Add AES-GCM DEM, CryptoCb support, and devId threading to ECIES#10883
Add AES-GCM DEM, CryptoCb support, and devId threading to ECIES#10883night1rider wants to merge 2 commits into
Conversation
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10883
Scan targets checked: wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Findings: 4
4 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
|
retest this please |
Add AES-GCM (128/256) as an ECIES DEM next to the AES-CBC/CTR+HMAC modes. Only the encryption key comes from the KDF; the mac salt is bound as GCM AAD and the 16-byte tag replaces the HMAC. The GCM DEM honors all three IV build modes, and default fixed-nonce GCM is gated behind the new WOLFSSL_ECIES_STATIC_GCM_NONCE opt-in. Adds ECIES CryptoCb encrypt/decrypt, the WOLF_CRYPTO_CB ctx getters, devId/heap threading into the DEM primitives, and test/benchmark/CI coverage.
e077b08 to
55e2253
Compare
…Id field by reading it into a guarded local (PLUTON_CRYPTO_ECC/WOLF_CRYPTO_CB) that defaults to INVALID_DEVID
|
wolfSSL-Fenrir-bot
left a comment
There was a problem hiding this comment.
Fenrir Automated Review — PR #10883
Scan targets checked: wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Failed targets: wolfcrypt-rs-bugs
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
| { | ||
| ret = wc_CryptoCb_EciesEncrypt(privKey, pubKey, msg, msgSz, out, outSz, | ||
| ctx, compressed); | ||
| if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) |
There was a problem hiding this comment.
🟠 [Medium] CryptoCb ECIES dispatch bypasses single-use context state machine · Cryptographic correctness
The CryptoCb early-return at line 15260 exits before the state machine checks (lines 15300–15309) that enforce single-use of the ecEncCtx. A pure-hardware CryptoCb implementation that services ECIES without forwarding to software never transitions ctx->cliSt from ecCLI_SALT_SET to ecCLI_SENT_REQ, allowing the same (ctx, privKey) pair to be encrypted with repeatedly — which is catastrophic for the static-nonce GCM DEM whose only safety argument is a fresh key per message.
Fix: Update the state machine (ctx->cliSt/ctx->srvSt) inside wc_CryptoCb_EciesEncrypt before invoking the callback, or enforce the state check before the CryptoCb dispatch.
Add AES-GCM (128/256) as an ECIES DEM next to the AES-CBC/CTR+HMAC modes.
Only the encryption key comes from the KDF; the mac salt is bound as GCM AAD and the 16-byte tag replaces the HMAC.
The GCM DEM honors all three IV build modes, and default fixed-nonce GCM is gated behind the new WOLFSSL_ECIES_STATIC_GCM_NONCE opt-in. Adds ECIES CryptoCb encrypt/decrypt, the WOLF_CRYPTO_CB ctx getters, devId/heap threading into the DEM primitives, and test/benchmark/CI coverage.