wolfssl/wolfcrypt/aes.h: add key_C_fallback[] to struct Aes, and remove comment that "AESNI needs key first, rounds 2nd, not sure why yet" now that AES_128_Key_Expansion_AESNI no longer writes rounds after the expanded key.
wolfcrypt/src/aes.c:
* add _AESNI or _aesni suffixes/infixes to AESNI implementations that were missing them: AES_CBC_encrypt(), AES_CBC_decrypt_by*(), AES_ECB_encrypt(), AES_*_Key_Expansion(), AES_set_encrypt_key(), AES_set_decrypt_key(), AES_GCM_encrypt(), AES_GCM_decrypt(), AES_XTS_encrypt(), and AES_XTS_decrypt().
* move key size check from to start of wc_AesSetKeyLocal().
* refactor pure-C AES setkey and cipher implementations to use aes->key_C_fallback when defined(WC_AES_C_DYNAMIC_FALLBACK).
* refactor wc_AesSetKeyLocal() to set up both AESNI and pure-C expanded keys when defined(WC_AES_C_DYNAMIC_FALLBACK).
* refactor all (haveAESNI && aes->use_aesni) conditions to just (aes->use_aesni).
* add macros VECTOR_REGISTERS_PUSH and VECTOR_REGISTERS_POP, which do nothing but push a brace level when !defined(WC_AES_C_DYNAMIC_FALLBACK), but when defined(WC_AES_C_DYNAMIC_FALLBACK), they call SAVE_VECTOR_REGISTERS2() and on failure, temporarily clear aes->use_aesni and restore at _POP().
* refactor all invocations of SAVE_VECTOR_REGISTERS() and RESTORE_VECTOR_REGISTERS() to VECTOR_REGISTERS_PUSH and VECTOR_REGISTERS_POP, except in wc_AesSetKeyLocal(), wc_AesXtsEncrypt(), and wc_AesXtsDecrypt(), which are refactored to use SAVE_VECTOR_REGISTERS2(), with graceful failure concealment if defined(WC_AES_C_DYNAMIC_FALLBACK).
* orthogonalize cleanup code in wc_AesCbcEncrypt(), wc_AesCcmEncrypt() and wc_AesCcmDecrypt().
* streamline fallthrough software definitions of wc_AesEncryptDirect() and wc_AesDecryptDirect(), and remove special-casing for defined(WOLFSSL_LINUXKM)&&defined(WOLFSSL_AESNI).
wolfcrypt/src/aes_asm.{S,asm}:
* remove errant "movl $10, 240(%rsi)" from AES_128_Key_Expansion_AESNI.
* add _AESNI suffixes/infixes to implementations that needed them.
wolfcrypt/src/{aes_gcm_asm.{S,asm},aes_xts_asm.S}: regenerate from revisions in scripts#357 -- adds _aesni suffixes to implementations that were missing them.
wolfssl/wolfcrypt/types.h: remove DEBUG_VECTOR_REGISTER_ACCESS macros, and add dummy fallthrough definitions for SAVE_VECTOR_REGISTERS2 and WC_DEBUG_SET_VECTOR_REGISTERS_RETVAL.
wolfssl/wolfcrypt/memory.h: adopt DEBUG_VECTOR_REGISTER_ACCESS code from types.h, and add definitions for WC_DEBUG_VECTOR_REGISTERS_RETVAL_INITVAL and WC_DEBUG_SET_VECTOR_REGISTERS_RETVAL.
linuxkm/linuxkm_wc_port.h: add arch-specific macro definitions for SAVE_VECTOR_REGISTERS2().
wolfcrypt/benchmark/benchmark.c: add missing gates around calls to RESTORE_VECTOR_REGISTERS().
configure.ac:
* cover various interdependencies in enable-all/enable-all-crypto, for better behavior in combination with --disable-aesgcm, --disable-ecc, --disable-ocsp, --disable-hmac, --disable-chacha, --disable-ed25519, and --disable-ed448.
* inhibit aesgcm_stream in enable-all/enable-all-crypto when ENABLED_LINUXKM_DEFAULTS, because it is currently incompatible with WC_AES_C_DYNAMIC_FALLBACK.
