Skip to content

20260713-WC_FIPS_AESGCM_ONE_SHOT_EXT_IV_ALLOWED-etc#10920

Open
douzzer wants to merge 10 commits into
wolfSSL:masterfrom
douzzer:20260713-WC_FIPS_AESGCM_ONE_SHOT_EXT_IV_ALLOWED-etc
Open

20260713-WC_FIPS_AESGCM_ONE_SHOT_EXT_IV_ALLOWED-etc#10920
douzzer wants to merge 10 commits into
wolfSSL:masterfrom
douzzer:20260713-WC_FIPS_AESGCM_ONE_SHOT_EXT_IV_ALLOWED-etc

Conversation

@douzzer

@douzzer douzzer commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Implement FIPS shimming for wc_AesGcmEncrypt():

wolfssl/wolfcrypt/aes.h: if HAVE_FIPS && !WC_FIPS_AESGCM_ONE_SHOT_EXT_IV_ALLOWED, make wc_AesGcmEncrypt() a WOLFSSL_LOCAL, and if !_WC_BUILDING_AES_C, add a WC_DEPRECATED() attribute to it.

wolfssl/wolfcrypt/wc_compat.h, wolfssl/wolfcrypt/include.am, .wolfssl_known_macro_extras: add wc_compat.h: when HAVE_FIPS and !WC_FIPS_AESGCM_ONE_SHOT_EXT_IV_ALLOWED, shim wc_AesGcmEncrypt() to remap it to FIPS-allowed APIs.

wolfssl/wolfcrypt/types.h: at the end, #ifndef BUILDING_WOLFSSL, #include <wolfssl/wolfcrypt/wc_compat.h>, to assure transparent shimming of wc_AesGcmEncrypt() for all outside callers.

wolfcrypt/src/evp.c, wolfcrypt/src/hpke.c, wolfcrypt/src/pkcs7.c, wolfcrypt/benchmark/benchmark.c, wolfcrypt/test/test.c, wolfssl/ssl.h: #include <wolfssl/wolfcrypt/wc_compat.h> to shim in-library/in-module calls to wc_AesGcmEncrypt().

src/internal.c: in TicketEncDec(), add const attributes to constable input args, and fix swapped out/in in calls to wc_AesGcmEncrypt().

tests/api/test_aes.c: in test_wc_AesGcmEncryptDecrypt(), skip longIV test if WC_TEST_AES_GCM_ENCRYPT_NO_NONSTD_IV (defined by wc_compat.h when needed).

wolfssl/wolfcrypt/error-crypt.h, wolfssl/error-ssl.h, wolfcrypt/src/error.c, src/internal.c:

  • add FIPS_WRONG_API_E;
  • put several error codes back into sequence in wc_GetErrorString() switch().
  • move wc_static_assert()s from headers to corresponding .c files, to eliminate dependency on wolfcrypt/types.h;
  • remove unneeded #include <wolfssl/wolfcrypt/types.h> from error-crypt.h.

linuxkm/lkcapi_aes_glue.c: in the inner streaming loops for AES-GCM and AES-XTS (AesGcmCrypt_1(), km_AesXtsEncrypt(), and km_AesXtsDecrypt()), bypass FIPS wrappers to avoid frivolous overhead, with decisive check after looping by the Final function.

wolfcrypt/src/aes.c: revert atomic refactor of checkedAESNI, haveAESNI, and intel_flags (3f3ebca / #10871) to avoid frivolous atomic access overhead. Also use regular int, not cpuid_flags_atomic_t, for cpuid_flags in the WOLFSSL_ARMASM path, and similarly use a regular int for aes_ppc64_use_crypto in the WOLFSSL_PPC64_ASM_CRYPTO path.

wolfssl/wolfcrypt/wc_compat.h, wolfssl/wolfcrypt/fips_test.h, .wolfssl_known_macro_extras:

  • also inhibit recursive evaluation midway through random.h, fips.h, and fips_test.h (circular dependencies).
  • add WC_FIPS_ENUM_CAST_ID_DEFINED to allow detection of fips_test.h incomplete evaluation.

wolfcrypt/src/ed25519.c, tests/api/test_ed25519.c:

  • add missing null key checks to wc_ed25519_verify_msg_init(), wc_ed25519_verify_msg_update(), and wc_ed25519_verify_msg_final().
  • add WC_ARG_NOT_NULL() attributes to args of static functions as appropriate.
  • add FIPS >v6 gates to new null key tests and a new invalid hash size test in test_wc_ed25519_sign_verify_ctx_ph() and test_wc_ed25519_verify_streaming().

