From f50fcd918e2756900050fb5bedcb57d94c05a5f2 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Sat, 30 Oct 2021 20:21:21 +0900 Subject: [PATCH 1/7] support Renesas RA SCE protect mode on RA6M4 evaluation board --- IDE/Renesas/e2studio/RA6M4/README.md | 120 ++ .../e2studio/RA6M4/common/user_settings.h | 80 ++ .../e2studio/RA6M4/common/wolfssl_demo.h | 82 ++ IDE/Renesas/e2studio/RA6M4/include.am | 21 + IDE/Renesas/e2studio/RA6M4/test/.cproject | 334 +++++ IDE/Renesas/e2studio/RA6M4/test/.project | 49 + .../e2studio/RA6M4/test/key_data/key_data.h | 19 + .../RA6M4/test/key_data/key_data_sce.c | 113 ++ .../RA6M4/test/src/SEGGER_RTT/myprint.c | 34 + .../e2studio/RA6M4/test/src/common/.gitignore | 2 + .../e2studio/RA6M4/test/src/hal_entry.c | 59 + .../RA6M4/test/src/sce_tst_thread_entry.c | 18 + .../e2studio/RA6M4/test/src/test_main.c | 197 +++ .../e2studio/RA6M4/test/src/wolf_client.c | 192 +++ .../RA6M4/test/test_RA6M4Debug.launch | 78 ++ IDE/Renesas/e2studio/RA6M4/wolfssl/.cproject | 345 +++++ IDE/Renesas/e2studio/RA6M4/wolfssl/.project | 430 +++++++ .../RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg | 36 + .../e2studio/RA6M4/wolfssl/configuration.xml | 799 ++++++++++++ IDE/include.am | 1 + src/internal.c | 124 +- src/keys.c | 27 +- src/ssl.c | 153 ++- src/tls.c | 29 +- wolfcrypt/benchmark/benchmark.c | 20 +- wolfcrypt/src/asn.c | 137 +- wolfcrypt/src/error.c | 2 + wolfcrypt/src/include.am | 4 + wolfcrypt/src/port/Renesas/renesas_common.c | 805 ++++++++++++ wolfcrypt/src/port/Renesas/renesas_sce_aes.c | 520 ++++++++ wolfcrypt/src/port/Renesas/renesas_sce_sha.c | 263 ++++ wolfcrypt/src/port/Renesas/renesas_sce_util.c | 1119 +++++++++++++++++ .../src/port/Renesas/renesas_tsip_util.c | 18 +- wolfcrypt/src/random.c | 25 + wolfcrypt/src/sha256.c | 20 +- wolfcrypt/src/wc_port.c | 22 +- wolfcrypt/test/test.c | 14 +- wolfssl/internal.h | 24 +- wolfssl/ssl.h | 39 + wolfssl/test.h | 134 ++ wolfssl/wolfcrypt/aes.h | 3 + wolfssl/wolfcrypt/asn.h | 32 +- wolfssl/wolfcrypt/error-crypt.h | 5 +- wolfssl/wolfcrypt/include.am | 2 + .../port/Renesas/renesas-sce-crypt.h | 231 ++++ wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h | 43 + wolfssl/wolfcrypt/port/Renesas/renesas_sync.h | 35 + wolfssl/wolfcrypt/settings.h | 23 +- wolfssl/wolfcrypt/sha256.h | 3 + wolfssl/wolfio.h | 4 +- 50 files changed, 6768 insertions(+), 121 deletions(-) create mode 100644 IDE/Renesas/e2studio/RA6M4/README.md create mode 100644 IDE/Renesas/e2studio/RA6M4/common/user_settings.h create mode 100644 IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h create mode 100644 IDE/Renesas/e2studio/RA6M4/include.am create mode 100644 IDE/Renesas/e2studio/RA6M4/test/.cproject create mode 100644 IDE/Renesas/e2studio/RA6M4/test/.project create mode 100644 IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h create mode 100644 IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c create mode 100644 IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c create mode 100644 IDE/Renesas/e2studio/RA6M4/test/src/common/.gitignore create mode 100644 IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c create mode 100644 IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c create mode 100644 IDE/Renesas/e2studio/RA6M4/test/src/test_main.c create mode 100644 IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c create mode 100644 IDE/Renesas/e2studio/RA6M4/test/test_RA6M4Debug.launch create mode 100644 IDE/Renesas/e2studio/RA6M4/wolfssl/.cproject create mode 100644 IDE/Renesas/e2studio/RA6M4/wolfssl/.project create mode 100644 IDE/Renesas/e2studio/RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg create mode 100644 IDE/Renesas/e2studio/RA6M4/wolfssl/configuration.xml create mode 100644 wolfcrypt/src/port/Renesas/renesas_common.c create mode 100644 wolfcrypt/src/port/Renesas/renesas_sce_aes.c create mode 100644 wolfcrypt/src/port/Renesas/renesas_sce_sha.c create mode 100644 wolfcrypt/src/port/Renesas/renesas_sce_util.c create mode 100644 wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h create mode 100755 wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h create mode 100644 wolfssl/wolfcrypt/port/Renesas/renesas_sync.h diff --git a/IDE/Renesas/e2studio/RA6M4/README.md b/IDE/Renesas/e2studio/RA6M4/README.md new file mode 100644 index 000000000..9f6323471 --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/README.md @@ -0,0 +1,120 @@ +wolfSSL for Renesas RA Evaluation Kit (EK-RA6M4) +================================================= + +## Description + +This directory contains e2studio projects targeted at the Renesas RA 32-bit MCUs.\ +The example projects include a wolfSSL TLS client.\ +They also include benchmark and cryptography tests for the wolfCrypt library. + +The wolfssl project contains both the wolfSSL and wolfCrypt libraries.\ +It is built as a `Renesas RA C Library Project` and contains the Renesas RA\ +configuration. The wolfssl project uses `Secure Cryptography Engine on RA6 Protected Mode` \ +as hardware acceleration for cypto and TLS operation. + +The other projects (benchmark, client, and test) are built as a\ +`Renesas RA C Project Using RA Library`, where the RA library is the wolfssl project.\ +The wolfssl Project Summary is listed below and is relevant for every project. + +### Project Summary +|Item|Name/Version| +|:--|:--| +|Board|EK-RA6M4| +|Device|R7FA6M4AF3CFB| +|Toolchain|GCC ARM Embedded| +|FSP Version|3.4.0a| + +#### Selected software components + +|Components|Version| +|:--|:--| +|Board Support Package Common Files|v3.4.0a| +|Secure Cryptography Engine on RA6 Protected Mode|v3.4.0a| +|I/O Port|v3.4.0a| +|Arm CMSIS Version 5 - Core (M)|v5.7.0+fsp.3.4.0a| +|RA6M3G-EK Board Support Files|v3.4.0a| +|Board support package for R7FA6M4AF3CFB|v3.4.0a| +|Board support package for RA6M4|v3.4.0a| +|FreeRTOS|v10.4.3+fsp.3.4.0a| +|FreeRTOS - Memory Management - Heap 4|v10.4.3+fsp.3.4.0a| +|r_ether to FreeRTOS+TCP Wrapper|v3.4.0a| +|Ethernet|v3.4.0.a| +|Ethernet PHY|v3.4.0a| +|FreeRTOS+TCP|v2.3.2+fsp.3.4.0a| +|FreeRTOS - Buffer Allocation 2|v2.3.2+fsp.3.4.0a| + +## Setup Steps + +1.) Import projects from [File]->[Open projects from File System] + ++ Select folder at /path/to/wolfssl/IDE/Renesas/e2studio/RA6M ++ Deselect the Non-Eclipse project, RA6M4, by clicking the checkbox\ + Only the folders with 'Eclipse project' under 'Import as' need to be selected. + +2.) Create project Content by Smart Configurator + ++ Open Smart Configurator by clicking configuration.xml in wolfSSL_RA6M4 project ++ Create project content by clicking `Generate Project Content` + +3.) Build the wolfSSL project + +4.) Create a 'dummy' Renesas RA C Project Using RA Library. + ++ Click File->New->`RA C/C++ Project`. ++ Select `EK-RA6M4` from Drop-down list. ++ Check `Executable Using an RA Static Library`. ++ Select FreeRTOS from RTOS selection. Click Finish. ++ Enter `dummy_app` as the project name. Click Next. ++ Under `RA library project`, select `wolfSSL_RA6M4`. ++ Click Finish. ++ Copy the followng folder inside dummy_app to `test_RA6M4`\ + script/ + +5.) Prepare SEGGER_RTT to logging + ++ Download J-Link software from [Segger](https://www.segger.com/downloads/jlink) ++ Choose `J-Link Software and Documentation Pack` ++ Copy sample program files below from `Installed SEGGER` folder, `e.g C:\Program Files\SEGGER\JLink\Samples\RTT`, to /path/to/wolfssl/IDE/Reenesas/e2studio/RA6M4/test/src/SEGGER_RTT\ + + SEGGER_RTT.c\ + SEGGER_RTT.h\ + SEGGER_RTT_Conf.h\ + SEGGER_RTT_printf.c + ++ To connect RTT block, you can configure RTT viewer configuration based on where RTT block is in map file\ + e.g.\ + [test_RA6M4.map] + ``` + COMMON 0x200232a8 0xa8 ./src/SEGGER_RTT/SEGGER_RTT.o\ + ```` + you can specify "RTT control block" to 0x200232a8 by Address\ + OR\ + you can specify "RTT control block" to 0x20020000 0x10000 by Search Range + + +6.) Prepare peer wolfssl server + On Linux\ +``` + $ autogen.sh\ + $ ./configure --enable-extended-master=no CFLAGS="-DWOLFSSL_STATIC_RSA -DHAVE_AES_CBC" +``` + +7.) Run the example Client +``` + RSA sign and verify use, launch server + $./example/server/server -b -d -i +``` + +``` + ECDSA sign and verifyuse, launch server + $./examples/server/server -b -d -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem +``` + + **Note**\ + To run "RSA sign and verify" client, enable "#define USE_CERT_BUFFERS_2048" in wolfssl_demo.h\ + To run "ECDSA sign and verify" client, enable "#define USE_CERT_BUFFERS_256" in wolfssl_demo.h + + **Note**\ + To run Crypt test, enable "CRYPT_TEST" macro in wolfssl_demo.h\ + To run Benchmark, enable "BENCHMARK" macro in wolfssl_demo.h + \ No newline at end of file diff --git a/IDE/Renesas/e2studio/RA6M4/common/user_settings.h b/IDE/Renesas/e2studio/RA6M4/common/user_settings.h new file mode 100644 index 000000000..2615f540c --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/common/user_settings.h @@ -0,0 +1,80 @@ +/* user_settings.h + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ +/* Operating Environment and Threading */ +#define FREERTOS +#define FREERTOS_TCP + +#define NO_MAIN_DRIVER +#define BENCH_EMBEDDED +#define NO_WRITEV + +#define NO_DEV_RANDOM +#define SIZEOF_LONG_LONG 8 +#define NO_WOLFSSL_DIR +#define WOLFSSL_NO_CURRDIR +#define NO_WOLF_C99 +#define NO_MULTIBYTE_PRINT +#define NO_FILESYSTEM + +#define XVALIDATEDATE(d, f,t) (0) + +#define TFM_TIMING_RESISTANT +#define ECC_TIMING_RESISTANT +#define WC_RSA_BLINDING + +#define HAVE_AESGCM +#define WOLFSSL_SHA512 +#define HAVE_ECC +#define HAVE_CURVE25519 +#define CURVE25519_SMALL + +#define WOLFSSL_SMALL_STACK +#define USE_FAST_MATH + +/* static RSA */ +#define WOLFSSL_STATIC_RSA + +/* SEGGER printf */ +#define USE_SEGGER_RTT_PRINTF + +#ifdef USE_SEGGER_RTT_PRINTF + int myprintf(const char * sFormat, ...); + #undef printf + #define printf myprintf +#endif + +/* #define WOLFSSL_TLS13 */ + +#if defined(WOLFSSL_TLS13) + #include + #define HAVE_FFDHE_2048 + #define HAVE_HKDF + #define WC_RSA_PSS + #define HAVE_TLS_EXTENSIONS + #define HAVE_SUPPORTED_CURVES +#endif + +#define WOLF_CRYPTO_CB +/* Enable SCEKEY_INSTALLED if keys are installed */ +#define SCEKEY_INSTALLED +#if defined(SCEKEY_INSTALLED) + #define HAVE_RENESAS_SYNC +#endif diff --git a/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h b/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h new file mode 100644 index 000000000..6c2320439 --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h @@ -0,0 +1,82 @@ +/* wolfssl_demo.h + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef WOLFSSL_DEMO_H_ +#define WOLFSSL_DEMO_H_ + +#include +#include "FreeRTOS_IP.h" +#include "FreeRTOS_Sockets.h" + +#define FREQ 10000 /* Hz */ + +#define FLASH_HP_DF_BLOCK_0 0x08000000U /* 64 B: 0x40100000 - 0x4010003F */ +#define FLASH_HP_DF_BLOCK_1 0x08000040U /* 64 B: 0x40100040 - 0x4010007F */ +#define FLASH_HP_DF_BLOCK_2 0x08000080U /* 64 B: 0x40100080 - 0x401000BF */ +#define FLASH_HP_DF_BLOCK_3 0x080000C0U /* 64 B: 0x401000C0 - 0x401000FF */ + +#define DIRECT_KEY_ADDRESS FLASH_HP_DF_BLOCK_1 + + +/* Enable wolfcrypt test */ +/* can be enabled with benchmark test */ +/*#define CRYPT_TEST*/ + +/* Enable benchmark */ +/* can be enabled with cyrpt test */ +/*#define BENCHMARK*/ + +/* Enable TLS client */ +/* cannot enable with other definition */ +#define TLS_CLIENT +#define TEST_CIPHER_SPECIFIED + +/* RSA certification use */ +#define USE_CERT_BUFFERS_2048 +/* ECC certification use */ +/*#define USE_CERT_BUFFERS_256*/ + +#if defined(USE_CERT_BUFFERS_2048) && defined(USE_CERT_BUFFERS_256) + #error please set either macro USE_CERT_BUFFERS_2048 or USE_CERT_BUFFERS_256 +#endif + +void wolfSSL_TLS_client_init(); +void wolfSSL_TLS_client(); + +static void util_Cleanup(xSocket_t xSock, WOLFSSL_CTX *ctx, WOLFSSL *ssl) { + printf("Cleaning up socket and wolfSSL objects.\n"); + if (xSock != NULL) + FreeRTOS_closesocket(xSock); + if (ssl != NULL) + wolfSSL_free(ssl); + if (ctx != NULL) + wolfSSL_CTX_free(ctx); + wolfSSL_Cleanup(); +} + +static inline void util_inf_loop(xSocket_t xClientSocket, WOLFSSL_CTX *ctx, + WOLFSSL *ssl) { + util_Cleanup(xClientSocket, ctx, ssl); + printf("Reached infinite loop.\n"); + while (1) + ; +} +#endif /* WOLFSSL_DEMO_H_ */ diff --git a/IDE/Renesas/e2studio/RA6M4/include.am b/IDE/Renesas/e2studio/RA6M4/include.am new file mode 100644 index 000000000..d7d652ca6 --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/include.am @@ -0,0 +1,21 @@ +# vim:ft=automake +# included from Top Level Makefile.am +# All paths should be given relative to the root + +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/README.md +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/wolfssl/.cproject +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/wolfssl/.project +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/wolfssl/configuration.xml +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/.cproject +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/.project +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/test_RA6M4Debug.launch +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/test_main.c +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/common/user_settings.h diff --git a/IDE/Renesas/e2studio/RA6M4/test/.cproject b/IDE/Renesas/e2studio/RA6M4/test/.cproject new file mode 100644 index 000000000..7d3b1437b --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/.cproject @@ -0,0 +1,334 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/IDE/Renesas/e2studio/RA6M4/test/.project b/IDE/Renesas/e2studio/RA6M4/test/.project new file mode 100644 index 000000000..f8df2a741 --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/.project @@ -0,0 +1,49 @@ + + + test_RA6M4 + + + + + + org.eclipse.cdt.managedbuilder.core.genmakebuilder + clean,full,incremental, + + + + + org.eclipse.cdt.managedbuilder.core.ScannerConfigBuilder + full,incremental, + + + + + + org.eclipse.cdt.core.cnature + com.renesas.cdt.ra.contentgen.raExecutableNature + org.eclipse.cdt.managedbuilder.core.managedBuildNature + org.eclipse.cdt.managedbuilder.core.ScannerConfigNature + + + + src/benchmark.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/benchmark/benchmark.c + + + src/test.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/test/test.c + + + src/common/user_settings.h + 1 + PARENT-1-PROJECT_LOC/common/user_settings.h + + + src/common/wolfssl_demo.h + 1 + PARENT-1-PROJECT_LOC/common/wolfssl_demo.h + + + diff --git a/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h b/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h new file mode 100644 index 000000000..d4a3cd04d --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h @@ -0,0 +1,19 @@ + +#ifndef __KEY_DATA_H__ + +#include "r_sce.h" + +/** Firmware update data and user key datas */ +typedef struct user_key_block_data +{ + uint8_t encrypted_provisioning_key[HW_SCE_AES_CBC_IV_BYTE_SIZE * 2]; + uint8_t iv[HW_SCE_AES_CBC_IV_BYTE_SIZE]; + uint8_t encrypted_user_rsa2048_ne_key[HW_SCE_RSA2048_NE_KEY_BYTE_SIZE + 16]; + uint8_t encrypted_user_update_key[HW_SCE_AES256_KEY_BYTE_SIZE + 16]; +} st_user_key_block_data_t; + + + extern const unsigned char ca_cert_der_sign[]; + extern const unsigned char ca_ecc_cert_der_sign[]; + +#endif /* __KEY_DATA_H__ */ \ No newline at end of file diff --git a/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c b/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c new file mode 100644 index 000000000..ba53b1818 --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c @@ -0,0 +1,113 @@ + +#include "key_data.h" +#include "wolfssl_demo.h" + +/********************************************************************************************************************** + Exported global variables + *********************************************************************************************************************/ +const st_user_key_block_data_t g_key_block_data = +{ + /* uint8_t encrypted_provisioning_key[R_TSIP_AES_CBC_IV_BYTE_SIZE * 2]; */ + { + 0xE7, 0x1C, 0xEB, 0xCA, 0x3A, 0x64, 0x0B, 0xD2, 0xC5, 0xB8, 0xF2, 0xD0, 0xF7, 0x1B, 0xA9, 0x4A, + 0x98, 0xFF, 0xF3, 0x48, 0x81, 0xAD, 0xAF, 0x63, 0x19, 0x24, 0x4B, 0x2B, 0xC0, 0x8B, 0x9C, 0x6B + }, + /* uint8_t iv[R_TSIP_AES_CBC_IV_BYTE_SIZE]; */ + { + 0xD7, 0x97, 0x56, 0x82, 0x5B, 0x4B, 0x7F, 0xB2, 0x1C, 0x1F, 0xEE, 0x85, 0x02, 0xC5, 0xD0, 0xBA + }, + /* uint8_t encrypted_user_rsa2048_ne_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16]; */ + { + 0x3F, 0xA5, 0xBE, 0xBF, 0x86, 0xEC, 0x23, 0x37, 0x82, 0x37, 0x71, 0x0C, 0x83, 0xA7, 0x8E, 0x86, + 0xF0, 0x16, 0xD3, 0x7B, 0xF1, 0x25, 0xA4, 0x37, 0x7A, 0x2D, 0x16, 0xF2, 0xFF, 0x3D, 0xEE, 0x46, + 0xE0, 0x05, 0x58, 0x56, 0xC2, 0xE7, 0x9D, 0x2C, 0x01, 0x84, 0x59, 0x8E, 0xA8, 0x9E, 0xEE, 0x3F, + 0x22, 0x83, 0x68, 0xDA, 0x9E, 0xCE, 0xEA, 0x99, 0xFD, 0xAF, 0xDF, 0x67, 0x1E, 0x73, 0x25, 0x68, + 0xBF, 0x0A, 0xDF, 0xAF, 0xC4, 0x3D, 0xF1, 0xBD, 0x41, 0xF5, 0xAC, 0xAC, 0xA4, 0x36, 0xF8, 0x96, + 0xC0, 0x8C, 0x2F, 0x1A, 0x79, 0x75, 0x28, 0xAE, 0x67, 0xC9, 0x5A, 0xDE, 0x2A, 0xB4, 0x99, 0xDB, + 0x8C, 0x25, 0x53, 0x58, 0x8C, 0xDC, 0xA8, 0x0D, 0xFE, 0xEE, 0x0F, 0x6C, 0x61, 0xE6, 0x43, 0x66, + 0xE8, 0x4A, 0xE3, 0xEB, 0xAB, 0xA2, 0x52, 0xE4, 0x67, 0xC2, 0x9A, 0x57, 0xA4, 0x1F, 0xE0, 0xFC, + 0x2B, 0xBE, 0x25, 0xBF, 0xF0, 0x70, 0x18, 0x88, 0x93, 0xB7, 0x2F, 0x74, 0xF8, 0xF3, 0x88, 0xB8, + 0xFA, 0x18, 0xBE, 0xC1, 0xB2, 0x24, 0x4B, 0xBC, 0x89, 0x2D, 0xC4, 0x02, 0xB3, 0x82, 0xEC, 0xDB, + 0xC9, 0xF0, 0xA9, 0xC3, 0x30, 0x7C, 0xF5, 0x15, 0xEB, 0x9B, 0x16, 0x8C, 0x9D, 0xEF, 0x42, 0x8A, + 0xCA, 0x5D, 0x28, 0xDF, 0x68, 0xEA, 0xE0, 0xB8, 0x76, 0x7C, 0xBB, 0x4A, 0x51, 0xDD, 0x55, 0x14, + 0xB7, 0xAB, 0xD2, 0xF1, 0xB9, 0x51, 0x19, 0x05, 0x26, 0x87, 0xF7, 0x5C, 0x69, 0x45, 0x3C, 0x82, + 0xE8, 0x82, 0x05, 0x5D, 0x33, 0x8E, 0xD1, 0x42, 0x71, 0xD6, 0x96, 0xDA, 0xAB, 0xB8, 0xC0, 0x0F, + 0xF7, 0x85, 0x8A, 0x12, 0xEF, 0xB9, 0x53, 0xFF, 0xD2, 0x95, 0x18, 0x2F, 0x0C, 0xA6, 0x72, 0x98, + 0xC3, 0xC6, 0x9B, 0x95, 0x70, 0x69, 0xC5, 0xB7, 0xD5, 0x24, 0x77, 0x05, 0xD0, 0x68, 0x85, 0x36, + 0xB8, 0x57, 0xE3, 0xED, 0x2E, 0x4D, 0x95, 0xD3, 0xFC, 0x24, 0x1B, 0x22, 0xFA, 0x43, 0xD8, 0x62, + 0x28, 0x57, 0x6B, 0x34, 0xBF, 0xD1, 0x63, 0x4B, 0xB5, 0xF5, 0x88, 0xBC, 0xB8, 0x69, 0xF3, 0xB5 + }, + /* uint8_t encrypted_user_update_key[R_TSIP_AES256_KEY_BYTE_SIZE + 16]; */ + { + 0x96, 0x15, 0xD0, 0x32, 0x6C, 0x80, 0xDB, 0xF7, 0x5D, 0xD7, 0x28, 0xAF, 0xFD, 0x0F, 0xA5, 0xB0, + 0x44, 0x76, 0x19, 0x75, 0x13, 0x3A, 0x10, 0x92, 0xE2, 0x97, 0xE3, 0x83, 0x6C, 0x42, 0x69, 0xA3, + 0x7E, 0x30, 0x5D, 0xFE, 0x7B, 0x2A, 0x8F, 0x30, 0x92, 0x25, 0x8C, 0xC5, 0xDB, 0x3E, 0x68, 0x06 + }, +}; + +#ifndef USE_CERT_BUFFERS_256 +/* ca-cert.der.sign, */ +const unsigned char ca_cert_der_sign[] = +{ + 0x07, 0x1A, 0x68, 0xF4, 0x53, 0x2A, 0x9B, 0x1F, 0xF7, 0x7B, + 0x5C, 0x70, 0x88, 0x46, 0x03, 0x10, 0x35, 0x0C, 0x84, 0x4F, + 0xDC, 0x09, 0x8D, 0xD8, 0x97, 0x10, 0xFA, 0xC7, 0x1D, 0x7F, + 0xCC, 0xF2, 0xC9, 0x41, 0x27, 0xBA, 0x0C, 0x93, 0x77, 0x64, + 0x46, 0x89, 0xC3, 0x36, 0x45, 0x5B, 0x2E, 0xC7, 0xCF, 0xE7, + 0xDF, 0x61, 0x95, 0x12, 0x7B, 0x9B, 0x6B, 0x8B, 0xD8, 0xBD, + 0xEA, 0x7B, 0xCD, 0xF9, 0x74, 0xA1, 0x1B, 0x41, 0x91, 0x9D, + 0xC8, 0x08, 0xBA, 0xA4, 0x69, 0x19, 0xAD, 0xE0, 0x41, 0x54, + 0xC6, 0x1A, 0x4A, 0x0E, 0xDB, 0x36, 0x23, 0xD9, 0xAC, 0xF6, + 0x1B, 0x49, 0x6D, 0x74, 0x4D, 0x67, 0x5D, 0x36, 0xB9, 0xED, + 0xC6, 0x09, 0x25, 0x13, 0x3A, 0x88, 0x3D, 0x83, 0x41, 0x16, + 0x49, 0x94, 0xC5, 0x24, 0xFC, 0xD4, 0x81, 0xAE, 0x3F, 0x03, + 0x1D, 0x9D, 0x76, 0x1F, 0x44, 0x1A, 0x91, 0xFB, 0xD7, 0x7E, + 0xB7, 0x29, 0xA3, 0x73, 0x4D, 0x72, 0x21, 0xE4, 0x70, 0x02, + 0x6F, 0xBE, 0xE0, 0x73, 0x5F, 0x44, 0x91, 0x34, 0xBC, 0x5B, + 0x93, 0x27, 0x37, 0x05, 0x48, 0x19, 0x3B, 0x50, 0x19, 0x53, + 0xC0, 0xE9, 0xA1, 0x1C, 0x26, 0xA5, 0x16, 0x80, 0xE8, 0x61, + 0x39, 0xFF, 0x8B, 0x52, 0x10, 0xF7, 0x6B, 0x7A, 0x8F, 0xEC, + 0x95, 0x1B, 0x30, 0xA4, 0xA0, 0xD7, 0xDB, 0x3F, 0xEB, 0xA5, + 0x74, 0x48, 0xBA, 0x34, 0xB3, 0x34, 0xA5, 0xC1, 0x46, 0x65, + 0x2E, 0xEA, 0xF1, 0xB9, 0x00, 0xF6, 0x13, 0xC9, 0x15, 0xC6, + 0xB0, 0x4A, 0x18, 0xA8, 0x10, 0x57, 0xDF, 0x8E, 0x09, 0x67, + 0xCC, 0xCA, 0x03, 0x15, 0x04, 0x17, 0x0A, 0xAC, 0x47, 0x8F, + 0x1B, 0x0F, 0x0B, 0x6C, 0x91, 0x98, 0xFF, 0xFD, 0xC5, 0x10, + 0x3F, 0x0A, 0xE7, 0x5D, 0x48, 0xE1, 0xD9, 0x79, 0xEB, 0xEA, + 0x8D, 0x03, 0x96, 0x44, 0xB0, 0x0B +}; + +const int sizeof_ca_cert_der_sign = sizeof(ca_cert_der_sign); +#else +/* ca-ecc-cert.der.sign, */ +const unsigned char ca_ecc_cert_der_sign[] = +{ + 0x07, 0xCA, 0x3B, 0x8F, 0x49, 0x26, 0x33, 0x80, 0x46, 0xFE, + 0x07, 0x91, 0x75, 0x5B, 0xC3, 0x98, 0x5F, 0x0E, 0x93, 0x0B, + 0xDF, 0x1B, 0x1B, 0x01, 0x00, 0xD0, 0x5A, 0x48, 0x81, 0x05, + 0xFC, 0x57, 0xB6, 0x0F, 0xF4, 0x6E, 0x4E, 0x7D, 0xB4, 0x14, + 0x88, 0xFF, 0x8D, 0x75, 0x7A, 0xF5, 0xDE, 0x7B, 0x74, 0xF0, + 0x98, 0x0B, 0xE2, 0x7A, 0xCB, 0xF3, 0x41, 0x70, 0xBC, 0xE2, + 0x07, 0xF7, 0x3D, 0x69, 0xAF, 0xA8, 0xDA, 0xC5, 0x92, 0xAA, + 0xE6, 0xA6, 0xF9, 0x1A, 0xED, 0x12, 0x76, 0x06, 0x1E, 0x4D, + 0x43, 0xD9, 0x27, 0xEF, 0x30, 0x3D, 0x07, 0xAF, 0x63, 0x39, + 0x3F, 0x95, 0x5F, 0xA5, 0x54, 0xFC, 0x26, 0x52, 0xFB, 0xDC, + 0x8C, 0xA6, 0x64, 0x20, 0x39, 0x35, 0x6A, 0xB9, 0xFD, 0x52, + 0x81, 0xAE, 0x56, 0x52, 0x61, 0xDD, 0xC0, 0xCE, 0x92, 0x4F, + 0xEC, 0x0C, 0x72, 0x28, 0x2E, 0x3E, 0xB3, 0x29, 0xAA, 0x8B, + 0xF1, 0xE9, 0xC7, 0x40, 0x57, 0x3C, 0xF1, 0x5D, 0xA8, 0x43, + 0x17, 0xDB, 0x6A, 0x88, 0x36, 0x1E, 0x84, 0x88, 0xA4, 0x5D, + 0x20, 0x64, 0xD5, 0x7D, 0x48, 0x72, 0xF5, 0x1E, 0x50, 0xF7, + 0xB5, 0x49, 0x07, 0xD3, 0x9C, 0xB8, 0x2C, 0x0E, 0x9D, 0x0E, + 0x4F, 0xFA, 0xB8, 0xCC, 0x4E, 0x14, 0xFD, 0xC1, 0xA4, 0x8E, + 0x6F, 0x57, 0xA8, 0x75, 0x29, 0x25, 0xD3, 0x93, 0xD6, 0xF0, + 0x22, 0xE6, 0x1A, 0x73, 0x51, 0xFA, 0x92, 0x3D, 0x0A, 0x04, + 0xCB, 0x62, 0x8C, 0x9E, 0x50, 0x65, 0x11, 0x2A, 0xB9, 0xB8, + 0x8B, 0x5C, 0x86, 0x6C, 0x37, 0x96, 0x5F, 0xEE, 0x50, 0xC0, + 0x30, 0x9E, 0x54, 0x9E, 0xB5, 0xD8, 0xBB, 0xC5, 0x1B, 0x16, + 0xB6, 0x54, 0x6B, 0x5E, 0xA4, 0x54, 0xA7, 0x04, 0xB3, 0x30, + 0x7E, 0xE9, 0xB0, 0xAB, 0x10, 0x95, 0x6C, 0xE5, 0x76, 0x75, + 0x5B, 0x52, 0xFB, 0x37, 0x4E, 0x23 +}; +static const int sizeof_ca_ecc_cert_der_sign = sizeof(ca_ecc_cert_der_sign); +#endif diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c b/IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c new file mode 100644 index 000000000..dda9a15fc --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c @@ -0,0 +1,34 @@ +/* myprintf.c + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ +#include "SEGGER_RTT.h" + +#define SEGGER_INDEX (0) + +int myprintf(const char * sFormat, ...) +{ + int r; + va_list ParamList; + + va_start(ParamList, sFormat); + r = SEGGER_RTT_vprintf(0, sFormat, &ParamList); + va_end(ParamList); + return r; +} diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/common/.gitignore b/IDE/Renesas/e2studio/RA6M4/test/src/common/.gitignore new file mode 100644 index 000000000..c96a04f00 --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/src/common/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore \ No newline at end of file diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c b/IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c new file mode 100644 index 000000000..4f769369c --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c @@ -0,0 +1,59 @@ +#include "hal_data.h" + +FSP_CPP_HEADER +void R_BSP_WarmStart(bsp_warm_start_event_t event); +FSP_CPP_FOOTER + +/*******************************************************************************************************************//** + * main() is generated by the RA Configuration editor and is used to generate threads if an RTOS is used. This function + * is called by main() when no RTOS is used. + **********************************************************************************************************************/ +void hal_entry(void) +{ + /* TODO: add your own code here */ + +#if BSP_TZ_SECURE_BUILD + /* Enter non-secure code */ + R_BSP_NonSecureEnter(); +#endif +} + +/*******************************************************************************************************************//** + * This function is called at various points during the startup process. This implementation uses the event that is + * called right before main() to set up the pins. + * + * @param[in] event Where at in the start up process the code is currently at + **********************************************************************************************************************/ +void R_BSP_WarmStart (bsp_warm_start_event_t event) +{ + if (BSP_WARM_START_RESET == event) + { +#if BSP_FEATURE_FLASH_LP_VERSION != 0 + + /* Enable reading from data flash. */ + R_FACI_LP->DFLCTL = 1U; + + /* Would normally have to wait tDSTOP(6us) for data flash recovery. Placing the enable here, before clock and + * C runtime initialization, should negate the need for a delay since the initialization will typically take more than 6us. */ +#endif + } + + if (BSP_WARM_START_POST_C == event) + { + /* C runtime environment and system clocks are setup. */ + + /* Configure pins. */ + R_IOPORT_Open(&g_ioport_ctrl, g_ioport.p_cfg); + } +} + +#if BSP_TZ_SECURE_BUILD + +BSP_CMSE_NONSECURE_ENTRY void template_nonsecure_callable (); + +/* Trustzone Secure Projects require at least one nonsecure callable function in order to build (Remove this if it is not required to build). */ +BSP_CMSE_NONSECURE_ENTRY void template_nonsecure_callable () +{ + +} +#endif diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c b/IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c new file mode 100644 index 000000000..7466a8106 --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c @@ -0,0 +1,18 @@ +#include "sce_tst_thread.h" +#include "user_settings.h" +/* sce_tst_thread entry function */ +/* pvParameters contains TaskHandle_t */ + +int sce_test(); + +void sce_tst_thread_entry(void *pvParameters) +{ + FSP_PARAMETER_NOT_USED (pvParameters); + + /* TODO: add your own code here */ + sce_test(); + while (1) + { + vTaskDelay (1); + } +} diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c b/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c new file mode 100644 index 000000000..5edd53517 --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c @@ -0,0 +1,197 @@ +/* test_main.c + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + + +#include "stdio.h" +#include "stdint.h" +#include +#include +#include +#include +#include "key_data.h" + +#ifdef __cplusplus +extern "C" { +void abort(void); +} +#endif + +User_SCEPKCbInfo guser_PKCbInfo; + +#if defined(TLS_CLIENT) || defined(TLS_SERVER) || defined(EXTRA_SCE_TSIP_TEST) + +extern const st_user_key_block_data_t g_key_block_data; + +/* Key type of the encrypted user_public_key 0: RSA-2048 2: ECDSA-P256*/ +uint32_t encrypted_user_key_type = 0; + +static int SetScetlsKey() +{ +#if defined(WOLFSSL_RENESAS_SCEPROTECT) + + #if defined(TLS_CLIENT) || defined(EXTRA_SCE_TSIP_TEST) + + #if defined(USE_CERT_BUFFERS_256) + sce_inform_cert_sign((const byte *)ca_ecc_cert_der_sign); + encrypted_user_key_type = 2; + #else + sce_inform_cert_sign((const byte *)ca_cert_der_sign); + #endif + sce_inform_user_keys( + (byte*)&g_key_block_data.encrypted_provisioning_key, + (byte*)&g_key_block_data.iv, + (byte*)&g_key_block_data.encrypted_user_rsa2048_ne_key, + encrypted_user_key_type); + #if defined(WOLFSSL_RENESAS_SCEPROTECT_ECC) + guser_PKCbInfo.user_key_id = 0; /* not use user key id */ + #endif + + #elif defined(TLS_SERVER) + + sce_inform_cert_sign((const byte *)client_cert_der_sign); + sce_inform_user_keys( + (byte*)&g_key_block_data.encrypted_provisioning_key, + (byte*)&g_key_block_data.iv, + (byte*)&g_key_block_data.encrypted_user_rsa2048_ne_key, + encrypted_user_key_type); + + #endif + +#endif + return 0; +} +#endif + +typedef struct func_args { + int argc; + char** argv; + int return_code; +} func_args; + + +void wolfcrypt_test(func_args args); +int benchmark_test(void *args); + + +void sce_test(void) +{ + /*(void)timeTick;*/ + +#if defined(CRYPT_TEST) || defined(BENCHMARK) +#if defined(CRYPT_TEST) + int ret; + func_args args = { 0 }; + + if ((ret = wolfCrypt_Init()) != 0) { + printf("wolfCrypt_Init failed %d\n", ret); + } + + printf("Start wolfCrypt Test\n"); + wolfcrypt_test(args); + printf("End wolfCrypt Test\n"); + + if ((ret = wolfCrypt_Cleanup()) != 0) { + printf("wolfCrypt_Cleanup failed %d\n", ret); + } +#endif +#if defined(BENCHMARK) + #include "hal_data.h" + #include "r_sce.h" + + printf("Prepare Installed key\n"); +#if defined(SCEKEY_INSTALLED) + /* aes 256 */ + memcpy(guser_PKCbInfo.sce_wrapped_key_aes256.value, + (uint32_t *)DIRECT_KEY_ADDRESS, HW_SCE_AES256_KEY_INDEX_WORD_SIZE*4); + guser_PKCbInfo.sce_wrapped_key_aes256.type = SCE_KEY_INDEX_TYPE_AES256; + guser_PKCbInfo.aes256_installedkey_set = 1; + /* aes 128 */ + guser_PKCbInfo.aes128_installedkey_set = 0; +#endif + printf("Start wolfCrypt Benchmark\n"); + benchmark_test(NULL); + printf("End wolfCrypt Benchmark\n"); +#endif + +#elif defined(TLS_CLIENT) + #include "hal_data.h" + #include "r_sce.h" + +#if defined(WOLFSSL_RENESAS_SCEPROTECT) + #if defined(USE_CERT_BUFFERS_256) +#ifdef TEST_CIPHER_SPECIFIED + const char* cipherlist[] = { + "ECDHE-ECDSA-AES128-SHA256", + "ECDHE-ECDSA-AES128-GCM-SHA256" + }; + const int cipherlist_sz = 2; +#else + const char* cipherlist[] = { + NULL + }; + const int cipherlist_sz = 1; +#endif + #else +#ifdef TEST_CIPHER_SPECIFIED + const char* cipherlist[] = { + "AES128-SHA256", + "AES256-SHA256", + "ECDHE-RSA-AES128-SHA256", + "ECDHE-RSA-AES128-GCM-SHA256" + }; + const int cipherlist_sz = 4; +#else + const char* cipherlist[] = { + NULL + }; + const int cipherlist_sz = 1; +#endif + #endif +#else + const char* cipherlist[] = { NULL }; + const int cipherlist_sz = 0; + +#endif + int i = 0; + + SetScetlsKey(); + + TCPInit(); + + do { + if(cipherlist_sz > 0 && cipherlist[i] != NULL ) printf("cipher : %s\n", cipherlist[i]); + + wolfSSL_TLS_client_init(cipherlist[i]); + + wolfSSL_TLS_client(); + + i++; + } while (i < cipherlist_sz); + +#endif +} + +#ifdef __cplusplus +void abort(void) +{ + +} +#endif diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c b/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c new file mode 100644 index 000000000..770862636 --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c @@ -0,0 +1,192 @@ +/* wolf_client.c + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include "wolfssl_demo.h" + +#include +#include +#include "wolfssl/wolfcrypt/settings.h" +#include "wolfssl/ssl.h" +#include "wolfssl/certs_test.h" + +uint32_t g_encrypted_root_public_key[140]; +static WOLFSSL_CTX *client_ctx; + +extern uint8_t g_ether0_mac_address[6]; +typedef struct user_EccPKCbInfo; +extern struct user_PKCbInfo guser_PKCbInfo; +static const byte ucIPAddress[4] = { 192, 168, 11, 241 }; +static const byte ucNetMask[4] = { 255, 255, 255, 0 }; +static const byte ucGatewayAddress[4] = { 192, 168, 11, 1 }; +static const byte ucDNSServerAddress[4] = { 192, 168, 11, 1 }; + +/* Client connects to the server with these details. */ +#define SERVER_IP "192.168.11.40" +#define DEFAULT_PORT 11111 + +#define FR_SOCKET_SUCCESS 0 + +void TCPInit( ) +{ + BaseType_t fr_status; + + /* FreeRTOS+TCP Ethernet and IP Setup */ + fr_status = FreeRTOS_IPInit(ucIPAddress, + ucNetMask, + ucGatewayAddress, + ucDNSServerAddress, + g_ether0_mac_address); + if (pdPASS != fr_status) { + printf("Error [%ld]: FreeRTOS_IPInit.\n",fr_status); + } +} + +void wolfSSL_TLS_client_init(const char* cipherlist) +{ + + #ifndef NO_FILESYSTEM + #ifdef USE_ECC_CERT + char *cert = "./certs/ca-ecc-cert.pem"; + #else + char *cert = "./certs/ca-cert.pem"; + #endif + #else + #ifdef USE_CERT_BUFFERS_256 + const unsigned char *cert = ca_ecc_cert_der_256; + #define SIZEOF_CERT sizeof_ca_ecc_cert_der_256 + #else + const unsigned char *cert = ca_cert_der_2048; + #define SIZEOF_CERT sizeof_ca_cert_der_2048 + #endif + #endif + + wolfSSL_Init(); + #ifdef DEBUG_WOLFSSL + wolfSSL_Debugging_ON(); + #endif + + /* Create and initialize WOLFSSL_CTX */ + if ((client_ctx = wolfSSL_CTX_new(wolfSSLv23_client_method_ex((void *)NULL))) == NULL) { + printf("ERROR: failed to create WOLFSSL_CTX\n"); + return; + } + #if defined(WOLFSSL_RENESAS_SCEPROTECT_ECC) + /* set callback functions for ECC */ + sce_set_callbacks(client_ctx); + #endif + + #if !defined(NO_FILESYSTEM) + if (wolfSSL_CTX_load_verify_locations(client_ctx, cert, 0) != SSL_SUCCESS) { + printf("ERROR: can't load \"%s\"\n", cert); + return NULL; + } + #else + if (wolfSSL_CTX_load_verify_buffer(client_ctx, cert, SIZEOF_CERT, SSL_FILETYPE_ASN1) != SSL_SUCCESS){ + printf("ERROR: can't load certificate data\n"); + return; + } + #endif + + /* use specific cipher */ + if (cipherlist != NULL && wolfSSL_CTX_set_cipher_list(client_ctx, cipherlist) != WOLFSSL_SUCCESS) { + wolfSSL_CTX_free(client_ctx); client_ctx = NULL; + printf("client can't set cipher list 1"); + } +} + +void wolfSSL_TLS_client( ) +{ + int ret; + /* FreeRTOS+TCP Objects */ + + socklen_t xSize = sizeof(struct freertos_sockaddr); + xSocket_t xClientSocket = NULL; + struct freertos_sockaddr xRemoteAddress; + + WOLFSSL_CTX *ctx = (WOLFSSL_CTX *)client_ctx; + WOLFSSL *ssl; + + #define BUFF_SIZE 256 + static const char sendBuff[]= "Hello Server\n" ; + + char rcvBuff[BUFF_SIZE] = {0}; + + /* Client Socket Setup */ + xRemoteAddress.sin_port = FreeRTOS_htons(DEFAULT_PORT); + xRemoteAddress.sin_addr = FreeRTOS_inet_addr(SERVER_IP); + + /* Create a FreeRTOS TCP Socket and connect */ + xClientSocket = FreeRTOS_socket(FREERTOS_AF_INET, + FREERTOS_SOCK_STREAM, + FREERTOS_IPPROTO_TCP); + configASSERT(xClientSocket != FREERTOS_INVALID_SOCKET); + FreeRTOS_bind(xClientSocket, &xRemoteAddress, sizeof(xSize)); + + /* Client Socket Connect */ + ret = FreeRTOS_connect(xClientSocket, + &xRemoteAddress, + sizeof(xRemoteAddress)); + if (ret != FR_SOCKET_SUCCESS) { + printf("Error [%d]: FreeRTOS_connect.\n",ret); + util_inf_loop(xClientSocket, ctx, ssl); + } + + if((ssl = wolfSSL_new(ctx)) == NULL) { + printf("ERROR wolfSSL_new: %d\n", wolfSSL_get_error(ssl, 0)); + return; + } + #if defined(WOLFSSL_RENESAS_SCEPROTECT_ECC) + /* set callback ctx */ + sce_set_callback_ctx(ssl, (void*)&guser_PKCbInfo); + #endif + /* Attach wolfSSL to the socket */ + ret = wolfSSL_set_fd(ssl, (int) xClientSocket); + if (ret != WOLFSSL_SUCCESS) { + printf("Error [%d]: wolfSSL_set_fd.\n",ret); + util_inf_loop(xClientSocket, ctx, ssl); + } + + if(wolfSSL_connect(ssl) != SSL_SUCCESS) { + printf("ERROR SSL connect: %d\n", wolfSSL_get_error(ssl, 0)); + return; + } + + if (wolfSSL_write(ssl, sendBuff, strlen(sendBuff)) != strlen(sendBuff)) { + printf("ERROR SSL write: %d\n", wolfSSL_get_error(ssl, 0)); + return; + } + + if ((ret=wolfSSL_read(ssl, rcvBuff, BUFF_SIZE)) < 0) { + printf("ERROR SSL read: %d\n", wolfSSL_get_error(ssl, 0)); + return; + } + + rcvBuff[ret] = '\0' ; + printf("Received: %s\n\n", rcvBuff); + + /* frees all data before client termination */ + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); + wolfSSL_Cleanup(); + + + return; +} diff --git a/IDE/Renesas/e2studio/RA6M4/test/test_RA6M4Debug.launch b/IDE/Renesas/e2studio/RA6M4/test/test_RA6M4Debug.launch new file mode 100644 index 000000000..3a98cbf6b --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/test/test_RA6M4Debug.launch @@ -0,0 +1,78 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/IDE/Renesas/e2studio/RA6M4/wolfssl/.cproject b/IDE/Renesas/e2studio/RA6M4/wolfssl/.cproject new file mode 100644 index 000000000..b3a924d7b --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/wolfssl/.cproject @@ -0,0 +1,345 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/IDE/Renesas/e2studio/RA6M4/wolfssl/.project b/IDE/Renesas/e2studio/RA6M4/wolfssl/.project new file mode 100644 index 000000000..9dc12ee0b --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/wolfssl/.project @@ -0,0 +1,430 @@ + + + wolfSSL_RA6M4 + + + + + + com.renesas.cdt.ddsc.contentgen.ddscBuilder + + + + + org.eclipse.cdt.managedbuilder.core.genmakebuilder + clean,full,incremental, + + + + + org.eclipse.cdt.managedbuilder.core.ScannerConfigBuilder + full,incremental, + + + + + com.renesas.cdt.ddsc.contentgen.ddscInterlockBundleBuilder + + + + + + org.eclipse.cdt.core.cnature + org.eclipse.cdt.managedbuilder.core.managedBuildNature + org.eclipse.cdt.managedbuilder.core.ScannerConfigNature + com.renesas.cdt.ddsc.contentgen.ddscNature + com.renesas.cdt.ra.contentgen.raNature + + + + wolfCrypt/aes.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/aes.c + + + wolfCrypt/arc4.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/arc4.c + + + wolfCrypt/asm.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/asm.c + + + wolfCrypt/asn.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/asn.c + + + wolfCrypt/blake2b.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/blake2b.c + + + wolfCrypt/camellia.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/camellia.c + + + wolfCrypt/chacha.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/chacha.c + + + wolfCrypt/chacha20_poly1305.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/chacha20_poly1305.c + + + wolfCrypt/cmac.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/cmac.c + + + wolfCrypt/coding.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/coding.c + + + wolfCrypt/compress.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/compress.c + + + wolfCrypt/cpuid.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/cpuid.c + + + wolfCrypt/cryptocb.