* add -DWC_AES_C_DYNAMIC_FALLBACK when ENABLED_LINUXKM_DEFAULTS.
* add 3 new interdependency checks: "ECCSI requires ECC.", "SAKKE requires ECC.", "WOLFSSH requires HMAC."
wolfcrypt/src/asn.c: tweak gating to accommodate defined(NO_RSA) && !defined(HAVE_ECC).
wolfcrypt/src/evp.c: tweak gating to accommodate defined(NO_HMAC).
wolfcrypt/src/logging.c: remove DEBUG_VECTOR_REGISTER_ACCESS code (moved to memory.c).
wolfcrypt/src/memory.c: change #include of settings.h to types.h; adopt DEBUG_VECTOR_REGISTER_ACCESS code from logging.c; add implementation of SAVE_VECTOR_REGISTERS2_fuzzer().
wolfcrypt/src/pwdbased.c: add explanatory #error scrypt requires HMAC.
wolfcrypt/test/test.c:
* add DEBUG_VECTOR_REGISTER_ACCESS clauses to aes_xts_128_test(), aesecb_test(), aesctr_test(), aes_test() CBC section, aes256_test() CBC section, and aesgcm_default_test_helper()
* remove duplicate wc_AesEcbDecrypt() in aesecb_test().
* add gating for pbkdf2_test().
* fix cleanup code in dsa_test().
* fix gating in pkcs7authenveloped_run_vectors() to accommodate !defined(HAVE_AESGCM).
* fix gating in cryptocb_test() to accommodate defined(NO_HMAC).
wolfssl/wolfcrypt/cryptocb.h: remove gates around "pk" sub-struct of struct wc_CryptoInfo -- wc_CryptoInfo.pk.type (an int) is used unconditionally when --enable-debug, and is used with DH.
wolfssl/wolfcrypt/error-crypt.h: fix whitespace.
Add implementation of SRTP KDF and SRTCP KDF.
One shot APIs compatible with SP 800-135 and ACVP testing.
Tests added to test.c.
Benchmarking added.
Doxygen added.
AES bitsliced implementation that is cache attack safe.
Configure with:
--enable-aes-bitslice
or define:
WC_AES_BITSLICE
HAVE_AES_ECB
HAVE_AES_DIRECT
Very slow for CBC, CFB, OFB and any mode that uses a previous encrypt
block to calculate current.
CTR, GCM, XTS can parallelize the data and be much faster.
Added AES-ECB test to test.c.
Optimised assembly of AES-XTS for Aarch64 and ARM32 using hardware
crypto instructions.
Aarch64 has loop unrolling.
Update aes.c to not have AES-XTS implementation when assembly
compilable.
Update test of AES-XTS to check expected cipher text of partial block
encryption.
Add support for compiling ASM for Thumb2
Add Curve25519 ASM for Thumb2
Limit assembly code compiled when Ed25519 not required.
Rework all assembly implementations to replace ge_*() functions instead
of having fe_ge_*() versions that take many parameters.
Get ARM32 inline asm working.
tweak several #includes of settings.h to include types.h instead (all of these are for clarity, as types.h is indirectly included by later #includes), and add #include <wolfssl/wolfcrypt/types.h> where missing;
remove trailing semicolons from PRAGMA*() macro invocations as they are unneeded and can be harmful (inducing frivolous -Wdeclaration-after-statement etc.).
Address PR comments + other cleanup
Addressing PR comments
Minor change
Make sure the last line gets output as well
Add in ARIA SHA256 session to internal structure
Add in ARIA SHA384 session to internal structure
Add necessary function for ARIA to extract key
Fix unit tests
Rename HAVE_ARIAGCM to HAVE_ARIA
Move aria.* to wolfcrypt/port/aria
Separate out aria-crypt init functions
Adding in ECC+SHA callbacks
Avoid using AC_CHECK_FILE
Rename Aria to wc_Aria
Don't need special cases
Addressing PR comments
Code cleanup
C89 support
Remove TODO
Add documentation about buffer size
Clean up header files
Use ARIA_DEVID by default if available
Dummy update call to make MagicCrypto happy
Fix for detecting what algo type to use
Documentation
Use the appropriate sign/verify
Collect MagicCrypto functions together (and avoid leaks)
Fall back on other implementations on failure
Fix issue when compiling without CRYPTOCB
Addressing PR comments
Better cleanup
Addressing PR comments
Cleaner exit in case of error
Add support for:
- SM2 elliptic curve and SM2 sign/verify
- SM3 digest
- SM4 cipher with modes ECB/CBC/CTR/GCM/CCM
Add APIs for SM3 and SM4.
