From d1a3646d5c7374967f306d585a5a5a15ef5f0299 Mon Sep 17 00:00:00 2001
From: John Bland
Date: Wed, 17 Jan 2024 11:26:52 -0500
Subject: [PATCH] add heap hint support for a few of the x509 functions

---
 src/ssl.c | 4 ++--
 src/ssl_certman.c | 28 ++++++++++++++--------------
 src/x509.c | 37 +++++++++++++++++++++++++++----------
 src/x509_str.c | 2 +-
 wolfssl/ssl.h | 5 +++++
 5 files changed, 49 insertions(+), 27 deletions(-)

diff --git a/src/ssl.c b/src/ssl.c
index 1cdd8b3b2..44f5b7a25 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -18758,13 +18758,13 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
 WOLFSSL_ENTER("wolfSSL_get_peer_certificate");
 if (ssl != NULL) {
 if (ssl->peerCert.issuer.sz)
- ret = wolfSSL_X509_dup(&ssl->peerCert);
+ ret = wolfSSL_X509_dup_ex(&ssl->peerCert, ssl->heap);
 #ifdef SESSION_CERTS
 else if (ssl->session->chain.count > 0) {
 if (DecodeToX509(&ssl->peerCert,
 ssl->session->chain.certs[0].buffer,
 ssl->session->chain.certs[0].length) == 0) {
- ret = wolfSSL_X509_dup(&ssl->peerCert);
+ ret = wolfSSL_X509_dup_ex(&ssl->peerCert, ssl->heap);
 }
 }
 #endif
diff --git a/src/ssl_certman.c b/src/ssl_certman.c
index 65a6c5599..acc5cdee6 100644
--- a/src/ssl_certman.c
+++ b/src/ssl_certman.c
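Review bot: Both changed lines now allocate the returned certificate copy from ssl->heap, so an object the caller presumably owns and frees on its own is tied to the session's heap hint. If that hint refers to a static-memory pool that is released together with the WOLFSSL object (not visible in this hunk), a copy kept past wolfSSL_free() would dangle, which is a use-after-free class of bug rather than a leak. The function's documentation should state the coupling, e.g. `/* The returned X509 is allocated via ssl->heap; with static memory it must not outlive the WOLFSSL. */`. The body of wolfSSL_get_peer_certificate starts before the hunk.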
@@ -42,33 +42,33 @@
 * @return A TLS method on success.
 * @return NULL when no TLS method built into wolfSSL.
 */
-static WC_INLINE WOLFSSL_METHOD* cm_pick_method(void)
+static WC_INLINE WOLFSSL_METHOD* cm_pick_method(void* heap)
 {
 #ifndef NO_WOLFSSL_CLIENT
 #if !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_SSLV3)
- return wolfSSLv3_client_method();
+ return wolfSSLv3_client_method_ex(heap);
 #elif !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_TLSV10)
- return wolfTLSv1_client_method();
+ return wolfTLSv1_client_method_ex(heap);
 #elif !defined(NO_OLD_TLS)
- return wolfTLSv1_1_client_method();
+ return wolfTLSv1_1_client_method_ex(heap);
 #elif !defined(WOLFSSL_NO_TLS12)
- return wolfTLSv1_2_client_method();
+ return wolfTLSv1_2_client_method_ex(heap);
 #elif defined(WOLFSSL_TLS13)
- return wolfTLSv1_3_client_method();
+ return wolfTLSv1_3_client_method_ex(heap);
 #else
 return NULL;
 #endif
 #elif !defined(NO_WOLFSSL_SERVER)
 #if !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_SSLV3)
- return wolfSSLv3_server_method();
+ return wolfSSLv3_server_method_ex(heap);
 #elif !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_TLSV10)
- return wolfTLSv1_server_method();
+ return wolfTLSv1_server_method_ex(heap);
 #elif !defined(NO_OLD_TLS)
- return wolfTLSv1_1_server_method();
+ return wolfTLSv1_1_server_method_ex(heap);
 #elif !defined(WOLFSSL_NO_TLS12)
- return wolfTLSv1_2_server_method();
+ return wolfTLSv1_2_server_method_ex(heap);
 #elif defined(WOLFSSL_TLS13)
- return wolfTLSv1_3_server_method();
+ return wolfTLSv1_3_server_method_ex(heap);
 #else
 return NULL;
 #endif
@@ -513,8 +513,8 @@ int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm,
 ret = WOLFSSL_FATAL_ERROR;
 }
 /* Allocate a temporary WOLFSSL_CTX to load with. */
- if ((ret == WOLFSSL_SUCCESS) && ((tmp = wolfSSL_CTX_new(cm_pick_method()))
- == NULL)) {
+ if ((ret == WOLFSSL_SUCCESS) && ((tmp =
+ wolfSSL_CTX_new_ex(cm_pick_method(cm->heap), cm->heap)) == NULL)) {
 WOLFSSL_MSG("CTX new failed");
 ret = WOLFSSL_FATAL_ERROR;
 }
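Review bot: The Doxygen block above cm_pick_method still documents only the two `@return` cases although the signature now takes `heap`; add `@param [in] heap  Heap hint handed to the *_method_ex() constructor; NULL gives the behaviour of the old no-argument version.` so the contract is visible at the declaration. The start of that comment lies before the hunk. The second hunk pairs `cm_pick_method(cm->heap)` with `wolfSSL_CTX_new_ex(..., cm->heap)`, which is the combination every caller should use so that the method and the context that owns it carry the same hint.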
@@ -876,7 +876,7 @@ int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file,
 ret = WOLFSSL_FATAL_ERROR;
 }
 /* Create temporary WOLFSSL_CTX. */
- if ((ret == WOLFSSL_SUCCESS) && ((tmp = wolfSSL_CTX_new(cm_pick_method()))
+ if ((ret == WOLFSSL_SUCCESS) && ((tmp = wolfSSL_CTX_new(cm_pick_method(cm->heap)))
 == NULL)) {
 WOLFSSL_MSG("CTX new failed");
 ret = WOLFSSL_FATAL_ERROR;
diff --git a/src/x509.c b/src/x509.c
index 73369f3d3..528cc5b41 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -3593,7 +3593,7 @@ WOLFSSL_X509* wolfSSL_d2i_X509(WOLFSSL_X509** x509, const unsigned char** in,
 }
 
 static WOLFSSL_X509* d2i_X509orX509REQ(WOLFSSL_X509** x509,
- const byte* in, int len, int req)
+ const byte* in, int len, int req, void* heap)
 {
 WOLFSSL_X509 *newX509 = NULL;
 int type = req ? CERTREQ_TYPE : CERT_TYPE;
@@ -3620,12 +3620,12 @@ static WOLFSSL_X509* d2i_X509orX509REQ(WOLFSSL_X509** x509,
 return NULL;
 #endif
 
- InitDecodedCert(cert, (byte*)in, len, NULL);
+ InitDecodedCert(cert, (byte*)in, len, heap);
 #ifdef WOLFSSL_CERT_REQ
 cert->isCSR = (byte)req;
 #endif
 if (ParseCertRelative(cert, type, 0, NULL) == 0) {
- newX509 = wolfSSL_X509_new();
+ newX509 = wolfSSL_X509_new_ex(heap);
 if (newX509 != NULL) {
 if (CopyDecodedToX509(newX509, cert) != 0) {
 wolfSSL_X509_free(newX509);
@@ -3659,16 +3659,22 @@ int wolfSSL_X509_get_isCA(WOLFSSL_X509* x509)
 return isCA;
 }
 
+WOLFSSL_X509* wolfSSL_X509_d2i_ex(WOLFSSL_X509** x509, const byte* in, int len,
+ void* heap)
+{
+ return d2i_X509orX509REQ(x509, in, len, 0, heap);
+}
+
 WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509, const byte* in, int len)
 {
- return d2i_X509orX509REQ(x509, in, len, 0);
+ return wolfSSL_X509_d2i_ex(x509, in, len, NULL);
 }
 
 #ifdef WOLFSSL_CERT_REQ
 WOLFSSL_X509* wolfSSL_X509_REQ_d2i(WOLFSSL_X509** x509,
 const unsigned char* in, int len)
 {
- return d2i_X509orX509REQ(x509, in, len, 1);
+ return d2i_X509orX509REQ(x509, in, len, 1, NULL);
 }
 #endif
 
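Review bot: In wolfSSL_CertManagerLoadCA the new line builds the method with `cm->heap` but still creates the context with plain `wolfSSL_CTX_new`, whereas the LoadCABuffer_ex hunk in this same patch switches to `wolfSSL_CTX_new_ex(cm_pick_method(cm->heap), cm->heap)`. If the context later releases the method object using its own hint (not shown here), the two hints disagree, and under a static-memory build a free against the wrong pool is a memory-safety problem rather than a cosmetic one; make this site match the other, `if ((ret == WOLFSSL_SUCCESS) && ((tmp =` / `wolfSSL_CTX_new_ex(cm_pick_method(cm->heap), cm->heap)) == NULL)) {`. That also brings the added line back under the 80-column limit the surrounding code observes. The enclosing function starts and ends outside the hunk.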
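Review bot: In d2i_X509orX509REQ the temporary DecodedCert now receives `heap` through InitDecodedCert, but the allocation of `cert` itself sits behind the `#endif` immediately above the changed line, outside the hunk, and presumably is a small-stack XMALLOC that — together with its matching XFREE further down — still uses NULL. If that is the case, both should take `heap` as well so the temporary follows the same hint as the certificate it produces; worth checking the lines just before and after this hunk. The function's body starts before and continues past the hunk.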
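Review bot: wolfSSL_X509_d2i_ex is a new public entry point added without any comment, and its `heap` parameter is not described anywhere in x509.c; a short header such as `/* Decode DER into a new WOLFSSL_X509 allocated via the given heap hint; NULL behaves like wolfSSL_X509_d2i(). */` would document the contract where it is implemented. wolfSSL_X509_REQ_d2i in the same hunk still hard-codes NULL, so request decoding has no way to reach the heap-aware path; if that is intentional for now, a one-line comment saying so avoids a later reader treating it as an oversight.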
@@ -5319,19 +5325,24 @@ WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer(
 
 /* returns a pointer to a new WOLFSSL_X509 structure on success and NULL on
 * fail */
-WOLFSSL_X509* wolfSSL_X509_new(void)
+WOLFSSL_X509* wolfSSL_X509_new_ex(void* heap)
 {
 WOLFSSL_X509* x509;
 
- x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL,
+ x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap,
 DYNAMIC_TYPE_X509);
 if (x509 != NULL) {
- InitX509(x509, 1, NULL);
+ InitX509(x509, 1, heap);
 }
 
 return x509;
 }
 
+WOLFSSL_X509* wolfSSL_X509_new(void)
+{
+ return wolfSSL_X509_new_ex(NULL);
+}
+
 WOLFSSL_ABI
 WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert)
 {
@@ -13408,7 +13419,7 @@ int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject)
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL) || \
 defined(KEEP_PEER_CERT)
 
-WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x)
+WOLFSSL_X509* wolfSSL_X509_dup_ex(WOLFSSL_X509 *x, void* heap)
 {
 WOLFSSL_ENTER("wolfSSL_X509_dup");
 
@@ -13422,7 +13433,13 @@ WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x)
 return NULL;
 }
 
- return wolfSSL_X509_d2i(NULL, x->derCert->buffer, x->derCert->length);
+ return wolfSSL_X509_d2i_ex(NULL, x->derCert->buffer, x->derCert->length,
+ heap);
+}
+
+WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x)
+{
+ return wolfSSL_X509_dup_ex(x, NULL);
 }
 
 #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
diff --git a/src/x509_str.c b/src/x509_str.c
index b0b365bc4..1899085be 100644
--- a/src/x509_str.c
+++ b/src/x509_str.c
@@ -1035,7 +1035,7 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,
 return WOLFSSL_FAILURE;
 
 /* tmp ctx for setting our cert manager */
- ctx = wolfSSL_CTX_new(cm_pick_method());
+ ctx = wolfSSL_CTX_new(cm_pick_method(NULL));
 if (ctx == NULL)
 return WOLFSSL_FAILURE;
 
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 907b3691b..c9bd3b712 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
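Review bot: The comment `/* returns a pointer to a new WOLFSSL_X509 structure on success and NULL on fail */` now heads wolfSSL_X509_new_ex but says nothing about `heap`, and the re-added wolfSSL_X509_new wrapper carries no comment at all. Extend the existing comment with ` * heap: hint passed to XMALLOC and to InitX509 for the new object` and put `/* wolfSSL_X509_new_ex() without a heap hint */` above the wrapper, so the two entry points are distinguishable at a glance. Since InitX509 is given the same hint as XMALLOC, the X509 presumably records it for its own teardown; stating that in the comment would help callers choosing between the two.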
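Review bot: `WOLFSSL_ENTER("wolfSSL_X509_dup");` is kept inside the renamed wolfSSL_X509_dup_ex, so traces from the new direct callers in ssl.c will be attributed to the wrapper; change it to `WOLFSSL_ENTER("wolfSSL_X509_dup_ex");` (the wrapper added in the following hunk can log its own name if that is wanted). In that following hunk wolfSSL_X509_dup now passes NULL rather than the source certificate's own hint; given that InitX509 receives a heap in this patch the struct presumably stores one, and duplicating onto the same pool as `x` may be the more natural default for existing callers, so this deserves an explicit decision and a comment either way. Both functions' bodies extend outside the shown hunks.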
@@ -1681,7 +1681,9 @@ WOLFSSL_API void wolfSSL_sk_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk);
 WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl);
 
 WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void);
+WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new_ex(void* heap);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x);
+WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup_ex(WOLFSSL_X509* x, void* heap);
 #if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
 WOLFSSL_API int wolfSSL_RSA_up_ref(WOLFSSL_RSA* rsa);
 WOLFSSL_API int wolfSSL_X509_up_ref(WOLFSSL_X509* x509);
@@ -2885,6 +2887,9 @@ WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509(WOLFSSL_X509** x509,
 const unsigned char** in, int len);
 WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509,
 const unsigned char* in, int len);
+WOLFSSL_API WOLFSSL_X509*
+ wolfSSL_X509_d2i_ex(WOLFSSL_X509** x509, const unsigned char* in, int len,
+ void* heap);
 #ifdef WOLFSSL_CERT_REQ
 WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_d2i(WOLFSSL_X509** x509,
 const unsigned char* in, int len);
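Review bot: The three new public prototypes (wolfSSL_X509_new_ex, wolfSSL_X509_dup_ex in the first hunk, wolfSSL_X509_d2i_ex in the second) are added with no comment on what `heap` means or who owns the returned object, which is where API users will look first. A one-line comment on each, e.g. `/* As wolfSSL_X509_new() but the object is allocated via the given heap hint; NULL matches wolfSSL_X509_new(). */`, keeps the header self-describing. wolfSSL_X509_dup_ex is declared unconditionally while its definition in x509.c sits under the OPENSSL_EXTRA/WOLFSSL_WPAS_SMALL/KEEP_PEER_CERT guard; that mirrors the existing wolfSSL_X509_dup line, so it is consistent rather than new, but worth noting in the comment.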