From 339e44bd8789999d332ba1ee33e6c31bceb86b1f Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Wed, 16 Mar 2022 13:51:18 -0600 Subject: [PATCH 1/7] smallstack reduction for wc_ecc_import_point_der_ex() --- wolfcrypt/src/ecc.c | 59 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 45 insertions(+), 14 deletions(-) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index fe44ca04c..723cc5c6c 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -8080,13 +8080,35 @@ int wc_ecc_import_point_der_ex(const byte* in, word32 inLen, #if !defined(WOLFSSL_SP_MATH) { int did_init = 0; - mp_int t1, t2; + #ifdef WOLFSSL_SMALL_STACK + mp_int* t1 = NULL; + mp_int* t2 = NULL; + #else + mp_int t1[1], t2[1]; + #endif DECLARE_CURVE_SPECS(3); ALLOC_CURVE_SPECS(3, err); + #ifdef WOLFSSL_SMALL_STACK if (err == MP_OKAY) { - if (mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL) != MP_OKAY) + t1 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, + DYNAMIC_TYPE_BIGINT); + if (t1 == NULL) { + err = MEMORY_E; + } + } + if (err == MP_OKAY) { + t2 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, + DYNAMIC_TYPE_BIGINT); + if (t2 == NULL) { + err = MEMORY_E; + } + } + #endif + + if (err == MP_OKAY) { + if (mp_init_multi(t1, t2, NULL, NULL, NULL, NULL) != MP_OKAY) err = MEMORY_E; else did_init = 1; @@ -8111,42 +8133,51 @@ int wc_ecc_import_point_der_ex(const byte* in, word32 inLen, /* compute x^3 */ if (err == MP_OKAY) - err = mp_sqr(point->x, &t1); + err = mp_sqr(point->x, t1); if (err == MP_OKAY) - err = mp_mulmod(&t1, point->x, curve->prime, &t1); + err = mp_mulmod(t1, point->x, curve->prime, t1); /* compute x^3 + a*x */ if (err == MP_OKAY) - err = mp_mulmod(curve->Af, point->x, curve->prime, &t2); + err = mp_mulmod(curve->Af, point->x, curve->prime, t2); if (err == MP_OKAY) - err = mp_add(&t1, &t2, &t1); + err = mp_add(t1, t2, t1); /* compute x^3 + a*x + b */ if (err == MP_OKAY) - err = mp_add(&t1, curve->Bf, &t1); + err = mp_add(t1, curve->Bf, t1); /* compute sqrt(x^3 + a*x + b) */ if (err == MP_OKAY) - err = mp_sqrtmod_prime(&t1, curve->prime, &t2); + err = mp_sqrtmod_prime(t1, curve->prime, t2); /* adjust y */ if (err == MP_OKAY) { - if ((mp_isodd(&t2) == MP_YES && + if ((mp_isodd(t2) == MP_YES && pointType == ECC_POINT_COMP_ODD) || - (mp_isodd(&t2) == MP_NO && + (mp_isodd(t2) == MP_NO && pointType == ECC_POINT_COMP_EVEN)) { - err = mp_mod(&t2, curve->prime, point->y); + err = mp_mod(t2, curve->prime, point->y); } else { - err = mp_submod(curve->prime, &t2, curve->prime, point->y); + err = mp_submod(curve->prime, t2, curve->prime, point->y); } } if (did_init) { - mp_clear(&t2); - mp_clear(&t1); + mp_clear(t2); + mp_clear(t1); } + #ifdef WOLFSSL_SMALL_STACK + if (t1 != NULL) { + XFREE(t1, NULL, DYNAMIC_TYPE_BIGINT); + } + if (t2 != NULL) { + XFREE(t2, NULL, DYNAMIC_TYPE_BIGINT); + } + #endif + wc_ecc_curve_free(curve); FREE_CURVE_SPECS(); } From 851ff9e661971ff0cd5dfcb325939246e72417ac Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 17 Mar 2022 17:53:22 -0600 Subject: [PATCH 2/7] smallstack reduction for PrintPubKeyRSA, PrintPubKeyDSA, PrintPubKeyDH --- wolfcrypt/src/evp.c | 93 +++++++++++++++++++++++++++++++++++---------- 1 file changed, 73 insertions(+), 20 deletions(-) diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 864b468aa..e843d3bed 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -8242,12 +8242,26 @@ static int PrintPubKeyRSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, int wsz; word32 i; unsigned long exponent = 0; - mp_int a; +#ifdef WOLFSSL_SMALL_STACK + mp_int* a = NULL; +#else + mp_int a[1]; +#endif char line[32] = { 0 }; (void)pctx; - if( mp_init(&a) != 0) { +#ifdef WOLFSSL_SMALL_STACK + a = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (a == NULL) { + return WOLFSSL_FAILURE; + } +#endif + + if( mp_init(a) != 0) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(a, NULL, DYNAMIC_TYPE_BIGINT); +#endif return WOLFSSL_FAILURE; } if (indent < 0) { @@ -8272,10 +8286,10 @@ static int PrintPubKeyRSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, if (wolfSSL_BIO_write(out, line, (int)XSTRLEN(line)) <= 0) { break; } - if (mp_set_int(&a, bitlen) != 0) { + if (mp_set_int(a, bitlen) != 0) { break; } - if (mp_todecimal(&a, (char*)buff) != 0) { + if (mp_todecimal(a, (char*)buff) != 0) { break; } wsz = (int)XSTRLEN((const char*)buff); @@ -8315,10 +8329,10 @@ static int PrintPubKeyRSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, } XMEMSET(buff, 0, sizeof(buff)); - if (mp_set_int(&a, exponent) != 0) { + if (mp_set_int(a, exponent) != 0) { break; } - if (mp_todecimal(&a, (char*)buff) != 0) { + if (mp_todecimal(a, (char*)buff) != 0) { break; } wsz = (int)XSTRLEN((const