Commit Graph

49 Commits

Author SHA1 Message Date
David Garske bb68766bda For ED255219 and ED448 if importing private only and public key is already set then check it. 2022-07-01 14:13:45 -07:00
Sean Parkinson 2c943282f0 Ed25519/Ed448: assume public key is not trusted
In defense against attack, assume the imported public key is not trusted
and check it matches the private key if set.
Added APIs that allow application to explicitly trust public key.
Original APIs default to not trusting public key.
2022-07-01 09:05:43 -07:00
Kareem 13beadbfc3 Fix missing return checks in KSDK ED25519 code. 2022-06-30 13:35:00 -07:00
Sean Parkinson 1b29f7353a Check memory is zeroized
Add a define WOLFSSL_CHECK_MEM_ZERO to turn on code that checks that
memory that must be zeroized before going out of use is zero.
Everytime sensitive data is put into a allocated buffer or stack buffer;
the address, its length and a name is stored to be checked later.
Where the stack buffer is about to go out of use, a call is added to
check that the required parts are zero.

wc_MemZero_Add() adds an address with length and name to a table of
addressed to be checked later.
wc_MemZero_Check() checks that the memory associated with the address is
zeroized where required.
mp_memzero_add() adds mp_int's data pointer with length and name to
table.
mp_memzero_check() checks that the data pointer is zeroized where
required.

Freeing memory will check the address. The length was prepended on
allocation.
Realloction was changed for WOLFSSL_CHECK_MEM_ZERO to perform an
allocate, check, copy, free.
2022-06-16 10:22:32 +10:00
Sean Parkinson f1ce0cc95d Memory zeroization fixes
Zeroize secrets in stack buffers and allocated memory.
mp_forcezero to ensure private MP integers are zeroized.
Fix whitespace and add some comments.
2022-06-15 11:26:11 +10:00
Sean Parkinson e9187f5f00 Wycheproof fixes/changes
Allow Chachac20-Poly1305 to take an empty msg.
Allow AES-SIV to have an empty nonce.
Don't allow the length to be malleable. Must use the smallest number of
bytes to represent value.
ECDSA and DSA signature values are positive.
Add Sha512-224 and Sha512-256 OIDs.
ASN template - ensure the ECDSA/DSA signature uses all data.
Curve25519/Curve448 - WOLFSSL_ECDHX_SHARED_NOT_ZERO means shared secret
can't be 0.
Curve25519/Curve448 - check public value is less than order.
ECC - x or y may be zero but not both.
Ed25519/Ed448 - check S is less than order.
Ed448 - ge_p3_dbl can be simplified for ASM.
Prime check (integer.c/tfm.c/sp_int.c): Don't allow negative values and
make sure random candidate doesn't have bits higher than those in a set
when bits not a multiple of 8.
RSA: support Sha512-224 and Sha512-256.
RSA: Fix check for invalid in decryption. Affects plaintexts 256 bytes
and longer.
RSA: Don't allow base be larger than modulus.
RSA: Check small ciphertext (1 or 0) on decrypt when not using OAEP.
RSA: WOLFSSL_RSA_DECRYPT_TO_0_LEN allows decrypted value to be 0.
SP math all: fix div to handle large a and d when checking size of
remainder.
SP math all: set sign of result in sp_mod_2d()
2022-04-06 15:35:01 +10:00
David Garske 7396a0cb3a Resolves all peer review comments. Fixes to get Curve25519 working on real hardware. Regression testing fixes for ECC. 2021-11-23 15:03:53 -08:00
David Garske 29f051e585 Fixes and cleanups for NXP SE050 support. 2021-10-11 11:53:19 -07:00
Ethan 3f76a76c46 SE050 port with support for RNG, SHA, AES, ECC (sign/verify/shared secret) and ED25519 2021-10-11 11:52:12 -07:00
Sean Parkinson dc19ba2aa7 Memory allocation: fixes from memory usage generation
1. Configuration: If not fast math then don't set ALT_ECC_SIZE when
configuring.
2. ECC KeyShare: Key share entry's key was allocated with type
DYNAMIC_TYPE_PRIVATE_KEY, free with same type.
3. Ed25519: free the SHA-512 temporary object. WOLFSSL_SMALL_STACK_CACHE
builds have dynamicaly allocated data.
4. RSA: Don't keep allocating a new hash object in RsaMGF1 when compiled
with WOLFSSL_SMALL_STACK_CACHE.
2021-07-21 09:54:11 +10:00
Daniel Pouzzner 5e8da2348f ED: add --enable-ed25519-stream and --enable-ed448-stream to configure.ac, disabled by default, and add them to --enable-all and --enable-all-crypto lists, along with --enable-aesgcm-stream; report AES-GCM and ED* streaming API options in feature summary rendered at end;
refactor ED routines to pivot on WOLFSSL_ED*_PERSISTENT_SHA and WOLFSSL_ED*_STREAMING_VERIFY macros, with sha state in the key struct only when WOLFSSL_ED*_PERSISTENT_SHA, otherwise on the stack as before;

add ed*_hash_init() and ed*_hash_free() local helpers;

