Skip to content

Fix IAR warning about volatile access#10045

Open
embhorn wants to merge 1 commit intowolfSSL:masterfrom
embhorn:zd21385
Open

Fix IAR warning about volatile access#10045
embhorn wants to merge 1 commit intowolfSSL:masterfrom
embhorn:zd21385

Conversation

@embhorn
Copy link
Member

@embhorn embhorn commented Mar 23, 2026

Description

Read the volatile once into a local copy, then use the copy in expressions — satisfying IAR's stricter volatile access rules.

Fixes zd21385

Testing

Customer confirmed clean build with IAR tools

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@embhorn embhorn self-assigned this Mar 23, 2026
Copilot AI review requested due to automatic review settings March 23, 2026 13:24
Copilot AI reviewed Mar 23, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates RSA unpadding and ticket decryption error masking to satisfy IAR’s stricter rules around volatile access by first reading volatile values into local copies and using those in subsequent expressions.

Changes:

  • Refactored constant-time RSA unpadding checks to use local copies of volatile variables in expressions.
  • Updated ticket encryption callback RSA path to use a local copy of a volatile mask when composing lastErr.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
wolfcrypt/src/rsa.c Reads volatile masking state into local temporaries before combining/deriving masks to avoid IAR volatile-use warnings.
src/internal.c Uses a local copy of lenErrMask when building args->lastErr to avoid volatile access in compound expressions.
Comments suppressed due to low confidence (2)

src/internal.c:1

  • Since lenErrMaskCopy is the value actually used in subsequent expressions, computing directly into the non-volatile local (and only keeping volatile if it’s required for the toolchain workaround) would reduce noise and avoid an extra volatile write+read pair. For example, compute the mask into lenErrMaskCopy and use that consistently.
    src/internal.c:1
  • Since lenErrMaskCopy is the value actually used in subsequent expressions, computing directly into the non-volatile local (and only keeping volatile if it’s required for the toolchain workaround) would reduce noise and avoid an extra volatile write+read pair. For example, compute the mask into lenErrMaskCopy and use that consistently.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

wolfcrypt/src/rsa.c
volatile byte invalid = 0;
volatile byte minPad;
volatile int invalidMask;
word16 pastSepCopy;
Copy link

Copilot AI Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pastSepCopy is declared as word16 but is later complemented and truncated to byte. If pastSep is intended to be an 8-bit mask (as implied by (byte)~pastSep previously), widening to 16-bit before ~ can change the intermediate value and makes the operation dependent on implicit promotions/truncation. Prefer declaring pastSepCopy with the same type/width as pastSep (or explicitly cast before the bitwise NOT) to preserve exact semantics.

Copilot uses AI. Check for mistakes.
wolfcrypt/src/rsa.c
Comment on lines +1913 to +1915
pastSepCopy = pastSep;
invalidCopy = invalid;
invalid = invalidCopy | (byte)~pastSepCopy;
Copy link

Copilot AI Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pastSepCopy is declared as word16 but is later complemented and truncated to byte. If pastSep is intended to be an 8-bit mask (as implied by (byte)~pastSep previously), widening to 16-bit before ~ can change the intermediate value and makes the operation dependent on implicit promotions/truncation. Prefer declaring pastSepCopy with the same type/width as pastSep (or explicitly cast before the bitwise NOT) to preserve exact semantics.

Copilot uses AI. Check for mistakes.
wolfcrypt/src/rsa.c
Comment on lines +1909 to +1921
minPadCopy = minPad;
invalidCopy = invalid;
invalid = invalidCopy | minPadCopy;
/* Must have seen separator. */
invalid |= (byte)~pastSep;
pastSepCopy = pastSep;
invalidCopy = invalid;
invalid = invalidCopy | (byte)~pastSepCopy;
/* First byte must be 0x00. */
invalid |= ctMaskNotEq(pkcsBlock[0], 0x00);
invalidCopy = invalid;
invalid = invalidCopy | ctMaskNotEq(pkcsBlock[0], 0x00);
/* Check against expected block type: padValue */
invalid |= ctMaskNotEq(pkcsBlock[1], padValue);
invalidCopy = invalid;
invalid = invalidCopy | ctMaskNotEq(pkcsBlock[1], padValue);
Copy link

Copilot AI Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This repeated volatile-to-local copy pattern is easy to get wrong over time and makes the constant-time logic harder to audit. Consider consolidating this into a small helper/macro (e.g., a READ_VOLATILE(x) and/or OR_ASSIGN_VOLATILE(dst, src) pattern) so each operation is expressed once and the IAR workaround is localized.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@embhorn embhorn

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@embhorn