From 940d0140f9d4f12a961f0df225910d98a62bba73 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 24 Jun 2022 15:55:08 -0500 Subject: [PATCH 1/5] configure.ac fixes related to change in default math back end (to sp-math-all): wolfRand doesn't use fastmath; FIPS v5-dev follows the non-FIPS default (now sp-math-all); add -DWC_NO_CACHE_RESISTANT to AM_CFLAGS when $ENABLED_HARDEN != yes; add ENABLED_BIGNUM sensor and use it in linuxkm math back end assert; add configuration callout for "Side-channel Hardening" reporting value of $ENABLED_HARDEN. --- configure.ac | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index 4c92fc364..25a6f82f9 100644 --- a/configure.ac +++ b/configure.ac @@ -315,7 +315,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=1 ENABLED_FIPS="yes" DEF_SP_MATH="no" - DEF_FAST_MATH="yes" + DEF_FAST_MATH="no" ], [v5-RC8],[ FIPS_VERSION="v5-RC8" @@ -370,8 +370,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION=5 HAVE_FIPS_VERSION_MINOR=3 ENABLED_FIPS="yes" - DEF_SP_MATH="no" - DEF_FAST_MATH="yes" + # for v5-dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all) ], [ AC_MSG_ERROR([Invalid value for --enable-fips "$ENABLED_FIPS" (main options: v1, v2, v5, ready, dev, rand, no, disabled)]) @@ -478,6 +477,8 @@ then if test "$ENABLED_FIPS" = "no"; then AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_PRIME_CHECK" fi + DEF_SP_MATH="yes" + DEF_FAST_MATH="no" fi AC_ARG_WITH([linux-source], @@ -1411,7 +1412,7 @@ then AM_CFLAGS="$AM_CFLAGS -DWC_RSA_BLINDING" fi else - AM_CFLAGS="$AM_CFLAGS -DWC_NO_HARDEN" + AM_CFLAGS="$AM_CFLAGS -DWC_NO_HARDEN -DWC_NO_CACHE_RESISTANT" fi 
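Review bot: In the `@@ -1411,7 +1412,7 @@` hunk, the `else` branch now also defines `-DWC_NO_CACHE_RESISTANT`, but nothing at the site says that disabling hardening removes cache-attack countermeasures as well. Going by the macro name and the commit message, this widens what a non-hardened build gives up, so it deserves a comment next to the assignment, for example `# hardening off: build without side-channel countermeasures, including cache-resistant code paths`. The enclosing `if` that tests `$ENABLED_HARDEN` starts outside the hunk, so the exact condition that reaches this branch is not visible here.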
@@ -3524,12 +3525,15 @@ then AC_MSG_ERROR([please disable dsa if disabling asn.]) fi -# No Big Int (ASN, RSA, DH and ECC need bigint) -if test "$ENABLED_ASN" = "no" && test "$ENABLED_DH" = "no" && test "$ENABLED_ECC" = "no" && test "$ENABLED_RSA" = "no" +# No Big Int (ASN, DSA, RSA, DH and ECC need bigint) +if test "$ENABLED_ASN" = "no" && test "$ENABLED_DSA" = no && test "$ENABLED_DH" = "no" && test "$ENABLED_ECC" = "no" && test "$ENABLED_RSA" = "no" then ENABLED_SP_MATH_ALL=no ENABLED_FASTMATH=no ENABLED_HEAPMATH=no + ENABLED_BIGNUM=no +else + ENABLED_BIGNUM=yes fi @@ -7779,7 +7783,7 @@ if test "x$ENABLED_LINUXKM" = "xyes"; then if test "$ENABLED_SMALL_STACK" != "yes"; then AC_MSG_ERROR([--enable-smallstack is required for --enable-linuxkm.]) fi - if test "$ENABLED_SP_MATH" = "no" && test "$ENABLED_SP_MATH_ALL" = "no"; then + if test "$ENABLED_SP_MATH" = "no" && test "$ENABLED_SP_MATH_ALL" = "no" && test "$ENABLED_BIGNUM" != "no"; then AC_MSG_ERROR([--enable-sp-math or --enable-sp-math-all is required for --enable-linuxkm.]) fi if test "$ENABLED_STACKSIZE" != "no"; then @@ -8164,6 +8168,8 @@ echo " * Old Names: $ENABLED_OLDNAMES" echo " * Max Strength Build: $ENABLED_MAXSTRENGTH" echo " * Distro Build: $ENABLED_DISTRO" echo " * Reproducible Build: $ENABLED_REPRODUCIBLE_BUILD" +echo " * Side-channel Hardening: $ENABLED_HARDEN" + echo " * Single Precision Math: $ENABLED_SP" if test "$ENABLED_SP_MATH_ALL" != "no" then From 047c662af82418c87e598f59e2231292accf86f3 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 24 Jun 2022 15:56:54 -0500 Subject: [PATCH 2/5] fix math errors unmasked by change to sp-math-all as default math back end. --- src/x509.c | 2 +- wolfcrypt/src/sp_int.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/x509.c b/src/x509.c index cff25bf11..d0783d787 100644 --- a/src/x509.c +++ b/src/x509.c 
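Review bot: In the `@@ -3524,12 +3525,15 @@` hunk, the new DSA test is written `test "$ENABLED_DSA" = no` while the four sibling tests on the same line quote the literal; make it `test "$ENABLED_DSA" = "no"` for consistency. Whether `ENABLED_DSA` is always assigned before this point is not visible in the hunk. If it can be empty, the test is false and `ENABLED_BIGNUM` becomes `yes`, which is the conservative result for the linuxkm check in the next hunk, but a short comment saying so would help.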
@@ -12233,7 +12233,7 @@ int wolfSSL_X509_set_pubkey(WOLFSSL_X509 *cert, WOLFSSL_EVP_PKEY *pkey) int wolfSSL_X509_set_version(WOLFSSL_X509* x509, long v) { WOLFSSL_ENTER("wolfSSL_X509_set_version"); - if ((x509 == NULL) || (v < 0) || (v > INT_MAX)) { + if ((x509 == NULL) || (v < 0) || (v >= INT_MAX)) { return WOLFSSL_FAILURE; } x509->version = (int) v + 1; diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c index d1c91bdf4..94e12e988 100644 --- a/wolfcrypt/src/sp_int.c +++ b/wolfcrypt/src/sp_int.c @@ -7277,7 +7277,7 @@ static int _sp_mul(sp_int* a, sp_int* b, sp_int* r) #endif for (k = 1; k <= (a->used - 1) + (b->used - 1); k++) { i = k - (b->used - 1); - i &= ~(i >> (sizeof(i) * 8 - 1)); + i &= ~((unsigned int)i >> (sizeof(i) * 8 - 1)); j = k - i; for (; (i < a->used) && (j >= 0); i++, j--) { w = (sp_int_word)a->dp[i] * b->dp[j]; From 9a29dfc8cb02516fa5dc1638d9994f8b8645d35a Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 24 Jun 2022 16:08:38 -0500 Subject: [PATCH 3/5] fix whitespace. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 25a6f82f9..18e063154 100644 --- a/configure.ac +++ b/configure.ac @@ -370,7 +370,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION=5 HAVE_FIPS_VERSION_MINOR=3 ENABLED_FIPS="yes" - # for v5-dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all) + # for v5-dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all) ], [ AC_MSG_ERROR([Invalid value for --enable-fips "$ENABLED_FIPS" (main options: v1, v2, v5, ready, dev, rand, no, disabled)]) From 790584113f5ad7537c85ac3184f84945fba8b3f5 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 24 Jun 2022 16:38:56 -0500 Subject: [PATCH 4/5] configure.ac: WOLFSSL_WPAS[_SMALL] requires OPENSSL_EXTRA. --- configure.ac | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/configure.ac b/configure.ac index 18e063154..244707955 100644 --- a/configure.ac 
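Review bot: The new bound `(v >= INT_MAX)` in `wolfSSL_X509_set_version` exists only because the assignment below stores `(int) v + 1`, and nothing in the code says so. A comment such as `/* reject INT_MAX too: version is stored as v + 1, which would overflow int */` would stop a later cleanup from reverting it to `>`. The check still accepts any value from 0 to INT_MAX - 1. If only the X.509 version encodings 0 to 2 are meaningful to the rest of the library, a tighter range would be safer, though callers outside this hunk may depend on the current behaviour. The function body continues past the end of the hunk.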
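Review bot: In the `_sp_mul` hunk of PATCH 2/5, the rewritten mask no longer clamps a negative `i` to zero. A logical shift of `(unsigned int)i` yields 0 or 1, so `~(...)` is either all ones or all ones with bit 0 cleared, and a negative `i` stays negative. The inner loop condition `(i < a->used) && (j >= 0)` does not exclude that, so if `i` is a signed index, as the `sizeof(i) * 8 - 1` shift suggests, `a->dp[i]` would be read before the start of the array. PATCH 5/5 replaces the line with `i &= (((unsigned int)i >> (sizeof(i) * 8 - 1)) - 1U);`. That form should be squashed into this commit so that no revision in history, and no bisect step, builds the broken mask. The declarations of `i`, `j` and `k` are outside the hunk.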
+++ b/configure.ac @@ -1456,6 +1456,12 @@ then AM_CFLAGS="$AM_CFLAGS -DKEEP_PEER_CERT" AM_CFLAGS="$AM_CFLAGS -DHAVE_KEYING_MATERIAL" AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF" + + if test "$ENABLED_OPENSSLEXTRA" = "no" + then + ENABLED_OPENSSLEXTRA="yes" + AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA" + fi fi if test "$ENABLED_FORTRESS" = "yes" From 9211825121b63ac49faed556a855b9f6208fc66c Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Fri, 24 Jun 2022 18:04:51 -0500 Subject: [PATCH 5/5] sp_int.c: fix refactor of undefined-semantics shift in _sp_mul(). --- wolfcrypt/src/sp_int.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/sp_int.c b/wolfcrypt/src/sp_int.c index 94e12e988..1a92e619f 100644 --- a/wolfcrypt/src/sp_int.c +++ b/wolfcrypt/src/sp_int.c @@ -7277,7 +7277,7 @@ static int _sp_mul(sp_int* a, sp_int* b, sp_int* r) #endif for (k = 1; k <= (a->used - 1) + (b->used - 1); k++) { i = k - (b->used - 1); - i &= ~((unsigned int)i >> (sizeof(i) * 8 - 1)); + i &= (((unsigned int)i >> (sizeof(i) * 8 - 1)) - 1U); j = k - i; for (; (i < a->used) && (j >= 0); i++, j--) { w = (sp_int_word)a->dp[i] * b->dp[j];
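Review bot: The added block in the `@@ -1456,6 +1456,12 @@` hunk switches `ENABLED_OPENSSLEXTRA` to `yes` and adds `-DOPENSSL_EXTRA` without telling the user, so a build that asked for no OpenSSL compatibility layer silently gets a larger API surface. Emit a line such as `AC_MSG_NOTICE([enabling opensslextra, required by this option])` inside the new `if`. The guard fires only on the literal `"no"`; if the variable can be empty or hold some other non-`yes` value at this point, the define is not added, and `!= "yes"` would cover that, provided overriding such values is intended. The opening `if` of the enclosing block is outside the hunk, as is any later code that acts on `ENABLED_OPENSSLEXTRA`.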
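Review bot: The final mask expression in `_sp_mul` (PATCH 5/5) is a branch-free clamp that is easy to misread, as the earlier attempt in this series shows, and it has no comment. Add one above the line, for example `/* Branch-free max(i, 0): mask is 0 when the sign bit of i is set, all ones otherwise. */`. The expression also assumes that `i` has the width of `unsigned int` and that a byte has 8 bits. The declaration of `i` is outside the hunk, so if it is ever widened the cast would truncate before the shift; stating that assumption in the comment would make the dependency visible.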