Commit Graph

179 Commits

Author SHA1 Message Date
Daniel Pouzzner 323027d1d2 Merge pull request #10820 from lealem47/dh_min_sz
FIPS: Default to 2048 bit min DH crypto
2026-07-01 14:40:04 -05:00
Lealem Amedie 277bd66624 FIPS: Default to 2048 bit min DH crypto 2026-07-01 08:26:23 -06:00
Kaleb Himes 6dae0c9dd4 Merge pull request #10818 from dgarske/dh_checkprivkey_prime
DH: honor explicit prime in wc_DhCheckPrivKey_ex (Fenrir F5317)
2026-07-01 05:34:47 -06:00
David Garske 5fa08e767b DH: honor explicit prime in wc_DhCheckPrivKey_ex (Fenrir F5317) 2026-06-30 07:49:00 -07:00
Daniel Pouzzner 6d21d600f6 in all FIPS-relevant C sources, add a "#define _WC_BUILDING_foo" first (where foo is a stylization of the filename), before including libwolfssl_sources.h, to allow future file-specific suppressions or other settings without altering FIPS sources. 2026-06-27 14:06:52 -05:00
jordan c78fb5f41b dh: fix subgroup check in wc_DhAgree. 2026-06-10 01:28:12 -05:00
Daniel Pouzzner 3121c55e4e linuxkm on x86: global refactor across PK implementations of sp-asm vector register preservation, including removal of all residual can't-fail vector paths in PK algs.
wolfcrypt/src/sp_x86_64.c:

* fix ASSERT_SAVED_VECTOR_REGISTERS() in C wrappers: add where missing for implementations that use AVX2, and remove frivolous checks for ones that don't.

* refactor vector save-restore with a single locally tracked save in sp_RsaPublic_#(), sp_RsaPrivate_#(), sp_ecc_mulmod_add_#(), sp_ecc_mulmod_base_add_#(), sp_ecc_make_key_#(), and sp_#_calc_s_#().

* fix feature test in sp_ModExp_Fp_star_1024(), sp_Pairing_1024(), and sp_Pairing_gen_precomp_1024(), to properly gate on IS_INTEL_AVX2(cpuid_flags) and SAVE_VECTOR_REGISTERS2() == 0.

wolfcrypt/src/{dh.c,dsa.c,ecc.c,eccsi.c,rsa.c,sp_int.c}:

* remove all vector register provisions (SAVE_VECTOR_REGISTERS(), RESTORE_VECTOR_REGISTERS(), ASSERT_SAVED_VECTOR_REGISTERS());

* add explicit WC_CHECK_FOR_INTR_SIGNALS() and WC_RELAX_LONG_LOOP() to the lengthy loops in wc_DhGenerateParams(), wc_MakeDsaParameters(), ecc_sign_hash_sw(), and wc_MakeRsaKey().

wolfssl/wolfcrypt/{error-crypt.h,logging.h,memory.h}:

* make wc_backtrace_render() and wc_backtrace_set_fp() available whenever defined(WOLFSSL_DEBUG_BACKTRACE_ERROR_CODES);

* add support for DEBUG_VECTOR_REGISTERS_BACKTRACE_ON_FAIL, activating backtraces on vector register errors.

* also improve the debugging format from the DEBUG_VECTOR_REGISTER_ACCESS variants of SAVE_VECTOR_REGISTERS() and friends.

linuxkm/lkcapi_{dh,ecdh,ecdsa,rsa}_glue.c: harmonize PK driver names with AES, SHA, and DRBG, notably adding AVX2 annotation when enabled.