Add SM2 sign and verify APIs.
Add support for SM3 in wc_Hash and wc_Hmac API.
Add support for SM3 and SM4 through EVP layer.
Add support for SM2-SM3 certificates. Support key ID and name hash being
with SHA-1/256 or SM3.
Add support for TLS 1.3 cipher suites: TLS-SM4-GCM-SM3, TLS-SM4-CCM-SM3
Add support for TLS 1.2 SM cipher suite: ECDHE-ECDSA-SM4-CBC-SM3
Add support for SM3 in wc_PRF_TLS.
Add SM2-SM3 certificates and keys. Generated with GmSSL-3.0.0 and
OpenSSL.
Fix: ./configure --disable-shared --enable-smallstack --enable-all
CFLAGS=-DNO_ASN_TIME
Don't compile mp_test when compiling for SP Math All and RSA
verification only - very few functions available.
ssl.c:
wolfSSL_Rehandshake(): wolfSSL_UseSessionTicket only available when
not NO_WOLFSSL_CLIENT
api.c:
test_wolfSSL_ticket_keys(): meant to be tested on server
* set dev ID with signature check
* refactor devId use and add API to set devId in WOLFSSL_CERT_MANAGER structure
* add api.c call to set devid with WOLFSSL_CERT_MANAGER
* resolving devID CRL issue and CM pointer
* add device find callback
* add simple test case
- Add CONFIG_PTHREAD_IPC when using threads
- Add logging config suggestions
- test.c: fix undefined `ret` error
- Increase stack size for samples
- Ignore ASN_BEFORE_DATE_E in examples
- wc_port.h: add missing posix thread includes
- wc_port.h: move definitions to relevant section
- benchmark.c: fix missing `arc` and `argv` errors
- benchmark.c: fflush does not work on stdout in Zephyr
- Update z_fs_open implementation to support flags
Fix checking of negative with unsigned variables.
Check digestSz for 0 in wc_SSH_KDF() so that no possibility of dividing
by zero.
Change XMEMCPY to XMEMSET in renesas_sce_util.c.
Fix test.c to free prvTmp and pubTmp on read error.
Remove unused variables.
XFREE checks for NULL so don't check before call.
Move variable declarations to reduce scope.
* Add introspection for math build.
* Raise build error if more than one multi-precision math library used.
* Fix ESP32 to support using any multi-precision math option.
* Refactor math headers to use `wolfmath.h`
* Refactor of the opaque math variable type `MATH_INT_T` used by crypto hardware (QuickAssist, SE050, ESP32 and STM32).
* Cleanups for building with `WOLFCRYPT_ONLY` and `NO_BIG_INT`.
* Stop forcing use of fast math by default for platforms in settings.h. Note: For users that still want to use fast math (tfm.c) they will need to add USE_FAST_MATH to their build settings.
Applies To:
```
WOLFSSL_ESPWROOM32
WOLFSSL_ESPWROOM32SE
MICROCHIP_PIC32
WOLFSSL_PICOTCP_DEMO
WOLFSSL_UTASKER
WOLFSSL_NRF5x
FREERTOS_TCP
WOLFSSL_TIRTOS
EBSNET
FREESCALE_COMMON
FREESCALE_KSDK_BM
WOLFSSL_DEOS
MICRIUM
WOLFSSL_SGX
```
* wolfcrypt/test/test.{c,h}: refactor to capture and encode error retvals using WC_TEST_RET_*() macros (based on line numbers), and print line and return code in err_sys().
* wolfcrypt/test/test.h: cast back to int in WC_TEST_RET_ENC(), to fix MSVC warning.
* configure.ac: add shake128 and shake256 to enable-all and enable-all-crypto;
* wolfcrypt/benchmark/benchmark.c: fix gating for bench_shake128() from !defined(WOLFSSL_NO_SHAKE128) to defined(WOLFSSL_SHAKE128).