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/cryptocb.c + + + wolfCrypt/curve25519.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/curve25519.c + + + wolfCrypt/des3.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/des3.c + + + wolfCrypt/dh.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/dh.c + + + wolfCrypt/dsa.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/dsa.c + + + wolfCrypt/ecc.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/ecc.c + + + wolfCrypt/ecc_fp.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/ecc_fp.c + + + wolfCrypt/ed25519.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/ed25519.c + + + wolfCrypt/error.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/error.c + + + wolfCrypt/fe_low_mem.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/fe_low_mem.c + + + wolfCrypt/fe_operations.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/fe_operations.c + + + wolfCrypt/ge_low_mem.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/ge_low_mem.c + + + wolfCrypt/ge_operations.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/ge_operations.c + + + wolfCrypt/hash.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/hash.c + + + wolfCrypt/hc128.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/hc128.c + + + wolfCrypt/hmac.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/hmac.c + + + wolfCrypt/idea.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/idea.c + + + wolfCrypt/integer.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/integer.c + + + wolfCrypt/kdf.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/kdf.c + + + wolfCrypt/logging.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/logging.c + + + wolfCrypt/md2.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/md2.c + + + wolfCrypt/md4.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/md4.c + + + wolfCrypt/md5.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/md5.c + + + wolfCrypt/memory.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/memory.c + + + wolfCrypt/pkcs12.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/pkcs12.c + + + wolfCrypt/pkcs7.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/pkcs7.c + + + wolfCrypt/poly1305.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/poly1305.c + + + wolfCrypt/pwdbased.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/pwdbased.c + + + wolfCrypt/rabbit.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/rabbit.c + + + wolfCrypt/random.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/random.c + + + wolfCrypt/rsa.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/rsa.c + + + wolfCrypt/sha.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sha.c + + + wolfCrypt/sha256.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sha256.c + + + wolfCrypt/sha3.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sha3.c + + + wolfCrypt/sha512.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sha512.c + + + wolfCrypt/signature.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/signature.c + + + wolfCrypt/sp_arm32.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sp_arm32.c + + + wolfCrypt/sp_arm64.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sp_arm64.c + + + wolfCrypt/sp_armthumb.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sp_armthumb.c + + + wolfCrypt/sp_c32.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sp_c32.c + + + wolfCrypt/sp_c64.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sp_c64.c + + + wolfCrypt/sp_cortexm.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sp_cortexm.c + + + wolfCrypt/sp_dsp32.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sp_dsp32.c + + + wolfCrypt/sp_int.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sp_int.c + + + wolfCrypt/sp_x86_64.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/sp_x86_64.c + + + wolfCrypt/srp.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/srp.c + + + wolfCrypt/tfm.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/tfm.c + + + wolfCrypt/wc_dsp.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/wc_dsp.c + + + wolfCrypt/wc_encrypt.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/wc_encrypt.c + + + wolfCrypt/wc_pkcs11.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/wc_pkcs11.c + + + wolfCrypt/wc_port.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/wc_port.c + + + wolfCrypt/wolfevent.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/wolfevent.c + + + wolfCrypt/wolfmath.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/wolfmath.c + + + wolfSSL/crl.c + 1 + PARENT-5-PROJECT_LOC/src/crl.c + + + wolfSSL/internal.c + 1 + PARENT-5-PROJECT_LOC/src/internal.c + + + wolfSSL/keys.c + 1 + PARENT-5-PROJECT_LOC/src/keys.c + + + wolfSSL/ocsp.c + 1 + PARENT-5-PROJECT_LOC/src/ocsp.c + + + wolfSSL/sniffer.c + 1 + PARENT-5-PROJECT_LOC/src/sniffer.c + + + wolfSSL/ssl.c + 1 + PARENT-5-PROJECT_LOC/src/ssl.c + + + wolfSSL/tls.c + 1 + PARENT-5-PROJECT_LOC/src/tls.c + + + wolfSSL/tls13.c + 1 + PARENT-5-PROJECT_LOC/src/tls13.c + + + wolfSSL/wolfio.c + 1 + PARENT-5-PROJECT_LOC/src/wolfio.c + + + wolfCrypt/port/renesas_common.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/port/Renesas/renesas_common.c + + + wolfCrypt/port/renesas_sce_aes.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/port/Renesas/renesas_sce_aes.c + + + wolfCrypt/port/renesas_sce_sha.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/port/Renesas/renesas_sce_sha.c + + + wolfCrypt/port/renesas_sce_util.c + 1 + PARENT-5-PROJECT_LOC/wolfcrypt/src/port/Renesas/renesas_sce_util.c + + + diff --git a/IDE/Renesas/e2studio/RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg b/IDE/Renesas/e2studio/RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg new file mode 100644 index 000000000..94f220b8e --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg @@ -0,0 +1,36 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/IDE/Renesas/e2studio/RA6M4/wolfssl/configuration.xml b/IDE/Renesas/e2studio/RA6M4/wolfssl/configuration.xml new file mode 100644 index 000000000..9b4ddeb9f --- /dev/null +++ b/IDE/Renesas/e2studio/RA6M4/wolfssl/configuration.xml @@ -0,0 +1,799 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Board Support Package Common Files + Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack + + + Ethernet PHY + Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack + + + Ethernet + Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack + + + I/O Port + Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack + + + Secure Cryptography Engine on RA6 Protected Mode + Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack + + + r_ether to FreeRTOS+TCP Wrapper + Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack + + + FreeRTOS Port + Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack + + + FreeRTOS - Buffer Allocation 2 + Amazon.FreeRTOS-Plus-TCP.2.3.2+fsp.3.4.0.alpha0.20210926.81b96644.pack + + + FreeRTOS+TCP + Amazon.FreeRTOS-Plus-TCP.2.3.2+fsp.3.4.0.alpha0.20210926.81b96644.pack + + + Arm CMSIS Version 5 - Core (M) + Arm.CMSIS5.5.7.0+fsp.3.4.0.alpha0.20210926.81b96644.pack + + + Board support package for R7FA6M4AF3CFB + Renesas.RA_mcu_ra6m4.3.4.0-alpha0+20210926.81b96644.pack + + + Board support package for RA6M4 + Renesas.RA_mcu_ra6m4.3.4.0-alpha0+20210926.81b96644.pack + + + Board support package for RA6M4 - FSP Data + Renesas.RA_mcu_ra6m4.3.4.0-alpha0+20210926.81b96644.pack + + + FreeRTOS + Amazon.FreeRTOS-Kernel.10.4.3+fsp.3.4.0.alpha0.20210926.81b96644.pack + + + FreeRTOS - Memory Management - Heap 4 + Amazon.FreeRTOS-Kernel.10.4.3+fsp.3.4.0.alpha0.20210926.81b96644.pack + + + RA6M4-EK Board Support Files + Renesas.RA_board_ra6m4_ek.3.4.0-alpha0+20210926.81b96644.pack + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/IDE/include.am b/IDE/include.am index b04eb3512..6139540fe 100644 --- a/IDE/include.am +++ b/IDE/include.am @@ -30,6 +30,7 @@ include IDE/Renesas/e2studio/Projects/include.am include IDE/Renesas/e2studio/RA6M3/include.am include IDE/Renesas/e2studio/GR-ROSE/include.am include IDE/Renesas/e2studio/RX72NEnvisionKit/include.am +include IDE/Renesas/e2studio/RA6M4/include.am include IDE/WICED-STUDIO/include.am include IDE/CRYPTOCELL/include.am include IDE/M68K/include.am diff --git a/src/internal.c b/src/internal.c index 70a940bec..ef5de9538 100644 --- a/src/internal.c +++ b/src/internal.c @@ -225,6 +225,17 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int tsip_generatePremasterSecret(); int tsip_generateEncryptPreMasterSecret(WOLFSSL *ssl, byte *out, word32 *outSz); #endif +#ifdef WOLFSSL_RENESAS_SCEPROTECT + int Renesas_cmn_useable(const WOLFSSL *ssl, byte seskey_gennerated); + int Renesas_cmn_SigPkCbRsaVerify(unsigned char* sig, unsigned int sigSz, + unsigned char** out, const unsigned char* keyDer, unsigned int keySz, + void* ctx); + int Renesas_cmn_SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz, + const unsigned char* hash, unsigned int hashSz, + const unsigned char* keyDer, unsigned int keySz, + int* result, void* ctx); +#endif + #if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) static int SessionSecret_callback(WOLFSSL* ssl, void* secret, @@ -1813,7 +1824,11 @@ int wolfSSL_session_import_internal(WOLFSSL* ssl, const unsigned char* buf, /* set hmac function to use when verifying */ if (ssl->options.tls == 1 || ssl->options.tls1_1 == 1 || ssl->options.dtls == 1) { + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) ssl->hmac = TLS_hmac; + #else + ssl->hmac = Renesas_cmn_TLS_hmac; + #endif } /* do not allow stream ciphers with DTLS, except for NULL cipher */ @@ -4293,6 +4308,7 @@ int RsaVerify(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, int sigAlgo, int hashAlgo, RsaKey* key, buffer* keyBufInfo) { int ret; + #ifdef HAVE_PK_CALLBACKS const byte* keyBuf = NULL; word32 keySz = 0; @@ -4343,7 +4359,11 @@ int RsaVerify(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, int sigAlgo, void* ctx = wolfSSL_GetRsaVerifyCtx(ssl); ret = ssl->ctx->RsaVerifyCb(ssl, in, inSz, out, keyBuf, keySz, ctx); } + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) else + #else + if (!ssl->ctx->RsaVerifyCb || ret == CRYPTOCB_UNAVAILABLE) + #endif #endif /*HAVE_PK_CALLBACKS */ { ret = wc_RsaSSL_VerifyInline(in, inSz, out, key); @@ -4588,7 +4608,11 @@ int RsaEnc(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, word32* outSz, void* ctx = wolfSSL_GetRsaEncCtx(ssl); ret = ssl->ctx->RsaEncCb(ssl, in, inSz, out, outSz, keyBuf, keySz, ctx); } + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) else + #else + if (!ssl->ctx->RsaEncCb || ret == CRYPTOCB_UNAVAILABLE) + #endif #endif /* HAVE_PK_CALLBACKS */ { ret = wc_RsaPublicEncrypt(in, inSz, out, *outSz, key, ssl->rng); @@ -4702,7 +4726,11 @@ int EccVerify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* out, ret = ssl->ctx->EccVerifyCb(ssl, in, inSz, out, outSz, keyBuf, keySz, &ssl->eccVerifyRes, ctx); } + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) else + #else + if (!ssl->ctx->EccVerifyCb || ret == CRYPTOCB_UNAVAILABLE) + #endif #endif /* HAVE_PK_CALLBACKS */ { ret = wc_ecc_verify_hash(in, inSz, out, outSz, &ssl->eccVerifyRes, key); @@ -6370,7 +6398,11 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) #ifndef NO_OLD_TLS ssl->hmac = SSL_hmac; /* default to SSLv3 */ #elif !defined(WOLFSSL_NO_TLS12) + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) ssl->hmac = TLS_hmac; + #else + ssl->hmac = Renesas_cmn_TLS_hmac; + #endif #endif #endif @@ -7024,8 +7056,8 @@ void SSL_ResourceFree(WOLFSSL* ssl) FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey); ssl->peerRsaKeyPresent = 0; #endif -#ifdef WOLFSSL_RENESAS_TSIP_TLS - XFREE(ssl->peerTsipEncRsaKeyIndex, ssl->heap, DYNAMIC_TYPE_RSA); +#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) + XFREE(ssl->peerSceTsipEncRsaKeyIndex, ssl->heap, DYNAMIC_TYPE_RSA); #endif if (ssl->buffers.inputBuffer.dynamicFlag) ShrinkInputBuffer(ssl, FORCED_FREE); @@ -11039,17 +11071,31 @@ int InitSigPkCb(WOLFSSL* ssl, SignatureCtx* sigCtx) /* only setup the verify callback if a PK is set */ #ifdef HAVE_ECC + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) if (ssl->ctx->EccVerifyCb) { sigCtx->pkCbEcc = SigPkCbEccVerify; sigCtx->pkCtxEcc = ssl; } + #else + sigCtx->pkCbEcc = Renesas_cmn_SigPkCbEccVerify; + sigCtx->pkCtxEcc = (void*)&sigCtx->CertAtt; + (void)SigPkCbEccVerify; + #endif + #endif #ifndef NO_RSA /* only setup the verify callback if a PK is set */ + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) if (ssl->ctx->RsaVerifyCb) { sigCtx->pkCbRsa = SigPkCbRsaVerify; sigCtx->pkCtxRsa = ssl; } + #else + sigCtx->pkCbRsa = Renesas_cmn_SigPkCbRsaVerify; + sigCtx->pkCtxRsa = (void*)&sigCtx->CertAtt; + (void)SigPkCbRsaVerify; + #endif + #endif return 0; @@ -12778,21 +12824,21 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else { ssl->peerRsaKeyPresent = 1; - #ifdef WOLFSSL_RENESAS_TSIP_TLS + #if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) /* copy encrypted tsip key index into ssl object */ - if (args->dCert->tsip_encRsaKeyIdx) { - if (!ssl->peerTsipEncRsaKeyIndex) { - ssl->peerTsipEncRsaKeyIndex = (byte*)XMALLOC( + if (args->dCert->sce_tsip_encRsaKeyIdx) { + if (!ssl->peerSceTsipEncRsaKeyIndex) { + ssl->peerSceTsipEncRsaKeyIndex = (byte*)XMALLOC( TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY, ssl->heap, DYNAMIC_TYPE_RSA); - if (!ssl->peerTsipEncRsaKeyIndex) { + if (!ssl->peerSceTsipEncRsaKeyIndex) { args->lastErr = MEMORY_E; goto exit_ppc; } } - XMEMCPY(ssl->peerTsipEncRsaKeyIndex, - args->dCert->tsip_encRsaKeyIdx, + XMEMCPY(ssl->peerSceTsipEncRsaKeyIndex, + args->dCert->sce_tsip_encRsaKeyIdx, TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY); } #endif @@ -12841,7 +12887,24 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, { int keyRet = 0; word32 idx = 0; + #if defined(WOLFSSL_RENESAS_SCEPROTECT) + /* copy encrypted tsip key index into ssl object */ + if (args->dCert->sce_tsip_encRsaKeyIdx) { + if (!ssl->peerSceTsipEncRsaKeyIndex) { + ssl->peerSceTsipEncRsaKeyIndex = (byte*)XMALLOC( + TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY, + ssl->heap, DYNAMIC_TYPE_RSA); + if (!ssl->peerSceTsipEncRsaKeyIndex) { + args->lastErr = MEMORY_E; + goto exit_ppc; + } + } + XMEMCPY(ssl->peerSceTsipEncRsaKeyIndex, + args->dCert->sce_tsip_encRsaKeyIdx, + TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY); + } + #endif if (ssl->peerEccDsaKey == NULL) { /* alloc/init on demand */ keyRet = AllocKey(ssl, DYNAMIC_TYPE_ECC, @@ -12860,6 +12923,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else { ssl->peerEccDsaKeyPresent = 1; + #ifdef HAVE_PK_CALLBACKS if (ssl->buffers.peerEccDsaKey.buffer) XFREE(ssl->buffers.peerEccDsaKey.buffer, @@ -16647,6 +16711,18 @@ static WC_INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz, padByte = 1; if (ssl->options.tls) { +#if defined(HAVE_PK_CALLBACKS) + if(ssl->ctx->VerifymacCb) { + void* ctx = wolfSSL_GetVerifymacCtx(ssl); + ret = ssl->ctx->VerifymacCb(ssl, input, + (msgSz - ivExtra) - digestSz - pad - 1, + digestSz, content, ctx); + if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) { + return ret; + } + } + if (!ssl->ctx->VerifymacCb || ret == PROTOCOLCB_UNAVAILABLE) +#endif ret = TimingPadVerify(ssl, input, pad, digestSz, msgSz - ivExtra, content); if (ret != 0) @@ -24854,6 +24930,14 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, #endif case rsa_sa_algo: { + #if defined(WOLFSSL_RENESAS_SCEPROTECT) && \ + defined(WOLFSSL_RENESAS_SCEPROTECT_ECC) + /* already checked signature result by SCE */ + /* skip the sign checks below */ + if (Renesas_cmn_useable(ssl, 0)) { + break; + } else + #endif if (IsAtLeastTLSv1_2(ssl)) { #ifdef WOLFSSL_SMALL_STACK byte* encodedSig; @@ -25317,6 +25401,16 @@ int SendClientKeyExchange(WOLFSSL* ssl) #ifndef NO_RSA case rsa_kea: { + #if defined(HAVE_PK_CALLBACKS) + if (ssl->ctx->GenPreMasterCb) { + void* ctx = wolfSSL_GetGenPreMasterCtx(ssl); + ret = ssl->ctx->GenPreMasterCb(ssl, ssl->arrays->preMasterSecret, ENCRYPT_LEN, ctx); + if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) { + goto exit_scke; + } + } + if (!ssl->ctx->GenPreMasterCb || ret == PROTOCOLCB_UNAVAILABLE) { + #endif /* build PreMasterSecret with RNG data */ #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) @@ -25329,19 +25423,21 @@ int SendClientKeyExchange(WOLFSSL* ssl) ret = wc_RNG_GenerateBlock(ssl->rng, &ssl->arrays->preMasterSecret[VERSION_SZ], SECRET_LEN - VERSION_SZ); - #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ - !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) + #if (defined(WOLFSSL_RENESAS_TSIP_TLS) && \ + !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)) } #endif if (ret != 0) { goto exit_scke; } - + ssl->arrays->preMasterSecret[0] = ssl->chVersion.major; ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor; - ssl->arrays->preMasterSz = SECRET_LEN; - + ssl->arrays->preMasterSz = SECRET_LEN; + #if defined(HAVE_PK_CALLBACKS) + } + #endif break; } #endif /* !NO_RSA */ diff --git a/src/keys.c b/src/keys.c index caf004653..5831b8595 100644 --- a/src/keys.c +++ b/src/keys.c @@ -42,6 +42,13 @@ !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) int tsip_useable(const WOLFSSL *ssl); #endif + +#if defined(WOLFSSL_RENESAS_SCEPROTECT) +/* callback for TLS hmac in SCE use case */ +int Renesas_cmn_TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, + word32 sz, int padSz, int content, int verify, int epochOrder); +#endif + int SetCipherSpecs(WOLFSSL* ssl) { #ifndef NO_WOLFSSL_CLIENT @@ -2101,7 +2108,11 @@ int SetCipherSpecs(WOLFSSL* ssl) #ifndef NO_TLS ssl->options.tls = 1; #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) ssl->hmac = TLS_hmac; + #else + ssl->hmac = Renesas_cmn_TLS_hmac; + #endif #endif if (ssl->version.minor >= 2) { ssl->options.tls1_1 = 1; @@ -2118,7 +2129,11 @@ int SetCipherSpecs(WOLFSSL* ssl) #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_AEAD_ONLY) if (ssl->options.dtls) + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) ssl->hmac = TLS_hmac; + #else + ssl->hmac = Renesas_cmn_TLS_hmac; + #endif #endif return 0; @@ -3096,13 +3111,21 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) } #endif -#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ - !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) +#if (defined(WOLFSSL_RENESAS_TSIP_TLS) && \ + !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)) /* check if keys for TSIP has been created */ if (tsip_useable(ssl) == 1) ret = 0; else #endif + +#if defined(HAVE_PK_CALLBACKS) + if (ssl->ctx->SetKeysCb) { + void* ctx = wolfSSL_GetSetKeysCtx(ssl); + ret = ssl->ctx->SetKeysCb(ssl, ctx); + } + if (!ssl->ctx->SetKeysCb || ret == PROTOCOLCB_UNAVAILABLE) +#endif ret = SetKeys(wc_encrypt, wc_decrypt, keys, &ssl->specs, ssl->options.side, ssl->heap, ssl->devId, ssl->rng, ssl->options.tls1_3); diff --git a/src/ssl.c b/src/ssl.c index ffad2ddfc..ec495b95e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -238,13 +238,12 @@ const WOLF_EC_NIST_NAME kNistCurves[] = { }; #endif -#if defined(WOLFSSL_RENESAS_TSIP_TLS) +#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) /* for root ca verification */ -int tsip_tls_RootCertVerify(const byte *cert, word32 cert_len, +int Renesas_cmn_RootCertVerify(const byte *cert, word32 cert_len, word32 key_n_start, word32 key_n_len, word32 key_e_start, word32 key_e_len, word32 cm_row); -byte tsip_rootCAverified( ); #endif #ifdef WOLFSSL_SESSION_EXPORT @@ -4998,7 +4997,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) FreeSigner(signer, cm->heap); } } -#if defined(WOLFSSL_RENESAS_TSIP_TLS) +#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) /* Verify CA by TSIP so that generated tsip key is going to be able to */ /* be used for peer's cert verification */ /* TSIP is only able to handle USER CA, and only one CA. */ @@ -5006,18 +5005,21 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) /* verified CA. */ if ( ret == 0 && signer != NULL ) { signer->cm_idx = row; - if (type == WOLFSSL_USER_CA && tsip_rootCAverified() == 0 ) { - if ((ret = tsip_tls_RootCertVerify(cert->source, cert->maxIdx, - cert->sigCtx.pubkey_n_start, cert->sigCtx.pubkey_n_len - 1, - cert->sigCtx.pubkey_e_start, cert->sigCtx.pubkey_e_len - 1, + if (type == WOLFSSL_USER_CA) { + if ((ret = Renesas_cmn_RootCertVerify(cert->source, cert->maxIdx, + cert->sigCtx.CertAtt.pubkey_n_start, + cert->sigCtx.CertAtt.pubkey_n_len - 1, + cert->sigCtx.CertAtt.pubkey_e_start, + cert->sigCtx.CertAtt.pubkey_e_len - 1, row/* cm index */)) - != 0) - WOLFSSL_MSG("tsip_tls_RootCertVerify() failed"); + < 0) + WOLFSSL_MSG("Renesas_RootCertVerify() failed"); else - WOLFSSL_MSG("tsip_tls_RootCertVerify() succeed"); + WOLFSSL_MSG("Renesas_RootCertVerify() succeed or skipped"); } } -#endif +#endif /* TSIP or SCE */ + WOLFSSL_MSG("\tFreeing Parsed CA"); FreeDecodedCert(cert); #ifdef WOLFSSL_SMALL_STACK @@ -41978,6 +41980,133 @@ void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl) } #endif /* NO_RSA */ +/* callback for premaster secret generation */ +void wolfSSL_CTX_SetGenPreMasterCb(WOLFSSL_CTX* ctx, CallbackGenPreMaster cb) +{ + if (ctx) + ctx->GenPreMasterCb = cb; +} +/* Set master secret generation callback context */ +void wolfSSL_SetGenPreMasterCtx(WOLFSSL* ssl, void *ctx) +{ + if (ssl) + ssl->GenPreMasterCtx = ctx; +} +/* Get master secret generation callback context */ +void* wolfSSL_GetGenPreMasterCtx(WOLFSSL* ssl) +{ + if (ssl) + return ssl->GenPreMasterCtx; + + return NULL; +} + +/* callback for premaster secret generation */ +void wolfSSL_CTX_SetGenMasterSecretCb(WOLFSSL_CTX* ctx, CallbackGenMasterSecret cb) +{ + if (ctx) + ctx->GenMasterCb = cb; +} +/* Set premaster secret generation callback context */ +void wolfSSL_SetGenMasterSecretCtx(WOLFSSL* ssl, void *ctx) +{ + if (ssl) + ssl->GenMasterCtx = ctx; +} +/* Get premaster secret generation callback context */ +void* wolfSSL_GetGenMasterSecretCtx(WOLFSSL* ssl) +{ + if (ssl) + return ssl->GenMasterCtx; + + return NULL; +} + +/* callback for session key generation */ +void wolfSSL_CTX_SetGenSesssionKeyCb(WOLFSSL_CTX* ctx, CallbackGenSessionKey cb) +{ + if (ctx) + ctx->GenSessionKeyCb = cb; +} +/* Set sesssion key generation callback context */ +void wolfSSL_SetGenSesssionKeyCtx(WOLFSSL* ssl, void *ctx) +{ + if (ssl) + ssl->GenSessionKeyCtx = ctx; +} +/* Get sesssion key generation callback context */ +void* wolfSSL_GetGenSesssionKeyCtx(WOLFSSL* ssl) +{ + if (ssl) + return ssl->GenSessionKeyCtx; + + return NULL; +} + +/* callback for set keys */ +void wolfSSL_CTX_SetSetKeysCb(WOLFSSL_CTX* ctx, CallbackSetKeys cb) +{ + if (ctx) + ctx->SetKeysCb = cb; +} +/* Set set keys callback context */ +void wolfSSL_SetSetKeysCtx(WOLFSSL* ssl, void *ctx) +{ + if (ssl) + ssl->SetKeysCtx = ctx; +} +/* Get set keys callback context */ +void* wolfSSL_GetSetKeysCtx(WOLFSSL* ssl) +{ + if (ssl) + return ssl->SetKeysCtx; + + return NULL; +} + +/* callback for verify data */ +void wolfSSL_CTX_SetTlsFinishedCb(WOLFSSL_CTX* ctx, CallbackTlsFinished cb) +{ + if (ctx) + ctx->TlsFinishedCb = cb; +} +/* Set set keys callback context */ +void wolfSSL_SetTlsFinishedCtx(WOLFSSL* ssl, void *ctx) +{ + if (ssl) + ssl->TlsFinishedCtx = ctx; +} +/* Get set keys callback context */ +void* wolfSSL_GetTlsFinishedCtx(WOLFSSL* ssl) +{ + if (ssl) + return ssl->TlsFinishedCtx; + + return NULL; +} +#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) +/* callback for verify data */ +void wolfSSL_CTX_SetVerifymacCb(WOLFSSL_CTX* ctx, CallbackVerifymac cb) +{ + if (ctx) + ctx->VerifymacCb = cb; +} +/* Set set keys callback context */ +void wolfSSL_SetVerifymacCtx(WOLFSSL* ssl, void *ctx) +{ + if (ssl) + ssl->VerifymacCtx = ctx; +} +/* Get set keys callback context */ +void* wolfSSL_GetVerifymacCtx(WOLFSSL* ssl) +{ + if (ssl) + return ssl->VerifymacCtx; + + return NULL; +} +#endif /* !WOLFSSL_NO_TLS12 && !WOLFSSL_AEAD_ONLY */ + #endif /* HAVE_PK_CALLBACKS */ #endif /* NO_CERTS */ diff --git a/src/tls.c b/src/tls.c index 9f614fa0c..7c8b1df9c 100644 --- a/src/tls.c +++ b/src/tls.c @@ -210,6 +210,14 @@ int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) side = tls_server; #ifdef WOLFSSL_HAVE_PRF +#if defined(HAVE_PK_CALLBACKS) + if (ssl->ctx->TlsFinishedCb) { + void* ctx = wolfSSL_GetTlsFinishedCtx(ssl); + ret = ssl->ctx->TlsFinishedCb(ssl, side, handshake_hash, + (byte*)hashes, ctx); + } + if (!ssl->ctx->TlsFinishedCb || ret == PROTOCOLCB_UNAVAILABLE) +#endif #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) if (tsip_useable(ssl)) { @@ -393,15 +401,22 @@ int DeriveTlsKeys(WOLFSSL* ssl) ret = tsip_generateSeesionKey(ssl); else { #endif - ret = _DeriveTlsKeys(key_dig, key_dig_len, +#if defined(HAVE_PK_CALLBACKS) + if (ssl->ctx->GenSessionKeyCb) { + void* ctx = wolfSSL_GetGenSesssionKeyCtx(ssl); + ret = ssl->ctx->GenSessionKeyCb(ssl, ctx); + } + if (!ssl->ctx->GenSessionKeyCb || ret == PROTOCOLCB_UNAVAILABLE) +#endif + ret = _DeriveTlsKeys(key_dig, key_dig_len, ssl->arrays->masterSecret, SECRET_LEN, ssl->arrays->serverRandom, ssl->arrays->clientRandom, IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, ssl->heap, ssl->devId); if (ret == 0) ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER); -#if defined(WOLFSSL_RENESAS_TSIP_TLS) && \ - !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) +#if (defined(WOLFSSL_RENESAS_TSIP_TLS) && \ + !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)) } #endif @@ -576,6 +591,13 @@ int MakeTlsMasterSecret(WOLFSSL* ssl) #endif } else +#endif +#if defined(HAVE_PK_CALLBACKS) + if (ssl->ctx->GenMasterCb) { + void* ctx = wolfSSL_GetGenMasterSecretCtx(ssl); + ret = ssl->ctx->GenMasterCb(ssl, ctx); + } + if (!ssl->ctx->GenMasterCb || ret == PROTOCOLCB_UNAVAILABLE) #endif ret = _MakeTlsMasterSecret(ssl->arrays->masterSecret, SECRET_LEN, ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, @@ -1196,6 +1218,7 @@ int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz, return ret; } #endif + ret = wc_HmacInit(&hmac, ssl->heap, ssl->devId); if (ret != 0) return ret; diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 8a5d02e4d..85689a1d3 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -215,6 +215,9 @@ #ifdef HAVE_CAVIUM_OCTEON_SYNC #include #endif + #ifdef HAVE_RENESAS_SYNC + #include + #endif #endif #ifdef WOLFSSL_ASYNC_CRYPT @@ -1437,6 +1440,12 @@ static void* benchmarks_do(void* args) printf("Couldn't get the Octeon device ID\n"); } #endif +#ifdef HAVE_RENESAS_SYNC + devId = wc_CryptoCb_CryptInitRenesascmn(NULL, &guser_PKCbInfo); + if (devId == INVALID_DEVID) { + printf("Couldn't get the Renesas device ID\n"); + } +#endif #endif #if defined(HAVE_LOCAL_RNG) @@ -1508,7 +1517,8 @@ static void* benchmarks_do(void* args) bench_aescbc(0); #endif #if ((defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)) || \ - defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)) && \ + defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC) || \ + defined(HAVE_RENESAS_SYNC)) && \ !defined(NO_HW_BENCH) bench_aescbc(1); #endif @@ -1520,7 +1530,8 @@ static void* benchmarks_do(void* args) bench_aesgcm(0); #endif #if ((defined(WOLFSSL_ASYNC_CRYPT) && defined(WC_ASYNC_ENABLE_3DES)) || \ - defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC)) && \ + defined(HAVE_INTEL_QA_SYNC) || defined(HAVE_CAVIUM_OCTEON_SYNC) || \ + defined(HAVE_RENESAS_SYNC)) && \ !defined(NO_HW_BENCH) bench_aesgcm(1); #endif @@ -2092,9 +2103,11 @@ int benchmark_free(void) { int ret; +#ifndef HAVE_RENESAS_SYNC if (gPrintStats || devId != INVALID_DEVID) { bench_stats_print(); } +#endif bench_stats_free(); @@ -2105,6 +2118,9 @@ int benchmark_free(void) #ifdef HAVE_CAVIUM_OCTEON_SYNC wc_CryptoCb_CleanupOcteon(&devId); #endif +#ifdef HAVE_RENESAS_SYNC + wc_CryptoCb_CleanupRenesascmn(&devId); +#endif #endif #ifdef WOLFSSL_ASYNC_CRYPT diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 53995d9c5..80107bf98 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -198,6 +198,9 @@ int tsip_tls_CertVerify(const byte *cert, word32 certSz, word32 key_e_start, word32 key_e_len, byte *tsip_encRsaKeyIdx); #endif +#ifdef WOLFSSL_RENESAS_SCEPROTECT +byte Rnesas_cmn_checkCA(word32 cmdIdx); +#endif /* Calculates the minimum number of bytes required to encode the value. * @@ -7647,7 +7650,7 @@ int EncryptContent(byte* input, word32 inputSz, byte* out, word32* outSz, #ifndef NO_RSA #ifndef HAVE_USER_RSA -#ifdef WOLFSSL_RENESAS_TSIP +#if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT) /* This function is to retrieve key position information in a cert.* * The information will be used to call TSIP TLS-linked API for * * certificate verification. */ @@ -9585,9 +9588,9 @@ void FreeDecodedCert(DecodedCert* cert) if (cert->subjectName != NULL) wolfSSL_X509_NAME_free((WOLFSSL_X509_NAME*)cert->subjectName); #endif /* WOLFSSL_X509_NAME_AVAILABLE */ -#ifdef WOLFSSL_RENESAS_TSIP_TLS - if (cert->tsip_encRsaKeyIdx != NULL) - XFREE(cert->tsip_encRsaKeyIdx, cert->heap, DYNAMIC_TYPE_RSA); +#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) + if (cert->sce_tsip_encRsaKeyIdx != NULL) + XFREE(cert->sce_tsip_encRsaKeyIdx, cert->heap, DYNAMIC_TYPE_RSA); #endif #ifndef NO_CERTS FreeSignatureCtx(&cert->sigCtx); @@ -9708,8 +9711,9 @@ static int StoreRsaKey(DecodedCert* cert, const byte* source, word32* srcIdx, if (GetSequence(source, srcIdx, &length, pubIdx + pubLen) < 0) return ASN_PARSE_E; -#if defined(WOLFSSL_RENESAS_TSIP) - cert->sigCtx.pubkey_n_start = cert->sigCtx.pubkey_e_start = pubIdx; +#if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT) + cert->sigCtx.CertAtt.pubkey_n_start = + cert->sigCtx.CertAtt.pubkey_e_start = pubIdx; #endif cert->pubKeySize = pubLen; cert->publicKey = source + pubIdx; @@ -9734,10 +9738,10 @@ static int StoreRsaKey(DecodedCert* cert, const byte* source, word32* srcIdx, * SEQUENCE. */ GetASN_GetConstRef(&dataASN[0], &cert->publicKey, &cert->pubKeySize); - #if defined(WOLFSSL_RENESAS_TSIP) + #if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT) /* Start of SEQUENCE. */ - cert->sigCtx.pubkey_n_start = cert->sigCtx.pubkey_e_start = - dataASN[1].offset; + cert->sigCtx.CertAtt.pubkey_n_start = + cert->sigCtx.CertAtt.pubkey_e_start = dataASN[1].offset; #endif #ifdef HAVE_OCSP /* Calculate the hash of the public key for OCSP. */ @@ -9805,13 +9809,25 @@ static int StoreEccKey(DecodedCert* cert, const byte* source, word32* srcIdx, maxIdx) < 0) return ASN_PARSE_E; - if (CheckCurve(cert->pkCurveOID) < 0) + if ((ret = CheckCurve(cert->pkCurveOID)) < 0) return ECC_CURVE_OID_E; - + + #if defined(WOLFSSL_RENESAS_SCEPROTECT) + cert->sigCtx.CertAtt.curve_id = ret; + #endif /* key header */ ret = CheckBitString(source, srcIdx, &length, maxIdx, 1, NULL); if (ret != 0) return ret; + #if defined(WOLFSSL_RENESAS_SCEPROTECT) + cert->sigCtx.CertAtt.pubkey_n_start = + cert->sigCtx.CertAtt.pubkey_e_start = (*srcIdx + 1); + cert->sigCtx.CertAtt.pubkey_n_len = ((length - 1) >> 1); + cert->sigCtx.CertAtt.pubkey_e_start += + cert->sigCtx.CertAtt.pubkey_n_len; + cert->sigCtx.CertAtt.pubkey_e_len = + cert->sigCtx.CertAtt.pubkey_n_len; + #endif #ifdef HAVE_OCSP ret = CalcHashId(source + *srcIdx, length, cert->subjectKeyHash); if (ret != 0) @@ -13071,9 +13087,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx, const byte* sig, word32 sigSz, word32 sigOID, byte* rsaKeyIdx) { int ret = 0; -#ifndef WOLFSSL_RENESAS_TSIP_TLS - (void)rsaKeyIdx; -#endif + if (sigCtx == NULL || buf == NULL || bufSz == 0 || key == NULL || keySz == 0 || sig == NULL || sigSz == 0) { return BAD_FUNC_ARG; @@ -13086,6 +13100,23 @@ static int ConfirmSignature(SignatureCtx* sigCtx, WOLFSSL_ENTER("ConfirmSignature"); +#if !defined(WOLFSSL_RENESAS_TSIP_TLS) && !defined(WOLFSSL_RENESAS_SCEPROTECT) + (void)rsaKeyIdx; +#else + CertAttribute* certatt = NULL; + + #if !defined(NO_RSA) + certatt = (CertAttribute*)&sigCtx->CertAtt; + #elif defined(HAVE_ECC) + certatt = (CertAttribute*)&sigCtx->CertAtt; + #endif + if(certatt) { + certatt->keyIndex = rsaKeyIdx; + certatt->cert = buf; + certatt->certSz = bufSz; + } +#endif + #ifndef NO_ASN_CRYPT switch (sigCtx->state) { case SIG_STATE_BEGIN: @@ -13412,14 +13443,19 @@ static int ConfirmSignature(SignatureCtx* sigCtx, #ifndef NO_RSA case RSAk: { - #ifdef HAVE_PK_CALLBACKS + #if defined(HAVE_PK_CALLBACKS) && \ + !defined(WOLFSSL_RENESAS_TSIP_TLS) if (sigCtx->pkCbRsa) { ret = sigCtx->pkCbRsa( sigCtx->sigCpy, sigSz, &sigCtx->out, key, keySz, sigCtx->pkCtxRsa); } + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) else + #else + if (!sigCtx->pkCbRsa || ret == CRYPTOCB_UNAVAILABLE) + #endif /* WOLFSSL_RENESAS_SCEPROTECT */ #endif /* HAVE_PK_CALLBACKS */ { #ifdef WOLFSSL_RENESAS_TSIP_TLS @@ -13427,14 +13463,14 @@ static int ConfirmSignature(SignatureCtx* sigCtx, { ret = tsip_tls_CertVerify(buf, bufSz, sigCtx->sigCpy, sigSz, - sigCtx->pubkey_n_start - sigCtx->certBegin, - sigCtx->pubkey_n_len - 1, - sigCtx->pubkey_e_start - sigCtx->certBegin, - sigCtx->pubkey_e_len - 1, + sigCtx->.CertAtt.pubkey_n_start - sigCtx->certBegin, + sigCtx->.CertAtt.pubkey_n_len - 1, + sigCtx->.CertAtt.pubkey_e_start - sigCtx->certBegin, + sigCtx->.CertAtt.pubkey_e_len - 1, rsaKeyIdx); if (ret == 0){ - sigCtx->verifyByTSIP = 1; + sigCtx->verifyByTSIP_SCE = 1; ret = 0; } else { WOLFSSL_MSG("RSA Verify by tsip didn't match"); @@ -13459,7 +13495,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx, #if defined(HAVE_ECC) case ECDSAk: { - #ifdef HAVE_PK_CALLBACKS + #if defined(HAVE_PK_CALLBACKS) if (sigCtx->pkCbEcc) { ret = sigCtx->pkCbEcc( sig, sigSz, @@ -13467,7 +13503,11 @@ static int ConfirmSignature(SignatureCtx* sigCtx, key, keySz, &sigCtx->verify, sigCtx->pkCtxEcc); } + #if !defined(WOLFSSL_RENESAS_SCEPROTECT) else + #else + if (!sigCtx->pkCbEcc || ret == CRYPTOCB_UNAVAILABLE) + #endif /* WOLFSSL_RENESAS_SCEPROTECT */ #endif /* HAVE_PK_CALLBACKS */ { ret = wc_ecc_verify_hash(sig, sigSz, sigCtx->digest, @@ -13531,8 +13571,9 @@ static int ConfirmSignature(SignatureCtx* sigCtx, case RSAk: { int encodedSigSz, verifySz; - #ifdef WOLFSSL_RENESAS_TSIP - if (sigCtx->verifyByTSIP == 1) break; + #if defined(WOLFSSL_RENESAS_TSIP) || \ + defined(WOLFSSL_RENESAS_SCEPROTECT) + if (sigCtx->CertAtt.verifyByTSIP_SCE == 1) break; #endif #ifdef WOLFSSL_SMALL_STACK byte* encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, @@ -17790,10 +17831,10 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) int len = 0; #endif #endif -#if defined(WOLFSSL_RENESAS_TSIP) +#if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT) int idx = 0; #endif - byte* tsip_encRsaKeyIdx; + byte* sce_tsip_encRsaKeyIdx; if (cert == NULL) { return BAD_FUNC_ARG; @@ -18148,52 +18189,56 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) } #endif /* HAVE_OCSP */ } -#if defined(WOLFSSL_RENESAS_TSIP) +#if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT) /* prepare for TSIP TLS cert verification API use */ if (cert->keyOID == RSAk) { /* to call TSIP API, it needs keys position info in bytes */ if ((ret = RsaPublicKeyDecodeRawIndex(cert->publicKey, (word32*)&idx, cert->pubKeySize, - &cert->sigCtx.pubkey_n_start, - &cert->sigCtx.pubkey_n_len, - &cert->sigCtx.pubkey_e_start, - &cert->sigCtx.pubkey_e_len)) != 0) { + &cert->sigCtx.CertAtt.pubkey_n_start, + &cert->sigCtx.CertAtt.pubkey_n_len, + &cert->sigCtx.CertAtt.pubkey_e_start, + &cert->sigCtx.CertAtt.pubkey_e_len)) != 0) { WOLFSSL_MSG("Decoding index from cert failed."); return ret; } - cert->sigCtx.certBegin = cert->certBegin; + cert->sigCtx.CertAtt.certBegin = cert->certBegin; + } else if (cert->keyOID == ECDSAk) { + cert->sigCtx.CertAtt.certBegin = cert->certBegin; } /* check if we can use TSIP for cert verification */ /* if the ca is verified as tsip root ca. */ /* TSIP can only handle 2048 bits(256 byte) key. */ - if (cert->ca && tsip_checkCA(cert->ca->cm_idx) != 0 && - cert->sigCtx.pubkey_n_len == 256) { + if (cert->ca && Rnesas_cmn_checkCA(cert->ca->cm_idx) != 0 && + (cert->sigCtx.CertAtt.pubkey_n_len == 256 || + cert->sigCtx.CertAtt.curve_id == ECC_SECP256R1)) { /* assign memory to encrypted tsip Rsa key index */ - if (!cert->tsip_encRsaKeyIdx) - cert->tsip_encRsaKeyIdx = + if (!cert->sce_tsip_encRsaKeyIdx) + cert->sce_tsip_encRsaKeyIdx = (byte*)XMALLOC(TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY, cert->heap, DYNAMIC_TYPE_RSA); - if (cert->tsip_encRsaKeyIdx == NULL) + if (cert->sce_tsip_encRsaKeyIdx == NULL) return MEMORY_E; } else { if (cert->ca) { /* TSIP isn't usable */ - if (tsip_checkCA(cert->ca->cm_idx) == 0) - WOLFSSL_MSG("TSIP isn't usable because the ca isn't verified " + if (Rnesas_cmn_checkCA(cert->ca->cm_idx) == 0) + WOLFSSL_MSG("SCE-TSIP isn't usable because the ca isn't verified " "by TSIP."); - else if (cert->sigCtx.pubkey_n_len != 256) - WOLFSSL_MSG("TSIP isn't usable because the ca isn't signed by " + else if (cert->sigCtx.CertAtt.pubkey_n_len != 256) + WOLFSSL_MSG("SCE-TSIP isn't usable because the ca isn't signed by " "RSA 2048."); else - WOLFSSL_MSG("TSIP isn't usable"); + WOLFSSL_MSG("SCE-TSIP isn't usable"); } - cert->tsip_encRsaKeyIdx = NULL; + cert->sce_tsip_encRsaKeyIdx = NULL; } - - tsip_encRsaKeyIdx = cert->tsip_encRsaKeyIdx; + + sce_tsip_encRsaKeyIdx = cert->sce_tsip_encRsaKeyIdx; + #else - tsip_encRsaKeyIdx = NULL; + sce_tsip_encRsaKeyIdx = NULL; #endif if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) { @@ -18207,7 +18252,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) cert->ca->publicKey, cert->ca->pubKeySize, cert->ca->keyOID, cert->signature, cert->sigLength, cert->signatureOID, - tsip_encRsaKeyIdx)) != 