forked from wolfSSL/wolfssl
configure.ac and wolfssl/wolfcrypt/asn_public.h: add --enable-fips=v5-RC8 for use with WCv5.0-RC8 codebase; add HAVE_FIPS_VERSION_MINOR, and refactor main $ENABLED_FIPS switch to set HAVE_FIPS_VERSION and if applicable HAVE_FIPS_VERSION_MINOR for use in subsequent tests and the main FIPS setup code; in asn_public.h, use HAVE_FIPS_VERSION_MINOR to exclude declaration of wc_RsaKeyToPublicDer() when building FIPS WCv5.0-RC8.
This commit is contained in:
Daniel Pouzzner
88
configure.ac
88
configure.ac
@@ -199,7 +199,7 @@ fi
|
||||
AC_SUBST([ENABLED_ASM])
|
||||
|
||||
|
||||
# FIPS 140-2
|
||||
# FIPS 140
|
||||
AC_ARG_ENABLE([fips],
|
||||
[AS_HELP_STRING([--enable-fips],[Enable FIPS 140-2, Will NOT work w/o FIPS license (default: disabled)])],
|
||||
[ENABLED_FIPS=$enableval],
|
||||
@@ -211,6 +211,7 @@ then
|
||||
fi
|
||||
|
||||
# The FIPS options are:
|
||||
# v5-RC8 - FIPS 140-3 (wolfCrypt WCv5.0-RC8)
|
||||
# v5 - FIPS 140-3 (wolfCrypt v5.0.0)
|
||||
# v3 - FIPS Ready
|
||||
# ready - same as v3
|
||||
@@ -220,11 +221,6 @@ fi
|
||||
# v1 - FIPS 140-2 Cert 2425
|
||||
# default - same as v1
|
||||
AS_CASE([$ENABLED_FIPS],
|
||||
[ready|v3],[
|
||||
ENABLED_FIPS="yes"
|
||||
FIPS_VERSION="v3"
|
||||
FIPS_READY="yes"
|
||||
],
|
||||
[no],[
|
||||
FIPS_VERSION="none"
|
||||
ENABLED_FIPS="no"
|
||||
@@ -233,26 +229,59 @@ AS_CASE([$ENABLED_FIPS],
|
||||
FIPS_VERSION="disabled"
|
||||
ENABLED_FIPS="no"
|
||||
],
|
||||
[rand|v1|v2|v5],[
|
||||
[ready|v3],[
|
||||
ENABLED_FIPS="yes"
|
||||
FIPS_VERSION="v3"
|
||||
HAVE_FIPS_VERSION=3
|
||||
FIPS_READY="yes"
|
||||
],
|
||||
[rand],[
|
||||
FIPS_VERSION="$ENABLED_FIPS"
|
||||
HAVE_FIPS_VERSION=3
|
||||
ENABLED_FIPS="yes"
|
||||
],
|
||||
[yes],
|
||||
[
|
||||
# FIPS v1
|
||||
ENABLED_FIPS="yes"
|
||||
[v1|yes|cert2425],[
|
||||
FIPS_VERSION="v1"
|
||||
HAVE_FIPS_VERSION=1
|
||||
ENABLED_FIPS="yes"
|
||||
],
|
||||
[v2|cert3389],[
|
||||
FIPS_VERSION="$ENABLED_FIPS"
|
||||
HAVE_FIPS_VERSION=2
|
||||
ENABLED_FIPS="yes"
|
||||
],
|
||||
[v5-RC8],[
|
||||
FIPS_VERSION="$ENABLED_FIPS"
|
||||
HAVE_FIPS_VERSION=5
|
||||
ENABLED_FIPS="yes"
|
||||
],
|
||||
[v5],[
|
||||
FIPS_VERSION="$ENABLED_FIPS"
|
||||
HAVE_FIPS_VERSION=5
|
||||
HAVE_FIPS_VERSION_MINOR=1
|
||||
ENABLED_FIPS="yes"
|
||||
],
|
||||
[
|
||||
AC_MSG_ERROR([Invalid value for --enable-fips "$ENABLED_FIPS" (allowed: ready, rand, v1, v2, v5, no, disabled)])
|
||||
AC_MSG_ERROR([Invalid value for --enable-fips "$ENABLED_FIPS" (allowed: ready, rand, v1, v2, v5-RC8, v5, no, disabled)])
|
||||
])
|
||||
|
||||
if test -z "$HAVE_FIPS_VERSION_MINOR"
|
||||
then
|
||||
HAVE_FIPS_VERSION_MINOR=0
|
||||
fi
|
||||
if test -z "$HAVE_FIPS_VERSION"
|
||||
then
|
||||
HAVE_FIPS_VERSION=0
|
||||
fi
|
||||
|
||||
AS_CASE([$FIPS_VERSION],
|
||||
[none],
|
||||
[
|
||||
AS_IF([ test -s $srcdir/wolfcrypt/src/fips.c -o -s $srcdir/ctaocrypt/src/fips.c ],
|
||||
[AC_MSG_ERROR([FIPS source tree is incompatible with non-FIPS build (requires --enable-fips)])])
|
||||
],
|
||||
[disabled],
|
||||
[],
|
||||
[v1],
|
||||
[
|
||||
AS_IF([ ! test -s $srcdir/ctaocrypt/src/fips.c],
|
||||
@@ -264,13 +293,6 @@ AS_CASE([$FIPS_VERSION],
|
||||
]
|
||||
)
|
||||
|
||||
# FIPS 140-3
|
||||
AC_ARG_ENABLE([fips-3],
|
||||
[AS_HELP_STRING([--enable-fips-3],[Enable FIPS 140-3, Will NOT work w/o FIPS license (default: disabled)])],
|
||||
[ENABLED_FIPS_140_3=$enableval],
|
||||
[ENABLED_FIPS_140_3="no"])
|
||||
AS_IF([test "x$ENABLED_FIPS_140_3" = "xyes"],[ENABLED_FIPS="yes";FIPS_VERSION="v5"])
|
||||
|
||||
|
||||
# For reproducible build, gate out from the build anything that might
|
||||
# introduce semantically frivolous jitter, maximizing chance of
|
||||
@@ -2021,7 +2043,7 @@ fi
|
||||
SHA224_DEFAULT=no
|
||||
if test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64"
|
||||
then
|
||||
if test "x$ENABLED_AFALG" = "xno" && test "x$ENABLED_DEVCRYPTO" = "xno" && ( test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2" )
|
||||
if test "x$ENABLED_AFALG" = "xno" && test "x$ENABLED_DEVCRYPTO" = "xno" && ( test "x$ENABLED_FIPS" = "xno" || test "$HAVE_FIPS_VERSION" = 2 )
|
||||
then
|
||||
SHA224_DEFAULT=yes
|
||||
fi
|
||||
@@ -2044,7 +2066,7 @@ fi
|
||||
SHA3_DEFAULT=no
|
||||
if (test "$host_cpu" = "x86_64" || test "$host_cpu" = "aarch64") && test "$ENABLED_32BIT" = "no"
|
||||
then
|
||||
if test "x$ENABLED_FIPS" = "xno" || test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv5"
|
||||
if test "x$ENABLED_FIPS" = "xno" || test "$HAVE_FIPS_VERSION" -ge 2
|
||||
then
|
||||
SHA3_DEFAULT=yes
|
||||
fi
|
||||
@@ -2471,7 +2493,7 @@ then
|
||||
then
|
||||
AC_MSG_ERROR([cannot enable ed448 without enabling sha512.])
|
||||
fi
|
||||
if test "$FIPS_VERSION" = "v2"
|
||||
if test "$HAVE_FIPS_VERSION" = 2
|
||||
then
|
||||
AC_MSG_ERROR([cannot enable ed448 w/ dependency shake256 in FIPSv2 mode])
|
||||
fi
|
||||
@@ -3376,8 +3398,8 @@ fi
|
||||
|
||||
# FIPS
|
||||
AS_CASE([$FIPS_VERSION],
|
||||
["v5"], [ # FIPS 140-3
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=5 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_ECDSA_SET_K"
|
||||
[v5*], [ # FIPS 140-3
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_ECDSA_SET_K"
|
||||
ENABLED_KEYGEN="yes"; ENABLED_SHA224="yes"; ENABLED_DES3="no"
|
||||
# Shake256 is a SHA-3 algorithm not in our FIPS algorithm list
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_SHAKE256"
|
||||
@@ -3413,7 +3435,7 @@ AS_CASE([$FIPS_VERSION],
|
||||
DEFAULT_MAX_CLASSIC_ASYM_KEY_BITS=8192
|
||||
],
|
||||
["v3"],[ # FIPS Ready
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=3 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DWOLFSSL_ECDSA_SET_K"
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DWOLFSSL_ECDSA_SET_K"
|
||||
ENABLED_KEYGEN="yes"
|
||||
ENABLED_SHA224="yes"
|
||||
ENABLED_DES3="yes"
|
||||
@@ -3448,7 +3470,7 @@ AS_CASE([$FIPS_VERSION],
|
||||
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
|
||||
],
|
||||
["v2"],[ # Cert 3389
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=2 -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DHAVE_PUBLIC_FFDHE"
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR -DWOLFSSL_KEY_GEN -DWOLFSSL_SHA224 -DWOLFSSL_AES_DIRECT -DHAVE_AES_ECB -DHAVE_ECC_CDH -DWC_RSA_NO_PADDING -DWOLFSSL_VALIDATE_FFC_IMPORT -DHAVE_FFDHE_Q -DHAVE_PUBLIC_FFDHE"
|
||||
ENABLED_KEYGEN="yes"
|
||||
ENABLED_SHA224="yes"
|
||||
ENABLED_DES3="yes"
|
||||
@@ -3483,7 +3505,7 @@ AS_CASE([$FIPS_VERSION],
