Skip to content

Add AES-GCM DEM, CryptoCb support, and devId threading to ECIES#10883

Open
night1rider wants to merge 2 commits into
wolfSSL:masterfrom
night1rider:Extend-ECIES
Open

Add AES-GCM DEM, CryptoCb support, and devId threading to ECIES#10883
night1rider wants to merge 2 commits into
wolfSSL:masterfrom
night1rider:Extend-ECIES

Conversation

@night1rider

Copy link
Copy Markdown
Contributor

Add AES-GCM (128/256) as an ECIES DEM next to the AES-CBC/CTR+HMAC modes.

Only the encryption key comes from the KDF; the mac salt is bound as GCM AAD and the 16-byte tag replaces the HMAC.

The GCM DEM honors all three IV build modes, and default fixed-nonce GCM is gated behind the new WOLFSSL_ECIES_STATIC_GCM_NONCE opt-in. Adds ECIES CryptoCb encrypt/decrypt, the WOLF_CRYPTO_CB ctx getters, devId/heap threading into the DEM primitives, and test/benchmark/CI coverage.

@night1rider night1rider self-assigned this Jul 10, 2026

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10883

Scan targets checked: wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-rs-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src

Findings: 4
4 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

@night1rider night1rider marked this pull request as ready for review July 11, 2026 00:28
@github-actions

Copy link
Copy Markdown

retest this please

Add AES-GCM (128/256) as an ECIES DEM next to the AES-CBC/CTR+HMAC modes. Only the encryption key comes from the KDF; the mac salt is bound as GCM AAD and the 16-byte tag replaces the HMAC. The GCM DEM honors all three IV build modes, and default fixed-nonce GCM is gated behind the new WOLFSSL_ECIES_STATIC_GCM_NONCE opt-in. Adds ECIES CryptoCb encrypt/decrypt, the WOLF_CRYPTO_CB ctx getters, devId/heap threading into the DEM primitives, and test/benchmark/CI coverage.
…Id field by reading it into a guarded local (PLUTON_CRYPTO_ECC/WOLF_CRYPTO_CB) that defaults to INVALID_DEVID
@github-actions

github-actions Bot commented Jul 11, 2026

Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #10883

Scan targets checked: wolfcrypt-bugs, wolfcrypt-port-bugs, wolfcrypt-src, wolfssl-bugs, wolfssl-src
Failed targets: wolfcrypt-rs-bugs

Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread wolfcrypt/src/ecc.c
{
ret = wc_CryptoCb_EciesEncrypt(privKey, pubKey, msg, msgSz, out, outSz,
ctx, compressed);
if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] CryptoCb ECIES dispatch bypasses single-use context state machine · Cryptographic correctness

The CryptoCb early-return at line 15260 exits before the state machine checks (lines 15300–15309) that enforce single-use of the ecEncCtx. A pure-hardware CryptoCb implementation that services ECIES without forwarding to software never transitions ctx->cliSt from ecCLI_SALT_SET to ecCLI_SENT_REQ, allowing the same (ctx, privKey) pair to be encrypted with repeatedly — which is catastrophic for the static-nonce GCM DEM whose only safety argument is a fresh key per message.

Fix: Update the state machine (ctx->cliSt/ctx->srvSt) inside wc_CryptoCb_EciesEncrypt before invoking the callback, or enforce the state check before the CryptoCb dispatch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants