From c2c209fb890dca700f172f0ce492ecf51c0b85dd Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 27 Jun 2018 14:09:32 -0600 Subject: [PATCH 01/17] add ca when getting chain from x509 store --- src/internal.c | 34 ++++++++++++++++++++++++++++++++++ src/ssl.c | 29 +++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) diff --git a/src/internal.c b/src/internal.c index 6c52f9048..72339878a 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8739,6 +8739,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, store->userCtx = ssl->verifyCbCtx; store->certs = args->certs; store->totalCerts = args->totalCerts; + + #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) + if (ssl->ctx->x509_store_pt != NULL) { + store->store = ssl->ctx->x509_store_pt; + } + else { + store->store = &ssl->ctx->x509_store; + } + #endif #if !defined(NO_CERTS) InitX509(x509, 1, ssl->heap); #if defined(KEEP_PEER_CERT) || \ @@ -8822,6 +8831,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, store->userCtx = ssl->verifyCbCtx; store->certs = args->certs; store->totalCerts = args->totalCerts; + + #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) + if (ssl->ctx->x509_store_pt != NULL) { + store->store = ssl->ctx->x509_store_pt; + } + else { + store->store = &ssl->ctx->x509_store; + } + #endif #if !defined(NO_CERTS) InitX509(x509, 1, ssl->heap); #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) @@ -9411,6 +9429,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, store->userCtx = ssl->verifyCbCtx; store->certs = args->certs; store->totalCerts = args->totalCerts; + + #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) + if (ssl->ctx->x509_store_pt != NULL) { + store->store = ssl->ctx->x509_store_pt; + } + else { + store->store = &ssl->ctx->x509_store; + } + #endif #ifdef KEEP_PEER_CERT if (ssl->peerCert.subject.sz > 0) store->current_cert = &ssl->peerCert; 
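Review bot: The same six-line selection of `store->store` is pasted into ProcessPeerCerts three times in this part of src/internal.c and a fourth time in the `@@ -9464` hunk, where it appears without the `#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)` guard the other three carry. If that fourth site is not already inside an equivalent conditional (the enclosing code is outside the hunk), a build without those macros may fail to compile on `x509_store_pt`. I would use one guarded expression at all four sites, e.g. `store->store = (ssl->ctx->x509_store_pt != NULL) ? ssl->ctx->x509_store_pt : &ssl->ctx->x509_store;`. ProcessPeerCerts starts and ends outside every one of these hunks.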
@@ -9464,6 +9491,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, store->userCtx = ssl->verifyCbCtx; store->certs = args->certs; store->totalCerts = args->totalCerts; + + if (ssl->ctx->x509_store_pt != NULL) { + store->store = ssl->ctx->x509_store_pt; + } + else { + store->store = &ssl->ctx->x509_store; + } #ifdef KEEP_PEER_CERT if (ssl->peerCert.subject.sz > 0) store->current_cert = &ssl->peerCert; diff --git a/src/ssl.c b/src/ssl.c index 22117db4f..4e27b7a4c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17830,6 +17830,8 @@ void wolfSSL_PKCS12_PBE_add(void) WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx) { + WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_chain"); + if (ctx == NULL) { return NULL; } @@ -17848,6 +17850,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx) XMEMSET(sk, 0, sizeof(WOLFSSL_STACK)); ctx->chain = sk; + for (i = 0; i < c->count && i < MAX_CHAIN_DEPTH; i++) { WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, i); 
@@ -17860,9 +17863,35 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx) if (wolfSSL_sk_X509_push(sk, x509) != SSL_SUCCESS) { WOLFSSL_MSG("Unable to load x509 into stack"); wolfSSL_sk_X509_free(sk); + wolfSSL_X509_free(x509); return NULL; } } + + /* add CA used to verify top of chain to the list */ + if (c->count > 0) { + WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1); + if (x509 != NULL) { + WOLFSSL_X509* issuer = NULL; + wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, x509); + + /* check that the certificate being looked up is not self signed + * and that a issuer was found */ + if (issuer != NULL && wolfSSL_X509_NAME_cmp(&x509->issuer, + &x509->subject) != 0) { + if (wolfSSL_sk_X509_push(sk, issuer) != SSL_SUCCESS) { + WOLFSSL_MSG("Unable to load CA x509 into stack"); + wolfSSL_sk_X509_free(sk); + wolfSSL_X509_free(issuer); + return NULL; + } + } + else { + WOLFSSL_MSG("could not find CA for cert or is self signed"); + } + } + } + } #endif /* SESSION_CERTS */ From af75145602a613ab5925767f2158d27bfd8cf110 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 27 Jun 2018 16:13:46 -0600 Subject: [PATCH 02/17] adjust macro guards --- src/ssl.c | 11 ++++++++--- wolfssl/internal.h | 3 ++- wolfssl/ssl.h | 3 ++- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 4e27b7a4c..8418693e6 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17868,6 +17868,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx) } } +#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) /* add CA used to verify top of chain to the list */ if (c->count > 0) { WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1); @@ -17891,6 +17892,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx) } } } +#endif } #endif /* SESSION_CERTS */ 
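Review bot: The new issuer lookup in wolfSSL_X509_STORE_CTX_get_chain never releases the `x509` it gets from `wolfSSL_get_chain_X509(c, c->count - 1)`, and when an issuer is found for a self-signed top certificate the `else` branch only logs and leaves `issuer` allocated. The loop above treats objects returned by wolfSSL_get_chain_X509 as caller-owned (they are either pushed or freed), so the same ownership presumably applies to this lookup copy. Both error returns also call `wolfSSL_sk_X509_free(sk)` after the earlier hunk stored `ctx->chain = sk`, which leaves the context pointing at a freed stack unless code outside the hunk clears it. The return value of wolfSSL_X509_STORE_CTX_get1_issuer is ignored as well. The function body starts outside this hunk.

```c
/* add CA used to verify top of chain to the list */
if (c->count > 0) {
    WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1);
    if (x509 != NULL) {
        WOLFSSL_X509* issuer = NULL;
        int selfSigned = (wolfSSL_X509_NAME_cmp(&x509->issuer,
                                                &x509->subject) == 0);

        wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, x509);
        wolfSSL_X509_free(x509); /* lookup copy is no longer needed */

        if (issuer != NULL && !selfSigned) {
            if (wolfSSL_sk_X509_push(sk, issuer) != SSL_SUCCESS) {
                WOLFSSL_MSG("Unable to load CA x509 into stack");
                wolfSSL_X509_free(issuer);
                wolfSSL_sk_X509_free(sk);
                ctx->chain = NULL; /* do not leave a freed stack behind */
                return NULL;
            }
        }
        else {
            WOLFSSL_MSG("could not find CA for cert or is self signed");
            if (issuer != NULL) {
                wolfSSL_X509_free(issuer); /* found but not added */
            }
        }
    }
}
```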
@@ -32230,9 +32232,11 @@ int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url) ssl->url = url; return WOLFSSL_SUCCESS; } -#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY */ +#endif /* OCSP */ +#endif /* OPENSSL_ALL / WOLFSSL_NGINX / WOLFSSL_HAPROXY */ -#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) +#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ + defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx, WOLF_STACK_OF(X509)** chain) { word32 idx; @@ -32451,8 +32455,9 @@ char* wolfSSL_sk_WOLFSSL_STRING_value(WOLF_STACK_OF(WOLFSSL_STRING)* strings, return NULL; return strings->data.string; } -#endif /* HAVE_OCSP */ +#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */ +#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) #ifdef HAVE_ALPN void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl, const unsigned char **data, unsigned int *len) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index f44356029..80d8fc0ec 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2371,7 +2371,8 @@ struct WOLFSSL_CTX { #ifdef OPENSSL_EXTRA WOLF_STACK_OF(WOLFSSL_X509_NAME)* ca_names; #endif - #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY) + #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \ + defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY) WOLF_STACK_OF(WOLFSSL_X509)* x509Chain; #endif #ifdef WOLFSSL_TLS13 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 93a5c3904..8e07a2574 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h 
@@ -2836,7 +2836,8 @@ WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, int (*)( WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc)); #endif -#ifdef HAVE_OCSP +#if defined(HAVE_OCSP) || defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \ + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) WOLFSSL_API int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx, WOLF_STACK_OF(X509)** chain); WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx, From 66c2c65444fb194915eed950f5e7b4cc63c6abe9 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 5 Jun 2018 14:41:45 -0700 Subject: [PATCH 03/17] Changes to support Lighttpd 1.4.49: * Fix for `wolfSSL_CTX_set_options` to work correctly when no certificate has been set for WOLFSSL_CTX, otherwise this operation fails with `Server missing certificate`. * Fix for bad argument name `time`. * Fix for `warning: type of bit-field`: Allowed types for bit-fields are int and unsigned int only. * Exposed `ERR_remove_thread_state` and `SSL_CTX_set_tmp_ecdh` for lighttpd * Renamed `WOLFSSL_ERR_remove_thread_state` to `wolfSSL_ERR_remove_thread_state` and setup old name macro. * Add missing newline on asn1.h. * Whitespace cleanup in ssl.c. --- src/ssl.c | 82 +++++++++++++++++----------------- wolfcrypt/src/asn.c | 4 +- wolfcrypt/test/test.c | 6 +-- wolfssl/internal.h | 2 +- wolfssl/openssl/asn1.h | 2 +- wolfssl/openssl/ssl.h | 8 ++-- wolfssl/ssl.h | 20 +++++---- wolfssl/wolfcrypt/asn_public.h | 2 +- 8 files changed, 66 insertions(+), 60 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 2d0ff101a..3375eab41 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -10840,7 +10840,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (wolfSSL_add_all_algorithms() == WOLFSSL_FATAL_ERROR) return WOLFSSL_FATAL_ERROR; - + return WOLFSSL_SUCCESS; } 
@@ -11330,15 +11330,16 @@ int wolfSSL_set_compression(WOLFSSL* ssl) long wolfSSL_CTX_set_options(WOLFSSL_CTX* ctx, long opt) { - WOLFSSL *ssl; + WOLFSSL ssl; WOLFSSL_ENTER("SSL_CTX_set_options"); - if(ctx == NULL) + + if (ctx == NULL) return BAD_FUNC_ARG; - ssl = wolfSSL_new(ctx); - if(ssl == NULL) - return SSL_FAILURE; - ctx->mask = wolfSSL_set_options(ssl, opt); - wolfSSL_free(ssl); + + XMEMSET(&ssl, 0, sizeof(ssl)); + ssl.options.mask = ctx->mask; + ctx->mask = wolfSSL_set_options(&ssl, opt); + return ctx->mask; } @@ -17911,7 +17912,7 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void) if((store = (WOLFSSL_X509_STORE*)XMALLOC(sizeof(WOLFSSL_X509_STORE), NULL, DYNAMIC_TYPE_X509_STORE)) == NULL) goto err_exit; - + if((store->cm = wolfSSL_CertManagerNew()) == NULL) goto err_exit; @@ -17919,11 +17920,11 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void) #ifdef HAVE_CRL store->crl = NULL; - if((store->crl = (WOLFSSL_X509_CRL *)XMALLOC(sizeof(WOLFSSL_X509_CRL), + if((store->crl = (WOLFSSL_X509_CRL *)XMALLOC(sizeof(WOLFSSL_X509_CRL), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL) goto err_exit; if(InitCRL(store->crl, NULL) < 0) - goto err_exit; + goto err_exit; #endif return store; @@ -18080,7 +18081,7 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) } #endif /* NO_CERTS */ -#if !defined(NO_FILESYSTEM) +#if !defined(NO_FILESYSTEM) static void *wolfSSL_d2i_X509_fp_ex(XFILE file, void **x509, int type) { void *newx509 = NULL; @@ -18108,7 +18109,7 @@ static void *wolfSSL_d2i_X509_fp_ex(XFILE file, void **x509, int type) { WOLFSSL_MSG("File read failed"); goto err_exit; - } + } if(type == CERT_TYPE) newx509 = (void *)wolfSSL_X509_d2i(NULL, fileBuffer, (int)sz); #ifdef HAVE_CRL 
@@ -18200,7 +18201,7 @@ WOLFSSL_X509_CRL* wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL** crl, const unsigned ch WOLFSSL_MSG("Init tmp CRL failed"); goto err_exit; } - ret = BufferLoadCRL(newcrl, in, len, WOLFSSL_FILETYPE_ASN1, 1); + ret = BufferLoadCRL(newcrl, in, len, WOLFSSL_FILETYPE_ASN1, 1); if (ret != WOLFSSL_SUCCESS){ WOLFSSL_MSG("Buffer Load CRL failed"); goto err_exit; @@ -18212,7 +18213,7 @@ WOLFSSL_X509_CRL* wolfSSL_d2i_X509_CRL(WOLFSSL_X509_CRL** crl, const unsigned ch err_exit: if(newcrl != NULL) - wolfSSL_X509_CRL_free(newcrl); + wolfSSL_X509_CRL_free(newcrl); newcrl = NULL; _exit: return newcrl; @@ -27691,7 +27692,7 @@ WOLFSSL_RSA *wolfSSL_d2i_RSAPublicKey(WOLFSSL_RSA **r, const unsigned char **pp, WOLFSSL_MSG("RSA_new failed"); return NULL; } - + if(wolfSSL_RSA_LoadDer_ex(rsa, *pp, (int)len, WOLFSSL_RSA_LOAD_PUBLIC) != WOLFSSL_SUCCESS){ WOLFSSL_MSG("RSA_LoadDer failed"); @@ -28734,7 +28735,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) int derSz; long i = 0, l; WOLFSSL_X509_CRL* newcrl; - + WOLFSSL_ENTER("wolfSSL_PEM_read_X509_CRL"); if (fp == NULL) { @@ -29519,7 +29520,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) } #endif /* ! NO_SHA256 */ -#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_SHA512) +#if defined(WOLFSSL_SHA384) && defined(WOLFSSL_SHA512) /* One shot SHA384 hash of message. * * d message to hash @@ -29567,7 +29568,7 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl) #endif /* defined(WOLFSSL_SHA384) && defined(WOLFSSL_SHA512) */ -#if defined(WOLFSSL_SHA512) +#if defined(WOLFSSL_SHA512) /* One shot SHA512 hash of message. * * d message to hash 
@@ -30867,8 +30868,9 @@ int wolfSSL_get_state(const WOLFSSL* ssl) /* stunnel compatibility functions*/ -#if defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)) -void WOLFSSL_ERR_remove_thread_state(void* pid) +#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) \ + || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY))) +void wolfSSL_ERR_remove_thread_state(void* pid) { (void) pid; return; @@ -31010,6 +31012,7 @@ unsigned long wolfSSL_ERR_peek_last_error(void) #endif } #endif + #ifndef NO_WOLFSSL_STUB int wolfSSL_FIPS_mode(void) { @@ -31056,11 +31059,6 @@ int wolfSSL_CIPHER_get_bits(const WOLFSSL_CIPHER *c, int *alg_bits) } return ret; } -#endif /* #if defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)) */ - - -/* stunnel compatibility functions*/ -#if defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX)) int wolfSSL_sk_X509_NAME_num(const WOLF_STACK_OF(WOLFSSL_X509_NAME) *s) { @@ -31276,7 +31274,8 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs(WOLFSSL_X509_STORE_CT } #endif -#endif /* OPENSSL_EXTRA and HAVE_STUNNEL */ +#endif /* OPENSSL_ALL || (OPENSSL_EXTRA && (HAVE_STUNNEL || WOLFSSL_NGINX || HAVE_LIGHTY)) */ + #if defined(OPENSSL_ALL) || \ (defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || \ @@ -31779,7 +31778,7 @@ void wolfSSL_OPENSSL_config(char *config_name) #endif #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(OPENSSL_EXTRA) + || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c) { static int x509_idx = 0; 
@@ -32181,7 +32180,8 @@ int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *ctx, int (*cb)( } #endif /* HAVE_SESSION_TICKET */ -#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA */ +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || + OPENSSL_EXTRA || HAVE_LIGHTY */ #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) #ifdef HAVE_OCSP @@ -32711,7 +32711,7 @@ static int check_esc_char(char c, char *esc) return 0; } -int wolfSSL_ASN1_STRING_print_ex(WOLFSSL_BIO *out, WOLFSSL_ASN1_STRING *str, +int wolfSSL_ASN1_STRING_print_ex(WOLFSSL_BIO *out, WOLFSSL_ASN1_STRING *str, unsigned long flags) { size_t str_len = 0, type_len = 0; @@ -32744,7 +32744,7 @@ int wolfSSL_ASN1_STRING_print_ex(WOLFSSL_BIO *out, WOLFSSL_ASN1_STRING *str, 'E', 'F' }; char hex_tmp[4]; char *str_ptr, *str_end; - + if (type_len > 0){ if (wolfSSL_BIO_write(out, typebuf, (int)type_len) != (int)type_len){ XFREE(typebuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -32769,7 +32769,7 @@ int wolfSSL_ASN1_STRING_print_ex(WOLFSSL_BIO *out, WOLFSSL_ASN1_STRING *str, } str_ptr = str->data; - str_end = str->data + str->length; + str_end = str->data + str->length; while (str_ptr < str_end){ hex_tmp[0] = hex_char[*str_ptr >> 4]; hex_tmp[1] = hex_char[*str_ptr & 0xf]; @@ -32795,17 +32795,17 @@ int wolfSSL_ASN1_STRING_print_ex(WOLFSSL_BIO *out, WOLFSSL_ASN1_STRING *str, if (flags & ASN1_STRFLGS_ESC_2253){ char esc_ch[] = "+;<>\\"; - char* esc_ptr = NULL; + char* esc_ptr = NULL; esc_ptr = str->data; while (*esc_ptr != 0){ if (check_esc_char(*esc_ptr, esc_ch)){ if (wolfSSL_BIO_write(out,"\\", 1) != 1) - goto err_exit; + goto err_exit; str_len++; } if (wolfSSL_BIO_write(out, esc_ptr, 1) != 1) - goto err_exit; + goto err_exit; str_len++; esc_ptr++; } 
@@ -32847,14 +32847,14 @@ WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_to_generalizedtime(WOLFSSL_ASN1_TIME *t, return NULL; } if (out == NULL || *out == NULL){ - ret = (WOLFSSL_ASN1_TIME*)XMALLOC(sizeof(WOLFSSL_ASN1_TIME), NULL, + ret = (WOLFSSL_ASN1_TIME*)XMALLOC(sizeof(WOLFSSL_ASN1_TIME), NULL, DYNAMIC_TYPE_TMP_BUFFER); if (ret == NULL){ WOLFSSL_MSG("memory alloc failed."); return NULL; } XMEMSET(ret, 0, sizeof(WOLFSSL_ASN1_TIME)); - } else + } else ret = *out; if (time_type == ASN_GENERALIZED_TIME){ @@ -32864,14 +32864,14 @@ WOLFSSL_ASN1_TIME *wolfSSL_ASN1_TIME_to_generalizedtime(WOLFSSL_ASN1_TIME *t, ret->data[0] = ASN_GENERALIZED_TIME; ret->data[1] = ASN_GENERALIZED_TIME_SIZE; data_ptr = ret->data + 2; - if (t->data[2] >= '5') + if (t->data[2] >= '5') XSNPRINTF((char*)data_ptr, ASN_UTC_TIME_SIZE + 2, "19%s", t->data + 2); else XSNPRINTF((char*)data_ptr, ASN_UTC_TIME_SIZE + 2, "20%s", t->data + 2); return ret; - } - + } + WOLFSSL_MSG("Invalid ASN_TIME value"); return NULL; } @@ -32946,7 +32946,7 @@ int wolfSSL_i2c_ASN1_INTEGER(WOLFSSL_ASN1_INTEGER *a, unsigned char **pp) pptr += a->intData[1] - 1; while (!a->intData[str_len + 2] && str_len > 1){ *(pptr--) = 0; - str_len--; + str_len--; } /* 2's complement next octet */ *(pptr--) = ((a->intData[str_len + 1]) ^ 0xff) + 1; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 008776d27..10ecadec0 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -4743,11 +4743,11 @@ int wc_GetDateInfo(const byte* certDate, int certDateSz, const byte** date, #ifndef NO_ASN_TIME int wc_GetDateAsCalendarTime(const byte* date, int length, byte format, - struct tm* time) + struct tm* timearg) { int idx = 0; (void)length; - if (!ExtractDate(date, format, time, &idx)) + if (!ExtractDate(date, format, timearg, &idx)) return ASN_TIME_E; return 0; } diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 4a45faf87..d7ca95bea 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c 
@@ -1305,7 +1305,7 @@ int asn_test(void) int length; const byte* datePart; #ifndef NO_ASN_TIME - struct tm time; + struct tm timearg; #ifdef WORD64_AVAILABLE word64 now; #else @@ -1334,7 +1334,7 @@ int asn_test(void) return -1404; } - ret = wc_GetDateAsCalendarTime(datePart, length, format, &time); + ret = wc_GetDateAsCalendarTime(datePart, length, format, &timearg); if (ret != 0) return -1405; #endif /* !NO_ASN_TIME */ @@ -2834,7 +2834,7 @@ int hash_test(void) if (hashType != WC_HASH_TYPE_NONE) return -3071; #endif - + ret = wc_HashGetOID(WC_HASH_TYPE_MD5_SHA); #ifndef NO_MD5 if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index f44356029..9c8d28bcc 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2496,7 +2496,7 @@ struct WOLFSSL_CTX { CallbackALPNSelect alpnSelect; void* alpnSelectArg; #endif -#if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && (defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY))) CallbackSniRecv sniRecvCb; void* sniRecvCbArg; #endif diff --git a/wolfssl/openssl/asn1.h b/wolfssl/openssl/asn1.h index 44a66189f..d91d20d2c 100644 --- a/wolfssl/openssl/asn1.h +++ b/wolfssl/openssl/asn1.h @@ -53,4 +53,4 @@ ASN1_STRFLGS_UTF8_CONVERT | \ ASN1_STRFLGS_DUMP_UNKNOWN | \ ASN1_STRFLGS_DUMP_DER) -#endif /* WOLFSSL_ASN1_H_ */ \ No newline at end of file +#endif /* WOLFSSL_ASN1_H_ */ diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index a50e99bcb..69150c26e 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -789,7 +789,7 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define PSK_MAX_PSK_LEN 256 #define PSK_MAX_IDENTITY_LEN 128 -#define ERR_remove_thread_state WOLFSSL_ERR_remove_thread_state +#define ERR_remove_thread_state wolfSSL_ERR_remove_thread_state #define SSL_CTX_clear_options wolfSSL_CTX_clear_options 
@@ -844,7 +844,8 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define ERR_LIB_X509 10 #if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \ - defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_ALL) + defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(OPENSSL_ALL) || \ + defined(HAVE_LIGHTY) #include @@ -918,7 +919,8 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define SSL_is_server wolfSSL_is_server #define SSL_CTX_set1_curves_list wolfSSL_CTX_set1_curves_list -#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY */ +#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || WOLFSSL_MYSQL_COMPATIBLE || + OPENSSL_ALL || HAVE_LIGHTY */ #define X509_STORE_CTX_set_time wolfSSL_X509_STORE_CTX_set_time #define SSL_CTX_add_client_CA wolfSSL_CTX_add_client_CA diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 93a5c3904..407f47d97 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -187,13 +187,13 @@ typedef struct WOLFSSL_ASN1_BIT_STRING WOLFSSL_ASN1_BIT_STRING; struct WOLFSSL_ASN1_INTEGER { /* size can be increased set at 20 for tag, length then to hold at least 16 * byte type */ - unsigned char intData[WOLFSSL_ASN1_INTEGER_MAX]; + unsigned char intData[WOLFSSL_ASN1_INTEGER_MAX]; /* ASN_INTEGER | LENGTH | hex of number */ - unsigned char negative; /* negative number flag */ + unsigned char negative; /* negative number flag */ unsigned char* data; unsigned int dataMax; /* max size of data buffer */ - unsigned char isDynamic:1; /* flag for if data pointer dynamic (1 is yes 0 is no) */ + unsigned int isDynamic:1; /* flag for if data pointer dynamic (1 is yes 0 is no) */ }; struct WOLFSSL_ASN1_TIME { @@ -2647,7 +2647,8 @@ WOLFSSL_API int wolfSSL_PEM_write_bio_X509(WOLFSSL_BIO *bp, WOLFSSL_X509 *x); || defined(HAVE_STUNNEL) \ || defined(WOLFSSL_NGINX) \ || defined(WOLFSSL_HAPROXY) \ - || defined(OPENSSL_EXTRA) + || defined(OPENSSL_EXTRA) \ + || defined(HAVE_LIGHTY) #include 
@@ -2728,7 +2729,9 @@ WOLFSSL_API int wolfSSL_CTX_set_tlsext_servername_callback(WOLFSSL_CTX *, WOLFSSL_API void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX *, void*); -WOLFSSL_API void WOLFSSL_ERR_remove_thread_state(void*); +WOLFSSL_API void wolfSSL_ERR_remove_thread_state(void*); +/* support for depricated old name */ +#define WOLFSSL_ERR_remove_thread_state wolfSSL_ERR_remove_thread_state #ifndef NO_FILESYSTEM WOLFSSL_API void wolfSSL_print_all_errors_fp(XFILE *fp); @@ -2742,7 +2745,7 @@ WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs( WOLFSSL_X509_STORE_CTX*, WOLFSSL_X509_NAME*); WOLFSSL_API void wolfSSL_sk_X509_pop_free(WOLF_STACK_OF(WOLFSSL_X509)* sk, void f (WOLFSSL_X509*)); -#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ +#endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || HAVE_LIGHTY */ #if defined(OPENSSL_ALL) || \ defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \ @@ -2800,7 +2803,7 @@ WOLFSSL_API int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url); #endif #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) \ - || defined(OPENSSL_EXTRA) + || defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY) WOLFSSL_API WOLF_STACK_OF(WOLFSSL_CIPHER) *wolfSSL_get_ciphers_compat(const WOLFSSL *ssl); WOLFSSL_API int wolfSSL_X509_get_ex_new_index(int idx, void *arg, void *a, void *b, void *c); @@ -2860,7 +2863,8 @@ WOLFSSL_API char* wolfSSL_sk_WOLFSSL_STRING_value( WOLFSSL_API int PEM_write_bio_WOLFSSL_X509(WOLFSSL_BIO *bio, WOLFSSL_X509 *cert); -#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ +#endif /* OPENSSL_ALL || WOLFSSL_NGINX || WOLFSSL_HAPROXY || + OPENSSL_EXTRA || HAVE_LIGHTY*/ WOLFSSL_API void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl, const unsigned char **data, unsigned int *len); diff --git a/wolfssl/wolfcrypt/asn_public.h b/wolfssl/wolfcrypt/asn_public.h index a3c914a58..48ec24658 100644 --- a/wolfssl/wolfcrypt/asn_public.h 
+++ b/wolfssl/wolfcrypt/asn_public.h @@ -153,7 +153,7 @@ typedef struct EncryptedInfo { char name[NAME_SZ]; /* cipher name, such as "DES-CBC" */ byte iv[IV_SZ]; /* salt or encrypted IV */ - byte set:1; /* if encryption set */ + int set:1; /* if encryption set */ } EncryptedInfo; From 6dbca2b718afc7568c9a34f3927eec578dc817eb Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 20 Jun 2018 10:48:19 -0700 Subject: [PATCH 04/17] Fix to resolve the increased stack by allocating the temp `ssl` from the heap. --- src/ssl.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 3375eab41..58345be51 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -11330,15 +11330,20 @@ int wolfSSL_set_compression(WOLFSSL* ssl) long wolfSSL_CTX_set_options(WOLFSSL_CTX* ctx, long opt) { - WOLFSSL ssl; + WOLFSSL* ssl; WOLFSSL_ENTER("SSL_CTX_set_options"); - if (ctx == NULL) return BAD_FUNC_ARG; - XMEMSET(&ssl, 0, sizeof(ssl)); - ssl.options.mask = ctx->mask; - ctx->mask = wolfSSL_set_options(&ssl, opt); + ssl = (WOLFSSL*)XMALLOC(sizeof(WOLFSSL), ctx->heap, DYNAMIC_TYPE_SSL); + if (ssl == NULL) + return MEMORY_E; + + XMEMSET(ssl, 0, sizeof(WOLFSSL)); + ssl->options.mask = ctx->mask; + ctx->mask = wolfSSL_set_options(ssl, opt); + + XFREE(ssl, ctx->heap, DYNAMIC_TYPE_SSL); return ctx->mask; } From cd2971fb93c0da6ef29cb812e05ede9662c7dfe6 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 27 Jun 2018 21:30:25 -0700 Subject: [PATCH 05/17] Abstracted code for setting options mask to improve `wolfSSL_CTX_set_options`, so it doesn't require allocating a WOLFSSL object. --- src/ssl.c | 117 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 66 insertions(+), 51 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 58345be51..031ef0d20 100644 --- a/src/ssl.c +++ b/src/ssl.c 
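Review bot: Changing `set` in EncryptedInfo from `byte set:1` to `int set:1` produces a one-bit field whose signedness is implementation-defined, and where it is signed it can only hold 0 and -1, so storing 1 and later comparing with `== 1` would not match. The same commit uses `unsigned int isDynamic:1` for WOLFSSL_ASN1_INTEGER in wolfssl/ssl.h; the matching declaration here would be `unsigned int set:1; /* if encryption set */`. How callers test the flag is not visible in this hunk, and plain truthiness checks would still work, but the unsigned form removes the ambiguity.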
@@ -11327,23 +11327,15 @@ int wolfSSL_set_compression(WOLFSSL* ssl) return ctx->mask; } - + static long wolf_set_options(long old_op, long op); long wolfSSL_CTX_set_options(WOLFSSL_CTX* ctx, long opt) { - WOLFSSL* ssl; WOLFSSL_ENTER("SSL_CTX_set_options"); + if (ctx == NULL) return BAD_FUNC_ARG; - ssl = (WOLFSSL*)XMALLOC(sizeof(WOLFSSL), ctx->heap, DYNAMIC_TYPE_SSL); - if (ssl == NULL) - return MEMORY_E; - - XMEMSET(ssl, 0, sizeof(WOLFSSL)); - ssl->options.mask = ctx->mask; - ctx->mask = wolfSSL_set_options(ssl, opt); - - XFREE(ssl, ctx->heap, DYNAMIC_TYPE_SSL); + ctx->mask = wolf_set_options(ctx->mask, opt); return ctx->mask; } @@ -19385,19 +19377,9 @@ int wolfSSL_PEM_def_callback(char* name, int num, int w, void* key) } #endif -long wolfSSL_set_options(WOLFSSL* ssl, long op) +static long wolf_set_options(long old_op, long op) { - word16 haveRSA = 1; - word16 havePSK = 0; - int keySz = 0; - - WOLFSSL_ENTER("wolfSSL_set_options"); - - if (ssl == NULL) { - return 0; - } - - /* if SSL_OP_ALL then turn all bug workarounds one */ + /* if SSL_OP_ALL then turn all bug workarounds on */ if ((op & SSL_OP_ALL) == SSL_OP_ALL) { WOLFSSL_MSG("\tSSL_OP_ALL"); 
@@ -19414,64 +19396,97 @@ long wolfSSL_set_options(WOLFSSL* ssl, long op) op |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; } - ssl->options.mask |= op; - /* by default cookie exchange is on with DTLS */ - if ((ssl->options.mask & SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE) { + if ((op & SSL_OP_COOKIE_EXCHANGE) == SSL_OP_COOKIE_EXCHANGE) { WOLFSSL_MSG("\tSSL_OP_COOKIE_EXCHANGE : on by default"); } - if ((ssl->options.mask & WOLFSSL_OP_NO_SSLv2) == WOLFSSL_OP_NO_SSLv2) { + if ((op & WOLFSSL_OP_NO_SSLv2) == WOLFSSL_OP_NO_SSLv2) { WOLFSSL_MSG("\tWOLFSSL_OP_NO_SSLv2 : wolfSSL does not support SSLv2"); } - if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) { + if ((op & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) { WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_3"); - if (ssl->version.minor == TLSv1_3_MINOR) - ssl->version.minor = TLSv1_2_MINOR; } - if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { + if ((op & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_2"); - if (ssl->version.minor == TLSv1_2_MINOR) - ssl->version.minor = TLSv1_1_MINOR; } - if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { + if ((op & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { WOLFSSL_MSG("\tSSL_OP_NO_TLSv1_1"); - if (ssl->version.minor == TLSv1_1_MINOR) - ssl->version.minor = TLSv1_MINOR; } - if ((ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { + if ((op & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { WOLFSSL_MSG("\tSSL_OP_NO_TLSv1"); - if (ssl->version.minor == TLSv1_MINOR) - ssl->version.minor = SSLv3_MINOR; } - if ((ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { + if ((op & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) { WOLFSSL_MSG("\tSSL_OP_NO_SSLv3"); } - if ((ssl->options.mask & SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION) { + if ((op & SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION) { #ifdef HAVE_LIBZ WOLFSSL_MSG("SSL_OP_NO_COMPRESSION"); - ssl->options.usingCompression = 0; #else WOLFSSL_MSG("SSL_OP_NO_COMPRESSION: 
compression not compiled in"); #endif } + return old_op | op; +} + +long wolfSSL_set_options(WOLFSSL* ssl, long op) +{ + word16 haveRSA = 1; + word16 havePSK = 0; + int keySz = 0; + + WOLFSSL_ENTER("wolfSSL_set_options"); + + if (ssl == NULL) { + return 0; + } + + ssl->options.mask = wolf_set_options(ssl->options.mask, op); + + if ((ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) { + if (ssl->version.minor == TLSv1_3_MINOR) + ssl->version.minor = TLSv1_2_MINOR; + } + + if ((ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) { + if (ssl->version.minor == TLSv1_2_MINOR) + ssl->version.minor = TLSv1_1_MINOR; + } + + if ((ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) { + if (ssl->version.minor == TLSv1_1_MINOR) + ssl->version.minor = TLSv1_MINOR; + } + + if ((ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) { + if (ssl->version.minor == TLSv1_MINOR) + ssl->version.minor = SSLv3_MINOR; + } + + if ((ssl->options.mask & SSL_OP_NO_COMPRESSION) == SSL_OP_NO_COMPRESSION) { + #ifdef HAVE_LIBZ + ssl->options.usingCompression = 0; + #endif + } + /* in the case of a version change the cipher suites should be reset */ - #ifndef NO_PSK - havePSK = ssl->options.havePSK; - #endif - #ifdef NO_RSA - haveRSA = 0; - #endif - #ifndef NO_CERTS - keySz = ssl->buffers.keySz; - #endif +#ifndef NO_PSK + havePSK = ssl->options.havePSK; +#endif +#ifdef NO_RSA + haveRSA = 0; +#endif +#ifndef NO_CERTS + keySz = ssl->buffers.keySz; +#endif + InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, ssl->options.haveDH, ssl->options.haveNTRU, ssl->options.haveECDSAsig, ssl->options.haveECC, From e204b19923de2a6ac87db99f866ed1d50cb206d4 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 28 Jun 2018 14:36:15 -0600 Subject: [PATCH 06/17] add statusCb variable to OPENSSL_EXTRA build --- wolfssl/internal.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 80d8fc0ec..40de92634 100644 
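Review bot: The version cascade kept in wolfSSL_set_options ends with `ssl->version.minor = SSLv3_MINOR` when SSL_OP_NO_TLSv1 is set, and nothing in the hunk consults SSL_OP_NO_SSLv3 before taking that step; the new wolf_set_options helper only logs that flag. An object whose TLS versions are all disabled therefore ends up at the SSLv3 minor, even when SSLv3 was disabled in the same call. Whether a later check rejects that version is outside the hunk, so I would at least guard the last step with `if (ssl->version.minor == TLSv1_MINOR && (ssl->options.mask & SSL_OP_NO_SSLv3) == 0)`. A header comment on wolf_set_options saying that it only computes and returns the combined mask, and changes no connection state, would also help, since wolfSSL_CTX_set_options now relies on exactly that. wolfSSL_set_options continues past the end of the hunk.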
--- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1707,7 +1707,8 @@ struct WOLFSSL_OCSP { WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ OcspEntry* ocspList; /* OCSP response list */ wolfSSL_Mutex ocspLock; /* OCSP list lock */ -#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) +#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \ + defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) int(*statusCb)(WOLFSSL*, void*); #endif }; From c6890d518edabf85766ac2fc81c0cc15a5776730 Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Fri, 29 Jun 2018 09:44:01 -0500 Subject: [PATCH 07/17] Fix resource leak in wolfSSL_BN_hex2bn --- src/ssl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 22117db4f..a45b2e1ac 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -22184,8 +22184,10 @@ int wolfSSL_BN_hex2bn(WOLFSSL_BIGNUM** bn, const char* str) if (*bn == NULL) WOLFSSL_MSG("BN new failed"); - else if (wolfSSL_BN_bin2bn(decoded, decSz, *bn) == NULL) + else if (wolfSSL_BN_bin2bn(decoded, decSz, *bn) == NULL) { WOLFSSL_MSG("Bad bin2bn error"); + wolfSSL_BN_free(*bn); /* Free new BN */ + } else ret = WOLFSSL_SUCCESS; } From ebb3eb87d13946727e0adfd30e5c0c7c9ba48047 Mon Sep 17 00:00:00 2001 From: Eric Blankenhorn Date: Fri, 29 Jun 2018 11:02:10 -0500 Subject: [PATCH 08/17] Update from review --- src/ssl.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index a45b2e1ac..f4abf11a4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -22163,6 +22163,7 @@ int wolfSSL_BN_hex2bn(WOLFSSL_BIGNUM** bn, const char* str) #else byte decoded[1024]; #endif + int weOwn = 0; WOLFSSL_MSG("wolfSSL_BN_hex2bn"); 
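Review bot: After `wolfSSL_BN_free(*bn)` on the bin2bn failure path in wolfSSL_BN_hex2bn, `*bn` still holds the freed address, so a caller that passed in a NULL `*bn` gets back a dangling pointer that it may use or free again. The `@@ -22179` hunk of PATCH 08 restricts the free to the `weOwn` case but has the same gap. The pointer should be cleared right after the free: `wolfSSL_BN_free(*bn); *bn = NULL;`. The function body starts and ends outside both hunks.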
@@ -22179,14 +22180,20 @@ int wolfSSL_BN_hex2bn(WOLFSSL_BIGNUM** bn, const char* str) else if (bn == NULL) ret = decSz; else { - if (*bn == NULL) + if (*bn == NULL) { *bn = wolfSSL_BN_new(); + if (*bn != NULL) { + weOwn = 1; + } + } if (*bn == NULL) WOLFSSL_MSG("BN new failed"); else if (wolfSSL_BN_bin2bn(decoded, decSz, *bn) == NULL) { WOLFSSL_MSG("Bad bin2bn error"); - wolfSSL_BN_free(*bn); /* Free new BN */ + if (weOwn == 1) { + wolfSSL_BN_free(*bn); /* Free new BN */ + } } else ret = WOLFSSL_SUCCESS; From 44c4e332905cd375c7602d18e1e6ce1a0ba92fde Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 29 Jun 2018 10:22:25 -0700 Subject: [PATCH 09/17] Fix ARMv8 AES code to use the shared aes.h `CTR_SZ` and `GCM_NONCE_MID_SZ`. --- wolfcrypt/src/port/arm/armv8-aes.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/wolfcrypt/src/port/arm/armv8-aes.c b/wolfcrypt/src/port/arm/armv8-aes.c index ffc5f7df4..94332ce10 100644 --- a/wolfcrypt/src/port/arm/armv8-aes.c +++ b/wolfcrypt/src/port/arm/armv8-aes.c @@ -110,10 +110,6 @@ static const byte rcon[] = { #ifdef HAVE_AESGCM -enum { - NONCE_SZ = 12, - CTR_SZ = 4 -}; static WC_INLINE void IncrementGcmCounter(byte* inOutCtr) { @@ -1555,7 +1551,7 @@ static int Aes128GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, byte* keyPt; /* pointer to handle pointer advencment */ XMEMSET(initialCounter, 0, AES_BLOCK_SIZE); - if (ivSz == NONCE_SZ) { + if (ivSz == GCM_NONCE_MID_SZ) { XMEMCPY(initialCounter, iv, ivSz); initialCounter[AES_BLOCK_SIZE - 1] = 1; } @@ -1873,7 +1869,7 @@ static int Aes192GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, byte* keyPt; /* pointer to handle pointer advencment */ XMEMSET(initialCounter, 0, AES_BLOCK_SIZE); - if (ivSz == NONCE_SZ) { + if (ivSz == GCM_NONCE_MID_SZ) { XMEMCPY(initialCounter, iv, ivSz); initialCounter[AES_BLOCK_SIZE - 1] = 1; } 
@@ -2206,7 +2202,7 @@ static int Aes256GcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, byte* keyPt; /* pointer to handle pointer advencment */ XMEMSET(initialCounter, 0, AES_BLOCK_SIZE); - if (ivSz == NONCE_SZ) { + if (ivSz == GCM_NONCE_MID_SZ) { XMEMCPY(initialCounter, iv, ivSz); initialCounter[AES_BLOCK_SIZE - 1] = 1; } @@ -2631,7 +2627,7 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, } XMEMSET(initialCounter, 0, AES_BLOCK_SIZE); - if (ivSz == NONCE_SZ) { + if (ivSz == GCM_NONCE_MID_SZ) { XMEMCPY(initialCounter, iv, ivSz); initialCounter[AES_BLOCK_SIZE - 1] = 1; } @@ -4233,7 +4229,7 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, } XMEMSET(initialCounter, 0, AES_BLOCK_SIZE); - if (ivSz == NONCE_SZ) { + if (ivSz == GCM_NONCE_MID_SZ) { XMEMCPY(initialCounter, iv, ivSz); initialCounter[AES_BLOCK_SIZE - 1] = 1; } @@ -4312,7 +4308,7 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, } XMEMSET(initialCounter, 0, AES_BLOCK_SIZE); - if (ivSz == NONCE_SZ) { + if (ivSz == GCM_NONCE_MID_SZ) { XMEMCPY(initialCounter, iv, ivSz); initialCounter[AES_BLOCK_SIZE - 1] = 1; } From 07401d909c6c30ae3843304e00e723d21963efd2 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 29 Jun 2018 15:04:28 -0700 Subject: [PATCH 10/17] Added support for dynamic allocation of PKCS7 structure using `wc_PKCS7_New` and `wc_PKCS7_Free`. Updated the test examples to use the dynamic method. Add API unit test for `wc_PKCS7_New`. --- tests/api.c | 102 ++++++++++++-------- wolfcrypt/src/pkcs7.c | 42 +++++--- wolfcrypt/test/test.c | 196 ++++++++++++++++++++++---------------- wolfssl/wolfcrypt/pkcs7.h | 13 ++- 4 files changed, 214 insertions(+), 139 deletions(-) diff --git a/tests/api.c b/tests/api.c index 832b164d8..736313308 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -3263,7 +3263,7 @@ static void test_wolfSSL_mcast(void) | Wolfcrypt *----------------------------------------------------------------------------*/ -/* +/* * Unit test for the wc_InitBlake2b() */ static int test_wc_InitBlake2b (void) @@ -7609,7 +7609,7 @@ static int test_wc_Des3_SetKey (void) return ret; } /* END test_wc_Des3_SetKey */ - + /* * Test function for wc_Des3_CbcEncrypt and wc_Des3_CbcDecrypt @@ -7856,7 +7856,7 @@ static int test_wc_Chacha_SetKey (void) static int test_wc_Poly1305SetKey(void) { int ret = 0; - + #ifdef HAVE_POLY1305 Poly1305 ctx; const byte key[] = @@ -7868,8 +7868,8 @@ static int test_wc_Poly1305SetKey(void) }; printf(testingFmt, "wc_Poly1305_SetKey()"); - - ret = wc_Poly1305SetKey(&ctx, key, (word32)(sizeof(key)/sizeof(byte))); + + ret = wc_Poly1305SetKey(&ctx, key, (word32)(sizeof(key)/sizeof(byte))); /* Test bad args. */ if (ret == 0) { ret = wc_Poly1305SetKey(NULL, key, (word32)(sizeof(key)/sizeof(byte))); @@ -7887,7 +7887,7 @@ static int test_wc_Poly1305SetKey(void) } printf(resultFmt, ret == 0 ? passed : failed); - + #endif return ret; } /* END test_wc_Poly1305_SetKey() */ @@ -10112,7 +10112,7 @@ static int test_wc_RsaKeyToDer (void) * Testing wc_RsaKeyToPublicDer() */ static int test_wc_RsaKeyToPublicDer (void) -{ +{ int ret = 0; #if !defined(NO_RSA) && !defined(HAVE_FAST_RSA) && defined(WOLFSSL_KEY_GEN) &&\ (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) @@ -14185,6 +14185,25 @@ static int test_wc_ecc_is_valid_idx (void) } /* END test_wc_ecc_is_valid_idx */ +/* + * Testing wc_PKCS7_New() + */ +static void test_wc_PKCS7_New (void) +{ +#if defined(HAVE_PKCS7) + PKCS7* pkcs7; + void* heap = NULL; + + printf(testingFmt, "wc_PKCS7_New()"); + + pkcs7 = wc_PKCS7_New(heap, devId); + AssertNotNull(pkcs7); + + printf(resultFmt, passed); + wc_PKCS7_Free(pkcs7); +#endif +} /* END test-wc_PKCS7_New */ + /* * Testing wc_PKCS7_Init() */ 
@@ -15038,43 +15057,43 @@ static void test_wc_PKCS7_EncodeEncryptedData (void) /* Testing wc_SignatureGetSize() for signature type ECC */ static int test_wc_SignatureGetSize_ecc(void) -{ - int ret = 0; +{ + int ret = 0; #if defined(HAVE_ECC) && !defined(NO_ECC256) enum wc_SignatureType sig_type; word32 key_len; /* Initialize ECC Key */ - ecc_key ecc; + ecc_key ecc; const char* qx = "fa2737fb93488d19caef11ae7faf6b7f4bcd67b286e3fc54e8a65c2b74aeccb0"; - const char* qy = + const char* qy = "d4ccd6dae698208aa8c3a6f39e45510d03be09b2f124bfc067856c324f9b4d09"; - const char* d = + const char* d = "be34baa8d040a3b991f9075b56ba292f755b90e4b6dc10dad36715c33cfdac25"; - + ret = wc_ecc_init(&ecc); if (ret == 0) { ret = wc_ecc_import_raw(&ecc, qx, qy, d, "SECP256R1"); } printf(testingFmt, "wc_SigntureGetSize_ecc()"); - if (ret == 0) { + if (ret == 0) { /* Input for signature type ECC */ sig_type = WC_SIGNATURE_TYPE_ECC; key_len = sizeof(ecc_key); ret = wc_SignatureGetSize(sig_type, &ecc, key_len); - - /* Test bad args */ + + /* Test bad args */ if (ret > 0) { sig_type = (enum wc_SignatureType) 100; ret = wc_SignatureGetSize(sig_type, &ecc, key_len); if (ret == BAD_FUNC_ARG) { sig_type = WC_SIGNATURE_TYPE_ECC; ret = wc_SignatureGetSize(sig_type, NULL, key_len); - } + } if (ret >= 0) { key_len = (word32) 0; - ret = wc_SignatureGetSize(sig_type, &ecc, key_len); + ret = wc_SignatureGetSize(sig_type, &ecc, key_len); } if (ret == BAD_FUNC_ARG) { ret = SIG_TYPE_E; @@ -15102,7 +15121,7 @@ static int test_wc_SignatureGetSize_ecc(void) /* Testing wc_SignatureGetSize() for signature type rsa */ static int test_wc_SignatureGetSize_rsa(void) { - int ret = 0; + int ret = 0; #ifndef NO_RSA enum wc_SignatureType sig_type; word32 key_len; @@ -15112,7 +15131,7 @@ static int test_wc_SignatureGetSize_rsa(void) RsaKey rsa_key; byte* tmp = NULL; size_t bytes; - + #ifdef USE_CERT_BUFFERS_1024 bytes = (size_t)sizeof_client_key_der_1024; if (bytes < (size_t)sizeof_client_key_der_1024) 
@@ -15128,10 +15147,10 @@ static int test_wc_SignatureGetSize_rsa(void) tmp = (byte*)XMALLOC(bytes, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); if (tmp != NULL) { #ifdef USE_CERT_BUFFERS_1024 - XMEMCPY(tmp, client_key_der_1024, + XMEMCPY(tmp, client_key_der_1024, (size_t)sizeof_client_key_der_1024); #elif defined(USE_CERT_BUFFERS_2048) - XMEMCPY(tmp, client_key_der_2048, + XMEMCPY(tmp, client_key_der_2048, (size_t)sizeof_client_key_der_2048); #elif !defined(NO_FILESYSTEM) file = fopen(clientKey, "rb"); @@ -15148,7 +15167,7 @@ static int test_wc_SignatureGetSize_rsa(void) if (ret == 0) { ret = wc_InitRsaKey_ex(&rsa_key, HEAP_HINT, devId); if (ret == 0) { - ret = wc_RsaPrivateKeyDecode(tmp, &idx, &rsa_key, + ret = wc_RsaPrivateKeyDecode(tmp, &idx, &rsa_key, (word32)bytes); } } @@ -15162,7 +15181,7 @@ static int test_wc_SignatureGetSize_rsa(void) sig_type = WC_SIGNATURE_TYPE_RSA; key_len = sizeof(RsaKey); ret = wc_SignatureGetSize(sig_type, &rsa_key, key_len); - + /* Test bad args */ if (ret > 0) { sig_type = (enum wc_SignatureType) 100; @@ -15173,7 +15192,7 @@ static int test_wc_SignatureGetSize_rsa(void) } #ifndef HAVE_USER_RSA if (ret == BAD_FUNC_ARG) { - #else + #else if (ret == 0) { #endif key_len = (word32)0; @@ -15191,21 +15210,21 @@ static int test_wc_SignatureGetSize_rsa(void) #else ret = SIG_TYPE_E; #endif - + if (ret == SIG_TYPE_E) { ret = 0; }else { ret = WOLFSSL_FATAL_ERROR; } - + printf(resultFmt, ret == 0 ? passed : failed); return ret; }/* END test_wc_SignatureGetSize_rsa(void) */ - + /*----------------------------------------------------------------------------* | hash.h Tests *----------------------------------------------------------------------------*/ - + static int test_wc_HashInit(void) { int ret = 0, i; /* 0 indicates tests passed, 1 indicates failure */ 
@@ -15604,7 +15623,7 @@ static void test_wolfSSL_ASN1_GENERALIZEDTIME_free(){ XMEMSET(nullstr, 0, 32); asn1_gtime = (WOLFSSL_ASN1_GENERALIZEDTIME*)XMALLOC( - sizeof(WOLFSSL_ASN1_GENERALIZEDTIME), NULL, + sizeof(WOLFSSL_ASN1_GENERALIZEDTIME), NULL, DYNAMIC_TYPE_TMP_BUFFER); XMEMCPY(asn1_gtime->data,"20180504123500Z",ASN_GENERALIZED_TIME_SIZE); wolfSSL_ASN1_GENERALIZEDTIME_free(asn1_gtime); @@ -18374,14 +18393,14 @@ static void test_wolfSSL_SHA(void) "\x23\xB0\x03\x61\xA3\x96\x17\x7A\x9C\xB4\x10\xFF\x61\xF2\x00" "\x15\xAD"; unsigned char out[WC_SHA256_DIGEST_SIZE]; - + XMEMSET(out, 0, WC_SHA256_DIGEST_SIZE); AssertNotNull(SHA256(in, XSTRLEN((char*)in), out)); AssertIntEQ(XMEMCMP(out, expected, WC_SHA256_DIGEST_SIZE), 0); } #endif - #if defined(WOLFSSL_SHA384) && defined(WOLFSSL_SHA512) + #if defined(WOLFSSL_SHA384) && defined(WOLFSSL_SHA512) { const unsigned char in[] = "abc"; unsigned char expected[] = "\xcb\x00\x75\x3f\x45\xa3\x5e\x8b\xb5\xa0\x3d\x69\x9a\xc6\x50" @@ -18590,9 +18609,9 @@ static void test_wolfSSL_ASN1_STRING_print_ex(void){ unsigned long flags; int p_len; unsigned char rbuf[255]; - + printf(testingFmt, "wolfSSL_ASN1_STRING_print_ex()"); - + /* setup */ XMEMSET(rbuf, 0, 255); bio = BIO_new(BIO_s_mem()); @@ -19777,7 +19796,7 @@ static void test_wolfSSL_i2c_ASN1_INTEGER() DYNAMIC_TYPE_TMP_BUFFER)); tpp = pp; XMEMSET(pp, 0, ret + 1); - wolfSSL_i2c_ASN1_INTEGER(a, &pp); + wolfSSL_i2c_ASN1_INTEGER(a, &pp); pp--; AssertIntEQ(*pp, 40); XFREE(tpp, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -19792,7 +19811,7 @@ static void test_wolfSSL_i2c_ASN1_INTEGER() DYNAMIC_TYPE_TMP_BUFFER)); tpp = pp; XMEMSET(pp, 0, ret + 1); - wolfSSL_i2c_ASN1_INTEGER(a, &pp); + wolfSSL_i2c_ASN1_INTEGER(a, &pp); pp--; AssertIntEQ(*(pp--), 128); AssertIntEQ(*pp, 0); 
@@ -19809,7 +19828,7 @@ static void test_wolfSSL_i2c_ASN1_INTEGER() DYNAMIC_TYPE_TMP_BUFFER)); tpp = pp; XMEMSET(pp, 0, ret + 1); - wolfSSL_i2c_ASN1_INTEGER(a, &pp); + wolfSSL_i2c_ASN1_INTEGER(a, &pp); pp--; AssertIntEQ(*pp, 216); XFREE(tpp, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -19825,7 +19844,7 @@ static void test_wolfSSL_i2c_ASN1_INTEGER() DYNAMIC_TYPE_TMP_BUFFER)); tpp = pp; XMEMSET(pp, 0, ret + 1); - wolfSSL_i2c_ASN1_INTEGER(a, &pp); + wolfSSL_i2c_ASN1_INTEGER(a, &pp); pp--; AssertIntEQ(*pp, 128); XFREE(tpp, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -19841,13 +19860,13 @@ static void test_wolfSSL_i2c_ASN1_INTEGER() DYNAMIC_TYPE_TMP_BUFFER)); tpp = pp; XMEMSET(pp, 0, ret + 1); - wolfSSL_i2c_ASN1_INTEGER(a, &pp); + wolfSSL_i2c_ASN1_INTEGER(a, &pp); pp--; AssertIntEQ(*(pp--), 56); AssertIntEQ(*pp, 255); XFREE(tpp, NULL, DYNAMIC_TYPE_TMP_BUFFER); - wolfSSL_ASN1_INTEGER_free(a); + wolfSSL_ASN1_INTEGER_free(a); printf(resultFmt, passed); #endif /* OPENSSL_EXTRA */ @@ -20176,6 +20195,7 @@ void ApiTest(void) AssertIntEQ(test_wc_ecc_mulmod(), 0); AssertIntEQ(test_wc_ecc_is_valid_idx(), 0); + test_wc_PKCS7_New(); test_wc_PKCS7_Init(); test_wc_PKCS7_InitWithCert(); test_wc_PKCS7_EncodeData(); @@ -20183,7 +20203,7 @@ void ApiTest(void) test_wc_PKCS7_VerifySignedData(); test_wc_PKCS7_EncodeDecodeEnvelopedData(); test_wc_PKCS7_EncodeEncryptedData(); - + printf(" End API Tests\n"); } diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 23072bab1..855019f8f 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -228,6 +228,17 @@ static int wc_PKCS7_GetOIDKeySize(int oid) } +PKCS7* wc_PKCS7_New(void* heap, int devId) +{ + PKCS7* pkcs7 = (PKCS7*)XMALLOC(sizeof(PKCS7), heap, DYNAMIC_TYPE_PKCS7); + if (pkcs7) { + XMEMSET(pkcs7, 0, sizeof(PKCS7)); + wc_PKCS7_Init(pkcs7, heap, devId); + pkcs7->isDynamic = 1; + } + return pkcs7; +} + /* This is to initialize a PKCS7 structure. It sets all values to 0 and can be * used to set the heap hint. * 
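Review bot: wc_PKCS7_New allocates the struct with the caller's `heap`, but wc_PKCS7_Free later releases it with `pkcs7->heap`, and in this same commit wc_PKCS7_Init stores `WOLFSSL_HEAP_TEST` in that field when the macro is defined, so in that build the hint used to allocate and the hint used to free can differ. Whether that matters depends on how the heap-test allocator treats the hint, which is not visible here; allocating with the same value Init will store would remove the question. The `XMEMSET` before `wc_PKCS7_Init` is redundant because Init zeroes the struct itself. The new public function also has no header comment; I would add one stating that it returns NULL on allocation failure and that the result must be released with `wc_PKCS7_Free`.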
@@ -246,7 +257,11 @@ int wc_PKCS7_Init(PKCS7* pkcs7, void* heap, int devId) } XMEMSET(pkcs7, 0, sizeof(PKCS7)); +#ifdef WOLFSSL_HEAP_TEST + pkcs7->heap = (void*)WOLFSSL_HEAP_TEST; +#else pkcs7->heap = heap; +#endif pkcs7->devId = devId; return 0; @@ -254,34 +269,30 @@ int wc_PKCS7_Init(PKCS7* pkcs7, void* heap, int devId) /* init PKCS7 struct with recipient cert, decode into DecodedCert - * NOTE: keeps previously set pkcs7 memory heap hint */ + * NOTE: keeps previously set pkcs7 heap hint, devId and isDynamic */ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) { int ret = 0; void* heap; int devId; + word16 isDynamic; if (pkcs7 == NULL || (cert == NULL && certSz != 0)) { return BAD_FUNC_ARG; } -#ifdef WOLFSSL_HEAP_TEST - heap = (void*)WOLFSSL_HEAP_TEST; -#else heap = pkcs7->heap; -#endif devId = pkcs7->devId; - - XMEMSET(pkcs7, 0, sizeof(PKCS7)); - pkcs7->heap = heap; - pkcs7->devId = devId; + isDynamic = pkcs7->isDynamic; + wc_PKCS7_Init(pkcs7, heap, devId); + pkcs7->isDynamic = isDynamic; if (cert != NULL && certSz > 0) { #ifdef WOLFSSL_SMALL_STACK DecodedCert* dCert; - dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, - DYNAMIC_TYPE_PKCS7); + dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), pkcs7->heap, + DYNAMIC_TYPE_DCERT); if (dCert == NULL) return MEMORY_E; #else @@ -297,7 +308,7 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) if (ret < 0) { FreeDecodedCert(dCert); #ifdef WOLFSSL_SMALL_STACK - XFREE(dCert, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT); #endif return ret; } @@ -313,7 +324,7 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) FreeDecodedCert(dCert); #ifdef WOLFSSL_SMALL_STACK - XFREE(dCert, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT); #endif } 
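Review bot: `isDynamic = pkcs7->isDynamic;` in wc_PKCS7_InitWithCert reads the flag from whatever the caller passed, so a stack `PKCS7` that only had `heap` and `devId` assigned before this call (the pattern the signed-data test used before this commit) carries an indeterminate bit into the re-initialised struct. wc_PKCS7_Free would then `XFREE` a stack object if that bit happens to be set. The NOTE comment above the function should state the precondition, for example `* NOTE: pkcs7 must first be set up by wc_PKCS7_Init() or wc_PKCS7_New(); heap hint, devId and isDynamic are kept`.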
@@ -359,6 +370,11 @@ void wc_PKCS7_Free(PKCS7* pkcs7) if (pkcs7->der != NULL) XFREE(pkcs7->der, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif + + if (pkcs7->isDynamic) { + pkcs7->isDynamic = 0; + XFREE(pkcs7, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + } } diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 4a45faf87..6478284ea 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -2834,7 +2834,7 @@ int hash_test(void) if (hashType != WC_HASH_TYPE_NONE) return -3071; #endif - + ret = wc_HashGetOID(WC_HASH_TYPE_MD5_SHA); #ifndef NO_MD5 if (ret == HASH_TYPE_E || ret == BAD_FUNC_ARG) @@ -18050,7 +18050,7 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, byte enveloped[2048]; byte decoded[2048]; - PKCS7 pkcs7; + PKCS7* pkcs7; #ifdef PKCS7_OUTPUT_TEST_BUNDLES FILE* pkcs7File; #endif 
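Review bot: Once `isDynamic` is set, wc_PKCS7_Free releases the struct itself, so calling wc_PKCS7_Free and then re-initialising the same object (as the signed-data test did with `wc_PKCS7_InitWithCert(&pkcs7, NULL, 0)` before this commit) becomes a use after free for objects from wc_PKCS7_New. Writing `pkcs7->isDynamic = 0` immediately before the `XFREE` has no lasting effect, and the function cannot clear the caller's pointer. I would document the contract at the top of the function: `/* Releases resources held by pkcs7; if it came from wc_PKCS7_New() the structure itself is freed and the pointer must not be used again. */`. The function body starts outside the hunk.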
@@ -18128,64 +18128,75 @@ static int pkcs7enveloped_run_vectors(byte* rsaCert, word32 rsaCertSz, testSz = sizeof(testVectors) / sizeof(pkcs7EnvelopedVector); for (i = 0; i < testSz; i++) { - ret = wc_PKCS7_Init(&pkcs7, HEAP_HINT, + pkcs7 = wc_PKCS7_New(HEAP_HINT, #ifdef WOLFSSL_ASYNC_CRYPT INVALID_DEVID /* async PKCS7 is not supported */ #else devId #endif ); - if (ret != 0) + if (pkcs7 == NULL) return -9214; - ret = wc_PKCS7_InitWithCert(&pkcs7, testVectors[i].cert, + ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert, (word32)testVectors[i].certSz); - if (ret != 0) + if (ret != 0) { + wc_PKCS7_Free(pkcs7); return -9215; + } - pkcs7.content = (byte*)testVectors[i].content; - pkcs7.contentSz = testVectors[i].contentSz; - pkcs7.contentOID = testVectors[i].contentOID; - pkcs7.encryptOID = testVectors[i].encryptOID; - pkcs7.keyWrapOID = testVectors[i].keyWrapOID; - pkcs7.keyAgreeOID = testVectors[i].keyAgreeOID; - pkcs7.privateKey = testVectors[i].privateKey; - pkcs7.privateKeySz = testVectors[i].privateKeySz; - pkcs7.ukm = testVectors[i].optionalUkm; - pkcs7.ukmSz = testVectors[i].optionalUkmSz; + pkcs7->content = (byte*)testVectors[i].content; + pkcs7->contentSz = testVectors[i].contentSz; + pkcs7->contentOID = testVectors[i].contentOID; + pkcs7->encryptOID = testVectors[i].encryptOID; + pkcs7->keyWrapOID = testVectors[i].keyWrapOID; + pkcs7->keyAgreeOID = testVectors[i].keyAgreeOID; + pkcs7->privateKey = testVectors[i].privateKey; + pkcs7->privateKeySz = testVectors[i].privateKeySz; + pkcs7->ukm = testVectors[i].optionalUkm; + pkcs7->ukmSz = testVectors[i].optionalUkmSz; /* encode envelopedData */ - envelopedSz = wc_PKCS7_EncodeEnvelopedData(&pkcs7, enveloped, + envelopedSz = wc_PKCS7_EncodeEnvelopedData(pkcs7, enveloped, sizeof(enveloped)); if (envelopedSz <= 0) { printf("DEBUG: i = %d, envelopedSz = %d\n", i, envelopedSz); + wc_PKCS7_Free(pkcs7); return -9216; } /* decode envelopedData */ - decodedSz = wc_PKCS7_DecodeEnvelopedData(&pkcs7, enveloped, 
envelopedSz, + decodedSz = wc_PKCS7_DecodeEnvelopedData(pkcs7, enveloped, envelopedSz, decoded, sizeof(decoded)); - if (decodedSz <= 0) + if (decodedSz <= 0) { + wc_PKCS7_Free(pkcs7); return -9217; + } /* test decode result */ - if (XMEMCMP(decoded, data, sizeof(data)) != 0) + if (XMEMCMP(decoded, data, sizeof(data)) != 0){ + wc_PKCS7_Free(pkcs7); return -9218; + } #ifdef PKCS7_OUTPUT_TEST_BUNDLES /* output pkcs7 envelopedData for external testing */ pkcs7File = fopen(testVectors[i].outFileName, "wb"); - if (!pkcs7File) + if (!pkcs7File) { + wc_PKCS7_Free(pkcs7); return -9219; + } ret = (int)fwrite(enveloped, 1, envelopedSz, pkcs7File); fclose(pkcs7File); if (ret != envelopedSz) { + wc_PKCS7_Free(pkcs7); return -9220; } #endif /* PKCS7_OUTPUT_TEST_BUNDLES */ - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); + pkcs7 = NULL; } #if !defined(HAVE_ECC) || defined(NO_AES) @@ -18313,7 +18324,7 @@ int pkcs7encrypted_test(void) int ret = 0; int i, testSz; int encryptedSz, decodedSz, attribIdx; - PKCS7 pkcs7; + PKCS7* pkcs7; byte encrypted[2048]; byte decoded[2048]; #ifdef PKCS7_OUTPUT_TEST_BUNDLES 
@@ -18437,55 +18448,65 @@ int pkcs7encrypted_test(void) testSz = sizeof(testVectors) / sizeof(pkcs7EncryptedVector); for (i = 0; i < testSz; i++) { - ret = wc_PKCS7_Init(&pkcs7, HEAP_HINT, devId); - if (ret != 0) + pkcs7 = wc_PKCS7_New(HEAP_HINT, devId); + if (pkcs7 == NULL) return -9400; - pkcs7.content = (byte*)testVectors[i].content; - pkcs7.contentSz = testVectors[i].contentSz; - pkcs7.contentOID = testVectors[i].contentOID; - pkcs7.encryptOID = testVectors[i].encryptOID; - pkcs7.encryptionKey = testVectors[i].encryptionKey; - pkcs7.encryptionKeySz = testVectors[i].encryptionKeySz; - pkcs7.unprotectedAttribs = testVectors[i].attribs; - pkcs7.unprotectedAttribsSz = testVectors[i].attribsSz; + pkcs7->content = (byte*)testVectors[i].content; + pkcs7->contentSz = testVectors[i].contentSz; + pkcs7->contentOID = testVectors[i].contentOID; + pkcs7->encryptOID = testVectors[i].encryptOID; + pkcs7->encryptionKey = testVectors[i].encryptionKey; + pkcs7->encryptionKeySz = testVectors[i].encryptionKeySz; + pkcs7->unprotectedAttribs = testVectors[i].attribs; + pkcs7->unprotectedAttribsSz = testVectors[i].attribsSz; /* encode encryptedData */ - encryptedSz = wc_PKCS7_EncodeEncryptedData(&pkcs7, encrypted, + encryptedSz = wc_PKCS7_EncodeEncryptedData(pkcs7, encrypted, sizeof(encrypted)); - if (encryptedSz <= 0) + if (encryptedSz <= 0) { + wc_PKCS7_Free(pkcs7); return -9401; + } /* decode encryptedData */ - decodedSz = wc_PKCS7_DecodeEncryptedData(&pkcs7, encrypted, encryptedSz, + decodedSz = wc_PKCS7_DecodeEncryptedData(pkcs7, encrypted, encryptedSz, decoded, sizeof(decoded)); - if (decodedSz <= 0) + if (decodedSz <= 0){ + wc_PKCS7_Free(pkcs7); return -9402; + } /* test decode result */ - if (XMEMCMP(decoded, data, sizeof(data)) != 0) + if (XMEMCMP(decoded, data, sizeof(data)) != 0) { + wc_PKCS7_Free(pkcs7); return -9403; + } /* verify decoded unprotected attributes */ - if (pkcs7.decodedAttrib != NULL) { - decodedAttrib = pkcs7.decodedAttrib; + if (pkcs7->decodedAttrib != 
NULL) { + decodedAttrib = pkcs7->decodedAttrib; attribIdx = 1; while (decodedAttrib != NULL) { /* expected attribute, stored list is reversed */ - expectedAttrib = &(pkcs7.unprotectedAttribs - [pkcs7.unprotectedAttribsSz - attribIdx]); + expectedAttrib = &(pkcs7->unprotectedAttribs + [pkcs7->unprotectedAttribsSz - attribIdx]); /* verify oid */ if (XMEMCMP(decodedAttrib->oid, expectedAttrib->oid, - decodedAttrib->oidSz) != 0) + decodedAttrib->oidSz) != 0) { + wc_PKCS7_Free(pkcs7); return -9404; + } /* verify value */ if (XMEMCMP(decodedAttrib->value, expectedAttrib->value, - decodedAttrib->valueSz) != 0) + decodedAttrib->valueSz) != 0) { + wc_PKCS7_Free(pkcs7); return -9405; + } decodedAttrib = decodedAttrib->next; attribIdx++; @@ -18495,8 +18516,10 @@ int pkcs7encrypted_test(void) #ifdef PKCS7_OUTPUT_TEST_BUNDLES /* output pkcs7 envelopedData for external testing */ pkcs7File = fopen(testVectors[i].outFileName, "wb"); - if (!pkcs7File) + if (!pkcs7File) { + wc_PKCS7_Free(pkcs7); return -9406; + } ret = (int)fwrite(encrypted, encryptedSz, 1, pkcs7File); fclose(pkcs7File); @@ -18505,7 +18528,7 @@ int pkcs7encrypted_test(void) ret = 0; #endif - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); } return ret; @@ -18539,7 +18562,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, byte* out; word32 outSz; WC_RNG rng; - PKCS7 pkcs7; + PKCS7* pkcs7; #ifdef PKCS7_OUTPUT_TEST_BUNDLES FILE* file; #endif 
@@ -18679,26 +18702,30 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, } for (i = 0; i < testSz; i++) { + pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID); + if (pkcs7 == NULL) + return -9410; - pkcs7.heap = HEAP_HINT; - pkcs7.devId = INVALID_DEVID; - ret = wc_PKCS7_InitWithCert(&pkcs7, testVectors[i].cert, + pkcs7->heap = HEAP_HINT; + pkcs7->devId = INVALID_DEVID; + ret = wc_PKCS7_InitWithCert(pkcs7, testVectors[i].cert, (word32)testVectors[i].certSz); if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); + wc_PKCS7_Free(pkcs7); return -9410; } - pkcs7.rng = &rng; - pkcs7.content = (byte*)testVectors[i].content; - pkcs7.contentSz = testVectors[i].contentSz; - pkcs7.hashOID = testVectors[i].hashOID; - pkcs7.encryptOID = testVectors[i].encryptOID; - pkcs7.privateKey = testVectors[i].privateKey; - pkcs7.privateKeySz = testVectors[i].privateKeySz; - pkcs7.signedAttribs = testVectors[i].signedAttribs; - pkcs7.signedAttribsSz = testVectors[i].signedAttribsSz; + pkcs7->rng = &rng; + pkcs7->content = (byte*)testVectors[i].content; + pkcs7->contentSz = testVectors[i].contentSz; + pkcs7->hashOID = testVectors[i].hashOID; + pkcs7->encryptOID = testVectors[i].encryptOID; + pkcs7->privateKey = testVectors[i].privateKey; + pkcs7->privateKeySz = testVectors[i].privateKeySz; + pkcs7->signedAttribs = testVectors[i].signedAttribs; + pkcs7->signedAttribsSz = testVectors[i].signedAttribsSz; /* generate senderNonce */ { @@ -18708,7 +18735,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, ret = wc_RNG_GenerateBlock(&rng, &senderNonce[2], PKCS7_NONCE_SZ); if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9411; } } 
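Review bot: The new `if (pkcs7 == NULL) return -9410;` after `wc_PKCS7_New` in pkcs7signed_run_vectors returns without releasing `out`, which every other error path in this loop frees first; `out` appears to be allocated before the loop, outside the hunk. The guard should match them: `if (pkcs7 == NULL) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); return -9410; }`. The second `wc_PKCS7_New` before the verify step (hunk `@@ -18766,35 +18793,38 @@`) has the same early return, and both reuse -9410, which the InitWithCert failure already returns, so the three failures cannot be told apart by code. The `pkcs7->heap` and `pkcs7->devId` assignments kept after New repeat what New already set.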
@@ -18731,20 +18758,20 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, ret = wc_InitSha_ex(&sha, HEAP_HINT, devId); if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9412; } - wc_ShaUpdate(&sha, pkcs7.publicKey, pkcs7.publicKeySz); + wc_ShaUpdate(&sha, pkcs7->publicKey, pkcs7->publicKeySz); wc_ShaFinal(&sha, digest); wc_ShaFree(&sha); #else ret = wc_InitSha256_ex(&sha, HEAP_HINT, devId); if (ret != 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9413; } - wc_Sha256Update(&sha, pkcs7.publicKey, pkcs7.publicKeySz); + wc_Sha256Update(&sha, pkcs7->publicKey, pkcs7->publicKeySz); wc_Sha256Final(&sha, digest); wc_Sha256Free(&sha); #endif @@ -18754,10 +18781,10 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, } } - encodedSz = wc_PKCS7_EncodeSignedData(&pkcs7, out, outSz); + encodedSz = wc_PKCS7_EncodeSignedData(pkcs7, out, outSz); if (encodedSz < 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9414; } 
@@ -18766,35 +18793,38 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, file = fopen(testVectors[i].outFileName, "wb"); if (!file) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9415; } ret = (int)fwrite(out, 1, encodedSz, file); fclose(file); if (ret != (int)encodedSz) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9416; } #endif /* PKCS7_OUTPUT_TEST_BUNDLES */ - wc_PKCS7_Free(&pkcs7); - wc_PKCS7_InitWithCert(&pkcs7, NULL, 0); + wc_PKCS7_Free(pkcs7); - ret = wc_PKCS7_VerifySignedData(&pkcs7, out, outSz); + pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID); + if (pkcs7 == NULL) + return -9410; + wc_PKCS7_InitWithCert(pkcs7, NULL, 0); + + ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz); if (ret < 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9417; } - if (pkcs7.singleCert == NULL || pkcs7.singleCertSz == 0) { + if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9418; } - { /* check getting signed attributes */ #ifndef NO_SHA 
@@ -18807,25 +18837,25 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, int bufSz = 0; if (testVectors[i].signedAttribs != NULL && - wc_PKCS7_GetAttributeValue(&pkcs7, oidPt, oidSz, + wc_PKCS7_GetAttributeValue(pkcs7, oidPt, oidSz, NULL, (word32*)&bufSz) != LENGTH_ONLY_E) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9419; } if (bufSz > (int)sizeof(buf)) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9420; } - bufSz = wc_PKCS7_GetAttributeValue(&pkcs7, oidPt, oidSz, + bufSz = wc_PKCS7_GetAttributeValue(pkcs7, oidPt, oidSz, buf, (word32*)&bufSz); if ((testVectors[i].signedAttribs != NULL && bufSz < 0) || (testVectors[i].signedAttribs == NULL && bufSz > 0)) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9421; } } @@ -18834,14 +18864,14 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz, file = fopen("./pkcs7cert.der", "wb"); if (!file) { XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); return -9422; } - ret = (int)fwrite(pkcs7.singleCert, 1, pkcs7.singleCertSz, file); + ret = (int)fwrite(pkcs7->singleCert, 1, pkcs7->singleCertSz, file); fclose(file); #endif /* PKCS7_OUTPUT_TEST_BUNDLES */ - wc_PKCS7_Free(&pkcs7); + wc_PKCS7_Free(pkcs7); } XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h index e17bf2eec..ccddc06e5 100644 --- a/wolfssl/wolfcrypt/pkcs7.h +++ b/wolfssl/wolfcrypt/pkcs7.h 
@@ -95,10 +95,13 @@ typedef struct PKCS7DecodedAttrib { } PKCS7DecodedAttrib; +/* Public Structure Warning: + * Existing members must not be changed to maintain backwards compatibility! + */ typedef struct PKCS7 { WC_RNG* rng; PKCS7Attrib* signedAttribs; - byte* content; /* inner content, not owner */ + byte* content; /* inner content, not owner */ byte* singleCert; /* recipient cert, DER, not owner */ byte* issuer; /* issuer name of singleCert */ byte* privateKey; /* private key, DER, not owner */ @@ -136,11 +139,17 @@ typedef struct PKCS7 { int devId; /* device ID for HW based private key */ byte issuerHash[KEYID_SIZE]; /* hash of all alt Names */ byte issuerSn[MAX_SN_SZ]; /* singleCert's serial number */ - byte publicKey[MAX_RSA_INT_SZ + MAX_RSA_E_SZ ];/*MAX RSA key size (m + e)*/ + byte publicKey[MAX_RSA_INT_SZ + MAX_RSA_E_SZ]; /* MAX RSA key size (m + e)*/ word32 certSz[MAX_PKCS7_CERTS]; + + /* flags - up to 32-bits */ + word16 isDynamic:1; + + /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */ } PKCS7; +WOLFSSL_API PKCS7* wc_PKCS7_New(void* heap, int devId); WOLFSSL_API int wc_PKCS7_Init(PKCS7* pkcs7, void* heap, int devId); WOLFSSL_API int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz); WOLFSSL_API void wc_PKCS7_Free(PKCS7* pkcs7); From 733cb74ea83caffb8f22df3864ef1806b64a28e9 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 29 Jun 2018 15:05:37 -0700 Subject: [PATCH 11/17] Updated all PKCS7 XMALLOC/XFREE to use heap pointer (even small stack). --- wolfcrypt/src/pkcs7.c | 342 +++++++++++++++++++++--------------------- 1 file changed, 174 insertions(+), 168 deletions(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 855019f8f..76e398b43 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c 
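Review bot: `word16 isDynamic:1;` sits under the comment `/* flags - up to 32-bits */`, but a `word16` bit-field unit has room for 16 flags, and a bit-field of a type other than `int`, `unsigned int` or `_Bool` is implementation-defined in C. The minimal fix is to make the comment match, `/* flags - up to 16-bits */`, or to widen the declared type if 32 flags are really intended. The new member also grows `sizeof(PKCS7)` for a struct the added warning calls public, so code compiled against the old header and linked to the new library would hand wc_PKCS7_Init a smaller stack object than it zeroes; the warning comment should mention that adding members at the end still requires rebuilding callers. The `wc_PKCS7_New` prototype has no comment saying the result must be released with `wc_PKCS7_Free`.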
@@ -308,7 +308,7 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) if (ret < 0) { FreeDecodedCert(dCert); #ifdef WOLFSSL_SMALL_STACK - XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT); + XFREE(dCert, pkcs7->heap, DYNAMIC_TYPE_DCERT); #endif return ret; } @@ -324,7 +324,7 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) FreeDecodedCert(dCert); #ifdef WOLFSSL_SMALL_STACK - XFREE(dCert, NULL, DYNAMIC_TYPE_DCERT); + XFREE(dCert, pkcs7->heap, DYNAMIC_TYPE_DCERT); #endif } @@ -613,7 +613,8 @@ static int wc_PKCS7_RsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd) } #ifdef WOLFSSL_SMALL_STACK - privKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); + privKey = (RsaKey*)XMALLOC(sizeof(RsaKey), pkcs7->heap, + DYNAMIC_TYPE_TMP_BUFFER); if (privKey == NULL) return MEMORY_E; #endif @@ -637,7 +638,7 @@ static int wc_PKCS7_RsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd) wc_FreeRsaKey(privKey); #ifdef WOLFSSL_SMALL_STACK - XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; @@ -665,7 +666,8 @@ static int wc_PKCS7_EcdsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd) } #ifdef WOLFSSL_SMALL_STACK - privKey = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_TMP_BUFFER); + privKey = (ecc_key*)XMALLOC(sizeof(ecc_key), pkcs7->heap, + DYNAMIC_TYPE_TMP_BUFFER); if (privKey == NULL) return MEMORY_E; #endif @@ -691,7 +693,7 @@ static int wc_PKCS7_EcdsaSign(PKCS7* pkcs7, byte* in, word32 inSz, ESD* esd) wc_ecc_free(privKey); #ifdef WOLFSSL_SMALL_STACK - XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; 
@@ -960,7 +962,8 @@ static int wc_PKCS7_SignedDataBuildSignature(PKCS7* pkcs7, return BAD_FUNC_ARG; #ifdef WOLFSSL_SMALL_STACK - digestInfo = (byte*)XMALLOC(digestInfoSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + digestInfo = (byte*)XMALLOC(digestInfoSz, pkcs7->heap, + DYNAMIC_TYPE_TMP_BUFFER); if (digestInfo == NULL) { return MEMORY_E; } @@ -971,7 +974,7 @@ static int wc_PKCS7_SignedDataBuildSignature(PKCS7* pkcs7, &digestInfoSz); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -992,7 +995,7 @@ static int wc_PKCS7_SignedDataBuildSignature(PKCS7* pkcs7, hashSz = wc_HashGetDigestSize(esd->hashType); if (hashSz < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return hashSz; } @@ -1008,7 +1011,7 @@ static int wc_PKCS7_SignedDataBuildSignature(PKCS7* pkcs7, } #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif if (ret >= 0) { @@ -1062,7 +1065,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) } #ifdef WOLFSSL_SMALL_STACK - esd = (ESD*)XMALLOC(sizeof(ESD), NULL, DYNAMIC_TYPE_TMP_BUFFER); + esd = (ESD*)XMALLOC(sizeof(ESD), pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); if (esd == NULL) return MEMORY_E; #endif @@ -1073,7 +1076,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) ret = wc_HashGetDigestSize(esd->hashType); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } 
@@ -1082,7 +1085,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) ret = wc_HashInit(&esd->hash, esd->hashType); if (ret != 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1093,7 +1096,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) pkcs7->content, pkcs7->contentSz); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1103,7 +1106,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) &esd->contentDigest[2]); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1134,7 +1137,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) &digEncAlgoType); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1151,7 +1154,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) messageDigestOid, sizeof(messageDigestOid)); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return MEMORY_E; } @@ -1161,7 +1164,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) flatSignedAttribsSz = esd->signedAttribsSz; if (flatSignedAttribs == NULL) { #ifdef WOLFSSL_SMALL_STACK - XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return MEMORY_E; } 
@@ -1179,7 +1182,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) if (pkcs7->signedAttribsSz != 0) XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #ifdef WOLFSSL_SMALL_STACK - XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1221,7 +1224,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) if (pkcs7->signedAttribsSz != 0) XFREE(flatSignedAttribs, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #ifdef WOLFSSL_SMALL_STACK - XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return BUFFER_E; } @@ -1289,7 +1292,7 @@ int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7, byte* output, word32 outputSz) idx += esd->encContentDigestSz; #ifdef WOLFSSL_SMALL_STACK - XFREE(esd, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(esd, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return idx; @@ -1318,15 +1321,15 @@ static int wc_PKCS7_RsaVerify(PKCS7* pkcs7, byte* sig, int sigSz, } #ifdef WOLFSSL_SMALL_STACK - digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, NULL, + digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); if (digest == NULL) return MEMORY_E; - key = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); + key = (RsaKey*)XMALLOC(sizeof(RsaKey), pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); if (key == NULL) { - XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); return MEMORY_E; } #endif @@ -1336,8 +1339,8 @@ static int wc_PKCS7_RsaVerify(PKCS7* pkcs7, byte* sig, int sigSz, ret = wc_InitRsaKey_ex(key, pkcs7->heap, pkcs7->devId); if (ret != 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } 
@@ -1347,8 +1350,8 @@ static int wc_PKCS7_RsaVerify(PKCS7* pkcs7, byte* sig, int sigSz, WOLFSSL_MSG("ASN RSA key decode error"); wc_FreeRsaKey(key); #ifdef WOLFSSL_SMALL_STACK - XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return PUBLIC_KEY_E; } @@ -1362,8 +1365,8 @@ static int wc_PKCS7_RsaVerify(PKCS7* pkcs7, byte* sig, int sigSz, } #ifdef WOLFSSL_SMALL_STACK - XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; @@ -1394,15 +1397,15 @@ static int wc_PKCS7_EcdsaVerify(PKCS7* pkcs7, byte* sig, int sigSz, return BAD_FUNC_ARG; #ifdef WOLFSSL_SMALL_STACK - digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, NULL, + digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); if (digest == NULL) return MEMORY_E; - key = (ecc_key*)XMALLOC(sizeof(ecc_key), NULL, DYNAMIC_TYPE_TMP_BUFFER); + key = (ecc_key*)XMALLOC(sizeof(ecc_key), pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); if (key == NULL) { - XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); return MEMORY_E; } #endif @@ -1412,8 +1415,8 @@ static int wc_PKCS7_EcdsaVerify(PKCS7* pkcs7, byte* sig, int sigSz, ret = wc_ecc_init_ex(key, pkcs7->heap, pkcs7->devId); if (ret != 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } 
@@ -1423,8 +1426,8 @@ static int wc_PKCS7_EcdsaVerify(PKCS7* pkcs7, byte* sig, int sigSz, WOLFSSL_MSG("ASN ECDSA key decode error"); wc_ecc_free(key); #ifdef WOLFSSL_SMALL_STACK - XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return PUBLIC_KEY_E; } @@ -1438,8 +1441,8 @@ static int wc_PKCS7_EcdsaVerify(PKCS7* pkcs7, byte* sig, int sigSz, } #ifdef WOLFSSL_SMALL_STACK - XFREE(digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(key, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; @@ -1488,7 +1491,8 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, } #ifdef WOLFSSL_SMALL_STACK - digestInfo = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); + digestInfo = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap, + DYNAMIC_TYPE_TMP_BUFFER); if (digestInfo == NULL) return MEMORY_E; #endif @@ -1501,7 +1505,7 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, ret = wc_HashGetDigestSize(hashType); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1511,7 +1515,7 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, ret = wc_HashInit(&hash, hashType); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } 
@@ -1520,7 +1524,7 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, if (signedAttrib == NULL) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return BAD_FUNC_ARG; } @@ -1529,7 +1533,7 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, ret = wc_HashUpdate(&hash, hashType, attribSet, attribSetSz); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1537,7 +1541,7 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, ret = wc_HashUpdate(&hash, hashType, signedAttrib, signedAttribSz); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1545,7 +1549,7 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, ret = wc_HashFinal(&hash, hashType, digest); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1554,7 +1558,7 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, if (pkcs7->content == NULL) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return BAD_FUNC_ARG; } @@ -1562,7 +1566,7 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, ret = wc_HashUpdate(&hash, hashType, pkcs7->content, pkcs7->contentSz); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } 
@@ -1570,7 +1574,7 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, ret = wc_HashFinal(&hash, hashType, digest); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1600,7 +1604,7 @@ static int wc_PKCS7_BuildSignedDataDigest(PKCS7* pkcs7, byte* signedAttrib, *plainDigestSz = hashSz; #ifdef WOLFSSL_SMALL_STACK - XFREE(digestInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(digestInfo, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return 0; } @@ -1633,7 +1637,7 @@ static int wc_PKCS7_SignedDataVerifySignature(PKCS7* pkcs7, byte* sig, return BAD_FUNC_ARG; #ifdef WOLFSSL_SMALL_STACK - pkcs7Digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, NULL, + pkcs7Digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); if (pkcs7Digest == NULL) return MEMORY_E; @@ -1647,7 +1651,7 @@ static int wc_PKCS7_SignedDataVerifySignature(PKCS7* pkcs7, byte* sig, &plainDigestSz); if (ret < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(pkcs7Digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -1679,7 +1683,7 @@ static int wc_PKCS7_SignedDataVerifySignature(PKCS7* pkcs7, byte* sig, } #ifdef WOLFSSL_SMALL_STACK - XFREE(pkcs7Digest, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -2416,8 +2420,8 @@ static int wc_PKCS7_KariGenerateEphemeralKey(WC_PKCS7_KARI* kari, WC_RNG* rng) rng == NULL) return BAD_FUNC_ARG; - kari->senderKeyExport = (byte*)XMALLOC(kari->decoded->pubKeySize, kari->heap, - DYNAMIC_TYPE_PKCS7); + kari->senderKeyExport = (byte*)XMALLOC(kari->decoded->pubKeySize, + kari->heap, DYNAMIC_TYPE_PKCS7); if (kari->senderKeyExport == NULL) return MEMORY_E; 
@@ -2927,15 +2931,15 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, RsaKey* pubKey; DecodedCert* decoded; - serial = (byte*)XMALLOC(MAX_SN_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); - keyAlgArray = (byte*)XMALLOC(MAX_SN_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); - decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + serial = (byte*)XMALLOC(MAX_SN_SZ, heap, DYNAMIC_TYPE_TMP_BUFFER); + keyAlgArray = (byte*)XMALLOC(MAX_SN_SZ, heap, DYNAMIC_TYPE_TMP_BUFFER); + decoded = (DecodedCert*)XMALLOC(sizeof(DecodedCert), heap, DYNAMIC_TYPE_TMP_BUFFER); if (decoded == NULL || serial == NULL || keyAlgArray == NULL) { - if (serial) XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (keyAlgArray) XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (decoded) XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (serial) XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + if (keyAlgArray) XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + if (decoded) XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); return MEMORY_E; } @@ -2954,9 +2958,9 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, if (ret < 0) { FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } 
@@ -2969,9 +2973,9 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, WOLFSSL_MSG("DecodedCert lacks raw issuer pointer and length"); FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return -1; } @@ -2982,9 +2986,9 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, WOLFSSL_MSG("DecodedCert missing serial number"); FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return -1; } @@ -2997,9 +3001,9 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, if (keyEncAlgo != RSAk) { FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ALGO_ID_E; } 
@@ -3008,20 +3012,20 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, if (keyEncAlgSz == 0) { FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return BAD_FUNC_ARG; } #ifdef WOLFSSL_SMALL_STACK - pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); + pubKey = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_TMP_BUFFER); if (pubKey == NULL) { FreeDecodedCert(decoded); - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); return MEMORY_E; } #endif @@ -3031,10 +3035,10 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, if (ret != 0) { FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK - XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pubKey, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } 
@@ -3045,10 +3049,10 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, wc_FreeRsaKey(pubKey); FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK - XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pubKey, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return PUBLIC_KEY_E; } @@ -3058,16 +3062,16 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, wc_FreeRsaKey(pubKey); #ifdef WOLFSSL_SMALL_STACK - XFREE(pubKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(pubKey, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif if (*keyEncSz < 0) { WOLFSSL_MSG("RSA Public Encrypt failed"); FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return *keyEncSz; } @@ -3084,9 +3088,9 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, WOLFSSL_MSG("RecipientInfo output buffer too small"); FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return BUFFER_E; } 
@@ -3113,9 +3117,9 @@ static int wc_CreateRecipientInfo(const byte* cert, word32 certSz, FreeDecodedCert(decoded); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(keyAlgArray, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(decoded, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(keyAlgArray, heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(decoded, heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return totalSz; @@ -3436,12 +3440,13 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) } #ifdef WOLFSSL_SMALL_STACK - recip = (byte*)XMALLOC(MAX_RECIP_SZ, NULL, DYNAMIC_TYPE_PKCS7); - contentKeyEnc = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, NULL, + recip = (byte*)XMALLOC(MAX_RECIP_SZ, pkcs7->heap, + DYNAMIC_TYPE_PKCS7); + contentKeyEnc = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap, DYNAMIC_TYPE_PKCS7); if (contentKeyEnc == NULL || recip == NULL) { - if (recip) XFREE(recip, NULL, DYNAMIC_TYPE_PKCS7); - if (contentKeyEnc) XFREE(contentKeyEnc, NULL, DYNAMIC_TYPE_PKCS7); + if (recip) XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); + if (contentKeyEnc) XFREE(contentKeyEnc, pkcs7->heap, DYNAMIC_TYPE_PKCS7); wc_FreeRng(&rng); return MEMORY_E; } @@ -3480,14 +3485,14 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) ForceZero(contentKeyEnc, MAX_ENCRYPTED_KEY_SZ); #ifdef WOLFSSL_SMALL_STACK - XFREE(contentKeyEnc, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(contentKeyEnc, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif if (recipSz < 0) { WOLFSSL_MSG("Failed to create RecipientInfo"); wc_FreeRng(&rng); #ifdef WOLFSSL_SMALL_STACK - XFREE(recip, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return recipSz; } 
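Review bot: `recip` is allocated with `DYNAMIC_TYPE_PKCS7` in the hunk at -3436 but freed with `DYNAMIC_TYPE_TMP_BUFFER` in the hunk at -3480 and again in the hunks at -3498, -3507, -3536, -3603 and -3643, while the hunks at -3553 and -3567 free it with `DYNAMIC_TYPE_PKCS7`. Now that a real heap hint is passed through, an allocator or memory tracker that keys on the type tag may see mismatched pairs. `XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7);` at each site would match the allocation. The context line `XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);` in the hunk at -3603 differs from the other `plain` frees shown in the same way.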
@@ -3498,7 +3503,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) wc_FreeRng(&rng); if (ret != 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(recip, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -3507,7 +3512,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) contentTypeSz = wc_SetContentType(pkcs7->contentOID, contentType); if (contentTypeSz == 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(recip, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return BAD_FUNC_ARG; } @@ -3536,7 +3541,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) if (encryptedContent == NULL) { XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #ifdef WOLFSSL_SMALL_STACK - XFREE(recip, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return MEMORY_E; } @@ -3553,7 +3558,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #ifdef WOLFSSL_SMALL_STACK - XFREE(recip, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return BAD_FUNC_ARG; } @@ -3567,7 +3572,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #ifdef WOLFSSL_SMALL_STACK - XFREE(recip, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ret; } 
@@ -3603,7 +3608,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7); XFREE(plain, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #ifdef WOLFSSL_SMALL_STACK - XFREE(recip, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return BUFFER_E; } @@ -3643,7 +3648,7 @@ int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7, byte* output, word32 outputSz) XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #ifdef WOLFSSL_SMALL_STACK - XFREE(recip, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(recip, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return idx; @@ -3692,15 +3697,15 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, } #ifdef WOLFSSL_SMALL_STACK - serialNum = (mp_int*)XMALLOC(sizeof(mp_int), NULL, - DYNAMIC_TYPE_TMP_BUFFER); + serialNum = (mp_int*)XMALLOC(sizeof(mp_int), pkcs7->heap, + DYNAMIC_TYPE_TMP_BUFFER); if (serialNum == NULL) return MEMORY_E; #endif if (GetInt(serialNum, pkiMsg, idx, pkiMsgSz) < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(serialNum, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serialNum, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ASN_PARSE_E; } @@ -3708,7 +3713,7 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, mp_clear(serialNum); #ifdef WOLFSSL_SMALL_STACK - XFREE(serialNum, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serialNum, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif if (GetAlgoId(pkiMsg, idx, &encOID, oidKeyType, pkiMsgSz) < 0) @@ -3720,7 +3725,7 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, /* read encryptedKey */ #ifdef WOLFSSL_SMALL_STACK - encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, NULL, + encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); if (encryptedKey == NULL) return MEMORY_E; 
@@ -3728,14 +3733,14 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, if (pkiMsg[(*idx)++] != ASN_OCTET_STRING) { #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ASN_PARSE_E; } if (GetLength(pkiMsg, idx, &encryptedKeySz, pkiMsgSz) < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ASN_PARSE_E; } @@ -3746,18 +3751,19 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, /* load private key */ #ifdef WOLFSSL_SMALL_STACK - privKey = (RsaKey*)XMALLOC(sizeof(RsaKey), NULL, DYNAMIC_TYPE_TMP_BUFFER); + privKey = (RsaKey*)XMALLOC(sizeof(RsaKey), pkcs7->heap, + DYNAMIC_TYPE_TMP_BUFFER); if (privKey == NULL) { - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); return MEMORY_E; } #endif - ret = wc_InitRsaKey_ex(privKey, NULL, INVALID_DEVID); + ret = wc_InitRsaKey_ex(privKey, pkcs7->heap, INVALID_DEVID); if (ret != 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -3774,8 +3780,8 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, WOLFSSL_MSG("Failed to decode RSA private key"); wc_FreeRsaKey(privKey); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } 
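Review bot: `pkiMsg[(*idx)++]` in the hunk at -3728 is read with no visible comparison of `*idx` against `pkiMsgSz`, so a truncated message could be read one byte past its end before the tag test fails. Checking the index first, `if (*idx >= pkiMsgSz || pkiMsg[(*idx)++] != ASN_OCTET_STRING) {`, keeps the same error return and closes that read. The same unchecked pattern appears as `pkiMsg[idx++]` and `pkiMsg[idx]` in the wc_PKCS7_DecodeEnvelopedData hunks at -4570, -4599 and -4615. wc_PKCS7_DecodeKtri continues outside these hunks, so a guard in the unseen lines cannot be ruled out.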
@@ -3801,8 +3807,8 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, if (keySz <= 0 || outKey == NULL) { ForceZero(encryptedKey, MAX_ENCRYPTED_KEY_SZ); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return keySz; } else { @@ -3812,8 +3818,8 @@ static int wc_PKCS7_DecodeKtri(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, } #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(privKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(privKey, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return 0; @@ -4041,23 +4047,23 @@ static int wc_PKCS7_KariGetIssuerAndSerialNumber(WC_PKCS7_KARI* kari, } #ifdef WOLFSSL_SMALL_STACK - serial = (mp_int*)XMALLOC(sizeof(mp_int), NULL, + serial = (mp_int*)XMALLOC(sizeof(mp_int), kari->heap, DYNAMIC_TYPE_TMP_BUFFER); if (serial == NULL) return MEMORY_E; - recipSerial = (mp_int*)XMALLOC(sizeof(mp_int), NULL, + recipSerial = (mp_int*)XMALLOC(sizeof(mp_int), kari->heap, DYNAMIC_TYPE_TMP_BUFFER); if (recipSerial == NULL) { - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER); return MEMORY_E; } #endif if (GetInt(serial, pkiMsg, idx, pkiMsgSz) < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(recipSerial, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(recipSerial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ASN_PARSE_E; } 
@@ -4068,8 +4074,8 @@ static int wc_PKCS7_KariGetIssuerAndSerialNumber(WC_PKCS7_KARI* kari, mp_clear(serial); WOLFSSL_MSG("Failed to parse CMS recipient serial number"); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(recipSerial, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(recipSerial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return ret; } @@ -4079,8 +4085,8 @@ static int wc_PKCS7_KariGetIssuerAndSerialNumber(WC_PKCS7_KARI* kari, mp_clear(recipSerial); WOLFSSL_MSG("CMS serial number does not match recipient"); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(recipSerial, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(recipSerial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return PKCS7_RECIP_E; } @@ -4089,8 +4095,8 @@ static int wc_PKCS7_KariGetIssuerAndSerialNumber(WC_PKCS7_KARI* kari, mp_clear(recipSerial); #ifdef WOLFSSL_SMALL_STACK - XFREE(serial, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(recipSerial, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(serial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(recipSerial, kari->heap, DYNAMIC_TYPE_TMP_BUFFER); #endif return 0; @@ -4189,7 +4195,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, return MEMORY_E; #ifdef WOLFSSL_SMALL_STACK - encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, NULL, + encryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap, DYNAMIC_TYPE_PKCS7); if (encryptedKey == NULL) { wc_PKCS7_KariFree(kari); @@ -4205,7 +4211,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, if (ret != 0) { wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ret; } 
@@ -4216,7 +4222,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, if (ret != 0) { wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ret; } @@ -4226,7 +4232,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, if (ret != 0) { wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ret; } @@ -4238,7 +4244,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, if (ret != 0) { wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ret; } @@ -4265,7 +4271,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, default: wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif WOLFSSL_MSG("AES key wrap algorithm unsupported"); return BAD_KEYWRAP_ALG_E; @@ -4277,7 +4283,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, if (ret != 0) { wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ret; } @@ -4287,7 +4293,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, if (ret != 0) { wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ret; } 
@@ -4299,7 +4305,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, if (keySz <= 0) { wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return keySz; } @@ -4307,7 +4313,7 @@ static int wc_PKCS7_DecodeKari(PKCS7* pkcs7, byte* pkiMsg, word32 pkiMsgSz, wc_PKCS7_KariFree(kari); #ifdef WOLFSSL_SMALL_STACK - XFREE(encryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(encryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return 0; @@ -4504,7 +4510,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, return ASN_PARSE_E; #ifdef WOLFSSL_SMALL_STACK - decryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, NULL, + decryptedKey = (byte*)XMALLOC(MAX_ENCRYPTED_KEY_SZ, pkcs7->heap, DYNAMIC_TYPE_PKCS7); if (decryptedKey == NULL) return MEMORY_E; @@ -4516,7 +4522,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, &recipFound); if (ret != 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ret; } @@ -4524,7 +4530,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (recipFound == 0) { WOLFSSL_MSG("No recipient found in envelopedData that matches input"); #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return PKCS7_RECIP_E; } 
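Review bot: The error branches of wc_PKCS7_DecodeEnvelopedData free `decryptedKey` without clearing it, starting with the hunks at -4516 and -4524 and continuing through every `XFREE(decryptedKey, ...)` up to the hunk at -4646. Once the recipient-decoding call has run, this buffer presumably holds the content-encryption key, so it should be wiped before release the way `encryptedContent` is in the hunk at -4661. Adding `ForceZero(decryptedKey, MAX_ENCRYPTED_KEY_SZ);` ahead of each free, outside the `#ifdef` so the non-small-stack build is covered too, would do that. Whether the success path already wipes it cannot be seen from these hunks.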
@@ -4532,21 +4538,21 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, /* remove EncryptedContentInfo */ if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ASN_PARSE_E; } if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ASN_PARSE_E; } if (GetAlgoId(pkiMsg, &idx, &encOID, oidBlkType, pkiMsgSz) < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ASN_PARSE_E; } @@ -4554,7 +4560,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, blockKeySz = wc_PKCS7_GetOIDKeySize(encOID); if (blockKeySz < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return blockKeySz; } @@ -4562,7 +4568,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, expBlockSz = wc_PKCS7_GetOIDBlockSize(encOID); if (expBlockSz < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return expBlockSz; } 
@@ -4570,14 +4576,14 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, /* get block cipher IV, stored in OPTIONAL parameter of AlgoID */ if (pkiMsg[idx++] != ASN_OCTET_STRING) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ASN_PARSE_E; } if (GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ASN_PARSE_E; } @@ -4585,7 +4591,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (length != expBlockSz) { WOLFSSL_MSG("Incorrect IV length, must be of content alg block size"); #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ASN_PARSE_E; } @@ -4599,7 +4605,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (pkiMsg[idx] != (ASN_CONTEXT_SPECIFIC | 0) && pkiMsg[idx] != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 0)) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ASN_PARSE_E; } @@ -4607,7 +4613,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (GetLength(pkiMsg, &idx, &encryptedContentSz, pkiMsgSz) <= 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ASN_PARSE_E; } 
@@ -4615,14 +4621,14 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (explicitOctet) { if (pkiMsg[idx++] != ASN_OCTET_STRING) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ASN_PARSE_E; } if (GetLength(pkiMsg, &idx, &encryptedContentSz, pkiMsgSz) <= 0) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ASN_PARSE_E; } @@ -4632,7 +4638,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, DYNAMIC_TYPE_PKCS7); if (encryptedContent == NULL) { #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return MEMORY_E; } @@ -4646,7 +4652,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, if (ret != 0) { XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return ret; } @@ -4661,7 +4667,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, ForceZero(encryptedContent, encryptedContentSz); XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #ifdef WOLFSSL_SMALL_STACK - XFREE(decryptedKey, NULL, DYNAMIC_TYPE_PKCS7); + XFREE(decryptedKey, pkcs7->heap, DYNAMIC_TYPE_PKCS7); #endif return encryptedContentSz - padLen; From 3adbb07abef1175a50155a5fadb01e95826c5b26 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 29 Jun 2018 15:07:56 -0700 Subject: [PATCH 12/17] Comment correction. --- wolfssl/wolfcrypt/pkcs7.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h index ccddc06e5..46ef20e93 100644 --- a/wolfssl/wolfcrypt/pkcs7.h +++ b/wolfssl/wolfcrypt/pkcs7.h 
@@ -142,7 +142,7 @@ typedef struct PKCS7 { byte publicKey[MAX_RSA_INT_SZ + MAX_RSA_E_SZ]; /* MAX RSA key size (m + e)*/ word32 certSz[MAX_PKCS7_CERTS]; - /* flags - up to 32-bits */ + /* flags - up to 16-bits */ word16 isDynamic:1; /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */ From a9ff79e3210f362620c032371be42ca518ac46eb Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Mon, 2 Jul 2018 10:10:30 -0600 Subject: [PATCH 13/17] check return value --- src/ssl.c | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 8418693e6..bbc8158a4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17874,21 +17874,25 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx) WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1); if (x509 != NULL) { WOLFSSL_X509* issuer = NULL; - wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, x509); - - /* check that the certificate being looked up is not self signed - * and that a issuer was found */ - if (issuer != NULL && wolfSSL_X509_NAME_cmp(&x509->issuer, - &x509->subject) != 0) { - if (wolfSSL_sk_X509_push(sk, issuer) != SSL_SUCCESS) { - WOLFSSL_MSG("Unable to load CA x509 into stack"); - wolfSSL_sk_X509_free(sk); - wolfSSL_X509_free(issuer); - return NULL; + if (wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, x509) + == WOLFSSL_SUCCESS) { + /* check that the certificate being looked up is not self + * signed and that a issuer was found */ + if (issuer != NULL && wolfSSL_X509_NAME_cmp(&x509->issuer, + &x509->subject) != 0) { + if (wolfSSL_sk_X509_push(sk, issuer) != SSL_SUCCESS) { + WOLFSSL_MSG("Unable to load CA x509 into stack"); + wolfSSL_sk_X509_free(sk); + wolfSSL_X509_free(issuer); + return NULL; + } + } + else { + WOLFSSL_MSG("Certificate is self signed"); } } else { - WOLFSSL_MSG("could not find CA for cert or is self signed"); + WOLFSSL_MSG("Could not find CA for certificate"); } } } 
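Review bot: In the `wolfSSL_X509_STORE_CTX_get_chain` hunk, the new `else` branch that logs "Certificate is self signed" does not release `issuer`. That branch is reached after `wolfSSL_X509_STORE_CTX_get1_issuer` returned `WOLFSSL_SUCCESS`, so `issuer` can be non-NULL there, and the push-failure path calling `wolfSSL_X509_free(issuer)` indicates the caller owns the object. Add `if (issuer != NULL) wolfSSL_X509_free(issuer);` after the `WOLFSSL_MSG` in that branch. The function body starts and ends outside the hunk.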
From fb3d3dce0e482a60d1f44440a6b28ffbf0bc5dff Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 2 Jul 2018 09:38:14 -0700 Subject: [PATCH 14/17] Fix for use of unititlized `PKCS7.isDynamic` case in unit test. Added return code checks for `wc_PKCS7_Init`. --- tests/api.c | 1 + wolfcrypt/src/pkcs7.c | 13 ++++++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/tests/api.c b/tests/api.c index 736313308..3d27f0b9d 100644 --- a/tests/api.c +++ b/tests/api.c @@ -14278,6 +14278,7 @@ static void test_wc_PKCS7_InitWithCert (void) #endif printf(testingFmt, "wc_PKCS7_InitWithCert()"); /* If initialization is not successful, it's free'd in init func. */ + pkcs7.isDynamic = 0; AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, (byte*)cert, (word32)certSz), 0); wc_PKCS7_Free(&pkcs7); diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 76e398b43..89fc9992d 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -233,8 +233,13 @@ PKCS7* wc_PKCS7_New(void* heap, int devId) PKCS7* pkcs7 = (PKCS7*)XMALLOC(sizeof(PKCS7), heap, DYNAMIC_TYPE_PKCS7); if (pkcs7) { XMEMSET(pkcs7, 0, sizeof(PKCS7)); - wc_PKCS7_Init(pkcs7, heap, devId); - pkcs7->isDynamic = 1; + if (wc_PKCS7_Init(pkcs7, heap, devId) == 0) { + pkcs7->isDynamic = 1; + } + else { + XFREE(pkcs7, heap, DYNAMIC_TYPE_PKCS7); + pkcs7 = NULL; + } } return pkcs7; } @@ -284,7 +289,9 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz) heap = pkcs7->heap; devId = pkcs7->devId; isDynamic = pkcs7->isDynamic; - wc_PKCS7_Init(pkcs7, heap, devId); + ret = wc_PKCS7_Init(pkcs7, heap, devId); + if (ret != 0) + return ret; pkcs7->isDynamic = isDynamic; if (cert != NULL && certSz > 0) { From 2bd4fb110c7546fe7d984189df1bfe6b682fe197 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 2 Jul 2018 10:24:41 -0700 Subject: [PATCH 15/17] Fix additional cases for use of unititlized PKCS isDynmaic in unit test. --- tests/api.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
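Review bot: In the `test_wc_PKCS7_InitWithCert` hunk, assigning only `pkcs7.isDynamic = 0;` leaves the other fields that `wc_PKCS7_InitWithCert` reads before re-initialising unset; the pkcs7.c hunk of this same patch shows it copying `pkcs7->heap` and `pkcs7->devId` along with `pkcs7->isDynamic`. If `pkcs7` is an uninitialised local in the test (its declaration is outside the hunk), the heap hint and device id handed on to `wc_PKCS7_Init` are indeterminate. Replace the assignment with `AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, INVALID_DEVID), 0);`, and state in the header comment of `wc_PKCS7_InitWithCert` that the structure must have been initialised with `wc_PKCS7_Init` or `wc_PKCS7_New` first.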
diff --git a/tests/api.c b/tests/api.c index 3d27f0b9d..845a6be07 100644 --- a/tests/api.c +++ b/tests/api.c @@ -14376,6 +14376,8 @@ static void test_wc_PKCS7_EncodeData (void) XMEMSET(output, 0, sizeof(output)); + AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, INVALID_DEVID), 0); + AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, (byte*)cert, certSz), 0); printf(testingFmt, "wc_PKCS7_EncodeData()"); @@ -14481,6 +14483,8 @@ static void test_wc_PKCS7_EncodeSignedData (void) XMEMSET(output, 0, outputSz); AssertIntEQ(wc_InitRng(&rng), 0); + AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, INVALID_DEVID), 0); + AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, cert, certSz), 0); printf(testingFmt, "wc_PKCS7_EncodeSignedData()"); @@ -14492,7 +14496,6 @@ static void test_wc_PKCS7_EncodeSignedData (void) pkcs7.encryptOID = RSAk; pkcs7.hashOID = SHAh; pkcs7.rng = &rng; - pkcs7.devId = INVALID_DEVID; AssertIntGT(wc_PKCS7_EncodeSignedData(&pkcs7, output, outputSz), 0); @@ -14596,6 +14599,8 @@ static void test_wc_PKCS7_VerifySignedData(void) XMEMSET(output, 0, outputSz); AssertIntEQ(wc_InitRng(&rng), 0); + AssertIntEQ(wc_PKCS7_Init(&pkcs7, HEAP_HINT, INVALID_DEVID), 0); + AssertIntEQ(wc_PKCS7_InitWithCert(&pkcs7, cert, certSz), 0); printf(testingFmt, "wc_PKCS7_VerifySignedData()"); From 201217bd9744460060872e71d89fbd23e24faddd Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Mon, 2 Jul 2018 13:55:38 -0600 Subject: [PATCH 16/17] casts for tls 1.3 windows warnings --- src/internal.c | 6 +++--- src/tls.c | 8 ++++---- src/tls13.c | 32 ++++++++++++++++---------------- 3 files changed, 23 insertions(+), 23 deletions(-) diff --git a/src/internal.c b/src/internal.c index dd60f7d18..16f058149 100644 --- a/src/internal.c +++ b/src/internal.c 
@@ -12640,8 +12640,8 @@ int ProcessReply(WOLFSSL* ssl) ssl->keys.decryptedCur = 1; #ifdef WOLFSSL_TLS13 if (ssl->options.tls1_3) { - word16 i = ssl->buffers.inputBuffer.length - - ssl->keys.padSz; + word16 i = (word16)(ssl->buffers.inputBuffer.length - + ssl->keys.padSz); /* Remove padding from end of plain text. */ for (--i; i > ssl->buffers.inputBuffer.idx; i--) { if (ssl->buffers.inputBuffer.buffer[i] != 0) @@ -20478,7 +20478,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, /* TLS v1.3 capable server downgraded. */ XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1), tls13Downgrade, TLS13_DOWNGRADE_SZ); - output[idx + RAN_LEN - 1] = IsAtLeastTLSv1_2(ssl); + output[idx + RAN_LEN - 1] = (byte)IsAtLeastTLSv1_2(ssl); } else #endif diff --git a/src/tls.c b/src/tls.c index 5f5bcc26a..7fb4e5ca2 100644 --- a/src/tls.c +++ b/src/tls.c @@ -5211,7 +5211,7 @@ static int TLSX_SupportedVersions_Write(void* data, byte* output, #endif *(output++) = pv.major; - *(output++) = pv.minor - i; + *(output++) = (byte)(pv.minor - i); } *pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN); @@ -6225,10 +6225,10 @@ static word16 TLSX_KeyShare_Write(KeyShareEntry* list, byte* output, c16toa(current->group, &output[i]); i += KE_GROUP_LEN; - c16toa(current->pubKeyLen, &output[i]); + c16toa((word16)(current->pubKeyLen), &output[i]); i += OPAQUE16_LEN; XMEMCPY(&output[i], current->pubKey, current->pubKeyLen); - i += current->pubKeyLen; + i += (word16)current->pubKeyLen; } /* Write the length of the list if required. */ if (isRequest) @@ -6766,7 +6766,7 @@ static int TLSX_KeyShare_New(KeyShareEntry** list, int group, void *heap, return MEMORY_E; XMEMSET(kse, 0, sizeof(*kse)); - kse->group = group; + kse->group = (word16)group; /* Add it to the back and maintain the links. */ while (*list != NULL) diff --git a/src/tls13.c b/src/tls13.c index 77e85f2ab..264274df7 100644 --- a/src/tls13.c +++ b/src/tls13.c 
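Review bot: In the `ProcessReply` hunk the `(word16)` cast silences the warning but keeps the truncation: if `ssl->buffers.inputBuffer.length - ssl->keys.padSz` does not fit in 16 bits, the padding scan starts at a truncated offset and `ssl->buffers.inputBuffer.buffer[i]` is read from the wrong place. Whether earlier code bounds both values is outside the hunk and needs confirming; declaring the index at the operands' width, `word32 i = ssl->buffers.inputBuffer.length - ssl->keys.padSz;`, removes the narrowing, assuming both operands are `word32` as the warning suggests. The same cast-instead-of-check pattern appears in the `TLSX_KeyShare_Write` hunk and in the tls13.c hunks for `HKDF_Expand_Label` and `SendTls13CertificateRequest`, where a length byte is narrowed while the following `XMEMCPY` still uses the full length. A range check there, or a comment naming the bound that makes the cast safe, would let a reader verify the encoded length always matches the copied data.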
@@ -231,10 +231,10 @@ static int HKDF_Expand_Label(byte* okm, word32 okmLen, byte data[MAX_HKDF_LABEL_SZ]; /* Output length. */ - data[idx++] = okmLen >> 8; - data[idx++] = okmLen; + data[idx++] = (byte)(okmLen >> 8); + data[idx++] = (byte)okmLen; /* Length of protocol | label. */ - data[idx++] = protocolLen + labelLen; + data[idx++] = (byte)(protocolLen + labelLen); /* Protocol */ XMEMCPY(&data[idx], protocol, protocolLen); idx += protocolLen; @@ -242,7 +242,7 @@ static int HKDF_Expand_Label(byte* okm, word32 okmLen, XMEMCPY(&data[idx], label, labelLen); idx += labelLen; /* Length of hash of messages */ - data[idx++] = infoLen; + data[idx++] = (byte)infoLen; /* Hash of messages */ XMEMCPY(&data[idx], info, infoLen); idx += infoLen; @@ -2115,7 +2115,7 @@ int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input, case BUILD_MSG_ENCRYPT: { /* The real record content type goes at the end of the data. */ - output[args->idx++] = type; + output[args->idx++] = (byte)type; #ifdef ATOMIC_USER if (ssl->ctx->MacEncryptCb) { @@ -4410,7 +4410,7 @@ static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx, ext->resp = 0; i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - reqSz = OPAQUE8_LEN + reqCtxLen; + reqSz = (word16)(OPAQUE8_LEN + reqCtxLen); ret = TLSX_GetRequestSize(ssl, certificate_request, &reqSz); if (ret != 0) return ret; @@ -4431,7 +4431,7 @@ static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx, AddTls13Headers(output, reqSz, certificate_request, ssl); /* Certificate request context. */ - output[i++] = reqCtxLen; + output[i++] = (byte)reqCtxLen; if (reqCtxLen != 0) { XMEMCPY(output + i, reqCtx, reqCtxLen); i += reqCtxLen; @@ -4625,7 +4625,7 @@ static int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz, if (ret < 0) return ret; - *sigDataSz = idx + ret; + *sigDataSz = (word16)(idx + ret); ret = 0; return ret; 
@@ -5257,7 +5257,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl) args->sigDataSz, ssl->suites->hashAlgo); if (ret < 0) goto exit_scv; - args->sigDataSz = ret; + args->sigDataSz = (word16)ret; ret = 0; } #endif /* HAVE_ECC */ @@ -5290,7 +5290,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl) NULL, NULL #endif ); - args->length = sig->length; + args->length = (word16)sig->length; } #endif /* HAVE_ECC */ #ifdef HAVE_ED25519 @@ -5322,7 +5322,7 @@ static int SendTls13CertificateVerify(WOLFSSL* ssl) NULL #endif ); - args->length = args->sigLen; + args->length = (word16)args->sigLen; } #endif /* !NO_RSA */ @@ -5649,7 +5649,7 @@ static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input, args->sigDataSz, args->hashAlgo); if (ret < 0) goto exit_dcv; - args->sigDataSz = ret; + args->sigDataSz = (word16)ret; ret = 0; } #endif @@ -7887,8 +7887,8 @@ int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count) return BAD_FUNC_ARG; for (i = 0; i < count; i++) - ctx->group[i] = groups[i]; - ctx->numGroups = count; + ctx->group[i] = (word16)groups[i]; + ctx->numGroups = (byte)count; return WOLFSSL_SUCCESS; } @@ -7911,8 +7911,8 @@ int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count) return BAD_FUNC_ARG; for (i = 0; i < count; i++) - ssl->group[i] = groups[i]; - ssl->numGroups = count; + ssl->group[i] = (word16)groups[i]; + ssl->numGroups = (byte)count; return WOLFSSL_SUCCESS; } From cf191a4d9647af496e07b7e496437e3073aea737 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 2 Jul 2018 13:31:13 -0700 Subject: [PATCH 17/17] Fixed a memory leak in the wolfCrypt test for DH key generation. --- wolfcrypt/test/test.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 4a45faf87..52e49ba5b 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c 
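Review bot: In the `wolfSSL_CTX_set_groups` and `wolfSSL_set_groups` hunks, `(word16)groups[i]` and `(byte)count` narrow caller-supplied `int` arguments, so a negative `count` or a group id above 0xFFFF is stored as a different value without an error. The condition ahead of `return BAD_FUNC_ARG;` is outside the hunks; confirm it rejects `count < 0`, and reject out-of-range ids in the loop with `if (groups[i] < 0 || groups[i] > 0xFFFF) return BAD_FUNC_ARG;`. These are public API entry points, so the range should also be stated in their header comments.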
@@ -11325,6 +11325,10 @@ static int dh_fips_generate_test(WC_RNG *rng) #endif /* HAVE_SELFTEST */ #ifdef WOLFSSL_KEY_GEN + wc_FreeDhKey(&key); + ret = wc_InitDhKey_ex(&key, HEAP_HINT, devId); + if (ret != 0) + return -8231; ret = wc_DhGenerateParams(rng, 2048, &key); if (ret != 0) {