0) { + sce_tsip_encRsaKeyIdx)) != 0) { if (ret != WC_PENDING_E) { WOLFSSL_MSG("Confirm signature failed"); } diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index 9d685f811..717ee8559 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -554,6 +554,8 @@ const char* wc_GetErrorString(int error) case FIPS_PRIVATE_KEY_LOCKED_E: return "Cannot export private key, locked"; + case PROTOCOLCB_UNAVAILABLE: + return "Protocol callback unavailable"; default: return "unknown error number"; diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am index e1ab3e348..5324cf370 100644 --- a/wolfcrypt/src/include.am +++ b/wolfcrypt/src/include.am @@ -115,6 +115,10 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \ wolfcrypt/src/port/Renesas/renesas_tsip_aes.c \ wolfcrypt/src/port/Renesas/renesas_tsip_sha.c \ wolfcrypt/src/port/Renesas/renesas_tsip_util.c \ + wolfcrypt/src/port/Renesas/renesas_sce_util.c \ + wolfcrypt/src/port/Renesas/renesas_sce_aes.c \ + wolfcrypt/src/port/Renesas/renesas_sce_sha.c \ + wolfcrypt/src/port/Renesas/renesas_common.c \ wolfcrypt/src/port/Renesas/README.md \ wolfcrypt/src/port/cypress/psoc6_crypto.c diff --git a/wolfcrypt/src/port/Renesas/renesas_common.c b/wolfcrypt/src/port/Renesas/renesas_common.c new file mode 100644 index 000000000..260ab1799 --- /dev/null +++ b/wolfcrypt/src/port/Renesas/renesas_common.c @@ -0,0 +1,805 @@ +/* renesas_common.c + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include + +#if defined(WOLFSSL_RENESAS_SCEPROTECT) + #include +#elif defined(WOLFSSL_RENESAS_TSIP_TLS) + #include +#endif + +#include +#include +#include +#include +#include +#include + + +extern uint32_t g_CAscm_Idx; /* index of CM table */ +static int devId = 7890; /* dev Id for Crypt Callback */ + +#ifdef WOLF_CRYPTO_CB + +#include + +/* Renesas Security Library Common Callback + * For Crypto Call back + * + * devIdArg device Id + * info pointer to wc_CryptInfo + * ctx Crypto Callback context + * return 0 on success, otherwise MEMORY_E or BAD_FUNC_ARG on failure + */ +static int Renesas_cmn_CryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx) +{ + int ret = NOT_COMPILED_IN; /* return this to bypass HW and use SW */ + User_SCEPKCbInfo* cbInfo = (User_SCEPKCbInfo*) ctx; + + if (info == NULL || ctx == NULL) + return BAD_FUNC_ARG; + +#ifdef DEBUG_WOLFSSL + printf("CryptoDevCb: Algo Type %d\n", info->algo_type); +#endif + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip aes api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + + if (info->algo_type == WC_ALGO_TYPE_CIPHER) { + + #if !defined(NO_AES) || !defined(NO_DES3) + #ifdef HAVE_AESGCM + if (info->cipher.type == WC_CIPHER_AES_GCM) { + + if (info->cipher.enc && + ( cbInfo->session_key_set == 1 || + (cbInfo->aes256_installedkey_set == 1 && + info->cipher.aesgcm_enc.aes->keylen == 32) || + (cbInfo->aes128_installedkey_set == 1 && + info->cipher.aesgcm_enc.aes->keylen == 16))) { + + if(cbInfo->aes256_installedkey_set == 1 && + info->cipher.aesgcm_enc.aes->keylen == 32) { + + XMEMCPY(&info->cipher.aesgcm_enc.aes->ctx.sce_wrapped_key, + &cbInfo->sce_wrapped_key_aes256, + sizeof(sce_aes_wrapped_key_t)); + info->cipher.aesgcm_enc.aes->ctx.keySize = 32; + + } else if (cbInfo->aes128_installedkey_set == 1 && + info->cipher.aesgcm_enc.aes->keylen == 16) { + + XMEMCPY(&info->cipher.aesgcm_enc.aes->ctx.sce_wrapped_key, + &cbInfo->sce_wrapped_key_aes128, + sizeof(sce_aes_wrapped_key_t)); + info->cipher.aesgcm_enc.aes->ctx.keySize = 16; + } + + ret = wc_sce_AesGcmEncrypt( + info->cipher.aesgcm_enc.aes, + (byte*)info->cipher.aesgcm_enc.out, + (byte*)info->cipher.aesgcm_enc.in, + info->cipher.aesgcm_enc.sz, + (byte*)info->cipher.aesgcm_enc.iv, + info->cipher.aesgcm_enc.ivSz, + (byte*)info->cipher.aesgcm_enc.authTag, + info->cipher.aesgcm_enc.authTagSz, + (byte*)info->cipher.aesgcm_enc.authIn, + info->cipher.aesgcm_enc.authInSz, + (void*)ctx); + + } else if (cbInfo->session_key_set == 1 || + (cbInfo->aes256_installedkey_set == 1 && + info->cipher.aesgcm_dec.aes->keylen == 32) || + (cbInfo->aes128_installedkey_set == 1 && + info->cipher.aesgcm_dec.aes->keylen == 16)) { + + if(cbInfo->aes256_installedkey_set == 1 && + info->cipher.aesgcm_dec.aes->keylen == 32) { + + XMEMCPY(&info->cipher.aesgcm_dec.aes->ctx.sce_wrapped_key, + &cbInfo->sce_wrapped_key_aes256, + sizeof(sce_aes_wrapped_key_t)); + info->cipher.aesgcm_dec.aes->ctx.keySize = 32; + + } else if (cbInfo->aes128_installedkey_set == 1 && + info->cipher.aesgcm_dec.aes->keylen == 16) { + + XMEMCPY(&info->cipher.aesgcm_dec.aes->ctx.sce_wrapped_key, + &cbInfo->sce_wrapped_key_aes128, + sizeof(sce_aes_wrapped_key_t)); + info->cipher.aesgcm_dec.aes->ctx.keySize = 16; + } + + ret = wc_sce_AesGcmDecrypt( + info->cipher.aesgcm_dec.aes, + (byte*)info->cipher.aesgcm_dec.out, + (byte*)info->cipher.aesgcm_dec.in, + info->cipher.aesgcm_dec.sz, + (byte*)info->cipher.aesgcm_dec.iv, + info->cipher.aesgcm_dec.ivSz, + (byte*)info->cipher.aesgcm_dec.authTag, + info->cipher.aesgcm_dec.authTagSz, + (byte*)info->cipher.aesgcm_dec.authIn, + info->cipher.aesgcm_dec.authInSz, + (void*)ctx); + } + } + #endif /* HAVE_AESGCM */ + #ifdef HAVE_AES_CBC + if ((info->cipher.type == WC_CIPHER_AES_CBC) && + (cbInfo->session_key_set == 1 || + (cbInfo->aes256_installedkey_set == 1 && + info->cipher.aescbc.aes->keylen == 32) || + (cbInfo->aes128_installedkey_set == 1 && + info->cipher.aescbc.aes->keylen == 16))) { + + if (info->cipher.enc) { + if(cbInfo->aes256_installedkey_set == 1 && + info->cipher.aescbc.aes->keylen == 32) { + XMEMCPY(&info->cipher.aescbc.aes->ctx.sce_wrapped_key, + &cbInfo->sce_wrapped_key_aes256, + sizeof(sce_aes_wrapped_key_t)); + info->cipher.aescbc.aes->ctx.keySize = 32; + + } else if (cbInfo->aes128_installedkey_set == 1 && + info->cipher.aescbc.aes->keylen == 16) { + XMEMCPY(&info->cipher.aescbc.aes->ctx.sce_wrapped_key, + &cbInfo->sce_wrapped_key_aes128, + sizeof(sce_aes_wrapped_key_t)); + info->cipher.aescbc.aes->ctx.keySize = 16; + } + + ret = wc_sce_AesCbcEncrypt( + info->cipher.aescbc.aes, + (byte*)info->cipher.aescbc.out, + (byte*)info->cipher.aescbc.in, + info->cipher.aescbc.sz); + } + else { + if(cbInfo->aes256_installedkey_set == 1 && + info->cipher.aescbc.aes->keylen == 32) { + XMEMCPY(&info->cipher.aescbc.aes->ctx.sce_wrapped_key, + &cbInfo->sce_wrapped_key_aes256, + sizeof(sce_aes_wrapped_key_t)); + info->cipher.aescbc.aes->ctx.keySize = 32; + + } else if (cbInfo->aes128_installedkey_set == 1 && + info->cipher.aescbc.aes->keylen == 16) { + XMEMCPY(&info->cipher.aescbc.aes->ctx.sce_wrapped_key, + &cbInfo->sce_wrapped_key_aes128, + sizeof(sce_aes_wrapped_key_t)); + info->cipher.aescbc.aes->ctx.keySize = 16; + } + + ret = wc_sce_AesCbcDecrypt( + info->cipher.aescbc.aes, + (byte*)info->cipher.aescbc.out, + (byte*)info->cipher.aescbc.in, + info->cipher.aescbc.sz); + } + } + #endif /* HAVE_AES_CBC */ + #endif /* !NO_AES || !NO_DES3 */ + #endif /* TSIP or SCE */ + } + + (void)devIdArg; + (void)ctx; + + return ret; +} + +/* Renesas Security Library Common Entry Point + * For usable method + * + * ssl : a pointer to WOLFSSL object + * session_key_generated : if session key has been generated + * return 1 for usable, 0 for unusable + */ +int Renesas_cmn_useable(const WOLFSSL* ssl, byte session_key_generated) +{ + int ret; + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + ret = sce_useable(ssl, session_key_generated); + #endif + + return ret; +} + +/* Renesas Security Library Common Method + * Crypt Callback initialization + * + * ssl : a pointer to WOLFSSL object + * ctx : callback context + * return valid device Id on success, otherwise INVALID_DEVIID + */ +int wc_CryptoCb_CryptInitRenesascmn(WOLFSSL* ssl, void* ctx) +{ + (void)ssl; + (void)ctx; + + #if defined(WOLFSSL_RENESAS_TSIP) + void* cbInfo = NULL;/* TODO cast tsip cb context */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + User_SCEPKCbInfo* cbInfo = (User_SCEPKCbInfo*)ctx; + #endif + + if (wc_CryptoCb_RegisterDevice(devId, Renesas_cmn_CryptoDevCb, cbInfo) < 0) { + return INVALID_DEVID; + } + + if(ssl) + wolfSSL_SetDevId(ssl, devId); + + return devId; +} + +/* Renesas Security Library Common Method + * Clean up CryptCb + * + * id : a pointer to device id to unregister + * no return value + */ +void wc_CryptoCb_CleanupRenesascmn(int* id) +{ + wc_CryptoCb_UnRegisterDevice(*id); + *id = INVALID_DEVID; +} + +#endif /* WOLF_CRYPTO_CB */ + +/* Renesas Security Library Common Method + * Check CA index if CA can be used for SCE/TSIP because + * the CA has been verified by SCE/TSIP + * + * cmdIdx : ca index + * return 1 can be used, otherwise 0 + */ +byte Rnesas_cmn_checkCA(word32 cmIdx) +{ + return (cmIdx == g_CAscm_Idx? 1:0); +} + +/* check if the root CA has been verified by TSIP/SCE, + * and it exists in the CM table. + */ +static byte sce_tsip_rootCAverified( ) +{ + return (g_CAscm_Idx != (uint32_t)-1 ? 1:0); +} +/* Renesas Security Library Common Callback + * Callback for Rsa verify + * + * ssl the WOLFSSL object + * sig Buffer holding signature + * sigSz Length of signature in bytes + * out Buffer to hold hash + * key Buffer to hold ecc key + * keySz Length of key in bytes + * return FSP_SUCCESS(0) on sucess, otherwise FSP/TSIP error code + */ +int Renesas_cmn_RsaVerify(WOLFSSL* ssl, byte* sig, word32 sigSz, + byte** out, const byte* key, word32 keySz, void* ctx) +{ + int ret; + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO TSIP */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + ret = SCE_RsaVerify(ssl, sig, sigSz, out,key, keySz, ctx); + + if (ret == 0 && ret != CRYPTOCB_UNAVAILABLE) { + /* Set Call back for SharedScret when being successful */ + wolfSSL_CTX_SetEccSharedSecretCb(ssl->ctx, SCE_EccSharedSecret); + wolfSSL_SetEccSharedSecretCtx(ssl, ctx); + } else { + WOLFSSL_MSG("failed R_SCE_TLS_ServerKeyExchangeVerify"); + wolfSSL_CTX_SetEccSharedSecretCb(ctx, NULL); + wolfSSL_SetEccSharedSecretCtx(ssl, NULL); + } + #endif + + return ret; +} +/* Renesas Security Library Common Callback + * Callback for Ecc verify + * + * ssl the WOLFSSL object + * sig Buffer holding signature + * sigSz Length of signature in bytes + * hash Buffer to hold hash + * hashSz Length of hash + * key Buffer to hold ecc key + * keySz Length of key in bytes + * result a pointer to int indicates if the verify is ok + * return FSP_SUCCESS(0) on sucess, otherwise FSP/TSIP error code + */ +int Renesas_cmn_EccVerify(WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, + const uint8_t* hash, uint32_t hashSz, const uint8_t* key, uint32_t keySz, + int* result, void* ctx) +{ + int ret; + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO TSIP */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + ret = SCE_EccVerify(ssl, sig, sigSz, hash, hashSz, key, keySz, + result, ctx); + if (ret == 0 && *result == 1 && ret != CRYPTOCB_UNAVAILABLE) { + /* Set Call back for SharedScret when being successful */ + wolfSSL_CTX_SetEccSharedSecretCb(ssl->ctx, SCE_EccSharedSecret); + wolfSSL_SetEccSharedSecretCtx(ssl, ctx); + } else { + WOLFSSL_MSG("failed R_SCE_TLS_ServerKeyExchangeVerify"); + wolfSSL_CTX_SetEccSharedSecretCb(ctx, NULL); + wolfSSL_SetEccSharedSecretCtx(ssl, NULL); + } + #endif + + return ret; +} +/* Renesas Security Library Common Entry Point + * For ROOT CA verifycation + * + * cert Buffer to hold cert + * cert_len Length of cert + * key_n_start Byte position of public key in cert + * key_n_len Length of public key in bytes + * key_e_start Byte position of public key exponent in cert + * key_e_len Length of public key exponent + * cm_row CA index + * return FSP_SUCCESS(0) on sucess, otherwise FSP/TSIP error code + */ +int Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, word32 key_n_start, + word32 key_n_len, word32 key_e_start, word32 key_e_len, word32 cm_row) +{ + int ret; + + if (sce_tsip_rootCAverified() == 0) { + + #if defined(WOLFSSL_RENESAS_TSIP) + ret = tsip_tls_RootCertVerify(cert, cert_len, key_n_start, + key_n_len, key_e_start, key_e_len, cm_row); + + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + + ret = sce_tls_RootCertVerify(cert, cert_len, key_n_start, + key_n_len, key_e_start, key_e_len, cm_row); + #endif + } else { + /* already verified. skipped */ + ret = 0; + } + return ret; +} + +/* Renesas Security Library Common Callback + * Callback for tls finished + * + * ssl the WOLFSSL object + * side CLIENT or SERVER + * handshake_hash hash while doing handshake + * hashes calculated data by SCE/TSIP pseduo reandom function + * return FSP_SUCCESS(0) on sucess, otherwise FSP/TSIP error code + */ +int Renesas_cmn_TlsFinished(WOLFSSL* ssl, const byte *side, + const byte *handshake_hash, + byte *hashes, void* ctx) +{ + int ret = -1; + + (void)ctx; + + /* sanity check */ + if (ssl == NULL || ctx == NULL || side == NULL || handshake_hash == NULL || + hashes == NULL ) + return BAD_FUNC_ARG; + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + ret = sce_generateVerifyData(ssl->arrays->sce_masterSecret, /* master secret */ + side, handshake_hash, hashes); + #endif + + return ret; +} + +/* Renesas Security Library Common Callback + * Callback for Set Keys. + * Register callback for tls finished when keys are generated by SCE/TSIP + * + * ssl the WOLFSSL object + * ctx Callback context + * return 0 on sucess, -1 when keys are not generated by SCE/TSIP + */ +int Renesas_cmn_SetKeys(WOLFSSL* ssl, void* ctx) +{ + int ret; + + /* sanity check */ + if (ssl == NULL || ctx == NULL) + return BAD_FUNC_ARG; + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + User_SCEPKCbInfo* cbInfo = (User_SCEPKCbInfo*)ctx; + if (cbInfo->session_key_set == 1) { + ret = 0; + + wolfSSL_CTX_SetTlsFinishedCb(ssl->ctx, Renesas_cmn_TlsFinished); + wolfSSL_SetTlsFinishedCtx(ssl, cbInfo); + } else { + wolfSSL_CTX_SetTlsFinishedCb(ssl->ctx, NULL); + wolfSSL_SetTlsFinishedCtx(ssl, NULL); + ret = -1; + } + #endif + return ret; +} + +/* Renesas Security Library Common Callback + * Callback for Sesssion Key generation + * Register callback for Set Keys when keys are successfully + * generated by SCE/TSIP + * + * ssl the WOLFSSL object + * ctx Callback context + * return FSP_SUCCESS(0) on sucess, otherwise SCE/TSIP error code + */ +int Renesas_cmn_generateSeesionKey(WOLFSSL* ssl, void* ctx) +{ + int ret = -1; + + (void)ctx; + + /* sanity check */ + if (ssl == NULL || ctx == NULL) + return BAD_FUNC_ARG; + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + ret = sce_generateSeesionKey(ssl, ctx, devId); + if (ret == 0) { + wolfSSL_CTX_SetSetKeysCb(ssl->ctx, Renesas_cmn_SetKeys); + wolfSSL_SetSetKeysCtx(ssl, ctx); + } else { + wolfSSL_CTX_SetSetKeysCb(ssl->ctx, NULL); + wolfSSL_SetSetKeysCtx(ssl, NULL); + } + #endif + return ret; +} + +/* Renesas Security Library Common Callback + * Callback for Premaster Secret generation + * Register callback for Set Keys when keys are successfully + * generated by SCE/TSIP + * + * ssl the WOLFSSL object + * premaster Buffer to hold pre master + * preSz Length of pre-master + * ctx Callback context + * return FSP_SUCCESS(0) on sucess, + * otherwise PROTOCOLCB_UNAVAILABLE + * so that caller could continue to process if want + */ +int Renesas_cmn_generatePremasterSecret(WOLFSSL* ssl, byte *premaster, + word32 preSz, void* ctx) +{ + int ret; + + (void) ctx; + (void) ssl; + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + if (Renesas_cmn_useable(ssl, 0)) { + ret = sce_generatePremasterSecret(premaster, preSz); + ssl->arrays->preMasterSz = preSz; + } else + ret = PROTOCOLCB_UNAVAILABLE; + #endif + + return ret; +} + +/* Renesas Security Library Common Callback + * Callback for Master Secret generation + * Register callback for Session Key Generation when master secret is + * successfully generated by SCE/TSIP + * + * ssl the WOLFSSL object + * ctx Callback context + * return FSP_SUCCESS(0) on sucess, + * otherwise PROTOCOLCB_UNAVAILABLE + * so that caller could continue to process if want + */ +int Renesas_cmn_genMasterSecret(struct WOLFSSL* ssl, void* ctx) +{ + int ret = WOLFSSL_NOT_IMPLEMENTED; + + (void) ret; + (void) ctx; + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + if (Renesas_cmn_useable(ssl, 0)) { + ret = sce_generateMasterSecret( + ssl->options.cipherSuite0, + ssl->options.cipherSuite, + ssl->arrays->preMasterSecret, + ssl->arrays->clientRandom, + ssl->arrays->serverRandom, + ssl->arrays->sce_masterSecret); + if (ret == 0) { + sce_storeKeyCtx(ssl, ctx); + /* set Session Key generation Callback for use */ + wolfSSL_CTX_SetGenSesssionKeyCb(ssl->ctx, Renesas_cmn_generateSeesionKey); + wolfSSL_SetGenSesssionKeyCtx(ssl, ctx); + } else { + wolfSSL_CTX_SetGenSesssionKeyCb(ssl->ctx, NULL); + wolfSSL_SetGenSesssionKeyCtx(ssl, NULL); + } + } else + ret = PROTOCOLCB_UNAVAILABLE; + + #endif + return ret; +} + +/* Renesas Security Library Common Callback + * Callback for Rsa Encryption + * + * ssl the WOLFSSL object + * in Buffer to hold plain text + * inSz Length of plain text + * out Buffer to hold cipher text + * outSz Length of cipher text buffer + * KeyDer Buffer holding Key in der format + * KeySz Length of Key Der + * ctx Callback context + * return FSP_SUCCESS(0) on sucess, + * otherwise CRYPTOCB_UNAVAILABLE + * so that caller could continue to process if want + */ +int Renesas_cmn_RsaEnc(WOLFSSL* ssl, const unsigned char* in, + unsigned int inSz, unsigned char* out, word32* outSz, + const unsigned char* keyDer, unsigned int keySz, void* ctx) +{ + int ret; + + (void)ctx; + (void)in; + (void)inSz; + (void)keyDer; + (void)keySz; + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + if (sce_useable(ssl, 0) && wc_RsaEncryptSize(ssl->peerRsaKey) == 256) { + ret = sce_generateEncryptPreMasterSecret(ssl, out, outSz); + } else + ret = CRYPTOCB_UNAVAILABLE; + #endif + return ret; +} + +/* Renesas Security Library Common Callback + * Callback for Verify hmac + * + * ssl the WOLFSSL object + * message Buffer to hold message + * inSz Length of message + * macSz Length of mac size + * content content of inner data + * ctx Callback context + * return FSP_SUCCESS(0) on sucess, + * otherwise PROTOCOLCB_UNAVAILABLE + * so that caller could continue to process if want + */ +int Renesas_cmn_VerifyHmac(WOLFSSL *ssl, const byte* message, + word32 messageSz, word32 macSz, word32 content, void* ctx) +{ + int ret; + (void)ctx; + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + if (sce_useable(ssl, 1)) { + ret = sce_Sha256VerifyHmac(ssl, message, messageSz, macSz, content); + } else + ret = PROTOCOLCB_UNAVAILABLE; + #endif + + return ret; +} + +/* Renesas Security Library Common Callback + * Callback for TLS hmac + * + * ssl the WOLFSSL object + * digest Buffer to hold digest by hmac + * in Buffer to hold in data + * sz Length of in data + * padSz Length of padding + * content content of inner data + * epocOrder + * return FSP_SUCCESS(0) on sucess, otherwise error code + */ +int Renesas_cmn_TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, + word32 sz, int padSz, int content, int verify, int epochOrder) +{ + int ret; + byte myInner[WOLFSSL_TLS_HMAC_INNER_SZ]; + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + if (Renesas_cmn_useable(ssl, 1)) { + if (ssl->specs.hash_size == WC_SHA256_DIGEST_SIZE) { + wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify); + ret = sce_Sha256GenerateHmac(ssl, myInner, WOLFSSL_TLS_HMAC_INNER_SZ, + in, sz, digest); + } + else + ret = TSIP_MAC_DIGSZ_E; + } else { + /* fall through to original TLS hmac method when SCE cannot be used */ + ret = TLS_hmac(ssl, digest, in, sz, padSz, content, verify, epochOrder); + } + + #endif + + return ret; +} + +/* Renesas Security Library Common Callback + * Callback for Signature PK Rsa verify + * + * sig Buffer holding signature + * sigSz Length of signature in bytes + * out Buffer to hold hash + * keyDer Buffer to hold rsa key + * keySz Length of key in bytes + * ctx Callback context + * return FSP_SUCCESS(0) on sucess, + * otherwise CRYPTOCB_UNAVAILABLE + * so that caller could continue to process if want + */ +int Renesas_cmn_SigPkCbRsaVerify(unsigned char* sig, unsigned int sigSz, + unsigned char** out, const unsigned char* keyDer, unsigned int keySz, + void* ctx) +{ + int ret; + CertAttribute* CertAtt; + + (void)out; + (void)keyDer; + (void)keySz; + + /* sanity check */ + if (sig == NULL || out == NULL || keyDer == NULL || ctx == NULL) + return BAD_FUNC_ARG; + + CertAtt = (CertAttribute*)ctx; + if (!CertAtt) { + return CRYPTOCB_UNAVAILABLE; + } + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + if (CertAtt->keyIndex != NULL) + { + ret = sce_tls_CertVerify(CertAtt->cert, CertAtt->certSz, sig, sigSz, + CertAtt->pubkey_n_start - CertAtt->certBegin, + CertAtt->pubkey_n_len - 1, + CertAtt->pubkey_e_start - CertAtt->certBegin, + CertAtt->pubkey_e_len -1, + (uint8_t*)CertAtt->keyIndex); + if (ret == 0){ + CertAtt->verifyByTSIP_SCE = 1; + } else { + WOLFSSL_MSG("RSA Verify by tsip didn't match"); + ret = ASN_SIG_CONFIRM_E; + } + } else + ret = CRYPTOCB_UNAVAILABLE; + #endif + + return ret; +} + +/* Renesas Security Library Common Callback + * Callback for Signature PK Ecc verify + * + * sig Buffer holding signature + * sigSz Length of signature in bytes + * has Buffer to hold hash + * hashSz Length of hash + * keyDer Buffer to hold rsa key + * keySz Length of key in bytes + * result A pointer to int indicates a result + * ctx Callback context + * return FSP_SUCCESS(0) on sucess, + * otherwise CRYPTOCB_UNAVAILABLE + * so that caller could continue to process if want + */ +int Renesas_cmn_SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz, + const unsigned char* hash, unsigned int hashSz, + const unsigned char* keyDer, unsigned int keySz, + int* result, void* ctx) +{ + int ret; + CertAttribute* CertAtt; + + (void)result; + (void)keyDer; + (void)keySz; + (void)hash; + (void)hashSz; + /* sanity check */ + if (sig == NULL || keyDer == NULL || hash == NULL || ctx == NULL|| + result == NULL) + return BAD_FUNC_ARG; + + + CertAtt = (CertAttribute*)ctx; + if (!CertAtt) { + return CRYPTOCB_UNAVAILABLE; + } + + #if defined(WOLFSSL_RENESAS_TSIP) + /* TODO call tsip api */ + #elif defined(WOLFSSL_RENESAS_SCEPROTECT) + if (CertAtt->keyIndex != NULL) + { + ret = sce_tls_CertVerify(CertAtt->cert, CertAtt->certSz, sig, sigSz, + CertAtt->pubkey_n_start - CertAtt->certBegin, + CertAtt->pubkey_n_len - 1, + CertAtt->pubkey_e_start - CertAtt->certBegin, + CertAtt->pubkey_e_len -1, + (uint8_t*)CertAtt->keyIndex); + if (ret == 0){ + CertAtt->verifyByTSIP_SCE = 1; + *result = 1; + } else { + WOLFSSL_MSG("RSA Verify by tsip didn't match"); + ret = ASN_SIG_CONFIRM_E; + } + } else + ret = CRYPTOCB_UNAVAILABLE; + #endif + + return ret; +} + diff --git a/wolfcrypt/src/port/Renesas/renesas_sce_aes.c b/wolfcrypt/src/port/Renesas/renesas_sce_aes.c new file mode 100644 index 000000000..4294ff189 --- /dev/null +++ b/wolfcrypt/src/port/Renesas/renesas_sce_aes.c @@ -0,0 +1,520 @@ +/* renesas_sce_aes.c + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifdef HAVE_CONFIG_H + #include +#endif +#include + +#ifndef NO_AES + +#if defined(WOLFSSL_RENESAS_SCEPROTECT) && \ + !defined(NO_WOLFSSL_RENESAS_SCEPROTECT_AES) + +#include +#include +#include +#include +#include "wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h" + +#ifdef NO_INLINE + #include +#else + #define WOLFSSL_MISC_INCLUDED + #include +#endif + +struct Aes; + +#define SCE_AES_GCM_AUTH_TAG_SIZE 16 + +typedef fsp_err_t (*aesGcmEncInitFn) + (sce_gcm_handle_t*, sce_aes_wrapped_key_t*, uint8_t*, uint32_t); +typedef fsp_err_t (*aesGcmEncUpdateFn) + (sce_gcm_handle_t*,uint8_t*, uint8_t*, uint32_t, uint8_t*, uint32_t); +typedef fsp_err_t (*aesGcmEncFinalFn) + (sce_gcm_handle_t*, uint8_t*, uint32_t*, uint8_t*); + +typedef fsp_err_t (*aesGcmDecInitFn) + (sce_gcm_handle_t*, sce_aes_wrapped_key_t*, uint8_t*, uint32_t); +typedef fsp_err_t (*aesGcmDecUpdateFn) + (sce_gcm_handle_t*,uint8_t*, uint8_t*, uint32_t, uint8_t*, uint32_t); +typedef fsp_err_t (*aesGcmDecFinalFn) + (sce_gcm_handle_t*, uint8_t*, uint32_t*, uint8_t*, uint32_t); + +/* Perform Aes Gcm encryption by SCE + * + * aes The AES object. + * out Buffer to hold cipher text + * in Buffer to hold plaintext + * sz Length of cipher text/plaintext in bytes + * iv Buffer holding IV/nonce + * ivSz Length of IV/nonce in bytes + * authTag Buffer to hold authntication data + * authTagSz Length of authentication data in bytes + * ctx The callback context + * return FSP_SUCCESS(0) on Success, otherwise negative value + */ +int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, + const byte* in, word32 sz, + byte* iv, word32 ivSz, + byte* authTag, word32 authTagSz, + const byte* authIn, word32 authInSz, + void* ctx) +{ + int ret; + sce_gcm_handle_t _handle; + uint32_t dataLen = sz; + User_SCEPKCbInfo *info = (User_SCEPKCbInfo*)ctx; + + aesGcmEncInitFn initFn; + aesGcmEncUpdateFn updateFn; + aesGcmEncFinalFn finalFn; + + uint8_t* plainBuf = NULL; + uint8_t* cipherBuf = NULL; + uint8_t* aTagBuf = NULL; + uint8_t delta; + const uint8_t* iv_l = NULL; + uint32_t ivSz_l = 0; + + sce_hmac_sha_wrapped_key_t key_client_mac; + sce_hmac_sha_wrapped_key_t key_server_mac; + sce_aes_wrapped_key_t key_client_aes; + sce_aes_wrapped_key_t key_server_aes; + + /* sanity check */ + if (aes == NULL || authTagSz > AES_BLOCK_SIZE || ivSz == 0 || ctx == NULL) { + return BAD_FUNC_ARG; + } + + if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { + WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); + return BAD_FUNC_ARG; + } + + if (aes->ctx.keySize == 16) { + initFn = R_SCE_AES128GCM_EncryptInit; + updateFn = R_SCE_AES128GCM_EncryptUpdate; + finalFn = R_SCE_AES128GCM_EncryptFinal; + } + else { + initFn = R_SCE_AES256GCM_EncryptInit; + updateFn = R_SCE_AES256GCM_EncryptUpdate; + finalFn = R_SCE_AES256GCM_EncryptFinal; + } + + + /* check if AES GCM can be used by SCE */ + if ((ret = sce_hw_lock()) == 0) { + + /* allocate buffers for plaintaxt, ciphertext and authTag to make sure + * those buffers 32bit aligned as TSIP requests. + */ + delta = sz % AES_BLOCK_SIZE; + plainBuf = XMALLOC(sz, aes->heap, DYNAMIC_TYPE_AES); + cipherBuf = XMALLOC(sz + delta, aes->heap, DYNAMIC_TYPE_AES); + aTagBuf = XMALLOC(SCE_AES_GCM_AUTH_TAG_SIZE, aes->heap, + DYNAMIC_TYPE_AES); + + if (plainBuf == NULL || cipherBuf == NULL || aTagBuf == NULL) { + WOLFSSL_MSG("wc_tsip_AesGcmEncrypt: buffer allocation faild"); + ret = -1; + } + + if (ret == 0) { + XMEMCPY(plainBuf, in, sz); + XMEMSET((void*)cipherBuf, 0, sz + delta); + XMEMSET((void*)authTag, 0, authTagSz); + } + + if (ret == 0 && + info->session_key_set == 1) { + /* generate AES-GCM session key. The key stored in + * Aes.ctx.tsip_keyIdx is not used here. + */ + ret = R_SCE_TLS_SessionKeyGenerate( + info->sce_cipher, + (uint32_t*)info->sce_masterSecret, + (uint8_t*) info->sce_clientRandom, + (uint8_t*) info->sce_serverRandom, + &iv[AESGCM_IMP_IV_SZ], /* use exp_IV */ + &key_client_mac, + &key_server_mac, + &key_client_aes, + &key_server_aes, + NULL, NULL); + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG("R_SCE_TLS_SessionKeyGenerate failed"); + ret = -1; + } + + } else if (info->aes256_installedkey_set == 1) { + XMEMCPY(&key_client_aes, &info->sce_wrapped_key_aes256, + sizeof(sce_aes_wrapped_key_t)); + iv_l = iv; + ivSz_l = ivSz; + } + + if (ret == 0) { + + /* since generated session key is coupled to iv, no need to pass + * them init func. + */ + ret = initFn(&_handle, &key_client_aes, (uint8_t*)iv_l, ivSz_l); + + if (ret == FSP_SUCCESS) { + ret = updateFn(&_handle, NULL, NULL, 0UL, (uint8_t*)authIn, + authInSz); + } + if (ret == FSP_SUCCESS) { + ret = updateFn(&_handle, plainBuf, cipherBuf, sz, NULL, 0UL); + } + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG("R_TSIP_AesXXXGcmEncryptUpdate: failed"); + ret = -1; + } + + if (ret == FSP_SUCCESS) { + /* Once R_TSIP_AesxxxGcmEncryptInit or R_TSIP_AesxxxEncryptUpdate is + * called, R_TSIP_AesxxxGcmEncryptFinal must be called regardless of + * the result of the previous call. Otherwise, TSIP can not come out + * from its error state and all the trailing APIs will fail. + */ + dataLen = 0; + ret = finalFn(&_handle, + cipherBuf + (sz / AES_BLOCK_SIZE) * AES_BLOCK_SIZE, + &dataLen, + aTagBuf); + + if (ret == FSP_SUCCESS) { + /* copy encrypted data to out */ + XMEMCPY(out, cipherBuf, dataLen); + + /* copy auth tag to caller's buffer */ + XMEMCPY((void*)authTag, (void*)aTagBuf, + min(authTagSz, SCE_AES_GCM_AUTH_TAG_SIZE )); + + } + else { + WOLFSSL_MSG("R_TSIP_AesxxxGcmEncryptFinal: failed"); + ret = -1; + } + } + } + + XFREE(plainBuf, aes->heap, DYNAMIC_TYPE_AES); + XFREE(cipherBuf, aes->heap, DYNAMIC_TYPE_AES); + XFREE(aTagBuf, aes->heap, DYNAMIC_TYPE_AES); + + sce_hw_unlock(); + + } + + return ret; +} +/* Perform Aes Gcm decryption by SCE + * + * aes The AES object. + * out Buffer to hold plaintext + * in Buffer to hold cipher text + * sz Length of cipher text/plaintext in bytes + * iv Buffer holding IV/nonce + * ivSz Length of IV/nonce in bytes + * authTag Buffer to hold authntication data + * authTagSz Length of authentication data in bytes + * ctx The Callback context + * return FSP_SUCCESS(0) on Success, otherwise negative value + */ +int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, + const byte* in, word32 sz, + const byte* iv, word32 ivSz, + const byte* authTag, word32 authTagSz, + const byte* authIn, word32 authInSz, + void* ctx) +{ + int ret; + sce_gcm_handle_t _handle; + uint32_t dataLen = sz; + User_SCEPKCbInfo *info = (User_SCEPKCbInfo*)ctx; + + aesGcmDecInitFn initFn; + aesGcmDecUpdateFn updateFn; + aesGcmDecFinalFn finalFn; + + uint8_t* cipherBuf = NULL; + uint8_t* plainBuf = NULL; + uint8_t* aTagBuf = NULL; + uint8_t delta; + const uint8_t* iv_l = NULL; + uint32_t ivSz_l = 0; + + sce_hmac_sha_wrapped_key_t key_client_mac; + sce_hmac_sha_wrapped_key_t key_server_mac; + sce_aes_wrapped_key_t key_client_aes; + sce_aes_wrapped_key_t key_server_aes; + + /* sanity check */ + if (aes == NULL || authTagSz > AES_BLOCK_SIZE || ivSz == 0 || ctx == NULL) { + return BAD_FUNC_ARG; + } + + if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { + WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); + return BAD_FUNC_ARG; + } + + + if (aes->ctx.keySize == 16) { + initFn = R_SCE_AES128GCM_DecryptInit; + updateFn = R_SCE_AES128GCM_DecryptUpdate; + finalFn = R_SCE_AES128GCM_DecryptFinal; + } + else { + initFn = R_SCE_AES256GCM_DecryptInit; + updateFn = R_SCE_AES256GCM_DecryptUpdate; + finalFn = R_SCE_AES256GCM_DecryptFinal; + } + + + if ((ret = sce_hw_lock()) == 0) { + /* allocate buffers for plain-taxt, cipher-text, authTag and AAD. + * TSIP requests those buffers 32bit aligned. + */ + delta = sz % AES_BLOCK_SIZE; + cipherBuf = XMALLOC(sz, aes->heap, DYNAMIC_TYPE_AES); + plainBuf = XMALLOC(sz + delta, aes->heap, DYNAMIC_TYPE_AES); + aTagBuf = XMALLOC(SCE_AES_GCM_AUTH_TAG_SIZE, aes->heap, + DYNAMIC_TYPE_AES); + + if (plainBuf == NULL || cipherBuf == NULL || aTagBuf == NULL) { + ret = -1; + } + + if (ret == 0) { + XMEMSET((void*)plainBuf, 0, sz); + XMEMCPY(cipherBuf, in, sz); + XMEMCPY(aTagBuf, authTag, authTagSz); + } + + if (ret == 0 && + info->session_key_set == 1) { + /* generate AES-GCM session key. The key stored in + * Aes.ctx.tsip_keyIdx is not used here. + */ + ret = R_SCE_TLS_SessionKeyGenerate( + info->sce_cipher, + (uint32_t*)info->sce_masterSecret, + (uint8_t*) info->sce_clientRandom, + (uint8_t*) info->sce_serverRandom, + (uint8_t*)&iv[AESGCM_IMP_IV_SZ], /* use exp_IV */ + &key_client_mac, + &key_server_mac, + &key_client_aes, + &key_server_aes, + NULL, NULL); + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG("R_TSIP_TlsGenerateSessionKey failed"); + ret = -1; + } + } else if (info->aes256_installedkey_set == 1) { + XMEMCPY(&key_server_aes, &info->sce_wrapped_key_aes256, + sizeof(sce_aes_wrapped_key_t)); + iv_l = iv; + ivSz_l = ivSz; + } + + if (ret == 0) { + /* since key_index has iv and ivSz in it, no need to pass them init + * func. Pass NULL and 0 as 3rd and 4th parameter respectively. + */ + ret = initFn(&_handle, &key_server_aes, (uint8_t*)iv_l, ivSz_l); + + + if (ret == FSP_SUCCESS) { + /* pass only AAD and it's size before passing cipher text */ + ret = updateFn(&_handle, NULL, NULL, 0UL, (uint8_t*)authIn, + authInSz); + } + if (ret == FSP_SUCCESS) { + ret = updateFn(&_handle, cipherBuf, plainBuf, sz, NULL, 0UL); + } + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG("R_TSIP_AesXXXGcmDecryptUpdate: failed in decrypt"); + ret = -1; + } + + if (ret == FSP_SUCCESS) { + dataLen = 0; + ret = finalFn(&_handle, + plainBuf + (sz / AES_BLOCK_SIZE) * AES_BLOCK_SIZE, + &dataLen, + aTagBuf, + min(16, authTagSz)); + + if (ret == FSP_SUCCESS) { + /* copy plain data to out */ + XMEMCPY(out, plainBuf, dataLen); + } + else { + WOLFSSL_MSG("R_TSIP_AesXXXGcmDecryptFinal: failed"); + ret = -1; + } + } + } + + XFREE(aTagBuf, aes->heap, DYNAMIC_TYPE_AES); + XFREE(plainBuf, aes->heap, DYNAMIC_TYPE_AES); + XFREE(cipherBuf, aes->heap, DYNAMIC_TYPE_AES); + + sce_hw_unlock(); + } + + return ret; +} +/* Perform Aes Cbc encryption by SCE + * + * aes The AES object. + * out Buffer to hold cipher text + * in Buffer to hold plain text + * sz Length of cipher text/plaintext in bytes + * return FSP_SUCCESS(0) on Success, otherwise negative value + */ +int wc_sce_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) +{ + sce_aes_handle_t _handle; + word32 ret; + word32 blocks = (sz / AES_BLOCK_SIZE); + uint32_t dataLength; + byte *iv; + + if ((in == NULL) || (out == NULL) || (aes == NULL)) + return BAD_FUNC_ARG; + + /* while doing TLS handshake, SCE driver keeps true-key and iv * + * on the device. iv is dummy */ + iv = (uint8_t*)aes->reg; + + if((ret = sce_hw_lock()) != 0){ + WOLFSSL_MSG("Failed to lock"); + return ret; + } + + if (aes->ctx.keySize == 16) { + ret = R_SCE_AES128CBC_EncryptInit(&_handle, &aes->ctx.sce_wrapped_key, iv); + } else if (aes->ctx.keySize == 32) { + ret = R_SCE_AES256CBC_EncryptInit(&_handle, &aes->ctx.sce_wrapped_key, iv); + } else { + sce_hw_unlock(); + return -1; + } + + while (ret == FSP_SUCCESS && blocks--) { + + if (aes->ctx.keySize == 16) + ret = R_SCE_AES128CBC_EncryptUpdate(&_handle, (uint8_t*)in, + (uint8_t*)out, (uint32_t)AES_BLOCK_SIZE); + else + ret = R_SCE_AES256CBC_EncryptUpdate(&_handle, (uint8_t*)in, + (uint8_t*)out, (uint32_t)AES_BLOCK_SIZE); + + in += AES_BLOCK_SIZE; + out += AES_BLOCK_SIZE; + } + + if (ret == FSP_SUCCESS) { + if (aes->ctx.keySize == 16) { + ret = R_SCE_AES128CBC_EncryptFinal(&_handle, out, &dataLength); + } else { + ret = R_SCE_AES256CBC_EncryptFinal(&_handle, out, &dataLength); + } + } else { + WOLFSSL_MSG("SCE AES CBC encryption failed"); + ret = -1; + } + + sce_hw_unlock(); + return ret; +} +/* Perform Aes Cbc decryption by SCE + * + * aes The AES object. + * out Buffer to hold plain text + * in Buffer to hold cipher text + * sz Length of cipher text/plaintext in bytes + * return FSP_SUCCESS(0) on Success, otherwise negative value + */ +int wc_sce_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) +{ + sce_aes_handle_t _handle; + word32 ret; + word32 blocks = (sz / AES_BLOCK_SIZE); + uint32_t dataLength; + byte *iv; + + if ((in == NULL) || (out == NULL) || (aes == NULL)) + return BAD_FUNC_ARG; + + iv = (uint8_t*)aes->reg; + + if((ret = sce_hw_lock()) != 0){ + WOLFSSL_MSG("Failed to lock"); + return ret; + } + + if (aes->ctx.keySize == 16) { + ret = R_SCE_AES128CBC_DecryptInit(&_handle, &aes->ctx.sce_wrapped_key, iv); + } else if (aes->ctx.keySize == 32) { + ret = R_SCE_AES256CBC_DecryptInit(&_handle, &aes->ctx.sce_wrapped_key, iv); + } else { + sce_hw_unlock(); + return -1; + } + + while (ret == FSP_SUCCESS && blocks--) { + + if (aes->ctx.keySize == 16) + ret = R_SCE_AES128CBC_DecryptUpdate(&_handle, (uint8_t*)in, + (uint8_t*)out, (uint32_t)AES_BLOCK_SIZE); + else + ret = R_SCE_AES256CBC_DecryptUpdate(&_handle, (uint8_t*)in, + (uint8_t*)out, (uint32_t)AES_BLOCK_SIZE); + + in += AES_BLOCK_SIZE; + out += AES_BLOCK_SIZE; + } + + if (ret == FSP_SUCCESS) { + if (aes->ctx.keySize == 16) + ret = R_SCE_AES128CBC_DecryptFinal(&_handle, out, &dataLength); + else + ret = R_SCE_AES256CBC_DecryptFinal(&_handle, out, &dataLength); + } else { + WOLFSSL_MSG("SCE AES CBC decryption failed"); + ret = -1; + } + + sce_hw_unlock(); + return ret; +} + +#endif /* WOLFSSL_RENESAS_TSIP_CRYPT */ +#endif /* NO_AES */ diff --git a/wolfcrypt/src/port/Renesas/renesas_sce_sha.c b/wolfcrypt/src/port/Renesas/renesas_sce_sha.c new file mode 100644 index 000000000..226354706 --- /dev/null +++ b/wolfcrypt/src/port/Renesas/renesas_sce_sha.c @@ -0,0 +1,263 @@ +/* renesas_sce_sha.c + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ +#include +#include + +#ifdef HAVE_CONFIG_H + #include +#endif +#include + +#if !defined(NO_SHA256) + +#include + +#if defined(WOLFSSL_RENESAS_SCEPROTECT) + +#include +#include + +/* Free up allocation for msg + * + * hash The SCE Hash object. + * no return value + */ +static void SCEHashFree(wolfssl_SCE_Hash* hash) +{ + if (hash == NULL) + return; + + if (hash->msg != NULL) { + XFREE(hash->msg, hash->heap, DYNAMIC_TYPE_TMP_BUFFER); + hash->msg = NULL; + } +} +/* Initialize Hash object + * + * hash The SCE Hash object. + * heap Buffer to hold heap if available + * devId device Id + * return 0 on success, BAD_FUNC_ARG when has is NULL + */ +static int SCEHashInit(wolfssl_SCE_Hash* hash, void* heap, int devId, + word32 sha_type) +{ + if (hash == NULL) { + return BAD_FUNC_ARG; + } + + (void)devId; + XMEMSET(hash, 0, sizeof(wolfssl_SCE_Hash)); + + hash->heap = heap; + hash->len = 0; + hash->used = 0; + hash->msg = NULL; + hash->sha_type = sha_type; + + return 0; +} + +/* Add data to msg(work buffer) for final hash operation + * + * hash The SCE Hash object. + * data Buffer to hold plain text for hash + * sz Length of data + * return 0 on success, otherwise MEMORY_E or BAD_FUNC_ARG on failure + */ +static int SCEHashUpdate(wolfssl_SCE_Hash* hash, const byte* data, word32 sz) +{ + if (hash == NULL || (sz > 0 && data == NULL)) { + return BAD_FUNC_ARG; + } + + if (hash->len < hash->used + sz) { + if (hash->msg == NULL) { + hash->msg = (byte*)XMALLOC(hash->used + sz, hash->heap, + DYNAMIC_TYPE_TMP_BUFFER); + } else { +#ifdef FREERTOS + byte* pt = (byte*)XMALLOC(hash->used + sz, hash->heap, + DYNAMIC_TYPE_TMP_BUFFER); + if (pt == NULL) { + return MEMORY_E; + } + XMEMCPY(pt, hash->msg, hash->used); + XFREE(hash->msg, hash->heap, DYNAMIC_TYPE_TMP_BUFFER); + hash->msg = NULL; + hash->msg = pt; +#else + byte* pt = (byte*)XREALLOC(hash->msg, hash->used + sz, hash->heap, + DYNAMIC_TYPE_TMP_BUFFER); + if (pt == NULL) { + return MEMORY_E; + } + hash->msg = pt; +#endif + } + if (hash->msg == NULL) { + return MEMORY_E; + } + hash->len = hash->used + sz; + } + XMEMCPY(hash->msg + hash->used, data , sz); + hash->used += sz; + + return 0; +} + +/* Perform hash operation using accumulated msg + * + * hash The SCE Hash object. + * out Buffer to hold hashed text + * outSz Length of out + * return FSP_SUCCESS(0) on success, + * otherwise BAD_FUNC_ARG or FSP Error code on failure + */ +static int SCEHashFinal(wolfssl_SCE_Hash* hash, byte* out, word32 outSz) +{ + int ret; + void* heap; + sce_sha_md5_handle_t handle; + uint32_t sz; + + fsp_err_t (*Init)(sce_sha_md5_handle_t*); + fsp_err_t (*Update)(sce_sha_md5_handle_t*, uint8_t*, uint32_t); + fsp_err_t (*Final )(sce_sha_md5_handle_t*, uint8_t*, uint32_t*); + + if (hash == NULL || out == NULL) { + return BAD_FUNC_ARG; + } + + if (hash->sha_type == SCE_SHA256) { + Init = R_SCE_SHA256_Init; + Update = R_SCE_SHA256_Update; + Final = R_SCE_SHA256_Final; + } else + return BAD_FUNC_ARG; + + heap = hash->heap; + + sce_hw_lock(); + + if (Init(&handle) == FSP_SUCCESS) { + ret = Update(&handle, (uint8_t*)hash->msg, hash->used); + if (ret == FSP_SUCCESS) { + ret = Final(&handle, out, (uint32_t*)&sz); + if (ret != FSP_SUCCESS || sz != outSz) { + return ret; + } + } + } + sce_hw_unlock(); + + SCEHashFree(hash); + return SCEHashInit(hash, heap, 0, hash->sha_type); +} +/* Hash operation to message and return a result */ +static int SCEHashGet(wolfssl_SCE_Hash* hash, byte* out, word32 outSz) +{ + int ret; + sce_sha_md5_handle_t handle; + uint32_t sz; + + fsp_err_t (*Init)(sce_sha_md5_handle_t*); + fsp_err_t (*Update)(sce_sha_md5_handle_t*, uint8_t*, uint32_t); + fsp_err_t (*Final )(sce_sha_md5_handle_t*, uint8_t*, uint32_t*); + + if (hash == NULL || out == NULL) { + return BAD_FUNC_ARG; + } + + if (hash->sha_type == SCE_SHA256) { + Init = R_SCE_SHA256_Init; + Update = R_SCE_SHA256_Update; + Final = R_SCE_SHA256_Final; + } else + return BAD_FUNC_ARG; + + sce_hw_lock(); + + if (Init(&handle) == FSP_SUCCESS) { + ret = Update(&handle, (uint8_t*)hash->msg, hash->used); + if (ret == FSP_SUCCESS) { + ret = Final(&handle, out, &sz); + if (ret != FSP_SUCCESS || sz != outSz) { + return ret; + } + } + } + + sce_hw_unlock(); + + return 0; +} +/* copy hash result from src to dst */ +static int SCEHashCopy(wolfssl_SCE_Hash* src, wolfssl_SCE_Hash* dst) +{ + if (src == NULL || dst == NULL) { + return BAD_FUNC_ARG; + } + + XMEMCPY(dst, src, sizeof(wolfssl_SCE_Hash)); + + if (src->len > 0 && src->msg != NULL) { + dst->msg = (byte*)XMALLOC(src->len, dst->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (dst->msg == NULL) { + return MEMORY_E; + } + XMEMCPY(dst->msg, src->msg, src->len); + } + + return 0; +} + +#if !defined(NO_SHA256) +#include + +/* wrapper for wc_InitSha256_ex */ +int wc_InitSha256_ex(wc_Sha256* sha, void* heap, int devId) +{ + return SCEHashInit(sha, heap, devId, SCE_SHA256); +} +/* wrapper for wc_Sha256Update */ +int wc_Sha256Update(wc_Sha256* sha, const byte* in, word32 sz) +{ + return SCEHashUpdate(sha, in, sz); +} +/* wrapper for wc_Sha256Final */ +int wc_Sha256Final(wc_Sha256* sha, byte* hash) +{ + return SCEHashFinal(sha, hash, WC_SHA256_DIGEST_SIZE); +} +/* wrapper for wc_Sha256GetHash */ +int wc_Sha256GetHash(wc_Sha256* sha, byte* hash) +{ + return SCEHashGet(sha, hash, WC_SHA256_DIGEST_SIZE); +} +/* wrapper for wc_Sha256Copy */ +int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst) +{ + return SCEHashCopy(src, dst); +} +#endif /* !NO_SHA256 */ +#endif /* WOLFSSL_RENESAS_SCEPROTECT */ +#endif /* #if !defined(NO_SHA) || !defined(NO_SHA256) */ diff --git a/wolfcrypt/src/port/Renesas/renesas_sce_util.c b/wolfcrypt/src/port/Renesas/renesas_sce_util.c new file mode 100644 index 000000000..ec930bf7e --- /dev/null +++ b/wolfcrypt/src/port/Renesas/renesas_sce_util.c @@ -0,0 +1,1119 @@ +/* renesas_sce_util.c + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ +#include + +#if defined(WOLFSSL_RENESAS_SCEPROTECT) + +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include + +#if defined(DEBUG_PK_CB) + #define WOLFSSL_PKMSG(_f_, ...) printf(_f_, ##__VA_ARGS__) +#else + #define WOLFSSL_PKMSG(_f_, ...) +#endif + +#if defined(WOLFSSL_RENESAS_SCEPROTECT_ECC) +WOLFSSL_GLOBAL SCE_PKCbInfo gSCE_PKCbInfo; +#endif + +/* expect to have these variables defined at user application */ +extern sce_instance_ctrl_t sce_ctrl; +extern sce_cfg_t sce_cfg; + +static const byte* ca_cert_sig; +static sce_key_data g_user_key_info; + +static uint32_t g_encrypted_publicCA_key[HW_SCE_SINST_WORD_SIZE]; +uint32_t g_CAscm_Idx; /* index of CM table */ +wolfSSL_Mutex sce_mutex; +static int sce_CryptHwMutexInit_ = 0; +static uint32_t sce_sess_idx = 0; + +/* Mutex Init */ +static int sce_CryptHwMutexInit(wolfSSL_Mutex* mutex) +{ + return wc_InitMutex(mutex); +} +/* Mutex Lock */ +static int sce_CryptHwMutexLock(wolfSSL_Mutex* mutex) +{ + return wc_LockMutex(mutex); +} +/* Mutex Unlock */ +static int sce_CryptHwMutexUnLock(wolfSSL_Mutex* mutex) +{ + return wc_UnLockMutex(mutex); +} + +/* +* lock hw engine +* this should be called before using engine. +*/ +int sce_hw_lock() +{ + int ret = 0; + + if(sce_CryptHwMutexInit_ == 0){ + + ret = sce_CryptHwMutexInit(&sce_mutex); + + if(ret == 0) { + sce_CryptHwMutexInit_ = 1; + } else { + WOLFSSL_MSG(" mutex initialization failed."); + return -1; + } + } + if(sce_CryptHwMutexLock(&sce_mutex) != 0) { + /* this should not happens */ + return -1; + } + + return ret; +} + +/* +* release hw engine +*/ +void sce_hw_unlock( void ) +{ + sce_CryptHwMutexUnLock(&sce_mutex); +} + +/* Open sce driver for use */ +int sce_Open() +{ + WOLFSSL_ENTER("sce_Open"); + int ret; + if ((ret = sce_hw_lock()) == 0) { + + ret = R_SCE_Open(&sce_ctrl, &sce_cfg); + + if( ret != FSP_SUCCESS ) { + WOLFSSL_MSG("RENESAS SCE Open failed"); + } + if( ret == FSP_SUCCESS && g_user_key_info.encrypted_user_tls_key ){ + + ret = R_SCE_TLS_RootCertificateRSA2048PublicKeyInstall( + g_user_key_info.encrypted_provisioning_key, + g_user_key_info.iv, + g_user_key_info.encrypted_user_tls_key, + &g_user_key_info.user_rsa2048_tls_wrappedkey); /* OUT */ + + /* init vars */ + g_CAscm_Idx = (uint32_t)-1; + + } else { + WOLFSSL_MSG("Failed to lock sce hw \n"); + } + + } + + /* unlock hw */ + sce_hw_unlock(); + + WOLFSSL_LEAVE("sce_Open", ret); + return ret; +} + +/* close SCE driver */ +void sce_Close() +{ + WOLFSSL_ENTER("sce Close"); + int ret; + + if ((ret = sce_hw_lock()) == 0) { + /* close SCE */ + ret = R_SCE_Close(&sce_ctrl); + + /* unlock hw */ + sce_hw_unlock(); + if( ret != FSP_SUCCESS ) { + WOLFSSL_MSG("RENESAS SCE Close failed"); + } + } else { + WOLFSSL_MSG("Failed to unlock sce hw \n"); + } +} + +#if defined(WOLFSSL_RENESAS_SCEPROTECT_ECC) +/* Verify Server Key Exchange while doing ECDH key exchange */ +static int SCE_ServerKeyExVerify(uint32_t type, WOLFSSL* ssl, const uint8_t* sig, + uint32_t sigSz, void* ctx) +{ + int ret = WOLFSSL_FAILURE; + User_SCEPKCbInfo* cbInfo; + byte qx[MAX_ECC_BYTES], qy[MAX_ECC_BYTES]; + byte *peerkey = NULL; + + word32 qxLen = sizeof(qx), qyLen = sizeof(qy); + (void) sigSz; + + /* sanity check */ + if (ssl == NULL || sig == NULL || ctx == NULL) + return ret; + + cbInfo = (User_SCEPKCbInfo*)ctx; + + /* export public peer public key */ + ret = wc_ecc_export_public_raw(ssl->peerEccKey, qx, &qxLen, qy, &qyLen); + WOLFSSL_PKMSG("qxLen %d qyLen %d\n", qxLen, qyLen); + if (ret != 0){ + WOLFSSL_MSG("failed to export peer ecc key"); + return ret; + } + /* make peer ecc key data for SCE */ + /* 0padding(24bit) || 04(8bit) || Qx(256bit) || Qy(256bit) */ + peerkey = (byte*)XMALLOC((3 + 1 + qxLen + qyLen), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (peerkey == NULL) { + WOLFSSL_MSG("failed to malloc ecc key"); + return WOLFSSL_FAILURE; + } + + XMEMSET(peerkey, 0, (3 + 1 + qxLen + qyLen)); + peerkey[3] = ECC_POINT_UNCOMP; + XMEMCPY(&peerkey[4], qx, qxLen); + XMEMCPY(&peerkey[4+qxLen], qy, qyLen); + + /* 0 : RSA 2048bit, 1 : Reserved, 2 : ECDSA P-256 */ + ret = R_SCE_TLS_ServerKeyExchangeVerify( + type, + (uint8_t*) ssl->arrays->clientRandom, + (uint8_t*) ssl->arrays->serverRandom, + (uint8_t*) peerkey, + (uint8_t*) sig, + (uint32_t*)ssl->peerSceTsipEncRsaKeyIndex, + (uint32_t*)cbInfo->encrypted_ephemeral_ecdh_public_key); + + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG("failed R_SCE_TLS_ServerKeyExchangeVerify"); + cbInfo->pk_key_set = 0; + } else { + ret = WOLFSSL_SUCCESS; + cbInfo->pk_key_set = 1; + } + + XFREE(peerkey, 0, DYNAMIC_TYPE_TMP_BUFFER); + return ret; +} +/* Callback for Rsa Verify */ +int SCE_RsaVerify(WOLFSSL* ssl, byte* sig, uint32_t sigSz, + uint8_t** out, const byte* key, uint32_t keySz, void* ctx) +{ + int ret = WOLFSSL_FAILURE; + (void) out; + (void) key; + (void) keySz; + + WOLFSSL_PKMSG("SCE RSA Verify: sigSz %d, keySz %d\n", sigSz, keySz); + + if (sce_useable(ssl, 0)) + ret = SCE_ServerKeyExVerify(0, ssl, sig, sigSz, ctx); + else + ret = CRYPTOCB_UNAVAILABLE; + + if (ret == WOLFSSL_SUCCESS) + ret = 0; /* 0 for success */ + + WOLFSSL_PKMSG("SCE RSA Verify: ret %d\n", ret); + + return ret; +} +/* Callback for Ecc Verify */ +int SCE_EccVerify(WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, + const uint8_t* hash, uint32_t hashSz, const uint8_t* key, uint32_t keySz, + int* result, void* ctx) +{ + int ret = WOLFSSL_FAILURE; + uint8_t *sigforSCE; + uint8_t *pSig; + const byte rs_size = HW_SCE_ECDSA_DATA_BYTE_SIZE/2; + byte offset = 0x3; + (void) sigSz; + (void) hash; + (void) hashSz; + (void) key; + (void) keySz; + + sigforSCE = NULL; + pSig = NULL; + + WOLFSSL_PKMSG("SCE ECC Verify: ssl->options.serverState = %d sigSz %d, hashSz %d, keySz %d\n", + ssl->options.serverState, sigSz, hashSz, keySz); + + if (!sce_useable(ssl, 0)) { + WOLFSSL_PKMSG("Cannot handle cipher suite by SCE"); + return CRYPTOCB_UNAVAILABLE; + } + + if ((sigforSCE = (uint8_t*)XMALLOC(HW_SCE_ECDSA_DATA_BYTE_SIZE, NULL, + DYNAMIC_TYPE_TEMP)) == NULL){ + WOLFSSL_MSG("failed to malloc memory"); + return MEMORY_E; + } + /* initialization */ + XMEMCPY(sigforSCE, 0, HW_SCE_ECDSA_DATA_BYTE_SIZE); + + /* r */ + if (sig[offset] == 0x20) { + XMEMCPY(sigforSCE, &sig[offset+1], rs_size); + + offset = 0x25; + /* s */ + if (sig[offset] == 0x20) { + XMEMCPY(&sigforSCE[rs_size], &sig[offset+1], rs_size); + } else { + XMEMCPY(&sigforSCE[rs_size], &sig[offset+2], rs_size); + } + } else { + XMEMCPY(sigforSCE, &sig[offset+2], rs_size); + + offset = 0x26; + /* s */ + if (sig[offset] == rs_size) { + XMEMCPY(&sigforSCE[rs_size], &sig[offset+1], rs_size); + } else { + XMEMCPY(&sigforSCE[rs_size], &sig[offset+2], rs_size); + } + } + + pSig = sigforSCE; + + ret = SCE_ServerKeyExVerify(2, ssl, pSig, 64, ctx); + + if (ret == WOLFSSL_SUCCESS) { + *result = 1; + ret = 0; /* for success */ + } else + *result = 0; + + WOLFSSL_PKMSG("SCE ECC Verify: ret %d, result %d\n", ret, *result); + + return ret; +} +/* Callback for ECC shared secret */ +int SCE_EccSharedSecret(WOLFSSL* ssl, ecc_key* otherKey, + uint8_t* pubKeyDer, unsigned int* pubKeySz, + uint8_t* out, unsigned int* outlen, int side, void* ctx) +{ + int ret; + (void) otherKey; + (void) side; + + User_SCEPKCbInfo* cbInfo = (User_SCEPKCbInfo*)ctx; + + (void)ssl; + (void)cbInfo; + + /* sanity check */ + if (ssl == NULL || pubKeyDer == NULL || pubKeySz == NULL || + out == NULL || outlen == NULL || ctx == NULL) + return WOLFSSL_FAILURE; + + WOLFSSL_PKMSG("PK ECC PMS: Side %s, Peer Curve %d\n", + side == WOLFSSL_CLIENT_END ? "client" : "server", otherKey->dp->id); + + if (cbInfo->pk_key_set == 1) { + /* Generate ECC PUblic key pair */ + ret = R_SCE_TLS_ECC_secp256r1_EphemeralWrappedKeyPairGenerate( + &cbInfo->ecc_p256_wrapped_key, + (uint8_t*)&cbInfo->ecc_ecdh_public_key/* Qx 32 bytes and Qy 32 bytes*/ ); + if (ret != FSP_SUCCESS) { + WOLFSSL_PKMSG("Failed secp256r1_EphemeralWrappedKeyPairGenerate %d\n", ret); + return ret; + } + + /* copy generated ecdh public key inot buffer */ + pubKeyDer[0] = ECC_POINT_UNCOMP; + *pubKeySz = 1 + sizeof(cbInfo->ecc_ecdh_public_key); + XMEMCPY(&pubKeyDer[1], &cbInfo->ecc_ecdh_public_key, + sizeof(cbInfo->ecc_ecdh_public_key)); + + /* Generate Premaster Secret */ + ret = R_SCE_TLS_PreMasterSecretGenerateForECC_secp256r1( + (uint32_t*)&cbInfo->encrypted_ephemeral_ecdh_public_key, + &cbInfo->ecc_p256_wrapped_key, + (uint32_t*)out/* pre-master secret 64 bytes */); + if (ret != FSP_SUCCESS) { + WOLFSSL_PKMSG("Failed PreMasterSecretGenerateForECC_secp256r1 %d\n", ret); + return ret; + } else { + /* set master secret generation callback for use */ + wolfSSL_CTX_SetGenMasterSecretCb(ssl->ctx, Renesas_cmn_genMasterSecret); + wolfSSL_SetGenMasterSecretCtx(ssl, cbInfo); + + } + *outlen = 64; + WOLFSSL_PKMSG("PK ECC PMS: ret %d, PubKeySz %d, OutLen %d\n", ret, *pubKeySz, *outlen); + } + + return ret; +} +#endif +/* Return cipher suite enumuration used in SCE library */ +uint32_t GetSceCipherSuite( + uint8_t cipherSuiteFirst, + uint8_t cipherSuite) +{ + WOLFSSL_ENTER("GetTsipCipherSuite"); + uint32_t sceCipher; + + if(cipherSuiteFirst == CIPHER_BYTE ) + { + switch(cipherSuite){ + + case TLS_RSA_WITH_AES_128_CBC_SHA: /*2F*/ + sceCipher = SCE_TLS_RSA_WITH_AES_128_CBC_SHA; /*0*/ + break; + + case TLS_RSA_WITH_AES_128_CBC_SHA256: + sceCipher = SCE_TLS_RSA_WITH_AES_128_CBC_SHA256; + break; + + case TLS_RSA_WITH_AES_256_CBC_SHA: + sceCipher = SCE_TLS_RSA_WITH_AES_256_CBC_SHA; + break; + + case TLS_RSA_WITH_AES_256_CBC_SHA256: + sceCipher = SCE_TLS_RSA_WITH_AES_256_CBC_SHA256; + break; + + default: + sceCipher = (uint32_t)WOLFSSL_SCE_ILLEGAL_CIPHERSUITE; + break; + } + WOLFSSL_MSG( "<< GetTsipCipherSuite"); + return sceCipher; + } + else if( cipherSuiteFirst == ECC_BYTE ) + { + sceCipher = (uint32_t)WOLFSSL_SCE_ILLEGAL_CIPHERSUITE; + /* comment out until implementation completes */ + switch(cipherSuite){ + + case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: + sceCipher = SCE_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; + break; + + case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: + sceCipher = SCE_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256; + break; + + case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: + sceCipher = SCE_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; + break; + + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: + sceCipher = SCE_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; + break; + + default: + sceCipher = (uint32_t)WOLFSSL_SCE_ILLEGAL_CIPHERSUITE; + break; + } + } + else{ + sceCipher = (uint32_t)WOLFSSL_SCE_ILLEGAL_CIPHERSUITE; + } + + WOLFSSL_MSG( "<< GetSceCipherSuite" ); + + return sceCipher; +} +/* check if sce tls functions can be used for the cipher */ +/* */ +/* ssl : a pointer to WOLFSSL object */ +/* session_key_generated : if session key has been generated */ +/* return 1 for usable, 0 for unusable */ +int sce_useable(const struct WOLFSSL *ssl, uint8_t session_key_generated) +{ + WOLFSSL_ENTER("sce_usable"); + byte cipher; + byte side; + const Ciphers *enc; + const Ciphers *dec; + + /* sanity check */ + if (ssl == NULL) + return BAD_FUNC_ARG; + + /* when rsa key index == NULL, SCE isn't used for cert verification. */ + /* in the case, we cannot use TSIP. */ + if (!ssl->peerSceTsipEncRsaKeyIndex) + return 0; + + /* when enabled Extended Master Secret, we cannot use SCE. */ + if (ssl->options.haveEMS) + return 0; + + /* when session_key_generated is set as 1, expects to be created */ + /* session key already. */ + if (session_key_generated) { + enc = &ssl->encrypt; + dec = &ssl->decrypt; + if (enc == NULL || dec == NULL) { + /* something wrong */ + return 0; + } + if (enc->aes == NULL || dec->aes == NULL) { + return 0; + } + if (enc->aes->ctx.setup == 0) { + /* session key for SCE is not created */ + return 0; + } + } + + cipher = ssl->options.cipherSuite; + side = ssl->options.side; + + if (((cipher == l_TLS_RSA_WITH_AES_128_CBC_SHA256 || + cipher == l_TLS_RSA_WITH_AES_256_CBC_SHA256) || + (cipher == l_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 || + cipher == l_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 || + cipher == l_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 || + cipher == l_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)) && + side == WOLFSSL_CLIENT_END) + + return 1; + else + return 0; +} + +/* Generate Hmac by sha256*/ +int sce_Sha256GenerateHmac(const struct WOLFSSL *ssl,const uint8_t* myInner, + uint32_t innerSz,const uint8_t* in, uint32_t sz, byte* digest) +{ + WOLFSSL_ENTER("sce_Sha256HmacGenerate"); + + sce_hmac_sha_handle_t _handle; + sce_hmac_sha_wrapped_key_t wrapped_key; + int ret; + + if ((ssl == NULL) || (myInner == NULL) || (in == NULL) || + (digest == NULL)) + return BAD_FUNC_ARG; + + wrapped_key = ssl->keys.sce_client_write_MAC_secret; + + if ((ret = sce_hw_lock()) != 0) { + WOLFSSL_MSG("hw lock failed\n"); + return ret; + } + + ret = R_SCE_SHA256HMAC_GenerateInit( + &_handle, + &wrapped_key); + + if (ret == FSP_SUCCESS) + ret = R_SCE_SHA256HMAC_GenerateUpdate( + &_handle, + (uint8_t*)myInner, + innerSz); + + if (ret == FSP_SUCCESS) + ret = R_SCE_SHA256HMAC_GenerateUpdate( + &_handle, + (uint8_t*)in, + sz); + + if (ret == FSP_SUCCESS) + ret = R_SCE_SHA256HMAC_GenerateFinal( + &_handle, + digest); + + if (ret != FSP_SUCCESS) + ret = WOLFSSL_FAILURE; + + /* unlock hw */ + sce_hw_unlock(); + WOLFSSL_LEAVE("sce_Sha256HmacGenerate", ret); + return ret; +} + +/* Verify hmac */ +int sce_Sha256VerifyHmac(const struct WOLFSSL *ssl,const uint8_t* message, + uint32_t messageSz,uint32_t macSz, uint32_t content) +{ + WOLFSSL_ENTER("sce_Sha256HmacVerify"); + + sce_hmac_sha_handle_t _handle; + sce_hmac_sha_wrapped_key_t wrapped_key; + byte myInner[WOLFSSL_TLS_HMAC_INNER_SZ]; + int ret; + + if ((ssl == NULL) || (message == NULL)) + return BAD_FUNC_ARG; + + wrapped_key = ssl->keys.sce_server_write_MAC_secret; + + if ((ret = sce_hw_lock()) != 0) { + WOLFSSL_MSG("hw lock failed\n"); + return ret; + } + + wolfSSL_SetTlsHmacInner((struct WOLFSSL*)ssl, myInner, + messageSz, content, 1); + + ret = R_SCE_SHA256HMAC_VerifyInit( + &_handle, + &wrapped_key); + + if (ret == FSP_SUCCESS) + ret = R_SCE_SHA256HMAC_VerifyUpdate( + &_handle, + (uint8_t*)myInner, + WOLFSSL_TLS_HMAC_INNER_SZ); + + if (ret == FSP_SUCCESS) + ret = R_SCE_SHA256HMAC_VerifyUpdate( + &_handle, + (uint8_t*)message, + (uint32_t)messageSz); + + if (ret == FSP_SUCCESS) + ret = R_SCE_SHA256HMAC_VerifyFinal( + &_handle, + (uint8_t*)(message+messageSz), + (uint32_t)macSz); + + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG("SCE Mac verification failed"); + } + + /* unlock hw */ + sce_hw_unlock(); + WOLFSSL_LEAVE("sce_Sha256HmacVerify", ret); + return ret; +} + +/* generate Verify Data based on master secret */ +int sce_generateVerifyData(const uint8_t *ms, /* master secret */ + const uint8_t *side, const uint8_t *handshake_hash, + uint8_t *hashes /* out */) +{ + WOLFSSL_ENTER("sce_generateVerifyData"); + int ret ; + uint32_t l_side = SCE_TLS_GENERATE_CLIENT_VERIFY; + + if ((ms == NULL) || (side == NULL) || (handshake_hash == NULL) || + (hashes == NULL)) + return BAD_FUNC_ARG; + + if (XSTRNCMP((const char*)side, (const char*)tls_server, FINISHED_LABEL_SZ) + == 0) + { + l_side = SCE_TLS_GENERATE_SERVER_VERIFY; + } + + if ((ret = sce_hw_lock()) == 0) { + ret = R_SCE_TLS_VerifyDataGenerate(l_side, (uint32_t*)ms, + (uint8_t*)handshake_hash, hashes/* out */); + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG("R_SCE_TLS_VerifyDataGenerate failed\n"); + } + } + /* unlock hw */ + sce_hw_unlock(); + WOLFSSL_LEAVE("sce_generateVerifyData", ret); + return ret; +} + +/* generate keys for TLS communication */ +int sce_generateSeesionKey(struct WOLFSSL *ssl, User_SCEPKCbInfo* cbInfo, + int devId) +{ + WOLFSSL_MSG("sce_generateSeesionKey()"); + int ret; + Ciphers *enc; + Ciphers *dec; + sce_hmac_sha_wrapped_key_t key_client_mac; + sce_hmac_sha_wrapped_key_t key_server_mac; + sce_aes_wrapped_key_t key_client_aes; + sce_aes_wrapped_key_t key_server_aes; + uint32_t sceCS = GetSceCipherSuite(ssl->options.cipherSuite0, + ssl->options.cipherSuite); + + if (ssl== NULL || cbInfo == NULL) + return BAD_FUNC_ARG; + + + if ((ret = sce_hw_lock()) == 0) { + if (sceCS == l_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 || + sceCS == l_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) + { + WOLFSSL_MSG("Session key for AES-GCM generation skipped."); + + wolfSSL_KeepArrays(ssl); + ret = FSP_SUCCESS; + + } else { + ret = R_SCE_TLS_SessionKeyGenerate( + GetSceCipherSuite( + ssl->options.cipherSuite0, + ssl->options.cipherSuite), + (uint32_t*)ssl->arrays->sce_masterSecret, + (uint8_t*) ssl->arrays->clientRandom, + (uint8_t*) ssl->arrays->serverRandom, + NULL, + &key_client_mac, + &key_server_mac, + &key_client_aes, + &key_server_aes, + NULL, NULL); + } + + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG("R_SCE_TLS_SessionKeyGenerate failed\n"); + } else { + /* succeeded creating session keys */ + /* alloc aes instance for both enc and dec */ + enc = &ssl->encrypt; + dec = &ssl->decrypt; + + if (enc) { + if (enc->aes == NULL) { + enc->aes = (Aes*)XMALLOC(sizeof(Aes), ssl->heap, + DYNAMIC_TYPE_CIPHER); + if (enc->aes == NULL) + return MEMORY_E; + } + + XMEMSET(enc->aes, 0, sizeof(Aes)); + } + if (dec) { + if (dec->aes == NULL) { + dec->aes = (Aes*)XMALLOC(sizeof(Aes), ssl->heap, + DYNAMIC_TYPE_CIPHER); + if (dec->aes == NULL) { + if (enc) { + XFREE(enc->aes, NULL, DYNAMIC_TYPE_CIPHER); + } + return MEMORY_E; + } + } + + XMEMSET(dec->aes, 0, sizeof(Aes)); + } + /* copy key index into aes */ + if (ssl->options.side == PROVISION_CLIENT) { + XMEMCPY(&enc->aes->ctx.sce_wrapped_key, &key_client_aes, + sizeof(key_client_aes)); + XMEMCPY(&dec->aes->ctx.sce_wrapped_key, &key_server_aes, + sizeof(key_server_aes)); + } else { + XMEMCPY(&enc->aes->ctx.sce_wrapped_key, &key_server_aes, + sizeof(key_server_aes)); + XMEMCPY(&dec->aes->ctx.sce_wrapped_key, &key_client_aes, + sizeof(key_client_aes)); + } + /* copy hac key index into keys */ + ssl->keys.sce_client_write_MAC_secret = key_client_mac; + ssl->keys.sce_server_write_MAC_secret = key_server_mac; + + /* set up key size and marked readly */ + if (enc){ + enc->aes->ctx.keySize = ssl->specs.key_size; + enc->aes->ctx.setup = 1; + /* ready for use */ + enc->setup = 1; + } + /* set up key size and marked readly */ + if (dec) { + dec->aes->ctx.keySize = ssl->specs.key_size; + dec->aes->ctx.setup = 1; + /* ready for use */ + dec->setup = 1; + } + + if (cbInfo->sce_cipher == SCE_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 || + cbInfo->sce_cipher == SCE_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) { + enc->aes->nonceSz = AEAD_MAX_IMP_SZ; + dec->aes->nonceSz = AEAD_MAX_IMP_SZ; + } + enc->aes->devId = devId; + dec->aes->devId = devId; + + /* marked as session key is set */ + cbInfo->session_key_set = 1; + } + /* unlock hw */ + sce_hw_unlock(); + } else + WOLFSSL_LEAVE("hw lock failed\n", ret); + + WOLFSSL_LEAVE("sce_generateSeesionKey", ret); + return ret; +} + +/* generate master secret based on pre-master which is generated by SCE */ +int sce_generateMasterSecret( + uint8_t cipherSuiteFirst, + uint8_t cipherSuite, + const uint8_t *pr, /* pre-master */ + const uint8_t *cr, /* client random */ + const uint8_t *sr, /* server random */ + uint8_t *ms) +{ + WOLFSSL_ENTER("sce_generateMasterSecretEx"); + int ret; + + if ((pr == NULL) || (cr == NULL) || (sr == NULL) || + (ms == NULL)) + return BAD_FUNC_ARG; + + uint32_t sceCS = GetSceCipherSuite(cipherSuiteFirst, cipherSuite); + if( sceCS == 0xffffffff) + return BAD_FUNC_ARG; + + if ((ret = sce_hw_lock()) == 0) { + ret = R_SCE_TLS_MasterSecretGenerate( + sceCS, + (uint32_t*)pr, + (uint8_t*)cr, (uint8_t*)sr, (uint32_t*)ms); + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG("R_SCE_TLS_MasterSecretGenerate failed\n"); + } + /* unlock hw */ + sce_hw_unlock(); + } else { + WOLFSSL_MSG(" hw lock failed "); + } + WOLFSSL_LEAVE("sce_generateMasterSecret", ret); + return ret; +} + +/* generate pre-Master secrete by SCE */ +int sce_generatePremasterSecret(uint8_t *premaster, uint32_t preSz) +{ + WOLFSSL_ENTER("sce_generatePremasterSecret"); + int ret; + + if (premaster == NULL) + return BAD_FUNC_ARG; + + if ((ret = sce_hw_lock()) == 0 && preSz >= + (SCE_TLS_MASTER_SECRET_WORD_SIZE*4)) { + /* generate pre-master, 80 bytes */ + ret = R_SCE_TLS_PreMasterSecretGenerateForRSA2048((uint32_t*)premaster); + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG(" R_SCE_TLS_GeneratePreMasterSecret failed\n"); + } + /* unlock hw */ + sce_hw_unlock(); + } else { + WOLFSSL_MSG(" hw lock failed or preSz is smaller than 80"); + } + + WOLFSSL_LEAVE("sce_generatePremasterSecret", ret); + return ret; +} + + +/* +* generate encrypted pre-Master secrete by SCE +*/ +int sce_generateEncryptPreMasterSecret( + WOLFSSL* ssl, + uint8_t* out, + uint32_t* outSz) +{ + WOLFSSL_MSG("sce_generateEncryptPreMasterSecret"); + int ret; + + if ((ssl == NULL) || (out == NULL) || (outSz == NULL)) + return BAD_FUNC_ARG; + + if ((ret = sce_hw_lock()) == 0) { + if (*outSz >= 256) + ret = R_SCE_TLS_PreMasterSecretEncryptWithRSA2048( + (uint32_t*)ssl->peerSceTsipEncRsaKeyIndex, + (uint32_t*)ssl->arrays->preMasterSecret, + (uint8_t*)out); + else + ret = -1; + + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG("R_SCE_TLS_PreMasterSecretEncryptWithRSA2048 failed\n"); + } else { + *outSz = 256; /* TSIP can only handles 2048 RSA */ + /* set GenMaster Callbackt for Master secret generation */ + void* ctx = wolfSSL_GetRsaVerifyCtx(ssl); + wolfSSL_CTX_SetGenMasterSecretCb(ssl->ctx, Renesas_cmn_genMasterSecret); + wolfSSL_SetGenMasterSecretCtx(ssl, ctx); + } + sce_hw_unlock(); + + } else { + WOLFSSL_MSG(" hw lock failed "); + } + WOLFSSL_LEAVE("sce_generateEncryptPreMasterSecret", ret); + return ret; +} + + +/* Certificate verification by SCE */ +int sce_tls_CertVerify( + const uint8_t* cert, uint32_t certSz, + const uint8_t* signature, uint32_t sigSz, + uint32_t key_n_start,uint32_t key_n_len, + uint32_t key_e_start,uint32_t key_e_len, + uint8_t* sce_encPublickey) +{ + WOLFSSL_ENTER("sce_tls_CertVerify"); + int ret; + uint8_t *sigforSCE; + uint8_t *pSig; + const byte rs_size = 0x20; + byte offset = 0x3; + (void)sigSz; + + sigforSCE = NULL; + pSig = NULL; + + if (cert == NULL) + return BAD_FUNC_ARG; + + if (!signature) { + WOLFSSL_MSG(" signature for ca verification is not set\n"); + return -1; + } + if (!sce_encPublickey) { + WOLFSSL_MSG(" sce_encPublickey is NULL.\n"); + return -1; + } + + if (g_user_key_info.encrypted_user_tls_key_type == + SCE_TLS_PUBLIC_KEY_TYPE_ECDSA_P256/*ECDSA*/) { + + if ((sigforSCE = (uint8_t*)XMALLOC(HW_SCE_ECDSA_DATA_BYTE_SIZE, NULL, + DYNAMIC_TYPE_TEMP)) == NULL){ + WOLFSSL_MSG("failed to malloc memory"); + return MEMORY_E; + } + /* initialization */ + XMEMCPY(sigforSCE, 0, HW_SCE_ECDSA_DATA_BYTE_SIZE); + + if (signature[offset] == 0x20) { + XMEMCPY(sigforSCE, &signature[offset+1], rs_size); + + offset = 0x25; + if (signature[offset] == 0x20) { + XMEMCPY(&sigforSCE[rs_size], &signature[offset+1], rs_size); + } else { + XMEMCPY(&sigforSCE[rs_size], &signature[offset+2], rs_size); + } + } else { + XMEMCPY(sigforSCE, &signature[offset+2], rs_size); + offset = 0x26; + + if (signature[offset] == rs_size) { + XMEMCPY(&sigforSCE[rs_size], &signature[offset+1], rs_size); + } else { + XMEMCPY(&sigforSCE[rs_size], &signature[offset+2], rs_size); + } + } + pSig = sigforSCE; + } else { + pSig = (uint8_t*)signature; + } + + + if ((ret = sce_hw_lock()) == 0) { + ret = R_SCE_TLS_CertificateVerify( + g_user_key_info.encrypted_user_tls_key_type, + (uint32_t*)g_encrypted_publicCA_key,/* encrypted public key */ + (uint8_t*)cert, /* certificate der */ + certSz, /* length of der */ + (uint8_t*)pSig, /* sign data by RSA PSS */ + key_n_start, /* start position of public key n in bytes */ + (key_n_start + key_n_len), /* length of the public key n */ + key_e_start, /* start pos, key e in bytes */ + (key_e_start + key_e_len), /* length of the public key e */ + (uint32_t*)sce_encPublickey /* returned encrypted key */ + ); + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG(" R_TSIP_TlsCertificateVerification() failed"); + } + if (sigforSCE) { + XFREE(sigforSCE, NULL, DYNAMIC_TYPE_TEMP); + } + sce_hw_unlock(); + } else { + WOLFSSL_MSG(" hw lock failed "); + } + WOLFSSL_LEAVE("sce_tls_CertVerify", ret); + return ret; +} + +/* Root Certificate verification */ +int sce_tls_RootCertVerify( + const uint8_t* cert, uint32_t cert_len, + uint32_t key_n_start, uint32_t key_n_len, + uint32_t key_e_start, uint32_t key_e_len, + uint32_t cm_row) +{ + int ret; + /* call to generate encrypted public key for certificate verification */ + uint8_t *signature = (uint8_t*)ca_cert_sig; + + WOLFSSL_ENTER("sce_tls_RootCertVerify"); + + if (cert == NULL) + return BAD_FUNC_ARG; + + if (!signature) { + WOLFSSL_MSG(" signature for ca verification is not set\n"); + return -1; + } + + if ((ret = sce_hw_lock()) == 0) { + ret = R_SCE_TLS_RootCertificateVerify( + g_user_key_info.encrypted_user_tls_key_type, + (uint8_t*)cert, /* CA cert */ + (uint32_t)cert_len, /* length of CA cert */ + key_n_start, /* Byte position of public key */ + (key_n_start + key_n_len), + key_e_start, + (key_e_start + key_e_len), + (uint8_t*)ca_cert_sig, /* RSA 2048 PSS with SHA256 */ + g_encrypted_publicCA_key); /* RSA-2048 public key 560 bytes */ + /* ECDSA 96 bytes */ + if (ret != FSP_SUCCESS) { + WOLFSSL_MSG(" R_SCE_TLS_RootCertificateVerify() failed"); + } else { + g_CAscm_Idx = cm_row; + } + sce_hw_unlock(); + } else { + WOLFSSL_MSG(" hw lock failed "); + } + WOLFSSL_LEAVE("sce_tls_RootCertVerify", ret); + return ret; +} + +/* to inform ca certificate sign */ +/* signature format expects RSA 2048 PSS with SHA256 */ +void sce_inform_cert_sign(const uint8_t *sign) +{ + if(sign) + ca_cert_sig = sign; +} + +void sce_inform_user_keys( + uint8_t* encrypted_provisioning_key, + uint8_t* iv, + uint8_t* encrypted_user_tls_key, + uint32_t encrypted_user_tls_key_type) +{ + WOLFSSL_ENTER("sce_inform_user_keys"); + g_user_key_info.encrypted_provisioning_key = NULL; + g_user_key_info.iv = NULL; + g_user_key_info.encrypted_user_tls_key = NULL; + + if ( encrypted_provisioning_key ) { + g_user_key_info.encrypted_provisioning_key = encrypted_provisioning_key; + } + if ( iv ) { + g_user_key_info.iv = iv; + } + if ( encrypted_user_tls_key ) { + g_user_key_info.encrypted_user_tls_key = encrypted_user_tls_key; + } + + g_user_key_info.encrypted_user_tls_key_type = encrypted_user_tls_key_type; + + /* set callback for ECC */ + WOLFSSL_MSG("sce_inform_user_keys_ex"); +} +/* store elements for session key generation into ssl->keys. + * return 0 on success, negative value on failure + */ +int sce_storeKeyCtx(struct WOLFSSL* ssl, User_SCEPKCbInfo* info) +{ + int ret = 0; + + WOLFSSL_MSG(">> sce_storeKeyCtx"); + + if (ssl == NULL || info == NULL) + ret = BAD_FUNC_ARG; + + if (ret == 0) { + XMEMCPY(info->sce_masterSecret, ssl->arrays->sce_masterSecret, + SCE_TLS_MASTERSECRET_SIZE); + XMEMCPY(info->sce_clientRandom, ssl->arrays->clientRandom, 32); + XMEMCPY(info->sce_serverRandom, ssl->arrays->serverRandom, 32); + + info->sce_cipher = GetSceCipherSuite(ssl->options.cipherSuite0, + ssl->options.cipherSuite); + } + + return ret; +} + +/* Set callbacks needed for sce TLS api handling */ +void sce_set_callbacks(WOLFSSL_CTX* ctx) +{ + wolfSSL_CTX_SetEccVerifyCb(ctx, Renesas_cmn_EccVerify); + wolfSSL_CTX_SetRsaVerifyCb(ctx, Renesas_cmn_RsaVerify); + wolfSSL_CTX_SetGenPreMasterCb(ctx, Renesas_cmn_generatePremasterSecret); + wolfSSL_CTX_SetRsaEncCb(ctx, Renesas_cmn_RsaEnc); + wolfSSL_CTX_SetVerifymacCb(ctx, Renesas_cmn_VerifyHmac); + + wolfSSL_CTX_SetEccSharedSecretCb(ctx, NULL); +} +/* Set callback contexts needed for sce TLS api handling */ +int sce_set_callback_ctx(WOLFSSL* ssl, void* user_ctx) +{ + if (sce_sess_idx > MAX_SCE_CBINDEX) { + WOLFSSL_MSG("exceeds maximum session index"); + return -1; + } + gSCE_PKCbInfo.user_PKCbInfo[sce_sess_idx] = (User_SCEPKCbInfo*)user_ctx; + gSCE_PKCbInfo.user_PKCbInfo[sce_sess_idx]->pk_key_set = 0; + gSCE_PKCbInfo.user_PKCbInfo[sce_sess_idx]->session_key_set = 0; + + wolfSSL_SetEccVerifyCtx(ssl, user_ctx); + wolfSSL_SetRsaVerifyCtx(ssl, user_ctx); + wolfSSL_SetGenPreMasterCtx(ssl, user_ctx); + wolfSSL_SetEccSharedSecretCtx(ssl, NULL); + wolfSSL_SetVerifymacCtx(ssl, user_ctx); + + /* set up crypt callback */ + wc_CryptoCb_CryptInitRenesascmn(ssl, user_ctx); + + gSCE_PKCbInfo.num_session = ++sce_sess_idx; + + return 0; +} + +#endif /* WOLFSSL_RENESAS_SCEPROTECT */ diff --git a/wolfcrypt/src/port/Renesas/renesas_tsip_util.c b/wolfcrypt/src/port/Renesas/renesas_tsip_util.c index 4ba869452..9576d8b60 100644 --- a/wolfcrypt/src/port/Renesas/renesas_tsip_util.c +++ b/wolfcrypt/src/port/Renesas/renesas_tsip_util.c @@ -218,7 +218,7 @@ int tsip_useable(const struct WOLFSSL *ssl) /* when rsa key index == NULL, tsip isn't used for cert verification. */ /* in the case, we cannot use TSIP. */ - if (!ssl->peerTsipEncRsaKeyIndex) + if (!ssl->peerSceTsipEncRsaKeyIndex) return 0; /* when enabled Extended Master Secret, we cannot use TSIP. */ @@ -242,19 +242,7 @@ int tsip_useable(const struct WOLFSSL *ssl) return 0; } -/* check if the g_alreadyVerified CA's key can be used for * - * peer's certification */ -byte tsip_checkCA(word32 cmIdx) -{ - return (cmIdx == g_CAscm_Idx? 1:0); -} -/* check if the root CA has been verified by TSIP, * - * and it exists in the CM table. */ -byte tsip_rootCAverified( ) -{ - return (g_CAscm_Idx != (uint32_t)-1 ? 1:0); -} /* open TSIP driver for use */ int tsip_Open() @@ -820,14 +808,14 @@ int tsip_generateEncryptPreMasterSecret( #if (WOLFSSL_RENESAS_TSIP_VER>=109) ret = R_TSIP_TlsEncryptPreMasterSecretWithRsa2048PublicKey( - (uint32_t*)ssl->peerTsipEncRsaKeyIndex, + (uint32_t*)ssl->peerSceTsipEncRsaKeyIndex, (uint32_t*)&ssl->arrays->preMasterSecret[VERSION_SZ], (uint8_t*)out); #elif (WOLFSSL_RENESAS_TSIP_VER>=106) ret = R_TSIP_TlsEncryptPreMasterSecret( - (uint32_t*)ssl->peerTsipEncRsaKeyIndex, + (uint32_t*)ssl->peerSceTsipEncRsaKeyIndex, (uint32_t*)&ssl->arrays->preMasterSecret[VERSION_SZ], (uint8_t*)out); diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 253528b98..9d465159f 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -2488,7 +2488,32 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) } return ret; } +#elif defined(WOLFSSL_RENESAS_SCEPROTECT) + #include "r_sce.h" + + int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) + { + int ret; + word32 buffer[4]; + while (sz > 0) { + word32 len = sizeof(buffer); + + if (sz < len) { + len = sz; + } + /* return 4 words random number*/ + ret = R_SCE_RandomNumberGenerate(buffer); + if(ret == FSP_SUCCESS) { + XMEMCPY(output, &buffer, len); + output += len; + sz -= len; + } else + return ret; + } + return ret; + } + #elif defined(WOLFSSL_SCE) && !defined(WOLFSSL_SCE_NO_TRNG) #include "hal_data.h" diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 60684f59d..c8350eec4 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -182,7 +182,9 @@ where 0 <= L < 2^64. (!defined(WOLFSSL_ESP32WROOM32_CRYPT) || defined(NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH)) && \ (!defined(WOLFSSL_RENESAS_TSIP_CRYPT) || defined(NO_WOLFSSL_RENESAS_TSIP_HASH)) && \ !defined(WOLFSSL_PSOC6_CRYPTO) && !defined(WOLFSSL_IMXRT_DCP) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \ - !defined(WOLFSSL_KCAPI_HASH) && !defined(WOLFSSL_SE050_HASH) + !defined(WOLFSSL_KCAPI_HASH) && !defined(WOLFSSL_SE050_HASH) && \ + (!defined(WOLFSSL_RENESAS_SCEPROTECT) || defined(NO_WOLFSSL_RENESAS_SCEPROTECT_HASH)) + static int InitSha256(wc_Sha256* sha256) @@ -743,6 +745,11 @@ static int InitSha256(wc_Sha256* sha256) /* implemented in wolfcrypt/src/port/Renesas/renesas_tsip_sha.c */ +#elif defined(WOLFSSL_RENESAS_SCEPROTECT) && \ + !defined(NO_WOLFSSL_RENESAS_SCEPROTECT_HASH) + + /* implemented in wolfcrypt/src/port/Renesas/renesas_sce_sha.c */ + #elif defined(WOLFSSL_PSOC6_CRYPTO) /* implemented in wolfcrypt/src/port/cypress/psoc6_crypto.c */ @@ -1640,7 +1647,10 @@ void wc_Sha256Free(wc_Sha256* sha256) #if (defined(WOLFSSL_AFALG_HASH) && defined(WOLFSSL_AFALG_HASH_KEEP)) || \ (defined(WOLFSSL_DEVCRYPTO_HASH) && defined(WOLFSSL_DEVCRYPTO_HASH_KEEP)) || \ (defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \ - !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)) + !