ED* peer review: fix line lengths, remove superfluous retval checks, tweaks for efficiency, and add ED448_PREHASH_SIZE to ed448.h.
2021-07-16 13:49:47 -05:00
Daniel Pouzzner 9b43e57ccf ED: add streaming API to the ED verify routines: wc_ed*_verify_msg_init(), wc_ed*_verify_msg_update(), wc_ed*_verify_msg_final();
harmonize the ED448 API with the ED25519 API by making wc_ed448_verify_msg_ex() and wc_ed448_init_ex() public functions;

track devId and heap pointer in ed*_key.{devId,heap}, and pass them through to sha init functions;

add ed*_key.{sha,sha_clean_flag}, and ed*_hash_{reset,update,final} functions, and use them for all ED hashing ops, to support streaming API and for optimally efficient reuse for the preexisting ED calls;

add ed448_hash() akin to ed25519_hash(), and use it in place of wc_Shake256Hash(), for .sha_clean_flag dynamics.

add to wc_ed*_import_private_key() the ability to import the combined key generated by wc_ed*_export_private() without supplying the redundant public key;

add macro asserts near top of ed*.h to assure the required hash functions are available;

fix {NO,HAVE}_ED*_{SIGN,VERIFY};

wolfcrypt/test/test.c: add missing key initializations in ed*_test();

