diff --git a/ctaocrypt/benchmark/benchmark.c b/ctaocrypt/benchmark/benchmark.c index f9434a408..08c43b2e8 100644 --- a/ctaocrypt/benchmark/benchmark.c +++ b/ctaocrypt/benchmark/benchmark.c @@ -422,7 +422,7 @@ RNG rng; void bench_rsa(void) { int i; - byte tmp[4096]; + byte tmp[3072]; size_t bytes; word32 idx = 0; diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index af346e27d..07e83c459 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -1264,7 +1264,7 @@ static int GetKey(DecodedCert* cert) if ( (next - key) < 0) return ASN_NTRU_KEY_E; - cert->srcIdx = tmpIdx + (next - key); + cert->srcIdx = tmpIdx + (int)(next - key); cert->publicKey = (byte*) XMALLOC(keyLen, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); @@ -2972,17 +2972,29 @@ static mp_int* GetRsaInt(RsaKey* key, int idx) } +/* Release Tmp RSA resources */ +static INLINE void FreeTmpRsas(byte** tmps, void* heap) +{ + int i; + + (void)heap; + + for (i = 0; i < RSA_INTS; i++) + XFREE(tmps[i], heap, DYNAMIC_TYPE_RSA); +} + + /* Convert RsaKey key to DER format, write to output (inLen), return bytes written */ int RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) { word32 seqSz, verSz, rawLen, intTotalLen = 0; word32 sizes[RSA_INTS]; - int i, j, outLen; + int i, j, outLen, ret = 0; - byte seq[MAX_SEQ_SZ]; - byte ver[MAX_VERSION_SZ]; - byte tmps[RSA_INTS][MAX_RSA_INT_SZ]; + byte seq[MAX_SEQ_SZ]; + byte ver[MAX_VERSION_SZ]; + byte* tmps[RSA_INTS]; if (!key || !output) return BAD_FUNC_ARG; @@ -2990,25 +3002,43 @@ int RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) if (key->type != RSA_PRIVATE) return BAD_FUNC_ARG; + for (i = 0; i < RSA_INTS; i++) + tmps[i] = NULL; + /* write all big ints from key to DER tmps */ for (i = 0; i < RSA_INTS; i++) { mp_int* keyInt = GetRsaInt(key, i); rawLen = mp_unsigned_bin_size(keyInt); + tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, + DYNAMIC_TYPE_RSA); + if (tmps[i] == NULL) { + ret = MEMORY_E; + break; + } tmps[i][0] = ASN_INTEGER; sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1; /* int tag */ - if ( (sizes[i] + rawLen) < sizeof(tmps[i])) { + if (sizes[i] <= MAX_SEQ_SZ) { int err = mp_to_unsigned_bin(keyInt, tmps[i] + sizes[i]); if (err == MP_OKAY) { sizes[i] += rawLen; intTotalLen += sizes[i]; } - else - return err; + else { + ret = err; + break; + } } - else - return ASN_INPUT_E; + else { + ret = ASN_INPUT_E; + break; + } + } + + if (ret != 0) { + FreeTmpRsas(tmps, key->heap); + return ret; } /* make headers */ @@ -3029,6 +3059,7 @@ int RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) XMEMCPY(output + j, tmps[i], sizes[i]); j += sizes[i]; } + FreeTmpRsas(tmps, key->heap); return outLen; } @@ -4051,10 +4082,18 @@ int CyaSSL_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz); /* Set cert issuer from issuerFile in PEM */ int SetIssuer(Cert* cert, const char* issuerFile) { - byte der[8192]; - int derSz = CyaSSL_PemCertToDer(issuerFile, der, sizeof(der)); + int derSz; + byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT); + if (der == NULL) { + CYASSL_MSG("SetIssuer OOF Problem"); + return MEMORY_E; + } + derSz = CyaSSL_PemCertToDer(issuerFile, der, EIGHTK_BUF); cert->selfSigned = 0; + + XFREE(der, NULL, DYNAMIC_TYPE_CERT); + return SetNameFromCert(&cert->issuer, der, derSz); } @@ -4062,8 +4101,16 @@ int SetIssuer(Cert* cert, const char* issuerFile) /* Set cert subject from subjectFile in PEM */ int SetSubject(Cert* cert, const char* subjectFile) { - byte der[8192]; - int derSz = CyaSSL_PemCertToDer(subjectFile, der, sizeof(der)); + int derSz; + byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT); + + if (der == NULL) { + CYASSL_MSG("SetSubject OOF Problem"); + return MEMORY_E; + } + derSz = CyaSSL_PemCertToDer(subjectFile, der, EIGHTK_BUF); + + XFREE(der, NULL, DYNAMIC_TYPE_CERT); return SetNameFromCert(&cert->subject, der, derSz); } @@ -4074,8 +4121,15 @@ int SetSubject(Cert* cert, const char* subjectFile) /* Set atl names from file in PEM */ int SetAltNames(Cert* cert, const char* file) { - byte der[8192]; - int derSz = CyaSSL_PemCertToDer(file, der, sizeof(der)); + int derSz; + byte* der = (byte*)XMALLOC(EIGHTK_BUF, NULL, DYNAMIC_TYPE_CERT); + + if (der == NULL) { + CYASSL_MSG("SetAltNames OOF Problem"); + return MEMORY_E; + } + derSz = CyaSSL_PemCertToDer(file, der, EIGHTK_BUF); + XFREE(der, NULL, DYNAMIC_TYPE_CERT); return SetAltNamesFromCert(cert, der, derSz); } diff --git a/ctaocrypt/src/integer.c b/ctaocrypt/src/integer.c index e8da05ea1..388c4f0d5 100644 --- a/ctaocrypt/src/integer.c +++ b/ctaocrypt/src/integer.c @@ -37,6 +37,11 @@ #include +#ifndef NO_CYASSL_SMALL_STACK + #ifndef CYASSL_SMALL_STACK + #define CYASSL_SMALL_STACK + #endif +#endif /* math settings check */ word32 CheckRunTimeSettings(void) diff --git a/ctaocrypt/src/tfm.c b/ctaocrypt/src/tfm.c index 95fcb40ff..b048b1680 100644 --- a/ctaocrypt/src/tfm.c +++ b/ctaocrypt/src/tfm.c @@ -1005,7 +1005,7 @@ static int _fp_exptmod(fp_int * G, fp_int * X, fp_int * P, fp_int * Y) } /* grab the next msb from the exponent */ - y = (fp_digit)(buf >> (DIGIT_BIT - 1)) & 1; + y = (int)(buf >> (DIGIT_BIT - 1)) & 1; buf <<= (fp_digit)1; /* do ops */ diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index 4c574784a..ae6b14f3f 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -1364,7 +1364,9 @@ int random_test(void) #ifdef HAVE_NTRU -static byte GetEntropy(ENTROPY_CMD cmd, byte* out) +byte GetEntropy(ENTROPY_CMD cmd, byte* out); + +byte GetEntropy(ENTROPY_CMD cmd, byte* out) { static RNG rng; @@ -1403,11 +1405,12 @@ static const char* clientCert = "./certs/client-cert.der"; static const char* caCertFile = "./certs/ca-cert.pem"; #endif +#define FOURK_BUF 4096 int rsa_test(void) { - byte tmp[2048], tmp2[2048]; - size_t bytes, bytes2; + byte* tmp; + size_t bytes; RsaKey key; RNG rng; word32 idx = 0; @@ -1420,13 +1423,17 @@ int rsa_test(void) DecodedCert cert; #endif + tmp = (byte*)malloc(FOURK_BUF); + if (tmp == NULL) + return -40; + FILE* file = fopen(clientKey, "rb"), * file2; if (!file) err_sys("can't open ./certs/client-key.der, " "Please run from CyaSSL home dir", -40); - bytes = fread(tmp, 1, sizeof(tmp), file); + bytes = fread(tmp, 1, FOURK_BUF, file); InitRsaKey(&key, 0); ret = RsaPrivateKeyDecode(tmp, &idx, &key, (word32)bytes); @@ -1456,17 +1463,15 @@ int rsa_test(void) if (!file2) return -49; - bytes2 = fread(tmp2, 1, sizeof(tmp2), file2); + bytes = fread(tmp, 1, FOURK_BUF, file2); #ifdef CYASSL_TEST_CERT - InitDecodedCert(&cert, (byte*)&tmp2, (word32)bytes2, 0); + InitDecodedCert(&cert, (byte*)&tmp, (word32)bytes2, 0); ret = ParseCert(&cert, CERT_TYPE, NO_VERIFY, 0); if (ret != 0) return -491; FreeDecodedCert(&cert); -#else - (void)bytes2; #endif fclose(file2); @@ -1474,8 +1479,8 @@ int rsa_test(void) #ifdef CYASSL_KEY_GEN { - byte der[4096]; - byte pem[4096]; + byte* der; + byte* pem; int derSz = 0; int pemSz = 0; RsaKey derIn; @@ -1488,7 +1493,14 @@ int rsa_test(void) if (ret != 0) return -301; - derSz = RsaKeyToDer(&genKey, der, sizeof(der)); + der = (byte*)malloc(FOURK_BUF); + if (der == NULL) + return -307; + pem = (byte*)malloc(FOURK_BUF); + if (pem == NULL) + return -308; + + derSz = RsaKeyToDer(&genKey, der, FOURK_BUF); if (derSz < 0) return -302; @@ -1498,7 +1510,7 @@ int rsa_test(void) ret = (int)fwrite(der, derSz, 1, keyFile); fclose(keyFile); - pemSz = DerToPem(der, derSz, pem, sizeof(pem), PRIVATEKEY_TYPE); + pemSz = DerToPem(der, derSz, pem, FOURK_BUF, PRIVATEKEY_TYPE); if (pemSz < 0) return -304; @@ -1516,6 +1528,8 @@ int rsa_test(void) FreeRsaKey(&derIn); FreeRsaKey(&genKey); + free(pem); + free(der); } #endif /* CYASSL_KEY_GEN */ @@ -1524,8 +1538,8 @@ int rsa_test(void) /* self signed */ { Cert myCert; - byte derCert[4096]; - byte pem[4096]; + byte* derCert; + byte* pem; FILE* derFile; FILE* pemFile; int certSz; @@ -1534,6 +1548,13 @@ int rsa_test(void) DecodedCert decode; #endif + derCert = (byte*)malloc(FOURK_BUF); + if (derCert == NULL) + return -309; + pem = (byte*)malloc(FOURK_BUF); + if (pem == NULL) + return -310; + InitCert(&myCert); strncpy(myCert.subject.country, "US", CTC_NAME_SIZE); @@ -1546,7 +1567,7 @@ int rsa_test(void) myCert.isCA = 1; myCert.sigType = CTC_SHA256wRSA; - certSz = MakeSelfCert(&myCert, derCert, sizeof(derCert), &key, &rng); + certSz = MakeSelfCert(&myCert, derCert, FOURK_BUF, &key, &rng); if (certSz < 0) return -401; @@ -1563,7 +1584,7 @@ int rsa_test(void) ret = (int)fwrite(derCert, certSz, 1, derFile); fclose(derFile); - pemSz = DerToPem(derCert, certSz, pem, sizeof(pem), CERT_TYPE); + pemSz = DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); if (pemSz < 0) return -404; @@ -1572,36 +1593,42 @@ int rsa_test(void) return -405; ret = (int)fwrite(pem, pemSz, 1, pemFile); fclose(pemFile); - - + free(pem); + free(derCert); } /* CA style */ { RsaKey caKey; Cert myCert; - byte derCert[4096]; - byte pem[4096]; + byte* derCert; + byte* pem; FILE* derFile; FILE* pemFile; int certSz; int pemSz; - byte tmp3[2048]; size_t bytes3; word32 idx3 = 0; #ifdef CYASSL_TEST_CERT DecodedCert decode; #endif + derCert = (byte*)malloc(FOURK_BUF); + if (derCert == NULL) + return -311; + pem = (byte*)malloc(FOURK_BUF); + if (pem == NULL) + return -312; + FILE* file3 = fopen(caKeyFile, "rb"); if (!file3) return -412; - bytes3 = fread(tmp3, 1, sizeof(tmp3), file3); + bytes3 = fread(tmp, 1, FOURK_BUF, file3); fclose(file3); InitRsaKey(&caKey, 0); - ret = RsaPrivateKeyDecode(tmp3, &idx3, &caKey, (word32)bytes3); + ret = RsaPrivateKeyDecode(tmp, &idx3, &caKey, (word32)bytes3); if (ret != 0) return -413; InitCert(&myCert); @@ -1618,11 +1645,11 @@ int rsa_test(void) if (ret < 0) return -405; - certSz = MakeCert(&myCert, derCert, sizeof(derCert), &key, &rng); + certSz = MakeCert(&myCert, derCert, FOURK_BUF, &key, &rng); if (certSz < 0) return -407; - certSz = SignCert(&myCert, derCert, sizeof(derCert), &caKey, &rng); + certSz = SignCert(&myCert, derCert, FOURK_BUF, &caKey, &rng); if (certSz < 0) return -408; @@ -1641,7 +1668,7 @@ int rsa_test(void) ret = (int)fwrite(derCert, certSz, 1, derFile); fclose(derFile); - pemSz = DerToPem(derCert, certSz, pem, sizeof(pem), CERT_TYPE); + pemSz = DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); if (pemSz < 0) return -411; @@ -1650,25 +1677,32 @@ int rsa_test(void) return -412; ret = (int)fwrite(pem, pemSz, 1, pemFile); fclose(pemFile); + free(pem); + free(derCert); } #ifdef HAVE_NTRU { RsaKey caKey; Cert myCert; - byte derCert[4096]; - byte pem[4096]; + byte* derCert; + byte* pem; FILE* derFile; FILE* pemFile; FILE* caFile; FILE* ntruPrivFile; int certSz; int pemSz; - byte tmp[2048]; size_t bytes; word32 idx = 0; #ifdef CYASSL_TEST_CERT DecodedCert decode; #endif + derCert = (byte*)malloc(FOURK_BUF); + if (derCert == NULL) + return -311; + pem = (byte*)malloc(FOURK_BUF); + if (pem == NULL) + return -312; byte public_key[557]; /* sized for EES401EP2 */ word16 public_key_len; /* no. of octets in public key */ @@ -1700,7 +1734,7 @@ int rsa_test(void) if (!caFile) return -453; - bytes = fread(tmp, 1, sizeof(tmp), caFile); + bytes = fread(tmp, 1, FOURK_BUF, caFile); fclose(caFile); InitRsaKey(&caKey, 0); @@ -1721,12 +1755,12 @@ int rsa_test(void) if (ret < 0) return -455; - certSz = MakeNtruCert(&myCert, derCert, sizeof(derCert), public_key, + certSz = MakeNtruCert(&myCert, derCert, FOURK_BUF, public_key, public_key_len, &rng); if (certSz < 0) return -456; - certSz = SignCert(&myCert, derCert, sizeof(derCert), &caKey, &rng); + certSz = SignCert(&myCert, derCert, FOURK_BUF, &caKey, &rng); if (certSz < 0) return -457; @@ -1744,7 +1778,7 @@ int rsa_test(void) ret = fwrite(derCert, certSz, 1, derFile); fclose(derFile); - pemSz = DerToPem(derCert, certSz, pem, sizeof(pem), CERT_TYPE); + pemSz = DerToPem(derCert, certSz, pem, FOURK_BUF, CERT_TYPE); if (pemSz < 0) return -460; @@ -1759,11 +1793,14 @@ int rsa_test(void) return -462; ret = fwrite(private_key, private_key_len, 1, ntruPrivFile); fclose(ntruPrivFile); + free(pem); + free(derCert); } #endif /* HAVE_NTRU */ #endif /* CYASSL_CERT_GEN */ FreeRsaKey(&key); + free(tmp); return 0; } diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 24fe042f4..0b9e2f67a 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -142,6 +142,7 @@ enum Misc_ASN { #endif MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */ MAX_OCSP_NONCE_SZ = 18, /* OCSP Nonce size */ + EIGHTK_BUF = 8192, /* Tmp buffer size */ MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2 /* use bigger NTRU size */ }; diff --git a/m4/ax_harden_compiler_flags.m4 b/m4/ax_harden_compiler_flags.m4 index a32cef3c9..a94dce410 100644 --- a/m4/ax_harden_compiler_flags.m4 +++ b/m4/ax_harden_compiler_flags.m4 @@ -58,6 +58,7 @@ # AX_APPEND_COMPILE_FLAGS([-Wold-style-definition],,[$ax_append_compile_cflags_extra]) # AX_APPEND_COMPILE_FLAGS([-std=c99],,[$ax_append_compile_cflags_extra]) # AX_APPEND_COMPILE_FLAGS([-Wlogical-op],,[$ax_append_compile_cflags_extra]) +# AX_APPEND_COMPILE_FLAGS([-fstack-check],,[$ax_append_compile_cflags_extra]) -- problems with fastmath stack size checks #serial 4 @@ -113,7 +114,6 @@ AX_APPEND_COMPILE_FLAGS([-O0],,[$ax_append_compile_cflags_extra]) ],[]) - AX_APPEND_COMPILE_FLAGS([-fstack-check],,[$ax_append_compile_cflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wno-pragmas],,[$ax_append_compile_cflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wall],,[$ax_append_compile_cflags_extra]) @@ -179,7 +179,6 @@ AS_IF([test "$ac_cv_vcs_checkout" = "yes" ], [ AX_APPEND_COMPILE_FLAGS([-Werror],,[$ax_append_compile_cxxflags_extra]) - AX_APPEND_COMPILE_FLAGS([-fstack-check],,[$ax_append_compile_cxxflags_extra]) ],[ AX_APPEND_COMPILE_FLAGS([-Wno-pragmas],,[$ax_append_compile_cxxflags_extra]) ]) diff --git a/src/ssl.c b/src/ssl.c index 992ef8dcb..86fce8767 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3175,7 +3175,7 @@ int CyaSSL_set_compression(CYASSL* ssl) because of SSL_write behavior and because front adds may be small */ int CyaSSL_writev(CYASSL* ssl, const struct iovec* iov, int iovcnt) { - byte tmp[OUTPUT_RECORD_SIZE]; + byte tmp[FILE_BUFFER_SIZE]; byte* myBuffer = tmp; int send = 0; int newBuffer = 0; @@ -6855,8 +6855,8 @@ static int initGlobalRNG = 0; /* return 1 on success else 0 */ int CyaSSL_DH_generate_key(CYASSL_DH* dh) { - unsigned char pub [1024]; - unsigned char priv[1024]; + unsigned char pub [768]; + unsigned char priv[768]; word32 pubSz = sizeof(pub); word32 privSz = sizeof(priv); RNG tmpRNG;