char*)buff); @@ -8331,7 +8345,7 @@ static int PrintPubKeyRSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, break; } XMEMSET(buff, 0, sizeof(buff)); - if (mp_tohex(&a, (char*)buff) != 0) { + if (mp_tohex(a, (char*)buff) != 0) { break; } if (wolfSSL_BIO_write(out, buff, (int)XSTRLEN((char*)buff)) <= 0) { @@ -8345,7 +8359,10 @@ static int PrintPubKeyRSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, res = WOLFSSL_SUCCESS; } while (0); - mp_free(&a); + mp_free(a); +#ifdef WOLFSSL_SMALL_STACK + XFREE(a, NULL, DYNAMIC_TYPE_BIGINT); +#endif return res; } #endif /* !NO_RSA */ @@ -8574,11 +8591,26 @@ static int PrintPubKeyDSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, int pSz, qSz, gSz, ySz; int idx; int wsz; - mp_int a; +#ifdef WOLFSSL_SMALL_STACK + mp_int* a = NULL; +#else + mp_int a[1]; +#endif char line[32] = { 0 }; - if( mp_init(&a) != 0) +#ifdef WOLFSSL_SMALL_STACK + a = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (a == NULL) { return WOLFSSL_FAILURE; + } +#endif + + if( mp_init(a) != 0) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(a, NULL, DYNAMIC_TYPE_BIGINT); +#endif + return WOLFSSL_FAILURE; + } inOutIdx = 0; (void)pctx; @@ -8684,10 +8716,10 @@ static int PrintPubKeyDSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, if (wolfSSL_BIO_write(out, line, (int)XSTRLEN(line)) <= 0) { break; } - if (mp_set_int(&a, bitlen) != 0) { + if (mp_set_int(a, bitlen) != 0) { break; } - if (mp_todecimal(&a, (char*)buff) != 0) { + if (mp_todecimal(a, (char*)buff) != 0) { break; } wsz = (int)XSTRLEN((const char*)buff); @@ -8738,7 +8770,10 @@ static int PrintPubKeyDSA(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, res = WOLFSSL_SUCCESS; } while (0); - mp_free(&a); + mp_free(a); +#ifdef WOLFSSL_SMALL_STACK + XFREE(a, NULL, DYNAMIC_TYPE_BIGINT); +#endif return res; } #endif /* !NO_DSA */ @@ -8774,11 +8809,26 @@ static int PrintPubKeyDH(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, int wsz; word32 outSz; byte outHex[3]; - mp_int a; +#ifdef WOLFSSL_SMALL_STACK + mp_int* a = NULL; +#else + mp_int a[1]; +#endif char line[32] = { 0 }; - if( mp_init(&a) != 0) +#ifdef WOLFSSL_SMALL_STACK + a = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (a == NULL) { return WOLFSSL_FAILURE; + } +#endif + + if( mp_init(a) != 0) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(a, NULL, DYNAMIC_TYPE_BIGINT); +#endif + return WOLFSSL_FAILURE; + } inOutIdx = 0; (void)pctx; @@ -8872,10 +8922,10 @@ static int PrintPubKeyDH(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, if (wolfSSL_BIO_write(out, line, (int)XSTRLEN(line)) <= 0) { break; } - if (mp_set_int(&a, bitlen) != 0) { + if (mp_set_int(a, bitlen) != 0) { break; } - if (mp_todecimal(&a, (char*)buff) != 0) { + if (mp_todecimal(a, (char*)buff) != 0) { break; } wsz = (int)XSTRLEN((const char*)buff); @@ -8911,10 +8961,10 @@ static int PrintPubKeyDH(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, if (wolfSSL_BIO_write(out, line, (int)XSTRLEN(line)) <= 0) { break; } - if (mp_set_int(&a, generator) != 0) { + if (mp_set_int(a, generator) != 0) { break; } - if (mp_todecimal(&a, (char*)buff) != 0) { + if (mp_todecimal(a, (char*)buff) != 0) { break; } wsz = (int)XSTRLEN((const char*)buff); @@ -8946,7 +8996,10 @@ static int PrintPubKeyDH(WOLFSSL_BIO* out, const byte* pkey, int pkeySz, res = WOLFSSL_SUCCESS; } while (0); - mp_free(&a); + mp_free(a); +#ifdef WOLFSSL_SMALL_STACK + XFREE(a, NULL, DYNAMIC_TYPE_BIGINT); +#endif return res; } #endif /* WOLFSSL_DH_EXTRA */ From 210eb6283cb43da220f0be7a91d29d2861d2d376 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 17 Mar 2022 18:05:01 -0600 Subject: [PATCH 3/7] smallstack reduction for wc_ecc_import_x963_ex, mp_jacobi --- wolfcrypt/src/ecc.c | 101 +++++++++++++++++++++++++++++++++----------- 1 file changed, 77 insertions(+), 24 deletions(-) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 723cc5c6c..c4b1811a5 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -9265,14 +9265,33 @@ int wc_ecc_import_x963_ex(const byte* in, word32 inLen, ecc_key* key, #ifdef HAVE_COMP_KEY if (err == MP_OKAY && compressed == 1) { /* build y */ #if !defined(WOLFSSL_SP_MATH) - mp_int t1, t2; + #ifdef WOLFSSL_SMALL_STACK + mp_int* t1 = NULL; + mp_int* t2 = NULL; + #else + mp_int t1[1], t2[1]; + #endif int did_init = 0; DECLARE_CURVE_SPECS(3); ALLOC_CURVE_SPECS(3, err); + #ifdef WOLFSSL_SMALL_STACK if (err == MP_OKAY) { - if (mp_init_multi(&t1, &t2, NULL, NULL, NULL, NULL) != MP_OKAY) + t1 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (t1 == NULL) { + err = MEMORY_E; + } + } + if (err == MP_OKAY) { + t2 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (t2 == NULL) { + err = MEMORY_E; + } + } + #endif + if (err == MP_OKAY) { + if (mp_init_multi(t1, t2, NULL, NULL, NULL, NULL) != MP_OKAY) err = MEMORY_E; else did_init = 1; @@ -9297,41 +9316,49 @@ int wc_ecc_import_x963_ex(const byte* in, word32 inLen, ecc_key* key, /* compute x^3 */ if (err == MP_OKAY) - err = mp_sqr(key->pubkey.x, &t1); + err = mp_sqr(key->pubkey.x, t1); if (err == MP_OKAY) - err = mp_mulmod(&t1, key->pubkey.x, curve->prime, &t1); + err = mp_mulmod(t1, key->pubkey.x, curve->prime, t1); /* compute x^3 + a*x */ if (err == MP_OKAY) - err = mp_mulmod(curve->Af, key->pubkey.x, curve->prime, &t2); + err = mp_mulmod(curve->Af, key->pubkey.x, curve->prime, t2); if (err == MP_OKAY) - err = mp_add(&t1, &t2, &t1); + err = mp_add(t1, t2, t1); /* compute x^3 + a*x + b */ if (err == MP_OKAY) - err = mp_add(&t1, curve->Bf, &t1); + err = mp_add(t1, curve->Bf, t1); /* compute sqrt(x^3 + a*x + b) */ if (err == MP_OKAY) - err = mp_sqrtmod_prime(&t1, curve->prime, &t2); + err = mp_sqrtmod_prime(t1, curve->prime, t2); /* adjust y */ if (err == MP_OKAY) { - if ((mp_isodd(&t2) == MP_YES && pointType == ECC_POINT_COMP_ODD) || - (mp_isodd(&t2) == MP_NO && pointType == ECC_POINT_COMP_EVEN)) { - err = mp_mod(&t2, curve->prime, &t2); + if ((mp_isodd(t2) == MP_YES && pointType == ECC_POINT_COMP_ODD) || + (mp_isodd(t2) == MP_NO && pointType == ECC_POINT_COMP_EVEN)) { + err = mp_mod(t2, curve->prime, t2); } else { - err = mp_submod(curve->prime, &t2, curve->prime, &t2); + err = mp_submod(curve->prime, t2, curve->prime, t2); } if (err == MP_OKAY) - err = mp_copy(&t2, key->pubkey.y); + err = mp_copy(t2, key->pubkey.y); } if (did_init) { - mp_clear(&t2); - mp_clear(&t1); + mp_clear(t2); + mp_clear(t1); } + #ifdef WOLFSSL_SMALL_STACK + if (t1 != NULL) { + XFREE(t1, NULL, DYNAMIC_TYPE_BIGINT); + } + if (t2 != NULL) { + XFREE(t2, NULL, DYNAMIC_TYPE_BIGINT); + } + #endif wc_ecc_curve_free(curve); FREE_CURVE_SPECS(); @@ -12954,7 +12981,12 @@ int wc_ecc_decrypt(ecc_key* privKey, ecc_key* pubKey, const byte* msg, */ int mp_jacobi(mp_int* a, mp_int* n, int* c) { - mp_int a1, n1; +#ifdef WOLFSSL_SMALL_STACK + mp_int* a1 = NULL; + mp_int* n1 = NULL; +#else + mp_int a1[1], n1[1]; +#endif int res; int s = 1; int k; @@ -12972,22 +13004,38 @@ int mp_jacobi(mp_int* a, mp_int* n, int* c) return MP_VAL; } - if ((res = mp_init_multi(&a1, &n1, NULL, NULL, NULL, NULL)) != MP_OKAY) { +#ifdef WOLFSSL_SMALL_STACK + a1 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (a1 == NULL) { + return MP_MEM; + } + n1 = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (n1 == NULL) { + XFREE(a1, NULL, DYNAMIC_TYPE_BIGINT); + return MP_MEM; + } +#endif + + if ((res = mp_init_multi(a1, n1, NULL, NULL, NULL, NULL)) != MP_OKAY) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(a1, NULL, DYNAMIC_TYPE_BIGINT); + XFREE(n1, NULL, DYNAMIC_TYPE_BIGINT); +#endif return res; } SAVE_VECTOR_REGISTERS(return _svr_ret;); - if ((res = mp_mod(a, n, &a1)) != MP_OKAY) { + if ((res = mp_mod(a, n, a1)) != MP_OKAY) { goto done; } - if ((res = mp_copy(n, &n1)) != MP_OKAY) { + if ((res = mp_copy(n, n1)) != MP_OKAY) { goto done; } - t[0] = &a1; - t[1] = &n1; + t[0] = a1; + t[1] = n1; /* Keep reducing until first number is 0. */ while (!mp_iszero(t[0])) { @@ -13037,9 +13085,14 @@ done: RESTORE_VECTOR_REGISTERS(); - /* cleanup */ - mp_clear(&n1); - mp_clear(&a1); + /* cleanup */ + mp_clear(n1); + mp_clear(a1); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(a1, NULL, DYNAMIC_TYPE_BIGINT); + XFREE(n1, NULL, DYNAMIC_TYPE_BIGINT); +#endif return res; } From 94e1b87ae0a79e481b85bfea431b11f8f54cac29 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 17 Mar 2022 18:07:15 -0600 Subject: [PATCH 4/7] smallstack reduction for wolfSSL_X509_set_ext, wolfSSL_EC_POINT_mul, wolfSSL_ECDSA_do_sign, wolfSSL_i2d_X509_NAME, wolfSSL_X509_REQ_sign --- src/ssl.c | 318 ++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 252 insertions(+), 66 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 5cbd9332a..76deac7df 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -9772,7 +9772,11 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_X509_EXTENSION* ext = NULL; WOLFSSL_ASN1_INTEGER* a; WOLFSSL_STACK* sk; - DecodedCert cert; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; +#else + DecodedCert cert[1]; +#endif WOLFSSL_ENTER("wolfSSL_X509_set_ext"); @@ -9799,9 +9803,18 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) return NULL; } - InitDecodedCert( &cert, rawCert, (word32)outSz, 0); +#ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_DCERT); + if (cert == NULL) { + WOLFSSL_MSG("Failed to allocate memory for DecodedCert"); + wolfSSL_X509_EXTENSION_free(ext); + return NULL; + } +#endif - if (ParseCert(&cert, + InitDecodedCert(cert, rawCert, (word32)outSz, 0); + + if (ParseCert(cert, #ifdef WOLFSSL_CERT_REQ x509->isCSR ? CERTREQ_TYPE : #endif @@ -9809,17 +9822,23 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) NO_VERIFY, NULL) < 0) { WOLFSSL_MSG("\tCertificate parsing failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } - input = cert.extensions; - sz = cert.extensionsSz; + input = cert->extensions; + sz = cert->extensionsSz; if (input == NULL || sz == 0) { WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); +#endif return NULL; } @@ -9830,14 +9849,20 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (input[idx++] != ASN_EXTENSIONS) { WOLFSSL_MSG("\tfail: should be an EXTENSIONS"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } if (GetLength(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: invalid length"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } } @@ -9845,7 +9870,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (GetSequence(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: should be a SEQUENCE (1)"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); +#endif return NULL; } @@ -9855,7 +9883,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (GetSequence(input, &idx, &length, sz) < 0) { WOLFSSL_MSG("\tfail: should be a SEQUENCE"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } @@ -9864,7 +9895,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret < 0) { WOLFSSL_MSG("\tfail: OBJECT ID"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } idx = tmpIdx; @@ -9883,7 +9917,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ext->obj == NULL) { WOLFSSL_MSG("\tfail: Invalid OBJECT"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->obj->nid = nid; @@ -9896,7 +9933,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) a = wolfSSL_ASN1_INTEGER_new(); if (a == NULL) { wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } a->length = x509->pathLength; @@ -9918,7 +9958,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (sk == NULL) { WOLFSSL_MSG("Failed to malloc stack"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } @@ -9932,7 +9975,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_MSG("Error creating ASN1 object"); wolfSSL_sk_ASN1_OBJECT_pop_free(sk, NULL); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } obj->obj = (byte*)x509->authInfoCaIssuer; @@ -9946,7 +9992,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) wolfSSL_ASN1_OBJECT_free(obj); wolfSSL_sk_ASN1_OBJECT_pop_free(sk, NULL); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } } @@ -9961,7 +10010,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_MSG("Error creating ASN1 object"); wolfSSL_sk_ASN1_OBJECT_pop_free(sk, NULL); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } obj->obj = x509->authInfo; @@ -9975,7 +10027,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) wolfSSL_ASN1_OBJECT_free(obj); wolfSSL_sk_ASN1_OBJECT_pop_free(sk, NULL); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } } @@ -9992,7 +10047,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set() failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->crit = x509->authKeyIdCrit; @@ -10007,7 +10065,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set() failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->crit = x509->subjKeyIdCrit; @@ -10028,7 +10089,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set() failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->crit = x509->keyUsageCrit; @@ -10043,7 +10107,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set() failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->crit = x509->keyUsageCrit; @@ -10068,7 +10135,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ret != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set() failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } #endif @@ -10078,7 +10148,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) DYNAMIC_TYPE_ASN1); if (sk == NULL) { wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } XMEMSET(sk, 0, sizeof(WOLFSSL_GENERAL_NAMES)); @@ -10093,8 +10166,11 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (gn == NULL) { WOLFSSL_MSG("Error creating GENERAL_NAME"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); wolfSSL_sk_pop_free(sk, NULL); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } @@ -10104,9 +10180,12 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) gn->d.ia5->length) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ASN1_STRING_set failed"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); wolfSSL_GENERAL_NAME_free(gn); wolfSSL_sk_pop_free(sk, NULL); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } @@ -10117,9 +10196,12 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error pushing onto stack"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); wolfSSL_GENERAL_NAME_free(gn); wolfSSL_sk_pop_free(sk, NULL); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } } @@ -10128,9 +10210,12 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_SUCCESS) { WOLFSSL_MSG("Error pushing onto stack"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); wolfSSL_GENERAL_NAME_free(gn); wolfSSL_sk_pop_free(sk, NULL); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } } @@ -10149,7 +10234,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (GetASNObjectId(input, &idx, &length, sz) != 0) { WOLFSSL_MSG("Failed to Get ASN Object Id"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } oidBuf = (byte*)XMALLOC(length+1+MAX_LENGTH_SZ, NULL, @@ -10157,7 +10245,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (oidBuf == NULL) { WOLFSSL_MSG("Failed to malloc tmp buffer"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } oidBuf[0] = ASN_OBJECT_ID; @@ -10175,8 +10266,11 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ext->obj->obj == NULL) { wolfSSL_ASN1_OBJECT_free(ext->obj); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); XFREE(oidBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->obj->dynamic |= WOLFSSL_ASN1_DYNAMIC_DATA; @@ -10197,7 +10291,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_MSG("Error decoding unknown extension data"); wolfSSL_ASN1_OBJECT_free(ext->obj); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } @@ -10205,7 +10302,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) WOLFSSL_MSG("Error: Invalid Input Length."); wolfSSL_ASN1_OBJECT_free(ext->obj); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } ext->value.data = (char*)XMALLOC(length, NULL, DYNAMIC_TYPE_ASN1); @@ -10213,7 +10313,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (ext->value.data == NULL) { WOLFSSL_MSG("Failed to malloc ASN1_STRING data"); wolfSSL_X509_EXTENSION_free(ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return NULL; } XMEMCPY(ext->value.data,input+tmpIdx,length); @@ -10232,7 +10335,10 @@ WOLFSSL_X509_EXTENSION* wolfSSL_X509_set_ext(WOLFSSL_X509* x509, int loc) if (x509->ext_sk != NULL) wolfSSL_sk_X509_EXTENSION_push(x509->ext_sk, ext); - FreeDecodedCert(&cert); + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); +#endif return ext; } @@ -40421,7 +40527,12 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, const WOLFSSL_BIGNUM *n, const WOLFSSL_EC_POINT *q, const WOLFSSL_BIGNUM *m, WOLFSSL_BN_CTX *ctx) { - mp_int a, prime; +#ifdef WOLFSSL_SMALL_STACK + mp_int* a = NULL; + mp_int* prime = NULL; +#else + mp_int a[1], prime[1]; +#endif int ret = WOLFSSL_FAILURE; ecc_point* result = NULL; ecc_point* tmp = NULL; @@ -40435,13 +40546,25 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, return WOLFSSL_FAILURE; } +#ifdef WOLFSSL_SMALL_STACK + a = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (a == NULL) { + return WOLFSSL_FAILURE; + } + prime = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (prime == NULL) { + XFREE(a, NULL, DYNAMIC_TYPE_BIGINT); + return WOLFSSL_FAILURE; + } +#endif + if (!(result = wc_ecc_new_point())) { WOLFSSL_MSG("wolfSSL_EC_POINT_new error"); return WOLFSSL_FAILURE; } /* read the curve prime and a */ - if (mp_init_multi(&prime, &a, NULL, NULL, NULL, NULL) != MP_OKAY) { + if (mp_init_multi(prime, a, NULL, NULL, NULL, NULL) != MP_OKAY) { WOLFSSL_MSG("mp_init_multi error"); goto cleanup; } @@ -40451,13 +40574,13 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, goto cleanup; } - if (mp_read_radix(&prime, ecc_sets[group->curve_idx].prime, MP_RADIX_HEX) + if (mp_read_radix(prime, ecc_sets[group->curve_idx].prime, MP_RADIX_HEX) != MP_OKAY) { WOLFSSL_MSG("mp_read_radix prime error"); goto cleanup; } - if (mp_read_radix(&a, ecc_sets[group->curve_idx].Af, MP_RADIX_HEX) + if (mp_read_radix(a, ecc_sets[group->curve_idx].Af, MP_RADIX_HEX) != MP_OKAY) { WOLFSSL_MSG("mp_read_radix a error"); goto cleanup; @@ -40495,14 +40618,14 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, #ifdef ECC_SHAMIR if (ecc_mul2add(result, (mp_int*)n->internal, (ecc_point*)q->internal, (mp_int*)m->internal, - result, &a, &prime, NULL) + result, a, prime, NULL) != MP_OKAY) { WOLFSSL_MSG("ecc_mul2add error"); goto cleanup; } #else mp_digit mp = 0; - if (mp_montgomery_setup(&prime, &mp) != MP_OKAY) { + if (mp_montgomery_setup(prime, &mp) != MP_OKAY) { WOLFSSL_MSG("mp_montgomery_setup nqm error"); goto cleanup; } @@ -40511,24 +40634,24 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, goto cleanup; } /* r = generator * n */ - if (wc_ecc_mulmod((mp_int*)n->internal, result, result, &a, &prime, 0) + if (wc_ecc_mulmod((mp_int*)n->internal, result, result, a, prime, 0) != MP_OKAY) { WOLFSSL_MSG("wc_ecc_mulmod nqm error"); goto cleanup; } /* tmp = q * m */ if (wc_ecc_mulmod((mp_int*)m->internal, (ecc_point*)q->internal, - tmp, &a, &prime, 0) != MP_OKAY) { + tmp, a, prime, 0) != MP_OKAY) { WOLFSSL_MSG("wc_ecc_mulmod nqm error"); goto cleanup; } /* result = result + tmp */ - if (ecc_projective_add_point(tmp, result, result, &a, &prime, mp) + if (ecc_projective_add_point(tmp, result, result, a, prime, mp) != MP_OKAY) { WOLFSSL_MSG("wc_ecc_mulmod nqm error"); goto cleanup; } - if (ecc_map(result, &prime, mp) != MP_OKAY) { + if (ecc_map(result, prime, mp) != MP_OKAY) { WOLFSSL_MSG("ecc_map nqm error"); goto cleanup; } @@ -40536,7 +40659,7 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, } else if (n) { /* r = generator * n */ - if (wc_ecc_mulmod((mp_int*)n->internal, result, result, &a, &prime, 1) + if (wc_ecc_mulmod((mp_int*)n->internal, result, result, a, prime, 1) != MP_OKAY) { WOLFSSL_MSG("wc_ecc_mulmod gn error"); goto cleanup; @@ -40545,7 +40668,7 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, else if (q && m) { /* r = q * m */ if (wc_ecc_mulmod((mp_int*)m->internal, (ecc_point*)q->internal, - result, &a, &prime, 1) != MP_OKAY) { + result, a, prime, 1) != MP_OKAY) { WOLFSSL_MSG("wc_ecc_mulmod qm error"); goto cleanup; } @@ -40564,10 +40687,14 @@ int wolfSSL_EC_POINT_mul(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *r, ret = WOLFSSL_SUCCESS; cleanup: - mp_clear(&a); - mp_clear(&prime); + mp_clear(a); + mp_clear(prime); wc_ecc_del_point(result); wc_ecc_del_point(tmp); +#ifdef WOLFSSL_SMALL_STACK + XFREE(a, NULL, DYNAMIC_TYPE_BIGINT); + XFREE(prime, NULL, DYNAMIC_TYPE_BIGINT); +#endif return ret; } #endif /* !WOLFSSL_ATECC508A && !WOLFSSL_ATECC608A && !HAVE_SELFTEST && @@ -40837,9 +40964,15 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen, WC_RNG* rng = NULL; #ifdef WOLFSSL_SMALL_STACK WC_RNG* tmpRNG = NULL; + byte* out = NULL; + mp_int* sig_r = NULL; + mp_int* sig_s = NULL; #else WC_RNG tmpRNG[1]; + byte out[ECC_BUFSIZE]; + mp_int sig_r[1], sig_s[1]; #endif + word32 outlen = ECC_BUFSIZE; WOLFSSL_ENTER("wolfSSL_ECDSA_do_sign"); @@ -40863,6 +40996,24 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen, tmpRNG = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_RNG); if (tmpRNG == NULL) return NULL; + out = (byte*)XMALLOC(outlen, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (out == NULL) { + XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); + return NULL; + } + sig_r = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (sig_r == NULL) { + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); + return NULL; + } + sig_s = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (sig_s == NULL) { + XFREE(sig_r, NULL, DYNAMIC_TYPE_BIGINT); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); + return NULL; + } #endif if (wc_InitRng(tmpRNG) == 0) { @@ -40878,31 +41029,28 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen, } if (rng) { - byte out[ECC_BUFSIZE]; - word32 outlen = ECC_BUFSIZE; /* use wc_ecc_sign_hash because it supports crypto callbacks */ if (wc_ecc_sign_hash(d, dlen, out, &outlen, rng, (ecc_key*)key->internal) == 0) { - mp_int sig_r, sig_s; - if (mp_init_multi(&sig_r, &sig_s, NULL, NULL, NULL, NULL) == MP_OKAY) { + if (mp_init_multi(sig_r, sig_s, NULL, NULL, NULL, NULL) == MP_OKAY) { /* put signature blob in ECDSA structure */ - if (DecodeECC_DSA_Sig(out, outlen, &sig_r, &sig_s) == 0) { + if (DecodeECC_DSA_Sig(out, outlen, sig_r, sig_s) == 0) { sig = wolfSSL_ECDSA_SIG_new(); if (sig == NULL) WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new failed"); - else if (SetIndividualExternal(&sig->r, &sig_r) != WOLFSSL_SUCCESS) { + else if (SetIndividualExternal(&sig->r, sig_r) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("ecdsa r key error"); wolfSSL_ECDSA_SIG_free(sig); sig = NULL; } - else if (SetIndividualExternal(&sig->s, &sig_s)!=WOLFSSL_SUCCESS){ + else if (SetIndividualExternal(&sig->s, sig_s)!