Merge pull request #7434 from douzzer/20240416-fips-v6-fixes

20240416-fips-v6-fixes

Author: JacobBarthelmeh

configure.ac

@@ -809,6 +809,8 @@ then
     test "$enable_camellia" = "" && enable_camellia=yes
     test "$enable_ripemd" = "" && enable_ripemd=yes
     test "$enable_sha224" = "" && enable_sha224=yes
+    test "$enable_sha512" = "" && enable_sha512=yes
+    test "$enable_sha3" = "" && enable_sha3=yes
     test "$enable_shake128" = "" && enable_shake128=yes
     test "$enable_shake256" = "" && enable_shake256=yes
     test "$enable_sessioncerts" = "" && enable_sessioncerts=yes
@@ -867,12 +869,6 @@ then
     test "$enable_ech" = "" && enable_ech=yes
     test "$enable_srtp" = "" && enable_srtp=yes
 
-    if test "$ENABLED_32BIT" != "yes"
-    then
-        test "$enable_sha512" = "" && enable_sha512=yes
-        test "$enable_sha3" = "" && enable_sha3=yes
-    fi
-
     if test "$ENABLED_LINUXKM_DEFAULTS" != "yes"
     then
         test "$enable_compkey" = "" && enable_compkey=yes
@@ -923,13 +919,10 @@ then
         test "$enable_pkcs7" = "" && enable_pkcs7=yes
         test "$enable_nullcipher" = "" && enable_nullcipher=yes
         test "$enable_mcast" = "" && enable_mcast=yes
-        if test "$ENABLED_32BIT" != "yes"
-        then
-            test "$enable_ed25519" = "" && enable_ed25519=yes
-            test "$enable_ed25519_stream" = "" && test "$enable_ed25519" != "no" && enable_ed25519_stream=yes
-            test "$enable_ed448" = "" && enable_ed448=yes
-            test "$enable_ed448_stream" = "" && test "$enable_ed448" != "no" && enable_ed448_stream=yes
-        fi
+        test "$enable_ed25519" = "" && enable_ed25519=yes
+        test "$enable_ed25519_stream" = "" && test "$enable_ed25519" != "no" && enable_ed25519_stream=yes
+        test "$enable_ed448" = "" && enable_ed448=yes
+        test "$enable_ed448_stream" = "" && test "$enable_ed448" != "no" && enable_ed448_stream=yes
 
         if test "$ENABLED_LINUXKM_DEFAULTS" != "yes"
         then
@@ -1005,6 +998,8 @@ then
     test "$enable_camellia" = "" && enable_camellia=yes
     test "$enable_ripemd" = "" && enable_ripemd=yes
     test "$enable_sha224" = "" && enable_sha224=yes
+    test "$enable_sha512" = "" && enable_sha512=yes
+    test "$enable_sha3" = "" && enable_sha3=yes
     test "$enable_shake128" = "" && enable_shake128=yes
     test "$enable_shake256" = "" && enable_shake256=yes
     test "$enable_sessioncerts" = "" && enable_sessioncerts=yes
@@ -1047,12 +1042,6 @@ then
     test "$enable_ssh" = "" && test "$enable_hmac" != "no" && enable_ssh=yes
     test "$enable_srtp_kdf" = "" && enable_srtp_kdf=yes
 
-    if test "$ENABLED_32BIT" != "yes"
-    then
-        test "$enable_sha512" = "" && enable_sha512=yes
-        test "$enable_sha3" = "" && enable_sha3=yes
-    fi
-
     if test "$ENABLED_LINUXKM_DEFAULTS" != "yes"
     then
         test "$enable_compkey" = "" && enable_compkey=yes
@@ -1074,13 +1063,10 @@ then
         test "$enable_xchacha" = "" && test "$enable_chacha" != "no" && enable_xchacha=yes
         test "$enable_pkcs7" = "" && enable_pkcs7=yes
         test "$enable_nullcipher" = "" && enable_nullcipher=yes
-        if test "$ENABLED_32BIT" != "yes"
-        then
-            test "$enable_ed25519" = "" && enable_ed25519=yes
-            test "$enable_ed25519_stream" = "" && test "$enable_ed25519" != "no" && enable_ed25519_stream=yes
-            test "$enable_ed448" = "" && enable_ed448=yes
-            test "$enable_ed448_stream" = "" && test "$enable_ed448" != "no" && enable_ed448_stream=yes
-        fi
+        test "$enable_ed25519" = "" && enable_ed25519=yes
+        test "$enable_ed25519_stream" = "" && test "$enable_ed25519" != "no" && enable_ed25519_stream=yes
+        test "$enable_ed448" = "" && enable_ed448=yes
+        test "$enable_ed448_stream" = "" && test "$enable_ed448" != "no" && enable_ed448_stream=yes
 
         if test "$ENABLED_LINUXKM_DEFAULTS" != "yes"
         then
@@ -3433,7 +3419,7 @@ fi
 # set sha3 default
 SHA3_DEFAULT=no
 if (test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64" ||
-    test "$host_cpu" = "amd64") && test "$ENABLED_32BIT" = "no"
+    test "$host_cpu" = "amd64")
 then
     if test "x$ENABLED_FIPS" = "xno" || test "$HAVE_FIPS_VERSION" -ge 2
     then
@@ -3475,7 +3461,7 @@ AC_ARG_ENABLE([sha512],
     )
 
 # options that don't require sha512
-if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" || test "$ENABLED_32BIT" = "yes" || test "$ENABLED_16BIT" = "yes"
+if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" || test "$ENABLED_16BIT" = "yes"
 then
     ENABLED_SHA512="no"
 fi
@@ -3501,7 +3487,7 @@ AC_ARG_ENABLE([sha384],
     )
 
 # options that don't require sha384
-if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" || test "$ENABLED_32BIT" = "yes" || test "$ENABLED_16BIT" = "yes"
+if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes" || test "$ENABLED_16BIT" = "yes"
 then
     ENABLED_SHA384="no"
 fi
@@ -5363,7 +5349,7 @@ then
 fi
 
 # Ed448
-if test "$ENABLED_ED448" != "no" && test "$ENABLED_32BIT" = "no"
+if test "$ENABLED_ED448" != "no"
 then
     if test "$ENABLED_ED448" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
     then
@@ -5406,7 +5392,7 @@ then
 fi
 
 # Set SHA-3 flags
-if test "$ENABLED_SHA3" != "no" && test "$ENABLED_32BIT" = "no"
+if test "$ENABLED_SHA3" != "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHA3"
 fi
@@ -5416,7 +5402,7 @@ fi
 AS_IF([test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 6],
         [ENABLED_SHAKE128="no"])
 
-if test "$ENABLED_SHAKE128" != "no" && test "$ENABLED_32BIT" = "no"
+if test "$ENABLED_SHAKE128" != "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE128"
     if test "$ENABLED_SHA3" = "no"
@@ -5432,7 +5418,7 @@ fi
 AS_IF([test "x$ENABLED_FIPS" = "xyes" && test $HAVE_FIPS_VERSION -lt 6],
         [ENABLED_SHAKE256="no"])
 
-if test "$ENABLED_SHAKE256" != "no" && test "$ENABLED_32BIT" = "no"
+if test "$ENABLED_SHAKE256" != "no"
 then
     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SHAKE256"
     if test "$ENABLED_SHA3" = "no"
@@ -8667,7 +8653,7 @@ then
     ENABLED_OPENSSLEXTRA="yes"
 fi
 
-if test "$ENABLED_ED25519" != "no" && test "$ENABLED_32BIT" = "no"
+if test "$ENABLED_ED25519" != "no"
 then
     if test "$ENABLED_ED25519" = "small" || test "$ENABLED_LOWRESOURCE" = "yes"
     then
@@ -8835,9 +8821,9 @@ AS_IF([test "x$ENABLED_CERTGEN" = "xyes"],
 AS_IF([test "x$ENABLED_CERTEXT" = "xyes"],
       [AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_CERT_EXT"])
 
-AS_IF([test "x$ENABLED_ED25519" = "xyes" && test "x$ENABLED_32BIT" = "xno"],
+AS_IF([test "x$ENABLED_ED25519" = "xyes"],
       [AM_CFLAGS="$AM_CFLAGS -DHAVE_ED25519"])
-AS_IF([test "x$ENABLED_ED25519" = "xyes" && test "x$ENABLED_32BIT" = "xno"],
+AS_IF([test "x$ENABLED_ED25519" = "xyes"],
       [AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_ED25519"])
 
 AS_IF([test "x$ENABLED_ED25519_SMALL" = "xyes"],

scripts/aria-cmake-build-test.sh

@@ -115,8 +115,7 @@ build_aria_test() {
 
     # View the available ciphers with:
     echo "checking wolfsl client ssl version numbers SSLv3(0) - TLS1.3(4):"
-    ./examples/client/client -V
-    if [ $? -eq 0 ]; then
+    if ./examples/client/client -V; then
         echo "Confirmed ./examples/client/client operational."
     else
         echo "ERROR ./examples/client/client error = $?"

src/pk.c

@@ -16198,7 +16198,7 @@ int wolfSSL_PEM_write_bio_PKCS8PrivateKey(WOLFSSL_BIO* bio,
     int passwdSz, wc_pem_password_cb* cb, void* ctx)
 {
     byte* pem = NULL;
-    int pemSz;
+    int pemSz = 0;
     int res = 1;
 
     /* Validate parameters. */
@@ -16243,7 +16243,7 @@ int wolfSSL_PEM_write_PKCS8PrivateKey(XFILE f, WOLFSSL_EVP_PKEY* pkey,
     wc_pem_password_cb* cb, void* ctx)
 {
     byte* pem = NULL;
-    int pemSz;
+    int pemSz = 0;
     int res = 1;
 
     /* Validate parameters. */

src/ssl_load.c

@@ -1529,7 +1529,7 @@ static void ProcessBufferCertSetHave(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
     if (ssl != NULL) {
         ssl->pkCurveOID = cert->pkCurveOID;
     }
-    else {
+    else if (ctx) {
         ctx->pkCurveOID = cert->pkCurveOID;
     }
     #endif
@@ -1540,7 +1540,7 @@ static void ProcessBufferCertSetHave(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
     if (ssl != NULL) {
         ssl->options.haveECC = ssl->options.haveECDSAsig;
     }
-    else {
+    else if (ctx) {
         ctx->haveECC = ctx->haveECDSAsig;
     }
 #endif /* !WC_STRICT_SIG */

wolfcrypt/src/aes.c

@@ -12726,19 +12726,8 @@ int wc_AesXtsEncrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
 
     {
 #ifdef WOLFSSL_AESNI
-#ifdef WC_AES_C_DYNAMIC_FALLBACK
-        int orig_use_aesni = aes->use_aesni;
-#endif
-
-        if (aes->use_aesni && ((ret = SAVE_VECTOR_REGISTERS2()) != 0)) {
-#ifdef WC_AES_C_DYNAMIC_FALLBACK
-            aes->use_aesni = 0;
-            xaes->tweak.use_aesni = 0;
-#else
-            return ret;
-#endif
-        }
         if (aes->use_aesni) {
+            SAVE_VECTOR_REGISTERS(return _svr_ret;);
 #if defined(HAVE_INTEL_AVX1)
             if (IS_INTEL_AVX1(intel_flags)) {
                 AES_XTS_encrypt_avx1(in, out, sz, i,
@@ -12756,23 +12745,13 @@ int wc_AesXtsEncrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
                                       (int)aes->rounds);
                 ret = 0;
             }
+            RESTORE_VECTOR_REGISTERS();
         }
         else
 #endif
         {
             ret = AesXtsEncrypt_sw(xaes, out, in, sz, i);
         }
-
-#ifdef WOLFSSL_AESNI
-        if (aes->use_aesni)
-            RESTORE_VECTOR_REGISTERS();
-#ifdef WC_AES_C_DYNAMIC_FALLBACK
-        else if (orig_use_aesni) {
-            aes->use_aesni = orig_use_aesni;
-            xaes->tweak.use_aesni = orig_use_aesni;
-        }
-#endif
-#endif
     }
 
     return ret;
@@ -12962,19 +12941,8 @@ int wc_AesXtsDecrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
 
     {
 #ifdef WOLFSSL_AESNI
-#ifdef WC_AES_C_DYNAMIC_FALLBACK
-        int orig_use_aesni = aes->use_aesni;
-#endif
-
-        if (aes->use_aesni && ((ret = SAVE_VECTOR_REGISTERS2() != 0))) {
-#ifdef WC_AES_C_DYNAMIC_FALLBACK
-            aes->use_aesni = 0;
-            xaes->tweak.use_aesni = 0;
-#else
-            return ret;
-#endif
-        }
         if (aes->use_aesni) {
+            SAVE_VECTOR_REGISTERS(return _svr_ret;);
 #if defined(HAVE_INTEL_AVX1)
             if (IS_INTEL_AVX1(intel_flags)) {
                 AES_XTS_decrypt_avx1(in, out, sz, i,
@@ -12992,24 +12960,14 @@ int wc_AesXtsDecrypt(XtsAes* xaes, byte* out, const byte* in, word32 sz,
                                       (int)aes->rounds);
                 ret = 0;
             }
+            RESTORE_VECTOR_REGISTERS();
         }
         else
 #endif
         {
             ret = AesXtsDecrypt_sw(xaes, out, in, sz, i);
         }
 
-#ifdef WOLFSSL_AESNI
-        if (aes->use_aesni)
-            RESTORE_VECTOR_REGISTERS();
-#ifdef WC_AES_C_DYNAMIC_FALLBACK
-        else if (orig_use_aesni) {
-            aes->use_aesni = orig_use_aesni;
-            xaes->tweak.use_aesni = orig_use_aesni;
-        }
-#endif
-#endif
-
         return ret;
     }
 }

