From 6633b52e28694a5406350b11a3ac0ec7c2a5e004 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 11 Jun 2025 16:16:49 -0700 Subject: [PATCH 1/7] Don't try to build wc_RsaSSL_Sign in asn.c MakeSignature if RSA public or verify only is enabled. --- wolfcrypt/src/asn.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 80b3ce76e..b1c22578b 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -31689,7 +31689,7 @@ static int MakeSignature(CertSignCtx* certSignCtx, const byte* buf, word32 sz, certSignCtx->state = CERTSIGN_STATE_DO; ret = -1; /* default to error, reassigned to ALGO_ID_E below. */ - #ifndef NO_RSA + #if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY) if (rsaKey) { /* signature */ ret = wc_RsaSSL_Sign(certSignCtx->encSig, From e8c110d2ac54cecf268411af2dd09620adb1ad86 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 11 Jun 2025 16:17:23 -0700 Subject: [PATCH 2/7] Rename get_digit* to mp_get_digit* to avoid conflicts with other functions named get_digit. --- tests/api/test_wolfmath.c | 28 ++++++++++++++-------------- tests/api/test_wolfmath.h | 12 ++++++------ wolfcrypt/src/ecc.c | 6 +++--- wolfcrypt/src/rsa.c | 4 ++-- wolfcrypt/src/wolfmath.c | 14 +++++++------- wolfssl/wolfcrypt/wolfmath.h | 6 +++--- 6 files changed, 35 insertions(+), 35 deletions(-) diff --git a/tests/api/test_wolfmath.c b/tests/api/test_wolfmath.c index 1b6c6ec85..7d15b4bd4 100644 --- a/tests/api/test_wolfmath.c +++ b/tests/api/test_wolfmath.c @@ -34,9 +34,9 @@ #include /* - * Testing get_digit_count + * Testing mp_get_digit_count */ -int test_get_digit_count(void) +int test_mp_get_digit_count(void) { EXPECT_DECLS; #if !defined(WOLFSSL_SP_MATH) && defined(WOLFSSL_PUBLIC_MP) @@ -46,8 +46,8 @@ int test_get_digit_count(void) ExpectIntEQ(mp_init(&a), 0); - ExpectIntEQ(get_digit_count(NULL), 0); - ExpectIntEQ(get_digit_count(&a), 0); + ExpectIntEQ(mp_get_digit_count(NULL), 0); + ExpectIntEQ(mp_get_digit_count(&a), 0); mp_clear(&a); #endif @@ -55,9 +55,9 @@ int test_get_digit_count(void) } /* End test_get_digit_count */ /* - * Testing get_digit + * Testing mp_get_digit */ -int test_get_digit(void) +int test_mp_get_digit(void) { EXPECT_DECLS; #if defined(WOLFSSL_PUBLIC_MP) @@ -67,8 +67,8 @@ int test_get_digit(void) XMEMSET(&a, 0, sizeof(mp_int)); ExpectIntEQ(mp_init(&a), MP_OKAY); - ExpectIntEQ(get_digit(NULL, n), 0); - ExpectIntEQ(get_digit(&a, n), 0); + ExpectIntEQ(mp_get_digit(NULL, n), 0); + ExpectIntEQ(mp_get_digit(&a, n), 0); mp_clear(&a); #endif @@ -76,9 +76,9 @@ int test_get_digit(void) } /* End test_get_digit */ /* - * Testing get_rand_digit + * Testing mp_get_rand_digit */ -int test_get_rand_digit(void) +int test_mp_get_rand_digit(void) { EXPECT_DECLS; #if !defined(WC_NO_RNG) && defined(WOLFSSL_PUBLIC_MP) @@ -89,10 +89,10 @@ int test_get_rand_digit(void) ExpectIntEQ(wc_InitRng(&rng), 0); - ExpectIntEQ(get_rand_digit(&rng, &d), 0); - ExpectIntEQ(get_rand_digit(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(get_rand_digit(NULL, &d), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(get_rand_digit(&rng, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(mp_get_rand_digit(&rng, &d), 0); + ExpectIntEQ(mp_get_rand_digit(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(mp_get_rand_digit(NULL, &d), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(mp_get_rand_digit(&rng, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); DoExpectIntEQ(wc_FreeRng(&rng), 0); #endif diff --git a/tests/api/test_wolfmath.h b/tests/api/test_wolfmath.h index e02020c75..73f416933 100644 --- a/tests/api/test_wolfmath.h +++ b/tests/api/test_wolfmath.h @@ -24,17 +24,17 @@ #include -int test_get_digit_count(void); -int test_get_digit(void); -int test_get_rand_digit(void); +int test_mp_get_digit_count(void); +int test_mp_get_digit(void); +int test_mp_get_rand_digit(void); int test_mp_cond_copy(void); int test_mp_rand(void); int test_wc_export_int(void); #define TEST_WOLFMATH_DECLS \ - TEST_DECL_GROUP("wolfmath", test_get_digit_count), \ - TEST_DECL_GROUP("wolfmath", test_get_digit), \ - TEST_DECL_GROUP("wolfmath", test_get_rand_digit), \ + TEST_DECL_GROUP("wolfmath", test_mp_get_digit_count), \ + TEST_DECL_GROUP("wolfmath", test_mp_get_digit), \ + TEST_DECL_GROUP("wolfmath", test_mp_get_rand_digit), \ TEST_DECL_GROUP("wolfmath", test_mp_cond_copy), \ TEST_DECL_GROUP("wolfmath", test_mp_rand), \ TEST_DECL_GROUP("wolfmath", test_wc_export_int) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 747f9f1fb..ea9db7e6f 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -2054,7 +2054,7 @@ static int _ecc_projective_add_point(ecc_point* P, ecc_point* Q, ecc_point* R, } if (err == MP_OKAY) { if ( (mp_cmp(P->x, Q->x) == MP_EQ) && - (get_digit_count(Q->z) && mp_cmp(P->z, Q->z) == MP_EQ) && + (mp_get_digit_count(Q->z) && mp_cmp(P->z, Q->z) == MP_EQ) && (mp_cmp(P->y, Q->y) == MP_EQ || mp_cmp(P->y, t1) == MP_EQ)) { mp_clear(t1); mp_clear(t2); @@ -2990,7 +2990,7 @@ static int ecc_mulmod(const mp_int* k, ecc_point* tG, ecc_point* R, mode = 0; bitcnt = 1; buf = 0; - digidx = get_digit_count(k) - 1; + digidx = mp_get_digit_count(k) - 1; bitcpy = bitbuf = 0; first = 1; @@ -3001,7 +3001,7 @@ static int ecc_mulmod(const mp_int* k, ecc_point* tG, ecc_point* R, if (digidx == -1) { break; } - buf = get_digit(k, digidx); + buf = mp_get_digit(k, digidx); bitcnt = (int) DIGIT_BIT; --digidx; } diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 16f2159f6..fa455cc36 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -2551,7 +2551,7 @@ static int RsaFunctionPrivate(mp_int* tmp, RsaKey* key, WC_RNG* rng) if (ret == 0) { /* blind */ - ret = mp_rand(rnd, get_digit_count(&key->n), rng); + ret = mp_rand(rnd, mp_get_digit_count(&key->n), rng); } if (ret == 0) { /* rndi = 1/rnd mod n */ @@ -5090,7 +5090,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) /* Blind the inverse operation with a value that is invertable */ if (err == MP_OKAY) { do { - err = mp_rand(&key->p, get_digit_count(tmp3), rng); + err = mp_rand(&key->p, mp_get_digit_count(tmp3), rng); if (err == MP_OKAY) err = mp_set_bit(&key->p, 0); if (err == MP_OKAY) diff --git a/wolfcrypt/src/wolfmath.c b/wolfcrypt/src/wolfmath.c index 9f14d0190..9ca1865bd 100644 --- a/wolfcrypt/src/wolfmath.c +++ b/wolfcrypt/src/wolfmath.c @@ -85,7 +85,7 @@ void mp_reverse(unsigned char *s, int len) } } -int get_digit_count(const mp_int* a) +int mp_get_digit_count(const mp_int* a) { if (a == NULL) return 0; @@ -93,7 +93,7 @@ int get_digit_count(const mp_int* a) return (int)a->used; } -mp_digit get_digit(const mp_int* a, int n) +mp_digit mp_get_digit(const mp_int* a, int n) { if (a == NULL) return 0; @@ -135,13 +135,13 @@ int mp_cond_copy(mp_int* a, int copy, mp_int* b) * When mask all set, b ^ b ^ a = a */ /* Conditionally