Merge pull request #4847 from douzzer/20220209_clang-Os

fixes for clang -Os on clang >= 12.0.0

configure.ac

@@ -7354,7 +7354,7 @@ then
                 AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_HUGE_CFLAGS"
             fi
         else
-            if test "$ENABLED_SP" = "yes" && test "$ENABLED_SP_SMALL" = "no"
+            if (test "$ENABLED_SP" = "yes" || test "$ENABLED_SP_MATH_ALL" = "yes") && test "$ENABLED_SP_SMALL" = "no"
             then
                 AM_CFLAGS="$AM_CFLAGS $OPTIMIZE_FAST_CFLAGS"
                 if test "$ENABLED_FASTHUGEMATH" = "yes"

fips-check.sh

@@ -184,6 +184,7 @@ linuxv2)
   FIPS_SRCS+=( wolfcrypt_first.c wolfcrypt_last.c )
   FIPS_INCS=( fips.h )
   FIPS_OPTION=v2
+  COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm )
   ;;
 netbsd-selftest)
   FIPS_VERSION=$NETBSD_FIPS_VERSION
@@ -234,6 +235,7 @@ linuxv5)
   FIPS_INCS=( fips.h )
   FIPS_OPTION="v5-RC12"
   COPY_DIRECT=( wolfcrypt/src/aes_asm.S wolfcrypt/src/aes_asm.asm
+                wolfcrypt/src/aes_gcm_asm.S
                 wolfcrypt/src/sha256_asm.S wolfcrypt/src/sha512_asm.S )
   ;;
 linuxv5-ready|fips-ready|fips-v5-ready)
@@ -372,17 +374,17 @@ esac
 # clone the FIPS repository
 case "$FIPS_OPTION" in
     *dev)
-	if ! $GIT clone --depth 1 "$FIPS_REPO" fips; then
+        if ! $GIT clone --depth 1 "$FIPS_REPO" fips; then
             echo "fips-check: Couldn't check out the FIPS repository for fips-dev."
             exit 1
-	fi
-	;;
+        fi
+        ;;
     *)
-	if ! $GIT clone --depth 1 -b "$FIPS_VERSION" "$FIPS_REPO" fips; then
+        if ! $GIT clone --depth 1 -b "$FIPS_VERSION" "$FIPS_REPO" fips; then
             echo "fips-check: Couldn't check out ${FIPS_VERSION} from repository ${FIPS_REPO}."
             exit 1
-	fi
-	;;
+        fi
+        ;;
 esac
 
 for SRC in "${FIPS_SRCS[@]}"

scripts/ocsp.test

@@ -26,11 +26,15 @@ OUTPUT=$(eval "./examples/client/client -S check")
 if [ "$OUTPUT" = "SNI is: ON" ]; then
     printf '\n\n%s\n\n' "SNI is on, proceed with globalsign test"
 
-    # is our desired server there?
-    "${SCRIPT_DIR}/ping.test" $server 2
-    RESULT=$?
-    if [ $RESULT -ne 0 ]; then
-        GL_UNREACHABLE=1
+    if [ "$AM_BWRAPPED" != "yes" ]; then
+	# is our desired server there?
+	"${SCRIPT_DIR}/ping.test" $server 2
+	RESULT=$?
+	if [ $RESULT -ne 0 ]; then
+            GL_UNREACHABLE=1
+	fi
+    else
+	RESULT=0
     fi
 
     if [ $RESULT -eq 0 ]; then
@@ -50,9 +54,14 @@ fi
 server=www.google.com
 ca=${SCRIPT_DIR}/../certs/external/ca-google-root.pem
 
-# is our desired server there?
-${SCRIPT_DIR}/ping.test $server 2
-RESULT=$?
+if [ "$AM_BWRAPPED" != "yes" ]; then
+    # is our desired server there?
+    ${SCRIPT_DIR}/ping.test $server 2
+    RESULT=$?
+else
+    RESULT=0
+fi
+
 if [ $RESULT -eq 0 ]; then
     # client test against the server
     echo "./examples/client/client -X -C -h $server -p 443 -A "$ca" -g -o -N"

scripts/unit.test.in

@@ -1,8 +1,12 @@
 #!/bin/sh
 
-bwrap_path="$(command -v bwrap)"
-if [ -n "$bwrap_path" ]; then
-    exec "$bwrap_path" --unshare-net --dev-bind / / "@builddir@/tests/unit.test" "$@"
+if [ "${AM_BWRAPPED-}" != "yes" ]; then
+    bwrap_path="$(command -v bwrap)"
+    if [ -n "$bwrap_path" ]; then
+	exec "$bwrap_path" --unshare-net --dev-bind / / "@builddir@/tests/unit.test" "$@"
+    else
+	exec "@builddir@/tests/unit.test" "$@"
+    fi
 else
-    exec "@builddir@/tests/unit.test" "$@"
+	exec "@builddir@/tests/unit.test" "$@"
 fi

testsuite/testsuite.c

@@ -104,19 +104,34 @@ int testsuite_test(int argc, char** argv)
     THREAD_TYPE serverThread;
 
