diff --git a/src/ssl.c b/src/ssl.c index 61fca152c..74c6b0edc 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -19031,7 +19031,7 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl) sk = wolfSSL_sk_X509_new_null(); i = ssl->session->chain.count-1; for (; i >= 0; i--) { - x509 = wolfSSL_X509_new(); + x509 = wolfSSL_X509_new_ex(ssl->heap); if (x509 == NULL) { WOLFSSL_MSG("Error Creating X509"); wolfSSL_sk_X509_pop_free(sk, NULL); @@ -19399,9 +19399,10 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) return NULL; } #ifndef WOLFSSL_X509_STORE_CERTS - ssl->ourCert = wolfSSL_X509_d2i(NULL, + ssl->ourCert = wolfSSL_X509_d2i_ex(NULL, ssl->buffers.certificate->buffer, - ssl->buffers.certificate->length); + ssl->buffers.certificate->length, + ssl->heap); #endif } return ssl->ourCert; @@ -19414,9 +19415,10 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl) return NULL; } #ifndef WOLFSSL_X509_STORE_CERTS - ssl->ctx->ourCert = wolfSSL_X509_d2i(NULL, + ssl->ctx->ourCert = wolfSSL_X509_d2i_ex(NULL, ssl->ctx->certificate->buffer, - ssl->ctx->certificate->length); + ssl->ctx->certificate->length, + ssl->heap); #endif ssl->ctx->ownOurCert = 1; } @@ -19436,9 +19438,9 @@ WOLFSSL_X509* wolfSSL_CTX_get0_certificate(WOLFSSL_CTX* ctx) return NULL; } #ifndef WOLFSSL_X509_STORE_CERTS - ctx->ourCert = wolfSSL_X509_d2i(NULL, + ctx->ourCert = wolfSSL_X509_d2i_ex(NULL, ctx->certificate->buffer, - ctx->certificate->length); + ctx->certificate->length, ctx->heap); #endif ctx->ownOurCert = 1; } @@ -26396,7 +26398,8 @@ void* wolfSSL_GetHKDFExtractCtx(WOLFSSL* ssl) return WOLFSSL_FAILURE; } #else - ctx->ourCert = wolfSSL_X509_d2i(NULL, x->derCert->buffer,x->derCert->length); + ctx->ourCert = wolfSSL_X509_d2i_ex(NULL, x->derCert->buffer, + x->derCert->length, ctx->heap); if(ctx->ourCert == NULL){ return WOLFSSL_FAILURE; } @@ -30242,8 +30245,8 @@ int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx, WOLF_STACK_OF(X509)** ch idx += 3; /* Create a new X509 from DER encoded data. */ - node->data.x509 = wolfSSL_X509_d2i(NULL, ctx->certChain->buffer + idx, - length); + node->data.x509 = wolfSSL_X509_d2i_ex(NULL, + ctx->certChain->buffer + idx, length, ctx->heap); if (node->data.x509 == NULL) { XFREE(node, NULL, DYNAMIC_TYPE_OPENSSL); /* Return as much of the chain as we created. */ @@ -33969,8 +33972,8 @@ WOLFSSL_STACK* wolfSSL_PKCS7_to_stack(PKCS7* pkcs7) return p7->certs; for (i = 0; i < MAX_PKCS7_CERTS && p7->pkcs7.cert[i]; i++) { - WOLFSSL_X509* x509 = wolfSSL_X509_d2i(NULL, p7->pkcs7.cert[i], - p7->pkcs7.certSz[i]); + WOLFSSL_X509* x509 = wolfSSL_X509_d2i_ex(NULL, p7->pkcs7.cert[i], + p7->pkcs7.certSz[i], pkcs7->heap); if (!ret) ret = wolfSSL_sk_X509_new_null(); if (x509) { diff --git a/src/ssl_certman.c b/src/ssl_certman.c index 65a6c5599..149b1bd56 100644 --- a/src/ssl_certman.c +++ b/src/ssl_certman.c @@ -42,33 +42,33 @@ * @return A TLS method on success. * @return NULL when no TLS method built into wolfSSL. */ -static WC_INLINE WOLFSSL_METHOD* cm_pick_method(void) +static WC_INLINE WOLFSSL_METHOD* cm_pick_method(void* heap) { #ifndef NO_WOLFSSL_CLIENT #if !