From 8fda4ce14730019e4e92ae44c75f97fb9c4afc53 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 14 Oct 2024 10:19:54 -0600 Subject: [PATCH 1/2] use heap hint with wolfSSL_CTX_check_private_key --- src/ssl.c | 4 ++-- src/x509.c | 2 +- wolfcrypt/src/asn.c | 28 +++++++++++++++------------- wolfcrypt/src/pkcs12.c | 2 +- wolfssl/wolfcrypt/asn.h | 6 ++++-- 5 files changed, 23 insertions(+), 19 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 2fe5e93d99..450ed24193 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6347,7 +6347,7 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, DerBuffer* altKey, if (ret == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) #endif /* WOLF_PRIVATE_KEY_ID */ { - ret = wc_CheckPrivateKeyCert(buff, size, der, 0); + ret = wc_CheckPrivateKeyCert(buff, size, der, 0, heap); ret = (ret == 1) ? WOLFSSL_SUCCESS: WOLFSSL_FAILURE; } @@ -6407,7 +6407,7 @@ static int check_cert_key(DerBuffer* cert, DerBuffer* key, DerBuffer* altKey, if (ret == WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) #endif /* WOLF_PRIVATE_KEY_ID */ { - ret = wc_CheckPrivateKeyCert(buff, size, der, 1); + ret = wc_CheckPrivateKeyCert(buff, size, der, 1, heap); ret = (ret == 1) ? WOLFSSL_SUCCESS: WOLFSSL_FAILURE; } } diff --git a/src/x509.c b/src/x509.c index 0f6fcfb657..58f5cc1194 100644 --- a/src/x509.c +++ b/src/x509.c @@ -12984,7 +12984,7 @@ WOLFSSL_ASN1_OBJECT* wolfSSL_X509_NAME_ENTRY_get_object( #ifndef NO_CHECK_PRIVATE_KEY return wc_CheckPrivateKey((byte*)key->pkey.ptr, key->pkey_sz, x509->pubKey.buffer, x509->pubKey.length, - (enum Key_Sum)x509->pubKeyOID) == 1 ? + (enum Key_Sum)x509->pubKeyOID, key->heap) == 1 ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE; #else /* not compiled in */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 9ec233855e..1a4ce95186 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -7446,9 +7446,11 @@ int wc_CreatePKCS8Key(byte* out, word32* outSz, byte* key, word32 keySz, * privKeySz : size of private key buffer * pubKey : buffer holding DER format public key * pubKeySz : size of public key buffer - * ks : type of key */ + * ks : type of key + * heap : heap hint to use */ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, - const byte* pubKey, word32 pubKeySz, enum Key_Sum ks) + const byte* pubKey, word32 pubKeySz, enum Key_Sum ks, + void* heap) { int ret; (void)privKeySz; @@ -7485,14 +7487,14 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, } #endif - if ((ret = wc_InitRsaKey(a, NULL)) < 0) { + if ((ret = wc_InitRsaKey(a, heap)) < 0) { #ifdef WOLFSSL_SMALL_STACK XFREE(b, NULL, DYNAMIC_TYPE_RSA); XFREE(a, NULL, DYNAMIC_TYPE_RSA); #endif return ret; } - if ((ret = wc_InitRsaKey(b, NULL)) < 0) { + if ((ret = wc_InitRsaKey(b, heap)) < 0) { wc_FreeRsaKey(a); #ifdef WOLFSSL_SMALL_STACK XFREE(b, NULL, DYNAMIC_TYPE_RSA); @@ -7553,7 +7555,7 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, } #endif - if ((ret = wc_ecc_init(key_pair)) < 0) { + if ((ret = wc_ecc_init_ex(key_pair, heap, INVALID_DEVID)) < 0) { #ifdef WOLFSSL_SMALL_STACK XFREE(privDer, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(key_pair, NULL, DYNAMIC_TYPE_ECC); @@ -7571,7 +7573,7 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, wc_MemZero_Add("wc_CheckPrivateKey privDer", privDer, privSz); #endif wc_ecc_free(key_pair); - ret = wc_ecc_init(key_pair); + ret = wc_ecc_init_ex(key_pair, heap, INVALID_DEVID); if (ret == 0) { ret = wc_ecc_import_private_key(privDer, privSz, pubKey, @@ -7622,7 +7624,7 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, return MEMORY_E; #endif - if ((ret = wc_ed25519_init(key_pair)) < 0) { + if ((ret = wc_ed25519_init_ex(key_pair, heap, INVALID_DEVID)) < 0) { #ifdef WOLFSSL_SMALL_STACK XFREE(key_pair, NULL, DYNAMIC_TYPE_ED25519); #endif @@ -7672,7 +7674,7 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, return MEMORY_E; #endif - if ((ret = wc_ed448_init(key_pair)) < 0) { + if ((ret = wc_ed448_init_ex(key_pair, heap, INVALID_DEVID)) < 0) { #ifdef WOLFSSL_SMALL_STACK XFREE(key_pair, NULL, DYNAMIC_TYPE_ED448); #endif @@ -7933,7 +7935,7 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, * checkAlt : indicate if we check primary or alternative key */ int wc_CheckPrivateKeyCert(const byte* key, word32 keySz, DecodedCert* der, - int checkAlt) + int checkAlt, void* heap) { int ret = 0; @@ -7947,7 +7949,7 @@ int wc_CheckPrivateKeyCert(const byte* key, word32 keySz, DecodedCert* der, word32 idx = 0; /* Dilithium has the largest public key at the moment */ word32 pubKeyLen = DILITHIUM_MAX_PUB_KEY_SIZE; - byte* decodedPubKey = (byte*)XMALLOC(pubKeyLen, NULL, + byte* decodedPubKey = (byte*)XMALLOC(pubKeyLen, heap, DYNAMIC_TYPE_PUBLIC_KEY); if (decodedPubKey == NULL) { ret = MEMORY_E; @@ -7966,15 +7968,15 @@ int wc_CheckPrivateKeyCert(const byte* key, word32 keySz, DecodedCert* der, } if (ret == 0) { ret = wc_CheckPrivateKey(key, keySz, decodedPubKey, pubKeyLen, - (enum Key_Sum) der->sapkiOID); + (enum Key_Sum) der->sapkiOID, heap); } - XFREE(decodedPubKey, NULL, DYNAMIC_TYPE_PUBLIC_KEY); + XFREE(decodedPubKey, heap, DYNAMIC_TYPE_PUBLIC_KEY); } else #endif { ret = wc_CheckPrivateKey(key, keySz, der->publicKey, - der->pubKeySize, (enum Key_Sum) der->keyOID); + der->pubKeySize, (enum Key_Sum) der->keyOID, heap); } (void)checkAlt; diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c index 3cddc646b4..e8cc11e9eb 100644 --- a/wolfcrypt/src/pkcs12.c +++ b/wolfcrypt/src/pkcs12.c @@ -1112,7 +1112,7 @@ static WARN_UNUSED_RESULT int freeDecCertList(WC_DerCertList** list, InitDecodedCert(DeCert, current->buffer, current->bufferSz, heap); if (ParseCertRelative(DeCert, CERT_TYPE, NO_VERIFY, NULL, NULL) == 0) { - if (wc_CheckPrivateKeyCert(*pkey, *pkeySz, DeCert, 0) == 1) { + if (wc_CheckPrivateKeyCert(*pkey, *pkeySz, DeCert, 0, heap) == 1) { WOLFSSL_MSG("Key Pair found"); *cert = current->buffer; *certSz = current->bufferSz; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 6df41eb29d..b43b1c1bbb 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -2382,9 +2382,11 @@ WOLFSSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash, WOLFSSL_LOCAL int GetNameHash_ex(const byte* source, word32* idx, byte* hash, int maxIdx, word32 sigOID); WOLFSSL_LOCAL int wc_CheckPrivateKeyCert(const byte* key, word32 keySz, - DecodedCert* der, int checkAlt); + DecodedCert* der, int checkAlt, + void* heap); WOLFSSL_LOCAL int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, - const byte* pubKey, word32 pubKeySz, enum Key_Sum ks); + const byte* pubKey, word32 pubKeySz, + enum Key_Sum ks, void* heap); WOLFSSL_LOCAL int StoreDHparams(byte* out, word32* outLen, mp_int* p, mp_int* g); #ifdef WOLFSSL_DH_EXTRA WOLFSSL_API int wc_DhPublicKeyDecode(const byte* input, word32* inOutIdx, From bc0a2c43e65003ca4a9a3c10fc768ec8ef63fb91 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 21 Oct 2024 10:04:26 -0600 Subject: [PATCH 2/2] avoid warning for unused parameter with certain build configurations --- wolfcrypt/src/asn.c | 1 + 1 file changed, 1 insertion(+) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 1a4ce95186..9cad859e52 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -7921,6 +7921,7 @@ int wc_CheckPrivateKey(const byte* privKey, word32 privKeySz, ret = 0; } (void)ks; + (void)heap; return ret; }