feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix memory leak in ECDHE with TSIP

Browse Source
This commit is contained in:
TakayukiMatsuo
2022-07-24 05:24:27 +09:00
parent dc8b796d1d
commit 5a0afc512e
5 changed files with 30 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
IDE/Renesas/e2studio/RX65N/GR-ROSE/test/src/wolf_client.c
View File

@ -27,7 +27,9 @@
#include "wolfssl/certs_test.h" #include "wolfssl/certs_test.h"
#include "key_data.h" #include "key_data.h"
#include "wolfssl_demo.h" #include "wolfssl_demo.h"
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
#include <wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h>
#endif
#define SIMPLE_TLSSEVER_IP "192.168.1.12" #define SIMPLE_TLSSEVER_IP "192.168.1.12"
#define SIMPLE_TLSSERVER_PORT "11111" #define SIMPLE_TLSSERVER_PORT "11111"

7
wolfcrypt/src/port/Renesas/renesas_common.c
View File

@ -544,7 +544,7 @@ WOLFSSL_LOCAL int Renesas_cmn_EccVerify(WOLFSSL* ssl, const unsigned char* sig,
* key_e_start Byte position of public key exponent in cert * key_e_start Byte position of public key exponent in cert
* key_e_len Length of public key exponent * key_e_len Length of public key exponent
* cm_row CA index * cm_row CA index
* return FSP_SUCCESS(0) on success, otherwise FSP/TSIP error code * return FSP_SUCCESS(0) on success, otherwise WOLFSSL_FATAL_ERROR
*/ */
int wc_Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, word32 key_n_start, int wc_Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, word32 key_n_start,
word32 key_n_len, word32 key_e_start, word32 key_e_len, word32 cm_row) word32 key_n_len, word32 key_e_start, word32 key_e_len, word32 cm_row)
@ -564,11 +564,16 @@ int wc_Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, word32 key_
ret = wc_sce_tls_RootCertVerify(cert, cert_len, key_n_start, ret = wc_sce_tls_RootCertVerify(cert, cert_len, key_n_start,
key_n_len, key_e_start, key_e_len, cm_row); key_n_len, key_e_start, key_e_len, cm_row);
#endif #endif
if (ret != TSIP_SUCCESS) {
ret = WOLFSSL_FATAL_ERROR;
}
} }
else { else {
/* already verified. skipped */ /* already verified. skipped */
ret = 0; ret = 0;
} }
WOLFSSL_LEAVE("wc_Renesas_cmn_RootCertVerify", ret);
return ret; return ret;
} }

4
wolfcrypt/src/port/Renesas/renesas_tsip_aes.c
View File

@ -723,7 +723,7 @@ int wc_tsip_AesGcmEncrypt(
* iv init func. * iv init func.
* It expects to pass iv when users create their own key. * It expects to pass iv when users create their own key.
*/ */
err = initFn(&hdl, &key_client_aes, iv_l, ivSz_l); err = initFn(&hdl, &key_client_aes, (uint8_t*)iv_l, ivSz_l);
if (err == TSIP_SUCCESS) { if (err == TSIP_SUCCESS) {
err = updateFn(&hdl, NULL, NULL, 0UL, (uint8_t*)aadBuf, authInSz); err = updateFn(&hdl, NULL, NULL, 0UL, (uint8_t*)aadBuf, authInSz);
@ -917,7 +917,7 @@ int wc_tsip_AesGcmDecrypt(
* *
* It expects to pass iv when users create their own key. * It expects to pass iv when users create their own key.
*/ */
err = initFn(&hdl, &key_server_aes, iv_l, ivSz_l); err = initFn(&hdl, &key_server_aes, (uint8_t*)iv_l, ivSz_l);
if (err == TSIP_SUCCESS) { if (err == TSIP_SUCCESS) {
/* pass only AAD and it's size before passing cipher text */ /* pass only AAD and it's size before passing cipher text */

35
wolfcrypt/src/port/Renesas/renesas_tsip_util.c
View File

@ -2028,8 +2028,19 @@ int wc_tsip_RsaVerify(
WOLFSSL_LEAVE("tsip_RsaVerify", ret); WOLFSSL_LEAVE("tsip_RsaVerify", ret);
return ret; return ret;
} }
/* /* Verify signature for Server Key Exchange with TSIP
* return 0 on success * TSIP can handle prime256v1 curve and sha256 hash
* parameters:
* ssl WOLFSSL object
* sig buffer holding DER encoded ecdsa signature data
* sigSz signature data size
* hash buffer holding sha256 hash data
* hashSz hash data size
* key buffer holding peer's public key (NOT used in this function)
* keySz public key size((NOT used in this function))
* result address of the variable to output result
* ctx context
* return 0 on success, CRYPTOCB_UNAVAILABLE in case TSIP cannot handle
*/ */
int wc_tsip_EccVerify( int wc_tsip_EccVerify(
WOLFSSL* ssl, WOLFSSL* ssl,
@ -2039,8 +2050,7 @@ int wc_tsip_EccVerify(
int* result, void* ctx) int* result, void* ctx)
{ {
int ret = WOLFSSL_FAILURE; int ret = WOLFSSL_FAILURE;
uint8_t* sigforSCE = NULL; uint8_t sigforSCE [R_TSIP_ECDSA_DATA_BYTE_SIZE] = {0};
uint8_t* pSig = NULL;
const byte rs_size = R_TSIP_ECDSA_DATA_BYTE_SIZE/2; const byte rs_size = R_TSIP_ECDSA_DATA_BYTE_SIZE/2;
byte offset = 0x3; byte offset = 0x3;
@ -2060,18 +2070,7 @@ int wc_tsip_EccVerify(
return CRYPTOCB_UNAVAILABLE; return CRYPTOCB_UNAVAILABLE;
} }
sigforSCE = (uint8_t*)XMALLOC(R_TSIP_ECDSA_DATA_BYTE_SIZE, NULL, /* concatenate r and s parts of the signature so that TSIP can handle it*/
DYNAMIC_TYPE_TMP_BUFFER);
if (sigforSCE == NULL) {
WOLFSSL_MSG("failed to malloc memory");
WOLFSSL_LEAVE("wc_tsip_EccVerify", MEMORY_E);
return MEMORY_E;
}
/* initialization */
XMEMCPY(sigforSCE, 0, R_TSIP_ECDSA_DATA_BYTE_SIZE);
/* r */ /* r */
if (sig[offset] == 0x20) { if (sig[offset] == 0x20) {
XMEMCPY(sigforSCE, &sig[offset+1], rs_size); XMEMCPY(sigforSCE, &sig[offset+1], rs_size);
@ -2098,9 +2097,7 @@ int wc_tsip_EccVerify(
} }
} }
pSig = sigforSCE; ret = tsip_ServerKeyExVerify(2, ssl, sigforSCE, 64, ctx);
ret = tsip_ServerKeyExVerify(2, ssl, pSig, 64, ctx);
if (ret == WOLFSSL_SUCCESS) { if (ret == WOLFSSL_SUCCESS) {
*result = 1; *result = 1;

3
wolfssl/internal.h
View File

@ -257,6 +257,9 @@
#include <wolfssl/wolfcrypt/port/iotsafe/iotsafe.h> #include <wolfssl/wolfcrypt/port/iotsafe/iotsafe.h>
#endif #endif
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
#include <wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h>
#endif
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {