Commit Graph

94 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 109e765b5b Clear sensitive stack buffers in ed25519 signing
F-764
2026-03-16 15:15:11 -07:00
JacobBarthelmeh a156ed7bc7 update Copyright year 2026-02-18 09:52:21 -07:00
David Garske 84aeeb655f Merge pull request #9580 from SparkiDev/curve25519_smul_improv
Curve25519 improvements
2026-01-07 08:25:41 -08:00
Sean Parkinson 38241227a2 Curve25519 improvements
Add non-constant time implemenations of mod_inv for x64 and Aarch64
assembly.

Generate base point table, with better formatting, for double smul with
a script.
Increase Bi table size to 32 entries for 64-bit asm.
Minor improvements to double smul.

WOLFSSL_CURVE25519_NOT_USE_ED25519 to not use ed25519 base smul in
curve25519 base smul.
2026-01-06 10:24:21 +10:00
Juliusz Sosinowicz dd35f10b57 ed25519: validate presence of keys in export functions 2025-12-19 10:14:26 +01:00
Sean Parkinson f54266c2c6 Curve25519: improved smul
Use the Ed25519 base smul in Curve25519 base mul and covert to
Montogmery curve for a faster implementation.
Only when Ed25519 is compiled in or WOLFSSL_CURVE25519_USE_ED25519 is
defined.
When compiling Intel x64 assembly and Aarch64 assembly, always define
WOLFSSL_CURVE25519_USE_ED25519.
Can't use with blinding - normal C implementation.

Optimized the Curve25519 smul slightly for Intel x64 and Aarch64.
Improved the conditional table lookup on Intel x64 to use AVX2 when
available.
2025-12-17 13:25:36 +10:00
Josh Holtrop 7cbcd0b00d Rust wrapper: add wolfssl::wolfcrypt::ed25519 module 2025-10-31 11:03:15 -04:00
JacobBarthelmeh 629c5b4cf6 updating license from GPLv2 to GPLv3 2025-07-10 16:11:36 -06:00
Daniel Pouzzner c401f5caf2 move the newly added wolfcrypt/src/wolfssl_sources.h to wolfssl/wolfcrypt/libwolfssl_sources.h, and likewise for wolfssl_sources_asm.h; revert changes to IDE/ project files. 2025-04-04 18:44:12 -05:00
Daniel Pouzzner 217440c885 Add wolfcrypt/src/wolfssl_sources.h and wolfcrypt/src/wolfssl_sources_asm.h,
which force on BUILDING_WOLFSSL and do boilerplate includes, and update library
  sources to include them at the top.

  wolfssl_sources.h includes types.h, error-crypt.h, and logging.h, and
  conditionally, config.h.  settings.h and wc_port.h are unconditionally
  included at the top of types.h.

  wolfssl_sources_asm.h includes settings.h, and conditionally, config.h.

Add wolfssl_sources*.h to wolfcrypt/src/include.am, and to several IDE/ project
  files.

Also added a TEST_WOLFSSL_SOURCES_INCLUSION_SEQUENCE clause in
  wolfssl/wolfcrypt/settings.h to allow coverage testing.

In wolfcrypt/src/misc.c, retain existing ad hoc boilerplate includes, and use
  them if WOLFSSL_VIS_FOR_TESTS, otherwise include the new wolfssl_sources.h.

Define WOLFSSL_VIS_FOR_TESTS at top of wolfcrypt/test/test.c.

Also renamed WOLFSSL_NEED_LINUX_CURRENT to WOLFSSL_LINUXKM_NEED_LINUX_CURRENT,
  for clarity.
2025-04-04 16:51:04 -05:00
Andrew Hutchings cb42f18a47 Minor SE050 improvements
Adds two features for SE050:

1. `WOLFSSL_SE050_AUTO_ERASE`. When enabled, this will automatically
   erase a key from the SE050 when `wc_ecc_free()` and friends are
   called.
2. `WOLFSSL_SE050_NO_RSA`. This stops RSA offloading onto the SE050,
   useful for the SE050E which does not have RSA support.
2025-02-11 16:25:06 +00:00
JacobBarthelmeh 2c24291ed5 update copyright date 2025-01-21 09:55:03 -07:00
JacobBarthelmeh 87ae31b48f some additional sanity checks with harden build 2024-12-17 12:47:42 -07:00
JacobBarthelmeh f0f50f1837 add option for additional sanity checks 2024-12-13 14:42:51 -07:00
Daniel Pouzzner 996986d0c1 refactor wc_AesDelete, wc_curve25519_delete, wc_ed25519_delete, wc_HashDelete, and wc_DeleteRsaKey to take two arguments, the first a required pointer to the object, the second an optional pointer to the pointer to be zeroed upon successful deletion, for the benefit of calling from C# without unsafe code.
wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs: update for new calling conventions around wc_AesNew, wc_curve25519_new, wc_ed25519_new, wc_HashNew, and wc_NewRsaKey, and the corresponding delete functions.
2024-10-18 21:13:38 -05:00
Daniel Pouzzner f44d12026a wolfssl/wolfcrypt/{aes.h,curve25519.h,ed25519.h,hash.h,rsa.h}: remove unneeded .isAllocated member from struct definitions, and add int *result_code argument to constructor prototypes;
wolfssl/wolfcrypt/aes.h: add Aes.streamData_sz;

src/tls13.c: fix devId passed to wc_HmacInit() in CreateCookieExt() and TlsCheckCookie();

src/keys.c: in SetKeys(), call wc_HmacInit() on hmacs only if newly allocated;

wolfcrypt/src/aes.c:
* in wc_Gmac(), wc_GmacVerify(), and AesSivCipher(), use wc_AesNew() and wc_AesDelete();
* in wc_AesInit(), zero the object on entry, and remove superseded piecemeal initializations to zero;
* in wc_AesFree(), zero aes->streamData, and zero the entire object as final cleanup;

wolfcrypt/src/curve25519.c: in wc_curve25519_free(), zero the entire object rather than zeroing piecemeal;

wolfcrypt/test/test.c:
* add fallback implementations (for old FIPS) of wc_HashNew(), wc_HashDelete(), wc_curve25519_new(), wc_curve25519_delete(), wc_ed25519_new(), and wc_ed25519_delete();
* update constructor calls throughout for new semantics;
* refactor ed25519_test() for proper cleanup and error encoding.
2024-10-18 17:49:28 -05:00
Daniel Pouzzner 984d16b727 refactor wolfcrypt constructors:
add delete APIs, matching recently added wc_AesNew, wc_curve25519_new, wc_ed25519_new, wc_HashNew, and wc_NewRsaKey:
* wc_AesDelete()
* wc_HashDelete()
* wc_DeleteRsaKey()
* wc_curve25519_delete()
* wc_ed25519_delete()

* remove handling in corresponding preexisting free APIs for recently added .isAllocated member -- this restores preexisting semantics;

* add WC_NO_CONSTRUCTORS gate, and auto-activate it when NO_WOLFSSL_MEMORY && WOLFSSL_NO_MALLOC (unless preempted by XMALLOC_USER or XMALLOC_OVERRIDE);

* exclude recently added .isAllocated members from wolfcrypt structs when defined(WC_NO_CONSTRUCTORS);

* adjust wolfcrypt/test/test.c for consistency with the above, and fix cleanup codes/dynamics in several tests.
2024-10-17 18:48:07 -05:00
Daniel Pouzzner 551eb3f44b wolfcrypt/src/ed25519.c and wolfcrypt/src/hash.c: remove gating around isAllocated XFREE()s in wc_ed25519_free() and wc_HashFree(). 2024-10-14 14:21:28 -05:00
Daniel Pouzzner ee92f38f88 Revert "fix unused variables"
This reverts commit 06195a2e2a.
2024-10-14 14:21:28 -05:00
Daniele Lacamera 06195a2e2a fix unused variables 2024-10-09 14:06:38 +02:00
Daniele Lacamera 43574e2255 Allow building with WOLFSSL_NO_MALLOC again 2024-10-09 13:44:03 +02:00
David Garske 4753e1c32e Use byte for isAllocated bit-field. Cleanup some of the "heap" hint logic. 2024-10-08 10:37:45 -07:00
Aidan Garske e10c943bf3 wolfCrypt CSharp Wrapper:
* Adds RNG, ECC(ECIES and ECDHE), RSA, ED25519/Curve25519, AES-GCM, and Hashing to the CSharp wrapper.
* Adds GitHub action for building the CSharp wrapper solution and running wolfCrypt test and a TLS server/client example.
* Adds "new" API's for wolfCrypt for platforms that cannot tolerate the structs directly.
* Fixes for several scan-build warnings.
2024-10-05 11:44:58 -07:00
JacobBarthelmeh 31a6a2bf59 update copyright to 2024 2024-07-19 13:15:05 -06:00
Daniel Pouzzner b3e8f0ad24 add --enable-debug-trace-errcodes, WOLFSSL_DEBUG_TRACE_ERROR_CODES, WC_ERR_TRACE(), WC_NO_ERR_TRACE(), support/gen-debug-trace-error-codes.sh. also add numerous deployments of WC_NO_ERR_TRACE() to inhibit frivolous/misleading errcode traces when -DWOLFSSL_DEBUG_TRACE_ERROR_CODES. 2024-06-08 16:39:53 -05:00
Juliusz Sosinowicz ab03324dc7 ed25519: put entire order into buffer for sanity check 2024-05-09 10:36:37 +02:00
Juliusz Sosinowicz 2508c9e1f4 ed25519: check that the signature is smaller than the order 2024-05-08 17:54:37 +02:00
Daniel Pouzzner 0264a518e1 wolfcrypt/src/ed25519.c: in ed25519_pairwise_consistency_test(), add casts to mollify -Wconversion. 2024-04-19 01:41:35 -05:00
kaleb-himes 0bd5967093 Adjust FIPS version and default configuration 2024-04-18 08:41:05 -06:00
Sean Parkinson c590fe514f EdDSA FIPS checks on public key
Check that the Ed25519 and Ed448 public key is valid even without
private key.
Perform pairwise consistency test, only in FIPS, when making a key i
Ed25519 and Ed448.
2024-04-17 17:50:33 +10:00
kaleb-himes b8d31b042f Windows support 2024-04-09 13:55:05 -06:00
kaleb-himes e45867bbc3 WIN fips section refactor / wolfEntropy API syntax adjustment 2024-04-09 09:48:33 -06:00
kaleb_himes 81f5ac7f6c SRTP-KDF FS Preview 2024-04-09 09:48:33 -06:00
David Garske c8d0bb0bd8 Merge pull request #7212 from SparkiDev/eddsa_check_priv
EdDsa: check private value after sign
2024-02-13 09:27:34 -08:00
Sean Parkinson e28d6a7b71 EdDsa: check private value after sign
Check the private value hasn't changed during signing with EdDSA.
2024-02-13 22:11:48 +10:00
Juliusz Sosinowicz bdc0b80ddb Don't include unnecessary headers in public header file 2024-02-06 13:27:34 +01:00
Sean Parkinson 90467aa578 Curve25519/Ed25519: align buffers
Make data structures align buffers.
Align buffers in functions.
Add versions that don't use umaal
2023-09-08 15:23:15 +10:00
Sean Parkinson 36b92a4cef Thumb2 ASM, Curve25519
Add support for compiling ASM for Thumb2
Add Curve25519 ASM for Thumb2
Limit assembly code compiled when Ed25519 not required.
Rework all assembly implementations to replace ge_*() functions instead
of having fe_ge_*() versions that take many parameters.
Get ARM32 inline asm working.
2023-08-24 17:43:03 +10:00
gojimmypi 98b718f91b wolfcrypt polish: init, checks, corrections (#6249)
* wolfcrypt polish: init, checks, corrections
2023-04-18 09:41:42 -07:00
Jacob Barthelmeh 9dcc48c8f7 update copyright to 2023 2022-12-30 17:12:11 -07:00
Chris Conlon 45bf793b5a SE050 expansion: add RSA support, allow for larger key IDs, get/set key ID from ecc_key/RsaKey, fixes for SE050 hashing, remove XREALLOC dependency, API to store/get binary object, API to erase object, test.c compatibility 2022-11-11 12:14:14 -07:00
Sean Parkinson f807c70637 Ed make public key wasn't checking whether private key set
Ed25519 and Ed448 make public key APIs now check whether the private key
was set.
The private key and public key flags setting and clearing also updated.
Testing of unset private key and calling make public key added for
Ed25519 and Ed448.
2022-09-05 12:21:51 +10:00
Jacob Barthelmeh 8eaa85e412 update copyright year to 2022 2022-07-19 10:44:31 -06:00
Juliusz Sosinowicz 4caffee590 ForceZero the private key on import error 2022-07-05 13:44:31 +02:00
Sean Parkinson 4a962b7fb2 Ed25519/448: improvements
Check lengths of buffers in import functions.
priv/pub key set flag set on success only.
2022-07-05 09:02:05 +10:00
David Garske bb68766bda For ED255219 and ED448 if importing private only and public key is already set then check it. 2022-07-01 14:13:45 -07:00
Sean Parkinson 2c943282f0 Ed25519/Ed448: assume public key is not trusted
In defense against attack, assume the imported public key is not trusted
and check it matches the private key if set.
Added APIs that allow application to explicitly trust public key.
Original APIs default to not trusting public key.
2022-07-01 09:05:43 -07:00
Kareem 13beadbfc3 Fix missing return checks in KSDK ED25519 code. 2022-06-30 13:35:00 -07:00
Sean Parkinson 1b29f7353a Check memory is zeroized
Add a define WOLFSSL_CHECK_MEM_ZERO to turn on code that checks that
memory that must be zeroized before going out of use is zero.
Everytime sensitive data is put into a allocated buffer or stack buffer;
the address, its length and a name is stored to be checked later.
Where the stack buffer is about to go out of use, a call is added to
check that the required parts are zero.

wc_MemZero_Add() adds an address with length and name to a table of
addressed to be checked later.
wc_MemZero_Check() checks that the memory associated with the address is
zeroized where required.
mp_memzero_add() adds mp_int's data pointer with length and name to
table.
mp_memzero_check() checks that the data pointer is zeroized where
required.

Freeing memory will check the address. The length was prepended on
allocation.
Realloction was changed for WOLFSSL_CHECK_MEM_ZERO to perform an
allocate, check, copy, free.
2022-06-16 10:22:32 +10:00
Sean Parkinson f1ce0cc95d Memory zeroization fixes
Zeroize secrets in stack buffers and allocated memory.
mp_forcezero to ensure private MP integers are zeroized.
Fix whitespace and add some comments.
2022-06-15 11:26:11 +10:00