copy all digits and then number of used digits. - * get_digit() returns 0 when index greater than available digit. + * mp_get_digit() returns 0 when index greater than available digit. */ for (i = 0; i < a->used; i++) { - b->dp[i] ^= (get_digit(a, (int)i) ^ get_digit(b, (int)i)) & mask; + b->dp[i] ^= (mp_get_digit(a, (int)i) ^ mp_get_digit(b, (int)i)) & mask; } for (; i < b->used; i++) { - b->dp[i] ^= (get_digit(a, (int)i) ^ get_digit(b, (int)i)) & mask; + b->dp[i] ^= (mp_get_digit(a, (int)i) ^ mp_get_digit(b, (int)i)) & mask; } b->used ^= (a->used ^ b->used) & (wc_mp_size_t)mask; #if (!defined(WOLFSSL_SP_MATH) && !defined(WOLFSSL_SP_MATH_ALL)) || \ @@ -156,7 +156,7 @@ int mp_cond_copy(mp_int* a, int copy, mp_int* b) #ifndef WC_NO_RNG -int get_rand_digit(WC_RNG* rng, mp_digit* d) +int mp_get_rand_digit(WC_RNG* rng, mp_digit* d) { return wc_RNG_GenerateBlock(rng, (byte*)d, sizeof(mp_digit)); } @@ -205,7 +205,7 @@ int mp_rand(mp_int* a, int digits, WC_RNG* rng) #endif /* ensure top digit is not zero */ while ((ret == MP_OKAY) && (a->dp[a->used - 1] == 0)) { - ret = get_rand_digit(rng, &a->dp[a->used - 1]); + ret = mp_get_rand_digit(rng, &a->dp[a->used - 1]); #ifdef USE_INTEGER_HEAP_MATH a->dp[a->used - 1] &= MP_MASK; #endif diff --git a/wolfssl/wolfcrypt/wolfmath.h b/wolfssl/wolfcrypt/wolfmath.h index e2e854525..03d79d9f4 100644 --- a/wolfssl/wolfcrypt/wolfmath.h +++ b/wolfssl/wolfcrypt/wolfmath.h @@ -83,9 +83,9 @@ This library provides big integer math functions. #if !defined(NO_BIG_INT) /* common math functions */ -MP_API int get_digit_count(const mp_int* a); -MP_API mp_digit get_digit(const mp_int* a, int n); -MP_API int get_rand_digit(WC_RNG* rng, mp_digit* d); +MP_API int mp_get_digit_count(const mp_int* a); +MP_API mp_digit mp_get_digit(const mp_int* a, int n); +MP_API int mp_get_rand_digit(WC_RNG* rng, mp_digit* d); WOLFSSL_LOCAL void mp_reverse(unsigned char *s, int len); WOLFSSL_API int mp_cond_copy(mp_int* a, int copy, mp_int* b); From 304019d28dc7dbe1e9726bf8d3d3efe99f32df78 Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 11 Jun 2025 16:18:22 -0700 Subject: [PATCH 3/7] Fix inclusion guard around wc_RsaSSL_Verify. The current condition of !WOLFSSL_RSA_VERIFY_ONLY doesn't make sense, as the verify only case will want this function. Based on the original change and the context, it looks like this was a typo meant to be !WOLFSSL_RSA_VERIFY_INLINE. --- wolfcrypt/src/rsa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index fa455cc36..ce3abf4f4 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -3871,7 +3871,7 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) } #endif -#ifndef WOLFSSL_RSA_VERIFY_ONLY +#ifndef WOLFSSL_RSA_VERIFY_INLINE int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen, RsaKey* key) { From 2366718d5a484aeb9dce7907f302a471d778774d Mon Sep 17 00:00:00 2001 From: Kareem Date: Wed, 11 Jun 2025 16:36:53 -0700 Subject: [PATCH 4/7] Add args->input free in FreeSskeArgs. This free is redundant in most cases but it covers the specific case of using async, exiting SendServerKeyExchange early due to WANT_WRITE or WC_PENDING_E, then later freeing the async context without calling SendServerKeyExchange again. --- src/internal.