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH)) && \ + (defined(WOLFSSL_RENESAS_SCEPROTECT) && \ + !defined(NO_WOLFSSL_RENESAS_SCEPROTECT_HASH)) + if (sha256->msg != NULL) { XFREE(sha256->msg, sha256->heap, DYNAMIC_TYPE_TMP_BUFFER); sha256->msg = NULL; @@ -1739,6 +1749,12 @@ void wc_Sha256Free(wc_Sha256* sha256) !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH) /* implemented in wolfcrypt/src/port/Renesas/renesas_tsip_sha.c */ + +#elif defined(WOLFSSL_RENESAS_SCEPROTECT) && \ + !defined(NO_WOLFSSL_RENESAS_SCEPROTECT_HASH) + + /* implemented in wolfcrypt/src/port/Renesas/renesas_sce_sha.c */ + #elif defined(WOLFSSL_PSOC6_CRYPTO) /* implemented in wolfcrypt/src/port/cypress/psoc6_crypto.c */ #elif defined(WOLFSSL_IMXRT_DCP) diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 30de50f63..2b4c359f5 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -57,6 +57,9 @@ #if defined(WOLFSSL_RENESAS_TSIP) #include #endif +#if defined(WOLFSSL_RENESAS_SCE) + #include +#endif #if defined(WOLFSSL_STSAFEA100) #include #endif @@ -153,7 +156,17 @@ int wolfCrypt_Init(void) return ret; } #endif - + + #if defined(WOLFSSL_RENESAS_SCEPROTECT) + ret = sce_Open( ); + if( ret != FSP_SUCCESS ) { + WOLFSSL_MSG("RENESAS SCE Open failed"); + /* not return 1 since WOLFSSL_SUCCESS=1*/ + ret = -1;/* FATAL ERROR */ + return ret; + } + #endif + #if defined(WOLFSSL_TRACK_MEMORY) && !defined(WOLFSSL_STATIC_MEMORY) ret = InitMemoryTracker(); if (ret != 0) { @@ -353,9 +366,16 @@ int wolfCrypt_Cleanup(void) #ifdef WOLFSSL_ASYNC_CRYPT wolfAsync_HardwareStop(); #endif + + #ifdef WOLFSSL_RENESAS_SCEPROTECT + sce_Close(); + #else + #ifdef WOLFSSL_SCE + WOLFSSL_SCE_GSCE_HANDLE.p_api->close(WOLFSSL_SCE_GSCE_HANDLE.p_ctrl); #endif + #endif #if defined(WOLFSSL_IMX6_CAAM) || defined(WOLFSSL_IMX6_CAAM_RNG) || \ defined(WOLFSSL_IMX6_CAAM_BLOB) wc_caamFree(); diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 13dbdd4ce..94defd0b2 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -1226,7 +1226,7 @@ initDefaultName(); test_pass("OPENSSL (EVP Sign/Verify) passed!\n"); #endif - + #ifdef HAVE_ECC PRIVATE_KEY_UNLOCK(); if ( (ret = ecc_test()) != 0) @@ -2316,7 +2316,7 @@ WOLFSSL_TEST_SUBROUTINE int sha_test(void) /* BEGIN LARGE HASH TEST */ { byte large_input[1024]; -#ifdef WOLFSSL_RENESAS_TSIP +#if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT) const char* large_digest = "\x1d\x6a\x5a\xf6\xe5\x7c\x86\xce\x7f\x7c\xaf\xd5\xdb\x08\xcd\x59" "\x15\x8c\x6d\xb6"; @@ -2328,7 +2328,7 @@ WOLFSSL_TEST_SUBROUTINE int sha_test(void) for (i = 0; i < (int)sizeof(large_input); i++) { large_input[i] = (byte)(i & 0xFF); } -#ifdef WOLFSSL_RENESAS_TSIP +#if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT) times = 20; #else times = 100; @@ -2706,7 +2706,7 @@ WOLFSSL_TEST_SUBROUTINE int sha256_test(void) /* BEGIN LARGE HASH TEST */ { byte large_input[1024]; -#ifdef WOLFSSL_RENESAS_TSIP_CRYPT +#if defined(WOLFSSL_RENESAS_TSIP_CRYPT) || defined(WOLFSSL_RENESAS_SCEPROTECT) const char* large_digest = "\xa4\x75\x9e\x7a\xa2\x03\x38\x32\x88\x66\xa2\xea\x17\xea\xf8\xc7" "\xfe\x4e\xc6\xbb\xe3\xbb\x71\xce\xe7\xdf\x7c\x04\x61\xb3\xc2\x2f"; @@ -2718,7 +2718,7 @@ WOLFSSL_TEST_SUBROUTINE int sha256_test(void) for (i = 0; i < (int)sizeof(large_input); i++) { large_input[i] = (byte)(i & 0xFF); } -#ifdef WOLFSSL_RENESAS_TSIP +#if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT) times = 20; #else times = 100; @@ -22721,9 +22721,9 @@ static int ecc_exp_imp_test(ecc_key* key) #else ecc_key keyImp[1]; #endif - byte priv[32]; + byte priv[32*4]; word32 privLen; - byte pub[65]; + byte pub[65*2]; word32 pubLen, pubLenX, pubLenY; const char qx[] = "7a4e287890a1a47ad3457e52f2f76a83" "ce46cbc947616d0cbaa82323818a793d"; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 82171d2af..38cda0bb2 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2256,6 +2256,11 @@ typedef struct Keys { tsip_hmac_sha_key_index_t tsip_server_write_MAC_secret; #endif +#ifdef WOLFSSL_RENESAS_SCEPROTECT + + sce_hmac_sha_wrapped_key_t sce_client_write_MAC_secret; + sce_hmac_sha_wrapped_key_t sce_server_write_MAC_secret; +#endif } Keys; @@ -3052,6 +3057,12 @@ struct WOLFSSL_CTX { CallbackRsaEnc RsaEncCb; /* User Rsa Public Encrypt handler */ CallbackRsaDec RsaDecCb; /* User Rsa Private Decrypt handler */ #endif /* NO_RSA */ + CallbackGenPreMaster GenPreMasterCb; /* Use generate pre-master handler */ + CallbackGenMasterSecret GenMasterCb; /* Use generate master secret handler */ + CallbackGenSessionKey GenSessionKeyCb; /* Use generate session key handler */ + CallbackSetKeys SetKeysCb; /* Use set keys handler */ + CallbackTlsFinished TlsFinishedCb; /* Use Tls finished handler */ + CallbackVerifymac VerifymacCb; /* Use Verify mac handler */ #endif /* HAVE_PK_CALLBACKS */ #ifdef HAVE_WOLF_EVENT WOLF_EVENT_QUEUE event_queue; @@ -3755,6 +3766,9 @@ typedef struct Arrays { !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION) byte tsip_masterSecret[TSIP_TLS_MASTERSECRET_SIZE]; #endif +#if defined(WOLFSSL_RENESAS_SCEPROTECT) + byte sce_masterSecret[SCE_TLS_MASTERSECRET_SIZE]; +#endif #ifdef WOLFSSL_DTLS byte cookie[MAX_COOKIE_LEN]; byte cookieSz; @@ -4241,8 +4255,8 @@ struct WOLFSSL { #endif /* OPENSSL_EXTRA */ #ifndef NO_RSA RsaKey* peerRsaKey; -#ifdef WOLFSSL_RENESAS_TSIP_TLS - byte *peerTsipEncRsaKeyIndex; +#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) + byte* peerSceTsipEncRsaKeyIndex; #endif byte peerRsaKeyPresent; #endif @@ -4468,6 +4482,12 @@ struct WOLFSSL { void* RsaEncCtx; /* Rsa Public Encrypt Callback Context */ void* RsaDecCtx; /* Rsa Private Decrypt Callback Context */ #endif /* NO_RSA */ + void* GenPreMasterCtx; /* Generate Premaster Callback Context */ + void* GenMasterCtx; /* Generate Master Callback Context */ + void* GenSessionKeyCtx; /* Generate Sesssion Key Callback Context */ + void* SetKeysCtx; /* Generate Sesssion Key Callback Context */ + void* TlsFinishedCtx; /* Generate Tls Finished Callback Context */ + void* VerifymacCtx; /* Verify mac Callback Context */ #endif /* HAVE_PK_CALLBACKS */ #ifdef HAVE_SECRET_CALLBACK SessionSecretCb sessionSecretCb; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 51243aa6e..c529dbe86 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3206,6 +3206,45 @@ WOLFSSL_API void wolfSSL_CTX_SetRsaDecCb(WOLFSSL_CTX*, CallbackRsaDec); WOLFSSL_API void wolfSSL_SetRsaDecCtx(WOLFSSL* ssl, void *ctx); WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); #endif + +/* Protocol Callback */ +typedef int (*CallbackGenMasterSecret)(WOLFSSL* ssl, void* ctx); +WOLFSSL_API void wolfSSL_CTX_SetGenMasterSecretCb(WOLFSSL_CTX*, CallbackGenMasterSecret); +WOLFSSL_API void wolfSSL_SetGenMasterSecretCtx(WOLFSSL* ssl, void *ctx); +WOLFSSL_API void* wolfSSL_GetGenMasterSecretCtx(WOLFSSL* ssl); + +typedef int (*CallbackGenPreMaster)(WOLFSSL* ssl, byte *premaster, + word32 preSz, void* ctx); +WOLFSSL_API void wolfSSL_CTX_SetGenPreMasterCb(WOLFSSL_CTX*, CallbackGenPreMaster); +WOLFSSL_API void wolfSSL_SetGenPreMasterCtx(WOLFSSL* ssl, void *ctx); +WOLFSSL_API void* wolfSSL_GetGenPreMasterCtx(WOLFSSL* ssl); + +typedef int (*CallbackGenSessionKey)(WOLFSSL* ssl, void* ctx); +WOLFSSL_API void wolfSSL_CTX_SetGenSesssionKeyCb(WOLFSSL_CTX*, CallbackGenSessionKey); +WOLFSSL_API void wolfSSL_SetGenSesssionKeyCtx(WOLFSSL* ssl, void *ctx); +WOLFSSL_API void* wolfSSL_GetGenSesssionKeyCtx(WOLFSSL* ssl); + +typedef int (*CallbackSetKeys)(WOLFSSL* ssl, void* ctx); +WOLFSSL_API void wolfSSL_CTX_SetSetKeysCb(WOLFSSL_CTX*, CallbackSetKeys); +WOLFSSL_API void wolfSSL_SetSetKeysCtx(WOLFSSL* ssl, void *ctx); +WOLFSSL_API void* wolfSSL_GetSetKeysCtx(WOLFSSL* ssl); + +typedef int (*CallbackTlsFinished)(WOLFSSL* ssl, + const byte *side, + const byte *handshake_hash, + byte *hashes, void* ctx); +WOLFSSL_API void wolfSSL_CTX_SetTlsFinishedCb(WOLFSSL_CTX*, CallbackTlsFinished); +WOLFSSL_API void wolfSSL_SetTlsFinishedCtx(WOLFSSL* ssl, void *ctx); +WOLFSSL_API void* wolfSSL_GetTlsFinishedCtx(WOLFSSL* ssl); + +#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) +typedef int (*CallbackVerifymac)(WOLFSSL *ssl, const byte* message, + word32 messageSz, word32 macSz, word32 content, void* ctx); +WOLFSSL_API void wolfSSL_CTX_SetVerifymacCb(WOLFSSL_CTX*, CallbackVerifymac); +WOLFSSL_API void wolfSSL_SetVerifymacCtx(WOLFSSL* ssl, void *ctx); +WOLFSSL_API void* wolfSSL_GetVerifymacCtx(WOLFSSL* ssl); +#endif + #endif /* HAVE_PK_CALLBACKS */ #ifndef NO_CERTS diff --git a/wolfssl/test.h b/wolfssl/test.h index 3b726afbb..9c8badec5 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -4606,6 +4606,118 @@ static WC_INLINE int myRsaDec(WOLFSSL* ssl, byte* in, word32 inSz, #endif /* NO_RSA */ +static WC_INLINE int myGenMaster(WOLFSSL* ssl, void* ctx) +{ + int ret; + PkCbInfo* cbInfo = (PkCbInfo*)ctx; + + (void)ssl; + (void)cbInfo; + + WOLFSSL_PKMSG("Gen Master"); + /* fall through original routine */ + ret = PROTOCOLCB_UNAVAILABLE; + WOLFSSL_PKMSG("Gen Master: ret %d\n", ret); + + return ret; +} + +static WC_INLINE int myGenPreMaster(WOLFSSL* ssl, byte *premaster, + word32 preSz, void* ctx) +{ + int ret; + PkCbInfo* cbInfo = (PkCbInfo*)ctx; + + (void) ssl; + (void) cbInfo; + (void) premaster; + (void) preSz; + + WOLFSSL_PKMSG("Gen Pre-Master Cb"); + /* fall through original routine */ + ret = PROTOCOLCB_UNAVAILABLE; + WOLFSSL_PKMSG("Gen Pre-Master Cb: ret %d\n", ret); + + return ret; +} + +static WC_INLINE int myGenSessionKey(WOLFSSL* ssl, void* ctx) +{ + int ret; + PkCbInfo* cbInfo = (PkCbInfo*)ctx; + + (void)ssl; + (void)cbInfo; + + WOLFSSL_PKMSG("Gen Master Cb"); + /* fall through original routine */ + ret = PROTOCOLCB_UNAVAILABLE; + WOLFSSL_PKMSG("Gen Master Cb: ret %d\n", ret); + + return ret; +} + +static WC_INLINE int mySetKeys(WOLFSSL* ssl, void* ctx) +{ + int ret; + PkCbInfo* cbInfo = (PkCbInfo*)ctx; + + (void)ssl; + (void)cbInfo; + + WOLFSSL_PKMSG("Set Keys Cb"); + /* fall through original routine */ + ret = PROTOCOLCB_UNAVAILABLE; + WOLFSSL_PKMSG("Set Keys Cb: ret %d\n", ret); + + return ret; +} + +#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) +static WC_INLINE int myVerifymac(WOLFSSL *ssl, const byte* message, + word32 messageSz, word32 macSz, word32 content, void* ctx) +{ + int ret; + PkCbInfo* cbInfo = (PkCbInfo*)ctx; + + (void)ssl; + (void)message; + (void)messageSz; + (void)macSz; + (void)content; + (void)cbInfo; + + WOLFSSL_PKMSG("Verify Mac Cb"); + /* fall through original routine */ + ret = PROTOCOLCB_UNAVAILABLE; + WOLFSSL_PKMSG("Verify Mac Cb: ret %d\n", ret); + + return ret; +} +#endif + +static WC_INLINE int myTlsFinished(WOLFSSL* ssl, + const byte *side, + const byte *handshake_hash, + byte *hashes, void* ctx) +{ + int ret; + PkCbInfo* cbInfo = (PkCbInfo*)ctx; + + (void)ssl; + (void)cbInfo; + (void)side; + (void)handshake_hash; + (void)hashes; + + WOLFSSL_PKMSG("Tls Finished Cb"); + /* fall through original routine */ + ret = PROTOCOLCB_UNAVAILABLE; + WOLFSSL_PKMSG("Tls Finished Cb: ret %d\n", ret); + + return ret; +} + static WC_INLINE void SetupPkCallbacks(WOLFSSL_CTX* ctx) { (void)ctx; @@ -4655,6 +4767,17 @@ static WC_INLINE void SetupPkCallbacks(WOLFSSL_CTX* ctx) wolfSSL_CTX_SetRsaEncCb(ctx, myRsaEnc); wolfSSL_CTX_SetRsaDecCb(ctx, myRsaDec); #endif /* NO_RSA */ + + wolfSSL_CTX_SetGenMasterSecretCb(ctx, myGenMaster); + wolfSSL_CTX_SetGenPreMasterCb(ctx, myGenPreMaster); + wolfSSL_CTX_SetGenSesssionKeyCb(ctx, myGenSessionKey); + wolfSSL_CTX_SetSetKeysCb(ctx, mySetKeys); + + #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) + wolfSSL_CTX_SetVerifymacCb(ctx, myVerifymac); + #endif + + wolfSSL_CTX_SetTlsFinishedCb(ctx, myTlsFinished); } static WC_INLINE void SetupPkCallbackContexts(WOLFSSL* ssl, void* myCtx) @@ -4694,6 +4817,17 @@ static WC_INLINE void SetupPkCallbackContexts(WOLFSSL* ssl, void* myCtx) wolfSSL_SetRsaEncCtx(ssl, myCtx); wolfSSL_SetRsaDecCtx(ssl, myCtx); #endif /* NO_RSA */ + + wolfSSL_SetGenMasterSecretCtx(ssl, myCtx); + wolfSSL_SetGenPreMasterCtx(ssl, myCtx); + wolfSSL_SetGenSesssionKeyCtx(ssl, myCtx); + wolfSSL_SetSetKeysCtx(ssl, myCtx); + + #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) + wolfSSL_SetVerifymacCtx(ssl, myCtx); + #endif + + wolfSSL_SetTlsFinishedCtx(ssl, myCtx); } #endif /* HAVE_PK_CALLBACKS */ diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index 3ba981062..639e13157 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -262,6 +262,9 @@ struct Aes { defined(WOLFSSL_RENESAS_TSIP_TLS_AES_CRYPT) TSIP_AES_CTX ctx; #endif +#if defined(WOLFSSL_RENESAS_SCEPROTECT) + SCE_AES_CTX ctx; +#endif #if defined(WOLFSSL_IMXRT_DCP) dcp_handle_t handle; #endif diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index f34ee8d82..dc077fe4a 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1213,6 +1213,21 @@ enum SignatureState { #endif #endif /* HAVE_PK_CALLBACKS */ +#if defined(WOLFSSL_RENESAS_TSIP_TLS) ||defined(WOLFSSL_RENESAS_SCEPROTECT) +typedef struct tagCertAttribute { + byte verifyByTSIP_SCE; + word32 certBegin; + word32 pubkey_n_start; + word32 pubkey_n_len; + word32 pubkey_e_start; + word32 pubkey_e_len; + int curve_id; + const byte* cert; + word32 certSz; + const byte* keyIndex; + } CertAttribute; +#endif + struct SignatureCtx { void* heap; byte* digest; @@ -1268,13 +1283,8 @@ struct SignatureCtx { #endif #endif /* HAVE_PK_CALLBACKS */ #ifndef NO_RSA -#ifdef WOLFSSL_RENESAS_TSIP_TLS - byte verifyByTSIP; - word32 certBegin; - word32 pubkey_n_start; - word32 pubkey_n_len; - word32 pubkey_e_start; - word32 pubkey_e_len; +#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) + CertAttribute CertAtt; #endif #endif }; @@ -1552,10 +1562,10 @@ struct DecodedCert { #ifndef NO_CERTS SignatureCtx sigCtx; #endif -#ifdef WOLFSSL_RENESAS_TSIP - byte* tsip_encRsaKeyIdx; +#if defined(WOLFSSL_RENESAS_TSIP) || defined(WOLFSSL_RENESAS_SCEPROTECT) + byte* sce_tsip_encRsaKeyIdx; #endif - + int badDate; int criticalExt; @@ -1643,7 +1653,7 @@ struct Signer { #ifdef WOLFSSL_SIGNER_DER_CERT DerBuffer* derCert; #endif -#ifdef WOLFSSL_RENESAS_TSIP_TLS +#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) word32 cm_idx; #endif Signer* next; diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index c22989b86..620259077 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -246,8 +246,9 @@ enum { DHE_PCT_E = -285, /* DHE Pairwise Consistency Test failure */ ECC_PCT_E = -286, /* ECDHE Pairwise Consistency Test failure */ FIPS_PRIVATE_KEY_LOCKED_E = -287, /* Cannot export private key. */ - - WC_LAST_E = -287, /* Update this to indicate last error */ + PROTOCOLCB_UNAVAILABLE = -288, /* Protocol callback unavailable */ + + WC_LAST_E = -288, /* Update this to indicate last error */ MIN_CODE_E = -300 /* errors -101 - -299 */ /* add new companion error id strings for any new error codes diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index b19b93fc1..763046eff 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -94,6 +94,8 @@ noinst_HEADERS+= \ wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h \ wolfssl/wolfcrypt/port/arm/cryptoCell.h \ wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h \ + wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h \ + wolfssl/wolfcrypt/port/Renesas/renesas_sync.h \ wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h if BUILD_CRYPTOAUTHLIB diff --git a/wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h b/wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h new file mode 100644 index 000000000..023a01039 --- /dev/null +++ b/wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h @@ -0,0 +1,231 @@ +/* renesas-sce-crypt.h + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ +#ifndef __RENESAS_SCE_CRYPT_H__ +#define __RENESAS_SCE_CRYPT_H__ + +#include "r_sce.h" +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#define SCE_SESSIONKEY_NONCE_SIZE 8 +#define WOLFSSL_SCE_ILLEGAL_CIPHERSUITE -1 + + enum { + l_TLS_RSA_WITH_AES_128_CBC_SHA = 0x2F, + l_TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x3c, + l_TLS_RSA_WITH_AES_256_CBC_SHA = 0x35, + l_TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x3d, + l_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0x27, + l_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0x23, + l_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0x2b, + l_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0x2f, +}; + +#define MAX_SCE_CBINDEX 5 + +typedef struct tagUser_SCEPKCbInfo { + uint32_t user_key_id; + + /* out from R_SCE_TLS_ServerKeyExchangeVerify */ + uint32_t encrypted_ephemeral_ecdh_public_key[SCE_TLS_ENCRYPTED_ECCPUBKEY_SZ]; + /* out from R_SCE_TLS_ECC_secp256r1_EphemeralWrappedKeyPairGenerate */ + sce_tls_p256_ecc_wrapped_key_t ecc_p256_wrapped_key; + uint8_t ecc_ecdh_public_key[HW_SCE_ECC_PUBLIC_KEY_BYTE_SIZE]; + + uint32_t sce_masterSecret[SCE_TLS_MASTERSECRET_SIZE/4]; + uint8_t sce_clientRandom[SCE_TLS_CLIENTRANDOM_SZ]; + uint8_t sce_serverRandom[SCE_TLS_SERVERRANDOM_SZ]; + uint8_t sce_cipher; + + /* installed key handling */ + sce_aes_wrapped_key_t sce_wrapped_key_aes256; + uint8_t aes256_installedkey_set:1; + sce_aes_wrapped_key_t sce_wrapped_key_aes128; + uint8_t aes128_installedkey_set:1; + + /* flag whether encrypted ec key is set */ + uint8_t pk_key_set:1; + uint8_t session_key_set:1; + +} User_SCEPKCbInfo; + +typedef struct tagSCE_PKCbInfo { + User_SCEPKCbInfo *user_PKCbInfo[MAX_SCE_CBINDEX]; + uint32_t num_session; +} SCE_PKCbInfo; + +typedef struct +{ + uint8_t *encrypted_provisioning_key; + uint8_t *iv; + uint8_t *encrypted_user_tls_key; + uint32_t encrypted_user_tls_key_type; + sce_tls_ca_certification_public_wrapped_key_t user_rsa2048_tls_wrappedkey; +} sce_key_data; + +struct WOLFSSL; +struct WOLFSSL_CTX; +struct ecc_key; + +int sce_Open(); +void sce_Close(); +int sce_hw_lock(); +void sce_hw_unlock( void ); +int sce_usable(const struct WOLFSSL *ssl); + +typedef struct { + sce_aes_wrapped_key_t sce_wrapped_key; + word32 keySize; + byte setup; +} SCE_AES_CTX; + +struct Aes; +int wc_sce_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, + word32 sz); +int wc_sce_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, + word32 sz); + +int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, + const byte* in, word32 sz, + byte* iv, word32 ivSz, + byte* authTag, word32 authTagSz, + const byte* authIn, word32 authInSz, + void* ctx); + +int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, + const byte* in, word32 sz, + const byte* iv, word32 ivSz, + const byte* authTag, word32 authTagSz, + const byte* authIn, word32 authInSz, + void* ctx); + +#if !defined(NO_SHA256) && !defined(NO_WOLFSSL_RENESAS_SCEPROTECT_HASH) + +typedef enum { + SCE_SHA256 = 1, +} SCE_SHA_TYPE; + +typedef struct { + byte* msg; + void* heap; + word32 used; + word32 len; + word32 sha_type; +#if defined(WOLF_CRYPTO_CB) + word32 flags; + int devId; +#endif +} wolfssl_SCE_Hash; + +/* RAW hash function APIs are not implemented with SCE */ +#undef WOLFSSL_NO_HASH_RAW +#define WOLFSSL_NO_HASH_RAW + +typedef wolfssl_SCE_Hash wc_Sha256; + +#endif /* NO_SHA */ + +void sce_inform_cert_sign(const uint8_t *sign); + +byte sce_rootCAverified(); + +byte sce_checkCA(uint32_t cmIdx); + +int sce_tls_RootCertVerify( + const uint8_t* cert, uint32_t cert_len, + uint32_t key_n_start, uint32_t key_n_len, + uint32_t key_e_start, uint32_t key_e_len, + uint32_t cm_row); + +int sce_tls_CertVerify( + const uint8_t* cert, uint32_t certSz, + const uint8_t* signature, uint32_t sigSz, + uint32_t key_n_start, uint32_t key_n_len, + uint32_t key_e_start, uint32_t key_e_len, + uint8_t* sce_encRsaKeyIdx); + + +int sce_generatePremasterSecret( + uint8_t* premaster, + uint32_t preSz); + +int sce_generateEncryptPreMasterSecret( + struct WOLFSSL* ssl, + uint8_t* out, + uint32_t* outSz); + +int sce_Sha256GenerateHmac( + const struct WOLFSSL *ssl, + const uint8_t* myInner, + uint32_t innerSz, + const uint8_t* in, + uint32_t sz, + uint8_t* digest); + +int sce_Sha256VerifyHmac( + const struct WOLFSSL *ssl, + const uint8_t* message, + uint32_t messageSz, + uint32_t macSz, + uint32_t content); + +void sce_inform_user_keys( + uint8_t* encrypted_provisioning_key, + uint8_t* iv, + uint8_t* encrypted_user_tls_key, + uint32_t encrypted_user_tls_key_type); + +void sce_set_callbacks(struct WOLFSSL_CTX* ctx); +int sce_set_callback_ctx(struct WOLFSSL* ssl, void* user_ctx); + +uint32_t GetSceCipherSuite( + uint8_t cipherSuiteFirst, + uint8_t cipherSuite); + +int sce_useable(const struct WOLFSSL *ssl, + uint8_t session_key_generated); +int sce_storeKeyCtx(struct WOLFSSL* ssl, User_SCEPKCbInfo* info); +int sce_generateVerifyData(const uint8_t *ms, /* master secret */ + const uint8_t *side, const uint8_t *handshake_hash, + uint8_t *hashes /* out */); +int sce_generateSeesionKey(struct WOLFSSL *ssl, User_SCEPKCbInfo* cbInfo, + int devId); +int sce_generateMasterSecret( + uint8_t cipherSuiteFirst, + uint8_t cipherSuite, + const uint8_t *pr, /* pre-master */ + const uint8_t *cr, /* client random */ + const uint8_t *sr, /* server random */ + uint8_t *ms); + +int SCE_RsaVerify(struct WOLFSSL* ssl, byte* sig, uint32_t sigSz, + uint8_t** out, const byte* key, uint32_t keySz, void* ctx); +int SCE_EccVerify(struct WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, + const uint8_t* hash, uint32_t hashSz, const uint8_t* key, uint32_t keySz, + int* result, void* ctx); +int SCE_EccSharedSecret(struct WOLFSSL* ssl, struct ecc_key* otherKey, + uint8_t* pubKeyDer, unsigned int* pubKeySz, + uint8_t* out, unsigned int* outlen, int side, void* ctx); +#endif /* __RENESAS_SCE_CRYPT_H__ */ diff --git a/wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h b/wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h new file mode 100755 index 000000000..f3df9a2ba --- /dev/null +++ b/wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h @@ -0,0 +1,43 @@ +/* renesas_cmn.h + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ +#ifndef __RENESAS_CMN_H__ +#define __RENESAS_CMN_H__ + +#include +#include + +/* Common Callback and Method */ +int Renesas_cmn_genMasterSecret(WOLFSSL* ssl, void* ctx); +int Renesas_cmn_generatePremasterSecret(WOLFSSL* ssl, byte *premaster, + word32 preSz, void* ctx); +int Renesas_cmn_RsaEnc(WOLFSSL* ssl, const unsigned char* in, + unsigned int inSz, unsigned char* out, word32* outSz, + const unsigned char* keyDer, unsigned int keySz, void* ctx); +int Renesas_cmn_VerifyHmac(WOLFSSL *ssl, const byte* message, + word32 messageSz, word32 macSz, word32 content); +int wc_CryptoCb_CryptInitRenesascmn(WOLFSSL* ssl, void* ctx); +int Renesas_cmn_EccVerify(WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, + const uint8_t* hash, uint32_t hashSz, const uint8_t* key, uint32_t keySz, + int* result, void* ctx); +int Renesas_cmn_RsaVerify(WOLFSSL* ssl, byte* sig, uint32_t sigSz, + uint8_t** out, const byte* key, uint32_t keySz, void* ctx); + +#endif /* __RENESAS_CMN_H__ */ \ No newline at end of file diff --git a/wolfssl/wolfcrypt/port/Renesas/renesas_sync.h b/wolfssl/wolfcrypt/port/Renesas/renesas_sync.h new file mode 100644 index 000000000..ea18d4411 --- /dev/null +++ b/wolfssl/wolfcrypt/port/Renesas/renesas_sync.h @@ -0,0 +1,35 @@ +/* cavium_octeon_sync.h + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef _RENESAS_SYNC_H_ +#define _RENESAS_SYNC_H_ + +#ifdef HAVE_RENESAS_SYNC + +struct WOLFSSL; +struct User_SCEPKCbInfo; +extern User_SCEPKCbInfo guser_PKCbInfo; + +WOLFSSL_API int wc_CryptoCb_CryptInitRenesascmn(struct WOLFSSL* ssl, void* ctx); +WOLFSSL_API void wc_CryptoCb_CleanupRenesascmn(int* id); + +#endif /* HAVE_RENESAS_SYNC */ +#endif /* _RENESAS_SYNC_H_ */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 9252f7111..1a8960d12 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -212,6 +212,12 @@ /* Uncomment next line if using RENESAS RX64N */ /* #define WOLFSSL_RENESAS_RX65N */ +/* Uncomment next line if using RENESAS SCE PROTECT MODE */ +/* #define WOLFSSL_RENESAS_SCEPROTECT */ + +/* Uncomment next line if using RENESAS RA6M4 */ +/* #define WOLFSSL_RENESAS_RA6M4 */ + /* Uncomment next line if using Solaris OS*/ /* #define WOLFSSL_SOLARIS */ @@ -326,7 +332,22 @@ #endif #endif -#if defined(WOLFSSL_RENESAS_RA6M3G) || defined(WOLFSSL_RENESAS_RA6M3) +#if defined(WOLFSSL_RENESAS_SCEPROTECT) + #define SCE_TLS_MASTERSECRET_SIZE 80 /* 20 words */ + #define TSIP_TLS_HMAC_KEY_INDEX_WORDSIZE 64 + #define TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY 560 /* in bytes */ + #define SCE_TLS_CLIENTRANDOM_SZ 36 /* in bytes */ + #define SCE_TLS_SERVERRANDOM_SZ 36 /* in bytes */ + #define SCE_TLS_ENCRYPTED_ECCPUBKEY_SZ 96 /* in bytes */ + + #define WOLFSSL_RENESAS_SCEPROTECT_ECC + #if defined(WOLFSSL_RENESAS_SCEPROTECT_ECC) + #define HAVE_PK_CALLBACKS + /* #define DEBUG_PK_CB */ + #endif +#endif +#if defined(WOLFSSL_RENESAS_RA6M3G) || defined(WOLFSSL_RENESAS_RA6M3) ||\ + defined(WOLFSSL_RENESAS_RA6M4) /* settings in user_settings.h */ #endif diff --git a/wolfssl/wolfcrypt/sha256.h b/wolfssl/wolfcrypt/sha256.h index fed65f126..8e4447003 100644 --- a/wolfssl/wolfcrypt/sha256.h +++ b/wolfssl/wolfcrypt/sha256.h @@ -142,6 +142,9 @@ enum { #elif defined(WOLFSSL_RENESAS_TSIP_CRYPT) && \ !defined(NO_WOLFSSL_RENESAS_TSIP_CRYPT_HASH) #include "wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h" +#elif defined(WOLFSSL_RENESAS_SCEPROTECT) && \ + !defined(NO_WOLFSSL_RENESAS_SCEPROTECT_HASH) + #include "wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h" #else #if defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_HASH) diff --git a/wolfssl/wolfio.h b/wolfssl/wolfio.h index 93d7d0371..421226685 100644 --- a/wolfssl/wolfio.h +++ b/wolfssl/wolfio.h @@ -168,7 +168,9 @@ #endif #endif - #if defined(WOLFSSL_RENESAS_RA6M3G) || defined(WOLFSSL_RENESAS_RA6M3) /* Uses FREERTOS_TCP */ + #if defined(WOLFSSL_RENESAS_RA6M3G) || defined(WOLFSSL_RENESAS_RA6M3) ||\ + defined(WOLFSSL_RENESAS_RA6M4) + /* Uses FREERTOS_TCP */ #include #endif From c84194ffc8e24efa5c38be98effd9711955840c7 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Fri, 19 Nov 2021 14:44:45 +0900 Subject: [PATCH 2/7] include renesas_cmn.h to am file --- wolfssl/wolfcrypt/include.am | 1 + 1 file changed, 1 insertion(+) diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index 763046eff..7728fc35c 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -96,6 +96,7 @@ noinst_HEADERS+= \ wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h \ wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h \ wolfssl/wolfcrypt/port/Renesas/renesas_sync.h \ + wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h \ wolfssl/wolfcrypt/port/cypress/psoc6_crypto.h if BUILD_CRYPTOAUTHLIB From 9a331d70721b29ef3a939096f1212bb99fbe3553 Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Fri, 19 Nov 2021 15:35:06 +0900 Subject: [PATCH 3/7] update Readme --- IDE/Renesas/e2studio/RA6M4/README.md | 94 +++++++++++++++++++++++----- 1 file changed, 78 insertions(+), 16 deletions(-) diff --git a/IDE/Renesas/e2studio/RA6M4/README.md b/IDE/Renesas/e2studio/RA6M4/README.md index 9f6323471..9727af816 100644 --- a/IDE/Renesas/e2studio/RA6M4/README.md +++ b/IDE/Renesas/e2studio/RA6M4/README.md @@ -43,11 +43,11 @@ The wolfssl Project Summary is listed below and is relevant for every project. |FreeRTOS+TCP|v2.3.2+fsp.3.4.0a| |FreeRTOS - Buffer Allocation 2|v2.3.2+fsp.3.4.0a| -## Setup Steps +## Setup Steps and Build wolfSSL Library 1.) Import projects from [File]->[Open projects from File System] -+ Select folder at /path/to/wolfssl/IDE/Renesas/e2studio/RA6M ++ Select folder at /path/to/wolfssl/IDE/Renesas/e2studio/RA6M4 + Deselect the Non-Eclipse project, RA6M4, by clicking the checkbox\ Only the folders with 'Eclipse project' under 'Import as' need to be selected. @@ -91,30 +91,92 @@ The wolfssl Project Summary is listed below and is relevant for every project. OR\ you can specify "RTT control block" to 0x20020000 0x10000 by Search Range +## Run Client +1.) Enable TLS_CLIENT definition in wolfssl_demo.h of test_RA6M4 projet -6.) Prepare peer wolfssl server - On Linux\ +2.) Client IP address and Server IP address + ++ Client IP address can be changed by the following line in wolf_client.c. ``` - $ autogen.sh\ +static const byte ucIPAddress[4] = { 192, 168, 11, 241 }; +``` ++ Client IP address can be changed by the following line in wolf_client.c. +``` +#define SERVER_IP "192.168.11.40" +``` + +3.) Build test_RA6M4 project + +4.) Prepare peer wolfssl server + ++ On Linux +``` + $ autogen.sh $ ./configure --enable-extended-master=no CFLAGS="-DWOLFSSL_STATIC_RSA -DHAVE_AES_CBC" ``` +Run peer wolfSSL server -7.) Run the example Client +RSA sign and verify use, launch server with the following option ``` - RSA sign and verify use, launch server $./example/server/server -b -d -i ``` +You will see the following message on J-LinK RTT Viewer +``` +cipher : AES128-SHA256 +Received: I hear you fa shizzle! + +cipher : AES256-SHA256 +Received: I hear you fa shizzle! + +cipher : ECDHE-RSA-AES128-SHA256 +Received: I hear you fa shizzle! + +cipher : ECDHE-RSA-AES128-GCM-SHA256 +Received: I hear you fa shizzle! +``` + +ECDSA sign and verifyuse, launch server with the following option ``` - ECDSA sign and verifyuse, launch server $./examples/server/server -b -d -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem ``` - **Note**\ - To run "RSA sign and verify" client, enable "#define USE_CERT_BUFFERS_2048" in wolfssl_demo.h\ - To run "ECDSA sign and verify" client, enable "#define USE_CERT_BUFFERS_256" in wolfssl_demo.h - - **Note**\ - To run Crypt test, enable "CRYPT_TEST" macro in wolfssl_demo.h\ - To run Benchmark, enable "BENCHMARK" macro in wolfssl_demo.h - \ No newline at end of file +You will see the following message on J-LinK RTT Viewer +``` +cipher : ECDHE-ECDSA-AES128-SHA256 +Received: I hear you fa shizzle! + +cipher : ECDHE-ECDSA-AES128-GCM-SHA256 +Received: I hear you fa shizzle! +``` + +5.) Run the example Client + + **Note**\ + To run "RSA verify" client, enable "#define USE_CERT_BUFFERS_2048" in wolfssl_demo.h\ + To run "ECDSA verify" client, enable "#define USE_CERT_BUFFERS_256" in wolfssl_demo.h + +## Run Crypt test and Benchmark + +1.) Enable CRYPT_TEST and/or BENCHMARK definition in wolfssl_demo.h + +2.) Enable SCEKEY_INSTALLED definition in user_settings.h if you have installed key for AES + +In the example code for benchmark, it assumes that AES key is installed at DIRECT_KEY_ADDRESS which is 0x08000000U as follows: +``` +#if defined(SCEKEY_INSTALLED) + /* aes 256 */ + memcpy(guser_PKCbInfo.sce_wrapped_key_aes256.value, + (uint32_t *)DIRECT_KEY_ADDRESS, HW_SCE_AES256_KEY_INDEX_WORD_SIZE*4); + guser_PKCbInfo.sce_wrapped_key_aes256.type = SCE_KEY_INDEX_TYPE_AES256; + guser_PKCbInfo.aes256_installedkey_set = 1; + /* aes 128 */ + guser_PKCbInfo.aes128_installedkey_set = 0; +#endif +``` + +To install key, please refer [Installing and Updating Secure Keys](chrome-extension://oemmndcbldboiebfnladdacbdfmadadm/https://www.renesas.com/us/en/document/apn/installing-and-updating-secure-keys-ra-family). + +You can update code above to handle AES128 key when you install its key. + +3.) Run Benchmark and Crypto Test From d00c7641ae1fd876e25a3f9dab5c61719b36b30a Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Sat, 20 Nov 2021 09:14:21 +0900 Subject: [PATCH 4/7] addressed jenkins failure --- IDE/Renesas/e2studio/RA6M4/include.am | 1 + src/internal.c | 1 + src/tls.c | 2 ++ 3 files changed, 4 insertions(+) diff --git a/IDE/Renesas/e2studio/RA6M4/include.am b/IDE/Renesas/e2studio/RA6M4/include.am index d7d652ca6..e9066d832 100644 --- a/IDE/Renesas/e2studio/RA6M4/include.am +++ b/IDE/Renesas/e2studio/RA6M4/include.am @@ -15,6 +15,7 @@ EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c +EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/common/.gitignore EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h diff --git a/src/internal.c b/src/internal.c index ef5de9538..029ae655b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -16712,6 +16712,7 @@ static WC_INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz, if (ssl->options.tls) { #if defined(HAVE_PK_CALLBACKS) + ret = PROTOCOLCB_UNAVAILABLE; if(ssl->ctx->VerifymacCb) { void* ctx = wolfSSL_GetVerifymacCtx(ssl); ret = ssl->ctx->VerifymacCb(ssl, input, diff --git a/src/tls.c b/src/tls.c index 7c8b1df9c..32cac7352 100644 --- a/src/tls.c +++ b/src/tls.c @@ -402,6 +402,7 @@ int DeriveTlsKeys(WOLFSSL* ssl) else { #endif #if defined(HAVE_PK_CALLBACKS) + ret = PROTOCOLCB_UNAVAILABLE; if (ssl->ctx->GenSessionKeyCb) { void* ctx = wolfSSL_GetGenSesssionKeyCtx(ssl); ret = ssl->ctx->GenSessionKeyCb(ssl, ctx); @@ -593,6 +594,7 @@ int MakeTlsMasterSecret(WOLFSSL* ssl) } else #endif #if defined(HAVE_PK_CALLBACKS) + ret = PROTOCOLCB_UNAVAILABLE; if (ssl->ctx->GenMasterCb) { void* ctx = wolfSSL_GetGenMasterSecretCtx(ssl); ret = ssl->ctx->GenMasterCb(ssl, ctx); From 82eb23b3004e4f6e203c33b0e6226d7d4b6a63ac Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Sat, 20 Nov 2021 10:15:57 +0900 Subject: [PATCH 5/7] addressed jenkins failures --- src/internal.c | 2 +- src/keys.c | 3 ++- src/tls.c | 6 +++--- wolfssl/test.h | 4 ++++ 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/src/internal.c b/src/internal.c index 029ae655b..91411de3c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -16711,7 +16711,7 @@ static WC_INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz, padByte = 1; if (ssl->options.tls) { -#if defined(HAVE_PK_CALLBACKS) +#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) ret = PROTOCOLCB_UNAVAILABLE; if(ssl->ctx->VerifymacCb) { void* ctx = wolfSSL_GetVerifymacCtx(ssl); diff --git a/src/keys.c b/src/keys.c index 5831b8595..8a8a9cb73 100644 --- a/src/keys.c +++ b/src/keys.c @@ -3119,7 +3119,8 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) else #endif -#if defined(HAVE_PK_CALLBACKS) +#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) + ret = PROTOCOLCB_UNAVAILABLE; if (ssl->ctx->SetKeysCb) { void* ctx = wolfSSL_GetSetKeysCtx(ssl); ret = ssl->ctx->SetKeysCb(ssl, ctx); diff --git a/src/tls.c b/src/tls.c index 32cac7352..c59f7e82f 100644 --- a/src/tls.c +++ b/src/tls.c @@ -210,7 +210,7 @@ int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) side = tls_server; #ifdef WOLFSSL_HAVE_PRF -#if defined(HAVE_PK_CALLBACKS) +#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) if (ssl->ctx->TlsFinishedCb) { void* ctx = wolfSSL_GetTlsFinishedCtx(ssl); ret = ssl->ctx->TlsFinishedCb(ssl, side, handshake_hash, @@ -401,7 +401,7 @@ int DeriveTlsKeys(WOLFSSL* ssl) ret = tsip_generateSeesionKey(ssl); else { #endif -#if defined(HAVE_PK_CALLBACKS) +#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) ret = PROTOCOLCB_UNAVAILABLE; if (ssl->ctx->GenSessionKeyCb) { void* ctx = wolfSSL_GetGenSesssionKeyCtx(ssl); @@ -593,7 +593,7 @@ int MakeTlsMasterSecret(WOLFSSL* ssl) #endif } else #endif -#if defined(HAVE_PK_CALLBACKS) +#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) ret = PROTOCOLCB_UNAVAILABLE; if (ssl->ctx->GenMasterCb) { void* ctx = wolfSSL_GetGenMasterSecretCtx(ssl); diff --git a/wolfssl/test.h b/wolfssl/test.h index 9c8badec5..19a1eea5d 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -4768,6 +4768,7 @@ static WC_INLINE void SetupPkCallbacks(WOLFSSL_CTX* ctx) wolfSSL_CTX_SetRsaDecCb(ctx, myRsaDec); #endif /* NO_RSA */ + #ifndef NO_CERTS wolfSSL_CTX_SetGenMasterSecretCb(ctx, myGenMaster); wolfSSL_CTX_SetGenPreMasterCb(ctx, myGenPreMaster); wolfSSL_CTX_SetGenSesssionKeyCb(ctx, myGenSessionKey); @@ -4778,6 +4779,7 @@ static WC_INLINE void SetupPkCallbacks(WOLFSSL_CTX* ctx) #endif wolfSSL_CTX_SetTlsFinishedCb(ctx, myTlsFinished); + #endif /* NO_CERTS */ } static WC_INLINE void SetupPkCallbackContexts(WOLFSSL* ssl, void* myCtx) @@ -4818,6 +4820,7 @@ static WC_INLINE void SetupPkCallbackContexts(WOLFSSL* ssl, void* myCtx) wolfSSL_SetRsaDecCtx(ssl, myCtx); #endif /* NO_RSA */ + #ifndef NO_CERTS wolfSSL_SetGenMasterSecretCtx(ssl, myCtx); wolfSSL_SetGenPreMasterCtx(ssl, myCtx); wolfSSL_SetGenSesssionKeyCtx(ssl, myCtx); @@ -4828,6 +4831,7 @@ static WC_INLINE void SetupPkCallbackContexts(WOLFSSL* ssl, void* myCtx) #endif wolfSSL_SetTlsFinishedCtx(ssl, myCtx); + #endif } #endif /* HAVE_PK_CALLBACKS */ From 89ed811e23cc633638dc96dc4efb2dc73cadfbda Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Mon, 22 Nov 2021 21:36:02 +0900 Subject: [PATCH 6/7] fix compile error when disabled SCEPROTECT --- .../e2studio/RA6M4/common/user_settings.h | 2 +- .../e2studio/RA6M4/common/wolfssl_demo.h | 2 +- .../e2studio/RA6M4/test/src/test_main.c | 49 ++++++++++++------- .../e2studio/RA6M4/test/src/wolf_client.c | 30 ++++++++---- wolfcrypt/src/port/Renesas/renesas_common.c | 4 +- 5 files changed, 55 insertions(+), 32 deletions(-) diff --git a/IDE/Renesas/e2studio/RA6M4/common/user_settings.h b/IDE/Renesas/e2studio/RA6M4/common/user_settings.h index 2615f540c..2284f0985 100644 --- a/IDE/Renesas/e2studio/RA6M4/common/user_settings.h +++ b/IDE/Renesas/e2studio/RA6M4/common/user_settings.h @@ -75,6 +75,6 @@ #define WOLF_CRYPTO_CB /* Enable SCEKEY_INSTALLED if keys are installed */ #define SCEKEY_INSTALLED -#if defined(SCEKEY_INSTALLED) +#if defined(WOLFSSL_RENESAS_SCEPROTECT) && defined(SCEKEY_INSTALLED) #define HAVE_RENESAS_SYNC #endif diff --git a/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h b/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h index 6c2320439..59bd001c8 100644 --- a/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h +++ b/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h @@ -59,7 +59,7 @@ #endif void wolfSSL_TLS_client_init(); -void wolfSSL_TLS_client(); +uint32_t wolfSSL_TLS_client(); static void util_Cleanup(xSocket_t xSock, WOLFSSL_CTX *ctx, WOLFSSL *ssl) { printf("Cleaning up socket and wolfSSL objects.