Memory usage improvements

kdf.c: wc_PRF() - No need for previous, reuse current. sha256.c: Transform_Sha256() - Add slow but small version for many register implementation. sp_int.h: Change 'used' and 'size' fields to 16-bit types when possible. sp_int.c: Fixes for 16-bit used.
wolfSSL · Aug 28, 2024 · 795d651 · 795d651
1 parent bcbb544
commit 795d651
Show file tree

Hide file tree

Showing 7 changed files with 227 additions and 202 deletions.
diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c
@@ -84,11 +84,9 @@ int wc_PRF(byte* result, word32 resLen, const byte* secret,
     word32 lastTime;
     int    ret = 0;
 #ifdef WOLFSSL_SMALL_STACK
-    byte*  previous;
     byte*  current;
     Hmac*  hmac;
 #else
-    byte   previous[P_HASH_MAX_SIZE];  /* max size */
     byte   current[P_HASH_MAX_SIZE];   /* max size */
     Hmac   hmac[1];
 #endif
@@ -153,19 +151,16 @@ int wc_PRF(byte* result, word32 resLen, const byte* secret,
     lastTime = times - 1;
 
 #ifdef WOLFSSL_SMALL_STACK
-    previous = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
-    current  = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
-    hmac     = (Hmac*)XMALLOC(sizeof(Hmac),    heap, DYNAMIC_TYPE_HMAC);
-    if (previous == NULL || current == NULL || hmac == NULL) {
-        XFREE(previous, heap, DYNAMIC_TYPE_DIGEST);
+    current = (byte*)XMALLOC(P_HASH_MAX_SIZE, heap, DYNAMIC_TYPE_DIGEST);
+    hmac    = (Hmac*)XMALLOC(sizeof(Hmac),    heap, DYNAMIC_TYPE_HMAC);
+    if (current == NULL || hmac == NULL) {
         XFREE(current, heap, DYNAMIC_TYPE_DIGEST);
         XFREE(hmac, heap, DYNAMIC_TYPE_HMAC);
         return MEMORY_E;
     }
 #endif
 #ifdef WOLFSSL_CHECK_MEM_ZERO
-    XMEMSET(previous, 0xff, P_HASH_MAX_SIZE);
-    wc_MemZero_Add("wc_PRF previous", previous, P_HASH_MAX_SIZE);
+    XMEMSET(current, 0xff, P_HASH_MAX_SIZE);
     wc_MemZero_Add("wc_PRF current", current, P_HASH_MAX_SIZE);
     wc_MemZero_Add("wc_PRF hmac", hmac, sizeof(Hmac));
 #endif
@@ -176,53 +171,53 @@ int wc_PRF(byte* result, word32 resLen, const byte* secret,
         if (ret == 0)
             ret = wc_HmacUpdate(hmac, seed, seedLen); /* A0 = seed */
         if (ret == 0)
-            ret = wc_HmacFinal(hmac, previous);       /* A1 */
+            ret = wc_HmacFinal(hmac, current);        /* A1 */
         if (ret == 0) {
             word32 i;
             word32 idx = 0;
 
             for (i = 0; i < times; i++) {
-                ret = wc_HmacUpdate(hmac, previous, len);
+                ret = wc_HmacUpdate(hmac, current, len);
                 if (ret != 0)
                     break;
                 ret = wc_HmacUpdate(hmac, seed, seedLen);
                 if (ret != 0)
                     break;
-                ret = wc_HmacFinal(hmac, current);
-                if (ret != 0)
-                    break;
-
-                if ((i == lastTime) && lastLen)
-                    XMEMCPY(&result[idx], current,
-                                             min(lastLen, P_HASH_MAX_SIZE));
-                else {
-                    XMEMCPY(&result[idx], current, len);
+                if ((i != lastTime) || !lastLen) {
+                    ret = wc_HmacFinal(hmac, &result[idx]);
+                    if (ret != 0)
+                        break;
                     idx += len;
-                    ret = wc_HmacUpdate(hmac, previous, len);
+
+                    ret = wc_HmacUpdate(hmac, current, len);
                     if (ret != 0)
                         break;
-                    ret = wc_HmacFinal(hmac, previous);
+                    ret = wc_HmacFinal(hmac, current);
                     if (ret != 0)
                         break;
                 }
+                else {
+                    ret = wc_HmacFinal(hmac, current);
+                    if (ret != 0)
+                        break;
+                    XMEMCPY(&result[idx], current,
+                                             min(lastLen, P_HASH_MAX_SIZE));
+                }
             }
         }
         wc_HmacFree(hmac);
     }
 
-    ForceZero(previous,  P_HASH_MAX_SIZE);
-    ForceZero(current,   P_HASH_MAX_SIZE);
-    ForceZero(hmac,      sizeof(Hmac));
+    ForceZero(current, P_HASH_MAX_SIZE);
+    ForceZero(hmac,    sizeof(Hmac));
 
 #if defined(WOLFSSL_CHECK_MEM_ZERO)
-    wc_MemZero_Check(previous, P_HASH_MAX_SIZE);
-    wc_MemZero_Check(current,  P_HASH_MAX_SIZE);
-    wc_MemZero_Check(hmac,     sizeof(Hmac));
+    wc_MemZero_Check(current, P_HASH_MAX_SIZE);
+    wc_MemZero_Check(hmac,    sizeof(Hmac));
 #endif
 
 #ifdef WOLFSSL_SMALL_STACK
-    XFREE(previous, heap, DYNAMIC_TYPE_DIGEST);
-    XFREE(current,  heap, DYNAMIC_TYPE_DIGEST);
+    XFREE(current, heap, DYNAMIC_TYPE_DIGEST);
     XFREE(hmac,     heap, DYNAMIC_TYPE_HMAC);
 #endif
 

diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c
@@ -1255,6 +1255,9 @@ static int InitSha256(wc_Sha256* sha256)
     {
         word32 S[8], t0, t1;
         int i;
+    #ifdef USE_SLOW_SHA256
+        int j;
+    #endif
         word32 W[WC_SHA256_BLOCK_SIZE/sizeof(word32)];
 
         /* Copy digest to working vars */
@@ -1268,6 +1271,16 @@ static int InitSha256(wc_Sha256* sha256)
         S[7] = sha256->digest[7];
 
         i = 0;
+    #ifdef USE_SLOW_SHA256
+        for (j = 0; j < 16; j++) {
+            RND1(j);
+        }
+        for (i = 16; i < 64; i += 16) {
+            for (j = 0; j < 16; j++) {
+                RNDN(j);
+            }
+        }
+    #else
         RND1( 0); RND1( 1); RND1( 2); RND1( 3);
         RND1( 4); RND1( 5); RND1( 6); RND1( 7);
         RND1( 8); RND1( 9); RND1(10); RND1(11);
@@ -1279,6 +1292,7 @@ static int InitSha256(wc_Sha256* sha256)
             RNDN( 8); RNDN( 9); RNDN(10); RNDN(11);
             RNDN(12); RNDN(13); RNDN(14); RNDN(15);
         }
+    #endif
 
         /* Add the working vars back into digest */
         sha256->digest[0] += S[0];