (tz == NULL) + err = 1; + t3 = (mp_int *)XMALLOC(sizeof(*t3), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (t3 == NULL) + err = 1; +#else mp_int tmp[4]; mp_int* h = &tmp[0]; mp_int* ty = &tmp[1]; mp_int* tz = &tmp[2]; mp_int* t3 = &tmp[3]; +#endif - err = mp_init_multi(h, ty, tz, t3, NULL, NULL); + if (err == 0) + err = mp_init_multi(h, ty, tz, t3, NULL, NULL); /* r.x = (q.x + p.x) * c.y */ if (err == 0) { @@ -2135,10 +2178,29 @@ static int sakke_accumulate_line_add_one(mp_proj* v, mp_int* prime, mp_digit mp, err = sakke_addmod(t3, t2, prime, c->y); } +#ifdef WOLFSSL_SMALL_STACK + if (t3 != NULL) { + mp_free(t3); + XFREE(t3, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + if (tz != NULL) { + mp_free(tz); + XFREE(tz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + if (ty != NULL) { + mp_free(ty); + XFREE(ty, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + if (h != NULL) { + mp_free(h); + XFREE(h, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } +#else mp_free(t3); mp_free(tz); mp_free(ty); mp_free(h); +#endif return err; } diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 2429d2fcf..12f667240 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -29532,82 +29532,95 @@ static int eccsi_enc_dec_pair_test(EccsiKey* priv, mp_int* ssk, ecc_point* pvt) int ret; byte data[32 * 3]; word32 sz; - mp_int decSsk; ecc_point* decPvt = NULL; +#ifdef WOLFSSL_SMALL_STACK + mp_int *decSsk = (mp_int *)XMALLOC(sizeof(*decSsk), HEAP_HINT, + DYNAMIC_TYPE_TMP_BUFFER); + if (decSsk == NULL) + return -10173; +#else + mp_int decSsk[1]; +#endif - ret = mp_init(&decSsk); + ret = mp_init(decSsk); if (ret != 0) - return -10117; + ERROR_OUT(-10117, out); decPvt = wc_ecc_new_point(); if (decPvt == NULL) - return -10118; + ERROR_OUT(-10118, out); ret = wc_EncodeEccsiPair(priv, ssk, pvt, NULL, &sz); if (ret != LENGTH_ONLY_E) - return -10119; + ERROR_OUT(-10119, out); if (sz != 32 * 3) - return -10120; + ERROR_OUT(-10120, out); ret = wc_EncodeEccsiPair(priv, ssk, pvt, data, &sz); if (ret != 0) - return -10121; + ERROR_OUT(-10121, out); if (sz != 32* 3) - return -10122; - ret = wc_DecodeEccsiPair(priv, data, sz, &decSsk, decPvt); + ERROR_OUT(-10122, out); + ret = wc_DecodeEccsiPair(priv, data, sz, decSsk, decPvt); if (ret != 0) - return -10123; - if (mp_cmp(ssk, &decSsk) != MP_EQ) - return -10124; + ERROR_OUT(-10123, out); + if (mp_cmp(ssk, decSsk) != MP_EQ) + ERROR_OUT(-10124, out); if (wc_ecc_cmp_point(pvt, decPvt) != MP_EQ) - return -10125; + ERROR_OUT(-10125, out); ret = wc_EncodeEccsiSsk(priv, ssk, NULL, &sz); if (ret != LENGTH_ONLY_E) - return -10119; + ERROR_OUT(-10119, out); if (sz != 32) - return -10120; + ERROR_OUT(-10120, out); ret = wc_EncodeEccsiSsk(priv, ssk, data, &sz); if (ret != 0) - return -10121; + ERROR_OUT(-10121, out); if (sz != 32) - return -10122; - ret = wc_DecodeEccsiSsk(priv, data, sz, &decSsk); + ERROR_OUT(-10122, out); + ret = wc_DecodeEccsiSsk(priv, data, sz, decSsk); if (ret != 0) - return -10123; - if (mp_cmp(ssk, &decSsk) != MP_EQ) - return -10124; + ERROR_OUT(-10123, out); + if (mp_cmp(ssk, decSsk) != MP_EQ) + ERROR_OUT(-10124, out); ret = wc_EncodeEccsiPvt(priv, pvt, NULL, &sz, 1); if (ret != LENGTH_ONLY_E) - return -10126; + ERROR_OUT(-10126, out); if (sz != 32 * 2) - return -10127; + ERROR_OUT(-10127, out); ret = wc_EncodeEccsiPvt(priv, pvt, data, &sz, 1); if (ret != 0) - return -10128; + ERROR_OUT(-10128, out); if (sz != 32 * 2) - return -10129; + ERROR_OUT(-10129, out); ret = wc_DecodeEccsiPvt(priv, data, sz, decPvt); if (ret != 0) - return -10130; + ERROR_OUT(-10130, out); if (wc_ecc_cmp_point(pvt, decPvt) != MP_EQ) - return -10131; + ERROR_OUT(-10131, out); sz = sizeof(data); ret = wc_EncodeEccsiPvt(priv, pvt, data, &sz, 0); if (ret != 0) - return -10128; + ERROR_OUT(-10128, out); if (sz != 32 * 2 + 1) - return -10129; + ERROR_OUT(-10129, out); ret = wc_DecodeEccsiPvt(priv, data, sz, decPvt); if (ret != 0) - return -10130; + ERROR_OUT(-10130, out); if (wc_ecc_cmp_point(pvt, decPvt) != MP_EQ) - return -10131; + ERROR_OUT(-10131, out); wc_ecc_del_point(decPvt); - mp_free(&decSsk); - return 0; +out: + + mp_free(decSsk); +#ifdef WOLFSSL_SMALL_STACK + XFREE(decSsk, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + return ret; } static int eccsi_imp_exp_key_test(EccsiKey* priv) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 090532f68..e8119c698 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -5632,7 +5632,7 @@ WOLFSSL_LOCAL int wolfSSL_RSA_To_Der(WOLFSSL_RSA* rsa, byte** outBuf, #endif #ifdef WOLFSSL_QUIC -#define WOLFSSL_IS_QUIC(s) (s && s->quic.method != NULL) +#define WOLFSSL_IS_QUIC(s) (((s) != NULL) && ((s)->quic.method != NULL)) WOLFSSL_LOCAL int wolfSSL_quic_receive(WOLFSSL* ssl, byte* buf, word32 sz); WOLFSSL_LOCAL int wolfSSL_quic_send(WOLFSSL* ssl); WOLFSSL_LOCAL void wolfSSL_quic_clear(WOLFSSL* ssl); diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index a22dd4806..0f86ec522 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -2607,6 +2607,11 @@ extern void uITRON4_free(void *p) ; #undef WOLFSSL_SMALL_STACK #endif +#if defined(WOLFSSL_SMALL_STACK) && !defined(WOLFSSL_SMALL_STACK_STATIC) && \ + !defined(NO_WOLFSSL_SMALL_STACK_STATIC) +#define WOLFSSL_SMALL_STACK_STATIC +#endif + #ifdef WOLFSSL_SMALL_STACK_STATIC #undef WOLFSSL_SMALL_STACK_STATIC #define WOLFSSL_SMALL_STACK_STATIC static