=WOLFSSL_SUCCESS){ WOLFSSL_MSG("ecdsa s key error"); wolfSSL_ECDSA_SIG_free(sig); sig = NULL; } } - mp_free(&sig_r); - mp_free(&sig_s); + mp_free(sig_r); + mp_free(sig_s); } } else { @@ -40913,6 +41061,9 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen, if (initTmpRng) wc_FreeRng(tmpRNG); #ifdef WOLFSSL_SMALL_STACK + XFREE(sig_s, NULL, DYNAMIC_TYPE_BIGINT); + XFREE(sig_r, NULL, DYNAMIC_TYPE_BIGINT); + XFREE(out, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(tmpRNG, NULL, DYNAMIC_TYPE_RNG); #endif @@ -45210,7 +45361,11 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) unsigned char **in, long length) { WOLFSSL_X509_NAME* tmp = NULL; - DecodedCert cert; + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif WOLFSSL_ENTER("wolfSSL_d2i_X509_NAME"); @@ -45219,12 +45374,20 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) return NULL; } + #ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_DCERT); + if (cert == NULL) { + return NULL; + } + #endif + /* Set the X509_NAME buffer as the input data for cert. * in is NOT a full certificate. Just the name. */ - InitDecodedCert(&cert, *in, (word32)length, NULL); + InitDecodedCert(cert, *in, (word32)length, NULL); /* Parse the X509 subject name */ - if (GetName(&cert, SUBJECT, (int)length) != 0) { + if (GetName(cert, SUBJECT, (int)length) != 0) { WOLFSSL_MSG("WOLFSSL_X509_NAME parse error"); goto cleanup; } @@ -45234,7 +45397,7 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) goto cleanup; } - if (wolfSSL_X509_NAME_copy((WOLFSSL_X509_NAME*)cert.subjectName, + if (wolfSSL_X509_NAME_copy((WOLFSSL_X509_NAME*)cert->subjectName, tmp) != WOLFSSL_SUCCESS) { wolfSSL_X509_NAME_free(tmp); tmp = NULL; @@ -45244,7 +45407,10 @@ int wolfSSL_i2d_X509_NAME(WOLFSSL_X509_NAME* name, unsigned char** out) if (name) *name = tmp; cleanup: - FreeDecodedCert(&cert); + FreeDecodedCert(cert); + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_DCERT); + #endif return tmp; } @@ -57431,27 +57597,47 @@ int wolfSSL_X509_REQ_sign(WOLFSSL_X509 *req, WOLFSSL_EVP_PKEY *pkey, const WOLFSSL_EVP_MD *md) { int ret; +#ifdef WOLFSSL_SMALL_STACK + byte* der = NULL; +#else byte der[2048]; - int derSz = sizeof(der); +#endif + int derSz = 2048; if (req == NULL || pkey == NULL || md == NULL) { WOLFSSL_LEAVE("wolfSSL_X509_REQ_sign", BAD_FUNC_ARG); return WOLFSSL_FAILURE; } +#ifdef WOLFSSL_SMALL_STACK + der = (byte*)XMALLOC(derSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (der == NULL) { + return WOLFSSL_FAILURE; + } +#endif + /* Create a Cert that has the certificate request fields. */ req->sigOID = wolfSSL_sigTypeFromPKEY((WOLFSSL_EVP_MD*)md, pkey); ret = wolfssl_x509_make_der(req, 1, der, &derSz, 0); if (ret != WOLFSSL_SUCCESS) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif WOLFSSL_MSG("Unable to make DER for X509"); WOLFSSL_LEAVE("wolfSSL_X509_REQ_sign", ret); return WOLFSSL_FAILURE; } - if (wolfSSL_X509_resign_cert(req, 1, der, sizeof(der), derSz, + if (wolfSSL_X509_resign_cert(req, 1, der, 2048, derSz, (WOLFSSL_EVP_MD*)md, pkey) <= 0) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif return WOLFSSL_FAILURE; } +#ifdef WOLFSSL_SMALL_STACK + XFREE(der, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif return WOLFSSL_SUCCESS; } From ddc1899d4806c7ac63766b77f487f3e157f9f57c Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 18 Mar 2022 09:07:57 -0600 Subject: [PATCH 5/7] smallstack reduction for wolfSSL_EC_POINT_get_affine_coordinates_GFp --- src/ssl.c | 50 ++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 10 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 76deac7df..bb8182769 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -40281,7 +40281,11 @@ int wolfSSL_EC_POINT_get_affine_coordinates_GFp(const WOLFSSL_EC_GROUP *group, WOLFSSL_BN_CTX *ctx) { mp_digit mp; - mp_int modulus; +#ifdef WOLFSSL_SMALL_STACK + mp_int* modulus = NULL; +#else + mp_int modulus[1]; +#endif (void)ctx; WOLFSSL_ENTER("wolfSSL_EC_POINT_get_affine_coordinates_GFp"); @@ -40296,39 +40300,65 @@ int wolfSSL_EC_POINT_get_affine_coordinates_GFp(const WOLFSSL_EC_GROUP *group, return WOLFSSL_FAILURE; } +#ifdef WOLFSSL_SMALL_STACK + modulus = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (modulus == NULL) { + return WOLFSSL_FAILURE; + } +#endif + if (!wolfSSL_BN_is_one(point->Z)) { - if (mp_init(&modulus) != MP_OKAY) { + if (mp_init(modulus) != MP_OKAY) { WOLFSSL_MSG("mp_init failed"); + #ifdef WOLFSSL_SMALL_STACK + XFREE(modulus, NULL, DYNAMIC_TYPE_BIGINT); + #endif return WOLFSSL_FAILURE; } /* Map the Jacobian point back to affine space */ - if (mp_read_radix(&modulus, ecc_sets[group->curve_idx].prime, MP_RADIX_HEX) != MP_OKAY) { + if (mp_read_radix(modulus, ecc_sets[group->curve_idx].prime, MP_RADIX_HEX) != MP_OKAY) { WOLFSSL_MSG("mp_read_radix failed"); - mp_clear(&modulus); + mp_clear(modulus); + #ifdef WOLFSSL_SMALL_STACK + XFREE(modulus, NULL, DYNAMIC_TYPE_BIGINT); + #endif return WOLFSSL_FAILURE; } - if (mp_montgomery_setup(&modulus, &mp) != MP_OKAY) { + if (mp_montgomery_setup(modulus, &mp) != MP_OKAY) { WOLFSSL_MSG("mp_montgomery_setup failed"); - mp_clear(&modulus); + mp_clear(modulus); + #ifdef WOLFSSL_SMALL_STACK + XFREE(modulus, NULL, DYNAMIC_TYPE_BIGINT); + #endif return WOLFSSL_FAILURE; } - if (ecc_map((ecc_point*)point->internal, &modulus, mp) != MP_OKAY) { + if (ecc_map((ecc_point*)point->internal, modulus, mp) != MP_OKAY) { WOLFSSL_MSG("ecc_map failed"); - mp_clear(&modulus); + mp_clear(modulus); + #ifdef WOLFSSL_SMALL_STACK + XFREE(modulus, NULL, DYNAMIC_TYPE_BIGINT); + #endif return WOLFSSL_FAILURE; } if (SetECPointExternal((WOLFSSL_EC_POINT *)point) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("SetECPointExternal failed"); - mp_clear(&modulus); + mp_clear(modulus); + #ifdef WOLFSSL_SMALL_STACK + XFREE(modulus, NULL, DYNAMIC_TYPE_BIGINT); + #endif return WOLFSSL_FAILURE; } - mp_clear(&modulus); + mp_clear(modulus); } BN_copy(x, point->X); BN_copy(y, point->Y); +#ifdef WOLFSSL_SMALL_STACK + XFREE(modulus, NULL, DYNAMIC_TYPE_BIGINT); +#endif + return WOLFSSL_SUCCESS; } #endif From 64a309e2450a86225f4a3da6d39edd3a89438339 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 18 Mar 2022 09:12:58 -0600 Subject: [PATCH 6/7] smallstack reduction for wolfSSL_ASN1_INTEGER_to_BN --- src/ssl.c | 38 +++++++++++++++++++++++++++++++------- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index bb8182769..cfff03c11 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -53993,7 +53993,11 @@ int SetIndividualInternal(WOLFSSL_BIGNUM* bn, mp_int* mpi) WOLFSSL_BIGNUM *wolfSSL_ASN1_INTEGER_to_BN(const WOLFSSL_ASN1_INTEGER *ai, WOLFSSL_BIGNUM *bn) { - mp_int mpi; +#ifdef WOLFSSL_SMALL_STACK + mp_int* mpi = NULL; +#else + mp_int mpi[1]; +#endif word32 idx = 0; int ret; @@ -54003,29 +54007,49 @@ WOLFSSL_BIGNUM *wolfSSL_ASN1_INTEGER_to_BN(const WOLFSSL_ASN1_INTEGER *ai, return NULL; } - ret = GetInt(&mpi, ai->data, &idx, ai->dataMax); +#ifdef WOLFSSL_SMALL_STACK + mpi = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (mpi == NULL) { + return NULL; + } +#endif + + ret = GetInt(mpi, ai->data, &idx, ai->dataMax); if (ret != 0) { #if defined(WOLFSSL_QT) || defined(WOLFSSL_HAPROXY) - ret = mp_init(&mpi); /* must init mpi */ + ret = mp_init(mpi); /* must init mpi */ if (ret != MP_OKAY) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(mpi, NULL, DYNAMIC_TYPE_BIGINT); + #endif return NULL; } /* Serial number in QT starts at index 0 of data */ - if (mp_read_unsigned_bin(&mpi, (byte*)ai->data, ai->length) != 0) { - mp_clear(&mpi); + if (mp_read_unsigned_bin(mpi, (byte*)ai->data, ai->length) != 0) { + mp_clear(mpi); + #ifdef WOLFSSL_SMALL_STACK + XFREE(mpi, NULL, DYNAMIC_TYPE_BIGINT); + #endif return NULL; } #else /* expecting ASN1 format for INTEGER */ WOLFSSL_LEAVE("wolfSSL_ASN1_INTEGER_to_BN", ret); + #ifdef WOLFSSL_SMALL_STACK + XFREE(mpi, NULL, DYNAMIC_TYPE_BIGINT); + #endif return NULL; #endif } /* mp_clear needs called because mpi is copied and causes memory leak with * --disable-fastmath */ - ret = SetIndividualExternal(&bn, &mpi); - mp_clear(&mpi); + ret = SetIndividualExternal(&bn, mpi); + mp_clear(mpi); + +#ifdef WOLFSSL_SMALL_STACK + XFREE(mpi, NULL, DYNAMIC_TYPE_BIGINT); +#endif if (ret != WOLFSSL_SUCCESS) { return NULL; From 906ea4ad0392dc8ad84fba8d87e24ee33b889860 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 18 Mar 2022 09:17:11 -0600 Subject: [PATCH 7/7] smallstack reduction for wolfSSL_EC_POINT_invert --- src/ssl.c | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index cfff03c11..757830852 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -40735,7 +40735,11 @@ int wolfSSL_EC_POINT_invert(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *a, WOLFSSL_BN_CTX *ctx) { ecc_point* p; - mp_int prime; +#ifdef WOLFSSL_SMALL_STACK + mp_int* prime = NULL; +#else + mp_int prime[1]; +#endif (void)ctx; @@ -40747,22 +40751,42 @@ int wolfSSL_EC_POINT_invert(const WOLFSSL_EC_GROUP *group, WOLFSSL_EC_POINT *a, p = (ecc_point*)a->internal; +#ifdef WOLFSSL_SMALL_STACK + prime = (mp_int*)XMALLOC(sizeof(mp_int), NULL, DYNAMIC_TYPE_BIGINT); + if (prime == NULL) { + return WOLFSSL_FAILURE; + } +#endif + /* read the curve prime and a */ - if (mp_init_multi(&prime, NULL, NULL, NULL, NULL, NULL) != MP_OKAY) { + if (mp_init_multi(prime, NULL, NULL, NULL, NULL, NULL) != MP_OKAY) { WOLFSSL_MSG("mp_init_multi error"); + #ifdef WOLFSSL_SMALL_STACK + XFREE(prime, NULL, DYNAMIC_TYPE_BIGINT); + #endif return WOLFSSL_FAILURE; } - if (mp_sub(&prime, p->y, p->y) != MP_OKAY) { + if (mp_sub(prime, p->y, p->y) != MP_OKAY) { WOLFSSL_MSG("mp_sub error"); + #ifdef WOLFSSL_SMALL_STACK + XFREE(prime, NULL, DYNAMIC_TYPE_BIGINT); + #endif return WOLFSSL_FAILURE; } if (SetECPointExternal(a) != WOLFSSL_SUCCESS) { WOLFSSL_MSG("SetECPointExternal error"); + #ifdef WOLFSSL_SMALL_STACK + XFREE(prime, NULL, DYNAMIC_TYPE_BIGINT); + #endif return WOLFSSL_FAILURE; } +#ifdef WOLFSSL_SMALL_STACK + XFREE(prime, NULL, DYNAMIC_TYPE_BIGINT); +#endif + return WOLFSSL_SUCCESS; }