configure.ac: add --enable-all-quantum-crypto "Enable all quantum-resistant asymmetric algorithms (default: disabled)".

tested in conjunction with FIPS 20260508-wrapper-signature-harmony and WolfGuard 20260713-wc_AesGcmEncrypt_fips using

wolfssl-multi-test.sh ...
pr-check
check-source-text-fips-dev

quantum-safe-wolfssl-all-crypto-only-intelasm-fips-dev-linuxkm-next-insmod-gcc-latest
quantum-safe-wolfssl-all-crypto-only-noasm-fips-dev-linuxkm-next-clang-tidy
quantum-safe-wolfssl-all-crypto-only-intelasm-sp-asm-sp-linuxkm-next-insmod
quantum-safe-sanitizer-all-crypto-intelasm-c-fallback-fuzzer

fips-140-3-optest-acvp-defaults
fips-140-3-pilot-optest-acvp-sp-asm
fips-140-3-optest-acvp-defaults
fips-140-2-optest
fips-140-2-openssl-all
fips-140-2-wolfrand-defaults
fips-140-3-v5-ready-optest-acvp-intelasm
fips-140-3-v6-optest-acvp-sp-asm
fips-140-3-dev-optest-acvp-sp-asm-gcc-latest
fips-140-3-v6-optest-acvp-sp-asm
fips-140-3-optest-acvp-sp-asm
fips-140-3-dev-optest-acvp-sp-noasm
fips-140-3-all

linuxkm-defaults-all-fips-v6-sanitizer
linuxkm-defaults-all-quantum-safe-fips-dev-gcc-latest
linuxkm-defaults-all-fips-dev-sanitizer

cross-armv7a-armasm-fips-140-3-dev-sp-all-testsuite-sanitizer
cross-aarch64-armasm-fips-140-3-dev-all-unittest
cross-powerpc64-all-asm

defaults-cryptonly-Wconversion-intelasm-build
defaults-cryptonly-Wconversion-intelasm-fips-140-3-dev-build
allcryptonly-Wconversion-intelasm-build

linuxkm-benchmarks-asm-insmod
linuxkm-benchmarks-fips-insmod
linuxkm-fips-v6-dist-insmod-cust-kernel-2
linuxkm-fips-v5-strict-dist-insmod-cust-kernel-2-amdrdseed
linuxkm-fips-dev-dist-insmod-cust-kernel-2-amdrdseed
'.*cust-kernel-3.*'

douzzer added 7 commits July 15, 2026 10:10
wolfssl/wolfcrypt/aes.h: if HAVE_FIPS && !WC_FIPS_AESGCM_ONE_SHOT_EXT_IV_ALLOWED, make wc_AesGcmEncrypt() a WOLFSSL_LOCAL, and if !_WC_BUILDING_AES_C, add a WC_DEPRECATED() attribute to it.

wolfssl/wolfcrypt/wc_compat.h, wolfssl/wolfcrypt/include.am, .wolfssl_known_macro_extras: add wc_compat.h: when HAVE_FIPS and !WC_FIPS_AESGCM_ONE_SHOT_EXT_IV_ALLOWED, shim wc_AesGcmEncrypt() to remap it to FIPS-allowed APIs.

wolfssl/wolfcrypt/types.h: at the end, #ifndef BUILDING_WOLFSSL, #include <wolfssl/wolfcrypt/wc_compat.h>, to assure transparent shimming of wc_AesGcmEncrypt() for all outside callers.

wolfcrypt/src/evp.c, wolfcrypt/src/hpke.c, wolfcrypt/src/pkcs7.c, wolfcrypt/benchmark/benchmark.c, wolfcrypt/test/test.c, wolfssl/ssl.h: #include <wolfssl/wolfcrypt/wc_compat.h> to shim in-library/in-module calls to wc_AesGcmEncrypt().

src/internal.c: in TicketEncDec(), add const attributes to constable input args, and fix swapped out/in in calls to wc_AesGcmEncrypt().

tests/api/test_aes.c: in test_wc_AesGcmEncryptDecrypt(), skip longIV test if WC_TEST_AES_GCM_ENCRYPT_NO_NONSTD_IV (defined by wc_compat.h when needed).

