addressed review comments

tsip_usable() reconstruction
2019-09-19 11:23:55 +09:00 · 2019-09-19 11:23:55 +09:00 · 5c5aa45a5e
parent a37b604da9
commit 5c5aa45a5e
9 changed files with 69 additions and 42 deletions
--- a/IDE/Renesas/e2studio/Projects/test/src/wolf_client.c
+++ b/IDE/Renesas/e2studio/Projects/test/src/wolf_client.c
@ -47,8 +47,10 @@ static int my_IORecv(WOLFSSL* ssl, char* buff, int sz, void* ctx)
        return WOLFSSL_CBIO_ERR_GENERAL;

    ret = tcp_rcv_dat(cepid, buff, sz, TMO_FEVR);
-    if(ret > 0)return ret;
-    else         return WOLFSSL_CBIO_ERR_GENERAL;
+    if(ret > 0)
+        return ret;
+    else
+        return WOLFSSL_CBIO_ERR_GENERAL;
 }

 static int my_IOSend(WOLFSSL* ssl, char* buff, int sz, void* ctx)
@ -57,13 +59,15 @@ static int my_IOSend(WOLFSSL* ssl, char* buff, int sz, void* ctx)
    ID  cepid;

    if(ctx != NULL)
-    	cepid = *(ID *)ctx;
+        cepid = *(ID *)ctx;
    else
-    	return WOLFSSL_CBIO_ERR_GENERAL;
+        return WOLFSSL_CBIO_ERR_GENERAL;

    ret = tcp_snd_dat(cepid, buff, sz, TMO_FEVR);
-    if(ret == sz)return ret;
-    else         return WOLFSSL_CBIO_ERR_GENERAL;
+    if(ret == sz)
+        return ret;
+    else
+        return WOLFSSL_CBIO_ERR_GENERAL;
 }

 static int getIPaddr(char *arg)
--- a/src/internal.c
+++ b/src/internal.c
@ -172,7 +172,7 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
 #endif

 #ifdef WOLFSSL_RENESAS_TSIP_TLS
-    byte tsip_useable(byte cipher0, byte cipher, byte side);
+    int tsip_useable(const WOLFSSL *ssl);
    int tsip_generatePremasterSecret();
    int tsip_generateEncryptPreMasterSecret(WOLFSSL *ssl, byte *out, word32 *outSz);
 #endif
@ -12674,10 +12674,8 @@ static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input,
        #endif
        #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
            !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
-            if (tsip_useable(ssl->options.cipherSuite0,
-                             ssl->options.cipherSuite,
-                             ssl->options.side)) {
-                wc_tsip_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz);
+            if (tsip_useable(ssl)) {
+                ret = wc_tsip_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz);
            } else
        #endif
            ret = wc_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz);
@ -12959,9 +12957,7 @@ static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
        #endif
        #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
            !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
-            if (tsip_useable(ssl->options.cipherSuite0,
-                             ssl->options.cipherSuite,
-                             ssl->options.side)) {
+            if (tsip_useable(ssl)) {
                ret = wc_tsip_AesCbcDecrypt(ssl->decrypt.aes, plain, input, sz);
            } else
        #endif
@ -21025,9 +21021,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
                    /* build PreMasterSecret with RNG data */
                    #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
                       !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
-                    if (tsip_useable(ssl->options.cipherSuite0,
-                                     ssl->options.cipherSuite,
-                                     ssl->options.side)) {
+                    if (tsip_useable(ssl)) {
                        ret = tsip_generatePremasterSecret( 
                        &ssl->arrays->preMasterSecret[VERSION_SZ], 
                        ENCRYPT_LEN - VERSION_SZ);
@ -21372,9 +21366,7 @@ int SendClientKeyExchange(WOLFSSL* ssl)
                {
                    #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
                       !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
-                    if (tsip_useable(ssl->options.cipherSuite0,
-                                     ssl->options.cipherSuite,
-                                     ssl->options.side) && 
+                    if (tsip_useable(ssl) && 
                                     wc_RsaEncryptSize(ssl->peerRsaKey) == 256) {
                        ret = tsip_generateEncryptPreMasterSecret(ssl,
                                                            args->encSecret,
--- a/src/keys.c
+++ b/src/keys.c
@ -46,7 +46,7 @@

