diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 9419a12a52c..0e9b800acc5 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -78,7 +78,8 @@ jobs: -DWOLFSSL_TLSX:BOOL=yes -DWOLFSSL_TPM:BOOL=yes -DWOLFSSL_CLU:BOOL=yes -DWOLFSSL_USER_SETTINGS:BOOL=no \ -DWOLFSSL_USER_SETTINGS_ASM:BOOL=no -DWOLFSSL_WOLFSSH:BOOL=ON -DWOLFSSL_X86_64_BUILD_ASM:BOOL=yes \ -DWOLFSSL_MLKEM=1 -DWOLFSSL_LMS=1 -DWOLFSSL_LMSSHA256192=1 -DWOLFSSL_EXPERIMENTAL=1 \ - -DWOLFSSL_X963KDF:BOOL=yes \ + -DWOLFSSL_X963KDF:BOOL=yes -DWOLFSSL_DILITHIUM:BOOL=yes -DWOLFSSL_PKCS11:BOOL=yes \ + -DWOLFSSL_ECCSI:BOOL=yes -DWOLFSSL_SAKKE:BOOL=yes -DWOLFSSL_SIPHASH:BOOL=yes \ -DCMAKE_C_FLAGS="-DWOLFSSL_DTLS_CH_FRAG" \ .. cmake --build . @@ -89,9 +90,6 @@ jobs: cd .. rm -rf build - # Kyber Cmake broken - # -DWOLFSSL_KYBER:BOOL=yes - # build "lean-tls" wolfssl - name: Build wolfssl with lean-tls working-directory: ./wolfssl @@ -107,3 +105,22 @@ jobs: # clean up cd .. rm -rf build + +# CMake build with user_settings.h + - name: Build wolfssl with user_settings.h + working-directory: ./wolfssl + run: | + mkdir build + cp examples/configs/user_settings_all.h ./build/user_settings.h + cd build + cmake -DCMAKE_VERBOSE_MAKEFILE:BOOL=ON -DWOLFSSL_INSTALL=yes -DCMAKE_INSTALL_PREFIX="$GITHUB_WORKSPACE/install" \ + -DWOLFSSL_USER_SETTINGS=ON -DWOLFSSL_USER_SETTINGS_ASM=ON -DWOLFSSL_EXAMPLES=ON -DWOLFSSL_CRYPT_TESTS=ON \ + -DCMAKE_C_FLAGS="${CMAKE_C_FLAGS} -I ." \ + .. + cmake --build . + ctest -j $(nproc) + cmake --install . + + # clean up + cd .. + rm -rf build diff --git a/.github/workflows/pq-all.yml b/.github/workflows/pq-all.yml index fc32344f6c5..6d1b50f3b52 100644 --- a/.github/workflows/pq-all.yml +++ b/.github/workflows/pq-all.yml 
@@ -19,9 +19,14 @@ jobs: config: [ # Add new configs here '--enable-intelasm --enable-sp-asm --enable-mlkem=yes,kyber,ml-kem CPPFLAGS="-DWOLFSSL_ML_KEM_USE_OLD_IDS"', - '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"', - '--enable-smallstack --enable-smallstackcache --enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"', - '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-kyber=yes,original --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++' + '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic 
-Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"', + '--enable-smallstack --enable-smallstackcache --enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"', + '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE" CC=c++', + '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_BLIND_PRIVATE_KEY"', + '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic 
-Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_BLIND_PRIVATE_KEY"', + '--enable-intelasm --enable-sp-asm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem --enable-lms --enable-xmss --enable-dilithium --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ"', + '--disable-intelasm --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem,small --enable-lms=yes,small --enable-xmss=yes,small --enable-dilithium=yes,small --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE -DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_NO_LARGE_CODE -DWOLFSSL_DILITHIUM_SIGN_SMALL_MEM -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_LARGE_CODE"', + '--disable-intelasm --enable-smallstack --enable-smallstackcache --enable-all --enable-testcert --enable-acert --enable-dtls13 --enable-dtls-mtu --enable-dtls-frag-ch --enable-dtlscid --enable-quic --with-sys-crypto-policy --enable-experimental --enable-mlkem=yes,kyber,ml-kem,small --enable-lms=yes,small --enable-xmss=yes,small --enable-dilithium=yes,small --enable-dual-alg-certs --disable-qt CPPFLAGS="-pedantic -Wdeclaration-after-statement -DWOLFCRYPT_TEST_LINT -DNO_WOLFSSL_CIPHER_SUITE_TEST -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE 
-DWOLFSSL_MLKEM_MAKEKEY_SMALL_MEM -DWOLFSSL_MLKEM_ENCAPSULATE_SMALL_MEM -DWOLFSSL_MLKEM_NO_LARGE_CODE -DWOLFSSL_DILITHIUM_SIGN_SMALL_MEM -DWOLFSSL_DILITHIUM_VERIFY_SMALL_MEM -DWOLFSSL_DILITHIUM_MAKE_KEY_SMALL_MEM -DWOLFSSL_DILITHIUM_NO_LARGE_CODE"',
 ]
 name: make check
 if: github.repository_owner == 'wolfssl'
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b782c5b5c34..218185f4f59 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -711,11 +711,18 @@ if (WOLFSSL_EXPERIMENTAL)
 set(WOLFSSL_FOUND_EXPERIMENTAL_FEATURE 1)
 message(STATUS "Automatically set related requirements for Dilithium:")
- set_wolfssl_definitions("HAVE_DILITHIUM" RESUlT)
- set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESUlT)
- set_wolfssl_definitions("WOLFSSL_SHA3" RESUlT)
- set_wolfssl_definitions("WOLFSSL_SHAKE128" RESUlT)
- set_wolfssl_definitions("WOLFSSL_SHAKE256" RESUlT)
+ add_definitions("-DHAVE_DILITHIUM")
+ add_definitions("-DWOLFSSL_WC_DILITHIUM")
+ add_definitions("-DWOLFSSL_SHA3")
+ add_definitions("-DWOLFSSL_SHAKE128")
+ add_definitions("-DWOLFSSL_SHAKE256")
+
+ message(STATUS "Automatically set related requirements for Dilithium:")
+ set_wolfssl_definitions("HAVE_DILITHIUM" RESULT)
+ set_wolfssl_definitions("WOLFSSL_WC_DILITHIUM" RESULT)
+ set_wolfssl_definitions("WOLFSSL_SHA3" RESULT)
+ set_wolfssl_definitions("WOLFSSL_SHAKE128" RESULT)
+ set_wolfssl_definitions("WOLFSSL_SHAKE256" RESULT)
 message(STATUS "Looking for WOLFSSL_DILITHIUM - found")
 else()
 message(STATUS "Looking for WOLFSSL_DILITHIUM - not found")
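Review bot: The Dilithium hunk now sets every define twice — once via `add_definitions("-D…")` and again via `set_wolfssl_definitions("…" RESULT)` — and prints the "Automatically set related requirements for Dilithium:" status line twice; one of the two mechanisms and the duplicated message look like a merge leftover and should go. Other options in this file (the ECC/ECCSI block further down) feed `list(APPEND WOLFSSL_DEFINITIONS …)`, so whichever of the two helpers is the one that also lands in the generated options header is the one to keep; if both are deliberately needed (e.g. `add_definitions` for targets configured before WOLFSSL_DEFINITIONS is applied), a one-line comment saying so would stop the next reader from deleting one. The enclosing `if (WOLFSSL_EXPERIMENTAL)` block starts before the hunk.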
@@ -1063,6 +1070,41 @@ if(WOLFSSL_ECC) endif() endif() +# ECCSI +add_option("WOLFSSL_ECCSI" + "Enable ECCSI (default: disabled)" + "no" "yes;no") + +if(WOLFSSL_ECCSI) + if (NOT WOLFSSL_ECC) + message(FATAL_ERROR "cannot enable ECCSI without enabling ECC.") + endif() + + list(APPEND WOLFSSL_DEFINITIONS "-DWOLFCRYPT_HAVE_ECCSI -DWOLFSSL_PUBLIC_MP") +endif() + +# SAKKE +add_option("WOLFSSL_SAKKE" + "Enable SAKKE (default: disabled)" + "no" "yes;no") + +if(WOLFSSL_SAKKE) + if (NOT WOLFSSL_ECC) + message(FATAL_ERROR "cannot enable SAKKE without enabling ECC.") + endif() + + list(APPEND WOLFSSL_DEFINITIONS "-DWOLFCRYPT_HAVE_SAKKE") +endif() + +# SipHash +add_option("WOLFSSL_SIPHASH" + "Enable SipHash (default: disabled)" + "no" "yes;no") + +if(WOLFSSL_SIPHASH) + list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SIPHASH") +endif() + # TODO: - Compressed key # - FP ECC, fixed point cache ECC # - ECC encrypt @@ -1898,6 +1940,7 @@ add_option("WOLFSSL_PKCS11" "no" "yes;no") if(WOLFSSL_PKCS11 AND NOT WIN32) + list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_PKCS11 -DHAVE_WOLF_BIGINT") list(APPEND WOLFSSL_LINK_LIBS ${CMAKE_DL_LIBS}) endif() diff --git a/cmake/functions.cmake b/cmake/functions.cmake index a011faf58e0..5a7754855ab 100644 --- a/cmake/functions.cmake +++ b/cmake/functions.cmake @@ -108,6 +108,15 @@ function(generate_build_flags) if(WOLFSSL_ECC OR WOLFSSL_USER_SETTINGS) set(BUILD_ECC "yes" PARENT_SCOPE) endif() + if(WOLFSSL_ECCSI OR WOLFSSL_USER_SETTINGS) + set(BUILD_ECCSI "yes" PARENT_SCOPE) + endif() + if(WOLFSSL_SAKKE OR WOLFSSL_USER_SETTINGS) + set(BUILD_SAKKE "yes" PARENT_SCOPE) + endif() + if(WOLFSSL_SIPHASH OR WOLFSSL_USER_SETTINGS) + set(BUILD_SIPHASH "yes" PARENT_SCOPE) + endif() if(WOLFSSL_ED25519 OR WOLFSSL_USER_SETTINGS) set(BUILD_ED25519 "yes" PARENT_SCOPE) endif() 
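Review bot: ECCSI appends `-DWOLFSSL_PUBLIC_MP` next to its feature define while SAKKE appends only `-DWOLFCRYPT_HAVE_SAKKE`; that asymmetry may well be intentional (the ECCSI API hands out mp_int values, SAKKE's mostly byte arrays), but since these options are meant to mirror configure.ac's `--enable-eccsi`/`--enable-sakke`, a comment such as `# ECCSI exposes mp_int in its API, hence WOLFSSL_PUBLIC_MP` would record that it was checked. Also, `list(APPEND WOLFSSL_DEFINITIONS "-DWOLFCRYPT_HAVE_ECCSI -DWOLFSSL_PUBLIC_MP")` stores two flags as one list element; if anything walks WOLFSSL_DEFINITIONS per element (for instance to derive option names from the `-D` prefix) that element will not be seen as two defines, so `list(APPEND WOLFSSL_DEFINITIONS "-DWOLFCRYPT_HAVE_ECCSI" "-DWOLFSSL_PUBLIC_MP")` is the safer form.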
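Review bot: `-DHAVE_PKCS11 -DHAVE_WOLF_BIGINT` is added only under `WOLFSSL_PKCS11 AND NOT WIN32`, so selecting the option on Windows now silently produces a library with no PKCS#11 support at all; keep `NOT WIN32` for the `CMAKE_DL_LIBS` link line only, or fail loudly there with `message(FATAL_ERROR "WOLFSSL_PKCS11 is not supported on Windows")`. If I remember the autotools side correctly, `--enable-pkcs11` also forces the crypto-callback plumbing on, which the PKCS#11 device path sits behind; nothing in this hunk does the equivalent, so it is worth confirming that `WOLFSSL_CRYPTOCB` (or its define) is enabled or required here too. The same two-flags-in-one-list-element concern as the ECCSI hunk applies to `"-DHAVE_PKCS11 -DHAVE_WOLF_BIGINT"`.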
@@ -914,6 +923,18 @@ function(generate_lib_src_list LIB_SOURCES)
 list(APPEND LIB_SOURCES wolfcrypt/src/ecc.c)
 endif()
+ if(BUILD_ECCSI)
+ list(APPEND LIB_SOURCES wolfcrypt/src/eccsi.c)
+ endif()
+
+ if(BUILD_SAKKE)
+ list(APPEND LIB_SOURCES wolfcrypt/src/sakke.c)
+ endif()
+
+ if(BUILD_SIPHASH)
+ list(APPEND LIB_SOURCES wolfcrypt/src/siphash.c)
+ endif()
+
 if(BUILD_CURVE25519)
 list(APPEND LIB_SOURCES wolfcrypt/src/curve25519.c)
 if(BUILD_ARMASM)
@@ -942,21 +963,17 @@ function(generate_lib_src_list LIB_SOURCES)
 endif()
 if(BUILD_FEMATH)
- if(BUILD_CURVE25519_SMALL)
 list(APPEND LIB_SOURCES wolfcrypt/src/fe_low_mem.c)
- else()
+ if(BUILD_INTELASM)
 list(APPEND LIB_SOURCES wolfcrypt/src/fe_x25519_asm.S)
 else()
 list(APPEND LIB_SOURCES wolfcrypt/src/fe_operations.c)
 endif()
- endif()
 endif()
 if(BUILD_GEMATH)
- if(BUILD_ED25519_SMALL)
 list(APPEND LIB_SOURCES wolfcrypt/src/ge_low_mem.c)
- else()
 list(APPEND LIB_SOURCES wolfcrypt/src/ge_operations.c)
 if(NOT BUILD_FEMATH)
@@ -966,7 +983,6 @@ function(generate_lib_src_list LIB_SOURCES)
 list(APPEND LIB_SOURCES wolfcrypt/src/fe_operations.c)
 endif()
 endif()
- endif()
 endif()
 if(BUILD_CURVE448)
diff --git a/examples/configs/user_settings_all.h b/examples/configs/user_settings_all.h
index 442b1354467..8940e83f241 100644
--- a/examples/configs/user_settings_all.h
+++ b/examples/configs/user_settings_all.h
@@ -216,8 +216,9 @@ extern "C" {
 #define HAVE_HASHDRBG
 #define HAVE_CURVE25519
 #define HAVE_ED25519
+#define ED25519_SMALL
 #define WOLFSSL_ED25519_STREAMING_VERIFY
-#define CURVED25519_SMALL
+#define CURVE25519_SMALL
 #define HAVE_ED448
 #define WOLFSSL_ED448_STREAMING_VERIFY
 #define HAVE_CURVE448
diff --git a/src/internal.c b/src/internal.c
index 5e5cf3cc4dd..c931e2a1068 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -7124,6 +7124,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 if (ret != 0) {
 return ret;
 }
+ ret = WOLFSSL_SUCCESS;
 }
 #endif
 ssl->buffers.keyType = ctx->privateKeyType;
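Review bot: After the FEMATH/GEMATH hunk, fe_low_mem.c is always compiled alongside fe_operations.c (or fe_x25519_asm.S), and ge_low_mem.c alongside ge_operations.c, where the removed code picked one variant by `BUILD_CURVE25519_SMALL`/`BUILD_ED25519_SMALL`. That is only safe if each of those sources compiles to nothing unless its own `CURVE25519_SMALL`/`ED25519_SMALL` guard matches — presumably the intent, since with `WOLFSSL_USER_SETTINGS` CMake cannot know which variant user_settings.h selects — but nothing in the hunk says so, and someone will otherwise "fix" the selection back in; a comment above `if(BUILD_FEMATH)` such as `# Both variants are listed on purpose: each file #ifdefs itself out based on CURVE25519_SMALL/ED25519_SMALL` covers it. The small build with `BUILD_INTELASM` on now also pulls in `fe_x25519_asm.S`, so that file needs the same self-exclusion; worth confirming. `generate_lib_src_list` starts before and continues after the hunk.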
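Review bot: In the internal.c hunk `ret` carries two conventions: the 0-on-success result of the call checked by `if (ret != 0) { return ret; }` (the call itself is above the hunk; elsewhere in this commit it is `wolfssl_priv_der_blind`), and the `WOLFSSL_SUCCESS` value `SetSSL_CTX` presumably returns at its end, which the added `ret = WOLFSSL_SUCCESS;` restores. That is easy to break in a later edit; either give the helper its own local (`int bret = …; if (bret != 0) { return bret; }`) so `ret` is never overwritten, or at least annotate the line: `/* helper returns 0 on success; restore this function's WOLFSSL_SUCCESS */`. SetSSL_CTX starts before and continues after the hunk, so the returning path is not visible here.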
diff --git a/src/ssl.c b/src/ssl.c
index 95319bff0a7..efac5e7d973 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -7519,11 +7519,19 @@ int wolfSSL_CTX_check_private_key(const WOLFSSL_CTX* ctx)
 #ifdef WOLFSSL_DUAL_ALG_CERTS
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
 privateKey = wolfssl_priv_der_unblind(ctx->privateKey, ctx->privateKeyMask);
- altPrivateKey = wolfssl_priv_der_unblind(ctx->altPrivateKey,
- ctx->altPrivateKeyMask);
- if ((privateKey == NULL) || (altPrivateKey == NULL)) {
+ if (privateKey == NULL) {
 res = WOLFSSL_FAILURE;
 }
+ if (ctx->altPrivateKey != NULL) {
+ altPrivateKey = wolfssl_priv_der_unblind(ctx->altPrivateKey,
+ ctx->altPrivateKeyMask);
+ if (altPrivateKey == NULL) {
+ res = WOLFSSL_FAILURE;
+ }
+ }
+ else {
+ altPrivateKey = NULL;
+ }
 #else
 privateKey = ctx->privateKey;
 altPrivateKey = ctx->altPrivateKey;
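Review bot: When unblinding the primary key fails (`privateKey == NULL`) the code still goes on to unblind the alt key, producing a second plaintext copy whose only fate is to be freed by the tail of the function (outside the hunk); gating the alt branch keeps the plaintext window minimal: `if ((res == WOLFSSL_SUCCESS) && (ctx->altPrivateKey != NULL)) {`, with the `else` still setting `altPrivateKey = NULL` so the later free stays well-defined. The behaviour for a CTX with no primary key now hinges on what `wolfssl_priv_der_unblind(NULL, …)` returns — if NULL, the blinded build reports failure while the `#else` path hands a NULL key to the checker, so the two builds should be confirmed to agree. wolfSSL_CTX_check_private_key starts before and ends after the hunk.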
@@ -8866,47 +8874,69 @@ int wolfSSL_check_private_key(const WOLFSSL* ssl)
 {
 int res = WOLFSSL_SUCCESS;
+#ifdef WOLFSSL_BLIND_PRIVATE_KEY
+ DerBuffer *privateKey;
+#ifdef WOLFSSL_DUAL_ALG_CERTS
+ DerBuffer *altPrivateKey;
+#endif
+#else
+ const DerBuffer *privateKey;
+#ifdef WOLFSSL_DUAL_ALG_CERTS
+ const DerBuffer *altPrivateKey;
+#endif
+#endif
+
 if (ssl == NULL) {
 return WOLFSSL_FAILURE;
 }
 #ifdef WOLFSSL_DUAL_ALG_CERTS
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
- wolfssl_priv_der_unblind(ssl->buffers.key, ssl->buffers.keyMask);
- wolfssl_priv_der_unblind(ssl->buffers.altKey, ssl->buffers.altKeyMask);
-#endif
- res = check_cert_key(ssl->buffers.certificate, ssl->buffers.key,
- ssl->buffers.altKey, ssl->heap, ssl->buffers.keyDevId,
- ssl->buffers.keyLabel, ssl->buffers.keyId, ssl->buffers.altKeyDevId,
- ssl->buffers.altKeyLabel, ssl->buffers.altKeyId);
-#ifdef WOLFSSL_BLIND_PRIVATE_KEY
- if (res == WOLFSSL_SUCCESS) {
- int ret;
- ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
- (DerBuffer**)&ssl->buffers.keyMask);
- if (ret == 0) {
- ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey,
- (DerBuffer**)&ssl->buffers.altKeyMask);
- }
- if (ret != 0) {
+ privateKey = wolfssl_priv_der_unblind(ssl->buffers.key,
+ ssl->buffers.keyMask);
+ if (privateKey == NULL) {
+ res = WOLFSSL_FAILURE;
+ }
+ if (ssl->buffers.altKey != NULL) {
+ altPrivateKey = wolfssl_priv_der_unblind(ssl->buffers.altKey,
+ ssl->buffers.altKeyMask);
+ if (altPrivateKey == NULL) {
 res = WOLFSSL_FAILURE;
 }
 }
-#endif
+ else {
+ altPrivateKey = NULL;
+ }
 #else
+ privateKey = ssl->buffers.key;
+ altPrivateKey = ssl->buffers.altKey;
+#endif
+ if (res == WOLFSSL_SUCCESS) {
+ res = check_cert_key(ssl->buffers.certificate, privateKey,
+ altPrivateKey, ssl->heap, ssl->buffers.keyDevId,
+ ssl->buffers.keyLabel, ssl->buffers.keyId, ssl->buffers.altKeyDevId,
+ ssl->buffers.altKeyLabel, ssl->buffers.altKeyId);
+ }
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
- wolfssl_priv_der_blind_toggle(ssl->buffers.key,
ssl->buffers.keyMask);
+ wolfssl_priv_der_unblind_free(privateKey);
+ wolfssl_priv_der_unblind_free(altPrivateKey);
 #endif
- res = check_cert_key(ssl->buffers.certificate, ssl->buffers.key, NULL,
- ssl->heap, ssl->buffers.keyDevId, ssl->buffers.keyLabel,
- ssl->buffers.keyId, INVALID_DEVID, 0, 0);
+#else
 #ifdef WOLFSSL_BLIND_PRIVATE_KEY
+ privateKey = wolfssl_priv_der_unblind(ssl->buffers.key,
+ ssl->buffers.keyMask);
+ if (privateKey == NULL) {
+ res = WOLFSSL_FAILURE;
+ }
+#else
+ privateKey = ssl->buffers.key;
+#endif
 if (res == WOLFSSL_SUCCESS) {
- int ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
- (DerBuffer**)&ssl->buffers.keyMask);
- if (ret != 0) {
- res = WOLFSSL_FAILURE;
- }
+ res = check_cert_key(ssl->buffers.certificate, privateKey, NULL,
+ ssl->heap, ssl->buffers.keyDevId, ssl->buffers.keyLabel,
+ ssl->buffers.keyId, INVALID_DEVID, 0, 0);
 }
+#ifdef WOLFSSL_BLIND_PRIVATE_KEY
+ wolfssl_priv_der_unblind_free(privateKey);
 #endif
 #endif
@@ -20988,14 +21018,15 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 ssl->buffers.altKey = ctx->altPrivateKey;
 #else
 if (ctx->altPrivateKey != NULL) {
- ret = AllocCopyDer(&ssl->buffers.altkey, ctx->altPrivateKey->buffer,
+ ret = AllocCopyDer(&ssl->buffers.altKey, ctx->altPrivateKey->buffer,
 ctx->altPrivateKey->length, ctx->altPrivateKey->type, ctx->altPrivateKey->heap);
 if (ret != 0) {
 return NULL;
 }
 /* Blind the private key for the SSL with new random mask. */
- wolfssl_priv_der_unblind(ssl->buffers.altKey, ctx->altPrivateKeyMask);
+ wolfssl_priv_der_blind_toggle(ssl->buffers.altKey,
+ ctx->altPrivateKeyMask);
 ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.altKey, &ssl->buffers.altKeyMask);
 if (ret != 0) {
diff --git a/wolfcrypt/src/dilithium.c b/wolfcrypt/src/dilithium.c
index dcb42e59fc0..86e92113c19 100644
--- a/wolfcrypt/src/dilithium.c
+++ b/wolfcrypt/src/dilithium.c
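Review bot: The `privateKey`/`altPrivateKey` returned by `wolfssl_priv_der_unblind` are fresh plaintext copies of the keys, so `wolfssl_priv_der_unblind_free` must zeroize before releasing — otherwise WOLFSSL_BLIND_PRIVATE_KEY leaves exactly the material it exists to hide in freed heap — and it must accept NULL, since `altPrivateKey` is NULL when `ssl->buffers.altKey` is unset and `privateKey` is NULL on an unblind failure; neither property is visible from this hunk, so a comment at the call sites such as `/* unblind_free wipes the plaintext copy; NULL is a no-op */` would pin the contract. As in the CTX variant, the alt key is still unblinded after the primary has already failed; `if ((res == WOLFSSL_SUCCESS) && (ssl->buffers.altKey != NULL))` avoids creating a plaintext copy that is only going to be freed. This does fix the removed code, which unblinded the stored key in place and re-blinded it only on success, leaving it in the clear on failure.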
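Review bot: In the wolfSSL_set_SSL_CTX hunk, between `wolfssl_priv_der_blind_toggle` (which strips the CTX mask from the fresh copy) and the `wolfssl_priv_der_blind` call that applies the new mask, `ssl->buffers.altKey` holds the plaintext alt key; the `if (ret != 0)` branch that follows (its body is outside the hunk) must therefore wipe and free that copy, not just return NULL. The comment above still reads `/* Blind the private key for the SSL with new random mask. */` although the first call unblinds; `/* Strip the CTX mask from the copy, then re-blind it with a mask private to this SSL. */` describes both lines. If the mask is XOR-applied, toggling with the XOR of the old and new masks in one pass would remove the plaintext window entirely — a design note rather than something this hunk needs. The function starts before and continues after the hunk.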
@@ -8788,9 +8788,9 @@ static int dilithium_sign_with_seed_mu(dilithium_key* key, const byte* s2pt = s2p; #endif sword32* cs2 = ct0; + byte idx = 0; w0t = w0; w1t = w1; - byte idx = 0; for (r = 0; valid && (r < params->k); r++) { #ifndef WOLFSSL_DILITHIUM_SIGN_SMALL_MEM_PRECALC diff --git a/wolfcrypt/src/wc_lms_impl.c b/wolfcrypt/src/wc_lms_impl.c index e2a4949ff48..d36fdf3edbb 100644 --- a/wolfcrypt/src/wc_lms_impl.c +++ b/wolfcrypt/src/wc_lms_impl.c @@ -3185,9 +3185,14 @@ int wc_hss_reload_key(LmsState* state, const byte* priv_raw, (void)pub_root; /* Defend against undefined shifts; LmsParams* params = state->params */ - if ((state->params->cacheBits >= 32U) || (state->params->height >= 32U)) { + if (state->params->height >= 32U) { return BAD_FUNC_ARG; } +#ifndef WOLFSSL_WC_LMS_SMALL + if (state->params->cacheBits >= 32U) { + return BAD_FUNC_ARG; + } +#endif wc_hss_priv_data_load(state->params, priv_key, priv_data); #ifndef WOLFSSL_WC_LMS_SMALL
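Review bot: The `cacheBits` range check now sits under `#ifndef WOLFSSL_WC_LMS_SMALL`, but the comment above the checks still reads as one guard; since the split is presumably because `LmsParams` has no `cacheBits` member in the small build, say so on the `#ifndef`: `/* cacheBits only exists in the full (subtree-caching) build. */`. The existing `/* Defend against undefined shifts; LmsParams* params = state->params */` also mentions a `params` local that the code never declares; either add `const LmsParams* params = state->params;` and use it in both checks or drop that half of the comment. wc_hss_reload_key continues past the hunk.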