diff --git a/tests/api/test_aes.c b/tests/api/test_aes.c
index 72221cd04ad..1409564453e 100644
--- a/tests/api/test_aes.c
+++ b/tests/api/test_aes.c
@@ -3727,7 +3727,8 @@ int test_wc_AesGcmNonStdNonce(void)
  * and cannot exercise the GHASH-based counter derivation. */
 #if !defined(NO_AES) && defined(HAVE_AESGCM) && \
     !defined(HAVE_FIPS) && \
-    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI)
+    !defined(WOLFSSL_AFALG) && !defined(WOLFSSL_KCAPI) && \
+    !defined(WOLFSSL_DEVCRYPTO_AES)
 
 /* ------------------------------------------------------------------
  * Section 1: 1-byte IV, AES-128
diff --git a/wolfcrypt/src/des3.c b/wolfcrypt/src/des3.c
index f1beae1b60c..23bcb678ecb 100644
--- a/wolfcrypt/src/des3.c
+++ b/wolfcrypt/src/des3.c
@@ -1571,10 +1571,14 @@
         /* rotate left and right halves independently */
         for (j = 0; j < 48; j++) {
             /* select bits individually */
-            if (pcr[pc2[j] - 1]) { /* check bit that goes to ks[j] */
-                l= j % 6; /* mask it in if it's there */
-                ks[j/6] |= (byte)(bytebit[l] >> 2);
-            }
+            byte bit;
+            byte mask;
+            bit =
+                (byte)(pcr[pc2[j] - 1]); /* all pcr values are either 0 or 1 */
+            mask = (byte)(0 - bit); /* mask is either 0xFF or 0x00 */
+            ks[j/6] |=
+                (byte)((bytebit[j % 6] >> 2) & mask); /* only set to bytebit value if bit == 1*/
         }
 
         /* Now convert to odd/even interleaved form for use in F */
diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c
index 6ae9d0a1ab6..bfc40ae8cad 100644
--- a/wolfcrypt/src/dsa.c
+++ b/wolfcrypt/src/dsa.c
@@ -1121,6 +1121,9 @@ int wc_DsaVerify_ex(const byte* digest, word32 digestSz, const byte* sig,
     if (digest == NULL || sig == NULL || key == NULL || answer == NULL)
         return BAD_FUNC_ARG;
 
+    /* assign default value so we return 0 on error */
+    *answer = 0;
+
     /* Note the min allowed digestSz here is WC_SHA_DIGEST_SIZE, not
      * WC_MIN_DIGEST_SIZE, to allow verify-only legacy DSA operations, as
      * expressly allowed under FIPS 186-5, FIPS 140-3, and SP 800-131A.
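Review bot: The branch-free rewrite in the des3.c hunk is only correct if `pcr[pc2[j] - 1]` is exactly 0 or 1: `mask = (byte)(0 - bit)` yields 0xFF solely for bit == 1, whereas the removed `if (pcr[...])` accepted any nonzero value, and pcr is filled outside this hunk. Either enforce that invariant where pcr is written or normalize here with `mask = (byte)(0 - (byte)(bit != 0));` so a future change to how pcr is populated cannot silently zero key-schedule bits. The intent should also be stated where the loop begins, e.g. `/* branch-free on key bits: do not reintroduce a data-dependent if here */`, since the added line comments only describe the values. The enclosing function starts and ends outside the hunk.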
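Review bot: In the dsa.c hunk the new comment `/* assign default value so we return 0 on error */` conflates `*answer` with the return value; wc_DsaVerify_ex still returns a negative error code, and what the added line guarantees is that `*answer` reads as "not verified" on every error path. Suggest `/* default to "not verified" so *answer is 0 on every error path */`, and it is worth restating in the function's header comment that callers must check the return code and `*answer` together. The enclosing function continues outside the hunk.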
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index a3476d4e146..3c9145a574a 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -254,10 +254,6 @@ ECC Curve Sizes:
     #include
 #endif
 
-#if defined(WOLFSSL_CAAM)
-    #include
-#endif
-
 #if defined(WOLFSSL_KCAPI_ECC)
     #include
 #endif
@@ -10043,7 +10039,7 @@ static int _ecc_export_x963(ecc_key* key, byte* out, word32* outLen)
 
         /* store byte point type */
         out[0] = ECC_POINT_UNCOMP;
-        if (caamReadPartition((CAAM_ADDRESS)key->securePubKey, out+1, keySz*2) != 0)
+        if (caamReadPartition(key->securePubKey, out+1, keySz*2) != 0)
             return WC_HW_E;
 
         *outLen = 1 + 2*keySz;
@@ -11636,7 +11632,7 @@ static int _ecc_import_private_key_ex(const byte* priv, word32 privSz,
         }
         key->partNum = part;
 
-        key->blackKey = (word32)vaddr;
+        key->blackKey = vaddr;
         if (caamWriteToPartition(vaddr, priv, privSz) != 0)
             return WC_HW_E;
 
@@ -11644,7 +11640,7 @@ static int _ecc_import_private_key_ex(const byte* priv, word32 privSz,
         /* +1 to account for x963 compressed bit */
         if (caamWriteToPartition(vaddr + privSz, pub + 1, pubSz - 1) != 0)
             return WC_HW_E;
-        key->securePubKey = (word32)vaddr + privSz;
+        key->securePubKey = vaddr + privSz;
         }
     }
     else {
diff --git a/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c b/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c
index 76c8abdb1c4..6cad5fb5bb8 100644
--- a/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c
+++ b/wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c
@@ -983,14 +983,12 @@ static CB_INLINE int wolfssl_ssl_conf_verify_cb_no_signer(int preverify,
     /* Clean up and exit */
     if ((_crt_found == 0) && (bundle_cert != NULL)) {
         ESP_LOGW(TAG, "Cert not found, free bundle_cert");
+        /* this_subject and this_issuer are apart of bundle_cert and will be
+         * freed here*/
         wolfSSL_X509_free(bundle_cert);
         bundle_cert = NULL;
-        /* this_subject and this_issuer are pointers into cert used.
-         * Don't free if the cert was found. */
-        wolfSSL_X509_NAME_free(this_subject);
-        this_subject = NULL;
-        wolfSSL_X509_NAME_free(this_issuer);
         this_issuer = NULL;
+        this_subject = NULL;
     }
 
     /* We don't clean up the store_cert and x509 as we are in a callback,
diff --git a/wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c b/wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c
index fb9b70db48b..89ac3192e77 100644
--- a/wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c
+++ b/wolfcrypt/src/port/Renesas/renesas_fspsm_aes.c
@@ -415,6 +415,7 @@ int wc_fspsm_AesGcmEncrypt(struct Aes* aes, byte* out,
         XFREE(plainBuf, aes->heap, DYNAMIC_TYPE_AES);
         XFREE(cipherBuf, aes->heap, DYNAMIC_TYPE_AES);
         XFREE(aTagBuf, aes->heap, DYNAMIC_TYPE_AES);
+        wc_fspsm_hw_unlock();
         return MEMORY_E;
     }
 
diff --git a/wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c b/wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c
index c543946a164..8a263a63fd1 100644
--- a/wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c
+++ b/wolfcrypt/src/port/Renesas/renesas_fspsm_sha.c
@@ -418,7 +418,7 @@ static int FSPSM_HashFinal(wolfssl_FSPSM_Hash* hash, byte* out, word32 outSz)
 #endif
 
     wc_fspsm_hw_lock();
-    if (Init(&handle) == FSP_SUCCESS) {
+    if ((ret = Init(&handle)) == FSP_SUCCESS) {
         ret = Update(&handle, (uint8_t*)hash->msg, hash->used);
         if (ret == FSP_SUCCESS) {
             ret = Final(&handle, out, (uint32_t*)&sz);
diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
index 6f976fa8cca..6f38075035f 100644
--- a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
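Review bot: The new comment in the esp_crt_bundle.c hunk has a typo and a missing space, `apart of` should read `a part of` and `freed here*/` should read `freed here */`; since this comment is now the only record of the ownership rule whose violation caused the old double free, it is worth spelling out: `/* this_subject and this_issuer point into bundle_cert and are released by wolfSSL_X509_free(); never free them separately */`. The `this_issuer = NULL; this_subject = NULL;` assignments only run on this branch, so when the cert was found both pointers stay as aliases of the live bundle_cert, which is fine as long as nothing after this point frees it. The enclosing function starts and ends outside the hunk.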
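Review bot: The added `wc_fspsm_hw_unlock();` in the renesas_fspsm_aes.c hunk repairs one lock leak on the MEMORY_E path, but any other early return between `wc_fspsm_hw_lock()` and the normal exit of wc_fspsm_AesGcmEncrypt (both outside the hunk) has the same exposure, and a hardware lock that is never released wedges every later AES call in the process. A single exit label that frees `plainBuf`, `cipherBuf` and `aTagBuf` and then unlocks, reached with `goto out;` from each failure point, would make the release structural rather than something each new error path has to remember. The enclosing function starts and ends outside the hunk.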
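Review bot: With `if ((ret = Init(&handle)) == FSP_SUCCESS)` in the renesas_fspsm_sha.c hunk, a failing Init now leaves `ret` holding the driver's status value rather than a wolfSSL error code, exactly as the Update/Final failures already do; the code after the hunk presumably maps any `ret != FSP_SUCCESS` to a negative code such as WC_HW_E, but that mapping now has to cover the Init path too, and `wc_fspsm_hw_unlock()` must still be reached on it since the lock two lines above is taken unconditionally. A short comment on the line, `/* ret carries the FSP status; mapped to a wolfSSL code below */`, would make the intent visible. The enclosing function starts and ends outside the hunk.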
+++ b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
@@ -110,7 +110,7 @@ int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen,
     const word32 max_key_len = (AES_MAX_KEY_SIZE / 8);
 #endif
 
-    if (aes == NULL ||
+    if (aes == NULL || userKey == NULL ||
         !((keylen == 16) || (keylen == 24) || (keylen == 32))) {
         return BAD_FUNC_ARG;
     }
diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_hash.c b/wolfcrypt/src/port/devcrypto/devcrypto_hash.c
index 37f9763fc2f..35ae2e42a62 100644
--- a/wolfcrypt/src/port/devcrypto/devcrypto_hash.c
+++ b/wolfcrypt/src/port/devcrypto/devcrypto_hash.c
@@ -135,20 +135,14 @@ int wc_Sha256Update(wc_Sha256* sha, const byte* in, word32 sz)
 #ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP
     /* keep full message to hash at end instead of incremental updates */
     if (sha->len < sha->used + sz) {
-        if (sha->msg == NULL) {
-            sha->msg = (byte*)XMALLOC(sha->used + sz, sha->heap,
-                    DYNAMIC_TYPE_TMP_BUFFER);
-        } else {
-            byte* pt = (byte*)XREALLOC(sha->msg, sha->used + sz, sha->heap,
-                    DYNAMIC_TYPE_TMP_BUFFER);
-            if (pt == NULL) {
-                return MEMORY_E;
-            }
-            sha->msg = pt;
-        }
-        if (sha->msg == NULL) {
+        byte* pt = (byte*)XREALLOC(sha->msg, sha->used + sz, sha->heap,
+                DYNAMIC_TYPE_TMP_BUFFER);
+        if (pt == NULL) {
             return MEMORY_E;
         }
+
+        sha->msg = pt;
+        sha->len = sha->used + sz;
     }
     XMEMCPY(sha->msg + sha->used, in, sz);
@@ -180,7 +174,8 @@ int wc_Sha256Final(wc_Sha256* sha, byte* hash)
 #endif
     ret = GetDigest(sha, CRYPTO_SHA2_256, hash);
     if (ret != 0) {
-        return ret;
+        wc_Sha256Free(sha);
+        return ret;
     }
 
     wc_Sha256Free(sha);
@@ -190,6 +185,7 @@ int wc_Sha256Final(wc_Sha256* sha, byte* hash)
 
 int wc_Sha256GetHash(wc_Sha256* sha, byte* hash)
 {
+
     if (sha == NULL || hash == NULL) {
         return BAD_FUNC_ARG;
     }
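Review bot: In the wc_Sha256Update hunk the size `sha->used + sz` is a word32 sum that can wrap: a large `sz` makes XREALLOC allocate a small buffer, `sha->len` records the wrapped value, and the following `XMEMCPY(sha->msg + sha->used, in, sz)` writes `sz` bytes past the allocation — a heap overflow reachable from whatever feeds data into the hash. Reject the overflow before reallocating, e.g. `if (sz > (word32)(~(word32)0) - sha->used) return BAD_FUNC_ARG;`. Growing to exactly `used + sz` on every call also means a long run of small updates reallocates and copies the whole message each time; doubling the capacity would make `sha->len` a real capacity instead of a high-water mark. wc_Sha256Update continues outside the hunk.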
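Review bot: The wc_Sha256Final hunk now frees on the error path as well as the success path, which closes the earlier leak of the kept message buffer, but with WOLFSSL_DEVCRYPTO_HASH_KEEP that buffer holds the complete buffered input — for an HMAC built on this hash it would include the key-derived pad block — so wc_Sha256Free (outside the hunk) should zeroize `sha->msg` before XFREE rather than only releasing it; worth confirming. A comment on the new lines, `/* release the kept message and the /dev/crypto session on every exit */`, would record why Free is called twice. The enclosing function starts outside the hunk.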
@@ -198,9 +194,15 @@ int wc_Sha256GetHash(wc_Sha256* sha, byte* hash)
 {
     int ret;
     wc_Sha256 cpy;
-    wc_Sha256Copy(sha, &cpy);
-
-    if ((ret = HashUpdate(&cpy, CRYPTO_SHA2_256, cpy.msg, cpy.used)) == 0) {
+    XMEMSET(&cpy, 0, sizeof(cpy)); /* ZII */
+    /* mark as having no /dev/crypto session yet so the wc_Sha256Free()
+     * in wc_Sha256Copy() does not close fd 0 (cfd == -1 is the
+     * "no session" sentinel, matching wc_AesInit()) */
+    cpy.ctx.cfd = -1;
+    ret = wc_Sha256Copy(sha, &cpy);
+
+    if (ret == 0 &&
+        (ret = HashUpdate(&cpy, CRYPTO_SHA2_256, cpy.msg, cpy.used)) == 0) {
         /* help static analysis tools out */
         XMEMSET(hash, 0, WC_SHA256_DIGEST_SIZE);
         ret = GetDigest(&cpy, CRYPTO_SHA2_256, hash);
@@ -219,12 +221,14 @@ int wc_Sha256GetHash(wc_Sha256* sha, byte* hash)
 
 int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst)
 {
+
     if (src == NULL || dst == NULL) {
         return BAD_FUNC_ARG;
     }
-    wc_InitSha256_ex(dst, src->heap, 0);
 
 #ifdef WOLFSSL_DEVCRYPTO_HASH_KEEP
+    wc_Sha256Free(dst);
+    wc_InitSha256_ex(dst, src->heap, 0);
     dst->len = src->len;
     dst->used = src->used;
     dst->msg = (byte*)XMALLOC(src->len, dst->heap, DYNAMIC_TYPE_TMP_BUFFER);
@@ -232,9 +236,15 @@ int wc_Sha256Copy(wc_Sha256* src, wc_Sha256* dst)
         return MEMORY_E;
     }
     XMEMCPY(dst->msg, src->msg, src->len);
-#endif
 
     return 0;
+#else
+    (void)src;
+    (void)dst;
+
+    WOLFSSL_MSG("Compile with WOLFSSL_DEVCRYPTO_HASH_KEEP for this feature");
+    return NOT_COMPILED_IN;
+#endif
 }
 
 #endif /* !NO_SHA256 */
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index 609e7fb6b45..d38c34f6656 100644
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
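Review bot: In the wc_Sha256Copy hunk, `dst->msg = (byte*)XMALLOC(src->len, ...)` with `src->len == 0` — a hash that has been initialized but never updated — is a zero-byte allocation, which many allocators return NULL for, so the `pt == NULL` check that follows reports MEMORY_E for a perfectly valid copy; guard it with `if (src->len > 0) { ... } else { dst->msg = NULL; }`. The new `wc_Sha256Free(dst)` before `wc_InitSha256_ex` also introduces a precondition that callers cannot see: `dst` must be either an initialized hash or zero-filled with `ctx.cfd == -1`, which is exactly what the wc_Sha256GetHash hunk above now does by hand. Document it on the function: `/* dst must be an initialized hash or zero-filled with ctx.cfd == -1; any state it holds is released before the copy */`. The return value of `wc_InitSha256_ex` is still discarded, so an init failure (for instance no /dev/crypto session) is only noticed later.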
@@ -380,19 +380,29 @@ static int sha512DrbgDisabled = 0;
 static wolfSSL_Mutex drbgStateMutex
     WOLFSSL_MUTEX_INITIALIZER_CLAUSE(drbgStateMutex);
 #ifndef WOLFSSL_MUTEX_INITIALIZER
+#ifdef WOLFSSL_ATOMIC_OPS
+static wolfSSL_Atomic_Int drbgStateMutex_inited = WOLFSSL_ATOMIC_INITIALIZER(0);
+#else
 static int drbgStateMutex_inited = 0;
 #endif
+#endif
 #endif /* !SINGLE_THREADED */
 
 int wc_DrbgState_MutexInit(void)
 {
 #ifndef SINGLE_THREADED
 #ifndef WOLFSSL_MUTEX_INITIALIZER
-    if (!drbgStateMutex_inited) {
+    int expected = 0;
+    /* Check if mutex is not inited and set it to true before init.
+     * This means that the mutex is marked as init before it actually is.
+     * Necessary to ensure that two threads don't init at the same time.*/
+    if (wolfSSL_Atomic_Int_CompareExchange(&drbgStateMutex_inited,
+                                           &expected, 1)) {
         int ret = wc_InitMutex(&drbgStateMutex);
-        if (ret != 0)
+        if (ret != 0) {
+            (void)wolfSSL_Atomic_Int_Exchange(&drbgStateMutex_inited, 0);
             return ret;
-        drbgStateMutex_inited = 1;
+        }
     }
 #endif
 #endif
@@ -3716,9 +3726,11 @@ static int wc_GenerateSeed_IntelRD(OS_Seed* os, byte* output, word32 sz)
 
     for (; (sz / sizeof(word64)) > 0;
          sz -= sizeof(word64), output += sizeof(word64)) {
-        ret = IntelRDseed64_r((word64*)output);
+        word64 rndTmpLocal;
+        ret = IntelRDseed64_r(&rndTmpLocal);
         if (ret != 0)
             return ret;
+        writeUnalignedWord64(output, rndTmpLocal);
     }
     if (sz == 0)
         return 0;
diff --git a/wolfcrypt/src/siphash.c b/wolfcrypt/src/siphash.c
index 28047be30b5..b8159c2957c 100644
--- a/wolfcrypt/src/siphash.c
+++ b/wolfcrypt/src/siphash.c
@@ -411,8 +411,8 @@ int wc_SipHash(const unsigned char* key, const unsigned char* in, word32 inSz,
         return BAD_FUNC_ARG;
     }
 
-    k0 = ((const word64*)key)[0];
-    k1 = ((const word64*)key)[1];
+    k0 = GET_U64(key);
+    k1 = GET_U64(key + 8);
     __asm__ __volatile__ (
         "xorq %[k0], %[v0]\n\t"
         "xorq %[k1], %[v1]\n\t"
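Review bot: The compare-exchange in wc_DrbgState_MutexInit makes the initialization exclusive but not complete: the thread that loses the race returns 0 immediately and can lock `drbgStateMutex` before the winner's `wc_InitMutex()` has finished, which the added comment itself concedes with "marked as init before it actually is". A three-state flag (0 = uninitialized, 1 = initializing, 2 = ready) closes the window: the winner publishes 2 only after `wc_InitMutex()` succeeds (and resets to 0 on failure, as the hunk already does), while the loser waits until it observes 2 (or 0, and retries); the sketch below assumes `wolfSSL_Atomic_Int_CompareExchange` writes the observed value back into `expected` on failure, as C11 `atomic_compare_exchange` does — confirm against its definition. Note also that the `#else` branch keeps `drbgStateMutex_inited` as a plain `int` while the call sites use `wolfSSL_Atomic_Int_CompareExchange`/`_Exchange` unconditionally; presumably those have non-atomic fallbacks without WOLFSSL_ATOMIC_OPS, but then that build retains the original race and a comment should say so.
```c
    int expected = 0;
    if (wolfSSL_Atomic_Int_CompareExchange(&drbgStateMutex_inited,
                                           &expected, 1)) {
        int ret = wc_InitMutex(&drbgStateMutex);
        if (ret != 0) {
            (void)wolfSSL_Atomic_Int_Exchange(&drbgStateMutex_inited, 0);
            return ret;
        }
        /* publish "ready" only after wc_InitMutex() has completed */
        (void)wolfSSL_Atomic_Int_Exchange(&drbgStateMutex_inited, 2);
    }
    else {
        /* lost the race: wait until the initializing thread publishes 2
         * (expected is refreshed with the observed value on each failed CAS) */
        while (expected == 1) {
            (void)wolfSSL_Atomic_Int_CompareExchange(&drbgStateMutex_inited,
                                                     &expected, 1);
        }
        /* … expected == 0 here means the winner failed: retry the init … */
    }
```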
@@ -640,8 +640,8 @@ int wc_SipHash(const unsigned char* key, const unsigned char* in, word32 inSz,
         return BAD_FUNC_ARG;
     }
 
-    k0 = ((word64*)key)[0];
-    k1 = ((word64*)key)[1];
+    k0 = GET_U64(key + 0);
+    k1 = GET_U64(key + 8);
     __asm__ __volatile__ (
         "eor %[v0], %[v0], %[k0]\n\t"
         "eor %[v1], %[v1], %[k1]\n\t"
diff --git a/wolfcrypt/src/wc_mlkem_poly.c b/wolfcrypt/src/wc_mlkem_poly.c
index 4b812cd11d2..1eaf4dac1ad 100644
--- a/wolfcrypt/src/wc_mlkem_poly.c
+++ b/wolfcrypt/src/wc_mlkem_poly.c
@@ -4347,13 +4347,16 @@ static int mlkem_get_noise_k4_avx2(MLKEM_PRF_T* prf, sword16* vec1,
  */
 static void mlkem_get_noise_x3_eta2_aarch64(byte* rand, byte* seed, byte o)
 {
-    word64* state = (word64*)rand;
+    word64 state[3 * 25];
 
     state[0*25 + 4] = 0x1f00 + 0 + o;
     state[1*25 + 4] = 0x1f00 + 1 + o;
     state[2*25 + 4] = 0x1f00 + 2 + o;
 
     mlkem_shake256_blocksx3_seed_neon(state, seed);
+    XMEMCPY(rand + 0 * 25 * 8, state + 0*25, ETA2_RAND_SIZE);
+    XMEMCPY(rand + 1 * 25 * 8, state + 1*25, ETA2_RAND_SIZE);
+    XMEMCPY(rand + 2 * 25 * 8, state + 2*25, ETA2_RAND_SIZE);
 }
 
 #if defined(WOLFSSL_KYBER512) || defined(WOLFSSL_WC_ML_KEM_512)
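Review bot: In mlkem_get_noise_x3_eta2_aarch64 the destination offsets `rand + 0 * 25 * 8`, `rand + 1 * 25 * 8`, `rand + 2 * 25 * 8` preserve the old 200-byte lane stride (one Keccak state, which is what the caller saw while `rand` doubled as the state buffer) even though each copy is now only ETA2_RAND_SIZE bytes; that stride has become an unstated contract with the caller, so give it a name such as `#define MLKEM_X3_LANE_STRIDE (25 * sizeof(word64))` with a comment saying the caller reads lanes at that spacing, or switch to `i * ETA2_RAND_SIZE` like the eta3 variant if the caller can be updated with it. Because `state` now lives on the stack it holds the full SHAKE output derived from the secret noise seed after the function returns; clear it before leaving, e.g. `XMEMSET(state, 0, sizeof(state));` (or the project's secure-zeroing helper, if one is available here). The same applies to the single-lane eta2 and eta3 variants later on this page.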
@@ -4376,24 +4379,18 @@ static void mlkem_get_noise_x3_eta2_aarch64(byte* rand, byte* seed, byte o)
  */
 static void mlkem_get_noise_x3_eta3_aarch64(byte* rand, byte* seed, byte o)
 {
-    word64 state[3 * 25];
-
-    state[0*25 + 4] = 0x1f00 + 0 + o;
-    state[1*25 + 4] = 0x1f00 + 1 + o;
-    state[2*25 + 4] = 0x1f00 + 2 + o;
+    word64 state[25];
+    byte i;
 
-    mlkem_shake256_blocksx3_seed_neon(state, seed);
-    XMEMCPY(rand + 0 * ETA3_RAND_SIZE, state + 0*25, SHA3_256_BYTES);
-    XMEMCPY(rand + 1 * ETA3_RAND_SIZE, state + 1*25, SHA3_256_BYTES);
-    XMEMCPY(rand + 2 * ETA3_RAND_SIZE, state + 2*25, SHA3_256_BYTES);
-    mlkem_sha3_blocksx3_neon(state);
-    rand += SHA3_256_BYTES;
-    XMEMCPY(rand + 0 * ETA3_RAND_SIZE, state + 0*25,
-            ETA3_RAND_SIZE - SHA3_256_BYTES);
-    XMEMCPY(rand + 1 * ETA3_RAND_SIZE, state + 1*25,
-            ETA3_RAND_SIZE - SHA3_256_BYTES);
-    XMEMCPY(rand + 2 * ETA3_RAND_SIZE, state + 2*25,
-            ETA3_RAND_SIZE - SHA3_256_BYTES);
+    for (i = 0; i < 3; i++) {
+        state[4] = 0x1f00 + i + o;
+        mlkem_shake256_blocksx3_seed_neon(state, seed);
+        XMEMCPY(rand + i * ETA3_RAND_SIZE, state, SHA3_256_BYTES);
+        mlkem_sha3_blocksx3_neon(state);
+        rand += SHA3_256_BYTES;
+        XMEMCPY(rand + i * ETA3_RAND_SIZE, state,
+                ETA3_RAND_SIZE - SHA3_256_BYTES);
+    }
 }
 
 /* Get the noise/error by calculating random bytes.
@@ -4411,10 +4408,7 @@ static void mlkem_get_noise_eta3_aarch64(byte* rand, byte* seed, byte o)
 {
     word64 state[25];
 
-    state[0] = ((word64*)seed)[0];
-    state[1] = ((word64*)seed)[1];
-    state[2] = ((word64*)seed)[2];
-    state[3] = ((word64*)seed)[3];
+    readUnalignedWords64(state, seed, 4);
     state[4] = 0x1f00 + o;
     XMEMSET(state + 5, 0, sizeof(*state) * (25 - 5));
     state[16] = W64LIT(0x8000000000000000);
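Review bot: The new loop in mlkem_get_noise_x3_eta3_aarch64 advances `rand += SHA3_256_BYTES` on every iteration but keeps indexing with `rand + i * ETA3_RAND_SIZE`, so lane 1 starts SHA3_256_BYTES past where the caller expects it, lane 2 starts 2 * SHA3_256_BYTES past, and the final copy for i == 2 ends 2 * SHA3_256_BYTES beyond the 3 * ETA3_RAND_SIZE output — an out-of-bounds write into whatever follows `rand`, on top of the second and third polynomials being sampled from misplaced bytes. Compute the lane base once per iteration and leave `rand` alone, as below. Separately, `mlkem_shake256_blocksx3_seed_neon` and `mlkem_sha3_blocksx3_neon` are, by name and by their use in the x3 eta2 variant above, three-lane routines that until this change received `word64[3 * 25]`; if they still process three states, the 25-word `state` here is overflowed as well, so either they must accept a single lane or this function should use the single-lane path (`readUnalignedWords64` plus `BlockSha3`) that mlkem_get_noise_eta3_aarch64 in the next hunk uses. The stack `state` also holds seed-derived secret output and should be cleared before returning.
```c
    for (i = 0; i < 3; i++) {
        byte* lane = rand + i * ETA3_RAND_SIZE;

        state[4] = 0x1f00 + i + o;
        mlkem_shake256_blocksx3_seed_neon(state, seed);
        XMEMCPY(lane, state, SHA3_256_BYTES);
        mlkem_sha3_blocksx3_neon(state);
        XMEMCPY(lane + SHA3_256_BYTES, state,
                ETA3_RAND_SIZE - SHA3_256_BYTES);
    }
```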
@@ -4474,17 +4468,15 @@ static int mlkem_get_noise_k2_aarch64(sword16* vec1, sword16* vec2,
  */
 static void mlkem_get_noise_eta2_aarch64(byte* rand, byte* seed, byte o)
 {
-    word64* state = (word64*)rand;
+    word64 state[25];
 
-    state[0] = ((word64*)seed)[0];
-    state[1] = ((word64*)seed)[1];
-    state[2] = ((word64*)seed)[2];
-    state[3] = ((word64*)seed)[3];
+    readUnalignedWords64(state, seed, 4);
     /* Transposed value same as not. */
     state[4] = 0x1f00 + o;
     XMEMSET(state + 5, 0, sizeof(*state) * (25 - 5));
     state[16] = W64LIT(0x8000000000000000);
     BlockSha3(state);
+    XMEMCPY(rand, state, ETA2_RAND_SIZE);
 }
 
 /* Get the noise/error by calculating random bytes and sampling to a binomial
diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h
index bfb4ba86791..41ce2ce923f 100644
--- a/wolfssl/wolfcrypt/ecc.h
+++ b/wolfssl/wolfcrypt/ecc.h
@@ -76,6 +76,10 @@
 #endif
 
+#if defined(WOLFSSL_CAAM)
+    #include
+#endif
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -528,8 +532,13 @@ struct ecc_key {
 #endif
 
 #ifdef WOLFSSL_CAAM
-    word32 blackKey;     /* address of key encrypted and in secure memory */
-    word32 securePubKey; /* address of public key in secure memory */
+    #ifdef CAAM_ADDRESS
+    CAAM_ADDRESS blackKey;     /* address of key encrypted and in secure memory */
+    CAAM_ADDRESS securePubKey; /* address of public key in secure memory */
+    #else
+    word32 blackKey;     /* address of key encrypted and in secure memory */
+    word32 securePubKey; /* address of public key in secure memory */
+    #endif
     int partNum;         /* partition number*/
 #endif
 #ifdef WOLFSSL_SE050
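Review bot: The `#ifdef CAAM_ADDRESS` fallback in the ecc.h struct hunk makes the layout of `struct ecc_key` depend on whether the CAAM header happened to be visible when ecc.h was parsed: a translation unit that sees the macro gets CAAM_ADDRESS fields while one that does not gets word32, so two objects in the same build can disagree on the struct size and on the type that the ecc.c hunks earlier on this page now assign `vaddr` into with the casts removed — where a wider CAAM_ADDRESS would be narrowed to word32 silently. With the include a few lines above made unconditional under WOLFSSL_CAAM, the fallback should be unreachable; replace the `#else` branch with `#error "WOLFSSL_CAAM requires CAAM_ADDRESS from the CAAM port header"` so a missing or renamed definition fails at compile time instead of changing the ABI. The include line itself renders here as a bare `#include`, which looks like an extraction artifact rather than the committed text, but is worth a glance.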