 #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
    !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
- int tsip_useable(byte cipher0, byte ciphper1, byte side);
+ int tsip_useable(const WOLFSSL *ssl);
 #endif
 int SetCipherSpecs(WOLFSSL* ssl)
 {
@ -3179,8 +3179,7 @@ int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
 #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
    !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
    /* check if keys for TSIP has been created */
-    if (tsip_useable(ssl->options.cipherSuite0, ssl->options.cipherSuite,
-                    ssl->options.side) == 1)
+    if (tsip_useable(ssl) == 1)
        ret = 0;
    else
 #endif
--- a/src/ssl.c
+++ b/src/ssl.c
@ -109,7 +109,7 @@

 #if defined(WOLFSSL_RENESAS_TSIP_TLS)
    /* for root ca verification */
-int tsip_tls_RootCertVerify(const byte *cert  , word32 cert_len,
+int tsip_tls_RootCertVerify(const byte *cert, word32 cert_len,
                            word32 key_n_start, word32 key_n_len,
                            word32 key_e_start, word32 key_e_len,
                            word32 cm_row);
--- a/src/tls.c
+++ b/src/tls.c
@ -132,7 +132,7 @@ static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions);
 #endif

 #ifdef WOLFSSL_RENESAS_TSIP_TLS
-    int tsip_useable(byte cipher0, byte cipher, byte side);
+    int tsip_useable(const WOLFSSL *ssl);
    int tsip_generateMasterSecret(const byte *pre,
                                const byte *cr,const byte *sr,
                                byte *ms/* out */);
@ -204,9 +204,7 @@ int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
 #ifdef WOLFSSL_HAVE_PRF
 #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
    !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
-        if (tsip_useable(ssl->options.cipherSuite0,
-                           ssl->options.cipherSuite,
-                           ssl->options.side)) {
+        if (tsip_useable(ssl)) {
            ret = tsip_generateVerifyData(ssl->arrays->tsip_masterSecret,
                            side, handshake_hash, (byte*)hashes /* out */);
        } else
@ -376,9 +374,7 @@ int DeriveTlsKeys(WOLFSSL* ssl)
 #endif
 #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
    !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
-    if (tsip_useable(ssl->options.cipherSuite0,
-                     ssl->options.cipherSuite,
-                     ssl->options.side))
+    if (tsip_useable(ssl))
        ret = tsip_generateSeesionKey(ssl);
    else {
 #endif
@ -535,9 +531,7 @@ int MakeTlsMasterSecret(WOLFSSL* ssl)
    {
 #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
    !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
-        if (tsip_useable(ssl->options.cipherSuite0,
-                         ssl->options.cipherSuite,
-                         ssl->options.side)) {
+        if (tsip_useable(ssl)) {
            ret = tsip_generateMasterSecret(
                            &ssl->arrays->preMasterSecret[VERSION_SZ],
                            ssl->arrays->clientRandom,
@ -1198,9 +1192,7 @@ int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz,
    wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify);
 #if defined(WOLFSSL_RENESAS_TSIP_TLS) && \
    !defined(NO_WOLFSSL_RENESAS_TSIP_TLS_SESSION)
-    if (tsip_useable(ssl->options.cipherSuite0,
-                     ssl->options.cipherSuite,
-                     ssl->options.side)) {
+    if (tsip_useable(ssl)) {
        if (ssl->specs.hash_size == WC_SHA_DIGEST_SIZE)
            ret = tsip_Sha1Hmac(ssl, myInner, WOLFSSL_TLS_HMAC_INNER_SZ, 
                                                        in, sz, digest, verify);
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -8448,9 +8448,21 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
                             cert->heap, DYNAMIC_TYPE_RSA);
        if (cert->tsip_encRsaKeyIdx == NULL)
                return MEMORY_E;
-    } else
+    } else {
+        if (cert->ca) {
+            /* TSIP isn't usable */
+            if (tsip_checkCA(cert->ca->cm_idx) == 0)
+                WOLFSSL_MSG("TSIP isn't usable because the ca isn't verified by TSIP.");
+            else if (cert->sigCtx.pubkey_n_len != 256)
+                WOLFSSL_MSG("TSIP isn't usable because the ca isn't signed by RSA 2048.");
+            else
+                WOLFSSL_MSG("TSIP isn't usable");
+        }
 #endif
    cert->tsip_encRsaKeyIdx = NULL;
+#if defined(WOLFSSL_RENESAS_TSIP)
+    }
+#endif

    if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
        if (cert->ca) {
--- a/wolfcrypt/src/port/Renesas/renesas_tsip_aes.c
+++ b/wolfcrypt/src/port/Renesas/renesas_tsip_aes.c
@ -89,6 +89,9 @@ int wc_tsip_AesCbcEncrypt(struct Aes* aes, byte* out, const byte* in, word32 sz)
        } else {
            ret = R_TSIP_Aes256CbcEncryptFinal(&_handle, out, &dataLength);
        }
+    } else {
+        WOLFSSL_MSG("TSIP AES CBC encryption failed");
+        ret = -1;
    }
    
    tsip_hw_unlock();
@ -140,6 +143,9 @@ int wc_tsip_AesCbcDecrypt(struct Aes* aes, byte* out, const byte* in, word32 sz)
            ret = R_TSIP_Aes128CbcDecryptFinal(&_handle, out, &dataLength);
        else
            ret = R_TSIP_Aes256CbcDecryptFinal(&_handle, out, &dataLength);
+    } else {
+        WOLFSSL_MSG("TSIP AES CBC decryption failed");
+        ret = -1;
    }
    
    tsip_hw_unlock();
--- a/wolfcrypt/src/port/Renesas/renesas_tsip_util.c
+++ b/wolfcrypt/src/port/Renesas/renesas_tsip_util.c
@ -106,9 +106,31 @@ void tsip_hw_unlock( void )
 /* cipher0 : in the some cipher suite,                         */
 /*           first byte becomes greater than 0, otherwise 0x00 */
 /* side    : CLIENT END or SEVER END                           */
-byte tsip_useable(byte cipher0, byte cipher, byte side)
+int tsip_useable(const struct WOLFSSL *ssl)
 {
-    if (cipher0 > 0x00) return 0;
+    byte cipher0;
+    byte cipher;
+    byte side;
+    
+    /* sanity check */
+    if (ssl == NULL)
+        return BAD_FUNC_ARG;
+    
+    /* when rsa key index == NULL, tsip isn't used for cert verification. */
+    /* in the case, we cannot use TSIP.                                   */
+    if (!ssl->peerTsipEncRsaKeyIndex)
+        return 0;
+
+    /* when enabled Extended Master Secret, we cannot use TSIP.           */
+    if (ssl->options.haveEMS)
+        return 0;
+        
+    cipher0 = ssl->options.cipherSuite0;
+    cipher = ssl->options.cipherSuite;
+    side = ssl->options.side;
+    
+    if (cipher0 > 0x00) 
+        return 0;

    if ((cipher == l_TLS_RSA_WITH_AES_128_CBC_SHA ||
         cipher == l_TLS_RSA_WITH_AES_128_CBC_SHA256 ||
@ -267,7 +289,7 @@ int tsip_Sha1Hmac(const struct WOLFSSL *ssl, const byte *myInner,
    int ret;

    if ((ssl == NULL) || (myInner == NULL) || (in == NULL) ||
-    		(digest == NULL))
+        (digest == NULL))
      return BAD_FUNC_ARG;
    
    if ((ret = tsip_hw_lock()) != 0) {
--- a/wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h
+++ b/wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h
@ -65,7 +65,7 @@ int  tsip_Open( );
 void tsip_Close( );
 int tsip_hw_lock();
 void tsip_hw_unlock( void );
-int tsip_usable(byte cipher0, byte cipher, byte side);
+int tsip_usable(const struct WOLFSSL *ssl);
 void tsip_inform_sflash_signedcacert(const byte *ps_flash, 
    const byte *psigned_ca_cert, word32 len);
 void tsip_inform_cert_sign(const byte *sign);