 #ifndef USE_WINDOWS_API
-    char tempName[] = "/tmp/output-XXXXXX";
-    int len = 18;
-    int num = 6;
+    const char *tempDir = NULL;
+    char tempName[128];
+    int tempName_len;
+    int tempName_Xnum;
 #else
     char tempName[] = "fnXXXXXX";
-    int len = 8;
-    int num = 6;
+    const int tempName_len = 8;
+    const int tempName_Xnum = 6;
 #endif
 #ifdef HAVE_STACK_SIZE
     void *serverThreadStackContext = NULL;
 #endif
     int ret;
 
+#ifndef USE_WINDOWS_API
+#ifdef XGETENV
+    tempDir = XGETENV("TMPDIR");
+    if (tempDir == NULL)
+#endif
+    {
+        tempDir = "/tmp";
+    }
+    XSTRLCPY(tempName, tempDir, sizeof(tempName));
+    XSTRLCAT(tempName, "/testsuite-output-XXXXXX", sizeof(tempName));
+    tempName_len = (int)XSTRLEN(tempName);
+    tempName_Xnum = 6;
+#endif /* !USE_WINDOWS_API */
+
 #ifdef HAVE_WNR
     if (wc_InitNetRandom(wnrConfig, NULL, 5000) != 0) {
         err_sys("Whitewood netRandom global config failed");
@@ -172,7 +187,7 @@ int testsuite_test(int argc, char** argv)
     #endif
 
     /* Create unique file name */
-    outputName = mymktemp(tempName, len, num);
+    outputName = mymktemp(tempName, tempName_len, tempName_Xnum);
     if (outputName == NULL) {
         printf("Could not create unique file name");
         return EXIT_FAILURE;
@@ -241,7 +256,7 @@ static int test_tls(func_args* server_args)
 {
     func_args echo_args;
     char* myArgv[NUMARGS];
-    char arg[3][32];
+    char arg[3][128];
 
     /* Set up command line arguments for echoclient to send input file
      * and write echoed data to temporary output file. */

wolfcrypt/src/blake2b.c

@@ -120,10 +120,13 @@ int blake2b_init_param( blake2b_state *S, const blake2b_param *P )
 }
 
 
-
 int blake2b_init( blake2b_state *S, const byte outlen )
 {
+#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
   blake2b_param P[1];
+#else
+  volatile blake2b_param P[1];
+#endif
 
   if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG;
 
@@ -140,12 +143,12 @@ int blake2b_init( blake2b_state *S, const byte outlen )
   XMEMSET( P->salt,     0, sizeof( P->salt ) );
   XMEMSET( P->personal, 0, sizeof( P->personal ) );
 #else
-  XMEMSET( P, 0, sizeof( *P ) );
+  XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) );
   P->digest_length = outlen;
   P->fanout        = 1;
   P->depth         = 1;
 #endif
-  return blake2b_init_param( S, P );
+  return blake2b_init_param( S, (blake2b_param *)P );
 }
 
 
@@ -153,7 +156,11 @@ int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key,
                       const byte keylen )
 {
   int ret = 0;
+#ifdef WOLFSSL_BLAKE2B_INIT_EACH_FIELD
   blake2b_param P[1];
+#else
+  volatile blake2b_param P[1];
+#endif
 
   if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return BAD_FUNC_ARG;
 
@@ -172,14 +179,14 @@ int blake2b_init_key( blake2b_state *S, const byte outlen, const void *key,
   XMEMSET( P->salt,     0, sizeof( P->salt ) );
   XMEMSET( P->personal, 0, sizeof( P->personal ) );
 #else
-  XMEMSET( P, 0, sizeof( *P ) );
+  XMEMSET( (blake2b_param *)P, 0, sizeof( *P ) );
   P->digest_length = outlen;
   P->key_length    = keylen;
   P->fanout        = 1;
   P->depth         = 1;
 #endif
 
-  ret = blake2b_init_param( S, P );
+  ret = blake2b_init_param( S, (blake2b_param *)P );
   if ( ret < 0 ) return ret;
 
   {

wolfcrypt/src/blake2s.c

@@ -119,7 +119,11 @@ int blake2s_init_param( blake2s_state *S, const blake2s_param *P )
 
 int blake2s_init( blake2s_state *S, const byte outlen )
 {
+#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
   blake2s_param P[1];
+#else
+  volatile blake2s_param P[1];
+#endif
 
   if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return BAD_FUNC_ARG;
 
@@ -132,16 +136,15 @@ int blake2s_init( blake2s_state *S, const byte outlen )
   store32( &P->node_offset, 0 );
   P->node_depth    = 0;
   P->inner_length  = 0;
-  XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
   XMEMSET( P->salt,     0, sizeof( P->salt ) );
   XMEMSET( P->personal, 0, sizeof( P->personal ) );
 #else
-  XMEMSET( P, 0, sizeof( *P ) );
+  XMEMSET( (blake2s_param *)P, 0, sizeof( *P ) );
   P->digest_length = outlen;
   P->fanout        = 1;
   P->depth         = 1;
 #endif
-  return blake2s_init_param( S, P );
+  return blake2s_init_param( S, (blake2s_param *)P );
 }
 