wolfcrypt/src/{sp_x86_64_asm.S,sp_x86_64_asm.asm}: synchronize with wolfssl/scripts#581 (removes SSE2 implementations of sp_#_get_from_table_#(), which no longer have users).
2026-05-30 15:11:15 -05:00
Eric Blankenhorn dc6db15b19 Check params to GeneratePrivateDh186 2026-05-13 17:00:13 -05:00
David Garske d465d8b130 Add RSA/DH SP non-blocking support for C/Small 2048/3072/4096 2026-05-08 10:36:28 -07:00
kaleb-himes 08fd7bde58 PQ FIPS v7.0.0 Phase 2 & 3: All changes
Implement peer review feedback
2026-04-24 06:52:49 -06:00
Tobias Frauenschläger 50f28d907e fix for wc_DhAgree public key validation
Reported by: Nicholas Carlini <npc@anthropic.com>
2026-04-05 11:32:53 +02:00
Daniel Pouzzner 52d5d0a940 linuxkm/, wolfcrypt/src/dh.c, wolfcrypt/test/test.c, wolfcrypt/test/test.h, wolfssl/wolfcrypt/wc_port.h:
fixes and workarounds for clang-tidy complaints:
  * clang-diagnostic-unknown-warning-option
  * bugprone-sizeof-expression
  * clang-diagnostic-error "address argument to atomic operation must be a pointer to a trivially-copyable type"
  * bugprone-macro-parentheses
  * clang-diagnostic-unused-but-set-variable
  * readability-redundant-declaration
2026-03-26 15:41:47 -05:00
Sean Parkinson f15199906d SP int: fixes from AI review
Re-implemented wc_PKCS12_PBKDF() to not use MP. Added tests to
unit.test.

sp_int.c:
  Fixes to comments.
  Added more define build options documentation to top of file.
  Fixes for builds with WOLFSSL_SP_INT_NEGATIVE defined.
Fixes for when a->used is 0 and no underflow - not actually a problem
but cleaner code.
  sp_sub has different checks on a->used when values are only positive.
  sp_dic_2d  missing check for e less than zero.
sp_to_unsigned_bin_len_ct: remove redundant check of outSz. Change i
to int to handle a->used of 0 and make code tidier.

Configuration testing fixes.
Fix formatting in test.c.
Added 128-bit types word128 and sword128 for cleaner PKCS#12 code.
2026-03-24 10:49:58 +10:00
Juliusz Sosinowicz e4b55be65a Use mp_forcezero for DH private key in async path
F-766
2026-03-16 15:15:11 -07:00
Eric Blankenhorn 203cce48ef f287 harden wc_DhImportKeyPair 2026-03-05 15:44:12 -06:00
Eric Blankenhorn 296493acf0 f283 harden GeneratePrivateDh186 2026-03-05 15:43:10 -06:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
Josh Holtrop c61ac22e89 Rust wrapper: enable conditional compilation based on C library build options 2025-11-14 10:44:25 -05:00
Daniel Pouzzner 477d7fae54 remove WOLFSSL_DH_GEN_PUB, WOLFSSL_NO_DH_GEN_PUB, and WOLFSSL_DH_EXTRA gating re wc_DhGeneratePublic(), consistent with recent FIPS changes. 2025-10-01 09:38:27 -05:00
Daniel Pouzzner 234ba7780a Merge pull request #9148 from SparkiDev/ct_volatile
Mark variables as volatile
2025-09-30 20:35:52 -05:00
Daniel Pouzzner 7ea66aeffe refactor WOLFSSL_LINUXKM gates as generic WOLFSSL_KERNEL_MODE gates where appropriate:
rename WOLFSSL_LINUXKM_USE_SAVE_VECTOR_REGISTERS to WOLFSSL_USE_SAVE_VECTOR_REGISTERS, and wherever appropriate, replace defined(WOLFSSL_LINUXKM) with defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS).

rename WC_WANT_FLAG_DONT_USE_AESNI to WC_WANT_FLAG_DONT_USE_VECTOR_OPS.

rename lkm_printf() to wc_km_printf().

replace WOLFSSL_LINUXKM gates on kernel-incompatible includes with header-specific gates NO_STRING_H, NO_STDINT_H, NO_LIMITS_H, NO_CTYPE_H, NO_STDLIB_H

remove low level threading setup section of wolfssl/internal.h, which duplicated existing logic in wc_port.h, except for off-topic WOLFSSL_APACHE_MYNEWT TLS-layer setup, which is preserved, and a defined(__NT__) clause, which is now merged into the existing section in wc_port.h.
2025-09-29 16:59:12 -05:00
Sean Parkinson aa87b35964 Mark variables as volatile
Ensures compiler optimizers don't stop code from being constant time.
2025-09-24 08:47:20 +10:00
Daniel Pouzzner 77dccc0c32 linuxkm:
* add wc_linuxkm_check_for_intr_signals(), wc_linuxkm_relax_long_loop(),
  WC_CHECK_FOR_INTR_SIGNALS(), WC_RELAX_LONG_LOOP(), SAVE_NO_VECTOR_REGISTERS(),
  RESTORE_NO_VECTOR_REGISTERS(), and new error code INTERRUPTED_E ("Process
  interrupted");

* update the no-asm remaps in the PK implementations to use
  SAVE_NO_VECTOR_REGISTERS() and RESTORE_NO_VECTOR_REGISTERS(), so that inner
  loops in them are always covered by the new logic.
2025-07-25 15:56:48 -05:00
David Garske 2db1669713 Merge pull request #8988 from JacobBarthelmeh/visibility
remove WOLFSSL_API in source code when already used in header file
2025-07-24 11:00:55 -07:00
JacobBarthelmeh 01cd91cbea removing more locations of WOLFSSL_API used with function implementations 2025-07-10 16:44:28 -06:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Sean Parkinson f1cb4d579c Regression testing
Fixes to get WOLFSSL_PUBLIC_MP testing passing.
Fix DH constant time agreement:
  - implement constant time encoding to big-endian byte array in TFM
- only force x to be zero for SP math as others implementations ensure
unused words are zero
- exponentiate in constant time to the smallest number of words
possible
- no need to encode into separate buffer anymore as encoding is
constant time and front padded
- make requested_sz be the maximum size for the parameters and check
against agreeSz
- update agreeSz to be the maximum valid size instead of filling all
the buffer which may be many times too big
- fix SP result to front pad when doing constant time
2025-06-26 21:21:05 +10:00
jordan f6f3b0a1ee linuxkm: register dh and ffdhe. 2025-04-25 21:21:26 -05:00
Daniel Pouzzner ed5d8f8e6b update several files in wolfcrypt/src/port/arm to include libwolfssl_sources.h;
update wolfcrypt/src/port/af_alg, wolfcrypt/src/port/devcrypto, and wolfcrypt/src/port/kcapi to include libwolfssl_sources.h;

remove a slew of includes across lib sources made redundant by libwolfssl_sources.h.
2025-04-11 13:57:23 -05:00
Daniel Pouzzner c401f5caf2 move the newly added wolfcrypt/src/wolfssl_sources.h to wolfssl/wolfcrypt/libwolfssl_sources.h, and likewise for wolfssl_sources_asm.h; revert changes to IDE/ project files. 2025-04-04 18:44:12 -05:00
Daniel Pouzzner 217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
Daniel Pouzzner 7cd2fd3617 numerous fixes for memory errors reported by clang-tidy, most of them true positives, unmasked by CPPFLAGS=-DNO_WOLFSSL_MEMORY: clang-analyzer-unix.Malloc, clang-analyzer-core.NullDereference, clang-analyzer-core.uninitialized.Assign, clang-analyzer-core.UndefinedBinaryOperatorResult, and clang-analyzer-optin.portability.UnixAPI (re malloc(0)).
several fixes for defects reported by cppcheck:

wolfcrypt/src/ecc.c: fix for cppcheck oppositeInnerCondition from cppcheck-2.16.0 in _ecc_make_key_ex(), and fixes for related unhandled errors discovered by manual inspection;

wolfcrypt/test/test.c: fix XREALLOC call in memcb_test() to resolve cppcheck-detected memleak.
2025-01-10 14:30:42 -06:00
Daniel Pouzzner 632d1c7ada wolfcrypt/src/wc_xmss_impl.c: fix error-checking comparisons in wc_xmss_bds_state_load() and wc_xmss_bds_state_store(), and remove no-longer-needed suppression in wc_xmss_sign().
.wolfssl_known_macro_extras: remove unneeded WOLFSSL_GAISLER_BCC and WOLFSSL_NO_AES_CFB_1_8.

wolfcrypt/src/dh.c: reformat overlong lines.
2025-01-07 17:37:11 -06:00
Daniel Pouzzner fffafe661a wolfcrypt/src/dh.c: in _DhSetKey(), add short-circuit comparisons to RFC 7919 known-good moduli, preempting overhead from mp_prime_is_prime().
wolfcrypt/test/test.c: in dh_ffdhe_test(), when defined(HAVE_PUBLIC_FFDHE), use wc_DhSetKey_ex() rather than wc_DhSetKey() to exercise the primality check in _DhSetKey().
2025-01-06 14:52:42 -06:00
David Garske 99daac3974 Improvement for SAVE_VECTOR_REGISTERS 2024-11-01 13:57:02 -07:00
Daniel Pouzzner 0d5d05d44d more WOLFSSL_NO_MALLOC fixes:
wolfcrypt/src/dh.c: in wc_DhGenerateParams(), use named constant for buf size, and only XFREE it if !WOLFSSL_NO_MALLOC;

wolfcrypt/src/ecc.c and wolfssl/wolfcrypt/ecc.h: in wc_ecc_new_point_ex(), remove !WOLFSSL_NO_MALLOC gate around XMALLOC(), and if XMALLOC()ed, set ecc_point.isAllocated, then in wc_ecc_del_point_ex, XFREE() iff ecc_point.isAllocated;

wolfcrypt/src/pkcs7.c: in wc_PKCS7_RsaVerify(), when WOLFSSL_NO_MALLOC, jumbo-size the digest buffer to cope with in-place dynamics in RsaUnPad();

wolfcrypt/test/test.c: add !WOLFSSL_NO_MALLOC gates around various XFREE()s of objects that are on the stack in WOLFSSL_NO_MALLOC builds;

wolfssl/wolfcrypt/types.h: add an unconditional include of memory.h (itself guarded against multiple inclusion) to assure availability of WC_DEBUG_CIPHER_LIFECYCLE prototypes/macros.
2024-10-14 14:21:29 -05:00
Daniel Pouzzner 886ebb6ec0 fixes for enable-all-crypto enable-cryptonly WOLFSSL_NO_MALLOC:
wolfcrypt/src//asn.c: add stack buffer codepaths in ParseKeyUsageStr(), SetKeyIdFromPublicKey(), and EncodePolicyOID;

wolfcrypt/src/dh.c: add stack buffer codepath in wc_DhGenerateParams();

wolfcrypt/src/ecc.c: add always-fail codepath to find_hole() to preempt heap allocation attempts;

wolfcrypt/test/test.c: gate out several heap-dependent subtests when defined(WOLFSSL_NO_MALLOC), and add a stack buffer codepath in ed448_test();

wolfssl/wolfcrypt/types.h: harmonize macro definitions of XFREE() to use do { ... } while (0) wrappers to assure syntactic indivisibility.
2024-10-14 14:21:28 -05:00
Daniel Pouzzner 072c5311a5 m4/ax_atomic.m4: fixes for C++ compatibility.
wolfssl/wolfcrypt/wc_port.h: add WOLFSSL_API attribute to wolfSSL_Atomic_Int_Init, wolfSSL_Atomic_Int_FetchAdd, and wolfSSL_Atomic_Int_FetchAdd, and add fallback definitions for them, allowing elimination of SINGLE_THREADED implementations of wolfSSL_Ref*(), and allowing ungated use of wolfSSL_Atomic_* calls in api.c.

wolfcrypt/src/dh.c: in wc_DhAgree_ct(), remove frivolous XMEMSET() and stray semicolon.

wolfcrypt/benchmark/benchmark.c: fix bench_rsaKeyGen() to skip tests of key sizes below RSA_MIN_SIZE, and add 4096 bit benchmark if RSA_MAX_SIZE is big enough.

tests/unit.h:
* adopt definitions of TEST_FAIL, TEST_SUCCESS, and TEST_SKIPPED from unit.c, remap TEST_SKIPPED from -7777 to 3, and add TEST_SUCCESS_NO_MSGS, TEST_SKIPPED_NO_MSGS, EXPECT_DECLS_NO_MSGS(), and EXPECT_FAILURE_CODEPOINT_ID, to support existing and future expected-particular-failure test cases without log noise.
* rename outer gate from CyaSSL_UNIT_H to TESTS_UNIT_H.

tests/api.c:
* use EXPECT_DECLS_NO_MSGS() in test_ssl_memio_setup(), test_ssl_memio_read_write(), and test_wolfSSL_client_server_nofail_memio(), and globally update affected expected error codes to correspond.
* use atomics for {client,server}SessRemCount{Malloc,free} to fix races in SessRemCtxCb() and SessRemSslSetupCb().
2024-09-18 16:25:26 -05:00
Daniel Pouzzner 04c781ad9b wolfcrypt/src/dh.c: in wc_DhAgree_ct(), implement failsafe constant-time key size fixup, to work around sp-math constant-time key clamping.
also fix a -Wunused in src/ssl_load.c:DataToDerBuffer() teased out by configuration permutations.
2024-09-16 17:33:25 -05:00
Daniel Pouzzner 49a680540c add constant time DH key agreement APIs:
* adds wc_DhAgree_ct().
* adds wolfSSL_DH_compute_key_padded(), using wc_DhAgree_ct() if available, with fallback fixup code.
* adds unit test coverage in api.c:test_wolfSSL_DH() for expected-success calls to wolfSSL_DH_compute_key() and wolfSSL_DH_compute_key_padded().
2024-09-09 16:24:07 -05:00
Daniel Pouzzner c81c9be9ce error code fixes:
* fix TLS layer to consistently use WOLFSSL_FATAL_ERROR for error retvals, rather than literal -1.
* add WC_NO_ERR_TRACE() wrapper around LENGTH_ONLY_E (it does not signify an error condition).
* refactor errcode handling for traceability in wolfSSL_DSA_do_sign(), wolfSSL_DH_size(), wolfSSL_EC_KEY_get_conv_form(), wolfSSL_d2i_DSA_SIG(), wolfSSL_DSA_do_sign(), SetDhInternal(), and wolfSSL_EC_KEY_get_conv_form().
2024-09-06 19:33:48 -05:00
Anthony Hu 3cf3f297ba Update to the maxq10xx support 2024-08-06 10:19:09 -07:00
Daniel Pouzzner 367508f498 wolfcrypt/src/asn.c: in EccSpecifiedECDomainDecode(), in calls to DataToHexString(), cast curve->size to word32 to resolve -Wconversion.
wolfcrypt/src/dh.c: in GeneratePrivateDh186(), add explicit suppression of uninitvar for "cBuf" arg that isn't fully initialized.

wolfcrypt/test/test.c: in mp_test_param(), explicitly initialize "buffer" to avoid uninitvar warning.

configure.ac: in FIPS builds, don't include enable_cryptocb in --enable-all or --enable-all-crypto.  (they can still be enabled explicitly in FIPS builds with --enable-cryptocb, but the combination is not currently supported.)
2024-07-22 18:21:36 -05:00
JacobBarthelmeh 31a6a2bf59 update copyright to 2024 2024-07-19 13:15:05 -06:00
JacobBarthelmeh 50a7243486 fix for coverity issue 394670 possible overflow 2024-07-05 11:53:19 -06:00
kaleb-himes e45867bbc3 WIN fips section refactor / wolfEntropy API syntax adjustment 2024-04-09 09:48:33 -06:00
kaleb_himes 81f5ac7f6c SRTP-KDF FS Preview 2024-04-09 09:48:33 -06:00
Daniel Pouzzner 6146485d2a linuxkm/linuxkm_wc_port.h:
* add support for DEBUG_LINUXKM_FORTIFY_OVERLAY to allow KASAN analysis of the overlay without actually enabling CONFIG_FORTIFY_SOURCE (which is buggy in combination with KASAN).
* make SAVE_VECTOR_REGISTERS2 definition conditional on !defined(SAVE_VECTOR_REGISTERS2).

wolfssl/wolfcrypt/memory.h: fix the DEBUG_VECTOR_REGISTER_ACCESS definition for SAVE_VECTOR_REGISTERS to properly omit the on-success bookkeeping code even if the supplied fail_clause doesn't return.

wolfcrypt/src/rsa.c: in wc_MakeRsaKey() primality loop, invoke RESTORE_VECTOR_REGISTERS() SAVE_VECTOR_REGISTERS() to prevent lengthy kernel lockups.

wolfcrypt/src/dh.c: in wc_DhGenerateParams() primality loop, invoke RESTORE_VECTOR_REGISTERS() SAVE_VECTOR_REGISTERS() to prevent lengthy kernel lockups.

wolfcrypt/src/{curve25519.c,dh.c,dsa.c,ecc.c,eccsi.c,rsa.c,sakke.c,sp_int.c}: when WOLFSSL_LINUXKM, force {SAVE,RESTORE}_VECTOR_REGISTERS() to WC_DO_NOTHING if settings gate out applicable asm.
2024-02-09 00:47:23 -06:00
Andras Fekete ad9779cdc1 Explicitly define code with WOLFCRYPT_ASYNC_CRYPT_SW 2023-09-19 13:10:16 -04:00