Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .wolfssl_known_macro_extras
Original file line number Diff line number Diff line change
Expand Up @@ -218,6 +218,7 @@ CRYP_HEADERWIDTHUNIT_BYTE
CRYP_KEYIVCONFIG_ONCE
CRYP_KEYSIZE_192B
CSM_UNSUPPORTED_ALGS
CTAO_CRYPT_AES_H
CTYPE_USER
CURVED448_SMALL
CUSTOM_ENTROPY_TIMEHIRES
Expand Down Expand Up @@ -717,6 +718,7 @@ WC_ASYNC_THREAD_BIND
WC_BLINDING_NO_RNG_ACKNOWLEDGE_WEAKNESS
WC_CACHE_RESISTANT_BASE64_TABLE
WC_DISABLE_RADIX_ZERO_PAD
WC_FIPS_AESGCM_ONE_SHOT_EXT_IV_ALLOWED
WC_FLAG_DONT_USE_AESNI
WC_FORCE_LINUXKM_FORTIFY_SOURCE
WC_HASH_CUSTOM_MAX_BLOCK_SIZE
Expand Down Expand Up @@ -1061,12 +1063,15 @@ WOLFSSL_ZEPHYR
WOLF_ALLOW_BUILTIN
WOLF_CRYPTO_CB_CMD
WOLF_CRYPTO_DEV
WOLF_CRYPT_FIPS_H
WOLF_NO_TRAILING_ENUM_COMMAS
WindowsCE
XGETPASSWD
XMSS_CALL_PRF_KEYGEN
XPAR_VERSAL_CIPS_0_PSPMC_0_PSV_CORTEXA72_0_TIMESTAMP_CLK_FREQ
XSECURE_CACHE_DISABLE
fipsCastStatus_get
wc_Des3_SetKey
_ABI64
_ABIO64
_ARCH_PPC64
Expand Down
19 changes: 17 additions & 2 deletions configure.ac
Original file line number Diff line number Diff line change
Expand Up @@ -1571,9 +1571,9 @@ then
enable_aesgcm_stream=no
fi

# All wolfCrypt features:
# All wolfCrypt features except quantum-resistant asymmetric:
AC_ARG_ENABLE([all-crypto],
[AS_HELP_STRING([--enable-all-crypto],[Enable all wolfcrypt algorithms (default: disabled)])],
[AS_HELP_STRING([--enable-all-crypto],[Enable all wolfcrypt algorithms except quantum-resistant asymmetric (default: disabled)])],
[ ENABLED_ALL_CRYPT=$enableval ],
[ ENABLED_ALL_CRYPT=no ]
)
Expand Down Expand Up @@ -1713,6 +1713,21 @@ then
AM_CFLAGS="$AM_CFLAGS -DWC_KDF_NIST_SP_800_56C"
fi

# All native quantum-resistant asymmetric algorithms:
AC_ARG_ENABLE([all-quantum-crypto],
[AS_HELP_STRING([--enable-all-quantum-crypto],[Enable all quantum-resistant asymmetric algorithms (default: disabled)])],
[ ENABLED_ALL_QUANTUM_CRYPT=$enableval ],
[ ENABLED_ALL_QUANTUM_CRYPT=no ]
)
if test "$ENABLED_ALL_QUANTUM_CRYPT" = "yes"
then
test "$enable_mlkem" = "" && enable_mlkem=yes
test "$enable_mldsa" = "" && enable_mldsa=yes
test "$enable_xmss" = "" && enable_xmss=yes
test "$enable_lms" = "" && enable_lms=yes
test "$enable_slhdsa" = "" && enable_slhdsa='yes,sha2'
fi

# kernel-appropriate settings, also in enable-all-crypto above:
if test "$KERNEL_MODE_DEFAULTS" = "yes" && test "$ENABLED_ALL_CRYPT" != "yes"
then
Expand Down
30 changes: 30 additions & 0 deletions linuxkm/lkcapi_aes_glue.c
Original file line number Diff line number Diff line change
Expand Up @@ -1121,6 +1121,16 @@ static int km_AesGcmSetAuthsize_Rfc4106(struct crypto_aead *tfm, unsigned int au