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_SSLV3) - return wolfSSLv3_client_method(); + return wolfSSLv3_client_method_ex(heap); #elif !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_TLSV10) - return wolfTLSv1_client_method(); + return wolfTLSv1_client_method_ex(heap); #elif !defined(NO_OLD_TLS) - return wolfTLSv1_1_client_method(); + return wolfTLSv1_1_client_method_ex(heap); #elif !defined(WOLFSSL_NO_TLS12) - return wolfTLSv1_2_client_method(); + return wolfTLSv1_2_client_method_ex(heap); #elif defined(WOLFSSL_TLS13) - return wolfTLSv1_3_client_method(); + return wolfTLSv1_3_client_method_ex(heap); #else return NULL; #endif #elif !defined(NO_WOLFSSL_SERVER) #if !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_SSLV3) - return wolfSSLv3_server_method(); + return wolfSSLv3_server_method_ex(heap); #elif !defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_TLSV10) - return wolfTLSv1_server_method(); + return wolfTLSv1_server_method_ex(heap); #elif !defined(NO_OLD_TLS) - return wolfTLSv1_1_server_method(); + return wolfTLSv1_1_server_method_ex(heap); #elif !defined(WOLFSSL_NO_TLS12) - return wolfTLSv1_2_server_method(); + return wolfTLSv1_2_server_method_ex(heap); #elif defined(WOLFSSL_TLS13) - return wolfTLSv1_3_server_method(); + return wolfTLSv1_3_server_method_ex(heap); #else return NULL; #endif @@ -513,8 +513,8 @@ int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm, ret = WOLFSSL_FATAL_ERROR; } /* Allocate a temporary WOLFSSL_CTX to load with. */ - if ((ret == WOLFSSL_SUCCESS) && ((tmp = wolfSSL_CTX_new(cm_pick_method())) - == NULL)) { + if ((ret == WOLFSSL_SUCCESS) && ((tmp = + wolfSSL_CTX_new_ex(cm_pick_method(cm->heap), cm->heap)) == NULL)) { WOLFSSL_MSG("CTX new failed"); ret = WOLFSSL_FATAL_ERROR; } @@ -876,8 +876,8 @@ int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file, ret = WOLFSSL_FATAL_ERROR; } /* Create temporary WOLFSSL_CTX. */ - if ((ret == WOLFSSL_SUCCESS) && ((tmp = wolfSSL_CTX_new(cm_pick_method())) - == NULL)) { + if ((ret == WOLFSSL_SUCCESS) && ((tmp = + wolfSSL_CTX_new_ex(cm_pick_method(cm->heap), cm->heap)) == NULL)) { WOLFSSL_MSG("CTX new failed"); ret = WOLFSSL_FATAL_ERROR; } diff --git a/src/x509.c b/src/x509.c index 13b7f32dd..08dd41f59 100644 --- a/src/x509.c +++ b/src/x509.c @@ -3593,7 +3593,7 @@ WOLFSSL_X509* wolfSSL_d2i_X509(WOLFSSL_X509** x509, const unsigned char** in, } static WOLFSSL_X509* d2i_X509orX509REQ(WOLFSSL_X509** x509, - const byte* in, int len, int req) + const byte* in, int len, int req, void* heap) { WOLFSSL_X509 *newX509 = NULL; int type = req ? CERTREQ_TYPE : CERT_TYPE; @@ -3620,12 +3620,12 @@ static WOLFSSL_X509* d2i_X509orX509REQ(WOLFSSL_X509** x509, return NULL; #endif - InitDecodedCert(cert, (byte*)in, len, NULL); + InitDecodedCert(cert, (byte*)in, len, heap); #ifdef WOLFSSL_CERT_REQ cert->isCSR = (byte)req; #endif if (ParseCertRelative(cert, type, 0, NULL) == 0) { - newX509 = wolfSSL_X509_new(); + newX509 = wolfSSL_X509_new_ex(heap); if (newX509 != NULL) { if (CopyDecodedToX509(newX509, cert) != 0) { wolfSSL_X509_free(newX509); @@ -3659,16 +3659,22 @@ int wolfSSL_X509_get_isCA(WOLFSSL_X509* x509) return isCA; } +WOLFSSL_X509* wolfSSL_X509_d2i_ex(WOLFSSL_X509** x509, const byte* in, int