Add lock around static ECC ecc_oid_cache

wolfSSL · Oct 9, 2024 · da8f5b4 · da8f5b4
1 parent bf29b68
commit da8f5b4
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 1 deletion.
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
@@ -1426,7 +1426,12 @@ size_t wc_ecc_get_sets_count(void) {
         byte oid[ECC_MAX_OID_LEN];
     } oid_cache_t;
     static oid_cache_t ecc_oid_cache[ECC_SET_COUNT];
+
+    static wolfSSL_Mutex ecc_oid_cache_lock WOLFSSL_MUTEX_INITIALIZER_CLAUSE(ecc_oid_cache_lock);
+#ifndef WOLFSSL_MUTEX_INITIALIZER
+    static volatile int eccOidLockInit = 0;
 #endif
+#endif /* HAVE_OID_ENCODING */
 
 /* Forward declarations */
 #if defined(HAVE_COMP_KEY) && defined(HAVE_ECC_KEY_EXPORT)
@@ -15418,6 +15423,23 @@ static int wc_ecc_export_x963_compressed(ecc_key* key, byte* out, word32* outLen
 #endif /* HAVE_ECC_KEY_EXPORT */
 #endif /* HAVE_COMP_KEY */
 
+#ifdef HAVE_OID_ENCODING
+int wc_ecc_oid_cache_init(void)
+{
+    int ret = 0;
+#if !defined(SINGLE_THREADED) && !defined(WOLFSSL_MUTEX_INITIALIZER)
+    ret = wc_InitMutex(&ecc_oid_cache_lock);
+#endif
+    return ret;
+}
+
+void wc_ecc_oid_cache_free(void)
+{
+#if !defined(SINGLE_THREADED) && !defined(WOLFSSL_MUTEX_INITIALIZER)
+    wc_FreeMutex(&ecc_oid_cache_lock);
+#endif
+}
+#endif /* HAVE_OID_ENCODING */
 
 int wc_ecc_get_oid(word32 oidSum, const byte** oid, word32* oidSz)
 {
@@ -15432,8 +15454,22 @@ int wc_ecc_get_oid(word32 oidSum, const byte** oid, word32* oidSz)
         if (ecc_sets[x].oidSum == oidSum) {
         #ifdef HAVE_OID_ENCODING
             int ret = 0;
+            oid_cache_t* o = NULL;
+
+        #ifndef WOLFSSL_MUTEX_INITIALIZER
+            /* extra sanity check if wolfCrypt_Init not called */
+            if (eccOidLockInit == 0) {
+                wc_InitMutex(&ecc_oid_cache_lock);
+                eccOidLockInit = 1;
+            }
+        #endif
+
+            if (wc_LockMutex(&ecc_oid_cache_lock) != 0) {
+                return BAD_MUTEX_E;
+            }
+
             /* check cache */
-            oid_cache_t* o = &ecc_oid_cache[x];
+            o = &ecc_oid_cache[x];
             if (o->oidSz == 0) {
                 o->oidSz = sizeof(o->oid);
                 ret = EncodeObjectId(ecc_sets[x].oid, ecc_sets[x].oidSz,
@@ -15445,6 +15481,9 @@ int wc_ecc_get_oid(word32 oidSum, const byte** oid, word32* oidSz)
             if (oid) {
                 *oid = o->oid;
             }
+
+            wc_UnLockMutex(&ecc_oid_cache_lock);
+
             /* on success return curve id */
             if (ret == 0) {
                 ret = ecc_sets[x].id;

diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c
@@ -365,6 +365,13 @@ int wolfCrypt_Init(void)
             return ret;
         }
     #endif
+    #if defined(HAVE_OID_ENCODING) && (!defined(HAVE_FIPS) || \
+            (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0)))
+        if ((ret = wc_ecc_oid_cache_init()) != 0) {
+            WOLFSSL_MSG("Error creating ECC oid cache");
+            return ret;
+        }
+    #endif
 #endif
 
 #ifdef WOLFSSL_SCE
@@ -456,6 +463,10 @@ int wolfCrypt_Cleanup(void)
     #ifdef ECC_CACHE_CURVE
         wc_ecc_curve_cache_free();
     #endif
+    #if defined(HAVE_OID_ENCODING) && (!defined(HAVE_FIPS) || \
+            (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0)))
+        wc_ecc_oid_cache_free();
+    #endif
 #endif /* HAVE_ECC */
 
     #if defined(OPENSSL_EXTRA) || defined(DEBUG_WOLFSSL_VERBOSE)

diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h
@@ -1027,6 +1027,11 @@ WOLFSSL_API int wc_ecc_curve_cache_init(void);
 WOLFSSL_API void wc_ecc_curve_cache_free(void);
 #endif
 
+#ifdef HAVE_OID_ENCODING
+WOLFSSL_LOCAL int wc_ecc_oid_cache_init(void);
+WOLFSSL_LOCAL void wc_ecc_oid_cache_free(void);
+#endif
+
 WOLFSSL_API
 int wc_ecc_gen_k(WC_RNG* rng, int size, mp_int* k, mp_int* order);