#ifdef WOLFSSL_AESGCM_STREAM

/* Don't incur the FIPS check overhead inside the loop -- the Final() call will
* check and error if the module entered degraded state during the loop.
*/
#if defined(HAVE_FIPS) && !defined(FIPS_NO_WRAPPERS)
#undef wc_AesGcmDecryptUpdate
#undef wc_AesGcmEncryptUpdate
typeof(wc_AesGcmDecryptUpdate_fips) wc_AesGcmDecryptUpdate;
typeof(wc_AesGcmEncryptUpdate_fips) wc_AesGcmEncryptUpdate;
#endif

static int AesGcmCrypt_1(struct aead_request *req, int decrypt_p, int rfc4106_p)
{
struct crypto_aead * tfm = NULL;
Expand Down Expand Up @@ -1340,6 +1350,11 @@ static int AesGcmCrypt_1(struct aead_request *req, int decrypt_p, int rfc4106_p)
return err;
}

#if defined(HAVE_FIPS) && !defined(FIPS_NO_WRAPPERS)
#define wc_AesGcmDecryptUpdate wc_AesGcmDecryptUpdate_fips
#define wc_AesGcmEncryptUpdate wc_AesGcmEncryptUpdate_fips
#endif

#else /* !WOLFSSL_AESGCM_STREAM */

static int AesGcmCrypt_1(struct aead_request *req, int decrypt_p, int rfc4106_p)
Expand Down Expand Up @@ -2205,6 +2220,16 @@ static int km_AesXtsSetKey(struct crypto_skcipher *tfm, const u8 *in_key,

/* see /usr/src/linux/drivers/md/dm-crypt.c */

/* Don't incur the FIPS check overhead inside the loop -- the Final() call will
* check and error if the module entered degraded state during the loop.
*/
#if defined(HAVE_FIPS) && !defined(FIPS_NO_WRAPPERS)
#undef wc_AesXtsDecryptUpdate
#undef wc_AesXtsEncryptUpdate
typeof(wc_AesXtsDecryptUpdate_fips) wc_AesXtsDecryptUpdate;
typeof(wc_AesXtsEncryptUpdate_fips) wc_AesXtsEncryptUpdate;
#endif

static int km_AesXtsEncrypt(struct skcipher_request *req)
{
int err;
Expand Down Expand Up @@ -2507,6 +2532,11 @@ static int km_AesXtsDecrypt(struct skcipher_request *req)
return err;
}

#if defined(HAVE_FIPS) && !defined(FIPS_NO_WRAPPERS)
#define wc_AesXtsDecryptUpdate wc_AesXtsDecryptUpdate_fips
#define wc_AesXtsEncryptUpdate wc_AesXtsEncryptUpdate_fips
#endif

static struct skcipher_alg xtsAesAlg = {
.base.cra_name = WOLFKM_AESXTS_NAME,
.base.cra_driver_name = WOLFKM_AESXTS_DRIVER,
Expand Down
10 changes: 6 additions & 4 deletions src/internal.c
Original file line number Diff line number Diff line change
Expand Up @@ -28447,6 +28447,8 @@ static const char* wolfSSL_ERR_reason_error_string_OpenSSL(unsigned long e)
}
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL || HAVE_WEBSERVER || HAVE_MEMCACHED */

wc_static_assert((int)WC_LAST_E <= (int)WOLFSSL_LAST_E);