len, + void* heap) +{ + return d2i_X509orX509REQ(x509, in, len, 0, heap); +} + WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509, const byte* in, int len) { - return d2i_X509orX509REQ(x509, in, len, 0); + return wolfSSL_X509_d2i_ex(x509, in, len, NULL); } #ifdef WOLFSSL_CERT_REQ WOLFSSL_X509* wolfSSL_X509_REQ_d2i(WOLFSSL_X509** x509, const unsigned char* in, int len) { - return d2i_X509orX509REQ(x509, in, len, 1); + return d2i_X509orX509REQ(x509, in, len, 1, NULL); } #endif @@ -5319,19 +5325,24 @@ WOLFSSL_X509* wolfSSL_X509_REQ_load_certificate_buffer( /* returns a pointer to a new WOLFSSL_X509 structure on success and NULL on * fail */ -WOLFSSL_X509* wolfSSL_X509_new(void) +WOLFSSL_X509* wolfSSL_X509_new_ex(void* heap) { WOLFSSL_X509* x509; - x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL, + x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap, DYNAMIC_TYPE_X509); if (x509 != NULL) { - InitX509(x509, 1, NULL); + InitX509(x509, 1, heap); } return x509; } +WOLFSSL_X509* wolfSSL_X509_new(void) +{ + return wolfSSL_X509_new_ex(NULL); +} + WOLFSSL_ABI WOLFSSL_X509_NAME* wolfSSL_X509_get_subject_name(WOLFSSL_X509* cert) { @@ -7610,7 +7621,7 @@ static WOLFSSL_X509* d2i_X509orX509REQ_bio(WOLFSSL_BIO* bio, #endif } else { - localX509 = wolfSSL_X509_d2i(NULL, mem, size); + localX509 = wolfSSL_X509_d2i_ex(NULL, mem, size, bio->heap); } if (localX509 == NULL) { WOLFSSL_MSG("wolfSSL_X509_d2i error"); @@ -13353,7 +13364,7 @@ static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm, #endif /* Use existing CA retrieval APIs that use DecodedCert. */ - InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, NULL); + InitDecodedCert(cert, x->derCert->buffer, x->derCert->length, cm->heap); if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0 && !cert->selfSigned) { #ifndef NO_SKID @@ -13375,8 +13386,8 @@ static int x509GetIssuerFromCM(WOLFSSL_X509 **issuer, WOLFSSL_CERT_MANAGER* cm, #ifdef WOLFSSL_SIGNER_DER_CERT /* populate issuer with Signer DER */ - if (wolfSSL_X509_d2i(issuer, ca->derCert->buffer, - ca->derCert->length) == NULL) + if (wolfSSL_X509_d2i_ex(issuer, ca->derCert->buffer, + ca->derCert->length, cm->heap) == NULL) return WOLFSSL_FAILURE; #else /* Create an empty certificate as CA doesn't have a certificate. */ @@ -13471,7 +13482,8 @@ WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509 *x) return NULL; } - return wolfSSL_X509_d2i(NULL, x->derCert->buffer, x->derCert->length); + return wolfSSL_X509_d2i_ex(NULL, x->derCert->buffer, x->derCert->length, + x->heap); } #endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */ @@ -13841,7 +13853,7 @@ void wolfSSL_X509V3_set_ctx(WOLFSSL_X509V3_CTX* ctx, WOLFSSL_X509* issuer, /* not checking ctx->x509 for null first since app won't have initialized * this X509V3_CTX before this function call */ - ctx->x509 = wolfSSL_X509_new(); + ctx->x509 = wolfSSL_X509_new_ex(issuer->heap); if (!ctx->x509) return; diff --git a/src/x509_str.c b/src/x509_str.c index b0b365bc4..d5849ad75 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -63,7 +63,8 @@ WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new(void) int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, - WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509, WOLF_STACK_OF(WOLFSSL_X509)* sk) + WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509, + WOLF_STACK_OF(WOLFSSL_X509)* sk) { int ret = 0; (void)sk; @@ -75,8 +76,8 @@ int wolfSSL_X509_STORE_CTX_init(WOLFSSL_X509_STORE_CTX* ctx, ctx->current_cert = x509; #else if(x509 != NULL){ - ctx->current_cert = wolfSSL_X509_d2i(NULL, x509->derCert->buffer, - x509->derCert->length); + ctx->current_cert = wolfSSL_X509_d2i_ex(NULL, x509->derCert->buffer, + x509->derCert->length, x509->heap); if(ctx->current_cert == NULL) return WOLFSSL_FAILURE; } else @@ -1035,7 +1036,7 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, return WOLFSSL_FAILURE; /* tmp ctx for setting our cert manager */ - ctx = wolfSSL_CTX_new(cm_pick_method()); + ctx = wolfSSL_CTX_new_ex(cm_pick_method(str->cm->heap), str->cm->heap); if (ctx == NULL) return WOLFSSL_FAILURE; diff --git a/tests/api.c b/tests/api.c index cf2b3fe5c..9d30b446c 100644 --- a/tests/api.c +++ b/tests/api.c @@ -32048,7 +32048,7 @@ static int test_wolfSSL_X509_NAME(void) XFCLOSE(f); c = buf; - ExpectNotNull(x509 = wolfSSL_X509_d2i(NULL, c, bytes)); + ExpectNotNull(x509 = wolfSSL_X509_d2i_ex(NULL, c, bytes, HEAP_HINT)); /* test cmp function */ ExpectNotNull(a = X509_get_issuer_name(x509)); @@ -37177,8 +37177,8 @@ static int test_wolfSSL_X509_NID(void) /* ------ PARSE ORIGINAL SELF-SIGNED CERTIFICATE ------ */ /* convert cert from DER to internal WOLFSSL_X509 struct */ - ExpectNotNull(cert = wolfSSL_X509_d2i(&cert, client_cert_der_2048, - sizeof_client_cert_der_2048)); + ExpectNotNull(cert = wolfSSL_X509_d2i_ex(&cert, client_cert_der_2048, + sizeof_client_cert_der_2048, HEAP_HINT)); /* ------ EXTRACT CERTIFICATE ELEMENTS ------ */ diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 72ab563bf..9d028d745 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -6071,6 +6071,7 @@ int wc_ecc_init_ex(ecc_key* key, void* heap, int devId) #endif #ifdef WOLFSSL_HEAP_TEST + (void)heap; key->heap = (void*)WOLFSSL_HEAP_TEST; #else key->heap = heap; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index fb68c675f..b760e27a2 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1684,6 +1684,7 @@ WOLFSSL_API void wolfSSL_sk_CIPHER_free(WOLF_STACK_OF(WOLFSSL_CIPHER)* sk); WOLFSSL_API WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl); WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new(void); +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_new_ex(void* heap); WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_dup(WOLFSSL_X509* x); #if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA) WOLFSSL_API int wolfSSL_RSA_up_ref(WOLFSSL_RSA* rsa); @@ -2888,6 +2889,9 @@ WOLFSSL_API WOLFSSL_X509* wolfSSL_d2i_X509(WOLFSSL_X509** x509, const unsigned char** in, int len); WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509, const unsigned char* in, int len); +WOLFSSL_API WOLFSSL_X509* + wolfSSL_X509_d2i_ex(WOLFSSL_X509** x509, const unsigned char* in, int len, + void* heap); #ifdef WOLFSSL_CERT_REQ WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_REQ_d2i(WOLFSSL_X509** x509, const unsigned char* in, int len);