Various Espressif HW crypto, SHA2, AES, MP updates.

[gojimmypi]

Description

This PR includes the bulk of the Espressif-specific wolfcrypt updates as related to HW acceleration, separated out into this PR from my ED25519_SHA2_fix branch.

Code is considerably more multi-thread RTOS friendly with a improved robust fallback to software when the HW engine is busy. There's a new breadcrumb initializer attribute for keeping track of the address of the ctx that initialized a given instance: this is quite handy for detecting an unexpected copy of a ctx object and in particular ensuring only one instance can have active hardware-accelerated encryption active at a given time.

This is not the final update, but the as the changes have been accumulating for literally months, this is a good working version.

See #6234 for Espressif Roadmap and related updates.

This PR resolves:

• [Bug]: ed25519_test fails on ESP32 #5948
• [Bug]: Espressif SHA224 Fails wolfssl_test #6059

Fixes zd# n/a

Testing

How did you test?

Run Espressif benchmark and wolfssl test apps.

optional linux test:

git checkout Espressif_HW_Updates
./autogen.sh
./configure CC=clang --enable-all && make && ./wolfcrypt/test/testwolfcrypt
./wolfcrypt/benchmark/benchmark

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[dgarske]

Wow a ton of great work here. Please do a couple cleanups and then it should be ready to merge.

[dgarske]

Please add static. These don't need to be available outside benchmark.

[gojimmypi]

Got it. Done.

[dgarske]

Might consider uint64_t to match gptimer_get_raw_count. Does it need ;;? Just one ; please.

[gojimmypi]

Ah yes, good catch.

[dgarske]

Check indents here.

[gojimmypi]

ah yes, I neglected to format the code copied from #5950

I've cleaned up this, and others too.

[dgarske]

Copy paste has unicode here before 19.4.3. Please correct.

[gojimmypi]

unicode char removed

[dgarske]

Same variable declarations at top.

[gojimmypi]

done. also renamed to simply OperandBits

[dgarske]

Should below occur even if esp_sha512_digest_process returns a failure?

[gojimmypi]

esp_sha512_digest_process is currently hard-coded to return success, and remains so in this PR.

So, no: code should abort. This should be checked & I will revisit in the next update.

[gojimmypi]

@dgarske on this topic, which flow model to you prefer:

1. mid-function return <code>
2. goto out

There are plenty of examples of each. I'm generally not a big fan of goto, but in the this case of exit, it makes sense.

if (something) {
  goto out;
} 
else {
  return err;
}
...more code....

out:
  return ret;

[dgarske]

Neither. The ideal is one exit and no goto's. Like this:

int rc;

rc = do_func()
if (rc == 0)
    rc = do_func2()
if (rc == 0)
    rc = do_func3()

return rc;

[gojimmypi]

ok, might as well completely resolve this topic: What about in the case of bad parameters?

What are your thoughts on return BAD_FUNC_ARG early on? Good practice for this extra exit, eh?

int coolthing(int* param) 
{
    int rc;

    if (param == NULL) {
        return BAD_FUNC_ARG;
    }    
    
    rc = do_func()
    if (rc == 0)
        rc = do_func2()
    if (rc == 0)
        rc = do_func3()

    return rc;
}

Or would you prefer to wrap the entire function in if (all good params) { } ?

[dgarske]

Variables declared at top please.

[dgarske]

Same here

[gojimmypi]

Wow a ton of great work here.

Thank you! I cannot take all of the credit, as @PaulMartinsen contributed some excellent ESP32-S3 Xtensa support in #5950. As I was not yet ready to create a PR to wolfssl, I manually merged most of his changes from that PR into my branch so that we could move forward on his project.

This PR does not fully support ESP32-C3 yet. While making the changes here, I was reminded that although there are some changes for the RISC-V chipsets (ESP32-C3 and ESP32-C6), not all of the essential updates are here for optimal user experience. There are other interdependent changes in my ED25519_SHA2_fix branch, specifically the new CMakeLists.txt. PR for that coming soon.