\n"); diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c b/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c index 5edd53517..fea8333fb 100644 --- a/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c +++ b/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c @@ -24,7 +24,10 @@ #include "stdint.h" #include #include +#if defined(WOLFSSL_RENESAS_SCEPROTECT) #include +User_SCEPKCbInfo guser_PKCbInfo; +#endif #include #include "key_data.h" @@ -34,7 +37,7 @@ void abort(void); } #endif -User_SCEPKCbInfo guser_PKCbInfo; + #if defined(TLS_CLIENT) || defined(TLS_SERVER) || defined(EXTRA_SCE_TSIP_TEST) @@ -117,7 +120,7 @@ void sce_test(void) #include "r_sce.h" printf("Prepare Installed key\n"); -#if defined(SCEKEY_INSTALLED) +#if defined(WOLFSSL_RENESAS_SCEPROTECT) && defined(SCEKEY_INSTALLED) /* aes 256 */ memcpy(guser_PKCbInfo.sce_wrapped_key_aes256.value, (uint32_t *)DIRECT_KEY_ADDRESS, HW_SCE_AES256_KEY_INDEX_WORD_SIZE*4); @@ -135,22 +138,22 @@ void sce_test(void) #include "hal_data.h" #include "r_sce.h" -#if defined(WOLFSSL_RENESAS_SCEPROTECT) #if defined(USE_CERT_BUFFERS_256) -#ifdef TEST_CIPHER_SPECIFIED + #if defined(TEST_CIPHER_SPECIFIED) const char* cipherlist[] = { "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256" }; const int cipherlist_sz = 2; -#else + #else const char* cipherlist[] = { NULL }; const int cipherlist_sz = 1; -#endif + #endif /* TEST_CIPHER_SPECIFIED */ + #else -#ifdef TEST_CIPHER_SPECIFIED + #if defined(TEST_CIPHER_SPECIFIED) const char* cipherlist[] = { "AES128-SHA256", "AES256-SHA256", @@ -158,34 +161,42 @@ void sce_test(void) "ECDHE-RSA-AES128-GCM-SHA256" }; const int cipherlist_sz = 4; -#else + #else const char* cipherlist[] = { NULL }; const int cipherlist_sz = 1; -#endif + #endif /* TEST_CIPHER_SPECIFIED */ #endif -#else - const char* cipherlist[] = { NULL }; - const int cipherlist_sz = 0; -#endif int i = 0; - + int j = 0; + uint32_t elapsed_time_total = 0; + uint32_t elapsed_time = 0.0; + const int benchmark_times = 1; + SetScetlsKey(); TCPInit(); do { - if(cipherlist_sz > 0 && cipherlist[i] != NULL ) printf("cipher : %s\n", cipherlist[i]); + if(cipherlist_sz > 0 && cipherlist[i] != NULL ) + printf("cipher : %s\n", cipherlist[i]); - wolfSSL_TLS_client_init(cipherlist[i]); - - wolfSSL_TLS_client(); + elapsed_time_total = 0; + for(j = 0; j < benchmark_times; j++){ + wolfSSL_TLS_client_init(cipherlist[i]); + elapsed_time = wolfSSL_TLS_client(); + elapsed_time_total += elapsed_time; + printf("elapsed_time(%d) %d mS\n", j, elapsed_time); + } + if(cipherlist_sz > 0 && i < cipherlist_sz && cipherlist[i] != NULL ) { + printf("cipher : %s took %d mS for TLS connection(%d times).\n\n", cipherlist[i], + elapsed_time_total, benchmark_times); + } i++; } while (i < cipherlist_sz); - #endif } diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c b/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c index 770862636..7f763bf4f 100644 --- a/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c +++ b/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c @@ -23,6 +23,7 @@ #include #include +#include #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/ssl.h" #include "wolfssl/certs_test.h" @@ -44,6 +45,13 @@ static const byte ucDNSServerAddress[4] = { 192, 168, 11, 1 }; #define FR_SOCKET_SUCCESS 0 +static uint32_t TimeNowInMilliseconds(void) +{ + return (unsigned int)(((float)xTaskGetTickCount()) / + (configTICK_RATE_HZ / 1000)); +} + + void TCPInit( ) { BaseType_t fr_status; @@ -88,7 +96,7 @@ void wolfSSL_TLS_client_init(const char* cipherlist) printf("ERROR: failed to create WOLFSSL_CTX\n"); return; } - #if defined(WOLFSSL_RENESAS_SCEPROTECT_ECC) + #if defined(WOLFSSL_RENESAS_SCEPROTECT) /* set callback functions for ECC */ sce_set_callbacks(client_ctx); #endif @@ -112,11 +120,11 @@ void wolfSSL_TLS_client_init(const char* cipherlist) } } -void wolfSSL_TLS_client( ) +uint32_t wolfSSL_TLS_client( ) { int ret; /* FreeRTOS+TCP Objects */ - + uint32_t elipsed_time = 0; socklen_t xSize = sizeof(struct freertos_sockaddr); xSocket_t xClientSocket = NULL; struct freertos_sockaddr xRemoteAddress; @@ -151,9 +159,9 @@ void wolfSSL_TLS_client( ) if((ssl = wolfSSL_new(ctx)) == NULL) { printf("ERROR wolfSSL_new: %d\n", wolfSSL_get_error(ssl, 0)); - return; + return elipsed_time; } - #if defined(WOLFSSL_RENESAS_SCEPROTECT_ECC) + #if defined(WOLFSSL_RENESAS_SCEPROTECT) /* set callback ctx */ sce_set_callback_ctx(ssl, (void*)&guser_PKCbInfo); #endif @@ -163,20 +171,22 @@ void wolfSSL_TLS_client( ) printf("Error [%d]: wolfSSL_set_fd.\n",ret); util_inf_loop(xClientSocket, ctx, ssl); } - + + elipsed_time = TimeNowInMilliseconds( ); if(wolfSSL_connect(ssl) != SSL_SUCCESS) { printf("ERROR SSL connect: %d\n", wolfSSL_get_error(ssl, 0)); - return; + return elipsed_time;; } + elipsed_time = TimeNowInMilliseconds( ) - elipsed_time; if (wolfSSL_write(ssl, sendBuff, strlen(sendBuff)) != strlen(sendBuff)) { printf("ERROR SSL write: %d\n", wolfSSL_get_error(ssl, 0)); - return; + return elipsed_time;; } if ((ret=wolfSSL_read(ssl, rcvBuff, BUFF_SIZE)) < 0) { printf("ERROR SSL read: %d\n", wolfSSL_get_error(ssl, 0)); - return; + return elipsed_time;; } rcvBuff[ret] = '\0' ; @@ -188,5 +198,5 @@ void wolfSSL_TLS_client( ) wolfSSL_Cleanup(); - return; + return elipsed_time; } diff --git a/wolfcrypt/src/port/Renesas/renesas_common.c b/wolfcrypt/src/port/Renesas/renesas_common.c index 260ab1799..87581fb28 100644 --- a/wolfcrypt/src/port/Renesas/renesas_common.c +++ b/wolfcrypt/src/port/Renesas/renesas_common.c @@ -21,6 +21,8 @@ #include +#if defined(WOLFSSL_RENESAS_SCEPROTECT) || defined(WOLFSSL_RENESAS_TSIP_TLS) + #if defined(WOLFSSL_RENESAS_SCEPROTECT) #include #elif defined(WOLFSSL_RENESAS_TSIP_TLS) @@ -802,4 +804,4 @@ int Renesas_cmn_SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz, return ret; } - +#endif /* SCEPROTECT || TSIP */ From fb4e39f00ac43d3291ad436f1f575f560fed506e Mon Sep 17 00:00:00 2001 From: Hideki Miyazaki Date: Wed, 24 Nov 2021 19:11:16 +0900 Subject: [PATCH 7/7] addressed review comments prt1 --- IDE/Renesas/e2studio/RA6M4/README.md | 86 +- .../e2studio/RA6M4/common/wolfssl_demo.h | 14 +- IDE/Renesas/e2studio/RA6M4/include.am | 4 - .../e2studio/RA6M4/test/key_data/key_data.h | 5 +- .../RA6M4/test/key_data/key_data_sce.c | 94 ++- .../e2studio/RA6M4/test/src/hal_entry.c | 59 -- .../RA6M4/test/src/sce_tst_thread_entry.c | 18 - .../e2studio/RA6M4/test/src/test_main.c | 49 +- .../e2studio/RA6M4/test/src/wolf_client.c | 27 +- .../RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg | 36 - .../e2studio/RA6M4/wolfssl/configuration.xml | 799 ------------------ src/internal.c | 50 +- src/keys.c | 12 +- src/ssl.c | 62 +- src/tls.c | 2 +- wolfcrypt/benchmark/benchmark.c | 4 +- wolfcrypt/src/asn.c | 28 +- wolfcrypt/src/port/Renesas/renesas_common.c | 163 ++-- wolfcrypt/src/port/Renesas/renesas_sce_aes.c | 63 +- wolfcrypt/src/port/Renesas/renesas_sce_sha.c | 8 +- wolfcrypt/src/port/Renesas/renesas_sce_util.c | 235 +++--- wolfcrypt/src/wc_port.c | 4 +- wolfcrypt/test/test.c | 2 +- wolfssl/internal.h | 8 +- wolfssl/ssl.h | 30 +- wolfssl/test.h | 32 +- wolfssl/wolfcrypt/asn.h | 6 +- .../port/Renesas/renesas-sce-crypt.h | 91 +- wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h | 38 +- wolfssl/wolfcrypt/port/Renesas/renesas_sync.h | 6 +- wolfssl/wolfcrypt/settings.h | 2 +- 31 files changed, 600 insertions(+), 1437 deletions(-) delete mode 100644 IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c delete mode 100644 IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c delete mode 100644 IDE/Renesas/e2studio/RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg delete mode 100644 IDE/Renesas/e2studio/RA6M4/wolfssl/configuration.xml diff --git a/IDE/Renesas/e2studio/RA6M4/README.md b/IDE/Renesas/e2studio/RA6M4/README.md index 9727af816..b9eebcb17 100644 --- a/IDE/Renesas/e2studio/RA6M4/README.md +++ b/IDE/Renesas/e2studio/RA6M4/README.md @@ -1,19 +1,21 @@ -wolfSSL for Renesas RA Evaluation Kit (EK-RA6M4) +wolfSSL for Renesas RA Evaluation Kit (EK-RA6M4) ================================================= ## Description -This directory contains e2studio projects targeted at the Renesas RA 32-bit MCUs.\ -The example projects include a wolfSSL TLS client.\ +This directory contains e2studio projects targeted at the Renesas RA 32-bit MCUs. +The example projects include a wolfSSL TLS client. They also include benchmark and cryptography tests for the wolfCrypt library. -The wolfssl project contains both the wolfSSL and wolfCrypt libraries.\ -It is built as a `Renesas RA C Library Project` and contains the Renesas RA\ -configuration. The wolfssl project uses `Secure Cryptography Engine on RA6 Protected Mode` \ + +The wolfssl project contains both the wolfSSL and wolfCrypt libraries. +It is built as a `Renesas RA C Library Project` and contains the Renesas RA +configuration. The wolfssl project uses `Secure Cryptography Engine on RA6 Protected Mode` as hardware acceleration for cypto and TLS operation. -The other projects (benchmark, client, and test) are built as a\ -`Renesas RA C Project Using RA Library`, where the RA library is the wolfssl project.\ + +The other projects (benchmark, client, and test) are built as a +`Renesas RA C Project Using RA Library`, where the RA library is the wolfssl project. The wolfssl Project Summary is listed below and is relevant for every project. ### Project Summary @@ -51,25 +53,66 @@ The wolfssl Project Summary is listed below and is relevant for every project. + Deselect the Non-Eclipse project, RA6M4, by clicking the checkbox\ Only the folders with 'Eclipse project' under 'Import as' need to be selected. -2.) Create project Content by Smart Configurator +2.) Create a `dummy_library` Static Library. -+ Open Smart Configurator by clicking configuration.xml in wolfSSL_RA6M4 project -+ Create project content by clicking `Generate Project Content` ++ Click File->New->`RA C/C++ Project`. ++ Select `EK-RA6M4` from Drop-down list. ++ Check `Static Library`. ++ Select FreeRTOS from RTOS selection. Click Next. ++ Check `FreeRTOS minimal - Static Allocation`. Click Finish. ++ Open Smart Configurator by clicking configuration.xml in the project ++ Go to `BSP` tab and increase Heap Size under `RA Common` on Properties page ++ Go to `Stacks` tab ++ Add `SCE Protected Mode` stack from `New Stack` -> `Driver` -> `Crypt` ++ Add New thead and set properties + +|Property|Value| +|:--|:--| +|Thread Symbol|sce_tst_thread| +|Thread Name|sce_tst_thread| +|Thread Stack size|increase depending on your environment| +|Thread MemoryAllocation|Dyamic| +|Common General Use Mutexes|Enabled| +|Common General Enable Backward Compatibility|Enabled| +|Common Memory Allocation Support Dynamic Allocation|Enabled| +|Common Memory Allocation Total Heap Size|increase depending on your environment| + ++ Add `Heap 4` stack to sce_tst_thread from `New Stack` -> `FreeRTOS` -> `Memory Management` ++ Add `FreeRTOS + TCP` stack to sce_tst_thread from `New Stack` -> `FreeRTOS` -> `Libraries` and set properties + +|Property|Value| +|:--|:--| +|Network Events call vApplicationIPNetworkEventHook|Disable| +|Use DHCP|Disable| + ++ Save `dummy_library` FSP configuration ++ Copy configuration.xml and pincfg under `dummy_library` to `wolfSSL_RA6M4` ++ Open Smart Configurator by clicking copied configuration.xml ++ Click `Generate Project Content` on Smart Configurator 3.) Build the wolfSSL project -4.) Create a 'dummy' Renesas RA C Project Using RA Library. +4.) Create a 'dummy_application' Renesas RA C Project Using RA Library. + Click File->New->`RA C/C++ Project`. + Select `EK-RA6M4` from Drop-down list. + Check `Executable Using an RA Static Library`. + Select FreeRTOS from RTOS selection. Click Finish. -+ Enter `dummy_app` as the project name. Click Next. ++ Enter `dummy_application` as the project name. Click Next. + Under `RA library project`, select `wolfSSL_RA6M4`. + Click Finish. + Copy the followng folder inside dummy_app to `test_RA6M4`\ script/ + src/sce_tst_thread_entry.c ++ Add `sce_test()` call under /* TODO: add your own code here */ line at sce_tst_thread_entry.c +``` +... + /* TODO: add your own code here */ + sce_test(); +... +``` + 5.) Prepare SEGGER_RTT to logging + Download J-Link software from [Segger](https://www.segger.com/downloads/jlink) @@ -111,14 +154,14 @@ static const byte ucIPAddress[4] = { 192, 168, 11, 241 }; + On Linux ``` - $ autogen.sh - $ ./configure --enable-extended-master=no CFLAGS="-DWOLFSSL_STATIC_RSA -DHAVE_AES_CBC" +$ autogen.sh +$ ./configure --enable-extended-master=no CFLAGS="-DWOLFSSL_STATIC_RSA -DHAVE_AES_CBC" ``` Run peer wolfSSL server RSA sign and verify use, launch server with the following option ``` - $./example/server/server -b -d -i +$./example/server/server -b -d -i ``` You will see the following message on J-LinK RTT Viewer @@ -136,9 +179,9 @@ cipher : ECDHE-RSA-AES128-GCM-SHA256 Received: I hear you fa shizzle! ``` -ECDSA sign and verifyuse, launch server with the following option +ECDSA sign and verify use, launch server with the following option ``` - $./examples/server/server -b -d -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem +$./examples/server/server -b -d -c ./certs/server-ecc.pem -k ./certs/ecc-key.pem ``` You will see the following message on J-LinK RTT Viewer @@ -175,8 +218,13 @@ In the example code for benchmark, it assumes that AES key is installed at DIREC #endif ``` -To install key, please refer [Installing and Updating Secure Keys](chrome-extension://oemmndcbldboiebfnladdacbdfmadadm/https://www.renesas.com/us/en/document/apn/installing-and-updating-secure-keys-ra-family). +To install key, please refer [Installing and Updating Secure Keys](https://www.renesas.com/us/en/document/apn/installing-and-updating-secure-keys-ra-family). You can update code above to handle AES128 key when you install its key. 3.) Run Benchmark and Crypto Test + + +## Support + +For support inquiries and questions, please email support@wolfssl.com. Feel free to reach out to info@wolfssl.jp as well. diff --git a/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h b/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h index 59bd001c8..617dad959 100644 --- a/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h +++ b/IDE/Renesas/e2studio/RA6M4/common/wolfssl_demo.h @@ -32,10 +32,8 @@ #define FLASH_HP_DF_BLOCK_1 0x08000040U /* 64 B: 0x40100040 - 0x4010007F */ #define FLASH_HP_DF_BLOCK_2 0x08000080U /* 64 B: 0x40100080 - 0x401000BF */ #define FLASH_HP_DF_BLOCK_3 0x080000C0U /* 64 B: 0x401000C0 - 0x401000FF */ - #define DIRECT_KEY_ADDRESS FLASH_HP_DF_BLOCK_1 - /* Enable wolfcrypt test */ /* can be enabled with benchmark test */ /*#define CRYPT_TEST*/ @@ -45,13 +43,17 @@ /*#define BENCHMARK*/ /* Enable TLS client */ -/* cannot enable with other definition */ +/* cannot enable with CRYPT_TEST or BENCHMARK */ #define TLS_CLIENT +/* Specifiy cipher suites that are supported by SCE + * ClientHello specifies the cipher suite to communicate peer Server + * so that TLS handshake uses SCE protect mode + */ #define TEST_CIPHER_SPECIFIED -/* RSA certification use */ +/* Use RSA certificates */ #define USE_CERT_BUFFERS_2048 -/* ECC certification use */ +/* Use ECC certificates */ /*#define USE_CERT_BUFFERS_256*/ #if defined(USE_CERT_BUFFERS_2048) && defined(USE_CERT_BUFFERS_256) @@ -59,7 +61,7 @@ #endif void wolfSSL_TLS_client_init(); -uint32_t wolfSSL_TLS_client(); +void wolfSSL_TLS_client(); static void util_Cleanup(xSocket_t xSock, WOLFSSL_CTX *ctx, WOLFSSL *ssl) { printf("Cleaning up socket and wolfSSL objects.\n"); diff --git a/IDE/Renesas/e2studio/RA6M4/include.am b/IDE/Renesas/e2studio/RA6M4/include.am index e9066d832..b975dca4d 100644 --- a/IDE/Renesas/e2studio/RA6M4/include.am +++ b/IDE/Renesas/e2studio/RA6M4/include.am @@ -5,15 +5,11 @@ EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/README.md EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/wolfssl/.cproject EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/wolfssl/.project -EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/wolfssl/configuration.xml -EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/.cproject EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/.project EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/test_RA6M4Debug.launch EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/test_main.c EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c -EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c -EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/SEGGER_RTT/myprint.c EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/src/common/.gitignore EXTRA_DIST+= IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c diff --git a/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h b/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h index d4a3cd04d..78d660a74 100644 --- a/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h +++ b/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data.h @@ -6,13 +6,14 @@ /** Firmware update data and user key datas */ typedef struct user_key_block_data { + /* Provisioning key wapped by Renesas DLM */ uint8_t encrypted_provisioning_key[HW_SCE_AES_CBC_IV_BYTE_SIZE * 2]; + /* Initial vector to be used when creating encrypted key */ uint8_t iv[HW_SCE_AES_CBC_IV_BYTE_SIZE]; + /* RSA 2048 bit key, encrypted by AES128-ECB */ uint8_t encrypted_user_rsa2048_ne_key[HW_SCE_RSA2048_NE_KEY_BYTE_SIZE + 16]; - uint8_t encrypted_user_update_key[HW_SCE_AES256_KEY_BYTE_SIZE + 16]; } st_user_key_block_data_t; - extern const unsigned char ca_cert_der_sign[]; extern const unsigned char ca_ecc_cert_der_sign[]; diff --git a/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c b/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c index ba53b1818..abc7fcb96 100644 --- a/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c +++ b/IDE/Renesas/e2studio/RA6M4/test/key_data/key_data_sce.c @@ -1,52 +1,75 @@ - +/* key_data.h + * + * Copyright (C) 2006-2021 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ #include "key_data.h" #include "wolfssl_demo.h" -/********************************************************************************************************************** - Exported global variables - *********************************************************************************************************************/ +/******************************************************************************* + * SCE Key Information + *******************************************************************************/ const st_user_key_block_data_t g_key_block_data = { /* uint8_t encrypted_provisioning_key[R_TSIP_AES_CBC_IV_BYTE_SIZE * 2]; */ { - 0xE7, 0x1C, 0xEB, 0xCA, 0x3A, 0x64, 0x0B, 0xD2, 0xC5, 0xB8, 0xF2, 0xD0, 0xF7, 0x1B, 0xA9, 0x4A, - 0x98, 0xFF, 0xF3, 0x48, 0x81, 0xAD, 0xAF, 0x63, 0x19, 0x24, 0x4B, 0x2B, 0xC0, 0x8B, 0x9C, 0x6B + 0xE7, 0x1C, 0xEB, 0xCA, 0x3A, 0x64, 0x0B, 0xD2, 0xC5, 0xB8, 0xF2, 0xD0, + 0xF7, 0x1B, 0xA9, 0x4A, 0x98, 0xFF, 0xF3, 0x48, 0x81, 0xAD, 0xAF, 0x63, + 0x19, 0x24, 0x4B, 0x2B, 0xC0, 0x8B, 0x9C, 0x6B }, /* uint8_t iv[R_TSIP_AES_CBC_IV_BYTE_SIZE]; */ { - 0xD7, 0x97, 0x56, 0x82, 0x5B, 0x4B, 0x7F, 0xB2, 0x1C, 0x1F, 0xEE, 0x85, 0x02, 0xC5, 0xD0, 0xBA + 0xD7, 0x97, 0x56, 0x82, 0x5B, 0x4B, 0x7F, 0xB2, 0x1C, 0x1F, 0xEE, 0x85, + 0x02, 0xC5, 0xD0, 0xBA }, /* uint8_t encrypted_user_rsa2048_ne_key[R_TSIP_RSA2048_NE_KEY_BYTE_SIZE + 16]; */ { - 0x3F, 0xA5, 0xBE, 0xBF, 0x86, 0xEC, 0x23, 0x37, 0x82, 0x37, 0x71, 0x0C, 0x83, 0xA7, 0x8E, 0x86, - 0xF0, 0x16, 0xD3, 0x7B, 0xF1, 0x25, 0xA4, 0x37, 0x7A, 0x2D, 0x16, 0xF2, 0xFF, 0x3D, 0xEE, 0x46, - 0xE0, 0x05, 0x58, 0x56, 0xC2, 0xE7, 0x9D, 0x2C, 0x01, 0x84, 0x59, 0x8E, 0xA8, 0x9E, 0xEE, 0x3F, - 0x22, 0x83, 0x68, 0xDA, 0x9E, 0xCE, 0xEA, 0x99, 0xFD, 0xAF, 0xDF, 0x67, 0x1E, 0x73, 0x25, 0x68, - 0xBF, 0x0A, 0xDF, 0xAF, 0xC4, 0x3D, 0xF1, 0xBD, 0x41, 0xF5, 0xAC, 0xAC, 0xA4, 0x36, 0xF8, 0x96, - 0xC0, 0x8C, 0x2F, 0x1A, 0x79, 0x75, 0x28, 0xAE, 0x67, 0xC9, 0x5A, 0xDE, 0x2A, 0xB4, 0x99, 0xDB, - 0x8C, 0x25, 0x53, 0x58, 0x8C, 0xDC, 0xA8, 0x0D, 0xFE, 0xEE, 0x0F, 0x6C, 0x61, 0xE6, 0x43, 0x66, - 0xE8, 0x4A, 0xE3, 0xEB, 0xAB, 0xA2, 0x52, 0xE4, 0x67, 0xC2, 0x9A, 0x57, 0xA4, 0x1F, 0xE0, 0xFC, - 0x2B, 0xBE, 0x25, 0xBF, 0xF0, 0x70, 0x18, 0x88, 0x93, 0xB7, 0x2F, 0x74, 0xF8, 0xF3, 0x88, 0xB8, - 0xFA, 0x18, 0xBE, 0xC1, 0xB2, 0x24, 0x4B, 0xBC, 0x89, 0x2D, 0xC4, 0x02, 0xB3, 0x82, 0xEC, 0xDB, - 0xC9, 0xF0, 0xA9, 0xC3, 0x30, 0x7C, 0xF5, 0x15, 0xEB, 0x9B, 0x16, 0x8C, 0x9D, 0xEF, 0x42, 0x8A, - 0xCA, 0x5D, 0x28, 0xDF, 0x68, 0xEA, 0xE0, 0xB8, 0x76, 0x7C, 0xBB, 0x4A, 0x51, 0xDD, 0x55, 0x14, - 0xB7, 0xAB, 0xD2, 0xF1, 0xB9, 0x51, 0x19, 0x05, 0x26, 0x87, 0xF7, 0x5C, 0x69, 0x45, 0x3C, 0x82, - 0xE8, 0x82, 0x05, 0x5D, 0x33, 0x8E, 0xD1, 0x42, 0x71, 0xD6, 0x96, 0xDA, 0xAB, 0xB8, 0xC0, 0x0F, - 0xF7, 0x85, 0x8A, 0x12, 0xEF, 0xB9, 0x53, 0xFF, 0xD2, 0x95, 0x18, 0x2F, 0x0C, 0xA6, 0x72, 0x98, - 0xC3, 0xC6, 0x9B, 0x95, 0x70, 0x69, 0xC5, 0xB7, 0xD5, 0x24, 0x77, 0x05, 0xD0, 0x68, 0x85, 0x36, - 0xB8, 0x57, 0xE3, 0xED, 0x2E, 0x4D, 0x95, 0xD3, 0xFC, 0x24, 0x1B, 0x22, 0xFA, 0x43, 0xD8, 0x62, - 0x28, 0x57, 0x6B, 0x34, 0xBF, 0xD1, 0x63, 0x4B, 0xB5, 0xF5, 0x88, 0xBC, 0xB8, 0x69, 0xF3, 0xB5 - }, - /* uint8_t encrypted_user_update_key[R_TSIP_AES256_KEY_BYTE_SIZE + 16]; */ - { - 0x96, 0x15, 0xD0, 0x32, 0x6C, 0x80, 0xDB, 0xF7, 0x5D, 0xD7, 0x28, 0xAF, 0xFD, 0x0F, 0xA5, 0xB0, - 0x44, 0x76, 0x19, 0x75, 0x13, 0x3A, 0x10, 0x92, 0xE2, 0x97, 0xE3, 0x83, 0x6C, 0x42, 0x69, 0xA3, - 0x7E, 0x30, 0x5D, 0xFE, 0x7B, 0x2A, 0x8F, 0x30, 0x92, 0x25, 0x8C, 0xC5, 0xDB, 0x3E, 0x68, 0x06 + 0x3F, 0xA5, 0xBE, 0xBF, 0x86, 0xEC, 0x23, 0x37, 0x82, 0x37, 0x71, 0x0C, + 0x83, 0xA7, 0x8E, 0x86, 0xF0, 0x16, 0xD3, 0x7B, 0xF1, 0x25, 0xA4, 0x37, + 0x7A, 0x2D, 0x16, 0xF2, 0xFF, 0x3D, 0xEE, 0x46, 0xE0, 0x05, 0x58, 0x56, + 0xC2, 0xE7, 0x9D, 0x2C, 0x01, 0x84, 0x59, 0x8E, 0xA8, 0x9E, 0xEE, 0x3F, + 0x22, 0x83, 0x68, 0xDA, 0x9E, 0xCE, 0xEA, 0x99, 0xFD, 0xAF, 0xDF, 0x67, + 0x1E, 0x73, 0x25, 0x68, 0xBF, 0x0A, 0xDF, 0xAF, 0xC4, 0x3D, 0xF1, 0xBD, + 0x41, 0xF5, 0xAC, 0xAC, 0xA4, 0x36, 0xF8, 0x96, 0xC0, 0x8C, 0x2F, 0x1A, + 0x79, 0x75, 0x28, 0xAE, 0x67, 0xC9, 0x5A, 0xDE, 0x2A, 0xB4, 0x99, 0xDB, + 0x8C, 0x25, 0x53, 0x58, 0x8C, 0xDC, 0xA8, 0x0D, 0xFE, 0xEE, 0x0F, 0x6C, + 0x61, 0xE6, 0x43, 0x66, 0xE8, 0x4A, 0xE3, 0xEB, 0xAB, 0xA2, 0x52, 0xE4, + 0x67, 0xC2, 0x9A, 0x57, 0xA4, 0x1F, 0xE0, 0xFC, 0x2B, 0xBE, 0x25, 0xBF, + 0xF0, 0x70, 0x18, 0x88, 0x93, 0xB7, 0x2F, 0x74, 0xF8, 0xF3, 0x88, 0xB8, + 0xFA, 0x18, 0xBE, 0xC1, 0xB2, 0x24, 0x4B, 0xBC, 0x89, 0x2D, 0xC4, 0x02, + 0xB3, 0x82, 0xEC, 0xDB, 0xC9, 0xF0, 0xA9, 0xC3, 0x30, 0x7C, 0xF5, 0x15, + 0xEB, 0x9B, 0x16, 0x8C, 0x9D, 0xEF, 0x42, 0x8A, 0xCA, 0x5D, 0x28, 0xDF, + 0x68, 0xEA, 0xE0, 0xB8, 0x76, 0x7C, 0xBB, 0x4A, 0x51, 0xDD, 0x55, 0x14, + 0xB7, 0xAB, 0xD2, 0xF1, 0xB9, 0x51, 0x19, 0x05, 0x26, 0x87, 0xF7, 0x5C, + 0x69, 0x45, 0x3C, 0x82, 0xE8, 0x82, 0x05, 0x5D, 0x33, 0x8E, 0xD1, 0x42, + 0x71, 0xD6, 0x96, 0xDA, 0xAB, 0xB8, 0xC0, 0x0F, 0xF7, 0x85, 0x8A, 0x12, + 0xEF, 0xB9, 0x53, 0xFF, 0xD2, 0x95, 0x18, 0x2F, 0x0C, 0xA6, 0x72, 0x98, + 0xC3, 0xC6, 0x9B, 0x95, 0x70, 0x69, 0xC5, 0xB7, 0xD5, 0x24, 0x77, 0x05, + 0xD0, 0x68, 0x85, 0x36, 0xB8, 0x57, 0xE3, 0xED, 0x2E, 0x4D, 0x95, 0xD3, + 0xFC, 0x24, 0x1B, 0x22, 0xFA, 0x43, 0xD8, 0x62, 0x28, 0x57, 0x6B, 0x34, + 0xBF, 0xD1, 0x63, 0x4B, 0xB5, 0xF5, 0x88, 0xBC, 0xB8, 0x69, 0xF3, 0xB5 }, }; #ifndef USE_CERT_BUFFERS_256 -/* ca-cert.der.sign, */ +/* ca-cert.der.sign, + * ca-cert.der signed by RSA2048 PSS with SHA256 + * This is used for Root Certificate verify by SCE */ const unsigned char ca_cert_der_sign[] = { 0x07, 0x1A, 0x68, 0xF4, 0x53, 0x2A, 0x9B, 0x1F, 0xF7, 0x7B, @@ -79,7 +102,10 @@ const unsigned char ca_cert_der_sign[] = const int sizeof_ca_cert_der_sign = sizeof(ca_cert_der_sign); #else -/* ca-ecc-cert.der.sign, */ +/* ca-ecc-cert.der.sign, + * ca-ecc-cert.der signed by RSA2048 PSS with SHA256 + * This is used for Root Certificate verify by SCE + */ const unsigned char ca_ecc_cert_der_sign[] = { 0x07, 0xCA, 0x3B, 0x8F, 0x49, 0x26, 0x33, 0x80, 0x46, 0xFE, @@ -110,4 +136,4 @@ const unsigned char ca_ecc_cert_der_sign[] = 0x5B, 0x52, 0xFB, 0x37, 0x4E, 0x23 }; static const int sizeof_ca_ecc_cert_der_sign = sizeof(ca_ecc_cert_der_sign); -#endif +#endif /* USE_CERT_BUFFERS_256 */ diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c b/IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c deleted file mode 100644 index 4f769369c..000000000 --- a/IDE/Renesas/e2studio/RA6M4/test/src/hal_entry.c +++ /dev/null @@ -1,59 +0,0 @@ -#include "hal_data.h" - -FSP_CPP_HEADER -void R_BSP_WarmStart(bsp_warm_start_event_t event); -FSP_CPP_FOOTER - -/*******************************************************************************************************************//** - * main() is generated by the RA Configuration editor and is used to generate threads if an RTOS is used. This function - * is called by main() when no RTOS is used. - **********************************************************************************************************************/ -void hal_entry(void) -{ - /* TODO: add your own code here */ - -#if BSP_TZ_SECURE_BUILD - /* Enter non-secure code */ - R_BSP_NonSecureEnter(); -#endif -} - -/*******************************************************************************************************************//** - * This function is called at various points during the startup process. This implementation uses the event that is - * called right before main() to set up the pins. - * - * @param[in] event Where at in the start up process the code is currently at - **********************************************************************************************************************/ -void R_BSP_WarmStart (bsp_warm_start_event_t event) -{ - if (BSP_WARM_START_RESET == event) - { -#if BSP_FEATURE_FLASH_LP_VERSION != 0 - - /* Enable reading from data flash. */ - R_FACI_LP->DFLCTL = 1U; - - /* Would normally have to wait tDSTOP(6us) for data flash recovery. Placing the enable here, before clock and - * C runtime initialization, should negate the need for a delay since the initialization will typically take more than 6us. */ -#endif - } - - if (BSP_WARM_START_POST_C == event) - { - /* C runtime environment and system clocks are setup. */ - - /* Configure pins. */ - R_IOPORT_Open(&g_ioport_ctrl, g_ioport.p_cfg); - } -} - -#if BSP_TZ_SECURE_BUILD - -BSP_CMSE_NONSECURE_ENTRY void template_nonsecure_callable (); - -/* Trustzone Secure Projects require at least one nonsecure callable function in order to build (Remove this if it is not required to build). */ -BSP_CMSE_NONSECURE_ENTRY void template_nonsecure_callable () -{ - -} -#endif diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c b/IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c deleted file mode 100644 index 7466a8106..000000000 --- a/IDE/Renesas/e2studio/RA6M4/test/src/sce_tst_thread_entry.c +++ /dev/null @@ -1,18 +0,0 @@ -#include "sce_tst_thread.h" -#include "user_settings.h" -/* sce_tst_thread entry function */ -/* pvParameters contains TaskHandle_t */ - -int sce_test(); - -void sce_tst_thread_entry(void *pvParameters) -{ - FSP_PARAMETER_NOT_USED (pvParameters); - - /* TODO: add your own code here */ - sce_test(); - while (1) - { - vTaskDelay (1); - } -} diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c b/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c index fea8333fb..96199642d 100644 --- a/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c +++ b/IDE/Renesas/e2studio/RA6M4/test/src/test_main.c @@ -24,12 +24,15 @@ #include "stdint.h" #include #include + #if defined(WOLFSSL_RENESAS_SCEPROTECT) -#include -User_SCEPKCbInfo guser_PKCbInfo; + #include + User_SCEPKCbInfo guser_PKCbInfo; #endif + #include #include "key_data.h" +#include "hal_data.h" #ifdef __cplusplus extern "C" { @@ -37,7 +40,17 @@ void abort(void); } #endif +/* the function is called just before main() to set up pins */ +/* this needs to be called to setup IO Port */ +void R_BSP_WarmStart (bsp_warm_start_event_t event) +{ + if (BSP_WARM_START_POST_C == event) { + /* C runtime environment and system clocks are setup. */ + /* Configure pins. */ + R_IOPORT_Open(&g_ioport_ctrl, g_ioport.p_cfg); + } +} #if defined(TLS_CLIENT) || defined(TLS_SERVER) || defined(EXTRA_SCE_TSIP_TEST) @@ -53,12 +66,12 @@ static int SetScetlsKey() #if defined(TLS_CLIENT) || defined(EXTRA_SCE_TSIP_TEST) #if defined(USE_CERT_BUFFERS_256) - sce_inform_cert_sign((const byte *)ca_ecc_cert_der_sign); + wc_sce_inform_cert_sign((const byte *)ca_ecc_cert_der_sign); encrypted_user_key_type = 2; #else - sce_inform_cert_sign((const byte *)ca_cert_der_sign); + wc_sce_inform_cert_sign((const byte *)ca_cert_der_sign); #endif - sce_inform_user_keys( + wc_sce_inform_user_keys( (byte*)&g_key_block_data.encrypted_provisioning_key, (byte*)&g_key_block_data.iv, (byte*)&g_key_block_data.encrypted_user_rsa2048_ne_key, @@ -69,8 +82,8 @@ static int SetScetlsKey() #elif defined(TLS_SERVER) - sce_inform_cert_sign((const byte *)client_cert_der_sign); - sce_inform_user_keys( + wc_sce_inform_cert_sign((const byte *)client_cert_der_sign); + wc_sce_inform_user_keys( (byte*)&g_key_block_data.encrypted_provisioning_key, (byte*)&g_key_block_data.iv, (byte*)&g_key_block_data.encrypted_user_rsa2048_ne_key, @@ -96,7 +109,6 @@ int benchmark_test(void *args); void sce_test(void) { - /*(void)timeTick;*/ #if defined(CRYPT_TEST) || defined(BENCHMARK) #if defined(CRYPT_TEST) @@ -170,10 +182,6 @@ void sce_test(void) #endif int i = 0; - int j = 0; - uint32_t elapsed_time_total = 0; - uint32_t elapsed_time = 0.0; - const int benchmark_times = 1; SetScetlsKey(); @@ -181,20 +189,11 @@ void sce_test(void) do { if(cipherlist_sz > 0 && cipherlist[i] != NULL ) - printf("cipher : %s\n", cipherlist[i]); - - elapsed_time_total = 0; - for(j = 0; j < benchmark_times; j++){ - wolfSSL_TLS_client_init(cipherlist[i]); - elapsed_time = wolfSSL_TLS_client(); - elapsed_time_total += elapsed_time; - printf("elapsed_time(%d) %d mS\n", j, elapsed_time); - } - if(cipherlist_sz > 0 && i < cipherlist_sz && cipherlist[i] != NULL ) { - printf("cipher : %s took %d mS for TLS connection(%d times).\n\n", cipherlist[i], - elapsed_time_total, benchmark_times); - } + printf("cipher : %s\n", cipherlist[i]); + wolfSSL_TLS_client_init(cipherlist[i]); + wolfSSL_TLS_client(); + i++; } while (i < cipherlist_sz); #endif diff --git a/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c b/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c index 7f763bf4f..4aa1463a3 100644 --- a/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c +++ b/IDE/Renesas/e2studio/RA6M4/test/src/wolf_client.c @@ -45,13 +45,6 @@ static const byte ucDNSServerAddress[4] = { 192, 168, 11, 1 }; #define FR_SOCKET_SUCCESS 0 -static uint32_t TimeNowInMilliseconds(void) -{ - return (unsigned int)(((float)xTaskGetTickCount()) / - (configTICK_RATE_HZ / 1000)); -} - - void TCPInit( ) { BaseType_t fr_status; @@ -98,7 +91,7 @@ void wolfSSL_TLS_client_init(const char* cipherlist) } #if defined(WOLFSSL_RENESAS_SCEPROTECT) /* set callback functions for ECC */ - sce_set_callbacks(client_ctx); + wc_sce_set_callbacks(client_ctx); #endif #if !defined(NO_FILESYSTEM) @@ -120,11 +113,10 @@ void wolfSSL_TLS_client_init(const char* cipherlist) } } -uint32_t wolfSSL_TLS_client( ) +void wolfSSL_TLS_client( ) { int ret; /* FreeRTOS+TCP Objects */ - uint32_t elipsed_time = 0; socklen_t xSize = sizeof(struct freertos_sockaddr); xSocket_t xClientSocket = NULL; struct freertos_sockaddr xRemoteAddress; @@ -159,11 +151,11 @@ uint32_t wolfSSL_TLS_client( ) if((ssl = wolfSSL_new(ctx)) == NULL) { printf("ERROR wolfSSL_new: %d\n", wolfSSL_get_error(ssl, 0)); - return elipsed_time; + return; } #if defined(WOLFSSL_RENESAS_SCEPROTECT) /* set callback ctx */ - sce_set_callback_ctx(ssl, (void*)&guser_PKCbInfo); + wc_sce_set_callback_ctx(ssl, (void*)&guser_PKCbInfo); #endif /* Attach wolfSSL to the socket */ ret = wolfSSL_set_fd(ssl, (int) xClientSocket); @@ -172,21 +164,19 @@ uint32_t wolfSSL_TLS_client( ) util_inf_loop(xClientSocket, ctx, ssl); } - elipsed_time = TimeNowInMilliseconds( ); if(wolfSSL_connect(ssl) != SSL_SUCCESS) { printf("ERROR SSL connect: %d\n", wolfSSL_get_error(ssl, 0)); - return elipsed_time;; + return; } - elipsed_time = TimeNowInMilliseconds( ) - elipsed_time; if (wolfSSL_write(ssl, sendBuff, strlen(sendBuff)) != strlen(sendBuff)) { printf("ERROR SSL write: %d\n", wolfSSL_get_error(ssl, 0)); - return elipsed_time;; + return; } if ((ret=wolfSSL_read(ssl, rcvBuff, BUFF_SIZE)) < 0) { printf("ERROR SSL read: %d\n", wolfSSL_get_error(ssl, 0)); - return elipsed_time;; + return; } rcvBuff[ret] = '\0' ; @@ -196,7 +186,4 @@ uint32_t wolfSSL_TLS_client( ) wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); wolfSSL_Cleanup(); - - - return elipsed_time; } diff --git a/IDE/Renesas/e2studio/RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg b/IDE/Renesas/e2studio/RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg deleted file mode 100644 index 94f220b8e..000000000 --- a/IDE/Renesas/e2studio/RA6M4/wolfssl/R7FA6M4AF3CFB.pincfg +++ /dev/null @@ -1,36 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/IDE/Renesas/e2studio/RA6M4/wolfssl/configuration.xml b/IDE/Renesas/e2studio/RA6M4/wolfssl/configuration.xml deleted file mode 100644 index 9b4ddeb9f..000000000 --- a/IDE/Renesas/e2studio/RA6M4/wolfssl/configuration.xml +++ /dev/null @@ -1,799 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Board Support Package Common Files - Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack - - - Ethernet PHY - Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack - - - Ethernet - Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack - - - I/O Port - Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack - - - Secure Cryptography Engine on RA6 Protected Mode - Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack - - - r_ether to FreeRTOS+TCP Wrapper - Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack - - - FreeRTOS Port - Renesas.RA.3.4.0-alpha0+20210926.81b96644.pack - - - FreeRTOS - Buffer Allocation 2 - Amazon.FreeRTOS-Plus-TCP.2.3.2+fsp.3.4.0.alpha0.20210926.81b96644.pack - - - FreeRTOS+TCP - Amazon.FreeRTOS-Plus-TCP.2.3.2+fsp.3.4.0.alpha0.20210926.81b96644.pack - - - Arm CMSIS Version 5 - Core (M) - Arm.CMSIS5.5.7.0+fsp.3.4.0.alpha0.20210926.81b96644.pack - - - Board support package for R7FA6M4AF3CFB - Renesas.RA_mcu_ra6m4.3.4.0-alpha0+20210926.81b96644.pack - - - Board support package for RA6M4 - Renesas.RA_mcu_ra6m4.3.4.0-alpha0+20210926.81b96644.pack - - - Board support package for RA6M4 - FSP Data - Renesas.RA_mcu_ra6m4.3.4.0-alpha0+20210926.81b96644.pack - - - FreeRTOS - Amazon.FreeRTOS-Kernel.10.4.3+fsp.3.4.0.alpha0.20210926.81b96644.pack - - - FreeRTOS - Memory Management - Heap 4 - Amazon.FreeRTOS-Kernel.10.4.3+fsp.3.4.0.alpha0.20210926.81b96644.pack - - - RA6M4-EK Board Support Files - Renesas.RA_board_ra6m4_ek.3.4.0-alpha0+20210926.81b96644.pack - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/src/internal.c b/src/internal.c index 91411de3c..51c81a1f8 100644 --- a/src/internal.c +++ b/src/internal.c @@ -225,15 +225,8 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int tsip_generatePremasterSecret(); int tsip_generateEncryptPreMasterSecret(WOLFSSL *ssl, byte *out, word32 *outSz); #endif -#ifdef WOLFSSL_RENESAS_SCEPROTECT - int Renesas_cmn_useable(const WOLFSSL *ssl, byte seskey_gennerated); - int Renesas_cmn_SigPkCbRsaVerify(unsigned char* sig, unsigned int sigSz, - unsigned char** out, const unsigned char* keyDer, unsigned int keySz, - void* ctx); - int Renesas_cmn_SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz, - const unsigned char* hash, unsigned int hashSz, - const unsigned char* keyDer, unsigned int keySz, - int* result, void* ctx); +#if defined(WOLFSSL_RENESAS_SCEPROTECT) +#include #endif #if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK) @@ -11071,29 +11064,29 @@ int InitSigPkCb(WOLFSSL* ssl, SignatureCtx* sigCtx) /* only setup the verify callback if a PK is set */ #ifdef HAVE_ECC - #if !defined(WOLFSSL_RENESAS_SCEPROTECT) + #if defined(WOLFSSL_RENESAS_SCEPROTECT) + sigCtx->pkCbEcc = Renesas_cmn_SigPkCbEccVerify; + sigCtx->pkCtxEcc = (void*)&sigCtx->CertAtt; + (void)SigPkCbEccVerify; + #else if (ssl->ctx->EccVerifyCb) { sigCtx->pkCbEcc = SigPkCbEccVerify; sigCtx->pkCtxEcc = ssl; } - #else - sigCtx->pkCbEcc = Renesas_cmn_SigPkCbEccVerify; - sigCtx->pkCtxEcc = (void*)&sigCtx->CertAtt; - (void)SigPkCbEccVerify; #endif #endif #ifndef NO_RSA /* only setup the verify callback if a PK is set */ - #if !defined(WOLFSSL_RENESAS_SCEPROTECT) + #if defined(WOLFSSL_RENESAS_SCEPROTECT) + sigCtx->pkCbRsa = Renesas_cmn_SigPkCbRsaVerify; + sigCtx->pkCtxRsa = (void*)&sigCtx->CertAtt; + (void)SigPkCbRsaVerify; + #else if (ssl->ctx->RsaVerifyCb) { sigCtx->pkCbRsa = SigPkCbRsaVerify; sigCtx->pkCtxRsa = ssl; } - #else - sigCtx->pkCbRsa = Renesas_cmn_SigPkCbRsaVerify; - sigCtx->pkCtxRsa = (void*)&sigCtx->CertAtt; - (void)SigPkCbRsaVerify; #endif #endif @@ -12824,7 +12817,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else { ssl->peerRsaKeyPresent = 1; - #if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) + #if defined(WOLFSSL_RENESAS_TSIP_TLS) || \ + defined(WOLFSSL_RENESAS_SCEPROTECT) /* copy encrypted tsip key index into ssl object */ if (args->dCert->sce_tsip_encRsaKeyIdx) { if (!ssl->peerSceTsipEncRsaKeyIndex) { @@ -12888,7 +12882,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, int keyRet = 0; word32 idx = 0; #if defined(WOLFSSL_RENESAS_SCEPROTECT) - /* copy encrypted tsip key index into ssl object */ + /* copy encrypted tsip/sce key index into ssl object */ if (args->dCert->sce_tsip_encRsaKeyIdx) { if (!ssl->peerSceTsipEncRsaKeyIndex) { ssl->peerSceTsipEncRsaKeyIndex = (byte*)XMALLOC( @@ -12896,7 +12890,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, ssl->heap, DYNAMIC_TYPE_RSA); if (!ssl->peerSceTsipEncRsaKeyIndex) { args->lastErr = MEMORY_E; - goto exit_ppc; + ERROR_OUT(MEMORY_ERROR, exit_ppc); } } @@ -16713,16 +16707,16 @@ static WC_INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz, if (ssl->options.tls) { #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) ret = PROTOCOLCB_UNAVAILABLE; - if(ssl->ctx->VerifymacCb) { - void* ctx = wolfSSL_GetVerifymacCtx(ssl); - ret = ssl->ctx->VerifymacCb(ssl, input, + if(ssl->ctx->VerifyMacCb) { + void* ctx = wolfSSL_GetVerifyMacCtx(ssl); + ret = ssl->ctx->VerifyMacCb(ssl, input, (msgSz - ivExtra) - digestSz - pad - 1, digestSz, content, ctx); if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) { return ret; } } - if (!ssl->ctx->VerifymacCb || ret == PROTOCOLCB_UNAVAILABLE) + if (!ssl->ctx->VerifyMacCb || ret == PROTOCOLCB_UNAVAILABLE) #endif ret = TimingPadVerify(ssl, input, pad, digestSz, msgSz - ivExtra, content); @@ -24935,9 +24929,9 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input, defined(WOLFSSL_RENESAS_SCEPROTECT_ECC) /* already checked signature result by SCE */ /* skip the sign checks below */ - if (Renesas_cmn_useable(ssl, 0)) { + if (Renesas_cmn_usable(ssl, 0)) { break; - } else + } #endif if (IsAtLeastTLSv1_2(ssl)) { #ifdef WOLFSSL_SMALL_STACK diff --git a/src/keys.c b/src/keys.c index 8a8a9cb73..f162af097 100644 --- a/src/keys.c +++ b/src/keys.c @@ -44,9 +44,7 @@ #endif #if defined(WOLFSSL_RENESAS_SCEPROTECT) -/* callback for TLS hmac in SCE use case */ -int Renesas_cmn_TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, - word32 sz, int padSz, int content, int verify, int epochOrder); +#include #endif int SetCipherSpecs(WOLFSSL* ssl) @@ -3121,11 +3119,11 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side) #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) ret = PROTOCOLCB_UNAVAILABLE; - if (ssl->ctx->SetKeysCb) { - void* ctx = wolfSSL_GetSetKeysCtx(ssl); - ret = ssl->ctx->SetKeysCb(ssl, ctx); + if (ssl->ctx->EncryptKeysCb) { + void* ctx = wolfSSL_GetEncryptKeysCtx(ssl); + ret = ssl->ctx->EncryptKeysCb(ssl, ctx); } - if (!ssl->ctx->SetKeysCb || ret == PROTOCOLCB_UNAVAILABLE) + if (!ssl->ctx->EncryptKeysCb || ret == PROTOCOLCB_UNAVAILABLE) #endif ret = SetKeys(wc_encrypt, wc_decrypt, keys, &ssl->specs, ssl->options.side, ssl->heap, ssl->devId, ssl->rng, ssl->options.tls1_3); diff --git a/src/ssl.c b/src/ssl.c index ec495b95e..3e73f9e10 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -239,11 +239,7 @@ const WOLF_EC_NIST_NAME kNistCurves[] = { #endif #if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) - /* for root ca verification */ -int Renesas_cmn_RootCertVerify(const byte *cert, word32 cert_len, - word32 key_n_start, word32 key_n_len, - word32 key_e_start, word32 key_e_len, - word32 cm_row); +#include #endif #ifdef WOLFSSL_SESSION_EXPORT @@ -5006,7 +5002,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) if ( ret == 0 && signer != NULL ) { signer->cm_idx = row; if (type == WOLFSSL_USER_CA) { - if ((ret = Renesas_cmn_RootCertVerify(cert->source, cert->maxIdx, + if ((ret = wc_Renesas_cmn_RootCertVerify(cert->source, cert->maxIdx, cert->sigCtx.CertAtt.pubkey_n_start, cert->sigCtx.CertAtt.pubkey_n_len - 1, cert->sigCtx.CertAtt.pubkey_e_start, @@ -41986,13 +41982,13 @@ void wolfSSL_CTX_SetGenPreMasterCb(WOLFSSL_CTX* ctx, CallbackGenPreMaster cb) if (ctx) ctx->GenPreMasterCb = cb; } -/* Set master secret generation callback context */ +/* Set premaster secret generation callback context */ void wolfSSL_SetGenPreMasterCtx(WOLFSSL* ssl, void *ctx) { if (ssl) ssl->GenPreMasterCtx = ctx; } -/* Get master secret generation callback context */ +/* Get premaster secret generation callback context */ void* wolfSSL_GetGenPreMasterCtx(WOLFSSL* ssl) { if (ssl) @@ -42001,19 +41997,19 @@ void* wolfSSL_GetGenPreMasterCtx(WOLFSSL* ssl) return NULL; } -/* callback for premaster secret generation */ +/* callback for master secret generation */ void wolfSSL_CTX_SetGenMasterSecretCb(WOLFSSL_CTX* ctx, CallbackGenMasterSecret cb) { if (ctx) ctx->GenMasterCb = cb; } -/* Set premaster secret generation callback context */ +/* Set master secret generation callback context */ void wolfSSL_SetGenMasterSecretCtx(WOLFSSL* ssl, void *ctx) { if (ssl) ssl->GenMasterCtx = ctx; } -/* Get premaster secret generation callback context */ +/* Get master secret generation callback context */ void* wolfSSL_GetGenMasterSecretCtx(WOLFSSL* ssl) { if (ssl) @@ -42023,19 +42019,19 @@ void* wolfSSL_GetGenMasterSecretCtx(WOLFSSL* ssl) } /* callback for session key generation */ -void wolfSSL_CTX_SetGenSesssionKeyCb(WOLFSSL_CTX* ctx, CallbackGenSessionKey cb) +void wolfSSL_CTX_SetGenSessionKeyCb(WOLFSSL_CTX* ctx, CallbackGenSessionKey cb) { if (ctx) ctx->GenSessionKeyCb = cb; } /* Set sesssion key generation callback context */ -void wolfSSL_SetGenSesssionKeyCtx(WOLFSSL* ssl, void *ctx) +void wolfSSL_SetGenSessionKeyCtx(WOLFSSL* ssl, void *ctx) { if (ssl) ssl->GenSessionKeyCtx = ctx; } /* Get sesssion key generation callback context */ -void* wolfSSL_GetGenSesssionKeyCtx(WOLFSSL* ssl) +void* wolfSSL_GetGenSessionKeyCtx(WOLFSSL* ssl) { if (ssl) return ssl->GenSessionKeyCtx; @@ -42043,40 +42039,41 @@ void* wolfSSL_GetGenSesssionKeyCtx(WOLFSSL* ssl) return NULL; } -/* callback for set keys */ -void wolfSSL_CTX_SetSetKeysCb(WOLFSSL_CTX* ctx, CallbackSetKeys cb) +/* callback for setting encryption keys */ +void wolfSSL_CTX_SetEncryptKeysCb(WOLFSSL_CTX* ctx, CallbackEncryptKeys cb) { if (ctx) - ctx->SetKeysCb = cb; + ctx->EncryptKeysCb = cb; } -/* Set set keys callback context */ -void wolfSSL_SetSetKeysCtx(WOLFSSL* ssl, void *ctx) +/* Set encryption keys callback context */ +void wolfSSL_SetEncryptKeysCtx(WOLFSSL* ssl, void *ctx) { if (ssl) - ssl->SetKeysCtx = ctx; + ssl->EncryptKeysCtx = ctx; } -/* Get set keys callback context */ -void* wolfSSL_GetSetKeysCtx(WOLFSSL* ssl) +/* Get encryption keys callback context */ +void* wolfSSL_GetEncryptKeysCtx(WOLFSSL* ssl) { if (ssl) - return ssl->SetKeysCtx; + return ssl->EncryptKeysCtx; return NULL; } -/* callback for verify data */ +/* callback for Tls finished */ +/* the callback can be used to build TLS Finished message if enabled */ void wolfSSL_CTX_SetTlsFinishedCb(WOLFSSL_CTX* ctx, CallbackTlsFinished cb) { if (ctx) ctx->TlsFinishedCb = cb; } -/* Set set keys callback context */ +/* Set Tls finished callback context */ void wolfSSL_SetTlsFinishedCtx(WOLFSSL* ssl, void *ctx) { if (ssl) ssl->TlsFinishedCtx = ctx; } -/* Get set keys callback context */ +/* Get Tls finished callback context */ void* wolfSSL_GetTlsFinishedCtx(WOLFSSL* ssl) { if (ssl) @@ -42086,22 +42083,23 @@ void* wolfSSL_GetTlsFinishedCtx(WOLFSSL* ssl) } #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) /* callback for verify data */ -void wolfSSL_CTX_SetVerifymacCb(WOLFSSL_CTX* ctx, CallbackVerifymac cb) +void wolfSSL_CTX_SetVerifyMacCb(WOLFSSL_CTX* ctx, CallbackVerifyMac cb) { if (ctx) - ctx->VerifymacCb = cb; + ctx->VerifyMacCb = cb; } + /* Set set keys callback context */ -void wolfSSL_SetVerifymacCtx(WOLFSSL* ssl, void *ctx) +void wolfSSL_SetVerifyMacCtx(WOLFSSL* ssl, void *ctx) { if (ssl) - ssl->VerifymacCtx = ctx; + ssl->VerifyMacCtx = ctx; } /* Get set keys callback context */ -void* wolfSSL_GetVerifymacCtx(WOLFSSL* ssl) +void* wolfSSL_GetVerifyMacCtx(WOLFSSL* ssl) { if (ssl) - return ssl->VerifymacCtx; + return ssl->VerifyMacCtx; return NULL; } diff --git a/src/tls.c b/src/tls.c index c59f7e82f..a9600568a 100644 --- a/src/tls.c +++ b/src/tls.c @@ -404,7 +404,7 @@ int DeriveTlsKeys(WOLFSSL* ssl) #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) ret = PROTOCOLCB_UNAVAILABLE; if (ssl->ctx->GenSessionKeyCb) { - void* ctx = wolfSSL_GetGenSesssionKeyCtx(ssl); + void* ctx = wolfSSL_GetGenSessionKeyCtx(ssl); ret = ssl->ctx->GenSessionKeyCb(ssl, ctx); } if (!ssl->ctx->GenSessionKeyCb || ret == PROTOCOLCB_UNAVAILABLE) diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 85689a1d3..9ec37b768 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -1441,7 +1441,7 @@ static void* benchmarks_do(void* args) } #endif #ifdef HAVE_RENESAS_SYNC - devId = wc_CryptoCb_CryptInitRenesascmn(NULL, &guser_PKCbInfo); + devId = wc_CryptoCb_CryptInitRenesasCmn(NULL, &guser_PKCbInfo); if (devId == INVALID_DEVID) { printf("Couldn't get the Renesas device ID\n"); } @@ -2119,7 +2119,7 @@ int benchmark_free(void) wc_CryptoCb_CleanupOcteon(&devId); #endif #ifdef HAVE_RENESAS_SYNC - wc_CryptoCb_CleanupRenesascmn(&devId); + wc_CryptoCb_CleanupRenesasCmn(&devId); #endif #endif diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 80107bf98..c3b44f176 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -139,6 +139,10 @@ ASN Options: #include #endif +#ifdef WOLFSSL_RENESAS_SCEPROTECT + #include +#endif + #ifndef NO_RSA #include #if defined(WOLFSSL_XILINX_CRYPT) || defined(WOLFSSL_CRYPTOCELL) @@ -198,9 +202,7 @@ int tsip_tls_CertVerify(const byte *cert, word32 certSz, word32 key_e_start, word32 key_e_len, byte *tsip_encRsaKeyIdx); #endif -#ifdef WOLFSSL_RENESAS_SCEPROTECT -byte Rnesas_cmn_checkCA(word32 cmdIdx); -#endif + /* Calculates the minimum number of bytes required to encode the value. * @@ -13105,9 +13107,7 @@ static int ConfirmSignature(SignatureCtx* sigCtx, #else CertAttribute* certatt = NULL; - #if !defined(NO_RSA) - certatt = (CertAttribute*)&sigCtx->CertAtt; - #elif defined(HAVE_ECC) + #if !defined(NO_RSA) || defined(HAVE_ECC) certatt = (CertAttribute*)&sigCtx->CertAtt; #endif if(certatt) { @@ -13462,12 +13462,12 @@ static int ConfirmSignature(SignatureCtx* sigCtx, if (rsaKeyIdx != NULL) { ret = tsip_tls_CertVerify(buf, bufSz, sigCtx->sigCpy, - sigSz, - sigCtx->.CertAtt.pubkey_n_start - sigCtx->certBegin, - sigCtx->.CertAtt.pubkey_n_len - 1, - sigCtx->.CertAtt.pubkey_e_start - sigCtx->certBegin, - sigCtx->.CertAtt.pubkey_e_len - 1, - rsaKeyIdx); + sigSz, + sigCtx->.CertAtt.pubkey_n_start - sigCtx->certBegin, + sigCtx->.CertAtt.pubkey_n_len - 1, + sigCtx->.CertAtt.pubkey_e_start - sigCtx->certBegin, + sigCtx->.CertAtt.pubkey_e_len - 1, + rsaKeyIdx); if (ret == 0){ sigCtx->verifyByTSIP_SCE = 1; @@ -18209,7 +18209,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) /* check if we can use TSIP for cert verification */ /* if the ca is verified as tsip root ca. */ /* TSIP can only handle 2048 bits(256 byte) key. */ - if (cert->ca && Rnesas_cmn_checkCA(cert->ca->cm_idx) != 0 && + if (cert->ca && Renesas_cmn_checkCA(cert->ca->cm_idx) != 0 && (cert->sigCtx.CertAtt.pubkey_n_len == 256 || cert->sigCtx.CertAtt.curve_id == ECC_SECP256R1)) { @@ -18223,7 +18223,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) } else { if (cert->ca) { /* TSIP isn't usable */ - if (Rnesas_cmn_checkCA(cert->ca->cm_idx) == 0) + if (Renesas_cmn_checkCA(cert->ca->cm_idx) == 0) WOLFSSL_MSG("SCE-TSIP isn't usable because the ca isn't verified " "by TSIP."); else if (cert->sigCtx.CertAtt.pubkey_n_len != 256) diff --git a/wolfcrypt/src/port/Renesas/renesas_common.c b/wolfcrypt/src/port/Renesas/renesas_common.c index 87581fb28..e856af20b 100644 --- a/wolfcrypt/src/port/Renesas/renesas_common.c +++ b/wolfcrypt/src/port/Renesas/renesas_common.c @@ -35,10 +35,10 @@ #include #include #include +#include - -extern uint32_t g_CAscm_Idx; /* index of CM table */ -static int devId = 7890; /* dev Id for Crypt Callback */ +extern uint32_t g_CAscm_Idx = (uint32_t)-1; /* index of CM table */ +static int devId = 7890; /* dev Id for Crypt Callback */ #ifdef WOLF_CRYPTO_CB @@ -219,14 +219,14 @@ static int Renesas_cmn_CryptoDevCb(int devIdArg, wc_CryptoInfo* info, void* ctx) * session_key_generated : if session key has been generated * return 1 for usable, 0 for unusable */ -int Renesas_cmn_useable(const WOLFSSL* ssl, byte session_key_generated) +int Renesas_cmn_usable(const WOLFSSL* ssl, byte session_key_generated) { int ret; #if defined(WOLFSSL_RENESAS_TSIP) /* TODO call tsip api */ #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - ret = sce_useable(ssl, session_key_generated); + ret = wc_sce_usable(ssl, session_key_generated); #endif return ret; @@ -239,7 +239,7 @@ int Renesas_cmn_useable(const WOLFSSL* ssl, byte session_key_generated) * ctx : callback context * return valid device Id on success, otherwise INVALID_DEVIID */ -int wc_CryptoCb_CryptInitRenesascmn(WOLFSSL* ssl, void* ctx) +int wc_CryptoCb_CryptInitRenesasCmn(WOLFSSL* ssl, void* ctx) { (void)ssl; (void)ctx; @@ -266,7 +266,7 @@ int wc_CryptoCb_CryptInitRenesascmn(WOLFSSL* ssl, void* ctx) * id : a pointer to device id to unregister * no return value */ -void wc_CryptoCb_CleanupRenesascmn(int* id) +void wc_CryptoCb_CleanupRenesasCmn(int* id) { wc_CryptoCb_UnRegisterDevice(*id); *id = INVALID_DEVID; @@ -281,7 +281,7 @@ void wc_CryptoCb_CleanupRenesascmn(int* id) * cmdIdx : ca index * return 1 can be used, otherwise 0 */ -byte Rnesas_cmn_checkCA(word32 cmIdx) +WOLFSSL_LOCAL byte Renesas_cmn_checkCA(word32 cmIdx) { return (cmIdx == g_CAscm_Idx? 1:0); } @@ -304,7 +304,7 @@ static byte sce_tsip_rootCAverified( ) * keySz Length of key in bytes * return FSP_SUCCESS(0) on sucess, otherwise FSP/TSIP error code */ -int Renesas_cmn_RsaVerify(WOLFSSL* ssl, byte* sig, word32 sigSz, +WOLFSSL_LOCAL int Renesas_cmn_RsaVerify(WOLFSSL* ssl, byte* sig, word32 sigSz, byte** out, const byte* key, word32 keySz, void* ctx) { int ret; @@ -312,17 +312,17 @@ int Renesas_cmn_RsaVerify(WOLFSSL* ssl, byte* sig, word32 sigSz, #if defined(WOLFSSL_RENESAS_TSIP) /* TODO TSIP */ #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - ret = SCE_RsaVerify(ssl, sig, sigSz, out,key, keySz, ctx); + ret = wc_SCE_RsaVerify(ssl, sig, sigSz, out,key, keySz, ctx); - if (ret == 0 && ret != CRYPTOCB_UNAVAILABLE) { - /* Set Call back for SharedScret when being successful */ - wolfSSL_CTX_SetEccSharedSecretCb(ssl->ctx, SCE_EccSharedSecret); - wolfSSL_SetEccSharedSecretCtx(ssl, ctx); - } else { - WOLFSSL_MSG("failed R_SCE_TLS_ServerKeyExchangeVerify"); - wolfSSL_CTX_SetEccSharedSecretCb(ctx, NULL); - wolfSSL_SetEccSharedSecretCtx(ssl, NULL); - } + if (ret == 0 && ret != CRYPTOCB_UNAVAILABLE) { + /* Set Call back for SharedScret when being successful */ + wolfSSL_CTX_SetEccSharedSecretCb(ssl->ctx, SCE_EccSharedSecret); + wolfSSL_SetEccSharedSecretCtx(ssl, ctx); + } else { + WOLFSSL_MSG("failed R_SCE_TLS_ServerKeyExchangeVerify"); + wolfSSL_CTX_SetEccSharedSecretCb(ctx, NULL); + wolfSSL_SetEccSharedSecretCtx(ssl, NULL); + } #endif return ret; @@ -340,16 +340,16 @@ int Renesas_cmn_RsaVerify(WOLFSSL* ssl, byte* sig, word32 sigSz, * result a pointer to int indicates if the verify is ok * return FSP_SUCCESS(0) on sucess, otherwise FSP/TSIP error code */ -int Renesas_cmn_EccVerify(WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, - const uint8_t* hash, uint32_t hashSz, const uint8_t* key, uint32_t keySz, - int* result, void* ctx) +WOLFSSL_LOCAL int Renesas_cmn_EccVerify(WOLFSSL* ssl, const uint8_t* sig, + uint32_t sigSz, const uint8_t* hash, uint32_t hashSz, + const uint8_t* key, uint32_t keySz, int* result, void* ctx) { int ret; #if defined(WOLFSSL_RENESAS_TSIP) /* TODO TSIP */ #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - ret = SCE_EccVerify(ssl, sig, sigSz, hash, hashSz, key, keySz, + ret = wc_SCE_EccVerify(ssl, sig, sigSz, hash, hashSz, key, keySz, result, ctx); if (ret == 0 && *result == 1 && ret != CRYPTOCB_UNAVAILABLE) { /* Set Call back for SharedScret when being successful */ @@ -376,7 +376,7 @@ int Renesas_cmn_EccVerify(WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, * cm_row CA index * return FSP_SUCCESS(0) on sucess, otherwise FSP/TSIP error code */ -int Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, word32 key_n_start, +int wc_Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, word32 key_n_start, word32 key_n_len, word32 key_e_start, word32 key_e_len, word32 cm_row) { int ret; @@ -389,7 +389,7 @@ int Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, word32 key_n_s #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - ret = sce_tls_RootCertVerify(cert, cert_len, key_n_start, + ret = wc_sce_tls_RootCertVerify(cert, cert_len, key_n_start, key_n_len, key_e_start, key_e_len, cm_row); #endif } else { @@ -405,10 +405,10 @@ int Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, word32 key_n_s * ssl the WOLFSSL object * side CLIENT or SERVER * handshake_hash hash while doing handshake - * hashes calculated data by SCE/TSIP pseduo reandom function + * hashes calculated data by SCE/TSIP pseduo random function * return FSP_SUCCESS(0) on sucess, otherwise FSP/TSIP error code */ -int Renesas_cmn_TlsFinished(WOLFSSL* ssl, const byte *side, +WOLFSSL_LOCAL int Renesas_cmn_TlsFinished(WOLFSSL* ssl, const byte *side, const byte *handshake_hash, byte *hashes, void* ctx) { @@ -423,7 +423,7 @@ int Renesas_cmn_TlsFinished(WOLFSSL* ssl, const byte *side, #if defined(WOLFSSL_RENESAS_TSIP) /* TODO call tsip api */ #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - ret = sce_generateVerifyData(ssl->arrays->sce_masterSecret, /* master secret */ + ret = wc_sce_generateVerifyData(ssl->arrays->sce_masterSecret, /* master secret */ side, handshake_hash, hashes); #endif @@ -431,14 +431,14 @@ int Renesas_cmn_TlsFinished(WOLFSSL* ssl, const byte *side, } /* Renesas Security Library Common Callback - * Callback for Set Keys. - * Register callback for tls finished when keys are generated by SCE/TSIP + * Callback for setting Encrypt Keys. + * Register callback for setting Encrypt Keys when keys are generated by SCE/TSIP * * ssl the WOLFSSL object * ctx Callback context * return 0 on sucess, -1 when keys are not generated by SCE/TSIP */ -int Renesas_cmn_SetKeys(WOLFSSL* ssl, void* ctx) +static int Renesas_cmn_EncryptKeys(WOLFSSL* ssl, void* ctx) { int ret; @@ -473,7 +473,7 @@ int Renesas_cmn_SetKeys(WOLFSSL* ssl, void* ctx) * ctx Callback context * return FSP_SUCCESS(0) on sucess, otherwise SCE/TSIP error code */ -int Renesas_cmn_generateSeesionKey(WOLFSSL* ssl, void* ctx) +WOLFSSL_LOCAL int Renesas_cmn_generateSeesionKey(WOLFSSL* ssl, void* ctx) { int ret = -1; @@ -485,13 +485,13 @@ int Renesas_cmn_generateSeesionKey(WOLFSSL* ssl, void* ctx) #if defined(WOLFSSL_RENESAS_TSIP) /* TODO call tsip api */ #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - ret = sce_generateSeesionKey(ssl, ctx, devId); + ret = wc_sce_generateSeesionKey(ssl, ctx, devId); if (ret == 0) { - wolfSSL_CTX_SetSetKeysCb(ssl->ctx, Renesas_cmn_SetKeys); - wolfSSL_SetSetKeysCtx(ssl, ctx); + wolfSSL_CTX_SetEncryptKeysCb(ssl->ctx, Renesas_cmn_EncryptKeys); + wolfSSL_SetEncryptKeysCtx(ssl, ctx); } else { - wolfSSL_CTX_SetSetKeysCb(ssl->ctx, NULL); - wolfSSL_SetSetKeysCtx(ssl, NULL); + wolfSSL_CTX_SetEncryptKeysCb(ssl->ctx, NULL); + wolfSSL_SetEncryptKeysCtx(ssl, NULL); } #endif return ret; @@ -510,8 +510,8 @@ int Renesas_cmn_generateSeesionKey(WOLFSSL* ssl, void* ctx) * otherwise PROTOCOLCB_UNAVAILABLE * so that caller could continue to process if want */ -int Renesas_cmn_generatePremasterSecret(WOLFSSL* ssl, byte *premaster, - word32 preSz, void* ctx) +WOLFSSL_LOCAL int Renesas_cmn_generatePremasterSecret(WOLFSSL* ssl, + byte *premaster, word32 preSz, void* ctx) { int ret; @@ -521,8 +521,8 @@ int Renesas_cmn_generatePremasterSecret(WOLFSSL* ssl, byte *premaster, #if defined(WOLFSSL_RENESAS_TSIP) /* TODO call tsip api */ #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - if (Renesas_cmn_useable(ssl, 0)) { - ret = sce_generatePremasterSecret(premaster, preSz); + if (Renesas_cmn_usable(ssl, 0)) { + ret = wc_sce_generatePremasterSecret(premaster, preSz); ssl->arrays->preMasterSz = preSz; } else ret = PROTOCOLCB_UNAVAILABLE; @@ -542,7 +542,7 @@ int Renesas_cmn_generatePremasterSecret(WOLFSSL* ssl, byte *premaster, * otherwise PROTOCOLCB_UNAVAILABLE * so that caller could continue to process if want */ -int Renesas_cmn_genMasterSecret(struct WOLFSSL* ssl, void* ctx) +WOLFSSL_LOCAL int Renesas_cmn_genMasterSecret(struct WOLFSSL* ssl, void* ctx) { int ret = WOLFSSL_NOT_IMPLEMENTED; @@ -552,8 +552,8 @@ int Renesas_cmn_genMasterSecret(struct WOLFSSL* ssl, void* ctx) #if defined(WOLFSSL_RENESAS_TSIP) /* TODO call tsip api */ #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - if (Renesas_cmn_useable(ssl, 0)) { - ret = sce_generateMasterSecret( + if (Renesas_cmn_usable(ssl, 0)) { + ret = wc_sce_generateMasterSecret( ssl->options.cipherSuite0, ssl->options.cipherSuite, ssl->arrays->preMasterSecret, @@ -561,13 +561,14 @@ int Renesas_cmn_genMasterSecret(struct WOLFSSL* ssl, void* ctx) ssl->arrays->serverRandom, ssl->arrays->sce_masterSecret); if (ret == 0) { - sce_storeKeyCtx(ssl, ctx); + wc_sce_storeKeyCtx(ssl, ctx); /* set Session Key generation Callback for use */ - wolfSSL_CTX_SetGenSesssionKeyCb(ssl->ctx, Renesas_cmn_generateSeesionKey); - wolfSSL_SetGenSesssionKeyCtx(ssl, ctx); + wolfSSL_CTX_SetGenSessionKeyCb(ssl->ctx, + Renesas_cmn_generateSeesionKey); + wolfSSL_SetGenSessionKeyCtx(ssl, ctx); } else { - wolfSSL_CTX_SetGenSesssionKeyCb(ssl->ctx, NULL); - wolfSSL_SetGenSesssionKeyCtx(ssl, NULL); + wolfSSL_CTX_SetGenSessionKeyCb(ssl->ctx, NULL); + wolfSSL_SetGenSessionKeyCtx(ssl, NULL); } } else ret = PROTOCOLCB_UNAVAILABLE; @@ -591,25 +592,40 @@ int Renesas_cmn_genMasterSecret(struct WOLFSSL* ssl, void* ctx) * otherwise CRYPTOCB_UNAVAILABLE * so that caller could continue to process if want */ -int Renesas_cmn_RsaEnc(WOLFSSL* ssl, const unsigned char* in, +WOLFSSL_LOCAL int Renesas_cmn_RsaEnc(WOLFSSL* ssl, const unsigned char* in, unsigned int inSz, unsigned char* out, word32* outSz, const unsigned char* keyDer, unsigned int keySz, void* ctx) { int ret; - + int EncSz; + (void)ctx; (void)in; (void)inSz; (void)keyDer; (void)keySz; + (void)EncSz; + + /* sanity check */ + if (ssl == NULL || in == NULL || out == NULL || keyDer == NULL || + ctx == NULL) { + return BAD_FUNC_ARG; + } + + EncSz = wc_RsaEncryptSize(ssl->peerRsaKey); #if defined(WOLFSSL_RENESAS_TSIP) /* TODO call tsip api */ #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - if (sce_useable(ssl, 0) && wc_RsaEncryptSize(ssl->peerRsaKey) == 256) { - ret = sce_generateEncryptPreMasterSecret(ssl, out, outSz); - } else + if (wc_sce_usable(ssl, 0) && EncSz == 256) { + ret = wc_sce_generateEncryptPreMasterSecret(ssl, out, outSz); + } else { + if (EncSz != 256) + WOLFSSL_MSG("SCE cannot use" + "because Rsa Encrypt Size isn't 256 bytes(2048 bits)."); + ret = CRYPTOCB_UNAVAILABLE; + } #endif return ret; } @@ -627,7 +643,7 @@ int Renesas_cmn_RsaEnc(WOLFSSL* ssl, const unsigned char* in, * otherwise PROTOCOLCB_UNAVAILABLE * so that caller could continue to process if want */ -int Renesas_cmn_VerifyHmac(WOLFSSL *ssl, const byte* message, +WOLFSSL_LOCAL int Renesas_cmn_VerifyHmac(WOLFSSL *ssl, const byte* message, word32 messageSz, word32 macSz, word32 content, void* ctx) { int ret; @@ -636,8 +652,8 @@ int Renesas_cmn_VerifyHmac(WOLFSSL *ssl, const byte* message, #if defined(WOLFSSL_RENESAS_TSIP) /* TODO call tsip api */ #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - if (sce_useable(ssl, 1)) { - ret = sce_Sha256VerifyHmac(ssl, message, messageSz, macSz, content); + if (wc_sce_usable(ssl, 1)) { + ret = wc_sce_Sha256VerifyHmac(ssl, message, messageSz, macSz, content); } else ret = PROTOCOLCB_UNAVAILABLE; #endif @@ -657,8 +673,8 @@ int Renesas_cmn_VerifyHmac(WOLFSSL *ssl, const byte* message, * epocOrder * return FSP_SUCCESS(0) on sucess, otherwise error code */ -int Renesas_cmn_TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, - word32 sz, int padSz, int content, int verify, int epochOrder) +WOLFSSL_LOCAL int Renesas_cmn_TLS_hmac(WOLFSSL* ssl, byte* digest, + const byte* in, word32 sz, int padSz, int content, int verify, int epochOrder) { int ret; byte myInner[WOLFSSL_TLS_HMAC_INNER_SZ]; @@ -666,11 +682,11 @@ int Renesas_cmn_TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, #if defined(WOLFSSL_RENESAS_TSIP) /* TODO call tsip api */ #elif defined(WOLFSSL_RENESAS_SCEPROTECT) - if (Renesas_cmn_useable(ssl, 1)) { + if (Renesas_cmn_usable(ssl, 1)) { if (ssl->specs.hash_size == WC_SHA256_DIGEST_SIZE) { wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify); - ret = sce_Sha256GenerateHmac(ssl, myInner, WOLFSSL_TLS_HMAC_INNER_SZ, - in, sz, digest); + ret = wc_sce_Sha256GenerateHmac(ssl, myInner, WOLFSSL_TLS_HMAC_INNER_SZ, + in, sz, digest); } else ret = TSIP_MAC_DIGSZ_E; @@ -697,9 +713,9 @@ int Renesas_cmn_TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, * otherwise CRYPTOCB_UNAVAILABLE * so that caller could continue to process if want */ -int Renesas_cmn_SigPkCbRsaVerify(unsigned char* sig, unsigned int sigSz, - unsigned char** out, const unsigned char* keyDer, unsigned int keySz, - void* ctx) +WOLFSSL_LOCAL int Renesas_cmn_SigPkCbRsaVerify(unsigned char* sig, + unsigned int sigSz, unsigned char** out, const unsigned char* keyDer, + unsigned int keySz, void* ctx) { int ret; CertAttribute* CertAtt; @@ -722,7 +738,7 @@ int Renesas_cmn_SigPkCbRsaVerify(unsigned char* sig, unsigned int sigSz, #elif defined(WOLFSSL_RENESAS_SCEPROTECT) if (CertAtt->keyIndex != NULL) { - ret = sce_tls_CertVerify(CertAtt->cert, CertAtt->certSz, sig, sigSz, + ret = wc_sce_tls_CertVerify(CertAtt->cert, CertAtt->certSz, sig, sigSz, CertAtt->pubkey_n_start - CertAtt->certBegin, CertAtt->pubkey_n_len - 1, CertAtt->pubkey_e_start - CertAtt->certBegin, @@ -731,7 +747,7 @@ int Renesas_cmn_SigPkCbRsaVerify(unsigned char* sig, unsigned int sigSz, if (ret == 0){ CertAtt->verifyByTSIP_SCE = 1; } else { - WOLFSSL_MSG("RSA Verify by tsip didn't match"); + WOLFSSL_MSG("RSA Verify by SCE didn't match"); ret = ASN_SIG_CONFIRM_E; } } else @@ -756,8 +772,8 @@ int Renesas_cmn_SigPkCbRsaVerify(unsigned char* sig, unsigned int sigSz, * otherwise CRYPTOCB_UNAVAILABLE * so that caller could continue to process if want */ -int Renesas_cmn_SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz, - const unsigned char* hash, unsigned int hashSz, +WOLFSSL_LOCAL int Renesas_cmn_SigPkCbEccVerify(const unsigned char* sig, + unsigned int sigSz, const unsigned char* hash, unsigned int hashSz, const unsigned char* keyDer, unsigned int keySz, int* result, void* ctx) { @@ -770,7 +786,7 @@ int Renesas_cmn_SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz, (void)hash; (void)hashSz; /* sanity check */ - if (sig == NULL || keyDer == NULL || hash == NULL || ctx == NULL|| + if (sig == NULL || keyDer == NULL || hash == NULL || ctx == NULL || result == NULL) return BAD_FUNC_ARG; @@ -785,17 +801,17 @@ int Renesas_cmn_SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz, #elif defined(WOLFSSL_RENESAS_SCEPROTECT) if (CertAtt->keyIndex != NULL) { - ret = sce_tls_CertVerify(CertAtt->cert, CertAtt->certSz, sig, sigSz, + ret = wc_sce_tls_CertVerify(CertAtt->cert, CertAtt->certSz, sig, sigSz, CertAtt->pubkey_n_start - CertAtt->certBegin, CertAtt->pubkey_n_len - 1, CertAtt->pubkey_e_start - CertAtt->certBegin, CertAtt->pubkey_e_len -1, (uint8_t*)CertAtt->keyIndex); - if (ret == 0){ + if (ret == 0) { CertAtt->verifyByTSIP_SCE = 1; *result = 1; } else { - WOLFSSL_MSG("RSA Verify by tsip didn't match"); + WOLFSSL_MSG("RSA Verify by SCE didn't match"); ret = ASN_SIG_CONFIRM_E; } } else @@ -804,4 +820,5 @@ int Renesas_cmn_SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz, return ret; } + #endif /* SCEPROTECT || TSIP */ diff --git a/wolfcrypt/src/port/Renesas/renesas_sce_aes.c b/wolfcrypt/src/port/Renesas/renesas_sce_aes.c index 4294ff189..1ae2641ec 100644 --- a/wolfcrypt/src/port/Renesas/renesas_sce_aes.c +++ b/wolfcrypt/src/port/Renesas/renesas_sce_aes.c @@ -68,12 +68,12 @@ typedef fsp_err_t (*aesGcmDecFinalFn) * sz Length of cipher text/plaintext in bytes * iv Buffer holding IV/nonce * ivSz Length of IV/nonce in bytes - * authTag Buffer to hold authntication data + * authTag Buffer to hold authentication data * authTagSz Length of authentication data in bytes * ctx The callback context * return FSP_SUCCESS(0) on Success, otherwise negative value */ -int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, +WOLFSSL_LOCAL int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz, byte* iv, word32 ivSz, byte* authTag, word32 authTagSz, @@ -111,6 +111,11 @@ int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, return BAD_FUNC_ARG; } + if (aes->ctx.keySize != 16 && aes->ctx.keySize != 32) { + WOLFSSL_MSG("keySize is invalid, neither 16 or 32."); + return BAD_FUNC_ARG; + } + if (aes->ctx.keySize == 16) { initFn = R_SCE_AES128GCM_EncryptInit; updateFn = R_SCE_AES128GCM_EncryptUpdate; @@ -124,10 +129,10 @@ int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, /* check if AES GCM can be used by SCE */ - if ((ret = sce_hw_lock()) == 0) { + if ((ret = wc_sce_hw_lock()) == 0) { /* allocate buffers for plaintaxt, ciphertext and authTag to make sure - * those buffers 32bit aligned as TSIP requests. + * those buffers 32bit aligned as SCE requests. */ delta = sz % AES_BLOCK_SIZE; plainBuf = XMALLOC(sz, aes->heap, DYNAMIC_TYPE_AES); @@ -136,7 +141,7 @@ int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, DYNAMIC_TYPE_AES); if (plainBuf == NULL || cipherBuf == NULL || aTagBuf == NULL) { - WOLFSSL_MSG("wc_tsip_AesGcmEncrypt: buffer allocation faild"); + WOLFSSL_MSG("wc_sce_AesGcmEncrypt: buffer allocation faild"); ret = -1; } @@ -189,14 +194,14 @@ int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, ret = updateFn(&_handle, plainBuf, cipherBuf, sz, NULL, 0UL); } if (ret != FSP_SUCCESS) { - WOLFSSL_MSG("R_TSIP_AesXXXGcmEncryptUpdate: failed"); + WOLFSSL_MSG("R_SCE_AesXXXGcmEncryptUpdate: failed"); ret = -1; } if (ret == FSP_SUCCESS) { - /* Once R_TSIP_AesxxxGcmEncryptInit or R_TSIP_AesxxxEncryptUpdate is - * called, R_TSIP_AesxxxGcmEncryptFinal must be called regardless of - * the result of the previous call. Otherwise, TSIP can not come out + /* Once R_SCE_AesxxxGcmEncryptInit or R_SCE_AesxxxEncryptUpdate is + * called, R_SCE_AesxxxGcmEncryptFinal must be called regardless of + * the result of the previous call. Otherwise, SCE can not come out * from its error state and all the trailing APIs will fail. */ dataLen = 0; @@ -215,7 +220,7 @@ int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, } else { - WOLFSSL_MSG("R_TSIP_AesxxxGcmEncryptFinal: failed"); + WOLFSSL_MSG("R_SCE_AesxxxGcmEncryptFinal: failed"); ret = -1; } } @@ -225,7 +230,7 @@ int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, XFREE(cipherBuf, aes->heap, DYNAMIC_TYPE_AES); XFREE(aTagBuf, aes->heap, DYNAMIC_TYPE_AES); - sce_hw_unlock(); + wc_sce_hw_unlock(); } @@ -244,7 +249,7 @@ int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, * ctx The Callback context * return FSP_SUCCESS(0) on Success, otherwise negative value */ -int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, +WOLFSSL_LOCAL int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz, const byte* iv, word32 ivSz, const byte* authTag, word32 authTagSz, @@ -282,7 +287,11 @@ int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, return BAD_FUNC_ARG; } - + if (aes->ctx.keySize != 16 && aes->ctx.keySize != 32) { + WOLFSSL_MSG("keySize is invalid, neither 16 or 32."); + return BAD_FUNC_ARG; + } + if (aes->ctx.keySize == 16) { initFn = R_SCE_AES128GCM_DecryptInit; updateFn = R_SCE_AES128GCM_DecryptUpdate; @@ -295,7 +304,7 @@ int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, } - if ((ret = sce_hw_lock()) == 0) { + if ((ret = wc_sce_hw_lock()) == 0) { /* allocate buffers for plain-taxt, cipher-text, authTag and AAD. * TSIP requests those buffers 32bit aligned. */ @@ -332,7 +341,7 @@ int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, &key_server_aes, NULL, NULL); if (ret != FSP_SUCCESS) { - WOLFSSL_MSG("R_TSIP_TlsGenerateSessionKey failed"); + WOLFSSL_MSG("R_SCE_TLS_SessionKeyGenerate failed"); ret = -1; } } else if (info->aes256_installedkey_set == 1) { @@ -358,7 +367,7 @@ int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, ret = updateFn(&_handle, cipherBuf, plainBuf, sz, NULL, 0UL); } if (ret != FSP_SUCCESS) { - WOLFSSL_MSG("R_TSIP_AesXXXGcmDecryptUpdate: failed in decrypt"); + WOLFSSL_MSG("R_SCE_AesXXXGcmDecryptUpdate: failed in decrypt"); ret = -1; } @@ -375,7 +384,7 @@ int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, XMEMCPY(out, plainBuf, dataLen); } else { - WOLFSSL_MSG("R_TSIP_AesXXXGcmDecryptFinal: failed"); + WOLFSSL_MSG("R_SCE_AesXXXGcmDecryptFinal: failed"); ret = -1; } } @@ -385,7 +394,7 @@ int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, XFREE(plainBuf, aes->heap, DYNAMIC_TYPE_AES); XFREE(cipherBuf, aes->heap, DYNAMIC_TYPE_AES); - sce_hw_unlock(); + wc_sce_hw_unlock(); } return ret; @@ -398,7 +407,8 @@ int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, * sz Length of cipher text/plaintext in bytes * return FSP_SUCCESS(0) on Success, otherwise negative value */ -int wc_sce_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) +WOLFSSL_LOCAL int wc_sce_AesCbcEncrypt(struct Aes* aes, byte* out, + const byte* in, word32 sz) { sce_aes_handle_t _handle; word32 ret; @@ -413,7 +423,7 @@ int wc_sce_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) * on the device. iv is dummy */ iv = (uint8_t*)aes->reg; - if((ret = sce_hw_lock()) != 0){ + if((ret = wc_sce_hw_lock()) != 0){ WOLFSSL_MSG("Failed to lock"); return ret; } @@ -423,7 +433,8 @@ int wc_sce_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) } else if (aes->ctx.keySize == 32) { ret = R_SCE_AES256CBC_EncryptInit(&_handle, &aes->ctx.sce_wrapped_key, iv); } else { - sce_hw_unlock(); + WOLFSSL_MSG("invalid key Size for SCE. Key size is neither 16 or 32."); + wc_sce_hw_unlock(); return -1; } @@ -451,7 +462,7 @@ int wc_sce_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) ret = -1; } - sce_hw_unlock(); + wc_sce_hw_unlock(); return ret; } /* Perform Aes Cbc decryption by SCE @@ -462,7 +473,7 @@ int wc_sce_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) * sz Length of cipher text/plaintext in bytes * return FSP_SUCCESS(0) on Success, otherwise negative value */ -int wc_sce_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) +WOLFSSL_LOCAL int wc_sce_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) { sce_aes_handle_t _handle; word32 ret; @@ -475,7 +486,7 @@ int wc_sce_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) iv = (uint8_t*)aes->reg; - if((ret = sce_hw_lock()) != 0){ + if((ret = wc_sce_hw_lock()) != 0){ WOLFSSL_MSG("Failed to lock"); return ret; } @@ -485,7 +496,7 @@ int wc_sce_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) } else if (aes->ctx.keySize == 32) { ret = R_SCE_AES256CBC_DecryptInit(&_handle, &aes->ctx.sce_wrapped_key, iv); } else { - sce_hw_unlock(); + wc_sce_hw_unlock(); return -1; } @@ -512,7 +523,7 @@ int wc_sce_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz) ret = -1; } - sce_hw_unlock(); + wc_sce_hw_unlock(); return ret; } diff --git a/wolfcrypt/src/port/Renesas/renesas_sce_sha.c b/wolfcrypt/src/port/Renesas/renesas_sce_sha.c index 226354706..a705e81eb 100644 --- a/wolfcrypt/src/port/Renesas/renesas_sce_sha.c +++ b/wolfcrypt/src/port/Renesas/renesas_sce_sha.c @@ -156,7 +156,7 @@ static int SCEHashFinal(wolfssl_SCE_Hash* hash, byte* out, word32 outSz) heap = hash->heap; - sce_hw_lock(); + wc_sce_hw_lock(); if (Init(&handle) == FSP_SUCCESS) { ret = Update(&handle, (uint8_t*)hash->msg, hash->used); @@ -167,7 +167,7 @@ static int SCEHashFinal(wolfssl_SCE_Hash* hash, byte* out, word32 outSz) } } } - sce_hw_unlock(); + wc_sce_hw_unlock(); SCEHashFree(hash); return SCEHashInit(hash, heap, 0, hash->sha_type); @@ -194,7 +194,7 @@ static int SCEHashGet(wolfssl_SCE_Hash* hash, byte* out, word32 outSz) } else return BAD_FUNC_ARG; - sce_hw_lock(); + wc_sce_hw_lock(); if (Init(&handle) == FSP_SUCCESS) { ret = Update(&handle, (uint8_t*)hash->msg, hash->used); @@ -206,7 +206,7 @@ static int SCEHashGet(wolfssl_SCE_Hash* hash, byte* out, word32 outSz) } } - sce_hw_unlock(); + wc_sce_hw_unlock(); return 0; } diff --git a/wolfcrypt/src/port/Renesas/renesas_sce_util.c b/wolfcrypt/src/port/Renesas/renesas_sce_util.c index ec930bf7e..f494924a2 100644 --- a/wolfcrypt/src/port/Renesas/renesas_sce_util.c +++ b/wolfcrypt/src/port/Renesas/renesas_sce_util.c @@ -78,7 +78,7 @@ static int sce_CryptHwMutexUnLock(wolfSSL_Mutex* mutex) * lock hw engine * this should be called before using engine. */ -int sce_hw_lock() +WOLFSSL_LOCAL int wc_sce_hw_lock() { int ret = 0; @@ -104,17 +104,17 @@ int sce_hw_lock() /* * release hw engine */ -void sce_hw_unlock( void ) +WOLFSSL_LOCAL void wc_sce_hw_unlock( void ) { sce_CryptHwMutexUnLock(&sce_mutex); } /* Open sce driver for use */ -int sce_Open() +WOLFSSL_LOCAL int wc_sce_Open() { - WOLFSSL_ENTER("sce_Open"); + WOLFSSL_ENTER("wc_sce_Open"); int ret; - if ((ret = sce_hw_lock()) == 0) { + if ((ret = wc_sce_hw_lock()) == 0) { ret = R_SCE_Open(&sce_ctrl, &sce_cfg); @@ -139,24 +139,24 @@ int sce_Open() } /* unlock hw */ - sce_hw_unlock(); + wc_sce_hw_unlock(); - WOLFSSL_LEAVE("sce_Open", ret); + WOLFSSL_LEAVE("wc_sce_Open", ret); return ret; } /* close SCE driver */ -void