diff --git a/configure.ac b/configure.ac index 77eaa724e..788b69a81 100644 --- a/configure.ac +++ b/configure.ac @@ -7354,7 +7354,7 @@ then AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_HUGE_CFLAGS" fi else - if test "$ENABLED_SP" = "yes" && test "$ENABLED_SP_SMALL" = "no" + if (test "$ENABLED_SP" = "yes" || test "$ENABLED_SP_MATH_ALL" = "yes") && test "$ENABLED_SP_SMALL" = "no" then AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_FAST_CFLAGS" if test "$ENABLED_FASTHUGEMATH" = "yes" diff --git a/fips-check.sh b/fips-check.sh index 14ebc21e1..497bd992a 100755 --- a/fips-check.sh +++ b/fips-check.sh @@ -184,6 +184,7 @@ linuxv2) FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c ) FIPS_INCS=( fips.h ) FIPS_OPTION=v2 + COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm ) ;; netbsd-selftest) FIPS_VERSION=$NETBSD_FIPS_VERSION @@ -234,6 +235,7 @@ linuxv5) FIPS_INCS=( fips.h ) FIPS_OPTION="v5-RC12" COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm + wolfcrypt/src/aes_gcm_asm.S wolfcrypt/src/sha256_asm.S wolfcrypt/src/sha512_asm.S ) ;; linuxv5-ready|fips-ready|fips-v5-ready) @@ -372,17 +374,17 @@ esac # clone the FIPS repository case "$FIPS_OPTION" in *dev) - if ! $GIT clone --depth 1 "$FIPS_REPO" fips; then + if ! $GIT clone --depth 1 "$FIPS_REPO" fips; then echo "fips-check: Couldn't check out the FIPS repository for fips-dev." exit 1 - fi - ;; + fi + ;; *) - if ! $GIT clone --depth 1 -b "$FIPS_VERSION" "$FIPS_REPO" fips; then + if ! $GIT clone --depth 1 -b "$FIPS_VERSION" "$FIPS_REPO" fips; then echo "fips-check: Couldn't check out ${FIPS_VERSION} from repository ${FIPS_REPO}." exit 1 - fi - ;; + fi + ;; esac for SRC in "${FIPS_SRCS[@]}" diff --git a/scripts/ocsp.test b/scripts/ocsp.test index acedc254e..325ef9e44 100755 --- a/scripts/ocsp.test +++ b/scripts/ocsp.test 
@@ -26,11 +26,15 @@ OUTPUT=$(eval "./examples/client/client -S check") if [ "$OUTPUT" = "SNI is: ON" ]; then printf '\n\n%s\n\n' "SNI is on, proceed with globalsign test" - # is our desired server there? - "${SCRIPT_DIR}/ping.test" $server 2 - RESULT=$? - if [ $RESULT -ne 0 ]; then - GL_UNREACHABLE=1 + if [ "$AM_BWRAPPED" != "yes" ]; then + # is our desired server there? + "${SCRIPT_DIR}/ping.test" $server 2 + RESULT=$? + if [ $RESULT -ne 0 ]; then + GL_UNREACHABLE=1 + fi + else + RESULT=0 fi if [ $RESULT -eq 0 ]; then @@ -50,9 +54,14 @@ fi server=www.google.com ca=${SCRIPT_DIR}/../certs/external/ca-google-root.pem -# is our desired server there? -${SCRIPT_DIR}/ping.test $server 2 -RESULT=$? +if [ "$AM_BWRAPPED" != "yes" ]; then + # is our desired server there? + ${SCRIPT_DIR}/ping.test $server 2 + RESULT=$? +else + RESULT=0 +fi + if [ $RESULT -eq 0 ]; then # client test against the server echo "./examples/client/client -X -C -h $server -p 443 -A "$ca" -g -o -N" diff --git a/scripts/unit.test.in b/scripts/unit.test.in index 2bb3012ad..e954e75a6 100644 --- a/scripts/unit.test.in +++ b/scripts/unit.test.in @@ -1,8 +1,12 @@ #!/bin/sh -bwrap_path="$(command -v bwrap)" -if [ -n "$bwrap_path" ]; then - exec "$bwrap_path" --unshare-net --dev-bind / / "@builddir@/tests/unit.test" "$@" +if [ "${AM_BWRAPPED-}" != "yes" ]; then + bwrap_path="$(command -v bwrap)" + if [ -n "$bwrap_path" ]; then + exec "$bwrap_path" --unshare-net --dev-bind / / "@builddir@/tests/unit.test" "$@" + else + exec "@builddir@/tests/unit.test" "$@" + fi else - exec "@builddir@/tests/unit.test" "$@" + exec "@builddir@/tests/unit.test" "$@" fi diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index f66727aad..811151ba2 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c 
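Review bot: The new guard `[ "$AM_BWRAPPED" != "yes" ]` expands the variable without a default, while scripts/unit.test.in in this same commit uses `"${AM_BWRAPPED-}"`. If this script is ever run under `set -u` the bare form aborts, so `"${AM_BWRAPPED-}"` would be the consistent spelling in both hunks of this file. In the `else` branch `RESULT=0` is assigned without probing the server and `GL_UNREACHABLE` stays unset, so a later connection failure is presumably reported as a test failure rather than a skip. A comment such as `# AM_BWRAPPED=yes: ping.test is skipped, reachability is assumed and the client test decides` would record that intent. `$server` is also passed unquoted to ping.test in both hunks.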
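Review bot: Both non-sandboxed paths in scripts/unit.test.in end in the identical `exec "@builddir@/tests/unit.test" "$@"`, so the nested if/else can be reduced to the guarded bwrap `exec` followed by a single fallback `exec` after the closing `fi`. The script also takes `AM_BWRAPPED=yes` from the environment to mean that isolation is already in place, which deserves a comment at the top, for example `# AM_BWRAPPED=yes: the caller already provides the sandbox; do not nest bwrap`. It would also help to note there that `--unshare-net --dev-bind / /` isolates only the network and leaves the whole filesystem visible to the test.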
@@ -104,19 +104,34 @@ int testsuite_test(int argc, char** argv) THREAD_TYPE serverThread; #ifndef USE_WINDOWS_API - char tempName[] = "/tmp/output-XXXXXX"; - int len = 18; - int num = 6; + const char *tempDir = NULL; + char tempName[128]; + int tempName_len; + int tempName_Xnum; #else char tempName[] = "fnXXXXXX"; - int len = 8; - int num = 6; + const int tempName_len = 8; + const int tempName_Xnum = 6; #endif #ifdef HAVE_STACK_SIZE void *serverThreadStackContext = NULL; #endif int ret; +#ifndef USE_WINDOWS_API +#ifdef XGETENV + tempDir = XGETENV("TMPDIR"); + if (tempDir == NULL) +#endif + { + tempDir = "/tmp"; + } + XSTRLCPY(tempName, tempDir, sizeof(tempName)); + XSTRLCAT(tempName, "/testsuite-output-XXXXXX", sizeof(tempName)); + tempName_len = (int)XSTRLEN(tempName); + tempName_Xnum = 6; +#endif /* !USE_WINDOWS_API */ + #ifdef HAVE_WNR if (wc_InitNetRandom(wnrConfig, NULL, 5000) != 0) { err_sys("Whitewood netRandom global config failed"); @@ -172,7 +187,7 @@ int testsuite_test(int argc, char** argv) #endif /* Create unique file name */ - outputName = mymktemp(tempName, len, num); + outputName = mymktemp(tempName, tempName_len, tempName_Xnum); if (outputName == NULL) { printf("Could not create unique file name"); return EXIT_FAILURE; @@ -241,7 +256,7 @@ static int test_tls(func_args* server_args) { func_args echo_args; char* myArgv[NUMARGS]; - char arg[3][32]; + char arg[3][128]; /* Set up command line arguments for echoclient to send input file * and write echoed data to temporary output file. */ diff --git a/wolfcrypt/src/blake2b.c b/wolfcrypt/src/blake2b.c index 26466aebf..9ed1fe70e 100644 --- a/wolfcrypt/src/blake2b.c +++ b/wolfcrypt/src/blake2b.c 
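Review bot: The results of `XSTRLCPY` and `XSTRLCAT` into the 128-byte `tempName` are not checked, so a long `TMPDIR` silently truncates the template. `mymktemp` is then still told through `tempName_Xnum = 6` to expect six trailing X characters that may no longer be present. Assuming these macros follow the strlcpy/strlcat convention of returning the length they tried to build, the append can be guarded with `if (XSTRLCAT(tempName, "/testsuite-output-XXXXXX", sizeof(tempName)) >= sizeof(tempName)) return EXIT_FAILURE;`. The third hunk widens `arg[3][32]` to `arg[3][128]` to match, but the copy into `arg` lies outside the hunk, so it is worth confirming that it is bounded by `sizeof(arg[0])` as well. The body of testsuite_test continues outside these hunks.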
@@ -120,10 +120,13 @@ int blake2b_init_param( blake2b_state *S, const blake2b_param *P ) } - int blake2b_init( blake2b_state *S, const byte outlen ) { +#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD blake2b_param P[1]; +#else + volatile blake2b_param P[1]; +#endif if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG; @@ -140,12 +143,12 @@ int blake2b_init( blake2b_state *S, const byte outlen ) XMEMSET( P->salt, 0, sizeof( P->salt ) ); XMEMSET( P->personal, 0, sizeof( P->personal ) ); #else - XMEMSET( P, 0, sizeof( *P ) ); + XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) ); P->digest_length = outlen; P->fanout = 1; P->depth = 1; #endif - return blake2b_init_param( S, P ); + return blake2b_init_param( S, (blake2b_param *)P ); } @@ -153,7 +156,11 @@ int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key, const byte keylen ) { int ret = 0; +#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD blake2b_param P[1]; +#else + volatile blake2b_param P[1]; +#endif if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG; @@ -172,14 +179,14 @@ int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key, XMEMSET( P->salt, 0, sizeof( P->salt ) ); XMEMSET( P->personal, 0, sizeof( P->personal ) ); #else - XMEMSET( P, 0, sizeof( *P ) ); + XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) ); P->digest_length = outlen; P->key_length = keylen; P->fanout = 1; P->depth = 1; #endif - ret = blake2b_init_param( S, P ); + ret = blake2b_init_param( S, (blake2b_param *)P ); if ( ret < 0 ) return ret; { diff --git a/wolfcrypt/src/blake2s.c b/wolfcrypt/src/blake2s.c index f73fe2ab1..f6478dd0e 100644 --- a/wolfcrypt/src/blake2s.c +++ b/wolfcrypt/src/blake2s.c 
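Review bot: `P` is now defined `volatile` and then handed to `XMEMSET` and `blake2b_init_param` through `(blake2b_param *)P`, which casts the qualifier away. C11 6.7.3 makes access to a volatile-defined object through a non-volatile lvalue undefined behaviour, so the callee's reads are not covered by the qualifier and the cast undoes what the declaration asks for. Nothing in the hunk says what the `volatile` works around (presumably an optimisation or diagnostic on the whole-struct `XMEMSET` path), and that reason should sit next to the declaration, for example `/* volatile: works around <compiler/issue>; cast away at the init_param call */`. The same pattern repeats in blake2b_init_key and in both init functions of wolfcrypt/src/blake2s.c.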
@@ -119,7 +119,11 @@ int blake2s_init_param( blake2s_state *S, const blake2s_param *P ) int blake2s_init( blake2s_state *S, const byte outlen ) { +#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD blake2s_param P[1]; +#else + volatile blake2s_param P[1]; +#endif if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return BAD_FUNC_ARG; @@ -132,16 +136,15 @@ int blake2s_init( blake2s_state *S, const byte outlen ) store32( &P->node_offset, 0 ); P->node_depth = 0; P->inner_length = 0; - XMEMSET( P->reserved, 0, sizeof( P->reserved ) ); XMEMSET( P->salt, 0, sizeof( P->salt ) ); XMEMSET( P->personal, 0, sizeof( P->personal ) ); #else - XMEMSET( P, 0, sizeof( *P ) ); + XMEMSET( (blake2s_param *)P, 0, sizeof( *P ) ); P->digest_length = outlen; P->fanout = 1; P->depth = 1; #endif - return blake2s_init_param( S, P ); + return blake2s_init_param( S, (blake2s_param *)P ); } @@ -149,7 +152,11 @@ int blake2s_init_key( blake2s_state *S, const byte outlen, const void *key, const byte keylen ) { int ret = 0; +#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD blake2s_param P[1]; +#else + volatile blake2s_param P[1]; +#endif if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return BAD_FUNC_ARG; @@ -164,18 +171,17 @@ int blake2s_init_key( blake2s_state *S, const byte outlen, const void *key, store64( &P->node_offset, 0 ); P->node_depth = 0; P->inner_length = 0; - XMEMSET( P->reserved, 0, sizeof( P->reserved ) ); XMEMSET( P->salt, 0, sizeof( P->salt ) ); XMEMSET( P->personal, 0, sizeof( P->personal ) ); #else - XMEMSET( P, 0, sizeof( *P ) ); + XMEMSET( (blake2s_param *)P, 0, sizeof( *P ) ); P->digest_length = outlen; P->key_length = keylen; P->fanout = 1; P->depth = 1; #endif - ret = blake2s_init_param( S, P ); + ret = blake2s_init_param( S, (blake2s_param *)P ); if (ret < 0) return ret; diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c index 0effb7f7d..046e81ce1 100644 --- a/wolfcrypt/src/sp_int.c +++ b/wolfcrypt/src/sp_int.c 
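Review bot: In the `WOLFSSL_BLAKE2S_INIT_EACH_FIELD` branches the context lines clear the same field in two different ways: blake2s_init uses `store32( &P->node_offset, 0 )` while blake2s_init_key uses `store64( &P->node_offset, 0 )`. The field's declaration is not visible here, but the offset comments in blake2-int.h (`node_depth; /* 15 */`) suggest it is neither 4 nor 8 bytes wide. If so, one call may leave part of it uninitialised and the other may write past it into `node_depth` and `inner_length`. This commit already edits both branches to drop the `reserved` memset, so both stores could be replaced with `XMEMSET( P->node_offset, 0, sizeof( P->node_offset ) );`, assuming node_offset is a byte array, which should be confirmed against the header.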
@@ -93,6 +93,12 @@ This library provides single precision (SP) integer math functions. * WOLFSSL_SP_FAST_MODEXP Allow fast mod_exp with small C code */ +/* TODO: WOLFSSL_SP_SMALL is incompatible with clang-12+ -Os. */ +#if defined(__clang__) && defined(__clang_major__) && \ + (__clang_major__ >= 12) && defined(WOLFSSL_SP_SMALL) + #undef WOLFSSL_SP_SMALL +#endif + #include /* DECL_SP_INT: Declare one variable of type 'sp_int'. */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 205cc2661..a4ef84533 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -23871,6 +23871,12 @@ done: #if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_AES_CBC) && \ (defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_256)) +/* ecc_encrypt_e2e_test() uses wc_ecc_ctx_set_algo(), which was added in + * wolfFIPS 5.3. + * ecc_encrypt_kat() is used only by ecc_encrypt_e2e_test(). + */ +#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) + #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ ECC_MIN_KEY_SZ <= 256 && defined(WOLFSSL_AES_128) static int ecc_encrypt_kat(WC_RNG *rng) @@ -24343,6 +24349,8 @@ done: return ret; } +#endif /* !HAVE_FIPS || FIPS_VERSION_GE(5,3) */ + WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void) { WC_RNG rng; @@ -24412,6 +24420,8 @@ WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void) } #endif +#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)) + #if !defined(NO_AES) && defined(HAVE_AES_CBC) #ifdef WOLFSSL_AES_128 if (ret == 0) { @@ -24453,6 +24463,8 @@ WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void) #endif #endif +#endif /* !HAVE_FIPS || FIPS_VERSION_GE(5,3) */ + done: #ifdef WOLFSSL_SMALL_STACK if (userA != NULL) { diff --git a/wolfssl/wolfcrypt/blake2-int.h b/wolfssl/wolfcrypt/blake2-int.h index e1c73fc85..de44a3524 100644 --- a/wolfssl/wolfcrypt/blake2-int.h +++ b/wolfssl/wolfcrypt/blake2-int.h 
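Review bot: The new guard undefines `WOLFSSL_SP_SMALL` for every clang 12+ build, although the TODO says the incompatibility is with `-Os`. Adding `defined(__OPTIMIZE_SIZE__)` to the condition would limit the override to size-optimised builds and leave an explicit user setting alone otherwise. Because the `#undef` lives in sp_int.c, other translation units still see `WOLFSSL_SP_SMALL`, so it is worth confirming that nothing outside this file sizes or declares things differently based on it. The TODO would also be easier to retire later if it named the observed symptom, such as a miscompile, a failing test or a crash.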
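Review bot: In the wolfcrypt/test/test.c guards, `defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)` does not protect against the macro being undefined. The preprocessor parses the whole `#if` expression, so an undefined function-like name followed by `(5,3)` is a syntax error regardless of the `defined()` test. If test.c can only be built with a settings header that always defines `FIPS_VERSION_GE`, the `defined()` clause is redundant; otherwise a fallback is needed before the first use, such as `#ifndef FIPS_VERSION_GE` / `#define FIPS_VERSION_GE(major,minor) 0` / `#endif`. The same three-clause condition is repeated at all three sites in this file, so one local feature macro would keep the `#if` lines and their closing `#endif` comments in sync.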
@@ -73,7 +73,7 @@ byte node_depth; /* 15 */ byte inner_length; /* 16 */ /* byte reserved[0]; */ - byte salt[BLAKE2B_SALTBYTES]; /* 24 */ + byte salt[BLAKE2S_SALTBYTES]; /* 24 */ byte personal[BLAKE2S_PERSONALBYTES]; /* 32 */ } blake2s_param; diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index b6b6b60a1..8d723ff77 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -761,13 +761,12 @@ decouple library dependencies with standard string, memory and so on. #define XSTRLCAT(s1,s2,n) wc_strlcat((s1),(s2),(n)) #endif - #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \ - !defined(NO_STDIO_FILESYSTEM) + #if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) #ifndef XGETENV #include #define XGETENV getenv #endif - #endif /* OPENSSL_EXTRA */ + #endif /* !NO_FILESYSTEM && !NO_STDIO_FILESYSTEM */ #ifndef CTYPE_USER #ifndef WOLFSSL_LINUXKM
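Review bot: In wolfssl/wolfcrypt/types.h, dropping `defined(OPENSSL_EXTRA)` makes `XGETENV` map to `getenv` in every build with a stdio filesystem. Any code that is conditional on `#ifdef XGETENV`, as the new testsuite.c block in this commit is, therefore becomes active in default builds. The comment on this block could say that values read through the macro come from the process environment and must be length- and content-checked by the caller, for example `/* XGETENV: result is environment-controlled; validate before use */`. The callers lie outside this hunk, so which of them change behaviour cannot be confirmed from here.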