Please do a couple cleanups and then it should be ready to merge.

I've completed some cleanups & will push updates soon after more testing.

[gojimmypi]

I've applied the code review suggestions, but build is still failing:

compiled without BUILD_INTROSPECTION.
skipping WOLFSSL_EXTERNAL_TEST because -UHAVE_ECC configuration of build is incompatible.
SKIP scripts/external.test (exit status: 77)

FAIL: scripts/openssl
=====================

and

# ./examples/server/server -p 59482 -g -v d -x -i -a  -l ALL "" "" ""
wolfSSL server started successfully on port 59482
waiting for OpenSSL_RSA ready...
OpenSSL_RSA ready!
waiting for wolfSSL_RSA ready...
SSL_accept error -341, record layer length error
wolfSSL error: SSL_accept failed
Continuing server execution...

and

SSL_accept error -501, can't match cipher suite
wolfSSL error: SSL_accept failed
140419066090816:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40
Continuing server execution...

I've looked over my update & cannot seem to find anything related to OpenSSL and HAVE_ECC . Any suggestions would be appreciated.

[gojimmypi]

Jenkins retest this please.

[dgarske]

There is already a (void)devId; below at line 588

[gojimmypi]

Removed duplicate

[dgarske]

Changes should be less intrusive by default. Please revert yours and leave the original else logic, which should cover 100% of the cases.

[dgarske]

This and the #else case are the same. Please combine and just document with a comment.

[gojimmypi]

Yes, they were the same on purpose as a placeholder for the -C3, but I agree that's probably not a great idea. Combined and comment added as requested.

[dgarske]

This is not valid. Please use wc_Sha tmpSha[1]; and do not duplicate code below.

[gojimmypi]

eek. I don't know what I was thinking that day! We certainly don't need a massive array of those, eh? Good catch, thank you. Fixed.

[dgarske]

Check indent here

[gojimmypi]

Ah yes, there was no reason for that indent. Fixed.

[dgarske]

Should you have a log string declared at top and use it?

#ifdef WOLFSSL_ESPIDF
     /* Define the ESP_LOGx(TAG, "" value for output messages here.
     **
     ** Beware of possible conflict in test.c (that one now named TEST_TAG)
     */
     static const char* TAG = "wc_sha";
#endif

[gojimmypi]

yes. updated.

[dgarske]

Same should there be a logging string? wc_sha512 in all cases. SHA2-384 is SHA2-512 truncated.

[gojimmypi]

Yes, updated.

This was the only ESP_LOG in the entire file. It was only an "interesting" case for SHA384 during debugging and only displays during verbose Espressif logging.

But you are correct: it should have been declared as a static const char* TAG

[dgarske]

Changes should be less intrusive by default. Please revert yours and leave the original else logic, which should cover 100% of the cases.

[dgarske]

Consider bit-field byte isfirstblock:1;.

[gojimmypi]

Changing only isfirstblock:1 would not have much benefit alone, but I also changed lockDepth:7, reducing the struct size from 20 to 16 bytes.

There's an expected slight performance penalty: 19.946 MiB/s for SHA-512 using bit-length bytes, vs 20.020 MiB/s using integers:

Bit-sized:

SHA                         21 MiB took 1.000 seconds,   21.484 MiB/s Cycles per byte =   7.10
SHA-256                     21 MiB took 1.000 seconds,   20.825 MiB/s Cycles per byte =   7.32
SHA-512                     20 MiB took 1.000 seconds,   19.946 MiB/s Cycles per byte =   7.65

Integers:

SHA                         21 MiB took 1.000 seconds,   21.411 MiB/s Cycles per byte =   7.12
SHA-256                     21 MiB took 1.000 seconds,   20.728 MiB/s Cycles per byte =   7.36
SHA-512                     20 MiB took 1.000 seconds,   20.020 MiB/s Cycles per byte =   7.62

Do you think it's worthwhile to have a gate like WOLFSSL_SP_SMALL to make these optional, and of so... which would you use?