Commit Graph

322 Commits

Author SHA1 Message Date
Martin Stolpe 81484ef74b Fix compilation of wc_RsaFunctionNonBlock if WOLFSSL_RSA_PUBLIC_ONLY is defined 2023-06-30 13:05:21 -07:00
Sean Parkinson b62e0b7ceb Fix type conversion warnings by gcc 2023-06-01 14:21:41 +10:00
Sean Parkinson e954110cc5 CryptoCb, PKCS#11: add RSA key size lookup
wc_RsaEncryptSize(): assumed a key size of 2048 when using hardware key.
Added callback to do lookup and implemented for PKCS#11.
If lookup not supported then assumes 2048 bits.
2023-05-24 11:42:52 +10:00
Chris Conlon a474179cdf Merge pull request #6301 from miyazakh/ra_cryptonly
Add Renesas SCE RSA Crypt Only support
2023-05-12 16:32:15 -06:00
lealem47 79a5c49e47 Skip Async_DevCtxInit when using init rsa/ecc label/id api's (#6393)
* Skip Async_DevCtxInit when using init rsa/ecc label/id api's

---------

Co-authored-by: Lealem Amedie <lealem47@github.com>
2023-05-12 11:54:03 -07:00
JacobBarthelmeh bab35c4de2 add WOLF_CRYPTO_CB_FIND macro to guard find device ID callback 2023-05-10 15:28:19 -07:00
Hideki Miyazaki a2776ad35e addressed review comments 2023-05-10 13:55:34 +09:00
JacobBarthelmeh 71ca447b6b resolve CB_ONLY cases 2023-05-09 09:08:32 -07:00
JacobBarthelmeh 71cbc019d7 always call crypto cb when compiled in 2023-05-08 09:49:50 -07:00
Hideki Miyazaki 4fd629d4e7 fix white spaces and overlong lines 2023-04-20 16:07:51 +09:00
Daniel Pouzzner f396989d20 more -Wconversion fixes, now covering everything inside the 140-3 boundary with default build options, everything in wolfcrypt with default build options, all modes of AES, builds with/without intelasm, all permutations of c89/c99 32/64 bit, and much of the crypto-all-cryptonly boundary;
also a gating fix for asn.c:SetShortInt().
2023-04-19 15:26:05 -05:00
Juliusz Sosinowicz 82e8eb2f70 rsa.c: Use xorbuf when possible 2023-04-19 17:06:25 +02:00
Daniel Pouzzner ac85cfa3d5 fix "comma at end of enumerator list" warnings in wolfcrypt for C89 compatibility, mostly by just snipping out unneeded comma, but several using WOLF_ENUM_DUMMY_LAST_ELEMENT() to preserve gated enum values as-is. 2023-04-14 13:48:03 -05:00
Hideki Miyazaki 35f6099d7c Add SCE RSA Crypt Only feature
- RSA SSA 1024/2048 Sign/verify
  - RSA ES 1024/2048 Enc/Dec
  - Unit test for these RSA operation
2023-04-14 06:41:24 +09:00
Daniel Pouzzner 7155c5748e fix overlong lines. 2023-04-12 01:37:09 -05:00
Daniel Pouzzner ed11669f3c more fixes for implicit casts, including asn=template. 2023-04-12 01:37:09 -05:00
Sean Parkinson 8065139050 SP int: improve use of stack
Minimize use of stack.
Make very large stack allocations dynamic memory allocations unless
WOLFSSL_SP_NO_MALLOC.

ProcessBufferTryDecode() split up into a function for each type.
ProcessBufferTryDecodeRsa() decodes the data and gets key size rather
than having or allocating an RsaKey.
Added wc_RsaPrivateKeyValidate() that only validates the encoding is an
RSA key and returns the key size in bytes.

For SP int, only create sp_ints of required size in RSA and ECC
implementation. For WOLFSSL_SMALL_STACK, memory is allocated to have
just enough bytes and size is set to maximum supported. Otherwise,
relies on dynamic stack variables.
For ECC, MAX_ECC_BITS_USE used when dynamic stack variables not
supported. Significantly reduces memory usage when RSA/DH is also built.