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/internal.c b/src/internal.c index e7f2103c8..0edd4f226 100644 --- a/src/internal.c +++ b/src/internal.c @@ -35727,6 +35727,16 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE); args->verifySig = NULL; #endif + + if ( + #ifdef WOLFSSL_ASYNC_IO + args != NULL && + #endif + args->input != NULL) { + XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER); + args->input = NULL; + } + (void)args; } From 05aa4f5f08bbf90b4c8d6ecfff5362d58fb4eb79 Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 12 Jun 2025 12:27:10 -0700 Subject: [PATCH 5/7] Make mp_get_digit refactor FIPS friendly. --- tests/api/test_wolfmath.c | 17 +++++++++++++++++ wolfcrypt/src/wolfmath.c | 20 ++++++++++++++++++++ wolfssl/wolfcrypt/wolfmath.h | 6 ++++++ 3 files changed, 43 insertions(+) diff --git a/tests/api/test_wolfmath.c b/tests/api/test_wolfmath.c index 7d15b4bd4..813fd1d46 100644 --- a/tests/api/test_wolfmath.c +++ b/tests/api/test_wolfmath.c @@ -46,8 +46,13 @@ int test_mp_get_digit_count(void) ExpectIntEQ(mp_init(&a), 0); +#ifdef HAVE_FIPS + ExpectIntEQ(get_digit_count(NULL), 0); + ExpectIntEQ(get_digit_count(&a), 0); +#else ExpectIntEQ(mp_get_digit_count(NULL), 0); ExpectIntEQ(mp_get_digit_count(&a), 0); +#endif mp_clear(&a); #endif @@ -67,8 +72,13 @@ int test_mp_get_digit(void) XMEMSET(&a, 0, sizeof(mp_int)); ExpectIntEQ(mp_init(&a), MP_OKAY); +#ifdef HAVE_FIPS + ExpectIntEQ(get_digit(NULL, n), 0); + ExpectIntEQ(get_digit(&a, n), 0); +#else ExpectIntEQ(mp_get_digit(NULL, n), 0); ExpectIntEQ(mp_get_digit(&a, n), 0); +#endif mp_clear(&a); #endif @@ -89,10 +99,17 @@ int test_mp_get_rand_digit(void) ExpectIntEQ(wc_InitRng(&rng), 0); +#ifdef HAVE_FIPS + ExpectIntEQ(get_rand_digit(&rng, &d), 0); + ExpectIntEQ(get_rand_digit(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(get_rand_digit(NULL, &d), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); + ExpectIntEQ(get_rand_digit(&rng, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#else ExpectIntEQ(mp_get_rand_digit(&rng, &d), 0); ExpectIntEQ(mp_get_rand_digit(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(mp_get_rand_digit(NULL, &d), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(mp_get_rand_digit(&rng, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); +#endif DoExpectIntEQ(wc_FreeRng(&rng), 0); #endif diff --git a/wolfcrypt/src/wolfmath.c b/wolfcrypt/src/wolfmath.c index 9ca1865bd..688c98a54 100644 --- a/wolfcrypt/src/wolfmath.c +++ b/wolfcrypt/src/wolfmath.c @@ -85,7 +85,11 @@ void mp_reverse(unsigned char *s, int len) } } +#ifdef HAVE_FIPS +int get_digit_count(const mp_int* a) +#else int mp_get_digit_count(const mp_int* a) +#endif { if (a == NULL) return 0; @@ -93,7 +97,11 @@ int mp_get_digit_count(const mp_int* a) return (int)a->used; } +#ifdef HAVE_FIPS +mp_digit get_digit(const mp_int* a, int n) +#else mp_digit mp_get_digit(const mp_int* a, int n) +#endif { if (a == NULL) return 0; @@ -138,10 +146,18 @@ int mp_cond_copy(mp_int* a, int copy, mp_int* b) * mp_get_digit() returns 0 when index greater than available digit. */ for (i = 0; i < a->used; i++) { +#ifdef HAVE_FIPS + b->dp[i] ^= (get_digit(a, (int)i) ^ get_digit(b, (int)i)) & mask; +#else b->dp[i] ^= (mp_get_digit(a, (int)i) ^ mp_get_digit(b, (int)i)) & mask; +#endif } for (; i < b->used; i++) { +#ifdef HAVE_FIPS + b->dp[i] ^= (get_digit(a, (int)i) ^ get_digit(b, (int)i)) & mask; +#else b->dp[i] ^= (mp_get_digit(a, (int)i) ^ mp_get_digit(b, (int)i)) & mask; +#endif } b->used ^= (a->used ^ b->used) & (wc_mp_size_t)mask; #if (!defined(WOLFSSL_SP_MATH) && !defined(WOLFSSL_SP_MATH_ALL)) || \ @@ -156,7 +172,11 @@ int mp_cond_copy(mp_int* a, int copy, mp_int* b) #ifndef WC_NO_RNG +#ifdef HAVE_FIPS +int get_rand_digit(WC_RNG* rng, mp_digit* d) +#else int mp_get_rand_digit(WC_RNG* rng, mp_digit* d) +#endif { return wc_RNG_GenerateBlock(rng, (byte*)d, sizeof(mp_digit)); } diff --git a/wolfssl/wolfcrypt/wolfmath.h b/wolfssl/wolfcrypt/wolfmath.h index 03d79d9f4..809523a6e 100644 --- a/wolfssl/wolfcrypt/wolfmath.h +++ b/wolfssl/wolfcrypt/wolfmath.h @@ -83,9 +83,15 @@ This library provides big integer math functions. #if !defined(NO_BIG_INT) /* common math functions */ +#ifdef HAVE_FIPS +MP_API int get_digit_count(const mp_int* a); +MP_API mp_digit get_digit(const mp_int* a, int n); +MP_API int get_rand_digit(WC_RNG* rng, mp_digit* d); +#else MP_API int mp_get_digit_count(const mp_int* a); MP_API mp_digit mp_get_digit(const mp_int* a, int n); MP_API int mp_get_rand_digit(WC_RNG* rng, mp_digit* d); +#endif WOLFSSL_LOCAL void mp_reverse(unsigned char *s, int len); WOLFSSL_API int mp_cond_copy(mp_int* a, int copy, mp_int* b); From 9c9465aa23a4baff4ae146940fe98eb30882725b Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 12 Jun 2025 12:52:35 -0700 Subject: [PATCH 6/7] Also account for selftest for mp_get_digit refactor. --- tests/api/test_wolfmath.c | 6 +++--- wolfcrypt/src/wolfmath.c | 14 +++++++++----- wolfssl/wolfcrypt/wolfmath.h | 2 +- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/tests/api/test_wolfmath.c b/tests/api/test_wolfmath.c index 813fd1d46..a8145b6e7 100644 --- a/tests/api/test_wolfmath.c +++ b/tests/api/test_wolfmath.c @@ -46,7 +46,7 @@ int test_mp_get_digit_count(void) ExpectIntEQ(mp_init(&a), 0); -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) ExpectIntEQ(get_digit_count(NULL), 0); ExpectIntEQ(get_digit_count(&a), 0); #else @@ -72,7 +72,7 @@ int test_mp_get_digit(void) XMEMSET(&a, 0, sizeof(mp_int)); ExpectIntEQ(mp_init(&a), MP_OKAY); -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) ExpectIntEQ(get_digit(NULL, n), 0); ExpectIntEQ(get_digit(&a, n), 0); #else @@ -99,7 +99,7 @@ int test_mp_get_rand_digit(void) ExpectIntEQ(wc_InitRng(&rng), 0); -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) ExpectIntEQ(get_rand_digit(&rng, &d), 0); ExpectIntEQ(get_rand_digit(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(get_rand_digit(NULL, &d), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); diff --git a/wolfcrypt/src/wolfmath.c b/wolfcrypt/src/wolfmath.c index 688c98a54..f39d2d937 100644 --- a/wolfcrypt/src/wolfmath.c +++ b/wolfcrypt/src/wolfmath.c @@ -85,7 +85,7 @@ void mp_reverse(unsigned char *s, int len) } } -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) int get_digit_count(const mp_int* a) #else int mp_get_digit_count(const mp_int* a) @@ -97,7 +97,7 @@ int mp_get_digit_count(const mp_int* a) return (int)a->used; } -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) mp_digit get_digit(const mp_int* a, int n) #else mp_digit mp_get_digit(const mp_int* a, int n) @@ -146,14 +146,14 @@ int mp_cond_copy(mp_int* a, int copy, mp_int* b) * mp_get_digit() returns 0 when index greater than available digit. */ for (i = 0; i < a->used; i++) { -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) b->dp[i] ^= (get_digit(a, (int)i) ^ get_digit(b, (int)i)) & mask; #else