XTS streaming support on aarch64

FIPS 140-3 disable XTS-384 in FIPS mode
FIPS 140-3 v6.0.0 SRTP-KDF RC3
2025-03-10 13:34:13 -06:00 · 2025-02-26 07:34:39 -07:00 · 2025-01-02 11:05:25 -07:00
3 changed files with 21 additions and 2 deletions
--- a/1
+++ b/1
@ -1,4 +1,5 @@
 *** Description ***
+*** FIPS 140-3 module v6.0.0 SRTP-KDF Release Candidate 3 ***

 The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight SSL/TLS
 library written in ANSI C and targeted for embedded, RTOS, and
--- a/README.md
+++ b/README.md
@ -1,4 +1,5 @@
 # wolfSSL Embedded SSL/TLS Library
+# FIPS 140-3 module v6.0.0 SRTP-KDF Release Candidate 3

 The [wolfSSL embedded SSL library](https://www.wolfssl.com/products/wolfssl/)
 (formerly CyaSSL) is a lightweight SSL/TLS library written in ANSI C and
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@ -11832,7 +11832,13 @@ static WARN_UNUSED_RESULT int _AesEcbEncrypt(
 #elif defined(__aarch64__) && defined(WOLFSSL_ARMASM) && \
      !defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)
    if (aes->use_aes_hw_crypto) {
-        AES_encrypt_AARCH64(in, out, (byte*)aes->key, (int)aes->rounds);
+       word32 i;
+
+        for (i = 0; i < sz; i += WC_AES_BLOCK_SIZE) {
+            AES_encrypt_AARCH64(in, out, (byte*)aes->key, (int)aes->rounds);
+            in += WC_AES_BLOCK_SIZE;
+            out += WC_AES_BLOCK_SIZE;
+        }
    }
    else
 #endif
@ -11890,7 +11896,13 @@ static WARN_UNUSED_RESULT int _AesEcbDecrypt(
 #elif defined(__aarch64__) && defined(WOLFSSL_ARMASM) && \
      !defined(WOLFSSL_ARMASM_NO_HW_CRYPTO)
    if (aes->use_aes_hw_crypto) {
-        AES_decrypt_AARCH64(in, out, (byte*)aes->key, (int)aes->rounds);
+        word32 i;
+
+        for (i = 0; i < sz; i += WC_AES_BLOCK_SIZE) {
+            AES_decrypt_AARCH64(in, out, (byte*)aes->key, (int)aes->rounds);
+            in += WC_AES_BLOCK_SIZE;
+            out += WC_AES_BLOCK_SIZE;
+        }
    }
    else
 #endif
@ -12753,7 +12765,12 @@ int wc_AesXtsSetKeyNoInit(XtsAes* aes, const byte* key, word32 len, int dir)
    }

    if ((len != (AES_128_KEY_SIZE*2)) &&
+#ifndef HAVE_FIPS
+        /* XTS-384 not allowed by FIPS and can not be treated like
+         * RSA-4096 bit keys back in the day, can not vendor affirm
+         * the use of 2 concatenated 192-bit keys (XTS-384) */
        (len != (AES_192_KEY_SIZE*2)) &&
+#endif
        (len != (AES_256_KEY_SIZE*2)))
    {
        WOLFSSL_MSG("Unsupported key size");
Author	SHA1	Message	Date
kaleb-himes	184c8128ac	XTS streaming support on aarch64	2025-03-10 13:34:13 -06:00
kaleb-himes	81beda3f40	FIPS 140-3 disable XTS-384 in FIPS mode	2025-02-26 07:34:39 -07:00
kaleb-himes	9a411ca710	FIPS 140-3 v6.0.0 SRTP-KDF RC3	2025-01-02 11:05:25 -07:00