sce_Close() +WOLFSSL_LOCAL void wc_sce_Close() { WOLFSSL_ENTER("sce Close"); int ret; - if ((ret = sce_hw_lock()) == 0) { + if ((ret = wc_sce_hw_lock()) == 0) { /* close SCE */ ret = R_SCE_Close(&sce_ctrl); /* unlock hw */ - sce_hw_unlock(); + wc_sce_hw_unlock(); if( ret != FSP_SUCCESS ) { WOLFSSL_MSG("RENESAS SCE Close failed"); } @@ -226,7 +226,7 @@ static int SCE_ServerKeyExVerify(uint32_t type, WOLFSSL* ssl, const uint8_t* sig return ret; } /* Callback for Rsa Verify */ -int SCE_RsaVerify(WOLFSSL* ssl, byte* sig, uint32_t sigSz, +WOLFSSL_LOCAL int wc_SCE_RsaVerify(WOLFSSL* ssl, byte* sig, uint32_t sigSz, uint8_t** out, const byte* key, uint32_t keySz, void* ctx) { int ret = WOLFSSL_FAILURE; @@ -236,7 +236,7 @@ int SCE_RsaVerify(WOLFSSL* ssl, byte* sig, uint32_t sigSz, WOLFSSL_PKMSG("SCE RSA Verify: sigSz %d, keySz %d\n", sigSz, keySz); - if (sce_useable(ssl, 0)) + if (wc_sce_usable(ssl, 0)) ret = SCE_ServerKeyExVerify(0, ssl, sig, sigSz, ctx); else ret = CRYPTOCB_UNAVAILABLE; @@ -249,9 +249,9 @@ int SCE_RsaVerify(WOLFSSL* ssl, byte* sig, uint32_t sigSz, return ret; } /* Callback for Ecc Verify */ -int SCE_EccVerify(WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, - const uint8_t* hash, uint32_t hashSz, const uint8_t* key, uint32_t keySz, - int* result, void* ctx) +WOLFSSL_LOCAL int wc_SCE_EccVerify(WOLFSSL* ssl, const uint8_t* sig, + uint32_t sigSz, const uint8_t* hash, uint32_t hashSz, + const uint8_t* key, uint32_t keySz, int* result, void* ctx) { int ret = WOLFSSL_FAILURE; uint8_t *sigforSCE; @@ -270,7 +270,7 @@ int SCE_EccVerify(WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, WOLFSSL_PKMSG("SCE ECC Verify: ssl->options.serverState = %d sigSz %d, hashSz %d, keySz %d\n", ssl->options.serverState, sigSz, hashSz, keySz); - if (!sce_useable(ssl, 0)) { + if (!wc_sce_usable(ssl, 0)) { WOLFSSL_PKMSG("Cannot handle cipher suite by SCE"); return CRYPTOCB_UNAVAILABLE; } @@ -321,7 +321,7 @@ int SCE_EccVerify(WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, return ret; } /* Callback for ECC shared secret */ -int SCE_EccSharedSecret(WOLFSSL* ssl, ecc_key* otherKey, +WOLFSSL_LOCAL int SCE_EccSharedSecret(WOLFSSL* ssl, ecc_key* otherKey, uint8_t* pubKeyDer, unsigned int* pubKeySz, uint8_t* out, unsigned int* outlen, int side, void* ctx) { @@ -379,30 +379,21 @@ int SCE_EccSharedSecret(WOLFSSL* ssl, ecc_key* otherKey, return ret; } #endif -/* Return cipher suite enumuration used in SCE library */ -uint32_t GetSceCipherSuite( +/* Return tls cipher suite enumuration that is supported by SCE library */ +static uint32_t GetSceCipherSuite( uint8_t cipherSuiteFirst, uint8_t cipherSuite) { - WOLFSSL_ENTER("GetTsipCipherSuite"); + WOLFSSL_ENTER("GetSceCipherSuite"); uint32_t sceCipher; if(cipherSuiteFirst == CIPHER_BYTE ) { switch(cipherSuite){ - - case TLS_RSA_WITH_AES_128_CBC_SHA: /*2F*/ - sceCipher = SCE_TLS_RSA_WITH_AES_128_CBC_SHA; /*0*/ - break; - case TLS_RSA_WITH_AES_128_CBC_SHA256: sceCipher = SCE_TLS_RSA_WITH_AES_128_CBC_SHA256; break; - case TLS_RSA_WITH_AES_256_CBC_SHA: - sceCipher = SCE_TLS_RSA_WITH_AES_256_CBC_SHA; - break; - case TLS_RSA_WITH_AES_256_CBC_SHA256: sceCipher = SCE_TLS_RSA_WITH_AES_256_CBC_SHA256; break; @@ -411,7 +402,7 @@ uint32_t GetSceCipherSuite( sceCipher = (uint32_t)WOLFSSL_SCE_ILLEGAL_CIPHERSUITE; break; } - WOLFSSL_MSG( "<< GetTsipCipherSuite"); + WOLFSSL_MSG( "<< GetSceCipherSuite"); return sceCipher; } else if( cipherSuiteFirst == ECC_BYTE ) @@ -454,10 +445,11 @@ uint32_t GetSceCipherSuite( /* ssl : a pointer to WOLFSSL object */ /* session_key_generated : if session key has been generated */ /* return 1 for usable, 0 for unusable */ -int sce_useable(const struct WOLFSSL *ssl, uint8_t session_key_generated) +WOLFSSL_LOCAL int wc_sce_usable(const struct WOLFSSL *ssl, + uint8_t session_key_generated) { WOLFSSL_ENTER("sce_usable"); - byte cipher; + byte Scecipher; byte side; const Ciphers *enc; const Ciphers *dec; @@ -492,25 +484,19 @@ int sce_useable(const struct WOLFSSL *ssl, uint8_t session_key_generated) return 0; } } - - cipher = ssl->options.cipherSuite; + /* retrieve cipher suite if SCE supports */ + Scecipher = GetSceCipherSuite(ssl->options.cipherSuite0, + ssl->options.cipherSuite); side = ssl->options.side; - if (((cipher == l_TLS_RSA_WITH_AES_128_CBC_SHA256 || - cipher == l_TLS_RSA_WITH_AES_256_CBC_SHA256) || - (cipher == l_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 || - cipher == l_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 || - cipher == l_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 || - cipher == l_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)) && - side == WOLFSSL_CLIENT_END) - + if (Scecipher != WOLFSSL_SCE_ILLEGAL_CIPHERSUITE && side == WOLFSSL_CLIENT_END) return 1; else return 0; } /* Generate Hmac by sha256*/ -int sce_Sha256GenerateHmac(const struct WOLFSSL *ssl,const uint8_t* myInner, +WOLFSSL_LOCAL int wc_sce_Sha256GenerateHmac(const struct WOLFSSL *ssl,const uint8_t* myInner, uint32_t innerSz,const uint8_t* in, uint32_t sz, byte* digest) { WOLFSSL_ENTER("sce_Sha256HmacGenerate"); @@ -525,7 +511,7 @@ int sce_Sha256GenerateHmac(const struct WOLFSSL *ssl,const uint8_t* myInner, wrapped_key = ssl->keys.sce_client_write_MAC_secret; - if ((ret = sce_hw_lock()) != 0) { + if ((ret = wc_sce_hw_lock()) != 0) { WOLFSSL_MSG("hw lock failed\n"); return ret; } @@ -555,14 +541,15 @@ int sce_Sha256GenerateHmac(const struct WOLFSSL *ssl,const uint8_t* myInner, ret = WOLFSSL_FAILURE; /* unlock hw */ - sce_hw_unlock(); + wc_sce_hw_unlock(); WOLFSSL_LEAVE("sce_Sha256HmacGenerate", ret); return ret; } /* Verify hmac */ -int sce_Sha256VerifyHmac(const struct WOLFSSL *ssl,const uint8_t* message, - uint32_t messageSz,uint32_t macSz, uint32_t content) +WOLFSSL_LOCAL int wc_sce_Sha256VerifyHmac(const struct WOLFSSL *ssl, + const uint8_t* message, uint32_t messageSz, + uint32_t macSz, uint32_t content) { WOLFSSL_ENTER("sce_Sha256HmacVerify"); @@ -576,7 +563,7 @@ int sce_Sha256VerifyHmac(const struct WOLFSSL *ssl,const uint8_t* message, wrapped_key = ssl->keys.sce_server_write_MAC_secret; - if ((ret = sce_hw_lock()) != 0) { + if ((ret = wc_sce_hw_lock()) != 0) { WOLFSSL_MSG("hw lock failed\n"); return ret; } @@ -611,13 +598,13 @@ int sce_Sha256VerifyHmac(const struct WOLFSSL *ssl,const uint8_t* message, } /* unlock hw */ - sce_hw_unlock(); + wc_sce_hw_unlock(); WOLFSSL_LEAVE("sce_Sha256HmacVerify", ret); return ret; } /* generate Verify Data based on master secret */ -int sce_generateVerifyData(const uint8_t *ms, /* master secret */ +WOLFSSL_LOCAL int wc_sce_generateVerifyData(const uint8_t *ms, /* master secret */ const uint8_t *side, const uint8_t *handshake_hash, uint8_t *hashes /* out */) { @@ -635,7 +622,7 @@ int sce_generateVerifyData(const uint8_t *ms, /* master secret */ l_side = SCE_TLS_GENERATE_SERVER_VERIFY; } - if ((ret = sce_hw_lock()) == 0) { + if ((ret = wc_sce_hw_lock()) == 0) { ret = R_SCE_TLS_VerifyDataGenerate(l_side, (uint32_t*)ms, (uint8_t*)handshake_hash, hashes/* out */); if (ret != FSP_SUCCESS) { @@ -643,14 +630,14 @@ int sce_generateVerifyData(const uint8_t *ms, /* master secret */ } } /* unlock hw */ - sce_hw_unlock(); + wc_sce_hw_unlock(); WOLFSSL_LEAVE("sce_generateVerifyData", ret); return ret; } /* generate keys for TLS communication */ -int sce_generateSeesionKey(struct WOLFSSL *ssl, User_SCEPKCbInfo* cbInfo, - int devId) +WOLFSSL_LOCAL int wc_sce_generateSeesionKey(struct WOLFSSL *ssl, + User_SCEPKCbInfo* cbInfo, int devId) { WOLFSSL_MSG("sce_generateSeesionKey()"); int ret; @@ -667,9 +654,9 @@ int sce_generateSeesionKey(struct WOLFSSL *ssl, User_SCEPKCbInfo* cbInfo, return BAD_FUNC_ARG; - if ((ret = sce_hw_lock()) == 0) { - if (sceCS == l_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 || - sceCS == l_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) + if ((ret = wc_sce_hw_lock()) == 0) { + if (sceCS == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 || + sceCS == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) { WOLFSSL_MSG("Session key for AES-GCM generation skipped."); @@ -736,18 +723,18 @@ int sce_generateSeesionKey(struct WOLFSSL *ssl, User_SCEPKCbInfo* cbInfo, XMEMCPY(&dec->aes->ctx.sce_wrapped_key, &key_client_aes, sizeof(key_client_aes)); } - /* copy hac key index into keys */ + /* copy mac key index into keys */ ssl->keys.sce_client_write_MAC_secret = key_client_mac; ssl->keys.sce_server_write_MAC_secret = key_server_mac; - /* set up key size and marked readly */ + /* set up key size and marked ready */ if (enc){ enc->aes->ctx.keySize = ssl->specs.key_size; enc->aes->ctx.setup = 1; /* ready for use */ enc->setup = 1; } - /* set up key size and marked readly */ + /* set up key size and marked ready */ if (dec) { dec->aes->ctx.keySize = ssl->specs.key_size; dec->aes->ctx.setup = 1; @@ -767,7 +754,7 @@ int sce_generateSeesionKey(struct WOLFSSL *ssl, User_SCEPKCbInfo* cbInfo, cbInfo->session_key_set = 1; } /* unlock hw */ - sce_hw_unlock(); + wc_sce_hw_unlock(); } else WOLFSSL_LEAVE("hw lock failed\n", ret); @@ -776,7 +763,7 @@ int sce_generateSeesionKey(struct WOLFSSL *ssl, User_SCEPKCbInfo* cbInfo, } /* generate master secret based on pre-master which is generated by SCE */ -int sce_generateMasterSecret( +WOLFSSL_LOCAL int wc_sce_generateMasterSecret( uint8_t cipherSuiteFirst, uint8_t cipherSuite, const uint8_t *pr, /* pre-master */ @@ -795,7 +782,7 @@ int sce_generateMasterSecret( if( sceCS == 0xffffffff) return BAD_FUNC_ARG; - if ((ret = sce_hw_lock()) == 0) { + if ((ret = wc_sce_hw_lock()) == 0) { ret = R_SCE_TLS_MasterSecretGenerate( sceCS, (uint32_t*)pr, @@ -804,7 +791,7 @@ int sce_generateMasterSecret( WOLFSSL_MSG("R_SCE_TLS_MasterSecretGenerate failed\n"); } /* unlock hw */ - sce_hw_unlock(); + wc_sce_hw_unlock(); } else { WOLFSSL_MSG(" hw lock failed "); } @@ -813,7 +800,8 @@ int sce_generateMasterSecret( } /* generate pre-Master secrete by SCE */ -int sce_generatePremasterSecret(uint8_t *premaster, uint32_t preSz) +WOLFSSL_LOCAL int wc_sce_generatePremasterSecret(uint8_t *premaster, + uint32_t preSz) { WOLFSSL_ENTER("sce_generatePremasterSecret"); int ret; @@ -821,7 +809,7 @@ int sce_generatePremasterSecret(uint8_t *premaster, uint32_t preSz) if (premaster == NULL) return BAD_FUNC_ARG; - if ((ret = sce_hw_lock()) == 0 && preSz >= + if ((ret = wc_sce_hw_lock()) == 0 && preSz >= (SCE_TLS_MASTER_SECRET_WORD_SIZE*4)) { /* generate pre-master, 80 bytes */ ret = R_SCE_TLS_PreMasterSecretGenerateForRSA2048((uint32_t*)premaster); @@ -829,7 +817,7 @@ int sce_generatePremasterSecret(uint8_t *premaster, uint32_t preSz) WOLFSSL_MSG(" R_SCE_TLS_GeneratePreMasterSecret failed\n"); } /* unlock hw */ - sce_hw_unlock(); + wc_sce_hw_unlock(); } else { WOLFSSL_MSG(" hw lock failed or preSz is smaller than 80"); } @@ -842,7 +830,7 @@ int sce_generatePremasterSecret(uint8_t *premaster, uint32_t preSz) /* * generate encrypted pre-Master secrete by SCE */ -int sce_generateEncryptPreMasterSecret( +WOLFSSL_LOCAL int wc_sce_generateEncryptPreMasterSecret( WOLFSSL* ssl, uint8_t* out, uint32_t* outSz) @@ -853,7 +841,7 @@ int sce_generateEncryptPreMasterSecret( if ((ssl == NULL) || (out == NULL) || (outSz == NULL)) return BAD_FUNC_ARG; - if ((ret = sce_hw_lock()) == 0) { + if ((ret = wc_sce_hw_lock()) == 0) { if (*outSz >= 256) ret = R_SCE_TLS_PreMasterSecretEncryptWithRSA2048( (uint32_t*)ssl->peerSceTsipEncRsaKeyIndex, @@ -865,13 +853,14 @@ int sce_generateEncryptPreMasterSecret( if (ret != FSP_SUCCESS) { WOLFSSL_MSG("R_SCE_TLS_PreMasterSecretEncryptWithRSA2048 failed\n"); } else { - *outSz = 256; /* TSIP can only handles 2048 RSA */ - /* set GenMaster Callbackt for Master secret generation */ + *outSz = 256; /* SCE can only handles 2048 RSA */ + /* set GenMaster Callback for Master secret generation */ void* ctx = wolfSSL_GetRsaVerifyCtx(ssl); - wolfSSL_CTX_SetGenMasterSecretCb(ssl->ctx, Renesas_cmn_genMasterSecret); + wolfSSL_CTX_SetGenMasterSecretCb(ssl->ctx, + Renesas_cmn_genMasterSecret); wolfSSL_SetGenMasterSecretCtx(ssl, ctx); } - sce_hw_unlock(); + wc_sce_hw_unlock(); } else { WOLFSSL_MSG(" hw lock failed "); @@ -882,7 +871,7 @@ int sce_generateEncryptPreMasterSecret( /* Certificate verification by SCE */ -int sce_tls_CertVerify( +WOLFSSL_LOCAL int wc_sce_tls_CertVerify( const uint8_t* cert, uint32_t certSz, const uint8_t* signature, uint32_t sigSz, uint32_t key_n_start,uint32_t key_n_len, @@ -948,7 +937,7 @@ int sce_tls_CertVerify( } - if ((ret = sce_hw_lock()) == 0) { + if ((ret = wc_sce_hw_lock()) == 0) { ret = R_SCE_TLS_CertificateVerify( g_user_key_info.encrypted_user_tls_key_type, (uint32_t*)g_encrypted_publicCA_key,/* encrypted public key */ @@ -967,7 +956,7 @@ int sce_tls_CertVerify( if (sigforSCE) { XFREE(sigforSCE, NULL, DYNAMIC_TYPE_TEMP); } - sce_hw_unlock(); + wc_sce_hw_unlock(); } else { WOLFSSL_MSG(" hw lock failed "); } @@ -976,7 +965,7 @@ int sce_tls_CertVerify( } /* Root Certificate verification */ -int sce_tls_RootCertVerify( +WOLFSSL_LOCAL int wc_sce_tls_RootCertVerify( const uint8_t* cert, uint32_t cert_len, uint32_t key_n_start, uint32_t key_n_len, uint32_t key_e_start, uint32_t key_e_len, @@ -986,7 +975,7 @@ int sce_tls_RootCertVerify( /* call to generate encrypted public key for certificate verification */ uint8_t *signature = (uint8_t*)ca_cert_sig; - WOLFSSL_ENTER("sce_tls_RootCertVerify"); + WOLFSSL_ENTER("wc_sce_tls_RootCertVerify"); if (cert == NULL) return BAD_FUNC_ARG; @@ -996,7 +985,7 @@ int sce_tls_RootCertVerify( return -1; } - if ((ret = sce_hw_lock()) == 0) { + if ((ret = wc_sce_hw_lock()) == 0) { ret = R_SCE_TLS_RootCertificateVerify( g_user_key_info.encrypted_user_tls_key_type, (uint8_t*)cert, /* CA cert */ @@ -1013,52 +1002,18 @@ int sce_tls_RootCertVerify( } else { g_CAscm_Idx = cm_row; } - sce_hw_unlock(); + wc_sce_hw_unlock(); } else { WOLFSSL_MSG(" hw lock failed "); } - WOLFSSL_LEAVE("sce_tls_RootCertVerify", ret); + WOLFSSL_LEAVE("wc_sce_tls_RootCertVerify", ret); return ret; } -/* to inform ca certificate sign */ -/* signature format expects RSA 2048 PSS with SHA256 */ -void sce_inform_cert_sign(const uint8_t *sign) -{ - if(sign) - ca_cert_sig = sign; -} - -void sce_inform_user_keys( - uint8_t* encrypted_provisioning_key, - uint8_t* iv, - uint8_t* encrypted_user_tls_key, - uint32_t encrypted_user_tls_key_type) -{ - WOLFSSL_ENTER("sce_inform_user_keys"); - g_user_key_info.encrypted_provisioning_key = NULL; - g_user_key_info.iv = NULL; - g_user_key_info.encrypted_user_tls_key = NULL; - - if ( encrypted_provisioning_key ) { - g_user_key_info.encrypted_provisioning_key = encrypted_provisioning_key; - } - if ( iv ) { - g_user_key_info.iv = iv; - } - if ( encrypted_user_tls_key ) { - g_user_key_info.encrypted_user_tls_key = encrypted_user_tls_key; - } - - g_user_key_info.encrypted_user_tls_key_type = encrypted_user_tls_key_type; - - /* set callback for ECC */ - WOLFSSL_MSG("sce_inform_user_keys_ex"); -} /* store elements for session key generation into ssl->keys. * return 0 on success, negative value on failure */ -int sce_storeKeyCtx(struct WOLFSSL* ssl, User_SCEPKCbInfo* info) +WOLFSSL_LOCAL int wc_sce_storeKeyCtx(struct WOLFSSL* ssl, User_SCEPKCbInfo* info) { int ret = 0; @@ -1080,19 +1035,56 @@ int sce_storeKeyCtx(struct WOLFSSL* ssl, User_SCEPKCbInfo* info) return ret; } +/* to inform ca certificate sign */ +/* signature format expects RSA 2048 PSS with SHA256 */ +WOLFSSL_API void wc_sce_inform_cert_sign(const uint8_t *sign) +{ + if(sign) + ca_cert_sig = sign; +} + +/* let wolfSSL know user key information using TLS operation by SCE */ +WOLFSSL_API void wc_sce_inform_user_keys( + uint8_t* encrypted_provisioning_key, + uint8_t* iv, + uint8_t* encrypted_user_tls_key, + uint32_t encrypted_user_tls_key_type) +{ + WOLFSSL_ENTER("sce_inform_user_keys"); + g_user_key_info.encrypted_provisioning_key = NULL; + g_user_key_info.iv = NULL; + g_user_key_info.encrypted_user_tls_key = NULL; + + if ( encrypted_provisioning_key ) { + g_user_key_info.encrypted_provisioning_key = encrypted_provisioning_key; + } + if ( iv ) { + g_user_key_info.iv = iv; + } + if ( encrypted_user_tls_key ) { + g_user_key_info.encrypted_user_tls_key = encrypted_user_tls_key; + } + + g_user_key_info.encrypted_user_tls_key_type = encrypted_user_tls_key_type; + + /* set callback for ECC */ + WOLFSSL_MSG("sce_inform_user_keys_ex"); +} + + /* Set callbacks needed for sce TLS api handling */ -void sce_set_callbacks(WOLFSSL_CTX* ctx) +WOLFSSL_API void wc_sce_set_callbacks(WOLFSSL_CTX* ctx) { wolfSSL_CTX_SetEccVerifyCb(ctx, Renesas_cmn_EccVerify); wolfSSL_CTX_SetRsaVerifyCb(ctx, Renesas_cmn_RsaVerify); wolfSSL_CTX_SetGenPreMasterCb(ctx, Renesas_cmn_generatePremasterSecret); wolfSSL_CTX_SetRsaEncCb(ctx, Renesas_cmn_RsaEnc); - wolfSSL_CTX_SetVerifymacCb(ctx, Renesas_cmn_VerifyHmac); + wolfSSL_CTX_SetVerifyMacCb(ctx, Renesas_cmn_VerifyHmac); wolfSSL_CTX_SetEccSharedSecretCb(ctx, NULL); } /* Set callback contexts needed for sce TLS api handling */ -int sce_set_callback_ctx(WOLFSSL* ssl, void* user_ctx) +WOLFSSL_API int wc_sce_set_callback_ctx(WOLFSSL* ssl, void* user_ctx) { if (sce_sess_idx > MAX_SCE_CBINDEX) { WOLFSSL_MSG("exceeds maximum session index"); @@ -1103,13 +1095,14 @@ int sce_set_callback_ctx(WOLFSSL* ssl, void* user_ctx) gSCE_PKCbInfo.user_PKCbInfo[sce_sess_idx]->session_key_set = 0; wolfSSL_SetEccVerifyCtx(ssl, user_ctx); + wolfSSL_SetRsaEncCtx(ssl, user_ctx); wolfSSL_SetRsaVerifyCtx(ssl, user_ctx); wolfSSL_SetGenPreMasterCtx(ssl, user_ctx); wolfSSL_SetEccSharedSecretCtx(ssl, NULL); - wolfSSL_SetVerifymacCtx(ssl, user_ctx); + wolfSSL_SetVerifyMacCtx(ssl, user_ctx); /* set up crypt callback */ - wc_CryptoCb_CryptInitRenesascmn(ssl, user_ctx); + wc_CryptoCb_CryptInitRenesasCmn(ssl, user_ctx); gSCE_PKCbInfo.num_session = ++sce_sess_idx; diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 2b4c359f5..597b03e26 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -158,7 +158,7 @@ int wolfCrypt_Init(void) #endif #if defined(WOLFSSL_RENESAS_SCEPROTECT) - ret = sce_Open( ); + ret = wc_sce_Open( ); if( ret != FSP_SUCCESS ) { WOLFSSL_MSG("RENESAS SCE Open failed"); /* not return 1 since WOLFSSL_SUCCESS=1*/ @@ -368,7 +368,7 @@ int wolfCrypt_Cleanup(void) #endif #ifdef WOLFSSL_RENESAS_SCEPROTECT - sce_Close(); + wc_sce_Close(); #else #ifdef WOLFSSL_SCE diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 94defd0b2..018da31cc 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -22721,7 +22721,7 @@ static int ecc_exp_imp_test(ecc_key* key) #else ecc_key keyImp[1]; #endif - byte priv[32*4]; + byte priv[32]; word32 privLen; byte pub[65*2]; word32 pubLen, pubLenX, pubLenY; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 38cda0bb2..9036fb7d3 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -3060,9 +3060,9 @@ struct WOLFSSL_CTX { CallbackGenPreMaster GenPreMasterCb; /* Use generate pre-master handler */ CallbackGenMasterSecret GenMasterCb; /* Use generate master secret handler */ CallbackGenSessionKey GenSessionKeyCb; /* Use generate session key handler */ - CallbackSetKeys SetKeysCb; /* Use set keys handler */ + CallbackEncryptKeys EncryptKeysCb;/* Use setting encrypt keys handler */ CallbackTlsFinished TlsFinishedCb; /* Use Tls finished handler */ - CallbackVerifymac VerifymacCb; /* Use Verify mac handler */ + CallbackVerifyMac VerifyMacCb; /* Use Verify mac handler */ #endif /* HAVE_PK_CALLBACKS */ #ifdef HAVE_WOLF_EVENT WOLF_EVENT_QUEUE event_queue; @@ -4485,9 +4485,9 @@ struct WOLFSSL { void* GenPreMasterCtx; /* Generate Premaster Callback Context */ void* GenMasterCtx; /* Generate Master Callback Context */ void* GenSessionKeyCtx; /* Generate Sesssion Key Callback Context */ - void* SetKeysCtx; /* Generate Sesssion Key Callback Context */ + void* EncryptKeysCtx; /* Set Encrypt keys Callback Context */ void* TlsFinishedCtx; /* Generate Tls Finished Callback Context */ - void* VerifymacCtx; /* Verify mac Callback Context */ + void* VerifyMacCtx; /* Verify mac Callback Context */ #endif /* HAVE_PK_CALLBACKS */ #ifdef HAVE_SECRET_CALLBACK SessionSecretCb sessionSecretCb; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index c529dbe86..71c14ba78 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -3209,25 +3209,29 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); /* Protocol Callback */ typedef int (*CallbackGenMasterSecret)(WOLFSSL* ssl, void* ctx); -WOLFSSL_API void wolfSSL_CTX_SetGenMasterSecretCb(WOLFSSL_CTX*, CallbackGenMasterSecret); +WOLFSSL_API void wolfSSL_CTX_SetGenMasterSecretCb(WOLFSSL_CTX*, + CallbackGenMasterSecret); WOLFSSL_API void wolfSSL_SetGenMasterSecretCtx(WOLFSSL* ssl, void *ctx); WOLFSSL_API void* wolfSSL_GetGenMasterSecretCtx(WOLFSSL* ssl); typedef int (*CallbackGenPreMaster)(WOLFSSL* ssl, byte *premaster, word32 preSz, void* ctx); -WOLFSSL_API void wolfSSL_CTX_SetGenPreMasterCb(WOLFSSL_CTX*, CallbackGenPreMaster); +WOLFSSL_API void wolfSSL_CTX_SetGenPreMasterCb(WOLFSSL_CTX*, + CallbackGenPreMaster); WOLFSSL_API void wolfSSL_SetGenPreMasterCtx(WOLFSSL* ssl, void *ctx); WOLFSSL_API void* wolfSSL_GetGenPreMasterCtx(WOLFSSL* ssl); typedef int (*CallbackGenSessionKey)(WOLFSSL* ssl, void* ctx); -WOLFSSL_API void wolfSSL_CTX_SetGenSesssionKeyCb(WOLFSSL_CTX*, CallbackGenSessionKey); -WOLFSSL_API void wolfSSL_SetGenSesssionKeyCtx(WOLFSSL* ssl, void *ctx); -WOLFSSL_API void* wolfSSL_GetGenSesssionKeyCtx(WOLFSSL* ssl); +WOLFSSL_API void wolfSSL_CTX_SetGenSessionKeyCb(WOLFSSL_CTX*, + CallbackGenSessionKey); +WOLFSSL_API void wolfSSL_SetGenSessionKeyCtx(WOLFSSL* ssl, void *ctx); +WOLFSSL_API void* wolfSSL_GetGenSessionKeyCtx(WOLFSSL* ssl); -typedef int (*CallbackSetKeys)(WOLFSSL* ssl, void* ctx); -WOLFSSL_API void wolfSSL_CTX_SetSetKeysCb(WOLFSSL_CTX*, CallbackSetKeys); -WOLFSSL_API void wolfSSL_SetSetKeysCtx(WOLFSSL* ssl, void *ctx); -WOLFSSL_API void* wolfSSL_GetSetKeysCtx(WOLFSSL* ssl); +typedef int (*CallbackEncryptKeys)(WOLFSSL* ssl, void* ctx); +WOLFSSL_API void wolfSSL_CTX_SetEncryptKeysCb(WOLFSSL_CTX*, + CallbackEncryptKeys); +WOLFSSL_API void wolfSSL_SetEncryptKeysCtx(WOLFSSL* ssl, void *ctx); +WOLFSSL_API void* wolfSSL_GetEncryptKeysCtx(WOLFSSL* ssl); typedef int (*CallbackTlsFinished)(WOLFSSL* ssl, const byte *side, @@ -3238,11 +3242,11 @@ WOLFSSL_API void wolfSSL_SetTlsFinishedCtx(WOLFSSL* ssl, void *ctx); WOLFSSL_API void* wolfSSL_GetTlsFinishedCtx(WOLFSSL* ssl); #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) -typedef int (*CallbackVerifymac)(WOLFSSL *ssl, const byte* message, +typedef int (*CallbackVerifyMac)(WOLFSSL *ssl, const byte* message, word32 messageSz, word32 macSz, word32 content, void* ctx); -WOLFSSL_API void wolfSSL_CTX_SetVerifymacCb(WOLFSSL_CTX*, CallbackVerifymac); -WOLFSSL_API void wolfSSL_SetVerifymacCtx(WOLFSSL* ssl, void *ctx); -WOLFSSL_API void* wolfSSL_GetVerifymacCtx(WOLFSSL* ssl); +WOLFSSL_API void wolfSSL_CTX_SetVerifyMacCb(WOLFSSL_CTX*, CallbackVerifyMac); +WOLFSSL_API void wolfSSL_SetVerifyMacCtx(WOLFSSL* ssl, void *ctx); +WOLFSSL_API void* wolfSSL_GetVerifyMacCtx(WOLFSSL* ssl); #endif #endif /* HAVE_PK_CALLBACKS */ diff --git a/wolfssl/test.h b/wolfssl/test.h index 19a1eea5d..8f11dbc9e 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -4615,7 +4615,7 @@ static WC_INLINE int myGenMaster(WOLFSSL* ssl, void* ctx) (void)cbInfo; WOLFSSL_PKMSG("Gen Master"); - /* fall through original routine */ + /* fall through to original routine */ ret = PROTOCOLCB_UNAVAILABLE; WOLFSSL_PKMSG("Gen Master: ret %d\n", ret); @@ -4634,7 +4634,7 @@ static WC_INLINE int myGenPreMaster(WOLFSSL* ssl, byte *premaster, (void) preSz; WOLFSSL_PKMSG("Gen Pre-Master Cb"); - /* fall through original routine */ + /* fall through to original routine */ ret = PROTOCOLCB_UNAVAILABLE; WOLFSSL_PKMSG("Gen Pre-Master Cb: ret %d\n", ret); @@ -4650,14 +4650,14 @@ static WC_INLINE int myGenSessionKey(WOLFSSL* ssl, void* ctx) (void)cbInfo; WOLFSSL_PKMSG("Gen Master Cb"); - /* fall through original routine */ + /* fall through to original routine */ ret = PROTOCOLCB_UNAVAILABLE; WOLFSSL_PKMSG("Gen Master Cb: ret %d\n", ret); return ret; } -static WC_INLINE int mySetKeys(WOLFSSL* ssl, void* ctx) +static WC_INLINE int mySetEncryptKeys(WOLFSSL* ssl, void* ctx) { int ret; PkCbInfo* cbInfo = (PkCbInfo*)ctx; @@ -4665,16 +4665,16 @@ static WC_INLINE int mySetKeys(WOLFSSL* ssl, void* ctx) (void)ssl; (void)cbInfo; - WOLFSSL_PKMSG("Set Keys Cb"); - /* fall through original routine */ + WOLFSSL_PKMSG("Set Encrypt Keys Cb"); + /* fall through to original routine */ ret = PROTOCOLCB_UNAVAILABLE; - WOLFSSL_PKMSG("Set Keys Cb: ret %d\n", ret); + WOLFSSL_PKMSG("Set Encrypt Keys Cb: ret %d\n", ret); return ret; } #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) -static WC_INLINE int myVerifymac(WOLFSSL *ssl, const byte* message, +static WC_INLINE int myVerifyMac(WOLFSSL *ssl, const byte* message, word32 messageSz, word32 macSz, word32 content, void* ctx) { int ret; @@ -4688,7 +4688,7 @@ static WC_INLINE int myVerifymac(WOLFSSL *ssl, const byte* message, (void)cbInfo; WOLFSSL_PKMSG("Verify Mac Cb"); - /* fall through original routine */ + /* fall through to original routine */ ret = PROTOCOLCB_UNAVAILABLE; WOLFSSL_PKMSG("Verify Mac Cb: ret %d\n", ret); @@ -4711,7 +4711,7 @@ static WC_INLINE int myTlsFinished(WOLFSSL* ssl, (void)hashes; WOLFSSL_PKMSG("Tls Finished Cb"); - /* fall through original routine */ + /* fall through to original routine */ ret = PROTOCOLCB_UNAVAILABLE; WOLFSSL_PKMSG("Tls Finished Cb: ret %d\n", ret); @@ -4771,11 +4771,11 @@ static WC_INLINE void SetupPkCallbacks(WOLFSSL_CTX* ctx) #ifndef NO_CERTS wolfSSL_CTX_SetGenMasterSecretCb(ctx, myGenMaster); wolfSSL_CTX_SetGenPreMasterCb(ctx, myGenPreMaster); - wolfSSL_CTX_SetGenSesssionKeyCb(ctx, myGenSessionKey); - wolfSSL_CTX_SetSetKeysCb(ctx, mySetKeys); + wolfSSL_CTX_SetGenSessionKeyCb(ctx, myGenSessionKey); + wolfSSL_CTX_SetEncryptKeysCb(ctx, mySetEncryptKeys); #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) - wolfSSL_CTX_SetVerifymacCb(ctx, myVerifymac); + wolfSSL_CTX_SetVerifyMacCb(ctx, myVerifyMac); #endif wolfSSL_CTX_SetTlsFinishedCb(ctx, myTlsFinished); @@ -4823,11 +4823,11 @@ static WC_INLINE void SetupPkCallbackContexts(WOLFSSL* ssl, void* myCtx) #ifndef NO_CERTS wolfSSL_SetGenMasterSecretCtx(ssl, myCtx); wolfSSL_SetGenPreMasterCtx(ssl, myCtx); - wolfSSL_SetGenSesssionKeyCtx(ssl, myCtx); - wolfSSL_SetSetKeysCtx(ssl, myCtx); + wolfSSL_SetGenSessionKeyCtx(ssl, myCtx); + wolfSSL_SetEncryptKeysCtx(ssl, myCtx); #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY) - wolfSSL_SetVerifymacCtx(ssl, myCtx); + wolfSSL_SetVerifyMacCtx(ssl, myCtx); #endif wolfSSL_SetTlsFinishedCtx(ssl, myCtx); diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index dc077fe4a..06b2a4283 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -1213,7 +1213,8 @@ enum SignatureState { #endif #endif /* HAVE_PK_CALLBACKS */ -#if defined(WOLFSSL_RENESAS_TSIP_TLS) ||defined(WOLFSSL_RENESAS_SCEPROTECT) +#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) ||\ + defined(HAVE_PK_CALLBACKS) typedef struct tagCertAttribute { byte verifyByTSIP_SCE; word32 certBegin; @@ -1283,7 +1284,8 @@ struct SignatureCtx { #endif #endif /* HAVE_PK_CALLBACKS */ #ifndef NO_RSA -#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) +#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT) ||\ + defined(HAVE_PK_CALLBACKS) CertAttribute CertAtt; #endif #endif diff --git a/wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h b/wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h index 023a01039..a05d62e5d 100644 --- a/wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h +++ b/wolfssl/wolfcrypt/port/Renesas/renesas-sce-crypt.h @@ -32,17 +32,6 @@ extern "C" { #define SCE_SESSIONKEY_NONCE_SIZE 8 #define WOLFSSL_SCE_ILLEGAL_CIPHERSUITE -1 - enum { - l_TLS_RSA_WITH_AES_128_CBC_SHA = 0x2F, - l_TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x3c, - l_TLS_RSA_WITH_AES_256_CBC_SHA = 0x35, - l_TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x3d, - l_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0x27, - l_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0x23, - l_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0x2b, - l_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0x2f, -}; - #define MAX_SCE_CBINDEX 5 typedef struct tagUser_SCEPKCbInfo { @@ -89,11 +78,12 @@ struct WOLFSSL; struct WOLFSSL_CTX; struct ecc_key; -int sce_Open(); -void sce_Close(); -int sce_hw_lock(); -void sce_hw_unlock( void ); -int sce_usable(const struct WOLFSSL *ssl); +WOLFSSL_LOCAL int wc_sce_Open(); +WOLFSSL_LOCAL void wc_sce_Close(); +WOLFSSL_LOCAL int wc_sce_hw_lock(); +WOLFSSL_LOCAL void wc_sce_hw_unlock( void ); +WOLFSSL_LOCAL int wc_sce_usable(const struct WOLFSSL *ssl, + uint8_t session_key_generated); typedef struct { sce_aes_wrapped_key_t sce_wrapped_key; @@ -102,19 +92,19 @@ typedef struct { } SCE_AES_CTX; struct Aes; -int wc_sce_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, +WOLFSSL_LOCAL int wc_sce_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz); -int wc_sce_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, +WOLFSSL_LOCAL int wc_sce_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz); -int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, +WOLFSSL_LOCAL int wc_sce_AesGcmEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz, byte* iv, word32 ivSz, byte* authTag, word32 authTagSz, const byte* authIn, word32 authInSz, void* ctx); - -int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, + +WOLFSSL_LOCAL int wc_sce_AesGcmDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz, const byte* iv, word32 ivSz, const byte* authTag, word32 authTagSz, @@ -147,19 +137,14 @@ typedef wolfssl_SCE_Hash wc_Sha256; #endif /* NO_SHA */ -void sce_inform_cert_sign(const uint8_t *sign); -byte sce_rootCAverified(); - -byte sce_checkCA(uint32_t cmIdx); - -int sce_tls_RootCertVerify( +WOLFSSL_LOCAL int wc_sce_tls_RootCertVerify( const uint8_t* cert, uint32_t cert_len, uint32_t key_n_start, uint32_t key_n_len, uint32_t key_e_start, uint32_t key_e_len, uint32_t cm_row); -int sce_tls_CertVerify( +WOLFSSL_LOCAL int wc_sce_tls_CertVerify( const uint8_t* cert, uint32_t certSz, const uint8_t* signature, uint32_t sigSz, uint32_t key_n_start, uint32_t key_n_len, @@ -167,16 +152,16 @@ int sce_tls_CertVerify( uint8_t* sce_encRsaKeyIdx); -int sce_generatePremasterSecret( +WOLFSSL_LOCAL int wc_sce_generatePremasterSecret( uint8_t* premaster, uint32_t preSz); -int sce_generateEncryptPreMasterSecret( +WOLFSSL_LOCAL int wc_sce_generateEncryptPreMasterSecret( struct WOLFSSL* ssl, uint8_t* out, uint32_t* outSz); -int sce_Sha256GenerateHmac( +WOLFSSL_LOCAL int wc_sce_Sha256GenerateHmac( const struct WOLFSSL *ssl, const uint8_t* myInner, uint32_t innerSz, @@ -184,35 +169,20 @@ int sce_Sha256GenerateHmac( uint32_t sz, uint8_t* digest); -int sce_Sha256VerifyHmac( +WOLFSSL_LOCAL int wc_sce_Sha256VerifyHmac( const struct WOLFSSL *ssl, const uint8_t* message, uint32_t messageSz, uint32_t macSz, uint32_t content); - -void sce_inform_user_keys( - uint8_t* encrypted_provisioning_key, - uint8_t* iv, - uint8_t* encrypted_user_tls_key, - uint32_t encrypted_user_tls_key_type); -void sce_set_callbacks(struct WOLFSSL_CTX* ctx); -int sce_set_callback_ctx(struct WOLFSSL* ssl, void* user_ctx); - -uint32_t GetSceCipherSuite( - uint8_t cipherSuiteFirst, - uint8_t cipherSuite); - -int sce_useable(const struct WOLFSSL *ssl, - uint8_t session_key_generated); -int sce_storeKeyCtx(struct WOLFSSL* ssl, User_SCEPKCbInfo* info); -int sce_generateVerifyData(const uint8_t *ms, /* master secret */ +WOLFSSL_LOCAL int wc_sce_storeKeyCtx(struct WOLFSSL* ssl, User_SCEPKCbInfo* info); +WOLFSSL_LOCAL int wc_sce_generateVerifyData(const uint8_t *ms, /* master secret */ const uint8_t *side, const uint8_t *handshake_hash, uint8_t *hashes /* out */); -int sce_generateSeesionKey(struct WOLFSSL *ssl, User_SCEPKCbInfo* cbInfo, +WOLFSSL_LOCAL int wc_sce_generateSeesionKey(struct WOLFSSL *ssl, User_SCEPKCbInfo* cbInfo, int devId); -int sce_generateMasterSecret( +WOLFSSL_LOCAL int wc_sce_generateMasterSecret( uint8_t cipherSuiteFirst, uint8_t cipherSuite, const uint8_t *pr, /* pre-master */ @@ -220,12 +190,25 @@ int sce_generateMasterSecret( const uint8_t *sr, /* server random */ uint8_t *ms); -int SCE_RsaVerify(struct WOLFSSL* ssl, byte* sig, uint32_t sigSz, +WOLFSSL_LOCAL int wc_SCE_RsaVerify(struct WOLFSSL* ssl, byte* sig, uint32_t sigSz, uint8_t** out, const byte* key, uint32_t keySz, void* ctx); -int SCE_EccVerify(struct WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, +WOLFSSL_LOCAL int wc_SCE_EccVerify(struct WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, const uint8_t* hash, uint32_t hashSz, const uint8_t* key, uint32_t keySz, int* result, void* ctx); -int SCE_EccSharedSecret(struct WOLFSSL* ssl, struct ecc_key* otherKey, +/* Callback for EccShareSecret */ +WOLFSSL_LOCAL int SCE_EccSharedSecret(struct WOLFSSL* ssl, struct ecc_key* otherKey, uint8_t* pubKeyDer, unsigned int* pubKeySz, uint8_t* out, unsigned int* outlen, int side, void* ctx); + +/* user API */ +WOLFSSL_API void wc_sce_inform_user_keys( + uint8_t* encrypted_provisioning_key, + uint8_t* iv, + uint8_t* encrypted_user_tls_key, + uint32_t encrypted_user_tls_key_type); + +WOLFSSL_API void wc_sce_set_callbacks(struct WOLFSSL_CTX* ctx); +WOLFSSL_API int wc_sce_set_callback_ctx(struct WOLFSSL* ssl, void* user_ctx); +WOLFSSL_API void wc_sce_inform_cert_sign(const uint8_t *sign); + #endif /* __RENESAS_SCE_CRYPT_H__ */ diff --git a/wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h b/wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h index f3df9a2ba..c049c6345 100755 --- a/wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h +++ b/wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h @@ -24,20 +24,36 @@ #include #include -/* Common Callback and Method */ -int Renesas_cmn_genMasterSecret(WOLFSSL* ssl, void* ctx); -int Renesas_cmn_generatePremasterSecret(WOLFSSL* ssl, byte *premaster, - word32 preSz, void* ctx); -int Renesas_cmn_RsaEnc(WOLFSSL* ssl, const unsigned char* in, +/* Common Callbacks */ +WOLFSSL_LOCAL int Renesas_cmn_genMasterSecret(WOLFSSL* ssl, void* ctx); +WOLFSSL_LOCAL int Renesas_cmn_generatePremasterSecret(WOLFSSL* ssl, + byte *premaster, word32 preSz, void* ctx); +WOLFSSL_LOCAL int Renesas_cmn_RsaEnc(WOLFSSL* ssl, const unsigned char* in, unsigned int inSz, unsigned char* out, word32* outSz, const unsigned char* keyDer, unsigned int keySz, void* ctx); -int Renesas_cmn_VerifyHmac(WOLFSSL *ssl, const byte* message, +WOLFSSL_LOCAL int Renesas_cmn_VerifyHmac(WOLFSSL *ssl, const byte* message, word32 messageSz, word32 macSz, word32 content); -int wc_CryptoCb_CryptInitRenesascmn(WOLFSSL* ssl, void* ctx); -int Renesas_cmn_EccVerify(WOLFSSL* ssl, const uint8_t* sig, uint32_t sigSz, - const uint8_t* hash, uint32_t hashSz, const uint8_t* key, uint32_t keySz, - int* result, void* ctx); -int Renesas_cmn_RsaVerify(WOLFSSL* ssl, byte* sig, uint32_t sigSz, +WOLFSSL_LOCAL int Renesas_cmn_EccVerify(WOLFSSL* ssl, const uint8_t* sig, + uint32_t sigSz, const uint8_t* hash, uint32_t hashSz, + const uint8_t* key, uint32_t keySz, int* result, void* ctx); +WOLFSSL_LOCAL int Renesas_cmn_RsaVerify(WOLFSSL* ssl, byte* sig, uint32_t sigSz, uint8_t** out, const byte* key, uint32_t keySz, void* ctx); +WOLFSSL_LOCAL int Renesas_cmn_TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, + word32 sz, int padSz, int content, int verify, int epochOrder); +WOLFSSL_LOCAL int Renesas_cmn_usable(const WOLFSSL *ssl, byte seskey_gennerated); +WOLFSSL_LOCAL int Renesas_cmn_SigPkCbRsaVerify(unsigned char* sig, unsigned int sigSz, + unsigned char** out, const unsigned char* keyDer, unsigned int keySz, + void* ctx); +WOLFSSL_LOCAL int Renesas_cmn_SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz, + const unsigned char* hash, unsigned int hashSz, + const unsigned char* keyDer, unsigned int keySz, + int* result, void* ctx); +/* Common Methods */ +int wc_CryptoCb_CryptInitRenesasCmn(WOLFSSL* ssl, void* ctx); +void wc_CryptoCb_CleanupRenesasCmn(int* id); +int wc_Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, + word32 key_n_start, word32 key_n_len, word32 key_e_start, + word32 key_e_len, word32 cm_row); +WOLFSSL_LOCAL byte Renesas_cmn_checkCA(word32 cmIdx); #endif /* __RENESAS_CMN_H__ */ \ No newline at end of file diff --git a/wolfssl/wolfcrypt/port/Renesas/renesas_sync.h b/wolfssl/wolfcrypt/port/Renesas/renesas_sync.h index ea18d4411..c97718eaf 100644 --- a/wolfssl/wolfcrypt/port/Renesas/renesas_sync.h +++ b/wolfssl/wolfcrypt/port/Renesas/renesas_sync.h @@ -1,4 +1,4 @@ -/* cavium_octeon_sync.h +/* renesas_sync.h * * Copyright (C) 2006-2021 wolfSSL Inc. * @@ -28,8 +28,8 @@ struct WOLFSSL; struct User_SCEPKCbInfo; extern User_SCEPKCbInfo guser_PKCbInfo; -WOLFSSL_API int wc_CryptoCb_CryptInitRenesascmn(struct WOLFSSL* ssl, void* ctx); -WOLFSSL_API void wc_CryptoCb_CleanupRenesascmn(int* id); +WOLFSSL_API int wc_CryptoCb_CryptInitRenesasCmn(struct WOLFSSL* ssl, void* ctx); +WOLFSSL_API void wc_CryptoCb_CleanupRenesasCmn(int* id); #endif /* HAVE_RENESAS_SYNC */ #endif /* _RENESAS_SYNC_H_ */ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 1a8960d12..551270ffc 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -212,7 +212,7 @@ /* Uncomment next line if using RENESAS RX64N */ /* #define WOLFSSL_RENESAS_RX65N */ -/* Uncomment next line if using RENESAS SCE PROTECT MODE */ +/* Uncomment next line if using RENESAS SCE Protected Mode */ /* #define WOLFSSL_RENESAS_SCEPROTECT */ /* Uncomment next line if using RENESAS RA6M4 */