Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion RPi-Pico/src/tlsClient_main.c
Original file line number Diff line number Diff line change
Expand Up @@ -158,11 +158,12 @@ void tlsClient_test(void *arg)
goto exit;
}

ret = wolfSSL_read(ssl, buffer, BUFF_SIZE);
ret = wolfSSL_read(ssl, buffer, BUFF_SIZE - 1);
if (ret < 0) {
printf("Failed to read data. err=%d\n", ret);
goto exit;
}
buffer[ret] = '\0';
printf("Message: %s\n", buffer);

wolfSSL_free(ssl);
Expand Down
37 changes: 34 additions & 3 deletions ccb_vaultic/ccb_vaultic.c
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,7 @@

/* wolfcrypt includes */
#include "wolfssl/wolfcrypt/types.h" /* types and X-defines */
#include "wolfssl/wolfcrypt/memory.h" /* For wc_ForceZero */

#ifndef CCBVAULTIC_NO_SHA
#include "wolfssl/wolfcrypt/hash.h" /* For HASH_FLAGS and types */
Expand Down Expand Up @@ -156,6 +157,31 @@ static void hexdump(const unsigned char* p, size_t len)
}
#endif

#ifdef WOLF_CRYPTO_CB
/* Constant-time buffer compare for secret material.
*
* wolfSSL's own constant-time compare (ConstantCompare() in
* wolfcrypt/src/misc.c) is WOLFSSL_LOCAL and not exported, so it can't be
* called from application code. Every byte is compared regardless of where
* a mismatch occurs, so the runtime doesn't leak position information via
* early-exit timing.
*
* Returns 0 if the buffers are equal, non-zero otherwise. */
static int const_time_memcmp(const void* a, const void* b, size_t len)
Comment thread
stenslae marked this conversation as resolved.
{
const byte* pa = (const byte*)a;
const byte* pb = (const byte*)b;
byte diff = 0;
size_t i;

for (i = 0; i < len; i++) {
diff |= (byte)(pa[i] ^ pb[i]);
}

return (int)diff;
}
#endif /* WOLF_CRYPTO_CB */

/* Helper to translate vlt return codes to wolfSSL code */
static int translateError(int vlt_rc)
{
Expand Down Expand Up @@ -233,8 +259,10 @@ void ccbVaultIc_Cleanup(ccbVaultIc_Context *c)
/* Free allocated buffers */
if (c->m != NULL)
XFREE(c->m, NULL, NULL);
if (c->aescbc_key != NULL)
if (c->aescbc_key != NULL) {
wc_ForceZero(c->aescbc_key, c->aescbc_keylen);
XFREE(c->aescbc_key, NULL, NULL);
}

clearContext(c);

Expand Down Expand Up @@ -975,17 +1003,20 @@ static int HandleCipherCallback(int devId, wc_CryptoInfo* info,
vlt_mode = VLT_DECRYPT_MODE;
}

/* Check if key is not the same as last time */
/* Check if key is not the same as last time. Uses a constant-time
* compare since this is secret key material, even though this
* check only gates a cache refresh (not authentication). */
if ((c->aescbc_key == NULL) ||
(c->aescbc_keylen != aes->keylen) ||
(XMEMCMP(c->aescbc_key, aes->devKey, aes->keylen))) {
(const_time_memcmp(c->aescbc_key, aes->devKey, aes->keylen))) {
#if defined(CCBVAULTIC_DEBUG_ALL)
XPRINTF(" New AES Key: ckey:%p clen:%lu akey:%p alen:%u\n",
c->aescbc_key,c->aescbc_keylen, aes->devKey, aes->keylen);
hexdump((void*)aes->devKey, aes->keylen);
#endif
/* Free the current key buffer if necessary */
if (c->aescbc_key != NULL) {
wc_ForceZero(c->aescbc_key, c->aescbc_keylen);
XFREE(c->aescbc_key, NULL, NULL);
c->aescbc_key = NULL;
c->aescbc_keylen = 0;
Expand Down
2 changes: 1 addition & 1 deletion certfields/all-fields/main.c
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ int main(int argc, char** argv)

RsaKey pubKeyRsa;
ecc_key pubKeyEcc;
WOLFSSL_X509* cert;
WOLFSSL_X509* cert = NULL;
WOLFSSL_EVP_PKEY* pubKeyTmp;
WOLFSSL_X509_NAME* name;

Expand Down
3 changes: 3 additions & 0 deletions certgen/csr_example.c
Original file line number Diff line number Diff line change
Expand Up @@ -218,6 +218,7 @@ static int init_pk_key(Cert* req, void** keyPtr, WC_RNG* rng, byte* der,
ret = wc_ecc_init((ecc_key*)*keyPtr);
if (ret != 0) {
XFREE(*keyPtr, NULL, DYNAMIC_TYPE_ECC);
*keyPtr = NULL;
break;
}
ret = wc_ecc_make_key_ex(rng, 32, (ecc_key*)*keyPtr, ECC_SECP256R1);
Expand Down Expand Up @@ -249,6 +250,7 @@ static int init_pk_key(Cert* req, void** keyPtr, WC_RNG* rng, byte* der,
ret = wc_InitRsaKey((RsaKey*)*keyPtr, NULL);
if (ret != 0) {
XFREE(*keyPtr, NULL, DYNAMIC_TYPE_RSA);
*keyPtr = NULL;
break;
}
ret = wc_MakeRsaKey((RsaKey*)*keyPtr, 2048, WC_RSA_EXPONENT, rng);
Expand Down Expand Up @@ -280,6 +282,7 @@ static int init_pk_key(Cert* req, void** keyPtr, WC_RNG* rng, byte* der,
ret = wc_ed25519_init((ed25519_key*)*keyPtr);
if (ret != 0) {
XFREE(*keyPtr, NULL, DYNAMIC_TYPE_ED25519);
*keyPtr = NULL;
break;
}
ret = wc_ed25519_make_key(rng, ED25519_KEY_SIZE,
Expand Down
Loading