From 575ac48664bcbb22c258a57be22a587e821e8b47 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Tue, 14 Apr 2026 23:08:59 -0500 Subject: [PATCH] wolfssl/wolfcrypt/aes.h and wolfssl/wolfcrypt/cmac.h: fix circular dependency mitigation for struct AesEax more robustly. --- wolfssl/wolfcrypt/aes.h | 39 ++++++++++++++++++++++++--------------- wolfssl/wolfcrypt/cmac.h | 7 ++++++- 2 files changed, 30 insertions(+), 16 deletions(-) diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index d1ab4baf52..c64f8b658e 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -821,22 +821,11 @@ WOLFSSL_LOCAL int wc_local_CmacUpdateAes(struct Cmac *cmac, const byte* in, #ifdef WOLFSSL_AES_EAX -/* Because of the circular dependency between AES and CMAC, we need to prevent - * inclusion of AES EAX from CMAC to avoid a recursive inclusion */ -#ifndef WOLF_CRYPT_CMAC_H -#include -struct AesEax { - Aes aes; - Cmac nonceCmac; - Cmac aadCmac; - Cmac ciphertextCmac; - byte nonceCmacFinal[WC_AES_BLOCK_SIZE]; - byte aadCmacFinal[WC_AES_BLOCK_SIZE]; - byte ciphertextCmacFinal[WC_AES_BLOCK_SIZE]; - byte prefixBuf[WC_AES_BLOCK_SIZE]; -}; -#endif /* !defined(WOLF_CRYPT_CMAC_H) */ +/* Note that struct AesEax is defined at the end of this file, to work around + * circular dependency between AES and CMAC. + */ +struct AesEax; typedef struct AesEax AesEax; /* One-shot API */ 
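Review bot: The new comment in the first aes.h hunk says struct AesEax is defined at the end of the file, but the tail block added later in this patch skips that definition whenever `WC_AES_INCLUDE_FOR_CMAC_H` is set, so the type can still be incomplete after this header has been processed. I would add a line to the comment such as ` * It stays incomplete while aes.h is being pulled in by cmac.h; include aes.h directly before using sizeof(AesEax) or declaring one by value.` An incomplete type fails at compile time rather than silently, but the hint spares callers that allocate the EAX context themselves a confusing diagnostic.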
@@ -1120,3 +1109,23 @@ WOLFSSL_LOCAL void AES_XTS_decrypt_AARCH32(const byte* in, byte* out, #endif /* NO_AES */ #endif /* WOLF_CRYPT_AES_H */ + +/* Because of the circular dependency between AES and CMAC, we need to define + * struct AesEax here, with careful gating. + */ +#if defined(WOLFSSL_AES_EAX) && !defined(WC_AES_INCLUDE_FOR_CMAC_H) && \ + !defined(WC_AESEAX_STRUCT_DEFINED) +#include +struct AesEax { + Aes aes; + Cmac nonceCmac; + Cmac aadCmac; + Cmac ciphertextCmac; + byte nonceCmacFinal[WC_AES_BLOCK_SIZE]; + byte aadCmacFinal[WC_AES_BLOCK_SIZE]; + byte ciphertextCmacFinal[WC_AES_BLOCK_SIZE]; + byte prefixBuf[WC_AES_BLOCK_SIZE]; +}; +#define WC_AESEAX_STRUCT_DEFINED +#endif /* WOLFSSL_AES_EAX && !WC_AES_INCLUDE_FOR_CMAC_H && */ + /* !WC_AESEAX_STRUCT_DEFINED */ diff --git a/wolfssl/wolfcrypt/cmac.h b/wolfssl/wolfcrypt/cmac.h index e64ab322b1..13998f6f06 100644 --- a/wolfssl/wolfcrypt/cmac.h +++ b/wolfssl/wolfcrypt/cmac.h @@ -28,7 +28,12 @@ #ifdef WOLFSSL_CMAC #ifndef NO_AES -#include + /* Inhibit definition of struct AesEax, with its circular dependency on the + * below definition of struct Cmac. + */ + #define WC_AES_INCLUDE_FOR_CMAC_H + #include + #undef WC_AES_INCLUDE_FOR_CMAC_H #endif #if defined(HAVE_FIPS) && \
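Review bot: The relocated definition of struct AesEax in the second aes.h hunk now sits after `#endif /* NO_AES */` and after the include guard, so it is compiled whenever `WOLFSSL_AES_EAX` is defined, even if `Aes` was never declared; the removed copy appears to have been inside the NO_AES region. Unless the configuration headers already reject EAX without AES, adding the check to the condition keeps the old behaviour, e.g. `#if !defined(NO_AES) && defined(WOLFSSL_AES_EAX) && !defined(WC_AES_INCLUDE_FOR_CMAC_H) && \`. Because the block is deliberately re-evaluated on every inclusion, the comment above it should also state that it is intentionally outside the include guard, so a later cleanup does not move it back inside.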