wolfssl/wolfcrypt/error-crypt.h, wolfssl/error-ssl.h, wolfcrypt/src/error.c, src/internal.c:
* add FIPS_WRONG_API_E;
* put several error codes back into sequence in wc_GetErrorString() switch().
* move wc_static_assert()s from headers to corresponding .c files, to eliminate dependency on wolfcrypt/types.h;
* remove unneeded #include <wolfssl/wolfcrypt/types.h> from error-crypt.h.
…nd AES-XTS (AesGcmCrypt_1(), km_AesXtsEncrypt(), and km_AesXtsDecrypt()), bypass FIPS wrappers to avoid frivolous overhead, with decisive check after looping by the Final function.
…I, and intel_flags (3f3ebca / wolfSSL#10871) to avoid frivolous atomic access overhead.  Also use regular int, not cpuid_flags_atomic_t, for cpuid_flags in the WOLFSSL_ARMASM path, and similarly use a regular int for aes_ppc64_use_crypto in the WOLFSSL_PPC64_ASM_CRYPTO path.
…l_known_macro_extras:

* also inhibit recursive evaluation midway through random.h, fips.h, and fips_test.h (circular dependencies).
* add WC_FIPS_ENUM_CAST_ID_DEFINED to allow detection of fips_test.h incomplete evaluation.
* add missing null key checks to wc_ed25519_verify_msg_init(), wc_ed25519_verify_msg_update(), and wc_ed25519_verify_msg_final().
* add WC_ARG_NOT_NULL() attributes to args of static functions as appropriate.
* add FIPS >v6 gates to new null key tests and a new invalid hash size test in test_wc_ed25519_sign_verify_ctx_ph() and test_wc_ed25519_verify_streaming().
…istant asymmetric algorithms (default: disabled)".
@github-actions

github-actions Bot commented Jul 15, 2026

Copy link
Copy Markdown

MemBrowse Memory Report

gcc-arm-cortex-m4

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +42 B (+0.0%, 200,430 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m4-crypto-only

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +42 B (+0.0%, 174,614 B / 262,144 B, total: 67% used)

gcc-arm-cortex-m4-openssl-compat

  • FLASH: .rodata +56 B, .text +64 B (+0.0%, 771,332 B / 1,048,576 B, total: 74% used)

gcc-arm-cortex-m4-pkcs7

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +42 B (+0.0%, 212,762 B / 262,144 B, total: 81% used)

gcc-arm-cortex-m4-pq

  • FLASH: .rodata +52 B, .text +64 B (+0.0%, 279,576 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m4-rsa-only

  • FLASH: .rodata +56 B (+0.0%, 325,176 B / 1,048,576 B, total: 31% used)

gcc-arm-cortex-m4-tls13

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +42 B, .text +64 B (+0.0%, 236,256 B / 262,144 B, total: 90% used)

gcc-arm-cortex-m7

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +42 B (+0.0%, 200,366 B / 262,144 B, total: 76% used)

gcc-arm-cortex-m7-pq

  • FLASH: .rodata +52 B, .text +64 B (+0.0%, 280,152 B / 1,048,576 B, total: 27% used)

gcc-arm-cortex-m7-tls13

  • FLASH: .rodata.CSWTCH.1 +4 B, .rodata.str1.1 +42 B (+0.0%, 236,256 B / 262,144 B, total: 90% used)

stm32-sim-stm32h753

…h> where previously #include <wolfssl/wolfcrypt/types.h>, to retain standalone compilability without provoking circular dependencies via wc_compat.h.

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10920

⚠️ The automated review timed out after 120 minutes and was terminated. Please retrigger the review manually or contact the Fenrir team.

@JacobBarthelmeh JacobBarthelmeh requested review from wolfSSL-Fenrir-bot and removed request for wolfSSL-Fenrir-bot July 15, 2026 22:06
@douzzer

douzzer commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

Retest this please
(tooling glitches)

@JacobBarthelmeh

Copy link
Copy Markdown
Contributor

Retest this please Jenkins. CAVP self test failed Unable to start agent

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10920

Scan targets checked: linuxkm-bugs, linuxkm-src, wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src

No new issues found in the changed files. ✅

douzzer added 2 commits July 15, 2026 20:27
…at_shim(), restore aes->reg to the supplied IV after wc_AesGcmEncrypt_ex() increments it, supporting the EVP access pattern.
@douzzer

douzzer commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

retest this please

@JacobBarthelmeh

Copy link
Copy Markdown
Contributor

Needs fully reviewed for being allowed with FIPS use before merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants