Use 2nd stack for update signature verification

earlephilhower · earlephilhower · commit fe02cb3c5e1e · 2020-03-11T09:14:56.000-07:00
Fixes esp8266#7145 When doing a signed update, the signature calculation can use a lot of stack, so move it silently to the BearSSL second stack. Also fix a memory leak of signature-bytes found by @JiriBilek
diff --git a/cores/esp8266/Updater.cpp b/cores/esp8266/Updater.cpp
@@ -1,6 +1,7 @@
 #include "Updater.h"
 #include "eboot_command.h"
 #include <esp8266_peri.h>
+#include "StackThunk.h"
 
 //#define DEBUG_UPDATER Serial
 
@@ -40,6 +41,14 @@ UpdaterClass::UpdaterClass()
 {
 #if ARDUINO_SIGNING
   installSignature(&esp8266::updaterSigningHash, &esp8266::updaterSigningVerifier);
+  stack_thunk_add_ref();
+#endif
+}
+
+UpdaterClass::~UpdaterClass()
+{
+#if ARDUINO_SIGNING
+    stack_thunk_del_ref();
 #endif
 }
 
@@ -263,8 +272,10 @@ bool UpdaterClass::end(bool evenIfRemaining){
 #endif
     if (!_verify->verify(_hash, (void *)sig, sigLen)) {
       _setError(UPDATE_ERROR_SIGN);
+      free(sig);
       return false;
     }
+    free(sig);
 #ifdef DEBUG_UPDATER
     DEBUG_UPDATER.printf_P(PSTR("[Updater] Signature matches\n"));
 #endif
diff --git a/cores/esp8266/Updater.h b/cores/esp8266/Updater.h
@@ -53,6 +53,7 @@ class UpdaterClass {
     typedef std::function<void(size_t, size_t)> THandlerFunction_Progress;
   
     UpdaterClass();
+    ~UpdaterClass();
 
     /* Optionally add a cryptographic signature verification hash and method */
     void installSignature(UpdaterHashClass *hash, UpdaterVerifyClass *verify) {  _hash = hash;  _verify = verify; }
diff --git a/libraries/ESP8266WiFi/src/BearSSLHelpers.cpp b/libraries/ESP8266WiFi/src/BearSSLHelpers.cpp
@@ -870,9 +870,9 @@ uint32_t SigningVerifier::length()
   }
 }
 
-bool SigningVerifier::verify(UpdaterHashClass *hash, const void *signature, uint32_t signatureLen) {
-  if (!_pubKey || !hash || !signature || signatureLen != length()) return false;
-
+// We need to use the 2nd stack to do a verification, so do the thunk
+// directly inside the class function for ease of use.
+extern "C" bool SigningVerifier_verify(PublicKey *_pubKey, UpdaterHashClass *hash, const void *signature, uint32_t signatureLen) {
   if (_pubKey->isRSA()) {
     bool ret;
     unsigned char vrf[hash->len()];
@@ -890,6 +890,20 @@ bool SigningVerifier::verify(UpdaterHashClass *hash, const void *signature, uint
   }
 };
 
+#if !CORE_MOCK
+make_stack_thunk(SigningVerifier_verify);
+extern "C" bool thunk_SigningVerifier_verify(PublicKey *_pubKey, UpdaterHashClass *hash, const void *signature, uint32_t signatureLen);
+#endif
+
+bool SigningVerifier::verify(UpdaterHashClass *hash, const void *signature, uint32_t signatureLen) {
+  if (!_pubKey || !hash || !signature || signatureLen != length()) return false;
+#if !CORE_MOCK
+    return thunk_SigningVerifier_verify(_pubKey, hash, signature, signatureLen);
+#else
+    return SigningVerifier_verify(_pubKey, hash, signature, signatureLen);
+#endif
+}
+
 #if !CORE_MOCK
 
 // Second stack thunked helpers