 
@@ -149,7 +152,11 @@ int blake2s_init_key( blake2s_state *S, const byte outlen, const void *key,
                       const byte keylen )
 {
   int ret = 0;
+#ifdef WOLFSSL_BLAKE2S_INIT_EACH_FIELD
   blake2s_param P[1];
+#else
+  volatile blake2s_param P[1];
+#endif
 
   if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return BAD_FUNC_ARG;
 
@@ -164,18 +171,17 @@ int blake2s_init_key( blake2s_state *S, const byte outlen, const void *key,
   store64( &P->node_offset, 0 );
   P->node_depth    = 0;
   P->inner_length  = 0;
-  XMEMSET( P->reserved, 0, sizeof( P->reserved ) );
   XMEMSET( P->salt,     0, sizeof( P->salt ) );
   XMEMSET( P->personal, 0, sizeof( P->personal ) );
 #else
-  XMEMSET( P, 0, sizeof( *P ) );
+  XMEMSET( (blake2s_param *)P, 0, sizeof( *P ) );
   P->digest_length = outlen;
   P->key_length    = keylen;
   P->fanout        = 1;
   P->depth         = 1;
 #endif
 
-  ret = blake2s_init_param( S, P );
+  ret = blake2s_init_param( S, (blake2s_param *)P );
   if (ret < 0)
       return ret;
 

wolfcrypt/src/sp_int.c

@@ -93,6 +93,12 @@ This library provides single precision (SP) integer math functions.
  * WOLFSSL_SP_FAST_MODEXP       Allow fast mod_exp with small C code
  */
 
+/* TODO: WOLFSSL_SP_SMALL is incompatible with clang-12+ -Os. */
+#if defined(__clang__) && defined(__clang_major__) && \
+    (__clang_major__ >= 12) && defined(WOLFSSL_SP_SMALL)
+    #undef WOLFSSL_SP_SMALL
+#endif
+
 #include <wolfssl/wolfcrypt/sp_int.h>
 
 /* DECL_SP_INT: Declare one variable of type 'sp_int'. */

wolfcrypt/test/test.c

@@ -23871,6 +23871,12 @@ done:
 #if defined(HAVE_ECC_ENCRYPT) && defined(HAVE_AES_CBC) && \
     (defined(WOLFSSL_AES_128) || defined(WOLFSSL_AES_256))
 
+/* ecc_encrypt_e2e_test() uses wc_ecc_ctx_set_algo(), which was added in
+ * wolfFIPS 5.3.
+ * ecc_encrypt_kat() is used only by ecc_encrypt_e2e_test().
+ */
+#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))
+
 #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && \
     ECC_MIN_KEY_SZ <= 256 && defined(WOLFSSL_AES_128)
 static int ecc_encrypt_kat(WC_RNG *rng)
@@ -24343,6 +24349,8 @@ done:
     return ret;
 }
 
+#endif /* !HAVE_FIPS || FIPS_VERSION_GE(5,3) */
+
 WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void)
 {
     WC_RNG  rng;
@@ -24412,6 +24420,8 @@ WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void)
     }
 #endif
 
+#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))
+
 #if !defined(NO_AES) && defined(HAVE_AES_CBC)
 #ifdef WOLFSSL_AES_128
     if (ret == 0) {
@@ -24453,6 +24463,8 @@ WOLFSSL_TEST_SUBROUTINE int ecc_encrypt_test(void)
 #endif
 #endif
 
+#endif /* !HAVE_FIPS || FIPS_VERSION_GE(5,3) */
+
 done:
 #ifdef WOLFSSL_SMALL_STACK
     if (userA != NULL) {

wolfssl/wolfcrypt/blake2-int.h

@@ -73,7 +73,7 @@
     byte  node_depth;    /* 15 */
     byte  inner_length;  /* 16 */
     /* byte  reserved[0]; */
-    byte  salt[BLAKE2B_SALTBYTES]; /* 24 */
+    byte  salt[BLAKE2S_SALTBYTES]; /* 24 */
     byte  personal[BLAKE2S_PERSONALBYTES];  /* 32 */
   } blake2s_param;
 

wolfssl/wolfcrypt/types.h

@@ -761,13 +761,12 @@ decouple library dependencies with standard string, memory and so on.
         #define XSTRLCAT(s1,s2,n) wc_strlcat((s1),(s2),(n))
     #endif
 
-    #if !defined(NO_FILESYSTEM) && defined(OPENSSL_EXTRA) && \
-        !defined(NO_STDIO_FILESYSTEM)
+    #if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM)
         #ifndef XGETENV
             #include <stdlib.h>
             #define XGETENV getenv
         #endif
-    #endif /* OPENSSL_EXTRA */
+    #endif /* !NO_FILESYSTEM && !NO_STDIO_FILESYSTEM */
 
         #ifndef CTYPE_USER
             #ifndef WOLFSSL_LINUXKM