const char* wolfSSL_ERR_reason_error_string(unsigned long e)
{
#ifdef NO_ERROR_STRINGS
Expand Down Expand Up @@ -42275,8 +42277,8 @@ static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz,
* @return MEMORY_E when dynamic memory allocation fails.
* @return Other value when encryption/decryption fails.
*/
static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz,
byte* in, int inLen, byte* out, int* outLen, byte* tag,
static int TicketEncDec(const byte* key, int keyLen, const byte* iv, const byte* aad, int aadSz,
const byte* in, int inLen, byte* out, int* outLen, byte* tag,
void* heap, int enc)
{
int ret;
Expand All @@ -42293,7 +42295,7 @@ static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz,
ret = wc_AesGcmSetKey(aes, key, keyLen);
}
if (ret == 0) {
ret = wc_AesGcmEncrypt(aes, in, out, inLen, iv, GCM_NONCE_MID_SZ,
ret = wc_AesGcmEncrypt(aes, out, in, inLen, iv, GCM_NONCE_MID_SZ,
tag, WC_AES_BLOCK_SIZE, aad, aadSz);
}
wc_AesFree(aes);
Expand All @@ -42304,7 +42306,7 @@ static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz,
ret = wc_AesGcmSetKey(aes, key, keyLen);
}
if (ret == 0) {
ret = wc_AesGcmDecrypt(aes, in, out, inLen, iv, GCM_NONCE_MID_SZ,
ret = wc_AesGcmDecrypt(aes, out, in, inLen, iv, GCM_NONCE_MID_SZ,
tag, WC_AES_BLOCK_SIZE, aad, aadSz);
}
wc_AesFree(aes);
Expand Down
3 changes: 2 additions & 1 deletion tests/api/test_aes.c
Original file line number Diff line number Diff line change
Expand Up @@ -3399,7 +3399,8 @@ int test_wc_AesGcmEncryptDecrypt(void)
* bound on the IV length. */
#if (!defined(HAVE_FIPS) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2))) && \
!defined(WOLFSSL_AES_GCM_FIXED_IV_AAD)
!defined(WOLFSSL_AES_GCM_FIXED_IV_AAD) && \
!defined(WC_TEST_AES_GCM_ENCRYPT_NO_NONSTD_IV)
ExpectIntEQ(wc_AesGcmEncrypt(&aes, enc, vector, sizeof(vector), longIV,
sizeof(longIV)/sizeof(byte), resultT, sizeof(resultT), a, sizeof(a)),
0);
Expand Down
8 changes: 8 additions & 0 deletions tests/api/test_ed25519.c
Original file line number Diff line number Diff line change
Expand Up @@ -979,6 +979,7 @@ int test_wc_ed25519_sign_verify_ctx_ph(void)
&verify_ok, &key, ctx, sizeof(ctx)), 0);
ExpectIntEQ(verify_ok, 1);

#if !defined(HAVE_FIPS) || FIPS_VERSION3_GT(6,0,0)
/* Ed25519ph length check true side: wrong-size "hash" input. */
sigLen = sizeof(sig);
ExpectIntEQ(wc_ed25519_sign_msg_ex(hash, sizeof(hash) - 1, sig, &sigLen,
Expand All @@ -988,6 +989,7 @@ int test_wc_ed25519_sign_verify_ctx_ph(void)
ExpectIntEQ(wc_ed25519_verify_msg_ex(sig, sizeof(sig), hash,
sizeof(hash) - 1, &verify_ok, &key, (byte)Ed25519ph, ctx,
sizeof(ctx)), WC_NO_ERR_TRACE(BAD_LENGTH_E));
#endif

/* context==NULL && contextLen!=0 compound: TRUE side, direct low-level
* calls (the ctx/ph wrappers above always pass a real, non-NULL
Expand Down Expand Up @@ -1054,8 +1056,10 @@ int test_wc_ed25519_verify_streaming(void)
/* init: NULL args. */
ExpectIntEQ(wc_ed25519_verify_msg_init(NULL, sigLen, &key, (byte)Ed25519,
NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#if !defined(HAVE_FIPS) || FIPS_VERSION3_GT(6,0,0)
ExpectIntEQ(wc_ed25519_verify_msg_init(sig, sigLen, NULL, (byte)Ed25519,
NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
/* init: sigLen wrong. */
ExpectIntEQ(wc_ed25519_verify_msg_init(sig, sigLen - 1, &key,
(byte)Ed25519, NULL, 0), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
Expand All @@ -1069,8 +1073,10 @@ int test_wc_ed25519_verify_streaming(void)
/* update: NULL msgSegment, then NULL key (independent operand). */
ExpectIntEQ(wc_ed25519_verify_msg_update(NULL, 4, &key),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#if !defined(HAVE_FIPS) || FIPS_VERSION3_GT(6,0,0)
ExpectIntEQ(wc_ed25519_verify_msg_update(msg, 4, NULL),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif

/* init: context==NULL/contextLen!=0 compound, explicit both-sides
* pairing within this function (type left as plain Ed25519 so the
Expand All @@ -1092,8 +1098,10 @@ int test_wc_ed25519_verify_streaming(void)
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
ExpectIntEQ(wc_ed25519_verify_msg_final(sig, sigLen, NULL, &key),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#if !defined(HAVE_FIPS) || FIPS_VERSION3_GT(6,0,0)
ExpectIntEQ(wc_ed25519_verify_msg_final(sig, sigLen, &verify_ok, NULL),
WC_NO_ERR_TRACE(BAD_FUNC_ARG));
#endif
/* final: sigLen wrong. */
ExpectIntEQ(wc_ed25519_verify_msg_final(sig, sigLen - 1, &verify_ok,
&key), WC_NO_ERR_TRACE(BAD_FUNC_ARG));
Expand Down
1 change: 1 addition & 0 deletions wolfcrypt/benchmark/benchmark.c
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@
#include <wolfssl/wolfcrypt/error-crypt.h>
#include <wolfssl/wolfcrypt/asn.h>
#include <wolfssl/version.h>
#include <wolfssl/wolfcrypt/wc_compat.h>

#ifdef WOLFSSL_LINUXKM
/* remap current_time() -- collides with a function in kernel linux/fs.h */
Expand Down
54 changes: 29 additions & 25 deletions wolfcrypt/src/aes.c
Original file line number Diff line number Diff line change
Expand Up @@ -673,16 +673,18 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
#define AESNI_ALIGN 16
#endif

/* Accessed with the wolfSSL atomic APIs so the one-time detection is free of
* data races. Writes are also idempotent (all callers compute the same
* value), so a benign concurrent double-write is harmless. */
static wolfSSL_Atomic_Uint checkedAESNI = WOLFSSL_ATOMIC_INITIALIZER(0);
static wolfSSL_Atomic_Uint haveAESNI = WOLFSSL_ATOMIC_INITIALIZER(0);
static cpuid_flags_atomic_t intel_flags = WC_CPUID_ATOMIC_INITIALIZER;
/* Note that all write access to these static variables must be idempotent,
* as arranged by Check_CPU_support_AES(), else they will be susceptible to
* data races. Don't use wolfSSL_Atomic_Uint here, to avoid atomic access
* overhead on subsequent calls.
*/
static int checkedAESNI = 0;
static int haveAESNI = 0;
static cpuid_flags_t intel_flags = WC_CPUID_INITIALIZER;

static WARN_UNUSED_RESULT int Check_CPU_support_AES(void)
{
cpuid_get_flags_atomic(&intel_flags);
cpuid_get_flags_ex(&intel_flags);

return IS_INTEL_AESNI(intel_flags) != 0;
}
Expand Down Expand Up @@ -1086,11 +1088,12 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits

#elif defined(WOLFSSL_ARMASM)
#if defined(__aarch64__) && !defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)
static cpuid_flags_atomic_t cpuid_flags = WC_CPUID_ATOMIC_INITIALIZER;
static cpuid_flags_t cpuid_flags = WC_CPUID_INITIALIZER;

static void Check_CPU_support_HwCrypto(Aes* aes)
{
cpuid_get_flags_atomic(&cpuid_flags);
if (cpuid_flags == WC_CPUID_INITIALIZER)
cpuid_get_flags_ex(&cpuid_flags);
aes->use_aes_hw_crypto = IS_AARCH64_AES(cpuid_flags);
#ifdef HAVE_AESGCM
aes->use_pmull_hw_crypto = IS_AARCH64_PMULL(cpuid_flags);
Expand Down Expand Up @@ -1177,21 +1180,22 @@ static WARN_UNUSED_RESULT int wc_AesDecrypt(Aes* aes, const byte* inBlock,
* branches that also call these names are #if'd out, so only the live PPC call
* sites are redirected. */

/* Resolved dispatch decision (0 = base, 1 = vector-crypto), accessed with the
* wolfSSL atomic APIs so the one-time detection is free of data races. The
* master cpuid flags read by cpuid_get_flags() are themselves atomic; the write
* here is idempotent so a benign concurrent double-write is harmless. */
static wolfSSL_Atomic_Uint aes_ppc64_use_crypto = WOLFSSL_ATOMIC_INITIALIZER(0);
/* Resolved dispatch decision (0 = base, 1 = vector-crypto). The write here is
* idempotent so a benign concurrent double-write is harmless. Avoid atomic for
* this, as for intel_flags above, to avoid unnecessary expensive reads. */
static int aes_ppc64_use_crypto = 0;

