WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

remove large static buffer for cert chain processing

pull/1/head
Todd A Ouska 2011-04-20 15:54:34 -07:00
parent 1326c79bb6
commit adaef70aec
1 changed files with 40 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
src/ssl.c
View File

@ -657,11 +657,25 @@ int AddCA(SSL_CTX* ctx, buffer der)
*used = info.consumed; *used = info.consumed;
/* we may have a cert chain */ /* we may have a cert chain */
if (type == CERT_TYPE && info.consumed < sz) { if (type == CERT_TYPE && info.consumed < sz) {
/* allow a chain of MAX_DEPTH plus subject, 5 by default */ byte staticBuffer[FILE_BUFFER_SIZE]; /* tmp chain buffer */
byte chainBuffer[MAX_X509_SIZE * MAX_CHAIN_DEPTH]; byte* chainBuffer = staticBuffer;
int dynamicBuffer = 0;
word32 bufferSz = sizeof(staticBuffer);
long consumed = info.consumed; long consumed = info.consumed;
word32 idx = 0; word32 idx = 0;
if ( (sz - consumed) > bufferSz) {
CYASSL_MSG("Growing Tmp Chain Buffer");
bufferSz = sz - consumed; /* will shrink to actual size */
chainBuffer = (byte*)XMALLOC(bufferSz, ctx->heap,
DYNAMIC_FILE_TYPE);
if (chainBuffer == NULL) {
XFREE(der.buffer, ctx->heap, dynamicType);
return MEMORY_E;
}
dynamicBuffer = 1;
}
CYASSL_MSG("Processing Cert Chain"); CYASSL_MSG("Processing Cert Chain");
while (consumed < sz) { while (consumed < sz) {
long left; long left;
@ -672,7 +686,7 @@ int AddCA(SSL_CTX* ctx, buffer der)
ret = PemToDer(buff + consumed, sz - consumed, type, &part, ret = PemToDer(buff + consumed, sz - consumed, type, &part,
ctx->heap, &info, &eccKey); ctx->heap, &info, &eccKey);
if (ret == 0) { if (ret == 0) {
if ( (idx + part.length) > sizeof(chainBuffer)) { if ( (idx + part.length) > bufferSz) {
CYASSL_MSG(" Cert Chain bigger than buffer"); CYASSL_MSG(" Cert Chain bigger than buffer");
ret = BUFFER_E; ret = BUFFER_E;
} }
@ -690,6 +704,7 @@ int AddCA(SSL_CTX* ctx, buffer der)
XFREE(part.buffer, ctx->heap, dynamicType); XFREE(part.buffer, ctx->heap, dynamicType);
if (ret < 0) { if (ret < 0) {
CYASSL_MSG(" Error in Cert in Chain"); CYASSL_MSG(" Error in Cert in Chain");
XFREE(der.buffer, ctx->heap, dynamicType);
return ret; return ret;
} }
CYASSL_MSG(" Consumed another Cert in Chain"); CYASSL_MSG(" Consumed another Cert in Chain");
@ -703,10 +718,16 @@ int AddCA(SSL_CTX* ctx, buffer der)
CYASSL_MSG("Finished Processing Cert Chain"); CYASSL_MSG("Finished Processing Cert Chain");
ctx->certChain.buffer = (byte*)XMALLOC(idx, ctx->heap, ctx->certChain.buffer = (byte*)XMALLOC(idx, ctx->heap,
dynamicType); dynamicType);
if (ctx->certChain.buffer == NULL) if (ctx->certChain.buffer) {
ctx->certChain.length = idx;
XMEMCPY(ctx->certChain.buffer, chainBuffer, idx);
}
if (dynamicBuffer)
XFREE(chainBuffer, ctx->heap, DYNAMIC_FILE_TYPE);
if (ctx->certChain.buffer == NULL) {
XFREE(der.buffer, ctx->heap, dynamicType);
return MEMORY_E; return MEMORY_E;
ctx->certChain.length = idx; }
XMEMCPY(ctx->certChain.buffer, chainBuffer, idx);
} }
} }
else { /* ASN1 (DER) or RAW (NTRU) */ else { /* ASN1 (DER) or RAW (NTRU) */
@ -725,17 +746,24 @@ int AddCA(SSL_CTX* ctx, buffer der)
byte key[AES_256_KEY_SIZE]; byte key[AES_256_KEY_SIZE];
byte iv[AES_IV_SIZE]; byte iv[AES_IV_SIZE];
if (!ctx->passwd_cb) return -1; if (!ctx->passwd_cb) {
XFREE(der.buffer, ctx->heap, dynamicType);
return -1;
}
/* use file's salt for key derivation, hex decode first */ /* use file's salt for key derivation, hex decode first */
if (Base16Decode(info.iv, info.ivSz, info.iv, &info.ivSz) != 0) if (Base16Decode(info.iv, info.ivSz, info.iv, &info.ivSz) != 0) {
XFREE(der.buffer, ctx->heap, dynamicType);
return -1; return -1;
}
passwordSz = ctx->passwd_cb(password, sizeof(password), 0, passwordSz = ctx->passwd_cb(password, sizeof(password), 0,
ctx->userdata); ctx->userdata);
if (EVP_BytesToKey(info.name, "MD5", info.iv, (byte*)password, if (EVP_BytesToKey(info.name, "MD5", info.iv, (byte*)password,
passwordSz, 1, key, iv) <= 0) passwordSz, 1, key, iv) <= 0) {
XFREE(der.buffer, ctx->heap, dynamicType);
return -1; return -1;
}
if (XSTRNCMP(info.name, "DES-CBC", 7) == 0) { if (XSTRNCMP(info.name, "DES-CBC", 7) == 0) {
Des des; Des des;
@ -762,8 +790,10 @@ int AddCA(SSL_CTX* ctx, buffer der)
AesSetKey(&aes, key, AES_256_KEY_SIZE, info.iv, AES_DECRYPTION); AesSetKey(&aes, key, AES_256_KEY_SIZE, info.iv, AES_DECRYPTION);
AesCbcDecrypt(&aes, der.buffer, der.buffer, der.length); AesCbcDecrypt(&aes, der.buffer, der.buffer, der.length);
} }
else else {
XFREE(der.buffer, ctx->heap, dynamicType);
return SSL_BAD_FILE; return SSL_BAD_FILE;
}
} }
#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */ #endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */