feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

addressed review comments

Browse Source 
tsip_usable() reconstruction
This commit is contained in:
Hideki Miyazaki
2019-09-19 11:23:55 +09:00
parent a37b604da9
commit 5c5aa45a5e
9 changed files with 69 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
IDE/Renesas/e2studio/Projects/test/src/wolf_client.c
View File

@ -47,8 +47,10 @@ static int my_IORecv(WOLFSSL* ssl, char* buff, int sz, void* ctx)
return WOLFSSL_CBIO_ERR_GENERAL; return WOLFSSL_CBIO_ERR_GENERAL;
ret = tcp_rcv_dat(cepid, buff, sz, TMO_FEVR); ret = tcp_rcv_dat(cepid, buff, sz, TMO_FEVR);
if(ret > 0)return ret; if(ret > 0)
else return WOLFSSL_CBIO_ERR_GENERAL; return ret;
else
return WOLFSSL_CBIO_ERR_GENERAL;
} }
static int my_IOSend(WOLFSSL* ssl, char* buff, int sz, void* ctx) static int my_IOSend(WOLFSSL* ssl, char* buff, int sz, void* ctx)
@ -57,13 +59,15 @@ static int my_IOSend(WOLFSSL* ssl, char* buff, int sz, void* ctx)
ID cepid; ID cepid;
if(ctx != NULL) if(ctx != NULL)
cepid = *(ID *)ctx; cepid = *(ID *)ctx;
else else
return WOLFSSL_CBIO_ERR_GENERAL; return WOLFSSL_CBIO_ERR_GENERAL;
ret = tcp_snd_dat(cepid, buff, sz, TMO_FEVR); ret = tcp_snd_dat(cepid, buff, sz, TMO_FEVR);
if(ret == sz)return ret; if(ret == sz)
else return WOLFSSL_CBIO_ERR_GENERAL; return ret;
else
return WOLFSSL_CBIO_ERR_GENERAL;
} }
static int getIPaddr(char *arg) static int getIPaddr(char *arg)

20
src/internal.c
View File

@ -172,7 +172,7 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
#endif #endif
#ifdef WOLFSSL_RENESAS_TSIP_TLS #ifdef WOLFSSL_RENESAS_TSIP_TLS
byte tsip_useable(byte cipher0, byte cipher, byte side); int tsip_useable(const WOLFSSL *ssl);
int tsip_generatePremasterSecret(); int tsip_generatePremasterSecret();
int tsip_generateEncryptPreMasterSecret(WOLFSSL *ssl, byte *out, word32 *outSz); int tsip_generateEncryptPreMasterSecret(WOLFSSL *ssl, byte *out, word32 *outSz);
#endif #endif
@ -12674,10 +12674,8 @@ static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input,
#endif #endif
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
if (tsip_useable(ssl->options.cipherSuite0, if (tsip_useable(ssl)) {
ssl->options.cipherSuite, ret = wc_tsip_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz);
ssl->options.side)) {
wc_tsip_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz);
} else } else
#endif #endif
ret = wc_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz); ret = wc_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz);
@ -12959,9 +12957,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
#endif #endif
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
if (tsip_useable(ssl->options.cipherSuite0, if (tsip_useable(ssl)) {
ssl->options.cipherSuite,
ssl->options.side)) {
ret = wc_tsip_AesCbcDecrypt(ssl->decrypt.aes, plain, input, sz); ret = wc_tsip_AesCbcDecrypt(ssl->decrypt.aes, plain, input, sz);
} else } else
#endif #endif
@ -21025,9 +21021,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
/* build PreMasterSecret with RNG data */ /* build PreMasterSecret with RNG data */
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
if (tsip_useable(ssl->options.cipherSuite0, if (tsip_useable(ssl)) {
ssl->options.cipherSuite,
ssl->options.side)) {
ret = tsip_generatePremasterSecret( ret = tsip_generatePremasterSecret(
&ssl->arrays->preMasterSecret[VERSION_SZ], &ssl->arrays->preMasterSecret[VERSION_SZ],
ENCRYPT_LEN - VERSION_SZ); ENCRYPT_LEN - VERSION_SZ);
@ -21372,9 +21366,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
{ {
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
if (tsip_useable(ssl->options.cipherSuite0, if (tsip_useable(ssl) &&
ssl->options.cipherSuite,
ssl->options.side) &&
wc_RsaEncryptSize(ssl->peerRsaKey) == 256) { wc_RsaEncryptSize(ssl->peerRsaKey) == 256) {
ret = tsip_generateEncryptPreMasterSecret(ssl, ret = tsip_generateEncryptPreMasterSecret(ssl,
args->encSecret, args->encSecret,

5
src/keys.c
View File

@ -46,7 +46,7 @@
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
int tsip_useable(byte cipher0, byte ciphper1, byte side); int tsip_useable(const WOLFSSL *ssl);
#endif #endif
int SetCipherSpecs(WOLFSSL* ssl) int SetCipherSpecs(WOLFSSL* ssl)
{ {
@ -3179,8 +3179,7 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
/* check if keys for TSIP has been created */ /* check if keys for TSIP has been created */
if (tsip_useable(ssl->options.cipherSuite0, ssl->options.cipherSuite, if (tsip_useable(ssl) == 1)
ssl->options.side) == 1)
ret = 0; ret = 0;
else else
#endif #endif

2
src/ssl.c
View File

@ -109,7 +109,7 @@
#if defined(WOLFSSL_RENESAS_TSIP_TLS) #if defined(WOLFSSL_RENESAS_TSIP_TLS)
/* for root ca verification */ /* for root ca verification */
int tsip_tls_RootCertVerify(const byte *cert , word32 cert_len, int tsip_tls_RootCertVerify(const byte *cert, word32 cert_len,
word32 key_n_start, word32 key_n_len, word32 key_n_start, word32 key_n_len,
word32 key_e_start, word32 key_e_len, word32 key_e_start, word32 key_e_len,
word32 cm_row); word32 cm_row);

18
src/tls.c
View File

@ -132,7 +132,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions);
#endif #endif
#ifdef WOLFSSL_RENESAS_TSIP_TLS #ifdef WOLFSSL_RENESAS_TSIP_TLS
int tsip_useable(byte cipher0, byte cipher, byte side); int tsip_useable(const WOLFSSL *ssl);
int tsip_generateMasterSecret(const byte *pre, int tsip_generateMasterSecret(const byte *pre,
const byte *cr,const byte *sr, const byte *cr,const byte *sr,
byte *ms/* out */); byte *ms/* out */);
@ -204,9 +204,7 @@ int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
#ifdef WOLFSSL_HAVE_PRF #ifdef WOLFSSL_HAVE_PRF
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
if (tsip_useable(ssl->options.cipherSuite0, if (tsip_useable(ssl)) {
ssl->options.cipherSuite,
ssl->options.side)) {
ret = tsip_generateVerifyData(ssl->arrays->tsip_masterSecret, ret = tsip_generateVerifyData(ssl->arrays->tsip_masterSecret,
side, handshake_hash, (byte*)hashes /* out */); side, handshake_hash, (byte*)hashes /* out */);
} else } else
@ -376,9 +374,7 @@ int DeriveTlsKeys(WOLFSSL* ssl)
#endif #endif
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
if (tsip_useable(ssl->options.cipherSuite0, if (tsip_useable(ssl))
ssl->options.cipherSuite,
ssl->options.side))
ret = tsip_generateSeesionKey(ssl); ret = tsip_generateSeesionKey(ssl);
else { else {
#endif #endif
@ -535,9 +531,7 @@ int MakeTlsMasterSecret(WOLFSSL* ssl)
{ {
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
if (tsip_useable(ssl->options.cipherSuite0, if (tsip_useable(ssl)) {
ssl->options.cipherSuite,
ssl->options.side)) {
ret = tsip_generateMasterSecret( ret = tsip_generateMasterSecret(
&ssl->arrays->preMasterSecret[VERSION_SZ], &ssl->arrays->preMasterSecret[VERSION_SZ],
ssl->arrays->clientRandom, ssl->arrays->clientRandom,
@ -1198,9 +1192,7 @@ int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz,
wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify); wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify);
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
!defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
if (tsip_useable(ssl->options.cipherSuite0, if (tsip_useable(ssl)) {
ssl->options.cipherSuite,
ssl->options.side)) {
if (ssl->specs.hash_size == WC_SHA_DIGEST_SIZE) if (ssl->specs.hash_size == WC_SHA_DIGEST_SIZE)
ret = tsip_Sha1Hmac(ssl, myInner, WOLFSSL_TLS_HMAC_INNER_SZ, ret = tsip_Sha1Hmac(ssl, myInner, WOLFSSL_TLS_HMAC_INNER_SZ,
in, sz, digest, verify); in, sz, digest, verify);

