From 454687f429b3b76e926e78295438c7eccd34ba86 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Wed, 6 Feb 2019 13:32:10 -0800
Subject: [PATCH] Fix for TLS HMAC constant timing to ensure final is called for dummy operations. Added devCtx to AES for CryptoCb.
---
 src/tls.c | 3 +++
 wolfcrypt/src/aes.c | 4 ++++
 wolfssl/wolfcrypt/aes.h | 7 +++++--
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/tls.c b/src/tls.c
index b7e087e44..1ffffe734 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -1112,6 +1112,9 @@ static int Hmac_UpdateFinal(Hmac* hmac, byte* digest, const byte* in,
 if (ret != 0) break;
 }
+ /* call final to cleanup */
+ if (ret == 0)
+ ret = wc_HmacFinal(hmac, dummy);
 }
 return ret;
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 43bfe9e33..e865a9ad3 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -6528,6 +6528,7 @@ int wc_AesInit(Aes* aes, void* heap, int devId)
 #ifdef WOLF_CRYPTO_CB
 aes->devId = devId;
+ aes->devCtx = NULL;
 #else
 (void)devId;
 #endif
@@ -6589,6 +6590,9 @@ void wc_AesFree(Aes* aes)
 #if defined(WOLFSSL_DEVCRYPTO) && \
 (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
 wc_DevCryptoFree(&aes->ctx);
+#endif
+#if defined(WOLF_CRYPTO_CB) || (defined(WOLFSSL_DEVCRYPTO) && \
+ (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC)))
 ForceZero((byte*)aes->devKey, AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE);
 #endif
 }
diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h
index 18d37bd9c..37f0a1f51 100644
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@@ -152,7 +152,7 @@ typedef struct Aes {
 #endif /* WOLFSSL_AESNI */
 #ifdef WOLF_CRYPTO_CB
 int devId;
- word32 devKey[AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE/sizeof(word32)]; /* raw key */
+ void* devCtx;
 #endif
 #ifdef HAVE_PKCS11
 byte id[AES_MAX_ID_LEN];
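Review bot: The added `wc_HmacFinal(hmac, dummy)` runs only when every dummy update succeeded, so when a `wc_HmacUpdate` in the loop fails, the cleanup that the comment promises is skipped. If the Final is there to reset or release HMAC state, the error path needs it too, for example `finalRet = wc_HmacFinal(hmac, dummy); if (ret == 0) ret = finalRet;`, provided Final is safe to call after a failed update, which should be confirmed. `dummy` is declared outside the hunk, so its size relative to the largest digest that Final can write is not visible here; the comment could state that requirement. Hmac_UpdateFinal starts before the hunk.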
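Review bot: In the wc_AesFree hunk the `ForceZero` length is spelled out as `AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE`, separately from the array bound used where `devKey` is declared in aes.h. The new three-macro `#if` guard is also copied verbatim into the second aes.h hunk. Since this is the line that wipes the raw key, tie the length to the field with `ForceZero((byte*)aes->devKey, sizeof(aes->devKey));` and consider a single feature macro defined in aes.h for the guard. A later edit to one copy then cannot leave key bytes unwiped or break the build. wc_AesFree starts outside the hunk, so whether `aes` is NULL-checked before this line is not visible.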
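Review bot: `void* devCtx;` is added to the Aes struct without a comment, and the visible hunks do not show who allocates or releases it. wc_AesInit sets it to NULL, but the visible part of wc_AesFree does not touch it. Document ownership on the field, for example `void* devCtx; /* opaque context for the crypto callback; not released by wc_AesFree (confirm) */`, so callback authors know they must free it and clear any key material it references. The struct definition continues outside the hunk.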
@@ -182,9 +182,12 @@ typedef struct Aes {
 GCM_NONCE_MID_SZ)];
 #endif
 #endif
+#if defined(WOLF_CRYPTO_CB) || (defined(WOLFSSL_DEVCRYPTO) && \
+ (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC)))
+ word32 devKey[AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE/sizeof(word32)]; /* raw key */
+#endif
 #if defined(WOLFSSL_DEVCRYPTO) && \
 (defined(WOLFSSL_DEVCRYPTO_AES) || defined(WOLFSSL_DEVCRYPTO_CBC))
- word32 devKey[AES_MAX_KEY_SIZE/WOLFSSL_BIT_SIZE/sizeof(word32)]; /* raw key */
 WC_CRYPTODEV ctx;
 #endif
 void* heap; /* memory hint to use */