Commit Graph

433 Commits

Author SHA1 Message Date
Daniel Pouzzner b16c2a2aef fix clang-analyzer-deadcode.DeadStores in sp_div(). 2022-07-01 23:49:58 -05:00
David Garske 0459e83a59 Merge pull request #5310 from SparkiDev/memusage_fix_1
TLS memusage: reduce usage
2022-07-01 09:13:05 -07:00
Sean Parkinson 7d58dc5678 TLS memusage: reduce usage
Reduce the amount allocated to reduce maximum overall dynamic memory
usage.
Rework ServerKeyExchange by extracting the handling of the signed data.
2022-07-01 14:24:59 +10:00
Sean Parkinson 0159f17692 SP int math; submod fix
Fix for sp_submod() to reduce by modulus when a or b are equal to
modulus as well as when greater.
2022-06-30 08:53:25 +10:00
Sean Parkinson 22336d30e5 SP math all: don't use sp_int_word when SQR_MUL_ASM available
1. _WIN64 doesn't have 128-bit type but now can use 64-bit sp_int_digit
when assembly code snippets are being used.
2. Fix sp_div() to support values closer to maximum size.
3. Fix builds to work for more configurations.
4. Have ECC uncompressed code keep intermediate values in range of
maximum (x^3 calculation fixed).
5. Fix configuation.ac's check of FIPS for using signed SP Math All.
Default now not signed as intended.
2022-06-28 15:51:53 +10:00
Daniel Pouzzner 9211825121 sp_int.c: fix refactor of undefined-semantics shift in _sp_mul(). 2022-06-24 18:04:51 -05:00
Daniel Pouzzner 047c662af8 fix math errors unmasked by change to sp-math-all as default math back end. 2022-06-24 15:56:54 -05:00
David Garske 00b82888bc Merge pull request #4759 from dgarske/sp_math_default
Enable wolfSSL SP Math all (sp_int.c) by default
2022-06-23 16:14:54 -07:00
Sean Parkinson ee12c12e98 Fixes required to make SP Math default
fasthugemath means turn on fastmath
Use sp_int_digit and not sp_digit in sp_int.c.
test.c needs to use large static buffer when SP Math used like fastmath.
When building static memroy, SP math all without WOLFSSL_SP_NO_MALLOC is
a valid configuration.
Fix freeing of bigint in sp_int.c.
Cast x to a signed value to negate and then back to unsigned. (For
Windows builds.)
Remove warning about empty file on Windows about integer.obj.
Allow RSA verify only and RSA public only to be used with other public
key algorithms.
If building for FIPS, then older versions of RSA and ECC require SP Math
to support negative numbers.
Get old FIPS files building with SP int.
Disallow --enable-sp-math and --enable-sp-math-all.
When just --enable-sp-math on configuration line then disable SP Math
all.
2022-06-23 14:15:54 +10:00
David Garske 6d2a41b9fd Enable wolfSSL SP Math all (sp_int.c) by default. If --enable-fastmath or USE_FAST_MATH is set the older tfm.c fast math will be used. To use the old integer.c heap math use --enable-heapmath or USE_INTEGER_HEAP_MATH. 2022-06-16 10:57:30 +10:00
Sean Parkinson 1b29f7353a Check memory is zeroized
Add a define WOLFSSL_CHECK_MEM_ZERO to turn on code that checks that
memory that must be zeroized before going out of use is zero.
Everytime sensitive data is put into a allocated buffer or stack buffer;
the address, its length and a name is stored to be checked later.
Where the stack buffer is about to go out of use, a call is added to
check that the required parts are zero.

wc_MemZero_Add() adds an address with length and name to a table of
addressed to be checked later.
wc_MemZero_Check() checks that the memory associated with the address is
zeroized where required.
mp_memzero_add() adds mp_int's data pointer with length and name to
table.
mp_memzero_check() checks that the data pointer is zeroized where
required.

Freeing memory will check the address. The length was prepended on
allocation.
Realloction was changed for WOLFSSL_CHECK_MEM_ZERO to perform an
allocate, check, copy, free.
2022-06-16 10:22:32 +10:00
Sean Parkinson f1ce0cc95d Memory zeroization fixes
Zeroize secrets in stack buffers and allocated memory.
mp_forcezero to ensure private MP integers are zeroized.
Fix whitespace and add some comments.
2022-06-15 11:26:11 +10:00
kaleb-himes cb6a138caf Implement peer review feedback 2022-05-10 08:43:18 -06:00
kaleb-himes d5f7beefd4 Address issues ID'd by new windows multi-config test 2022-05-09 16:50:56 -06:00
David Garske 25e8bd6b45 Merge pull request #5044 from SparkiDev/sp_read_radix_10_oob
SP Math
2022-04-26 16:21:11 -07:00
David Garske 659d33fdaf Fixes for minor sniffer and async issues:
* Sniffer: Remove old restrictions for max strength, encrypt-then-mac and forcing openssl-extra.
* Fix bound warning with strncpy in sniffer.c.
* Fix for async DH issue.
* Fix for SP math all not initializing raw big int.
* Fix for array bounds warning with "-O3" on SetEccPublicKey.
* Fix a sniffer async edge case with TLS v1.2 static RSA and extended master.
* Improved the sniffer test script detection of features.
* Disable ECC custom curve test with Intel QuickAssist.
2022-04-18 11:46:40 -07:00
Sean Parkinson 55e13d40b3 SP Math
sp_read_radix_10: check _sp_add_d doesn't error due to overflow
_sp_add_d: Don't change value of used for result until it is known to be
valid.
2022-04-13 08:33:30 +10:00
Sean Parkinson e9187f5f00 Wycheproof fixes/changes
Allow Chachac20-Poly1305 to take an empty msg.
Allow AES-SIV to have an empty nonce.
Don't allow the length to be malleable. Must use the smallest number of
bytes to represent value.
ECDSA and DSA signature values are positive.
Add Sha512-224 and Sha512-256 OIDs.
ASN template - ensure the ECDSA/DSA signature uses all data.
Curve25519/Curve448 - WOLFSSL_ECDHX_SHARED_NOT_ZERO means shared secret
can't be 0.
Curve25519/Curve448 - check public value is less than order.
ECC - x or y may be zero but not both.
Ed25519/Ed448 - check S is less than order.
Ed448 - ge_p3_dbl can be simplified for ASM.
Prime check (integer.c/tfm.c/sp_int.c): Don't allow negative values and
make sure random candidate doesn't have bits higher than those in a set
when bits not a multiple of 8.
RSA: support Sha512-224 and Sha512-256.
RSA: Fix check for invalid in decryption. Affects plaintexts 256 bytes
and longer.
RSA: Don't allow base be larger than modulus.
RSA: Check small ciphertext (1 or 0) on decrypt when not using OAEP.
RSA: WOLFSSL_RSA_DECRYPT_TO_0_LEN allows decrypted value to be 0.
SP math all: fix div to handle large a and d when checking size of
remainder.
SP math all: set sign of result in sp_mod_2d()
2022-04-06 15:35:01 +10:00
Sean Parkinson 3d5b933f3c SP math all: IAR doesn't accept comment lines in assembly
Replace assembly comment lines with C comment lines.
2022-02-24 16:06:31 +10:00
Sean Parkinson 2eb044dc60 SP: Add support for P521 2022-02-23 14:51:47 +10:00
Sean Parkinson ea5785f6fd SP int: Montgomery Reduction
Improve performance for ECC curves when all bits in words are used (mask
is 0).
On 64-bit platforms, improves performance for 256 and 384 bit curves.
On 32-bit platforms, improves performance for 224, 256, 384 bit curves.
2022-02-15 17:19:57 +10:00
Sean Parkinson 6571151d17 SP int: fixup ARM Thumb asm for small builds
Small builds or arm Thumb can't use r7.
2022-02-15 08:34:21 +10:00
Daniel Pouzzner fbf38fff07 wolfcrypt/src/sp_int.c: fix comment around clang-12+ -Os. 2022-02-10 16:43:17 -06:00
Daniel Pouzzner 91578df19d fixes for clang -Os on clang >= 12.0.0; fixes for bugs in blake2s. 2022-02-10 15:54:10 -06:00
Sean Parkinson e8fb17f7b5 SP int, cortex, thumb div_word: fix to work
Cortex builds needed # before number. Arm32 works with or without.
Thumb div_word needed to shift up if divisor too small (like other ARM
implementations).
2022-02-10 12:07:11 +10:00
Sean Parkinson bd1b58dd7f SP math, Aarch64, ARM32: div word asm fixup
ASM code is dividing by top half of divisor. If this value is very small
then bad results are calculated.
Moved the divisor up by a quarter of the width if top quarter of divisor
is 0.
2022-02-04 11:59:31 +10:00
Sean Parkinson 3d63e41653 SP int: sp_modinv fixes for sizes
sp_invmod with even modulus requires a multiplication by modulus. Don't
let modulus overflow result variable 'r'.
Fix allocation of temporary sp_ints to be correct size.
Add test for maximum modulus size in test.c.

Remove leading spaces on functions so git correctly determines which
function has changed.
Put in Thumb code for more sizes of _sp_mul_*().
2022-01-24 15:18:20 +10:00
David Garske 7a36d57e8f Merge pull request #4784 from SparkiDev/sp_int_modinv_perf
SP int: minor improvements to sp_invmod
2022-01-21 10:30:09 -08:00
Daniel Pouzzner 6a56d3e131 jumbo patch of fixes for clang-tidy gripes (with some bug fixes).
defect/gripe statistics:

    configured --enable-all --enable-sp-math-all --enable-intelasm

    with LLVM 13 clang-tidy -checks=readability-*,bugprone-*,misc-no-recursion,misc-misplaced-const,misc-redundant-expression,misc-unused-parameters,misc-unused-using-decls,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,-clang-analyzer-optin.performance.Padding,-readability-braces-around-statements,-readability-function-size,-readability-function-cognitive-complexity,-bugprone-suspicious-include,-bugprone-easily-swappable-parameters,-readability-isolate-declaration,-readability-magic-numbers,-readability-else-after-return,-bugprone-reserved-identifier,-readability-suspicious-call-argument,-bugprone-suspicious-string-compare,-bugprone-branch-clone,-misc-redundant-expression,-readability-non-const-parameter,-readability-redundant-control-flow,-readability-misleading-indentation,-bugprone-narrowing-conversions,-bugprone-implicit-widening-of-multiplication-result

    [note these figures don't reflect additional defects fixed in this commit for --enable-smallstack, --enable-fips, --enable-async, --enable-asn=template, and --enable-fastmath, and --disable-fastmath]

    pre-patch warning count per file, with suppressions:

    clang-analyzer-security.insecureAPI.strcpy    6  wolfssl/tests/suites.c
    clang-analyzer-security.insecureAPI.strcpy    2  wolfssl/testsuite/testsuite.c
    bugprone-suspicious-missing-comma             3  wolfssl/examples/server/server.c
    bugprone-suspicious-missing-comma             3  wolfssl/examples/client/client.c
    readability-redundant-preprocessor            2  wolfssl/wolfcrypt/src/asn.c
    readability-redundant-preprocessor            1  wolfssl/wolfcrypt/src/rsa.c
    readability-redundant-preprocessor            9  wolfssl/src/ssl.c
    readability-redundant-preprocessor            2  wolfssl/src/tls13.c
    readability-redundant-preprocessor           18  wolfssl/tests/api.c
    readability-redundant-preprocessor            3  wolfssl/src/internal.c
    readability-redundant-preprocessor           10  wolfssl/wolfcrypt/test/test.c
    readability-named-parameter                   1  wolfssl/wolfcrypt/benchmark/benchmark.c
    readability-named-parameter                   7  wolfssl/src/internal.c
    readability-named-parameter                   1  wolfssl/wolfcrypt/src/ecc.c
    readability-named-parameter                   1  wolfssl/testsuite/testsuite.c
    readability-named-parameter                  11  wolfssl/wolfcrypt/src/ge_operations.c
    misc-no-recursion                             3  wolfssl/src/ssl.c
    readability-uppercase-literal-suffix          4  wolfssl/wolfcrypt/src/asn.c
    readability-uppercase-literal-suffix          1  wolfssl/src/ssl.c
    readability-uppercase-literal-suffix         13  wolfssl/wolfcrypt/benchmark/benchmark.c
    bugprone-too-small-loop-variable              1  wolfssl/wolfcrypt/src/rsa.c
    bugprone-too-small-loop-variable              2  wolfssl/wolfcrypt/src/sha3.c
    bugprone-too-small-loop-variable              4  wolfssl/wolfcrypt/src/idea.c
    bugprone-signed-char-misuse                   2  wolfssl/src/ssl.c
    bugprone-signed-char-misuse                   3  wolfssl/wolfcrypt/src/sp_int.c
    bugprone-signed-char-misuse                   3  wolfssl/examples/client/client.c
    bugprone-macro-parentheses                   19  wolfssl/wolfcrypt/src/aes.c
    bugprone-macro-parentheses                  109  wolfssl/wolfcrypt/src/camellia.c
    bugprone-macro-parentheses                    1  wolfssl/src/tls.c
    bugprone-macro-parentheses                    3  wolfssl/wolfcrypt/src/md4.c
    bugprone-macro-parentheses                    2  wolfssl/wolfcrypt/src/asn.c
    bugprone-macro-parentheses                   26  wolfssl/wolfcrypt/src/blake2b.c
    bugprone-macro-parentheses                  257  wolfssl/wolfcrypt/src/sha3.c
    bugprone-macro-parentheses                   15  wolfssl/src/ssl.c
    bugprone-macro-parentheses                    1  wolfssl/wolfcrypt/src/sha.c
    bugprone-macro-parentheses                    8  wolfssl/tests/api.c
    bugprone-macro-parentheses                    4  wolfssl/wolfcrypt/src/sp_int.c
    bugprone-macro-parentheses                    6  wolfssl/wolfcrypt/benchmark/benchmark.c
    bugprone-macro-parentheses                   38  wolfssl/wolfcrypt/src/hc128.c
    bugprone-macro-parentheses                   12  wolfssl/wolfcrypt/src/md5.c
    bugprone-macro-parentheses                   10  wolfssl/wolfcrypt/src/sha256.c
    bugprone-macro-parentheses                    4  wolfssl/wolfcrypt/test/test.c
    bugprone-macro-parentheses                    3  wolfssl/wolfcrypt/src/ecc.c
    bugprone-macro-parentheses                    2  wolfssl/tests/suites.c
    bugprone-macro-parentheses                    4  wolfssl/wolfcrypt/src/cpuid.c
    bugprone-macro-parentheses                   26  wolfssl/wolfcrypt/src/blake2s.c
    bugprone-macro-parentheses                   24  wolfssl/wolfcrypt/src/sha512.c
    bugprone-macro-parentheses                    3  wolfssl/wolfcrypt/src/poly1305.c
    bugprone-macro-parentheses                   24  wolfssl/wolfcrypt/src/ripemd.c
    readability-inconsistent-declaration-parameter-name    1  wolfssl/src/internal.c
    readability-inconsistent-declaration-parameter-name    1  wolfssl/testsuite/testsuite.c

    pre-patch warning count summaries, with suppressions:

    clang-analyzer-security.insecureAPI.strcpy                  8
    bugprone-suspicious-missing-comma                           6
    readability-redundant-preprocessor                         45
    readability-named-parameter                                21
    misc-no-recursion                                           3
    readability-uppercase-literal-suffix                       18
    bugprone-too-small-loop-variable                            7
    bugprone-signed-char-misuse                                 8
    bugprone-macro-parentheses                                601
    readability-inconsistent-declaration-parameter-name         2

    pre-patch warning count summaries, without suppressions:

    clang-analyzer-security.insecureAPI.strcpy                  8
    bugprone-branch-clone                                     152
    readability-non-const-parameter                           118
    bugprone-suspicious-missing-comma                           6
    bugprone-suspicious-include                                52
    readability-magic-numbers                               22423
    readability-redundant-preprocessor                         45
    readability-named-parameter                                21
    readability-function-cognitive-complexity                 845
    readability-else-after-return                             398
    bugprone-implicit-widening-of-multiplication-result       595
    readability-function-size                                  21
    readability-isolate-declaration                          1090
    misc-redundant-expression                                   2
    bugprone-narrowing-conversions                            994
    misc-no-recursion                                           3
    readability-uppercase-literal-suffix                       18
    bugprone-reserved-identifier                               56
    readability-suspicious-call-argument                       74
    bugprone-too-small-loop-variable                            7
    bugprone-easily-swappable-parameters                      437
    bugprone-signed-char-misuse                                 8
    readability-misleading-indentation                         94
    bugprone-macro-parentheses                                601
    readability-inconsistent-declaration-parameter-name         2
    bugprone-suspicious-string-compare                        495
    readability-redundant-control-flow                         20
    readability-braces-around-statements                    11483
    clang-analyzer-valist.Uninitialized                         1
    clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling   3502
2022-01-21 01:25:48 -06:00
Sean Parkinson b75fe633ad SP int: minor improvements to sp_invmod 2022-01-21 16:47:59 +10:00
David Garske d728a7f0e6 Merge pull request #4777 from SparkiDev/sp_modinv_even_fix
SP int: fix rework of sp_invmod
2022-01-19 20:32:48 -08:00
David Garske 95efdccd7f Merge pull request #4751 from SparkiDev/sp_int_thumb_asm
SP int: ARM Thumb asm snippets
2022-01-19 18:52:02 -08:00
Sean Parkinson b767857abb SP int: fix rework of sp_invmod
Simplify code and check for m mod a == 0 which means there is no
inverse.
2022-01-20 10:37:31 +10:00
Sean Parkinson a1185adf2c SP int: ARM Thumb asm snippets 2022-01-20 09:16:45 +10:00
Daniel Pouzzner 2984cb5abf Merge pull request #4768 from SparkiDev/sp_invmod_nr
SP math: sp_invmod changed to not call itself
2022-01-18 16:20:37 -06:00
Sean Parkinson 53a4903e2f SP math neg: Mont Reduce fix
Compare the absolute value for negatives.
2022-01-18 16:22:38 +10:00
Sean Parkinson fc861f3d6d SP math: sp_invmod changed to not call itself
When the modulus is even, calculate m^-1 mod a instead and fixup after.
Don't call self to do inverse.
2022-01-18 10:45:57 +10:00
Sean Parkinson 0acf8d0e75 Merge pull request #4732 from embhorn/zd13375
SP int, TFM: Init vars for static analysis
2022-01-13 07:06:19 +10:00
Eric Blankenhorn 5cce1926bb Init vars for static analysis 2022-01-10 08:24:29 -06:00
Sean Parkinson 6398087d5b SP int: ARM64/32 sp_div_word changes
Fixup up formatting.
Fix comments.
Aarch64: don't use variable r when hi can be used.
ARM 32-bit: Add a version that uses udiv - not available on all chips
and can be slower anyway.
2022-01-10 16:27:39 +10:00
Sean Parkinson 80a4793201 SP int: transplant the div_word from SP into SP int for ARM64 and ARM32 2021-12-24 12:26:19 +10:00
David Garske 3644d97dd8 Merge pull request #4613 from SparkiDev/sp_div_max
SP math all: div handling of length of dividend
2021-12-20 15:10:35 -08:00
David Garske ce4f436d0f Merge pull request #4587 from SparkiDev/dis_algs_fix_1
Disable algorithms: fixes
2021-12-19 20:12:30 -08:00
Eric Blankenhorn 53eb5d2e5a Fix _sp_exptmod_base_2 to init vars. 2021-12-13 10:16:55 -06:00
David Garske 48b15b0dfb Merge pull request #4616 from SparkiDev/sp_int_mips32
SP math all: MIPS asm fix
2021-12-01 16:16:14 -08:00
David Garske 9f611e8b80 Merge pull request #4589 from JacobBarthelmeh/native-lwip
Native LwIP support update
2021-12-01 10:37:13 -08:00
Sean Parkinson a7d538a82f SP math all: MIPS asm fix
Names $lo and $hi in register list are not supported with old GCC
compiler. Newer compiler also supports %lo and %hi.
2021-11-30 12:56:08 +10:00
Sean Parkinson e5e280b175 SP math all: fix exponent bit count
Only when using non-constant time implementation and modulus even.
2021-11-30 10:28:42 +10:00
Sean Parkinson a3d46bee32 SP math all: div handling of length of dividend
Fail when dividend is maximum size as we may be shifting left and
overflow when divisor is not on a word boundary.
2021-11-30 09:46:11 +10:00
Sean Parkinson 5a72fee3df Disable algorithms: fixes
WOLFSSL_PUBLIC_MP and disable algorithms didn't work because of api.c.
 - mp_cond_copy not available unless ECC compiled in
 - wc_export_int not available unless ECC compiled in
Enabling only DH and using SP with SP Math didn't work as the DH
parameters were too small.
sp_cmp is needed when only DH.
mp_set_int is was not available in SP math when RSA is not defined.
mp_set is close enough for the use cases.
Configure with SP and SP math but not RSA, DH and ECC didn't configure -
now default to small maths.
2021-11-19 16:56:33 +10:00