Merge pull request #5393 from TakayukiMatsuo/leakfix

2022-07-26 09:44:19 -06:00 · 2022-07-26 09:44:19 -06:00 · a5b1838d8f
parent a05b38059e 5a0afc512e
commit a5b1838d8f
5 changed files with 30 additions and 23 deletions
--- a/IDE/Renesas/e2studio/RX65N/GR-ROSE/test/src/wolf_client.c
+++ b/IDE/Renesas/e2studio/RX65N/GR-ROSE/test/src/wolf_client.c
@ -27,7 +27,9 @@
 #include "wolfssl/certs_test.h"
 #include "key_data.h"
 #include "wolfssl_demo.h"
-
+#if defined(WOLFSSL_RENESAS_TSIP_TLS)
+    #include <wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h>
+#endif

 #define SIMPLE_TLSSEVER_IP       "192.168.1.12"
 #define SIMPLE_TLSSERVER_PORT    "11111"
--- a/wolfcrypt/src/port/Renesas/renesas_common.c
+++ b/wolfcrypt/src/port/Renesas/renesas_common.c
@ -548,7 +548,7 @@ WOLFSSL_LOCAL int Renesas_cmn_EccVerify(WOLFSSL* ssl, const unsigned char* sig,
 * key_e_start Byte position of public key exponent in cert
 * key_e_len   Length of public key exponent
 * cm_row      CA index
- * return FSP_SUCCESS(0) on success, otherwise FSP/TSIP error code
+ * return FSP_SUCCESS(0) on success, otherwise WOLFSSL_FATAL_ERROR
 */
 int wc_Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, word32 key_n_start,
        word32 key_n_len, word32 key_e_start, word32 key_e_len, word32 cm_row)
@ -568,11 +568,16 @@ int wc_Renesas_cmn_RootCertVerify(const byte* cert, word32 cert_len, word32 key_
        ret = wc_sce_tls_RootCertVerify(cert, cert_len, key_n_start,
                key_n_len, key_e_start, key_e_len, cm_row);
    #endif
+
+        if (ret != TSIP_SUCCESS) {
+            ret = WOLFSSL_FATAL_ERROR;
+        }
    }
    else {
        /* already verified. skipped */
        ret = 0;
    }
+    WOLFSSL_LEAVE("wc_Renesas_cmn_RootCertVerify", ret);
    return ret;
 }

--- a/wolfcrypt/src/port/Renesas/renesas_tsip_aes.c
+++ b/wolfcrypt/src/port/Renesas/renesas_tsip_aes.c
@ -723,7 +723,7 @@ int wc_tsip_AesGcmEncrypt(
             * iv init func.
             * It expects to pass iv when users create their own key.
             */
-            err = initFn(&hdl, &key_client_aes, iv_l, ivSz_l);
+            err = initFn(&hdl, &key_client_aes, (uint8_t*)iv_l, ivSz_l);

            if (err == TSIP_SUCCESS) {
            	err = updateFn(&hdl, NULL, NULL, 0UL, (uint8_t*)aadBuf, authInSz);
@ -917,7 +917,7 @@ int wc_tsip_AesGcmDecrypt(
             *
             * It expects to pass iv when users create their own key.
             */
-            err = initFn(&hdl, &key_server_aes, iv_l, ivSz_l);
+            err = initFn(&hdl, &key_server_aes, (uint8_t*)iv_l, ivSz_l);

            if (err == TSIP_SUCCESS) {
                /* pass only AAD and it's size before passing cipher text */
--- a/wolfcrypt/src/port/Renesas/renesas_tsip_util.c
+++ b/wolfcrypt/src/port/Renesas/renesas_tsip_util.c
@ -2028,8 +2028,19 @@ int wc_tsip_RsaVerify(
    WOLFSSL_LEAVE("tsip_RsaVerify", ret);
    return ret;
 }
-/*
- *  return 0 on success
+/*  Verify signature for Server Key Exchange with TSIP
+ *  TSIP can handle prime256v1 curve and sha256 hash
+ *  parameters:
+ *   ssl    WOLFSSL object
+ *   sig    buffer holding DER encoded ecdsa signature data
+ *   sigSz  signature data size
+ *   hash   buffer holding sha256 hash data
+ *   hashSz hash data size
+ *   key    buffer holding peer's public key (NOT used in this function)
+ *   keySz  public key size((NOT used in this function))
+ *   result address of the variable to output result
+ *   ctx    context 
+ *  return 0 on success, CRYPTOCB_UNAVAILABLE in case TSIP cannot handle 
 */
 int wc_tsip_EccVerify(
        WOLFSSL*  ssl,
@ -2039,8 +2050,7 @@ int wc_tsip_EccVerify(
        int*  result,       void*  ctx)
 {
    int         ret = WOLFSSL_FAILURE;
-    uint8_t*    sigforSCE = NULL;
-    uint8_t*    pSig = NULL;
+    uint8_t     sigforSCE [R_TSIP_ECDSA_DATA_BYTE_SIZE] = {0};
    const byte  rs_size = R_TSIP_ECDSA_DATA_BYTE_SIZE/2;
    byte        offset = 0x3;

@ -2060,18 +2070,7 @@ int wc_tsip_EccVerify(
        return CRYPTOCB_UNAVAILABLE;
    }

-   sigforSCE = (uint8_t*)XMALLOC(R_TSIP_ECDSA_DATA_BYTE_SIZE, NULL,
-                                            DYNAMIC_TYPE_TMP_BUFFER);
-
-    if (sigforSCE == NULL) {
-        WOLFSSL_MSG("failed to malloc memory");
-        WOLFSSL_LEAVE("wc_tsip_EccVerify", MEMORY_E);
-        return MEMORY_E;
-    }
-
-    /* initialization */
-    XMEMCPY(sigforSCE, 0, R_TSIP_ECDSA_DATA_BYTE_SIZE);
-
+    /* concatenate r and s parts of the signature so that TSIP can handle it*/
    /* r */
    if (sig[offset] == 0x20) {
        XMEMCPY(sigforSCE, &sig[offset+1], rs_size);
@ -2098,9 +2097,7 @@ int wc_tsip_EccVerify(
        }
    }

-    pSig = sigforSCE;
-
-    ret = tsip_ServerKeyExVerify(2, ssl, pSig, 64, ctx);
+    ret = tsip_ServerKeyExVerify(2, ssl, sigforSCE, 64, ctx);

    if (ret == WOLFSSL_SUCCESS) {
        *result = 1;
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -257,6 +257,9 @@
    #include <wolfssl/wolfcrypt/port/iotsafe/iotsafe.h>
 #endif

+#if defined(WOLFSSL_RENESAS_TSIP_TLS)
+    #include <wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h>
+#endif

 #ifdef __cplusplus
    extern "C" {