From c38f11b9a726f867721ee711f2a9e88fc8bd654c Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Tue, 16 Jun 2026 00:12:54 -0500 Subject: [PATCH 01/22] fixes for false positives on linuxkm CONFIG_FORTIFY_SOURCE builds on gcc-16: linuxkm/linuxkm_memory.c: use packed-struct intermediates rather than memcpy()s for wc_get_unaligned() and wc_put_unaligned(). linuxkm/linuxkm_wc_port.h: on old FIPS, retrofit nonnull attribute to GHASH() arg 1, so that it unconditionally writes out the hash. wolfcrypt/src/aes.c and wolfssl/wolfcrypt/aes.h: in GHASH(), add nonnull attribute to arg 1, and remove runtime nullness check for arg 1 in the implementations. --- linuxkm/linuxkm_memory.c | 7 +++++-- linuxkm/linuxkm_wc_port.h | 19 +++++++++++++++++++ wolfcrypt/src/aes.c | 20 -------------------- wolfssl/wolfcrypt/aes.h | 5 +++-- 4 files changed, 27 insertions(+), 24 deletions(-) diff --git a/linuxkm/linuxkm_memory.c b/linuxkm/linuxkm_memory.c index 32aa241404a..0b0861d1b03 100644 --- a/linuxkm/linuxkm_memory.c +++ b/linuxkm/linuxkm_memory.c @@ -122,8 +122,11 @@ static inline long find_reloc_tab_offset( * build and target host, but if we were, these macros would byte swap. * Currently, we detect and fail early on endianness conflicts. */ -#define wc_get_unaligned(v) ({ typeof(*(v)) _v_aligned; XMEMCPY((void *)&_v_aligned, (void *)(v), sizeof _v_aligned); _v_aligned; }) -#define wc_put_unaligned(v, v_out) do { typeof(v) _v = (v); XMEMCPY((void *)(v_out), (void *)&_v, sizeof(typeof(*(v_out)))); } while (0) +#define wc_get_unaligned(v) (((const struct __attribute__((packed)) { typeof(*(v)) x; } *)(v))->x) +#define wc_put_unaligned(v, v_out) do { \ + struct __attribute__((packed)) { typeof(*(v_out)) x; } *_pptr = (typeof(_pptr))(v_out); \ + _pptr->x = (v); \ +} while (0) ssize_t wc_reloc_normalize_segment( const byte *seg_in, diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 2a47722ad02..80e49da632d 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -784,6 +784,25 @@ _Pragma("GCC diagnostic pop"); + #if defined(HAVE_FIPS) && FIPS_VERSION3_LT(7,0,0) && !defined(NO_AES) + /* with CONFIG_FORTIFY_SOURCE we've seen false positive + * maybe-uninitialized on counter in AES_GCM_encrypt_C(). This is easy + * to mitigate with a grafted-on attribute. + */ + #if FIPS_VERSION3_LT(6,0,0) + struct Aes; + WOLFSSL_LOCAL void __attribute__((nonnull(1))) GHASH(struct Aes *aes, const unsigned char* a, + unsigned int aSz, const unsigned char* c, + unsigned int cSz, unsigned char* s, unsigned int sSz); + #else + struct Gcm; + WOLFSSL_LOCAL void __attribute__((nonnull(1))) GHASH(struct Gcm *gcm, const unsigned char* a, + unsigned int aSz, const unsigned char* c, + unsigned int cSz, unsigned char* s, unsigned int sSz); + #endif + _Pragma("GCC diagnostic ignored \"-Wnonnull-compare\""); + #endif + /* avoid -Wpointer-arith, encountered when -DCONFIG_FORTIFY_SOURCE */ #undef __is_constexpr #define __is_constexpr(x) __builtin_constant_p(x) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 62b7d8ab841..a6d1e29eab0 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -8476,10 +8476,6 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 blocks, partial; byte* h; - if (gcm == NULL) { - return; - } - h = gcm->H; XMEMSET(x, 0, WC_AES_BLOCK_SIZE); @@ -8811,10 +8807,6 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, byte scratch[WC_AES_BLOCK_SIZE]; word32 blocks, partial; - if (gcm == NULL) { - return; - } - XMEMSET(x, 0, WC_AES_BLOCK_SIZE); /* Hash in A, the Additional Authentication Data */ @@ -9303,10 +9295,6 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, byte scratch[WC_AES_BLOCK_SIZE]; word32 blocks, partial; - if (gcm == NULL) { - return; - } - XMEMSET(x, 0, WC_AES_BLOCK_SIZE); /* Hash in A, the Additional Authentication Data */ @@ -9459,10 +9447,6 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 blocks, partial; word64 bigH[2]; - if (gcm == NULL) { - return; - } - XMEMCPY(bigH, gcm->H, WC_AES_BLOCK_SIZE); #ifdef LITTLE_ENDIAN_ORDER ByteReverseWords64(bigH, bigH, WC_AES_BLOCK_SIZE); @@ -9776,10 +9760,6 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 blocks, partial; word32 bigH[4]; - if (gcm == NULL) { - return; - } - XMEMCPY(bigH, gcm->H, WC_AES_BLOCK_SIZE); #ifdef LITTLE_ENDIAN_ORDER ByteReverseWords(bigH, bigH, WC_AES_BLOCK_SIZE); diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index e3d7637470d..2271636f942 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -70,8 +70,9 @@ WOLFSSL_LOCAL void GenerateM0(Gcm* gcm); !defined(WOLFSSL_ARMASM_NO_HW_CRYPTO) WOLFSSL_LOCAL void GMULT(byte* X, byte* Y); #endif -WOLFSSL_LOCAL void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, - word32 cSz, byte* s, word32 sSz); +WOLFSSL_LOCAL void WC_ARG_NOT_NULL(1) GHASH(Gcm* gcm, const byte* a, + word32 aSz, const byte* c, + word32 cSz, byte* s, word32 sSz); #endif #ifndef NO_AES From d4eaeb1b2e9144b78d0a83b24dcb0adea87a7934 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Tue, 16 Jun 2026 12:19:57 -0500 Subject: [PATCH 02/22] linuxkm/lkcapi_sha_glue.c: refactor error code handling in wc_linuxkm_drbg_generate() (followup to 3c9996efe0 in #10688). --- linuxkm/lkcapi_sha_glue.c | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/linuxkm/lkcapi_sha_glue.c b/linuxkm/lkcapi_sha_glue.c index 2711f81f1e7..68a61d90689 100644 --- a/linuxkm/lkcapi_sha_glue.c +++ b/linuxkm/lkcapi_sha_glue.c @@ -1231,15 +1231,11 @@ static int wc_linuxkm_drbg_generate(struct wc_rng_bank *ctx, continue; if (unlikely(ret == WC_NO_ERR_TRACE(RNG_FAILURE_E))) { - if (slen > 0) { - ret = -EINVAL; + if (slen > 0) break; - } - if (retried) { - ret = -EINVAL; + if (retried) break; - } retried = 1; ret = wc_rng_bank_inst_reinit(ctx, @@ -1248,20 +1244,21 @@ static int wc_linuxkm_drbg_generate(struct wc_rng_bank *ctx, WC_RNG_BANK_FLAG_CAN_WAIT); if (ret == 0) { - pr_warn("WARNING: reinitialized DRBG #%d after RNG_FAILURE_E from wc_RNG_GenerateBlock().\n", raw_smp_processor_id()); + pr_warn_ratelimited("WARNING: reinitialized DRBG #%d after RNG_FAILURE_E from wc_RNG_GenerateBlock().\n", raw_smp_processor_id()); continue; } else { - pr_warn_once("ERROR: reinitialization of DRBG #%d after RNG_FAILURE_E failed with ret %d.\n", raw_smp_processor_id(), ret); - ret = -EINVAL; + pr_err_ratelimited("ERROR: reinitialization of DRBG #%d after RNG_FAILURE_E failed with ret %d.\n", raw_smp_processor_id(), ret); break; } } - else { - pr_warn_once("ERROR: wc_linuxkm_drbg_generate() wc_RNG_GenerateBlock returned %d.\n",ret); - ret = -EINVAL; + else break; - } + } + + if (ret != 0) { + pr_err_ratelimited("ERROR: wc_linuxkm_drbg_generate() failing on wolfCrypt code %d.\n",ret); + ret = -EINVAL; } out: From 479a6851997a937c2a11585c0a3466d42e077713 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:03:42 -0500 Subject: [PATCH 03/22] wolfcrypt/src/aes.c: fix performance regressions on GMAC and AES-CFB decrypt: * add WC_VAES_MIN_BLOCKS, WC_VAES_ECB_MIN_BLOCKS, and WC_VAES_GCM_MIN_BLOCKS, and check against them before using AVX512/VAES implementations. * in AesCfbDecrypt_C(), enlarge the tmp[] buffer and parameterize its size with newly added WC_AES_CFB_DEC_BUF_BLOCKS. --- wolfcrypt/src/aes.c | 133 ++++++++++++++++++++++++++++++++------------ 1 file changed, 98 insertions(+), 35 deletions(-) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index a6d1e29eab0..608a35e11fb 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -827,6 +827,30 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits #if !defined(NO_AVX512_SUPPORT) && !defined(HAVE_INTEL_AVX512) #define HAVE_INTEL_AVX512 #endif + + /* Below this threshold the narrower path (AVX1 / AES-NI) is faster on + * Zen 4 than the wide VAES/AVX512 path. Verify and tune + * per-microarchecture. + */ + #ifndef WC_VAES_MIN_BLOCKS + #define WC_VAES_MIN_BLOCKS 8 + #elif WC_VAES_MIN_BLOCKS < 1 + #error Invalid WC_VAES_MIN_BLOCKS + #endif + /* CFB/ECB: wide ECB setup (key broadcast) doesn't pay off below this. */ + #ifndef WC_VAES_ECB_MIN_BLOCKS + #define WC_VAES_ECB_MIN_BLOCKS WC_VAES_MIN_BLOCKS + #elif WC_VAES_ECB_MIN_BLOCKS < 1 + #error Invalid WC_VAES_ECB_MIN_BLOCKS + #endif + /* GCM one-shot: AVX2 faster than wide below this (layout/setup, not + * amortization); pure GMAC (sz==0) routes to AVX2 by construction. + */ + #ifndef WC_VAES_GCM_MIN_BLOCKS + #define WC_VAES_GCM_MIN_BLOCKS WC_VAES_MIN_BLOCKS + #elif WC_VAES_GCM_MIN_BLOCKS < 1 + #error Invalid WC_VAES_GCM_MIN_BLOCKS + #endif #endif void AES_CTR_encrypt_AESNI(const unsigned char* in, unsigned char* out, @@ -885,13 +909,15 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits unsigned char* out, word32 sz, const unsigned char* key, int nr) { #ifdef HAVE_INTEL_AVX512 - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_ECB_MIN_BLOCKS) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_ECB_encrypt_avx512(in, out, sz, key, nr); } else #endif #ifdef HAVE_INTEL_VAES - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_ECB_MIN_BLOCKS) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_ECB_encrypt_vaes(in, out, sz, key, nr); } else @@ -912,13 +938,15 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits unsigned char* out, word32 sz, const unsigned char* key, int nr) { #ifdef HAVE_INTEL_AVX512 - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_ECB_MIN_BLOCKS) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_ECB_decrypt_avx512(in, out, sz, key, nr); } else #endif #ifdef HAVE_INTEL_VAES - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_ECB_MIN_BLOCKS) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_ECB_decrypt_vaes(in, out, sz, key, nr); } else @@ -941,13 +969,15 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits const unsigned char* key, int nr) { #ifdef HAVE_INTEL_AVX512 - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_ECB_MIN_BLOCKS) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_CBC_encrypt_avx512(in, out, iv, sz, key, nr); } else #endif #ifdef HAVE_INTEL_VAES - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_ECB_MIN_BLOCKS) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_CBC_encrypt_vaes(in, out, iv, sz, key, nr); } else @@ -970,13 +1000,15 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits const unsigned char* key, int nr) { #ifdef HAVE_INTEL_AVX512 - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_ECB_MIN_BLOCKS) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_CBC_decrypt_avx512(in, out, iv, sz, key, nr); } else #endif #ifdef HAVE_INTEL_VAES - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_ECB_MIN_BLOCKS) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_CBC_decrypt_vaes(in, out, iv, sz, key, nr); } else @@ -998,13 +1030,15 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits unsigned char* ctr) { #ifdef HAVE_INTEL_AVX512 - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_ECB_MIN_BLOCKS) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_CTR_encrypt_avx512(in, out, sz, key, nr, ctr); } else #endif #ifdef HAVE_INTEL_VAES - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_ECB_MIN_BLOCKS) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_CTR_encrypt_vaes(in, out, sz, key, nr, ctr); } else @@ -10817,7 +10851,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, #ifdef WOLFSSL_AESNI if (aes->use_aesni) { #ifdef HAVE_INTEL_AVX512 - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_GCM_MIN_BLOCKS) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_GCM_encrypt_avx512(in, out, authIn, iv, authTag, sz, authInSz, ivSz, authTagSz, (const byte*)aes->key, (int)aes->rounds); ret = 0; @@ -10825,7 +10860,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, else #endif #ifdef HAVE_INTEL_VAES - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_GCM_MIN_BLOCKS) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_GCM_encrypt_vaes(in, out, authIn, iv, authTag, sz, authInSz, ivSz, authTagSz, (const byte*)aes->key, (int)aes->rounds); ret = 0; @@ -11591,7 +11627,8 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, #ifdef WOLFSSL_AESNI if (aes->use_aesni) { #ifdef HAVE_INTEL_AVX512 - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_GCM_MIN_BLOCKS) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_GCM_decrypt_avx512(in, out, authIn, iv, authTag, sz, authInSz, ivSz, authTagSz, (byte*)aes->key, (int)aes->rounds, &res); if (res == 0) @@ -11602,7 +11639,8 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, else #endif #ifdef HAVE_INTEL_VAES - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_AES_BLOCK_SIZE * WC_VAES_GCM_MIN_BLOCKS) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_GCM_decrypt_vaes(in, out, authIn, iv, authTag, sz, authInSz, ivSz, authTagSz, (byte*)aes->key, (int)aes->rounds, &res); if (res == 0) @@ -12074,14 +12112,16 @@ static WARN_UNUSED_RESULT int AesGcmAadUpdate_aesni( if (blocks > 0) { /* GHASH full blocks now. */ #ifdef HAVE_INTEL_AVX512 - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((blocks >= WC_VAES_GCM_MIN_BLOCKS) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_GCM_aad_update_avx512(a, blocks * WC_AES_BLOCK_SIZE, AES_TAG(aes), aes->gcm.H); } else #endif #ifdef HAVE_INTEL_VAES - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((blocks >= WC_VAES_GCM_MIN_BLOCKS) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_GCM_aad_update_vaes(a, blocks * WC_AES_BLOCK_SIZE, AES_TAG(aes), aes->gcm.H); } @@ -12248,7 +12288,8 @@ static WARN_UNUSED_RESULT int AesGcmEncryptUpdate_aesni( if (blocks > 0) { /* Encrypt and GHASH full blocks now. */ #ifdef HAVE_INTEL_AVX512 - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((blocks >= WC_VAES_GCM_MIN_BLOCKS) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_GCM_encrypt_update_avx512((byte*)aes->key, (int)aes->rounds, c, p, blocks * WC_AES_BLOCK_SIZE, AES_TAG(aes), aes->gcm.H, AES_COUNTER(aes)); @@ -12256,7 +12297,8 @@ static WARN_UNUSED_RESULT int AesGcmEncryptUpdate_aesni( else #endif #ifdef HAVE_INTEL_VAES - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((blocks >= WC_VAES_GCM_MIN_BLOCKS) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_GCM_encrypt_update_vaes((byte*)aes->key, (int)aes->rounds, c, p, blocks * WC_AES_BLOCK_SIZE, AES_TAG(aes), aes->gcm.H, AES_COUNTER(aes)); @@ -12573,7 +12615,8 @@ static WARN_UNUSED_RESULT int AesGcmDecryptUpdate_aesni( if (blocks > 0) { /* Decrypt and GHASH full blocks now. */ #ifdef HAVE_INTEL_AVX512 - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((blocks >= WC_VAES_GCM_MIN_BLOCKS) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_GCM_decrypt_update_avx512((byte*)aes->key, (int)aes->rounds, p, c, blocks * WC_AES_BLOCK_SIZE, AES_TAG(aes), aes->gcm.H, AES_COUNTER(aes)); @@ -12581,7 +12624,8 @@ static WARN_UNUSED_RESULT int AesGcmDecryptUpdate_aesni( else #endif #ifdef HAVE_INTEL_VAES - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((blocks >= WC_VAES_GCM_MIN_BLOCKS) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_GCM_decrypt_update_vaes((byte*)aes->key, (int)aes->rounds, p, c, blocks * WC_AES_BLOCK_SIZE, AES_TAG(aes), aes->gcm.H, AES_COUNTER(aes)); @@ -13866,6 +13910,9 @@ int wc_GmacSetKey(Gmac* gmac, const byte* key, word32 len) } +/* Note, wc_GmacUpdate() is not a streaming API, it's a one-shot calculation of + * the authTag. + */ int wc_GmacUpdate(Gmac* gmac, const byte* iv, word32 ivSz, const byte* authIn, word32 authInSz, byte* authTag, word32 authTagSz) @@ -15426,19 +15473,29 @@ static WARN_UNUSED_RESULT int AesCfbDecrypt_C(Aes* aes, byte* out, !defined(WOLFSSL_PIC32MZ_CRYPT) && \ (defined(USE_INTEL_SPEEDUP) || defined(WOLFSSL_ARMASM)) { - ALIGN16 byte tmp[4 * WC_AES_BLOCK_SIZE]; - while (sz >= 4 * WC_AES_BLOCK_SIZE) { + #ifndef WC_AES_CFB_DEC_BUF_BLOCKS + #define WC_AES_CFB_DEC_BUF_BLOCKS 32 + #elif WC_AES_CFB_DEC_BUF_BLOCKS < 2 + #error Invalid WC_AES_CFB_DEC_BUF_BLOCKS + #endif + ALIGN16 byte tmp[WC_AES_CFB_DEC_BUF_BLOCKS * WC_AES_BLOCK_SIZE]; + while (sz >= 2 * WC_AES_BLOCK_SIZE) { + word32 blocks = sz / WC_AES_BLOCK_SIZE; + word32 nbytes; + if (blocks > WC_AES_CFB_DEC_BUF_BLOCKS) + blocks = WC_AES_CFB_DEC_BUF_BLOCKS; + nbytes = blocks * WC_AES_BLOCK_SIZE; XMEMCPY(tmp, aes->reg, WC_AES_BLOCK_SIZE); - XMEMCPY(tmp + WC_AES_BLOCK_SIZE, in, 3 * WC_AES_BLOCK_SIZE); - XMEMCPY(aes->reg, in + 3 * WC_AES_BLOCK_SIZE, WC_AES_BLOCK_SIZE); - ret = wc_AesEcbEncrypt(aes, tmp, tmp, 4 * WC_AES_BLOCK_SIZE); + XMEMCPY(tmp + WC_AES_BLOCK_SIZE, in, nbytes - WC_AES_BLOCK_SIZE); + XMEMCPY(aes->reg, in + nbytes - WC_AES_BLOCK_SIZE, WC_AES_BLOCK_SIZE); + ret = wc_AesEcbEncrypt(aes, tmp, tmp, nbytes); if (ret != 0) { break; } - xorbufout(out, in, tmp, 4 * WC_AES_BLOCK_SIZE); - out += 4 * WC_AES_BLOCK_SIZE; - in += 4 * WC_AES_BLOCK_SIZE; - sz -= 4 * WC_AES_BLOCK_SIZE; + xorbufout(out, in, tmp, nbytes); + out += nbytes; + in += nbytes; + sz -= nbytes; } } #endif @@ -16733,7 +16790,8 @@ int wc_AesXtsEncrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz, if (aes->use_aesni) { SAVE_VECTOR_REGISTERS(return _svr_ret;); #if defined(HAVE_INTEL_AVX512) - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_VAES_ECB_MIN_BLOCKS * WC_AES_BLOCK_SIZE) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_XTS_encrypt_avx512(in, out, sz, i, (const byte*)aes->key, (const byte*)xaes->tweak.key, @@ -16743,7 +16801,8 @@ int wc_AesXtsEncrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz, else #endif #if defined(HAVE_INTEL_VAES) - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_VAES_ECB_MIN_BLOCKS * WC_AES_BLOCK_SIZE) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_XTS_encrypt_vaes(in, out, sz, i, (const byte*)aes->key, (const byte*)xaes->tweak.key, @@ -16968,7 +17027,8 @@ static int AesXtsEncryptUpdate(XtsAes* xaes, byte* out, const byte* in, word32 s if (aes->use_aesni) { SAVE_VECTOR_REGISTERS(return _svr_ret;); #if defined(HAVE_INTEL_AVX512) - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_VAES_ECB_MIN_BLOCKS * WC_AES_BLOCK_SIZE) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_XTS_encrypt_update_avx512(in, out, sz, (const byte*)aes->key, stream->tweak_block, @@ -17272,7 +17332,8 @@ int wc_AesXtsDecrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz, if (aes->use_aesni) { SAVE_VECTOR_REGISTERS(return _svr_ret;); #if defined(HAVE_INTEL_AVX512) - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_VAES_ECB_MIN_BLOCKS * WC_AES_BLOCK_SIZE) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_XTS_decrypt_avx512(in, out, sz, i, (const byte*)aes->key, (const byte*)xaes->tweak.key, @@ -17502,7 +17563,8 @@ static int AesXtsDecryptUpdate(XtsAes* xaes, byte* out, const byte* in, word32 s if (aes->use_aesni) { SAVE_VECTOR_REGISTERS(return _svr_ret;); #if defined(HAVE_INTEL_AVX512) - if (IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_VAES_ECB_MIN_BLOCKS * WC_AES_BLOCK_SIZE) && + IS_INTEL_AVX512(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_XTS_decrypt_update_avx512(in, out, sz, (const byte*)aes->key, stream->tweak_block, @@ -17512,7 +17574,8 @@ static int AesXtsDecryptUpdate(XtsAes* xaes, byte* out, const byte* in, word32 s else #endif #if defined(HAVE_INTEL_VAES) - if (IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { + if ((sz >= WC_VAES_ECB_MIN_BLOCKS * WC_AES_BLOCK_SIZE) && + IS_INTEL_AVX2(intel_flags) && IS_INTEL_VAES(intel_flags)) { AES_XTS_decrypt_update_vaes(in, out, sz, (const byte*)aes->key, stream->tweak_block, From 300f58db6ea74e192bc9c949fa3bf5e9471d110b Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:04:12 -0500 Subject: [PATCH 04/22] src/include.am: remove wolfcrypt/src/aes_x86_64_asm.S from AESNI source lists in FIPS v2/v5/v6 sections. --- src/include.am | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/include.am b/src/include.am index ad8060f1f58..9f41ec074ef 100644 --- a/src/include.am +++ b/src/include.am @@ -109,7 +109,6 @@ endif if BUILD_AESNI src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_asm.S -src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_x86_64_asm.S if BUILD_X86_ASM src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_gcm_x86_asm.S else @@ -260,7 +259,6 @@ endif BUILD_PPC64_ASM if BUILD_AESNI src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_asm.S -src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_x86_64_asm.S if BUILD_X86_ASM src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_gcm_x86_asm.S else @@ -534,7 +532,6 @@ endif BUILD_PPC64_ASM if BUILD_AESNI src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_asm.S -src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_x86_64_asm.S if BUILD_X86_ASM src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/aes_gcm_x86_asm.S else From 6d21d600f674ab948f07b8b89322aac2f7edfe8c Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:06:52 -0500 Subject: [PATCH 05/22] in all FIPS-relevant C sources, add a "#define _WC_BUILDING_foo" first (where foo is a stylization of the filename), before including libwolfssl_sources.h, to allow future file-specific suppressions or other settings without altering FIPS sources. --- wolfcrypt/src/aes.c | 2 ++ wolfcrypt/src/cmac.c | 2 ++ wolfcrypt/src/curve25519.c | 4 +++- wolfcrypt/src/curve448.c | 2 ++ wolfcrypt/src/dh.c | 2 ++ wolfcrypt/src/ecc.c | 2 ++ wolfcrypt/src/ed25519.c | 2 ++ wolfcrypt/src/ed448.c | 2 ++ wolfcrypt/src/hmac.c | 2 ++ wolfcrypt/src/kdf.c | 2 ++ wolfcrypt/src/pwdbased.c | 2 ++ wolfcrypt/src/random.c | 2 ++ wolfcrypt/src/rsa.c | 2 ++ wolfcrypt/src/sha.c | 2 ++ wolfcrypt/src/sha256.c | 2 ++ wolfcrypt/src/sha3.c | 2 ++ wolfcrypt/src/sha512.c | 2 ++ wolfcrypt/src/wc_lms.c | 2 ++ wolfcrypt/src/wc_lms_impl.c | 2 ++ wolfcrypt/src/wc_mldsa.c | 2 ++ wolfcrypt/src/wc_mlkem.c | 2 ++ wolfcrypt/src/wc_mlkem_poly.c | 2 ++ wolfcrypt/src/wc_slhdsa.c | 2 ++ wolfcrypt/src/wc_xmss.c | 2 ++ wolfcrypt/src/wc_xmss_impl.c | 2 ++ 25 files changed, 51 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 608a35e11fb..9c69327cdd6 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -110,6 +110,8 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits * WOLFSSL_HW_METRICS: Track hardware acceleration usage default: off */ +#define _WC_BUILDING_AES_C + #include #if !defined(NO_AES) diff --git a/wolfcrypt/src/cmac.c b/wolfcrypt/src/cmac.c index 43108d226cd..cc05015d65a 100644 --- a/wolfcrypt/src/cmac.c +++ b/wolfcrypt/src/cmac.c @@ -19,6 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#define _WC_BUILDING_CMAC_C + #include #ifdef WOLFSSL_QNX_CAAM diff --git a/wolfcrypt/src/curve25519.c b/wolfcrypt/src/curve25519.c index fb1007ce6f4..12efe361f92 100644 --- a/wolfcrypt/src/curve25519.c +++ b/wolfcrypt/src/curve25519.c @@ -29,7 +29,9 @@ * secret. Requires CURVE25519_SMALL. Default: off. */ - #include +#define _WC_BUILDING_CURVE25519_C + +#include #ifdef NO_CURVED25519_X64 #undef USE_INTEL_SPEEDUP diff --git a/wolfcrypt/src/curve448.c b/wolfcrypt/src/curve448.c index 63c0f68089e..1247abc2a52 100644 --- a/wolfcrypt/src/curve448.c +++ b/wolfcrypt/src/curve448.c @@ -37,6 +37,8 @@ * default: off */ +#define _WC_BUILDING_CURVE448_C + #include #ifdef HAVE_CURVE448 diff --git a/wolfcrypt/src/dh.c b/wolfcrypt/src/dh.c index 3e9abe3d869..55d82c0e233 100644 --- a/wolfcrypt/src/dh.c +++ b/wolfcrypt/src/dh.c @@ -19,6 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#define _WC_BUILDING_DH_C + #include #ifndef NO_DH diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index a3476d4e146..a3e708e9892 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -19,6 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#define _WC_BUILDING_ECC_C + #include #ifdef WOLFSSL_ECC_NO_SMALL_STACK diff --git a/wolfcrypt/src/ed25519.c b/wolfcrypt/src/ed25519.c index 281e34b24ff..3cf8d807fec 100644 --- a/wolfcrypt/src/ed25519.c +++ b/wolfcrypt/src/ed25519.c @@ -28,6 +28,8 @@ * Check that the private key didn't change during the signing operations. */ +#define _WC_BUILDING_ED25519_C + #include #ifdef HAVE_ED25519 diff --git a/wolfcrypt/src/ed448.c b/wolfcrypt/src/ed448.c index a85ff6b9773..b25e3ff23f6 100644 --- a/wolfcrypt/src/ed448.c +++ b/wolfcrypt/src/ed448.c @@ -30,6 +30,8 @@ * Check that the private key didn't change during the signing operations. */ +#define _WC_BUILDING_ED448_C + #include #ifdef HAVE_ED448 diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index 7bf9231a3dc..07ce9761008 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -35,6 +35,8 @@ * WOLFSSL_KCAPI_HMAC: Linux kernel crypto API for HMAC default: off */ +#define _WC_BUILDING_HMAC_C + #include #ifndef NO_HMAC diff --git a/wolfcrypt/src/kdf.c b/wolfcrypt/src/kdf.c index 3e9dc23b6ad..4ae7d584f9a 100644 --- a/wolfcrypt/src/kdf.c +++ b/wolfcrypt/src/kdf.c @@ -19,6 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#define _WC_BUILDING_KDF_C + #include #ifndef NO_KDF diff --git a/wolfcrypt/src/pwdbased.c b/wolfcrypt/src/pwdbased.c index c27e12515b6..e5a1eac43b7 100644 --- a/wolfcrypt/src/pwdbased.c +++ b/wolfcrypt/src/pwdbased.c @@ -19,6 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#define _WC_BUILDING_PWDBASED_C + #include #ifndef NO_PWDBASED diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 609e7fb6b45..cfee74e2fb1 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -102,6 +102,8 @@ This library contains implementation for the random number generator. * WOLFSSL_XILINX_CRYPT_VERSAL: Xilinx Versal crypto RNG default: off */ +#define _WC_BUILDING_RANDOM_C + #include /* on HPUX 11 you may need to install /dev/random see diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 0a6b6143a7a..cd66eab2efd 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -27,6 +27,8 @@ RSA keys can be used to encrypt, decrypt, sign and verify data. */ +#define _WC_BUILDING_RSA_C + #include #ifndef NO_RSA diff --git a/wolfcrypt/src/sha.c b/wolfcrypt/src/sha.c index 9e94e3f0088..b8f717ab747 100644 --- a/wolfcrypt/src/sha.c +++ b/wolfcrypt/src/sha.c @@ -39,6 +39,8 @@ * PSOC6_HASH_SHA1: PSoC6 hardware SHA-1 default: off */ +#define _WC_BUILDING_SHA_C + #include #ifdef DEBUG_WOLFSSL_VERBOSE diff --git a/wolfcrypt/src/sha256.c b/wolfcrypt/src/sha256.c index 047c57dade8..87d05686248 100644 --- a/wolfcrypt/src/sha256.c +++ b/wolfcrypt/src/sha256.c @@ -38,6 +38,8 @@ on the specific device platform. */ +#define _WC_BUILDING_SHA256_C + #include /* diff --git a/wolfcrypt/src/sha3.c b/wolfcrypt/src/sha3.c index efcf424cdce..ca357ecbf9c 100644 --- a/wolfcrypt/src/sha3.c +++ b/wolfcrypt/src/sha3.c @@ -38,6 +38,8 @@ * PSOC6_HASH_SHA3: PSoC6 hardware SHA-3 default: off */ +#define _WC_BUILDING_SHA3_C + #include #ifdef WC_SHA3_NO_ASM diff --git a/wolfcrypt/src/sha512.c b/wolfcrypt/src/sha512.c index 111b00b1068..503adaab458 100644 --- a/wolfcrypt/src/sha512.c +++ b/wolfcrypt/src/sha512.c @@ -54,6 +54,8 @@ * WOLFSSL_RENESAS_RSIP: Renesas RSIP SHA acceleration default: off */ +#define _WC_BUILDING_SHA512_C + #include #if (defined(WOLFSSL_SHA512) || defined(WOLFSSL_SHA384)) && \ diff --git a/wolfcrypt/src/wc_lms.c b/wolfcrypt/src/wc_lms.c index f2b62ea5901..595b93622d8 100644 --- a/wolfcrypt/src/wc_lms.c +++ b/wolfcrypt/src/wc_lms.c @@ -19,6 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#define _WC_BUILDING_WC_LMS_C + #include #if defined(WOLFSSL_HAVE_LMS) diff --git a/wolfcrypt/src/wc_lms_impl.c b/wolfcrypt/src/wc_lms_impl.c index 25e89901a9b..e88c032d87e 100644 --- a/wolfcrypt/src/wc_lms_impl.c +++ b/wolfcrypt/src/wc_lms_impl.c @@ -37,6 +37,8 @@ * Enable when memory is limited. */ +#define _WC_BUILDING_WC_LMS_IMPL_C + #include #include diff --git a/wolfcrypt/src/wc_mldsa.c b/wolfcrypt/src/wc_mldsa.c index 578428f2da6..4adfa004d09 100644 --- a/wolfcrypt/src/wc_mldsa.c +++ b/wolfcrypt/src/wc_mldsa.c @@ -135,6 +135,8 @@ * shift equivalent. */ +#define _WC_BUILDING_WC_MLDSA_C + #include #if FIPS_VERSION3_GE(2,0,0) diff --git a/wolfcrypt/src/wc_mlkem.c b/wolfcrypt/src/wc_mlkem.c index d03539f7053..eb96e9526b7 100644 --- a/wolfcrypt/src/wc_mlkem.c +++ b/wolfcrypt/src/wc_mlkem.c @@ -70,6 +70,8 @@ * Cannot be used with WOLFSSL_NO_MALLOC. */ +#define _WC_BUILDING_WC_MLKEM_C + #include #ifdef WC_MLKEM_NO_ASM diff --git a/wolfcrypt/src/wc_mlkem_poly.c b/wolfcrypt/src/wc_mlkem_poly.c index 4b812cd11d2..cd067b46e78 100644 --- a/wolfcrypt/src/wc_mlkem_poly.c +++ b/wolfcrypt/src/wc_mlkem_poly.c @@ -67,6 +67,8 @@ * some platforms and is smaller in code size. */ +#define _WC_BUILDING_WC_MLKEM_POLY_C + #include #ifdef WC_MLKEM_NO_ASM diff --git a/wolfcrypt/src/wc_slhdsa.c b/wolfcrypt/src/wc_slhdsa.c index 4f14658644d..7dd6a717533 100644 --- a/wolfcrypt/src/wc_slhdsa.c +++ b/wolfcrypt/src/wc_slhdsa.c @@ -19,6 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#define _WC_BUILDING_WC_SLHDSA_C + #include #if FIPS_VERSION3_GE(2,0,0) diff --git a/wolfcrypt/src/wc_xmss.c b/wolfcrypt/src/wc_xmss.c index 9ad311d0bab..b4f4c761850 100644 --- a/wolfcrypt/src/wc_xmss.c +++ b/wolfcrypt/src/wc_xmss.c @@ -19,6 +19,8 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ +#define _WC_BUILDING_WC_XMSS_C + #include #ifdef WOLFSSL_HAVE_XMSS diff --git a/wolfcrypt/src/wc_xmss_impl.c b/wolfcrypt/src/wc_xmss_impl.c index d1598c4d372..9029fca4a06 100644 --- a/wolfcrypt/src/wc_xmss_impl.c +++ b/wolfcrypt/src/wc_xmss_impl.c @@ -29,6 +29,8 @@ * (https://ece.engr.uvic.ca/~raltawy/SAC2021/9.pdf) */ +#define _WC_BUILDING_WC_XMSS_IMPL_C + #include #include From 5ae99fb03b30995e5d5f7e293978c78e3026db69 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:12:34 -0500 Subject: [PATCH 06/22] wolfcrypt/src/aes.c, wolfcrypt/src/port/, wolfssl/wolfcrypt/aes.h, wolfcrypt/src/pkcs7.c, wolfcrypt/test/test.c: * implement wc_local_AesGcmCheckTagSz() with pedantic checks for valid authtag size. SP 800-38D restrictions are now uniformly imposed, unless WC_AES_GCM_ALLOW_NONSTANDARD_TAG_LENGTH is defined (not allow with FIPS). * refactor tag size checks in wc_AesGcmEncrypt(), wc_AesGcmDecrypt(), wc_AesGcmEncryptFinal(), wc_AesGcmDecryptFinal(), and wc_PKCS7_DecodeAuthEnvelopedData(). * in test.c, update aesgcm_non12iv_test() to skip tag sizes expected to fail. --- wolfcrypt/src/aes.c | 103 ++++++++++++++---- wolfcrypt/src/pkcs7.c | 10 +- .../src/port/Renesas/renesas_fspsm_aes.c | 7 +- wolfcrypt/src/port/af_alg/afalg_aes.c | 22 +--- wolfcrypt/src/port/devcrypto/devcrypto_aes.c | 11 +- wolfcrypt/src/port/kcapi/kcapi_aes.c | 12 +- wolfcrypt/src/port/riscv/riscv-64-aes.c | 23 ++-- wolfcrypt/src/port/ti/ti-aes.c | 7 +- wolfcrypt/test/test.c | 17 ++- wolfssl/wolfcrypt/aes.h | 1 + 10 files changed, 141 insertions(+), 72 deletions(-) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 9c69327cdd6..40ee5502d2f 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -7995,6 +7995,63 @@ static WC_INLINE void IncCtr(byte* ctr, word32 ctrSz) #endif +#if !defined(NO_INLINE) && defined(__GNUC__) +/* Inline for callers here in aes.c, but a callable local function for outside + * callers. Don't use WC_INLINE unconditionally, because we can't count on + * correct behavior beyond gcc/clang, and we don't want the the WC_MAYBE_UNUSED + * attribute in NO_INLINE builds. + */ +WC_INLINE +#endif +int wc_local_AesGcmCheckTagSz(word32 authTagSz) { +#ifdef WC_AES_GCM_ALLOW_NONSTANDARD_TAG_LENGTH + #ifdef HAVE_FIPS + #error WC_AES_GCM_ALLOW_NONSTANDARD_TAG_LENGTH not allowed with FIPS 140. + #endif + wc_static_assert(WOLFSSL_MIN_AUTH_TAG_SZ >= 4); + if ((authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) || + (authTagSz > WC_AES_BLOCK_SIZE)) + { + WOLFSSL_MSG("AES-GCM unsupported authTagSz"); + return BAD_FUNC_ARG; + } + else + return 0; +#else + /* A switch is actually better for the optimizer than most hand-rolled + * equivalents, because it hands the compiler the exact value set and lets + * it pick the best lowering per WOLFSSL_MIN_AUTH_TAG_SZ configuration. + */ + switch (authTagSz) { +#if WOLFSSL_MIN_AUTH_TAG_SZ <= 4 + case 4: +#endif +#if WOLFSSL_MIN_AUTH_TAG_SZ <= 8 + case 8: +#endif +#if WOLFSSL_MIN_AUTH_TAG_SZ <= 12 + case 12: +#endif +#if WOLFSSL_MIN_AUTH_TAG_SZ <= 13 + case 13: +#endif +#if WOLFSSL_MIN_AUTH_TAG_SZ <= 14 + case 14: +#endif +#if WOLFSSL_MIN_AUTH_TAG_SZ <= 15 + case 15: +#endif +#if WOLFSSL_MIN_AUTH_TAG_SZ <= 16 + case 16: +#endif + return 0; + default: + WOLFSSL_MSG("AES-GCM unsupported authTagSz"); + return BAD_FUNC_ARG; + } +#endif +} + #if defined(WOLFSSL_RISCV_ASM) /* implemented in wolfcrypt/src/port/risc-v/riscv-64-aes.c */ @@ -10184,14 +10241,13 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, word32 keySize; /* argument checks */ - if (aes == NULL || authTagSz > WC_AES_BLOCK_SIZE || ivSz == 0) { + if (aes == NULL || ivSz == 0) { return BAD_FUNC_ARG; } - if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { - WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); - return BAD_FUNC_ARG; - } + status = wc_local_AesGcmCheckTagSz(authTagSz); + if (status != 0) + return status; status = wc_AesGetKeySize(aes, &keySize); if (status) @@ -10715,16 +10771,15 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, * out are don't cares (GMAC case), matching wc_AesGcmDecrypt. */ if (aes == NULL || iv == NULL || ivSz == 0 || (sz != 0 && (in == NULL || out == NULL)) || - authTag == NULL || authTagSz > WC_AES_BLOCK_SIZE || + authTag == NULL || ((authInSz > 0) && (authIn == NULL))) { return BAD_FUNC_ARG; } - if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { - WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); - return BAD_FUNC_ARG; - } + ret = wc_local_AesGcmCheckTagSz(authTagSz); + if (ret != 0) + return ret; #ifdef WOLF_CRYPTO_CB #ifndef WOLF_CRYPTO_CB_FIND @@ -10922,13 +10977,16 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, /* If the sz is non-zero, both in and out must be set. If sz is 0, * in and out are don't cares, as this is is the GMAC case. */ if (aes == NULL || iv == NULL || (sz != 0 && (in == NULL || out == NULL)) || - authTag == NULL || authTagSz > WC_AES_BLOCK_SIZE || - authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ || ivSz == 0 || + authTag == NULL || ivSz == 0 || ((authInSz > 0) && (authIn == NULL))) { return BAD_FUNC_ARG; } + ret = wc_local_AesGcmCheckTagSz(authTagSz); + if (ret != 0) + return ret; + ret = wc_AesGetKeySize(aes, &keySize); if (ret != 0) { return ret; @@ -11488,12 +11546,15 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, /* If the sz is non-zero, both in and out must be set. If sz is 0, * in and out are don't cares, as this is is the GMAC case. */ if (aes == NULL || iv == NULL || (sz != 0 && (in == NULL || out == NULL)) || - authTag == NULL || authTagSz > WC_AES_BLOCK_SIZE || - authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ || ivSz == 0) { - + authTag == NULL || ivSz == 0) + { return BAD_FUNC_ARG; } + ret = wc_local_AesGcmCheckTagSz(authTagSz); + if (ret != 0) + return ret; + #ifdef WOLF_CRYPTO_CB #ifndef WOLF_CRYPTO_CB_FIND if (aes->devId != INVALID_DEVID) @@ -13513,11 +13574,13 @@ int wc_AesGcmEncryptFinal(Aes* aes, byte* authTag, word32 authTagSz) int ret = 0; /* Check validity of parameters. */ - if ((aes == NULL) || (authTag == NULL) || (authTagSz > WC_AES_BLOCK_SIZE) || - (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ)) { + if ((aes == NULL) || (authTag == NULL)) { ret = BAD_FUNC_ARG; } + if (ret == 0) + ret = wc_local_AesGcmCheckTagSz(authTagSz); + /* Check key has been set. */ if ((ret == 0) && (!aes->gcmKeySet)) { ret = MISSING_KEY; @@ -13655,11 +13718,13 @@ int wc_AesGcmDecryptFinal(Aes* aes, const byte* authTag, word32 authTagSz) int ret = 0; /* Check validity of parameters. */ - if ((aes == NULL) || (authTag == NULL) || (authTagSz > WC_AES_BLOCK_SIZE) || - (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ)) { + if ((aes == NULL) || (authTag == NULL)) { ret = BAD_FUNC_ARG; } + if (ret == 0) + ret = wc_local_AesGcmCheckTagSz(authTagSz); + /* Check key has been set. */ if ((ret == 0) && (!aes->gcmKeySet)) { ret = MISSING_KEY; diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index b04504a0054..866dac4716e 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -15262,10 +15262,12 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in, } if (ret == 0 && (encOID == AES128GCMb || encOID == AES192GCMb || - encOID == AES256GCMb) && - authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { - WOLFSSL_MSG("AuthEnvelopedData GCM authTag too small"); - ret = ASN_PARSE_E; + encOID == AES256GCMb)) { + ret = wc_local_AesGcmCheckTagSz(authTagSz); + if (ret != 0) { + ret = ASN_PARSE_E; + WOLFSSL_MSG("AuthEnvelopedData GCM authTag invalid size"); + } } #ifndef NO_PKCS7_STREAM diff --git a/wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c b/wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c index fb9b70db48b..d818ee00870 100644 --- a/wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c +++ b/wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c @@ -354,10 +354,9 @@ int wc_fspsm_AesGcmEncrypt(struct Aes* aes, byte* out, return BAD_FUNC_ARG; } - if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { - WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); - return BAD_FUNC_ARG; - } + ret = wc_local_AesGcmCheckTagSz(authTagSz); + if (ret != 0) + return ret; if (aes->ctx.keySize != 16 && aes->ctx.keySize != 32) { WOLFSSL_MSG("keySize is invalid, neither 16 or 32."); diff --git a/wolfcrypt/src/port/af_alg/afalg_aes.c b/wolfcrypt/src/port/af_alg/afalg_aes.c index 0a3d8b6cc1f..060ed8000b9 100644 --- a/wolfcrypt/src/port/af_alg/afalg_aes.c +++ b/wolfcrypt/src/port/af_alg/afalg_aes.c @@ -584,15 +584,10 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, WOLFSSL_MSG("IV size not supported on system"); return BAD_FUNC_ARG; } - if (authTagSz > WOLFSSL_MAX_AUTH_TAG_SZ) { - WOLFSSL_MSG("Authentication tag size not supported on system"); - return BAD_FUNC_ARG; - } - if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { - WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); - return BAD_FUNC_ARG; - } + ret = wc_local_AesGcmCheckTagSz(authTagSz); + if (ret != 0) + return ret; if (aes->alFd == WC_SOCK_NOTSET) { WOLFSSL_MSG("AF_ALG GcmEncrypt called with alFd unset"); @@ -796,15 +791,10 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, WOLFSSL_MSG("IV size not supported on system"); return BAD_FUNC_ARG; } - if (authTagSz > WOLFSSL_MAX_AUTH_TAG_SZ) { - WOLFSSL_MSG("Authentication tag size not supported on system"); - return BAD_FUNC_ARG; - } - if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { - WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); - return BAD_FUNC_ARG; - } + ret = wc_local_AesGcmCheckTagSz(authTagSz); + if (ret != 0) + return ret; if (aes->rdFd == WC_SOCK_NOTSET) { aes->dir = AES_DECRYPTION; diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c index 6f976fa8cca..62cd624f017 100644 --- a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c +++ b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c @@ -357,10 +357,9 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, byte* authTag, word32 authTagSz, const byte* authIn, word32 authInSz) { - if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { - WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); - return BAD_FUNC_ARG; - } + int ret = wc_local_AesGcmCheckTagSz(authTagSz); + if (ret != 0) + return ret; return wc_DevCrypto_AesGcm(aes, out, (byte*)in, sz, iv, ivSz, authTag, authTagSz, authIn, authInSz, @@ -374,6 +373,10 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, const byte* authTag, word32 authTagSz, const byte* authIn, word32 authInSz) { + int ret = wc_local_AesGcmCheckTagSz(authTagSz); + if (ret != 0) + return ret; + return wc_DevCrypto_AesGcm(aes, out, (byte*)in, sz, iv, ivSz, (byte*)authTag, authTagSz, authIn, authInSz, COP_DECRYPT); diff --git a/wolfcrypt/src/port/kcapi/kcapi_aes.c b/wolfcrypt/src/port/kcapi/kcapi_aes.c index 5003d52e679..30ad3e9d034 100644 --- a/wolfcrypt/src/port/kcapi/kcapi_aes.c +++ b/wolfcrypt/src/port/kcapi/kcapi_aes.c @@ -246,10 +246,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, ret = BAD_FUNC_ARG; } - if ((ret == 0) && (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ)) { - WOLFSSL_MSG("GcmEncrypt authTagSz too small error"); - ret = BAD_FUNC_ARG; - } + if (ret == 0) + ret = wc_local_AesGcmCheckTagSz(authTagSz); if (ret == 0) { ret = kcapi_aead_init(&aes->handle, WC_NAME_AESGCM, 0); @@ -361,10 +359,8 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, ret = BAD_FUNC_ARG; } - if ((ret == 0) && (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ)) { - WOLFSSL_MSG("GcmDecrypt authTagSz too small error"); - ret = BAD_FUNC_ARG; - } + if (ret == 0) + ret = wc_local_AesGcmCheckTagSz(authTagSz); if (ret == 0) { ret = kcapi_aead_init(&aes->handle, WC_NAME_AESGCM, 0); diff --git a/wolfcrypt/src/port/riscv/riscv-64-aes.c b/wolfcrypt/src/port/riscv/riscv-64-aes.c index 8dee9a87d51..2f23070ce09 100644 --- a/wolfcrypt/src/port/riscv/riscv-64-aes.c +++ b/wolfcrypt/src/port/riscv/riscv-64-aes.c @@ -6932,11 +6932,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, ret = BAD_FUNC_ARG; } - if ((ret == 0) && ((tagSz < WOLFSSL_MIN_AUTH_TAG_SZ) || - (tagSz > WC_AES_BLOCK_SIZE))) { - WOLFSSL_MSG("GcmEncrypt tagSz error"); - ret = BAD_FUNC_ARG; - } + if (ret == 0) + ret = wc_local_AesGcmCheckTagSz(tagSz); if (ret == 0) { switch (aes->rounds) { @@ -8572,13 +8569,15 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, /* sanity checks */ if ((aes == NULL) || (nonce == NULL) || (tag == NULL) || - (tagSz > WC_AES_BLOCK_SIZE) || (tagSz < WOLFSSL_MIN_AUTH_TAG_SZ) || ((aad == NULL) && (aadSz > 0)) || (nonceSz == 0) || ((sz != 0) && ((in == NULL) || (out == NULL)))) { WOLFSSL_MSG("a NULL parameter passed in when size is larger than 0"); return BAD_FUNC_ARG; } + if (ret == 0) + ret = wc_local_AesGcmCheckTagSz(tagSz); + if (ret == 0) { switch (aes->rounds) { #ifdef WOLFSSL_AES_128 @@ -8835,12 +8834,8 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, ret = BAD_FUNC_ARG; } - if ((ret == 0) && ((tagSz < WOLFSSL_MIN_AUTH_TAG_SZ) || - (tagSz > WC_AES_BLOCK_SIZE))) { - WOLFSSL_MSG("GcmEncrypt tagSz error"); - ret = BAD_FUNC_ARG; - } - + if (ret == 0) + ret = wc_local_AesGcmCheckTagSz(tagSz); if (ret == 0) { if (nonceSz == GCM_NONCE_MID_SZ) { @@ -8931,13 +8926,15 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, /* Validate parameters. */ if ((aes == NULL) || (nonce == NULL) || (tag == NULL) || - (tagSz > WC_AES_BLOCK_SIZE) || (tagSz < WOLFSSL_MIN_AUTH_TAG_SZ) || ((aad == NULL) && (aadSz > 0)) || (nonceSz == 0) || ((sz != 0) && ((in == NULL) || (out == NULL)))) { WOLFSSL_MSG("a NULL parameter passed in when size is larger than 0"); ret = BAD_FUNC_ARG; } + if (ret == 0) + ret = wc_local_AesGcmCheckTagSz(tagSz); + if (ret == 0) { if (nonceSz == GCM_NONCE_MID_SZ) { /* Counter is IV with bottom 4 bytes set to: 0x00,0x00,0x00,0x01. */ diff --git a/wolfcrypt/src/port/ti/ti-aes.c b/wolfcrypt/src/port/ti/ti-aes.c index 3d8897156c3..4d77dcfe16e 100644 --- a/wolfcrypt/src/port/ti/ti-aes.c +++ b/wolfcrypt/src/port/ti/ti-aes.c @@ -687,9 +687,10 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, byte* authTag, word32 authTagSz, const byte* authIn, word32 authInSz) { - if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { - return BAD_FUNC_ARG; - } + int ret = wc_local_AesGcmCheckTagSz(authTagSz); + if (ret != 0) + return ret; + return AesAuthEncrypt(aes, out, in, sz, iv, ivSz, authTag, authTagSz, authIn, authInSz, AES_CFG_MODE_GCM_HY0CALC); } diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 49deeaf0cec..2fb85db9e10 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -19580,9 +19580,24 @@ static wc_test_ret_t aesgcm_non12iv_test(Aes* enc, Aes* dec) ERROR_OUT(WC_TEST_RET_ENC_NC, out); #endif /* HAVE_AES_DECRYPT */ - for (tlen = WOLFSSL_MIN_AUTH_TAG_SZ; tlen < 16; tlen++) { + for (tlen = WOLFSSL_MIN_AUTH_TAG_SZ; tlen <= WC_AES_BLOCK_SIZE; tlen++) { int ii; +#ifndef WC_AES_GCM_ALLOW_NONSTANDARD_TAG_LENGTH + switch (tlen) { + case 4: + case 8: + case 12: + case 13: + case 14: + case 15: + case 16: + break; + default: + continue; + } +#endif + XMEMSET(resultT, 0, sizeof(resultT)); wc_AesGcmSetKey(enc, k3, (word32)k3Sz); /* AES-GCM encrypt and decrypt both use AES encrypt internally */ diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index 2271636f942..1d2dd000a81 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -615,6 +615,7 @@ WOLFSSL_API int wc_AesEcbDecrypt(Aes* aes, byte* out, #endif #ifdef HAVE_AESGCM +WOLFSSL_LOCAL int wc_local_AesGcmCheckTagSz(word32 authTagSz); #ifdef WOLFSSL_XILINX_CRYPT WOLFSSL_API int wc_AesGcmSetKey_ex(Aes* aes, const byte* key, word32 len, word32 kup); From 4d46e1eb74eae7962538ef25457425165aeb3fee Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:14:31 -0500 Subject: [PATCH 07/22] wolfcrypt/test/test.c: * in slhdsa_keygen_kat() and slhdsa_id_label_test(), pass devId to wc_SlhDsaKey_Init*() * in cryptocb_test(), inhibit the callback verification check for SLHDSA if FIPS (no crypto callbacks in FIPS-wrapped calls). --- wolfcrypt/test/test.c | 39 ++++++++++++++++++++++----------------- 1 file changed, 22 insertions(+), 17 deletions(-) diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 2fb85db9e10..af06d3be5f3 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -57790,7 +57790,7 @@ static wc_test_ret_t slhdsa_keygen_kat(enum SlhDsaParam param, DYNAMIC_TYPE_TMP_BUFFER, return WC_TEST_RET_ENC_EC(MEMORY_E)); XMEMSET(key, 0, sizeof(*key)); - ret = wc_SlhDsaKey_Init(key, param, NULL, INVALID_DEVID); + ret = wc_SlhDsaKey_Init(key, param, NULL, devId); if (ret != 0) { ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); } @@ -58073,30 +58073,30 @@ static wc_test_ret_t slhdsa_id_label_test(void) /* NULL key rejected. */ ret = wc_SlhDsaKey_Init_id(NULL, param, id, (int)sizeof(id), HEAP_HINT, - INVALID_DEVID); + devId); if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_EC(ret); /* (id == NULL, len > 0) is the silent-contradiction case the original * review flagged; must be rejected. */ - ret = wc_SlhDsaKey_Init_id(&key, param, NULL, 8, HEAP_HINT, INVALID_DEVID); + ret = wc_SlhDsaKey_Init_id(&key, param, NULL, 8, HEAP_HINT, devId); if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_EC(ret); /* Length over the cap rejected with BUFFER_E. */ ret = wc_SlhDsaKey_Init_id(&key, param, id, SLHDSA_MAX_ID_LEN + 1, - HEAP_HINT, INVALID_DEVID); + HEAP_HINT, devId); if (ret != WC_NO_ERR_TRACE(BUFFER_E)) return WC_TEST_RET_ENC_EC(ret); /* Negative length rejected. */ - ret = wc_SlhDsaKey_Init_id(&key, param, id, -1, HEAP_HINT, INVALID_DEVID); + ret = wc_SlhDsaKey_Init_id(&key, param, id, -1, HEAP_HINT, devId); if (ret != WC_NO_ERR_TRACE(BUFFER_E)) return WC_TEST_RET_ENC_EC(ret); /* Successful init copies the id and stores its length. */ ret = wc_SlhDsaKey_Init_id(&key, param, id, (int)sizeof(id), HEAP_HINT, - INVALID_DEVID); + devId); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); if (key.idLen != (int)sizeof(id)) @@ -58109,7 +58109,7 @@ static wc_test_ret_t slhdsa_id_label_test(void) XMEMSET(&key, 0, sizeof(key)); /* (id != NULL, len == 0) is accepted as a no-op. */ - ret = wc_SlhDsaKey_Init_id(&key, param, id, 0, HEAP_HINT, INVALID_DEVID); + ret = wc_SlhDsaKey_Init_id(&key, param, id, 0, HEAP_HINT, devId); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); if (key.idLen != 0) @@ -58127,7 +58127,7 @@ static wc_test_ret_t slhdsa_id_label_test(void) for (i = 0; i < SLHDSA_MAX_ID_LEN; i++) id_max[i] = (unsigned char)(0x40 + i); ret = wc_SlhDsaKey_Init_id(&key, param, id_max, SLHDSA_MAX_ID_LEN, - HEAP_HINT, INVALID_DEVID); + HEAP_HINT, devId); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); if (key.idLen != SLHDSA_MAX_ID_LEN) @@ -58143,22 +58143,22 @@ static wc_test_ret_t slhdsa_id_label_test(void) /* Init_label: NULL label / NULL key rejected. */ ret = wc_SlhDsaKey_Init_label(NULL, param, label, HEAP_HINT, - INVALID_DEVID); + devId); if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_EC(ret); ret = wc_SlhDsaKey_Init_label(&key, param, NULL, HEAP_HINT, - INVALID_DEVID); + devId); if (ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) return WC_TEST_RET_ENC_EC(ret); /* Empty label is rejected. */ - ret = wc_SlhDsaKey_Init_label(&key, param, "", HEAP_HINT, INVALID_DEVID); + ret = wc_SlhDsaKey_Init_label(&key, param, "", HEAP_HINT, devId); if (ret != WC_NO_ERR_TRACE(BUFFER_E)) return WC_TEST_RET_ENC_EC(ret); /* Successful init copies the label and stores its length. */ ret = wc_SlhDsaKey_Init_label(&key, param, label, HEAP_HINT, - INVALID_DEVID); + devId); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); if (key.labelLen != (int)XSTRLEN(label)) @@ -58182,7 +58182,7 @@ static wc_test_ret_t slhdsa_id_label_test(void) label_max[i] = 'L'; label_max[SLHDSA_MAX_LABEL_LEN] = '\0'; ret = wc_SlhDsaKey_Init_label(&key, param, label_max, HEAP_HINT, - INVALID_DEVID); + devId); if (ret != 0) return WC_TEST_RET_ENC_EC(ret); if (key.labelLen != SLHDSA_MAX_LABEL_LEN) @@ -59249,7 +59249,7 @@ wc_test_ret_t slhdsa_test(void) #endif #ifndef WOLFSSL_SLHDSA_VERIFY_ONLY - ret = wc_SlhDsaKey_Init(key, SLHDSA_SHAKE128S, NULL, INVALID_DEVID); + ret = wc_SlhDsaKey_Init(key, SLHDSA_SHAKE128S, NULL, devId); if (ret != 0) { ERROR_OUT(WC_TEST_RET_ENC_EC(ret), out); } @@ -74929,11 +74929,16 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t cryptocb_test(void) * * Only enforce when slhdsa_test() actually runs a cb-routed op: * !VERIFY_ONLY runs slhdsa_test_param (uses devId), or - * PARAM_128S enables the in-tree KAT verify (also uses devId). */ + * PARAM_128S enables the in-tree KAT verify (also uses devId). + * + * The FIPS wrappers force the devId to FIPS_INVALID_DEVID, so we skip + * the check for FIPS. + */ int baseline = myCtx.exampleVar; ret = slhdsa_test(); - #if !defined(WOLFSSL_SLHDSA_VERIFY_ONLY) || \ - defined(WOLFSSL_SLHDSA_PARAM_128S) + #if (!defined(WOLFSSL_SLHDSA_VERIFY_ONLY) || \ + defined(WOLFSSL_SLHDSA_PARAM_128S)) && \ + !defined(HAVE_FIPS) if ((ret == 0) && (myCtx.exampleVar == baseline)) ret = WC_TEST_RET_ENC_NC; #endif From 8b5b6af44e6f57de234219afe65073ef330783e8 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:21:00 -0500 Subject: [PATCH 08/22] linuxkm/x86_vector_register_glue.c, linuxkm/linuxkm_wc_port.h, wolfssl/wolfcrypt/memory.h: add WC_SVR_FLAG_FUZZ, implement support for DEBUG_VECTOR_REGISTER_ACCESS_FUZZING directly in the save/restore implementations, and properly reflect existing save state there and in the _FUZZING variants of SAVE_VECTOR_REGISTERS2(). --- linuxkm/linuxkm_wc_port.h | 14 +++----------- linuxkm/x86_vector_register_glue.c | 13 +++++++++++++ wolfssl/wolfcrypt/memory.h | 18 +++++++++++++----- 3 files changed, 29 insertions(+), 16 deletions(-) diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 80e49da632d..58650fc402b 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -192,6 +192,7 @@ enum wc_svr_flags { WC_SVR_FLAG_NONE = 0, WC_SVR_FLAG_INHIBIT = 1, + WC_SVR_FLAG_FUZZ }; #if defined(WOLFSSL_AESNI) || defined(USE_INTEL_SPEEDUP) || \ @@ -705,11 +706,7 @@ #endif #endif #ifndef CAN_SAVE_VECTOR_REGISTERS - #ifdef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING - #define CAN_SAVE_VECTOR_REGISTERS() (wc_can_save_vector_registers_x86() && (SAVE_VECTOR_REGISTERS2_fuzzer() == 0)) - #else - #define CAN_SAVE_VECTOR_REGISTERS() wc_can_save_vector_registers_x86() - #endif + #define CAN_SAVE_VECTOR_REGISTERS() wc_can_save_vector_registers_x86() #endif #ifndef SAVE_VECTOR_REGISTERS #define SAVE_VECTOR_REGISTERS(fail_clause) { \ @@ -721,12 +718,7 @@ #endif #ifndef SAVE_VECTOR_REGISTERS2 #ifdef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING - #define SAVE_VECTOR_REGISTERS2() ({ \ - int _fuzzer_ret = SAVE_VECTOR_REGISTERS2_fuzzer(); \ - (_fuzzer_ret == 0) ? \ - wc_save_vector_registers_x86(WC_SVR_FLAG_NONE) : \ - _fuzzer_ret; \ - }) + #define SAVE_VECTOR_REGISTERS2() wc_save_vector_registers_x86(WC_SVR_FLAG_FUZZ) #else #define SAVE_VECTOR_REGISTERS2() wc_save_vector_registers_x86(WC_SVR_FLAG_NONE) #endif diff --git a/linuxkm/x86_vector_register_glue.c b/linuxkm/x86_vector_register_glue.c index 107c7e11274..e33c3d719e8 100644 --- a/linuxkm/x86_vector_register_glue.c +++ b/linuxkm/x86_vector_register_glue.c @@ -323,6 +323,11 @@ WARN_UNUSED_RESULT int wc_can_save_vector_registers_x86(void) } } +#ifdef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING + if (SAVE_VECTOR_REGISTERS2_fuzzer() != 0) + return 0; +#endif + if ((preempt_count() == 0) || may_use_simd()) return 1; else @@ -423,6 +428,14 @@ WARN_UNUSED_RESULT int wc_save_vector_registers_x86(enum wc_svr_flags flags) return 0; } +#ifdef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING + if (flags & WC_SVR_FLAG_FUZZ) { + int ret = SAVE_VECTOR_REGISTERS2_fuzzer(); + if (ret != 0) + return ret; + } +#endif + if ((preempt_count() == 0) || may_use_simd()) { /* fpregs_lock() calls either local_bh_disable() or preempt_disable() * depending on CONFIG_PREEMPT_RT -- we call both, explicitly. diff --git a/wolfssl/wolfcrypt/memory.h b/wolfssl/wolfcrypt/memory.h index cdc6a040452..f0a4c0c4426 100644 --- a/wolfssl/wolfcrypt/memory.h +++ b/wolfssl/wolfcrypt/memory.h @@ -356,9 +356,6 @@ WOLFSSL_LOCAL int wc_debug_CipherLifecycleFree(void **CipherLifecycleTag, #ifndef WC_DEBUG_VECTOR_REGISTERS_FUZZING_SEED #define WC_DEBUG_VECTOR_REGISTERS_FUZZING_SEED 0 #endif - #ifndef CAN_SAVE_VECTOR_REGISTERS - #define CAN_SAVE_VECTOR_REGISTERS() (SAVE_VECTOR_REGISTERS2_fuzzer() == 0) - #endif #endif #ifdef DEBUG_VECTOR_REGISTER_ACCESS @@ -420,15 +417,26 @@ WOLFSSL_LOCAL int wc_debug_CipherLifecycleFree(void **CipherLifecycleTag, } while (0) #ifdef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING + + #ifndef CAN_SAVE_VECTOR_REGISTERS + #define CAN_SAVE_VECTOR_REGISTERS() \ + ((wc_svr_count > 0) ? 1 : \ + SAVE_VECTOR_REGISTERS2_fuzzer() == 0) + #endif + #define SAVE_VECTOR_REGISTERS2(...) ({ \ - int _svr2_val = SAVE_VECTOR_REGISTERS2_fuzzer(); \ + int _svr2_val; \ + if (wc_svr_count > 0) \ + _svr2_val = 0; \ + else \ + _svr2_val = SAVE_VECTOR_REGISTERS2_fuzzer(); \ if (_svr2_val == 0) { \ ++wc_svr_count; \ if (wc_svr_count > 5) { \ fprintf(stderr, \ ("%s() %s @ L %d : incr : " \ "wc_svr_count %d (last op %s L %d)\n"), \ - __FUNCTION__, \ + __func__, \ __FILE__, \ __LINE__, \ wc_svr_count, \ From 7a402566b607bf7bcc0acd9ff7ce16124f280b8c Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:21:36 -0500 Subject: [PATCH 09/22] wolfcrypt/src/sha3.c: refactor WC_C_DYNAMIC_FALLBACK using SAVE_VECTOR_REGISTERS2(). --- wolfcrypt/src/sha3.c | 121 ++++++++++++++++++++++++++++++++----------- 1 file changed, 92 insertions(+), 29 deletions(-) diff --git a/wolfcrypt/src/sha3.c b/wolfcrypt/src/sha3.c index ca357ecbf9c..052cd4a94b7 100644 --- a/wolfcrypt/src/sha3.c +++ b/wolfcrypt/src/sha3.c @@ -754,12 +754,26 @@ static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) word32 check = 0; word32 total_check = 0; #endif +#ifdef USE_INTEL_SPEEDUP +#ifdef WC_C_DYNAMIC_FALLBACK + void (*sha3_block)(word64 *s) = SHA3_BLOCK; + void (*sha3_block_n)(word64 *s, const byte* data, word32 n, + word64 c) = SHA3_BLOCK_N; +#endif -#if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) - if (SHA3_BLOCK == sha3_block_avx2) { - SAVE_VECTOR_REGISTERS(return _svr_ret;); - } + if (sha3_block == sha3_block_avx2) { + int ret = SAVE_VECTOR_REGISTERS2(); + if (ret != 0) { +#ifdef WC_C_DYNAMIC_FALLBACK + sha3_block = BlockSha3; + sha3_block_n = NULL; +#else + return ret; #endif + } + } +#endif /* USE_INTEL_SPEEDUP */ + if (sha3->i > 0) { byte *t; byte l = (byte)(p * 8 - sha3->i); @@ -802,7 +816,7 @@ static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) #endif #endif #ifdef SHA3_FUNC_PTR - (*SHA3_BLOCK)(sha3->s); + (*sha3_block)(sha3->s); #else BlockSha3(sha3->s); #endif @@ -811,8 +825,8 @@ static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) } blocks = len / (p * 8U); #ifdef SHA3_FUNC_PTR - if ((SHA3_BLOCK_N != NULL) && (blocks > 0)) { - (*SHA3_BLOCK_N)(sha3->s, data, blocks, p * 8U); + if ((sha3_block_n != NULL) && (blocks > 0)) { + (*sha3_block_n)(sha3->s, data, blocks, p * 8U); len -= blocks * (p * 8U); data += blocks * (p * 8U); blocks = 0; @@ -838,7 +852,7 @@ static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) #endif #endif #ifdef SHA3_FUNC_PTR - (*SHA3_BLOCK)(sha3->s); + (*sha3_block)(sha3->s); #else BlockSha3(sha3->s); #endif @@ -850,8 +864,8 @@ static int Sha3Update(wc_Sha3* sha3, const byte* data, word32 len, byte p) return BAD_COND_E; } #endif -#if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) - if (SHA3_BLOCK == sha3_block_avx2) { +#ifdef USE_INTEL_SPEEDUP + if (sha3_block == sha3_block_avx2) { RESTORE_VECTOR_REGISTERS(); } #endif @@ -881,6 +895,9 @@ static int Sha3Final(wc_Sha3* sha3, byte padChar, byte* hash, byte p, word32 l) #ifdef WC_SHA3_FAULT_HARDEN int check = 0; #endif +#if defined(WC_C_DYNAMIC_FALLBACK) && defined(USE_INTEL_SPEEDUP) + void (*sha3_block)(word64 *s) = SHA3_BLOCK; +#endif #if !defined(BIG_ENDIAN_ORDER) && !defined(WC_SHA3_FAULT_HARDEN) xorbuf(sha3->s, sha3->t, sha3->i); @@ -916,14 +933,22 @@ static int Sha3Final(wc_Sha3* sha3, byte padChar, byte* hash, byte p, word32 l) #endif #endif -#if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) - if (SHA3_BLOCK == sha3_block_avx2) - SAVE_VECTOR_REGISTERS(return _svr_ret;); +#ifdef USE_INTEL_SPEEDUP + if (sha3_block == sha3_block_avx2) { + int ret = SAVE_VECTOR_REGISTERS2(); + if (ret != 0) { +#ifdef WC_C_DYNAMIC_FALLBACK + sha3_block = BlockSha3; +#else + return ret; +#endif + } + } #endif for (j = 0; l - j >= rate; j += rate) { #ifdef SHA3_FUNC_PTR - (*SHA3_BLOCK)(sha3->s); + (*sha3_block)(sha3->s); #else BlockSha3(sha3->s); #endif @@ -935,7 +960,7 @@ static int Sha3Final(wc_Sha3* sha3, byte padChar, byte* hash, byte p, word32 l) } if (j != l) { #ifdef SHA3_FUNC_PTR - (*SHA3_BLOCK)(sha3->s); + (*sha3_block)(sha3->s); #else BlockSha3(sha3->s); #endif @@ -944,8 +969,8 @@ static int Sha3Final(wc_Sha3* sha3, byte padChar, byte* hash, byte p, word32 l) #endif XMEMCPY(hash + j, sha3->s, l - j); } -#if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) - if (SHA3_BLOCK == sha3_block_avx2) { +#ifdef USE_INTEL_SPEEDUP + if (sha3_block == sha3_block_avx2) { RESTORE_VECTOR_REGISTERS(); } #endif @@ -1906,16 +1931,34 @@ int wc_Shake128_Absorb(wc_Shake* shake, const byte* data, word32 len) */ int wc_Shake128_SqueezeBlocks(wc_Shake* shake, byte* out, word32 blockCnt) { +#if defined(WC_C_DYNAMIC_FALLBACK) && defined(USE_INTEL_SPEEDUP) + void (*sha3_block)(word64 *s); +#endif + if ((shake == NULL) || (out == NULL && blockCnt != 0)) { return BAD_FUNC_ARG; } -#if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) - if (SHA3_BLOCK == sha3_block_avx2) - SAVE_VECTOR_REGISTERS(return _svr_ret;); + +#ifdef USE_INTEL_SPEEDUP +#ifdef WC_C_DYNAMIC_FALLBACK + sha3_block = SHA3_BLOCK; #endif + + if (sha3_block == sha3_block_avx2) { + int ret = SAVE_VECTOR_REGISTERS2(); + if (ret != 0) { +#ifdef WC_C_DYNAMIC_FALLBACK + sha3_block = BlockSha3; +#else + return ret; +#endif + } + } +#endif /* USE_INTEL_SPEEDUP */ + for (; (blockCnt > 0); blockCnt--) { #ifdef SHA3_FUNC_PTR - (*SHA3_BLOCK)(shake->s); + (*sha3_block)(shake->s); #else BlockSha3(shake->s); #endif @@ -1926,8 +1969,9 @@ int wc_Shake128_SqueezeBlocks(wc_Shake* shake, byte* out, word32 blockCnt) #endif out += WC_SHA3_128_COUNT * 8; } -#if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) - if (SHA3_BLOCK == sha3_block_avx2) + +#ifdef USE_INTEL_SPEEDUP + if (sha3_block == sha3_block_avx2) RESTORE_VECTOR_REGISTERS(); #endif @@ -2147,16 +2191,34 @@ int wc_Shake256_Absorb(wc_Shake* shake, const byte* data, word32 len) */ int wc_Shake256_SqueezeBlocks(wc_Shake* shake, byte* out, word32 blockCnt) { +#if defined(WC_C_DYNAMIC_FALLBACK) && defined(USE_INTEL_SPEEDUP) + void (*sha3_block)(word64 *s); +#endif + if ((shake == NULL) || (out == NULL && blockCnt != 0)) { return BAD_FUNC_ARG; } -#if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) - if (SHA3_BLOCK == sha3_block_avx2) - SAVE_VECTOR_REGISTERS(return _svr_ret;); + +#ifdef USE_INTEL_SPEEDUP +#ifdef WC_C_DYNAMIC_FALLBACK + sha3_block = SHA3_BLOCK; +#endif + + if (sha3_block == sha3_block_avx2) { + int ret = SAVE_VECTOR_REGISTERS2(); + if (ret != 0) { +#ifdef WC_C_DYNAMIC_FALLBACK + sha3_block = BlockSha3; +#else + return ret; #endif + } + } +#endif /* USE_INTEL_SPEEDUP */ + for (; (blockCnt > 0); blockCnt--) { #ifdef SHA3_FUNC_PTR - (*SHA3_BLOCK)(shake->s); + (*sha3_block)(shake->s); #else BlockSha3(shake->s); #endif @@ -2167,8 +2229,9 @@ int wc_Shake256_SqueezeBlocks(wc_Shake* shake, byte* out, word32 blockCnt) #endif out += WC_SHA3_256_COUNT * 8; } -#if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) && defined(USE_INTEL_SPEEDUP) - if (SHA3_BLOCK == sha3_block_avx2) + +#ifdef USE_INTEL_SPEEDUP + if (sha3_block == sha3_block_avx2) RESTORE_VECTOR_REGISTERS(); #endif From 7545798248aaf2ee9bbd3e2504afd89842ee4d78 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:26:56 -0500 Subject: [PATCH 10/22] clean up setup code for kernel modules: configure.ac: * remove -DWC_SHA3_NO_ASM from ENABLED_LINUXKM AM_CFLAGS. * refactor initial setup for KERNEL_MODE_DEFAULTS, adding generic --enable-kernel-settings while retaining legacy --enable-linuxkm-defaults. * rename $DEF_SP_MATH to $DEF_SP_MATH_ALL. * remove redundant and unneeded setup for KERNEL_MODE_DEFAULTS and ENABLED_LINUXKM (leverage existing setup in settings.h). * move some still-needed KERNEL_MODE_DEFAULTS and ENABLED_LINUXKM setup from configure.ac to settings.h. * set up -DWOLFSSL_KERNEL_MODE_DEFAULTS, so that settings.h can pivot on it. wolfssl/wolfcrypt/settings.h: * revise WOLFSSL_LINUXKM section of settings.h to require WOLFSSL_MIN_AUTH_TAG_SZ at least 8 for old FIPS and 12 for new FIPS. still force down to 4 bytes if crypto fuzzer is enabled, otherwise force down to 8 to support legacy IPsec ESP. * in the WOLFSSL_LINUXKM section, don't set WC_MLKEM_NO_ASM, and disable DEBUG_VECTOR_REGISTER_ACCESS_FUZZING in ML-KEM, ML-DSA, and SLH-DSA -- intelasm works right, but fuzzing doesn't (yet). --- configure.ac | 98 +++++++++++++++++++----------------- wolfssl/wolfcrypt/settings.h | 56 ++++++++++++++++++--- 2 files changed, 99 insertions(+), 55 deletions(-) diff --git a/configure.ac b/configure.ac index 2a58545fcc6..f90fddec757 100644 --- a/configure.ac +++ b/configure.ac @@ -165,12 +165,6 @@ AC_ARG_ENABLE([linuxkm], [ENABLED_LINUXKM=no] ) -AC_ARG_ENABLE([linuxkm-defaults], - [AS_HELP_STRING([--enable-linuxkm-defaults],[Enable feature defaults for Linux Kernel Module (default: disabled)])], - [KERNEL_MODE_DEFAULTS=$enableval], - [KERNEL_MODE_DEFAULTS=$ENABLED_LINUXKM] - ) - # FreeBSD Kernel Module AC_ARG_ENABLE([freebsdkm], [AS_HELP_STRING([--enable-freebsdkm],[Enable FreeBSD Kernel Module (default: disabled)])], @@ -178,6 +172,29 @@ AC_ARG_ENABLE([freebsdkm], [ENABLED_BSDKM=no] ) +if test "$ENABLED_LINUXKM" != "no" || test "$ENABLED_BSDKM" != "no" +then + KERNEL_MODE_DEFAULTS=yes +else + KERNEL_MODE_DEFAULTS=no +fi + +AC_ARG_ENABLE([kernel-settings], + [AS_HELP_STRING([--enable-kernel-settings],[Enable default settings appropriate for kernel modules (default: disabled)])], + [KERNEL_MODE_DEFAULTS=$enableval] + ) + +# backward-compat alias for --enable-kernel-settings +AC_ARG_ENABLE([linuxkm-defaults], + [AS_HELP_STRING([--enable-linuxkm-defaults],[Enable default settings appropriate for kernel modules (default: disabled)])], + [KERNEL_MODE_DEFAULTS=$enableval] + ) + +if test "$KERNEL_MODE_DEFAULTS" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KERNEL_MODE_DEFAULTS" +fi + AC_ARG_ENABLE([freebsdkm-crypto-register], [AS_HELP_STRING([--enable-freebsdkm-crypto-register],[Register wolfCrypt implementations with the FreeBSD kernel opencrypto framework. (default: disabled)])], [ENABLED_BSDKM_REGISTER=$enableval], @@ -446,7 +463,7 @@ AC_SUBST([ENABLED_ASM]) # Default math is SP Math all and not fast math # FIPS v1 and v2 must use fast math -DEF_SP_MATH="yes" +DEF_SP_MATH_ALL="yes" DEF_FAST_MATH="no" # FIPS 140 @@ -557,7 +574,7 @@ AS_CASE([$ENABLED_FIPS], FIPS_VERSION="v1" HAVE_FIPS_VERSION_MAJOR=1 ENABLED_FIPS="yes" - DEF_SP_MATH="no" + DEF_SP_MATH_ALL="no" DEF_FAST_MATH="yes" ], [v2|cert3389],[ @@ -565,7 +582,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MAJOR=2 HAVE_FIPS_VERSION_MINOR=0 ENABLED_FIPS="yes" - DEF_SP_MATH="no" + DEF_SP_MATH_ALL="no" DEF_FAST_MATH="yes" ], [rand],[ @@ -573,7 +590,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MAJOR=2 HAVE_FIPS_VERSION_MINOR=1 ENABLED_FIPS="yes" - DEF_SP_MATH="no" + DEF_SP_MATH_ALL="no" DEF_FAST_MATH="no" ], [v5|cert4718],[ @@ -582,7 +599,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=2 HAVE_FIPS_VERSION_PATCH=1 ENABLED_FIPS="yes" - DEF_SP_MATH="no" + DEF_SP_MATH_ALL="no" DEF_FAST_MATH="yes" ], [v5.2.3],[ @@ -591,7 +608,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=2 HAVE_FIPS_VERSION_PATCH=3 ENABLED_FIPS="yes" - DEF_SP_MATH="yes" + DEF_SP_MATH_ALL="yes" DEF_FAST_MATH="no" ], [v5.2.4],[ @@ -600,7 +617,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=2 HAVE_FIPS_VERSION_PATCH=4 ENABLED_FIPS="yes" - DEF_SP_MATH="yes" + DEF_SP_MATH_ALL="yes" DEF_FAST_MATH="no" ], [v5-RC12],[ @@ -609,7 +626,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=2 HAVE_FIPS_VERSION_PATCH=0 ENABLED_FIPS="yes" - DEF_SP_MATH="no" + DEF_SP_MATH_ALL="no" DEF_FAST_MATH="yes" ], [v5-ready],[ @@ -617,7 +634,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MAJOR=5 HAVE_FIPS_VERSION_MINOR=3 ENABLED_FIPS="yes" - DEF_SP_MATH="no" + DEF_SP_MATH_ALL="no" DEF_FAST_MATH="yes" ], [v5-dev],[ @@ -626,7 +643,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=2 HAVE_FIPS_VERSION_PATCH=1 ENABLED_FIPS="yes" - # for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all) + # for dev, DEF_SP_MATH_ALL and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all) ], [v5-kcapi],[ FIPS_VERSION="v5-dev" @@ -634,7 +651,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=3 HAVE_FIPS_VERSION_PATCH=0 ENABLED_FIPS="yes" - # for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all) + # for dev, DEF_SP_MATH_ALL and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all) ], [v6|v6-dev],[ FIPS_VERSION="v6" @@ -643,7 +660,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=0 HAVE_FIPS_VERSION_PATCH=0 ENABLED_FIPS="yes" - DEF_SP_MATH="yes" + DEF_SP_MATH_ALL="yes" DEF_FAST_MATH="no" ], [v7],[ @@ -653,7 +670,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=0 HAVE_FIPS_VERSION_PATCH=0 ENABLED_FIPS="yes" - DEF_SP_MATH="yes" + DEF_SP_MATH_ALL="yes" DEF_FAST_MATH="no" ], # Should always remain one ahead of the latest so as not to be confused with @@ -665,7 +682,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=0 HAVE_FIPS_VERSION_PATCH=0 ENABLED_FIPS="yes" - DEF_SP_MATH="yes" + DEF_SP_MATH_ALL="yes" DEF_FAST_MATH="no" ], [dev|v7-dev],[ @@ -674,7 +691,7 @@ AS_CASE([$ENABLED_FIPS], HAVE_FIPS_VERSION_MINOR=0 HAVE_FIPS_VERSION_PATCH=0 ENABLED_FIPS="yes" - # for dev, DEF_SP_MATH and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all) + # for dev, DEF_SP_MATH_ALL and DEF_FAST_MATH follow non-FIPS defaults (currently sp-math-all) ], [lean-aesgcm|lean-aesgcm-ready|lean-aesgcm-dev],[ FIPS_VERSION="$ENABLED_FIPS" @@ -809,16 +826,10 @@ then fi AC_SUBST([ENABLED_KERNEL_BENCHMARKS]) -if test "$ENABLED_LINUXKM" = "yes" && test "$KERNEL_MODE_DEFAULTS" = "yes" +# Kernel mode only supports sp-math-all with smallstack. +if test "$KERNEL_MODE_DEFAULTS" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DH_CONST -DWOLFSSL_SP_MOD_WORD_RP -DWOLFSSL_SP_DIV_64 -DWOLFSSL_SP_DIV_WORD_HALF -DWOLFSSL_SMALL_STACK_STATIC -DWC_SHA3_NO_ASM" - if test "$ENABLED_LINUXKM_PIE" = "yes"; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_OCSP_ISSUER_CHECK" - fi - if test "$ENABLED_FIPS" = "no"; then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_OLD_PRIME_CHECK" - fi - DEF_SP_MATH="yes" + DEF_SP_MATH_ALL="yes" DEF_FAST_MATH="no" fi @@ -848,11 +859,11 @@ then # Currently DWARF 5 is the default debug format, but it results in # "Unsupported DW_TAG_atomic_type(0x47): type: 0x1eefc" in some # kernel module builds. - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -gdwarf-4" AS_IF([test "$ax_enable_debug" = "yes"], [AM_CFLAGS="$AM_CFLAGS -g3"], [AM_CFLAGS="$AM_CFLAGS -g1"]) - AM_CCASFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -DWC_SIPHASH_NO_ASM -gdwarf-4" + AM_CCASFLAGS="$AM_CFLAGS -DWOLFSSL_LINUXKM -gdwarf-4" AS_IF([test "$ax_enable_debug" = "yes"], [AM_CCASFLAGS="$AM_CFLAGS -g3"], [AM_CCASFLAGS="$AM_CFLAGS -g1"]) @@ -879,8 +890,6 @@ then if test "${KERNEL_ARCH}" = ""; then AC_MSG_ERROR([Linux kernel target architecture for build tree ${KERNEL_ROOT} could not be determined. Is target kernel configured?]) fi - - AM_CFLAGS="$AM_CFLAGS -DNO_DEV_RANDOM -DNO_WRITEV -DNO_STDIO_FILESYSTEM -DWOLFSSL_NO_SOCK -DWOLFSSL_USER_IO" fi # @@ -894,7 +903,6 @@ if test "x$ENABLED_BSDKM" = "xyes" then # note: bsdkm is wolfcrypt only for now. HAVE_KERNEL_MODE=yes - KERNEL_MODE_DEFAULTS=yes ENABLED_NO_LIBRARY=yes ENABLED_BENCHMARK=no @@ -938,9 +946,9 @@ then DEF_FAST_MATH=no fi -if test "$DEF_SP_MATH" = "yes" && (test "$enable_fastmath" = "yes" || test "$enable_fasthugemath" = "yes" || test "$enable_heapmath" = "yes") +if test "$DEF_SP_MATH_ALL" = "yes" && (test "$enable_fastmath" = "yes" || test "$enable_fasthugemath" = "yes" || test "$enable_heapmath" = "yes") then - DEF_SP_MATH=no + DEF_SP_MATH_ALL=no fi # Single Precision maths implementation @@ -953,7 +961,7 @@ AC_ARG_ENABLE([sp], AC_ARG_ENABLE([sp-math-all], [AS_HELP_STRING([--enable-sp-math-all],[Enable Single Precision math implementation for full algorithm suite (default: enabled)])], [ ENABLED_SP_MATH_ALL=$enableval ], - [ ENABLED_SP_MATH_ALL=$DEF_SP_MATH ], + [ ENABLED_SP_MATH_ALL=$DEF_SP_MATH_ALL ], ) # Single Precision maths (acceleration for common key sizes and curves) @@ -985,7 +993,7 @@ then fi fi -# enable SP math assembly support automatically for x86_64 and aarch64 (except Linux kernel module) +# enable SP math assembly support automatically for x86_64 and aarch64 (except kernel modules) SP_ASM_DEFAULT=no if test "$ENABLED_SP_MATH" = "yes" && test "$KERNEL_MODE_DEFAULTS" = "no" then @@ -1272,7 +1280,7 @@ then if test "$ENABLED_SP_MATH" != "yes" then - # linuxkm is incompatible with opensslextra and its dependents. + # kernel modules are currently incompatible with opensslextra and its dependents. if test "$KERNEL_MODE_DEFAULTS" != "yes" then test "$enable_opensslextra" = "" && enable_opensslextra=yes @@ -1318,7 +1326,7 @@ if test "$ENABLED_ALL_OSP" = "yes" then if test "$KERNEL_MODE_DEFAULTS" = "yes" then - AC_MSG_ERROR([--enable-all-osp is incompatible with --enable-linuxkm-defaults]) + AC_MSG_ERROR([--enable-all-osp is incompatible with kernel mode defaults]) fi test "$enable_tailscale" = "" && enable_tailscale=yes @@ -1593,12 +1601,8 @@ then # AFALG lacks AES-EAX test "$enable_aeseax" = "" && test "$enable_afalg" != "yes" && enable_aeseax=yes test "$enable_sakke" = "" && test "$enable_ecc" != "no" && enable_sakke=yes - - if test "$KERNEL_MODE_DEFAULTS" != "yes" - then - test "$enable_cryptocb" = "" && enable_cryptocb=yes - test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes - fi + test "$enable_cryptocb" = "" && enable_cryptocb=yes + test "$enable_pkcallbacks" = "" && enable_pkcallbacks=yes fi if test "$ENABLED_FIPS" = "no" || test "$HAVE_FIPS_VERSION" -ge 6 diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 9f699145847..a3ac739be54 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3998,8 +3998,31 @@ #undef HAVE_PUBLIC_FFDHE #endif - #undef WOLFSSL_MIN_AUTH_TAG_SZ - #define WOLFSSL_MIN_AUTH_TAG_SZ 4 + #if defined(HAVE_FIPS) + #if FIPS_VERSION3_LT(7, 0, 0) + /* support RFC 4106 IPsec ESP 64 bit tags */ + #undef WOLFSSL_MIN_AUTH_TAG_SZ + #define WOLFSSL_MIN_AUTH_TAG_SZ 8 + #else + /* No short (<96 bit) tags per SP 800-38D 2026 revision in process. */ + #if WOLFSSL_MIN_AUTH_TAG_SZ < 12 + #undef WOLFSSL_MIN_AUTH_TAG_SZ + #define WOLFSSL_MIN_AUTH_TAG_SZ 12 + #endif + #endif + #elif defined(CONFIG_CRYPTO_MANAGER_EXTRA_TESTS) || defined(CONFIG_CRYPTO_SELFTESTS_FULL) + /* The Linux kernel native crypto fuzzer expects small AES-GCM tag sizes to succeed. */ + #if WOLFSSL_MIN_AUTH_TAG_SZ > 4 + #undef WOLFSSL_MIN_AUTH_TAG_SZ + #define WOLFSSL_MIN_AUTH_TAG_SZ 4 + #endif + #else + /* support RFC 4106 IPsec ESP */ + #if WOLFSSL_MIN_AUTH_TAG_SZ > 8 + #undef WOLFSSL_MIN_AUTH_TAG_SZ + #define WOLFSSL_MIN_AUTH_TAG_SZ 8 + #endif + #endif #if defined(LINUXKM_LKCAPI_REGISTER) && !defined(WOLFSSL_ASN_INT_LEAD_0_ANY) /* kernel 5.10 crypto manager tests key(s) that fail unless leading @@ -4011,9 +4034,20 @@ #define WOLFSSL_AARCH64_PRIVILEGE_MODE #endif - /* USE_INTEL_SPEEDUP currently gives wrong results for ML-KEM in linuxkm. */ - #if !defined(WC_MLKEM_NO_ASM) && !defined(WC_MLKEM_KERNEL_ASM) - #define WC_MLKEM_NO_ASM + /* SHA-3 low level state can't alternate freely between C and intelasm. */ + #ifdef _WC_BUILDING_WC_MLKEM_POLY_C + #undef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING + #endif + #ifdef _WC_BUILDING_WC_MLDSA_C + #undef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING + #endif + #ifdef _WC_BUILDING_WC_SLHDSA_C + #undef DEBUG_VECTOR_REGISTER_ACCESS_FUZZING + #endif + + #ifndef WC_SIPHASH_NO_ASM + /* siphash asm produces wrong results in kernel mode. */ + #define WC_SIPHASH_NO_ASM #endif #endif /* WOLFSSL_LINUXKM */ @@ -4094,8 +4128,10 @@ #define WOLFSSL_HAVE_MAX #endif /* WOLFSSL_BSDKM */ -/* Common setup for kernel mode builds */ -#ifdef WOLFSSL_KERNEL_MODE +/* Common setup for kernel mode builds, also compatible with user library via + * WOLFSSL_KERNEL_MODE_DEFAULTS. + */ +#if defined(WOLFSSL_KERNEL_MODE) || defined(WOLFSSL_KERNEL_MODE_DEFAULTS) #ifndef WOLFSSL_API_PREFIX_MAP #define WOLFSSL_API_PREFIX_MAP #endif @@ -4149,7 +4185,11 @@ #undef WOLFSSL_GENERAL_ALIGNMENT #define WOLFSSL_GENERAL_ALIGNMENT SIZEOF_LONG #endif -#endif /* WOLFSSL_KERNEL_MODE */ + + #ifndef WOLFSSL_SMALL_STACK_STATIC + #define WOLFSSL_SMALL_STACK_STATIC + #endif +#endif /* WOLFSSL_KERNEL_MODE || WOLFSSL_KERNEL_MODE_DEFAULTS */ #if defined(WC_SYM_RELOC_TABLES) && defined(HAVE_FIPS) && \ !defined(WC_PIE_RELOC_TABLES) From 948ba6ec10c92be9be7e25eafbac8ea83400c096 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:29:06 -0500 Subject: [PATCH 11/22] * add hard compile-time assert in settings.h for FIPS v7+ asserting that WOLFSSL_MIN_AUTH_TAG_SZ meets SP 800-38D Rev 1 requirements. --- wolfssl/wolfcrypt/settings.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index a3ac739be54..8293226b3d4 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -3558,6 +3558,12 @@ #error WOLFSSL_MIN_AUTH_TAG_SZ must be at least 1 #endif +#if defined(HAVE_FIPS) && FIPS_VERSION3_GE(7, 0, 0) + /* No short (<96 bit) tags per SP 800-38D 2026 revision in process. */ + #if WOLFSSL_MIN_AUTH_TAG_SZ < 12 + #error WOLFSSL_MIN_AUTH_TAG_SZ must be >= 12 per SP 800-38D Rev 1 + #endif +#endif /* sniffer requires: * static RSA cipher suites From 538262a5dc9e140c17dd5452a740347237213745 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:30:57 -0500 Subject: [PATCH 12/22] linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c: add linuxkm-pie support for CheckOcspResponder() (WOLFSSL_NO_OCSP_ISSUER_CHECK is no longer implied by KERNEL_MODE_DEFAULTS). --- linuxkm/linuxkm_wc_port.h | 15 +++++++++++++++ linuxkm/module_hooks.c | 4 ++++ 2 files changed, 19 insertions(+) diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index 58650fc402b..b3ead58babf 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -907,6 +907,13 @@ extern struct WOLFSSL_X509_NAME* wolfSSL_X509_NAME_new_ex(void *heap); #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ + #ifdef HAVE_OCSP + struct OcspResponse; + extern int CheckOcspResponder(struct OcspResponse *bs, unsigned char* subjectNameHash, + unsigned char* subjectKeyHash, unsigned char extExtKeyUsage, unsigned char* issuerNameHash, + unsigned char* issuerKeyHash); + #endif + #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ #if defined(WC_CONTAINERIZE_THIS) && !defined(WC_SYM_RELOC_TABLES) @@ -1222,6 +1229,10 @@ typeof(wolfSSL_X509_NAME_new_ex) *wolfSSL_X509_NAME_new_ex; #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ + #ifdef HAVE_OCSP + typeof(CheckOcspResponder) *CheckOcspResponder; + #endif + #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ typeof(dump_stack) *dump_stack; @@ -1515,6 +1526,10 @@ #define wolfSSL_X509_NAME_new_ex WC_PIE_INDIRECT_SYM(wolfSSL_X509_NAME_new_ex) #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ + #ifdef HAVE_OCSP + #define CheckOcspResponder WC_PIE_INDIRECT_SYM(CheckOcspResponder) + #endif + #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ #define dump_stack WC_PIE_INDIRECT_SYM(dump_stack) diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index 66b953048e4..d9f51654c15 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -1689,6 +1689,10 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { wolfssl_linuxkm_pie_redirect_table.wolfSSL_X509_NAME_free = wolfSSL_X509_NAME_free; wolfssl_linuxkm_pie_redirect_table.wolfSSL_X509_NAME_new_ex = wolfSSL_X509_NAME_new_ex; #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ +#ifdef HAVE_OCSP + wolfssl_linuxkm_pie_redirect_table.CheckOcspResponder = CheckOcspResponder; +#endif + #endif /* !WOLFCRYPT_ONLY && !NO_CERTS */ wolfssl_linuxkm_pie_redirect_table.dump_stack = dump_stack; From bf088dfc3cae454c526a34b9783982a85b616f76 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:34:06 -0500 Subject: [PATCH 13/22] linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c: on kernel >= 7.2, remove indirect symbol support for strncpy and add backward-compat implementation wc_linuxkm_strncpy(). --- linuxkm/linuxkm_wc_port.h | 22 ++++++++++++++++++++++ linuxkm/module_hooks.c | 2 ++ 2 files changed, 24 insertions(+) diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index b3ead58babf..ebeeaa22d18 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -1012,9 +1012,12 @@ #ifndef __ARCH_STRSTR_NO_REDIRECT typeof(strstr) *strstr; #endif + #if LINUX_VERSION_CODE < KERNEL_VERSION(7, 2, 0) + /* note strncpy() purged from kernel by 079a028d63 */ #ifndef __ARCH_STRNCPY_NO_REDIRECT typeof(strncpy) *strncpy; #endif + #endif /* LINUX_VERSION_CODE < KERNEL_VERSION(7, 2, 0) */ #ifndef __ARCH_STRNCAT_NO_REDIRECT typeof(strncat) *strncat; #endif @@ -1364,9 +1367,11 @@ #ifndef __ARCH_STRSTR_NO_REDIRECT #define strstr WC_PIE_INDIRECT_SYM(strstr) #endif + #if LINUX_VERSION_CODE < KERNEL_VERSION(7, 2, 0) #ifndef __ARCH_STRNCPY_NO_REDIRECT #define strncpy WC_PIE_INDIRECT_SYM(strncpy) #endif + #endif #ifndef __ARCH_STRNCAT_NO_REDIRECT #define strncat WC_PIE_INDIRECT_SYM(strncat) #endif @@ -1774,6 +1779,23 @@ #endif /* BUILDING_WOLFSSL */ + #if LINUX_VERSION_CODE >= KERNEL_VERSION(7, 2, 0) + /* note strncpy() purged from kernel by 079a028d63 */ + static __always_inline char *wc_linuxkm_strncpy(char *dst, const char *src, size_t dsize) { + char *dstart = dst, *dend = dst + dsize; + while (dst < dend) { + if (*src == 0) { + *dst = 0; + /* don't bother zero-filling dst. */ + break; + } + *dst++ = *src++; + } + return dstart; + } + #define strncpy wc_linuxkm_strncpy + #endif + #if !defined(BUILDING_WOLFSSL) /* some caller code needs these. */ #if defined(WOLFSSL_USE_SAVE_VECTOR_REGISTERS) diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index d9f51654c15..a940aa53875 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -1412,9 +1412,11 @@ static int set_up_wolfssl_linuxkm_pie_redirect_table(void) { #ifndef __ARCH_STRSTR_NO_REDIRECT wolfssl_linuxkm_pie_redirect_table.strstr = strstr; #endif +#if LINUX_VERSION_CODE < KERNEL_VERSION(7, 2, 0) #ifndef __ARCH_STRNCPY_NO_REDIRECT wolfssl_linuxkm_pie_redirect_table.strncpy = strncpy; #endif +#endif #ifndef __ARCH_STRNCAT_NO_REDIRECT wolfssl_linuxkm_pie_redirect_table.strncat = strncat; #endif From 649197d159f0aca88e12fe306b389aeda56a32d0 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:37:35 -0500 Subject: [PATCH 14/22] replace several nonconformant uses of __FUNCTION__ with __func__ (linuxkm/linuxkm_memory.c, wolfcrypt/src/random.c, wolfcrypt/test/test.c, wolfssl/wolfcrypt/mem_track.h, wolfssl/wolfcrypt/memory.h, wolfssl/wolfcrypt/settings.h). --- linuxkm/linuxkm_memory.c | 6 +++--- wolfcrypt/src/random.c | 4 ++-- wolfcrypt/test/test.c | 2 +- wolfssl/wolfcrypt/mem_track.h | 2 +- wolfssl/wolfcrypt/memory.h | 14 +++++++------- wolfssl/wolfcrypt/settings.h | 18 +++++++++--------- 6 files changed, 23 insertions(+), 23 deletions(-) diff --git a/linuxkm/linuxkm_memory.c b/linuxkm/linuxkm_memory.c index 0b0861d1b03..2f1b75e1125 100644 --- a/linuxkm/linuxkm_memory.c +++ b/linuxkm/linuxkm_memory.c @@ -82,7 +82,7 @@ static inline long find_reloc_tab_offset( unsigned long hop; if (seg_in_offset >= (size_t)reloc_tab[reloc_tab_len - 1].offset) { - RELOC_DEBUG_PRINTF("ERROR: %s failed.\n", __FUNCTION__); + RELOC_DEBUG_PRINTF("ERROR: %s failed.\n", __func__); return BAD_FUNC_ARG; } @@ -113,7 +113,7 @@ static inline long find_reloc_tab_offset( #ifdef DEBUG_LINUXKM_PIE_SUPPORT if (ret < 0) - RELOC_DEBUG_PRINTF("ERROR: %s returning %ld.\n", __FUNCTION__, ret); + RELOC_DEBUG_PRINTF("ERROR: %s returning %ld.\n", __func__, ret); #endif return ret; } @@ -176,7 +176,7 @@ ssize_t wc_reloc_normalize_segment( else { RELOC_DEBUG_PRINTF("ERROR: %s returning BAD_FUNC_ARG with span %llx-%llx versus text %llx-%llx and rodata %llx-%llx.\n", - __FUNCTION__, + __func__, (unsigned long long)(uintptr_t)seg_in, (unsigned long long)(uintptr_t)(seg_in + *seg_in_out_len), (unsigned long long)seg_map->text_start, diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index cfee74e2fb1..eb519650248 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -555,7 +555,7 @@ static int Hash_df(DRBG_internal* drbg, byte* out, word32 outSz, byte type, #ifdef WC_VERBOSE_RNG if (ret != 0) - WOLFSSL_DEBUG_PRINTF("ERROR: %s failed with err = %d", __FUNCTION__, + WOLFSSL_DEBUG_PRINTF("ERROR: %s failed with err = %d", __func__, ret); #endif @@ -1148,7 +1148,7 @@ static int Hash512_df(DRBG_SHA512_internal* drbg, byte* out, word32 outSz, #ifdef WC_VERBOSE_RNG if (ret != 0) - WOLFSSL_DEBUG_PRINTF("ERROR: %s failed with err = %d", __FUNCTION__, + WOLFSSL_DEBUG_PRINTF("ERROR: %s failed with err = %d", __func__, ret); #endif diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index af06d3be5f3..351f2c10c77 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -1127,7 +1127,7 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t aes_cts_test(void); do { \ ret = (err); \ ESP_LOGE(ESPIDF_TAG, "Failed: Error = %d during %s, line %d", \ - err, __FUNCTION__, __LINE__); \ + err, __func__, __LINE__); \ ESP_LOGI(ESPIDF_TAG, "Extended system info:"); \ esp_ShowExtendedSystemInfo(); \ ESP_LOGW(ESPIDF_TAG, "Paused for %d seconds! " \ diff --git a/wolfssl/wolfcrypt/mem_track.h b/wolfssl/wolfcrypt/mem_track.h index daef2753df2..be2a1c35292 100644 --- a/wolfssl/wolfcrypt/mem_track.h +++ b/wolfssl/wolfcrypt/mem_track.h @@ -728,7 +728,7 @@ int StackSizeHWMReset(void) #if defined(__GNUC__) || defined(__clang__) #define STACK_SIZE_INIT() \ - (void)StackSizeSetOffset(__FUNCTION__, __builtin_frame_address(0)) + (void)StackSizeSetOffset(__func__, __builtin_frame_address(0)) #endif #endif /* HAVE_STACK_SIZE_VERBOSE */ diff --git a/wolfssl/wolfcrypt/memory.h b/wolfssl/wolfcrypt/memory.h index f0a4c0c4426..66bc257ee10 100644 --- a/wolfssl/wolfcrypt/memory.h +++ b/wolfssl/wolfcrypt/memory.h @@ -382,7 +382,7 @@ WOLFSSL_LOCAL int wc_debug_CipherLifecycleFree(void **CipherLifecycleTag, fprintf(stderr, \ ("%s() %s @ L %d : incr : " \ "wc_svr_count %d (last op %s L %d)\n"), \ - __FUNCTION__, \ + __func__, \ __FILE__, \ __LINE__, \ wc_svr_count, \ @@ -405,7 +405,7 @@ WOLFSSL_LOCAL int wc_debug_CipherLifecycleFree(void **CipherLifecycleTag, fprintf(stderr, \ ("%s() %s @ L %d : incr : " \ "wc_svr_count %d (last op %s L %d)\n"), \ - __FUNCTION__, \ + __func__, \ __FILE__, \ __LINE__, \ wc_svr_count, \ @@ -460,7 +460,7 @@ WOLFSSL_LOCAL int wc_debug_CipherLifecycleFree(void **CipherLifecycleTag, fprintf(stderr, \ ("%s() %s @ L %d : incr : " \ "wc_svr_count %d (last op %s L %d)\n"), \ - __FUNCTION__, \ + __func__, \ __FILE__, \ __LINE__, \ wc_svr_count, \ @@ -475,7 +475,7 @@ WOLFSSL_LOCAL int wc_debug_CipherLifecycleFree(void **CipherLifecycleTag, fprintf(stderr, \ ("%s() %s @ L %d : incr : " \ "wc_svr_count %d (last op %s L %d)\n"), \ - __FUNCTION__, \ + __func__, \ __FILE__, \ __LINE__, \ wc_svr_count, \ @@ -497,7 +497,7 @@ WOLFSSL_LOCAL int wc_debug_CipherLifecycleFree(void **CipherLifecycleTag, fprintf(stderr, \ ("ASSERT_SAVED_VECTOR_REGISTERS : %s() %s @ L %d : " \ "wc_svr_count %d (last op %s L %d)\n"), \ - __FUNCTION__, \ + __func__, \ __FILE__, \ __LINE__, \ wc_svr_count, \ @@ -511,7 +511,7 @@ WOLFSSL_LOCAL int wc_debug_CipherLifecycleFree(void **CipherLifecycleTag, fprintf(stderr, \ ("ASSERT_RESTORED_VECTOR_REGISTERS : %s() %s @ L %d" \ " : wc_svr_count %d (last op %s L %d)\n"), \ - __FUNCTION__, \ + __func__, \ __FILE__, \ __LINE__, \ wc_svr_count, \ @@ -527,7 +527,7 @@ WOLFSSL_LOCAL int wc_debug_CipherLifecycleFree(void **CipherLifecycleTag, fprintf(stderr, \ ("%s() %s @ L %d : decr : " \ "wc_svr_count %d (last op %s L %d)\n"), \ - __FUNCTION__, \ + __func__, \ __FILE__, \ __LINE__, \ wc_svr_count, \ diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 8293226b3d4..8beccaa3dbc 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -1641,14 +1641,14 @@ #if (defined(DEBUG_WOLFSSL) || defined(DEBUG_WOLFSSL_MALLOC)) #define XMALLOC(s, h, type) \ ((void)(h), (void)(type), wc_debug_pvPortMalloc( \ - (s), (__FILE__), (__LINE__), (__FUNCTION__) )) + s, __FILE__, __LINE__, __func__)) #else #define XMALLOC(s, h, type) \ - ((void)(h), (void)(type), wc_pvPortMalloc((s))) /* native heap */ + ((void)(h), (void)(type), wc_pvPortMalloc(s)) /* native heap */ #endif #else #define XMALLOC(s, h, type) \ - ((void)(h), (void)(type), pvPortMalloc((s))) /* native heap */ + ((void)(h), (void)(type), pvPortMalloc(s)) /* native heap */ #endif /* XFREE */ @@ -1656,14 +1656,14 @@ #if (defined(DEBUG_WOLFSSL) || defined(DEBUG_WOLFSSL_MALLOC)) #define XFREE(p, h, type) \ ((void)(h), (void)(type), wc_debug_pvPortFree( \ - (p), (__FILE__), (__LINE__), (__FUNCTION__) )) + p, __FILE__, __LINE__, __func__)) #else #define XFREE(p, h, type) \ - ((void)(h), (void)(type), wc_pvPortFree((p))) + ((void)(h), (void)(type), wc_pvPortFree(p)) #endif #else #define XFREE(p, h, type) \ - ((void)(h), (void)(type), vPortFree((p))) /* native heap */ + ((void)(h), (void)(type), vPortFree(p)) /* native heap */ #endif /* XREALLOC */ @@ -1671,19 +1671,19 @@ #if (defined(DEBUG_WOLFSSL) || defined(DEBUG_WOLFSSL_MALLOC)) #define XREALLOC(p, n, h, t) \ ((void)(h), (void)(t), wc_debug_pvPortRealloc( \ - (p), (n),(__FILE__), (__LINE__), (__FUNCTION__) )) + p, n, __FILE__, __LINE__, __func__)) #else /* In the Espressif EDP-IDF, realloc(p, n) is equivalent to * heap_caps_realloc(p, s, MALLOC_CAP_8BIT) * There's no pvPortRealloc available, use native heap: */ #define XREALLOC(p, n, h, t) \ - ((void)(h), (void)(t), wc_pvPortRealloc((p), (n))) + ((void)(h), (void)(t), wc_pvPortRealloc(p, n)) #endif #elif defined(USE_INTEGER_HEAP_MATH) || defined(OPENSSL_EXTRA) || \ defined(OPENSSL_ALL) /* FreeRTOS pvPortRealloc() implementation can be found here: * https://github.com/wolfSSL/wolfssl-freertos/pull/3/files */ - #define XREALLOC(p, n, h, t) ((void)(h), (void)(t), pvPortRealloc((p), (n))) + #define XREALLOC(p, n, h, t) ((void)(h), (void)(t), pvPortRealloc(p, n)) #else /* no XREALLOC available */ #endif From cba69093cc82102f148c33d57549ef6914ba8eae Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:41:17 -0500 Subject: [PATCH 15/22] wolfcrypt/src/port/riscv/riscv-64-aes.c: in GHASH(), remove runtime nullness check for arg 1 (matching nonnull attribute to arg 1 added to prototype in earlier commit). --- wolfcrypt/src/port/riscv/riscv-64-aes.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/wolfcrypt/src/port/riscv/riscv-64-aes.c b/wolfcrypt/src/port/riscv/riscv-64-aes.c index 2f23070ce09..4e1c14c842e 100644 --- a/wolfcrypt/src/port/riscv/riscv-64-aes.c +++ b/wolfcrypt/src/port/riscv/riscv-64-aes.c @@ -4552,7 +4552,6 @@ static WC_INLINE void FlattenSzInBits(byte* buf, word32 sz) void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz, byte* s, word32 sSz) { - if (gcm != NULL) { ALIGN8 byte x[WC_AES_BLOCK_SIZE]; ALIGN8 byte scratch[WC_AES_BLOCK_SIZE]; byte* h = gcm->H; @@ -4688,7 +4687,6 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz, /* Copy the result into s. */ XMEMCPY(s, x, sSz); - } } #define HAVE_GHASH @@ -5295,7 +5293,6 @@ static void ghash_blocks(byte* x, byte* y, const byte* in, word32 blocks) void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz, byte* s, word32 sSz) { - if (gcm != NULL) { ALIGN8 byte x[WC_AES_BLOCK_SIZE]; ALIGN8 byte scratch[WC_AES_BLOCK_SIZE]; word32 blocks, partial; @@ -5343,7 +5340,6 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz, /* Copy the result into s. */ XMEMCPY(s, x, sSz); - } } #define HAVE_GHASH @@ -8720,7 +8716,6 @@ static WC_INLINE void GMULT(byte *x, byte m[32][WC_AES_BLOCK_SIZE]) void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz, byte* s, word32 sSz) { - if (gcm != NULL) { ALIGN8 byte x[WC_AES_BLOCK_SIZE]; ALIGN8 byte scratch[WC_AES_BLOCK_SIZE]; word32 blocks, partial; @@ -8769,7 +8764,6 @@ void GHASH(Gcm* gcm, const byte* a, word32 aSz, const byte* c, word32 cSz, /* Copy the result into s. */ XMEMCPY(s, x, sSz); - } } #endif /* !HAVE_GHASH */ From ac5f2b98e7ce63db87325ea600327d05dd0cc56c Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:41:44 -0500 Subject: [PATCH 16/22] wolfcrypt/src/wc_slhdsa.c: * disable asm accelerations if WC_SHA3_NO_ASM is set. * fix an uninited-data warning in slhdsakey_wots_pkgen_chain_c(). --- wolfcrypt/src/wc_slhdsa.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/wc_slhdsa.c b/wolfcrypt/src/wc_slhdsa.c index 7dd6a717533..4d24d5ff968 100644 --- a/wolfcrypt/src/wc_slhdsa.c +++ b/wolfcrypt/src/wc_slhdsa.c @@ -49,7 +49,7 @@ #include #endif -#ifdef WC_SLHDSA_NO_ASM +#if defined(WC_SLHDSA_NO_ASM) || defined(WC_SHA3_NO_ASM) #undef USE_INTEL_SPEEDUP #undef WOLFSSL_ARMASM #undef WOLFSSL_RISCV_ASM @@ -3283,6 +3283,8 @@ static int slhdsakey_wots_pkgen_chain_c(SlhDsaKey* key, const byte* sk_seed, WC_ALLOC_VAR_EX(sk, byte, (SLHDSA_MAX_MSG_SZ + 3) * SLHDSA_MAX_N, key->heap, DYNAMIC_TYPE_SLHDSA, ret = MEMORY_E); + if (ret == 0) + XMEMSET(sk, 0, (SLHDSA_MAX_MSG_SZ + 3) * SLHDSA_MAX_N); if (ret == 0) { /* Step 4. len consecutive addresses. */ for (i = 0; i < len; i++) { From 3811ec0aa73a6f947159f5426539d954a41e1da0 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:47:32 -0500 Subject: [PATCH 17/22] linuxkm-related loose ends: * wolfssl/ocsp.h: gate out the CheckOcspResponder() prototype if defined(CheckOcspResponder) (for linuxkm-pie). * wolfcrypt/src/wc_mldsa.c: add support for WC_MLDSA_NO_ASM. * .wolfssl_known_macro_extras: add new macros. --- .wolfssl_known_macro_extras | 2 ++ wolfcrypt/src/wc_mldsa.c | 6 ++++++ wolfssl/ocsp.h | 2 ++ 3 files changed, 10 insertions(+) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index de6f2452f14..f1e8684b390 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -634,6 +634,7 @@ USE_WOLF_STRNSTR USS_API WC_AESXTS_STREAM_NO_REQUEST_ACCOUNTING WC_AES_BS_WORD_SIZE +WC_AES_GCM_ALLOW_NONSTANDARD_TAG_LENGTH WC_AES_GCM_DEC_AUTH_EARLY WC_ALLOW_ECC_ZERO_HASH WC_ASN_HASH_SHA256 @@ -669,6 +670,7 @@ WC_HASH_CUSTOM_MAX_DIGEST_SIZE WC_HASH_CUSTOM_MIN_DIGEST_SIZE WC_INIT_ERROR_WHEN_CONTENDED WC_LINUXKM_NO_USE_HEAP_WRAPPERS +WC_MLDSA_NO_ASM WC_MLKEM_KERNEL_ASM WC_NO_ASYNC_SLEEP WC_NO_RNG_SIMPLE diff --git a/wolfcrypt/src/wc_mldsa.c b/wolfcrypt/src/wc_mldsa.c index 4adfa004d09..79d18dddb67 100644 --- a/wolfcrypt/src/wc_mldsa.c +++ b/wolfcrypt/src/wc_mldsa.c @@ -150,6 +150,12 @@ #if defined(WOLFSSL_HAVE_MLDSA) +#if defined(WC_MLDSA_NO_ASM) || defined(WC_SHA3_NO_ASM) + #undef USE_INTEL_SPEEDUP + #undef WOLFSSL_ARMASM + #undef WOLFSSL_RISCV_ASM +#endif + /* Pull in the legacy compatibility shim. wc_mldsa.h pulls in dilithium.h * itself for the forward arm of the sub-config gate translation (so the * canonical WOLFSSL_MLDSA_* gates are visible to wc_mldsa.h's own diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h index 103475c0b84..b0ec5045bf7 100644 --- a/wolfssl/ocsp.h +++ b/wolfssl/ocsp.h @@ -74,9 +74,11 @@ WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int resp OcspEntry *entry, OcspRequest *ocspRequest, void* heap); +#ifndef CheckOcspResponder WOLFSSL_LOCAL int CheckOcspResponder(OcspResponse *bs, byte* subjectNameHash, byte* subjectKeyHash, byte extExtKeyUsage, byte* issuerNameHash, byte* issuerKeyHash); +#endif /* Allocates and initializes a WOLFSSL_OCSP object */ WOLFSSL_API WOLFSSL_OCSP* wc_NewOCSP(WOLFSSL_CERT_MANAGER* cm); From 262b0ed3b87690da633988004964a62d6759c4f3 Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 14:48:17 -0500 Subject: [PATCH 18/22] tweaks for linuxkm targeting clang-built kernels: linuxkm/: when logging PTR_ERR(), cast it to int, and use "%d" as the format. Globally, `#define PTR_ERR(x) ((int)PTR_ERR(x))` in linuxkm_wc_port.h to fix clang warnings on kernel headers. linuxkm/lkcapi_aes_glue.c: add casts in linuxkm_test_aesgcm() to mollify clang. linuxkm/linuxkm_wc_port.h, linuxkm/module_hooks.c: * add __clang__ compat code to allow including clang stdatomic.h while masking out kernel-incompatible __CLANG_STDINT_H. * add clang-specific suppressions for kernel headers (-Wshorten-64-to-32, -Wframe-address). linuxkm/lkcapi_sha_glue.c: * in wc__get_random_bytes(), add bounds-checking for len. * in wc_extract_crng_user(), fix type conflicts. wolfssl/wolfcrypt/wc_port.h and wolfssl/wolfcrypt/types.h: * move the old-FIPS compatibility mapping from INLINE to WC_INLINE from types.h to wc_port.h. * activate stdatomic.h for clang kernel module builds. linuxkm/Kbuild: * add clang-specific flags. * add gcc gate around gcc-specific flags. * allow override value for MAX_STACK_FRAME_SIZE. wolfcrypt/src/asn.c: add casts in GetFormattedTime_ex() to mollify clang build of linuxkm. --- linuxkm/Kbuild | 14 ++++++++++++- linuxkm/linuxkm_wc_port.h | 36 +++++++++++++++++++++++++++++++-- linuxkm/lkcapi_aes_glue.c | 40 ++++++++++++++++++------------------- linuxkm/lkcapi_dh_glue.c | 4 ++-- linuxkm/lkcapi_ecdh_glue.c | 8 ++++---- linuxkm/lkcapi_ecdsa_glue.c | 8 ++++---- linuxkm/lkcapi_glue.c | 12 +++++------ linuxkm/lkcapi_rsa_glue.c | 12 +++++------ linuxkm/lkcapi_sha_glue.c | 29 +++++++++++++++++---------- linuxkm/module_hooks.c | 4 ++-- wolfcrypt/src/asn.c | 6 +++--- wolfssl/wolfcrypt/types.h | 4 ---- wolfssl/wolfcrypt/wc_port.h | 12 ++++++++--- 13 files changed, 121 insertions(+), 68 deletions(-) diff --git a/linuxkm/Kbuild b/linuxkm/Kbuild index 831a45c76a4..e5974e4a930 100644 --- a/linuxkm/Kbuild +++ b/linuxkm/Kbuild @@ -80,11 +80,21 @@ endif HOST_EXTRACFLAGS += $(NOSTDINC_FLAGS) $(LINUXINCLUDE) $(KBUILD_CFLAGS) -static -fno-omit-frame-pointer +ifdef CONFIG_CC_IS_CLANG + HOST_EXTRACFLAGS += -mfunction-return=keep +endif + # "-mindirect-branch=keep -mfunction-return=keep" to avoid "undefined reference # to `__x86_return_thunk'" on CONFIG_RETHUNK kernels (5.19.0-rc7) +ifdef CONFIG_CC_IS_GCC ifeq "$(KERNEL_ARCH_X86)" "yes" HOST_EXTRACFLAGS += -mindirect-branch=keep -mfunction-return=keep endif +endif + +ifdef CONFIG_CC_IS_CLANG + WOLFSSL_CFLAGS += -Wno-unused-parameter +endif # this rule is needed to get build to succeed in 4.x (get_thread_size still doesn't get built) $(obj)/linuxkm/get_thread_size: $(src)/linuxkm/get_thread_size.c @@ -93,7 +103,9 @@ ifndef KERNEL_THREAD_STACK_SIZE $(WOLFSSL_OBJ_TARGETS): | $(obj)/linuxkm/get_thread_size KERNEL_THREAD_STACK_SIZE=$(shell test -x $(obj)/linuxkm/get_thread_size && $(obj)/linuxkm/get_thread_size || echo 16384) endif -MAX_STACK_FRAME_SIZE=$(shell echo $$(( $(KERNEL_THREAD_STACK_SIZE) / 4))) +ifndef MAX_STACK_FRAME_SIZE + MAX_STACK_FRAME_SIZE=$(shell echo $$(( $(KERNEL_THREAD_STACK_SIZE) / 4))) +endif $(LIBWOLFSSL_NAME)-y := $(WOLFSSL_OBJ_FILES) linuxkm/module_hooks.o linuxkm/module_exports.o diff --git a/linuxkm/linuxkm_wc_port.h b/linuxkm/linuxkm_wc_port.h index ebeeaa22d18..ed4e50d54d7 100644 --- a/linuxkm/linuxkm_wc_port.h +++ b/linuxkm/linuxkm_wc_port.h @@ -76,6 +76,31 @@ #define _GCC_STDINT_H #define WC_PTR_TYPE uintptr_t + #ifdef __clang__ + /* inhibit inclusion of LLVM stdint.h (included via LLVM stdatomic.h) to + * avoid conflicts with linux/types.h. + */ + #define __CLANG_STDINT_H + #define uint_least64_t uint64_t + #define int_least64_t int64_t + #define uint_least32_t uint32_t + #define int_least32_t int32_t + #define uint_least16_t uint16_t + #define int_least16_t int16_t + #define uint_least8_t uint8_t + #define int_least8_t int8_t + #define uint_fast64_t uint64_t + #define int_fast64_t int64_t + #define uint_fast32_t uint32_t + #define int_fast32_t int32_t + #define uint_fast16_t uint16_t + #define int_fast16_t int16_t + #define uint_fast8_t uint8_t + #define int_fast8_t int8_t + #define uintmax_t uint64_t + #define intmax_t int64_t + #endif + /* needed to suppress inclusion of stdio.h in wolfssl/wolfcrypt/types.h */ #define XSNPRINTF snprintf @@ -320,6 +345,10 @@ _Pragma("GCC diagnostic ignored \"-Wcast-function-type\""); /* needed for kernel 4.14.336 */ _Pragma("GCC diagnostic ignored \"-Wformat-nonliteral\""); /* needed for kernel 4.9.282 */ _Pragma("GCC diagnostic ignored \"-Wattributes\""); +#ifdef __clang__ + _Pragma("clang diagnostic ignored \"-Wshorten-64-to-32\""); + _Pragma("clang diagnostic ignored \"-Wframe-address\""); +#endif #ifdef CONFIG_KASAN #ifndef WC_SANITIZE_DISABLE @@ -776,6 +805,8 @@ _Pragma("GCC diagnostic pop"); + #define PTR_ERR(x) ((int)PTR_ERR(x)) + #if defined(HAVE_FIPS) && FIPS_VERSION3_LT(7,0,0) && !defined(NO_AES) /* with CONFIG_FORTIFY_SOURCE we've seen false positive * maybe-uninitialized on counter in AES_GCM_encrypt_C(). This is easy @@ -792,6 +823,7 @@ unsigned int aSz, const unsigned char* c, unsigned int cSz, unsigned char* s, unsigned int sSz); #endif + /* Need to suppress the otherwise-warned nullness checks in old FIPS aes.c. */ _Pragma("GCC diagnostic ignored \"-Wnonnull-compare\""); #endif @@ -1211,8 +1243,8 @@ typeof(wolfCrypt_FIPS_ft_ro_sanity) *wolfCrypt_FIPS_ft_ro_sanity; typeof(wolfCrypt_FIPS_f_ro_sanity) *wolfCrypt_FIPS_f_ro_sanity; typeof(wc_RunAllCast_fips) *wc_RunAllCast_fips; - #endif - #endif + #endif /* FIPS_VERSION3_GE(6,0,0) */ + #endif /* HAVE_FIPS */ #if !defined(WOLFCRYPT_ONLY) && !defined(NO_CERTS) typeof(GetCA) *GetCA; diff --git a/linuxkm/lkcapi_aes_glue.c b/linuxkm/lkcapi_aes_glue.c index 48e4cdf957e..8fea174bf21 100644 --- a/linuxkm/lkcapi_aes_glue.c +++ b/linuxkm/lkcapi_aes_glue.c @@ -1201,9 +1201,9 @@ static int AesGcmCrypt_1(struct aead_request *req, int decrypt_p, int rfc4106_p) #endif if (unlikely(IS_ERR(assoc))) { err = (int)PTR_ERR(assoc); - pr_err("%s: scatterwalk_map failed: %ld\n", + pr_err("%s: scatterwalk_map failed: %d\n", crypto_tfm_alg_driver_name(crypto_aead_tfm(tfm)), - PTR_ERR(assoc)); + (int)PTR_ERR(assoc)); assoc = NULL; goto out; } @@ -1415,9 +1415,9 @@ static int AesGcmCrypt_1(struct aead_request *req, int decrypt_p, int rfc4106_p) #endif if (unlikely(IS_ERR(in_map))) { err = (int)PTR_ERR(in_map); - pr_err("%s: scatterwalk_map failed: %ld\n", + pr_err("%s: scatterwalk_map failed: %d\n", crypto_tfm_alg_driver_name(crypto_aead_tfm(tfm)), - PTR_ERR(in_map)); + (int)PTR_ERR(in_map)); in_map = NULL; goto out; } @@ -1433,9 +1433,9 @@ static int AesGcmCrypt_1(struct aead_request *req, int decrypt_p, int rfc4106_p) #endif if (unlikely(IS_ERR(out_map))) { err = (int)PTR_ERR(out_map); - pr_err("%s: scatterwalk_map failed: %ld\n", + pr_err("%s: scatterwalk_map failed: %d\n", crypto_tfm_alg_driver_name(crypto_aead_tfm(tfm)), - PTR_ERR(out_map)); + (int)PTR_ERR(out_map)); out_map = NULL; goto out; } @@ -1916,9 +1916,9 @@ static int AesCcmCrypt_1(struct aead_request *req, int decrypt_p, int rfc4309_p) #endif if (unlikely(IS_ERR(in_map))) { err = (int)PTR_ERR(in_map); - pr_err("%s: scatterwalk_map failed: %ld\n", + pr_err("%s: scatterwalk_map failed: %d\n", crypto_tfm_alg_driver_name(crypto_aead_tfm(tfm)), - PTR_ERR(in_map)); + (int)PTR_ERR(in_map)); in_map = NULL; goto out; } @@ -1934,9 +1934,9 @@ static int AesCcmCrypt_1(struct aead_request *req, int decrypt_p, int rfc4309_p) #endif if (unlikely(IS_ERR(out_map))) { err = (int)PTR_ERR(out_map); - pr_err("%s: scatterwalk_map failed: %ld\n", + pr_err("%s: scatterwalk_map failed: %d\n", crypto_tfm_alg_driver_name(crypto_aead_tfm(tfm)), - PTR_ERR(out_map)); + (int)PTR_ERR(out_map)); out_map = NULL; goto out; } @@ -3129,8 +3129,8 @@ static int linuxkm_test_aescbc(void) tfm = crypto_alloc_skcipher(WOLFKM_AESCBC_NAME, 0, 0); if (IS_ERR(tfm)) { - pr_err("error: allocating AES skcipher algorithm %s failed: %ld\n", - WOLFKM_AESCBC_DRIVER, PTR_ERR(tfm)); + pr_err("error: allocating AES skcipher algorithm %s failed: %d\n", + WOLFKM_AESCBC_DRIVER, (int)PTR_ERR(tfm)); tfm = NULL; goto test_cbc_end; } @@ -3342,8 +3342,8 @@ static int linuxkm_test_aescfb(void) tfm = crypto_alloc_skcipher(WOLFKM_AESCFB_NAME, 0, 0); if (IS_ERR(tfm)) { - pr_err("error: allocating AES skcipher algorithm %s failed: %ld\n", - WOLFKM_AESCFB_DRIVER, PTR_ERR(tfm)); + pr_err("error: allocating AES skcipher algorithm %s failed: %d\n", + WOLFKM_AESCFB_DRIVER, (int)PTR_ERR(tfm)); tfm = NULL; goto test_cfb_end; } @@ -3606,8 +3606,8 @@ static int linuxkm_test_aesgcm(void) tfm = crypto_alloc_aead(WOLFKM_AESGCM_NAME, 0, 0); if (IS_ERR(tfm)) { - pr_err("error: allocating AES aead algorithm %s failed: %ld\n", - WOLFKM_AESGCM_DRIVER, PTR_ERR(tfm)); + pr_err("error: allocating AES aead algorithm %s failed: %d\n", + WOLFKM_AESGCM_DRIVER, (int)PTR_ERR(tfm)); tfm = NULL; goto test_gcm_end; } @@ -3658,7 +3658,7 @@ static int linuxkm_test_aesgcm(void) sg_init_table(dst, 2); sg_set_buf(dst, assoc2, sizeof(assoc)); - sg_set_buf(&dst[1], enc2, decryptLen); + sg_set_buf(&dst[1], enc2, (unsigned int)decryptLen); aead_request_set_callback(req, 0, NULL, NULL); aead_request_set_ad(req, sizeof(assoc)); @@ -3686,7 +3686,7 @@ static int linuxkm_test_aesgcm(void) /* Now decrypt crypto request. Reverse src and dst. */ XMEMSET(dec2, 0, decryptLen); aead_request_set_ad(req, sizeof(assoc)); - aead_request_set_crypt(req, dst, src, decryptLen, iv); + aead_request_set_crypt(req, dst, src, (unsigned int)decryptLen, iv); ret = crypto_aead_decrypt(req); @@ -4209,7 +4209,7 @@ static int aes_xts_128_test(void) tfm = crypto_alloc_skcipher(WOLFKM_AESXTS_NAME, 0, 0); if (IS_ERR(tfm)) { - ret = PTR_ERR(tfm); + ret = (int)PTR_ERR(tfm); pr_err("error: allocating AES skcipher algorithm %s failed: %d\n", WOLFKM_AESXTS_DRIVER, ret); tfm = NULL; @@ -4706,7 +4706,7 @@ static int aes_xts_256_test(void) tfm = crypto_alloc_skcipher(WOLFKM_AESXTS_NAME, 0, 0); if (IS_ERR(tfm)) { - ret = PTR_ERR(tfm); + ret = (int)PTR_ERR(tfm); pr_err("error: allocating AES skcipher algorithm %s failed: %d\n", WOLFKM_AESXTS_DRIVER, ret); tfm = NULL; diff --git a/linuxkm/lkcapi_dh_glue.c b/linuxkm/lkcapi_dh_glue.c index b96a66e5fa4..f5a70492ef0 100644 --- a/linuxkm/lkcapi_dh_glue.c +++ b/linuxkm/lkcapi_dh_glue.c @@ -2901,8 +2901,8 @@ static int linuxkm_test_kpp_driver(const char * driver, * */ tfm = crypto_alloc_kpp(driver, 0, 0); if (IS_ERR(tfm)) { - pr_err("error: allocating kpp algorithm %s failed: %ld\n", - driver, PTR_ERR(tfm)); + pr_err("error: allocating kpp algorithm %s failed: %d\n", + driver, (int)PTR_ERR(tfm)); if (PTR_ERR(tfm) == -ENOMEM) test_rc = MEMORY_E; else diff --git a/linuxkm/lkcapi_ecdh_glue.c b/linuxkm/lkcapi_ecdh_glue.c index c3403bc576b..9cd05d99e1a 100644 --- a/linuxkm/lkcapi_ecdh_glue.c +++ b/linuxkm/lkcapi_ecdh_glue.c @@ -911,15 +911,15 @@ static int linuxkm_test_ecdh_nist_driver(const char * driver, #if defined(HAVE_FIPS) && defined(CONFIG_CRYPTO_MANAGER) && \ !defined(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) if ((PTR_ERR(tfm) == -ENOENT) && fips_enabled) { - pr_info("info: skipping unsupported kpp algorithm %s: %ld\n", - driver, PTR_ERR(tfm)); + pr_info("info: skipping unsupported kpp algorithm %s: %d\n", + driver, (int)PTR_ERR(tfm)); test_rc = NOT_COMPILED_IN; } else #endif { - pr_err("error: allocating kpp algorithm %s failed: %ld\n", - driver, PTR_ERR(tfm)); + pr_err("error: allocating kpp algorithm %s failed: %d\n", + driver, (int)PTR_ERR(tfm)); if (PTR_ERR(tfm) == -ENOMEM) test_rc = MEMORY_E; else diff --git a/linuxkm/lkcapi_ecdsa_glue.c b/linuxkm/lkcapi_ecdsa_glue.c index 4cece534320..c9daf0b000a 100644 --- a/linuxkm/lkcapi_ecdsa_glue.c +++ b/linuxkm/lkcapi_ecdsa_glue.c @@ -749,15 +749,15 @@ static int linuxkm_test_ecdsa_nist_driver(const char * driver, * in kernel crypto/testmgr.c, and the kernel will block * its allocation if fips_enabled is set. */ if ((PTR_ERR(tfm) == -ENOENT) && fips_enabled) { - pr_info("info: skipping unsupported akcipher algorithm %s: %ld\n", - driver, PTR_ERR(tfm)); + pr_info("info: skipping unsupported akcipher algorithm %s: %d\n", + driver, (int)PTR_ERR(tfm)); test_rc = NOT_COMPILED_IN; } else #endif { - pr_err("error: allocating akcipher algorithm %s failed: %ld\n", - driver, PTR_ERR(tfm)); + pr_err("error: allocating akcipher algorithm %s failed: %d\n", + driver, (int)PTR_ERR(tfm)); if (PTR_ERR(tfm) == -ENOMEM) test_rc = MEMORY_E; else diff --git a/linuxkm/lkcapi_glue.c b/linuxkm/lkcapi_glue.c index 8b23b015ac4..a3c00449387 100644 --- a/linuxkm/lkcapi_glue.c +++ b/linuxkm/lkcapi_glue.c @@ -125,8 +125,8 @@ WC_MAYBE_UNUSED static int check_skcipher_driver_masking(struct crypto_skcipher tfm = crypto_alloc_skcipher(alg_name, 0, 0); } if (IS_ERR(tfm)) { - pr_err("error: allocating skcipher algorithm %s failed: %ld\n", - alg_name, PTR_ERR(tfm)); + pr_err("error: allocating skcipher algorithm %s failed: %d\n", + alg_name, (int)PTR_ERR(tfm)); return -EINVAL; } actual_driver_name = crypto_tfm_alg_driver_name(crypto_skcipher_tfm(tfm)); @@ -158,8 +158,8 @@ WC_MAYBE_UNUSED static int check_aead_driver_masking(struct crypto_aead *tfm, co tfm = crypto_alloc_aead(alg_name, 0, 0); } if (IS_ERR(tfm)) { - pr_err("error: allocating AEAD algorithm %s failed: %ld\n", - alg_name, PTR_ERR(tfm)); + pr_err("error: allocating AEAD algorithm %s failed: %d\n", + alg_name, (int)PTR_ERR(tfm)); return -EINVAL; } actual_driver_name = crypto_tfm_alg_driver_name(crypto_aead_tfm(tfm)); @@ -191,8 +191,8 @@ WC_MAYBE_UNUSED static int check_shash_driver_masking(struct crypto_shash *tfm, tfm = crypto_alloc_shash(alg_name, 0, 0); } if (IS_ERR(tfm)) { - pr_err("error: allocating shash algorithm %s failed: %ld\n", - alg_name, PTR_ERR(tfm)); + pr_err("error: allocating shash algorithm %s failed: %d\n", + alg_name, (int)PTR_ERR(tfm)); return -EINVAL; } actual_driver_name = crypto_tfm_alg_driver_name(crypto_shash_tfm(tfm)); diff --git a/linuxkm/lkcapi_rsa_glue.c b/linuxkm/lkcapi_rsa_glue.c index 92cdef8f007..17e8618c95c 100644 --- a/linuxkm/lkcapi_rsa_glue.c +++ b/linuxkm/lkcapi_rsa_glue.c @@ -2298,8 +2298,8 @@ static int linuxkm_test_rsa_driver(const char * driver, int nbits) * */ tfm = crypto_alloc_akcipher(driver, 0, 0); if (IS_ERR(tfm)) { - pr_err("error: allocating akcipher algorithm %s failed: %ld\n", - driver, PTR_ERR(tfm)); + pr_err("error: allocating akcipher algorithm %s failed: %d\n", + driver, (int)PTR_ERR(tfm)); tfm = NULL; goto test_rsa_end; } @@ -2722,8 +2722,8 @@ static int linuxkm_test_pkcs1pad_driver(const char * driver, int nbits, skipped = 1; } else { - pr_err("error: allocating akcipher algorithm %s failed: %ld\n", - driver, PTR_ERR(tfm)); + pr_err("error: allocating akcipher algorithm %s failed: %d\n", + driver, (int)PTR_ERR(tfm)); if (PTR_ERR(tfm) == -ENOMEM) { test_rc = MEMORY_E; } @@ -3229,8 +3229,8 @@ static int linuxkm_test_pkcs1_driver(const char * driver, int nbits, skipped = 1; } else { - pr_err("error: allocating sig algorithm %s failed: %ld\n", - driver, PTR_ERR(tfm)); + pr_err("error: allocating sig algorithm %s failed: %d\n", + driver, (int)PTR_ERR(tfm)); if (PTR_ERR(tfm) == -ENOMEM) { test_rc = MEMORY_E; } diff --git a/linuxkm/lkcapi_sha_glue.c b/linuxkm/lkcapi_sha_glue.c index 68a61d90689..33b91048eab 100644 --- a/linuxkm/lkcapi_sha_glue.c +++ b/linuxkm/lkcapi_sha_glue.c @@ -1352,7 +1352,12 @@ static int wc_linuxkm_drbg_loaded = 0; static int wc__get_random_bytes(void *buf, size_t len) { struct wc_rng_bank *current_default_wc_rng_bank; - int ret = wc_rng_bank_default_checkout(¤t_default_wc_rng_bank); + int ret; + + if (len > WC_MAX_UINT_OF(unsigned int)) + return -EINVAL; + + ret = wc_rng_bank_default_checkout(¤t_default_wc_rng_bank); if (ret) { #ifdef WC_VERBOSE_RNG pr_err_ratelimited("ERROR: wc_rng_bank_default_checkout() in wc__get_random_bytes() returned %d.\n", ret); @@ -1361,7 +1366,7 @@ static int wc__get_random_bytes(void *buf, size_t len) } else { ret = wc_linuxkm_drbg_generate(current_default_wc_rng_bank, - NULL, 0, buf, len); + NULL, 0, buf, (unsigned int)len); (void)wc_rng_bank_default_checkin(¤t_default_wc_rng_bank); if (ret) { pr_warn("BUG: wc__get_random_bytes falling through to native get_random_bytes with wc_linuxkm_drbg_default_instance_registered, ret=%d.\n", ret); @@ -1374,14 +1379,14 @@ static int wc__get_random_bytes(void *buf, size_t len) /* used by kernel >=5.14.0 */ static ssize_t wc_get_random_bytes_user(struct iov_iter *iter) { struct wc_rng_bank *current_default_wc_rng_bank; - int ret; + ssize_t ret; if (unlikely(!iov_iter_count(iter))) return 0; ret = wc_rng_bank_default_checkout(¤t_default_wc_rng_bank); if (ret) { #ifdef WC_VERBOSE_RNG - pr_err_ratelimited("ERROR: wc_rng_bank_default_checkout() in wc_get_random_bytes_user() returned %d.\n", ret); + pr_err_ratelimited("ERROR: wc_rng_bank_default_checkout() in wc_get_random_bytes_user() returned %ld.\n", ret); #endif return -ECANCELED; } @@ -1393,7 +1398,7 @@ static ssize_t wc_get_random_bytes_user(struct iov_iter *iter) { ret = wc_linuxkm_drbg_generate(current_default_wc_rng_bank, NULL, 0, block, sizeof block); if (unlikely(ret != 0)) { - pr_err("ERROR: wc_get_random_bytes_user() wc_linuxkm_drbg_generate() returned %d.\n", ret); + pr_err("ERROR: wc_get_random_bytes_user() wc_linuxkm_drbg_generate() returned %ld.\n", ret); break; } @@ -1435,7 +1440,7 @@ static ssize_t wc_get_random_bytes_user(struct iov_iter *iter) { /* used by kernel 4.9.0-5.13.x */ static ssize_t wc_extract_crng_user(void __user *buf, size_t nbytes) { - int ret; + ssize_t ret; struct wc_rng_bank *current_default_wc_rng_bank; if (unlikely(!nbytes)) return 0; @@ -1443,7 +1448,7 @@ static ssize_t wc_extract_crng_user(void __user *buf, size_t nbytes) { ret = wc_rng_bank_default_checkout(¤t_default_wc_rng_bank); if (ret) { #ifdef WC_VERBOSE_RNG - pr_err_ratelimited("ERROR: wc_rng_bank_default_checkout() in wc_extract_crng_user() returned %d.\n", ret); + pr_err_ratelimited("ERROR: wc_rng_bank_default_checkout() in wc_extract_crng_user() returned %ld.\n", ret); #endif return -ECANCELED; } @@ -1455,11 +1460,13 @@ static ssize_t wc_extract_crng_user(void __user *buf, size_t nbytes) { ret = wc_linuxkm_drbg_generate(current_default_wc_rng_bank, NULL, 0, block, sizeof block); if (unlikely(ret != 0)) { - pr_err("ERROR: wc_extract_crng_user() wc_linuxkm_drbg_generate() returned %d.\n", ret); + pr_err("ERROR: wc_extract_crng_user() wc_linuxkm_drbg_generate() returned %ld.\n", ret); break; } - this_copied = min(nbytes - total_copied, sizeof(block)); + this_copied = nbytes - total_copied; + if (this_copied > sizeof(block)) + this_copied = sizeof(block); if (copy_to_user((byte *)buf + total_copied, block, this_copied)) { ret = -EFAULT; break; @@ -1808,8 +1815,8 @@ static int wc_linuxkm_drbg_startup(void) { struct crypto_rng *tfm = crypto_alloc_rng(wc_linuxkm_drbg.base.cra_name, 0, 0); if (IS_ERR(tfm)) { - pr_err("ERROR: allocating rng algorithm %s failed: %ld\n", - wc_linuxkm_drbg.base.cra_name, PTR_ERR(tfm)); + pr_err("ERROR: allocating rng algorithm %s failed: %d\n", + wc_linuxkm_drbg.base.cra_name, (int)PTR_ERR(tfm)); ret = PTR_ERR(tfm); tfm = NULL; } diff --git a/linuxkm/module_hooks.c b/linuxkm/module_hooks.c index a940aa53875..55fc70e0a7f 100644 --- a/linuxkm/module_hooks.c +++ b/linuxkm/module_hooks.c @@ -265,7 +265,7 @@ static ssize_t dump_to_file(const char *path, const u8 *buf, size_t buf_len) fp = filp_open(path, O_WRONLY | O_CREAT, 0644); if (IS_ERR(fp)) { - pr_err("libwolfssl: cannot open %s: %ld\n", path, PTR_ERR(fp)); + pr_err("libwolfssl: cannot open %s: %d\n", path, (int)PTR_ERR(fp)); return PTR_ERR(fp); } @@ -1873,7 +1873,7 @@ static int updateFipsHash(void) pr_err("ERROR: crypto_alloc_shash failed: target kernel is missing algorithm implementation for hash type %u\n", FIPS_IN_CORE_HASH_TYPE); ret = NOT_COMPILED_IN; } else { - pr_err("ERROR: crypto_alloc_shash failed with ret %ld\n",PTR_ERR(tfm)); + pr_err("ERROR: crypto_alloc_shash failed with ret %d\n", (int)PTR_ERR(tfm)); ret = HASH_TYPE_E; } tfm = NULL; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 7e855986f67..25548bdbc4c 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -15340,10 +15340,10 @@ int GetFormattedTime_ex(void* currTime, byte* buf, word32 len, byte format) if (format == ASN_UTC_TIME) { /* UTC Time */ if (ts->tm_year >= 50 && ts->tm_year < 100) { - year = ts->tm_year; + year = (int)ts->tm_year; } else { - year = ts->tm_year - 100; + year = (int)ts->tm_year - 100; } mon = ts->tm_mon + 1; day = ts->tm_mday; @@ -15360,7 +15360,7 @@ int GetFormattedTime_ex(void* currTime, byte* buf, word32 len, byte format) } else { /* GeneralizedTime */ - year = ts->tm_year + 1900; + year = (int)ts->tm_year + 1900; mon = ts->tm_mon + 1; day = ts->tm_mday; hour = ts->tm_hour; diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index c15e2bec7a1..423efb0f59e 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -433,10 +433,6 @@ enum { #endif #endif -#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) - #define INLINE WC_INLINE -#endif - /* set up rotate style */ #if ((defined(_MSC_VER) && !defined(WOLFSSL_NOT_WINDOWS_API)) || \ defined(__BCPLUSPLUS__)) && !defined(WOLFSSL_SGX) && \ diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 97f249fd3d6..3ef6df3b286 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -106,7 +106,10 @@ #endif #endif /* !WC_DEPRECATED */ -/* use inlining if compiler allows */ +/* Use inlining if compiler allows -- omit the static attribute here, so that + * WC_INLINE can be used on functions that are instantiated both inline in the + * TU, and callable from outside the TU. + */ #ifndef WC_INLINE #ifndef NO_INLINE #ifdef _MSC_VER @@ -143,6 +146,10 @@ #endif #endif +#if (defined(HAVE_FIPS) && FIPS_VERSION3_LT(7,0,0)) || defined(HAVE_SELFTEST) + #define INLINE WC_INLINE +#endif + #ifndef WC_NO_INLINE #ifdef noinline #define WC_NO_INLINE noinline @@ -549,8 +556,7 @@ * should not be included. Use FreeBSD instead. * definitions are in bsdkm/bsdkm_wc_port.h */ #elif defined(HAVE_C___ATOMIC) && defined(WOLFSSL_HAVE_ATOMIC_H) && \ - !defined(__cplusplus) && \ - !(defined(__clang__) && defined(WOLFSSL_KERNEL_MODE)) + !defined(__cplusplus) /* Default C Implementation */ #include typedef atomic_int wolfSSL_Atomic_Int; From 47cf8d066c6422279a8bcd11b7cbae17ca7a368f Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 16:09:57 -0500 Subject: [PATCH 19/22] wolfcrypt/src/pkcs7.c: in wc_PKCS7_DecodeAuthEnvelopedData(), accommodate AES*GCMb with !HAVE_AESGCM, and add AES-CCM authTagSz check. --- wolfcrypt/src/pkcs7.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index 866dac4716e..a12eb7e9242 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -15263,11 +15263,23 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in, if (ret == 0 && (encOID == AES128GCMb || encOID == AES192GCMb || encOID == AES256GCMb)) { +#ifdef HAVE_AESGCM ret = wc_local_AesGcmCheckTagSz(authTagSz); if (ret != 0) { ret = ASN_PARSE_E; WOLFSSL_MSG("AuthEnvelopedData GCM authTag invalid size"); } +#else + ret = ASN_PARSE_E; + WOLFSSL_MSG("AuthEnvelopedData GCM with GCM not compiled in"); +#endif + } + if (ret == 0 && + (encOID == AES128CCMb || encOID == AES192CCMb || + encOID == AES256CCMb) && + authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { + WOLFSSL_MSG("AuthEnvelopedData CCM authTag too small"); + ret = ASN_PARSE_E; } #ifndef NO_PKCS7_STREAM From d69d49cc68331e2657e82c2469039cc6d72b644a Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 16:14:59 -0500 Subject: [PATCH 20/22] wolfcrypt/src/aes.c: don't use explicit inline attribute on wc_local_AesGcmCheckTagSz() with C++ (namespace breakage). --- wolfcrypt/src/aes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 40ee5502d2f..bc9d8710380 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -7995,7 +7995,7 @@ static WC_INLINE void IncCtr(byte* ctr, word32 ctrSz) #endif -#if !defined(NO_INLINE) && defined(__GNUC__) +#if !defined(NO_INLINE) && defined(__GNUC__) && !defined(__cplusplus) /* Inline for callers here in aes.c, but a callable local function for outside * callers. Don't use WC_INLINE unconditionally, because we can't count on * correct behavior beyond gcc/clang, and we don't want the the WC_MAYBE_UNUSED From 568c660bf5648a68db156d394b239ac6c4e41f3f Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 19:50:52 -0500 Subject: [PATCH 21/22] wolfcrypt/src/pkcs7.c: in wc_PKCS7_DecodeAuthEnvelopedData(), accommodate old FIPS using old authTagSz check. --- wolfcrypt/src/pkcs7.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index a12eb7e9242..9f6b26e99bd 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -15263,16 +15263,19 @@ int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* in, if (ret == 0 && (encOID == AES128GCMb || encOID == AES192GCMb || encOID == AES256GCMb)) { -#ifdef HAVE_AESGCM + #if (defined(HAVE_FIPS) && FIPS_VERSION3_LT(7,0,0)) || \ + defined(HAVE_SELFTEST) || !defined(HAVE_AESGCM) + if (authTagSz < WOLFSSL_MIN_AUTH_TAG_SZ) { + WOLFSSL_MSG("AuthEnvelopedData GCM authTag too small"); + ret = ASN_PARSE_E; + } + #else ret = wc_local_AesGcmCheckTagSz(authTagSz); if (ret != 0) { ret = ASN_PARSE_E; WOLFSSL_MSG("AuthEnvelopedData GCM authTag invalid size"); } -#else - ret = ASN_PARSE_E; - WOLFSSL_MSG("AuthEnvelopedData GCM with GCM not compiled in"); -#endif + #endif } if (ret == 0 && (encOID == AES128CCMb || encOID == AES192CCMb || From 8452f2b2e0a690bb92b16192b659f190f1f65eab Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Sat, 27 Jun 2026 22:31:48 -0500 Subject: [PATCH 22/22] wolfssl/wolfcrypt/wc_port.h: keep #define INLINE WC_INLINE even for latest FIPS; tests/api.c: use WOLFSSL_FILETYPE_PEM, not SSL_FILETYPE_PEM; tests/api/test_dtls.c and tests/api/test_dtls13.c: use WOLFSSL_ERROR_WANT_READ, not SSL_ERROR_WANT_READ. --- tests/api.c | 52 ++++++++++++++++++------------------- tests/api/test_dtls.c | 10 +++---- tests/api/test_dtls13.c | 8 +++--- wolfssl/wolfcrypt/wc_port.h | 2 +- 4 files changed, 36 insertions(+), 36 deletions(-) diff --git a/tests/api.c b/tests/api.c index 32b90b9a079..0645aed2a48 100644 --- a/tests/api.c +++ b/tests/api.c @@ -14185,9 +14185,9 @@ static int test_wolfSSL_ECH_conn_ex(method_provider serverMeth, ExpectIntEQ(WOLFSSL_SUCCESS, wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0)); ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM)); + wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, WOLFSSL_FILETYPE_PEM)); ExpectIntEQ(WOLFSSL_SUCCESS, - wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM)); + wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, WOLFSSL_FILETYPE_PEM)); tcp_connect(&sockfd, wolfSSLIP, server_args.signal->port, 0, 0, NULL); @@ -16358,8 +16358,8 @@ static int test_wolfSSL_sk_SSL_CIPHER(void) #else ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif - ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); ExpectNotNull(ssl = SSL_new(ctx)); ExpectNotNull(sk = SSL_get_ciphers(ssl)); ExpectNotNull(dupSk = sk_SSL_CIPHER_dup(sk)); @@ -16394,8 +16394,8 @@ static int test_wolfSSL_set1_curves_list(void) ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif ExpectTrue(SSL_CTX_use_certificate_file(ctx, eccCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, eccKeyFile, WOLFSSL_FILETYPE_PEM)); ExpectNotNull(ssl = SSL_new(ctx)); ExpectIntEQ(SSL_CTX_set1_curves_list(ctx, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); @@ -16553,8 +16553,8 @@ static int test_wolfSSL_set1_sigalgs_list(void) ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_client_method())); #endif ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); ExpectNotNull(ssl = SSL_new(ctx)); ExpectIntEQ(wolfSSL_CTX_set1_sigalgs_list(NULL, NULL), WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); @@ -16703,8 +16703,8 @@ static int test_wolfSSL_set_tlsext_status_type(void) ExpectNotNull(ctx = SSL_CTX_new(wolfSSLv23_server_method())); ExpectTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, - SSL_FILETYPE_PEM)); - ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); + ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, WOLFSSL_FILETYPE_PEM)); ExpectNotNull(ssl = SSL_new(ctx)); ExpectIntEQ(SSL_set_tlsext_status_type(ssl,TLSEXT_STATUSTYPE_ocsp), SSL_SUCCESS); @@ -16774,7 +16774,7 @@ static int test_wolfSSL_X509_ALGOR_get0(void) const byte badObj[] = { 0x06, 0x00 }; ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, - SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); ExpectNotNull(alg = X509_get0_tbs_sigalg(x509)); /* Invalid case */ @@ -19807,7 +19807,7 @@ static int test_wolfSSL_X509_SEP(void) #if 0 /* Use certificate with the extension here. */ ExpectNotNull(x509 = wolfSSL_X509_load_certificate_file(svrCertFile, - SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); outSz = 0; ExpectNotNull(out = wolfSSL_X509_get_device_type(x509, NULL, &outSz)); @@ -20592,7 +20592,7 @@ static int test_wolfSSL_CTX_ctrl(void) SSL_FILETYPE_ASN1)); #else ExpectNotNull(ecX509 = wolfSSL_X509_load_certificate_file( - cliEccCertFile, SSL_FILETYPE_PEM)); + cliEccCertFile, WOLFSSL_FILETYPE_PEM)); #endif ExpectNotNull(pkey = X509_get_pubkey(ecX509)); /* current ECC key is 256 bit (32 bytes) */ @@ -21022,9 +21022,9 @@ static int test_wolfSSL_OCSP_id_get0_info(void) ASN1_INTEGER* x509Int = NULL; ExpectNotNull(cert = wolfSSL_X509_load_certificate_file(svrCertFile, - SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); ExpectNotNull(issuer = wolfSSL_X509_load_certificate_file(caCertFile, - SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); ExpectNotNull(id = OCSP_cert_to_id(NULL, cert, issuer)); ExpectNotNull(id2 = OCSP_cert_to_id(NULL, cert, issuer)); @@ -27379,7 +27379,7 @@ static int test_wolfSSL_crypto_policy_certs_and_keys(void) if (ctx != NULL) { /* 1024 RSA */ rc = SSL_CTX_use_PrivateKey_file(ctx, key1024, - SSL_FILETYPE_PEM); + WOLFSSL_FILETYPE_PEM); if (is_legacy) { ExpectIntEQ(rc, WOLFSSL_SUCCESS); @@ -27390,7 +27390,7 @@ static int test_wolfSSL_crypto_policy_certs_and_keys(void) /* 2048 RSA */ rc = SSL_CTX_use_PrivateKey_file(ctx, key2048, - SSL_FILETYPE_PEM); + WOLFSSL_FILETYPE_PEM); if (!is_future) { ExpectIntEQ(rc, WOLFSSL_SUCCESS); @@ -27401,17 +27401,17 @@ static int test_wolfSSL_crypto_policy_certs_and_keys(void) /* 3072 RSA */ rc = SSL_CTX_use_PrivateKey_file(ctx, key3072, - SSL_FILETYPE_PEM); + WOLFSSL_FILETYPE_PEM); ExpectIntEQ(rc, WOLFSSL_SUCCESS); /* 256 ecc */ rc = SSL_CTX_use_PrivateKey_file(ctx, key256, - SSL_FILETYPE_PEM); + WOLFSSL_FILETYPE_PEM); ExpectIntEQ(rc, WOLFSSL_SUCCESS); /* 384 ecc */ rc = SSL_CTX_use_PrivateKey_file(ctx, key384, - SSL_FILETYPE_PEM); + WOLFSSL_FILETYPE_PEM); ExpectIntEQ(rc, WOLFSSL_SUCCESS); /* cleanup */ @@ -27867,9 +27867,9 @@ static int test_wolfSSL_SSL_in_init(void) #endif if ((testCertFile != NULL) && (testKeyFile != NULL)) { ExpectTrue(SSL_CTX_use_certificate_file(ctx, testCertFile, - SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, testKeyFile, - SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); } ExpectNotNull(ssl = SSL_new(ctx)); @@ -28192,9 +28192,9 @@ static int test_wolfSSL_set_psk_use_session_callback(void) #endif if ((testCertFile != NULL) && (testKeyFile != NULL)) { ExpectTrue(SSL_CTX_use_certificate_file(ctx, testCertFile, - SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, testKeyFile, - SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); } ExpectNotNull(ssl = SSL_new(ctx)); @@ -28413,9 +28413,9 @@ static int test_SSL_CIPHER_get_xxx(void) #endif if (testCertFile != NULL && testKeyFile != NULL) { ExpectTrue(SSL_CTX_use_certificate_file(ctx, testCertFile, - SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); ExpectTrue(SSL_CTX_use_PrivateKey_file(ctx, testKeyFile, - SSL_FILETYPE_PEM)); + WOLFSSL_FILETYPE_PEM)); } ExpectNotNull(ssl = SSL_new(ctx)); diff --git a/tests/api/test_dtls.c b/tests/api/test_dtls.c index ccacf370baa..f8524fe3dfc 100644 --- a/tests/api/test_dtls.c +++ b/tests/api/test_dtls.c @@ -1291,22 +1291,22 @@ int test_dtls_rtx_across_epoch_change(void) /* CH0 */ wolfSSL_SetLoggingPrefix("client:"); ExpectIntEQ(wolfSSL_connect(ssl_c), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), SSL_ERROR_WANT_READ); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); /* HRR */ wolfSSL_SetLoggingPrefix("server:"); ExpectIntEQ(wolfSSL_accept(ssl_s), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), SSL_ERROR_WANT_READ); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); /* CH1 */ wolfSSL_SetLoggingPrefix("client:"); ExpectIntEQ(wolfSSL_connect(ssl_c), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), SSL_ERROR_WANT_READ); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); /* SH ... FINISHED */ wolfSSL_SetLoggingPrefix("server:"); ExpectIntEQ(wolfSSL_accept(ssl_s), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), SSL_ERROR_WANT_READ); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); /* we should have now SH ... FINISHED messages in the buffer*/ ExpectIntGE(test_ctx.c_msg_count, 2); @@ -1319,7 +1319,7 @@ int test_dtls_rtx_across_epoch_change(void) /* Read the SH */ wolfSSL_SetLoggingPrefix("client:"); ExpectIntEQ(wolfSSL_connect(ssl_c), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), SSL_ERROR_WANT_READ); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); /* trigger client timeout */ ExpectIntEQ(wolfSSL_dtls_got_timeout(ssl_c), WOLFSSL_SUCCESS); diff --git a/tests/api/test_dtls13.c b/tests/api/test_dtls13.c index 3be0df3ebf2..43f992e9d3d 100644 --- a/tests/api/test_dtls13.c +++ b/tests/api/test_dtls13.c @@ -1530,19 +1530,19 @@ int test_dtls13_min_rtx_interval(void) /* CH0 */ ExpectIntEQ(wolfSSL_connect(ssl_c), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), SSL_ERROR_WANT_READ); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); /* HRR */ ExpectIntEQ(wolfSSL_accept(ssl_s), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), SSL_ERROR_WANT_READ); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); /* CH1 */ ExpectIntEQ(wolfSSL_connect(ssl_c), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), SSL_ERROR_WANT_READ); + ExpectIntEQ(wolfSSL_get_error(ssl_c, -1), WOLFSSL_ERROR_WANT_READ); /* SH ... FINISHED */ ExpectIntEQ(wolfSSL_accept(ssl_s), -1); - ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), SSL_ERROR_WANT_READ); + ExpectIntEQ(wolfSSL_get_error(ssl_s, -1), WOLFSSL_ERROR_WANT_READ); /* We should have SH ... FINISHED messages in the buffer */ ExpectIntGE(test_ctx.c_msg_count, 2); diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 3ef6df3b286..07f5829f1ee 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -146,7 +146,7 @@ #endif #endif -#if (defined(HAVE_FIPS) && FIPS_VERSION3_LT(7,0,0)) || defined(HAVE_SELFTEST) +#if defined(HAVE_FIPS) || defined(HAVE_SELFTEST) #define INLINE WC_INLINE #endif