14
wolfcrypt/src/asn.c
View File

@ -8448,9 +8448,21 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
cert->heap, DYNAMIC_TYPE_RSA); cert->heap, DYNAMIC_TYPE_RSA);
if (cert->tsip_encRsaKeyIdx == NULL) if (cert->tsip_encRsaKeyIdx == NULL)
return MEMORY_E; return MEMORY_E;
} else } else {
if (cert->ca) {
/* TSIP isn't usable */
if (tsip_checkCA(cert->ca->cm_idx) == 0)
WOLFSSL_MSG("TSIP isn't usable because the ca isn't verified by TSIP.");
else if (cert->sigCtx.pubkey_n_len != 256)
WOLFSSL_MSG("TSIP isn't usable because the ca isn't signed by RSA 2048.");
else
WOLFSSL_MSG("TSIP isn't usable");
}
#endif #endif
cert->tsip_encRsaKeyIdx = NULL; cert->tsip_encRsaKeyIdx = NULL;
#if defined(WOLFSSL_RENESAS_TSIP)
}
#endif
if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) { if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
if (cert->ca) { if (cert->ca) {

6
wolfcrypt/src/port/Renesas/renesas_tsip_aes.c
View File

@ -89,6 +89,9 @@ int wc_tsip_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz)
} else { } else {
ret = R_TSIP_Aes256CbcEncryptFinal(&_handle, out, &dataLength); ret = R_TSIP_Aes256CbcEncryptFinal(&_handle, out, &dataLength);
} }
} else {
WOLFSSL_MSG("TSIP AES CBC encryption failed");
ret = -1;
} }
tsip_hw_unlock(); tsip_hw_unlock();
@ -140,6 +143,9 @@ int wc_tsip_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz)
ret = R_TSIP_Aes128CbcDecryptFinal(&_handle, out, &dataLength); ret = R_TSIP_Aes128CbcDecryptFinal(&_handle, out, &dataLength);
else else
ret = R_TSIP_Aes256CbcDecryptFinal(&_handle, out, &dataLength); ret = R_TSIP_Aes256CbcDecryptFinal(&_handle, out, &dataLength);
} else {
WOLFSSL_MSG("TSIP AES CBC decryption failed");
ret = -1;
} }
tsip_hw_unlock(); tsip_hw_unlock();

28
wolfcrypt/src/port/Renesas/renesas_tsip_util.c
View File

@ -106,9 +106,31 @@ void tsip_hw_unlock( void )
/* cipher0 : in the some cipher suite, */ /* cipher0 : in the some cipher suite, */
/* first byte becomes greater than 0, otherwise 0x00 */ /* first byte becomes greater than 0, otherwise 0x00 */
/* side : CLIENT END or SEVER END */ /* side : CLIENT END or SEVER END */
byte tsip_useable(byte cipher0, byte cipher, byte side) int tsip_useable(const struct WOLFSSL *ssl)
{ {
if (cipher0 > 0x00) return 0; byte cipher0;
byte cipher;
byte side;
/* sanity check */
if (ssl == NULL)
return BAD_FUNC_ARG;
/* when rsa key index == NULL, tsip isn't used for cert verification. */
/* in the case, we cannot use TSIP. */
if (!ssl->peerTsipEncRsaKeyIndex)
return 0;
/* when enabled Extended Master Secret, we cannot use TSIP. */
if (ssl->options.haveEMS)
return 0;
cipher0 = ssl->options.cipherSuite0;
cipher = ssl->options.cipherSuite;
side = ssl->options.side;
if (cipher0 > 0x00)
return 0;
if ((cipher == l_TLS_RSA_WITH_AES_128_CBC_SHA || if ((cipher == l_TLS_RSA_WITH_AES_128_CBC_SHA ||
cipher == l_TLS_RSA_WITH_AES_128_CBC_SHA256 || cipher == l_TLS_RSA_WITH_AES_128_CBC_SHA256 ||
@ -267,7 +289,7 @@ int tsip_Sha1Hmac(const struct WOLFSSL *ssl, const byte *myInner,
int ret; int ret;
if ((ssl == NULL) || (myInner == NULL) || (in == NULL) || if ((ssl == NULL) || (myInner == NULL) || (in == NULL) ||
(digest == NULL)) (digest == NULL))
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
if ((ret = tsip_hw_lock()) != 0) { if ((ret = tsip_hw_lock()) != 0) {

2
wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h
View File

@ -65,7 +65,7 @@ int tsip_Open( );
void tsip_Close( ); void tsip_Close( );
int tsip_hw_lock(); int tsip_hw_lock();
void tsip_hw_unlock( void ); void tsip_hw_unlock( void );
int tsip_usable(byte cipher0, byte cipher, byte side); int tsip_usable(const struct WOLFSSL *ssl);
void tsip_inform_sflash_signedcacert(const byte *ps_flash, void tsip_inform_sflash_signedcacert(const byte *ps_flash,
const byte *psigned_ca_cert, word32 len); const byte *psigned_ca_cert, word32 len);
void tsip_inform_cert_sign(const byte *sign); void tsip_inform_cert_sign(const byte *sign);