Comments for SP800-38E TODO, wolfEntropy optional setup and remove forced errors api.c

2025-07-30 02:37:28 +02:00 · 2024-03-22 17:06:57 -04:00
parent 8092104396
commit 2e63ae750d
3 changed files with 29 additions and 3 deletions
--- a/tests/api.c
+++ b/tests/api.c
@ -79,19 +79,16 @@
    /* ecc key sizes: 14, 16, 20, 24, 28, 30, 32, 40, 48, 64 */
    /* logic to choose right key ECC size */
    #if (defined(HAVE_ECC112) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 112
-#error "NO"
        #define KEY14 14
    #else
        #define KEY14 32
    #endif
    #if (defined(HAVE_ECC128) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 128
-#error "NO2"
        #define KEY16 16
    #else
        #define KEY16 32
    #endif
    #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
-#error "NO3"
        #define KEY20 20
    #else
        #define KEY20 32
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@ -12702,6 +12702,14 @@ int wc_AesXtsEncrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,

    aes = &xaes->aes;

+/* FIPS TODO: SP800-38E - Restrict data unit to 2^20 blocks per key. A block is
+ * AES_BLOCK_SIZE or 16-bytes (128-bits). So each key may only be used to
+ * protect up to 1,048,576 blocks of AES_BLOCK_SIZE (16,777,216 bytes or
+ * 134,217,728-bits) Add helpful printout and message along with BAD_FUNC_ARG
+ * return whenever sz / AES_BLOCK_SIZE > 1,048,576 or equal to that and sz is
+ * not a sequence of complete blocks.
+ */
+
    if (aes->keylen == 0) {
        WOLFSSL_MSG("wc_AesXtsEncrypt called with unset encryption key.");
        return BAD_FUNC_ARG;
@ -12930,6 +12938,14 @@ int wc_AesXtsDecrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
    aes = &xaes->aes;
 #endif

+/* FIPS TODO: SP800-38E - Restrict data unit to 2^20 blocks per key. A block is
+ * AES_BLOCK_SIZE or 16-bytes (128-bits). So each key may only be used to
+ * protect up to 1,048,576 blocks of AES_BLOCK_SIZE (16,777,216 bytes or
+ * 134,217,728-bits) Add helpful printout and message along with BAD_FUNC_ARG
+ * return whenever sz / AES_BLOCK_SIZE > 1,048,576 or equal to that and sz is
+ * not a sequence of complete blocks.
+ */
+
    if (aes->keylen == 0) {
        WOLFSSL_MSG("wc_AesXtsDecrypt called with unset decryption key.");
        return BAD_FUNC_ARG;
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@ -3486,6 +3486,19 @@ extern void uITRON4_free(void *p) ;
    #endif
 #endif

+/* if configure.ac turned on, HAVE_ENTROPY_MEMUSE will be set */
+#ifdef HAVE_ENTROPY_MEMUSE
+    #ifndef HAVE_WOLFENTROPY
+        #define HAVE_WOLFENTROPY
+    #endif
+#elif defined(HAVE_WOLFENTROPY)
+    /* else if user_settings.h only defined HAVE_WOLFENTROPY
+     * also define HAVE_ENTROPY_MEMUSE */
+    #ifndef HAVE_ENTROPY_MEMUSE
+        #define HAVE_ENTROPY_MEMUSE
+    #endif
+#endif /* HAVE_ENTROPY_MEMUSE */
+
 #ifdef __cplusplus
    }   /* extern "C" */
 #endif