b->dp[i] ^= (mp_get_digit(a, (int)i) ^ mp_get_digit(b, (int)i)) & mask; #endif } for (; i < b->used; i++) { -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) b->dp[i] ^= (get_digit(a, (int)i) ^ get_digit(b, (int)i)) & mask; #else b->dp[i] ^= (mp_get_digit(a, (int)i) ^ mp_get_digit(b, (int)i)) & mask; @@ -172,7 +172,7 @@ int mp_cond_copy(mp_int* a, int copy, mp_int* b) #ifndef WC_NO_RNG -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) int get_rand_digit(WC_RNG* rng, mp_digit* d) #else int mp_get_rand_digit(WC_RNG* rng, mp_digit* d) @@ -225,7 +225,11 @@ int mp_rand(mp_int* a, int digits, WC_RNG* rng) #endif /* ensure top digit is not zero */ while ((ret == MP_OKAY) && (a->dp[a->used - 1] == 0)) { +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) + ret = get_rand_digit(rng, &a->dp[a->used - 1]); +#else ret = mp_get_rand_digit(rng, &a->dp[a->used - 1]); +#endif #ifdef USE_INTEGER_HEAP_MATH a->dp[a->used - 1] &= MP_MASK; #endif diff --git a/wolfssl/wolfcrypt/wolfmath.h b/wolfssl/wolfcrypt/wolfmath.h index 809523a6e..49c6c750a 100644 --- a/wolfssl/wolfcrypt/wolfmath.h +++ b/wolfssl/wolfcrypt/wolfmath.h @@ -83,7 +83,7 @@ This library provides big integer math functions. #if !defined(NO_BIG_INT) /* common math functions */ -#ifdef HAVE_FIPS +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) MP_API int get_digit_count(const mp_int* a); MP_API mp_digit get_digit(const mp_int* a, int n); MP_API int get_rand_digit(WC_RNG* rng, mp_digit* d); From 7e4ec8412498ebd3bc509bff7ff582945f255634 Mon Sep 17 00:00:00 2001 From: Kareem Date: Thu, 12 Jun 2025 15:07:31 -0700 Subject: [PATCH 7/7] Add macros for legacy get_digit functions for FIPS/selftest. --- tests/api/test_wolfmath.c | 17 ----------------- wolfcrypt/src/wolfmath.c | 24 ------------------------ wolfssl/wolfcrypt/wolfmath.h | 12 ++++++------ 3 files changed, 6 insertions(+), 47 deletions(-) diff --git a/tests/api/test_wolfmath.c b/tests/api/test_wolfmath.c index a8145b6e7..7d15b4bd4 100644 --- a/tests/api/test_wolfmath.c +++ b/tests/api/test_wolfmath.c @@ -46,13 +46,8 @@ int test_mp_get_digit_count(void) ExpectIntEQ(mp_init(&a), 0); -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) - ExpectIntEQ(get_digit_count(NULL), 0); - ExpectIntEQ(get_digit_count(&a), 0); -#else ExpectIntEQ(mp_get_digit_count(NULL), 0); ExpectIntEQ(mp_get_digit_count(&a), 0); -#endif mp_clear(&a); #endif @@ -72,13 +67,8 @@ int test_mp_get_digit(void) XMEMSET(&a, 0, sizeof(mp_int)); ExpectIntEQ(mp_init(&a), MP_OKAY); -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) - ExpectIntEQ(get_digit(NULL, n), 0); - ExpectIntEQ(get_digit(&a, n), 0); -#else ExpectIntEQ(mp_get_digit(NULL, n), 0); ExpectIntEQ(mp_get_digit(&a, n), 0); -#endif mp_clear(&a); #endif @@ -99,17 +89,10 @@ int test_mp_get_rand_digit(void) ExpectIntEQ(wc_InitRng(&rng), 0); -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) - ExpectIntEQ(get_rand_digit(&rng, &d), 0); - ExpectIntEQ(get_rand_digit(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(get_rand_digit(NULL, &d), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); - ExpectIntEQ(get_rand_digit(&rng, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#else ExpectIntEQ(mp_get_rand_digit(&rng, &d), 0); ExpectIntEQ(mp_get_rand_digit(NULL, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(mp_get_rand_digit(NULL, &d), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); ExpectIntEQ(mp_get_rand_digit(&rng, NULL), WC_NO_ERR_TRACE(BAD_FUNC_ARG)); -#endif