* wolfcrypt/test/test.h: add WC_TEST_RET_TAG_* and WC_TEST_RET_DEC_TAG(), and refactor WC_TEST_RET_{ENC,DEC}_*() macros to implement the tag mechanism;
* add render_error_message() with tag-specific rendering of error strings;
* wolfcrypt/test/test.c: smallstack refactor of shake128_test() and shake128_absorb_test();
* wolfcrypt/test/test.c: change gating around mp_test() and related routines from defined(HAVE_VALGRIND) to defined(WOLFSSL_PUBLIC_MP);
* smallstack refactor of mp_test();
* refactor a slew of WC_TEST_RET_ENC_NC associated with XFOPEN/XFREAD to be WC_TEST_RET_ENC_ERRNO, and add error detection for XFREAD (previously silently tolerating zero retvals).
* wolfcrypt/test/test.c: build mp_test() only if WOLFSSL_SP_MATH_ALL or USE_FAST_MATH (in addition to WOLFSSL_PUBLIC_MP), because many general purpose functions such as sp_mulmod() are gated out in SP builds without WOLFSSL_SP_MATH_ALL.
* wolfcrypt/test/test.c: fix array bounds flubs in shake128_test();
* don't print_fiducials() in wolfcrypt_test() header, but rather, after render_error_message() in err_sys().
* wolfcrypt/test/test.{c,h}: wrap some overlong lines, and fix an unused-variable warning in mp_test_set_is_bit().
* wolfcrypt/test/test.c: fixes for several misplaced and several missing WC_TEST_RET_ENC_EC()s.
* set the client state correctly when wc_ecc_ctx_set_kdf_salt is called
* add test that covers wc_ecc_ctx_set_kdf_salt
* use shared key and smallstack to reduce test stack usage
used and size have no reason to be negative - change type.
Change code to match unsigned change. Mostly change variables to be
unsigned where possible.
integer.c: Only have mp_rand_prime available when needed and
mp_prime_is_prime_ex is available.
Fixes from regression testing.
fix file descriptor leaks in AF_ALG code, and fix return codes (WC_AFALG_SOCK_E, not -1) in afalg_aes.c;
fixes for sanitizer-detected forbidden null pointer args in AfalgHashUpdate() and AfalgHashCopy();
fixes for resource leaks in api.c test_wolfSSL_AES_cbc_encrypt() (missing wc_AesFree()s);
fixes for resource leaks in test.c openssl_test() (missing wolfSSL_EVP_CIPHER_CTX_cleanup());
also some local fixes for bugprone-signed-char-misuse, readability-redundant-preprocessor, and clang-diagnostic-strict-prototypes, in src/pk.c and src/ssl.c.
* Fix for STM32 Hash peripherals (like on F437) with FIFO depth = 1.
* Cleanups for `XREALLOC` and new `WOLFSSL_NO_REALLOC` to force undef of `XREALLOC`.
* Change STM32 Cube to default to `NO_TLS_UART_TEST`.
mp_to_unsigned_len checks length and front pads with zeros.
Return MP_VAL when length is too small in all implemenations.
Make TFM implementation check length.
Add test case.
* Fixed `PEM_BUFSIZE` macro redefined when building with coexist.
* Updated the `user_settings_all.h` and `user_settings_wolfboot_keytools.h` to include latest options.
* Improved API unit test error case checking where `TEST_RES_CHECK` is not used.
* Changed `TEST_SKIPPED` to unique value.
* Added CI tests for enable-all, small stack, and user setting templates.
Enabling SP with ASM didn't enable SP or error out when SP wasn't
configured. Now enables SP when '' and errors when 'no'.
SAKKE modinv used large amounts of stack. Change to have more temporary
memory allocated increased to cover the usage.
ECC, SAKKE: sp_<bits>_ecc_mulmod_<cpu><words>() used large amounts of
stack. Allocate when WOLFSSL_SMALL_STACK.
wc_DhCheckKeyPair() not available when HAVE_SELFTEST.
Wasn't compiled in before as WOLFSSL_HAVE_SP_DH wasn't defined.
Make sp_rshd not available when WOLFSSL_SP_MATH in header.
sp_rshd is not required by any wolfCrypt code.
Fix sp_rshd comment on #endif
Make sp_div publicly available in some WOLFSSL_SP_MATH builds.
Delare sp_div for some WOLFSSL_SP_MATH builds.
Fix test.c to compile with WOLFSL_SP_MATH and HAVE_VALGRIND.
Tidy up Espressif ESP32 test and benchmark examples:
* add VisualGDB project and solution files for server and client
* "hardware in use revert to software" is now verbose level message
* Remove (void) TAG; - not needed to appease compiler
* include esp_log.h lib with defined(WOLFSSL_ESPIDF)
* large ESP32 default stack size
* check for max number of arguments assembled into array
* cleanup & comments per code review
* wolfssl_test VisualGDB updates
* Espressif wolfssl_test default stack 55,000 bytes
1. Add a flag to the DH test to indicate that the second key is initted.
2. Add a flag to the DH test to indicate that the RNG is initted.
Fixes an issue where the DH wolfCrypt test can crash or lock up when
the DH parameters file is missing. Localized to the test only.
Added new x86 assembly for AES.
AES-CBC decrypt only 4 blocks at a time (not 6 or 8) due to reduces
register count.
GCM implementation for AVX2, AVX1 and AESNI only.
Disabled looking for other assembly files for x86.
* add Versal specific glue
The same structure of an "XSecure client" is used throughout the API's,
therefor define it once and re-use in all clients.
* integrate Versal AES-GCM engine
* integrate Versal SHA3-384 engine
* add versal support to tests
- There's no intermediate-hash API for Versal.
* add specific test with large AAD
Test only with `n*16 byte` wide chunks of AAD, so it gets processed in the
hardware engine.
* add specific test with misaligned AES-GCM arguments
* integrate Versal RSA engine
* disable failing RSA test-case when Xilinx Crypto is enabled
* introduce define `WOLFSSL_XILINX_CRYPT_VERSAL`
* integrate Versal TRNG engine
* allow using Versal TRNG w/o wolfcrypt DRBG
Versal TRNG already provides a HRNG mode which does the same as the
wolfcrypt DRBG implementation.
* add support for user-supplied nonce to Versal TRNG
* add `wc_XsecureErrorToString()` to map PLM error codes to messages.
* integrate Versal EcDSA engine
* update tests to work with Versal EcDSA
If deterministic K is enabled, the tests failed here since the Versal
EcDSA engine doesn't support the SECP256R1 curve yet.
* Xilinx crypto engines like aligned memory very much
Make this a default choice, not via the user configuration.
* add Xilinx-specific `WOLFSSL_MSG()` equivalent
`WOLFSSL_XIL_MSG()` does the same as `WOLFSSL_MSG()` besides waiting for
1 second before printing to stdout, since the PLM maybe prints to same and
outputs would be mixed up.
This waiting can be disabled by defining `WOLFSSL_XIL_MSG_NO_SLEEP`.
* add option to enable DPA CounterMeasures in AES-GCM crypto engine
* add "command mode" to Xilinx bare-metal example
* update Xilinx default user settings
* add script to execute benchmarks
* add scripts to create graphics
* add Vitis 2022.1 example projects
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
* fix compilation warning
* adjust SHA3-384 test error-codes
The way the codes were constructed before, they were not unique.
* unify code
Instead of having `ifdef`'s in the code, define our own wrapper around
the keysource as required.
* add CMake option for help-text in wolfCrypt tests
* expose test `main()` as `wolfcrypt_test_main()`
* Don't overwrite previously set errors
* add FreeRTOS support for Xilinx demo
* move `fp_reverse` from `tfm.c` to `wolfmath.c` and rename to
`mp_reverse`.
Signed-off-by: Steffen Jaeckel <jaeckel-floss@eyet-services.de>
Add x86_64 assembly code:
- BMI2
- AVX2 (using ymm, slower than BMI2)
- AVX2 of 4 similtaneous hashes
Add SHAKE128 functions and tests.
Add Absorb and Squeeze functions for SHAKE128 and SHAK256 and tests.
Add doxygen for SHA-3 and SHAKE functions.
Update other generated x86_64 assembly files to include settings.h.
P-256/384/521.