wolfcrypt/src/fe_448.c

@@ -1437,56 +1437,56 @@ void fe448_to_bytes(unsigned char* b, const sword32* a)
     b[ 0] = (byte)(in0  >>  0);
     b[ 1] = (byte)(in0  >>  8);
     b[ 2] = (byte)(in0  >> 16);
-    b[ 3] = (byte)(in0  >> 24) + ((in1  >>  0) <<  4);
+    b[ 3] = (byte)((in0  >> 24) + ((in1  >>  0) <<  4));
     b[ 4] = (byte)(in1  >>  4);
     b[ 5] = (byte)(in1  >> 12);
     b[ 6] = (byte)(in1  >> 20);
     b[ 7] = (byte)(in2  >>  0);
     b[ 8] = (byte)(in2  >>  8);
     b[ 9] = (byte)(in2  >> 16);
-    b[10] = (byte)(in2  >> 24) + ((in3  >>  0) <<  4);
+    b[10] = (byte)((in2  >> 24) + ((in3  >>  0) <<  4));
     b[11] = (byte)(in3  >>  4);
     b[12] = (byte)(in3  >> 12);
     b[13] = (byte)(in3  >> 20);
     b[14] = (byte)(in4  >>  0);
     b[15] = (byte)(in4  >>  8);
     b[16] = (byte)(in4  >> 16);
-    b[17] = (byte)(in4  >> 24) + ((in5  >>  0) <<  4);
+    b[17] = (byte)((in4  >> 24) + ((in5  >>  0) <<  4));
     b[18] = (byte)(in5  >>  4);
     b[19] = (byte)(in5  >> 12);
     b[20] = (byte)(in5  >> 20);
     b[21] = (byte)(in6  >>  0);
     b[22] = (byte)(in6  >>  8);
     b[23] = (byte)(in6  >> 16);
-    b[24] = (byte)(in6  >> 24) + ((in7  >>  0) <<  4);
+    b[24] = (byte)((in6  >> 24) + ((in7  >>  0) <<  4));
     b[25] = (byte)(in7  >>  4);
     b[26] = (byte)(in7  >> 12);
     b[27] = (byte)(in7  >> 20);
     b[28] = (byte)(in8  >>  0);
     b[29] = (byte)(in8  >>  8);
     b[30] = (byte)(in8  >> 16);
-    b[31] = (byte)(in8  >> 24) + ((in9  >>  0) <<  4);
+    b[31] = (byte)((in8  >> 24) + ((in9  >>  0) <<  4));
     b[32] = (byte)(in9  >>  4);
     b[33] = (byte)(in9  >> 12);
     b[34] = (byte)(in9  >> 20);
     b[35] = (byte)(in10 >>  0);
     b[36] = (byte)(in10 >>  8);
     b[37] = (byte)(in10 >> 16);
-    b[38] = (byte)(in10 >> 24) + ((in11 >>  0) <<  4);
+    b[38] = (byte)((in10 >> 24) + ((in11 >>  0) <<  4));
     b[39] = (byte)(in11 >>  4);
     b[40] = (byte)(in11 >> 12);
     b[41] = (byte)(in11 >> 20);
     b[42] = (byte)(in12 >>  0);
     b[43] = (byte)(in12 >>  8);
     b[44] = (byte)(in12 >> 16);
-    b[45] = (byte)(in12 >> 24) + ((in13 >>  0) <<  4);
+    b[45] = (byte)((in12 >> 24) + ((in13 >>  0) <<  4));
     b[46] = (byte)(in13 >>  4);
     b[47] = (byte)(in13 >> 12);
     b[48] = (byte)(in13 >> 20);
     b[49] = (byte)(in14 >>  0);
     b[50] = (byte)(in14 >>  8);
     b[51] = (byte)(in14 >> 16);
-    b[52] = (byte)(in14 >> 24) + ((in15 >>  0) <<  4);
+    b[52] = (byte)((in14 >> 24) + ((in15 >>  0) <<  4));
     b[53] = (byte)(in15 >>  4);
     b[54] = (byte)(in15 >> 12);
     b[55] = (byte)(in15 >> 20);
@@ -1834,6 +1834,7 @@ static WC_INLINE void fe448_mul_8(sword32* r, const sword32* a, const sword32* b
     sword64 t13  = (sword64)a[ 6] * b[ 7];
     sword64 t113 = (sword64)a[ 7] * b[ 6];
     sword64 t14  = (sword64)a[ 7] * b[ 7];
+    sword64 o, t15;
     t1  += t101;
     t2  += t102; t2  += t202;
     t3  += t103; t3  += t203; t3  += t303;
@@ -1850,8 +1851,8 @@ static WC_INLINE void fe448_mul_8(sword32* r, const sword32* a, const sword32* b
     t11 += t111; t11 += t211; t11 += t311;
     t12 += t112; t12 += t212;
     t13 += t113;
-    sword64 o = t14 >> 28;
-    sword64 t15 = o;
+    o = t14 >> 28;
+    t15 = o;
     t14 -= o << 28;
     o = (t0  >> 28); t1  += o; t = o << 28; t0  -= t;
     o = (t1  >> 28); t2  += o; t = o << 28; t1  -= t;