wolfcrypt/test/test.c: fix unaligned access in myDecryptionFunc() detected by -fsanitize=address,undefined.
2021-07-16 13:49:47 -05:00
Jacob Barthelmeh ae00b5acd0 some minor changes for unintialized and null infer reports 2021-07-06 14:13:45 +07:00
David Garske 0fc9c33f84 Wire up Ed25519 SHA512 to use devId. 2021-06-16 13:15:06 -07:00
David Garske 15d761a0c2 Added ED25519 and Curve25519 crypto callback support. 2021-06-16 11:49:24 -07:00
David Garske 21060afb80 Fix for building SP math only (small) with key generation. Fix for WOLFSSL_EXTRA. Fix for RSA without PSS. Fix for ed25519 spelling error. 2021-06-03 10:56:54 -07:00
Jacob Barthelmeh c729318ddd update copyright date 2021-03-11 13:42:46 +07:00
kaleb-himes 722961f55c ed25519 and ed448 check sigLen against expected 2020-06-23 17:32:00 -06:00
Sean Parkinson 7a15639927 Add Doxygen documentation for Curve448/Ed448
Update Curve25519/Ed25519 Doxygen documentation too.
Make public key is a public API - check pubKey pointer is not NULL.
2020-06-16 22:16:13 +10:00
Sean Parkinson 411aee6e05 Fixes from cppcheck
Added PRIVATE_D version of rsa private key operation for SP
implementation for specific platforms.
WC_NO_RNG results in warnings when RNG calls don't do anything.
Added ifdef checks for variables not used otherwise.
Remove superfluous if statements like when checking ret == 0.
Change names of globals that are generic and are used locally before
global definition.
Remove definition of variable len that isn't used except as a
replacement for sz which is parameter.
Don't subtract two variables when one has just been assigned the value
of the other.
Fix shifting of signed value.
Fix parameter checking in aes.c and des3.c for platform specific code.
2020-04-08 09:46:22 +10:00
Chris Conlon 45c5a2d39c update copyright to 2020 2020-01-03 15:06:03 -08:00
David Garske 3b6112e317 Fixes for using Keil with single precision math. 2019-09-19 14:34:30 -07:00
Sean Parkinson e1b03aa056 Fix length of buffer to match string length for g++ 2019-06-20 17:01:16 +10:00
Sean Parkinson 9d736898cc Support Ed25519 sign/verify algorithms ctx and ph 2019-04-30 16:57:20 +10:00
John Safranek 246c444b93 Updates for v4.0.0
Update the copyright dates on all the source files to the current year.
2019-03-15 10:37:36 -07:00
Sean Parkinson a364874b48 Implement check for Ed25519 private matching public
Add test SSL test that uses the Ed25519 private key only
2019-03-05 08:19:33 +10:00
Sean Parkinson 6d3e145571 Changes to build with X25519 and Ed25519 only
Allows configurations without RSA, DH and ECC but with Curve25519
algorithms to work with SSL/TLS using X25519 key exchange and Ed25519
certificates.
Fix Ed25519 code to call wc_Sha512Free().
Add certificates to test.h and fix examples to use them.
2018-07-23 10:20:18 +10:00
Sean Parkinson 58f523beba Allow Ed25519 private-only keys to work in TLS
Change Ed25519 in TLS 1.2 to keep a copy of all the messages for
certificate verification - interop with OpenSSL.
2018-05-24 08:43:28 +10:00
Sean Parkinson c457ca462a Only implement and call fe_init when available 2017-12-08 14:16:24 +10:00
Sean Parkinson 3cdf3565c8 Intel ASM code for Curve25519
AVX2 added as well
2017-11-30 12:34:05 +10:00
David Garske 911b6f95f8 Release v3.12.2 (lib 14.0.0). Updated copywright. 2017-10-22 15:58:35 -07:00
David Garske 6707be2b0e Added new --disable-oldnames option to allow for using openssl along-side wolfssl headers (without OPENSSL_EXTRA). Add --enable-opensslcoexist which makes sure oldnames is disabled. Refactor of SSL_ to WOLF_SSL_. Refactor of SHA, MD5, SHA224, SHA256, SHA512 and SHA384 to WC_ naming. 2017-10-11 09:10:42 -07:00
David Garske 3c173ba366 Enhancement to support different sized Curve/Ed math library implementations for FE/GE. Remains backwards compatible with CURVED25519_SMALL define. Adds new defines CURVE25519_SMALL and ED25519_SMALL to allow individual enabling of math library choice (_low_mem or _operations). Example: ./configure --enable-ed25519=small --enable-curve25519. 2017-06-16 09:41:10 -07:00
Sean Parkinson 4beda52dcd Ed25519 Certificates 2017-06-08 09:26:49 +10:00
Jacob Barthelmeh 450ff55d83 fix warnings and errors with FreeBSD PowerPC 2017-04-28 17:57:48 -06:00
David Garske a6b96b17ff Fixes to include path for NXP ksdk_port. Fixes for time USER/OVERRIDES so their #ifdef's are checked first. Fix to initialize LTC via new "ksdk_port_init" function. Cleanup of the ksdk_port.c for formatting, macros, statics and line length. Cleanup of the AES code for key size. Cleanup of the wolfCrypt sha.c for readability. Added support for the KSDK bare metal drivers to the IDE Rowley CrossWorks example. Updated the settings.h to allow for overrides in Freescale section. Updated README with info for using LTC. 2016-12-05 09:01:59 -08:00
David Garske 8e64d564dc NXP/Freescale K8X MMCAU / LTC core support for RSA, ECC, Ed/Curve25519, AES, DSA, DES3, MD5, RNG, SHA and SHA2. 2016-12-05 09:01:59 -08:00
Jacob Barthelmeh e60adfc9da better naming of macro and alter misc.c check 2016-03-29 13:42:40 -06:00
Jacob Barthelmeh 2665db73a4 check for compiling misc.c when not needed 2016-03-28 16:03:15 -06:00
Jacob Barthelmeh e99a5b0483 prepare for release v3.9.0 2016-03-17 16:02:13 -06:00
David Garske a38183b816 Port for Nordic nRF51 RNG, RTC and AES. Added RNG test for wc_RNG_GenerateBlock 0's check even if HAVE_HASHDRBG is enabled. Added NIST test vectors for ECC P-256, P-384 and P-521. Added helpful debug message in ECC import if issue finding ecc_sets[] for curve. Moved memory tracker into separate file and added support for it to wolfcrypt test and benchmark. Added Ed255519/Curve25519 options for granular control of sign, verify, shared secret, import and export. Added AES options for max key size (AES_MAX_KEY_SIZE), no decrypt (NO_AES_DECRYPT) and no CBC (NO_AES_CBC). 2016-03-15 13:58:51 -07:00
Jacob Barthelmeh fea769816c ed25519 verify function return descriptive error value 2015-12-02 15:55:40 -07:00
Chris Conlon 5d40c5f566 Rename RNG to WC_RNG for Freescale, add NO_OLD_RNGNAME define to completely remove RNG type usage 2015-08-07 11:53:19 -06:00
Jacob Barthelmeh 590f3e1ca0 Merge pull request #113 from lfcrypto/wolfssl
add check of ret value
2015-08-06 09:01:12 -07:00
Ludovic FLAMENT d050c10581 add support for curve 25519 and Ed25519 in OpenSSH
refactor curve25519 and Ed25519 code
fix warning in PEM_xxx_mem_xxx functions
2015-08-06 08:51:41 -07:00
toddouska 08959624f2 fix ed25519 with external hash functions 2015-08-03 15:30:07 -07:00
Jacob Barthelmeh e461bc72b8 curve25519 and ed25519 low memory 2015-06-05 15:39:37 -06:00
toddouska 478a8bb059 adjust ./configure format, change ed sign/verify to msg from hash 2015-03-19 12:48:32 -07:00
Jacob Barthelmeh d89d524570 initial ed25519 implementation 2015-03-19 11:40:41 -06:00