DoExpectIntEQ(wc_FreeRng(&rng), 0); #endif diff --git a/wolfcrypt/src/wolfmath.c b/wolfcrypt/src/wolfmath.c index f39d2d937..9ca1865bd 100644 --- a/wolfcrypt/src/wolfmath.c +++ b/wolfcrypt/src/wolfmath.c @@ -85,11 +85,7 @@ void mp_reverse(unsigned char *s, int len) } } -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) -int get_digit_count(const mp_int* a) -#else int mp_get_digit_count(const mp_int* a) -#endif { if (a == NULL) return 0; @@ -97,11 +93,7 @@ int mp_get_digit_count(const mp_int* a) return (int)a->used; } -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) -mp_digit get_digit(const mp_int* a, int n) -#else mp_digit mp_get_digit(const mp_int* a, int n) -#endif { if (a == NULL) return 0; @@ -146,18 +138,10 @@ int mp_cond_copy(mp_int* a, int copy, mp_int* b) * mp_get_digit() returns 0 when index greater than available digit. */ for (i = 0; i < a->used; i++) { -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) - b->dp[i] ^= (get_digit(a, (int)i) ^ get_digit(b, (int)i)) & mask; -#else b->dp[i] ^= (mp_get_digit(a, (int)i) ^ mp_get_digit(b, (int)i)) & mask; -#endif } for (; i < b->used; i++) { -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) - b->dp[i] ^= (get_digit(a, (int)i) ^ get_digit(b, (int)i)) & mask; -#else b->dp[i] ^= (mp_get_digit(a, (int)i) ^ mp_get_digit(b, (int)i)) & mask; -#endif } b->used ^= (a->used ^ b->used) & (wc_mp_size_t)mask; #if (!defined(WOLFSSL_SP_MATH) && !defined(WOLFSSL_SP_MATH_ALL)) || \ @@ -172,11 +156,7 @@ int mp_cond_copy(mp_int* a, int copy, mp_int* b) #ifndef WC_NO_RNG -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) -int get_rand_digit(WC_RNG* rng, mp_digit* d) -#else int mp_get_rand_digit(WC_RNG* rng, mp_digit* d) -#endif { return wc_RNG_GenerateBlock(rng, (byte*)d, sizeof(mp_digit)); } @@ -225,11 +205,7 @@ int mp_rand(mp_int* a, int digits, WC_RNG* rng) #endif /* ensure top digit is not zero */ while ((ret == MP_OKAY) && (a->dp[a->used - 1] == 0)) { -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) - ret = get_rand_digit(rng, &a->dp[a->used - 1]); -#else ret = mp_get_rand_digit(rng, &a->dp[a->used - 1]); -#endif #ifdef USE_INTEGER_HEAP_MATH a->dp[a->used - 1] &= MP_MASK; #endif diff --git a/wolfssl/wolfcrypt/wolfmath.h b/wolfssl/wolfcrypt/wolfmath.h index 49c6c750a..bfdda62ad 100644 --- a/wolfssl/wolfcrypt/wolfmath.h +++ b/wolfssl/wolfcrypt/wolfmath.h @@ -83,17 +83,17 @@ This library provides big integer math functions. #if !defined(NO_BIG_INT) /* common math functions */ -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) -MP_API int get_digit_count(const mp_int* a); -MP_API mp_digit get_digit(const mp_int* a, int n); -MP_API int get_rand_digit(WC_RNG* rng, mp_digit* d); -#else MP_API int mp_get_digit_count(const mp_int* a); MP_API mp_digit mp_get_digit(const mp_int* a, int n); MP_API int mp_get_rand_digit(WC_RNG* rng, mp_digit* d); -#endif WOLFSSL_LOCAL void mp_reverse(unsigned char *s, int len); +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) +#define get_digit_count mp_get_digit_count +#define get_digit mp_get_digit +#define get_rand_digit mp_get_rand_digit +#endif + WOLFSSL_API int mp_cond_copy(mp_int* a, int copy, mp_int* b); WOLFSSL_API int mp_rand(mp_int* a, int digits, WC_RNG* rng); #endif