New functions:
- sp_ecc_make_key_256_nb
- sp_ecc_make_key_384_nb
- sp_ecc_make_key_521_nb
- sp_ecc_secret_gen_256_nb
- sp_ecc_secret_gen_384_nb
- sp_ecc_secret_gen_521_nb
This commit also tweaks the testing for ECDSA testing in test.c. Instead of
testing with one of P-256/384/521, we test with all that are available.
Fix handling of counter to support incrementing across all bytes in
ARM32 crypto asm.
Added test cases for wrapping of counter when 2 blocks are being
encrypted to check assembly alternative path.
Fix handling of counter to support incrementing across all bytes in ARM
crypto asm.
Added test cases for wrapping of counter.
Extracted ARM ASM for AES-CTR.
Use ASM to created encrypted temporary block.
* PSA: set AES key bits, define PSA_ALG_NONE/PSA_KEY_ID_NULL if needed
* Zephyr: add TimeNowInMilliseconds() for tls13.c, clock_settime() for test.c, update CMakeLists.txt
* Skip including unistd.h for Zephyr in benchmark.c
* Zephyr: update README, add nRF5340dk support to wolfssl_test sample app
* Zephyr: add wolfCrypt benchmark sample app
* Zephyr: add nRF5340 support to tls_thread sample app
* PSA: use specific hash algo with psa_sign/verify_hash()
* Zephyr: add support for PSA Crypto API with PK callbacks to wolfssl_tls_threaded sample app
* Zephyr: add new files to zephyr/include.am
added numerous missing _SMALL_STACK code paths (PK objects on the stack);
in settings.h, enable WOLFSSL_SMALL_STACK_STATIC by default when WOLFSSL_SMALL_STACK is defined (NO_WOLFSSL_SMALL_STACK_STATIC to override);
fixes for unsafe strcat()s in tests/quic.c;
fix for unsafe macro WOLFSSL_IS_QUIC();
fix to exclude quic from enable-all when enable-linuxkm (quic needs opensslextra, and opensslextra currently only works in-kernel in cryptonly builds);
fix for signed/unsigned clash in wolfSSL_quic_receive().
add wolfCrypt error codes IO_FAILED_E "Input/output failure" and SYSLIB_FAILED_E "System/library call failed";
tests/api.c and tests/unit.c: flush stdout for error message in Fail() macro, add fflush(stdout) after printf()s, print success message at end of unit_test(), and send several error messages to stderr instead of stdout;
wolfcrypt/test/test.c: add fallthrough macro definition of printf() that pairs it with fflush(stdout);
unit.h: in definition of macro AssertPtr(), add PRAGMA_GCC("GCC diagnostic ignored \"-Wpedantic\"");
sp_int.c: refactor several lingering instances of "if (0) { ... }" code pattern to #if 0 ... #endif.
In defense against attack, assume the imported public key is not trusted
and check it matches the private key if set.
Added APIs that allow application to explicitly trust public key.
Original APIs default to not trusting public key.
fasthugemath means turn on fastmath
Use sp_int_digit and not sp_digit in sp_int.c.
test.c needs to use large static buffer when SP Math used like fastmath.
When building static memroy, SP math all without WOLFSSL_SP_NO_MALLOC is
a valid configuration.
Fix freeing of bigint in sp_int.c.
Cast x to a signed value to negate and then back to unsigned. (For
Windows builds.)
Remove warning about empty file on Windows about integer.obj.
Allow RSA verify only and RSA public only to be used with other public
key algorithms.
If building for FIPS, then older versions of RSA and ECC require SP Math
to support negative numbers.
Get old FIPS files building with SP int.
Disallow --enable-sp-math and --enable-sp-math-all.
When just --enable-sp-math on configuration line then disable SP Math
all.
JacobBarthelmeh
Sean Parkinson
jordan
Daniel Pouzzner
gojimmypi
David Garske
Lealem Amedie
Chris Conlon
Hideki Miyazaki
Brett Nicholas
John Safranek
Andras Fekete
billphipps
Dimitri Papadopoulos
dell5060
Juliusz Sosinowicz
Eric Blankenhorn
kaleb-himes
John Bland
Kareem
Anthony Tatowicz
Anthony Hu
Stefan Eissing
Hayden Roche
Steffen Jaeckel