Memory Usage: reduce maximum in use

CheckCertSignature Free the dataASN before calling ConfirmSignature. dataASN not needed at this point and ConfirmSignature uses lots of memory. DecodeCertInternal: Free the dataASN before calling DecodeCertExtensions, dataASN not needed at this point and DecodeCertExtensions uses more memory. ecc_verify_hash: v doesn't need to be a new allocated variable - reuse w. v is the modular reduction of x-ordinate to prime calculated at end.
2025-07-30 02:37:28 +02:00 · 2023-04-19 14:17:30 +10:00
parent 70322f620d
commit 436c647acc
2 changed files with 23 additions and 29 deletions
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -20275,33 +20275,35 @@ static int DecodeCertInternal(DecodedCert* cert, int verify, int* criticalExt,
            cert->extensionsSz  = (int)GetASNItem_Length(
                    dataASN[X509CERTASN_IDX_TBS_EXT], cert->source);
            cert->extensionsIdx = dataASN[X509CERTASN_IDX_TBS_EXT].offset;
-
-            /* Decode the extension data starting at [3]. */
-            ret = DecodeCertExtensions(cert);
-            if (criticalExt != NULL) {
-                if (ret == ASN_CRIT_EXT_E) {
-                    /* Return critical extension not recognized. */
-                    *criticalExt = ret;
-                    ret = 0;
-                }
-                else {
-                    /* No critical extension error. */
-                    *criticalExt = 0;
-                }
-            }
-        }
-        if (ret == 0) {
            /* Advance past extensions. */
            cert->srcIdx = dataASN[X509CERTASN_IDX_SIGALGO_SEQ].offset;
        }
    }

+    /* Dispose of memory before allocating for extension decoding. */
+    FREE_ASNGETDATA(dataASN, cert->heap);
+
+    if ((ret == 0) && (!done) && (cert->extensions != NULL)) {
+        /* Decode the extension data starting at [3]. */
+        ret = DecodeCertExtensions(cert);
+        if (criticalExt != NULL) {
+            if (ret == ASN_CRIT_EXT_E) {
+                /* Return critical extension not recognized. */
+                *criticalExt = ret;
+                ret = 0;
+            }
+            else {
+                /* No critical extension error. */
+                *criticalExt = 0;
+            }
+        }
+    }
+
    if ((ret == 0) && (!done) && (badDate != 0)) {
        /* Parsed whole certificate fine but return any date errors. */
        ret = badDate;
    }

-    FREE_ASNGETDATA(dataASN, cert->heap);
    return ret;
 }

@ -21408,6 +21410,8 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
        }
    }

+    FREE_ASNGETDATA(dataASN, heap);
+
    if (ret == 0) {
        /* Check signature. */
        ret = ConfirmSignature(sigCtx, tbs, tbsSz, pubKey, pubKeySz, pubKeyOID,
@ -21422,7 +21426,6 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
    if (sigCtx != NULL)
        XFREE(sigCtx, heap, DYNAMIC_TYPE_SIGNATURE);
 #endif
-    FREE_ASNGETDATA(dataASN, heap);
    return ret;
 #endif /* WOLFSSL_ASN_TEMPLATE */
 }
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@ -8284,12 +8284,12 @@ static int ecc_verify_hash(mp_int *r, mp_int *s, const byte* hash,
   ecc_point  lcl_mG;
   ecc_point  lcl_mQ;
 #endif
-   DECL_MP_INT_SIZE_DYN(v, ECC_KEY_MAX_BITS(key), MAX_ECC_BITS_USE);
   DECL_MP_INT_SIZE_DYN(w, ECC_KEY_MAX_BITS(key), MAX_ECC_BITS_USE);
 #if !defined(WOLFSSL_ASYNC_CRYPT) || !defined(HAVE_CAVIUM_V)
   DECL_MP_INT_SIZE_DYN(e_lcl, ECC_KEY_MAX_BITS(key), MAX_ECC_BITS_USE);
 #endif
   mp_int*    e;
+   mp_int*    v = NULL;      /* Will be w. */
   mp_int*    u1 = NULL;     /* Will be e. */
   mp_int*    u2 = NULL;     /* Will be w. */

@ -8371,12 +8371,6 @@ static int ecc_verify_hash(mp_int *r, mp_int *s, const byte* hash,
   }
 #endif /* WOLFSSL_ASYNC_CRYPT && WC_ASYNC_ENABLE_ECC */

-   NEW_MP_INT_SIZE(v, ECC_KEY_MAX_BITS(key), key->heap, DYNAMIC_TYPE_ECC);
-#ifdef MP_INT_SIZE_CHECK_NULL
-   if (v == NULL) {
-       err = MEMORY_E;
-   }
-#endif
   NEW_MP_INT_SIZE(w, ECC_KEY_MAX_BITS(key), key->heap, DYNAMIC_TYPE_ECC);
 #ifdef MP_INT_SIZE_CHECK_NULL
   if (w == NULL) {
@ -8387,8 +8381,7 @@ static int ecc_verify_hash(mp_int *r, mp_int *s, const byte* hash,
   if (err == MP_OKAY) {
       u1 = e;
       u2 = w;
-
-       err = INIT_MP_INT_SIZE(v, ECC_KEY_MAX_BITS(key));
+       v = w;
   }
   if (err == MP_OKAY) {
       err = INIT_MP_INT_SIZE(w, ECC_KEY_MAX_BITS(key));
@ -8503,10 +8496,8 @@ static int ecc_verify_hash(mp_int *r, mp_int *s, const byte* hash,
   wc_ecc_del_point_ex(mQ, key->heap);

   mp_clear(e);
-   mp_clear(v);
   mp_clear(w);
   FREE_MP_INT_SIZE(w, key->heap, DYNAMIC_TYPE_ECC);
-   FREE_MP_INT_SIZE(v, key->heap, DYNAMIC_TYPE_ECC);
 #if !defined(WOLFSSL_ASYNC_CRYPT) || !defined(HAVE_CAVIUM_V)
   FREE_MP_INT_SIZE(e_lcl, key->heap, DYNAMIC_TYPE_ECC);
 #endif