|
||||
[ENABLED_AESGCM="yes"; AM_CFLAGS="$AM_CFLAGS -DHAVE_AESGCM"])
|
||||
],
|
||||
["rand"],[
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=2"
|
||||
AM_CFLAGS="$AM_CFLAGS -DWOLFCRYPT_FIPS_RAND -DHAVE_FIPS -DHAVE_FIPS_VERSION=$HAVE_FIPS_VERSION -DHAVE_FIPS_VERSION_MINOR=$HAVE_FIPS_VERSION_MINOR"
|
||||
],
|
||||
["v1"],[ # Cert 2425
|
||||
AM_CFLAGS="$AM_CFLAGS -DHAVE_FIPS"
|
||||
@@ -6907,7 +6929,7 @@ AS_IF([test "x$ENABLED_NULL_CIPHER" = "xno" && \
|
||||
ENABLED_NULL_CIPHER=yes])
|
||||
|
||||
# FIPSv5 requires the wolfSSH option.
|
||||
AS_IF([test "x$FIPS_VERSION" = "xv5"],[ENABLED_WOLFSSH="yes"])
|
||||
AS_IF([test "$HAVE_FIPS_VERSION" -ge 5],[ENABLED_WOLFSSH="yes"])
|
||||
|
||||
# wolfSSH and WPA Supplicant both need Public MP, only enable once.
|
||||
# This will let you know if you enabled wolfSSH but have any of the prereqs
|
||||
@@ -7139,12 +7161,12 @@ AM_CONDITIONAL([BUILD_SHA],[test "x$ENABLED_SHA" = "xyes" || test "x$ENABLED_USE
|
||||
AM_CONDITIONAL([BUILD_HC128],[test "x$ENABLED_HC128" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
|
||||
AM_CONDITIONAL([BUILD_RABBIT],[test "x$ENABLED_RABBIT" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
|
||||
AM_CONDITIONAL([BUILD_FIPS],[test "x$ENABLED_FIPS" = "xyes"])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V1],[test "x$FIPS_VERSION" = "xv1"])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V2],[test "x$FIPS_VERSION" = "xv2"])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V1],[test "$HAVE_FIPS_VERSION" = 1])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V2],[test "$HAVE_FIPS_VERSION" = 2])
|
||||
AM_CONDITIONAL([BUILD_FIPS_RAND],[test "x$FIPS_VERSION" = "xrand"])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V3],[test "x$FIPS_VERSION" = "xv3"])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V5],[test "x$FIPS_VERSION" = "xv5"])
|
||||
AM_CONDITIONAL([BUILD_FIPS_CURRENT],[test "x$FIPS_VERSION" = "xv2" || test "x$FIPS_VERSION" = "xv3" || test "x$FIPS_VERSION" = "xv5"])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V3],[test "$HAVE_FIPS_VERSION" = 3])
|
||||
AM_CONDITIONAL([BUILD_FIPS_V5],[test "$HAVE_FIPS_VERSION" = 5])
|
||||
AM_CONDITIONAL([BUILD_FIPS_CURRENT],[test "$HAVE_FIPS_VERSION" -ge 2 ])
|
||||
AM_CONDITIONAL([BUILD_CMAC],[test "x$ENABLED_CMAC" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
|
||||
AM_CONDITIONAL([BUILD_SELFTEST],[test "x$ENABLED_SELFTEST" = "xyes"])
|
||||
AM_CONDITIONAL([BUILD_SHA224],[test "x$ENABLED_SHA224" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
|
||||
|
||||
@@ -533,7 +533,9 @@ WOLFSSL_API void wc_FreeDer(DerBuffer** pDer);
|
||||
word32 inSz, const byte** n, word32* nSz, const byte** e, word32* eSz);
|
||||
/* For FIPS v1/v2 and selftest this is in rsa.h */
|
||||
#if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \
|
||||
(!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION > 2)))
|
||||
!defined(HAVE_FIPS_VERSION) || \
|
||||
((HAVE_FIPS_VERSION > 2) && \
|
||||
(! ((HAVE_FIPS_VERSION == 5) && (HAVE_FIPS_VERSION_MINOR == 0)))))
|
||||
WOLFSSL_API int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen);
|
||||
#endif
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user