Fix for FIPS 140-2 and older ACVP math selection. Fix for building with "--disable-sp-math-all --disable-fastmath". Fix for building SAKKE with HAVE_WOLF_BIGINT.

David Garske
2022-06-23 09:45:13 -07:00
parent ee12c12e98
commit 78d3284c3c
4 changed files with 20 additions and 12 deletions


@@ -5839,7 +5839,7 @@ AC_ARG_ENABLE([heapmath],
[ ENABLED_HEAPMATH=$enableval ],
[ ENABLED_HEAPMATH=no]
)
if test "x$ENABLED_HEAPMATH" = "xyes"
if test "x$ENABLED_HEAPMATH" = "xyes" || (test "x$ENABLED_SP_MATH_ALL" = "xno" && test "x$ENABLED_FASTMATH" = "xno")
then
AM_CFLAGS="$AM_CFLAGS -DUSE_INTEGER_HEAP_MATH"
ENABLED_HEAPMATH=yes
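Review bot: The new fallback on the `if test` line enables heap math implicitly and sets `ENABLED_HEAPMATH=yes` without any message, so a build configured with both `--disable-sp-math-all` and `--disable-fastmath` changes big-integer backend silently. The backend can affect the timing behaviour of private-key operations, so I would add `AC_MSG_NOTICE([no SP math or fastmath selected; falling back to heap math (integer.c)])` inside the `then` branch to make the choice visible in the configure log. The condition also relies on `ENABLED_SP_MATH_ALL` and `ENABLED_FASTMATH` already holding their final values at this point, which the hunk does not show; a one-line comment stating that ordering requirement would help. The `then` block continues outside the hunk.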


@@ -361,8 +361,7 @@ int wc_mp_to_bigint_sz(mp_int* src, WC_BIGINT* dst, word32 sz)
/* make sure destination is allocated and large enough */
err = wc_bigint_alloc(dst, sz);
if (err == MP_OKAY) {
if (err == MP_OKAY && sz > 0) {
/* leading zero pad */
y = sz - x;
XMEMSET(dst->buf, 0, y);
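Review bot: The added `sz > 0` guard on the `if (err == MP_OKAY ...)` line carries no comment saying why a zero size must skip the pad-and-export path, and the pad length `y = sz - x` just below still depends on `sz >= x` being established before the hunk. I would put `/* sz == 0: nothing to export and dst->buf may not be allocated; skip memset/export */` above the condition; presumably that is the case being fixed, to be confirmed against wc_bigint_alloc. If `x` and `sz` are unsigned and nothing earlier in wc_mp_to_bigint_sz guarantees `sz >= x`, the subtraction would wrap and the XMEMSET would write far past `dst->buf`, so a short note on that invariant next to `y = sz - x;` is worth having. The function body starts and ends outside the hunk.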


@@ -30392,7 +30392,7 @@ static int sakke_api_test(WC_RNG* rng, SakkeKey* key, ecc_point* rsk)
static int sakke_kat_derive_test(SakkeKey* key, ecc_point* rsk)
{
static const byte pubData[] = {
WOLFSSL_SMALL_STACK_STATIC const byte pubData[] = {
0x59, 0x58, 0xEF, 0x1B, 0x16, 0x79, 0xBF, 0x09,
0x9B, 0x3A, 0x03, 0x0D, 0xF2, 0x55, 0xAA, 0x6A,
0x23, 0xC1, 0xD8, 0xF1, 0x43, 0xD4, 0xD2, 0x3F,
@@ -30426,7 +30426,7 @@ static int sakke_kat_derive_test(SakkeKey* key, ecc_point* rsk)
0xB5, 0x8B, 0x7C, 0xC7, 0x96, 0xE2, 0x4E, 0x9A,
0x39, 0x40, 0x95, 0x75, 0x4F, 0x5F, 0x8B, 0xAE
};
static const byte rskData[] = {
WOLFSSL_SMALL_STACK_STATIC const byte rskData[] = {
0x93, 0xAF, 0x67, 0xE5, 0x00, 0x7B, 0xA6, 0xE6,
0xA8, 0x0D, 0xA7, 0x93, 0xDA, 0x30, 0x0F, 0xA4,
0xB5, 0x2D, 0x0A, 0x74, 0xE2, 0x5E, 0x6E, 0x7B,
@@ -30461,17 +30461,17 @@ static int sakke_kat_derive_test(SakkeKey* key, ecc_point* rsk)
0x33, 0x21, 0x51, 0x23, 0x5D, 0xEC, 0xB0, 0xF5
};
static const byte id[] = {
WOLFSSL_SMALL_STACK_STATIC const byte id[] = {
0x32, 0x30, 0x31, 0x31, 0x2D, 0x30, 0x32, 0x00,
0x74, 0x65, 0x6C, 0x3A, 0x2B, 0x34, 0x34, 0x37,
0x37, 0x30, 0x30, 0x39, 0x30, 0x30, 0x31, 0x32,
0x33, 0x00
};
static const byte ssv[] = {
WOLFSSL_SMALL_STACK_STATIC const byte ssv[] = {
0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0,
0x12, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0
};
static const byte auth[] = {
WOLFSSL_SMALL_STACK_STATIC const byte auth[] = {
0x04,
0x44, 0xE8, 0xAD, 0x44, 0xAB, 0x85, 0x92, 0xA6,
0xA5, 0xA3, 0xDD, 0xCA, 0x5C, 0xF8, 0x96, 0xC7,
@@ -30506,7 +30506,7 @@ static int sakke_kat_derive_test(SakkeKey* key, ecc_point* rsk)
0xC5, 0xE2, 0x75, 0x74, 0xB0, 0x77, 0x39, 0xB3,
0x4B, 0xE7, 0x4A, 0x53, 0x2F, 0x74, 0x7B, 0x86
};
byte encSsv[] = {
WOLFSSL_SMALL_STACK_STATIC const byte encSsv[] = {
0x89, 0xE0, 0xBC, 0x66, 0x1A, 0xA1, 0xE9, 0x16,
0x38, 0xE6, 0xAC, 0xC8, 0x4E, 0x49, 0x65, 0x07
};
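Review bot: `encSsv` was the only array in sakke_kat_derive_test declared as a plain writable local, and the last changed declaration makes it `WOLFSSL_SMALL_STACK_STATIC const`. If the code after the hunk hands it to a routine that decrypts the SSV in place, that becomes a write through a const object, and where the macro expands to `static` the buffer would no longer be reset between calls. The use of `encSsv` lies outside the hunk, so this needs checking against the derive call; if it is written to, keep the declaration as `byte encSsv[] = {` or copy the constant into a local buffer before the call. The other five arrays were already `static const`, so for them only the storage macro changes.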


@@ -1886,8 +1886,9 @@ extern void uITRON4_free(void *p) ;
/* ---------------------------------------------------------------------------
* Math Library Selection (in order of preference)
* ---------------------------------------------------------------------------*/
/* Only evaluate this if it is A) not fips or B) only 140-3 FIPS
* (v5 or greater) */
/* Only evaluate this if:
* A) Not fips
* B) FIPS 140-3 (v5 or greater) */
#if !defined(HAVE_FIPS_VERSION) || \
(defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 5))
/* 1) SP Math: wolfSSL proprietary math implementation (sp_int.c).
@@ -1911,7 +1912,15 @@ extern void uITRON4_free(void *p) ;
#elif defined(USE_FAST_MATH)
/* 2) Using fast math (tfm.c) - USE_FAST_MATH */
#else
/* 3) Using heap based (integer.c) math - USE_INTEGER_HEAP_MATH */
/* 3) Using heap math (integer.c) - USE_INTEGER_HEAP_MATH */
#endif
#else
/* FIPS 140-2 or older */
/* Default to fast math (tfm.c), but allow heap math (integer.c) */
#if !defined(USE_INTEGER_HEAP_MATH)
#undef USE_FAST_MATH
#define USE_FAST_MATH
#define FP_MAX_BITS 8192
#endif
#endif
/*----------------------------------------------------------------------------*/
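Review bot: The new FIPS 140-2 branch defines `FP_MAX_BITS 8192` unconditionally, whereas `USE_FAST_MATH` on the lines just above is protected by an `#undef`. A build that already sets `FP_MAX_BITS` in its user settings or on the compiler command line gets a redefinition diagnostic and has its value overridden. Since this constant sizes the fixed-width fastmath integers, replacing a larger user value could make operations on big keys fail rather than merely warn. I would guard it as `#ifndef FP_MAX_BITS` / `#define FP_MAX_BITS 8192` / `#endif`, and add a short comment on why 8192 is the default for this branch.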