/* True when the CPU supports the vector-crypto instructions. */
#define AES_PPC64_USE_CRYPTO() (WOLFSSL_ATOMIC_LOAD(aes_ppc64_use_crypto) != 0)
#define AES_PPC64_USE_CRYPTO() (aes_ppc64_use_crypto != 0)

/* Check and set the decision together (as Check_CPU_support_AES/HwCrypto do);
* called from the key-setup path before any AES_*_crypto use. */
static void Aes_SetCrypto(void)
{
WOLFSSL_ATOMIC_STORE(aes_ppc64_use_crypto,
(unsigned int)(IS_PPC64_VEC_CRYPTO(cpuid_get_flags()) != 0));
static cpuid_flags_t cpu_flags = WC_CPUID_INITIALIZER;
if (cpu_flags == WC_CPUID_INITIALIZER)
cpuid_get_flags_ex(&cpu_flags);
aes_ppc64_use_crypto = (IS_PPC64_VEC_CRYPTO(cpu_flags) != 0);
}

#define AES_set_encrypt_key(key, len, ks) \
Expand Down Expand Up @@ -5648,11 +5652,11 @@ static void AesSetKey_C(Aes* aes, const byte* key, word32 keySz, int dir)
* function correctly with default build settings.
*/

if (WOLFSSL_ATOMIC_LOAD(checkedAESNI) == 0) {
WOLFSSL_ATOMIC_STORE(haveAESNI, Check_CPU_support_AES());
WOLFSSL_ATOMIC_STORE(checkedAESNI, 1);
if (checkedAESNI == 0) {
haveAESNI = Check_CPU_support_AES();
checkedAESNI = 1;
}
if (WOLFSSL_ATOMIC_LOAD(haveAESNI)
if (haveAESNI
#if defined(WC_FLAG_DONT_USE_VECTOR_OPS) && !defined(WC_C_DYNAMIC_FALLBACK)
&& (aes->use_aesni != WC_FLAG_DONT_USE_VECTOR_OPS)
#endif
Expand Down Expand Up @@ -18893,7 +18897,7 @@ static AesGcmSivPolyvalFn AesGcmSivPolyvalAsm(void)
static AesGcmSivPolyvalFn AesGcmSivPolyvalAsm(void)
{
#ifndef WOLFSSL_ARMASM_NO_HW_CRYPTO
cpuid_get_flags_atomic(&cpuid_flags);
cpuid_get_flags_ex(&cpuid_flags);
if (IS_AARCH64_PMULL(cpuid_flags)) {
return &AES_GCMSIV_polyval_pmull;
}
Expand All @@ -18912,7 +18916,7 @@ static AesGcmSivPolyvalFn AesGcmSivPolyvalAsm(void)
* AES-NI gates the base path (matching wolfSSL's AES-GCM). */
static AesGcmSivPolyvalFn AesGcmSivPolyvalAsm(void)
{
cpuid_get_flags_atomic(&intel_flags);
cpuid_get_flags_ex(&intel_flags);
if (!IS_INTEL_AESNI(intel_flags)) {
return NULL;
}
Expand Down Expand Up @@ -18957,7 +18961,7 @@ static AesGcmSivCtrFn AesGcmSivCtrAsm(void)
static AesGcmSivCtrFn AesGcmSivCtrAsm(void)
{
#ifndef WOLFSSL_ARMASM_NO_HW_CRYPTO
cpuid_get_flags_atomic(&cpuid_flags);
cpuid_get_flags_ex(&cpuid_flags);
if (IS_AARCH64_AES(cpuid_flags)) {
return &AES_GCMSIV_ctr_aarch64;
}
Expand All @@ -18975,7 +18979,7 @@ static AesGcmSivCtrFn AesGcmSivCtrAsm(void)
* the base; AVX1/VAES/AVX512 are progressively wider pipelines. */
static AesGcmSivCtrFn AesGcmSivCtrAsm(void)
{
cpuid_get_flags_atomic(&intel_flags);
cpuid_get_flags_ex(&intel_flags);
if (!IS_INTEL_AESNI(intel_flags)) {
return NULL;
}
Expand Down
Loading
Loading