Add macros to sp_int.h, tfm.h and integer.h to support declaring,
allocating, initializing and freeing mp_ints.
For integer.h, mp_int is always static as size is no more than 32 bytes.
For tfm.h, WOLFSSL_SMALL_STACK has a full mp_int allocated, otherwise
the full mp_int is put on the stack.
For sp_int.h  with new macros, dynamically allocate sp_int to minimal
size when WOLFSSL_SMALL_STACK, or when dynamic stack variables, declare
them to be of minimal size or otherwise declare with a fixed max.
Added mp_bitsused(), for all implementations, to get the number of bits
available based on used. Included for RSA to get the size of the
modulus.

SP int now always uses dynamic stack variables if possible rather than
for builds with WOLFSSL_SP_SMALL.
Moved code out into separate functions so that stack allocations don't
happen when not going down code path.
2023-04-06 10:04:39 +10:00
Sean Parkinson 8851065848 cppcheck fixes
Fix checking of negative with unsigned variables.
Check digestSz for 0 in wc_SSH_KDF() so that no possibility of dividing
by zero.
Change XMEMCPY to XMEMSET in renesas_sce_util.c.
Fix test.c to free prvTmp and pubTmp on read error.
Remove unused variables.
XFREE checks for NULL so don't check before call.
Move variable declarations to reduce scope.
2023-04-03 16:59:58 +10:00
Sean Parkinson d1e4349661 MemZero check fixes
ForceZero the client and server secret regardless of whether TLS 1.3 as
it may change but have been copied in.
ForceZero the input buffer in wolfSSL_Clear() when encryption was on.

Changed wc_PRF_TLS to only check the parts of data used.
Changed where scatch is added for checking in wc_AesCtrEncrypt.
Change wc_MakeRsaKey to memset p, q, tmp1, tmp2 and tmp3 to all zeros so
that MemZero check works. Memset not needed otherwise.
Changes for new compiler - thinks uninitialized.
2023-03-23 12:27:38 +10:00
Sean Parkinson 9ec742b11f Regression testing fixes
HAVE_ECH only used by TLS 1.3 add protection around all code.
ssl->options.onlyPskDheKe only available when HAVE_SUPPORTED_CURVES.
CleanupClientTickets() defined when HAVE_SUPPORTED_CURVES.
TLSX_KeyShare_DeriveSecret only defined when HAVE_SUPPORTED_CURVES.
DecodeResponseData - initialize variable single.
New OpenSSL compatibility BN code requires mp_read_radix - turn on in
integer.c, sp_int.c when OPENSSL_EXTRA defined.
rsa.c:_CheckProbablePrime - make sure tmp1 and tmp2 are initialized
before error handling jumps to freeing them.

test_remove_hs_message uses 1024-bit DH key which is not supported when
using SP math with SP.
2023-03-22 08:57:20 +10:00
Sean Parkinson 2a33f24dc9 RSA padding - no pad length check fix
Perform correct length check of input bytes based on bits in key in
wc_RsaPad_ex when no padding to be done.
2023-03-01 09:42:39 +10:00
Sean Parkinson 49a500c2af Merge pull request #6070 from bandi13/coverityFixes
Coverity fixes
2023-02-09 10:21:12 +10:00
Andras Fekete 767c282c1d Addressing PR comments 2023-02-08 16:35:03 -05:00
Chris Conlon f14c27f644 Fix SE050 RSA public key loading and RSA/ECC SE050 usage from TLS with WOLF_PRIVATE_KEY_ID 2023-01-27 14:28:47 -07:00
Andras Fekete 5b36d5235c Always check to make sure 'sigCheckBuf' is within range 2023-01-26 16:23:39 -05:00
David Garske 023db01aca * Fixed some build configuration variations.
* Fixed `PEM_BUFSIZE` macro redefined when building with coexist.
* Updated the `user_settings_all.h` and `user_settings_wolfboot_keytools.h` to include latest options.
* Improved API unit test error case checking where `TEST_RES_CHECK` is not used.
* Changed `TEST_SKIPPED` to unique value.
* Added CI tests for enable-all, small stack, and user setting templates.
2023-01-03 10:59:59 -08:00
Jacob Barthelmeh 9dcc48c8f7 update copyright to 2023 2022-12-30 17:12:11 -07:00
Anthony Hu f9ccdd7ffc Change comment to reflect that RSA blind is enabled by default 2022-12-28 13:09:59 -05:00
Sean Parkinson 7005d416ce SP int: Comment and rework some code
Improvements to sp_int.c that make it slightly quicker and documented.
2022-11-28 18:06:09 +10:00
Chris Conlon 45bf793b5a SE050 expansion: add RSA support, allow for larger key IDs, get/set key ID from ecc_key/RsaKey, fixes for SE050 hashing, remove XREALLOC dependency, API to store/get binary object, API to erase object, test.c compatibility 2022-11-11 12:14:14 -07:00
Steffen Jaeckel 0e57e9858f Integrate Xilinx Versal
* add Versal specific glue
   The same structure of an "XSecure client" is used throughout the API's,
   therefor define it once and re-use in all clients.
* integrate Versal AES-GCM engine
* integrate Versal SHA3-384 engine
* add versal support to tests
  - There's no intermediate-hash API for Versal.
* add specific test with large AAD
   Test only with `n*16 byte` wide chunks of AAD, so it gets processed in the
   hardware engine.
* add specific test with misaligned AES-GCM arguments
* integrate Versal RSA engine
* disable failing RSA test-case when Xilinx Crypto is enabled
* introduce define `WOLFSSL_XILINX_CRYPT_VERSAL`
* integrate Versal TRNG engine
* allow using Versal TRNG w/o wolfcrypt DRBG
   Versal TRNG already provides a HRNG mode which does the same as the
   wolfcrypt DRBG implementation.
* add support for user-supplied nonce to Versal TRNG
* add `wc_XsecureErrorToString()` to map PLM error codes to messages.
* integrate Versal EcDSA engine
* update tests to work with Versal EcDSA
   If deterministic K is enabled, the tests failed here since the Versal
   EcDSA engine doesn't support the SECP256R1 curve yet.
* Xilinx crypto engines like aligned memory very much
   Make this a default choice, not via the user configuration.
* add Xilinx-specific `WOLFSSL_MSG()` equivalent
   `WOLFSSL_XIL_MSG()` does the same as `WOLFSSL_MSG()` besides waiting for
   1 second before printing to stdout, since the PLM maybe prints to same and
   outputs would be mixed up.
   This waiting can be disabled by defining `WOLFSSL_XIL_MSG_NO_SLEEP`.
* add option to enable DPA CounterMeasures in AES-GCM crypto engine
* add "command mode" to Xilinx bare-metal example
* update Xilinx default user settings
* add script to execute benchmarks
* add scripts to create graphics
* add Vitis 2022.1 example projects

Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
2022-09-29 09:39:57 -06:00
David Garske 221fd275fd Fixes for building without SHAKE. 2022-09-23 14:50:16 -07:00
David Garske e49efbc101 Merge pull request #5544 from haydenroche5/async_sw
Migrate async names from "test" to "software."
2022-09-08 10:18:26 -07:00
Hayden Roche 959386422e Migrate async names from "test" to "software."
See async PR 52.
2022-09-01 17:53:18 -07:00
Sean Parkinson ce8959ea77 SHA-3 improvements
Add x86_64 assembly code:
  - BMI2
  - AVX2 (using ymm, slower than BMI2)
  - AVX2 of 4 similtaneous hashes
Add SHAKE128 functions and tests.
Add Absorb and Squeeze functions for SHAKE128 and SHAK256 and tests.
Add doxygen for SHA-3 and SHAKE functions.
Update other generated x86_64 assembly files to include settings.h.
2022-09-01 17:11:58 +10:00
Sean Parkinson 460845ba49 Maths bit size: ensure size is right
Ensure WOLFSSL_MAX_RSA_BITS works.
Fix SP math size defines.
Regression testing maths implementations.
2022-07-27 18:58:30 +10:00
Jacob Barthelmeh 8eaa85e412 update copyright year to 2022 2022-07-19 10:44:31 -06:00
Sean Parkinson 7d58dc5678 TLS memusage: reduce usage
Reduce the amount allocated to reduce maximum overall dynamic memory
usage.
Rework ServerKeyExchange by extracting the handling of the signed data.
2022-07-01 14:24:59 +10:00
David Garske 390908bccc Merge pull request #5236 from SparkiDev/mem_zero
Check memory is zeroized
2022-06-17 12:01:34 -07:00
Sean Parkinson 1b29f7353a Check memory is zeroized
Add a define WOLFSSL_CHECK_MEM_ZERO to turn on code that checks that
memory that must be zeroized before going out of use is zero.
Everytime sensitive data is put into a allocated buffer or stack buffer;
the address, its length and a name is stored to be checked later.
Where the stack buffer is about to go out of use, a call is added to
check that the required parts are zero.

wc_MemZero_Add() adds an address with length and name to a table of
addressed to be checked later.
wc_MemZero_Check() checks that the memory associated with the address is
zeroized where required.
mp_memzero_add() adds mp_int's data pointer with length and name to
table.
mp_memzero_check() checks that the data pointer is zeroized where
required.

Freeing memory will check the address. The length was prepended on
allocation.
Realloction was changed for WOLFSSL_CHECK_MEM_ZERO to perform an
allocate, check, copy, free.
2022-06-16 10:22:32 +10:00
David Garske 7e1549c684 Cleanup the RSA consistency check. Should only be enabled for FIPS v2 (3389), FIPS v5 or later. Can be forcefully enabled for non-FIPS using WOLFSSL_RSA_KEY_CHECK. The existing WOLFSSL_NO_RSA_KEY_CHECK macro will also disable it. This change was introduced in PR #4359. 2022-06-15 14:46:23 -07:00
Sean Parkinson f1ce0cc95d Memory zeroization fixes
Zeroize secrets in stack buffers and allocated memory.
mp_forcezero to ensure private MP integers are zeroized.
Fix whitespace and add some comments.
2022-06-15 11:26:11 +10:00
Tesfa Mael 2748bfc737 Add a check in RsaPad_OAEP 2022-06-08 10:07:26 -07:00
Takashi Kojo 1b9f922ec3 wc_MakeRsKey with static mem pool 2022-06-05 09:04:42 +09:00
David Garske 56c48b31ad Merge pull request #5105 from tmael/rsa_oaep_nomalloc
Support RSA OAEP with nomalloc
2022-06-02 08:45:01 -07:00
Tesfa Mael d6935ed3be Review comments 2022-05-17 09:21:20 -07:00
Tesfa Mael 74b3df4f6c Refactor tmpF in RsaMGF1 2022-05-06 16:14:47 -07:00
Tesfa Mael ad2119b2f8 Review comments 2022-05-06 12:00:32 -07:00
David Garske 6e880495dc Merge pull request #5102 from SparkiDev/ct_valgrind_fixes_1
Constant time changes
2022-05-05 07:43:00 -07:00
Sean Parkinson 189c9ab234 Constant time changes
GCM: make borrow constant time.
AES-GCM decrypt: compare at end and constant time.
Random: array_add touchs all elements every time.
RSA-OAEP: look for padding byte in constant time (look at every byte in
array).
SP
 - reduce conditional use (make them bit ops)
 - Fix point adds to not use double when adding infinity to infinity
 - Implement signed div as __divi3 is not constant time.
 - Move check sof input variables to API.
2022-05-05 12:26:57 +10:00